From 3c0935abceb9a1cb0ef9050e11bf964abd5fa209 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Wed, 14 Aug 2024 16:12:43 +0000 Subject: [PATCH] deploy: db04966532a4ff782e34f4f5004da81c4662fc7c --- 404.html | 10 +- advanced.html | 64 ++-- architecture.html | 20 +- ...tyles.0bb257a4.css => styles.3fb89a44.css} | 2 +- assets/js/0480b142.6dc7064a.js | 1 + assets/js/0480b142.8dd27be6.js | 1 - assets/js/06dc01b4.43c8b06d.js | 1 + assets/js/06dc01b4.4cc2ccd0.js | 1 - assets/js/0759a3f5.4692e71f.js | 1 - assets/js/0759a3f5.e9290839.js | 1 + assets/js/0ce5aa86.11dbb5a6.js | 1 + assets/js/0ce5aa86.a0c55954.js | 1 - assets/js/0e4359fd.9916ba74.js | 1 + assets/js/0e4359fd.fbccc3d8.js | 1 - .../js/{109.b4b6c92d.js => 109.bf60b3bc.js} | 6 +- assets/js/10b61a3f.97000b17.js | 1 - assets/js/10b61a3f.ba9c77f7.js | 1 + assets/js/17035653.5c7dad87.js | 1 - assets/js/17035653.a7378ff8.js | 1 + .../js/{1772.61c7be9f.js => 1772.edd9b014.js} | 2 +- assets/js/179ec51e.a93a27f5.js | 1 + assets/js/179ec51e.db3bde09.js | 1 - .../js/1a4e3797.7f3d6643.js | 2 +- assets/js/1be8dcfa.a0f4bffd.js | 1 - assets/js/1be8dcfa.b8400791.js | 1 + assets/js/1e924268.5c7cbbc4.js | 1 + assets/js/1e924268.9b06e0c5.js | 1 - .../js/{255.92d4592e.js => 255.8724ba33.js} | 8 +- assets/js/2a65762c.063d138f.js | 1 - assets/js/2a65762c.f89b4e81.js | 1 + assets/js/2f797aa4.39029747.js | 1 + assets/js/2f797aa4.4789b2d8.js | 1 - assets/js/36f34ab4.007b25b5.js | 1 - assets/js/36f34ab4.7cc62e9b.js | 1 + assets/js/395f47e2.09a4c72a.js | 1 - assets/js/395f47e2.bd3cc9da.js | 1 + assets/js/41765d36.81dca32b.js | 1 - assets/js/41765d36.97e3cb18.js | 1 + assets/js/43077f1d.9534ceb0.js | 1 + assets/js/43077f1d.e04b7c2a.js | 1 - assets/js/43e5cb58.074c5ba0.js | 1 - assets/js/43e5cb58.292d1714.js | 1 + assets/js/4455f95b.99c7e8c9.js | 1 - assets/js/4455f95b.acae1445.js | 1 + assets/js/4a667cf9.5264a034.js | 1 + assets/js/4a667cf9.a262b9c2.js | 1 - assets/js/4aae9e46.4c751e85.js | 1 + assets/js/4aae9e46.9df87721.js | 1 - assets/js/4e366d5e.380029dc.js | 1 + assets/js/4e366d5e.ba028e8f.js | 1 - assets/js/4fea1ac4.20695fb2.js | 1 - assets/js/4fea1ac4.a6c2da5e.js | 1 + assets/js/5159b4a0.6146d0a4.js | 1 + assets/js/5159b4a0.64a2572d.js | 1 - assets/js/5281b7a2.1d5cfe2a.js | 1 + assets/js/5281b7a2.a1edc1e5.js | 1 - assets/js/57d35c99.19d8884d.js | 1 + assets/js/57d35c99.a6cfff3e.js | 1 - ...5c892.34e77302.js => 5e95c892.06469c98.js} | 2 +- assets/js/5ea4afd8.60aa9d10.js | 1 - assets/js/5ea4afd8.966a946e.js | 1 + assets/js/65c5030c.333cc8ee.js | 1 + assets/js/65c5030c.ed6acdee.js | 1 - .../js/696.57f80179.js | 6 +- assets/js/6ab2c2e0.69f493b4.js | 1 + assets/js/6ab2c2e0.6ea3594f.js | 1 - assets/js/6e9804bc.30e4e843.js | 1 + assets/js/6e9804bc.ba685bd6.js | 1 - .../7.749c7d0b.js => assets/js/7.750475ca.js | 6 +- assets/js/7236.ac67632c.js | 2 + ...CENSE.txt => 7236.ac67632c.js.LICENSE.txt} | 0 assets/js/72e14192.55e09fa8.js | 1 - assets/js/72e14192.7465fa8f.js | 1 + .../js/763.ca021dac.js | 8 +- assets/js/7837.35b3df6a.js | 2 - assets/js/7b8e2475.2e6b9e2b.js | 1 - assets/js/7b8e2475.edeef426.js | 1 + assets/js/82406859.d13f2f6e.js | 1 + assets/js/82406859.f312e597.js | 1 - assets/js/82f1aa93.6ab8331d.js | 1 - assets/js/82f1aa93.7a77f720.js | 1 + .../js/8443.a5d9c459.js | 4 +- ...CENSE.txt => 8443.a5d9c459.js.LICENSE.txt} | 0 .../js/893.c93e490f.js | 8 +- assets/js/914a16f4.3af55ecf.js | 1 + assets/js/914a16f4.d484640c.js | 1 - .../js/943.3c7831dd.js | 8 +- assets/js/97c4f258.1b92ba91.js | 1 + assets/js/97c4f258.1bf9809c.js | 1 - .../js/985.fc87dcc9.js | 6 +- assets/js/9e39b1cd.0920eaf2.js | 1 - assets/js/9e39b1cd.e6fc251b.js | 1 + assets/js/9e7a009d.bd52ca75.js | 1 + assets/js/9e7a009d.cc31d4a0.js | 1 - assets/js/9f491e05.ccd56893.js | 1 + assets/js/9f491e05.fa57d8a6.js | 1 - assets/js/a09c2993.17f49ec2.js | 1 + assets/js/a09c2993.d15c3147.js | 1 - assets/js/a7bd4aaa.d2fc12fe.js | 1 + assets/js/a7bd4aaa.f175b6d3.js | 1 - .../js/a94703ab.c2f69992.js | 2 +- assets/js/ab388925.00132f62.js | 1 + assets/js/ab388925.803abe99.js | 1 - assets/js/ab60f49a.33892d2f.js | 1 - assets/js/ab60f49a.ba2a036b.js | 1 + assets/js/ac75af2e.07750136.js | 1 - assets/js/ac75af2e.c02290fe.js | 1 + assets/js/b36bdd38.9040c257.js | 1 + assets/js/b36bdd38.94fd1490.js | 1 - assets/js/b8002741.5f6e0146.js | 1 - assets/js/b8002741.8bc866ac.js | 1 + assets/js/b9a30a37.cffce9fc.js | 1 - assets/js/b9a30a37.e7c17c25.js | 1 + assets/js/ba3a957c.690a87ff.js | 1 - assets/js/ba3a957c.7539050d.js | 1 + assets/js/d123a91e.2fe3a155.js | 1 - assets/js/d123a91e.5caf1e39.js | 1 + assets/js/d8ab3227.3780315b.js | 1 + assets/js/d8ab3227.50ff09a3.js | 1 - assets/js/d8ed1217.0be5a98d.js | 1 + assets/js/d8ed1217.4d9ddd19.js | 1 - assets/js/dd22e55f.5e3f87f8.js | 1 - assets/js/dd22e55f.63ddd683.js | 1 + assets/js/e7c9153a.c20e6d7a.js | 1 - assets/js/e7c9153a.efcc87ae.js | 1 + assets/js/ea0a4c6d.4ac156c5.js | 1 - assets/js/ea0a4c6d.6f8b73e4.js | 1 + assets/js/ec6f9153.2cb400d8.js | 1 + assets/js/ec6f9153.9dac174f.js | 1 - assets/js/ee75e821.652d2896.js | 1 + assets/js/ee75e821.a8cdab5c.js | 1 - assets/js/f319c6ab.13d902eb.js | 1 + assets/js/f319c6ab.732d9658.js | 1 - assets/js/f8eefdc6.720b0f37.js | 1 + assets/js/f8eefdc6.fbf6e172.js | 1 - assets/js/fc39421f.64f5b424.js | 1 + assets/js/fc39421f.9c6a7858.js | 1 - assets/js/main.58acbbc0.js | 2 + ...CENSE.txt => main.58acbbc0.js.LICENSE.txt} | 0 assets/js/main.b8228620.js | 2 - assets/js/runtime~main.899b1176.js | 1 - assets/js/runtime~main.8fdd9248.js | 1 + cli.html | 12 +- cli/agent.html | 34 +- cli/certificate.html | 36 +- cli/etcd-snapshot.html | 24 +- cli/secrets-encrypt.html | 24 +- cli/server.html | 46 +-- cli/token.html | 40 +-- cluster-access.html | 14 +- datastore.html | 16 +- datastore/backup-restore.html | 18 +- datastore/cluster-loadbalancer.html | 18 +- datastore/ha-embedded.html | 14 +- datastore/ha.html | 24 +- faq.html | 32 +- helm.html | 20 +- index.html | 14 +- installation.html | 12 +- installation/airgap.html | 48 +-- installation/configuration.html | 24 +- installation/packaged-components.html | 26 +- installation/private-registry.html | 34 +- installation/registry-mirror.html | 32 +- installation/requirements.html | 38 +-- installation/server-roles.html | 20 +- installation/uninstall.html | 16 +- known-issues.html | 20 +- kr/404.html | 10 +- kr/advanced.html | 92 +++--- kr/architecture.html | 20 +- .../assets/css/styles.a300c3a6.css | 2 +- kr/assets/js/03ee9047.19e209ec.js | 1 + kr/assets/js/03ee9047.b4f3bf19.js | 1 - kr/assets/js/0759a3f5.403e480f.js | 1 + kr/assets/js/0759a3f5.abfeb73e.js | 1 - kr/assets/js/0a63d2fd.7f075bc5.js | 1 + kr/assets/js/0a63d2fd.caee5ba0.js | 1 - kr/assets/js/0ce5aa86.51903c7f.js | 1 + kr/assets/js/0ce5aa86.9dc7bad8.js | 1 - kr/assets/js/105936f9.c2eec2a9.js | 1 + kr/assets/js/105936f9.cf1e9242.js | 1 - .../assets/js/109.bf60b3bc.js | 6 +- .../assets/js/1772.edd9b014.js | 2 +- kr/assets/js/18ace21a.bffc2fc9.js | 1 + kr/assets/js/18ace21a.ce51c42a.js | 1 - kr/assets/js/1a0c5791.a58bbcc5.js | 1 - kr/assets/js/1a0c5791.d6e14a35.js | 1 + .../assets/js/1a4e3797.7f3d6643.js | 2 +- kr/assets/js/1aef17e6.3c429484.js | 1 + kr/assets/js/1aef17e6.f6995567.js | 1 - kr/assets/js/1fbd281a.95cd42bf.js | 1 + kr/assets/js/1fbd281a.ad7c8e02.js | 1 - kr/assets/js/20aafa33.3bcbd266.js | 1 + kr/assets/js/20aafa33.ecfa7dc8.js | 1 - .../js/{255.92d4592e.js => 255.8724ba33.js} | 8 +- kr/assets/js/289875c4.58dc5d8c.js | 1 - kr/assets/js/289875c4.d86a86f4.js | 1 + kr/assets/js/2c7731a3.78ce50e1.js | 1 - kr/assets/js/2c7731a3.ad50e493.js | 1 + kr/assets/js/2f797aa4.d5c63ad6.js | 1 + kr/assets/js/2f797aa4.e34a8141.js | 1 - kr/assets/js/310030e7.2d105a0b.js | 1 - kr/assets/js/310030e7.d99bd5f3.js | 1 + kr/assets/js/37e09f03.53592bcd.js | 1 + kr/assets/js/37e09f03.d3c38896.js | 1 - kr/assets/js/3f659917.9a56c135.js | 1 + kr/assets/js/3f659917.da165abb.js | 1 - kr/assets/js/412d1b91.83360818.js | 1 + kr/assets/js/412d1b91.9f8f881e.js | 1 - .../assets/js/42e456bb.20337826.js | 2 +- kr/assets/js/42e456bb.71d7aebb.js | 1 - kr/assets/js/43a3241e.464912cc.js | 1 - kr/assets/js/43a3241e.b53b6c5a.js | 1 + kr/assets/js/49689b7d.cbd6fedd.js | 1 - kr/assets/js/49689b7d.da5127a9.js | 1 + .../assets/js/5133fc91.07233669.js | 2 +- kr/assets/js/5133fc91.27f5d387.js | 1 - ...5c892.34e77302.js => 5e95c892.06469c98.js} | 2 +- kr/assets/js/609981e6.2001baf2.js | 1 - kr/assets/js/609981e6.8c1da051.js | 1 + kr/assets/js/65309f9a.72799433.js | 1 + kr/assets/js/65309f9a.9f97a04a.js | 1 - .../js/{696.b4659b1c.js => 696.57f80179.js} | 6 +- kr/assets/js/6a7149bd.6a1c6b4a.js | 1 - kr/assets/js/6a7149bd.ac31f11d.js | 1 + .../assets/js/6eb212a2.3ba9f0bd.js | 2 +- kr/assets/js/6eb212a2.d763d6d7.js | 1 - .../assets/js/7.750475ca.js | 6 +- kr/assets/js/7236.db30f9fd.js | 2 + ...CENSE.txt => 7236.db30f9fd.js.LICENSE.txt} | 0 .../assets/js/763.ca021dac.js | 8 +- kr/assets/js/7837.55715d2b.js | 2 - kr/assets/js/81cffba8.5273758c.js | 1 - kr/assets/js/81cffba8.564bbbe3.js | 1 + kr/assets/js/832e9842.75e1e2e4.js | 1 + kr/assets/js/832e9842.c6b3dec0.js | 1 - .../assets/js/8443.a5d9c459.js | 4 +- ...CENSE.txt => 8443.a5d9c459.js.LICENSE.txt} | 0 .../assets/js/893.c93e490f.js | 8 +- kr/assets/js/914a16f4.1f47a5fa.js | 1 - kr/assets/js/914a16f4.ce008661.js | 1 + .../js/{943.288d0bb4.js => 943.3c7831dd.js} | 8 +- kr/assets/js/944a1646.0f1c836e.js | 1 - kr/assets/js/944a1646.37a7041d.js | 1 + .../assets/js/985.fc87dcc9.js | 6 +- kr/assets/js/9a11c291.7fb475ca.js | 1 + kr/assets/js/9a11c291.eb38d005.js | 1 - kr/assets/js/9c4d4f7f.1d881b09.js | 1 + kr/assets/js/9c4d4f7f.9da27a87.js | 1 - kr/assets/js/9e7a009d.0d33ad0c.js | 1 - kr/assets/js/9e7a009d.204a0230.js | 1 + kr/assets/js/a0c5848d.894c4224.js | 1 - kr/assets/js/a0c5848d.a7bb9059.js | 1 + kr/assets/js/a101d863.a48e323f.js | 1 - kr/assets/js/a101d863.d286647e.js | 1 + kr/assets/js/a1ce2930.30638b81.js | 1 + kr/assets/js/a1ce2930.7d48a7ad.js | 1 - kr/assets/js/a43d9b4f.928d733e.js | 1 + kr/assets/js/a43d9b4f.b2ed37e7.js | 1 - kr/assets/js/a7bd4aaa.d2fc12fe.js | 1 + kr/assets/js/a7bd4aaa.f175b6d3.js | 1 - .../assets/js/a94703ab.c2f69992.js | 2 +- kr/assets/js/b1445c4f.ccb42167.js | 1 - kr/assets/js/b1445c4f.edd374f3.js | 1 + kr/assets/js/b44e7719.1e65b95e.js | 1 + kr/assets/js/b44e7719.c35ed88b.js | 1 - kr/assets/js/b8002741.213dd26e.js | 1 + kr/assets/js/b8002741.fd36fa70.js | 1 - kr/assets/js/b87d0734.0d2ae43b.js | 1 - kr/assets/js/b87d0734.309f13dc.js | 1 + kr/assets/js/b97d3598.fa076b01.js | 1 + kr/assets/js/b97d3598.fcc9795e.js | 1 - .../assets/js/bccfb1cb.4240bdfb.js | 2 +- kr/assets/js/bccfb1cb.d1ce3eb3.js | 1 - kr/assets/js/c5022e3f.6d9082f4.js | 1 - kr/assets/js/c5022e3f.b4406196.js | 1 + kr/assets/js/c7700003.3cbaaec1.js | 1 + kr/assets/js/c7700003.cdcda1c1.js | 1 - kr/assets/js/cfa0e807.798b7325.js | 1 - kr/assets/js/cfa0e807.be961597.js | 1 + kr/assets/js/d123a91e.18f3a6fd.js | 1 + kr/assets/js/d123a91e.325b80fb.js | 1 - kr/assets/js/d1c3e381.dff08217.js | 1 + kr/assets/js/d428bf88.52d60868.js | 1 - kr/assets/js/d428bf88.92f76c8d.js | 1 + kr/assets/js/dd0fba39.a599df5d.js | 1 - kr/assets/js/dd0fba39.e82585e9.js | 1 + kr/assets/js/dd22e55f.7f767527.js | 1 + kr/assets/js/dd22e55f.83da3868.js | 1 - kr/assets/js/df1a3a69.0e3431df.js | 1 + kr/assets/js/df1a3a69.561c08d1.js | 1 - kr/assets/js/e7c9153a.3ba97217.js | 1 + kr/assets/js/e7c9153a.9e70a0bd.js | 1 - kr/assets/js/e8666366.45f94ebc.js | 1 + kr/assets/js/e8666366.b5cdde90.js | 1 - kr/assets/js/e92581be.3f96b3a6.js | 1 - kr/assets/js/e92581be.70bed0e9.js | 1 + kr/assets/js/f5fc080a.74d620d3.js | 1 - kr/assets/js/f5fc080a.f8d911d8.js | 1 + kr/assets/js/f9fc8d33.bb9794c1.js | 1 - kr/assets/js/f9fc8d33.ec3eeee7.js | 1 + kr/assets/js/feba781c.63981e19.js | 1 + kr/assets/js/feba781c.825960db.js | 1 - kr/assets/js/main.1bd5d7d5.js | 2 + ...CENSE.txt => main.1bd5d7d5.js.LICENSE.txt} | 0 kr/assets/js/main.fa808223.js | 2 - ...n.e0b2a96e.js => runtime~main.bbf98367.js} | 2 +- kr/cli.html | 12 +- kr/cli/agent.html | 34 +- kr/cli/certificate.html | 36 +- kr/cli/etcd-snapshot.html | 24 +- kr/cli/secrets-encrypt.html | 24 +- kr/cli/server.html | 44 +-- kr/cli/token.html | 38 +-- kr/cluster-access.html | 14 +- kr/datastore.html | 18 +- kr/datastore/backup-restore.html | 18 +- kr/datastore/cluster-loadbalancer.html | 18 +- kr/datastore/ha-embedded.html | 16 +- kr/datastore/ha.html | 24 +- kr/faq.html | 30 +- kr/helm.html | 24 +- kr/index.html | 14 +- kr/installation.html | 12 +- kr/installation/airgap.html | 48 +-- kr/installation/configuration.html | 24 +- kr/installation/packaged-components.html | 26 +- kr/installation/private-registry.html | 32 +- kr/installation/registry-mirror.html | 30 +- kr/installation/requirements.html | 38 +-- kr/installation/server-roles.html | 20 +- kr/installation/uninstall.html | 16 +- kr/known-issues.html | 20 +- kr/networking.html | 12 +- kr/networking/basic-network-options.html | 26 +- kr/networking/distributed-multicloud.html | 16 +- kr/networking/multus-ipams.html | 12 +- kr/networking/networking-services.html | 32 +- kr/quick-start.html | 14 +- kr/reference/env-variables.html | 12 +- kr/reference/flag-deprecation.html | 16 +- kr/reference/resource-profiling.html | 56 ++-- kr/related-projects.html | 18 +- kr/release-notes/v1.24.X.html | 86 ++--- kr/release-notes/v1.25.X.html | 86 ++--- kr/release-notes/v1.26.X.html | 86 ++--- kr/release-notes/v1.27.X.html | 84 ++--- kr/release-notes/v1.28.X.html | 68 ++-- kr/release-notes/v1.29.X.html | 48 +-- kr/release-notes/v1.30.X.html | 32 +- kr/search-index.json | 2 +- kr/search.html | 10 +- kr/security.html | 12 +- kr/security/hardening-guide.html | 64 ++-- kr/security/secrets-encryption.html | 14 +- kr/security/self-assessment-1.23.html | 306 ++++++++--------- kr/security/self-assessment-1.24.html | 10 +- kr/security/self-assessment-1.7.html | 10 +- kr/security/self-assessment-1.8.html | 10 +- kr/storage.html | 26 +- kr/upgrades.html | 20 +- kr/upgrades/automated.html | 16 +- kr/upgrades/killall.html | 12 +- kr/upgrades/manual.html | 20 +- networking.html | 12 +- networking/basic-network-options.html | 26 +- networking/distributed-multicloud.html | 16 +- networking/multus-ipams.html | 18 +- networking/networking-services.html | 34 +- quick-start.html | 14 +- reference/env-variables.html | 12 +- reference/flag-deprecation.html | 16 +- reference/resource-profiling.html | 58 ++-- related-projects.html | 18 +- release-notes/v1.24.X.html | 86 ++--- release-notes/v1.25.X.html | 86 ++--- release-notes/v1.26.X.html | 86 ++--- release-notes/v1.27.X.html | 84 ++--- release-notes/v1.28.X.html | 68 ++-- release-notes/v1.29.X.html | 48 +-- release-notes/v1.30.X.html | 32 +- search-index.json | 2 +- search.html | 10 +- security.html | 12 +- security/hardening-guide.html | 46 +-- security/secrets-encryption.html | 14 +- security/self-assessment-1.23.html | 292 ++++++++-------- security/self-assessment-1.24.html | 284 ++++++++-------- security/self-assessment-1.7.html | 292 ++++++++-------- security/self-assessment-1.8.html | 290 ++++++++-------- storage.html | 28 +- upgrades.html | 14 +- upgrades/automated.html | 18 +- upgrades/killall.html | 16 +- upgrades/manual.html | 18 +- zh/404.html | 10 +- zh/advanced.html | 84 ++--- zh/architecture.html | 24 +- .../assets/css/styles.57e5a020.css | 2 +- zh/assets/js/03f6c9e9.744e53be.js | 1 - zh/assets/js/03f6c9e9.b1b6fe39.js | 1 + zh/assets/js/0510e5ff.5fa415e6.js | 1 + zh/assets/js/0510e5ff.e3870af8.js | 1 - zh/assets/js/0627a8f4.ef9e3d38.js | 1 + zh/assets/js/0627a8f4.f4805528.js | 1 - zh/assets/js/0759a3f5.8173e739.js | 1 + zh/assets/js/0759a3f5.aa3971b5.js | 1 - zh/assets/js/0a743094.01d023b2.js | 1 + zh/assets/js/0a743094.b9a8b3ad.js | 1 - zh/assets/js/0ce5aa86.9e11cdec.js | 1 + zh/assets/js/0ce5aa86.fb19bad7.js | 1 - zh/assets/js/107c63f9.25dbf0d2.js | 1 + zh/assets/js/107c63f9.72d4fa9a.js | 1 - .../assets/js/109.bf60b3bc.js | 6 +- zh/assets/js/11f121d5.931453aa.js | 1 - zh/assets/js/11f121d5.fb196149.js | 1 + zh/assets/js/13055719.dc630fe6.js | 1 + zh/assets/js/13055719.ff39039e.js | 1 - zh/assets/js/15ed8710.54d150a8.js | 1 + zh/assets/js/15ed8710.adad4cdb.js | 1 - .../assets/js/1772.edd9b014.js | 2 +- .../assets/js/1a4e3797.7f3d6643.js | 2 +- zh/assets/js/1f6c7e37.0bcf32ad.js | 1 - zh/assets/js/1f6c7e37.3c139b8a.js | 1 + .../js/{255.92d4592e.js => 255.8724ba33.js} | 8 +- zh/assets/js/2962c32e.435980e3.js | 1 - zh/assets/js/2962c32e.b6388ec4.js | 1 + zh/assets/js/2af2f480.0dccb5fc.js | 1 + zh/assets/js/2af2f480.b7362130.js | 1 - zh/assets/js/2d65ef92.9dffdffb.js | 1 + zh/assets/js/2d65ef92.f810a99f.js | 1 - zh/assets/js/2f797aa4.0f97d46a.js | 1 - zh/assets/js/2f797aa4.a3e708c6.js | 1 + zh/assets/js/357d395b.3b1ebae1.js | 1 + zh/assets/js/357d395b.ab664dad.js | 1 - zh/assets/js/37dfe6f0.0ad7c17a.js | 1 - zh/assets/js/37dfe6f0.a6fd69c1.js | 1 + .../assets/js/43760f39.05e4728a.js | 2 +- zh/assets/js/43760f39.79fc6238.js | 1 - zh/assets/js/46fd080e.1df52801.js | 1 + zh/assets/js/46fd080e.73763ee7.js | 1 - zh/assets/js/492f60c5.a5707f09.js | 1 + zh/assets/js/492f60c5.e548544c.js | 1 - zh/assets/js/50715220.81a3c735.js | 1 + zh/assets/js/50715220.941641df.js | 1 - zh/assets/js/512e8471.ab939d90.js | 1 + zh/assets/js/512e8471.c5fd07f2.js | 1 - zh/assets/js/5247e5b2.510fef40.js | 1 - zh/assets/js/5247e5b2.9b7f5208.js | 1 + zh/assets/js/53163943.7a3ff1d8.js | 1 + zh/assets/js/53163943.7b14c430.js | 1 - zh/assets/js/5977b32d.ebb637e3.js | 1 - zh/assets/js/5977b32d.f589eaae.js | 1 + zh/assets/js/599b6ccd.571e648d.js | 1 + zh/assets/js/599b6ccd.6837279d.js | 1 - zh/assets/js/5d1c93cb.a0038b38.js | 1 + ...5c892.34e77302.js => 5e95c892.06469c98.js} | 2 +- zh/assets/js/5f7f165c.948fd9b7.js | 1 + zh/assets/js/5f7f165c.c4ae5760.js | 1 - zh/assets/js/62005660.2a56b090.js | 1 - zh/assets/js/62005660.991af052.js | 1 + .../assets/js/696.57f80179.js | 6 +- zh/assets/js/6d8200b0.411e2f96.js | 1 - zh/assets/js/6d8200b0.75dae683.js | 1 + zh/assets/js/6f7960fe.6808c702.js | 1 + zh/assets/js/6f7960fe.a82da871.js | 1 - .../assets/js/7.750475ca.js | 6 +- zh/assets/js/711cf357.3e205a4c.js | 1 + zh/assets/js/711cf357.b938ab0f.js | 1 - zh/assets/js/7236.ac67632c.js | 2 + ...CENSE.txt => 7236.ac67632c.js.LICENSE.txt} | 0 .../js/{763.f91b6550.js => 763.ca021dac.js} | 8 +- zh/assets/js/772a162b.85eb1054.js | 1 - zh/assets/js/772a162b.ad668596.js | 1 + zh/assets/js/7837.35b3df6a.js | 2 - zh/assets/js/7c3827ce.38c1f1a2.js | 1 + zh/assets/js/7c3827ce.7cf55cbf.js | 1 - zh/assets/js/7d5aab5d.94c893e8.js | 1 + zh/assets/js/800df7af.07ba417c.js | 1 + zh/assets/js/800df7af.42d390d1.js | 1 - zh/assets/js/811e87f8.953e5bd7.js | 1 - zh/assets/js/811e87f8.bc6bd0da.js | 1 + .../assets/js/8443.a5d9c459.js | 4 +- ...CENSE.txt => 8443.a5d9c459.js.LICENSE.txt} | 0 .../assets/js/893.c93e490f.js | 8 +- zh/assets/js/914a16f4.0014379a.js | 1 - zh/assets/js/914a16f4.bdfc2d22.js | 1 + zh/assets/js/93e8d6ea.42bfb4ac.js | 1 - zh/assets/js/93e8d6ea.ffa035cc.js | 1 + .../assets/js/943.3c7831dd.js | 8 +- zh/assets/js/945c4120.cfbc151b.js | 1 + zh/assets/js/945c4120.f3c73547.js | 1 - zh/assets/js/97691ddb.f60b0047.js | 1 + .../assets/js/985.fc87dcc9.js | 6 +- zh/assets/js/9e7a009d.301f77e1.js | 1 + zh/assets/js/9e7a009d.84db764f.js | 1 - zh/assets/js/a3ec58b8.8335b201.js | 1 + zh/assets/js/a3ec58b8.8df4ac18.js | 1 - zh/assets/js/a7bd4aaa.d2fc12fe.js | 1 + zh/assets/js/a7bd4aaa.f175b6d3.js | 1 - .../assets/js/a94703ab.c2f69992.js | 2 +- zh/assets/js/b2fd5509.7122b8c0.js | 1 - zh/assets/js/b2fd5509.c5f491a7.js | 1 + zh/assets/js/b8002741.0c3813af.js | 1 - zh/assets/js/b8002741.b701907c.js | 1 + zh/assets/js/beafadc6.0c477833.js | 1 + zh/assets/js/beafadc6.99797dd9.js | 1 - zh/assets/js/cfa189fe.3e77115a.js | 1 + zh/assets/js/cfa189fe.e4441555.js | 1 - zh/assets/js/d123a91e.5966c654.js | 1 - zh/assets/js/d123a91e.9cc630b6.js | 1 + zh/assets/js/d627673e.0ca0c1e8.js | 1 + zh/assets/js/d627673e.168f71c1.js | 1 - zh/assets/js/dcd62276.d1deb937.js | 1 + zh/assets/js/dd22e55f.904eae92.js | 1 + zh/assets/js/dd22e55f.f6992e16.js | 1 - zh/assets/js/dd7cd9f3.af0db619.js | 1 + zh/assets/js/dd7cd9f3.b8c12490.js | 1 - zh/assets/js/df5dd15e.4d3d742a.js | 1 + zh/assets/js/df5dd15e.9af4a68d.js | 1 - zh/assets/js/e1787277.186ba958.js | 1 - zh/assets/js/e1787277.503757c5.js | 1 + zh/assets/js/e65553dc.12425f1c.js | 1 + zh/assets/js/e65553dc.9f303148.js | 1 - zh/assets/js/e7c9153a.3c137bb6.js | 1 + zh/assets/js/e7c9153a.d01cad85.js | 1 - zh/assets/js/e83743cd.45cdc065.js | 1 + zh/assets/js/e83743cd.aae94911.js | 1 - zh/assets/js/main.0ebf62be.js | 2 + ...CENSE.txt => main.0ebf62be.js.LICENSE.txt} | 0 zh/assets/js/main.ab89c807.js | 2 - zh/assets/js/runtime~main.4d44cc88.js | 1 - zh/assets/js/runtime~main.86741a47.js | 1 + zh/cli.html | 12 +- zh/cli/agent.html | 38 +-- zh/cli/certificate.html | 40 +-- zh/cli/etcd-snapshot.html | 28 +- zh/cli/secrets-encrypt.html | 24 +- zh/cli/server.html | 52 +-- zh/cli/token.html | 44 +-- zh/cluster-access.html | 14 +- zh/datastore.html | 18 +- zh/datastore/backup-restore.html | 20 +- zh/datastore/cluster-loadbalancer.html | 18 +- zh/datastore/ha-embedded.html | 14 +- zh/datastore/ha.html | 28 +- zh/faq.html | 30 +- zh/helm.html | 22 +- zh/index.html | 16 +- zh/installation.html | 12 +- zh/installation/airgap.html | 50 +-- zh/installation/configuration.html | 24 +- zh/installation/packaged-components.html | 26 +- zh/installation/private-registry.html | 34 +- zh/installation/registry-mirror.html | 30 +- zh/installation/requirements.html | 38 +-- zh/installation/server-roles.html | 20 +- zh/installation/uninstall.html | 16 +- zh/known-issues.html | 22 +- zh/networking.html | 12 +- zh/networking/basic-network-options.html | 26 +- zh/networking/distributed-multicloud.html | 16 +- zh/networking/multus-ipams.html | 12 +- zh/networking/networking-services.html | 32 +- zh/quick-start.html | 20 +- zh/reference/env-variables.html | 12 +- zh/reference/flag-deprecation.html | 16 +- zh/reference/resource-profiling.html | 60 ++-- zh/related-projects.html | 18 +- zh/release-notes/v1.24.X.html | 86 ++--- zh/release-notes/v1.25.X.html | 86 ++--- zh/release-notes/v1.26.X.html | 86 ++--- zh/release-notes/v1.27.X.html | 84 ++--- zh/release-notes/v1.28.X.html | 68 ++-- zh/release-notes/v1.29.X.html | 48 +-- zh/release-notes/v1.30.X.html | 32 +- zh/search-index.json | 2 +- zh/search.html | 10 +- zh/security.html | 12 +- zh/security/hardening-guide.html | 64 ++-- zh/security/secrets-encryption.html | 14 +- zh/security/self-assessment-1.23.html | 312 +++++++++--------- zh/security/self-assessment-1.24.html | 10 +- zh/security/self-assessment-1.7.html | 10 +- zh/security/self-assessment-1.8.html | 10 +- zh/storage.html | 30 +- zh/upgrades.html | 14 +- zh/upgrades/automated.html | 22 +- zh/upgrades/killall.html | 12 +- zh/upgrades/manual.html | 22 +- 591 files changed, 3733 insertions(+), 3733 deletions(-) rename assets/css/{styles.0bb257a4.css => styles.3fb89a44.css} (51%) create mode 100644 assets/js/0480b142.6dc7064a.js delete mode 100644 assets/js/0480b142.8dd27be6.js create mode 100644 assets/js/06dc01b4.43c8b06d.js delete mode 100644 assets/js/06dc01b4.4cc2ccd0.js delete mode 100644 assets/js/0759a3f5.4692e71f.js create mode 100644 assets/js/0759a3f5.e9290839.js create mode 100644 assets/js/0ce5aa86.11dbb5a6.js delete mode 100644 assets/js/0ce5aa86.a0c55954.js create mode 100644 assets/js/0e4359fd.9916ba74.js delete mode 100644 assets/js/0e4359fd.fbccc3d8.js rename assets/js/{109.b4b6c92d.js => 109.bf60b3bc.js} (99%) delete mode 100644 assets/js/10b61a3f.97000b17.js create mode 100644 assets/js/10b61a3f.ba9c77f7.js delete mode 100644 assets/js/17035653.5c7dad87.js create mode 100644 assets/js/17035653.a7378ff8.js rename assets/js/{1772.61c7be9f.js => 1772.edd9b014.js} (95%) create mode 100644 assets/js/179ec51e.a93a27f5.js delete mode 100644 assets/js/179ec51e.db3bde09.js rename zh/assets/js/1a4e3797.4376c566.js => assets/js/1a4e3797.7f3d6643.js (98%) delete mode 100644 assets/js/1be8dcfa.a0f4bffd.js create mode 100644 assets/js/1be8dcfa.b8400791.js create mode 100644 assets/js/1e924268.5c7cbbc4.js delete mode 100644 assets/js/1e924268.9b06e0c5.js rename assets/js/{255.92d4592e.js => 255.8724ba33.js} (99%) delete mode 100644 assets/js/2a65762c.063d138f.js create mode 100644 assets/js/2a65762c.f89b4e81.js create mode 100644 assets/js/2f797aa4.39029747.js delete mode 100644 assets/js/2f797aa4.4789b2d8.js delete mode 100644 assets/js/36f34ab4.007b25b5.js create mode 100644 assets/js/36f34ab4.7cc62e9b.js delete mode 100644 assets/js/395f47e2.09a4c72a.js create mode 100644 assets/js/395f47e2.bd3cc9da.js delete mode 100644 assets/js/41765d36.81dca32b.js create mode 100644 assets/js/41765d36.97e3cb18.js create mode 100644 assets/js/43077f1d.9534ceb0.js delete mode 100644 assets/js/43077f1d.e04b7c2a.js delete mode 100644 assets/js/43e5cb58.074c5ba0.js create mode 100644 assets/js/43e5cb58.292d1714.js delete mode 100644 assets/js/4455f95b.99c7e8c9.js create mode 100644 assets/js/4455f95b.acae1445.js create mode 100644 assets/js/4a667cf9.5264a034.js delete mode 100644 assets/js/4a667cf9.a262b9c2.js create mode 100644 assets/js/4aae9e46.4c751e85.js delete mode 100644 assets/js/4aae9e46.9df87721.js create mode 100644 assets/js/4e366d5e.380029dc.js delete mode 100644 assets/js/4e366d5e.ba028e8f.js delete mode 100644 assets/js/4fea1ac4.20695fb2.js create mode 100644 assets/js/4fea1ac4.a6c2da5e.js create mode 100644 assets/js/5159b4a0.6146d0a4.js delete mode 100644 assets/js/5159b4a0.64a2572d.js create mode 100644 assets/js/5281b7a2.1d5cfe2a.js delete mode 100644 assets/js/5281b7a2.a1edc1e5.js create mode 100644 assets/js/57d35c99.19d8884d.js delete mode 100644 assets/js/57d35c99.a6cfff3e.js rename assets/js/{5e95c892.34e77302.js => 5e95c892.06469c98.js} (63%) delete mode 100644 assets/js/5ea4afd8.60aa9d10.js create mode 100644 assets/js/5ea4afd8.966a946e.js create mode 100644 assets/js/65c5030c.333cc8ee.js delete mode 100644 assets/js/65c5030c.ed6acdee.js rename zh/assets/js/696.b4659b1c.js => assets/js/696.57f80179.js (99%) create mode 100644 assets/js/6ab2c2e0.69f493b4.js delete mode 100644 assets/js/6ab2c2e0.6ea3594f.js create mode 100644 assets/js/6e9804bc.30e4e843.js delete mode 100644 assets/js/6e9804bc.ba685bd6.js rename kr/assets/js/7.749c7d0b.js => assets/js/7.750475ca.js (99%) create mode 100644 assets/js/7236.ac67632c.js rename assets/js/{7837.35b3df6a.js.LICENSE.txt => 7236.ac67632c.js.LICENSE.txt} (100%) delete mode 100644 assets/js/72e14192.55e09fa8.js create mode 100644 assets/js/72e14192.7465fa8f.js rename kr/assets/js/763.f91b6550.js => assets/js/763.ca021dac.js (99%) delete mode 100644 assets/js/7837.35b3df6a.js delete mode 100644 assets/js/7b8e2475.2e6b9e2b.js create mode 100644 assets/js/7b8e2475.edeef426.js create mode 100644 assets/js/82406859.d13f2f6e.js delete mode 100644 assets/js/82406859.f312e597.js delete mode 100644 assets/js/82f1aa93.6ab8331d.js create mode 100644 assets/js/82f1aa93.7a77f720.js rename zh/assets/js/8443.26559c8c.js => assets/js/8443.a5d9c459.js (99%) rename assets/js/{8443.26559c8c.js.LICENSE.txt => 8443.a5d9c459.js.LICENSE.txt} (100%) rename zh/assets/js/893.bef64808.js => assets/js/893.c93e490f.js (99%) create mode 100644 assets/js/914a16f4.3af55ecf.js delete mode 100644 assets/js/914a16f4.d484640c.js rename zh/assets/js/943.288d0bb4.js => assets/js/943.3c7831dd.js (99%) create mode 100644 assets/js/97c4f258.1b92ba91.js delete mode 100644 assets/js/97c4f258.1bf9809c.js rename zh/assets/js/985.59c3c4c4.js => assets/js/985.fc87dcc9.js (99%) delete mode 100644 assets/js/9e39b1cd.0920eaf2.js create mode 100644 assets/js/9e39b1cd.e6fc251b.js create mode 100644 assets/js/9e7a009d.bd52ca75.js delete mode 100644 assets/js/9e7a009d.cc31d4a0.js create mode 100644 assets/js/9f491e05.ccd56893.js delete mode 100644 assets/js/9f491e05.fa57d8a6.js create mode 100644 assets/js/a09c2993.17f49ec2.js delete mode 100644 assets/js/a09c2993.d15c3147.js create mode 100644 assets/js/a7bd4aaa.d2fc12fe.js delete mode 100644 assets/js/a7bd4aaa.f175b6d3.js rename kr/assets/js/a94703ab.1e5da719.js => assets/js/a94703ab.c2f69992.js (98%) create mode 100644 assets/js/ab388925.00132f62.js delete mode 100644 assets/js/ab388925.803abe99.js delete mode 100644 assets/js/ab60f49a.33892d2f.js create mode 100644 assets/js/ab60f49a.ba2a036b.js delete mode 100644 assets/js/ac75af2e.07750136.js create mode 100644 assets/js/ac75af2e.c02290fe.js create mode 100644 assets/js/b36bdd38.9040c257.js delete mode 100644 assets/js/b36bdd38.94fd1490.js delete mode 100644 assets/js/b8002741.5f6e0146.js create mode 100644 assets/js/b8002741.8bc866ac.js delete mode 100644 assets/js/b9a30a37.cffce9fc.js create mode 100644 assets/js/b9a30a37.e7c17c25.js delete mode 100644 assets/js/ba3a957c.690a87ff.js create mode 100644 assets/js/ba3a957c.7539050d.js delete mode 100644 assets/js/d123a91e.2fe3a155.js create mode 100644 assets/js/d123a91e.5caf1e39.js create mode 100644 assets/js/d8ab3227.3780315b.js delete mode 100644 assets/js/d8ab3227.50ff09a3.js create mode 100644 assets/js/d8ed1217.0be5a98d.js delete mode 100644 assets/js/d8ed1217.4d9ddd19.js delete mode 100644 assets/js/dd22e55f.5e3f87f8.js create mode 100644 assets/js/dd22e55f.63ddd683.js delete mode 100644 assets/js/e7c9153a.c20e6d7a.js create mode 100644 assets/js/e7c9153a.efcc87ae.js delete mode 100644 assets/js/ea0a4c6d.4ac156c5.js create mode 100644 assets/js/ea0a4c6d.6f8b73e4.js create mode 100644 assets/js/ec6f9153.2cb400d8.js delete mode 100644 assets/js/ec6f9153.9dac174f.js create mode 100644 assets/js/ee75e821.652d2896.js delete mode 100644 assets/js/ee75e821.a8cdab5c.js create mode 100644 assets/js/f319c6ab.13d902eb.js delete mode 100644 assets/js/f319c6ab.732d9658.js create mode 100644 assets/js/f8eefdc6.720b0f37.js delete mode 100644 assets/js/f8eefdc6.fbf6e172.js create mode 100644 assets/js/fc39421f.64f5b424.js delete mode 100644 assets/js/fc39421f.9c6a7858.js create mode 100644 assets/js/main.58acbbc0.js rename assets/js/{main.b8228620.js.LICENSE.txt => main.58acbbc0.js.LICENSE.txt} (100%) delete mode 100644 assets/js/main.b8228620.js delete mode 100644 assets/js/runtime~main.899b1176.js create mode 100644 assets/js/runtime~main.8fdd9248.js rename zh/assets/css/styles.e1f8cbea.css => kr/assets/css/styles.a300c3a6.css (51%) create mode 100644 kr/assets/js/03ee9047.19e209ec.js delete mode 100644 kr/assets/js/03ee9047.b4f3bf19.js create mode 100644 kr/assets/js/0759a3f5.403e480f.js delete mode 100644 kr/assets/js/0759a3f5.abfeb73e.js create mode 100644 kr/assets/js/0a63d2fd.7f075bc5.js delete mode 100644 kr/assets/js/0a63d2fd.caee5ba0.js create mode 100644 kr/assets/js/0ce5aa86.51903c7f.js delete mode 100644 kr/assets/js/0ce5aa86.9dc7bad8.js create mode 100644 kr/assets/js/105936f9.c2eec2a9.js delete mode 100644 kr/assets/js/105936f9.cf1e9242.js rename zh/assets/js/109.b4b6c92d.js => kr/assets/js/109.bf60b3bc.js (99%) rename zh/assets/js/1772.61c7be9f.js => kr/assets/js/1772.edd9b014.js (95%) create mode 100644 kr/assets/js/18ace21a.bffc2fc9.js delete mode 100644 kr/assets/js/18ace21a.ce51c42a.js delete mode 100644 kr/assets/js/1a0c5791.a58bbcc5.js create mode 100644 kr/assets/js/1a0c5791.d6e14a35.js rename assets/js/1a4e3797.4376c566.js => kr/assets/js/1a4e3797.7f3d6643.js (98%) create mode 100644 kr/assets/js/1aef17e6.3c429484.js delete mode 100644 kr/assets/js/1aef17e6.f6995567.js create mode 100644 kr/assets/js/1fbd281a.95cd42bf.js delete mode 100644 kr/assets/js/1fbd281a.ad7c8e02.js create mode 100644 kr/assets/js/20aafa33.3bcbd266.js delete mode 100644 kr/assets/js/20aafa33.ecfa7dc8.js rename kr/assets/js/{255.92d4592e.js => 255.8724ba33.js} (99%) delete mode 100644 kr/assets/js/289875c4.58dc5d8c.js create mode 100644 kr/assets/js/289875c4.d86a86f4.js delete mode 100644 kr/assets/js/2c7731a3.78ce50e1.js create mode 100644 kr/assets/js/2c7731a3.ad50e493.js create mode 100644 kr/assets/js/2f797aa4.d5c63ad6.js delete mode 100644 kr/assets/js/2f797aa4.e34a8141.js delete mode 100644 kr/assets/js/310030e7.2d105a0b.js create mode 100644 kr/assets/js/310030e7.d99bd5f3.js create mode 100644 kr/assets/js/37e09f03.53592bcd.js delete mode 100644 kr/assets/js/37e09f03.d3c38896.js create mode 100644 kr/assets/js/3f659917.9a56c135.js delete mode 100644 kr/assets/js/3f659917.da165abb.js create mode 100644 kr/assets/js/412d1b91.83360818.js delete mode 100644 kr/assets/js/412d1b91.9f8f881e.js rename zh/assets/js/7d5aab5d.d0a92439.js => kr/assets/js/42e456bb.20337826.js (67%) delete mode 100644 kr/assets/js/42e456bb.71d7aebb.js delete mode 100644 kr/assets/js/43a3241e.464912cc.js create mode 100644 kr/assets/js/43a3241e.b53b6c5a.js delete mode 100644 kr/assets/js/49689b7d.cbd6fedd.js create mode 100644 kr/assets/js/49689b7d.da5127a9.js rename zh/assets/js/dcd62276.b1623ddb.js => kr/assets/js/5133fc91.07233669.js (90%) delete mode 100644 kr/assets/js/5133fc91.27f5d387.js rename kr/assets/js/{5e95c892.34e77302.js => 5e95c892.06469c98.js} (63%) delete mode 100644 kr/assets/js/609981e6.2001baf2.js create mode 100644 kr/assets/js/609981e6.8c1da051.js create mode 100644 kr/assets/js/65309f9a.72799433.js delete mode 100644 kr/assets/js/65309f9a.9f97a04a.js rename kr/assets/js/{696.b4659b1c.js => 696.57f80179.js} (99%) delete mode 100644 kr/assets/js/6a7149bd.6a1c6b4a.js create mode 100644 kr/assets/js/6a7149bd.ac31f11d.js rename zh/assets/js/5d1c93cb.a101bad9.js => kr/assets/js/6eb212a2.3ba9f0bd.js (56%) delete mode 100644 kr/assets/js/6eb212a2.d763d6d7.js rename zh/assets/js/7.749c7d0b.js => kr/assets/js/7.750475ca.js (99%) create mode 100644 kr/assets/js/7236.db30f9fd.js rename kr/assets/js/{7837.55715d2b.js.LICENSE.txt => 7236.db30f9fd.js.LICENSE.txt} (100%) rename assets/js/763.f91b6550.js => kr/assets/js/763.ca021dac.js (99%) delete mode 100644 kr/assets/js/7837.55715d2b.js delete mode 100644 kr/assets/js/81cffba8.5273758c.js create mode 100644 kr/assets/js/81cffba8.564bbbe3.js create mode 100644 kr/assets/js/832e9842.75e1e2e4.js delete mode 100644 kr/assets/js/832e9842.c6b3dec0.js rename assets/js/8443.26559c8c.js => kr/assets/js/8443.a5d9c459.js (99%) rename kr/assets/js/{8443.26559c8c.js.LICENSE.txt => 8443.a5d9c459.js.LICENSE.txt} (100%) rename assets/js/893.bef64808.js => kr/assets/js/893.c93e490f.js (99%) delete mode 100644 kr/assets/js/914a16f4.1f47a5fa.js create mode 100644 kr/assets/js/914a16f4.ce008661.js rename kr/assets/js/{943.288d0bb4.js => 943.3c7831dd.js} (99%) delete mode 100644 kr/assets/js/944a1646.0f1c836e.js create mode 100644 kr/assets/js/944a1646.37a7041d.js rename assets/js/985.59c3c4c4.js => kr/assets/js/985.fc87dcc9.js (99%) create mode 100644 kr/assets/js/9a11c291.7fb475ca.js delete mode 100644 kr/assets/js/9a11c291.eb38d005.js create mode 100644 kr/assets/js/9c4d4f7f.1d881b09.js delete mode 100644 kr/assets/js/9c4d4f7f.9da27a87.js delete mode 100644 kr/assets/js/9e7a009d.0d33ad0c.js create mode 100644 kr/assets/js/9e7a009d.204a0230.js delete mode 100644 kr/assets/js/a0c5848d.894c4224.js create mode 100644 kr/assets/js/a0c5848d.a7bb9059.js delete mode 100644 kr/assets/js/a101d863.a48e323f.js create mode 100644 kr/assets/js/a101d863.d286647e.js create mode 100644 kr/assets/js/a1ce2930.30638b81.js delete mode 100644 kr/assets/js/a1ce2930.7d48a7ad.js create mode 100644 kr/assets/js/a43d9b4f.928d733e.js delete mode 100644 kr/assets/js/a43d9b4f.b2ed37e7.js create mode 100644 kr/assets/js/a7bd4aaa.d2fc12fe.js delete mode 100644 kr/assets/js/a7bd4aaa.f175b6d3.js rename zh/assets/js/a94703ab.1e5da719.js => kr/assets/js/a94703ab.c2f69992.js (98%) delete mode 100644 kr/assets/js/b1445c4f.ccb42167.js create mode 100644 kr/assets/js/b1445c4f.edd374f3.js create mode 100644 kr/assets/js/b44e7719.1e65b95e.js delete mode 100644 kr/assets/js/b44e7719.c35ed88b.js create mode 100644 kr/assets/js/b8002741.213dd26e.js delete mode 100644 kr/assets/js/b8002741.fd36fa70.js delete mode 100644 kr/assets/js/b87d0734.0d2ae43b.js create mode 100644 kr/assets/js/b87d0734.309f13dc.js create mode 100644 kr/assets/js/b97d3598.fa076b01.js delete mode 100644 kr/assets/js/b97d3598.fcc9795e.js rename zh/assets/js/97691ddb.3c80872d.js => kr/assets/js/bccfb1cb.4240bdfb.js (77%) delete mode 100644 kr/assets/js/bccfb1cb.d1ce3eb3.js delete mode 100644 kr/assets/js/c5022e3f.6d9082f4.js create mode 100644 kr/assets/js/c5022e3f.b4406196.js create mode 100644 kr/assets/js/c7700003.3cbaaec1.js delete mode 100644 kr/assets/js/c7700003.cdcda1c1.js delete mode 100644 kr/assets/js/cfa0e807.798b7325.js create mode 100644 kr/assets/js/cfa0e807.be961597.js create mode 100644 kr/assets/js/d123a91e.18f3a6fd.js delete mode 100644 kr/assets/js/d123a91e.325b80fb.js create mode 100644 kr/assets/js/d1c3e381.dff08217.js delete mode 100644 kr/assets/js/d428bf88.52d60868.js create mode 100644 kr/assets/js/d428bf88.92f76c8d.js delete mode 100644 kr/assets/js/dd0fba39.a599df5d.js create mode 100644 kr/assets/js/dd0fba39.e82585e9.js create mode 100644 kr/assets/js/dd22e55f.7f767527.js delete mode 100644 kr/assets/js/dd22e55f.83da3868.js create mode 100644 kr/assets/js/df1a3a69.0e3431df.js delete mode 100644 kr/assets/js/df1a3a69.561c08d1.js create mode 100644 kr/assets/js/e7c9153a.3ba97217.js delete mode 100644 kr/assets/js/e7c9153a.9e70a0bd.js create mode 100644 kr/assets/js/e8666366.45f94ebc.js delete mode 100644 kr/assets/js/e8666366.b5cdde90.js delete mode 100644 kr/assets/js/e92581be.3f96b3a6.js create mode 100644 kr/assets/js/e92581be.70bed0e9.js delete mode 100644 kr/assets/js/f5fc080a.74d620d3.js create mode 100644 kr/assets/js/f5fc080a.f8d911d8.js delete mode 100644 kr/assets/js/f9fc8d33.bb9794c1.js create mode 100644 kr/assets/js/f9fc8d33.ec3eeee7.js create mode 100644 kr/assets/js/feba781c.63981e19.js delete mode 100644 kr/assets/js/feba781c.825960db.js create mode 100644 kr/assets/js/main.1bd5d7d5.js rename kr/assets/js/{main.fa808223.js.LICENSE.txt => main.1bd5d7d5.js.LICENSE.txt} (100%) delete mode 100644 kr/assets/js/main.fa808223.js rename kr/assets/js/{runtime~main.e0b2a96e.js => runtime~main.bbf98367.js} (52%) rename kr/assets/css/styles.c42ab3d9.css => zh/assets/css/styles.57e5a020.css (51%) delete mode 100644 zh/assets/js/03f6c9e9.744e53be.js create mode 100644 zh/assets/js/03f6c9e9.b1b6fe39.js create mode 100644 zh/assets/js/0510e5ff.5fa415e6.js delete mode 100644 zh/assets/js/0510e5ff.e3870af8.js create mode 100644 zh/assets/js/0627a8f4.ef9e3d38.js delete mode 100644 zh/assets/js/0627a8f4.f4805528.js create mode 100644 zh/assets/js/0759a3f5.8173e739.js delete mode 100644 zh/assets/js/0759a3f5.aa3971b5.js create mode 100644 zh/assets/js/0a743094.01d023b2.js delete mode 100644 zh/assets/js/0a743094.b9a8b3ad.js create mode 100644 zh/assets/js/0ce5aa86.9e11cdec.js delete mode 100644 zh/assets/js/0ce5aa86.fb19bad7.js create mode 100644 zh/assets/js/107c63f9.25dbf0d2.js delete mode 100644 zh/assets/js/107c63f9.72d4fa9a.js rename kr/assets/js/109.b4b6c92d.js => zh/assets/js/109.bf60b3bc.js (99%) delete mode 100644 zh/assets/js/11f121d5.931453aa.js create mode 100644 zh/assets/js/11f121d5.fb196149.js create mode 100644 zh/assets/js/13055719.dc630fe6.js delete mode 100644 zh/assets/js/13055719.ff39039e.js create mode 100644 zh/assets/js/15ed8710.54d150a8.js delete mode 100644 zh/assets/js/15ed8710.adad4cdb.js rename kr/assets/js/1772.61c7be9f.js => zh/assets/js/1772.edd9b014.js (95%) rename kr/assets/js/1a4e3797.4376c566.js => zh/assets/js/1a4e3797.7f3d6643.js (98%) delete mode 100644 zh/assets/js/1f6c7e37.0bcf32ad.js create mode 100644 zh/assets/js/1f6c7e37.3c139b8a.js rename zh/assets/js/{255.92d4592e.js => 255.8724ba33.js} (99%) delete mode 100644 zh/assets/js/2962c32e.435980e3.js create mode 100644 zh/assets/js/2962c32e.b6388ec4.js create mode 100644 zh/assets/js/2af2f480.0dccb5fc.js delete mode 100644 zh/assets/js/2af2f480.b7362130.js create mode 100644 zh/assets/js/2d65ef92.9dffdffb.js delete mode 100644 zh/assets/js/2d65ef92.f810a99f.js delete mode 100644 zh/assets/js/2f797aa4.0f97d46a.js create mode 100644 zh/assets/js/2f797aa4.a3e708c6.js create mode 100644 zh/assets/js/357d395b.3b1ebae1.js delete mode 100644 zh/assets/js/357d395b.ab664dad.js delete mode 100644 zh/assets/js/37dfe6f0.0ad7c17a.js create mode 100644 zh/assets/js/37dfe6f0.a6fd69c1.js rename kr/assets/js/d1c3e381.ec3ab634.js => zh/assets/js/43760f39.05e4728a.js (85%) delete mode 100644 zh/assets/js/43760f39.79fc6238.js create mode 100644 zh/assets/js/46fd080e.1df52801.js delete mode 100644 zh/assets/js/46fd080e.73763ee7.js create mode 100644 zh/assets/js/492f60c5.a5707f09.js delete mode 100644 zh/assets/js/492f60c5.e548544c.js create mode 100644 zh/assets/js/50715220.81a3c735.js delete mode 100644 zh/assets/js/50715220.941641df.js create mode 100644 zh/assets/js/512e8471.ab939d90.js delete mode 100644 zh/assets/js/512e8471.c5fd07f2.js delete mode 100644 zh/assets/js/5247e5b2.510fef40.js create mode 100644 zh/assets/js/5247e5b2.9b7f5208.js create mode 100644 zh/assets/js/53163943.7a3ff1d8.js delete mode 100644 zh/assets/js/53163943.7b14c430.js delete mode 100644 zh/assets/js/5977b32d.ebb637e3.js create mode 100644 zh/assets/js/5977b32d.f589eaae.js create mode 100644 zh/assets/js/599b6ccd.571e648d.js delete mode 100644 zh/assets/js/599b6ccd.6837279d.js create mode 100644 zh/assets/js/5d1c93cb.a0038b38.js rename zh/assets/js/{5e95c892.34e77302.js => 5e95c892.06469c98.js} (63%) create mode 100644 zh/assets/js/5f7f165c.948fd9b7.js delete mode 100644 zh/assets/js/5f7f165c.c4ae5760.js delete mode 100644 zh/assets/js/62005660.2a56b090.js create mode 100644 zh/assets/js/62005660.991af052.js rename assets/js/696.b4659b1c.js => zh/assets/js/696.57f80179.js (99%) delete mode 100644 zh/assets/js/6d8200b0.411e2f96.js create mode 100644 zh/assets/js/6d8200b0.75dae683.js create mode 100644 zh/assets/js/6f7960fe.6808c702.js delete mode 100644 zh/assets/js/6f7960fe.a82da871.js rename assets/js/7.749c7d0b.js => zh/assets/js/7.750475ca.js (99%) create mode 100644 zh/assets/js/711cf357.3e205a4c.js delete mode 100644 zh/assets/js/711cf357.b938ab0f.js create mode 100644 zh/assets/js/7236.ac67632c.js rename zh/assets/js/{7837.35b3df6a.js.LICENSE.txt => 7236.ac67632c.js.LICENSE.txt} (100%) rename zh/assets/js/{763.f91b6550.js => 763.ca021dac.js} (99%) delete mode 100644 zh/assets/js/772a162b.85eb1054.js create mode 100644 zh/assets/js/772a162b.ad668596.js delete mode 100644 zh/assets/js/7837.35b3df6a.js create mode 100644 zh/assets/js/7c3827ce.38c1f1a2.js delete mode 100644 zh/assets/js/7c3827ce.7cf55cbf.js create mode 100644 zh/assets/js/7d5aab5d.94c893e8.js create mode 100644 zh/assets/js/800df7af.07ba417c.js delete mode 100644 zh/assets/js/800df7af.42d390d1.js delete mode 100644 zh/assets/js/811e87f8.953e5bd7.js create mode 100644 zh/assets/js/811e87f8.bc6bd0da.js rename kr/assets/js/8443.26559c8c.js => zh/assets/js/8443.a5d9c459.js (99%) rename zh/assets/js/{8443.26559c8c.js.LICENSE.txt => 8443.a5d9c459.js.LICENSE.txt} (100%) rename kr/assets/js/893.bef64808.js => zh/assets/js/893.c93e490f.js (99%) delete mode 100644 zh/assets/js/914a16f4.0014379a.js create mode 100644 zh/assets/js/914a16f4.bdfc2d22.js delete mode 100644 zh/assets/js/93e8d6ea.42bfb4ac.js create mode 100644 zh/assets/js/93e8d6ea.ffa035cc.js rename assets/js/943.288d0bb4.js => zh/assets/js/943.3c7831dd.js (99%) create mode 100644 zh/assets/js/945c4120.cfbc151b.js delete mode 100644 zh/assets/js/945c4120.f3c73547.js create mode 100644 zh/assets/js/97691ddb.f60b0047.js rename kr/assets/js/985.59c3c4c4.js => zh/assets/js/985.fc87dcc9.js (99%) create mode 100644 zh/assets/js/9e7a009d.301f77e1.js delete mode 100644 zh/assets/js/9e7a009d.84db764f.js create mode 100644 zh/assets/js/a3ec58b8.8335b201.js delete mode 100644 zh/assets/js/a3ec58b8.8df4ac18.js create mode 100644 zh/assets/js/a7bd4aaa.d2fc12fe.js delete mode 100644 zh/assets/js/a7bd4aaa.f175b6d3.js rename assets/js/a94703ab.1e5da719.js => zh/assets/js/a94703ab.c2f69992.js (98%) delete mode 100644 zh/assets/js/b2fd5509.7122b8c0.js create mode 100644 zh/assets/js/b2fd5509.c5f491a7.js delete mode 100644 zh/assets/js/b8002741.0c3813af.js create mode 100644 zh/assets/js/b8002741.b701907c.js create mode 100644 zh/assets/js/beafadc6.0c477833.js delete mode 100644 zh/assets/js/beafadc6.99797dd9.js create mode 100644 zh/assets/js/cfa189fe.3e77115a.js delete mode 100644 zh/assets/js/cfa189fe.e4441555.js delete mode 100644 zh/assets/js/d123a91e.5966c654.js create mode 100644 zh/assets/js/d123a91e.9cc630b6.js create mode 100644 zh/assets/js/d627673e.0ca0c1e8.js delete mode 100644 zh/assets/js/d627673e.168f71c1.js create mode 100644 zh/assets/js/dcd62276.d1deb937.js create mode 100644 zh/assets/js/dd22e55f.904eae92.js delete mode 100644 zh/assets/js/dd22e55f.f6992e16.js create mode 100644 zh/assets/js/dd7cd9f3.af0db619.js delete mode 100644 zh/assets/js/dd7cd9f3.b8c12490.js create mode 100644 zh/assets/js/df5dd15e.4d3d742a.js delete mode 100644 zh/assets/js/df5dd15e.9af4a68d.js delete mode 100644 zh/assets/js/e1787277.186ba958.js create mode 100644 zh/assets/js/e1787277.503757c5.js create mode 100644 zh/assets/js/e65553dc.12425f1c.js delete mode 100644 zh/assets/js/e65553dc.9f303148.js create mode 100644 zh/assets/js/e7c9153a.3c137bb6.js delete mode 100644 zh/assets/js/e7c9153a.d01cad85.js create mode 100644 zh/assets/js/e83743cd.45cdc065.js delete mode 100644 zh/assets/js/e83743cd.aae94911.js create mode 100644 zh/assets/js/main.0ebf62be.js rename zh/assets/js/{main.ab89c807.js.LICENSE.txt => main.0ebf62be.js.LICENSE.txt} (100%) delete mode 100644 zh/assets/js/main.ab89c807.js delete mode 100644 zh/assets/js/runtime~main.4d44cc88.js create mode 100644 zh/assets/js/runtime~main.86741a47.js diff --git a/404.html b/404.html index 78e827bd6..27ab0fde3 100644 --- a/404.html +++ b/404.html @@ -2,13 +2,13 @@ - -K3s - - + +K3s + + -
Skip to main content

Page Not Found

We could not find what you were looking for.

Please contact the owner of the site that linked you to the original URL and let them know their link is broken.

diff --git a/architecture.html b/architecture.html index ede7abbda..4c1f7efde 100644 --- a/architecture.html +++ b/architecture.html @@ -2,24 +2,24 @@ - -Architecture | K3s - - + +Architecture | K3s + + -
Skip to main content

Architecture

Servers and Agents

+

Architecture

Servers and Agents

  • A server node is defined as a host running the k3s server command, with control-plane and datastore components managed by K3s.
  • An agent node is defined as a host running the k3s agent command, without any datastore or control-plane components.
  • Both servers and agents run the kubelet, container runtime, and CNI. See the Advanced Options documentation for more information on running agentless servers.

-

Single-server Setup with an Embedded DB

+

Single-server Setup with an Embedded DB

The following diagram shows an example of a cluster that has a single-node K3s server with an embedded SQLite database.

In this configuration, each agent node is registered to the same server node. A K3s user can manipulate Kubernetes resources by calling the K3s API on the server node.

K3s Architecture with a Single ServerK3s Architecture with a Single Server -

High-Availability K3s

+

High-Availability K3s

Single server clusters can meet a variety of use cases, but for environments where uptime of the Kubernetes control plane is critical, you can run K3s in an HA configuration. An HA K3s cluster comprises:

  • Three or more server nodes that will serve the Kubernetes API and run other control plane services
    • @@ -28,15 +28,15 @@

    High-A
  • Two or more server nodes that will serve the Kubernetes API and run other control plane services
  • An external datastore (such as MySQL, PostgreSQL, or etcd)

K3s Architecture with High-availability Servers and an External DBK3s Architecture with High-availability Servers and an External DB
-

Fixed Registration Address for Agent Nodes

+

Fixed Registration Address for Agent Nodes

In the high-availability server configuration, each node can also register with the Kubernetes API by using a fixed registration address, as shown in the diagram below.

After registration, the agent nodes establish a connection directly to one of the server nodes.

Agent Registration HAAgent Registration HA -

How Agent Node Registration Works

+

How Agent Node Registration Works

Agent nodes are registered with a websocket connection initiated by the k3s agent process, and the connection is maintained by a client-side load balancer running as part of the agent process. Initially, the agent connects to the supervisor (and kube-apiserver) via the local load-balancer on port 6443. The load-balancer maintains a list of available endpoints to connect to. The default (and initially only) endpoint is seeded by the hostname from the --server address. Once it connects to the cluster, the agent retrieves a list of kube-apiserver addresses from the Kubernetes service endpoint list in the default namespace. Those endpoints are added to the load balancer, which then maintains stable connections to all servers in the cluster, providing a connection to the kube-apiserver that tolerates outages of individual servers.

Agents will register with the server using the node cluster secret along with a randomly generated password for the node, stored at /etc/rancher/node/password. The server will store the passwords for individual nodes as Kubernetes secrets, and any subsequent attempts must use the same password. Node password secrets are stored in the kube-system namespace with names using the template <host>.node-password.k3s. This is done to protect the integrity of node IDs.

If the /etc/rancher/node directory of an agent is removed, or you wish to rejoin a node using an existing name, the node should be deleted from the cluster. This will clean up both the old node entry, and the node password secret, and allow the node to (re)join the cluster.

-

If you frequently reuse hostnames, but are unable to remove the node password secrets, a unique node ID can be automatically appended to the hostname by launching K3s servers or agents using the --with-node-id flag. When enabled, the node ID is also stored in /etc/rancher/node/.

Copyright © 2024 K3s Project Authors. All rights reserved.
The Linux Foundation has registered trademarks +

If you frequently reuse hostnames, but are unable to remove the node password secrets, a unique node ID can be automatically appended to the hostname by launching K3s servers or agents using the --with-node-id flag. When enabled, the node ID is also stored in /etc/rancher/node/.

diff --git a/assets/css/styles.0bb257a4.css b/assets/css/styles.3fb89a44.css similarity index 51% rename from assets/css/styles.0bb257a4.css rename to assets/css/styles.3fb89a44.css index c8ae8016a..84c11f1e3 100644 --- a/assets/css/styles.0bb257a4.css +++ b/assets/css/styles.3fb89a44.css @@ -1 +1 @@ -.col,.container{padding:0 var(--ifm-spacing-horizontal);width:100%}.markdown>h2,.markdown>h3,.markdown>h4,.markdown>h5,.markdown>h6{margin-bottom:calc(var(--ifm-heading-vertical-rhythm-bottom)*var(--ifm-leading))}pre,table{overflow:auto}blockquote,pre{margin:0 0 var(--ifm-spacing-vertical)}.breadcrumbs__link,.button{transition-timing-function:var(--ifm-transition-timing-default)}.button,code{vertical-align:middle}.button--outline.button--active,.button--outline:active,.button--outline:hover,:root{--ifm-button-color:var(--ifm-font-color-base-inverse)}.menu__link:hover,a{transition:color var(--ifm-transition-fast) var(--ifm-transition-timing-default)}.navbar--dark,:root{--ifm-navbar-link-hover-color:var(--ifm-color-primary)}.menu,.navbar-sidebar{overflow-x:hidden}:root,html[data-theme=dark]{--ifm-color-emphasis-500:var(--ifm-color-gray-500)}.markdown li,body{word-wrap:break-word}.toggleButton_gllP,html{-webkit-tap-highlight-color:transparent}*,.loadingRing_RJI3 div{box-sizing:border-box}.clean-list,.containsTaskList_mC6p,.details_lb9f>summary,.dropdown__menu,.menu__list{list-style:none}:root{--ifm-color-scheme:light;--ifm-dark-value:10%;--ifm-darker-value:15%;--ifm-darkest-value:30%;--ifm-light-value:15%;--ifm-lighter-value:30%;--ifm-lightest-value:50%;--ifm-contrast-background-value:90%;--ifm-contrast-foreground-value:70%;--ifm-contrast-background-dark-value:70%;--ifm-contrast-foreground-dark-value:90%;--ifm-color-primary:#3578e5;--ifm-color-secondary:#ebedf0;--ifm-color-success:#00a400;--ifm-color-info:#54c7ec;--ifm-color-warning:#ffba00;--ifm-color-danger:#fa383e;--ifm-color-primary-dark:#306cce;--ifm-color-primary-darker:#2d66c3;--ifm-color-primary-darkest:#2554a0;--ifm-color-primary-light:#538ce9;--ifm-color-primary-lighter:#72a1ed;--ifm-color-primary-lightest:#9abcf2;--ifm-color-primary-contrast-background:#ebf2fc;--ifm-color-primary-contrast-foreground:#102445;--ifm-color-secondary-dark:#d4d5d8;--ifm-color-secondary-darker:#c8c9cc;--ifm-color-secondary-darkest:#a4a6a8;--ifm-color-secondary-light:#eef0f2;--ifm-color-secondary-lighter:#f1f2f5;--ifm-color-secondary-lightest:#f5f6f8;--ifm-color-secondary-contrast-background:#fdfdfe;--ifm-color-secondary-contrast-foreground:#474748;--ifm-color-success-dark:#009400;--ifm-color-success-darker:#008b00;--ifm-color-success-darkest:#007300;--ifm-color-success-light:#26b226;--ifm-color-success-lighter:#4dbf4d;--ifm-color-success-lightest:#80d280;--ifm-color-success-contrast-background:#e6f6e6;--ifm-color-success-contrast-foreground:#003100;--ifm-color-info-dark:#4cb3d4;--ifm-color-info-darker:#47a9c9;--ifm-color-info-darkest:#3b8ba5;--ifm-color-info-light:#6ecfef;--ifm-color-info-lighter:#87d8f2;--ifm-color-info-lightest:#aae3f6;--ifm-color-info-contrast-background:#eef9fd;--ifm-color-info-contrast-foreground:#193c47;--ifm-color-warning-dark:#e6a700;--ifm-color-warning-darker:#d99e00;--ifm-color-warning-darkest:#b38200;--ifm-color-warning-light:#ffc426;--ifm-color-warning-lighter:#ffcf4d;--ifm-color-warning-lightest:#ffdd80;--ifm-color-warning-contrast-background:#fff8e6;--ifm-color-warning-contrast-foreground:#4d3800;--ifm-color-danger-dark:#e13238;--ifm-color-danger-darker:#d53035;--ifm-color-danger-darkest:#af272b;--ifm-color-danger-light:#fb565b;--ifm-color-danger-lighter:#fb7478;--ifm-color-danger-lightest:#fd9c9f;--ifm-color-danger-contrast-background:#ffebec;--ifm-color-danger-contrast-foreground:#4b1113;--ifm-color-white:#fff;--ifm-color-black:#000;--ifm-color-gray-0:var(--ifm-color-white);--ifm-color-gray-100:#f5f6f7;--ifm-color-gray-200:#ebedf0;--ifm-color-gray-300:#dadde1;--ifm-color-gray-400:#ccd0d5;--ifm-color-gray-500:#bec3c9;--ifm-color-gray-600:#8d949e;--ifm-color-gray-700:#606770;--ifm-color-gray-800:#444950;--ifm-color-gray-900:#1c1e21;--ifm-color-gray-1000:var(--ifm-color-black);--ifm-color-emphasis-0:var(--ifm-color-gray-0);--ifm-color-emphasis-100:var(--ifm-color-gray-100);--ifm-color-emphasis-200:var(--ifm-color-gray-200);--ifm-color-emphasis-300:var(--ifm-color-gray-300);--ifm-color-emphasis-400:var(--ifm-color-gray-400);--ifm-color-emphasis-600:var(--ifm-color-gray-600);--ifm-color-emphasis-700:var(--ifm-color-gray-700);--ifm-color-emphasis-800:var(--ifm-color-gray-800);--ifm-color-emphasis-900:var(--ifm-color-gray-900);--ifm-color-emphasis-1000:var(--ifm-color-gray-1000);--ifm-color-content:var(--ifm-color-emphasis-900);--ifm-color-content-inverse:var(--ifm-color-emphasis-0);--ifm-color-content-secondary:#525860;--ifm-background-color:#0000;--ifm-background-surface-color:var(--ifm-color-content-inverse);--ifm-global-border-width:1px;--ifm-global-radius:0.4rem;--ifm-hover-overlay:#0000000d;--ifm-font-color-base:var(--ifm-color-content);--ifm-font-color-base-inverse:var(--ifm-color-content-inverse);--ifm-font-color-secondary:var(--ifm-color-content-secondary);--ifm-font-family-base:system-ui,-apple-system,Segoe UI,Roboto,Ubuntu,Cantarell,Noto Sans,sans-serif,BlinkMacSystemFont,"Segoe UI",Helvetica,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";--ifm-font-family-monospace:SFMono-Regular,Menlo,Monaco,Consolas,"Liberation Mono","Courier New",monospace;--ifm-font-size-base:100%;--ifm-font-weight-light:300;--ifm-font-weight-normal:400;--ifm-font-weight-semibold:500;--ifm-font-weight-bold:700;--ifm-font-weight-base:var(--ifm-font-weight-normal);--ifm-line-height-base:1.65;--ifm-global-spacing:1rem;--ifm-spacing-vertical:var(--ifm-global-spacing);--ifm-spacing-horizontal:var(--ifm-global-spacing);--ifm-transition-fast:200ms;--ifm-transition-slow:400ms;--ifm-transition-timing-default:cubic-bezier(0.08,0.52,0.52,1);--ifm-global-shadow-lw:0 1px 2px 0 #0000001a;--ifm-global-shadow-md:0 5px 40px #0003;--ifm-global-shadow-tl:0 12px 28px 0 #0003,0 2px 4px 0 #0000001a;--ifm-z-index-dropdown:100;--ifm-z-index-fixed:200;--ifm-z-index-overlay:400;--ifm-container-width:1140px;--ifm-container-width-xl:1320px;--ifm-code-background:#f6f7f8;--ifm-code-border-radius:var(--ifm-global-radius);--ifm-code-font-size:90%;--ifm-code-padding-horizontal:0.1rem;--ifm-code-padding-vertical:0.1rem;--ifm-pre-background:var(--ifm-code-background);--ifm-pre-border-radius:var(--ifm-code-border-radius);--ifm-pre-color:inherit;--ifm-pre-line-height:1.45;--ifm-pre-padding:1rem;--ifm-heading-color:inherit;--ifm-heading-margin-top:0;--ifm-heading-margin-bottom:var(--ifm-spacing-vertical);--ifm-heading-font-family:var(--ifm-font-family-base);--ifm-heading-font-weight:var(--ifm-font-weight-bold);--ifm-heading-line-height:1.25;--ifm-h1-font-size:2rem;--ifm-h2-font-size:1.5rem;--ifm-h3-font-size:1.25rem;--ifm-h4-font-size:1rem;--ifm-h5-font-size:0.875rem;--ifm-h6-font-size:0.85rem;--ifm-image-alignment-padding:1.25rem;--ifm-leading-desktop:1.25;--ifm-leading:calc(var(--ifm-leading-desktop)*1rem);--ifm-list-left-padding:2rem;--ifm-list-margin:1rem;--ifm-list-item-margin:0.25rem;--ifm-list-paragraph-margin:1rem;--ifm-table-cell-padding:0.75rem;--ifm-table-background:#0000;--ifm-table-stripe-background:#00000008;--ifm-table-border-width:1px;--ifm-table-border-color:var(--ifm-color-emphasis-300);--ifm-table-head-background:inherit;--ifm-table-head-color:inherit;--ifm-table-head-font-weight:var(--ifm-font-weight-bold);--ifm-table-cell-color:inherit;--ifm-link-color:var(--ifm-color-primary);--ifm-link-decoration:none;--ifm-link-hover-color:var(--ifm-link-color);--ifm-link-hover-decoration:underline;--ifm-paragraph-margin-bottom:var(--ifm-leading);--ifm-blockquote-font-size:var(--ifm-font-size-base);--ifm-blockquote-border-left-width:2px;--ifm-blockquote-padding-horizontal:var(--ifm-spacing-horizontal);--ifm-blockquote-padding-vertical:0;--ifm-blockquote-shadow:none;--ifm-blockquote-color:var(--ifm-color-emphasis-800);--ifm-blockquote-border-color:var(--ifm-color-emphasis-300);--ifm-hr-background-color:var(--ifm-color-emphasis-500);--ifm-hr-height:1px;--ifm-hr-margin-vertical:1.5rem;--ifm-scrollbar-size:7px;--ifm-scrollbar-track-background-color:#f1f1f1;--ifm-scrollbar-thumb-background-color:silver;--ifm-scrollbar-thumb-hover-background-color:#a7a7a7;--ifm-alert-background-color:inherit;--ifm-alert-border-color:inherit;--ifm-alert-border-radius:var(--ifm-global-radius);--ifm-alert-border-width:0px;--ifm-alert-border-left-width:5px;--ifm-alert-color:var(--ifm-font-color-base);--ifm-alert-padding-horizontal:var(--ifm-spacing-horizontal);--ifm-alert-padding-vertical:var(--ifm-spacing-vertical);--ifm-alert-shadow:var(--ifm-global-shadow-lw);--ifm-avatar-intro-margin:1rem;--ifm-avatar-intro-alignment:inherit;--ifm-avatar-photo-size:3rem;--ifm-badge-background-color:inherit;--ifm-badge-border-color:inherit;--ifm-badge-border-radius:var(--ifm-global-radius);--ifm-badge-border-width:var(--ifm-global-border-width);--ifm-badge-color:var(--ifm-color-white);--ifm-badge-padding-horizontal:calc(var(--ifm-spacing-horizontal)*0.5);--ifm-badge-padding-vertical:calc(var(--ifm-spacing-vertical)*0.25);--ifm-breadcrumb-border-radius:1.5rem;--ifm-breadcrumb-spacing:0.5rem;--ifm-breadcrumb-color-active:var(--ifm-color-primary);--ifm-breadcrumb-item-background-active:var(--ifm-hover-overlay);--ifm-breadcrumb-padding-horizontal:0.8rem;--ifm-breadcrumb-padding-vertical:0.4rem;--ifm-breadcrumb-size-multiplier:1;--ifm-breadcrumb-separator:url('data:image/svg+xml;utf8,');--ifm-breadcrumb-separator-filter:none;--ifm-breadcrumb-separator-size:0.5rem;--ifm-breadcrumb-separator-size-multiplier:1.25;--ifm-button-background-color:inherit;--ifm-button-border-color:var(--ifm-button-background-color);--ifm-button-border-width:var(--ifm-global-border-width);--ifm-button-font-weight:var(--ifm-font-weight-bold);--ifm-button-padding-horizontal:1.5rem;--ifm-button-padding-vertical:0.375rem;--ifm-button-size-multiplier:1;--ifm-button-transition-duration:var(--ifm-transition-fast);--ifm-button-border-radius:calc(var(--ifm-global-radius)*var(--ifm-button-size-multiplier));--ifm-button-group-spacing:2px;--ifm-card-background-color:var(--ifm-background-surface-color);--ifm-card-border-radius:calc(var(--ifm-global-radius)*2);--ifm-card-horizontal-spacing:var(--ifm-global-spacing);--ifm-card-vertical-spacing:var(--ifm-global-spacing);--ifm-toc-border-color:var(--ifm-color-emphasis-300);--ifm-toc-link-color:var(--ifm-color-content-secondary);--ifm-toc-padding-vertical:0.5rem;--ifm-toc-padding-horizontal:0.5rem;--ifm-dropdown-background-color:var(--ifm-background-surface-color);--ifm-dropdown-font-weight:var(--ifm-font-weight-semibold);--ifm-dropdown-link-color:var(--ifm-font-color-base);--ifm-dropdown-hover-background-color:var(--ifm-hover-overlay);--ifm-footer-background-color:var(--ifm-color-emphasis-100);--ifm-footer-color:inherit;--ifm-footer-link-color:var(--ifm-color-emphasis-700);--ifm-footer-link-hover-color:var(--ifm-color-primary);--ifm-footer-link-horizontal-spacing:0.5rem;--ifm-footer-padding-horizontal:calc(var(--ifm-spacing-horizontal)*2);--ifm-footer-padding-vertical:calc(var(--ifm-spacing-vertical)*2);--ifm-footer-title-color:inherit;--ifm-footer-logo-max-width:min(30rem,90vw);--ifm-hero-background-color:var(--ifm-background-surface-color);--ifm-hero-text-color:var(--ifm-color-emphasis-800);--ifm-menu-color:var(--ifm-color-emphasis-700);--ifm-menu-color-active:var(--ifm-color-primary);--ifm-menu-color-background-active:var(--ifm-hover-overlay);--ifm-menu-color-background-hover:var(--ifm-hover-overlay);--ifm-menu-link-padding-horizontal:0.75rem;--ifm-menu-link-padding-vertical:0.375rem;--ifm-menu-link-sublist-icon:url('data:image/svg+xml;utf8,');--ifm-menu-link-sublist-icon-filter:none;--ifm-navbar-background-color:var(--ifm-background-surface-color);--ifm-navbar-height:3.75rem;--ifm-navbar-item-padding-horizontal:0.75rem;--ifm-navbar-item-padding-vertical:0.25rem;--ifm-navbar-link-color:var(--ifm-font-color-base);--ifm-navbar-link-active-color:var(--ifm-link-color);--ifm-navbar-padding-horizontal:var(--ifm-spacing-horizontal);--ifm-navbar-padding-vertical:calc(var(--ifm-spacing-vertical)*0.5);--ifm-navbar-shadow:var(--ifm-global-shadow-lw);--ifm-navbar-search-input-background-color:var(--ifm-color-emphasis-200);--ifm-navbar-search-input-color:var(--ifm-color-emphasis-800);--ifm-navbar-search-input-placeholder-color:var(--ifm-color-emphasis-500);--ifm-navbar-search-input-icon:url('data:image/svg+xml;utf8,');--ifm-navbar-sidebar-width:83vw;--ifm-pagination-border-radius:var(--ifm-global-radius);--ifm-pagination-color-active:var(--ifm-color-primary);--ifm-pagination-font-size:1rem;--ifm-pagination-item-active-background:var(--ifm-hover-overlay);--ifm-pagination-page-spacing:0.2em;--ifm-pagination-padding-horizontal:calc(var(--ifm-spacing-horizontal)*1);--ifm-pagination-padding-vertical:calc(var(--ifm-spacing-vertical)*0.25);--ifm-pagination-nav-border-radius:var(--ifm-global-radius);--ifm-pagination-nav-color-hover:var(--ifm-color-primary);--ifm-pills-color-active:var(--ifm-color-primary);--ifm-pills-color-background-active:var(--ifm-hover-overlay);--ifm-pills-spacing:0.125rem;--ifm-tabs-color:var(--ifm-font-color-secondary);--ifm-tabs-color-active:var(--ifm-color-primary);--ifm-tabs-color-active-border:var(--ifm-tabs-color-active);--ifm-tabs-padding-horizontal:1rem;--ifm-tabs-padding-vertical:1rem;--docusaurus-progress-bar-color:var(--ifm-color-primary);--ifm-color-primary:#06527a;--ifm-color-primary-dark:#054a6e;--ifm-color-primary-darker:#054668;--ifm-color-primary-darkest:#043955;--ifm-color-primary-light:#075a86;--ifm-color-primary-lighter:#075e8c;--ifm-color-primary-lightest:#086b9f;--ifm-color-secondary:#ffc61c;--ifm-color-secondary-light:#ffcd38;--dark:#33313b;--light:#f3f3f3;--docusaurus-announcement-bar-height:auto;--docusaurus-tag-list-border:var(--ifm-color-emphasis-300);--docusaurus-collapse-button-bg:#0000;--docusaurus-collapse-button-bg-hover:#0000001a;--doc-sidebar-width:300px;--doc-sidebar-hidden-width:30px}.badge--danger,.badge--info,.badge--primary,.badge--secondary,.badge--success,.badge--warning{--ifm-badge-border-color:var(--ifm-badge-background-color)}.button--link,.button--outline{--ifm-button-background-color:#0000}html{background-color:var(--ifm-background-color);color:var(--ifm-font-color-base);color-scheme:var(--ifm-color-scheme);font:var(--ifm-font-size-base)/var(--ifm-line-height-base) var(--ifm-font-family-base);-webkit-font-smoothing:antialiased;text-rendering:optimizelegibility;-webkit-text-size-adjust:100%;text-size-adjust:100%}iframe{border:0;color-scheme:auto}.container{margin:0 auto;max-width:var(--ifm-container-width)}.container--fluid{max-width:inherit}.row{display:flex;flex-wrap:wrap;margin:0 calc(var(--ifm-spacing-horizontal)*-1)}.margin-bottom--none,.margin-vert--none,.markdown>:last-child{margin-bottom:0!important}.margin-top--none,.margin-vert--none,.tabItem_LNqP{margin-top:0!important}.row--no-gutters{margin-left:0;margin-right:0}.margin-horiz--none,.margin-right--none{margin-right:0!important}.row--no-gutters>.col{padding-left:0;padding-right:0}.row--align-top{align-items:flex-start}.row--align-bottom{align-items:flex-end}.menuExternalLink_NmtK,.row--align-center{align-items:center}.row--align-stretch{align-items:stretch}.row--align-baseline{align-items:baseline}.col{--ifm-col-width:100%;flex:1 0;margin-left:0;max-width:var(--ifm-col-width)}.padding-bottom--none,.padding-vert--none{padding-bottom:0!important}.padding-top--none,.padding-vert--none{padding-top:0!important}.padding-horiz--none,.padding-left--none{padding-left:0!important}.padding-horiz--none,.padding-right--none{padding-right:0!important}.col[class*=col--]{flex:0 0 var(--ifm-col-width)}.col--1{--ifm-col-width:8.33333%}.col--offset-1{margin-left:8.33333%}.col--2{--ifm-col-width:16.66667%}.col--offset-2{margin-left:16.66667%}.col--3{--ifm-col-width:25%}.col--offset-3{margin-left:25%}.col--4{--ifm-col-width:33.33333%}.col--offset-4{margin-left:33.33333%}.col--5{--ifm-col-width:41.66667%}.col--offset-5{margin-left:41.66667%}.col--6{--ifm-col-width:50%}.col--offset-6{margin-left:50%}.col--7{--ifm-col-width:58.33333%}.col--offset-7{margin-left:58.33333%}.col--8{--ifm-col-width:66.66667%}.col--offset-8{margin-left:66.66667%}.col--9{--ifm-col-width:75%}.col--offset-9{margin-left:75%}.col--10{--ifm-col-width:83.33333%}.col--offset-10{margin-left:83.33333%}.col--11{--ifm-col-width:91.66667%}.col--offset-11{margin-left:91.66667%}.col--12{--ifm-col-width:100%}.col--offset-12{margin-left:100%}.margin-horiz--none,.margin-left--none{margin-left:0!important}.margin--none{margin:0!important}.margin-bottom--xs,.margin-vert--xs{margin-bottom:.25rem!important}.margin-top--xs,.margin-vert--xs{margin-top:.25rem!important}.margin-horiz--xs,.margin-left--xs{margin-left:.25rem!important}.margin-horiz--xs,.margin-right--xs{margin-right:.25rem!important}.margin--xs{margin:.25rem!important}.margin-bottom--sm,.margin-vert--sm{margin-bottom:.5rem!important}.margin-top--sm,.margin-vert--sm{margin-top:.5rem!important}.margin-horiz--sm,.margin-left--sm{margin-left:.5rem!important}.margin-horiz--sm,.margin-right--sm{margin-right:.5rem!important}.margin--sm{margin:.5rem!important}.margin-bottom--md,.margin-vert--md{margin-bottom:1rem!important}.margin-top--md,.margin-vert--md{margin-top:1rem!important}.margin-horiz--md,.margin-left--md{margin-left:1rem!important}.margin-horiz--md,.margin-right--md{margin-right:1rem!important}.margin--md{margin:1rem!important}.margin-bottom--lg,.margin-vert--lg{margin-bottom:2rem!important}.margin-top--lg,.margin-vert--lg{margin-top:2rem!important}.margin-horiz--lg,.margin-left--lg{margin-left:2rem!important}.margin-horiz--lg,.margin-right--lg{margin-right:2rem!important}.margin--lg{margin:2rem!important}.margin-bottom--xl,.margin-vert--xl{margin-bottom:5rem!important}.margin-top--xl,.margin-vert--xl{margin-top:5rem!important}.margin-horiz--xl,.margin-left--xl{margin-left:5rem!important}.margin-horiz--xl,.margin-right--xl{margin-right:5rem!important}.margin--xl{margin:5rem!important}.padding--none{padding:0!important}.padding-bottom--xs,.padding-vert--xs{padding-bottom:.25rem!important}.padding-top--xs,.padding-vert--xs{padding-top:.25rem!important}.padding-horiz--xs,.padding-left--xs{padding-left:.25rem!important}.padding-horiz--xs,.padding-right--xs{padding-right:.25rem!important}.padding--xs{padding:.25rem!important}.padding-bottom--sm,.padding-vert--sm{padding-bottom:.5rem!important}.padding-top--sm,.padding-vert--sm{padding-top:.5rem!important}.padding-horiz--sm,.padding-left--sm{padding-left:.5rem!important}.padding-horiz--sm,.padding-right--sm{padding-right:.5rem!important}.padding--sm{padding:.5rem!important}.padding-bottom--md,.padding-vert--md{padding-bottom:1rem!important}.padding-top--md,.padding-vert--md{padding-top:1rem!important}.padding-horiz--md,.padding-left--md{padding-left:1rem!important}.padding-horiz--md,.padding-right--md{padding-right:1rem!important}.padding--md{padding:1rem!important}.padding-bottom--lg,.padding-vert--lg{padding-bottom:2rem!important}.padding-top--lg,.padding-vert--lg{padding-top:2rem!important}.padding-horiz--lg,.padding-left--lg{padding-left:2rem!important}.padding-horiz--lg,.padding-right--lg{padding-right:2rem!important}.padding--lg{padding:2rem!important}.padding-bottom--xl,.padding-vert--xl{padding-bottom:5rem!important}.padding-top--xl,.padding-vert--xl{padding-top:5rem!important}.padding-horiz--xl,.padding-left--xl{padding-left:5rem!important}.padding-horiz--xl,.padding-right--xl{padding-right:5rem!important}.padding--xl{padding:5rem!important}code{background-color:var(--ifm-code-background);border:.1rem solid #0000001a;border-radius:var(--ifm-code-border-radius);font-family:var(--ifm-font-family-monospace);font-size:var(--ifm-code-font-size);padding:var(--ifm-code-padding-vertical) var(--ifm-code-padding-horizontal)}a code{color:inherit}pre{background-color:var(--ifm-pre-background);border-radius:var(--ifm-pre-border-radius);color:var(--ifm-pre-color);font:var(--ifm-code-font-size)/var(--ifm-pre-line-height) var(--ifm-font-family-monospace);padding:var(--ifm-pre-padding)}pre code{background-color:initial;border:none;font-size:100%;line-height:inherit;padding:0}kbd{background-color:var(--ifm-color-emphasis-0);border:1px solid var(--ifm-color-emphasis-400);border-radius:.2rem;box-shadow:inset 0 -1px 0 var(--ifm-color-emphasis-400);color:var(--ifm-color-emphasis-800);font:80% var(--ifm-font-family-monospace);padding:.15rem .3rem}h1,h2,h3,h4,h5,h6{color:var(--ifm-heading-color);font-family:var(--ifm-heading-font-family);font-weight:var(--ifm-heading-font-weight);line-height:var(--ifm-heading-line-height);margin:var(--ifm-heading-margin-top) 0 var(--ifm-heading-margin-bottom) 0}h1{font-size:var(--ifm-h1-font-size)}h2{font-size:var(--ifm-h2-font-size)}h3{font-size:var(--ifm-h3-font-size)}h4{font-size:var(--ifm-h4-font-size)}h5{font-size:var(--ifm-h5-font-size)}h6{font-size:var(--ifm-h6-font-size)}.container_lyt7,.container_lyt7>svg,img{max-width:100%}img[align=right]{padding-left:var(--image-alignment-padding)}img[align=left]{padding-right:var(--image-alignment-padding)}.markdown{--ifm-h1-vertical-rhythm-top:3;--ifm-h2-vertical-rhythm-top:2;--ifm-h3-vertical-rhythm-top:1.5;--ifm-heading-vertical-rhythm-top:1.25;--ifm-h1-vertical-rhythm-bottom:1.25;--ifm-heading-vertical-rhythm-bottom:1}.markdown:after,.markdown:before{content:"";display:table}.markdown:after{clear:both}.markdown h1:first-child{--ifm-h1-font-size:3rem;margin-bottom:calc(var(--ifm-h1-vertical-rhythm-bottom)*var(--ifm-leading))}.markdown>h2{--ifm-h2-font-size:2rem;margin-top:calc(var(--ifm-h2-vertical-rhythm-top)*var(--ifm-leading))}.markdown>h3{--ifm-h3-font-size:1.5rem;margin-top:calc(var(--ifm-h3-vertical-rhythm-top)*var(--ifm-leading))}.markdown>h4,.markdown>h5,.markdown>h6{margin-top:calc(var(--ifm-heading-vertical-rhythm-top)*var(--ifm-leading))}.markdown>p,.markdown>pre,.markdown>ul,.tabList__CuJ{margin-bottom:var(--ifm-leading)}.markdown li>p{margin-top:var(--ifm-list-paragraph-margin)}.markdown li+li{margin-top:var(--ifm-list-item-margin)}ol,ul{margin:0 0 var(--ifm-list-margin);padding-left:var(--ifm-list-left-padding)}ol ol,ul ol{list-style-type:lower-roman}ol ol,ol ul,ul ol,ul ul{margin:0}ol ol ol,ol ul ol,ul ol ol,ul ul ol{list-style-type:lower-alpha}table{border-collapse:collapse;display:block;margin-bottom:var(--ifm-spacing-vertical)}table thead tr{border-bottom:2px solid var(--ifm-table-border-color)}table thead,table tr:nth-child(2n){background-color:var(--ifm-table-stripe-background)}table tr{background-color:var(--ifm-table-background);border-top:var(--ifm-table-border-width) solid var(--ifm-table-border-color)}table td,table th{border:var(--ifm-table-border-width) solid var(--ifm-table-border-color);padding:var(--ifm-table-cell-padding)}table th{background-color:var(--ifm-table-head-background);color:var(--ifm-table-head-color);font-weight:var(--ifm-table-head-font-weight)}table td{color:var(--ifm-table-cell-color)}strong{font-weight:var(--ifm-font-weight-bold)}a{color:var(--ifm-link-color);text-decoration:var(--ifm-link-decoration)}a:hover{color:var(--ifm-link-hover-color);text-decoration:var(--ifm-link-hover-decoration)}.button:hover,.text--no-decoration,.text--no-decoration:hover,a:not([href]){text-decoration:none}p{margin:0 0 var(--ifm-paragraph-margin-bottom)}blockquote{border-left:var(--ifm-blockquote-border-left-width) solid var(--ifm-blockquote-border-color);box-shadow:var(--ifm-blockquote-shadow);color:var(--ifm-blockquote-color);font-size:var(--ifm-blockquote-font-size);padding:var(--ifm-blockquote-padding-vertical) var(--ifm-blockquote-padding-horizontal)}blockquote>:first-child{margin-top:0}blockquote>:last-child{margin-bottom:0}hr{background-color:var(--ifm-hr-background-color);border:0;height:var(--ifm-hr-height);margin:var(--ifm-hr-margin-vertical) 0;background-image:-webkit-linear-gradient(left,#f3f3f3,#adadb1,#f3f3f3);margin:0 auto}.shadow--lw{box-shadow:var(--ifm-global-shadow-lw)!important}.shadow--md{box-shadow:var(--ifm-global-shadow-md)!important}.shadow--tl{box-shadow:var(--ifm-global-shadow-tl)!important}.text--primary,.wordWrapButtonEnabled_EoeP .wordWrapButtonIcon_Bwma{color:var(--ifm-color-primary)}.text--secondary{color:var(--ifm-color-secondary)}.text--success{color:var(--ifm-color-success)}.text--info{color:var(--ifm-color-info)}.text--warning{color:var(--ifm-color-warning)}.text--danger{color:var(--ifm-color-danger)}.text--center{text-align:center}.text--left{text-align:left}.text--justify{text-align:justify}.text--right{text-align:right}.text--capitalize{text-transform:capitalize}.text--lowercase{text-transform:lowercase}.admonitionHeading_Gvgb,.alert__heading,.text--uppercase{text-transform:uppercase}.text--light{font-weight:var(--ifm-font-weight-light)}.text--normal{font-weight:var(--ifm-font-weight-normal)}.text--semibold{font-weight:var(--ifm-font-weight-semibold)}.text--bold{font-weight:var(--ifm-font-weight-bold)}.text--italic{font-style:italic}.text--truncate{overflow:hidden;text-overflow:ellipsis;white-space:nowrap}.text--break{word-wrap:break-word!important;word-break:break-word!important}.clean-btn{background:none;border:none;color:inherit;cursor:pointer;font-family:inherit;padding:0}.alert,.alert .close{color:var(--ifm-alert-foreground-color)}.clean-list{padding-left:0}.alert--primary{--ifm-alert-background-color:var(--ifm-color-primary-contrast-background);--ifm-alert-background-color-highlight:#3578e526;--ifm-alert-foreground-color:var(--ifm-color-primary-contrast-foreground);--ifm-alert-border-color:var(--ifm-color-primary-dark)}.alert--secondary{--ifm-alert-background-color:var(--ifm-color-secondary-contrast-background);--ifm-alert-background-color-highlight:#ebedf026;--ifm-alert-foreground-color:var(--ifm-color-secondary-contrast-foreground);--ifm-alert-border-color:var(--ifm-color-secondary-dark)}.alert--success{--ifm-alert-background-color:var(--ifm-color-success-contrast-background);--ifm-alert-background-color-highlight:#00a40026;--ifm-alert-foreground-color:var(--ifm-color-success-contrast-foreground);--ifm-alert-border-color:var(--ifm-color-success-dark)}.alert--info{--ifm-alert-background-color:var(--ifm-color-info-contrast-background);--ifm-alert-background-color-highlight:#54c7ec26;--ifm-alert-foreground-color:var(--ifm-color-info-contrast-foreground);--ifm-alert-border-color:var(--ifm-color-info-dark)}.alert--warning{--ifm-alert-background-color:var(--ifm-color-warning-contrast-background);--ifm-alert-background-color-highlight:#ffba0026;--ifm-alert-foreground-color:var(--ifm-color-warning-contrast-foreground);--ifm-alert-border-color:var(--ifm-color-warning-dark)}.alert--danger{--ifm-alert-background-color:var(--ifm-color-danger-contrast-background);--ifm-alert-background-color-highlight:#fa383e26;--ifm-alert-foreground-color:var(--ifm-color-danger-contrast-foreground);--ifm-alert-border-color:var(--ifm-color-danger-dark)}.alert{--ifm-code-background:var(--ifm-alert-background-color-highlight);--ifm-link-color:var(--ifm-alert-foreground-color);--ifm-link-hover-color:var(--ifm-alert-foreground-color);--ifm-link-decoration:underline;--ifm-tabs-color:var(--ifm-alert-foreground-color);--ifm-tabs-color-active:var(--ifm-alert-foreground-color);--ifm-tabs-color-active-border:var(--ifm-alert-border-color);background-color:var(--ifm-alert-background-color);border:var(--ifm-alert-border-width) solid var(--ifm-alert-border-color);border-left-width:var(--ifm-alert-border-left-width);border-radius:var(--ifm-alert-border-radius);box-shadow:var(--ifm-alert-shadow);padding:var(--ifm-alert-padding-vertical) var(--ifm-alert-padding-horizontal)}.alert__heading{align-items:center;display:flex;font:700 var(--ifm-h5-font-size)/var(--ifm-heading-line-height) var(--ifm-heading-font-family);margin-bottom:.5rem}.alert__icon{display:inline-flex;margin-right:.4em}.alert__icon svg{fill:var(--ifm-alert-foreground-color);stroke:var(--ifm-alert-foreground-color);stroke-width:0}.alert .close{margin:calc(var(--ifm-alert-padding-vertical)*-1) calc(var(--ifm-alert-padding-horizontal)*-1) 0 0;opacity:.75}.alert .close:focus,.alert .close:hover{opacity:1}.alert a{text-decoration-color:var(--ifm-alert-border-color)}.alert a:hover{text-decoration-thickness:2px}.avatar{column-gap:var(--ifm-avatar-intro-margin);display:flex}.avatar__photo{border-radius:50%;display:block;height:var(--ifm-avatar-photo-size);overflow:hidden;width:var(--ifm-avatar-photo-size)}.card--full-height,.navbar__logo img,body,html{height:100%}.avatar__photo--sm{--ifm-avatar-photo-size:2rem}.avatar__photo--lg{--ifm-avatar-photo-size:4rem}.avatar__photo--xl{--ifm-avatar-photo-size:6rem}.avatar__intro{display:flex;flex:1 1;flex-direction:column;justify-content:center;text-align:var(--ifm-avatar-intro-alignment)}.badge,.breadcrumbs__item,.breadcrumbs__link,.button,.dropdown>.navbar__link:after,.searchBarContainer_NW3z.searchIndexLoading_EJ1f .searchBarLoadingRing_YnHq{display:inline-block}.avatar__name{font:700 var(--ifm-h4-font-size)/var(--ifm-heading-line-height) var(--ifm-font-family-base)}.avatar__subtitle{margin-top:.25rem}.avatar--vertical{--ifm-avatar-intro-alignment:center;--ifm-avatar-intro-margin:0.5rem;align-items:center;flex-direction:column}.badge{background-color:var(--ifm-badge-background-color);border:var(--ifm-badge-border-width) solid var(--ifm-badge-border-color);border-radius:var(--ifm-badge-border-radius);color:var(--ifm-badge-color);font-size:75%;font-weight:var(--ifm-font-weight-bold);line-height:1;padding:var(--ifm-badge-padding-vertical) var(--ifm-badge-padding-horizontal)}.badge--primary{--ifm-badge-background-color:var(--ifm-color-primary)}.badge--secondary{--ifm-badge-background-color:var(--ifm-color-secondary);color:var(--ifm-color-black)}.breadcrumbs__link,.button.button--secondary.button--outline:not(.button--active):not(:hover){color:var(--ifm-font-color-base)}.badge--success{--ifm-badge-background-color:var(--ifm-color-success)}.badge--info{--ifm-badge-background-color:var(--ifm-color-info)}.badge--warning{--ifm-badge-background-color:var(--ifm-color-warning)}.badge--danger{--ifm-badge-background-color:var(--ifm-color-danger)}.breadcrumbs{margin-bottom:0;padding-left:0}.breadcrumbs__item:not(:last-child):after{background:var(--ifm-breadcrumb-separator) center;content:" ";display:inline-block;filter:var(--ifm-breadcrumb-separator-filter);height:calc(var(--ifm-breadcrumb-separator-size)*var(--ifm-breadcrumb-size-multiplier)*var(--ifm-breadcrumb-separator-size-multiplier));margin:0 var(--ifm-breadcrumb-spacing);opacity:.5;width:calc(var(--ifm-breadcrumb-separator-size)*var(--ifm-breadcrumb-size-multiplier)*var(--ifm-breadcrumb-separator-size-multiplier))}.breadcrumbs__item--active .breadcrumbs__link{background:var(--ifm-breadcrumb-item-background-active);color:var(--ifm-breadcrumb-color-active)}.breadcrumbs__link{border-radius:var(--ifm-breadcrumb-border-radius);font-size:calc(1rem*var(--ifm-breadcrumb-size-multiplier));padding:calc(var(--ifm-breadcrumb-padding-vertical)*var(--ifm-breadcrumb-size-multiplier)) calc(var(--ifm-breadcrumb-padding-horizontal)*var(--ifm-breadcrumb-size-multiplier));transition-duration:var(--ifm-transition-fast);transition-property:background,color}.breadcrumbs__link:any-link:hover,.breadcrumbs__link:link:hover,.breadcrumbs__link:visited:hover,area[href].breadcrumbs__link:hover{background:var(--ifm-breadcrumb-item-background-active);text-decoration:none}.breadcrumbs--sm{--ifm-breadcrumb-size-multiplier:0.8}.breadcrumbs--lg{--ifm-breadcrumb-size-multiplier:1.2}.button{background-color:var(--ifm-button-background-color);border:var(--ifm-button-border-width) solid var(--ifm-button-border-color);border-radius:var(--ifm-button-border-radius);cursor:pointer;font-size:calc(.875rem*var(--ifm-button-size-multiplier));font-weight:var(--ifm-button-font-weight);line-height:1.5;padding:calc(var(--ifm-button-padding-vertical)*var(--ifm-button-size-multiplier)) calc(var(--ifm-button-padding-horizontal)*var(--ifm-button-size-multiplier));text-align:center;transition-duration:var(--ifm-button-transition-duration);transition-property:color,background,border-color;-webkit-user-select:none;user-select:none;white-space:nowrap}.button,.button:hover{color:var(--ifm-button-color)}.button--outline{--ifm-button-color:var(--ifm-button-border-color)}.button--outline:hover{--ifm-button-background-color:var(--ifm-button-border-color)}.button--link{--ifm-button-border-color:#0000;color:var(--ifm-link-color);text-decoration:var(--ifm-link-decoration)}.button--link.button--active,.button--link:active,.button--link:hover{color:var(--ifm-link-hover-color);text-decoration:var(--ifm-link-hover-decoration)}.button.disabled,.button:disabled,.button[disabled]{opacity:.65;pointer-events:none}.button--sm{--ifm-button-size-multiplier:0.8}.button--lg{--ifm-button-size-multiplier:1.35}.button--block{display:block;width:100%}.button.button--secondary{color:var(--ifm-color-gray-900)}:where(.button--primary){--ifm-button-background-color:var(--ifm-color-primary);--ifm-button-border-color:var(--ifm-color-primary)}:where(.button--primary):not(.button--outline):hover{--ifm-button-background-color:var(--ifm-color-primary-dark);--ifm-button-border-color:var(--ifm-color-primary-dark)}.button--primary.button--active,.button--primary:active{--ifm-button-background-color:var(--ifm-color-primary-darker);--ifm-button-border-color:var(--ifm-color-primary-darker)}:where(.button--secondary){--ifm-button-background-color:var(--ifm-color-secondary);--ifm-button-border-color:var(--ifm-color-secondary)}:where(.button--secondary):not(.button--outline):hover{--ifm-button-background-color:var(--ifm-color-secondary-dark);--ifm-button-border-color:var(--ifm-color-secondary-dark)}.button--secondary.button--active,.button--secondary:active{--ifm-button-background-color:var(--ifm-color-secondary-darker);--ifm-button-border-color:var(--ifm-color-secondary-darker)}:where(.button--success){--ifm-button-background-color:var(--ifm-color-success);--ifm-button-border-color:var(--ifm-color-success)}:where(.button--success):not(.button--outline):hover{--ifm-button-background-color:var(--ifm-color-success-dark);--ifm-button-border-color:var(--ifm-color-success-dark)}.button--success.button--active,.button--success:active{--ifm-button-background-color:var(--ifm-color-success-darker);--ifm-button-border-color:var(--ifm-color-success-darker)}:where(.button--info){--ifm-button-background-color:var(--ifm-color-info);--ifm-button-border-color:var(--ifm-color-info)}:where(.button--info):not(.button--outline):hover{--ifm-button-background-color:var(--ifm-color-info-dark);--ifm-button-border-color:var(--ifm-color-info-dark)}.button--info.button--active,.button--info:active{--ifm-button-background-color:var(--ifm-color-info-darker);--ifm-button-border-color:var(--ifm-color-info-darker)}:where(.button--warning){--ifm-button-background-color:var(--ifm-color-warning);--ifm-button-border-color:var(--ifm-color-warning)}:where(.button--warning):not(.button--outline):hover{--ifm-button-background-color:var(--ifm-color-warning-dark);--ifm-button-border-color:var(--ifm-color-warning-dark)}.button--warning.button--active,.button--warning:active{--ifm-button-background-color:var(--ifm-color-warning-darker);--ifm-button-border-color:var(--ifm-color-warning-darker)}:where(.button--danger){--ifm-button-background-color:var(--ifm-color-danger);--ifm-button-border-color:var(--ifm-color-danger)}:where(.button--danger):not(.button--outline):hover{--ifm-button-background-color:var(--ifm-color-danger-dark);--ifm-button-border-color:var(--ifm-color-danger-dark)}.button--danger.button--active,.button--danger:active{--ifm-button-background-color:var(--ifm-color-danger-darker);--ifm-button-border-color:var(--ifm-color-danger-darker)}.button-group{display:inline-flex;gap:var(--ifm-button-group-spacing)}.button-group>.button:not(:first-child){border-bottom-left-radius:0;border-top-left-radius:0}.button-group>.button:not(:last-child){border-bottom-right-radius:0;border-top-right-radius:0}.button-group--block{display:flex;justify-content:stretch}.button-group--block>.button{flex-grow:1}.card{background-color:var(--ifm-card-background-color);border-radius:var(--ifm-card-border-radius);box-shadow:var(--ifm-global-shadow-lw);display:flex;flex-direction:column;overflow:hidden}.card__image{padding-top:var(--ifm-card-vertical-spacing)}.card__image:first-child{padding-top:0}.card__body,.card__footer,.card__header{padding:var(--ifm-card-vertical-spacing) var(--ifm-card-horizontal-spacing)}.card__body:not(:last-child),.card__footer:not(:last-child),.card__header:not(:last-child){padding-bottom:0}.card__body>:last-child,.card__footer>:last-child,.card__header>:last-child{margin-bottom:0}.card__footer{margin-top:auto}.table-of-contents{font-size:.8rem;margin-bottom:0;padding:var(--ifm-toc-padding-vertical) 0}.table-of-contents,.table-of-contents ul{list-style:none;padding-left:var(--ifm-toc-padding-horizontal)}.table-of-contents li{margin:var(--ifm-toc-padding-vertical) var(--ifm-toc-padding-horizontal)}.table-of-contents__left-border{border-left:1px solid var(--ifm-toc-border-color)}.table-of-contents__link{color:var(--ifm-toc-link-color);display:block}.table-of-contents__link--active,.table-of-contents__link--active code,.table-of-contents__link:hover,.table-of-contents__link:hover code{color:var(--ifm-color-primary);text-decoration:none}.content_knG7 a,.hitFooter_E9YW a,.suggestion_fB_2.cursor_eG29 mark{text-decoration:underline}.close{color:var(--ifm-color-black);float:right;font-size:1.5rem;font-weight:var(--ifm-font-weight-bold);line-height:1;opacity:.5;padding:1rem;transition:opacity var(--ifm-transition-fast) var(--ifm-transition-timing-default)}.close:hover{opacity:.7}.close:focus,.theme-code-block-highlighted-line .codeLineNumber_Tfdd:before{opacity:.8}.dropdown{display:inline-flex;font-weight:var(--ifm-dropdown-font-weight);position:relative;vertical-align:top}.dropdown--hoverable:hover .dropdown__menu,.dropdown--show .dropdown__menu{opacity:1;pointer-events:all;transform:translateY(-1px);visibility:visible}.dropdown--right .dropdown__menu{left:inherit;right:0}.dropdown--nocaret .navbar__link:after{content:none!important}.dropdown__menu{background-color:var(--ifm-dropdown-background-color);border-radius:var(--ifm-global-radius);box-shadow:var(--ifm-global-shadow-md);left:0;max-height:80vh;min-width:10rem;opacity:0;overflow-y:auto;padding:.5rem;pointer-events:none;position:absolute;top:calc(100% - var(--ifm-navbar-item-padding-vertical) + .3rem);transform:translateY(-.625rem);transition-duration:var(--ifm-transition-fast);transition-property:opacity,transform,visibility;transition-timing-function:var(--ifm-transition-timing-default);visibility:hidden;z-index:var(--ifm-z-index-dropdown)}.menu__caret,.menu__link,.menu__list-item-collapsible{border-radius:.25rem;transition:background var(--ifm-transition-fast) var(--ifm-transition-timing-default)}.dropdown__link{border-radius:.25rem;color:var(--ifm-dropdown-link-color);display:block;font-size:.875rem;margin-top:.2rem;padding:.25rem .5rem;white-space:nowrap}.dropdown__link--active,.dropdown__link:hover{background-color:var(--ifm-dropdown-hover-background-color);color:var(--ifm-dropdown-link-color);text-decoration:none}.dropdown__link--active,.dropdown__link--active:hover{--ifm-dropdown-link-color:var(--ifm-link-color)}.dropdown>.navbar__link:after{border-color:currentcolor #0000;border-style:solid;border-width:.4em .4em 0;content:"";margin-left:.3em;position:relative;top:2px;transform:translateY(-50%)}.footer{background-color:var(--ifm-footer-background-color);color:var(--ifm-footer-color);padding:var(--ifm-footer-padding-vertical) var(--ifm-footer-padding-horizontal)}.footer--dark{--ifm-footer-background-color:#303846;--ifm-footer-color:var(--ifm-footer-link-color);--ifm-footer-link-color:var(--ifm-color-secondary);--ifm-footer-title-color:var(--ifm-color-white)}.footer__links{margin-bottom:1rem}.footer__link-item{color:var(--ifm-footer-link-color);line-height:2}.footer__link-item:hover{color:var(--ifm-footer-link-hover-color)}.footer__link-separator{margin:0 var(--ifm-footer-link-horizontal-spacing)}.footer__logo{margin-top:1rem;max-width:var(--ifm-footer-logo-max-width)}.footer__title{color:var(--ifm-footer-title-color);font:700 var(--ifm-h4-font-size)/var(--ifm-heading-line-height) var(--ifm-font-family-base);margin-bottom:var(--ifm-heading-margin-bottom)}.menu,.navbar__link{font-weight:var(--ifm-font-weight-semibold)}.docItemContainer_Djhp article>:first-child,.docItemContainer_Djhp header+*,.footer__item{margin-top:0}.admonitionContent_BuS1>:last-child,.collapsibleContent_i85q p:last-child,.details_lb9f>summary>p:last-child,.footer__items,.searchResultItem_U687>h2,.tabItem_Ymn6>:last-child{margin-bottom:0}.codeBlockStandalone_MEMb,[type=checkbox]{padding:0}.hero{align-items:center;background-color:var(--ifm-hero-background-color);color:var(--ifm-hero-text-color);display:flex;padding:4rem 2rem}.hero--primary{--ifm-hero-background-color:var(--ifm-color-primary);--ifm-hero-text-color:var(--ifm-font-color-base-inverse)}.hero--dark{--ifm-hero-background-color:#303846;--ifm-hero-text-color:var(--ifm-color-white)}.hero__title{font-size:3rem}.hero__subtitle{font-size:1.5rem}.menu__list{margin:0;padding-left:0}.menu__caret,.menu__link{padding:var(--ifm-menu-link-padding-vertical) var(--ifm-menu-link-padding-horizontal)}.menu__list .menu__list{flex:0 0 100%;margin-top:.25rem;padding-left:var(--ifm-menu-link-padding-horizontal)}.menu__list-item:not(:first-child){margin-top:.25rem}.menu__list-item--collapsed .menu__list{height:0;overflow:hidden}.details_lb9f[data-collapsed=false].isBrowser_bmU9>summary:before,.details_lb9f[open]:not(.isBrowser_bmU9)>summary:before,.menu__list-item--collapsed .menu__caret:before,.menu__list-item--collapsed .menu__link--sublist:after{transform:rotate(90deg)}.menu__list-item-collapsible{display:flex;flex-wrap:wrap;position:relative}.menu__caret:hover,.menu__link:hover,.menu__list-item-collapsible--active,.menu__list-item-collapsible:hover{background:var(--ifm-menu-color-background-hover)}.menu__list-item-collapsible .menu__link--active,.menu__list-item-collapsible .menu__link:hover{background:none!important}.menu__caret,.menu__link{align-items:center;display:flex}.menu__link{color:var(--ifm-menu-color);flex:1;line-height:1.25}.menu__link:hover{color:var(--ifm-menu-color);text-decoration:none}.menu__caret:before,.menu__link--sublist-caret:after{height:1.25rem;transform:rotate(180deg);transition:transform var(--ifm-transition-fast) linear;width:1.25rem;content:"";filter:var(--ifm-menu-link-sublist-icon-filter)}.menu__link--sublist-caret:after{background:var(--ifm-menu-link-sublist-icon) 50%/2rem 2rem;margin-left:auto;min-width:1.25rem}.navbar__items--center .navbar__brand,body{margin:0}.menu__link--active,.menu__link--active:hover{color:var(--ifm-menu-color-active)}.navbar__brand,.navbar__link{color:var(--ifm-navbar-link-color)}.menu__link--active:not(.menu__link--sublist){background-color:var(--ifm-menu-color-background-active)}.menu__caret:before{background:var(--ifm-menu-link-sublist-icon) 50%/2rem 2rem}.navbar--dark,html[data-theme=dark]{--ifm-menu-link-sublist-icon-filter:invert(100%) sepia(94%) saturate(17%) hue-rotate(223deg) brightness(104%) contrast(98%)}.navbar{background-color:var(--ifm-navbar-background-color);box-shadow:var(--ifm-navbar-shadow);height:var(--ifm-navbar-height);padding:var(--ifm-navbar-padding-vertical) var(--ifm-navbar-padding-horizontal)}.navbar,.navbar>.container,.navbar>.container-fluid{display:flex}.navbar--fixed-top{position:sticky;top:0;z-index:var(--ifm-z-index-fixed)}.navbar-sidebar,.navbar-sidebar__backdrop{bottom:0;opacity:0;position:fixed;transition-duration:var(--ifm-transition-fast);transition-timing-function:ease-in-out;left:0;top:0;visibility:hidden}.navbar__inner{display:flex;flex-wrap:wrap;justify-content:space-between;width:100%}.navbar__brand{align-items:center;display:flex;margin-right:1rem;min-width:0}.navbar__brand:hover{color:var(--ifm-navbar-link-hover-color);text-decoration:none}.announcementBarContent_xLdY,.navbar__title{flex:1 1 auto}.navbar__toggle{display:none;margin-right:.5rem}.navbar__logo{flex:0 0 auto;height:2rem;margin-right:.5rem}.navbar__items{align-items:center;display:flex;flex:1;min-width:0}.navbar__items--center{flex:0 0 auto}.navbar__items--center+.navbar__items--right{flex:1}.navbar__items--right{flex:0 0 auto;justify-content:flex-end}.navbar__items--right>:last-child{padding-right:0}.navbar__item{display:inline-block;padding:var(--ifm-navbar-item-padding-vertical) var(--ifm-navbar-item-padding-horizontal)}#nprogress,.navbar__item.dropdown .navbar__link:not([href]){pointer-events:none}.navbar__link--active,.navbar__link:hover{color:var(--ifm-navbar-link-hover-color);text-decoration:none}.navbar--dark,.navbar--primary{--ifm-menu-color:var(--ifm-color-gray-300);--ifm-navbar-link-color:var(--ifm-color-gray-100);--ifm-navbar-search-input-background-color:#ffffff1a;--ifm-navbar-search-input-placeholder-color:#ffffff80;color:var(--ifm-color-white)}.navbar--dark{--ifm-navbar-background-color:#242526;--ifm-menu-color-background-active:#ffffff0d;--ifm-navbar-search-input-color:var(--ifm-color-white)}.navbar--primary{--ifm-navbar-background-color:var(--ifm-color-primary);--ifm-navbar-link-hover-color:var(--ifm-color-white);--ifm-menu-color-active:var(--ifm-color-white);--ifm-navbar-search-input-color:var(--ifm-color-emphasis-500)}.navbar__search-input{appearance:none;background:var(--ifm-navbar-search-input-background-color) var(--ifm-navbar-search-input-icon) no-repeat .75rem center/1rem 1rem;border:none;border-radius:2rem;color:var(--ifm-navbar-search-input-color);cursor:text;display:inline-block;font-size:.9rem;height:2rem;padding:0 .5rem 0 2.25rem;width:12.5rem}.navbar__search-input::placeholder{color:var(--ifm-navbar-search-input-placeholder-color)}.navbar-sidebar{background-color:var(--ifm-navbar-background-color);box-shadow:var(--ifm-global-shadow-md);transform:translate3d(-100%,0,0);transition-property:opacity,visibility,transform;width:var(--ifm-navbar-sidebar-width)}.navbar-sidebar--show .navbar-sidebar,.navbar-sidebar__items{transform:translateZ(0)}.navbar-sidebar--show .navbar-sidebar,.navbar-sidebar--show .navbar-sidebar__backdrop{opacity:1;visibility:visible}.navbar-sidebar__backdrop{background-color:#0009;right:0;transition-property:opacity,visibility}.navbar-sidebar__brand{align-items:center;box-shadow:var(--ifm-navbar-shadow);display:flex;flex:1;height:var(--ifm-navbar-height);padding:var(--ifm-navbar-padding-vertical) var(--ifm-navbar-padding-horizontal)}.navbar-sidebar__items{display:flex;height:calc(100% - var(--ifm-navbar-height));transition:transform var(--ifm-transition-fast) ease-in-out}.navbar-sidebar__items--show-secondary{transform:translate3d(calc((var(--ifm-navbar-sidebar-width))*-1),0,0)}.navbar-sidebar__item{flex-shrink:0;padding:.5rem;width:calc(var(--ifm-navbar-sidebar-width))}.navbar-sidebar__back{background:var(--ifm-menu-color-background-active);font-size:15px;font-weight:var(--ifm-button-font-weight);margin:0 0 .2rem -.5rem;padding:.6rem 1.5rem;position:relative;text-align:left;top:-.5rem;width:calc(100% + 1rem)}.navbar-sidebar__close{display:flex;margin-left:auto}.pagination{column-gap:var(--ifm-pagination-page-spacing);display:flex;font-size:var(--ifm-pagination-font-size);padding-left:0}.pagination--sm{--ifm-pagination-font-size:0.8rem;--ifm-pagination-padding-horizontal:0.8rem;--ifm-pagination-padding-vertical:0.2rem}.pagination--lg{--ifm-pagination-font-size:1.2rem;--ifm-pagination-padding-horizontal:1.2rem;--ifm-pagination-padding-vertical:0.3rem}.pagination__item{display:inline-flex}.pagination__item>span{padding:var(--ifm-pagination-padding-vertical)}.pagination__item--active .pagination__link{color:var(--ifm-pagination-color-active)}.pagination__item--active .pagination__link,.pagination__item:not(.pagination__item--active):hover .pagination__link{background:var(--ifm-pagination-item-active-background)}.pagination__item--disabled,.pagination__item[disabled]{opacity:.25;pointer-events:none}.pagination__link{border-radius:var(--ifm-pagination-border-radius);color:var(--ifm-font-color-base);display:inline-block;padding:var(--ifm-pagination-padding-vertical) var(--ifm-pagination-padding-horizontal);transition:background var(--ifm-transition-fast) var(--ifm-transition-timing-default)}.pagination__link:hover{text-decoration:none}.pagination-nav{display:grid;grid-gap:var(--ifm-spacing-horizontal);gap:var(--ifm-spacing-horizontal);grid-template-columns:repeat(2,1fr)}.pagination-nav__link{border:1px solid var(--ifm-color-emphasis-300);border-radius:var(--ifm-pagination-nav-border-radius);display:block;height:100%;line-height:var(--ifm-heading-line-height);padding:var(--ifm-global-spacing);transition:border-color var(--ifm-transition-fast) var(--ifm-transition-timing-default)}.pagination-nav__link:hover{border-color:var(--ifm-pagination-nav-color-hover);text-decoration:none}.pagination-nav__link--next{grid-column:2/3;text-align:right}.pagination-nav__label{font-size:var(--ifm-h4-font-size);font-weight:var(--ifm-heading-font-weight);word-break:break-word}.pagination-nav__link--prev .pagination-nav__label:before{content:"« "}.pagination-nav__link--next .pagination-nav__label:after{content:" »"}.pagination-nav__sublabel{color:var(--ifm-color-content-secondary);font-size:var(--ifm-h5-font-size);font-weight:var(--ifm-font-weight-semibold);margin-bottom:.25rem}.pills__item,.tabs{font-weight:var(--ifm-font-weight-bold)}.pills{display:flex;gap:var(--ifm-pills-spacing);padding-left:0}.pills__item{border-radius:.5rem;cursor:pointer;display:inline-block;padding:.25rem 1rem;transition:background var(--ifm-transition-fast) var(--ifm-transition-timing-default)}.pills__item--active{color:var(--ifm-pills-color-active)}.pills__item--active,.pills__item:not(.pills__item--active):hover{background:var(--ifm-pills-color-background-active)}.pills--block{justify-content:stretch}.pills--block .pills__item{flex-grow:1;text-align:center}.tabs{color:var(--ifm-tabs-color);display:flex;margin-bottom:0;overflow-x:auto;padding-left:0}.tabs__item{border-bottom:3px solid #0000;border-radius:var(--ifm-global-radius);cursor:pointer;display:inline-flex;padding:var(--ifm-tabs-padding-vertical) var(--ifm-tabs-padding-horizontal);transition:background-color var(--ifm-transition-fast) var(--ifm-transition-timing-default)}.tabs__item--active{border-bottom-color:var(--ifm-tabs-color-active-border);border-bottom-left-radius:0;border-bottom-right-radius:0;color:var(--ifm-tabs-color-active)}.tabs__item:hover{background-color:var(--ifm-hover-overlay)}.tabs--block{justify-content:stretch}.tabs--block .tabs__item{flex-grow:1;justify-content:center}html[data-theme=dark]{--ifm-color-scheme:dark;--ifm-color-emphasis-0:var(--ifm-color-gray-1000);--ifm-color-emphasis-100:var(--ifm-color-gray-900);--ifm-color-emphasis-200:var(--ifm-color-gray-800);--ifm-color-emphasis-300:var(--ifm-color-gray-700);--ifm-color-emphasis-400:var(--ifm-color-gray-600);--ifm-color-emphasis-600:var(--ifm-color-gray-400);--ifm-color-emphasis-700:var(--ifm-color-gray-300);--ifm-color-emphasis-800:var(--ifm-color-gray-200);--ifm-color-emphasis-900:var(--ifm-color-gray-100);--ifm-color-emphasis-1000:var(--ifm-color-gray-0);--ifm-background-color:#1b1b1d;--ifm-background-surface-color:#242526;--ifm-hover-overlay:#ffffff0d;--ifm-color-content:#e3e3e3;--ifm-color-content-secondary:#fff;--ifm-breadcrumb-separator-filter:invert(64%) sepia(11%) saturate(0%) hue-rotate(149deg) brightness(99%) contrast(95%);--ifm-code-background:#ffffff1a;--ifm-scrollbar-track-background-color:#444;--ifm-scrollbar-thumb-background-color:#686868;--ifm-scrollbar-thumb-hover-background-color:#7a7a7a;--ifm-table-stripe-background:#ffffff12;--ifm-toc-border-color:var(--ifm-color-emphasis-200);--ifm-color-primary-contrast-background:#102445;--ifm-color-primary-contrast-foreground:#ebf2fc;--ifm-color-secondary-contrast-background:#474748;--ifm-color-secondary-contrast-foreground:#fdfdfe;--ifm-color-success-contrast-background:#003100;--ifm-color-success-contrast-foreground:#e6f6e6;--ifm-color-info-contrast-background:#193c47;--ifm-color-info-contrast-foreground:#eef9fd;--ifm-color-warning-contrast-background:#4d3800;--ifm-color-warning-contrast-foreground:#fff8e6;--ifm-color-danger-contrast-background:#4b1113;--ifm-color-danger-contrast-foreground:#ffebec}#nprogress .bar{background:var(--docusaurus-progress-bar-color);height:2px;left:0;position:fixed;top:0;width:100%;z-index:1031}#nprogress .peg{box-shadow:0 0 10px var(--docusaurus-progress-bar-color),0 0 5px var(--docusaurus-progress-bar-color);height:100%;opacity:1;position:absolute;right:0;transform:rotate(3deg) translateY(-4px);width:100px}@font-face{font-family:Poppins;font-style:normal;font-weight:400;src:local(""),url(/assets/fonts/poppins-regular-f61407da33b59324fbefe468ce6917ab.woff) format("woff2"),url(data:font/woff2;base64,d09GMgABAAAAAB7MAAwAAAAAP6AAAB54AAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGx4cLgZgAIFUCudM0jYLgzYAATYCJAOGaAQgBYNcB4QLG34ysyLYOAAgoXcUUbVZLPs/JHBDBr6G+hIpYlQoaayFQFiGbR8DjCviFJxE41HqT/OOXC0/Z9GQVQfAWhGOAF/O89SlbJ4fIclsS0SNUfbMPgE5dhgAVqioPNrYqNhUZCQIRaCBLIK83W+vy6VjrXTMAYfFIfS65yPR0ziMQaj0M56vY3h+bj1EaSMJC9jIVbCMv+2vgv0FSxg1alhIGl2gBxecx4xqvCi9NvP2XXsT27xJRGharfanif3dB1IbH7D/n1vvG1gi90J+0acoU3UyzKzznZ8Q8S/KSQdFE/HKrFSrbCW+EZMGJ/JOrWFOCzJcLDcqMIye7xUDVgJSUf//a37amcAiFDGyIExnC3pkybH+6s19gXl5eXMmRB9Ln2eT0vLklZIpALkqpMkyJiUkt25tgVyFkF8WZYV0VRkTScF3O1cffLfDNqsTWFV2rwUPIfjECpG7lz5AAVbIGyfmmutgE0hgB8wJNaQ30lgYP+3xQCMZjDoEDzyVUi580bg7SwwCfbU2wM1JQR5DDgSJxZ7llnqObrxHpgXHgAOb7RkL2/gXhVu/D4DXAHqoBwD7DAQKDGCTWIoEB7JEnap7PP3Aas/+DynGHuqZ3u8P+0ZRlopUoQZt6CZzX2tbJVpJTFb5OJJs6W/YeiSlKS9d/6ya+d/8fZ6YS2ftgn326bdP//3yrm98rcc+6yxV+PO3P/P9e2I8D/za2srbgL+A1V8AG18HMDYA+dea0d4dnI0DUjAxhECe4VuLDc7VmwqwYTiuFzfuViWi6aNC0Z4wRhGs1DQggom7F3EXA3Uj7WxnxPmMGXjAq72EYaM9d+AG6ziGD0E2Ej5mwCsAOBXGWG1AYIJtCLwQDEeD1BqU5mmQH15SfTnMYUKO6QE/4F8j1ltms2QsVoSSz4WUYkelXQ/7kGlFRAxAW5s6qQqGsbVQl+8GCZsOFLXw0ul+mnssHngMiMV+wiHwzdVDGrfpDWLDkN8ewxN6ZRvyKaQ6K04Nqc6B6o8yc2SW7XOOuk1FcKA/XlsYa6voyRGelb8acI8ZbnoE+I9bLYFYSdUlo6Miyo+OYJqnPAsyYlzDkHe2VlOgYQcrDqbWBQEPfr7lShm/dUdxu7Up8/IxDbSiNG8zdthTYufBq+u76tI1uHc3vs7tLencpdyDGVdkPq4cQvLkEMhSXsY0J+4dQu0yRz7TZW7mccfhw18fQHPvvAbszInsG2aKiyHGmqz3Yvm3u8vmFpjxaPQezfuYJlpv3PN2ELEgVO3vPWKl2Ow/IpRJqDdPE8JqY3cYGuq1ECiB1yW0RVSa66GOdCXTLnh+xxeZ2xOqquVBgJFiAV77CqaFeYl2Q3S3BeKrdnAR3ZBPYM8o7ibQuBGK9xO3wKqYDmUkxZX+YNiXA09cBmjYPgA3eC8JPjEQxkjfWNFnGY2x+ej0ZGhv9VXwYAX9XZ1h53rzljTYf774b0vaBdtfcXWQxtyLpkaMb6v1GUsdrpV5ajkXRww17Pu1Ak3yTzYCGLr8Iara73lF7Cb+vtFNzajk4iaA8ltEQiOf66wxQAem4oXOWNTna0SswZSLr69zS/jeLLVejEOPPrPCBwhciHFchPFxIsHeTycPj9TzLzASCiQQ3wskAX5KdXKVa1sfQ/sqkMZ64u7bhwtw/U8GOoEbFSSWFLQnxd1WqtNBLxi8rBazf8BSfI/jBekq6kcBa1EXlt6oSzrtaXe+aXn1zDSw+t2F0YBoSCOqvK6Ty82lpKxNRobfRmluFw/KDLgqURpESW0OWpuaXaHkb7VmE8MOcR+a/dhsTsOYCArwsIQcjWl06SjVvNzhISxlLRqvol7V9Uvp5h+XUC6iUmapwuGiAxeC1khAQZdBxgFmUTC3Z4yjPVCczdRKlpb1KicmRnbBwTOOKbXkmmPFA5OJDMkKWz+t9i6mbI/as3b5+7k73N1wNPu9xjdrpg+sMm01qiKDGA5cKAYnIcm+Qfh+uhwzPoM6yGjV7B60MOvA1XEKSqIe0eUd09HDQqAknanN3NpKivMX9BiYBbda9g9oXcV/PqUdinIHcm/0xF16f7v01DQjzirvp4PZFBDVvuQsuKo43h6x4onbhb8L/aorsWA7vreavOxZrXrFsTJEMSfmbtxnkGGNSLjUx4n7KqyizvGq3pG6UbpMYLQKzia0LJaGR1CpXzjijsrdmFQNi3l3ZYBXuX+Llw+XK27BoJFUN5uJGbP5AMzwbSAAsF0Rv6p1ZltdaUBWVzRXCpFiUgwe6Baj927ntwXVUyMpM/vud4ksUyM6kqSZVDs0S3iuldjWchysX2vbV4o/Pz8amoTijmvhaPWLd9VIgu1A/oldyDH0JWVzJzxjd0w6fMbXH0zOZ8+5usPgm5jaIvuHGYtiiiYCEnuoL1AdNtUB41RrTZ7Prwsb3D4W0uh3f+8i9Y0bosq9ebt7S1nLbRmg04XpC671CTyK/OjbeAPmgF2YeccypeMa1gKZ9E8jw7TT55F7FR2oTczlzcGotU+MVuoqoXw1TPk9a1bQ3tfBEjN7MCtjyfklpqmKJbbc34qhy8Q7eToWpjQGEGGJrZnakycxfRbZY43YyZIvHGjmrkwH3GX9ieY2bjaGtjSmpnJoafqeSCs7vP/AmRVQ5uYueAgyd/6U8/Ce98r/4CsiEQrURcQ8yxIrH6kYK037PryUXX1DSGoin9hSaDQjFAbj+CSei/XKrsvfazl9OA8ULAsnF+SYtWHLOyPlaySB9McWn9vqi5Rydc4BO8Wx7X4x481Yc106vl4c+4xeZM3i0C7U4fBplHqWdJI9w+dIizb5C8c3+c+W/s1fAWyvmjjcoH8R8PSKF/buAQYf8Vni2k1zcVt5+eRRTQvCvnyhGrvdSHxMpO0f+ipWFcWyWH3YgmF3OGGrEXByld91/lvL+Y5FK7ufR6crNdA/dFvx3trsWXx1L772EFa64hj34WLmJ78Qxmfiq3ku6j9tjemYFnMBbJS2VsycEIoo1+qL53Lh/wMrVnnuOnTikosR+44dGJUxlM41kdlU4FBuwQ31zIAn1EjHa7nrvNj5pOtpV0HbfVdql/aCfyuO6xX04YiLwnDUwrSZlLWD5ZDYebCxYV9c+xxqTqCguAXT+t+Kts5OICnYBGqxYfM2RfN3UMFKB0aj7MClv7cY2Vv0Qy834/a5ps7PZzGMEF78qaPzfxjAib6kF/C4RcYRSkaGno7qZohKB/HLxyWd4Sef+fFgBxou5nwzT7e+8KwV9AakNuq6Xfl63b7m+boXN6rX5w0wZBHB4mAKYvV0vT2+1g/UHmZV6nvRMD2KqRLoa0LOQUa60RRX6opXeUSMPS+FwwzZDJUwMmp5zZ/Ue5QfD3CEeFJv+D9QUK/XCQR6nUSaGKTyuSui9n1+07HVeHw4O7sGh2/O/u9whaDLSnT6BoZqRzMe1zw4mt9WwG9H0PVkBVRN4bgFCkO1buKro7lYrMyYV0TXFuQpxyMJn3PzU1AT4suuXhsrrvXqFw4u2bBhvtBSUHHpcguxnG1SS0D8N+OSz/BTzoA7SHnWnn01hWUl7sRwWU3u5vXl6cFQohsQoomCHn39Zh/FkI1yKK/v2/PtN+Z2gvaNKME85nxGjmiydegq1ZBVk2254nnMeUVo0TTb0NXwsNXAJLt9z3zvlvpWv7n/NuiaHk7hQilAO0gac88Y2T0cbbMPH2UD3HHhYwvms8e+nvDx+Qt22LPBMmayTCGWINnAah8zRZeIgfBHzw5yWoyHbjpawVfdi9u9i6RCnlImUZoGyGyx4ZYpgdLJtX6jd8P0Ro/GBv8qBKLJLaVBiZdINtJ4suIFgwRDVU6YSbGXUhTls6vjA7YKo0omgyCWyicMpMJpCHCyeDQJX8BT8QPFIG+L1PWw6ge/1r/VvjX2YkrTYJDU4X4QLs6nGksl2EouRKutFhpCbRWDi4vPGfkCrdal0WhNGpqGPNay5htwYGV9sXUO2OArZ4lKp7bUSqgV5Xy4tB7BbZ0UBt5wKFFn+nqFKhsvo8BWl0FmsCg1WpsavJ8/er4jvb1dcx/MXcg2cug0SzkZhrFUdAudxbWYbkAusZBf0kCF4Toq7IRiufv6kLtaoUyKufMYBrFIbJAwfj7hlEgFdvX6yixWC8SITAUOzYG4PKOmLWYt7CFzxGV0dkhVMa29bkHNt73N2O3lZmewtireZLq61GyQq4wILDNYIYXeqgGS2U8fPn1Q/+zBs4eg8n91VMffGbLAaciS+u474Tk+JewKtfnDA1za2I3jfWG2kSOXcnkyEcvCodm9JKHtrOj7sJ7W7UbrKp+WssRbLCLrWf+4SDTY4tCqeG1hjdydKf9CS8rMHsah5bNU4+sYHRsWL550pK7i7BTQsXnRIpc867ANXVGxTWdb5V/Y9tcfM5dIBCoqxk6nMgRUIsTIc5BpTgr4ax2xaF3Jh97Q+94S/YPp7ulucLXkV7SikEYzBYmygdH3ch+epCXzRDpPDHqtQMqm0bhZtPpB9lQ7k6UViTe93goKTyDbNiGeus6qXH/VlUoxrKgXC5tMRiD5V6SAK0VXqnJ9nZV1nk12ZGsQrO7bZbJtrKiwbdhlqOuP9s+qWriorX3R0lnN6Gawu/rvz6rPT8epJh2YpAJ3+pSEf18rX7OQKHA8vlQlUigaRKImg0E0rUGkCHZMSSodo5wkizcji1YaHJ7NdsfWYNCxbbPdE+6qyvWBQF8U4fg4SBQh+8hgd18UiYK9fbGWUNBqC5UhyAAChTKOEAvOTuDykCginiiqZzt4CNiteKnURhFAGtDbiwx8GCv4Y+AgpNf7P3uy1SJVhRjkAFJVUIiAvLjNdse24VQvbYBsLS1FNDcvpGkQi6YbTaKmerFSCQTdZLSR/z2sABNWNtZNnYVCor82Tq2172iWC7ltK2aBWWBax7x5OJqns0n91s0wrqc7tJDVWsHz7QoO7RxXPR6J/qqtpNEQNmSoMgzvRrUGZikVEJcHiVWzwIO4SiLXkuARyEQSoVJAyf9KmN4sGW5AsWAhk2ktI0i8TZ54nV+u4HCZchYtt+evxZIRRjQbFlFoxaEiCLzrUx4JI+GjSrCzL+q0F+t1bOeMIn1WaWMjU6lUNpJGax9Y0BfXFzIpz32beToBe1n0fF9wK3E30Q9ORD2rNbs1wc3wGhiEkNtI6a6hm4YGbiG3HcHdwzYPCwJq329fxSPxv38V2Fui6gVrNSbtMUifpdEegMDI5btU7vNuuLcEHOwcucJmp3aQFe2FA0+7qhe073H9k2z+N9n97XrQlGMaZQIPl0hu1WpBYam4uVGqgELcTX4H2hHsKefJFRG5uM14lUNCTEQKxUiQdh6f5DA+yEZUJw+cfFzBlSojUnGzyShua5Qr5OXcngDyAMmtr/ieIlDIX5rJDi6PFY0jyh+i5slSTaDdM8riva5jcjTucq/PXaHhaIt+9442dvh9mlxe3GKZTFWloIp1NdvxwFG6JaR2R+OrSZCC3T9Q57dDbA39k3e0psPr1UyVSlvNZnHLVIlOM0ksaFQ5ZTilJpcoLbHGqe0Ac6++H+mXq+R5DpcpBHOG0PPqQQRbjsGqE1X8hkahtnJxIMVq/9XJEalcTnN9T4g/CmrC6xxd/H4s63gdzkdlhGCxnW7QW+SQqdhCQB4gQzpdODbwNO1eE2BsaAQNfE0v/+uyYF8oFGI5TZ2b+wi9FgEtd549/5/dNzeet8QMGzAC7P6dJnsAyAPwPiqT+63qLFK50W7B369lBI1ou+y4ImmIuz4U4gvBQdy0yXVjQdml0nQ6cAzwOKFJKms1m6DW6RKNhmuAWsxmZWuLVEPUmnFURCSiIEYsiWzAkp4NxERE3wpOPCqXhkn0qsy+U4+EkHwkUF8JIFBV/ukLsdDvyHeENlbwISgCfcPRdzaKwJW2dlchgkaKwdUEXyETznIxJBQG9TAK/Vw07CqcSRfQCklSJJ+NhJFYLVL4O420NntstuS/HsUEdQyOJLfns8HBe+L8YYVitQFWSXViuUo+D5m3WAXIKDSiX+vAMwQBKisEC+00vd4iVxiLLTiQZuy86rmDKt9tvIBch+5CuTq+Nv8bdO1FOadfnH3ROePStEugou1i00X3l0O/HFnadmHaBXfPkC9HATRq1PZcV0X8D+MDew92HgRLlINVEVXiogRlrRKUrQmMsOQmIokeLKRTSVjagjxD/vh405BEN5ZGlVUMqKDKadhE95B40/h8Q16BliXRqSBsoicRybUERoAjIWQmAj7z2B3y3Sq7r3LAm1s/dtvW5kfDM0RcSdrSSEbt8eafRmYYuGLQTVFJmqGedRVcgJNeeEGzFqZvMScoajyWOBfdVZEwaUFFBTcnOOgOD0VexgmQ+aiqiAu7SiwWlxsGmQr4yItN+WZ+RketADnxU66A7vJSBMGqSGyxKUMk57MgsSzr/t0Tgu6ODLcMBoc5n7rmHnzE4uzrWtv1I4f38eLaS/vY7EOXTJ3J/DmRI0VFPZjCRQzGdAxY1TxXtC9me9458bmNyMbDLu+bvTGiuTuYwS739vwEQZx4LDIVsSch0xAQlS8mYIhyRwHP0WCJUSOc3Ux6Fyb9lDjzZSDLa5QxZBbRiPxF9RvyHfXWAZg9Iw4UZGyZ9dKf6atVahaP+lCrF0rFGhGRrOdLJBohEdCqHo0Z83jM6Me0waPRC35Uf2rhaDMGPDu60W7ZUlrKSPRAEMSqRevcg468uRrFQpdTsWiu1umYoyXd6bLt5mgcXIO3iFkmk2lbL4OjqtKNFJvGG5ArZdbqUBMH+/6saYSsSg2DTClGr8ISCCL0YC7kgjgf+7njiTAeY6ApmXwxgcgXMZmwIRL4QiZYMMndXY8o9naPQFzdQfv30gBnzy1kwX0IMI4jVIqDxaI4JcxiT6JTcBjZ8hobolBwClJYCODpLN7faiky/ELQDtdR75Zkd0xsTCtI/jc5+Z/kAlBzSlIiAWPtXrdG43FraTitDkPRlJToUhksAQ6rloLJXoTDHWWBtsn7b6o/qW/vv61SXeYu3deCzHXsGGqlNSlz/NjLqWldeYoJYjabKeHjcw/EaorAxEUQncVQsTETUr8bEFVOKICLuByoiAyxEseOS05Lw4zDEAvGp6elfhyX8adYCh4euVUrudUEilBoxL/SRefmi8YLWPZ8O9ZqQuRyQ7GFAOL0Veoq/YTkyKSw3T65tuE9+I4hpRAJ4iJ6PduT9Xta6u9Z5ClcIUibzWgugfJBppSgN2GpNCOWDHQa0WDCYaABt6J5TIEQT+AJ2SyugIAXCplgRa63u3i182O6PfcxkMPj3n1BikQtkejuBqIUkn5XuPGZ5xEx0l3dHQbFs+m1d/624sqotSp6sWU99kDMHISWGVFzR3RVA2FAF+GMPozjOVdbz/ra9wpgap98lH18lQFF1idb1vnmRXughsXLf1sGbkDh6u1GIasq/PG0Let451bZBy1zGDd4gwHvGUFngFtXbT/JarJS+2fWLVzW3r5w6azmf46Zjv3bDH5ZuWlVDzYt69ev2wD1ICbfuAks1HXjmqAQcub8mtyTPLGyJLQZP00eEPqykwfP0eXVi8UMTwDYEVNOg8KnXu8wAyYM9DELliEHkKWzrj5wO9sgCZcHSVWz4mYB9sLGhgapF0dWYYkE0bJdTcPG/CwYDaUKYTbktxVbq9xxRkdmJ5mQnoc+6NFlSNh4lFEwIXkcTkLmLF6Si5CA8FkK46ScptHmYQVG+o/e0ZoWr1tcwz1Vrg3dqOBJPYnaJc2TpLC4jDEwAAdkVfPgBgm/EXIK8LAunwSVIXGalj5yhtY8J5kBtWLf6YaMVDd4rXFkEdw5FZK4EMSaqjV7Xr+bwPj+WEi+pFmh1zbJJO1mo7R5ihSexEUmuiRwG4bsnPi51VlnbsdQnBMRrYlAdgqFJKcRTyYb8ES7UERw6YlkQI1XqGv/WKf+rP6DmTsyGH7zZbaH5VPMzKOgbxTKNa+yvexwY6YBBaNHeMOJTkS9lfkYqTCc+co+FJFCj+sAx/8sl0CBxucJCsk6m5C/EGq98xDZjfKplvpB+yf5p5djocbFufI5aptrgx3ZFixFtsoinLa5qlzZ/Eb5WEdQNO2XhRHTDAat4Wen2QLB9RRGb6ze7VBwwsmP41M2yJ5MnCpTaaaFS7UpJ0uHfI5IYU2jWBhRbn5gxlOcIhHZYcKRSAYmjulpcOjxpDoUTqPJJ8pLkIF6O1jfOc8EzTPMNUDgwepzeFw/gdCPw58jKh6npj5OT38yLc2TdJC6VJo/ch+m3z54eARN1ZtfG1wa966glkAODRSvUA9RA/LSleof1WD67aD7NyGw9wWGDQWAWceEBWcM/lYc/eG3eBCjLvTzScHaGzIZhfq2oVxGpZRYDvO2ZgBvoyuiyP5uBMNUlcJLlTm+zsraxm/asio9AmNBRnqekV8yGiqpnsXR1nZW5fgrL1cIYVOTOUP1H/9jXvp4+gfBv+MUTQY9SDv6nGHOh0Ce5WBRiRh8rvxMqRgQKypxViaFk8D9FerF6lMIqMvvwAHDAUtvWvKWPFZmnZYvDBDaDlS4PB2b3Z+c6F7tsqUpKcvFfrnlC7nx7eize858uTZVynLhG214nVi5nq+lLJf582gzf2KkSTkPOckX1IkHKcvFU7nlr9HGk0oGJlKGlFHJQIFxqJxbRAkZaLoCpKQsF9/JLT1yY//os34nJNe+lrJcrB9trBVPXKH0/5e7YBn5YZD5nukn49zEDFg0HRIfSVkudsotG0cbO5gNhEMBkDJwCABmEQFzULGVBE9QeGFk/XUdNNzBZGAmCcWXYvQwLy8Bz4Vxusj/33zzkJJ5CbAC5XxWws73djVb6qx1qqiyb4uQVJ1ZLgvoK2Nz4m5zF7vLGnaCGsh7Y7O7zVgmHvgWfgjPp1AX5wbOV2LAiI/9/CiGme/6J3iJqy0AI8uoRBsH3G0InSOBnmW9hje1jiFkaJ+6z7G7xEliQpoAGdqn7O7UtSHgXQLKeUEBALvA8yLMY3QytG/cVxvyE2i+LWUMGdqnxrtSFhaao72g2IWZueNYo7J7zjpeI9q0ZOvoFgMsypIrnzV/G63l/JcQO34E+PLN5QDwzRb636dHn04lxS86rpkMNSMEv1uqL3+UGfCuGnKlz7mv8xLiWflW7wm2oKEGJKvVOH2jsL/LsRkqZ1SqRzYrf+B2L6sz83PzsNyAzQ9obcCLQG75KFUjNSJ/Sis6Da+cbFmdhNNGCrdhkyBVDFNvCnQsV1PUxytQt8lqgHoM1O1J6sa4zVvqkaTbXmqvscUIBbWG82WMOG1yVMiIHBFDHCWU1FUVZsfL7naq7jBmXJPaKrhCRsYmxGe3mV2mA9WrG5HTH4USI/KNYDirrpsgCJVtUUg90tahi3nezoeNhbR6URxo6xtmAZoBidTRJMNUymgrqCQp44yU/GBwT0u1DxXkilBQ/KpH0nh13OfbtYSthG06fo3S65e7fPiwpI40pJyQlctwnacAnoN8Qk2H4VlnXLvZojQhsFRvDO9M6ppMdAshwwx3Snp6WedPbqvcbofuaajGG2B+nG9tY4YUOThjArCJ1+IHzqc9r3pbogy40NIOpUJRcjATAJBXaztxMDvOaMAiBY4sKoE/dGMzjAz4JLuUZqkIEgjkAPKCBMtx6XgwixgwvpeZIsO9MDQPomp3gkcE7HtpvMNMB+bnNElDz8C4qm1grBQ2aXCYPzmPJY6T0sdgmeaBz4sXQAzwtZVSsDgKKooDHgcMCCxzL5ZatBx4wy2yrRIkIrq/trXZadrWrsi1rYPXHXHG3HQSHNuBpzVsnjXqsRAUafepE/JIwzMSr55UEglHSGluQi0ZmE642bJGSHU7jkFgJJFPxFM3jAqPiIg6rswvgoKJjBZbJkCtmeNFeDHueYxUnKJTlkBLF4d0loz4ls5k8qwDg0Ga1BEpj1MfdVooIrRs0VBnnY9TtlToIR3hHYt9wqoQ8iT4TBhRza/OFHCGaSswwPN+zneQTf01kGaw/WXSf3LcPLx8/AKCQsKGG2GkUUYbI1WadBnGGme8CSbKlCUbClqOXHnyFSiEgYWDR0BEQkZBRUNXhIGJhY2Di4dPQEhETEJKRg6ioKQCU9PQ0tEzMDIxs7CyKWaHcHBycSvhyUCfZpjpsFX+Mssi823UaUcGeXNfh+Wee2Fh4rw46SfPbNLllZde2+YL553VzctnCb+LAs654KpLLrvib0E3XXNdj1JPLXXHLbeV+dcjc5ULqVClUrUtwmrVqFMvokGjSf4x2VRTTDNdkz5btWjWqs1/Hjvgri99lXgXP+r3tW/s951Ten3rtNn2OuKoQ0nw4UkSF912LwwPEN8VH3kmRCReEROXZPA1rZV8LR74/5ThpJVMHs8BAAAA) format("woff"),}@font-face{font-family:Roboto;font-style:normal;font-weight:400;src:local(""),url(/assets/fonts/roboto-mono-regular-498042b7fe9cd07b4fd11a0965093e55.woff) format("woff2"),url(/assets/fonts/roboto-mono-regular-535bc89d4af715503b01afd761501e58.woff2) format("woff"),}@font-face{font-family:Lato;font-style:normal;font-weight:400;src:local(""),url(/assets/fonts/lato-regular-292725486219768e62259f7286dc73cc.woff) format("woff2"),url(/assets/fonts/lato-regular-be36596da218e1eec01c5c600b1c13ef.woff2) format("woff"),}[data-theme=dark]{--ifm-color-primary:#ffc61c;--ifm-color-primary-dark:#ffbf00;--ifm-color-primary-darker:#f1b400;--ifm-color-primary-darkest:#c69400;--ifm-color-primary-light:#ffcd38;--ifm-color-primary-lighter:#ffd146;--ifm-color-primary-lightest:#ffdb71;--ifm-color-secondary-dark:#054a6e;--ifm-color-secondary:#06527a;--ifm-color-secondary-light:#075a86;--light:#33313b;--dark:#f3f3f3}[data-theme=dark] .footer--dark{background-color:var(--light);color:var(--ifm-color-primary)}body{font-family:Lato,sans-serif}h1,h2,h3,h4,h5,h6{font-family:Poppins,sans-serif}code{font-family:Roboto Mono,monospace}.navbar__brand{height:40px}.btn.navbar__github{background-color:#384745;border:2px solid #384745;border-radius:3px;box-shadow:inset 0 1px #ffffff26,0 1px 1px #00000014;color:#fff!important;font-family:poppins,sans-serif;font-size:1rem;font-weight:400;line-height:1.66;padding:8px 20px 7px 47px;position:relative;text-align:center;text-decoration:none;transition:color .15s ease-in-out,background-color .15s ease-in-out,border-color .15s ease-in-out,box-shadow .15s ease-in-out;-webkit-user-select:none;user-select:none}.clear-btn{padding:100px}a.btn.navbar__github:hover{background-color:#273230;border-color:#222a29;color:#fff}a.btn.navbar__github:before{background-image:url("data:image/svg+xml;charset=utf-8,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 20.5 20'%3E%3Cpath fill='%23fff' d='M10.3 0C4.6 0 0 4.6 0 10.3c0 4.4 2.8 8.3 7 9.7.5.1.7-.2.7-.5v-1.9c-2.6.5-3.2-.6-3.4-1.2s-.6-1.1-1-1.5c-.4-.2-.9-.7 0-.7.7.1 1.3.5 1.6 1 .6 1.1 1.9 1.4 3 .8 0-.5.3-1 .7-1.4-2.3-.3-4.7-1.1-4.7-5.1 0-1 .4-2 1.1-2.8-.5-.6-.5-1.6-.1-2.5 0 0 .9-.3 2.8 1.1q2.55-.75 5.1 0c2-1.3 2.8-1.1 2.8-1.1.4.9.5 1.9.2 2.8.7.7 1.1 1.7 1.1 2.8 0 3.9-2.4 4.8-4.7 5.1.5.5.7 1.2.7 1.9v2.8c0 .3.2.6.7.5 5.4-1.8 8.3-7.6 6.5-13C18.6 2.8 14.7 0 10.3 0'/%3E%3C/svg%3E");content:"";height:20px;left:15px;position:absolute;top:10px;width:20px}.header-github-link:before{background:url("data:image/svg+xml;charset=utf-8,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 24 24'%3E%3Cpath d='M12 .297c-6.63 0-12 5.373-12 12 0 5.303 3.438 9.8 8.205 11.385.6.113.82-.258.82-.577 0-.285-.01-1.04-.015-2.04-3.338.724-4.042-1.61-4.042-1.61C4.422 18.07 3.633 17.7 3.633 17.7c-1.087-.744.084-.729.084-.729 1.205.084 1.838 1.236 1.838 1.236 1.07 1.835 2.809 1.305 3.495.998.108-.776.417-1.305.76-1.605-2.665-.3-5.466-1.332-5.466-5.93 0-1.31.465-2.38 1.235-3.22-.135-.303-.54-1.523.105-3.176 0 0 1.005-.322 3.3 1.23.96-.267 1.98-.399 3-.405 1.02.006 2.04.138 3 .405 2.28-1.552 3.285-1.23 3.285-1.23.645 1.653.24 2.873.12 3.176.765.84 1.23 1.91 1.23 3.22 0 4.61-2.805 5.625-5.475 5.92.42.36.81 1.096.81 2.22 0 1.606-.015 2.896-.015 3.286 0 .315.21.69.825.57C20.565 22.092 24 17.592 24 12.297c0-6.627-5.373-12-12-12'/%3E%3C/svg%3E") no-repeat;content:"";display:flex;height:24px;width:24px}[data-theme=dark] .header-github-link:before{background:url("data:image/svg+xml;charset=utf-8,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 24 24'%3E%3Cpath fill='%23fff' d='M12 .297c-6.63 0-12 5.373-12 12 0 5.303 3.438 9.8 8.205 11.385.6.113.82-.258.82-.577 0-.285-.01-1.04-.015-2.04-3.338.724-4.042-1.61-4.042-1.61C4.422 18.07 3.633 17.7 3.633 17.7c-1.087-.744.084-.729.084-.729 1.205.084 1.838 1.236 1.838 1.236 1.07 1.835 2.809 1.305 3.495.998.108-.776.417-1.305.76-1.605-2.665-.3-5.466-1.332-5.466-5.93 0-1.31.465-2.38 1.235-3.22-.135-.303-.54-1.523.105-3.176 0 0 1.005-.322 3.3 1.23.96-.267 1.98-.399 3-.405 1.02.006 2.04.138 3 .405 2.28-1.552 3.285-1.23 3.285-1.23.645 1.653.24 2.873.12 3.176.765.84 1.23 1.91 1.23 3.22 0 4.61-2.805 5.625-5.475 5.92.42.36.81 1.096.81 2.22 0 1.606-.015 2.896-.015 3.286 0 .315.21.69.825.57C20.565 22.092 24 17.592 24 12.297c0-6.627-5.373-12-12-12'/%3E%3C/svg%3E") no-repeat}.docusaurus-highlight-code-line{background-color:#484d5b;display:block;margin:0 calc(var(--ifm-pre-padding)*-1);padding:0 var(--ifm-pre-padding)}body:not(.navigation-with-keyboard) :not(input):focus{outline:0}#__docusaurus-base-url-issue-banner-container,.hideAction_vcyE>svg,.navbarSearchContainer_Bca1:empty,.themedComponent_mlkZ,[data-theme=dark] .lightToggleIcon_pyhR,[data-theme=light] .darkToggleIcon_wfgR,html[data-announcement-bar-initially-dismissed=true] .announcementBar_mb4j{display:none}.skipToContent_fXgn{background-color:var(--ifm-background-surface-color);color:var(--ifm-color-emphasis-900);left:100%;padding:calc(var(--ifm-global-spacing)/2) var(--ifm-global-spacing);position:fixed;top:1rem;z-index:calc(var(--ifm-z-index-fixed) + 1)}.skipToContent_fXgn:focus{box-shadow:var(--ifm-global-shadow-md);left:1rem}.closeButton_CVFx{line-height:0;padding:0}.content_knG7{font-size:85%;padding:5px 0;text-align:center}.content_knG7 a{color:inherit}.announcementBar_mb4j{align-items:center;background-color:var(--ifm-color-white);border-bottom:1px solid var(--ifm-color-emphasis-100);color:var(--ifm-color-black);display:flex;height:var(--docusaurus-announcement-bar-height)}.announcementBarPlaceholder_vyr4{flex:0 0 10px}.announcementBarClose_gvF7{align-self:stretch;flex:0 0 30px}.toggle_vylO{height:2rem;width:2rem}.toggleButton_gllP{align-items:center;border-radius:50%;display:flex;height:100%;justify-content:center;transition:background var(--ifm-transition-fast);width:100%}.toggleButton_gllP:hover{background:var(--ifm-color-emphasis-200)}.toggleButtonDisabled_aARS{cursor:not-allowed}.darkNavbarColorModeToggle_X3D1:hover{background:var(--ifm-color-gray-800)}[data-theme=dark] .themedComponent--dark_xIcU,[data-theme=light] .themedComponent--light_NVdE,html:not([data-theme]) .themedComponent--light_NVdE{display:initial}.iconExternalLink_nPIU{margin-left:.3rem}.dropdownNavbarItemMobile_S0Fm{cursor:pointer}.iconLanguage_nlXk{margin-right:5px;vertical-align:text-bottom}.searchBar_RVTs .dropdownMenu_qbY6{background:var(--search-local-modal-background,#f5f6f7);border-radius:6px;box-shadow:var(--search-local-modal-shadow,inset 1px 1px 0 0 #ffffff80,0 3px 8px 0 #555a64);left:auto!important;margin-top:8px;padding:var(--search-local-spacing,12px);position:relative;right:0!important;width:var(--search-local-modal-width,560px)}html[data-theme=dark] .searchBar_RVTs .dropdownMenu_qbY6{background:var(--search-local-modal-background,var(--ifm-background-color));box-shadow:var(--search-local-modal-shadow,inset 1px 1px 0 0 #2c2e40,0 3px 8px 0 #000309)}.searchBar_RVTs .dropdownMenu_qbY6 .suggestion_fB_2{align-items:center;background:var(--search-local-hit-background,#fff);border-radius:4px;box-shadow:var(--search-local-hit-shadow,0 1px 3px 0 #d4d9e1);color:var(--search-local-hit-color,#444950);cursor:pointer;display:flex;flex-direction:row;height:var(--search-local-hit-height,56px);padding:0 var(--search-local-spacing,12px);width:100%}.hitTree_kk6K,.noResults_l6Q3{align-items:center;display:flex}html[data-theme=dark] .dropdownMenu_qbY6 .suggestion_fB_2{background:var(--search-local-hit-background,var(--ifm-color-emphasis-100));box-shadow:var(--search-local-hit-shadow,none);color:var(--search-local-hit-color,var(--ifm-font-color-base))}.searchBar_RVTs .dropdownMenu_qbY6 .suggestion_fB_2:not(:last-child){margin-bottom:4px}.searchBar_RVTs .dropdownMenu_qbY6 .suggestion_fB_2.cursor_eG29{background-color:var(--search-local-highlight-color,var(--ifm-color-primary))}.hitFooter_E9YW a,.hitIcon_a7Zy,.hitPath_ieM4,.hitTree_kk6K,.noResultsIcon_EBY5{color:var(--search-local-muted-color,#969faf)}html[data-theme=dark] .hitIcon_a7Zy,html[data-theme=dark] .hitPath_ieM4,html[data-theme=dark] .hitTree_kk6K,html[data-theme=dark] .noResultsIcon_EBY5{color:var(--search-local-muted-color,var(--ifm-color-secondary-darkest))}.hitTree_kk6K>svg{height:var(--search-local-hit-height,56px);opacity:.5;width:24px}.hitIcon_a7Zy,.hitTree_kk6K>svg{stroke-width:var(--search-local-icon-stroke-width,1.4)}.hitAction_NqkB,.hitIcon_a7Zy{height:20px;width:20px}.hitWrapper_sAK8{display:flex;flex:1 1 auto;flex-direction:column;font-weight:500;justify-content:center;margin:0 8px;overflow-x:hidden;width:80%}.hitWrapper_sAK8 mark{background:none;color:var(--search-local-highlight-color,var(--ifm-color-primary))}.hitTitle_vyVt{font-size:.9em}.hitPath_ieM4{font-size:.75em}.hitPath_ieM4,.hitTitle_vyVt{overflow-x:hidden;text-overflow:ellipsis;white-space:nowrap}.noResults_l6Q3{flex-direction:column;justify-content:center;padding:var(--search-local-spacing,12px) 0}.noResultsIcon_EBY5{margin-bottom:var(--search-local-spacing,12px)}.hitFooter_E9YW{font-size:.85em;margin-top:var(--search-local-spacing,12px);text-align:center}.cursor_eG29 .hideAction_vcyE>svg,.tocCollapsibleContent_vkbj a{display:block}.suggestion_fB_2.cursor_eG29,.suggestion_fB_2.cursor_eG29 .hitIcon_a7Zy,.suggestion_fB_2.cursor_eG29 .hitPath_ieM4,.suggestion_fB_2.cursor_eG29 .hitTree_kk6K,.suggestion_fB_2.cursor_eG29 mark{color:var(--search-local-hit-active-color,var(--ifm-color-white))!important}.searchBarContainer_NW3z{margin-left:16px}.searchBarContainer_NW3z .searchBarLoadingRing_YnHq{display:none;left:10px;position:absolute;top:6px}.searchBarContainer_NW3z .searchClearButton_qk4g{background:none;border:none;line-height:1rem;padding:0;position:absolute;right:.8rem;top:50%;transform:translateY(-50%)}.navbar__search{position:relative}.searchIndexLoading_EJ1f .navbar__search-input{background-image:none}.searchHintContainer_Pkmr{align-items:center;display:flex;gap:4px;height:100%;justify-content:center;pointer-events:none;position:absolute;right:10px;top:0}.searchHint_iIMx{background-color:var(--ifm-navbar-search-input-background-color);border:1px solid var(--ifm-color-emphasis-500);box-shadow:inset 0 -1px 0 var(--ifm-color-emphasis-500);color:var(--ifm-navbar-search-input-placeholder-color)}html[dir=rtl] .searchHintContainer_Pkmr{left:10px;right:auto}html[dir=rtl] .searchBarContainer_NW3z .searchClearButton_qk4g{left:.8rem;right:auto}html[dir=rtl] .searchBarContainer_NW3z .searchBarLoadingRing_YnHq{left:auto;right:10px}html[dir=rtl] .navbar__search-input{padding:0 2.25em 0 .5em}.loadingRing_RJI3{display:inline-block;height:20px;opacity:var(--search-local-loading-icon-opacity,.5);position:relative;width:20px}.loadingRing_RJI3 div{animation:1.2s cubic-bezier(.5,0,.5,1) infinite a;border:2px solid var(--search-load-loading-icon-color,var(--ifm-navbar-search-input-color));border-color:var(--search-load-loading-icon-color,var(--ifm-navbar-search-input-color)) #0000 #0000 #0000;border-radius:50%;display:block;height:16px;margin:2px;position:absolute;width:16px}.loadingRing_RJI3 div:first-child{animation-delay:-.45s}.loadingRing_RJI3 div:nth-child(2){animation-delay:-.3s}.loadingRing_RJI3 div:nth-child(3){animation-delay:-.15s}@keyframes a{0%{transform:rotate(0)}to{transform:rotate(1turn)}}.navbarHideable_m1mJ{transition:transform var(--ifm-transition-fast) ease}.navbarHidden_jGov{transform:translate3d(0,calc(-100% - 2px),0)}.errorBoundaryError_a6uf{color:red;white-space:pre-wrap}.errorBoundaryFallback_VBag{color:red;padding:.55rem}.footerLogoLink_BH7S{opacity:.5;transition:opacity var(--ifm-transition-fast) var(--ifm-transition-timing-default)}.footerLogoLink_BH7S:hover,.hash-link:focus,:hover>.hash-link{opacity:1}.anchorWithStickyNavbar_LWe7{scroll-margin-top:calc(var(--ifm-navbar-height) + .5rem)}.anchorWithHideOnScrollNavbar_WYt5{scroll-margin-top:.5rem}.hash-link{opacity:0;padding-left:.5rem;transition:opacity var(--ifm-transition-fast);-webkit-user-select:none;user-select:none}.hash-link:before{content:"#"}.mainWrapper_z2l0{display:flex;flex:1 0 auto;flex-direction:column}.docusaurus-mt-lg{margin-top:3rem}#__docusaurus{display:flex;flex-direction:column;min-height:100%}.tag_zVej{border:1px solid var(--docusaurus-tag-list-border);transition:border var(--ifm-transition-fast)}.tag_zVej:hover{--docusaurus-tag-list-border:var(--ifm-link-color);text-decoration:none}.tagRegular_sFm0{border-radius:var(--ifm-global-radius);font-size:90%;padding:.2rem .5rem .3rem}.tagWithCount_h2kH{align-items:center;border-left:0;display:flex;padding:0 .5rem 0 1rem;position:relative}.tagWithCount_h2kH:after,.tagWithCount_h2kH:before{border:1px solid var(--docusaurus-tag-list-border);content:"";position:absolute;top:50%;transition:inherit}.tagWithCount_h2kH:before{border-bottom:0;border-right:0;height:1.18rem;right:100%;transform:translate(50%,-50%) rotate(-45deg);width:1.18rem}.tagWithCount_h2kH:after{border-radius:50%;height:.5rem;left:0;transform:translateY(-50%);width:.5rem}.tagWithCount_h2kH span{background:var(--ifm-color-secondary);border-radius:var(--ifm-global-radius);color:var(--ifm-color-black);font-size:.7rem;line-height:1.2;margin-left:.3rem;padding:.1rem .4rem}.tags_jXut{display:inline}.tag_QGVx{display:inline-block;margin:0 .4rem .5rem 0}.iconEdit_Z9Sw{margin-right:.3em;vertical-align:sub}.lastUpdated_JAkA{font-size:smaller;font-style:italic;margin-top:.2rem}.tocCollapsibleButton_TO0P{align-items:center;display:flex;font-size:inherit;justify-content:space-between;padding:.4rem .8rem;width:100%}.tocCollapsibleButton_TO0P:after{background:var(--ifm-menu-link-sublist-icon) 50% 50%/2rem 2rem no-repeat;content:"";filter:var(--ifm-menu-link-sublist-icon-filter);height:1.25rem;transform:rotate(180deg);transition:transform var(--ifm-transition-fast);width:1.25rem}.tocCollapsibleButtonExpanded_MG3E:after,.tocCollapsibleExpanded_sAul{transform:none}.tocCollapsible_ETCw{background-color:var(--ifm-menu-color-background-active);border-radius:var(--ifm-global-radius);margin:1rem 0}.buttonGroup__atx button,.codeBlockContainer_Ckt0{background:var(--prism-background-color);color:var(--prism-color)}.tocCollapsibleContent_vkbj>ul{border-left:none;border-top:1px solid var(--ifm-color-emphasis-300);font-size:15px;padding:.2rem 0}.tocCollapsibleContent_vkbj ul li{margin:.4rem .8rem}.tableOfContents_bqdL{max-height:calc(100vh - var(--ifm-navbar-height) - 2rem);overflow-y:auto;position:sticky;top:calc(var(--ifm-navbar-height) + 1rem)}.codeBlockContainer_Ckt0{border-radius:var(--ifm-code-border-radius);box-shadow:var(--ifm-global-shadow-lw);margin-bottom:var(--ifm-leading)}.codeBlockContent_biex{border-radius:inherit;direction:ltr;position:relative}.codeBlockTitle_Ktv7{border-bottom:1px solid var(--ifm-color-emphasis-300);border-top-left-radius:inherit;border-top-right-radius:inherit;font-size:var(--ifm-code-font-size);font-weight:500;padding:.75rem var(--ifm-pre-padding)}.codeBlock_bY9V{--ifm-pre-background:var(--prism-background-color);margin:0;padding:0}.codeBlockTitle_Ktv7+.codeBlockContent_biex .codeBlock_bY9V{border-top-left-radius:0;border-top-right-radius:0}.codeBlockLines_e6Vv{float:left;font:inherit;min-width:100%;padding:var(--ifm-pre-padding)}.codeBlockLinesWithNumbering_o6Pm{display:table;padding:var(--ifm-pre-padding) 0}.buttonGroup__atx{column-gap:.2rem;display:flex;position:absolute;right:calc(var(--ifm-pre-padding)/2);top:calc(var(--ifm-pre-padding)/2)}.buttonGroup__atx button{align-items:center;border:1px solid var(--ifm-color-emphasis-300);border-radius:var(--ifm-global-radius);display:flex;line-height:0;opacity:0;padding:.4rem;transition:opacity var(--ifm-transition-fast) ease-in-out}.buttonGroup__atx button:focus-visible,.buttonGroup__atx button:hover{opacity:1!important}.theme-code-block:hover .buttonGroup__atx button{opacity:.4}:where(:root){--docusaurus-highlighted-code-line-bg:#484d5b}:where([data-theme=dark]){--docusaurus-highlighted-code-line-bg:#646464}.theme-code-block-highlighted-line{background-color:var(--docusaurus-highlighted-code-line-bg);display:block;margin:0 calc(var(--ifm-pre-padding)*-1);padding:0 var(--ifm-pre-padding)}.codeLine_lJS_{counter-increment:a;display:table-row}.codeLineNumber_Tfdd{background:var(--ifm-pre-background);display:table-cell;left:0;overflow-wrap:normal;padding:0 var(--ifm-pre-padding);position:sticky;text-align:right;width:1%}.codeLineNumber_Tfdd:before{content:counter(a);opacity:.4}.codeLineContent_feaV{padding-right:var(--ifm-pre-padding)}.theme-code-block:hover .copyButtonCopied_obH4{opacity:1!important}.copyButtonIcons_eSgA{height:1.125rem;position:relative;width:1.125rem}.copyButtonIcon_y97N,.copyButtonSuccessIcon_LjdS{left:0;position:absolute;top:0;fill:currentColor;height:inherit;opacity:inherit;transition:all var(--ifm-transition-fast) ease;width:inherit}.copyButtonSuccessIcon_LjdS{color:#00d600;left:50%;opacity:0;top:50%;transform:translate(-50%,-50%) scale(.33)}.copyButtonCopied_obH4 .copyButtonIcon_y97N{opacity:0;transform:scale(.33)}.copyButtonCopied_obH4 .copyButtonSuccessIcon_LjdS{opacity:1;transform:translate(-50%,-50%) scale(1);transition-delay:75ms}.wordWrapButtonIcon_Bwma{height:1.2rem;width:1.2rem}.details_lb9f{--docusaurus-details-summary-arrow-size:0.38rem;--docusaurus-details-transition:transform 200ms ease;--docusaurus-details-decoration-color:grey}.details_lb9f>summary{cursor:pointer;padding-left:1rem;position:relative}.details_lb9f>summary::-webkit-details-marker{display:none}.details_lb9f>summary:before{border-color:#0000 #0000 #0000 var(--docusaurus-details-decoration-color);border-style:solid;border-width:var(--docusaurus-details-summary-arrow-size);content:"";left:0;position:absolute;top:.45rem;transform:rotate(0);transform-origin:calc(var(--docusaurus-details-summary-arrow-size)/2) 50%;transition:var(--docusaurus-details-transition)}.collapsibleContent_i85q{border-top:1px solid var(--docusaurus-details-decoration-color);margin-top:1rem;padding-top:1rem}.details_b_Ee{--docusaurus-details-decoration-color:var(--ifm-alert-border-color);--docusaurus-details-transition:transform var(--ifm-transition-fast) ease;border:1px solid var(--ifm-alert-border-color);margin:0 0 var(--ifm-spacing-vertical)}:not(.containsTaskList_mC6p>li)>.containsTaskList_mC6p{padding-left:0}.img_ev3q{height:auto}.admonition_xJq3{margin-bottom:1em}.admonitionHeading_Gvgb{font:var(--ifm-heading-font-weight) var(--ifm-h5-font-size)/var(--ifm-heading-line-height) var(--ifm-heading-font-family)}.admonitionHeading_Gvgb:not(:last-child){margin-bottom:.3rem}.admonitionHeading_Gvgb code{text-transform:none}.admonitionIcon_Rf37{display:inline-block;margin-right:.4em;vertical-align:middle}.admonitionIcon_Rf37 svg{display:inline-block;height:1.6em;width:1.6em;fill:var(--ifm-alert-foreground-color)}.breadcrumbHomeIcon_YNFT{height:1.1rem;position:relative;top:1px;vertical-align:top;width:1.1rem}.breadcrumbsContainer_Z_bl{--ifm-breadcrumb-size-multiplier:0.8;margin-bottom:.8rem}.searchContextInput_mXoe,.searchQueryInput_CFBF{background:var(--ifm-background-color);border:var(--ifm-global-border-width) solid var(--ifm-color-content-secondary);border-radius:var(--ifm-global-radius);color:var(--ifm-font-color-base);font-size:var(--ifm-font-size-base);margin-bottom:1rem;padding:.5rem;width:100%}.searchResultItem_U687{border-bottom:1px solid #dfe3e8;padding:1rem 0}.searchResultItemPath_uIbk{color:var(--ifm-color-content-secondary);font-size:.8rem;margin:.5rem 0 0}.searchResultItemSummary_oZHr{font-style:italic;margin:.5rem 0 0}.backToTopButton_sjWU{background-color:var(--ifm-color-emphasis-200);border-radius:50%;bottom:1.3rem;box-shadow:var(--ifm-global-shadow-lw);height:3rem;opacity:0;position:fixed;right:1.3rem;transform:scale(0);transition:all var(--ifm-transition-fast) var(--ifm-transition-timing-default);visibility:hidden;width:3rem;z-index:calc(var(--ifm-z-index-fixed) - 1)}.backToTopButton_sjWU:after{background-color:var(--ifm-color-emphasis-1000);content:" ";display:inline-block;height:100%;-webkit-mask:var(--ifm-menu-link-sublist-icon) 50%/2rem 2rem no-repeat;mask:var(--ifm-menu-link-sublist-icon) 50%/2rem 2rem no-repeat;width:100%}.backToTopButtonShow_xfvO{opacity:1;transform:scale(1);visibility:visible}[data-theme=dark]:root{--docusaurus-collapse-button-bg:#ffffff0d;--docusaurus-collapse-button-bg-hover:#ffffff1a}.collapseSidebarButton_PEFL{display:none;margin:0}.docSidebarContainer_YfHR,.sidebarLogo_isFc{display:none}.docMainContainer_TBSr,.docRoot_UBD9{display:flex;width:100%}.docsWrapper_hBAB{display:flex;flex:1 0 auto}@media (min-width:997px){.collapseSidebarButton_PEFL,.expandButton_TmdG{background-color:var(--docusaurus-collapse-button-bg)}:root{--docusaurus-announcement-bar-height:30px}.announcementBarClose_gvF7,.announcementBarPlaceholder_vyr4{flex-basis:50px}.navbarSearchContainer_Bca1{padding:var(--ifm-navbar-item-padding-vertical) var(--ifm-navbar-item-padding-horizontal)}.lastUpdated_JAkA{text-align:right}.tocMobile_ITEo{display:none}.docItemCol_VOVn{max-width:75%!important}.collapseSidebarButton_PEFL{border:1px solid var(--ifm-toc-border-color);border-radius:0;bottom:0;display:block!important;height:40px;position:sticky}.collapseSidebarButtonIcon_kv0_{margin-top:4px;transform:rotate(180deg)}.expandButtonIcon_i1dp,[dir=rtl] .collapseSidebarButtonIcon_kv0_{transform:rotate(0)}.collapseSidebarButton_PEFL:focus,.collapseSidebarButton_PEFL:hover,.expandButton_TmdG:focus,.expandButton_TmdG:hover{background-color:var(--docusaurus-collapse-button-bg-hover)}.menuHtmlItem_M9Kj{padding:var(--ifm-menu-link-padding-vertical) var(--ifm-menu-link-padding-horizontal)}.menu_SIkG{flex-grow:1;padding:.5rem}@supports (scrollbar-gutter:stable){.menu_SIkG{padding:.5rem 0 .5rem .5rem;scrollbar-gutter:stable}}.menuWithAnnouncementBar_GW3s{margin-bottom:var(--docusaurus-announcement-bar-height)}.sidebar_njMd{display:flex;flex-direction:column;height:100%;padding-top:var(--ifm-navbar-height);width:var(--doc-sidebar-width)}.sidebarWithHideableNavbar_wUlq{padding-top:0}.sidebarHidden_VK0M{opacity:0;visibility:hidden}.sidebarLogo_isFc{align-items:center;color:inherit!important;display:flex!important;margin:0 var(--ifm-navbar-padding-horizontal);max-height:var(--ifm-navbar-height);min-height:var(--ifm-navbar-height);text-decoration:none!important}.sidebarLogo_isFc img{height:2rem;margin-right:.5rem}.expandButton_TmdG{align-items:center;display:flex;height:100%;justify-content:center;position:absolute;right:0;top:0;transition:background-color var(--ifm-transition-fast) ease;width:100%}[dir=rtl] .expandButtonIcon_i1dp{transform:rotate(180deg)}.docSidebarContainer_YfHR{border-right:1px solid var(--ifm-toc-border-color);clip-path:inset(0);display:block;margin-top:calc(var(--ifm-navbar-height)*-1);transition:width var(--ifm-transition-fast) ease;width:var(--doc-sidebar-width);will-change:width}.docSidebarContainerHidden_DPk8{cursor:pointer;width:var(--doc-sidebar-hidden-width)}.sidebarViewport_aRkj{height:100%;max-height:100vh;position:sticky;top:0}.docMainContainer_TBSr{flex-grow:1;max-width:calc(100% - var(--doc-sidebar-width))}.docMainContainerEnhanced_lQrH{max-width:calc(100% - var(--doc-sidebar-hidden-width))}.docItemWrapperEnhanced_JWYK{max-width:calc(var(--ifm-container-width) + var(--doc-sidebar-width))!important}}@media (min-width:1440px){.container{max-width:var(--ifm-container-width-xl)}}@media (max-width:996px){.col{--ifm-col-width:100%;flex-basis:var(--ifm-col-width);margin-left:0}.footer{--ifm-footer-padding-horizontal:0}.colorModeToggle_DEke,.footer__link-separator,.navbar-sidebar__back,.navbar__item,.tableOfContents_bqdL{display:none}.footer__col{margin-bottom:calc(var(--ifm-spacing-vertical)*3)}.footer__link-item{display:block}.hero{padding-left:0;padding-right:0}.navbar>.container,.navbar>.container-fluid{padding:0}.navbar__toggle{display:inherit}.navbar__search-input{width:9rem}.pills--block,.tabs--block{flex-direction:column}.navbarSearchContainer_Bca1{position:absolute;right:var(--ifm-navbar-padding-horizontal)}.docItemContainer_F8PC{padding:0 .3rem}}@media not (max-width:996px){.searchBar_RVTs.searchBarLeft_MXDe .dropdownMenu_qbY6{left:0!important;right:auto!important}}@media only screen and (max-width:996px){.searchQueryColumn_q7nx{max-width:60%!important}.searchContextColumn_oWAF{max-width:40%!important}}@media (max-width:768px){#theme-main h1{font-size:50px!important;font-weight:700;line-height:3rem!important}#theme-main .header-docs{margin-bottom:20px}}@media (max-width:576px){.markdown h1:first-child{--ifm-h1-font-size:2rem}.markdown>h2{--ifm-h2-font-size:1.5rem}.markdown>h3{--ifm-h3-font-size:1.25rem}.navbar__search-input:not(:focus){width:2rem}.searchBar_RVTs .dropdownMenu_qbY6{max-width:calc(100vw - var(--ifm-navbar-padding-horizontal)*2);width:var(--search-local-modal-width-sm,340px)}.searchBarContainer_NW3z:not(.focused_OWtg) .searchClearButton_qk4g,.searchHintContainer_Pkmr{display:none}}@media screen and (max-width:576px){.searchQueryColumn_q7nx{max-width:100%!important}.searchContextColumn_oWAF{max-width:100%!important;padding-left:var(--ifm-spacing-horizontal)!important}}@media (hover:hover){.backToTopButton_sjWU:hover{background-color:var(--ifm-color-emphasis-300)}}@media (pointer:fine){.thin-scrollbar{scrollbar-width:thin}.thin-scrollbar::-webkit-scrollbar{height:var(--ifm-scrollbar-size);width:var(--ifm-scrollbar-size)}.thin-scrollbar::-webkit-scrollbar-track{background:var(--ifm-scrollbar-track-background-color);border-radius:10px}.thin-scrollbar::-webkit-scrollbar-thumb{background:var(--ifm-scrollbar-thumb-background-color);border-radius:10px}.thin-scrollbar::-webkit-scrollbar-thumb:hover{background:var(--ifm-scrollbar-thumb-hover-background-color)}}@media (prefers-reduced-motion:reduce){:root{--ifm-transition-fast:0ms;--ifm-transition-slow:0ms}}@media print{.announcementBar_mb4j,.footer,.menu,.navbar,.pagination-nav,.table-of-contents,.tocMobile_ITEo{display:none}.tabs{page-break-inside:avoid}.codeBlockLines_e6Vv{white-space:pre-wrap}} \ No newline at end of file +.col,.container{padding:0 var(--ifm-spacing-horizontal);width:100%}.markdown>h2,.markdown>h3,.markdown>h4,.markdown>h5,.markdown>h6{margin-bottom:calc(var(--ifm-heading-vertical-rhythm-bottom)*var(--ifm-leading))}pre,table{overflow:auto}blockquote,pre{margin:0 0 var(--ifm-spacing-vertical)}.breadcrumbs__link,.button{transition-timing-function:var(--ifm-transition-timing-default)}.button,code{vertical-align:middle}.button--outline.button--active,.button--outline:active,.button--outline:hover,:root{--ifm-button-color:var(--ifm-font-color-base-inverse)}.menu__link:hover,a{transition:color var(--ifm-transition-fast) var(--ifm-transition-timing-default)}.navbar--dark,:root{--ifm-navbar-link-hover-color:var(--ifm-color-primary)}.menu,.navbar-sidebar{overflow-x:hidden}:root,html[data-theme=dark]{--ifm-color-emphasis-500:var(--ifm-color-gray-500)}.markdown li,body{word-wrap:break-word}.toggleButton_gllP,html{-webkit-tap-highlight-color:transparent}*,.loadingRing_RJI3 div{box-sizing:border-box}.clean-list,.containsTaskList_mC6p,.details_lb9f>summary,.dropdown__menu,.menu__list{list-style:none}:root{--ifm-color-scheme:light;--ifm-dark-value:10%;--ifm-darker-value:15%;--ifm-darkest-value:30%;--ifm-light-value:15%;--ifm-lighter-value:30%;--ifm-lightest-value:50%;--ifm-contrast-background-value:90%;--ifm-contrast-foreground-value:70%;--ifm-contrast-background-dark-value:70%;--ifm-contrast-foreground-dark-value:90%;--ifm-color-primary:#3578e5;--ifm-color-secondary:#ebedf0;--ifm-color-success:#00a400;--ifm-color-info:#54c7ec;--ifm-color-warning:#ffba00;--ifm-color-danger:#fa383e;--ifm-color-primary-dark:#306cce;--ifm-color-primary-darker:#2d66c3;--ifm-color-primary-darkest:#2554a0;--ifm-color-primary-light:#538ce9;--ifm-color-primary-lighter:#72a1ed;--ifm-color-primary-lightest:#9abcf2;--ifm-color-primary-contrast-background:#ebf2fc;--ifm-color-primary-contrast-foreground:#102445;--ifm-color-secondary-dark:#d4d5d8;--ifm-color-secondary-darker:#c8c9cc;--ifm-color-secondary-darkest:#a4a6a8;--ifm-color-secondary-light:#eef0f2;--ifm-color-secondary-lighter:#f1f2f5;--ifm-color-secondary-lightest:#f5f6f8;--ifm-color-secondary-contrast-background:#fdfdfe;--ifm-color-secondary-contrast-foreground:#474748;--ifm-color-success-dark:#009400;--ifm-color-success-darker:#008b00;--ifm-color-success-darkest:#007300;--ifm-color-success-light:#26b226;--ifm-color-success-lighter:#4dbf4d;--ifm-color-success-lightest:#80d280;--ifm-color-success-contrast-background:#e6f6e6;--ifm-color-success-contrast-foreground:#003100;--ifm-color-info-dark:#4cb3d4;--ifm-color-info-darker:#47a9c9;--ifm-color-info-darkest:#3b8ba5;--ifm-color-info-light:#6ecfef;--ifm-color-info-lighter:#87d8f2;--ifm-color-info-lightest:#aae3f6;--ifm-color-info-contrast-background:#eef9fd;--ifm-color-info-contrast-foreground:#193c47;--ifm-color-warning-dark:#e6a700;--ifm-color-warning-darker:#d99e00;--ifm-color-warning-darkest:#b38200;--ifm-color-warning-light:#ffc426;--ifm-color-warning-lighter:#ffcf4d;--ifm-color-warning-lightest:#ffdd80;--ifm-color-warning-contrast-background:#fff8e6;--ifm-color-warning-contrast-foreground:#4d3800;--ifm-color-danger-dark:#e13238;--ifm-color-danger-darker:#d53035;--ifm-color-danger-darkest:#af272b;--ifm-color-danger-light:#fb565b;--ifm-color-danger-lighter:#fb7478;--ifm-color-danger-lightest:#fd9c9f;--ifm-color-danger-contrast-background:#ffebec;--ifm-color-danger-contrast-foreground:#4b1113;--ifm-color-white:#fff;--ifm-color-black:#000;--ifm-color-gray-0:var(--ifm-color-white);--ifm-color-gray-100:#f5f6f7;--ifm-color-gray-200:#ebedf0;--ifm-color-gray-300:#dadde1;--ifm-color-gray-400:#ccd0d5;--ifm-color-gray-500:#bec3c9;--ifm-color-gray-600:#8d949e;--ifm-color-gray-700:#606770;--ifm-color-gray-800:#444950;--ifm-color-gray-900:#1c1e21;--ifm-color-gray-1000:var(--ifm-color-black);--ifm-color-emphasis-0:var(--ifm-color-gray-0);--ifm-color-emphasis-100:var(--ifm-color-gray-100);--ifm-color-emphasis-200:var(--ifm-color-gray-200);--ifm-color-emphasis-300:var(--ifm-color-gray-300);--ifm-color-emphasis-400:var(--ifm-color-gray-400);--ifm-color-emphasis-600:var(--ifm-color-gray-600);--ifm-color-emphasis-700:var(--ifm-color-gray-700);--ifm-color-emphasis-800:var(--ifm-color-gray-800);--ifm-color-emphasis-900:var(--ifm-color-gray-900);--ifm-color-emphasis-1000:var(--ifm-color-gray-1000);--ifm-color-content:var(--ifm-color-emphasis-900);--ifm-color-content-inverse:var(--ifm-color-emphasis-0);--ifm-color-content-secondary:#525860;--ifm-background-color:#0000;--ifm-background-surface-color:var(--ifm-color-content-inverse);--ifm-global-border-width:1px;--ifm-global-radius:0.4rem;--ifm-hover-overlay:#0000000d;--ifm-font-color-base:var(--ifm-color-content);--ifm-font-color-base-inverse:var(--ifm-color-content-inverse);--ifm-font-color-secondary:var(--ifm-color-content-secondary);--ifm-font-family-base:system-ui,-apple-system,Segoe UI,Roboto,Ubuntu,Cantarell,Noto Sans,sans-serif,BlinkMacSystemFont,"Segoe UI",Helvetica,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";--ifm-font-family-monospace:SFMono-Regular,Menlo,Monaco,Consolas,"Liberation Mono","Courier New",monospace;--ifm-font-size-base:100%;--ifm-font-weight-light:300;--ifm-font-weight-normal:400;--ifm-font-weight-semibold:500;--ifm-font-weight-bold:700;--ifm-font-weight-base:var(--ifm-font-weight-normal);--ifm-line-height-base:1.65;--ifm-global-spacing:1rem;--ifm-spacing-vertical:var(--ifm-global-spacing);--ifm-spacing-horizontal:var(--ifm-global-spacing);--ifm-transition-fast:200ms;--ifm-transition-slow:400ms;--ifm-transition-timing-default:cubic-bezier(0.08,0.52,0.52,1);--ifm-global-shadow-lw:0 1px 2px 0 #0000001a;--ifm-global-shadow-md:0 5px 40px #0003;--ifm-global-shadow-tl:0 12px 28px 0 #0003,0 2px 4px 0 #0000001a;--ifm-z-index-dropdown:100;--ifm-z-index-fixed:200;--ifm-z-index-overlay:400;--ifm-container-width:1140px;--ifm-container-width-xl:1320px;--ifm-code-background:#f6f7f8;--ifm-code-border-radius:var(--ifm-global-radius);--ifm-code-font-size:90%;--ifm-code-padding-horizontal:0.1rem;--ifm-code-padding-vertical:0.1rem;--ifm-pre-background:var(--ifm-code-background);--ifm-pre-border-radius:var(--ifm-code-border-radius);--ifm-pre-color:inherit;--ifm-pre-line-height:1.45;--ifm-pre-padding:1rem;--ifm-heading-color:inherit;--ifm-heading-margin-top:0;--ifm-heading-margin-bottom:var(--ifm-spacing-vertical);--ifm-heading-font-family:var(--ifm-font-family-base);--ifm-heading-font-weight:var(--ifm-font-weight-bold);--ifm-heading-line-height:1.25;--ifm-h1-font-size:2rem;--ifm-h2-font-size:1.5rem;--ifm-h3-font-size:1.25rem;--ifm-h4-font-size:1rem;--ifm-h5-font-size:0.875rem;--ifm-h6-font-size:0.85rem;--ifm-image-alignment-padding:1.25rem;--ifm-leading-desktop:1.25;--ifm-leading:calc(var(--ifm-leading-desktop)*1rem);--ifm-list-left-padding:2rem;--ifm-list-margin:1rem;--ifm-list-item-margin:0.25rem;--ifm-list-paragraph-margin:1rem;--ifm-table-cell-padding:0.75rem;--ifm-table-background:#0000;--ifm-table-stripe-background:#00000008;--ifm-table-border-width:1px;--ifm-table-border-color:var(--ifm-color-emphasis-300);--ifm-table-head-background:inherit;--ifm-table-head-color:inherit;--ifm-table-head-font-weight:var(--ifm-font-weight-bold);--ifm-table-cell-color:inherit;--ifm-link-color:var(--ifm-color-primary);--ifm-link-decoration:none;--ifm-link-hover-color:var(--ifm-link-color);--ifm-link-hover-decoration:underline;--ifm-paragraph-margin-bottom:var(--ifm-leading);--ifm-blockquote-font-size:var(--ifm-font-size-base);--ifm-blockquote-border-left-width:2px;--ifm-blockquote-padding-horizontal:var(--ifm-spacing-horizontal);--ifm-blockquote-padding-vertical:0;--ifm-blockquote-shadow:none;--ifm-blockquote-color:var(--ifm-color-emphasis-800);--ifm-blockquote-border-color:var(--ifm-color-emphasis-300);--ifm-hr-background-color:var(--ifm-color-emphasis-500);--ifm-hr-height:1px;--ifm-hr-margin-vertical:1.5rem;--ifm-scrollbar-size:7px;--ifm-scrollbar-track-background-color:#f1f1f1;--ifm-scrollbar-thumb-background-color:silver;--ifm-scrollbar-thumb-hover-background-color:#a7a7a7;--ifm-alert-background-color:inherit;--ifm-alert-border-color:inherit;--ifm-alert-border-radius:var(--ifm-global-radius);--ifm-alert-border-width:0px;--ifm-alert-border-left-width:5px;--ifm-alert-color:var(--ifm-font-color-base);--ifm-alert-padding-horizontal:var(--ifm-spacing-horizontal);--ifm-alert-padding-vertical:var(--ifm-spacing-vertical);--ifm-alert-shadow:var(--ifm-global-shadow-lw);--ifm-avatar-intro-margin:1rem;--ifm-avatar-intro-alignment:inherit;--ifm-avatar-photo-size:3rem;--ifm-badge-background-color:inherit;--ifm-badge-border-color:inherit;--ifm-badge-border-radius:var(--ifm-global-radius);--ifm-badge-border-width:var(--ifm-global-border-width);--ifm-badge-color:var(--ifm-color-white);--ifm-badge-padding-horizontal:calc(var(--ifm-spacing-horizontal)*0.5);--ifm-badge-padding-vertical:calc(var(--ifm-spacing-vertical)*0.25);--ifm-breadcrumb-border-radius:1.5rem;--ifm-breadcrumb-spacing:0.5rem;--ifm-breadcrumb-color-active:var(--ifm-color-primary);--ifm-breadcrumb-item-background-active:var(--ifm-hover-overlay);--ifm-breadcrumb-padding-horizontal:0.8rem;--ifm-breadcrumb-padding-vertical:0.4rem;--ifm-breadcrumb-size-multiplier:1;--ifm-breadcrumb-separator:url('data:image/svg+xml;utf8,');--ifm-breadcrumb-separator-filter:none;--ifm-breadcrumb-separator-size:0.5rem;--ifm-breadcrumb-separator-size-multiplier:1.25;--ifm-button-background-color:inherit;--ifm-button-border-color:var(--ifm-button-background-color);--ifm-button-border-width:var(--ifm-global-border-width);--ifm-button-font-weight:var(--ifm-font-weight-bold);--ifm-button-padding-horizontal:1.5rem;--ifm-button-padding-vertical:0.375rem;--ifm-button-size-multiplier:1;--ifm-button-transition-duration:var(--ifm-transition-fast);--ifm-button-border-radius:calc(var(--ifm-global-radius)*var(--ifm-button-size-multiplier));--ifm-button-group-spacing:2px;--ifm-card-background-color:var(--ifm-background-surface-color);--ifm-card-border-radius:calc(var(--ifm-global-radius)*2);--ifm-card-horizontal-spacing:var(--ifm-global-spacing);--ifm-card-vertical-spacing:var(--ifm-global-spacing);--ifm-toc-border-color:var(--ifm-color-emphasis-300);--ifm-toc-link-color:var(--ifm-color-content-secondary);--ifm-toc-padding-vertical:0.5rem;--ifm-toc-padding-horizontal:0.5rem;--ifm-dropdown-background-color:var(--ifm-background-surface-color);--ifm-dropdown-font-weight:var(--ifm-font-weight-semibold);--ifm-dropdown-link-color:var(--ifm-font-color-base);--ifm-dropdown-hover-background-color:var(--ifm-hover-overlay);--ifm-footer-background-color:var(--ifm-color-emphasis-100);--ifm-footer-color:inherit;--ifm-footer-link-color:var(--ifm-color-emphasis-700);--ifm-footer-link-hover-color:var(--ifm-color-primary);--ifm-footer-link-horizontal-spacing:0.5rem;--ifm-footer-padding-horizontal:calc(var(--ifm-spacing-horizontal)*2);--ifm-footer-padding-vertical:calc(var(--ifm-spacing-vertical)*2);--ifm-footer-title-color:inherit;--ifm-footer-logo-max-width:min(30rem,90vw);--ifm-hero-background-color:var(--ifm-background-surface-color);--ifm-hero-text-color:var(--ifm-color-emphasis-800);--ifm-menu-color:var(--ifm-color-emphasis-700);--ifm-menu-color-active:var(--ifm-color-primary);--ifm-menu-color-background-active:var(--ifm-hover-overlay);--ifm-menu-color-background-hover:var(--ifm-hover-overlay);--ifm-menu-link-padding-horizontal:0.75rem;--ifm-menu-link-padding-vertical:0.375rem;--ifm-menu-link-sublist-icon:url('data:image/svg+xml;utf8,');--ifm-menu-link-sublist-icon-filter:none;--ifm-navbar-background-color:var(--ifm-background-surface-color);--ifm-navbar-height:3.75rem;--ifm-navbar-item-padding-horizontal:0.75rem;--ifm-navbar-item-padding-vertical:0.25rem;--ifm-navbar-link-color:var(--ifm-font-color-base);--ifm-navbar-link-active-color:var(--ifm-link-color);--ifm-navbar-padding-horizontal:var(--ifm-spacing-horizontal);--ifm-navbar-padding-vertical:calc(var(--ifm-spacing-vertical)*0.5);--ifm-navbar-shadow:var(--ifm-global-shadow-lw);--ifm-navbar-search-input-background-color:var(--ifm-color-emphasis-200);--ifm-navbar-search-input-color:var(--ifm-color-emphasis-800);--ifm-navbar-search-input-placeholder-color:var(--ifm-color-emphasis-500);--ifm-navbar-search-input-icon:url('data:image/svg+xml;utf8,');--ifm-navbar-sidebar-width:83vw;--ifm-pagination-border-radius:var(--ifm-global-radius);--ifm-pagination-color-active:var(--ifm-color-primary);--ifm-pagination-font-size:1rem;--ifm-pagination-item-active-background:var(--ifm-hover-overlay);--ifm-pagination-page-spacing:0.2em;--ifm-pagination-padding-horizontal:calc(var(--ifm-spacing-horizontal)*1);--ifm-pagination-padding-vertical:calc(var(--ifm-spacing-vertical)*0.25);--ifm-pagination-nav-border-radius:var(--ifm-global-radius);--ifm-pagination-nav-color-hover:var(--ifm-color-primary);--ifm-pills-color-active:var(--ifm-color-primary);--ifm-pills-color-background-active:var(--ifm-hover-overlay);--ifm-pills-spacing:0.125rem;--ifm-tabs-color:var(--ifm-font-color-secondary);--ifm-tabs-color-active:var(--ifm-color-primary);--ifm-tabs-color-active-border:var(--ifm-tabs-color-active);--ifm-tabs-padding-horizontal:1rem;--ifm-tabs-padding-vertical:1rem;--docusaurus-progress-bar-color:var(--ifm-color-primary);--ifm-color-primary:#06527a;--ifm-color-primary-dark:#054a6e;--ifm-color-primary-darker:#054668;--ifm-color-primary-darkest:#043955;--ifm-color-primary-light:#075a86;--ifm-color-primary-lighter:#075e8c;--ifm-color-primary-lightest:#086b9f;--ifm-color-secondary:#ffc61c;--ifm-color-secondary-light:#ffcd38;--dark:#33313b;--light:#f3f3f3;--docusaurus-announcement-bar-height:auto;--docusaurus-tag-list-border:var(--ifm-color-emphasis-300);--docusaurus-collapse-button-bg:#0000;--docusaurus-collapse-button-bg-hover:#0000001a;--doc-sidebar-width:300px;--doc-sidebar-hidden-width:30px}.badge--danger,.badge--info,.badge--primary,.badge--secondary,.badge--success,.badge--warning{--ifm-badge-border-color:var(--ifm-badge-background-color)}.button--link,.button--outline{--ifm-button-background-color:#0000}html{background-color:var(--ifm-background-color);color:var(--ifm-font-color-base);color-scheme:var(--ifm-color-scheme);font:var(--ifm-font-size-base)/var(--ifm-line-height-base) var(--ifm-font-family-base);-webkit-font-smoothing:antialiased;text-rendering:optimizelegibility;-webkit-text-size-adjust:100%;text-size-adjust:100%}iframe{border:0;color-scheme:auto}.container{margin:0 auto;max-width:var(--ifm-container-width)}.container--fluid{max-width:inherit}.row{display:flex;flex-wrap:wrap;margin:0 calc(var(--ifm-spacing-horizontal)*-1)}.margin-bottom--none,.margin-vert--none,.markdown>:last-child{margin-bottom:0!important}.margin-top--none,.margin-vert--none,.tabItem_LNqP{margin-top:0!important}.row--no-gutters{margin-left:0;margin-right:0}.margin-horiz--none,.margin-right--none{margin-right:0!important}.row--no-gutters>.col{padding-left:0;padding-right:0}.row--align-top{align-items:flex-start}.row--align-bottom{align-items:flex-end}.menuExternalLink_NmtK,.row--align-center{align-items:center}.row--align-stretch{align-items:stretch}.row--align-baseline{align-items:baseline}.col{--ifm-col-width:100%;flex:1 0;margin-left:0;max-width:var(--ifm-col-width)}.padding-bottom--none,.padding-vert--none{padding-bottom:0!important}.padding-top--none,.padding-vert--none{padding-top:0!important}.padding-horiz--none,.padding-left--none{padding-left:0!important}.padding-horiz--none,.padding-right--none{padding-right:0!important}.col[class*=col--]{flex:0 0 var(--ifm-col-width)}.col--1{--ifm-col-width:8.33333%}.col--offset-1{margin-left:8.33333%}.col--2{--ifm-col-width:16.66667%}.col--offset-2{margin-left:16.66667%}.col--3{--ifm-col-width:25%}.col--offset-3{margin-left:25%}.col--4{--ifm-col-width:33.33333%}.col--offset-4{margin-left:33.33333%}.col--5{--ifm-col-width:41.66667%}.col--offset-5{margin-left:41.66667%}.col--6{--ifm-col-width:50%}.col--offset-6{margin-left:50%}.col--7{--ifm-col-width:58.33333%}.col--offset-7{margin-left:58.33333%}.col--8{--ifm-col-width:66.66667%}.col--offset-8{margin-left:66.66667%}.col--9{--ifm-col-width:75%}.col--offset-9{margin-left:75%}.col--10{--ifm-col-width:83.33333%}.col--offset-10{margin-left:83.33333%}.col--11{--ifm-col-width:91.66667%}.col--offset-11{margin-left:91.66667%}.col--12{--ifm-col-width:100%}.col--offset-12{margin-left:100%}.margin-horiz--none,.margin-left--none{margin-left:0!important}.margin--none{margin:0!important}.margin-bottom--xs,.margin-vert--xs{margin-bottom:.25rem!important}.margin-top--xs,.margin-vert--xs{margin-top:.25rem!important}.margin-horiz--xs,.margin-left--xs{margin-left:.25rem!important}.margin-horiz--xs,.margin-right--xs{margin-right:.25rem!important}.margin--xs{margin:.25rem!important}.margin-bottom--sm,.margin-vert--sm{margin-bottom:.5rem!important}.margin-top--sm,.margin-vert--sm{margin-top:.5rem!important}.margin-horiz--sm,.margin-left--sm{margin-left:.5rem!important}.margin-horiz--sm,.margin-right--sm{margin-right:.5rem!important}.margin--sm{margin:.5rem!important}.margin-bottom--md,.margin-vert--md{margin-bottom:1rem!important}.margin-top--md,.margin-vert--md{margin-top:1rem!important}.margin-horiz--md,.margin-left--md{margin-left:1rem!important}.margin-horiz--md,.margin-right--md{margin-right:1rem!important}.margin--md{margin:1rem!important}.margin-bottom--lg,.margin-vert--lg{margin-bottom:2rem!important}.margin-top--lg,.margin-vert--lg{margin-top:2rem!important}.margin-horiz--lg,.margin-left--lg{margin-left:2rem!important}.margin-horiz--lg,.margin-right--lg{margin-right:2rem!important}.margin--lg{margin:2rem!important}.margin-bottom--xl,.margin-vert--xl{margin-bottom:5rem!important}.margin-top--xl,.margin-vert--xl{margin-top:5rem!important}.margin-horiz--xl,.margin-left--xl{margin-left:5rem!important}.margin-horiz--xl,.margin-right--xl{margin-right:5rem!important}.margin--xl{margin:5rem!important}.padding--none{padding:0!important}.padding-bottom--xs,.padding-vert--xs{padding-bottom:.25rem!important}.padding-top--xs,.padding-vert--xs{padding-top:.25rem!important}.padding-horiz--xs,.padding-left--xs{padding-left:.25rem!important}.padding-horiz--xs,.padding-right--xs{padding-right:.25rem!important}.padding--xs{padding:.25rem!important}.padding-bottom--sm,.padding-vert--sm{padding-bottom:.5rem!important}.padding-top--sm,.padding-vert--sm{padding-top:.5rem!important}.padding-horiz--sm,.padding-left--sm{padding-left:.5rem!important}.padding-horiz--sm,.padding-right--sm{padding-right:.5rem!important}.padding--sm{padding:.5rem!important}.padding-bottom--md,.padding-vert--md{padding-bottom:1rem!important}.padding-top--md,.padding-vert--md{padding-top:1rem!important}.padding-horiz--md,.padding-left--md{padding-left:1rem!important}.padding-horiz--md,.padding-right--md{padding-right:1rem!important}.padding--md{padding:1rem!important}.padding-bottom--lg,.padding-vert--lg{padding-bottom:2rem!important}.padding-top--lg,.padding-vert--lg{padding-top:2rem!important}.padding-horiz--lg,.padding-left--lg{padding-left:2rem!important}.padding-horiz--lg,.padding-right--lg{padding-right:2rem!important}.padding--lg{padding:2rem!important}.padding-bottom--xl,.padding-vert--xl{padding-bottom:5rem!important}.padding-top--xl,.padding-vert--xl{padding-top:5rem!important}.padding-horiz--xl,.padding-left--xl{padding-left:5rem!important}.padding-horiz--xl,.padding-right--xl{padding-right:5rem!important}.padding--xl{padding:5rem!important}code{background-color:var(--ifm-code-background);border:.1rem solid #0000001a;border-radius:var(--ifm-code-border-radius);font-family:var(--ifm-font-family-monospace);font-size:var(--ifm-code-font-size);padding:var(--ifm-code-padding-vertical) var(--ifm-code-padding-horizontal)}a code{color:inherit}pre{background-color:var(--ifm-pre-background);border-radius:var(--ifm-pre-border-radius);color:var(--ifm-pre-color);font:var(--ifm-code-font-size)/var(--ifm-pre-line-height) var(--ifm-font-family-monospace);padding:var(--ifm-pre-padding)}pre code{background-color:initial;border:none;font-size:100%;line-height:inherit;padding:0}kbd{background-color:var(--ifm-color-emphasis-0);border:1px solid var(--ifm-color-emphasis-400);border-radius:.2rem;box-shadow:inset 0 -1px 0 var(--ifm-color-emphasis-400);color:var(--ifm-color-emphasis-800);font:80% var(--ifm-font-family-monospace);padding:.15rem .3rem}h1,h2,h3,h4,h5,h6{color:var(--ifm-heading-color);font-family:var(--ifm-heading-font-family);font-weight:var(--ifm-heading-font-weight);line-height:var(--ifm-heading-line-height);margin:var(--ifm-heading-margin-top) 0 var(--ifm-heading-margin-bottom) 0}h1{font-size:var(--ifm-h1-font-size)}h2{font-size:var(--ifm-h2-font-size)}h3{font-size:var(--ifm-h3-font-size)}h4{font-size:var(--ifm-h4-font-size)}h5{font-size:var(--ifm-h5-font-size)}h6{font-size:var(--ifm-h6-font-size)}.container_lyt7,.container_lyt7>svg,img{max-width:100%}img[align=right]{padding-left:var(--image-alignment-padding)}img[align=left]{padding-right:var(--image-alignment-padding)}.markdown{--ifm-h1-vertical-rhythm-top:3;--ifm-h2-vertical-rhythm-top:2;--ifm-h3-vertical-rhythm-top:1.5;--ifm-heading-vertical-rhythm-top:1.25;--ifm-h1-vertical-rhythm-bottom:1.25;--ifm-heading-vertical-rhythm-bottom:1}.markdown:after,.markdown:before{content:"";display:table}.markdown:after{clear:both}.markdown h1:first-child{--ifm-h1-font-size:3rem;margin-bottom:calc(var(--ifm-h1-vertical-rhythm-bottom)*var(--ifm-leading))}.markdown>h2{--ifm-h2-font-size:2rem;margin-top:calc(var(--ifm-h2-vertical-rhythm-top)*var(--ifm-leading))}.markdown>h3{--ifm-h3-font-size:1.5rem;margin-top:calc(var(--ifm-h3-vertical-rhythm-top)*var(--ifm-leading))}.markdown>h4,.markdown>h5,.markdown>h6{margin-top:calc(var(--ifm-heading-vertical-rhythm-top)*var(--ifm-leading))}.markdown>p,.markdown>pre,.markdown>ul,.tabList__CuJ{margin-bottom:var(--ifm-leading)}.markdown li>p{margin-top:var(--ifm-list-paragraph-margin)}.markdown li+li{margin-top:var(--ifm-list-item-margin)}ol,ul{margin:0 0 var(--ifm-list-margin);padding-left:var(--ifm-list-left-padding)}ol ol,ul ol{list-style-type:lower-roman}ol ol,ol ul,ul ol,ul ul{margin:0}ol ol ol,ol ul ol,ul ol ol,ul ul ol{list-style-type:lower-alpha}table{border-collapse:collapse;display:block;margin-bottom:var(--ifm-spacing-vertical)}table thead tr{border-bottom:2px solid var(--ifm-table-border-color)}table thead,table tr:nth-child(2n){background-color:var(--ifm-table-stripe-background)}table tr{background-color:var(--ifm-table-background);border-top:var(--ifm-table-border-width) solid var(--ifm-table-border-color)}table td,table th{border:var(--ifm-table-border-width) solid var(--ifm-table-border-color);padding:var(--ifm-table-cell-padding)}table th{background-color:var(--ifm-table-head-background);color:var(--ifm-table-head-color);font-weight:var(--ifm-table-head-font-weight)}table td{color:var(--ifm-table-cell-color)}strong{font-weight:var(--ifm-font-weight-bold)}a{color:var(--ifm-link-color);text-decoration:var(--ifm-link-decoration)}a:hover{color:var(--ifm-link-hover-color);text-decoration:var(--ifm-link-hover-decoration)}.button:hover,.text--no-decoration,.text--no-decoration:hover,a:not([href]){text-decoration:none}p{margin:0 0 var(--ifm-paragraph-margin-bottom)}blockquote{border-left:var(--ifm-blockquote-border-left-width) solid var(--ifm-blockquote-border-color);box-shadow:var(--ifm-blockquote-shadow);color:var(--ifm-blockquote-color);font-size:var(--ifm-blockquote-font-size);padding:var(--ifm-blockquote-padding-vertical) var(--ifm-blockquote-padding-horizontal)}blockquote>:first-child{margin-top:0}blockquote>:last-child{margin-bottom:0}hr{background-color:var(--ifm-hr-background-color);border:0;height:var(--ifm-hr-height);margin:var(--ifm-hr-margin-vertical) 0;background-image:-webkit-linear-gradient(left,#f3f3f3,#adadb1,#f3f3f3);margin:0 auto}.shadow--lw{box-shadow:var(--ifm-global-shadow-lw)!important}.shadow--md{box-shadow:var(--ifm-global-shadow-md)!important}.shadow--tl{box-shadow:var(--ifm-global-shadow-tl)!important}.text--primary,.wordWrapButtonEnabled_EoeP .wordWrapButtonIcon_Bwma{color:var(--ifm-color-primary)}.text--secondary{color:var(--ifm-color-secondary)}.text--success{color:var(--ifm-color-success)}.text--info{color:var(--ifm-color-info)}.text--warning{color:var(--ifm-color-warning)}.text--danger{color:var(--ifm-color-danger)}.text--center{text-align:center}.text--left{text-align:left}.text--justify{text-align:justify}.text--right{text-align:right}.text--capitalize{text-transform:capitalize}.text--lowercase{text-transform:lowercase}.admonitionHeading_Gvgb,.alert__heading,.text--uppercase{text-transform:uppercase}.text--light{font-weight:var(--ifm-font-weight-light)}.text--normal{font-weight:var(--ifm-font-weight-normal)}.text--semibold{font-weight:var(--ifm-font-weight-semibold)}.text--bold{font-weight:var(--ifm-font-weight-bold)}.text--italic{font-style:italic}.text--truncate{overflow:hidden;text-overflow:ellipsis;white-space:nowrap}.text--break{word-wrap:break-word!important;word-break:break-word!important}.clean-btn{background:none;border:none;color:inherit;cursor:pointer;font-family:inherit;padding:0}.alert,.alert .close{color:var(--ifm-alert-foreground-color)}.clean-list{padding-left:0}.alert--primary{--ifm-alert-background-color:var(--ifm-color-primary-contrast-background);--ifm-alert-background-color-highlight:#3578e526;--ifm-alert-foreground-color:var(--ifm-color-primary-contrast-foreground);--ifm-alert-border-color:var(--ifm-color-primary-dark)}.alert--secondary{--ifm-alert-background-color:var(--ifm-color-secondary-contrast-background);--ifm-alert-background-color-highlight:#ebedf026;--ifm-alert-foreground-color:var(--ifm-color-secondary-contrast-foreground);--ifm-alert-border-color:var(--ifm-color-secondary-dark)}.alert--success{--ifm-alert-background-color:var(--ifm-color-success-contrast-background);--ifm-alert-background-color-highlight:#00a40026;--ifm-alert-foreground-color:var(--ifm-color-success-contrast-foreground);--ifm-alert-border-color:var(--ifm-color-success-dark)}.alert--info{--ifm-alert-background-color:var(--ifm-color-info-contrast-background);--ifm-alert-background-color-highlight:#54c7ec26;--ifm-alert-foreground-color:var(--ifm-color-info-contrast-foreground);--ifm-alert-border-color:var(--ifm-color-info-dark)}.alert--warning{--ifm-alert-background-color:var(--ifm-color-warning-contrast-background);--ifm-alert-background-color-highlight:#ffba0026;--ifm-alert-foreground-color:var(--ifm-color-warning-contrast-foreground);--ifm-alert-border-color:var(--ifm-color-warning-dark)}.alert--danger{--ifm-alert-background-color:var(--ifm-color-danger-contrast-background);--ifm-alert-background-color-highlight:#fa383e26;--ifm-alert-foreground-color:var(--ifm-color-danger-contrast-foreground);--ifm-alert-border-color:var(--ifm-color-danger-dark)}.alert{--ifm-code-background:var(--ifm-alert-background-color-highlight);--ifm-link-color:var(--ifm-alert-foreground-color);--ifm-link-hover-color:var(--ifm-alert-foreground-color);--ifm-link-decoration:underline;--ifm-tabs-color:var(--ifm-alert-foreground-color);--ifm-tabs-color-active:var(--ifm-alert-foreground-color);--ifm-tabs-color-active-border:var(--ifm-alert-border-color);background-color:var(--ifm-alert-background-color);border:var(--ifm-alert-border-width) solid var(--ifm-alert-border-color);border-left-width:var(--ifm-alert-border-left-width);border-radius:var(--ifm-alert-border-radius);box-shadow:var(--ifm-alert-shadow);padding:var(--ifm-alert-padding-vertical) var(--ifm-alert-padding-horizontal)}.alert__heading{align-items:center;display:flex;font:700 var(--ifm-h5-font-size)/var(--ifm-heading-line-height) var(--ifm-heading-font-family);margin-bottom:.5rem}.alert__icon{display:inline-flex;margin-right:.4em}.alert__icon svg{fill:var(--ifm-alert-foreground-color);stroke:var(--ifm-alert-foreground-color);stroke-width:0}.alert .close{margin:calc(var(--ifm-alert-padding-vertical)*-1) calc(var(--ifm-alert-padding-horizontal)*-1) 0 0;opacity:.75}.alert .close:focus,.alert .close:hover{opacity:1}.alert a{text-decoration-color:var(--ifm-alert-border-color)}.alert a:hover{text-decoration-thickness:2px}.avatar{column-gap:var(--ifm-avatar-intro-margin);display:flex}.avatar__photo{border-radius:50%;display:block;height:var(--ifm-avatar-photo-size);overflow:hidden;width:var(--ifm-avatar-photo-size)}.card--full-height,.navbar__logo img,body,html{height:100%}.avatar__photo--sm{--ifm-avatar-photo-size:2rem}.avatar__photo--lg{--ifm-avatar-photo-size:4rem}.avatar__photo--xl{--ifm-avatar-photo-size:6rem}.avatar__intro{display:flex;flex:1 1;flex-direction:column;justify-content:center;text-align:var(--ifm-avatar-intro-alignment)}.badge,.breadcrumbs__item,.breadcrumbs__link,.button,.dropdown>.navbar__link:after,.searchBarContainer_NW3z.searchIndexLoading_EJ1f .searchBarLoadingRing_YnHq{display:inline-block}.avatar__name{font:700 var(--ifm-h4-font-size)/var(--ifm-heading-line-height) var(--ifm-font-family-base)}.avatar__subtitle{margin-top:.25rem}.avatar--vertical{--ifm-avatar-intro-alignment:center;--ifm-avatar-intro-margin:0.5rem;align-items:center;flex-direction:column}.badge{background-color:var(--ifm-badge-background-color);border:var(--ifm-badge-border-width) solid var(--ifm-badge-border-color);border-radius:var(--ifm-badge-border-radius);color:var(--ifm-badge-color);font-size:75%;font-weight:var(--ifm-font-weight-bold);line-height:1;padding:var(--ifm-badge-padding-vertical) var(--ifm-badge-padding-horizontal)}.badge--primary{--ifm-badge-background-color:var(--ifm-color-primary)}.badge--secondary{--ifm-badge-background-color:var(--ifm-color-secondary);color:var(--ifm-color-black)}.breadcrumbs__link,.button.button--secondary.button--outline:not(.button--active):not(:hover){color:var(--ifm-font-color-base)}.badge--success{--ifm-badge-background-color:var(--ifm-color-success)}.badge--info{--ifm-badge-background-color:var(--ifm-color-info)}.badge--warning{--ifm-badge-background-color:var(--ifm-color-warning)}.badge--danger{--ifm-badge-background-color:var(--ifm-color-danger)}.breadcrumbs{margin-bottom:0;padding-left:0}.breadcrumbs__item:not(:last-child):after{background:var(--ifm-breadcrumb-separator) center;content:" ";display:inline-block;filter:var(--ifm-breadcrumb-separator-filter);height:calc(var(--ifm-breadcrumb-separator-size)*var(--ifm-breadcrumb-size-multiplier)*var(--ifm-breadcrumb-separator-size-multiplier));margin:0 var(--ifm-breadcrumb-spacing);opacity:.5;width:calc(var(--ifm-breadcrumb-separator-size)*var(--ifm-breadcrumb-size-multiplier)*var(--ifm-breadcrumb-separator-size-multiplier))}.breadcrumbs__item--active .breadcrumbs__link{background:var(--ifm-breadcrumb-item-background-active);color:var(--ifm-breadcrumb-color-active)}.breadcrumbs__link{border-radius:var(--ifm-breadcrumb-border-radius);font-size:calc(1rem*var(--ifm-breadcrumb-size-multiplier));padding:calc(var(--ifm-breadcrumb-padding-vertical)*var(--ifm-breadcrumb-size-multiplier)) calc(var(--ifm-breadcrumb-padding-horizontal)*var(--ifm-breadcrumb-size-multiplier));transition-duration:var(--ifm-transition-fast);transition-property:background,color}.breadcrumbs__link:any-link:hover,.breadcrumbs__link:link:hover,.breadcrumbs__link:visited:hover,area[href].breadcrumbs__link:hover{background:var(--ifm-breadcrumb-item-background-active);text-decoration:none}.breadcrumbs--sm{--ifm-breadcrumb-size-multiplier:0.8}.breadcrumbs--lg{--ifm-breadcrumb-size-multiplier:1.2}.button{background-color:var(--ifm-button-background-color);border:var(--ifm-button-border-width) solid var(--ifm-button-border-color);border-radius:var(--ifm-button-border-radius);cursor:pointer;font-size:calc(.875rem*var(--ifm-button-size-multiplier));font-weight:var(--ifm-button-font-weight);line-height:1.5;padding:calc(var(--ifm-button-padding-vertical)*var(--ifm-button-size-multiplier)) calc(var(--ifm-button-padding-horizontal)*var(--ifm-button-size-multiplier));text-align:center;transition-duration:var(--ifm-button-transition-duration);transition-property:color,background,border-color;-webkit-user-select:none;user-select:none;white-space:nowrap}.button,.button:hover{color:var(--ifm-button-color)}.button--outline{--ifm-button-color:var(--ifm-button-border-color)}.button--outline:hover{--ifm-button-background-color:var(--ifm-button-border-color)}.button--link{--ifm-button-border-color:#0000;color:var(--ifm-link-color);text-decoration:var(--ifm-link-decoration)}.button--link.button--active,.button--link:active,.button--link:hover{color:var(--ifm-link-hover-color);text-decoration:var(--ifm-link-hover-decoration)}.button.disabled,.button:disabled,.button[disabled]{opacity:.65;pointer-events:none}.button--sm{--ifm-button-size-multiplier:0.8}.button--lg{--ifm-button-size-multiplier:1.35}.button--block{display:block;width:100%}.button.button--secondary{color:var(--ifm-color-gray-900)}:where(.button--primary){--ifm-button-background-color:var(--ifm-color-primary);--ifm-button-border-color:var(--ifm-color-primary)}:where(.button--primary):not(.button--outline):hover{--ifm-button-background-color:var(--ifm-color-primary-dark);--ifm-button-border-color:var(--ifm-color-primary-dark)}.button--primary.button--active,.button--primary:active{--ifm-button-background-color:var(--ifm-color-primary-darker);--ifm-button-border-color:var(--ifm-color-primary-darker)}:where(.button--secondary){--ifm-button-background-color:var(--ifm-color-secondary);--ifm-button-border-color:var(--ifm-color-secondary)}:where(.button--secondary):not(.button--outline):hover{--ifm-button-background-color:var(--ifm-color-secondary-dark);--ifm-button-border-color:var(--ifm-color-secondary-dark)}.button--secondary.button--active,.button--secondary:active{--ifm-button-background-color:var(--ifm-color-secondary-darker);--ifm-button-border-color:var(--ifm-color-secondary-darker)}:where(.button--success){--ifm-button-background-color:var(--ifm-color-success);--ifm-button-border-color:var(--ifm-color-success)}:where(.button--success):not(.button--outline):hover{--ifm-button-background-color:var(--ifm-color-success-dark);--ifm-button-border-color:var(--ifm-color-success-dark)}.button--success.button--active,.button--success:active{--ifm-button-background-color:var(--ifm-color-success-darker);--ifm-button-border-color:var(--ifm-color-success-darker)}:where(.button--info){--ifm-button-background-color:var(--ifm-color-info);--ifm-button-border-color:var(--ifm-color-info)}:where(.button--info):not(.button--outline):hover{--ifm-button-background-color:var(--ifm-color-info-dark);--ifm-button-border-color:var(--ifm-color-info-dark)}.button--info.button--active,.button--info:active{--ifm-button-background-color:var(--ifm-color-info-darker);--ifm-button-border-color:var(--ifm-color-info-darker)}:where(.button--warning){--ifm-button-background-color:var(--ifm-color-warning);--ifm-button-border-color:var(--ifm-color-warning)}:where(.button--warning):not(.button--outline):hover{--ifm-button-background-color:var(--ifm-color-warning-dark);--ifm-button-border-color:var(--ifm-color-warning-dark)}.button--warning.button--active,.button--warning:active{--ifm-button-background-color:var(--ifm-color-warning-darker);--ifm-button-border-color:var(--ifm-color-warning-darker)}:where(.button--danger){--ifm-button-background-color:var(--ifm-color-danger);--ifm-button-border-color:var(--ifm-color-danger)}:where(.button--danger):not(.button--outline):hover{--ifm-button-background-color:var(--ifm-color-danger-dark);--ifm-button-border-color:var(--ifm-color-danger-dark)}.button--danger.button--active,.button--danger:active{--ifm-button-background-color:var(--ifm-color-danger-darker);--ifm-button-border-color:var(--ifm-color-danger-darker)}.button-group{display:inline-flex;gap:var(--ifm-button-group-spacing)}.button-group>.button:not(:first-child){border-bottom-left-radius:0;border-top-left-radius:0}.button-group>.button:not(:last-child){border-bottom-right-radius:0;border-top-right-radius:0}.button-group--block{display:flex;justify-content:stretch}.button-group--block>.button{flex-grow:1}.card{background-color:var(--ifm-card-background-color);border-radius:var(--ifm-card-border-radius);box-shadow:var(--ifm-global-shadow-lw);display:flex;flex-direction:column;overflow:hidden}.card__image{padding-top:var(--ifm-card-vertical-spacing)}.card__image:first-child{padding-top:0}.card__body,.card__footer,.card__header{padding:var(--ifm-card-vertical-spacing) var(--ifm-card-horizontal-spacing)}.card__body:not(:last-child),.card__footer:not(:last-child),.card__header:not(:last-child){padding-bottom:0}.card__body>:last-child,.card__footer>:last-child,.card__header>:last-child{margin-bottom:0}.card__footer{margin-top:auto}.table-of-contents{font-size:.8rem;margin-bottom:0;padding:var(--ifm-toc-padding-vertical) 0}.table-of-contents,.table-of-contents ul{list-style:none;padding-left:var(--ifm-toc-padding-horizontal)}.table-of-contents li{margin:var(--ifm-toc-padding-vertical) var(--ifm-toc-padding-horizontal)}.table-of-contents__left-border{border-left:1px solid var(--ifm-toc-border-color)}.table-of-contents__link{color:var(--ifm-toc-link-color);display:block}.table-of-contents__link--active,.table-of-contents__link--active code,.table-of-contents__link:hover,.table-of-contents__link:hover code{color:var(--ifm-color-primary);text-decoration:none}.content_knG7 a,.hitFooter_E9YW a,.suggestion_fB_2.cursor_eG29 mark{text-decoration:underline}.close{color:var(--ifm-color-black);float:right;font-size:1.5rem;font-weight:var(--ifm-font-weight-bold);line-height:1;opacity:.5;padding:1rem;transition:opacity var(--ifm-transition-fast) var(--ifm-transition-timing-default)}.close:hover{opacity:.7}.close:focus,.theme-code-block-highlighted-line .codeLineNumber_Tfdd:before{opacity:.8}.dropdown{display:inline-flex;font-weight:var(--ifm-dropdown-font-weight);position:relative;vertical-align:top}.dropdown--hoverable:hover .dropdown__menu,.dropdown--show .dropdown__menu{opacity:1;pointer-events:all;transform:translateY(-1px);visibility:visible}.dropdown--right .dropdown__menu{left:inherit;right:0}.dropdown--nocaret .navbar__link:after{content:none!important}.dropdown__menu{background-color:var(--ifm-dropdown-background-color);border-radius:var(--ifm-global-radius);box-shadow:var(--ifm-global-shadow-md);left:0;max-height:80vh;min-width:10rem;opacity:0;overflow-y:auto;padding:.5rem;pointer-events:none;position:absolute;top:calc(100% - var(--ifm-navbar-item-padding-vertical) + .3rem);transform:translateY(-.625rem);transition-duration:var(--ifm-transition-fast);transition-property:opacity,transform,visibility;transition-timing-function:var(--ifm-transition-timing-default);visibility:hidden;z-index:var(--ifm-z-index-dropdown)}.menu__caret,.menu__link,.menu__list-item-collapsible{border-radius:.25rem;transition:background var(--ifm-transition-fast) var(--ifm-transition-timing-default)}.dropdown__link{border-radius:.25rem;color:var(--ifm-dropdown-link-color);display:block;font-size:.875rem;margin-top:.2rem;padding:.25rem .5rem;white-space:nowrap}.dropdown__link--active,.dropdown__link:hover{background-color:var(--ifm-dropdown-hover-background-color);color:var(--ifm-dropdown-link-color);text-decoration:none}.dropdown__link--active,.dropdown__link--active:hover{--ifm-dropdown-link-color:var(--ifm-link-color)}.dropdown>.navbar__link:after{border-color:currentcolor #0000;border-style:solid;border-width:.4em .4em 0;content:"";margin-left:.3em;position:relative;top:2px;transform:translateY(-50%)}.footer{background-color:var(--ifm-footer-background-color);color:var(--ifm-footer-color);padding:var(--ifm-footer-padding-vertical) var(--ifm-footer-padding-horizontal)}.footer--dark{--ifm-footer-background-color:#303846;--ifm-footer-color:var(--ifm-footer-link-color);--ifm-footer-link-color:var(--ifm-color-secondary);--ifm-footer-title-color:var(--ifm-color-white)}.footer__links{margin-bottom:1rem}.footer__link-item{color:var(--ifm-footer-link-color);line-height:2}.footer__link-item:hover{color:var(--ifm-footer-link-hover-color)}.footer__link-separator{margin:0 var(--ifm-footer-link-horizontal-spacing)}.footer__logo{margin-top:1rem;max-width:var(--ifm-footer-logo-max-width)}.footer__title{color:var(--ifm-footer-title-color);font:700 var(--ifm-h4-font-size)/var(--ifm-heading-line-height) var(--ifm-font-family-base);margin-bottom:var(--ifm-heading-margin-bottom)}.menu,.navbar__link{font-weight:var(--ifm-font-weight-semibold)}.docItemContainer_Djhp article>:first-child,.docItemContainer_Djhp header+*,.footer__item{margin-top:0}.admonitionContent_BuS1>:last-child,.collapsibleContent_i85q p:last-child,.details_lb9f>summary>p:last-child,.footer__items,.searchResultItem_U687>h2,.tabItem_Ymn6>:last-child{margin-bottom:0}.codeBlockStandalone_MEMb,[type=checkbox]{padding:0}.hero{align-items:center;background-color:var(--ifm-hero-background-color);color:var(--ifm-hero-text-color);display:flex;padding:4rem 2rem}.hero--primary{--ifm-hero-background-color:var(--ifm-color-primary);--ifm-hero-text-color:var(--ifm-font-color-base-inverse)}.hero--dark{--ifm-hero-background-color:#303846;--ifm-hero-text-color:var(--ifm-color-white)}.hero__title{font-size:3rem}.hero__subtitle{font-size:1.5rem}.menu__list{margin:0;padding-left:0}.menu__caret,.menu__link{padding:var(--ifm-menu-link-padding-vertical) var(--ifm-menu-link-padding-horizontal)}.menu__list .menu__list{flex:0 0 100%;margin-top:.25rem;padding-left:var(--ifm-menu-link-padding-horizontal)}.menu__list-item:not(:first-child){margin-top:.25rem}.menu__list-item--collapsed .menu__list{height:0;overflow:hidden}.details_lb9f[data-collapsed=false].isBrowser_bmU9>summary:before,.details_lb9f[open]:not(.isBrowser_bmU9)>summary:before,.menu__list-item--collapsed .menu__caret:before,.menu__list-item--collapsed .menu__link--sublist:after{transform:rotate(90deg)}.menu__list-item-collapsible{display:flex;flex-wrap:wrap;position:relative}.menu__caret:hover,.menu__link:hover,.menu__list-item-collapsible--active,.menu__list-item-collapsible:hover{background:var(--ifm-menu-color-background-hover)}.menu__list-item-collapsible .menu__link--active,.menu__list-item-collapsible .menu__link:hover{background:none!important}.menu__caret,.menu__link{align-items:center;display:flex}.menu__link{color:var(--ifm-menu-color);flex:1;line-height:1.25}.menu__link:hover{color:var(--ifm-menu-color);text-decoration:none}.menu__caret:before,.menu__link--sublist-caret:after{height:1.25rem;transform:rotate(180deg);transition:transform var(--ifm-transition-fast) linear;width:1.25rem;content:"";filter:var(--ifm-menu-link-sublist-icon-filter)}.menu__link--sublist-caret:after{background:var(--ifm-menu-link-sublist-icon) 50%/2rem 2rem;margin-left:auto;min-width:1.25rem}.navbar__items--center .navbar__brand,body{margin:0}.menu__link--active,.menu__link--active:hover{color:var(--ifm-menu-color-active)}.navbar__brand,.navbar__link{color:var(--ifm-navbar-link-color)}.menu__link--active:not(.menu__link--sublist){background-color:var(--ifm-menu-color-background-active)}.menu__caret:before{background:var(--ifm-menu-link-sublist-icon) 50%/2rem 2rem}.navbar--dark,html[data-theme=dark]{--ifm-menu-link-sublist-icon-filter:invert(100%) sepia(94%) saturate(17%) hue-rotate(223deg) brightness(104%) contrast(98%)}.navbar{background-color:var(--ifm-navbar-background-color);box-shadow:var(--ifm-navbar-shadow);height:var(--ifm-navbar-height);padding:var(--ifm-navbar-padding-vertical) var(--ifm-navbar-padding-horizontal)}.navbar,.navbar>.container,.navbar>.container-fluid{display:flex}.navbar--fixed-top{position:sticky;top:0;z-index:var(--ifm-z-index-fixed)}.navbar-sidebar,.navbar-sidebar__backdrop{bottom:0;opacity:0;position:fixed;transition-duration:var(--ifm-transition-fast);transition-timing-function:ease-in-out;left:0;top:0;visibility:hidden}.navbar__inner{display:flex;flex-wrap:wrap;justify-content:space-between;width:100%}.navbar__brand{align-items:center;display:flex;margin-right:1rem;min-width:0}.navbar__brand:hover{color:var(--ifm-navbar-link-hover-color);text-decoration:none}.announcementBarContent_xLdY,.navbar__title{flex:1 1 auto}.navbar__toggle{display:none;margin-right:.5rem}.navbar__logo{flex:0 0 auto;height:2rem;margin-right:.5rem}.navbar__items{align-items:center;display:flex;flex:1;min-width:0}.navbar__items--center{flex:0 0 auto}.navbar__items--center+.navbar__items--right{flex:1}.navbar__items--right{flex:0 0 auto;justify-content:flex-end}.navbar__items--right>:last-child{padding-right:0}.navbar__item{display:inline-block;padding:var(--ifm-navbar-item-padding-vertical) var(--ifm-navbar-item-padding-horizontal)}#nprogress,.navbar__item.dropdown .navbar__link:not([href]){pointer-events:none}.navbar__link--active,.navbar__link:hover{color:var(--ifm-navbar-link-hover-color);text-decoration:none}.navbar--dark,.navbar--primary{--ifm-menu-color:var(--ifm-color-gray-300);--ifm-navbar-link-color:var(--ifm-color-gray-100);--ifm-navbar-search-input-background-color:#ffffff1a;--ifm-navbar-search-input-placeholder-color:#ffffff80;color:var(--ifm-color-white)}.navbar--dark{--ifm-navbar-background-color:#242526;--ifm-menu-color-background-active:#ffffff0d;--ifm-navbar-search-input-color:var(--ifm-color-white)}.navbar--primary{--ifm-navbar-background-color:var(--ifm-color-primary);--ifm-navbar-link-hover-color:var(--ifm-color-white);--ifm-menu-color-active:var(--ifm-color-white);--ifm-navbar-search-input-color:var(--ifm-color-emphasis-500)}.navbar__search-input{appearance:none;background:var(--ifm-navbar-search-input-background-color) var(--ifm-navbar-search-input-icon) no-repeat .75rem center/1rem 1rem;border:none;border-radius:2rem;color:var(--ifm-navbar-search-input-color);cursor:text;display:inline-block;font-size:1rem;height:2rem;padding:0 .5rem 0 2.25rem;width:12.5rem}.navbar__search-input::placeholder{color:var(--ifm-navbar-search-input-placeholder-color)}.navbar-sidebar{background-color:var(--ifm-navbar-background-color);box-shadow:var(--ifm-global-shadow-md);transform:translate3d(-100%,0,0);transition-property:opacity,visibility,transform;width:var(--ifm-navbar-sidebar-width)}.navbar-sidebar--show .navbar-sidebar,.navbar-sidebar__items{transform:translateZ(0)}.navbar-sidebar--show .navbar-sidebar,.navbar-sidebar--show .navbar-sidebar__backdrop{opacity:1;visibility:visible}.navbar-sidebar__backdrop{background-color:#0009;right:0;transition-property:opacity,visibility}.navbar-sidebar__brand{align-items:center;box-shadow:var(--ifm-navbar-shadow);display:flex;flex:1;height:var(--ifm-navbar-height);padding:var(--ifm-navbar-padding-vertical) var(--ifm-navbar-padding-horizontal)}.navbar-sidebar__items{display:flex;height:calc(100% - var(--ifm-navbar-height));transition:transform var(--ifm-transition-fast) ease-in-out}.navbar-sidebar__items--show-secondary{transform:translate3d(calc((var(--ifm-navbar-sidebar-width))*-1),0,0)}.navbar-sidebar__item{flex-shrink:0;padding:.5rem;width:calc(var(--ifm-navbar-sidebar-width))}.navbar-sidebar__back{background:var(--ifm-menu-color-background-active);font-size:15px;font-weight:var(--ifm-button-font-weight);margin:0 0 .2rem -.5rem;padding:.6rem 1.5rem;position:relative;text-align:left;top:-.5rem;width:calc(100% + 1rem)}.navbar-sidebar__close{display:flex;margin-left:auto}.pagination{column-gap:var(--ifm-pagination-page-spacing);display:flex;font-size:var(--ifm-pagination-font-size);padding-left:0}.pagination--sm{--ifm-pagination-font-size:0.8rem;--ifm-pagination-padding-horizontal:0.8rem;--ifm-pagination-padding-vertical:0.2rem}.pagination--lg{--ifm-pagination-font-size:1.2rem;--ifm-pagination-padding-horizontal:1.2rem;--ifm-pagination-padding-vertical:0.3rem}.pagination__item{display:inline-flex}.pagination__item>span{padding:var(--ifm-pagination-padding-vertical)}.pagination__item--active .pagination__link{color:var(--ifm-pagination-color-active)}.pagination__item--active .pagination__link,.pagination__item:not(.pagination__item--active):hover .pagination__link{background:var(--ifm-pagination-item-active-background)}.pagination__item--disabled,.pagination__item[disabled]{opacity:.25;pointer-events:none}.pagination__link{border-radius:var(--ifm-pagination-border-radius);color:var(--ifm-font-color-base);display:inline-block;padding:var(--ifm-pagination-padding-vertical) var(--ifm-pagination-padding-horizontal);transition:background var(--ifm-transition-fast) var(--ifm-transition-timing-default)}.pagination__link:hover{text-decoration:none}.pagination-nav{display:grid;grid-gap:var(--ifm-spacing-horizontal);gap:var(--ifm-spacing-horizontal);grid-template-columns:repeat(2,1fr)}.pagination-nav__link{border:1px solid var(--ifm-color-emphasis-300);border-radius:var(--ifm-pagination-nav-border-radius);display:block;height:100%;line-height:var(--ifm-heading-line-height);padding:var(--ifm-global-spacing);transition:border-color var(--ifm-transition-fast) var(--ifm-transition-timing-default)}.pagination-nav__link:hover{border-color:var(--ifm-pagination-nav-color-hover);text-decoration:none}.pagination-nav__link--next{grid-column:2/3;text-align:right}.pagination-nav__label{font-size:var(--ifm-h4-font-size);font-weight:var(--ifm-heading-font-weight);word-break:break-word}.pagination-nav__link--prev .pagination-nav__label:before{content:"« "}.pagination-nav__link--next .pagination-nav__label:after{content:" »"}.pagination-nav__sublabel{color:var(--ifm-color-content-secondary);font-size:var(--ifm-h5-font-size);font-weight:var(--ifm-font-weight-semibold);margin-bottom:.25rem}.pills__item,.tabs{font-weight:var(--ifm-font-weight-bold)}.pills{display:flex;gap:var(--ifm-pills-spacing);padding-left:0}.pills__item{border-radius:.5rem;cursor:pointer;display:inline-block;padding:.25rem 1rem;transition:background var(--ifm-transition-fast) var(--ifm-transition-timing-default)}.pills__item--active{color:var(--ifm-pills-color-active)}.pills__item--active,.pills__item:not(.pills__item--active):hover{background:var(--ifm-pills-color-background-active)}.pills--block{justify-content:stretch}.pills--block .pills__item{flex-grow:1;text-align:center}.tabs{color:var(--ifm-tabs-color);display:flex;margin-bottom:0;overflow-x:auto;padding-left:0}.tabs__item{border-bottom:3px solid #0000;border-radius:var(--ifm-global-radius);cursor:pointer;display:inline-flex;padding:var(--ifm-tabs-padding-vertical) var(--ifm-tabs-padding-horizontal);transition:background-color var(--ifm-transition-fast) var(--ifm-transition-timing-default)}.tabs__item--active{border-bottom-color:var(--ifm-tabs-color-active-border);border-bottom-left-radius:0;border-bottom-right-radius:0;color:var(--ifm-tabs-color-active)}.tabs__item:hover{background-color:var(--ifm-hover-overlay)}.tabs--block{justify-content:stretch}.tabs--block .tabs__item{flex-grow:1;justify-content:center}html[data-theme=dark]{--ifm-color-scheme:dark;--ifm-color-emphasis-0:var(--ifm-color-gray-1000);--ifm-color-emphasis-100:var(--ifm-color-gray-900);--ifm-color-emphasis-200:var(--ifm-color-gray-800);--ifm-color-emphasis-300:var(--ifm-color-gray-700);--ifm-color-emphasis-400:var(--ifm-color-gray-600);--ifm-color-emphasis-600:var(--ifm-color-gray-400);--ifm-color-emphasis-700:var(--ifm-color-gray-300);--ifm-color-emphasis-800:var(--ifm-color-gray-200);--ifm-color-emphasis-900:var(--ifm-color-gray-100);--ifm-color-emphasis-1000:var(--ifm-color-gray-0);--ifm-background-color:#1b1b1d;--ifm-background-surface-color:#242526;--ifm-hover-overlay:#ffffff0d;--ifm-color-content:#e3e3e3;--ifm-color-content-secondary:#fff;--ifm-breadcrumb-separator-filter:invert(64%) sepia(11%) saturate(0%) hue-rotate(149deg) brightness(99%) contrast(95%);--ifm-code-background:#ffffff1a;--ifm-scrollbar-track-background-color:#444;--ifm-scrollbar-thumb-background-color:#686868;--ifm-scrollbar-thumb-hover-background-color:#7a7a7a;--ifm-table-stripe-background:#ffffff12;--ifm-toc-border-color:var(--ifm-color-emphasis-200);--ifm-color-primary-contrast-background:#102445;--ifm-color-primary-contrast-foreground:#ebf2fc;--ifm-color-secondary-contrast-background:#474748;--ifm-color-secondary-contrast-foreground:#fdfdfe;--ifm-color-success-contrast-background:#003100;--ifm-color-success-contrast-foreground:#e6f6e6;--ifm-color-info-contrast-background:#193c47;--ifm-color-info-contrast-foreground:#eef9fd;--ifm-color-warning-contrast-background:#4d3800;--ifm-color-warning-contrast-foreground:#fff8e6;--ifm-color-danger-contrast-background:#4b1113;--ifm-color-danger-contrast-foreground:#ffebec}#nprogress .bar{background:var(--docusaurus-progress-bar-color);height:2px;left:0;position:fixed;top:0;width:100%;z-index:1031}#nprogress .peg{box-shadow:0 0 10px var(--docusaurus-progress-bar-color),0 0 5px var(--docusaurus-progress-bar-color);height:100%;opacity:1;position:absolute;right:0;transform:rotate(3deg) translateY(-4px);width:100px}@font-face{font-family:Poppins;font-style:normal;font-weight:400;src:local(""),url(/assets/fonts/poppins-regular-f61407da33b59324fbefe468ce6917ab.woff) format("woff2"),url(data:font/woff2;base64,d09GMgABAAAAAB7MAAwAAAAAP6AAAB54AAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGx4cLgZgAIFUCudM0jYLgzYAATYCJAOGaAQgBYNcB4QLG34ysyLYOAAgoXcUUbVZLPs/JHBDBr6G+hIpYlQoaayFQFiGbR8DjCviFJxE41HqT/OOXC0/Z9GQVQfAWhGOAF/O89SlbJ4fIclsS0SNUfbMPgE5dhgAVqioPNrYqNhUZCQIRaCBLIK83W+vy6VjrXTMAYfFIfS65yPR0ziMQaj0M56vY3h+bj1EaSMJC9jIVbCMv+2vgv0FSxg1alhIGl2gBxecx4xqvCi9NvP2XXsT27xJRGharfanif3dB1IbH7D/n1vvG1gi90J+0acoU3UyzKzznZ8Q8S/KSQdFE/HKrFSrbCW+EZMGJ/JOrWFOCzJcLDcqMIye7xUDVgJSUf//a37amcAiFDGyIExnC3pkybH+6s19gXl5eXMmRB9Ln2eT0vLklZIpALkqpMkyJiUkt25tgVyFkF8WZYV0VRkTScF3O1cffLfDNqsTWFV2rwUPIfjECpG7lz5AAVbIGyfmmutgE0hgB8wJNaQ30lgYP+3xQCMZjDoEDzyVUi580bg7SwwCfbU2wM1JQR5DDgSJxZ7llnqObrxHpgXHgAOb7RkL2/gXhVu/D4DXAHqoBwD7DAQKDGCTWIoEB7JEnap7PP3Aas/+DynGHuqZ3u8P+0ZRlopUoQZt6CZzX2tbJVpJTFb5OJJs6W/YeiSlKS9d/6ya+d/8fZ6YS2ftgn326bdP//3yrm98rcc+6yxV+PO3P/P9e2I8D/za2srbgL+A1V8AG18HMDYA+dea0d4dnI0DUjAxhECe4VuLDc7VmwqwYTiuFzfuViWi6aNC0Z4wRhGs1DQggom7F3EXA3Uj7WxnxPmMGXjAq72EYaM9d+AG6ziGD0E2Ej5mwCsAOBXGWG1AYIJtCLwQDEeD1BqU5mmQH15SfTnMYUKO6QE/4F8j1ltms2QsVoSSz4WUYkelXQ/7kGlFRAxAW5s6qQqGsbVQl+8GCZsOFLXw0ul+mnssHngMiMV+wiHwzdVDGrfpDWLDkN8ewxN6ZRvyKaQ6K04Nqc6B6o8yc2SW7XOOuk1FcKA/XlsYa6voyRGelb8acI8ZbnoE+I9bLYFYSdUlo6Miyo+OYJqnPAsyYlzDkHe2VlOgYQcrDqbWBQEPfr7lShm/dUdxu7Up8/IxDbSiNG8zdthTYufBq+u76tI1uHc3vs7tLencpdyDGVdkPq4cQvLkEMhSXsY0J+4dQu0yRz7TZW7mccfhw18fQHPvvAbszInsG2aKiyHGmqz3Yvm3u8vmFpjxaPQezfuYJlpv3PN2ELEgVO3vPWKl2Ow/IpRJqDdPE8JqY3cYGuq1ECiB1yW0RVSa66GOdCXTLnh+xxeZ2xOqquVBgJFiAV77CqaFeYl2Q3S3BeKrdnAR3ZBPYM8o7ibQuBGK9xO3wKqYDmUkxZX+YNiXA09cBmjYPgA3eC8JPjEQxkjfWNFnGY2x+ej0ZGhv9VXwYAX9XZ1h53rzljTYf774b0vaBdtfcXWQxtyLpkaMb6v1GUsdrpV5ajkXRww17Pu1Ak3yTzYCGLr8Iara73lF7Cb+vtFNzajk4iaA8ltEQiOf66wxQAem4oXOWNTna0SswZSLr69zS/jeLLVejEOPPrPCBwhciHFchPFxIsHeTycPj9TzLzASCiQQ3wskAX5KdXKVa1sfQ/sqkMZ64u7bhwtw/U8GOoEbFSSWFLQnxd1WqtNBLxi8rBazf8BSfI/jBekq6kcBa1EXlt6oSzrtaXe+aXn1zDSw+t2F0YBoSCOqvK6Ty82lpKxNRobfRmluFw/KDLgqURpESW0OWpuaXaHkb7VmE8MOcR+a/dhsTsOYCArwsIQcjWl06SjVvNzhISxlLRqvol7V9Uvp5h+XUC6iUmapwuGiAxeC1khAQZdBxgFmUTC3Z4yjPVCczdRKlpb1KicmRnbBwTOOKbXkmmPFA5OJDMkKWz+t9i6mbI/as3b5+7k73N1wNPu9xjdrpg+sMm01qiKDGA5cKAYnIcm+Qfh+uhwzPoM6yGjV7B60MOvA1XEKSqIe0eUd09HDQqAknanN3NpKivMX9BiYBbda9g9oXcV/PqUdinIHcm/0xF16f7v01DQjzirvp4PZFBDVvuQsuKo43h6x4onbhb8L/aorsWA7vreavOxZrXrFsTJEMSfmbtxnkGGNSLjUx4n7KqyizvGq3pG6UbpMYLQKzia0LJaGR1CpXzjijsrdmFQNi3l3ZYBXuX+Llw+XK27BoJFUN5uJGbP5AMzwbSAAsF0Rv6p1ZltdaUBWVzRXCpFiUgwe6Baj927ntwXVUyMpM/vud4ksUyM6kqSZVDs0S3iuldjWchysX2vbV4o/Pz8amoTijmvhaPWLd9VIgu1A/oldyDH0JWVzJzxjd0w6fMbXH0zOZ8+5usPgm5jaIvuHGYtiiiYCEnuoL1AdNtUB41RrTZ7Prwsb3D4W0uh3f+8i9Y0bosq9ebt7S1nLbRmg04XpC671CTyK/OjbeAPmgF2YeccypeMa1gKZ9E8jw7TT55F7FR2oTczlzcGotU+MVuoqoXw1TPk9a1bQ3tfBEjN7MCtjyfklpqmKJbbc34qhy8Q7eToWpjQGEGGJrZnakycxfRbZY43YyZIvHGjmrkwH3GX9ieY2bjaGtjSmpnJoafqeSCs7vP/AmRVQ5uYueAgyd/6U8/Ce98r/4CsiEQrURcQ8yxIrH6kYK037PryUXX1DSGoin9hSaDQjFAbj+CSei/XKrsvfazl9OA8ULAsnF+SYtWHLOyPlaySB9McWn9vqi5Rydc4BO8Wx7X4x481Yc106vl4c+4xeZM3i0C7U4fBplHqWdJI9w+dIizb5C8c3+c+W/s1fAWyvmjjcoH8R8PSKF/buAQYf8Vni2k1zcVt5+eRRTQvCvnyhGrvdSHxMpO0f+ipWFcWyWH3YgmF3OGGrEXByld91/lvL+Y5FK7ufR6crNdA/dFvx3trsWXx1L772EFa64hj34WLmJ78Qxmfiq3ku6j9tjemYFnMBbJS2VsycEIoo1+qL53Lh/wMrVnnuOnTikosR+44dGJUxlM41kdlU4FBuwQ31zIAn1EjHa7nrvNj5pOtpV0HbfVdql/aCfyuO6xX04YiLwnDUwrSZlLWD5ZDYebCxYV9c+xxqTqCguAXT+t+Kts5OICnYBGqxYfM2RfN3UMFKB0aj7MClv7cY2Vv0Qy834/a5ps7PZzGMEF78qaPzfxjAib6kF/C4RcYRSkaGno7qZohKB/HLxyWd4Sef+fFgBxou5nwzT7e+8KwV9AakNuq6Xfl63b7m+boXN6rX5w0wZBHB4mAKYvV0vT2+1g/UHmZV6nvRMD2KqRLoa0LOQUa60RRX6opXeUSMPS+FwwzZDJUwMmp5zZ/Ue5QfD3CEeFJv+D9QUK/XCQR6nUSaGKTyuSui9n1+07HVeHw4O7sGh2/O/u9whaDLSnT6BoZqRzMe1zw4mt9WwG9H0PVkBVRN4bgFCkO1buKro7lYrMyYV0TXFuQpxyMJn3PzU1AT4suuXhsrrvXqFw4u2bBhvtBSUHHpcguxnG1SS0D8N+OSz/BTzoA7SHnWnn01hWUl7sRwWU3u5vXl6cFQohsQoomCHn39Zh/FkI1yKK/v2/PtN+Z2gvaNKME85nxGjmiydegq1ZBVk2254nnMeUVo0TTb0NXwsNXAJLt9z3zvlvpWv7n/NuiaHk7hQilAO0gac88Y2T0cbbMPH2UD3HHhYwvms8e+nvDx+Qt22LPBMmayTCGWINnAah8zRZeIgfBHzw5yWoyHbjpawVfdi9u9i6RCnlImUZoGyGyx4ZYpgdLJtX6jd8P0Ro/GBv8qBKLJLaVBiZdINtJ4suIFgwRDVU6YSbGXUhTls6vjA7YKo0omgyCWyicMpMJpCHCyeDQJX8BT8QPFIG+L1PWw6ge/1r/VvjX2YkrTYJDU4X4QLs6nGksl2EouRKutFhpCbRWDi4vPGfkCrdal0WhNGpqGPNay5htwYGV9sXUO2OArZ4lKp7bUSqgV5Xy4tB7BbZ0UBt5wKFFn+nqFKhsvo8BWl0FmsCg1WpsavJ8/er4jvb1dcx/MXcg2cug0SzkZhrFUdAudxbWYbkAusZBf0kCF4Toq7IRiufv6kLtaoUyKufMYBrFIbJAwfj7hlEgFdvX6yixWC8SITAUOzYG4PKOmLWYt7CFzxGV0dkhVMa29bkHNt73N2O3lZmewtireZLq61GyQq4wILDNYIYXeqgGS2U8fPn1Q/+zBs4eg8n91VMffGbLAaciS+u474Tk+JewKtfnDA1za2I3jfWG2kSOXcnkyEcvCodm9JKHtrOj7sJ7W7UbrKp+WssRbLCLrWf+4SDTY4tCqeG1hjdydKf9CS8rMHsah5bNU4+sYHRsWL550pK7i7BTQsXnRIpc867ANXVGxTWdb5V/Y9tcfM5dIBCoqxk6nMgRUIsTIc5BpTgr4ax2xaF3Jh97Q+94S/YPp7ulucLXkV7SikEYzBYmygdH3ch+epCXzRDpPDHqtQMqm0bhZtPpB9lQ7k6UViTe93goKTyDbNiGeus6qXH/VlUoxrKgXC5tMRiD5V6SAK0VXqnJ9nZV1nk12ZGsQrO7bZbJtrKiwbdhlqOuP9s+qWriorX3R0lnN6Gawu/rvz6rPT8epJh2YpAJ3+pSEf18rX7OQKHA8vlQlUigaRKImg0E0rUGkCHZMSSodo5wkizcji1YaHJ7NdsfWYNCxbbPdE+6qyvWBQF8U4fg4SBQh+8hgd18UiYK9fbGWUNBqC5UhyAAChTKOEAvOTuDykCginiiqZzt4CNiteKnURhFAGtDbiwx8GCv4Y+AgpNf7P3uy1SJVhRjkAFJVUIiAvLjNdse24VQvbYBsLS1FNDcvpGkQi6YbTaKmerFSCQTdZLSR/z2sABNWNtZNnYVCor82Tq2172iWC7ltK2aBWWBax7x5OJqns0n91s0wrqc7tJDVWsHz7QoO7RxXPR6J/qqtpNEQNmSoMgzvRrUGZikVEJcHiVWzwIO4SiLXkuARyEQSoVJAyf9KmN4sGW5AsWAhk2ktI0i8TZ54nV+u4HCZchYtt+evxZIRRjQbFlFoxaEiCLzrUx4JI+GjSrCzL+q0F+t1bOeMIn1WaWMjU6lUNpJGax9Y0BfXFzIpz32beToBe1n0fF9wK3E30Q9ORD2rNbs1wc3wGhiEkNtI6a6hm4YGbiG3HcHdwzYPCwJq329fxSPxv38V2Fui6gVrNSbtMUifpdEegMDI5btU7vNuuLcEHOwcucJmp3aQFe2FA0+7qhe073H9k2z+N9n97XrQlGMaZQIPl0hu1WpBYam4uVGqgELcTX4H2hHsKefJFRG5uM14lUNCTEQKxUiQdh6f5DA+yEZUJw+cfFzBlSojUnGzyShua5Qr5OXcngDyAMmtr/ieIlDIX5rJDi6PFY0jyh+i5slSTaDdM8riva5jcjTucq/PXaHhaIt+9442dvh9mlxe3GKZTFWloIp1NdvxwFG6JaR2R+OrSZCC3T9Q57dDbA39k3e0psPr1UyVSlvNZnHLVIlOM0ksaFQ5ZTilJpcoLbHGqe0Ac6++H+mXq+R5DpcpBHOG0PPqQQRbjsGqE1X8hkahtnJxIMVq/9XJEalcTnN9T4g/CmrC6xxd/H4s63gdzkdlhGCxnW7QW+SQqdhCQB4gQzpdODbwNO1eE2BsaAQNfE0v/+uyYF8oFGI5TZ2b+wi9FgEtd549/5/dNzeet8QMGzAC7P6dJnsAyAPwPiqT+63qLFK50W7B369lBI1ou+y4ImmIuz4U4gvBQdy0yXVjQdml0nQ6cAzwOKFJKms1m6DW6RKNhmuAWsxmZWuLVEPUmnFURCSiIEYsiWzAkp4NxERE3wpOPCqXhkn0qsy+U4+EkHwkUF8JIFBV/ukLsdDvyHeENlbwISgCfcPRdzaKwJW2dlchgkaKwdUEXyETznIxJBQG9TAK/Vw07CqcSRfQCklSJJ+NhJFYLVL4O420NntstuS/HsUEdQyOJLfns8HBe+L8YYVitQFWSXViuUo+D5m3WAXIKDSiX+vAMwQBKisEC+00vd4iVxiLLTiQZuy86rmDKt9tvIBch+5CuTq+Nv8bdO1FOadfnH3ROePStEugou1i00X3l0O/HFnadmHaBXfPkC9HATRq1PZcV0X8D+MDew92HgRLlINVEVXiogRlrRKUrQmMsOQmIokeLKRTSVjagjxD/vh405BEN5ZGlVUMqKDKadhE95B40/h8Q16BliXRqSBsoicRybUERoAjIWQmAj7z2B3y3Sq7r3LAm1s/dtvW5kfDM0RcSdrSSEbt8eafRmYYuGLQTVFJmqGedRVcgJNeeEGzFqZvMScoajyWOBfdVZEwaUFFBTcnOOgOD0VexgmQ+aiqiAu7SiwWlxsGmQr4yItN+WZ+RketADnxU66A7vJSBMGqSGyxKUMk57MgsSzr/t0Tgu6ODLcMBoc5n7rmHnzE4uzrWtv1I4f38eLaS/vY7EOXTJ3J/DmRI0VFPZjCRQzGdAxY1TxXtC9me9458bmNyMbDLu+bvTGiuTuYwS739vwEQZx4LDIVsSch0xAQlS8mYIhyRwHP0WCJUSOc3Ux6Fyb9lDjzZSDLa5QxZBbRiPxF9RvyHfXWAZg9Iw4UZGyZ9dKf6atVahaP+lCrF0rFGhGRrOdLJBohEdCqHo0Z83jM6Me0waPRC35Uf2rhaDMGPDu60W7ZUlrKSPRAEMSqRevcg468uRrFQpdTsWiu1umYoyXd6bLt5mgcXIO3iFkmk2lbL4OjqtKNFJvGG5ArZdbqUBMH+/6saYSsSg2DTClGr8ISCCL0YC7kgjgf+7njiTAeY6ApmXwxgcgXMZmwIRL4QiZYMMndXY8o9naPQFzdQfv30gBnzy1kwX0IMI4jVIqDxaI4JcxiT6JTcBjZ8hobolBwClJYCODpLN7faiky/ELQDtdR75Zkd0xsTCtI/jc5+Z/kAlBzSlIiAWPtXrdG43FraTitDkPRlJToUhksAQ6rloLJXoTDHWWBtsn7b6o/qW/vv61SXeYu3deCzHXsGGqlNSlz/NjLqWldeYoJYjabKeHjcw/EaorAxEUQncVQsTETUr8bEFVOKICLuByoiAyxEseOS05Lw4zDEAvGp6elfhyX8adYCh4euVUrudUEilBoxL/SRefmi8YLWPZ8O9ZqQuRyQ7GFAOL0Veoq/YTkyKSw3T65tuE9+I4hpRAJ4iJ6PduT9Xta6u9Z5ClcIUibzWgugfJBppSgN2GpNCOWDHQa0WDCYaABt6J5TIEQT+AJ2SyugIAXCplgRa63u3i182O6PfcxkMPj3n1BikQtkejuBqIUkn5XuPGZ5xEx0l3dHQbFs+m1d/624sqotSp6sWU99kDMHISWGVFzR3RVA2FAF+GMPozjOVdbz/ra9wpgap98lH18lQFF1idb1vnmRXughsXLf1sGbkDh6u1GIasq/PG0Let451bZBy1zGDd4gwHvGUFngFtXbT/JarJS+2fWLVzW3r5w6azmf46Zjv3bDH5ZuWlVDzYt69ev2wD1ICbfuAks1HXjmqAQcub8mtyTPLGyJLQZP00eEPqykwfP0eXVi8UMTwDYEVNOg8KnXu8wAyYM9DELliEHkKWzrj5wO9sgCZcHSVWz4mYB9sLGhgapF0dWYYkE0bJdTcPG/CwYDaUKYTbktxVbq9xxRkdmJ5mQnoc+6NFlSNh4lFEwIXkcTkLmLF6Si5CA8FkK46ScptHmYQVG+o/e0ZoWr1tcwz1Vrg3dqOBJPYnaJc2TpLC4jDEwAAdkVfPgBgm/EXIK8LAunwSVIXGalj5yhtY8J5kBtWLf6YaMVDd4rXFkEdw5FZK4EMSaqjV7Xr+bwPj+WEi+pFmh1zbJJO1mo7R5ihSexEUmuiRwG4bsnPi51VlnbsdQnBMRrYlAdgqFJKcRTyYb8ES7UERw6YlkQI1XqGv/WKf+rP6DmTsyGH7zZbaH5VPMzKOgbxTKNa+yvexwY6YBBaNHeMOJTkS9lfkYqTCc+co+FJFCj+sAx/8sl0CBxucJCsk6m5C/EGq98xDZjfKplvpB+yf5p5djocbFufI5aptrgx3ZFixFtsoinLa5qlzZ/Eb5WEdQNO2XhRHTDAat4Wen2QLB9RRGb6ze7VBwwsmP41M2yJ5MnCpTaaaFS7UpJ0uHfI5IYU2jWBhRbn5gxlOcIhHZYcKRSAYmjulpcOjxpDoUTqPJJ8pLkIF6O1jfOc8EzTPMNUDgwepzeFw/gdCPw58jKh6npj5OT38yLc2TdJC6VJo/ch+m3z54eARN1ZtfG1wa966glkAODRSvUA9RA/LSleof1WD67aD7NyGw9wWGDQWAWceEBWcM/lYc/eG3eBCjLvTzScHaGzIZhfq2oVxGpZRYDvO2ZgBvoyuiyP5uBMNUlcJLlTm+zsraxm/asio9AmNBRnqekV8yGiqpnsXR1nZW5fgrL1cIYVOTOUP1H/9jXvp4+gfBv+MUTQY9SDv6nGHOh0Ce5WBRiRh8rvxMqRgQKypxViaFk8D9FerF6lMIqMvvwAHDAUtvWvKWPFZmnZYvDBDaDlS4PB2b3Z+c6F7tsqUpKcvFfrnlC7nx7eize858uTZVynLhG214nVi5nq+lLJf582gzf2KkSTkPOckX1IkHKcvFU7nlr9HGk0oGJlKGlFHJQIFxqJxbRAkZaLoCpKQsF9/JLT1yY//os34nJNe+lrJcrB9trBVPXKH0/5e7YBn5YZD5nukn49zEDFg0HRIfSVkudsotG0cbO5gNhEMBkDJwCABmEQFzULGVBE9QeGFk/XUdNNzBZGAmCcWXYvQwLy8Bz4Vxusj/33zzkJJ5CbAC5XxWws73djVb6qx1qqiyb4uQVJ1ZLgvoK2Nz4m5zF7vLGnaCGsh7Y7O7zVgmHvgWfgjPp1AX5wbOV2LAiI/9/CiGme/6J3iJqy0AI8uoRBsH3G0InSOBnmW9hje1jiFkaJ+6z7G7xEliQpoAGdqn7O7UtSHgXQLKeUEBALvA8yLMY3QytG/cVxvyE2i+LWUMGdqnxrtSFhaao72g2IWZueNYo7J7zjpeI9q0ZOvoFgMsypIrnzV/G63l/JcQO34E+PLN5QDwzRb636dHn04lxS86rpkMNSMEv1uqL3+UGfCuGnKlz7mv8xLiWflW7wm2oKEGJKvVOH2jsL/LsRkqZ1SqRzYrf+B2L6sz83PzsNyAzQ9obcCLQG75KFUjNSJ/Sis6Da+cbFmdhNNGCrdhkyBVDFNvCnQsV1PUxytQt8lqgHoM1O1J6sa4zVvqkaTbXmqvscUIBbWG82WMOG1yVMiIHBFDHCWU1FUVZsfL7naq7jBmXJPaKrhCRsYmxGe3mV2mA9WrG5HTH4USI/KNYDirrpsgCJVtUUg90tahi3nezoeNhbR6URxo6xtmAZoBidTRJMNUymgrqCQp44yU/GBwT0u1DxXkilBQ/KpH0nh13OfbtYSthG06fo3S65e7fPiwpI40pJyQlctwnacAnoN8Qk2H4VlnXLvZojQhsFRvDO9M6ppMdAshwwx3Snp6WedPbqvcbofuaajGG2B+nG9tY4YUOThjArCJ1+IHzqc9r3pbogy40NIOpUJRcjATAJBXaztxMDvOaMAiBY4sKoE/dGMzjAz4JLuUZqkIEgjkAPKCBMtx6XgwixgwvpeZIsO9MDQPomp3gkcE7HtpvMNMB+bnNElDz8C4qm1grBQ2aXCYPzmPJY6T0sdgmeaBz4sXQAzwtZVSsDgKKooDHgcMCCxzL5ZatBx4wy2yrRIkIrq/trXZadrWrsi1rYPXHXHG3HQSHNuBpzVsnjXqsRAUafepE/JIwzMSr55UEglHSGluQi0ZmE642bJGSHU7jkFgJJFPxFM3jAqPiIg6rswvgoKJjBZbJkCtmeNFeDHueYxUnKJTlkBLF4d0loz4ls5k8qwDg0Ga1BEpj1MfdVooIrRs0VBnnY9TtlToIR3hHYt9wqoQ8iT4TBhRza/OFHCGaSswwPN+zneQTf01kGaw/WXSf3LcPLx8/AKCQsKGG2GkUUYbI1WadBnGGme8CSbKlCUbClqOXHnyFSiEgYWDR0BEQkZBRUNXhIGJhY2Di4dPQEhETEJKRg6ioKQCU9PQ0tEzMDIxs7CyKWaHcHBycSvhyUCfZpjpsFX+Mssi823UaUcGeXNfh+Wee2Fh4rw46SfPbNLllZde2+YL553VzctnCb+LAs654KpLLrvib0E3XXNdj1JPLXXHLbeV+dcjc5ULqVClUrUtwmrVqFMvokGjSf4x2VRTTDNdkz5btWjWqs1/Hjvgri99lXgXP+r3tW/s951Ten3rtNn2OuKoQ0nw4UkSF912LwwPEN8VH3kmRCReEROXZPA1rZV8LR74/5ThpJVMHs8BAAAA) format("woff"),}@font-face{font-family:Roboto;font-style:normal;font-weight:400;src:local(""),url(/assets/fonts/roboto-mono-regular-498042b7fe9cd07b4fd11a0965093e55.woff) format("woff2"),url(/assets/fonts/roboto-mono-regular-535bc89d4af715503b01afd761501e58.woff2) format("woff"),}@font-face{font-family:Lato;font-style:normal;font-weight:400;src:local(""),url(/assets/fonts/lato-regular-292725486219768e62259f7286dc73cc.woff) format("woff2"),url(/assets/fonts/lato-regular-be36596da218e1eec01c5c600b1c13ef.woff2) format("woff"),}[data-theme=dark]{--ifm-color-primary:#ffc61c;--ifm-color-primary-dark:#ffbf00;--ifm-color-primary-darker:#f1b400;--ifm-color-primary-darkest:#c69400;--ifm-color-primary-light:#ffcd38;--ifm-color-primary-lighter:#ffd146;--ifm-color-primary-lightest:#ffdb71;--ifm-color-secondary-dark:#054a6e;--ifm-color-secondary:#06527a;--ifm-color-secondary-light:#075a86;--light:#33313b;--dark:#f3f3f3}[data-theme=dark] .footer--dark{background-color:var(--light);color:var(--ifm-color-primary)}body{font-family:Lato,sans-serif}h1,h2,h3,h4,h5,h6{font-family:Poppins,sans-serif}code{font-family:Roboto Mono,monospace}.navbar__brand{height:40px}.btn.navbar__github{background-color:#384745;border:2px solid #384745;border-radius:3px;box-shadow:inset 0 1px #ffffff26,0 1px 1px #00000014;color:#fff!important;font-family:poppins,sans-serif;font-size:1rem;font-weight:400;line-height:1.66;padding:8px 20px 7px 47px;position:relative;text-align:center;text-decoration:none;transition:color .15s ease-in-out,background-color .15s ease-in-out,border-color .15s ease-in-out,box-shadow .15s ease-in-out;-webkit-user-select:none;user-select:none}.clear-btn{padding:100px}a.btn.navbar__github:hover{background-color:#273230;border-color:#222a29;color:#fff}a.btn.navbar__github:before{background-image:url("data:image/svg+xml;charset=utf-8,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 20.5 20'%3E%3Cpath fill='%23fff' d='M10.3 0C4.6 0 0 4.6 0 10.3c0 4.4 2.8 8.3 7 9.7.5.1.7-.2.7-.5v-1.9c-2.6.5-3.2-.6-3.4-1.2s-.6-1.1-1-1.5c-.4-.2-.9-.7 0-.7.7.1 1.3.5 1.6 1 .6 1.1 1.9 1.4 3 .8 0-.5.3-1 .7-1.4-2.3-.3-4.7-1.1-4.7-5.1 0-1 .4-2 1.1-2.8-.5-.6-.5-1.6-.1-2.5 0 0 .9-.3 2.8 1.1q2.55-.75 5.1 0c2-1.3 2.8-1.1 2.8-1.1.4.9.5 1.9.2 2.8.7.7 1.1 1.7 1.1 2.8 0 3.9-2.4 4.8-4.7 5.1.5.5.7 1.2.7 1.9v2.8c0 .3.2.6.7.5 5.4-1.8 8.3-7.6 6.5-13C18.6 2.8 14.7 0 10.3 0'/%3E%3C/svg%3E");content:"";height:20px;left:15px;position:absolute;top:10px;width:20px}.header-github-link:before{background:url("data:image/svg+xml;charset=utf-8,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 24 24'%3E%3Cpath d='M12 .297c-6.63 0-12 5.373-12 12 0 5.303 3.438 9.8 8.205 11.385.6.113.82-.258.82-.577 0-.285-.01-1.04-.015-2.04-3.338.724-4.042-1.61-4.042-1.61C4.422 18.07 3.633 17.7 3.633 17.7c-1.087-.744.084-.729.084-.729 1.205.084 1.838 1.236 1.838 1.236 1.07 1.835 2.809 1.305 3.495.998.108-.776.417-1.305.76-1.605-2.665-.3-5.466-1.332-5.466-5.93 0-1.31.465-2.38 1.235-3.22-.135-.303-.54-1.523.105-3.176 0 0 1.005-.322 3.3 1.23.96-.267 1.98-.399 3-.405 1.02.006 2.04.138 3 .405 2.28-1.552 3.285-1.23 3.285-1.23.645 1.653.24 2.873.12 3.176.765.84 1.23 1.91 1.23 3.22 0 4.61-2.805 5.625-5.475 5.92.42.36.81 1.096.81 2.22 0 1.606-.015 2.896-.015 3.286 0 .315.21.69.825.57C20.565 22.092 24 17.592 24 12.297c0-6.627-5.373-12-12-12'/%3E%3C/svg%3E") no-repeat;content:"";display:flex;height:24px;width:24px}[data-theme=dark] .header-github-link:before{background:url("data:image/svg+xml;charset=utf-8,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 24 24'%3E%3Cpath fill='%23fff' d='M12 .297c-6.63 0-12 5.373-12 12 0 5.303 3.438 9.8 8.205 11.385.6.113.82-.258.82-.577 0-.285-.01-1.04-.015-2.04-3.338.724-4.042-1.61-4.042-1.61C4.422 18.07 3.633 17.7 3.633 17.7c-1.087-.744.084-.729.084-.729 1.205.084 1.838 1.236 1.838 1.236 1.07 1.835 2.809 1.305 3.495.998.108-.776.417-1.305.76-1.605-2.665-.3-5.466-1.332-5.466-5.93 0-1.31.465-2.38 1.235-3.22-.135-.303-.54-1.523.105-3.176 0 0 1.005-.322 3.3 1.23.96-.267 1.98-.399 3-.405 1.02.006 2.04.138 3 .405 2.28-1.552 3.285-1.23 3.285-1.23.645 1.653.24 2.873.12 3.176.765.84 1.23 1.91 1.23 3.22 0 4.61-2.805 5.625-5.475 5.92.42.36.81 1.096.81 2.22 0 1.606-.015 2.896-.015 3.286 0 .315.21.69.825.57C20.565 22.092 24 17.592 24 12.297c0-6.627-5.373-12-12-12'/%3E%3C/svg%3E") no-repeat}.docusaurus-highlight-code-line{background-color:#484d5b;display:block;margin:0 calc(var(--ifm-pre-padding)*-1);padding:0 var(--ifm-pre-padding)}body:not(.navigation-with-keyboard) :not(input):focus{outline:0}#__docusaurus-base-url-issue-banner-container,.hideAction_vcyE>svg,.navbarSearchContainer_Bca1:empty,.themedComponent_mlkZ,[data-theme=dark] .lightToggleIcon_pyhR,[data-theme=light] .darkToggleIcon_wfgR,html[data-announcement-bar-initially-dismissed=true] .announcementBar_mb4j{display:none}.skipToContent_fXgn{background-color:var(--ifm-background-surface-color);color:var(--ifm-color-emphasis-900);left:100%;padding:calc(var(--ifm-global-spacing)/2) var(--ifm-global-spacing);position:fixed;top:1rem;z-index:calc(var(--ifm-z-index-fixed) + 1)}.skipToContent_fXgn:focus{box-shadow:var(--ifm-global-shadow-md);left:1rem}.closeButton_CVFx{line-height:0;padding:0}.content_knG7{font-size:85%;padding:5px 0;text-align:center}.content_knG7 a{color:inherit}.announcementBar_mb4j{align-items:center;background-color:var(--ifm-color-white);border-bottom:1px solid var(--ifm-color-emphasis-100);color:var(--ifm-color-black);display:flex;height:var(--docusaurus-announcement-bar-height)}.announcementBarPlaceholder_vyr4{flex:0 0 10px}.announcementBarClose_gvF7{align-self:stretch;flex:0 0 30px}.toggle_vylO{height:2rem;width:2rem}.toggleButton_gllP{align-items:center;border-radius:50%;display:flex;height:100%;justify-content:center;transition:background var(--ifm-transition-fast);width:100%}.toggleButton_gllP:hover{background:var(--ifm-color-emphasis-200)}.toggleButtonDisabled_aARS{cursor:not-allowed}.darkNavbarColorModeToggle_X3D1:hover{background:var(--ifm-color-gray-800)}[data-theme=dark] .themedComponent--dark_xIcU,[data-theme=light] .themedComponent--light_NVdE,html:not([data-theme]) .themedComponent--light_NVdE{display:initial}.iconExternalLink_nPIU{margin-left:.3rem}.dropdownNavbarItemMobile_S0Fm{cursor:pointer}.iconLanguage_nlXk{margin-right:5px;vertical-align:text-bottom}.searchBar_RVTs .dropdownMenu_qbY6{background:var(--search-local-modal-background,#f5f6f7);border-radius:6px;box-shadow:var(--search-local-modal-shadow,inset 1px 1px 0 0 #ffffff80,0 3px 8px 0 #555a64);left:auto!important;margin-top:8px;padding:var(--search-local-spacing,12px);position:relative;right:0!important;width:var(--search-local-modal-width,560px)}html[data-theme=dark] .searchBar_RVTs .dropdownMenu_qbY6{background:var(--search-local-modal-background,var(--ifm-background-color));box-shadow:var(--search-local-modal-shadow,inset 1px 1px 0 0 #2c2e40,0 3px 8px 0 #000309)}.searchBar_RVTs .dropdownMenu_qbY6 .suggestion_fB_2{align-items:center;background:var(--search-local-hit-background,#fff);border-radius:4px;box-shadow:var(--search-local-hit-shadow,0 1px 3px 0 #d4d9e1);color:var(--search-local-hit-color,#444950);cursor:pointer;display:flex;flex-direction:row;height:var(--search-local-hit-height,56px);padding:0 var(--search-local-spacing,12px);width:100%}.hitTree_kk6K,.noResults_l6Q3{align-items:center;display:flex}html[data-theme=dark] .dropdownMenu_qbY6 .suggestion_fB_2{background:var(--search-local-hit-background,var(--ifm-color-emphasis-100));box-shadow:var(--search-local-hit-shadow,none);color:var(--search-local-hit-color,var(--ifm-font-color-base))}.searchBar_RVTs .dropdownMenu_qbY6 .suggestion_fB_2:not(:last-child){margin-bottom:4px}.searchBar_RVTs .dropdownMenu_qbY6 .suggestion_fB_2.cursor_eG29{background-color:var(--search-local-highlight-color,var(--ifm-color-primary))}.hitFooter_E9YW a,.hitIcon_a7Zy,.hitPath_ieM4,.hitTree_kk6K,.noResultsIcon_EBY5{color:var(--search-local-muted-color,#969faf)}html[data-theme=dark] .hitIcon_a7Zy,html[data-theme=dark] .hitPath_ieM4,html[data-theme=dark] .hitTree_kk6K,html[data-theme=dark] .noResultsIcon_EBY5{color:var(--search-local-muted-color,var(--ifm-color-secondary-darkest))}.hitTree_kk6K>svg{height:var(--search-local-hit-height,56px);opacity:.5;width:24px}.hitIcon_a7Zy,.hitTree_kk6K>svg{stroke-width:var(--search-local-icon-stroke-width,1.4)}.hitAction_NqkB,.hitIcon_a7Zy{height:20px;width:20px}.hitWrapper_sAK8{display:flex;flex:1 1 auto;flex-direction:column;font-weight:500;justify-content:center;margin:0 8px;overflow-x:hidden;width:80%}.hitWrapper_sAK8 mark{background:none;color:var(--search-local-highlight-color,var(--ifm-color-primary))}.hitTitle_vyVt{font-size:.9em}.hitPath_ieM4{font-size:.75em}.hitPath_ieM4,.hitTitle_vyVt{overflow-x:hidden;text-overflow:ellipsis;white-space:nowrap}.noResults_l6Q3{flex-direction:column;justify-content:center;padding:var(--search-local-spacing,12px) 0}.noResultsIcon_EBY5{margin-bottom:var(--search-local-spacing,12px)}.hitFooter_E9YW{font-size:.85em;margin-top:var(--search-local-spacing,12px);text-align:center}.cursor_eG29 .hideAction_vcyE>svg,.tocCollapsibleContent_vkbj a{display:block}.suggestion_fB_2.cursor_eG29,.suggestion_fB_2.cursor_eG29 .hitIcon_a7Zy,.suggestion_fB_2.cursor_eG29 .hitPath_ieM4,.suggestion_fB_2.cursor_eG29 .hitTree_kk6K,.suggestion_fB_2.cursor_eG29 mark{color:var(--search-local-hit-active-color,var(--ifm-color-white))!important}.searchBarContainer_NW3z{margin-left:16px}.searchBarContainer_NW3z .searchBarLoadingRing_YnHq{display:none;left:10px;position:absolute;top:6px}.searchBarContainer_NW3z .searchClearButton_qk4g{background:none;border:none;line-height:1rem;padding:0;position:absolute;right:.8rem;top:50%;transform:translateY(-50%)}.navbar__search{position:relative}.searchIndexLoading_EJ1f .navbar__search-input{background-image:none}.searchHintContainer_Pkmr{align-items:center;display:flex;gap:4px;height:100%;justify-content:center;pointer-events:none;position:absolute;right:10px;top:0}.searchHint_iIMx{background-color:var(--ifm-navbar-search-input-background-color);border:1px solid var(--ifm-color-emphasis-500);box-shadow:inset 0 -1px 0 var(--ifm-color-emphasis-500);color:var(--ifm-navbar-search-input-placeholder-color)}html[dir=rtl] .searchHintContainer_Pkmr{left:10px;right:auto}html[dir=rtl] .searchBarContainer_NW3z .searchClearButton_qk4g{left:.8rem;right:auto}html[dir=rtl] .searchBarContainer_NW3z .searchBarLoadingRing_YnHq{left:auto;right:10px}html[dir=rtl] .navbar__search-input{padding:0 2.25em 0 .5em}.loadingRing_RJI3{display:inline-block;height:20px;opacity:var(--search-local-loading-icon-opacity,.5);position:relative;width:20px}.loadingRing_RJI3 div{animation:1.2s cubic-bezier(.5,0,.5,1) infinite a;border:2px solid var(--search-load-loading-icon-color,var(--ifm-navbar-search-input-color));border-color:var(--search-load-loading-icon-color,var(--ifm-navbar-search-input-color)) #0000 #0000 #0000;border-radius:50%;display:block;height:16px;margin:2px;position:absolute;width:16px}.loadingRing_RJI3 div:first-child{animation-delay:-.45s}.loadingRing_RJI3 div:nth-child(2){animation-delay:-.3s}.loadingRing_RJI3 div:nth-child(3){animation-delay:-.15s}@keyframes a{0%{transform:rotate(0)}to{transform:rotate(1turn)}}.navbarHideable_m1mJ{transition:transform var(--ifm-transition-fast) ease}.navbarHidden_jGov{transform:translate3d(0,calc(-100% - 2px),0)}.errorBoundaryError_a6uf{color:red;white-space:pre-wrap}.errorBoundaryFallback_VBag{color:red;padding:.55rem}.footerLogoLink_BH7S{opacity:.5;transition:opacity var(--ifm-transition-fast) var(--ifm-transition-timing-default)}.footerLogoLink_BH7S:hover,.hash-link:focus,:hover>.hash-link{opacity:1}.anchorWithStickyNavbar_LWe7{scroll-margin-top:calc(var(--ifm-navbar-height) + .5rem)}.anchorWithHideOnScrollNavbar_WYt5{scroll-margin-top:.5rem}.hash-link{opacity:0;padding-left:.5rem;transition:opacity var(--ifm-transition-fast);-webkit-user-select:none;user-select:none}.hash-link:before{content:"#"}.mainWrapper_z2l0{display:flex;flex:1 0 auto;flex-direction:column}.docusaurus-mt-lg{margin-top:3rem}#__docusaurus{display:flex;flex-direction:column;min-height:100%}.tag_zVej{border:1px solid var(--docusaurus-tag-list-border);transition:border var(--ifm-transition-fast)}.tag_zVej:hover{--docusaurus-tag-list-border:var(--ifm-link-color);text-decoration:none}.tagRegular_sFm0{border-radius:var(--ifm-global-radius);font-size:90%;padding:.2rem .5rem .3rem}.tagWithCount_h2kH{align-items:center;border-left:0;display:flex;padding:0 .5rem 0 1rem;position:relative}.tagWithCount_h2kH:after,.tagWithCount_h2kH:before{border:1px solid var(--docusaurus-tag-list-border);content:"";position:absolute;top:50%;transition:inherit}.tagWithCount_h2kH:before{border-bottom:0;border-right:0;height:1.18rem;right:100%;transform:translate(50%,-50%) rotate(-45deg);width:1.18rem}.tagWithCount_h2kH:after{border-radius:50%;height:.5rem;left:0;transform:translateY(-50%);width:.5rem}.tagWithCount_h2kH span{background:var(--ifm-color-secondary);border-radius:var(--ifm-global-radius);color:var(--ifm-color-black);font-size:.7rem;line-height:1.2;margin-left:.3rem;padding:.1rem .4rem}.tags_jXut{display:inline}.tag_QGVx{display:inline-block;margin:0 .4rem .5rem 0}.iconEdit_Z9Sw{margin-right:.3em;vertical-align:sub}.lastUpdated_JAkA{font-size:smaller;font-style:italic;margin-top:.2rem}.tocCollapsibleButton_TO0P{align-items:center;display:flex;font-size:inherit;justify-content:space-between;padding:.4rem .8rem;width:100%}.tocCollapsibleButton_TO0P:after{background:var(--ifm-menu-link-sublist-icon) 50% 50%/2rem 2rem no-repeat;content:"";filter:var(--ifm-menu-link-sublist-icon-filter);height:1.25rem;transform:rotate(180deg);transition:transform var(--ifm-transition-fast);width:1.25rem}.tocCollapsibleButtonExpanded_MG3E:after,.tocCollapsibleExpanded_sAul{transform:none}.tocCollapsible_ETCw{background-color:var(--ifm-menu-color-background-active);border-radius:var(--ifm-global-radius);margin:1rem 0}.buttonGroup__atx button,.codeBlockContainer_Ckt0{background:var(--prism-background-color);color:var(--prism-color)}.tocCollapsibleContent_vkbj>ul{border-left:none;border-top:1px solid var(--ifm-color-emphasis-300);font-size:15px;padding:.2rem 0}.tocCollapsibleContent_vkbj ul li{margin:.4rem .8rem}.tableOfContents_bqdL{max-height:calc(100vh - var(--ifm-navbar-height) - 2rem);overflow-y:auto;position:sticky;top:calc(var(--ifm-navbar-height) + 1rem)}.codeBlockContainer_Ckt0{border-radius:var(--ifm-code-border-radius);box-shadow:var(--ifm-global-shadow-lw);margin-bottom:var(--ifm-leading)}.codeBlockContent_biex{border-radius:inherit;direction:ltr;position:relative}.codeBlockTitle_Ktv7{border-bottom:1px solid var(--ifm-color-emphasis-300);border-top-left-radius:inherit;border-top-right-radius:inherit;font-size:var(--ifm-code-font-size);font-weight:500;padding:.75rem var(--ifm-pre-padding)}.codeBlock_bY9V{--ifm-pre-background:var(--prism-background-color);margin:0;padding:0}.codeBlockTitle_Ktv7+.codeBlockContent_biex .codeBlock_bY9V{border-top-left-radius:0;border-top-right-radius:0}.codeBlockLines_e6Vv{float:left;font:inherit;min-width:100%;padding:var(--ifm-pre-padding)}.codeBlockLinesWithNumbering_o6Pm{display:table;padding:var(--ifm-pre-padding) 0}.buttonGroup__atx{column-gap:.2rem;display:flex;position:absolute;right:calc(var(--ifm-pre-padding)/2);top:calc(var(--ifm-pre-padding)/2)}.buttonGroup__atx button{align-items:center;border:1px solid var(--ifm-color-emphasis-300);border-radius:var(--ifm-global-radius);display:flex;line-height:0;opacity:0;padding:.4rem;transition:opacity var(--ifm-transition-fast) ease-in-out}.buttonGroup__atx button:focus-visible,.buttonGroup__atx button:hover{opacity:1!important}.theme-code-block:hover .buttonGroup__atx button{opacity:.4}:where(:root){--docusaurus-highlighted-code-line-bg:#484d5b}:where([data-theme=dark]){--docusaurus-highlighted-code-line-bg:#646464}.theme-code-block-highlighted-line{background-color:var(--docusaurus-highlighted-code-line-bg);display:block;margin:0 calc(var(--ifm-pre-padding)*-1);padding:0 var(--ifm-pre-padding)}.codeLine_lJS_{counter-increment:a;display:table-row}.codeLineNumber_Tfdd{background:var(--ifm-pre-background);display:table-cell;left:0;overflow-wrap:normal;padding:0 var(--ifm-pre-padding);position:sticky;text-align:right;width:1%}.codeLineNumber_Tfdd:before{content:counter(a);opacity:.4}.codeLineContent_feaV{padding-right:var(--ifm-pre-padding)}.theme-code-block:hover .copyButtonCopied_obH4{opacity:1!important}.copyButtonIcons_eSgA{height:1.125rem;position:relative;width:1.125rem}.copyButtonIcon_y97N,.copyButtonSuccessIcon_LjdS{left:0;position:absolute;top:0;fill:currentColor;height:inherit;opacity:inherit;transition:all var(--ifm-transition-fast) ease;width:inherit}.copyButtonSuccessIcon_LjdS{color:#00d600;left:50%;opacity:0;top:50%;transform:translate(-50%,-50%) scale(.33)}.copyButtonCopied_obH4 .copyButtonIcon_y97N{opacity:0;transform:scale(.33)}.copyButtonCopied_obH4 .copyButtonSuccessIcon_LjdS{opacity:1;transform:translate(-50%,-50%) scale(1);transition-delay:75ms}.wordWrapButtonIcon_Bwma{height:1.2rem;width:1.2rem}.details_lb9f{--docusaurus-details-summary-arrow-size:0.38rem;--docusaurus-details-transition:transform 200ms ease;--docusaurus-details-decoration-color:grey}.details_lb9f>summary{cursor:pointer;padding-left:1rem;position:relative}.details_lb9f>summary::-webkit-details-marker{display:none}.details_lb9f>summary:before{border-color:#0000 #0000 #0000 var(--docusaurus-details-decoration-color);border-style:solid;border-width:var(--docusaurus-details-summary-arrow-size);content:"";left:0;position:absolute;top:.45rem;transform:rotate(0);transform-origin:calc(var(--docusaurus-details-summary-arrow-size)/2) 50%;transition:var(--docusaurus-details-transition)}.collapsibleContent_i85q{border-top:1px solid var(--docusaurus-details-decoration-color);margin-top:1rem;padding-top:1rem}.details_b_Ee{--docusaurus-details-decoration-color:var(--ifm-alert-border-color);--docusaurus-details-transition:transform var(--ifm-transition-fast) ease;border:1px solid var(--ifm-alert-border-color);margin:0 0 var(--ifm-spacing-vertical)}:not(.containsTaskList_mC6p>li)>.containsTaskList_mC6p{padding-left:0}.img_ev3q{height:auto}.admonition_xJq3{margin-bottom:1em}.admonitionHeading_Gvgb{font:var(--ifm-heading-font-weight) var(--ifm-h5-font-size)/var(--ifm-heading-line-height) var(--ifm-heading-font-family)}.admonitionHeading_Gvgb:not(:last-child){margin-bottom:.3rem}.admonitionHeading_Gvgb code{text-transform:none}.admonitionIcon_Rf37{display:inline-block;margin-right:.4em;vertical-align:middle}.admonitionIcon_Rf37 svg{display:inline-block;height:1.6em;width:1.6em;fill:var(--ifm-alert-foreground-color)}.breadcrumbHomeIcon_YNFT{height:1.1rem;position:relative;top:1px;vertical-align:top;width:1.1rem}.breadcrumbsContainer_Z_bl{--ifm-breadcrumb-size-multiplier:0.8;margin-bottom:.8rem}.searchContextInput_mXoe,.searchQueryInput_CFBF{background:var(--ifm-background-color);border:var(--ifm-global-border-width) solid var(--ifm-color-content-secondary);border-radius:var(--ifm-global-radius);color:var(--ifm-font-color-base);font-size:var(--ifm-font-size-base);margin-bottom:1rem;padding:.5rem;width:100%}.searchResultItem_U687{border-bottom:1px solid #dfe3e8;padding:1rem 0}.searchResultItemPath_uIbk{color:var(--ifm-color-content-secondary);font-size:.8rem;margin:.5rem 0 0}.searchResultItemSummary_oZHr{font-style:italic;margin:.5rem 0 0}.backToTopButton_sjWU{background-color:var(--ifm-color-emphasis-200);border-radius:50%;bottom:1.3rem;box-shadow:var(--ifm-global-shadow-lw);height:3rem;opacity:0;position:fixed;right:1.3rem;transform:scale(0);transition:all var(--ifm-transition-fast) var(--ifm-transition-timing-default);visibility:hidden;width:3rem;z-index:calc(var(--ifm-z-index-fixed) - 1)}.backToTopButton_sjWU:after{background-color:var(--ifm-color-emphasis-1000);content:" ";display:inline-block;height:100%;-webkit-mask:var(--ifm-menu-link-sublist-icon) 50%/2rem 2rem no-repeat;mask:var(--ifm-menu-link-sublist-icon) 50%/2rem 2rem no-repeat;width:100%}.backToTopButtonShow_xfvO{opacity:1;transform:scale(1);visibility:visible}[data-theme=dark]:root{--docusaurus-collapse-button-bg:#ffffff0d;--docusaurus-collapse-button-bg-hover:#ffffff1a}.collapseSidebarButton_PEFL{display:none;margin:0}.docSidebarContainer_YfHR,.sidebarLogo_isFc{display:none}.docMainContainer_TBSr,.docRoot_UBD9{display:flex;width:100%}.docsWrapper_hBAB{display:flex;flex:1 0 auto}@media (min-width:997px){.collapseSidebarButton_PEFL,.expandButton_TmdG{background-color:var(--docusaurus-collapse-button-bg)}:root{--docusaurus-announcement-bar-height:30px}.announcementBarClose_gvF7,.announcementBarPlaceholder_vyr4{flex-basis:50px}.navbarSearchContainer_Bca1{padding:var(--ifm-navbar-item-padding-vertical) var(--ifm-navbar-item-padding-horizontal)}.lastUpdated_JAkA{text-align:right}.tocMobile_ITEo{display:none}.docItemCol_VOVn{max-width:75%!important}.collapseSidebarButton_PEFL{border:1px solid var(--ifm-toc-border-color);border-radius:0;bottom:0;display:block!important;height:40px;position:sticky}.collapseSidebarButtonIcon_kv0_{margin-top:4px;transform:rotate(180deg)}.expandButtonIcon_i1dp,[dir=rtl] .collapseSidebarButtonIcon_kv0_{transform:rotate(0)}.collapseSidebarButton_PEFL:focus,.collapseSidebarButton_PEFL:hover,.expandButton_TmdG:focus,.expandButton_TmdG:hover{background-color:var(--docusaurus-collapse-button-bg-hover)}.menuHtmlItem_M9Kj{padding:var(--ifm-menu-link-padding-vertical) var(--ifm-menu-link-padding-horizontal)}.menu_SIkG{flex-grow:1;padding:.5rem}@supports (scrollbar-gutter:stable){.menu_SIkG{padding:.5rem 0 .5rem .5rem;scrollbar-gutter:stable}}.menuWithAnnouncementBar_GW3s{margin-bottom:var(--docusaurus-announcement-bar-height)}.sidebar_njMd{display:flex;flex-direction:column;height:100%;padding-top:var(--ifm-navbar-height);width:var(--doc-sidebar-width)}.sidebarWithHideableNavbar_wUlq{padding-top:0}.sidebarHidden_VK0M{opacity:0;visibility:hidden}.sidebarLogo_isFc{align-items:center;color:inherit!important;display:flex!important;margin:0 var(--ifm-navbar-padding-horizontal);max-height:var(--ifm-navbar-height);min-height:var(--ifm-navbar-height);text-decoration:none!important}.sidebarLogo_isFc img{height:2rem;margin-right:.5rem}.expandButton_TmdG{align-items:center;display:flex;height:100%;justify-content:center;position:absolute;right:0;top:0;transition:background-color var(--ifm-transition-fast) ease;width:100%}[dir=rtl] .expandButtonIcon_i1dp{transform:rotate(180deg)}.docSidebarContainer_YfHR{border-right:1px solid var(--ifm-toc-border-color);clip-path:inset(0);display:block;margin-top:calc(var(--ifm-navbar-height)*-1);transition:width var(--ifm-transition-fast) ease;width:var(--doc-sidebar-width);will-change:width}.docSidebarContainerHidden_DPk8{cursor:pointer;width:var(--doc-sidebar-hidden-width)}.sidebarViewport_aRkj{height:100%;max-height:100vh;position:sticky;top:0}.docMainContainer_TBSr{flex-grow:1;max-width:calc(100% - var(--doc-sidebar-width))}.docMainContainerEnhanced_lQrH{max-width:calc(100% - var(--doc-sidebar-hidden-width))}.docItemWrapperEnhanced_JWYK{max-width:calc(var(--ifm-container-width) + var(--doc-sidebar-width))!important}}@media (min-width:1440px){.container{max-width:var(--ifm-container-width-xl)}}@media (max-width:996px){.col{--ifm-col-width:100%;flex-basis:var(--ifm-col-width);margin-left:0}.footer{--ifm-footer-padding-horizontal:0}.colorModeToggle_DEke,.footer__link-separator,.navbar-sidebar__back,.navbar__item,.tableOfContents_bqdL{display:none}.footer__col{margin-bottom:calc(var(--ifm-spacing-vertical)*3)}.footer__link-item{display:block}.hero{padding-left:0;padding-right:0}.navbar>.container,.navbar>.container-fluid{padding:0}.navbar__toggle{display:inherit}.navbar__search-input{width:9rem}.pills--block,.tabs--block{flex-direction:column}.navbarSearchContainer_Bca1{position:absolute;right:var(--ifm-navbar-padding-horizontal)}.docItemContainer_F8PC{padding:0 .3rem}}@media not (max-width:996px){.searchBar_RVTs.searchBarLeft_MXDe .dropdownMenu_qbY6{left:0!important;right:auto!important}}@media only screen and (max-width:996px){.searchQueryColumn_q7nx{max-width:60%!important}.searchContextColumn_oWAF{max-width:40%!important}}@media (max-width:768px){#theme-main h1{font-size:50px!important;font-weight:700;line-height:3rem!important}#theme-main .header-docs{margin-bottom:20px}}@media (max-width:576px){.markdown h1:first-child{--ifm-h1-font-size:2rem}.markdown>h2{--ifm-h2-font-size:1.5rem}.markdown>h3{--ifm-h3-font-size:1.25rem}.navbar__search-input:not(:focus){width:2rem}.searchBar_RVTs .dropdownMenu_qbY6{max-width:calc(100vw - var(--ifm-navbar-padding-horizontal)*2);width:var(--search-local-modal-width-sm,340px)}.searchBarContainer_NW3z:not(.focused_OWtg) .searchClearButton_qk4g,.searchHintContainer_Pkmr{display:none}}@media screen and (max-width:576px){.searchQueryColumn_q7nx{max-width:100%!important}.searchContextColumn_oWAF{max-width:100%!important;padding-left:var(--ifm-spacing-horizontal)!important}}@media (hover:hover){.backToTopButton_sjWU:hover{background-color:var(--ifm-color-emphasis-300)}}@media (pointer:fine){.thin-scrollbar{scrollbar-width:thin}.thin-scrollbar::-webkit-scrollbar{height:var(--ifm-scrollbar-size);width:var(--ifm-scrollbar-size)}.thin-scrollbar::-webkit-scrollbar-track{background:var(--ifm-scrollbar-track-background-color);border-radius:10px}.thin-scrollbar::-webkit-scrollbar-thumb{background:var(--ifm-scrollbar-thumb-background-color);border-radius:10px}.thin-scrollbar::-webkit-scrollbar-thumb:hover{background:var(--ifm-scrollbar-thumb-hover-background-color)}}@media (prefers-reduced-motion:reduce){:root{--ifm-transition-fast:0ms;--ifm-transition-slow:0ms}}@media print{.announcementBar_mb4j,.footer,.menu,.navbar,.pagination-nav,.table-of-contents,.tocMobile_ITEo{display:none}.tabs{page-break-inside:avoid}.codeBlockLines_e6Vv{white-space:pre-wrap}} \ No newline at end of file diff --git a/assets/js/0480b142.6dc7064a.js b/assets/js/0480b142.6dc7064a.js new file mode 100644 index 000000000..e3b81fc67 --- /dev/null +++ b/assets/js/0480b142.6dc7064a.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[836],{9665:(e,n,s)=>{s.r(n),s.d(n,{assets:()=>l,contentTitle:()=>o,default:()=>h,frontMatter:()=>t,metadata:()=>a,toc:()=>d});var i=s(5893),r=s(1151);const t={title:"FAQ"},o=void 0,a={id:"faq",title:"FAQ",description:"The FAQ is updated periodically and designed to answer the questions our users most frequently ask about K3s.",source:"@site/docs/faq.md",sourceDirName:".",slug:"/faq",permalink:"/faq",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/faq.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"FAQ"},sidebar:"mySidebar",previous:{title:"Known Issues",permalink:"/known-issues"}},l={},d=[{value:"Is K3s a suitable replacement for Kubernetes?",id:"is-k3s-a-suitable-replacement-for-kubernetes",level:3},{value:"How can I use my own Ingress instead of Traefik?",id:"how-can-i-use-my-own-ingress-instead-of-traefik",level:3},{value:"Does K3s support Windows?",id:"does-k3s-support-windows",level:3},{value:"What exactly are Servers and Agents?",id:"what-exactly-are-servers-and-agents",level:3},{value:"How can I build from source?",id:"how-can-i-build-from-source",level:3},{value:"Where are the K3s logs?",id:"where-are-the-k3s-logs",level:3},{value:"Can I run K3s in Docker?",id:"can-i-run-k3s-in-docker",level:3},{value:"What is the difference between K3s Server and Agent Tokens?",id:"what-is-the-difference-between-k3s-server-and-agent-tokens",level:3},{value:"How compatible are different versions of K3s?",id:"how-compatible-are-different-versions-of-k3s",level:3},{value:"I'm having an issue, where can I get help?",id:"im-having-an-issue-where-can-i-get-help",level:3}];function c(e){const n={a:"a",code:"code",h3:"h3",li:"li",ol:"ol",p:"p",ul:"ul",...(0,r.a)(),...e.components};return(0,i.jsxs)(i.Fragment,{children:[(0,i.jsx)(n.p,{children:"The FAQ is updated periodically and designed to answer the questions our users most frequently ask about K3s."}),"\n",(0,i.jsx)(n.h3,{id:"is-k3s-a-suitable-replacement-for-kubernetes",children:"Is K3s a suitable replacement for Kubernetes?"}),"\n",(0,i.jsxs)(n.p,{children:["K3s is a CNCF-certified Kubernetes distribution, and can do everything required of a standard Kubernetes cluster. It is just a more lightweight version. See the ",(0,i.jsx)(n.a,{href:"/",children:"main"})," docs page for more details."]}),"\n",(0,i.jsx)(n.h3,{id:"how-can-i-use-my-own-ingress-instead-of-traefik",children:"How can I use my own Ingress instead of Traefik?"}),"\n",(0,i.jsxs)(n.p,{children:["Simply start K3s server with ",(0,i.jsx)(n.code,{children:"--disable=traefik"})," and deploy your ingress."]}),"\n",(0,i.jsx)(n.h3,{id:"does-k3s-support-windows",children:"Does K3s support Windows?"}),"\n",(0,i.jsx)(n.p,{children:"At this time K3s does not natively support Windows, however we are open to the idea in the future."}),"\n",(0,i.jsx)(n.h3,{id:"what-exactly-are-servers-and-agents",children:"What exactly are Servers and Agents?"}),"\n",(0,i.jsxs)(n.p,{children:["For a breakdown on the components that make up a server and agent, see the ",(0,i.jsx)(n.a,{href:"/architecture",children:"Architecture page"}),"."]}),"\n",(0,i.jsx)(n.h3,{id:"how-can-i-build-from-source",children:"How can I build from source?"}),"\n",(0,i.jsxs)(n.p,{children:["Please reference the K3s ",(0,i.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/blob/master/BUILDING.md",children:"BUILDING.md"})," with instructions."]}),"\n",(0,i.jsx)(n.h3,{id:"where-are-the-k3s-logs",children:"Where are the K3s logs?"}),"\n",(0,i.jsx)(n.p,{children:"The location of K3s logs will vary depending on how you run K3s and the node's OS."}),"\n",(0,i.jsxs)(n.ul,{children:["\n",(0,i.jsx)(n.li,{children:"When run from the command line, logs are sent to stdout and stderr."}),"\n",(0,i.jsxs)(n.li,{children:["When running under openrc, logs will be created at ",(0,i.jsx)(n.code,{children:"/var/log/k3s.log"}),"."]}),"\n",(0,i.jsxs)(n.li,{children:["When running under Systemd, logs will be sent to Journald and can be viewed using ",(0,i.jsx)(n.code,{children:"journalctl -u k3s"}),"."]}),"\n",(0,i.jsxs)(n.li,{children:["Pod logs can be found at ",(0,i.jsx)(n.code,{children:"/var/log/pods"}),"."]}),"\n",(0,i.jsxs)(n.li,{children:["Containerd logs can be found at ",(0,i.jsx)(n.code,{children:"/var/lib/rancher/k3s/agent/containerd/containerd.log"}),"."]}),"\n"]}),"\n",(0,i.jsxs)(n.p,{children:["You can generate more detailed logs by using the ",(0,i.jsx)(n.code,{children:"--debug"})," flag when starting K3s (or ",(0,i.jsx)(n.code,{children:"debug: true"})," in the configuration file)."]}),"\n",(0,i.jsxs)(n.p,{children:["Kubernetes uses a logging framework known as ",(0,i.jsx)(n.code,{children:"klog"}),", which uses a single logging configuration for all components within a process.\nSince K3s runs all Kubernetes components within a single process, it is not possible to configure different log levels or destinations for individual Kubernetes components.\nUse of the ",(0,i.jsx)(n.code,{children:"-v="})," or ",(0,i.jsx)(n.code,{children:"--vmodule=="})," component args will likely not have the desired effect."]}),"\n",(0,i.jsxs)(n.p,{children:["See ",(0,i.jsx)(n.a,{href:"/advanced#additional-logging-sources",children:"Additional Logging Sources"})," for even more log options."]}),"\n",(0,i.jsx)(n.h3,{id:"can-i-run-k3s-in-docker",children:"Can I run K3s in Docker?"}),"\n",(0,i.jsxs)(n.p,{children:["Yes, there are multiple ways to run K3s in Docker. See ",(0,i.jsx)(n.a,{href:"/advanced#running-k3s-in-docker",children:"Advanced Options"})," for more details."]}),"\n",(0,i.jsx)(n.h3,{id:"what-is-the-difference-between-k3s-server-and-agent-tokens",children:"What is the difference between K3s Server and Agent Tokens?"}),"\n",(0,i.jsxs)(n.p,{children:["For more information on managing K3s join tokens, see the ",(0,i.jsxs)(n.a,{href:"/cli/token",children:[(0,i.jsx)(n.code,{children:"k3s token"})," command documentation"]}),"."]}),"\n",(0,i.jsx)(n.h3,{id:"how-compatible-are-different-versions-of-k3s",children:"How compatible are different versions of K3s?"}),"\n",(0,i.jsxs)(n.p,{children:["In general, the ",(0,i.jsx)(n.a,{href:"https://kubernetes.io/docs/setup/release/version-skew-policy/",children:"Kubernetes version skew policy"})," applies."]}),"\n",(0,i.jsx)(n.p,{children:"In short, servers can be newer than agents, but agents cannot be newer than servers."}),"\n",(0,i.jsx)(n.h3,{id:"im-having-an-issue-where-can-i-get-help",children:"I'm having an issue, where can I get help?"}),"\n",(0,i.jsx)(n.p,{children:"If you are having an issue with deploying K3s, you should:"}),"\n",(0,i.jsxs)(n.ol,{children:["\n",(0,i.jsxs)(n.li,{children:["\n",(0,i.jsxs)(n.p,{children:["Check the ",(0,i.jsx)(n.a,{href:"/known-issues",children:"Known Issues"})," page."]}),"\n"]}),"\n",(0,i.jsxs)(n.li,{children:["\n",(0,i.jsxs)(n.p,{children:["Check that you have resolved any ",(0,i.jsx)(n.a,{href:"/installation/requirements#operating-systems",children:"Additional OS Preparation"}),". Run ",(0,i.jsx)(n.code,{children:"k3s check-config"})," and ensure that it passes."]}),"\n"]}),"\n",(0,i.jsxs)(n.li,{children:["\n",(0,i.jsxs)(n.p,{children:["Search the K3s ",(0,i.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/issues",children:"Issues"})," and ",(0,i.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/discussions",children:"Discussions"})," for one that matches your problem."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(n.ol,{start:"4",children:["\n",(0,i.jsxs)(n.li,{children:["\n",(0,i.jsxs)(n.p,{children:["Join the ",(0,i.jsx)(n.a,{href:"https://slack.rancher.io/",children:"Rancher Slack"})," K3s channel to get help."]}),"\n"]}),"\n",(0,i.jsxs)(n.li,{children:["\n",(0,i.jsxs)(n.p,{children:["Submit a ",(0,i.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/issues/new/choose",children:"New Issue"})," on the K3s Github describing your setup and the issue you are experiencing."]}),"\n"]}),"\n"]})]})}function h(e={}){const{wrapper:n}={...(0,r.a)(),...e.components};return n?(0,i.jsx)(n,{...e,children:(0,i.jsx)(c,{...e})}):c(e)}},1151:(e,n,s)=>{s.d(n,{Z:()=>a,a:()=>o});var i=s(7294);const r={},t=i.createContext(r);function o(e){const n=i.useContext(t);return i.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function a(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:o(e.components),i.createElement(t.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/0480b142.8dd27be6.js b/assets/js/0480b142.8dd27be6.js deleted file mode 100644 index dbf2fa0de..000000000 --- a/assets/js/0480b142.8dd27be6.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[836],{9665:(e,n,s)=>{s.r(n),s.d(n,{assets:()=>l,contentTitle:()=>o,default:()=>h,frontMatter:()=>t,metadata:()=>a,toc:()=>d});var i=s(5893),r=s(1151);const t={title:"FAQ"},o=void 0,a={id:"faq",title:"FAQ",description:"The FAQ is updated periodically and designed to answer the questions our users most frequently ask about K3s.",source:"@site/docs/faq.md",sourceDirName:".",slug:"/faq",permalink:"/faq",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/faq.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"FAQ"},sidebar:"mySidebar",previous:{title:"Known Issues",permalink:"/known-issues"}},l={},d=[{value:"Is K3s a suitable replacement for Kubernetes?",id:"is-k3s-a-suitable-replacement-for-kubernetes",level:3},{value:"How can I use my own Ingress instead of Traefik?",id:"how-can-i-use-my-own-ingress-instead-of-traefik",level:3},{value:"Does K3s support Windows?",id:"does-k3s-support-windows",level:3},{value:"What exactly are Servers and Agents?",id:"what-exactly-are-servers-and-agents",level:3},{value:"How can I build from source?",id:"how-can-i-build-from-source",level:3},{value:"Where are the K3s logs?",id:"where-are-the-k3s-logs",level:3},{value:"Can I run K3s in Docker?",id:"can-i-run-k3s-in-docker",level:3},{value:"What is the difference between K3s Server and Agent Tokens?",id:"what-is-the-difference-between-k3s-server-and-agent-tokens",level:3},{value:"How compatible are different versions of K3s?",id:"how-compatible-are-different-versions-of-k3s",level:3},{value:"I'm having an issue, where can I get help?",id:"im-having-an-issue-where-can-i-get-help",level:3}];function c(e){const n={a:"a",code:"code",h3:"h3",li:"li",ol:"ol",p:"p",ul:"ul",...(0,r.a)(),...e.components};return(0,i.jsxs)(i.Fragment,{children:[(0,i.jsx)(n.p,{children:"The FAQ is updated periodically and designed to answer the questions our users most frequently ask about K3s."}),"\n",(0,i.jsx)(n.h3,{id:"is-k3s-a-suitable-replacement-for-kubernetes",children:"Is K3s a suitable replacement for Kubernetes?"}),"\n",(0,i.jsxs)(n.p,{children:["K3s is a CNCF-certified Kubernetes distribution, and can do everything required of a standard Kubernetes cluster. It is just a more lightweight version. See the ",(0,i.jsx)(n.a,{href:"/",children:"main"})," docs page for more details."]}),"\n",(0,i.jsx)(n.h3,{id:"how-can-i-use-my-own-ingress-instead-of-traefik",children:"How can I use my own Ingress instead of Traefik?"}),"\n",(0,i.jsxs)(n.p,{children:["Simply start K3s server with ",(0,i.jsx)(n.code,{children:"--disable=traefik"})," and deploy your ingress."]}),"\n",(0,i.jsx)(n.h3,{id:"does-k3s-support-windows",children:"Does K3s support Windows?"}),"\n",(0,i.jsx)(n.p,{children:"At this time K3s does not natively support Windows, however we are open to the idea in the future."}),"\n",(0,i.jsx)(n.h3,{id:"what-exactly-are-servers-and-agents",children:"What exactly are Servers and Agents?"}),"\n",(0,i.jsxs)(n.p,{children:["For a breakdown on the components that make up a server and agent, see the ",(0,i.jsx)(n.a,{href:"/architecture",children:"Architecture page"}),"."]}),"\n",(0,i.jsx)(n.h3,{id:"how-can-i-build-from-source",children:"How can I build from source?"}),"\n",(0,i.jsxs)(n.p,{children:["Please reference the K3s ",(0,i.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/blob/master/BUILDING.md",children:"BUILDING.md"})," with instructions."]}),"\n",(0,i.jsx)(n.h3,{id:"where-are-the-k3s-logs",children:"Where are the K3s logs?"}),"\n",(0,i.jsx)(n.p,{children:"The location of K3s logs will vary depending on how you run K3s and the node's OS."}),"\n",(0,i.jsxs)(n.ul,{children:["\n",(0,i.jsx)(n.li,{children:"When run from the command line, logs are sent to stdout and stderr."}),"\n",(0,i.jsxs)(n.li,{children:["When running under openrc, logs will be created at ",(0,i.jsx)(n.code,{children:"/var/log/k3s.log"}),"."]}),"\n",(0,i.jsxs)(n.li,{children:["When running under Systemd, logs will be sent to Journald and can be viewed using ",(0,i.jsx)(n.code,{children:"journalctl -u k3s"}),"."]}),"\n",(0,i.jsxs)(n.li,{children:["Pod logs can be found at ",(0,i.jsx)(n.code,{children:"/var/log/pods"}),"."]}),"\n",(0,i.jsxs)(n.li,{children:["Containerd logs can be found at ",(0,i.jsx)(n.code,{children:"/var/lib/rancher/k3s/agent/containerd/containerd.log"}),"."]}),"\n"]}),"\n",(0,i.jsxs)(n.p,{children:["You can generate more detailed logs by using the ",(0,i.jsx)(n.code,{children:"--debug"})," flag when starting K3s (or ",(0,i.jsx)(n.code,{children:"debug: true"})," in the configuration file)."]}),"\n",(0,i.jsxs)(n.p,{children:["Kubernetes uses a logging framework known as ",(0,i.jsx)(n.code,{children:"klog"}),", which uses a single logging configuration for all components within a process.\nSince K3s runs all Kubernetes components within a single process, it is not possible to configure different log levels or destinations for individual Kubernetes components.\nUse of the ",(0,i.jsx)(n.code,{children:"-v="})," or ",(0,i.jsx)(n.code,{children:"--vmodule=="})," component args will likely not have the desired effect."]}),"\n",(0,i.jsxs)(n.p,{children:["See ",(0,i.jsx)(n.a,{href:"/advanced#additional-logging-sources",children:"Additional Logging Sources"})," for even more log options."]}),"\n",(0,i.jsx)(n.h3,{id:"can-i-run-k3s-in-docker",children:"Can I run K3s in Docker?"}),"\n",(0,i.jsxs)(n.p,{children:["Yes, there are multiple ways to run K3s in Docker. See ",(0,i.jsx)(n.a,{href:"/advanced#running-k3s-in-docker",children:"Advanced Options"})," for more details."]}),"\n",(0,i.jsx)(n.h3,{id:"what-is-the-difference-between-k3s-server-and-agent-tokens",children:"What is the difference between K3s Server and Agent Tokens?"}),"\n",(0,i.jsxs)(n.p,{children:["For more information on managing K3s join tokens, see the ",(0,i.jsxs)(n.a,{href:"/cli/token",children:[(0,i.jsx)(n.code,{children:"k3s token"})," command documentation"]}),"."]}),"\n",(0,i.jsx)(n.h3,{id:"how-compatible-are-different-versions-of-k3s",children:"How compatible are different versions of K3s?"}),"\n",(0,i.jsxs)(n.p,{children:["In general, the ",(0,i.jsx)(n.a,{href:"https://kubernetes.io/docs/setup/release/version-skew-policy/",children:"Kubernetes version skew policy"})," applies."]}),"\n",(0,i.jsx)(n.p,{children:"In short, servers can be newer than agents, but agents cannot be newer than servers."}),"\n",(0,i.jsx)(n.h3,{id:"im-having-an-issue-where-can-i-get-help",children:"I'm having an issue, where can I get help?"}),"\n",(0,i.jsx)(n.p,{children:"If you are having an issue with deploying K3s, you should:"}),"\n",(0,i.jsxs)(n.ol,{children:["\n",(0,i.jsxs)(n.li,{children:["\n",(0,i.jsxs)(n.p,{children:["Check the ",(0,i.jsx)(n.a,{href:"/known-issues",children:"Known Issues"})," page."]}),"\n"]}),"\n",(0,i.jsxs)(n.li,{children:["\n",(0,i.jsxs)(n.p,{children:["Check that you have resolved any ",(0,i.jsx)(n.a,{href:"/installation/requirements#operating-systems",children:"Additional OS Preparation"}),". Run ",(0,i.jsx)(n.code,{children:"k3s check-config"})," and ensure that it passes."]}),"\n"]}),"\n",(0,i.jsxs)(n.li,{children:["\n",(0,i.jsxs)(n.p,{children:["Search the K3s ",(0,i.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/issues",children:"Issues"})," and ",(0,i.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/discussions",children:"Discussions"})," for one that matches your problem."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(n.ol,{start:"4",children:["\n",(0,i.jsxs)(n.li,{children:["\n",(0,i.jsxs)(n.p,{children:["Join the ",(0,i.jsx)(n.a,{href:"https://slack.rancher.io/",children:"Rancher Slack"})," K3s channel to get help."]}),"\n"]}),"\n",(0,i.jsxs)(n.li,{children:["\n",(0,i.jsxs)(n.p,{children:["Submit a ",(0,i.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/issues/new/choose",children:"New Issue"})," on the K3s Github describing your setup and the issue you are experiencing."]}),"\n"]}),"\n"]})]})}function h(e={}){const{wrapper:n}={...(0,r.a)(),...e.components};return n?(0,i.jsx)(n,{...e,children:(0,i.jsx)(c,{...e})}):c(e)}},1151:(e,n,s)=>{s.d(n,{Z:()=>a,a:()=>o});var i=s(7294);const r={},t=i.createContext(r);function o(e){const n=i.useContext(t);return i.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function a(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:o(e.components),i.createElement(t.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/06dc01b4.43c8b06d.js b/assets/js/06dc01b4.43c8b06d.js new file mode 100644 index 000000000..13b4c4421 --- /dev/null +++ b/assets/js/06dc01b4.43c8b06d.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[9233],{6516:(e,n,i)=>{i.r(n),i.d(n,{assets:()=>l,contentTitle:()=>o,default:()=>h,frontMatter:()=>r,metadata:()=>a,toc:()=>d});var s=i(5893),t=i(1151);const r={title:"Basic Network Options"},o=void 0,a={id:"networking/basic-network-options",title:"Basic Network Options",description:"This page describes K3s network configuration options, including configuration or replacement of Flannel, and configuring IPv6 or dualStack.",source:"@site/docs/networking/basic-network-options.md",sourceDirName:"networking",slug:"/networking/basic-network-options",permalink:"/networking/basic-network-options",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/networking/basic-network-options.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Basic Network Options"},sidebar:"mySidebar",previous:{title:"Networking",permalink:"/networking/"},next:{title:"Distributed hybrid or multicloud cluster",permalink:"/networking/distributed-multicloud"}},l={},d=[{value:"Flannel Options",id:"flannel-options",level:2},{value:"Migrating from wireguard or ipsec to wireguard-native",id:"migrating-from-wireguard-or-ipsec-to-wireguard-native",level:3},{value:"Custom CNI",id:"custom-cni",level:2},{value:"Control-Plane Egress Selector configuration",id:"control-plane-egress-selector-configuration",level:2},{value:"Dual-stack (IPv4 + IPv6) Networking",id:"dual-stack-ipv4--ipv6-networking",level:2},{value:"Single-stack IPv6 Networking",id:"single-stack-ipv6-networking",level:2},{value:"Nodes Without a Hostname",id:"nodes-without-a-hostname",level:2}];function c(e){const n={a:"a",admonition:"admonition",br:"br",code:"code",h2:"h2",h3:"h3",li:"li",ol:"ol",p:"p",pre:"pre",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,t.a)(),...e.components},{TabItem:i,Tabs:r}=n;return i||u("TabItem",!0),r||u("Tabs",!0),(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(n.p,{children:"This page describes K3s network configuration options, including configuration or replacement of Flannel, and configuring IPv6 or dualStack."}),"\n",(0,s.jsx)(n.h2,{id:"flannel-options",children:"Flannel Options"}),"\n",(0,s.jsxs)(n.p,{children:[(0,s.jsx)(n.a,{href:"https://github.com/flannel-io/flannel/blob/master/README.md",children:"Flannel"})," is a lightweight provider of layer 3 network fabric that implements the Kubernetes Container Network Interface (CNI). It is what is commonly referred to as a CNI Plugin."]}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsx)(n.li,{children:"Flannel options can only be set on server nodes, and must be identical on all servers in the cluster."}),"\n",(0,s.jsxs)(n.li,{children:["The default backend for Flannel is ",(0,s.jsx)(n.code,{children:"vxlan"}),". To enable encryption, use the ",(0,s.jsx)(n.code,{children:"wireguard-native"})," backend."]}),"\n",(0,s.jsxs)(n.li,{children:["Using ",(0,s.jsx)(n.code,{children:"vxlan"})," on Rasperry Pi with recent versions of Ubuntu requires ",(0,s.jsx)(n.a,{href:"/installation/requirements?os=pi#operating-systems",children:"additional preparation"}),"."]}),"\n",(0,s.jsxs)(n.li,{children:["Using ",(0,s.jsx)(n.code,{children:"wireguard-native"})," as the Flannel backend may require additional modules on some Linux distributions. Please see the ",(0,s.jsx)(n.a,{href:"https://www.wireguard.com/install/",children:"WireGuard Install Guide"})," for details.\nThe WireGuard install steps will ensure the appropriate kernel modules are installed for your operating system.\nYou must ensure that WireGuard kernel modules are available on every node, both servers and agents, before attempting to use the WireGuard Flannel backend."]}),"\n"]}),"\n",(0,s.jsxs)(n.table,{children:[(0,s.jsx)(n.thead,{children:(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.th,{children:"CLI Flag and Value"}),(0,s.jsx)(n.th,{children:"Description"})]})}),(0,s.jsxs)(n.tbody,{children:[(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"--flannel-ipv6-masq"})}),(0,s.jsxs)(n.td,{children:["Apply masquerading rules to IPv6 traffic (default for IPv4). Only applies on dual-stack or IPv6-only clusters. Compatible with any Flannel backend other than ",(0,s.jsx)(n.code,{children:"none"}),"."]})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"--flannel-external-ip"})}),(0,s.jsx)(n.td,{children:"Use node external IP addresses as the destination for Flannel traffic, instead of internal IPs. Only applies when --node-external-ip is set on a node."})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"--flannel-backend=vxlan"})}),(0,s.jsx)(n.td,{children:"Use VXLAN to encapsulate the packets. May require additional kernel modules on Raspberry Pi."})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"--flannel-backend=host-gw"})}),(0,s.jsx)(n.td,{children:"Use IP routes to pod subnets via node IPs. Requires direct layer 2 connectivity between all nodes in the cluster."})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"--flannel-backend=wireguard-native"})}),(0,s.jsx)(n.td,{children:"Use WireGuard to encapsulate and encrypt network traffic. May require additional kernel modules."})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"--flannel-backend=ipsec"})}),(0,s.jsxs)(n.td,{children:["Use strongSwan IPSec via the ",(0,s.jsx)(n.code,{children:"swanctl"})," binary to encrypt network traffic. (Deprecated; will be removed in v1.27.0)"]})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"--flannel-backend=none"})}),(0,s.jsx)(n.td,{children:"Disable Flannel entirely."})]})]})]}),"\n",(0,s.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,s.jsxs)(n.p,{children:["K3s no longer includes strongSwan ",(0,s.jsx)(n.code,{children:"swanctl"})," and ",(0,s.jsx)(n.code,{children:"charon"})," binaries starting with the 2022-12 releases (v1.26.0+k3s1, v1.25.5+k3s1, v1.24.9+k3s1, v1.23.15+k3s1). Please install the correct packages on your node before upgrading to or installing these releases if you want to use the ",(0,s.jsx)(n.code,{children:"ipsec"})," backend."]})}),"\n",(0,s.jsxs)(n.h3,{id:"migrating-from-wireguard-or-ipsec-to-wireguard-native",children:["Migrating from ",(0,s.jsx)(n.code,{children:"wireguard"})," or ",(0,s.jsx)(n.code,{children:"ipsec"})," to ",(0,s.jsx)(n.code,{children:"wireguard-native"})]}),"\n",(0,s.jsxs)(n.p,{children:["The legacy ",(0,s.jsx)(n.code,{children:"wireguard"})," backend requires installation of the ",(0,s.jsx)(n.code,{children:"wg"})," tool on the host. This backend is not available in K3s v1.26 and higher, in favor of ",(0,s.jsx)(n.code,{children:"wireguard-native"})," backend, which directly interfaces with the kernel."]}),"\n",(0,s.jsxs)(n.p,{children:["The legacy ",(0,s.jsx)(n.code,{children:"ipsec"})," backend requires installation of the ",(0,s.jsx)(n.code,{children:"swanctl"})," and ",(0,s.jsx)(n.code,{children:"charon"})," binaries on the host. This backend is not available in K3s v1.27 and higher, in favor of the ",(0,s.jsx)(n.code,{children:"wireguard-native"})," backend."]}),"\n",(0,s.jsx)(n.p,{children:"We recommend that users migrate to the new backend as soon as possible. The migration requires a short period of downtime while nodes come up with the new configuration. You should follow these two steps:"}),"\n",(0,s.jsxs)(n.ol,{children:["\n",(0,s.jsxs)(n.li,{children:["Update the K3s config on all server nodes. If using config files, the ",(0,s.jsx)(n.code,{children:"/etc/rancher/k3s/config.yaml"})," should include ",(0,s.jsx)(n.code,{children:"flannel-backend: wireguard-native"})," instead of ",(0,s.jsx)(n.code,{children:"flannel-backend: wireguard"})," or ",(0,s.jsx)(n.code,{children:"flannel-backend: ipsec"}),". If you are configuring K3s via CLI flags in the systemd unit, the equivalent flags should be changed."]}),"\n",(0,s.jsx)(n.li,{children:"Reboot all nodes, starting with the servers."}),"\n"]}),"\n",(0,s.jsx)(n.h2,{id:"custom-cni",children:"Custom CNI"}),"\n",(0,s.jsxs)(n.p,{children:["Start K3s with ",(0,s.jsx)(n.code,{children:"--flannel-backend=none"})," and install your CNI of choice. Most CNI plugins come with their own network policy engine, so it is recommended to set ",(0,s.jsx)(n.code,{children:"--disable-network-policy"})," as well to avoid conflicts. Some important information to take into consideration:"]}),"\n",(0,s.jsxs)(r,{queryString:"cni",children:[(0,s.jsxs)(i,{value:"Canal",default:!0,children:[(0,s.jsxs)(n.p,{children:["Visit the ",(0,s.jsx)(n.a,{href:"https://docs.tigera.io/calico/latest/getting-started/kubernetes/flannel/install-for-flannel#installing-calico-for-policy-and-flannel-aka-canal-for-networking",children:"Canal Docs"})," website. Follow the steps to install Canal. Modify the Canal YAML so that IP forwarding is allowed in the ",(0,s.jsx)(n.code,{children:"container_settings"})," section, for example:"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:'"container_settings": {\n "allow_ip_forwarding": true\n}\n'})}),(0,s.jsx)(n.p,{children:"Apply the Canal YAML."}),(0,s.jsx)(n.p,{children:"Ensure the settings were applied by running the following command on the host:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"cat /etc/cni/net.d/10-canal.conflist\n"})}),(0,s.jsx)(n.p,{children:"You should see that IP forwarding is set to true."})]}),(0,s.jsxs)(i,{value:"Calico",default:!0,children:[(0,s.jsxs)(n.p,{children:["Follow the ",(0,s.jsx)(n.a,{href:"https://docs.tigera.io/calico/latest/reference/configure-cni-plugins",children:"Calico CNI Plugins Guide"}),". Modify the Calico YAML so that IP forwarding is allowed in the ",(0,s.jsx)(n.code,{children:"container_settings"})," section, for example:"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:'"container_settings": {\n "allow_ip_forwarding": true\n}\n'})}),(0,s.jsx)(n.p,{children:"Apply the Calico YAML."}),(0,s.jsx)(n.p,{children:"Ensure the settings were applied by running the following command on the host:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"cat /etc/cni/net.d/10-calico.conflist\n"})}),(0,s.jsx)(n.p,{children:"You should see that IP forwarding is set to true."})]}),(0,s.jsxs)(i,{value:"Cilium",default:!0,children:[(0,s.jsxs)(n.p,{children:["Before running ",(0,s.jsx)(n.code,{children:"k3s-killall.sh"})," or ",(0,s.jsx)(n.code,{children:"k3s-uninstall.sh"}),", you must manually remove ",(0,s.jsx)(n.code,{children:"cilium_host"}),", ",(0,s.jsx)(n.code,{children:"cilium_net"})," and ",(0,s.jsx)(n.code,{children:"cilium_vxlan"})," interfaces. If you fail to do this, you may lose network connectivity to the host when K3s is stopped"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"ip link delete cilium_host\nip link delete cilium_net\nip link delete cilium_vxlan\n"})}),(0,s.jsx)(n.p,{children:"Additionally, iptables rules for cilium should be removed:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"iptables-save | grep -iv cilium | iptables-restore\nip6tables-save | grep -iv cilium | ip6tables-restore\n"})})]})]}),"\n",(0,s.jsx)(n.h2,{id:"control-plane-egress-selector-configuration",children:"Control-Plane Egress Selector configuration"}),"\n",(0,s.jsxs)(n.p,{children:["K3s agents and servers maintain websocket tunnels between nodes that are used to encapsulate bidirectional communication between the control-plane (apiserver) and agent (kubelet and containerd) components.\nThis allows agents to operate without exposing the kubelet and container runtime streaming ports to incoming connections, and for the control-plane to connect to cluster services when operating with the agent disabled.\nThis functionality is equivalent to the ",(0,s.jsx)(n.a,{href:"https://kubernetes.io/docs/tasks/extend-kubernetes/setup-konnectivity/",children:"Konnectivity"})," service commonly used on other Kubernetes distributions, and is managed via the apiserver's egress selector configuration."]}),"\n",(0,s.jsxs)(n.p,{children:["The default mode is ",(0,s.jsx)(n.code,{children:"agent"}),". ",(0,s.jsx)(n.code,{children:"pod"})," or ",(0,s.jsx)(n.code,{children:"cluster"})," modes are recommended when running ",(0,s.jsx)(n.a,{href:"/advanced#running-agentless-servers-experimental",children:"agentless servers"}),", in order to provide the apiserver with access to cluster service endpoints in the absence of flannel and kube-proxy."]}),"\n",(0,s.jsxs)(n.p,{children:["The egress selector mode may be configured on servers via the ",(0,s.jsx)(n.code,{children:"--egress-selector-mode"})," flag, and offers four modes:"]}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsxs)(n.li,{children:[(0,s.jsx)(n.code,{children:"disabled"}),": The apiserver does not use agent tunnels to communicate with kubelets or cluster endpoints.\nThis mode requires that servers run the kubelet, CNI, and kube-proxy, and have direct connectivity to agents, or the apiserver will not be able to access service endpoints or perform ",(0,s.jsx)(n.code,{children:"kubectl exec"})," and ",(0,s.jsx)(n.code,{children:"kubectl logs"}),"."]}),"\n",(0,s.jsxs)(n.li,{children:[(0,s.jsx)(n.code,{children:"agent"})," (default): The apiserver uses agent tunnels to communicate with kubelets.\nThis mode requires that the servers also run the kubelet, CNI, and kube-proxy, or the apiserver will not be able to access service endpoints."]}),"\n",(0,s.jsxs)(n.li,{children:[(0,s.jsx)(n.code,{children:"pod"}),": The apiserver uses agent tunnels to communicate with kubelets and service endpoints, routing endpoint connections to the correct agent by watching Nodes and Endpoints.",(0,s.jsx)(n.br,{}),"\n",(0,s.jsx)(n.strong,{children:"NOTE"}),": This mode will not work when using a CNI that uses its own IPAM and does not respect the node's PodCIDR allocation. ",(0,s.jsx)(n.code,{children:"cluster"})," or ",(0,s.jsx)(n.code,{children:"agent"})," mode should be used with these CNIs instead."]}),"\n",(0,s.jsxs)(n.li,{children:[(0,s.jsx)(n.code,{children:"cluster"}),": The apiserver uses agent tunnels to communicate with kubelets and service endpoints, routing endpoint connections to the correct agent by watching Pods and Endpoints. This mode has the highest portability across different cluster configurations, at the cost of increased overhead."]}),"\n"]}),"\n",(0,s.jsx)(n.h2,{id:"dual-stack-ipv4--ipv6-networking",children:"Dual-stack (IPv4 + IPv6) Networking"}),"\n",(0,s.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,s.jsxs)(n.p,{children:["Experimental support is available as of ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.21.0%2Bk3s1",children:"v1.21.0+k3s1"}),".",(0,s.jsx)(n.br,{}),"\n","Stable support is available as of ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.23.7%2Bk3s1",children:"v1.23.7+k3s1"}),"."]})}),"\n",(0,s.jsxs)(n.admonition,{title:"Known Issue",type:"warning",children:[(0,s.jsxs)(n.p,{children:["Before 1.27, Kubernetes ",(0,s.jsx)(n.a,{href:"https://github.com/kubernetes/kubernetes/issues/111695",children:"Issue #111695"})," causes the Kubelet to ignore the node IPv6 addresses if you have a dual-stack environment and you are not using the primary network interface for cluster traffic. To avoid this bug, use 1.27 or newer or add the following flag to both K3s servers and agents:"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:'--kubelet-arg="node-ip=0.0.0.0" # To proritize IPv4 traffic\n#OR\n--kubelet-arg="node-ip=::" # To proritize IPv6 traffic\n'})})]}),"\n",(0,s.jsx)(n.p,{children:"Dual-stack networking must be configured when the cluster is first created. It cannot be enabled on an existing cluster once it has been started as IPv4-only."}),"\n",(0,s.jsxs)(n.p,{children:["To enable dual-stack in K3s, you must provide valid dual-stack ",(0,s.jsx)(n.code,{children:"cluster-cidr"})," and ",(0,s.jsx)(n.code,{children:"service-cidr"})," on all server nodes. This is an example of a valid configuration:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"--cluster-cidr=10.42.0.0/16,2001:cafe:42::/56 --service-cidr=10.43.0.0/16,2001:cafe:43::/112\n"})}),"\n",(0,s.jsxs)(n.p,{children:["Note that you may configure any valid ",(0,s.jsx)(n.code,{children:"cluster-cidr"})," and ",(0,s.jsx)(n.code,{children:"service-cidr"})," values, but the above masks are recommended. If you change the ",(0,s.jsx)(n.code,{children:"cluster-cidr"})," mask, you should also change the ",(0,s.jsx)(n.code,{children:"node-cidr-mask-size-ipv4"})," and ",(0,s.jsx)(n.code,{children:"node-cidr-mask-size-ipv6"})," values to match the planned pods per node and total node count. The largest supported ",(0,s.jsx)(n.code,{children:"service-cidr"})," mask is /12 for IPv4, and /112 for IPv6. Remember to allow ipv6 traffic if you are deploying in a public cloud."]}),"\n",(0,s.jsx)(n.p,{children:"If you are using a custom CNI plugin, i.e. a CNI plugin other than Flannel, the additional configuration may be required. Please consult your plugin's dual-stack documentation and verify if network policies can be enabled."}),"\n",(0,s.jsx)(n.admonition,{title:"Known Issue",type:"warning",children:(0,s.jsx)(n.p,{children:"When defining cluster-cidr and service-cidr with IPv6 as the primary family, the node-ip of all cluster members should be explicitly set, placing node's desired IPv6 address as the first address. By default, the kubelet always uses IPv4 as the primary address family."})}),"\n",(0,s.jsx)(n.h2,{id:"single-stack-ipv6-networking",children:"Single-stack IPv6 Networking"}),"\n",(0,s.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,s.jsxs)(n.p,{children:["Available as of ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.22.9%2Bk3s1",children:"v1.22.9+k3s1"})]})}),"\n",(0,s.jsx)(n.admonition,{title:"Known Issue",type:"warning",children:(0,s.jsxs)(n.p,{children:["If your IPv6 default route is set by a router advertisement (RA), you will need to set the sysctl ",(0,s.jsx)(n.code,{children:"net.ipv6.conf.all.accept_ra=2"}),"; otherwise, the node will drop the default route once it expires. Be aware that accepting RAs could increase the risk of ",(0,s.jsx)(n.a,{href:"https://github.com/kubernetes/kubernetes/issues/91507",children:"man-in-the-middle attacks"}),"."]})}),"\n",(0,s.jsxs)(n.p,{children:["Single-stack IPv6 clusters (clusters without IPv4) are supported on K3s using the ",(0,s.jsx)(n.code,{children:"--cluster-cidr"})," and ",(0,s.jsx)(n.code,{children:"--service-cidr"})," flags. This is an example of a valid configuration:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"--cluster-cidr=2001:cafe:42::/56 --service-cidr=2001:cafe:43::/112\n"})}),"\n",(0,s.jsx)(n.h2,{id:"nodes-without-a-hostname",children:"Nodes Without a Hostname"}),"\n",(0,s.jsxs)(n.p,{children:['Some cloud providers, such as Linode, will create machines with "localhost" as the hostname and others may not have a hostname set at all. This can cause problems with domain name resolution. You can run K3s with the ',(0,s.jsx)(n.code,{children:"--node-name"})," flag or ",(0,s.jsx)(n.code,{children:"K3S_NODE_NAME"})," environment variable and this will pass the node name to resolve this issue."]})]})}function h(e={}){const{wrapper:n}={...(0,t.a)(),...e.components};return n?(0,s.jsx)(n,{...e,children:(0,s.jsx)(c,{...e})}):c(e)}function u(e,n){throw new Error("Expected "+(n?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,n,i)=>{i.d(n,{Z:()=>a,a:()=>o});var s=i(7294);const t={},r=s.createContext(t);function o(e){const n=s.useContext(r);return s.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function a(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:o(e.components),s.createElement(r.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/06dc01b4.4cc2ccd0.js b/assets/js/06dc01b4.4cc2ccd0.js deleted file mode 100644 index 96df269d0..000000000 --- a/assets/js/06dc01b4.4cc2ccd0.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[9233],{6516:(e,n,i)=>{i.r(n),i.d(n,{assets:()=>l,contentTitle:()=>o,default:()=>h,frontMatter:()=>r,metadata:()=>a,toc:()=>d});var s=i(5893),t=i(1151);const r={title:"Basic Network Options"},o=void 0,a={id:"networking/basic-network-options",title:"Basic Network Options",description:"This page describes K3s network configuration options, including configuration or replacement of Flannel, and configuring IPv6 or dualStack.",source:"@site/docs/networking/basic-network-options.md",sourceDirName:"networking",slug:"/networking/basic-network-options",permalink:"/networking/basic-network-options",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/networking/basic-network-options.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Basic Network Options"},sidebar:"mySidebar",previous:{title:"Networking",permalink:"/networking/"},next:{title:"Distributed hybrid or multicloud cluster",permalink:"/networking/distributed-multicloud"}},l={},d=[{value:"Flannel Options",id:"flannel-options",level:2},{value:"Migrating from wireguard or ipsec to wireguard-native",id:"migrating-from-wireguard-or-ipsec-to-wireguard-native",level:3},{value:"Custom CNI",id:"custom-cni",level:2},{value:"Control-Plane Egress Selector configuration",id:"control-plane-egress-selector-configuration",level:2},{value:"Dual-stack (IPv4 + IPv6) Networking",id:"dual-stack-ipv4--ipv6-networking",level:2},{value:"Single-stack IPv6 Networking",id:"single-stack-ipv6-networking",level:2},{value:"Nodes Without a Hostname",id:"nodes-without-a-hostname",level:2}];function c(e){const n={a:"a",admonition:"admonition",br:"br",code:"code",h2:"h2",h3:"h3",li:"li",ol:"ol",p:"p",pre:"pre",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,t.a)(),...e.components},{TabItem:i,Tabs:r}=n;return i||u("TabItem",!0),r||u("Tabs",!0),(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(n.p,{children:"This page describes K3s network configuration options, including configuration or replacement of Flannel, and configuring IPv6 or dualStack."}),"\n",(0,s.jsx)(n.h2,{id:"flannel-options",children:"Flannel Options"}),"\n",(0,s.jsxs)(n.p,{children:[(0,s.jsx)(n.a,{href:"https://github.com/flannel-io/flannel/blob/master/README.md",children:"Flannel"})," is a lightweight provider of layer 3 network fabric that implements the Kubernetes Container Network Interface (CNI). It is what is commonly referred to as a CNI Plugin."]}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsx)(n.li,{children:"Flannel options can only be set on server nodes, and must be identical on all servers in the cluster."}),"\n",(0,s.jsxs)(n.li,{children:["The default backend for Flannel is ",(0,s.jsx)(n.code,{children:"vxlan"}),". To enable encryption, use the ",(0,s.jsx)(n.code,{children:"wireguard-native"})," backend."]}),"\n",(0,s.jsxs)(n.li,{children:["Using ",(0,s.jsx)(n.code,{children:"vxlan"})," on Rasperry Pi with recent versions of Ubuntu requires ",(0,s.jsx)(n.a,{href:"/installation/requirements?os=pi#operating-systems",children:"additional preparation"}),"."]}),"\n",(0,s.jsxs)(n.li,{children:["Using ",(0,s.jsx)(n.code,{children:"wireguard-native"})," as the Flannel backend may require additional modules on some Linux distributions. Please see the ",(0,s.jsx)(n.a,{href:"https://www.wireguard.com/install/",children:"WireGuard Install Guide"})," for details.\nThe WireGuard install steps will ensure the appropriate kernel modules are installed for your operating system.\nYou must ensure that WireGuard kernel modules are available on every node, both servers and agents, before attempting to use the WireGuard Flannel backend."]}),"\n"]}),"\n",(0,s.jsxs)(n.table,{children:[(0,s.jsx)(n.thead,{children:(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.th,{children:"CLI Flag and Value"}),(0,s.jsx)(n.th,{children:"Description"})]})}),(0,s.jsxs)(n.tbody,{children:[(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"--flannel-ipv6-masq"})}),(0,s.jsxs)(n.td,{children:["Apply masquerading rules to IPv6 traffic (default for IPv4). Only applies on dual-stack or IPv6-only clusters. Compatible with any Flannel backend other than ",(0,s.jsx)(n.code,{children:"none"}),"."]})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"--flannel-external-ip"})}),(0,s.jsx)(n.td,{children:"Use node external IP addresses as the destination for Flannel traffic, instead of internal IPs. Only applies when --node-external-ip is set on a node."})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"--flannel-backend=vxlan"})}),(0,s.jsx)(n.td,{children:"Use VXLAN to encapsulate the packets. May require additional kernel modules on Raspberry Pi."})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"--flannel-backend=host-gw"})}),(0,s.jsx)(n.td,{children:"Use IP routes to pod subnets via node IPs. Requires direct layer 2 connectivity between all nodes in the cluster."})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"--flannel-backend=wireguard-native"})}),(0,s.jsx)(n.td,{children:"Use WireGuard to encapsulate and encrypt network traffic. May require additional kernel modules."})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"--flannel-backend=ipsec"})}),(0,s.jsxs)(n.td,{children:["Use strongSwan IPSec via the ",(0,s.jsx)(n.code,{children:"swanctl"})," binary to encrypt network traffic. (Deprecated; will be removed in v1.27.0)"]})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"--flannel-backend=none"})}),(0,s.jsx)(n.td,{children:"Disable Flannel entirely."})]})]})]}),"\n",(0,s.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,s.jsxs)(n.p,{children:["K3s no longer includes strongSwan ",(0,s.jsx)(n.code,{children:"swanctl"})," and ",(0,s.jsx)(n.code,{children:"charon"})," binaries starting with the 2022-12 releases (v1.26.0+k3s1, v1.25.5+k3s1, v1.24.9+k3s1, v1.23.15+k3s1). Please install the correct packages on your node before upgrading to or installing these releases if you want to use the ",(0,s.jsx)(n.code,{children:"ipsec"})," backend."]})}),"\n",(0,s.jsxs)(n.h3,{id:"migrating-from-wireguard-or-ipsec-to-wireguard-native",children:["Migrating from ",(0,s.jsx)(n.code,{children:"wireguard"})," or ",(0,s.jsx)(n.code,{children:"ipsec"})," to ",(0,s.jsx)(n.code,{children:"wireguard-native"})]}),"\n",(0,s.jsxs)(n.p,{children:["The legacy ",(0,s.jsx)(n.code,{children:"wireguard"})," backend requires installation of the ",(0,s.jsx)(n.code,{children:"wg"})," tool on the host. This backend is not available in K3s v1.26 and higher, in favor of ",(0,s.jsx)(n.code,{children:"wireguard-native"})," backend, which directly interfaces with the kernel."]}),"\n",(0,s.jsxs)(n.p,{children:["The legacy ",(0,s.jsx)(n.code,{children:"ipsec"})," backend requires installation of the ",(0,s.jsx)(n.code,{children:"swanctl"})," and ",(0,s.jsx)(n.code,{children:"charon"})," binaries on the host. This backend is not available in K3s v1.27 and higher, in favor of the ",(0,s.jsx)(n.code,{children:"wireguard-native"})," backend."]}),"\n",(0,s.jsx)(n.p,{children:"We recommend that users migrate to the new backend as soon as possible. The migration requires a short period of downtime while nodes come up with the new configuration. You should follow these two steps:"}),"\n",(0,s.jsxs)(n.ol,{children:["\n",(0,s.jsxs)(n.li,{children:["Update the K3s config on all server nodes. If using config files, the ",(0,s.jsx)(n.code,{children:"/etc/rancher/k3s/config.yaml"})," should include ",(0,s.jsx)(n.code,{children:"flannel-backend: wireguard-native"})," instead of ",(0,s.jsx)(n.code,{children:"flannel-backend: wireguard"})," or ",(0,s.jsx)(n.code,{children:"flannel-backend: ipsec"}),". If you are configuring K3s via CLI flags in the systemd unit, the equivalent flags should be changed."]}),"\n",(0,s.jsx)(n.li,{children:"Reboot all nodes, starting with the servers."}),"\n"]}),"\n",(0,s.jsx)(n.h2,{id:"custom-cni",children:"Custom CNI"}),"\n",(0,s.jsxs)(n.p,{children:["Start K3s with ",(0,s.jsx)(n.code,{children:"--flannel-backend=none"})," and install your CNI of choice. Most CNI plugins come with their own network policy engine, so it is recommended to set ",(0,s.jsx)(n.code,{children:"--disable-network-policy"})," as well to avoid conflicts. Some important information to take into consideration:"]}),"\n",(0,s.jsxs)(r,{queryString:"cni",children:[(0,s.jsxs)(i,{value:"Canal",default:!0,children:[(0,s.jsxs)(n.p,{children:["Visit the ",(0,s.jsx)(n.a,{href:"https://docs.tigera.io/calico/latest/getting-started/kubernetes/flannel/install-for-flannel#installing-calico-for-policy-and-flannel-aka-canal-for-networking",children:"Canal Docs"})," website. Follow the steps to install Canal. Modify the Canal YAML so that IP forwarding is allowed in the ",(0,s.jsx)(n.code,{children:"container_settings"})," section, for example:"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:'"container_settings": {\n "allow_ip_forwarding": true\n}\n'})}),(0,s.jsx)(n.p,{children:"Apply the Canal YAML."}),(0,s.jsx)(n.p,{children:"Ensure the settings were applied by running the following command on the host:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"cat /etc/cni/net.d/10-canal.conflist\n"})}),(0,s.jsx)(n.p,{children:"You should see that IP forwarding is set to true."})]}),(0,s.jsxs)(i,{value:"Calico",default:!0,children:[(0,s.jsxs)(n.p,{children:["Follow the ",(0,s.jsx)(n.a,{href:"https://docs.tigera.io/calico/latest/reference/configure-cni-plugins",children:"Calico CNI Plugins Guide"}),". Modify the Calico YAML so that IP forwarding is allowed in the ",(0,s.jsx)(n.code,{children:"container_settings"})," section, for example:"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:'"container_settings": {\n "allow_ip_forwarding": true\n}\n'})}),(0,s.jsx)(n.p,{children:"Apply the Calico YAML."}),(0,s.jsx)(n.p,{children:"Ensure the settings were applied by running the following command on the host:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"cat /etc/cni/net.d/10-calico.conflist\n"})}),(0,s.jsx)(n.p,{children:"You should see that IP forwarding is set to true."})]}),(0,s.jsxs)(i,{value:"Cilium",default:!0,children:[(0,s.jsxs)(n.p,{children:["Before running ",(0,s.jsx)(n.code,{children:"k3s-killall.sh"})," or ",(0,s.jsx)(n.code,{children:"k3s-uninstall.sh"}),", you must manually remove ",(0,s.jsx)(n.code,{children:"cilium_host"}),", ",(0,s.jsx)(n.code,{children:"cilium_net"})," and ",(0,s.jsx)(n.code,{children:"cilium_vxlan"})," interfaces. If you fail to do this, you may lose network connectivity to the host when K3s is stopped"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"ip link delete cilium_host\nip link delete cilium_net\nip link delete cilium_vxlan\n"})}),(0,s.jsx)(n.p,{children:"Additionally, iptables rules for cilium should be removed:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"iptables-save | grep -iv cilium | iptables-restore\nip6tables-save | grep -iv cilium | ip6tables-restore\n"})})]})]}),"\n",(0,s.jsx)(n.h2,{id:"control-plane-egress-selector-configuration",children:"Control-Plane Egress Selector configuration"}),"\n",(0,s.jsxs)(n.p,{children:["K3s agents and servers maintain websocket tunnels between nodes that are used to encapsulate bidirectional communication between the control-plane (apiserver) and agent (kubelet and containerd) components.\nThis allows agents to operate without exposing the kubelet and container runtime streaming ports to incoming connections, and for the control-plane to connect to cluster services when operating with the agent disabled.\nThis functionality is equivalent to the ",(0,s.jsx)(n.a,{href:"https://kubernetes.io/docs/tasks/extend-kubernetes/setup-konnectivity/",children:"Konnectivity"})," service commonly used on other Kubernetes distributions, and is managed via the apiserver's egress selector configuration."]}),"\n",(0,s.jsxs)(n.p,{children:["The default mode is ",(0,s.jsx)(n.code,{children:"agent"}),". ",(0,s.jsx)(n.code,{children:"pod"})," or ",(0,s.jsx)(n.code,{children:"cluster"})," modes are recommended when running ",(0,s.jsx)(n.a,{href:"/advanced#running-agentless-servers-experimental",children:"agentless servers"}),", in order to provide the apiserver with access to cluster service endpoints in the absence of flannel and kube-proxy."]}),"\n",(0,s.jsxs)(n.p,{children:["The egress selector mode may be configured on servers via the ",(0,s.jsx)(n.code,{children:"--egress-selector-mode"})," flag, and offers four modes:"]}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsxs)(n.li,{children:[(0,s.jsx)(n.code,{children:"disabled"}),": The apiserver does not use agent tunnels to communicate with kubelets or cluster endpoints.\nThis mode requires that servers run the kubelet, CNI, and kube-proxy, and have direct connectivity to agents, or the apiserver will not be able to access service endpoints or perform ",(0,s.jsx)(n.code,{children:"kubectl exec"})," and ",(0,s.jsx)(n.code,{children:"kubectl logs"}),"."]}),"\n",(0,s.jsxs)(n.li,{children:[(0,s.jsx)(n.code,{children:"agent"})," (default): The apiserver uses agent tunnels to communicate with kubelets.\nThis mode requires that the servers also run the kubelet, CNI, and kube-proxy, or the apiserver will not be able to access service endpoints."]}),"\n",(0,s.jsxs)(n.li,{children:[(0,s.jsx)(n.code,{children:"pod"}),": The apiserver uses agent tunnels to communicate with kubelets and service endpoints, routing endpoint connections to the correct agent by watching Nodes and Endpoints.",(0,s.jsx)(n.br,{}),"\n",(0,s.jsx)(n.strong,{children:"NOTE"}),": This mode will not work when using a CNI that uses its own IPAM and does not respect the node's PodCIDR allocation. ",(0,s.jsx)(n.code,{children:"cluster"})," or ",(0,s.jsx)(n.code,{children:"agent"})," mode should be used with these CNIs instead."]}),"\n",(0,s.jsxs)(n.li,{children:[(0,s.jsx)(n.code,{children:"cluster"}),": The apiserver uses agent tunnels to communicate with kubelets and service endpoints, routing endpoint connections to the correct agent by watching Pods and Endpoints. This mode has the highest portability across different cluster configurations, at the cost of increased overhead."]}),"\n"]}),"\n",(0,s.jsx)(n.h2,{id:"dual-stack-ipv4--ipv6-networking",children:"Dual-stack (IPv4 + IPv6) Networking"}),"\n",(0,s.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,s.jsxs)(n.p,{children:["Experimental support is available as of ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.21.0%2Bk3s1",children:"v1.21.0+k3s1"}),".",(0,s.jsx)(n.br,{}),"\n","Stable support is available as of ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.23.7%2Bk3s1",children:"v1.23.7+k3s1"}),"."]})}),"\n",(0,s.jsxs)(n.admonition,{title:"Known Issue",type:"warning",children:[(0,s.jsxs)(n.p,{children:["Before 1.27, Kubernetes ",(0,s.jsx)(n.a,{href:"https://github.com/kubernetes/kubernetes/issues/111695",children:"Issue #111695"})," causes the Kubelet to ignore the node IPv6 addresses if you have a dual-stack environment and you are not using the primary network interface for cluster traffic. To avoid this bug, use 1.27 or newer or add the following flag to both K3s servers and agents:"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:'--kubelet-arg="node-ip=0.0.0.0" # To proritize IPv4 traffic\n#OR\n--kubelet-arg="node-ip=::" # To proritize IPv6 traffic\n'})})]}),"\n",(0,s.jsx)(n.p,{children:"Dual-stack networking must be configured when the cluster is first created. It cannot be enabled on an existing cluster once it has been started as IPv4-only."}),"\n",(0,s.jsxs)(n.p,{children:["To enable dual-stack in K3s, you must provide valid dual-stack ",(0,s.jsx)(n.code,{children:"cluster-cidr"})," and ",(0,s.jsx)(n.code,{children:"service-cidr"})," on all server nodes. This is an example of a valid configuration:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"--cluster-cidr=10.42.0.0/16,2001:cafe:42::/56 --service-cidr=10.43.0.0/16,2001:cafe:43::/112\n"})}),"\n",(0,s.jsxs)(n.p,{children:["Note that you may configure any valid ",(0,s.jsx)(n.code,{children:"cluster-cidr"})," and ",(0,s.jsx)(n.code,{children:"service-cidr"})," values, but the above masks are recommended. If you change the ",(0,s.jsx)(n.code,{children:"cluster-cidr"})," mask, you should also change the ",(0,s.jsx)(n.code,{children:"node-cidr-mask-size-ipv4"})," and ",(0,s.jsx)(n.code,{children:"node-cidr-mask-size-ipv6"})," values to match the planned pods per node and total node count. The largest supported ",(0,s.jsx)(n.code,{children:"service-cidr"})," mask is /12 for IPv4, and /112 for IPv6. Remember to allow ipv6 traffic if you are deploying in a public cloud."]}),"\n",(0,s.jsx)(n.p,{children:"If you are using a custom CNI plugin, i.e. a CNI plugin other than Flannel, the additional configuration may be required. Please consult your plugin's dual-stack documentation and verify if network policies can be enabled."}),"\n",(0,s.jsx)(n.admonition,{title:"Known Issue",type:"warning",children:(0,s.jsx)(n.p,{children:"When defining cluster-cidr and service-cidr with IPv6 as the primary family, the node-ip of all cluster members should be explicitly set, placing node's desired IPv6 address as the first address. By default, the kubelet always uses IPv4 as the primary address family."})}),"\n",(0,s.jsx)(n.h2,{id:"single-stack-ipv6-networking",children:"Single-stack IPv6 Networking"}),"\n",(0,s.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,s.jsxs)(n.p,{children:["Available as of ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.22.9%2Bk3s1",children:"v1.22.9+k3s1"})]})}),"\n",(0,s.jsx)(n.admonition,{title:"Known Issue",type:"warning",children:(0,s.jsxs)(n.p,{children:["If your IPv6 default route is set by a router advertisement (RA), you will need to set the sysctl ",(0,s.jsx)(n.code,{children:"net.ipv6.conf.all.accept_ra=2"}),"; otherwise, the node will drop the default route once it expires. Be aware that accepting RAs could increase the risk of ",(0,s.jsx)(n.a,{href:"https://github.com/kubernetes/kubernetes/issues/91507",children:"man-in-the-middle attacks"}),"."]})}),"\n",(0,s.jsxs)(n.p,{children:["Single-stack IPv6 clusters (clusters without IPv4) are supported on K3s using the ",(0,s.jsx)(n.code,{children:"--cluster-cidr"})," and ",(0,s.jsx)(n.code,{children:"--service-cidr"})," flags. This is an example of a valid configuration:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"--cluster-cidr=2001:cafe:42::/56 --service-cidr=2001:cafe:43::/112\n"})}),"\n",(0,s.jsx)(n.h2,{id:"nodes-without-a-hostname",children:"Nodes Without a Hostname"}),"\n",(0,s.jsxs)(n.p,{children:['Some cloud providers, such as Linode, will create machines with "localhost" as the hostname and others may not have a hostname set at all. This can cause problems with domain name resolution. You can run K3s with the ',(0,s.jsx)(n.code,{children:"--node-name"})," flag or ",(0,s.jsx)(n.code,{children:"K3S_NODE_NAME"})," environment variable and this will pass the node name to resolve this issue."]})]})}function h(e={}){const{wrapper:n}={...(0,t.a)(),...e.components};return n?(0,s.jsx)(n,{...e,children:(0,s.jsx)(c,{...e})}):c(e)}function u(e,n){throw new Error("Expected "+(n?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,n,i)=>{i.d(n,{Z:()=>a,a:()=>o});var s=i(7294);const t={},r=s.createContext(t);function o(e){const n=s.useContext(r);return s.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function a(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:o(e.components),s.createElement(r.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/0759a3f5.4692e71f.js b/assets/js/0759a3f5.4692e71f.js deleted file mode 100644 index 53beb9ad1..000000000 --- a/assets/js/0759a3f5.4692e71f.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[2409],{2714:(e,s,i)=>{i.r(s),i.d(s,{assets:()=>c,contentTitle:()=>l,default:()=>a,frontMatter:()=>n,metadata:()=>h,toc:()=>o});var r=i(5893),t=i(1151);const n={hide_table_of_contents:!0,sidebar_position:2},l="v1.29.X",h={id:"release-notes/v1.29.X",title:"v1.29.X",description:"Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.",source:"@site/docs/release-notes/v1.29.X.md",sourceDirName:"release-notes",slug:"/release-notes/v1.29.X",permalink:"/release-notes/v1.29.X",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/release-notes/v1.29.X.md",tags:[],version:"current",lastUpdatedAt:172365169e4,sidebarPosition:2,frontMatter:{hide_table_of_contents:!0,sidebar_position:2},sidebar:"mySidebar",previous:{title:"v1.30.X",permalink:"/release-notes/v1.30.X"},next:{title:"v1.28.X",permalink:"/release-notes/v1.28.X"}},c={},o=[{value:"Release v1.29.7+k3s1",id:"release-v1297k3s1",level:2},{value:"Changes since v1.29.6+k3s2:",id:"changes-since-v1296k3s2",level:3},{value:"Release v1.29.6+k3s2",id:"release-v1296k3s2",level:2},{value:"Changes since v1.29.6+k3s1:",id:"changes-since-v1296k3s1",level:3},{value:"Release v1.29.6+k3s1",id:"release-v1296k3s1",level:2},{value:"Changes since v1.29.5+k3s1:",id:"changes-since-v1295k3s1",level:3},{value:"Release v1.29.5+k3s1",id:"release-v1295k3s1",level:2},{value:"Changes since v1.29.4+k3s1:",id:"changes-since-v1294k3s1",level:3},{value:"Release v1.29.4+k3s1",id:"release-v1294k3s1",level:2},{value:"Changes since v1.29.3+k3s1:",id:"changes-since-v1293k3s1",level:3},{value:"Release v1.29.3+k3s1",id:"release-v1293k3s1",level:2},{value:"Changes since v1.29.2+k3s1:",id:"changes-since-v1292k3s1",level:3},{value:"Release v1.29.2+k3s1",id:"release-v1292k3s1",level:2},{value:"Changes since v1.29.1+k3s2:",id:"changes-since-v1291k3s2",level:3},{value:"Release v1.29.1+k3s2",id:"release-v1291k3s2",level:2},{value:"Changes since v1.29.0+k3s1:",id:"changes-since-v1290k3s1",level:3},{value:"Release v1.29.0+k3s1",id:"release-v1290k3s1",level:2},{value:"Changes since v1.28.4+k3s2:",id:"changes-since-v1284k3s2",level:3}];function d(e){const s={a:"a",admonition:"admonition",code:"code",h1:"h1",h2:"h2",h3:"h3",hr:"hr",li:"li",p:"p",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,t.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(s.h1,{id:"v129x",children:"v1.29.X"}),"\n",(0,r.jsx)(s.admonition,{title:"Upgrade Notice",type:"warning",children:(0,r.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]})}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Version"}),(0,r.jsx)(s.th,{children:"Release date"}),(0,r.jsx)(s.th,{children:"Kubernetes"}),(0,r.jsx)(s.th,{children:"Kine"}),(0,r.jsx)(s.th,{children:"SQLite"}),(0,r.jsx)(s.th,{children:"Etcd"}),(0,r.jsx)(s.th,{children:"Containerd"}),(0,r.jsx)(s.th,{children:"Runc"}),(0,r.jsx)(s.th,{children:"Flannel"}),(0,r.jsx)(s.th,{children:"Metrics-server"}),(0,r.jsx)(s.th,{children:"Traefik"}),(0,r.jsx)(s.th,{children:"CoreDNS"}),(0,r.jsx)(s.th,{children:"Helm-controller"}),(0,r.jsx)(s.th,{children:"Local-path-provisioner"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.29.X#release-v1297k3s1",children:"v1.29.7+k3s1"})}),(0,r.jsx)(s.td,{children:"Jul 31 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1297",children:"v1.29.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.11",children:"v0.11.11"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1",children:"v1.7.17-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.4",children:"v0.25.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.10",children:"v0.15.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.28",children:"v0.0.28"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.29.X#release-v1296k3s2",children:"v1.29.6+k3s2"})}),(0,r.jsx)(s.td,{children:"Jul 03 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1296",children:"v1.29.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.9",children:"v0.11.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1",children:"v1.7.17-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12-"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.4",children:"v0.25.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.10",children:"v0.15.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.27",children:"v0.0.27"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.29.X#release-v1296k3s1",children:"v1.29.6+k3s1"})}),(0,r.jsx)(s.td,{children:"Jun 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1296",children:"v1.29.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.9",children:"v0.11.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1",children:"v1.7.17-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.2",children:"v0.25.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.10",children:"v0.15.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.27",children:"v0.0.27"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.29.X#release-v1295k3s1",children:"v1.29.5+k3s1"})}),(0,r.jsx)(s.td,{children:"May 22 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1295",children:"v1.29.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.7",children:"v0.11.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.15-k3s1",children:"v1.7.15-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.29.X#release-v1294k3s1",children:"v1.29.4+k3s1"})}),(0,r.jsx)(s.td,{children:"Apr 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1294",children:"v1.29.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.7",children:"v0.11.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.15-k3s1",children:"v1.7.15-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.29.X#release-v1293k3s1",children:"v1.29.3+k3s1"})}),(0,r.jsx)(s.td,{children:"Mar 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1293",children:"v1.29.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.4",children:"v0.11.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2",children:"v1.7.11-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.29.X#release-v1292k3s1",children:"v1.29.2+k3s1"})}),(0,r.jsx)(s.td,{children:"Feb 29 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1292",children:"v1.29.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.4",children:"v0.11.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2",children:"v1.7.11-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.8",children:"v0.15.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.29.X#release-v1291k3s2",children:"v1.29.1+k3s2"})}),(0,r.jsx)(s.td,{children:"Feb 06 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1291",children:"v1.29.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2",children:"v1.7.11-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.0",children:"v0.24.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.8",children:"v0.15.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.29.X#release-v1290k3s1",children:"v1.29.0+k3s1"})}),(0,r.jsx)(s.td,{children:"Dec 22 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1290",children:"v1.29.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2",children:"v1.7.11-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.10",children:"v1.1.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.0",children:"v0.24.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]})]})]}),"\n",(0,r.jsx)("br",{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1297k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.7+k3s1",children:"v1.29.7+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.29.7, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1296",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1296k3s2",children:"Changes since v1.29.6+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-07 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10498",children:"(#10498)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump k3s-root to v0.14.0"}),"\n",(0,r.jsx)(s.li,{children:"Bump github.com/hashicorp/go-retryablehttp from 0.7.4 to 0.7.7"}),"\n",(0,r.jsx)(s.li,{children:"Bump Local Path Provisioner version"}),"\n",(0,r.jsx)(s.li,{children:"Ensure remotedialer kubelet connections use kubelet bind address"}),"\n",(0,r.jsx)(s.li,{children:"Chore: Bump Trivy version"}),"\n",(0,r.jsx)(s.li,{children:"Add etcd s3 config secret implementation"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["July Test Backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10508",children:"(#10508)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.29.7-k3s1 and Go 1.22.5 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10539",children:"(#10539)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issues loading data-dir value from env vars or dropping config files ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10597",children:"(#10597)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1296k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.6+k3s2",children:"v1.29.6+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.29.6, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1296",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1296k3s1",children:"Changes since v1.29.6+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update flannel to v0.25.4 and fixed issue with IPv6 mask ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10427",children:"(#10427)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1296k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.6+k3s1",children:"v1.29.6+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.29.6, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1295",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1295k3s1",children:"Changes since v1.29.5+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix bug when using tailscale config by file ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10142",children:"(#10142)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump flannel version to v0.25.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10220",children:"(#10220)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router version to v2.1.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10181",children:"(#10181)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Improve tailscale test & add extra log in e2e tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10212",children:"(#10212)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-06 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10249",children:"(#10249)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Add WithSkipMissing to not fail import on missing blobs"}),"\n",(0,r.jsx)(s.li,{children:"Use fixed stream server bind address for cri-dockerd"}),"\n",(0,r.jsx)(s.li,{children:"Switch stargz over to cri registry config_path"}),"\n",(0,r.jsx)(s.li,{children:"Bump to containerd v1.7.17, etcd v3.5.13"}),"\n",(0,r.jsx)(s.li,{children:"Bump spegel version"}),"\n",(0,r.jsx)(s.li,{children:"Fix issue with externalTrafficPolicy: Local for single-stack services on dual-stack nodes"}),"\n",(0,r.jsxs)(s.li,{children:["ServiceLB now sets the priorityClassName on svclb pods to ",(0,r.jsx)(s.code,{children:"system-node-critical"})," by default. This can be overridden on a per-service basis via the ",(0,r.jsx)(s.code,{children:"svccontroller.k3s.cattle.io/priorityclassname"})," annotation."]}),"\n",(0,r.jsx)(s.li,{children:"Bump minio-go to v7.0.70"}),"\n",(0,r.jsx)(s.li,{children:"Bump kine to v0.11.9 to fix pagination"}),"\n",(0,r.jsx)(s.li,{children:"Update valid resolv conf"}),"\n",(0,r.jsx)(s.li,{children:"Add missing kernel config check"}),"\n",(0,r.jsx)(s.li,{children:"Symlinked sub-directories are now respected when scanning Auto-Deploying Manifests (AddOns)"}),"\n",(0,r.jsx)(s.li,{children:"Fix bug: allow helm controller set owner reference"}),"\n",(0,r.jsx)(s.li,{children:"Bump klipper-helm image for tls secret support"}),"\n",(0,r.jsx)(s.li,{children:"Fix issue with k3s-etcd informers not starting"}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--Enable-pprof"})," can now be set on agents to enable the debug/pprof endpoints. When set, agents will listen on the supervisor port."]}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--Supervisor-metrics"})," can now be set on servers to enable serving internal metrics on the supervisor endpoint; when set agents will listen on the supervisor port."]}),"\n",(0,r.jsx)(s.li,{children:"Fix netpol crash when node remains tainted uninitialized"}),"\n",(0,r.jsx)(s.li,{children:"The embedded load-balancer will now fall back to trying all servers with health-checks ignored, if all servers have been marked unavailable due to failed health checks."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["More backports for 2024-06 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10288",children:"(#10288)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add snapshot retention etcd-s3-folder fix ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10316",children:"(#10316)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add test for ",(0,r.jsx)(s.code,{children:"isValidResolvConf"})," (#10302) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10329",children:"(#10329)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix race condition panic in loadbalancer.nextServer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10322",children:"(#10322)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix typo, use ",(0,r.jsx)(s.code,{children:"rancher/permissions"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10298",children:"(#10298)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Expand GHA go caching to include newest release branch ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10334",children:"(#10334)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.29.6 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10348",children:"(#10348)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix agent supervisor port using apiserver port instead ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10354",children:"(#10354)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue that allowed multiple simultaneous snapshots to be allowed ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10376",children:"(#10376)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1295k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.5+k3s1",children:"v1.29.5+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.29.5, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1294",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1294k3s1",children:"Changes since v1.29.4+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update stable channel to v1.29.4+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10031",children:"(#10031)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add E2E Split Server to Drone, support parallel testing in Drone ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9940",children:"(#9940)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump E2E opensuse leap to 15.6, fix btrfs test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10057",children:"(#10057)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Replace deprecated ruby function ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10091",children:"(#10091)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Set correct release channel for e2e upgrade test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10106",children:"(#10106)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Windows changes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10115",children:"(#10115)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.29.5-k3s1 and Go 1.21.9 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10108",children:"(#10108)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1294k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.4+k3s1",children:"v1.29.4+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.29.4, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1293",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1293k3s1",children:"Changes since v1.29.3+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Send error response if member list cannot be retrieved ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9722",children:"(#9722)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Respect cloud-provider fields set by kubelet ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9721",children:"(#9721)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The k3s stub cloud provider now respects the kubelet's requested provider-id, instance type, and topology labels"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix error when image has already been pulled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9770",children:"(#9770)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add a new error when kine is with disable apiserver or disable etcd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9766",children:"(#9766)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump k3s-root to v0.13.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9718",children:"(#9718)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use ubuntu latest for better golang caching keys ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9711",children:"(#9711)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9780",children:"(#9780)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Move to ubuntu 23.10 for E2E tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9755",children:"(#9755)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update channel server ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9808",children:"(#9808)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add /etc/passwd and /etc/group to k3s docker image ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9784",children:"(#9784)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix etcd snapshot reconcile for agentless servers ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9809",children:"(#9809)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add health-check support to loadbalancer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9757",children:"(#9757)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add tls for kine ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9572",children:"(#9572)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Kine is now able to use TLS"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Transition from deprecated pointer library to ptr ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9801",children:"(#9801)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove old pinned dependencies ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9806",children:"(#9806)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Several E2E Matrix improvements ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9802",children:"(#9802)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add certificate expiry check, events, and metrics ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9772",children:"(#9772)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add updatecli policy to update k3s-root ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9844",children:"(#9844)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9840",children:"(#9840)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add workaround for containerd hosts.toml bug when passing config for default registry endpoint ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9853",children:"(#9853)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix: agent volume in example docker compose ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9838",children:"(#9838)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump spegel to v0.0.20-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9863",children:"(#9863)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add supervisor cert/key to rotate list ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9832",children:"(#9832)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add quotes to avoid useless updatecli updates ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9877",children:"(#9877)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd and cri-dockerd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9886",children:"(#9886)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded containerd has been bumped to v1.7.15"}),"\n",(0,r.jsx)(s.li,{children:"The embedded cri-dockerd has been bumped to v0.3.12"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Move etcd snapshot management CLI to request/response ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9816",children:"(#9816)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"k3s etcd-snapshot"})," command has been reworked for improved consistency. All snapshots operations are now performed by the server process, with the CLI acting as a client to initiate and report results. As a side effect, the CLI is now less noisy when managing snapshots."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Improve etcd load-balancer startup behavior ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9883",children:"(#9883)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Actually fix agent certificate rotation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9902",children:"(#9902)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump latest to v1.29.3+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9909",children:"(#9909)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update packaged manifests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9920",children:"(#9920)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Traefik has been bumped to v2.10.7."}),"\n",(0,r.jsx)(s.li,{children:"Traefik pod annotations are now set properly in the default chart values."}),"\n",(0,r.jsx)(s.li,{children:"The system-default-registry value now supports RFC2732 IPv6 literals."}),"\n",(0,r.jsxs)(s.li,{children:["The local-path provisioner now defaults to creating ",(0,r.jsx)(s.code,{children:"local"})," volumes, instead of ",(0,r.jsx)(s.code,{children:"hostPath"}),"."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Allow Local path provisioner to read helper logs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9835",children:"(#9835)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router to v2.1.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9926",children:"(#9926)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Match setup-go caching key in GitHub Actions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9890",children:"(#9890)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add startup testlet on preloaded images ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9941",children:"(#9941)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.29.4-k3s1 and Go 1.21.9 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9960",children:"(#9960)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix on-demand snapshots timing out; not honoring folder ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9984",children:"(#9984)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Make ",(0,r.jsx)(s.code,{children:"/db/info"})," available anonymously from localhost ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10001",children:"(#10001)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1293k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.3+k3s1",children:"v1.29.3+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.29.3, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1292",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1292k3s1",children:"Changes since v1.29.2+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Testing ADR ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9562",children:"(#9562)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Unit Testing Matrix and Actions bump ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9479",children:"(#9479)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update install test OS matrix ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9480",children:"(#9480)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update klipper-lb image version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9488",children:"(#9488)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add an integration test for flannel-backend=none ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9582",children:"(#9582)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Better GitHub CI caching strategy for golang ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9495",children:"(#9495)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Correct formatting of GH PR sha256sum artifact ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9472",children:"(#9472)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Rootless mode also bind service nodePort to host for LoadBalancer type ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9512",children:"(#9512)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Rootless mode should also bind service nodePort to host for LoadBalancer type, matching UX of rootful mode."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix coredns NodeHosts on dual-stack clusters ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9584",children:"(#9584)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Tweak netpol node wait logs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9581",children:"(#9581)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue with etcd node name missing hostname ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9522",children:"(#9522)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump helm-controller/klipper-helm versions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9595",children:"(#9595)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update stable channel to v1.28.7+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9615",children:"(#9615)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Reenable Install and Snapshotter Testing ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9601",children:"(#9601)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Move docker tests into tests folder ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9555",children:"(#9555)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix setup-go typo ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9634",children:"(#9634)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix additional corner cases in registries handling ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9556",children:"(#9556)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix snapshot prune ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9502",children:"(#9502)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use and version flannel/cni-plugin properly ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9635",children:"(#9635)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded flannel cni-plugin binary is now built and versioned separate from the rest of the cni plugins and the embedded flannel controller."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump spegel ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9599",children:"(#9599)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump spegel to v0.0.18-k3s3"}),"\n",(0,r.jsx)(s.li,{children:"Adds wildcard registry support"}),"\n",(0,r.jsx)(s.li,{children:"Fixes issue with excessive CPU utilization while waiting for containerd to start"}),"\n",(0,r.jsx)(s.li,{children:"Add env var to allow spegel mirroring of latest tag"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Chore(deps): Remediating CVEs found by trivy; CVE-2023-45142 on otelrestful and CVE-2023-48795 on golang.org/x/crypto ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9513",children:"(#9513)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix: use correct wasm shims names ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9519",children:"(#9519)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix wildcard with embedded registry test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9649",children:"(#9649)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Disable color outputs using ",(0,r.jsx)(s.code,{children:"NO_COLOR"})," env var ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9357",children:"(#9357)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["To enable raw output for the ",(0,r.jsx)(s.code,{children:"check-config"})," subcommand, you may now set NO_COLOR=1"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Improve tailscale e2e test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9586",children:"(#9586)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Adjust first node-ip based on configured clusterCIDR ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9520",children:"(#9520)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9528",children:"(#9528)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Include flannel version in flannel cni plugin version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9648",children:"(#9648)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The flannel controller version is now reported as build metadata on the flannel cni plugin version."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Enable E2E tests on GitHub Actions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9660",children:"(#9660)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump metrics-server to v0.7.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9673",children:"(#9673)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump upload and download actions to v4 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9666",children:"(#9666)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Warn and suppress duplicate registry mirror endpoints ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9697",children:"(#9697)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"K3s will now warn and suppress duplicate entries in the mirror endpoint list for a registry. Containerd does not support listing the same endpoint multiple times as a mirror for a single upstream registry."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Remove repetitive words ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9671",children:"(#9671)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Run Subset of Docker tests in GitHub Actions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9698",children:"(#9698)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix wildcard entry upstream fallback ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9729",children:"(#9729)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.29.3-k3s1 and Go 1.21.8 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9747",children:"(#9747)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1292k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.2+k3s1",children:"v1.29.2+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.29.2, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1291",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1291k3s2",children:"Changes since v1.29.1+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Bump Local Path Provisioner version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8953",children:"(#8953)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add ability to install K3s PR Artifact from GitHub ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9185",children:"(#9185)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Adds ",(0,r.jsx)(s.code,{children:"INSTALL_K3S_PR"})," option to install a build of K3s from any open PR with CI approval"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9237",children:"(#9237)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump codecov/codecov-action from 3 to 4 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9353",children:"(#9353)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update stable channel ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9388",children:"(#9388)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix snapshot reconcile retry ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9318",children:"(#9318)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add check for etcd-snapshot-dir and fix panic in Walk ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9317",children:"(#9317)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump CNI plugins to v1.4.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9249",children:"(#9249)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue with coredns node hosts controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9354",children:"(#9354)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed issue that could cause coredns pods to fail to start when the embedded helm controller is disabled, due to the configmap not being updated with node hosts entries."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix on-demand snapshots on ipv6-only nodes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9247",children:"(#9247)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump flannel version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9395",children:"(#9395)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bumped flannel to v0.24.2"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Build: Align drone base images ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8959",children:"(#8959)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Changed how lastHeartBeatTime works in the etcd condition ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9263",children:"(#9263)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Runtimes refactor using exec.LookPath ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9311",children:"(#9311)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Directories containing runtimes need to be included in the $PATH environment variable for effective runtime detection."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump cri-dockerd to fix compat with Docker Engine 25 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9290",children:"(#9290)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add codcov secret for integration tests on Push ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9422",children:"(#9422)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow executors to define ",(0,r.jsx)(s.code,{children:"containerd"})," and ",(0,r.jsx)(s.code,{children:"cridockerd"})," behavior ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9184",children:"(#9184)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kube-router to v2.0.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9396",children:"(#9396)"})]}),"\n",(0,r.jsxs)(s.li,{children:[": Test_UnitApplyContainerdQoSClassConfigFileIfPresent (Created) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8945",children:"(#8945)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Readd ",(0,r.jsx)(s.code,{children:"k3s secrets-encrypt rotate-keys"})," with correct support for KMSv2 GA ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9340",children:"(#9340)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix iptables check when sbin isn't in user PATH ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9344",children:"(#9344)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Don't create NodePasswordValidationFailed event if agent is disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9312",children:"(#9312)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"NodePasswordValidationFailed"})," Events will no longer be emitted, if the agent is disabled."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Expose rootless state dir under ~/.rancher/k3s/rootless ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9308",children:"(#9308)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["When running k3s in rootless mode, expose rootlesskit's state directory as ",(0,r.jsx)(s.code,{children:"~/.rancher/k3s/rootless"})]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Expose rootless containerd socket directories for external access ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9309",children:"(#9309)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Mount k3s rootless containerd & cri-dockerd socket directories to ",(0,r.jsx)(s.code,{children:"$XDG_RUNTIME_DIR/k3s/containerd"})," and ",(0,r.jsx)(s.code,{children:"$XDG_RUNTIME_DIR/k3s/cri-dockerd"})," respectively."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump kine and set NotifyInterval to what the apiserver expects ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9349",children:"(#9349)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.29.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9493",children:"(#9493)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix drone publish for arm ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9503",children:"(#9503)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove failing Drone step ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9517",children:"(#9517)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Restore original order of agent startup functions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9539",children:"(#9539)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix netpol startup when flannel is disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9571",children:"(#9571)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1291k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.1+k3s2",children:"v1.29.1+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.29.1, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1290",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.p,{children:(0,r.jsx)(s.strong,{children:"Important Notes"})}),"\n",(0,r.jsxs)(s.p,{children:["Addresses the runc CVE: ",(0,r.jsx)(s.a,{href:"https://nvd.nist.gov/vuln/detail/CVE-2024-21626",children:"CVE-2024-21626"})," by updating runc to v1.1.12."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1290k3s1",children:"Changes since v1.29.0+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Bump Sonobuoy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8910",children:"(#8910)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump actions/setup-go from 4 to 5 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9036",children:"(#9036)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Chore: Update Code of Conduct to Redirect to CNCF CoC ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9104",children:"(#9104)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"NONE"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update stable channel to v1.28.5+k3s1 and add v1.29 channel ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9110",children:"(#9110)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added support for env *_PROXY variables for agent loadbalancer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9070",children:"(#9070)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"HTTP_PROXY, HTTPS_PROXY and NO_PROXY environment variables are now taken into account by the agent loadbalancer if K3S_AGENT_HTTP_PROXY_ALLOWED env variable is set to true."}),"\n",(0,r.jsxs)(s.li,{children:["This however doesn't affect local requests as the function used prevents that: ",(0,r.jsx)(s.a,{href:"https://pkg.go.dev/net/http#ProxyFromEnvironment",children:"https://pkg.go.dev/net/http#ProxyFromEnvironment"}),"."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add a retry around updating a secrets-encrypt node annotations ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9039",children:"(#9039)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Silence SELinux warning on INSTALL_K3S_SKIP_SELINUX_RPM ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8703",children:"(#8703)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add ServiceLB support for PodHostIPs FeatureGate ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8917",children:"(#8917)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added support for env *_PROXY variables for agent loadbalancer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9118",children:"(#9118)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Redirect error stream to null when checking nm-cloud systemd unit ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8815",children:"(#8815)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:'Remove confusing "nm-cloud-setup.service: No such file or directory" journalctl log'}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Dockerfile.dapper: set $HOME properly ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9090",children:"(#9090)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add system-agent-installer-k3s step to GA release instructions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9153",children:"(#9153)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix install script checksum ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9159",children:"(#9159)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix the OTHER etcd snapshot s3 log message that prints the wrong variable ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8944",children:"(#8944)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Handle logging flags when parsing kube-proxy args ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8916",children:"(#8916)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix nil map in full snapshot configmap reconcile ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9049",children:"(#9049)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add support for containerd cri registry config_path ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8973",children:"(#8973)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add more paths to crun runtime detection ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9086",children:"(#9086)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add runtime checking of golang version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9054",children:"(#9054)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix OS PRETTY_NAME on tagged releases ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9062",children:"(#9062)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Print error when downloading file error inside install script ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6874",children:"(#6874)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Wait for cloud-provider taint to be gone before starting the netpol controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9076",children:"(#9076)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8812",children:"(#8812)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use ",(0,r.jsx)(s.code,{children:"ipFamilyPolicy: RequireDualStack"})," for dual-stack kube-dns ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8984",children:"(#8984)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Handle etcd status condition when node is not ready and disable etcd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9084",children:"(#9084)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update s3 e2e test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9025",children:"(#9025)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add e2e startup test for rootless k3s ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8383",children:"(#8383)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add spegel distributed registry mirror ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8977",children:"(#8977)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump quic-go for CVE-2023-49295 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9208",children:"(#9208)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Enable network policy controller metrics ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9195",children:"(#9195)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Kube-router network policy controller metrics are now exposed via the default node metrics endpoint"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix nonexistent dependency repositories ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9213",children:"(#9213)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Move proxy dialer out of init() and fix crash when using ",(0,r.jsx)(s.code,{children:"K3S_AGENT_HTTP_PROXY_ALLOWED=true"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9219",children:"(#9219)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Error getting node in setEtcdStatusCondition ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9210",children:"(#9210)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.29.1 and Go 1.21.6 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9259",children:"(#9259)"})]}),"\n",(0,r.jsxs)(s.li,{children:["New stale action ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9278",children:"(#9278)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix handling of bare hostname or IP as endpoint address in registries.yaml ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9323",children:"(#9323)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump runc to v1.1.12 and helm-controller to v0.15.7 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9332",children:"(#9332)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump helm-controller to fix issue with ChartContent ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9345",children:"(#9345)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1290k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.0+k3s1",children:"v1.29.0+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release is K3S's first in the v1.29 line. This release updates Kubernetes to v1.29.0."}),"\n",(0,r.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]}),"\n",(0,r.jsx)(s.admonition,{title:"Important",type:"warning",children:(0,r.jsxs)(s.p,{children:["This release removes the experimental ",(0,r.jsx)(s.code,{children:"rotate-keys"})," subcommand due to changes in Kubernetes upstream for ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/issues/117728",children:"KMSv2"}),", the subcommand should be added back in future releases."]})}),"\n",(0,r.jsx)(s.admonition,{title:"Important",type:"warning",children:(0,r.jsxs)(s.p,{children:["This release also removes the ",(0,r.jsx)(s.code,{children:"multi-cluster-cidr"})," flag, since the support for this alpha feature has been removed completely from ",(0,r.jsx)(s.a,{href:"https://groups.google.com/g/kubernetes-sig-network/c/nts1xEZ--gQ/m/2aTOUNFFAAAJ",children:"Kubernetes upstream"}),", this flag should be removed from the configuration before upgrade."]})}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1284k3s2",children:"Changes since v1.28.4+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix overlapping address range ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8913",children:"(#8913)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Modify CONTRIBUTING.md guide ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8954",children:"(#8954)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Nov 2023 stable channel update ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9022",children:"(#9022)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Default runtime and runtime classes for wasm/nvidia/crun ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8936",children:"(#8936)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Added runtime classes for wasm/nvidia/crun"}),"\n",(0,r.jsx)(s.li,{children:"Added default runtime flag for containerd"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd/runc to v1.7.10-k3s1/v1.1.10 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8962",children:"(#8962)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow setting default-runtime on servers ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9027",children:"(#9027)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd to v1.7.11 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9040",children:"(#9040)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove GA feature-gates ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8970",children:"(#8970)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Only publish to code_cov on merged E2E builds ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9051",children:"(#9051)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.29.0+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9052",children:"(#9052)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update flannel to v0.24.0 and remove multiclustercidr flag ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9075",children:"(#9075)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove rotate-keys subcommand ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9079",children:"(#9079)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{})]})}function a(e={}){const{wrapper:s}={...(0,t.a)(),...e.components};return s?(0,r.jsx)(s,{...e,children:(0,r.jsx)(d,{...e})}):d(e)}},1151:(e,s,i)=>{i.d(s,{Z:()=>h,a:()=>l});var r=i(7294);const t={},n=r.createContext(t);function l(e){const s=r.useContext(n);return r.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function h(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:l(e.components),r.createElement(n.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/0759a3f5.e9290839.js b/assets/js/0759a3f5.e9290839.js new file mode 100644 index 000000000..345b56d97 --- /dev/null +++ b/assets/js/0759a3f5.e9290839.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[2409],{2714:(e,s,i)=>{i.r(s),i.d(s,{assets:()=>c,contentTitle:()=>l,default:()=>a,frontMatter:()=>n,metadata:()=>h,toc:()=>o});var r=i(5893),t=i(1151);const n={hide_table_of_contents:!0,sidebar_position:2},l="v1.29.X",h={id:"release-notes/v1.29.X",title:"v1.29.X",description:"Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.",source:"@site/docs/release-notes/v1.29.X.md",sourceDirName:"release-notes",slug:"/release-notes/v1.29.X",permalink:"/release-notes/v1.29.X",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/release-notes/v1.29.X.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,sidebarPosition:2,frontMatter:{hide_table_of_contents:!0,sidebar_position:2},sidebar:"mySidebar",previous:{title:"v1.30.X",permalink:"/release-notes/v1.30.X"},next:{title:"v1.28.X",permalink:"/release-notes/v1.28.X"}},c={},o=[{value:"Release v1.29.7+k3s1",id:"release-v1297k3s1",level:2},{value:"Changes since v1.29.6+k3s2:",id:"changes-since-v1296k3s2",level:3},{value:"Release v1.29.6+k3s2",id:"release-v1296k3s2",level:2},{value:"Changes since v1.29.6+k3s1:",id:"changes-since-v1296k3s1",level:3},{value:"Release v1.29.6+k3s1",id:"release-v1296k3s1",level:2},{value:"Changes since v1.29.5+k3s1:",id:"changes-since-v1295k3s1",level:3},{value:"Release v1.29.5+k3s1",id:"release-v1295k3s1",level:2},{value:"Changes since v1.29.4+k3s1:",id:"changes-since-v1294k3s1",level:3},{value:"Release v1.29.4+k3s1",id:"release-v1294k3s1",level:2},{value:"Changes since v1.29.3+k3s1:",id:"changes-since-v1293k3s1",level:3},{value:"Release v1.29.3+k3s1",id:"release-v1293k3s1",level:2},{value:"Changes since v1.29.2+k3s1:",id:"changes-since-v1292k3s1",level:3},{value:"Release v1.29.2+k3s1",id:"release-v1292k3s1",level:2},{value:"Changes since v1.29.1+k3s2:",id:"changes-since-v1291k3s2",level:3},{value:"Release v1.29.1+k3s2",id:"release-v1291k3s2",level:2},{value:"Changes since v1.29.0+k3s1:",id:"changes-since-v1290k3s1",level:3},{value:"Release v1.29.0+k3s1",id:"release-v1290k3s1",level:2},{value:"Changes since v1.28.4+k3s2:",id:"changes-since-v1284k3s2",level:3}];function d(e){const s={a:"a",admonition:"admonition",code:"code",h1:"h1",h2:"h2",h3:"h3",header:"header",hr:"hr",li:"li",p:"p",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,t.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(s.header,{children:(0,r.jsx)(s.h1,{id:"v129x",children:"v1.29.X"})}),"\n",(0,r.jsx)(s.admonition,{title:"Upgrade Notice",type:"warning",children:(0,r.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]})}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Version"}),(0,r.jsx)(s.th,{children:"Release date"}),(0,r.jsx)(s.th,{children:"Kubernetes"}),(0,r.jsx)(s.th,{children:"Kine"}),(0,r.jsx)(s.th,{children:"SQLite"}),(0,r.jsx)(s.th,{children:"Etcd"}),(0,r.jsx)(s.th,{children:"Containerd"}),(0,r.jsx)(s.th,{children:"Runc"}),(0,r.jsx)(s.th,{children:"Flannel"}),(0,r.jsx)(s.th,{children:"Metrics-server"}),(0,r.jsx)(s.th,{children:"Traefik"}),(0,r.jsx)(s.th,{children:"CoreDNS"}),(0,r.jsx)(s.th,{children:"Helm-controller"}),(0,r.jsx)(s.th,{children:"Local-path-provisioner"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.29.X#release-v1297k3s1",children:"v1.29.7+k3s1"})}),(0,r.jsx)(s.td,{children:"Jul 31 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1297",children:"v1.29.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.11",children:"v0.11.11"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1",children:"v1.7.17-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.4",children:"v0.25.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.10",children:"v0.15.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.28",children:"v0.0.28"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.29.X#release-v1296k3s2",children:"v1.29.6+k3s2"})}),(0,r.jsx)(s.td,{children:"Jul 03 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1296",children:"v1.29.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.9",children:"v0.11.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1",children:"v1.7.17-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12-"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.4",children:"v0.25.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.10",children:"v0.15.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.27",children:"v0.0.27"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.29.X#release-v1296k3s1",children:"v1.29.6+k3s1"})}),(0,r.jsx)(s.td,{children:"Jun 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1296",children:"v1.29.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.9",children:"v0.11.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1",children:"v1.7.17-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.2",children:"v0.25.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.10",children:"v0.15.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.27",children:"v0.0.27"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.29.X#release-v1295k3s1",children:"v1.29.5+k3s1"})}),(0,r.jsx)(s.td,{children:"May 22 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1295",children:"v1.29.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.7",children:"v0.11.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.15-k3s1",children:"v1.7.15-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.29.X#release-v1294k3s1",children:"v1.29.4+k3s1"})}),(0,r.jsx)(s.td,{children:"Apr 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1294",children:"v1.29.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.7",children:"v0.11.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.15-k3s1",children:"v1.7.15-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.29.X#release-v1293k3s1",children:"v1.29.3+k3s1"})}),(0,r.jsx)(s.td,{children:"Mar 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1293",children:"v1.29.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.4",children:"v0.11.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2",children:"v1.7.11-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.29.X#release-v1292k3s1",children:"v1.29.2+k3s1"})}),(0,r.jsx)(s.td,{children:"Feb 29 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1292",children:"v1.29.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.4",children:"v0.11.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2",children:"v1.7.11-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.8",children:"v0.15.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.29.X#release-v1291k3s2",children:"v1.29.1+k3s2"})}),(0,r.jsx)(s.td,{children:"Feb 06 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1291",children:"v1.29.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2",children:"v1.7.11-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.0",children:"v0.24.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.8",children:"v0.15.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.29.X#release-v1290k3s1",children:"v1.29.0+k3s1"})}),(0,r.jsx)(s.td,{children:"Dec 22 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1290",children:"v1.29.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2",children:"v1.7.11-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.10",children:"v1.1.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.0",children:"v0.24.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]})]})]}),"\n",(0,r.jsx)("br",{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1297k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.7+k3s1",children:"v1.29.7+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.29.7, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1296",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1296k3s2",children:"Changes since v1.29.6+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-07 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10498",children:"(#10498)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump k3s-root to v0.14.0"}),"\n",(0,r.jsx)(s.li,{children:"Bump github.com/hashicorp/go-retryablehttp from 0.7.4 to 0.7.7"}),"\n",(0,r.jsx)(s.li,{children:"Bump Local Path Provisioner version"}),"\n",(0,r.jsx)(s.li,{children:"Ensure remotedialer kubelet connections use kubelet bind address"}),"\n",(0,r.jsx)(s.li,{children:"Chore: Bump Trivy version"}),"\n",(0,r.jsx)(s.li,{children:"Add etcd s3 config secret implementation"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["July Test Backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10508",children:"(#10508)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.29.7-k3s1 and Go 1.22.5 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10539",children:"(#10539)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issues loading data-dir value from env vars or dropping config files ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10597",children:"(#10597)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1296k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.6+k3s2",children:"v1.29.6+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.29.6, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1296",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1296k3s1",children:"Changes since v1.29.6+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update flannel to v0.25.4 and fixed issue with IPv6 mask ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10427",children:"(#10427)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1296k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.6+k3s1",children:"v1.29.6+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.29.6, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1295",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1295k3s1",children:"Changes since v1.29.5+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix bug when using tailscale config by file ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10142",children:"(#10142)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump flannel version to v0.25.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10220",children:"(#10220)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router version to v2.1.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10181",children:"(#10181)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Improve tailscale test & add extra log in e2e tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10212",children:"(#10212)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-06 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10249",children:"(#10249)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Add WithSkipMissing to not fail import on missing blobs"}),"\n",(0,r.jsx)(s.li,{children:"Use fixed stream server bind address for cri-dockerd"}),"\n",(0,r.jsx)(s.li,{children:"Switch stargz over to cri registry config_path"}),"\n",(0,r.jsx)(s.li,{children:"Bump to containerd v1.7.17, etcd v3.5.13"}),"\n",(0,r.jsx)(s.li,{children:"Bump spegel version"}),"\n",(0,r.jsx)(s.li,{children:"Fix issue with externalTrafficPolicy: Local for single-stack services on dual-stack nodes"}),"\n",(0,r.jsxs)(s.li,{children:["ServiceLB now sets the priorityClassName on svclb pods to ",(0,r.jsx)(s.code,{children:"system-node-critical"})," by default. This can be overridden on a per-service basis via the ",(0,r.jsx)(s.code,{children:"svccontroller.k3s.cattle.io/priorityclassname"})," annotation."]}),"\n",(0,r.jsx)(s.li,{children:"Bump minio-go to v7.0.70"}),"\n",(0,r.jsx)(s.li,{children:"Bump kine to v0.11.9 to fix pagination"}),"\n",(0,r.jsx)(s.li,{children:"Update valid resolv conf"}),"\n",(0,r.jsx)(s.li,{children:"Add missing kernel config check"}),"\n",(0,r.jsx)(s.li,{children:"Symlinked sub-directories are now respected when scanning Auto-Deploying Manifests (AddOns)"}),"\n",(0,r.jsx)(s.li,{children:"Fix bug: allow helm controller set owner reference"}),"\n",(0,r.jsx)(s.li,{children:"Bump klipper-helm image for tls secret support"}),"\n",(0,r.jsx)(s.li,{children:"Fix issue with k3s-etcd informers not starting"}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--Enable-pprof"})," can now be set on agents to enable the debug/pprof endpoints. When set, agents will listen on the supervisor port."]}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--Supervisor-metrics"})," can now be set on servers to enable serving internal metrics on the supervisor endpoint; when set agents will listen on the supervisor port."]}),"\n",(0,r.jsx)(s.li,{children:"Fix netpol crash when node remains tainted uninitialized"}),"\n",(0,r.jsx)(s.li,{children:"The embedded load-balancer will now fall back to trying all servers with health-checks ignored, if all servers have been marked unavailable due to failed health checks."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["More backports for 2024-06 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10288",children:"(#10288)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add snapshot retention etcd-s3-folder fix ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10316",children:"(#10316)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add test for ",(0,r.jsx)(s.code,{children:"isValidResolvConf"})," (#10302) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10329",children:"(#10329)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix race condition panic in loadbalancer.nextServer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10322",children:"(#10322)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix typo, use ",(0,r.jsx)(s.code,{children:"rancher/permissions"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10298",children:"(#10298)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Expand GHA go caching to include newest release branch ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10334",children:"(#10334)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.29.6 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10348",children:"(#10348)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix agent supervisor port using apiserver port instead ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10354",children:"(#10354)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue that allowed multiple simultaneous snapshots to be allowed ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10376",children:"(#10376)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1295k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.5+k3s1",children:"v1.29.5+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.29.5, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1294",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1294k3s1",children:"Changes since v1.29.4+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update stable channel to v1.29.4+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10031",children:"(#10031)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add E2E Split Server to Drone, support parallel testing in Drone ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9940",children:"(#9940)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump E2E opensuse leap to 15.6, fix btrfs test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10057",children:"(#10057)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Replace deprecated ruby function ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10091",children:"(#10091)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Set correct release channel for e2e upgrade test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10106",children:"(#10106)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Windows changes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10115",children:"(#10115)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.29.5-k3s1 and Go 1.21.9 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10108",children:"(#10108)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1294k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.4+k3s1",children:"v1.29.4+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.29.4, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1293",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1293k3s1",children:"Changes since v1.29.3+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Send error response if member list cannot be retrieved ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9722",children:"(#9722)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Respect cloud-provider fields set by kubelet ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9721",children:"(#9721)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The k3s stub cloud provider now respects the kubelet's requested provider-id, instance type, and topology labels"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix error when image has already been pulled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9770",children:"(#9770)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add a new error when kine is with disable apiserver or disable etcd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9766",children:"(#9766)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump k3s-root to v0.13.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9718",children:"(#9718)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use ubuntu latest for better golang caching keys ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9711",children:"(#9711)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9780",children:"(#9780)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Move to ubuntu 23.10 for E2E tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9755",children:"(#9755)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update channel server ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9808",children:"(#9808)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add /etc/passwd and /etc/group to k3s docker image ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9784",children:"(#9784)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix etcd snapshot reconcile for agentless servers ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9809",children:"(#9809)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add health-check support to loadbalancer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9757",children:"(#9757)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add tls for kine ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9572",children:"(#9572)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Kine is now able to use TLS"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Transition from deprecated pointer library to ptr ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9801",children:"(#9801)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove old pinned dependencies ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9806",children:"(#9806)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Several E2E Matrix improvements ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9802",children:"(#9802)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add certificate expiry check, events, and metrics ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9772",children:"(#9772)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add updatecli policy to update k3s-root ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9844",children:"(#9844)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9840",children:"(#9840)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add workaround for containerd hosts.toml bug when passing config for default registry endpoint ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9853",children:"(#9853)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix: agent volume in example docker compose ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9838",children:"(#9838)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump spegel to v0.0.20-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9863",children:"(#9863)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add supervisor cert/key to rotate list ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9832",children:"(#9832)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add quotes to avoid useless updatecli updates ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9877",children:"(#9877)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd and cri-dockerd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9886",children:"(#9886)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded containerd has been bumped to v1.7.15"}),"\n",(0,r.jsx)(s.li,{children:"The embedded cri-dockerd has been bumped to v0.3.12"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Move etcd snapshot management CLI to request/response ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9816",children:"(#9816)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"k3s etcd-snapshot"})," command has been reworked for improved consistency. All snapshots operations are now performed by the server process, with the CLI acting as a client to initiate and report results. As a side effect, the CLI is now less noisy when managing snapshots."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Improve etcd load-balancer startup behavior ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9883",children:"(#9883)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Actually fix agent certificate rotation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9902",children:"(#9902)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump latest to v1.29.3+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9909",children:"(#9909)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update packaged manifests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9920",children:"(#9920)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Traefik has been bumped to v2.10.7."}),"\n",(0,r.jsx)(s.li,{children:"Traefik pod annotations are now set properly in the default chart values."}),"\n",(0,r.jsx)(s.li,{children:"The system-default-registry value now supports RFC2732 IPv6 literals."}),"\n",(0,r.jsxs)(s.li,{children:["The local-path provisioner now defaults to creating ",(0,r.jsx)(s.code,{children:"local"})," volumes, instead of ",(0,r.jsx)(s.code,{children:"hostPath"}),"."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Allow Local path provisioner to read helper logs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9835",children:"(#9835)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router to v2.1.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9926",children:"(#9926)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Match setup-go caching key in GitHub Actions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9890",children:"(#9890)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add startup testlet on preloaded images ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9941",children:"(#9941)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.29.4-k3s1 and Go 1.21.9 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9960",children:"(#9960)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix on-demand snapshots timing out; not honoring folder ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9984",children:"(#9984)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Make ",(0,r.jsx)(s.code,{children:"/db/info"})," available anonymously from localhost ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10001",children:"(#10001)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1293k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.3+k3s1",children:"v1.29.3+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.29.3, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1292",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1292k3s1",children:"Changes since v1.29.2+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Testing ADR ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9562",children:"(#9562)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Unit Testing Matrix and Actions bump ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9479",children:"(#9479)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update install test OS matrix ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9480",children:"(#9480)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update klipper-lb image version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9488",children:"(#9488)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add an integration test for flannel-backend=none ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9582",children:"(#9582)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Better GitHub CI caching strategy for golang ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9495",children:"(#9495)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Correct formatting of GH PR sha256sum artifact ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9472",children:"(#9472)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Rootless mode also bind service nodePort to host for LoadBalancer type ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9512",children:"(#9512)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Rootless mode should also bind service nodePort to host for LoadBalancer type, matching UX of rootful mode."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix coredns NodeHosts on dual-stack clusters ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9584",children:"(#9584)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Tweak netpol node wait logs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9581",children:"(#9581)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue with etcd node name missing hostname ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9522",children:"(#9522)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump helm-controller/klipper-helm versions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9595",children:"(#9595)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update stable channel to v1.28.7+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9615",children:"(#9615)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Reenable Install and Snapshotter Testing ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9601",children:"(#9601)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Move docker tests into tests folder ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9555",children:"(#9555)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix setup-go typo ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9634",children:"(#9634)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix additional corner cases in registries handling ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9556",children:"(#9556)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix snapshot prune ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9502",children:"(#9502)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use and version flannel/cni-plugin properly ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9635",children:"(#9635)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded flannel cni-plugin binary is now built and versioned separate from the rest of the cni plugins and the embedded flannel controller."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump spegel ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9599",children:"(#9599)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump spegel to v0.0.18-k3s3"}),"\n",(0,r.jsx)(s.li,{children:"Adds wildcard registry support"}),"\n",(0,r.jsx)(s.li,{children:"Fixes issue with excessive CPU utilization while waiting for containerd to start"}),"\n",(0,r.jsx)(s.li,{children:"Add env var to allow spegel mirroring of latest tag"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Chore(deps): Remediating CVEs found by trivy; CVE-2023-45142 on otelrestful and CVE-2023-48795 on golang.org/x/crypto ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9513",children:"(#9513)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix: use correct wasm shims names ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9519",children:"(#9519)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix wildcard with embedded registry test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9649",children:"(#9649)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Disable color outputs using ",(0,r.jsx)(s.code,{children:"NO_COLOR"})," env var ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9357",children:"(#9357)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["To enable raw output for the ",(0,r.jsx)(s.code,{children:"check-config"})," subcommand, you may now set NO_COLOR=1"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Improve tailscale e2e test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9586",children:"(#9586)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Adjust first node-ip based on configured clusterCIDR ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9520",children:"(#9520)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9528",children:"(#9528)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Include flannel version in flannel cni plugin version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9648",children:"(#9648)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The flannel controller version is now reported as build metadata on the flannel cni plugin version."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Enable E2E tests on GitHub Actions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9660",children:"(#9660)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump metrics-server to v0.7.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9673",children:"(#9673)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump upload and download actions to v4 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9666",children:"(#9666)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Warn and suppress duplicate registry mirror endpoints ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9697",children:"(#9697)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"K3s will now warn and suppress duplicate entries in the mirror endpoint list for a registry. Containerd does not support listing the same endpoint multiple times as a mirror for a single upstream registry."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Remove repetitive words ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9671",children:"(#9671)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Run Subset of Docker tests in GitHub Actions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9698",children:"(#9698)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix wildcard entry upstream fallback ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9729",children:"(#9729)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.29.3-k3s1 and Go 1.21.8 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9747",children:"(#9747)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1292k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.2+k3s1",children:"v1.29.2+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.29.2, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1291",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1291k3s2",children:"Changes since v1.29.1+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Bump Local Path Provisioner version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8953",children:"(#8953)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add ability to install K3s PR Artifact from GitHub ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9185",children:"(#9185)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Adds ",(0,r.jsx)(s.code,{children:"INSTALL_K3S_PR"})," option to install a build of K3s from any open PR with CI approval"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9237",children:"(#9237)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump codecov/codecov-action from 3 to 4 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9353",children:"(#9353)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update stable channel ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9388",children:"(#9388)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix snapshot reconcile retry ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9318",children:"(#9318)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add check for etcd-snapshot-dir and fix panic in Walk ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9317",children:"(#9317)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump CNI plugins to v1.4.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9249",children:"(#9249)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue with coredns node hosts controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9354",children:"(#9354)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed issue that could cause coredns pods to fail to start when the embedded helm controller is disabled, due to the configmap not being updated with node hosts entries."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix on-demand snapshots on ipv6-only nodes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9247",children:"(#9247)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump flannel version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9395",children:"(#9395)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bumped flannel to v0.24.2"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Build: Align drone base images ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8959",children:"(#8959)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Changed how lastHeartBeatTime works in the etcd condition ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9263",children:"(#9263)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Runtimes refactor using exec.LookPath ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9311",children:"(#9311)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Directories containing runtimes need to be included in the $PATH environment variable for effective runtime detection."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump cri-dockerd to fix compat with Docker Engine 25 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9290",children:"(#9290)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add codcov secret for integration tests on Push ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9422",children:"(#9422)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow executors to define ",(0,r.jsx)(s.code,{children:"containerd"})," and ",(0,r.jsx)(s.code,{children:"cridockerd"})," behavior ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9184",children:"(#9184)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kube-router to v2.0.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9396",children:"(#9396)"})]}),"\n",(0,r.jsxs)(s.li,{children:[": Test_UnitApplyContainerdQoSClassConfigFileIfPresent (Created) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8945",children:"(#8945)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Readd ",(0,r.jsx)(s.code,{children:"k3s secrets-encrypt rotate-keys"})," with correct support for KMSv2 GA ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9340",children:"(#9340)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix iptables check when sbin isn't in user PATH ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9344",children:"(#9344)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Don't create NodePasswordValidationFailed event if agent is disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9312",children:"(#9312)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"NodePasswordValidationFailed"})," Events will no longer be emitted, if the agent is disabled."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Expose rootless state dir under ~/.rancher/k3s/rootless ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9308",children:"(#9308)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["When running k3s in rootless mode, expose rootlesskit's state directory as ",(0,r.jsx)(s.code,{children:"~/.rancher/k3s/rootless"})]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Expose rootless containerd socket directories for external access ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9309",children:"(#9309)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Mount k3s rootless containerd & cri-dockerd socket directories to ",(0,r.jsx)(s.code,{children:"$XDG_RUNTIME_DIR/k3s/containerd"})," and ",(0,r.jsx)(s.code,{children:"$XDG_RUNTIME_DIR/k3s/cri-dockerd"})," respectively."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump kine and set NotifyInterval to what the apiserver expects ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9349",children:"(#9349)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.29.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9493",children:"(#9493)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix drone publish for arm ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9503",children:"(#9503)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove failing Drone step ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9517",children:"(#9517)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Restore original order of agent startup functions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9539",children:"(#9539)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix netpol startup when flannel is disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9571",children:"(#9571)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1291k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.1+k3s2",children:"v1.29.1+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.29.1, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1290",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.p,{children:(0,r.jsx)(s.strong,{children:"Important Notes"})}),"\n",(0,r.jsxs)(s.p,{children:["Addresses the runc CVE: ",(0,r.jsx)(s.a,{href:"https://nvd.nist.gov/vuln/detail/CVE-2024-21626",children:"CVE-2024-21626"})," by updating runc to v1.1.12."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1290k3s1",children:"Changes since v1.29.0+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Bump Sonobuoy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8910",children:"(#8910)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump actions/setup-go from 4 to 5 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9036",children:"(#9036)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Chore: Update Code of Conduct to Redirect to CNCF CoC ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9104",children:"(#9104)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"NONE"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update stable channel to v1.28.5+k3s1 and add v1.29 channel ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9110",children:"(#9110)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added support for env *_PROXY variables for agent loadbalancer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9070",children:"(#9070)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"HTTP_PROXY, HTTPS_PROXY and NO_PROXY environment variables are now taken into account by the agent loadbalancer if K3S_AGENT_HTTP_PROXY_ALLOWED env variable is set to true."}),"\n",(0,r.jsxs)(s.li,{children:["This however doesn't affect local requests as the function used prevents that: ",(0,r.jsx)(s.a,{href:"https://pkg.go.dev/net/http#ProxyFromEnvironment",children:"https://pkg.go.dev/net/http#ProxyFromEnvironment"}),"."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add a retry around updating a secrets-encrypt node annotations ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9039",children:"(#9039)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Silence SELinux warning on INSTALL_K3S_SKIP_SELINUX_RPM ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8703",children:"(#8703)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add ServiceLB support for PodHostIPs FeatureGate ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8917",children:"(#8917)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added support for env *_PROXY variables for agent loadbalancer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9118",children:"(#9118)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Redirect error stream to null when checking nm-cloud systemd unit ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8815",children:"(#8815)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:'Remove confusing "nm-cloud-setup.service: No such file or directory" journalctl log'}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Dockerfile.dapper: set $HOME properly ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9090",children:"(#9090)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add system-agent-installer-k3s step to GA release instructions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9153",children:"(#9153)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix install script checksum ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9159",children:"(#9159)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix the OTHER etcd snapshot s3 log message that prints the wrong variable ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8944",children:"(#8944)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Handle logging flags when parsing kube-proxy args ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8916",children:"(#8916)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix nil map in full snapshot configmap reconcile ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9049",children:"(#9049)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add support for containerd cri registry config_path ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8973",children:"(#8973)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add more paths to crun runtime detection ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9086",children:"(#9086)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add runtime checking of golang version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9054",children:"(#9054)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix OS PRETTY_NAME on tagged releases ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9062",children:"(#9062)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Print error when downloading file error inside install script ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6874",children:"(#6874)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Wait for cloud-provider taint to be gone before starting the netpol controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9076",children:"(#9076)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8812",children:"(#8812)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use ",(0,r.jsx)(s.code,{children:"ipFamilyPolicy: RequireDualStack"})," for dual-stack kube-dns ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8984",children:"(#8984)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Handle etcd status condition when node is not ready and disable etcd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9084",children:"(#9084)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update s3 e2e test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9025",children:"(#9025)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add e2e startup test for rootless k3s ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8383",children:"(#8383)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add spegel distributed registry mirror ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8977",children:"(#8977)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump quic-go for CVE-2023-49295 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9208",children:"(#9208)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Enable network policy controller metrics ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9195",children:"(#9195)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Kube-router network policy controller metrics are now exposed via the default node metrics endpoint"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix nonexistent dependency repositories ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9213",children:"(#9213)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Move proxy dialer out of init() and fix crash when using ",(0,r.jsx)(s.code,{children:"K3S_AGENT_HTTP_PROXY_ALLOWED=true"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9219",children:"(#9219)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Error getting node in setEtcdStatusCondition ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9210",children:"(#9210)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.29.1 and Go 1.21.6 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9259",children:"(#9259)"})]}),"\n",(0,r.jsxs)(s.li,{children:["New stale action ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9278",children:"(#9278)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix handling of bare hostname or IP as endpoint address in registries.yaml ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9323",children:"(#9323)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump runc to v1.1.12 and helm-controller to v0.15.7 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9332",children:"(#9332)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump helm-controller to fix issue with ChartContent ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9345",children:"(#9345)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1290k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.0+k3s1",children:"v1.29.0+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release is K3S's first in the v1.29 line. This release updates Kubernetes to v1.29.0."}),"\n",(0,r.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]}),"\n",(0,r.jsx)(s.admonition,{title:"Important",type:"warning",children:(0,r.jsxs)(s.p,{children:["This release removes the experimental ",(0,r.jsx)(s.code,{children:"rotate-keys"})," subcommand due to changes in Kubernetes upstream for ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/issues/117728",children:"KMSv2"}),", the subcommand should be added back in future releases."]})}),"\n",(0,r.jsx)(s.admonition,{title:"Important",type:"warning",children:(0,r.jsxs)(s.p,{children:["This release also removes the ",(0,r.jsx)(s.code,{children:"multi-cluster-cidr"})," flag, since the support for this alpha feature has been removed completely from ",(0,r.jsx)(s.a,{href:"https://groups.google.com/g/kubernetes-sig-network/c/nts1xEZ--gQ/m/2aTOUNFFAAAJ",children:"Kubernetes upstream"}),", this flag should be removed from the configuration before upgrade."]})}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1284k3s2",children:"Changes since v1.28.4+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix overlapping address range ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8913",children:"(#8913)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Modify CONTRIBUTING.md guide ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8954",children:"(#8954)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Nov 2023 stable channel update ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9022",children:"(#9022)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Default runtime and runtime classes for wasm/nvidia/crun ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8936",children:"(#8936)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Added runtime classes for wasm/nvidia/crun"}),"\n",(0,r.jsx)(s.li,{children:"Added default runtime flag for containerd"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd/runc to v1.7.10-k3s1/v1.1.10 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8962",children:"(#8962)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow setting default-runtime on servers ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9027",children:"(#9027)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd to v1.7.11 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9040",children:"(#9040)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove GA feature-gates ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8970",children:"(#8970)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Only publish to code_cov on merged E2E builds ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9051",children:"(#9051)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.29.0+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9052",children:"(#9052)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update flannel to v0.24.0 and remove multiclustercidr flag ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9075",children:"(#9075)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove rotate-keys subcommand ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9079",children:"(#9079)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{})]})}function a(e={}){const{wrapper:s}={...(0,t.a)(),...e.components};return s?(0,r.jsx)(s,{...e,children:(0,r.jsx)(d,{...e})}):d(e)}},1151:(e,s,i)=>{i.d(s,{Z:()=>h,a:()=>l});var r=i(7294);const t={},n=r.createContext(t);function l(e){const s=r.useContext(n);return r.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function h(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:l(e.components),r.createElement(n.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/0ce5aa86.11dbb5a6.js b/assets/js/0ce5aa86.11dbb5a6.js new file mode 100644 index 000000000..2eb5bf030 --- /dev/null +++ b/assets/js/0ce5aa86.11dbb5a6.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[1620],{3012:(e,s,t)=>{t.r(s),t.d(s,{assets:()=>c,contentTitle:()=>l,default:()=>o,frontMatter:()=>n,metadata:()=>h,toc:()=>d});var i=t(5893),r=t(1151);const n={hide_table_of_contents:!0,sidebar_position:5},l="v1.26.X",h={id:"release-notes/v1.26.X",title:"v1.26.X",description:"Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.",source:"@site/docs/release-notes/v1.26.X.md",sourceDirName:"release-notes",slug:"/release-notes/v1.26.X",permalink:"/release-notes/v1.26.X",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/release-notes/v1.26.X.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,sidebarPosition:5,frontMatter:{hide_table_of_contents:!0,sidebar_position:5},sidebar:"mySidebar",previous:{title:"v1.27.X",permalink:"/release-notes/v1.27.X"},next:{title:"v1.25.X",permalink:"/release-notes/v1.25.X"}},c={},d=[{value:"Release v1.26.15+k3s1",id:"release-v12615k3s1",level:2},{value:"Changes since v1.26.14+k3s1:",id:"changes-since-v12614k3s1",level:3},{value:"Release v1.26.14+k3s1",id:"release-v12614k3s1",level:2},{value:"Changes since v1.26.13+k3s2:",id:"changes-since-v12613k3s2",level:3},{value:"Release v1.26.13+k3s2",id:"release-v12613k3s2",level:2},{value:"Changes since v1.26.12+k3s1:",id:"changes-since-v12612k3s1",level:3},{value:"Release v1.26.12+k3s1",id:"release-v12612k3s1",level:2},{value:"Changes since v1.26.11+k3s2:",id:"changes-since-v12611k3s2",level:3},{value:"Release v1.26.11+k3s2",id:"release-v12611k3s2",level:2},{value:"Changes since v1.26.10+k3s2:",id:"changes-since-v12610k3s2",level:3},{value:"Release v1.26.10+k3s2",id:"release-v12610k3s2",level:2},{value:"Changes since v1.26.10+k3s1:",id:"changes-since-v12610k3s1",level:3},{value:"Release v1.26.10+k3s1",id:"release-v12610k3s1",level:2},{value:"Changes since v1.26.9+k3s1:",id:"changes-since-v1269k3s1",level:3},{value:"Release v1.26.9+k3s1",id:"release-v1269k3s1",level:2},{value:"Changes since v1.26.8+k3s1:",id:"changes-since-v1268k3s1",level:3},{value:"Release v1.26.8+k3s1",id:"release-v1268k3s1",level:2},{value:"Changes since v1.26.7+k3s1:",id:"changes-since-v1267k3s1",level:3},{value:"Release v1.26.7+k3s1",id:"release-v1267k3s1",level:2},{value:"Changes since v1.26.6+k3s1:",id:"changes-since-v1266k3s1",level:3},{value:"Release v1.26.6+k3s1",id:"release-v1266k3s1",level:2},{value:"Changes since v1.26.5+k3s1:",id:"changes-since-v1265k3s1",level:3},{value:"Release v1.26.5+k3s1",id:"release-v1265k3s1",level:2},{value:"Changes since v1.26.4+k3s1:",id:"changes-since-v1264k3s1",level:3},{value:"Release v1.26.4+k3s1",id:"release-v1264k3s1",level:2},{value:"Changes since v1.26.3+k3s1:",id:"changes-since-v1263k3s1",level:3},{value:"Release v1.26.3+k3s1",id:"release-v1263k3s1",level:2},{value:"Changes since v1.26.2+k3s1:",id:"changes-since-v1262k3s1",level:3},{value:"Release v1.26.2+k3s1",id:"release-v1262k3s1",level:2},{value:"Changes since v1.26.1+k3s1:",id:"changes-since-v1261k3s1",level:3},{value:"Release v1.26.1+k3s1",id:"release-v1261k3s1",level:2},{value:"Changes since v1.26.0+k3s2:",id:"changes-since-v1260k3s2",level:3},{value:"Release v1.26.0+k3s2",id:"release-v1260k3s2",level:2},{value:"Changes since v1.26.0+k3s1:",id:"changes-since-v1260k3s1",level:3},{value:"Release v1.26.0+k3s1",id:"release-v1260k3s1",level:2},{value:"\u26a0\ufe0f WARNING",id:"\ufe0f-warning",level:2},{value:"Changes since v1.25.5+k3s1:",id:"changes-since-v1255k3s1",level:3}];function a(e){const s={a:"a",admonition:"admonition",blockquote:"blockquote",code:"code",h1:"h1",h2:"h2",h3:"h3",header:"header",hr:"hr",li:"li",p:"p",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,r.a)(),...e.components};return(0,i.jsxs)(i.Fragment,{children:[(0,i.jsx)(s.header,{children:(0,i.jsx)(s.h1,{id:"v126x",children:"v1.26.X"})}),"\n",(0,i.jsx)(s.admonition,{title:"Upgrade Notice",type:"warning",children:(0,i.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]})}),"\n",(0,i.jsxs)(s.table,{children:[(0,i.jsx)(s.thead,{children:(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.th,{children:"Version"}),(0,i.jsx)(s.th,{children:"Release date"}),(0,i.jsx)(s.th,{children:"Kubernetes"}),(0,i.jsx)(s.th,{children:"Kine"}),(0,i.jsx)(s.th,{children:"SQLite"}),(0,i.jsx)(s.th,{children:"Etcd"}),(0,i.jsx)(s.th,{children:"Containerd"}),(0,i.jsx)(s.th,{children:"Runc"}),(0,i.jsx)(s.th,{children:"Flannel"}),(0,i.jsx)(s.th,{children:"Metrics-server"}),(0,i.jsx)(s.th,{children:"Traefik"}),(0,i.jsx)(s.th,{children:"CoreDNS"}),(0,i.jsx)(s.th,{children:"Helm-controller"}),(0,i.jsx)(s.th,{children:"Local-path-provisioner"})]})}),(0,i.jsxs)(s.tbody,{children:[(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v12615k3s1",children:"v1.26.15+k3s1"})}),(0,i.jsx)(s.td,{children:"Mar 25 2024"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v12615",children:"v1.26.15"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.4",children:"v0.11.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2.26",children:"v1.7.11-k3s2.26"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v12614k3s1",children:"v1.26.14+k3s1"})}),(0,i.jsx)(s.td,{children:"Feb 29 2024"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v12614",children:"v1.26.14"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.4",children:"v0.11.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2.26",children:"v1.7.11-k3s2.26"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.8",children:"v0.15.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v12613k3s2",children:"v1.26.13+k3s2"})}),(0,i.jsx)(s.td,{children:"Feb 06 2024"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v12613",children:"v1.26.13"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2.26",children:"v1.7.11-k3s2.26"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.8",children:"v0.15.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v12612k3s1",children:"v1.26.12+k3s1"})}),(0,i.jsx)(s.td,{children:"Dec 27 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v12612",children:"v1.26.12"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2.26",children:"v1.7.11-k3s2.26"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.10",children:"v1.1.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v12611k3s2",children:"v1.26.11+k3s2"})}),(0,i.jsx)(s.td,{children:"Dec 07 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v12611",children:"v1.26.11"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1.26",children:"v1.7.7-k3s1.26"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v12610k3s2",children:"v1.26.10+k3s2"})}),(0,i.jsx)(s.td,{children:"Nov 08 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v12610",children:"v1.26.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1.26",children:"v1.7.7-k3s1.26"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v12610k3s1",children:"v1.26.10+k3s1"})}),(0,i.jsx)(s.td,{children:"Oct 30 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v12610",children:"v1.26.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1.26",children:"v1.7.7-k3s1.26"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v1269k3s1",children:"v1.26.9+k3s1"})}),(0,i.jsx)(s.td,{children:"Sep 20 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1269",children:"v1.26.9"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.6-k3s1.26",children:"v1.7.6-k3s1.26"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v1268k3s1",children:"v1.26.8+k3s1"})}),(0,i.jsx)(s.td,{children:"Sep 05 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1268",children:"v1.26.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.2",children:"v0.10.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.3-k3s1",children:"v1.7.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v1267k3s1",children:"v1.26.7+k3s1"})}),(0,i.jsx)(s.td,{children:"Jul 27 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1267",children:"v1.26.7"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.7-k3s1",children:"v3.5.7-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.0",children:"v0.22.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.2",children:"v0.15.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v1266k3s1",children:"v1.26.6+k3s1"})}),(0,i.jsx)(s.td,{children:"Jun 26 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1266",children:"v1.26.6"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.7-k3s1",children:"v3.5.7-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.0",children:"v0.22.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.0",children:"v0.15.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v1265k3s1",children:"v1.26.5+k3s1"})}),(0,i.jsx)(s.td,{children:"May 26 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1265",children:"v1.26.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.7-k3s1",children:"v3.5.7-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.4",children:"v0.21.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.14.0",children:"v0.14.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v1264k3s1",children:"v1.26.4+k3s1"})}),(0,i.jsx)(s.td,{children:"Apr 20 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1264",children:"v1.26.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.7-k3s1",children:"v3.5.7-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.19-k3s1",children:"v1.6.19-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.5",children:"v1.1.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.4",children:"v0.21.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.3",children:"v0.13.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v1263k3s1",children:"v1.26.3+k3s1"})}),(0,i.jsx)(s.td,{children:"Mar 27 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1263",children:"v1.26.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.5-k3s1",children:"v3.5.5-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.19-k3s1",children:"v1.6.19-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.4",children:"v0.21.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v1262k3s1",children:"v1.26.2+k3s1"})}),(0,i.jsx)(s.td,{children:"Mar 10 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1262",children:"v1.26.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.5-k3s1",children:"v3.5.5-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.15-k3s1",children:"v1.6.15-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.1",children:"v0.21.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v1261k3s1",children:"v1.26.1+k3s1"})}),(0,i.jsx)(s.td,{children:"Jan 26 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1261",children:"v1.26.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.8",children:"v0.9.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.5-k3s1",children:"v3.5.5-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.15-k3s1",children:"v1.6.15-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.2",children:"v0.20.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v1260k3s2",children:"v1.26.0+k3s2"})}),(0,i.jsx)(s.td,{children:"Jan 11 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1260",children:"v1.26.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.8",children:"v0.9.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.5-k3s1",children:"v3.5.5-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.14-k3s1",children:"v1.6.14-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.2",children:"v0.20.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v1260k3s1",children:"v1.26.0+k3s1"})}),(0,i.jsx)(s.td,{children:"Dec 21 2022"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1260",children:"v1.26.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.8",children:"v0.9.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.5-k3s1",children:"v3.5.5-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.12-k3s1",children:"v1.6.12-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.2",children:"v0.20.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]})]})]}),"\n",(0,i.jsx)("br",{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12615k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.15+k3s1",children:"v1.26.15+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.15, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v12614",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12614k3s1",children:"Changes since v1.26.14+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Update klipper-lb image version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9607",children:"(#9607)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Install and Unit test backports ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9645",children:"(#9645)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Adjust first node-ip based on configured clusterCIDR ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9633",children:"(#9633)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add an integration test for flannel-backend=none ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9610",children:"(#9610)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Improve tailscale e2e test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9655",children:"(#9655)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2024-03 release cycle ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9692",children:"(#9692)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fix: use correct wasm shims names"}),"\n",(0,i.jsx)(s.li,{children:"The embedded flannel cni-plugin binary is now built and versioned separate from the rest of the cni plugins and the embedded flannel controller."}),"\n",(0,i.jsx)(s.li,{children:"Bump spegel to v0.0.18-k3s3"}),"\n",(0,i.jsx)(s.li,{children:"Adds wildcard registry support"}),"\n",(0,i.jsx)(s.li,{children:"Fixes issue with excessive CPU utilization while waiting for containerd to start"}),"\n",(0,i.jsx)(s.li,{children:"Add env var to allow spegel mirroring of latest tag"}),"\n",(0,i.jsx)(s.li,{children:"Tweak netpol node wait logs"}),"\n",(0,i.jsx)(s.li,{children:"Fix coredns NodeHosts on dual-stack clusters"}),"\n",(0,i.jsx)(s.li,{children:"Bump helm-controller/klipper-helm versions"}),"\n",(0,i.jsx)(s.li,{children:"Fix snapshot prune"}),"\n",(0,i.jsx)(s.li,{children:"Fix issue with etcd node name missing hostname"}),"\n",(0,i.jsx)(s.li,{children:"Rootless mode should also bind service nodePort to host for LoadBalancer type, matching UX of rootful mode."}),"\n",(0,i.jsxs)(s.li,{children:["To enable raw output for the ",(0,i.jsx)(s.code,{children:"check-config"})," subcommand, you may now set NO_COLOR=1"]}),"\n",(0,i.jsx)(s.li,{children:"Fix additional corner cases in registries handling"}),"\n",(0,i.jsx)(s.li,{children:"Bump metrics-server to v0.7.0"}),"\n",(0,i.jsx)(s.li,{children:"K3s will now warn and suppress duplicate entries in the mirror endpoint list for a registry. Containerd does not support listing the same endpoint multiple times as a mirror for a single upstream registry."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix wildcard entry upstream fallback ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9735",children:"(#9735)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.15-k3s1 and Go 1.21.8 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9740",children:"(#9740)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12614k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.14+k3s1",children:"v1.26.14+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.14, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v12613",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12613k3s2",children:"Changes since v1.26.13+k3s2:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Chore: bump Local Path Provisioner version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9428",children:"(#9428)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump cri-dockerd to fix compat with Docker Engine 25 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9292",children:"(#9292)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Auto Dependency Bump ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9421",children:"(#9421)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Runtimes refactor using exec.LookPath ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9429",children:"(#9429)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Directories containing runtimes need to be included in the $PATH environment variable for effective runtime detection."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Changed how lastHeartBeatTime works in the etcd condition ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9423",children:"(#9423)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Allow executors to define containerd and docker behavior ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9252",children:"(#9252)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update Kube-router to v2.0.1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9406",children:"(#9406)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2024-02 release cycle ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9464",children:"(#9464)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump flannel version + remove multiclustercidr ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9409",children:"(#9409)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Enable longer http timeout requests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9446",children:"(#9446)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Test_UnitApplyContainerdQoSClassConfigFileIfPresent ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9442",children:"(#9442)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Support PR testing installs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9471",children:"(#9471)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update Kubernetes to v1.26.14 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9490",children:"(#9490)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix drone publish for arm ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9510",children:"(#9510)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove failing Drone step ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9514",children:"(#9514)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Restore original order of agent startup functions ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9547",children:"(#9547)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix netpol startup when flannel is disabled ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9580",children:"(#9580)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12613k3s2",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.13+k3s2",children:"v1.26.13+k3s2"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.13, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v12612",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.p,{children:(0,i.jsx)(s.strong,{children:"Important Notes"})}),"\n",(0,i.jsxs)(s.p,{children:["Addresses the runc CVE: ",(0,i.jsx)(s.a,{href:"https://nvd.nist.gov/vuln/detail/CVE-2024-21626",children:"CVE-2024-21626"})," by updating runc to v1.1.12."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12612k3s1",children:"Changes since v1.26.12+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Add a retry around updating a secrets-encrypt node annotations ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9123",children:"(#9123)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Added support for env *_PROXY variables for agent loadbalancer ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9116",children:"(#9116)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Wait for taint to be gone in the node before starting the netpol controller ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9177",children:"(#9177)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Etcd condition ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9183",children:"(#9183)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2024-01 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9212",children:"(#9212)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Move proxy dialer out of init() and fix crash ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9221",children:"(#9221)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Pin opa version for missing dependency chain ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9218",children:"(#9218)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Etcd node is nil ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9230",children:"(#9230)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.13 and Go 1.20.13 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9262",children:"(#9262)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Use ",(0,i.jsx)(s.code,{children:"ipFamilyPolicy: RequireDualStack"})," for dual-stack kube-dns ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9271",children:"(#9271)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2024-01 k3s2 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9338",children:"(#9338)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Bump runc to v1.1.12 and helm-controller to v0.15.7"}),"\n",(0,i.jsx)(s.li,{children:"Fix handling of bare hostname or IP as endpoint address in registries.yaml"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump helm-controller to fix issue with ChartContent ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9348",children:"(#9348)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12612k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.12+k3s1",children:"v1.26.12+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.12, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v12611",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12611k3s2",children:"Changes since v1.26.11+k3s2:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Runtimes backport ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9014",children:"(#9014)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Added runtime classes for wasm/nvidia/crun"}),"\n",(0,i.jsx)(s.li,{children:"Added default runtime flag for containerd"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd/runc to v1.7.10-k3s1/v1.1.10 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8964",children:"(#8964)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix overlapping address range ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9019",children:"(#9019)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Allow setting default-runtime on servers ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9028",children:"(#9028)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd to v1.7.11 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9042",children:"(#9042)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.12-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9077",children:"(#9077)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12611k3s2",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.11+k3s2",children:"v1.26.11+k3s2"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.11, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v12610",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12610k3s2",children:"Changes since v1.26.10+k3s2:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Etcd status condition ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8820",children:"(#8820)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2023-11 release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8879",children:"(#8879)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["New timezone info in Docker image allows the use of ",(0,i.jsx)(s.code,{children:"spec.timeZone"})," in CronJobs"]}),"\n",(0,i.jsx)(s.li,{children:"Bumped kine to v0.11.0 to resolve issues with postgres and NATS, fix performance of watch channels under heavy load, and improve compatibility with the reference implementation."}),"\n",(0,i.jsxs)(s.li,{children:["Containerd may now be configured to use rdt or blockio configuration by defining ",(0,i.jsx)(s.code,{children:"rdt_config.yaml"})," or ",(0,i.jsx)(s.code,{children:"blockio_config.yaml"})," files."]}),"\n",(0,i.jsx)(s.li,{children:"Add agent flag disable-apiserver-lb, agent will not start load balance proxy."}),"\n",(0,i.jsx)(s.li,{children:"Improved ingress IP ordering from ServiceLB"}),"\n",(0,i.jsx)(s.li,{children:"Disable helm CRD installation for disable-helm-controller"}),"\n",(0,i.jsx)(s.li,{children:"Omit snapshot list configmap entries for snapshots without extra metadata"}),"\n",(0,i.jsx)(s.li,{children:"Add jitter to client config retry to avoid hammering servers when they are starting up"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Add warning for removal of multiclustercidr flag ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8760",children:"(#8760)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Handle nil pointer when runtime core is not ready in etcd ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8888",children:"(#8888)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Improve dualStack log ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8829",children:"(#8829)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump dynamiclistener; reduce snapshot controller log spew ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8903",children:"(#8903)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Bumped dynamiclistener to address a race condition that could cause a server to fail to sync its certificates into the Kubernetes secret"}),"\n",(0,i.jsx)(s.li,{children:"Reduced etcd snapshot log spam during initial cluster startup"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix etcd snapshot S3 issues ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8938",children:"(#8938)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Don't apply S3 retention if S3 client failed to initialize"}),"\n",(0,i.jsx)(s.li,{children:"Don't request metadata when listing S3 snapshots"}),"\n",(0,i.jsx)(s.li,{children:"Print key instead of file path in snapshot metadata log message"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.11 and Go to 1.20.11 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8922",children:"(#8922)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove s390x ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9000",children:"(#9000)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12610k3s2",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.10+k3s2",children:"v1.26.10+k3s2"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.10, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v12610",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12610k3s1",children:"Changes since v1.26.10+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Fix SystemdCgroup in templates_linux.go ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8766",children:"(#8766)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fixed an issue with identifying additional container runtimes"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update traefik chart to v25.0.0 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8776",children:"(#8776)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update traefik to fix registry value ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8790",children:"(#8790)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12610k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.10+k3s1",children:"v1.26.10+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.10, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1269",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1269k3s1",children:"Changes since v1.26.9+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Fix error reporting ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8412",children:"(#8412)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add context to flannel errors ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8420",children:"(#8420)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Testing Backports for September ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8300",children:"(#8300)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Include the interface name in the error message ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8436",children:"(#8436)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update kube-router ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8444",children:"(#8444)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add extraArgs to tailscale ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8465",children:"(#8465)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Added error when cluster reset while using server flag ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8456",children:"(#8456)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The user will receive a error when --cluster-reset with the --server flag"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Cluster reset from non bootstrap nodes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8453",children:"(#8453)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix spellcheck problem ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8510",children:"(#8510)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Take IPFamily precedence based on order ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8505",children:"(#8505)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Network defaults are duplicated, remove one ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8552",children:"(#8552)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Advertise address integration test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8517",children:"(#8517)"})]}),"\n",(0,i.jsxs)(s.li,{children:["System agent push tags fix ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8570",children:"(#8570)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fixed tailscale node IP dualstack mode in case of IPv4 only node ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8559",children:"(#8559)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Server Token Rotation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8577",children:"(#8577)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Users can now rotate the server token using ",(0,i.jsx)(s.code,{children:"k3s token rotate -t --new-token "}),". After command succeeds, all server nodes must be restarted with the new token."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Clear remove annotations on cluster reset ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8590",children:"(#8590)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fixed an issue that could cause k3s to attempt to remove members from the etcd cluster immediately following a cluster-reset/restore, if they were queued for removal at the time the snapshot was taken."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Use IPv6 in case is the first configured IP with dualstack ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8598",children:"(#8598)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2023-10 release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8616",children:"(#8616)"})]}),"\n",(0,i.jsxs)(s.li,{children:["E2E Domain Drone Cleanup ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8583",children:"(#8583)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update kube-router package in build script ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8635",children:"(#8635)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add etcd-only/control-plane-only server test and fix control-plane-only server crash ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8643",children:"(#8643)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Use ",(0,i.jsx)(s.code,{children:"version.Program"})," not K3s in token rotate logs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8655",children:"(#8655)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Windows agent support ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8647",children:"(#8647)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add --image-service-endpoint flag (#8279) ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8663",children:"(#8663)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Add ",(0,i.jsx)(s.code,{children:"--image-service-endpoint"})," flag to specify an external image service socket."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Backport etcd fixes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8691",children:"(#8691)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Re-enable etcd endpoint auto-sync"}),"\n",(0,i.jsx)(s.li,{children:"Manually requeue configmap reconcile when no nodes have reconciled snapshots"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.10 and Go to v1.20.10 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8680",children:"(#8680)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix s3 snapshot restore ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8734",children:"(#8734)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1269k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.9+k3s1",children:"v1.26.9+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.9, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1268",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1268k3s1",children:"Changes since v1.26.8+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Bump kine to v0.10.3 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8325",children:"(#8325)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.9 and go to v1.20.8 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8357",children:"(#8357)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Bump embedded containerd to v1.7.6"}),"\n",(0,i.jsx)(s.li,{children:"Bump embedded stargz-snapshotter plugin to latest"}),"\n",(0,i.jsx)(s.li,{children:"Fixed intermittent drone CI failures due to race conditions in test environment setup scripts"}),"\n",(0,i.jsx)(s.li,{children:"Fixed CI failures due to changes to api discovery changes in Kubernetes 1.28"}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1268k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.8+k3s1",children:"v1.26.8+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.8, and fixes a number of issues."}),"\n",(0,i.jsx)(s.admonition,{title:"Important",type:"warning",children:(0,i.jsxs)(s.p,{children:["This release includes support for remediating CVE-2023-32187, a potential Denial of Service attack vector on K3s servers. See ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2",children:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2"})," for more information, including mandatory steps necessary to harden clusters against this vulnerability."]})}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1267",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1267k3s1",children:"Changes since v1.26.7+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Update flannel and plugins ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8075",children:"(#8075)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix tailscale bug with ip modes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8097",children:"(#8097)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Etcd snapshots retention when node name changes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8122",children:"(#8122)"})]}),"\n",(0,i.jsxs)(s.li,{children:["August Test Backports ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8126",children:"(#8126)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2023-08 release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8129",children:"(#8129)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"K3s's external apiserver listener now declines to add to its certificate any subject names not associated with the kubernetes apiserver service, server nodes, or values of the --tls-san option. This prevents the certificate's SAN list from being filled with unwanted entries."}),"\n",(0,i.jsxs)(s.li,{children:["K3s no longer enables the apiserver's ",(0,i.jsx)(s.code,{children:"enable-aggregator-routing"})," flag when the egress proxy is not being used to route connections to in-cluster endpoints."]}),"\n",(0,i.jsx)(s.li,{children:"Updated the embedded containerd to v1.7.3+k3s1"}),"\n",(0,i.jsx)(s.li,{children:"Updated the embedded runc to v1.1.8"}),"\n",(0,i.jsx)(s.li,{children:"Updated the embedded etcd to v3.5.9+k3s1"}),"\n",(0,i.jsxs)(s.li,{children:["User-provided containerd config templates may now use ",(0,i.jsx)(s.code,{children:'{{ template "base" . }}'})," to include the default K3s template content. This makes it easier to maintain user configuration if the only need is to add additional sections to the file."]}),"\n",(0,i.jsx)(s.li,{children:"Bump docker/docker module version to fix issues with cri-dockerd caused by recent releases of golang rejecting invalid host headers sent by the docker client."}),"\n",(0,i.jsx)(s.li,{children:"Updated kine to v0.10.2"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["K3s etcd-snapshot delete fail to delete local file when called with s3 flag ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8144",children:"(#8144)"})]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Fix for cluster-reset backup from s3 when etcd snapshots are disabled ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8170",children:"(#8170)"})]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fixed the etcd retention to delete orphaned snapshots based on the date ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8189",children:"(#8189)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Additional backports for 2023-08 release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8212",children:"(#8212)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The version of ",(0,i.jsx)(s.code,{children:"helm"})," used by the bundled helm controller's job image has been updated to v3.12.3"]}),"\n",(0,i.jsx)(s.li,{children:"Bumped dynamiclistener to address an issue that could cause the apiserver/supervisor listener on 6443 to stop serving requests on etcd-only nodes."}),"\n",(0,i.jsx)(s.li,{children:"The K3s external apiserver/supervisor listener on 6443 now sends a complete certificate chain in the TLS handshake."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Move flannel to 0.22.2 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8222",children:"(#8222)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.8 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8235",children:"(#8235)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add new CLI flag to enable TLS SAN CN filtering ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8258",children:"(#8258)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Added a new ",(0,i.jsx)(s.code,{children:"--tls-san-security"})," option. This flag defaults to false, but can be set to true to disable automatically adding SANs to the server's TLS certificate to satisfy any hostname requested by a client."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Add RWMutex to address controller ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8274",children:"(#8274)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1267k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.7+k3s1",children:"v1.26.7+k3s1"})]}),"\n",(0,i.jsxs)(s.p,{children:["This release updates Kubernetes to v1.26.7, and fixes a number of issues.\r\n\u200b\r\nFor more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1266",children:"Kubernetes release notes"}),".\r\n\u200b"]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1266k3s1",children:"Changes since v1.26.6+k3s1:"}),"\n",(0,i.jsx)(s.p,{children:"\u200b"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Remove file_windows.go ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7855",children:"(#7855)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix code spell check ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7859",children:"(#7859)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Allow k3s to customize apiServerPort on helm-controller ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7874",children:"(#7874)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Check if we are on ipv4, ipv6 or dualStack when doing tailscale ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7882",children:"(#7882)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Support setting control server URL for Tailscale. ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7893",children:"(#7893)"})]}),"\n",(0,i.jsxs)(s.li,{children:["S3 and Startup tests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7885",children:"(#7885)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix rootless node password ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7901",children:"(#7901)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2023-07 release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7908",children:"(#7908)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Resolved an issue that caused agents joined with kubeadm-style bootstrap tokens to fail to rejoin the cluster when their node object is deleted."}),"\n",(0,i.jsxs)(s.li,{children:["The ",(0,i.jsx)(s.code,{children:"k3s certificate rotate-ca"})," command now supports the data-dir flag."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Adding cli to custom klipper helm image ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7914",children:"(#7914)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The default helm-controller job image can now be overridden with the --helm-job-image CLI flag"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Generation of certs and keys for etcd gated if etcd is disabled ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7944",children:"(#7944)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Don't use zgrep in ",(0,i.jsx)(s.code,{children:"check-config"})," if apparmor profile is enforced ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7956",children:"(#7956)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix image_scan.sh script and download trivy version (#7950) ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7968",children:"(#7968)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Adjust default kubeconfig file permissions ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7983",children:"(#7983)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.7 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8022",children:"(#8022)"}),"\r\n\u200b"]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1266k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.6+k3s1",children:"v1.26.6+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.6, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1265",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1265k3s1",children:"Changes since v1.26.5+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Update flannel version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7648",children:"(#7648)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump vagrant libvirt with fix for plugin installs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7658",children:"(#7658)"})]}),"\n",(0,i.jsxs)(s.li,{children:["E2E and Dep Backports - June ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7693",children:"(#7693)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Bump docker go.mod #7681"}),"\n",(0,i.jsx)(s.li,{children:"Shortcircuit commands with version or help flags #7683"}),"\n",(0,i.jsx)(s.li,{children:"Add Rotation certification Check, remove func to restart agents #7097"}),"\n",(0,i.jsx)(s.li,{children:"E2E: Sudo for RunCmdOnNode #7686"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["VPN integration ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7727",children:"(#7727)"})]}),"\n",(0,i.jsxs)(s.li,{children:["E2e: Private registry test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7721",children:"(#7721)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix spelling check ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7751",children:"(#7751)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove unused libvirt config ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7757",children:"(#7757)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backport version bumps and bugfixes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7717",children:"(#7717)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The bundled metrics-server has been bumped to v0.6.3, and now uses only secure TLS ciphers by default."}),"\n",(0,i.jsxs)(s.li,{children:["The ",(0,i.jsx)(s.code,{children:"coredns-custom"})," ConfigMap now allows for ",(0,i.jsx)(s.code,{children:"*.override"})," sections to be included in the ",(0,i.jsx)(s.code,{children:".:53"})," default server block."]}),"\n",(0,i.jsx)(s.li,{children:"The K3s core controllers (supervisor, deploy, and helm) no longer use the admin kubeconfig. This makes it easier to determine from access and audit logs which actions are performed by the system, and which are performed by an administrative user."}),"\n",(0,i.jsx)(s.li,{children:"Bumped klipper-lb image to v0.4.4 to resolve an issue that prevented access to ServiceLB ports from localhost when the Service ExternalTrafficPolicy was set to Local."}),"\n",(0,i.jsx)(s.li,{children:"Make LB image configurable when compiling k3s"}),"\n",(0,i.jsx)(s.li,{children:"K3s now allows nodes to join the cluster even if the node password secret cannot be created at the time the node joins. The secret create will be retried in the background. This resolves a potential deadlock created by fail-closed validating webhooks that block secret creation, where the webhook is unavailable until new nodes join the cluster to run the webhook pod."}),"\n",(0,i.jsx)(s.li,{children:"The bundled containerd's aufs/devmapper/zfs snapshotter plugins have been restored. These were unintentionally omitted when moving containerd back into the k3s multicall binary in the previous release."}),"\n",(0,i.jsx)(s.li,{children:"The embedded helm controller has been bumped to v0.15.0, and now supports creating the chart's target namespace if it does not exist."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Add format command on makefile ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7762",children:"(#7762)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix logging and cleanup in Tailscale ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7782",children:"(#7782)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update Kubernetes to v1.26.6 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7789",children:"(#7789)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1265k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.5+k3s1",children:"v1.26.5+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.5, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1264",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1264k3s1",children:"Changes since v1.26.4+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Ensure that klog verbosity is set to the same level as logrus ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7360",children:"(#7360)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Prepend release branch to dependabot ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7374",children:"(#7374)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add integration tests for etc-snapshot server flags ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7377",children:"(#7377)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump Runc and Containerd ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7399",children:"(#7399)"})]}),"\n",(0,i.jsxs)(s.li,{children:["CLI + Config Enhancement ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7403",children:"(#7403)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:[(0,i.jsx)(s.code,{children:"--Tls-sans"})," now accepts multiple arguments: ",(0,i.jsx)(s.code,{children:'--tls-sans="foo,bar"'})]}),"\n",(0,i.jsxs)(s.li,{children:[(0,i.jsx)(s.code,{children:"Prefer-bundled-bin: true"})," now works properly when set in ",(0,i.jsx)(s.code,{children:"config.yaml.d"})," files"]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Migrate netutil methods into /utils/net.go ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7432",children:"(#7432)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump kube-router version to fix a bug when a port name is used ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7460",children:"(#7460)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Kube flags and longhorn storage tests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7465",children:"(#7465)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Local-storage: Fix permission ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7474",children:"(#7474)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd to v1.7.0 and move back into multicall binary ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7444",children:"(#7444)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The embedded containerd version has been bumped to ",(0,i.jsx)(s.code,{children:"v1.7.0-k3s1"}),", and has been reintegrated into the main k3s binary for a significant savings in release artifact size."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Backport version bumps and bugfixes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7514",children:"(#7514)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:'K3s now retries the cluster join operation when receiving a "too many learners" error from etcd. This most frequently occurred when attempting to add multiple servers at the same time.'}),"\n",(0,i.jsx)(s.li,{children:"K3s once again supports aarch64 nodes with page size > 4k"}),"\n",(0,i.jsx)(s.li,{children:"The packaged Traefik version has been bumped to v2.9.10 / chart 21.2.0"}),"\n",(0,i.jsxs)(s.li,{children:["K3s now prints a more meaningful error when attempting to run from a filesystem mounted ",(0,i.jsx)(s.code,{children:"noexec"}),"."]}),"\n",(0,i.jsxs)(s.li,{children:["K3s now exits with a proper error message when the server token uses a bootstrap token ",(0,i.jsx)(s.code,{children:"id.secret"})," format."]}),"\n",(0,i.jsx)(s.li,{children:"Fixed an issue where Addon, HelmChart, and HelmChartConfig CRDs were created without structural schema, allowing the creation of custom resources of these types with invalid content."}),"\n",(0,i.jsx)(s.li,{children:"Servers started with the (experimental) --disable-agent flag no longer attempt to run the tunnel authorizer agent component."}),"\n",(0,i.jsx)(s.li,{children:"Fixed an regression that prevented the pod and cluster egress-selector modes from working properly."}),"\n",(0,i.jsx)(s.li,{children:"K3s now correctly passes through etcd-args to the temporary etcd that is used to extract cluster bootstrap data when restarting managed etcd nodes."}),"\n",(0,i.jsx)(s.li,{children:"K3s now properly handles errors obtaining the current etcd cluster member list when a new server is joining the managed etcd cluster."}),"\n",(0,i.jsxs)(s.li,{children:["The embedded kine version has been bumped to v0.10.1. This replaces the legacy ",(0,i.jsx)(s.code,{children:"lib/pq"})," postgres driver with ",(0,i.jsx)(s.code,{children:"pgx"}),"."]}),"\n",(0,i.jsx)(s.li,{children:"The bundled CNI plugins have been upgraded to v1.2.0-k3s1. The bandwidth and firewall plugins are now included in the bundle."}),"\n",(0,i.jsx)(s.li,{children:"The embedded Helm controller now supports authenticating to chart repositories via credentials stored in a Secret, as well as passing repo CAs via ConfigMap."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd/runc to v1.7.1-k3s1/v1.1.7 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7534",children:"(#7534)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The bundled containerd and runc versions have been bumped to v1.7.1-k3s1/v1.1.7"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Wrap error stating that it is coming from netpol ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7547",children:"(#7547)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add '-all' flag to apply to inactive units ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7573",children:"(#7573)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.5-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7576",children:"(#7576)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Pin emicklei/go-restful to v3.9.0 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7598",children:"(#7598)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1264k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.4+k3s1",children:"v1.26.4+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.4, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1263",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1263k3s1",children:"Changes since v1.26.3+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Enhance ",(0,i.jsx)(s.code,{children:"k3s check-config"})," ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7091",children:"(#7091)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update stable channel to v1.25.8+k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7161",children:"(#7161)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Drone Pipelines enhancement ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7169",children:"(#7169)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix_get_sha_url ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7187",children:"(#7187)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Improve Updatecli local-path-provisioner pipeline ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7181",children:"(#7181)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Improve workflow ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7142",children:"(#7142)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Improve Trivy configuration ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7154",children:"(#7154)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump Local Path Provisioner version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7167",children:"(#7167)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The bundled local-path-provisioner version has been bumped to v0.0.24"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump etcd to v3.5.7 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7170",children:"(#7170)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded etcd version has been bumped to v3.5.7"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump runc to v1.1.5 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7171",children:"(#7171)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The bundled runc version has been bumped to v1.1.5"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix race condition caused by etcd advertising addresses that it does not listen on ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7147",children:"(#7147)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fixed a race condition during cluster reset that could cause the operation to hang and time out."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump coredns to v1.10.1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7168",children:"(#7168)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The bundled coredns version has been bumped to v1.10.1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Don't apply hardened args to agent ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7089",children:"(#7089)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Upgrade helm-controller to v0.13.3 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7209",children:"(#7209)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Improve Klipper Helm and Helm controller bumps ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7146",children:"(#7146)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix issue with stale connections to removed LB server ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7194",children:"(#7194)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The client load-balancer that maintains connections to active server nodes now closes connections to servers when they are removed from the cluster. This ensures that agent components immediately reconnect to a current cluster member."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump actions/setup-go from 3 to 4 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7111",children:"(#7111)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Lock bootstrap data with empty key to prevent conflicts ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7215",children:"(#7215)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"When using an external datastore, K3s now locks the bootstrap key while creating initial cluster bootstrap data, preventing a race condition when multiple servers attempted to initialize the cluster simultaneously."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Updated kube-router to move the default ACCEPT rule at the end of the chain ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7218",children:"(#7218)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded kube-router controller has been updated to fix a regression that caused traffic from pods to be blocked by any default drop/deny rules present on the host. Users should still confirm that any externally-managed firewall rules explicitly allow traffic to/from pod and service networks, but this returns the old behavior that was relied upon by some users."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Add make commands to terraform automation and fix external dbs related issue ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7159",children:"(#7159)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update klipper lb to v0.4.2 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7210",children:"(#7210)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add coreos and sle micro to selinux support ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6945",children:"(#6945)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix call for k3s-selinux versions in airgapped environments ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7264",children:"(#7264)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update Kube-router ACCEPT rule insertion and install script to clean rules before start ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7274",children:"(#7274)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded kube-router controller has been updated to fix a regression that caused traffic from pods to be blocked by any default drop/deny rules present on the host. Users should still confirm that any externally-managed firewall rules explicitly allow traffic to/from pod and service networks, but this returns the old behavior that was relied upon by some users."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.4-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7282",children:"(#7282)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump golang",":alpine"," image version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7292",children:"(#7292)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump Sonobuoy version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7256",children:"(#7256)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump Trivy version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7257",children:"(#7257)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1263k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.3+k3s1",children:"v1.26.3+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.3, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1262",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1262k3s1",children:"Changes since v1.26.2+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Add E2E to Drone ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6890",children:"(#6890)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add flannel adr ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6973",children:"(#6973)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update flannel and kube-router ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7039",children:"(#7039)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump various dependencies for CVEs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7044",children:"(#7044)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Adds a warning about editing to the containerd config.toml file ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7057",children:"(#7057)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update stable version in channel server ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7066",children:"(#7066)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Wait for kubelet port to be ready before setting ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7041",children:"(#7041)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The agent tunnel authorizer now waits for the kubelet to be ready before reading the kubelet port from the node object."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Improve support for rotating the default self-signed certs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7032",children:"(#7032)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The ",(0,i.jsx)(s.code,{children:"k3s certificate rotate-ca"})," checks now support rotating self-signed certificates without the ",(0,i.jsx)(s.code,{children:"--force"})," option."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Skip all pipelines based on what is in the PR ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6996",children:"(#6996)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add missing kernel config checks ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6946",children:"(#6946)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove deprecated nodeSelector label beta.kubernetes.io/os ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6970",children:"(#6970)"})]}),"\n",(0,i.jsxs)(s.li,{children:["MultiClusterCIDR for v1.26 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6885",children:"(#6885)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"MultiClusterCIDR feature"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Remove Nikolai from MAINTAINERS list ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7088",children:"(#7088)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add automation for Restart command for K3s ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7002",children:"(#7002)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix to Rotate CA e2e test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7101",children:"(#7101)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Drone: Cleanup E2E VMs on test panic ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7104",children:"(#7104)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.3-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7108",children:"(#7108)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Pin golangci-lint version to v1.51.2 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7113",children:"(#7113)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Clean E2E VMs before testing ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7109",children:"(#7109)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update flannel to fix NAT issue with old iptables version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7136",children:"(#7136)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1262k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.2+k3s1",children:"v1.26.2+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.2, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1261",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1261k3s1",children:"Changes since v1.26.1+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Add build tag to disable cri-dockerd ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6760",children:"(#6760)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump cri-dockerd ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6797",children:"(#6797)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded cri-dockerd has been updated to v0.3.1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update stable channel to v1.25.6+k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6828",children:"(#6828)"})]}),"\n",(0,i.jsxs)(s.li,{children:["E2E Rancher and Hardened script improvements ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6778",children:"(#6778)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add Ayedo to Adopters ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6801",children:"(#6801)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Consolidate E2E tests and GH Actions ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6772",children:"(#6772)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Allow ServiceLB to honor ",(0,i.jsx)(s.code,{children:"ExternalTrafficPolicy=Local"})," ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6726",children:"(#6726)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"ServiceLB now honors the Service's ExternalTrafficPolicy. When set to Local, the LoadBalancer will only advertise addresses of Nodes with a Pod for the Service, and will not forward traffic to other cluster members."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix cronjob example ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6707",children:"(#6707)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump vagrant boxes to fedora37 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6832",children:"(#6832)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Ensure flag type consistency ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6852",children:"(#6852)"})]}),"\n",(0,i.jsxs)(s.li,{children:["E2E: Consoldiate docker and prefer bundled tests into new startup test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6851",children:"(#6851)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix reference to documentation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6860",children:"(#6860)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump deps: trivy, sonobuoy, dapper, golangci-lint, gopls ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6807",children:"(#6807)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix check for (open)SUSE version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6791",children:"(#6791)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add support for user-provided CA certificates ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6615",children:"(#6615)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["K3s now functions properly when the cluster CA certificates are signed by an existing root or intermediate CA. You can find a sample script for generating such certificates before K3s starts in the github repo at ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/blob/master/contrib/util/certs.sh",children:"contrib/util/certs.sh"}),"."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Ignore value conflicts when reencrypting secrets ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6850",children:"(#6850)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add ",(0,i.jsx)(s.code,{children:"kubeadm"})," style bootstrap token secret support ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6663",children:"(#6663)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["K3s now supports ",(0,i.jsx)(s.code,{children:"kubeadm"})," style join tokens. ",(0,i.jsx)(s.code,{children:"k3s token create"})," now creates join token secrets, optionally with a limited TTL."]}),"\n",(0,i.jsx)(s.li,{children:"K3s agents joined with an expired or deleted token stay in the cluster using existing client certificates via the NodeAuthorization admission plugin, unless their Node object is deleted from the cluster."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Add NATS to the list of supported data stores ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6876",children:"(#6876)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Use default address family when adding kubernetes service address to SAN list ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6857",children:"(#6857)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The apiserver advertised address and IP SAN entry are now set correctly on clusters that use IPv6 as the default IP family."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix issue with servicelb startup failure when validating webhooks block creation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6911",children:"(#6911)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded cloud controller manager will no longer attempt to unconditionally re-create its namespace and serviceaccount on startup. This resolves an issue that could cause a deadlocked cluster when fail-closed webhooks are in use."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix access to hostNetwork port on NodeIP when egress-selector-mode=agent ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6829",children:"(#6829)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fixed an issue that would cause the apiserver egress proxy to attempt to use the agent tunnel to connect to service endpoints even in agent or disabled mode."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Wait for server to become ready before creating token ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6932",children:"(#6932)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Allow for multiple sets of leader-elected controllers ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6922",children:"(#6922)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fixed an issue where leader-elected controllers for managed etcd did not run on etcd-only nodes"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update Flannel to v0.21.1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6944",children:"(#6944)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix Nightly E2E tests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6950",children:"(#6950)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix etcd and ca-cert rotate issues ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6952",children:"(#6952)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix ServiceLB dual-stack ingress IP listing ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6979",children:"(#6979)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Resolved an issue with ServiceLB that would cause it to advertise node IPv6 addresses, even if the cluster or service was not enabled for dual-stack operation."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump kine to v0.9.9 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6974",children:"(#6974)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The embedded kine version has been bumped to v0.9.9. Compaction log messages are now omitted at ",(0,i.jsx)(s.code,{children:"info"})," level for increased visibility."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.2-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7011",children:"(#7011)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1261k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.1+k3s1",children:"v1.26.1+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.1, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1260",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1260k3s2",children:"Changes since v1.26.0+k3s2:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Add jitter to scheduled snapshots and retry harder on conflicts ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6715",children:"(#6715)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Scheduled etcd snapshots are now offset by a short random delay of up to several seconds. This should prevent multi-server clusters from executing pathological behavior when attempting to simultaneously update the snapshot list ConfigMap. The snapshot controller will also be more persistent in attempting to update the snapshot list."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Adjust e2e test run script and fixes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6718",children:"(#6718)"})]}),"\n",(0,i.jsxs)(s.li,{children:["RIP Codespell ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6701",children:"(#6701)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump alpine from 3.16 to 3.17 in /package ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6688",children:"(#6688)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump alpine from 3.16 to 3.17 in /conformance ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6687",children:"(#6687)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd to v1.6.15-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6722",children:"(#6722)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded containerd version has been bumped to v1.6.15-k3s1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Containerd restart testlet ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6696",children:"(#6696)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump ubuntu from 20.04 to 22.04 in /tests/e2e/scripts ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6686",children:"(#6686)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add explicit read permissions to workflows ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6700",children:"(#6700)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Pass through default tls-cipher-suites ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6725",children:"(#6725)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The K3s default cipher suites are now explicitly passed in to kube-apiserver, ensuring that all listeners use these values."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump golang",":alpine"," image version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6683",children:"(#6683)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bugfix: do not break cert-manager when pprof is enabled ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6635",children:"(#6635)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix CI tests on Alpine 3.17 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6744",children:"(#6744)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update Stable to 1.25.5+k3s2 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6753",children:"(#6753)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump action/download-artifact to v3 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6746",children:"(#6746)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Generate report and upload test results ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6737",children:"(#6737)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Slow dependency CI to weekly ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6764",children:"(#6764)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix Drone plugins/docker tag for 32 bit arm ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6769",children:"(#6769)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.1-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6774",children:"(#6774)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1260k3s2",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.0+k3s2",children:"v1.26.0+k3s2"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates containerd to v1.6.14 to resolve an issue where pods would lose their CNI information when containerd was restarted, as well as a number of other stability and administrative changes."}),"\n",(0,i.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1260k3s1",children:"Changes since v1.26.0+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Current status badges ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6653",children:"(#6653)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add initial Updatecli ADR automation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6583",children:"(#6583)"})]}),"\n",(0,i.jsxs)(s.li,{children:["December 2022 channels update ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6618",children:"(#6618)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Change Updatecli GH action reference branch ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6682",children:"(#6682)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix OpenRC init script error 'openrc-run.sh: source: not found' ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6614",children:"(#6614)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add Dependabot config for security ADR ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6560",children:"(#6560)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd to v1.6.14-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6693",children:"(#6693)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The embedded containerd version has been bumped to v1.6.14-k3s1. This includes a backported fix for ",(0,i.jsx)(s.a,{href:"https://github.com/containerd/containerd/issues/7843",children:"containerd/7843"})," which caused pods to lose their CNI info when containerd was restarted, which in turn caused the kubelet to recreate the pod."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Exclude December r1 releases from channel server ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6706",children:"(#6706)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1260k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.0+k3s1",children:"v1.26.0+k3s1"})]}),"\n",(0,i.jsxs)(s.blockquote,{children:["\n",(0,i.jsx)(s.h2,{id:"\ufe0f-warning",children:"\u26a0\ufe0f WARNING"}),"\n",(0,i.jsxs)(s.p,{children:["This release is affected by ",(0,i.jsx)(s.a,{href:"https://github.com/containerd/containerd/issues/7843",children:"https://github.com/containerd/containerd/issues/7843"}),", which causes the kubelet to restart all pods whenever K3s is restarted. For this reason, we have removed this K3s release from the channel server. Please use ",(0,i.jsx)(s.code,{children:"v1.26.0+k3s2"})," instead."]}),"\n"]}),"\n",(0,i.jsx)(s.p,{children:"This release is K3S's first in the v1.26 line. This release updates Kubernetes to v1.26.0."}),"\n",(0,i.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1255k3s1",children:"Changes since v1.25.5+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Remove deprecated flags in v1.26 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6574",children:"(#6574)"})]}),"\n",(0,i.jsxs)(s.li,{children:['Using "etcd-snapshot" for saving snapshots is now deprecated, use "etcd-snapshot save" instead. ',(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6575",children:"(#6575)"})]}),"\n",(0,i.jsx)(s.li,{children:"Update to v1.26.0-k3s1"}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Update kubernetes to v1.26.0-k3s1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Update cri-tools to v1.26.0-rc.0-k3s1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Update helm controller to v0.13.1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Update etcd to v3.5.5-k3s1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Update cri-dockerd to the latest 1.26.0"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Update cadvisor"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Update containerd to v1.6.12-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6370",children:"(#6370)"})]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Preload iptable_filter/ip6table_filter ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6645",children:"(#6645)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump k3s-root version to v0.12.1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6651",children:"(#6651)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{})]})}function o(e={}){const{wrapper:s}={...(0,r.a)(),...e.components};return s?(0,i.jsx)(s,{...e,children:(0,i.jsx)(a,{...e})}):a(e)}},1151:(e,s,t)=>{t.d(s,{Z:()=>h,a:()=>l});var i=t(7294);const r={},n=i.createContext(r);function l(e){const s=i.useContext(n);return i.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function h(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:l(e.components),i.createElement(n.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/0ce5aa86.a0c55954.js b/assets/js/0ce5aa86.a0c55954.js deleted file mode 100644 index 284655084..000000000 --- a/assets/js/0ce5aa86.a0c55954.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[1620],{3012:(e,s,t)=>{t.r(s),t.d(s,{assets:()=>c,contentTitle:()=>l,default:()=>o,frontMatter:()=>n,metadata:()=>h,toc:()=>d});var i=t(5893),r=t(1151);const n={hide_table_of_contents:!0,sidebar_position:5},l="v1.26.X",h={id:"release-notes/v1.26.X",title:"v1.26.X",description:"Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.",source:"@site/docs/release-notes/v1.26.X.md",sourceDirName:"release-notes",slug:"/release-notes/v1.26.X",permalink:"/release-notes/v1.26.X",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/release-notes/v1.26.X.md",tags:[],version:"current",lastUpdatedAt:172365169e4,sidebarPosition:5,frontMatter:{hide_table_of_contents:!0,sidebar_position:5},sidebar:"mySidebar",previous:{title:"v1.27.X",permalink:"/release-notes/v1.27.X"},next:{title:"v1.25.X",permalink:"/release-notes/v1.25.X"}},c={},d=[{value:"Release v1.26.15+k3s1",id:"release-v12615k3s1",level:2},{value:"Changes since v1.26.14+k3s1:",id:"changes-since-v12614k3s1",level:3},{value:"Release v1.26.14+k3s1",id:"release-v12614k3s1",level:2},{value:"Changes since v1.26.13+k3s2:",id:"changes-since-v12613k3s2",level:3},{value:"Release v1.26.13+k3s2",id:"release-v12613k3s2",level:2},{value:"Changes since v1.26.12+k3s1:",id:"changes-since-v12612k3s1",level:3},{value:"Release v1.26.12+k3s1",id:"release-v12612k3s1",level:2},{value:"Changes since v1.26.11+k3s2:",id:"changes-since-v12611k3s2",level:3},{value:"Release v1.26.11+k3s2",id:"release-v12611k3s2",level:2},{value:"Changes since v1.26.10+k3s2:",id:"changes-since-v12610k3s2",level:3},{value:"Release v1.26.10+k3s2",id:"release-v12610k3s2",level:2},{value:"Changes since v1.26.10+k3s1:",id:"changes-since-v12610k3s1",level:3},{value:"Release v1.26.10+k3s1",id:"release-v12610k3s1",level:2},{value:"Changes since v1.26.9+k3s1:",id:"changes-since-v1269k3s1",level:3},{value:"Release v1.26.9+k3s1",id:"release-v1269k3s1",level:2},{value:"Changes since v1.26.8+k3s1:",id:"changes-since-v1268k3s1",level:3},{value:"Release v1.26.8+k3s1",id:"release-v1268k3s1",level:2},{value:"Changes since v1.26.7+k3s1:",id:"changes-since-v1267k3s1",level:3},{value:"Release v1.26.7+k3s1",id:"release-v1267k3s1",level:2},{value:"Changes since v1.26.6+k3s1:",id:"changes-since-v1266k3s1",level:3},{value:"Release v1.26.6+k3s1",id:"release-v1266k3s1",level:2},{value:"Changes since v1.26.5+k3s1:",id:"changes-since-v1265k3s1",level:3},{value:"Release v1.26.5+k3s1",id:"release-v1265k3s1",level:2},{value:"Changes since v1.26.4+k3s1:",id:"changes-since-v1264k3s1",level:3},{value:"Release v1.26.4+k3s1",id:"release-v1264k3s1",level:2},{value:"Changes since v1.26.3+k3s1:",id:"changes-since-v1263k3s1",level:3},{value:"Release v1.26.3+k3s1",id:"release-v1263k3s1",level:2},{value:"Changes since v1.26.2+k3s1:",id:"changes-since-v1262k3s1",level:3},{value:"Release v1.26.2+k3s1",id:"release-v1262k3s1",level:2},{value:"Changes since v1.26.1+k3s1:",id:"changes-since-v1261k3s1",level:3},{value:"Release v1.26.1+k3s1",id:"release-v1261k3s1",level:2},{value:"Changes since v1.26.0+k3s2:",id:"changes-since-v1260k3s2",level:3},{value:"Release v1.26.0+k3s2",id:"release-v1260k3s2",level:2},{value:"Changes since v1.26.0+k3s1:",id:"changes-since-v1260k3s1",level:3},{value:"Release v1.26.0+k3s1",id:"release-v1260k3s1",level:2},{value:"\u26a0\ufe0f WARNING",id:"\ufe0f-warning",level:2},{value:"Changes since v1.25.5+k3s1:",id:"changes-since-v1255k3s1",level:3}];function a(e){const s={a:"a",admonition:"admonition",blockquote:"blockquote",code:"code",h1:"h1",h2:"h2",h3:"h3",hr:"hr",li:"li",p:"p",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,r.a)(),...e.components};return(0,i.jsxs)(i.Fragment,{children:[(0,i.jsx)(s.h1,{id:"v126x",children:"v1.26.X"}),"\n",(0,i.jsx)(s.admonition,{title:"Upgrade Notice",type:"warning",children:(0,i.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]})}),"\n",(0,i.jsxs)(s.table,{children:[(0,i.jsx)(s.thead,{children:(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.th,{children:"Version"}),(0,i.jsx)(s.th,{children:"Release date"}),(0,i.jsx)(s.th,{children:"Kubernetes"}),(0,i.jsx)(s.th,{children:"Kine"}),(0,i.jsx)(s.th,{children:"SQLite"}),(0,i.jsx)(s.th,{children:"Etcd"}),(0,i.jsx)(s.th,{children:"Containerd"}),(0,i.jsx)(s.th,{children:"Runc"}),(0,i.jsx)(s.th,{children:"Flannel"}),(0,i.jsx)(s.th,{children:"Metrics-server"}),(0,i.jsx)(s.th,{children:"Traefik"}),(0,i.jsx)(s.th,{children:"CoreDNS"}),(0,i.jsx)(s.th,{children:"Helm-controller"}),(0,i.jsx)(s.th,{children:"Local-path-provisioner"})]})}),(0,i.jsxs)(s.tbody,{children:[(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v12615k3s1",children:"v1.26.15+k3s1"})}),(0,i.jsx)(s.td,{children:"Mar 25 2024"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v12615",children:"v1.26.15"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.4",children:"v0.11.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2.26",children:"v1.7.11-k3s2.26"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v12614k3s1",children:"v1.26.14+k3s1"})}),(0,i.jsx)(s.td,{children:"Feb 29 2024"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v12614",children:"v1.26.14"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.4",children:"v0.11.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2.26",children:"v1.7.11-k3s2.26"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.8",children:"v0.15.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v12613k3s2",children:"v1.26.13+k3s2"})}),(0,i.jsx)(s.td,{children:"Feb 06 2024"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v12613",children:"v1.26.13"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2.26",children:"v1.7.11-k3s2.26"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.8",children:"v0.15.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v12612k3s1",children:"v1.26.12+k3s1"})}),(0,i.jsx)(s.td,{children:"Dec 27 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v12612",children:"v1.26.12"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2.26",children:"v1.7.11-k3s2.26"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.10",children:"v1.1.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v12611k3s2",children:"v1.26.11+k3s2"})}),(0,i.jsx)(s.td,{children:"Dec 07 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v12611",children:"v1.26.11"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1.26",children:"v1.7.7-k3s1.26"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v12610k3s2",children:"v1.26.10+k3s2"})}),(0,i.jsx)(s.td,{children:"Nov 08 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v12610",children:"v1.26.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1.26",children:"v1.7.7-k3s1.26"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v12610k3s1",children:"v1.26.10+k3s1"})}),(0,i.jsx)(s.td,{children:"Oct 30 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v12610",children:"v1.26.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1.26",children:"v1.7.7-k3s1.26"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v1269k3s1",children:"v1.26.9+k3s1"})}),(0,i.jsx)(s.td,{children:"Sep 20 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1269",children:"v1.26.9"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.6-k3s1.26",children:"v1.7.6-k3s1.26"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v1268k3s1",children:"v1.26.8+k3s1"})}),(0,i.jsx)(s.td,{children:"Sep 05 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1268",children:"v1.26.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.2",children:"v0.10.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.3-k3s1",children:"v1.7.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v1267k3s1",children:"v1.26.7+k3s1"})}),(0,i.jsx)(s.td,{children:"Jul 27 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1267",children:"v1.26.7"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.7-k3s1",children:"v3.5.7-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.0",children:"v0.22.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.2",children:"v0.15.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v1266k3s1",children:"v1.26.6+k3s1"})}),(0,i.jsx)(s.td,{children:"Jun 26 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1266",children:"v1.26.6"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.7-k3s1",children:"v3.5.7-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.0",children:"v0.22.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.0",children:"v0.15.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v1265k3s1",children:"v1.26.5+k3s1"})}),(0,i.jsx)(s.td,{children:"May 26 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1265",children:"v1.26.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.7-k3s1",children:"v3.5.7-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.4",children:"v0.21.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.14.0",children:"v0.14.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v1264k3s1",children:"v1.26.4+k3s1"})}),(0,i.jsx)(s.td,{children:"Apr 20 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1264",children:"v1.26.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.7-k3s1",children:"v3.5.7-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.19-k3s1",children:"v1.6.19-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.5",children:"v1.1.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.4",children:"v0.21.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.3",children:"v0.13.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v1263k3s1",children:"v1.26.3+k3s1"})}),(0,i.jsx)(s.td,{children:"Mar 27 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1263",children:"v1.26.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.5-k3s1",children:"v3.5.5-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.19-k3s1",children:"v1.6.19-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.4",children:"v0.21.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v1262k3s1",children:"v1.26.2+k3s1"})}),(0,i.jsx)(s.td,{children:"Mar 10 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1262",children:"v1.26.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.5-k3s1",children:"v3.5.5-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.15-k3s1",children:"v1.6.15-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.1",children:"v0.21.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v1261k3s1",children:"v1.26.1+k3s1"})}),(0,i.jsx)(s.td,{children:"Jan 26 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1261",children:"v1.26.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.8",children:"v0.9.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.5-k3s1",children:"v3.5.5-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.15-k3s1",children:"v1.6.15-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.2",children:"v0.20.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v1260k3s2",children:"v1.26.0+k3s2"})}),(0,i.jsx)(s.td,{children:"Jan 11 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1260",children:"v1.26.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.8",children:"v0.9.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.5-k3s1",children:"v3.5.5-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.14-k3s1",children:"v1.6.14-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.2",children:"v0.20.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v1260k3s1",children:"v1.26.0+k3s1"})}),(0,i.jsx)(s.td,{children:"Dec 21 2022"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1260",children:"v1.26.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.8",children:"v0.9.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.5-k3s1",children:"v3.5.5-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.12-k3s1",children:"v1.6.12-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.2",children:"v0.20.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]})]})]}),"\n",(0,i.jsx)("br",{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12615k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.15+k3s1",children:"v1.26.15+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.15, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v12614",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12614k3s1",children:"Changes since v1.26.14+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Update klipper-lb image version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9607",children:"(#9607)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Install and Unit test backports ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9645",children:"(#9645)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Adjust first node-ip based on configured clusterCIDR ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9633",children:"(#9633)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add an integration test for flannel-backend=none ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9610",children:"(#9610)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Improve tailscale e2e test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9655",children:"(#9655)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2024-03 release cycle ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9692",children:"(#9692)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fix: use correct wasm shims names"}),"\n",(0,i.jsx)(s.li,{children:"The embedded flannel cni-plugin binary is now built and versioned separate from the rest of the cni plugins and the embedded flannel controller."}),"\n",(0,i.jsx)(s.li,{children:"Bump spegel to v0.0.18-k3s3"}),"\n",(0,i.jsx)(s.li,{children:"Adds wildcard registry support"}),"\n",(0,i.jsx)(s.li,{children:"Fixes issue with excessive CPU utilization while waiting for containerd to start"}),"\n",(0,i.jsx)(s.li,{children:"Add env var to allow spegel mirroring of latest tag"}),"\n",(0,i.jsx)(s.li,{children:"Tweak netpol node wait logs"}),"\n",(0,i.jsx)(s.li,{children:"Fix coredns NodeHosts on dual-stack clusters"}),"\n",(0,i.jsx)(s.li,{children:"Bump helm-controller/klipper-helm versions"}),"\n",(0,i.jsx)(s.li,{children:"Fix snapshot prune"}),"\n",(0,i.jsx)(s.li,{children:"Fix issue with etcd node name missing hostname"}),"\n",(0,i.jsx)(s.li,{children:"Rootless mode should also bind service nodePort to host for LoadBalancer type, matching UX of rootful mode."}),"\n",(0,i.jsxs)(s.li,{children:["To enable raw output for the ",(0,i.jsx)(s.code,{children:"check-config"})," subcommand, you may now set NO_COLOR=1"]}),"\n",(0,i.jsx)(s.li,{children:"Fix additional corner cases in registries handling"}),"\n",(0,i.jsx)(s.li,{children:"Bump metrics-server to v0.7.0"}),"\n",(0,i.jsx)(s.li,{children:"K3s will now warn and suppress duplicate entries in the mirror endpoint list for a registry. Containerd does not support listing the same endpoint multiple times as a mirror for a single upstream registry."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix wildcard entry upstream fallback ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9735",children:"(#9735)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.15-k3s1 and Go 1.21.8 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9740",children:"(#9740)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12614k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.14+k3s1",children:"v1.26.14+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.14, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v12613",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12613k3s2",children:"Changes since v1.26.13+k3s2:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Chore: bump Local Path Provisioner version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9428",children:"(#9428)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump cri-dockerd to fix compat with Docker Engine 25 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9292",children:"(#9292)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Auto Dependency Bump ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9421",children:"(#9421)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Runtimes refactor using exec.LookPath ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9429",children:"(#9429)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Directories containing runtimes need to be included in the $PATH environment variable for effective runtime detection."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Changed how lastHeartBeatTime works in the etcd condition ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9423",children:"(#9423)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Allow executors to define containerd and docker behavior ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9252",children:"(#9252)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update Kube-router to v2.0.1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9406",children:"(#9406)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2024-02 release cycle ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9464",children:"(#9464)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump flannel version + remove multiclustercidr ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9409",children:"(#9409)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Enable longer http timeout requests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9446",children:"(#9446)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Test_UnitApplyContainerdQoSClassConfigFileIfPresent ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9442",children:"(#9442)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Support PR testing installs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9471",children:"(#9471)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update Kubernetes to v1.26.14 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9490",children:"(#9490)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix drone publish for arm ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9510",children:"(#9510)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove failing Drone step ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9514",children:"(#9514)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Restore original order of agent startup functions ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9547",children:"(#9547)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix netpol startup when flannel is disabled ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9580",children:"(#9580)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12613k3s2",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.13+k3s2",children:"v1.26.13+k3s2"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.13, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v12612",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.p,{children:(0,i.jsx)(s.strong,{children:"Important Notes"})}),"\n",(0,i.jsxs)(s.p,{children:["Addresses the runc CVE: ",(0,i.jsx)(s.a,{href:"https://nvd.nist.gov/vuln/detail/CVE-2024-21626",children:"CVE-2024-21626"})," by updating runc to v1.1.12."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12612k3s1",children:"Changes since v1.26.12+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Add a retry around updating a secrets-encrypt node annotations ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9123",children:"(#9123)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Added support for env *_PROXY variables for agent loadbalancer ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9116",children:"(#9116)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Wait for taint to be gone in the node before starting the netpol controller ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9177",children:"(#9177)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Etcd condition ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9183",children:"(#9183)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2024-01 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9212",children:"(#9212)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Move proxy dialer out of init() and fix crash ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9221",children:"(#9221)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Pin opa version for missing dependency chain ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9218",children:"(#9218)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Etcd node is nil ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9230",children:"(#9230)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.13 and Go 1.20.13 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9262",children:"(#9262)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Use ",(0,i.jsx)(s.code,{children:"ipFamilyPolicy: RequireDualStack"})," for dual-stack kube-dns ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9271",children:"(#9271)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2024-01 k3s2 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9338",children:"(#9338)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Bump runc to v1.1.12 and helm-controller to v0.15.7"}),"\n",(0,i.jsx)(s.li,{children:"Fix handling of bare hostname or IP as endpoint address in registries.yaml"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump helm-controller to fix issue with ChartContent ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9348",children:"(#9348)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12612k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.12+k3s1",children:"v1.26.12+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.12, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v12611",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12611k3s2",children:"Changes since v1.26.11+k3s2:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Runtimes backport ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9014",children:"(#9014)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Added runtime classes for wasm/nvidia/crun"}),"\n",(0,i.jsx)(s.li,{children:"Added default runtime flag for containerd"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd/runc to v1.7.10-k3s1/v1.1.10 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8964",children:"(#8964)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix overlapping address range ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9019",children:"(#9019)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Allow setting default-runtime on servers ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9028",children:"(#9028)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd to v1.7.11 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9042",children:"(#9042)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.12-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9077",children:"(#9077)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12611k3s2",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.11+k3s2",children:"v1.26.11+k3s2"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.11, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v12610",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12610k3s2",children:"Changes since v1.26.10+k3s2:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Etcd status condition ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8820",children:"(#8820)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2023-11 release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8879",children:"(#8879)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["New timezone info in Docker image allows the use of ",(0,i.jsx)(s.code,{children:"spec.timeZone"})," in CronJobs"]}),"\n",(0,i.jsx)(s.li,{children:"Bumped kine to v0.11.0 to resolve issues with postgres and NATS, fix performance of watch channels under heavy load, and improve compatibility with the reference implementation."}),"\n",(0,i.jsxs)(s.li,{children:["Containerd may now be configured to use rdt or blockio configuration by defining ",(0,i.jsx)(s.code,{children:"rdt_config.yaml"})," or ",(0,i.jsx)(s.code,{children:"blockio_config.yaml"})," files."]}),"\n",(0,i.jsx)(s.li,{children:"Add agent flag disable-apiserver-lb, agent will not start load balance proxy."}),"\n",(0,i.jsx)(s.li,{children:"Improved ingress IP ordering from ServiceLB"}),"\n",(0,i.jsx)(s.li,{children:"Disable helm CRD installation for disable-helm-controller"}),"\n",(0,i.jsx)(s.li,{children:"Omit snapshot list configmap entries for snapshots without extra metadata"}),"\n",(0,i.jsx)(s.li,{children:"Add jitter to client config retry to avoid hammering servers when they are starting up"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Add warning for removal of multiclustercidr flag ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8760",children:"(#8760)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Handle nil pointer when runtime core is not ready in etcd ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8888",children:"(#8888)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Improve dualStack log ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8829",children:"(#8829)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump dynamiclistener; reduce snapshot controller log spew ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8903",children:"(#8903)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Bumped dynamiclistener to address a race condition that could cause a server to fail to sync its certificates into the Kubernetes secret"}),"\n",(0,i.jsx)(s.li,{children:"Reduced etcd snapshot log spam during initial cluster startup"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix etcd snapshot S3 issues ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8938",children:"(#8938)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Don't apply S3 retention if S3 client failed to initialize"}),"\n",(0,i.jsx)(s.li,{children:"Don't request metadata when listing S3 snapshots"}),"\n",(0,i.jsx)(s.li,{children:"Print key instead of file path in snapshot metadata log message"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.11 and Go to 1.20.11 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8922",children:"(#8922)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove s390x ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9000",children:"(#9000)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12610k3s2",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.10+k3s2",children:"v1.26.10+k3s2"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.10, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v12610",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12610k3s1",children:"Changes since v1.26.10+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Fix SystemdCgroup in templates_linux.go ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8766",children:"(#8766)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fixed an issue with identifying additional container runtimes"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update traefik chart to v25.0.0 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8776",children:"(#8776)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update traefik to fix registry value ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8790",children:"(#8790)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12610k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.10+k3s1",children:"v1.26.10+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.10, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1269",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1269k3s1",children:"Changes since v1.26.9+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Fix error reporting ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8412",children:"(#8412)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add context to flannel errors ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8420",children:"(#8420)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Testing Backports for September ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8300",children:"(#8300)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Include the interface name in the error message ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8436",children:"(#8436)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update kube-router ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8444",children:"(#8444)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add extraArgs to tailscale ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8465",children:"(#8465)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Added error when cluster reset while using server flag ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8456",children:"(#8456)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The user will receive a error when --cluster-reset with the --server flag"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Cluster reset from non bootstrap nodes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8453",children:"(#8453)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix spellcheck problem ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8510",children:"(#8510)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Take IPFamily precedence based on order ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8505",children:"(#8505)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Network defaults are duplicated, remove one ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8552",children:"(#8552)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Advertise address integration test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8517",children:"(#8517)"})]}),"\n",(0,i.jsxs)(s.li,{children:["System agent push tags fix ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8570",children:"(#8570)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fixed tailscale node IP dualstack mode in case of IPv4 only node ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8559",children:"(#8559)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Server Token Rotation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8577",children:"(#8577)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Users can now rotate the server token using ",(0,i.jsx)(s.code,{children:"k3s token rotate -t --new-token "}),". After command succeeds, all server nodes must be restarted with the new token."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Clear remove annotations on cluster reset ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8590",children:"(#8590)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fixed an issue that could cause k3s to attempt to remove members from the etcd cluster immediately following a cluster-reset/restore, if they were queued for removal at the time the snapshot was taken."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Use IPv6 in case is the first configured IP with dualstack ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8598",children:"(#8598)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2023-10 release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8616",children:"(#8616)"})]}),"\n",(0,i.jsxs)(s.li,{children:["E2E Domain Drone Cleanup ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8583",children:"(#8583)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update kube-router package in build script ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8635",children:"(#8635)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add etcd-only/control-plane-only server test and fix control-plane-only server crash ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8643",children:"(#8643)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Use ",(0,i.jsx)(s.code,{children:"version.Program"})," not K3s in token rotate logs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8655",children:"(#8655)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Windows agent support ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8647",children:"(#8647)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add --image-service-endpoint flag (#8279) ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8663",children:"(#8663)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Add ",(0,i.jsx)(s.code,{children:"--image-service-endpoint"})," flag to specify an external image service socket."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Backport etcd fixes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8691",children:"(#8691)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Re-enable etcd endpoint auto-sync"}),"\n",(0,i.jsx)(s.li,{children:"Manually requeue configmap reconcile when no nodes have reconciled snapshots"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.10 and Go to v1.20.10 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8680",children:"(#8680)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix s3 snapshot restore ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8734",children:"(#8734)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1269k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.9+k3s1",children:"v1.26.9+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.9, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1268",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1268k3s1",children:"Changes since v1.26.8+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Bump kine to v0.10.3 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8325",children:"(#8325)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.9 and go to v1.20.8 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8357",children:"(#8357)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Bump embedded containerd to v1.7.6"}),"\n",(0,i.jsx)(s.li,{children:"Bump embedded stargz-snapshotter plugin to latest"}),"\n",(0,i.jsx)(s.li,{children:"Fixed intermittent drone CI failures due to race conditions in test environment setup scripts"}),"\n",(0,i.jsx)(s.li,{children:"Fixed CI failures due to changes to api discovery changes in Kubernetes 1.28"}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1268k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.8+k3s1",children:"v1.26.8+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.8, and fixes a number of issues."}),"\n",(0,i.jsx)(s.admonition,{title:"Important",type:"warning",children:(0,i.jsxs)(s.p,{children:["This release includes support for remediating CVE-2023-32187, a potential Denial of Service attack vector on K3s servers. See ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2",children:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2"})," for more information, including mandatory steps necessary to harden clusters against this vulnerability."]})}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1267",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1267k3s1",children:"Changes since v1.26.7+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Update flannel and plugins ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8075",children:"(#8075)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix tailscale bug with ip modes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8097",children:"(#8097)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Etcd snapshots retention when node name changes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8122",children:"(#8122)"})]}),"\n",(0,i.jsxs)(s.li,{children:["August Test Backports ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8126",children:"(#8126)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2023-08 release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8129",children:"(#8129)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"K3s's external apiserver listener now declines to add to its certificate any subject names not associated with the kubernetes apiserver service, server nodes, or values of the --tls-san option. This prevents the certificate's SAN list from being filled with unwanted entries."}),"\n",(0,i.jsxs)(s.li,{children:["K3s no longer enables the apiserver's ",(0,i.jsx)(s.code,{children:"enable-aggregator-routing"})," flag when the egress proxy is not being used to route connections to in-cluster endpoints."]}),"\n",(0,i.jsx)(s.li,{children:"Updated the embedded containerd to v1.7.3+k3s1"}),"\n",(0,i.jsx)(s.li,{children:"Updated the embedded runc to v1.1.8"}),"\n",(0,i.jsx)(s.li,{children:"Updated the embedded etcd to v3.5.9+k3s1"}),"\n",(0,i.jsxs)(s.li,{children:["User-provided containerd config templates may now use ",(0,i.jsx)(s.code,{children:'{{ template "base" . }}'})," to include the default K3s template content. This makes it easier to maintain user configuration if the only need is to add additional sections to the file."]}),"\n",(0,i.jsx)(s.li,{children:"Bump docker/docker module version to fix issues with cri-dockerd caused by recent releases of golang rejecting invalid host headers sent by the docker client."}),"\n",(0,i.jsx)(s.li,{children:"Updated kine to v0.10.2"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["K3s etcd-snapshot delete fail to delete local file when called with s3 flag ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8144",children:"(#8144)"})]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Fix for cluster-reset backup from s3 when etcd snapshots are disabled ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8170",children:"(#8170)"})]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fixed the etcd retention to delete orphaned snapshots based on the date ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8189",children:"(#8189)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Additional backports for 2023-08 release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8212",children:"(#8212)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The version of ",(0,i.jsx)(s.code,{children:"helm"})," used by the bundled helm controller's job image has been updated to v3.12.3"]}),"\n",(0,i.jsx)(s.li,{children:"Bumped dynamiclistener to address an issue that could cause the apiserver/supervisor listener on 6443 to stop serving requests on etcd-only nodes."}),"\n",(0,i.jsx)(s.li,{children:"The K3s external apiserver/supervisor listener on 6443 now sends a complete certificate chain in the TLS handshake."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Move flannel to 0.22.2 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8222",children:"(#8222)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.8 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8235",children:"(#8235)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add new CLI flag to enable TLS SAN CN filtering ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8258",children:"(#8258)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Added a new ",(0,i.jsx)(s.code,{children:"--tls-san-security"})," option. This flag defaults to false, but can be set to true to disable automatically adding SANs to the server's TLS certificate to satisfy any hostname requested by a client."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Add RWMutex to address controller ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8274",children:"(#8274)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1267k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.7+k3s1",children:"v1.26.7+k3s1"})]}),"\n",(0,i.jsxs)(s.p,{children:["This release updates Kubernetes to v1.26.7, and fixes a number of issues.\r\n\u200b\r\nFor more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1266",children:"Kubernetes release notes"}),".\r\n\u200b"]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1266k3s1",children:"Changes since v1.26.6+k3s1:"}),"\n",(0,i.jsx)(s.p,{children:"\u200b"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Remove file_windows.go ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7855",children:"(#7855)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix code spell check ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7859",children:"(#7859)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Allow k3s to customize apiServerPort on helm-controller ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7874",children:"(#7874)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Check if we are on ipv4, ipv6 or dualStack when doing tailscale ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7882",children:"(#7882)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Support setting control server URL for Tailscale. ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7893",children:"(#7893)"})]}),"\n",(0,i.jsxs)(s.li,{children:["S3 and Startup tests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7885",children:"(#7885)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix rootless node password ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7901",children:"(#7901)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2023-07 release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7908",children:"(#7908)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Resolved an issue that caused agents joined with kubeadm-style bootstrap tokens to fail to rejoin the cluster when their node object is deleted."}),"\n",(0,i.jsxs)(s.li,{children:["The ",(0,i.jsx)(s.code,{children:"k3s certificate rotate-ca"})," command now supports the data-dir flag."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Adding cli to custom klipper helm image ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7914",children:"(#7914)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The default helm-controller job image can now be overridden with the --helm-job-image CLI flag"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Generation of certs and keys for etcd gated if etcd is disabled ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7944",children:"(#7944)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Don't use zgrep in ",(0,i.jsx)(s.code,{children:"check-config"})," if apparmor profile is enforced ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7956",children:"(#7956)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix image_scan.sh script and download trivy version (#7950) ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7968",children:"(#7968)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Adjust default kubeconfig file permissions ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7983",children:"(#7983)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.7 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8022",children:"(#8022)"}),"\r\n\u200b"]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1266k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.6+k3s1",children:"v1.26.6+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.6, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1265",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1265k3s1",children:"Changes since v1.26.5+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Update flannel version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7648",children:"(#7648)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump vagrant libvirt with fix for plugin installs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7658",children:"(#7658)"})]}),"\n",(0,i.jsxs)(s.li,{children:["E2E and Dep Backports - June ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7693",children:"(#7693)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Bump docker go.mod #7681"}),"\n",(0,i.jsx)(s.li,{children:"Shortcircuit commands with version or help flags #7683"}),"\n",(0,i.jsx)(s.li,{children:"Add Rotation certification Check, remove func to restart agents #7097"}),"\n",(0,i.jsx)(s.li,{children:"E2E: Sudo for RunCmdOnNode #7686"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["VPN integration ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7727",children:"(#7727)"})]}),"\n",(0,i.jsxs)(s.li,{children:["E2e: Private registry test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7721",children:"(#7721)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix spelling check ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7751",children:"(#7751)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove unused libvirt config ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7757",children:"(#7757)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backport version bumps and bugfixes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7717",children:"(#7717)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The bundled metrics-server has been bumped to v0.6.3, and now uses only secure TLS ciphers by default."}),"\n",(0,i.jsxs)(s.li,{children:["The ",(0,i.jsx)(s.code,{children:"coredns-custom"})," ConfigMap now allows for ",(0,i.jsx)(s.code,{children:"*.override"})," sections to be included in the ",(0,i.jsx)(s.code,{children:".:53"})," default server block."]}),"\n",(0,i.jsx)(s.li,{children:"The K3s core controllers (supervisor, deploy, and helm) no longer use the admin kubeconfig. This makes it easier to determine from access and audit logs which actions are performed by the system, and which are performed by an administrative user."}),"\n",(0,i.jsx)(s.li,{children:"Bumped klipper-lb image to v0.4.4 to resolve an issue that prevented access to ServiceLB ports from localhost when the Service ExternalTrafficPolicy was set to Local."}),"\n",(0,i.jsx)(s.li,{children:"Make LB image configurable when compiling k3s"}),"\n",(0,i.jsx)(s.li,{children:"K3s now allows nodes to join the cluster even if the node password secret cannot be created at the time the node joins. The secret create will be retried in the background. This resolves a potential deadlock created by fail-closed validating webhooks that block secret creation, where the webhook is unavailable until new nodes join the cluster to run the webhook pod."}),"\n",(0,i.jsx)(s.li,{children:"The bundled containerd's aufs/devmapper/zfs snapshotter plugins have been restored. These were unintentionally omitted when moving containerd back into the k3s multicall binary in the previous release."}),"\n",(0,i.jsx)(s.li,{children:"The embedded helm controller has been bumped to v0.15.0, and now supports creating the chart's target namespace if it does not exist."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Add format command on makefile ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7762",children:"(#7762)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix logging and cleanup in Tailscale ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7782",children:"(#7782)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update Kubernetes to v1.26.6 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7789",children:"(#7789)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1265k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.5+k3s1",children:"v1.26.5+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.5, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1264",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1264k3s1",children:"Changes since v1.26.4+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Ensure that klog verbosity is set to the same level as logrus ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7360",children:"(#7360)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Prepend release branch to dependabot ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7374",children:"(#7374)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add integration tests for etc-snapshot server flags ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7377",children:"(#7377)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump Runc and Containerd ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7399",children:"(#7399)"})]}),"\n",(0,i.jsxs)(s.li,{children:["CLI + Config Enhancement ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7403",children:"(#7403)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:[(0,i.jsx)(s.code,{children:"--Tls-sans"})," now accepts multiple arguments: ",(0,i.jsx)(s.code,{children:'--tls-sans="foo,bar"'})]}),"\n",(0,i.jsxs)(s.li,{children:[(0,i.jsx)(s.code,{children:"Prefer-bundled-bin: true"})," now works properly when set in ",(0,i.jsx)(s.code,{children:"config.yaml.d"})," files"]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Migrate netutil methods into /utils/net.go ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7432",children:"(#7432)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump kube-router version to fix a bug when a port name is used ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7460",children:"(#7460)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Kube flags and longhorn storage tests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7465",children:"(#7465)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Local-storage: Fix permission ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7474",children:"(#7474)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd to v1.7.0 and move back into multicall binary ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7444",children:"(#7444)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The embedded containerd version has been bumped to ",(0,i.jsx)(s.code,{children:"v1.7.0-k3s1"}),", and has been reintegrated into the main k3s binary for a significant savings in release artifact size."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Backport version bumps and bugfixes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7514",children:"(#7514)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:'K3s now retries the cluster join operation when receiving a "too many learners" error from etcd. This most frequently occurred when attempting to add multiple servers at the same time.'}),"\n",(0,i.jsx)(s.li,{children:"K3s once again supports aarch64 nodes with page size > 4k"}),"\n",(0,i.jsx)(s.li,{children:"The packaged Traefik version has been bumped to v2.9.10 / chart 21.2.0"}),"\n",(0,i.jsxs)(s.li,{children:["K3s now prints a more meaningful error when attempting to run from a filesystem mounted ",(0,i.jsx)(s.code,{children:"noexec"}),"."]}),"\n",(0,i.jsxs)(s.li,{children:["K3s now exits with a proper error message when the server token uses a bootstrap token ",(0,i.jsx)(s.code,{children:"id.secret"})," format."]}),"\n",(0,i.jsx)(s.li,{children:"Fixed an issue where Addon, HelmChart, and HelmChartConfig CRDs were created without structural schema, allowing the creation of custom resources of these types with invalid content."}),"\n",(0,i.jsx)(s.li,{children:"Servers started with the (experimental) --disable-agent flag no longer attempt to run the tunnel authorizer agent component."}),"\n",(0,i.jsx)(s.li,{children:"Fixed an regression that prevented the pod and cluster egress-selector modes from working properly."}),"\n",(0,i.jsx)(s.li,{children:"K3s now correctly passes through etcd-args to the temporary etcd that is used to extract cluster bootstrap data when restarting managed etcd nodes."}),"\n",(0,i.jsx)(s.li,{children:"K3s now properly handles errors obtaining the current etcd cluster member list when a new server is joining the managed etcd cluster."}),"\n",(0,i.jsxs)(s.li,{children:["The embedded kine version has been bumped to v0.10.1. This replaces the legacy ",(0,i.jsx)(s.code,{children:"lib/pq"})," postgres driver with ",(0,i.jsx)(s.code,{children:"pgx"}),"."]}),"\n",(0,i.jsx)(s.li,{children:"The bundled CNI plugins have been upgraded to v1.2.0-k3s1. The bandwidth and firewall plugins are now included in the bundle."}),"\n",(0,i.jsx)(s.li,{children:"The embedded Helm controller now supports authenticating to chart repositories via credentials stored in a Secret, as well as passing repo CAs via ConfigMap."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd/runc to v1.7.1-k3s1/v1.1.7 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7534",children:"(#7534)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The bundled containerd and runc versions have been bumped to v1.7.1-k3s1/v1.1.7"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Wrap error stating that it is coming from netpol ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7547",children:"(#7547)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add '-all' flag to apply to inactive units ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7573",children:"(#7573)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.5-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7576",children:"(#7576)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Pin emicklei/go-restful to v3.9.0 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7598",children:"(#7598)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1264k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.4+k3s1",children:"v1.26.4+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.4, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1263",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1263k3s1",children:"Changes since v1.26.3+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Enhance ",(0,i.jsx)(s.code,{children:"k3s check-config"})," ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7091",children:"(#7091)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update stable channel to v1.25.8+k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7161",children:"(#7161)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Drone Pipelines enhancement ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7169",children:"(#7169)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix_get_sha_url ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7187",children:"(#7187)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Improve Updatecli local-path-provisioner pipeline ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7181",children:"(#7181)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Improve workflow ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7142",children:"(#7142)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Improve Trivy configuration ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7154",children:"(#7154)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump Local Path Provisioner version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7167",children:"(#7167)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The bundled local-path-provisioner version has been bumped to v0.0.24"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump etcd to v3.5.7 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7170",children:"(#7170)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded etcd version has been bumped to v3.5.7"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump runc to v1.1.5 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7171",children:"(#7171)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The bundled runc version has been bumped to v1.1.5"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix race condition caused by etcd advertising addresses that it does not listen on ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7147",children:"(#7147)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fixed a race condition during cluster reset that could cause the operation to hang and time out."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump coredns to v1.10.1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7168",children:"(#7168)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The bundled coredns version has been bumped to v1.10.1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Don't apply hardened args to agent ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7089",children:"(#7089)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Upgrade helm-controller to v0.13.3 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7209",children:"(#7209)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Improve Klipper Helm and Helm controller bumps ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7146",children:"(#7146)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix issue with stale connections to removed LB server ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7194",children:"(#7194)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The client load-balancer that maintains connections to active server nodes now closes connections to servers when they are removed from the cluster. This ensures that agent components immediately reconnect to a current cluster member."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump actions/setup-go from 3 to 4 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7111",children:"(#7111)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Lock bootstrap data with empty key to prevent conflicts ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7215",children:"(#7215)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"When using an external datastore, K3s now locks the bootstrap key while creating initial cluster bootstrap data, preventing a race condition when multiple servers attempted to initialize the cluster simultaneously."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Updated kube-router to move the default ACCEPT rule at the end of the chain ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7218",children:"(#7218)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded kube-router controller has been updated to fix a regression that caused traffic from pods to be blocked by any default drop/deny rules present on the host. Users should still confirm that any externally-managed firewall rules explicitly allow traffic to/from pod and service networks, but this returns the old behavior that was relied upon by some users."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Add make commands to terraform automation and fix external dbs related issue ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7159",children:"(#7159)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update klipper lb to v0.4.2 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7210",children:"(#7210)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add coreos and sle micro to selinux support ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6945",children:"(#6945)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix call for k3s-selinux versions in airgapped environments ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7264",children:"(#7264)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update Kube-router ACCEPT rule insertion and install script to clean rules before start ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7274",children:"(#7274)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded kube-router controller has been updated to fix a regression that caused traffic from pods to be blocked by any default drop/deny rules present on the host. Users should still confirm that any externally-managed firewall rules explicitly allow traffic to/from pod and service networks, but this returns the old behavior that was relied upon by some users."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.4-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7282",children:"(#7282)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump golang",":alpine"," image version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7292",children:"(#7292)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump Sonobuoy version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7256",children:"(#7256)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump Trivy version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7257",children:"(#7257)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1263k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.3+k3s1",children:"v1.26.3+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.3, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1262",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1262k3s1",children:"Changes since v1.26.2+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Add E2E to Drone ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6890",children:"(#6890)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add flannel adr ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6973",children:"(#6973)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update flannel and kube-router ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7039",children:"(#7039)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump various dependencies for CVEs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7044",children:"(#7044)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Adds a warning about editing to the containerd config.toml file ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7057",children:"(#7057)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update stable version in channel server ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7066",children:"(#7066)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Wait for kubelet port to be ready before setting ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7041",children:"(#7041)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The agent tunnel authorizer now waits for the kubelet to be ready before reading the kubelet port from the node object."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Improve support for rotating the default self-signed certs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7032",children:"(#7032)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The ",(0,i.jsx)(s.code,{children:"k3s certificate rotate-ca"})," checks now support rotating self-signed certificates without the ",(0,i.jsx)(s.code,{children:"--force"})," option."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Skip all pipelines based on what is in the PR ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6996",children:"(#6996)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add missing kernel config checks ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6946",children:"(#6946)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove deprecated nodeSelector label beta.kubernetes.io/os ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6970",children:"(#6970)"})]}),"\n",(0,i.jsxs)(s.li,{children:["MultiClusterCIDR for v1.26 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6885",children:"(#6885)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"MultiClusterCIDR feature"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Remove Nikolai from MAINTAINERS list ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7088",children:"(#7088)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add automation for Restart command for K3s ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7002",children:"(#7002)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix to Rotate CA e2e test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7101",children:"(#7101)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Drone: Cleanup E2E VMs on test panic ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7104",children:"(#7104)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.3-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7108",children:"(#7108)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Pin golangci-lint version to v1.51.2 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7113",children:"(#7113)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Clean E2E VMs before testing ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7109",children:"(#7109)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update flannel to fix NAT issue with old iptables version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7136",children:"(#7136)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1262k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.2+k3s1",children:"v1.26.2+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.2, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1261",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1261k3s1",children:"Changes since v1.26.1+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Add build tag to disable cri-dockerd ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6760",children:"(#6760)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump cri-dockerd ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6797",children:"(#6797)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded cri-dockerd has been updated to v0.3.1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update stable channel to v1.25.6+k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6828",children:"(#6828)"})]}),"\n",(0,i.jsxs)(s.li,{children:["E2E Rancher and Hardened script improvements ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6778",children:"(#6778)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add Ayedo to Adopters ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6801",children:"(#6801)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Consolidate E2E tests and GH Actions ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6772",children:"(#6772)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Allow ServiceLB to honor ",(0,i.jsx)(s.code,{children:"ExternalTrafficPolicy=Local"})," ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6726",children:"(#6726)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"ServiceLB now honors the Service's ExternalTrafficPolicy. When set to Local, the LoadBalancer will only advertise addresses of Nodes with a Pod for the Service, and will not forward traffic to other cluster members."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix cronjob example ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6707",children:"(#6707)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump vagrant boxes to fedora37 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6832",children:"(#6832)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Ensure flag type consistency ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6852",children:"(#6852)"})]}),"\n",(0,i.jsxs)(s.li,{children:["E2E: Consoldiate docker and prefer bundled tests into new startup test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6851",children:"(#6851)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix reference to documentation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6860",children:"(#6860)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump deps: trivy, sonobuoy, dapper, golangci-lint, gopls ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6807",children:"(#6807)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix check for (open)SUSE version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6791",children:"(#6791)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add support for user-provided CA certificates ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6615",children:"(#6615)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["K3s now functions properly when the cluster CA certificates are signed by an existing root or intermediate CA. You can find a sample script for generating such certificates before K3s starts in the github repo at ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/blob/master/contrib/util/certs.sh",children:"contrib/util/certs.sh"}),"."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Ignore value conflicts when reencrypting secrets ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6850",children:"(#6850)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add ",(0,i.jsx)(s.code,{children:"kubeadm"})," style bootstrap token secret support ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6663",children:"(#6663)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["K3s now supports ",(0,i.jsx)(s.code,{children:"kubeadm"})," style join tokens. ",(0,i.jsx)(s.code,{children:"k3s token create"})," now creates join token secrets, optionally with a limited TTL."]}),"\n",(0,i.jsx)(s.li,{children:"K3s agents joined with an expired or deleted token stay in the cluster using existing client certificates via the NodeAuthorization admission plugin, unless their Node object is deleted from the cluster."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Add NATS to the list of supported data stores ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6876",children:"(#6876)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Use default address family when adding kubernetes service address to SAN list ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6857",children:"(#6857)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The apiserver advertised address and IP SAN entry are now set correctly on clusters that use IPv6 as the default IP family."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix issue with servicelb startup failure when validating webhooks block creation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6911",children:"(#6911)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded cloud controller manager will no longer attempt to unconditionally re-create its namespace and serviceaccount on startup. This resolves an issue that could cause a deadlocked cluster when fail-closed webhooks are in use."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix access to hostNetwork port on NodeIP when egress-selector-mode=agent ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6829",children:"(#6829)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fixed an issue that would cause the apiserver egress proxy to attempt to use the agent tunnel to connect to service endpoints even in agent or disabled mode."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Wait for server to become ready before creating token ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6932",children:"(#6932)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Allow for multiple sets of leader-elected controllers ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6922",children:"(#6922)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fixed an issue where leader-elected controllers for managed etcd did not run on etcd-only nodes"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update Flannel to v0.21.1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6944",children:"(#6944)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix Nightly E2E tests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6950",children:"(#6950)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix etcd and ca-cert rotate issues ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6952",children:"(#6952)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix ServiceLB dual-stack ingress IP listing ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6979",children:"(#6979)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Resolved an issue with ServiceLB that would cause it to advertise node IPv6 addresses, even if the cluster or service was not enabled for dual-stack operation."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump kine to v0.9.9 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6974",children:"(#6974)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The embedded kine version has been bumped to v0.9.9. Compaction log messages are now omitted at ",(0,i.jsx)(s.code,{children:"info"})," level for increased visibility."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.2-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7011",children:"(#7011)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1261k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.1+k3s1",children:"v1.26.1+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.1, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1260",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1260k3s2",children:"Changes since v1.26.0+k3s2:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Add jitter to scheduled snapshots and retry harder on conflicts ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6715",children:"(#6715)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Scheduled etcd snapshots are now offset by a short random delay of up to several seconds. This should prevent multi-server clusters from executing pathological behavior when attempting to simultaneously update the snapshot list ConfigMap. The snapshot controller will also be more persistent in attempting to update the snapshot list."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Adjust e2e test run script and fixes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6718",children:"(#6718)"})]}),"\n",(0,i.jsxs)(s.li,{children:["RIP Codespell ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6701",children:"(#6701)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump alpine from 3.16 to 3.17 in /package ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6688",children:"(#6688)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump alpine from 3.16 to 3.17 in /conformance ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6687",children:"(#6687)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd to v1.6.15-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6722",children:"(#6722)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded containerd version has been bumped to v1.6.15-k3s1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Containerd restart testlet ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6696",children:"(#6696)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump ubuntu from 20.04 to 22.04 in /tests/e2e/scripts ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6686",children:"(#6686)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add explicit read permissions to workflows ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6700",children:"(#6700)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Pass through default tls-cipher-suites ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6725",children:"(#6725)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The K3s default cipher suites are now explicitly passed in to kube-apiserver, ensuring that all listeners use these values."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump golang",":alpine"," image version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6683",children:"(#6683)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bugfix: do not break cert-manager when pprof is enabled ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6635",children:"(#6635)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix CI tests on Alpine 3.17 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6744",children:"(#6744)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update Stable to 1.25.5+k3s2 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6753",children:"(#6753)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump action/download-artifact to v3 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6746",children:"(#6746)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Generate report and upload test results ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6737",children:"(#6737)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Slow dependency CI to weekly ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6764",children:"(#6764)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix Drone plugins/docker tag for 32 bit arm ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6769",children:"(#6769)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.1-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6774",children:"(#6774)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1260k3s2",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.0+k3s2",children:"v1.26.0+k3s2"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates containerd to v1.6.14 to resolve an issue where pods would lose their CNI information when containerd was restarted, as well as a number of other stability and administrative changes."}),"\n",(0,i.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1260k3s1",children:"Changes since v1.26.0+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Current status badges ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6653",children:"(#6653)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add initial Updatecli ADR automation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6583",children:"(#6583)"})]}),"\n",(0,i.jsxs)(s.li,{children:["December 2022 channels update ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6618",children:"(#6618)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Change Updatecli GH action reference branch ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6682",children:"(#6682)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix OpenRC init script error 'openrc-run.sh: source: not found' ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6614",children:"(#6614)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add Dependabot config for security ADR ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6560",children:"(#6560)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd to v1.6.14-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6693",children:"(#6693)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The embedded containerd version has been bumped to v1.6.14-k3s1. This includes a backported fix for ",(0,i.jsx)(s.a,{href:"https://github.com/containerd/containerd/issues/7843",children:"containerd/7843"})," which caused pods to lose their CNI info when containerd was restarted, which in turn caused the kubelet to recreate the pod."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Exclude December r1 releases from channel server ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6706",children:"(#6706)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1260k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.0+k3s1",children:"v1.26.0+k3s1"})]}),"\n",(0,i.jsxs)(s.blockquote,{children:["\n",(0,i.jsx)(s.h2,{id:"\ufe0f-warning",children:"\u26a0\ufe0f WARNING"}),"\n",(0,i.jsxs)(s.p,{children:["This release is affected by ",(0,i.jsx)(s.a,{href:"https://github.com/containerd/containerd/issues/7843",children:"https://github.com/containerd/containerd/issues/7843"}),", which causes the kubelet to restart all pods whenever K3s is restarted. For this reason, we have removed this K3s release from the channel server. Please use ",(0,i.jsx)(s.code,{children:"v1.26.0+k3s2"})," instead."]}),"\n"]}),"\n",(0,i.jsx)(s.p,{children:"This release is K3S's first in the v1.26 line. This release updates Kubernetes to v1.26.0."}),"\n",(0,i.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1255k3s1",children:"Changes since v1.25.5+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Remove deprecated flags in v1.26 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6574",children:"(#6574)"})]}),"\n",(0,i.jsxs)(s.li,{children:['Using "etcd-snapshot" for saving snapshots is now deprecated, use "etcd-snapshot save" instead. ',(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6575",children:"(#6575)"})]}),"\n",(0,i.jsx)(s.li,{children:"Update to v1.26.0-k3s1"}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Update kubernetes to v1.26.0-k3s1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Update cri-tools to v1.26.0-rc.0-k3s1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Update helm controller to v0.13.1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Update etcd to v3.5.5-k3s1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Update cri-dockerd to the latest 1.26.0"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Update cadvisor"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Update containerd to v1.6.12-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6370",children:"(#6370)"})]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Preload iptable_filter/ip6table_filter ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6645",children:"(#6645)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump k3s-root version to v0.12.1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6651",children:"(#6651)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{})]})}function o(e={}){const{wrapper:s}={...(0,r.a)(),...e.components};return s?(0,i.jsx)(s,{...e,children:(0,i.jsx)(a,{...e})}):a(e)}},1151:(e,s,t)=>{t.d(s,{Z:()=>h,a:()=>l});var i=t(7294);const r={},n=i.createContext(r);function l(e){const s=i.useContext(n);return i.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function h(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:l(e.components),i.createElement(n.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/0e4359fd.9916ba74.js b/assets/js/0e4359fd.9916ba74.js new file mode 100644 index 000000000..829415849 --- /dev/null +++ b/assets/js/0e4359fd.9916ba74.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[9751],{8495:(e,t,n)=>{n.r(t),n.d(t,{assets:()=>o,contentTitle:()=>a,default:()=>h,frontMatter:()=>i,metadata:()=>c,toc:()=>l});var s=n(5893),r=n(1151);const i={title:"Helm"},a=void 0,c={id:"helm",title:"Helm",description:"Helm is the package management tool of choice for Kubernetes. Helm charts provide templating syntax for Kubernetes YAML manifest documents. With Helm, developers or cluster administrators can create configurable templates known as Charts, instead of just using static manifests. For more information about creating your own Chart catalog, check out the docs at https://helm.sh/docs/intro/quickstart/.",source:"@site/docs/helm.md",sourceDirName:".",slug:"/helm",permalink:"/helm",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/helm.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Helm"},sidebar:"mySidebar",previous:{title:"Networking Services",permalink:"/networking/networking-services"},next:{title:"Advanced Options / Configuration",permalink:"/advanced"}},o={},l=[{value:"Using the Helm Controller",id:"using-the-helm-controller",level:3},{value:"HelmChart Field Definitions",id:"helmchart-field-definitions",level:4},{value:"Customizing Packaged Components with HelmChartConfig",id:"customizing-packaged-components-with-helmchartconfig",level:3},{value:"Migrating from Helm v2",id:"migrating-from-helm-v2",level:3}];function d(e){const t={a:"a",admonition:"admonition",code:"code",h3:"h3",h4:"h4",p:"p",pre:"pre",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",...(0,r.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsxs)(t.p,{children:["Helm is the package management tool of choice for Kubernetes. Helm charts provide templating syntax for Kubernetes YAML manifest documents. With Helm, developers or cluster administrators can create configurable templates known as Charts, instead of just using static manifests. For more information about creating your own Chart catalog, check out the docs at ",(0,s.jsx)(t.a,{href:"https://helm.sh/docs/intro/quickstart/",children:"https://helm.sh/docs/intro/quickstart/"}),"."]}),"\n",(0,s.jsxs)(t.p,{children:["K3s does not require any special configuration to support Helm. Just be sure you have properly set the kubeconfig path as per the ",(0,s.jsx)(t.a,{href:"/cluster-access",children:"cluster access"})," documentation."]}),"\n",(0,s.jsxs)(t.p,{children:["K3s includes a ",(0,s.jsx)(t.a,{href:"https://github.com/k3s-io/helm-controller/",children:"Helm Controller"})," that manages installing, upgrading/reconfiguring, and uninstalling Helm charts using a HelmChart Custom Resource Definition (CRD). Paired with ",(0,s.jsx)(t.a,{href:"/installation/packaged-components",children:"auto-deploying AddOn manifests"}),", installing a Helm chart on your cluster can be automated by creating a single file on disk."]}),"\n",(0,s.jsx)(t.h3,{id:"using-the-helm-controller",children:"Using the Helm Controller"}),"\n",(0,s.jsxs)(t.p,{children:["The ",(0,s.jsx)(t.a,{href:"https://github.com/k3s-io/helm-controller#helm-controller",children:"HelmChart Custom Resource"})," captures most of the options you would normally pass to the ",(0,s.jsx)(t.code,{children:"helm"})," command-line tool. Here's an example of how you might deploy Apache from the Bitnami chart repository, overriding some of the default chart values. Note that the HelmChart resource itself is in the ",(0,s.jsx)(t.code,{children:"kube-system"})," namespace, but the chart's resources will be deployed to the ",(0,s.jsx)(t.code,{children:"web"})," namespace, which is created in the same manifest. This can be useful if you want to keep your HelmChart resources separated from the the resources they deploy."]}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-yaml",children:"apiVersion: v1\nkind: Namespace\nmetadata:\n name: web\n---\napiVersion: helm.cattle.io/v1\nkind: HelmChart\nmetadata:\n name: apache\n namespace: kube-system\nspec:\n repo: https://charts.bitnami.com/bitnami\n chart: apache\n targetNamespace: web\n valuesContent: |-\n service:\n type: ClusterIP\n ingress:\n enabled: true\n hostname: www.example.com\n metrics:\n enabled: true\n"})}),"\n",(0,s.jsx)(t.p,{children:"An example of deploying a helm chart from a private repo with authentication:"}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-yaml",children:"apiVersion: helm.cattle.io/v1\nkind: HelmChart\nmetadata:\n namespace: kube-system\n name: example-app\nspec:\n targetNamespace: example-space\n createNamespace: true\n version: v1.2.3\n chart: example-app\n repo: https://secure-repo.example.com\n authSecret:\n name: example-repo-auth\n repoCAConfigMap:\n name: example-repo-ca\n valuesContent: |-\n image:\n tag: v1.2.2\n---\napiVersion: v1\nkind: Secret\nmetadata:\n namespace: kube-system\n name: example-repo-auth\ntype: kubernetes.io/basic-auth\nstringData:\n username: user\n password: pass\n---\napiVersion: v1\nkind: ConfigMap\nmetadata:\n namespace: kube-system\n name: example-repo-ca\ndata:\n ca.crt: |-\n -----BEGIN CERTIFICATE-----\n \n -----END CERTIFICATE-----\n"})}),"\n",(0,s.jsx)(t.h4,{id:"helmchart-field-definitions",children:"HelmChart Field Definitions"}),"\n",(0,s.jsxs)(t.table,{children:[(0,s.jsx)(t.thead,{children:(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.th,{children:"Field"}),(0,s.jsx)(t.th,{children:"Default"}),(0,s.jsx)(t.th,{children:"Description"}),(0,s.jsx)(t.th,{children:"Helm Argument / Flag Equivalent"})]})}),(0,s.jsxs)(t.tbody,{children:[(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"metadata.name"}),(0,s.jsx)(t.td,{}),(0,s.jsx)(t.td,{children:"Helm Chart name"}),(0,s.jsx)(t.td,{children:"NAME"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.chart"}),(0,s.jsx)(t.td,{}),(0,s.jsx)(t.td,{children:"Helm Chart name in repository, or complete HTTPS URL to chart archive (.tgz)"}),(0,s.jsx)(t.td,{children:"CHART"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.targetNamespace"}),(0,s.jsx)(t.td,{children:"default"}),(0,s.jsx)(t.td,{children:"Helm Chart target namespace"}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"--namespace"})})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.createNamespace"}),(0,s.jsx)(t.td,{children:"false"}),(0,s.jsx)(t.td,{children:"Create target namespace if not present"}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"--create-namespace"})})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.version"}),(0,s.jsx)(t.td,{}),(0,s.jsx)(t.td,{children:"Helm Chart version (when installing from repository)"}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"--version"})})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.repo"}),(0,s.jsx)(t.td,{}),(0,s.jsx)(t.td,{children:"Helm Chart repository URL"}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"--repo"})})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.repoCA"}),(0,s.jsx)(t.td,{}),(0,s.jsx)(t.td,{children:"Verify certificates of HTTPS-enabled servers using this CA bundle. Should be a string containing one or more PEM-encoded CA Certificates."}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"--ca-file"})})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.repoCAConfigMap"}),(0,s.jsx)(t.td,{}),(0,s.jsxs)(t.td,{children:["Reference to a ConfigMap containing CA Certificates to be be trusted by Helm. Can be used along with or instead of ",(0,s.jsx)(t.code,{children:"repoCA"})]}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"--ca-file"})})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.helmVersion"}),(0,s.jsx)(t.td,{children:"v3"}),(0,s.jsxs)(t.td,{children:["Helm version to use (",(0,s.jsx)(t.code,{children:"v2"})," or ",(0,s.jsx)(t.code,{children:"v3"}),")"]}),(0,s.jsx)(t.td,{})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.bootstrap"}),(0,s.jsx)(t.td,{children:"False"}),(0,s.jsx)(t.td,{children:"Set to True if this chart is needed to bootstrap the cluster (Cloud Controller Manager, etc)"}),(0,s.jsx)(t.td,{})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.set"}),(0,s.jsx)(t.td,{}),(0,s.jsx)(t.td,{children:"Override simple default Chart values. These take precedence over options set via valuesContent."}),(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--set"})," / ",(0,s.jsx)(t.code,{children:"--set-string"})]})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.jobImage"}),(0,s.jsx)(t.td,{}),(0,s.jsxs)(t.td,{children:["Specify the image to use when installing the helm chart. E.g. rancher/klipper-helm",":v0",".3.0 ."]}),(0,s.jsx)(t.td,{})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.backOffLimit"}),(0,s.jsx)(t.td,{children:"1000"}),(0,s.jsx)(t.td,{children:"Specify the number of retries before considering a job failed."}),(0,s.jsx)(t.td,{})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.timeout"}),(0,s.jsx)(t.td,{children:"300s"}),(0,s.jsxs)(t.td,{children:["Timeout for Helm operations, as a ",(0,s.jsx)(t.a,{href:"https://pkg.go.dev/time#ParseDuration",children:"duration string"})," (",(0,s.jsx)(t.code,{children:"300s"}),", ",(0,s.jsx)(t.code,{children:"10m"}),", ",(0,s.jsx)(t.code,{children:"1h"}),", etc)"]}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"--timeout"})})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.failurePolicy"}),(0,s.jsx)(t.td,{children:"reinstall"}),(0,s.jsxs)(t.td,{children:["Set to ",(0,s.jsx)(t.code,{children:"abort"})," which case the Helm operation is aborted, pending manual intervention by the operator."]}),(0,s.jsx)(t.td,{})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.authSecret"}),(0,s.jsx)(t.td,{}),(0,s.jsxs)(t.td,{children:["Reference to Secret of type ",(0,s.jsx)(t.code,{children:"kubernetes.io/basic-auth"})," holding Basic auth credentials for the Chart repo."]}),(0,s.jsx)(t.td,{})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.authPassCredentials"}),(0,s.jsx)(t.td,{children:"false"}),(0,s.jsx)(t.td,{children:"Pass Basic auth credentials to all domains."}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"--pass-credentials"})})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.dockerRegistrySecret"}),(0,s.jsx)(t.td,{}),(0,s.jsxs)(t.td,{children:["Reference to Secret of type ",(0,s.jsx)(t.code,{children:"kubernetes.io/dockerconfigjson"})," holding Docker auth credentials for the OCI-based registry acting as the Chart repo."]}),(0,s.jsx)(t.td,{})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.valuesContent"}),(0,s.jsx)(t.td,{}),(0,s.jsx)(t.td,{children:"Override complex default Chart values via YAML file content"}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"--values"})})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.chartContent"}),(0,s.jsx)(t.td,{}),(0,s.jsx)(t.td,{children:"Base64-encoded chart archive .tgz - overrides spec.chart"}),(0,s.jsx)(t.td,{children:"CHART"})]})]})]}),"\n",(0,s.jsxs)(t.p,{children:["Content placed in ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/static/"})," can be accessed anonymously via the Kubernetes APIServer from within the cluster. This URL can be templated using the special variable ",(0,s.jsx)(t.code,{children:"%{KUBERNETES_API}%"})," in the ",(0,s.jsx)(t.code,{children:"spec.chart"})," field. For example, the packaged Traefik component loads its chart from ",(0,s.jsx)(t.code,{children:"https://%{KUBERNETES_API}%/static/charts/traefik-12.0.000.tgz"}),"."]}),"\n",(0,s.jsx)(t.admonition,{type:"note",children:(0,s.jsxs)(t.p,{children:["The ",(0,s.jsx)(t.code,{children:"name"})," field should follow the Helm chart naming conventions. Refer to the ",(0,s.jsx)(t.a,{href:"https://helm.sh/docs/chart_best_practices/conventions/#chart-names",children:"Helm Best Practices documentation"})," to learn more."]})}),"\n",(0,s.jsx)(t.h3,{id:"customizing-packaged-components-with-helmchartconfig",children:"Customizing Packaged Components with HelmChartConfig"}),"\n",(0,s.jsxs)(t.p,{children:["To allow overriding values for packaged components that are deployed as HelmCharts (such as Traefik), K3s supports customizing deployments via a HelmChartConfig resources. The HelmChartConfig resource must match the name and namespace of its corresponding HelmChart, and it supports providing additional ",(0,s.jsx)(t.code,{children:"valuesContent"}),", which is passed to the ",(0,s.jsx)(t.code,{children:"helm"})," command as an additional value file."]}),"\n",(0,s.jsx)(t.admonition,{type:"note",children:(0,s.jsxs)(t.p,{children:["HelmChart ",(0,s.jsx)(t.code,{children:"spec.set"})," values override HelmChart and HelmChartConfig ",(0,s.jsx)(t.code,{children:"spec.valuesContent"})," settings."]})}),"\n",(0,s.jsxs)(t.p,{children:["For example, to customize the packaged Traefik ingress configuration, you can create a file named ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/manifests/traefik-config.yaml"})," and populate it with the following content:"]}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-yaml",children:"apiVersion: helm.cattle.io/v1\nkind: HelmChartConfig\nmetadata:\n name: traefik\n namespace: kube-system\nspec:\n valuesContent: |-\n image:\n name: traefik\n tag: 2.9.10\n ports:\n web:\n forwardedHeaders:\n trustedIPs:\n - 10.0.0.0/8\n"})}),"\n",(0,s.jsx)(t.h3,{id:"migrating-from-helm-v2",children:"Migrating from Helm v2"}),"\n",(0,s.jsxs)(t.p,{children:["K3s can handle either Helm v2 or Helm v3. If you wish to migrate to Helm v3, ",(0,s.jsx)(t.a,{href:"https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/",children:"this"})," blog post by Helm explains how to use a plugin to successfully migrate. Refer to the official Helm 3 documentation ",(0,s.jsx)(t.a,{href:"https://helm.sh/docs/",children:"here"})," for more information. Just be sure you have properly set your kubeconfig as per the section about ",(0,s.jsx)(t.a,{href:"/cluster-access",children:"cluster access."})]}),"\n",(0,s.jsx)(t.admonition,{type:"note",children:(0,s.jsxs)(t.p,{children:["Helm 3 no longer requires Tiller and the ",(0,s.jsx)(t.code,{children:"helm init"})," command. Refer to the official documentation for details."]})})]})}function h(e={}){const{wrapper:t}={...(0,r.a)(),...e.components};return t?(0,s.jsx)(t,{...e,children:(0,s.jsx)(d,{...e})}):d(e)}},1151:(e,t,n)=>{n.d(t,{Z:()=>c,a:()=>a});var s=n(7294);const r={},i=s.createContext(r);function a(e){const t=s.useContext(i);return s.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function c(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:a(e.components),s.createElement(i.Provider,{value:t},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/0e4359fd.fbccc3d8.js b/assets/js/0e4359fd.fbccc3d8.js deleted file mode 100644 index 847b732ef..000000000 --- a/assets/js/0e4359fd.fbccc3d8.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[9751],{8495:(e,t,n)=>{n.r(t),n.d(t,{assets:()=>o,contentTitle:()=>a,default:()=>h,frontMatter:()=>i,metadata:()=>c,toc:()=>l});var s=n(5893),r=n(1151);const i={title:"Helm"},a=void 0,c={id:"helm",title:"Helm",description:"Helm is the package management tool of choice for Kubernetes. Helm charts provide templating syntax for Kubernetes YAML manifest documents. With Helm, developers or cluster administrators can create configurable templates known as Charts, instead of just using static manifests. For more information about creating your own Chart catalog, check out the docs at https://helm.sh/docs/intro/quickstart/.",source:"@site/docs/helm.md",sourceDirName:".",slug:"/helm",permalink:"/helm",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/helm.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Helm"},sidebar:"mySidebar",previous:{title:"Networking Services",permalink:"/networking/networking-services"},next:{title:"Advanced Options / Configuration",permalink:"/advanced"}},o={},l=[{value:"Using the Helm Controller",id:"using-the-helm-controller",level:3},{value:"HelmChart Field Definitions",id:"helmchart-field-definitions",level:4},{value:"Customizing Packaged Components with HelmChartConfig",id:"customizing-packaged-components-with-helmchartconfig",level:3},{value:"Migrating from Helm v2",id:"migrating-from-helm-v2",level:3}];function d(e){const t={a:"a",admonition:"admonition",code:"code",h3:"h3",h4:"h4",p:"p",pre:"pre",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",...(0,r.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsxs)(t.p,{children:["Helm is the package management tool of choice for Kubernetes. Helm charts provide templating syntax for Kubernetes YAML manifest documents. With Helm, developers or cluster administrators can create configurable templates known as Charts, instead of just using static manifests. For more information about creating your own Chart catalog, check out the docs at ",(0,s.jsx)(t.a,{href:"https://helm.sh/docs/intro/quickstart/",children:"https://helm.sh/docs/intro/quickstart/"}),"."]}),"\n",(0,s.jsxs)(t.p,{children:["K3s does not require any special configuration to support Helm. Just be sure you have properly set the kubeconfig path as per the ",(0,s.jsx)(t.a,{href:"/cluster-access",children:"cluster access"})," documentation."]}),"\n",(0,s.jsxs)(t.p,{children:["K3s includes a ",(0,s.jsx)(t.a,{href:"https://github.com/k3s-io/helm-controller/",children:"Helm Controller"})," that manages installing, upgrading/reconfiguring, and uninstalling Helm charts using a HelmChart Custom Resource Definition (CRD). Paired with ",(0,s.jsx)(t.a,{href:"/installation/packaged-components",children:"auto-deploying AddOn manifests"}),", installing a Helm chart on your cluster can be automated by creating a single file on disk."]}),"\n",(0,s.jsx)(t.h3,{id:"using-the-helm-controller",children:"Using the Helm Controller"}),"\n",(0,s.jsxs)(t.p,{children:["The ",(0,s.jsx)(t.a,{href:"https://github.com/k3s-io/helm-controller#helm-controller",children:"HelmChart Custom Resource"})," captures most of the options you would normally pass to the ",(0,s.jsx)(t.code,{children:"helm"})," command-line tool. Here's an example of how you might deploy Apache from the Bitnami chart repository, overriding some of the default chart values. Note that the HelmChart resource itself is in the ",(0,s.jsx)(t.code,{children:"kube-system"})," namespace, but the chart's resources will be deployed to the ",(0,s.jsx)(t.code,{children:"web"})," namespace, which is created in the same manifest. This can be useful if you want to keep your HelmChart resources separated from the the resources they deploy."]}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-yaml",children:"apiVersion: v1\nkind: Namespace\nmetadata:\n name: web\n---\napiVersion: helm.cattle.io/v1\nkind: HelmChart\nmetadata:\n name: apache\n namespace: kube-system\nspec:\n repo: https://charts.bitnami.com/bitnami\n chart: apache\n targetNamespace: web\n valuesContent: |-\n service:\n type: ClusterIP\n ingress:\n enabled: true\n hostname: www.example.com\n metrics:\n enabled: true\n"})}),"\n",(0,s.jsx)(t.p,{children:"An example of deploying a helm chart from a private repo with authentication:"}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-yaml",children:"apiVersion: helm.cattle.io/v1\nkind: HelmChart\nmetadata:\n namespace: kube-system\n name: example-app\nspec:\n targetNamespace: example-space\n createNamespace: true\n version: v1.2.3\n chart: example-app\n repo: https://secure-repo.example.com\n authSecret:\n name: example-repo-auth\n repoCAConfigMap:\n name: example-repo-ca\n valuesContent: |-\n image:\n tag: v1.2.2\n---\napiVersion: v1\nkind: Secret\nmetadata:\n namespace: kube-system\n name: example-repo-auth\ntype: kubernetes.io/basic-auth\nstringData:\n username: user\n password: pass\n---\napiVersion: v1\nkind: ConfigMap\nmetadata:\n namespace: kube-system\n name: example-repo-ca\ndata:\n ca.crt: |-\n -----BEGIN CERTIFICATE-----\n \n -----END CERTIFICATE-----\n"})}),"\n",(0,s.jsx)(t.h4,{id:"helmchart-field-definitions",children:"HelmChart Field Definitions"}),"\n",(0,s.jsxs)(t.table,{children:[(0,s.jsx)(t.thead,{children:(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.th,{children:"Field"}),(0,s.jsx)(t.th,{children:"Default"}),(0,s.jsx)(t.th,{children:"Description"}),(0,s.jsx)(t.th,{children:"Helm Argument / Flag Equivalent"})]})}),(0,s.jsxs)(t.tbody,{children:[(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"metadata.name"}),(0,s.jsx)(t.td,{}),(0,s.jsx)(t.td,{children:"Helm Chart name"}),(0,s.jsx)(t.td,{children:"NAME"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.chart"}),(0,s.jsx)(t.td,{}),(0,s.jsx)(t.td,{children:"Helm Chart name in repository, or complete HTTPS URL to chart archive (.tgz)"}),(0,s.jsx)(t.td,{children:"CHART"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.targetNamespace"}),(0,s.jsx)(t.td,{children:"default"}),(0,s.jsx)(t.td,{children:"Helm Chart target namespace"}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"--namespace"})})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.createNamespace"}),(0,s.jsx)(t.td,{children:"false"}),(0,s.jsx)(t.td,{children:"Create target namespace if not present"}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"--create-namespace"})})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.version"}),(0,s.jsx)(t.td,{}),(0,s.jsx)(t.td,{children:"Helm Chart version (when installing from repository)"}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"--version"})})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.repo"}),(0,s.jsx)(t.td,{}),(0,s.jsx)(t.td,{children:"Helm Chart repository URL"}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"--repo"})})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.repoCA"}),(0,s.jsx)(t.td,{}),(0,s.jsx)(t.td,{children:"Verify certificates of HTTPS-enabled servers using this CA bundle. Should be a string containing one or more PEM-encoded CA Certificates."}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"--ca-file"})})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.repoCAConfigMap"}),(0,s.jsx)(t.td,{}),(0,s.jsxs)(t.td,{children:["Reference to a ConfigMap containing CA Certificates to be be trusted by Helm. Can be used along with or instead of ",(0,s.jsx)(t.code,{children:"repoCA"})]}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"--ca-file"})})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.helmVersion"}),(0,s.jsx)(t.td,{children:"v3"}),(0,s.jsxs)(t.td,{children:["Helm version to use (",(0,s.jsx)(t.code,{children:"v2"})," or ",(0,s.jsx)(t.code,{children:"v3"}),")"]}),(0,s.jsx)(t.td,{})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.bootstrap"}),(0,s.jsx)(t.td,{children:"False"}),(0,s.jsx)(t.td,{children:"Set to True if this chart is needed to bootstrap the cluster (Cloud Controller Manager, etc)"}),(0,s.jsx)(t.td,{})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.set"}),(0,s.jsx)(t.td,{}),(0,s.jsx)(t.td,{children:"Override simple default Chart values. These take precedence over options set via valuesContent."}),(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--set"})," / ",(0,s.jsx)(t.code,{children:"--set-string"})]})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.jobImage"}),(0,s.jsx)(t.td,{}),(0,s.jsxs)(t.td,{children:["Specify the image to use when installing the helm chart. E.g. rancher/klipper-helm",":v0",".3.0 ."]}),(0,s.jsx)(t.td,{})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.backOffLimit"}),(0,s.jsx)(t.td,{children:"1000"}),(0,s.jsx)(t.td,{children:"Specify the number of retries before considering a job failed."}),(0,s.jsx)(t.td,{})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.timeout"}),(0,s.jsx)(t.td,{children:"300s"}),(0,s.jsxs)(t.td,{children:["Timeout for Helm operations, as a ",(0,s.jsx)(t.a,{href:"https://pkg.go.dev/time#ParseDuration",children:"duration string"})," (",(0,s.jsx)(t.code,{children:"300s"}),", ",(0,s.jsx)(t.code,{children:"10m"}),", ",(0,s.jsx)(t.code,{children:"1h"}),", etc)"]}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"--timeout"})})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.failurePolicy"}),(0,s.jsx)(t.td,{children:"reinstall"}),(0,s.jsxs)(t.td,{children:["Set to ",(0,s.jsx)(t.code,{children:"abort"})," which case the Helm operation is aborted, pending manual intervention by the operator."]}),(0,s.jsx)(t.td,{})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.authSecret"}),(0,s.jsx)(t.td,{}),(0,s.jsxs)(t.td,{children:["Reference to Secret of type ",(0,s.jsx)(t.code,{children:"kubernetes.io/basic-auth"})," holding Basic auth credentials for the Chart repo."]}),(0,s.jsx)(t.td,{})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.authPassCredentials"}),(0,s.jsx)(t.td,{children:"false"}),(0,s.jsx)(t.td,{children:"Pass Basic auth credentials to all domains."}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"--pass-credentials"})})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.dockerRegistrySecret"}),(0,s.jsx)(t.td,{}),(0,s.jsxs)(t.td,{children:["Reference to Secret of type ",(0,s.jsx)(t.code,{children:"kubernetes.io/dockerconfigjson"})," holding Docker auth credentials for the OCI-based registry acting as the Chart repo."]}),(0,s.jsx)(t.td,{})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.valuesContent"}),(0,s.jsx)(t.td,{}),(0,s.jsx)(t.td,{children:"Override complex default Chart values via YAML file content"}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"--values"})})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.chartContent"}),(0,s.jsx)(t.td,{}),(0,s.jsx)(t.td,{children:"Base64-encoded chart archive .tgz - overrides spec.chart"}),(0,s.jsx)(t.td,{children:"CHART"})]})]})]}),"\n",(0,s.jsxs)(t.p,{children:["Content placed in ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/static/"})," can be accessed anonymously via the Kubernetes APIServer from within the cluster. This URL can be templated using the special variable ",(0,s.jsx)(t.code,{children:"%{KUBERNETES_API}%"})," in the ",(0,s.jsx)(t.code,{children:"spec.chart"})," field. For example, the packaged Traefik component loads its chart from ",(0,s.jsx)(t.code,{children:"https://%{KUBERNETES_API}%/static/charts/traefik-12.0.000.tgz"}),"."]}),"\n",(0,s.jsx)(t.admonition,{type:"note",children:(0,s.jsxs)(t.p,{children:["The ",(0,s.jsx)(t.code,{children:"name"})," field should follow the Helm chart naming conventions. Refer to the ",(0,s.jsx)(t.a,{href:"https://helm.sh/docs/chart_best_practices/conventions/#chart-names",children:"Helm Best Practices documentation"})," to learn more."]})}),"\n",(0,s.jsx)(t.h3,{id:"customizing-packaged-components-with-helmchartconfig",children:"Customizing Packaged Components with HelmChartConfig"}),"\n",(0,s.jsxs)(t.p,{children:["To allow overriding values for packaged components that are deployed as HelmCharts (such as Traefik), K3s supports customizing deployments via a HelmChartConfig resources. The HelmChartConfig resource must match the name and namespace of its corresponding HelmChart, and it supports providing additional ",(0,s.jsx)(t.code,{children:"valuesContent"}),", which is passed to the ",(0,s.jsx)(t.code,{children:"helm"})," command as an additional value file."]}),"\n",(0,s.jsx)(t.admonition,{type:"note",children:(0,s.jsxs)(t.p,{children:["HelmChart ",(0,s.jsx)(t.code,{children:"spec.set"})," values override HelmChart and HelmChartConfig ",(0,s.jsx)(t.code,{children:"spec.valuesContent"})," settings."]})}),"\n",(0,s.jsxs)(t.p,{children:["For example, to customize the packaged Traefik ingress configuration, you can create a file named ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/manifests/traefik-config.yaml"})," and populate it with the following content:"]}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-yaml",children:"apiVersion: helm.cattle.io/v1\nkind: HelmChartConfig\nmetadata:\n name: traefik\n namespace: kube-system\nspec:\n valuesContent: |-\n image:\n name: traefik\n tag: 2.9.10\n ports:\n web:\n forwardedHeaders:\n trustedIPs:\n - 10.0.0.0/8\n"})}),"\n",(0,s.jsx)(t.h3,{id:"migrating-from-helm-v2",children:"Migrating from Helm v2"}),"\n",(0,s.jsxs)(t.p,{children:["K3s can handle either Helm v2 or Helm v3. If you wish to migrate to Helm v3, ",(0,s.jsx)(t.a,{href:"https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/",children:"this"})," blog post by Helm explains how to use a plugin to successfully migrate. Refer to the official Helm 3 documentation ",(0,s.jsx)(t.a,{href:"https://helm.sh/docs/",children:"here"})," for more information. Just be sure you have properly set your kubeconfig as per the section about ",(0,s.jsx)(t.a,{href:"/cluster-access",children:"cluster access."})]}),"\n",(0,s.jsx)(t.admonition,{type:"note",children:(0,s.jsxs)(t.p,{children:["Helm 3 no longer requires Tiller and the ",(0,s.jsx)(t.code,{children:"helm init"})," command. Refer to the official documentation for details."]})})]})}function h(e={}){const{wrapper:t}={...(0,r.a)(),...e.components};return t?(0,s.jsx)(t,{...e,children:(0,s.jsx)(d,{...e})}):d(e)}},1151:(e,t,n)=>{n.d(t,{Z:()=>c,a:()=>a});var s=n(7294);const r={},i=s.createContext(r);function a(e){const t=s.useContext(i);return s.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function c(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:a(e.components),s.createElement(i.Provider,{value:t},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/109.b4b6c92d.js b/assets/js/109.bf60b3bc.js similarity index 99% rename from assets/js/109.b4b6c92d.js rename to assets/js/109.bf60b3bc.js index d50894aa9..8c4ae5d49 100644 --- a/assets/js/109.b4b6c92d.js +++ b/assets/js/109.bf60b3bc.js @@ -1790,7 +1790,7 @@ function preorder(g, vs) { } // EXTERNAL MODULE: ./node_modules/dagre-d3-es/src/graphlib/graph.js + 9 modules -var graph = __webpack_require__(2544); +var graph = __webpack_require__(4404); ;// CONCATENATED MODULE: ./node_modules/dagre-d3-es/src/graphlib/alg/prim.js @@ -4353,7 +4353,7 @@ function canonicalize(attrs) { /***/ }), -/***/ 2544: +/***/ 4404: /***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => { @@ -5166,7 +5166,7 @@ function edgeObjToId(isDirected, edgeObj) { /* harmony export */ k: () => (/* reexport safe */ _graph_js__WEBPACK_IMPORTED_MODULE_0__.k) /* harmony export */ }); /* unused harmony export version */ -/* harmony import */ var _graph_js__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(2544); +/* harmony import */ var _graph_js__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(4404); // Includes only the "core" of graphlib diff --git a/assets/js/10b61a3f.97000b17.js b/assets/js/10b61a3f.97000b17.js deleted file mode 100644 index 6a8934110..000000000 --- a/assets/js/10b61a3f.97000b17.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[4902],{8040:(e,r,i)=>{i.r(r),i.d(r,{assets:()=>l,contentTitle:()=>o,default:()=>h,frontMatter:()=>s,metadata:()=>a,toc:()=>d});var t=i(5893),n=i(1151);const s={title:"Private Registry Configuration"},o=void 0,a={id:"installation/private-registry",title:"Private Registry Configuration",description:"Containerd can be configured to connect to private registries and use them to pull images as needed by the kubelet.",source:"@site/docs/installation/private-registry.md",sourceDirName:"installation",slug:"/installation/private-registry",permalink:"/installation/private-registry",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/private-registry.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Private Registry Configuration"},sidebar:"mySidebar",previous:{title:"Configuration Options",permalink:"/installation/configuration"},next:{title:"Embedded Registry Mirror",permalink:"/installation/registry-mirror"}},l={},d=[{value:"Default Endpoint Fallback",id:"default-endpoint-fallback",level:2},{value:"Registries Configuration File",id:"registries-configuration-file",level:2},{value:"Mirrors",id:"mirrors",level:3},{value:"Redirects",id:"redirects",level:4},{value:"Rewrites",id:"rewrites",level:4},{value:"Configs",id:"configs",level:3},{value:"Wildcard Support",id:"wildcard-support",level:3},{value:"With TLS",id:"with-tls",level:3},{value:"Without TLS",id:"without-tls",level:3},{value:"Troubleshooting Image Pulls",id:"troubleshooting-image-pulls",level:2},{value:"Adding Images to the Private Registry",id:"adding-images-to-the-private-registry",level:2}];function c(e){const r={a:"a",admonition:"admonition",blockquote:"blockquote",br:"br",code:"code",em:"em",h2:"h2",h3:"h3",h4:"h4",li:"li",ol:"ol",p:"p",pre:"pre",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,n.a)(),...e.components},{TabItem:i,Tabs:s}=r;return i||p("TabItem",!0),s||p("Tabs",!0),(0,t.jsxs)(t.Fragment,{children:[(0,t.jsx)(r.p,{children:"Containerd can be configured to connect to private registries and use them to pull images as needed by the kubelet."}),"\n",(0,t.jsxs)(r.p,{children:["Upon startup, K3s will check to see if ",(0,t.jsx)(r.code,{children:"/etc/rancher/k3s/registries.yaml"})," exists. If so, the registry configuration contained in this file is used when generating the containerd configuration."]}),"\n",(0,t.jsxs)(r.ul,{children:["\n",(0,t.jsxs)(r.li,{children:["If you want to use a private registry as a mirror for a public registry such as docker.io, then you will need to configure ",(0,t.jsx)(r.code,{children:"registries.yaml"})," on each node that you want to use the mirror."]}),"\n",(0,t.jsxs)(r.li,{children:["If your private registry requires authentication, uses custom TLS certificates, or does not use TLS, you will need to configure ",(0,t.jsx)(r.code,{children:"registries.yaml"})," on each node that will pull images from your registry."]}),"\n"]}),"\n",(0,t.jsxs)(r.p,{children:["Note that server nodes are schedulable by default. If you have not tainted the server nodes and will be running workloads on them,\nplease ensure you also create the ",(0,t.jsx)(r.code,{children:"registries.yaml"})," file on each server as well."]}),"\n",(0,t.jsx)(r.h2,{id:"default-endpoint-fallback",children:"Default Endpoint Fallback"}),"\n",(0,t.jsxs)(r.p,{children:['Containerd has an implicit "default endpoint" for all registries.\nThe default endpoint is always tried as a last resort, even if there are other endpoints listed for that registry in ',(0,t.jsx)(r.code,{children:"registries.yaml"}),".\nFor example, when pulling ",(0,t.jsx)(r.code,{children:"registry.example.com:5000/rancher/mirrored-pause:3.6"}),", containerd will use a default endpoint of ",(0,t.jsx)(r.code,{children:"https://registry.example.com:5000/v2"}),"."]}),"\n",(0,t.jsxs)(r.ul,{children:["\n",(0,t.jsxs)(r.li,{children:["The default endpoint for ",(0,t.jsx)(r.code,{children:"docker.io"})," is ",(0,t.jsx)(r.code,{children:"https://index.docker.io/v2"}),"."]}),"\n",(0,t.jsxs)(r.li,{children:["The default endpoint for all other registries is ",(0,t.jsx)(r.code,{children:"https:///v2"}),", where ",(0,t.jsx)(r.code,{children:""})," is the registry hostname and optional port."]}),"\n"]}),"\n",(0,t.jsxs)(r.p,{children:["In order to be recognized as a registry, the first component of the image name must contain at least one period or colon.\nFor historical reasons, images without a registry specified in their name are implicitly identified as being from ",(0,t.jsx)(r.code,{children:"docker.io"}),"."]}),"\n",(0,t.jsx)(r.admonition,{title:"Version Gate",type:"info",children:(0,t.jsxs)(r.p,{children:["The ",(0,t.jsx)(r.code,{children:"--disable-default-registry-endpoint"})," option is available as an experimental feature as of January 2024 releases: v1.26.13+k3s1, v1.27.10+k3s1, v1.28.6+k3s1, v1.29.1+k3s1"]})}),"\n",(0,t.jsxs)(r.p,{children:["Nodes may be started with the ",(0,t.jsx)(r.code,{children:"--disable-default-registry-endpoint"})," option.\nWhen this is set, containerd will not fall back to the default registry endpoint, and will only pull from configured mirror endpoints,\nalong with the distributed registry if it is enabled."]}),"\n",(0,t.jsx)(r.p,{children:"This may be desired if your cluster is in a true air-gapped environment where the upstream registry is not available,\nor if you wish to have only some nodes pull from the upstream registry."}),"\n",(0,t.jsxs)(r.p,{children:["Disabling the default registry endpoint applies only to registries configured via ",(0,t.jsx)(r.code,{children:"registries.yaml"}),".\nIf the registry is not explicitly configured via mirror entry in ",(0,t.jsx)(r.code,{children:"registries.yaml"}),", the default fallback behavior will still be used."]}),"\n",(0,t.jsx)(r.h2,{id:"registries-configuration-file",children:"Registries Configuration File"}),"\n",(0,t.jsx)(r.p,{children:"The file consists of two top-level keys, with subkeys for each registry:"}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:"mirrors:\n :\n endpoint:\n - https:///v2\nconfigs:\n :\n auth:\n username: \n password: \n token: \n tls:\n ca_file: \n cert_file: \n key_file: \n insecure_skip_verify: \n"})}),"\n",(0,t.jsx)(r.h3,{id:"mirrors",children:"Mirrors"}),"\n",(0,t.jsx)(r.p,{children:"The mirrors section defines the names and endpoints of registries, for example:"}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'mirrors:\n registry.example.com:\n endpoint:\n - "https://registry.example.com:5000"\n'})}),"\n",(0,t.jsx)(r.p,{children:"Each mirror must have a name and set of endpoints. When pulling an image from a registry, containerd will try these endpoint URLs, plus the default endpoint, and use the first working one."}),"\n",(0,t.jsx)(r.h4,{id:"redirects",children:"Redirects"}),"\n",(0,t.jsxs)(r.p,{children:["If the private registry is used as a mirror for another registry, such as when configuring a ",(0,t.jsx)(r.a,{href:"https://docs.docker.com/registry/recipes/mirror/",children:"pull through cache"}),",\nimages pulls are transparently redirected to the listed endpoints. The original registry name is passed to the mirror endpoint via the ",(0,t.jsx)(r.code,{children:"ns"})," query parameter."]}),"\n",(0,t.jsxs)(r.p,{children:["For example, if you have a mirror configured for ",(0,t.jsx)(r.code,{children:"docker.io"}),":"]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:'mirrors:\n docker.io:\n endpoint:\n - "https://registry.example.com:5000"\n'})}),"\n",(0,t.jsxs)(r.p,{children:["Then pulling ",(0,t.jsx)(r.code,{children:"docker.io/rancher/mirrored-pause:3.6"})," will transparently pull the image as ",(0,t.jsx)(r.code,{children:"registry.example.com:5000/rancher/mirrored-pause:3.6"}),"."]}),"\n",(0,t.jsx)(r.h4,{id:"rewrites",children:"Rewrites"}),"\n",(0,t.jsx)(r.p,{children:"Each mirror can have a set of rewrites. Rewrites can change the name of an image based on regular expressions.\nThis is useful if the organization/project structure in the private registry is different than the registry it is mirroring."}),"\n",(0,t.jsxs)(r.p,{children:["For example, the following configuration would transparently pull the image ",(0,t.jsx)(r.code,{children:"docker.io/rancher/mirrored-pause:3.6"})," as ",(0,t.jsx)(r.code,{children:"registry.example.com:5000/mirrorproject/rancher-images/mirrored-pause:3.6"}),":"]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'mirrors:\n docker.io:\n endpoint:\n - "https://registry.example.com:5000"\n rewrite:\n "^rancher/(.*)": "mirrorproject/rancher-images/$1"\n'})}),"\n",(0,t.jsxs)(r.p,{children:["When using redirects and rewrites, images will still be stored under the original name.\nFor example, ",(0,t.jsx)(r.code,{children:"crictl image ls"})," will show ",(0,t.jsx)(r.code,{children:"docker.io/rancher/mirrored-pause:3.6"})," as available on the node, even though the image was pulled from the mirrored registry with a different name."]}),"\n",(0,t.jsx)(r.h3,{id:"configs",children:"Configs"}),"\n",(0,t.jsxs)(r.p,{children:["The ",(0,t.jsx)(r.code,{children:"configs"})," section defines the TLS and credential configuration for each mirror. For each mirror you can define ",(0,t.jsx)(r.code,{children:"auth"})," and/or ",(0,t.jsx)(r.code,{children:"tls"}),"."]}),"\n",(0,t.jsxs)(r.p,{children:["The ",(0,t.jsx)(r.code,{children:"tls"})," part consists of:"]}),"\n",(0,t.jsxs)(r.table,{children:[(0,t.jsx)(r.thead,{children:(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.th,{children:"Directive"}),(0,t.jsx)(r.th,{children:"Description"})]})}),(0,t.jsxs)(r.tbody,{children:[(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.td,{children:(0,t.jsx)(r.code,{children:"cert_file"})}),(0,t.jsx)(r.td,{children:"The client certificate path that will be used to authenticate with the registry"})]}),(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.td,{children:(0,t.jsx)(r.code,{children:"key_file"})}),(0,t.jsx)(r.td,{children:"The client key path that will be used to authenticate with the registry"})]}),(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.td,{children:(0,t.jsx)(r.code,{children:"ca_file"})}),(0,t.jsx)(r.td,{children:"Defines the CA certificate path to be used to verify the registry's server cert file"})]}),(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.td,{children:(0,t.jsx)(r.code,{children:"insecure_skip_verify"})}),(0,t.jsx)(r.td,{children:"Boolean that defines if TLS verification should be skipped for the registry"})]})]})]}),"\n",(0,t.jsxs)(r.p,{children:["The ",(0,t.jsx)(r.code,{children:"auth"})," part consists of either username/password or authentication token:"]}),"\n",(0,t.jsxs)(r.table,{children:[(0,t.jsx)(r.thead,{children:(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.th,{children:"Directive"}),(0,t.jsx)(r.th,{children:"Description"})]})}),(0,t.jsxs)(r.tbody,{children:[(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.td,{children:(0,t.jsx)(r.code,{children:"username"})}),(0,t.jsx)(r.td,{children:"user name of the private registry basic auth"})]}),(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.td,{children:(0,t.jsx)(r.code,{children:"password"})}),(0,t.jsx)(r.td,{children:"user password of the private registry basic auth"})]}),(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.td,{children:(0,t.jsx)(r.code,{children:"auth"})}),(0,t.jsx)(r.td,{children:"authentication token of the private registry basic auth"})]})]})]}),"\n",(0,t.jsx)(r.p,{children:"Below are basic examples of using private registries in different modes:"}),"\n",(0,t.jsx)(r.h3,{id:"wildcard-support",children:"Wildcard Support"}),"\n",(0,t.jsx)(r.admonition,{title:"Version Gate",type:"info",children:(0,t.jsx)(r.p,{children:"Wildcard support is available as of the March 2024 releases: v1.26.15+k3s1, v1.27.12+k3s1, v1.28.8+k3s1, v1.29.3+k3s1"})}),"\n",(0,t.jsxs)(r.p,{children:["The ",(0,t.jsx)(r.code,{children:'"*"'})," wildcard entry can be used in the ",(0,t.jsx)(r.code,{children:"mirrors"})," and ",(0,t.jsx)(r.code,{children:"configs"})," sections to provide default configuration for all registries.\nThe default configuration will only be used if there is no specific entry for that registry. Note that the asterisk MUST be quoted."]}),"\n",(0,t.jsxs)(r.p,{children:["In the following example, a local registry mirror will be used for all registries. TLS verification will be disabled for all registries, except ",(0,t.jsx)(r.code,{children:"docker.io"}),"."]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:'mirrors:\n "*":\n endpoint:\n - "https://registry.example.com:5000"\nconfigs:\n "docker.io":\n "*":\n tls:\n insecure_skip_verify: true\n'})}),"\n",(0,t.jsx)(r.h3,{id:"with-tls",children:"With TLS"}),"\n",(0,t.jsxs)(r.p,{children:["Below are examples showing how you may configure ",(0,t.jsx)(r.code,{children:"/etc/rancher/k3s/registries.yaml"})," on each node when using TLS."]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)(i,{value:"With Authentication",children:(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:'mirrors:\n docker.io:\n endpoint:\n - "https://registry.example.com:5000"\nconfigs:\n "registry.example.com:5000":\n auth:\n username: xxxxxx # this is the registry username\n password: xxxxxx # this is the registry password\n tls:\n cert_file: # path to the cert file used in the registry\n key_file: # path to the key file used in the registry\n ca_file: # path to the ca file used in the registry\n'})})}),(0,t.jsx)(i,{value:"Without Authentication",children:(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:'mirrors:\n docker.io:\n endpoint:\n - "https://registry.example.com:5000"\nconfigs:\n "registry.example.com:5000":\n tls:\n cert_file: # path to the cert file used in the registry\n key_file: # path to the key file used in the registry\n ca_file: # path to the ca file used in the registry\n'})})})]}),"\n",(0,t.jsx)(r.h3,{id:"without-tls",children:"Without TLS"}),"\n",(0,t.jsxs)(r.p,{children:["Below are examples showing how you may configure ",(0,t.jsx)(r.code,{children:"/etc/rancher/k3s/registries.yaml"})," on each node when ",(0,t.jsx)(r.em,{children:"not"})," using TLS."]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)(i,{value:"With Authentication",children:(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:'mirrors:\n docker.io:\n endpoint:\n - "http://registry.example.com:5000"\nconfigs:\n "registry.example.com:5000":\n auth:\n username: xxxxxx # this is the registry username\n password: xxxxxx # this is the registry password\n'})})}),(0,t.jsx)(i,{value:"Without Authentication",children:(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:'mirrors:\n docker.io:\n endpoint:\n - "http://registry.example.com:5000"\n'})})})]}),"\n",(0,t.jsxs)(r.blockquote,{children:["\n",(0,t.jsxs)(r.p,{children:["In case of no TLS communication, you need to specify ",(0,t.jsx)(r.code,{children:"http://"})," for the endpoints, otherwise it will default to https."]}),"\n"]}),"\n",(0,t.jsx)(r.p,{children:"In order for the registry changes to take effect, you need to restart K3s on each node."}),"\n",(0,t.jsx)(r.h2,{id:"troubleshooting-image-pulls",children:"Troubleshooting Image Pulls"}),"\n",(0,t.jsx)(r.p,{children:"When Kubernetes experiences problems pulling an image, the error displayed by the kubelet may only reflect the terminal error returned\nby the pull attempt made against the default endpoint, making it appear that the configured endpoints are not being used."}),"\n",(0,t.jsxs)(r.p,{children:["Check the containerd log on the node at ",(0,t.jsx)(r.code,{children:"/var/lib/rancher/k3s/agent/containerd/containerd.log"})," for detailed information on the root cause of the failure."]}),"\n",(0,t.jsx)(r.h2,{id:"adding-images-to-the-private-registry",children:"Adding Images to the Private Registry"}),"\n",(0,t.jsxs)(r.p,{children:["Mirroring images to a private registry requires a host with Docker or other 3rd party tooling that is capable of pulling and pushing images.",(0,t.jsx)(r.br,{}),"\n","The steps below assume you have a host with dockerd and the docker CLI tools, and access to both docker.io and your private registry."]}),"\n",(0,t.jsxs)(r.ol,{children:["\n",(0,t.jsxs)(r.li,{children:["Obtain the ",(0,t.jsx)(r.code,{children:"k3s-images.txt"})," file from GitHub for the release you are working with."]}),"\n",(0,t.jsxs)(r.li,{children:["Pull each of the K3s images listed on the k3s-images.txt file from docker.io.",(0,t.jsx)(r.br,{}),"\n","Example: ",(0,t.jsx)(r.code,{children:"docker pull docker.io/rancher/mirrored-pause:3.6"})]}),"\n",(0,t.jsxs)(r.li,{children:["Retag the images to the private registry.",(0,t.jsx)(r.br,{}),"\n","Example: ",(0,t.jsx)(r.code,{children:"docker tag docker.io/rancher/mirrored-pause:3.6 registry.example.com:5000/rancher/mirrored-pause:3.6"})]}),"\n",(0,t.jsxs)(r.li,{children:["Push the images to the private registry.",(0,t.jsx)(r.br,{}),"\n","Example: ",(0,t.jsx)(r.code,{children:"docker push registry.example.com:5000/rancher/mirrored-pause:3.6"})]}),"\n"]})]})}function h(e={}){const{wrapper:r}={...(0,n.a)(),...e.components};return r?(0,t.jsx)(r,{...e,children:(0,t.jsx)(c,{...e})}):c(e)}function p(e,r){throw new Error("Expected "+(r?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,r,i)=>{i.d(r,{Z:()=>a,a:()=>o});var t=i(7294);const n={},s=t.createContext(n);function o(e){const r=t.useContext(s);return t.useMemo((function(){return"function"==typeof e?e(r):{...r,...e}}),[r,e])}function a(e){let r;return r=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:o(e.components),t.createElement(s.Provider,{value:r},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/10b61a3f.ba9c77f7.js b/assets/js/10b61a3f.ba9c77f7.js new file mode 100644 index 000000000..96fea3c1e --- /dev/null +++ b/assets/js/10b61a3f.ba9c77f7.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[4902],{8040:(e,r,i)=>{i.r(r),i.d(r,{assets:()=>l,contentTitle:()=>o,default:()=>h,frontMatter:()=>s,metadata:()=>a,toc:()=>d});var t=i(5893),n=i(1151);const s={title:"Private Registry Configuration"},o=void 0,a={id:"installation/private-registry",title:"Private Registry Configuration",description:"Containerd can be configured to connect to private registries and use them to pull images as needed by the kubelet.",source:"@site/docs/installation/private-registry.md",sourceDirName:"installation",slug:"/installation/private-registry",permalink:"/installation/private-registry",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/private-registry.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Private Registry Configuration"},sidebar:"mySidebar",previous:{title:"Configuration Options",permalink:"/installation/configuration"},next:{title:"Embedded Registry Mirror",permalink:"/installation/registry-mirror"}},l={},d=[{value:"Default Endpoint Fallback",id:"default-endpoint-fallback",level:2},{value:"Registries Configuration File",id:"registries-configuration-file",level:2},{value:"Mirrors",id:"mirrors",level:3},{value:"Redirects",id:"redirects",level:4},{value:"Rewrites",id:"rewrites",level:4},{value:"Configs",id:"configs",level:3},{value:"Wildcard Support",id:"wildcard-support",level:3},{value:"With TLS",id:"with-tls",level:3},{value:"Without TLS",id:"without-tls",level:3},{value:"Troubleshooting Image Pulls",id:"troubleshooting-image-pulls",level:2},{value:"Adding Images to the Private Registry",id:"adding-images-to-the-private-registry",level:2}];function c(e){const r={a:"a",admonition:"admonition",blockquote:"blockquote",br:"br",code:"code",em:"em",h2:"h2",h3:"h3",h4:"h4",li:"li",ol:"ol",p:"p",pre:"pre",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,n.a)(),...e.components},{TabItem:i,Tabs:s}=r;return i||p("TabItem",!0),s||p("Tabs",!0),(0,t.jsxs)(t.Fragment,{children:[(0,t.jsx)(r.p,{children:"Containerd can be configured to connect to private registries and use them to pull images as needed by the kubelet."}),"\n",(0,t.jsxs)(r.p,{children:["Upon startup, K3s will check to see if ",(0,t.jsx)(r.code,{children:"/etc/rancher/k3s/registries.yaml"})," exists. If so, the registry configuration contained in this file is used when generating the containerd configuration."]}),"\n",(0,t.jsxs)(r.ul,{children:["\n",(0,t.jsxs)(r.li,{children:["If you want to use a private registry as a mirror for a public registry such as docker.io, then you will need to configure ",(0,t.jsx)(r.code,{children:"registries.yaml"})," on each node that you want to use the mirror."]}),"\n",(0,t.jsxs)(r.li,{children:["If your private registry requires authentication, uses custom TLS certificates, or does not use TLS, you will need to configure ",(0,t.jsx)(r.code,{children:"registries.yaml"})," on each node that will pull images from your registry."]}),"\n"]}),"\n",(0,t.jsxs)(r.p,{children:["Note that server nodes are schedulable by default. If you have not tainted the server nodes and will be running workloads on them,\nplease ensure you also create the ",(0,t.jsx)(r.code,{children:"registries.yaml"})," file on each server as well."]}),"\n",(0,t.jsx)(r.h2,{id:"default-endpoint-fallback",children:"Default Endpoint Fallback"}),"\n",(0,t.jsxs)(r.p,{children:['Containerd has an implicit "default endpoint" for all registries.\nThe default endpoint is always tried as a last resort, even if there are other endpoints listed for that registry in ',(0,t.jsx)(r.code,{children:"registries.yaml"}),".\nFor example, when pulling ",(0,t.jsx)(r.code,{children:"registry.example.com:5000/rancher/mirrored-pause:3.6"}),", containerd will use a default endpoint of ",(0,t.jsx)(r.code,{children:"https://registry.example.com:5000/v2"}),"."]}),"\n",(0,t.jsxs)(r.ul,{children:["\n",(0,t.jsxs)(r.li,{children:["The default endpoint for ",(0,t.jsx)(r.code,{children:"docker.io"})," is ",(0,t.jsx)(r.code,{children:"https://index.docker.io/v2"}),"."]}),"\n",(0,t.jsxs)(r.li,{children:["The default endpoint for all other registries is ",(0,t.jsx)(r.code,{children:"https:///v2"}),", where ",(0,t.jsx)(r.code,{children:""})," is the registry hostname and optional port."]}),"\n"]}),"\n",(0,t.jsxs)(r.p,{children:["In order to be recognized as a registry, the first component of the image name must contain at least one period or colon.\nFor historical reasons, images without a registry specified in their name are implicitly identified as being from ",(0,t.jsx)(r.code,{children:"docker.io"}),"."]}),"\n",(0,t.jsx)(r.admonition,{title:"Version Gate",type:"info",children:(0,t.jsxs)(r.p,{children:["The ",(0,t.jsx)(r.code,{children:"--disable-default-registry-endpoint"})," option is available as an experimental feature as of January 2024 releases: v1.26.13+k3s1, v1.27.10+k3s1, v1.28.6+k3s1, v1.29.1+k3s1"]})}),"\n",(0,t.jsxs)(r.p,{children:["Nodes may be started with the ",(0,t.jsx)(r.code,{children:"--disable-default-registry-endpoint"})," option.\nWhen this is set, containerd will not fall back to the default registry endpoint, and will only pull from configured mirror endpoints,\nalong with the distributed registry if it is enabled."]}),"\n",(0,t.jsx)(r.p,{children:"This may be desired if your cluster is in a true air-gapped environment where the upstream registry is not available,\nor if you wish to have only some nodes pull from the upstream registry."}),"\n",(0,t.jsxs)(r.p,{children:["Disabling the default registry endpoint applies only to registries configured via ",(0,t.jsx)(r.code,{children:"registries.yaml"}),".\nIf the registry is not explicitly configured via mirror entry in ",(0,t.jsx)(r.code,{children:"registries.yaml"}),", the default fallback behavior will still be used."]}),"\n",(0,t.jsx)(r.h2,{id:"registries-configuration-file",children:"Registries Configuration File"}),"\n",(0,t.jsx)(r.p,{children:"The file consists of two top-level keys, with subkeys for each registry:"}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:"mirrors:\n :\n endpoint:\n - https:///v2\nconfigs:\n :\n auth:\n username: \n password: \n token: \n tls:\n ca_file: \n cert_file: \n key_file: \n insecure_skip_verify: \n"})}),"\n",(0,t.jsx)(r.h3,{id:"mirrors",children:"Mirrors"}),"\n",(0,t.jsx)(r.p,{children:"The mirrors section defines the names and endpoints of registries, for example:"}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'mirrors:\n registry.example.com:\n endpoint:\n - "https://registry.example.com:5000"\n'})}),"\n",(0,t.jsx)(r.p,{children:"Each mirror must have a name and set of endpoints. When pulling an image from a registry, containerd will try these endpoint URLs, plus the default endpoint, and use the first working one."}),"\n",(0,t.jsx)(r.h4,{id:"redirects",children:"Redirects"}),"\n",(0,t.jsxs)(r.p,{children:["If the private registry is used as a mirror for another registry, such as when configuring a ",(0,t.jsx)(r.a,{href:"https://docs.docker.com/registry/recipes/mirror/",children:"pull through cache"}),",\nimages pulls are transparently redirected to the listed endpoints. The original registry name is passed to the mirror endpoint via the ",(0,t.jsx)(r.code,{children:"ns"})," query parameter."]}),"\n",(0,t.jsxs)(r.p,{children:["For example, if you have a mirror configured for ",(0,t.jsx)(r.code,{children:"docker.io"}),":"]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:'mirrors:\n docker.io:\n endpoint:\n - "https://registry.example.com:5000"\n'})}),"\n",(0,t.jsxs)(r.p,{children:["Then pulling ",(0,t.jsx)(r.code,{children:"docker.io/rancher/mirrored-pause:3.6"})," will transparently pull the image as ",(0,t.jsx)(r.code,{children:"registry.example.com:5000/rancher/mirrored-pause:3.6"}),"."]}),"\n",(0,t.jsx)(r.h4,{id:"rewrites",children:"Rewrites"}),"\n",(0,t.jsx)(r.p,{children:"Each mirror can have a set of rewrites. Rewrites can change the name of an image based on regular expressions.\nThis is useful if the organization/project structure in the private registry is different than the registry it is mirroring."}),"\n",(0,t.jsxs)(r.p,{children:["For example, the following configuration would transparently pull the image ",(0,t.jsx)(r.code,{children:"docker.io/rancher/mirrored-pause:3.6"})," as ",(0,t.jsx)(r.code,{children:"registry.example.com:5000/mirrorproject/rancher-images/mirrored-pause:3.6"}),":"]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'mirrors:\n docker.io:\n endpoint:\n - "https://registry.example.com:5000"\n rewrite:\n "^rancher/(.*)": "mirrorproject/rancher-images/$1"\n'})}),"\n",(0,t.jsxs)(r.p,{children:["When using redirects and rewrites, images will still be stored under the original name.\nFor example, ",(0,t.jsx)(r.code,{children:"crictl image ls"})," will show ",(0,t.jsx)(r.code,{children:"docker.io/rancher/mirrored-pause:3.6"})," as available on the node, even though the image was pulled from the mirrored registry with a different name."]}),"\n",(0,t.jsx)(r.h3,{id:"configs",children:"Configs"}),"\n",(0,t.jsxs)(r.p,{children:["The ",(0,t.jsx)(r.code,{children:"configs"})," section defines the TLS and credential configuration for each mirror. For each mirror you can define ",(0,t.jsx)(r.code,{children:"auth"})," and/or ",(0,t.jsx)(r.code,{children:"tls"}),"."]}),"\n",(0,t.jsxs)(r.p,{children:["The ",(0,t.jsx)(r.code,{children:"tls"})," part consists of:"]}),"\n",(0,t.jsxs)(r.table,{children:[(0,t.jsx)(r.thead,{children:(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.th,{children:"Directive"}),(0,t.jsx)(r.th,{children:"Description"})]})}),(0,t.jsxs)(r.tbody,{children:[(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.td,{children:(0,t.jsx)(r.code,{children:"cert_file"})}),(0,t.jsx)(r.td,{children:"The client certificate path that will be used to authenticate with the registry"})]}),(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.td,{children:(0,t.jsx)(r.code,{children:"key_file"})}),(0,t.jsx)(r.td,{children:"The client key path that will be used to authenticate with the registry"})]}),(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.td,{children:(0,t.jsx)(r.code,{children:"ca_file"})}),(0,t.jsx)(r.td,{children:"Defines the CA certificate path to be used to verify the registry's server cert file"})]}),(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.td,{children:(0,t.jsx)(r.code,{children:"insecure_skip_verify"})}),(0,t.jsx)(r.td,{children:"Boolean that defines if TLS verification should be skipped for the registry"})]})]})]}),"\n",(0,t.jsxs)(r.p,{children:["The ",(0,t.jsx)(r.code,{children:"auth"})," part consists of either username/password or authentication token:"]}),"\n",(0,t.jsxs)(r.table,{children:[(0,t.jsx)(r.thead,{children:(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.th,{children:"Directive"}),(0,t.jsx)(r.th,{children:"Description"})]})}),(0,t.jsxs)(r.tbody,{children:[(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.td,{children:(0,t.jsx)(r.code,{children:"username"})}),(0,t.jsx)(r.td,{children:"user name of the private registry basic auth"})]}),(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.td,{children:(0,t.jsx)(r.code,{children:"password"})}),(0,t.jsx)(r.td,{children:"user password of the private registry basic auth"})]}),(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.td,{children:(0,t.jsx)(r.code,{children:"auth"})}),(0,t.jsx)(r.td,{children:"authentication token of the private registry basic auth"})]})]})]}),"\n",(0,t.jsx)(r.p,{children:"Below are basic examples of using private registries in different modes:"}),"\n",(0,t.jsx)(r.h3,{id:"wildcard-support",children:"Wildcard Support"}),"\n",(0,t.jsx)(r.admonition,{title:"Version Gate",type:"info",children:(0,t.jsx)(r.p,{children:"Wildcard support is available as of the March 2024 releases: v1.26.15+k3s1, v1.27.12+k3s1, v1.28.8+k3s1, v1.29.3+k3s1"})}),"\n",(0,t.jsxs)(r.p,{children:["The ",(0,t.jsx)(r.code,{children:'"*"'})," wildcard entry can be used in the ",(0,t.jsx)(r.code,{children:"mirrors"})," and ",(0,t.jsx)(r.code,{children:"configs"})," sections to provide default configuration for all registries.\nThe default configuration will only be used if there is no specific entry for that registry. Note that the asterisk MUST be quoted."]}),"\n",(0,t.jsxs)(r.p,{children:["In the following example, a local registry mirror will be used for all registries. TLS verification will be disabled for all registries, except ",(0,t.jsx)(r.code,{children:"docker.io"}),"."]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:'mirrors:\n "*":\n endpoint:\n - "https://registry.example.com:5000"\nconfigs:\n "docker.io":\n "*":\n tls:\n insecure_skip_verify: true\n'})}),"\n",(0,t.jsx)(r.h3,{id:"with-tls",children:"With TLS"}),"\n",(0,t.jsxs)(r.p,{children:["Below are examples showing how you may configure ",(0,t.jsx)(r.code,{children:"/etc/rancher/k3s/registries.yaml"})," on each node when using TLS."]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)(i,{value:"With Authentication",children:(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:'mirrors:\n docker.io:\n endpoint:\n - "https://registry.example.com:5000"\nconfigs:\n "registry.example.com:5000":\n auth:\n username: xxxxxx # this is the registry username\n password: xxxxxx # this is the registry password\n tls:\n cert_file: # path to the cert file used in the registry\n key_file: # path to the key file used in the registry\n ca_file: # path to the ca file used in the registry\n'})})}),(0,t.jsx)(i,{value:"Without Authentication",children:(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:'mirrors:\n docker.io:\n endpoint:\n - "https://registry.example.com:5000"\nconfigs:\n "registry.example.com:5000":\n tls:\n cert_file: # path to the cert file used in the registry\n key_file: # path to the key file used in the registry\n ca_file: # path to the ca file used in the registry\n'})})})]}),"\n",(0,t.jsx)(r.h3,{id:"without-tls",children:"Without TLS"}),"\n",(0,t.jsxs)(r.p,{children:["Below are examples showing how you may configure ",(0,t.jsx)(r.code,{children:"/etc/rancher/k3s/registries.yaml"})," on each node when ",(0,t.jsx)(r.em,{children:"not"})," using TLS."]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)(i,{value:"With Authentication",children:(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:'mirrors:\n docker.io:\n endpoint:\n - "http://registry.example.com:5000"\nconfigs:\n "registry.example.com:5000":\n auth:\n username: xxxxxx # this is the registry username\n password: xxxxxx # this is the registry password\n'})})}),(0,t.jsx)(i,{value:"Without Authentication",children:(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:'mirrors:\n docker.io:\n endpoint:\n - "http://registry.example.com:5000"\n'})})})]}),"\n",(0,t.jsxs)(r.blockquote,{children:["\n",(0,t.jsxs)(r.p,{children:["In case of no TLS communication, you need to specify ",(0,t.jsx)(r.code,{children:"http://"})," for the endpoints, otherwise it will default to https."]}),"\n"]}),"\n",(0,t.jsx)(r.p,{children:"In order for the registry changes to take effect, you need to restart K3s on each node."}),"\n",(0,t.jsx)(r.h2,{id:"troubleshooting-image-pulls",children:"Troubleshooting Image Pulls"}),"\n",(0,t.jsx)(r.p,{children:"When Kubernetes experiences problems pulling an image, the error displayed by the kubelet may only reflect the terminal error returned\nby the pull attempt made against the default endpoint, making it appear that the configured endpoints are not being used."}),"\n",(0,t.jsxs)(r.p,{children:["Check the containerd log on the node at ",(0,t.jsx)(r.code,{children:"/var/lib/rancher/k3s/agent/containerd/containerd.log"})," for detailed information on the root cause of the failure."]}),"\n",(0,t.jsx)(r.h2,{id:"adding-images-to-the-private-registry",children:"Adding Images to the Private Registry"}),"\n",(0,t.jsxs)(r.p,{children:["Mirroring images to a private registry requires a host with Docker or other 3rd party tooling that is capable of pulling and pushing images.",(0,t.jsx)(r.br,{}),"\n","The steps below assume you have a host with dockerd and the docker CLI tools, and access to both docker.io and your private registry."]}),"\n",(0,t.jsxs)(r.ol,{children:["\n",(0,t.jsxs)(r.li,{children:["Obtain the ",(0,t.jsx)(r.code,{children:"k3s-images.txt"})," file from GitHub for the release you are working with."]}),"\n",(0,t.jsxs)(r.li,{children:["Pull each of the K3s images listed on the k3s-images.txt file from docker.io.",(0,t.jsx)(r.br,{}),"\n","Example: ",(0,t.jsx)(r.code,{children:"docker pull docker.io/rancher/mirrored-pause:3.6"})]}),"\n",(0,t.jsxs)(r.li,{children:["Retag the images to the private registry.",(0,t.jsx)(r.br,{}),"\n","Example: ",(0,t.jsx)(r.code,{children:"docker tag docker.io/rancher/mirrored-pause:3.6 registry.example.com:5000/rancher/mirrored-pause:3.6"})]}),"\n",(0,t.jsxs)(r.li,{children:["Push the images to the private registry.",(0,t.jsx)(r.br,{}),"\n","Example: ",(0,t.jsx)(r.code,{children:"docker push registry.example.com:5000/rancher/mirrored-pause:3.6"})]}),"\n"]})]})}function h(e={}){const{wrapper:r}={...(0,n.a)(),...e.components};return r?(0,t.jsx)(r,{...e,children:(0,t.jsx)(c,{...e})}):c(e)}function p(e,r){throw new Error("Expected "+(r?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,r,i)=>{i.d(r,{Z:()=>a,a:()=>o});var t=i(7294);const n={},s=t.createContext(n);function o(e){const r=t.useContext(s);return t.useMemo((function(){return"function"==typeof e?e(r):{...r,...e}}),[r,e])}function a(e){let r;return r=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:o(e.components),t.createElement(s.Provider,{value:r},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/17035653.5c7dad87.js b/assets/js/17035653.5c7dad87.js deleted file mode 100644 index 19ca76295..000000000 --- a/assets/js/17035653.5c7dad87.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[8380],{4877:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>o,contentTitle:()=>l,default:()=>d,frontMatter:()=>r,metadata:()=>a,toc:()=>u});var s=t(5893),i=t(1151);const r={title:"Multus and IPAM plugins"},l=void 0,a={id:"networking/multus-ipams",title:"Multus and IPAM plugins",description:"Multus CNI is a CNI plugin that enables attaching multiple network interfaces to pods. Multus does not replace CNI plugins, instead it acts as a CNI plugin multiplexer. Multus is useful in certain use cases, especially when pods are network intensive and require extra network interfaces that support dataplane acceleration techniques such as SR-IOV.",source:"@site/docs/networking/multus-ipams.md",sourceDirName:"networking",slug:"/networking/multus-ipams",permalink:"/networking/multus-ipams",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/networking/multus-ipams.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Multus and IPAM plugins"},sidebar:"mySidebar",previous:{title:"Distributed hybrid or multicloud cluster",permalink:"/networking/distributed-multicloud"},next:{title:"Networking Services",permalink:"/networking/networking-services"}},o={},u=[{value:"Add the Helm Repository",id:"add-the-helm-repository",level:3},{value:"Configure the IPAM plugin",id:"configure-the-ipam-plugin",level:3},{value:"Deploy Multus",id:"deploy-multus",level:3}];function c(e){const n={a:"a",code:"code",h3:"h3",p:"p",pre:"pre",...(0,i.a)(),...e.components},{TabItem:t,Tabs:r}=n;return t||h("TabItem",!0),r||h("Tabs",!0),(0,s.jsxs)(s.Fragment,{children:[(0,s.jsxs)(n.p,{children:[(0,s.jsx)(n.a,{href:"https://github.com/k8snetworkplumbingwg/multus-cni",children:"Multus CNI"})," is a CNI plugin that enables attaching multiple network interfaces to pods. Multus does not replace CNI plugins, instead it acts as a CNI plugin multiplexer. Multus is useful in certain use cases, especially when pods are network intensive and require extra network interfaces that support dataplane acceleration techniques such as SR-IOV."]}),"\n",(0,s.jsx)(n.p,{children:"Multus can not be deployed standalone. It always requires at least one conventional CNI plugin that fulfills the Kubernetes cluster network requirements. That CNI plugin becomes the default for Multus, and will be used to provide the primary interface for all pods. When deploying K3s with default options, that CNI plugin is Flannel."}),"\n",(0,s.jsx)(n.h3,{id:"add-the-helm-repository",children:"Add the Helm Repository"}),"\n",(0,s.jsx)(n.p,{children:"To deploy Multus, we recommend using the following helm repo:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"helm repo add rke2-charts https://rke2-charts.rancher.io\nhelm repo update\n"})}),"\n",(0,s.jsx)(n.h3,{id:"configure-the-ipam-plugin",children:"Configure the IPAM plugin"}),"\n",(0,s.jsx)(n.p,{children:"An IPAM plugin is required to assign IP addresses on the extra interfaces created by Multus."}),"\n",(0,s.jsxs)(r,{groupId:"MultusIPAMplugins",children:[(0,s.jsxs)(t,{value:"host-local",default:!0,children:[(0,s.jsxs)(n.p,{children:["The host-local IPAM plugin allocates ip addresses out of a set of address ranges. It stores the state locally on the host filesystem, hence ensuring uniqueness of IP addresses on a single host. Therefore, we don't recommend it for multi-node clusters. This IPAM plugin does not require any extra deployment. For more information: ",(0,s.jsx)(n.a,{href:"https://www.cni.dev/plugins/current/ipam/host-local/",children:"https://www.cni.dev/plugins/current/ipam/host-local/"}),"."]}),(0,s.jsxs)(n.p,{children:["To use the host-local plugin, please create a file called ",(0,s.jsx)(n.code,{children:"multus-values.yaml"})," with the following content:"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"config:\n cni_conf:\n confDir: /var/lib/rancher/k3s/agent/etc/cni/net.d\n binDir: /var/lib/rancher/k3s/data/current/bin/\n kubeconfig: /var/lib/rancher/k3s/agent/etc/cni/net.d/multus.d/multus.kubeconfig\n"})})]}),(0,s.jsxs)(t,{value:"Whereabouts",default:!0,children:[(0,s.jsxs)(n.p,{children:[(0,s.jsx)(n.a,{href:"https://github.com/k8snetworkplumbingwg/whereabouts",children:"Whereabouts"})," is an IP Address Management (IPAM) CNI plugin that assigns IP addresses cluster-wide."]}),(0,s.jsxs)(n.p,{children:["To use the Whereabouts IPAM plugin, please create a file called ",(0,s.jsx)(n.code,{children:"multus-values.yaml"})," with the following content:"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"config:\n cni_conf:\n confDir: /var/lib/rancher/k3s/agent/etc/cni/net.d\n binDir: /var/lib/rancher/k3s/data/current/bin/\n kubeconfig: /var/lib/rancher/k3s/agent/etc/cni/net.d/multus.d/multus.kubeconfig\nrke2-whereabouts:\n fullnameOverride: whereabouts\n enabled: true\n cniConf:\n confDir: /var/lib/rancher/k3s/agent/etc/cni/net.d\n binDir: /var/lib/rancher/k3s/data/current/bin/\n"})})]}),(0,s.jsxs)(t,{value:"Multus DHCP daemon",default:!0,children:[(0,s.jsxs)(n.p,{children:["The dhcp IPAM plugin can be deployed when there is already a DHCP server running on the network. This daemonset takes care of periodically renewing the DHCP lease. For more information please check the official docs of ",(0,s.jsx)(n.a,{href:"https://www.cni.dev/plugins/current/ipam/dhcp/",children:"DHCP IPAM plugin"}),"."]}),(0,s.jsxs)(n.p,{children:["To use the DHCP plugin, please create a file called ",(0,s.jsx)(n.code,{children:"multus-values.yaml"})," with the following content:"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"config:\n cni_conf:\n confDir: /var/lib/rancher/k3s/agent/etc/cni/net.d\n binDir: /var/lib/rancher/k3s/data/current/bin/\n kubeconfig: /var/lib/rancher/k3s/agent/etc/cni/net.d/multus.d/multus.kubeconfig\nmanifests:\n dhcpDaemonSet: true\n"})})]})]}),"\n",(0,s.jsx)(n.h3,{id:"deploy-multus",children:"Deploy Multus"}),"\n",(0,s.jsxs)(n.p,{children:["After creating the ",(0,s.jsx)(n.code,{children:"multus-values.yaml"})," file, everything is ready to install Multus:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"helm install multus rke2-charts/rke2-multus -n kube-system --kubeconfig /etc/rancher/k3s/k3s.yaml --values multus-values.yaml\n"})}),"\n",(0,s.jsxs)(n.p,{children:["The helm chart install will deploy a DaemonSet to create Multus pods for installing the required CNI binaries in ",(0,s.jsx)(n.code,{children:"/var/lib/rancher/k3s/data/current/"})," and Multus CNI config in ",(0,s.jsx)(n.code,{children:"/var/lib/rancher/k3s/agent/etc/cni/net.d"}),"."]}),"\n",(0,s.jsxs)(n.p,{children:["For more information about Multus, refer to the ",(0,s.jsx)(n.a,{href:"https://github.com/k8snetworkplumbingwg/multus-cni/tree/master/docs",children:"multus-cni"})," documentation."]})]})}function d(e={}){const{wrapper:n}={...(0,i.a)(),...e.components};return n?(0,s.jsx)(n,{...e,children:(0,s.jsx)(c,{...e})}):c(e)}function h(e,n){throw new Error("Expected "+(n?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,n,t)=>{t.d(n,{Z:()=>a,a:()=>l});var s=t(7294);const i={},r=s.createContext(i);function l(e){const n=s.useContext(r);return s.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function a(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(i):e.components||i:l(e.components),s.createElement(r.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/17035653.a7378ff8.js b/assets/js/17035653.a7378ff8.js new file mode 100644 index 000000000..7ba1efbc3 --- /dev/null +++ b/assets/js/17035653.a7378ff8.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[8380],{4877:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>o,contentTitle:()=>l,default:()=>d,frontMatter:()=>r,metadata:()=>a,toc:()=>u});var s=t(5893),i=t(1151);const r={title:"Multus and IPAM plugins"},l=void 0,a={id:"networking/multus-ipams",title:"Multus and IPAM plugins",description:"Multus CNI is a CNI plugin that enables attaching multiple network interfaces to pods. Multus does not replace CNI plugins, instead it acts as a CNI plugin multiplexer. Multus is useful in certain use cases, especially when pods are network intensive and require extra network interfaces that support dataplane acceleration techniques such as SR-IOV.",source:"@site/docs/networking/multus-ipams.md",sourceDirName:"networking",slug:"/networking/multus-ipams",permalink:"/networking/multus-ipams",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/networking/multus-ipams.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Multus and IPAM plugins"},sidebar:"mySidebar",previous:{title:"Distributed hybrid or multicloud cluster",permalink:"/networking/distributed-multicloud"},next:{title:"Networking Services",permalink:"/networking/networking-services"}},o={},u=[{value:"Add the Helm Repository",id:"add-the-helm-repository",level:3},{value:"Configure the IPAM plugin",id:"configure-the-ipam-plugin",level:3},{value:"Deploy Multus",id:"deploy-multus",level:3}];function c(e){const n={a:"a",code:"code",h3:"h3",p:"p",pre:"pre",...(0,i.a)(),...e.components},{TabItem:t,Tabs:r}=n;return t||h("TabItem",!0),r||h("Tabs",!0),(0,s.jsxs)(s.Fragment,{children:[(0,s.jsxs)(n.p,{children:[(0,s.jsx)(n.a,{href:"https://github.com/k8snetworkplumbingwg/multus-cni",children:"Multus CNI"})," is a CNI plugin that enables attaching multiple network interfaces to pods. Multus does not replace CNI plugins, instead it acts as a CNI plugin multiplexer. Multus is useful in certain use cases, especially when pods are network intensive and require extra network interfaces that support dataplane acceleration techniques such as SR-IOV."]}),"\n",(0,s.jsx)(n.p,{children:"Multus can not be deployed standalone. It always requires at least one conventional CNI plugin that fulfills the Kubernetes cluster network requirements. That CNI plugin becomes the default for Multus, and will be used to provide the primary interface for all pods. When deploying K3s with default options, that CNI plugin is Flannel."}),"\n",(0,s.jsx)(n.h3,{id:"add-the-helm-repository",children:"Add the Helm Repository"}),"\n",(0,s.jsx)(n.p,{children:"To deploy Multus, we recommend using the following helm repo:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"helm repo add rke2-charts https://rke2-charts.rancher.io\nhelm repo update\n"})}),"\n",(0,s.jsx)(n.h3,{id:"configure-the-ipam-plugin",children:"Configure the IPAM plugin"}),"\n",(0,s.jsx)(n.p,{children:"An IPAM plugin is required to assign IP addresses on the extra interfaces created by Multus."}),"\n",(0,s.jsxs)(r,{groupId:"MultusIPAMplugins",children:[(0,s.jsxs)(t,{value:"host-local",default:!0,children:[(0,s.jsxs)(n.p,{children:["The host-local IPAM plugin allocates ip addresses out of a set of address ranges. It stores the state locally on the host filesystem, hence ensuring uniqueness of IP addresses on a single host. Therefore, we don't recommend it for multi-node clusters. This IPAM plugin does not require any extra deployment. For more information: ",(0,s.jsx)(n.a,{href:"https://www.cni.dev/plugins/current/ipam/host-local/",children:"https://www.cni.dev/plugins/current/ipam/host-local/"}),"."]}),(0,s.jsxs)(n.p,{children:["To use the host-local plugin, please create a file called ",(0,s.jsx)(n.code,{children:"multus-values.yaml"})," with the following content:"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"config:\n cni_conf:\n confDir: /var/lib/rancher/k3s/agent/etc/cni/net.d\n binDir: /var/lib/rancher/k3s/data/current/bin/\n kubeconfig: /var/lib/rancher/k3s/agent/etc/cni/net.d/multus.d/multus.kubeconfig\n"})})]}),(0,s.jsxs)(t,{value:"Whereabouts",default:!0,children:[(0,s.jsxs)(n.p,{children:[(0,s.jsx)(n.a,{href:"https://github.com/k8snetworkplumbingwg/whereabouts",children:"Whereabouts"})," is an IP Address Management (IPAM) CNI plugin that assigns IP addresses cluster-wide."]}),(0,s.jsxs)(n.p,{children:["To use the Whereabouts IPAM plugin, please create a file called ",(0,s.jsx)(n.code,{children:"multus-values.yaml"})," with the following content:"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"config:\n cni_conf:\n confDir: /var/lib/rancher/k3s/agent/etc/cni/net.d\n binDir: /var/lib/rancher/k3s/data/current/bin/\n kubeconfig: /var/lib/rancher/k3s/agent/etc/cni/net.d/multus.d/multus.kubeconfig\nrke2-whereabouts:\n fullnameOverride: whereabouts\n enabled: true\n cniConf:\n confDir: /var/lib/rancher/k3s/agent/etc/cni/net.d\n binDir: /var/lib/rancher/k3s/data/current/bin/\n"})})]}),(0,s.jsxs)(t,{value:"Multus DHCP daemon",default:!0,children:[(0,s.jsxs)(n.p,{children:["The dhcp IPAM plugin can be deployed when there is already a DHCP server running on the network. This daemonset takes care of periodically renewing the DHCP lease. For more information please check the official docs of ",(0,s.jsx)(n.a,{href:"https://www.cni.dev/plugins/current/ipam/dhcp/",children:"DHCP IPAM plugin"}),"."]}),(0,s.jsxs)(n.p,{children:["To use the DHCP plugin, please create a file called ",(0,s.jsx)(n.code,{children:"multus-values.yaml"})," with the following content:"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"config:\n cni_conf:\n confDir: /var/lib/rancher/k3s/agent/etc/cni/net.d\n binDir: /var/lib/rancher/k3s/data/current/bin/\n kubeconfig: /var/lib/rancher/k3s/agent/etc/cni/net.d/multus.d/multus.kubeconfig\nmanifests:\n dhcpDaemonSet: true\n"})})]})]}),"\n",(0,s.jsx)(n.h3,{id:"deploy-multus",children:"Deploy Multus"}),"\n",(0,s.jsxs)(n.p,{children:["After creating the ",(0,s.jsx)(n.code,{children:"multus-values.yaml"})," file, everything is ready to install Multus:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"helm install multus rke2-charts/rke2-multus -n kube-system --kubeconfig /etc/rancher/k3s/k3s.yaml --values multus-values.yaml\n"})}),"\n",(0,s.jsxs)(n.p,{children:["The helm chart install will deploy a DaemonSet to create Multus pods for installing the required CNI binaries in ",(0,s.jsx)(n.code,{children:"/var/lib/rancher/k3s/data/current/"})," and Multus CNI config in ",(0,s.jsx)(n.code,{children:"/var/lib/rancher/k3s/agent/etc/cni/net.d"}),"."]}),"\n",(0,s.jsxs)(n.p,{children:["For more information about Multus, refer to the ",(0,s.jsx)(n.a,{href:"https://github.com/k8snetworkplumbingwg/multus-cni/tree/master/docs",children:"multus-cni"})," documentation."]})]})}function d(e={}){const{wrapper:n}={...(0,i.a)(),...e.components};return n?(0,s.jsx)(n,{...e,children:(0,s.jsx)(c,{...e})}):c(e)}function h(e,n){throw new Error("Expected "+(n?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,n,t)=>{t.d(n,{Z:()=>a,a:()=>l});var s=t(7294);const i={},r=s.createContext(i);function l(e){const n=s.useContext(r);return s.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function a(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(i):e.components||i:l(e.components),s.createElement(r.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/1772.61c7be9f.js b/assets/js/1772.edd9b014.js similarity index 95% rename from assets/js/1772.61c7be9f.js rename to assets/js/1772.edd9b014.js index fedff29db..8daf6c973 100644 --- a/assets/js/1772.61c7be9f.js +++ b/assets/js/1772.edd9b014.js @@ -1 +1 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[1772],{5658:(e,t,n)=>{n.d(t,{Z:()=>a});n(7294);var s=n(512),i=n(5999),o=n(2503),r=n(5893);function a(e){let{className:t}=e;return(0,r.jsx)("main",{className:(0,s.Z)("container margin-vert--xl",t),children:(0,r.jsx)("div",{className:"row",children:(0,r.jsxs)("div",{className:"col col--6 col--offset-3",children:[(0,r.jsx)(o.Z,{as:"h1",className:"hero__title",children:(0,r.jsx)(i.Z,{id:"theme.NotFound.title",description:"The title of the 404 page",children:"Page Not Found"})}),(0,r.jsx)("p",{children:(0,r.jsx)(i.Z,{id:"theme.NotFound.p1",description:"The first paragraph of the 404 page",children:"We could not find what you were looking for."})}),(0,r.jsx)("p",{children:(0,r.jsx)(i.Z,{id:"theme.NotFound.p2",description:"The 2nd paragraph of the 404 page",children:"Please contact the owner of the site that linked you to the original URL and let them know their link is broken."})})]})})})}},1772:(e,t,n)=>{n.r(t),n.d(t,{default:()=>d});n(7294);var s=n(5999),i=n(1944),o=n(2315),r=n(5658),a=n(5893);function d(){const e=(0,s.I)({id:"theme.NotFound.title",message:"Page Not Found"});return(0,a.jsxs)(a.Fragment,{children:[(0,a.jsx)(i.d,{title:e}),(0,a.jsx)(o.Z,{children:(0,a.jsx)(r.Z,{})})]})}}}]); \ No newline at end of file +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[1772],{5658:(e,t,n)=>{n.d(t,{Z:()=>a});n(7294);var s=n(512),i=n(5999),o=n(2503),r=n(5893);function a(e){let{className:t}=e;return(0,r.jsx)("main",{className:(0,s.Z)("container margin-vert--xl",t),children:(0,r.jsx)("div",{className:"row",children:(0,r.jsxs)("div",{className:"col col--6 col--offset-3",children:[(0,r.jsx)(o.Z,{as:"h1",className:"hero__title",children:(0,r.jsx)(i.Z,{id:"theme.NotFound.title",description:"The title of the 404 page",children:"Page Not Found"})}),(0,r.jsx)("p",{children:(0,r.jsx)(i.Z,{id:"theme.NotFound.p1",description:"The first paragraph of the 404 page",children:"We could not find what you were looking for."})}),(0,r.jsx)("p",{children:(0,r.jsx)(i.Z,{id:"theme.NotFound.p2",description:"The 2nd paragraph of the 404 page",children:"Please contact the owner of the site that linked you to the original URL and let them know their link is broken."})})]})})})}},1772:(e,t,n)=>{n.r(t),n.d(t,{default:()=>d});n(7294);var s=n(5999),i=n(1944),o=n(8947),r=n(5658),a=n(5893);function d(){const e=(0,s.I)({id:"theme.NotFound.title",message:"Page Not Found"});return(0,a.jsxs)(a.Fragment,{children:[(0,a.jsx)(i.d,{title:e}),(0,a.jsx)(o.Z,{children:(0,a.jsx)(r.Z,{})})]})}}}]); \ No newline at end of file diff --git a/assets/js/179ec51e.a93a27f5.js b/assets/js/179ec51e.a93a27f5.js new file mode 100644 index 000000000..a80a0c5e5 --- /dev/null +++ b/assets/js/179ec51e.a93a27f5.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7176],{6790:(e,n,s)=>{s.r(n),s.d(n,{assets:()=>a,contentTitle:()=>c,default:()=>h,frontMatter:()=>i,metadata:()=>l,toc:()=>o});var r=s(5893),t=s(1151);const i={title:"secrets-encrypt"},c="k3s secrets-encrypt",l={id:"cli/secrets-encrypt",title:"secrets-encrypt",description:"K3s supports enabling secrets encryption at rest. For more information, see Secrets Encryption.",source:"@site/docs/cli/secrets-encrypt.md",sourceDirName:"cli",slug:"/cli/secrets-encrypt",permalink:"/cli/secrets-encrypt",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/cli/secrets-encrypt.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"secrets-encrypt"},sidebar:"mySidebar",previous:{title:"etcd-snapshot",permalink:"/cli/etcd-snapshot"},next:{title:"token",permalink:"/cli/token"}},a={},o=[{value:"Secrets Encryption Tool",id:"secrets-encryption-tool",level:2},{value:"New Encryption Key Rotation (Experimental)",id:"new-encryption-key-rotation-experimental",level:3},{value:"Encryption Key Rotation Classic",id:"encryption-key-rotation-classic",level:3},{value:"Secrets Encryption Disable/Re-enable",id:"secrets-encryption-disablere-enable",level:3},{value:"Secrets Encryption Status",id:"secrets-encryption-status",level:3}];function d(e){const n={a:"a",admonition:"admonition",br:"br",code:"code",em:"em",h1:"h1",h2:"h2",h3:"h3",header:"header",li:"li",mdxAdmonitionTitle:"mdxAdmonitionTitle",ol:"ol",p:"p",pre:"pre",strong:"strong",ul:"ul",...(0,t.a)(),...e.components},{TabItem:s,Tabs:i}=n;return s||p("TabItem",!0),i||p("Tabs",!0),(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(n.header,{children:(0,r.jsx)(n.h1,{id:"k3s-secrets-encrypt",children:"k3s secrets-encrypt"})}),"\n",(0,r.jsxs)(n.p,{children:["K3s supports enabling secrets encryption at rest. For more information, see ",(0,r.jsx)(n.a,{href:"/security/secrets-encryption",children:"Secrets Encryption"}),"."]}),"\n",(0,r.jsx)(n.h2,{id:"secrets-encryption-tool",children:"Secrets Encryption Tool"}),"\n",(0,r.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,r.jsxs)(n.p,{children:["Available as of ",(0,r.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.21.8%2Bk3s1",children:"v1.21.8+k3s1"})]})}),"\n",(0,r.jsxs)(n.p,{children:["K3s contains a CLI tool ",(0,r.jsx)(n.code,{children:"secrets-encrypt"}),", which enables automatic control over the following:"]}),"\n",(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsx)(n.li,{children:"Disabling/Enabling secrets encryption"}),"\n",(0,r.jsx)(n.li,{children:"Adding new encryption keys"}),"\n",(0,r.jsx)(n.li,{children:"Rotating and deleting encryption keys"}),"\n",(0,r.jsx)(n.li,{children:"Reencrypting secrets"}),"\n"]}),"\n",(0,r.jsx)(n.admonition,{type:"warning",children:(0,r.jsx)(n.p,{children:"Failure to follow proper procedure for rotating encryption keys can leave your cluster permanently corrupted. Proceed with caution."})}),"\n",(0,r.jsx)(n.h3,{id:"new-encryption-key-rotation-experimental",children:"New Encryption Key Rotation (Experimental)"}),"\n",(0,r.jsxs)(n.admonition,{title:"Version Gate",type:"info",children:[(0,r.jsxs)(n.p,{children:["Available as of ",(0,r.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.1%2Bk3s1",children:"v1.28.1+k3s1"}),". This new version of the tool utilized K8s ",(0,r.jsx)(n.a,{href:"https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/#configure-automatic-reloading",children:"automatic config reloading"})," which is currently in beta. GA is expected in v1.29.0"]}),(0,r.jsxs)(n.p,{children:["For older releases, see ",(0,r.jsx)(n.a,{href:"#encryption-key-rotation-classic",children:"Encryption Key Rotation Classic"})]})]}),"\n",(0,r.jsxs)(i,{groupId:"se",queryString:!0,children:[(0,r.jsxs)(s,{value:"Single-Server",default:!0,children:[(0,r.jsx)(n.p,{children:"To rotate secrets encryption keys on a single-server cluster:"}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsxs)(n.p,{children:["Start the K3s server with the flag ",(0,r.jsx)(n.code,{children:"--secrets-encryption"})]}),"\n",(0,r.jsxs)(n.admonition,{type:"note",children:[(0,r.jsx)(n.mdxAdmonitionTitle,{}),(0,r.jsxs)(n.p,{children:["Starting K3s without encryption and enabling it at a later time is currently ",(0,r.jsx)(n.em,{children:"not"})," supported."]})]}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Rotate secrets encryption keys"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{children:"k3s secrets-encrypt rotate-keys\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Wait for reencryption to finish. Watch the server logs, or wait for:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"$ k3s secrets-encrypt status\nEncryption Status: Enabled\nCurrent Rotation Stage: reencrypt_finished\n"})}),"\n"]}),"\n"]})]}),(0,r.jsxs)(s,{value:"High-Availability",children:[(0,r.jsx)(n.p,{children:"To rotate secrets encryption keys on HA setups:"}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsxs)(n.p,{children:["Start up all three K3s servers with the ",(0,r.jsx)(n.code,{children:"--secrets-encryption"})," flag. For brevity, the servers will be referred to as S1, S2, S3."]}),"\n",(0,r.jsx)(n.admonition,{type:"note",children:(0,r.jsxs)(n.p,{children:["Starting K3s without encryption and enabling it at a later time is currently ",(0,r.jsx)(n.em,{children:"not"})," supported."]})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Rotate secrets encryption keys on S1"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt rotate-keys\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Wait for reencryption to finish. Watch the server logs, or wait for:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"$ k3s secrets-encrypt status\nEncryption Status: Enabled\nCurrent Rotation Stage: reencrypt_finished\n"})}),"\n",(0,r.jsx)(n.admonition,{type:"info",children:(0,r.jsx)(n.p,{children:"K3s will reencrypt ~5 secrets per second. Clusters with large # of secrets can take several minutes to reencrypt. You can track progress in the server logs."})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Restart K3s on S1 with same arguments. If running K3s as a service:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"# If using systemd\nsystemctl restart k3s\n# If using openrc\nrc-service k3s restart\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Once S1 is up, restart K3s on S2 and S3"}),"\n"]}),"\n"]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"encryption-key-rotation-classic",children:"Encryption Key Rotation Classic"}),"\n",(0,r.jsxs)(i,{groupId:"se",queryString:!0,children:[(0,r.jsxs)(s,{value:"Single-Server",default:!0,children:[(0,r.jsx)(n.p,{children:"To rotate secrets encryption keys on a single-server cluster:"}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsxs)(n.p,{children:["Start the K3s server with the flag ",(0,r.jsx)(n.code,{children:"--secrets-encryption"})]}),"\n",(0,r.jsxs)(n.admonition,{type:"note",children:[(0,r.jsx)(n.mdxAdmonitionTitle,{}),(0,r.jsxs)(n.p,{children:["Starting K3s without encryption and enabling it at a later time is currently ",(0,r.jsx)(n.em,{children:"not"})," supported."]})]}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Prepare"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt prepare\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart the K3s server with same arguments. If running K3s as a service:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"# If using systemd\nsystemctl restart k3s\n# If using openrc\nrc-service k3s restart\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Rotate"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt rotate\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart the K3s server with same arguments"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Reencrypt"}),"\n",(0,r.jsx)(n.admonition,{type:"info",children:(0,r.jsxs)(n.p,{children:["K3s will reencrypt ~5 secrets per second.",(0,r.jsx)(n.br,{}),"\n","Clusters with large # of secrets can take several minutes to reencrypt."]})}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt reencrypt\n"})}),"\n"]}),"\n"]})]}),(0,r.jsxs)(s,{value:"High-Availability",children:[(0,r.jsx)(n.p,{children:"The steps are the same for both embedded DB and external DB clusters."}),(0,r.jsx)(n.p,{children:"To rotate secrets encryption keys on HA setups:"}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsxs)(n.p,{children:["Start up all three K3s servers with the ",(0,r.jsx)(n.code,{children:"--secrets-encryption"})," flag. For brevity, the servers will be referred to as S1, S2, S3."]}),"\n",(0,r.jsx)(n.admonition,{title:"Notes",type:"note",children:(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsxs)(n.li,{children:["Starting K3s without encryption and enabling it at a later time is currently ",(0,r.jsx)(n.em,{children:"not"})," supported."]}),"\n",(0,r.jsxs)(n.li,{children:["While not required, it is recommended that you pick one server node from which to run the ",(0,r.jsx)(n.code,{children:"secrets-encrypt"})," commands."]}),"\n"]})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Prepare on S1"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt prepare\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart S1 with same arguments. If running K3s as a service:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"# If using systemd\nsystemctl restart k3s\n# If using openrc\nrc-service k3s restart\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Once S1 is up, kill and restart the S2 and S3"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Rotate on S1"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt rotate\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart S1 with same arguments"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Once S1 is up, kill and restart the S2 and S3"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Reencrypt on S1"}),"\n",(0,r.jsx)(n.admonition,{type:"info",children:(0,r.jsxs)(n.p,{children:["K3s will reencrypt ~5 secrets per second.",(0,r.jsx)(n.br,{}),"\n","Clusters with large # of secrets can take several minutes to reencrypt."]})}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt reencrypt\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart S1 with same arguments"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Once S1 is up, kill and restart the S2 and S3"}),"\n"]}),"\n"]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"secrets-encryption-disablere-enable",children:"Secrets Encryption Disable/Re-enable"}),"\n",(0,r.jsxs)(i,{groupId:"se",queryString:!0,children:[(0,r.jsxs)(s,{value:"Single-Server",default:!0,children:[(0,r.jsxs)(n.p,{children:["After launching a server with ",(0,r.jsx)(n.code,{children:"--secrets-encryption"})," flag, secrets encryption can be disabled."]}),(0,r.jsx)(n.p,{children:"To disable secrets encryption on a single-node cluster:"}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Disable"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt disable\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart the K3s server with same arguments. If running K3s as a service:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"# If using systemd\nsystemctl restart k3s\n# If using openrc\nrc-service k3s restart\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Reencrypt with flags"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt reencrypt --force --skip\n"})}),"\n"]}),"\n"]}),(0,r.jsx)(n.p,{children:"To re-enable secrets encryption on a single node cluster:"}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Enable"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt enable\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart the K3s server with same arguments"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Reencrypt with flags"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt reencrypt --force --skip\n"})}),"\n"]}),"\n"]})]}),(0,r.jsxs)(s,{value:"High-Availability",children:[(0,r.jsxs)(n.p,{children:["After launching a HA cluster with ",(0,r.jsx)(n.code,{children:"--secrets-encryption"})," flags, secrets encryption can be disabled."]}),(0,r.jsx)(n.admonition,{type:"note",children:(0,r.jsxs)(n.p,{children:["While not required, it is recommended that you pick one server node from which to run the ",(0,r.jsx)(n.code,{children:"secrets-encrypt"})," commands."]})}),(0,r.jsx)(n.p,{children:"For brevity, the three servers used in this guide will be referred to as S1, S2, S3."}),(0,r.jsx)(n.p,{children:"To disable secrets encryption on a HA cluster:"}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Disable on S1"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt disable\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart S1 with same arguments. If running K3s as a service:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"# If using systemd\nsystemctl restart k3s\n# If using openrc\nrc-service k3s restart\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Once S1 is up, kill and restart the S2 and S3"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Reencrypt with flags on S1"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt reencrypt --force --skip\n"})}),"\n"]}),"\n"]}),(0,r.jsx)(n.p,{children:"To re-enable secrets encryption on a HA cluster:"}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Enable on S1"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt enable\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart S1 with same arguments"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Once S1 is up, kill and restart the S2 and S3"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Reencrypt with flags on S1"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt reencrypt --force --skip\n"})}),"\n"]}),"\n"]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"secrets-encryption-status",children:"Secrets Encryption Status"}),"\n",(0,r.jsxs)(n.p,{children:["The secrets-encrypt tool includes a ",(0,r.jsx)(n.code,{children:"status"})," command that displays information about the current status of secrets encryption on the node."]}),"\n",(0,r.jsx)(n.p,{children:"An example of the command on a single-server node:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"$ k3s secrets-encrypt status\nEncryption Status: Enabled\nCurrent Rotation Stage: start\nServer Encryption Hashes: All hashes match\n\nActive Key Type Name\n------ -------- ----\n * AES-CBC aescbckey\n\n"})}),"\n",(0,r.jsx)(n.p,{children:"Another example on HA cluster, after rotating the keys, but before restarting the servers:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"$ k3s secrets-encrypt status\nEncryption Status: Enabled\nCurrent Rotation Stage: rotate\nServer Encryption Hashes: hash does not match between node-1 and node-2\n\nActive Key Type Name\n------ -------- ----\n * AES-CBC aescbckey-2021-12-10T22:54:38Z\n AES-CBC aescbckey\n\n"})}),"\n",(0,r.jsx)(n.p,{children:"Details on each section are as follows:"}),"\n",(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.strong,{children:"Encryption Status"}),": Displayed whether secrets encryption is disabled or enabled on the node"]}),"\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.strong,{children:"Current Rotation Stage"}),": Indicates the current rotation stage on the node.",(0,r.jsx)(n.br,{}),"\n","Stages are: ",(0,r.jsx)(n.code,{children:"start"}),", ",(0,r.jsx)(n.code,{children:"prepare"}),", ",(0,r.jsx)(n.code,{children:"rotate"}),", ",(0,r.jsx)(n.code,{children:"reencrypt_request"}),", ",(0,r.jsx)(n.code,{children:"reencrypt_active"}),", ",(0,r.jsx)(n.code,{children:"reencrypt_finished"})]}),"\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.strong,{children:"Server Encryption Hashes"}),": Useful for HA clusters, this indicates whether all servers are on the same stage with their local files. This can be used to identify whether a restart of servers is required before proceeding to the next stage. In the HA example above, node-1 and node-2 have different hashes, indicating that they currently do not have the same encryption configuration. Restarting the servers will sync up their configuration."]}),"\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.strong,{children:"Key Table"}),": Summarizes information about the secrets encryption keys found on the node.","\n",(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.strong,{children:"Active"}),': The "*" indicates which, if any, of the keys are currently used for secrets encryption. An active key is used by Kubernetes to encrypt any new secrets.']}),"\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.strong,{children:"Key Type"}),": All keys using this tool are ",(0,r.jsx)(n.code,{children:"AES-CBC"})," type. See more info ",(0,r.jsx)(n.a,{href:"https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/#providers",children:"here."})]}),"\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.strong,{children:"Name"}),": Name of the encryption key."]}),"\n"]}),"\n"]}),"\n"]})]})}function h(e={}){const{wrapper:n}={...(0,t.a)(),...e.components};return n?(0,r.jsx)(n,{...e,children:(0,r.jsx)(d,{...e})}):d(e)}function p(e,n){throw new Error("Expected "+(n?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,n,s)=>{s.d(n,{Z:()=>l,a:()=>c});var r=s(7294);const t={},i=r.createContext(t);function c(e){const n=r.useContext(i);return r.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function l(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:c(e.components),r.createElement(i.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/179ec51e.db3bde09.js b/assets/js/179ec51e.db3bde09.js deleted file mode 100644 index f2376835c..000000000 --- a/assets/js/179ec51e.db3bde09.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7176],{6790:(e,n,s)=>{s.r(n),s.d(n,{assets:()=>a,contentTitle:()=>c,default:()=>h,frontMatter:()=>i,metadata:()=>l,toc:()=>o});var r=s(5893),t=s(1151);const i={title:"secrets-encrypt"},c="k3s secrets-encrypt",l={id:"cli/secrets-encrypt",title:"secrets-encrypt",description:"K3s supports enabling secrets encryption at rest. For more information, see Secrets Encryption.",source:"@site/docs/cli/secrets-encrypt.md",sourceDirName:"cli",slug:"/cli/secrets-encrypt",permalink:"/cli/secrets-encrypt",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/cli/secrets-encrypt.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"secrets-encrypt"},sidebar:"mySidebar",previous:{title:"etcd-snapshot",permalink:"/cli/etcd-snapshot"},next:{title:"token",permalink:"/cli/token"}},a={},o=[{value:"Secrets Encryption Tool",id:"secrets-encryption-tool",level:2},{value:"New Encryption Key Rotation (Experimental)",id:"new-encryption-key-rotation-experimental",level:3},{value:"Encryption Key Rotation Classic",id:"encryption-key-rotation-classic",level:3},{value:"Secrets Encryption Disable/Re-enable",id:"secrets-encryption-disablere-enable",level:3},{value:"Secrets Encryption Status",id:"secrets-encryption-status",level:3}];function d(e){const n={a:"a",admonition:"admonition",br:"br",code:"code",em:"em",h1:"h1",h2:"h2",h3:"h3",li:"li",mdxAdmonitionTitle:"mdxAdmonitionTitle",ol:"ol",p:"p",pre:"pre",strong:"strong",ul:"ul",...(0,t.a)(),...e.components},{TabItem:s,Tabs:i}=n;return s||p("TabItem",!0),i||p("Tabs",!0),(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(n.h1,{id:"k3s-secrets-encrypt",children:"k3s secrets-encrypt"}),"\n",(0,r.jsxs)(n.p,{children:["K3s supports enabling secrets encryption at rest. For more information, see ",(0,r.jsx)(n.a,{href:"/security/secrets-encryption",children:"Secrets Encryption"}),"."]}),"\n",(0,r.jsx)(n.h2,{id:"secrets-encryption-tool",children:"Secrets Encryption Tool"}),"\n",(0,r.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,r.jsxs)(n.p,{children:["Available as of ",(0,r.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.21.8%2Bk3s1",children:"v1.21.8+k3s1"})]})}),"\n",(0,r.jsxs)(n.p,{children:["K3s contains a CLI tool ",(0,r.jsx)(n.code,{children:"secrets-encrypt"}),", which enables automatic control over the following:"]}),"\n",(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsx)(n.li,{children:"Disabling/Enabling secrets encryption"}),"\n",(0,r.jsx)(n.li,{children:"Adding new encryption keys"}),"\n",(0,r.jsx)(n.li,{children:"Rotating and deleting encryption keys"}),"\n",(0,r.jsx)(n.li,{children:"Reencrypting secrets"}),"\n"]}),"\n",(0,r.jsx)(n.admonition,{type:"warning",children:(0,r.jsx)(n.p,{children:"Failure to follow proper procedure for rotating encryption keys can leave your cluster permanently corrupted. Proceed with caution."})}),"\n",(0,r.jsx)(n.h3,{id:"new-encryption-key-rotation-experimental",children:"New Encryption Key Rotation (Experimental)"}),"\n",(0,r.jsxs)(n.admonition,{title:"Version Gate",type:"info",children:[(0,r.jsxs)(n.p,{children:["Available as of ",(0,r.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.1%2Bk3s1",children:"v1.28.1+k3s1"}),". This new version of the tool utilized K8s ",(0,r.jsx)(n.a,{href:"https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/#configure-automatic-reloading",children:"automatic config reloading"})," which is currently in beta. GA is expected in v1.29.0"]}),(0,r.jsxs)(n.p,{children:["For older releases, see ",(0,r.jsx)(n.a,{href:"#encryption-key-rotation-classic",children:"Encryption Key Rotation Classic"})]})]}),"\n",(0,r.jsxs)(i,{groupId:"se",queryString:!0,children:[(0,r.jsxs)(s,{value:"Single-Server",default:!0,children:[(0,r.jsx)(n.p,{children:"To rotate secrets encryption keys on a single-server cluster:"}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsxs)(n.p,{children:["Start the K3s server with the flag ",(0,r.jsx)(n.code,{children:"--secrets-encryption"})]}),"\n",(0,r.jsxs)(n.admonition,{type:"note",children:[(0,r.jsx)(n.mdxAdmonitionTitle,{}),(0,r.jsxs)(n.p,{children:["Starting K3s without encryption and enabling it at a later time is currently ",(0,r.jsx)(n.em,{children:"not"})," supported."]})]}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Rotate secrets encryption keys"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{children:"k3s secrets-encrypt rotate-keys\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Wait for reencryption to finish. Watch the server logs, or wait for:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"$ k3s secrets-encrypt status\nEncryption Status: Enabled\nCurrent Rotation Stage: reencrypt_finished\n"})}),"\n"]}),"\n"]})]}),(0,r.jsxs)(s,{value:"High-Availability",children:[(0,r.jsx)(n.p,{children:"To rotate secrets encryption keys on HA setups:"}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsxs)(n.p,{children:["Start up all three K3s servers with the ",(0,r.jsx)(n.code,{children:"--secrets-encryption"})," flag. For brevity, the servers will be referred to as S1, S2, S3."]}),"\n",(0,r.jsx)(n.admonition,{type:"note",children:(0,r.jsxs)(n.p,{children:["Starting K3s without encryption and enabling it at a later time is currently ",(0,r.jsx)(n.em,{children:"not"})," supported."]})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Rotate secrets encryption keys on S1"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt rotate-keys\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Wait for reencryption to finish. Watch the server logs, or wait for:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"$ k3s secrets-encrypt status\nEncryption Status: Enabled\nCurrent Rotation Stage: reencrypt_finished\n"})}),"\n",(0,r.jsx)(n.admonition,{type:"info",children:(0,r.jsx)(n.p,{children:"K3s will reencrypt ~5 secrets per second. Clusters with large # of secrets can take several minutes to reencrypt. You can track progress in the server logs."})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Restart K3s on S1 with same arguments. If running K3s as a service:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"# If using systemd\nsystemctl restart k3s\n# If using openrc\nrc-service k3s restart\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Once S1 is up, restart K3s on S2 and S3"}),"\n"]}),"\n"]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"encryption-key-rotation-classic",children:"Encryption Key Rotation Classic"}),"\n",(0,r.jsxs)(i,{groupId:"se",queryString:!0,children:[(0,r.jsxs)(s,{value:"Single-Server",default:!0,children:[(0,r.jsx)(n.p,{children:"To rotate secrets encryption keys on a single-server cluster:"}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsxs)(n.p,{children:["Start the K3s server with the flag ",(0,r.jsx)(n.code,{children:"--secrets-encryption"})]}),"\n",(0,r.jsxs)(n.admonition,{type:"note",children:[(0,r.jsx)(n.mdxAdmonitionTitle,{}),(0,r.jsxs)(n.p,{children:["Starting K3s without encryption and enabling it at a later time is currently ",(0,r.jsx)(n.em,{children:"not"})," supported."]})]}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Prepare"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt prepare\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart the K3s server with same arguments. If running K3s as a service:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"# If using systemd\nsystemctl restart k3s\n# If using openrc\nrc-service k3s restart\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Rotate"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt rotate\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart the K3s server with same arguments"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Reencrypt"}),"\n",(0,r.jsx)(n.admonition,{type:"info",children:(0,r.jsxs)(n.p,{children:["K3s will reencrypt ~5 secrets per second.",(0,r.jsx)(n.br,{}),"\n","Clusters with large # of secrets can take several minutes to reencrypt."]})}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt reencrypt\n"})}),"\n"]}),"\n"]})]}),(0,r.jsxs)(s,{value:"High-Availability",children:[(0,r.jsx)(n.p,{children:"The steps are the same for both embedded DB and external DB clusters."}),(0,r.jsx)(n.p,{children:"To rotate secrets encryption keys on HA setups:"}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsxs)(n.p,{children:["Start up all three K3s servers with the ",(0,r.jsx)(n.code,{children:"--secrets-encryption"})," flag. For brevity, the servers will be referred to as S1, S2, S3."]}),"\n",(0,r.jsx)(n.admonition,{title:"Notes",type:"note",children:(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsxs)(n.li,{children:["Starting K3s without encryption and enabling it at a later time is currently ",(0,r.jsx)(n.em,{children:"not"})," supported."]}),"\n",(0,r.jsxs)(n.li,{children:["While not required, it is recommended that you pick one server node from which to run the ",(0,r.jsx)(n.code,{children:"secrets-encrypt"})," commands."]}),"\n"]})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Prepare on S1"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt prepare\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart S1 with same arguments. If running K3s as a service:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"# If using systemd\nsystemctl restart k3s\n# If using openrc\nrc-service k3s restart\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Once S1 is up, kill and restart the S2 and S3"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Rotate on S1"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt rotate\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart S1 with same arguments"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Once S1 is up, kill and restart the S2 and S3"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Reencrypt on S1"}),"\n",(0,r.jsx)(n.admonition,{type:"info",children:(0,r.jsxs)(n.p,{children:["K3s will reencrypt ~5 secrets per second.",(0,r.jsx)(n.br,{}),"\n","Clusters with large # of secrets can take several minutes to reencrypt."]})}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt reencrypt\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart S1 with same arguments"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Once S1 is up, kill and restart the S2 and S3"}),"\n"]}),"\n"]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"secrets-encryption-disablere-enable",children:"Secrets Encryption Disable/Re-enable"}),"\n",(0,r.jsxs)(i,{groupId:"se",queryString:!0,children:[(0,r.jsxs)(s,{value:"Single-Server",default:!0,children:[(0,r.jsxs)(n.p,{children:["After launching a server with ",(0,r.jsx)(n.code,{children:"--secrets-encryption"})," flag, secrets encryption can be disabled."]}),(0,r.jsx)(n.p,{children:"To disable secrets encryption on a single-node cluster:"}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Disable"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt disable\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart the K3s server with same arguments. If running K3s as a service:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"# If using systemd\nsystemctl restart k3s\n# If using openrc\nrc-service k3s restart\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Reencrypt with flags"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt reencrypt --force --skip\n"})}),"\n"]}),"\n"]}),(0,r.jsx)(n.p,{children:"To re-enable secrets encryption on a single node cluster:"}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Enable"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt enable\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart the K3s server with same arguments"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Reencrypt with flags"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt reencrypt --force --skip\n"})}),"\n"]}),"\n"]})]}),(0,r.jsxs)(s,{value:"High-Availability",children:[(0,r.jsxs)(n.p,{children:["After launching a HA cluster with ",(0,r.jsx)(n.code,{children:"--secrets-encryption"})," flags, secrets encryption can be disabled."]}),(0,r.jsx)(n.admonition,{type:"note",children:(0,r.jsxs)(n.p,{children:["While not required, it is recommended that you pick one server node from which to run the ",(0,r.jsx)(n.code,{children:"secrets-encrypt"})," commands."]})}),(0,r.jsx)(n.p,{children:"For brevity, the three servers used in this guide will be referred to as S1, S2, S3."}),(0,r.jsx)(n.p,{children:"To disable secrets encryption on a HA cluster:"}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Disable on S1"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt disable\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart S1 with same arguments. If running K3s as a service:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"# If using systemd\nsystemctl restart k3s\n# If using openrc\nrc-service k3s restart\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Once S1 is up, kill and restart the S2 and S3"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Reencrypt with flags on S1"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt reencrypt --force --skip\n"})}),"\n"]}),"\n"]}),(0,r.jsx)(n.p,{children:"To re-enable secrets encryption on a HA cluster:"}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Enable on S1"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt enable\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart S1 with same arguments"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Once S1 is up, kill and restart the S2 and S3"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Reencrypt with flags on S1"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt reencrypt --force --skip\n"})}),"\n"]}),"\n"]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"secrets-encryption-status",children:"Secrets Encryption Status"}),"\n",(0,r.jsxs)(n.p,{children:["The secrets-encrypt tool includes a ",(0,r.jsx)(n.code,{children:"status"})," command that displays information about the current status of secrets encryption on the node."]}),"\n",(0,r.jsx)(n.p,{children:"An example of the command on a single-server node:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"$ k3s secrets-encrypt status\nEncryption Status: Enabled\nCurrent Rotation Stage: start\nServer Encryption Hashes: All hashes match\n\nActive Key Type Name\n------ -------- ----\n * AES-CBC aescbckey\n\n"})}),"\n",(0,r.jsx)(n.p,{children:"Another example on HA cluster, after rotating the keys, but before restarting the servers:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"$ k3s secrets-encrypt status\nEncryption Status: Enabled\nCurrent Rotation Stage: rotate\nServer Encryption Hashes: hash does not match between node-1 and node-2\n\nActive Key Type Name\n------ -------- ----\n * AES-CBC aescbckey-2021-12-10T22:54:38Z\n AES-CBC aescbckey\n\n"})}),"\n",(0,r.jsx)(n.p,{children:"Details on each section are as follows:"}),"\n",(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.strong,{children:"Encryption Status"}),": Displayed whether secrets encryption is disabled or enabled on the node"]}),"\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.strong,{children:"Current Rotation Stage"}),": Indicates the current rotation stage on the node.",(0,r.jsx)(n.br,{}),"\n","Stages are: ",(0,r.jsx)(n.code,{children:"start"}),", ",(0,r.jsx)(n.code,{children:"prepare"}),", ",(0,r.jsx)(n.code,{children:"rotate"}),", ",(0,r.jsx)(n.code,{children:"reencrypt_request"}),", ",(0,r.jsx)(n.code,{children:"reencrypt_active"}),", ",(0,r.jsx)(n.code,{children:"reencrypt_finished"})]}),"\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.strong,{children:"Server Encryption Hashes"}),": Useful for HA clusters, this indicates whether all servers are on the same stage with their local files. This can be used to identify whether a restart of servers is required before proceeding to the next stage. In the HA example above, node-1 and node-2 have different hashes, indicating that they currently do not have the same encryption configuration. Restarting the servers will sync up their configuration."]}),"\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.strong,{children:"Key Table"}),": Summarizes information about the secrets encryption keys found on the node.","\n",(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.strong,{children:"Active"}),': The "*" indicates which, if any, of the keys are currently used for secrets encryption. An active key is used by Kubernetes to encrypt any new secrets.']}),"\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.strong,{children:"Key Type"}),": All keys using this tool are ",(0,r.jsx)(n.code,{children:"AES-CBC"})," type. See more info ",(0,r.jsx)(n.a,{href:"https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/#providers",children:"here."})]}),"\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.strong,{children:"Name"}),": Name of the encryption key."]}),"\n"]}),"\n"]}),"\n"]})]})}function h(e={}){const{wrapper:n}={...(0,t.a)(),...e.components};return n?(0,r.jsx)(n,{...e,children:(0,r.jsx)(d,{...e})}):d(e)}function p(e,n){throw new Error("Expected "+(n?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,n,s)=>{s.d(n,{Z:()=>l,a:()=>c});var r=s(7294);const t={},i=r.createContext(t);function c(e){const n=r.useContext(i);return r.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function l(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:c(e.components),r.createElement(i.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/zh/assets/js/1a4e3797.4376c566.js b/assets/js/1a4e3797.7f3d6643.js similarity index 98% rename from zh/assets/js/1a4e3797.4376c566.js rename to assets/js/1a4e3797.7f3d6643.js index 283f18783..880a1133e 100644 --- a/zh/assets/js/1a4e3797.4376c566.js +++ b/assets/js/1a4e3797.7f3d6643.js @@ -1 +1 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7920],{2027:(e,t,r)=>{r.r(t),r.d(t,{default:()=>$});var s=r(7294),a=r(2263),n=r(2315),c=r(5742),l=r(3692),o=r(5999);const u=["zero","one","two","few","many","other"];function h(e){return u.filter((t=>e.includes(t)))}const i={locale:"en",pluralForms:h(["one","other"]),select:e=>1===e?"one":"other"};function m(){const{i18n:{currentLocale:e}}=(0,a.Z)();return(0,s.useMemo)((()=>{try{return function(e){const t=new Intl.PluralRules(e);return{locale:e,pluralForms:h(t.resolvedOptions().pluralCategories),select:e=>t.select(e)}}(e)}catch(t){return console.error(`Failed to use Intl.PluralRules for locale "${e}".\nDocusaurus will fallback to the default (English) implementation.\nError: ${t.message}\n`),i}}),[e])}function d(){const e=m();return{selectMessage:(t,r)=>function(e,t,r){const s=e.split("|");if(1===s.length)return s[0];s.length>r.pluralForms.length&&console.error(`For locale=${r.locale}, a maximum of ${r.pluralForms.length} plural forms are expected (${r.pluralForms.join(",")}), but the message contains ${s.length}: ${e}`);const a=r.select(t),n=r.pluralForms.indexOf(a);return s[Math.min(n,s.length-1)]}(r,t,e)}}var p=r(1728),g=r(6550),x=r(2389),f=r(1029);const y=function(){const e=(0,x.Z)(),t=(0,g.k6)(),r=(0,g.TH)(),{siteConfig:{baseUrl:s}}=(0,a.Z)(),n=e?new URLSearchParams(r.search):null,c=n?.get("q")||"",l=n?.get("ctx")||"",o=n?.get("version")||"",u=e=>{const t=new URLSearchParams(r.search);return e?t.set("q",e):t.delete("q"),t};return{searchValue:c,searchContext:l&&Array.isArray(f.Kc)&&f.Kc.some((e=>"string"==typeof e?e===l:e.path===l))?l:"",searchVersion:o,updateSearchPath:e=>{const r=u(e);t.replace({search:r.toString()})},updateSearchContext:e=>{const s=new URLSearchParams(r.search);s.set("ctx",e),t.replace({search:s.toString()})},generateSearchPageLink:e=>{const t=u(e);return`${s}search?${t.toString()}`}}};var C=r(22),S=r(8202),j=r(3545),I=r(2539),v=r(726),w=r(1073),P=r(311),_=r(3926);const R={searchContextInput:"searchContextInput_mXoe",searchQueryInput:"searchQueryInput_CFBF",searchResultItem:"searchResultItem_U687",searchResultItemPath:"searchResultItemPath_uIbk",searchResultItemSummary:"searchResultItemSummary_oZHr",searchQueryColumn:"searchQueryColumn_q7nx",searchContextColumn:"searchContextColumn_oWAF"};var b=r(51),F=r(5893);function A(){const{siteConfig:{baseUrl:e},i18n:{currentLocale:t}}=(0,a.Z)(),{selectMessage:r}=d(),{searchValue:n,searchContext:l,searchVersion:u,updateSearchPath:h,updateSearchContext:i}=y(),[m,g]=(0,s.useState)(n),[x,j]=(0,s.useState)(),[I,v]=(0,s.useState)(),w=`${e}${u}`,_=(0,s.useMemo)((()=>m?(0,o.I)({id:"theme.SearchPage.existingResultsTitle",message:'Search results for "{query}"',description:"The search page title for non-empty query"},{query:m}):(0,o.I)({id:"theme.SearchPage.emptyResultsTitle",message:"Search the documentation",description:"The search page title for empty query"})),[m]);(0,s.useEffect)((()=>{h(m),x&&(m?x(m,(e=>{v(e)})):v(void 0))}),[m,x]);const A=(0,s.useCallback)((e=>{g(e.target.value)}),[]);return(0,s.useEffect)((()=>{n&&n!==m&&g(n)}),[n]),(0,s.useEffect)((()=>{!async function(){const{wrappedIndexes:e,zhDictionary:t}=!Array.isArray(f.Kc)||l||f.pQ?await(0,C.w)(w,l):{wrappedIndexes:[],zhDictionary:[]};j((()=>(0,S.v)(e,t,100)))}()}),[l,w]),(0,F.jsxs)(s.Fragment,{children:[(0,F.jsxs)(c.Z,{children:[(0,F.jsx)("meta",{property:"robots",content:"noindex, follow"}),(0,F.jsx)("title",{children:_})]}),(0,F.jsxs)("div",{className:"container margin-vert--lg",children:[(0,F.jsx)("h1",{children:_}),(0,F.jsxs)("div",{className:"row",children:[(0,F.jsx)("div",{className:(0,p.Z)("col",{[R.searchQueryColumn]:Array.isArray(f.Kc),"col--9":Array.isArray(f.Kc),"col--12":!Array.isArray(f.Kc)}),children:(0,F.jsx)("input",{type:"search",name:"q",className:R.searchQueryInput,"aria-label":"Search",onChange:A,value:m,autoComplete:"off",autoFocus:!0})}),Array.isArray(f.Kc)?(0,F.jsx)("div",{className:(0,p.Z)("col","col--3","padding-left--none",R.searchContextColumn),children:(0,F.jsxs)("select",{name:"search-context",className:R.searchContextInput,id:"context-selector",value:l,onChange:e=>i(e.target.value),children:[f.pQ&&(0,F.jsx)("option",{value:"",children:(0,o.I)({id:"theme.SearchPage.searchContext.everywhere",message:"Everywhere"})}),f.Kc.map((e=>{const{label:r,path:s}=(0,b._)(e,t);return(0,F.jsx)("option",{value:s,children:r},s)}))]})}):null]}),!x&&m&&(0,F.jsx)("div",{children:(0,F.jsx)(P.Z,{})}),I&&(I.length>0?(0,F.jsx)("p",{children:r(I.length,(0,o.I)({id:"theme.SearchPage.documentsFound.plurals",message:"1 document found|{count} documents found",description:'Pluralized label for "{count} documents found". Use as much plural forms (separated by "|") as your language support (see https://www.unicode.org/cldr/cldr-aux/charts/34/supplemental/language_plural_rules.html)'},{count:I.length}))}):(0,F.jsx)("p",{children:(0,o.I)({id:"theme.SearchPage.noResultsText",message:"No documents were found",description:"The paragraph for empty search result"})})),(0,F.jsx)("section",{children:I&&I.map((e=>(0,F.jsx)(k,{searchResult:e},e.document.i)))})]})]})}function k(e){let{searchResult:{document:t,type:r,page:s,tokens:a,metadata:n}}=e;const c=r===j.P.Title,o=r===j.P.Keywords,u=r===j.P.Description,h=u||o,i=c||h,m=r===j.P.Content,d=(c?t.b:s.b).slice(),p=m||h?t.s:t.t;i||d.push(s.t);let g="";if(f.vc&&a.length>0){const e=new URLSearchParams;for(const t of a)e.append("_highlight",t);g=`?${e.toString()}`}return(0,F.jsxs)("article",{className:R.searchResultItem,children:[(0,F.jsx)("h2",{children:(0,F.jsx)(l.Z,{to:t.u+g+(t.h||""),dangerouslySetInnerHTML:{__html:m||h?(0,I.C)(p,a):(0,v.o)(p,(0,w.m)(n,"t"),a,100)}})}),d.length>0&&(0,F.jsx)("p",{className:R.searchResultItemPath,children:(0,_.e)(d)}),(m||u)&&(0,F.jsx)("p",{className:R.searchResultItemSummary,dangerouslySetInnerHTML:{__html:(0,v.o)(t.t,(0,w.m)(n,"t"),a,100)}})]})}const $=function(){return(0,F.jsx)(n.Z,{children:(0,F.jsx)(A,{})})}}}]); \ No newline at end of file +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7920],{2027:(e,t,r)=>{r.r(t),r.d(t,{default:()=>$});var s=r(7294),a=r(2263),n=r(8947),c=r(5742),l=r(3692),o=r(5999);const u=["zero","one","two","few","many","other"];function h(e){return u.filter((t=>e.includes(t)))}const i={locale:"en",pluralForms:h(["one","other"]),select:e=>1===e?"one":"other"};function m(){const{i18n:{currentLocale:e}}=(0,a.Z)();return(0,s.useMemo)((()=>{try{return function(e){const t=new Intl.PluralRules(e);return{locale:e,pluralForms:h(t.resolvedOptions().pluralCategories),select:e=>t.select(e)}}(e)}catch(t){return console.error(`Failed to use Intl.PluralRules for locale "${e}".\nDocusaurus will fallback to the default (English) implementation.\nError: ${t.message}\n`),i}}),[e])}function d(){const e=m();return{selectMessage:(t,r)=>function(e,t,r){const s=e.split("|");if(1===s.length)return s[0];s.length>r.pluralForms.length&&console.error(`For locale=${r.locale}, a maximum of ${r.pluralForms.length} plural forms are expected (${r.pluralForms.join(",")}), but the message contains ${s.length}: ${e}`);const a=r.select(t),n=r.pluralForms.indexOf(a);return s[Math.min(n,s.length-1)]}(r,t,e)}}var p=r(1728),g=r(6550),x=r(2389),f=r(1029);const y=function(){const e=(0,x.Z)(),t=(0,g.k6)(),r=(0,g.TH)(),{siteConfig:{baseUrl:s}}=(0,a.Z)(),n=e?new URLSearchParams(r.search):null,c=n?.get("q")||"",l=n?.get("ctx")||"",o=n?.get("version")||"",u=e=>{const t=new URLSearchParams(r.search);return e?t.set("q",e):t.delete("q"),t};return{searchValue:c,searchContext:l&&Array.isArray(f.Kc)&&f.Kc.some((e=>"string"==typeof e?e===l:e.path===l))?l:"",searchVersion:o,updateSearchPath:e=>{const r=u(e);t.replace({search:r.toString()})},updateSearchContext:e=>{const s=new URLSearchParams(r.search);s.set("ctx",e),t.replace({search:s.toString()})},generateSearchPageLink:e=>{const t=u(e);return`${s}search?${t.toString()}`}}};var C=r(22),S=r(8202),j=r(3545),I=r(2539),v=r(726),w=r(1073),P=r(311),_=r(3926);const R={searchContextInput:"searchContextInput_mXoe",searchQueryInput:"searchQueryInput_CFBF",searchResultItem:"searchResultItem_U687",searchResultItemPath:"searchResultItemPath_uIbk",searchResultItemSummary:"searchResultItemSummary_oZHr",searchQueryColumn:"searchQueryColumn_q7nx",searchContextColumn:"searchContextColumn_oWAF"};var b=r(51),F=r(5893);function A(){const{siteConfig:{baseUrl:e},i18n:{currentLocale:t}}=(0,a.Z)(),{selectMessage:r}=d(),{searchValue:n,searchContext:l,searchVersion:u,updateSearchPath:h,updateSearchContext:i}=y(),[m,g]=(0,s.useState)(n),[x,j]=(0,s.useState)(),[I,v]=(0,s.useState)(),w=`${e}${u}`,_=(0,s.useMemo)((()=>m?(0,o.I)({id:"theme.SearchPage.existingResultsTitle",message:'Search results for "{query}"',description:"The search page title for non-empty query"},{query:m}):(0,o.I)({id:"theme.SearchPage.emptyResultsTitle",message:"Search the documentation",description:"The search page title for empty query"})),[m]);(0,s.useEffect)((()=>{h(m),x&&(m?x(m,(e=>{v(e)})):v(void 0))}),[m,x]);const A=(0,s.useCallback)((e=>{g(e.target.value)}),[]);return(0,s.useEffect)((()=>{n&&n!==m&&g(n)}),[n]),(0,s.useEffect)((()=>{!async function(){const{wrappedIndexes:e,zhDictionary:t}=!Array.isArray(f.Kc)||l||f.pQ?await(0,C.w)(w,l):{wrappedIndexes:[],zhDictionary:[]};j((()=>(0,S.v)(e,t,100)))}()}),[l,w]),(0,F.jsxs)(s.Fragment,{children:[(0,F.jsxs)(c.Z,{children:[(0,F.jsx)("meta",{property:"robots",content:"noindex, follow"}),(0,F.jsx)("title",{children:_})]}),(0,F.jsxs)("div",{className:"container margin-vert--lg",children:[(0,F.jsx)("h1",{children:_}),(0,F.jsxs)("div",{className:"row",children:[(0,F.jsx)("div",{className:(0,p.Z)("col",{[R.searchQueryColumn]:Array.isArray(f.Kc),"col--9":Array.isArray(f.Kc),"col--12":!Array.isArray(f.Kc)}),children:(0,F.jsx)("input",{type:"search",name:"q",className:R.searchQueryInput,"aria-label":"Search",onChange:A,value:m,autoComplete:"off",autoFocus:!0})}),Array.isArray(f.Kc)?(0,F.jsx)("div",{className:(0,p.Z)("col","col--3","padding-left--none",R.searchContextColumn),children:(0,F.jsxs)("select",{name:"search-context",className:R.searchContextInput,id:"context-selector",value:l,onChange:e=>i(e.target.value),children:[f.pQ&&(0,F.jsx)("option",{value:"",children:(0,o.I)({id:"theme.SearchPage.searchContext.everywhere",message:"Everywhere"})}),f.Kc.map((e=>{const{label:r,path:s}=(0,b._)(e,t);return(0,F.jsx)("option",{value:s,children:r},s)}))]})}):null]}),!x&&m&&(0,F.jsx)("div",{children:(0,F.jsx)(P.Z,{})}),I&&(I.length>0?(0,F.jsx)("p",{children:r(I.length,(0,o.I)({id:"theme.SearchPage.documentsFound.plurals",message:"1 document found|{count} documents found",description:'Pluralized label for "{count} documents found". Use as much plural forms (separated by "|") as your language support (see https://www.unicode.org/cldr/cldr-aux/charts/34/supplemental/language_plural_rules.html)'},{count:I.length}))}):(0,F.jsx)("p",{children:(0,o.I)({id:"theme.SearchPage.noResultsText",message:"No documents were found",description:"The paragraph for empty search result"})})),(0,F.jsx)("section",{children:I&&I.map((e=>(0,F.jsx)(k,{searchResult:e},e.document.i)))})]})]})}function k(e){let{searchResult:{document:t,type:r,page:s,tokens:a,metadata:n}}=e;const c=r===j.P.Title,o=r===j.P.Keywords,u=r===j.P.Description,h=u||o,i=c||h,m=r===j.P.Content,d=(c?t.b:s.b).slice(),p=m||h?t.s:t.t;i||d.push(s.t);let g="";if(f.vc&&a.length>0){const e=new URLSearchParams;for(const t of a)e.append("_highlight",t);g=`?${e.toString()}`}return(0,F.jsxs)("article",{className:R.searchResultItem,children:[(0,F.jsx)("h2",{children:(0,F.jsx)(l.Z,{to:t.u+g+(t.h||""),dangerouslySetInnerHTML:{__html:m||h?(0,I.C)(p,a):(0,v.o)(p,(0,w.m)(n,"t"),a,100)}})}),d.length>0&&(0,F.jsx)("p",{className:R.searchResultItemPath,children:(0,_.e)(d)}),(m||u)&&(0,F.jsx)("p",{className:R.searchResultItemSummary,dangerouslySetInnerHTML:{__html:(0,v.o)(t.t,(0,w.m)(n,"t"),a,100)}})]})}const $=function(){return(0,F.jsx)(n.Z,{children:(0,F.jsx)(A,{})})}}}]); \ No newline at end of file diff --git a/assets/js/1be8dcfa.a0f4bffd.js b/assets/js/1be8dcfa.a0f4bffd.js deleted file mode 100644 index 0eead790e..000000000 --- a/assets/js/1be8dcfa.a0f4bffd.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7628],{2023:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>a,contentTitle:()=>i,default:()=>h,frontMatter:()=>l,metadata:()=>s,toc:()=>o});var r=t(5893),d=t(1151);const l={title:"agent"},i="k3s agent",s={id:"cli/agent",title:"agent",description:"In this section, you'll learn how to configure the K3s agent.",source:"@site/docs/cli/agent.md",sourceDirName:"cli",slug:"/cli/agent",permalink:"/cli/agent",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/cli/agent.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"agent"},sidebar:"mySidebar",previous:{title:"server",permalink:"/cli/server"},next:{title:"certificate",permalink:"/cli/certificate"}},a={},o=[{value:"Logging",id:"logging",level:3},{value:"Cluster Options",id:"cluster-options",level:3},{value:"Data",id:"data",level:3},{value:"Node",id:"node",level:3},{value:"Runtime",id:"runtime",level:3},{value:"Networking",id:"networking",level:3},{value:"Customized Flags",id:"customized-flags",level:3},{value:"Experimental",id:"experimental",level:3},{value:"Deprecated",id:"deprecated",level:3},{value:"Node Labels and Taints for Agents",id:"node-labels-and-taints-for-agents",level:3},{value:"K3s Agent CLI Help",id:"k3s-agent-cli-help",level:3}];function c(e){const n={a:"a",blockquote:"blockquote",code:"code",h1:"h1",h3:"h3",p:"p",pre:"pre",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",...(0,d.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(n.h1,{id:"k3s-agent",children:"k3s agent"}),"\n",(0,r.jsx)(n.p,{children:"In this section, you'll learn how to configure the K3s agent."}),"\n",(0,r.jsx)(n.p,{children:"Note that servers also run an agent, so all flags listed on this page are also valid for use on servers."}),"\n",(0,r.jsxs)(n.p,{children:["Options are documented on this page as CLI flags, but can also be passed as configuration file options. See the ",(0,r.jsx)(n.a,{href:"/installation/configuration#configuration-file",children:"Configuration File"})," documentation for more information on using YAML configuration files."]}),"\n",(0,r.jsx)(n.h3,{id:"logging",children:"Logging"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Default"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsxs)(n.tbody,{children:[(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"-v"})," value"]}),(0,r.jsx)(n.td,{children:"0"}),(0,r.jsx)(n.td,{children:"Number for the log level verbosity"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--vmodule"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Comma-separated list of FILE_PATTERN=LOG_LEVEL settings for file-filtered logging"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--log value, -l"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Log to file"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--alsologtostderr"})}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Log to standard error as well as file (if set)"})]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"cluster-options",children:"Cluster Options"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Environment Variable"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsxs)(n.tbody,{children:[(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--token value, -t"})," value"]}),(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_TOKEN"})}),(0,r.jsx)(n.td,{children:"Token to use for authentication"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--token-file"})," value"]}),(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_TOKEN_FILE"})}),(0,r.jsx)(n.td,{children:"Token file to use for authentication"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--server value, -s"})," value"]}),(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_URL"})}),(0,r.jsx)(n.td,{children:"Server to connect to"})]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"data",children:"Data"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Default"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsx)(n.tbody,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--data-dir value, -d"})," value"]}),(0,r.jsx)(n.td,{children:'"/var/lib/rancher/k3s"'}),(0,r.jsx)(n.td,{children:"Folder to hold state"})]})})]}),"\n",(0,r.jsx)(n.h3,{id:"node",children:"Node"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Environment Variable"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsxs)(n.tbody,{children:[(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--node-name"})," value"]}),(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_NODE_NAME"})}),(0,r.jsx)(n.td,{children:"Node name"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--with-node-id"})}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Append id to node name"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--node-label"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Registering and starting kubelet with set of labels"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--node-taint"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Registering kubelet with set of taints"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--protect-kernel-defaults"})}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Kernel tuning behavior. If set, error if kernel tunables are different from kubelet defaults."})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--selinux"})}),(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_SELINUX"})}),(0,r.jsx)(n.td,{children:"Enable SELinux in containerd"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--lb-server-port"})," value"]}),(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_LB_SERVER_PORT"})}),(0,r.jsx)(n.td,{children:"Local port for supervisor client load-balancer. If the supervisor and apiserver are not colocated an additional port 1 less than this port will also be used for the apiserver client load-balancer. (default: 6444)"})]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"runtime",children:"Runtime"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Default"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsxs)(n.tbody,{children:[(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--container-runtime-endpoint"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Disable embedded containerd and use the CRI socket at the given path; when used with --docker this sets the cri-docker socket path"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--pause-image"})," value"]}),(0,r.jsx)(n.td,{children:'"docker.io/rancher/pause:3.1"'}),(0,r.jsx)(n.td,{children:"Customized pause image for containerd or docker sandbox"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--private-registry"})," value"]}),(0,r.jsx)(n.td,{children:'"/etc/rancher/k3s/registries.yaml"'}),(0,r.jsx)(n.td,{children:"Private registry configuration file"})]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"networking",children:"Networking"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Environment Variable"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsxs)(n.tbody,{children:[(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--node-ip value, -i"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"IP address to advertise for node"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--node-external-ip"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"External IP address to advertise for node"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--resolv-conf"})," value"]}),(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_RESOLV_CONF"})}),(0,r.jsx)(n.td,{children:"Kubelet resolv.conf file"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--flannel-iface"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Override default flannel interface"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--flannel-conf"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Override default flannel config file"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--flannel-cni-conf"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Override default flannel cni config file"})]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"customized-flags",children:"Customized Flags"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsxs)(n.tbody,{children:[(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--kubelet-arg"})," value"]}),(0,r.jsx)(n.td,{children:"Customized flag for kubelet process"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--kube-proxy-arg"})," value"]}),(0,r.jsx)(n.td,{children:"Customized flag for kube-proxy process"})]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"experimental",children:"Experimental"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsxs)(n.tbody,{children:[(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--rootless"})}),(0,r.jsx)(n.td,{children:"Run rootless"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--docker"})}),(0,r.jsx)(n.td,{children:"Use cri-dockerd instead of containerd"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--prefer-bundled-bin"})}),(0,r.jsx)(n.td,{children:"Prefer bundled userspace binaries over host binaries"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--disable-default-registry-endpoint"})}),(0,r.jsxs)(n.td,{children:['See "',(0,r.jsx)(n.a,{href:"/installation/private-registry#default-endpoint-fallback",children:"Default Endpoint Fallback"}),'"']})]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"deprecated",children:"Deprecated"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Environment Variable"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsxs)(n.tbody,{children:[(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--no-flannel"})}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsxs)(n.td,{children:["Use ",(0,r.jsx)(n.code,{children:"--flannel-backend=none"})]})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--cluster-secret"})," value"]}),(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_CLUSTER_SECRET"})}),(0,r.jsxs)(n.td,{children:["Use ",(0,r.jsx)(n.code,{children:"--token"})]})]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"node-labels-and-taints-for-agents",children:"Node Labels and Taints for Agents"}),"\n",(0,r.jsxs)(n.p,{children:["K3s agents can be configured with the options ",(0,r.jsx)(n.code,{children:"--node-label"})," and ",(0,r.jsx)(n.code,{children:"--node-taint"})," which adds a label and taint to the kubelet. The two options only add labels and/or taints at registration time, so they can only be added once and not changed after that again by running K3s commands."]}),"\n",(0,r.jsx)(n.p,{children:"Below is an example showing how to add labels and a taint:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:" --node-label foo=bar \\\n --node-label hello=world \\\n --node-taint key1=value1:NoExecute\n"})}),"\n",(0,r.jsxs)(n.p,{children:["If you want to change node labels and taints after node registration you should use ",(0,r.jsx)(n.code,{children:"kubectl"}),". Refer to the official Kubernetes documentation for details on how to add ",(0,r.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/",children:"taints"})," and ",(0,r.jsx)(n.a,{href:"https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/#add-a-label-to-a-node",children:"node labels."})]}),"\n",(0,r.jsx)(n.h3,{id:"k3s-agent-cli-help",children:"K3s Agent CLI Help"}),"\n",(0,r.jsxs)(n.blockquote,{children:["\n",(0,r.jsxs)(n.p,{children:["If an option appears in brackets below, for example ",(0,r.jsx)(n.code,{children:"[$K3S_URL]"}),", it means that the option can be passed in as an environment variable of that name."]}),"\n"]}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:'NAME:\n k3s agent - Run node agent\n\nUSAGE:\n k3s agent [OPTIONS]\n\nOPTIONS:\n --config FILE, -c FILE (config) Load configuration from FILE (default: "/etc/rancher/k3s/config.yaml") [$K3S_CONFIG_FILE]\n --debug (logging) Turn on debug logs [$K3S_DEBUG]\n -v value (logging) Number for the log level verbosity (default: 0)\n --vmodule value (logging) Comma-separated list of FILE_PATTERN=LOG_LEVEL settings for file-filtered logging\n --log value, -l value (logging) Log to file\n --alsologtostderr (logging) Log to standard error as well as file (if set)\n --token value, -t value (cluster) Token to use for authentication [$K3S_TOKEN]\n --token-file value (cluster) Token file to use for authentication [$K3S_TOKEN_FILE]\n --server value, -s value (cluster) Server to connect to [$K3S_URL]\n --data-dir value, -d value (agent/data) Folder to hold state (default: "/var/lib/rancher/k3s")\n --node-name value (agent/node) Node name [$K3S_NODE_NAME]\n --with-node-id (agent/node) Append id to node name\n --node-label value (agent/node) Registering and starting kubelet with set of labels\n --node-taint value (agent/node) Registering kubelet with set of taints\n --image-credential-provider-bin-dir value (agent/node) The path to the directory where credential provider plugin binaries are located (default: "/var/lib/rancher/credentialprovider/bin")\n --image-credential-provider-config value (agent/node) The path to the credential provider plugin config file (default: "/var/lib/rancher/credentialprovider/config.yaml")\n --selinux (agent/node) Enable SELinux in containerd [$K3S_SELINUX]\n --lb-server-port value (agent/node) Local port for supervisor client load-balancer. If the supervisor and apiserver are not colocated an additional port 1 less than this port will also be used for the apiserver client load-balancer. (default: 6444) [$K3S_LB_SERVER_PORT]\n --protect-kernel-defaults (agent/node) Kernel tuning behavior. If set, error if kernel tunables are different than kubelet defaults.\n --container-runtime-endpoint value (agent/runtime) Disable embedded containerd and use the CRI socket at the given path; when used with --docker this sets the docker socket path\n --pause-image value (agent/runtime) Customized pause image for containerd or docker sandbox (default: "rancher/mirrored-pause:3.6")\n --snapshotter value (agent/runtime) Override default containerd snapshotter (default: "overlayfs")\n --private-registry value (agent/runtime) Private registry configuration file (default: "/etc/rancher/k3s/registries.yaml")\n --node-ip value, -i value (agent/networking) IPv4/IPv6 addresses to advertise for node\n --node-external-ip value (agent/networking) IPv4/IPv6 external IP addresses to advertise for node\n --resolv-conf value (agent/networking) Kubelet resolv.conf file [$K3S_RESOLV_CONF]\n --flannel-iface value (agent/networking) Override default flannel interface\n --flannel-conf value (agent/networking) Override default flannel config file\n --flannel-cni-conf value (agent/networking) Override default flannel cni config file\n --kubelet-arg value (agent/flags) Customized flag for kubelet process\n --kube-proxy-arg value (agent/flags) Customized flag for kube-proxy process\n --rootless (experimental) Run rootless\n --prefer-bundled-bin (experimental) Prefer bundled userspace binaries over host binaries\n --docker (agent/runtime) (experimental) Use cri-dockerd instead of containerd\n'})})]})}function h(e={}){const{wrapper:n}={...(0,d.a)(),...e.components};return n?(0,r.jsx)(n,{...e,children:(0,r.jsx)(c,{...e})}):c(e)}},1151:(e,n,t)=>{t.d(n,{Z:()=>s,a:()=>i});var r=t(7294);const d={},l=r.createContext(d);function i(e){const n=r.useContext(l);return r.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function s(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(d):e.components||d:i(e.components),r.createElement(l.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/1be8dcfa.b8400791.js b/assets/js/1be8dcfa.b8400791.js new file mode 100644 index 000000000..6fb7fca3c --- /dev/null +++ b/assets/js/1be8dcfa.b8400791.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7628],{2023:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>a,contentTitle:()=>i,default:()=>h,frontMatter:()=>l,metadata:()=>s,toc:()=>o});var r=t(5893),d=t(1151);const l={title:"agent"},i="k3s agent",s={id:"cli/agent",title:"agent",description:"In this section, you'll learn how to configure the K3s agent.",source:"@site/docs/cli/agent.md",sourceDirName:"cli",slug:"/cli/agent",permalink:"/cli/agent",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/cli/agent.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"agent"},sidebar:"mySidebar",previous:{title:"server",permalink:"/cli/server"},next:{title:"certificate",permalink:"/cli/certificate"}},a={},o=[{value:"Logging",id:"logging",level:3},{value:"Cluster Options",id:"cluster-options",level:3},{value:"Data",id:"data",level:3},{value:"Node",id:"node",level:3},{value:"Runtime",id:"runtime",level:3},{value:"Networking",id:"networking",level:3},{value:"Customized Flags",id:"customized-flags",level:3},{value:"Experimental",id:"experimental",level:3},{value:"Deprecated",id:"deprecated",level:3},{value:"Node Labels and Taints for Agents",id:"node-labels-and-taints-for-agents",level:3},{value:"K3s Agent CLI Help",id:"k3s-agent-cli-help",level:3}];function c(e){const n={a:"a",blockquote:"blockquote",code:"code",h1:"h1",h3:"h3",header:"header",p:"p",pre:"pre",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",...(0,d.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(n.header,{children:(0,r.jsx)(n.h1,{id:"k3s-agent",children:"k3s agent"})}),"\n",(0,r.jsx)(n.p,{children:"In this section, you'll learn how to configure the K3s agent."}),"\n",(0,r.jsx)(n.p,{children:"Note that servers also run an agent, so all flags listed on this page are also valid for use on servers."}),"\n",(0,r.jsxs)(n.p,{children:["Options are documented on this page as CLI flags, but can also be passed as configuration file options. See the ",(0,r.jsx)(n.a,{href:"/installation/configuration#configuration-file",children:"Configuration File"})," documentation for more information on using YAML configuration files."]}),"\n",(0,r.jsx)(n.h3,{id:"logging",children:"Logging"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Default"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsxs)(n.tbody,{children:[(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"-v"})," value"]}),(0,r.jsx)(n.td,{children:"0"}),(0,r.jsx)(n.td,{children:"Number for the log level verbosity"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--vmodule"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Comma-separated list of FILE_PATTERN=LOG_LEVEL settings for file-filtered logging"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--log value, -l"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Log to file"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--alsologtostderr"})}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Log to standard error as well as file (if set)"})]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"cluster-options",children:"Cluster Options"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Environment Variable"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsxs)(n.tbody,{children:[(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--token value, -t"})," value"]}),(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_TOKEN"})}),(0,r.jsx)(n.td,{children:"Token to use for authentication"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--token-file"})," value"]}),(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_TOKEN_FILE"})}),(0,r.jsx)(n.td,{children:"Token file to use for authentication"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--server value, -s"})," value"]}),(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_URL"})}),(0,r.jsx)(n.td,{children:"Server to connect to"})]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"data",children:"Data"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Default"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsx)(n.tbody,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--data-dir value, -d"})," value"]}),(0,r.jsx)(n.td,{children:'"/var/lib/rancher/k3s"'}),(0,r.jsx)(n.td,{children:"Folder to hold state"})]})})]}),"\n",(0,r.jsx)(n.h3,{id:"node",children:"Node"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Environment Variable"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsxs)(n.tbody,{children:[(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--node-name"})," value"]}),(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_NODE_NAME"})}),(0,r.jsx)(n.td,{children:"Node name"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--with-node-id"})}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Append id to node name"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--node-label"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Registering and starting kubelet with set of labels"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--node-taint"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Registering kubelet with set of taints"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--protect-kernel-defaults"})}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Kernel tuning behavior. If set, error if kernel tunables are different from kubelet defaults."})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--selinux"})}),(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_SELINUX"})}),(0,r.jsx)(n.td,{children:"Enable SELinux in containerd"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--lb-server-port"})," value"]}),(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_LB_SERVER_PORT"})}),(0,r.jsx)(n.td,{children:"Local port for supervisor client load-balancer. If the supervisor and apiserver are not colocated an additional port 1 less than this port will also be used for the apiserver client load-balancer. (default: 6444)"})]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"runtime",children:"Runtime"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Default"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsxs)(n.tbody,{children:[(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--container-runtime-endpoint"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Disable embedded containerd and use the CRI socket at the given path; when used with --docker this sets the cri-docker socket path"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--pause-image"})," value"]}),(0,r.jsx)(n.td,{children:'"docker.io/rancher/pause:3.1"'}),(0,r.jsx)(n.td,{children:"Customized pause image for containerd or docker sandbox"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--private-registry"})," value"]}),(0,r.jsx)(n.td,{children:'"/etc/rancher/k3s/registries.yaml"'}),(0,r.jsx)(n.td,{children:"Private registry configuration file"})]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"networking",children:"Networking"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Environment Variable"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsxs)(n.tbody,{children:[(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--node-ip value, -i"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"IP address to advertise for node"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--node-external-ip"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"External IP address to advertise for node"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--resolv-conf"})," value"]}),(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_RESOLV_CONF"})}),(0,r.jsx)(n.td,{children:"Kubelet resolv.conf file"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--flannel-iface"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Override default flannel interface"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--flannel-conf"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Override default flannel config file"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--flannel-cni-conf"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Override default flannel cni config file"})]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"customized-flags",children:"Customized Flags"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsxs)(n.tbody,{children:[(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--kubelet-arg"})," value"]}),(0,r.jsx)(n.td,{children:"Customized flag for kubelet process"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--kube-proxy-arg"})," value"]}),(0,r.jsx)(n.td,{children:"Customized flag for kube-proxy process"})]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"experimental",children:"Experimental"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsxs)(n.tbody,{children:[(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--rootless"})}),(0,r.jsx)(n.td,{children:"Run rootless"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--docker"})}),(0,r.jsx)(n.td,{children:"Use cri-dockerd instead of containerd"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--prefer-bundled-bin"})}),(0,r.jsx)(n.td,{children:"Prefer bundled userspace binaries over host binaries"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--disable-default-registry-endpoint"})}),(0,r.jsxs)(n.td,{children:['See "',(0,r.jsx)(n.a,{href:"/installation/private-registry#default-endpoint-fallback",children:"Default Endpoint Fallback"}),'"']})]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"deprecated",children:"Deprecated"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Environment Variable"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsxs)(n.tbody,{children:[(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--no-flannel"})}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsxs)(n.td,{children:["Use ",(0,r.jsx)(n.code,{children:"--flannel-backend=none"})]})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--cluster-secret"})," value"]}),(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_CLUSTER_SECRET"})}),(0,r.jsxs)(n.td,{children:["Use ",(0,r.jsx)(n.code,{children:"--token"})]})]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"node-labels-and-taints-for-agents",children:"Node Labels and Taints for Agents"}),"\n",(0,r.jsxs)(n.p,{children:["K3s agents can be configured with the options ",(0,r.jsx)(n.code,{children:"--node-label"})," and ",(0,r.jsx)(n.code,{children:"--node-taint"})," which adds a label and taint to the kubelet. The two options only add labels and/or taints at registration time, so they can only be added once and not changed after that again by running K3s commands."]}),"\n",(0,r.jsx)(n.p,{children:"Below is an example showing how to add labels and a taint:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:" --node-label foo=bar \\\n --node-label hello=world \\\n --node-taint key1=value1:NoExecute\n"})}),"\n",(0,r.jsxs)(n.p,{children:["If you want to change node labels and taints after node registration you should use ",(0,r.jsx)(n.code,{children:"kubectl"}),". Refer to the official Kubernetes documentation for details on how to add ",(0,r.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/",children:"taints"})," and ",(0,r.jsx)(n.a,{href:"https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/#add-a-label-to-a-node",children:"node labels."})]}),"\n",(0,r.jsx)(n.h3,{id:"k3s-agent-cli-help",children:"K3s Agent CLI Help"}),"\n",(0,r.jsxs)(n.blockquote,{children:["\n",(0,r.jsxs)(n.p,{children:["If an option appears in brackets below, for example ",(0,r.jsx)(n.code,{children:"[$K3S_URL]"}),", it means that the option can be passed in as an environment variable of that name."]}),"\n"]}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:'NAME:\n k3s agent - Run node agent\n\nUSAGE:\n k3s agent [OPTIONS]\n\nOPTIONS:\n --config FILE, -c FILE (config) Load configuration from FILE (default: "/etc/rancher/k3s/config.yaml") [$K3S_CONFIG_FILE]\n --debug (logging) Turn on debug logs [$K3S_DEBUG]\n -v value (logging) Number for the log level verbosity (default: 0)\n --vmodule value (logging) Comma-separated list of FILE_PATTERN=LOG_LEVEL settings for file-filtered logging\n --log value, -l value (logging) Log to file\n --alsologtostderr (logging) Log to standard error as well as file (if set)\n --token value, -t value (cluster) Token to use for authentication [$K3S_TOKEN]\n --token-file value (cluster) Token file to use for authentication [$K3S_TOKEN_FILE]\n --server value, -s value (cluster) Server to connect to [$K3S_URL]\n --data-dir value, -d value (agent/data) Folder to hold state (default: "/var/lib/rancher/k3s")\n --node-name value (agent/node) Node name [$K3S_NODE_NAME]\n --with-node-id (agent/node) Append id to node name\n --node-label value (agent/node) Registering and starting kubelet with set of labels\n --node-taint value (agent/node) Registering kubelet with set of taints\n --image-credential-provider-bin-dir value (agent/node) The path to the directory where credential provider plugin binaries are located (default: "/var/lib/rancher/credentialprovider/bin")\n --image-credential-provider-config value (agent/node) The path to the credential provider plugin config file (default: "/var/lib/rancher/credentialprovider/config.yaml")\n --selinux (agent/node) Enable SELinux in containerd [$K3S_SELINUX]\n --lb-server-port value (agent/node) Local port for supervisor client load-balancer. If the supervisor and apiserver are not colocated an additional port 1 less than this port will also be used for the apiserver client load-balancer. (default: 6444) [$K3S_LB_SERVER_PORT]\n --protect-kernel-defaults (agent/node) Kernel tuning behavior. If set, error if kernel tunables are different than kubelet defaults.\n --container-runtime-endpoint value (agent/runtime) Disable embedded containerd and use the CRI socket at the given path; when used with --docker this sets the docker socket path\n --pause-image value (agent/runtime) Customized pause image for containerd or docker sandbox (default: "rancher/mirrored-pause:3.6")\n --snapshotter value (agent/runtime) Override default containerd snapshotter (default: "overlayfs")\n --private-registry value (agent/runtime) Private registry configuration file (default: "/etc/rancher/k3s/registries.yaml")\n --node-ip value, -i value (agent/networking) IPv4/IPv6 addresses to advertise for node\n --node-external-ip value (agent/networking) IPv4/IPv6 external IP addresses to advertise for node\n --resolv-conf value (agent/networking) Kubelet resolv.conf file [$K3S_RESOLV_CONF]\n --flannel-iface value (agent/networking) Override default flannel interface\n --flannel-conf value (agent/networking) Override default flannel config file\n --flannel-cni-conf value (agent/networking) Override default flannel cni config file\n --kubelet-arg value (agent/flags) Customized flag for kubelet process\n --kube-proxy-arg value (agent/flags) Customized flag for kube-proxy process\n --rootless (experimental) Run rootless\n --prefer-bundled-bin (experimental) Prefer bundled userspace binaries over host binaries\n --docker (agent/runtime) (experimental) Use cri-dockerd instead of containerd\n'})})]})}function h(e={}){const{wrapper:n}={...(0,d.a)(),...e.components};return n?(0,r.jsx)(n,{...e,children:(0,r.jsx)(c,{...e})}):c(e)}},1151:(e,n,t)=>{t.d(n,{Z:()=>s,a:()=>i});var r=t(7294);const d={},l=r.createContext(d);function i(e){const n=r.useContext(l);return r.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function s(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(d):e.components||d:i(e.components),r.createElement(l.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/1e924268.5c7cbbc4.js b/assets/js/1e924268.5c7cbbc4.js new file mode 100644 index 000000000..1f809e2e7 --- /dev/null +++ b/assets/js/1e924268.5c7cbbc4.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[8614],{770:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>l,contentTitle:()=>a,default:()=>u,frontMatter:()=>o,metadata:()=>r,toc:()=>c});var i=t(5893),s=t(1151);const o={title:"Installation"},a=void 0,r={id:"installation/installation",title:"Installation",description:"This section contains instructions for installing K3s in various environments. Please ensure you have met the Requirements before you begin installing K3s.",source:"@site/docs/installation/installation.md",sourceDirName:"installation",slug:"/installation/",permalink:"/installation/",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/installation.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Installation"},sidebar:"mySidebar",previous:{title:"Quick-Start Guide",permalink:"/quick-start"},next:{title:"Requirements",permalink:"/installation/requirements"}},l={},c=[];function d(e){const n={a:"a",code:"code",p:"p",...(0,s.a)(),...e.components};return(0,i.jsxs)(i.Fragment,{children:[(0,i.jsxs)(n.p,{children:["This section contains instructions for installing K3s in various environments. Please ensure you have met the ",(0,i.jsx)(n.a,{href:"/installation/requirements",children:"Requirements"})," before you begin installing K3s."]}),"\n",(0,i.jsxs)(n.p,{children:[(0,i.jsx)(n.a,{href:"/installation/configuration",children:"Configuration Options"})," provides guidance on the options available to you when installing K3s."]}),"\n",(0,i.jsxs)(n.p,{children:[(0,i.jsx)(n.a,{href:"/installation/private-registry",children:"Private Registry Configuration"})," covers use of ",(0,i.jsx)(n.code,{children:"registries.yaml"})," to configure container image registry mirrors."]}),"\n",(0,i.jsxs)(n.p,{children:[(0,i.jsx)(n.a,{href:"/installation/registry-mirror",children:"Embedded Mirror"})," shows how to enable the embedded distributed image registry mirror."]}),"\n",(0,i.jsxs)(n.p,{children:[(0,i.jsx)(n.a,{href:"/installation/airgap",children:"Air-Gap Install"})," details how to set up K3s in environments that do not have direct access to the Internet."]}),"\n",(0,i.jsxs)(n.p,{children:[(0,i.jsx)(n.a,{href:"/installation/server-roles",children:"Managing Server Roles"})," details how to set up K3s with dedicated ",(0,i.jsx)(n.code,{children:"control-plane"})," or ",(0,i.jsx)(n.code,{children:"etcd"})," servers."]}),"\n",(0,i.jsxs)(n.p,{children:[(0,i.jsx)(n.a,{href:"/installation/packaged-components",children:"Managing Packaged Components"})," details how to disable packaged components, or install your own using auto-deploying manifests."]}),"\n",(0,i.jsxs)(n.p,{children:[(0,i.jsx)(n.a,{href:"/installation/uninstall",children:"Uninstalling K3s"})," details how to remove K3s from a host."]})]})}function u(e={}){const{wrapper:n}={...(0,s.a)(),...e.components};return n?(0,i.jsx)(n,{...e,children:(0,i.jsx)(d,{...e})}):d(e)}},1151:(e,n,t)=>{t.d(n,{Z:()=>r,a:()=>a});var i=t(7294);const s={},o=i.createContext(s);function a(e){const n=i.useContext(o);return i.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function r(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(s):e.components||s:a(e.components),i.createElement(o.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/1e924268.9b06e0c5.js b/assets/js/1e924268.9b06e0c5.js deleted file mode 100644 index d65eb82d5..000000000 --- a/assets/js/1e924268.9b06e0c5.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[8614],{770:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>l,contentTitle:()=>a,default:()=>u,frontMatter:()=>o,metadata:()=>r,toc:()=>c});var i=t(5893),s=t(1151);const o={title:"Installation"},a=void 0,r={id:"installation/installation",title:"Installation",description:"This section contains instructions for installing K3s in various environments. Please ensure you have met the Requirements before you begin installing K3s.",source:"@site/docs/installation/installation.md",sourceDirName:"installation",slug:"/installation/",permalink:"/installation/",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/installation.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Installation"},sidebar:"mySidebar",previous:{title:"Quick-Start Guide",permalink:"/quick-start"},next:{title:"Requirements",permalink:"/installation/requirements"}},l={},c=[];function d(e){const n={a:"a",code:"code",p:"p",...(0,s.a)(),...e.components};return(0,i.jsxs)(i.Fragment,{children:[(0,i.jsxs)(n.p,{children:["This section contains instructions for installing K3s in various environments. Please ensure you have met the ",(0,i.jsx)(n.a,{href:"/installation/requirements",children:"Requirements"})," before you begin installing K3s."]}),"\n",(0,i.jsxs)(n.p,{children:[(0,i.jsx)(n.a,{href:"/installation/configuration",children:"Configuration Options"})," provides guidance on the options available to you when installing K3s."]}),"\n",(0,i.jsxs)(n.p,{children:[(0,i.jsx)(n.a,{href:"/installation/private-registry",children:"Private Registry Configuration"})," covers use of ",(0,i.jsx)(n.code,{children:"registries.yaml"})," to configure container image registry mirrors."]}),"\n",(0,i.jsxs)(n.p,{children:[(0,i.jsx)(n.a,{href:"/installation/registry-mirror",children:"Embedded Mirror"})," shows how to enable the embedded distributed image registry mirror."]}),"\n",(0,i.jsxs)(n.p,{children:[(0,i.jsx)(n.a,{href:"/installation/airgap",children:"Air-Gap Install"})," details how to set up K3s in environments that do not have direct access to the Internet."]}),"\n",(0,i.jsxs)(n.p,{children:[(0,i.jsx)(n.a,{href:"/installation/server-roles",children:"Managing Server Roles"})," details how to set up K3s with dedicated ",(0,i.jsx)(n.code,{children:"control-plane"})," or ",(0,i.jsx)(n.code,{children:"etcd"})," servers."]}),"\n",(0,i.jsxs)(n.p,{children:[(0,i.jsx)(n.a,{href:"/installation/packaged-components",children:"Managing Packaged Components"})," details how to disable packaged components, or install your own using auto-deploying manifests."]}),"\n",(0,i.jsxs)(n.p,{children:[(0,i.jsx)(n.a,{href:"/installation/uninstall",children:"Uninstalling K3s"})," details how to remove K3s from a host."]})]})}function u(e={}){const{wrapper:n}={...(0,s.a)(),...e.components};return n?(0,i.jsx)(n,{...e,children:(0,i.jsx)(d,{...e})}):d(e)}},1151:(e,n,t)=>{t.d(n,{Z:()=>r,a:()=>a});var i=t(7294);const s={},o=i.createContext(s);function a(e){const n=i.useContext(o);return i.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function r(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(s):e.components||s:a(e.components),i.createElement(o.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/255.92d4592e.js b/assets/js/255.8724ba33.js similarity index 99% rename from assets/js/255.92d4592e.js rename to assets/js/255.8724ba33.js index db2964b89..b303b4f0a 100644 --- a/assets/js/255.92d4592e.js +++ b/assets/js/255.8724ba33.js @@ -1790,7 +1790,7 @@ function preorder(g, vs) { } // EXTERNAL MODULE: ./node_modules/dagre-d3-es/src/graphlib/graph.js + 9 modules -var graph = __webpack_require__(2544); +var graph = __webpack_require__(4404); ;// CONCATENATED MODULE: ./node_modules/dagre-d3-es/src/graphlib/alg/prim.js @@ -4353,7 +4353,7 @@ function canonicalize(attrs) { /***/ }), -/***/ 2544: +/***/ 4404: /***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => { @@ -5166,7 +5166,7 @@ function edgeObjToId(isDirected, edgeObj) { /* harmony export */ k: () => (/* reexport safe */ _graph_js__WEBPACK_IMPORTED_MODULE_0__.k) /* harmony export */ }); /* unused harmony export version */ -/* harmony import */ var _graph_js__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(2544); +/* harmony import */ var _graph_js__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(4404); // Includes only the "core" of graphlib @@ -5234,7 +5234,7 @@ function clone(value) { // EXTERNAL MODULE: ./node_modules/lodash-es/map.js var map = __webpack_require__(3836); // EXTERNAL MODULE: ./node_modules/dagre-d3-es/src/graphlib/graph.js + 9 modules -var graph = __webpack_require__(2544); +var graph = __webpack_require__(4404); ;// CONCATENATED MODULE: ./node_modules/dagre-d3-es/src/graphlib/json.js diff --git a/assets/js/2a65762c.063d138f.js b/assets/js/2a65762c.063d138f.js deleted file mode 100644 index c46762669..000000000 --- a/assets/js/2a65762c.063d138f.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[1430],{7084:(e,t,n)=>{n.r(t),n.d(t,{assets:()=>c,contentTitle:()=>o,default:()=>h,frontMatter:()=>i,metadata:()=>d,toc:()=>l});var s=n(5893),r=n(1151);const i={title:"token"},o="k3s token",d={id:"cli/token",title:"token",description:"K3s uses tokens to secure the node join process. Tokens authenticate the cluster to the joining node, and the node to the cluster.",source:"@site/docs/cli/token.md",sourceDirName:"cli",slug:"/cli/token",permalink:"/cli/token",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/cli/token.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"token"},sidebar:"mySidebar",previous:{title:"secrets-encrypt",permalink:"/cli/secrets-encrypt"},next:{title:"Architecture",permalink:"/architecture"}},c={},l=[{value:"Token Format",id:"token-format",level:2},{value:"Secure",id:"secure",level:3},{value:"TLS Bootstrapping",id:"tls-bootstrapping",level:4},{value:"Short",id:"short",level:3},{value:"Token Types",id:"token-types",level:2},{value:"Server",id:"server",level:3},{value:"Agent",id:"agent",level:3},{value:"Bootstrap",id:"bootstrap",level:3},{value:"k3s token",id:"k3s-token-1",level:2},{value:"k3s token create [token]",id:"k3s-token-create-token",level:4},{value:"k3s token delete",id:"k3s-token-delete",level:4},{value:"k3s token generate",id:"k3s-token-generate",level:4},{value:"k3s token list",id:"k3s-token-list",level:4},{value:"k3s token rotate",id:"k3s-token-rotate",level:4}];function a(e){const t={a:"a",admonition:"admonition",br:"br",code:"code",h1:"h1",h2:"h2",h3:"h3",h4:"h4",li:"li",ol:"ol",p:"p",pre:"pre",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,r.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(t.h1,{id:"k3s-token",children:"k3s token"}),"\n",(0,s.jsx)(t.p,{children:"K3s uses tokens to secure the node join process. Tokens authenticate the cluster to the joining node, and the node to the cluster."}),"\n",(0,s.jsx)(t.h2,{id:"token-format",children:"Token Format"}),"\n",(0,s.jsx)(t.p,{children:"K3s tokens can be specified in either secure or short format. The secure format is preferred, as it enables the client to authenticate the identity of the cluster it is joining, before sending credentials."}),"\n",(0,s.jsx)(t.h3,{id:"secure",children:"Secure"}),"\n",(0,s.jsx)(t.p,{children:'The secure token format (occasionally referred to as a "full" token) contains the following parts:'}),"\n",(0,s.jsx)(t.p,{children:(0,s.jsx)(t.code,{children:"::"})}),"\n",(0,s.jsxs)(t.ul,{children:["\n",(0,s.jsxs)(t.li,{children:[(0,s.jsx)(t.code,{children:"prefix"}),": a fixed ",(0,s.jsx)(t.code,{children:"K10"})," prefix that identifies the token format"]}),"\n",(0,s.jsxs)(t.li,{children:[(0,s.jsx)(t.code,{children:"cluster CA hash"}),": The hash of the cluster's server CA certificate, used to authenticate the server to the joining node.","\n",(0,s.jsxs)(t.ul,{children:["\n",(0,s.jsx)(t.li,{children:"For self-signed CA certificates, this is the SHA256 sum of the PEM-formatted certificate, as stored on disk."}),"\n",(0,s.jsx)(t.li,{children:"For custom CA certificates, this is the SHA256 sum of the DER encoding of the root certificate; commonly known as the certificate fingerprint."}),"\n"]}),"\n"]}),"\n",(0,s.jsxs)(t.li,{children:[(0,s.jsx)(t.code,{children:"credentials"}),": The username and password, or bearer token, used to authenticate the joining node to the cluster."]}),"\n"]}),"\n",(0,s.jsx)(t.h4,{id:"tls-bootstrapping",children:"TLS Bootstrapping"}),"\n",(0,s.jsx)(t.p,{children:"When a secure token is specified, the joining node performs the following steps to validate the identity of the server it has connected to, before transmitting credentials:"}),"\n",(0,s.jsxs)(t.ol,{children:["\n",(0,s.jsxs)(t.li,{children:["With TLS verification disabled, download the CA bundle from ",(0,s.jsx)(t.code,{children:"/cacerts"})," on the server it is joining."]}),"\n",(0,s.jsx)(t.li,{children:"Calculate the SHA256 hash of the CA certificate, as described above."}),"\n",(0,s.jsx)(t.li,{children:"Compare the calculated SHA256 hash to the hash from the token."}),"\n",(0,s.jsx)(t.li,{children:"If the hash matches, validate that the certificate presented by the server can be validated by the server's CA bundle."}),"\n",(0,s.jsx)(t.li,{children:"If the server certificate is valid, present credentials to join the cluster using either basic or bearer token authentication, depending on the token type."}),"\n"]}),"\n",(0,s.jsx)(t.h3,{id:"short",children:"Short"}),"\n",(0,s.jsx)(t.p,{children:"The short token format includes only the password or bearer token used to authenticate the joining node to the cluster."}),"\n",(0,s.jsxs)(t.p,{children:["If a short token is used, the joining node implicitly trusts the CA bundle presented by the server; steps 2-4 in the TLS Bootstrapping process are skipped. The initial connection may be vulnerable to ",(0,s.jsx)(t.a,{href:"https://en.wikipedia.org/wiki/Man-in-the-middle_attack",children:"man-in-the-middle"})," attack."]}),"\n",(0,s.jsx)(t.h2,{id:"token-types",children:"Token Types"}),"\n",(0,s.jsx)(t.p,{children:"K3s supports three types of tokens. Only the server token is available by default; additional token types must be configured or created by the administrator."}),"\n",(0,s.jsxs)(t.table,{children:[(0,s.jsx)(t.thead,{children:(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.th,{children:"Type"}),(0,s.jsx)(t.th,{children:"CLI Option"}),(0,s.jsx)(t.th,{children:"Environment Variable"})]})}),(0,s.jsxs)(t.tbody,{children:[(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"Server"}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"--token"})}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"K3S_TOKEN"})})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"Agent"}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"--agent-token"})}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"K3S_AGENT_TOKEN"})})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"Bootstrap"}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"n/a"})}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"n/a"})})]})]})]}),"\n",(0,s.jsx)(t.h3,{id:"server",children:"Server"}),"\n",(0,s.jsxs)(t.p,{children:["If no token is provided when starting the first server in the cluster, one is created with a random password. The server token is always written to ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/token"}),", in secure format."]}),"\n",(0,s.jsx)(t.p,{children:"The server token can be used to join both server and agent nodes to the cluster. It cannot be changed once the cluster has been created, and anyone with access to the server token essentially has full administrator access to the cluster. This token should be guarded carefully."}),"\n",(0,s.jsxs)(t.p,{children:["The server token is also used as the ",(0,s.jsx)(t.a,{href:"https://en.wikipedia.org/wiki/PBKDF2",children:"PBKDF2"})," passphrase for the key used to encrypt confidential information that is persisted to the datastore, such as the secrets-encryption configuration, wireguard keys, and private keys for cluster CA certificates and service-account tokens. For this reason, the token must be backed up alongside the cluster datastore itself."]}),"\n",(0,s.jsx)(t.admonition,{type:"warning",children:(0,s.jsx)(t.p,{children:"Unless custom CA certificates are in use, only the short (password-only) token format can be used when starting the first server in the cluster. This is because the cluster CA hash cannot be known until after the server has generated the self-signed cluster CA certificates."})}),"\n",(0,s.jsxs)(t.p,{children:["For more information on using custom CA certificates, see the ",(0,s.jsxs)(t.a,{href:"/cli/certificate",children:[(0,s.jsx)(t.code,{children:"k3s certificate"})," documentation"]}),".",(0,s.jsx)(t.br,{}),"\n","For more information on backing up your cluster, see the ",(0,s.jsx)(t.a,{href:"/datastore/backup-restore",children:"Backup and Restore"})," documentation."]}),"\n",(0,s.jsx)(t.h3,{id:"agent",children:"Agent"}),"\n",(0,s.jsx)(t.p,{children:"By default, the agent token is the same as the server token. The agent token can be set before or after the cluster has been started, by changing the CLI option or environment variable on all servers in the cluster. The agent token is similar to the server token in that is it statically configured, and does not expire."}),"\n",(0,s.jsxs)(t.p,{children:["The agent token is written to ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/agent-token"}),", in secure format. If no agent token is specified, this file is a link to the server token."]}),"\n",(0,s.jsx)(t.h3,{id:"bootstrap",children:"Bootstrap"}),"\n",(0,s.jsx)(t.admonition,{title:"Version Gate",type:"info",children:(0,s.jsxs)(t.p,{children:["Support for the ",(0,s.jsx)(t.code,{children:"k3s token"})," command and the ability to join nodes with bootstrap tokens is available starting with the 2023-02 releases (v1.26.2+k3s1, v1.25.7+k3s1, v1.24.11+k3s1, v1.23.17+k3s1)."]})}),"\n",(0,s.jsx)(t.p,{children:"K3s supports dynamically generated, automatically expiring agent bootstrap tokens. Bootstrap tokens can only be used to join agents."}),"\n",(0,s.jsx)(t.h2,{id:"k3s-token-1",children:"k3s token"}),"\n",(0,s.jsxs)(t.p,{children:["K3s bootstrap tokens use the same generation and validation code as ",(0,s.jsx)(t.code,{children:"kubeadm token"})," bootstrap tokens, and the ",(0,s.jsx)(t.code,{children:"k3s token"})," CLI is similar."]}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{children:"NAME:\n k3s token - Manage bootstrap tokens\n\nUSAGE:\n k3s token command [command options] [arguments...]\n\nCOMMANDS:\n create Create bootstrap tokens on the server\n delete Delete bootstrap tokens on the server\n generate Generate and print a bootstrap token, but do not create it on the server\n list List bootstrap tokens on the server\n rotate Rotate original server token with a new bootstrap token\n\nOPTIONS:\n --help, -h show help\n"})}),"\n",(0,s.jsx)(t.h4,{id:"k3s-token-create-token",children:(0,s.jsx)(t.code,{children:"k3s token create [token]"})}),"\n",(0,s.jsxs)(t.p,{children:["Create a new token. The ",(0,s.jsx)(t.code,{children:"[token]"})," is the actual token to write, as generated by ",(0,s.jsx)(t.code,{children:"k3s token generate"}),". If no token is given, a random one will be generated."]}),"\n",(0,s.jsx)(t.p,{children:"A token in secure format, including the cluster CA hash, will be written to stdout. The output of this command should be saved, as the secret portion of the token cannot be shown again."}),"\n",(0,s.jsxs)(t.table,{children:[(0,s.jsx)(t.thead,{children:(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.th,{children:"Flag"}),(0,s.jsx)(t.th,{children:"Description"})]})}),(0,s.jsxs)(t.tbody,{children:[(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--data-dir"})," value"]}),(0,s.jsx)(t.td,{children:"Folder to hold state (default: /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root)"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--kubeconfig"})," value"]}),(0,s.jsx)(t.td,{children:"Server to connect to [$KUBECONFIG]"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--description"})," value"]}),(0,s.jsx)(t.td,{children:"A human friendly description of how this token is used"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--groups"})," value"]}),(0,s.jsxs)(t.td,{children:['Extra groups that this token will authenticate as when used for authentication. (default: Default: "system:bootstrappers:k3s',":default-node-token",'")']})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--ttl"})," value"]}),(0,s.jsx)(t.td,{children:"The duration before the token is automatically deleted (e.g. 1s, 2m, 3h). If set to '0', the token will never expire (default: 24h0m0s)"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--usages"})," value"]}),(0,s.jsx)(t.td,{children:'Describes the ways in which this token can be used. (default: "signing,authentication")'})]})]})]}),"\n",(0,s.jsx)(t.h4,{id:"k3s-token-delete",children:(0,s.jsx)(t.code,{children:"k3s token delete"})}),"\n",(0,s.jsx)(t.p,{children:"Delete one or more tokens. The full token can be provided, or just the token ID."}),"\n",(0,s.jsxs)(t.table,{children:[(0,s.jsx)(t.thead,{children:(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.th,{children:"Flag"}),(0,s.jsx)(t.th,{children:"Description"})]})}),(0,s.jsxs)(t.tbody,{children:[(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--data-dir"})," value"]}),(0,s.jsx)(t.td,{children:"Folder to hold state (default: /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root)"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--kubeconfig"})," value"]}),(0,s.jsx)(t.td,{children:"Server to connect to [$KUBECONFIG]"})]})]})]}),"\n",(0,s.jsx)(t.h4,{id:"k3s-token-generate",children:(0,s.jsx)(t.code,{children:"k3s token generate"})}),"\n",(0,s.jsx)(t.p,{children:"Generate a randomly-generated bootstrap token."}),"\n",(0,s.jsxs)(t.p,{children:["You don't have to use this command in order to generate a token. You can do so yourself as long as it is in the format \"[a-z0-9]",6,".[a-z0-9]",16,'", where the first portion is the token ID, and the second portion is the secret.']}),"\n",(0,s.jsxs)(t.table,{children:[(0,s.jsx)(t.thead,{children:(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.th,{children:"Flag"}),(0,s.jsx)(t.th,{children:"Description"})]})}),(0,s.jsxs)(t.tbody,{children:[(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--data-dir"})," value"]}),(0,s.jsx)(t.td,{children:"Folder to hold state (default: /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root)"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--kubeconfig"})," value"]}),(0,s.jsx)(t.td,{children:"Server to connect to [$KUBECONFIG]"})]})]})]}),"\n",(0,s.jsx)(t.h4,{id:"k3s-token-list",children:(0,s.jsx)(t.code,{children:"k3s token list"})}),"\n",(0,s.jsx)(t.p,{children:"List bootstrap tokens, showing their ID, description, and remaining time-to-live."}),"\n",(0,s.jsxs)(t.table,{children:[(0,s.jsx)(t.thead,{children:(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.th,{children:"Flag"}),(0,s.jsx)(t.th,{children:"Description"})]})}),(0,s.jsxs)(t.tbody,{children:[(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--data-dir"})," value"]}),(0,s.jsx)(t.td,{children:"Folder to hold state (default: /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root)"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--kubeconfig"})," value"]}),(0,s.jsx)(t.td,{children:"Server to connect to [$KUBECONFIG]"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--output"})," value"]}),(0,s.jsx)(t.td,{children:'Output format. Valid options: text, json (default: "text")'})]})]})]}),"\n",(0,s.jsx)(t.h4,{id:"k3s-token-rotate",children:(0,s.jsx)(t.code,{children:"k3s token rotate"})}),"\n",(0,s.jsx)(t.admonition,{title:"Version Gate",type:"info",children:(0,s.jsx)(t.p,{children:"Available as of 2023-10 releases (v1.28.2+k3s1, v1.27.7+k3s1, v1.26.10+k3s1, v1.25.15+k3s1)."})}),"\n",(0,s.jsx)(t.p,{children:"Rotate original server token with a new bootstrap token. After running this command, all servers and any agents that originally joined with the old token must be restarted with the new token."}),"\n",(0,s.jsx)(t.p,{children:"If you do not specify a new token, one will be generated for you."}),"\n",(0,s.jsxs)(t.table,{children:[(0,s.jsx)(t.thead,{children:(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.th,{children:"Flag"}),(0,s.jsx)(t.th,{children:"Description"})]})}),(0,s.jsxs)(t.tbody,{children:[(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--data-dir"})," value"]}),(0,s.jsx)(t.td,{children:"Folder to hold state (default: /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root)"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--kubeconfig"})," value"]}),(0,s.jsx)(t.td,{children:"Server to connect to [$KUBECONFIG]"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--server"})," value"]}),(0,s.jsxs)(t.td,{children:['Server to connect to (default: "',(0,s.jsx)(t.a,{href:"https://127.0.0.1:6443",children:"https://127.0.0.1:6443"}),'") [$K3S_URL]']})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--token"})," value"]}),(0,s.jsx)(t.td,{children:"Existing token used to join a server or agent to a cluster [$K3S_TOKEN]"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--new-token"})," value"]}),(0,s.jsx)(t.td,{children:"New token that replaces existing token"})]})]})]})]})}function h(e={}){const{wrapper:t}={...(0,r.a)(),...e.components};return t?(0,s.jsx)(t,{...e,children:(0,s.jsx)(a,{...e})}):a(e)}},1151:(e,t,n)=>{n.d(t,{Z:()=>d,a:()=>o});var s=n(7294);const r={},i=s.createContext(r);function o(e){const t=s.useContext(i);return s.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function d(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:o(e.components),s.createElement(i.Provider,{value:t},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/2a65762c.f89b4e81.js b/assets/js/2a65762c.f89b4e81.js new file mode 100644 index 000000000..2b94de496 --- /dev/null +++ b/assets/js/2a65762c.f89b4e81.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[1430],{7084:(e,t,n)=>{n.r(t),n.d(t,{assets:()=>c,contentTitle:()=>o,default:()=>h,frontMatter:()=>i,metadata:()=>d,toc:()=>l});var s=n(5893),r=n(1151);const i={title:"token"},o="k3s token",d={id:"cli/token",title:"token",description:"K3s uses tokens to secure the node join process. Tokens authenticate the cluster to the joining node, and the node to the cluster.",source:"@site/docs/cli/token.md",sourceDirName:"cli",slug:"/cli/token",permalink:"/cli/token",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/cli/token.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"token"},sidebar:"mySidebar",previous:{title:"secrets-encrypt",permalink:"/cli/secrets-encrypt"},next:{title:"Architecture",permalink:"/architecture"}},c={},l=[{value:"Token Format",id:"token-format",level:2},{value:"Secure",id:"secure",level:3},{value:"TLS Bootstrapping",id:"tls-bootstrapping",level:4},{value:"Short",id:"short",level:3},{value:"Token Types",id:"token-types",level:2},{value:"Server",id:"server",level:3},{value:"Agent",id:"agent",level:3},{value:"Bootstrap",id:"bootstrap",level:3},{value:"k3s token",id:"k3s-token-1",level:2},{value:"k3s token create [token]",id:"k3s-token-create-token",level:4},{value:"k3s token delete",id:"k3s-token-delete",level:4},{value:"k3s token generate",id:"k3s-token-generate",level:4},{value:"k3s token list",id:"k3s-token-list",level:4},{value:"k3s token rotate",id:"k3s-token-rotate",level:4}];function a(e){const t={a:"a",admonition:"admonition",br:"br",code:"code",h1:"h1",h2:"h2",h3:"h3",h4:"h4",header:"header",li:"li",ol:"ol",p:"p",pre:"pre",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,r.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(t.header,{children:(0,s.jsx)(t.h1,{id:"k3s-token",children:"k3s token"})}),"\n",(0,s.jsx)(t.p,{children:"K3s uses tokens to secure the node join process. Tokens authenticate the cluster to the joining node, and the node to the cluster."}),"\n",(0,s.jsx)(t.h2,{id:"token-format",children:"Token Format"}),"\n",(0,s.jsx)(t.p,{children:"K3s tokens can be specified in either secure or short format. The secure format is preferred, as it enables the client to authenticate the identity of the cluster it is joining, before sending credentials."}),"\n",(0,s.jsx)(t.h3,{id:"secure",children:"Secure"}),"\n",(0,s.jsx)(t.p,{children:'The secure token format (occasionally referred to as a "full" token) contains the following parts:'}),"\n",(0,s.jsx)(t.p,{children:(0,s.jsx)(t.code,{children:"::"})}),"\n",(0,s.jsxs)(t.ul,{children:["\n",(0,s.jsxs)(t.li,{children:[(0,s.jsx)(t.code,{children:"prefix"}),": a fixed ",(0,s.jsx)(t.code,{children:"K10"})," prefix that identifies the token format"]}),"\n",(0,s.jsxs)(t.li,{children:[(0,s.jsx)(t.code,{children:"cluster CA hash"}),": The hash of the cluster's server CA certificate, used to authenticate the server to the joining node.","\n",(0,s.jsxs)(t.ul,{children:["\n",(0,s.jsx)(t.li,{children:"For self-signed CA certificates, this is the SHA256 sum of the PEM-formatted certificate, as stored on disk."}),"\n",(0,s.jsx)(t.li,{children:"For custom CA certificates, this is the SHA256 sum of the DER encoding of the root certificate; commonly known as the certificate fingerprint."}),"\n"]}),"\n"]}),"\n",(0,s.jsxs)(t.li,{children:[(0,s.jsx)(t.code,{children:"credentials"}),": The username and password, or bearer token, used to authenticate the joining node to the cluster."]}),"\n"]}),"\n",(0,s.jsx)(t.h4,{id:"tls-bootstrapping",children:"TLS Bootstrapping"}),"\n",(0,s.jsx)(t.p,{children:"When a secure token is specified, the joining node performs the following steps to validate the identity of the server it has connected to, before transmitting credentials:"}),"\n",(0,s.jsxs)(t.ol,{children:["\n",(0,s.jsxs)(t.li,{children:["With TLS verification disabled, download the CA bundle from ",(0,s.jsx)(t.code,{children:"/cacerts"})," on the server it is joining."]}),"\n",(0,s.jsx)(t.li,{children:"Calculate the SHA256 hash of the CA certificate, as described above."}),"\n",(0,s.jsx)(t.li,{children:"Compare the calculated SHA256 hash to the hash from the token."}),"\n",(0,s.jsx)(t.li,{children:"If the hash matches, validate that the certificate presented by the server can be validated by the server's CA bundle."}),"\n",(0,s.jsx)(t.li,{children:"If the server certificate is valid, present credentials to join the cluster using either basic or bearer token authentication, depending on the token type."}),"\n"]}),"\n",(0,s.jsx)(t.h3,{id:"short",children:"Short"}),"\n",(0,s.jsx)(t.p,{children:"The short token format includes only the password or bearer token used to authenticate the joining node to the cluster."}),"\n",(0,s.jsxs)(t.p,{children:["If a short token is used, the joining node implicitly trusts the CA bundle presented by the server; steps 2-4 in the TLS Bootstrapping process are skipped. The initial connection may be vulnerable to ",(0,s.jsx)(t.a,{href:"https://en.wikipedia.org/wiki/Man-in-the-middle_attack",children:"man-in-the-middle"})," attack."]}),"\n",(0,s.jsx)(t.h2,{id:"token-types",children:"Token Types"}),"\n",(0,s.jsx)(t.p,{children:"K3s supports three types of tokens. Only the server token is available by default; additional token types must be configured or created by the administrator."}),"\n",(0,s.jsxs)(t.table,{children:[(0,s.jsx)(t.thead,{children:(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.th,{children:"Type"}),(0,s.jsx)(t.th,{children:"CLI Option"}),(0,s.jsx)(t.th,{children:"Environment Variable"})]})}),(0,s.jsxs)(t.tbody,{children:[(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"Server"}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"--token"})}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"K3S_TOKEN"})})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"Agent"}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"--agent-token"})}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"K3S_AGENT_TOKEN"})})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"Bootstrap"}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"n/a"})}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"n/a"})})]})]})]}),"\n",(0,s.jsx)(t.h3,{id:"server",children:"Server"}),"\n",(0,s.jsxs)(t.p,{children:["If no token is provided when starting the first server in the cluster, one is created with a random password. The server token is always written to ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/token"}),", in secure format."]}),"\n",(0,s.jsx)(t.p,{children:"The server token can be used to join both server and agent nodes to the cluster. It cannot be changed once the cluster has been created, and anyone with access to the server token essentially has full administrator access to the cluster. This token should be guarded carefully."}),"\n",(0,s.jsxs)(t.p,{children:["The server token is also used as the ",(0,s.jsx)(t.a,{href:"https://en.wikipedia.org/wiki/PBKDF2",children:"PBKDF2"})," passphrase for the key used to encrypt confidential information that is persisted to the datastore, such as the secrets-encryption configuration, wireguard keys, and private keys for cluster CA certificates and service-account tokens. For this reason, the token must be backed up alongside the cluster datastore itself."]}),"\n",(0,s.jsx)(t.admonition,{type:"warning",children:(0,s.jsx)(t.p,{children:"Unless custom CA certificates are in use, only the short (password-only) token format can be used when starting the first server in the cluster. This is because the cluster CA hash cannot be known until after the server has generated the self-signed cluster CA certificates."})}),"\n",(0,s.jsxs)(t.p,{children:["For more information on using custom CA certificates, see the ",(0,s.jsxs)(t.a,{href:"/cli/certificate",children:[(0,s.jsx)(t.code,{children:"k3s certificate"})," documentation"]}),".",(0,s.jsx)(t.br,{}),"\n","For more information on backing up your cluster, see the ",(0,s.jsx)(t.a,{href:"/datastore/backup-restore",children:"Backup and Restore"})," documentation."]}),"\n",(0,s.jsx)(t.h3,{id:"agent",children:"Agent"}),"\n",(0,s.jsx)(t.p,{children:"By default, the agent token is the same as the server token. The agent token can be set before or after the cluster has been started, by changing the CLI option or environment variable on all servers in the cluster. The agent token is similar to the server token in that is it statically configured, and does not expire."}),"\n",(0,s.jsxs)(t.p,{children:["The agent token is written to ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/agent-token"}),", in secure format. If no agent token is specified, this file is a link to the server token."]}),"\n",(0,s.jsx)(t.h3,{id:"bootstrap",children:"Bootstrap"}),"\n",(0,s.jsx)(t.admonition,{title:"Version Gate",type:"info",children:(0,s.jsxs)(t.p,{children:["Support for the ",(0,s.jsx)(t.code,{children:"k3s token"})," command and the ability to join nodes with bootstrap tokens is available starting with the 2023-02 releases (v1.26.2+k3s1, v1.25.7+k3s1, v1.24.11+k3s1, v1.23.17+k3s1)."]})}),"\n",(0,s.jsx)(t.p,{children:"K3s supports dynamically generated, automatically expiring agent bootstrap tokens. Bootstrap tokens can only be used to join agents."}),"\n",(0,s.jsx)(t.h2,{id:"k3s-token-1",children:"k3s token"}),"\n",(0,s.jsxs)(t.p,{children:["K3s bootstrap tokens use the same generation and validation code as ",(0,s.jsx)(t.code,{children:"kubeadm token"})," bootstrap tokens, and the ",(0,s.jsx)(t.code,{children:"k3s token"})," CLI is similar."]}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{children:"NAME:\n k3s token - Manage bootstrap tokens\n\nUSAGE:\n k3s token command [command options] [arguments...]\n\nCOMMANDS:\n create Create bootstrap tokens on the server\n delete Delete bootstrap tokens on the server\n generate Generate and print a bootstrap token, but do not create it on the server\n list List bootstrap tokens on the server\n rotate Rotate original server token with a new bootstrap token\n\nOPTIONS:\n --help, -h show help\n"})}),"\n",(0,s.jsx)(t.h4,{id:"k3s-token-create-token",children:(0,s.jsx)(t.code,{children:"k3s token create [token]"})}),"\n",(0,s.jsxs)(t.p,{children:["Create a new token. The ",(0,s.jsx)(t.code,{children:"[token]"})," is the actual token to write, as generated by ",(0,s.jsx)(t.code,{children:"k3s token generate"}),". If no token is given, a random one will be generated."]}),"\n",(0,s.jsx)(t.p,{children:"A token in secure format, including the cluster CA hash, will be written to stdout. The output of this command should be saved, as the secret portion of the token cannot be shown again."}),"\n",(0,s.jsxs)(t.table,{children:[(0,s.jsx)(t.thead,{children:(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.th,{children:"Flag"}),(0,s.jsx)(t.th,{children:"Description"})]})}),(0,s.jsxs)(t.tbody,{children:[(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--data-dir"})," value"]}),(0,s.jsx)(t.td,{children:"Folder to hold state (default: /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root)"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--kubeconfig"})," value"]}),(0,s.jsx)(t.td,{children:"Server to connect to [$KUBECONFIG]"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--description"})," value"]}),(0,s.jsx)(t.td,{children:"A human friendly description of how this token is used"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--groups"})," value"]}),(0,s.jsxs)(t.td,{children:['Extra groups that this token will authenticate as when used for authentication. (default: Default: "system:bootstrappers:k3s',":default-node-token",'")']})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--ttl"})," value"]}),(0,s.jsx)(t.td,{children:"The duration before the token is automatically deleted (e.g. 1s, 2m, 3h). If set to '0', the token will never expire (default: 24h0m0s)"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--usages"})," value"]}),(0,s.jsx)(t.td,{children:'Describes the ways in which this token can be used. (default: "signing,authentication")'})]})]})]}),"\n",(0,s.jsx)(t.h4,{id:"k3s-token-delete",children:(0,s.jsx)(t.code,{children:"k3s token delete"})}),"\n",(0,s.jsx)(t.p,{children:"Delete one or more tokens. The full token can be provided, or just the token ID."}),"\n",(0,s.jsxs)(t.table,{children:[(0,s.jsx)(t.thead,{children:(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.th,{children:"Flag"}),(0,s.jsx)(t.th,{children:"Description"})]})}),(0,s.jsxs)(t.tbody,{children:[(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--data-dir"})," value"]}),(0,s.jsx)(t.td,{children:"Folder to hold state (default: /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root)"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--kubeconfig"})," value"]}),(0,s.jsx)(t.td,{children:"Server to connect to [$KUBECONFIG]"})]})]})]}),"\n",(0,s.jsx)(t.h4,{id:"k3s-token-generate",children:(0,s.jsx)(t.code,{children:"k3s token generate"})}),"\n",(0,s.jsx)(t.p,{children:"Generate a randomly-generated bootstrap token."}),"\n",(0,s.jsxs)(t.p,{children:["You don't have to use this command in order to generate a token. You can do so yourself as long as it is in the format \"[a-z0-9]",6,".[a-z0-9]",16,'", where the first portion is the token ID, and the second portion is the secret.']}),"\n",(0,s.jsxs)(t.table,{children:[(0,s.jsx)(t.thead,{children:(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.th,{children:"Flag"}),(0,s.jsx)(t.th,{children:"Description"})]})}),(0,s.jsxs)(t.tbody,{children:[(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--data-dir"})," value"]}),(0,s.jsx)(t.td,{children:"Folder to hold state (default: /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root)"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--kubeconfig"})," value"]}),(0,s.jsx)(t.td,{children:"Server to connect to [$KUBECONFIG]"})]})]})]}),"\n",(0,s.jsx)(t.h4,{id:"k3s-token-list",children:(0,s.jsx)(t.code,{children:"k3s token list"})}),"\n",(0,s.jsx)(t.p,{children:"List bootstrap tokens, showing their ID, description, and remaining time-to-live."}),"\n",(0,s.jsxs)(t.table,{children:[(0,s.jsx)(t.thead,{children:(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.th,{children:"Flag"}),(0,s.jsx)(t.th,{children:"Description"})]})}),(0,s.jsxs)(t.tbody,{children:[(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--data-dir"})," value"]}),(0,s.jsx)(t.td,{children:"Folder to hold state (default: /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root)"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--kubeconfig"})," value"]}),(0,s.jsx)(t.td,{children:"Server to connect to [$KUBECONFIG]"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--output"})," value"]}),(0,s.jsx)(t.td,{children:'Output format. Valid options: text, json (default: "text")'})]})]})]}),"\n",(0,s.jsx)(t.h4,{id:"k3s-token-rotate",children:(0,s.jsx)(t.code,{children:"k3s token rotate"})}),"\n",(0,s.jsx)(t.admonition,{title:"Version Gate",type:"info",children:(0,s.jsx)(t.p,{children:"Available as of 2023-10 releases (v1.28.2+k3s1, v1.27.7+k3s1, v1.26.10+k3s1, v1.25.15+k3s1)."})}),"\n",(0,s.jsx)(t.p,{children:"Rotate original server token with a new bootstrap token. After running this command, all servers and any agents that originally joined with the old token must be restarted with the new token."}),"\n",(0,s.jsx)(t.p,{children:"If you do not specify a new token, one will be generated for you."}),"\n",(0,s.jsxs)(t.table,{children:[(0,s.jsx)(t.thead,{children:(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.th,{children:"Flag"}),(0,s.jsx)(t.th,{children:"Description"})]})}),(0,s.jsxs)(t.tbody,{children:[(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--data-dir"})," value"]}),(0,s.jsx)(t.td,{children:"Folder to hold state (default: /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root)"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--kubeconfig"})," value"]}),(0,s.jsx)(t.td,{children:"Server to connect to [$KUBECONFIG]"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--server"})," value"]}),(0,s.jsxs)(t.td,{children:['Server to connect to (default: "',(0,s.jsx)(t.a,{href:"https://127.0.0.1:6443",children:"https://127.0.0.1:6443"}),'") [$K3S_URL]']})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--token"})," value"]}),(0,s.jsx)(t.td,{children:"Existing token used to join a server or agent to a cluster [$K3S_TOKEN]"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--new-token"})," value"]}),(0,s.jsx)(t.td,{children:"New token that replaces existing token"})]})]})]})]})}function h(e={}){const{wrapper:t}={...(0,r.a)(),...e.components};return t?(0,s.jsx)(t,{...e,children:(0,s.jsx)(a,{...e})}):a(e)}},1151:(e,t,n)=>{n.d(t,{Z:()=>d,a:()=>o});var s=n(7294);const r={},i=s.createContext(r);function o(e){const t=s.useContext(i);return s.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function d(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:o(e.components),s.createElement(i.Provider,{value:t},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/2f797aa4.39029747.js b/assets/js/2f797aa4.39029747.js new file mode 100644 index 000000000..d582cb2fd --- /dev/null +++ b/assets/js/2f797aa4.39029747.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[101],{3989:(e,s,i)=>{i.r(s),i.d(s,{assets:()=>c,contentTitle:()=>l,default:()=>o,frontMatter:()=>n,metadata:()=>h,toc:()=>d});var r=i(5893),t=i(1151);const n={hide_table_of_contents:!0,sidebar_position:3},l="v1.28.X",h={id:"release-notes/v1.28.X",title:"v1.28.X",description:"Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.",source:"@site/docs/release-notes/v1.28.X.md",sourceDirName:"release-notes",slug:"/release-notes/v1.28.X",permalink:"/release-notes/v1.28.X",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/release-notes/v1.28.X.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,sidebarPosition:3,frontMatter:{hide_table_of_contents:!0,sidebar_position:3},sidebar:"mySidebar",previous:{title:"v1.29.X",permalink:"/release-notes/v1.29.X"},next:{title:"v1.27.X",permalink:"/release-notes/v1.27.X"}},c={},d=[{value:"Release v1.28.12+k3s1",id:"release-v12812k3s1",level:2},{value:"Changes since v1.28.11+k3s2:",id:"changes-since-v12811k3s2",level:3},{value:"Release v1.28.11+k3s2",id:"release-v12811k3s2",level:2},{value:"Changes since v1.28.11+k3s1:",id:"changes-since-v12811k3s1",level:3},{value:"Release v1.28.11+k3s1",id:"release-v12811k3s1",level:2},{value:"Changes since v1.28.10+k3s1:",id:"changes-since-v12810k3s1",level:3},{value:"Release v1.28.10+k3s1",id:"release-v12810k3s1",level:2},{value:"Changes since v1.28.9+k3s1:",id:"changes-since-v1289k3s1",level:3},{value:"Release v1.28.9+k3s1",id:"release-v1289k3s1",level:2},{value:"Changes since v1.28.8+k3s1:",id:"changes-since-v1288k3s1",level:3},{value:"Release v1.28.8+k3s1",id:"release-v1288k3s1",level:2},{value:"Changes since v1.28.7+k3s1:",id:"changes-since-v1287k3s1",level:3},{value:"Release v1.28.7+k3s1",id:"release-v1287k3s1",level:2},{value:"Changes since v1.28.6+k3s2:",id:"changes-since-v1286k3s2",level:3},{value:"Release v1.28.6+k3s2",id:"release-v1286k3s2",level:2},{value:"Changes since v1.28.5+k3s1:",id:"changes-since-v1285k3s1",level:3},{value:"Release v1.28.5+k3s1",id:"release-v1285k3s1",level:2},{value:"Changes since v1.28.4+k3s1:",id:"changes-since-v1284k3s1",level:3},{value:"Release v1.28.4+k3s2",id:"release-v1284k3s2",level:2},{value:"Changes since v1.28.3+k3s2:",id:"changes-since-v1283k3s2",level:3},{value:"Release v1.28.3+k3s2",id:"release-v1283k3s2",level:2},{value:"Changes since v1.28.3+k3s1:",id:"changes-since-v1283k3s1",level:3},{value:"Release v1.28.3+k3s1",id:"release-v1283k3s1",level:2},{value:"Changes since v1.28.2+k3s1:",id:"changes-since-v1282k3s1",level:3},{value:"Release v1.28.2+k3s1",id:"release-v1282k3s1",level:2},{value:"Changes since v1.28.1+k3s1:",id:"changes-since-v1281k3s1",level:3},{value:"Release v1.28.1+k3s1",id:"release-v1281k3s1",level:2},{value:"Changes since v1.27.5+k3s1:",id:"changes-since-v1275k3s1",level:3}];function a(e){const s={a:"a",admonition:"admonition",code:"code",h1:"h1",h2:"h2",h3:"h3",header:"header",hr:"hr",li:"li",p:"p",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,t.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(s.header,{children:(0,r.jsx)(s.h1,{id:"v128x",children:"v1.28.X"})}),"\n",(0,r.jsx)(s.admonition,{title:"Upgrade Notice",type:"warning",children:(0,r.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]})}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Version"}),(0,r.jsx)(s.th,{children:"Release date"}),(0,r.jsx)(s.th,{children:"Kubernetes"}),(0,r.jsx)(s.th,{children:"Kine"}),(0,r.jsx)(s.th,{children:"SQLite"}),(0,r.jsx)(s.th,{children:"Etcd"}),(0,r.jsx)(s.th,{children:"Containerd"}),(0,r.jsx)(s.th,{children:"Runc"}),(0,r.jsx)(s.th,{children:"Flannel"}),(0,r.jsx)(s.th,{children:"Metrics-server"}),(0,r.jsx)(s.th,{children:"Traefik"}),(0,r.jsx)(s.th,{children:"CoreDNS"}),(0,r.jsx)(s.th,{children:"Helm-controller"}),(0,r.jsx)(s.th,{children:"Local-path-provisioner"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v12812k3s1",children:"v1.28.12+k3s1"})}),(0,r.jsx)(s.td,{children:"Jul 31 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v12812",children:"v1.28.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.11",children:"v0.11.11"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1.28",children:"v1.7.17-k3s1.28"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.4",children:"v0.25.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.10",children:"v0.15.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.28",children:"v0.0.28"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v12811k3s2",children:"v1.28.11+k3s2"})}),(0,r.jsx)(s.td,{children:"Jul 03 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v12811",children:"v1.28.11"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.9",children:"v0.11.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1.28",children:"v1.7.17-k3s1.28"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.4",children:"v0.25.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.10",children:"v0.15.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.27",children:"v0.0.27"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v12811k3s1",children:"v1.28.11+k3s1"})}),(0,r.jsx)(s.td,{children:"Jun 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v12811",children:"v1.28.11"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.9",children:"v0.11.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1.28",children:"v1.7.17-k3s1.28"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.2",children:"v0.25.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.10",children:"v0.15.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.27",children:"v0.0.27"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v12810k3s1",children:"v1.28.10+k3s1"})}),(0,r.jsx)(s.td,{children:"May 22 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v12810",children:"v1.28.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.7",children:"v0.11.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.15-k3s1",children:"v1.7.15-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v1289k3s1",children:"v1.28.9+k3s1"})}),(0,r.jsx)(s.td,{children:"Apr 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1289",children:"v1.28.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.7",children:"v0.11.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.15-k3s1",children:"v1.7.15-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v1288k3s1",children:"v1.28.8+k3s1"})}),(0,r.jsx)(s.td,{children:"Mar 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1288",children:"v1.28.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.4",children:"v0.11.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2",children:"v1.7.11-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v1287k3s1",children:"v1.28.7+k3s1"})}),(0,r.jsx)(s.td,{children:"Feb 29 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1287",children:"v1.28.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.4",children:"v0.11.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2",children:"v1.7.11-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.8",children:"v0.15.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v1286k3s2",children:"v1.28.6+k3s2"})}),(0,r.jsx)(s.td,{children:"Feb 06 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1286",children:"v1.28.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2",children:"v1.7.11-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.8",children:"v0.15.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v1285k3s1",children:"v1.28.5+k3s1"})}),(0,r.jsx)(s.td,{children:"Dec 27 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1285",children:"v1.28.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2",children:"v1.7.11-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.10",children:"v1.1.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v1284k3s2",children:"v1.28.4+k3s2"})}),(0,r.jsx)(s.td,{children:"Dec 06 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1284",children:"v1.28.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1",children:"v1.7.7-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v1283k3s2",children:"v1.28.3+k3s2"})}),(0,r.jsx)(s.td,{children:"Nov 08 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1283",children:"v1.28.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1",children:"v1.7.7-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v1283k3s1",children:"v1.28.3+k3s1"})}),(0,r.jsx)(s.td,{children:"Oct 30 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1283",children:"v1.28.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1",children:"v1.7.7-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v1282k3s1",children:"v1.28.2+k3s1"})}),(0,r.jsx)(s.td,{children:"Sep 20 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1282",children:"v1.28.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.6-k3s1",children:"v1.7.6-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v1281k3s1",children:"v1.28.1+k3s1"})}),(0,r.jsx)(s.td,{children:"Sep 08 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1281",children:"v1.28.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.3-k3s2",children:"v1.7.3-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]})]})]}),"\n",(0,r.jsx)("br",{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12812k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.12+k3s1",children:"v1.28.12+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.12, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v12811",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12811k3s2",children:"Changes since v1.28.11+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-07 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10499",children:"(#10499)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump k3s-root to v0.14.0"}),"\n",(0,r.jsx)(s.li,{children:"Bump github.com/hashicorp/go-retryablehttp from 0.7.4 to 0.7.7"}),"\n",(0,r.jsx)(s.li,{children:"Bump Local Path Provisioner version"}),"\n",(0,r.jsx)(s.li,{children:"Ensure remotedialer kubelet connections use kubelet bind address"}),"\n",(0,r.jsx)(s.li,{children:"Chore: Bump Trivy version"}),"\n",(0,r.jsx)(s.li,{children:"Add etcd s3 config secret implementation"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["July Test Backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10509",children:"(#10509)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.12-k3s1 and Go 1.22.5 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10541",children:"(#10541)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issues loading data-dir value from env vars or dropping config files ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10598",children:"(#10598)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12811k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.11+k3s2",children:"v1.28.11+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.11, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v12811",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12811k3s1",children:"Changes since v1.28.11+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update flannel to v0.25.4 and fixed issue with IPv6 mask ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10428",children:"(#10428)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12811k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.11+k3s1",children:"v1.28.11+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.11, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v12810",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12810k3s1",children:"Changes since v1.28.10+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Replace deprecated ruby function ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10090",children:"(#10090)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix bug when using tailscale config by file ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10144",children:"(#10144)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump flannel version to v0.25.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10221",children:"(#10221)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router version to v2.1.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10182",children:"(#10182)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Improve tailscale test & add extra log in e2e tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10213",children:"(#10213)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-06 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10258",children:"(#10258)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Add WithSkipMissing to not fail import on missing blobs"}),"\n",(0,r.jsx)(s.li,{children:"Use fixed stream server bind address for cri-dockerd"}),"\n",(0,r.jsx)(s.li,{children:"Switch stargz over to cri registry config_path"}),"\n",(0,r.jsx)(s.li,{children:"Bump to containerd v1.7.17, etcd v3.5.13"}),"\n",(0,r.jsx)(s.li,{children:"Bump spegel version"}),"\n",(0,r.jsx)(s.li,{children:"Fix issue with externalTrafficPolicy: Local for single-stack services on dual-stack nodes"}),"\n",(0,r.jsxs)(s.li,{children:["ServiceLB now sets the priorityClassName on svclb pods to ",(0,r.jsx)(s.code,{children:"system-node-critical"})," by default. This can be overridden on a per-service basis via the ",(0,r.jsx)(s.code,{children:"svccontroller.k3s.cattle.io/priorityclassname"})," annotation."]}),"\n",(0,r.jsx)(s.li,{children:"Bump minio-go to v7.0.70"}),"\n",(0,r.jsx)(s.li,{children:"Bump kine to v0.11.9 to fix pagination"}),"\n",(0,r.jsx)(s.li,{children:"Update valid resolv conf"}),"\n",(0,r.jsx)(s.li,{children:"Add missing kernel config check"}),"\n",(0,r.jsx)(s.li,{children:"Symlinked sub-directories are now respected when scanning Auto-Deploying Manifests (AddOns)"}),"\n",(0,r.jsx)(s.li,{children:"Fix bug: allow helm controller set owner reference"}),"\n",(0,r.jsx)(s.li,{children:"Bump klipper-helm image for tls secret support"}),"\n",(0,r.jsx)(s.li,{children:"Fix issue with k3s-etcd informers not starting"}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--Enable-pprof"})," can now be set on agents to enable the debug/pprof endpoints. When set, agents will listen on the supervisor port."]}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--Supervisor-metrics"})," can now be set on servers to enable serving internal metrics on the supervisor endpoint; when set agents will listen on the supervisor port."]}),"\n",(0,r.jsx)(s.li,{children:"Fix netpol crash when node remains tainted uninitialized"}),"\n",(0,r.jsx)(s.li,{children:"The embedded load-balancer will now fall back to trying all servers with health-checks ignored, if all servers have been marked unavailable due to failed health checks."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["More backports for 2024-06 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10289",children:"(#10289)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add snapshot retention etcd-s3-folder fix ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10315",children:"(#10315)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add test for ",(0,r.jsx)(s.code,{children:"isValidResolvConf"})," (#10302) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10331",children:"(#10331)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix race condition panic in loadbalancer.nextServer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10323",children:"(#10323)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix typo, use ",(0,r.jsx)(s.code,{children:"rancher/permissions"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10299",children:"(#10299)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.28.11 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10347",children:"(#10347)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix agent supervisor port using apiserver port instead ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10355",children:"(#10355)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue that allowed multiple simultaneous snapshots to be allowed ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10377",children:"(#10377)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12810k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.10+k3s1",children:"v1.28.10+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.10, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1289",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1289k3s1",children:"Changes since v1.28.9+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Bump E2E opensuse leap to 15.6, fix btrfs test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10095",children:"(#10095)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Windows changes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10114",children:"(#10114)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.10-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10098",children:"(#10098)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1289k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.9+k3s1",children:"v1.28.9+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.9, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1288",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1288k3s1",children:"Changes since v1.28.8+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add a new error when kine is with disable apiserver or disable etcd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9804",children:"(#9804)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove old pinned dependencies ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9827",children:"(#9827)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Transition from deprecated pointer library to ptr ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9824",children:"(#9824)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Golang caching and E2E ubuntu 23.10 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9821",children:"(#9821)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add tls for kine ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9849",children:"(#9849)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump spegel to v0.0.20-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9880",children:"(#9880)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-04 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9911",children:"(#9911)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Send error response if member list cannot be retrieved"}),"\n",(0,r.jsx)(s.li,{children:"The k3s stub cloud provider now respects the kubelet's requested provider-id, instance type, and topology labels"}),"\n",(0,r.jsx)(s.li,{children:"Fix error when image has already been pulled"}),"\n",(0,r.jsx)(s.li,{children:"Add /etc/passwd and /etc/group to k3s docker image"}),"\n",(0,r.jsx)(s.li,{children:"Fix etcd snapshot reconcile for agentless servers"}),"\n",(0,r.jsx)(s.li,{children:"Add health-check support to loadbalancer"}),"\n",(0,r.jsx)(s.li,{children:"Add certificate expiry check, events, and metrics"}),"\n",(0,r.jsx)(s.li,{children:"Add workaround for containerd hosts.toml bug when passing config for default registry endpoint"}),"\n",(0,r.jsx)(s.li,{children:"Add supervisor cert/key to rotate list"}),"\n",(0,r.jsx)(s.li,{children:"The embedded containerd has been bumped to v1.7.15"}),"\n",(0,r.jsx)(s.li,{children:"The embedded cri-dockerd has been bumped to v0.3.12"}),"\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"k3s etcd-snapshot"})," command has been reworked for improved consistency. All snapshots operations are now performed by the server process, with the CLI acting as a client to initiate and report results. As a side effect, the CLI is now less noisy when managing snapshots."]}),"\n",(0,r.jsx)(s.li,{children:"Improve etcd load-balancer startup behavior"}),"\n",(0,r.jsx)(s.li,{children:"Actually fix agent certificate rotation"}),"\n",(0,r.jsx)(s.li,{children:"Traefik has been bumped to v2.10.7."}),"\n",(0,r.jsx)(s.li,{children:"Traefik pod annotations are now set properly in the default chart values."}),"\n",(0,r.jsx)(s.li,{children:"The system-default-registry value now supports RFC2732 IPv6 literals."}),"\n",(0,r.jsxs)(s.li,{children:["The local-path provisioner now defaults to creating ",(0,r.jsx)(s.code,{children:"local"})," volumes, instead of ",(0,r.jsx)(s.code,{children:"hostPath"}),"."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Allow LPP to read helper logs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9938",children:"(#9938)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router to v2.1.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9942",children:"(#9942)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.9-k3s1 and Go 1.21.9 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9959",children:"(#9959)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix on-demand snapshots timing out; not honoring folder ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9994",children:"(#9994)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Make /db/info available anonymously from localhost ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10002",children:"(#10002)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1288k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.8+k3s1",children:"v1.28.8+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.8, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1287",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1287k3s1",children:"Changes since v1.28.7+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add an integration test for flannel-backend=none ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9608",children:"(#9608)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Install and Unit test backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9641",children:"(#9641)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update klipper-lb image version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9605",children:"(#9605)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Chore(deps): Remediating CVE-2023-45142 CVE-2023-48795 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9647",children:"(#9647)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Adjust first node-ip based on configured clusterCIDR ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9631",children:"(#9631)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Improve tailscale e2e test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9653",children:"(#9653)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-03 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9669",children:"(#9669)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fix: use correct wasm shims names"}),"\n",(0,r.jsx)(s.li,{children:"The embedded flannel cni-plugin binary is now built and versioned separate from the rest of the cni plugins and the embedded flannel controller."}),"\n",(0,r.jsx)(s.li,{children:"Bump spegel to v0.0.18-k3s3"}),"\n",(0,r.jsx)(s.li,{children:"Adds wildcard registry support"}),"\n",(0,r.jsx)(s.li,{children:"Fixes issue with excessive CPU utilization while waiting for containerd to start"}),"\n",(0,r.jsx)(s.li,{children:"Add env var to allow spegel mirroring of latest tag"}),"\n",(0,r.jsx)(s.li,{children:"Tweak netpol node wait logs"}),"\n",(0,r.jsx)(s.li,{children:"Fix coredns NodeHosts on dual-stack clusters"}),"\n",(0,r.jsx)(s.li,{children:"Bump helm-controller/klipper-helm versions"}),"\n",(0,r.jsx)(s.li,{children:"Fix snapshot prune"}),"\n",(0,r.jsx)(s.li,{children:"Fix issue with etcd node name missing hostname"}),"\n",(0,r.jsx)(s.li,{children:"Rootless mode should also bind service nodePort to host for LoadBalancer type, matching UX of rootful mode."}),"\n",(0,r.jsxs)(s.li,{children:["To enable raw output for the ",(0,r.jsx)(s.code,{children:"check-config"})," subcommand, you may now set NO_COLOR=1"]}),"\n",(0,r.jsx)(s.li,{children:"Fix additional corner cases in registries handling"}),"\n",(0,r.jsx)(s.li,{children:"Bump metrics-server to v0.7.0"}),"\n",(0,r.jsx)(s.li,{children:"K3s will now warn and suppress duplicate entries in the mirror endpoint list for a registry. Containerd does not support listing the same endpoint multiple times as a mirror for a single upstream registry."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Docker and E2E Test Backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9707",children:"(#9707)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix wildcard entry upstream fallback ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9733",children:"(#9733)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.8-k3s1 and Go 1.21.8 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9746",children:"(#9746)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1287k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.7+k3s1",children:"v1.28.7+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.7, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1286",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1286k3s2",children:"Changes since v1.28.6+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Chore: bump Local Path Provisioner version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9426",children:"(#9426)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump cri-dockerd to fix compat with Docker Engine 25 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9293",children:"(#9293)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Auto Dependency Bump ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9419",children:"(#9419)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Runtimes refactor using exec.LookPath ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9431",children:"(#9431)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Directories containing runtimes need to be included in the $PATH environment variable for effective runtime detection."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Changed how lastHeartBeatTime works in the etcd condition ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9424",children:"(#9424)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Flannel v0.24.2 + remove multiclustercidr ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9401",children:"(#9401)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow executors to define containerd and docker behavior ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9254",children:"(#9254)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kube-router to v2.0.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9404",children:"(#9404)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-02 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9462",children:"(#9462)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Enable longer http timeout requests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9444",children:"(#9444)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Test_UnitApplyContainerdQoSClassConfigFileIfPresent ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9440",children:"(#9440)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Support PR testing installs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9469",children:"(#9469)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.28.7 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9492",children:"(#9492)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix drone publish for arm ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9508",children:"(#9508)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove failing Drone step ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9516",children:"(#9516)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Restore original order of agent startup functions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9545",children:"(#9545)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix netpol startup when flannel is disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9578",children:"(#9578)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1286k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.6+k3s2",children:"v1.28.6+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.6, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1285",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.p,{children:(0,r.jsx)(s.strong,{children:"Important Notes"})}),"\n",(0,r.jsxs)(s.p,{children:["Addresses the runc CVE: ",(0,r.jsx)(s.a,{href:"https://nvd.nist.gov/vuln/detail/CVE-2024-21626",children:"CVE-2024-21626"})," by updating runc to v1.1.12."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1285k3s1",children:"Changes since v1.28.5+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add a retry around updating a secrets-encrypt node annotations ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9125",children:"(#9125)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Wait for taint to be gone in the node before starting the netpol controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9175",children:"(#9175)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Etcd condition ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9181",children:"(#9181)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-01 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9203",children:"(#9203)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Pin opa version for missing dependency chain ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9216",children:"(#9216)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added support for env *_PROXY variables for agent loadbalancer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9206",children:"(#9206)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Etcd node is nil ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9228",children:"(#9228)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.6 and Go 1.20.13 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9260",children:"(#9260)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use ",(0,r.jsx)(s.code,{children:"ipFamilyPolicy: RequireDualStack"})," for dual-stack kube-dns ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9269",children:"(#9269)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-01 k3s2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9336",children:"(#9336)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump runc to v1.1.12 and helm-controller to v0.15.7"}),"\n",(0,r.jsx)(s.li,{children:"Fix handling of bare hostname or IP as endpoint address in registries.yaml"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump helm-controller to fix issue with ChartContent ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9346",children:"(#9346)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1285k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.5+k3s1",children:"v1.28.5+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.5, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1284",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1284k3s1",children:"Changes since v1.28.4+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Remove s390x steps temporarily since runners are disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8983",children:"(#8983)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove s390x from manifest ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8998",children:"(#8998)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix overlapping address range ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8913",children:"(#8913)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Modify CONTRIBUTING.md guide ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8954",children:"(#8954)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Nov 2023 stable channel update ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9022",children:"(#9022)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Default runtime and runtime classes for wasm/nvidia/crun ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8936",children:"(#8936)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Added runtime classes for wasm/nvidia/crun"}),"\n",(0,r.jsx)(s.li,{children:"Added default runtime flag for containerd"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd/runc to v1.7.10-k3s1/v1.1.10 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8962",children:"(#8962)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow setting default-runtime on servers ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9027",children:"(#9027)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd to v1.7.11 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9040",children:"(#9040)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.5-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9081",children:"(#9081)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1284k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.4+k3s2",children:"v1.28.4+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.4, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1283",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1283k3s2",children:"Changes since v1.28.3+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update channels latest to v1.27.7+k3s2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8799",children:"(#8799)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add etcd status condition ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8724",children:"(#8724)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Now the user can see the etcd status from each node in a simple way"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["ADR for etcd status ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8355",children:"(#8355)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Wasm shims detection ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8751",children:"(#8751)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Automatic discovery of WebAssembly runtimes"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add warning for removal of multiclustercidr flag ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8758",children:"(#8758)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Improve dualStack log ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8798",children:"(#8798)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Optimize: Simplify and clean up Dockerfile ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8244",children:"(#8244)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add: timezone info in image ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8764",children:"(#8764)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["New timezone info in Docker image allows the use of ",(0,r.jsx)(s.code,{children:"spec.timeZone"})," in CronJobs"]}),"\n"]}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump kine to fix nats, postgres, and watch issues ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8778",children:"(#8778)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bumped kine to v0.11.0 to resolve issues with postgres and NATS, fix performance of watch channels under heavy load, and improve compatibility with the reference implementation."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["QoS-class resource configuration ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8726",children:"(#8726)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Containerd may now be configured to use rdt or blockio configuration by defining ",(0,r.jsx)(s.code,{children:"rdt_config.yaml"})," or ",(0,r.jsx)(s.code,{children:"blockio_config.yaml"})," files."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add agent flag disable-apiserver-lb ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8717",children:"(#8717)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Add agent flag disable-apiserver-lb, agent will not start load balance proxy."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Force umount for NFS mount (like with longhorn) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8521",children:"(#8521)"})]}),"\n",(0,r.jsxs)(s.li,{children:["General updates to README ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8786",children:"(#8786)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix wrong warning from restorecon in install script ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8871",children:"(#8871)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue with snapshot metadata configmap ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8835",children:"(#8835)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Omit snapshot list configmap entries for snapshots without extra metadata"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Skip initial datastore reconcile during cluster-reset ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8861",children:"(#8861)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Tweaked order of ingress IPs in ServiceLB ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8711",children:"(#8711)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Improved ingress IP ordering from ServiceLB"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Disable helm CRD installation for disable-helm-controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8702",children:"(#8702)"})]}),"\n",(0,r.jsxs)(s.li,{children:["More improves for K3s patch release docs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8800",children:"(#8800)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update install.sh sha256sum ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8885",children:"(#8885)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add jitter to client config retry to avoid hammering servers when they are starting up ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8863",children:"(#8863)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Handle nil pointer when runtime core is not ready in etcd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8886",children:"(#8886)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump dynamiclistener; reduce snapshot controller log spew ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8894",children:"(#8894)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bumped dynamiclistener to address a race condition that could cause a server to fail to sync its certificates into the Kubernetes secret"}),"\n",(0,r.jsx)(s.li,{children:"Reduced etcd snapshot log spam during initial cluster startup"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Remove depends_on for e2e step; fix cert rotate e2e ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8906",children:"(#8906)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix etcd snapshot S3 issues ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8926",children:"(#8926)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Don't apply S3 retention if S3 client failed to initialize"}),"\n",(0,r.jsx)(s.li,{children:"Don't request metadata when listing S3 snapshots"}),"\n",(0,r.jsx)(s.li,{children:"Print key instead of file path in snapshot metadata log message"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.4 and Go to v1.20.11 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8920",children:"(#8920)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove s390x steps temporarily since runners are disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8983",children:"(#8983)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove s390x from manifest ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8998",children:"(#8998)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1283k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.3+k3s2",children:"v1.28.3+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.3, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1283",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1283k3s1",children:"Changes since v1.28.3+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Restore selinux context systemd unit file ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8593",children:"(#8593)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update channel to v1.27.7+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8753",children:"(#8753)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Sonobuoy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8710",children:"(#8710)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8739",children:"(#8739)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix: Access outer scope .SystemdCgroup ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8761",children:"(#8761)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed failing to start with nvidia-container-runtime"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Upgrade traefik chart to v25.0.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8771",children:"(#8771)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update traefik to fix registry value ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8792",children:"(#8792)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Don't use iptables-save/iptables-restore if it will corrupt rules ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8795",children:"(#8795)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1283k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.3+k3s1",children:"v1.28.3+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.3, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1282",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1282k3s1",children:"Changes since v1.28.2+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix error reporting ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8250",children:"(#8250)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add context to flannel errors ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8284",children:"(#8284)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update channel, September patch release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8397",children:"(#8397)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add missing link to drone in documentation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8295",children:"(#8295)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Include the interface name in the error message ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8346",children:"(#8346)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add extraArgs to vpn provider ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8354",children:"(#8354)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Allow to pass extra args to the vpn provider"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Disable HTTP on main etcd client port ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8402",children:"(#8402)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Embedded etcd no longer serves http requests on the client port, only grpc. This addresses a performance issue that could cause watch stream starvation under load. For more information, see ",(0,r.jsx)(s.a,{href:"https://github.com/etcd-io/etcd/issues/15402",children:"https://github.com/etcd-io/etcd/issues/15402"})]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Server token rotation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8215",children:"(#8215)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issues with etcd member removal after reset ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8392",children:"(#8392)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed an issue that could cause k3s to attempt to remove members from the etcd cluster immediately following a cluster-reset/restore, if they were queued for removal at the time the snapshot was taken."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix gofmt error ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8439",children:"(#8439)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added advertise address integration test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8344",children:"(#8344)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added cluster reset from non bootstrap nodes on snapshot restore e2e test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8292",children:"(#8292)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix .github regex to skip drone runs on gh action bumps ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8433",children:"(#8433)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added error when cluster reset while using server flag ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8385",children:"(#8385)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The user will receive a error when --cluster-reset with the --server flag"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8423",children:"(#8423)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Update kube-router to v2.0.0-rc7 to fix performance issues"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add SHA256 signatures of the install script ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8312",children:"(#8312)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Add SHA256 signatures of the install script."}),"\n"]}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add --image-service-endpoint flag ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8279",children:"(#8279)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add ",(0,r.jsx)(s.code,{children:"--image-service-endpoint"})," flag to specify an external image service socket."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Don't ignore assets in home dir if system assets exist ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8458",children:"(#8458)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Pass SystemdCgroup setting through to nvidia runtime options ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8470",children:"(#8470)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed issue that would cause pods using nvidia container runtime to be killed after a few seconds, when using newer versions of nvidia-container-toolkit."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Improve release docs - updated ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8414",children:"(#8414)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Take IPFamily precedence based on order ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8460",children:"(#8460)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix spellcheck problem ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8507",children:"(#8507)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Network defaults are duplicated, remove one ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8523",children:"(#8523)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix slemicro check for selinux ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8526",children:"(#8526)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update install.sh.sha256sum ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8566",children:"(#8566)"})]}),"\n",(0,r.jsxs)(s.li,{children:["System agent push tags fix ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8568",children:"(#8568)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fixed tailscale node IP dualstack mode in case of IPv4 only node ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8524",children:"(#8524)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Server Token Rotation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8265",children:"(#8265)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Users can now rotate the server token using ",(0,r.jsx)(s.code,{children:"k3s token rotate -t --new-token "}),". After command succeeds, all server nodes must be restarted with the new token."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["E2E Domain Drone Cleanup ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8579",children:"(#8579)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd to v1.7.7-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8604",children:"(#8604)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump busybox to v1.36.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8602",children:"(#8602)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Migrate to using custom resource to store etcd snapshot metadata ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8064",children:"(#8064)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Switch build target from main.go to a package. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8342",children:"(#8342)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use IPv6 in case is the first configured IP with dualstack ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8581",children:"(#8581)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump traefik, golang.org/x/net, google.golang.org/grpc ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8624",children:"(#8624)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router package in build script ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8630",children:"(#8630)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add etcd-only/control-plane-only server test and fix control-plane-only server crash ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8638",children:"(#8638)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use ",(0,r.jsx)(s.code,{children:"version.Program"})," not K3s in token rotate logs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8653",children:"(#8653)"})]}),"\n",(0,r.jsxs)(s.li,{children:["[Windows Port ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7259",children:"(#7259)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix CloudDualStackNodeIPs feature-gate inconsistency ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8667",children:"(#8667)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Re-enable etcd endpoint auto-sync ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8675",children:"(#8675)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Manually requeue configmap reconcile when no nodes have reconciled snapshots ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8683",children:"(#8683)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.3 and Go to v1.20.10 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8682",children:"(#8682)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix s3 snapshot restore ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8729",children:"(#8729)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1282k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.2+k3s1",children:"v1.28.2+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.2, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1281",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1281k3s1",children:"Changes since v1.28.1+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update channel for version v1.28 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8305",children:"(#8305)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump kine to v0.10.3 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8323",children:"(#8323)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.2 and go v1.20.8 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8364",children:"(#8364)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump embedded containerd to v1.7.6"}),"\n",(0,r.jsx)(s.li,{children:"Bump embedded stargz-snapshotter plugin to latest"}),"\n",(0,r.jsx)(s.li,{children:"Fixed intermittent drone CI failures due to race conditions in test environment setup scripts"}),"\n",(0,r.jsx)(s.li,{children:"Fixed CI failures due to changes to api discovery changes in Kubernetes 1.28"}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1281k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.1+k3s1",children:"v1.28.1+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release is K3S's first in the v1.28 line. This release updates Kubernetes to v1.28.1."}),"\n",(0,r.jsx)(s.admonition,{title:"Important",type:"warning",children:(0,r.jsxs)(s.p,{children:["This release includes remediation for CVE-2023-32187, a potential Denial of Service attack vector on K3s servers. See ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2",children:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2"})," for more information, including documentation on changes in behavior that harden clusters against this vulnerability."]})}),"\n",(0,r.jsx)(s.admonition,{title:"Critical Regression",type:"danger",children:(0,r.jsxs)(s.p,{children:["Kubernetes v1.28 contains a critical regression (",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/issues/120247",children:"kubernetes/kubernetes#120247"}),") that causes init containers to run at the same time as app containers following a restart of the node. This issue will be fixed in v1.28.2. We do not recommend using K3s v1.28 at this time if your application depends on init containers."]})}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1270",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1275k3s1",children:"Changes since v1.27.5+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8239",children:"(#8239)"})]}),"\n",(0,r.jsxs)(s.li,{children:["CLI Removal for v1.28.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8203",children:"(#8203)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Secrets Encryption V3 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8111",children:"(#8111)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add new CLI flag to disable TLS SAN CN filtering ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8252",children:"(#8252)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Added a new ",(0,r.jsx)(s.code,{children:"--tls-san-security"})," option."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add RWMutex to address controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8268",children:"(#8268)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{})]})}function o(e={}){const{wrapper:s}={...(0,t.a)(),...e.components};return s?(0,r.jsx)(s,{...e,children:(0,r.jsx)(a,{...e})}):a(e)}},1151:(e,s,i)=>{i.d(s,{Z:()=>h,a:()=>l});var r=i(7294);const t={},n=r.createContext(t);function l(e){const s=r.useContext(n);return r.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function h(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:l(e.components),r.createElement(n.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/2f797aa4.4789b2d8.js b/assets/js/2f797aa4.4789b2d8.js deleted file mode 100644 index 514dab6ea..000000000 --- a/assets/js/2f797aa4.4789b2d8.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[101],{3989:(e,s,i)=>{i.r(s),i.d(s,{assets:()=>c,contentTitle:()=>l,default:()=>o,frontMatter:()=>n,metadata:()=>h,toc:()=>d});var r=i(5893),t=i(1151);const n={hide_table_of_contents:!0,sidebar_position:3},l="v1.28.X",h={id:"release-notes/v1.28.X",title:"v1.28.X",description:"Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.",source:"@site/docs/release-notes/v1.28.X.md",sourceDirName:"release-notes",slug:"/release-notes/v1.28.X",permalink:"/release-notes/v1.28.X",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/release-notes/v1.28.X.md",tags:[],version:"current",lastUpdatedAt:172365169e4,sidebarPosition:3,frontMatter:{hide_table_of_contents:!0,sidebar_position:3},sidebar:"mySidebar",previous:{title:"v1.29.X",permalink:"/release-notes/v1.29.X"},next:{title:"v1.27.X",permalink:"/release-notes/v1.27.X"}},c={},d=[{value:"Release v1.28.12+k3s1",id:"release-v12812k3s1",level:2},{value:"Changes since v1.28.11+k3s2:",id:"changes-since-v12811k3s2",level:3},{value:"Release v1.28.11+k3s2",id:"release-v12811k3s2",level:2},{value:"Changes since v1.28.11+k3s1:",id:"changes-since-v12811k3s1",level:3},{value:"Release v1.28.11+k3s1",id:"release-v12811k3s1",level:2},{value:"Changes since v1.28.10+k3s1:",id:"changes-since-v12810k3s1",level:3},{value:"Release v1.28.10+k3s1",id:"release-v12810k3s1",level:2},{value:"Changes since v1.28.9+k3s1:",id:"changes-since-v1289k3s1",level:3},{value:"Release v1.28.9+k3s1",id:"release-v1289k3s1",level:2},{value:"Changes since v1.28.8+k3s1:",id:"changes-since-v1288k3s1",level:3},{value:"Release v1.28.8+k3s1",id:"release-v1288k3s1",level:2},{value:"Changes since v1.28.7+k3s1:",id:"changes-since-v1287k3s1",level:3},{value:"Release v1.28.7+k3s1",id:"release-v1287k3s1",level:2},{value:"Changes since v1.28.6+k3s2:",id:"changes-since-v1286k3s2",level:3},{value:"Release v1.28.6+k3s2",id:"release-v1286k3s2",level:2},{value:"Changes since v1.28.5+k3s1:",id:"changes-since-v1285k3s1",level:3},{value:"Release v1.28.5+k3s1",id:"release-v1285k3s1",level:2},{value:"Changes since v1.28.4+k3s1:",id:"changes-since-v1284k3s1",level:3},{value:"Release v1.28.4+k3s2",id:"release-v1284k3s2",level:2},{value:"Changes since v1.28.3+k3s2:",id:"changes-since-v1283k3s2",level:3},{value:"Release v1.28.3+k3s2",id:"release-v1283k3s2",level:2},{value:"Changes since v1.28.3+k3s1:",id:"changes-since-v1283k3s1",level:3},{value:"Release v1.28.3+k3s1",id:"release-v1283k3s1",level:2},{value:"Changes since v1.28.2+k3s1:",id:"changes-since-v1282k3s1",level:3},{value:"Release v1.28.2+k3s1",id:"release-v1282k3s1",level:2},{value:"Changes since v1.28.1+k3s1:",id:"changes-since-v1281k3s1",level:3},{value:"Release v1.28.1+k3s1",id:"release-v1281k3s1",level:2},{value:"Changes since v1.27.5+k3s1:",id:"changes-since-v1275k3s1",level:3}];function a(e){const s={a:"a",admonition:"admonition",code:"code",h1:"h1",h2:"h2",h3:"h3",hr:"hr",li:"li",p:"p",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,t.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(s.h1,{id:"v128x",children:"v1.28.X"}),"\n",(0,r.jsx)(s.admonition,{title:"Upgrade Notice",type:"warning",children:(0,r.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]})}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Version"}),(0,r.jsx)(s.th,{children:"Release date"}),(0,r.jsx)(s.th,{children:"Kubernetes"}),(0,r.jsx)(s.th,{children:"Kine"}),(0,r.jsx)(s.th,{children:"SQLite"}),(0,r.jsx)(s.th,{children:"Etcd"}),(0,r.jsx)(s.th,{children:"Containerd"}),(0,r.jsx)(s.th,{children:"Runc"}),(0,r.jsx)(s.th,{children:"Flannel"}),(0,r.jsx)(s.th,{children:"Metrics-server"}),(0,r.jsx)(s.th,{children:"Traefik"}),(0,r.jsx)(s.th,{children:"CoreDNS"}),(0,r.jsx)(s.th,{children:"Helm-controller"}),(0,r.jsx)(s.th,{children:"Local-path-provisioner"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v12812k3s1",children:"v1.28.12+k3s1"})}),(0,r.jsx)(s.td,{children:"Jul 31 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v12812",children:"v1.28.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.11",children:"v0.11.11"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1.28",children:"v1.7.17-k3s1.28"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.4",children:"v0.25.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.10",children:"v0.15.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.28",children:"v0.0.28"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v12811k3s2",children:"v1.28.11+k3s2"})}),(0,r.jsx)(s.td,{children:"Jul 03 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v12811",children:"v1.28.11"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.9",children:"v0.11.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1.28",children:"v1.7.17-k3s1.28"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.4",children:"v0.25.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.10",children:"v0.15.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.27",children:"v0.0.27"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v12811k3s1",children:"v1.28.11+k3s1"})}),(0,r.jsx)(s.td,{children:"Jun 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v12811",children:"v1.28.11"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.9",children:"v0.11.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1.28",children:"v1.7.17-k3s1.28"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.2",children:"v0.25.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.10",children:"v0.15.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.27",children:"v0.0.27"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v12810k3s1",children:"v1.28.10+k3s1"})}),(0,r.jsx)(s.td,{children:"May 22 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v12810",children:"v1.28.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.7",children:"v0.11.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.15-k3s1",children:"v1.7.15-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v1289k3s1",children:"v1.28.9+k3s1"})}),(0,r.jsx)(s.td,{children:"Apr 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1289",children:"v1.28.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.7",children:"v0.11.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.15-k3s1",children:"v1.7.15-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v1288k3s1",children:"v1.28.8+k3s1"})}),(0,r.jsx)(s.td,{children:"Mar 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1288",children:"v1.28.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.4",children:"v0.11.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2",children:"v1.7.11-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v1287k3s1",children:"v1.28.7+k3s1"})}),(0,r.jsx)(s.td,{children:"Feb 29 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1287",children:"v1.28.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.4",children:"v0.11.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2",children:"v1.7.11-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.8",children:"v0.15.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v1286k3s2",children:"v1.28.6+k3s2"})}),(0,r.jsx)(s.td,{children:"Feb 06 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1286",children:"v1.28.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2",children:"v1.7.11-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.8",children:"v0.15.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v1285k3s1",children:"v1.28.5+k3s1"})}),(0,r.jsx)(s.td,{children:"Dec 27 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1285",children:"v1.28.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2",children:"v1.7.11-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.10",children:"v1.1.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v1284k3s2",children:"v1.28.4+k3s2"})}),(0,r.jsx)(s.td,{children:"Dec 06 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1284",children:"v1.28.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1",children:"v1.7.7-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v1283k3s2",children:"v1.28.3+k3s2"})}),(0,r.jsx)(s.td,{children:"Nov 08 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1283",children:"v1.28.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1",children:"v1.7.7-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v1283k3s1",children:"v1.28.3+k3s1"})}),(0,r.jsx)(s.td,{children:"Oct 30 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1283",children:"v1.28.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1",children:"v1.7.7-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v1282k3s1",children:"v1.28.2+k3s1"})}),(0,r.jsx)(s.td,{children:"Sep 20 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1282",children:"v1.28.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.6-k3s1",children:"v1.7.6-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v1281k3s1",children:"v1.28.1+k3s1"})}),(0,r.jsx)(s.td,{children:"Sep 08 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1281",children:"v1.28.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.3-k3s2",children:"v1.7.3-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]})]})]}),"\n",(0,r.jsx)("br",{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12812k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.12+k3s1",children:"v1.28.12+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.12, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v12811",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12811k3s2",children:"Changes since v1.28.11+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-07 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10499",children:"(#10499)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump k3s-root to v0.14.0"}),"\n",(0,r.jsx)(s.li,{children:"Bump github.com/hashicorp/go-retryablehttp from 0.7.4 to 0.7.7"}),"\n",(0,r.jsx)(s.li,{children:"Bump Local Path Provisioner version"}),"\n",(0,r.jsx)(s.li,{children:"Ensure remotedialer kubelet connections use kubelet bind address"}),"\n",(0,r.jsx)(s.li,{children:"Chore: Bump Trivy version"}),"\n",(0,r.jsx)(s.li,{children:"Add etcd s3 config secret implementation"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["July Test Backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10509",children:"(#10509)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.12-k3s1 and Go 1.22.5 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10541",children:"(#10541)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issues loading data-dir value from env vars or dropping config files ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10598",children:"(#10598)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12811k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.11+k3s2",children:"v1.28.11+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.11, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v12811",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12811k3s1",children:"Changes since v1.28.11+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update flannel to v0.25.4 and fixed issue with IPv6 mask ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10428",children:"(#10428)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12811k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.11+k3s1",children:"v1.28.11+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.11, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v12810",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12810k3s1",children:"Changes since v1.28.10+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Replace deprecated ruby function ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10090",children:"(#10090)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix bug when using tailscale config by file ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10144",children:"(#10144)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump flannel version to v0.25.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10221",children:"(#10221)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router version to v2.1.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10182",children:"(#10182)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Improve tailscale test & add extra log in e2e tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10213",children:"(#10213)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-06 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10258",children:"(#10258)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Add WithSkipMissing to not fail import on missing blobs"}),"\n",(0,r.jsx)(s.li,{children:"Use fixed stream server bind address for cri-dockerd"}),"\n",(0,r.jsx)(s.li,{children:"Switch stargz over to cri registry config_path"}),"\n",(0,r.jsx)(s.li,{children:"Bump to containerd v1.7.17, etcd v3.5.13"}),"\n",(0,r.jsx)(s.li,{children:"Bump spegel version"}),"\n",(0,r.jsx)(s.li,{children:"Fix issue with externalTrafficPolicy: Local for single-stack services on dual-stack nodes"}),"\n",(0,r.jsxs)(s.li,{children:["ServiceLB now sets the priorityClassName on svclb pods to ",(0,r.jsx)(s.code,{children:"system-node-critical"})," by default. This can be overridden on a per-service basis via the ",(0,r.jsx)(s.code,{children:"svccontroller.k3s.cattle.io/priorityclassname"})," annotation."]}),"\n",(0,r.jsx)(s.li,{children:"Bump minio-go to v7.0.70"}),"\n",(0,r.jsx)(s.li,{children:"Bump kine to v0.11.9 to fix pagination"}),"\n",(0,r.jsx)(s.li,{children:"Update valid resolv conf"}),"\n",(0,r.jsx)(s.li,{children:"Add missing kernel config check"}),"\n",(0,r.jsx)(s.li,{children:"Symlinked sub-directories are now respected when scanning Auto-Deploying Manifests (AddOns)"}),"\n",(0,r.jsx)(s.li,{children:"Fix bug: allow helm controller set owner reference"}),"\n",(0,r.jsx)(s.li,{children:"Bump klipper-helm image for tls secret support"}),"\n",(0,r.jsx)(s.li,{children:"Fix issue with k3s-etcd informers not starting"}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--Enable-pprof"})," can now be set on agents to enable the debug/pprof endpoints. When set, agents will listen on the supervisor port."]}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--Supervisor-metrics"})," can now be set on servers to enable serving internal metrics on the supervisor endpoint; when set agents will listen on the supervisor port."]}),"\n",(0,r.jsx)(s.li,{children:"Fix netpol crash when node remains tainted uninitialized"}),"\n",(0,r.jsx)(s.li,{children:"The embedded load-balancer will now fall back to trying all servers with health-checks ignored, if all servers have been marked unavailable due to failed health checks."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["More backports for 2024-06 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10289",children:"(#10289)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add snapshot retention etcd-s3-folder fix ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10315",children:"(#10315)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add test for ",(0,r.jsx)(s.code,{children:"isValidResolvConf"})," (#10302) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10331",children:"(#10331)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix race condition panic in loadbalancer.nextServer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10323",children:"(#10323)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix typo, use ",(0,r.jsx)(s.code,{children:"rancher/permissions"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10299",children:"(#10299)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.28.11 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10347",children:"(#10347)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix agent supervisor port using apiserver port instead ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10355",children:"(#10355)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue that allowed multiple simultaneous snapshots to be allowed ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10377",children:"(#10377)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12810k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.10+k3s1",children:"v1.28.10+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.10, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1289",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1289k3s1",children:"Changes since v1.28.9+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Bump E2E opensuse leap to 15.6, fix btrfs test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10095",children:"(#10095)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Windows changes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10114",children:"(#10114)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.10-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10098",children:"(#10098)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1289k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.9+k3s1",children:"v1.28.9+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.9, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1288",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1288k3s1",children:"Changes since v1.28.8+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add a new error when kine is with disable apiserver or disable etcd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9804",children:"(#9804)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove old pinned dependencies ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9827",children:"(#9827)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Transition from deprecated pointer library to ptr ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9824",children:"(#9824)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Golang caching and E2E ubuntu 23.10 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9821",children:"(#9821)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add tls for kine ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9849",children:"(#9849)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump spegel to v0.0.20-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9880",children:"(#9880)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-04 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9911",children:"(#9911)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Send error response if member list cannot be retrieved"}),"\n",(0,r.jsx)(s.li,{children:"The k3s stub cloud provider now respects the kubelet's requested provider-id, instance type, and topology labels"}),"\n",(0,r.jsx)(s.li,{children:"Fix error when image has already been pulled"}),"\n",(0,r.jsx)(s.li,{children:"Add /etc/passwd and /etc/group to k3s docker image"}),"\n",(0,r.jsx)(s.li,{children:"Fix etcd snapshot reconcile for agentless servers"}),"\n",(0,r.jsx)(s.li,{children:"Add health-check support to loadbalancer"}),"\n",(0,r.jsx)(s.li,{children:"Add certificate expiry check, events, and metrics"}),"\n",(0,r.jsx)(s.li,{children:"Add workaround for containerd hosts.toml bug when passing config for default registry endpoint"}),"\n",(0,r.jsx)(s.li,{children:"Add supervisor cert/key to rotate list"}),"\n",(0,r.jsx)(s.li,{children:"The embedded containerd has been bumped to v1.7.15"}),"\n",(0,r.jsx)(s.li,{children:"The embedded cri-dockerd has been bumped to v0.3.12"}),"\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"k3s etcd-snapshot"})," command has been reworked for improved consistency. All snapshots operations are now performed by the server process, with the CLI acting as a client to initiate and report results. As a side effect, the CLI is now less noisy when managing snapshots."]}),"\n",(0,r.jsx)(s.li,{children:"Improve etcd load-balancer startup behavior"}),"\n",(0,r.jsx)(s.li,{children:"Actually fix agent certificate rotation"}),"\n",(0,r.jsx)(s.li,{children:"Traefik has been bumped to v2.10.7."}),"\n",(0,r.jsx)(s.li,{children:"Traefik pod annotations are now set properly in the default chart values."}),"\n",(0,r.jsx)(s.li,{children:"The system-default-registry value now supports RFC2732 IPv6 literals."}),"\n",(0,r.jsxs)(s.li,{children:["The local-path provisioner now defaults to creating ",(0,r.jsx)(s.code,{children:"local"})," volumes, instead of ",(0,r.jsx)(s.code,{children:"hostPath"}),"."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Allow LPP to read helper logs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9938",children:"(#9938)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router to v2.1.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9942",children:"(#9942)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.9-k3s1 and Go 1.21.9 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9959",children:"(#9959)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix on-demand snapshots timing out; not honoring folder ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9994",children:"(#9994)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Make /db/info available anonymously from localhost ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10002",children:"(#10002)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1288k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.8+k3s1",children:"v1.28.8+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.8, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1287",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1287k3s1",children:"Changes since v1.28.7+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add an integration test for flannel-backend=none ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9608",children:"(#9608)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Install and Unit test backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9641",children:"(#9641)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update klipper-lb image version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9605",children:"(#9605)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Chore(deps): Remediating CVE-2023-45142 CVE-2023-48795 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9647",children:"(#9647)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Adjust first node-ip based on configured clusterCIDR ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9631",children:"(#9631)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Improve tailscale e2e test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9653",children:"(#9653)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-03 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9669",children:"(#9669)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fix: use correct wasm shims names"}),"\n",(0,r.jsx)(s.li,{children:"The embedded flannel cni-plugin binary is now built and versioned separate from the rest of the cni plugins and the embedded flannel controller."}),"\n",(0,r.jsx)(s.li,{children:"Bump spegel to v0.0.18-k3s3"}),"\n",(0,r.jsx)(s.li,{children:"Adds wildcard registry support"}),"\n",(0,r.jsx)(s.li,{children:"Fixes issue with excessive CPU utilization while waiting for containerd to start"}),"\n",(0,r.jsx)(s.li,{children:"Add env var to allow spegel mirroring of latest tag"}),"\n",(0,r.jsx)(s.li,{children:"Tweak netpol node wait logs"}),"\n",(0,r.jsx)(s.li,{children:"Fix coredns NodeHosts on dual-stack clusters"}),"\n",(0,r.jsx)(s.li,{children:"Bump helm-controller/klipper-helm versions"}),"\n",(0,r.jsx)(s.li,{children:"Fix snapshot prune"}),"\n",(0,r.jsx)(s.li,{children:"Fix issue with etcd node name missing hostname"}),"\n",(0,r.jsx)(s.li,{children:"Rootless mode should also bind service nodePort to host for LoadBalancer type, matching UX of rootful mode."}),"\n",(0,r.jsxs)(s.li,{children:["To enable raw output for the ",(0,r.jsx)(s.code,{children:"check-config"})," subcommand, you may now set NO_COLOR=1"]}),"\n",(0,r.jsx)(s.li,{children:"Fix additional corner cases in registries handling"}),"\n",(0,r.jsx)(s.li,{children:"Bump metrics-server to v0.7.0"}),"\n",(0,r.jsx)(s.li,{children:"K3s will now warn and suppress duplicate entries in the mirror endpoint list for a registry. Containerd does not support listing the same endpoint multiple times as a mirror for a single upstream registry."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Docker and E2E Test Backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9707",children:"(#9707)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix wildcard entry upstream fallback ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9733",children:"(#9733)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.8-k3s1 and Go 1.21.8 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9746",children:"(#9746)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1287k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.7+k3s1",children:"v1.28.7+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.7, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1286",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1286k3s2",children:"Changes since v1.28.6+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Chore: bump Local Path Provisioner version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9426",children:"(#9426)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump cri-dockerd to fix compat with Docker Engine 25 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9293",children:"(#9293)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Auto Dependency Bump ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9419",children:"(#9419)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Runtimes refactor using exec.LookPath ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9431",children:"(#9431)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Directories containing runtimes need to be included in the $PATH environment variable for effective runtime detection."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Changed how lastHeartBeatTime works in the etcd condition ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9424",children:"(#9424)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Flannel v0.24.2 + remove multiclustercidr ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9401",children:"(#9401)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow executors to define containerd and docker behavior ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9254",children:"(#9254)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kube-router to v2.0.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9404",children:"(#9404)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-02 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9462",children:"(#9462)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Enable longer http timeout requests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9444",children:"(#9444)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Test_UnitApplyContainerdQoSClassConfigFileIfPresent ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9440",children:"(#9440)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Support PR testing installs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9469",children:"(#9469)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.28.7 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9492",children:"(#9492)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix drone publish for arm ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9508",children:"(#9508)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove failing Drone step ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9516",children:"(#9516)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Restore original order of agent startup functions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9545",children:"(#9545)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix netpol startup when flannel is disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9578",children:"(#9578)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1286k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.6+k3s2",children:"v1.28.6+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.6, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1285",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.p,{children:(0,r.jsx)(s.strong,{children:"Important Notes"})}),"\n",(0,r.jsxs)(s.p,{children:["Addresses the runc CVE: ",(0,r.jsx)(s.a,{href:"https://nvd.nist.gov/vuln/detail/CVE-2024-21626",children:"CVE-2024-21626"})," by updating runc to v1.1.12."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1285k3s1",children:"Changes since v1.28.5+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add a retry around updating a secrets-encrypt node annotations ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9125",children:"(#9125)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Wait for taint to be gone in the node before starting the netpol controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9175",children:"(#9175)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Etcd condition ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9181",children:"(#9181)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-01 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9203",children:"(#9203)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Pin opa version for missing dependency chain ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9216",children:"(#9216)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added support for env *_PROXY variables for agent loadbalancer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9206",children:"(#9206)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Etcd node is nil ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9228",children:"(#9228)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.6 and Go 1.20.13 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9260",children:"(#9260)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use ",(0,r.jsx)(s.code,{children:"ipFamilyPolicy: RequireDualStack"})," for dual-stack kube-dns ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9269",children:"(#9269)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-01 k3s2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9336",children:"(#9336)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump runc to v1.1.12 and helm-controller to v0.15.7"}),"\n",(0,r.jsx)(s.li,{children:"Fix handling of bare hostname or IP as endpoint address in registries.yaml"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump helm-controller to fix issue with ChartContent ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9346",children:"(#9346)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1285k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.5+k3s1",children:"v1.28.5+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.5, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1284",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1284k3s1",children:"Changes since v1.28.4+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Remove s390x steps temporarily since runners are disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8983",children:"(#8983)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove s390x from manifest ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8998",children:"(#8998)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix overlapping address range ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8913",children:"(#8913)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Modify CONTRIBUTING.md guide ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8954",children:"(#8954)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Nov 2023 stable channel update ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9022",children:"(#9022)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Default runtime and runtime classes for wasm/nvidia/crun ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8936",children:"(#8936)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Added runtime classes for wasm/nvidia/crun"}),"\n",(0,r.jsx)(s.li,{children:"Added default runtime flag for containerd"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd/runc to v1.7.10-k3s1/v1.1.10 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8962",children:"(#8962)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow setting default-runtime on servers ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9027",children:"(#9027)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd to v1.7.11 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9040",children:"(#9040)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.5-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9081",children:"(#9081)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1284k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.4+k3s2",children:"v1.28.4+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.4, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1283",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1283k3s2",children:"Changes since v1.28.3+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update channels latest to v1.27.7+k3s2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8799",children:"(#8799)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add etcd status condition ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8724",children:"(#8724)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Now the user can see the etcd status from each node in a simple way"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["ADR for etcd status ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8355",children:"(#8355)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Wasm shims detection ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8751",children:"(#8751)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Automatic discovery of WebAssembly runtimes"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add warning for removal of multiclustercidr flag ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8758",children:"(#8758)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Improve dualStack log ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8798",children:"(#8798)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Optimize: Simplify and clean up Dockerfile ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8244",children:"(#8244)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add: timezone info in image ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8764",children:"(#8764)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["New timezone info in Docker image allows the use of ",(0,r.jsx)(s.code,{children:"spec.timeZone"})," in CronJobs"]}),"\n"]}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump kine to fix nats, postgres, and watch issues ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8778",children:"(#8778)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bumped kine to v0.11.0 to resolve issues with postgres and NATS, fix performance of watch channels under heavy load, and improve compatibility with the reference implementation."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["QoS-class resource configuration ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8726",children:"(#8726)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Containerd may now be configured to use rdt or blockio configuration by defining ",(0,r.jsx)(s.code,{children:"rdt_config.yaml"})," or ",(0,r.jsx)(s.code,{children:"blockio_config.yaml"})," files."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add agent flag disable-apiserver-lb ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8717",children:"(#8717)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Add agent flag disable-apiserver-lb, agent will not start load balance proxy."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Force umount for NFS mount (like with longhorn) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8521",children:"(#8521)"})]}),"\n",(0,r.jsxs)(s.li,{children:["General updates to README ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8786",children:"(#8786)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix wrong warning from restorecon in install script ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8871",children:"(#8871)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue with snapshot metadata configmap ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8835",children:"(#8835)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Omit snapshot list configmap entries for snapshots without extra metadata"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Skip initial datastore reconcile during cluster-reset ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8861",children:"(#8861)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Tweaked order of ingress IPs in ServiceLB ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8711",children:"(#8711)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Improved ingress IP ordering from ServiceLB"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Disable helm CRD installation for disable-helm-controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8702",children:"(#8702)"})]}),"\n",(0,r.jsxs)(s.li,{children:["More improves for K3s patch release docs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8800",children:"(#8800)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update install.sh sha256sum ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8885",children:"(#8885)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add jitter to client config retry to avoid hammering servers when they are starting up ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8863",children:"(#8863)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Handle nil pointer when runtime core is not ready in etcd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8886",children:"(#8886)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump dynamiclistener; reduce snapshot controller log spew ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8894",children:"(#8894)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bumped dynamiclistener to address a race condition that could cause a server to fail to sync its certificates into the Kubernetes secret"}),"\n",(0,r.jsx)(s.li,{children:"Reduced etcd snapshot log spam during initial cluster startup"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Remove depends_on for e2e step; fix cert rotate e2e ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8906",children:"(#8906)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix etcd snapshot S3 issues ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8926",children:"(#8926)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Don't apply S3 retention if S3 client failed to initialize"}),"\n",(0,r.jsx)(s.li,{children:"Don't request metadata when listing S3 snapshots"}),"\n",(0,r.jsx)(s.li,{children:"Print key instead of file path in snapshot metadata log message"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.4 and Go to v1.20.11 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8920",children:"(#8920)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove s390x steps temporarily since runners are disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8983",children:"(#8983)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove s390x from manifest ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8998",children:"(#8998)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1283k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.3+k3s2",children:"v1.28.3+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.3, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1283",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1283k3s1",children:"Changes since v1.28.3+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Restore selinux context systemd unit file ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8593",children:"(#8593)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update channel to v1.27.7+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8753",children:"(#8753)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Sonobuoy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8710",children:"(#8710)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8739",children:"(#8739)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix: Access outer scope .SystemdCgroup ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8761",children:"(#8761)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed failing to start with nvidia-container-runtime"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Upgrade traefik chart to v25.0.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8771",children:"(#8771)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update traefik to fix registry value ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8792",children:"(#8792)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Don't use iptables-save/iptables-restore if it will corrupt rules ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8795",children:"(#8795)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1283k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.3+k3s1",children:"v1.28.3+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.3, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1282",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1282k3s1",children:"Changes since v1.28.2+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix error reporting ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8250",children:"(#8250)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add context to flannel errors ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8284",children:"(#8284)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update channel, September patch release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8397",children:"(#8397)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add missing link to drone in documentation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8295",children:"(#8295)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Include the interface name in the error message ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8346",children:"(#8346)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add extraArgs to vpn provider ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8354",children:"(#8354)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Allow to pass extra args to the vpn provider"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Disable HTTP on main etcd client port ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8402",children:"(#8402)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Embedded etcd no longer serves http requests on the client port, only grpc. This addresses a performance issue that could cause watch stream starvation under load. For more information, see ",(0,r.jsx)(s.a,{href:"https://github.com/etcd-io/etcd/issues/15402",children:"https://github.com/etcd-io/etcd/issues/15402"})]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Server token rotation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8215",children:"(#8215)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issues with etcd member removal after reset ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8392",children:"(#8392)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed an issue that could cause k3s to attempt to remove members from the etcd cluster immediately following a cluster-reset/restore, if they were queued for removal at the time the snapshot was taken."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix gofmt error ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8439",children:"(#8439)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added advertise address integration test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8344",children:"(#8344)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added cluster reset from non bootstrap nodes on snapshot restore e2e test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8292",children:"(#8292)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix .github regex to skip drone runs on gh action bumps ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8433",children:"(#8433)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added error when cluster reset while using server flag ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8385",children:"(#8385)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The user will receive a error when --cluster-reset with the --server flag"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8423",children:"(#8423)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Update kube-router to v2.0.0-rc7 to fix performance issues"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add SHA256 signatures of the install script ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8312",children:"(#8312)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Add SHA256 signatures of the install script."}),"\n"]}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add --image-service-endpoint flag ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8279",children:"(#8279)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add ",(0,r.jsx)(s.code,{children:"--image-service-endpoint"})," flag to specify an external image service socket."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Don't ignore assets in home dir if system assets exist ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8458",children:"(#8458)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Pass SystemdCgroup setting through to nvidia runtime options ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8470",children:"(#8470)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed issue that would cause pods using nvidia container runtime to be killed after a few seconds, when using newer versions of nvidia-container-toolkit."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Improve release docs - updated ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8414",children:"(#8414)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Take IPFamily precedence based on order ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8460",children:"(#8460)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix spellcheck problem ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8507",children:"(#8507)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Network defaults are duplicated, remove one ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8523",children:"(#8523)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix slemicro check for selinux ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8526",children:"(#8526)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update install.sh.sha256sum ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8566",children:"(#8566)"})]}),"\n",(0,r.jsxs)(s.li,{children:["System agent push tags fix ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8568",children:"(#8568)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fixed tailscale node IP dualstack mode in case of IPv4 only node ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8524",children:"(#8524)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Server Token Rotation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8265",children:"(#8265)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Users can now rotate the server token using ",(0,r.jsx)(s.code,{children:"k3s token rotate -t --new-token "}),". After command succeeds, all server nodes must be restarted with the new token."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["E2E Domain Drone Cleanup ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8579",children:"(#8579)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd to v1.7.7-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8604",children:"(#8604)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump busybox to v1.36.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8602",children:"(#8602)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Migrate to using custom resource to store etcd snapshot metadata ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8064",children:"(#8064)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Switch build target from main.go to a package. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8342",children:"(#8342)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use IPv6 in case is the first configured IP with dualstack ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8581",children:"(#8581)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump traefik, golang.org/x/net, google.golang.org/grpc ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8624",children:"(#8624)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router package in build script ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8630",children:"(#8630)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add etcd-only/control-plane-only server test and fix control-plane-only server crash ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8638",children:"(#8638)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use ",(0,r.jsx)(s.code,{children:"version.Program"})," not K3s in token rotate logs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8653",children:"(#8653)"})]}),"\n",(0,r.jsxs)(s.li,{children:["[Windows Port ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7259",children:"(#7259)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix CloudDualStackNodeIPs feature-gate inconsistency ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8667",children:"(#8667)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Re-enable etcd endpoint auto-sync ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8675",children:"(#8675)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Manually requeue configmap reconcile when no nodes have reconciled snapshots ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8683",children:"(#8683)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.3 and Go to v1.20.10 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8682",children:"(#8682)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix s3 snapshot restore ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8729",children:"(#8729)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1282k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.2+k3s1",children:"v1.28.2+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.2, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1281",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1281k3s1",children:"Changes since v1.28.1+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update channel for version v1.28 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8305",children:"(#8305)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump kine to v0.10.3 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8323",children:"(#8323)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.2 and go v1.20.8 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8364",children:"(#8364)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump embedded containerd to v1.7.6"}),"\n",(0,r.jsx)(s.li,{children:"Bump embedded stargz-snapshotter plugin to latest"}),"\n",(0,r.jsx)(s.li,{children:"Fixed intermittent drone CI failures due to race conditions in test environment setup scripts"}),"\n",(0,r.jsx)(s.li,{children:"Fixed CI failures due to changes to api discovery changes in Kubernetes 1.28"}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1281k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.1+k3s1",children:"v1.28.1+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release is K3S's first in the v1.28 line. This release updates Kubernetes to v1.28.1."}),"\n",(0,r.jsx)(s.admonition,{title:"Important",type:"warning",children:(0,r.jsxs)(s.p,{children:["This release includes remediation for CVE-2023-32187, a potential Denial of Service attack vector on K3s servers. See ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2",children:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2"})," for more information, including documentation on changes in behavior that harden clusters against this vulnerability."]})}),"\n",(0,r.jsx)(s.admonition,{title:"Critical Regression",type:"danger",children:(0,r.jsxs)(s.p,{children:["Kubernetes v1.28 contains a critical regression (",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/issues/120247",children:"kubernetes/kubernetes#120247"}),") that causes init containers to run at the same time as app containers following a restart of the node. This issue will be fixed in v1.28.2. We do not recommend using K3s v1.28 at this time if your application depends on init containers."]})}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1270",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1275k3s1",children:"Changes since v1.27.5+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8239",children:"(#8239)"})]}),"\n",(0,r.jsxs)(s.li,{children:["CLI Removal for v1.28.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8203",children:"(#8203)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Secrets Encryption V3 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8111",children:"(#8111)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add new CLI flag to disable TLS SAN CN filtering ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8252",children:"(#8252)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Added a new ",(0,r.jsx)(s.code,{children:"--tls-san-security"})," option."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add RWMutex to address controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8268",children:"(#8268)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{})]})}function o(e={}){const{wrapper:s}={...(0,t.a)(),...e.components};return s?(0,r.jsx)(s,{...e,children:(0,r.jsx)(a,{...e})}):a(e)}},1151:(e,s,i)=>{i.d(s,{Z:()=>h,a:()=>l});var r=i(7294);const t={},n=r.createContext(t);function l(e){const s=r.useContext(n);return r.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function h(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:l(e.components),r.createElement(n.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/36f34ab4.007b25b5.js b/assets/js/36f34ab4.007b25b5.js deleted file mode 100644 index f65c723e9..000000000 --- a/assets/js/36f34ab4.007b25b5.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[6155],{7406:(e,s,t)=>{t.r(s),t.d(s,{assets:()=>o,contentTitle:()=>c,default:()=>h,frontMatter:()=>d,metadata:()=>i,toc:()=>a});var n=t(5893),r=t(1151);const d={title:"etcd-snapshot"},c="k3s etcd-snapshot",i={id:"cli/etcd-snapshot",title:"etcd-snapshot",description:"Available as of v1.19.1+k3s1",source:"@site/docs/cli/etcd-snapshot.md",sourceDirName:"cli",slug:"/cli/etcd-snapshot",permalink:"/cli/etcd-snapshot",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/cli/etcd-snapshot.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"etcd-snapshot"},sidebar:"mySidebar",previous:{title:"certificate",permalink:"/cli/certificate"},next:{title:"secrets-encrypt",permalink:"/cli/secrets-encrypt"}},o={},a=[{value:"Creating Snapshots",id:"creating-snapshots",level:4},{value:"Restoring a Cluster from a Snapshot",id:"restoring-a-cluster-from-a-snapshot",level:4},{value:"Options",id:"options",level:4},{value:"S3 Compatible API Support",id:"s3-compatible-api-support",level:4},{value:"Etcd Snapshot and Restore Subcommands",id:"etcd-snapshot-and-restore-subcommands",level:4}];function l(e){const s={a:"a",admonition:"admonition",code:"code",h1:"h1",h4:"h4",li:"li",ol:"ol",p:"p",pre:"pre",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",...(0,r.a)(),...e.components},{TabItem:t,Tabs:d}=s;return t||p("TabItem",!0),d||p("Tabs",!0),(0,n.jsxs)(n.Fragment,{children:[(0,n.jsx)(s.h1,{id:"k3s-etcd-snapshot",children:"k3s etcd-snapshot"}),"\n",(0,n.jsx)(s.admonition,{title:"Version Gate",type:"info",children:(0,n.jsxs)(s.p,{children:["Available as of ",(0,n.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.19.1%2Bk3s1",children:"v1.19.1+k3s1"})]})}),"\n",(0,n.jsx)(s.p,{children:"In this section, you'll learn how to create backups of the K3s embedded etcd datastore, and to restore the cluster from backup."}),"\n",(0,n.jsx)(s.h4,{id:"creating-snapshots",children:"Creating Snapshots"}),"\n",(0,n.jsxs)(s.p,{children:["Snapshots are enabled by default, at 00:00 and 12:00 system time, with 5 snapshots retained. To configure the snapshot interval or the number of retained snapshots, refer to the ",(0,n.jsx)(s.a,{href:"#options",children:"options"}),"."]}),"\n",(0,n.jsxs)(s.p,{children:["The snapshot directory defaults to ",(0,n.jsx)(s.code,{children:"${data-dir}/server/db/snapshots"}),". The data-dir value defaults to ",(0,n.jsx)(s.code,{children:"/var/lib/rancher/k3s"})," and can be changed by setting the ",(0,n.jsx)(s.code,{children:"--data-dir"})," flag."]}),"\n",(0,n.jsx)(s.h4,{id:"restoring-a-cluster-from-a-snapshot",children:"Restoring a Cluster from a Snapshot"}),"\n",(0,n.jsxs)(s.p,{children:["When K3s is restored from backup, the old data directory will be moved to ",(0,n.jsx)(s.code,{children:"${data-dir}/server/db/etcd-old/"}),". Then K3s will attempt to restore the snapshot by creating a new data directory, then starting etcd with a new K3s cluster with one etcd member."]}),"\n",(0,n.jsx)(s.p,{children:"To restore the cluster from backup:"}),"\n",(0,n.jsxs)(d,{queryString:"etcdsnap",children:[(0,n.jsxs)(t,{value:"Single Server",children:[(0,n.jsxs)(s.p,{children:["Run K3s with the ",(0,n.jsx)(s.code,{children:"--cluster-reset"})," option, with the ",(0,n.jsx)(s.code,{children:"--cluster-reset-restore-path"})," also given:"]}),(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"k3s server \\\n --cluster-reset \\\n --cluster-reset-restore-path=\n"})}),(0,n.jsxs)(s.p,{children:[(0,n.jsx)(s.strong,{children:"Result:"})," A message in the logs says that K3s can be restarted without the flags. Start k3s again and should run successfully and be restored from the specified snapshot."]})]}),(0,n.jsxs)(t,{value:"High Availability",children:[(0,n.jsxs)(s.p,{children:["In this example there are 3 servers, ",(0,n.jsx)(s.code,{children:"S1"}),", ",(0,n.jsx)(s.code,{children:"S2"}),", and ",(0,n.jsx)(s.code,{children:"S3"}),". The snapshot is located on ",(0,n.jsx)(s.code,{children:"S1"}),"."]}),(0,n.jsxs)(s.ol,{children:["\n",(0,n.jsxs)(s.li,{children:["\n",(0,n.jsxs)(s.p,{children:["On S1, start K3s with the ",(0,n.jsx)(s.code,{children:"--cluster-reset"})," option, with the ",(0,n.jsx)(s.code,{children:"--cluster-reset-restore-path"})," also given:"]}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"k3s server \\\n --cluster-reset \\\n --cluster-reset-restore-path=\n"})}),"\n",(0,n.jsxs)(s.p,{children:[(0,n.jsx)(s.strong,{children:"Result:"})," A message in the logs says that K3s can be restarted without the flags."]}),"\n"]}),"\n",(0,n.jsxs)(s.li,{children:["\n",(0,n.jsxs)(s.p,{children:["On S2 and S3, stop K3s. Then delete the data directory, ",(0,n.jsx)(s.code,{children:"/var/lib/rancher/k3s/server/db/"}),":"]}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"systemctl stop k3s\nrm -rf /var/lib/rancher/k3s/server/db/\n"})}),"\n"]}),"\n",(0,n.jsxs)(s.li,{children:["\n",(0,n.jsx)(s.p,{children:"On S1, start K3s again:"}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"systemctl start k3s\n"})}),"\n"]}),"\n",(0,n.jsxs)(s.li,{children:["\n",(0,n.jsx)(s.p,{children:"On S2 and S3, start K3s again to join the restored cluster:"}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"systemctl start k3s\n"})}),"\n"]}),"\n"]})]})]}),"\n",(0,n.jsx)(s.h4,{id:"options",children:"Options"}),"\n",(0,n.jsxs)(s.p,{children:["These options can be passed in with the command line, or in the ",(0,n.jsx)(s.a,{href:"/installation/configuration#configuration-file",children:"configuration file,"})," which may be easier to use."]}),"\n",(0,n.jsxs)(s.table,{children:[(0,n.jsx)(s.thead,{children:(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.th,{children:"Options"}),(0,n.jsx)(s.th,{children:"Description"})]})}),(0,n.jsxs)(s.tbody,{children:[(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-disable-snapshots"})}),(0,n.jsx)(s.td,{children:"Disable automatic etcd snapshots"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsxs)(s.td,{children:[(0,n.jsx)(s.code,{children:"--etcd-snapshot-schedule-cron"})," value"]}),(0,n.jsxs)(s.td,{children:["Snapshot interval time in cron spec. eg. every 5 hours ",(0,n.jsx)(s.code,{children:"0 */5 * * *"}),"(default: ",(0,n.jsx)(s.code,{children:"0 */12 * * *"}),")"]})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsxs)(s.td,{children:[(0,n.jsx)(s.code,{children:"--etcd-snapshot-retention"})," value"]}),(0,n.jsx)(s.td,{children:"Number of snapshots to retain (default: 5)"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsxs)(s.td,{children:[(0,n.jsx)(s.code,{children:"--etcd-snapshot-dir"})," value"]}),(0,n.jsxs)(s.td,{children:["Directory to save db snapshots. (Default location: ",(0,n.jsx)(s.code,{children:"${data-dir}/db/snapshots"}),")"]})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--cluster-reset"})}),(0,n.jsxs)(s.td,{children:["Forget all peers and become sole member of a new cluster. This can also be set with the environment variable ",(0,n.jsx)(s.code,{children:"[$K3S_CLUSTER_RESET]"}),"."]})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsxs)(s.td,{children:[(0,n.jsx)(s.code,{children:"--cluster-reset-restore-path"})," value"]}),(0,n.jsx)(s.td,{children:"Path to snapshot file to be restored"})]})]})]}),"\n",(0,n.jsx)(s.h4,{id:"s3-compatible-api-support",children:"S3 Compatible API Support"}),"\n",(0,n.jsx)(s.p,{children:"K3s supports writing etcd snapshots to and restoring etcd snapshots from systems with S3-compatible APIs. S3 support is available for both on-demand and scheduled snapshots."}),"\n",(0,n.jsxs)(s.p,{children:["The arguments below have been added to the ",(0,n.jsx)(s.code,{children:"server"})," subcommand. These flags exist for the ",(0,n.jsx)(s.code,{children:"etcd-snapshot"})," subcommand as well however the ",(0,n.jsx)(s.code,{children:"--etcd-s3"})," portion is removed to avoid redundancy."]}),"\n",(0,n.jsxs)(s.table,{children:[(0,n.jsx)(s.thead,{children:(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.th,{children:"Options"}),(0,n.jsx)(s.th,{children:"Description"})]})}),(0,n.jsxs)(s.tbody,{children:[(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3"})}),(0,n.jsx)(s.td,{children:"Enable backup to S3"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3-endpoint"})}),(0,n.jsx)(s.td,{children:"S3 endpoint url"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3-endpoint-ca"})}),(0,n.jsx)(s.td,{children:"S3 custom CA cert to connect to S3 endpoint"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3-skip-ssl-verify"})}),(0,n.jsx)(s.td,{children:"Disables S3 SSL certificate validation"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3-access-key"})}),(0,n.jsx)(s.td,{children:"S3 access key"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3-secret-key"})}),(0,n.jsx)(s.td,{children:"S3 secret key"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3-bucket"})}),(0,n.jsx)(s.td,{children:"S3 bucket name"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3-region"})}),(0,n.jsx)(s.td,{children:"S3 region / bucket location (optional). defaults to us-east-1"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3-folder"})}),(0,n.jsx)(s.td,{children:"S3 folder"})]})]})]}),"\n",(0,n.jsx)(s.p,{children:"To perform an on-demand etcd snapshot and save it to S3:"}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"k3s etcd-snapshot save \\\n --s3 \\\n --s3-bucket= \\\n --s3-access-key= \\\n --s3-secret-key=\n"})}),"\n",(0,n.jsx)(s.p,{children:"To perform an on-demand etcd snapshot restore from S3, first make sure that K3s isn't running. Then run the following commands:"}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"k3s server \\\n --cluster-init \\\n --cluster-reset \\\n --etcd-s3 \\\n --cluster-reset-restore-path= \\\n --etcd-s3-bucket= \\\n --etcd-s3-access-key= \\\n --etcd-s3-secret-key=\n"})}),"\n",(0,n.jsx)(s.h4,{id:"etcd-snapshot-and-restore-subcommands",children:"Etcd Snapshot and Restore Subcommands"}),"\n",(0,n.jsx)(s.p,{children:"k3s supports a set of subcommands for working with your etcd snapshots."}),"\n",(0,n.jsxs)(s.table,{children:[(0,n.jsx)(s.thead,{children:(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.th,{children:"Subcommand"}),(0,n.jsx)(s.th,{children:"Description"})]})}),(0,n.jsxs)(s.tbody,{children:[(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:"delete"}),(0,n.jsx)(s.td,{children:"Delete given snapshot(s)"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:"ls, list, l"}),(0,n.jsx)(s.td,{children:"List snapshots"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:"prune"}),(0,n.jsx)(s.td,{children:"Remove snapshots that exceed the configured retention count"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:"save"}),(0,n.jsx)(s.td,{children:"Trigger an immediate etcd snapshot"})]})]})]}),"\n",(0,n.jsx)(s.admonition,{type:"note",children:(0,n.jsxs)(s.p,{children:["The ",(0,n.jsx)(s.code,{children:"save"})," subcommand is the same as ",(0,n.jsx)(s.code,{children:"k3s etcd-snapshot"}),". The latter will eventually be deprecated in favor of the former."]})}),"\n",(0,n.jsx)(s.p,{children:"These commands will perform as expected whether the etcd snapshots are stored locally or in an S3 compatible object store."}),"\n",(0,n.jsxs)(s.p,{children:["For additional information on the etcd snapshot subcommands, run ",(0,n.jsx)(s.code,{children:"k3s etcd-snapshot"}),"."]}),"\n",(0,n.jsx)(s.p,{children:"Delete a snapshot from S3."}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"k3s etcd-snapshot delete \\\n --s3 \\\n --s3-bucket= \\\n --s3-access-key= \\\n --s3-secret-key= \\\n \n"})}),"\n",(0,n.jsxs)(s.p,{children:["Prune local snapshots with the default retention policy (5). The ",(0,n.jsx)(s.code,{children:"prune"})," subcommand takes an additional flag ",(0,n.jsx)(s.code,{children:"--snapshot-retention"})," that allows for overriding the default retention policy."]}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"k3s etcd-snapshot prune\n"})}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"k3s etcd-snapshot prune --snapshot-retention 10\n"})})]})}function h(e={}){const{wrapper:s}={...(0,r.a)(),...e.components};return s?(0,n.jsx)(s,{...e,children:(0,n.jsx)(l,{...e})}):l(e)}function p(e,s){throw new Error("Expected "+(s?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,s,t)=>{t.d(s,{Z:()=>i,a:()=>c});var n=t(7294);const r={},d=n.createContext(r);function c(e){const s=n.useContext(d);return n.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function i(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:c(e.components),n.createElement(d.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/36f34ab4.7cc62e9b.js b/assets/js/36f34ab4.7cc62e9b.js new file mode 100644 index 000000000..3f7696d5f --- /dev/null +++ b/assets/js/36f34ab4.7cc62e9b.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[6155],{7406:(e,s,t)=>{t.r(s),t.d(s,{assets:()=>o,contentTitle:()=>c,default:()=>h,frontMatter:()=>d,metadata:()=>i,toc:()=>a});var n=t(5893),r=t(1151);const d={title:"etcd-snapshot"},c="k3s etcd-snapshot",i={id:"cli/etcd-snapshot",title:"etcd-snapshot",description:"Available as of v1.19.1+k3s1",source:"@site/docs/cli/etcd-snapshot.md",sourceDirName:"cli",slug:"/cli/etcd-snapshot",permalink:"/cli/etcd-snapshot",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/cli/etcd-snapshot.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"etcd-snapshot"},sidebar:"mySidebar",previous:{title:"certificate",permalink:"/cli/certificate"},next:{title:"secrets-encrypt",permalink:"/cli/secrets-encrypt"}},o={},a=[{value:"Creating Snapshots",id:"creating-snapshots",level:4},{value:"Restoring a Cluster from a Snapshot",id:"restoring-a-cluster-from-a-snapshot",level:4},{value:"Options",id:"options",level:4},{value:"S3 Compatible API Support",id:"s3-compatible-api-support",level:4},{value:"Etcd Snapshot and Restore Subcommands",id:"etcd-snapshot-and-restore-subcommands",level:4}];function l(e){const s={a:"a",admonition:"admonition",code:"code",h1:"h1",h4:"h4",header:"header",li:"li",ol:"ol",p:"p",pre:"pre",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",...(0,r.a)(),...e.components},{TabItem:t,Tabs:d}=s;return t||p("TabItem",!0),d||p("Tabs",!0),(0,n.jsxs)(n.Fragment,{children:[(0,n.jsx)(s.header,{children:(0,n.jsx)(s.h1,{id:"k3s-etcd-snapshot",children:"k3s etcd-snapshot"})}),"\n",(0,n.jsx)(s.admonition,{title:"Version Gate",type:"info",children:(0,n.jsxs)(s.p,{children:["Available as of ",(0,n.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.19.1%2Bk3s1",children:"v1.19.1+k3s1"})]})}),"\n",(0,n.jsx)(s.p,{children:"In this section, you'll learn how to create backups of the K3s embedded etcd datastore, and to restore the cluster from backup."}),"\n",(0,n.jsx)(s.h4,{id:"creating-snapshots",children:"Creating Snapshots"}),"\n",(0,n.jsxs)(s.p,{children:["Snapshots are enabled by default, at 00:00 and 12:00 system time, with 5 snapshots retained. To configure the snapshot interval or the number of retained snapshots, refer to the ",(0,n.jsx)(s.a,{href:"#options",children:"options"}),"."]}),"\n",(0,n.jsxs)(s.p,{children:["The snapshot directory defaults to ",(0,n.jsx)(s.code,{children:"${data-dir}/server/db/snapshots"}),". The data-dir value defaults to ",(0,n.jsx)(s.code,{children:"/var/lib/rancher/k3s"})," and can be changed by setting the ",(0,n.jsx)(s.code,{children:"--data-dir"})," flag."]}),"\n",(0,n.jsx)(s.h4,{id:"restoring-a-cluster-from-a-snapshot",children:"Restoring a Cluster from a Snapshot"}),"\n",(0,n.jsxs)(s.p,{children:["When K3s is restored from backup, the old data directory will be moved to ",(0,n.jsx)(s.code,{children:"${data-dir}/server/db/etcd-old/"}),". Then K3s will attempt to restore the snapshot by creating a new data directory, then starting etcd with a new K3s cluster with one etcd member."]}),"\n",(0,n.jsx)(s.p,{children:"To restore the cluster from backup:"}),"\n",(0,n.jsxs)(d,{queryString:"etcdsnap",children:[(0,n.jsxs)(t,{value:"Single Server",children:[(0,n.jsxs)(s.p,{children:["Run K3s with the ",(0,n.jsx)(s.code,{children:"--cluster-reset"})," option, with the ",(0,n.jsx)(s.code,{children:"--cluster-reset-restore-path"})," also given:"]}),(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"k3s server \\\n --cluster-reset \\\n --cluster-reset-restore-path=\n"})}),(0,n.jsxs)(s.p,{children:[(0,n.jsx)(s.strong,{children:"Result:"})," A message in the logs says that K3s can be restarted without the flags. Start k3s again and should run successfully and be restored from the specified snapshot."]})]}),(0,n.jsxs)(t,{value:"High Availability",children:[(0,n.jsxs)(s.p,{children:["In this example there are 3 servers, ",(0,n.jsx)(s.code,{children:"S1"}),", ",(0,n.jsx)(s.code,{children:"S2"}),", and ",(0,n.jsx)(s.code,{children:"S3"}),". The snapshot is located on ",(0,n.jsx)(s.code,{children:"S1"}),"."]}),(0,n.jsxs)(s.ol,{children:["\n",(0,n.jsxs)(s.li,{children:["\n",(0,n.jsxs)(s.p,{children:["On S1, start K3s with the ",(0,n.jsx)(s.code,{children:"--cluster-reset"})," option, with the ",(0,n.jsx)(s.code,{children:"--cluster-reset-restore-path"})," also given:"]}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"k3s server \\\n --cluster-reset \\\n --cluster-reset-restore-path=\n"})}),"\n",(0,n.jsxs)(s.p,{children:[(0,n.jsx)(s.strong,{children:"Result:"})," A message in the logs says that K3s can be restarted without the flags."]}),"\n"]}),"\n",(0,n.jsxs)(s.li,{children:["\n",(0,n.jsxs)(s.p,{children:["On S2 and S3, stop K3s. Then delete the data directory, ",(0,n.jsx)(s.code,{children:"/var/lib/rancher/k3s/server/db/"}),":"]}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"systemctl stop k3s\nrm -rf /var/lib/rancher/k3s/server/db/\n"})}),"\n"]}),"\n",(0,n.jsxs)(s.li,{children:["\n",(0,n.jsx)(s.p,{children:"On S1, start K3s again:"}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"systemctl start k3s\n"})}),"\n"]}),"\n",(0,n.jsxs)(s.li,{children:["\n",(0,n.jsx)(s.p,{children:"On S2 and S3, start K3s again to join the restored cluster:"}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"systemctl start k3s\n"})}),"\n"]}),"\n"]})]})]}),"\n",(0,n.jsx)(s.h4,{id:"options",children:"Options"}),"\n",(0,n.jsxs)(s.p,{children:["These options can be passed in with the command line, or in the ",(0,n.jsx)(s.a,{href:"/installation/configuration#configuration-file",children:"configuration file,"})," which may be easier to use."]}),"\n",(0,n.jsxs)(s.table,{children:[(0,n.jsx)(s.thead,{children:(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.th,{children:"Options"}),(0,n.jsx)(s.th,{children:"Description"})]})}),(0,n.jsxs)(s.tbody,{children:[(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-disable-snapshots"})}),(0,n.jsx)(s.td,{children:"Disable automatic etcd snapshots"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsxs)(s.td,{children:[(0,n.jsx)(s.code,{children:"--etcd-snapshot-schedule-cron"})," value"]}),(0,n.jsxs)(s.td,{children:["Snapshot interval time in cron spec. eg. every 5 hours ",(0,n.jsx)(s.code,{children:"0 */5 * * *"}),"(default: ",(0,n.jsx)(s.code,{children:"0 */12 * * *"}),")"]})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsxs)(s.td,{children:[(0,n.jsx)(s.code,{children:"--etcd-snapshot-retention"})," value"]}),(0,n.jsx)(s.td,{children:"Number of snapshots to retain (default: 5)"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsxs)(s.td,{children:[(0,n.jsx)(s.code,{children:"--etcd-snapshot-dir"})," value"]}),(0,n.jsxs)(s.td,{children:["Directory to save db snapshots. (Default location: ",(0,n.jsx)(s.code,{children:"${data-dir}/db/snapshots"}),")"]})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--cluster-reset"})}),(0,n.jsxs)(s.td,{children:["Forget all peers and become sole member of a new cluster. This can also be set with the environment variable ",(0,n.jsx)(s.code,{children:"[$K3S_CLUSTER_RESET]"}),"."]})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsxs)(s.td,{children:[(0,n.jsx)(s.code,{children:"--cluster-reset-restore-path"})," value"]}),(0,n.jsx)(s.td,{children:"Path to snapshot file to be restored"})]})]})]}),"\n",(0,n.jsx)(s.h4,{id:"s3-compatible-api-support",children:"S3 Compatible API Support"}),"\n",(0,n.jsx)(s.p,{children:"K3s supports writing etcd snapshots to and restoring etcd snapshots from systems with S3-compatible APIs. S3 support is available for both on-demand and scheduled snapshots."}),"\n",(0,n.jsxs)(s.p,{children:["The arguments below have been added to the ",(0,n.jsx)(s.code,{children:"server"})," subcommand. These flags exist for the ",(0,n.jsx)(s.code,{children:"etcd-snapshot"})," subcommand as well however the ",(0,n.jsx)(s.code,{children:"--etcd-s3"})," portion is removed to avoid redundancy."]}),"\n",(0,n.jsxs)(s.table,{children:[(0,n.jsx)(s.thead,{children:(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.th,{children:"Options"}),(0,n.jsx)(s.th,{children:"Description"})]})}),(0,n.jsxs)(s.tbody,{children:[(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3"})}),(0,n.jsx)(s.td,{children:"Enable backup to S3"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3-endpoint"})}),(0,n.jsx)(s.td,{children:"S3 endpoint url"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3-endpoint-ca"})}),(0,n.jsx)(s.td,{children:"S3 custom CA cert to connect to S3 endpoint"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3-skip-ssl-verify"})}),(0,n.jsx)(s.td,{children:"Disables S3 SSL certificate validation"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3-access-key"})}),(0,n.jsx)(s.td,{children:"S3 access key"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3-secret-key"})}),(0,n.jsx)(s.td,{children:"S3 secret key"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3-bucket"})}),(0,n.jsx)(s.td,{children:"S3 bucket name"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3-region"})}),(0,n.jsx)(s.td,{children:"S3 region / bucket location (optional). defaults to us-east-1"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3-folder"})}),(0,n.jsx)(s.td,{children:"S3 folder"})]})]})]}),"\n",(0,n.jsx)(s.p,{children:"To perform an on-demand etcd snapshot and save it to S3:"}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"k3s etcd-snapshot save \\\n --s3 \\\n --s3-bucket= \\\n --s3-access-key= \\\n --s3-secret-key=\n"})}),"\n",(0,n.jsx)(s.p,{children:"To perform an on-demand etcd snapshot restore from S3, first make sure that K3s isn't running. Then run the following commands:"}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"k3s server \\\n --cluster-init \\\n --cluster-reset \\\n --etcd-s3 \\\n --cluster-reset-restore-path= \\\n --etcd-s3-bucket= \\\n --etcd-s3-access-key= \\\n --etcd-s3-secret-key=\n"})}),"\n",(0,n.jsx)(s.h4,{id:"etcd-snapshot-and-restore-subcommands",children:"Etcd Snapshot and Restore Subcommands"}),"\n",(0,n.jsx)(s.p,{children:"k3s supports a set of subcommands for working with your etcd snapshots."}),"\n",(0,n.jsxs)(s.table,{children:[(0,n.jsx)(s.thead,{children:(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.th,{children:"Subcommand"}),(0,n.jsx)(s.th,{children:"Description"})]})}),(0,n.jsxs)(s.tbody,{children:[(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:"delete"}),(0,n.jsx)(s.td,{children:"Delete given snapshot(s)"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:"ls, list, l"}),(0,n.jsx)(s.td,{children:"List snapshots"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:"prune"}),(0,n.jsx)(s.td,{children:"Remove snapshots that exceed the configured retention count"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:"save"}),(0,n.jsx)(s.td,{children:"Trigger an immediate etcd snapshot"})]})]})]}),"\n",(0,n.jsx)(s.admonition,{type:"note",children:(0,n.jsxs)(s.p,{children:["The ",(0,n.jsx)(s.code,{children:"save"})," subcommand is the same as ",(0,n.jsx)(s.code,{children:"k3s etcd-snapshot"}),". The latter will eventually be deprecated in favor of the former."]})}),"\n",(0,n.jsx)(s.p,{children:"These commands will perform as expected whether the etcd snapshots are stored locally or in an S3 compatible object store."}),"\n",(0,n.jsxs)(s.p,{children:["For additional information on the etcd snapshot subcommands, run ",(0,n.jsx)(s.code,{children:"k3s etcd-snapshot"}),"."]}),"\n",(0,n.jsx)(s.p,{children:"Delete a snapshot from S3."}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"k3s etcd-snapshot delete \\\n --s3 \\\n --s3-bucket= \\\n --s3-access-key= \\\n --s3-secret-key= \\\n \n"})}),"\n",(0,n.jsxs)(s.p,{children:["Prune local snapshots with the default retention policy (5). The ",(0,n.jsx)(s.code,{children:"prune"})," subcommand takes an additional flag ",(0,n.jsx)(s.code,{children:"--snapshot-retention"})," that allows for overriding the default retention policy."]}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"k3s etcd-snapshot prune\n"})}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"k3s etcd-snapshot prune --snapshot-retention 10\n"})})]})}function h(e={}){const{wrapper:s}={...(0,r.a)(),...e.components};return s?(0,n.jsx)(s,{...e,children:(0,n.jsx)(l,{...e})}):l(e)}function p(e,s){throw new Error("Expected "+(s?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,s,t)=>{t.d(s,{Z:()=>i,a:()=>c});var n=t(7294);const r={},d=n.createContext(r);function c(e){const s=n.useContext(d);return n.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function i(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:c(e.components),n.createElement(d.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/395f47e2.09a4c72a.js b/assets/js/395f47e2.09a4c72a.js deleted file mode 100644 index 5a7423ec3..000000000 --- a/assets/js/395f47e2.09a4c72a.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[6801],{793:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>l,contentTitle:()=>o,default:()=>h,frontMatter:()=>r,metadata:()=>a,toc:()=>c});var s=t(5893),i=t(1151);const r={title:"Advanced Options / Configuration"},o=void 0,a={id:"advanced",title:"Advanced Options / Configuration",description:"This section contains advanced information describing the different ways you can run and manage K3s, as well as steps necessary to prepare the host OS for K3s use.",source:"@site/docs/advanced.md",sourceDirName:".",slug:"/advanced",permalink:"/advanced",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/advanced.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Advanced Options / Configuration"},sidebar:"mySidebar",previous:{title:"Helm",permalink:"/helm"},next:{title:"Environment Variables",permalink:"/reference/env-variables"}},l={},c=[{value:"Certificate Management",id:"certificate-management",level:2},{value:"Certificate Authority Certificates",id:"certificate-authority-certificates",level:3},{value:"Client and Server certificates",id:"client-and-server-certificates",level:3},{value:"Token Management",id:"token-management",level:2},{value:"Configuring an HTTP proxy",id:"configuring-an-http-proxy",level:2},{value:"Using Docker as the Container Runtime",id:"using-docker-as-the-container-runtime",level:2},{value:"Using etcdctl",id:"using-etcdctl",level:2},{value:"Configuring containerd",id:"configuring-containerd",level:2},{value:"Base template",id:"base-template",level:3},{value:"NVIDIA Container Runtime Support",id:"nvidia-container-runtime-support",level:2},{value:"Running Agentless Servers (Experimental)",id:"running-agentless-servers-experimental",level:2},{value:"Running Rootless Servers (Experimental)",id:"running-rootless-servers-experimental",level:2},{value:"Known Issues with Rootless mode",id:"known-issues-with-rootless-mode",level:3},{value:"Starting Rootless Servers",id:"starting-rootless-servers",level:3},{value:"Advanced Rootless Configuration",id:"advanced-rootless-configuration",level:3},{value:"Troubleshooting Rootless",id:"troubleshooting-rootless",level:3},{value:"Node Labels and Taints",id:"node-labels-and-taints",level:2},{value:"Starting the Service with the Installation Script",id:"starting-the-service-with-the-installation-script",level:2},{value:"Running K3s in Docker",id:"running-k3s-in-docker",level:2},{value:"SELinux Support",id:"selinux-support",level:2},{value:"Enabling SELinux Enforcement",id:"enabling-selinux-enforcement",level:3},{value:"Enabling Lazy Pulling of eStargz (Experimental)",id:"enabling-lazy-pulling-of-estargz-experimental",level:2},{value:"What's lazy pulling and eStargz?",id:"whats-lazy-pulling-and-estargz",level:3},{value:"Configure k3s for lazy pulling of eStargz",id:"configure-k3s-for-lazy-pulling-of-estargz",level:3},{value:"Additional Logging Sources",id:"additional-logging-sources",level:2},{value:"Additional Network Policy Logging",id:"additional-network-policy-logging",level:2}];function d(e){const n={a:"a",admonition:"admonition",blockquote:"blockquote",br:"br",code:"code",em:"em",h2:"h2",h3:"h3",li:"li",ol:"ol",p:"p",pre:"pre",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,i.a)(),...e.components},{TabItem:t,Tabs:r}=n;return t||u("TabItem",!0),r||u("Tabs",!0),(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(n.p,{children:"This section contains advanced information describing the different ways you can run and manage K3s, as well as steps necessary to prepare the host OS for K3s use."}),"\n",(0,s.jsx)(n.h2,{id:"certificate-management",children:"Certificate Management"}),"\n",(0,s.jsx)(n.h3,{id:"certificate-authority-certificates",children:"Certificate Authority Certificates"}),"\n",(0,s.jsx)(n.p,{children:"K3s generates self-signed Certificate Authority (CA) Certificates during startup of the first server node. These CA certificates are valid for 10 years, and are not automatically renewed."}),"\n",(0,s.jsxs)(n.p,{children:["For information on using custom CA certificates, or renewing the self-signed CA certificates, see the ",(0,s.jsxs)(n.a,{href:"/cli/certificate#certificate-authority-ca-certificates",children:[(0,s.jsx)(n.code,{children:"k3s certificate rotate-ca"})," command documentation"]}),"."]}),"\n",(0,s.jsx)(n.h3,{id:"client-and-server-certificates",children:"Client and Server certificates"}),"\n",(0,s.jsx)(n.p,{children:"K3s client and server certificates are valid for 365 days from their date of issuance. Any certificates that are expired, or within 90 days of expiring, are automatically renewed every time K3s starts."}),"\n",(0,s.jsxs)(n.p,{children:["For information on manually rotating client and server certificates, see the ",(0,s.jsxs)(n.a,{href:"/cli/certificate#client-and-server-certificates",children:[(0,s.jsx)(n.code,{children:"k3s certificate rotate"})," command documentation"]}),"."]}),"\n",(0,s.jsx)(n.h2,{id:"token-management",children:"Token Management"}),"\n",(0,s.jsxs)(n.p,{children:["By default, K3s uses a single static token for both servers and agents. This token cannot be changed once the cluster has been created.\nIt is possible to enable a second static token that can only be used to join agents, or to create temporary ",(0,s.jsx)(n.code,{children:"kubeadm"})," style join tokens that expire automatically.\nFor more information, see the ",(0,s.jsxs)(n.a,{href:"/cli/token",children:[(0,s.jsx)(n.code,{children:"k3s token"})," command documentation"]}),"."]}),"\n",(0,s.jsx)(n.h2,{id:"configuring-an-http-proxy",children:"Configuring an HTTP proxy"}),"\n",(0,s.jsx)(n.p,{children:"If you are running K3s in an environment, which only has external connectivity through an HTTP proxy, you can configure your proxy settings on the K3s systemd service. These proxy settings will then be used in K3s and passed down to the embedded containerd and kubelet."}),"\n",(0,s.jsxs)(n.p,{children:["The K3s installation script will automatically take the ",(0,s.jsx)(n.code,{children:"HTTP_PROXY"}),", ",(0,s.jsx)(n.code,{children:"HTTPS_PROXY"})," and ",(0,s.jsx)(n.code,{children:"NO_PROXY"}),", as well as the ",(0,s.jsx)(n.code,{children:"CONTAINERD_HTTP_PROXY"}),", ",(0,s.jsx)(n.code,{children:"CONTAINERD_HTTPS_PROXY"})," and ",(0,s.jsx)(n.code,{children:"CONTAINERD_NO_PROXY"})," variables from the current shell, if they are present, and write them to the environment file of your systemd service, usually:"]}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsx)(n.li,{children:(0,s.jsx)(n.code,{children:"/etc/systemd/system/k3s.service.env"})}),"\n",(0,s.jsx)(n.li,{children:(0,s.jsx)(n.code,{children:"/etc/systemd/system/k3s-agent.service.env"})}),"\n"]}),"\n",(0,s.jsx)(n.p,{children:"Of course, you can also configure the proxy by editing these files."}),"\n",(0,s.jsxs)(n.p,{children:["K3s will automatically add the cluster internal Pod and Service IP ranges and cluster DNS domain to the list of ",(0,s.jsx)(n.code,{children:"NO_PROXY"})," entries. You should ensure that the IP address ranges used by the Kubernetes nodes themselves (i.e. the public and private IPs of the nodes) are included in the ",(0,s.jsx)(n.code,{children:"NO_PROXY"})," list, or that the nodes can be reached through the proxy."]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"HTTP_PROXY=http://your-proxy.example.com:8888\nHTTPS_PROXY=http://your-proxy.example.com:8888\nNO_PROXY=127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16\n"})}),"\n",(0,s.jsxs)(n.p,{children:["If you want to configure the proxy settings for containerd without affecting K3s and the Kubelet, you can prefix the variables with ",(0,s.jsx)(n.code,{children:"CONTAINERD_"}),":"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"CONTAINERD_HTTP_PROXY=http://your-proxy.example.com:8888\nCONTAINERD_HTTPS_PROXY=http://your-proxy.example.com:8888\nCONTAINERD_NO_PROXY=127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16\n"})}),"\n",(0,s.jsx)(n.h2,{id:"using-docker-as-the-container-runtime",children:"Using Docker as the Container Runtime"}),"\n",(0,s.jsxs)(n.p,{children:["K3s includes and defaults to ",(0,s.jsx)(n.a,{href:"https://containerd.io/",children:"containerd"}),", an industry-standard container runtime.\nAs of Kubernetes 1.24, the Kubelet no longer includes dockershim, the component that allows the kubelet to communicate with dockerd.\nK3s 1.24 and higher include ",(0,s.jsx)(n.a,{href:"https://github.com/Mirantis/cri-dockerd",children:"cri-dockerd"}),", which allows seamless upgrade from prior releases of K3s while continuing to use the Docker container runtime."]}),"\n",(0,s.jsx)(n.p,{children:"To use Docker instead of containerd:"}),"\n",(0,s.jsxs)(n.ol,{children:["\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsxs)(n.p,{children:["Install Docker on the K3s node. One of Rancher's ",(0,s.jsx)(n.a,{href:"https://github.com/rancher/install-docker",children:"Docker installation scripts"})," can be used to install Docker:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"curl https://releases.rancher.com/install-docker/20.10.sh | sh\n"})}),"\n"]}),"\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsxs)(n.p,{children:["Install K3s using the ",(0,s.jsx)(n.code,{children:"--docker"})," option:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | sh -s - --docker\n"})}),"\n"]}),"\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsx)(n.p,{children:"Confirm that the cluster is available:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"$ sudo k3s kubectl get pods --all-namespaces\nNAMESPACE NAME READY STATUS RESTARTS AGE\nkube-system local-path-provisioner-6d59f47c7-lncxn 1/1 Running 0 51s\nkube-system metrics-server-7566d596c8-9tnck 1/1 Running 0 51s\nkube-system helm-install-traefik-mbkn9 0/1 Completed 1 51s\nkube-system coredns-8655855d6-rtbnb 1/1 Running 0 51s\nkube-system svclb-traefik-jbmvl 2/2 Running 0 43s\nkube-system traefik-758cd5fc85-2wz97 1/1 Running 0 43s\n"})}),"\n"]}),"\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsx)(n.p,{children:"Confirm that the Docker containers are running:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'$ sudo docker ps\nCONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES\n3e4d34729602 897ce3c5fc8f "entry" About a minute ago Up About a minute k8s_lb-port-443_svclb-traefik-jbmvl_kube-system_d46f10c6-073f-4c7e-8d7a-8e7ac18f9cb0_0\nbffdc9d7a65f rancher/klipper-lb "entry" About a minute ago Up About a minute k8s_lb-port-80_svclb-traefik-jbmvl_kube-system_d46f10c6-073f-4c7e-8d7a-8e7ac18f9cb0_0\n436b85c5e38d rancher/library-traefik "/traefik --configfi\u2026" About a minute ago Up About a minute k8s_traefik_traefik-758cd5fc85-2wz97_kube-system_07abe831-ffd6-4206-bfa1-7c9ca4fb39e7_0\nde8fded06188 rancher/pause:3.1 "/pause" About a minute ago Up About a minute k8s_POD_svclb-traefik-jbmvl_kube-system_d46f10c6-073f-4c7e-8d7a-8e7ac18f9cb0_0\n7c6a30aeeb2f rancher/pause:3.1 "/pause" About a minute ago Up About a minute k8s_POD_traefik-758cd5fc85-2wz97_kube-system_07abe831-ffd6-4206-bfa1-7c9ca4fb39e7_0\nae6c58cab4a7 9d12f9848b99 "local-path-provisio\u2026" About a minute ago Up About a minute k8s_local-path-provisioner_local-path-provisioner-6d59f47c7-lncxn_kube-system_2dbd22bf-6ad9-4bea-a73d-620c90a6c1c1_0\nbe1450e1a11e 9dd718864ce6 "/metrics-server" About a minute ago Up About a minute k8s_metrics-server_metrics-server-7566d596c8-9tnck_kube-system_031e74b5-e9ef-47ef-a88d-fbf3f726cbc6_0\n4454d14e4d3f c4d3d16fe508 "/coredns -conf /etc\u2026" About a minute ago Up About a minute k8s_coredns_coredns-8655855d6-rtbnb_kube-system_d05725df-4fb1-410a-8e82-2b1c8278a6a1_0\nc3675b87f96c rancher/pause:3.1 "/pause" About a minute ago Up About a minute k8s_POD_coredns-8655855d6-rtbnb_kube-system_d05725df-4fb1-410a-8e82-2b1c8278a6a1_0\n4b1fddbe6ca6 rancher/pause:3.1 "/pause" About a minute ago Up About a minute k8s_POD_local-path-provisioner-6d59f47c7-lncxn_kube-system_2dbd22bf-6ad9-4bea-a73d-620c90a6c1c1_0\n64d3517d4a95 rancher/pause:3.1 "/pause"\n'})}),"\n"]}),"\n"]}),"\n",(0,s.jsx)(n.h2,{id:"using-etcdctl",children:"Using etcdctl"}),"\n",(0,s.jsx)(n.p,{children:"etcdctl provides a CLI for interacting with etcd servers. K3s does not bundle etcdctl."}),"\n",(0,s.jsxs)(n.p,{children:["If you would like to use etcdctl to interact with K3s's embedded etcd, install etcdctl using the ",(0,s.jsx)(n.a,{href:"https://etcd.io/docs/latest/install/",children:"official documentation"}),"."]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'ETCD_VERSION="v3.5.5"\nETCD_URL="https://github.com/etcd-io/etcd/releases/download/${ETCD_VERSION}/etcd-${ETCD_VERSION}-linux-amd64.tar.gz"\ncurl -sL ${ETCD_URL} | sudo tar -zxv --strip-components=1 -C /usr/local/bin\n'})}),"\n",(0,s.jsx)(n.p,{children:"You may then use etcdctl by configuring it to use the K3s-managed certificates and keys for authentication:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"sudo etcdctl version \\\n --cacert=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt \\\n --cert=/var/lib/rancher/k3s/server/tls/etcd/client.crt \\\n --key=/var/lib/rancher/k3s/server/tls/etcd/client.key\n"})}),"\n",(0,s.jsx)(n.h2,{id:"configuring-containerd",children:"Configuring containerd"}),"\n",(0,s.jsxs)(n.p,{children:["K3s will generate config.toml for containerd in ",(0,s.jsx)(n.code,{children:"/var/lib/rancher/k3s/agent/etc/containerd/config.toml"}),"."]}),"\n",(0,s.jsxs)(n.p,{children:["For advanced customization for this file you can create another file called ",(0,s.jsx)(n.code,{children:"config.toml.tmpl"})," in the same directory, and it will be used instead."]}),"\n",(0,s.jsxs)(n.p,{children:["The ",(0,s.jsx)(n.code,{children:"config.toml.tmpl"})," will be treated as a Go template file, and the ",(0,s.jsx)(n.code,{children:"config.Node"})," structure is being passed to the template. See ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/blob/master/pkg/agent/templates",children:"this folder"})," for Linux and Windows examples on how to use the structure to customize the configuration file.\nThe config.Node golang struct is defined ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/blob/master/pkg/daemons/config/types.go#L37",children:"here"})]}),"\n",(0,s.jsx)(n.h3,{id:"base-template",children:"Base template"}),"\n",(0,s.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,s.jsx)(n.p,{children:"Available as of September 2023 releases: v1.24.17+k3s1, v1.25.13+k3s1, v1.26.8+k3s1, v1.27.5+k3s1, v1.28.1+k3s1"})}),"\n",(0,s.jsx)(n.p,{children:"You can extend the K3s base template instead of copy-pasting the complete stock template out of the K3s source code. This is useful if you need to build on the existing configuration, and add a few extra lines at the end."}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-toml",children:'#/var/lib/rancher/k3s/agent/etc/containerd/config.toml.tmpl\n\n{{ template "base" . }}\n\n[plugins."io.containerd.grpc.v1.cri".containerd.runtimes."custom"]\n runtime_type = "io.containerd.runc.v2"\n[plugins."io.containerd.grpc.v1.cri".containerd.runtimes."custom".options]\n BinaryName = "/usr/bin/custom-container-runtime"\n\n'})}),"\n",(0,s.jsx)(n.h2,{id:"nvidia-container-runtime-support",children:"NVIDIA Container Runtime Support"}),"\n",(0,s.jsx)(n.p,{children:"K3s will automatically detect and configure the NVIDIA container runtime if it is present when K3s starts."}),"\n",(0,s.jsxs)(n.ol,{children:["\n",(0,s.jsxs)(n.li,{children:["Install the nvidia-container package repository on the node by following the instructions at:\n",(0,s.jsx)(n.a,{href:"https://nvidia.github.io/libnvidia-container/",children:"https://nvidia.github.io/libnvidia-container/"})]}),"\n",(0,s.jsxs)(n.li,{children:["Install the nvidia container runtime packages. For example:\n",(0,s.jsx)(n.code,{children:"apt install -y nvidia-container-runtime cuda-drivers-fabricmanager-515 nvidia-headless-515-server"})]}),"\n",(0,s.jsxs)(n.li,{children:["Install K3s, or restart it if already installed:\n",(0,s.jsx)(n.code,{children:"curl -ksL get.k3s.io | sh -"})]}),"\n",(0,s.jsxs)(n.li,{children:["Confirm that the nvidia container runtime has been found by k3s:\n",(0,s.jsx)(n.code,{children:"grep nvidia /var/lib/rancher/k3s/agent/etc/containerd/config.toml"})]}),"\n"]}),"\n",(0,s.jsxs)(n.p,{children:["This will automatically add ",(0,s.jsx)(n.code,{children:"nvidia"})," and/or ",(0,s.jsx)(n.code,{children:"nvidia-experimental"})," runtimes to the containerd configuration, depending on what runtime executables are found.\nYou must still add a RuntimeClass definition to your cluster, and deploy Pods that explicitly request the appropriate runtime by setting ",(0,s.jsx)(n.code,{children:"runtimeClassName: nvidia"})," in the Pod spec:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:'apiVersion: node.k8s.io/v1\nkind: RuntimeClass\nmetadata:\n name: nvidia\nhandler: nvidia\n---\napiVersion: v1\nkind: Pod\nmetadata:\n name: nbody-gpu-benchmark\n namespace: default\nspec:\n restartPolicy: OnFailure\n runtimeClassName: nvidia\n containers:\n - name: cuda-container\n image: nvcr.io/nvidia/k8s/cuda-sample:nbody\n args: ["nbody", "-gpu", "-benchmark"]\n resources:\n limits:\n nvidia.com/gpu: 1\n env:\n - name: NVIDIA_VISIBLE_DEVICES\n value: all\n - name: NVIDIA_DRIVER_CAPABILITIES\n value: all\n'})}),"\n",(0,s.jsxs)(n.p,{children:["Note that the NVIDIA Container Runtime is also frequently used with ",(0,s.jsx)(n.a,{href:"https://github.com/NVIDIA/k8s-device-plugin/",children:"NVIDIA Device Plugin"}),", with modifications to ensure that pod specs include ",(0,s.jsx)(n.code,{children:"runtimeClassName: nvidia"}),", as mentioned above."]}),"\n",(0,s.jsx)(n.h2,{id:"running-agentless-servers-experimental",children:"Running Agentless Servers (Experimental)"}),"\n",(0,s.jsxs)(n.blockquote,{children:["\n",(0,s.jsxs)(n.p,{children:[(0,s.jsx)(n.strong,{children:"Warning:"})," This feature is experimental."]}),"\n"]}),"\n",(0,s.jsxs)(n.p,{children:["When started with the ",(0,s.jsx)(n.code,{children:"--disable-agent"})," flag, servers do not run the kubelet, container runtime, or CNI. They do not register a Node resource in the cluster, and will not appear in ",(0,s.jsx)(n.code,{children:"kubectl get nodes"})," output.\nBecause they do not host a kubelet, they cannot run pods or be managed by operators that rely on enumerating cluster nodes, including the embedded etcd controller and the system upgrade controller."]}),"\n",(0,s.jsx)(n.p,{children:"Running agentless servers may be advantageous if you want to obscure your control-plane nodes from discovery by agents and workloads, at the cost of increased administrative overhead caused by lack of cluster operator support."}),"\n",(0,s.jsxs)(n.p,{children:["By default, the apiserver on agentless servers will not be able to make outgoing connections to admission webhooks or aggregated apiservices running within the cluster. To remedy this, set the ",(0,s.jsx)(n.code,{children:"--egress-selector-mode"})," server flag to either ",(0,s.jsx)(n.code,{children:"pod"})," or ",(0,s.jsx)(n.code,{children:"cluster"}),". If you are changing this flag on an existing cluster, you'll need to restart all nodes in the cluster for the option to take effect."]}),"\n",(0,s.jsx)(n.h2,{id:"running-rootless-servers-experimental",children:"Running Rootless Servers (Experimental)"}),"\n",(0,s.jsxs)(n.blockquote,{children:["\n",(0,s.jsxs)(n.p,{children:[(0,s.jsx)(n.strong,{children:"Warning:"})," This feature is experimental."]}),"\n"]}),"\n",(0,s.jsx)(n.p,{children:"Rootless mode allows running K3s servers as an unprivileged user, so as to protect the real root on the host from potential container-breakout attacks."}),"\n",(0,s.jsxs)(n.p,{children:["See ",(0,s.jsx)(n.a,{href:"https://rootlesscontaine.rs/",children:"https://rootlesscontaine.rs/"})," to learn more about Rootless Kubernetes."]}),"\n",(0,s.jsx)(n.h3,{id:"known-issues-with-rootless-mode",children:"Known Issues with Rootless mode"}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsx)(n.p,{children:(0,s.jsx)(n.strong,{children:"Ports"})}),"\n",(0,s.jsx)(n.p,{children:"When running rootless a new network namespace is created. This means that K3s instance is running with networking fairly detached from the host.\nThe only way to access Services run in K3s from the host is to set up port forwards to the K3s network namespace.\nRootless K3s includes controller that will automatically bind 6443 and service ports below 1024 to the host with an offset of 10000."}),"\n",(0,s.jsx)(n.p,{children:"For example, a Service on port 80 will become 10080 on the host, but 8080 will become 8080 without any offset. Currently, only LoadBalancer Services are automatically bound."}),"\n"]}),"\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsx)(n.p,{children:(0,s.jsx)(n.strong,{children:"Cgroups"})}),"\n",(0,s.jsx)(n.p,{children:'Cgroup v1 and Hybrid v1/v2 are not supported; only pure Cgroup v2 is supported. If K3s fails to start due to missing cgroups when running rootless, it is likely that your node is in Hybrid mode, and the "missing" cgroups are still bound to a v1 controller.'}),"\n"]}),"\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsx)(n.p,{children:(0,s.jsx)(n.strong,{children:"Multi-node/multi-process cluster"})}),"\n",(0,s.jsxs)(n.p,{children:["Multi-node rootless clusters, or multiple rootless k3s processes on the same node, are not currently supported. See ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/issues/6488#issuecomment-1314998091",children:"#6488"})," for more details."]}),"\n"]}),"\n"]}),"\n",(0,s.jsx)(n.h3,{id:"starting-rootless-servers",children:"Starting Rootless Servers"}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsxs)(n.p,{children:["Enable cgroup v2 delegation, see ",(0,s.jsx)(n.a,{href:"https://rootlesscontaine.rs/getting-started/common/cgroup2/",children:"https://rootlesscontaine.rs/getting-started/common/cgroup2/"})," .\nThis step is required; the rootless kubelet will fail to start without the proper cgroups delegated."]}),"\n"]}),"\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsxs)(n.p,{children:["Download ",(0,s.jsx)(n.code,{children:"k3s-rootless.service"})," from ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/blob/master/k3s-rootless.service",children:(0,s.jsx)(n.code,{children:"https://github.com/k3s-io/k3s/blob//k3s-rootless.service"})}),".\nMake sure to use the same version of ",(0,s.jsx)(n.code,{children:"k3s-rootless.service"})," and ",(0,s.jsx)(n.code,{children:"k3s"}),"."]}),"\n"]}),"\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsxs)(n.p,{children:["Install ",(0,s.jsx)(n.code,{children:"k3s-rootless.service"})," to ",(0,s.jsx)(n.code,{children:"~/.config/systemd/user/k3s-rootless.service"}),".\nInstalling this file as a system-wide service (",(0,s.jsx)(n.code,{children:"/etc/systemd/..."}),") is not supported.\nDepending on the path of ",(0,s.jsx)(n.code,{children:"k3s"})," binary, you might need to modify the ",(0,s.jsx)(n.code,{children:"ExecStart=/usr/local/bin/k3s ..."})," line of the file."]}),"\n"]}),"\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsxs)(n.p,{children:["Run ",(0,s.jsx)(n.code,{children:"systemctl --user daemon-reload"})]}),"\n"]}),"\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsxs)(n.p,{children:["Run ",(0,s.jsx)(n.code,{children:"systemctl --user enable --now k3s-rootless"})]}),"\n"]}),"\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsxs)(n.p,{children:["Run ",(0,s.jsx)(n.code,{children:"KUBECONFIG=~/.kube/k3s.yaml kubectl get pods -A"}),", and make sure the pods are running."]}),"\n"]}),"\n"]}),"\n",(0,s.jsxs)(n.blockquote,{children:["\n",(0,s.jsxs)(n.p,{children:[(0,s.jsx)(n.strong,{children:"Note:"})," Don't try to run ",(0,s.jsx)(n.code,{children:"k3s server --rootless"})," on a terminal, as terminal sessions do not allow cgroup v2 delegation.\nIf you really need to try it on a terminal, use ",(0,s.jsx)(n.code,{children:"systemd-run --user -p Delegate=yes --tty k3s server --rootless"})," to wrap it in a systemd scope."]}),"\n"]}),"\n",(0,s.jsx)(n.h3,{id:"advanced-rootless-configuration",children:"Advanced Rootless Configuration"}),"\n",(0,s.jsxs)(n.p,{children:["Rootless K3s uses ",(0,s.jsx)(n.a,{href:"https://github.com/rootless-containers/rootlesskit",children:"rootlesskit"})," and ",(0,s.jsx)(n.a,{href:"https://github.com/rootless-containers/slirp4netns",children:"slirp4netns"})," to communicate between host and user network namespaces.\nSome of the configuration used by rootlesskit and slirp4nets can be set by environment variables. The best way to set these is to add them to the ",(0,s.jsx)(n.code,{children:"Environment"})," field of the k3s-rootless systemd unit."]}),"\n",(0,s.jsxs)(n.table,{children:[(0,s.jsx)(n.thead,{children:(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.th,{children:"Variable"}),(0,s.jsx)(n.th,{children:"Default"}),(0,s.jsx)(n.th,{children:"Description"})]})}),(0,s.jsxs)(n.tbody,{children:[(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"K3S_ROOTLESS_MTU"})}),(0,s.jsx)(n.td,{children:"1500"}),(0,s.jsx)(n.td,{children:"Sets the MTU for the slirp4netns virtual interfaces."})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"K3S_ROOTLESS_CIDR"})}),(0,s.jsx)(n.td,{children:"10.41.0.0/16"}),(0,s.jsx)(n.td,{children:"Sets the CIDR used by slirp4netns virtual interfaces."})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"K3S_ROOTLESS_ENABLE_IPV6"})}),(0,s.jsx)(n.td,{children:"autotedected"}),(0,s.jsx)(n.td,{children:"Enables slirp4netns IPv6 support. If not specified, it is automatically enabled if K3s is configured for dual-stack operation."})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"K3S_ROOTLESS_PORT_DRIVER"})}),(0,s.jsx)(n.td,{children:"builtin"}),(0,s.jsxs)(n.td,{children:["Selects the rootless port driver; either ",(0,s.jsx)(n.code,{children:"builtin"})," or ",(0,s.jsx)(n.code,{children:"slirp4netns"}),". Builtin is faster, but masquerades the original source address of inbound packets."]})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"K3S_ROOTLESS_DISABLE_HOST_LOOPBACK"})}),(0,s.jsx)(n.td,{children:"true"}),(0,s.jsx)(n.td,{children:"Controls whether or not access to the hosts's loopback address via the gateway interface is enabled. It is recommended that this not be changed, for security reasons."})]})]})]}),"\n",(0,s.jsx)(n.h3,{id:"troubleshooting-rootless",children:"Troubleshooting Rootless"}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsxs)(n.li,{children:["Run ",(0,s.jsx)(n.code,{children:"systemctl --user status k3s-rootless"})," to check the daemon status"]}),"\n",(0,s.jsxs)(n.li,{children:["Run ",(0,s.jsx)(n.code,{children:"journalctl --user -f -u k3s-rootless"})," to see the daemon log"]}),"\n",(0,s.jsxs)(n.li,{children:["See also ",(0,s.jsx)(n.a,{href:"https://rootlesscontaine.rs/",children:"https://rootlesscontaine.rs/"})]}),"\n"]}),"\n",(0,s.jsx)(n.h2,{id:"node-labels-and-taints",children:"Node Labels and Taints"}),"\n",(0,s.jsxs)(n.p,{children:["K3s agents can be configured with the options ",(0,s.jsx)(n.code,{children:"--node-label"})," and ",(0,s.jsx)(n.code,{children:"--node-taint"})," which adds a label and taint to the kubelet. The two options only add labels and/or taints ",(0,s.jsx)(n.a,{href:"/cli/agent#node-labels-and-taints-for-agents",children:"at registration time"}),", so they can only be set when the node is first joined to the cluster."]}),"\n",(0,s.jsxs)(n.p,{children:["All current versions of Kubernetes restrict nodes from registering with most labels with ",(0,s.jsx)(n.code,{children:"kubernetes.io"})," and ",(0,s.jsx)(n.code,{children:"k8s.io"})," prefixes, specifically including the ",(0,s.jsx)(n.code,{children:"kubernetes.io/role"})," label. If you attempt to start a node with a disallowed label, K3s will fail to start. As stated by the Kubernetes authors:"]}),"\n",(0,s.jsxs)(n.blockquote,{children:["\n",(0,s.jsx)(n.p,{children:"Nodes are not permitted to assert their own role labels. Node roles are typically used to identify privileged or control plane types of nodes, and allowing nodes to label themselves into that pool allows a compromised node to trivially attract workloads (like control plane daemonsets) that confer access to higher privilege credentials."}),"\n"]}),"\n",(0,s.jsxs)(n.p,{children:["See ",(0,s.jsx)(n.a,{href:"https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/279-limit-node-access/README.md#proposal",children:"SIG-Auth KEP 279"})," for more information."]}),"\n",(0,s.jsxs)(n.p,{children:["If you want to change node labels and taints after node registration, or add reserved labels, you should use ",(0,s.jsx)(n.code,{children:"kubectl"}),". Refer to the official Kubernetes documentation for details on how to add ",(0,s.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/",children:"taints"})," and ",(0,s.jsx)(n.a,{href:"https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/#add-a-label-to-a-node",children:"node labels."})]}),"\n",(0,s.jsx)(n.h2,{id:"starting-the-service-with-the-installation-script",children:"Starting the Service with the Installation Script"}),"\n",(0,s.jsx)(n.p,{children:"The installation script will auto-detect if your OS is using systemd or openrc and enable and start the service as part of the installation process."}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsxs)(n.li,{children:["When running with openrc, logs will be created at ",(0,s.jsx)(n.code,{children:"/var/log/k3s.log"}),"."]}),"\n",(0,s.jsxs)(n.li,{children:["When running with systemd, logs will be created in ",(0,s.jsx)(n.code,{children:"/var/log/syslog"})," and viewed using ",(0,s.jsx)(n.code,{children:"journalctl -u k3s"})," (or ",(0,s.jsx)(n.code,{children:"journalctl -u k3s-agent"})," on agents)."]}),"\n"]}),"\n",(0,s.jsx)(n.p,{children:"An example of disabling auto-starting and service enablement with the install script:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | INSTALL_K3S_SKIP_START=true INSTALL_K3S_SKIP_ENABLE=true sh -\n"})}),"\n",(0,s.jsx)(n.h2,{id:"running-k3s-in-docker",children:"Running K3s in Docker"}),"\n",(0,s.jsx)(n.p,{children:"There are several ways to run K3s in Docker:"}),"\n",(0,s.jsxs)(r,{children:[(0,s.jsxs)(t,{value:"K3d",default:!0,children:[(0,s.jsxs)(n.p,{children:[(0,s.jsx)(n.a,{href:"https://github.com/k3d-io/k3d",children:"k3d"})," is a utility designed to easily run multi-node K3s clusters in Docker."]}),(0,s.jsx)(n.p,{children:"k3d makes it very easy to create single- and multi-node k3s clusters in docker, e.g. for local development on Kubernetes."}),(0,s.jsxs)(n.p,{children:["See the ",(0,s.jsx)(n.a,{href:"https://k3d.io/#installation",children:"Installation"})," documentation for more information on how to install and use k3d."]})]}),(0,s.jsxs)(t,{value:"Docker",children:[(0,s.jsxs)(n.p,{children:["To use Docker, ",(0,s.jsx)(n.code,{children:"rancher/k3s"})," images are also available to run the K3s server and agent.\nUsing the ",(0,s.jsx)(n.code,{children:"docker run"})," command:"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"sudo docker run \\\n --privileged \\\n --name k3s-server-1 \\\n --hostname k3s-server-1 \\\n -p 6443:6443 \\\n -d rancher/k3s:v1.24.10-k3s1 \\\n server\n"})}),(0,s.jsx)(n.admonition,{type:"note",children:(0,s.jsxs)(n.p,{children:["You must specify a valid K3s version as the tag; the ",(0,s.jsx)(n.code,{children:"latest"})," tag is not maintained.",(0,s.jsx)(n.br,{}),"\n","Docker images do not allow a ",(0,s.jsx)(n.code,{children:"+"})," sign in tags, use a ",(0,s.jsx)(n.code,{children:"-"})," in the tag instead."]})}),(0,s.jsx)(n.p,{children:"Once K3s is up and running, you can copy the admin kubeconfig out of the Docker container for use:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"sudo docker cp k3s-server-1:/etc/rancher/k3s/k3s.yaml ~/.kube/config\n"})})]})]}),"\n",(0,s.jsx)(n.h2,{id:"selinux-support",children:"SELinux Support"}),"\n",(0,s.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,s.jsx)(n.p,{children:"Available as of v1.19.4+k3s1"})}),"\n",(0,s.jsx)(n.p,{children:"If you are installing K3s on a system where SELinux is enabled by default (such as CentOS), you must ensure the proper SELinux policies have been installed."}),"\n",(0,s.jsxs)(r,{children:[(0,s.jsx)(t,{value:"Automatic Installation",default:!0,children:(0,s.jsxs)(n.p,{children:["The ",(0,s.jsx)(n.a,{href:"/installation/configuration#configuration-with-install-script",children:"install script"})," will automatically install the SELinux RPM from the Rancher RPM repository if on a compatible system if not performing an air-gapped install. Automatic installation can be skipped by setting ",(0,s.jsx)(n.code,{children:"INSTALL_K3S_SKIP_SELINUX_RPM=true"}),"."]})}),(0,s.jsxs)(t,{value:"Manual Installation",default:!0,children:[(0,s.jsx)(n.p,{children:"The necessary policies can be installed with the following commands:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"yum install -y container-selinux selinux-policy-base\nyum install -y https://rpm.rancher.io/k3s/latest/common/centos/7/noarch/k3s-selinux-1.4-1.el7.noarch.rpm\n"})}),(0,s.jsxs)(n.p,{children:["To force the install script to log a warning rather than fail, you can set the following environment variable: ",(0,s.jsx)(n.code,{children:"INSTALL_K3S_SELINUX_WARN=true"}),"."]})]})]}),"\n",(0,s.jsx)(n.h3,{id:"enabling-selinux-enforcement",children:"Enabling SELinux Enforcement"}),"\n",(0,s.jsxs)(n.p,{children:["To leverage SELinux, specify the ",(0,s.jsx)(n.code,{children:"--selinux"})," flag when starting K3s servers and agents."]}),"\n",(0,s.jsxs)(n.p,{children:["This option can also be specified in the K3s ",(0,s.jsx)(n.a,{href:"/installation/configuration#configuration-file",children:"configuration file"}),"."]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"selinux: true\n"})}),"\n",(0,s.jsxs)(n.p,{children:["Using a custom ",(0,s.jsx)(n.code,{children:"--data-dir"})," under SELinux is not supported. To customize it, you would most likely need to write your own custom policy. For guidance, you could refer to the ",(0,s.jsx)(n.a,{href:"https://github.com/containers/container-selinux",children:"containers/container-selinux"})," repository, which contains the SELinux policy files for Container Runtimes, and the ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s-selinux",children:"k3s-io/k3s-selinux"})," repository, which contains the SELinux policy for K3s."]}),"\n",(0,s.jsx)(n.h2,{id:"enabling-lazy-pulling-of-estargz-experimental",children:"Enabling Lazy Pulling of eStargz (Experimental)"}),"\n",(0,s.jsx)(n.h3,{id:"whats-lazy-pulling-and-estargz",children:"What's lazy pulling and eStargz?"}),"\n",(0,s.jsxs)(n.p,{children:["Pulling images is known as one of the time-consuming steps in the container lifecycle.\nAccording to ",(0,s.jsx)(n.a,{href:"https://www.usenix.org/conference/fast16/technical-sessions/presentation/harter",children:"Harter, et al."}),","]}),"\n",(0,s.jsxs)(n.blockquote,{children:["\n",(0,s.jsx)(n.p,{children:"pulling packages accounts for 76% of container start time, but only 6.4% of that data is read"}),"\n"]}),"\n",(0,s.jsxs)(n.p,{children:["To address this issue, k3s experimentally supports ",(0,s.jsx)(n.em,{children:"lazy pulling"})," of image contents.\nThis allows k3s to start a container before the entire image has been pulled.\nInstead, the necessary chunks of contents (e.g. individual files) are fetched on-demand.\nEspecially for large images, this technique can shorten the container startup latency."]}),"\n",(0,s.jsxs)(n.p,{children:["To enable lazy pulling, the target image needs to be formatted as ",(0,s.jsx)(n.a,{href:"https://github.com/containerd/stargz-snapshotter/blob/main/docs/stargz-estargz.md",children:(0,s.jsx)(n.em,{children:"eStargz"})}),".\nThis is an OCI-alternative but 100% OCI-compatible image format for lazy pulling.\nBecause of the compatibility, eStargz can be pushed to standard container registries (e.g. ghcr.io) as well as this is ",(0,s.jsx)(n.em,{children:"still runnable"})," even on eStargz-agnostic runtimes."]}),"\n",(0,s.jsxs)(n.p,{children:["eStargz is developed based on the ",(0,s.jsx)(n.a,{href:"https://github.com/google/crfs",children:"stargz format proposed by Google CRFS project"})," but comes with practical features including content verification and performance optimization.\nFor more details about lazy pulling and eStargz, please refer to ",(0,s.jsx)(n.a,{href:"https://github.com/containerd/stargz-snapshotter",children:"Stargz Snapshotter project repository"}),"."]}),"\n",(0,s.jsx)(n.h3,{id:"configure-k3s-for-lazy-pulling-of-estargz",children:"Configure k3s for lazy pulling of eStargz"}),"\n",(0,s.jsxs)(n.p,{children:["As shown in the following, ",(0,s.jsx)(n.code,{children:"--snapshotter=stargz"})," option is needed for k3s server and agent."]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"k3s server --snapshotter=stargz\n"})}),"\n",(0,s.jsxs)(n.p,{children:["With this configuration, you can perform lazy pulling for eStargz-formatted images.\nThe following example Pod manifest uses eStargz-formatted ",(0,s.jsx)(n.code,{children:"node:13.13.0"})," image (",(0,s.jsx)(n.code,{children:"ghcr.io/stargz-containers/node:13.13.0-esgz"}),").\nWhen the stargz snapshotter is enabled, K3s performs lazy pulling for this image."]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:"apiVersion: v1\nkind: Pod\nmetadata:\n name: nodejs\nspec:\n containers:\n - name: nodejs-estargz\n image: ghcr.io/stargz-containers/node:13.13.0-esgz\n command: [\"node\"]\n args:\n - -e\n - var http = require('http');\n http.createServer(function(req, res) {\n res.writeHead(200);\n res.end('Hello World!\\n');\n }).listen(80);\n ports:\n - containerPort: 80\n"})}),"\n",(0,s.jsx)(n.h2,{id:"additional-logging-sources",children:"Additional Logging Sources"}),"\n",(0,s.jsxs)(n.p,{children:[(0,s.jsx)(n.a,{href:"https://rancher.com/docs/rancher/v2.6/en/logging/helm-chart-options/",children:"Rancher logging"})," for K3s can be installed without using Rancher. The following instructions should be executed to do so:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"helm repo add rancher-charts https://charts.rancher.io\nhelm repo update\nhelm install --create-namespace -n cattle-logging-system rancher-logging-crd rancher-charts/rancher-logging-crd\nhelm install --create-namespace -n cattle-logging-system rancher-logging --set additionalLoggingSources.k3s.enabled=true rancher-charts/rancher-logging\n"})}),"\n",(0,s.jsx)(n.h2,{id:"additional-network-policy-logging",children:"Additional Network Policy Logging"}),"\n",(0,s.jsx)(n.p,{children:"Packets dropped by network policies can be logged. The packet is sent to the iptables NFLOG action, which shows the packet details, including the network policy that blocked it."}),"\n",(0,s.jsxs)(n.p,{children:["If there is a lot of traffic, the number of log messages could be very high. To control the log rate on a per-policy basis, set the ",(0,s.jsx)(n.code,{children:"limit"})," and ",(0,s.jsx)(n.code,{children:"limit-burst"})," iptables parameters by adding the following annotations to the network policy in question:"]}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsx)(n.li,{children:(0,s.jsx)(n.code,{children:"kube-router.io/netpol-nflog-limit="})}),"\n",(0,s.jsx)(n.li,{children:(0,s.jsx)(n.code,{children:"kube-router.io/netpol-nflog-limit-burst="})}),"\n"]}),"\n",(0,s.jsxs)(n.p,{children:["Default values are ",(0,s.jsx)(n.code,{children:"limit=10/minute"})," and ",(0,s.jsx)(n.code,{children:"limit-burst=10"}),". Check the ",(0,s.jsx)(n.a,{href:"https://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO-7.html#:~:text=restrict%20the%20rate%20of%20matches",children:"iptables manual"})," for more information on the format and possible values for these fields."]}),"\n",(0,s.jsxs)(n.p,{children:["To convert NFLOG packets to log entries, install ulogd2 and configure ",(0,s.jsx)(n.code,{children:"[log1]"})," to read on ",(0,s.jsx)(n.code,{children:"group=100"}),". Then, restart the ulogd2 service for the new config to be committed.\nWhen a packet is blocked by network policy rules, a log message will appear in ",(0,s.jsx)(n.code,{children:"/var/log/ulog/syslogemu.log"}),"."]}),"\n",(0,s.jsx)(n.p,{children:"Packets sent to the NFLOG netlink socket can also be read by using command-line tools like tcpdump or tshark:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"tcpdump -ni nflog:100\n"})}),"\n",(0,s.jsxs)(n.p,{children:["While more readily available, tcpdump will not show the name of the network policy that blocked the packet. Use wireshark's tshark command instead to display the full NFLOG packet header, including the ",(0,s.jsx)(n.code,{children:"nflog.prefix"})," field that contains the policy name."]})]})}function h(e={}){const{wrapper:n}={...(0,i.a)(),...e.components};return n?(0,s.jsx)(n,{...e,children:(0,s.jsx)(d,{...e})}):d(e)}function u(e,n){throw new Error("Expected "+(n?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,n,t)=>{t.d(n,{Z:()=>a,a:()=>o});var s=t(7294);const i={},r=s.createContext(i);function o(e){const n=s.useContext(r);return s.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function a(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(i):e.components||i:o(e.components),s.createElement(r.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/395f47e2.bd3cc9da.js b/assets/js/395f47e2.bd3cc9da.js new file mode 100644 index 000000000..9af5e33f4 --- /dev/null +++ b/assets/js/395f47e2.bd3cc9da.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[6801],{793:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>l,contentTitle:()=>o,default:()=>h,frontMatter:()=>r,metadata:()=>a,toc:()=>c});var s=t(5893),i=t(1151);const r={title:"Advanced Options / Configuration"},o=void 0,a={id:"advanced",title:"Advanced Options / Configuration",description:"This section contains advanced information describing the different ways you can run and manage K3s, as well as steps necessary to prepare the host OS for K3s use.",source:"@site/docs/advanced.md",sourceDirName:".",slug:"/advanced",permalink:"/advanced",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/advanced.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Advanced Options / Configuration"},sidebar:"mySidebar",previous:{title:"Helm",permalink:"/helm"},next:{title:"Environment Variables",permalink:"/reference/env-variables"}},l={},c=[{value:"Certificate Management",id:"certificate-management",level:2},{value:"Certificate Authority Certificates",id:"certificate-authority-certificates",level:3},{value:"Client and Server certificates",id:"client-and-server-certificates",level:3},{value:"Token Management",id:"token-management",level:2},{value:"Configuring an HTTP proxy",id:"configuring-an-http-proxy",level:2},{value:"Using Docker as the Container Runtime",id:"using-docker-as-the-container-runtime",level:2},{value:"Using etcdctl",id:"using-etcdctl",level:2},{value:"Configuring containerd",id:"configuring-containerd",level:2},{value:"Base template",id:"base-template",level:3},{value:"NVIDIA Container Runtime Support",id:"nvidia-container-runtime-support",level:2},{value:"Running Agentless Servers (Experimental)",id:"running-agentless-servers-experimental",level:2},{value:"Running Rootless Servers (Experimental)",id:"running-rootless-servers-experimental",level:2},{value:"Known Issues with Rootless mode",id:"known-issues-with-rootless-mode",level:3},{value:"Starting Rootless Servers",id:"starting-rootless-servers",level:3},{value:"Advanced Rootless Configuration",id:"advanced-rootless-configuration",level:3},{value:"Troubleshooting Rootless",id:"troubleshooting-rootless",level:3},{value:"Node Labels and Taints",id:"node-labels-and-taints",level:2},{value:"Starting the Service with the Installation Script",id:"starting-the-service-with-the-installation-script",level:2},{value:"Running K3s in Docker",id:"running-k3s-in-docker",level:2},{value:"SELinux Support",id:"selinux-support",level:2},{value:"Enabling SELinux Enforcement",id:"enabling-selinux-enforcement",level:3},{value:"Enabling Lazy Pulling of eStargz (Experimental)",id:"enabling-lazy-pulling-of-estargz-experimental",level:2},{value:"What's lazy pulling and eStargz?",id:"whats-lazy-pulling-and-estargz",level:3},{value:"Configure k3s for lazy pulling of eStargz",id:"configure-k3s-for-lazy-pulling-of-estargz",level:3},{value:"Additional Logging Sources",id:"additional-logging-sources",level:2},{value:"Additional Network Policy Logging",id:"additional-network-policy-logging",level:2}];function d(e){const n={a:"a",admonition:"admonition",blockquote:"blockquote",br:"br",code:"code",em:"em",h2:"h2",h3:"h3",li:"li",ol:"ol",p:"p",pre:"pre",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,i.a)(),...e.components},{TabItem:t,Tabs:r}=n;return t||u("TabItem",!0),r||u("Tabs",!0),(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(n.p,{children:"This section contains advanced information describing the different ways you can run and manage K3s, as well as steps necessary to prepare the host OS for K3s use."}),"\n",(0,s.jsx)(n.h2,{id:"certificate-management",children:"Certificate Management"}),"\n",(0,s.jsx)(n.h3,{id:"certificate-authority-certificates",children:"Certificate Authority Certificates"}),"\n",(0,s.jsx)(n.p,{children:"K3s generates self-signed Certificate Authority (CA) Certificates during startup of the first server node. These CA certificates are valid for 10 years, and are not automatically renewed."}),"\n",(0,s.jsxs)(n.p,{children:["For information on using custom CA certificates, or renewing the self-signed CA certificates, see the ",(0,s.jsxs)(n.a,{href:"/cli/certificate#certificate-authority-ca-certificates",children:[(0,s.jsx)(n.code,{children:"k3s certificate rotate-ca"})," command documentation"]}),"."]}),"\n",(0,s.jsx)(n.h3,{id:"client-and-server-certificates",children:"Client and Server certificates"}),"\n",(0,s.jsx)(n.p,{children:"K3s client and server certificates are valid for 365 days from their date of issuance. Any certificates that are expired, or within 90 days of expiring, are automatically renewed every time K3s starts."}),"\n",(0,s.jsxs)(n.p,{children:["For information on manually rotating client and server certificates, see the ",(0,s.jsxs)(n.a,{href:"/cli/certificate#client-and-server-certificates",children:[(0,s.jsx)(n.code,{children:"k3s certificate rotate"})," command documentation"]}),"."]}),"\n",(0,s.jsx)(n.h2,{id:"token-management",children:"Token Management"}),"\n",(0,s.jsxs)(n.p,{children:["By default, K3s uses a single static token for both servers and agents. This token cannot be changed once the cluster has been created.\nIt is possible to enable a second static token that can only be used to join agents, or to create temporary ",(0,s.jsx)(n.code,{children:"kubeadm"})," style join tokens that expire automatically.\nFor more information, see the ",(0,s.jsxs)(n.a,{href:"/cli/token",children:[(0,s.jsx)(n.code,{children:"k3s token"})," command documentation"]}),"."]}),"\n",(0,s.jsx)(n.h2,{id:"configuring-an-http-proxy",children:"Configuring an HTTP proxy"}),"\n",(0,s.jsx)(n.p,{children:"If you are running K3s in an environment, which only has external connectivity through an HTTP proxy, you can configure your proxy settings on the K3s systemd service. These proxy settings will then be used in K3s and passed down to the embedded containerd and kubelet."}),"\n",(0,s.jsxs)(n.p,{children:["The K3s installation script will automatically take the ",(0,s.jsx)(n.code,{children:"HTTP_PROXY"}),", ",(0,s.jsx)(n.code,{children:"HTTPS_PROXY"})," and ",(0,s.jsx)(n.code,{children:"NO_PROXY"}),", as well as the ",(0,s.jsx)(n.code,{children:"CONTAINERD_HTTP_PROXY"}),", ",(0,s.jsx)(n.code,{children:"CONTAINERD_HTTPS_PROXY"})," and ",(0,s.jsx)(n.code,{children:"CONTAINERD_NO_PROXY"})," variables from the current shell, if they are present, and write them to the environment file of your systemd service, usually:"]}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsx)(n.li,{children:(0,s.jsx)(n.code,{children:"/etc/systemd/system/k3s.service.env"})}),"\n",(0,s.jsx)(n.li,{children:(0,s.jsx)(n.code,{children:"/etc/systemd/system/k3s-agent.service.env"})}),"\n"]}),"\n",(0,s.jsx)(n.p,{children:"Of course, you can also configure the proxy by editing these files."}),"\n",(0,s.jsxs)(n.p,{children:["K3s will automatically add the cluster internal Pod and Service IP ranges and cluster DNS domain to the list of ",(0,s.jsx)(n.code,{children:"NO_PROXY"})," entries. You should ensure that the IP address ranges used by the Kubernetes nodes themselves (i.e. the public and private IPs of the nodes) are included in the ",(0,s.jsx)(n.code,{children:"NO_PROXY"})," list, or that the nodes can be reached through the proxy."]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"HTTP_PROXY=http://your-proxy.example.com:8888\nHTTPS_PROXY=http://your-proxy.example.com:8888\nNO_PROXY=127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16\n"})}),"\n",(0,s.jsxs)(n.p,{children:["If you want to configure the proxy settings for containerd without affecting K3s and the Kubelet, you can prefix the variables with ",(0,s.jsx)(n.code,{children:"CONTAINERD_"}),":"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"CONTAINERD_HTTP_PROXY=http://your-proxy.example.com:8888\nCONTAINERD_HTTPS_PROXY=http://your-proxy.example.com:8888\nCONTAINERD_NO_PROXY=127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16\n"})}),"\n",(0,s.jsx)(n.h2,{id:"using-docker-as-the-container-runtime",children:"Using Docker as the Container Runtime"}),"\n",(0,s.jsxs)(n.p,{children:["K3s includes and defaults to ",(0,s.jsx)(n.a,{href:"https://containerd.io/",children:"containerd"}),", an industry-standard container runtime.\nAs of Kubernetes 1.24, the Kubelet no longer includes dockershim, the component that allows the kubelet to communicate with dockerd.\nK3s 1.24 and higher include ",(0,s.jsx)(n.a,{href:"https://github.com/Mirantis/cri-dockerd",children:"cri-dockerd"}),", which allows seamless upgrade from prior releases of K3s while continuing to use the Docker container runtime."]}),"\n",(0,s.jsx)(n.p,{children:"To use Docker instead of containerd:"}),"\n",(0,s.jsxs)(n.ol,{children:["\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsxs)(n.p,{children:["Install Docker on the K3s node. One of Rancher's ",(0,s.jsx)(n.a,{href:"https://github.com/rancher/install-docker",children:"Docker installation scripts"})," can be used to install Docker:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"curl https://releases.rancher.com/install-docker/20.10.sh | sh\n"})}),"\n"]}),"\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsxs)(n.p,{children:["Install K3s using the ",(0,s.jsx)(n.code,{children:"--docker"})," option:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | sh -s - --docker\n"})}),"\n"]}),"\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsx)(n.p,{children:"Confirm that the cluster is available:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"$ sudo k3s kubectl get pods --all-namespaces\nNAMESPACE NAME READY STATUS RESTARTS AGE\nkube-system local-path-provisioner-6d59f47c7-lncxn 1/1 Running 0 51s\nkube-system metrics-server-7566d596c8-9tnck 1/1 Running 0 51s\nkube-system helm-install-traefik-mbkn9 0/1 Completed 1 51s\nkube-system coredns-8655855d6-rtbnb 1/1 Running 0 51s\nkube-system svclb-traefik-jbmvl 2/2 Running 0 43s\nkube-system traefik-758cd5fc85-2wz97 1/1 Running 0 43s\n"})}),"\n"]}),"\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsx)(n.p,{children:"Confirm that the Docker containers are running:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'$ sudo docker ps\nCONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES\n3e4d34729602 897ce3c5fc8f "entry" About a minute ago Up About a minute k8s_lb-port-443_svclb-traefik-jbmvl_kube-system_d46f10c6-073f-4c7e-8d7a-8e7ac18f9cb0_0\nbffdc9d7a65f rancher/klipper-lb "entry" About a minute ago Up About a minute k8s_lb-port-80_svclb-traefik-jbmvl_kube-system_d46f10c6-073f-4c7e-8d7a-8e7ac18f9cb0_0\n436b85c5e38d rancher/library-traefik "/traefik --configfi\u2026" About a minute ago Up About a minute k8s_traefik_traefik-758cd5fc85-2wz97_kube-system_07abe831-ffd6-4206-bfa1-7c9ca4fb39e7_0\nde8fded06188 rancher/pause:3.1 "/pause" About a minute ago Up About a minute k8s_POD_svclb-traefik-jbmvl_kube-system_d46f10c6-073f-4c7e-8d7a-8e7ac18f9cb0_0\n7c6a30aeeb2f rancher/pause:3.1 "/pause" About a minute ago Up About a minute k8s_POD_traefik-758cd5fc85-2wz97_kube-system_07abe831-ffd6-4206-bfa1-7c9ca4fb39e7_0\nae6c58cab4a7 9d12f9848b99 "local-path-provisio\u2026" About a minute ago Up About a minute k8s_local-path-provisioner_local-path-provisioner-6d59f47c7-lncxn_kube-system_2dbd22bf-6ad9-4bea-a73d-620c90a6c1c1_0\nbe1450e1a11e 9dd718864ce6 "/metrics-server" About a minute ago Up About a minute k8s_metrics-server_metrics-server-7566d596c8-9tnck_kube-system_031e74b5-e9ef-47ef-a88d-fbf3f726cbc6_0\n4454d14e4d3f c4d3d16fe508 "/coredns -conf /etc\u2026" About a minute ago Up About a minute k8s_coredns_coredns-8655855d6-rtbnb_kube-system_d05725df-4fb1-410a-8e82-2b1c8278a6a1_0\nc3675b87f96c rancher/pause:3.1 "/pause" About a minute ago Up About a minute k8s_POD_coredns-8655855d6-rtbnb_kube-system_d05725df-4fb1-410a-8e82-2b1c8278a6a1_0\n4b1fddbe6ca6 rancher/pause:3.1 "/pause" About a minute ago Up About a minute k8s_POD_local-path-provisioner-6d59f47c7-lncxn_kube-system_2dbd22bf-6ad9-4bea-a73d-620c90a6c1c1_0\n64d3517d4a95 rancher/pause:3.1 "/pause"\n'})}),"\n"]}),"\n"]}),"\n",(0,s.jsx)(n.h2,{id:"using-etcdctl",children:"Using etcdctl"}),"\n",(0,s.jsx)(n.p,{children:"etcdctl provides a CLI for interacting with etcd servers. K3s does not bundle etcdctl."}),"\n",(0,s.jsxs)(n.p,{children:["If you would like to use etcdctl to interact with K3s's embedded etcd, install etcdctl using the ",(0,s.jsx)(n.a,{href:"https://etcd.io/docs/latest/install/",children:"official documentation"}),"."]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'ETCD_VERSION="v3.5.5"\nETCD_URL="https://github.com/etcd-io/etcd/releases/download/${ETCD_VERSION}/etcd-${ETCD_VERSION}-linux-amd64.tar.gz"\ncurl -sL ${ETCD_URL} | sudo tar -zxv --strip-components=1 -C /usr/local/bin\n'})}),"\n",(0,s.jsx)(n.p,{children:"You may then use etcdctl by configuring it to use the K3s-managed certificates and keys for authentication:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"sudo etcdctl version \\\n --cacert=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt \\\n --cert=/var/lib/rancher/k3s/server/tls/etcd/client.crt \\\n --key=/var/lib/rancher/k3s/server/tls/etcd/client.key\n"})}),"\n",(0,s.jsx)(n.h2,{id:"configuring-containerd",children:"Configuring containerd"}),"\n",(0,s.jsxs)(n.p,{children:["K3s will generate config.toml for containerd in ",(0,s.jsx)(n.code,{children:"/var/lib/rancher/k3s/agent/etc/containerd/config.toml"}),"."]}),"\n",(0,s.jsxs)(n.p,{children:["For advanced customization for this file you can create another file called ",(0,s.jsx)(n.code,{children:"config.toml.tmpl"})," in the same directory, and it will be used instead."]}),"\n",(0,s.jsxs)(n.p,{children:["The ",(0,s.jsx)(n.code,{children:"config.toml.tmpl"})," will be treated as a Go template file, and the ",(0,s.jsx)(n.code,{children:"config.Node"})," structure is being passed to the template. See ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/blob/master/pkg/agent/templates",children:"this folder"})," for Linux and Windows examples on how to use the structure to customize the configuration file.\nThe config.Node golang struct is defined ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/blob/master/pkg/daemons/config/types.go#L37",children:"here"})]}),"\n",(0,s.jsx)(n.h3,{id:"base-template",children:"Base template"}),"\n",(0,s.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,s.jsx)(n.p,{children:"Available as of September 2023 releases: v1.24.17+k3s1, v1.25.13+k3s1, v1.26.8+k3s1, v1.27.5+k3s1, v1.28.1+k3s1"})}),"\n",(0,s.jsx)(n.p,{children:"You can extend the K3s base template instead of copy-pasting the complete stock template out of the K3s source code. This is useful if you need to build on the existing configuration, and add a few extra lines at the end."}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-toml",children:'#/var/lib/rancher/k3s/agent/etc/containerd/config.toml.tmpl\n\n{{ template "base" . }}\n\n[plugins."io.containerd.grpc.v1.cri".containerd.runtimes."custom"]\n runtime_type = "io.containerd.runc.v2"\n[plugins."io.containerd.grpc.v1.cri".containerd.runtimes."custom".options]\n BinaryName = "/usr/bin/custom-container-runtime"\n\n'})}),"\n",(0,s.jsx)(n.h2,{id:"nvidia-container-runtime-support",children:"NVIDIA Container Runtime Support"}),"\n",(0,s.jsx)(n.p,{children:"K3s will automatically detect and configure the NVIDIA container runtime if it is present when K3s starts."}),"\n",(0,s.jsxs)(n.ol,{children:["\n",(0,s.jsxs)(n.li,{children:["Install the nvidia-container package repository on the node by following the instructions at:\n",(0,s.jsx)(n.a,{href:"https://nvidia.github.io/libnvidia-container/",children:"https://nvidia.github.io/libnvidia-container/"})]}),"\n",(0,s.jsxs)(n.li,{children:["Install the nvidia container runtime packages. For example:\n",(0,s.jsx)(n.code,{children:"apt install -y nvidia-container-runtime cuda-drivers-fabricmanager-515 nvidia-headless-515-server"})]}),"\n",(0,s.jsxs)(n.li,{children:["Install K3s, or restart it if already installed:\n",(0,s.jsx)(n.code,{children:"curl -ksL get.k3s.io | sh -"})]}),"\n",(0,s.jsxs)(n.li,{children:["Confirm that the nvidia container runtime has been found by k3s:\n",(0,s.jsx)(n.code,{children:"grep nvidia /var/lib/rancher/k3s/agent/etc/containerd/config.toml"})]}),"\n"]}),"\n",(0,s.jsxs)(n.p,{children:["This will automatically add ",(0,s.jsx)(n.code,{children:"nvidia"})," and/or ",(0,s.jsx)(n.code,{children:"nvidia-experimental"})," runtimes to the containerd configuration, depending on what runtime executables are found.\nYou must still add a RuntimeClass definition to your cluster, and deploy Pods that explicitly request the appropriate runtime by setting ",(0,s.jsx)(n.code,{children:"runtimeClassName: nvidia"})," in the Pod spec:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:'apiVersion: node.k8s.io/v1\nkind: RuntimeClass\nmetadata:\n name: nvidia\nhandler: nvidia\n---\napiVersion: v1\nkind: Pod\nmetadata:\n name: nbody-gpu-benchmark\n namespace: default\nspec:\n restartPolicy: OnFailure\n runtimeClassName: nvidia\n containers:\n - name: cuda-container\n image: nvcr.io/nvidia/k8s/cuda-sample:nbody\n args: ["nbody", "-gpu", "-benchmark"]\n resources:\n limits:\n nvidia.com/gpu: 1\n env:\n - name: NVIDIA_VISIBLE_DEVICES\n value: all\n - name: NVIDIA_DRIVER_CAPABILITIES\n value: all\n'})}),"\n",(0,s.jsxs)(n.p,{children:["Note that the NVIDIA Container Runtime is also frequently used with ",(0,s.jsx)(n.a,{href:"https://github.com/NVIDIA/k8s-device-plugin/",children:"NVIDIA Device Plugin"}),", with modifications to ensure that pod specs include ",(0,s.jsx)(n.code,{children:"runtimeClassName: nvidia"}),", as mentioned above."]}),"\n",(0,s.jsx)(n.h2,{id:"running-agentless-servers-experimental",children:"Running Agentless Servers (Experimental)"}),"\n",(0,s.jsxs)(n.blockquote,{children:["\n",(0,s.jsxs)(n.p,{children:[(0,s.jsx)(n.strong,{children:"Warning:"})," This feature is experimental."]}),"\n"]}),"\n",(0,s.jsxs)(n.p,{children:["When started with the ",(0,s.jsx)(n.code,{children:"--disable-agent"})," flag, servers do not run the kubelet, container runtime, or CNI. They do not register a Node resource in the cluster, and will not appear in ",(0,s.jsx)(n.code,{children:"kubectl get nodes"})," output.\nBecause they do not host a kubelet, they cannot run pods or be managed by operators that rely on enumerating cluster nodes, including the embedded etcd controller and the system upgrade controller."]}),"\n",(0,s.jsx)(n.p,{children:"Running agentless servers may be advantageous if you want to obscure your control-plane nodes from discovery by agents and workloads, at the cost of increased administrative overhead caused by lack of cluster operator support."}),"\n",(0,s.jsxs)(n.p,{children:["By default, the apiserver on agentless servers will not be able to make outgoing connections to admission webhooks or aggregated apiservices running within the cluster. To remedy this, set the ",(0,s.jsx)(n.code,{children:"--egress-selector-mode"})," server flag to either ",(0,s.jsx)(n.code,{children:"pod"})," or ",(0,s.jsx)(n.code,{children:"cluster"}),". If you are changing this flag on an existing cluster, you'll need to restart all nodes in the cluster for the option to take effect."]}),"\n",(0,s.jsx)(n.h2,{id:"running-rootless-servers-experimental",children:"Running Rootless Servers (Experimental)"}),"\n",(0,s.jsxs)(n.blockquote,{children:["\n",(0,s.jsxs)(n.p,{children:[(0,s.jsx)(n.strong,{children:"Warning:"})," This feature is experimental."]}),"\n"]}),"\n",(0,s.jsx)(n.p,{children:"Rootless mode allows running K3s servers as an unprivileged user, so as to protect the real root on the host from potential container-breakout attacks."}),"\n",(0,s.jsxs)(n.p,{children:["See ",(0,s.jsx)(n.a,{href:"https://rootlesscontaine.rs/",children:"https://rootlesscontaine.rs/"})," to learn more about Rootless Kubernetes."]}),"\n",(0,s.jsx)(n.h3,{id:"known-issues-with-rootless-mode",children:"Known Issues with Rootless mode"}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsx)(n.p,{children:(0,s.jsx)(n.strong,{children:"Ports"})}),"\n",(0,s.jsx)(n.p,{children:"When running rootless a new network namespace is created. This means that K3s instance is running with networking fairly detached from the host.\nThe only way to access Services run in K3s from the host is to set up port forwards to the K3s network namespace.\nRootless K3s includes controller that will automatically bind 6443 and service ports below 1024 to the host with an offset of 10000."}),"\n",(0,s.jsx)(n.p,{children:"For example, a Service on port 80 will become 10080 on the host, but 8080 will become 8080 without any offset. Currently, only LoadBalancer Services are automatically bound."}),"\n"]}),"\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsx)(n.p,{children:(0,s.jsx)(n.strong,{children:"Cgroups"})}),"\n",(0,s.jsx)(n.p,{children:'Cgroup v1 and Hybrid v1/v2 are not supported; only pure Cgroup v2 is supported. If K3s fails to start due to missing cgroups when running rootless, it is likely that your node is in Hybrid mode, and the "missing" cgroups are still bound to a v1 controller.'}),"\n"]}),"\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsx)(n.p,{children:(0,s.jsx)(n.strong,{children:"Multi-node/multi-process cluster"})}),"\n",(0,s.jsxs)(n.p,{children:["Multi-node rootless clusters, or multiple rootless k3s processes on the same node, are not currently supported. See ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/issues/6488#issuecomment-1314998091",children:"#6488"})," for more details."]}),"\n"]}),"\n"]}),"\n",(0,s.jsx)(n.h3,{id:"starting-rootless-servers",children:"Starting Rootless Servers"}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsxs)(n.p,{children:["Enable cgroup v2 delegation, see ",(0,s.jsx)(n.a,{href:"https://rootlesscontaine.rs/getting-started/common/cgroup2/",children:"https://rootlesscontaine.rs/getting-started/common/cgroup2/"})," .\nThis step is required; the rootless kubelet will fail to start without the proper cgroups delegated."]}),"\n"]}),"\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsxs)(n.p,{children:["Download ",(0,s.jsx)(n.code,{children:"k3s-rootless.service"})," from ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/blob/master/k3s-rootless.service",children:(0,s.jsx)(n.code,{children:"https://github.com/k3s-io/k3s/blob//k3s-rootless.service"})}),".\nMake sure to use the same version of ",(0,s.jsx)(n.code,{children:"k3s-rootless.service"})," and ",(0,s.jsx)(n.code,{children:"k3s"}),"."]}),"\n"]}),"\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsxs)(n.p,{children:["Install ",(0,s.jsx)(n.code,{children:"k3s-rootless.service"})," to ",(0,s.jsx)(n.code,{children:"~/.config/systemd/user/k3s-rootless.service"}),".\nInstalling this file as a system-wide service (",(0,s.jsx)(n.code,{children:"/etc/systemd/..."}),") is not supported.\nDepending on the path of ",(0,s.jsx)(n.code,{children:"k3s"})," binary, you might need to modify the ",(0,s.jsx)(n.code,{children:"ExecStart=/usr/local/bin/k3s ..."})," line of the file."]}),"\n"]}),"\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsxs)(n.p,{children:["Run ",(0,s.jsx)(n.code,{children:"systemctl --user daemon-reload"})]}),"\n"]}),"\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsxs)(n.p,{children:["Run ",(0,s.jsx)(n.code,{children:"systemctl --user enable --now k3s-rootless"})]}),"\n"]}),"\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsxs)(n.p,{children:["Run ",(0,s.jsx)(n.code,{children:"KUBECONFIG=~/.kube/k3s.yaml kubectl get pods -A"}),", and make sure the pods are running."]}),"\n"]}),"\n"]}),"\n",(0,s.jsxs)(n.blockquote,{children:["\n",(0,s.jsxs)(n.p,{children:[(0,s.jsx)(n.strong,{children:"Note:"})," Don't try to run ",(0,s.jsx)(n.code,{children:"k3s server --rootless"})," on a terminal, as terminal sessions do not allow cgroup v2 delegation.\nIf you really need to try it on a terminal, use ",(0,s.jsx)(n.code,{children:"systemd-run --user -p Delegate=yes --tty k3s server --rootless"})," to wrap it in a systemd scope."]}),"\n"]}),"\n",(0,s.jsx)(n.h3,{id:"advanced-rootless-configuration",children:"Advanced Rootless Configuration"}),"\n",(0,s.jsxs)(n.p,{children:["Rootless K3s uses ",(0,s.jsx)(n.a,{href:"https://github.com/rootless-containers/rootlesskit",children:"rootlesskit"})," and ",(0,s.jsx)(n.a,{href:"https://github.com/rootless-containers/slirp4netns",children:"slirp4netns"})," to communicate between host and user network namespaces.\nSome of the configuration used by rootlesskit and slirp4nets can be set by environment variables. The best way to set these is to add them to the ",(0,s.jsx)(n.code,{children:"Environment"})," field of the k3s-rootless systemd unit."]}),"\n",(0,s.jsxs)(n.table,{children:[(0,s.jsx)(n.thead,{children:(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.th,{children:"Variable"}),(0,s.jsx)(n.th,{children:"Default"}),(0,s.jsx)(n.th,{children:"Description"})]})}),(0,s.jsxs)(n.tbody,{children:[(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"K3S_ROOTLESS_MTU"})}),(0,s.jsx)(n.td,{children:"1500"}),(0,s.jsx)(n.td,{children:"Sets the MTU for the slirp4netns virtual interfaces."})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"K3S_ROOTLESS_CIDR"})}),(0,s.jsx)(n.td,{children:"10.41.0.0/16"}),(0,s.jsx)(n.td,{children:"Sets the CIDR used by slirp4netns virtual interfaces."})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"K3S_ROOTLESS_ENABLE_IPV6"})}),(0,s.jsx)(n.td,{children:"autotedected"}),(0,s.jsx)(n.td,{children:"Enables slirp4netns IPv6 support. If not specified, it is automatically enabled if K3s is configured for dual-stack operation."})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"K3S_ROOTLESS_PORT_DRIVER"})}),(0,s.jsx)(n.td,{children:"builtin"}),(0,s.jsxs)(n.td,{children:["Selects the rootless port driver; either ",(0,s.jsx)(n.code,{children:"builtin"})," or ",(0,s.jsx)(n.code,{children:"slirp4netns"}),". Builtin is faster, but masquerades the original source address of inbound packets."]})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"K3S_ROOTLESS_DISABLE_HOST_LOOPBACK"})}),(0,s.jsx)(n.td,{children:"true"}),(0,s.jsx)(n.td,{children:"Controls whether or not access to the hosts's loopback address via the gateway interface is enabled. It is recommended that this not be changed, for security reasons."})]})]})]}),"\n",(0,s.jsx)(n.h3,{id:"troubleshooting-rootless",children:"Troubleshooting Rootless"}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsxs)(n.li,{children:["Run ",(0,s.jsx)(n.code,{children:"systemctl --user status k3s-rootless"})," to check the daemon status"]}),"\n",(0,s.jsxs)(n.li,{children:["Run ",(0,s.jsx)(n.code,{children:"journalctl --user -f -u k3s-rootless"})," to see the daemon log"]}),"\n",(0,s.jsxs)(n.li,{children:["See also ",(0,s.jsx)(n.a,{href:"https://rootlesscontaine.rs/",children:"https://rootlesscontaine.rs/"})]}),"\n"]}),"\n",(0,s.jsx)(n.h2,{id:"node-labels-and-taints",children:"Node Labels and Taints"}),"\n",(0,s.jsxs)(n.p,{children:["K3s agents can be configured with the options ",(0,s.jsx)(n.code,{children:"--node-label"})," and ",(0,s.jsx)(n.code,{children:"--node-taint"})," which adds a label and taint to the kubelet. The two options only add labels and/or taints ",(0,s.jsx)(n.a,{href:"/cli/agent#node-labels-and-taints-for-agents",children:"at registration time"}),", so they can only be set when the node is first joined to the cluster."]}),"\n",(0,s.jsxs)(n.p,{children:["All current versions of Kubernetes restrict nodes from registering with most labels with ",(0,s.jsx)(n.code,{children:"kubernetes.io"})," and ",(0,s.jsx)(n.code,{children:"k8s.io"})," prefixes, specifically including the ",(0,s.jsx)(n.code,{children:"kubernetes.io/role"})," label. If you attempt to start a node with a disallowed label, K3s will fail to start. As stated by the Kubernetes authors:"]}),"\n",(0,s.jsxs)(n.blockquote,{children:["\n",(0,s.jsx)(n.p,{children:"Nodes are not permitted to assert their own role labels. Node roles are typically used to identify privileged or control plane types of nodes, and allowing nodes to label themselves into that pool allows a compromised node to trivially attract workloads (like control plane daemonsets) that confer access to higher privilege credentials."}),"\n"]}),"\n",(0,s.jsxs)(n.p,{children:["See ",(0,s.jsx)(n.a,{href:"https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/279-limit-node-access/README.md#proposal",children:"SIG-Auth KEP 279"})," for more information."]}),"\n",(0,s.jsxs)(n.p,{children:["If you want to change node labels and taints after node registration, or add reserved labels, you should use ",(0,s.jsx)(n.code,{children:"kubectl"}),". Refer to the official Kubernetes documentation for details on how to add ",(0,s.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/",children:"taints"})," and ",(0,s.jsx)(n.a,{href:"https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/#add-a-label-to-a-node",children:"node labels."})]}),"\n",(0,s.jsx)(n.h2,{id:"starting-the-service-with-the-installation-script",children:"Starting the Service with the Installation Script"}),"\n",(0,s.jsx)(n.p,{children:"The installation script will auto-detect if your OS is using systemd or openrc and enable and start the service as part of the installation process."}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsxs)(n.li,{children:["When running with openrc, logs will be created at ",(0,s.jsx)(n.code,{children:"/var/log/k3s.log"}),"."]}),"\n",(0,s.jsxs)(n.li,{children:["When running with systemd, logs will be created in ",(0,s.jsx)(n.code,{children:"/var/log/syslog"})," and viewed using ",(0,s.jsx)(n.code,{children:"journalctl -u k3s"})," (or ",(0,s.jsx)(n.code,{children:"journalctl -u k3s-agent"})," on agents)."]}),"\n"]}),"\n",(0,s.jsx)(n.p,{children:"An example of disabling auto-starting and service enablement with the install script:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | INSTALL_K3S_SKIP_START=true INSTALL_K3S_SKIP_ENABLE=true sh -\n"})}),"\n",(0,s.jsx)(n.h2,{id:"running-k3s-in-docker",children:"Running K3s in Docker"}),"\n",(0,s.jsx)(n.p,{children:"There are several ways to run K3s in Docker:"}),"\n",(0,s.jsxs)(r,{children:[(0,s.jsxs)(t,{value:"K3d",default:!0,children:[(0,s.jsxs)(n.p,{children:[(0,s.jsx)(n.a,{href:"https://github.com/k3d-io/k3d",children:"k3d"})," is a utility designed to easily run multi-node K3s clusters in Docker."]}),(0,s.jsx)(n.p,{children:"k3d makes it very easy to create single- and multi-node k3s clusters in docker, e.g. for local development on Kubernetes."}),(0,s.jsxs)(n.p,{children:["See the ",(0,s.jsx)(n.a,{href:"https://k3d.io/#installation",children:"Installation"})," documentation for more information on how to install and use k3d."]})]}),(0,s.jsxs)(t,{value:"Docker",children:[(0,s.jsxs)(n.p,{children:["To use Docker, ",(0,s.jsx)(n.code,{children:"rancher/k3s"})," images are also available to run the K3s server and agent.\nUsing the ",(0,s.jsx)(n.code,{children:"docker run"})," command:"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"sudo docker run \\\n --privileged \\\n --name k3s-server-1 \\\n --hostname k3s-server-1 \\\n -p 6443:6443 \\\n -d rancher/k3s:v1.24.10-k3s1 \\\n server\n"})}),(0,s.jsx)(n.admonition,{type:"note",children:(0,s.jsxs)(n.p,{children:["You must specify a valid K3s version as the tag; the ",(0,s.jsx)(n.code,{children:"latest"})," tag is not maintained.",(0,s.jsx)(n.br,{}),"\n","Docker images do not allow a ",(0,s.jsx)(n.code,{children:"+"})," sign in tags, use a ",(0,s.jsx)(n.code,{children:"-"})," in the tag instead."]})}),(0,s.jsx)(n.p,{children:"Once K3s is up and running, you can copy the admin kubeconfig out of the Docker container for use:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"sudo docker cp k3s-server-1:/etc/rancher/k3s/k3s.yaml ~/.kube/config\n"})})]})]}),"\n",(0,s.jsx)(n.h2,{id:"selinux-support",children:"SELinux Support"}),"\n",(0,s.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,s.jsx)(n.p,{children:"Available as of v1.19.4+k3s1"})}),"\n",(0,s.jsx)(n.p,{children:"If you are installing K3s on a system where SELinux is enabled by default (such as CentOS), you must ensure the proper SELinux policies have been installed."}),"\n",(0,s.jsxs)(r,{children:[(0,s.jsx)(t,{value:"Automatic Installation",default:!0,children:(0,s.jsxs)(n.p,{children:["The ",(0,s.jsx)(n.a,{href:"/installation/configuration#configuration-with-install-script",children:"install script"})," will automatically install the SELinux RPM from the Rancher RPM repository if on a compatible system if not performing an air-gapped install. Automatic installation can be skipped by setting ",(0,s.jsx)(n.code,{children:"INSTALL_K3S_SKIP_SELINUX_RPM=true"}),"."]})}),(0,s.jsxs)(t,{value:"Manual Installation",default:!0,children:[(0,s.jsx)(n.p,{children:"The necessary policies can be installed with the following commands:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"yum install -y container-selinux selinux-policy-base\nyum install -y https://rpm.rancher.io/k3s/latest/common/centos/7/noarch/k3s-selinux-1.4-1.el7.noarch.rpm\n"})}),(0,s.jsxs)(n.p,{children:["To force the install script to log a warning rather than fail, you can set the following environment variable: ",(0,s.jsx)(n.code,{children:"INSTALL_K3S_SELINUX_WARN=true"}),"."]})]})]}),"\n",(0,s.jsx)(n.h3,{id:"enabling-selinux-enforcement",children:"Enabling SELinux Enforcement"}),"\n",(0,s.jsxs)(n.p,{children:["To leverage SELinux, specify the ",(0,s.jsx)(n.code,{children:"--selinux"})," flag when starting K3s servers and agents."]}),"\n",(0,s.jsxs)(n.p,{children:["This option can also be specified in the K3s ",(0,s.jsx)(n.a,{href:"/installation/configuration#configuration-file",children:"configuration file"}),"."]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"selinux: true\n"})}),"\n",(0,s.jsxs)(n.p,{children:["Using a custom ",(0,s.jsx)(n.code,{children:"--data-dir"})," under SELinux is not supported. To customize it, you would most likely need to write your own custom policy. For guidance, you could refer to the ",(0,s.jsx)(n.a,{href:"https://github.com/containers/container-selinux",children:"containers/container-selinux"})," repository, which contains the SELinux policy files for Container Runtimes, and the ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s-selinux",children:"k3s-io/k3s-selinux"})," repository, which contains the SELinux policy for K3s."]}),"\n",(0,s.jsx)(n.h2,{id:"enabling-lazy-pulling-of-estargz-experimental",children:"Enabling Lazy Pulling of eStargz (Experimental)"}),"\n",(0,s.jsx)(n.h3,{id:"whats-lazy-pulling-and-estargz",children:"What's lazy pulling and eStargz?"}),"\n",(0,s.jsxs)(n.p,{children:["Pulling images is known as one of the time-consuming steps in the container lifecycle.\nAccording to ",(0,s.jsx)(n.a,{href:"https://www.usenix.org/conference/fast16/technical-sessions/presentation/harter",children:"Harter, et al."}),","]}),"\n",(0,s.jsxs)(n.blockquote,{children:["\n",(0,s.jsx)(n.p,{children:"pulling packages accounts for 76% of container start time, but only 6.4% of that data is read"}),"\n"]}),"\n",(0,s.jsxs)(n.p,{children:["To address this issue, k3s experimentally supports ",(0,s.jsx)(n.em,{children:"lazy pulling"})," of image contents.\nThis allows k3s to start a container before the entire image has been pulled.\nInstead, the necessary chunks of contents (e.g. individual files) are fetched on-demand.\nEspecially for large images, this technique can shorten the container startup latency."]}),"\n",(0,s.jsxs)(n.p,{children:["To enable lazy pulling, the target image needs to be formatted as ",(0,s.jsx)(n.a,{href:"https://github.com/containerd/stargz-snapshotter/blob/main/docs/stargz-estargz.md",children:(0,s.jsx)(n.em,{children:"eStargz"})}),".\nThis is an OCI-alternative but 100% OCI-compatible image format for lazy pulling.\nBecause of the compatibility, eStargz can be pushed to standard container registries (e.g. ghcr.io) as well as this is ",(0,s.jsx)(n.em,{children:"still runnable"})," even on eStargz-agnostic runtimes."]}),"\n",(0,s.jsxs)(n.p,{children:["eStargz is developed based on the ",(0,s.jsx)(n.a,{href:"https://github.com/google/crfs",children:"stargz format proposed by Google CRFS project"})," but comes with practical features including content verification and performance optimization.\nFor more details about lazy pulling and eStargz, please refer to ",(0,s.jsx)(n.a,{href:"https://github.com/containerd/stargz-snapshotter",children:"Stargz Snapshotter project repository"}),"."]}),"\n",(0,s.jsx)(n.h3,{id:"configure-k3s-for-lazy-pulling-of-estargz",children:"Configure k3s for lazy pulling of eStargz"}),"\n",(0,s.jsxs)(n.p,{children:["As shown in the following, ",(0,s.jsx)(n.code,{children:"--snapshotter=stargz"})," option is needed for k3s server and agent."]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"k3s server --snapshotter=stargz\n"})}),"\n",(0,s.jsxs)(n.p,{children:["With this configuration, you can perform lazy pulling for eStargz-formatted images.\nThe following example Pod manifest uses eStargz-formatted ",(0,s.jsx)(n.code,{children:"node:13.13.0"})," image (",(0,s.jsx)(n.code,{children:"ghcr.io/stargz-containers/node:13.13.0-esgz"}),").\nWhen the stargz snapshotter is enabled, K3s performs lazy pulling for this image."]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:"apiVersion: v1\nkind: Pod\nmetadata:\n name: nodejs\nspec:\n containers:\n - name: nodejs-estargz\n image: ghcr.io/stargz-containers/node:13.13.0-esgz\n command: [\"node\"]\n args:\n - -e\n - var http = require('http');\n http.createServer(function(req, res) {\n res.writeHead(200);\n res.end('Hello World!\\n');\n }).listen(80);\n ports:\n - containerPort: 80\n"})}),"\n",(0,s.jsx)(n.h2,{id:"additional-logging-sources",children:"Additional Logging Sources"}),"\n",(0,s.jsxs)(n.p,{children:[(0,s.jsx)(n.a,{href:"https://rancher.com/docs/rancher/v2.6/en/logging/helm-chart-options/",children:"Rancher logging"})," for K3s can be installed without using Rancher. The following instructions should be executed to do so:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"helm repo add rancher-charts https://charts.rancher.io\nhelm repo update\nhelm install --create-namespace -n cattle-logging-system rancher-logging-crd rancher-charts/rancher-logging-crd\nhelm install --create-namespace -n cattle-logging-system rancher-logging --set additionalLoggingSources.k3s.enabled=true rancher-charts/rancher-logging\n"})}),"\n",(0,s.jsx)(n.h2,{id:"additional-network-policy-logging",children:"Additional Network Policy Logging"}),"\n",(0,s.jsx)(n.p,{children:"Packets dropped by network policies can be logged. The packet is sent to the iptables NFLOG action, which shows the packet details, including the network policy that blocked it."}),"\n",(0,s.jsxs)(n.p,{children:["If there is a lot of traffic, the number of log messages could be very high. To control the log rate on a per-policy basis, set the ",(0,s.jsx)(n.code,{children:"limit"})," and ",(0,s.jsx)(n.code,{children:"limit-burst"})," iptables parameters by adding the following annotations to the network policy in question:"]}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsx)(n.li,{children:(0,s.jsx)(n.code,{children:"kube-router.io/netpol-nflog-limit="})}),"\n",(0,s.jsx)(n.li,{children:(0,s.jsx)(n.code,{children:"kube-router.io/netpol-nflog-limit-burst="})}),"\n"]}),"\n",(0,s.jsxs)(n.p,{children:["Default values are ",(0,s.jsx)(n.code,{children:"limit=10/minute"})," and ",(0,s.jsx)(n.code,{children:"limit-burst=10"}),". Check the ",(0,s.jsx)(n.a,{href:"https://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO-7.html#:~:text=restrict%20the%20rate%20of%20matches",children:"iptables manual"})," for more information on the format and possible values for these fields."]}),"\n",(0,s.jsxs)(n.p,{children:["To convert NFLOG packets to log entries, install ulogd2 and configure ",(0,s.jsx)(n.code,{children:"[log1]"})," to read on ",(0,s.jsx)(n.code,{children:"group=100"}),". Then, restart the ulogd2 service for the new config to be committed.\nWhen a packet is blocked by network policy rules, a log message will appear in ",(0,s.jsx)(n.code,{children:"/var/log/ulog/syslogemu.log"}),"."]}),"\n",(0,s.jsx)(n.p,{children:"Packets sent to the NFLOG netlink socket can also be read by using command-line tools like tcpdump or tshark:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"tcpdump -ni nflog:100\n"})}),"\n",(0,s.jsxs)(n.p,{children:["While more readily available, tcpdump will not show the name of the network policy that blocked the packet. Use wireshark's tshark command instead to display the full NFLOG packet header, including the ",(0,s.jsx)(n.code,{children:"nflog.prefix"})," field that contains the policy name."]})]})}function h(e={}){const{wrapper:n}={...(0,i.a)(),...e.components};return n?(0,s.jsx)(n,{...e,children:(0,s.jsx)(d,{...e})}):d(e)}function u(e,n){throw new Error("Expected "+(n?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,n,t)=>{t.d(n,{Z:()=>a,a:()=>o});var s=t(7294);const i={},r=s.createContext(i);function o(e){const n=s.useContext(r);return s.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function a(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(i):e.components||i:o(e.components),s.createElement(r.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/41765d36.81dca32b.js b/assets/js/41765d36.81dca32b.js deleted file mode 100644 index af2271b0f..000000000 --- a/assets/js/41765d36.81dca32b.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[1615],{99:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>i,contentTitle:()=>r,default:()=>h,frontMatter:()=>s,metadata:()=>l,toc:()=>c});var a=t(5893),o=t(1151);const s={title:"Volumes and Storage"},r=void 0,l={id:"storage",title:"Volumes and Storage",description:"When deploying an application that needs to retain data, you\u2019ll need to create persistent storage. Persistent storage allows you to store application data external from the pod running your application. This storage practice allows you to maintain application data, even if the application\u2019s pod fails.",source:"@site/docs/storage.md",sourceDirName:".",slug:"/storage",permalink:"/storage",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/storage.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Volumes and Storage"},sidebar:"mySidebar",previous:{title:"Cluster Access",permalink:"/cluster-access"},next:{title:"Networking",permalink:"/networking/"}},i={},c=[{value:"What's different about K3s storage?",id:"whats-different-about-k3s-storage",level:2},{value:"Setting up the Local Storage Provider",id:"setting-up-the-local-storage-provider",level:2},{value:"pvc.yaml",id:"pvcyaml",level:3},{value:"pod.yaml",id:"podyaml",level:3},{value:"Setting up Longhorn",id:"setting-up-longhorn",level:2},{value:"pvc.yaml",id:"pvcyaml-1",level:3},{value:"pod.yaml",id:"podyaml-1",level:3}];function d(e){const n={a:"a",admonition:"admonition",code:"code",h2:"h2",h3:"h3",li:"li",p:"p",pre:"pre",ul:"ul",...(0,o.a)(),...e.components};return(0,a.jsxs)(a.Fragment,{children:[(0,a.jsx)(n.p,{children:"When deploying an application that needs to retain data, you\u2019ll need to create persistent storage. Persistent storage allows you to store application data external from the pod running your application. This storage practice allows you to maintain application data, even if the application\u2019s pod fails."}),"\n",(0,a.jsxs)(n.p,{children:["A persistent volume (PV) is a piece of storage in the Kubernetes cluster, while a persistent volume claim (PVC) is a request for storage. For details on how PVs and PVCs work, refer to the official Kubernetes documentation on ",(0,a.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/storage/volumes/",children:"storage."})]}),"\n",(0,a.jsxs)(n.p,{children:["This page describes how to set up persistent storage with a local storage provider, or with ",(0,a.jsx)(n.a,{href:"#setting-up-longhorn",children:"Longhorn."})]}),"\n",(0,a.jsx)(n.h2,{id:"whats-different-about-k3s-storage",children:"What's different about K3s storage?"}),"\n",(0,a.jsx)(n.p,{children:'K3s removes several optional volume plugins and all built-in (sometimes referred to as "in-tree") cloud providers. We do this in order to achieve a smaller binary size and to avoid dependence on third-party cloud or data center technologies and services, which may not be available in many K3s use cases. We are able to do this because their removal affects neither core Kubernetes functionality nor conformance.'}),"\n",(0,a.jsx)(n.p,{children:"The following volume plugins have been removed from K3s:"}),"\n",(0,a.jsxs)(n.ul,{children:["\n",(0,a.jsx)(n.li,{children:"cephfs"}),"\n",(0,a.jsx)(n.li,{children:"fc"}),"\n",(0,a.jsx)(n.li,{children:"flocker"}),"\n",(0,a.jsx)(n.li,{children:"git_repo"}),"\n",(0,a.jsx)(n.li,{children:"glusterfs"}),"\n",(0,a.jsx)(n.li,{children:"portworx"}),"\n",(0,a.jsx)(n.li,{children:"quobyte"}),"\n",(0,a.jsx)(n.li,{children:"rbd"}),"\n",(0,a.jsx)(n.li,{children:"storageos"}),"\n"]}),"\n",(0,a.jsxs)(n.p,{children:["Both components have out-of-tree alternatives that can be used with K3s: The Kubernetes ",(0,a.jsx)(n.a,{href:"https://github.com/container-storage-interface/spec/blob/master/spec.md",children:"Container Storage Interface (CSI)"})," and ",(0,a.jsx)(n.a,{href:"https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/",children:"Cloud Provider Interface (CPI)"}),"."]}),"\n",(0,a.jsxs)(n.p,{children:["Kubernetes maintainers are actively migrating in-tree volume plugins to CSI drivers. For more information on this migration, please refer ",(0,a.jsx)(n.a,{href:"https://kubernetes.io/blog/2021/12/10/storage-in-tree-to-csi-migration-status-update/",children:"here"}),"."]}),"\n",(0,a.jsx)(n.h2,{id:"setting-up-the-local-storage-provider",children:"Setting up the Local Storage Provider"}),"\n",(0,a.jsxs)(n.p,{children:["K3s comes with Rancher's Local Path Provisioner and this enables the ability to create persistent volume claims out of the box using local storage on the respective node. Below we cover a simple example. For more information please reference the official documentation ",(0,a.jsx)(n.a,{href:"https://github.com/rancher/local-path-provisioner/blob/master/README.md#usage",children:"here"}),"."]}),"\n",(0,a.jsx)(n.p,{children:"Create a hostPath backed persistent volume claim and a pod to utilize it:"}),"\n",(0,a.jsx)(n.h3,{id:"pvcyaml",children:"pvc.yaml"}),"\n",(0,a.jsx)(n.pre,{children:(0,a.jsx)(n.code,{className:"language-yaml",children:"apiVersion: v1\nkind: PersistentVolumeClaim\nmetadata:\n name: local-path-pvc\n namespace: default\nspec:\n accessModes:\n - ReadWriteOnce\n storageClassName: local-path\n resources:\n requests:\n storage: 2Gi\n"})}),"\n",(0,a.jsx)(n.h3,{id:"podyaml",children:"pod.yaml"}),"\n",(0,a.jsx)(n.pre,{children:(0,a.jsx)(n.code,{className:"language-yaml",children:"apiVersion: v1\nkind: Pod\nmetadata:\n name: volume-test\n namespace: default\nspec:\n containers:\n - name: volume-test\n image: nginx:stable-alpine\n imagePullPolicy: IfNotPresent\n volumeMounts:\n - name: volv\n mountPath: /data\n ports:\n - containerPort: 80\n volumes:\n - name: volv\n persistentVolumeClaim:\n claimName: local-path-pvc\n"})}),"\n",(0,a.jsx)(n.p,{children:"Apply the yaml:"}),"\n",(0,a.jsx)(n.pre,{children:(0,a.jsx)(n.code,{className:"language-bash",children:"kubectl create -f pvc.yaml\nkubectl create -f pod.yaml\n"})}),"\n",(0,a.jsx)(n.p,{children:"Confirm the PV and PVC are created:"}),"\n",(0,a.jsx)(n.pre,{children:(0,a.jsx)(n.code,{className:"language-bash",children:"kubectl get pv\nkubectl get pvc\n"})}),"\n",(0,a.jsx)(n.p,{children:"The status should be Bound for each."}),"\n",(0,a.jsx)(n.h2,{id:"setting-up-longhorn",children:"Setting up Longhorn"}),"\n",(0,a.jsx)(n.admonition,{type:"warning",children:(0,a.jsx)(n.p,{children:"Longhorn does not support ARM32."})}),"\n",(0,a.jsxs)(n.p,{children:["K3s supports ",(0,a.jsx)(n.a,{href:"https://github.com/longhorn/longhorn",children:"Longhorn"}),", an open-source distributed block storage system for Kubernetes."]}),"\n",(0,a.jsxs)(n.p,{children:["Below we cover a simple example. For more information, refer to the ",(0,a.jsx)(n.a,{href:"https://longhorn.io/docs/latest/",children:"official documentation"}),"."]}),"\n",(0,a.jsx)(n.p,{children:"Apply the longhorn.yaml to install Longhorn:"}),"\n",(0,a.jsx)(n.pre,{children:(0,a.jsx)(n.code,{className:"language-bash",children:"kubectl apply -f https://raw.githubusercontent.com/longhorn/longhorn/v1.6.0/deploy/longhorn.yaml\n"})}),"\n",(0,a.jsxs)(n.p,{children:["Longhorn will be installed in the namespace ",(0,a.jsx)(n.code,{children:"longhorn-system"}),"."]}),"\n",(0,a.jsx)(n.p,{children:"Apply the yaml to create the PVC and pod:"}),"\n",(0,a.jsx)(n.pre,{children:(0,a.jsx)(n.code,{className:"language-bash",children:"kubectl create -f pvc.yaml\nkubectl create -f pod.yaml\n"})}),"\n",(0,a.jsx)(n.h3,{id:"pvcyaml-1",children:"pvc.yaml"}),"\n",(0,a.jsx)(n.pre,{children:(0,a.jsx)(n.code,{className:"language-yaml",children:"apiVersion: v1\nkind: PersistentVolumeClaim\nmetadata:\n name: longhorn-volv-pvc\nspec:\n accessModes:\n - ReadWriteOnce\n storageClassName: longhorn\n resources:\n requests:\n storage: 2Gi\n"})}),"\n",(0,a.jsx)(n.h3,{id:"podyaml-1",children:"pod.yaml"}),"\n",(0,a.jsx)(n.pre,{children:(0,a.jsx)(n.code,{className:"language-yaml",children:"apiVersion: v1\nkind: Pod\nmetadata:\n name: volume-test\n namespace: default\nspec:\n containers:\n - name: volume-test\n image: nginx:stable-alpine\n imagePullPolicy: IfNotPresent\n volumeMounts:\n - name: volv\n mountPath: /data\n ports:\n - containerPort: 80\n volumes:\n - name: volv\n persistentVolumeClaim:\n claimName: longhorn-volv-pvc\n"})}),"\n",(0,a.jsx)(n.p,{children:"Confirm the PV and PVC are created:"}),"\n",(0,a.jsx)(n.pre,{children:(0,a.jsx)(n.code,{className:"language-bash",children:"kubectl get pv\nkubectl get pvc\n"})}),"\n",(0,a.jsx)(n.p,{children:"The status should be Bound for each."})]})}function h(e={}){const{wrapper:n}={...(0,o.a)(),...e.components};return n?(0,a.jsx)(n,{...e,children:(0,a.jsx)(d,{...e})}):d(e)}},1151:(e,n,t)=>{t.d(n,{Z:()=>l,a:()=>r});var a=t(7294);const o={},s=a.createContext(o);function r(e){const n=a.useContext(s);return a.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function l(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(o):e.components||o:r(e.components),a.createElement(s.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/41765d36.97e3cb18.js b/assets/js/41765d36.97e3cb18.js new file mode 100644 index 000000000..fedce0e8e --- /dev/null +++ b/assets/js/41765d36.97e3cb18.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[1615],{99:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>i,contentTitle:()=>r,default:()=>h,frontMatter:()=>s,metadata:()=>l,toc:()=>c});var a=t(5893),o=t(1151);const s={title:"Volumes and Storage"},r=void 0,l={id:"storage",title:"Volumes and Storage",description:"When deploying an application that needs to retain data, you\u2019ll need to create persistent storage. Persistent storage allows you to store application data external from the pod running your application. This storage practice allows you to maintain application data, even if the application\u2019s pod fails.",source:"@site/docs/storage.md",sourceDirName:".",slug:"/storage",permalink:"/storage",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/storage.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Volumes and Storage"},sidebar:"mySidebar",previous:{title:"Cluster Access",permalink:"/cluster-access"},next:{title:"Networking",permalink:"/networking/"}},i={},c=[{value:"What's different about K3s storage?",id:"whats-different-about-k3s-storage",level:2},{value:"Setting up the Local Storage Provider",id:"setting-up-the-local-storage-provider",level:2},{value:"pvc.yaml",id:"pvcyaml",level:3},{value:"pod.yaml",id:"podyaml",level:3},{value:"Setting up Longhorn",id:"setting-up-longhorn",level:2},{value:"pvc.yaml",id:"pvcyaml-1",level:3},{value:"pod.yaml",id:"podyaml-1",level:3}];function d(e){const n={a:"a",admonition:"admonition",code:"code",h2:"h2",h3:"h3",li:"li",p:"p",pre:"pre",ul:"ul",...(0,o.a)(),...e.components};return(0,a.jsxs)(a.Fragment,{children:[(0,a.jsx)(n.p,{children:"When deploying an application that needs to retain data, you\u2019ll need to create persistent storage. Persistent storage allows you to store application data external from the pod running your application. This storage practice allows you to maintain application data, even if the application\u2019s pod fails."}),"\n",(0,a.jsxs)(n.p,{children:["A persistent volume (PV) is a piece of storage in the Kubernetes cluster, while a persistent volume claim (PVC) is a request for storage. For details on how PVs and PVCs work, refer to the official Kubernetes documentation on ",(0,a.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/storage/volumes/",children:"storage."})]}),"\n",(0,a.jsxs)(n.p,{children:["This page describes how to set up persistent storage with a local storage provider, or with ",(0,a.jsx)(n.a,{href:"#setting-up-longhorn",children:"Longhorn."})]}),"\n",(0,a.jsx)(n.h2,{id:"whats-different-about-k3s-storage",children:"What's different about K3s storage?"}),"\n",(0,a.jsx)(n.p,{children:'K3s removes several optional volume plugins and all built-in (sometimes referred to as "in-tree") cloud providers. We do this in order to achieve a smaller binary size and to avoid dependence on third-party cloud or data center technologies and services, which may not be available in many K3s use cases. We are able to do this because their removal affects neither core Kubernetes functionality nor conformance.'}),"\n",(0,a.jsx)(n.p,{children:"The following volume plugins have been removed from K3s:"}),"\n",(0,a.jsxs)(n.ul,{children:["\n",(0,a.jsx)(n.li,{children:"cephfs"}),"\n",(0,a.jsx)(n.li,{children:"fc"}),"\n",(0,a.jsx)(n.li,{children:"flocker"}),"\n",(0,a.jsx)(n.li,{children:"git_repo"}),"\n",(0,a.jsx)(n.li,{children:"glusterfs"}),"\n",(0,a.jsx)(n.li,{children:"portworx"}),"\n",(0,a.jsx)(n.li,{children:"quobyte"}),"\n",(0,a.jsx)(n.li,{children:"rbd"}),"\n",(0,a.jsx)(n.li,{children:"storageos"}),"\n"]}),"\n",(0,a.jsxs)(n.p,{children:["Both components have out-of-tree alternatives that can be used with K3s: The Kubernetes ",(0,a.jsx)(n.a,{href:"https://github.com/container-storage-interface/spec/blob/master/spec.md",children:"Container Storage Interface (CSI)"})," and ",(0,a.jsx)(n.a,{href:"https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/",children:"Cloud Provider Interface (CPI)"}),"."]}),"\n",(0,a.jsxs)(n.p,{children:["Kubernetes maintainers are actively migrating in-tree volume plugins to CSI drivers. For more information on this migration, please refer ",(0,a.jsx)(n.a,{href:"https://kubernetes.io/blog/2021/12/10/storage-in-tree-to-csi-migration-status-update/",children:"here"}),"."]}),"\n",(0,a.jsx)(n.h2,{id:"setting-up-the-local-storage-provider",children:"Setting up the Local Storage Provider"}),"\n",(0,a.jsxs)(n.p,{children:["K3s comes with Rancher's Local Path Provisioner and this enables the ability to create persistent volume claims out of the box using local storage on the respective node. Below we cover a simple example. For more information please reference the official documentation ",(0,a.jsx)(n.a,{href:"https://github.com/rancher/local-path-provisioner/blob/master/README.md#usage",children:"here"}),"."]}),"\n",(0,a.jsx)(n.p,{children:"Create a hostPath backed persistent volume claim and a pod to utilize it:"}),"\n",(0,a.jsx)(n.h3,{id:"pvcyaml",children:"pvc.yaml"}),"\n",(0,a.jsx)(n.pre,{children:(0,a.jsx)(n.code,{className:"language-yaml",children:"apiVersion: v1\nkind: PersistentVolumeClaim\nmetadata:\n name: local-path-pvc\n namespace: default\nspec:\n accessModes:\n - ReadWriteOnce\n storageClassName: local-path\n resources:\n requests:\n storage: 2Gi\n"})}),"\n",(0,a.jsx)(n.h3,{id:"podyaml",children:"pod.yaml"}),"\n",(0,a.jsx)(n.pre,{children:(0,a.jsx)(n.code,{className:"language-yaml",children:"apiVersion: v1\nkind: Pod\nmetadata:\n name: volume-test\n namespace: default\nspec:\n containers:\n - name: volume-test\n image: nginx:stable-alpine\n imagePullPolicy: IfNotPresent\n volumeMounts:\n - name: volv\n mountPath: /data\n ports:\n - containerPort: 80\n volumes:\n - name: volv\n persistentVolumeClaim:\n claimName: local-path-pvc\n"})}),"\n",(0,a.jsx)(n.p,{children:"Apply the yaml:"}),"\n",(0,a.jsx)(n.pre,{children:(0,a.jsx)(n.code,{className:"language-bash",children:"kubectl create -f pvc.yaml\nkubectl create -f pod.yaml\n"})}),"\n",(0,a.jsx)(n.p,{children:"Confirm the PV and PVC are created:"}),"\n",(0,a.jsx)(n.pre,{children:(0,a.jsx)(n.code,{className:"language-bash",children:"kubectl get pv\nkubectl get pvc\n"})}),"\n",(0,a.jsx)(n.p,{children:"The status should be Bound for each."}),"\n",(0,a.jsx)(n.h2,{id:"setting-up-longhorn",children:"Setting up Longhorn"}),"\n",(0,a.jsx)(n.admonition,{type:"warning",children:(0,a.jsx)(n.p,{children:"Longhorn does not support ARM32."})}),"\n",(0,a.jsxs)(n.p,{children:["K3s supports ",(0,a.jsx)(n.a,{href:"https://github.com/longhorn/longhorn",children:"Longhorn"}),", an open-source distributed block storage system for Kubernetes."]}),"\n",(0,a.jsxs)(n.p,{children:["Below we cover a simple example. For more information, refer to the ",(0,a.jsx)(n.a,{href:"https://longhorn.io/docs/latest/",children:"official documentation"}),"."]}),"\n",(0,a.jsx)(n.p,{children:"Apply the longhorn.yaml to install Longhorn:"}),"\n",(0,a.jsx)(n.pre,{children:(0,a.jsx)(n.code,{className:"language-bash",children:"kubectl apply -f https://raw.githubusercontent.com/longhorn/longhorn/v1.6.0/deploy/longhorn.yaml\n"})}),"\n",(0,a.jsxs)(n.p,{children:["Longhorn will be installed in the namespace ",(0,a.jsx)(n.code,{children:"longhorn-system"}),"."]}),"\n",(0,a.jsx)(n.p,{children:"Apply the yaml to create the PVC and pod:"}),"\n",(0,a.jsx)(n.pre,{children:(0,a.jsx)(n.code,{className:"language-bash",children:"kubectl create -f pvc.yaml\nkubectl create -f pod.yaml\n"})}),"\n",(0,a.jsx)(n.h3,{id:"pvcyaml-1",children:"pvc.yaml"}),"\n",(0,a.jsx)(n.pre,{children:(0,a.jsx)(n.code,{className:"language-yaml",children:"apiVersion: v1\nkind: PersistentVolumeClaim\nmetadata:\n name: longhorn-volv-pvc\nspec:\n accessModes:\n - ReadWriteOnce\n storageClassName: longhorn\n resources:\n requests:\n storage: 2Gi\n"})}),"\n",(0,a.jsx)(n.h3,{id:"podyaml-1",children:"pod.yaml"}),"\n",(0,a.jsx)(n.pre,{children:(0,a.jsx)(n.code,{className:"language-yaml",children:"apiVersion: v1\nkind: Pod\nmetadata:\n name: volume-test\n namespace: default\nspec:\n containers:\n - name: volume-test\n image: nginx:stable-alpine\n imagePullPolicy: IfNotPresent\n volumeMounts:\n - name: volv\n mountPath: /data\n ports:\n - containerPort: 80\n volumes:\n - name: volv\n persistentVolumeClaim:\n claimName: longhorn-volv-pvc\n"})}),"\n",(0,a.jsx)(n.p,{children:"Confirm the PV and PVC are created:"}),"\n",(0,a.jsx)(n.pre,{children:(0,a.jsx)(n.code,{className:"language-bash",children:"kubectl get pv\nkubectl get pvc\n"})}),"\n",(0,a.jsx)(n.p,{children:"The status should be Bound for each."})]})}function h(e={}){const{wrapper:n}={...(0,o.a)(),...e.components};return n?(0,a.jsx)(n,{...e,children:(0,a.jsx)(d,{...e})}):d(e)}},1151:(e,n,t)=>{t.d(n,{Z:()=>l,a:()=>r});var a=t(7294);const o={},s=a.createContext(o);function r(e){const n=a.useContext(s);return a.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function l(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(o):e.components||o:r(e.components),a.createElement(s.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/43077f1d.9534ceb0.js b/assets/js/43077f1d.9534ceb0.js new file mode 100644 index 000000000..023baaf30 --- /dev/null +++ b/assets/js/43077f1d.9534ceb0.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[8397],{8104:(e,t,s)=>{s.r(t),s.d(t,{assets:()=>i,contentTitle:()=>o,default:()=>h,frontMatter:()=>r,metadata:()=>l,toc:()=>a});var c=s(5893),n=s(1151);const r={title:"Cluster Access"},o=void 0,l={id:"cluster-access",title:"Cluster Access",description:"The kubeconfig file stored at /etc/rancher/k3s/k3s.yaml is used to configure access to the Kubernetes cluster. If you have installed upstream Kubernetes command line tools such as kubectl or helm you will need to configure them with the correct kubeconfig path. This can be done by either exporting the KUBECONFIG environment variable or by invoking the --kubeconfig command line flag. Refer to the examples below for details.",source:"@site/docs/cluster-access.md",sourceDirName:".",slug:"/cluster-access",permalink:"/cluster-access",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/cluster-access.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Cluster Access"},sidebar:"mySidebar",previous:{title:"Architecture",permalink:"/architecture"},next:{title:"Volumes and Storage",permalink:"/storage"}},i={},a=[{value:"Accessing the Cluster from Outside with kubectl",id:"accessing-the-cluster-from-outside-with-kubectl",level:3}];function u(e){const t={code:"code",h3:"h3",p:"p",pre:"pre",...(0,n.a)(),...e.components};return(0,c.jsxs)(c.Fragment,{children:[(0,c.jsxs)(t.p,{children:["The kubeconfig file stored at ",(0,c.jsx)(t.code,{children:"/etc/rancher/k3s/k3s.yaml"})," is used to configure access to the Kubernetes cluster. If you have installed upstream Kubernetes command line tools such as kubectl or helm you will need to configure them with the correct kubeconfig path. This can be done by either exporting the ",(0,c.jsx)(t.code,{children:"KUBECONFIG"})," environment variable or by invoking the ",(0,c.jsx)(t.code,{children:"--kubeconfig"})," command line flag. Refer to the examples below for details."]}),"\n",(0,c.jsx)(t.p,{children:"Leverage the KUBECONFIG environment variable:"}),"\n",(0,c.jsx)(t.pre,{children:(0,c.jsx)(t.code,{className:"language-bash",children:"export KUBECONFIG=/etc/rancher/k3s/k3s.yaml\nkubectl get pods --all-namespaces\nhelm ls --all-namespaces\n"})}),"\n",(0,c.jsx)(t.p,{children:"Or specify the location of the kubeconfig file in the command:"}),"\n",(0,c.jsx)(t.pre,{children:(0,c.jsx)(t.code,{className:"language-bash",children:"kubectl --kubeconfig /etc/rancher/k3s/k3s.yaml get pods --all-namespaces\nhelm --kubeconfig /etc/rancher/k3s/k3s.yaml ls --all-namespaces\n"})}),"\n",(0,c.jsx)(t.h3,{id:"accessing-the-cluster-from-outside-with-kubectl",children:"Accessing the Cluster from Outside with kubectl"}),"\n",(0,c.jsxs)(t.p,{children:["Copy ",(0,c.jsx)(t.code,{children:"/etc/rancher/k3s/k3s.yaml"})," on your machine located outside the cluster as ",(0,c.jsx)(t.code,{children:"~/.kube/config"}),". Then replace the value of the ",(0,c.jsx)(t.code,{children:"server"})," field with the IP or name of your K3s server. ",(0,c.jsx)(t.code,{children:"kubectl"})," can now manage your K3s cluster."]})]})}function h(e={}){const{wrapper:t}={...(0,n.a)(),...e.components};return t?(0,c.jsx)(t,{...e,children:(0,c.jsx)(u,{...e})}):u(e)}},1151:(e,t,s)=>{s.d(t,{Z:()=>l,a:()=>o});var c=s(7294);const n={},r=c.createContext(n);function o(e){const t=c.useContext(r);return c.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function l(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:o(e.components),c.createElement(r.Provider,{value:t},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/43077f1d.e04b7c2a.js b/assets/js/43077f1d.e04b7c2a.js deleted file mode 100644 index cb2a82c4d..000000000 --- a/assets/js/43077f1d.e04b7c2a.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[8397],{8104:(e,t,s)=>{s.r(t),s.d(t,{assets:()=>i,contentTitle:()=>o,default:()=>h,frontMatter:()=>r,metadata:()=>l,toc:()=>a});var c=s(5893),n=s(1151);const r={title:"Cluster Access"},o=void 0,l={id:"cluster-access",title:"Cluster Access",description:"The kubeconfig file stored at /etc/rancher/k3s/k3s.yaml is used to configure access to the Kubernetes cluster. If you have installed upstream Kubernetes command line tools such as kubectl or helm you will need to configure them with the correct kubeconfig path. This can be done by either exporting the KUBECONFIG environment variable or by invoking the --kubeconfig command line flag. Refer to the examples below for details.",source:"@site/docs/cluster-access.md",sourceDirName:".",slug:"/cluster-access",permalink:"/cluster-access",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/cluster-access.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Cluster Access"},sidebar:"mySidebar",previous:{title:"Architecture",permalink:"/architecture"},next:{title:"Volumes and Storage",permalink:"/storage"}},i={},a=[{value:"Accessing the Cluster from Outside with kubectl",id:"accessing-the-cluster-from-outside-with-kubectl",level:3}];function u(e){const t={code:"code",h3:"h3",p:"p",pre:"pre",...(0,n.a)(),...e.components};return(0,c.jsxs)(c.Fragment,{children:[(0,c.jsxs)(t.p,{children:["The kubeconfig file stored at ",(0,c.jsx)(t.code,{children:"/etc/rancher/k3s/k3s.yaml"})," is used to configure access to the Kubernetes cluster. If you have installed upstream Kubernetes command line tools such as kubectl or helm you will need to configure them with the correct kubeconfig path. This can be done by either exporting the ",(0,c.jsx)(t.code,{children:"KUBECONFIG"})," environment variable or by invoking the ",(0,c.jsx)(t.code,{children:"--kubeconfig"})," command line flag. Refer to the examples below for details."]}),"\n",(0,c.jsx)(t.p,{children:"Leverage the KUBECONFIG environment variable:"}),"\n",(0,c.jsx)(t.pre,{children:(0,c.jsx)(t.code,{className:"language-bash",children:"export KUBECONFIG=/etc/rancher/k3s/k3s.yaml\nkubectl get pods --all-namespaces\nhelm ls --all-namespaces\n"})}),"\n",(0,c.jsx)(t.p,{children:"Or specify the location of the kubeconfig file in the command:"}),"\n",(0,c.jsx)(t.pre,{children:(0,c.jsx)(t.code,{className:"language-bash",children:"kubectl --kubeconfig /etc/rancher/k3s/k3s.yaml get pods --all-namespaces\nhelm --kubeconfig /etc/rancher/k3s/k3s.yaml ls --all-namespaces\n"})}),"\n",(0,c.jsx)(t.h3,{id:"accessing-the-cluster-from-outside-with-kubectl",children:"Accessing the Cluster from Outside with kubectl"}),"\n",(0,c.jsxs)(t.p,{children:["Copy ",(0,c.jsx)(t.code,{children:"/etc/rancher/k3s/k3s.yaml"})," on your machine located outside the cluster as ",(0,c.jsx)(t.code,{children:"~/.kube/config"}),". Then replace the value of the ",(0,c.jsx)(t.code,{children:"server"})," field with the IP or name of your K3s server. ",(0,c.jsx)(t.code,{children:"kubectl"})," can now manage your K3s cluster."]})]})}function h(e={}){const{wrapper:t}={...(0,n.a)(),...e.components};return t?(0,c.jsx)(t,{...e,children:(0,c.jsx)(u,{...e})}):u(e)}},1151:(e,t,s)=>{s.d(t,{Z:()=>l,a:()=>o});var c=s(7294);const n={},r=c.createContext(n);function o(e){const t=c.useContext(r);return c.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function l(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:o(e.components),c.createElement(r.Provider,{value:t},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/43e5cb58.074c5ba0.js b/assets/js/43e5cb58.074c5ba0.js deleted file mode 100644 index cdb30f61c..000000000 --- a/assets/js/43e5cb58.074c5ba0.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[4804],{8446:(e,n,r)=>{r.r(n),r.d(n,{assets:()=>a,contentTitle:()=>l,default:()=>h,frontMatter:()=>t,metadata:()=>s,toc:()=>d});var o=r(5893),i=r(1151);const t={title:"Networking Services"},l=void 0,s={id:"networking/networking-services",title:"Networking Services",description:"This page explains how CoreDNS, Traefik Ingress controller, Network Policy controller, and ServiceLB load balancer controller work within K3s.",source:"@site/docs/networking/networking-services.md",sourceDirName:"networking",slug:"/networking/networking-services",permalink:"/networking/networking-services",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/networking/networking-services.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Networking Services"},sidebar:"mySidebar",previous:{title:"Multus and IPAM plugins",permalink:"/networking/multus-ipams"},next:{title:"Helm",permalink:"/helm"}},a={},d=[{value:"CoreDNS",id:"coredns",level:2},{value:"Traefik Ingress Controller",id:"traefik-ingress-controller",level:2},{value:"Network Policy Controller",id:"network-policy-controller",level:2},{value:"Service Load Balancer",id:"service-load-balancer",level:2},{value:"How ServiceLB Works",id:"how-servicelb-works",level:3},{value:"Usage",id:"usage",level:3},{value:"Controlling ServiceLB Node Selection",id:"controlling-servicelb-node-selection",level:3},{value:"Creating ServiceLB Node Pools",id:"creating-servicelb-node-pools",level:3},{value:"Disabling ServiceLB",id:"disabling-servicelb",level:3},{value:"Deploying an External Cloud Controller Manager",id:"deploying-an-external-cloud-controller-manager",level:2}];function c(e){const n={a:"a",admonition:"admonition",code:"code",h2:"h2",h3:"h3",li:"li",ol:"ol",p:"p",pre:"pre",ul:"ul",...(0,i.a)(),...e.components};return(0,o.jsxs)(o.Fragment,{children:[(0,o.jsx)(n.p,{children:"This page explains how CoreDNS, Traefik Ingress controller, Network Policy controller, and ServiceLB load balancer controller work within K3s."}),"\n",(0,o.jsxs)(n.p,{children:["Refer to the ",(0,o.jsx)(n.a,{href:"/networking/basic-network-options",children:"Installation Network Options"})," page for details on Flannel configuration options and backend selection, or how to set up your own CNI."]}),"\n",(0,o.jsxs)(n.p,{children:["For information on which ports need to be opened for K3s, refer to the ",(0,o.jsx)(n.a,{href:"/installation/requirements#networking",children:"Networking Requirements"}),"."]}),"\n",(0,o.jsx)(n.h2,{id:"coredns",children:"CoreDNS"}),"\n",(0,o.jsxs)(n.p,{children:["CoreDNS is deployed automatically on server startup. To disable it, configure all servers in the cluster with the ",(0,o.jsx)(n.code,{children:"--disable=coredns"})," option."]}),"\n",(0,o.jsx)(n.p,{children:"If you don't install CoreDNS, you will need to install a cluster DNS provider yourself."}),"\n",(0,o.jsx)(n.h2,{id:"traefik-ingress-controller",children:"Traefik Ingress Controller"}),"\n",(0,o.jsxs)(n.p,{children:[(0,o.jsx)(n.a,{href:"https://traefik.io/",children:"Traefik"})," is a modern HTTP reverse proxy and load balancer made to deploy microservices with ease. It simplifies networking complexity while designing, deploying, and running applications."]}),"\n",(0,o.jsx)(n.p,{children:"The Traefik ingress controller deploys a LoadBalancer Service that uses ports 80 and 443, advertises the LoadBalancer Service's External IPs in the Status of Ingress resources it manages."}),"\n",(0,o.jsx)(n.p,{children:"By default, ServiceLB will use all nodes in the cluster to host the Traefik LoadBalancer Service, meaning ports 80 and 443 will not be usable for other HostPort or NodePort pods, and Ingress resources' Status will show all cluster members' node IPs."}),"\n",(0,o.jsxs)(n.p,{children:["To restrict the nodes used by Traefik, and by extension the node IPs advertised in the Ingress Status, you can follow the instructions in the ",(0,o.jsx)(n.a,{href:"#controlling-servicelb-node-selection",children:"Controlling ServiceLB Node Selection"})," section below to limit what nodes ServiceLB runs on, or by adding some nodes to a LoadBalancer pool and restricting the Traefik Service to that pool by setting matching labels in the Traefik HelmChartConfig."]}),"\n",(0,o.jsxs)(n.p,{children:["Traefik is deployed by default when starting the server. For more information see ",(0,o.jsx)(n.a,{href:"/installation/packaged-components",children:"Managing Packaged Components"}),". The default config file is found in ",(0,o.jsx)(n.code,{children:"/var/lib/rancher/k3s/server/manifests/traefik.yaml"}),"."]}),"\n",(0,o.jsxs)(n.p,{children:["The ",(0,o.jsx)(n.code,{children:"traefik.yaml"})," file should not be edited manually, as K3s will replace the file with defaults at startup. Instead, you should customize Traefik by creating an additional ",(0,o.jsx)(n.code,{children:"HelmChartConfig"})," manifest in ",(0,o.jsx)(n.code,{children:"/var/lib/rancher/k3s/server/manifests"}),". For more details and an example see ",(0,o.jsx)(n.a,{href:"/helm#customizing-packaged-components-with-helmchartconfig",children:"Customizing Packaged Components with HelmChartConfig"}),". For more information on the possible configuration values, refer to the official ",(0,o.jsx)(n.a,{href:"https://github.com/traefik/traefik-helm-chart/tree/master/traefik",children:"Traefik Helm Configuration Parameters."}),"."]}),"\n",(0,o.jsxs)(n.p,{children:["To remove Traefik from your cluster, start all servers with the ",(0,o.jsx)(n.code,{children:"--disable=traefik"})," flag."]}),"\n",(0,o.jsx)(n.p,{children:"K3s includes Traefik v2. K3s versions 1.21 through 1.30 install Traefik v2, unless an existing installation of Traefik v1 is found, in which case Traefik is not upgraded to v2. K3s versions 1.20 and earlier include Traefik v1. For more information on the specific version of Traefik included with K3s, consult the Release Notes for your version."}),"\n",(0,o.jsxs)(n.p,{children:["To migrate from an older Traefik v1 instance please refer to the ",(0,o.jsx)(n.a,{href:"https://doc.traefik.io/traefik/migration/v1-to-v2/",children:"Traefik documentation"})," and ",(0,o.jsx)(n.a,{href:"https://github.com/traefik/traefik-migration-tool",children:"migration tool"}),"."]}),"\n",(0,o.jsx)(n.h2,{id:"network-policy-controller",children:"Network Policy Controller"}),"\n",(0,o.jsxs)(n.p,{children:["K3s includes an embedded network policy controller. The underlying implementation is ",(0,o.jsx)(n.a,{href:"https://github.com/cloudnativelabs/kube-router",children:"kube-router's"})," netpol controller library (no other kube-router functionality is present) and can be found ",(0,o.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/tree/master/pkg/agent/netpol",children:"here"}),"."]}),"\n",(0,o.jsxs)(n.p,{children:["To disable it, start each server with the ",(0,o.jsx)(n.code,{children:"--disable-network-policy"})," flag."]}),"\n",(0,o.jsxs)(n.admonition,{type:"note",children:[(0,o.jsxs)(n.p,{children:["Network policy iptables rules are not removed if the K3s configuration is changed to disable the network policy controller. To clean up the configured kube-router network policy rules after disabling the network policy controller, use the ",(0,o.jsx)(n.code,{children:"k3s-killall.sh"})," script, or clean them using ",(0,o.jsx)(n.code,{children:"iptables-save"})," and ",(0,o.jsx)(n.code,{children:"iptables-restore"}),". These steps must be run manually on all nodes in the cluster."]}),(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{children:"iptables-save | grep -v KUBE-ROUTER | iptables-restore\nip6tables-save | grep -v KUBE-ROUTER | ip6tables-restore\n"})})]}),"\n",(0,o.jsx)(n.h2,{id:"service-load-balancer",children:"Service Load Balancer"}),"\n",(0,o.jsxs)(n.p,{children:["Any LoadBalancer controller can be deployed to your K3s cluster. By default, K3s provides a load balancer known as ",(0,o.jsx)(n.a,{href:"https://github.com/k3s-io/klipper-lb",children:"ServiceLB"})," (formerly Klipper LoadBalancer) that uses available host ports."]}),"\n",(0,o.jsxs)(n.p,{children:["Upstream Kubernetes allows Services of type LoadBalancer to be created, but doesn't include a default load balancer implementation, so these services will remain ",(0,o.jsx)(n.code,{children:"pending"})," until one is installed. Many hosted services require a cloud provider such as Amazon EC2 or Microsoft Azure to offer an external load balancer implementation. By contrast, the K3s ServiceLB makes it possible to use LoadBalancer Services without a cloud provider or any additional configuration."]}),"\n",(0,o.jsx)(n.h3,{id:"how-servicelb-works",children:"How ServiceLB Works"}),"\n",(0,o.jsxs)(n.p,{children:["The ServiceLB controller watches Kubernetes ",(0,o.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/services-networking/service/",children:"Services"})," with the ",(0,o.jsx)(n.code,{children:"spec.type"})," field set to ",(0,o.jsx)(n.code,{children:"LoadBalancer"}),"."]}),"\n",(0,o.jsxs)(n.p,{children:["For each LoadBalancer Service, a ",(0,o.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/",children:"DaemonSet"})," is created in the ",(0,o.jsx)(n.code,{children:"kube-system"})," namespace. This DaemonSet in turn creates Pods with a ",(0,o.jsx)(n.code,{children:"svc-"})," prefix, on each node. These Pods use iptables to forward traffic from the Pod's NodePort, to the Service's ClusterIP address and port."]}),"\n",(0,o.jsxs)(n.p,{children:["If the ServiceLB Pod runs on a node that has an external IP configured, the node's external IP is populated into the Service's ",(0,o.jsx)(n.code,{children:"status.loadBalancer.ingress"})," address list. Otherwise, the node's internal IP is used."]}),"\n",(0,o.jsx)(n.p,{children:"If multiple LoadBalancer Services are created, a separate DaemonSet is created for each Service."}),"\n",(0,o.jsx)(n.p,{children:"It is possible to expose multiple Services on the same node, as long as they use different ports."}),"\n",(0,o.jsx)(n.p,{children:"If you try to create a LoadBalancer Service that listens on port 80, the ServiceLB will try to find a free host in the cluster for port 80. If no host with that port is available, the LB will remain Pending."}),"\n",(0,o.jsx)(n.h3,{id:"usage",children:"Usage"}),"\n",(0,o.jsxs)(n.p,{children:["Create a ",(0,o.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer",children:"Service of type LoadBalancer"})," in K3s."]}),"\n",(0,o.jsx)(n.h3,{id:"controlling-servicelb-node-selection",children:"Controlling ServiceLB Node Selection"}),"\n",(0,o.jsxs)(n.p,{children:["Adding the ",(0,o.jsx)(n.code,{children:"svccontroller.k3s.cattle.io/enablelb=true"})," label to one or more nodes switches the ServiceLB controller into allow-list mode, where only nodes with the label are eligible to host LoadBalancer pods. Nodes that remain unlabeled will be excluded from use by ServiceLB."]}),"\n",(0,o.jsx)(n.admonition,{type:"note",children:(0,o.jsx)(n.p,{children:"By default, nodes are not labeled. As long as all nodes remain unlabeled, all nodes with ports available will be used by ServiceLB."})}),"\n",(0,o.jsx)(n.h3,{id:"creating-servicelb-node-pools",children:"Creating ServiceLB Node Pools"}),"\n",(0,o.jsxs)(n.p,{children:["To select a particular subset of nodes to host pods for a LoadBalancer, add the ",(0,o.jsx)(n.code,{children:"enablelb"})," label to the desired nodes, and set matching ",(0,o.jsx)(n.code,{children:"lbpool"})," label values on the Nodes and Services. For example:"]}),"\n",(0,o.jsxs)(n.ol,{children:["\n",(0,o.jsxs)(n.li,{children:["Label Node A and Node B with ",(0,o.jsx)(n.code,{children:"svccontroller.k3s.cattle.io/lbpool=pool1"})," and ",(0,o.jsx)(n.code,{children:"svccontroller.k3s.cattle.io/enablelb=true"})]}),"\n",(0,o.jsxs)(n.li,{children:["Label Node C and Node D with ",(0,o.jsx)(n.code,{children:"svccontroller.k3s.cattle.io/lbpool=pool2"})," and ",(0,o.jsx)(n.code,{children:"svccontroller.k3s.cattle.io/enablelb=true"})]}),"\n",(0,o.jsxs)(n.li,{children:["Create one LoadBalancer Service on port 443 with label ",(0,o.jsx)(n.code,{children:"svccontroller.k3s.cattle.io/lbpool=pool1"}),". The DaemonSet for this service only deploy Pods to Node A and Node B."]}),"\n",(0,o.jsxs)(n.li,{children:["Create another LoadBalancer Service on port 443 with label ",(0,o.jsx)(n.code,{children:"svccontroller.k3s.cattle.io/lbpool=pool2"}),". The DaemonSet will only deploy Pods to Node C and Node D."]}),"\n"]}),"\n",(0,o.jsx)(n.h3,{id:"disabling-servicelb",children:"Disabling ServiceLB"}),"\n",(0,o.jsxs)(n.p,{children:["To disable ServiceLB, configure all servers in the cluster with the ",(0,o.jsx)(n.code,{children:"--disable=servicelb"})," flag."]}),"\n",(0,o.jsx)(n.p,{children:"This is necessary if you wish to run a different LB, such as MetalLB."}),"\n",(0,o.jsx)(n.h2,{id:"deploying-an-external-cloud-controller-manager",children:"Deploying an External Cloud Controller Manager"}),"\n",(0,o.jsx)(n.p,{children:'In order to reduce binary size, K3s removes all "in-tree" (built-in) cloud providers. Instead, K3s provides an embedded Cloud Controller Manager (CCM) stub that does the following:'}),"\n",(0,o.jsxs)(n.ul,{children:["\n",(0,o.jsxs)(n.li,{children:["Sets node InternalIP and ExternalIP address fields based on the ",(0,o.jsx)(n.code,{children:"--node-ip"})," and ",(0,o.jsx)(n.code,{children:"--node-external-ip"})," flags."]}),"\n",(0,o.jsx)(n.li,{children:"Hosts the ServiceLB LoadBalancer controller."}),"\n",(0,o.jsxs)(n.li,{children:["Clears the ",(0,o.jsx)(n.code,{children:"node.cloudprovider.kubernetes.io/uninitialized"})," taint that is present when the cloud-provider is set to ",(0,o.jsx)(n.code,{children:"external"})]}),"\n"]}),"\n",(0,o.jsxs)(n.p,{children:["Before deploying an external CCM, you must start all K3s servers with the ",(0,o.jsx)(n.code,{children:"--disable-cloud-controller"})," flag to disable to embedded CCM."]}),"\n",(0,o.jsx)(n.admonition,{type:"note",children:(0,o.jsx)(n.p,{children:"If you disable the built-in CCM and do not deploy and properly configure an external substitute, nodes will remain tainted and unschedulable."})})]})}function h(e={}){const{wrapper:n}={...(0,i.a)(),...e.components};return n?(0,o.jsx)(n,{...e,children:(0,o.jsx)(c,{...e})}):c(e)}},1151:(e,n,r)=>{r.d(n,{Z:()=>s,a:()=>l});var o=r(7294);const i={},t=o.createContext(i);function l(e){const n=o.useContext(t);return o.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function s(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(i):e.components||i:l(e.components),o.createElement(t.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/43e5cb58.292d1714.js b/assets/js/43e5cb58.292d1714.js new file mode 100644 index 000000000..684161a0a --- /dev/null +++ b/assets/js/43e5cb58.292d1714.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[4804],{8446:(e,n,r)=>{r.r(n),r.d(n,{assets:()=>a,contentTitle:()=>l,default:()=>h,frontMatter:()=>t,metadata:()=>s,toc:()=>d});var o=r(5893),i=r(1151);const t={title:"Networking Services"},l=void 0,s={id:"networking/networking-services",title:"Networking Services",description:"This page explains how CoreDNS, Traefik Ingress controller, Network Policy controller, and ServiceLB load balancer controller work within K3s.",source:"@site/docs/networking/networking-services.md",sourceDirName:"networking",slug:"/networking/networking-services",permalink:"/networking/networking-services",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/networking/networking-services.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Networking Services"},sidebar:"mySidebar",previous:{title:"Multus and IPAM plugins",permalink:"/networking/multus-ipams"},next:{title:"Helm",permalink:"/helm"}},a={},d=[{value:"CoreDNS",id:"coredns",level:2},{value:"Traefik Ingress Controller",id:"traefik-ingress-controller",level:2},{value:"Network Policy Controller",id:"network-policy-controller",level:2},{value:"Service Load Balancer",id:"service-load-balancer",level:2},{value:"How ServiceLB Works",id:"how-servicelb-works",level:3},{value:"Usage",id:"usage",level:3},{value:"Controlling ServiceLB Node Selection",id:"controlling-servicelb-node-selection",level:3},{value:"Creating ServiceLB Node Pools",id:"creating-servicelb-node-pools",level:3},{value:"Disabling ServiceLB",id:"disabling-servicelb",level:3},{value:"Deploying an External Cloud Controller Manager",id:"deploying-an-external-cloud-controller-manager",level:2}];function c(e){const n={a:"a",admonition:"admonition",code:"code",h2:"h2",h3:"h3",li:"li",ol:"ol",p:"p",pre:"pre",ul:"ul",...(0,i.a)(),...e.components};return(0,o.jsxs)(o.Fragment,{children:[(0,o.jsx)(n.p,{children:"This page explains how CoreDNS, Traefik Ingress controller, Network Policy controller, and ServiceLB load balancer controller work within K3s."}),"\n",(0,o.jsxs)(n.p,{children:["Refer to the ",(0,o.jsx)(n.a,{href:"/networking/basic-network-options",children:"Installation Network Options"})," page for details on Flannel configuration options and backend selection, or how to set up your own CNI."]}),"\n",(0,o.jsxs)(n.p,{children:["For information on which ports need to be opened for K3s, refer to the ",(0,o.jsx)(n.a,{href:"/installation/requirements#networking",children:"Networking Requirements"}),"."]}),"\n",(0,o.jsx)(n.h2,{id:"coredns",children:"CoreDNS"}),"\n",(0,o.jsxs)(n.p,{children:["CoreDNS is deployed automatically on server startup. To disable it, configure all servers in the cluster with the ",(0,o.jsx)(n.code,{children:"--disable=coredns"})," option."]}),"\n",(0,o.jsx)(n.p,{children:"If you don't install CoreDNS, you will need to install a cluster DNS provider yourself."}),"\n",(0,o.jsx)(n.h2,{id:"traefik-ingress-controller",children:"Traefik Ingress Controller"}),"\n",(0,o.jsxs)(n.p,{children:[(0,o.jsx)(n.a,{href:"https://traefik.io/",children:"Traefik"})," is a modern HTTP reverse proxy and load balancer made to deploy microservices with ease. It simplifies networking complexity while designing, deploying, and running applications."]}),"\n",(0,o.jsx)(n.p,{children:"The Traefik ingress controller deploys a LoadBalancer Service that uses ports 80 and 443, advertises the LoadBalancer Service's External IPs in the Status of Ingress resources it manages."}),"\n",(0,o.jsx)(n.p,{children:"By default, ServiceLB will use all nodes in the cluster to host the Traefik LoadBalancer Service, meaning ports 80 and 443 will not be usable for other HostPort or NodePort pods, and Ingress resources' Status will show all cluster members' node IPs."}),"\n",(0,o.jsxs)(n.p,{children:["To restrict the nodes used by Traefik, and by extension the node IPs advertised in the Ingress Status, you can follow the instructions in the ",(0,o.jsx)(n.a,{href:"#controlling-servicelb-node-selection",children:"Controlling ServiceLB Node Selection"})," section below to limit what nodes ServiceLB runs on, or by adding some nodes to a LoadBalancer pool and restricting the Traefik Service to that pool by setting matching labels in the Traefik HelmChartConfig."]}),"\n",(0,o.jsxs)(n.p,{children:["Traefik is deployed by default when starting the server. For more information see ",(0,o.jsx)(n.a,{href:"/installation/packaged-components",children:"Managing Packaged Components"}),". The default config file is found in ",(0,o.jsx)(n.code,{children:"/var/lib/rancher/k3s/server/manifests/traefik.yaml"}),"."]}),"\n",(0,o.jsxs)(n.p,{children:["The ",(0,o.jsx)(n.code,{children:"traefik.yaml"})," file should not be edited manually, as K3s will replace the file with defaults at startup. Instead, you should customize Traefik by creating an additional ",(0,o.jsx)(n.code,{children:"HelmChartConfig"})," manifest in ",(0,o.jsx)(n.code,{children:"/var/lib/rancher/k3s/server/manifests"}),". For more details and an example see ",(0,o.jsx)(n.a,{href:"/helm#customizing-packaged-components-with-helmchartconfig",children:"Customizing Packaged Components with HelmChartConfig"}),". For more information on the possible configuration values, refer to the official ",(0,o.jsx)(n.a,{href:"https://github.com/traefik/traefik-helm-chart/tree/master/traefik",children:"Traefik Helm Configuration Parameters."}),"."]}),"\n",(0,o.jsxs)(n.p,{children:["To remove Traefik from your cluster, start all servers with the ",(0,o.jsx)(n.code,{children:"--disable=traefik"})," flag."]}),"\n",(0,o.jsx)(n.p,{children:"K3s includes Traefik v2. K3s versions 1.21 through 1.30 install Traefik v2, unless an existing installation of Traefik v1 is found, in which case Traefik is not upgraded to v2. K3s versions 1.20 and earlier include Traefik v1. For more information on the specific version of Traefik included with K3s, consult the Release Notes for your version."}),"\n",(0,o.jsxs)(n.p,{children:["To migrate from an older Traefik v1 instance please refer to the ",(0,o.jsx)(n.a,{href:"https://doc.traefik.io/traefik/migration/v1-to-v2/",children:"Traefik documentation"})," and ",(0,o.jsx)(n.a,{href:"https://github.com/traefik/traefik-migration-tool",children:"migration tool"}),"."]}),"\n",(0,o.jsx)(n.h2,{id:"network-policy-controller",children:"Network Policy Controller"}),"\n",(0,o.jsxs)(n.p,{children:["K3s includes an embedded network policy controller. The underlying implementation is ",(0,o.jsx)(n.a,{href:"https://github.com/cloudnativelabs/kube-router",children:"kube-router's"})," netpol controller library (no other kube-router functionality is present) and can be found ",(0,o.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/tree/master/pkg/agent/netpol",children:"here"}),"."]}),"\n",(0,o.jsxs)(n.p,{children:["To disable it, start each server with the ",(0,o.jsx)(n.code,{children:"--disable-network-policy"})," flag."]}),"\n",(0,o.jsxs)(n.admonition,{type:"note",children:[(0,o.jsxs)(n.p,{children:["Network policy iptables rules are not removed if the K3s configuration is changed to disable the network policy controller. To clean up the configured kube-router network policy rules after disabling the network policy controller, use the ",(0,o.jsx)(n.code,{children:"k3s-killall.sh"})," script, or clean them using ",(0,o.jsx)(n.code,{children:"iptables-save"})," and ",(0,o.jsx)(n.code,{children:"iptables-restore"}),". These steps must be run manually on all nodes in the cluster."]}),(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{children:"iptables-save | grep -v KUBE-ROUTER | iptables-restore\nip6tables-save | grep -v KUBE-ROUTER | ip6tables-restore\n"})})]}),"\n",(0,o.jsx)(n.h2,{id:"service-load-balancer",children:"Service Load Balancer"}),"\n",(0,o.jsxs)(n.p,{children:["Any LoadBalancer controller can be deployed to your K3s cluster. By default, K3s provides a load balancer known as ",(0,o.jsx)(n.a,{href:"https://github.com/k3s-io/klipper-lb",children:"ServiceLB"})," (formerly Klipper LoadBalancer) that uses available host ports."]}),"\n",(0,o.jsxs)(n.p,{children:["Upstream Kubernetes allows Services of type LoadBalancer to be created, but doesn't include a default load balancer implementation, so these services will remain ",(0,o.jsx)(n.code,{children:"pending"})," until one is installed. Many hosted services require a cloud provider such as Amazon EC2 or Microsoft Azure to offer an external load balancer implementation. By contrast, the K3s ServiceLB makes it possible to use LoadBalancer Services without a cloud provider or any additional configuration."]}),"\n",(0,o.jsx)(n.h3,{id:"how-servicelb-works",children:"How ServiceLB Works"}),"\n",(0,o.jsxs)(n.p,{children:["The ServiceLB controller watches Kubernetes ",(0,o.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/services-networking/service/",children:"Services"})," with the ",(0,o.jsx)(n.code,{children:"spec.type"})," field set to ",(0,o.jsx)(n.code,{children:"LoadBalancer"}),"."]}),"\n",(0,o.jsxs)(n.p,{children:["For each LoadBalancer Service, a ",(0,o.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/",children:"DaemonSet"})," is created in the ",(0,o.jsx)(n.code,{children:"kube-system"})," namespace. This DaemonSet in turn creates Pods with a ",(0,o.jsx)(n.code,{children:"svc-"})," prefix, on each node. These Pods use iptables to forward traffic from the Pod's NodePort, to the Service's ClusterIP address and port."]}),"\n",(0,o.jsxs)(n.p,{children:["If the ServiceLB Pod runs on a node that has an external IP configured, the node's external IP is populated into the Service's ",(0,o.jsx)(n.code,{children:"status.loadBalancer.ingress"})," address list. Otherwise, the node's internal IP is used."]}),"\n",(0,o.jsx)(n.p,{children:"If multiple LoadBalancer Services are created, a separate DaemonSet is created for each Service."}),"\n",(0,o.jsx)(n.p,{children:"It is possible to expose multiple Services on the same node, as long as they use different ports."}),"\n",(0,o.jsx)(n.p,{children:"If you try to create a LoadBalancer Service that listens on port 80, the ServiceLB will try to find a free host in the cluster for port 80. If no host with that port is available, the LB will remain Pending."}),"\n",(0,o.jsx)(n.h3,{id:"usage",children:"Usage"}),"\n",(0,o.jsxs)(n.p,{children:["Create a ",(0,o.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer",children:"Service of type LoadBalancer"})," in K3s."]}),"\n",(0,o.jsx)(n.h3,{id:"controlling-servicelb-node-selection",children:"Controlling ServiceLB Node Selection"}),"\n",(0,o.jsxs)(n.p,{children:["Adding the ",(0,o.jsx)(n.code,{children:"svccontroller.k3s.cattle.io/enablelb=true"})," label to one or more nodes switches the ServiceLB controller into allow-list mode, where only nodes with the label are eligible to host LoadBalancer pods. Nodes that remain unlabeled will be excluded from use by ServiceLB."]}),"\n",(0,o.jsx)(n.admonition,{type:"note",children:(0,o.jsx)(n.p,{children:"By default, nodes are not labeled. As long as all nodes remain unlabeled, all nodes with ports available will be used by ServiceLB."})}),"\n",(0,o.jsx)(n.h3,{id:"creating-servicelb-node-pools",children:"Creating ServiceLB Node Pools"}),"\n",(0,o.jsxs)(n.p,{children:["To select a particular subset of nodes to host pods for a LoadBalancer, add the ",(0,o.jsx)(n.code,{children:"enablelb"})," label to the desired nodes, and set matching ",(0,o.jsx)(n.code,{children:"lbpool"})," label values on the Nodes and Services. For example:"]}),"\n",(0,o.jsxs)(n.ol,{children:["\n",(0,o.jsxs)(n.li,{children:["Label Node A and Node B with ",(0,o.jsx)(n.code,{children:"svccontroller.k3s.cattle.io/lbpool=pool1"})," and ",(0,o.jsx)(n.code,{children:"svccontroller.k3s.cattle.io/enablelb=true"})]}),"\n",(0,o.jsxs)(n.li,{children:["Label Node C and Node D with ",(0,o.jsx)(n.code,{children:"svccontroller.k3s.cattle.io/lbpool=pool2"})," and ",(0,o.jsx)(n.code,{children:"svccontroller.k3s.cattle.io/enablelb=true"})]}),"\n",(0,o.jsxs)(n.li,{children:["Create one LoadBalancer Service on port 443 with label ",(0,o.jsx)(n.code,{children:"svccontroller.k3s.cattle.io/lbpool=pool1"}),". The DaemonSet for this service only deploy Pods to Node A and Node B."]}),"\n",(0,o.jsxs)(n.li,{children:["Create another LoadBalancer Service on port 443 with label ",(0,o.jsx)(n.code,{children:"svccontroller.k3s.cattle.io/lbpool=pool2"}),". The DaemonSet will only deploy Pods to Node C and Node D."]}),"\n"]}),"\n",(0,o.jsx)(n.h3,{id:"disabling-servicelb",children:"Disabling ServiceLB"}),"\n",(0,o.jsxs)(n.p,{children:["To disable ServiceLB, configure all servers in the cluster with the ",(0,o.jsx)(n.code,{children:"--disable=servicelb"})," flag."]}),"\n",(0,o.jsx)(n.p,{children:"This is necessary if you wish to run a different LB, such as MetalLB."}),"\n",(0,o.jsx)(n.h2,{id:"deploying-an-external-cloud-controller-manager",children:"Deploying an External Cloud Controller Manager"}),"\n",(0,o.jsx)(n.p,{children:'In order to reduce binary size, K3s removes all "in-tree" (built-in) cloud providers. Instead, K3s provides an embedded Cloud Controller Manager (CCM) stub that does the following:'}),"\n",(0,o.jsxs)(n.ul,{children:["\n",(0,o.jsxs)(n.li,{children:["Sets node InternalIP and ExternalIP address fields based on the ",(0,o.jsx)(n.code,{children:"--node-ip"})," and ",(0,o.jsx)(n.code,{children:"--node-external-ip"})," flags."]}),"\n",(0,o.jsx)(n.li,{children:"Hosts the ServiceLB LoadBalancer controller."}),"\n",(0,o.jsxs)(n.li,{children:["Clears the ",(0,o.jsx)(n.code,{children:"node.cloudprovider.kubernetes.io/uninitialized"})," taint that is present when the cloud-provider is set to ",(0,o.jsx)(n.code,{children:"external"})]}),"\n"]}),"\n",(0,o.jsxs)(n.p,{children:["Before deploying an external CCM, you must start all K3s servers with the ",(0,o.jsx)(n.code,{children:"--disable-cloud-controller"})," flag to disable to embedded CCM."]}),"\n",(0,o.jsx)(n.admonition,{type:"note",children:(0,o.jsx)(n.p,{children:"If you disable the built-in CCM and do not deploy and properly configure an external substitute, nodes will remain tainted and unschedulable."})})]})}function h(e={}){const{wrapper:n}={...(0,i.a)(),...e.components};return n?(0,o.jsx)(n,{...e,children:(0,o.jsx)(c,{...e})}):c(e)}},1151:(e,n,r)=>{r.d(n,{Z:()=>s,a:()=>l});var o=r(7294);const i={},t=o.createContext(i);function l(e){const n=o.useContext(t);return o.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function s(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(i):e.components||i:l(e.components),o.createElement(t.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/4455f95b.99c7e8c9.js b/assets/js/4455f95b.99c7e8c9.js deleted file mode 100644 index fa966cfb9..000000000 --- a/assets/js/4455f95b.99c7e8c9.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[1340],{2644:(e,s,n)=>{n.r(s),n.d(s,{assets:()=>c,contentTitle:()=>l,default:()=>h,frontMatter:()=>d,metadata:()=>i,toc:()=>o});var r=n(5893),t=n(1151);const d={title:"server"},l="k3s server",i={id:"cli/server",title:"server",description:"In this section, you'll learn how to configure the K3s server.",source:"@site/docs/cli/server.md",sourceDirName:"cli",slug:"/cli/server",permalink:"/cli/server",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/cli/server.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"server"},sidebar:"mySidebar",previous:{title:"CLI Tools",permalink:"/cli/"},next:{title:"agent",permalink:"/cli/agent"}},c={},o=[{value:"Critical Configuration Values",id:"critical-configuration-values",level:2},{value:"Commonly Used Options",id:"commonly-used-options",level:2},{value:"Database",id:"database",level:3},{value:"Cluster Options",id:"cluster-options",level:3},{value:"Admin Kubeconfig Options",id:"admin-kubeconfig-options",level:3},{value:"Advanced Options",id:"advanced-options",level:2},{value:"Logging",id:"logging",level:3},{value:"Listeners",id:"listeners",level:3},{value:"Data",id:"data",level:3},{value:"Secrets Encryption",id:"secrets-encryption",level:3},{value:"Networking",id:"networking",level:3},{value:"Storage Class",id:"storage-class",level:3},{value:"Kubernetes Components",id:"kubernetes-components",level:3},{value:"Customized Flags for Kubernetes Processes",id:"customized-flags-for-kubernetes-processes",level:3},{value:"Experimental Options",id:"experimental-options",level:3},{value:"Deprecated Options",id:"deprecated-options",level:3},{value:"K3s Server CLI Help",id:"k3s-server-cli-help",level:2}];function a(e){const s={a:"a",blockquote:"blockquote",code:"code",em:"em",h1:"h1",h2:"h2",h3:"h3",li:"li",p:"p",pre:"pre",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,t.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(s.h1,{id:"k3s-server",children:"k3s server"}),"\n",(0,r.jsx)(s.p,{children:"In this section, you'll learn how to configure the K3s server."}),"\n",(0,r.jsxs)(s.p,{children:["Note that servers also run an agent, so all of the configuration options listed in the ",(0,r.jsxs)(s.a,{href:"/cli/agent",children:[(0,r.jsx)(s.code,{children:"k3s agent"})," documentation"]})," are also supported on servers."]}),"\n",(0,r.jsxs)(s.p,{children:["Options are documented on this page as CLI flags, but can also be passed as configuration file options. See the ",(0,r.jsx)(s.a,{href:"/installation/configuration#configuration-file",children:"Configuration File"})," documentation for more information on using YAML configuration files."]}),"\n",(0,r.jsx)(s.h2,{id:"critical-configuration-values",children:"Critical Configuration Values"}),"\n",(0,r.jsx)(s.p,{children:"The following options must be set to the same value on all servers in the cluster. Failure to do so will cause new servers to fail to join the cluster when using embedded etcd, or incorrect operation of the cluster when using an external datastore."}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--agent-token"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--cluster-cidr"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--cluster-dns"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--cluster-domain"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--disable-cloud-controller"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--disable-helm-controller"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--disable-network-policy"})}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--disable=servicelb"})," ",(0,r.jsx)(s.em,{children:"note: other packaged components may be disabled on a per-server basis"})]}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--egress-selector-mode"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--embedded-registry"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--flannel-backend"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--flannel-external-ip"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--flannel-ipv6-masq"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--secrets-encryption"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--service-cidr"})}),"\n"]}),"\n",(0,r.jsx)(s.h2,{id:"commonly-used-options",children:"Commonly Used Options"}),"\n",(0,r.jsx)(s.h3,{id:"database",children:"Database"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Environment Variable"}),(0,r.jsx)(s.th,{children:"Default"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--datastore-endpoint"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_DATASTORE_ENDPOINT"})}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"Specify etcd, Mysql, Postgres, or Sqlite data source name"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--datastore-cafile"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_DATASTORE_CAFILE"})}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"TLS Certificate Authority file used to secure datastore backend communication"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--datastore-certfile"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_DATASTORE_CERTFILE"})}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"TLS certification file used to secure datastore backend communication"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--datastore-keyfile"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_DATASTORE_KEYFILE"})}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"TLS key file used to secure datastore backend communication"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--etcd-expose-metrics"})}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"false"}),(0,r.jsx)(s.td,{children:"Expose etcd metrics to client interface"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--etcd-disable-snapshots"})}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"false"}),(0,r.jsx)(s.td,{children:"Disable automatic etcd snapshots"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-snapshot-name"})," value"]}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:'"etcd-snapshot-"'}),(0,r.jsx)(s.td,{children:"Set the base name of etcd snapshots."})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-snapshot-schedule-cron"})," value"]}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:'"0 */12 * * *"'}),(0,r.jsx)(s.td,{children:"Snapshot interval time in cron spec. eg. every 5 hours '0 */5 _ * _'"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-snapshot-retention"})," value"]}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"5"}),(0,r.jsx)(s.td,{children:"Number of snapshots to retain"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-snapshot-dir"})," value"]}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"${data-dir}/db/snapshots"}),(0,r.jsx)(s.td,{children:"Directory to save db snapshots"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--etcd-s3"})}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"Enable backup to S3"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-s3-endpoint"})," value"]}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:'"s3.amazonaws.com"'}),(0,r.jsx)(s.td,{children:"S3 endpoint url"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-s3-endpoint-ca"})," value"]}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"S3 custom CA cert to connect to S3 endpoint"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--etcd-s3-skip-ssl-verify"})}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"Disables S3 SSL certificate validation"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-s3-access-key"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"AWS_ACCESS_KEY_ID"})}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"S3 access key"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-s3-secret-key"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"AWS_SECRET_ACCESS_KEY"})}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"S3 secret key"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-s3-bucket"})," value"]}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"S3 bucket name"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-s3-region"})," value"]}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:'"us-east-1"'}),(0,r.jsx)(s.td,{children:"S3 region / bucket location (optional)"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-s3-folder"})," value"]}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"S3 folder"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--etcd-s3-insecure"})}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"Disables S3 over HTTPS"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-s3-timeout"})," value"]}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"5m0s"}),(0,r.jsx)(s.td,{children:"S3 timeout (default: 5m0s)"})]})]})]}),"\n",(0,r.jsx)(s.h3,{id:"cluster-options",children:"Cluster Options"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Environment Variable"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--token"})," value, ",(0,r.jsx)(s.code,{children:"-t"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_TOKEN"})}),(0,r.jsx)(s.td,{children:"Shared secret used to join a server or agent to a cluster"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--token-file"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_TOKEN_FILE"})}),(0,r.jsx)(s.td,{children:"File containing the cluster-secret/token"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--agent-token"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_AGENT_TOKEN"})}),(0,r.jsx)(s.td,{children:"Shared secret used to join agents to the cluster, but not servers"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--agent-token-file"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_AGENT_TOKEN_FILE"})}),(0,r.jsx)(s.td,{children:"File containing the agent secret"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--server"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_URL"})}),(0,r.jsx)(s.td,{children:"Server to connect to, used to join a cluster"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--cluster-init"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_CLUSTER_INIT"})}),(0,r.jsx)(s.td,{children:"Initialize a new cluster using embedded Etcd"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--cluster-reset"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_CLUSTER_RESET"})}),(0,r.jsx)(s.td,{children:"Forget all peers and become sole member of a new cluster"})]})]})]}),"\n",(0,r.jsx)(s.h3,{id:"admin-kubeconfig-options",children:"Admin Kubeconfig Options"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Environment Variable"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--write-kubeconfig value, -o"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_KUBECONFIG_OUTPUT"})}),(0,r.jsx)(s.td,{children:"Write kubeconfig for admin client to this file"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--write-kubeconfig-mode"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_KUBECONFIG_MODE"})}),(0,r.jsxs)(s.td,{children:["Write kubeconfig with this ",(0,r.jsx)(s.a,{href:"https://en.wikipedia.org/wiki/Chmod",children:"mode."})," The kubeconfig file is owned by root, and written with a default mode of 600. Changing the mode to 644 will allow it to be read by other unprivileged users on the host."]})]})]})]}),"\n",(0,r.jsx)(s.h2,{id:"advanced-options",children:"Advanced Options"}),"\n",(0,r.jsx)(s.h3,{id:"logging",children:"Logging"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Default"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--debug"})}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:"Turn on debug logs"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"-v"})," value"]}),(0,r.jsx)(s.td,{children:"0"}),(0,r.jsx)(s.td,{children:"Number for the log level verbosity"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--vmodule"})," value"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:"Comma-separated list of FILE_PATTERN=LOG_LEVEL settings for file-filtered logging"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--log value, -l"})," value"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:"Log to file"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--alsologtostderr"})}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:"Log to standard error as well as file (if set)"})]})]})]}),"\n",(0,r.jsx)(s.h3,{id:"listeners",children:"Listeners"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Default"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--bind-address"})," value"]}),(0,r.jsx)(s.td,{children:"0.0.0.0"}),(0,r.jsx)(s.td,{children:"k3s bind address"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--https-listen-port"})," value"]}),(0,r.jsx)(s.td,{children:"6443"}),(0,r.jsx)(s.td,{children:"HTTPS listen port"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--advertise-address"})," value"]}),(0,r.jsx)(s.td,{children:"node-external-ip/node-ip"}),(0,r.jsxs)(s.td,{children:["IPv4/IPv6 address that apiserver advertises for its service endpoint",(0,r.jsx)("br",{}),"Note that the primary ",(0,r.jsx)(s.code,{children:"service-cidr"})," IP range must be of the same address family as the advertised address"]})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--advertise-port"})," value"]}),(0,r.jsx)(s.td,{children:"listen-port/0"}),(0,r.jsx)(s.td,{children:"Port that apiserver uses to advertise to members of the cluster"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--tls-san"})," value"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:"Add additional hostnames or IPv4/IPv6 addresses as Subject Alternative Names on the TLS cert"})]})]})]}),"\n",(0,r.jsx)(s.h3,{id:"data",children:"Data"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Default"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsx)(s.tbody,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--data-dir value, -d"})," value"]}),(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"/var/lib/rancher/k3s"})," or ",(0,r.jsx)(s.code,{children:"${HOME}/.rancher/k3s"})," if not root"]}),(0,r.jsx)(s.td,{children:"Folder to hold state"})]})})]}),"\n",(0,r.jsx)(s.h3,{id:"secrets-encryption",children:"Secrets Encryption"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Default"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsx)(s.tbody,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--secrets-encryption"})}),(0,r.jsx)(s.td,{children:"false"}),(0,r.jsx)(s.td,{children:"Enable Secret encryption at rest"})]})})]}),"\n",(0,r.jsx)(s.h3,{id:"networking",children:"Networking"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Default"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--cluster-cidr"})," value"]}),(0,r.jsx)(s.td,{children:'"10.42.0.0/16"'}),(0,r.jsx)(s.td,{children:"IPv4/IPv6 network CIDRs to use for pod IPs"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--service-cidr"})," value"]}),(0,r.jsx)(s.td,{children:'"10.43.0.0/16"'}),(0,r.jsx)(s.td,{children:"IPv4/IPv6 network CIDRs to use for service IPs"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--service-node-port-range"})," value"]}),(0,r.jsx)(s.td,{children:'"30000-32767"'}),(0,r.jsx)(s.td,{children:"Port range to reserve for services with NodePort visibility"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--cluster-dns"})," value"]}),(0,r.jsx)(s.td,{children:'"10.43.0.10"'}),(0,r.jsx)(s.td,{children:"IPv4 Cluster IP for coredns service. Should be in your service-cidr range"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--cluster-domain"})," value"]}),(0,r.jsx)(s.td,{children:'"cluster.local"'}),(0,r.jsx)(s.td,{children:"Cluster Domain"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--flannel-backend"})," value"]}),(0,r.jsx)(s.td,{children:'"vxlan"'}),(0,r.jsx)(s.td,{children:"One of 'none', 'vxlan', 'ipsec'(deprecated), 'host-gw', 'wireguard-native', or 'wireguard'(deprecated)"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--flannel-ipv6-masq"})}),(0,r.jsx)(s.td,{children:'"N/A"'}),(0,r.jsx)(s.td,{children:"Enable IPv6 masquerading for pod"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--flannel-external-ip"})}),(0,r.jsx)(s.td,{children:'"N/A"'}),(0,r.jsx)(s.td,{children:"Use node external IP addresses for Flannel traffic"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--servicelb-namespace"})," value"]}),(0,r.jsx)(s.td,{children:'"kube-system"'}),(0,r.jsx)(s.td,{children:"Namespace of the pods for the servicelb component"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--egress-selector-mode"})," value"]}),(0,r.jsx)(s.td,{children:'"agent"'}),(0,r.jsxs)(s.td,{children:["Must be one of the following: ",(0,r.jsxs)("ul",{children:[(0,r.jsx)("li",{children:"disabled: The apiserver does not use agent tunnels to communicate with nodes. Requires that servers run agents, and have direct connectivity to the kubelet on agents, or the apiserver will not be able to function access service endpoints or perform kubectl exec and kubectl logs."}),(0,r.jsx)("li",{children:"agent: The apiserver uses agent tunnels to communicate with nodes. Nodes allow the tunnel connection from loopback addresses. Requires that servers also run agents, or the apiserver will not be able to access service endpoints. The historical default for k3s."}),(0,r.jsx)("li",{children:" pod: The apiserver uses agent tunnels to communicate with nodes and service endpoints, routing endpoint connections to the correct agent by watching Nodes. Nodes allow the tunnel connection from loopback addresses, or a CIDR assigned to their node."}),(0,r.jsx)("li",{children:" cluster: The apiserver uses agent tunnels to communicate with nodes and service endpoints, routing endpoint connections to the correct agent by watching Endpoints. Nodes allow the tunnel connection from loopback addresses, or the configured cluster CIDR range."})]})]})]})]})]}),"\n",(0,r.jsx)(s.h3,{id:"storage-class",children:"Storage Class"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsx)(s.tbody,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--default-local-storage-path"})," value"]}),(0,r.jsx)(s.td,{children:"Default local storage path for local provisioner storage class"})]})})]}),"\n",(0,r.jsx)(s.h3,{id:"kubernetes-components",children:"Kubernetes Components"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--disable"})," value"]}),(0,r.jsxs)(s.td,{children:['See "',(0,r.jsxs)(s.a,{href:"/installation/packaged-components#using-the---disable-flag",children:["Using the ",(0,r.jsx)(s.code,{children:"--disable"})," flag"]}),'"']})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--disable-scheduler"})}),(0,r.jsx)(s.td,{children:"Disable Kubernetes default scheduler"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--disable-cloud-controller"})}),(0,r.jsx)(s.td,{children:"Disable k3s default cloud controller manager"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--disable-kube-proxy"})}),(0,r.jsx)(s.td,{children:"Disable running kube-proxy"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--disable-network-policy"})}),(0,r.jsx)(s.td,{children:"Disable k3s default network policy controller"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--disable-helm-controller"})}),(0,r.jsx)(s.td,{children:"Disable Helm controller"})]})]})]}),"\n",(0,r.jsx)(s.h3,{id:"customized-flags-for-kubernetes-processes",children:"Customized Flags for Kubernetes Processes"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-arg"})," value"]}),(0,r.jsx)(s.td,{children:"Customized flag for etcd process"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--kube-apiserver-arg"})," value"]}),(0,r.jsx)(s.td,{children:"Customized flag for kube-apiserver process"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--kube-scheduler-arg"})," value"]}),(0,r.jsx)(s.td,{children:"Customized flag for kube-scheduler process"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--kube-controller-manager-arg"})," value"]}),(0,r.jsx)(s.td,{children:"Customized flag for kube-controller-manager process"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--kube-cloud-controller-manager-arg"})," value"]}),(0,r.jsx)(s.td,{children:"Customized flag for kube-cloud-controller-manager process"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--kubelet-arg"})," value"]}),(0,r.jsx)(s.td,{children:"Customized flag for kubelet process"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--kube-proxy-arg"})," value"]}),(0,r.jsx)(s.td,{children:"Customized flag for kube-proxy process"})]})]})]}),"\n",(0,r.jsx)(s.h3,{id:"experimental-options",children:"Experimental Options"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--rootless"})}),(0,r.jsx)(s.td,{children:"Run rootless"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--enable-pprof"})}),(0,r.jsx)(s.td,{children:"Enable pprof endpoint on supervisor port"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--docker"})}),(0,r.jsx)(s.td,{children:"Use cri-dockerd instead of containerd"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--prefer-bundled-bin"})}),(0,r.jsx)(s.td,{children:"Prefer bundled userspace binaries over host binaries"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--disable-agent"})}),(0,r.jsxs)(s.td,{children:['See "',(0,r.jsx)(s.a,{href:"/advanced#running-agentless-servers-experimental",children:"Running Agentless Servers (Experimental)"}),'"']})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--embedded-registry"})}),(0,r.jsxs)(s.td,{children:['See "',(0,r.jsx)(s.a,{href:"/installation/registry-mirror",children:"Embedded Registry Mirror"}),'"']})]})]})]}),"\n",(0,r.jsx)(s.h3,{id:"deprecated-options",children:"Deprecated Options"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Environment Variable"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--no-flannel"})}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsxs)(s.td,{children:["Use ",(0,r.jsx)(s.code,{children:"--flannel-backend=none"})]})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--no-deploy"})," value"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsxs)(s.td,{children:["Use ",(0,r.jsx)(s.code,{children:"--disable"})]})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--cluster-secret"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_CLUSTER_SECRET"})}),(0,r.jsxs)(s.td,{children:["Use ",(0,r.jsx)(s.code,{children:"--token"})]})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--flannel-backend"})," wireguard"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsxs)(s.td,{children:["Use ",(0,r.jsx)(s.code,{children:"--flannel-backend=wireguard-native"})]})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--flannel-backend"})," value=option1=value"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsxs)(s.td,{children:["Use ",(0,r.jsx)(s.code,{children:"--flannel-conf"})," to specify the flannel config file with the backend config"]})]})]})]}),"\n",(0,r.jsx)(s.h2,{id:"k3s-server-cli-help",children:"K3s Server CLI Help"}),"\n",(0,r.jsxs)(s.blockquote,{children:["\n",(0,r.jsxs)(s.p,{children:["If an option appears in brackets below, for example ",(0,r.jsx)(s.code,{children:"[$K3S_TOKEN]"}),", it means that the option can be passed in as an environment variable of that name."]}),"\n"]}),"\n",(0,r.jsx)(s.pre,{children:(0,r.jsx)(s.code,{className:"language-bash",children:'NAME:\n k3s server - Run management server\n\nUSAGE:\n k3s server [OPTIONS]\n\nOPTIONS:\n --config FILE, -c FILE (config) Load configuration from FILE (default: "/etc/rancher/k3s/config.yaml") [$K3S_CONFIG_FILE]\n --debug (logging) Turn on debug logs [$K3S_DEBUG]\n -v value (logging) Number for the log level verbosity (default: 0)\n --vmodule value (logging) Comma-separated list of FILE_PATTERN=LOG_LEVEL settings for file-filtered logging\n --log value, -l value (logging) Log to file\n --alsologtostderr (logging) Log to standard error as well as file (if set)\n --bind-address value (listener) k3s bind address (default: 0.0.0.0)\n --https-listen-port value (listener) HTTPS listen port (default: 6443)\n --advertise-address value (listener) IPv4 address that apiserver uses to advertise to members of the cluster (default: node-external-ip/node-ip)\n --advertise-port value (listener) Port that apiserver uses to advertise to members of the cluster (default: listen-port) (default: 0)\n --tls-san value (listener) Add additional hostnames or IPv4/IPv6 addresses as Subject Alternative Names on the server TLS cert\n --data-dir value, -d value (data) Folder to hold state (default: /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root)\n --cluster-cidr value (networking) IPv4/IPv6 network CIDRs to use for pod IPs (default: 10.42.0.0/16)\n --service-cidr value (networking) IPv4/IPv6 network CIDRs to use for service IPs (default: 10.43.0.0/16)\n --service-node-port-range value (networking) Port range to reserve for services with NodePort visibility (default: "30000-32767")\n --cluster-dns value (networking) IPv4 Cluster IP for coredns service. Should be in your service-cidr range (default: 10.43.0.10)\n --cluster-domain value (networking) Cluster Domain (default: "cluster.local")\n --flannel-backend value (networking) backend<=option1=val1,option2=val2> where backend is one of \'none\', \'vxlan\', \'ipsec\' (deprecated), \'host-gw\', \'wireguard-native\', \'wireguard\' (deprecated) (default: "vxlan")\n --flannel-ipv6-masq (networking) Enable IPv6 masquerading for pod\n --flannel-external-ip (networking) Use node external IP addresses for Flannel traffic\n --egress-selector-mode value (networking) One of \'agent\', \'cluster\', \'pod\', \'disabled\' (default: "agent")\n --servicelb-namespace value (networking) Namespace of the pods for the servicelb component (default: "kube-system")\n --write-kubeconfig value, -o value (client) Write kubeconfig for admin client to this file [$K3S_KUBECONFIG_OUTPUT]\n --write-kubeconfig-mode value (client) Write kubeconfig with this mode [$K3S_KUBECONFIG_MODE]\n --token value, -t value (cluster) Shared secret used to join a server or agent to a cluster [$K3S_TOKEN]\n --token-file value (cluster) File containing the token [$K3S_TOKEN_FILE]\n --agent-token value (cluster) Shared secret used to join agents to the cluster, but not servers [$K3S_AGENT_TOKEN]\n --agent-token-file value (cluster) File containing the agent secret [$K3S_AGENT_TOKEN_FILE]\n --server value, -s value (cluster) Server to connect to, used to join a cluster [$K3S_URL]\n --cluster-init (cluster) Initialize a new cluster using embedded Etcd [$K3S_CLUSTER_INIT]\n --cluster-reset (cluster) Forget all peers and become sole member of a new cluster [$K3S_CLUSTER_RESET]\n --cluster-reset-restore-path value (db) Path to snapshot file to be restored\n --kube-apiserver-arg value (flags) Customized flag for kube-apiserver process\n --etcd-arg value (flags) Customized flag for etcd process\n --kube-controller-manager-arg value (flags) Customized flag for kube-controller-manager process\n --kube-scheduler-arg value (flags) Customized flag for kube-scheduler process\n --kube-cloud-controller-manager-arg value (flags) Customized flag for kube-cloud-controller-manager process\n --datastore-endpoint value (db) Specify etcd, Mysql, Postgres, or Sqlite (default) data source name [$K3S_DATASTORE_ENDPOINT]\n --datastore-cafile value (db) TLS Certificate Authority file used to secure datastore backend communication [$K3S_DATASTORE_CAFILE]\n --datastore-certfile value (db) TLS certification file used to secure datastore backend communication [$K3S_DATASTORE_CERTFILE]\n --datastore-keyfile value (db) TLS key file used to secure datastore backend communication [$K3S_DATASTORE_KEYFILE]\n --etcd-expose-metrics (db) Expose etcd metrics to client interface. (default: false)\n --etcd-disable-snapshots (db) Disable automatic etcd snapshots\n --etcd-snapshot-name value (db) Set the base name of etcd snapshots (default: etcd-snapshot-) (default: "etcd-snapshot")\n --etcd-snapshot-schedule-cron value (db) Snapshot interval time in cron spec. eg. every 5 hours \'* */5 * * *\' (default: "0 */12 * * *")\n --etcd-snapshot-retention value (db) Number of snapshots to retain (default: 5)\n --etcd-snapshot-dir value (db) Directory to save db snapshots. (default: ${data-dir}/db/snapshots)\n --etcd-snapshot-compress (db) Compress etcd snapshot\n --etcd-s3 (db) Enable backup to S3\n --etcd-s3-endpoint value (db) S3 endpoint url (default: "s3.amazonaws.com")\n --etcd-s3-endpoint-ca value (db) S3 custom CA cert to connect to S3 endpoint\n --etcd-s3-skip-ssl-verify (db) Disables S3 SSL certificate validation\n --etcd-s3-access-key value (db) S3 access key [$AWS_ACCESS_KEY_ID]\n --etcd-s3-secret-key value (db) S3 secret key [$AWS_SECRET_ACCESS_KEY]\n --etcd-s3-bucket value (db) S3 bucket name\n --etcd-s3-region value (db) S3 region / bucket location (optional) (default: "us-east-1")\n --etcd-s3-folder value (db) S3 folder\n --etcd-s3-insecure (db) Disables S3 over HTTPS\n --etcd-s3-timeout value (db) S3 timeout (default: 5m0s)\n --default-local-storage-path value (storage) Default local storage path for local provisioner storage class\n --disable value (components) Do not deploy packaged components and delete any deployed components (valid items: coredns, servicelb, traefik, local-storage, metrics-server)\n --disable-scheduler (components) Disable Kubernetes default scheduler\n --disable-cloud-controller (components) Disable k3s default cloud controller manager\n --disable-kube-proxy (components) Disable running kube-proxy\n --disable-network-policy (components) Disable k3s default network policy controller\n --disable-helm-controller (components) Disable Helm controller\n --node-name value (agent/node) Node name [$K3S_NODE_NAME]\n --with-node-id (agent/node) Append id to node name\n --node-label value (agent/node) Registering and starting kubelet with set of labels\n --node-taint value (agent/node) Registering kubelet with set of taints\n --image-credential-provider-bin-dir value (agent/node) The path to the directory where credential provider plugin binaries are located (default: "/var/lib/rancher/credentialprovider/bin")\n --image-credential-provider-config value (agent/node) The path to the credential provider plugin config file (default: "/var/lib/rancher/credentialprovider/config.yaml")\n --docker (agent/runtime) (experimental) Use cri-dockerd instead of containerd\n --container-runtime-endpoint value (agent/runtime) Disable embedded containerd and use the CRI socket at the given path; when used with --docker this sets the docker socket path\n --pause-image value (agent/runtime) Customized pause image for containerd or docker sandbox (default: "rancher/mirrored-pause:3.6")\n --snapshotter value (agent/runtime) Override default containerd snapshotter (default: "overlayfs")\n --private-registry value (agent/runtime) Private registry configuration file (default: "/etc/rancher/k3s/registries.yaml")\n --system-default-registry value (agent/runtime) Private registry to be used for all system images [$K3S_SYSTEM_DEFAULT_REGISTRY]\n --node-ip value, -i value (agent/networking) IPv4/IPv6 addresses to advertise for node\n --node-external-ip value (agent/networking) IPv4/IPv6 external IP addresses to advertise for node\n --resolv-conf value (agent/networking) Kubelet resolv.conf file [$K3S_RESOLV_CONF]\n --flannel-iface value (agent/networking) Override default flannel interface\n --flannel-conf value (agent/networking) Override default flannel config file\n --flannel-cni-conf value (agent/networking) Override default flannel cni config file\n --kubelet-arg value (agent/flags) Customized flag for kubelet process\n --kube-proxy-arg value (agent/flags) Customized flag for kube-proxy process\n --protect-kernel-defaults (agent/node) Kernel tuning behavior. If set, error if kernel tunables are different than kubelet defaults.\n --secrets-encryption Enable secret encryption at rest\n --enable-pprof (experimental) Enable pprof endpoint on supervisor port\n --rootless (experimental) Run rootless\n --prefer-bundled-bin (experimental) Prefer bundled userspace binaries over host binaries\n --selinux (agent/node) Enable SELinux in containerd [$K3S_SELINUX]\n --lb-server-port value (agent/node) Local port for supervisor client load-balancer. If the supervisor and apiserver are not colocated an additional port 1 less than this port will also be used for the apiserver client load-balancer. (default: 6444) [$K3S_LB_SERVER_PORT]\n'})})]})}function h(e={}){const{wrapper:s}={...(0,t.a)(),...e.components};return s?(0,r.jsx)(s,{...e,children:(0,r.jsx)(a,{...e})}):a(e)}},1151:(e,s,n)=>{n.d(s,{Z:()=>i,a:()=>l});var r=n(7294);const t={},d=r.createContext(t);function l(e){const s=r.useContext(d);return r.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function i(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:l(e.components),r.createElement(d.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/4455f95b.acae1445.js b/assets/js/4455f95b.acae1445.js new file mode 100644 index 000000000..919b6d07f --- /dev/null +++ b/assets/js/4455f95b.acae1445.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[1340],{2644:(e,s,n)=>{n.r(s),n.d(s,{assets:()=>c,contentTitle:()=>l,default:()=>h,frontMatter:()=>d,metadata:()=>i,toc:()=>o});var r=n(5893),t=n(1151);const d={title:"server"},l="k3s server",i={id:"cli/server",title:"server",description:"In this section, you'll learn how to configure the K3s server.",source:"@site/docs/cli/server.md",sourceDirName:"cli",slug:"/cli/server",permalink:"/cli/server",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/cli/server.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"server"},sidebar:"mySidebar",previous:{title:"CLI Tools",permalink:"/cli/"},next:{title:"agent",permalink:"/cli/agent"}},c={},o=[{value:"Critical Configuration Values",id:"critical-configuration-values",level:2},{value:"Commonly Used Options",id:"commonly-used-options",level:2},{value:"Database",id:"database",level:3},{value:"Cluster Options",id:"cluster-options",level:3},{value:"Admin Kubeconfig Options",id:"admin-kubeconfig-options",level:3},{value:"Advanced Options",id:"advanced-options",level:2},{value:"Logging",id:"logging",level:3},{value:"Listeners",id:"listeners",level:3},{value:"Data",id:"data",level:3},{value:"Secrets Encryption",id:"secrets-encryption",level:3},{value:"Networking",id:"networking",level:3},{value:"Storage Class",id:"storage-class",level:3},{value:"Kubernetes Components",id:"kubernetes-components",level:3},{value:"Customized Flags for Kubernetes Processes",id:"customized-flags-for-kubernetes-processes",level:3},{value:"Experimental Options",id:"experimental-options",level:3},{value:"Deprecated Options",id:"deprecated-options",level:3},{value:"K3s Server CLI Help",id:"k3s-server-cli-help",level:2}];function a(e){const s={a:"a",blockquote:"blockquote",code:"code",em:"em",h1:"h1",h2:"h2",h3:"h3",header:"header",li:"li",p:"p",pre:"pre",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,t.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(s.header,{children:(0,r.jsx)(s.h1,{id:"k3s-server",children:"k3s server"})}),"\n",(0,r.jsx)(s.p,{children:"In this section, you'll learn how to configure the K3s server."}),"\n",(0,r.jsxs)(s.p,{children:["Note that servers also run an agent, so all of the configuration options listed in the ",(0,r.jsxs)(s.a,{href:"/cli/agent",children:[(0,r.jsx)(s.code,{children:"k3s agent"})," documentation"]})," are also supported on servers."]}),"\n",(0,r.jsxs)(s.p,{children:["Options are documented on this page as CLI flags, but can also be passed as configuration file options. See the ",(0,r.jsx)(s.a,{href:"/installation/configuration#configuration-file",children:"Configuration File"})," documentation for more information on using YAML configuration files."]}),"\n",(0,r.jsx)(s.h2,{id:"critical-configuration-values",children:"Critical Configuration Values"}),"\n",(0,r.jsx)(s.p,{children:"The following options must be set to the same value on all servers in the cluster. Failure to do so will cause new servers to fail to join the cluster when using embedded etcd, or incorrect operation of the cluster when using an external datastore."}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--agent-token"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--cluster-cidr"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--cluster-dns"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--cluster-domain"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--disable-cloud-controller"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--disable-helm-controller"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--disable-network-policy"})}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--disable=servicelb"})," ",(0,r.jsx)(s.em,{children:"note: other packaged components may be disabled on a per-server basis"})]}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--egress-selector-mode"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--embedded-registry"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--flannel-backend"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--flannel-external-ip"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--flannel-ipv6-masq"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--secrets-encryption"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--service-cidr"})}),"\n"]}),"\n",(0,r.jsx)(s.h2,{id:"commonly-used-options",children:"Commonly Used Options"}),"\n",(0,r.jsx)(s.h3,{id:"database",children:"Database"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Environment Variable"}),(0,r.jsx)(s.th,{children:"Default"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--datastore-endpoint"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_DATASTORE_ENDPOINT"})}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"Specify etcd, Mysql, Postgres, or Sqlite data source name"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--datastore-cafile"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_DATASTORE_CAFILE"})}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"TLS Certificate Authority file used to secure datastore backend communication"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--datastore-certfile"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_DATASTORE_CERTFILE"})}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"TLS certification file used to secure datastore backend communication"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--datastore-keyfile"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_DATASTORE_KEYFILE"})}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"TLS key file used to secure datastore backend communication"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--etcd-expose-metrics"})}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"false"}),(0,r.jsx)(s.td,{children:"Expose etcd metrics to client interface"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--etcd-disable-snapshots"})}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"false"}),(0,r.jsx)(s.td,{children:"Disable automatic etcd snapshots"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-snapshot-name"})," value"]}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:'"etcd-snapshot-"'}),(0,r.jsx)(s.td,{children:"Set the base name of etcd snapshots."})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-snapshot-schedule-cron"})," value"]}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:'"0 */12 * * *"'}),(0,r.jsx)(s.td,{children:"Snapshot interval time in cron spec. eg. every 5 hours '0 */5 _ * _'"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-snapshot-retention"})," value"]}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"5"}),(0,r.jsx)(s.td,{children:"Number of snapshots to retain"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-snapshot-dir"})," value"]}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"${data-dir}/db/snapshots"}),(0,r.jsx)(s.td,{children:"Directory to save db snapshots"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--etcd-s3"})}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"Enable backup to S3"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-s3-endpoint"})," value"]}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:'"s3.amazonaws.com"'}),(0,r.jsx)(s.td,{children:"S3 endpoint url"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-s3-endpoint-ca"})," value"]}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"S3 custom CA cert to connect to S3 endpoint"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--etcd-s3-skip-ssl-verify"})}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"Disables S3 SSL certificate validation"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-s3-access-key"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"AWS_ACCESS_KEY_ID"})}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"S3 access key"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-s3-secret-key"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"AWS_SECRET_ACCESS_KEY"})}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"S3 secret key"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-s3-bucket"})," value"]}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"S3 bucket name"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-s3-region"})," value"]}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:'"us-east-1"'}),(0,r.jsx)(s.td,{children:"S3 region / bucket location (optional)"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-s3-folder"})," value"]}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"S3 folder"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--etcd-s3-insecure"})}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"Disables S3 over HTTPS"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-s3-timeout"})," value"]}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"5m0s"}),(0,r.jsx)(s.td,{children:"S3 timeout (default: 5m0s)"})]})]})]}),"\n",(0,r.jsx)(s.h3,{id:"cluster-options",children:"Cluster Options"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Environment Variable"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--token"})," value, ",(0,r.jsx)(s.code,{children:"-t"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_TOKEN"})}),(0,r.jsx)(s.td,{children:"Shared secret used to join a server or agent to a cluster"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--token-file"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_TOKEN_FILE"})}),(0,r.jsx)(s.td,{children:"File containing the cluster-secret/token"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--agent-token"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_AGENT_TOKEN"})}),(0,r.jsx)(s.td,{children:"Shared secret used to join agents to the cluster, but not servers"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--agent-token-file"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_AGENT_TOKEN_FILE"})}),(0,r.jsx)(s.td,{children:"File containing the agent secret"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--server"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_URL"})}),(0,r.jsx)(s.td,{children:"Server to connect to, used to join a cluster"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--cluster-init"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_CLUSTER_INIT"})}),(0,r.jsx)(s.td,{children:"Initialize a new cluster using embedded Etcd"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--cluster-reset"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_CLUSTER_RESET"})}),(0,r.jsx)(s.td,{children:"Forget all peers and become sole member of a new cluster"})]})]})]}),"\n",(0,r.jsx)(s.h3,{id:"admin-kubeconfig-options",children:"Admin Kubeconfig Options"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Environment Variable"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--write-kubeconfig value, -o"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_KUBECONFIG_OUTPUT"})}),(0,r.jsx)(s.td,{children:"Write kubeconfig for admin client to this file"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--write-kubeconfig-mode"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_KUBECONFIG_MODE"})}),(0,r.jsxs)(s.td,{children:["Write kubeconfig with this ",(0,r.jsx)(s.a,{href:"https://en.wikipedia.org/wiki/Chmod",children:"mode."})," The kubeconfig file is owned by root, and written with a default mode of 600. Changing the mode to 644 will allow it to be read by other unprivileged users on the host."]})]})]})]}),"\n",(0,r.jsx)(s.h2,{id:"advanced-options",children:"Advanced Options"}),"\n",(0,r.jsx)(s.h3,{id:"logging",children:"Logging"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Default"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--debug"})}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:"Turn on debug logs"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"-v"})," value"]}),(0,r.jsx)(s.td,{children:"0"}),(0,r.jsx)(s.td,{children:"Number for the log level verbosity"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--vmodule"})," value"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:"Comma-separated list of FILE_PATTERN=LOG_LEVEL settings for file-filtered logging"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--log value, -l"})," value"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:"Log to file"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--alsologtostderr"})}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:"Log to standard error as well as file (if set)"})]})]})]}),"\n",(0,r.jsx)(s.h3,{id:"listeners",children:"Listeners"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Default"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--bind-address"})," value"]}),(0,r.jsx)(s.td,{children:"0.0.0.0"}),(0,r.jsx)(s.td,{children:"k3s bind address"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--https-listen-port"})," value"]}),(0,r.jsx)(s.td,{children:"6443"}),(0,r.jsx)(s.td,{children:"HTTPS listen port"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--advertise-address"})," value"]}),(0,r.jsx)(s.td,{children:"node-external-ip/node-ip"}),(0,r.jsxs)(s.td,{children:["IPv4/IPv6 address that apiserver advertises for its service endpoint",(0,r.jsx)("br",{}),"Note that the primary ",(0,r.jsx)(s.code,{children:"service-cidr"})," IP range must be of the same address family as the advertised address"]})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--advertise-port"})," value"]}),(0,r.jsx)(s.td,{children:"listen-port/0"}),(0,r.jsx)(s.td,{children:"Port that apiserver uses to advertise to members of the cluster"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--tls-san"})," value"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:"Add additional hostnames or IPv4/IPv6 addresses as Subject Alternative Names on the TLS cert"})]})]})]}),"\n",(0,r.jsx)(s.h3,{id:"data",children:"Data"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Default"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsx)(s.tbody,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--data-dir value, -d"})," value"]}),(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"/var/lib/rancher/k3s"})," or ",(0,r.jsx)(s.code,{children:"${HOME}/.rancher/k3s"})," if not root"]}),(0,r.jsx)(s.td,{children:"Folder to hold state"})]})})]}),"\n",(0,r.jsx)(s.h3,{id:"secrets-encryption",children:"Secrets Encryption"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Default"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsx)(s.tbody,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--secrets-encryption"})}),(0,r.jsx)(s.td,{children:"false"}),(0,r.jsx)(s.td,{children:"Enable Secret encryption at rest"})]})})]}),"\n",(0,r.jsx)(s.h3,{id:"networking",children:"Networking"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Default"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--cluster-cidr"})," value"]}),(0,r.jsx)(s.td,{children:'"10.42.0.0/16"'}),(0,r.jsx)(s.td,{children:"IPv4/IPv6 network CIDRs to use for pod IPs"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--service-cidr"})," value"]}),(0,r.jsx)(s.td,{children:'"10.43.0.0/16"'}),(0,r.jsx)(s.td,{children:"IPv4/IPv6 network CIDRs to use for service IPs"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--service-node-port-range"})," value"]}),(0,r.jsx)(s.td,{children:'"30000-32767"'}),(0,r.jsx)(s.td,{children:"Port range to reserve for services with NodePort visibility"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--cluster-dns"})," value"]}),(0,r.jsx)(s.td,{children:'"10.43.0.10"'}),(0,r.jsx)(s.td,{children:"IPv4 Cluster IP for coredns service. Should be in your service-cidr range"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--cluster-domain"})," value"]}),(0,r.jsx)(s.td,{children:'"cluster.local"'}),(0,r.jsx)(s.td,{children:"Cluster Domain"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--flannel-backend"})," value"]}),(0,r.jsx)(s.td,{children:'"vxlan"'}),(0,r.jsx)(s.td,{children:"One of 'none', 'vxlan', 'ipsec'(deprecated), 'host-gw', 'wireguard-native', or 'wireguard'(deprecated)"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--flannel-ipv6-masq"})}),(0,r.jsx)(s.td,{children:'"N/A"'}),(0,r.jsx)(s.td,{children:"Enable IPv6 masquerading for pod"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--flannel-external-ip"})}),(0,r.jsx)(s.td,{children:'"N/A"'}),(0,r.jsx)(s.td,{children:"Use node external IP addresses for Flannel traffic"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--servicelb-namespace"})," value"]}),(0,r.jsx)(s.td,{children:'"kube-system"'}),(0,r.jsx)(s.td,{children:"Namespace of the pods for the servicelb component"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--egress-selector-mode"})," value"]}),(0,r.jsx)(s.td,{children:'"agent"'}),(0,r.jsxs)(s.td,{children:["Must be one of the following: ",(0,r.jsxs)("ul",{children:[(0,r.jsx)("li",{children:"disabled: The apiserver does not use agent tunnels to communicate with nodes. Requires that servers run agents, and have direct connectivity to the kubelet on agents, or the apiserver will not be able to function access service endpoints or perform kubectl exec and kubectl logs."}),(0,r.jsx)("li",{children:"agent: The apiserver uses agent tunnels to communicate with nodes. Nodes allow the tunnel connection from loopback addresses. Requires that servers also run agents, or the apiserver will not be able to access service endpoints. The historical default for k3s."}),(0,r.jsx)("li",{children:" pod: The apiserver uses agent tunnels to communicate with nodes and service endpoints, routing endpoint connections to the correct agent by watching Nodes. Nodes allow the tunnel connection from loopback addresses, or a CIDR assigned to their node."}),(0,r.jsx)("li",{children:" cluster: The apiserver uses agent tunnels to communicate with nodes and service endpoints, routing endpoint connections to the correct agent by watching Endpoints. Nodes allow the tunnel connection from loopback addresses, or the configured cluster CIDR range."})]})]})]})]})]}),"\n",(0,r.jsx)(s.h3,{id:"storage-class",children:"Storage Class"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsx)(s.tbody,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--default-local-storage-path"})," value"]}),(0,r.jsx)(s.td,{children:"Default local storage path for local provisioner storage class"})]})})]}),"\n",(0,r.jsx)(s.h3,{id:"kubernetes-components",children:"Kubernetes Components"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--disable"})," value"]}),(0,r.jsxs)(s.td,{children:['See "',(0,r.jsxs)(s.a,{href:"/installation/packaged-components#using-the---disable-flag",children:["Using the ",(0,r.jsx)(s.code,{children:"--disable"})," flag"]}),'"']})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--disable-scheduler"})}),(0,r.jsx)(s.td,{children:"Disable Kubernetes default scheduler"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--disable-cloud-controller"})}),(0,r.jsx)(s.td,{children:"Disable k3s default cloud controller manager"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--disable-kube-proxy"})}),(0,r.jsx)(s.td,{children:"Disable running kube-proxy"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--disable-network-policy"})}),(0,r.jsx)(s.td,{children:"Disable k3s default network policy controller"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--disable-helm-controller"})}),(0,r.jsx)(s.td,{children:"Disable Helm controller"})]})]})]}),"\n",(0,r.jsx)(s.h3,{id:"customized-flags-for-kubernetes-processes",children:"Customized Flags for Kubernetes Processes"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-arg"})," value"]}),(0,r.jsx)(s.td,{children:"Customized flag for etcd process"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--kube-apiserver-arg"})," value"]}),(0,r.jsx)(s.td,{children:"Customized flag for kube-apiserver process"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--kube-scheduler-arg"})," value"]}),(0,r.jsx)(s.td,{children:"Customized flag for kube-scheduler process"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--kube-controller-manager-arg"})," value"]}),(0,r.jsx)(s.td,{children:"Customized flag for kube-controller-manager process"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--kube-cloud-controller-manager-arg"})," value"]}),(0,r.jsx)(s.td,{children:"Customized flag for kube-cloud-controller-manager process"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--kubelet-arg"})," value"]}),(0,r.jsx)(s.td,{children:"Customized flag for kubelet process"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--kube-proxy-arg"})," value"]}),(0,r.jsx)(s.td,{children:"Customized flag for kube-proxy process"})]})]})]}),"\n",(0,r.jsx)(s.h3,{id:"experimental-options",children:"Experimental Options"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--rootless"})}),(0,r.jsx)(s.td,{children:"Run rootless"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--enable-pprof"})}),(0,r.jsx)(s.td,{children:"Enable pprof endpoint on supervisor port"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--docker"})}),(0,r.jsx)(s.td,{children:"Use cri-dockerd instead of containerd"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--prefer-bundled-bin"})}),(0,r.jsx)(s.td,{children:"Prefer bundled userspace binaries over host binaries"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--disable-agent"})}),(0,r.jsxs)(s.td,{children:['See "',(0,r.jsx)(s.a,{href:"/advanced#running-agentless-servers-experimental",children:"Running Agentless Servers (Experimental)"}),'"']})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--embedded-registry"})}),(0,r.jsxs)(s.td,{children:['See "',(0,r.jsx)(s.a,{href:"/installation/registry-mirror",children:"Embedded Registry Mirror"}),'"']})]})]})]}),"\n",(0,r.jsx)(s.h3,{id:"deprecated-options",children:"Deprecated Options"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Environment Variable"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--no-flannel"})}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsxs)(s.td,{children:["Use ",(0,r.jsx)(s.code,{children:"--flannel-backend=none"})]})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--no-deploy"})," value"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsxs)(s.td,{children:["Use ",(0,r.jsx)(s.code,{children:"--disable"})]})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--cluster-secret"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_CLUSTER_SECRET"})}),(0,r.jsxs)(s.td,{children:["Use ",(0,r.jsx)(s.code,{children:"--token"})]})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--flannel-backend"})," wireguard"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsxs)(s.td,{children:["Use ",(0,r.jsx)(s.code,{children:"--flannel-backend=wireguard-native"})]})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--flannel-backend"})," value=option1=value"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsxs)(s.td,{children:["Use ",(0,r.jsx)(s.code,{children:"--flannel-conf"})," to specify the flannel config file with the backend config"]})]})]})]}),"\n",(0,r.jsx)(s.h2,{id:"k3s-server-cli-help",children:"K3s Server CLI Help"}),"\n",(0,r.jsxs)(s.blockquote,{children:["\n",(0,r.jsxs)(s.p,{children:["If an option appears in brackets below, for example ",(0,r.jsx)(s.code,{children:"[$K3S_TOKEN]"}),", it means that the option can be passed in as an environment variable of that name."]}),"\n"]}),"\n",(0,r.jsx)(s.pre,{children:(0,r.jsx)(s.code,{className:"language-bash",children:'NAME:\n k3s server - Run management server\n\nUSAGE:\n k3s server [OPTIONS]\n\nOPTIONS:\n --config FILE, -c FILE (config) Load configuration from FILE (default: "/etc/rancher/k3s/config.yaml") [$K3S_CONFIG_FILE]\n --debug (logging) Turn on debug logs [$K3S_DEBUG]\n -v value (logging) Number for the log level verbosity (default: 0)\n --vmodule value (logging) Comma-separated list of FILE_PATTERN=LOG_LEVEL settings for file-filtered logging\n --log value, -l value (logging) Log to file\n --alsologtostderr (logging) Log to standard error as well as file (if set)\n --bind-address value (listener) k3s bind address (default: 0.0.0.0)\n --https-listen-port value (listener) HTTPS listen port (default: 6443)\n --advertise-address value (listener) IPv4 address that apiserver uses to advertise to members of the cluster (default: node-external-ip/node-ip)\n --advertise-port value (listener) Port that apiserver uses to advertise to members of the cluster (default: listen-port) (default: 0)\n --tls-san value (listener) Add additional hostnames or IPv4/IPv6 addresses as Subject Alternative Names on the server TLS cert\n --data-dir value, -d value (data) Folder to hold state (default: /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root)\n --cluster-cidr value (networking) IPv4/IPv6 network CIDRs to use for pod IPs (default: 10.42.0.0/16)\n --service-cidr value (networking) IPv4/IPv6 network CIDRs to use for service IPs (default: 10.43.0.0/16)\n --service-node-port-range value (networking) Port range to reserve for services with NodePort visibility (default: "30000-32767")\n --cluster-dns value (networking) IPv4 Cluster IP for coredns service. Should be in your service-cidr range (default: 10.43.0.10)\n --cluster-domain value (networking) Cluster Domain (default: "cluster.local")\n --flannel-backend value (networking) backend<=option1=val1,option2=val2> where backend is one of \'none\', \'vxlan\', \'ipsec\' (deprecated), \'host-gw\', \'wireguard-native\', \'wireguard\' (deprecated) (default: "vxlan")\n --flannel-ipv6-masq (networking) Enable IPv6 masquerading for pod\n --flannel-external-ip (networking) Use node external IP addresses for Flannel traffic\n --egress-selector-mode value (networking) One of \'agent\', \'cluster\', \'pod\', \'disabled\' (default: "agent")\n --servicelb-namespace value (networking) Namespace of the pods for the servicelb component (default: "kube-system")\n --write-kubeconfig value, -o value (client) Write kubeconfig for admin client to this file [$K3S_KUBECONFIG_OUTPUT]\n --write-kubeconfig-mode value (client) Write kubeconfig with this mode [$K3S_KUBECONFIG_MODE]\n --token value, -t value (cluster) Shared secret used to join a server or agent to a cluster [$K3S_TOKEN]\n --token-file value (cluster) File containing the token [$K3S_TOKEN_FILE]\n --agent-token value (cluster) Shared secret used to join agents to the cluster, but not servers [$K3S_AGENT_TOKEN]\n --agent-token-file value (cluster) File containing the agent secret [$K3S_AGENT_TOKEN_FILE]\n --server value, -s value (cluster) Server to connect to, used to join a cluster [$K3S_URL]\n --cluster-init (cluster) Initialize a new cluster using embedded Etcd [$K3S_CLUSTER_INIT]\n --cluster-reset (cluster) Forget all peers and become sole member of a new cluster [$K3S_CLUSTER_RESET]\n --cluster-reset-restore-path value (db) Path to snapshot file to be restored\n --kube-apiserver-arg value (flags) Customized flag for kube-apiserver process\n --etcd-arg value (flags) Customized flag for etcd process\n --kube-controller-manager-arg value (flags) Customized flag for kube-controller-manager process\n --kube-scheduler-arg value (flags) Customized flag for kube-scheduler process\n --kube-cloud-controller-manager-arg value (flags) Customized flag for kube-cloud-controller-manager process\n --datastore-endpoint value (db) Specify etcd, Mysql, Postgres, or Sqlite (default) data source name [$K3S_DATASTORE_ENDPOINT]\n --datastore-cafile value (db) TLS Certificate Authority file used to secure datastore backend communication [$K3S_DATASTORE_CAFILE]\n --datastore-certfile value (db) TLS certification file used to secure datastore backend communication [$K3S_DATASTORE_CERTFILE]\n --datastore-keyfile value (db) TLS key file used to secure datastore backend communication [$K3S_DATASTORE_KEYFILE]\n --etcd-expose-metrics (db) Expose etcd metrics to client interface. (default: false)\n --etcd-disable-snapshots (db) Disable automatic etcd snapshots\n --etcd-snapshot-name value (db) Set the base name of etcd snapshots (default: etcd-snapshot-) (default: "etcd-snapshot")\n --etcd-snapshot-schedule-cron value (db) Snapshot interval time in cron spec. eg. every 5 hours \'* */5 * * *\' (default: "0 */12 * * *")\n --etcd-snapshot-retention value (db) Number of snapshots to retain (default: 5)\n --etcd-snapshot-dir value (db) Directory to save db snapshots. (default: ${data-dir}/db/snapshots)\n --etcd-snapshot-compress (db) Compress etcd snapshot\n --etcd-s3 (db) Enable backup to S3\n --etcd-s3-endpoint value (db) S3 endpoint url (default: "s3.amazonaws.com")\n --etcd-s3-endpoint-ca value (db) S3 custom CA cert to connect to S3 endpoint\n --etcd-s3-skip-ssl-verify (db) Disables S3 SSL certificate validation\n --etcd-s3-access-key value (db) S3 access key [$AWS_ACCESS_KEY_ID]\n --etcd-s3-secret-key value (db) S3 secret key [$AWS_SECRET_ACCESS_KEY]\n --etcd-s3-bucket value (db) S3 bucket name\n --etcd-s3-region value (db) S3 region / bucket location (optional) (default: "us-east-1")\n --etcd-s3-folder value (db) S3 folder\n --etcd-s3-insecure (db) Disables S3 over HTTPS\n --etcd-s3-timeout value (db) S3 timeout (default: 5m0s)\n --default-local-storage-path value (storage) Default local storage path for local provisioner storage class\n --disable value (components) Do not deploy packaged components and delete any deployed components (valid items: coredns, servicelb, traefik, local-storage, metrics-server)\n --disable-scheduler (components) Disable Kubernetes default scheduler\n --disable-cloud-controller (components) Disable k3s default cloud controller manager\n --disable-kube-proxy (components) Disable running kube-proxy\n --disable-network-policy (components) Disable k3s default network policy controller\n --disable-helm-controller (components) Disable Helm controller\n --node-name value (agent/node) Node name [$K3S_NODE_NAME]\n --with-node-id (agent/node) Append id to node name\n --node-label value (agent/node) Registering and starting kubelet with set of labels\n --node-taint value (agent/node) Registering kubelet with set of taints\n --image-credential-provider-bin-dir value (agent/node) The path to the directory where credential provider plugin binaries are located (default: "/var/lib/rancher/credentialprovider/bin")\n --image-credential-provider-config value (agent/node) The path to the credential provider plugin config file (default: "/var/lib/rancher/credentialprovider/config.yaml")\n --docker (agent/runtime) (experimental) Use cri-dockerd instead of containerd\n --container-runtime-endpoint value (agent/runtime) Disable embedded containerd and use the CRI socket at the given path; when used with --docker this sets the docker socket path\n --pause-image value (agent/runtime) Customized pause image for containerd or docker sandbox (default: "rancher/mirrored-pause:3.6")\n --snapshotter value (agent/runtime) Override default containerd snapshotter (default: "overlayfs")\n --private-registry value (agent/runtime) Private registry configuration file (default: "/etc/rancher/k3s/registries.yaml")\n --system-default-registry value (agent/runtime) Private registry to be used for all system images [$K3S_SYSTEM_DEFAULT_REGISTRY]\n --node-ip value, -i value (agent/networking) IPv4/IPv6 addresses to advertise for node\n --node-external-ip value (agent/networking) IPv4/IPv6 external IP addresses to advertise for node\n --resolv-conf value (agent/networking) Kubelet resolv.conf file [$K3S_RESOLV_CONF]\n --flannel-iface value (agent/networking) Override default flannel interface\n --flannel-conf value (agent/networking) Override default flannel config file\n --flannel-cni-conf value (agent/networking) Override default flannel cni config file\n --kubelet-arg value (agent/flags) Customized flag for kubelet process\n --kube-proxy-arg value (agent/flags) Customized flag for kube-proxy process\n --protect-kernel-defaults (agent/node) Kernel tuning behavior. If set, error if kernel tunables are different than kubelet defaults.\n --secrets-encryption Enable secret encryption at rest\n --enable-pprof (experimental) Enable pprof endpoint on supervisor port\n --rootless (experimental) Run rootless\n --prefer-bundled-bin (experimental) Prefer bundled userspace binaries over host binaries\n --selinux (agent/node) Enable SELinux in containerd [$K3S_SELINUX]\n --lb-server-port value (agent/node) Local port for supervisor client load-balancer. If the supervisor and apiserver are not colocated an additional port 1 less than this port will also be used for the apiserver client load-balancer. (default: 6444) [$K3S_LB_SERVER_PORT]\n'})})]})}function h(e={}){const{wrapper:s}={...(0,t.a)(),...e.components};return s?(0,r.jsx)(s,{...e,children:(0,r.jsx)(a,{...e})}):a(e)}},1151:(e,s,n)=>{n.d(s,{Z:()=>i,a:()=>l});var r=n(7294);const t={},d=r.createContext(t);function l(e){const s=r.useContext(d);return r.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function i(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:l(e.components),r.createElement(d.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/4a667cf9.5264a034.js b/assets/js/4a667cf9.5264a034.js new file mode 100644 index 000000000..81e3d0d6e --- /dev/null +++ b/assets/js/4a667cf9.5264a034.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[9477],{8676:(e,n,s)=>{s.r(n),s.d(n,{assets:()=>i,contentTitle:()=>t,default:()=>h,frontMatter:()=>l,metadata:()=>o,toc:()=>d});var r=s(5893),a=s(1151);const l={title:"Cluster Load Balancer"},t=void 0,o={id:"datastore/cluster-loadbalancer",title:"Cluster Load Balancer",description:"This section describes how to install an external load balancer in front of a High Availability (HA) K3s cluster's server nodes. Two examples are provided: Nginx and HAProxy.",source:"@site/docs/datastore/cluster-loadbalancer.md",sourceDirName:"datastore",slug:"/datastore/cluster-loadbalancer",permalink:"/datastore/cluster-loadbalancer",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/datastore/cluster-loadbalancer.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Cluster Load Balancer"},sidebar:"mySidebar",previous:{title:"High Availability External DB",permalink:"/datastore/ha"},next:{title:"Upgrades",permalink:"/upgrades/"}},i={},d=[{value:"Prerequisites",id:"prerequisites",level:2},{value:"Setup Load Balancer",id:"setup-load-balancer",level:2},{value:"Nginx Load Balancer",id:"nginx-load-balancer",level:2}];function c(e){const n={a:"a",admonition:"admonition",code:"code",h2:"h2",li:"li",ol:"ol",p:"p",pre:"pre",ul:"ul",...(0,a.a)(),...e.components},{TabItem:s,Tabs:l}=n;return s||x("TabItem",!0),l||x("Tabs",!0),(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(n.p,{children:"This section describes how to install an external load balancer in front of a High Availability (HA) K3s cluster's server nodes. Two examples are provided: Nginx and HAProxy."}),"\n",(0,r.jsxs)(n.admonition,{type:"tip",children:[(0,r.jsxs)(n.p,{children:["External load-balancers should not be confused with the embedded ServiceLB, which is an embedded controller that allows for use of Kubernetes LoadBalancer Services without deploying a third-party load-balancer controller. For more details, see ",(0,r.jsx)(n.a,{href:"/networking/networking-services#service-load-balancer",children:"Service Load Balancer"}),"."]}),(0,r.jsx)(n.p,{children:"External load-balancers can be used to provide a fixed registration address for registering nodes, or for external access to the Kubernetes API Server. For exposing LoadBalancer Services, external load-balancers can be used alongside or instead of ServiceLB, but in most cases, replacement load-balancer controllers such as MetalLB or Kube-VIP are a better choice."})]}),"\n",(0,r.jsx)(n.h2,{id:"prerequisites",children:"Prerequisites"}),"\n",(0,r.jsx)(n.p,{children:"All nodes in this example are running Ubuntu 20.04."}),"\n",(0,r.jsxs)(n.p,{children:["For both examples, assume that a ",(0,r.jsx)(n.a,{href:"/datastore/ha-embedded",children:"HA K3s cluster with embedded etcd"})," has been installed on 3 nodes."]}),"\n",(0,r.jsx)(n.p,{children:"Each k3s server is configured with:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-yaml",children:"# /etc/rancher/k3s/config.yaml\ntoken: lb-cluster-gd\ntls-san: 10.10.10.100\n"})}),"\n",(0,r.jsx)(n.p,{children:"The nodes have hostnames and IPs of:"}),"\n",(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsxs)(n.li,{children:["server-1: ",(0,r.jsx)(n.code,{children:"10.10.10.50"})]}),"\n",(0,r.jsxs)(n.li,{children:["server-2: ",(0,r.jsx)(n.code,{children:"10.10.10.51"})]}),"\n",(0,r.jsxs)(n.li,{children:["server-3: ",(0,r.jsx)(n.code,{children:"10.10.10.52"})]}),"\n"]}),"\n",(0,r.jsx)(n.p,{children:"Two additional nodes for load balancing are configured with hostnames and IPs of:"}),"\n",(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsxs)(n.li,{children:["lb-1: ",(0,r.jsx)(n.code,{children:"10.10.10.98"})]}),"\n",(0,r.jsxs)(n.li,{children:["lb-2: ",(0,r.jsx)(n.code,{children:"10.10.10.99"})]}),"\n"]}),"\n",(0,r.jsx)(n.p,{children:"Three additional nodes exist with hostnames and IPs of:"}),"\n",(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsxs)(n.li,{children:["agent-1: ",(0,r.jsx)(n.code,{children:"10.10.10.101"})]}),"\n",(0,r.jsxs)(n.li,{children:["agent-2: ",(0,r.jsx)(n.code,{children:"10.10.10.102"})]}),"\n",(0,r.jsxs)(n.li,{children:["agent-3: ",(0,r.jsx)(n.code,{children:"10.10.10.103"})]}),"\n"]}),"\n",(0,r.jsx)(n.h2,{id:"setup-load-balancer",children:"Setup Load Balancer"}),"\n",(0,r.jsxs)(l,{queryString:"ext-load-balancer",children:[(0,r.jsxs)(s,{value:"HAProxy",default:!0,children:[(0,r.jsxs)(n.p,{children:[(0,r.jsx)(n.a,{href:"http://www.haproxy.org/",children:"HAProxy"})," is an open source option that provides a TCP load balancer. It also supports HA for the load balancer itself, ensuring redundancy at all levels. See ",(0,r.jsx)(n.a,{href:"http://docs.haproxy.org/2.8/intro.html",children:"HAProxy Documentation"})," for more info."]}),(0,r.jsxs)(n.p,{children:["Additionally, we will use KeepAlived to generate a virtual IP (VIP) that will be used to access the cluster. See ",(0,r.jsx)(n.a,{href:"https://www.keepalived.org/manpage.html",children:"KeepAlived Documentation"})," for more info."]}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsx)(n.li,{children:"Install HAProxy and KeepAlived:"}),"\n"]}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"sudo apt-get install haproxy keepalived\n"})}),(0,r.jsxs)(n.ol,{start:"2",children:["\n",(0,r.jsxs)(n.li,{children:["Add the following to ",(0,r.jsx)(n.code,{children:"/etc/haproxy/haproxy.cfg"})," on lb-1 and lb-2:"]}),"\n"]}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{children:"frontend k3s-frontend\n bind *:6443\n mode tcp\n option tcplog\n default_backend k3s-backend\n\nbackend k3s-backend\n mode tcp\n option tcp-check\n balance roundrobin\n default-server inter 10s downinter 5s\n server server-1 10.10.10.50:6443 check\n server server-2 10.10.10.51:6443 check\n server server-3 10.10.10.52:6443 check\n"})}),(0,r.jsxs)(n.ol,{start:"3",children:["\n",(0,r.jsxs)(n.li,{children:["Add the following to ",(0,r.jsx)(n.code,{children:"/etc/keepalived/keepalived.conf"})," on lb-1 and lb-2:"]}),"\n"]}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{children:"vrrp_script chk_haproxy {\n script 'killall -0 haproxy' # faster than pidof\n interval 2\n}\n\nvrrp_instance haproxy-vip {\n interface eth1\n state # MASTER on lb-1, BACKUP on lb-2\n priority # 200 on lb-1, 100 on lb-2\n\n virtual_router_id 51\n\n virtual_ipaddress {\n 10.10.10.100/24\n }\n\n track_script {\n chk_haproxy\n }\n}\n"})}),(0,r.jsxs)(n.ol,{start:"6",children:["\n",(0,r.jsx)(n.li,{children:"Restart HAProxy and KeepAlived on lb-1 and lb-2:"}),"\n"]}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"systemctl restart haproxy\nsystemctl restart keepalived\n"})}),(0,r.jsxs)(n.ol,{start:"5",children:["\n",(0,r.jsx)(n.li,{children:"On agent-1, agent-2, and agent-3, run the following command to install k3s and join the cluster:"}),"\n"]}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | K3S_TOKEN=lb-cluster-gd sh -s - agent --server https://10.10.10.100:6443\n"})}),(0,r.jsxs)(n.p,{children:["You can now use ",(0,r.jsx)(n.code,{children:"kubectl"})," from server node to interact with the cluster."]}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"root@server-1 $ k3s kubectl get nodes -A\nNAME STATUS ROLES AGE VERSION\nagent-1 Ready 32s v1.27.3+k3s1\nagent-2 Ready 20s v1.27.3+k3s1\nagent-3 Ready 9s v1.27.3+k3s1\nserver-1 Ready control-plane,etcd,master 4m22s v1.27.3+k3s1\nserver-2 Ready control-plane,etcd,master 3m58s v1.27.3+k3s1\nserver-3 Ready control-plane,etcd,master 3m12s v1.27.3+k3s1\n"})})]}),(0,r.jsxs)(s,{value:"Nginx",children:[(0,r.jsx)(n.h2,{id:"nginx-load-balancer",children:"Nginx Load Balancer"}),(0,r.jsx)(n.admonition,{type:"danger",children:(0,r.jsx)(n.p,{children:"Nginx does not natively support a High Availability (HA) configuration. If setting up an HA cluster, having a single load balancer in front of K3s will reintroduce a single point of failure."})}),(0,r.jsxs)(n.p,{children:[(0,r.jsx)(n.a,{href:"http://nginx.org/",children:"Nginx Open Source"})," provides a TCP load balancer. See ",(0,r.jsx)(n.a,{href:"https://nginx.org/en/docs/http/load_balancing.html",children:"Using nginx as HTTP load balancer"})," for more info."]}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["Create a ",(0,r.jsx)(n.code,{children:"nginx.conf"})," file on lb-1 with the following contents:"]}),"\n"]}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{children:"events {}\n\nstream {\n upstream k3s_servers {\n server 10.10.10.50:6443;\n server 10.10.10.51:6443;\n server 10.10.10.52:6443;\n }\n\n server {\n listen 6443;\n proxy_pass k3s_servers;\n }\n}\n"})}),(0,r.jsxs)(n.ol,{start:"2",children:["\n",(0,r.jsx)(n.li,{children:"Run the Nginx load balancer on lb-1:"}),"\n"]}),(0,r.jsx)(n.p,{children:"Using docker:"}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"docker run -d --restart unless-stopped \\\n -v ${PWD}/nginx.conf:/etc/nginx/nginx.conf \\\n -p 6443:6443 \\\n nginx:stable\n"})}),(0,r.jsxs)(n.p,{children:["Or ",(0,r.jsx)(n.a,{href:"https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-open-source/",children:"install nginx"})," and then run:"]}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"cp nginx.conf /etc/nginx/nginx.conf\nsystemctl start nginx\n"})}),(0,r.jsxs)(n.ol,{start:"3",children:["\n",(0,r.jsx)(n.li,{children:"On agent-1, agent-2, and agent-3, run the following command to install k3s and join the cluster:"}),"\n"]}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | K3S_TOKEN=lb-cluster-gd sh -s - agent --server https://10.10.10.98:6443\n"})}),(0,r.jsxs)(n.p,{children:["You can now use ",(0,r.jsx)(n.code,{children:"kubectl"})," from server node to interact with the cluster."]}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"root@server1 $ k3s kubectl get nodes -A\nNAME STATUS ROLES AGE VERSION\nagent-1 Ready 30s v1.27.3+k3s1\nagent-2 Ready 22s v1.27.3+k3s1\nagent-3 Ready 13s v1.27.3+k3s1\nserver-1 Ready control-plane,etcd,master 4m49s v1.27.3+k3s1\nserver-2 Ready control-plane,etcd,master 3m58s v1.27.3+k3s1\nserver-3 Ready control-plane,etcd,master 3m16s v1.27.3+k3s1\n"})})]})]})]})}function h(e={}){const{wrapper:n}={...(0,a.a)(),...e.components};return n?(0,r.jsx)(n,{...e,children:(0,r.jsx)(c,{...e})}):c(e)}function x(e,n){throw new Error("Expected "+(n?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,n,s)=>{s.d(n,{Z:()=>o,a:()=>t});var r=s(7294);const a={},l=r.createContext(a);function t(e){const n=r.useContext(l);return r.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function o(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(a):e.components||a:t(e.components),r.createElement(l.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/4a667cf9.a262b9c2.js b/assets/js/4a667cf9.a262b9c2.js deleted file mode 100644 index 252801fa7..000000000 --- a/assets/js/4a667cf9.a262b9c2.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[9477],{8676:(e,n,s)=>{s.r(n),s.d(n,{assets:()=>i,contentTitle:()=>t,default:()=>h,frontMatter:()=>l,metadata:()=>o,toc:()=>d});var r=s(5893),a=s(1151);const l={title:"Cluster Load Balancer"},t=void 0,o={id:"datastore/cluster-loadbalancer",title:"Cluster Load Balancer",description:"This section describes how to install an external load balancer in front of a High Availability (HA) K3s cluster's server nodes. Two examples are provided: Nginx and HAProxy.",source:"@site/docs/datastore/cluster-loadbalancer.md",sourceDirName:"datastore",slug:"/datastore/cluster-loadbalancer",permalink:"/datastore/cluster-loadbalancer",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/datastore/cluster-loadbalancer.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Cluster Load Balancer"},sidebar:"mySidebar",previous:{title:"High Availability External DB",permalink:"/datastore/ha"},next:{title:"Upgrades",permalink:"/upgrades/"}},i={},d=[{value:"Prerequisites",id:"prerequisites",level:2},{value:"Setup Load Balancer",id:"setup-load-balancer",level:2},{value:"Nginx Load Balancer",id:"nginx-load-balancer",level:2}];function c(e){const n={a:"a",admonition:"admonition",code:"code",h2:"h2",li:"li",ol:"ol",p:"p",pre:"pre",ul:"ul",...(0,a.a)(),...e.components},{TabItem:s,Tabs:l}=n;return s||x("TabItem",!0),l||x("Tabs",!0),(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(n.p,{children:"This section describes how to install an external load balancer in front of a High Availability (HA) K3s cluster's server nodes. Two examples are provided: Nginx and HAProxy."}),"\n",(0,r.jsxs)(n.admonition,{type:"tip",children:[(0,r.jsxs)(n.p,{children:["External load-balancers should not be confused with the embedded ServiceLB, which is an embedded controller that allows for use of Kubernetes LoadBalancer Services without deploying a third-party load-balancer controller. For more details, see ",(0,r.jsx)(n.a,{href:"/networking/networking-services#service-load-balancer",children:"Service Load Balancer"}),"."]}),(0,r.jsx)(n.p,{children:"External load-balancers can be used to provide a fixed registration address for registering nodes, or for external access to the Kubernetes API Server. For exposing LoadBalancer Services, external load-balancers can be used alongside or instead of ServiceLB, but in most cases, replacement load-balancer controllers such as MetalLB or Kube-VIP are a better choice."})]}),"\n",(0,r.jsx)(n.h2,{id:"prerequisites",children:"Prerequisites"}),"\n",(0,r.jsx)(n.p,{children:"All nodes in this example are running Ubuntu 20.04."}),"\n",(0,r.jsxs)(n.p,{children:["For both examples, assume that a ",(0,r.jsx)(n.a,{href:"/datastore/ha-embedded",children:"HA K3s cluster with embedded etcd"})," has been installed on 3 nodes."]}),"\n",(0,r.jsx)(n.p,{children:"Each k3s server is configured with:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-yaml",children:"# /etc/rancher/k3s/config.yaml\ntoken: lb-cluster-gd\ntls-san: 10.10.10.100\n"})}),"\n",(0,r.jsx)(n.p,{children:"The nodes have hostnames and IPs of:"}),"\n",(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsxs)(n.li,{children:["server-1: ",(0,r.jsx)(n.code,{children:"10.10.10.50"})]}),"\n",(0,r.jsxs)(n.li,{children:["server-2: ",(0,r.jsx)(n.code,{children:"10.10.10.51"})]}),"\n",(0,r.jsxs)(n.li,{children:["server-3: ",(0,r.jsx)(n.code,{children:"10.10.10.52"})]}),"\n"]}),"\n",(0,r.jsx)(n.p,{children:"Two additional nodes for load balancing are configured with hostnames and IPs of:"}),"\n",(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsxs)(n.li,{children:["lb-1: ",(0,r.jsx)(n.code,{children:"10.10.10.98"})]}),"\n",(0,r.jsxs)(n.li,{children:["lb-2: ",(0,r.jsx)(n.code,{children:"10.10.10.99"})]}),"\n"]}),"\n",(0,r.jsx)(n.p,{children:"Three additional nodes exist with hostnames and IPs of:"}),"\n",(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsxs)(n.li,{children:["agent-1: ",(0,r.jsx)(n.code,{children:"10.10.10.101"})]}),"\n",(0,r.jsxs)(n.li,{children:["agent-2: ",(0,r.jsx)(n.code,{children:"10.10.10.102"})]}),"\n",(0,r.jsxs)(n.li,{children:["agent-3: ",(0,r.jsx)(n.code,{children:"10.10.10.103"})]}),"\n"]}),"\n",(0,r.jsx)(n.h2,{id:"setup-load-balancer",children:"Setup Load Balancer"}),"\n",(0,r.jsxs)(l,{queryString:"ext-load-balancer",children:[(0,r.jsxs)(s,{value:"HAProxy",default:!0,children:[(0,r.jsxs)(n.p,{children:[(0,r.jsx)(n.a,{href:"http://www.haproxy.org/",children:"HAProxy"})," is an open source option that provides a TCP load balancer. It also supports HA for the load balancer itself, ensuring redundancy at all levels. See ",(0,r.jsx)(n.a,{href:"http://docs.haproxy.org/2.8/intro.html",children:"HAProxy Documentation"})," for more info."]}),(0,r.jsxs)(n.p,{children:["Additionally, we will use KeepAlived to generate a virtual IP (VIP) that will be used to access the cluster. See ",(0,r.jsx)(n.a,{href:"https://www.keepalived.org/manpage.html",children:"KeepAlived Documentation"})," for more info."]}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsx)(n.li,{children:"Install HAProxy and KeepAlived:"}),"\n"]}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"sudo apt-get install haproxy keepalived\n"})}),(0,r.jsxs)(n.ol,{start:"2",children:["\n",(0,r.jsxs)(n.li,{children:["Add the following to ",(0,r.jsx)(n.code,{children:"/etc/haproxy/haproxy.cfg"})," on lb-1 and lb-2:"]}),"\n"]}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{children:"frontend k3s-frontend\n bind *:6443\n mode tcp\n option tcplog\n default_backend k3s-backend\n\nbackend k3s-backend\n mode tcp\n option tcp-check\n balance roundrobin\n default-server inter 10s downinter 5s\n server server-1 10.10.10.50:6443 check\n server server-2 10.10.10.51:6443 check\n server server-3 10.10.10.52:6443 check\n"})}),(0,r.jsxs)(n.ol,{start:"3",children:["\n",(0,r.jsxs)(n.li,{children:["Add the following to ",(0,r.jsx)(n.code,{children:"/etc/keepalived/keepalived.conf"})," on lb-1 and lb-2:"]}),"\n"]}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{children:"vrrp_script chk_haproxy {\n script 'killall -0 haproxy' # faster than pidof\n interval 2\n}\n\nvrrp_instance haproxy-vip {\n interface eth1\n state # MASTER on lb-1, BACKUP on lb-2\n priority # 200 on lb-1, 100 on lb-2\n\n virtual_router_id 51\n\n virtual_ipaddress {\n 10.10.10.100/24\n }\n\n track_script {\n chk_haproxy\n }\n}\n"})}),(0,r.jsxs)(n.ol,{start:"6",children:["\n",(0,r.jsx)(n.li,{children:"Restart HAProxy and KeepAlived on lb-1 and lb-2:"}),"\n"]}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"systemctl restart haproxy\nsystemctl restart keepalived\n"})}),(0,r.jsxs)(n.ol,{start:"5",children:["\n",(0,r.jsx)(n.li,{children:"On agent-1, agent-2, and agent-3, run the following command to install k3s and join the cluster:"}),"\n"]}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | K3S_TOKEN=lb-cluster-gd sh -s - agent --server https://10.10.10.100:6443\n"})}),(0,r.jsxs)(n.p,{children:["You can now use ",(0,r.jsx)(n.code,{children:"kubectl"})," from server node to interact with the cluster."]}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"root@server-1 $ k3s kubectl get nodes -A\nNAME STATUS ROLES AGE VERSION\nagent-1 Ready 32s v1.27.3+k3s1\nagent-2 Ready 20s v1.27.3+k3s1\nagent-3 Ready 9s v1.27.3+k3s1\nserver-1 Ready control-plane,etcd,master 4m22s v1.27.3+k3s1\nserver-2 Ready control-plane,etcd,master 3m58s v1.27.3+k3s1\nserver-3 Ready control-plane,etcd,master 3m12s v1.27.3+k3s1\n"})})]}),(0,r.jsxs)(s,{value:"Nginx",children:[(0,r.jsx)(n.h2,{id:"nginx-load-balancer",children:"Nginx Load Balancer"}),(0,r.jsx)(n.admonition,{type:"danger",children:(0,r.jsx)(n.p,{children:"Nginx does not natively support a High Availability (HA) configuration. If setting up an HA cluster, having a single load balancer in front of K3s will reintroduce a single point of failure."})}),(0,r.jsxs)(n.p,{children:[(0,r.jsx)(n.a,{href:"http://nginx.org/",children:"Nginx Open Source"})," provides a TCP load balancer. See ",(0,r.jsx)(n.a,{href:"https://nginx.org/en/docs/http/load_balancing.html",children:"Using nginx as HTTP load balancer"})," for more info."]}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["Create a ",(0,r.jsx)(n.code,{children:"nginx.conf"})," file on lb-1 with the following contents:"]}),"\n"]}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{children:"events {}\n\nstream {\n upstream k3s_servers {\n server 10.10.10.50:6443;\n server 10.10.10.51:6443;\n server 10.10.10.52:6443;\n }\n\n server {\n listen 6443;\n proxy_pass k3s_servers;\n }\n}\n"})}),(0,r.jsxs)(n.ol,{start:"2",children:["\n",(0,r.jsx)(n.li,{children:"Run the Nginx load balancer on lb-1:"}),"\n"]}),(0,r.jsx)(n.p,{children:"Using docker:"}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"docker run -d --restart unless-stopped \\\n -v ${PWD}/nginx.conf:/etc/nginx/nginx.conf \\\n -p 6443:6443 \\\n nginx:stable\n"})}),(0,r.jsxs)(n.p,{children:["Or ",(0,r.jsx)(n.a,{href:"https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-open-source/",children:"install nginx"})," and then run:"]}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"cp nginx.conf /etc/nginx/nginx.conf\nsystemctl start nginx\n"})}),(0,r.jsxs)(n.ol,{start:"3",children:["\n",(0,r.jsx)(n.li,{children:"On agent-1, agent-2, and agent-3, run the following command to install k3s and join the cluster:"}),"\n"]}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | K3S_TOKEN=lb-cluster-gd sh -s - agent --server https://10.10.10.98:6443\n"})}),(0,r.jsxs)(n.p,{children:["You can now use ",(0,r.jsx)(n.code,{children:"kubectl"})," from server node to interact with the cluster."]}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"root@server1 $ k3s kubectl get nodes -A\nNAME STATUS ROLES AGE VERSION\nagent-1 Ready 30s v1.27.3+k3s1\nagent-2 Ready 22s v1.27.3+k3s1\nagent-3 Ready 13s v1.27.3+k3s1\nserver-1 Ready control-plane,etcd,master 4m49s v1.27.3+k3s1\nserver-2 Ready control-plane,etcd,master 3m58s v1.27.3+k3s1\nserver-3 Ready control-plane,etcd,master 3m16s v1.27.3+k3s1\n"})})]})]})]})}function h(e={}){const{wrapper:n}={...(0,a.a)(),...e.components};return n?(0,r.jsx)(n,{...e,children:(0,r.jsx)(c,{...e})}):c(e)}function x(e,n){throw new Error("Expected "+(n?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,n,s)=>{s.d(n,{Z:()=>o,a:()=>t});var r=s(7294);const a={},l=r.createContext(a);function t(e){const n=r.useContext(l);return r.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function o(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(a):e.components||a:t(e.components),r.createElement(l.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/4aae9e46.4c751e85.js b/assets/js/4aae9e46.4c751e85.js new file mode 100644 index 000000000..cd9143479 --- /dev/null +++ b/assets/js/4aae9e46.4c751e85.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[4443],{557:(e,s,n)=>{n.r(s),n.d(s,{assets:()=>c,contentTitle:()=>a,default:()=>p,frontMatter:()=>l,metadata:()=>i,toc:()=>o});var t=n(5893),r=n(1151);const l={title:"Stopping K3s"},a=void 0,i={id:"upgrades/killall",title:"Stopping K3s",description:"To allow high availability during upgrades, the K3s containers continue running when the K3s service is stopped.",source:"@site/docs/upgrades/killall.md",sourceDirName:"upgrades",slug:"/upgrades/killall",permalink:"/upgrades/killall",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/upgrades/killall.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Stopping K3s"},sidebar:"mySidebar",previous:{title:"Upgrades",permalink:"/upgrades/"},next:{title:"Manual Upgrades",permalink:"/upgrades/manual"}},c={},o=[{value:"K3s Service",id:"k3s-service",level:2},{value:"Killall Script",id:"killall-script",level:2}];function d(e){const s={code:"code",h2:"h2",p:"p",pre:"pre",...(0,r.a)(),...e.components},{TabItem:n,Tabs:l}=s;return n||h("TabItem",!0),l||h("Tabs",!0),(0,t.jsxs)(t.Fragment,{children:[(0,t.jsx)(s.p,{children:"To allow high availability during upgrades, the K3s containers continue running when the K3s service is stopped."}),"\n",(0,t.jsx)(s.h2,{id:"k3s-service",children:"K3s Service"}),"\n",(0,t.jsx)(s.p,{children:"Stopping and restarting K3s is supported by the installation script for systemd and OpenRC."}),"\n",(0,t.jsxs)(l,{children:[(0,t.jsxs)(n,{value:"systemd",children:[(0,t.jsx)(s.p,{children:"To stop servers:"}),(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-sh",children:"sudo systemctl stop k3s\n"})}),(0,t.jsx)(s.p,{children:"To restart servers:"}),(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-sh",children:"sudo systemctl start k3s\n"})}),(0,t.jsx)(s.p,{children:"To stop agents:"}),(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-sh",children:"sudo systemctl stop k3s-agent\n"})}),(0,t.jsx)(s.p,{children:"To restart agents:"}),(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-sh",children:"sudo systemctl start k3s-agent\n"})})]}),(0,t.jsxs)(n,{value:"OpenRC",children:[(0,t.jsx)(s.p,{children:"To stop servers:"}),(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-sh",children:"sudo rc-service k3s stop\n"})}),(0,t.jsx)(s.p,{children:"To restart servers:"}),(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-sh",children:"sudo rc-service k3s restart\n"})}),(0,t.jsx)(s.p,{children:"To stop agents:"}),(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-sh",children:"sudo rc-service k3s-agent stop\n"})}),(0,t.jsx)(s.p,{children:"To restart agents:"}),(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-sh",children:"sudo rc-service k3s-agent restart\n"})})]})]}),"\n",(0,t.jsx)(s.h2,{id:"killall-script",children:"Killall Script"}),"\n",(0,t.jsxs)(s.p,{children:["To stop all of the K3s containers and reset the containerd state, the ",(0,t.jsx)(s.code,{children:"k3s-killall.sh"})," script can be used."]}),"\n",(0,t.jsx)(s.p,{children:"The killall script cleans up containers, K3s directories, and networking components while also removing the iptables chain with all the associated rules. The cluster data will not be deleted."}),"\n",(0,t.jsx)(s.p,{children:"To run the killall script from a server node, run:"}),"\n",(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-bash",children:"/usr/local/bin/k3s-killall.sh\n"})})]})}function p(e={}){const{wrapper:s}={...(0,r.a)(),...e.components};return s?(0,t.jsx)(s,{...e,children:(0,t.jsx)(d,{...e})}):d(e)}function h(e,s){throw new Error("Expected "+(s?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,s,n)=>{n.d(s,{Z:()=>i,a:()=>a});var t=n(7294);const r={},l=t.createContext(r);function a(e){const s=t.useContext(l);return t.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function i(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:a(e.components),t.createElement(l.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/4aae9e46.9df87721.js b/assets/js/4aae9e46.9df87721.js deleted file mode 100644 index a0b85d8cb..000000000 --- a/assets/js/4aae9e46.9df87721.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[4443],{557:(e,s,n)=>{n.r(s),n.d(s,{assets:()=>c,contentTitle:()=>a,default:()=>p,frontMatter:()=>l,metadata:()=>i,toc:()=>o});var t=n(5893),r=n(1151);const l={title:"Stopping K3s"},a=void 0,i={id:"upgrades/killall",title:"Stopping K3s",description:"To allow high availability during upgrades, the K3s containers continue running when the K3s service is stopped.",source:"@site/docs/upgrades/killall.md",sourceDirName:"upgrades",slug:"/upgrades/killall",permalink:"/upgrades/killall",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/upgrades/killall.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Stopping K3s"},sidebar:"mySidebar",previous:{title:"Upgrades",permalink:"/upgrades/"},next:{title:"Manual Upgrades",permalink:"/upgrades/manual"}},c={},o=[{value:"K3s Service",id:"k3s-service",level:2},{value:"Killall Script",id:"killall-script",level:2}];function d(e){const s={code:"code",h2:"h2",p:"p",pre:"pre",...(0,r.a)(),...e.components},{TabItem:n,Tabs:l}=s;return n||h("TabItem",!0),l||h("Tabs",!0),(0,t.jsxs)(t.Fragment,{children:[(0,t.jsx)(s.p,{children:"To allow high availability during upgrades, the K3s containers continue running when the K3s service is stopped."}),"\n",(0,t.jsx)(s.h2,{id:"k3s-service",children:"K3s Service"}),"\n",(0,t.jsx)(s.p,{children:"Stopping and restarting K3s is supported by the installation script for systemd and OpenRC."}),"\n",(0,t.jsxs)(l,{children:[(0,t.jsxs)(n,{value:"systemd",children:[(0,t.jsx)(s.p,{children:"To stop servers:"}),(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-sh",children:"sudo systemctl stop k3s\n"})}),(0,t.jsx)(s.p,{children:"To restart servers:"}),(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-sh",children:"sudo systemctl start k3s\n"})}),(0,t.jsx)(s.p,{children:"To stop agents:"}),(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-sh",children:"sudo systemctl stop k3s-agent\n"})}),(0,t.jsx)(s.p,{children:"To restart agents:"}),(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-sh",children:"sudo systemctl start k3s-agent\n"})})]}),(0,t.jsxs)(n,{value:"OpenRC",children:[(0,t.jsx)(s.p,{children:"To stop servers:"}),(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-sh",children:"sudo rc-service k3s stop\n"})}),(0,t.jsx)(s.p,{children:"To restart servers:"}),(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-sh",children:"sudo rc-service k3s restart\n"})}),(0,t.jsx)(s.p,{children:"To stop agents:"}),(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-sh",children:"sudo rc-service k3s-agent stop\n"})}),(0,t.jsx)(s.p,{children:"To restart agents:"}),(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-sh",children:"sudo rc-service k3s-agent restart\n"})})]})]}),"\n",(0,t.jsx)(s.h2,{id:"killall-script",children:"Killall Script"}),"\n",(0,t.jsxs)(s.p,{children:["To stop all of the K3s containers and reset the containerd state, the ",(0,t.jsx)(s.code,{children:"k3s-killall.sh"})," script can be used."]}),"\n",(0,t.jsx)(s.p,{children:"The killall script cleans up containers, K3s directories, and networking components while also removing the iptables chain with all the associated rules. The cluster data will not be deleted."}),"\n",(0,t.jsx)(s.p,{children:"To run the killall script from a server node, run:"}),"\n",(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-bash",children:"/usr/local/bin/k3s-killall.sh\n"})})]})}function p(e={}){const{wrapper:s}={...(0,r.a)(),...e.components};return s?(0,t.jsx)(s,{...e,children:(0,t.jsx)(d,{...e})}):d(e)}function h(e,s){throw new Error("Expected "+(s?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,s,n)=>{n.d(s,{Z:()=>i,a:()=>a});var t=n(7294);const r={},l=t.createContext(r);function a(e){const s=t.useContext(l);return t.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function i(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:a(e.components),t.createElement(l.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/4e366d5e.380029dc.js b/assets/js/4e366d5e.380029dc.js new file mode 100644 index 000000000..65e29540f --- /dev/null +++ b/assets/js/4e366d5e.380029dc.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[3595],{882:(e,r,s)=>{s.r(r),s.d(r,{assets:()=>l,contentTitle:()=>i,default:()=>u,frontMatter:()=>a,metadata:()=>o,toc:()=>d});var t=s(5893),n=s(1151);const a={title:"Upgrades"},i=void 0,o={id:"upgrades/upgrades",title:"Upgrades",description:"Upgrading your K3s cluster",source:"@site/docs/upgrades/upgrades.md",sourceDirName:"upgrades",slug:"/upgrades/",permalink:"/upgrades/",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/upgrades/upgrades.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Upgrades"},sidebar:"mySidebar",previous:{title:"Cluster Load Balancer",permalink:"/datastore/cluster-loadbalancer"},next:{title:"Stopping K3s",permalink:"/upgrades/killall"}},l={},d=[{value:"Upgrading your K3s cluster",id:"upgrading-your-k3s-cluster",level:3},{value:"Version-specific caveats",id:"version-specific-caveats",level:3}];function c(e){const r={a:"a",code:"code",h3:"h3",li:"li",p:"p",pre:"pre",strong:"strong",ul:"ul",...(0,n.a)(),...e.components};return(0,t.jsxs)(t.Fragment,{children:[(0,t.jsx)(r.h3,{id:"upgrading-your-k3s-cluster",children:"Upgrading your K3s cluster"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.a,{href:"/upgrades/manual",children:"Manual Upgrades"})," describes several techniques for upgrading your cluster manually. It can also be used as a basis for upgrading through third-party Infrastructure-as-Code tools like ",(0,t.jsx)(r.a,{href:"https://www.terraform.io/",children:"Terraform"}),"."]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.a,{href:"/upgrades/automated",children:"Automated Upgrades"})," describes how to perform Kubernetes-native automated upgrades using Rancher's ",(0,t.jsx)(r.a,{href:"https://github.com/rancher/system-upgrade-controller",children:"system-upgrade-controller"}),"."]}),"\n",(0,t.jsx)(r.h3,{id:"version-specific-caveats",children:"Version-specific caveats"}),"\n",(0,t.jsxs)(r.ul,{children:["\n",(0,t.jsxs)(r.li,{children:["\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Traefik:"})," If Traefik is not disabled, K3s versions 1.20 and earlier will install Traefik v1, while K3s versions 1.21 and later will install Traefik v2, if v1 is not already present. To upgrade from the older Traefik v1 to Traefik v2, please refer to the ",(0,t.jsx)(r.a,{href:"https://doc.traefik.io/traefik/migration/v1-to-v2/",children:"Traefik documentation"})," and use the ",(0,t.jsx)(r.a,{href:"https://github.com/traefik/traefik-migration-tool",children:"migration tool"}),"."]}),"\n"]}),"\n",(0,t.jsxs)(r.li,{children:["\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"K3s bootstrap data:"})," If you are using K3s in an HA configuration with an external SQL datastore, and your server (control-plane) nodes were not started with the ",(0,t.jsx)(r.code,{children:"--token"})," CLI flag, you will no longer be able to add additional K3s servers to the cluster without specifying the token. Ensure that you retain a copy of this token, as it is required when restoring from backup. Previously, K3s did not enforce the use of a token when using external SQL datastores."]}),"\n",(0,t.jsxs)(r.ul,{children:["\n",(0,t.jsxs)(r.li,{children:["\n",(0,t.jsx)(r.p,{children:"The affected versions are <= v1.19.12+k3s1, v1.20.8+k3s1, v1.21.2+k3s1; the patched versions are v1.19.13+k3s1, v1.20.9+k3s1, v1.21.3+k3s1."}),"\n"]}),"\n",(0,t.jsxs)(r.li,{children:["\n",(0,t.jsx)(r.p,{children:"You may retrieve the token value from any server already joined to the cluster as follows:"}),"\n"]}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"cat /var/lib/rancher/k3s/server/token\n"})})]})}function u(e={}){const{wrapper:r}={...(0,n.a)(),...e.components};return r?(0,t.jsx)(r,{...e,children:(0,t.jsx)(c,{...e})}):c(e)}},1151:(e,r,s)=>{s.d(r,{Z:()=>o,a:()=>i});var t=s(7294);const n={},a=t.createContext(n);function i(e){const r=t.useContext(a);return t.useMemo((function(){return"function"==typeof e?e(r):{...r,...e}}),[r,e])}function o(e){let r;return r=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:i(e.components),t.createElement(a.Provider,{value:r},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/4e366d5e.ba028e8f.js b/assets/js/4e366d5e.ba028e8f.js deleted file mode 100644 index 69204fc20..000000000 --- a/assets/js/4e366d5e.ba028e8f.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[3595],{882:(e,r,s)=>{s.r(r),s.d(r,{assets:()=>l,contentTitle:()=>i,default:()=>u,frontMatter:()=>a,metadata:()=>o,toc:()=>d});var t=s(5893),n=s(1151);const a={title:"Upgrades"},i=void 0,o={id:"upgrades/upgrades",title:"Upgrades",description:"Upgrading your K3s cluster",source:"@site/docs/upgrades/upgrades.md",sourceDirName:"upgrades",slug:"/upgrades/",permalink:"/upgrades/",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/upgrades/upgrades.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Upgrades"},sidebar:"mySidebar",previous:{title:"Cluster Load Balancer",permalink:"/datastore/cluster-loadbalancer"},next:{title:"Stopping K3s",permalink:"/upgrades/killall"}},l={},d=[{value:"Upgrading your K3s cluster",id:"upgrading-your-k3s-cluster",level:3},{value:"Version-specific caveats",id:"version-specific-caveats",level:3}];function c(e){const r={a:"a",code:"code",h3:"h3",li:"li",p:"p",pre:"pre",strong:"strong",ul:"ul",...(0,n.a)(),...e.components};return(0,t.jsxs)(t.Fragment,{children:[(0,t.jsx)(r.h3,{id:"upgrading-your-k3s-cluster",children:"Upgrading your K3s cluster"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.a,{href:"/upgrades/manual",children:"Manual Upgrades"})," describes several techniques for upgrading your cluster manually. It can also be used as a basis for upgrading through third-party Infrastructure-as-Code tools like ",(0,t.jsx)(r.a,{href:"https://www.terraform.io/",children:"Terraform"}),"."]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.a,{href:"/upgrades/automated",children:"Automated Upgrades"})," describes how to perform Kubernetes-native automated upgrades using Rancher's ",(0,t.jsx)(r.a,{href:"https://github.com/rancher/system-upgrade-controller",children:"system-upgrade-controller"}),"."]}),"\n",(0,t.jsx)(r.h3,{id:"version-specific-caveats",children:"Version-specific caveats"}),"\n",(0,t.jsxs)(r.ul,{children:["\n",(0,t.jsxs)(r.li,{children:["\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Traefik:"})," If Traefik is not disabled, K3s versions 1.20 and earlier will install Traefik v1, while K3s versions 1.21 and later will install Traefik v2, if v1 is not already present. To upgrade from the older Traefik v1 to Traefik v2, please refer to the ",(0,t.jsx)(r.a,{href:"https://doc.traefik.io/traefik/migration/v1-to-v2/",children:"Traefik documentation"})," and use the ",(0,t.jsx)(r.a,{href:"https://github.com/traefik/traefik-migration-tool",children:"migration tool"}),"."]}),"\n"]}),"\n",(0,t.jsxs)(r.li,{children:["\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"K3s bootstrap data:"})," If you are using K3s in an HA configuration with an external SQL datastore, and your server (control-plane) nodes were not started with the ",(0,t.jsx)(r.code,{children:"--token"})," CLI flag, you will no longer be able to add additional K3s servers to the cluster without specifying the token. Ensure that you retain a copy of this token, as it is required when restoring from backup. Previously, K3s did not enforce the use of a token when using external SQL datastores."]}),"\n",(0,t.jsxs)(r.ul,{children:["\n",(0,t.jsxs)(r.li,{children:["\n",(0,t.jsx)(r.p,{children:"The affected versions are <= v1.19.12+k3s1, v1.20.8+k3s1, v1.21.2+k3s1; the patched versions are v1.19.13+k3s1, v1.20.9+k3s1, v1.21.3+k3s1."}),"\n"]}),"\n",(0,t.jsxs)(r.li,{children:["\n",(0,t.jsx)(r.p,{children:"You may retrieve the token value from any server already joined to the cluster as follows:"}),"\n"]}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"cat /var/lib/rancher/k3s/server/token\n"})})]})}function u(e={}){const{wrapper:r}={...(0,n.a)(),...e.components};return r?(0,t.jsx)(r,{...e,children:(0,t.jsx)(c,{...e})}):c(e)}},1151:(e,r,s)=>{s.d(r,{Z:()=>o,a:()=>i});var t=s(7294);const n={},a=t.createContext(n);function i(e){const r=t.useContext(a);return t.useMemo((function(){return"function"==typeof e?e(r):{...r,...e}}),[r,e])}function o(e){let r;return r=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:i(e.components),t.createElement(a.Provider,{value:r},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/4fea1ac4.20695fb2.js b/assets/js/4fea1ac4.20695fb2.js deleted file mode 100644 index a68773476..000000000 --- a/assets/js/4fea1ac4.20695fb2.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[1073],{8544:(n,e,t)=>{t.r(e),t.d(e,{assets:()=>r,contentTitle:()=>l,default:()=>u,frontMatter:()=>i,metadata:()=>o,toc:()=>d});var s=t(5893),a=t(1151);const i={title:"Uninstalling K3s"},l=void 0,o={id:"installation/uninstall",title:"Uninstalling K3s",description:"Uninstalling K3s deletes the local cluster data, configuration, and all of the scripts and CLI tools.",source:"@site/docs/installation/uninstall.md",sourceDirName:"installation",slug:"/installation/uninstall",permalink:"/installation/uninstall",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/uninstall.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Uninstalling K3s"},sidebar:"mySidebar",previous:{title:"Managing Packaged Components",permalink:"/installation/packaged-components"},next:{title:"Cluster Datastore",permalink:"/datastore/"}},r={},d=[{value:"Uninstalling Servers",id:"uninstalling-servers",level:3},{value:"Uninstalling Agents",id:"uninstalling-agents",level:3}];function c(n){const e={a:"a",admonition:"admonition",br:"br",code:"code",h3:"h3",p:"p",pre:"pre",...(0,a.a)(),...n.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(e.admonition,{type:"warning",children:(0,s.jsxs)(e.p,{children:["Uninstalling K3s deletes the local cluster data, configuration, and all of the scripts and CLI tools.",(0,s.jsx)(e.br,{}),"\n","It does not remove any data from external datastores, or created by pods using external Kubernetes storage volumes."]})}),"\n",(0,s.jsx)(e.p,{children:"If you installed K3s using the installation script, a script to uninstall K3s was generated during installation."}),"\n",(0,s.jsxs)(e.p,{children:["If you are planning on rejoining a node to an existing cluster after uninstalling and reinstalling, be sure to delete the node from the cluster to ensure that the node password secret is removed. See the ",(0,s.jsx)(e.a,{href:"/architecture#how-agent-node-registration-works",children:"Node Registration"})," documentation for more information."]}),"\n",(0,s.jsx)(e.h3,{id:"uninstalling-servers",children:"Uninstalling Servers"}),"\n",(0,s.jsx)(e.p,{children:"To uninstall K3s from a server node, run:"}),"\n",(0,s.jsx)(e.pre,{children:(0,s.jsx)(e.code,{className:"language-bash",children:"/usr/local/bin/k3s-uninstall.sh\n"})}),"\n",(0,s.jsx)(e.h3,{id:"uninstalling-agents",children:"Uninstalling Agents"}),"\n",(0,s.jsx)(e.p,{children:"To uninstall K3s from an agent node, run:"}),"\n",(0,s.jsx)(e.pre,{children:(0,s.jsx)(e.code,{className:"language-bash",children:"/usr/local/bin/k3s-agent-uninstall.sh\n"})})]})}function u(n={}){const{wrapper:e}={...(0,a.a)(),...n.components};return e?(0,s.jsx)(e,{...n,children:(0,s.jsx)(c,{...n})}):c(n)}},1151:(n,e,t)=>{t.d(e,{Z:()=>o,a:()=>l});var s=t(7294);const a={},i=s.createContext(a);function l(n){const e=s.useContext(i);return s.useMemo((function(){return"function"==typeof n?n(e):{...e,...n}}),[e,n])}function o(n){let e;return e=n.disableParentContext?"function"==typeof n.components?n.components(a):n.components||a:l(n.components),s.createElement(i.Provider,{value:e},n.children)}}}]); \ No newline at end of file diff --git a/assets/js/4fea1ac4.a6c2da5e.js b/assets/js/4fea1ac4.a6c2da5e.js new file mode 100644 index 000000000..1a07cf748 --- /dev/null +++ b/assets/js/4fea1ac4.a6c2da5e.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[1073],{8544:(n,e,t)=>{t.r(e),t.d(e,{assets:()=>r,contentTitle:()=>l,default:()=>u,frontMatter:()=>i,metadata:()=>o,toc:()=>d});var s=t(5893),a=t(1151);const i={title:"Uninstalling K3s"},l=void 0,o={id:"installation/uninstall",title:"Uninstalling K3s",description:"Uninstalling K3s deletes the local cluster data, configuration, and all of the scripts and CLI tools.",source:"@site/docs/installation/uninstall.md",sourceDirName:"installation",slug:"/installation/uninstall",permalink:"/installation/uninstall",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/uninstall.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Uninstalling K3s"},sidebar:"mySidebar",previous:{title:"Managing Packaged Components",permalink:"/installation/packaged-components"},next:{title:"Cluster Datastore",permalink:"/datastore/"}},r={},d=[{value:"Uninstalling Servers",id:"uninstalling-servers",level:3},{value:"Uninstalling Agents",id:"uninstalling-agents",level:3}];function c(n){const e={a:"a",admonition:"admonition",br:"br",code:"code",h3:"h3",p:"p",pre:"pre",...(0,a.a)(),...n.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(e.admonition,{type:"warning",children:(0,s.jsxs)(e.p,{children:["Uninstalling K3s deletes the local cluster data, configuration, and all of the scripts and CLI tools.",(0,s.jsx)(e.br,{}),"\n","It does not remove any data from external datastores, or created by pods using external Kubernetes storage volumes."]})}),"\n",(0,s.jsx)(e.p,{children:"If you installed K3s using the installation script, a script to uninstall K3s was generated during installation."}),"\n",(0,s.jsxs)(e.p,{children:["If you are planning on rejoining a node to an existing cluster after uninstalling and reinstalling, be sure to delete the node from the cluster to ensure that the node password secret is removed. See the ",(0,s.jsx)(e.a,{href:"/architecture#how-agent-node-registration-works",children:"Node Registration"})," documentation for more information."]}),"\n",(0,s.jsx)(e.h3,{id:"uninstalling-servers",children:"Uninstalling Servers"}),"\n",(0,s.jsx)(e.p,{children:"To uninstall K3s from a server node, run:"}),"\n",(0,s.jsx)(e.pre,{children:(0,s.jsx)(e.code,{className:"language-bash",children:"/usr/local/bin/k3s-uninstall.sh\n"})}),"\n",(0,s.jsx)(e.h3,{id:"uninstalling-agents",children:"Uninstalling Agents"}),"\n",(0,s.jsx)(e.p,{children:"To uninstall K3s from an agent node, run:"}),"\n",(0,s.jsx)(e.pre,{children:(0,s.jsx)(e.code,{className:"language-bash",children:"/usr/local/bin/k3s-agent-uninstall.sh\n"})})]})}function u(n={}){const{wrapper:e}={...(0,a.a)(),...n.components};return e?(0,s.jsx)(e,{...n,children:(0,s.jsx)(c,{...n})}):c(n)}},1151:(n,e,t)=>{t.d(e,{Z:()=>o,a:()=>l});var s=t(7294);const a={},i=s.createContext(a);function l(n){const e=s.useContext(i);return s.useMemo((function(){return"function"==typeof n?n(e):{...e,...n}}),[e,n])}function o(n){let e;return e=n.disableParentContext?"function"==typeof n.components?n.components(a):n.components||a:l(n.components),s.createElement(i.Provider,{value:e},n.children)}}}]); \ No newline at end of file diff --git a/assets/js/5159b4a0.6146d0a4.js b/assets/js/5159b4a0.6146d0a4.js new file mode 100644 index 000000000..22804414e --- /dev/null +++ b/assets/js/5159b4a0.6146d0a4.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[9478],{7477:(e,r,i)=>{i.r(r),i.d(r,{assets:()=>l,contentTitle:()=>a,default:()=>h,frontMatter:()=>s,metadata:()=>o,toc:()=>d});var t=i(5893),n=i(1151);const s={title:"Embedded Registry Mirror"},a=void 0,o={id:"installation/registry-mirror",title:"Embedded Registry Mirror",description:"The Embedded Registry Mirror is available as an experimental feature as of January 2024 releases: v1.26.13+k3s1, v1.27.10+k3s1, v1.28.6+k3s1, v1.29.1+k3s1",source:"@site/docs/installation/registry-mirror.md",sourceDirName:"installation",slug:"/installation/registry-mirror",permalink:"/installation/registry-mirror",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/registry-mirror.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Embedded Registry Mirror"},sidebar:"mySidebar",previous:{title:"Private Registry Configuration",permalink:"/installation/private-registry"},next:{title:"Air-Gap Install",permalink:"/installation/airgap"}},l={},d=[{value:"Enabling The Distributed OCI Registry Mirror",id:"enabling-the-distributed-oci-registry-mirror",level:2},{value:"Requirements",id:"requirements",level:3},{value:"Enabling Registry Mirroring",id:"enabling-registry-mirroring",level:2},{value:"Default Endpoint Fallback",id:"default-endpoint-fallback",level:3},{value:"Latest Tag",id:"latest-tag",level:3},{value:"Security",id:"security",level:2},{value:"Authentication",id:"authentication",level:3},{value:"Potential Concerns",id:"potential-concerns",level:3},{value:"Sharing Air-gap or Manually Loaded Images",id:"sharing-air-gap-or-manually-loaded-images",level:2},{value:"Pushing Images",id:"pushing-images",level:2}];function c(e){const r={a:"a",admonition:"admonition",code:"code",h2:"h2",h3:"h3",p:"p",pre:"pre",strong:"strong",...(0,n.a)(),...e.components};return(0,t.jsxs)(t.Fragment,{children:[(0,t.jsx)(r.admonition,{title:"Version Gate",type:"info",children:(0,t.jsx)(r.p,{children:"The Embedded Registry Mirror is available as an experimental feature as of January 2024 releases: v1.26.13+k3s1, v1.27.10+k3s1, v1.28.6+k3s1, v1.29.1+k3s1"})}),"\n",(0,t.jsxs)(r.p,{children:["K3s embeds ",(0,t.jsx)(r.a,{href:"https://github.com/XenitAB/spegel",children:"Spegel"}),", a stateless distributed OCI registry mirror that allows peer-to-peer sharing of container images between nodes in a Kubernetes cluster.\nThe distributed registry mirror is disabled by default."]}),"\n",(0,t.jsx)(r.h2,{id:"enabling-the-distributed-oci-registry-mirror",children:"Enabling The Distributed OCI Registry Mirror"}),"\n",(0,t.jsxs)(r.p,{children:["In order to enable the embedded registry mirror, server nodes must be started with the ",(0,t.jsx)(r.code,{children:"--embedded-registry"})," flag, or with ",(0,t.jsx)(r.code,{children:"embedded-registry: true"})," in the configuration file.\nThis option enables the embedded mirror for use on all nodes in the cluster."]}),"\n",(0,t.jsxs)(r.p,{children:["When enabled at a cluster level, all nodes will host a local OCI registry on port 6443,\nand publish a list of available images via a peer to peer network on port 5001.\nAny image available in the containerd image store on any node, can be pulled by other cluster members without access to an external registry.\nImages imported via ",(0,t.jsx)(r.a,{href:"/installation/airgap#manually-deploy-images-method",children:"air-gap image tar files"})," are pinned in containerd to\nensure that they remain available and are not pruned by Kubelet garbage collection."]}),"\n",(0,t.jsxs)(r.p,{children:["The peer to peer port can changed from 5001 by setting the ",(0,t.jsx)(r.code,{children:"K3S_P2P_PORT"})," environment variable for the K3s service. The port must be set to the same value on all nodes.\nChanging the port is unsupported and not recommended."]}),"\n",(0,t.jsx)(r.h3,{id:"requirements",children:"Requirements"}),"\n",(0,t.jsx)(r.p,{children:"When the embedded registry mirror is enabled, all nodes must be able to reach each other via their internal IP addresses, on TCP ports 5001 and 6443.\nIf nodes cannot reach each other, it may take longer for images to be pulled, as the distributed registry will be tried first by containerd, before it falls back to other endpoints."}),"\n",(0,t.jsx)(r.h2,{id:"enabling-registry-mirroring",children:"Enabling Registry Mirroring"}),"\n",(0,t.jsx)(r.p,{children:"Enabling mirroring for a registry allows a node to both pull images from that registry from other nodes, and share the registry's images with other nodes.\nIf a registry is enabled for mirroring on some nodes, but not on others, only the nodes with the registry enabled will exchange images from that registry."}),"\n",(0,t.jsxs)(r.p,{children:["In order to enable mirroring of images from an upstream container registry, nodes must have an entry in the ",(0,t.jsx)(r.code,{children:"mirrors"})," section of ",(0,t.jsx)(r.code,{children:"registries.yaml"})," for that registry.\nThe registry does not need to have any endpoints listed, it just needs to be present.\nFor example, to enable distributed mirroring of images from ",(0,t.jsx)(r.code,{children:"docker.io"})," and ",(0,t.jsx)(r.code,{children:"registry.k8s.io"}),", configure ",(0,t.jsx)(r.code,{children:"registries.yaml"})," with the following content on all cluster nodes:"]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:"mirrors:\n docker.io:\n registry.k8s.io:\n"})}),"\n",(0,t.jsxs)(r.p,{children:["Endpoints for registry mirrors may also be added as usual.\nIn the following configuration, images pull attempts will first try the embedded mirror, then ",(0,t.jsx)(r.code,{children:"mirror.example.com"}),", then finally ",(0,t.jsx)(r.code,{children:"docker.io"}),":"]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:"mirrors:\n docker.io:\n endpoint:\n - https://mirror.example.com\n"})}),"\n",(0,t.jsx)(r.p,{children:"If you are using a private registry directly, instead of as a mirror for an upstream registry, you may enable distributed mirroring in the same way public\nregistries are enabled - by listing it in the mirrors section:"}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:"mirrors:\n mirror.example.com:\n"})}),"\n",(0,t.jsx)(r.admonition,{title:"Version Gate",type:"info",children:(0,t.jsx)(r.p,{children:"Wildcard support is available as of the March 2024 releases: v1.26.15+k3s1, v1.27.12+k3s1, v1.28.8+k3s1, v1.29.3+k3s1"})}),"\n",(0,t.jsxs)(r.p,{children:["The ",(0,t.jsx)(r.code,{children:'"*"'})," wildcard mirror entry can be used to enable distributed mirroring of all registries. Note that the asterisk MUST be quoted:"]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:'mirrors:\n "*":\n'})}),"\n",(0,t.jsx)(r.p,{children:"If no registries are enabled for mirroring on a node, that node does not participate in the distributed registry in any capacity."}),"\n",(0,t.jsxs)(r.p,{children:["For more information on the structure of the ",(0,t.jsx)(r.code,{children:"registries.yaml"})," file, see ",(0,t.jsx)(r.a,{href:"/installation/private-registry",children:"Private Registry Configuration"}),"."]}),"\n",(0,t.jsx)(r.h3,{id:"default-endpoint-fallback",children:"Default Endpoint Fallback"}),"\n",(0,t.jsxs)(r.p,{children:["By default, containerd will fall back to the default endpoint when pulling from registries with mirror endpoints configured. If you want to disable this,\nand only pull images from the configured mirrors and/or the embedded mirror, see the ",(0,t.jsx)(r.a,{href:"/installation/private-registry#default-endpoint-fallback",children:"Default Endpoint Fallback"}),"\nsection of the Private Registry Configuration documentation."]}),"\n",(0,t.jsxs)(r.p,{children:["Note that if you are using the ",(0,t.jsx)(r.code,{children:"--disable-default-endpoint"})," option and want to allow pulling directly from a particular registry, while disallowing the rest,\nyou can explicitly provide an endpoint in order to allow the image pull to fall back to the registry itself:"]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:"mirrors:\n docker.io: # no default endpoint, pulls will fail if not available on a node\n registry.k8s.io: # no default endpoint, pulls will fail if not available on a node\n mirror.example.com: # explicit default endpoint, can pull from upstream if not available on a node\n endpoint:\n - https://mirror.example.com\n"})}),"\n",(0,t.jsx)(r.h3,{id:"latest-tag",children:"Latest Tag"}),"\n",(0,t.jsxs)(r.p,{children:["When no tag is specified for a container image, the implicit default tag is ",(0,t.jsx)(r.code,{children:"latest"}),". This tag is frequently\nupdated to point at the most recent version of the image. Because this tag will point at a different revisions\nof an image depending on when it is pulled, the distributed registry ",(0,t.jsx)(r.strong,{children:"will not"})," pull the ",(0,t.jsx)(r.code,{children:"latest"})," tag from\nother nodes. This forces containerd go out to an upstream registry or registry mirror to ensure a consistent\nview of what the ",(0,t.jsx)(r.code,{children:"latest"})," tag refers to."]}),"\n",(0,t.jsxs)(r.p,{children:["This aligns with the ",(0,t.jsxs)(r.a,{href:"https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting",children:["special ",(0,t.jsx)(r.code,{children:"imagePullPolicy"})," defaulting"]}),"\nobserved by Kubernetes when using the ",(0,t.jsx)(r.code,{children:"latest"})," tag for a container image."]}),"\n",(0,t.jsxs)(r.p,{children:["Mirroring the ",(0,t.jsx)(r.code,{children:"latest"})," tag can be enabled by setting the ",(0,t.jsx)(r.code,{children:"K3S_P2P_ENABLE_LATEST=true"})," environment variable for the K3s service.\nThis is unsupported and not recommended, for the reasons discussed above."]}),"\n",(0,t.jsx)(r.h2,{id:"security",children:"Security"}),"\n",(0,t.jsx)(r.h3,{id:"authentication",children:"Authentication"}),"\n",(0,t.jsx)(r.p,{children:"Access to the embedded mirror's registry API requires a valid client certificate, signed by the cluster's client certificate authority."}),"\n",(0,t.jsx)(r.p,{children:"Access to the distributed hash table's peer-to-peer network requires a preshared key that is controlled by server nodes.\nNodes authenticate each other using both the preshared key, and a certificate signed by the cluster certificate authority."}),"\n",(0,t.jsx)(r.h3,{id:"potential-concerns",children:"Potential Concerns"}),"\n",(0,t.jsx)(r.admonition,{type:"warning",children:(0,t.jsx)(r.p,{children:"The distributed registry is built on peer-to-peer principles, and assumes an equal level of privilege and trust between all cluster members.\nIf this does not match your cluster's security posture, you should not enable the embedded distributed registry."})}),"\n",(0,t.jsxs)(r.p,{children:["The embedded registry may make available images that a node may not otherwise have access to.\nFor example, if some of your images are pulled from a registry, project, or repository that requires authentication via Kubernetes Image Pull Secrets, or credentials in ",(0,t.jsx)(r.code,{children:"registries.yaml"}),",\nthe distributed registry will allow other nodes to share those images without providing any credentials to the upstream registry."]}),"\n",(0,t.jsx)(r.p,{children:"Users with access to push images into the containerd image store on one node may be able to use this to 'poison' the image for other cluster nodes,\nas other nodes will trust the tag advertised by the node, and use it without checking with the upstream registry.\nIf image integrity is important, you should use image digests instead of tags, as the digest cannot be poisoned in this manner."}),"\n",(0,t.jsx)(r.h2,{id:"sharing-air-gap-or-manually-loaded-images",children:"Sharing Air-gap or Manually Loaded Images"}),"\n",(0,t.jsxs)(r.p,{children:["Images sharing is controlled based on the source registry.\nImages loaded directly into containerd via air-gap tarballs, or loaded directly into containerd's image store using the ",(0,t.jsx)(r.code,{children:"ctr"})," command line tool,\nwill be shared between nodes if they are tagged as being from a registry that is enabled for mirroring."]}),"\n",(0,t.jsxs)(r.p,{children:["Note that the upstream registry that the images appear to come from does not actually have to exist or be reachable.\nFor example, you could tag images as being from a fictitious upstream registry, and import those images into containerd's image store.\nYou would then be able to pull those images from all cluster members, as long as that registry is listed in ",(0,t.jsx)(r.code,{children:"registries.yaml"})]}),"\n",(0,t.jsx)(r.h2,{id:"pushing-images",children:"Pushing Images"}),"\n",(0,t.jsxs)(r.p,{children:["The embedded registry is read-only, and cannot be pushed to directly using ",(0,t.jsx)(r.code,{children:"docker push"})," or other common tools that interact with OCI registries."]}),"\n",(0,t.jsxs)(r.p,{children:["Images can be manually made available via the embedded registry by running ",(0,t.jsx)(r.code,{children:"ctr -n k8s.io image pull"})," to pull an image,\nor by loading image archives created by ",(0,t.jsx)(r.code,{children:"docker save"})," via the ",(0,t.jsx)(r.code,{children:"ctr -n k8s.io image import"})," command.\nNote that the ",(0,t.jsx)(r.code,{children:"k8s.io"})," namespace must be specified when managing images via ",(0,t.jsx)(r.code,{children:"ctr"})," in order for them to be visible to the kubelet."]})]})}function h(e={}){const{wrapper:r}={...(0,n.a)(),...e.components};return r?(0,t.jsx)(r,{...e,children:(0,t.jsx)(c,{...e})}):c(e)}},1151:(e,r,i)=>{i.d(r,{Z:()=>o,a:()=>a});var t=i(7294);const n={},s=t.createContext(n);function a(e){const r=t.useContext(s);return t.useMemo((function(){return"function"==typeof e?e(r):{...r,...e}}),[r,e])}function o(e){let r;return r=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:a(e.components),t.createElement(s.Provider,{value:r},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/5159b4a0.64a2572d.js b/assets/js/5159b4a0.64a2572d.js deleted file mode 100644 index aae95ce23..000000000 --- a/assets/js/5159b4a0.64a2572d.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[9478],{7477:(e,r,i)=>{i.r(r),i.d(r,{assets:()=>l,contentTitle:()=>a,default:()=>h,frontMatter:()=>s,metadata:()=>o,toc:()=>d});var t=i(5893),n=i(1151);const s={title:"Embedded Registry Mirror"},a=void 0,o={id:"installation/registry-mirror",title:"Embedded Registry Mirror",description:"The Embedded Registry Mirror is available as an experimental feature as of January 2024 releases: v1.26.13+k3s1, v1.27.10+k3s1, v1.28.6+k3s1, v1.29.1+k3s1",source:"@site/docs/installation/registry-mirror.md",sourceDirName:"installation",slug:"/installation/registry-mirror",permalink:"/installation/registry-mirror",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/registry-mirror.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Embedded Registry Mirror"},sidebar:"mySidebar",previous:{title:"Private Registry Configuration",permalink:"/installation/private-registry"},next:{title:"Air-Gap Install",permalink:"/installation/airgap"}},l={},d=[{value:"Enabling The Distributed OCI Registry Mirror",id:"enabling-the-distributed-oci-registry-mirror",level:2},{value:"Requirements",id:"requirements",level:3},{value:"Enabling Registry Mirroring",id:"enabling-registry-mirroring",level:2},{value:"Default Endpoint Fallback",id:"default-endpoint-fallback",level:3},{value:"Latest Tag",id:"latest-tag",level:3},{value:"Security",id:"security",level:2},{value:"Authentication",id:"authentication",level:3},{value:"Potential Concerns",id:"potential-concerns",level:3},{value:"Sharing Air-gap or Manually Loaded Images",id:"sharing-air-gap-or-manually-loaded-images",level:2},{value:"Pushing Images",id:"pushing-images",level:2}];function c(e){const r={a:"a",admonition:"admonition",code:"code",h2:"h2",h3:"h3",p:"p",pre:"pre",strong:"strong",...(0,n.a)(),...e.components};return(0,t.jsxs)(t.Fragment,{children:[(0,t.jsx)(r.admonition,{title:"Version Gate",type:"info",children:(0,t.jsx)(r.p,{children:"The Embedded Registry Mirror is available as an experimental feature as of January 2024 releases: v1.26.13+k3s1, v1.27.10+k3s1, v1.28.6+k3s1, v1.29.1+k3s1"})}),"\n",(0,t.jsxs)(r.p,{children:["K3s embeds ",(0,t.jsx)(r.a,{href:"https://github.com/XenitAB/spegel",children:"Spegel"}),", a stateless distributed OCI registry mirror that allows peer-to-peer sharing of container images between nodes in a Kubernetes cluster.\nThe distributed registry mirror is disabled by default."]}),"\n",(0,t.jsx)(r.h2,{id:"enabling-the-distributed-oci-registry-mirror",children:"Enabling The Distributed OCI Registry Mirror"}),"\n",(0,t.jsxs)(r.p,{children:["In order to enable the embedded registry mirror, server nodes must be started with the ",(0,t.jsx)(r.code,{children:"--embedded-registry"})," flag, or with ",(0,t.jsx)(r.code,{children:"embedded-registry: true"})," in the configuration file.\nThis option enables the embedded mirror for use on all nodes in the cluster."]}),"\n",(0,t.jsxs)(r.p,{children:["When enabled at a cluster level, all nodes will host a local OCI registry on port 6443,\nand publish a list of available images via a peer to peer network on port 5001.\nAny image available in the containerd image store on any node, can be pulled by other cluster members without access to an external registry.\nImages imported via ",(0,t.jsx)(r.a,{href:"/installation/airgap#manually-deploy-images-method",children:"air-gap image tar files"})," are pinned in containerd to\nensure that they remain available and are not pruned by Kubelet garbage collection."]}),"\n",(0,t.jsxs)(r.p,{children:["The peer to peer port can changed from 5001 by setting the ",(0,t.jsx)(r.code,{children:"K3S_P2P_PORT"})," environment variable for the K3s service. The port must be set to the same value on all nodes.\nChanging the port is unsupported and not recommended."]}),"\n",(0,t.jsx)(r.h3,{id:"requirements",children:"Requirements"}),"\n",(0,t.jsx)(r.p,{children:"When the embedded registry mirror is enabled, all nodes must be able to reach each other via their internal IP addresses, on TCP ports 5001 and 6443.\nIf nodes cannot reach each other, it may take longer for images to be pulled, as the distributed registry will be tried first by containerd, before it falls back to other endpoints."}),"\n",(0,t.jsx)(r.h2,{id:"enabling-registry-mirroring",children:"Enabling Registry Mirroring"}),"\n",(0,t.jsx)(r.p,{children:"Enabling mirroring for a registry allows a node to both pull images from that registry from other nodes, and share the registry's images with other nodes.\nIf a registry is enabled for mirroring on some nodes, but not on others, only the nodes with the registry enabled will exchange images from that registry."}),"\n",(0,t.jsxs)(r.p,{children:["In order to enable mirroring of images from an upstream container registry, nodes must have an entry in the ",(0,t.jsx)(r.code,{children:"mirrors"})," section of ",(0,t.jsx)(r.code,{children:"registries.yaml"})," for that registry.\nThe registry does not need to have any endpoints listed, it just needs to be present.\nFor example, to enable distributed mirroring of images from ",(0,t.jsx)(r.code,{children:"docker.io"})," and ",(0,t.jsx)(r.code,{children:"registry.k8s.io"}),", configure ",(0,t.jsx)(r.code,{children:"registries.yaml"})," with the following content on all cluster nodes:"]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:"mirrors:\n docker.io:\n registry.k8s.io:\n"})}),"\n",(0,t.jsxs)(r.p,{children:["Endpoints for registry mirrors may also be added as usual.\nIn the following configuration, images pull attempts will first try the embedded mirror, then ",(0,t.jsx)(r.code,{children:"mirror.example.com"}),", then finally ",(0,t.jsx)(r.code,{children:"docker.io"}),":"]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:"mirrors:\n docker.io:\n endpoint:\n - https://mirror.example.com\n"})}),"\n",(0,t.jsx)(r.p,{children:"If you are using a private registry directly, instead of as a mirror for an upstream registry, you may enable distributed mirroring in the same way public\nregistries are enabled - by listing it in the mirrors section:"}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:"mirrors:\n mirror.example.com:\n"})}),"\n",(0,t.jsx)(r.admonition,{title:"Version Gate",type:"info",children:(0,t.jsx)(r.p,{children:"Wildcard support is available as of the March 2024 releases: v1.26.15+k3s1, v1.27.12+k3s1, v1.28.8+k3s1, v1.29.3+k3s1"})}),"\n",(0,t.jsxs)(r.p,{children:["The ",(0,t.jsx)(r.code,{children:'"*"'})," wildcard mirror entry can be used to enable distributed mirroring of all registries. Note that the asterisk MUST be quoted:"]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:'mirrors:\n "*":\n'})}),"\n",(0,t.jsx)(r.p,{children:"If no registries are enabled for mirroring on a node, that node does not participate in the distributed registry in any capacity."}),"\n",(0,t.jsxs)(r.p,{children:["For more information on the structure of the ",(0,t.jsx)(r.code,{children:"registries.yaml"})," file, see ",(0,t.jsx)(r.a,{href:"/installation/private-registry",children:"Private Registry Configuration"}),"."]}),"\n",(0,t.jsx)(r.h3,{id:"default-endpoint-fallback",children:"Default Endpoint Fallback"}),"\n",(0,t.jsxs)(r.p,{children:["By default, containerd will fall back to the default endpoint when pulling from registries with mirror endpoints configured. If you want to disable this,\nand only pull images from the configured mirrors and/or the embedded mirror, see the ",(0,t.jsx)(r.a,{href:"/installation/private-registry#default-endpoint-fallback",children:"Default Endpoint Fallback"}),"\nsection of the Private Registry Configuration documentation."]}),"\n",(0,t.jsxs)(r.p,{children:["Note that if you are using the ",(0,t.jsx)(r.code,{children:"--disable-default-endpoint"})," option and want to allow pulling directly from a particular registry, while disallowing the rest,\nyou can explicitly provide an endpoint in order to allow the image pull to fall back to the registry itself:"]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:"mirrors:\n docker.io: # no default endpoint, pulls will fail if not available on a node\n registry.k8s.io: # no default endpoint, pulls will fail if not available on a node\n mirror.example.com: # explicit default endpoint, can pull from upstream if not available on a node\n endpoint:\n - https://mirror.example.com\n"})}),"\n",(0,t.jsx)(r.h3,{id:"latest-tag",children:"Latest Tag"}),"\n",(0,t.jsxs)(r.p,{children:["When no tag is specified for a container image, the implicit default tag is ",(0,t.jsx)(r.code,{children:"latest"}),". This tag is frequently\nupdated to point at the most recent version of the image. Because this tag will point at a different revisions\nof an image depending on when it is pulled, the distributed registry ",(0,t.jsx)(r.strong,{children:"will not"})," pull the ",(0,t.jsx)(r.code,{children:"latest"})," tag from\nother nodes. This forces containerd go out to an upstream registry or registry mirror to ensure a consistent\nview of what the ",(0,t.jsx)(r.code,{children:"latest"})," tag refers to."]}),"\n",(0,t.jsxs)(r.p,{children:["This aligns with the ",(0,t.jsxs)(r.a,{href:"https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting",children:["special ",(0,t.jsx)(r.code,{children:"imagePullPolicy"})," defaulting"]}),"\nobserved by Kubernetes when using the ",(0,t.jsx)(r.code,{children:"latest"})," tag for a container image."]}),"\n",(0,t.jsxs)(r.p,{children:["Mirroring the ",(0,t.jsx)(r.code,{children:"latest"})," tag can be enabled by setting the ",(0,t.jsx)(r.code,{children:"K3S_P2P_ENABLE_LATEST=true"})," environment variable for the K3s service.\nThis is unsupported and not recommended, for the reasons discussed above."]}),"\n",(0,t.jsx)(r.h2,{id:"security",children:"Security"}),"\n",(0,t.jsx)(r.h3,{id:"authentication",children:"Authentication"}),"\n",(0,t.jsx)(r.p,{children:"Access to the embedded mirror's registry API requires a valid client certificate, signed by the cluster's client certificate authority."}),"\n",(0,t.jsx)(r.p,{children:"Access to the distributed hash table's peer-to-peer network requires a preshared key that is controlled by server nodes.\nNodes authenticate each other using both the preshared key, and a certificate signed by the cluster certificate authority."}),"\n",(0,t.jsx)(r.h3,{id:"potential-concerns",children:"Potential Concerns"}),"\n",(0,t.jsx)(r.admonition,{type:"warning",children:(0,t.jsx)(r.p,{children:"The distributed registry is built on peer-to-peer principles, and assumes an equal level of privilege and trust between all cluster members.\nIf this does not match your cluster's security posture, you should not enable the embedded distributed registry."})}),"\n",(0,t.jsxs)(r.p,{children:["The embedded registry may make available images that a node may not otherwise have access to.\nFor example, if some of your images are pulled from a registry, project, or repository that requires authentication via Kubernetes Image Pull Secrets, or credentials in ",(0,t.jsx)(r.code,{children:"registries.yaml"}),",\nthe distributed registry will allow other nodes to share those images without providing any credentials to the upstream registry."]}),"\n",(0,t.jsx)(r.p,{children:"Users with access to push images into the containerd image store on one node may be able to use this to 'poison' the image for other cluster nodes,\nas other nodes will trust the tag advertised by the node, and use it without checking with the upstream registry.\nIf image integrity is important, you should use image digests instead of tags, as the digest cannot be poisoned in this manner."}),"\n",(0,t.jsx)(r.h2,{id:"sharing-air-gap-or-manually-loaded-images",children:"Sharing Air-gap or Manually Loaded Images"}),"\n",(0,t.jsxs)(r.p,{children:["Images sharing is controlled based on the source registry.\nImages loaded directly into containerd via air-gap tarballs, or loaded directly into containerd's image store using the ",(0,t.jsx)(r.code,{children:"ctr"})," command line tool,\nwill be shared between nodes if they are tagged as being from a registry that is enabled for mirroring."]}),"\n",(0,t.jsxs)(r.p,{children:["Note that the upstream registry that the images appear to come from does not actually have to exist or be reachable.\nFor example, you could tag images as being from a fictitious upstream registry, and import those images into containerd's image store.\nYou would then be able to pull those images from all cluster members, as long as that registry is listed in ",(0,t.jsx)(r.code,{children:"registries.yaml"})]}),"\n",(0,t.jsx)(r.h2,{id:"pushing-images",children:"Pushing Images"}),"\n",(0,t.jsxs)(r.p,{children:["The embedded registry is read-only, and cannot be pushed to directly using ",(0,t.jsx)(r.code,{children:"docker push"})," or other common tools that interact with OCI registries."]}),"\n",(0,t.jsxs)(r.p,{children:["Images can be manually made available via the embedded registry by running ",(0,t.jsx)(r.code,{children:"ctr -n k8s.io image pull"})," to pull an image,\nor by loading image archives created by ",(0,t.jsx)(r.code,{children:"docker save"})," via the ",(0,t.jsx)(r.code,{children:"ctr -n k8s.io image import"})," command.\nNote that the ",(0,t.jsx)(r.code,{children:"k8s.io"})," namespace must be specified when managing images via ",(0,t.jsx)(r.code,{children:"ctr"})," in order for them to be visible to the kubelet."]})]})}function h(e={}){const{wrapper:r}={...(0,n.a)(),...e.components};return r?(0,t.jsx)(r,{...e,children:(0,t.jsx)(c,{...e})}):c(e)}},1151:(e,r,i)=>{i.d(r,{Z:()=>o,a:()=>a});var t=i(7294);const n={},s=t.createContext(n);function a(e){const r=t.useContext(s);return t.useMemo((function(){return"function"==typeof e?e(r):{...r,...e}}),[r,e])}function o(e){let r;return r=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:a(e.components),t.createElement(s.Provider,{value:r},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/5281b7a2.1d5cfe2a.js b/assets/js/5281b7a2.1d5cfe2a.js new file mode 100644 index 000000000..50b4c0bb9 --- /dev/null +++ b/assets/js/5281b7a2.1d5cfe2a.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[5927],{6506:(e,t,s)=>{s.r(t),s.d(t,{assets:()=>l,contentTitle:()=>d,default:()=>g,frontMatter:()=>o,metadata:()=>c,toc:()=>h});var n=s(5893),r=s(1151),i=s(9965),a=s(4996);const o={title:"Architecture"},d=void 0,c={id:"architecture",title:"Architecture",description:"Servers and Agents",source:"@site/docs/architecture.md",sourceDirName:".",slug:"/architecture",permalink:"/architecture",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/architecture.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Architecture"},sidebar:"mySidebar",previous:{title:"token",permalink:"/cli/token"},next:{title:"Cluster Access",permalink:"/cluster-access"}},l={},h=[{value:"Servers and Agents",id:"servers-and-agents",level:3},{value:"Single-server Setup with an Embedded DB",id:"single-server-setup-with-an-embedded-db",level:3},{value:"High-Availability K3s",id:"high-availability-k3s",level:3},{value:"Fixed Registration Address for Agent Nodes",id:"fixed-registration-address-for-agent-nodes",level:3},{value:"How Agent Node Registration Works",id:"how-agent-node-registration-works",level:3}];function u(e){const t={a:"a",code:"code",h3:"h3",img:"img",li:"li",p:"p",strong:"strong",ul:"ul",...(0,r.a)(),...e.components},{TabItem:o,Tabs:d}=t;return o||v("TabItem",!0),d||v("Tabs",!0),(0,n.jsxs)(n.Fragment,{children:[(0,n.jsx)(t.h3,{id:"servers-and-agents",children:"Servers and Agents"}),"\n",(0,n.jsxs)(t.ul,{children:["\n",(0,n.jsxs)(t.li,{children:["A server node is defined as a host running the ",(0,n.jsx)(t.code,{children:"k3s server"})," command, with control-plane and datastore components managed by K3s."]}),"\n",(0,n.jsxs)(t.li,{children:["An agent node is defined as a host running the ",(0,n.jsx)(t.code,{children:"k3s agent"})," command, without any datastore or control-plane components."]}),"\n",(0,n.jsxs)(t.li,{children:["Both servers and agents run the kubelet, container runtime, and CNI. See the ",(0,n.jsx)(t.a,{href:"/advanced#running-agentless-servers-experimental",children:"Advanced Options"})," documentation for more information on running agentless servers."]}),"\n"]}),"\n",(0,n.jsx)(t.p,{children:(0,n.jsx)(t.img,{src:s(4530).Z+"",width:"1562",height:"898"})}),"\n",(0,n.jsx)(t.h3,{id:"single-server-setup-with-an-embedded-db",children:"Single-server Setup with an Embedded DB"}),"\n",(0,n.jsx)(t.p,{children:"The following diagram shows an example of a cluster that has a single-node K3s server with an embedded SQLite database."}),"\n",(0,n.jsx)(t.p,{children:"In this configuration, each agent node is registered to the same server node. A K3s user can manipulate Kubernetes resources by calling the K3s API on the server node."}),"\n",(0,n.jsx)(i.Z,{alt:"K3s Architecture with a Single Server",sources:{light:(0,a.ZP)("/img/k3s-architecture-single-server.svg"),dark:(0,a.ZP)("/img/k3s-architecture-single-server-dark.svg")}}),"\n",(0,n.jsx)(t.h3,{id:"high-availability-k3s",children:"High-Availability K3s"}),"\n",(0,n.jsx)(t.p,{children:"Single server clusters can meet a variety of use cases, but for environments where uptime of the Kubernetes control plane is critical, you can run K3s in an HA configuration. An HA K3s cluster comprises:"}),"\n",(0,n.jsxs)(d,{children:[(0,n.jsxs)(o,{value:"Embedded DB",children:[(0,n.jsxs)(t.ul,{children:["\n",(0,n.jsxs)(t.li,{children:["Three or more ",(0,n.jsx)(t.strong,{children:"server nodes"})," that will serve the Kubernetes API and run other control plane services"]}),"\n",(0,n.jsxs)(t.li,{children:["An ",(0,n.jsx)(t.strong,{children:"embedded etcd datastore"})," (as opposed to the embedded SQLite datastore used in single-server setups)"]}),"\n"]}),(0,n.jsx)(i.Z,{alt:"K3s Architecture with High-availability Servers",sources:{light:(0,a.ZP)("/img/k3s-architecture-ha-embedded.svg"),dark:(0,a.ZP)("/img/k3s-architecture-ha-embedded-dark.svg")}})]}),(0,n.jsxs)(o,{value:"External DB",children:[(0,n.jsxs)(t.ul,{children:["\n",(0,n.jsxs)(t.li,{children:["Two or more ",(0,n.jsx)(t.strong,{children:"server nodes"})," that will serve the Kubernetes API and run other control plane services"]}),"\n",(0,n.jsxs)(t.li,{children:["An ",(0,n.jsx)(t.strong,{children:"external datastore"})," (such as MySQL, PostgreSQL, or etcd)"]}),"\n"]}),(0,n.jsx)(i.Z,{alt:"K3s Architecture with High-availability Servers and an External DB",sources:{light:(0,a.ZP)("/img/k3s-architecture-ha-external.svg"),dark:(0,a.ZP)("/img/k3s-architecture-ha-external-dark.svg")}})]})]}),"\n",(0,n.jsx)(t.h3,{id:"fixed-registration-address-for-agent-nodes",children:"Fixed Registration Address for Agent Nodes"}),"\n",(0,n.jsx)(t.p,{children:"In the high-availability server configuration, each node can also register with the Kubernetes API by using a fixed registration address, as shown in the diagram below."}),"\n",(0,n.jsx)(t.p,{children:"After registration, the agent nodes establish a connection directly to one of the server nodes."}),"\n",(0,n.jsx)(i.Z,{alt:"Agent Registration HA",sources:{light:(0,a.ZP)("/img/k3s-production-setup.svg"),dark:(0,a.ZP)("/img/k3s-production-setup-dark.svg")}}),"\n",(0,n.jsx)(t.h3,{id:"how-agent-node-registration-works",children:"How Agent Node Registration Works"}),"\n",(0,n.jsxs)(t.p,{children:["Agent nodes are registered with a websocket connection initiated by the ",(0,n.jsx)(t.code,{children:"k3s agent"})," process, and the connection is maintained by a client-side load balancer running as part of the agent process. Initially, the agent connects to the supervisor (and kube-apiserver) via the local load-balancer on port 6443. The load-balancer maintains a list of available endpoints to connect to. The default (and initially only) endpoint is seeded by the hostname from the ",(0,n.jsx)(t.code,{children:"--server"})," address. Once it connects to the cluster, the agent retrieves a list of kube-apiserver addresses from the Kubernetes service endpoint list in the default namespace. Those endpoints are added to the load balancer, which then maintains stable connections to all servers in the cluster, providing a connection to the kube-apiserver that tolerates outages of individual servers."]}),"\n",(0,n.jsxs)(t.p,{children:["Agents will register with the server using the node cluster secret along with a randomly generated password for the node, stored at ",(0,n.jsx)(t.code,{children:"/etc/rancher/node/password"}),". The server will store the passwords for individual nodes as Kubernetes secrets, and any subsequent attempts must use the same password. Node password secrets are stored in the ",(0,n.jsx)(t.code,{children:"kube-system"})," namespace with names using the template ",(0,n.jsx)(t.code,{children:".node-password.k3s"}),". This is done to protect the integrity of node IDs."]}),"\n",(0,n.jsxs)(t.p,{children:["If the ",(0,n.jsx)(t.code,{children:"/etc/rancher/node"})," directory of an agent is removed, or you wish to rejoin a node using an existing name, the node should be deleted from the cluster. This will clean up both the old node entry, and the node password secret, and allow the node to (re)join the cluster."]}),"\n",(0,n.jsxs)(t.p,{children:["If you frequently reuse hostnames, but are unable to remove the node password secrets, a unique node ID can be automatically appended to the hostname by launching K3s servers or agents using the ",(0,n.jsx)(t.code,{children:"--with-node-id"})," flag. When enabled, the node ID is also stored in ",(0,n.jsx)(t.code,{children:"/etc/rancher/node/"}),"."]})]})}function g(e={}){const{wrapper:t}={...(0,r.a)(),...e.components};return t?(0,n.jsx)(t,{...e,children:(0,n.jsx)(u,{...e})}):u(e)}function v(e,t){throw new Error("Expected "+(t?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},4530:(e,t,s)=>{s.d(t,{Z:()=>n});const n=s.p+"assets/images/how-it-works-k3s-revised-9c025ef482404bca2e53a89a0ba7a3c5.svg"},1151:(e,t,s)=>{s.d(t,{Z:()=>o,a:()=>a});var n=s(7294);const r={},i=n.createContext(r);function a(e){const t=n.useContext(i);return n.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function o(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:a(e.components),n.createElement(i.Provider,{value:t},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/5281b7a2.a1edc1e5.js b/assets/js/5281b7a2.a1edc1e5.js deleted file mode 100644 index 3cd790932..000000000 --- a/assets/js/5281b7a2.a1edc1e5.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[5927],{6506:(e,t,s)=>{s.r(t),s.d(t,{assets:()=>l,contentTitle:()=>d,default:()=>g,frontMatter:()=>o,metadata:()=>c,toc:()=>h});var n=s(5893),r=s(1151),i=s(9965),a=s(4996);const o={title:"Architecture"},d=void 0,c={id:"architecture",title:"Architecture",description:"Servers and Agents",source:"@site/docs/architecture.md",sourceDirName:".",slug:"/architecture",permalink:"/architecture",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/architecture.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Architecture"},sidebar:"mySidebar",previous:{title:"token",permalink:"/cli/token"},next:{title:"Cluster Access",permalink:"/cluster-access"}},l={},h=[{value:"Servers and Agents",id:"servers-and-agents",level:3},{value:"Single-server Setup with an Embedded DB",id:"single-server-setup-with-an-embedded-db",level:3},{value:"High-Availability K3s",id:"high-availability-k3s",level:3},{value:"Fixed Registration Address for Agent Nodes",id:"fixed-registration-address-for-agent-nodes",level:3},{value:"How Agent Node Registration Works",id:"how-agent-node-registration-works",level:3}];function u(e){const t={a:"a",code:"code",h3:"h3",img:"img",li:"li",p:"p",strong:"strong",ul:"ul",...(0,r.a)(),...e.components},{TabItem:o,Tabs:d}=t;return o||v("TabItem",!0),d||v("Tabs",!0),(0,n.jsxs)(n.Fragment,{children:[(0,n.jsx)(t.h3,{id:"servers-and-agents",children:"Servers and Agents"}),"\n",(0,n.jsxs)(t.ul,{children:["\n",(0,n.jsxs)(t.li,{children:["A server node is defined as a host running the ",(0,n.jsx)(t.code,{children:"k3s server"})," command, with control-plane and datastore components managed by K3s."]}),"\n",(0,n.jsxs)(t.li,{children:["An agent node is defined as a host running the ",(0,n.jsx)(t.code,{children:"k3s agent"})," command, without any datastore or control-plane components."]}),"\n",(0,n.jsxs)(t.li,{children:["Both servers and agents run the kubelet, container runtime, and CNI. See the ",(0,n.jsx)(t.a,{href:"/advanced#running-agentless-servers-experimental",children:"Advanced Options"})," documentation for more information on running agentless servers."]}),"\n"]}),"\n",(0,n.jsx)(t.p,{children:(0,n.jsx)(t.img,{src:s(4530).Z+"",width:"1562",height:"898"})}),"\n",(0,n.jsx)(t.h3,{id:"single-server-setup-with-an-embedded-db",children:"Single-server Setup with an Embedded DB"}),"\n",(0,n.jsx)(t.p,{children:"The following diagram shows an example of a cluster that has a single-node K3s server with an embedded SQLite database."}),"\n",(0,n.jsx)(t.p,{children:"In this configuration, each agent node is registered to the same server node. A K3s user can manipulate Kubernetes resources by calling the K3s API on the server node."}),"\n",(0,n.jsx)(i.Z,{alt:"K3s Architecture with a Single Server",sources:{light:(0,a.ZP)("/img/k3s-architecture-single-server.svg"),dark:(0,a.ZP)("/img/k3s-architecture-single-server-dark.svg")}}),"\n",(0,n.jsx)(t.h3,{id:"high-availability-k3s",children:"High-Availability K3s"}),"\n",(0,n.jsx)(t.p,{children:"Single server clusters can meet a variety of use cases, but for environments where uptime of the Kubernetes control plane is critical, you can run K3s in an HA configuration. An HA K3s cluster comprises:"}),"\n",(0,n.jsxs)(d,{children:[(0,n.jsxs)(o,{value:"Embedded DB",children:[(0,n.jsxs)(t.ul,{children:["\n",(0,n.jsxs)(t.li,{children:["Three or more ",(0,n.jsx)(t.strong,{children:"server nodes"})," that will serve the Kubernetes API and run other control plane services"]}),"\n",(0,n.jsxs)(t.li,{children:["An ",(0,n.jsx)(t.strong,{children:"embedded etcd datastore"})," (as opposed to the embedded SQLite datastore used in single-server setups)"]}),"\n"]}),(0,n.jsx)(i.Z,{alt:"K3s Architecture with High-availability Servers",sources:{light:(0,a.ZP)("/img/k3s-architecture-ha-embedded.svg"),dark:(0,a.ZP)("/img/k3s-architecture-ha-embedded-dark.svg")}})]}),(0,n.jsxs)(o,{value:"External DB",children:[(0,n.jsxs)(t.ul,{children:["\n",(0,n.jsxs)(t.li,{children:["Two or more ",(0,n.jsx)(t.strong,{children:"server nodes"})," that will serve the Kubernetes API and run other control plane services"]}),"\n",(0,n.jsxs)(t.li,{children:["An ",(0,n.jsx)(t.strong,{children:"external datastore"})," (such as MySQL, PostgreSQL, or etcd)"]}),"\n"]}),(0,n.jsx)(i.Z,{alt:"K3s Architecture with High-availability Servers and an External DB",sources:{light:(0,a.ZP)("/img/k3s-architecture-ha-external.svg"),dark:(0,a.ZP)("/img/k3s-architecture-ha-external-dark.svg")}})]})]}),"\n",(0,n.jsx)(t.h3,{id:"fixed-registration-address-for-agent-nodes",children:"Fixed Registration Address for Agent Nodes"}),"\n",(0,n.jsx)(t.p,{children:"In the high-availability server configuration, each node can also register with the Kubernetes API by using a fixed registration address, as shown in the diagram below."}),"\n",(0,n.jsx)(t.p,{children:"After registration, the agent nodes establish a connection directly to one of the server nodes."}),"\n",(0,n.jsx)(i.Z,{alt:"Agent Registration HA",sources:{light:(0,a.ZP)("/img/k3s-production-setup.svg"),dark:(0,a.ZP)("/img/k3s-production-setup-dark.svg")}}),"\n",(0,n.jsx)(t.h3,{id:"how-agent-node-registration-works",children:"How Agent Node Registration Works"}),"\n",(0,n.jsxs)(t.p,{children:["Agent nodes are registered with a websocket connection initiated by the ",(0,n.jsx)(t.code,{children:"k3s agent"})," process, and the connection is maintained by a client-side load balancer running as part of the agent process. Initially, the agent connects to the supervisor (and kube-apiserver) via the local load-balancer on port 6443. The load-balancer maintains a list of available endpoints to connect to. The default (and initially only) endpoint is seeded by the hostname from the ",(0,n.jsx)(t.code,{children:"--server"})," address. Once it connects to the cluster, the agent retrieves a list of kube-apiserver addresses from the Kubernetes service endpoint list in the default namespace. Those endpoints are added to the load balancer, which then maintains stable connections to all servers in the cluster, providing a connection to the kube-apiserver that tolerates outages of individual servers."]}),"\n",(0,n.jsxs)(t.p,{children:["Agents will register with the server using the node cluster secret along with a randomly generated password for the node, stored at ",(0,n.jsx)(t.code,{children:"/etc/rancher/node/password"}),". The server will store the passwords for individual nodes as Kubernetes secrets, and any subsequent attempts must use the same password. Node password secrets are stored in the ",(0,n.jsx)(t.code,{children:"kube-system"})," namespace with names using the template ",(0,n.jsx)(t.code,{children:".node-password.k3s"}),". This is done to protect the integrity of node IDs."]}),"\n",(0,n.jsxs)(t.p,{children:["If the ",(0,n.jsx)(t.code,{children:"/etc/rancher/node"})," directory of an agent is removed, or you wish to rejoin a node using an existing name, the node should be deleted from the cluster. This will clean up both the old node entry, and the node password secret, and allow the node to (re)join the cluster."]}),"\n",(0,n.jsxs)(t.p,{children:["If you frequently reuse hostnames, but are unable to remove the node password secrets, a unique node ID can be automatically appended to the hostname by launching K3s servers or agents using the ",(0,n.jsx)(t.code,{children:"--with-node-id"})," flag. When enabled, the node ID is also stored in ",(0,n.jsx)(t.code,{children:"/etc/rancher/node/"}),"."]})]})}function g(e={}){const{wrapper:t}={...(0,r.a)(),...e.components};return t?(0,n.jsx)(t,{...e,children:(0,n.jsx)(u,{...e})}):u(e)}function v(e,t){throw new Error("Expected "+(t?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},4530:(e,t,s)=>{s.d(t,{Z:()=>n});const n=s.p+"assets/images/how-it-works-k3s-revised-9c025ef482404bca2e53a89a0ba7a3c5.svg"},1151:(e,t,s)=>{s.d(t,{Z:()=>o,a:()=>a});var n=s(7294);const r={},i=n.createContext(r);function a(e){const t=n.useContext(i);return n.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function o(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:a(e.components),n.createElement(i.Provider,{value:t},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/57d35c99.19d8884d.js b/assets/js/57d35c99.19d8884d.js new file mode 100644 index 000000000..9ba0a28f2 --- /dev/null +++ b/assets/js/57d35c99.19d8884d.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[8005],{3548:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>l,contentTitle:()=>c,default:()=>p,frontMatter:()=>s,metadata:()=>o,toc:()=>a});var i=t(5893),r=t(1151);const s={title:"Secrets Encryption"},c="Secrets Encryption Config",o={id:"security/secrets-encryption",title:"Secrets Encryption",description:"K3s supports enabling secrets encryption at rest. When first starting the server, passing the flag --secrets-encryption will do the following automatically:",source:"@site/docs/security/secrets-encryption.md",sourceDirName:"security",slug:"/security/secrets-encryption",permalink:"/security/secrets-encryption",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/security/secrets-encryption.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Secrets Encryption"},sidebar:"mySidebar",previous:{title:"Security",permalink:"/security/"},next:{title:"CIS Hardening Guide",permalink:"/security/hardening-guide"}},l={},a=[{value:"Secrets Encryption Tool",id:"secrets-encryption-tool",level:2}];function d(e){const n={a:"a",admonition:"admonition",br:"br",code:"code",h1:"h1",h2:"h2",header:"header",li:"li",mdxAdmonitionTitle:"mdxAdmonitionTitle",p:"p",pre:"pre",ul:"ul",...(0,r.a)(),...e.components};return(0,i.jsxs)(i.Fragment,{children:[(0,i.jsx)(n.header,{children:(0,i.jsx)(n.h1,{id:"secrets-encryption-config",children:"Secrets Encryption Config"})}),"\n",(0,i.jsxs)(n.p,{children:["K3s supports enabling secrets encryption at rest. When first starting the server, passing the flag ",(0,i.jsx)(n.code,{children:"--secrets-encryption"})," will do the following automatically:"]}),"\n",(0,i.jsxs)(n.ul,{children:["\n",(0,i.jsx)(n.li,{children:"Generate an AES-CBC key"}),"\n",(0,i.jsx)(n.li,{children:"Generate an encryption config file with the generated key"}),"\n",(0,i.jsx)(n.li,{children:"Pass the config to the KubeAPI as encryption-provider-config"}),"\n"]}),"\n",(0,i.jsxs)(n.admonition,{type:"tip",children:[(0,i.jsx)(n.mdxAdmonitionTitle,{}),(0,i.jsxs)(n.p,{children:["Secrets-encryption cannot be enabled on an existing server without restarting it.",(0,i.jsx)(n.br,{}),"\n","Use ",(0,i.jsx)(n.code,{children:"curl -sfL https://get.k3s.io | sh -s - server --secrets-encryption"})," if installing from script, or other methods described in ",(0,i.jsx)(n.a,{href:"/installation/configuration#configuration-with-install-script",children:"Configuration Options"}),"."]})]}),"\n",(0,i.jsx)(n.p,{children:"Example of the encryption config file:"}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-json",children:'{\n "kind": "EncryptionConfiguration",\n "apiVersion": "apiserver.config.k8s.io/v1",\n "resources": [\n {\n "resources": [\n "secrets"\n ],\n "providers": [\n {\n "aescbc": {\n "keys": [\n {\n "name": "aescbckey",\n "secret": "xxxxxxxxxxxxxxxxxxx"\n }\n ]\n }\n },\n {\n "identity": {}\n }\n ]\n }\n ]\n}\n'})}),"\n",(0,i.jsx)(n.h2,{id:"secrets-encryption-tool",children:"Secrets Encryption Tool"}),"\n",(0,i.jsxs)(n.p,{children:["K3s contains a utility tool ",(0,i.jsx)(n.code,{children:"secrets-encrypt"}),", which enables automatic control over the following:"]}),"\n",(0,i.jsxs)(n.ul,{children:["\n",(0,i.jsx)(n.li,{children:"Disabling/Enabling secrets encryption"}),"\n",(0,i.jsx)(n.li,{children:"Adding new encryption keys"}),"\n",(0,i.jsx)(n.li,{children:"Rotating and deleting encryption keys"}),"\n",(0,i.jsx)(n.li,{children:"Reencrypting secrets"}),"\n"]}),"\n",(0,i.jsxs)(n.p,{children:["For more information, see the ",(0,i.jsxs)(n.a,{href:"/cli/secrets-encrypt",children:[(0,i.jsx)(n.code,{children:"k3s secrets-encrypt"})," command documentation"]}),"."]})]})}function p(e={}){const{wrapper:n}={...(0,r.a)(),...e.components};return n?(0,i.jsx)(n,{...e,children:(0,i.jsx)(d,{...e})}):d(e)}},1151:(e,n,t)=>{t.d(n,{Z:()=>o,a:()=>c});var i=t(7294);const r={},s=i.createContext(r);function c(e){const n=i.useContext(s);return i.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function o(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:c(e.components),i.createElement(s.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/57d35c99.a6cfff3e.js b/assets/js/57d35c99.a6cfff3e.js deleted file mode 100644 index 0d2cb4dc9..000000000 --- a/assets/js/57d35c99.a6cfff3e.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[8005],{3548:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>l,contentTitle:()=>c,default:()=>p,frontMatter:()=>r,metadata:()=>o,toc:()=>a});var i=t(5893),s=t(1151);const r={title:"Secrets Encryption"},c="Secrets Encryption Config",o={id:"security/secrets-encryption",title:"Secrets Encryption",description:"K3s supports enabling secrets encryption at rest. When first starting the server, passing the flag --secrets-encryption will do the following automatically:",source:"@site/docs/security/secrets-encryption.md",sourceDirName:"security",slug:"/security/secrets-encryption",permalink:"/security/secrets-encryption",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/security/secrets-encryption.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Secrets Encryption"},sidebar:"mySidebar",previous:{title:"Security",permalink:"/security/"},next:{title:"CIS Hardening Guide",permalink:"/security/hardening-guide"}},l={},a=[{value:"Secrets Encryption Tool",id:"secrets-encryption-tool",level:2}];function d(e){const n={a:"a",admonition:"admonition",br:"br",code:"code",h1:"h1",h2:"h2",li:"li",mdxAdmonitionTitle:"mdxAdmonitionTitle",p:"p",pre:"pre",ul:"ul",...(0,s.a)(),...e.components};return(0,i.jsxs)(i.Fragment,{children:[(0,i.jsx)(n.h1,{id:"secrets-encryption-config",children:"Secrets Encryption Config"}),"\n",(0,i.jsxs)(n.p,{children:["K3s supports enabling secrets encryption at rest. When first starting the server, passing the flag ",(0,i.jsx)(n.code,{children:"--secrets-encryption"})," will do the following automatically:"]}),"\n",(0,i.jsxs)(n.ul,{children:["\n",(0,i.jsx)(n.li,{children:"Generate an AES-CBC key"}),"\n",(0,i.jsx)(n.li,{children:"Generate an encryption config file with the generated key"}),"\n",(0,i.jsx)(n.li,{children:"Pass the config to the KubeAPI as encryption-provider-config"}),"\n"]}),"\n",(0,i.jsxs)(n.admonition,{type:"tip",children:[(0,i.jsx)(n.mdxAdmonitionTitle,{}),(0,i.jsxs)(n.p,{children:["Secrets-encryption cannot be enabled on an existing server without restarting it.",(0,i.jsx)(n.br,{}),"\n","Use ",(0,i.jsx)(n.code,{children:"curl -sfL https://get.k3s.io | sh -s - server --secrets-encryption"})," if installing from script, or other methods described in ",(0,i.jsx)(n.a,{href:"/installation/configuration#configuration-with-install-script",children:"Configuration Options"}),"."]})]}),"\n",(0,i.jsx)(n.p,{children:"Example of the encryption config file:"}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-json",children:'{\n "kind": "EncryptionConfiguration",\n "apiVersion": "apiserver.config.k8s.io/v1",\n "resources": [\n {\n "resources": [\n "secrets"\n ],\n "providers": [\n {\n "aescbc": {\n "keys": [\n {\n "name": "aescbckey",\n "secret": "xxxxxxxxxxxxxxxxxxx"\n }\n ]\n }\n },\n {\n "identity": {}\n }\n ]\n }\n ]\n}\n'})}),"\n",(0,i.jsx)(n.h2,{id:"secrets-encryption-tool",children:"Secrets Encryption Tool"}),"\n",(0,i.jsxs)(n.p,{children:["K3s contains a utility tool ",(0,i.jsx)(n.code,{children:"secrets-encrypt"}),", which enables automatic control over the following:"]}),"\n",(0,i.jsxs)(n.ul,{children:["\n",(0,i.jsx)(n.li,{children:"Disabling/Enabling secrets encryption"}),"\n",(0,i.jsx)(n.li,{children:"Adding new encryption keys"}),"\n",(0,i.jsx)(n.li,{children:"Rotating and deleting encryption keys"}),"\n",(0,i.jsx)(n.li,{children:"Reencrypting secrets"}),"\n"]}),"\n",(0,i.jsxs)(n.p,{children:["For more information, see the ",(0,i.jsxs)(n.a,{href:"/cli/secrets-encrypt",children:[(0,i.jsx)(n.code,{children:"k3s secrets-encrypt"})," command documentation"]}),"."]})]})}function p(e={}){const{wrapper:n}={...(0,s.a)(),...e.components};return n?(0,i.jsx)(n,{...e,children:(0,i.jsx)(d,{...e})}):d(e)}},1151:(e,n,t)=>{t.d(n,{Z:()=>o,a:()=>c});var i=t(7294);const s={},r=i.createContext(s);function c(e){const n=i.useContext(r);return i.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function o(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(s):e.components||s:c(e.components),i.createElement(r.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/5e95c892.34e77302.js b/assets/js/5e95c892.06469c98.js similarity index 63% rename from assets/js/5e95c892.34e77302.js rename to assets/js/5e95c892.06469c98.js index 95c3dcfbe..d698b1a49 100644 --- a/assets/js/5e95c892.34e77302.js +++ b/assets/js/5e95c892.06469c98.js @@ -1 +1 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[9661],{1892:(s,e,r)=>{r.r(e),r.d(e,{default:()=>t});r(7294);var c=r(512),u=r(1944),a=r(5281),d=r(8790),k=r(2315),n=r(5893);function t(s){return(0,n.jsx)(u.FG,{className:(0,c.Z)(a.k.wrapper.docsPages),children:(0,n.jsx)(k.Z,{children:(0,d.H)(s.route.routes)})})}}}]); \ No newline at end of file +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[9661],{1892:(s,e,r)=>{r.r(e),r.d(e,{default:()=>t});r(7294);var c=r(512),u=r(1944),a=r(5281),d=r(8790),k=r(8947),n=r(5893);function t(s){return(0,n.jsx)(u.FG,{className:(0,c.Z)(a.k.wrapper.docsPages),children:(0,n.jsx)(k.Z,{children:(0,d.H)(s.route.routes)})})}}}]); \ No newline at end of file diff --git a/assets/js/5ea4afd8.60aa9d10.js b/assets/js/5ea4afd8.60aa9d10.js deleted file mode 100644 index 978e03cc5..000000000 --- a/assets/js/5ea4afd8.60aa9d10.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[9075],{7902:(e,r,s)=>{s.r(r),s.d(r,{assets:()=>c,contentTitle:()=>a,default:()=>u,frontMatter:()=>i,metadata:()=>l,toc:()=>o});var t=s(5893),n=s(1151);const i={title:"CIS 1.7 Self Assessment Guide"},a=void 0,l={id:"security/self-assessment-1.7",title:"CIS 1.7 Self Assessment Guide",description:"Overview",source:"@site/docs/security/self-assessment-1.7.md",sourceDirName:"security",slug:"/security/self-assessment-1.7",permalink:"/security/self-assessment-1.7",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/security/self-assessment-1.7.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"CIS 1.7 Self Assessment Guide"},sidebar:"mySidebar",previous:{title:"CIS 1.8 Self Assessment Guide",permalink:"/security/self-assessment-1.8"},next:{title:"CIS 1.24 Self Assessment Guide",permalink:"/security/self-assessment-1.24"}},c={},o=[{value:"Overview",id:"overview",level:2},{value:"Testing controls methodology",id:"testing-controls-methodology",level:3},{value:"1.1 Control Plane Node Configuration Files",id:"11-control-plane-node-configuration-files",level:2},{value:"1.1.1 Ensure that the API server pod specification file permissions are set to 600 or more restrictive (Automated)",id:"111-ensure-that-the-api-server-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.2 Ensure that the API server pod specification file ownership is set to root (Automated)",id:"112-ensure-that-the-api-server-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.3 Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive (Automated)",id:"113-ensure-that-the-controller-manager-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.4 Ensure that the controller manager pod specification file ownership is set to root (Automated)",id:"114-ensure-that-the-controller-manager-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.5 Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive (Automated)",id:"115-ensure-that-the-scheduler-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.6 Ensure that the scheduler pod specification file ownership is set to root (Automated)",id:"116-ensure-that-the-scheduler-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.7 Ensure that the etcd pod specification file permissions are set to 600 or more restrictive (Automated)",id:"117-ensure-that-the-etcd-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.8 Ensure that the etcd pod specification file ownership is set to root (Automated)",id:"118-ensure-that-the-etcd-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.9 Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Manual)",id:"119-ensure-that-the-container-network-interface-file-permissions-are-set-to-600-or-more-restrictive-manual",level:3},{value:"1.1.10 Ensure that the Container Network Interface file ownership is set to root (Automated)",id:"1110-ensure-that-the-container-network-interface-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)",id:"1111-ensure-that-the-etcd-data-directory-permissions-are-set-to-700-or-more-restrictive-automated",level:3},{value:"1.1.12 Ensure that the etcd data directory ownership is set to etcd (Automated)",id:"1112-ensure-that-the-etcd-data-directory-ownership-is-set-to-etcd-automated",level:3},{value:"1.1.13 Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)",id:"1113-ensure-that-the-adminconf-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.14 Ensure that the admin.conf file ownership is set to root (Automated)",id:"1114-ensure-that-the-adminconf-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.15 Ensure that the scheduler.conf file permissions are set to 600 or more restrictive (Automated)",id:"1115-ensure-that-the-schedulerconf-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.16 Ensure that the scheduler.conf file ownership is set to root (Automated)",id:"1116-ensure-that-the-schedulerconf-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.17 Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive (Automated)",id:"1117-ensure-that-the-controller-managerconf-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.18 Ensure that the controller-manager.conf file ownership is set to root (Automated)",id:"1118-ensure-that-the-controller-managerconf-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root (Automated)",id:"1119-ensure-that-the-kubernetes-pki-directory-and-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Manual)",id:"1120-ensure-that-the-kubernetes-pki-certificate-file-permissions-are-set-to-600-or-more-restrictive-manual",level:3},{value:"1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Automated)",id:"1121-ensure-that-the-kubernetes-pki-key-file-permissions-are-set-to-600-automated",level:3},{value:"1.2 API Server",id:"12-api-server",level:2},{value:"1.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)",id:"121-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",level:3},{value:"1.2.2 Ensure that the --token-auth-file parameter is not set (Automated)",id:"122-ensure-that-the---token-auth-file-parameter-is-not-set-automated",level:3},{value:"1.2.3 Ensure that the --DenyServiceExternalIPs is not set (Automated)",id:"123-ensure-that-the---denyserviceexternalips-is-not-set-automated",level:3},{value:"1.2.4 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)",id:"124-ensure-that-the---kubelet-client-certificate-and---kubelet-client-key-arguments-are-set-as-appropriate-automated",level:3},{value:"1.2.5 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)",id:"125-ensure-that-the---kubelet-certificate-authority-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.6 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)",id:"126-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",level:3},{value:"1.2.7 Ensure that the --authorization-mode argument includes Node (Automated)",id:"127-ensure-that-the---authorization-mode-argument-includes-node-automated",level:3},{value:"1.2.8 Ensure that the --authorization-mode argument includes RBAC (Automated)",id:"128-ensure-that-the---authorization-mode-argument-includes-rbac-automated",level:3},{value:"1.2.9 Ensure that the admission control plugin EventRateLimit is set (Manual)",id:"129-ensure-that-the-admission-control-plugin-eventratelimit-is-set-manual",level:3},{value:"1.2.10 Ensure that the admission control plugin AlwaysAdmit is not set (Automated)",id:"1210-ensure-that-the-admission-control-plugin-alwaysadmit-is-not-set-automated",level:3},{value:"1.2.11 Ensure that the admission control plugin AlwaysPullImages is set (Manual)",id:"1211-ensure-that-the-admission-control-plugin-alwayspullimages-is-set-manual",level:3},{value:"1.2.12 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)",id:"1212-ensure-that-the-admission-control-plugin-securitycontextdeny-is-set-if-podsecuritypolicy-is-not-used-manual",level:3},{value:"1.2.13 Ensure that the admission control plugin ServiceAccount is set (Automated)",id:"1213-ensure-that-the-admission-control-plugin-serviceaccount-is-set-automated",level:3},{value:"1.2.14 Ensure that the admission control plugin NamespaceLifecycle is set (Automated)",id:"1214-ensure-that-the-admission-control-plugin-namespacelifecycle-is-set-automated",level:3},{value:"1.2.15 Ensure that the admission control plugin NodeRestriction is set (Automated)",id:"1215-ensure-that-the-admission-control-plugin-noderestriction-is-set-automated",level:3},{value:"1.2.16 Ensure that the --secure-port argument is not set to 0 - NoteThis recommendation is obsolete and will be deleted per the consensus process (Automated)",id:"1216-ensure-that-the---secure-port-argument-is-not-set-to-0---notethis-recommendation-is-obsolete-and-will-be-deleted-per-the-consensus-process-automated",level:3},{value:"1.2.17 Ensure that the --profiling argument is set to false (Automated)",id:"1217-ensure-that-the---profiling-argument-is-set-to-false-automated",level:3},{value:"1.2.18 Ensure that the --audit-log-path argument is set (Manual)",id:"1218-ensure-that-the---audit-log-path-argument-is-set-manual",level:3},{value:"1.2.19 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Manual)",id:"1219-ensure-that-the---audit-log-maxage-argument-is-set-to-30-or-as-appropriate-manual",level:3},{value:"1.2.20 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Manual)",id:"1220-ensure-that-the---audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate-manual",level:3},{value:"1.2.21 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Manual)",id:"1221-ensure-that-the---audit-log-maxsize-argument-is-set-to-100-or-as-appropriate-manual",level:3},{value:"1.2.22 Ensure that the --request-timeout argument is set as appropriate (Manual)",id:"1222-ensure-that-the---request-timeout-argument-is-set-as-appropriate-manual",level:3},{value:"1.2.23 Ensure that the --service-account-lookup argument is set to true (Automated)",id:"1223-ensure-that-the---service-account-lookup-argument-is-set-to-true-automated",level:3},{value:"1.2.24 Ensure that the --service-account-key-file argument is set as appropriate (Automated)",id:"1224-ensure-that-the---service-account-key-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.25 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)",id:"1225-ensure-that-the---etcd-certfile-and---etcd-keyfile-arguments-are-set-as-appropriate-automated",level:3},{value:"1.2.26 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)",id:"1226-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"1.2.27 Ensure that the --client-ca-file argument is set as appropriate (Automated)",id:"1227-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.28 Ensure that the --etcd-cafile argument is set as appropriate (Automated)",id:"1228-ensure-that-the---etcd-cafile-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.29 Ensure that the --encryption-provider-config argument is set as appropriate (Manual)",id:"1229-ensure-that-the---encryption-provider-config-argument-is-set-as-appropriate-manual",level:3},{value:"1.2.30 Ensure that encryption providers are appropriately configured (Manual)",id:"1230-ensure-that-encryption-providers-are-appropriately-configured-manual",level:3},{value:"1.2.31 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Automated)",id:"1231-ensure-that-the-api-server-only-makes-use-of-strong-cryptographic-ciphers-automated",level:3},{value:"1.3 Controller Manager",id:"13-controller-manager",level:2},{value:"1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)",id:"131-ensure-that-the---terminated-pod-gc-threshold-argument-is-set-as-appropriate-manual",level:3},{value:"1.3.2 Ensure that the --profiling argument is set to false (Automated)",id:"132-ensure-that-the---profiling-argument-is-set-to-false-automated",level:3},{value:"1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated)",id:"133-ensure-that-the---use-service-account-credentials-argument-is-set-to-true-automated",level:3},{value:"1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)",id:"134-ensure-that-the---service-account-private-key-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated)",id:"135-ensure-that-the---root-ca-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)",id:"136-ensure-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",level:3},{value:"1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)",id:"137-ensure-that-the---bind-address-argument-is-set-to-127001-automated",level:3},{value:"1.4 Scheduler",id:"14-scheduler",level:2},{value:"1.4.1 Ensure that the --profiling argument is set to false (Automated)",id:"141-ensure-that-the---profiling-argument-is-set-to-false-automated",level:3},{value:"1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)",id:"142-ensure-that-the---bind-address-argument-is-set-to-127001-automated",level:3},{value:"2 Etcd Node Configuration",id:"2-etcd-node-configuration",level:2},{value:"2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)",id:"21-ensure-that-the---cert-file-and---key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"2.2 Ensure that the --client-cert-auth argument is set to true (Automated)",id:"22-ensure-that-the---client-cert-auth-argument-is-set-to-true-automated",level:3},{value:"2.3 Ensure that the --auto-tls argument is not set to true (Automated)",id:"23-ensure-that-the---auto-tls-argument-is-not-set-to-true-automated",level:3},{value:"2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)",id:"24-ensure-that-the---peer-cert-file-and---peer-key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"2.5 Ensure that the --peer-client-cert-auth argument is set to true (Automated)",id:"25-ensure-that-the---peer-client-cert-auth-argument-is-set-to-true-automated",level:3},{value:"2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated)",id:"26-ensure-that-the---peer-auto-tls-argument-is-not-set-to-true-automated",level:3},{value:"2.7 Ensure that a unique Certificate Authority is used for etcd (Automated)",id:"27-ensure-that-a-unique-certificate-authority-is-used-for-etcd-automated",level:3},{value:"4.1 Worker Node Configuration Files",id:"41-worker-node-configuration-files",level:2},{value:"4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive (Automated)",id:"411-ensure-that-the-kubelet-service-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.2 Ensure that the kubelet service file ownership is set to root (Automated)",id:"412-ensure-that-the-kubelet-service-file-ownership-is-set-to-root-automated",level:3},{value:"4.1.3 If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive (Automated)",id:"413-if-proxy-kubeconfig-file-exists-ensure-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.4 If proxy kubeconfig file exists ensure ownership is set to root (Automated)",id:"414-if-proxy-kubeconfig-file-exists-ensure-ownership-is-set-to-root-automated",level:3},{value:"4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive (Automated)",id:"415-ensure-that-the---kubeconfig-kubeletconf-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root (Automated)",id:"416-ensure-that-the---kubeconfig-kubeletconf-file-ownership-is-set-to-root-automated",level:3},{value:"4.1.7 Ensure that the certificate authorities file permissions are set to 600 or more restrictive (Automated)",id:"417-ensure-that-the-certificate-authorities-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.8 Ensure that the client certificate authorities file ownership is set to root (Automated)",id:"418-ensure-that-the-client-certificate-authorities-file-ownership-is-set-to-root-automated",level:3},{value:"4.1.9 Ensure that the kubelet --config configuration file has permissions set to 600 or more restrictive (Automated)",id:"419-ensure-that-the-kubelet---config-configuration-file-has-permissions-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.10 Ensure that the kubelet --config configuration file ownership is set to root (Automated)",id:"4110-ensure-that-the-kubelet---config-configuration-file-ownership-is-set-to-root-automated",level:3},{value:"4.2 Kubelet",id:"42-kubelet",level:2},{value:"4.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)",id:"421-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",level:3},{value:"4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)",id:"422-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",level:3},{value:"4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)",id:"423-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",level:3},{value:"4.2.4 Verify that the --read-only-port argument is set to 0 (Automated)",id:"424-verify-that-the---read-only-port-argument-is-set-to-0-automated",level:3},{value:"4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)",id:"425-ensure-that-the---streaming-connection-idle-timeout-argument-is-not-set-to-0-manual",level:3},{value:"4.2.6 Ensure that the --make-iptables-util-chains argument is set to true (Automated)",id:"426-ensure-that-the---make-iptables-util-chains-argument-is-set-to-true-automated",level:3},{value:"4.2.7 Ensure that the --hostname-override argument is not set (Automated)",id:"427-ensure-that-the---hostname-override-argument-is-not-set-automated",level:3},{value:"4.2.8 Ensure that the eventRecordQPS argument is set to a level which ensures appropriate event capture (Manual)",id:"428-ensure-that-the-eventrecordqps-argument-is-set-to-a-level-which-ensures-appropriate-event-capture-manual",level:3},{value:"4.2.9 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)",id:"429-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"4.2.10 Ensure that the --rotate-certificates argument is not set to false (Automated)",id:"4210-ensure-that-the---rotate-certificates-argument-is-not-set-to-false-automated",level:3},{value:"4.2.11 Verify that the RotateKubeletServerCertificate argument is set to true (Automated)",id:"4211-verify-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",level:3},{value:"4.2.12 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)",id:"4212-ensure-that-the-kubelet-only-makes-use-of-strong-cryptographic-ciphers-manual",level:3},{value:"4.2.13 Ensure that a limit is set on pod PIDs (Manual)",id:"4213-ensure-that-a-limit-is-set-on-pod-pids-manual",level:3},{value:"5.1 RBAC and Service Accounts",id:"51-rbac-and-service-accounts",level:2},{value:"5.1.1 Ensure that the cluster-admin role is only used where required (Manual)",id:"511-ensure-that-the-cluster-admin-role-is-only-used-where-required-manual",level:3},{value:"5.1.2 Minimize access to secrets (Manual)",id:"512-minimize-access-to-secrets-manual",level:3},{value:"5.1.3 Minimize wildcard use in Roles and ClusterRoles (Manual)",id:"513-minimize-wildcard-use-in-roles-and-clusterroles-manual",level:3},{value:"5.1.4 Minimize access to create pods (Manual)",id:"514-minimize-access-to-create-pods-manual",level:3},{value:"5.1.5 Ensure that default service accounts are not actively used. (Manual)",id:"515-ensure-that-default-service-accounts-are-not-actively-used-manual",level:3},{value:"5.1.6 Ensure that Service Account Tokens are only mounted where necessary (Manual)",id:"516-ensure-that-service-account-tokens-are-only-mounted-where-necessary-manual",level:3},{value:"5.1.7 Avoid use of system group (Manual)",id:"517-avoid-use-of-system-group-manual",level:3},{value:"5.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)",id:"518-limit-use-of-the-bind-impersonate-and-escalate-permissions-in-the-kubernetes-cluster-manual",level:3},{value:"5.1.9 Minimize access to create persistent volumes (Manual)",id:"519-minimize-access-to-create-persistent-volumes-manual",level:3},{value:"5.1.10 Minimize access to the proxy sub-resource of nodes (Manual)",id:"5110-minimize-access-to-the-proxy-sub-resource-of-nodes-manual",level:3},{value:"5.1.11 Minimize access to the approval sub-resource of certificatesigningrequests objects (Manual)",id:"5111-minimize-access-to-the-approval-sub-resource-of-certificatesigningrequests-objects-manual",level:3},{value:"5.1.12 Minimize access to webhook configuration objects (Manual)",id:"5112-minimize-access-to-webhook-configuration-objects-manual",level:3},{value:"5.1.13 Minimize access to the service account token creation (Manual)",id:"5113-minimize-access-to-the-service-account-token-creation-manual",level:3},{value:"5.2 Pod Security Standards",id:"52-pod-security-standards",level:2},{value:"5.2.1 Ensure that the cluster has at least one active policy control mechanism in place (Manual)",id:"521-ensure-that-the-cluster-has-at-least-one-active-policy-control-mechanism-in-place-manual",level:3},{value:"5.2.2 Minimize the admission of privileged containers (Manual)",id:"522-minimize-the-admission-of-privileged-containers-manual",level:3},{value:"5.2.3 Minimize the admission of containers wishing to share the host process ID namespace (Automated)",id:"523-minimize-the-admission-of-containers-wishing-to-share-the-host-process-id-namespace-automated",level:3},{value:"5.2.4 Minimize the admission of containers wishing to share the host IPC namespace (Automated)",id:"524-minimize-the-admission-of-containers-wishing-to-share-the-host-ipc-namespace-automated",level:3},{value:"5.2.5 Minimize the admission of containers wishing to share the host network namespace (Automated)",id:"525-minimize-the-admission-of-containers-wishing-to-share-the-host-network-namespace-automated",level:3},{value:"5.2.6 Minimize the admission of containers with allowPrivilegeEscalation (Automated)",id:"526-minimize-the-admission-of-containers-with-allowprivilegeescalation-automated",level:3},{value:"5.2.7 Minimize the admission of root containers (Automated)",id:"527-minimize-the-admission-of-root-containers-automated",level:3},{value:"5.2.8 Minimize the admission of containers with the NET_RAW capability (Automated)",id:"528-minimize-the-admission-of-containers-with-the-net_raw-capability-automated",level:3},{value:"5.2.9 Minimize the admission of containers with added capabilities (Automated)",id:"529-minimize-the-admission-of-containers-with-added-capabilities-automated",level:3},{value:"5.2.10 Minimize the admission of containers with capabilities assigned (Manual)",id:"5210-minimize-the-admission-of-containers-with-capabilities-assigned-manual",level:3},{value:"5.2.11 Minimize the admission of Windows HostProcess containers (Manual)",id:"5211-minimize-the-admission-of-windows-hostprocess-containers-manual",level:3},{value:"5.2.12 Minimize the admission of HostPath volumes (Manual)",id:"5212-minimize-the-admission-of-hostpath-volumes-manual",level:3},{value:"5.2.13 Minimize the admission of containers which use HostPorts (Manual)",id:"5213-minimize-the-admission-of-containers-which-use-hostports-manual",level:3},{value:"5.3 Network Policies and CNI",id:"53-network-policies-and-cni",level:2},{value:"5.3.1 Ensure that the CNI in use supports NetworkPolicies (Manual)",id:"531-ensure-that-the-cni-in-use-supports-networkpolicies-manual",level:3},{value:"5.3.2 Ensure that all Namespaces have NetworkPolicies defined (Manual)",id:"532-ensure-that-all-namespaces-have-networkpolicies-defined-manual",level:3},{value:"5.4 Secrets Management",id:"54-secrets-management",level:2},{value:"5.4.1 Prefer using Secrets as files over Secrets as environment variables (Manual)",id:"541-prefer-using-secrets-as-files-over-secrets-as-environment-variables-manual",level:3},{value:"5.4.2 Consider external secret storage (Manual)",id:"542-consider-external-secret-storage-manual",level:3},{value:"5.5 Extensible Admission Control",id:"55-extensible-admission-control",level:2},{value:"5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)",id:"551-configure-image-provenance-using-imagepolicywebhook-admission-controller-manual",level:3},{value:"5.7 General Policies",id:"57-general-policies",level:2},{value:"5.7.1 Create administrative boundaries between resources using namespaces (Manual)",id:"571-create-administrative-boundaries-between-resources-using-namespaces-manual",level:3},{value:"5.7.2 Ensure that the seccomp profile is set to docker/default in your Pod definitions (Manual)",id:"572-ensure-that-the-seccomp-profile-is-set-to-dockerdefault-in-your-pod-definitions-manual",level:3},{value:"5.7.3 Apply SecurityContext to your Pods and Containers (Manual)",id:"573-apply-securitycontext-to-your-pods-and-containers-manual",level:3},{value:"5.7.4 The default namespace should not be used (Manual)",id:"574-the-default-namespace-should-not-be-used-manual",level:3}];function d(e){const r={a:"a",admonition:"admonition",code:"code",h2:"h2",h3:"h3",li:"li",p:"p",pre:"pre",strong:"strong",ul:"ul",...(0,n.a)(),...e.components},{Details:s}=r;return s||function(e,r){throw new Error("Expected "+(r?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}("Details",!0),(0,t.jsxs)(t.Fragment,{children:[(0,t.jsx)(r.h2,{id:"overview",children:"Overview"}),"\n",(0,t.jsxs)(r.p,{children:["This document is a companion to the ",(0,t.jsx)(r.a,{href:"/security/hardening-guide",children:"K3s security hardening guide"}),". The hardening guide provides prescriptive guidance for hardening a production installation of K3s, and this benchmark guide is meant to help you evaluate the level of security of the hardened cluster against each control in the CIS Kubernetes Benchmark. It is to be used by K3s operators, security teams, auditors, and decision-makers."]}),"\n",(0,t.jsxs)(r.p,{children:["This guide is specific to the ",(0,t.jsx)(r.strong,{children:"v1.25"})," release line of K3s and the ",(0,t.jsx)(r.strong,{children:"v1.7.1"})," release of the CIS Kubernetes Benchmark."]}),"\n",(0,t.jsxs)(r.p,{children:["For more information about each control, including detailed descriptions and remediations for failing tests, you can refer to the corresponding section of the CIS Kubernetes Benchmark v1.7.1. You can download the benchmark, after creating a free account, in ",(0,t.jsx)(r.a,{href:"https://www.cisecurity.org/benchmark/kubernetes/",children:"Center for Internet Security (CIS)"}),"."]}),"\n",(0,t.jsx)(r.h3,{id:"testing-controls-methodology",children:"Testing controls methodology"}),"\n",(0,t.jsx)(r.p,{children:"Each control in the CIS Kubernetes Benchmark was evaluated against a K3s cluster that was configured according to the accompanying hardening guide."}),"\n",(0,t.jsx)(r.p,{children:"Where control audits differ from the original CIS benchmark, the audit commands specific to K3s are provided for testing."}),"\n",(0,t.jsx)(r.p,{children:"These are the possible results for each control:"}),"\n",(0,t.jsxs)(r.ul,{children:["\n",(0,t.jsxs)(r.li,{children:[(0,t.jsx)(r.strong,{children:"Pass"})," - The K3s cluster under test passed the audit outlined in the benchmark."]}),"\n",(0,t.jsxs)(r.li,{children:[(0,t.jsx)(r.strong,{children:"Not Applicable"})," - The control is not applicable to K3s because of how it is designed to operate. The remediation section will explain why this is so."]}),"\n",(0,t.jsxs)(r.li,{children:[(0,t.jsx)(r.strong,{children:"Warn"})," - The control is manual in the CIS benchmark and it depends on the cluster's use case or some other factor that must be determined by the cluster operator. These controls have been evaluated to ensure K3s does not prevent their implementation, but no further configuration or auditing of the cluster under test has been performed."]}),"\n"]}),"\n",(0,t.jsx)(r.p,{children:'This guide makes the assumption that K3s is running as a Systemd unit. Your installation may vary and will require you to adjust the "audit" commands to fit your scenario.'}),"\n",(0,t.jsx)(r.admonition,{type:"note",children:(0,t.jsxs)(r.p,{children:["Only ",(0,t.jsx)(r.code,{children:"scored"})," test, also know as ",(0,t.jsx)(r.code,{children:"automated"})," tests are covered in this guide."]})}),"\n",(0,t.jsx)(r.h2,{id:"11-control-plane-node-configuration-files",children:"1.1 Control Plane Node Configuration Files"}),"\n",(0,t.jsx)(r.h3,{id:"111-ensure-that-the-api-server-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.1 Ensure that the API server pod specification file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds the api server within the k3s process. There is no API server pod specification file."}),"\n",(0,t.jsxs)(r.h3,{id:"112-ensure-that-the-api-server-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.2 Ensure that the API server pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds the api server within the k3s process. There is no API server pod specification file."}),"\n",(0,t.jsx)(r.h3,{id:"113-ensure-that-the-controller-manager-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.3 Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds the controller manager within the k3s process. There is no controller manager pod specification file."}),"\n",(0,t.jsxs)(r.h3,{id:"114-ensure-that-the-controller-manager-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.4 Ensure that the controller manager pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds the controller manager within the k3s process. There is no controller manager pod specification file."}),"\n",(0,t.jsx)(r.h3,{id:"115-ensure-that-the-scheduler-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.5 Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds the scheduler within the k3s process. There is no scheduler pod specification file."}),"\n",(0,t.jsxs)(r.h3,{id:"116-ensure-that-the-scheduler-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.6 Ensure that the scheduler pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds the scheduler within the k3s process. There is no scheduler pod specification file."}),"\n",(0,t.jsx)(r.h3,{id:"117-ensure-that-the-etcd-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.7 Ensure that the etcd pod specification file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds etcd within the k3s process. There is no etcd pod specification file."}),"\n",(0,t.jsxs)(r.h3,{id:"118-ensure-that-the-etcd-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.8 Ensure that the etcd pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds etcd within the k3s process. There is no etcd pod specification file."}),"\n",(0,t.jsx)(r.h3,{id:"119-ensure-that-the-container-network-interface-file-permissions-are-set-to-600-or-more-restrictive-manual",children:"1.1.9 Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nBy default, K3s sets the CNI file permissions to 644.\nNote that for many CNIs, a lock file is created with permissions 750. This is expected and can be ignored.\nIf you modify your CNI configuration, ensure that the permissions are set to 600.\nFor example, ",(0,t.jsx)(r.code,{children:"chmod 600 /var/lib/cni/networks/"})]}),"\n",(0,t.jsxs)(r.h3,{id:"1110-ensure-that-the-container-network-interface-file-ownership-is-set-to-root-automated",children:["1.1.10 Ensure that the Container Network Interface file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"ps -ef | grep containerd | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\\([^ ]*\\).*%\\1%' | xargs -I{} find {} -mindepth 1 | xargs --no-run-if-empty stat -c %U:%G\nfind /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chown root:root "})]})]}),"\n",(0,t.jsx)(r.h3,{id:"1111-ensure-that-the-etcd-data-directory-permissions-are-set-to-700-or-more-restrictive-automated",children:"1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:'if [ "$(journalctl -u k3s | grep -m1 \'Managed etcd cluster\' | wc -l)" -gt 0 ]; then\n stat -c permissions=%a /var/lib/rancher/k3s/server/db/etcd\nelse\n echo "permissions=700"\nfi\n'})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 700, expected 700 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=700\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["On the etcd server node, get the etcd data directory, passed as an argument --data-dir,\nfrom the command 'ps -ef | grep etcd'.\nRun the below command (based on the etcd data directory found above). For example,\n",(0,t.jsx)(r.code,{children:"chmod 700 /var/lib/rancher/k3s/server/db/etcd"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"1112-ensure-that-the-etcd-data-directory-ownership-is-set-to-etcd-automated",children:["1.1.12 Ensure that the etcd data directory ownership is set to etcd",":etcd"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsxs)(r.p,{children:["For K3s, etcd is embedded within the k3s process. There is no separate etcd process.\nTherefore the etcd data directory ownership is managed by the k3s process and should be root",":root","."]}),"\n",(0,t.jsx)(r.h3,{id:"1113-ensure-that-the-adminconf-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.13 Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/admin.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/admin.kubeconfig; fi'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,t.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/server/cred/admin.kubeconfig"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"1114-ensure-that-the-adminconf-file-ownership-is-set-to-root-automated",children:["1.1.14 Ensure that the admin.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/admin.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/server/cred/admin.kubeconfig; fi'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is equal to 'root",":root","'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,t.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/server/cred/admin.kubeconfig"})]})]}),"\n",(0,t.jsx)(r.h3,{id:"1115-ensure-that-the-schedulerconf-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.15 Ensure that the scheduler.conf file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; fi'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"1116-ensure-that-the-schedulerconf-file-ownership-is-set-to-root-automated",children:["1.1.16 Ensure that the scheduler.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; fi'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig"})]})]}),"\n",(0,t.jsx)(r.h3,{id:"1117-ensure-that-the-controller-managerconf-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.17 Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/controller.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/controller.kubeconfig; fi'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/server/cred/controller.kubeconfig"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"1118-ensure-that-the-controller-managerconf-file-ownership-is-set-to-root-automated",children:["1.1.18 Ensure that the controller-manager.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/server/cred/controller.kubeconfig\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is equal to 'root",":root","'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/server/cred/controller.kubeconfig"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"1119-ensure-that-the-kubernetes-pki-directory-and-file-ownership-is-set-to-root-automated",children:["1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/server/tls\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chown -R root:root /var/lib/rancher/k3s/server/tls"})]})]}),"\n",(0,t.jsx)(r.h3,{id:"1120-ensure-that-the-kubernetes-pki-certificate-file-permissions-are-set-to-600-or-more-restrictive-manual",children:"1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the master node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chmod -R 600 /var/lib/rancher/k3s/server/tls/*.crt"})]}),"\n",(0,t.jsx)(r.h3,{id:"1121-ensure-that-the-kubernetes-pki-key-file-permissions-are-set-to-600-automated",children:"1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'stat -c permissions=%a /var/lib/rancher/k3s/server/tls/*.key'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the master node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chmod -R 600 /var/lib/rancher/k3s/server/tls/*.key"})]})]}),"\n",(0,t.jsx)(r.h2,{id:"12-api-server",children:"1.2 API Server"}),"\n",(0,t.jsx)(r.h3,{id:"121-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",children:"1.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'anonymous-auth'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--anonymous-auth' is equal to 'false'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --anonymous-auth argument to false. If it is set to true,\nedit the K3s config file /etc/rancher/k3s/config.yaml and remove anything similar to below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "anonymous-auth=true"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"122-ensure-that-the---token-auth-file-parameter-is-not-set-automated",children:"1.2.2 Ensure that the --token-auth-file parameter is not set (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--token-auth-file' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"Follow the documentation and configure alternate mechanisms for authentication.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove anything similar to below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "token-auth-file="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"123-ensure-that-the---denyserviceexternalips-is-not-set-automated",children:"1.2.3 Ensure that the --DenyServiceExternalIPs is not set (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--enable-admission-plugins' does not have 'DenyServiceExternalIPs' OR '--enable-admission-plugins' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set DenyServiceExternalIPs.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml, remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=DenyServiceExternalIPs"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"124-ensure-that-the---kubelet-client-certificate-and---kubelet-client-key-arguments-are-set-as-appropriate-automated",children:"1.2.4 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'kubelet-certificate-authority'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--kubelet-client-certificate' is present AND '--kubelet-client-key' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically provides the kubelet client certificate and key.\nThey are generated and located at /var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt and /var/lib/rancher/k3s/server/tls/client-kube-apiserver.key\nIf for some reason you need to provide your own certificate and key, you can set the\nbelow parameters in the K3s config file /etc/rancher/k3s/config.yaml."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "kubelet-client-certificate="\n - "kubelet-client-key="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"125-ensure-that-the---kubelet-certificate-authority-argument-is-set-as-appropriate-automated",children:"1.2.5 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'kubelet-certificate-authority'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--kubelet-certificate-authority' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically provides the kubelet CA cert file, at /var/lib/rancher/k3s/server/tls/server-ca.crt.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "kubelet-certificate-authority="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"126-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",children:"1.2.6 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--authorization-mode' does not have 'AlwaysAllow'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set the --authorization-mode to AlwaysAllow.\nIf this check fails, edit K3s config file /etc/rancher/k3s/config.yaml, remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "authorization-mode=AlwaysAllow"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"127-ensure-that-the---authorization-mode-argument-includes-node-automated",children:"1.2.7 Ensure that the --authorization-mode argument includes Node (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--authorization-mode' has 'Node'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --authorization-mode to Node and RBAC.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml,\nensure that you are not overriding authorization-mode."})]}),"\n",(0,t.jsx)(r.h3,{id:"128-ensure-that-the---authorization-mode-argument-includes-rbac-automated",children:"1.2.8 Ensure that the --authorization-mode argument includes RBAC (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--authorization-mode' has 'RBAC'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --authorization-mode to Node and RBAC.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml,\nensure that you are not overriding authorization-mode."})]}),"\n",(0,t.jsx)(r.h3,{id:"129-ensure-that-the-admission-control-plugin-eventratelimit-is-set-manual",children:"1.2.9 Ensure that the admission control plugin EventRateLimit is set (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and set the desired limits in a configuration file.\nThen, edit the K3s config file /etc/rancher/k3s/config.yaml and set the below parameters."]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=...,EventRateLimit,..."\n - "admission-control-config-file="\n'})}),"\n",(0,t.jsx)(r.h3,{id:"1210-ensure-that-the-admission-control-plugin-alwaysadmit-is-not-set-automated",children:"1.2.10 Ensure that the admission control plugin AlwaysAdmit is not set (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--enable-admission-plugins' does not have 'AlwaysAdmit' OR '--enable-admission-plugins' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set the --enable-admission-plugins to AlwaysAdmit.\nIf this check fails, edit K3s config file /etc/rancher/k3s/config.yaml, remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=AlwaysAdmit"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1211-ensure-that-the-admission-control-plugin-alwayspullimages-is-set-manual",children:"1.2.11 Ensure that the admission control plugin AlwaysPullImages is set (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),'\nPermissive, per CIS guidelines,\n"This setting could impact offline or isolated clusters, which have images pre-loaded and\ndo not have access to a registry to pull in-use images. This setting is not appropriate for\nclusters which use this configuration."\nEdit the K3s config file /etc/rancher/k3s/config.yaml and set the below parameter.']}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=...,AlwaysPullImages,..."\n'})}),"\n",(0,t.jsx)(r.h3,{id:"1212-ensure-that-the-admission-control-plugin-securitycontextdeny-is-set-if-podsecuritypolicy-is-not-used-manual",children:"1.2.12 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"Enabling Pod Security Policy is no longer supported on K3s v1.25+ and will cause applications to unexpectedly fail."}),"\n",(0,t.jsx)(r.h3,{id:"1213-ensure-that-the-admission-control-plugin-serviceaccount-is-set-automated",children:"1.2.13 Ensure that the admission control plugin ServiceAccount is set (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--disable-admission-plugins' is present OR '--disable-admission-plugins' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set the --disable-admission-plugins to anything.\nFollow the documentation and create ServiceAccount objects as per your environment.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "disable-admission-plugins=ServiceAccount"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1214-ensure-that-the-admission-control-plugin-namespacelifecycle-is-set-automated",children:"1.2.14 Ensure that the admission control plugin NamespaceLifecycle is set (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--disable-admission-plugins' is present OR '--disable-admission-plugins' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set the --disable-admission-plugins to anything.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "disable-admission-plugins=...,NamespaceLifecycle,..."\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1215-ensure-that-the-admission-control-plugin-noderestriction-is-set-automated",children:"1.2.15 Ensure that the admission control plugin NodeRestriction is set (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--enable-admission-plugins' has 'NodeRestriction'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --enable-admission-plugins to NodeRestriction.\nIf using the K3s config file /etc/rancher/k3s/config.yaml, check that you are not overriding the admission plugins.\nIf you are, include NodeRestriction in the list."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=...,NodeRestriction,..."\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1216-ensure-that-the---secure-port-argument-is-not-set-to-0---notethis-recommendation-is-obsolete-and-will-be-deleted-per-the-consensus-process-automated",children:"1.2.16 Ensure that the --secure-port argument is not set to 0 - NoteThis recommendation is obsolete and will be deleted per the consensus process (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'secure-port'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--secure-port' is greater than 0 OR '--secure-port' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the secure port to 6444.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "secure-port="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1217-ensure-that-the---profiling-argument-is-set-to-false-automated",children:"1.2.17 Ensure that the --profiling argument is set to false (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'profiling'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--profiling' is equal to 'false'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --profiling argument to false.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "profiling=true"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1218-ensure-that-the---audit-log-path-argument-is-set-manual",children:"1.2.18 Ensure that the --audit-log-path argument is set (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--audit-log-path' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml and set the audit-log-path parameter to a suitable path and\nfile where you would like audit logs to be written, for example,"}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1219-ensure-that-the---audit-log-maxage-argument-is-set-to-30-or-as-appropriate-manual",children:"1.2.19 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--audit-log-maxage' is greater or equal to 30"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and\nset the audit-log-maxage parameter to 30 or as an appropriate number of days, for example,"}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "audit-log-maxage=30"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1220-ensure-that-the---audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate-manual",children:"1.2.20 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--audit-log-maxbackup' is greater or equal to 10"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and\nset the audit-log-maxbackup parameter to 10 or to an appropriate value. For example,"}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "audit-log-maxbackup=10"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1221-ensure-that-the---audit-log-maxsize-argument-is-set-to-100-or-as-appropriate-manual",children:"1.2.21 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--audit-log-maxsize' is greater or equal to 100"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and\nset the audit-log-maxsize parameter to an appropriate size in MB. For example,"}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "audit-log-maxsize=100"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1222-ensure-that-the---request-timeout-argument-is-set-as-appropriate-manual",children:"1.2.22 Ensure that the --request-timeout argument is set as appropriate (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),'\nPermissive, per CIS guidelines,\n"it is recommended to set this limit as appropriate and change the default limit of 60 seconds only if needed".\nEdit the K3s config file /etc/rancher/k3s/config.yaml\nand set the below parameter if needed. For example,']}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "request-timeout=300s"\n'})}),"\n",(0,t.jsx)(r.h3,{id:"1223-ensure-that-the---service-account-lookup-argument-is-set-to-true-automated",children:"1.2.23 Ensure that the --service-account-lookup argument is set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--service-account-lookup' is not present OR '--service-account-lookup' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set the --service-account-lookup argument.\nEdit the K3s config file /etc/rancher/k3s/config.yaml and set the service-account-lookup. For example,"}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "service-account-lookup=true"\n'})}),(0,t.jsx)(r.p,{children:"Alternatively, you can delete the service-account-lookup parameter from this file so\nthat the default takes effect."})]}),"\n",(0,t.jsx)(r.h3,{id:"1224-ensure-that-the---service-account-key-file-argument-is-set-as-appropriate-automated",children:"1.2.24 Ensure that the --service-account-key-file argument is set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--service-account-key-file' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"K3s automatically generates and sets the service account key file.\nIt is located at /var/lib/rancher/k3s/server/tls/service.key.\nIf this check fails, edit K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "service-account-key-file="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1225-ensure-that-the---etcd-certfile-and---etcd-keyfile-arguments-are-set-as-appropriate-automated",children:"1.2.25 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"if [ \"$(journalctl -u k3s | grep -m1 'Managed etcd cluster' | wc -l)\" -gt 0 ]; then\n journalctl -D /var/log/journal -u k3s | grep -m1 'Running kube-apiserver' | tail -n1\nelse\n echo \"--etcd-certfile AND --etcd-keyfile\"\nfi\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--etcd-certfile' is present AND '--etcd-keyfile' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"K3s automatically generates and sets the etcd certificate and key files.\nThey are located at /var/lib/rancher/k3s/server/tls/etcd/client.crt and /var/lib/rancher/k3s/server/tls/etcd/client.key.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "etcd-certfile="\n - "etcd-keyfile="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1226-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",children:"1.2.26 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep -A1 'Running kube-apiserver' | tail -n2\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--tls-cert-file' is present AND '--tls-private-key-file' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\nAug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically generates and provides the TLS certificate and private key for the apiserver.\nThey are generated and located at /var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt and /var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "tls-cert-file="\n - "tls-private-key-file="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1227-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",children:"1.2.27 Ensure that the --client-ca-file argument is set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'client-ca-file'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--client-ca-file' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically provides the client certificate authority file.\nIt is generated and located at /var/lib/rancher/k3s/server/tls/client-ca.crt.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "client-ca-file="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1228-ensure-that-the---etcd-cafile-argument-is-set-as-appropriate-automated",children:"1.2.28 Ensure that the --etcd-cafile argument is set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'etcd-cafile'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--etcd-cafile' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically provides the etcd certificate authority file.\nIt is generated and located at /var/lib/rancher/k3s/server/tls/client-ca.crt.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "etcd-cafile="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1229-ensure-that-the---encryption-provider-config-argument-is-set-as-appropriate-manual",children:"1.2.29 Ensure that the --encryption-provider-config argument is set as appropriate (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'encryption-provider-config'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--encryption-provider-config' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"K3s can be configured to use encryption providers to encrypt secrets at rest.\nEdit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and set the below parameter.\nsecrets-encryption: true\nSecrets encryption can then be managed with the k3s secrets-encrypt command line tool.\nIf needed, you can find the generated encryption config at /var/lib/rancher/k3s/server/cred/encryption-config.json."})]}),"\n",(0,t.jsx)(r.h3,{id:"1230-ensure-that-encryption-providers-are-appropriately-configured-manual",children:"1.2.30 Ensure that encryption providers are appropriately configured (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"ENCRYPTION_PROVIDER_CONFIG=$(journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -- --encryption-provider-config | sed 's%.*encryption-provider-config[= ]\\([^ ]*\\).*%\\1%')\nif test -e $ENCRYPTION_PROVIDER_CONFIG; then grep -o 'providers\\\"\\:\\[.*\\]' $ENCRYPTION_PROVIDER_CONFIG | grep -o \"[A-Za-z]*\" | head -2 | tail -1 | sed 's/^/provider=/'; fi\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'provider' contains valid elements from 'aescbc,kms,secretbox'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"provider=aescbc\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"K3s can be configured to use encryption providers to encrypt secrets at rest. K3s will utilize the aescbc provider.\nEdit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and set the below parameter.\nsecrets-encryption: true\nSecrets encryption can then be managed with the k3s secrets-encrypt command line tool.\nIf needed, you can find the generated encryption config at /var/lib/rancher/k3s/server/cred/encryption-config.json"})]}),"\n",(0,t.jsx)(r.h3,{id:"1231-ensure-that-the-api-server-only-makes-use-of-strong-cryptographic-ciphers-automated",children:"1.2.31 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'tls-cipher-suites'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--tls-cipher-suites' contains valid elements from 'TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["By default, the K3s kube-apiserver complies with this test. Changes to these values may cause regression, therefore ensure that all apiserver clients support the new TLS configuration before applying it in production deployments.\nIf a custom TLS configuration is required, consider also creating a custom version of this rule that aligns with your requirements.\nIf this check fails, remove any custom configuration around ",(0,t.jsx)(r.code,{children:"tls-cipher-suites"})," or update the /etc/rancher/k3s/config.yaml file to match the default by adding the following:"]}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"\n'})})]}),"\n",(0,t.jsx)(r.h2,{id:"13-controller-manager",children:"1.3 Controller Manager"}),"\n",(0,t.jsx)(r.h3,{id:"131-ensure-that-the---terminated-pod-gc-threshold-argument-is-set-as-appropriate-manual",children:"1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'terminated-pod-gc-threshold'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--terminated-pod-gc-threshold' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node\nand set the --terminated-pod-gc-threshold to an appropriate threshold,"}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "terminated-pod-gc-threshold=10"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"132-ensure-that-the---profiling-argument-is-set-to-false-automated",children:"1.3.2 Ensure that the --profiling argument is set to false (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'profiling'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--profiling' is equal to 'false'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --profiling argument to false.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "profiling=true"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"133-ensure-that-the---use-service-account-credentials-argument-is-set-to-true-automated",children:"1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'use-service-account-credentials'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--use-service-account-credentials' is not equal to 'false'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --use-service-account-credentials argument to true.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "use-service-account-credentials=false"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"134-ensure-that-the---service-account-private-key-file-argument-is-set-as-appropriate-automated",children:"1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'service-account-private-key-file'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--service-account-private-key-file' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically provides the service account private key file.\nIt is generated and located at /var/lib/rancher/k3s/server/tls/service.current.key.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "service-account-private-key-file="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"135-ensure-that-the---root-ca-file-argument-is-set-as-appropriate-automated",children:"1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'root-ca-file'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--root-ca-file' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically provides the root CA file.\nIt is generated and located at /var/lib/rancher/k3s/server/tls/server-ca.crt.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "root-ca-file="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"136-ensure-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",children:"1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--feature-gates' does not have 'RotateKubeletServerCertificate=false' OR '--feature-gates' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set the RotateKubeletServerCertificate feature gate.\nIf you have enabled this feature gate, you should remove it.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml, remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "feature-gate=RotateKubeletServerCertificate"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"137-ensure-that-the---bind-address-argument-is-set-to-127001-automated",children:"1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/ps -ef | grep containerd | grep -v grep\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--bind-address' is present OR '--bind-address' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root 2372 2354 4 19:01 ? 00:00:05 containerd -c /var/lib/rancher/k3s/agent/etc/containerd/config.toml -a /run/k3s/containerd/containerd.sock --state /run/k3s/containerd --root /var/lib/rancher/k3s/agent/containerd\nroot 3128 1 0 19:01 ? 00:00:00 /var/lib/rancher/k3s/data/0f1a87835be3817408b496b439fddb9ea54cab4298db472792bb1b1cbdc210bc/bin/containerd-shim-runc-v2 -namespace k8s.io -id 878d74b0d77d904ec40cd1db71956f2edeb68ab420227a5a42e6d25f249a140a -address /run/k3s/containerd/containerd.sock\nroot 3239 1 0 19:01 ? 00:00:00 /var/lib/rancher/k3s/data/0f1a87835be3817408b496b439fddb9ea54cab4298db472792bb1b1cbdc210bc/bin/containerd-shim-runc-v2 -namespace k8s.io -id d00cc363af40aee36210e396597e4c02712ae99535be21d204849dc33a22af88 -address /run/k3s/containerd/containerd.sock\nroot 3293 1 0 19:01 ? 00:00:00 /var/lib/rancher/k3s/data/0f1a87835be3817408b496b439fddb9ea54cab4298db472792bb1b1cbdc210bc/bin/containerd-shim-runc-v2 -namespace k8s.io -id 5df076fa9547c555a2231b9a9a7cbb44021eaa1ab68c9b59b13da960697143f6 -address /run/k3s/containerd/containerd.sock\nroot 4557 1 0 19:02 ? 00:00:00 /var/lib/rancher/k3s/data/0f1a87835be3817408b496b439fddb9ea54cab4298db472792bb1b1cbdc210bc/bin/containerd-shim-runc-v2 -namespace k8s.io -id f6483b71bcb7ea23356003921a7d90cf638b8f9e473728f3b28dc67163e0fa2d -address /run/k3s/containerd/containerd.sock\nroot 4644 1 0 19:02 ? 00:00:00 /var/lib/rancher/k3s/data/0f1a87835be3817408b496b439fddb9ea54cab4298db472792bb1b1cbdc210bc/bin/containerd-shim-runc-v2 -namespace k8s.io -id 4d8ceb2620c4e0501a49dc9192fc56d035e76bc79a2c6072fee8619730006233 -address /run/k3s/containerd/containerd.sock\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --bind-address argument to 127.0.0.1\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "bind-address="\n'})})]}),"\n",(0,t.jsx)(r.h2,{id:"14-scheduler",children:"1.4 Scheduler"}),"\n",(0,t.jsx)(r.h3,{id:"141-ensure-that-the---profiling-argument-is-set-to-false-automated",children:"1.4.1 Ensure that the --profiling argument is set to false (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-scheduler' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--profiling' is equal to 'false'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --profiling argument to false.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-scheduler-arg:\n - "profiling=true"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"142-ensure-that-the---bind-address-argument-is-set-to-127001-automated",children:"1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-scheduler' | tail -n1 | grep 'bind-address'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--bind-address' is equal to '127.0.0.1' OR '--bind-address' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --bind-address argument to 127.0.0.1\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-scheduler-arg:\n - "bind-address="\n'})})]}),"\n",(0,t.jsx)(r.h2,{id:"2-etcd-node-configuration",children:"2 Etcd Node Configuration"}),"\n",(0,t.jsx)(r.h3,{id:"21-ensure-that-the---cert-file-and---key-file-arguments-are-set-as-appropriate-automated",children:"2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '.client-transport-security.cert-file' is equal to '/var/lib/rancher/k3s/server/tls/etcd/server-client.crt' AND '.client-transport-security.key-file' is equal to '/var/lib/rancher/k3s/server/tls/etcd/server-client.key'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-4a89bd20=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-http-urls: https://127.0.0.1:2382\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-4a89bd20\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s generates cert and key files for etcd.\nThese are located in /var/lib/rancher/k3s/server/tls/etcd/.\nIf this check fails, ensure that the configuration file /var/lib/rancher/k3s/server/db/etcd/config\nhas not been modified to use custom cert and key files."})]}),"\n",(0,t.jsx)(r.h3,{id:"22-ensure-that-the---client-cert-auth-argument-is-set-to-true-automated",children:"2.2 Ensure that the --client-cert-auth argument is set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '.client-transport-security.client-cert-auth' is equal to 'true'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-4a89bd20=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-http-urls: https://127.0.0.1:2382\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-4a89bd20\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s sets the --client-cert-auth parameter to true.\nIf this check fails, ensure that the configuration file /var/lib/rancher/k3s/server/db/etcd/config\nhas not been modified to disable client certificate authentication."})]}),"\n",(0,t.jsx)(r.h3,{id:"23-ensure-that-the---auto-tls-argument-is-not-set-to-true-automated",children:"2.3 Ensure that the --auto-tls argument is not set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '.client-transport-security.auto-tls' is present OR '.client-transport-security.auto-tls' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-4a89bd20=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-http-urls: https://127.0.0.1:2382\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-4a89bd20\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s does not set the --auto-tls parameter.\nIf this check fails, edit the etcd pod specification file /var/lib/rancher/k3s/server/db/etcd/config on the master\nnode and either remove the --auto-tls parameter or set it to false.\nclient-transport-security:\nauto-tls: false"})]}),"\n",(0,t.jsx)(r.h3,{id:"24-ensure-that-the---peer-cert-file-and---peer-key-file-arguments-are-set-as-appropriate-automated",children:"2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '.peer-transport-security.cert-file' is equal to '/var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt' AND '.peer-transport-security.key-file' is equal to '/var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-4a89bd20=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-http-urls: https://127.0.0.1:2382\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-4a89bd20\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s generates peer cert and key files for etcd.\nThese are located in /var/lib/rancher/k3s/server/tls/etcd/.\nIf this check fails, ensure that the configuration file /var/lib/rancher/k3s/server/db/etcd/config\nhas not been modified to use custom peer cert and key files."})]}),"\n",(0,t.jsx)(r.h3,{id:"25-ensure-that-the---peer-client-cert-auth-argument-is-set-to-true-automated",children:"2.5 Ensure that the --peer-client-cert-auth argument is set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '.peer-transport-security.client-cert-auth' is equal to 'true'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-4a89bd20=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-http-urls: https://127.0.0.1:2382\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-4a89bd20\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s sets the --peer-cert-auth parameter to true.\nIf this check fails, ensure that the configuration file /var/lib/rancher/k3s/server/db/etcd/config\nhas not been modified to disable peer client certificate authentication."})]}),"\n",(0,t.jsx)(r.h3,{id:"26-ensure-that-the---peer-auto-tls-argument-is-not-set-to-true-automated",children:"2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '.peer-transport-security.auto-tls' is present OR '.peer-transport-security.auto-tls' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-4a89bd20=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-http-urls: https://127.0.0.1:2382\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-4a89bd20\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s does not set the --peer-auto-tls parameter.\nIf this check fails, edit the etcd pod specification file /var/lib/rancher/k3s/server/db/etcd/config on the master\nnode and either remove the --peer-auto-tls parameter or set it to false.\npeer-transport-security:\nauto-tls: false"})]}),"\n",(0,t.jsx)(r.h3,{id:"27-ensure-that-a-unique-certificate-authority-is-used-for-etcd-automated",children:"2.7 Ensure that a unique Certificate Authority is used for etcd (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '.peer-transport-security.trusted-ca-file' is equal to '/var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-4a89bd20=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-http-urls: https://127.0.0.1:2382\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-4a89bd20\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s generates a unique certificate authority for etcd.\nThis is located at /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt.\nIf this check fails, ensure that the configuration file /var/lib/rancher/k3s/server/db/etcd/config\nhas not been modified to use a shared certificate authority."})]}),"\n",(0,t.jsx)(r.h2,{id:"41-worker-node-configuration-files",children:"4.1 Worker Node Configuration Files"}),"\n",(0,t.jsx)(r.h3,{id:"411-ensure-that-the-kubelet-service-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"The kubelet is embedded in the k3s process. There is no kubelet service file, all configuration is passed in as arguments at runtime."}),"\n",(0,t.jsxs)(r.h3,{id:"412-ensure-that-the-kubelet-service-file-ownership-is-set-to-root-automated",children:["4.1.2 Ensure that the kubelet service file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"The kubelet is embedded in the k3s process. There is no kubelet service file, all configuration is passed in as arguments at runtime."}),"\n",(0,t.jsx)(r.p,{children:"All configuration is passed in as arguments at container run time."}),"\n",(0,t.jsx)(r.h3,{id:"413-if-proxy-kubeconfig-file-exists-ensure-permissions-are-set-to-600-or-more-restrictive-automated",children:"4.1.3 If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; fi' \n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the each worker node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"414-if-proxy-kubeconfig-file-exists-ensure-ownership-is-set-to-root-automated",children:["4.1.4 If proxy kubeconfig file exists ensure ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; fi' \n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the each worker node.\nFor example, ",(0,t.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig"})]})]}),"\n",(0,t.jsx)(r.h3,{id:"415-ensure-that-the---kubeconfig-kubeletconf-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/agent/kubelet.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/agent/kubelet.kubeconfig; fi' \n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the each worker node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/agent/kubelet.kubeconfig"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"416-ensure-that-the---kubeconfig-kubeletconf-file-ownership-is-set-to-root-automated",children:["4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/agent/kubelet.kubeconfig\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the each worker node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/agent/kubelet.kubeconfig"})]})]}),"\n",(0,t.jsx)(r.h3,{id:"417-ensure-that-the-certificate-authorities-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"4.1.7 Ensure that the certificate authorities file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"stat -c permissions=%a /var/lib/rancher/k3s/agent/client-ca.crt\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the following command to modify the file permissions of the\n--client-ca-file ",(0,t.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/agent/client-ca.crt"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"418-ensure-that-the-client-certificate-authorities-file-ownership-is-set-to-root-automated",children:["4.1.8 Ensure that the client certificate authorities file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/agent/client-ca.crt\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is equal to 'root",":root","'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the following command to modify the ownership of the --client-ca-file.\n",(0,t.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/agent/client-ca.crt"})]})]}),"\n",(0,t.jsx)(r.h3,{id:"419-ensure-that-the-kubelet---config-configuration-file-has-permissions-set-to-600-or-more-restrictive-automated",children:"4.1.9 Ensure that the kubelet --config configuration file has permissions set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"The kubelet is embedded in the k3s process. There is no kubelet config file, all configuration is passed in as arguments at runtime."}),"\n",(0,t.jsxs)(r.h3,{id:"4110-ensure-that-the-kubelet---config-configuration-file-ownership-is-set-to-root-automated",children:["4.1.10 Ensure that the kubelet --config configuration file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"The kubelet is embedded in the k3s process. There is no kubelet config file, all configuration is passed in as arguments at runtime."}),"\n",(0,t.jsx)(r.h2,{id:"42-kubelet",children:"4.2 Kubelet"}),"\n",(0,t.jsx)(r.h3,{id:"421-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",children:"4.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:'/bin/sh -c \'if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "anonymous-auth" | grep -v grep; else echo "--anonymous-auth=false"; fi\' \n'})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--anonymous-auth' is equal to 'false'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --anonymous-auth to false. If you have set this to a different value, you\nshould set it back to false. If using the K3s config file /etc/rancher/k3s/config.yaml, remove any lines similar to below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "anonymous-auth=true"\n'})}),(0,t.jsx)(r.p,{children:'If using the command line, edit the K3s service file and remove the below argument.\n--kubelet-arg="anonymous-auth=true"\nBased on your system, restart the k3s service. For example,\nsystemctl daemon-reload\nsystemctl restart k3s.service'})]}),"\n",(0,t.jsx)(r.h3,{id:"422-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",children:"4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:'/bin/sh -c \'if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "authorization-mode"; else echo "--authorization-mode=Webhook"; fi\' \n'})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--authorization-mode' does not have 'AlwaysAllow'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set the --authorization-mode to AlwaysAllow.\nIf using the K3s config file /etc/rancher/k3s/config.yaml, remove any lines similar to below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "authorization-mode=AlwaysAllow"\n'})}),(0,t.jsx)(r.p,{children:'If using the command line, edit the K3s service file and remove the below argument.\n--kubelet-arg="authorization-mode=AlwaysAllow"\nBased on your system, restart the k3s service. For example,\nsystemctl daemon-reload\nsystemctl restart k3s.service'})]}),"\n",(0,t.jsx)(r.h3,{id:"423-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",children:"4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:'/bin/sh -c \'if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "client-ca-file"; else echo "--client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt"; fi\' \n'})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--client-ca-file' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically provides the client ca certificate for the Kubelet.\nIt is generated and located at /var/lib/rancher/k3s/agent/client-ca.crt"})]}),"\n",(0,t.jsx)(r.h3,{id:"424-verify-that-the---read-only-port-argument-is-set-to-0-automated",children:"4.2.4 Verify that the --read-only-port argument is set to 0 (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--read-only-port' is equal to '0' OR '--read-only-port' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:30 server-0 k3s[2354]: time="2024-08-09T19:01:30Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --read-only-port to 0. If you have set this to a different value, you\nshould set it back to 0. If using the K3s config file /etc/rancher/k3s/config.yaml, remove any lines similar to below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "read-only-port=XXXX"\n'})}),(0,t.jsx)(r.p,{children:'If using the command line, edit the K3s service file and remove the below argument.\n--kubelet-arg="read-only-port=XXXX"\nBased on your system, restart the k3s service. For example,\nsystemctl daemon-reload\nsystemctl restart k3s.service'})]}),"\n",(0,t.jsx)(r.h3,{id:"425-ensure-that-the---streaming-connection-idle-timeout-argument-is-not-set-to-0-manual",children:"4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--streaming-connection-idle-timeout' is not equal to '0' OR '--streaming-connection-idle-timeout' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:30 server-0 k3s[2354]: time="2024-08-09T19:01:30Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If using the K3s config file /etc/rancher/k3s/config.yaml, set the following parameter to an appropriate value."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "streaming-connection-idle-timeout=5m"\n'})}),(0,t.jsx)(r.p,{children:'If using the command line, run K3s with --kubelet-arg="streaming-connection-idle-timeout=5m".\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service'})]}),"\n",(0,t.jsx)(r.h3,{id:"426-ensure-that-the---make-iptables-util-chains-argument-is-set-to-true-automated",children:"4.2.6 Ensure that the --make-iptables-util-chains argument is set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--make-iptables-util-chains' is equal to 'true' OR '--make-iptables-util-chains' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:30 server-0 k3s[2354]: time="2024-08-09T19:01:30Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If using the K3s config file /etc/rancher/k3s/config.yaml, set the following parameter."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "make-iptables-util-chains=true"\n'})}),(0,t.jsx)(r.p,{children:'If using the command line, run K3s with --kubelet-arg="make-iptables-util-chains=true".\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service'})]}),"\n",(0,t.jsx)(r.h3,{id:"427-ensure-that-the---hostname-override-argument-is-not-set-automated",children:"4.2.7 Ensure that the --hostname-override argument is not set (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s does set the --hostname-override argument. Per CIS guidelines, this is to comply\nwith cloud providers that require this flag to ensure that hostname matches node names."}),"\n",(0,t.jsx)(r.h3,{id:"428-ensure-that-the-eventrecordqps-argument-is-set-to-a-level-which-ensures-appropriate-event-capture-manual",children:"4.2.8 Ensure that the eventRecordQPS argument is set to a level which ensures appropriate event capture (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--event-qps' is greater or equal to 0 OR '--event-qps' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:30 server-0 k3s[2354]: time="2024-08-09T19:01:30Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the event-qps to 0. Should you wish to change this,\nIf using the K3s config file /etc/rancher/k3s/config.yaml, set the following parameter to an appropriate value."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "event-qps="\n'})}),(0,t.jsx)(r.p,{children:'If using the command line, run K3s with --kubelet-arg="event-qps=".\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service'})]}),"\n",(0,t.jsx)(r.h3,{id:"429-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",children:"4.2.9 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--tls-cert-file' is present AND '--tls-private-key-file' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:30 server-0 k3s[2354]: time="2024-08-09T19:01:30Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically provides the TLS certificate and private key for the Kubelet.\nThey are generated and located at /var/lib/rancher/k3s/agent/serving-kubelet.crt and /var/lib/rancher/k3s/agent/serving-kubelet.key\nIf for some reason you need to provide your own certificate and key, you can set the\nthe below parameters in the K3s config file /etc/rancher/k3s/config.yaml."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "tls-cert-file="\n - "tls-private-key-file="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"4210-ensure-that-the---rotate-certificates-argument-is-not-set-to-false-automated",children:"4.2.10 Ensure that the --rotate-certificates argument is not set to false (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--rotate-certificates' is present OR '--rotate-certificates' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:30 server-0 k3s[2354]: time="2024-08-09T19:01:30Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["By default, K3s does not set the --rotate-certificates argument. If you have set this flag with a value of ",(0,t.jsx)(r.code,{children:"false"}),", you should either set it to ",(0,t.jsx)(r.code,{children:"true"}),' or completely remove the flag.\nIf using the K3s config file /etc/rancher/k3s/config.yaml, remove any rotate-certificates parameter.\nIf using the command line, remove the K3s flag --kubelet-arg="rotate-certificates".\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service']})]}),"\n",(0,t.jsx)(r.h3,{id:"4211-verify-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",children:"4.2.11 Verify that the RotateKubeletServerCertificate argument is set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'RotateKubeletServerCertificate' is present OR 'RotateKubeletServerCertificate' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:30 server-0 k3s[2354]: time="2024-08-09T19:01:30Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:'By default, K3s does not set the RotateKubeletServerCertificate feature gate.\nIf you have enabled this feature gate, you should remove it.\nIf using the K3s config file /etc/rancher/k3s/config.yaml, remove any feature-gate=RotateKubeletServerCertificate parameter.\nIf using the command line, remove the K3s flag --kubelet-arg="feature-gate=RotateKubeletServerCertificate".\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service'})]}),"\n",(0,t.jsx)(r.h3,{id:"4212-ensure-that-the-kubelet-only-makes-use-of-strong-cryptographic-ciphers-manual",children:"4.2.12 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--tls-cipher-suites' contains valid elements from 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:30 server-0 k3s[2354]: time="2024-08-09T19:01:30Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["If using a K3s config file /etc/rancher/k3s/config.yaml, edit the file to set ",(0,t.jsx)(r.code,{children:"TLSCipherSuites"})," to"]}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"\n'})}),(0,t.jsx)(r.p,{children:'or to a subset of these values.\nIf using the command line, add the K3s flag --kubelet-arg="tls-cipher-suites="\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service'})]}),"\n",(0,t.jsx)(r.h3,{id:"4213-ensure-that-a-limit-is-set-on-pod-pids-manual",children:"4.2.13 Ensure that a limit is set on pod PIDs (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nDecide on an appropriate level for this parameter and set it,\nIf using a K3s config file /etc/rancher/k3s/config.yaml, edit the file to set ",(0,t.jsx)(r.code,{children:"podPidsLimit"})," to"]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "pod-max-pids="\n'})}),"\n",(0,t.jsx)(r.h2,{id:"51-rbac-and-service-accounts",children:"5.1 RBAC and Service Accounts"}),"\n",(0,t.jsx)(r.h3,{id:"511-ensure-that-the-cluster-admin-role-is-only-used-where-required-manual",children:"5.1.1 Ensure that the cluster-admin role is only used where required (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nIdentify all clusterrolebindings to the cluster-admin role. Check if they are used and\nif they need this role or if they could use a role with fewer privileges.\nWhere possible, first bind users to a lower privileged role and then remove the\nclusterrolebinding to the cluster-admin role :\nkubectl delete clusterrolebinding [name]"]}),"\n",(0,t.jsx)(r.h3,{id:"512-minimize-access-to-secrets-manual",children:"5.1.2 Minimize access to secrets (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove get, list and watch access to Secret objects in the cluster."]}),"\n",(0,t.jsx)(r.h3,{id:"513-minimize-wildcard-use-in-roles-and-clusterroles-manual",children:"5.1.3 Minimize wildcard use in Roles and ClusterRoles (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible replace any use of wildcards in clusterroles and roles with specific\nobjects or actions."]}),"\n",(0,t.jsx)(r.h3,{id:"514-minimize-access-to-create-pods-manual",children:"5.1.4 Minimize access to create pods (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove create access to pod objects in the cluster."]}),"\n",(0,t.jsx)(r.h3,{id:"515-ensure-that-default-service-accounts-are-not-actively-used-manual",children:"5.1.5 Ensure that default service accounts are not actively used. (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nCreate explicit service accounts wherever a Kubernetes workload requires specific access\nto the Kubernetes API server.\nModify the configuration of each default service account to include this value\nautomountServiceAccountToken: false"]}),"\n",(0,t.jsx)(r.h3,{id:"516-ensure-that-service-account-tokens-are-only-mounted-where-necessary-manual",children:"5.1.6 Ensure that Service Account Tokens are only mounted where necessary (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nModify the definition of pods and service accounts which do not need to mount service\naccount tokens to disable it."]}),"\n",(0,t.jsxs)(r.h3,{id:"517-avoid-use-of-system-group-manual",children:["5.1.7 Avoid use of system",":masters"," group (Manual)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nRemove the system",":masters"," group from all users in the cluster."]}),"\n",(0,t.jsx)(r.h3,{id:"518-limit-use-of-the-bind-impersonate-and-escalate-permissions-in-the-kubernetes-cluster-manual",children:"5.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove the impersonate, bind and escalate rights from subjects."]}),"\n",(0,t.jsx)(r.h3,{id:"519-minimize-access-to-create-persistent-volumes-manual",children:"5.1.9 Minimize access to create persistent volumes (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove create access to PersistentVolume objects in the cluster."]}),"\n",(0,t.jsx)(r.h3,{id:"5110-minimize-access-to-the-proxy-sub-resource-of-nodes-manual",children:"5.1.10 Minimize access to the proxy sub-resource of nodes (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove access to the proxy sub-resource of node objects."]}),"\n",(0,t.jsx)(r.h3,{id:"5111-minimize-access-to-the-approval-sub-resource-of-certificatesigningrequests-objects-manual",children:"5.1.11 Minimize access to the approval sub-resource of certificatesigningrequests objects (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove access to the approval sub-resource of certificatesigningrequest objects."]}),"\n",(0,t.jsx)(r.h3,{id:"5112-minimize-access-to-webhook-configuration-objects-manual",children:"5.1.12 Minimize access to webhook configuration objects (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove access to the validatingwebhookconfigurations or mutatingwebhookconfigurations objects"]}),"\n",(0,t.jsx)(r.h3,{id:"5113-minimize-access-to-the-service-account-token-creation-manual",children:"5.1.13 Minimize access to the service account token creation (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove access to the token sub-resource of serviceaccount objects."]}),"\n",(0,t.jsx)(r.h2,{id:"52-pod-security-standards",children:"5.2 Pod Security Standards"}),"\n",(0,t.jsx)(r.h3,{id:"521-ensure-that-the-cluster-has-at-least-one-active-policy-control-mechanism-in-place-manual",children:"5.2.1 Ensure that the cluster has at least one active policy control mechanism in place (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nEnsure that either Pod Security Admission or an external policy control system is in place\nfor every namespace which contains user workloads."]}),"\n",(0,t.jsx)(r.h3,{id:"522-minimize-the-admission-of-privileged-containers-manual",children:"5.2.2 Minimize the admission of privileged containers (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of privileged containers."]}),"\n",(0,t.jsx)(r.h3,{id:"523-minimize-the-admission-of-containers-wishing-to-share-the-host-process-id-namespace-automated",children:"5.2.3 Minimize the admission of containers wishing to share the host process ID namespace (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of ",(0,t.jsx)(r.code,{children:"hostPID"})," containers."]}),"\n",(0,t.jsx)(r.h3,{id:"524-minimize-the-admission-of-containers-wishing-to-share-the-host-ipc-namespace-automated",children:"5.2.4 Minimize the admission of containers wishing to share the host IPC namespace (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of ",(0,t.jsx)(r.code,{children:"hostIPC"})," containers."]}),"\n",(0,t.jsx)(r.h3,{id:"525-minimize-the-admission-of-containers-wishing-to-share-the-host-network-namespace-automated",children:"5.2.5 Minimize the admission of containers wishing to share the host network namespace (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of ",(0,t.jsx)(r.code,{children:"hostNetwork"})," containers."]}),"\n",(0,t.jsx)(r.h3,{id:"526-minimize-the-admission-of-containers-with-allowprivilegeescalation-automated",children:"5.2.6 Minimize the admission of containers with allowPrivilegeEscalation (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers with ",(0,t.jsx)(r.code,{children:".spec.allowPrivilegeEscalation"})," set to ",(0,t.jsx)(r.code,{children:"true"}),"."]}),"\n",(0,t.jsx)(r.h3,{id:"527-minimize-the-admission-of-root-containers-automated",children:"5.2.7 Minimize the admission of root containers (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nCreate a policy for each namespace in the cluster, ensuring that either ",(0,t.jsx)(r.code,{children:"MustRunAsNonRoot"}),"\nor ",(0,t.jsx)(r.code,{children:"MustRunAs"})," with the range of UIDs not including 0, is set."]}),"\n",(0,t.jsx)(r.h3,{id:"528-minimize-the-admission-of-containers-with-the-net_raw-capability-automated",children:"5.2.8 Minimize the admission of containers with the NET_RAW capability (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers with the ",(0,t.jsx)(r.code,{children:"NET_RAW"})," capability."]}),"\n",(0,t.jsx)(r.h3,{id:"529-minimize-the-admission-of-containers-with-added-capabilities-automated",children:"5.2.9 Minimize the admission of containers with added capabilities (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nEnsure that ",(0,t.jsx)(r.code,{children:"allowedCapabilities"})," is not present in policies for the cluster unless\nit is set to an empty array."]}),"\n",(0,t.jsx)(r.h3,{id:"5210-minimize-the-admission-of-containers-with-capabilities-assigned-manual",children:"5.2.10 Minimize the admission of containers with capabilities assigned (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nReview the use of capabilities in applications running on your cluster. Where a namespace\ncontains applications which do not require any Linux capabities to operate consider adding\na PSP which forbids the admission of containers which do not drop all capabilities."]}),"\n",(0,t.jsx)(r.h3,{id:"5211-minimize-the-admission-of-windows-hostprocess-containers-manual",children:"5.2.11 Minimize the admission of Windows HostProcess containers (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers that have ",(0,t.jsx)(r.code,{children:".securityContext.windowsOptions.hostProcess"})," set to ",(0,t.jsx)(r.code,{children:"true"}),"."]}),"\n",(0,t.jsx)(r.h3,{id:"5212-minimize-the-admission-of-hostpath-volumes-manual",children:"5.2.12 Minimize the admission of HostPath volumes (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers with ",(0,t.jsx)(r.code,{children:"hostPath"})," volumes."]}),"\n",(0,t.jsx)(r.h3,{id:"5213-minimize-the-admission-of-containers-which-use-hostports-manual",children:"5.2.13 Minimize the admission of containers which use HostPorts (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers which use ",(0,t.jsx)(r.code,{children:"hostPort"})," sections."]}),"\n",(0,t.jsx)(r.h2,{id:"53-network-policies-and-cni",children:"5.3 Network Policies and CNI"}),"\n",(0,t.jsx)(r.h3,{id:"531-ensure-that-the-cni-in-use-supports-networkpolicies-manual",children:"5.3.1 Ensure that the CNI in use supports NetworkPolicies (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nIf the CNI plugin in use does not support network policies, consideration should be given to\nmaking use of a different plugin, or finding an alternate mechanism for restricting traffic\nin the Kubernetes cluster."]}),"\n",(0,t.jsx)(r.h3,{id:"532-ensure-that-all-namespaces-have-networkpolicies-defined-manual",children:"5.3.2 Ensure that all Namespaces have NetworkPolicies defined (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the documentation and create NetworkPolicy objects as you need them."]}),"\n",(0,t.jsx)(r.h2,{id:"54-secrets-management",children:"5.4 Secrets Management"}),"\n",(0,t.jsx)(r.h3,{id:"541-prefer-using-secrets-as-files-over-secrets-as-environment-variables-manual",children:"5.4.1 Prefer using Secrets as files over Secrets as environment variables (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nIf possible, rewrite application code to read Secrets from mounted secret files, rather than\nfrom environment variables."]}),"\n",(0,t.jsx)(r.h3,{id:"542-consider-external-secret-storage-manual",children:"5.4.2 Consider external secret storage (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nRefer to the Secrets management options offered by your cloud provider or a third-party\nsecrets management solution."]}),"\n",(0,t.jsx)(r.h2,{id:"55-extensible-admission-control",children:"5.5 Extensible Admission Control"}),"\n",(0,t.jsx)(r.h3,{id:"551-configure-image-provenance-using-imagepolicywebhook-admission-controller-manual",children:"5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and setup image provenance."]}),"\n",(0,t.jsx)(r.h2,{id:"57-general-policies",children:"5.7 General Policies"}),"\n",(0,t.jsx)(r.h3,{id:"571-create-administrative-boundaries-between-resources-using-namespaces-manual",children:"5.7.1 Create administrative boundaries between resources using namespaces (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the documentation and create namespaces for objects in your deployment as you need\nthem."]}),"\n",(0,t.jsx)(r.h3,{id:"572-ensure-that-the-seccomp-profile-is-set-to-dockerdefault-in-your-pod-definitions-manual",children:"5.7.2 Ensure that the seccomp profile is set to docker/default in your Pod definitions (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nUse ",(0,t.jsx)(r.code,{children:"securityContext"})," to enable the docker/default seccomp profile in your pod definitions.\nAn example is as below:\nsecurityContext:\nseccompProfile:\ntype: RuntimeDefault"]}),"\n",(0,t.jsx)(r.h3,{id:"573-apply-securitycontext-to-your-pods-and-containers-manual",children:"5.7.3 Apply SecurityContext to your Pods and Containers (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and apply SecurityContexts to your Pods. For a\nsuggested list of SecurityContexts, you may refer to the CIS Security Benchmark for Docker\nContainers."]}),"\n",(0,t.jsx)(r.h3,{id:"574-the-default-namespace-should-not-be-used-manual",children:"5.7.4 The default namespace should not be used (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nEnsure that namespaces are created to allow for appropriate segregation of Kubernetes\nresources and that all new resources are created in a specific namespace."]})]})}function u(e={}){const{wrapper:r}={...(0,n.a)(),...e.components};return r?(0,t.jsx)(r,{...e,children:(0,t.jsx)(d,{...e})}):d(e)}},1151:(e,r,s)=>{s.d(r,{Z:()=>l,a:()=>a});var t=s(7294);const n={},i=t.createContext(n);function a(e){const r=t.useContext(i);return t.useMemo((function(){return"function"==typeof e?e(r):{...r,...e}}),[r,e])}function l(e){let r;return r=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:a(e.components),t.createElement(i.Provider,{value:r},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/5ea4afd8.966a946e.js b/assets/js/5ea4afd8.966a946e.js new file mode 100644 index 000000000..6778a1068 --- /dev/null +++ b/assets/js/5ea4afd8.966a946e.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[9075],{7902:(e,r,s)=>{s.r(r),s.d(r,{assets:()=>c,contentTitle:()=>a,default:()=>u,frontMatter:()=>i,metadata:()=>l,toc:()=>o});var t=s(5893),n=s(1151);const i={title:"CIS 1.7 Self Assessment Guide"},a=void 0,l={id:"security/self-assessment-1.7",title:"CIS 1.7 Self Assessment Guide",description:"Overview",source:"@site/docs/security/self-assessment-1.7.md",sourceDirName:"security",slug:"/security/self-assessment-1.7",permalink:"/security/self-assessment-1.7",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/security/self-assessment-1.7.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"CIS 1.7 Self Assessment Guide"},sidebar:"mySidebar",previous:{title:"CIS 1.8 Self Assessment Guide",permalink:"/security/self-assessment-1.8"},next:{title:"CIS 1.24 Self Assessment Guide",permalink:"/security/self-assessment-1.24"}},c={},o=[{value:"Overview",id:"overview",level:2},{value:"Testing controls methodology",id:"testing-controls-methodology",level:3},{value:"1.1 Control Plane Node Configuration Files",id:"11-control-plane-node-configuration-files",level:2},{value:"1.1.1 Ensure that the API server pod specification file permissions are set to 600 or more restrictive (Automated)",id:"111-ensure-that-the-api-server-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.2 Ensure that the API server pod specification file ownership is set to root (Automated)",id:"112-ensure-that-the-api-server-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.3 Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive (Automated)",id:"113-ensure-that-the-controller-manager-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.4 Ensure that the controller manager pod specification file ownership is set to root (Automated)",id:"114-ensure-that-the-controller-manager-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.5 Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive (Automated)",id:"115-ensure-that-the-scheduler-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.6 Ensure that the scheduler pod specification file ownership is set to root (Automated)",id:"116-ensure-that-the-scheduler-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.7 Ensure that the etcd pod specification file permissions are set to 600 or more restrictive (Automated)",id:"117-ensure-that-the-etcd-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.8 Ensure that the etcd pod specification file ownership is set to root (Automated)",id:"118-ensure-that-the-etcd-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.9 Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Manual)",id:"119-ensure-that-the-container-network-interface-file-permissions-are-set-to-600-or-more-restrictive-manual",level:3},{value:"1.1.10 Ensure that the Container Network Interface file ownership is set to root (Automated)",id:"1110-ensure-that-the-container-network-interface-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)",id:"1111-ensure-that-the-etcd-data-directory-permissions-are-set-to-700-or-more-restrictive-automated",level:3},{value:"1.1.12 Ensure that the etcd data directory ownership is set to etcd (Automated)",id:"1112-ensure-that-the-etcd-data-directory-ownership-is-set-to-etcd-automated",level:3},{value:"1.1.13 Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)",id:"1113-ensure-that-the-adminconf-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.14 Ensure that the admin.conf file ownership is set to root (Automated)",id:"1114-ensure-that-the-adminconf-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.15 Ensure that the scheduler.conf file permissions are set to 600 or more restrictive (Automated)",id:"1115-ensure-that-the-schedulerconf-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.16 Ensure that the scheduler.conf file ownership is set to root (Automated)",id:"1116-ensure-that-the-schedulerconf-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.17 Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive (Automated)",id:"1117-ensure-that-the-controller-managerconf-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.18 Ensure that the controller-manager.conf file ownership is set to root (Automated)",id:"1118-ensure-that-the-controller-managerconf-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root (Automated)",id:"1119-ensure-that-the-kubernetes-pki-directory-and-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Manual)",id:"1120-ensure-that-the-kubernetes-pki-certificate-file-permissions-are-set-to-600-or-more-restrictive-manual",level:3},{value:"1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Automated)",id:"1121-ensure-that-the-kubernetes-pki-key-file-permissions-are-set-to-600-automated",level:3},{value:"1.2 API Server",id:"12-api-server",level:2},{value:"1.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)",id:"121-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",level:3},{value:"1.2.2 Ensure that the --token-auth-file parameter is not set (Automated)",id:"122-ensure-that-the---token-auth-file-parameter-is-not-set-automated",level:3},{value:"1.2.3 Ensure that the --DenyServiceExternalIPs is not set (Automated)",id:"123-ensure-that-the---denyserviceexternalips-is-not-set-automated",level:3},{value:"1.2.4 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)",id:"124-ensure-that-the---kubelet-client-certificate-and---kubelet-client-key-arguments-are-set-as-appropriate-automated",level:3},{value:"1.2.5 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)",id:"125-ensure-that-the---kubelet-certificate-authority-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.6 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)",id:"126-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",level:3},{value:"1.2.7 Ensure that the --authorization-mode argument includes Node (Automated)",id:"127-ensure-that-the---authorization-mode-argument-includes-node-automated",level:3},{value:"1.2.8 Ensure that the --authorization-mode argument includes RBAC (Automated)",id:"128-ensure-that-the---authorization-mode-argument-includes-rbac-automated",level:3},{value:"1.2.9 Ensure that the admission control plugin EventRateLimit is set (Manual)",id:"129-ensure-that-the-admission-control-plugin-eventratelimit-is-set-manual",level:3},{value:"1.2.10 Ensure that the admission control plugin AlwaysAdmit is not set (Automated)",id:"1210-ensure-that-the-admission-control-plugin-alwaysadmit-is-not-set-automated",level:3},{value:"1.2.11 Ensure that the admission control plugin AlwaysPullImages is set (Manual)",id:"1211-ensure-that-the-admission-control-plugin-alwayspullimages-is-set-manual",level:3},{value:"1.2.12 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)",id:"1212-ensure-that-the-admission-control-plugin-securitycontextdeny-is-set-if-podsecuritypolicy-is-not-used-manual",level:3},{value:"1.2.13 Ensure that the admission control plugin ServiceAccount is set (Automated)",id:"1213-ensure-that-the-admission-control-plugin-serviceaccount-is-set-automated",level:3},{value:"1.2.14 Ensure that the admission control plugin NamespaceLifecycle is set (Automated)",id:"1214-ensure-that-the-admission-control-plugin-namespacelifecycle-is-set-automated",level:3},{value:"1.2.15 Ensure that the admission control plugin NodeRestriction is set (Automated)",id:"1215-ensure-that-the-admission-control-plugin-noderestriction-is-set-automated",level:3},{value:"1.2.16 Ensure that the --secure-port argument is not set to 0 - NoteThis recommendation is obsolete and will be deleted per the consensus process (Automated)",id:"1216-ensure-that-the---secure-port-argument-is-not-set-to-0---notethis-recommendation-is-obsolete-and-will-be-deleted-per-the-consensus-process-automated",level:3},{value:"1.2.17 Ensure that the --profiling argument is set to false (Automated)",id:"1217-ensure-that-the---profiling-argument-is-set-to-false-automated",level:3},{value:"1.2.18 Ensure that the --audit-log-path argument is set (Manual)",id:"1218-ensure-that-the---audit-log-path-argument-is-set-manual",level:3},{value:"1.2.19 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Manual)",id:"1219-ensure-that-the---audit-log-maxage-argument-is-set-to-30-or-as-appropriate-manual",level:3},{value:"1.2.20 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Manual)",id:"1220-ensure-that-the---audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate-manual",level:3},{value:"1.2.21 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Manual)",id:"1221-ensure-that-the---audit-log-maxsize-argument-is-set-to-100-or-as-appropriate-manual",level:3},{value:"1.2.22 Ensure that the --request-timeout argument is set as appropriate (Manual)",id:"1222-ensure-that-the---request-timeout-argument-is-set-as-appropriate-manual",level:3},{value:"1.2.23 Ensure that the --service-account-lookup argument is set to true (Automated)",id:"1223-ensure-that-the---service-account-lookup-argument-is-set-to-true-automated",level:3},{value:"1.2.24 Ensure that the --service-account-key-file argument is set as appropriate (Automated)",id:"1224-ensure-that-the---service-account-key-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.25 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)",id:"1225-ensure-that-the---etcd-certfile-and---etcd-keyfile-arguments-are-set-as-appropriate-automated",level:3},{value:"1.2.26 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)",id:"1226-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"1.2.27 Ensure that the --client-ca-file argument is set as appropriate (Automated)",id:"1227-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.28 Ensure that the --etcd-cafile argument is set as appropriate (Automated)",id:"1228-ensure-that-the---etcd-cafile-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.29 Ensure that the --encryption-provider-config argument is set as appropriate (Manual)",id:"1229-ensure-that-the---encryption-provider-config-argument-is-set-as-appropriate-manual",level:3},{value:"1.2.30 Ensure that encryption providers are appropriately configured (Manual)",id:"1230-ensure-that-encryption-providers-are-appropriately-configured-manual",level:3},{value:"1.2.31 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Automated)",id:"1231-ensure-that-the-api-server-only-makes-use-of-strong-cryptographic-ciphers-automated",level:3},{value:"1.3 Controller Manager",id:"13-controller-manager",level:2},{value:"1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)",id:"131-ensure-that-the---terminated-pod-gc-threshold-argument-is-set-as-appropriate-manual",level:3},{value:"1.3.2 Ensure that the --profiling argument is set to false (Automated)",id:"132-ensure-that-the---profiling-argument-is-set-to-false-automated",level:3},{value:"1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated)",id:"133-ensure-that-the---use-service-account-credentials-argument-is-set-to-true-automated",level:3},{value:"1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)",id:"134-ensure-that-the---service-account-private-key-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated)",id:"135-ensure-that-the---root-ca-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)",id:"136-ensure-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",level:3},{value:"1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)",id:"137-ensure-that-the---bind-address-argument-is-set-to-127001-automated",level:3},{value:"1.4 Scheduler",id:"14-scheduler",level:2},{value:"1.4.1 Ensure that the --profiling argument is set to false (Automated)",id:"141-ensure-that-the---profiling-argument-is-set-to-false-automated",level:3},{value:"1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)",id:"142-ensure-that-the---bind-address-argument-is-set-to-127001-automated",level:3},{value:"2 Etcd Node Configuration",id:"2-etcd-node-configuration",level:2},{value:"2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)",id:"21-ensure-that-the---cert-file-and---key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"2.2 Ensure that the --client-cert-auth argument is set to true (Automated)",id:"22-ensure-that-the---client-cert-auth-argument-is-set-to-true-automated",level:3},{value:"2.3 Ensure that the --auto-tls argument is not set to true (Automated)",id:"23-ensure-that-the---auto-tls-argument-is-not-set-to-true-automated",level:3},{value:"2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)",id:"24-ensure-that-the---peer-cert-file-and---peer-key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"2.5 Ensure that the --peer-client-cert-auth argument is set to true (Automated)",id:"25-ensure-that-the---peer-client-cert-auth-argument-is-set-to-true-automated",level:3},{value:"2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated)",id:"26-ensure-that-the---peer-auto-tls-argument-is-not-set-to-true-automated",level:3},{value:"2.7 Ensure that a unique Certificate Authority is used for etcd (Automated)",id:"27-ensure-that-a-unique-certificate-authority-is-used-for-etcd-automated",level:3},{value:"4.1 Worker Node Configuration Files",id:"41-worker-node-configuration-files",level:2},{value:"4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive (Automated)",id:"411-ensure-that-the-kubelet-service-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.2 Ensure that the kubelet service file ownership is set to root (Automated)",id:"412-ensure-that-the-kubelet-service-file-ownership-is-set-to-root-automated",level:3},{value:"4.1.3 If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive (Automated)",id:"413-if-proxy-kubeconfig-file-exists-ensure-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.4 If proxy kubeconfig file exists ensure ownership is set to root (Automated)",id:"414-if-proxy-kubeconfig-file-exists-ensure-ownership-is-set-to-root-automated",level:3},{value:"4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive (Automated)",id:"415-ensure-that-the---kubeconfig-kubeletconf-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root (Automated)",id:"416-ensure-that-the---kubeconfig-kubeletconf-file-ownership-is-set-to-root-automated",level:3},{value:"4.1.7 Ensure that the certificate authorities file permissions are set to 600 or more restrictive (Automated)",id:"417-ensure-that-the-certificate-authorities-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.8 Ensure that the client certificate authorities file ownership is set to root (Automated)",id:"418-ensure-that-the-client-certificate-authorities-file-ownership-is-set-to-root-automated",level:3},{value:"4.1.9 Ensure that the kubelet --config configuration file has permissions set to 600 or more restrictive (Automated)",id:"419-ensure-that-the-kubelet---config-configuration-file-has-permissions-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.10 Ensure that the kubelet --config configuration file ownership is set to root (Automated)",id:"4110-ensure-that-the-kubelet---config-configuration-file-ownership-is-set-to-root-automated",level:3},{value:"4.2 Kubelet",id:"42-kubelet",level:2},{value:"4.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)",id:"421-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",level:3},{value:"4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)",id:"422-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",level:3},{value:"4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)",id:"423-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",level:3},{value:"4.2.4 Verify that the --read-only-port argument is set to 0 (Automated)",id:"424-verify-that-the---read-only-port-argument-is-set-to-0-automated",level:3},{value:"4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)",id:"425-ensure-that-the---streaming-connection-idle-timeout-argument-is-not-set-to-0-manual",level:3},{value:"4.2.6 Ensure that the --make-iptables-util-chains argument is set to true (Automated)",id:"426-ensure-that-the---make-iptables-util-chains-argument-is-set-to-true-automated",level:3},{value:"4.2.7 Ensure that the --hostname-override argument is not set (Automated)",id:"427-ensure-that-the---hostname-override-argument-is-not-set-automated",level:3},{value:"4.2.8 Ensure that the eventRecordQPS argument is set to a level which ensures appropriate event capture (Manual)",id:"428-ensure-that-the-eventrecordqps-argument-is-set-to-a-level-which-ensures-appropriate-event-capture-manual",level:3},{value:"4.2.9 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)",id:"429-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"4.2.10 Ensure that the --rotate-certificates argument is not set to false (Automated)",id:"4210-ensure-that-the---rotate-certificates-argument-is-not-set-to-false-automated",level:3},{value:"4.2.11 Verify that the RotateKubeletServerCertificate argument is set to true (Automated)",id:"4211-verify-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",level:3},{value:"4.2.12 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)",id:"4212-ensure-that-the-kubelet-only-makes-use-of-strong-cryptographic-ciphers-manual",level:3},{value:"4.2.13 Ensure that a limit is set on pod PIDs (Manual)",id:"4213-ensure-that-a-limit-is-set-on-pod-pids-manual",level:3},{value:"5.1 RBAC and Service Accounts",id:"51-rbac-and-service-accounts",level:2},{value:"5.1.1 Ensure that the cluster-admin role is only used where required (Manual)",id:"511-ensure-that-the-cluster-admin-role-is-only-used-where-required-manual",level:3},{value:"5.1.2 Minimize access to secrets (Manual)",id:"512-minimize-access-to-secrets-manual",level:3},{value:"5.1.3 Minimize wildcard use in Roles and ClusterRoles (Manual)",id:"513-minimize-wildcard-use-in-roles-and-clusterroles-manual",level:3},{value:"5.1.4 Minimize access to create pods (Manual)",id:"514-minimize-access-to-create-pods-manual",level:3},{value:"5.1.5 Ensure that default service accounts are not actively used. (Manual)",id:"515-ensure-that-default-service-accounts-are-not-actively-used-manual",level:3},{value:"5.1.6 Ensure that Service Account Tokens are only mounted where necessary (Manual)",id:"516-ensure-that-service-account-tokens-are-only-mounted-where-necessary-manual",level:3},{value:"5.1.7 Avoid use of system group (Manual)",id:"517-avoid-use-of-system-group-manual",level:3},{value:"5.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)",id:"518-limit-use-of-the-bind-impersonate-and-escalate-permissions-in-the-kubernetes-cluster-manual",level:3},{value:"5.1.9 Minimize access to create persistent volumes (Manual)",id:"519-minimize-access-to-create-persistent-volumes-manual",level:3},{value:"5.1.10 Minimize access to the proxy sub-resource of nodes (Manual)",id:"5110-minimize-access-to-the-proxy-sub-resource-of-nodes-manual",level:3},{value:"5.1.11 Minimize access to the approval sub-resource of certificatesigningrequests objects (Manual)",id:"5111-minimize-access-to-the-approval-sub-resource-of-certificatesigningrequests-objects-manual",level:3},{value:"5.1.12 Minimize access to webhook configuration objects (Manual)",id:"5112-minimize-access-to-webhook-configuration-objects-manual",level:3},{value:"5.1.13 Minimize access to the service account token creation (Manual)",id:"5113-minimize-access-to-the-service-account-token-creation-manual",level:3},{value:"5.2 Pod Security Standards",id:"52-pod-security-standards",level:2},{value:"5.2.1 Ensure that the cluster has at least one active policy control mechanism in place (Manual)",id:"521-ensure-that-the-cluster-has-at-least-one-active-policy-control-mechanism-in-place-manual",level:3},{value:"5.2.2 Minimize the admission of privileged containers (Manual)",id:"522-minimize-the-admission-of-privileged-containers-manual",level:3},{value:"5.2.3 Minimize the admission of containers wishing to share the host process ID namespace (Automated)",id:"523-minimize-the-admission-of-containers-wishing-to-share-the-host-process-id-namespace-automated",level:3},{value:"5.2.4 Minimize the admission of containers wishing to share the host IPC namespace (Automated)",id:"524-minimize-the-admission-of-containers-wishing-to-share-the-host-ipc-namespace-automated",level:3},{value:"5.2.5 Minimize the admission of containers wishing to share the host network namespace (Automated)",id:"525-minimize-the-admission-of-containers-wishing-to-share-the-host-network-namespace-automated",level:3},{value:"5.2.6 Minimize the admission of containers with allowPrivilegeEscalation (Automated)",id:"526-minimize-the-admission-of-containers-with-allowprivilegeescalation-automated",level:3},{value:"5.2.7 Minimize the admission of root containers (Automated)",id:"527-minimize-the-admission-of-root-containers-automated",level:3},{value:"5.2.8 Minimize the admission of containers with the NET_RAW capability (Automated)",id:"528-minimize-the-admission-of-containers-with-the-net_raw-capability-automated",level:3},{value:"5.2.9 Minimize the admission of containers with added capabilities (Automated)",id:"529-minimize-the-admission-of-containers-with-added-capabilities-automated",level:3},{value:"5.2.10 Minimize the admission of containers with capabilities assigned (Manual)",id:"5210-minimize-the-admission-of-containers-with-capabilities-assigned-manual",level:3},{value:"5.2.11 Minimize the admission of Windows HostProcess containers (Manual)",id:"5211-minimize-the-admission-of-windows-hostprocess-containers-manual",level:3},{value:"5.2.12 Minimize the admission of HostPath volumes (Manual)",id:"5212-minimize-the-admission-of-hostpath-volumes-manual",level:3},{value:"5.2.13 Minimize the admission of containers which use HostPorts (Manual)",id:"5213-minimize-the-admission-of-containers-which-use-hostports-manual",level:3},{value:"5.3 Network Policies and CNI",id:"53-network-policies-and-cni",level:2},{value:"5.3.1 Ensure that the CNI in use supports NetworkPolicies (Manual)",id:"531-ensure-that-the-cni-in-use-supports-networkpolicies-manual",level:3},{value:"5.3.2 Ensure that all Namespaces have NetworkPolicies defined (Manual)",id:"532-ensure-that-all-namespaces-have-networkpolicies-defined-manual",level:3},{value:"5.4 Secrets Management",id:"54-secrets-management",level:2},{value:"5.4.1 Prefer using Secrets as files over Secrets as environment variables (Manual)",id:"541-prefer-using-secrets-as-files-over-secrets-as-environment-variables-manual",level:3},{value:"5.4.2 Consider external secret storage (Manual)",id:"542-consider-external-secret-storage-manual",level:3},{value:"5.5 Extensible Admission Control",id:"55-extensible-admission-control",level:2},{value:"5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)",id:"551-configure-image-provenance-using-imagepolicywebhook-admission-controller-manual",level:3},{value:"5.7 General Policies",id:"57-general-policies",level:2},{value:"5.7.1 Create administrative boundaries between resources using namespaces (Manual)",id:"571-create-administrative-boundaries-between-resources-using-namespaces-manual",level:3},{value:"5.7.2 Ensure that the seccomp profile is set to docker/default in your Pod definitions (Manual)",id:"572-ensure-that-the-seccomp-profile-is-set-to-dockerdefault-in-your-pod-definitions-manual",level:3},{value:"5.7.3 Apply SecurityContext to your Pods and Containers (Manual)",id:"573-apply-securitycontext-to-your-pods-and-containers-manual",level:3},{value:"5.7.4 The default namespace should not be used (Manual)",id:"574-the-default-namespace-should-not-be-used-manual",level:3}];function d(e){const r={a:"a",admonition:"admonition",code:"code",h2:"h2",h3:"h3",li:"li",p:"p",pre:"pre",strong:"strong",ul:"ul",...(0,n.a)(),...e.components},{Details:s}=r;return s||function(e,r){throw new Error("Expected "+(r?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}("Details",!0),(0,t.jsxs)(t.Fragment,{children:[(0,t.jsx)(r.h2,{id:"overview",children:"Overview"}),"\n",(0,t.jsxs)(r.p,{children:["This document is a companion to the ",(0,t.jsx)(r.a,{href:"/security/hardening-guide",children:"K3s security hardening guide"}),". The hardening guide provides prescriptive guidance for hardening a production installation of K3s, and this benchmark guide is meant to help you evaluate the level of security of the hardened cluster against each control in the CIS Kubernetes Benchmark. It is to be used by K3s operators, security teams, auditors, and decision-makers."]}),"\n",(0,t.jsxs)(r.p,{children:["This guide is specific to the ",(0,t.jsx)(r.strong,{children:"v1.25"})," release line of K3s and the ",(0,t.jsx)(r.strong,{children:"v1.7.1"})," release of the CIS Kubernetes Benchmark."]}),"\n",(0,t.jsxs)(r.p,{children:["For more information about each control, including detailed descriptions and remediations for failing tests, you can refer to the corresponding section of the CIS Kubernetes Benchmark v1.7.1. You can download the benchmark, after creating a free account, in ",(0,t.jsx)(r.a,{href:"https://www.cisecurity.org/benchmark/kubernetes/",children:"Center for Internet Security (CIS)"}),"."]}),"\n",(0,t.jsx)(r.h3,{id:"testing-controls-methodology",children:"Testing controls methodology"}),"\n",(0,t.jsx)(r.p,{children:"Each control in the CIS Kubernetes Benchmark was evaluated against a K3s cluster that was configured according to the accompanying hardening guide."}),"\n",(0,t.jsx)(r.p,{children:"Where control audits differ from the original CIS benchmark, the audit commands specific to K3s are provided for testing."}),"\n",(0,t.jsx)(r.p,{children:"These are the possible results for each control:"}),"\n",(0,t.jsxs)(r.ul,{children:["\n",(0,t.jsxs)(r.li,{children:[(0,t.jsx)(r.strong,{children:"Pass"})," - The K3s cluster under test passed the audit outlined in the benchmark."]}),"\n",(0,t.jsxs)(r.li,{children:[(0,t.jsx)(r.strong,{children:"Not Applicable"})," - The control is not applicable to K3s because of how it is designed to operate. The remediation section will explain why this is so."]}),"\n",(0,t.jsxs)(r.li,{children:[(0,t.jsx)(r.strong,{children:"Warn"})," - The control is manual in the CIS benchmark and it depends on the cluster's use case or some other factor that must be determined by the cluster operator. These controls have been evaluated to ensure K3s does not prevent their implementation, but no further configuration or auditing of the cluster under test has been performed."]}),"\n"]}),"\n",(0,t.jsx)(r.p,{children:'This guide makes the assumption that K3s is running as a Systemd unit. Your installation may vary and will require you to adjust the "audit" commands to fit your scenario.'}),"\n",(0,t.jsx)(r.admonition,{type:"note",children:(0,t.jsxs)(r.p,{children:["Only ",(0,t.jsx)(r.code,{children:"scored"})," test, also know as ",(0,t.jsx)(r.code,{children:"automated"})," tests are covered in this guide."]})}),"\n",(0,t.jsx)(r.h2,{id:"11-control-plane-node-configuration-files",children:"1.1 Control Plane Node Configuration Files"}),"\n",(0,t.jsx)(r.h3,{id:"111-ensure-that-the-api-server-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.1 Ensure that the API server pod specification file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds the api server within the k3s process. There is no API server pod specification file."}),"\n",(0,t.jsxs)(r.h3,{id:"112-ensure-that-the-api-server-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.2 Ensure that the API server pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds the api server within the k3s process. There is no API server pod specification file."}),"\n",(0,t.jsx)(r.h3,{id:"113-ensure-that-the-controller-manager-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.3 Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds the controller manager within the k3s process. There is no controller manager pod specification file."}),"\n",(0,t.jsxs)(r.h3,{id:"114-ensure-that-the-controller-manager-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.4 Ensure that the controller manager pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds the controller manager within the k3s process. There is no controller manager pod specification file."}),"\n",(0,t.jsx)(r.h3,{id:"115-ensure-that-the-scheduler-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.5 Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds the scheduler within the k3s process. There is no scheduler pod specification file."}),"\n",(0,t.jsxs)(r.h3,{id:"116-ensure-that-the-scheduler-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.6 Ensure that the scheduler pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds the scheduler within the k3s process. There is no scheduler pod specification file."}),"\n",(0,t.jsx)(r.h3,{id:"117-ensure-that-the-etcd-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.7 Ensure that the etcd pod specification file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds etcd within the k3s process. There is no etcd pod specification file."}),"\n",(0,t.jsxs)(r.h3,{id:"118-ensure-that-the-etcd-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.8 Ensure that the etcd pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds etcd within the k3s process. There is no etcd pod specification file."}),"\n",(0,t.jsx)(r.h3,{id:"119-ensure-that-the-container-network-interface-file-permissions-are-set-to-600-or-more-restrictive-manual",children:"1.1.9 Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nBy default, K3s sets the CNI file permissions to 644.\nNote that for many CNIs, a lock file is created with permissions 750. This is expected and can be ignored.\nIf you modify your CNI configuration, ensure that the permissions are set to 600.\nFor example, ",(0,t.jsx)(r.code,{children:"chmod 600 /var/lib/cni/networks/"})]}),"\n",(0,t.jsxs)(r.h3,{id:"1110-ensure-that-the-container-network-interface-file-ownership-is-set-to-root-automated",children:["1.1.10 Ensure that the Container Network Interface file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"ps -ef | grep containerd | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\\([^ ]*\\).*%\\1%' | xargs -I{} find {} -mindepth 1 | xargs --no-run-if-empty stat -c %U:%G\nfind /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chown root:root "})]})]}),"\n",(0,t.jsx)(r.h3,{id:"1111-ensure-that-the-etcd-data-directory-permissions-are-set-to-700-or-more-restrictive-automated",children:"1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:'if [ "$(journalctl -u k3s | grep -m1 \'Managed etcd cluster\' | wc -l)" -gt 0 ]; then\n stat -c permissions=%a /var/lib/rancher/k3s/server/db/etcd\nelse\n echo "permissions=700"\nfi\n'})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 700, expected 700 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=700\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["On the etcd server node, get the etcd data directory, passed as an argument --data-dir,\nfrom the command 'ps -ef | grep etcd'.\nRun the below command (based on the etcd data directory found above). For example,\n",(0,t.jsx)(r.code,{children:"chmod 700 /var/lib/rancher/k3s/server/db/etcd"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"1112-ensure-that-the-etcd-data-directory-ownership-is-set-to-etcd-automated",children:["1.1.12 Ensure that the etcd data directory ownership is set to etcd",":etcd"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsxs)(r.p,{children:["For K3s, etcd is embedded within the k3s process. There is no separate etcd process.\nTherefore the etcd data directory ownership is managed by the k3s process and should be root",":root","."]}),"\n",(0,t.jsx)(r.h3,{id:"1113-ensure-that-the-adminconf-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.13 Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/admin.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/admin.kubeconfig; fi'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,t.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/server/cred/admin.kubeconfig"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"1114-ensure-that-the-adminconf-file-ownership-is-set-to-root-automated",children:["1.1.14 Ensure that the admin.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/admin.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/server/cred/admin.kubeconfig; fi'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is equal to 'root",":root","'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,t.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/server/cred/admin.kubeconfig"})]})]}),"\n",(0,t.jsx)(r.h3,{id:"1115-ensure-that-the-schedulerconf-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.15 Ensure that the scheduler.conf file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; fi'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"1116-ensure-that-the-schedulerconf-file-ownership-is-set-to-root-automated",children:["1.1.16 Ensure that the scheduler.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; fi'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig"})]})]}),"\n",(0,t.jsx)(r.h3,{id:"1117-ensure-that-the-controller-managerconf-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.17 Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/controller.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/controller.kubeconfig; fi'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/server/cred/controller.kubeconfig"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"1118-ensure-that-the-controller-managerconf-file-ownership-is-set-to-root-automated",children:["1.1.18 Ensure that the controller-manager.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/server/cred/controller.kubeconfig\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is equal to 'root",":root","'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/server/cred/controller.kubeconfig"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"1119-ensure-that-the-kubernetes-pki-directory-and-file-ownership-is-set-to-root-automated",children:["1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/server/tls\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chown -R root:root /var/lib/rancher/k3s/server/tls"})]})]}),"\n",(0,t.jsx)(r.h3,{id:"1120-ensure-that-the-kubernetes-pki-certificate-file-permissions-are-set-to-600-or-more-restrictive-manual",children:"1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the master node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chmod -R 600 /var/lib/rancher/k3s/server/tls/*.crt"})]}),"\n",(0,t.jsx)(r.h3,{id:"1121-ensure-that-the-kubernetes-pki-key-file-permissions-are-set-to-600-automated",children:"1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'stat -c permissions=%a /var/lib/rancher/k3s/server/tls/*.key'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the master node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chmod -R 600 /var/lib/rancher/k3s/server/tls/*.key"})]})]}),"\n",(0,t.jsx)(r.h2,{id:"12-api-server",children:"1.2 API Server"}),"\n",(0,t.jsx)(r.h3,{id:"121-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",children:"1.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'anonymous-auth'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--anonymous-auth' is equal to 'false'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --anonymous-auth argument to false. If it is set to true,\nedit the K3s config file /etc/rancher/k3s/config.yaml and remove anything similar to below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "anonymous-auth=true"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"122-ensure-that-the---token-auth-file-parameter-is-not-set-automated",children:"1.2.2 Ensure that the --token-auth-file parameter is not set (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--token-auth-file' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"Follow the documentation and configure alternate mechanisms for authentication.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove anything similar to below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "token-auth-file="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"123-ensure-that-the---denyserviceexternalips-is-not-set-automated",children:"1.2.3 Ensure that the --DenyServiceExternalIPs is not set (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--enable-admission-plugins' does not have 'DenyServiceExternalIPs' OR '--enable-admission-plugins' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set DenyServiceExternalIPs.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml, remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=DenyServiceExternalIPs"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"124-ensure-that-the---kubelet-client-certificate-and---kubelet-client-key-arguments-are-set-as-appropriate-automated",children:"1.2.4 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'kubelet-certificate-authority'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--kubelet-client-certificate' is present AND '--kubelet-client-key' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically provides the kubelet client certificate and key.\nThey are generated and located at /var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt and /var/lib/rancher/k3s/server/tls/client-kube-apiserver.key\nIf for some reason you need to provide your own certificate and key, you can set the\nbelow parameters in the K3s config file /etc/rancher/k3s/config.yaml."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "kubelet-client-certificate="\n - "kubelet-client-key="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"125-ensure-that-the---kubelet-certificate-authority-argument-is-set-as-appropriate-automated",children:"1.2.5 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'kubelet-certificate-authority'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--kubelet-certificate-authority' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically provides the kubelet CA cert file, at /var/lib/rancher/k3s/server/tls/server-ca.crt.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "kubelet-certificate-authority="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"126-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",children:"1.2.6 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--authorization-mode' does not have 'AlwaysAllow'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set the --authorization-mode to AlwaysAllow.\nIf this check fails, edit K3s config file /etc/rancher/k3s/config.yaml, remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "authorization-mode=AlwaysAllow"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"127-ensure-that-the---authorization-mode-argument-includes-node-automated",children:"1.2.7 Ensure that the --authorization-mode argument includes Node (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--authorization-mode' has 'Node'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --authorization-mode to Node and RBAC.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml,\nensure that you are not overriding authorization-mode."})]}),"\n",(0,t.jsx)(r.h3,{id:"128-ensure-that-the---authorization-mode-argument-includes-rbac-automated",children:"1.2.8 Ensure that the --authorization-mode argument includes RBAC (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--authorization-mode' has 'RBAC'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --authorization-mode to Node and RBAC.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml,\nensure that you are not overriding authorization-mode."})]}),"\n",(0,t.jsx)(r.h3,{id:"129-ensure-that-the-admission-control-plugin-eventratelimit-is-set-manual",children:"1.2.9 Ensure that the admission control plugin EventRateLimit is set (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and set the desired limits in a configuration file.\nThen, edit the K3s config file /etc/rancher/k3s/config.yaml and set the below parameters."]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=...,EventRateLimit,..."\n - "admission-control-config-file="\n'})}),"\n",(0,t.jsx)(r.h3,{id:"1210-ensure-that-the-admission-control-plugin-alwaysadmit-is-not-set-automated",children:"1.2.10 Ensure that the admission control plugin AlwaysAdmit is not set (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--enable-admission-plugins' does not have 'AlwaysAdmit' OR '--enable-admission-plugins' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set the --enable-admission-plugins to AlwaysAdmit.\nIf this check fails, edit K3s config file /etc/rancher/k3s/config.yaml, remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=AlwaysAdmit"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1211-ensure-that-the-admission-control-plugin-alwayspullimages-is-set-manual",children:"1.2.11 Ensure that the admission control plugin AlwaysPullImages is set (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),'\nPermissive, per CIS guidelines,\n"This setting could impact offline or isolated clusters, which have images pre-loaded and\ndo not have access to a registry to pull in-use images. This setting is not appropriate for\nclusters which use this configuration."\nEdit the K3s config file /etc/rancher/k3s/config.yaml and set the below parameter.']}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=...,AlwaysPullImages,..."\n'})}),"\n",(0,t.jsx)(r.h3,{id:"1212-ensure-that-the-admission-control-plugin-securitycontextdeny-is-set-if-podsecuritypolicy-is-not-used-manual",children:"1.2.12 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"Enabling Pod Security Policy is no longer supported on K3s v1.25+ and will cause applications to unexpectedly fail."}),"\n",(0,t.jsx)(r.h3,{id:"1213-ensure-that-the-admission-control-plugin-serviceaccount-is-set-automated",children:"1.2.13 Ensure that the admission control plugin ServiceAccount is set (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--disable-admission-plugins' is present OR '--disable-admission-plugins' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set the --disable-admission-plugins to anything.\nFollow the documentation and create ServiceAccount objects as per your environment.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "disable-admission-plugins=ServiceAccount"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1214-ensure-that-the-admission-control-plugin-namespacelifecycle-is-set-automated",children:"1.2.14 Ensure that the admission control plugin NamespaceLifecycle is set (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--disable-admission-plugins' is present OR '--disable-admission-plugins' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set the --disable-admission-plugins to anything.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "disable-admission-plugins=...,NamespaceLifecycle,..."\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1215-ensure-that-the-admission-control-plugin-noderestriction-is-set-automated",children:"1.2.15 Ensure that the admission control plugin NodeRestriction is set (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--enable-admission-plugins' has 'NodeRestriction'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --enable-admission-plugins to NodeRestriction.\nIf using the K3s config file /etc/rancher/k3s/config.yaml, check that you are not overriding the admission plugins.\nIf you are, include NodeRestriction in the list."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=...,NodeRestriction,..."\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1216-ensure-that-the---secure-port-argument-is-not-set-to-0---notethis-recommendation-is-obsolete-and-will-be-deleted-per-the-consensus-process-automated",children:"1.2.16 Ensure that the --secure-port argument is not set to 0 - NoteThis recommendation is obsolete and will be deleted per the consensus process (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'secure-port'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--secure-port' is greater than 0 OR '--secure-port' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the secure port to 6444.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "secure-port="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1217-ensure-that-the---profiling-argument-is-set-to-false-automated",children:"1.2.17 Ensure that the --profiling argument is set to false (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'profiling'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--profiling' is equal to 'false'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --profiling argument to false.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "profiling=true"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1218-ensure-that-the---audit-log-path-argument-is-set-manual",children:"1.2.18 Ensure that the --audit-log-path argument is set (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--audit-log-path' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml and set the audit-log-path parameter to a suitable path and\nfile where you would like audit logs to be written, for example,"}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1219-ensure-that-the---audit-log-maxage-argument-is-set-to-30-or-as-appropriate-manual",children:"1.2.19 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--audit-log-maxage' is greater or equal to 30"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and\nset the audit-log-maxage parameter to 30 or as an appropriate number of days, for example,"}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "audit-log-maxage=30"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1220-ensure-that-the---audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate-manual",children:"1.2.20 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--audit-log-maxbackup' is greater or equal to 10"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and\nset the audit-log-maxbackup parameter to 10 or to an appropriate value. For example,"}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "audit-log-maxbackup=10"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1221-ensure-that-the---audit-log-maxsize-argument-is-set-to-100-or-as-appropriate-manual",children:"1.2.21 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--audit-log-maxsize' is greater or equal to 100"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and\nset the audit-log-maxsize parameter to an appropriate size in MB. For example,"}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "audit-log-maxsize=100"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1222-ensure-that-the---request-timeout-argument-is-set-as-appropriate-manual",children:"1.2.22 Ensure that the --request-timeout argument is set as appropriate (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),'\nPermissive, per CIS guidelines,\n"it is recommended to set this limit as appropriate and change the default limit of 60 seconds only if needed".\nEdit the K3s config file /etc/rancher/k3s/config.yaml\nand set the below parameter if needed. For example,']}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "request-timeout=300s"\n'})}),"\n",(0,t.jsx)(r.h3,{id:"1223-ensure-that-the---service-account-lookup-argument-is-set-to-true-automated",children:"1.2.23 Ensure that the --service-account-lookup argument is set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--service-account-lookup' is not present OR '--service-account-lookup' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set the --service-account-lookup argument.\nEdit the K3s config file /etc/rancher/k3s/config.yaml and set the service-account-lookup. For example,"}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "service-account-lookup=true"\n'})}),(0,t.jsx)(r.p,{children:"Alternatively, you can delete the service-account-lookup parameter from this file so\nthat the default takes effect."})]}),"\n",(0,t.jsx)(r.h3,{id:"1224-ensure-that-the---service-account-key-file-argument-is-set-as-appropriate-automated",children:"1.2.24 Ensure that the --service-account-key-file argument is set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--service-account-key-file' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"K3s automatically generates and sets the service account key file.\nIt is located at /var/lib/rancher/k3s/server/tls/service.key.\nIf this check fails, edit K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "service-account-key-file="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1225-ensure-that-the---etcd-certfile-and---etcd-keyfile-arguments-are-set-as-appropriate-automated",children:"1.2.25 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"if [ \"$(journalctl -u k3s | grep -m1 'Managed etcd cluster' | wc -l)\" -gt 0 ]; then\n journalctl -D /var/log/journal -u k3s | grep -m1 'Running kube-apiserver' | tail -n1\nelse\n echo \"--etcd-certfile AND --etcd-keyfile\"\nfi\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--etcd-certfile' is present AND '--etcd-keyfile' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"K3s automatically generates and sets the etcd certificate and key files.\nThey are located at /var/lib/rancher/k3s/server/tls/etcd/client.crt and /var/lib/rancher/k3s/server/tls/etcd/client.key.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "etcd-certfile="\n - "etcd-keyfile="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1226-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",children:"1.2.26 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep -A1 'Running kube-apiserver' | tail -n2\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--tls-cert-file' is present AND '--tls-private-key-file' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\nAug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically generates and provides the TLS certificate and private key for the apiserver.\nThey are generated and located at /var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt and /var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "tls-cert-file="\n - "tls-private-key-file="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1227-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",children:"1.2.27 Ensure that the --client-ca-file argument is set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'client-ca-file'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--client-ca-file' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically provides the client certificate authority file.\nIt is generated and located at /var/lib/rancher/k3s/server/tls/client-ca.crt.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "client-ca-file="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1228-ensure-that-the---etcd-cafile-argument-is-set-as-appropriate-automated",children:"1.2.28 Ensure that the --etcd-cafile argument is set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'etcd-cafile'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--etcd-cafile' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically provides the etcd certificate authority file.\nIt is generated and located at /var/lib/rancher/k3s/server/tls/client-ca.crt.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "etcd-cafile="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1229-ensure-that-the---encryption-provider-config-argument-is-set-as-appropriate-manual",children:"1.2.29 Ensure that the --encryption-provider-config argument is set as appropriate (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'encryption-provider-config'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--encryption-provider-config' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"K3s can be configured to use encryption providers to encrypt secrets at rest.\nEdit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and set the below parameter.\nsecrets-encryption: true\nSecrets encryption can then be managed with the k3s secrets-encrypt command line tool.\nIf needed, you can find the generated encryption config at /var/lib/rancher/k3s/server/cred/encryption-config.json."})]}),"\n",(0,t.jsx)(r.h3,{id:"1230-ensure-that-encryption-providers-are-appropriately-configured-manual",children:"1.2.30 Ensure that encryption providers are appropriately configured (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"ENCRYPTION_PROVIDER_CONFIG=$(journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -- --encryption-provider-config | sed 's%.*encryption-provider-config[= ]\\([^ ]*\\).*%\\1%')\nif test -e $ENCRYPTION_PROVIDER_CONFIG; then grep -o 'providers\\\"\\:\\[.*\\]' $ENCRYPTION_PROVIDER_CONFIG | grep -o \"[A-Za-z]*\" | head -2 | tail -1 | sed 's/^/provider=/'; fi\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'provider' contains valid elements from 'aescbc,kms,secretbox'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"provider=aescbc\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"K3s can be configured to use encryption providers to encrypt secrets at rest. K3s will utilize the aescbc provider.\nEdit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and set the below parameter.\nsecrets-encryption: true\nSecrets encryption can then be managed with the k3s secrets-encrypt command line tool.\nIf needed, you can find the generated encryption config at /var/lib/rancher/k3s/server/cred/encryption-config.json"})]}),"\n",(0,t.jsx)(r.h3,{id:"1231-ensure-that-the-api-server-only-makes-use-of-strong-cryptographic-ciphers-automated",children:"1.2.31 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'tls-cipher-suites'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--tls-cipher-suites' contains valid elements from 'TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["By default, the K3s kube-apiserver complies with this test. Changes to these values may cause regression, therefore ensure that all apiserver clients support the new TLS configuration before applying it in production deployments.\nIf a custom TLS configuration is required, consider also creating a custom version of this rule that aligns with your requirements.\nIf this check fails, remove any custom configuration around ",(0,t.jsx)(r.code,{children:"tls-cipher-suites"})," or update the /etc/rancher/k3s/config.yaml file to match the default by adding the following:"]}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"\n'})})]}),"\n",(0,t.jsx)(r.h2,{id:"13-controller-manager",children:"1.3 Controller Manager"}),"\n",(0,t.jsx)(r.h3,{id:"131-ensure-that-the---terminated-pod-gc-threshold-argument-is-set-as-appropriate-manual",children:"1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'terminated-pod-gc-threshold'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--terminated-pod-gc-threshold' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node\nand set the --terminated-pod-gc-threshold to an appropriate threshold,"}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "terminated-pod-gc-threshold=10"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"132-ensure-that-the---profiling-argument-is-set-to-false-automated",children:"1.3.2 Ensure that the --profiling argument is set to false (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'profiling'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--profiling' is equal to 'false'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --profiling argument to false.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "profiling=true"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"133-ensure-that-the---use-service-account-credentials-argument-is-set-to-true-automated",children:"1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'use-service-account-credentials'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--use-service-account-credentials' is not equal to 'false'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --use-service-account-credentials argument to true.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "use-service-account-credentials=false"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"134-ensure-that-the---service-account-private-key-file-argument-is-set-as-appropriate-automated",children:"1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'service-account-private-key-file'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--service-account-private-key-file' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically provides the service account private key file.\nIt is generated and located at /var/lib/rancher/k3s/server/tls/service.current.key.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "service-account-private-key-file="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"135-ensure-that-the---root-ca-file-argument-is-set-as-appropriate-automated",children:"1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'root-ca-file'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--root-ca-file' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically provides the root CA file.\nIt is generated and located at /var/lib/rancher/k3s/server/tls/server-ca.crt.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "root-ca-file="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"136-ensure-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",children:"1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--feature-gates' does not have 'RotateKubeletServerCertificate=false' OR '--feature-gates' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set the RotateKubeletServerCertificate feature gate.\nIf you have enabled this feature gate, you should remove it.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml, remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "feature-gate=RotateKubeletServerCertificate"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"137-ensure-that-the---bind-address-argument-is-set-to-127001-automated",children:"1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/ps -ef | grep containerd | grep -v grep\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--bind-address' is present OR '--bind-address' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root 2372 2354 4 19:01 ? 00:00:05 containerd -c /var/lib/rancher/k3s/agent/etc/containerd/config.toml -a /run/k3s/containerd/containerd.sock --state /run/k3s/containerd --root /var/lib/rancher/k3s/agent/containerd\nroot 3128 1 0 19:01 ? 00:00:00 /var/lib/rancher/k3s/data/0f1a87835be3817408b496b439fddb9ea54cab4298db472792bb1b1cbdc210bc/bin/containerd-shim-runc-v2 -namespace k8s.io -id 878d74b0d77d904ec40cd1db71956f2edeb68ab420227a5a42e6d25f249a140a -address /run/k3s/containerd/containerd.sock\nroot 3239 1 0 19:01 ? 00:00:00 /var/lib/rancher/k3s/data/0f1a87835be3817408b496b439fddb9ea54cab4298db472792bb1b1cbdc210bc/bin/containerd-shim-runc-v2 -namespace k8s.io -id d00cc363af40aee36210e396597e4c02712ae99535be21d204849dc33a22af88 -address /run/k3s/containerd/containerd.sock\nroot 3293 1 0 19:01 ? 00:00:00 /var/lib/rancher/k3s/data/0f1a87835be3817408b496b439fddb9ea54cab4298db472792bb1b1cbdc210bc/bin/containerd-shim-runc-v2 -namespace k8s.io -id 5df076fa9547c555a2231b9a9a7cbb44021eaa1ab68c9b59b13da960697143f6 -address /run/k3s/containerd/containerd.sock\nroot 4557 1 0 19:02 ? 00:00:00 /var/lib/rancher/k3s/data/0f1a87835be3817408b496b439fddb9ea54cab4298db472792bb1b1cbdc210bc/bin/containerd-shim-runc-v2 -namespace k8s.io -id f6483b71bcb7ea23356003921a7d90cf638b8f9e473728f3b28dc67163e0fa2d -address /run/k3s/containerd/containerd.sock\nroot 4644 1 0 19:02 ? 00:00:00 /var/lib/rancher/k3s/data/0f1a87835be3817408b496b439fddb9ea54cab4298db472792bb1b1cbdc210bc/bin/containerd-shim-runc-v2 -namespace k8s.io -id 4d8ceb2620c4e0501a49dc9192fc56d035e76bc79a2c6072fee8619730006233 -address /run/k3s/containerd/containerd.sock\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --bind-address argument to 127.0.0.1\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "bind-address="\n'})})]}),"\n",(0,t.jsx)(r.h2,{id:"14-scheduler",children:"1.4 Scheduler"}),"\n",(0,t.jsx)(r.h3,{id:"141-ensure-that-the---profiling-argument-is-set-to-false-automated",children:"1.4.1 Ensure that the --profiling argument is set to false (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-scheduler' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--profiling' is equal to 'false'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --profiling argument to false.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-scheduler-arg:\n - "profiling=true"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"142-ensure-that-the---bind-address-argument-is-set-to-127001-automated",children:"1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-scheduler' | tail -n1 | grep 'bind-address'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--bind-address' is equal to '127.0.0.1' OR '--bind-address' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --bind-address argument to 127.0.0.1\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-scheduler-arg:\n - "bind-address="\n'})})]}),"\n",(0,t.jsx)(r.h2,{id:"2-etcd-node-configuration",children:"2 Etcd Node Configuration"}),"\n",(0,t.jsx)(r.h3,{id:"21-ensure-that-the---cert-file-and---key-file-arguments-are-set-as-appropriate-automated",children:"2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '.client-transport-security.cert-file' is equal to '/var/lib/rancher/k3s/server/tls/etcd/server-client.crt' AND '.client-transport-security.key-file' is equal to '/var/lib/rancher/k3s/server/tls/etcd/server-client.key'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-4a89bd20=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-http-urls: https://127.0.0.1:2382\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-4a89bd20\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s generates cert and key files for etcd.\nThese are located in /var/lib/rancher/k3s/server/tls/etcd/.\nIf this check fails, ensure that the configuration file /var/lib/rancher/k3s/server/db/etcd/config\nhas not been modified to use custom cert and key files."})]}),"\n",(0,t.jsx)(r.h3,{id:"22-ensure-that-the---client-cert-auth-argument-is-set-to-true-automated",children:"2.2 Ensure that the --client-cert-auth argument is set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '.client-transport-security.client-cert-auth' is equal to 'true'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-4a89bd20=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-http-urls: https://127.0.0.1:2382\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-4a89bd20\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s sets the --client-cert-auth parameter to true.\nIf this check fails, ensure that the configuration file /var/lib/rancher/k3s/server/db/etcd/config\nhas not been modified to disable client certificate authentication."})]}),"\n",(0,t.jsx)(r.h3,{id:"23-ensure-that-the---auto-tls-argument-is-not-set-to-true-automated",children:"2.3 Ensure that the --auto-tls argument is not set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '.client-transport-security.auto-tls' is present OR '.client-transport-security.auto-tls' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-4a89bd20=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-http-urls: https://127.0.0.1:2382\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-4a89bd20\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s does not set the --auto-tls parameter.\nIf this check fails, edit the etcd pod specification file /var/lib/rancher/k3s/server/db/etcd/config on the master\nnode and either remove the --auto-tls parameter or set it to false.\nclient-transport-security:\nauto-tls: false"})]}),"\n",(0,t.jsx)(r.h3,{id:"24-ensure-that-the---peer-cert-file-and---peer-key-file-arguments-are-set-as-appropriate-automated",children:"2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '.peer-transport-security.cert-file' is equal to '/var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt' AND '.peer-transport-security.key-file' is equal to '/var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-4a89bd20=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-http-urls: https://127.0.0.1:2382\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-4a89bd20\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s generates peer cert and key files for etcd.\nThese are located in /var/lib/rancher/k3s/server/tls/etcd/.\nIf this check fails, ensure that the configuration file /var/lib/rancher/k3s/server/db/etcd/config\nhas not been modified to use custom peer cert and key files."})]}),"\n",(0,t.jsx)(r.h3,{id:"25-ensure-that-the---peer-client-cert-auth-argument-is-set-to-true-automated",children:"2.5 Ensure that the --peer-client-cert-auth argument is set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '.peer-transport-security.client-cert-auth' is equal to 'true'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-4a89bd20=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-http-urls: https://127.0.0.1:2382\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-4a89bd20\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s sets the --peer-cert-auth parameter to true.\nIf this check fails, ensure that the configuration file /var/lib/rancher/k3s/server/db/etcd/config\nhas not been modified to disable peer client certificate authentication."})]}),"\n",(0,t.jsx)(r.h3,{id:"26-ensure-that-the---peer-auto-tls-argument-is-not-set-to-true-automated",children:"2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '.peer-transport-security.auto-tls' is present OR '.peer-transport-security.auto-tls' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-4a89bd20=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-http-urls: https://127.0.0.1:2382\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-4a89bd20\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s does not set the --peer-auto-tls parameter.\nIf this check fails, edit the etcd pod specification file /var/lib/rancher/k3s/server/db/etcd/config on the master\nnode and either remove the --peer-auto-tls parameter or set it to false.\npeer-transport-security:\nauto-tls: false"})]}),"\n",(0,t.jsx)(r.h3,{id:"27-ensure-that-a-unique-certificate-authority-is-used-for-etcd-automated",children:"2.7 Ensure that a unique Certificate Authority is used for etcd (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '.peer-transport-security.trusted-ca-file' is equal to '/var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-4a89bd20=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-http-urls: https://127.0.0.1:2382\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-4a89bd20\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s generates a unique certificate authority for etcd.\nThis is located at /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt.\nIf this check fails, ensure that the configuration file /var/lib/rancher/k3s/server/db/etcd/config\nhas not been modified to use a shared certificate authority."})]}),"\n",(0,t.jsx)(r.h2,{id:"41-worker-node-configuration-files",children:"4.1 Worker Node Configuration Files"}),"\n",(0,t.jsx)(r.h3,{id:"411-ensure-that-the-kubelet-service-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"The kubelet is embedded in the k3s process. There is no kubelet service file, all configuration is passed in as arguments at runtime."}),"\n",(0,t.jsxs)(r.h3,{id:"412-ensure-that-the-kubelet-service-file-ownership-is-set-to-root-automated",children:["4.1.2 Ensure that the kubelet service file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"The kubelet is embedded in the k3s process. There is no kubelet service file, all configuration is passed in as arguments at runtime."}),"\n",(0,t.jsx)(r.p,{children:"All configuration is passed in as arguments at container run time."}),"\n",(0,t.jsx)(r.h3,{id:"413-if-proxy-kubeconfig-file-exists-ensure-permissions-are-set-to-600-or-more-restrictive-automated",children:"4.1.3 If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; fi' \n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the each worker node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"414-if-proxy-kubeconfig-file-exists-ensure-ownership-is-set-to-root-automated",children:["4.1.4 If proxy kubeconfig file exists ensure ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; fi' \n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the each worker node.\nFor example, ",(0,t.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig"})]})]}),"\n",(0,t.jsx)(r.h3,{id:"415-ensure-that-the---kubeconfig-kubeletconf-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/agent/kubelet.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/agent/kubelet.kubeconfig; fi' \n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the each worker node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/agent/kubelet.kubeconfig"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"416-ensure-that-the---kubeconfig-kubeletconf-file-ownership-is-set-to-root-automated",children:["4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/agent/kubelet.kubeconfig\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the each worker node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/agent/kubelet.kubeconfig"})]})]}),"\n",(0,t.jsx)(r.h3,{id:"417-ensure-that-the-certificate-authorities-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"4.1.7 Ensure that the certificate authorities file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"stat -c permissions=%a /var/lib/rancher/k3s/agent/client-ca.crt\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the following command to modify the file permissions of the\n--client-ca-file ",(0,t.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/agent/client-ca.crt"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"418-ensure-that-the-client-certificate-authorities-file-ownership-is-set-to-root-automated",children:["4.1.8 Ensure that the client certificate authorities file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/agent/client-ca.crt\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is equal to 'root",":root","'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the following command to modify the ownership of the --client-ca-file.\n",(0,t.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/agent/client-ca.crt"})]})]}),"\n",(0,t.jsx)(r.h3,{id:"419-ensure-that-the-kubelet---config-configuration-file-has-permissions-set-to-600-or-more-restrictive-automated",children:"4.1.9 Ensure that the kubelet --config configuration file has permissions set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"The kubelet is embedded in the k3s process. There is no kubelet config file, all configuration is passed in as arguments at runtime."}),"\n",(0,t.jsxs)(r.h3,{id:"4110-ensure-that-the-kubelet---config-configuration-file-ownership-is-set-to-root-automated",children:["4.1.10 Ensure that the kubelet --config configuration file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"The kubelet is embedded in the k3s process. There is no kubelet config file, all configuration is passed in as arguments at runtime."}),"\n",(0,t.jsx)(r.h2,{id:"42-kubelet",children:"4.2 Kubelet"}),"\n",(0,t.jsx)(r.h3,{id:"421-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",children:"4.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:'/bin/sh -c \'if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "anonymous-auth" | grep -v grep; else echo "--anonymous-auth=false"; fi\' \n'})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--anonymous-auth' is equal to 'false'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --anonymous-auth to false. If you have set this to a different value, you\nshould set it back to false. If using the K3s config file /etc/rancher/k3s/config.yaml, remove any lines similar to below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "anonymous-auth=true"\n'})}),(0,t.jsx)(r.p,{children:'If using the command line, edit the K3s service file and remove the below argument.\n--kubelet-arg="anonymous-auth=true"\nBased on your system, restart the k3s service. For example,\nsystemctl daemon-reload\nsystemctl restart k3s.service'})]}),"\n",(0,t.jsx)(r.h3,{id:"422-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",children:"4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:'/bin/sh -c \'if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "authorization-mode"; else echo "--authorization-mode=Webhook"; fi\' \n'})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--authorization-mode' does not have 'AlwaysAllow'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set the --authorization-mode to AlwaysAllow.\nIf using the K3s config file /etc/rancher/k3s/config.yaml, remove any lines similar to below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "authorization-mode=AlwaysAllow"\n'})}),(0,t.jsx)(r.p,{children:'If using the command line, edit the K3s service file and remove the below argument.\n--kubelet-arg="authorization-mode=AlwaysAllow"\nBased on your system, restart the k3s service. For example,\nsystemctl daemon-reload\nsystemctl restart k3s.service'})]}),"\n",(0,t.jsx)(r.h3,{id:"423-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",children:"4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:'/bin/sh -c \'if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "client-ca-file"; else echo "--client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt"; fi\' \n'})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--client-ca-file' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically provides the client ca certificate for the Kubelet.\nIt is generated and located at /var/lib/rancher/k3s/agent/client-ca.crt"})]}),"\n",(0,t.jsx)(r.h3,{id:"424-verify-that-the---read-only-port-argument-is-set-to-0-automated",children:"4.2.4 Verify that the --read-only-port argument is set to 0 (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--read-only-port' is equal to '0' OR '--read-only-port' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:30 server-0 k3s[2354]: time="2024-08-09T19:01:30Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --read-only-port to 0. If you have set this to a different value, you\nshould set it back to 0. If using the K3s config file /etc/rancher/k3s/config.yaml, remove any lines similar to below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "read-only-port=XXXX"\n'})}),(0,t.jsx)(r.p,{children:'If using the command line, edit the K3s service file and remove the below argument.\n--kubelet-arg="read-only-port=XXXX"\nBased on your system, restart the k3s service. For example,\nsystemctl daemon-reload\nsystemctl restart k3s.service'})]}),"\n",(0,t.jsx)(r.h3,{id:"425-ensure-that-the---streaming-connection-idle-timeout-argument-is-not-set-to-0-manual",children:"4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--streaming-connection-idle-timeout' is not equal to '0' OR '--streaming-connection-idle-timeout' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:30 server-0 k3s[2354]: time="2024-08-09T19:01:30Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If using the K3s config file /etc/rancher/k3s/config.yaml, set the following parameter to an appropriate value."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "streaming-connection-idle-timeout=5m"\n'})}),(0,t.jsx)(r.p,{children:'If using the command line, run K3s with --kubelet-arg="streaming-connection-idle-timeout=5m".\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service'})]}),"\n",(0,t.jsx)(r.h3,{id:"426-ensure-that-the---make-iptables-util-chains-argument-is-set-to-true-automated",children:"4.2.6 Ensure that the --make-iptables-util-chains argument is set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--make-iptables-util-chains' is equal to 'true' OR '--make-iptables-util-chains' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:30 server-0 k3s[2354]: time="2024-08-09T19:01:30Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If using the K3s config file /etc/rancher/k3s/config.yaml, set the following parameter."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "make-iptables-util-chains=true"\n'})}),(0,t.jsx)(r.p,{children:'If using the command line, run K3s with --kubelet-arg="make-iptables-util-chains=true".\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service'})]}),"\n",(0,t.jsx)(r.h3,{id:"427-ensure-that-the---hostname-override-argument-is-not-set-automated",children:"4.2.7 Ensure that the --hostname-override argument is not set (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s does set the --hostname-override argument. Per CIS guidelines, this is to comply\nwith cloud providers that require this flag to ensure that hostname matches node names."}),"\n",(0,t.jsx)(r.h3,{id:"428-ensure-that-the-eventrecordqps-argument-is-set-to-a-level-which-ensures-appropriate-event-capture-manual",children:"4.2.8 Ensure that the eventRecordQPS argument is set to a level which ensures appropriate event capture (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--event-qps' is greater or equal to 0 OR '--event-qps' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:30 server-0 k3s[2354]: time="2024-08-09T19:01:30Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the event-qps to 0. Should you wish to change this,\nIf using the K3s config file /etc/rancher/k3s/config.yaml, set the following parameter to an appropriate value."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "event-qps="\n'})}),(0,t.jsx)(r.p,{children:'If using the command line, run K3s with --kubelet-arg="event-qps=".\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service'})]}),"\n",(0,t.jsx)(r.h3,{id:"429-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",children:"4.2.9 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--tls-cert-file' is present AND '--tls-private-key-file' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:30 server-0 k3s[2354]: time="2024-08-09T19:01:30Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically provides the TLS certificate and private key for the Kubelet.\nThey are generated and located at /var/lib/rancher/k3s/agent/serving-kubelet.crt and /var/lib/rancher/k3s/agent/serving-kubelet.key\nIf for some reason you need to provide your own certificate and key, you can set the\nthe below parameters in the K3s config file /etc/rancher/k3s/config.yaml."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "tls-cert-file="\n - "tls-private-key-file="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"4210-ensure-that-the---rotate-certificates-argument-is-not-set-to-false-automated",children:"4.2.10 Ensure that the --rotate-certificates argument is not set to false (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--rotate-certificates' is present OR '--rotate-certificates' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:30 server-0 k3s[2354]: time="2024-08-09T19:01:30Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["By default, K3s does not set the --rotate-certificates argument. If you have set this flag with a value of ",(0,t.jsx)(r.code,{children:"false"}),", you should either set it to ",(0,t.jsx)(r.code,{children:"true"}),' or completely remove the flag.\nIf using the K3s config file /etc/rancher/k3s/config.yaml, remove any rotate-certificates parameter.\nIf using the command line, remove the K3s flag --kubelet-arg="rotate-certificates".\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service']})]}),"\n",(0,t.jsx)(r.h3,{id:"4211-verify-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",children:"4.2.11 Verify that the RotateKubeletServerCertificate argument is set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'RotateKubeletServerCertificate' is present OR 'RotateKubeletServerCertificate' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:30 server-0 k3s[2354]: time="2024-08-09T19:01:30Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:'By default, K3s does not set the RotateKubeletServerCertificate feature gate.\nIf you have enabled this feature gate, you should remove it.\nIf using the K3s config file /etc/rancher/k3s/config.yaml, remove any feature-gate=RotateKubeletServerCertificate parameter.\nIf using the command line, remove the K3s flag --kubelet-arg="feature-gate=RotateKubeletServerCertificate".\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service'})]}),"\n",(0,t.jsx)(r.h3,{id:"4212-ensure-that-the-kubelet-only-makes-use-of-strong-cryptographic-ciphers-manual",children:"4.2.12 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--tls-cipher-suites' contains valid elements from 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:30 server-0 k3s[2354]: time="2024-08-09T19:01:30Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["If using a K3s config file /etc/rancher/k3s/config.yaml, edit the file to set ",(0,t.jsx)(r.code,{children:"TLSCipherSuites"})," to"]}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"\n'})}),(0,t.jsx)(r.p,{children:'or to a subset of these values.\nIf using the command line, add the K3s flag --kubelet-arg="tls-cipher-suites="\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service'})]}),"\n",(0,t.jsx)(r.h3,{id:"4213-ensure-that-a-limit-is-set-on-pod-pids-manual",children:"4.2.13 Ensure that a limit is set on pod PIDs (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nDecide on an appropriate level for this parameter and set it,\nIf using a K3s config file /etc/rancher/k3s/config.yaml, edit the file to set ",(0,t.jsx)(r.code,{children:"podPidsLimit"})," to"]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "pod-max-pids="\n'})}),"\n",(0,t.jsx)(r.h2,{id:"51-rbac-and-service-accounts",children:"5.1 RBAC and Service Accounts"}),"\n",(0,t.jsx)(r.h3,{id:"511-ensure-that-the-cluster-admin-role-is-only-used-where-required-manual",children:"5.1.1 Ensure that the cluster-admin role is only used where required (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nIdentify all clusterrolebindings to the cluster-admin role. Check if they are used and\nif they need this role or if they could use a role with fewer privileges.\nWhere possible, first bind users to a lower privileged role and then remove the\nclusterrolebinding to the cluster-admin role :\nkubectl delete clusterrolebinding [name]"]}),"\n",(0,t.jsx)(r.h3,{id:"512-minimize-access-to-secrets-manual",children:"5.1.2 Minimize access to secrets (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove get, list and watch access to Secret objects in the cluster."]}),"\n",(0,t.jsx)(r.h3,{id:"513-minimize-wildcard-use-in-roles-and-clusterroles-manual",children:"5.1.3 Minimize wildcard use in Roles and ClusterRoles (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible replace any use of wildcards in clusterroles and roles with specific\nobjects or actions."]}),"\n",(0,t.jsx)(r.h3,{id:"514-minimize-access-to-create-pods-manual",children:"5.1.4 Minimize access to create pods (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove create access to pod objects in the cluster."]}),"\n",(0,t.jsx)(r.h3,{id:"515-ensure-that-default-service-accounts-are-not-actively-used-manual",children:"5.1.5 Ensure that default service accounts are not actively used. (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nCreate explicit service accounts wherever a Kubernetes workload requires specific access\nto the Kubernetes API server.\nModify the configuration of each default service account to include this value\nautomountServiceAccountToken: false"]}),"\n",(0,t.jsx)(r.h3,{id:"516-ensure-that-service-account-tokens-are-only-mounted-where-necessary-manual",children:"5.1.6 Ensure that Service Account Tokens are only mounted where necessary (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nModify the definition of pods and service accounts which do not need to mount service\naccount tokens to disable it."]}),"\n",(0,t.jsxs)(r.h3,{id:"517-avoid-use-of-system-group-manual",children:["5.1.7 Avoid use of system",":masters"," group (Manual)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nRemove the system",":masters"," group from all users in the cluster."]}),"\n",(0,t.jsx)(r.h3,{id:"518-limit-use-of-the-bind-impersonate-and-escalate-permissions-in-the-kubernetes-cluster-manual",children:"5.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove the impersonate, bind and escalate rights from subjects."]}),"\n",(0,t.jsx)(r.h3,{id:"519-minimize-access-to-create-persistent-volumes-manual",children:"5.1.9 Minimize access to create persistent volumes (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove create access to PersistentVolume objects in the cluster."]}),"\n",(0,t.jsx)(r.h3,{id:"5110-minimize-access-to-the-proxy-sub-resource-of-nodes-manual",children:"5.1.10 Minimize access to the proxy sub-resource of nodes (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove access to the proxy sub-resource of node objects."]}),"\n",(0,t.jsx)(r.h3,{id:"5111-minimize-access-to-the-approval-sub-resource-of-certificatesigningrequests-objects-manual",children:"5.1.11 Minimize access to the approval sub-resource of certificatesigningrequests objects (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove access to the approval sub-resource of certificatesigningrequest objects."]}),"\n",(0,t.jsx)(r.h3,{id:"5112-minimize-access-to-webhook-configuration-objects-manual",children:"5.1.12 Minimize access to webhook configuration objects (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove access to the validatingwebhookconfigurations or mutatingwebhookconfigurations objects"]}),"\n",(0,t.jsx)(r.h3,{id:"5113-minimize-access-to-the-service-account-token-creation-manual",children:"5.1.13 Minimize access to the service account token creation (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove access to the token sub-resource of serviceaccount objects."]}),"\n",(0,t.jsx)(r.h2,{id:"52-pod-security-standards",children:"5.2 Pod Security Standards"}),"\n",(0,t.jsx)(r.h3,{id:"521-ensure-that-the-cluster-has-at-least-one-active-policy-control-mechanism-in-place-manual",children:"5.2.1 Ensure that the cluster has at least one active policy control mechanism in place (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nEnsure that either Pod Security Admission or an external policy control system is in place\nfor every namespace which contains user workloads."]}),"\n",(0,t.jsx)(r.h3,{id:"522-minimize-the-admission-of-privileged-containers-manual",children:"5.2.2 Minimize the admission of privileged containers (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of privileged containers."]}),"\n",(0,t.jsx)(r.h3,{id:"523-minimize-the-admission-of-containers-wishing-to-share-the-host-process-id-namespace-automated",children:"5.2.3 Minimize the admission of containers wishing to share the host process ID namespace (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of ",(0,t.jsx)(r.code,{children:"hostPID"})," containers."]}),"\n",(0,t.jsx)(r.h3,{id:"524-minimize-the-admission-of-containers-wishing-to-share-the-host-ipc-namespace-automated",children:"5.2.4 Minimize the admission of containers wishing to share the host IPC namespace (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of ",(0,t.jsx)(r.code,{children:"hostIPC"})," containers."]}),"\n",(0,t.jsx)(r.h3,{id:"525-minimize-the-admission-of-containers-wishing-to-share-the-host-network-namespace-automated",children:"5.2.5 Minimize the admission of containers wishing to share the host network namespace (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of ",(0,t.jsx)(r.code,{children:"hostNetwork"})," containers."]}),"\n",(0,t.jsx)(r.h3,{id:"526-minimize-the-admission-of-containers-with-allowprivilegeescalation-automated",children:"5.2.6 Minimize the admission of containers with allowPrivilegeEscalation (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers with ",(0,t.jsx)(r.code,{children:".spec.allowPrivilegeEscalation"})," set to ",(0,t.jsx)(r.code,{children:"true"}),"."]}),"\n",(0,t.jsx)(r.h3,{id:"527-minimize-the-admission-of-root-containers-automated",children:"5.2.7 Minimize the admission of root containers (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nCreate a policy for each namespace in the cluster, ensuring that either ",(0,t.jsx)(r.code,{children:"MustRunAsNonRoot"}),"\nor ",(0,t.jsx)(r.code,{children:"MustRunAs"})," with the range of UIDs not including 0, is set."]}),"\n",(0,t.jsx)(r.h3,{id:"528-minimize-the-admission-of-containers-with-the-net_raw-capability-automated",children:"5.2.8 Minimize the admission of containers with the NET_RAW capability (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers with the ",(0,t.jsx)(r.code,{children:"NET_RAW"})," capability."]}),"\n",(0,t.jsx)(r.h3,{id:"529-minimize-the-admission-of-containers-with-added-capabilities-automated",children:"5.2.9 Minimize the admission of containers with added capabilities (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nEnsure that ",(0,t.jsx)(r.code,{children:"allowedCapabilities"})," is not present in policies for the cluster unless\nit is set to an empty array."]}),"\n",(0,t.jsx)(r.h3,{id:"5210-minimize-the-admission-of-containers-with-capabilities-assigned-manual",children:"5.2.10 Minimize the admission of containers with capabilities assigned (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nReview the use of capabilities in applications running on your cluster. Where a namespace\ncontains applications which do not require any Linux capabities to operate consider adding\na PSP which forbids the admission of containers which do not drop all capabilities."]}),"\n",(0,t.jsx)(r.h3,{id:"5211-minimize-the-admission-of-windows-hostprocess-containers-manual",children:"5.2.11 Minimize the admission of Windows HostProcess containers (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers that have ",(0,t.jsx)(r.code,{children:".securityContext.windowsOptions.hostProcess"})," set to ",(0,t.jsx)(r.code,{children:"true"}),"."]}),"\n",(0,t.jsx)(r.h3,{id:"5212-minimize-the-admission-of-hostpath-volumes-manual",children:"5.2.12 Minimize the admission of HostPath volumes (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers with ",(0,t.jsx)(r.code,{children:"hostPath"})," volumes."]}),"\n",(0,t.jsx)(r.h3,{id:"5213-minimize-the-admission-of-containers-which-use-hostports-manual",children:"5.2.13 Minimize the admission of containers which use HostPorts (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers which use ",(0,t.jsx)(r.code,{children:"hostPort"})," sections."]}),"\n",(0,t.jsx)(r.h2,{id:"53-network-policies-and-cni",children:"5.3 Network Policies and CNI"}),"\n",(0,t.jsx)(r.h3,{id:"531-ensure-that-the-cni-in-use-supports-networkpolicies-manual",children:"5.3.1 Ensure that the CNI in use supports NetworkPolicies (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nIf the CNI plugin in use does not support network policies, consideration should be given to\nmaking use of a different plugin, or finding an alternate mechanism for restricting traffic\nin the Kubernetes cluster."]}),"\n",(0,t.jsx)(r.h3,{id:"532-ensure-that-all-namespaces-have-networkpolicies-defined-manual",children:"5.3.2 Ensure that all Namespaces have NetworkPolicies defined (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the documentation and create NetworkPolicy objects as you need them."]}),"\n",(0,t.jsx)(r.h2,{id:"54-secrets-management",children:"5.4 Secrets Management"}),"\n",(0,t.jsx)(r.h3,{id:"541-prefer-using-secrets-as-files-over-secrets-as-environment-variables-manual",children:"5.4.1 Prefer using Secrets as files over Secrets as environment variables (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nIf possible, rewrite application code to read Secrets from mounted secret files, rather than\nfrom environment variables."]}),"\n",(0,t.jsx)(r.h3,{id:"542-consider-external-secret-storage-manual",children:"5.4.2 Consider external secret storage (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nRefer to the Secrets management options offered by your cloud provider or a third-party\nsecrets management solution."]}),"\n",(0,t.jsx)(r.h2,{id:"55-extensible-admission-control",children:"5.5 Extensible Admission Control"}),"\n",(0,t.jsx)(r.h3,{id:"551-configure-image-provenance-using-imagepolicywebhook-admission-controller-manual",children:"5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and setup image provenance."]}),"\n",(0,t.jsx)(r.h2,{id:"57-general-policies",children:"5.7 General Policies"}),"\n",(0,t.jsx)(r.h3,{id:"571-create-administrative-boundaries-between-resources-using-namespaces-manual",children:"5.7.1 Create administrative boundaries between resources using namespaces (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the documentation and create namespaces for objects in your deployment as you need\nthem."]}),"\n",(0,t.jsx)(r.h3,{id:"572-ensure-that-the-seccomp-profile-is-set-to-dockerdefault-in-your-pod-definitions-manual",children:"5.7.2 Ensure that the seccomp profile is set to docker/default in your Pod definitions (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nUse ",(0,t.jsx)(r.code,{children:"securityContext"})," to enable the docker/default seccomp profile in your pod definitions.\nAn example is as below:\nsecurityContext:\nseccompProfile:\ntype: RuntimeDefault"]}),"\n",(0,t.jsx)(r.h3,{id:"573-apply-securitycontext-to-your-pods-and-containers-manual",children:"5.7.3 Apply SecurityContext to your Pods and Containers (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and apply SecurityContexts to your Pods. For a\nsuggested list of SecurityContexts, you may refer to the CIS Security Benchmark for Docker\nContainers."]}),"\n",(0,t.jsx)(r.h3,{id:"574-the-default-namespace-should-not-be-used-manual",children:"5.7.4 The default namespace should not be used (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nEnsure that namespaces are created to allow for appropriate segregation of Kubernetes\nresources and that all new resources are created in a specific namespace."]})]})}function u(e={}){const{wrapper:r}={...(0,n.a)(),...e.components};return r?(0,t.jsx)(r,{...e,children:(0,t.jsx)(d,{...e})}):d(e)}},1151:(e,r,s)=>{s.d(r,{Z:()=>l,a:()=>a});var t=s(7294);const n={},i=t.createContext(n);function a(e){const r=t.useContext(i);return t.useMemo((function(){return"function"==typeof e?e(r):{...r,...e}}),[r,e])}function l(e){let r;return r=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:a(e.components),t.createElement(i.Provider,{value:r},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/65c5030c.333cc8ee.js b/assets/js/65c5030c.333cc8ee.js new file mode 100644 index 000000000..0e3abf483 --- /dev/null +++ b/assets/js/65c5030c.333cc8ee.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7733],{215:(e,n,s)=>{s.r(n),s.d(n,{assets:()=>d,contentTitle:()=>o,default:()=>h,frontMatter:()=>a,metadata:()=>r,toc:()=>l});var i=s(5893),t=s(1151);const a={title:"Managing Packaged Components"},o=void 0,r={id:"installation/packaged-components",title:"Managing Packaged Components",description:"Auto-Deploying Manifests (AddOns)",source:"@site/docs/installation/packaged-components.md",sourceDirName:"installation",slug:"/installation/packaged-components",permalink:"/installation/packaged-components",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/packaged-components.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Managing Packaged Components"},sidebar:"mySidebar",previous:{title:"Managing Server Roles",permalink:"/installation/server-roles"},next:{title:"Uninstalling K3s",permalink:"/installation/uninstall"}},d={},l=[{value:"Auto-Deploying Manifests (AddOns)",id:"auto-deploying-manifests-addons",level:2},{value:"Packaged Components",id:"packaged-components",level:3},{value:"User AddOns",id:"user-addons",level:3},{value:"File Naming Requirements",id:"file-naming-requirements",level:4},{value:"Disabling Manifests",id:"disabling-manifests",level:2},{value:"Using the --disable flag",id:"using-the---disable-flag",level:3},{value:"Using .skip files",id:"using-skip-files",level:3},{value:"Helm AddOns",id:"helm-addons",level:2}];function c(e){const n={a:"a",admonition:"admonition",blockquote:"blockquote",code:"code",h2:"h2",h3:"h3",h4:"h4",p:"p",pre:"pre",...(0,t.a)(),...e.components};return(0,i.jsxs)(i.Fragment,{children:[(0,i.jsx)(n.h2,{id:"auto-deploying-manifests-addons",children:"Auto-Deploying Manifests (AddOns)"}),"\n",(0,i.jsxs)(n.p,{children:["On server nodes, any file found in ",(0,i.jsx)(n.code,{children:"/var/lib/rancher/k3s/server/manifests"})," will automatically be deployed to Kubernetes in a manner similar to ",(0,i.jsx)(n.code,{children:"kubectl apply"}),", both on startup and when the file is changed on disk. Deleting files out of this directory will not delete the corresponding resources from the cluster."]}),"\n",(0,i.jsxs)(n.p,{children:["Manifests are tracked as ",(0,i.jsx)(n.code,{children:"AddOn"})," custom resources in the ",(0,i.jsx)(n.code,{children:"kube-system"})," namespace. Any errors or warnings encountered when applying the manifest file may seen by using ",(0,i.jsx)(n.code,{children:"kubectl describe"})," on the corresponding ",(0,i.jsx)(n.code,{children:"AddOn"}),", or by using ",(0,i.jsx)(n.code,{children:"kubectl get event -n kube-system"})," to view all events for that namespace, including those from the deploy controller."]}),"\n",(0,i.jsx)(n.h3,{id:"packaged-components",children:"Packaged Components"}),"\n",(0,i.jsxs)(n.p,{children:["K3s comes with a number of packaged components that are deployed as AddOns via the manifests directory: ",(0,i.jsx)(n.code,{children:"coredns"}),", ",(0,i.jsx)(n.code,{children:"traefik"}),", ",(0,i.jsx)(n.code,{children:"local-storage"}),", and ",(0,i.jsx)(n.code,{children:"metrics-server"}),". The embedded ",(0,i.jsx)(n.code,{children:"servicelb"})," LoadBalancer controller does not have a manifest file, but can be disabled as if it were an ",(0,i.jsx)(n.code,{children:"AddOn"})," for historical reasons."]}),"\n",(0,i.jsx)(n.p,{children:"Manifests for packaged components are managed by K3s, and should not be altered. The files are re-written to disk whenever K3s is started, in order to ensure their integrity."}),"\n",(0,i.jsx)(n.h3,{id:"user-addons",children:"User AddOns"}),"\n",(0,i.jsxs)(n.p,{children:["You may place additional files in the manifests directory for deployment as an ",(0,i.jsx)(n.code,{children:"AddOn"}),". Each file may contain multiple Kubernetes resources, delmited by the ",(0,i.jsx)(n.code,{children:"---"})," YAML document separator. For more information on organizing resources in manifests, see the ",(0,i.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/cluster-administration/manage-deployment/",children:"Managing Resources"})," section of the Kubernetes documentation."]}),"\n",(0,i.jsx)(n.h4,{id:"file-naming-requirements",children:"File Naming Requirements"}),"\n",(0,i.jsxs)(n.p,{children:["The ",(0,i.jsx)(n.code,{children:"AddOn"})," name for each file in the manifest directory is derived from the file basename.\nEnsure that all files within the manifests directory (or within any subdirectories) have names that are unique, and adhere to Kubernetes ",(0,i.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/overview/working-with-objects/names/",children:"object naming restrictions"}),".\nCare should also be taken not to conflict with names in use by the default K3s packaged components, even if those components are disabled."]}),"\n",(0,i.jsx)(n.p,{children:"Here is en example of an error that would be reported if the file name contains underscores:"}),"\n",(0,i.jsxs)(n.blockquote,{children:["\n",(0,i.jsx)(n.p,{children:(0,i.jsx)(n.code,{children:"Failed to process config: failed to process /var/lib/rancher/k3s/server/manifests/example_manifest.yaml: Addon.k3s.cattle.io \"example_manifest\" is invalid: metadata.name: Invalid value: \"example_manifest\": a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')"})}),"\n"]}),"\n",(0,i.jsx)(n.admonition,{type:"danger",children:(0,i.jsx)(n.p,{children:"If you have multiple server nodes, and place additional AddOn manifests on more than one server, it is your responsibility to ensure that files stay in sync across those nodes. K3s does not sync AddOn content between nodes, and cannot guarantee correct behavior if different servers attempt to deploy conflicting manifests."})}),"\n",(0,i.jsx)(n.h2,{id:"disabling-manifests",children:"Disabling Manifests"}),"\n",(0,i.jsx)(n.p,{children:"There are two ways to disable deployment of specific content from the manifests directory."}),"\n",(0,i.jsxs)(n.h3,{id:"using-the---disable-flag",children:["Using the ",(0,i.jsx)(n.code,{children:"--disable"})," flag"]}),"\n",(0,i.jsxs)(n.p,{children:["The AddOns for packaged components listed above, in addition to AddOns for any additional manifests placed in the ",(0,i.jsx)(n.code,{children:"manifests"})," directory, can be disabled with the ",(0,i.jsx)(n.code,{children:"--disable"})," flag. Disabled AddOns are actively uninstalled from the cluster, and the source files deleted from the ",(0,i.jsx)(n.code,{children:"manifests"})," directory."]}),"\n",(0,i.jsxs)(n.p,{children:["For example, to disable traefik from being installed on a new cluster, or to uninstall it and remove the manifest from an existing cluster, you can start K3s with ",(0,i.jsx)(n.code,{children:"--disable=traefik"}),". Multiple items can be disabled by separating their names with commas, or by repeating the flag."]}),"\n",(0,i.jsx)(n.h3,{id:"using-skip-files",children:"Using .skip files"}),"\n",(0,i.jsxs)(n.p,{children:["For any file under ",(0,i.jsx)(n.code,{children:"/var/lib/rancher/k3s/server/manifests"}),", you can create a ",(0,i.jsx)(n.code,{children:".skip"})," file which will cause K3s to ignore the corresponding manifest. The contents of the ",(0,i.jsx)(n.code,{children:".skip"})," file do not matter, only its existence is checked. Note that creating a ",(0,i.jsx)(n.code,{children:".skip"})," file after an AddOn has already been created will not remove or otherwise modify it or the resources it created; the file is simply treated as if it did not exist."]}),"\n",(0,i.jsxs)(n.p,{children:["For example, creating an empty ",(0,i.jsx)(n.code,{children:"traefik.yaml.skip"})," file in the manifests directory before K3s is started the first time, will cause K3s to skip deploying ",(0,i.jsx)(n.code,{children:"traefik.yaml"}),":"]}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-bash",children:"$ ls /var/lib/rancher/k3s/server/manifests\nccm.yaml local-storage.yaml rolebindings.yaml traefik.yaml.skip\ncoredns.yaml traefik.yaml\n\n$ kubectl get pods -A\nNAMESPACE NAME READY STATUS RESTARTS AGE\nkube-system local-path-provisioner-64ffb68fd-xx98j 1/1 Running 0 74s\nkube-system metrics-server-5489f84d5d-7zwkt 1/1 Running 0 74s\nkube-system coredns-85cb69466-vcq7j 1/1 Running 0 74s\n"})}),"\n",(0,i.jsxs)(n.p,{children:["If Traefik had already been deployed prior to creating the ",(0,i.jsx)(n.code,{children:"traefik.skip"})," file, Traefik would stay as-is, and would not be affected by future updates when K3s is upgraded."]}),"\n",(0,i.jsx)(n.h2,{id:"helm-addons",children:"Helm AddOns"}),"\n",(0,i.jsxs)(n.p,{children:["For information about managing Helm charts via auto-deploying manifests, refer to the section about ",(0,i.jsx)(n.a,{href:"/helm",children:"Helm."})]})]})}function h(e={}){const{wrapper:n}={...(0,t.a)(),...e.components};return n?(0,i.jsx)(n,{...e,children:(0,i.jsx)(c,{...e})}):c(e)}},1151:(e,n,s)=>{s.d(n,{Z:()=>r,a:()=>o});var i=s(7294);const t={},a=i.createContext(t);function o(e){const n=i.useContext(a);return i.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function r(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:o(e.components),i.createElement(a.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/65c5030c.ed6acdee.js b/assets/js/65c5030c.ed6acdee.js deleted file mode 100644 index c15b49c0a..000000000 --- a/assets/js/65c5030c.ed6acdee.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7733],{215:(e,n,s)=>{s.r(n),s.d(n,{assets:()=>d,contentTitle:()=>o,default:()=>h,frontMatter:()=>a,metadata:()=>r,toc:()=>l});var i=s(5893),t=s(1151);const a={title:"Managing Packaged Components"},o=void 0,r={id:"installation/packaged-components",title:"Managing Packaged Components",description:"Auto-Deploying Manifests (AddOns)",source:"@site/docs/installation/packaged-components.md",sourceDirName:"installation",slug:"/installation/packaged-components",permalink:"/installation/packaged-components",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/packaged-components.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Managing Packaged Components"},sidebar:"mySidebar",previous:{title:"Managing Server Roles",permalink:"/installation/server-roles"},next:{title:"Uninstalling K3s",permalink:"/installation/uninstall"}},d={},l=[{value:"Auto-Deploying Manifests (AddOns)",id:"auto-deploying-manifests-addons",level:2},{value:"Packaged Components",id:"packaged-components",level:3},{value:"User AddOns",id:"user-addons",level:3},{value:"File Naming Requirements",id:"file-naming-requirements",level:4},{value:"Disabling Manifests",id:"disabling-manifests",level:2},{value:"Using the --disable flag",id:"using-the---disable-flag",level:3},{value:"Using .skip files",id:"using-skip-files",level:3},{value:"Helm AddOns",id:"helm-addons",level:2}];function c(e){const n={a:"a",admonition:"admonition",blockquote:"blockquote",code:"code",h2:"h2",h3:"h3",h4:"h4",p:"p",pre:"pre",...(0,t.a)(),...e.components};return(0,i.jsxs)(i.Fragment,{children:[(0,i.jsx)(n.h2,{id:"auto-deploying-manifests-addons",children:"Auto-Deploying Manifests (AddOns)"}),"\n",(0,i.jsxs)(n.p,{children:["On server nodes, any file found in ",(0,i.jsx)(n.code,{children:"/var/lib/rancher/k3s/server/manifests"})," will automatically be deployed to Kubernetes in a manner similar to ",(0,i.jsx)(n.code,{children:"kubectl apply"}),", both on startup and when the file is changed on disk. Deleting files out of this directory will not delete the corresponding resources from the cluster."]}),"\n",(0,i.jsxs)(n.p,{children:["Manifests are tracked as ",(0,i.jsx)(n.code,{children:"AddOn"})," custom resources in the ",(0,i.jsx)(n.code,{children:"kube-system"})," namespace. Any errors or warnings encountered when applying the manifest file may seen by using ",(0,i.jsx)(n.code,{children:"kubectl describe"})," on the corresponding ",(0,i.jsx)(n.code,{children:"AddOn"}),", or by using ",(0,i.jsx)(n.code,{children:"kubectl get event -n kube-system"})," to view all events for that namespace, including those from the deploy controller."]}),"\n",(0,i.jsx)(n.h3,{id:"packaged-components",children:"Packaged Components"}),"\n",(0,i.jsxs)(n.p,{children:["K3s comes with a number of packaged components that are deployed as AddOns via the manifests directory: ",(0,i.jsx)(n.code,{children:"coredns"}),", ",(0,i.jsx)(n.code,{children:"traefik"}),", ",(0,i.jsx)(n.code,{children:"local-storage"}),", and ",(0,i.jsx)(n.code,{children:"metrics-server"}),". The embedded ",(0,i.jsx)(n.code,{children:"servicelb"})," LoadBalancer controller does not have a manifest file, but can be disabled as if it were an ",(0,i.jsx)(n.code,{children:"AddOn"})," for historical reasons."]}),"\n",(0,i.jsx)(n.p,{children:"Manifests for packaged components are managed by K3s, and should not be altered. The files are re-written to disk whenever K3s is started, in order to ensure their integrity."}),"\n",(0,i.jsx)(n.h3,{id:"user-addons",children:"User AddOns"}),"\n",(0,i.jsxs)(n.p,{children:["You may place additional files in the manifests directory for deployment as an ",(0,i.jsx)(n.code,{children:"AddOn"}),". Each file may contain multiple Kubernetes resources, delmited by the ",(0,i.jsx)(n.code,{children:"---"})," YAML document separator. For more information on organizing resources in manifests, see the ",(0,i.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/cluster-administration/manage-deployment/",children:"Managing Resources"})," section of the Kubernetes documentation."]}),"\n",(0,i.jsx)(n.h4,{id:"file-naming-requirements",children:"File Naming Requirements"}),"\n",(0,i.jsxs)(n.p,{children:["The ",(0,i.jsx)(n.code,{children:"AddOn"})," name for each file in the manifest directory is derived from the file basename.\nEnsure that all files within the manifests directory (or within any subdirectories) have names that are unique, and adhere to Kubernetes ",(0,i.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/overview/working-with-objects/names/",children:"object naming restrictions"}),".\nCare should also be taken not to conflict with names in use by the default K3s packaged components, even if those components are disabled."]}),"\n",(0,i.jsx)(n.p,{children:"Here is en example of an error that would be reported if the file name contains underscores:"}),"\n",(0,i.jsxs)(n.blockquote,{children:["\n",(0,i.jsx)(n.p,{children:(0,i.jsx)(n.code,{children:"Failed to process config: failed to process /var/lib/rancher/k3s/server/manifests/example_manifest.yaml: Addon.k3s.cattle.io \"example_manifest\" is invalid: metadata.name: Invalid value: \"example_manifest\": a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')"})}),"\n"]}),"\n",(0,i.jsx)(n.admonition,{type:"danger",children:(0,i.jsx)(n.p,{children:"If you have multiple server nodes, and place additional AddOn manifests on more than one server, it is your responsibility to ensure that files stay in sync across those nodes. K3s does not sync AddOn content between nodes, and cannot guarantee correct behavior if different servers attempt to deploy conflicting manifests."})}),"\n",(0,i.jsx)(n.h2,{id:"disabling-manifests",children:"Disabling Manifests"}),"\n",(0,i.jsx)(n.p,{children:"There are two ways to disable deployment of specific content from the manifests directory."}),"\n",(0,i.jsxs)(n.h3,{id:"using-the---disable-flag",children:["Using the ",(0,i.jsx)(n.code,{children:"--disable"})," flag"]}),"\n",(0,i.jsxs)(n.p,{children:["The AddOns for packaged components listed above, in addition to AddOns for any additional manifests placed in the ",(0,i.jsx)(n.code,{children:"manifests"})," directory, can be disabled with the ",(0,i.jsx)(n.code,{children:"--disable"})," flag. Disabled AddOns are actively uninstalled from the cluster, and the source files deleted from the ",(0,i.jsx)(n.code,{children:"manifests"})," directory."]}),"\n",(0,i.jsxs)(n.p,{children:["For example, to disable traefik from being installed on a new cluster, or to uninstall it and remove the manifest from an existing cluster, you can start K3s with ",(0,i.jsx)(n.code,{children:"--disable=traefik"}),". Multiple items can be disabled by separating their names with commas, or by repeating the flag."]}),"\n",(0,i.jsx)(n.h3,{id:"using-skip-files",children:"Using .skip files"}),"\n",(0,i.jsxs)(n.p,{children:["For any file under ",(0,i.jsx)(n.code,{children:"/var/lib/rancher/k3s/server/manifests"}),", you can create a ",(0,i.jsx)(n.code,{children:".skip"})," file which will cause K3s to ignore the corresponding manifest. The contents of the ",(0,i.jsx)(n.code,{children:".skip"})," file do not matter, only its existence is checked. Note that creating a ",(0,i.jsx)(n.code,{children:".skip"})," file after an AddOn has already been created will not remove or otherwise modify it or the resources it created; the file is simply treated as if it did not exist."]}),"\n",(0,i.jsxs)(n.p,{children:["For example, creating an empty ",(0,i.jsx)(n.code,{children:"traefik.yaml.skip"})," file in the manifests directory before K3s is started the first time, will cause K3s to skip deploying ",(0,i.jsx)(n.code,{children:"traefik.yaml"}),":"]}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-bash",children:"$ ls /var/lib/rancher/k3s/server/manifests\nccm.yaml local-storage.yaml rolebindings.yaml traefik.yaml.skip\ncoredns.yaml traefik.yaml\n\n$ kubectl get pods -A\nNAMESPACE NAME READY STATUS RESTARTS AGE\nkube-system local-path-provisioner-64ffb68fd-xx98j 1/1 Running 0 74s\nkube-system metrics-server-5489f84d5d-7zwkt 1/1 Running 0 74s\nkube-system coredns-85cb69466-vcq7j 1/1 Running 0 74s\n"})}),"\n",(0,i.jsxs)(n.p,{children:["If Traefik had already been deployed prior to creating the ",(0,i.jsx)(n.code,{children:"traefik.skip"})," file, Traefik would stay as-is, and would not be affected by future updates when K3s is upgraded."]}),"\n",(0,i.jsx)(n.h2,{id:"helm-addons",children:"Helm AddOns"}),"\n",(0,i.jsxs)(n.p,{children:["For information about managing Helm charts via auto-deploying manifests, refer to the section about ",(0,i.jsx)(n.a,{href:"/helm",children:"Helm."})]})]})}function h(e={}){const{wrapper:n}={...(0,t.a)(),...e.components};return n?(0,i.jsx)(n,{...e,children:(0,i.jsx)(c,{...e})}):c(e)}},1151:(e,n,s)=>{s.d(n,{Z:()=>r,a:()=>o});var i=s(7294);const t={},a=i.createContext(t);function o(e){const n=i.useContext(a);return i.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function r(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:o(e.components),i.createElement(a.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/zh/assets/js/696.b4659b1c.js b/assets/js/696.57f80179.js similarity index 99% rename from zh/assets/js/696.b4659b1c.js rename to assets/js/696.57f80179.js index b2b5af2c6..33c71b7df 100644 --- a/zh/assets/js/696.b4659b1c.js +++ b/assets/js/696.57f80179.js @@ -1790,7 +1790,7 @@ function preorder(g, vs) { } // EXTERNAL MODULE: ./node_modules/dagre-d3-es/src/graphlib/graph.js + 9 modules -var graph = __webpack_require__(2544); +var graph = __webpack_require__(4404); ;// CONCATENATED MODULE: ./node_modules/dagre-d3-es/src/graphlib/alg/prim.js @@ -4353,7 +4353,7 @@ function canonicalize(attrs) { /***/ }), -/***/ 2544: +/***/ 4404: /***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => { @@ -5166,7 +5166,7 @@ function edgeObjToId(isDirected, edgeObj) { /* harmony export */ k: () => (/* reexport safe */ _graph_js__WEBPACK_IMPORTED_MODULE_0__.k) /* harmony export */ }); /* unused harmony export version */ -/* harmony import */ var _graph_js__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(2544); +/* harmony import */ var _graph_js__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(4404); // Includes only the "core" of graphlib diff --git a/assets/js/6ab2c2e0.69f493b4.js b/assets/js/6ab2c2e0.69f493b4.js new file mode 100644 index 000000000..0e88f4ae7 --- /dev/null +++ b/assets/js/6ab2c2e0.69f493b4.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[981],{9414:(e,t,s)=>{s.r(t),s.d(t,{assets:()=>c,contentTitle:()=>d,default:()=>h,frontMatter:()=>r,metadata:()=>l,toc:()=>o});var n=s(5893),i=s(1151);const r={title:"Environment Variables"},d=void 0,l={id:"reference/env-variables",title:"Environment Variables",description:"As mentioned in the Quick-Start Guide, you can use the installation script available at https://get.k3s.io to install K3s as a service on systemd and openrc based systems.",source:"@site/docs/reference/env-variables.md",sourceDirName:"reference",slug:"/reference/env-variables",permalink:"/reference/env-variables",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/reference/env-variables.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Environment Variables"},sidebar:"mySidebar",previous:{title:"Advanced Options / Configuration",permalink:"/advanced"},next:{title:"Flag Deprecation",permalink:"/reference/flag-deprecation"}},c={},o=[];function a(e){const t={a:"a",code:"code",p:"p",pre:"pre",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",...(0,i.a)(),...e.components};return(0,n.jsxs)(n.Fragment,{children:[(0,n.jsxs)(t.p,{children:["As mentioned in the ",(0,n.jsx)(t.a,{href:"/quick-start",children:"Quick-Start Guide"}),", you can use the installation script available at ",(0,n.jsx)(t.a,{href:"https://get.k3s.io",children:"https://get.k3s.io"})," to install K3s as a service on systemd and openrc based systems."]}),"\n",(0,n.jsx)(t.p,{children:"The simplest form of this command is as follows:"}),"\n",(0,n.jsx)(t.pre,{children:(0,n.jsx)(t.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | sh -\n"})}),"\n",(0,n.jsx)(t.p,{children:"When using this method to install K3s, the following environment variables can be used to configure the installation:"}),"\n",(0,n.jsxs)(t.table,{children:[(0,n.jsx)(t.thead,{children:(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.th,{children:"Environment Variable"}),(0,n.jsx)(t.th,{children:"Description"})]})}),(0,n.jsxs)(t.tbody,{children:[(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_SKIP_DOWNLOAD"})}),(0,n.jsx)(t.td,{children:"If set to true will not download K3s hash or binary."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_SYMLINK"})}),(0,n.jsx)(t.td,{children:"By default will create symlinks for the kubectl, crictl, and ctr binaries if the commands do not already exist in path. If set to 'skip' will not create symlinks and 'force' will overwrite."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_SKIP_ENABLE"})}),(0,n.jsx)(t.td,{children:"If set to true will not enable or start K3s service."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_SKIP_START"})}),(0,n.jsx)(t.td,{children:"If set to true will not start K3s service."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_VERSION"})}),(0,n.jsx)(t.td,{children:"Version of K3s to download from Github. Will attempt to download from the stable channel if not specified."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_BIN_DIR"})}),(0,n.jsxs)(t.td,{children:["Directory to install K3s binary, links, and uninstall script to, or use ",(0,n.jsx)(t.code,{children:"/usr/local/bin"})," as the default."]})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_BIN_DIR_READ_ONLY"})}),(0,n.jsxs)(t.td,{children:["If set to true will not write files to ",(0,n.jsx)(t.code,{children:"INSTALL_K3S_BIN_DIR"}),", forces setting ",(0,n.jsx)(t.code,{children:"INSTALL_K3S_SKIP_DOWNLOAD=true"}),"."]})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_SYSTEMD_DIR"})}),(0,n.jsxs)(t.td,{children:["Directory to install systemd service and environment files to, or use ",(0,n.jsx)(t.code,{children:"/etc/systemd/system"})," as the default."]})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_EXEC"})}),(0,n.jsxs)(t.td,{children:["Command with flags to use for launching K3s in the service. If the command is not specified, and the ",(0,n.jsx)(t.code,{children:"K3S_URL"}),' is set, it will default to "agent." If ',(0,n.jsx)(t.code,{children:"K3S_URL"}),' not set, it will default to "server." For help, refer to ',(0,n.jsx)(t.a,{href:"/installation/configuration#configuration-with-install-script",children:"this example."})]})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_NAME"})}),(0,n.jsx)(t.td,{children:"Name of systemd service to create, will default to 'k3s' if running k3s as a server and 'k3s-agent' if running k3s as an agent. If specified the name will be prefixed with 'k3s-'."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_TYPE"})}),(0,n.jsx)(t.td,{children:"Type of systemd service to create, will default from the K3s exec command if not specified."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_SELINUX_WARN"})}),(0,n.jsx)(t.td,{children:"If set to true will continue if k3s-selinux policy is not found."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_SKIP_SELINUX_RPM"})}),(0,n.jsx)(t.td,{children:"If set to true will skip automatic installation of the k3s RPM."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_CHANNEL_URL"})}),(0,n.jsxs)(t.td,{children:["Channel URL for fetching K3s download URL. Defaults to ",(0,n.jsx)(t.a,{href:"https://update.k3s.io/v1-release/channels",children:"https://update.k3s.io/v1-release/channels"}),"."]})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_CHANNEL"})}),(0,n.jsxs)(t.td,{children:['Channel to use for fetching K3s download URL. Defaults to "stable". Options include: ',(0,n.jsx)(t.code,{children:"stable"}),", ",(0,n.jsx)(t.code,{children:"latest"}),", ",(0,n.jsx)(t.code,{children:"testing"}),"."]})]})]})]}),"\n",(0,n.jsx)(t.p,{children:"This example shows where to place aforementioned environment variables as options (after the pipe):"}),"\n",(0,n.jsx)(t.pre,{children:(0,n.jsx)(t.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | INSTALL_K3S_CHANNEL=latest sh -\n"})}),"\n",(0,n.jsxs)(t.p,{children:["Environment variables which begin with ",(0,n.jsx)(t.code,{children:"K3S_"})," will be preserved for the systemd and openrc services to use."]}),"\n",(0,n.jsxs)(t.p,{children:["Setting ",(0,n.jsx)(t.code,{children:"K3S_URL"}),' without explicitly setting an exec command will default the command to "agent".']}),"\n",(0,n.jsxs)(t.p,{children:["When running the agent, ",(0,n.jsx)(t.code,{children:"K3S_TOKEN"})," must also be set."]})]})}function h(e={}){const{wrapper:t}={...(0,i.a)(),...e.components};return t?(0,n.jsx)(t,{...e,children:(0,n.jsx)(a,{...e})}):a(e)}},1151:(e,t,s)=>{s.d(t,{Z:()=>l,a:()=>d});var n=s(7294);const i={},r=n.createContext(i);function d(e){const t=n.useContext(r);return n.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function l(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(i):e.components||i:d(e.components),n.createElement(r.Provider,{value:t},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/6ab2c2e0.6ea3594f.js b/assets/js/6ab2c2e0.6ea3594f.js deleted file mode 100644 index 867d5c098..000000000 --- a/assets/js/6ab2c2e0.6ea3594f.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[981],{9414:(e,t,s)=>{s.r(t),s.d(t,{assets:()=>c,contentTitle:()=>d,default:()=>h,frontMatter:()=>r,metadata:()=>l,toc:()=>o});var n=s(5893),i=s(1151);const r={title:"Environment Variables"},d=void 0,l={id:"reference/env-variables",title:"Environment Variables",description:"As mentioned in the Quick-Start Guide, you can use the installation script available at https://get.k3s.io to install K3s as a service on systemd and openrc based systems.",source:"@site/docs/reference/env-variables.md",sourceDirName:"reference",slug:"/reference/env-variables",permalink:"/reference/env-variables",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/reference/env-variables.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Environment Variables"},sidebar:"mySidebar",previous:{title:"Advanced Options / Configuration",permalink:"/advanced"},next:{title:"Flag Deprecation",permalink:"/reference/flag-deprecation"}},c={},o=[];function a(e){const t={a:"a",code:"code",p:"p",pre:"pre",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",...(0,i.a)(),...e.components};return(0,n.jsxs)(n.Fragment,{children:[(0,n.jsxs)(t.p,{children:["As mentioned in the ",(0,n.jsx)(t.a,{href:"/quick-start",children:"Quick-Start Guide"}),", you can use the installation script available at ",(0,n.jsx)(t.a,{href:"https://get.k3s.io",children:"https://get.k3s.io"})," to install K3s as a service on systemd and openrc based systems."]}),"\n",(0,n.jsx)(t.p,{children:"The simplest form of this command is as follows:"}),"\n",(0,n.jsx)(t.pre,{children:(0,n.jsx)(t.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | sh -\n"})}),"\n",(0,n.jsx)(t.p,{children:"When using this method to install K3s, the following environment variables can be used to configure the installation:"}),"\n",(0,n.jsxs)(t.table,{children:[(0,n.jsx)(t.thead,{children:(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.th,{children:"Environment Variable"}),(0,n.jsx)(t.th,{children:"Description"})]})}),(0,n.jsxs)(t.tbody,{children:[(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_SKIP_DOWNLOAD"})}),(0,n.jsx)(t.td,{children:"If set to true will not download K3s hash or binary."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_SYMLINK"})}),(0,n.jsx)(t.td,{children:"By default will create symlinks for the kubectl, crictl, and ctr binaries if the commands do not already exist in path. If set to 'skip' will not create symlinks and 'force' will overwrite."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_SKIP_ENABLE"})}),(0,n.jsx)(t.td,{children:"If set to true will not enable or start K3s service."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_SKIP_START"})}),(0,n.jsx)(t.td,{children:"If set to true will not start K3s service."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_VERSION"})}),(0,n.jsx)(t.td,{children:"Version of K3s to download from Github. Will attempt to download from the stable channel if not specified."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_BIN_DIR"})}),(0,n.jsxs)(t.td,{children:["Directory to install K3s binary, links, and uninstall script to, or use ",(0,n.jsx)(t.code,{children:"/usr/local/bin"})," as the default."]})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_BIN_DIR_READ_ONLY"})}),(0,n.jsxs)(t.td,{children:["If set to true will not write files to ",(0,n.jsx)(t.code,{children:"INSTALL_K3S_BIN_DIR"}),", forces setting ",(0,n.jsx)(t.code,{children:"INSTALL_K3S_SKIP_DOWNLOAD=true"}),"."]})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_SYSTEMD_DIR"})}),(0,n.jsxs)(t.td,{children:["Directory to install systemd service and environment files to, or use ",(0,n.jsx)(t.code,{children:"/etc/systemd/system"})," as the default."]})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_EXEC"})}),(0,n.jsxs)(t.td,{children:["Command with flags to use for launching K3s in the service. If the command is not specified, and the ",(0,n.jsx)(t.code,{children:"K3S_URL"}),' is set, it will default to "agent." If ',(0,n.jsx)(t.code,{children:"K3S_URL"}),' not set, it will default to "server." For help, refer to ',(0,n.jsx)(t.a,{href:"/installation/configuration#configuration-with-install-script",children:"this example."})]})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_NAME"})}),(0,n.jsx)(t.td,{children:"Name of systemd service to create, will default to 'k3s' if running k3s as a server and 'k3s-agent' if running k3s as an agent. If specified the name will be prefixed with 'k3s-'."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_TYPE"})}),(0,n.jsx)(t.td,{children:"Type of systemd service to create, will default from the K3s exec command if not specified."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_SELINUX_WARN"})}),(0,n.jsx)(t.td,{children:"If set to true will continue if k3s-selinux policy is not found."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_SKIP_SELINUX_RPM"})}),(0,n.jsx)(t.td,{children:"If set to true will skip automatic installation of the k3s RPM."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_CHANNEL_URL"})}),(0,n.jsxs)(t.td,{children:["Channel URL for fetching K3s download URL. Defaults to ",(0,n.jsx)(t.a,{href:"https://update.k3s.io/v1-release/channels",children:"https://update.k3s.io/v1-release/channels"}),"."]})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_CHANNEL"})}),(0,n.jsxs)(t.td,{children:['Channel to use for fetching K3s download URL. Defaults to "stable". Options include: ',(0,n.jsx)(t.code,{children:"stable"}),", ",(0,n.jsx)(t.code,{children:"latest"}),", ",(0,n.jsx)(t.code,{children:"testing"}),"."]})]})]})]}),"\n",(0,n.jsx)(t.p,{children:"This example shows where to place aforementioned environment variables as options (after the pipe):"}),"\n",(0,n.jsx)(t.pre,{children:(0,n.jsx)(t.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | INSTALL_K3S_CHANNEL=latest sh -\n"})}),"\n",(0,n.jsxs)(t.p,{children:["Environment variables which begin with ",(0,n.jsx)(t.code,{children:"K3S_"})," will be preserved for the systemd and openrc services to use."]}),"\n",(0,n.jsxs)(t.p,{children:["Setting ",(0,n.jsx)(t.code,{children:"K3S_URL"}),' without explicitly setting an exec command will default the command to "agent".']}),"\n",(0,n.jsxs)(t.p,{children:["When running the agent, ",(0,n.jsx)(t.code,{children:"K3S_TOKEN"})," must also be set."]})]})}function h(e={}){const{wrapper:t}={...(0,i.a)(),...e.components};return t?(0,n.jsx)(t,{...e,children:(0,n.jsx)(a,{...e})}):a(e)}},1151:(e,t,s)=>{s.d(t,{Z:()=>l,a:()=>d});var n=s(7294);const i={},r=n.createContext(i);function d(e){const t=n.useContext(r);return n.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function l(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(i):e.components||i:d(e.components),n.createElement(r.Provider,{value:t},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/6e9804bc.30e4e843.js b/assets/js/6e9804bc.30e4e843.js new file mode 100644 index 000000000..d80c775cb --- /dev/null +++ b/assets/js/6e9804bc.30e4e843.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[393],{1218:(e,t,r)=>{r.r(t),r.d(t,{assets:()=>o,contentTitle:()=>c,default:()=>h,frontMatter:()=>i,metadata:()=>a,toc:()=>d});var s=r(5893),n=r(1151);const i={title:"certificate"},c="k3s certificate",a={id:"cli/certificate",title:"certificate",description:"Client and Server Certificates",source:"@site/docs/cli/certificate.md",sourceDirName:"cli",slug:"/cli/certificate",permalink:"/cli/certificate",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/cli/certificate.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"certificate"},sidebar:"mySidebar",previous:{title:"agent",permalink:"/cli/agent"},next:{title:"etcd-snapshot",permalink:"/cli/etcd-snapshot"}},o={},d=[{value:"Client and Server Certificates",id:"client-and-server-certificates",level:2},{value:"Rotating Client and Server Certificates",id:"rotating-client-and-server-certificates",level:3},{value:"Certificate Authority (CA) Certificates",id:"certificate-authority-ca-certificates",level:2},{value:"Using Custom CA Certificates",id:"using-custom-ca-certificates",level:3},{value:"Custom CA Topology",id:"custom-ca-topology",level:4},{value:"Using the Example Script",id:"using-the-example-script",level:4},{value:"Rotating Custom CA Certificates",id:"rotating-custom-ca-certificates",level:3},{value:"Using the Example Script",id:"using-the-example-script-1",level:4},{value:"Rotating Self-Signed CA Certificates",id:"rotating-self-signed-ca-certificates",level:3},{value:"Default CA Topology",id:"default-ca-topology",level:4},{value:"Using The Example Script",id:"using-the-example-script-2",level:4},{value:"Service-Account Issuer Key Rotation",id:"service-account-issuer-key-rotation",level:2}];function l(e){const t={a:"a",admonition:"admonition",br:"br",code:"code",em:"em",h1:"h1",h2:"h2",h3:"h3",h4:"h4",header:"header",li:"li",mermaid:"mermaid",p:"p",pre:"pre",ul:"ul",...(0,n.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(t.header,{children:(0,s.jsx)(t.h1,{id:"k3s-certificate",children:"k3s certificate"})}),"\n",(0,s.jsx)(t.h2,{id:"client-and-server-certificates",children:"Client and Server Certificates"}),"\n",(0,s.jsx)(t.p,{children:"K3s client and server certificates are valid for 365 days from their date of issuance. Any certificates that are expired, or within 90 days of expiring, are automatically renewed every time K3s starts."}),"\n",(0,s.jsx)(t.h3,{id:"rotating-client-and-server-certificates",children:"Rotating Client and Server Certificates"}),"\n",(0,s.jsxs)(t.p,{children:["To rotate client and server certificates manually, use the ",(0,s.jsx)(t.code,{children:"k3s certificate rotate"})," subcommand:"]}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-bash",children:"# Stop K3s\nsystemctl stop k3s\n\n# Rotate certificates\nk3s certificate rotate\n\n# Start K3s\nsystemctl start k3s\n"})}),"\n",(0,s.jsx)(t.p,{children:"Individual or lists of certificates can be rotated by specifying the certificate name:"}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-bash",children:"k3s certificate rotate --service ,\n"})}),"\n",(0,s.jsxs)(t.p,{children:["The following certificates can be rotated: ",(0,s.jsx)(t.code,{children:"admin"}),", ",(0,s.jsx)(t.code,{children:"api-server"}),", ",(0,s.jsx)(t.code,{children:"controller-manager"}),", ",(0,s.jsx)(t.code,{children:"scheduler"}),", ",(0,s.jsx)(t.code,{children:"k3s-controller"}),", ",(0,s.jsx)(t.code,{children:"k3s-server"}),", ",(0,s.jsx)(t.code,{children:"cloud-controller"}),", ",(0,s.jsx)(t.code,{children:"etcd"}),", ",(0,s.jsx)(t.code,{children:"auth-proxy"}),", ",(0,s.jsx)(t.code,{children:"kubelet"}),", ",(0,s.jsx)(t.code,{children:"kube-proxy"}),"."]}),"\n",(0,s.jsx)(t.h2,{id:"certificate-authority-ca-certificates",children:"Certificate Authority (CA) Certificates"}),"\n",(0,s.jsxs)(t.p,{children:["Kubernetes requires a number of CA certificates for proper operation. For more information on how Kubernetes uses CA certificates, see the Kubernetes ",(0,s.jsx)(t.a,{href:"https://kubernetes.io/docs/setup/best-practices/certificates/#all-certificates",children:"PKI Certificates and Requirements"})," documentation."]}),"\n",(0,s.jsx)(t.p,{children:"By default, K3s generates self-signed CA certificates during startup of the first server node. These CA certificates are valid for 10 years from date of issuance, and are not automatically renewed."}),"\n",(0,s.jsxs)(t.p,{children:["The authoritative CA certificates and keys are stored within the datastore's bootstrap key, encrypted using the ",(0,s.jsx)(t.a,{href:"/cli/token#server",children:"server token"})," as the PBKDF2 passphrase with AES256-GCM and HMAC-SHA1.\nCopies of the CA certificates and keys are extracted to disk during K3s server startup.\nAny server may generate leaf certificates for nodes as they join the cluster, and the Kubernetes ",(0,s.jsx)(t.a,{href:"https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/",children:"Certificates API"})," controllers may issue additional certificates at runtime."]}),"\n",(0,s.jsxs)(t.p,{children:["To rotate CA certificates and keys, use the ",(0,s.jsx)(t.code,{children:"k3s certificate rotate-ca"})," command.\nThe command performs integrity checks to confirm that the updated certificates and keys are usable.\nIf the updated data is acceptable, the datastore's encrypted bootstrap key is updated, and the new certificates and keys will be used the next time K3s starts.\nIf problems are encountered while validating the certificates and keys, an error is reported to the system log and the operation is cancelled without changes."]}),"\n",(0,s.jsx)(t.admonition,{title:"Version Gate",type:"info",children:(0,s.jsxs)(t.p,{children:["Support for the ",(0,s.jsx)(t.code,{children:"k3s certificate rotate-ca"})," command and the ability to use CA certificates signed by an external CA is available starting with the 2023-02 releases (v1.26.2+k3s1, v1.25.7+k3s1, v1.24.11+k3s1, v1.23.17+k3s1)."]})}),"\n",(0,s.jsx)(t.h3,{id:"using-custom-ca-certificates",children:"Using Custom CA Certificates"}),"\n",(0,s.jsx)(t.p,{children:"If CA certificates and keys are found the correct location during initial startup of the first server in the cluster, automatic generation of CA certificates will be bypassed."}),"\n",(0,s.jsxs)(t.p,{children:["An example script to pre-create the appropriate certificates and keys is available ",(0,s.jsxs)(t.a,{href:"https://github.com/k3s-io/k3s/blob/master/contrib/util/generate-custom-ca-certs.sh",children:["in the K3s repo at ",(0,s.jsx)(t.code,{children:"contrib/util/generate-custom-ca-certs.sh"})]}),".\nThis script should be run prior to starting K3s for the first time, and will create a full set of leaf CA certificates signed by common Root and Intermediate CA certificates.\nIf you have an existing Root or Intermediate CA, this script can be used (or used as a starting point) to create the correct CA certificates to provision a K3s cluster with PKI rooted in an existing authority."]}),"\n",(0,s.jsxs)(t.p,{children:["Custom Certificate Authority files must be placed in ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/tls"}),". The following files are required:"]}),"\n",(0,s.jsxs)(t.ul,{children:["\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"server-ca.crt"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"server-ca.key"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"client-ca.crt"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"client-ca.key"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"request-header-ca.crt"})}),"\n",(0,s.jsxs)(t.li,{children:[(0,s.jsx)(t.code,{children:"request-header-ca.key"}),(0,s.jsx)(t.br,{}),"\n",(0,s.jsx)(t.em,{children:"// note: etcd files are required even if embedded etcd is not in use."})]}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"etcd/peer-ca.crt"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"etcd/peer-ca.key"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"etcd/server-ca.crt"})}),"\n",(0,s.jsxs)(t.li,{children:[(0,s.jsx)(t.code,{children:"etcd/server-ca.key"}),(0,s.jsx)(t.br,{}),"\n",(0,s.jsx)(t.em,{children:"// note: This is the private key used to sign service-account tokens. It does not have a corresponding certificate."})]}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"service.key"})}),"\n"]}),"\n",(0,s.jsx)(t.h4,{id:"custom-ca-topology",children:"Custom CA Topology"}),"\n",(0,s.jsx)(t.p,{children:"Custom CA Certificates should observe the following topology:"}),"\n",(0,s.jsx)(t.mermaid,{value:'graph TD\n root("Root CA")\n intermediate("Intermediate CA")\n server-ca("Server CA")\n client-ca("Client CA")\n request-header-ca("API Aggregation CA")\n etcd-peer-ca("etcd Peer CA")\n etcd-server-ca("etcd Server CA")\n\n root-hash>"Join token CA hash"]\n\n kube-server-certs[["Kubernetes servers
(control-plane and kubelet listeners)"]]\n kube-client-certs[["Kubernetes clients
(apiserver and kubelet clients)"]]\n request-header-certs[["Kubernetes API aggregation
(apiserver proxy client)"]]\n etcd-peer-certs[["etcd peer client/server
(etcd replication)"]]\n etcd-server-certs[["etcd client/server certificates
(Kubernetes <-> etcd)"]]\n\n root -.-|SHA256| root-hash\n root ---\x3e intermediate\n intermediate --\x3e server-ca ==> kube-server-certs\n intermediate --\x3e client-ca ==> kube-client-certs\n intermediate --\x3e request-header-ca ==> request-header-certs\n intermediate --\x3e etcd-peer-ca ==> etcd-peer-certs\n intermediate --\x3e etcd-server-ca ==> etcd-server-certs'}),"\n",(0,s.jsx)(t.h4,{id:"using-the-example-script",children:"Using the Example Script"}),"\n",(0,s.jsx)(t.admonition,{title:"Important",type:"info",children:(0,s.jsx)(t.p,{children:"If you want to sign the cluster CA certificates with an existing root CA using the example script, you must place the root and intermediate files in the target directory prior to running the script.\nIf the files do not exist, the script will create new root and intermediate CA certificates."})}),"\n",(0,s.jsx)(t.p,{children:"If you want to use only an existing root CA certificate, provide the following files:"}),"\n",(0,s.jsxs)(t.ul,{children:["\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"root-ca.pem"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"root-ca.key"})}),"\n"]}),"\n",(0,s.jsx)(t.p,{children:"If you want to use existing root and intermediate CA certificates, provide the following files:"}),"\n",(0,s.jsxs)(t.ul,{children:["\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"root-ca.pem"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"intermediate-ca.pem"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"intermediate-ca.key"})}),"\n"]}),"\n",(0,s.jsx)(t.p,{children:"To use the example script to generate custom certs and keys before starting K3s, run the following commands:"}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-bash",children:"# Create the target directory for cert generation.\nmkdir -p /var/lib/rancher/k3s/server/tls\n\n# Copy your root CA cert and intermediate CA cert+key into the correct location for the script.\n# For the purposes of this example, we assume you have existing root and intermediate CA files in /etc/ssl.\n# If you do not have an existing root and/or intermediate CA, the script will generate them for you.\ncp /etc/ssl/certs/root-ca.pem /etc/ssl/certs/intermediate-ca.pem /etc/ssl/private/intermediate-ca.key /var/lib/rancher/k3s/server/tls\n\n# Generate custom CA certs and keys.\ncurl -sL https://github.com/k3s-io/k3s/raw/master/contrib/util/generate-custom-ca-certs.sh | bash -\n"})}),"\n",(0,s.jsx)(t.p,{children:"If the command completes successfully, you may install and/or start K3s for the first time.\nIf the script generated root and/or intermediate CA files, you should back up these files so that they can be reused if it is necessary to rotate the CA certificates at a later date."}),"\n",(0,s.jsx)(t.h3,{id:"rotating-custom-ca-certificates",children:"Rotating Custom CA Certificates"}),"\n",(0,s.jsxs)(t.p,{children:["To rotate custom CA certificates, use the ",(0,s.jsx)(t.code,{children:"k3s certificate rotate-ca"})," subcommand.\nUpdated files must be staged into a temporary directory, loaded into the datastore, and k3s must be restarted on all nodes to use the updated certificates."]}),"\n",(0,s.jsx)(t.admonition,{type:"warning",children:(0,s.jsxs)(t.p,{children:["You must not overwrite the currently in-use data in ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/tls"}),".",(0,s.jsx)(t.br,{}),"\n","Stage the updated certificates and keys into a separate directory."]})}),"\n",(0,s.jsx)(t.p,{children:"A cluster that has been started with custom CA certificates can renew or rotate the CA certificates and keys non-disruptively, as long as the same root CA is used."}),"\n",(0,s.jsxs)(t.p,{children:["If a new root CA is required, the rotation will be disruptive. The ",(0,s.jsx)(t.code,{children:"k3s certificate rotate-ca --force"})," option must be used, all nodes that were joined with a ",(0,s.jsx)(t.a,{href:"/cli/token#secure",children:"secure token"})," (including servers) will need to be reconfigured to use the new token value, and pods will need to be restarted to trust the new root CA."]}),"\n",(0,s.jsx)(t.h4,{id:"using-the-example-script-1",children:"Using the Example Script"}),"\n",(0,s.jsxs)(t.p,{children:["The example ",(0,s.jsx)(t.code,{children:"generate-custom-ca-certs.sh"})," script linked above can also be used to generate updated certs in a new temporary directory, by copying files into the correct location and setting the ",(0,s.jsx)(t.code,{children:"DATA_DIR"})," environment variable.\nTo use the example script to generate updated certs and keys, run the following commands:"]}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-bash",children:"# Create a temporary directory for cert generation.\nmkdir -p /opt/k3s/server/tls\n\n# Copy your root CA cert and intermediate CA cert+key into the correct location for the script.\n# Non-disruptive rotation requires the same root CA that was used to generate the original certificates.\n# If the original files are still in the data directory, you can just run:\ncp /var/lib/rancher/k3s/server/tls/root-ca.* /var/lib/rancher/k3s/server/tls/intermediate-ca.* /opt/k3s/server/tls\n\n# Copy the current service-account signing key, so that existing service-account tokens are not invalidated.\ncp /var/lib/rancher/k3s/server/tls/service.key /opt/k3s/server/tls\n\n# Generate updated custom CA certs and keys.\ncurl -sL https://github.com/k3s-io/k3s/raw/master/contrib/util/generate-custom-ca-certs.sh | DATA_DIR=/opt/k3s bash -\n\n# Load the updated CA certs and keys into the datastore.\nk3s certificate rotate-ca --path=/opt/k3s/server\n"})}),"\n",(0,s.jsxs)(t.p,{children:["If the ",(0,s.jsx)(t.code,{children:"rotate-ca"})," command returns an error, check the service log for errors.\nIf the command completes successfully, restart K3s on all nodes in the cluster - servers first, then agents."]}),"\n",(0,s.jsxs)(t.p,{children:["If you used the ",(0,s.jsx)(t.code,{children:"--force"})," option or changed the root CA, ensure that any nodes that were joined with a ",(0,s.jsx)(t.a,{href:"/cli/token#secure",children:"secure token"})," are reconfigured to use the new token value, prior to being restarted.\nThe token may be stored in a ",(0,s.jsx)(t.code,{children:".env"})," file, systemd unit, or config.yaml, depending on how the node was configured during initial installation."]}),"\n",(0,s.jsx)(t.h3,{id:"rotating-self-signed-ca-certificates",children:"Rotating Self-Signed CA Certificates"}),"\n",(0,s.jsxs)(t.p,{children:["To rotate the K3s-generated self-signed CA certificates, use the ",(0,s.jsx)(t.code,{children:"k3s certificate rotate-ca"})," subcommand.\nUpdated files must be staged into a temporary directory, loaded into the datastore, and k3s must be restarted on all nodes to use the updated certificates."]}),"\n",(0,s.jsx)(t.admonition,{type:"warning",children:(0,s.jsxs)(t.p,{children:["You must not overwrite the currently in-use data in ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/tls"}),".",(0,s.jsx)(t.br,{}),"\n","Stage the updated certificates and keys into a separate directory."]})}),"\n",(0,s.jsxs)(t.p,{children:["If the cluster has been started with default self-signed CA certificates, rotation will be disruptive. All nodes that were joined with a ",(0,s.jsx)(t.a,{href:"/cli/token#secure",children:"secure token"})," will need to be reconfigured to trust the new CA hash.\nIf the new CA certificates are not cross-signed by the old CA certificates, you will need to use the ",(0,s.jsx)(t.code,{children:"--force"})," option to bypass integrity checks, and pods will need to be restarted to trust the new root CA."]}),"\n",(0,s.jsx)(t.h4,{id:"default-ca-topology",children:"Default CA Topology"}),"\n",(0,s.jsx)(t.p,{children:"The default self-signed CA certificates have the following topology:"}),"\n",(0,s.jsx)(t.mermaid,{value:'graph TD\n server-ca("Server CA")\n client-ca("Client CA")\n request-header-ca("API Aggregation CA")\n etcd-peer-ca("etcd Peer CA")\n etcd-server-ca("etcd Server CA")\n\n root-hash>"Join token CA hash"]\n\n kube-server-certs[["Kubernetes servers
(control-plane and kubelet listeners)"]]\n kube-client-certs[["Kubernetes clients
(apiserver and kubelet clients)"]]\n request-header-certs[["Kubernetes API aggregation
(apiserver proxy client)"]]\n etcd-peer-certs[["etcd peer client/server
(etcd replication)"]]\n etcd-server-certs[["etcd client/server certificates
(Kubernetes <-> etcd)"]]\n\n server-ca -.-|SHA256| root-hash\n server-ca ===> kube-server-certs\n client-ca ===> kube-client-certs\n request-header-ca ===> request-header-certs\n etcd-peer-ca ===> etcd-peer-certs\n etcd-server-ca ===> etcd-server-certs'}),"\n",(0,s.jsx)(t.p,{children:"When rotating the default self-signed CAs, a modified certificate topology with intermediate CAs and a new root CA cross-signed by the old CA can be used so that there is a continuous chain of trust between the old and new CAs:"}),"\n",(0,s.jsx)(t.mermaid,{value:'graph TD\n server-ca-old("Server CA
(old)")\n client-ca-old("Client CA
(old)")\n request-header-ca-old("API Aggregation CA
(old)")\n etcd-peer-ca-old("etcd Peer CA
(old)")\n etcd-server-ca-old("etcd Server CA
(old)")\n\n root-hash>"Join token CA hash"]\n\n server-ca-xsigned("Server CA
(cross-signed)")\n client-ca-xsigned("Client CA
(cross-signed)")\n request-header-ca-xsigned("API Aggregation CA
(cross-signed)")\n etcd-peer-ca-xsigned("etcd Peer CA
(cross-signed)")\n etcd-server-ca-xsigned("etcd Server CA
(cross-signed)")\n\n server-ca-ssigned("Server CA
(self-signed)")\n client-ca-ssigned("Client CA
(self-signed)")\n request-header-ca-ssigned("API Aggregation CA
(self-signed)")\n etcd-peer-ca-ssigned("etcd Peer CA
(self-signed)")\n etcd-server-ca-ssigned("etcd Server CA
(self-signed)")\n\n server-ca("Intermediate
Server CA")\n client-ca("Intermediate
Client CA")\n request-header-ca("Intermediate
API Aggregation CA")\n etcd-peer-ca("Intermediate
etcd Peer CA")\n etcd-server-ca("Intermediate
etcd Server CA")\n\n kube-server-certs[["Kubernetes servers
(control-plane and kubelet listeners)"]]\n kube-client-certs[["Kubernetes clients
(apiserver and kubelet clients)"]]\n request-header-certs[["Kubernetes API aggregation
(apiserver proxy client)"]]\n etcd-peer-certs[["etcd peer client/server
(etcd replication)"]]\n etcd-server-certs[["etcd client/server certificates
(Kubernetes <-> etcd)"]]\n\n server-ca-ssigned -.-|SHA256| root-hash\n server-ca-ssigned --\x3e server-ca ==> kube-server-certs\n server-ca-old --\x3e server-ca-xsigned --\x3e server-ca\n client-ca-ssigned --\x3e client-ca ==> kube-client-certs\n client-ca-old --\x3e client-ca-xsigned --\x3e client-ca\n request-header-ca-ssigned --\x3e request-header-ca ==> request-header-certs\n request-header-ca-old --\x3e request-header-ca-xsigned --\x3e request-header-ca\n etcd-peer-ca-ssigned --\x3e etcd-peer-ca ==> etcd-peer-certs\n etcd-peer-ca-old --\x3e etcd-peer-ca-xsigned --\x3e etcd-peer-ca\n etcd-server-ca-ssigned --\x3e etcd-server-ca ==> etcd-server-certs\n etcd-server-ca-old --\x3e etcd-server-ca-xsigned --\x3e etcd-server-ca'}),"\n",(0,s.jsx)(t.h4,{id:"using-the-example-script-2",children:"Using The Example Script"}),"\n",(0,s.jsxs)(t.p,{children:["An example script to create updated CA certificates and keys cross-signed by the existing CAs is available ",(0,s.jsxs)(t.a,{href:"https://github.com/k3s-io/k3s/blob/master/contrib/util/rotate-default-ca-certs.sh",children:["in the K3s repo at ",(0,s.jsx)(t.code,{children:"contrib/util/rotate-default-ca-certs.sh"})]}),"."]}),"\n",(0,s.jsx)(t.p,{children:"To use the example script to generate updated self-signed certificates that are cross-signed by the existing CAs, run the following commands:"}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-bash",children:"# Create updated CA certs and keys, cross-signed by the current CAs.\n# This script will create a new temporary directory containing the updated certs, and output the new token values.\ncurl -sL https://github.com/k3s-io/k3s/raw/master/contrib/util/rotate-default-ca-certs.sh | bash -\n\n# Load the updated certs into the datastore; see the script output for the updated token values.\nk3s certificate rotate-ca --path=/var/lib/rancher/k3s/server/rotate-ca\n"})}),"\n",(0,s.jsxs)(t.p,{children:["If the ",(0,s.jsx)(t.code,{children:"rotate-ca"})," command returns an error, check the service log for errors.\nIf the command completes successfully, restart K3s on all nodes in the cluster - servers first, then agents."]}),"\n",(0,s.jsxs)(t.p,{children:["Ensure that any nodes that were joined with a ",(0,s.jsx)(t.a,{href:"/cli/token#secure",children:"secure token"}),", including other server nodes, are reconfigured to use the new token value prior to being restarted.\nThe token may be stored in a ",(0,s.jsx)(t.code,{children:".env"})," file, systemd unit, or config.yaml, depending on how the node was configured during initial installation."]}),"\n",(0,s.jsx)(t.h2,{id:"service-account-issuer-key-rotation",children:"Service-Account Issuer Key Rotation"}),"\n",(0,s.jsxs)(t.p,{children:["The service-account issuer key is an RSA private key used to sign service-account tokens.\nWhen rotating the service-account issuer key, at least one old key should be retained in the file so that existing service-account tokens are not invalidated.\nIt can be rotated independent of the cluster CAs by using the ",(0,s.jsx)(t.code,{children:"k3s certificate rotate-ca"})," to install only an updated ",(0,s.jsx)(t.code,{children:"service.key"})," file that includes both the new and old keys."]}),"\n",(0,s.jsx)(t.admonition,{type:"warning",children:(0,s.jsxs)(t.p,{children:["You must not overwrite the currently in-use data in ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/tls"}),".",(0,s.jsx)(t.br,{}),"\n","Stage the updated key into a separate directory."]})}),"\n",(0,s.jsx)(t.p,{children:"For example, to rotate only the service-account issuer key, run the following commands:"}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-bash",children:"# Create a temporary directory for cert generation\nmkdir -p /opt/k3s/server/tls\n\n# Check OpenSSL version\nopenssl version | grep -qF 'OpenSSL 3' && OPENSSL_GENRSA_FLAGS=-traditional\n\n# Generate a new key\nopenssl genrsa ${OPENSSL_GENRSA_FLAGS:-} -out /opt/k3s/server/tls/service.key 2048\n\n# Append the existing key to avoid invalidating current tokens\ncat /var/lib/rancher/k3s/server/tls/service.key >> /opt/k3s/server/tls/service.key\n\n# Load the updated key into the datastore\nk3s certificate rotate-ca --path=/opt/k3s/server\n"})}),"\n",(0,s.jsxs)(t.p,{children:["It is normal to see warnings for files that are not being updated. If the ",(0,s.jsx)(t.code,{children:"rotate-ca"})," command returns an error, check the service log for errors.\nIf the command completes successfully, restart K3s on all servers in the cluster. It is not necessary to restart agents or restart any pods."]})]})}function h(e={}){const{wrapper:t}={...(0,n.a)(),...e.components};return t?(0,s.jsx)(t,{...e,children:(0,s.jsx)(l,{...e})}):l(e)}},1151:(e,t,r)=>{r.d(t,{Z:()=>a,a:()=>c});var s=r(7294);const n={},i=s.createContext(n);function c(e){const t=s.useContext(i);return s.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function a(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:c(e.components),s.createElement(i.Provider,{value:t},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/6e9804bc.ba685bd6.js b/assets/js/6e9804bc.ba685bd6.js deleted file mode 100644 index 03d450ea0..000000000 --- a/assets/js/6e9804bc.ba685bd6.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[393],{1218:(e,t,r)=>{r.r(t),r.d(t,{assets:()=>o,contentTitle:()=>c,default:()=>h,frontMatter:()=>i,metadata:()=>a,toc:()=>d});var s=r(5893),n=r(1151);const i={title:"certificate"},c="k3s certificate",a={id:"cli/certificate",title:"certificate",description:"Client and Server Certificates",source:"@site/docs/cli/certificate.md",sourceDirName:"cli",slug:"/cli/certificate",permalink:"/cli/certificate",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/cli/certificate.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"certificate"},sidebar:"mySidebar",previous:{title:"agent",permalink:"/cli/agent"},next:{title:"etcd-snapshot",permalink:"/cli/etcd-snapshot"}},o={},d=[{value:"Client and Server Certificates",id:"client-and-server-certificates",level:2},{value:"Rotating Client and Server Certificates",id:"rotating-client-and-server-certificates",level:3},{value:"Certificate Authority (CA) Certificates",id:"certificate-authority-ca-certificates",level:2},{value:"Using Custom CA Certificates",id:"using-custom-ca-certificates",level:3},{value:"Custom CA Topology",id:"custom-ca-topology",level:4},{value:"Using the Example Script",id:"using-the-example-script",level:4},{value:"Rotating Custom CA Certificates",id:"rotating-custom-ca-certificates",level:3},{value:"Using the Example Script",id:"using-the-example-script-1",level:4},{value:"Rotating Self-Signed CA Certificates",id:"rotating-self-signed-ca-certificates",level:3},{value:"Default CA Topology",id:"default-ca-topology",level:4},{value:"Using The Example Script",id:"using-the-example-script-2",level:4},{value:"Service-Account Issuer Key Rotation",id:"service-account-issuer-key-rotation",level:2}];function l(e){const t={a:"a",admonition:"admonition",br:"br",code:"code",em:"em",h1:"h1",h2:"h2",h3:"h3",h4:"h4",li:"li",mermaid:"mermaid",p:"p",pre:"pre",ul:"ul",...(0,n.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(t.h1,{id:"k3s-certificate",children:"k3s certificate"}),"\n",(0,s.jsx)(t.h2,{id:"client-and-server-certificates",children:"Client and Server Certificates"}),"\n",(0,s.jsx)(t.p,{children:"K3s client and server certificates are valid for 365 days from their date of issuance. Any certificates that are expired, or within 90 days of expiring, are automatically renewed every time K3s starts."}),"\n",(0,s.jsx)(t.h3,{id:"rotating-client-and-server-certificates",children:"Rotating Client and Server Certificates"}),"\n",(0,s.jsxs)(t.p,{children:["To rotate client and server certificates manually, use the ",(0,s.jsx)(t.code,{children:"k3s certificate rotate"})," subcommand:"]}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-bash",children:"# Stop K3s\nsystemctl stop k3s\n\n# Rotate certificates\nk3s certificate rotate\n\n# Start K3s\nsystemctl start k3s\n"})}),"\n",(0,s.jsx)(t.p,{children:"Individual or lists of certificates can be rotated by specifying the certificate name:"}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-bash",children:"k3s certificate rotate --service ,\n"})}),"\n",(0,s.jsxs)(t.p,{children:["The following certificates can be rotated: ",(0,s.jsx)(t.code,{children:"admin"}),", ",(0,s.jsx)(t.code,{children:"api-server"}),", ",(0,s.jsx)(t.code,{children:"controller-manager"}),", ",(0,s.jsx)(t.code,{children:"scheduler"}),", ",(0,s.jsx)(t.code,{children:"k3s-controller"}),", ",(0,s.jsx)(t.code,{children:"k3s-server"}),", ",(0,s.jsx)(t.code,{children:"cloud-controller"}),", ",(0,s.jsx)(t.code,{children:"etcd"}),", ",(0,s.jsx)(t.code,{children:"auth-proxy"}),", ",(0,s.jsx)(t.code,{children:"kubelet"}),", ",(0,s.jsx)(t.code,{children:"kube-proxy"}),"."]}),"\n",(0,s.jsx)(t.h2,{id:"certificate-authority-ca-certificates",children:"Certificate Authority (CA) Certificates"}),"\n",(0,s.jsxs)(t.p,{children:["Kubernetes requires a number of CA certificates for proper operation. For more information on how Kubernetes uses CA certificates, see the Kubernetes ",(0,s.jsx)(t.a,{href:"https://kubernetes.io/docs/setup/best-practices/certificates/#all-certificates",children:"PKI Certificates and Requirements"})," documentation."]}),"\n",(0,s.jsx)(t.p,{children:"By default, K3s generates self-signed CA certificates during startup of the first server node. These CA certificates are valid for 10 years from date of issuance, and are not automatically renewed."}),"\n",(0,s.jsxs)(t.p,{children:["The authoritative CA certificates and keys are stored within the datastore's bootstrap key, encrypted using the ",(0,s.jsx)(t.a,{href:"/cli/token#server",children:"server token"})," as the PBKDF2 passphrase with AES256-GCM and HMAC-SHA1.\nCopies of the CA certificates and keys are extracted to disk during K3s server startup.\nAny server may generate leaf certificates for nodes as they join the cluster, and the Kubernetes ",(0,s.jsx)(t.a,{href:"https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/",children:"Certificates API"})," controllers may issue additional certificates at runtime."]}),"\n",(0,s.jsxs)(t.p,{children:["To rotate CA certificates and keys, use the ",(0,s.jsx)(t.code,{children:"k3s certificate rotate-ca"})," command.\nThe command performs integrity checks to confirm that the updated certificates and keys are usable.\nIf the updated data is acceptable, the datastore's encrypted bootstrap key is updated, and the new certificates and keys will be used the next time K3s starts.\nIf problems are encountered while validating the certificates and keys, an error is reported to the system log and the operation is cancelled without changes."]}),"\n",(0,s.jsx)(t.admonition,{title:"Version Gate",type:"info",children:(0,s.jsxs)(t.p,{children:["Support for the ",(0,s.jsx)(t.code,{children:"k3s certificate rotate-ca"})," command and the ability to use CA certificates signed by an external CA is available starting with the 2023-02 releases (v1.26.2+k3s1, v1.25.7+k3s1, v1.24.11+k3s1, v1.23.17+k3s1)."]})}),"\n",(0,s.jsx)(t.h3,{id:"using-custom-ca-certificates",children:"Using Custom CA Certificates"}),"\n",(0,s.jsx)(t.p,{children:"If CA certificates and keys are found the correct location during initial startup of the first server in the cluster, automatic generation of CA certificates will be bypassed."}),"\n",(0,s.jsxs)(t.p,{children:["An example script to pre-create the appropriate certificates and keys is available ",(0,s.jsxs)(t.a,{href:"https://github.com/k3s-io/k3s/blob/master/contrib/util/generate-custom-ca-certs.sh",children:["in the K3s repo at ",(0,s.jsx)(t.code,{children:"contrib/util/generate-custom-ca-certs.sh"})]}),".\nThis script should be run prior to starting K3s for the first time, and will create a full set of leaf CA certificates signed by common Root and Intermediate CA certificates.\nIf you have an existing Root or Intermediate CA, this script can be used (or used as a starting point) to create the correct CA certificates to provision a K3s cluster with PKI rooted in an existing authority."]}),"\n",(0,s.jsxs)(t.p,{children:["Custom Certificate Authority files must be placed in ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/tls"}),". The following files are required:"]}),"\n",(0,s.jsxs)(t.ul,{children:["\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"server-ca.crt"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"server-ca.key"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"client-ca.crt"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"client-ca.key"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"request-header-ca.crt"})}),"\n",(0,s.jsxs)(t.li,{children:[(0,s.jsx)(t.code,{children:"request-header-ca.key"}),(0,s.jsx)(t.br,{}),"\n",(0,s.jsx)(t.em,{children:"// note: etcd files are required even if embedded etcd is not in use."})]}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"etcd/peer-ca.crt"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"etcd/peer-ca.key"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"etcd/server-ca.crt"})}),"\n",(0,s.jsxs)(t.li,{children:[(0,s.jsx)(t.code,{children:"etcd/server-ca.key"}),(0,s.jsx)(t.br,{}),"\n",(0,s.jsx)(t.em,{children:"// note: This is the private key used to sign service-account tokens. It does not have a corresponding certificate."})]}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"service.key"})}),"\n"]}),"\n",(0,s.jsx)(t.h4,{id:"custom-ca-topology",children:"Custom CA Topology"}),"\n",(0,s.jsx)(t.p,{children:"Custom CA Certificates should observe the following topology:"}),"\n",(0,s.jsx)(t.mermaid,{value:'graph TD\n root("Root CA")\n intermediate("Intermediate CA")\n server-ca("Server CA")\n client-ca("Client CA")\n request-header-ca("API Aggregation CA")\n etcd-peer-ca("etcd Peer CA")\n etcd-server-ca("etcd Server CA")\n\n root-hash>"Join token CA hash"]\n\n kube-server-certs[["Kubernetes servers
(control-plane and kubelet listeners)"]]\n kube-client-certs[["Kubernetes clients
(apiserver and kubelet clients)"]]\n request-header-certs[["Kubernetes API aggregation
(apiserver proxy client)"]]\n etcd-peer-certs[["etcd peer client/server
(etcd replication)"]]\n etcd-server-certs[["etcd client/server certificates
(Kubernetes <-> etcd)"]]\n\n root -.-|SHA256| root-hash\n root ---\x3e intermediate\n intermediate --\x3e server-ca ==> kube-server-certs\n intermediate --\x3e client-ca ==> kube-client-certs\n intermediate --\x3e request-header-ca ==> request-header-certs\n intermediate --\x3e etcd-peer-ca ==> etcd-peer-certs\n intermediate --\x3e etcd-server-ca ==> etcd-server-certs'}),"\n",(0,s.jsx)(t.h4,{id:"using-the-example-script",children:"Using the Example Script"}),"\n",(0,s.jsx)(t.admonition,{title:"Important",type:"info",children:(0,s.jsx)(t.p,{children:"If you want to sign the cluster CA certificates with an existing root CA using the example script, you must place the root and intermediate files in the target directory prior to running the script.\nIf the files do not exist, the script will create new root and intermediate CA certificates."})}),"\n",(0,s.jsx)(t.p,{children:"If you want to use only an existing root CA certificate, provide the following files:"}),"\n",(0,s.jsxs)(t.ul,{children:["\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"root-ca.pem"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"root-ca.key"})}),"\n"]}),"\n",(0,s.jsx)(t.p,{children:"If you want to use existing root and intermediate CA certificates, provide the following files:"}),"\n",(0,s.jsxs)(t.ul,{children:["\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"root-ca.pem"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"intermediate-ca.pem"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"intermediate-ca.key"})}),"\n"]}),"\n",(0,s.jsx)(t.p,{children:"To use the example script to generate custom certs and keys before starting K3s, run the following commands:"}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-bash",children:"# Create the target directory for cert generation.\nmkdir -p /var/lib/rancher/k3s/server/tls\n\n# Copy your root CA cert and intermediate CA cert+key into the correct location for the script.\n# For the purposes of this example, we assume you have existing root and intermediate CA files in /etc/ssl.\n# If you do not have an existing root and/or intermediate CA, the script will generate them for you.\ncp /etc/ssl/certs/root-ca.pem /etc/ssl/certs/intermediate-ca.pem /etc/ssl/private/intermediate-ca.key /var/lib/rancher/k3s/server/tls\n\n# Generate custom CA certs and keys.\ncurl -sL https://github.com/k3s-io/k3s/raw/master/contrib/util/generate-custom-ca-certs.sh | bash -\n"})}),"\n",(0,s.jsx)(t.p,{children:"If the command completes successfully, you may install and/or start K3s for the first time.\nIf the script generated root and/or intermediate CA files, you should back up these files so that they can be reused if it is necessary to rotate the CA certificates at a later date."}),"\n",(0,s.jsx)(t.h3,{id:"rotating-custom-ca-certificates",children:"Rotating Custom CA Certificates"}),"\n",(0,s.jsxs)(t.p,{children:["To rotate custom CA certificates, use the ",(0,s.jsx)(t.code,{children:"k3s certificate rotate-ca"})," subcommand.\nUpdated files must be staged into a temporary directory, loaded into the datastore, and k3s must be restarted on all nodes to use the updated certificates."]}),"\n",(0,s.jsx)(t.admonition,{type:"warning",children:(0,s.jsxs)(t.p,{children:["You must not overwrite the currently in-use data in ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/tls"}),".",(0,s.jsx)(t.br,{}),"\n","Stage the updated certificates and keys into a separate directory."]})}),"\n",(0,s.jsx)(t.p,{children:"A cluster that has been started with custom CA certificates can renew or rotate the CA certificates and keys non-disruptively, as long as the same root CA is used."}),"\n",(0,s.jsxs)(t.p,{children:["If a new root CA is required, the rotation will be disruptive. The ",(0,s.jsx)(t.code,{children:"k3s certificate rotate-ca --force"})," option must be used, all nodes that were joined with a ",(0,s.jsx)(t.a,{href:"/cli/token#secure",children:"secure token"})," (including servers) will need to be reconfigured to use the new token value, and pods will need to be restarted to trust the new root CA."]}),"\n",(0,s.jsx)(t.h4,{id:"using-the-example-script-1",children:"Using the Example Script"}),"\n",(0,s.jsxs)(t.p,{children:["The example ",(0,s.jsx)(t.code,{children:"generate-custom-ca-certs.sh"})," script linked above can also be used to generate updated certs in a new temporary directory, by copying files into the correct location and setting the ",(0,s.jsx)(t.code,{children:"DATA_DIR"})," environment variable.\nTo use the example script to generate updated certs and keys, run the following commands:"]}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-bash",children:"# Create a temporary directory for cert generation.\nmkdir -p /opt/k3s/server/tls\n\n# Copy your root CA cert and intermediate CA cert+key into the correct location for the script.\n# Non-disruptive rotation requires the same root CA that was used to generate the original certificates.\n# If the original files are still in the data directory, you can just run:\ncp /var/lib/rancher/k3s/server/tls/root-ca.* /var/lib/rancher/k3s/server/tls/intermediate-ca.* /opt/k3s/server/tls\n\n# Copy the current service-account signing key, so that existing service-account tokens are not invalidated.\ncp /var/lib/rancher/k3s/server/tls/service.key /opt/k3s/server/tls\n\n# Generate updated custom CA certs and keys.\ncurl -sL https://github.com/k3s-io/k3s/raw/master/contrib/util/generate-custom-ca-certs.sh | DATA_DIR=/opt/k3s bash -\n\n# Load the updated CA certs and keys into the datastore.\nk3s certificate rotate-ca --path=/opt/k3s/server\n"})}),"\n",(0,s.jsxs)(t.p,{children:["If the ",(0,s.jsx)(t.code,{children:"rotate-ca"})," command returns an error, check the service log for errors.\nIf the command completes successfully, restart K3s on all nodes in the cluster - servers first, then agents."]}),"\n",(0,s.jsxs)(t.p,{children:["If you used the ",(0,s.jsx)(t.code,{children:"--force"})," option or changed the root CA, ensure that any nodes that were joined with a ",(0,s.jsx)(t.a,{href:"/cli/token#secure",children:"secure token"})," are reconfigured to use the new token value, prior to being restarted.\nThe token may be stored in a ",(0,s.jsx)(t.code,{children:".env"})," file, systemd unit, or config.yaml, depending on how the node was configured during initial installation."]}),"\n",(0,s.jsx)(t.h3,{id:"rotating-self-signed-ca-certificates",children:"Rotating Self-Signed CA Certificates"}),"\n",(0,s.jsxs)(t.p,{children:["To rotate the K3s-generated self-signed CA certificates, use the ",(0,s.jsx)(t.code,{children:"k3s certificate rotate-ca"})," subcommand.\nUpdated files must be staged into a temporary directory, loaded into the datastore, and k3s must be restarted on all nodes to use the updated certificates."]}),"\n",(0,s.jsx)(t.admonition,{type:"warning",children:(0,s.jsxs)(t.p,{children:["You must not overwrite the currently in-use data in ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/tls"}),".",(0,s.jsx)(t.br,{}),"\n","Stage the updated certificates and keys into a separate directory."]})}),"\n",(0,s.jsxs)(t.p,{children:["If the cluster has been started with default self-signed CA certificates, rotation will be disruptive. All nodes that were joined with a ",(0,s.jsx)(t.a,{href:"/cli/token#secure",children:"secure token"})," will need to be reconfigured to trust the new CA hash.\nIf the new CA certificates are not cross-signed by the old CA certificates, you will need to use the ",(0,s.jsx)(t.code,{children:"--force"})," option to bypass integrity checks, and pods will need to be restarted to trust the new root CA."]}),"\n",(0,s.jsx)(t.h4,{id:"default-ca-topology",children:"Default CA Topology"}),"\n",(0,s.jsx)(t.p,{children:"The default self-signed CA certificates have the following topology:"}),"\n",(0,s.jsx)(t.mermaid,{value:'graph TD\n server-ca("Server CA")\n client-ca("Client CA")\n request-header-ca("API Aggregation CA")\n etcd-peer-ca("etcd Peer CA")\n etcd-server-ca("etcd Server CA")\n\n root-hash>"Join token CA hash"]\n\n kube-server-certs[["Kubernetes servers
(control-plane and kubelet listeners)"]]\n kube-client-certs[["Kubernetes clients
(apiserver and kubelet clients)"]]\n request-header-certs[["Kubernetes API aggregation
(apiserver proxy client)"]]\n etcd-peer-certs[["etcd peer client/server
(etcd replication)"]]\n etcd-server-certs[["etcd client/server certificates
(Kubernetes <-> etcd)"]]\n\n server-ca -.-|SHA256| root-hash\n server-ca ===> kube-server-certs\n client-ca ===> kube-client-certs\n request-header-ca ===> request-header-certs\n etcd-peer-ca ===> etcd-peer-certs\n etcd-server-ca ===> etcd-server-certs'}),"\n",(0,s.jsx)(t.p,{children:"When rotating the default self-signed CAs, a modified certificate topology with intermediate CAs and a new root CA cross-signed by the old CA can be used so that there is a continuous chain of trust between the old and new CAs:"}),"\n",(0,s.jsx)(t.mermaid,{value:'graph TD\n server-ca-old("Server CA
(old)")\n client-ca-old("Client CA
(old)")\n request-header-ca-old("API Aggregation CA
(old)")\n etcd-peer-ca-old("etcd Peer CA
(old)")\n etcd-server-ca-old("etcd Server CA
(old)")\n\n root-hash>"Join token CA hash"]\n\n server-ca-xsigned("Server CA
(cross-signed)")\n client-ca-xsigned("Client CA
(cross-signed)")\n request-header-ca-xsigned("API Aggregation CA
(cross-signed)")\n etcd-peer-ca-xsigned("etcd Peer CA
(cross-signed)")\n etcd-server-ca-xsigned("etcd Server CA
(cross-signed)")\n\n server-ca-ssigned("Server CA
(self-signed)")\n client-ca-ssigned("Client CA
(self-signed)")\n request-header-ca-ssigned("API Aggregation CA
(self-signed)")\n etcd-peer-ca-ssigned("etcd Peer CA
(self-signed)")\n etcd-server-ca-ssigned("etcd Server CA
(self-signed)")\n\n server-ca("Intermediate
Server CA")\n client-ca("Intermediate
Client CA")\n request-header-ca("Intermediate
API Aggregation CA")\n etcd-peer-ca("Intermediate
etcd Peer CA")\n etcd-server-ca("Intermediate
etcd Server CA")\n\n kube-server-certs[["Kubernetes servers
(control-plane and kubelet listeners)"]]\n kube-client-certs[["Kubernetes clients
(apiserver and kubelet clients)"]]\n request-header-certs[["Kubernetes API aggregation
(apiserver proxy client)"]]\n etcd-peer-certs[["etcd peer client/server
(etcd replication)"]]\n etcd-server-certs[["etcd client/server certificates
(Kubernetes <-> etcd)"]]\n\n server-ca-ssigned -.-|SHA256| root-hash\n server-ca-ssigned --\x3e server-ca ==> kube-server-certs\n server-ca-old --\x3e server-ca-xsigned --\x3e server-ca\n client-ca-ssigned --\x3e client-ca ==> kube-client-certs\n client-ca-old --\x3e client-ca-xsigned --\x3e client-ca\n request-header-ca-ssigned --\x3e request-header-ca ==> request-header-certs\n request-header-ca-old --\x3e request-header-ca-xsigned --\x3e request-header-ca\n etcd-peer-ca-ssigned --\x3e etcd-peer-ca ==> etcd-peer-certs\n etcd-peer-ca-old --\x3e etcd-peer-ca-xsigned --\x3e etcd-peer-ca\n etcd-server-ca-ssigned --\x3e etcd-server-ca ==> etcd-server-certs\n etcd-server-ca-old --\x3e etcd-server-ca-xsigned --\x3e etcd-server-ca'}),"\n",(0,s.jsx)(t.h4,{id:"using-the-example-script-2",children:"Using The Example Script"}),"\n",(0,s.jsxs)(t.p,{children:["An example script to create updated CA certificates and keys cross-signed by the existing CAs is available ",(0,s.jsxs)(t.a,{href:"https://github.com/k3s-io/k3s/blob/master/contrib/util/rotate-default-ca-certs.sh",children:["in the K3s repo at ",(0,s.jsx)(t.code,{children:"contrib/util/rotate-default-ca-certs.sh"})]}),"."]}),"\n",(0,s.jsx)(t.p,{children:"To use the example script to generate updated self-signed certificates that are cross-signed by the existing CAs, run the following commands:"}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-bash",children:"# Create updated CA certs and keys, cross-signed by the current CAs.\n# This script will create a new temporary directory containing the updated certs, and output the new token values.\ncurl -sL https://github.com/k3s-io/k3s/raw/master/contrib/util/rotate-default-ca-certs.sh | bash -\n\n# Load the updated certs into the datastore; see the script output for the updated token values.\nk3s certificate rotate-ca --path=/var/lib/rancher/k3s/server/rotate-ca\n"})}),"\n",(0,s.jsxs)(t.p,{children:["If the ",(0,s.jsx)(t.code,{children:"rotate-ca"})," command returns an error, check the service log for errors.\nIf the command completes successfully, restart K3s on all nodes in the cluster - servers first, then agents."]}),"\n",(0,s.jsxs)(t.p,{children:["Ensure that any nodes that were joined with a ",(0,s.jsx)(t.a,{href:"/cli/token#secure",children:"secure token"}),", including other server nodes, are reconfigured to use the new token value prior to being restarted.\nThe token may be stored in a ",(0,s.jsx)(t.code,{children:".env"})," file, systemd unit, or config.yaml, depending on how the node was configured during initial installation."]}),"\n",(0,s.jsx)(t.h2,{id:"service-account-issuer-key-rotation",children:"Service-Account Issuer Key Rotation"}),"\n",(0,s.jsxs)(t.p,{children:["The service-account issuer key is an RSA private key used to sign service-account tokens.\nWhen rotating the service-account issuer key, at least one old key should be retained in the file so that existing service-account tokens are not invalidated.\nIt can be rotated independent of the cluster CAs by using the ",(0,s.jsx)(t.code,{children:"k3s certificate rotate-ca"})," to install only an updated ",(0,s.jsx)(t.code,{children:"service.key"})," file that includes both the new and old keys."]}),"\n",(0,s.jsx)(t.admonition,{type:"warning",children:(0,s.jsxs)(t.p,{children:["You must not overwrite the currently in-use data in ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/tls"}),".",(0,s.jsx)(t.br,{}),"\n","Stage the updated key into a separate directory."]})}),"\n",(0,s.jsx)(t.p,{children:"For example, to rotate only the service-account issuer key, run the following commands:"}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-bash",children:"# Create a temporary directory for cert generation\nmkdir -p /opt/k3s/server/tls\n\n# Check OpenSSL version\nopenssl version | grep -qF 'OpenSSL 3' && OPENSSL_GENRSA_FLAGS=-traditional\n\n# Generate a new key\nopenssl genrsa ${OPENSSL_GENRSA_FLAGS:-} -out /opt/k3s/server/tls/service.key 2048\n\n# Append the existing key to avoid invalidating current tokens\ncat /var/lib/rancher/k3s/server/tls/service.key >> /opt/k3s/server/tls/service.key\n\n# Load the updated key into the datastore\nk3s certificate rotate-ca --path=/opt/k3s/server\n"})}),"\n",(0,s.jsxs)(t.p,{children:["It is normal to see warnings for files that are not being updated. If the ",(0,s.jsx)(t.code,{children:"rotate-ca"})," command returns an error, check the service log for errors.\nIf the command completes successfully, restart K3s on all servers in the cluster. It is not necessary to restart agents or restart any pods."]})]})}function h(e={}){const{wrapper:t}={...(0,n.a)(),...e.components};return t?(0,s.jsx)(t,{...e,children:(0,s.jsx)(l,{...e})}):l(e)}},1151:(e,t,r)=>{r.d(t,{Z:()=>a,a:()=>c});var s=r(7294);const n={},i=s.createContext(n);function c(e){const t=s.useContext(i);return s.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function a(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:c(e.components),s.createElement(i.Provider,{value:t},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/7.749c7d0b.js b/assets/js/7.750475ca.js similarity index 99% rename from kr/assets/js/7.749c7d0b.js rename to assets/js/7.750475ca.js index 31e3b9cbe..23cf53e10 100644 --- a/kr/assets/js/7.749c7d0b.js +++ b/assets/js/7.750475ca.js @@ -1790,7 +1790,7 @@ function preorder(g, vs) { } // EXTERNAL MODULE: ./node_modules/dagre-d3-es/src/graphlib/graph.js + 9 modules -var graph = __webpack_require__(2544); +var graph = __webpack_require__(4404); ;// CONCATENATED MODULE: ./node_modules/dagre-d3-es/src/graphlib/alg/prim.js @@ -4353,7 +4353,7 @@ function canonicalize(attrs) { /***/ }), -/***/ 2544: +/***/ 4404: /***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => { @@ -5166,7 +5166,7 @@ function edgeObjToId(isDirected, edgeObj) { /* harmony export */ k: () => (/* reexport safe */ _graph_js__WEBPACK_IMPORTED_MODULE_0__.k) /* harmony export */ }); /* unused harmony export version */ -/* harmony import */ var _graph_js__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(2544); +/* harmony import */ var _graph_js__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(4404); // Includes only the "core" of graphlib diff --git a/assets/js/7236.ac67632c.js b/assets/js/7236.ac67632c.js new file mode 100644 index 000000000..12a391a88 --- /dev/null +++ b/assets/js/7236.ac67632c.js @@ -0,0 +1,2 @@ +/*! For license information please see 7236.ac67632c.js.LICENSE.txt */ +(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7236],{7967:(t,e)=>{"use strict";e.Nm=e.Rq=void 0;var i=/^([^\w]*)(javascript|data|vbscript)/im,r=/&#(\w+)(^\w|;)?/g,n=/&(newline|tab);/gi,o=/[\u0000-\u001F\u007F-\u009F\u2000-\u200D\uFEFF]/gim,a=/^.+(:|:)/gim,s=[".","/"];e.Rq="about:blank",e.Nm=function(t){if(!t)return e.Rq;var l,c=(l=t,l.replace(o,"").replace(r,(function(t,e){return String.fromCharCode(e)}))).replace(n,"").replace(o,"").trim();if(!c)return e.Rq;if(function(t){return s.indexOf(t[0])>-1}(c))return c;var h=c.match(a);if(!h)return c;var u=h[0];return i.test(u)?e.Rq:c}},9047:(t,e,i)=>{"use strict";i.d(e,{Z:()=>L});var r=i(7294),n=i(5893);function o(t){const{mdxAdmonitionTitle:e,rest:i}=function(t){const e=r.Children.toArray(t),i=e.find((t=>r.isValidElement(t)&&"mdxAdmonitionTitle"===t.type)),o=e.filter((t=>t!==i)),a=i?.props.children;return{mdxAdmonitionTitle:a,rest:o.length>0?(0,n.jsx)(n.Fragment,{children:o}):null}}(t.children),o=t.title??e;return{...t,...o&&{title:o},children:i}}var a=i(512),s=i(5999),l=i(5281);const c={admonition:"admonition_xJq3",admonitionHeading:"admonitionHeading_Gvgb",admonitionIcon:"admonitionIcon_Rf37",admonitionContent:"admonitionContent_BuS1"};function h(t){let{type:e,className:i,children:r}=t;return(0,n.jsx)("div",{className:(0,a.Z)(l.k.common.admonition,l.k.common.admonitionType(e),c.admonition,i),children:r})}function u(t){let{icon:e,title:i}=t;return(0,n.jsxs)("div",{className:c.admonitionHeading,children:[(0,n.jsx)("span",{className:c.admonitionIcon,children:e}),i]})}function d(t){let{children:e}=t;return e?(0,n.jsx)("div",{className:c.admonitionContent,children:e}):null}function f(t){const{type:e,icon:i,title:r,children:o,className:a}=t;return(0,n.jsxs)(h,{type:e,className:a,children:[r||i?(0,n.jsx)(u,{title:r,icon:i}):null,(0,n.jsx)(d,{children:o})]})}function p(t){return(0,n.jsx)("svg",{viewBox:"0 0 14 16",...t,children:(0,n.jsx)("path",{fillRule:"evenodd",d:"M6.3 5.69a.942.942 0 0 1-.28-.7c0-.28.09-.52.28-.7.19-.18.42-.28.7-.28.28 0 .52.09.7.28.18.19.28.42.28.7 0 .28-.09.52-.28.7a1 1 0 0 1-.7.3c-.28 0-.52-.11-.7-.3zM8 7.99c-.02-.25-.11-.48-.31-.69-.2-.19-.42-.3-.69-.31H6c-.27.02-.48.13-.69.31-.2.2-.3.44-.31.69h1v3c.02.27.11.5.31.69.2.2.42.31.69.31h1c.27 0 .48-.11.69-.31.2-.19.3-.42.31-.69H8V7.98v.01zM7 2.3c-3.14 0-5.7 2.54-5.7 5.68 0 3.14 2.56 5.7 5.7 5.7s5.7-2.55 5.7-5.7c0-3.15-2.56-5.69-5.7-5.69v.01zM7 .98c3.86 0 7 3.14 7 7s-3.14 7-7 7-7-3.12-7-7 3.14-7 7-7z"})})}const g={icon:(0,n.jsx)(p,{}),title:(0,n.jsx)(s.Z,{id:"theme.admonition.note",description:"The default label used for the Note admonition (:::note)",children:"note"})};function m(t){return(0,n.jsx)(f,{...g,...t,className:(0,a.Z)("alert alert--secondary",t.className),children:t.children})}function y(t){return(0,n.jsx)("svg",{viewBox:"0 0 12 16",...t,children:(0,n.jsx)("path",{fillRule:"evenodd",d:"M6.5 0C3.48 0 1 2.19 1 5c0 .92.55 2.25 1 3 1.34 2.25 1.78 2.78 2 4v1h5v-1c.22-1.22.66-1.75 2-4 .45-.75 1-2.08 1-3 0-2.81-2.48-5-5.5-5zm3.64 7.48c-.25.44-.47.8-.67 1.11-.86 1.41-1.25 2.06-1.45 3.23-.02.05-.02.11-.02.17H5c0-.06 0-.13-.02-.17-.2-1.17-.59-1.83-1.45-3.23-.2-.31-.42-.67-.67-1.11C2.44 6.78 2 5.65 2 5c0-2.2 2.02-4 4.5-4 1.22 0 2.36.42 3.22 1.19C10.55 2.94 11 3.94 11 5c0 .66-.44 1.78-.86 2.48zM4 14h5c-.23 1.14-1.3 2-2.5 2s-2.27-.86-2.5-2z"})})}const x={icon:(0,n.jsx)(y,{}),title:(0,n.jsx)(s.Z,{id:"theme.admonition.tip",description:"The default label used for the Tip admonition (:::tip)",children:"tip"})};function b(t){return(0,n.jsx)(f,{...x,...t,className:(0,a.Z)("alert alert--success",t.className),children:t.children})}function C(t){return(0,n.jsx)("svg",{viewBox:"0 0 14 16",...t,children:(0,n.jsx)("path",{fillRule:"evenodd",d:"M7 2.3c3.14 0 5.7 2.56 5.7 5.7s-2.56 5.7-5.7 5.7A5.71 5.71 0 0 1 1.3 8c0-3.14 2.56-5.7 5.7-5.7zM7 1C3.14 1 0 4.14 0 8s3.14 7 7 7 7-3.14 7-7-3.14-7-7-7zm1 3H6v5h2V4zm0 6H6v2h2v-2z"})})}const _={icon:(0,n.jsx)(C,{}),title:(0,n.jsx)(s.Z,{id:"theme.admonition.info",description:"The default label used for the Info admonition (:::info)",children:"info"})};function v(t){return(0,n.jsx)(f,{..._,...t,className:(0,a.Z)("alert alert--info",t.className),children:t.children})}function k(t){return(0,n.jsx)("svg",{viewBox:"0 0 16 16",...t,children:(0,n.jsx)("path",{fillRule:"evenodd",d:"M8.893 1.5c-.183-.31-.52-.5-.887-.5s-.703.19-.886.5L.138 13.499a.98.98 0 0 0 0 1.001c.193.31.53.501.886.501h13.964c.367 0 .704-.19.877-.5a1.03 1.03 0 0 0 .01-1.002L8.893 1.5zm.133 11.497H6.987v-2.003h2.039v2.003zm0-3.004H6.987V5.987h2.039v4.006z"})})}const T={icon:(0,n.jsx)(k,{}),title:(0,n.jsx)(s.Z,{id:"theme.admonition.warning",description:"The default label used for the Warning admonition (:::warning)",children:"warning"})};function w(t){return(0,n.jsx)("svg",{viewBox:"0 0 12 16",...t,children:(0,n.jsx)("path",{fillRule:"evenodd",d:"M5.05.31c.81 2.17.41 3.38-.52 4.31C3.55 5.67 1.98 6.45.9 7.98c-1.45 2.05-1.7 6.53 3.53 7.7-2.2-1.16-2.67-4.52-.3-6.61-.61 2.03.53 3.33 1.94 2.86 1.39-.47 2.3.53 2.27 1.67-.02.78-.31 1.44-1.13 1.81 3.42-.59 4.78-3.42 4.78-5.56 0-2.84-2.53-3.22-1.25-5.61-1.52.13-2.03 1.13-1.89 2.75.09 1.08-1.02 1.8-1.86 1.33-.67-.41-.66-1.19-.06-1.78C8.18 5.31 8.68 2.45 5.05.32L5.03.3l.02.01z"})})}const S={icon:(0,n.jsx)(w,{}),title:(0,n.jsx)(s.Z,{id:"theme.admonition.danger",description:"The default label used for the Danger admonition (:::danger)",children:"danger"})};const B={icon:(0,n.jsx)(k,{}),title:(0,n.jsx)(s.Z,{id:"theme.admonition.caution",description:"The default label used for the Caution admonition (:::caution)",children:"caution"})};const F={...{note:m,tip:b,info:v,warning:function(t){return(0,n.jsx)(f,{...T,...t,className:(0,a.Z)("alert alert--warning",t.className),children:t.children})},danger:function(t){return(0,n.jsx)(f,{...S,...t,className:(0,a.Z)("alert alert--danger",t.className),children:t.children})}},...{secondary:t=>(0,n.jsx)(m,{title:"secondary",...t}),important:t=>(0,n.jsx)(v,{title:"important",...t}),success:t=>(0,n.jsx)(b,{title:"success",...t}),caution:function(t){return(0,n.jsx)(f,{...B,...t,className:(0,a.Z)("alert alert--warning",t.className),children:t.children})}}};function L(t){const e=o(t),i=(r=e.type,F[r]||(console.warn(`No admonition component found for admonition type "${r}". Using Info as fallback.`),F.info));var r;return(0,n.jsx)(i,{...e})}},3354:(t,e,i)=>{"use strict";i.r(e),i.d(e,{default:()=>qt});var r=i(7294),n=i(1944),o=i(902),a=i(5893);const s=r.createContext(null);function l(t){let{children:e,content:i}=t;const n=function(t){return(0,r.useMemo)((()=>({metadata:t.metadata,frontMatter:t.frontMatter,assets:t.assets,contentTitle:t.contentTitle,toc:t.toc})),[t])}(i);return(0,a.jsx)(s.Provider,{value:n,children:e})}function c(){const t=(0,r.useContext)(s);if(null===t)throw new o.i6("DocProvider");return t}function h(){const{metadata:t,frontMatter:e,assets:i}=c();return(0,a.jsx)(n.d,{title:t.title,description:t.description,keywords:e.keywords,image:i.image??e.image})}var u=i(512),d=i(7524),f=i(5999),p=i(3692);function g(t){const{permalink:e,title:i,subLabel:r,isNext:n}=t;return(0,a.jsxs)(p.Z,{className:(0,u.Z)("pagination-nav__link",n?"pagination-nav__link--next":"pagination-nav__link--prev"),to:e,children:[r&&(0,a.jsx)("div",{className:"pagination-nav__sublabel",children:r}),(0,a.jsx)("div",{className:"pagination-nav__label",children:i})]})}function m(t){const{previous:e,next:i}=t;return(0,a.jsxs)("nav",{className:"pagination-nav docusaurus-mt-lg","aria-label":(0,f.I)({id:"theme.docs.paginator.navAriaLabel",message:"Docs pages",description:"The ARIA label for the docs pagination"}),children:[e&&(0,a.jsx)(g,{...e,subLabel:(0,a.jsx)(f.Z,{id:"theme.docs.paginator.previous",description:"The label used to navigate to the previous doc",children:"Previous"})}),i&&(0,a.jsx)(g,{...i,subLabel:(0,a.jsx)(f.Z,{id:"theme.docs.paginator.next",description:"The label used to navigate to the next doc",children:"Next"}),isNext:!0})]})}function y(){const{metadata:t}=c();return(0,a.jsx)(m,{previous:t.previous,next:t.next})}var x=i(2263),b=i(143),C=i(5281),_=i(298),v=i(3797);const k={unreleased:function(t){let{siteTitle:e,versionMetadata:i}=t;return(0,a.jsx)(f.Z,{id:"theme.docs.versions.unreleasedVersionLabel",description:"The label used to tell the user that he's browsing an unreleased doc version",values:{siteTitle:e,versionLabel:(0,a.jsx)("b",{children:i.label})},children:"This is unreleased documentation for {siteTitle} {versionLabel} version."})},unmaintained:function(t){let{siteTitle:e,versionMetadata:i}=t;return(0,a.jsx)(f.Z,{id:"theme.docs.versions.unmaintainedVersionLabel",description:"The label used to tell the user that he's browsing an unmaintained doc version",values:{siteTitle:e,versionLabel:(0,a.jsx)("b",{children:i.label})},children:"This is documentation for {siteTitle} {versionLabel}, which is no longer actively maintained."})}};function T(t){const e=k[t.versionMetadata.banner];return(0,a.jsx)(e,{...t})}function w(t){let{versionLabel:e,to:i,onClick:r}=t;return(0,a.jsx)(f.Z,{id:"theme.docs.versions.latestVersionSuggestionLabel",description:"The label used to tell the user to check the latest version",values:{versionLabel:e,latestVersionLink:(0,a.jsx)("b",{children:(0,a.jsx)(p.Z,{to:i,onClick:r,children:(0,a.jsx)(f.Z,{id:"theme.docs.versions.latestVersionLinkLabel",description:"The label used for the latest version suggestion link label",children:"latest version"})})})},children:"For up-to-date documentation, see the {latestVersionLink} ({versionLabel})."})}function S(t){let{className:e,versionMetadata:i}=t;const{siteConfig:{title:r}}=(0,x.Z)(),{pluginId:n}=(0,b.gA)({failfast:!0}),{savePreferredVersionName:o}=(0,_.J)(n),{latestDocSuggestion:s,latestVersionSuggestion:l}=(0,b.Jo)(n),c=s??(h=l).docs.find((t=>t.id===h.mainDocId));var h;return(0,a.jsxs)("div",{className:(0,u.Z)(e,C.k.docs.docVersionBanner,"alert alert--warning margin-bottom--md"),role:"alert",children:[(0,a.jsx)("div",{children:(0,a.jsx)(T,{siteTitle:r,versionMetadata:i})}),(0,a.jsx)("div",{className:"margin-top--md",children:(0,a.jsx)(w,{versionLabel:l.label,to:c.path,onClick:()=>o(l.name)})})]})}function B(t){let{className:e}=t;const i=(0,v.E)();return i.banner?(0,a.jsx)(S,{className:e,versionMetadata:i}):null}function F(t){let{className:e}=t;const i=(0,v.E)();return i.badge?(0,a.jsx)("span",{className:(0,u.Z)(e,C.k.docs.docVersionBadge,"badge badge--secondary"),children:(0,a.jsx)(f.Z,{id:"theme.docs.versionBadge.label",values:{versionLabel:i.label},children:"Version: {versionLabel}"})}):null}const L={tag:"tag_zVej",tagRegular:"tagRegular_sFm0",tagWithCount:"tagWithCount_h2kH"};function A(t){let{permalink:e,label:i,count:r,description:n}=t;return(0,a.jsxs)(p.Z,{href:e,title:n,className:(0,u.Z)(L.tag,r?L.tagWithCount:L.tagRegular),children:[i,r&&(0,a.jsx)("span",{children:r})]})}const M={tags:"tags_jXut",tag:"tag_QGVx"};function E(t){let{tags:e}=t;return(0,a.jsxs)(a.Fragment,{children:[(0,a.jsx)("b",{children:(0,a.jsx)(f.Z,{id:"theme.tags.tagsListLabel",description:"The label alongside a tag list",children:"Tags:"})}),(0,a.jsx)("ul",{className:(0,u.Z)(M.tags,"padding--none","margin-left--sm"),children:e.map((t=>(0,a.jsx)("li",{className:M.tag,children:(0,a.jsx)(A,{...t})},t.permalink)))})]})}const N={iconEdit:"iconEdit_Z9Sw"};function j(t){let{className:e,...i}=t;return(0,a.jsx)("svg",{fill:"currentColor",height:"20",width:"20",viewBox:"0 0 40 40",className:(0,u.Z)(N.iconEdit,e),"aria-hidden":"true",...i,children:(0,a.jsx)("g",{children:(0,a.jsx)("path",{d:"m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"})})})}function Z(t){let{editUrl:e}=t;return(0,a.jsxs)(p.Z,{to:e,className:C.k.common.editThisPage,children:[(0,a.jsx)(j,{}),(0,a.jsx)(f.Z,{id:"theme.common.editThisPage",description:"The link label to edit the current page",children:"Edit this page"})]})}function I(t){void 0===t&&(t={});const{i18n:{currentLocale:e}}=(0,x.Z)(),i=function(){const{i18n:{currentLocale:t,localeConfigs:e}}=(0,x.Z)();return e[t].calendar}();return new Intl.DateTimeFormat(e,{calendar:i,...t})}function O(t){let{lastUpdatedAt:e}=t;const i=new Date(e),r=I({day:"numeric",month:"short",year:"numeric",timeZone:"UTC"}).format(i);return(0,a.jsx)(f.Z,{id:"theme.lastUpdated.atDate",description:"The words used to describe on which date a page has been last updated",values:{date:(0,a.jsx)("b",{children:(0,a.jsx)("time",{dateTime:i.toISOString(),itemProp:"dateModified",children:r})})},children:" on {date}"})}function D(t){let{lastUpdatedBy:e}=t;return(0,a.jsx)(f.Z,{id:"theme.lastUpdated.byUser",description:"The words used to describe by who the page has been last updated",values:{user:(0,a.jsx)("b",{children:e})},children:" by {user}"})}function q(t){let{lastUpdatedAt:e,lastUpdatedBy:i}=t;return(0,a.jsxs)("span",{className:C.k.common.lastUpdated,children:[(0,a.jsx)(f.Z,{id:"theme.lastUpdated.lastUpdatedAtBy",description:"The sentence used to display when a page has been last updated, and by who",values:{atDate:e?(0,a.jsx)(O,{lastUpdatedAt:e}):"",byUser:i?(0,a.jsx)(D,{lastUpdatedBy:i}):""},children:"Last updated{atDate}{byUser}"}),!1]})}const $={lastUpdated:"lastUpdated_JAkA"};function z(t){let{className:e,editUrl:i,lastUpdatedAt:r,lastUpdatedBy:n}=t;return(0,a.jsxs)("div",{className:(0,u.Z)("row",e),children:[(0,a.jsx)("div",{className:"col",children:i&&(0,a.jsx)(Z,{editUrl:i})}),(0,a.jsx)("div",{className:(0,u.Z)("col",$.lastUpdated),children:(r||n)&&(0,a.jsx)(q,{lastUpdatedAt:r,lastUpdatedBy:n})})]})}function P(){const{metadata:t}=c(),{editUrl:e,lastUpdatedAt:i,lastUpdatedBy:r,tags:n}=t,o=n.length>0,s=!!(e||i||r);return o||s?(0,a.jsxs)("footer",{className:(0,u.Z)(C.k.docs.docFooter,"docusaurus-mt-lg"),children:[o&&(0,a.jsx)("div",{className:(0,u.Z)("row margin-top--sm",C.k.docs.docFooterTagsRow),children:(0,a.jsx)("div",{className:"col",children:(0,a.jsx)(E,{tags:n})})}),s&&(0,a.jsx)(z,{className:(0,u.Z)("margin-top--sm",C.k.docs.docFooterEditMetaRow),editUrl:e,lastUpdatedAt:i,lastUpdatedBy:r})]}):null}var R=i(6043),H=i(6668);function W(t){const e=t.map((t=>({...t,parentIndex:-1,children:[]}))),i=Array(7).fill(-1);e.forEach(((t,e)=>{const r=i.slice(2,t.level);t.parentIndex=Math.max(...r),i[t.level]=e}));const r=[];return e.forEach((t=>{const{parentIndex:i,...n}=t;i>=0?e[i].children.push(n):r.push(n)})),r}function U(t){let{toc:e,minHeadingLevel:i,maxHeadingLevel:r}=t;return e.flatMap((t=>{const e=U({toc:t.children,minHeadingLevel:i,maxHeadingLevel:r});return function(t){return t.level>=i&&t.level<=r}(t)?[{...t,children:e}]:e}))}function Y(t){const e=t.getBoundingClientRect();return e.top===e.bottom?Y(t.parentNode):e}function V(t,e){let{anchorTopOffset:i}=e;const r=t.find((t=>Y(t).top>=i));if(r){return function(t){return t.top>0&&t.bottom{t.current=e?0:document.querySelector(".navbar").clientHeight}),[e]),t}function X(t){const e=(0,r.useRef)(void 0),i=G();(0,r.useEffect)((()=>{if(!t)return()=>{};const{linkClassName:r,linkActiveClassName:n,minHeadingLevel:o,maxHeadingLevel:a}=t;function s(){const t=function(t){return Array.from(document.getElementsByClassName(t))}(r),s=function(t){let{minHeadingLevel:e,maxHeadingLevel:i}=t;const r=[];for(let n=e;n<=i;n+=1)r.push(`h${n}.anchor`);return Array.from(document.querySelectorAll(r.join()))}({minHeadingLevel:o,maxHeadingLevel:a}),l=V(s,{anchorTopOffset:i.current}),c=t.find((t=>l&&l.id===function(t){return decodeURIComponent(t.href.substring(t.href.indexOf("#")+1))}(t)));t.forEach((t=>{!function(t,i){i?(e.current&&e.current!==t&&e.current.classList.remove(n),t.classList.add(n),e.current=t):t.classList.remove(n)}(t,t===c)}))}return document.addEventListener("scroll",s),document.addEventListener("resize",s),s(),()=>{document.removeEventListener("scroll",s),document.removeEventListener("resize",s)}}),[t,i])}function J(t){let{toc:e,className:i,linkClassName:r,isChild:n}=t;return e.length?(0,a.jsx)("ul",{className:n?void 0:i,children:e.map((t=>(0,a.jsxs)("li",{children:[(0,a.jsx)(p.Z,{to:`#${t.id}`,className:r??void 0,dangerouslySetInnerHTML:{__html:t.value}}),(0,a.jsx)(J,{isChild:!0,toc:t.children,className:i,linkClassName:r})]},t.id)))}):null}const Q=r.memo(J);function K(t){let{toc:e,className:i="table-of-contents table-of-contents__left-border",linkClassName:n="table-of-contents__link",linkActiveClassName:o,minHeadingLevel:s,maxHeadingLevel:l,...c}=t;const h=(0,H.L)(),u=s??h.tableOfContents.minHeadingLevel,d=l??h.tableOfContents.maxHeadingLevel,f=function(t){let{toc:e,minHeadingLevel:i,maxHeadingLevel:n}=t;return(0,r.useMemo)((()=>U({toc:W(e),minHeadingLevel:i,maxHeadingLevel:n})),[e,i,n])}({toc:e,minHeadingLevel:u,maxHeadingLevel:d});return X((0,r.useMemo)((()=>{if(n&&o)return{linkClassName:n,linkActiveClassName:o,minHeadingLevel:u,maxHeadingLevel:d}}),[n,o,u,d])),(0,a.jsx)(Q,{toc:f,className:i,linkClassName:n,...c})}const tt={tocCollapsibleButton:"tocCollapsibleButton_TO0P",tocCollapsibleButtonExpanded:"tocCollapsibleButtonExpanded_MG3E"};function et(t){let{collapsed:e,...i}=t;return(0,a.jsx)("button",{type:"button",...i,className:(0,u.Z)("clean-btn",tt.tocCollapsibleButton,!e&&tt.tocCollapsibleButtonExpanded,i.className),children:(0,a.jsx)(f.Z,{id:"theme.TOCCollapsible.toggleButtonLabel",description:"The label used by the button on the collapsible TOC component",children:"On this page"})})}const it={tocCollapsible:"tocCollapsible_ETCw",tocCollapsibleContent:"tocCollapsibleContent_vkbj",tocCollapsibleExpanded:"tocCollapsibleExpanded_sAul"};function rt(t){let{toc:e,className:i,minHeadingLevel:r,maxHeadingLevel:n}=t;const{collapsed:o,toggleCollapsed:s}=(0,R.u)({initialState:!0});return(0,a.jsxs)("div",{className:(0,u.Z)(it.tocCollapsible,!o&&it.tocCollapsibleExpanded,i),children:[(0,a.jsx)(et,{collapsed:o,onClick:s}),(0,a.jsx)(R.z,{lazy:!0,className:it.tocCollapsibleContent,collapsed:o,children:(0,a.jsx)(K,{toc:e,minHeadingLevel:r,maxHeadingLevel:n})})]})}const nt={tocMobile:"tocMobile_ITEo"};function ot(){const{toc:t,frontMatter:e}=c();return(0,a.jsx)(rt,{toc:t,minHeadingLevel:e.toc_min_heading_level,maxHeadingLevel:e.toc_max_heading_level,className:(0,u.Z)(C.k.docs.docTocMobile,nt.tocMobile)})}const at={tableOfContents:"tableOfContents_bqdL",docItemContainer:"docItemContainer_F8PC"},st="table-of-contents__link toc-highlight",lt="table-of-contents__link--active";function ct(t){let{className:e,...i}=t;return(0,a.jsx)("div",{className:(0,u.Z)(at.tableOfContents,"thin-scrollbar",e),children:(0,a.jsx)(K,{...i,linkClassName:st,linkActiveClassName:lt})})}function ht(){const{toc:t,frontMatter:e}=c();return(0,a.jsx)(ct,{toc:t,minHeadingLevel:e.toc_min_heading_level,maxHeadingLevel:e.toc_max_heading_level,className:C.k.docs.docTocDesktop})}var ut=i(2503),dt=i(1151),ft=i(1769);function pt(t){let{children:e}=t;return(0,a.jsx)(dt.Z,{components:ft.Z,children:e})}function gt(t){let{children:e}=t;const i=function(){const{metadata:t,frontMatter:e,contentTitle:i}=c();return e.hide_title||void 0!==i?null:t.title}();return(0,a.jsxs)("div",{className:(0,u.Z)(C.k.docs.docMarkdown,"markdown"),children:[i&&(0,a.jsx)("header",{children:(0,a.jsx)(ut.Z,{as:"h1",children:i})}),(0,a.jsx)(pt,{children:e})]})}var mt=i(9690),yt=i(8596),xt=i(4996);function bt(t){return(0,a.jsx)("svg",{viewBox:"0 0 24 24",...t,children:(0,a.jsx)("path",{d:"M10 19v-5h4v5c0 .55.45 1 1 1h3c.55 0 1-.45 1-1v-7h1.7c.46 0 .68-.57.33-.87L12.67 3.6c-.38-.34-.96-.34-1.34 0l-8.36 7.53c-.34.3-.13.87.33.87H5v7c0 .55.45 1 1 1h3c.55 0 1-.45 1-1z",fill:"currentColor"})})}const Ct={breadcrumbHomeIcon:"breadcrumbHomeIcon_YNFT"};function _t(){const t=(0,xt.ZP)("/");return(0,a.jsx)("li",{className:"breadcrumbs__item",children:(0,a.jsx)(p.Z,{"aria-label":(0,f.I)({id:"theme.docs.breadcrumbs.home",message:"Home page",description:"The ARIA label for the home page in the breadcrumbs"}),className:"breadcrumbs__link",href:t,children:(0,a.jsx)(bt,{className:Ct.breadcrumbHomeIcon})})})}const vt={breadcrumbsContainer:"breadcrumbsContainer_Z_bl"};function kt(t){let{children:e,href:i,isLast:r}=t;const n="breadcrumbs__link";return r?(0,a.jsx)("span",{className:n,itemProp:"name",children:e}):i?(0,a.jsx)(p.Z,{className:n,href:i,itemProp:"item",children:(0,a.jsx)("span",{itemProp:"name",children:e})}):(0,a.jsx)("span",{className:n,children:e})}function Tt(t){let{children:e,active:i,index:r,addMicrodata:n}=t;return(0,a.jsxs)("li",{...n&&{itemScope:!0,itemProp:"itemListElement",itemType:"https://schema.org/ListItem"},className:(0,u.Z)("breadcrumbs__item",{"breadcrumbs__item--active":i}),children:[e,(0,a.jsx)("meta",{itemProp:"position",content:String(r+1)})]})}function wt(){const t=(0,mt.s1)(),e=(0,yt.Ns)();return t?(0,a.jsx)("nav",{className:(0,u.Z)(C.k.docs.docBreadcrumbs,vt.breadcrumbsContainer),"aria-label":(0,f.I)({id:"theme.docs.breadcrumbs.navAriaLabel",message:"Breadcrumbs",description:"The ARIA label for the breadcrumbs"}),children:(0,a.jsxs)("ul",{className:"breadcrumbs",itemScope:!0,itemType:"https://schema.org/BreadcrumbList",children:[e&&(0,a.jsx)(_t,{}),t.map(((e,i)=>{const r=i===t.length-1,n="category"===e.type&&e.linkUnlisted?void 0:e.href;return(0,a.jsx)(Tt,{active:r,index:i,addMicrodata:!!n,children:(0,a.jsx)(kt,{href:n,isLast:r,children:e.label})},i)}))]})}):null}var St=i(5742);function Bt(){return(0,a.jsx)(f.Z,{id:"theme.contentVisibility.unlistedBanner.title",description:"The unlisted content banner title",children:"Unlisted page"})}function Ft(){return(0,a.jsx)(f.Z,{id:"theme.contentVisibility.unlistedBanner.message",description:"The unlisted content banner message",children:"This page is unlisted. Search engines will not index it, and only users having a direct link can access it."})}function Lt(){return(0,a.jsx)(St.Z,{children:(0,a.jsx)("meta",{name:"robots",content:"noindex, nofollow"})})}function At(){return(0,a.jsx)(f.Z,{id:"theme.contentVisibility.draftBanner.title",description:"The draft content banner title",children:"Draft page"})}function Mt(){return(0,a.jsx)(f.Z,{id:"theme.contentVisibility.draftBanner.message",description:"The draft content banner message",children:"This page is a draft. It will only be visible in dev and be excluded from the production build."})}var Et=i(9047);function Nt(t){let{className:e}=t;return(0,a.jsx)(Et.Z,{type:"caution",title:(0,a.jsx)(At,{}),className:(0,u.Z)(e,C.k.common.draftBanner),children:(0,a.jsx)(Mt,{})})}function jt(t){let{className:e}=t;return(0,a.jsx)(Et.Z,{type:"caution",title:(0,a.jsx)(Bt,{}),className:(0,u.Z)(e,C.k.common.unlistedBanner),children:(0,a.jsx)(Ft,{})})}function Zt(t){return(0,a.jsxs)(a.Fragment,{children:[(0,a.jsx)(Lt,{}),(0,a.jsx)(jt,{...t})]})}function It(t){let{metadata:e}=t;const{unlisted:i,frontMatter:r}=e;return(0,a.jsxs)(a.Fragment,{children:[(i||r.unlisted)&&(0,a.jsx)(Zt,{}),r.draft&&(0,a.jsx)(Nt,{})]})}const Ot={docItemContainer:"docItemContainer_Djhp",docItemCol:"docItemCol_VOVn"};function Dt(t){let{children:e}=t;const i=function(){const{frontMatter:t,toc:e}=c(),i=(0,d.i)(),r=t.hide_table_of_contents,n=!r&&e.length>0;return{hidden:r,mobile:n?(0,a.jsx)(ot,{}):void 0,desktop:!n||"desktop"!==i&&"ssr"!==i?void 0:(0,a.jsx)(ht,{})}}(),{metadata:r}=c();return(0,a.jsxs)("div",{className:"row",children:[(0,a.jsxs)("div",{className:(0,u.Z)("col",!i.hidden&&Ot.docItemCol),children:[(0,a.jsx)(It,{metadata:r}),(0,a.jsx)(B,{}),(0,a.jsxs)("div",{className:Ot.docItemContainer,children:[(0,a.jsxs)("article",{children:[(0,a.jsx)(wt,{}),(0,a.jsx)(F,{}),i.mobile,(0,a.jsx)(gt,{children:e}),(0,a.jsx)(P,{})]}),(0,a.jsx)(y,{})]})]}),i.desktop&&(0,a.jsx)("div",{className:"col col--3",children:i.desktop})]})}function qt(t){const e=`docs-doc-id-${t.content.metadata.id}`,i=t.content;return(0,a.jsx)(l,{content:t.content,children:(0,a.jsxs)(n.FG,{className:e,children:[(0,a.jsx)(h,{}),(0,a.jsx)(Dt,{children:(0,a.jsx)(i,{})})]})})}},4694:(t,e,i)=>{"use strict";i.d(e,{Z:()=>pt});var r=i(7294),n=i(5742),o=i(2389),a=i(512),s=i(2949),l=i(6668);function c(){const{prism:t}=(0,l.L)(),{colorMode:e}=(0,s.I)(),i=t.theme,r=t.darkTheme||i;return"dark"===e?r:i}var h=i(5281),u=i(7594),d=i.n(u);const f=/title=(?["'])(?.*?)\1/,p=/\{(?<range>[\d,-]+)\}/,g={js:{start:"\\/\\/",end:""},jsBlock:{start:"\\/\\*",end:"\\*\\/"},jsx:{start:"\\{\\s*\\/\\*",end:"\\*\\/\\s*\\}"},bash:{start:"#",end:""},html:{start:"\x3c!--",end:"--\x3e"}},m={...g,lua:{start:"--",end:""},wasm:{start:"\\;\\;",end:""},tex:{start:"%",end:""},vb:{start:"['\u2018\u2019]",end:""},vbnet:{start:"(?:_\\s*)?['\u2018\u2019]",end:""},rem:{start:"[Rr][Ee][Mm]\\b",end:""},f90:{start:"!",end:""},ml:{start:"\\(\\*",end:"\\*\\)"},cobol:{start:"\\*>",end:""}},y=Object.keys(g);function x(t,e){const i=t.map((t=>{const{start:i,end:r}=m[t];return`(?:${i}\\s*(${e.flatMap((t=>[t.line,t.block?.start,t.block?.end].filter(Boolean))).join("|")})\\s*${r})`})).join("|");return new RegExp(`^\\s*(?:${i})\\s*$`)}function b(t,e){let i=t.replace(/\n$/,"");const{language:r,magicComments:n,metastring:o}=e;if(o&&p.test(o)){const t=o.match(p).groups.range;if(0===n.length)throw new Error(`A highlight range has been given in code block's metastring (\`\`\` ${o}), but no magic comment config is available. Docusaurus applies the first magic comment entry's className for metastring ranges.`);const e=n[0].className,r=d()(t).filter((t=>t>0)).map((t=>[t-1,[e]]));return{lineClassNames:Object.fromEntries(r),code:i}}if(void 0===r)return{lineClassNames:{},code:i};const a=function(t,e){switch(t){case"js":case"javascript":case"ts":case"typescript":return x(["js","jsBlock"],e);case"jsx":case"tsx":return x(["js","jsBlock","jsx"],e);case"html":return x(["js","jsBlock","html"],e);case"python":case"py":case"bash":return x(["bash"],e);case"markdown":case"md":return x(["html","jsx","bash"],e);case"tex":case"latex":case"matlab":return x(["tex"],e);case"lua":case"haskell":case"sql":return x(["lua"],e);case"wasm":return x(["wasm"],e);case"vb":case"vba":case"visual-basic":return x(["vb","rem"],e);case"vbnet":return x(["vbnet","rem"],e);case"batch":return x(["rem"],e);case"basic":return x(["rem","f90"],e);case"fsharp":return x(["js","ml"],e);case"ocaml":case"sml":return x(["ml"],e);case"fortran":return x(["f90"],e);case"cobol":return x(["cobol"],e);default:return x(y,e)}}(r,n),s=i.split("\n"),l=Object.fromEntries(n.map((t=>[t.className,{start:0,range:""}]))),c=Object.fromEntries(n.filter((t=>t.line)).map((t=>{let{className:e,line:i}=t;return[i,e]}))),h=Object.fromEntries(n.filter((t=>t.block)).map((t=>{let{className:e,block:i}=t;return[i.start,e]}))),u=Object.fromEntries(n.filter((t=>t.block)).map((t=>{let{className:e,block:i}=t;return[i.end,e]})));for(let d=0;d<s.length;){const t=s[d].match(a);if(!t){d+=1;continue}const e=t.slice(1).find((t=>void 0!==t));c[e]?l[c[e]].range+=`${d},`:h[e]?l[h[e]].start=d:u[e]&&(l[u[e]].range+=`${l[u[e]].start}-${d-1},`),s.splice(d,1)}i=s.join("\n");const f={};return Object.entries(l).forEach((t=>{let[e,{range:i}]=t;d()(i).forEach((t=>{f[t]??=[],f[t].push(e)}))})),{lineClassNames:f,code:i}}const C={codeBlockContainer:"codeBlockContainer_Ckt0"};var _=i(5893);function v(t){let{as:e,...i}=t;const r=function(t){const e={color:"--prism-color",backgroundColor:"--prism-background-color"},i={};return Object.entries(t.plain).forEach((t=>{let[r,n]=t;const o=e[r];o&&"string"==typeof n&&(i[o]=n)})),i}(c());return(0,_.jsx)(e,{...i,style:r,className:(0,a.Z)(i.className,C.codeBlockContainer,h.k.common.codeBlock)})}const k={codeBlockContent:"codeBlockContent_biex",codeBlockTitle:"codeBlockTitle_Ktv7",codeBlock:"codeBlock_bY9V",codeBlockStandalone:"codeBlockStandalone_MEMb",codeBlockLines:"codeBlockLines_e6Vv",codeBlockLinesWithNumbering:"codeBlockLinesWithNumbering_o6Pm",buttonGroup:"buttonGroup__atx"};function T(t){let{children:e,className:i}=t;return(0,_.jsx)(v,{as:"pre",tabIndex:0,className:(0,a.Z)(k.codeBlockStandalone,"thin-scrollbar",i),children:(0,_.jsx)("code",{className:k.codeBlockLines,children:e})})}var w=i(902);const S={attributes:!0,characterData:!0,childList:!0,subtree:!0};function B(t,e){const[i,n]=(0,r.useState)(),o=(0,r.useCallback)((()=>{n(t.current?.closest("[role=tabpanel][hidden]"))}),[t,n]);(0,r.useEffect)((()=>{o()}),[o]),function(t,e,i){void 0===i&&(i=S);const n=(0,w.zX)(e),o=(0,w.Ql)(i);(0,r.useEffect)((()=>{const e=new MutationObserver(n);return t&&e.observe(t,o),()=>e.disconnect()}),[t,n,o])}(i,(t=>{t.forEach((t=>{"attributes"===t.type&&"hidden"===t.attributeName&&(e(),o())}))}),{attributes:!0,characterData:!1,childList:!1,subtree:!1})}var F=i(2573);const L={codeLine:"codeLine_lJS_",codeLineNumber:"codeLineNumber_Tfdd",codeLineContent:"codeLineContent_feaV"};function A(t){let{line:e,classNames:i,showLineNumbers:r,getLineProps:n,getTokenProps:o}=t;1===e.length&&"\n"===e[0].content&&(e[0].content="");const s=n({line:e,className:(0,a.Z)(i,r&&L.codeLine)}),l=e.map(((t,e)=>(0,_.jsx)("span",{...o({token:t})},e)));return(0,_.jsxs)("span",{...s,children:[r?(0,_.jsxs)(_.Fragment,{children:[(0,_.jsx)("span",{className:L.codeLineNumber}),(0,_.jsx)("span",{className:L.codeLineContent,children:l})]}):l,(0,_.jsx)("br",{})]})}var M=i(5999);function E(t){return(0,_.jsx)("svg",{viewBox:"0 0 24 24",...t,children:(0,_.jsx)("path",{fill:"currentColor",d:"M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"})})}function N(t){return(0,_.jsx)("svg",{viewBox:"0 0 24 24",...t,children:(0,_.jsx)("path",{fill:"currentColor",d:"M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"})})}const j={copyButtonCopied:"copyButtonCopied_obH4",copyButtonIcons:"copyButtonIcons_eSgA",copyButtonIcon:"copyButtonIcon_y97N",copyButtonSuccessIcon:"copyButtonSuccessIcon_LjdS"};function Z(t){let{code:e,className:i}=t;const[n,o]=(0,r.useState)(!1),s=(0,r.useRef)(void 0),l=(0,r.useCallback)((()=>{!function(t,e){let{target:i=document.body}=void 0===e?{}:e;if("string"!=typeof t)throw new TypeError(`Expected parameter \`text\` to be a \`string\`, got \`${typeof t}\`.`);const r=document.createElement("textarea"),n=document.activeElement;r.value=t,r.setAttribute("readonly",""),r.style.contain="strict",r.style.position="absolute",r.style.left="-9999px",r.style.fontSize="12pt";const o=document.getSelection(),a=o.rangeCount>0&&o.getRangeAt(0);i.append(r),r.select(),r.selectionStart=0,r.selectionEnd=t.length;let s=!1;try{s=document.execCommand("copy")}catch{}r.remove(),a&&(o.removeAllRanges(),o.addRange(a)),n&&n.focus()}(e),o(!0),s.current=window.setTimeout((()=>{o(!1)}),1e3)}),[e]);return(0,r.useEffect)((()=>()=>window.clearTimeout(s.current)),[]),(0,_.jsx)("button",{type:"button","aria-label":n?(0,M.I)({id:"theme.CodeBlock.copied",message:"Copied",description:"The copied button label on code blocks"}):(0,M.I)({id:"theme.CodeBlock.copyButtonAriaLabel",message:"Copy code to clipboard",description:"The ARIA label for copy code blocks button"}),title:(0,M.I)({id:"theme.CodeBlock.copy",message:"Copy",description:"The copy button label on code blocks"}),className:(0,a.Z)("clean-btn",i,j.copyButton,n&&j.copyButtonCopied),onClick:l,children:(0,_.jsxs)("span",{className:j.copyButtonIcons,"aria-hidden":"true",children:[(0,_.jsx)(E,{className:j.copyButtonIcon}),(0,_.jsx)(N,{className:j.copyButtonSuccessIcon})]})})}function I(t){return(0,_.jsx)("svg",{viewBox:"0 0 24 24",...t,children:(0,_.jsx)("path",{fill:"currentColor",d:"M4 19h6v-2H4v2zM20 5H4v2h16V5zm-3 6H4v2h13.25c1.1 0 2 .9 2 2s-.9 2-2 2H15v-2l-3 3l3 3v-2h2c2.21 0 4-1.79 4-4s-1.79-4-4-4z"})})}const O={wordWrapButtonIcon:"wordWrapButtonIcon_Bwma",wordWrapButtonEnabled:"wordWrapButtonEnabled_EoeP"};function D(t){let{className:e,onClick:i,isEnabled:r}=t;const n=(0,M.I)({id:"theme.CodeBlock.wordWrapToggle",message:"Toggle word wrap",description:"The title attribute for toggle word wrapping button of code block lines"});return(0,_.jsx)("button",{type:"button",onClick:i,className:(0,a.Z)("clean-btn",e,r&&O.wordWrapButtonEnabled),"aria-label":n,title:n,children:(0,_.jsx)(I,{className:O.wordWrapButtonIcon,"aria-hidden":"true"})})}function q(t){let{children:e,className:i="",metastring:n,title:o,showLineNumbers:s,language:h}=t;const{prism:{defaultLanguage:u,magicComments:d}}=(0,l.L)(),p=function(t){return t?.toLowerCase()}(h??function(t){const e=t.split(" ").find((t=>t.startsWith("language-")));return e?.replace(/language-/,"")}(i)??u),g=c(),m=function(){const[t,e]=(0,r.useState)(!1),[i,n]=(0,r.useState)(!1),o=(0,r.useRef)(null),a=(0,r.useCallback)((()=>{const i=o.current.querySelector("code");t?i.removeAttribute("style"):(i.style.whiteSpace="pre-wrap",i.style.overflowWrap="anywhere"),e((t=>!t))}),[o,t]),s=(0,r.useCallback)((()=>{const{scrollWidth:t,clientWidth:e}=o.current,i=t>e||o.current.querySelector("code").hasAttribute("style");n(i)}),[o]);return B(o,s),(0,r.useEffect)((()=>{s()}),[t,s]),(0,r.useEffect)((()=>(window.addEventListener("resize",s,{passive:!0}),()=>{window.removeEventListener("resize",s)})),[s]),{codeBlockRef:o,isEnabled:t,isCodeScrollable:i,toggle:a}}(),y=function(t){return t?.match(f)?.groups.title??""}(n)||o,{lineClassNames:x,code:C}=b(e,{metastring:n,language:p,magicComments:d}),T=s??function(t){return Boolean(t?.includes("showLineNumbers"))}(n);return(0,_.jsxs)(v,{as:"div",className:(0,a.Z)(i,p&&!i.includes(`language-${p}`)&&`language-${p}`),children:[y&&(0,_.jsx)("div",{className:k.codeBlockTitle,children:y}),(0,_.jsxs)("div",{className:k.codeBlockContent,children:[(0,_.jsx)(F.y$,{theme:g,code:C,language:p??"text",children:t=>{let{className:e,style:i,tokens:r,getLineProps:n,getTokenProps:o}=t;return(0,_.jsx)("pre",{tabIndex:0,ref:m.codeBlockRef,className:(0,a.Z)(e,k.codeBlock,"thin-scrollbar"),style:i,children:(0,_.jsx)("code",{className:(0,a.Z)(k.codeBlockLines,T&&k.codeBlockLinesWithNumbering),children:r.map(((t,e)=>(0,_.jsx)(A,{line:t,getLineProps:n,getTokenProps:o,classNames:x[e],showLineNumbers:T},e)))})})}}),(0,_.jsxs)("div",{className:k.buttonGroup,children:[(m.isEnabled||m.isCodeScrollable)&&(0,_.jsx)(D,{className:k.codeButton,onClick:()=>m.toggle(),isEnabled:m.isEnabled}),(0,_.jsx)(Z,{className:k.codeButton,code:C})]})]})]})}function $(t){let{children:e,...i}=t;const n=(0,o.Z)(),a=function(t){return r.Children.toArray(t).some((t=>(0,r.isValidElement)(t)))?t:Array.isArray(t)?t.join(""):t}(e),s="string"==typeof a?q:T;return(0,_.jsx)(s,{...i,children:a},String(n))}function z(t){return(0,_.jsx)("code",{...t})}var P=i(3692);var R=i(8138),H=i(6043);const W={details:"details_lb9f",isBrowser:"isBrowser_bmU9",collapsibleContent:"collapsibleContent_i85q"};function U(t){return!!t&&("SUMMARY"===t.tagName||U(t.parentElement))}function Y(t,e){return!!t&&(t===e||Y(t.parentElement,e))}function V(t){let{summary:e,children:i,...n}=t;(0,R.Z)().collectAnchor(n.id);const s=(0,o.Z)(),l=(0,r.useRef)(null),{collapsed:c,setCollapsed:h}=(0,H.u)({initialState:!n.open}),[u,d]=(0,r.useState)(n.open),f=r.isValidElement(e)?e:(0,_.jsx)("summary",{children:e??"Details"});return(0,_.jsxs)("details",{...n,ref:l,open:u,"data-collapsed":c,className:(0,a.Z)(W.details,s&&W.isBrowser,n.className),onMouseDown:t=>{U(t.target)&&t.detail>1&&t.preventDefault()},onClick:t=>{t.stopPropagation();const e=t.target;U(e)&&Y(e,l.current)&&(t.preventDefault(),c?(h(!1),d(!0)):h(!0))},children:[f,(0,_.jsx)(H.z,{lazy:!1,collapsed:c,disableSSRStyle:!0,onCollapseTransitionEnd:t=>{h(t),d(!t)},children:(0,_.jsx)("div",{className:W.collapsibleContent,children:i})})]})}const G={details:"details_b_Ee"},X="alert alert--info";function J(t){let{...e}=t;return(0,_.jsx)(V,{...e,className:(0,a.Z)(X,G.details,e.className)})}function Q(t){const e=r.Children.toArray(t.children),i=e.find((t=>r.isValidElement(t)&&"summary"===t.type)),n=(0,_.jsx)(_.Fragment,{children:e.filter((t=>t!==i))});return(0,_.jsx)(J,{...t,summary:i,children:n})}var K=i(2503);function tt(t){return(0,_.jsx)(K.Z,{...t})}const et={containsTaskList:"containsTaskList_mC6p"};function it(t){if(void 0!==t)return(0,a.Z)(t,t?.includes("contains-task-list")&&et.containsTaskList)}const rt={img:"img_ev3q"};var nt=i(9047),ot=i(4763),at=i(3087),st=i(5322);const lt="docusaurus-mermaid-container";function ct(){const{colorMode:t}=(0,s.I)(),e=(0,l.L)().mermaid,i=e.theme[t],{options:n}=e;return(0,r.useMemo)((()=>({startOnLoad:!1,...n,theme:i})),[i,n])}function ht(t){let{text:e,config:i}=t;const[n,o]=(0,r.useState)(null),a=(0,r.useRef)(`mermaid-svg-${Math.round(1e7*Math.random())}`).current,s=ct(),l=i??s;return(0,r.useEffect)((()=>{(async function(t){let{id:e,text:i,config:r}=t;st.L.mermaidAPI.initialize(r);try{return await st.L.render(e,i)}catch(n){throw document.querySelector(`#d${e}`)?.remove(),n}})({id:a,text:e,config:l}).then(o).catch((t=>{o((()=>{throw t}))}))}),[a,e,l]),n}const ut={container:"container_lyt7"};function dt(t){let{renderResult:e}=t;const i=(0,r.useRef)(null);return(0,r.useEffect)((()=>{const t=i.current;e.bindFunctions?.(t)}),[e]),(0,_.jsx)("div",{ref:i,className:`${lt} ${ut.container}`,dangerouslySetInnerHTML:{__html:e.svg}})}function ft(t){let{value:e}=t;const i=ht({text:e});return null===i?null:(0,_.jsx)(dt,{renderResult:i})}const pt={Head:n.Z,details:Q,Details:Q,code:function(t){return function(t){return void 0!==t.children&&r.Children.toArray(t.children).every((t=>"string"==typeof t&&!t.includes("\n")))}(t)?(0,_.jsx)(z,{...t}):(0,_.jsx)($,{...t})},a:function(t){return(0,_.jsx)(P.Z,{...t})},pre:function(t){return(0,_.jsx)(_.Fragment,{children:t.children})},ul:function(t){return(0,_.jsx)("ul",{...t,className:it(t.className)})},li:function(t){return(0,R.Z)().collectAnchor(t.id),(0,_.jsx)("li",{...t})},img:function(t){return(0,_.jsx)("img",{decoding:"async",loading:"lazy",...t,className:(e=t.className,(0,a.Z)(e,rt.img))});var e},h1:t=>(0,_.jsx)(tt,{as:"h1",...t}),h2:t=>(0,_.jsx)(tt,{as:"h2",...t}),h3:t=>(0,_.jsx)(tt,{as:"h3",...t}),h4:t=>(0,_.jsx)(tt,{as:"h4",...t}),h5:t=>(0,_.jsx)(tt,{as:"h5",...t}),h6:t=>(0,_.jsx)(tt,{as:"h6",...t}),admonition:nt.Z,mermaid:function(t){return(0,_.jsx)(ot.Z,{fallback:t=>(0,_.jsx)(at.Ac,{...t}),children:(0,_.jsx)(ft,{...t})})}}},5162:(t,e,i)=>{"use strict";i.d(e,{Z:()=>a});i(7294);var r=i(512);const n={tabItem:"tabItem_Ymn6"};var o=i(5893);function a(t){let{children:e,hidden:i,className:a}=t;return(0,o.jsx)("div",{role:"tabpanel",className:(0,r.Z)(n.tabItem,a),hidden:i,children:e})}},4866:(t,e,i)=>{"use strict";i.d(e,{Z:()=>v});var r=i(7294),n=i(512),o=i(2466),a=i(6550),s=i(469),l=i(1980),c=i(7392),h=i(812);function u(t){return r.Children.toArray(t).filter((t=>"\n"!==t)).map((t=>{if(!t||(0,r.isValidElement)(t)&&function(t){const{props:e}=t;return!!e&&"object"==typeof e&&"value"in e}(t))return t;throw new Error(`Docusaurus error: Bad <Tabs> child <${"string"==typeof t.type?t.type:t.type.name}>: all children of the <Tabs> component should be <TabItem>, and every <TabItem> should have a unique "value" prop.`)}))?.filter(Boolean)??[]}function d(t){const{values:e,children:i}=t;return(0,r.useMemo)((()=>{const t=e??function(t){return u(t).map((t=>{let{props:{value:e,label:i,attributes:r,default:n}}=t;return{value:e,label:i,attributes:r,default:n}}))}(i);return function(t){const e=(0,c.lx)(t,((t,e)=>t.value===e.value));if(e.length>0)throw new Error(`Docusaurus error: Duplicate values "${e.map((t=>t.value)).join(", ")}" found in <Tabs>. Every value needs to be unique.`)}(t),t}),[e,i])}function f(t){let{value:e,tabValues:i}=t;return i.some((t=>t.value===e))}function p(t){let{queryString:e=!1,groupId:i}=t;const n=(0,a.k6)(),o=function(t){let{queryString:e=!1,groupId:i}=t;if("string"==typeof e)return e;if(!1===e)return null;if(!0===e&&!i)throw new Error('Docusaurus error: The <Tabs> component groupId prop is required if queryString=true, because this value is used as the search param name. You can also provide an explicit value such as queryString="my-search-param".');return i??null}({queryString:e,groupId:i});return[(0,l._X)(o),(0,r.useCallback)((t=>{if(!o)return;const e=new URLSearchParams(n.location.search);e.set(o,t),n.replace({...n.location,search:e.toString()})}),[o,n])]}function g(t){const{defaultValue:e,queryString:i=!1,groupId:n}=t,o=d(t),[a,l]=(0,r.useState)((()=>function(t){let{defaultValue:e,tabValues:i}=t;if(0===i.length)throw new Error("Docusaurus error: the <Tabs> component requires at least one <TabItem> children component");if(e){if(!f({value:e,tabValues:i}))throw new Error(`Docusaurus error: The <Tabs> has a defaultValue "${e}" but none of its children has the corresponding value. Available values are: ${i.map((t=>t.value)).join(", ")}. If you intend to show no default tab, use defaultValue={null} instead.`);return e}const r=i.find((t=>t.default))??i[0];if(!r)throw new Error("Unexpected error: 0 tabValues");return r.value}({defaultValue:e,tabValues:o}))),[c,u]=p({queryString:i,groupId:n}),[g,m]=function(t){let{groupId:e}=t;const i=function(t){return t?`docusaurus.tab.${t}`:null}(e),[n,o]=(0,h.Nk)(i);return[n,(0,r.useCallback)((t=>{i&&o.set(t)}),[i,o])]}({groupId:n}),y=(()=>{const t=c??g;return f({value:t,tabValues:o})?t:null})();(0,s.Z)((()=>{y&&l(y)}),[y]);return{selectedValue:a,selectValue:(0,r.useCallback)((t=>{if(!f({value:t,tabValues:o}))throw new Error(`Can't select invalid tab value=${t}`);l(t),u(t),m(t)}),[u,m,o]),tabValues:o}}var m=i(2389);const y={tabList:"tabList__CuJ",tabItem:"tabItem_LNqP"};var x=i(5893);function b(t){let{className:e,block:i,selectedValue:r,selectValue:a,tabValues:s}=t;const l=[],{blockElementScrollPositionUntilNextRender:c}=(0,o.o5)(),h=t=>{const e=t.currentTarget,i=l.indexOf(e),n=s[i].value;n!==r&&(c(e),a(n))},u=t=>{let e=null;switch(t.key){case"Enter":h(t);break;case"ArrowRight":{const i=l.indexOf(t.currentTarget)+1;e=l[i]??l[0];break}case"ArrowLeft":{const i=l.indexOf(t.currentTarget)-1;e=l[i]??l[l.length-1];break}}e?.focus()};return(0,x.jsx)("ul",{role:"tablist","aria-orientation":"horizontal",className:(0,n.Z)("tabs",{"tabs--block":i},e),children:s.map((t=>{let{value:e,label:i,attributes:o}=t;return(0,x.jsx)("li",{role:"tab",tabIndex:r===e?0:-1,"aria-selected":r===e,ref:t=>l.push(t),onKeyDown:u,onClick:h,...o,className:(0,n.Z)("tabs__item",y.tabItem,o?.className,{"tabs__item--active":r===e}),children:i??e},e)}))})}function C(t){let{lazy:e,children:i,selectedValue:o}=t;const a=(Array.isArray(i)?i:[i]).filter(Boolean);if(e){const t=a.find((t=>t.props.value===o));return t?(0,r.cloneElement)(t,{className:(0,n.Z)("margin-top--md",t.props.className)}):null}return(0,x.jsx)("div",{className:"margin-top--md",children:a.map(((t,e)=>(0,r.cloneElement)(t,{key:e,hidden:t.props.value!==o})))})}function _(t){const e=g(t);return(0,x.jsxs)("div",{className:(0,n.Z)("tabs-container",y.tabList),children:[(0,x.jsx)(b,{...e,...t}),(0,x.jsx)(C,{...e,...t})]})}function v(t){const e=(0,m.Z)();return(0,x.jsx)(_,{...t,children:u(t.children)},String(e))}},7484:function(t){t.exports=function(){"use strict";var t=1e3,e=6e4,i=36e5,r="millisecond",n="second",o="minute",a="hour",s="day",l="week",c="month",h="quarter",u="year",d="date",f="Invalid Date",p=/^(\d{4})[-/]?(\d{1,2})?[-/]?(\d{0,2})[Tt\s]*(\d{1,2})?:?(\d{1,2})?:?(\d{1,2})?[.:]?(\d+)?$/,g=/\[([^\]]+)]|Y{1,4}|M{1,4}|D{1,2}|d{1,4}|H{1,2}|h{1,2}|a|A|m{1,2}|s{1,2}|Z{1,2}|SSS/g,m={name:"en",weekdays:"Sunday_Monday_Tuesday_Wednesday_Thursday_Friday_Saturday".split("_"),months:"January_February_March_April_May_June_July_August_September_October_November_December".split("_"),ordinal:function(t){var e=["th","st","nd","rd"],i=t%100;return"["+t+(e[(i-20)%10]||e[i]||e[0])+"]"}},y=function(t,e,i){var r=String(t);return!r||r.length>=e?t:""+Array(e+1-r.length).join(i)+t},x={s:y,z:function(t){var e=-t.utcOffset(),i=Math.abs(e),r=Math.floor(i/60),n=i%60;return(e<=0?"+":"-")+y(r,2,"0")+":"+y(n,2,"0")},m:function t(e,i){if(e.date()<i.date())return-t(i,e);var r=12*(i.year()-e.year())+(i.month()-e.month()),n=e.clone().add(r,c),o=i-n<0,a=e.clone().add(r+(o?-1:1),c);return+(-(r+(i-n)/(o?n-a:a-n))||0)},a:function(t){return t<0?Math.ceil(t)||0:Math.floor(t)},p:function(t){return{M:c,y:u,w:l,d:s,D:d,h:a,m:o,s:n,ms:r,Q:h}[t]||String(t||"").toLowerCase().replace(/s$/,"")},u:function(t){return void 0===t}},b="en",C={};C[b]=m;var _="$isDayjsObject",v=function(t){return t instanceof S||!(!t||!t[_])},k=function t(e,i,r){var n;if(!e)return b;if("string"==typeof e){var o=e.toLowerCase();C[o]&&(n=o),i&&(C[o]=i,n=o);var a=e.split("-");if(!n&&a.length>1)return t(a[0])}else{var s=e.name;C[s]=e,n=s}return!r&&n&&(b=n),n||!r&&b},T=function(t,e){if(v(t))return t.clone();var i="object"==typeof e?e:{};return i.date=t,i.args=arguments,new S(i)},w=x;w.l=k,w.i=v,w.w=function(t,e){return T(t,{locale:e.$L,utc:e.$u,x:e.$x,$offset:e.$offset})};var S=function(){function m(t){this.$L=k(t.locale,null,!0),this.parse(t),this.$x=this.$x||t.x||{},this[_]=!0}var y=m.prototype;return y.parse=function(t){this.$d=function(t){var e=t.date,i=t.utc;if(null===e)return new Date(NaN);if(w.u(e))return new Date;if(e instanceof Date)return new Date(e);if("string"==typeof e&&!/Z$/i.test(e)){var r=e.match(p);if(r){var n=r[2]-1||0,o=(r[7]||"0").substring(0,3);return i?new Date(Date.UTC(r[1],n,r[3]||1,r[4]||0,r[5]||0,r[6]||0,o)):new Date(r[1],n,r[3]||1,r[4]||0,r[5]||0,r[6]||0,o)}}return new Date(e)}(t),this.init()},y.init=function(){var t=this.$d;this.$y=t.getFullYear(),this.$M=t.getMonth(),this.$D=t.getDate(),this.$W=t.getDay(),this.$H=t.getHours(),this.$m=t.getMinutes(),this.$s=t.getSeconds(),this.$ms=t.getMilliseconds()},y.$utils=function(){return w},y.isValid=function(){return!(this.$d.toString()===f)},y.isSame=function(t,e){var i=T(t);return this.startOf(e)<=i&&i<=this.endOf(e)},y.isAfter=function(t,e){return T(t)<this.startOf(e)},y.isBefore=function(t,e){return this.endOf(e)<T(t)},y.$g=function(t,e,i){return w.u(t)?this[e]:this.set(i,t)},y.unix=function(){return Math.floor(this.valueOf()/1e3)},y.valueOf=function(){return this.$d.getTime()},y.startOf=function(t,e){var i=this,r=!!w.u(e)||e,h=w.p(t),f=function(t,e){var n=w.w(i.$u?Date.UTC(i.$y,e,t):new Date(i.$y,e,t),i);return r?n:n.endOf(s)},p=function(t,e){return w.w(i.toDate()[t].apply(i.toDate("s"),(r?[0,0,0,0]:[23,59,59,999]).slice(e)),i)},g=this.$W,m=this.$M,y=this.$D,x="set"+(this.$u?"UTC":"");switch(h){case u:return r?f(1,0):f(31,11);case c:return r?f(1,m):f(0,m+1);case l:var b=this.$locale().weekStart||0,C=(g<b?g+7:g)-b;return f(r?y-C:y+(6-C),m);case s:case d:return p(x+"Hours",0);case a:return p(x+"Minutes",1);case o:return p(x+"Seconds",2);case n:return p(x+"Milliseconds",3);default:return this.clone()}},y.endOf=function(t){return this.startOf(t,!1)},y.$set=function(t,e){var i,l=w.p(t),h="set"+(this.$u?"UTC":""),f=(i={},i[s]=h+"Date",i[d]=h+"Date",i[c]=h+"Month",i[u]=h+"FullYear",i[a]=h+"Hours",i[o]=h+"Minutes",i[n]=h+"Seconds",i[r]=h+"Milliseconds",i)[l],p=l===s?this.$D+(e-this.$W):e;if(l===c||l===u){var g=this.clone().set(d,1);g.$d[f](p),g.init(),this.$d=g.set(d,Math.min(this.$D,g.daysInMonth())).$d}else f&&this.$d[f](p);return this.init(),this},y.set=function(t,e){return this.clone().$set(t,e)},y.get=function(t){return this[w.p(t)]()},y.add=function(r,h){var d,f=this;r=Number(r);var p=w.p(h),g=function(t){var e=T(f);return w.w(e.date(e.date()+Math.round(t*r)),f)};if(p===c)return this.set(c,this.$M+r);if(p===u)return this.set(u,this.$y+r);if(p===s)return g(1);if(p===l)return g(7);var m=(d={},d[o]=e,d[a]=i,d[n]=t,d)[p]||1,y=this.$d.getTime()+r*m;return w.w(y,this)},y.subtract=function(t,e){return this.add(-1*t,e)},y.format=function(t){var e=this,i=this.$locale();if(!this.isValid())return i.invalidDate||f;var r=t||"YYYY-MM-DDTHH:mm:ssZ",n=w.z(this),o=this.$H,a=this.$m,s=this.$M,l=i.weekdays,c=i.months,h=i.meridiem,u=function(t,i,n,o){return t&&(t[i]||t(e,r))||n[i].slice(0,o)},d=function(t){return w.s(o%12||12,t,"0")},p=h||function(t,e,i){var r=t<12?"AM":"PM";return i?r.toLowerCase():r};return r.replace(g,(function(t,r){return r||function(t){switch(t){case"YY":return String(e.$y).slice(-2);case"YYYY":return w.s(e.$y,4,"0");case"M":return s+1;case"MM":return w.s(s+1,2,"0");case"MMM":return u(i.monthsShort,s,c,3);case"MMMM":return u(c,s);case"D":return e.$D;case"DD":return w.s(e.$D,2,"0");case"d":return String(e.$W);case"dd":return u(i.weekdaysMin,e.$W,l,2);case"ddd":return u(i.weekdaysShort,e.$W,l,3);case"dddd":return l[e.$W];case"H":return String(o);case"HH":return w.s(o,2,"0");case"h":return d(1);case"hh":return d(2);case"a":return p(o,a,!0);case"A":return p(o,a,!1);case"m":return String(a);case"mm":return w.s(a,2,"0");case"s":return String(e.$s);case"ss":return w.s(e.$s,2,"0");case"SSS":return w.s(e.$ms,3,"0");case"Z":return n}return null}(t)||n.replace(":","")}))},y.utcOffset=function(){return 15*-Math.round(this.$d.getTimezoneOffset()/15)},y.diff=function(r,d,f){var p,g=this,m=w.p(d),y=T(r),x=(y.utcOffset()-this.utcOffset())*e,b=this-y,C=function(){return w.m(g,y)};switch(m){case u:p=C()/12;break;case c:p=C();break;case h:p=C()/3;break;case l:p=(b-x)/6048e5;break;case s:p=(b-x)/864e5;break;case a:p=b/i;break;case o:p=b/e;break;case n:p=b/t;break;default:p=b}return f?p:w.a(p)},y.daysInMonth=function(){return this.endOf(c).$D},y.$locale=function(){return C[this.$L]},y.locale=function(t,e){if(!t)return this.$L;var i=this.clone(),r=k(t,e,!0);return r&&(i.$L=r),i},y.clone=function(){return w.w(this.$d,this)},y.toDate=function(){return new Date(this.valueOf())},y.toJSON=function(){return this.isValid()?this.toISOString():null},y.toISOString=function(){return this.$d.toISOString()},y.toString=function(){return this.$d.toUTCString()},m}(),B=S.prototype;return T.prototype=B,[["$ms",r],["$s",n],["$m",o],["$H",a],["$W",s],["$M",c],["$y",u],["$D",d]].forEach((function(t){B[t[1]]=function(e){return this.$g(e,t[0],t[1])}})),T.extend=function(t,e){return t.$i||(t(e,S,T),t.$i=!0),T},T.locale=k,T.isDayjs=v,T.unix=function(t){return T(1e3*t)},T.en=C[b],T.Ls=C,T.p={},T}()},7856:function(t){t.exports=function(){"use strict";const{entries:t,setPrototypeOf:e,isFrozen:i,getPrototypeOf:r,getOwnPropertyDescriptor:n}=Object;let{freeze:o,seal:a,create:s}=Object,{apply:l,construct:c}="undefined"!=typeof Reflect&&Reflect;o||(o=function(t){return t}),a||(a=function(t){return t}),l||(l=function(t,e,i){return t.apply(e,i)}),c||(c=function(t,e){return new t(...e)});const h=_(Array.prototype.forEach),u=_(Array.prototype.pop),d=_(Array.prototype.push),f=_(String.prototype.toLowerCase),p=_(String.prototype.toString),g=_(String.prototype.match),m=_(String.prototype.replace),y=_(String.prototype.indexOf),x=_(String.prototype.trim),b=_(RegExp.prototype.test),C=v(TypeError);function _(t){return function(e){for(var i=arguments.length,r=new Array(i>1?i-1:0),n=1;n<i;n++)r[n-1]=arguments[n];return l(t,e,r)}}function v(t){return function(){for(var e=arguments.length,i=new Array(e),r=0;r<e;r++)i[r]=arguments[r];return c(t,i)}}function k(t,r){let n=arguments.length>2&&void 0!==arguments[2]?arguments[2]:f;e&&e(t,null);let o=r.length;for(;o--;){let e=r[o];if("string"==typeof e){const t=n(e);t!==e&&(i(r)||(r[o]=t),e=t)}t[e]=!0}return t}function T(e){const i=s(null);for(const[r,o]of t(e))void 0!==n(e,r)&&(i[r]=o);return i}function w(t,e){for(;null!==t;){const i=n(t,e);if(i){if(i.get)return _(i.get);if("function"==typeof i.value)return _(i.value)}t=r(t)}function i(t){return console.warn("fallback value for",t),null}return i}const S=o(["a","abbr","acronym","address","area","article","aside","audio","b","bdi","bdo","big","blink","blockquote","body","br","button","canvas","caption","center","cite","code","col","colgroup","content","data","datalist","dd","decorator","del","details","dfn","dialog","dir","div","dl","dt","element","em","fieldset","figcaption","figure","font","footer","form","h1","h2","h3","h4","h5","h6","head","header","hgroup","hr","html","i","img","input","ins","kbd","label","legend","li","main","map","mark","marquee","menu","menuitem","meter","nav","nobr","ol","optgroup","option","output","p","picture","pre","progress","q","rp","rt","ruby","s","samp","section","select","shadow","small","source","spacer","span","strike","strong","style","sub","summary","sup","table","tbody","td","template","textarea","tfoot","th","thead","time","tr","track","tt","u","ul","var","video","wbr"]),B=o(["svg","a","altglyph","altglyphdef","altglyphitem","animatecolor","animatemotion","animatetransform","circle","clippath","defs","desc","ellipse","filter","font","g","glyph","glyphref","hkern","image","line","lineargradient","marker","mask","metadata","mpath","path","pattern","polygon","polyline","radialgradient","rect","stop","style","switch","symbol","text","textpath","title","tref","tspan","view","vkern"]),F=o(["feBlend","feColorMatrix","feComponentTransfer","feComposite","feConvolveMatrix","feDiffuseLighting","feDisplacementMap","feDistantLight","feDropShadow","feFlood","feFuncA","feFuncB","feFuncG","feFuncR","feGaussianBlur","feImage","feMerge","feMergeNode","feMorphology","feOffset","fePointLight","feSpecularLighting","feSpotLight","feTile","feTurbulence"]),L=o(["animate","color-profile","cursor","discard","font-face","font-face-format","font-face-name","font-face-src","font-face-uri","foreignobject","hatch","hatchpath","mesh","meshgradient","meshpatch","meshrow","missing-glyph","script","set","solidcolor","unknown","use"]),A=o(["math","menclose","merror","mfenced","mfrac","mglyph","mi","mlabeledtr","mmultiscripts","mn","mo","mover","mpadded","mphantom","mroot","mrow","ms","mspace","msqrt","mstyle","msub","msup","msubsup","mtable","mtd","mtext","mtr","munder","munderover","mprescripts"]),M=o(["maction","maligngroup","malignmark","mlongdiv","mscarries","mscarry","msgroup","mstack","msline","msrow","semantics","annotation","annotation-xml","mprescripts","none"]),E=o(["#text"]),N=o(["accept","action","align","alt","autocapitalize","autocomplete","autopictureinpicture","autoplay","background","bgcolor","border","capture","cellpadding","cellspacing","checked","cite","class","clear","color","cols","colspan","controls","controlslist","coords","crossorigin","datetime","decoding","default","dir","disabled","disablepictureinpicture","disableremoteplayback","download","draggable","enctype","enterkeyhint","face","for","headers","height","hidden","high","href","hreflang","id","inputmode","integrity","ismap","kind","label","lang","list","loading","loop","low","max","maxlength","media","method","min","minlength","multiple","muted","name","nonce","noshade","novalidate","nowrap","open","optimum","pattern","placeholder","playsinline","poster","preload","pubdate","radiogroup","readonly","rel","required","rev","reversed","role","rows","rowspan","spellcheck","scope","selected","shape","size","sizes","span","srclang","start","src","srcset","step","style","summary","tabindex","title","translate","type","usemap","valign","value","width","xmlns","slot"]),j=o(["accent-height","accumulate","additive","alignment-baseline","ascent","attributename","attributetype","azimuth","basefrequency","baseline-shift","begin","bias","by","class","clip","clippathunits","clip-path","clip-rule","color","color-interpolation","color-interpolation-filters","color-profile","color-rendering","cx","cy","d","dx","dy","diffuseconstant","direction","display","divisor","dur","edgemode","elevation","end","fill","fill-opacity","fill-rule","filter","filterunits","flood-color","flood-opacity","font-family","font-size","font-size-adjust","font-stretch","font-style","font-variant","font-weight","fx","fy","g1","g2","glyph-name","glyphref","gradientunits","gradienttransform","height","href","id","image-rendering","in","in2","k","k1","k2","k3","k4","kerning","keypoints","keysplines","keytimes","lang","lengthadjust","letter-spacing","kernelmatrix","kernelunitlength","lighting-color","local","marker-end","marker-mid","marker-start","markerheight","markerunits","markerwidth","maskcontentunits","maskunits","max","mask","media","method","mode","min","name","numoctaves","offset","operator","opacity","order","orient","orientation","origin","overflow","paint-order","path","pathlength","patterncontentunits","patterntransform","patternunits","points","preservealpha","preserveaspectratio","primitiveunits","r","rx","ry","radius","refx","refy","repeatcount","repeatdur","restart","result","rotate","scale","seed","shape-rendering","specularconstant","specularexponent","spreadmethod","startoffset","stddeviation","stitchtiles","stop-color","stop-opacity","stroke-dasharray","stroke-dashoffset","stroke-linecap","stroke-linejoin","stroke-miterlimit","stroke-opacity","stroke","stroke-width","style","surfacescale","systemlanguage","tabindex","targetx","targety","transform","transform-origin","text-anchor","text-decoration","text-rendering","textlength","type","u1","u2","unicode","values","viewbox","visibility","version","vert-adv-y","vert-origin-x","vert-origin-y","width","word-spacing","wrap","writing-mode","xchannelselector","ychannelselector","x","x1","x2","xmlns","y","y1","y2","z","zoomandpan"]),Z=o(["accent","accentunder","align","bevelled","close","columnsalign","columnlines","columnspan","denomalign","depth","dir","display","displaystyle","encoding","fence","frame","height","href","id","largeop","length","linethickness","lspace","lquote","mathbackground","mathcolor","mathsize","mathvariant","maxsize","minsize","movablelimits","notation","numalign","open","rowalign","rowlines","rowspacing","rowspan","rspace","rquote","scriptlevel","scriptminsize","scriptsizemultiplier","selection","separator","separators","stretchy","subscriptshift","supscriptshift","symmetric","voffset","width","xmlns"]),I=o(["xlink:href","xml:id","xlink:title","xml:space","xmlns:xlink"]),O=a(/\{\{[\w\W]*|[\w\W]*\}\}/gm),D=a(/<%[\w\W]*|[\w\W]*%>/gm),q=a(/\${[\w\W]*}/gm),$=a(/^data-[\-\w.\u00B7-\uFFFF]/),z=a(/^aria-[\-\w]+$/),P=a(/^(?:(?:(?:f|ht)tps?|mailto|tel|callto|sms|cid|xmpp):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i),R=a(/^(?:\w+script|data):/i),H=a(/[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205F\u3000]/g),W=a(/^html$/i);var U=Object.freeze({__proto__:null,MUSTACHE_EXPR:O,ERB_EXPR:D,TMPLIT_EXPR:q,DATA_ATTR:$,ARIA_ATTR:z,IS_ALLOWED_URI:P,IS_SCRIPT_OR_DATA:R,ATTR_WHITESPACE:H,DOCTYPE_NAME:W});const Y=function(){return"undefined"==typeof window?null:window},V=function(t,e){if("object"!=typeof t||"function"!=typeof t.createPolicy)return null;let i=null;const r="data-tt-policy-suffix";e&&e.hasAttribute(r)&&(i=e.getAttribute(r));const n="dompurify"+(i?"#"+i:"");try{return t.createPolicy(n,{createHTML:t=>t,createScriptURL:t=>t})}catch(o){return console.warn("TrustedTypes policy "+n+" could not be created."),null}};function G(){let e=arguments.length>0&&void 0!==arguments[0]?arguments[0]:Y();const i=t=>G(t);if(i.version="3.0.6",i.removed=[],!e||!e.document||9!==e.document.nodeType)return i.isSupported=!1,i;let{document:r}=e;const n=r,a=n.currentScript,{DocumentFragment:l,HTMLTemplateElement:c,Node:_,Element:v,NodeFilter:O,NamedNodeMap:D=e.NamedNodeMap||e.MozNamedAttrMap,HTMLFormElement:q,DOMParser:$,trustedTypes:z}=e,R=v.prototype,H=w(R,"cloneNode"),X=w(R,"nextSibling"),J=w(R,"childNodes"),Q=w(R,"parentNode");if("function"==typeof c){const t=r.createElement("template");t.content&&t.content.ownerDocument&&(r=t.content.ownerDocument)}let K,tt="";const{implementation:et,createNodeIterator:it,createDocumentFragment:rt,getElementsByTagName:nt}=r,{importNode:ot}=n;let at={};i.isSupported="function"==typeof t&&"function"==typeof Q&&et&&void 0!==et.createHTMLDocument;const{MUSTACHE_EXPR:st,ERB_EXPR:lt,TMPLIT_EXPR:ct,DATA_ATTR:ht,ARIA_ATTR:ut,IS_SCRIPT_OR_DATA:dt,ATTR_WHITESPACE:ft}=U;let{IS_ALLOWED_URI:pt}=U,gt=null;const mt=k({},[...S,...B,...F,...A,...E]);let yt=null;const xt=k({},[...N,...j,...Z,...I]);let bt=Object.seal(s(null,{tagNameCheck:{writable:!0,configurable:!1,enumerable:!0,value:null},attributeNameCheck:{writable:!0,configurable:!1,enumerable:!0,value:null},allowCustomizedBuiltInElements:{writable:!0,configurable:!1,enumerable:!0,value:!1}})),Ct=null,_t=null,vt=!0,kt=!0,Tt=!1,wt=!0,St=!1,Bt=!1,Ft=!1,Lt=!1,At=!1,Mt=!1,Et=!1,Nt=!0,jt=!1;const Zt="user-content-";let It=!0,Ot=!1,Dt={},qt=null;const $t=k({},["annotation-xml","audio","colgroup","desc","foreignobject","head","iframe","math","mi","mn","mo","ms","mtext","noembed","noframes","noscript","plaintext","script","style","svg","template","thead","title","video","xmp"]);let zt=null;const Pt=k({},["audio","video","img","source","image","track"]);let Rt=null;const Ht=k({},["alt","class","for","id","label","name","pattern","placeholder","role","summary","title","value","style","xmlns"]),Wt="http://www.w3.org/1998/Math/MathML",Ut="http://www.w3.org/2000/svg",Yt="http://www.w3.org/1999/xhtml";let Vt=Yt,Gt=!1,Xt=null;const Jt=k({},[Wt,Ut,Yt],p);let Qt=null;const Kt=["application/xhtml+xml","text/html"],te="text/html";let ee=null,ie=null;const re=r.createElement("form"),ne=function(t){return t instanceof RegExp||t instanceof Function},oe=function(){let t=arguments.length>0&&void 0!==arguments[0]?arguments[0]:{};if(!ie||ie!==t){if(t&&"object"==typeof t||(t={}),t=T(t),Qt=Qt=-1===Kt.indexOf(t.PARSER_MEDIA_TYPE)?te:t.PARSER_MEDIA_TYPE,ee="application/xhtml+xml"===Qt?p:f,gt="ALLOWED_TAGS"in t?k({},t.ALLOWED_TAGS,ee):mt,yt="ALLOWED_ATTR"in t?k({},t.ALLOWED_ATTR,ee):xt,Xt="ALLOWED_NAMESPACES"in t?k({},t.ALLOWED_NAMESPACES,p):Jt,Rt="ADD_URI_SAFE_ATTR"in t?k(T(Ht),t.ADD_URI_SAFE_ATTR,ee):Ht,zt="ADD_DATA_URI_TAGS"in t?k(T(Pt),t.ADD_DATA_URI_TAGS,ee):Pt,qt="FORBID_CONTENTS"in t?k({},t.FORBID_CONTENTS,ee):$t,Ct="FORBID_TAGS"in t?k({},t.FORBID_TAGS,ee):{},_t="FORBID_ATTR"in t?k({},t.FORBID_ATTR,ee):{},Dt="USE_PROFILES"in t&&t.USE_PROFILES,vt=!1!==t.ALLOW_ARIA_ATTR,kt=!1!==t.ALLOW_DATA_ATTR,Tt=t.ALLOW_UNKNOWN_PROTOCOLS||!1,wt=!1!==t.ALLOW_SELF_CLOSE_IN_ATTR,St=t.SAFE_FOR_TEMPLATES||!1,Bt=t.WHOLE_DOCUMENT||!1,At=t.RETURN_DOM||!1,Mt=t.RETURN_DOM_FRAGMENT||!1,Et=t.RETURN_TRUSTED_TYPE||!1,Lt=t.FORCE_BODY||!1,Nt=!1!==t.SANITIZE_DOM,jt=t.SANITIZE_NAMED_PROPS||!1,It=!1!==t.KEEP_CONTENT,Ot=t.IN_PLACE||!1,pt=t.ALLOWED_URI_REGEXP||P,Vt=t.NAMESPACE||Yt,bt=t.CUSTOM_ELEMENT_HANDLING||{},t.CUSTOM_ELEMENT_HANDLING&&ne(t.CUSTOM_ELEMENT_HANDLING.tagNameCheck)&&(bt.tagNameCheck=t.CUSTOM_ELEMENT_HANDLING.tagNameCheck),t.CUSTOM_ELEMENT_HANDLING&&ne(t.CUSTOM_ELEMENT_HANDLING.attributeNameCheck)&&(bt.attributeNameCheck=t.CUSTOM_ELEMENT_HANDLING.attributeNameCheck),t.CUSTOM_ELEMENT_HANDLING&&"boolean"==typeof t.CUSTOM_ELEMENT_HANDLING.allowCustomizedBuiltInElements&&(bt.allowCustomizedBuiltInElements=t.CUSTOM_ELEMENT_HANDLING.allowCustomizedBuiltInElements),St&&(kt=!1),Mt&&(At=!0),Dt&&(gt=k({},[...E]),yt=[],!0===Dt.html&&(k(gt,S),k(yt,N)),!0===Dt.svg&&(k(gt,B),k(yt,j),k(yt,I)),!0===Dt.svgFilters&&(k(gt,F),k(yt,j),k(yt,I)),!0===Dt.mathMl&&(k(gt,A),k(yt,Z),k(yt,I))),t.ADD_TAGS&&(gt===mt&&(gt=T(gt)),k(gt,t.ADD_TAGS,ee)),t.ADD_ATTR&&(yt===xt&&(yt=T(yt)),k(yt,t.ADD_ATTR,ee)),t.ADD_URI_SAFE_ATTR&&k(Rt,t.ADD_URI_SAFE_ATTR,ee),t.FORBID_CONTENTS&&(qt===$t&&(qt=T(qt)),k(qt,t.FORBID_CONTENTS,ee)),It&&(gt["#text"]=!0),Bt&&k(gt,["html","head","body"]),gt.table&&(k(gt,["tbody"]),delete Ct.tbody),t.TRUSTED_TYPES_POLICY){if("function"!=typeof t.TRUSTED_TYPES_POLICY.createHTML)throw C('TRUSTED_TYPES_POLICY configuration option must provide a "createHTML" hook.');if("function"!=typeof t.TRUSTED_TYPES_POLICY.createScriptURL)throw C('TRUSTED_TYPES_POLICY configuration option must provide a "createScriptURL" hook.');K=t.TRUSTED_TYPES_POLICY,tt=K.createHTML("")}else void 0===K&&(K=V(z,a)),null!==K&&"string"==typeof tt&&(tt=K.createHTML(""));o&&o(t),ie=t}},ae=k({},["mi","mo","mn","ms","mtext"]),se=k({},["foreignobject","desc","title","annotation-xml"]),le=k({},["title","style","font","a","script"]),ce=k({},B);k(ce,F),k(ce,L);const he=k({},A);k(he,M);const ue=function(t){let e=Q(t);e&&e.tagName||(e={namespaceURI:Vt,tagName:"template"});const i=f(t.tagName),r=f(e.tagName);return!!Xt[t.namespaceURI]&&(t.namespaceURI===Ut?e.namespaceURI===Yt?"svg"===i:e.namespaceURI===Wt?"svg"===i&&("annotation-xml"===r||ae[r]):Boolean(ce[i]):t.namespaceURI===Wt?e.namespaceURI===Yt?"math"===i:e.namespaceURI===Ut?"math"===i&&se[r]:Boolean(he[i]):t.namespaceURI===Yt?!(e.namespaceURI===Ut&&!se[r])&&!(e.namespaceURI===Wt&&!ae[r])&&!he[i]&&(le[i]||!ce[i]):!("application/xhtml+xml"!==Qt||!Xt[t.namespaceURI]))},de=function(t){d(i.removed,{element:t});try{t.parentNode.removeChild(t)}catch(e){t.remove()}},fe=function(t,e){try{d(i.removed,{attribute:e.getAttributeNode(t),from:e})}catch(r){d(i.removed,{attribute:null,from:e})}if(e.removeAttribute(t),"is"===t&&!yt[t])if(At||Mt)try{de(e)}catch(r){}else try{e.setAttribute(t,"")}catch(r){}},pe=function(t){let e=null,i=null;if(Lt)t="<remove></remove>"+t;else{const e=g(t,/^[\r\n\t ]+/);i=e&&e[0]}"application/xhtml+xml"===Qt&&Vt===Yt&&(t='<html xmlns="http://www.w3.org/1999/xhtml"><head></head><body>'+t+"</body></html>");const n=K?K.createHTML(t):t;if(Vt===Yt)try{e=(new $).parseFromString(n,Qt)}catch(a){}if(!e||!e.documentElement){e=et.createDocument(Vt,"template",null);try{e.documentElement.innerHTML=Gt?tt:n}catch(a){}}const o=e.body||e.documentElement;return t&&i&&o.insertBefore(r.createTextNode(i),o.childNodes[0]||null),Vt===Yt?nt.call(e,Bt?"html":"body")[0]:Bt?e.documentElement:o},ge=function(t){return it.call(t.ownerDocument||t,t,O.SHOW_ELEMENT|O.SHOW_COMMENT|O.SHOW_TEXT,null)},me=function(t){return t instanceof q&&("string"!=typeof t.nodeName||"string"!=typeof t.textContent||"function"!=typeof t.removeChild||!(t.attributes instanceof D)||"function"!=typeof t.removeAttribute||"function"!=typeof t.setAttribute||"string"!=typeof t.namespaceURI||"function"!=typeof t.insertBefore||"function"!=typeof t.hasChildNodes)},ye=function(t){return"function"==typeof _&&t instanceof _},xe=function(t,e,r){at[t]&&h(at[t],(t=>{t.call(i,e,r,ie)}))},be=function(t){let e=null;if(xe("beforeSanitizeElements",t,null),me(t))return de(t),!0;const r=ee(t.nodeName);if(xe("uponSanitizeElement",t,{tagName:r,allowedTags:gt}),t.hasChildNodes()&&!ye(t.firstElementChild)&&b(/<[/\w]/g,t.innerHTML)&&b(/<[/\w]/g,t.textContent))return de(t),!0;if(!gt[r]||Ct[r]){if(!Ct[r]&&_e(r)){if(bt.tagNameCheck instanceof RegExp&&b(bt.tagNameCheck,r))return!1;if(bt.tagNameCheck instanceof Function&&bt.tagNameCheck(r))return!1}if(It&&!qt[r]){const e=Q(t)||t.parentNode,i=J(t)||t.childNodes;if(i&&e)for(let r=i.length-1;r>=0;--r)e.insertBefore(H(i[r],!0),X(t))}return de(t),!0}return t instanceof v&&!ue(t)?(de(t),!0):"noscript"!==r&&"noembed"!==r&&"noframes"!==r||!b(/<\/no(script|embed|frames)/i,t.innerHTML)?(St&&3===t.nodeType&&(e=t.textContent,h([st,lt,ct],(t=>{e=m(e,t," ")})),t.textContent!==e&&(d(i.removed,{element:t.cloneNode()}),t.textContent=e)),xe("afterSanitizeElements",t,null),!1):(de(t),!0)},Ce=function(t,e,i){if(Nt&&("id"===e||"name"===e)&&(i in r||i in re))return!1;if(kt&&!_t[e]&&b(ht,e));else if(vt&&b(ut,e));else if(!yt[e]||_t[e]){if(!(_e(t)&&(bt.tagNameCheck instanceof RegExp&&b(bt.tagNameCheck,t)||bt.tagNameCheck instanceof Function&&bt.tagNameCheck(t))&&(bt.attributeNameCheck instanceof RegExp&&b(bt.attributeNameCheck,e)||bt.attributeNameCheck instanceof Function&&bt.attributeNameCheck(e))||"is"===e&&bt.allowCustomizedBuiltInElements&&(bt.tagNameCheck instanceof RegExp&&b(bt.tagNameCheck,i)||bt.tagNameCheck instanceof Function&&bt.tagNameCheck(i))))return!1}else if(Rt[e]);else if(b(pt,m(i,ft,"")));else if("src"!==e&&"xlink:href"!==e&&"href"!==e||"script"===t||0!==y(i,"data:")||!zt[t])if(Tt&&!b(dt,m(i,ft,"")));else if(i)return!1;return!0},_e=function(t){return t.indexOf("-")>0},ve=function(t){xe("beforeSanitizeAttributes",t,null);const{attributes:e}=t;if(!e)return;const r={attrName:"",attrValue:"",keepAttr:!0,allowedAttributes:yt};let n=e.length;for(;n--;){const a=e[n],{name:s,namespaceURI:l,value:c}=a,d=ee(s);let f="value"===s?c:x(c);if(r.attrName=d,r.attrValue=f,r.keepAttr=!0,r.forceKeepAttr=void 0,xe("uponSanitizeAttribute",t,r),f=r.attrValue,r.forceKeepAttr)continue;if(fe(s,t),!r.keepAttr)continue;if(!wt&&b(/\/>/i,f)){fe(s,t);continue}St&&h([st,lt,ct],(t=>{f=m(f,t," ")}));const p=ee(t.nodeName);if(Ce(p,d,f)){if(!jt||"id"!==d&&"name"!==d||(fe(s,t),f=Zt+f),K&&"object"==typeof z&&"function"==typeof z.getAttributeType)if(l);else switch(z.getAttributeType(p,d)){case"TrustedHTML":f=K.createHTML(f);break;case"TrustedScriptURL":f=K.createScriptURL(f)}try{l?t.setAttributeNS(l,s,f):t.setAttribute(s,f),u(i.removed)}catch(o){}}}xe("afterSanitizeAttributes",t,null)},ke=function t(e){let i=null;const r=ge(e);for(xe("beforeSanitizeShadowDOM",e,null);i=r.nextNode();)xe("uponSanitizeShadowNode",i,null),be(i)||(i.content instanceof l&&t(i.content),ve(i));xe("afterSanitizeShadowDOM",e,null)};return i.sanitize=function(t){let e=arguments.length>1&&void 0!==arguments[1]?arguments[1]:{},r=null,o=null,a=null,s=null;if(Gt=!t,Gt&&(t="\x3c!--\x3e"),"string"!=typeof t&&!ye(t)){if("function"!=typeof t.toString)throw C("toString is not a function");if("string"!=typeof(t=t.toString()))throw C("dirty is not a string, aborting")}if(!i.isSupported)return t;if(Ft||oe(e),i.removed=[],"string"==typeof t&&(Ot=!1),Ot){if(t.nodeName){const e=ee(t.nodeName);if(!gt[e]||Ct[e])throw C("root node is forbidden and cannot be sanitized in-place")}}else if(t instanceof _)r=pe("\x3c!----\x3e"),o=r.ownerDocument.importNode(t,!0),1===o.nodeType&&"BODY"===o.nodeName||"HTML"===o.nodeName?r=o:r.appendChild(o);else{if(!At&&!St&&!Bt&&-1===t.indexOf("<"))return K&&Et?K.createHTML(t):t;if(r=pe(t),!r)return At?null:Et?tt:""}r&&Lt&&de(r.firstChild);const c=ge(Ot?t:r);for(;a=c.nextNode();)be(a)||(a.content instanceof l&&ke(a.content),ve(a));if(Ot)return t;if(At){if(Mt)for(s=rt.call(r.ownerDocument);r.firstChild;)s.appendChild(r.firstChild);else s=r;return(yt.shadowroot||yt.shadowrootmode)&&(s=ot.call(n,s,!0)),s}let u=Bt?r.outerHTML:r.innerHTML;return Bt&>["!doctype"]&&r.ownerDocument&&r.ownerDocument.doctype&&r.ownerDocument.doctype.name&&b(W,r.ownerDocument.doctype.name)&&(u="<!DOCTYPE "+r.ownerDocument.doctype.name+">\n"+u),St&&h([st,lt,ct],(t=>{u=m(u,t," ")})),K&&Et?K.createHTML(u):u},i.setConfig=function(){oe(arguments.length>0&&void 0!==arguments[0]?arguments[0]:{}),Ft=!0},i.clearConfig=function(){ie=null,Ft=!1},i.isValidAttribute=function(t,e,i){ie||oe({});const r=ee(t),n=ee(e);return Ce(r,n,i)},i.addHook=function(t,e){"function"==typeof e&&(at[t]=at[t]||[],d(at[t],e))},i.removeHook=function(t){if(at[t])return u(at[t])},i.removeHooks=function(t){at[t]&&(at[t]=[])},i.removeAllHooks=function(){at={}},i}return G()}()},7594:(t,e)=>{function i(t){let e,i=[];for(let r of t.split(",").map((t=>t.trim())))if(/^-?\d+$/.test(r))i.push(parseInt(r,10));else if(e=r.match(/^(-?\d+)(-|\.\.\.?|\u2025|\u2026|\u22EF)(-?\d+)$/)){let[t,r,n,o]=e;if(r&&o){r=parseInt(r),o=parseInt(o);const t=r<o?1:-1;"-"!==n&&".."!==n&&"\u2025"!==n||(o+=t);for(let e=r;e!==o;e+=t)i.push(e)}}return i}e.default=i,t.exports=i},8464:(t,e,i)=>{"use strict";function r(t){for(var e=[],i=1;i<arguments.length;i++)e[i-1]=arguments[i];var r=Array.from("string"==typeof t?[t]:t);r[r.length-1]=r[r.length-1].replace(/\r?\n([\t ]*)$/,"");var n=r.reduce((function(t,e){var i=e.match(/\n([\t ]+|(?!\s).)/g);return i?t.concat(i.map((function(t){var e,i;return null!==(i=null===(e=t.match(/[\t ]/g))||void 0===e?void 0:e.length)&&void 0!==i?i:0}))):t}),[]);if(n.length){var o=new RegExp("\n[\t ]{"+Math.min.apply(Math,n)+"}","g");r=r.map((function(t){return t.replace(o,"\n")}))}r[0]=r[0].replace(/^\r?\n/,"");var a=r[0];return e.forEach((function(t,e){var i=a.match(/(?:^|\n)( *)$/),n=i?i[1]:"",o=t;"string"==typeof t&&t.includes("\n")&&(o=String(t).split("\n").map((function(t,e){return 0===e?t:""+n+t})).join("\n")),a+=o+r[e+1]})),a}i.d(e,{Z:()=>r})},1151:(t,e,i)=>{"use strict";i.d(e,{Z:()=>s,a:()=>a});var r=i(7294);const n={},o=r.createContext(n);function a(t){const e=r.useContext(o);return r.useMemo((function(){return"function"==typeof t?t(e):{...e,...t}}),[e,t])}function s(t){let e;return e=t.disableParentContext?"function"==typeof t.components?t.components(n):t.components||n:a(t.components),r.createElement(o.Provider,{value:e},t.children)}},4218:(t,e,i)=>{"use strict";function r(t,e){let i;if(void 0===e)for(const r of t)null!=r&&(i<r||void 0===i&&r>=r)&&(i=r);else{let r=-1;for(let n of t)null!=(n=e(n,++r,t))&&(i<n||void 0===i&&n>=n)&&(i=n)}return i}function n(t,e){let i;if(void 0===e)for(const r of t)null!=r&&(i>r||void 0===i&&r>=r)&&(i=r);else{let r=-1;for(let n of t)null!=(n=e(n,++r,t))&&(i>n||void 0===i&&n>=n)&&(i=n)}return i}function o(t){return t}i.d(e,{Nb1:()=>cs,LLu:()=>x,F5q:()=>y,$0Z:()=>vs,Dts:()=>Ts,WQY:()=>Ss,qpX:()=>Fs,u93:()=>Ls,tFB:()=>Ms,YY7:()=>js,OvA:()=>Is,dCK:()=>Ds,zgE:()=>zs,fGX:()=>Rs,$m7:()=>Ws,c_6:()=>ds,fxm:()=>Ys,FdL:()=>el,ak_:()=>il,SxZ:()=>ol,eA_:()=>sl,jsv:()=>cl,iJ:()=>ll,JHv:()=>pr,jvg:()=>gs,Fp7:()=>r,VV$:()=>n,ve8:()=>xs,tiA:()=>kr,BYU:()=>mn,PKp:()=>vr,Xf:()=>Na,K2I:()=>ja,Ys:()=>Za,td_:()=>Ia,YPS:()=>Yi,rr1:()=>Nn,i$Z:()=>uo,y2j:()=>Pn,WQD:()=>Mn,U8T:()=>Bn,Z_i:()=>Ln,Ox9:()=>Dn,F0B:()=>Qn,LqH:()=>Rn,S1K:()=>Fn,Zyz:()=>On,Igq:()=>zn,YDX:()=>qn,EFj:()=>$n});var a=1,s=2,l=3,c=4,h=1e-6;function u(t){return"translate("+t+",0)"}function d(t){return"translate(0,"+t+")"}function f(t){return e=>+t(e)}function p(t,e){return e=Math.max(0,t.bandwidth()-2*e)/2,t.round()&&(e=Math.round(e)),i=>+t(i)+e}function g(){return!this.__axis}function m(t,e){var i=[],r=null,n=null,m=6,y=6,x=3,b="undefined"!=typeof window&&window.devicePixelRatio>1?0:.5,C=t===a||t===c?-1:1,_=t===c||t===s?"x":"y",v=t===a||t===l?u:d;function k(u){var d=null==r?e.ticks?e.ticks.apply(e,i):e.domain():r,k=null==n?e.tickFormat?e.tickFormat.apply(e,i):o:n,T=Math.max(m,0)+x,w=e.range(),S=+w[0]+b,B=+w[w.length-1]+b,F=(e.bandwidth?p:f)(e.copy(),b),L=u.selection?u.selection():u,A=L.selectAll(".domain").data([null]),M=L.selectAll(".tick").data(d,e).order(),E=M.exit(),N=M.enter().append("g").attr("class","tick"),j=M.select("line"),Z=M.select("text");A=A.merge(A.enter().insert("path",".tick").attr("class","domain").attr("stroke","currentColor")),M=M.merge(N),j=j.merge(N.append("line").attr("stroke","currentColor").attr(_+"2",C*m)),Z=Z.merge(N.append("text").attr("fill","currentColor").attr(_,C*T).attr("dy",t===a?"0em":t===l?"0.71em":"0.32em")),u!==L&&(A=A.transition(u),M=M.transition(u),j=j.transition(u),Z=Z.transition(u),E=E.transition(u).attr("opacity",h).attr("transform",(function(t){return isFinite(t=F(t))?v(t+b):this.getAttribute("transform")})),N.attr("opacity",h).attr("transform",(function(t){var e=this.parentNode.__axis;return v((e&&isFinite(e=e(t))?e:F(t))+b)}))),E.remove(),A.attr("d",t===c||t===s?y?"M"+C*y+","+S+"H"+b+"V"+B+"H"+C*y:"M"+b+","+S+"V"+B:y?"M"+S+","+C*y+"V"+b+"H"+B+"V"+C*y:"M"+S+","+b+"H"+B),M.attr("opacity",1).attr("transform",(function(t){return v(F(t)+b)})),j.attr(_+"2",C*m),Z.attr(_,C*T).text(k),L.filter(g).attr("fill","none").attr("font-size",10).attr("font-family","sans-serif").attr("text-anchor",t===s?"start":t===c?"end":"middle"),L.each((function(){this.__axis=F}))}return k.scale=function(t){return arguments.length?(e=t,k):e},k.ticks=function(){return i=Array.from(arguments),k},k.tickArguments=function(t){return arguments.length?(i=null==t?[]:Array.from(t),k):i.slice()},k.tickValues=function(t){return arguments.length?(r=null==t?null:Array.from(t),k):r&&r.slice()},k.tickFormat=function(t){return arguments.length?(n=t,k):n},k.tickSize=function(t){return arguments.length?(m=y=+t,k):m},k.tickSizeInner=function(t){return arguments.length?(m=+t,k):m},k.tickSizeOuter=function(t){return arguments.length?(y=+t,k):y},k.tickPadding=function(t){return arguments.length?(x=+t,k):x},k.offset=function(t){return arguments.length?(b=+t,k):b},k}function y(t){return m(a,t)}function x(t){return m(l,t)}function b(){}function C(t){return null==t?b:function(){return this.querySelector(t)}}function _(t){return null==t?[]:Array.isArray(t)?t:Array.from(t)}function v(){return[]}function k(t){return null==t?v:function(){return this.querySelectorAll(t)}}function T(t){return function(){return this.matches(t)}}function w(t){return function(e){return e.matches(t)}}var S=Array.prototype.find;function B(){return this.firstElementChild}var F=Array.prototype.filter;function L(){return Array.from(this.children)}function A(t){return new Array(t.length)}function M(t,e){this.ownerDocument=t.ownerDocument,this.namespaceURI=t.namespaceURI,this._next=null,this._parent=t,this.__data__=e}function E(t,e,i,r,n,o){for(var a,s=0,l=e.length,c=o.length;s<c;++s)(a=e[s])?(a.__data__=o[s],r[s]=a):i[s]=new M(t,o[s]);for(;s<l;++s)(a=e[s])&&(n[s]=a)}function N(t,e,i,r,n,o,a){var s,l,c,h=new Map,u=e.length,d=o.length,f=new Array(u);for(s=0;s<u;++s)(l=e[s])&&(f[s]=c=a.call(l,l.__data__,s,e)+"",h.has(c)?n[s]=l:h.set(c,l));for(s=0;s<d;++s)c=a.call(t,o[s],s,o)+"",(l=h.get(c))?(r[s]=l,l.__data__=o[s],h.delete(c)):i[s]=new M(t,o[s]);for(s=0;s<u;++s)(l=e[s])&&h.get(f[s])===l&&(n[s]=l)}function j(t){return t.__data__}function Z(t){return"object"==typeof t&&"length"in t?t:Array.from(t)}function I(t,e){return t<e?-1:t>e?1:t>=e?0:NaN}M.prototype={constructor:M,appendChild:function(t){return this._parent.insertBefore(t,this._next)},insertBefore:function(t,e){return this._parent.insertBefore(t,e)},querySelector:function(t){return this._parent.querySelector(t)},querySelectorAll:function(t){return this._parent.querySelectorAll(t)}};var O="http://www.w3.org/1999/xhtml";const D={svg:"http://www.w3.org/2000/svg",xhtml:O,xlink:"http://www.w3.org/1999/xlink",xml:"http://www.w3.org/XML/1998/namespace",xmlns:"http://www.w3.org/2000/xmlns/"};function q(t){var e=t+="",i=e.indexOf(":");return i>=0&&"xmlns"!==(e=t.slice(0,i))&&(t=t.slice(i+1)),D.hasOwnProperty(e)?{space:D[e],local:t}:t}function $(t){return function(){this.removeAttribute(t)}}function z(t){return function(){this.removeAttributeNS(t.space,t.local)}}function P(t,e){return function(){this.setAttribute(t,e)}}function R(t,e){return function(){this.setAttributeNS(t.space,t.local,e)}}function H(t,e){return function(){var i=e.apply(this,arguments);null==i?this.removeAttribute(t):this.setAttribute(t,i)}}function W(t,e){return function(){var i=e.apply(this,arguments);null==i?this.removeAttributeNS(t.space,t.local):this.setAttributeNS(t.space,t.local,i)}}function U(t){return t.ownerDocument&&t.ownerDocument.defaultView||t.document&&t||t.defaultView}function Y(t){return function(){this.style.removeProperty(t)}}function V(t,e,i){return function(){this.style.setProperty(t,e,i)}}function G(t,e,i){return function(){var r=e.apply(this,arguments);null==r?this.style.removeProperty(t):this.style.setProperty(t,r,i)}}function X(t,e){return t.style.getPropertyValue(e)||U(t).getComputedStyle(t,null).getPropertyValue(e)}function J(t){return function(){delete this[t]}}function Q(t,e){return function(){this[t]=e}}function K(t,e){return function(){var i=e.apply(this,arguments);null==i?delete this[t]:this[t]=i}}function tt(t){return t.trim().split(/^|\s+/)}function et(t){return t.classList||new it(t)}function it(t){this._node=t,this._names=tt(t.getAttribute("class")||"")}function rt(t,e){for(var i=et(t),r=-1,n=e.length;++r<n;)i.add(e[r])}function nt(t,e){for(var i=et(t),r=-1,n=e.length;++r<n;)i.remove(e[r])}function ot(t){return function(){rt(this,t)}}function at(t){return function(){nt(this,t)}}function st(t,e){return function(){(e.apply(this,arguments)?rt:nt)(this,t)}}function lt(){this.textContent=""}function ct(t){return function(){this.textContent=t}}function ht(t){return function(){var e=t.apply(this,arguments);this.textContent=null==e?"":e}}function ut(){this.innerHTML=""}function dt(t){return function(){this.innerHTML=t}}function ft(t){return function(){var e=t.apply(this,arguments);this.innerHTML=null==e?"":e}}function pt(){this.nextSibling&&this.parentNode.appendChild(this)}function gt(){this.previousSibling&&this.parentNode.insertBefore(this,this.parentNode.firstChild)}function mt(t){return function(){var e=this.ownerDocument,i=this.namespaceURI;return i===O&&e.documentElement.namespaceURI===O?e.createElement(t):e.createElementNS(i,t)}}function yt(t){return function(){return this.ownerDocument.createElementNS(t.space,t.local)}}function xt(t){var e=q(t);return(e.local?yt:mt)(e)}function bt(){return null}function Ct(){var t=this.parentNode;t&&t.removeChild(this)}function _t(){var t=this.cloneNode(!1),e=this.parentNode;return e?e.insertBefore(t,this.nextSibling):t}function vt(){var t=this.cloneNode(!0),e=this.parentNode;return e?e.insertBefore(t,this.nextSibling):t}function kt(t){return function(){var e=this.__on;if(e){for(var i,r=0,n=-1,o=e.length;r<o;++r)i=e[r],t.type&&i.type!==t.type||i.name!==t.name?e[++n]=i:this.removeEventListener(i.type,i.listener,i.options);++n?e.length=n:delete this.__on}}}function Tt(t,e,i){return function(){var r,n=this.__on,o=function(t){return function(e){t.call(this,e,this.__data__)}}(e);if(n)for(var a=0,s=n.length;a<s;++a)if((r=n[a]).type===t.type&&r.name===t.name)return this.removeEventListener(r.type,r.listener,r.options),this.addEventListener(r.type,r.listener=o,r.options=i),void(r.value=e);this.addEventListener(t.type,o,i),r={type:t.type,name:t.name,value:e,listener:o,options:i},n?n.push(r):this.__on=[r]}}function wt(t,e,i){var r=U(t),n=r.CustomEvent;"function"==typeof n?n=new n(e,i):(n=r.document.createEvent("Event"),i?(n.initEvent(e,i.bubbles,i.cancelable),n.detail=i.detail):n.initEvent(e,!1,!1)),t.dispatchEvent(n)}function St(t,e){return function(){return wt(this,t,e)}}function Bt(t,e){return function(){return wt(this,t,e.apply(this,arguments))}}it.prototype={add:function(t){this._names.indexOf(t)<0&&(this._names.push(t),this._node.setAttribute("class",this._names.join(" ")))},remove:function(t){var e=this._names.indexOf(t);e>=0&&(this._names.splice(e,1),this._node.setAttribute("class",this._names.join(" ")))},contains:function(t){return this._names.indexOf(t)>=0}};var Ft=[null];function Lt(t,e){this._groups=t,this._parents=e}function At(){return new Lt([[document.documentElement]],Ft)}Lt.prototype=At.prototype={constructor:Lt,select:function(t){"function"!=typeof t&&(t=C(t));for(var e=this._groups,i=e.length,r=new Array(i),n=0;n<i;++n)for(var o,a,s=e[n],l=s.length,c=r[n]=new Array(l),h=0;h<l;++h)(o=s[h])&&(a=t.call(o,o.__data__,h,s))&&("__data__"in o&&(a.__data__=o.__data__),c[h]=a);return new Lt(r,this._parents)},selectAll:function(t){t="function"==typeof t?function(t){return function(){return _(t.apply(this,arguments))}}(t):k(t);for(var e=this._groups,i=e.length,r=[],n=[],o=0;o<i;++o)for(var a,s=e[o],l=s.length,c=0;c<l;++c)(a=s[c])&&(r.push(t.call(a,a.__data__,c,s)),n.push(a));return new Lt(r,n)},selectChild:function(t){return this.select(null==t?B:function(t){return function(){return S.call(this.children,t)}}("function"==typeof t?t:w(t)))},selectChildren:function(t){return this.selectAll(null==t?L:function(t){return function(){return F.call(this.children,t)}}("function"==typeof t?t:w(t)))},filter:function(t){"function"!=typeof t&&(t=T(t));for(var e=this._groups,i=e.length,r=new Array(i),n=0;n<i;++n)for(var o,a=e[n],s=a.length,l=r[n]=[],c=0;c<s;++c)(o=a[c])&&t.call(o,o.__data__,c,a)&&l.push(o);return new Lt(r,this._parents)},data:function(t,e){if(!arguments.length)return Array.from(this,j);var i,r=e?N:E,n=this._parents,o=this._groups;"function"!=typeof t&&(i=t,t=function(){return i});for(var a=o.length,s=new Array(a),l=new Array(a),c=new Array(a),h=0;h<a;++h){var u=n[h],d=o[h],f=d.length,p=Z(t.call(u,u&&u.__data__,h,n)),g=p.length,m=l[h]=new Array(g),y=s[h]=new Array(g);r(u,d,m,y,c[h]=new Array(f),p,e);for(var x,b,C=0,_=0;C<g;++C)if(x=m[C]){for(C>=_&&(_=C+1);!(b=y[_])&&++_<g;);x._next=b||null}}return(s=new Lt(s,n))._enter=l,s._exit=c,s},enter:function(){return new Lt(this._enter||this._groups.map(A),this._parents)},exit:function(){return new Lt(this._exit||this._groups.map(A),this._parents)},join:function(t,e,i){var r=this.enter(),n=this,o=this.exit();return"function"==typeof t?(r=t(r))&&(r=r.selection()):r=r.append(t+""),null!=e&&(n=e(n))&&(n=n.selection()),null==i?o.remove():i(o),r&&n?r.merge(n).order():n},merge:function(t){for(var e=t.selection?t.selection():t,i=this._groups,r=e._groups,n=i.length,o=r.length,a=Math.min(n,o),s=new Array(n),l=0;l<a;++l)for(var c,h=i[l],u=r[l],d=h.length,f=s[l]=new Array(d),p=0;p<d;++p)(c=h[p]||u[p])&&(f[p]=c);for(;l<n;++l)s[l]=i[l];return new Lt(s,this._parents)},selection:function(){return this},order:function(){for(var t=this._groups,e=-1,i=t.length;++e<i;)for(var r,n=t[e],o=n.length-1,a=n[o];--o>=0;)(r=n[o])&&(a&&4^r.compareDocumentPosition(a)&&a.parentNode.insertBefore(r,a),a=r);return this},sort:function(t){function e(e,i){return e&&i?t(e.__data__,i.__data__):!e-!i}t||(t=I);for(var i=this._groups,r=i.length,n=new Array(r),o=0;o<r;++o){for(var a,s=i[o],l=s.length,c=n[o]=new Array(l),h=0;h<l;++h)(a=s[h])&&(c[h]=a);c.sort(e)}return new Lt(n,this._parents).order()},call:function(){var t=arguments[0];return arguments[0]=this,t.apply(null,arguments),this},nodes:function(){return Array.from(this)},node:function(){for(var t=this._groups,e=0,i=t.length;e<i;++e)for(var r=t[e],n=0,o=r.length;n<o;++n){var a=r[n];if(a)return a}return null},size:function(){let t=0;for(const e of this)++t;return t},empty:function(){return!this.node()},each:function(t){for(var e=this._groups,i=0,r=e.length;i<r;++i)for(var n,o=e[i],a=0,s=o.length;a<s;++a)(n=o[a])&&t.call(n,n.__data__,a,o);return this},attr:function(t,e){var i=q(t);if(arguments.length<2){var r=this.node();return i.local?r.getAttributeNS(i.space,i.local):r.getAttribute(i)}return this.each((null==e?i.local?z:$:"function"==typeof e?i.local?W:H:i.local?R:P)(i,e))},style:function(t,e,i){return arguments.length>1?this.each((null==e?Y:"function"==typeof e?G:V)(t,e,null==i?"":i)):X(this.node(),t)},property:function(t,e){return arguments.length>1?this.each((null==e?J:"function"==typeof e?K:Q)(t,e)):this.node()[t]},classed:function(t,e){var i=tt(t+"");if(arguments.length<2){for(var r=et(this.node()),n=-1,o=i.length;++n<o;)if(!r.contains(i[n]))return!1;return!0}return this.each(("function"==typeof e?st:e?ot:at)(i,e))},text:function(t){return arguments.length?this.each(null==t?lt:("function"==typeof t?ht:ct)(t)):this.node().textContent},html:function(t){return arguments.length?this.each(null==t?ut:("function"==typeof t?ft:dt)(t)):this.node().innerHTML},raise:function(){return this.each(pt)},lower:function(){return this.each(gt)},append:function(t){var e="function"==typeof t?t:xt(t);return this.select((function(){return this.appendChild(e.apply(this,arguments))}))},insert:function(t,e){var i="function"==typeof t?t:xt(t),r=null==e?bt:"function"==typeof e?e:C(e);return this.select((function(){return this.insertBefore(i.apply(this,arguments),r.apply(this,arguments)||null)}))},remove:function(){return this.each(Ct)},clone:function(t){return this.select(t?vt:_t)},datum:function(t){return arguments.length?this.property("__data__",t):this.node().__data__},on:function(t,e,i){var r,n,o=function(t){return t.trim().split(/^|\s+/).map((function(t){var e="",i=t.indexOf(".");return i>=0&&(e=t.slice(i+1),t=t.slice(0,i)),{type:t,name:e}}))}(t+""),a=o.length;if(!(arguments.length<2)){for(s=e?Tt:kt,r=0;r<a;++r)this.each(s(o[r],e,i));return this}var s=this.node().__on;if(s)for(var l,c=0,h=s.length;c<h;++c)for(r=0,l=s[c];r<a;++r)if((n=o[r]).type===l.type&&n.name===l.name)return l.value},dispatch:function(t,e){return this.each(("function"==typeof e?Bt:St)(t,e))},[Symbol.iterator]:function*(){for(var t=this._groups,e=0,i=t.length;e<i;++e)for(var r,n=t[e],o=0,a=n.length;o<a;++o)(r=n[o])&&(yield r)}};const Mt=At;var Et={value:()=>{}};function Nt(){for(var t,e=0,i=arguments.length,r={};e<i;++e){if(!(t=arguments[e]+"")||t in r||/[\s.]/.test(t))throw new Error("illegal type: "+t);r[t]=[]}return new jt(r)}function jt(t){this._=t}function Zt(t,e){for(var i,r=0,n=t.length;r<n;++r)if((i=t[r]).name===e)return i.value}function It(t,e,i){for(var r=0,n=t.length;r<n;++r)if(t[r].name===e){t[r]=Et,t=t.slice(0,r).concat(t.slice(r+1));break}return null!=i&&t.push({name:e,value:i}),t}jt.prototype=Nt.prototype={constructor:jt,on:function(t,e){var i,r,n=this._,o=(r=n,(t+"").trim().split(/^|\s+/).map((function(t){var e="",i=t.indexOf(".");if(i>=0&&(e=t.slice(i+1),t=t.slice(0,i)),t&&!r.hasOwnProperty(t))throw new Error("unknown type: "+t);return{type:t,name:e}}))),a=-1,s=o.length;if(!(arguments.length<2)){if(null!=e&&"function"!=typeof e)throw new Error("invalid callback: "+e);for(;++a<s;)if(i=(t=o[a]).type)n[i]=It(n[i],t.name,e);else if(null==e)for(i in n)n[i]=It(n[i],t.name,null);return this}for(;++a<s;)if((i=(t=o[a]).type)&&(i=Zt(n[i],t.name)))return i},copy:function(){var t={},e=this._;for(var i in e)t[i]=e[i].slice();return new jt(t)},call:function(t,e){if((i=arguments.length-2)>0)for(var i,r,n=new Array(i),o=0;o<i;++o)n[o]=arguments[o+2];if(!this._.hasOwnProperty(t))throw new Error("unknown type: "+t);for(o=0,i=(r=this._[t]).length;o<i;++o)r[o].value.apply(e,n)},apply:function(t,e,i){if(!this._.hasOwnProperty(t))throw new Error("unknown type: "+t);for(var r=this._[t],n=0,o=r.length;n<o;++n)r[n].value.apply(e,i)}};const Ot=Nt;var Dt,qt,$t=0,zt=0,Pt=0,Rt=1e3,Ht=0,Wt=0,Ut=0,Yt="object"==typeof performance&&performance.now?performance:Date,Vt="object"==typeof window&&window.requestAnimationFrame?window.requestAnimationFrame.bind(window):function(t){setTimeout(t,17)};function Gt(){return Wt||(Vt(Xt),Wt=Yt.now()+Ut)}function Xt(){Wt=0}function Jt(){this._call=this._time=this._next=null}function Qt(t,e,i){var r=new Jt;return r.restart(t,e,i),r}function Kt(){Wt=(Ht=Yt.now())+Ut,$t=zt=0;try{!function(){Gt(),++$t;for(var t,e=Dt;e;)(t=Wt-e._time)>=0&&e._call.call(void 0,t),e=e._next;--$t}()}finally{$t=0,function(){var t,e,i=Dt,r=1/0;for(;i;)i._call?(r>i._time&&(r=i._time),t=i,i=i._next):(e=i._next,i._next=null,i=t?t._next=e:Dt=e);qt=t,ee(r)}(),Wt=0}}function te(){var t=Yt.now(),e=t-Ht;e>Rt&&(Ut-=e,Ht=t)}function ee(t){$t||(zt&&(zt=clearTimeout(zt)),t-Wt>24?(t<1/0&&(zt=setTimeout(Kt,t-Yt.now()-Ut)),Pt&&(Pt=clearInterval(Pt))):(Pt||(Ht=Yt.now(),Pt=setInterval(te,Rt)),$t=1,Vt(Kt)))}function ie(t,e,i){var r=new Jt;return e=null==e?0:+e,r.restart((i=>{r.stop(),t(i+e)}),e,i),r}Jt.prototype=Qt.prototype={constructor:Jt,restart:function(t,e,i){if("function"!=typeof t)throw new TypeError("callback is not a function");i=(null==i?Gt():+i)+(null==e?0:+e),this._next||qt===this||(qt?qt._next=this:Dt=this,qt=this),this._call=t,this._time=i,ee()},stop:function(){this._call&&(this._call=null,this._time=1/0,ee())}};var re=Ot("start","end","cancel","interrupt"),ne=[],oe=0,ae=1,se=2,le=3,ce=4,he=5,ue=6;function de(t,e,i,r,n,o){var a=t.__transition;if(a){if(i in a)return}else t.__transition={};!function(t,e,i){var r,n=t.__transition;function o(t){i.state=ae,i.timer.restart(a,i.delay,i.time),i.delay<=t&&a(t-i.delay)}function a(o){var c,h,u,d;if(i.state!==ae)return l();for(c in n)if((d=n[c]).name===i.name){if(d.state===le)return ie(a);d.state===ce?(d.state=ue,d.timer.stop(),d.on.call("interrupt",t,t.__data__,d.index,d.group),delete n[c]):+c<e&&(d.state=ue,d.timer.stop(),d.on.call("cancel",t,t.__data__,d.index,d.group),delete n[c])}if(ie((function(){i.state===le&&(i.state=ce,i.timer.restart(s,i.delay,i.time),s(o))})),i.state=se,i.on.call("start",t,t.__data__,i.index,i.group),i.state===se){for(i.state=le,r=new Array(u=i.tween.length),c=0,h=-1;c<u;++c)(d=i.tween[c].value.call(t,t.__data__,i.index,i.group))&&(r[++h]=d);r.length=h+1}}function s(e){for(var n=e<i.duration?i.ease.call(null,e/i.duration):(i.timer.restart(l),i.state=he,1),o=-1,a=r.length;++o<a;)r[o].call(t,n);i.state===he&&(i.on.call("end",t,t.__data__,i.index,i.group),l())}function l(){for(var r in i.state=ue,i.timer.stop(),delete n[e],n)return;delete t.__transition}n[e]=i,i.timer=Qt(o,0,i.time)}(t,i,{name:e,index:r,group:n,on:re,tween:ne,time:o.time,delay:o.delay,duration:o.duration,ease:o.ease,timer:null,state:oe})}function fe(t,e){var i=ge(t,e);if(i.state>oe)throw new Error("too late; already scheduled");return i}function pe(t,e){var i=ge(t,e);if(i.state>le)throw new Error("too late; already running");return i}function ge(t,e){var i=t.__transition;if(!i||!(i=i[e]))throw new Error("transition not found");return i}function me(t,e){return t=+t,e=+e,function(i){return t*(1-i)+e*i}}var ye,xe=180/Math.PI,be={translateX:0,translateY:0,rotate:0,skewX:0,scaleX:1,scaleY:1};function Ce(t,e,i,r,n,o){var a,s,l;return(a=Math.sqrt(t*t+e*e))&&(t/=a,e/=a),(l=t*i+e*r)&&(i-=t*l,r-=e*l),(s=Math.sqrt(i*i+r*r))&&(i/=s,r/=s,l/=s),t*r<e*i&&(t=-t,e=-e,l=-l,a=-a),{translateX:n,translateY:o,rotate:Math.atan2(e,t)*xe,skewX:Math.atan(l)*xe,scaleX:a,scaleY:s}}function _e(t,e,i,r){function n(t){return t.length?t.pop()+" ":""}return function(o,a){var s=[],l=[];return o=t(o),a=t(a),function(t,r,n,o,a,s){if(t!==n||r!==o){var l=a.push("translate(",null,e,null,i);s.push({i:l-4,x:me(t,n)},{i:l-2,x:me(r,o)})}else(n||o)&&a.push("translate("+n+e+o+i)}(o.translateX,o.translateY,a.translateX,a.translateY,s,l),function(t,e,i,o){t!==e?(t-e>180?e+=360:e-t>180&&(t+=360),o.push({i:i.push(n(i)+"rotate(",null,r)-2,x:me(t,e)})):e&&i.push(n(i)+"rotate("+e+r)}(o.rotate,a.rotate,s,l),function(t,e,i,o){t!==e?o.push({i:i.push(n(i)+"skewX(",null,r)-2,x:me(t,e)}):e&&i.push(n(i)+"skewX("+e+r)}(o.skewX,a.skewX,s,l),function(t,e,i,r,o,a){if(t!==i||e!==r){var s=o.push(n(o)+"scale(",null,",",null,")");a.push({i:s-4,x:me(t,i)},{i:s-2,x:me(e,r)})}else 1===i&&1===r||o.push(n(o)+"scale("+i+","+r+")")}(o.scaleX,o.scaleY,a.scaleX,a.scaleY,s,l),o=a=null,function(t){for(var e,i=-1,r=l.length;++i<r;)s[(e=l[i]).i]=e.x(t);return s.join("")}}}var ve=_e((function(t){const e=new("function"==typeof DOMMatrix?DOMMatrix:WebKitCSSMatrix)(t+"");return e.isIdentity?be:Ce(e.a,e.b,e.c,e.d,e.e,e.f)}),"px, ","px)","deg)"),ke=_e((function(t){return null==t?be:(ye||(ye=document.createElementNS("http://www.w3.org/2000/svg","g")),ye.setAttribute("transform",t),(t=ye.transform.baseVal.consolidate())?Ce((t=t.matrix).a,t.b,t.c,t.d,t.e,t.f):be)}),", ",")",")");function Te(t,e){var i,r;return function(){var n=pe(this,t),o=n.tween;if(o!==i)for(var a=0,s=(r=i=o).length;a<s;++a)if(r[a].name===e){(r=r.slice()).splice(a,1);break}n.tween=r}}function we(t,e,i){var r,n;if("function"!=typeof i)throw new Error;return function(){var o=pe(this,t),a=o.tween;if(a!==r){n=(r=a).slice();for(var s={name:e,value:i},l=0,c=n.length;l<c;++l)if(n[l].name===e){n[l]=s;break}l===c&&n.push(s)}o.tween=n}}function Se(t,e,i){var r=t._id;return t.each((function(){var t=pe(this,r);(t.value||(t.value={}))[e]=i.apply(this,arguments)})),function(t){return ge(t,r).value[e]}}function Be(t,e,i){t.prototype=e.prototype=i,i.constructor=t}function Fe(t,e){var i=Object.create(t.prototype);for(var r in e)i[r]=e[r];return i}function Le(){}var Ae=.7,Me=1/Ae,Ee="\\s*([+-]?\\d+)\\s*",Ne="\\s*([+-]?(?:\\d*\\.)?\\d+(?:[eE][+-]?\\d+)?)\\s*",je="\\s*([+-]?(?:\\d*\\.)?\\d+(?:[eE][+-]?\\d+)?)%\\s*",Ze=/^#([0-9a-f]{3,8})$/,Ie=new RegExp(`^rgb\\(${Ee},${Ee},${Ee}\\)$`),Oe=new RegExp(`^rgb\\(${je},${je},${je}\\)$`),De=new RegExp(`^rgba\\(${Ee},${Ee},${Ee},${Ne}\\)$`),qe=new RegExp(`^rgba\\(${je},${je},${je},${Ne}\\)$`),$e=new RegExp(`^hsl\\(${Ne},${je},${je}\\)$`),ze=new RegExp(`^hsla\\(${Ne},${je},${je},${Ne}\\)$`),Pe={aliceblue:15792383,antiquewhite:16444375,aqua:65535,aquamarine:8388564,azure:15794175,beige:16119260,bisque:16770244,black:0,blanchedalmond:16772045,blue:255,blueviolet:9055202,brown:10824234,burlywood:14596231,cadetblue:6266528,chartreuse:8388352,chocolate:13789470,coral:16744272,cornflowerblue:6591981,cornsilk:16775388,crimson:14423100,cyan:65535,darkblue:139,darkcyan:35723,darkgoldenrod:12092939,darkgray:11119017,darkgreen:25600,darkgrey:11119017,darkkhaki:12433259,darkmagenta:9109643,darkolivegreen:5597999,darkorange:16747520,darkorchid:10040012,darkred:9109504,darksalmon:15308410,darkseagreen:9419919,darkslateblue:4734347,darkslategray:3100495,darkslategrey:3100495,darkturquoise:52945,darkviolet:9699539,deeppink:16716947,deepskyblue:49151,dimgray:6908265,dimgrey:6908265,dodgerblue:2003199,firebrick:11674146,floralwhite:16775920,forestgreen:2263842,fuchsia:16711935,gainsboro:14474460,ghostwhite:16316671,gold:16766720,goldenrod:14329120,gray:8421504,green:32768,greenyellow:11403055,grey:8421504,honeydew:15794160,hotpink:16738740,indianred:13458524,indigo:4915330,ivory:16777200,khaki:15787660,lavender:15132410,lavenderblush:16773365,lawngreen:8190976,lemonchiffon:16775885,lightblue:11393254,lightcoral:15761536,lightcyan:14745599,lightgoldenrodyellow:16448210,lightgray:13882323,lightgreen:9498256,lightgrey:13882323,lightpink:16758465,lightsalmon:16752762,lightseagreen:2142890,lightskyblue:8900346,lightslategray:7833753,lightslategrey:7833753,lightsteelblue:11584734,lightyellow:16777184,lime:65280,limegreen:3329330,linen:16445670,magenta:16711935,maroon:8388608,mediumaquamarine:6737322,mediumblue:205,mediumorchid:12211667,mediumpurple:9662683,mediumseagreen:3978097,mediumslateblue:8087790,mediumspringgreen:64154,mediumturquoise:4772300,mediumvioletred:13047173,midnightblue:1644912,mintcream:16121850,mistyrose:16770273,moccasin:16770229,navajowhite:16768685,navy:128,oldlace:16643558,olive:8421376,olivedrab:7048739,orange:16753920,orangered:16729344,orchid:14315734,palegoldenrod:15657130,palegreen:10025880,paleturquoise:11529966,palevioletred:14381203,papayawhip:16773077,peachpuff:16767673,peru:13468991,pink:16761035,plum:14524637,powderblue:11591910,purple:8388736,rebeccapurple:6697881,red:16711680,rosybrown:12357519,royalblue:4286945,saddlebrown:9127187,salmon:16416882,sandybrown:16032864,seagreen:3050327,seashell:16774638,sienna:10506797,silver:12632256,skyblue:8900331,slateblue:6970061,slategray:7372944,slategrey:7372944,snow:16775930,springgreen:65407,steelblue:4620980,tan:13808780,teal:32896,thistle:14204888,tomato:16737095,turquoise:4251856,violet:15631086,wheat:16113331,white:16777215,whitesmoke:16119285,yellow:16776960,yellowgreen:10145074};function Re(){return this.rgb().formatHex()}function He(){return this.rgb().formatRgb()}function We(t){var e,i;return t=(t+"").trim().toLowerCase(),(e=Ze.exec(t))?(i=e[1].length,e=parseInt(e[1],16),6===i?Ue(e):3===i?new Xe(e>>8&15|e>>4&240,e>>4&15|240&e,(15&e)<<4|15&e,1):8===i?Ye(e>>24&255,e>>16&255,e>>8&255,(255&e)/255):4===i?Ye(e>>12&15|e>>8&240,e>>8&15|e>>4&240,e>>4&15|240&e,((15&e)<<4|15&e)/255):null):(e=Ie.exec(t))?new Xe(e[1],e[2],e[3],1):(e=Oe.exec(t))?new Xe(255*e[1]/100,255*e[2]/100,255*e[3]/100,1):(e=De.exec(t))?Ye(e[1],e[2],e[3],e[4]):(e=qe.exec(t))?Ye(255*e[1]/100,255*e[2]/100,255*e[3]/100,e[4]):(e=$e.exec(t))?ii(e[1],e[2]/100,e[3]/100,1):(e=ze.exec(t))?ii(e[1],e[2]/100,e[3]/100,e[4]):Pe.hasOwnProperty(t)?Ue(Pe[t]):"transparent"===t?new Xe(NaN,NaN,NaN,0):null}function Ue(t){return new Xe(t>>16&255,t>>8&255,255&t,1)}function Ye(t,e,i,r){return r<=0&&(t=e=i=NaN),new Xe(t,e,i,r)}function Ve(t){return t instanceof Le||(t=We(t)),t?new Xe((t=t.rgb()).r,t.g,t.b,t.opacity):new Xe}function Ge(t,e,i,r){return 1===arguments.length?Ve(t):new Xe(t,e,i,null==r?1:r)}function Xe(t,e,i,r){this.r=+t,this.g=+e,this.b=+i,this.opacity=+r}function Je(){return`#${ei(this.r)}${ei(this.g)}${ei(this.b)}`}function Qe(){const t=Ke(this.opacity);return`${1===t?"rgb(":"rgba("}${ti(this.r)}, ${ti(this.g)}, ${ti(this.b)}${1===t?")":`, ${t})`}`}function Ke(t){return isNaN(t)?1:Math.max(0,Math.min(1,t))}function ti(t){return Math.max(0,Math.min(255,Math.round(t)||0))}function ei(t){return((t=ti(t))<16?"0":"")+t.toString(16)}function ii(t,e,i,r){return r<=0?t=e=i=NaN:i<=0||i>=1?t=e=NaN:e<=0&&(t=NaN),new ni(t,e,i,r)}function ri(t){if(t instanceof ni)return new ni(t.h,t.s,t.l,t.opacity);if(t instanceof Le||(t=We(t)),!t)return new ni;if(t instanceof ni)return t;var e=(t=t.rgb()).r/255,i=t.g/255,r=t.b/255,n=Math.min(e,i,r),o=Math.max(e,i,r),a=NaN,s=o-n,l=(o+n)/2;return s?(a=e===o?(i-r)/s+6*(i<r):i===o?(r-e)/s+2:(e-i)/s+4,s/=l<.5?o+n:2-o-n,a*=60):s=l>0&&l<1?0:a,new ni(a,s,l,t.opacity)}function ni(t,e,i,r){this.h=+t,this.s=+e,this.l=+i,this.opacity=+r}function oi(t){return(t=(t||0)%360)<0?t+360:t}function ai(t){return Math.max(0,Math.min(1,t||0))}function si(t,e,i){return 255*(t<60?e+(i-e)*t/60:t<180?i:t<240?e+(i-e)*(240-t)/60:e)}function li(t,e,i,r,n){var o=t*t,a=o*t;return((1-3*t+3*o-a)*e+(4-6*o+3*a)*i+(1+3*t+3*o-3*a)*r+a*n)/6}Be(Le,We,{copy(t){return Object.assign(new this.constructor,this,t)},displayable(){return this.rgb().displayable()},hex:Re,formatHex:Re,formatHex8:function(){return this.rgb().formatHex8()},formatHsl:function(){return ri(this).formatHsl()},formatRgb:He,toString:He}),Be(Xe,Ge,Fe(Le,{brighter(t){return t=null==t?Me:Math.pow(Me,t),new Xe(this.r*t,this.g*t,this.b*t,this.opacity)},darker(t){return t=null==t?Ae:Math.pow(Ae,t),new Xe(this.r*t,this.g*t,this.b*t,this.opacity)},rgb(){return this},clamp(){return new Xe(ti(this.r),ti(this.g),ti(this.b),Ke(this.opacity))},displayable(){return-.5<=this.r&&this.r<255.5&&-.5<=this.g&&this.g<255.5&&-.5<=this.b&&this.b<255.5&&0<=this.opacity&&this.opacity<=1},hex:Je,formatHex:Je,formatHex8:function(){return`#${ei(this.r)}${ei(this.g)}${ei(this.b)}${ei(255*(isNaN(this.opacity)?1:this.opacity))}`},formatRgb:Qe,toString:Qe})),Be(ni,(function(t,e,i,r){return 1===arguments.length?ri(t):new ni(t,e,i,null==r?1:r)}),Fe(Le,{brighter(t){return t=null==t?Me:Math.pow(Me,t),new ni(this.h,this.s,this.l*t,this.opacity)},darker(t){return t=null==t?Ae:Math.pow(Ae,t),new ni(this.h,this.s,this.l*t,this.opacity)},rgb(){var t=this.h%360+360*(this.h<0),e=isNaN(t)||isNaN(this.s)?0:this.s,i=this.l,r=i+(i<.5?i:1-i)*e,n=2*i-r;return new Xe(si(t>=240?t-240:t+120,n,r),si(t,n,r),si(t<120?t+240:t-120,n,r),this.opacity)},clamp(){return new ni(oi(this.h),ai(this.s),ai(this.l),Ke(this.opacity))},displayable(){return(0<=this.s&&this.s<=1||isNaN(this.s))&&0<=this.l&&this.l<=1&&0<=this.opacity&&this.opacity<=1},formatHsl(){const t=Ke(this.opacity);return`${1===t?"hsl(":"hsla("}${oi(this.h)}, ${100*ai(this.s)}%, ${100*ai(this.l)}%${1===t?")":`, ${t})`}`}}));const ci=t=>()=>t;function hi(t,e){return function(i){return t+i*e}}function ui(t){return 1==(t=+t)?di:function(e,i){return i-e?function(t,e,i){return t=Math.pow(t,i),e=Math.pow(e,i)-t,i=1/i,function(r){return Math.pow(t+r*e,i)}}(e,i,t):ci(isNaN(e)?i:e)}}function di(t,e){var i=e-t;return i?hi(t,i):ci(isNaN(t)?e:t)}const fi=function t(e){var i=ui(e);function r(t,e){var r=i((t=Ge(t)).r,(e=Ge(e)).r),n=i(t.g,e.g),o=i(t.b,e.b),a=di(t.opacity,e.opacity);return function(e){return t.r=r(e),t.g=n(e),t.b=o(e),t.opacity=a(e),t+""}}return r.gamma=t,r}(1);function pi(t){return function(e){var i,r,n=e.length,o=new Array(n),a=new Array(n),s=new Array(n);for(i=0;i<n;++i)r=Ge(e[i]),o[i]=r.r||0,a[i]=r.g||0,s[i]=r.b||0;return o=t(o),a=t(a),s=t(s),r.opacity=1,function(t){return r.r=o(t),r.g=a(t),r.b=s(t),r+""}}}pi((function(t){var e=t.length-1;return function(i){var r=i<=0?i=0:i>=1?(i=1,e-1):Math.floor(i*e),n=t[r],o=t[r+1],a=r>0?t[r-1]:2*n-o,s=r<e-1?t[r+2]:2*o-n;return li((i-r/e)*e,a,n,o,s)}})),pi((function(t){var e=t.length;return function(i){var r=Math.floor(((i%=1)<0?++i:i)*e),n=t[(r+e-1)%e],o=t[r%e],a=t[(r+1)%e],s=t[(r+2)%e];return li((i-r/e)*e,n,o,a,s)}}));var gi=/[-+]?(?:\d+\.?\d*|\.?\d+)(?:[eE][-+]?\d+)?/g,mi=new RegExp(gi.source,"g");function yi(t,e){var i,r,n,o=gi.lastIndex=mi.lastIndex=0,a=-1,s=[],l=[];for(t+="",e+="";(i=gi.exec(t))&&(r=mi.exec(e));)(n=r.index)>o&&(n=e.slice(o,n),s[a]?s[a]+=n:s[++a]=n),(i=i[0])===(r=r[0])?s[a]?s[a]+=r:s[++a]=r:(s[++a]=null,l.push({i:a,x:me(i,r)})),o=mi.lastIndex;return o<e.length&&(n=e.slice(o),s[a]?s[a]+=n:s[++a]=n),s.length<2?l[0]?function(t){return function(e){return t(e)+""}}(l[0].x):function(t){return function(){return t}}(e):(e=l.length,function(t){for(var i,r=0;r<e;++r)s[(i=l[r]).i]=i.x(t);return s.join("")})}function xi(t,e){var i;return("number"==typeof e?me:e instanceof We?fi:(i=We(e))?(e=i,fi):yi)(t,e)}function bi(t){return function(){this.removeAttribute(t)}}function Ci(t){return function(){this.removeAttributeNS(t.space,t.local)}}function _i(t,e,i){var r,n,o=i+"";return function(){var a=this.getAttribute(t);return a===o?null:a===r?n:n=e(r=a,i)}}function vi(t,e,i){var r,n,o=i+"";return function(){var a=this.getAttributeNS(t.space,t.local);return a===o?null:a===r?n:n=e(r=a,i)}}function ki(t,e,i){var r,n,o;return function(){var a,s,l=i(this);if(null!=l)return(a=this.getAttribute(t))===(s=l+"")?null:a===r&&s===n?o:(n=s,o=e(r=a,l));this.removeAttribute(t)}}function Ti(t,e,i){var r,n,o;return function(){var a,s,l=i(this);if(null!=l)return(a=this.getAttributeNS(t.space,t.local))===(s=l+"")?null:a===r&&s===n?o:(n=s,o=e(r=a,l));this.removeAttributeNS(t.space,t.local)}}function wi(t,e){var i,r;function n(){var n=e.apply(this,arguments);return n!==r&&(i=(r=n)&&function(t,e){return function(i){this.setAttributeNS(t.space,t.local,e.call(this,i))}}(t,n)),i}return n._value=e,n}function Si(t,e){var i,r;function n(){var n=e.apply(this,arguments);return n!==r&&(i=(r=n)&&function(t,e){return function(i){this.setAttribute(t,e.call(this,i))}}(t,n)),i}return n._value=e,n}function Bi(t,e){return function(){fe(this,t).delay=+e.apply(this,arguments)}}function Fi(t,e){return e=+e,function(){fe(this,t).delay=e}}function Li(t,e){return function(){pe(this,t).duration=+e.apply(this,arguments)}}function Ai(t,e){return e=+e,function(){pe(this,t).duration=e}}var Mi=Mt.prototype.constructor;function Ei(t){return function(){this.style.removeProperty(t)}}var Ni=0;function ji(t,e,i,r){this._groups=t,this._parents=e,this._name=i,this._id=r}function Zi(){return++Ni}var Ii=Mt.prototype;ji.prototype=function(t){return Mt().transition(t)}.prototype={constructor:ji,select:function(t){var e=this._name,i=this._id;"function"!=typeof t&&(t=C(t));for(var r=this._groups,n=r.length,o=new Array(n),a=0;a<n;++a)for(var s,l,c=r[a],h=c.length,u=o[a]=new Array(h),d=0;d<h;++d)(s=c[d])&&(l=t.call(s,s.__data__,d,c))&&("__data__"in s&&(l.__data__=s.__data__),u[d]=l,de(u[d],e,i,d,u,ge(s,i)));return new ji(o,this._parents,e,i)},selectAll:function(t){var e=this._name,i=this._id;"function"!=typeof t&&(t=k(t));for(var r=this._groups,n=r.length,o=[],a=[],s=0;s<n;++s)for(var l,c=r[s],h=c.length,u=0;u<h;++u)if(l=c[u]){for(var d,f=t.call(l,l.__data__,u,c),p=ge(l,i),g=0,m=f.length;g<m;++g)(d=f[g])&&de(d,e,i,g,f,p);o.push(f),a.push(l)}return new ji(o,a,e,i)},selectChild:Ii.selectChild,selectChildren:Ii.selectChildren,filter:function(t){"function"!=typeof t&&(t=T(t));for(var e=this._groups,i=e.length,r=new Array(i),n=0;n<i;++n)for(var o,a=e[n],s=a.length,l=r[n]=[],c=0;c<s;++c)(o=a[c])&&t.call(o,o.__data__,c,a)&&l.push(o);return new ji(r,this._parents,this._name,this._id)},merge:function(t){if(t._id!==this._id)throw new Error;for(var e=this._groups,i=t._groups,r=e.length,n=i.length,o=Math.min(r,n),a=new Array(r),s=0;s<o;++s)for(var l,c=e[s],h=i[s],u=c.length,d=a[s]=new Array(u),f=0;f<u;++f)(l=c[f]||h[f])&&(d[f]=l);for(;s<r;++s)a[s]=e[s];return new ji(a,this._parents,this._name,this._id)},selection:function(){return new Mi(this._groups,this._parents)},transition:function(){for(var t=this._name,e=this._id,i=Zi(),r=this._groups,n=r.length,o=0;o<n;++o)for(var a,s=r[o],l=s.length,c=0;c<l;++c)if(a=s[c]){var h=ge(a,e);de(a,t,i,c,s,{time:h.time+h.delay+h.duration,delay:0,duration:h.duration,ease:h.ease})}return new ji(r,this._parents,t,i)},call:Ii.call,nodes:Ii.nodes,node:Ii.node,size:Ii.size,empty:Ii.empty,each:Ii.each,on:function(t,e){var i=this._id;return arguments.length<2?ge(this.node(),i).on.on(t):this.each(function(t,e,i){var r,n,o=function(t){return(t+"").trim().split(/^|\s+/).every((function(t){var e=t.indexOf(".");return e>=0&&(t=t.slice(0,e)),!t||"start"===t}))}(e)?fe:pe;return function(){var a=o(this,t),s=a.on;s!==r&&(n=(r=s).copy()).on(e,i),a.on=n}}(i,t,e))},attr:function(t,e){var i=q(t),r="transform"===i?ke:xi;return this.attrTween(t,"function"==typeof e?(i.local?Ti:ki)(i,r,Se(this,"attr."+t,e)):null==e?(i.local?Ci:bi)(i):(i.local?vi:_i)(i,r,e))},attrTween:function(t,e){var i="attr."+t;if(arguments.length<2)return(i=this.tween(i))&&i._value;if(null==e)return this.tween(i,null);if("function"!=typeof e)throw new Error;var r=q(t);return this.tween(i,(r.local?wi:Si)(r,e))},style:function(t,e,i){var r="transform"==(t+="")?ve:xi;return null==e?this.styleTween(t,function(t,e){var i,r,n;return function(){var o=X(this,t),a=(this.style.removeProperty(t),X(this,t));return o===a?null:o===i&&a===r?n:n=e(i=o,r=a)}}(t,r)).on("end.style."+t,Ei(t)):"function"==typeof e?this.styleTween(t,function(t,e,i){var r,n,o;return function(){var a=X(this,t),s=i(this),l=s+"";return null==s&&(this.style.removeProperty(t),l=s=X(this,t)),a===l?null:a===r&&l===n?o:(n=l,o=e(r=a,s))}}(t,r,Se(this,"style."+t,e))).each(function(t,e){var i,r,n,o,a="style."+e,s="end."+a;return function(){var l=pe(this,t),c=l.on,h=null==l.value[a]?o||(o=Ei(e)):void 0;c===i&&n===h||(r=(i=c).copy()).on(s,n=h),l.on=r}}(this._id,t)):this.styleTween(t,function(t,e,i){var r,n,o=i+"";return function(){var a=X(this,t);return a===o?null:a===r?n:n=e(r=a,i)}}(t,r,e),i).on("end.style."+t,null)},styleTween:function(t,e,i){var r="style."+(t+="");if(arguments.length<2)return(r=this.tween(r))&&r._value;if(null==e)return this.tween(r,null);if("function"!=typeof e)throw new Error;return this.tween(r,function(t,e,i){var r,n;function o(){var o=e.apply(this,arguments);return o!==n&&(r=(n=o)&&function(t,e,i){return function(r){this.style.setProperty(t,e.call(this,r),i)}}(t,o,i)),r}return o._value=e,o}(t,e,null==i?"":i))},text:function(t){return this.tween("text","function"==typeof t?function(t){return function(){var e=t(this);this.textContent=null==e?"":e}}(Se(this,"text",t)):function(t){return function(){this.textContent=t}}(null==t?"":t+""))},textTween:function(t){var e="text";if(arguments.length<1)return(e=this.tween(e))&&e._value;if(null==t)return this.tween(e,null);if("function"!=typeof t)throw new Error;return this.tween(e,function(t){var e,i;function r(){var r=t.apply(this,arguments);return r!==i&&(e=(i=r)&&function(t){return function(e){this.textContent=t.call(this,e)}}(r)),e}return r._value=t,r}(t))},remove:function(){return this.on("end.remove",function(t){return function(){var e=this.parentNode;for(var i in this.__transition)if(+i!==t)return;e&&e.removeChild(this)}}(this._id))},tween:function(t,e){var i=this._id;if(t+="",arguments.length<2){for(var r,n=ge(this.node(),i).tween,o=0,a=n.length;o<a;++o)if((r=n[o]).name===t)return r.value;return null}return this.each((null==e?Te:we)(i,t,e))},delay:function(t){var e=this._id;return arguments.length?this.each(("function"==typeof t?Bi:Fi)(e,t)):ge(this.node(),e).delay},duration:function(t){var e=this._id;return arguments.length?this.each(("function"==typeof t?Li:Ai)(e,t)):ge(this.node(),e).duration},ease:function(t){var e=this._id;return arguments.length?this.each(function(t,e){if("function"!=typeof e)throw new Error;return function(){pe(this,t).ease=e}}(e,t)):ge(this.node(),e).ease},easeVarying:function(t){if("function"!=typeof t)throw new Error;return this.each(function(t,e){return function(){var i=e.apply(this,arguments);if("function"!=typeof i)throw new Error;pe(this,t).ease=i}}(this._id,t))},end:function(){var t,e,i=this,r=i._id,n=i.size();return new Promise((function(o,a){var s={value:a},l={value:function(){0==--n&&o()}};i.each((function(){var i=pe(this,r),n=i.on;n!==t&&((e=(t=n).copy())._.cancel.push(s),e._.interrupt.push(s),e._.end.push(l)),i.on=e})),0===n&&o()}))},[Symbol.iterator]:Ii[Symbol.iterator]};var Oi={time:null,delay:0,duration:250,ease:function(t){return((t*=2)<=1?t*t*t:(t-=2)*t*t+2)/2}};function Di(t,e){for(var i;!(i=t.__transition)||!(i=i[e]);)if(!(t=t.parentNode))throw new Error(`transition ${e} not found`);return i}Mt.prototype.interrupt=function(t){return this.each((function(){!function(t,e){var i,r,n,o=t.__transition,a=!0;if(o){for(n in e=null==e?null:e+"",o)(i=o[n]).name===e?(r=i.state>se&&i.state<he,i.state=ue,i.timer.stop(),i.on.call(r?"interrupt":"cancel",t,t.__data__,i.index,i.group),delete o[n]):a=!1;a&&delete t.__transition}}(this,t)}))},Mt.prototype.transition=function(t){var e,i;t instanceof ji?(e=t._id,t=t._name):(e=Zi(),(i=Oi).time=Gt(),t=null==t?null:t+"");for(var r=this._groups,n=r.length,o=0;o<n;++o)for(var a,s=r[o],l=s.length,c=0;c<l;++c)(a=s[c])&&de(a,t,e,c,s,i||Di(a,e));return new ji(r,this._parents,t,e)};const{abs:qi,max:$i,min:zi}=Math;function Pi(t){return[+t[0],+t[1]]}function Ri(t){return[Pi(t[0]),Pi(t[1])]}["w","e"].map(Hi),["n","s"].map(Hi),["n","w","e","s","nw","ne","sw","se"].map(Hi);function Hi(t){return{type:t}}function Wi(t){if(!t.ok)throw new Error(t.status+" "+t.statusText);return t.text()}function Ui(t){return(e,i)=>function(t,e){return fetch(t,e).then(Wi)}(e,i).then((e=>(new DOMParser).parseFromString(e,t)))}Ui("application/xml");Ui("text/html");var Yi=Ui("image/svg+xml");const Vi=Math.PI/180,Gi=180/Math.PI,Xi=.96422,Ji=1,Qi=.82521,Ki=4/29,tr=6/29,er=3*tr*tr,ir=tr*tr*tr;function rr(t){if(t instanceof nr)return new nr(t.l,t.a,t.b,t.opacity);if(t instanceof ur)return dr(t);t instanceof Xe||(t=Ve(t));var e,i,r=lr(t.r),n=lr(t.g),o=lr(t.b),a=or((.2225045*r+.7168786*n+.0606169*o)/Ji);return r===n&&n===o?e=i=a:(e=or((.4360747*r+.3850649*n+.1430804*o)/Xi),i=or((.0139322*r+.0971045*n+.7141733*o)/Qi)),new nr(116*a-16,500*(e-a),200*(a-i),t.opacity)}function nr(t,e,i,r){this.l=+t,this.a=+e,this.b=+i,this.opacity=+r}function or(t){return t>ir?Math.pow(t,1/3):t/er+Ki}function ar(t){return t>tr?t*t*t:er*(t-Ki)}function sr(t){return 255*(t<=.0031308?12.92*t:1.055*Math.pow(t,1/2.4)-.055)}function lr(t){return(t/=255)<=.04045?t/12.92:Math.pow((t+.055)/1.055,2.4)}function cr(t){if(t instanceof ur)return new ur(t.h,t.c,t.l,t.opacity);if(t instanceof nr||(t=rr(t)),0===t.a&&0===t.b)return new ur(NaN,0<t.l&&t.l<100?0:NaN,t.l,t.opacity);var e=Math.atan2(t.b,t.a)*Gi;return new ur(e<0?e+360:e,Math.sqrt(t.a*t.a+t.b*t.b),t.l,t.opacity)}function hr(t,e,i,r){return 1===arguments.length?cr(t):new ur(t,e,i,null==r?1:r)}function ur(t,e,i,r){this.h=+t,this.c=+e,this.l=+i,this.opacity=+r}function dr(t){if(isNaN(t.h))return new nr(t.l,0,0,t.opacity);var e=t.h*Vi;return new nr(t.l,Math.cos(e)*t.c,Math.sin(e)*t.c,t.opacity)}function fr(t){return function(e,i){var r=t((e=hr(e)).h,(i=hr(i)).h),n=di(e.c,i.c),o=di(e.l,i.l),a=di(e.opacity,i.opacity);return function(t){return e.h=r(t),e.c=n(t),e.l=o(t),e.opacity=a(t),e+""}}}Be(nr,(function(t,e,i,r){return 1===arguments.length?rr(t):new nr(t,e,i,null==r?1:r)}),Fe(Le,{brighter(t){return new nr(this.l+18*(null==t?1:t),this.a,this.b,this.opacity)},darker(t){return new nr(this.l-18*(null==t?1:t),this.a,this.b,this.opacity)},rgb(){var t=(this.l+16)/116,e=isNaN(this.a)?t:t+this.a/500,i=isNaN(this.b)?t:t-this.b/200;return new Xe(sr(3.1338561*(e=Xi*ar(e))-1.6168667*(t=Ji*ar(t))-.4906146*(i=Qi*ar(i))),sr(-.9787684*e+1.9161415*t+.033454*i),sr(.0719453*e-.2289914*t+1.4052427*i),this.opacity)}})),Be(ur,hr,Fe(Le,{brighter(t){return new ur(this.h,this.c,this.l+18*(null==t?1:t),this.opacity)},darker(t){return new ur(this.h,this.c,this.l-18*(null==t?1:t),this.opacity)},rgb(){return dr(this).rgb()}}));const pr=fr((function(t,e){var i=e-t;return i?hi(t,i>180||i<-180?i-360*Math.round(i/360):i):ci(isNaN(t)?e:t)}));fr(di);function gr(t,e){switch(arguments.length){case 0:break;case 1:this.range(t);break;default:this.range(e).domain(t)}return this}class mr extends Map{constructor(t,e=Cr){if(super(),Object.defineProperties(this,{_intern:{value:new Map},_key:{value:e}}),null!=t)for(const[i,r]of t)this.set(i,r)}get(t){return super.get(yr(this,t))}has(t){return super.has(yr(this,t))}set(t,e){return super.set(xr(this,t),e)}delete(t){return super.delete(br(this,t))}}function yr({_intern:t,_key:e},i){const r=e(i);return t.has(r)?t.get(r):i}function xr({_intern:t,_key:e},i){const r=e(i);return t.has(r)?t.get(r):(t.set(r,i),i)}function br({_intern:t,_key:e},i){const r=e(i);return t.has(r)&&(i=t.get(r),t.delete(r)),i}function Cr(t){return null!==t&&"object"==typeof t?t.valueOf():t}const _r=Symbol("implicit");function vr(){var t=new mr,e=[],i=[],r=_r;function n(n){let o=t.get(n);if(void 0===o){if(r!==_r)return r;t.set(n,o=e.push(n)-1)}return i[o%i.length]}return n.domain=function(i){if(!arguments.length)return e.slice();e=[],t=new mr;for(const r of i)t.has(r)||t.set(r,e.push(r)-1);return n},n.range=function(t){return arguments.length?(i=Array.from(t),n):i.slice()},n.unknown=function(t){return arguments.length?(r=t,n):r},n.copy=function(){return vr(e,i).unknown(r)},gr.apply(n,arguments),n}function kr(){var t,e,i=vr().unknown(void 0),r=i.domain,n=i.range,o=0,a=1,s=!1,l=0,c=0,h=.5;function u(){var i=r().length,u=a<o,d=u?a:o,f=u?o:a;t=(f-d)/Math.max(1,i-l+2*c),s&&(t=Math.floor(t)),d+=(f-d-t*(i-l))*h,e=t*(1-l),s&&(d=Math.round(d),e=Math.round(e));var p=function(t,e,i){t=+t,e=+e,i=(n=arguments.length)<2?(e=t,t=0,1):n<3?1:+i;for(var r=-1,n=0|Math.max(0,Math.ceil((e-t)/i)),o=new Array(n);++r<n;)o[r]=t+r*i;return o}(i).map((function(e){return d+t*e}));return n(u?p.reverse():p)}return delete i.unknown,i.domain=function(t){return arguments.length?(r(t),u()):r()},i.range=function(t){return arguments.length?([o,a]=t,o=+o,a=+a,u()):[o,a]},i.rangeRound=function(t){return[o,a]=t,o=+o,a=+a,s=!0,u()},i.bandwidth=function(){return e},i.step=function(){return t},i.round=function(t){return arguments.length?(s=!!t,u()):s},i.padding=function(t){return arguments.length?(l=Math.min(1,c=+t),u()):l},i.paddingInner=function(t){return arguments.length?(l=Math.min(1,t),u()):l},i.paddingOuter=function(t){return arguments.length?(c=+t,u()):c},i.align=function(t){return arguments.length?(h=Math.max(0,Math.min(1,t)),u()):h},i.copy=function(){return kr(r(),[o,a]).round(s).paddingInner(l).paddingOuter(c).align(h)},gr.apply(u(),arguments)}const Tr=Math.sqrt(50),wr=Math.sqrt(10),Sr=Math.sqrt(2);function Br(t,e,i){const r=(e-t)/Math.max(0,i),n=Math.floor(Math.log10(r)),o=r/Math.pow(10,n),a=o>=Tr?10:o>=wr?5:o>=Sr?2:1;let s,l,c;return n<0?(c=Math.pow(10,-n)/a,s=Math.round(t*c),l=Math.round(e*c),s/c<t&&++s,l/c>e&&--l,c=-c):(c=Math.pow(10,n)*a,s=Math.round(t/c),l=Math.round(e/c),s*c<t&&++s,l*c>e&&--l),l<s&&.5<=i&&i<2?Br(t,e,2*i):[s,l,c]}function Fr(t,e,i){return Br(t=+t,e=+e,i=+i)[2]}function Lr(t,e,i){i=+i;const r=(e=+e)<(t=+t),n=r?Fr(e,t,i):Fr(t,e,i);return(r?-1:1)*(n<0?1/-n:n)}function Ar(t,e){return null==t||null==e?NaN:t<e?-1:t>e?1:t>=e?0:NaN}function Mr(t,e){return null==t||null==e?NaN:e<t?-1:e>t?1:e>=t?0:NaN}function Er(t){let e,i,r;function n(t,r,n=0,o=t.length){if(n<o){if(0!==e(r,r))return o;do{const e=n+o>>>1;i(t[e],r)<0?n=e+1:o=e}while(n<o)}return n}return 2!==t.length?(e=Ar,i=(e,i)=>Ar(t(e),i),r=(e,i)=>t(e)-i):(e=t===Ar||t===Mr?t:Nr,i=t,r=t),{left:n,center:function(t,e,i=0,o=t.length){const a=n(t,e,i,o-1);return a>i&&r(t[a-1],e)>-r(t[a],e)?a-1:a},right:function(t,r,n=0,o=t.length){if(n<o){if(0!==e(r,r))return o;do{const e=n+o>>>1;i(t[e],r)<=0?n=e+1:o=e}while(n<o)}return n}}}function Nr(){return 0}const jr=Er(Ar),Zr=jr.right,Ir=(jr.left,Er((function(t){return null===t?NaN:+t})).center,Zr);function Or(t,e){var i,r=e?e.length:0,n=t?Math.min(r,t.length):0,o=new Array(n),a=new Array(r);for(i=0;i<n;++i)o[i]=zr(t[i],e[i]);for(;i<r;++i)a[i]=e[i];return function(t){for(i=0;i<n;++i)a[i]=o[i](t);return a}}function Dr(t,e){var i=new Date;return t=+t,e=+e,function(r){return i.setTime(t*(1-r)+e*r),i}}function qr(t,e){var i,r={},n={};for(i in null!==t&&"object"==typeof t||(t={}),null!==e&&"object"==typeof e||(e={}),e)i in t?r[i]=zr(t[i],e[i]):n[i]=e[i];return function(t){for(i in r)n[i]=r[i](t);return n}}function $r(t,e){e||(e=[]);var i,r=t?Math.min(e.length,t.length):0,n=e.slice();return function(o){for(i=0;i<r;++i)n[i]=t[i]*(1-o)+e[i]*o;return n}}function zr(t,e){var i,r,n=typeof e;return null==e||"boolean"===n?ci(e):("number"===n?me:"string"===n?(i=We(e))?(e=i,fi):yi:e instanceof We?fi:e instanceof Date?Dr:(r=e,!ArrayBuffer.isView(r)||r instanceof DataView?Array.isArray(e)?Or:"function"!=typeof e.valueOf&&"function"!=typeof e.toString||isNaN(e)?qr:me:$r))(t,e)}function Pr(t,e){return t=+t,e=+e,function(i){return Math.round(t*(1-i)+e*i)}}function Rr(t){return+t}var Hr=[0,1];function Wr(t){return t}function Ur(t,e){return(e-=t=+t)?function(i){return(i-t)/e}:(i=isNaN(e)?NaN:.5,function(){return i});var i}function Yr(t,e,i){var r=t[0],n=t[1],o=e[0],a=e[1];return n<r?(r=Ur(n,r),o=i(a,o)):(r=Ur(r,n),o=i(o,a)),function(t){return o(r(t))}}function Vr(t,e,i){var r=Math.min(t.length,e.length)-1,n=new Array(r),o=new Array(r),a=-1;for(t[r]<t[0]&&(t=t.slice().reverse(),e=e.slice().reverse());++a<r;)n[a]=Ur(t[a],t[a+1]),o[a]=i(e[a],e[a+1]);return function(e){var i=Ir(t,e,1,r)-1;return o[i](n[i](e))}}function Gr(t,e){return e.domain(t.domain()).range(t.range()).interpolate(t.interpolate()).clamp(t.clamp()).unknown(t.unknown())}function Xr(){var t,e,i,r,n,o,a=Hr,s=Hr,l=zr,c=Wr;function h(){var t,e,i,l=Math.min(a.length,s.length);return c!==Wr&&(t=a[0],e=a[l-1],t>e&&(i=t,t=e,e=i),c=function(i){return Math.max(t,Math.min(e,i))}),r=l>2?Vr:Yr,n=o=null,u}function u(e){return null==e||isNaN(e=+e)?i:(n||(n=r(a.map(t),s,l)))(t(c(e)))}return u.invert=function(i){return c(e((o||(o=r(s,a.map(t),me)))(i)))},u.domain=function(t){return arguments.length?(a=Array.from(t,Rr),h()):a.slice()},u.range=function(t){return arguments.length?(s=Array.from(t),h()):s.slice()},u.rangeRound=function(t){return s=Array.from(t),l=Pr,h()},u.clamp=function(t){return arguments.length?(c=!!t||Wr,h()):c!==Wr},u.interpolate=function(t){return arguments.length?(l=t,h()):l},u.unknown=function(t){return arguments.length?(i=t,u):i},function(i,r){return t=i,e=r,h()}}function Jr(){return Xr()(Wr,Wr)}var Qr,Kr=/^(?:(.)?([<>=^]))?([+\-( ])?([$#])?(0)?(\d+)?(,)?(\.\d+)?(~)?([a-z%])?$/i;function tn(t){if(!(e=Kr.exec(t)))throw new Error("invalid format: "+t);var e;return new en({fill:e[1],align:e[2],sign:e[3],symbol:e[4],zero:e[5],width:e[6],comma:e[7],precision:e[8]&&e[8].slice(1),trim:e[9],type:e[10]})}function en(t){this.fill=void 0===t.fill?" ":t.fill+"",this.align=void 0===t.align?">":t.align+"",this.sign=void 0===t.sign?"-":t.sign+"",this.symbol=void 0===t.symbol?"":t.symbol+"",this.zero=!!t.zero,this.width=void 0===t.width?void 0:+t.width,this.comma=!!t.comma,this.precision=void 0===t.precision?void 0:+t.precision,this.trim=!!t.trim,this.type=void 0===t.type?"":t.type+""}function rn(t,e){if((i=(t=e?t.toExponential(e-1):t.toExponential()).indexOf("e"))<0)return null;var i,r=t.slice(0,i);return[r.length>1?r[0]+r.slice(2):r,+t.slice(i+1)]}function nn(t){return(t=rn(Math.abs(t)))?t[1]:NaN}function on(t,e){var i=rn(t,e);if(!i)return t+"";var r=i[0],n=i[1];return n<0?"0."+new Array(-n).join("0")+r:r.length>n+1?r.slice(0,n+1)+"."+r.slice(n+1):r+new Array(n-r.length+2).join("0")}tn.prototype=en.prototype,en.prototype.toString=function(){return this.fill+this.align+this.sign+this.symbol+(this.zero?"0":"")+(void 0===this.width?"":Math.max(1,0|this.width))+(this.comma?",":"")+(void 0===this.precision?"":"."+Math.max(0,0|this.precision))+(this.trim?"~":"")+this.type};const an={"%":(t,e)=>(100*t).toFixed(e),b:t=>Math.round(t).toString(2),c:t=>t+"",d:function(t){return Math.abs(t=Math.round(t))>=1e21?t.toLocaleString("en").replace(/,/g,""):t.toString(10)},e:(t,e)=>t.toExponential(e),f:(t,e)=>t.toFixed(e),g:(t,e)=>t.toPrecision(e),o:t=>Math.round(t).toString(8),p:(t,e)=>on(100*t,e),r:on,s:function(t,e){var i=rn(t,e);if(!i)return t+"";var r=i[0],n=i[1],o=n-(Qr=3*Math.max(-8,Math.min(8,Math.floor(n/3))))+1,a=r.length;return o===a?r:o>a?r+new Array(o-a+1).join("0"):o>0?r.slice(0,o)+"."+r.slice(o):"0."+new Array(1-o).join("0")+rn(t,Math.max(0,e+o-1))[0]},X:t=>Math.round(t).toString(16).toUpperCase(),x:t=>Math.round(t).toString(16)};function sn(t){return t}var ln,cn,hn,un=Array.prototype.map,dn=["y","z","a","f","p","n","\xb5","m","","k","M","G","T","P","E","Z","Y"];function fn(t){var e,i,r=void 0===t.grouping||void 0===t.thousands?sn:(e=un.call(t.grouping,Number),i=t.thousands+"",function(t,r){for(var n=t.length,o=[],a=0,s=e[0],l=0;n>0&&s>0&&(l+s+1>r&&(s=Math.max(1,r-l)),o.push(t.substring(n-=s,n+s)),!((l+=s+1)>r));)s=e[a=(a+1)%e.length];return o.reverse().join(i)}),n=void 0===t.currency?"":t.currency[0]+"",o=void 0===t.currency?"":t.currency[1]+"",a=void 0===t.decimal?".":t.decimal+"",s=void 0===t.numerals?sn:function(t){return function(e){return e.replace(/[0-9]/g,(function(e){return t[+e]}))}}(un.call(t.numerals,String)),l=void 0===t.percent?"%":t.percent+"",c=void 0===t.minus?"\u2212":t.minus+"",h=void 0===t.nan?"NaN":t.nan+"";function u(t){var e=(t=tn(t)).fill,i=t.align,u=t.sign,d=t.symbol,f=t.zero,p=t.width,g=t.comma,m=t.precision,y=t.trim,x=t.type;"n"===x?(g=!0,x="g"):an[x]||(void 0===m&&(m=12),y=!0,x="g"),(f||"0"===e&&"="===i)&&(f=!0,e="0",i="=");var b="$"===d?n:"#"===d&&/[boxX]/.test(x)?"0"+x.toLowerCase():"",C="$"===d?o:/[%p]/.test(x)?l:"",_=an[x],v=/[defgprs%]/.test(x);function k(t){var n,o,l,d=b,k=C;if("c"===x)k=_(t)+k,t="";else{var T=(t=+t)<0||1/t<0;if(t=isNaN(t)?h:_(Math.abs(t),m),y&&(t=function(t){t:for(var e,i=t.length,r=1,n=-1;r<i;++r)switch(t[r]){case".":n=e=r;break;case"0":0===n&&(n=r),e=r;break;default:if(!+t[r])break t;n>0&&(n=0)}return n>0?t.slice(0,n)+t.slice(e+1):t}(t)),T&&0==+t&&"+"!==u&&(T=!1),d=(T?"("===u?u:c:"-"===u||"("===u?"":u)+d,k=("s"===x?dn[8+Qr/3]:"")+k+(T&&"("===u?")":""),v)for(n=-1,o=t.length;++n<o;)if(48>(l=t.charCodeAt(n))||l>57){k=(46===l?a+t.slice(n+1):t.slice(n))+k,t=t.slice(0,n);break}}g&&!f&&(t=r(t,1/0));var w=d.length+t.length+k.length,S=w<p?new Array(p-w+1).join(e):"";switch(g&&f&&(t=r(S+t,S.length?p-k.length:1/0),S=""),i){case"<":t=d+t+k+S;break;case"=":t=d+S+t+k;break;case"^":t=S.slice(0,w=S.length>>1)+d+t+k+S.slice(w);break;default:t=S+d+t+k}return s(t)}return m=void 0===m?6:/[gprs]/.test(x)?Math.max(1,Math.min(21,m)):Math.max(0,Math.min(20,m)),k.toString=function(){return t+""},k}return{format:u,formatPrefix:function(t,e){var i=u(((t=tn(t)).type="f",t)),r=3*Math.max(-8,Math.min(8,Math.floor(nn(e)/3))),n=Math.pow(10,-r),o=dn[8+r/3];return function(t){return i(n*t)+o}}}}function pn(t,e,i,r){var n,o=Lr(t,e,i);switch((r=tn(null==r?",f":r)).type){case"s":var a=Math.max(Math.abs(t),Math.abs(e));return null!=r.precision||isNaN(n=function(t,e){return Math.max(0,3*Math.max(-8,Math.min(8,Math.floor(nn(e)/3)))-nn(Math.abs(t)))}(o,a))||(r.precision=n),hn(r,a);case"":case"e":case"g":case"p":case"r":null!=r.precision||isNaN(n=function(t,e){return t=Math.abs(t),e=Math.abs(e)-t,Math.max(0,nn(e)-nn(t))+1}(o,Math.max(Math.abs(t),Math.abs(e))))||(r.precision=n-("e"===r.type));break;case"f":case"%":null!=r.precision||isNaN(n=function(t){return Math.max(0,-nn(Math.abs(t)))}(o))||(r.precision=n-2*("%"===r.type))}return cn(r)}function gn(t){var e=t.domain;return t.ticks=function(t){var i=e();return function(t,e,i){if(!((i=+i)>0))return[];if((t=+t)==(e=+e))return[t];const r=e<t,[n,o,a]=r?Br(e,t,i):Br(t,e,i);if(!(o>=n))return[];const s=o-n+1,l=new Array(s);if(r)if(a<0)for(let c=0;c<s;++c)l[c]=(o-c)/-a;else for(let c=0;c<s;++c)l[c]=(o-c)*a;else if(a<0)for(let c=0;c<s;++c)l[c]=(n+c)/-a;else for(let c=0;c<s;++c)l[c]=(n+c)*a;return l}(i[0],i[i.length-1],null==t?10:t)},t.tickFormat=function(t,i){var r=e();return pn(r[0],r[r.length-1],null==t?10:t,i)},t.nice=function(i){null==i&&(i=10);var r,n,o=e(),a=0,s=o.length-1,l=o[a],c=o[s],h=10;for(c<l&&(n=l,l=c,c=n,n=a,a=s,s=n);h-- >0;){if((n=Fr(l,c,i))===r)return o[a]=l,o[s]=c,e(o);if(n>0)l=Math.floor(l/n)*n,c=Math.ceil(c/n)*n;else{if(!(n<0))break;l=Math.ceil(l*n)/n,c=Math.floor(c*n)/n}r=n}return t},t}function mn(){var t=Jr();return t.copy=function(){return Gr(t,mn())},gr.apply(t,arguments),gn(t)}ln=fn({thousands:",",grouping:[3],currency:["$",""]}),cn=ln.format,hn=ln.formatPrefix;const yn=1e3,xn=6e4,bn=36e5,Cn=864e5,_n=6048e5,vn=2592e6,kn=31536e6,Tn=new Date,wn=new Date;function Sn(t,e,i,r){function n(e){return t(e=0===arguments.length?new Date:new Date(+e)),e}return n.floor=e=>(t(e=new Date(+e)),e),n.ceil=i=>(t(i=new Date(i-1)),e(i,1),t(i),i),n.round=t=>{const e=n(t),i=n.ceil(t);return t-e<i-t?e:i},n.offset=(t,i)=>(e(t=new Date(+t),null==i?1:Math.floor(i)),t),n.range=(i,r,o)=>{const a=[];if(i=n.ceil(i),o=null==o?1:Math.floor(o),!(i<r&&o>0))return a;let s;do{a.push(s=new Date(+i)),e(i,o),t(i)}while(s<i&&i<r);return a},n.filter=i=>Sn((e=>{if(e>=e)for(;t(e),!i(e);)e.setTime(e-1)}),((t,r)=>{if(t>=t)if(r<0)for(;++r<=0;)for(;e(t,-1),!i(t););else for(;--r>=0;)for(;e(t,1),!i(t););})),i&&(n.count=(e,r)=>(Tn.setTime(+e),wn.setTime(+r),t(Tn),t(wn),Math.floor(i(Tn,wn))),n.every=t=>(t=Math.floor(t),isFinite(t)&&t>0?t>1?n.filter(r?e=>r(e)%t==0:e=>n.count(0,e)%t==0):n:null)),n}const Bn=Sn((()=>{}),((t,e)=>{t.setTime(+t+e)}),((t,e)=>e-t));Bn.every=t=>(t=Math.floor(t),isFinite(t)&&t>0?t>1?Sn((e=>{e.setTime(Math.floor(e/t)*t)}),((e,i)=>{e.setTime(+e+i*t)}),((e,i)=>(i-e)/t)):Bn:null);Bn.range;const Fn=Sn((t=>{t.setTime(t-t.getMilliseconds())}),((t,e)=>{t.setTime(+t+e*yn)}),((t,e)=>(e-t)/yn),(t=>t.getUTCSeconds())),Ln=(Fn.range,Sn((t=>{t.setTime(t-t.getMilliseconds()-t.getSeconds()*yn)}),((t,e)=>{t.setTime(+t+e*xn)}),((t,e)=>(e-t)/xn),(t=>t.getMinutes()))),An=(Ln.range,Sn((t=>{t.setUTCSeconds(0,0)}),((t,e)=>{t.setTime(+t+e*xn)}),((t,e)=>(e-t)/xn),(t=>t.getUTCMinutes()))),Mn=(An.range,Sn((t=>{t.setTime(t-t.getMilliseconds()-t.getSeconds()*yn-t.getMinutes()*xn)}),((t,e)=>{t.setTime(+t+e*bn)}),((t,e)=>(e-t)/bn),(t=>t.getHours()))),En=(Mn.range,Sn((t=>{t.setUTCMinutes(0,0,0)}),((t,e)=>{t.setTime(+t+e*bn)}),((t,e)=>(e-t)/bn),(t=>t.getUTCHours()))),Nn=(En.range,Sn((t=>t.setHours(0,0,0,0)),((t,e)=>t.setDate(t.getDate()+e)),((t,e)=>(e-t-(e.getTimezoneOffset()-t.getTimezoneOffset())*xn)/Cn),(t=>t.getDate()-1))),jn=(Nn.range,Sn((t=>{t.setUTCHours(0,0,0,0)}),((t,e)=>{t.setUTCDate(t.getUTCDate()+e)}),((t,e)=>(e-t)/Cn),(t=>t.getUTCDate()-1))),Zn=(jn.range,Sn((t=>{t.setUTCHours(0,0,0,0)}),((t,e)=>{t.setUTCDate(t.getUTCDate()+e)}),((t,e)=>(e-t)/Cn),(t=>Math.floor(t/Cn))));Zn.range;function In(t){return Sn((e=>{e.setDate(e.getDate()-(e.getDay()+7-t)%7),e.setHours(0,0,0,0)}),((t,e)=>{t.setDate(t.getDate()+7*e)}),((t,e)=>(e-t-(e.getTimezoneOffset()-t.getTimezoneOffset())*xn)/_n))}const On=In(0),Dn=In(1),qn=In(2),$n=In(3),zn=In(4),Pn=In(5),Rn=In(6);On.range,Dn.range,qn.range,$n.range,zn.range,Pn.range,Rn.range;function Hn(t){return Sn((e=>{e.setUTCDate(e.getUTCDate()-(e.getUTCDay()+7-t)%7),e.setUTCHours(0,0,0,0)}),((t,e)=>{t.setUTCDate(t.getUTCDate()+7*e)}),((t,e)=>(e-t)/_n))}const Wn=Hn(0),Un=Hn(1),Yn=Hn(2),Vn=Hn(3),Gn=Hn(4),Xn=Hn(5),Jn=Hn(6),Qn=(Wn.range,Un.range,Yn.range,Vn.range,Gn.range,Xn.range,Jn.range,Sn((t=>{t.setDate(1),t.setHours(0,0,0,0)}),((t,e)=>{t.setMonth(t.getMonth()+e)}),((t,e)=>e.getMonth()-t.getMonth()+12*(e.getFullYear()-t.getFullYear())),(t=>t.getMonth()))),Kn=(Qn.range,Sn((t=>{t.setUTCDate(1),t.setUTCHours(0,0,0,0)}),((t,e)=>{t.setUTCMonth(t.getUTCMonth()+e)}),((t,e)=>e.getUTCMonth()-t.getUTCMonth()+12*(e.getUTCFullYear()-t.getUTCFullYear())),(t=>t.getUTCMonth()))),to=(Kn.range,Sn((t=>{t.setMonth(0,1),t.setHours(0,0,0,0)}),((t,e)=>{t.setFullYear(t.getFullYear()+e)}),((t,e)=>e.getFullYear()-t.getFullYear()),(t=>t.getFullYear())));to.every=t=>isFinite(t=Math.floor(t))&&t>0?Sn((e=>{e.setFullYear(Math.floor(e.getFullYear()/t)*t),e.setMonth(0,1),e.setHours(0,0,0,0)}),((e,i)=>{e.setFullYear(e.getFullYear()+i*t)})):null;to.range;const eo=Sn((t=>{t.setUTCMonth(0,1),t.setUTCHours(0,0,0,0)}),((t,e)=>{t.setUTCFullYear(t.getUTCFullYear()+e)}),((t,e)=>e.getUTCFullYear()-t.getUTCFullYear()),(t=>t.getUTCFullYear()));eo.every=t=>isFinite(t=Math.floor(t))&&t>0?Sn((e=>{e.setUTCFullYear(Math.floor(e.getUTCFullYear()/t)*t),e.setUTCMonth(0,1),e.setUTCHours(0,0,0,0)}),((e,i)=>{e.setUTCFullYear(e.getUTCFullYear()+i*t)})):null;eo.range;function io(t,e,i,r,n,o){const a=[[Fn,1,yn],[Fn,5,5e3],[Fn,15,15e3],[Fn,30,3e4],[o,1,xn],[o,5,3e5],[o,15,9e5],[o,30,18e5],[n,1,bn],[n,3,108e5],[n,6,216e5],[n,12,432e5],[r,1,Cn],[r,2,1728e5],[i,1,_n],[e,1,vn],[e,3,7776e6],[t,1,kn]];function s(e,i,r){const n=Math.abs(i-e)/r,o=Er((([,,t])=>t)).right(a,n);if(o===a.length)return t.every(Lr(e/kn,i/kn,r));if(0===o)return Bn.every(Math.max(Lr(e,i,r),1));const[s,l]=a[n/a[o-1][2]<a[o][2]/n?o-1:o];return s.every(l)}return[function(t,e,i){const r=e<t;r&&([t,e]=[e,t]);const n=i&&"function"==typeof i.range?i:s(t,e,i),o=n?n.range(t,+e+1):[];return r?o.reverse():o},s]}const[ro,no]=io(eo,Kn,Wn,Zn,En,An),[oo,ao]=io(to,Qn,On,Nn,Mn,Ln);function so(t){if(0<=t.y&&t.y<100){var e=new Date(-1,t.m,t.d,t.H,t.M,t.S,t.L);return e.setFullYear(t.y),e}return new Date(t.y,t.m,t.d,t.H,t.M,t.S,t.L)}function lo(t){if(0<=t.y&&t.y<100){var e=new Date(Date.UTC(-1,t.m,t.d,t.H,t.M,t.S,t.L));return e.setUTCFullYear(t.y),e}return new Date(Date.UTC(t.y,t.m,t.d,t.H,t.M,t.S,t.L))}function co(t,e,i){return{y:t,m:e,d:i,H:0,M:0,S:0,L:0}}var ho,uo,fo={"-":"",_:" ",0:"0"},po=/^\s*\d+/,go=/^%/,mo=/[\\^$*+?|[\]().{}]/g;function yo(t,e,i){var r=t<0?"-":"",n=(r?-t:t)+"",o=n.length;return r+(o<i?new Array(i-o+1).join(e)+n:n)}function xo(t){return t.replace(mo,"\\$&")}function bo(t){return new RegExp("^(?:"+t.map(xo).join("|")+")","i")}function Co(t){return new Map(t.map(((t,e)=>[t.toLowerCase(),e])))}function _o(t,e,i){var r=po.exec(e.slice(i,i+1));return r?(t.w=+r[0],i+r[0].length):-1}function vo(t,e,i){var r=po.exec(e.slice(i,i+1));return r?(t.u=+r[0],i+r[0].length):-1}function ko(t,e,i){var r=po.exec(e.slice(i,i+2));return r?(t.U=+r[0],i+r[0].length):-1}function To(t,e,i){var r=po.exec(e.slice(i,i+2));return r?(t.V=+r[0],i+r[0].length):-1}function wo(t,e,i){var r=po.exec(e.slice(i,i+2));return r?(t.W=+r[0],i+r[0].length):-1}function So(t,e,i){var r=po.exec(e.slice(i,i+4));return r?(t.y=+r[0],i+r[0].length):-1}function Bo(t,e,i){var r=po.exec(e.slice(i,i+2));return r?(t.y=+r[0]+(+r[0]>68?1900:2e3),i+r[0].length):-1}function Fo(t,e,i){var r=/^(Z)|([+-]\d\d)(?::?(\d\d))?/.exec(e.slice(i,i+6));return r?(t.Z=r[1]?0:-(r[2]+(r[3]||"00")),i+r[0].length):-1}function Lo(t,e,i){var r=po.exec(e.slice(i,i+1));return r?(t.q=3*r[0]-3,i+r[0].length):-1}function Ao(t,e,i){var r=po.exec(e.slice(i,i+2));return r?(t.m=r[0]-1,i+r[0].length):-1}function Mo(t,e,i){var r=po.exec(e.slice(i,i+2));return r?(t.d=+r[0],i+r[0].length):-1}function Eo(t,e,i){var r=po.exec(e.slice(i,i+3));return r?(t.m=0,t.d=+r[0],i+r[0].length):-1}function No(t,e,i){var r=po.exec(e.slice(i,i+2));return r?(t.H=+r[0],i+r[0].length):-1}function jo(t,e,i){var r=po.exec(e.slice(i,i+2));return r?(t.M=+r[0],i+r[0].length):-1}function Zo(t,e,i){var r=po.exec(e.slice(i,i+2));return r?(t.S=+r[0],i+r[0].length):-1}function Io(t,e,i){var r=po.exec(e.slice(i,i+3));return r?(t.L=+r[0],i+r[0].length):-1}function Oo(t,e,i){var r=po.exec(e.slice(i,i+6));return r?(t.L=Math.floor(r[0]/1e3),i+r[0].length):-1}function Do(t,e,i){var r=go.exec(e.slice(i,i+1));return r?i+r[0].length:-1}function qo(t,e,i){var r=po.exec(e.slice(i));return r?(t.Q=+r[0],i+r[0].length):-1}function $o(t,e,i){var r=po.exec(e.slice(i));return r?(t.s=+r[0],i+r[0].length):-1}function zo(t,e){return yo(t.getDate(),e,2)}function Po(t,e){return yo(t.getHours(),e,2)}function Ro(t,e){return yo(t.getHours()%12||12,e,2)}function Ho(t,e){return yo(1+Nn.count(to(t),t),e,3)}function Wo(t,e){return yo(t.getMilliseconds(),e,3)}function Uo(t,e){return Wo(t,e)+"000"}function Yo(t,e){return yo(t.getMonth()+1,e,2)}function Vo(t,e){return yo(t.getMinutes(),e,2)}function Go(t,e){return yo(t.getSeconds(),e,2)}function Xo(t){var e=t.getDay();return 0===e?7:e}function Jo(t,e){return yo(On.count(to(t)-1,t),e,2)}function Qo(t){var e=t.getDay();return e>=4||0===e?zn(t):zn.ceil(t)}function Ko(t,e){return t=Qo(t),yo(zn.count(to(t),t)+(4===to(t).getDay()),e,2)}function ta(t){return t.getDay()}function ea(t,e){return yo(Dn.count(to(t)-1,t),e,2)}function ia(t,e){return yo(t.getFullYear()%100,e,2)}function ra(t,e){return yo((t=Qo(t)).getFullYear()%100,e,2)}function na(t,e){return yo(t.getFullYear()%1e4,e,4)}function oa(t,e){var i=t.getDay();return yo((t=i>=4||0===i?zn(t):zn.ceil(t)).getFullYear()%1e4,e,4)}function aa(t){var e=t.getTimezoneOffset();return(e>0?"-":(e*=-1,"+"))+yo(e/60|0,"0",2)+yo(e%60,"0",2)}function sa(t,e){return yo(t.getUTCDate(),e,2)}function la(t,e){return yo(t.getUTCHours(),e,2)}function ca(t,e){return yo(t.getUTCHours()%12||12,e,2)}function ha(t,e){return yo(1+jn.count(eo(t),t),e,3)}function ua(t,e){return yo(t.getUTCMilliseconds(),e,3)}function da(t,e){return ua(t,e)+"000"}function fa(t,e){return yo(t.getUTCMonth()+1,e,2)}function pa(t,e){return yo(t.getUTCMinutes(),e,2)}function ga(t,e){return yo(t.getUTCSeconds(),e,2)}function ma(t){var e=t.getUTCDay();return 0===e?7:e}function ya(t,e){return yo(Wn.count(eo(t)-1,t),e,2)}function xa(t){var e=t.getUTCDay();return e>=4||0===e?Gn(t):Gn.ceil(t)}function ba(t,e){return t=xa(t),yo(Gn.count(eo(t),t)+(4===eo(t).getUTCDay()),e,2)}function Ca(t){return t.getUTCDay()}function _a(t,e){return yo(Un.count(eo(t)-1,t),e,2)}function va(t,e){return yo(t.getUTCFullYear()%100,e,2)}function ka(t,e){return yo((t=xa(t)).getUTCFullYear()%100,e,2)}function Ta(t,e){return yo(t.getUTCFullYear()%1e4,e,4)}function wa(t,e){var i=t.getUTCDay();return yo((t=i>=4||0===i?Gn(t):Gn.ceil(t)).getUTCFullYear()%1e4,e,4)}function Sa(){return"+0000"}function Ba(){return"%"}function Fa(t){return+t}function La(t){return Math.floor(+t/1e3)}function Aa(t){return new Date(t)}function Ma(t){return t instanceof Date?+t:+new Date(+t)}function Ea(t,e,i,r,n,o,a,s,l,c){var h=Jr(),u=h.invert,d=h.domain,f=c(".%L"),p=c(":%S"),g=c("%I:%M"),m=c("%I %p"),y=c("%a %d"),x=c("%b %d"),b=c("%B"),C=c("%Y");function _(t){return(l(t)<t?f:s(t)<t?p:a(t)<t?g:o(t)<t?m:r(t)<t?n(t)<t?y:x:i(t)<t?b:C)(t)}return h.invert=function(t){return new Date(u(t))},h.domain=function(t){return arguments.length?d(Array.from(t,Ma)):d().map(Aa)},h.ticks=function(e){var i=d();return t(i[0],i[i.length-1],null==e?10:e)},h.tickFormat=function(t,e){return null==e?_:c(e)},h.nice=function(t){var i=d();return t&&"function"==typeof t.range||(t=e(i[0],i[i.length-1],null==t?10:t)),t?d(function(t,e){var i,r=0,n=(t=t.slice()).length-1,o=t[r],a=t[n];return a<o&&(i=r,r=n,n=i,i=o,o=a,a=i),t[r]=e.floor(o),t[n]=e.ceil(a),t}(i,t)):h},h.copy=function(){return Gr(h,Ea(t,e,i,r,n,o,a,s,l,c))},h}function Na(){return gr.apply(Ea(oo,ao,to,Qn,On,Nn,Mn,Ln,Fn,uo).domain([new Date(2e3,0,1),new Date(2e3,0,2)]),arguments)}!function(t){ho=function(t){var e=t.dateTime,i=t.date,r=t.time,n=t.periods,o=t.days,a=t.shortDays,s=t.months,l=t.shortMonths,c=bo(n),h=Co(n),u=bo(o),d=Co(o),f=bo(a),p=Co(a),g=bo(s),m=Co(s),y=bo(l),x=Co(l),b={a:function(t){return a[t.getDay()]},A:function(t){return o[t.getDay()]},b:function(t){return l[t.getMonth()]},B:function(t){return s[t.getMonth()]},c:null,d:zo,e:zo,f:Uo,g:ra,G:oa,H:Po,I:Ro,j:Ho,L:Wo,m:Yo,M:Vo,p:function(t){return n[+(t.getHours()>=12)]},q:function(t){return 1+~~(t.getMonth()/3)},Q:Fa,s:La,S:Go,u:Xo,U:Jo,V:Ko,w:ta,W:ea,x:null,X:null,y:ia,Y:na,Z:aa,"%":Ba},C={a:function(t){return a[t.getUTCDay()]},A:function(t){return o[t.getUTCDay()]},b:function(t){return l[t.getUTCMonth()]},B:function(t){return s[t.getUTCMonth()]},c:null,d:sa,e:sa,f:da,g:ka,G:wa,H:la,I:ca,j:ha,L:ua,m:fa,M:pa,p:function(t){return n[+(t.getUTCHours()>=12)]},q:function(t){return 1+~~(t.getUTCMonth()/3)},Q:Fa,s:La,S:ga,u:ma,U:ya,V:ba,w:Ca,W:_a,x:null,X:null,y:va,Y:Ta,Z:Sa,"%":Ba},_={a:function(t,e,i){var r=f.exec(e.slice(i));return r?(t.w=p.get(r[0].toLowerCase()),i+r[0].length):-1},A:function(t,e,i){var r=u.exec(e.slice(i));return r?(t.w=d.get(r[0].toLowerCase()),i+r[0].length):-1},b:function(t,e,i){var r=y.exec(e.slice(i));return r?(t.m=x.get(r[0].toLowerCase()),i+r[0].length):-1},B:function(t,e,i){var r=g.exec(e.slice(i));return r?(t.m=m.get(r[0].toLowerCase()),i+r[0].length):-1},c:function(t,i,r){return T(t,e,i,r)},d:Mo,e:Mo,f:Oo,g:Bo,G:So,H:No,I:No,j:Eo,L:Io,m:Ao,M:jo,p:function(t,e,i){var r=c.exec(e.slice(i));return r?(t.p=h.get(r[0].toLowerCase()),i+r[0].length):-1},q:Lo,Q:qo,s:$o,S:Zo,u:vo,U:ko,V:To,w:_o,W:wo,x:function(t,e,r){return T(t,i,e,r)},X:function(t,e,i){return T(t,r,e,i)},y:Bo,Y:So,Z:Fo,"%":Do};function v(t,e){return function(i){var r,n,o,a=[],s=-1,l=0,c=t.length;for(i instanceof Date||(i=new Date(+i));++s<c;)37===t.charCodeAt(s)&&(a.push(t.slice(l,s)),null!=(n=fo[r=t.charAt(++s)])?r=t.charAt(++s):n="e"===r?" ":"0",(o=e[r])&&(r=o(i,n)),a.push(r),l=s+1);return a.push(t.slice(l,s)),a.join("")}}function k(t,e){return function(i){var r,n,o=co(1900,void 0,1);if(T(o,t,i+="",0)!=i.length)return null;if("Q"in o)return new Date(o.Q);if("s"in o)return new Date(1e3*o.s+("L"in o?o.L:0));if(e&&!("Z"in o)&&(o.Z=0),"p"in o&&(o.H=o.H%12+12*o.p),void 0===o.m&&(o.m="q"in o?o.q:0),"V"in o){if(o.V<1||o.V>53)return null;"w"in o||(o.w=1),"Z"in o?(n=(r=lo(co(o.y,0,1))).getUTCDay(),r=n>4||0===n?Un.ceil(r):Un(r),r=jn.offset(r,7*(o.V-1)),o.y=r.getUTCFullYear(),o.m=r.getUTCMonth(),o.d=r.getUTCDate()+(o.w+6)%7):(n=(r=so(co(o.y,0,1))).getDay(),r=n>4||0===n?Dn.ceil(r):Dn(r),r=Nn.offset(r,7*(o.V-1)),o.y=r.getFullYear(),o.m=r.getMonth(),o.d=r.getDate()+(o.w+6)%7)}else("W"in o||"U"in o)&&("w"in o||(o.w="u"in o?o.u%7:"W"in o?1:0),n="Z"in o?lo(co(o.y,0,1)).getUTCDay():so(co(o.y,0,1)).getDay(),o.m=0,o.d="W"in o?(o.w+6)%7+7*o.W-(n+5)%7:o.w+7*o.U-(n+6)%7);return"Z"in o?(o.H+=o.Z/100|0,o.M+=o.Z%100,lo(o)):so(o)}}function T(t,e,i,r){for(var n,o,a=0,s=e.length,l=i.length;a<s;){if(r>=l)return-1;if(37===(n=e.charCodeAt(a++))){if(n=e.charAt(a++),!(o=_[n in fo?e.charAt(a++):n])||(r=o(t,i,r))<0)return-1}else if(n!=i.charCodeAt(r++))return-1}return r}return b.x=v(i,b),b.X=v(r,b),b.c=v(e,b),C.x=v(i,C),C.X=v(r,C),C.c=v(e,C),{format:function(t){var e=v(t+="",b);return e.toString=function(){return t},e},parse:function(t){var e=k(t+="",!1);return e.toString=function(){return t},e},utcFormat:function(t){var e=v(t+="",C);return e.toString=function(){return t},e},utcParse:function(t){var e=k(t+="",!0);return e.toString=function(){return t},e}}}(t),uo=ho.format,ho.parse,ho.utcFormat,ho.utcParse}({dateTime:"%x, %X",date:"%-m/%-d/%Y",time:"%-I:%M:%S %p",periods:["AM","PM"],days:["Sunday","Monday","Tuesday","Wednesday","Thursday","Friday","Saturday"],shortDays:["Sun","Mon","Tue","Wed","Thu","Fri","Sat"],months:["January","February","March","April","May","June","July","August","September","October","November","December"],shortMonths:["Jan","Feb","Mar","Apr","May","Jun","Jul","Aug","Sep","Oct","Nov","Dec"]});const ja=function(t){for(var e=t.length/6|0,i=new Array(e),r=0;r<e;)i[r]="#"+t.slice(6*r,6*++r);return i}("4e79a7f28e2ce1575976b7b259a14fedc949af7aa1ff9da79c755fbab0ab");function Za(t){return"string"==typeof t?new Lt([[document.querySelector(t)]],[document.documentElement]):new Lt([[t]],Ft)}function Ia(t){return"string"==typeof t?new Lt([document.querySelectorAll(t)],[document.documentElement]):new Lt([_(t)],Ft)}function Oa(t){return function(){return t}}const Da=Math.abs,qa=Math.atan2,$a=Math.cos,za=Math.max,Pa=Math.min,Ra=Math.sin,Ha=Math.sqrt,Wa=1e-12,Ua=Math.PI,Ya=Ua/2,Va=2*Ua;function Ga(t){return t>=1?Ya:t<=-1?-Ya:Math.asin(t)}const Xa=Math.PI,Ja=2*Xa,Qa=1e-6,Ka=Ja-Qa;function ts(t){this._+=t[0];for(let e=1,i=t.length;e<i;++e)this._+=arguments[e]+t[e]}class es{constructor(t){this._x0=this._y0=this._x1=this._y1=null,this._="",this._append=null==t?ts:function(t){let e=Math.floor(t);if(!(e>=0))throw new Error(`invalid digits: ${t}`);if(e>15)return ts;const i=10**e;return function(t){this._+=t[0];for(let e=1,r=t.length;e<r;++e)this._+=Math.round(arguments[e]*i)/i+t[e]}}(t)}moveTo(t,e){this._append`M${this._x0=this._x1=+t},${this._y0=this._y1=+e}`}closePath(){null!==this._x1&&(this._x1=this._x0,this._y1=this._y0,this._append`Z`)}lineTo(t,e){this._append`L${this._x1=+t},${this._y1=+e}`}quadraticCurveTo(t,e,i,r){this._append`Q${+t},${+e},${this._x1=+i},${this._y1=+r}`}bezierCurveTo(t,e,i,r,n,o){this._append`C${+t},${+e},${+i},${+r},${this._x1=+n},${this._y1=+o}`}arcTo(t,e,i,r,n){if(t=+t,e=+e,i=+i,r=+r,(n=+n)<0)throw new Error(`negative radius: ${n}`);let o=this._x1,a=this._y1,s=i-t,l=r-e,c=o-t,h=a-e,u=c*c+h*h;if(null===this._x1)this._append`M${this._x1=t},${this._y1=e}`;else if(u>Qa)if(Math.abs(h*s-l*c)>Qa&&n){let d=i-o,f=r-a,p=s*s+l*l,g=d*d+f*f,m=Math.sqrt(p),y=Math.sqrt(u),x=n*Math.tan((Xa-Math.acos((p+u-g)/(2*m*y)))/2),b=x/y,C=x/m;Math.abs(b-1)>Qa&&this._append`L${t+b*c},${e+b*h}`,this._append`A${n},${n},0,0,${+(h*d>c*f)},${this._x1=t+C*s},${this._y1=e+C*l}`}else this._append`L${this._x1=t},${this._y1=e}`;else;}arc(t,e,i,r,n,o){if(t=+t,e=+e,o=!!o,(i=+i)<0)throw new Error(`negative radius: ${i}`);let a=i*Math.cos(r),s=i*Math.sin(r),l=t+a,c=e+s,h=1^o,u=o?r-n:n-r;null===this._x1?this._append`M${l},${c}`:(Math.abs(this._x1-l)>Qa||Math.abs(this._y1-c)>Qa)&&this._append`L${l},${c}`,i&&(u<0&&(u=u%Ja+Ja),u>Ka?this._append`A${i},${i},0,1,${h},${t-a},${e-s}A${i},${i},0,1,${h},${this._x1=l},${this._y1=c}`:u>Qa&&this._append`A${i},${i},0,${+(u>=Xa)},${h},${this._x1=t+i*Math.cos(n)},${this._y1=e+i*Math.sin(n)}`)}rect(t,e,i,r){this._append`M${this._x0=this._x1=+t},${this._y0=this._y1=+e}h${i=+i}v${+r}h${-i}Z`}toString(){return this._}}function is(t){let e=3;return t.digits=function(i){if(!arguments.length)return e;if(null==i)e=null;else{const t=Math.floor(i);if(!(t>=0))throw new RangeError(`invalid digits: ${i}`);e=t}return t},()=>new es(e)}function rs(t){return t.innerRadius}function ns(t){return t.outerRadius}function os(t){return t.startAngle}function as(t){return t.endAngle}function ss(t){return t&&t.padAngle}function ls(t,e,i,r,n,o,a){var s=t-i,l=e-r,c=(a?o:-o)/Ha(s*s+l*l),h=c*l,u=-c*s,d=t+h,f=e+u,p=i+h,g=r+u,m=(d+p)/2,y=(f+g)/2,x=p-d,b=g-f,C=x*x+b*b,_=n-o,v=d*g-p*f,k=(b<0?-1:1)*Ha(za(0,_*_*C-v*v)),T=(v*b-x*k)/C,w=(-v*x-b*k)/C,S=(v*b+x*k)/C,B=(-v*x+b*k)/C,F=T-m,L=w-y,A=S-m,M=B-y;return F*F+L*L>A*A+M*M&&(T=S,w=B),{cx:T,cy:w,x01:-h,y01:-u,x11:T*(n/_-1),y11:w*(n/_-1)}}function cs(){var t=rs,e=ns,i=Oa(0),r=null,n=os,o=as,a=ss,s=null,l=is(c);function c(){var c,h,u,d=+t.apply(this,arguments),f=+e.apply(this,arguments),p=n.apply(this,arguments)-Ya,g=o.apply(this,arguments)-Ya,m=Da(g-p),y=g>p;if(s||(s=c=l()),f<d&&(h=f,f=d,d=h),f>Wa)if(m>Va-Wa)s.moveTo(f*$a(p),f*Ra(p)),s.arc(0,0,f,p,g,!y),d>Wa&&(s.moveTo(d*$a(g),d*Ra(g)),s.arc(0,0,d,g,p,y));else{var x,b,C=p,_=g,v=p,k=g,T=m,w=m,S=a.apply(this,arguments)/2,B=S>Wa&&(r?+r.apply(this,arguments):Ha(d*d+f*f)),F=Pa(Da(f-d)/2,+i.apply(this,arguments)),L=F,A=F;if(B>Wa){var M=Ga(B/d*Ra(S)),E=Ga(B/f*Ra(S));(T-=2*M)>Wa?(v+=M*=y?1:-1,k-=M):(T=0,v=k=(p+g)/2),(w-=2*E)>Wa?(C+=E*=y?1:-1,_-=E):(w=0,C=_=(p+g)/2)}var N=f*$a(C),j=f*Ra(C),Z=d*$a(k),I=d*Ra(k);if(F>Wa){var O,D=f*$a(_),q=f*Ra(_),$=d*$a(v),z=d*Ra(v);if(m<Ua)if(O=function(t,e,i,r,n,o,a,s){var l=i-t,c=r-e,h=a-n,u=s-o,d=u*l-h*c;if(!(d*d<Wa))return[t+(d=(h*(e-o)-u*(t-n))/d)*l,e+d*c]}(N,j,$,z,D,q,Z,I)){var P=N-O[0],R=j-O[1],H=D-O[0],W=q-O[1],U=1/Ra(((u=(P*H+R*W)/(Ha(P*P+R*R)*Ha(H*H+W*W)))>1?0:u<-1?Ua:Math.acos(u))/2),Y=Ha(O[0]*O[0]+O[1]*O[1]);L=Pa(F,(d-Y)/(U-1)),A=Pa(F,(f-Y)/(U+1))}else L=A=0}w>Wa?A>Wa?(x=ls($,z,N,j,f,A,y),b=ls(D,q,Z,I,f,A,y),s.moveTo(x.cx+x.x01,x.cy+x.y01),A<F?s.arc(x.cx,x.cy,A,qa(x.y01,x.x01),qa(b.y01,b.x01),!y):(s.arc(x.cx,x.cy,A,qa(x.y01,x.x01),qa(x.y11,x.x11),!y),s.arc(0,0,f,qa(x.cy+x.y11,x.cx+x.x11),qa(b.cy+b.y11,b.cx+b.x11),!y),s.arc(b.cx,b.cy,A,qa(b.y11,b.x11),qa(b.y01,b.x01),!y))):(s.moveTo(N,j),s.arc(0,0,f,C,_,!y)):s.moveTo(N,j),d>Wa&&T>Wa?L>Wa?(x=ls(Z,I,D,q,d,-L,y),b=ls(N,j,$,z,d,-L,y),s.lineTo(x.cx+x.x01,x.cy+x.y01),L<F?s.arc(x.cx,x.cy,L,qa(x.y01,x.x01),qa(b.y01,b.x01),!y):(s.arc(x.cx,x.cy,L,qa(x.y01,x.x01),qa(x.y11,x.x11),!y),s.arc(0,0,d,qa(x.cy+x.y11,x.cx+x.x11),qa(b.cy+b.y11,b.cx+b.x11),y),s.arc(b.cx,b.cy,L,qa(b.y11,b.x11),qa(b.y01,b.x01),!y))):s.arc(0,0,d,k,v,y):s.lineTo(Z,I)}else s.moveTo(0,0);if(s.closePath(),c)return s=null,c+""||null}return c.centroid=function(){var i=(+t.apply(this,arguments)+ +e.apply(this,arguments))/2,r=(+n.apply(this,arguments)+ +o.apply(this,arguments))/2-Ua/2;return[$a(r)*i,Ra(r)*i]},c.innerRadius=function(e){return arguments.length?(t="function"==typeof e?e:Oa(+e),c):t},c.outerRadius=function(t){return arguments.length?(e="function"==typeof t?t:Oa(+t),c):e},c.cornerRadius=function(t){return arguments.length?(i="function"==typeof t?t:Oa(+t),c):i},c.padRadius=function(t){return arguments.length?(r=null==t?null:"function"==typeof t?t:Oa(+t),c):r},c.startAngle=function(t){return arguments.length?(n="function"==typeof t?t:Oa(+t),c):n},c.endAngle=function(t){return arguments.length?(o="function"==typeof t?t:Oa(+t),c):o},c.padAngle=function(t){return arguments.length?(a="function"==typeof t?t:Oa(+t),c):a},c.context=function(t){return arguments.length?(s=null==t?null:t,c):s},c}es.prototype;Array.prototype.slice;function hs(t){return"object"==typeof t&&"length"in t?t:Array.from(t)}function us(t){this._context=t}function ds(t){return new us(t)}function fs(t){return t[0]}function ps(t){return t[1]}function gs(t,e){var i=Oa(!0),r=null,n=ds,o=null,a=is(s);function s(s){var l,c,h,u=(s=hs(s)).length,d=!1;for(null==r&&(o=n(h=a())),l=0;l<=u;++l)!(l<u&&i(c=s[l],l,s))===d&&((d=!d)?o.lineStart():o.lineEnd()),d&&o.point(+t(c,l,s),+e(c,l,s));if(h)return o=null,h+""||null}return t="function"==typeof t?t:void 0===t?fs:Oa(t),e="function"==typeof e?e:void 0===e?ps:Oa(e),s.x=function(e){return arguments.length?(t="function"==typeof e?e:Oa(+e),s):t},s.y=function(t){return arguments.length?(e="function"==typeof t?t:Oa(+t),s):e},s.defined=function(t){return arguments.length?(i="function"==typeof t?t:Oa(!!t),s):i},s.curve=function(t){return arguments.length?(n=t,null!=r&&(o=n(r)),s):n},s.context=function(t){return arguments.length?(null==t?r=o=null:o=n(r=t),s):r},s}function ms(t,e){return e<t?-1:e>t?1:e>=t?0:NaN}function ys(t){return t}function xs(){var t=ys,e=ms,i=null,r=Oa(0),n=Oa(Va),o=Oa(0);function a(a){var s,l,c,h,u,d=(a=hs(a)).length,f=0,p=new Array(d),g=new Array(d),m=+r.apply(this,arguments),y=Math.min(Va,Math.max(-Va,n.apply(this,arguments)-m)),x=Math.min(Math.abs(y)/d,o.apply(this,arguments)),b=x*(y<0?-1:1);for(s=0;s<d;++s)(u=g[p[s]=s]=+t(a[s],s,a))>0&&(f+=u);for(null!=e?p.sort((function(t,i){return e(g[t],g[i])})):null!=i&&p.sort((function(t,e){return i(a[t],a[e])})),s=0,c=f?(y-d*b)/f:0;s<d;++s,m=h)l=p[s],h=m+((u=g[l])>0?u*c:0)+b,g[l]={data:a[l],index:s,value:u,startAngle:m,endAngle:h,padAngle:x};return g}return a.value=function(e){return arguments.length?(t="function"==typeof e?e:Oa(+e),a):t},a.sortValues=function(t){return arguments.length?(e=t,i=null,a):e},a.sort=function(t){return arguments.length?(i=t,e=null,a):i},a.startAngle=function(t){return arguments.length?(r="function"==typeof t?t:Oa(+t),a):r},a.endAngle=function(t){return arguments.length?(n="function"==typeof t?t:Oa(+t),a):n},a.padAngle=function(t){return arguments.length?(o="function"==typeof t?t:Oa(+t),a):o},a}function bs(){}function Cs(t,e,i){t._context.bezierCurveTo((2*t._x0+t._x1)/3,(2*t._y0+t._y1)/3,(t._x0+2*t._x1)/3,(t._y0+2*t._y1)/3,(t._x0+4*t._x1+e)/6,(t._y0+4*t._y1+i)/6)}function _s(t){this._context=t}function vs(t){return new _s(t)}function ks(t){this._context=t}function Ts(t){return new ks(t)}function ws(t){this._context=t}function Ss(t){return new ws(t)}us.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._point=0},lineEnd:function(){(this._line||0!==this._line&&1===this._point)&&this._context.closePath(),this._line=1-this._line},point:function(t,e){switch(t=+t,e=+e,this._point){case 0:this._point=1,this._line?this._context.lineTo(t,e):this._context.moveTo(t,e);break;case 1:this._point=2;default:this._context.lineTo(t,e)}}},_s.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._x0=this._x1=this._y0=this._y1=NaN,this._point=0},lineEnd:function(){switch(this._point){case 3:Cs(this,this._x1,this._y1);case 2:this._context.lineTo(this._x1,this._y1)}(this._line||0!==this._line&&1===this._point)&&this._context.closePath(),this._line=1-this._line},point:function(t,e){switch(t=+t,e=+e,this._point){case 0:this._point=1,this._line?this._context.lineTo(t,e):this._context.moveTo(t,e);break;case 1:this._point=2;break;case 2:this._point=3,this._context.lineTo((5*this._x0+this._x1)/6,(5*this._y0+this._y1)/6);default:Cs(this,t,e)}this._x0=this._x1,this._x1=t,this._y0=this._y1,this._y1=e}},ks.prototype={areaStart:bs,areaEnd:bs,lineStart:function(){this._x0=this._x1=this._x2=this._x3=this._x4=this._y0=this._y1=this._y2=this._y3=this._y4=NaN,this._point=0},lineEnd:function(){switch(this._point){case 1:this._context.moveTo(this._x2,this._y2),this._context.closePath();break;case 2:this._context.moveTo((this._x2+2*this._x3)/3,(this._y2+2*this._y3)/3),this._context.lineTo((this._x3+2*this._x2)/3,(this._y3+2*this._y2)/3),this._context.closePath();break;case 3:this.point(this._x2,this._y2),this.point(this._x3,this._y3),this.point(this._x4,this._y4)}},point:function(t,e){switch(t=+t,e=+e,this._point){case 0:this._point=1,this._x2=t,this._y2=e;break;case 1:this._point=2,this._x3=t,this._y3=e;break;case 2:this._point=3,this._x4=t,this._y4=e,this._context.moveTo((this._x0+4*this._x1+t)/6,(this._y0+4*this._y1+e)/6);break;default:Cs(this,t,e)}this._x0=this._x1,this._x1=t,this._y0=this._y1,this._y1=e}},ws.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._x0=this._x1=this._y0=this._y1=NaN,this._point=0},lineEnd:function(){(this._line||0!==this._line&&3===this._point)&&this._context.closePath(),this._line=1-this._line},point:function(t,e){switch(t=+t,e=+e,this._point){case 0:this._point=1;break;case 1:this._point=2;break;case 2:this._point=3;var i=(this._x0+4*this._x1+t)/6,r=(this._y0+4*this._y1+e)/6;this._line?this._context.lineTo(i,r):this._context.moveTo(i,r);break;case 3:this._point=4;default:Cs(this,t,e)}this._x0=this._x1,this._x1=t,this._y0=this._y1,this._y1=e}};class Bs{constructor(t,e){this._context=t,this._x=e}areaStart(){this._line=0}areaEnd(){this._line=NaN}lineStart(){this._point=0}lineEnd(){(this._line||0!==this._line&&1===this._point)&&this._context.closePath(),this._line=1-this._line}point(t,e){switch(t=+t,e=+e,this._point){case 0:this._point=1,this._line?this._context.lineTo(t,e):this._context.moveTo(t,e);break;case 1:this._point=2;default:this._x?this._context.bezierCurveTo(this._x0=(this._x0+t)/2,this._y0,this._x0,e,t,e):this._context.bezierCurveTo(this._x0,this._y0=(this._y0+e)/2,t,this._y0,t,e)}this._x0=t,this._y0=e}}function Fs(t){return new Bs(t,!0)}function Ls(t){return new Bs(t,!1)}function As(t,e){this._basis=new _s(t),this._beta=e}As.prototype={lineStart:function(){this._x=[],this._y=[],this._basis.lineStart()},lineEnd:function(){var t=this._x,e=this._y,i=t.length-1;if(i>0)for(var r,n=t[0],o=e[0],a=t[i]-n,s=e[i]-o,l=-1;++l<=i;)r=l/i,this._basis.point(this._beta*t[l]+(1-this._beta)*(n+r*a),this._beta*e[l]+(1-this._beta)*(o+r*s));this._x=this._y=null,this._basis.lineEnd()},point:function(t,e){this._x.push(+t),this._y.push(+e)}};const Ms=function t(e){function i(t){return 1===e?new _s(t):new As(t,e)}return i.beta=function(e){return t(+e)},i}(.85);function Es(t,e,i){t._context.bezierCurveTo(t._x1+t._k*(t._x2-t._x0),t._y1+t._k*(t._y2-t._y0),t._x2+t._k*(t._x1-e),t._y2+t._k*(t._y1-i),t._x2,t._y2)}function Ns(t,e){this._context=t,this._k=(1-e)/6}Ns.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._x0=this._x1=this._x2=this._y0=this._y1=this._y2=NaN,this._point=0},lineEnd:function(){switch(this._point){case 2:this._context.lineTo(this._x2,this._y2);break;case 3:Es(this,this._x1,this._y1)}(this._line||0!==this._line&&1===this._point)&&this._context.closePath(),this._line=1-this._line},point:function(t,e){switch(t=+t,e=+e,this._point){case 0:this._point=1,this._line?this._context.lineTo(t,e):this._context.moveTo(t,e);break;case 1:this._point=2,this._x1=t,this._y1=e;break;case 2:this._point=3;default:Es(this,t,e)}this._x0=this._x1,this._x1=this._x2,this._x2=t,this._y0=this._y1,this._y1=this._y2,this._y2=e}};const js=function t(e){function i(t){return new Ns(t,e)}return i.tension=function(e){return t(+e)},i}(0);function Zs(t,e){this._context=t,this._k=(1-e)/6}Zs.prototype={areaStart:bs,areaEnd:bs,lineStart:function(){this._x0=this._x1=this._x2=this._x3=this._x4=this._x5=this._y0=this._y1=this._y2=this._y3=this._y4=this._y5=NaN,this._point=0},lineEnd:function(){switch(this._point){case 1:this._context.moveTo(this._x3,this._y3),this._context.closePath();break;case 2:this._context.lineTo(this._x3,this._y3),this._context.closePath();break;case 3:this.point(this._x3,this._y3),this.point(this._x4,this._y4),this.point(this._x5,this._y5)}},point:function(t,e){switch(t=+t,e=+e,this._point){case 0:this._point=1,this._x3=t,this._y3=e;break;case 1:this._point=2,this._context.moveTo(this._x4=t,this._y4=e);break;case 2:this._point=3,this._x5=t,this._y5=e;break;default:Es(this,t,e)}this._x0=this._x1,this._x1=this._x2,this._x2=t,this._y0=this._y1,this._y1=this._y2,this._y2=e}};const Is=function t(e){function i(t){return new Zs(t,e)}return i.tension=function(e){return t(+e)},i}(0);function Os(t,e){this._context=t,this._k=(1-e)/6}Os.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._x0=this._x1=this._x2=this._y0=this._y1=this._y2=NaN,this._point=0},lineEnd:function(){(this._line||0!==this._line&&3===this._point)&&this._context.closePath(),this._line=1-this._line},point:function(t,e){switch(t=+t,e=+e,this._point){case 0:this._point=1;break;case 1:this._point=2;break;case 2:this._point=3,this._line?this._context.lineTo(this._x2,this._y2):this._context.moveTo(this._x2,this._y2);break;case 3:this._point=4;default:Es(this,t,e)}this._x0=this._x1,this._x1=this._x2,this._x2=t,this._y0=this._y1,this._y1=this._y2,this._y2=e}};const Ds=function t(e){function i(t){return new Os(t,e)}return i.tension=function(e){return t(+e)},i}(0);function qs(t,e,i){var r=t._x1,n=t._y1,o=t._x2,a=t._y2;if(t._l01_a>Wa){var s=2*t._l01_2a+3*t._l01_a*t._l12_a+t._l12_2a,l=3*t._l01_a*(t._l01_a+t._l12_a);r=(r*s-t._x0*t._l12_2a+t._x2*t._l01_2a)/l,n=(n*s-t._y0*t._l12_2a+t._y2*t._l01_2a)/l}if(t._l23_a>Wa){var c=2*t._l23_2a+3*t._l23_a*t._l12_a+t._l12_2a,h=3*t._l23_a*(t._l23_a+t._l12_a);o=(o*c+t._x1*t._l23_2a-e*t._l12_2a)/h,a=(a*c+t._y1*t._l23_2a-i*t._l12_2a)/h}t._context.bezierCurveTo(r,n,o,a,t._x2,t._y2)}function $s(t,e){this._context=t,this._alpha=e}$s.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._x0=this._x1=this._x2=this._y0=this._y1=this._y2=NaN,this._l01_a=this._l12_a=this._l23_a=this._l01_2a=this._l12_2a=this._l23_2a=this._point=0},lineEnd:function(){switch(this._point){case 2:this._context.lineTo(this._x2,this._y2);break;case 3:this.point(this._x2,this._y2)}(this._line||0!==this._line&&1===this._point)&&this._context.closePath(),this._line=1-this._line},point:function(t,e){if(t=+t,e=+e,this._point){var i=this._x2-t,r=this._y2-e;this._l23_a=Math.sqrt(this._l23_2a=Math.pow(i*i+r*r,this._alpha))}switch(this._point){case 0:this._point=1,this._line?this._context.lineTo(t,e):this._context.moveTo(t,e);break;case 1:this._point=2;break;case 2:this._point=3;default:qs(this,t,e)}this._l01_a=this._l12_a,this._l12_a=this._l23_a,this._l01_2a=this._l12_2a,this._l12_2a=this._l23_2a,this._x0=this._x1,this._x1=this._x2,this._x2=t,this._y0=this._y1,this._y1=this._y2,this._y2=e}};const zs=function t(e){function i(t){return e?new $s(t,e):new Ns(t,0)}return i.alpha=function(e){return t(+e)},i}(.5);function Ps(t,e){this._context=t,this._alpha=e}Ps.prototype={areaStart:bs,areaEnd:bs,lineStart:function(){this._x0=this._x1=this._x2=this._x3=this._x4=this._x5=this._y0=this._y1=this._y2=this._y3=this._y4=this._y5=NaN,this._l01_a=this._l12_a=this._l23_a=this._l01_2a=this._l12_2a=this._l23_2a=this._point=0},lineEnd:function(){switch(this._point){case 1:this._context.moveTo(this._x3,this._y3),this._context.closePath();break;case 2:this._context.lineTo(this._x3,this._y3),this._context.closePath();break;case 3:this.point(this._x3,this._y3),this.point(this._x4,this._y4),this.point(this._x5,this._y5)}},point:function(t,e){if(t=+t,e=+e,this._point){var i=this._x2-t,r=this._y2-e;this._l23_a=Math.sqrt(this._l23_2a=Math.pow(i*i+r*r,this._alpha))}switch(this._point){case 0:this._point=1,this._x3=t,this._y3=e;break;case 1:this._point=2,this._context.moveTo(this._x4=t,this._y4=e);break;case 2:this._point=3,this._x5=t,this._y5=e;break;default:qs(this,t,e)}this._l01_a=this._l12_a,this._l12_a=this._l23_a,this._l01_2a=this._l12_2a,this._l12_2a=this._l23_2a,this._x0=this._x1,this._x1=this._x2,this._x2=t,this._y0=this._y1,this._y1=this._y2,this._y2=e}};const Rs=function t(e){function i(t){return e?new Ps(t,e):new Zs(t,0)}return i.alpha=function(e){return t(+e)},i}(.5);function Hs(t,e){this._context=t,this._alpha=e}Hs.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._x0=this._x1=this._x2=this._y0=this._y1=this._y2=NaN,this._l01_a=this._l12_a=this._l23_a=this._l01_2a=this._l12_2a=this._l23_2a=this._point=0},lineEnd:function(){(this._line||0!==this._line&&3===this._point)&&this._context.closePath(),this._line=1-this._line},point:function(t,e){if(t=+t,e=+e,this._point){var i=this._x2-t,r=this._y2-e;this._l23_a=Math.sqrt(this._l23_2a=Math.pow(i*i+r*r,this._alpha))}switch(this._point){case 0:this._point=1;break;case 1:this._point=2;break;case 2:this._point=3,this._line?this._context.lineTo(this._x2,this._y2):this._context.moveTo(this._x2,this._y2);break;case 3:this._point=4;default:qs(this,t,e)}this._l01_a=this._l12_a,this._l12_a=this._l23_a,this._l01_2a=this._l12_2a,this._l12_2a=this._l23_2a,this._x0=this._x1,this._x1=this._x2,this._x2=t,this._y0=this._y1,this._y1=this._y2,this._y2=e}};const Ws=function t(e){function i(t){return e?new Hs(t,e):new Os(t,0)}return i.alpha=function(e){return t(+e)},i}(.5);function Us(t){this._context=t}function Ys(t){return new Us(t)}function Vs(t){return t<0?-1:1}function Gs(t,e,i){var r=t._x1-t._x0,n=e-t._x1,o=(t._y1-t._y0)/(r||n<0&&-0),a=(i-t._y1)/(n||r<0&&-0),s=(o*n+a*r)/(r+n);return(Vs(o)+Vs(a))*Math.min(Math.abs(o),Math.abs(a),.5*Math.abs(s))||0}function Xs(t,e){var i=t._x1-t._x0;return i?(3*(t._y1-t._y0)/i-e)/2:e}function Js(t,e,i){var r=t._x0,n=t._y0,o=t._x1,a=t._y1,s=(o-r)/3;t._context.bezierCurveTo(r+s,n+s*e,o-s,a-s*i,o,a)}function Qs(t){this._context=t}function Ks(t){this._context=new tl(t)}function tl(t){this._context=t}function el(t){return new Qs(t)}function il(t){return new Ks(t)}function rl(t){this._context=t}function nl(t){var e,i,r=t.length-1,n=new Array(r),o=new Array(r),a=new Array(r);for(n[0]=0,o[0]=2,a[0]=t[0]+2*t[1],e=1;e<r-1;++e)n[e]=1,o[e]=4,a[e]=4*t[e]+2*t[e+1];for(n[r-1]=2,o[r-1]=7,a[r-1]=8*t[r-1]+t[r],e=1;e<r;++e)i=n[e]/o[e-1],o[e]-=i,a[e]-=i*a[e-1];for(n[r-1]=a[r-1]/o[r-1],e=r-2;e>=0;--e)n[e]=(a[e]-n[e+1])/o[e];for(o[r-1]=(t[r]+n[r-1])/2,e=0;e<r-1;++e)o[e]=2*t[e+1]-n[e+1];return[n,o]}function ol(t){return new rl(t)}function al(t,e){this._context=t,this._t=e}function sl(t){return new al(t,.5)}function ll(t){return new al(t,0)}function cl(t){return new al(t,1)}function hl(t,e,i){this.k=t,this.x=e,this.y=i}Us.prototype={areaStart:bs,areaEnd:bs,lineStart:function(){this._point=0},lineEnd:function(){this._point&&this._context.closePath()},point:function(t,e){t=+t,e=+e,this._point?this._context.lineTo(t,e):(this._point=1,this._context.moveTo(t,e))}},Qs.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._x0=this._x1=this._y0=this._y1=this._t0=NaN,this._point=0},lineEnd:function(){switch(this._point){case 2:this._context.lineTo(this._x1,this._y1);break;case 3:Js(this,this._t0,Xs(this,this._t0))}(this._line||0!==this._line&&1===this._point)&&this._context.closePath(),this._line=1-this._line},point:function(t,e){var i=NaN;if(e=+e,(t=+t)!==this._x1||e!==this._y1){switch(this._point){case 0:this._point=1,this._line?this._context.lineTo(t,e):this._context.moveTo(t,e);break;case 1:this._point=2;break;case 2:this._point=3,Js(this,Xs(this,i=Gs(this,t,e)),i);break;default:Js(this,this._t0,i=Gs(this,t,e))}this._x0=this._x1,this._x1=t,this._y0=this._y1,this._y1=e,this._t0=i}}},(Ks.prototype=Object.create(Qs.prototype)).point=function(t,e){Qs.prototype.point.call(this,e,t)},tl.prototype={moveTo:function(t,e){this._context.moveTo(e,t)},closePath:function(){this._context.closePath()},lineTo:function(t,e){this._context.lineTo(e,t)},bezierCurveTo:function(t,e,i,r,n,o){this._context.bezierCurveTo(e,t,r,i,o,n)}},rl.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._x=[],this._y=[]},lineEnd:function(){var t=this._x,e=this._y,i=t.length;if(i)if(this._line?this._context.lineTo(t[0],e[0]):this._context.moveTo(t[0],e[0]),2===i)this._context.lineTo(t[1],e[1]);else for(var r=nl(t),n=nl(e),o=0,a=1;a<i;++o,++a)this._context.bezierCurveTo(r[0][o],n[0][o],r[1][o],n[1][o],t[a],e[a]);(this._line||0!==this._line&&1===i)&&this._context.closePath(),this._line=1-this._line,this._x=this._y=null},point:function(t,e){this._x.push(+t),this._y.push(+e)}},al.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._x=this._y=NaN,this._point=0},lineEnd:function(){0<this._t&&this._t<1&&2===this._point&&this._context.lineTo(this._x,this._y),(this._line||0!==this._line&&1===this._point)&&this._context.closePath(),this._line>=0&&(this._t=1-this._t,this._line=1-this._line)},point:function(t,e){switch(t=+t,e=+e,this._point){case 0:this._point=1,this._line?this._context.lineTo(t,e):this._context.moveTo(t,e);break;case 1:this._point=2;default:if(this._t<=0)this._context.lineTo(this._x,e),this._context.lineTo(t,e);else{var i=this._x*(1-this._t)+t*this._t;this._context.lineTo(i,this._y),this._context.lineTo(i,e)}}this._x=t,this._y=e}},hl.prototype={constructor:hl,scale:function(t){return 1===t?this:new hl(this.k*t,this.x,this.y)},translate:function(t,e){return 0===t&0===e?this:new hl(this.k,this.x+this.k*t,this.y+this.k*e)},apply:function(t){return[t[0]*this.k+this.x,t[1]*this.k+this.y]},applyX:function(t){return t*this.k+this.x},applyY:function(t){return t*this.k+this.y},invert:function(t){return[(t[0]-this.x)/this.k,(t[1]-this.y)/this.k]},invertX:function(t){return(t-this.x)/this.k},invertY:function(t){return(t-this.y)/this.k},rescaleX:function(t){return t.copy().domain(t.range().map(this.invertX,this).map(t.invert,t))},rescaleY:function(t){return t.copy().domain(t.range().map(this.invertY,this).map(t.invert,t))},toString:function(){return"translate("+this.x+","+this.y+") scale("+this.k+")"}};new hl(1,0,0);hl.prototype},1883:(t,e,i)=>{"use strict";i.d(e,{Z:()=>a});var r=i(1691),n=i(2142);const o=class{constructor(){this.type=n.w.ALL}get(){return this.type}set(t){if(this.type&&this.type!==t)throw new Error("Cannot change both RGB and HSL channels at the same time");this.type=t}reset(){this.type=n.w.ALL}is(t){return this.type===t}};const a=new class{constructor(t,e){this.color=e,this.changed=!1,this.data=t,this.type=new o}set(t,e){return this.color=e,this.changed=!1,this.data=t,this.type.type=n.w.ALL,this}_ensureHSL(){const t=this.data,{h:e,s:i,l:n}=t;void 0===e&&(t.h=r.Z.channel.rgb2hsl(t,"h")),void 0===i&&(t.s=r.Z.channel.rgb2hsl(t,"s")),void 0===n&&(t.l=r.Z.channel.rgb2hsl(t,"l"))}_ensureRGB(){const t=this.data,{r:e,g:i,b:n}=t;void 0===e&&(t.r=r.Z.channel.hsl2rgb(t,"r")),void 0===i&&(t.g=r.Z.channel.hsl2rgb(t,"g")),void 0===n&&(t.b=r.Z.channel.hsl2rgb(t,"b"))}get r(){const t=this.data,e=t.r;return this.type.is(n.w.HSL)||void 0===e?(this._ensureHSL(),r.Z.channel.hsl2rgb(t,"r")):e}get g(){const t=this.data,e=t.g;return this.type.is(n.w.HSL)||void 0===e?(this._ensureHSL(),r.Z.channel.hsl2rgb(t,"g")):e}get b(){const t=this.data,e=t.b;return this.type.is(n.w.HSL)||void 0===e?(this._ensureHSL(),r.Z.channel.hsl2rgb(t,"b")):e}get h(){const t=this.data,e=t.h;return this.type.is(n.w.RGB)||void 0===e?(this._ensureRGB(),r.Z.channel.rgb2hsl(t,"h")):e}get s(){const t=this.data,e=t.s;return this.type.is(n.w.RGB)||void 0===e?(this._ensureRGB(),r.Z.channel.rgb2hsl(t,"s")):e}get l(){const t=this.data,e=t.l;return this.type.is(n.w.RGB)||void 0===e?(this._ensureRGB(),r.Z.channel.rgb2hsl(t,"l")):e}get a(){return this.data.a}set r(t){this.type.set(n.w.RGB),this.changed=!0,this.data.r=t}set g(t){this.type.set(n.w.RGB),this.changed=!0,this.data.g=t}set b(t){this.type.set(n.w.RGB),this.changed=!0,this.data.b=t}set h(t){this.type.set(n.w.HSL),this.changed=!0,this.data.h=t}set s(t){this.type.set(n.w.HSL),this.changed=!0,this.data.s=t}set l(t){this.type.set(n.w.HSL),this.changed=!0,this.data.l=t}set a(t){this.changed=!0,this.data.a=t}}({r:0,g:0,b:0,a:0},"transparent")},1610:(t,e,i)=>{"use strict";i.d(e,{Z:()=>g});var r=i(1883),n=i(2142);const o={re:/^#((?:[a-f0-9]{2}){2,4}|[a-f0-9]{3})$/i,parse:t=>{if(35!==t.charCodeAt(0))return;const e=t.match(o.re);if(!e)return;const i=e[1],n=parseInt(i,16),a=i.length,s=a%4==0,l=a>4,c=l?1:17,h=l?8:4,u=s?0:-1,d=l?255:15;return r.Z.set({r:(n>>h*(u+3)&d)*c,g:(n>>h*(u+2)&d)*c,b:(n>>h*(u+1)&d)*c,a:s?(n&d)*c/255:1},t)},stringify:t=>{const{r:e,g:i,b:r,a:o}=t;return o<1?`#${n.Q[Math.round(e)]}${n.Q[Math.round(i)]}${n.Q[Math.round(r)]}${n.Q[Math.round(255*o)]}`:`#${n.Q[Math.round(e)]}${n.Q[Math.round(i)]}${n.Q[Math.round(r)]}`}},a=o;var s=i(1691);const l={re:/^hsla?\(\s*?(-?(?:\d+(?:\.\d+)?|(?:\.\d+))(?:e-?\d+)?(?:deg|grad|rad|turn)?)\s*?(?:,|\s)\s*?(-?(?:\d+(?:\.\d+)?|(?:\.\d+))(?:e-?\d+)?%)\s*?(?:,|\s)\s*?(-?(?:\d+(?:\.\d+)?|(?:\.\d+))(?:e-?\d+)?%)(?:\s*?(?:,|\/)\s*?\+?(-?(?:\d+(?:\.\d+)?|(?:\.\d+))(?:e-?\d+)?(%)?))?\s*?\)$/i,hueRe:/^(.+?)(deg|grad|rad|turn)$/i,_hue2deg:t=>{const e=t.match(l.hueRe);if(e){const[,t,i]=e;switch(i){case"grad":return s.Z.channel.clamp.h(.9*parseFloat(t));case"rad":return s.Z.channel.clamp.h(180*parseFloat(t)/Math.PI);case"turn":return s.Z.channel.clamp.h(360*parseFloat(t))}}return s.Z.channel.clamp.h(parseFloat(t))},parse:t=>{const e=t.charCodeAt(0);if(104!==e&&72!==e)return;const i=t.match(l.re);if(!i)return;const[,n,o,a,c,h]=i;return r.Z.set({h:l._hue2deg(n),s:s.Z.channel.clamp.s(parseFloat(o)),l:s.Z.channel.clamp.l(parseFloat(a)),a:c?s.Z.channel.clamp.a(h?parseFloat(c)/100:parseFloat(c)):1},t)},stringify:t=>{const{h:e,s:i,l:r,a:n}=t;return n<1?`hsla(${s.Z.lang.round(e)}, ${s.Z.lang.round(i)}%, ${s.Z.lang.round(r)}%, ${n})`:`hsl(${s.Z.lang.round(e)}, ${s.Z.lang.round(i)}%, ${s.Z.lang.round(r)}%)`}},c=l,h={colors:{aliceblue:"#f0f8ff",antiquewhite:"#faebd7",aqua:"#00ffff",aquamarine:"#7fffd4",azure:"#f0ffff",beige:"#f5f5dc",bisque:"#ffe4c4",black:"#000000",blanchedalmond:"#ffebcd",blue:"#0000ff",blueviolet:"#8a2be2",brown:"#a52a2a",burlywood:"#deb887",cadetblue:"#5f9ea0",chartreuse:"#7fff00",chocolate:"#d2691e",coral:"#ff7f50",cornflowerblue:"#6495ed",cornsilk:"#fff8dc",crimson:"#dc143c",cyanaqua:"#00ffff",darkblue:"#00008b",darkcyan:"#008b8b",darkgoldenrod:"#b8860b",darkgray:"#a9a9a9",darkgreen:"#006400",darkgrey:"#a9a9a9",darkkhaki:"#bdb76b",darkmagenta:"#8b008b",darkolivegreen:"#556b2f",darkorange:"#ff8c00",darkorchid:"#9932cc",darkred:"#8b0000",darksalmon:"#e9967a",darkseagreen:"#8fbc8f",darkslateblue:"#483d8b",darkslategray:"#2f4f4f",darkslategrey:"#2f4f4f",darkturquoise:"#00ced1",darkviolet:"#9400d3",deeppink:"#ff1493",deepskyblue:"#00bfff",dimgray:"#696969",dimgrey:"#696969",dodgerblue:"#1e90ff",firebrick:"#b22222",floralwhite:"#fffaf0",forestgreen:"#228b22",fuchsia:"#ff00ff",gainsboro:"#dcdcdc",ghostwhite:"#f8f8ff",gold:"#ffd700",goldenrod:"#daa520",gray:"#808080",green:"#008000",greenyellow:"#adff2f",grey:"#808080",honeydew:"#f0fff0",hotpink:"#ff69b4",indianred:"#cd5c5c",indigo:"#4b0082",ivory:"#fffff0",khaki:"#f0e68c",lavender:"#e6e6fa",lavenderblush:"#fff0f5",lawngreen:"#7cfc00",lemonchiffon:"#fffacd",lightblue:"#add8e6",lightcoral:"#f08080",lightcyan:"#e0ffff",lightgoldenrodyellow:"#fafad2",lightgray:"#d3d3d3",lightgreen:"#90ee90",lightgrey:"#d3d3d3",lightpink:"#ffb6c1",lightsalmon:"#ffa07a",lightseagreen:"#20b2aa",lightskyblue:"#87cefa",lightslategray:"#778899",lightslategrey:"#778899",lightsteelblue:"#b0c4de",lightyellow:"#ffffe0",lime:"#00ff00",limegreen:"#32cd32",linen:"#faf0e6",magenta:"#ff00ff",maroon:"#800000",mediumaquamarine:"#66cdaa",mediumblue:"#0000cd",mediumorchid:"#ba55d3",mediumpurple:"#9370db",mediumseagreen:"#3cb371",mediumslateblue:"#7b68ee",mediumspringgreen:"#00fa9a",mediumturquoise:"#48d1cc",mediumvioletred:"#c71585",midnightblue:"#191970",mintcream:"#f5fffa",mistyrose:"#ffe4e1",moccasin:"#ffe4b5",navajowhite:"#ffdead",navy:"#000080",oldlace:"#fdf5e6",olive:"#808000",olivedrab:"#6b8e23",orange:"#ffa500",orangered:"#ff4500",orchid:"#da70d6",palegoldenrod:"#eee8aa",palegreen:"#98fb98",paleturquoise:"#afeeee",palevioletred:"#db7093",papayawhip:"#ffefd5",peachpuff:"#ffdab9",peru:"#cd853f",pink:"#ffc0cb",plum:"#dda0dd",powderblue:"#b0e0e6",purple:"#800080",rebeccapurple:"#663399",red:"#ff0000",rosybrown:"#bc8f8f",royalblue:"#4169e1",saddlebrown:"#8b4513",salmon:"#fa8072",sandybrown:"#f4a460",seagreen:"#2e8b57",seashell:"#fff5ee",sienna:"#a0522d",silver:"#c0c0c0",skyblue:"#87ceeb",slateblue:"#6a5acd",slategray:"#708090",slategrey:"#708090",snow:"#fffafa",springgreen:"#00ff7f",tan:"#d2b48c",teal:"#008080",thistle:"#d8bfd8",transparent:"#00000000",turquoise:"#40e0d0",violet:"#ee82ee",wheat:"#f5deb3",white:"#ffffff",whitesmoke:"#f5f5f5",yellow:"#ffff00",yellowgreen:"#9acd32"},parse:t=>{t=t.toLowerCase();const e=h.colors[t];if(e)return a.parse(e)},stringify:t=>{const e=a.stringify(t);for(const i in h.colors)if(h.colors[i]===e)return i}},u=h,d={re:/^rgba?\(\s*?(-?(?:\d+(?:\.\d+)?|(?:\.\d+))(?:e\d+)?(%?))\s*?(?:,|\s)\s*?(-?(?:\d+(?:\.\d+)?|(?:\.\d+))(?:e\d+)?(%?))\s*?(?:,|\s)\s*?(-?(?:\d+(?:\.\d+)?|(?:\.\d+))(?:e\d+)?(%?))(?:\s*?(?:,|\/)\s*?\+?(-?(?:\d+(?:\.\d+)?|(?:\.\d+))(?:e\d+)?(%?)))?\s*?\)$/i,parse:t=>{const e=t.charCodeAt(0);if(114!==e&&82!==e)return;const i=t.match(d.re);if(!i)return;const[,n,o,a,l,c,h,u,f]=i;return r.Z.set({r:s.Z.channel.clamp.r(o?2.55*parseFloat(n):parseFloat(n)),g:s.Z.channel.clamp.g(l?2.55*parseFloat(a):parseFloat(a)),b:s.Z.channel.clamp.b(h?2.55*parseFloat(c):parseFloat(c)),a:u?s.Z.channel.clamp.a(f?parseFloat(u)/100:parseFloat(u)):1},t)},stringify:t=>{const{r:e,g:i,b:r,a:n}=t;return n<1?`rgba(${s.Z.lang.round(e)}, ${s.Z.lang.round(i)}, ${s.Z.lang.round(r)}, ${s.Z.lang.round(n)})`:`rgb(${s.Z.lang.round(e)}, ${s.Z.lang.round(i)}, ${s.Z.lang.round(r)})`}},f=d,p={format:{keyword:h,hex:a,rgb:d,rgba:d,hsl:l,hsla:l},parse:t=>{if("string"!=typeof t)return t;const e=a.parse(t)||f.parse(t)||c.parse(t)||u.parse(t);if(e)return e;throw new Error(`Unsupported color format: "${t}"`)},stringify:t=>!t.changed&&t.color?t.color:t.type.is(n.w.HSL)||void 0===t.data.r?c.stringify(t):t.a<1||!Number.isInteger(t.r)||!Number.isInteger(t.g)||!Number.isInteger(t.b)?f.stringify(t):a.stringify(t)},g=p},2142:(t,e,i)=>{"use strict";i.d(e,{Q:()=>n,w:()=>o});var r=i(1691);const n={};for(let a=0;a<=255;a++)n[a]=r.Z.unit.dec2hex(a);const o={ALL:0,RGB:1,HSL:2}},6174:(t,e,i)=>{"use strict";i.d(e,{Z:()=>o});var r=i(1691),n=i(1610);const o=(t,e,i)=>{const o=n.Z.parse(t),a=o[e],s=r.Z.channel.clamp[e](a+i);return a!==s&&(o[e]=s),n.Z.stringify(o)}},3438:(t,e,i)=>{"use strict";i.d(e,{Z:()=>o});var r=i(1691),n=i(1610);const o=(t,e)=>{const i=n.Z.parse(t);for(const n in e)i[n]=r.Z.channel.clamp[n](e[n]);return n.Z.stringify(i)}},7201:(t,e,i)=>{"use strict";i.d(e,{Z:()=>n});var r=i(6174);const n=(t,e)=>(0,r.Z)(t,"l",-e)},1619:(t,e,i)=>{"use strict";i.d(e,{Z:()=>s});var r=i(1691),n=i(1610);const o=t=>{const{r:e,g:i,b:o}=n.Z.parse(t),a=.2126*r.Z.channel.toLinear(e)+.7152*r.Z.channel.toLinear(i)+.0722*r.Z.channel.toLinear(o);return r.Z.lang.round(a)},a=t=>o(t)>=.5,s=t=>!a(t)},2281:(t,e,i)=>{"use strict";i.d(e,{Z:()=>n});var r=i(6174);const n=(t,e)=>(0,r.Z)(t,"l",e)},1117:(t,e,i)=>{"use strict";i.d(e,{Z:()=>s});var r=i(1691),n=i(1883),o=i(1610),a=i(3438);const s=(t,e,i=0,s=1)=>{if("number"!=typeof t)return(0,a.Z)(t,{a:e});const l=n.Z.set({r:r.Z.channel.clamp.r(t),g:r.Z.channel.clamp.g(e),b:r.Z.channel.clamp.b(i),a:r.Z.channel.clamp.a(s)});return o.Z.stringify(l)}},1691:(t,e,i)=>{"use strict";i.d(e,{Z:()=>n});const r={min:{r:0,g:0,b:0,s:0,l:0,a:0},max:{r:255,g:255,b:255,h:360,s:100,l:100,a:1},clamp:{r:t=>t>=255?255:t<0?0:t,g:t=>t>=255?255:t<0?0:t,b:t=>t>=255?255:t<0?0:t,h:t=>t%360,s:t=>t>=100?100:t<0?0:t,l:t=>t>=100?100:t<0?0:t,a:t=>t>=1?1:t<0?0:t},toLinear:t=>{const e=t/255;return t>.03928?Math.pow((e+.055)/1.055,2.4):e/12.92},hue2rgb:(t,e,i)=>(i<0&&(i+=1),i>1&&(i-=1),i<1/6?t+6*(e-t)*i:i<.5?e:i<2/3?t+(e-t)*(2/3-i)*6:t),hsl2rgb:({h:t,s:e,l:i},n)=>{if(!e)return 2.55*i;t/=360,e/=100;const o=(i/=100)<.5?i*(1+e):i+e-i*e,a=2*i-o;switch(n){case"r":return 255*r.hue2rgb(a,o,t+1/3);case"g":return 255*r.hue2rgb(a,o,t);case"b":return 255*r.hue2rgb(a,o,t-1/3)}},rgb2hsl:({r:t,g:e,b:i},r)=>{t/=255,e/=255,i/=255;const n=Math.max(t,e,i),o=Math.min(t,e,i),a=(n+o)/2;if("l"===r)return 100*a;if(n===o)return 0;const s=n-o;if("s"===r)return 100*(a>.5?s/(2-n-o):s/(n+o));switch(n){case t:return 60*((e-i)/s+(e<i?6:0));case e:return 60*((i-t)/s+2);case i:return 60*((t-e)/s+4);default:return-1}}},n={channel:r,lang:{clamp:(t,e,i)=>e>i?Math.min(e,Math.max(i,t)):Math.min(i,Math.max(e,t)),round:t=>Math.round(1e10*t)/1e10},unit:{dec2hex:t=>{const e=Math.round(t).toString(16);return e.length>1?e:`0${e}`}}}},7308:(t,e,i)=>{"use strict";i.d(e,{Z:()=>d});const r=function(){this.__data__=[],this.size=0};var n=i(9651);const o=function(t,e){for(var i=t.length;i--;)if((0,n.Z)(t[i][0],e))return i;return-1};var a=Array.prototype.splice;const s=function(t){var e=this.__data__,i=o(e,t);return!(i<0)&&(i==e.length-1?e.pop():a.call(e,i,1),--this.size,!0)};const l=function(t){var e=this.__data__,i=o(e,t);return i<0?void 0:e[i][1]};const c=function(t){return o(this.__data__,t)>-1};const h=function(t,e){var i=this.__data__,r=o(i,t);return r<0?(++this.size,i.push([t,e])):i[r][1]=e,this};function u(t){var e=-1,i=null==t?0:t.length;for(this.clear();++e<i;){var r=t[e];this.set(r[0],r[1])}}u.prototype.clear=r,u.prototype.delete=s,u.prototype.get=l,u.prototype.has=c,u.prototype.set=h;const d=u},6183:(t,e,i)=>{"use strict";i.d(e,{Z:()=>o});var r=i(2508),n=i(6092);const o=(0,r.Z)(n.Z,"Map")},7834:(t,e,i)=>{"use strict";i.d(e,{Z:()=>k});const r=(0,i(2508).Z)(Object,"create");const n=function(){this.__data__=r?r(null):{},this.size=0};const o=function(t){var e=this.has(t)&&delete this.__data__[t];return this.size-=e?1:0,e};var a=Object.prototype.hasOwnProperty;const s=function(t){var e=this.__data__;if(r){var i=e[t];return"__lodash_hash_undefined__"===i?void 0:i}return a.call(e,t)?e[t]:void 0};var l=Object.prototype.hasOwnProperty;const c=function(t){var e=this.__data__;return r?void 0!==e[t]:l.call(e,t)};const h=function(t,e){var i=this.__data__;return this.size+=this.has(t)?0:1,i[t]=r&&void 0===e?"__lodash_hash_undefined__":e,this};function u(t){var e=-1,i=null==t?0:t.length;for(this.clear();++e<i;){var r=t[e];this.set(r[0],r[1])}}u.prototype.clear=n,u.prototype.delete=o,u.prototype.get=s,u.prototype.has=c,u.prototype.set=h;const d=u;var f=i(7308),p=i(6183);const g=function(){this.size=0,this.__data__={hash:new d,map:new(p.Z||f.Z),string:new d}};const m=function(t){var e=typeof t;return"string"==e||"number"==e||"symbol"==e||"boolean"==e?"__proto__"!==t:null===t};const y=function(t,e){var i=t.__data__;return m(e)?i["string"==typeof e?"string":"hash"]:i.map};const x=function(t){var e=y(this,t).delete(t);return this.size-=e?1:0,e};const b=function(t){return y(this,t).get(t)};const C=function(t){return y(this,t).has(t)};const _=function(t,e){var i=y(this,t),r=i.size;return i.set(t,e),this.size+=i.size==r?0:1,this};function v(t){var e=-1,i=null==t?0:t.length;for(this.clear();++e<i;){var r=t[e];this.set(r[0],r[1])}}v.prototype.clear=g,v.prototype.delete=x,v.prototype.get=b,v.prototype.has=C,v.prototype.set=_;const k=v},3203:(t,e,i)=>{"use strict";i.d(e,{Z:()=>o});var r=i(2508),n=i(6092);const o=(0,r.Z)(n.Z,"Set")},1667:(t,e,i)=>{"use strict";i.d(e,{Z:()=>d});var r=i(7308);const n=function(){this.__data__=new r.Z,this.size=0};const o=function(t){var e=this.__data__,i=e.delete(t);return this.size=e.size,i};const a=function(t){return this.__data__.get(t)};const s=function(t){return this.__data__.has(t)};var l=i(6183),c=i(7834);const h=function(t,e){var i=this.__data__;if(i instanceof r.Z){var n=i.__data__;if(!l.Z||n.length<199)return n.push([t,e]),this.size=++i.size,this;i=this.__data__=new c.Z(n)}return i.set(t,e),this.size=i.size,this};function u(t){var e=this.__data__=new r.Z(t);this.size=e.size}u.prototype.clear=n,u.prototype.delete=o,u.prototype.get=a,u.prototype.has=s,u.prototype.set=h;const d=u},7685:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=i(6092).Z.Symbol},4073:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=i(6092).Z.Uint8Array},7668:(t,e,i)=>{"use strict";i.d(e,{Z:()=>h});const r=function(t,e){for(var i=-1,r=Array(t);++i<t;)r[i]=e(i);return r};var n=i(9169),o=i(7771),a=i(7008),s=i(6009),l=i(8843),c=Object.prototype.hasOwnProperty;const h=function(t,e){var i=(0,o.Z)(t),h=!i&&(0,n.Z)(t),u=!i&&!h&&(0,a.Z)(t),d=!i&&!h&&!u&&(0,l.Z)(t),f=i||h||u||d,p=f?r(t.length,String):[],g=p.length;for(var m in t)!e&&!c.call(t,m)||f&&("length"==m||u&&("offset"==m||"parent"==m)||d&&("buffer"==m||"byteLength"==m||"byteOffset"==m)||(0,s.Z)(m,g))||p.push(m);return p}},2954:(t,e,i)=>{"use strict";i.d(e,{Z:()=>a});var r=i(4752),n=i(9651),o=Object.prototype.hasOwnProperty;const a=function(t,e,i){var a=t[e];o.call(t,e)&&(0,n.Z)(a,i)&&(void 0!==i||e in t)||(0,r.Z)(t,e,i)}},4752:(t,e,i)=>{"use strict";i.d(e,{Z:()=>n});var r=i(7904);const n=function(t,e,i){"__proto__"==e&&r.Z?(0,r.Z)(t,e,{configurable:!0,enumerable:!0,value:i,writable:!0}):t[e]=i}},1395:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=function(t){return function(e,i,r){for(var n=-1,o=Object(e),a=r(e),s=a.length;s--;){var l=a[t?s:++n];if(!1===i(o[l],l,o))break}return e}}()},3589:(t,e,i)=>{"use strict";i.d(e,{Z:()=>d});var r=i(7685),n=Object.prototype,o=n.hasOwnProperty,a=n.toString,s=r.Z?r.Z.toStringTag:void 0;const l=function(t){var e=o.call(t,s),i=t[s];try{t[s]=void 0;var r=!0}catch(l){}var n=a.call(t);return r&&(e?t[s]=i:delete t[s]),n};var c=Object.prototype.toString;const h=function(t){return c.call(t)};var u=r.Z?r.Z.toStringTag:void 0;const d=function(t){return null==t?void 0===t?"[object Undefined]":"[object Null]":u&&u in Object(t)?l(t):h(t)}},9473:(t,e,i)=>{"use strict";i.d(e,{Z:()=>a});var r=i(2764);const n=(0,i(1851).Z)(Object.keys,Object);var o=Object.prototype.hasOwnProperty;const a=function(t){if(!(0,r.Z)(t))return n(t);var e=[];for(var i in Object(t))o.call(t,i)&&"constructor"!=i&&e.push(i);return e}},9581:(t,e,i)=>{"use strict";i.d(e,{Z:()=>a});var r=i(9203),n=i(1211),o=i(7227);const a=function(t,e){return(0,o.Z)((0,n.Z)(t,e,r.Z),t+"")}},1162:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=function(t){return function(e){return t(e)}}},1884:(t,e,i)=>{"use strict";i.d(e,{Z:()=>n});var r=i(4073);const n=function(t){var e=new t.constructor(t.byteLength);return new r.Z(e).set(new r.Z(t)),e}},1050:(t,e,i)=>{"use strict";i.d(e,{Z:()=>l});var r=i(6092),n="object"==typeof exports&&exports&&!exports.nodeType&&exports,o=n&&"object"==typeof module&&module&&!module.nodeType&&module,a=o&&o.exports===n?r.Z.Buffer:void 0,s=a?a.allocUnsafe:void 0;const l=function(t,e){if(e)return t.slice();var i=t.length,r=s?s(i):new t.constructor(i);return t.copy(r),r}},2701:(t,e,i)=>{"use strict";i.d(e,{Z:()=>n});var r=i(1884);const n=function(t,e){var i=e?(0,r.Z)(t.buffer):t.buffer;return new t.constructor(i,t.byteOffset,t.length)}},7215:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=function(t,e){var i=-1,r=t.length;for(e||(e=Array(r));++i<r;)e[i]=t[i];return e}},1899:(t,e,i)=>{"use strict";i.d(e,{Z:()=>o});var r=i(2954),n=i(4752);const o=function(t,e,i,o){var a=!i;i||(i={});for(var s=-1,l=e.length;++s<l;){var c=e[s],h=o?o(i[c],t[c],c,i,t):void 0;void 0===h&&(h=t[c]),a?(0,n.Z)(i,c,h):(0,r.Z)(i,c,h)}return i}},7904:(t,e,i)=>{"use strict";i.d(e,{Z:()=>n});var r=i(2508);const n=function(){try{var t=(0,r.Z)(Object,"defineProperty");return t({},"",{}),t}catch(e){}}()},3413:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r="object"==typeof global&&global&&global.Object===Object&&global},2508:(t,e,i)=>{"use strict";i.d(e,{Z:()=>x});var r=i(3234);const n=i(6092).Z["__core-js_shared__"];var o,a=(o=/[^.]+$/.exec(n&&n.keys&&n.keys.IE_PROTO||""))?"Symbol(src)_1."+o:"";const s=function(t){return!!a&&a in t};var l=i(7226),c=i(19),h=/^\[object .+?Constructor\]$/,u=Function.prototype,d=Object.prototype,f=u.toString,p=d.hasOwnProperty,g=RegExp("^"+f.call(p).replace(/[\\^$.*+?()[\]{}|]/g,"\\$&").replace(/hasOwnProperty|(function).*?(?=\\\()| for .+?(?=\\\])/g,"$1.*?")+"$");const m=function(t){return!(!(0,l.Z)(t)||s(t))&&((0,r.Z)(t)?g:h).test((0,c.Z)(t))};const y=function(t,e){return null==t?void 0:t[e]};const x=function(t,e){var i=y(t,e);return m(i)?i:void 0}},2513:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=(0,i(1851).Z)(Object.getPrototypeOf,Object)},3970:(t,e,i)=>{"use strict";i.d(e,{Z:()=>k});var r=i(2508),n=i(6092);const o=(0,r.Z)(n.Z,"DataView");var a=i(6183);const s=(0,r.Z)(n.Z,"Promise");var l=i(3203);const c=(0,r.Z)(n.Z,"WeakMap");var h=i(3589),u=i(19),d="[object Map]",f="[object Promise]",p="[object Set]",g="[object WeakMap]",m="[object DataView]",y=(0,u.Z)(o),x=(0,u.Z)(a.Z),b=(0,u.Z)(s),C=(0,u.Z)(l.Z),_=(0,u.Z)(c),v=h.Z;(o&&v(new o(new ArrayBuffer(1)))!=m||a.Z&&v(new a.Z)!=d||s&&v(s.resolve())!=f||l.Z&&v(new l.Z)!=p||c&&v(new c)!=g)&&(v=function(t){var e=(0,h.Z)(t),i="[object Object]"==e?t.constructor:void 0,r=i?(0,u.Z)(i):"";if(r)switch(r){case y:return m;case x:return d;case b:return f;case C:return p;case _:return g}return e});const k=v},3658:(t,e,i)=>{"use strict";i.d(e,{Z:()=>l});var r=i(7226),n=Object.create;const o=function(){function t(){}return function(e){if(!(0,r.Z)(e))return{};if(n)return n(e);t.prototype=e;var i=new t;return t.prototype=void 0,i}}();var a=i(2513),s=i(2764);const l=function(t){return"function"!=typeof t.constructor||(0,s.Z)(t)?{}:o((0,a.Z)(t))}},6009:(t,e,i)=>{"use strict";i.d(e,{Z:()=>n});var r=/^(?:0|[1-9]\d*)$/;const n=function(t,e){var i=typeof t;return!!(e=null==e?9007199254740991:e)&&("number"==i||"symbol"!=i&&r.test(t))&&t>-1&&t%1==0&&t<e}},439:(t,e,i)=>{"use strict";i.d(e,{Z:()=>s});var r=i(9651),n=i(585),o=i(6009),a=i(7226);const s=function(t,e,i){if(!(0,a.Z)(i))return!1;var s=typeof e;return!!("number"==s?(0,n.Z)(i)&&(0,o.Z)(e,i.length):"string"==s&&e in i)&&(0,r.Z)(i[e],t)}},2764:(t,e,i)=>{"use strict";i.d(e,{Z:()=>n});var r=Object.prototype;const n=function(t){var e=t&&t.constructor;return t===("function"==typeof e&&e.prototype||r)}},8351:(t,e,i)=>{"use strict";i.d(e,{Z:()=>s});var r=i(3413),n="object"==typeof exports&&exports&&!exports.nodeType&&exports,o=n&&"object"==typeof module&&module&&!module.nodeType&&module,a=o&&o.exports===n&&r.Z.process;const s=function(){try{var t=o&&o.require&&o.require("util").types;return t||a&&a.binding&&a.binding("util")}catch(e){}}()},1851:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=function(t,e){return function(i){return t(e(i))}}},1211:(t,e,i)=>{"use strict";i.d(e,{Z:()=>o});const r=function(t,e,i){switch(i.length){case 0:return t.call(e);case 1:return t.call(e,i[0]);case 2:return t.call(e,i[0],i[1]);case 3:return t.call(e,i[0],i[1],i[2])}return t.apply(e,i)};var n=Math.max;const o=function(t,e,i){return e=n(void 0===e?t.length-1:e,0),function(){for(var o=arguments,a=-1,s=n(o.length-e,0),l=Array(s);++a<s;)l[a]=o[e+a];a=-1;for(var c=Array(e+1);++a<e;)c[a]=o[a];return c[e]=i(l),r(t,this,c)}}},6092:(t,e,i)=>{"use strict";i.d(e,{Z:()=>o});var r=i(3413),n="object"==typeof self&&self&&self.Object===Object&&self;const o=r.Z||n||Function("return this")()},7227:(t,e,i)=>{"use strict";i.d(e,{Z:()=>l});var r=i(2002),n=i(7904),o=i(9203);const a=n.Z?function(t,e){return(0,n.Z)(t,"toString",{configurable:!0,enumerable:!1,value:(0,r.Z)(e),writable:!0})}:o.Z;var s=Date.now;const l=function(t){var e=0,i=0;return function(){var r=s(),n=16-(r-i);if(i=r,n>0){if(++e>=800)return arguments[0]}else e=0;return t.apply(void 0,arguments)}}(a)},19:(t,e,i)=>{"use strict";i.d(e,{Z:()=>n});var r=Function.prototype.toString;const n=function(t){if(null!=t){try{return r.call(t)}catch(e){}try{return t+""}catch(e){}}return""}},2002:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=function(t){return function(){return t}}},9651:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=function(t,e){return t===e||t!=t&&e!=e}},9203:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=function(t){return t}},9169:(t,e,i)=>{"use strict";i.d(e,{Z:()=>c});var r=i(3589),n=i(8533);const o=function(t){return(0,n.Z)(t)&&"[object Arguments]"==(0,r.Z)(t)};var a=Object.prototype,s=a.hasOwnProperty,l=a.propertyIsEnumerable;const c=o(function(){return arguments}())?o:function(t){return(0,n.Z)(t)&&s.call(t,"callee")&&!l.call(t,"callee")}},7771:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=Array.isArray},585:(t,e,i)=>{"use strict";i.d(e,{Z:()=>o});var r=i(3234),n=i(1656);const o=function(t){return null!=t&&(0,n.Z)(t.length)&&!(0,r.Z)(t)}},836:(t,e,i)=>{"use strict";i.d(e,{Z:()=>o});var r=i(585),n=i(8533);const o=function(t){return(0,n.Z)(t)&&(0,r.Z)(t)}},7008:(t,e,i)=>{"use strict";i.d(e,{Z:()=>l});var r=i(6092);const n=function(){return!1};var o="object"==typeof exports&&exports&&!exports.nodeType&&exports,a=o&&"object"==typeof module&&module&&!module.nodeType&&module,s=a&&a.exports===o?r.Z.Buffer:void 0;const l=(s?s.isBuffer:void 0)||n},9697:(t,e,i)=>{"use strict";i.d(e,{Z:()=>d});var r=i(9473),n=i(3970),o=i(9169),a=i(7771),s=i(585),l=i(7008),c=i(2764),h=i(8843),u=Object.prototype.hasOwnProperty;const d=function(t){if(null==t)return!0;if((0,s.Z)(t)&&((0,a.Z)(t)||"string"==typeof t||"function"==typeof t.splice||(0,l.Z)(t)||(0,h.Z)(t)||(0,o.Z)(t)))return!t.length;var e=(0,n.Z)(t);if("[object Map]"==e||"[object Set]"==e)return!t.size;if((0,c.Z)(t))return!(0,r.Z)(t).length;for(var i in t)if(u.call(t,i))return!1;return!0}},3234:(t,e,i)=>{"use strict";i.d(e,{Z:()=>o});var r=i(3589),n=i(7226);const o=function(t){if(!(0,n.Z)(t))return!1;var e=(0,r.Z)(t);return"[object Function]"==e||"[object GeneratorFunction]"==e||"[object AsyncFunction]"==e||"[object Proxy]"==e}},1656:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=function(t){return"number"==typeof t&&t>-1&&t%1==0&&t<=9007199254740991}},7226:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=function(t){var e=typeof t;return null!=t&&("object"==e||"function"==e)}},8533:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=function(t){return null!=t&&"object"==typeof t}},7514:(t,e,i)=>{"use strict";i.d(e,{Z:()=>u});var r=i(3589),n=i(2513),o=i(8533),a=Function.prototype,s=Object.prototype,l=a.toString,c=s.hasOwnProperty,h=l.call(Object);const u=function(t){if(!(0,o.Z)(t)||"[object Object]"!=(0,r.Z)(t))return!1;var e=(0,n.Z)(t);if(null===e)return!0;var i=c.call(e,"constructor")&&e.constructor;return"function"==typeof i&&i instanceof i&&l.call(i)==h}},8843:(t,e,i)=>{"use strict";i.d(e,{Z:()=>u});var r=i(3589),n=i(1656),o=i(8533),a={};a["[object Float32Array]"]=a["[object Float64Array]"]=a["[object Int8Array]"]=a["[object Int16Array]"]=a["[object Int32Array]"]=a["[object Uint8Array]"]=a["[object Uint8ClampedArray]"]=a["[object Uint16Array]"]=a["[object Uint32Array]"]=!0,a["[object Arguments]"]=a["[object Array]"]=a["[object ArrayBuffer]"]=a["[object Boolean]"]=a["[object DataView]"]=a["[object Date]"]=a["[object Error]"]=a["[object Function]"]=a["[object Map]"]=a["[object Number]"]=a["[object Object]"]=a["[object RegExp]"]=a["[object Set]"]=a["[object String]"]=a["[object WeakMap]"]=!1;const s=function(t){return(0,o.Z)(t)&&(0,n.Z)(t.length)&&!!a[(0,r.Z)(t)]};var l=i(1162),c=i(8351),h=c.Z&&c.Z.isTypedArray;const u=h?(0,l.Z)(h):s},2957:(t,e,i)=>{"use strict";i.d(e,{Z:()=>h});var r=i(7668),n=i(7226),o=i(2764);const a=function(t){var e=[];if(null!=t)for(var i in Object(t))e.push(i);return e};var s=Object.prototype.hasOwnProperty;const l=function(t){if(!(0,n.Z)(t))return a(t);var e=(0,o.Z)(t),i=[];for(var r in t)("constructor"!=r||!e&&s.call(t,r))&&i.push(r);return i};var c=i(585);const h=function(t){return(0,c.Z)(t)?(0,r.Z)(t,!0):l(t)}},2454:(t,e,i)=>{"use strict";i.d(e,{Z:()=>o});var r=i(7834);function n(t,e){if("function"!=typeof t||null!=e&&"function"!=typeof e)throw new TypeError("Expected a function");var i=function(){var r=arguments,n=e?e.apply(this,r):r[0],o=i.cache;if(o.has(n))return o.get(n);var a=t.apply(this,r);return i.cache=o.set(n,a)||o,a};return i.cache=new(n.Cache||r.Z),i}n.Cache=r.Z;const o=n},9236:(t,e,i)=>{"use strict";i.d(e,{Z:()=>F});var r=i(1667),n=i(4752),o=i(9651);const a=function(t,e,i){(void 0!==i&&!(0,o.Z)(t[e],i)||void 0===i&&!(e in t))&&(0,n.Z)(t,e,i)};var s=i(1395),l=i(1050),c=i(2701),h=i(7215),u=i(3658),d=i(9169),f=i(7771),p=i(836),g=i(7008),m=i(3234),y=i(7226),x=i(7514),b=i(8843);const C=function(t,e){if(("constructor"!==e||"function"!=typeof t[e])&&"__proto__"!=e)return t[e]};var _=i(1899),v=i(2957);const k=function(t){return(0,_.Z)(t,(0,v.Z)(t))};const T=function(t,e,i,r,n,o,s){var _=C(t,i),v=C(e,i),T=s.get(v);if(T)a(t,i,T);else{var w=o?o(_,v,i+"",t,e,s):void 0,S=void 0===w;if(S){var B=(0,f.Z)(v),F=!B&&(0,g.Z)(v),L=!B&&!F&&(0,b.Z)(v);w=v,B||F||L?(0,f.Z)(_)?w=_:(0,p.Z)(_)?w=(0,h.Z)(_):F?(S=!1,w=(0,l.Z)(v,!0)):L?(S=!1,w=(0,c.Z)(v,!0)):w=[]:(0,x.Z)(v)||(0,d.Z)(v)?(w=_,(0,d.Z)(_)?w=k(_):(0,y.Z)(_)&&!(0,m.Z)(_)||(w=(0,u.Z)(v))):S=!1}S&&(s.set(v,w),n(w,v,r,o,s),s.delete(v)),a(t,i,w)}};const w=function t(e,i,n,o,l){e!==i&&(0,s.Z)(i,(function(s,c){if(l||(l=new r.Z),(0,y.Z)(s))T(e,i,c,n,t,o,l);else{var h=o?o(C(e,c),s,c+"",e,i,l):void 0;void 0===h&&(h=s),a(e,c,h)}}),v.Z)};var S=i(9581),B=i(439);const F=function(t){return(0,S.Z)((function(e,i){var r=-1,n=i.length,o=n>1?i[n-1]:void 0,a=n>2?i[2]:void 0;for(o=t.length>3&&"function"==typeof o?(n--,o):void 0,a&&(0,B.Z)(i[0],i[1],a)&&(o=n<3?void 0:o,n=1),e=Object(e);++r<n;){var s=i[r];s&&t(e,s,r,o)}return e}))}((function(t,e,i){w(t,e,i)}))},5322:(t,e,i)=>{"use strict";i.d(e,{A:()=>It,B:()=>me,C:()=>ge,D:()=>Ft,E:()=>Be,F:()=>er,G:()=>oe,H:()=>ht,I:()=>Mi,J:()=>qn,K:()=>Si,L:()=>to,Z:()=>Gt,a:()=>ki,b:()=>vi,c:()=>Li,d:()=>ft,e:()=>_t,f:()=>Vt,g:()=>_i,h:()=>ue,i:()=>ui,j:()=>he,k:()=>re,l:()=>st,m:()=>mt,n:()=>Kt,o:()=>di,p:()=>Ai,q:()=>Ti,r:()=>wi,s:()=>Ci,t:()=>bi,u:()=>ye,v:()=>yt,w:()=>le,x:()=>ae,y:()=>Ni,z:()=>Di});var r=i(8464),n=i(7484),o=i(7967),a=i(4218),s=i(7856),l=i(1610),c=i(3438);const h=(t,e)=>{const i=l.Z.parse(t),r={};for(const n in e)e[n]&&(r[n]=i[n]+e[n]);return(0,c.Z)(t,r)};var u=i(1117);const d=(t,e,i=50)=>{const{r:r,g:n,b:o,a:a}=l.Z.parse(t),{r:s,g:c,b:h,a:d}=l.Z.parse(e),f=i/100,p=2*f-1,g=a-d,m=((p*g==-1?p:(p+g)/(1+p*g))+1)/2,y=1-m,x=r*m+s*y,b=n*m+c*y,C=o*m+h*y,_=a*f+d*(1-f);return(0,u.Z)(x,b,C,_)},f=(t,e=100)=>{const i=l.Z.parse(t);return i.r=255-i.r,i.g=255-i.g,i.b=255-i.b,d(i,t,e)};var p=i(7201),g=i(2281),m=i(1619),y=i(2454),x=i(9236),b="comm",C="rule",_="decl",v=Math.abs,k=String.fromCharCode;Object.assign;function T(t){return t.trim()}function w(t,e,i){return t.replace(e,i)}function S(t,e){return t.indexOf(e)}function B(t,e){return 0|t.charCodeAt(e)}function F(t,e,i){return t.slice(e,i)}function L(t){return t.length}function A(t,e){return e.push(t),t}function M(t,e){for(var i="",r=0;r<t.length;r++)i+=e(t[r],r,t,e)||"";return i}function E(t,e,i,r){switch(t.type){case"@layer":if(t.children.length)break;case"@import":case _:return t.return=t.return||t.value;case b:return"";case"@keyframes":return t.return=t.value+"{"+M(t.children,r)+"}";case C:if(!L(t.value=t.props.join(",")))return""}return L(i=M(t.children,r))?t.return=t.value+"{"+i+"}":""}var N=1,j=1,Z=0,I=0,O=0,D="";function q(t,e,i,r,n,o,a,s){return{value:t,root:e,parent:i,type:r,props:n,children:o,line:N,column:j,length:a,return:"",siblings:s}}function $(){return O=I>0?B(D,--I):0,j--,10===O&&(j=1,N--),O}function z(){return O=I<Z?B(D,I++):0,j++,10===O&&(j=1,N++),O}function P(){return B(D,I)}function R(){return I}function H(t,e){return F(D,t,e)}function W(t){switch(t){case 0:case 9:case 10:case 13:case 32:return 5;case 33:case 43:case 44:case 47:case 62:case 64:case 126:case 59:case 123:case 125:return 4;case 58:return 3;case 34:case 39:case 40:case 91:return 2;case 41:case 93:return 1}return 0}function U(t){return N=j=1,Z=L(D=t),I=0,[]}function Y(t){return D="",t}function V(t){return T(H(I-1,J(91===t?t+2:40===t?t+1:t)))}function G(t){for(;(O=P())&&O<33;)z();return W(t)>2||W(O)>3?"":" "}function X(t,e){for(;--e&&z()&&!(O<48||O>102||O>57&&O<65||O>70&&O<97););return H(t,R()+(e<6&&32==P()&&32==z()))}function J(t){for(;z();)switch(O){case t:return I;case 34:case 39:34!==t&&39!==t&&J(O);break;case 40:41===t&&J(t);break;case 92:z()}return I}function Q(t,e){for(;z()&&t+O!==57&&(t+O!==84||47!==P()););return"/*"+H(e,I-1)+"*"+k(47===t?t:z())}function K(t){for(;!W(P());)z();return H(t,I)}function tt(t){return Y(et("",null,null,null,[""],t=U(t),0,[0],t))}function et(t,e,i,r,n,o,a,s,l){for(var c=0,h=0,u=a,d=0,f=0,p=0,g=1,m=1,y=1,x=0,b="",C=n,_=o,v=r,T=b;m;)switch(p=x,x=z()){case 40:if(108!=p&&58==B(T,u-1)){-1!=S(T+=w(V(x),"&","&\f"),"&\f")&&(y=-1);break}case 34:case 39:case 91:T+=V(x);break;case 9:case 10:case 13:case 32:T+=G(p);break;case 92:T+=X(R()-1,7);continue;case 47:switch(P()){case 42:case 47:A(rt(Q(z(),R()),e,i,l),l);break;default:T+="/"}break;case 123*g:s[c++]=L(T)*y;case 125*g:case 59:case 0:switch(x){case 0:case 125:m=0;case 59+h:-1==y&&(T=w(T,/\f/g,"")),f>0&&L(T)-u&&A(f>32?nt(T+";",r,i,u-1,l):nt(w(T," ","")+";",r,i,u-2,l),l);break;case 59:T+=";";default:if(A(v=it(T,e,i,c,h,n,s,b,C=[],_=[],u,o),o),123===x)if(0===h)et(T,e,v,v,C,o,u,s,_);else switch(99===d&&110===B(T,3)?100:d){case 100:case 108:case 109:case 115:et(t,v,v,r&&A(it(t,v,v,0,0,n,s,b,n,C=[],u,_),_),n,_,u,s,r?C:_);break;default:et(T,v,v,v,[""],_,0,s,_)}}c=h=f=0,g=y=1,b=T="",u=a;break;case 58:u=1+L(T),f=p;default:if(g<1)if(123==x)--g;else if(125==x&&0==g++&&125==$())continue;switch(T+=k(x),x*g){case 38:y=h>0?1:(T+="\f",-1);break;case 44:s[c++]=(L(T)-1)*y,y=1;break;case 64:45===P()&&(T+=V(z())),d=P(),h=u=L(b=T+=K(R())),x++;break;case 45:45===p&&2==L(T)&&(g=0)}}return o}function it(t,e,i,r,n,o,a,s,l,c,h,u){for(var d=n-1,f=0===n?o:[""],p=function(t){return t.length}(f),g=0,m=0,y=0;g<r;++g)for(var x=0,b=F(t,d+1,d=v(m=a[g])),_=t;x<p;++x)(_=T(m>0?f[x]+" "+b:w(b,/&\f/g,f[x])))&&(l[y++]=_);return q(t,e,i,0===n?C:s,l,c,h,u)}function rt(t,e,i,r){return q(t,e,i,b,k(O),F(t,2,-2),0,r)}function nt(t,e,i,r,n){return q(t,e,i,_,F(t,0,r),F(t,r+1,-1),r,n)}var ot=i(9697);const at={trace:0,debug:1,info:2,warn:3,error:4,fatal:5},st={trace:(...t)=>{},debug:(...t)=>{},info:(...t)=>{},warn:(...t)=>{},error:(...t)=>{},fatal:(...t)=>{}},lt=function(t="fatal"){let e=at.fatal;"string"==typeof t?(t=t.toLowerCase())in at&&(e=at[t]):"number"==typeof t&&(e=t),st.trace=()=>{},st.debug=()=>{},st.info=()=>{},st.warn=()=>{},st.error=()=>{},st.fatal=()=>{},e<=at.fatal&&(st.fatal=console.error?console.error.bind(console,ct("FATAL"),"color: orange"):console.log.bind(console,"\x1b[35m",ct("FATAL"))),e<=at.error&&(st.error=console.error?console.error.bind(console,ct("ERROR"),"color: orange"):console.log.bind(console,"\x1b[31m",ct("ERROR"))),e<=at.warn&&(st.warn=console.warn?console.warn.bind(console,ct("WARN"),"color: orange"):console.log.bind(console,"\x1b[33m",ct("WARN"))),e<=at.info&&(st.info=console.info?console.info.bind(console,ct("INFO"),"color: lightblue"):console.log.bind(console,"\x1b[34m",ct("INFO"))),e<=at.debug&&(st.debug=console.debug?console.debug.bind(console,ct("DEBUG"),"color: lightgreen"):console.log.bind(console,"\x1b[32m",ct("DEBUG"))),e<=at.trace&&(st.trace=console.debug?console.debug.bind(console,ct("TRACE"),"color: lightgreen"):console.log.bind(console,"\x1b[32m",ct("TRACE")))},ct=t=>`%c${n().format("ss.SSS")} : ${t} : `,ht=/<br\s*\/?>/gi,ut=t=>s.sanitize(t),dt=(t,e)=>{var i;if(!1!==(null==(i=e.flowchart)?void 0:i.htmlLabels)){const i=e.securityLevel;"antiscript"===i||"strict"===i?t=ut(t):"loose"!==i&&(t=(t=(t=gt(t)).replace(/</g,"<").replace(/>/g,">")).replace(/=/g,"="),t=pt(t))}return t},ft=(t,e)=>t?t=e.dompurifyConfig?s.sanitize(dt(t,e),e.dompurifyConfig).toString():s.sanitize(dt(t,e),{FORBID_TAGS:["style"]}).toString():t,pt=t=>t.replace(/#br#/g,"<br/>"),gt=t=>t.replace(ht,"#br#"),mt=t=>!1!==t&&!["false","null","0"].includes(String(t).trim().toLowerCase()),yt=function(t){const e=t.split(/(,)/),i=[];for(let r=0;r<e.length;r++){let t=e[r];if(","===t&&r>0&&r+1<e.length){const n=e[r-1],o=e[r+1];bt(n,o)&&(t=n+","+o,r++,i.pop())}i.push(Ct(t))}return i.join("")},xt=(t,e)=>Math.max(0,t.split(e).length-1),bt=(t,e)=>{const i=xt(t,"~"),r=xt(e,"~");return 1===i&&1===r},Ct=t=>{const e=xt(t,"~");let i=!1;if(e<=1)return t;e%2!=0&&t.startsWith("~")&&(t=t.substring(1),i=!0);const r=[...t];let n=r.indexOf("~"),o=r.lastIndexOf("~");for(;-1!==n&&-1!==o&&n!==o;)r[n]="<",r[o]=">",n=r.indexOf("~"),o=r.lastIndexOf("~");return i&&r.unshift("~"),r.join("")},_t={getRows:t=>{if(!t)return[""];return gt(t).replace(/\\n/g,"#br#").split("#br#")},sanitizeText:ft,sanitizeTextOrArray:(t,e)=>"string"==typeof t?ft(t,e):t.flat().map((t=>ft(t,e))),hasBreaks:t=>ht.test(t),splitBreaks:t=>t.split(ht),lineBreakRegex:ht,removeScript:ut,getUrl:t=>{let e="";return t&&(e=window.location.protocol+"//"+window.location.host+window.location.pathname+window.location.search,e=e.replaceAll(/\(/g,"\\("),e=e.replaceAll(/\)/g,"\\)")),e},evaluate:mt,getMax:function(...t){const e=t.filter((t=>!isNaN(t)));return Math.max(...e)},getMin:function(...t){const e=t.filter((t=>!isNaN(t)));return Math.min(...e)}},vt=(t,e)=>h(t,e?{s:-40,l:10}:{s:-40,l:-10}),kt="#ffffff",Tt="#f2f2f2";let wt=class{constructor(){this.background="#f4f4f4",this.primaryColor="#fff4dd",this.noteBkgColor="#fff5ad",this.noteTextColor="#333",this.THEME_COLOR_LIMIT=12,this.fontFamily='"trebuchet ms", verdana, arial, sans-serif',this.fontSize="16px"}updateColors(){var t,e,i,r,n,o,a,s,l,c,u;if(this.primaryTextColor=this.primaryTextColor||(this.darkMode?"#eee":"#333"),this.secondaryColor=this.secondaryColor||h(this.primaryColor,{h:-120}),this.tertiaryColor=this.tertiaryColor||h(this.primaryColor,{h:180,l:5}),this.primaryBorderColor=this.primaryBorderColor||vt(this.primaryColor,this.darkMode),this.secondaryBorderColor=this.secondaryBorderColor||vt(this.secondaryColor,this.darkMode),this.tertiaryBorderColor=this.tertiaryBorderColor||vt(this.tertiaryColor,this.darkMode),this.noteBorderColor=this.noteBorderColor||vt(this.noteBkgColor,this.darkMode),this.noteBkgColor=this.noteBkgColor||"#fff5ad",this.noteTextColor=this.noteTextColor||"#333",this.secondaryTextColor=this.secondaryTextColor||f(this.secondaryColor),this.tertiaryTextColor=this.tertiaryTextColor||f(this.tertiaryColor),this.lineColor=this.lineColor||f(this.background),this.arrowheadColor=this.arrowheadColor||f(this.background),this.textColor=this.textColor||this.primaryTextColor,this.border2=this.border2||this.tertiaryBorderColor,this.nodeBkg=this.nodeBkg||this.primaryColor,this.mainBkg=this.mainBkg||this.primaryColor,this.nodeBorder=this.nodeBorder||this.primaryBorderColor,this.clusterBkg=this.clusterBkg||this.tertiaryColor,this.clusterBorder=this.clusterBorder||this.tertiaryBorderColor,this.defaultLinkColor=this.defaultLinkColor||this.lineColor,this.titleColor=this.titleColor||this.tertiaryTextColor,this.edgeLabelBackground=this.edgeLabelBackground||(this.darkMode?(0,p.Z)(this.secondaryColor,30):this.secondaryColor),this.nodeTextColor=this.nodeTextColor||this.primaryTextColor,this.actorBorder=this.actorBorder||this.primaryBorderColor,this.actorBkg=this.actorBkg||this.mainBkg,this.actorTextColor=this.actorTextColor||this.primaryTextColor,this.actorLineColor=this.actorLineColor||"grey",this.labelBoxBkgColor=this.labelBoxBkgColor||this.actorBkg,this.signalColor=this.signalColor||this.textColor,this.signalTextColor=this.signalTextColor||this.textColor,this.labelBoxBorderColor=this.labelBoxBorderColor||this.actorBorder,this.labelTextColor=this.labelTextColor||this.actorTextColor,this.loopTextColor=this.loopTextColor||this.actorTextColor,this.activationBorderColor=this.activationBorderColor||(0,p.Z)(this.secondaryColor,10),this.activationBkgColor=this.activationBkgColor||this.secondaryColor,this.sequenceNumberColor=this.sequenceNumberColor||f(this.lineColor),this.sectionBkgColor=this.sectionBkgColor||this.tertiaryColor,this.altSectionBkgColor=this.altSectionBkgColor||"white",this.sectionBkgColor=this.sectionBkgColor||this.secondaryColor,this.sectionBkgColor2=this.sectionBkgColor2||this.primaryColor,this.excludeBkgColor=this.excludeBkgColor||"#eeeeee",this.taskBorderColor=this.taskBorderColor||this.primaryBorderColor,this.taskBkgColor=this.taskBkgColor||this.primaryColor,this.activeTaskBorderColor=this.activeTaskBorderColor||this.primaryColor,this.activeTaskBkgColor=this.activeTaskBkgColor||(0,g.Z)(this.primaryColor,23),this.gridColor=this.gridColor||"lightgrey",this.doneTaskBkgColor=this.doneTaskBkgColor||"lightgrey",this.doneTaskBorderColor=this.doneTaskBorderColor||"grey",this.critBorderColor=this.critBorderColor||"#ff8888",this.critBkgColor=this.critBkgColor||"red",this.todayLineColor=this.todayLineColor||"red",this.taskTextColor=this.taskTextColor||this.textColor,this.taskTextOutsideColor=this.taskTextOutsideColor||this.textColor,this.taskTextLightColor=this.taskTextLightColor||this.textColor,this.taskTextColor=this.taskTextColor||this.primaryTextColor,this.taskTextDarkColor=this.taskTextDarkColor||this.textColor,this.taskTextClickableColor=this.taskTextClickableColor||"#003163",this.personBorder=this.personBorder||this.primaryBorderColor,this.personBkg=this.personBkg||this.mainBkg,this.transitionColor=this.transitionColor||this.lineColor,this.transitionLabelColor=this.transitionLabelColor||this.textColor,this.stateLabelColor=this.stateLabelColor||this.stateBkg||this.primaryTextColor,this.stateBkg=this.stateBkg||this.mainBkg,this.labelBackgroundColor=this.labelBackgroundColor||this.stateBkg,this.compositeBackground=this.compositeBackground||this.background||this.tertiaryColor,this.altBackground=this.altBackground||this.tertiaryColor,this.compositeTitleBackground=this.compositeTitleBackground||this.mainBkg,this.compositeBorder=this.compositeBorder||this.nodeBorder,this.innerEndBackground=this.nodeBorder,this.errorBkgColor=this.errorBkgColor||this.tertiaryColor,this.errorTextColor=this.errorTextColor||this.tertiaryTextColor,this.transitionColor=this.transitionColor||this.lineColor,this.specialStateColor=this.lineColor,this.cScale0=this.cScale0||this.primaryColor,this.cScale1=this.cScale1||this.secondaryColor,this.cScale2=this.cScale2||this.tertiaryColor,this.cScale3=this.cScale3||h(this.primaryColor,{h:30}),this.cScale4=this.cScale4||h(this.primaryColor,{h:60}),this.cScale5=this.cScale5||h(this.primaryColor,{h:90}),this.cScale6=this.cScale6||h(this.primaryColor,{h:120}),this.cScale7=this.cScale7||h(this.primaryColor,{h:150}),this.cScale8=this.cScale8||h(this.primaryColor,{h:210,l:150}),this.cScale9=this.cScale9||h(this.primaryColor,{h:270}),this.cScale10=this.cScale10||h(this.primaryColor,{h:300}),this.cScale11=this.cScale11||h(this.primaryColor,{h:330}),this.darkMode)for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["cScale"+h]=(0,p.Z)(this["cScale"+h],75);else for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["cScale"+h]=(0,p.Z)(this["cScale"+h],25);for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["cScaleInv"+h]=this["cScaleInv"+h]||f(this["cScale"+h]);for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this.darkMode?this["cScalePeer"+h]=this["cScalePeer"+h]||(0,g.Z)(this["cScale"+h],10):this["cScalePeer"+h]=this["cScalePeer"+h]||(0,p.Z)(this["cScale"+h],10);this.scaleLabelColor=this.scaleLabelColor||this.labelTextColor;for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["cScaleLabel"+h]=this["cScaleLabel"+h]||this.scaleLabelColor;const d=this.darkMode?-4:-1;for(let f=0;f<5;f++)this["surface"+f]=this["surface"+f]||h(this.mainBkg,{h:180,s:-15,l:d*(5+3*f)}),this["surfacePeer"+f]=this["surfacePeer"+f]||h(this.mainBkg,{h:180,s:-15,l:d*(8+3*f)});this.classText=this.classText||this.textColor,this.fillType0=this.fillType0||this.primaryColor,this.fillType1=this.fillType1||this.secondaryColor,this.fillType2=this.fillType2||h(this.primaryColor,{h:64}),this.fillType3=this.fillType3||h(this.secondaryColor,{h:64}),this.fillType4=this.fillType4||h(this.primaryColor,{h:-64}),this.fillType5=this.fillType5||h(this.secondaryColor,{h:-64}),this.fillType6=this.fillType6||h(this.primaryColor,{h:128}),this.fillType7=this.fillType7||h(this.secondaryColor,{h:128}),this.pie1=this.pie1||this.primaryColor,this.pie2=this.pie2||this.secondaryColor,this.pie3=this.pie3||this.tertiaryColor,this.pie4=this.pie4||h(this.primaryColor,{l:-10}),this.pie5=this.pie5||h(this.secondaryColor,{l:-10}),this.pie6=this.pie6||h(this.tertiaryColor,{l:-10}),this.pie7=this.pie7||h(this.primaryColor,{h:60,l:-10}),this.pie8=this.pie8||h(this.primaryColor,{h:-60,l:-10}),this.pie9=this.pie9||h(this.primaryColor,{h:120,l:0}),this.pie10=this.pie10||h(this.primaryColor,{h:60,l:-20}),this.pie11=this.pie11||h(this.primaryColor,{h:-60,l:-20}),this.pie12=this.pie12||h(this.primaryColor,{h:120,l:-10}),this.pieTitleTextSize=this.pieTitleTextSize||"25px",this.pieTitleTextColor=this.pieTitleTextColor||this.taskTextDarkColor,this.pieSectionTextSize=this.pieSectionTextSize||"17px",this.pieSectionTextColor=this.pieSectionTextColor||this.textColor,this.pieLegendTextSize=this.pieLegendTextSize||"17px",this.pieLegendTextColor=this.pieLegendTextColor||this.taskTextDarkColor,this.pieStrokeColor=this.pieStrokeColor||"black",this.pieStrokeWidth=this.pieStrokeWidth||"2px",this.pieOuterStrokeWidth=this.pieOuterStrokeWidth||"2px",this.pieOuterStrokeColor=this.pieOuterStrokeColor||"black",this.pieOpacity=this.pieOpacity||"0.7",this.quadrant1Fill=this.quadrant1Fill||this.primaryColor,this.quadrant2Fill=this.quadrant2Fill||h(this.primaryColor,{r:5,g:5,b:5}),this.quadrant3Fill=this.quadrant3Fill||h(this.primaryColor,{r:10,g:10,b:10}),this.quadrant4Fill=this.quadrant4Fill||h(this.primaryColor,{r:15,g:15,b:15}),this.quadrant1TextFill=this.quadrant1TextFill||this.primaryTextColor,this.quadrant2TextFill=this.quadrant2TextFill||h(this.primaryTextColor,{r:-5,g:-5,b:-5}),this.quadrant3TextFill=this.quadrant3TextFill||h(this.primaryTextColor,{r:-10,g:-10,b:-10}),this.quadrant4TextFill=this.quadrant4TextFill||h(this.primaryTextColor,{r:-15,g:-15,b:-15}),this.quadrantPointFill=this.quadrantPointFill||(0,m.Z)(this.quadrant1Fill)?(0,g.Z)(this.quadrant1Fill):(0,p.Z)(this.quadrant1Fill),this.quadrantPointTextFill=this.quadrantPointTextFill||this.primaryTextColor,this.quadrantXAxisTextFill=this.quadrantXAxisTextFill||this.primaryTextColor,this.quadrantYAxisTextFill=this.quadrantYAxisTextFill||this.primaryTextColor,this.quadrantInternalBorderStrokeFill=this.quadrantInternalBorderStrokeFill||this.primaryBorderColor,this.quadrantExternalBorderStrokeFill=this.quadrantExternalBorderStrokeFill||this.primaryBorderColor,this.quadrantTitleFill=this.quadrantTitleFill||this.primaryTextColor,this.xyChart={backgroundColor:(null==(t=this.xyChart)?void 0:t.backgroundColor)||this.background,titleColor:(null==(e=this.xyChart)?void 0:e.titleColor)||this.primaryTextColor,xAxisTitleColor:(null==(i=this.xyChart)?void 0:i.xAxisTitleColor)||this.primaryTextColor,xAxisLabelColor:(null==(r=this.xyChart)?void 0:r.xAxisLabelColor)||this.primaryTextColor,xAxisTickColor:(null==(n=this.xyChart)?void 0:n.xAxisTickColor)||this.primaryTextColor,xAxisLineColor:(null==(o=this.xyChart)?void 0:o.xAxisLineColor)||this.primaryTextColor,yAxisTitleColor:(null==(a=this.xyChart)?void 0:a.yAxisTitleColor)||this.primaryTextColor,yAxisLabelColor:(null==(s=this.xyChart)?void 0:s.yAxisLabelColor)||this.primaryTextColor,yAxisTickColor:(null==(l=this.xyChart)?void 0:l.yAxisTickColor)||this.primaryTextColor,yAxisLineColor:(null==(c=this.xyChart)?void 0:c.yAxisLineColor)||this.primaryTextColor,plotColorPalette:(null==(u=this.xyChart)?void 0:u.plotColorPalette)||"#FFF4DD,#FFD8B1,#FFA07A,#ECEFF1,#D6DBDF,#C3E0A8,#FFB6A4,#FFD74D,#738FA7,#FFFFF0"},this.requirementBackground=this.requirementBackground||this.primaryColor,this.requirementBorderColor=this.requirementBorderColor||this.primaryBorderColor,this.requirementBorderSize=this.requirementBorderSize||"1",this.requirementTextColor=this.requirementTextColor||this.primaryTextColor,this.relationColor=this.relationColor||this.lineColor,this.relationLabelBackground=this.relationLabelBackground||(this.darkMode?(0,p.Z)(this.secondaryColor,30):this.secondaryColor),this.relationLabelColor=this.relationLabelColor||this.actorTextColor,this.git0=this.git0||this.primaryColor,this.git1=this.git1||this.secondaryColor,this.git2=this.git2||this.tertiaryColor,this.git3=this.git3||h(this.primaryColor,{h:-30}),this.git4=this.git4||h(this.primaryColor,{h:-60}),this.git5=this.git5||h(this.primaryColor,{h:-90}),this.git6=this.git6||h(this.primaryColor,{h:60}),this.git7=this.git7||h(this.primaryColor,{h:120}),this.darkMode?(this.git0=(0,g.Z)(this.git0,25),this.git1=(0,g.Z)(this.git1,25),this.git2=(0,g.Z)(this.git2,25),this.git3=(0,g.Z)(this.git3,25),this.git4=(0,g.Z)(this.git4,25),this.git5=(0,g.Z)(this.git5,25),this.git6=(0,g.Z)(this.git6,25),this.git7=(0,g.Z)(this.git7,25)):(this.git0=(0,p.Z)(this.git0,25),this.git1=(0,p.Z)(this.git1,25),this.git2=(0,p.Z)(this.git2,25),this.git3=(0,p.Z)(this.git3,25),this.git4=(0,p.Z)(this.git4,25),this.git5=(0,p.Z)(this.git5,25),this.git6=(0,p.Z)(this.git6,25),this.git7=(0,p.Z)(this.git7,25)),this.gitInv0=this.gitInv0||f(this.git0),this.gitInv1=this.gitInv1||f(this.git1),this.gitInv2=this.gitInv2||f(this.git2),this.gitInv3=this.gitInv3||f(this.git3),this.gitInv4=this.gitInv4||f(this.git4),this.gitInv5=this.gitInv5||f(this.git5),this.gitInv6=this.gitInv6||f(this.git6),this.gitInv7=this.gitInv7||f(this.git7),this.branchLabelColor=this.branchLabelColor||(this.darkMode?"black":this.labelTextColor),this.gitBranchLabel0=this.gitBranchLabel0||this.branchLabelColor,this.gitBranchLabel1=this.gitBranchLabel1||this.branchLabelColor,this.gitBranchLabel2=this.gitBranchLabel2||this.branchLabelColor,this.gitBranchLabel3=this.gitBranchLabel3||this.branchLabelColor,this.gitBranchLabel4=this.gitBranchLabel4||this.branchLabelColor,this.gitBranchLabel5=this.gitBranchLabel5||this.branchLabelColor,this.gitBranchLabel6=this.gitBranchLabel6||this.branchLabelColor,this.gitBranchLabel7=this.gitBranchLabel7||this.branchLabelColor,this.tagLabelColor=this.tagLabelColor||this.primaryTextColor,this.tagLabelBackground=this.tagLabelBackground||this.primaryColor,this.tagLabelBorder=this.tagBorder||this.primaryBorderColor,this.tagLabelFontSize=this.tagLabelFontSize||"10px",this.commitLabelColor=this.commitLabelColor||this.secondaryTextColor,this.commitLabelBackground=this.commitLabelBackground||this.secondaryColor,this.commitLabelFontSize=this.commitLabelFontSize||"10px",this.attributeBackgroundColorOdd=this.attributeBackgroundColorOdd||kt,this.attributeBackgroundColorEven=this.attributeBackgroundColorEven||Tt}calculate(t){if("object"!=typeof t)return void this.updateColors();const e=Object.keys(t);e.forEach((e=>{this[e]=t[e]})),this.updateColors(),e.forEach((e=>{this[e]=t[e]}))}};let St=class{constructor(){this.background="#333",this.primaryColor="#1f2020",this.secondaryColor=(0,g.Z)(this.primaryColor,16),this.tertiaryColor=h(this.primaryColor,{h:-160}),this.primaryBorderColor=f(this.background),this.secondaryBorderColor=vt(this.secondaryColor,this.darkMode),this.tertiaryBorderColor=vt(this.tertiaryColor,this.darkMode),this.primaryTextColor=f(this.primaryColor),this.secondaryTextColor=f(this.secondaryColor),this.tertiaryTextColor=f(this.tertiaryColor),this.lineColor=f(this.background),this.textColor=f(this.background),this.mainBkg="#1f2020",this.secondBkg="calculated",this.mainContrastColor="lightgrey",this.darkTextColor=(0,g.Z)(f("#323D47"),10),this.lineColor="calculated",this.border1="#81B1DB",this.border2=(0,u.Z)(255,255,255,.25),this.arrowheadColor="calculated",this.fontFamily='"trebuchet ms", verdana, arial, sans-serif',this.fontSize="16px",this.labelBackground="#181818",this.textColor="#ccc",this.THEME_COLOR_LIMIT=12,this.nodeBkg="calculated",this.nodeBorder="calculated",this.clusterBkg="calculated",this.clusterBorder="calculated",this.defaultLinkColor="calculated",this.titleColor="#F9FFFE",this.edgeLabelBackground="calculated",this.actorBorder="calculated",this.actorBkg="calculated",this.actorTextColor="calculated",this.actorLineColor="calculated",this.signalColor="calculated",this.signalTextColor="calculated",this.labelBoxBkgColor="calculated",this.labelBoxBorderColor="calculated",this.labelTextColor="calculated",this.loopTextColor="calculated",this.noteBorderColor="calculated",this.noteBkgColor="#fff5ad",this.noteTextColor="calculated",this.activationBorderColor="calculated",this.activationBkgColor="calculated",this.sequenceNumberColor="black",this.sectionBkgColor=(0,p.Z)("#EAE8D9",30),this.altSectionBkgColor="calculated",this.sectionBkgColor2="#EAE8D9",this.excludeBkgColor=(0,p.Z)(this.sectionBkgColor,10),this.taskBorderColor=(0,u.Z)(255,255,255,70),this.taskBkgColor="calculated",this.taskTextColor="calculated",this.taskTextLightColor="calculated",this.taskTextOutsideColor="calculated",this.taskTextClickableColor="#003163",this.activeTaskBorderColor=(0,u.Z)(255,255,255,50),this.activeTaskBkgColor="#81B1DB",this.gridColor="calculated",this.doneTaskBkgColor="calculated",this.doneTaskBorderColor="grey",this.critBorderColor="#E83737",this.critBkgColor="#E83737",this.taskTextDarkColor="calculated",this.todayLineColor="#DB5757",this.personBorder=this.primaryBorderColor,this.personBkg=this.mainBkg,this.labelColor="calculated",this.errorBkgColor="#a44141",this.errorTextColor="#ddd"}updateColors(){var t,e,i,r,n,o,a,s,l,c,u;this.secondBkg=(0,g.Z)(this.mainBkg,16),this.lineColor=this.mainContrastColor,this.arrowheadColor=this.mainContrastColor,this.nodeBkg=this.mainBkg,this.nodeBorder=this.border1,this.clusterBkg=this.secondBkg,this.clusterBorder=this.border2,this.defaultLinkColor=this.lineColor,this.edgeLabelBackground=(0,g.Z)(this.labelBackground,25),this.actorBorder=this.border1,this.actorBkg=this.mainBkg,this.actorTextColor=this.mainContrastColor,this.actorLineColor=this.mainContrastColor,this.signalColor=this.mainContrastColor,this.signalTextColor=this.mainContrastColor,this.labelBoxBkgColor=this.actorBkg,this.labelBoxBorderColor=this.actorBorder,this.labelTextColor=this.mainContrastColor,this.loopTextColor=this.mainContrastColor,this.noteBorderColor=this.secondaryBorderColor,this.noteBkgColor=this.secondBkg,this.noteTextColor=this.secondaryTextColor,this.activationBorderColor=this.border1,this.activationBkgColor=this.secondBkg,this.altSectionBkgColor=this.background,this.taskBkgColor=(0,g.Z)(this.mainBkg,23),this.taskTextColor=this.darkTextColor,this.taskTextLightColor=this.mainContrastColor,this.taskTextOutsideColor=this.taskTextLightColor,this.gridColor=this.mainContrastColor,this.doneTaskBkgColor=this.mainContrastColor,this.taskTextDarkColor=this.darkTextColor,this.transitionColor=this.transitionColor||this.lineColor,this.transitionLabelColor=this.transitionLabelColor||this.textColor,this.stateLabelColor=this.stateLabelColor||this.stateBkg||this.primaryTextColor,this.stateBkg=this.stateBkg||this.mainBkg,this.labelBackgroundColor=this.labelBackgroundColor||this.stateBkg,this.compositeBackground=this.compositeBackground||this.background||this.tertiaryColor,this.altBackground=this.altBackground||"#555",this.compositeTitleBackground=this.compositeTitleBackground||this.mainBkg,this.compositeBorder=this.compositeBorder||this.nodeBorder,this.innerEndBackground=this.primaryBorderColor,this.specialStateColor="#f4f4f4",this.errorBkgColor=this.errorBkgColor||this.tertiaryColor,this.errorTextColor=this.errorTextColor||this.tertiaryTextColor,this.fillType0=this.primaryColor,this.fillType1=this.secondaryColor,this.fillType2=h(this.primaryColor,{h:64}),this.fillType3=h(this.secondaryColor,{h:64}),this.fillType4=h(this.primaryColor,{h:-64}),this.fillType5=h(this.secondaryColor,{h:-64}),this.fillType6=h(this.primaryColor,{h:128}),this.fillType7=h(this.secondaryColor,{h:128}),this.cScale1=this.cScale1||"#0b0000",this.cScale2=this.cScale2||"#4d1037",this.cScale3=this.cScale3||"#3f5258",this.cScale4=this.cScale4||"#4f2f1b",this.cScale5=this.cScale5||"#6e0a0a",this.cScale6=this.cScale6||"#3b0048",this.cScale7=this.cScale7||"#995a01",this.cScale8=this.cScale8||"#154706",this.cScale9=this.cScale9||"#161722",this.cScale10=this.cScale10||"#00296f",this.cScale11=this.cScale11||"#01629c",this.cScale12=this.cScale12||"#010029",this.cScale0=this.cScale0||this.primaryColor,this.cScale1=this.cScale1||this.secondaryColor,this.cScale2=this.cScale2||this.tertiaryColor,this.cScale3=this.cScale3||h(this.primaryColor,{h:30}),this.cScale4=this.cScale4||h(this.primaryColor,{h:60}),this.cScale5=this.cScale5||h(this.primaryColor,{h:90}),this.cScale6=this.cScale6||h(this.primaryColor,{h:120}),this.cScale7=this.cScale7||h(this.primaryColor,{h:150}),this.cScale8=this.cScale8||h(this.primaryColor,{h:210}),this.cScale9=this.cScale9||h(this.primaryColor,{h:270}),this.cScale10=this.cScale10||h(this.primaryColor,{h:300}),this.cScale11=this.cScale11||h(this.primaryColor,{h:330});for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["cScaleInv"+h]=this["cScaleInv"+h]||f(this["cScale"+h]);for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["cScalePeer"+h]=this["cScalePeer"+h]||(0,g.Z)(this["cScale"+h],10);for(let d=0;d<5;d++)this["surface"+d]=this["surface"+d]||h(this.mainBkg,{h:30,s:-30,l:-(4*d-10)}),this["surfacePeer"+d]=this["surfacePeer"+d]||h(this.mainBkg,{h:30,s:-30,l:-(4*d-7)});this.scaleLabelColor=this.scaleLabelColor||(this.darkMode?"black":this.labelTextColor);for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["cScaleLabel"+h]=this["cScaleLabel"+h]||this.scaleLabelColor;for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["pie"+h]=this["cScale"+h];this.pieTitleTextSize=this.pieTitleTextSize||"25px",this.pieTitleTextColor=this.pieTitleTextColor||this.taskTextDarkColor,this.pieSectionTextSize=this.pieSectionTextSize||"17px",this.pieSectionTextColor=this.pieSectionTextColor||this.textColor,this.pieLegendTextSize=this.pieLegendTextSize||"17px",this.pieLegendTextColor=this.pieLegendTextColor||this.taskTextDarkColor,this.pieStrokeColor=this.pieStrokeColor||"black",this.pieStrokeWidth=this.pieStrokeWidth||"2px",this.pieOuterStrokeWidth=this.pieOuterStrokeWidth||"2px",this.pieOuterStrokeColor=this.pieOuterStrokeColor||"black",this.pieOpacity=this.pieOpacity||"0.7",this.quadrant1Fill=this.quadrant1Fill||this.primaryColor,this.quadrant2Fill=this.quadrant2Fill||h(this.primaryColor,{r:5,g:5,b:5}),this.quadrant3Fill=this.quadrant3Fill||h(this.primaryColor,{r:10,g:10,b:10}),this.quadrant4Fill=this.quadrant4Fill||h(this.primaryColor,{r:15,g:15,b:15}),this.quadrant1TextFill=this.quadrant1TextFill||this.primaryTextColor,this.quadrant2TextFill=this.quadrant2TextFill||h(this.primaryTextColor,{r:-5,g:-5,b:-5}),this.quadrant3TextFill=this.quadrant3TextFill||h(this.primaryTextColor,{r:-10,g:-10,b:-10}),this.quadrant4TextFill=this.quadrant4TextFill||h(this.primaryTextColor,{r:-15,g:-15,b:-15}),this.quadrantPointFill=this.quadrantPointFill||(0,m.Z)(this.quadrant1Fill)?(0,g.Z)(this.quadrant1Fill):(0,p.Z)(this.quadrant1Fill),this.quadrantPointTextFill=this.quadrantPointTextFill||this.primaryTextColor,this.quadrantXAxisTextFill=this.quadrantXAxisTextFill||this.primaryTextColor,this.quadrantYAxisTextFill=this.quadrantYAxisTextFill||this.primaryTextColor,this.quadrantInternalBorderStrokeFill=this.quadrantInternalBorderStrokeFill||this.primaryBorderColor,this.quadrantExternalBorderStrokeFill=this.quadrantExternalBorderStrokeFill||this.primaryBorderColor,this.quadrantTitleFill=this.quadrantTitleFill||this.primaryTextColor,this.xyChart={backgroundColor:(null==(t=this.xyChart)?void 0:t.backgroundColor)||this.background,titleColor:(null==(e=this.xyChart)?void 0:e.titleColor)||this.primaryTextColor,xAxisTitleColor:(null==(i=this.xyChart)?void 0:i.xAxisTitleColor)||this.primaryTextColor,xAxisLabelColor:(null==(r=this.xyChart)?void 0:r.xAxisLabelColor)||this.primaryTextColor,xAxisTickColor:(null==(n=this.xyChart)?void 0:n.xAxisTickColor)||this.primaryTextColor,xAxisLineColor:(null==(o=this.xyChart)?void 0:o.xAxisLineColor)||this.primaryTextColor,yAxisTitleColor:(null==(a=this.xyChart)?void 0:a.yAxisTitleColor)||this.primaryTextColor,yAxisLabelColor:(null==(s=this.xyChart)?void 0:s.yAxisLabelColor)||this.primaryTextColor,yAxisTickColor:(null==(l=this.xyChart)?void 0:l.yAxisTickColor)||this.primaryTextColor,yAxisLineColor:(null==(c=this.xyChart)?void 0:c.yAxisLineColor)||this.primaryTextColor,plotColorPalette:(null==(u=this.xyChart)?void 0:u.plotColorPalette)||"#3498db,#2ecc71,#e74c3c,#f1c40f,#bdc3c7,#ffffff,#34495e,#9b59b6,#1abc9c,#e67e22"},this.classText=this.primaryTextColor,this.requirementBackground=this.requirementBackground||this.primaryColor,this.requirementBorderColor=this.requirementBorderColor||this.primaryBorderColor,this.requirementBorderSize=this.requirementBorderSize||"1",this.requirementTextColor=this.requirementTextColor||this.primaryTextColor,this.relationColor=this.relationColor||this.lineColor,this.relationLabelBackground=this.relationLabelBackground||(this.darkMode?(0,p.Z)(this.secondaryColor,30):this.secondaryColor),this.relationLabelColor=this.relationLabelColor||this.actorTextColor,this.git0=(0,g.Z)(this.secondaryColor,20),this.git1=(0,g.Z)(this.pie2||this.secondaryColor,20),this.git2=(0,g.Z)(this.pie3||this.tertiaryColor,20),this.git3=(0,g.Z)(this.pie4||h(this.primaryColor,{h:-30}),20),this.git4=(0,g.Z)(this.pie5||h(this.primaryColor,{h:-60}),20),this.git5=(0,g.Z)(this.pie6||h(this.primaryColor,{h:-90}),10),this.git6=(0,g.Z)(this.pie7||h(this.primaryColor,{h:60}),10),this.git7=(0,g.Z)(this.pie8||h(this.primaryColor,{h:120}),20),this.gitInv0=this.gitInv0||f(this.git0),this.gitInv1=this.gitInv1||f(this.git1),this.gitInv2=this.gitInv2||f(this.git2),this.gitInv3=this.gitInv3||f(this.git3),this.gitInv4=this.gitInv4||f(this.git4),this.gitInv5=this.gitInv5||f(this.git5),this.gitInv6=this.gitInv6||f(this.git6),this.gitInv7=this.gitInv7||f(this.git7),this.gitBranchLabel0=this.gitBranchLabel0||f(this.labelTextColor),this.gitBranchLabel1=this.gitBranchLabel1||this.labelTextColor,this.gitBranchLabel2=this.gitBranchLabel2||this.labelTextColor,this.gitBranchLabel3=this.gitBranchLabel3||f(this.labelTextColor),this.gitBranchLabel4=this.gitBranchLabel4||this.labelTextColor,this.gitBranchLabel5=this.gitBranchLabel5||this.labelTextColor,this.gitBranchLabel6=this.gitBranchLabel6||this.labelTextColor,this.gitBranchLabel7=this.gitBranchLabel7||this.labelTextColor,this.tagLabelColor=this.tagLabelColor||this.primaryTextColor,this.tagLabelBackground=this.tagLabelBackground||this.primaryColor,this.tagLabelBorder=this.tagBorder||this.primaryBorderColor,this.tagLabelFontSize=this.tagLabelFontSize||"10px",this.commitLabelColor=this.commitLabelColor||this.secondaryTextColor,this.commitLabelBackground=this.commitLabelBackground||this.secondaryColor,this.commitLabelFontSize=this.commitLabelFontSize||"10px",this.attributeBackgroundColorOdd=this.attributeBackgroundColorOdd||(0,g.Z)(this.background,12),this.attributeBackgroundColorEven=this.attributeBackgroundColorEven||(0,g.Z)(this.background,2)}calculate(t){if("object"!=typeof t)return void this.updateColors();const e=Object.keys(t);e.forEach((e=>{this[e]=t[e]})),this.updateColors(),e.forEach((e=>{this[e]=t[e]}))}};let Bt=class{constructor(){this.background="#f4f4f4",this.primaryColor="#ECECFF",this.secondaryColor=h(this.primaryColor,{h:120}),this.secondaryColor="#ffffde",this.tertiaryColor=h(this.primaryColor,{h:-160}),this.primaryBorderColor=vt(this.primaryColor,this.darkMode),this.secondaryBorderColor=vt(this.secondaryColor,this.darkMode),this.tertiaryBorderColor=vt(this.tertiaryColor,this.darkMode),this.primaryTextColor=f(this.primaryColor),this.secondaryTextColor=f(this.secondaryColor),this.tertiaryTextColor=f(this.tertiaryColor),this.lineColor=f(this.background),this.textColor=f(this.background),this.background="white",this.mainBkg="#ECECFF",this.secondBkg="#ffffde",this.lineColor="#333333",this.border1="#9370DB",this.border2="#aaaa33",this.arrowheadColor="#333333",this.fontFamily='"trebuchet ms", verdana, arial, sans-serif',this.fontSize="16px",this.labelBackground="#e8e8e8",this.textColor="#333",this.THEME_COLOR_LIMIT=12,this.nodeBkg="calculated",this.nodeBorder="calculated",this.clusterBkg="calculated",this.clusterBorder="calculated",this.defaultLinkColor="calculated",this.titleColor="calculated",this.edgeLabelBackground="calculated",this.actorBorder="calculated",this.actorBkg="calculated",this.actorTextColor="black",this.actorLineColor="grey",this.signalColor="calculated",this.signalTextColor="calculated",this.labelBoxBkgColor="calculated",this.labelBoxBorderColor="calculated",this.labelTextColor="calculated",this.loopTextColor="calculated",this.noteBorderColor="calculated",this.noteBkgColor="#fff5ad",this.noteTextColor="calculated",this.activationBorderColor="#666",this.activationBkgColor="#f4f4f4",this.sequenceNumberColor="white",this.sectionBkgColor="calculated",this.altSectionBkgColor="calculated",this.sectionBkgColor2="calculated",this.excludeBkgColor="#eeeeee",this.taskBorderColor="calculated",this.taskBkgColor="calculated",this.taskTextLightColor="calculated",this.taskTextColor=this.taskTextLightColor,this.taskTextDarkColor="calculated",this.taskTextOutsideColor=this.taskTextDarkColor,this.taskTextClickableColor="calculated",this.activeTaskBorderColor="calculated",this.activeTaskBkgColor="calculated",this.gridColor="calculated",this.doneTaskBkgColor="calculated",this.doneTaskBorderColor="calculated",this.critBorderColor="calculated",this.critBkgColor="calculated",this.todayLineColor="calculated",this.sectionBkgColor=(0,u.Z)(102,102,255,.49),this.altSectionBkgColor="white",this.sectionBkgColor2="#fff400",this.taskBorderColor="#534fbc",this.taskBkgColor="#8a90dd",this.taskTextLightColor="white",this.taskTextColor="calculated",this.taskTextDarkColor="black",this.taskTextOutsideColor="calculated",this.taskTextClickableColor="#003163",this.activeTaskBorderColor="#534fbc",this.activeTaskBkgColor="#bfc7ff",this.gridColor="lightgrey",this.doneTaskBkgColor="lightgrey",this.doneTaskBorderColor="grey",this.critBorderColor="#ff8888",this.critBkgColor="red",this.todayLineColor="red",this.personBorder=this.primaryBorderColor,this.personBkg=this.mainBkg,this.labelColor="black",this.errorBkgColor="#552222",this.errorTextColor="#552222",this.updateColors()}updateColors(){var t,e,i,r,n,o,a,s,l,c,u;this.cScale0=this.cScale0||this.primaryColor,this.cScale1=this.cScale1||this.secondaryColor,this.cScale2=this.cScale2||this.tertiaryColor,this.cScale3=this.cScale3||h(this.primaryColor,{h:30}),this.cScale4=this.cScale4||h(this.primaryColor,{h:60}),this.cScale5=this.cScale5||h(this.primaryColor,{h:90}),this.cScale6=this.cScale6||h(this.primaryColor,{h:120}),this.cScale7=this.cScale7||h(this.primaryColor,{h:150}),this.cScale8=this.cScale8||h(this.primaryColor,{h:210}),this.cScale9=this.cScale9||h(this.primaryColor,{h:270}),this.cScale10=this.cScale10||h(this.primaryColor,{h:300}),this.cScale11=this.cScale11||h(this.primaryColor,{h:330}),this.cScalePeer1=this.cScalePeer1||(0,p.Z)(this.secondaryColor,45),this.cScalePeer2=this.cScalePeer2||(0,p.Z)(this.tertiaryColor,40);for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["cScale"+h]=(0,p.Z)(this["cScale"+h],10),this["cScalePeer"+h]=this["cScalePeer"+h]||(0,p.Z)(this["cScale"+h],25);for(let d=0;d<this.THEME_COLOR_LIMIT;d++)this["cScaleInv"+d]=this["cScaleInv"+d]||h(this["cScale"+d],{h:180});for(let d=0;d<5;d++)this["surface"+d]=this["surface"+d]||h(this.mainBkg,{h:30,l:-(5+5*d)}),this["surfacePeer"+d]=this["surfacePeer"+d]||h(this.mainBkg,{h:30,l:-(7+5*d)});if(this.scaleLabelColor="calculated"!==this.scaleLabelColor&&this.scaleLabelColor?this.scaleLabelColor:this.labelTextColor,"calculated"!==this.labelTextColor){this.cScaleLabel0=this.cScaleLabel0||f(this.labelTextColor),this.cScaleLabel3=this.cScaleLabel3||f(this.labelTextColor);for(let t=0;t<this.THEME_COLOR_LIMIT;t++)this["cScaleLabel"+t]=this["cScaleLabel"+t]||this.labelTextColor}this.nodeBkg=this.mainBkg,this.nodeBorder=this.border1,this.clusterBkg=this.secondBkg,this.clusterBorder=this.border2,this.defaultLinkColor=this.lineColor,this.titleColor=this.textColor,this.edgeLabelBackground=this.labelBackground,this.actorBorder=(0,g.Z)(this.border1,23),this.actorBkg=this.mainBkg,this.labelBoxBkgColor=this.actorBkg,this.signalColor=this.textColor,this.signalTextColor=this.textColor,this.labelBoxBorderColor=this.actorBorder,this.labelTextColor=this.actorTextColor,this.loopTextColor=this.actorTextColor,this.noteBorderColor=this.border2,this.noteTextColor=this.actorTextColor,this.taskTextColor=this.taskTextLightColor,this.taskTextOutsideColor=this.taskTextDarkColor,this.transitionColor=this.transitionColor||this.lineColor,this.transitionLabelColor=this.transitionLabelColor||this.textColor,this.stateLabelColor=this.stateLabelColor||this.stateBkg||this.primaryTextColor,this.stateBkg=this.stateBkg||this.mainBkg,this.labelBackgroundColor=this.labelBackgroundColor||this.stateBkg,this.compositeBackground=this.compositeBackground||this.background||this.tertiaryColor,this.altBackground=this.altBackground||"#f0f0f0",this.compositeTitleBackground=this.compositeTitleBackground||this.mainBkg,this.compositeBorder=this.compositeBorder||this.nodeBorder,this.innerEndBackground=this.nodeBorder,this.specialStateColor=this.lineColor,this.errorBkgColor=this.errorBkgColor||this.tertiaryColor,this.errorTextColor=this.errorTextColor||this.tertiaryTextColor,this.transitionColor=this.transitionColor||this.lineColor,this.classText=this.primaryTextColor,this.fillType0=this.primaryColor,this.fillType1=this.secondaryColor,this.fillType2=h(this.primaryColor,{h:64}),this.fillType3=h(this.secondaryColor,{h:64}),this.fillType4=h(this.primaryColor,{h:-64}),this.fillType5=h(this.secondaryColor,{h:-64}),this.fillType6=h(this.primaryColor,{h:128}),this.fillType7=h(this.secondaryColor,{h:128}),this.pie1=this.pie1||this.primaryColor,this.pie2=this.pie2||this.secondaryColor,this.pie3=this.pie3||h(this.tertiaryColor,{l:-40}),this.pie4=this.pie4||h(this.primaryColor,{l:-10}),this.pie5=this.pie5||h(this.secondaryColor,{l:-30}),this.pie6=this.pie6||h(this.tertiaryColor,{l:-20}),this.pie7=this.pie7||h(this.primaryColor,{h:60,l:-20}),this.pie8=this.pie8||h(this.primaryColor,{h:-60,l:-40}),this.pie9=this.pie9||h(this.primaryColor,{h:120,l:-40}),this.pie10=this.pie10||h(this.primaryColor,{h:60,l:-40}),this.pie11=this.pie11||h(this.primaryColor,{h:-90,l:-40}),this.pie12=this.pie12||h(this.primaryColor,{h:120,l:-30}),this.pieTitleTextSize=this.pieTitleTextSize||"25px",this.pieTitleTextColor=this.pieTitleTextColor||this.taskTextDarkColor,this.pieSectionTextSize=this.pieSectionTextSize||"17px",this.pieSectionTextColor=this.pieSectionTextColor||this.textColor,this.pieLegendTextSize=this.pieLegendTextSize||"17px",this.pieLegendTextColor=this.pieLegendTextColor||this.taskTextDarkColor,this.pieStrokeColor=this.pieStrokeColor||"black",this.pieStrokeWidth=this.pieStrokeWidth||"2px",this.pieOuterStrokeWidth=this.pieOuterStrokeWidth||"2px",this.pieOuterStrokeColor=this.pieOuterStrokeColor||"black",this.pieOpacity=this.pieOpacity||"0.7",this.quadrant1Fill=this.quadrant1Fill||this.primaryColor,this.quadrant2Fill=this.quadrant2Fill||h(this.primaryColor,{r:5,g:5,b:5}),this.quadrant3Fill=this.quadrant3Fill||h(this.primaryColor,{r:10,g:10,b:10}),this.quadrant4Fill=this.quadrant4Fill||h(this.primaryColor,{r:15,g:15,b:15}),this.quadrant1TextFill=this.quadrant1TextFill||this.primaryTextColor,this.quadrant2TextFill=this.quadrant2TextFill||h(this.primaryTextColor,{r:-5,g:-5,b:-5}),this.quadrant3TextFill=this.quadrant3TextFill||h(this.primaryTextColor,{r:-10,g:-10,b:-10}),this.quadrant4TextFill=this.quadrant4TextFill||h(this.primaryTextColor,{r:-15,g:-15,b:-15}),this.quadrantPointFill=this.quadrantPointFill||(0,m.Z)(this.quadrant1Fill)?(0,g.Z)(this.quadrant1Fill):(0,p.Z)(this.quadrant1Fill),this.quadrantPointTextFill=this.quadrantPointTextFill||this.primaryTextColor,this.quadrantXAxisTextFill=this.quadrantXAxisTextFill||this.primaryTextColor,this.quadrantYAxisTextFill=this.quadrantYAxisTextFill||this.primaryTextColor,this.quadrantInternalBorderStrokeFill=this.quadrantInternalBorderStrokeFill||this.primaryBorderColor,this.quadrantExternalBorderStrokeFill=this.quadrantExternalBorderStrokeFill||this.primaryBorderColor,this.quadrantTitleFill=this.quadrantTitleFill||this.primaryTextColor,this.xyChart={backgroundColor:(null==(t=this.xyChart)?void 0:t.backgroundColor)||this.background,titleColor:(null==(e=this.xyChart)?void 0:e.titleColor)||this.primaryTextColor,xAxisTitleColor:(null==(i=this.xyChart)?void 0:i.xAxisTitleColor)||this.primaryTextColor,xAxisLabelColor:(null==(r=this.xyChart)?void 0:r.xAxisLabelColor)||this.primaryTextColor,xAxisTickColor:(null==(n=this.xyChart)?void 0:n.xAxisTickColor)||this.primaryTextColor,xAxisLineColor:(null==(o=this.xyChart)?void 0:o.xAxisLineColor)||this.primaryTextColor,yAxisTitleColor:(null==(a=this.xyChart)?void 0:a.yAxisTitleColor)||this.primaryTextColor,yAxisLabelColor:(null==(s=this.xyChart)?void 0:s.yAxisLabelColor)||this.primaryTextColor,yAxisTickColor:(null==(l=this.xyChart)?void 0:l.yAxisTickColor)||this.primaryTextColor,yAxisLineColor:(null==(c=this.xyChart)?void 0:c.yAxisLineColor)||this.primaryTextColor,plotColorPalette:(null==(u=this.xyChart)?void 0:u.plotColorPalette)||"#ECECFF,#8493A6,#FFC3A0,#DCDDE1,#B8E994,#D1A36F,#C3CDE6,#FFB6C1,#496078,#F8F3E3"},this.requirementBackground=this.requirementBackground||this.primaryColor,this.requirementBorderColor=this.requirementBorderColor||this.primaryBorderColor,this.requirementBorderSize=this.requirementBorderSize||"1",this.requirementTextColor=this.requirementTextColor||this.primaryTextColor,this.relationColor=this.relationColor||this.lineColor,this.relationLabelBackground=this.relationLabelBackground||this.labelBackground,this.relationLabelColor=this.relationLabelColor||this.actorTextColor,this.git0=this.git0||this.primaryColor,this.git1=this.git1||this.secondaryColor,this.git2=this.git2||this.tertiaryColor,this.git3=this.git3||h(this.primaryColor,{h:-30}),this.git4=this.git4||h(this.primaryColor,{h:-60}),this.git5=this.git5||h(this.primaryColor,{h:-90}),this.git6=this.git6||h(this.primaryColor,{h:60}),this.git7=this.git7||h(this.primaryColor,{h:120}),this.darkMode?(this.git0=(0,g.Z)(this.git0,25),this.git1=(0,g.Z)(this.git1,25),this.git2=(0,g.Z)(this.git2,25),this.git3=(0,g.Z)(this.git3,25),this.git4=(0,g.Z)(this.git4,25),this.git5=(0,g.Z)(this.git5,25),this.git6=(0,g.Z)(this.git6,25),this.git7=(0,g.Z)(this.git7,25)):(this.git0=(0,p.Z)(this.git0,25),this.git1=(0,p.Z)(this.git1,25),this.git2=(0,p.Z)(this.git2,25),this.git3=(0,p.Z)(this.git3,25),this.git4=(0,p.Z)(this.git4,25),this.git5=(0,p.Z)(this.git5,25),this.git6=(0,p.Z)(this.git6,25),this.git7=(0,p.Z)(this.git7,25)),this.gitInv0=this.gitInv0||(0,p.Z)(f(this.git0),25),this.gitInv1=this.gitInv1||f(this.git1),this.gitInv2=this.gitInv2||f(this.git2),this.gitInv3=this.gitInv3||f(this.git3),this.gitInv4=this.gitInv4||f(this.git4),this.gitInv5=this.gitInv5||f(this.git5),this.gitInv6=this.gitInv6||f(this.git6),this.gitInv7=this.gitInv7||f(this.git7),this.gitBranchLabel0=this.gitBranchLabel0||f(this.labelTextColor),this.gitBranchLabel1=this.gitBranchLabel1||this.labelTextColor,this.gitBranchLabel2=this.gitBranchLabel2||this.labelTextColor,this.gitBranchLabel3=this.gitBranchLabel3||f(this.labelTextColor),this.gitBranchLabel4=this.gitBranchLabel4||this.labelTextColor,this.gitBranchLabel5=this.gitBranchLabel5||this.labelTextColor,this.gitBranchLabel6=this.gitBranchLabel6||this.labelTextColor,this.gitBranchLabel7=this.gitBranchLabel7||this.labelTextColor,this.tagLabelColor=this.tagLabelColor||this.primaryTextColor,this.tagLabelBackground=this.tagLabelBackground||this.primaryColor,this.tagLabelBorder=this.tagBorder||this.primaryBorderColor,this.tagLabelFontSize=this.tagLabelFontSize||"10px",this.commitLabelColor=this.commitLabelColor||this.secondaryTextColor,this.commitLabelBackground=this.commitLabelBackground||this.secondaryColor,this.commitLabelFontSize=this.commitLabelFontSize||"10px",this.attributeBackgroundColorOdd=this.attributeBackgroundColorOdd||kt,this.attributeBackgroundColorEven=this.attributeBackgroundColorEven||Tt}calculate(t){if("object"!=typeof t)return void this.updateColors();const e=Object.keys(t);e.forEach((e=>{this[e]=t[e]})),this.updateColors(),e.forEach((e=>{this[e]=t[e]}))}};const Ft=t=>{const e=new Bt;return e.calculate(t),e};let Lt=class{constructor(){this.background="#f4f4f4",this.primaryColor="#cde498",this.secondaryColor="#cdffb2",this.background="white",this.mainBkg="#cde498",this.secondBkg="#cdffb2",this.lineColor="green",this.border1="#13540c",this.border2="#6eaa49",this.arrowheadColor="green",this.fontFamily='"trebuchet ms", verdana, arial, sans-serif',this.fontSize="16px",this.tertiaryColor=(0,g.Z)("#cde498",10),this.primaryBorderColor=vt(this.primaryColor,this.darkMode),this.secondaryBorderColor=vt(this.secondaryColor,this.darkMode),this.tertiaryBorderColor=vt(this.tertiaryColor,this.darkMode),this.primaryTextColor=f(this.primaryColor),this.secondaryTextColor=f(this.secondaryColor),this.tertiaryTextColor=f(this.primaryColor),this.lineColor=f(this.background),this.textColor=f(this.background),this.THEME_COLOR_LIMIT=12,this.nodeBkg="calculated",this.nodeBorder="calculated",this.clusterBkg="calculated",this.clusterBorder="calculated",this.defaultLinkColor="calculated",this.titleColor="#333",this.edgeLabelBackground="#e8e8e8",this.actorBorder="calculated",this.actorBkg="calculated",this.actorTextColor="black",this.actorLineColor="grey",this.signalColor="#333",this.signalTextColor="#333",this.labelBoxBkgColor="calculated",this.labelBoxBorderColor="#326932",this.labelTextColor="calculated",this.loopTextColor="calculated",this.noteBorderColor="calculated",this.noteBkgColor="#fff5ad",this.noteTextColor="calculated",this.activationBorderColor="#666",this.activationBkgColor="#f4f4f4",this.sequenceNumberColor="white",this.sectionBkgColor="#6eaa49",this.altSectionBkgColor="white",this.sectionBkgColor2="#6eaa49",this.excludeBkgColor="#eeeeee",this.taskBorderColor="calculated",this.taskBkgColor="#487e3a",this.taskTextLightColor="white",this.taskTextColor="calculated",this.taskTextDarkColor="black",this.taskTextOutsideColor="calculated",this.taskTextClickableColor="#003163",this.activeTaskBorderColor="calculated",this.activeTaskBkgColor="calculated",this.gridColor="lightgrey",this.doneTaskBkgColor="lightgrey",this.doneTaskBorderColor="grey",this.critBorderColor="#ff8888",this.critBkgColor="red",this.todayLineColor="red",this.personBorder=this.primaryBorderColor,this.personBkg=this.mainBkg,this.labelColor="black",this.errorBkgColor="#552222",this.errorTextColor="#552222"}updateColors(){var t,e,i,r,n,o,a,s,l,c,u;this.actorBorder=(0,p.Z)(this.mainBkg,20),this.actorBkg=this.mainBkg,this.labelBoxBkgColor=this.actorBkg,this.labelTextColor=this.actorTextColor,this.loopTextColor=this.actorTextColor,this.noteBorderColor=this.border2,this.noteTextColor=this.actorTextColor,this.cScale0=this.cScale0||this.primaryColor,this.cScale1=this.cScale1||this.secondaryColor,this.cScale2=this.cScale2||this.tertiaryColor,this.cScale3=this.cScale3||h(this.primaryColor,{h:30}),this.cScale4=this.cScale4||h(this.primaryColor,{h:60}),this.cScale5=this.cScale5||h(this.primaryColor,{h:90}),this.cScale6=this.cScale6||h(this.primaryColor,{h:120}),this.cScale7=this.cScale7||h(this.primaryColor,{h:150}),this.cScale8=this.cScale8||h(this.primaryColor,{h:210}),this.cScale9=this.cScale9||h(this.primaryColor,{h:270}),this.cScale10=this.cScale10||h(this.primaryColor,{h:300}),this.cScale11=this.cScale11||h(this.primaryColor,{h:330}),this.cScalePeer1=this.cScalePeer1||(0,p.Z)(this.secondaryColor,45),this.cScalePeer2=this.cScalePeer2||(0,p.Z)(this.tertiaryColor,40);for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["cScale"+h]=(0,p.Z)(this["cScale"+h],10),this["cScalePeer"+h]=this["cScalePeer"+h]||(0,p.Z)(this["cScale"+h],25);for(let d=0;d<this.THEME_COLOR_LIMIT;d++)this["cScaleInv"+d]=this["cScaleInv"+d]||h(this["cScale"+d],{h:180});this.scaleLabelColor="calculated"!==this.scaleLabelColor&&this.scaleLabelColor?this.scaleLabelColor:this.labelTextColor;for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["cScaleLabel"+h]=this["cScaleLabel"+h]||this.scaleLabelColor;for(let d=0;d<5;d++)this["surface"+d]=this["surface"+d]||h(this.mainBkg,{h:30,s:-30,l:-(5+5*d)}),this["surfacePeer"+d]=this["surfacePeer"+d]||h(this.mainBkg,{h:30,s:-30,l:-(8+5*d)});this.nodeBkg=this.mainBkg,this.nodeBorder=this.border1,this.clusterBkg=this.secondBkg,this.clusterBorder=this.border2,this.defaultLinkColor=this.lineColor,this.taskBorderColor=this.border1,this.taskTextColor=this.taskTextLightColor,this.taskTextOutsideColor=this.taskTextDarkColor,this.activeTaskBorderColor=this.taskBorderColor,this.activeTaskBkgColor=this.mainBkg,this.transitionColor=this.transitionColor||this.lineColor,this.transitionLabelColor=this.transitionLabelColor||this.textColor,this.stateLabelColor=this.stateLabelColor||this.stateBkg||this.primaryTextColor,this.stateBkg=this.stateBkg||this.mainBkg,this.labelBackgroundColor=this.labelBackgroundColor||this.stateBkg,this.compositeBackground=this.compositeBackground||this.background||this.tertiaryColor,this.altBackground=this.altBackground||"#f0f0f0",this.compositeTitleBackground=this.compositeTitleBackground||this.mainBkg,this.compositeBorder=this.compositeBorder||this.nodeBorder,this.innerEndBackground=this.primaryBorderColor,this.specialStateColor=this.lineColor,this.errorBkgColor=this.errorBkgColor||this.tertiaryColor,this.errorTextColor=this.errorTextColor||this.tertiaryTextColor,this.transitionColor=this.transitionColor||this.lineColor,this.classText=this.primaryTextColor,this.fillType0=this.primaryColor,this.fillType1=this.secondaryColor,this.fillType2=h(this.primaryColor,{h:64}),this.fillType3=h(this.secondaryColor,{h:64}),this.fillType4=h(this.primaryColor,{h:-64}),this.fillType5=h(this.secondaryColor,{h:-64}),this.fillType6=h(this.primaryColor,{h:128}),this.fillType7=h(this.secondaryColor,{h:128}),this.pie1=this.pie1||this.primaryColor,this.pie2=this.pie2||this.secondaryColor,this.pie3=this.pie3||this.tertiaryColor,this.pie4=this.pie4||h(this.primaryColor,{l:-30}),this.pie5=this.pie5||h(this.secondaryColor,{l:-30}),this.pie6=this.pie6||h(this.tertiaryColor,{h:40,l:-40}),this.pie7=this.pie7||h(this.primaryColor,{h:60,l:-10}),this.pie8=this.pie8||h(this.primaryColor,{h:-60,l:-10}),this.pie9=this.pie9||h(this.primaryColor,{h:120,l:0}),this.pie10=this.pie10||h(this.primaryColor,{h:60,l:-50}),this.pie11=this.pie11||h(this.primaryColor,{h:-60,l:-50}),this.pie12=this.pie12||h(this.primaryColor,{h:120,l:-50}),this.pieTitleTextSize=this.pieTitleTextSize||"25px",this.pieTitleTextColor=this.pieTitleTextColor||this.taskTextDarkColor,this.pieSectionTextSize=this.pieSectionTextSize||"17px",this.pieSectionTextColor=this.pieSectionTextColor||this.textColor,this.pieLegendTextSize=this.pieLegendTextSize||"17px",this.pieLegendTextColor=this.pieLegendTextColor||this.taskTextDarkColor,this.pieStrokeColor=this.pieStrokeColor||"black",this.pieStrokeWidth=this.pieStrokeWidth||"2px",this.pieOuterStrokeWidth=this.pieOuterStrokeWidth||"2px",this.pieOuterStrokeColor=this.pieOuterStrokeColor||"black",this.pieOpacity=this.pieOpacity||"0.7",this.quadrant1Fill=this.quadrant1Fill||this.primaryColor,this.quadrant2Fill=this.quadrant2Fill||h(this.primaryColor,{r:5,g:5,b:5}),this.quadrant3Fill=this.quadrant3Fill||h(this.primaryColor,{r:10,g:10,b:10}),this.quadrant4Fill=this.quadrant4Fill||h(this.primaryColor,{r:15,g:15,b:15}),this.quadrant1TextFill=this.quadrant1TextFill||this.primaryTextColor,this.quadrant2TextFill=this.quadrant2TextFill||h(this.primaryTextColor,{r:-5,g:-5,b:-5}),this.quadrant3TextFill=this.quadrant3TextFill||h(this.primaryTextColor,{r:-10,g:-10,b:-10}),this.quadrant4TextFill=this.quadrant4TextFill||h(this.primaryTextColor,{r:-15,g:-15,b:-15}),this.quadrantPointFill=this.quadrantPointFill||(0,m.Z)(this.quadrant1Fill)?(0,g.Z)(this.quadrant1Fill):(0,p.Z)(this.quadrant1Fill),this.quadrantPointTextFill=this.quadrantPointTextFill||this.primaryTextColor,this.quadrantXAxisTextFill=this.quadrantXAxisTextFill||this.primaryTextColor,this.quadrantYAxisTextFill=this.quadrantYAxisTextFill||this.primaryTextColor,this.quadrantInternalBorderStrokeFill=this.quadrantInternalBorderStrokeFill||this.primaryBorderColor,this.quadrantExternalBorderStrokeFill=this.quadrantExternalBorderStrokeFill||this.primaryBorderColor,this.quadrantTitleFill=this.quadrantTitleFill||this.primaryTextColor,this.xyChart={backgroundColor:(null==(t=this.xyChart)?void 0:t.backgroundColor)||this.background,titleColor:(null==(e=this.xyChart)?void 0:e.titleColor)||this.primaryTextColor,xAxisTitleColor:(null==(i=this.xyChart)?void 0:i.xAxisTitleColor)||this.primaryTextColor,xAxisLabelColor:(null==(r=this.xyChart)?void 0:r.xAxisLabelColor)||this.primaryTextColor,xAxisTickColor:(null==(n=this.xyChart)?void 0:n.xAxisTickColor)||this.primaryTextColor,xAxisLineColor:(null==(o=this.xyChart)?void 0:o.xAxisLineColor)||this.primaryTextColor,yAxisTitleColor:(null==(a=this.xyChart)?void 0:a.yAxisTitleColor)||this.primaryTextColor,yAxisLabelColor:(null==(s=this.xyChart)?void 0:s.yAxisLabelColor)||this.primaryTextColor,yAxisTickColor:(null==(l=this.xyChart)?void 0:l.yAxisTickColor)||this.primaryTextColor,yAxisLineColor:(null==(c=this.xyChart)?void 0:c.yAxisLineColor)||this.primaryTextColor,plotColorPalette:(null==(u=this.xyChart)?void 0:u.plotColorPalette)||"#CDE498,#FF6B6B,#A0D2DB,#D7BDE2,#F0F0F0,#FFC3A0,#7FD8BE,#FF9A8B,#FAF3E0,#FFF176"},this.requirementBackground=this.requirementBackground||this.primaryColor,this.requirementBorderColor=this.requirementBorderColor||this.primaryBorderColor,this.requirementBorderSize=this.requirementBorderSize||"1",this.requirementTextColor=this.requirementTextColor||this.primaryTextColor,this.relationColor=this.relationColor||this.lineColor,this.relationLabelBackground=this.relationLabelBackground||this.edgeLabelBackground,this.relationLabelColor=this.relationLabelColor||this.actorTextColor,this.git0=this.git0||this.primaryColor,this.git1=this.git1||this.secondaryColor,this.git2=this.git2||this.tertiaryColor,this.git3=this.git3||h(this.primaryColor,{h:-30}),this.git4=this.git4||h(this.primaryColor,{h:-60}),this.git5=this.git5||h(this.primaryColor,{h:-90}),this.git6=this.git6||h(this.primaryColor,{h:60}),this.git7=this.git7||h(this.primaryColor,{h:120}),this.darkMode?(this.git0=(0,g.Z)(this.git0,25),this.git1=(0,g.Z)(this.git1,25),this.git2=(0,g.Z)(this.git2,25),this.git3=(0,g.Z)(this.git3,25),this.git4=(0,g.Z)(this.git4,25),this.git5=(0,g.Z)(this.git5,25),this.git6=(0,g.Z)(this.git6,25),this.git7=(0,g.Z)(this.git7,25)):(this.git0=(0,p.Z)(this.git0,25),this.git1=(0,p.Z)(this.git1,25),this.git2=(0,p.Z)(this.git2,25),this.git3=(0,p.Z)(this.git3,25),this.git4=(0,p.Z)(this.git4,25),this.git5=(0,p.Z)(this.git5,25),this.git6=(0,p.Z)(this.git6,25),this.git7=(0,p.Z)(this.git7,25)),this.gitInv0=this.gitInv0||f(this.git0),this.gitInv1=this.gitInv1||f(this.git1),this.gitInv2=this.gitInv2||f(this.git2),this.gitInv3=this.gitInv3||f(this.git3),this.gitInv4=this.gitInv4||f(this.git4),this.gitInv5=this.gitInv5||f(this.git5),this.gitInv6=this.gitInv6||f(this.git6),this.gitInv7=this.gitInv7||f(this.git7),this.gitBranchLabel0=this.gitBranchLabel0||f(this.labelTextColor),this.gitBranchLabel1=this.gitBranchLabel1||this.labelTextColor,this.gitBranchLabel2=this.gitBranchLabel2||this.labelTextColor,this.gitBranchLabel3=this.gitBranchLabel3||f(this.labelTextColor),this.gitBranchLabel4=this.gitBranchLabel4||this.labelTextColor,this.gitBranchLabel5=this.gitBranchLabel5||this.labelTextColor,this.gitBranchLabel6=this.gitBranchLabel6||this.labelTextColor,this.gitBranchLabel7=this.gitBranchLabel7||this.labelTextColor,this.tagLabelColor=this.tagLabelColor||this.primaryTextColor,this.tagLabelBackground=this.tagLabelBackground||this.primaryColor,this.tagLabelBorder=this.tagBorder||this.primaryBorderColor,this.tagLabelFontSize=this.tagLabelFontSize||"10px",this.commitLabelColor=this.commitLabelColor||this.secondaryTextColor,this.commitLabelBackground=this.commitLabelBackground||this.secondaryColor,this.commitLabelFontSize=this.commitLabelFontSize||"10px",this.attributeBackgroundColorOdd=this.attributeBackgroundColorOdd||kt,this.attributeBackgroundColorEven=this.attributeBackgroundColorEven||Tt}calculate(t){if("object"!=typeof t)return void this.updateColors();const e=Object.keys(t);e.forEach((e=>{this[e]=t[e]})),this.updateColors(),e.forEach((e=>{this[e]=t[e]}))}};class At{constructor(){this.primaryColor="#eee",this.contrast="#707070",this.secondaryColor=(0,g.Z)(this.contrast,55),this.background="#ffffff",this.tertiaryColor=h(this.primaryColor,{h:-160}),this.primaryBorderColor=vt(this.primaryColor,this.darkMode),this.secondaryBorderColor=vt(this.secondaryColor,this.darkMode),this.tertiaryBorderColor=vt(this.tertiaryColor,this.darkMode),this.primaryTextColor=f(this.primaryColor),this.secondaryTextColor=f(this.secondaryColor),this.tertiaryTextColor=f(this.tertiaryColor),this.lineColor=f(this.background),this.textColor=f(this.background),this.mainBkg="#eee",this.secondBkg="calculated",this.lineColor="#666",this.border1="#999",this.border2="calculated",this.note="#ffa",this.text="#333",this.critical="#d42",this.done="#bbb",this.arrowheadColor="#333333",this.fontFamily='"trebuchet ms", verdana, arial, sans-serif',this.fontSize="16px",this.THEME_COLOR_LIMIT=12,this.nodeBkg="calculated",this.nodeBorder="calculated",this.clusterBkg="calculated",this.clusterBorder="calculated",this.defaultLinkColor="calculated",this.titleColor="calculated",this.edgeLabelBackground="white",this.actorBorder="calculated",this.actorBkg="calculated",this.actorTextColor="calculated",this.actorLineColor="calculated",this.signalColor="calculated",this.signalTextColor="calculated",this.labelBoxBkgColor="calculated",this.labelBoxBorderColor="calculated",this.labelTextColor="calculated",this.loopTextColor="calculated",this.noteBorderColor="calculated",this.noteBkgColor="calculated",this.noteTextColor="calculated",this.activationBorderColor="#666",this.activationBkgColor="#f4f4f4",this.sequenceNumberColor="white",this.sectionBkgColor="calculated",this.altSectionBkgColor="white",this.sectionBkgColor2="calculated",this.excludeBkgColor="#eeeeee",this.taskBorderColor="calculated",this.taskBkgColor="calculated",this.taskTextLightColor="white",this.taskTextColor="calculated",this.taskTextDarkColor="calculated",this.taskTextOutsideColor="calculated",this.taskTextClickableColor="#003163",this.activeTaskBorderColor="calculated",this.activeTaskBkgColor="calculated",this.gridColor="calculated",this.doneTaskBkgColor="calculated",this.doneTaskBorderColor="calculated",this.critBkgColor="calculated",this.critBorderColor="calculated",this.todayLineColor="calculated",this.personBorder=this.primaryBorderColor,this.personBkg=this.mainBkg,this.labelColor="black",this.errorBkgColor="#552222",this.errorTextColor="#552222"}updateColors(){var t,e,i,r,n,o,a,s,l,c,u;this.secondBkg=(0,g.Z)(this.contrast,55),this.border2=this.contrast,this.actorBorder=(0,g.Z)(this.border1,23),this.actorBkg=this.mainBkg,this.actorTextColor=this.text,this.actorLineColor=this.lineColor,this.signalColor=this.text,this.signalTextColor=this.text,this.labelBoxBkgColor=this.actorBkg,this.labelBoxBorderColor=this.actorBorder,this.labelTextColor=this.text,this.loopTextColor=this.text,this.noteBorderColor="#999",this.noteBkgColor="#666",this.noteTextColor="#fff",this.cScale0=this.cScale0||"#555",this.cScale1=this.cScale1||"#F4F4F4",this.cScale2=this.cScale2||"#555",this.cScale3=this.cScale3||"#BBB",this.cScale4=this.cScale4||"#777",this.cScale5=this.cScale5||"#999",this.cScale6=this.cScale6||"#DDD",this.cScale7=this.cScale7||"#FFF",this.cScale8=this.cScale8||"#DDD",this.cScale9=this.cScale9||"#BBB",this.cScale10=this.cScale10||"#999",this.cScale11=this.cScale11||"#777";for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["cScaleInv"+h]=this["cScaleInv"+h]||f(this["cScale"+h]);for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this.darkMode?this["cScalePeer"+h]=this["cScalePeer"+h]||(0,g.Z)(this["cScale"+h],10):this["cScalePeer"+h]=this["cScalePeer"+h]||(0,p.Z)(this["cScale"+h],10);this.scaleLabelColor=this.scaleLabelColor||(this.darkMode?"black":this.labelTextColor),this.cScaleLabel0=this.cScaleLabel0||this.cScale1,this.cScaleLabel2=this.cScaleLabel2||this.cScale1;for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["cScaleLabel"+h]=this["cScaleLabel"+h]||this.scaleLabelColor;for(let d=0;d<5;d++)this["surface"+d]=this["surface"+d]||h(this.mainBkg,{l:-(5+5*d)}),this["surfacePeer"+d]=this["surfacePeer"+d]||h(this.mainBkg,{l:-(8+5*d)});this.nodeBkg=this.mainBkg,this.nodeBorder=this.border1,this.clusterBkg=this.secondBkg,this.clusterBorder=this.border2,this.defaultLinkColor=this.lineColor,this.titleColor=this.text,this.sectionBkgColor=(0,g.Z)(this.contrast,30),this.sectionBkgColor2=(0,g.Z)(this.contrast,30),this.taskBorderColor=(0,p.Z)(this.contrast,10),this.taskBkgColor=this.contrast,this.taskTextColor=this.taskTextLightColor,this.taskTextDarkColor=this.text,this.taskTextOutsideColor=this.taskTextDarkColor,this.activeTaskBorderColor=this.taskBorderColor,this.activeTaskBkgColor=this.mainBkg,this.gridColor=(0,g.Z)(this.border1,30),this.doneTaskBkgColor=this.done,this.doneTaskBorderColor=this.lineColor,this.critBkgColor=this.critical,this.critBorderColor=(0,p.Z)(this.critBkgColor,10),this.todayLineColor=this.critBkgColor,this.transitionColor=this.transitionColor||"#000",this.transitionLabelColor=this.transitionLabelColor||this.textColor,this.stateLabelColor=this.stateLabelColor||this.stateBkg||this.primaryTextColor,this.stateBkg=this.stateBkg||this.mainBkg,this.labelBackgroundColor=this.labelBackgroundColor||this.stateBkg,this.compositeBackground=this.compositeBackground||this.background||this.tertiaryColor,this.altBackground=this.altBackground||"#f4f4f4",this.compositeTitleBackground=this.compositeTitleBackground||this.mainBkg,this.stateBorder=this.stateBorder||"#000",this.innerEndBackground=this.primaryBorderColor,this.specialStateColor="#222",this.errorBkgColor=this.errorBkgColor||this.tertiaryColor,this.errorTextColor=this.errorTextColor||this.tertiaryTextColor,this.classText=this.primaryTextColor,this.fillType0=this.primaryColor,this.fillType1=this.secondaryColor,this.fillType2=h(this.primaryColor,{h:64}),this.fillType3=h(this.secondaryColor,{h:64}),this.fillType4=h(this.primaryColor,{h:-64}),this.fillType5=h(this.secondaryColor,{h:-64}),this.fillType6=h(this.primaryColor,{h:128}),this.fillType7=h(this.secondaryColor,{h:128});for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["pie"+h]=this["cScale"+h];this.pie12=this.pie0,this.pieTitleTextSize=this.pieTitleTextSize||"25px",this.pieTitleTextColor=this.pieTitleTextColor||this.taskTextDarkColor,this.pieSectionTextSize=this.pieSectionTextSize||"17px",this.pieSectionTextColor=this.pieSectionTextColor||this.textColor,this.pieLegendTextSize=this.pieLegendTextSize||"17px",this.pieLegendTextColor=this.pieLegendTextColor||this.taskTextDarkColor,this.pieStrokeColor=this.pieStrokeColor||"black",this.pieStrokeWidth=this.pieStrokeWidth||"2px",this.pieOuterStrokeWidth=this.pieOuterStrokeWidth||"2px",this.pieOuterStrokeColor=this.pieOuterStrokeColor||"black",this.pieOpacity=this.pieOpacity||"0.7",this.quadrant1Fill=this.quadrant1Fill||this.primaryColor,this.quadrant2Fill=this.quadrant2Fill||h(this.primaryColor,{r:5,g:5,b:5}),this.quadrant3Fill=this.quadrant3Fill||h(this.primaryColor,{r:10,g:10,b:10}),this.quadrant4Fill=this.quadrant4Fill||h(this.primaryColor,{r:15,g:15,b:15}),this.quadrant1TextFill=this.quadrant1TextFill||this.primaryTextColor,this.quadrant2TextFill=this.quadrant2TextFill||h(this.primaryTextColor,{r:-5,g:-5,b:-5}),this.quadrant3TextFill=this.quadrant3TextFill||h(this.primaryTextColor,{r:-10,g:-10,b:-10}),this.quadrant4TextFill=this.quadrant4TextFill||h(this.primaryTextColor,{r:-15,g:-15,b:-15}),this.quadrantPointFill=this.quadrantPointFill||(0,m.Z)(this.quadrant1Fill)?(0,g.Z)(this.quadrant1Fill):(0,p.Z)(this.quadrant1Fill),this.quadrantPointTextFill=this.quadrantPointTextFill||this.primaryTextColor,this.quadrantXAxisTextFill=this.quadrantXAxisTextFill||this.primaryTextColor,this.quadrantYAxisTextFill=this.quadrantYAxisTextFill||this.primaryTextColor,this.quadrantInternalBorderStrokeFill=this.quadrantInternalBorderStrokeFill||this.primaryBorderColor,this.quadrantExternalBorderStrokeFill=this.quadrantExternalBorderStrokeFill||this.primaryBorderColor,this.quadrantTitleFill=this.quadrantTitleFill||this.primaryTextColor,this.xyChart={backgroundColor:(null==(t=this.xyChart)?void 0:t.backgroundColor)||this.background,titleColor:(null==(e=this.xyChart)?void 0:e.titleColor)||this.primaryTextColor,xAxisTitleColor:(null==(i=this.xyChart)?void 0:i.xAxisTitleColor)||this.primaryTextColor,xAxisLabelColor:(null==(r=this.xyChart)?void 0:r.xAxisLabelColor)||this.primaryTextColor,xAxisTickColor:(null==(n=this.xyChart)?void 0:n.xAxisTickColor)||this.primaryTextColor,xAxisLineColor:(null==(o=this.xyChart)?void 0:o.xAxisLineColor)||this.primaryTextColor,yAxisTitleColor:(null==(a=this.xyChart)?void 0:a.yAxisTitleColor)||this.primaryTextColor,yAxisLabelColor:(null==(s=this.xyChart)?void 0:s.yAxisLabelColor)||this.primaryTextColor,yAxisTickColor:(null==(l=this.xyChart)?void 0:l.yAxisTickColor)||this.primaryTextColor,yAxisLineColor:(null==(c=this.xyChart)?void 0:c.yAxisLineColor)||this.primaryTextColor,plotColorPalette:(null==(u=this.xyChart)?void 0:u.plotColorPalette)||"#EEE,#6BB8E4,#8ACB88,#C7ACD6,#E8DCC2,#FFB2A8,#FFF380,#7E8D91,#FFD8B1,#FAF3E0"},this.requirementBackground=this.requirementBackground||this.primaryColor,this.requirementBorderColor=this.requirementBorderColor||this.primaryBorderColor,this.requirementBorderSize=this.requirementBorderSize||"1",this.requirementTextColor=this.requirementTextColor||this.primaryTextColor,this.relationColor=this.relationColor||this.lineColor,this.relationLabelBackground=this.relationLabelBackground||this.edgeLabelBackground,this.relationLabelColor=this.relationLabelColor||this.actorTextColor,this.git0=(0,p.Z)(this.pie1,25)||this.primaryColor,this.git1=this.pie2||this.secondaryColor,this.git2=this.pie3||this.tertiaryColor,this.git3=this.pie4||h(this.primaryColor,{h:-30}),this.git4=this.pie5||h(this.primaryColor,{h:-60}),this.git5=this.pie6||h(this.primaryColor,{h:-90}),this.git6=this.pie7||h(this.primaryColor,{h:60}),this.git7=this.pie8||h(this.primaryColor,{h:120}),this.gitInv0=this.gitInv0||f(this.git0),this.gitInv1=this.gitInv1||f(this.git1),this.gitInv2=this.gitInv2||f(this.git2),this.gitInv3=this.gitInv3||f(this.git3),this.gitInv4=this.gitInv4||f(this.git4),this.gitInv5=this.gitInv5||f(this.git5),this.gitInv6=this.gitInv6||f(this.git6),this.gitInv7=this.gitInv7||f(this.git7),this.branchLabelColor=this.branchLabelColor||this.labelTextColor,this.gitBranchLabel0=this.branchLabelColor,this.gitBranchLabel1="white",this.gitBranchLabel2=this.branchLabelColor,this.gitBranchLabel3="white",this.gitBranchLabel4=this.branchLabelColor,this.gitBranchLabel5=this.branchLabelColor,this.gitBranchLabel6=this.branchLabelColor,this.gitBranchLabel7=this.branchLabelColor,this.tagLabelColor=this.tagLabelColor||this.primaryTextColor,this.tagLabelBackground=this.tagLabelBackground||this.primaryColor,this.tagLabelBorder=this.tagBorder||this.primaryBorderColor,this.tagLabelFontSize=this.tagLabelFontSize||"10px",this.commitLabelColor=this.commitLabelColor||this.secondaryTextColor,this.commitLabelBackground=this.commitLabelBackground||this.secondaryColor,this.commitLabelFontSize=this.commitLabelFontSize||"10px",this.attributeBackgroundColorOdd=this.attributeBackgroundColorOdd||kt,this.attributeBackgroundColorEven=this.attributeBackgroundColorEven||Tt}calculate(t){if("object"!=typeof t)return void this.updateColors();const e=Object.keys(t);e.forEach((e=>{this[e]=t[e]})),this.updateColors(),e.forEach((e=>{this[e]=t[e]}))}}const Mt={base:{getThemeVariables:t=>{const e=new wt;return e.calculate(t),e}},dark:{getThemeVariables:t=>{const e=new St;return e.calculate(t),e}},default:{getThemeVariables:Ft},forest:{getThemeVariables:t=>{const e=new Lt;return e.calculate(t),e}},neutral:{getThemeVariables:t=>{const e=new At;return e.calculate(t),e}}},Et={flowchart:{useMaxWidth:!0,titleTopMargin:25,diagramPadding:8,htmlLabels:!0,nodeSpacing:50,rankSpacing:50,curve:"basis",padding:15,defaultRenderer:"dagre-wrapper",wrappingWidth:200},sequence:{useMaxWidth:!0,hideUnusedParticipants:!1,activationWidth:10,diagramMarginX:50,diagramMarginY:10,actorMargin:50,width:150,height:65,boxMargin:10,boxTextMargin:5,noteMargin:10,messageMargin:35,messageAlign:"center",mirrorActors:!0,forceMenus:!1,bottomMarginAdj:1,rightAngles:!1,showSequenceNumbers:!1,actorFontSize:14,actorFontFamily:'"Open Sans", sans-serif',actorFontWeight:400,noteFontSize:14,noteFontFamily:'"trebuchet ms", verdana, arial, sans-serif',noteFontWeight:400,noteAlign:"center",messageFontSize:16,messageFontFamily:'"trebuchet ms", verdana, arial, sans-serif',messageFontWeight:400,wrap:!1,wrapPadding:10,labelBoxWidth:50,labelBoxHeight:20},gantt:{useMaxWidth:!0,titleTopMargin:25,barHeight:20,barGap:4,topPadding:50,rightPadding:75,leftPadding:75,gridLineStartPadding:35,fontSize:11,sectionFontSize:11,numberSectionStyles:4,axisFormat:"%Y-%m-%d",topAxis:!1,displayMode:"",weekday:"sunday"},journey:{useMaxWidth:!0,diagramMarginX:50,diagramMarginY:10,leftMargin:150,width:150,height:50,boxMargin:10,boxTextMargin:5,noteMargin:10,messageMargin:35,messageAlign:"center",bottomMarginAdj:1,rightAngles:!1,taskFontSize:14,taskFontFamily:'"Open Sans", sans-serif',taskMargin:50,activationWidth:10,textPlacement:"fo",actorColours:["#8FBC8F","#7CFC00","#00FFFF","#20B2AA","#B0E0E6","#FFFFE0"],sectionFills:["#191970","#8B008B","#4B0082","#2F4F4F","#800000","#8B4513","#00008B"],sectionColours:["#fff"]},class:{useMaxWidth:!0,titleTopMargin:25,arrowMarkerAbsolute:!1,dividerMargin:10,padding:5,textHeight:10,defaultRenderer:"dagre-wrapper",htmlLabels:!1},state:{useMaxWidth:!0,titleTopMargin:25,dividerMargin:10,sizeUnit:5,padding:8,textHeight:10,titleShift:-15,noteMargin:10,forkWidth:70,forkHeight:7,miniPadding:2,fontSizeFactor:5.02,fontSize:24,labelHeight:16,edgeLengthFactor:"20",compositTitleSize:35,radius:5,defaultRenderer:"dagre-wrapper"},er:{useMaxWidth:!0,titleTopMargin:25,diagramPadding:20,layoutDirection:"TB",minEntityWidth:100,minEntityHeight:75,entityPadding:15,stroke:"gray",fill:"honeydew",fontSize:12},pie:{useMaxWidth:!0,textPosition:.75},quadrantChart:{useMaxWidth:!0,chartWidth:500,chartHeight:500,titleFontSize:20,titlePadding:10,quadrantPadding:5,xAxisLabelPadding:5,yAxisLabelPadding:5,xAxisLabelFontSize:16,yAxisLabelFontSize:16,quadrantLabelFontSize:16,quadrantTextTopPadding:5,pointTextPadding:5,pointLabelFontSize:12,pointRadius:5,xAxisPosition:"top",yAxisPosition:"left",quadrantInternalBorderStrokeWidth:1,quadrantExternalBorderStrokeWidth:2},xyChart:{useMaxWidth:!0,width:700,height:500,titleFontSize:20,titlePadding:10,showTitle:!0,xAxis:{$ref:"#/$defs/XYChartAxisConfig",showLabel:!0,labelFontSize:14,labelPadding:5,showTitle:!0,titleFontSize:16,titlePadding:5,showTick:!0,tickLength:5,tickWidth:2,showAxisLine:!0,axisLineWidth:2},yAxis:{$ref:"#/$defs/XYChartAxisConfig",showLabel:!0,labelFontSize:14,labelPadding:5,showTitle:!0,titleFontSize:16,titlePadding:5,showTick:!0,tickLength:5,tickWidth:2,showAxisLine:!0,axisLineWidth:2},chartOrientation:"vertical",plotReservedSpacePercent:50},requirement:{useMaxWidth:!0,rect_fill:"#f9f9f9",text_color:"#333",rect_border_size:"0.5px",rect_border_color:"#bbb",rect_min_width:200,rect_min_height:200,fontSize:14,rect_padding:10,line_height:20},mindmap:{useMaxWidth:!0,padding:10,maxNodeWidth:200},timeline:{useMaxWidth:!0,diagramMarginX:50,diagramMarginY:10,leftMargin:150,width:150,height:50,boxMargin:10,boxTextMargin:5,noteMargin:10,messageMargin:35,messageAlign:"center",bottomMarginAdj:1,rightAngles:!1,taskFontSize:14,taskFontFamily:'"Open Sans", sans-serif',taskMargin:50,activationWidth:10,textPlacement:"fo",actorColours:["#8FBC8F","#7CFC00","#00FFFF","#20B2AA","#B0E0E6","#FFFFE0"],sectionFills:["#191970","#8B008B","#4B0082","#2F4F4F","#800000","#8B4513","#00008B"],sectionColours:["#fff"],disableMulticolor:!1},gitGraph:{useMaxWidth:!0,titleTopMargin:25,diagramPadding:8,nodeLabel:{width:75,height:100,x:-25,y:0},mainBranchName:"main",mainBranchOrder:0,showCommitLabel:!0,showBranches:!0,rotateCommitLabel:!0,arrowMarkerAbsolute:!1},c4:{useMaxWidth:!0,diagramMarginX:50,diagramMarginY:10,c4ShapeMargin:50,c4ShapePadding:20,width:216,height:60,boxMargin:10,c4ShapeInRow:4,nextLinePaddingX:0,c4BoundaryInRow:2,personFontSize:14,personFontFamily:'"Open Sans", sans-serif',personFontWeight:"normal",external_personFontSize:14,external_personFontFamily:'"Open Sans", sans-serif',external_personFontWeight:"normal",systemFontSize:14,systemFontFamily:'"Open Sans", sans-serif',systemFontWeight:"normal",external_systemFontSize:14,external_systemFontFamily:'"Open Sans", sans-serif',external_systemFontWeight:"normal",system_dbFontSize:14,system_dbFontFamily:'"Open Sans", sans-serif',system_dbFontWeight:"normal",external_system_dbFontSize:14,external_system_dbFontFamily:'"Open Sans", sans-serif',external_system_dbFontWeight:"normal",system_queueFontSize:14,system_queueFontFamily:'"Open Sans", sans-serif',system_queueFontWeight:"normal",external_system_queueFontSize:14,external_system_queueFontFamily:'"Open Sans", sans-serif',external_system_queueFontWeight:"normal",boundaryFontSize:14,boundaryFontFamily:'"Open Sans", sans-serif',boundaryFontWeight:"normal",messageFontSize:12,messageFontFamily:'"Open Sans", sans-serif',messageFontWeight:"normal",containerFontSize:14,containerFontFamily:'"Open Sans", sans-serif',containerFontWeight:"normal",external_containerFontSize:14,external_containerFontFamily:'"Open Sans", sans-serif',external_containerFontWeight:"normal",container_dbFontSize:14,container_dbFontFamily:'"Open Sans", sans-serif',container_dbFontWeight:"normal",external_container_dbFontSize:14,external_container_dbFontFamily:'"Open Sans", sans-serif',external_container_dbFontWeight:"normal",container_queueFontSize:14,container_queueFontFamily:'"Open Sans", sans-serif',container_queueFontWeight:"normal",external_container_queueFontSize:14,external_container_queueFontFamily:'"Open Sans", sans-serif',external_container_queueFontWeight:"normal",componentFontSize:14,componentFontFamily:'"Open Sans", sans-serif',componentFontWeight:"normal",external_componentFontSize:14,external_componentFontFamily:'"Open Sans", sans-serif',external_componentFontWeight:"normal",component_dbFontSize:14,component_dbFontFamily:'"Open Sans", sans-serif',component_dbFontWeight:"normal",external_component_dbFontSize:14,external_component_dbFontFamily:'"Open Sans", sans-serif',external_component_dbFontWeight:"normal",component_queueFontSize:14,component_queueFontFamily:'"Open Sans", sans-serif',component_queueFontWeight:"normal",external_component_queueFontSize:14,external_component_queueFontFamily:'"Open Sans", sans-serif',external_component_queueFontWeight:"normal",wrap:!0,wrapPadding:10,person_bg_color:"#08427B",person_border_color:"#073B6F",external_person_bg_color:"#686868",external_person_border_color:"#8A8A8A",system_bg_color:"#1168BD",system_border_color:"#3C7FC0",system_db_bg_color:"#1168BD",system_db_border_color:"#3C7FC0",system_queue_bg_color:"#1168BD",system_queue_border_color:"#3C7FC0",external_system_bg_color:"#999999",external_system_border_color:"#8A8A8A",external_system_db_bg_color:"#999999",external_system_db_border_color:"#8A8A8A",external_system_queue_bg_color:"#999999",external_system_queue_border_color:"#8A8A8A",container_bg_color:"#438DD5",container_border_color:"#3C7FC0",container_db_bg_color:"#438DD5",container_db_border_color:"#3C7FC0",container_queue_bg_color:"#438DD5",container_queue_border_color:"#3C7FC0",external_container_bg_color:"#B3B3B3",external_container_border_color:"#A6A6A6",external_container_db_bg_color:"#B3B3B3",external_container_db_border_color:"#A6A6A6",external_container_queue_bg_color:"#B3B3B3",external_container_queue_border_color:"#A6A6A6",component_bg_color:"#85BBF0",component_border_color:"#78A8D8",component_db_bg_color:"#85BBF0",component_db_border_color:"#78A8D8",component_queue_bg_color:"#85BBF0",component_queue_border_color:"#78A8D8",external_component_bg_color:"#CCCCCC",external_component_border_color:"#BFBFBF",external_component_db_bg_color:"#CCCCCC",external_component_db_border_color:"#BFBFBF",external_component_queue_bg_color:"#CCCCCC",external_component_queue_border_color:"#BFBFBF"},sankey:{useMaxWidth:!0,width:600,height:400,linkColor:"gradient",nodeAlignment:"justify",showValues:!0,prefix:"",suffix:""},theme:"default",maxTextSize:5e4,darkMode:!1,fontFamily:'"trebuchet ms", verdana, arial, sans-serif;',logLevel:5,securityLevel:"strict",startOnLoad:!0,arrowMarkerAbsolute:!1,secure:["secure","securityLevel","startOnLoad","maxTextSize"],deterministicIds:!1,fontSize:16},Nt={...Et,deterministicIDSeed:void 0,themeCSS:void 0,themeVariables:Mt.default.getThemeVariables(),sequence:{...Et.sequence,messageFont:function(){return{fontFamily:this.messageFontFamily,fontSize:this.messageFontSize,fontWeight:this.messageFontWeight}},noteFont:function(){return{fontFamily:this.noteFontFamily,fontSize:this.noteFontSize,fontWeight:this.noteFontWeight}},actorFont:function(){return{fontFamily:this.actorFontFamily,fontSize:this.actorFontSize,fontWeight:this.actorFontWeight}}},gantt:{...Et.gantt,tickInterval:void 0,useWidth:void 0},c4:{...Et.c4,useWidth:void 0,personFont:function(){return{fontFamily:this.personFontFamily,fontSize:this.personFontSize,fontWeight:this.personFontWeight}},external_personFont:function(){return{fontFamily:this.external_personFontFamily,fontSize:this.external_personFontSize,fontWeight:this.external_personFontWeight}},systemFont:function(){return{fontFamily:this.systemFontFamily,fontSize:this.systemFontSize,fontWeight:this.systemFontWeight}},external_systemFont:function(){return{fontFamily:this.external_systemFontFamily,fontSize:this.external_systemFontSize,fontWeight:this.external_systemFontWeight}},system_dbFont:function(){return{fontFamily:this.system_dbFontFamily,fontSize:this.system_dbFontSize,fontWeight:this.system_dbFontWeight}},external_system_dbFont:function(){return{fontFamily:this.external_system_dbFontFamily,fontSize:this.external_system_dbFontSize,fontWeight:this.external_system_dbFontWeight}},system_queueFont:function(){return{fontFamily:this.system_queueFontFamily,fontSize:this.system_queueFontSize,fontWeight:this.system_queueFontWeight}},external_system_queueFont:function(){return{fontFamily:this.external_system_queueFontFamily,fontSize:this.external_system_queueFontSize,fontWeight:this.external_system_queueFontWeight}},containerFont:function(){return{fontFamily:this.containerFontFamily,fontSize:this.containerFontSize,fontWeight:this.containerFontWeight}},external_containerFont:function(){return{fontFamily:this.external_containerFontFamily,fontSize:this.external_containerFontSize,fontWeight:this.external_containerFontWeight}},container_dbFont:function(){return{fontFamily:this.container_dbFontFamily,fontSize:this.container_dbFontSize,fontWeight:this.container_dbFontWeight}},external_container_dbFont:function(){return{fontFamily:this.external_container_dbFontFamily,fontSize:this.external_container_dbFontSize,fontWeight:this.external_container_dbFontWeight}},container_queueFont:function(){return{fontFamily:this.container_queueFontFamily,fontSize:this.container_queueFontSize,fontWeight:this.container_queueFontWeight}},external_container_queueFont:function(){return{fontFamily:this.external_container_queueFontFamily,fontSize:this.external_container_queueFontSize,fontWeight:this.external_container_queueFontWeight}},componentFont:function(){return{fontFamily:this.componentFontFamily,fontSize:this.componentFontSize,fontWeight:this.componentFontWeight}},external_componentFont:function(){return{fontFamily:this.external_componentFontFamily,fontSize:this.external_componentFontSize,fontWeight:this.external_componentFontWeight}},component_dbFont:function(){return{fontFamily:this.component_dbFontFamily,fontSize:this.component_dbFontSize,fontWeight:this.component_dbFontWeight}},external_component_dbFont:function(){return{fontFamily:this.external_component_dbFontFamily,fontSize:this.external_component_dbFontSize,fontWeight:this.external_component_dbFontWeight}},component_queueFont:function(){return{fontFamily:this.component_queueFontFamily,fontSize:this.component_queueFontSize,fontWeight:this.component_queueFontWeight}},external_component_queueFont:function(){return{fontFamily:this.external_component_queueFontFamily,fontSize:this.external_component_queueFontSize,fontWeight:this.external_component_queueFontWeight}},boundaryFont:function(){return{fontFamily:this.boundaryFontFamily,fontSize:this.boundaryFontSize,fontWeight:this.boundaryFontWeight}},messageFont:function(){return{fontFamily:this.messageFontFamily,fontSize:this.messageFontSize,fontWeight:this.messageFontWeight}}},pie:{...Et.pie,useWidth:984},xyChart:{...Et.xyChart,useWidth:void 0},requirement:{...Et.requirement,useWidth:void 0},gitGraph:{...Et.gitGraph,useMaxWidth:!1},sankey:{...Et.sankey,useMaxWidth:!1}},jt=(t,e="")=>Object.keys(t).reduce(((i,r)=>Array.isArray(t[r])?i:"object"==typeof t[r]&&null!==t[r]?[...i,e+r,...jt(t[r],"")]:[...i,e+r]),[]),Zt=new Set(jt(Nt,"")),It=Nt,Ot=t=>{if(st.debug("sanitizeDirective called with",t),"object"==typeof t&&null!=t)if(Array.isArray(t))t.forEach((t=>Ot(t)));else{for(const e of Object.keys(t)){if(st.debug("Checking key",e),e.startsWith("__")||e.includes("proto")||e.includes("constr")||!Zt.has(e)||null==t[e]){st.debug("sanitize deleting key: ",e),delete t[e];continue}if("object"==typeof t[e]){st.debug("sanitizing object",e),Ot(t[e]);continue}const i=["themeCSS","fontFamily","altFontFamily"];for(const r of i)e.includes(r)&&(st.debug("sanitizing css option",e),t[e]=Dt(t[e]))}if(t.themeVariables)for(const e of Object.keys(t.themeVariables)){const i=t.themeVariables[e];(null==i?void 0:i.match)&&!i.match(/^[\d "#%(),.;A-Za-z]+$/)&&(t.themeVariables[e]="")}st.debug("After sanitization",t)}},Dt=t=>{let e=0,i=0;for(const r of t){if(e<i)return"{ /* ERROR: Unbalanced CSS */ }";"{"===r?e++:"}"===r&&i++}return e!==i?"{ /* ERROR: Unbalanced CSS */ }":t},qt=/^-{3}\s*[\n\r](.*?)[\n\r]-{3}\s*[\n\r]+/s,$t=/%{2}{\s*(?:(\w+)\s*:|(\w+))\s*(?:(\w+)|((?:(?!}%{2}).|\r?\n)*))?\s*(?:}%{2})?/gi,zt=/\s*%%.*\n/gm;class Pt extends Error{constructor(t){super(t),this.name="UnknownDiagramError"}}const Rt={},Ht=function(t,e){t=t.replace(qt,"").replace($t,"").replace(zt,"\n");for(const[i,{detector:r}]of Object.entries(Rt)){if(r(t,e))return i}throw new Pt(`No diagram type detected matching given configuration for text: ${t}`)},Wt=(...t)=>{for(const{id:e,detector:i,loader:r}of t)Ut(e,i,r)},Ut=(t,e,i)=>{Rt[t]?st.error(`Detector with key ${t} already exists`):Rt[t]={detector:e,loader:i},st.debug(`Detector with key ${t} added${i?" with loader":""}`)},Yt=(t,e,{depth:i=2,clobber:r=!1}={})=>{const n={depth:i,clobber:r};return Array.isArray(e)&&!Array.isArray(t)?(e.forEach((e=>Yt(t,e,n))),t):Array.isArray(e)&&Array.isArray(t)?(e.forEach((e=>{t.includes(e)||t.push(e)})),t):void 0===t||i<=0?null!=t&&"object"==typeof t&&"object"==typeof e?Object.assign(t,e):e:(void 0!==e&&"object"==typeof t&&"object"==typeof e&&Object.keys(e).forEach((n=>{"object"!=typeof e[n]||void 0!==t[n]&&"object"!=typeof t[n]?(r||"object"!=typeof t[n]&&"object"!=typeof e[n])&&(t[n]=e[n]):(void 0===t[n]&&(t[n]=Array.isArray(e[n])?[]:{}),t[n]=Yt(t[n],e[n],{depth:i-1,clobber:r}))})),t)},Vt=Yt,Gt="\u200b",Xt={curveBasis:a.$0Z,curveBasisClosed:a.Dts,curveBasisOpen:a.WQY,curveBumpX:a.qpX,curveBumpY:a.u93,curveBundle:a.tFB,curveCardinalClosed:a.OvA,curveCardinalOpen:a.dCK,curveCardinal:a.YY7,curveCatmullRomClosed:a.fGX,curveCatmullRomOpen:a.$m7,curveCatmullRom:a.zgE,curveLinear:a.c_6,curveLinearClosed:a.fxm,curveMonotoneX:a.FdL,curveMonotoneY:a.ak_,curveNatural:a.SxZ,curveStep:a.eA_,curveStepAfter:a.jsv,curveStepBefore:a.iJ},Jt=/\s*(?:(\w+)(?=:):|(\w+))\s*(?:(\w+)|((?:(?!}%{2}).|\r?\n)*))?\s*(?:}%{2})?/gi,Qt=function(t,e=null){try{const i=new RegExp(`[%]{2}(?![{]${Jt.source})(?=[}][%]{2}).*\n`,"ig");let r;t=t.trim().replace(i,"").replace(/'/gm,'"'),st.debug(`Detecting diagram directive${null!==e?" type:"+e:""} based on the text:${t}`);const n=[];for(;null!==(r=$t.exec(t));)if(r.index===$t.lastIndex&&$t.lastIndex++,r&&!e||e&&r[1]&&r[1].match(e)||e&&r[2]&&r[2].match(e)){const t=r[1]?r[1]:r[2],e=r[3]?r[3].trim():r[4]?JSON.parse(r[4].trim()):null;n.push({type:t,args:e})}return 0===n.length?{type:t,args:null}:1===n.length?n[0]:n}catch(i){return st.error(`ERROR: ${i.message} - Unable to parse directive type: '${e}' based on the text: '${t}'`),{type:void 0,args:null}}};function Kt(t,e){if(!t)return e;const i=`curve${t.charAt(0).toUpperCase()+t.slice(1)}`;return Xt[i]??e}function te(t,e){return t&&e?Math.sqrt(Math.pow(e.x-t.x,2)+Math.pow(e.y-t.y,2)):0}const ee=(t,e=2)=>{const i=Math.pow(10,e);return Math.round(t*i)/i},ie=(t,e)=>{let i,r=e;for(const n of t){if(i){const t=te(n,i);if(t<r)r-=t;else{const e=r/t;if(e<=0)return i;if(e>=1)return{x:n.x,y:n.y};if(e>0&&e<1)return{x:ee((1-e)*i.x+e*n.x,5),y:ee((1-e)*i.y+e*n.y,5)}}}i=n}throw new Error("Could not find a suitable point for the given distance")};function re(t){let e="",i="";for(const r of t)void 0!==r&&(r.startsWith("color:")||r.startsWith("text-align:")?i=i+r+";":e=e+r+";");return{style:e,labelStyle:i}}let ne=0;const oe=()=>(ne++,"id-"+Math.random().toString(36).substr(2,12)+"-"+ne);const ae=t=>function(t){let e="";const i="0123456789abcdef";for(let r=0;r<t;r++)e+=i.charAt(Math.floor(16*Math.random()));return e}(t.length),se=function(t,e){const i=e.text.replace(_t.lineBreakRegex," "),[,r]=ge(e.fontSize),n=t.append("text");n.attr("x",e.x),n.attr("y",e.y),n.style("text-anchor",e.anchor),n.style("font-family",e.fontFamily),n.style("font-size",r),n.style("font-weight",e.fontWeight),n.attr("fill",e.fill),void 0!==e.class&&n.attr("class",e.class);const o=n.append("tspan");return o.attr("x",e.x+2*e.textMargin),o.attr("fill",e.fill),o.text(i),n},le=(0,y.Z)(((t,e,i)=>{if(!t)return t;if(i=Object.assign({fontSize:12,fontWeight:400,fontFamily:"Arial",joinWith:"<br/>"},i),_t.lineBreakRegex.test(t))return t;const r=t.split(" "),n=[];let o="";return r.forEach(((t,a)=>{const s=ue(`${t} `,i),l=ue(o,i);if(s>e){const{hyphenatedStrings:r,remainingWord:a}=ce(t,e,"-",i);n.push(o,...r),o=a}else l+s>=e?(n.push(o),o=t):o=[o,t].filter(Boolean).join(" ");a+1===r.length&&n.push(o)})),n.filter((t=>""!==t)).join(i.joinWith)}),((t,e,i)=>`${t}${e}${i.fontSize}${i.fontWeight}${i.fontFamily}${i.joinWith}`)),ce=(0,y.Z)(((t,e,i="-",r)=>{r=Object.assign({fontSize:12,fontWeight:400,fontFamily:"Arial",margin:0},r);const n=[...t],o=[];let a="";return n.forEach(((t,s)=>{const l=`${a}${t}`;if(ue(l,r)>=e){const t=s+1,e=n.length===t,r=`${l}${i}`;o.push(e?l:r),a=""}else a=l})),{hyphenatedStrings:o,remainingWord:a}}),((t,e,i="-",r)=>`${t}${e}${i}${r.fontSize}${r.fontWeight}${r.fontFamily}`));function he(t,e){return de(t,e).height}function ue(t,e){return de(t,e).width}const de=(0,y.Z)(((t,e)=>{const{fontSize:i=12,fontFamily:r="Arial",fontWeight:n=400}=e;if(!t)return{width:0,height:0};const[,o]=ge(i),s=["sans-serif",r],l=t.split(_t.lineBreakRegex),c=[],h=(0,a.Ys)("body");if(!h.remove)return{width:0,height:0,lineHeight:0};const u=h.append("svg");for(const a of s){let t=0;const e={width:0,height:0,lineHeight:0};for(const i of l){const r={x:0,y:0,fill:void 0,anchor:"start",style:"#666",width:100,height:100,textMargin:0,rx:0,ry:0,valign:void 0,text:""};r.text=i||Gt;const s=se(u,r).style("font-size",o).style("font-weight",n).style("font-family",a),l=(s._groups||s)[0][0].getBBox();if(0===l.width&&0===l.height)throw new Error("svg element not in render tree");e.width=Math.round(Math.max(e.width,l.width)),t=Math.round(l.height),e.height+=t,e.lineHeight=Math.round(Math.max(e.lineHeight,t))}c.push(e)}u.remove();return c[isNaN(c[1].height)||isNaN(c[1].width)||isNaN(c[1].lineHeight)||c[0].height>c[1].height&&c[0].width>c[1].width&&c[0].lineHeight>c[1].lineHeight?0:1]}),((t,e)=>`${t}${e.fontSize}${e.fontWeight}${e.fontFamily}`));let fe;function pe(t){return"str"in t}const ge=t=>{if("number"==typeof t)return[t,t+"px"];const e=parseInt(t??"",10);return Number.isNaN(e)?[void 0,void 0]:t===String(e)?[e,t+"px"]:[e,t]};function me(t,e){return(0,x.Z)({},t,e)}const ye={assignWithDepth:Vt,wrapLabel:le,calculateTextHeight:he,calculateTextWidth:ue,calculateTextDimensions:de,cleanAndMerge:me,detectInit:function(t,e){const i=Qt(t,/(?:init\b)|(?:initialize\b)/);let r={};if(Array.isArray(i)){const t=i.map((t=>t.args));Ot(t),r=Vt(r,[...t])}else r=i.args;if(!r)return;let n=Ht(t,e);const o="config";return void 0!==r[o]&&("flowchart-v2"===n&&(n="flowchart"),r[n]=r[o],delete r[o]),r},detectDirective:Qt,isSubstringInArray:function(t,e){for(const[i,r]of e.entries())if(r.match(t))return i;return-1},interpolateToCurve:Kt,calcLabelPosition:function(t){return 1===t.length?t[0]:function(t){let e,i=0;return t.forEach((t=>{i+=te(t,e),e=t})),ie(t,i/2)}(t)},calcCardinalityPosition:(t,e,i)=>{st.info(`our points ${JSON.stringify(e)}`),e[0]!==i&&(e=e.reverse());const r=ie(e,25),n=t?10:5,o=Math.atan2(e[0].y-r.y,e[0].x-r.x),a={x:0,y:0};return a.x=Math.sin(o)*n+(e[0].x+r.x)/2,a.y=-Math.cos(o)*n+(e[0].y+r.y)/2,a},calcTerminalLabelPosition:function(t,e,i){const r=structuredClone(i);st.info("our points",r),"start_left"!==e&&"start_right"!==e&&r.reverse();const n=ie(r,25+t),o=10+.5*t,a=Math.atan2(r[0].y-n.y,r[0].x-n.x),s={x:0,y:0};return"start_left"===e?(s.x=Math.sin(a+Math.PI)*o+(r[0].x+n.x)/2,s.y=-Math.cos(a+Math.PI)*o+(r[0].y+n.y)/2):"end_right"===e?(s.x=Math.sin(a-Math.PI)*o+(r[0].x+n.x)/2-5,s.y=-Math.cos(a-Math.PI)*o+(r[0].y+n.y)/2-5):"end_left"===e?(s.x=Math.sin(a)*o+(r[0].x+n.x)/2-5,s.y=-Math.cos(a)*o+(r[0].y+n.y)/2-5):(s.x=Math.sin(a)*o+(r[0].x+n.x)/2,s.y=-Math.cos(a)*o+(r[0].y+n.y)/2),s},formatUrl:function(t,e){const i=t.trim();if(i)return"loose"!==e.securityLevel?(0,o.Nm)(i):i},getStylesFromArray:re,generateId:oe,random:ae,runFunc:(t,...e)=>{const i=t.split("."),r=i.length-1,n=i[r];let o=window;for(let a=0;a<r;a++)if(o=o[i[a]],!o)return void st.error(`Function name: ${t} not found in window`);o[n](...e)},entityDecode:function(t){return fe=fe||document.createElement("div"),t=escape(t).replace(/%26/g,"&").replace(/%23/g,"#").replace(/%3B/g,";"),fe.innerHTML=t,unescape(fe.textContent)},insertTitle:(t,e,i,r)=>{var n;if(!r)return;const o=null==(n=t.node())?void 0:n.getBBox();o&&t.append("text").text(r).attr("x",o.x+o.width/2).attr("y",-i).attr("class",e)},parseFontSize:ge,InitIDGenerator:class{constructor(t=!1,e){this.count=0,this.count=e?e.length:0,this.next=t?()=>this.count++:()=>Date.now()}}},xe="10.6.1",be=Object.freeze(It);let Ce,_e=Vt({},be),ve=[],ke=Vt({},be);const Te=(t,e)=>{let i=Vt({},t),r={};for(const n of e)Fe(n),r=Vt(r,n);if(i=Vt(i,r),r.theme&&r.theme in Mt){const t=Vt({},Ce),e=Vt(t.themeVariables||{},r.themeVariables);i.theme&&i.theme in Mt&&(i.themeVariables=Mt[i.theme].getThemeVariables(e))}return ke=i,Ne(ke),ke},we=()=>Vt({},_e),Se=t=>(Ne(t),Vt(ke,t),Be()),Be=()=>Vt({},ke),Fe=t=>{t&&(["secure",..._e.secure??[]].forEach((e=>{Object.hasOwn(t,e)&&(st.debug(`Denied attempt to modify a secure key ${e}`,t[e]),delete t[e])})),Object.keys(t).forEach((e=>{e.startsWith("__")&&delete t[e]})),Object.keys(t).forEach((e=>{"string"==typeof t[e]&&(t[e].includes("<")||t[e].includes(">")||t[e].includes("url(data:"))&&delete t[e],"object"==typeof t[e]&&Fe(t[e])})))},Le=t=>{Ot(t),!t.fontFamily||t.themeVariables&&t.themeVariables.fontFamily||(t.themeVariables={fontFamily:t.fontFamily}),ve.push(t),Te(_e,ve)},Ae=(t=_e)=>{ve=[],Te(t,ve)},Me={LAZY_LOAD_DEPRECATED:"The configuration options lazyLoadedDiagrams and loadExternalDiagramsAtStartup are deprecated. Please use registerExternalDiagrams instead."},Ee={},Ne=t=>{var e;t&&((t.lazyLoadedDiagrams||t.loadExternalDiagramsAtStartup)&&(Ee[e="LAZY_LOAD_DEPRECATED"]||(st.warn(Me[e]),Ee[e]=!0)))},je={id:"c4",detector:t=>/^\s*C4Context|C4Container|C4Component|C4Dynamic|C4Deployment/.test(t),loader:async()=>{const{diagram:t}=await i.e(132).then(i.bind(i,132));return{id:"c4",diagram:t}}},Ze="flowchart",Ie={id:Ze,detector:(t,e)=>{var i,r;return"dagre-wrapper"!==(null==(i=null==e?void 0:e.flowchart)?void 0:i.defaultRenderer)&&"elk"!==(null==(r=null==e?void 0:e.flowchart)?void 0:r.defaultRenderer)&&/^\s*graph/.test(t)},loader:async()=>{const{diagram:t}=await Promise.all([i.e(1644),i.e(3076),i.e(5269),i.e(7936),i.e(8955),i.e(1763)]).then(i.bind(i,1763));return{id:Ze,diagram:t}}},Oe="flowchart-v2",De={id:Oe,detector:(t,e)=>{var i,r,n;return"dagre-d3"!==(null==(i=null==e?void 0:e.flowchart)?void 0:i.defaultRenderer)&&"elk"!==(null==(r=null==e?void 0:e.flowchart)?void 0:r.defaultRenderer)&&(!(!/^\s*graph/.test(t)||"dagre-wrapper"!==(null==(n=null==e?void 0:e.flowchart)?void 0:n.defaultRenderer))||/^\s*flowchart/.test(t))},loader:async()=>{const{diagram:t}=await Promise.all([i.e(1644),i.e(3076),i.e(5269),i.e(7936),i.e(8955),i.e(9893)]).then(i.bind(i,9893));return{id:Oe,diagram:t}}},qe={id:"er",detector:t=>/^\s*erDiagram/.test(t),loader:async()=>{const{diagram:t}=await Promise.all([i.e(1644),i.e(3343)]).then(i.bind(i,3343));return{id:"er",diagram:t}}},$e="gitGraph",ze={id:$e,detector:t=>/^\s*gitGraph/.test(t),loader:async()=>{const{diagram:t}=await i.e(3619).then(i.bind(i,3619));return{id:$e,diagram:t}}},Pe="gantt",Re={id:Pe,detector:t=>/^\s*gantt/.test(t),loader:async()=>{const{diagram:t}=await i.e(8016).then(i.bind(i,8016));return{id:Pe,diagram:t}}},He="info",We={id:He,detector:t=>/^\s*info/.test(t),loader:async()=>{const{diagram:t}=await i.e(5326).then(i.bind(i,5326));return{id:He,diagram:t}}},Ue={id:"pie",detector:t=>/^\s*pie/.test(t),loader:async()=>{const{diagram:t}=await i.e(2661).then(i.bind(i,2661));return{id:"pie",diagram:t}}},Ye="quadrantChart",Ve={id:Ye,detector:t=>/^\s*quadrantChart/.test(t),loader:async()=>{const{diagram:t}=await i.e(6648).then(i.bind(i,6648));return{id:Ye,diagram:t}}},Ge="xychart",Xe={id:Ge,detector:t=>/^\s*xychart-beta/.test(t),loader:async()=>{const{diagram:t}=await Promise.all([i.e(3076),i.e(2693)]).then(i.bind(i,8088));return{id:Ge,diagram:t}}},Je="requirement",Qe={id:Je,detector:t=>/^\s*requirement(Diagram)?/.test(t),loader:async()=>{const{diagram:t}=await Promise.all([i.e(1644),i.e(6985)]).then(i.bind(i,6985));return{id:Je,diagram:t}}},Ke="sequence",ti={id:Ke,detector:t=>/^\s*sequenceDiagram/.test(t),loader:async()=>{const{diagram:t}=await i.e(5790).then(i.bind(i,5790));return{id:Ke,diagram:t}}},ei="class",ii={id:ei,detector:(t,e)=>{var i;return"dagre-wrapper"!==(null==(i=null==e?void 0:e.class)?void 0:i.defaultRenderer)&&/^\s*classDiagram/.test(t)},loader:async()=>{const{diagram:t}=await Promise.all([i.e(1644),i.e(4706),i.e(109)]).then(i.bind(i,109));return{id:ei,diagram:t}}},ri="classDiagram",ni={id:ri,detector:(t,e)=>{var i;return!(!/^\s*classDiagram/.test(t)||"dagre-wrapper"!==(null==(i=null==e?void 0:e.class)?void 0:i.defaultRenderer))||/^\s*classDiagram-v2/.test(t)},loader:async()=>{const{diagram:t}=await Promise.all([i.e(1644),i.e(3076),i.e(5269),i.e(7936),i.e(4706),i.e(6255)]).then(i.bind(i,6255));return{id:ri,diagram:t}}},oi="state",ai={id:oi,detector:(t,e)=>{var i;return"dagre-wrapper"!==(null==(i=null==e?void 0:e.state)?void 0:i.defaultRenderer)&&/^\s*stateDiagram/.test(t)},loader:async()=>{const{diagram:t}=await Promise.all([i.e(1644),i.e(1504),i.e(2696)]).then(i.bind(i,2696));return{id:oi,diagram:t}}},si="stateDiagram",li={id:si,detector:(t,e)=>{var i;return!!/^\s*stateDiagram-v2/.test(t)||!(!/^\s*stateDiagram/.test(t)||"dagre-wrapper"!==(null==(i=null==e?void 0:e.state)?void 0:i.defaultRenderer))},loader:async()=>{const{diagram:t}=await Promise.all([i.e(1644),i.e(3076),i.e(5269),i.e(7936),i.e(1504),i.e(5943)]).then(i.bind(i,5943));return{id:si,diagram:t}}},ci="journey",hi={id:ci,detector:t=>/^\s*journey/.test(t),loader:async()=>{const{diagram:t}=await i.e(2183).then(i.bind(i,2183));return{id:ci,diagram:t}}},ui=function(t,e,i,r){const n=function(t,e,i){let r=new Map;return i?(r.set("width","100%"),r.set("style",`max-width: ${e}px;`)):(r.set("height",t),r.set("width",e)),r}(e,i,r);!function(t,e){for(let i of e)t.attr(i[0],i[1])}(t,n)},di=function(t,e,i,r){const n=e.node().getBBox(),o=n.width,a=n.height;st.info(`SVG bounds: ${o}x${a}`,n);let s=0,l=0;st.info(`Graph bounds: ${s}x${l}`,t),s=o+2*i,l=a+2*i,st.info(`Calculated bounds: ${s}x${l}`),ui(e,l,s,r);const c=`${n.x-i} ${n.y-i} ${n.width+2*i} ${n.height+2*i}`;e.attr("viewBox",c)},fi={},pi=(t,e,i)=>{let r="";return t in fi&&fi[t]?r=fi[t](i):st.warn(`No theme found for ${t}`),` & {\n font-family: ${i.fontFamily};\n font-size: ${i.fontSize};\n fill: ${i.textColor}\n }\n\n /* Classes common for multiple diagrams */\n\n & .error-icon {\n fill: ${i.errorBkgColor};\n }\n & .error-text {\n fill: ${i.errorTextColor};\n stroke: ${i.errorTextColor};\n }\n\n & .edge-thickness-normal {\n stroke-width: 2px;\n }\n & .edge-thickness-thick {\n stroke-width: 3.5px\n }\n & .edge-pattern-solid {\n stroke-dasharray: 0;\n }\n\n & .edge-pattern-dashed{\n stroke-dasharray: 3;\n }\n .edge-pattern-dotted {\n stroke-dasharray: 2;\n }\n\n & .marker {\n fill: ${i.lineColor};\n stroke: ${i.lineColor};\n }\n & .marker.cross {\n stroke: ${i.lineColor};\n }\n\n & svg {\n font-family: ${i.fontFamily};\n font-size: ${i.fontSize};\n }\n\n ${r}\n\n ${e}\n`};let gi="",mi="",yi="";const xi=t=>ft(t,Be()),bi=()=>{gi="",yi="",mi=""},Ci=t=>{gi=xi(t).replace(/^\s+/g,"")},_i=()=>gi,vi=t=>{yi=xi(t).replace(/\n\s+/g,"\n")},ki=()=>yi,Ti=t=>{mi=xi(t)},wi=()=>mi,Si=Object.freeze(Object.defineProperty({__proto__:null,clear:bi,getAccDescription:ki,getAccTitle:_i,getDiagramTitle:wi,setAccDescription:vi,setAccTitle:Ci,setDiagramTitle:Ti},Symbol.toStringTag,{value:"Module"})),Bi=st,Fi=lt,Li=Be,Ai=Se,Mi=be,Ei=t=>ft(t,Li()),Ni=di,ji={},Zi=(t,e,i)=>{var r,n,o;if(ji[t])throw new Error(`Diagram ${t} already registered.`);ji[t]=e,i&&Ut(t,i),n=t,void 0!==(o=e.styles)&&(fi[n]=o),null==(r=e.injectUtils)||r.call(e,Bi,Fi,Li,Ei,Ni,Si,(()=>{}))},Ii=t=>{if(t in ji)return ji[t];throw new Oi(t)};class Oi extends Error{constructor(t){super(`Diagram ${t} not found.`)}}const Di=t=>{var e;const{securityLevel:i}=Li();let r=(0,a.Ys)("body");if("sandbox"===i){const i=(null==(e=(0,a.Ys)(`#i${t}`).node())?void 0:e.contentDocument)??document;r=(0,a.Ys)(i.body)}return r.select(`#${t}`)},qi={draw:(t,e,i)=>{st.debug("renering svg for syntax error\n");const r=Di(e);r.attr("viewBox","0 0 2412 512"),ui(r,100,512,!0);const n=r.append("g");n.append("path").attr("class","error-icon").attr("d","m411.313,123.313c6.25-6.25 6.25-16.375 0-22.625s-16.375-6.25-22.625,0l-32,32-9.375,9.375-20.688-20.688c-12.484-12.5-32.766-12.5-45.25,0l-16,16c-1.261,1.261-2.304,2.648-3.31,4.051-21.739-8.561-45.324-13.426-70.065-13.426-105.867,0-192,86.133-192,192s86.133,192 192,192 192-86.133 192-192c0-24.741-4.864-48.327-13.426-70.065 1.402-1.007 2.79-2.049 4.051-3.31l16-16c12.5-12.492 12.5-32.758 0-45.25l-20.688-20.688 9.375-9.375 32.001-31.999zm-219.313,100.687c-52.938,0-96,43.063-96,96 0,8.836-7.164,16-16,16s-16-7.164-16-16c0-70.578 57.422-128 128-128 8.836,0 16,7.164 16,16s-7.164,16-16,16z"),n.append("path").attr("class","error-icon").attr("d","m459.02,148.98c-6.25-6.25-16.375-6.25-22.625,0s-6.25,16.375 0,22.625l16,16c3.125,3.125 7.219,4.688 11.313,4.688 4.094,0 8.188-1.563 11.313-4.688 6.25-6.25 6.25-16.375 0-22.625l-16.001-16z"),n.append("path").attr("class","error-icon").attr("d","m340.395,75.605c3.125,3.125 7.219,4.688 11.313,4.688 4.094,0 8.188-1.563 11.313-4.688 6.25-6.25 6.25-16.375 0-22.625l-16-16c-6.25-6.25-16.375-6.25-22.625,0s-6.25,16.375 0,22.625l15.999,16z"),n.append("path").attr("class","error-icon").attr("d","m400,64c8.844,0 16-7.164 16-16v-32c0-8.836-7.156-16-16-16-8.844,0-16,7.164-16,16v32c0,8.836 7.156,16 16,16z"),n.append("path").attr("class","error-icon").attr("d","m496,96.586h-32c-8.844,0-16,7.164-16,16 0,8.836 7.156,16 16,16h32c8.844,0 16-7.164 16-16 0-8.836-7.156-16-16-16z"),n.append("path").attr("class","error-icon").attr("d","m436.98,75.605c3.125,3.125 7.219,4.688 11.313,4.688 4.094,0 8.188-1.563 11.313-4.688l32-32c6.25-6.25 6.25-16.375 0-22.625s-16.375-6.25-22.625,0l-32,32c-6.251,6.25-6.251,16.375-0.001,22.625z"),n.append("text").attr("class","error-text").attr("x",1440).attr("y",250).attr("font-size","150px").style("text-anchor","middle").text("Syntax error in text"),n.append("text").attr("class","error-text").attr("x",1250).attr("y",400).attr("font-size","100px").style("text-anchor","middle").text(`mermaid version ${i}`)}},$i=qi,zi={db:{},renderer:qi,parser:{parser:{yy:{}},parse:()=>{}}},Pi="flowchart-elk",Ri={id:Pi,detector:(t,e)=>{var i;return!!(/^\s*flowchart-elk/.test(t)||/^\s*flowchart|graph/.test(t)&&"elk"===(null==(i=null==e?void 0:e.flowchart)?void 0:i.defaultRenderer))},loader:async()=>{const{diagram:t}=await Promise.all([i.e(3076),i.e(5269),i.e(8955),i.e(4238)]).then(i.bind(i,4238));return{id:Pi,diagram:t}}},Hi="timeline",Wi={id:Hi,detector:t=>/^\s*timeline/.test(t),loader:async()=>{const{diagram:t}=await i.e(2700).then(i.bind(i,2700));return{id:Hi,diagram:t}}},Ui="mindmap",Yi={id:Ui,detector:t=>/^\s*mindmap/.test(t),loader:async()=>{const{diagram:t}=await Promise.all([i.e(3076),i.e(9138)]).then(i.bind(i,9138));return{id:Ui,diagram:t}}},Vi="sankey",Gi={id:Vi,detector:t=>/^\s*sankey-beta/.test(t),loader:async()=>{const{diagram:t}=await i.e(240).then(i.bind(i,240));return{id:Vi,diagram:t}}};let Xi=!1;const Ji=()=>{Xi||(Xi=!0,Zi("error",zi,(t=>"error"===t.toLowerCase().trim())),Zi("---",{db:{clear:()=>{}},styles:{},renderer:{draw:()=>{}},parser:{parser:{yy:{}},parse:()=>{throw new Error("Diagrams beginning with --- are not valid. If you were trying to use a YAML front-matter, please ensure that you've correctly opened and closed the YAML front-matter with un-indented `---` blocks")}},init:()=>null},(t=>t.toLowerCase().trimStart().startsWith("---"))),Wt(je,ni,ii,qe,Re,We,Ue,Qe,ti,Ri,De,Ie,Yi,Wi,ze,li,ai,hi,Ve,Gi,Xe))};class Qi{constructor(t,e={}){this.text=t,this.metadata=e,this.type="graph",this.text+="\n";const i=Be();try{this.type=Ht(t,i)}catch(n){this.type="error",this.detectError=n}const r=Ii(this.type);st.debug("Type "+this.type),this.db=r.db,this.renderer=r.renderer,this.parser=r.parser,this.parser.parser.yy=this.db,this.init=r.init,this.parse()}parse(){var t,e,i,r,n;if(this.detectError)throw this.detectError;null==(e=(t=this.db).clear)||e.call(t);const o=Be();null==(i=this.init)||i.call(this,o),this.metadata.title&&(null==(n=(r=this.db).setDiagramTitle)||n.call(r,this.metadata.title)),this.parser.parse(this.text)}async render(t,e){await this.renderer.draw(this.text,t,e,this)}getParser(){return this.parser}getType(){return this.type}}const Ki=async(t,e={})=>{const i=Ht(t,Be());try{Ii(i)}catch(r){const t=Rt[i].loader;if(!t)throw new Pt(`Diagram ${i} not found.`);const{id:e,diagram:n}=await t();Zi(e,n)}return new Qi(t,e)};let tr=[];const er=t=>{tr.push(t)},ir="graphics-document document";const rr=t=>t.replace(/^\s*%%(?!{)[^\n]+\n?/gm,"").trimStart();function nr(t){return null==t}var or={isNothing:nr,isObject:function(t){return"object"==typeof t&&null!==t},toArray:function(t){return Array.isArray(t)?t:nr(t)?[]:[t]},repeat:function(t,e){var i,r="";for(i=0;i<e;i+=1)r+=t;return r},isNegativeZero:function(t){return 0===t&&Number.NEGATIVE_INFINITY===1/t},extend:function(t,e){var i,r,n,o;if(e)for(i=0,r=(o=Object.keys(e)).length;i<r;i+=1)t[n=o[i]]=e[n];return t}};function ar(t,e){var i="",r=t.reason||"(unknown reason)";return t.mark?(t.mark.name&&(i+='in "'+t.mark.name+'" '),i+="("+(t.mark.line+1)+":"+(t.mark.column+1)+")",!e&&t.mark.snippet&&(i+="\n\n"+t.mark.snippet),r+" "+i):r}function sr(t,e){Error.call(this),this.name="YAMLException",this.reason=t,this.mark=e,this.message=ar(this,!1),Error.captureStackTrace?Error.captureStackTrace(this,this.constructor):this.stack=(new Error).stack||""}sr.prototype=Object.create(Error.prototype),sr.prototype.constructor=sr,sr.prototype.toString=function(t){return this.name+": "+ar(this,t)};var lr=sr;function cr(t,e,i,r,n){var o="",a="",s=Math.floor(n/2)-1;return r-e>s&&(e=r-s+(o=" ... ").length),i-r>s&&(i=r+s-(a=" ...").length),{str:o+t.slice(e,i).replace(/\t/g,"\u2192")+a,pos:r-e+o.length}}function hr(t,e){return or.repeat(" ",e-t.length)+t}var ur=function(t,e){if(e=Object.create(e||null),!t.buffer)return null;e.maxLength||(e.maxLength=79),"number"!=typeof e.indent&&(e.indent=1),"number"!=typeof e.linesBefore&&(e.linesBefore=3),"number"!=typeof e.linesAfter&&(e.linesAfter=2);for(var i,r=/\r?\n|\r|\0/g,n=[0],o=[],a=-1;i=r.exec(t.buffer);)o.push(i.index),n.push(i.index+i[0].length),t.position<=i.index&&a<0&&(a=n.length-2);a<0&&(a=n.length-1);var s,l,c="",h=Math.min(t.line+e.linesAfter,o.length).toString().length,u=e.maxLength-(e.indent+h+3);for(s=1;s<=e.linesBefore&&!(a-s<0);s++)l=cr(t.buffer,n[a-s],o[a-s],t.position-(n[a]-n[a-s]),u),c=or.repeat(" ",e.indent)+hr((t.line-s+1).toString(),h)+" | "+l.str+"\n"+c;for(l=cr(t.buffer,n[a],o[a],t.position,u),c+=or.repeat(" ",e.indent)+hr((t.line+1).toString(),h)+" | "+l.str+"\n",c+=or.repeat("-",e.indent+h+3+l.pos)+"^\n",s=1;s<=e.linesAfter&&!(a+s>=o.length);s++)l=cr(t.buffer,n[a+s],o[a+s],t.position-(n[a]-n[a+s]),u),c+=or.repeat(" ",e.indent)+hr((t.line+s+1).toString(),h)+" | "+l.str+"\n";return c.replace(/\n$/,"")},dr=["kind","multi","resolve","construct","instanceOf","predicate","represent","representName","defaultStyle","styleAliases"],fr=["scalar","sequence","mapping"];var pr=function(t,e){var i,r;if(e=e||{},Object.keys(e).forEach((function(e){if(-1===dr.indexOf(e))throw new lr('Unknown option "'+e+'" is met in definition of "'+t+'" YAML type.')})),this.options=e,this.tag=t,this.kind=e.kind||null,this.resolve=e.resolve||function(){return!0},this.construct=e.construct||function(t){return t},this.instanceOf=e.instanceOf||null,this.predicate=e.predicate||null,this.represent=e.represent||null,this.representName=e.representName||null,this.defaultStyle=e.defaultStyle||null,this.multi=e.multi||!1,this.styleAliases=(i=e.styleAliases||null,r={},null!==i&&Object.keys(i).forEach((function(t){i[t].forEach((function(e){r[String(e)]=t}))})),r),-1===fr.indexOf(this.kind))throw new lr('Unknown kind "'+this.kind+'" is specified for "'+t+'" YAML type.')};function gr(t,e){var i=[];return t[e].forEach((function(t){var e=i.length;i.forEach((function(i,r){i.tag===t.tag&&i.kind===t.kind&&i.multi===t.multi&&(e=r)})),i[e]=t})),i}function mr(t){return this.extend(t)}mr.prototype.extend=function(t){var e=[],i=[];if(t instanceof pr)i.push(t);else if(Array.isArray(t))i=i.concat(t);else{if(!t||!Array.isArray(t.implicit)&&!Array.isArray(t.explicit))throw new lr("Schema.extend argument should be a Type, [ Type ], or a schema definition ({ implicit: [...], explicit: [...] })");t.implicit&&(e=e.concat(t.implicit)),t.explicit&&(i=i.concat(t.explicit))}e.forEach((function(t){if(!(t instanceof pr))throw new lr("Specified list of YAML types (or a single Type object) contains a non-Type object.");if(t.loadKind&&"scalar"!==t.loadKind)throw new lr("There is a non-scalar type in the implicit list of a schema. Implicit resolving of such types is not supported.");if(t.multi)throw new lr("There is a multi type in the implicit list of a schema. Multi tags can only be listed as explicit.")})),i.forEach((function(t){if(!(t instanceof pr))throw new lr("Specified list of YAML types (or a single Type object) contains a non-Type object.")}));var r=Object.create(mr.prototype);return r.implicit=(this.implicit||[]).concat(e),r.explicit=(this.explicit||[]).concat(i),r.compiledImplicit=gr(r,"implicit"),r.compiledExplicit=gr(r,"explicit"),r.compiledTypeMap=function(){var t,e,i={scalar:{},sequence:{},mapping:{},fallback:{},multi:{scalar:[],sequence:[],mapping:[],fallback:[]}};function r(t){t.multi?(i.multi[t.kind].push(t),i.multi.fallback.push(t)):i[t.kind][t.tag]=i.fallback[t.tag]=t}for(t=0,e=arguments.length;t<e;t+=1)arguments[t].forEach(r);return i}(r.compiledImplicit,r.compiledExplicit),r};var yr=new mr({explicit:[new pr("tag:yaml.org,2002:str",{kind:"scalar",construct:function(t){return null!==t?t:""}}),new pr("tag:yaml.org,2002:seq",{kind:"sequence",construct:function(t){return null!==t?t:[]}}),new pr("tag:yaml.org,2002:map",{kind:"mapping",construct:function(t){return null!==t?t:{}}})]});var xr=new pr("tag:yaml.org,2002:null",{kind:"scalar",resolve:function(t){if(null===t)return!0;var e=t.length;return 1===e&&"~"===t||4===e&&("null"===t||"Null"===t||"NULL"===t)},construct:function(){return null},predicate:function(t){return null===t},represent:{canonical:function(){return"~"},lowercase:function(){return"null"},uppercase:function(){return"NULL"},camelcase:function(){return"Null"},empty:function(){return""}},defaultStyle:"lowercase"});var br=new pr("tag:yaml.org,2002:bool",{kind:"scalar",resolve:function(t){if(null===t)return!1;var e=t.length;return 4===e&&("true"===t||"True"===t||"TRUE"===t)||5===e&&("false"===t||"False"===t||"FALSE"===t)},construct:function(t){return"true"===t||"True"===t||"TRUE"===t},predicate:function(t){return"[object Boolean]"===Object.prototype.toString.call(t)},represent:{lowercase:function(t){return t?"true":"false"},uppercase:function(t){return t?"TRUE":"FALSE"},camelcase:function(t){return t?"True":"False"}},defaultStyle:"lowercase"});function Cr(t){return 48<=t&&t<=55}function _r(t){return 48<=t&&t<=57}var vr=new pr("tag:yaml.org,2002:int",{kind:"scalar",resolve:function(t){if(null===t)return!1;var e,i,r=t.length,n=0,o=!1;if(!r)return!1;if("-"!==(e=t[n])&&"+"!==e||(e=t[++n]),"0"===e){if(n+1===r)return!0;if("b"===(e=t[++n])){for(n++;n<r;n++)if("_"!==(e=t[n])){if("0"!==e&&"1"!==e)return!1;o=!0}return o&&"_"!==e}if("x"===e){for(n++;n<r;n++)if("_"!==(e=t[n])){if(!(48<=(i=t.charCodeAt(n))&&i<=57||65<=i&&i<=70||97<=i&&i<=102))return!1;o=!0}return o&&"_"!==e}if("o"===e){for(n++;n<r;n++)if("_"!==(e=t[n])){if(!Cr(t.charCodeAt(n)))return!1;o=!0}return o&&"_"!==e}}if("_"===e)return!1;for(;n<r;n++)if("_"!==(e=t[n])){if(!_r(t.charCodeAt(n)))return!1;o=!0}return!(!o||"_"===e)},construct:function(t){var e,i=t,r=1;if(-1!==i.indexOf("_")&&(i=i.replace(/_/g,"")),"-"!==(e=i[0])&&"+"!==e||("-"===e&&(r=-1),e=(i=i.slice(1))[0]),"0"===i)return 0;if("0"===e){if("b"===i[1])return r*parseInt(i.slice(2),2);if("x"===i[1])return r*parseInt(i.slice(2),16);if("o"===i[1])return r*parseInt(i.slice(2),8)}return r*parseInt(i,10)},predicate:function(t){return"[object Number]"===Object.prototype.toString.call(t)&&t%1==0&&!or.isNegativeZero(t)},represent:{binary:function(t){return t>=0?"0b"+t.toString(2):"-0b"+t.toString(2).slice(1)},octal:function(t){return t>=0?"0o"+t.toString(8):"-0o"+t.toString(8).slice(1)},decimal:function(t){return t.toString(10)},hexadecimal:function(t){return t>=0?"0x"+t.toString(16).toUpperCase():"-0x"+t.toString(16).toUpperCase().slice(1)}},defaultStyle:"decimal",styleAliases:{binary:[2,"bin"],octal:[8,"oct"],decimal:[10,"dec"],hexadecimal:[16,"hex"]}}),kr=new RegExp("^(?:[-+]?(?:[0-9][0-9_]*)(?:\\.[0-9_]*)?(?:[eE][-+]?[0-9]+)?|\\.[0-9_]+(?:[eE][-+]?[0-9]+)?|[-+]?\\.(?:inf|Inf|INF)|\\.(?:nan|NaN|NAN))$");var Tr=/^[-+]?[0-9]+e/;var wr=new pr("tag:yaml.org,2002:float",{kind:"scalar",resolve:function(t){return null!==t&&!(!kr.test(t)||"_"===t[t.length-1])},construct:function(t){var e,i;return i="-"===(e=t.replace(/_/g,"").toLowerCase())[0]?-1:1,"+-".indexOf(e[0])>=0&&(e=e.slice(1)),".inf"===e?1===i?Number.POSITIVE_INFINITY:Number.NEGATIVE_INFINITY:".nan"===e?NaN:i*parseFloat(e,10)},predicate:function(t){return"[object Number]"===Object.prototype.toString.call(t)&&(t%1!=0||or.isNegativeZero(t))},represent:function(t,e){var i;if(isNaN(t))switch(e){case"lowercase":return".nan";case"uppercase":return".NAN";case"camelcase":return".NaN"}else if(Number.POSITIVE_INFINITY===t)switch(e){case"lowercase":return".inf";case"uppercase":return".INF";case"camelcase":return".Inf"}else if(Number.NEGATIVE_INFINITY===t)switch(e){case"lowercase":return"-.inf";case"uppercase":return"-.INF";case"camelcase":return"-.Inf"}else if(or.isNegativeZero(t))return"-0.0";return i=t.toString(10),Tr.test(i)?i.replace("e",".e"):i},defaultStyle:"lowercase"}),Sr=yr.extend({implicit:[xr,br,vr,wr]}),Br=Sr,Fr=new RegExp("^([0-9][0-9][0-9][0-9])-([0-9][0-9])-([0-9][0-9])$"),Lr=new RegExp("^([0-9][0-9][0-9][0-9])-([0-9][0-9]?)-([0-9][0-9]?)(?:[Tt]|[ \\t]+)([0-9][0-9]?):([0-9][0-9]):([0-9][0-9])(?:\\.([0-9]*))?(?:[ \\t]*(Z|([-+])([0-9][0-9]?)(?::([0-9][0-9]))?))?$");var Ar=new pr("tag:yaml.org,2002:timestamp",{kind:"scalar",resolve:function(t){return null!==t&&(null!==Fr.exec(t)||null!==Lr.exec(t))},construct:function(t){var e,i,r,n,o,a,s,l,c=0,h=null;if(null===(e=Fr.exec(t))&&(e=Lr.exec(t)),null===e)throw new Error("Date resolve error");if(i=+e[1],r=+e[2]-1,n=+e[3],!e[4])return new Date(Date.UTC(i,r,n));if(o=+e[4],a=+e[5],s=+e[6],e[7]){for(c=e[7].slice(0,3);c.length<3;)c+="0";c=+c}return e[9]&&(h=6e4*(60*+e[10]+ +(e[11]||0)),"-"===e[9]&&(h=-h)),l=new Date(Date.UTC(i,r,n,o,a,s,c)),h&&l.setTime(l.getTime()-h),l},instanceOf:Date,represent:function(t){return t.toISOString()}});var Mr=new pr("tag:yaml.org,2002:merge",{kind:"scalar",resolve:function(t){return"<<"===t||null===t}}),Er="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=\n\r";var Nr=new pr("tag:yaml.org,2002:binary",{kind:"scalar",resolve:function(t){if(null===t)return!1;var e,i,r=0,n=t.length,o=Er;for(i=0;i<n;i++)if(!((e=o.indexOf(t.charAt(i)))>64)){if(e<0)return!1;r+=6}return r%8==0},construct:function(t){var e,i,r=t.replace(/[\r\n=]/g,""),n=r.length,o=Er,a=0,s=[];for(e=0;e<n;e++)e%4==0&&e&&(s.push(a>>16&255),s.push(a>>8&255),s.push(255&a)),a=a<<6|o.indexOf(r.charAt(e));return 0===(i=n%4*6)?(s.push(a>>16&255),s.push(a>>8&255),s.push(255&a)):18===i?(s.push(a>>10&255),s.push(a>>2&255)):12===i&&s.push(a>>4&255),new Uint8Array(s)},predicate:function(t){return"[object Uint8Array]"===Object.prototype.toString.call(t)},represent:function(t){var e,i,r="",n=0,o=t.length,a=Er;for(e=0;e<o;e++)e%3==0&&e&&(r+=a[n>>18&63],r+=a[n>>12&63],r+=a[n>>6&63],r+=a[63&n]),n=(n<<8)+t[e];return 0===(i=o%3)?(r+=a[n>>18&63],r+=a[n>>12&63],r+=a[n>>6&63],r+=a[63&n]):2===i?(r+=a[n>>10&63],r+=a[n>>4&63],r+=a[n<<2&63],r+=a[64]):1===i&&(r+=a[n>>2&63],r+=a[n<<4&63],r+=a[64],r+=a[64]),r}}),jr=Object.prototype.hasOwnProperty,Zr=Object.prototype.toString;var Ir=new pr("tag:yaml.org,2002:omap",{kind:"sequence",resolve:function(t){if(null===t)return!0;var e,i,r,n,o,a=[],s=t;for(e=0,i=s.length;e<i;e+=1){if(r=s[e],o=!1,"[object Object]"!==Zr.call(r))return!1;for(n in r)if(jr.call(r,n)){if(o)return!1;o=!0}if(!o)return!1;if(-1!==a.indexOf(n))return!1;a.push(n)}return!0},construct:function(t){return null!==t?t:[]}}),Or=Object.prototype.toString;var Dr=new pr("tag:yaml.org,2002:pairs",{kind:"sequence",resolve:function(t){if(null===t)return!0;var e,i,r,n,o,a=t;for(o=new Array(a.length),e=0,i=a.length;e<i;e+=1){if(r=a[e],"[object Object]"!==Or.call(r))return!1;if(1!==(n=Object.keys(r)).length)return!1;o[e]=[n[0],r[n[0]]]}return!0},construct:function(t){if(null===t)return[];var e,i,r,n,o,a=t;for(o=new Array(a.length),e=0,i=a.length;e<i;e+=1)r=a[e],n=Object.keys(r),o[e]=[n[0],r[n[0]]];return o}}),qr=Object.prototype.hasOwnProperty;var $r=new pr("tag:yaml.org,2002:set",{kind:"mapping",resolve:function(t){if(null===t)return!0;var e,i=t;for(e in i)if(qr.call(i,e)&&null!==i[e])return!1;return!0},construct:function(t){return null!==t?t:{}}}),zr=Br.extend({implicit:[Ar,Mr],explicit:[Nr,Ir,Dr,$r]}),Pr=Object.prototype.hasOwnProperty,Rr=1,Hr=2,Wr=3,Ur=4,Yr=1,Vr=2,Gr=3,Xr=/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F-\x84\x86-\x9F\uFFFE\uFFFF]|[\uD800-\uDBFF](?![\uDC00-\uDFFF])|(?:[^\uD800-\uDBFF]|^)[\uDC00-\uDFFF]/,Jr=/[\x85\u2028\u2029]/,Qr=/[,\[\]\{\}]/,Kr=/^(?:!|!!|![a-z\-]+!)$/i,tn=/^(?:!|[^,\[\]\{\}])(?:%[0-9a-f]{2}|[0-9a-z\-#;\/\?:@&=\+\$,_\.!~\*'\(\)\[\]])*$/i;function en(t){return Object.prototype.toString.call(t)}function rn(t){return 10===t||13===t}function nn(t){return 9===t||32===t}function on(t){return 9===t||32===t||10===t||13===t}function an(t){return 44===t||91===t||93===t||123===t||125===t}function sn(t){var e;return 48<=t&&t<=57?t-48:97<=(e=32|t)&&e<=102?e-97+10:-1}function ln(t){return 48===t?"\0":97===t?"\x07":98===t?"\b":116===t||9===t?"\t":110===t?"\n":118===t?"\v":102===t?"\f":114===t?"\r":101===t?"\x1b":32===t?" ":34===t?'"':47===t?"/":92===t?"\\":78===t?"\x85":95===t?"\xa0":76===t?"\u2028":80===t?"\u2029":""}function cn(t){return t<=65535?String.fromCharCode(t):String.fromCharCode(55296+(t-65536>>10),56320+(t-65536&1023))}for(var hn=new Array(256),un=new Array(256),dn=0;dn<256;dn++)hn[dn]=ln(dn)?1:0,un[dn]=ln(dn);function fn(t,e){this.input=t,this.filename=e.filename||null,this.schema=e.schema||zr,this.onWarning=e.onWarning||null,this.legacy=e.legacy||!1,this.json=e.json||!1,this.listener=e.listener||null,this.implicitTypes=this.schema.compiledImplicit,this.typeMap=this.schema.compiledTypeMap,this.length=t.length,this.position=0,this.line=0,this.lineStart=0,this.lineIndent=0,this.firstTabInLine=-1,this.documents=[]}function pn(t,e){var i={name:t.filename,buffer:t.input.slice(0,-1),position:t.position,line:t.line,column:t.position-t.lineStart};return i.snippet=ur(i),new lr(e,i)}function gn(t,e){throw pn(t,e)}function mn(t,e){t.onWarning&&t.onWarning.call(null,pn(t,e))}var yn={YAML:function(t,e,i){var r,n,o;null!==t.version&&gn(t,"duplication of %YAML directive"),1!==i.length&&gn(t,"YAML directive accepts exactly one argument"),null===(r=/^([0-9]+)\.([0-9]+)$/.exec(i[0]))&&gn(t,"ill-formed argument of the YAML directive"),n=parseInt(r[1],10),o=parseInt(r[2],10),1!==n&&gn(t,"unacceptable YAML version of the document"),t.version=i[0],t.checkLineBreaks=o<2,1!==o&&2!==o&&mn(t,"unsupported YAML version of the document")},TAG:function(t,e,i){var r,n;2!==i.length&&gn(t,"TAG directive accepts exactly two arguments"),r=i[0],n=i[1],Kr.test(r)||gn(t,"ill-formed tag handle (first argument) of the TAG directive"),Pr.call(t.tagMap,r)&&gn(t,'there is a previously declared suffix for "'+r+'" tag handle'),tn.test(n)||gn(t,"ill-formed tag prefix (second argument) of the TAG directive");try{n=decodeURIComponent(n)}catch(o){gn(t,"tag prefix is malformed: "+n)}t.tagMap[r]=n}};function xn(t,e,i,r){var n,o,a,s;if(e<i){if(s=t.input.slice(e,i),r)for(n=0,o=s.length;n<o;n+=1)9===(a=s.charCodeAt(n))||32<=a&&a<=1114111||gn(t,"expected valid JSON character");else Xr.test(s)&&gn(t,"the stream contains non-printable characters");t.result+=s}}function bn(t,e,i,r){var n,o,a,s;for(or.isObject(i)||gn(t,"cannot merge mappings; the provided source object is unacceptable"),a=0,s=(n=Object.keys(i)).length;a<s;a+=1)o=n[a],Pr.call(e,o)||(e[o]=i[o],r[o]=!0)}function Cn(t,e,i,r,n,o,a,s,l){var c,h;if(Array.isArray(n))for(c=0,h=(n=Array.prototype.slice.call(n)).length;c<h;c+=1)Array.isArray(n[c])&&gn(t,"nested arrays are not supported inside keys"),"object"==typeof n&&"[object Object]"===en(n[c])&&(n[c]="[object Object]");if("object"==typeof n&&"[object Object]"===en(n)&&(n="[object Object]"),n=String(n),null===e&&(e={}),"tag:yaml.org,2002:merge"===r)if(Array.isArray(o))for(c=0,h=o.length;c<h;c+=1)bn(t,e,o[c],i);else bn(t,e,o,i);else t.json||Pr.call(i,n)||!Pr.call(e,n)||(t.line=a||t.line,t.lineStart=s||t.lineStart,t.position=l||t.position,gn(t,"duplicated mapping key")),"__proto__"===n?Object.defineProperty(e,n,{configurable:!0,enumerable:!0,writable:!0,value:o}):e[n]=o,delete i[n];return e}function _n(t){var e;10===(e=t.input.charCodeAt(t.position))?t.position++:13===e?(t.position++,10===t.input.charCodeAt(t.position)&&t.position++):gn(t,"a line break is expected"),t.line+=1,t.lineStart=t.position,t.firstTabInLine=-1}function vn(t,e,i){for(var r=0,n=t.input.charCodeAt(t.position);0!==n;){for(;nn(n);)9===n&&-1===t.firstTabInLine&&(t.firstTabInLine=t.position),n=t.input.charCodeAt(++t.position);if(e&&35===n)do{n=t.input.charCodeAt(++t.position)}while(10!==n&&13!==n&&0!==n);if(!rn(n))break;for(_n(t),n=t.input.charCodeAt(t.position),r++,t.lineIndent=0;32===n;)t.lineIndent++,n=t.input.charCodeAt(++t.position)}return-1!==i&&0!==r&&t.lineIndent<i&&mn(t,"deficient indentation"),r}function kn(t){var e,i=t.position;return!(45!==(e=t.input.charCodeAt(i))&&46!==e||e!==t.input.charCodeAt(i+1)||e!==t.input.charCodeAt(i+2)||(i+=3,0!==(e=t.input.charCodeAt(i))&&!on(e)))}function Tn(t,e){1===e?t.result+=" ":e>1&&(t.result+=or.repeat("\n",e-1))}function wn(t,e){var i,r,n=t.tag,o=t.anchor,a=[],s=!1;if(-1!==t.firstTabInLine)return!1;for(null!==t.anchor&&(t.anchorMap[t.anchor]=a),r=t.input.charCodeAt(t.position);0!==r&&(-1!==t.firstTabInLine&&(t.position=t.firstTabInLine,gn(t,"tab characters must not be used in indentation")),45===r)&&on(t.input.charCodeAt(t.position+1));)if(s=!0,t.position++,vn(t,!0,-1)&&t.lineIndent<=e)a.push(null),r=t.input.charCodeAt(t.position);else if(i=t.line,Fn(t,e,Wr,!1,!0),a.push(t.result),vn(t,!0,-1),r=t.input.charCodeAt(t.position),(t.line===i||t.lineIndent>e)&&0!==r)gn(t,"bad indentation of a sequence entry");else if(t.lineIndent<e)break;return!!s&&(t.tag=n,t.anchor=o,t.kind="sequence",t.result=a,!0)}function Sn(t){var e,i,r,n,o=!1,a=!1;if(33!==(n=t.input.charCodeAt(t.position)))return!1;if(null!==t.tag&&gn(t,"duplication of a tag property"),60===(n=t.input.charCodeAt(++t.position))?(o=!0,n=t.input.charCodeAt(++t.position)):33===n?(a=!0,i="!!",n=t.input.charCodeAt(++t.position)):i="!",e=t.position,o){do{n=t.input.charCodeAt(++t.position)}while(0!==n&&62!==n);t.position<t.length?(r=t.input.slice(e,t.position),n=t.input.charCodeAt(++t.position)):gn(t,"unexpected end of the stream within a verbatim tag")}else{for(;0!==n&&!on(n);)33===n&&(a?gn(t,"tag suffix cannot contain exclamation marks"):(i=t.input.slice(e-1,t.position+1),Kr.test(i)||gn(t,"named tag handle cannot contain such characters"),a=!0,e=t.position+1)),n=t.input.charCodeAt(++t.position);r=t.input.slice(e,t.position),Qr.test(r)&&gn(t,"tag suffix cannot contain flow indicator characters")}r&&!tn.test(r)&&gn(t,"tag name cannot contain such characters: "+r);try{r=decodeURIComponent(r)}catch(s){gn(t,"tag name is malformed: "+r)}return o?t.tag=r:Pr.call(t.tagMap,i)?t.tag=t.tagMap[i]+r:"!"===i?t.tag="!"+r:"!!"===i?t.tag="tag:yaml.org,2002:"+r:gn(t,'undeclared tag handle "'+i+'"'),!0}function Bn(t){var e,i;if(38!==(i=t.input.charCodeAt(t.position)))return!1;for(null!==t.anchor&&gn(t,"duplication of an anchor property"),i=t.input.charCodeAt(++t.position),e=t.position;0!==i&&!on(i)&&!an(i);)i=t.input.charCodeAt(++t.position);return t.position===e&&gn(t,"name of an anchor node must contain at least one character"),t.anchor=t.input.slice(e,t.position),!0}function Fn(t,e,i,r,n){var o,a,s,l,c,h,u,d,f,p=1,g=!1,m=!1;if(null!==t.listener&&t.listener("open",t),t.tag=null,t.anchor=null,t.kind=null,t.result=null,o=a=s=Ur===i||Wr===i,r&&vn(t,!0,-1)&&(g=!0,t.lineIndent>e?p=1:t.lineIndent===e?p=0:t.lineIndent<e&&(p=-1)),1===p)for(;Sn(t)||Bn(t);)vn(t,!0,-1)?(g=!0,s=o,t.lineIndent>e?p=1:t.lineIndent===e?p=0:t.lineIndent<e&&(p=-1)):s=!1;if(s&&(s=g||n),1!==p&&Ur!==i||(d=Rr===i||Hr===i?e:e+1,f=t.position-t.lineStart,1===p?s&&(wn(t,f)||function(t,e,i){var r,n,o,a,s,l,c,h=t.tag,u=t.anchor,d={},f=Object.create(null),p=null,g=null,m=null,y=!1,x=!1;if(-1!==t.firstTabInLine)return!1;for(null!==t.anchor&&(t.anchorMap[t.anchor]=d),c=t.input.charCodeAt(t.position);0!==c;){if(y||-1===t.firstTabInLine||(t.position=t.firstTabInLine,gn(t,"tab characters must not be used in indentation")),r=t.input.charCodeAt(t.position+1),o=t.line,63!==c&&58!==c||!on(r)){if(a=t.line,s=t.lineStart,l=t.position,!Fn(t,i,Hr,!1,!0))break;if(t.line===o){for(c=t.input.charCodeAt(t.position);nn(c);)c=t.input.charCodeAt(++t.position);if(58===c)on(c=t.input.charCodeAt(++t.position))||gn(t,"a whitespace character is expected after the key-value separator within a block mapping"),y&&(Cn(t,d,f,p,g,null,a,s,l),p=g=m=null),x=!0,y=!1,n=!1,p=t.tag,g=t.result;else{if(!x)return t.tag=h,t.anchor=u,!0;gn(t,"can not read an implicit mapping pair; a colon is missed")}}else{if(!x)return t.tag=h,t.anchor=u,!0;gn(t,"can not read a block mapping entry; a multiline key may not be an implicit key")}}else 63===c?(y&&(Cn(t,d,f,p,g,null,a,s,l),p=g=m=null),x=!0,y=!0,n=!0):y?(y=!1,n=!0):gn(t,"incomplete explicit mapping pair; a key node is missed; or followed by a non-tabulated empty line"),t.position+=1,c=r;if((t.line===o||t.lineIndent>e)&&(y&&(a=t.line,s=t.lineStart,l=t.position),Fn(t,e,Ur,!0,n)&&(y?g=t.result:m=t.result),y||(Cn(t,d,f,p,g,m,a,s,l),p=g=m=null),vn(t,!0,-1),c=t.input.charCodeAt(t.position)),(t.line===o||t.lineIndent>e)&&0!==c)gn(t,"bad indentation of a mapping entry");else if(t.lineIndent<e)break}return y&&Cn(t,d,f,p,g,null,a,s,l),x&&(t.tag=h,t.anchor=u,t.kind="mapping",t.result=d),x}(t,f,d))||function(t,e){var i,r,n,o,a,s,l,c,h,u,d,f,p=!0,g=t.tag,m=t.anchor,y=Object.create(null);if(91===(f=t.input.charCodeAt(t.position)))a=93,c=!1,o=[];else{if(123!==f)return!1;a=125,c=!0,o={}}for(null!==t.anchor&&(t.anchorMap[t.anchor]=o),f=t.input.charCodeAt(++t.position);0!==f;){if(vn(t,!0,e),(f=t.input.charCodeAt(t.position))===a)return t.position++,t.tag=g,t.anchor=m,t.kind=c?"mapping":"sequence",t.result=o,!0;p?44===f&&gn(t,"expected the node content, but found ','"):gn(t,"missed comma between flow collection entries"),d=null,s=l=!1,63===f&&on(t.input.charCodeAt(t.position+1))&&(s=l=!0,t.position++,vn(t,!0,e)),i=t.line,r=t.lineStart,n=t.position,Fn(t,e,Rr,!1,!0),u=t.tag,h=t.result,vn(t,!0,e),f=t.input.charCodeAt(t.position),!l&&t.line!==i||58!==f||(s=!0,f=t.input.charCodeAt(++t.position),vn(t,!0,e),Fn(t,e,Rr,!1,!0),d=t.result),c?Cn(t,o,y,u,h,d,i,r,n):s?o.push(Cn(t,null,y,u,h,d,i,r,n)):o.push(h),vn(t,!0,e),44===(f=t.input.charCodeAt(t.position))?(p=!0,f=t.input.charCodeAt(++t.position)):p=!1}gn(t,"unexpected end of the stream within a flow collection")}(t,d)?m=!0:(a&&function(t,e){var i,r,n,o,a,s=Yr,l=!1,c=!1,h=e,u=0,d=!1;if(124===(o=t.input.charCodeAt(t.position)))r=!1;else{if(62!==o)return!1;r=!0}for(t.kind="scalar",t.result="";0!==o;)if(43===(o=t.input.charCodeAt(++t.position))||45===o)Yr===s?s=43===o?Gr:Vr:gn(t,"repeat of a chomping mode identifier");else{if(!((n=48<=(a=o)&&a<=57?a-48:-1)>=0))break;0===n?gn(t,"bad explicit indentation width of a block scalar; it cannot be less than one"):c?gn(t,"repeat of an indentation width identifier"):(h=e+n-1,c=!0)}if(nn(o)){do{o=t.input.charCodeAt(++t.position)}while(nn(o));if(35===o)do{o=t.input.charCodeAt(++t.position)}while(!rn(o)&&0!==o)}for(;0!==o;){for(_n(t),t.lineIndent=0,o=t.input.charCodeAt(t.position);(!c||t.lineIndent<h)&&32===o;)t.lineIndent++,o=t.input.charCodeAt(++t.position);if(!c&&t.lineIndent>h&&(h=t.lineIndent),rn(o))u++;else{if(t.lineIndent<h){s===Gr?t.result+=or.repeat("\n",l?1+u:u):s===Yr&&l&&(t.result+="\n");break}for(r?nn(o)?(d=!0,t.result+=or.repeat("\n",l?1+u:u)):d?(d=!1,t.result+=or.repeat("\n",u+1)):0===u?l&&(t.result+=" "):t.result+=or.repeat("\n",u):t.result+=or.repeat("\n",l?1+u:u),l=!0,c=!0,u=0,i=t.position;!rn(o)&&0!==o;)o=t.input.charCodeAt(++t.position);xn(t,i,t.position,!1)}}return!0}(t,d)||function(t,e){var i,r,n;if(39!==(i=t.input.charCodeAt(t.position)))return!1;for(t.kind="scalar",t.result="",t.position++,r=n=t.position;0!==(i=t.input.charCodeAt(t.position));)if(39===i){if(xn(t,r,t.position,!0),39!==(i=t.input.charCodeAt(++t.position)))return!0;r=t.position,t.position++,n=t.position}else rn(i)?(xn(t,r,n,!0),Tn(t,vn(t,!1,e)),r=n=t.position):t.position===t.lineStart&&kn(t)?gn(t,"unexpected end of the document within a single quoted scalar"):(t.position++,n=t.position);gn(t,"unexpected end of the stream within a single quoted scalar")}(t,d)||function(t,e){var i,r,n,o,a,s,l;if(34!==(s=t.input.charCodeAt(t.position)))return!1;for(t.kind="scalar",t.result="",t.position++,i=r=t.position;0!==(s=t.input.charCodeAt(t.position));){if(34===s)return xn(t,i,t.position,!0),t.position++,!0;if(92===s){if(xn(t,i,t.position,!0),rn(s=t.input.charCodeAt(++t.position)))vn(t,!1,e);else if(s<256&&hn[s])t.result+=un[s],t.position++;else if((a=120===(l=s)?2:117===l?4:85===l?8:0)>0){for(n=a,o=0;n>0;n--)(a=sn(s=t.input.charCodeAt(++t.position)))>=0?o=(o<<4)+a:gn(t,"expected hexadecimal character");t.result+=cn(o),t.position++}else gn(t,"unknown escape sequence");i=r=t.position}else rn(s)?(xn(t,i,r,!0),Tn(t,vn(t,!1,e)),i=r=t.position):t.position===t.lineStart&&kn(t)?gn(t,"unexpected end of the document within a double quoted scalar"):(t.position++,r=t.position)}gn(t,"unexpected end of the stream within a double quoted scalar")}(t,d)?m=!0:!function(t){var e,i,r;if(42!==(r=t.input.charCodeAt(t.position)))return!1;for(r=t.input.charCodeAt(++t.position),e=t.position;0!==r&&!on(r)&&!an(r);)r=t.input.charCodeAt(++t.position);return t.position===e&&gn(t,"name of an alias node must contain at least one character"),i=t.input.slice(e,t.position),Pr.call(t.anchorMap,i)||gn(t,'unidentified alias "'+i+'"'),t.result=t.anchorMap[i],vn(t,!0,-1),!0}(t)?function(t,e,i){var r,n,o,a,s,l,c,h,u=t.kind,d=t.result;if(on(h=t.input.charCodeAt(t.position))||an(h)||35===h||38===h||42===h||33===h||124===h||62===h||39===h||34===h||37===h||64===h||96===h)return!1;if((63===h||45===h)&&(on(r=t.input.charCodeAt(t.position+1))||i&&an(r)))return!1;for(t.kind="scalar",t.result="",n=o=t.position,a=!1;0!==h;){if(58===h){if(on(r=t.input.charCodeAt(t.position+1))||i&&an(r))break}else if(35===h){if(on(t.input.charCodeAt(t.position-1)))break}else{if(t.position===t.lineStart&&kn(t)||i&&an(h))break;if(rn(h)){if(s=t.line,l=t.lineStart,c=t.lineIndent,vn(t,!1,-1),t.lineIndent>=e){a=!0,h=t.input.charCodeAt(t.position);continue}t.position=o,t.line=s,t.lineStart=l,t.lineIndent=c;break}}a&&(xn(t,n,o,!1),Tn(t,t.line-s),n=o=t.position,a=!1),nn(h)||(o=t.position+1),h=t.input.charCodeAt(++t.position)}return xn(t,n,o,!1),!!t.result||(t.kind=u,t.result=d,!1)}(t,d,Rr===i)&&(m=!0,null===t.tag&&(t.tag="?")):(m=!0,null===t.tag&&null===t.anchor||gn(t,"alias node should not have any properties")),null!==t.anchor&&(t.anchorMap[t.anchor]=t.result)):0===p&&(m=s&&wn(t,f))),null===t.tag)null!==t.anchor&&(t.anchorMap[t.anchor]=t.result);else if("?"===t.tag){for(null!==t.result&&"scalar"!==t.kind&&gn(t,'unacceptable node kind for !<?> tag; it should be "scalar", not "'+t.kind+'"'),l=0,c=t.implicitTypes.length;l<c;l+=1)if((u=t.implicitTypes[l]).resolve(t.result)){t.result=u.construct(t.result),t.tag=u.tag,null!==t.anchor&&(t.anchorMap[t.anchor]=t.result);break}}else if("!"!==t.tag){if(Pr.call(t.typeMap[t.kind||"fallback"],t.tag))u=t.typeMap[t.kind||"fallback"][t.tag];else for(u=null,l=0,c=(h=t.typeMap.multi[t.kind||"fallback"]).length;l<c;l+=1)if(t.tag.slice(0,h[l].tag.length)===h[l].tag){u=h[l];break}u||gn(t,"unknown tag !<"+t.tag+">"),null!==t.result&&u.kind!==t.kind&&gn(t,"unacceptable node kind for !<"+t.tag+'> tag; it should be "'+u.kind+'", not "'+t.kind+'"'),u.resolve(t.result,t.tag)?(t.result=u.construct(t.result,t.tag),null!==t.anchor&&(t.anchorMap[t.anchor]=t.result)):gn(t,"cannot resolve a node with !<"+t.tag+"> explicit tag")}return null!==t.listener&&t.listener("close",t),null!==t.tag||null!==t.anchor||m}function Ln(t){var e,i,r,n,o=t.position,a=!1;for(t.version=null,t.checkLineBreaks=t.legacy,t.tagMap=Object.create(null),t.anchorMap=Object.create(null);0!==(n=t.input.charCodeAt(t.position))&&(vn(t,!0,-1),n=t.input.charCodeAt(t.position),!(t.lineIndent>0||37!==n));){for(a=!0,n=t.input.charCodeAt(++t.position),e=t.position;0!==n&&!on(n);)n=t.input.charCodeAt(++t.position);for(r=[],(i=t.input.slice(e,t.position)).length<1&&gn(t,"directive name must not be less than one character in length");0!==n;){for(;nn(n);)n=t.input.charCodeAt(++t.position);if(35===n){do{n=t.input.charCodeAt(++t.position)}while(0!==n&&!rn(n));break}if(rn(n))break;for(e=t.position;0!==n&&!on(n);)n=t.input.charCodeAt(++t.position);r.push(t.input.slice(e,t.position))}0!==n&&_n(t),Pr.call(yn,i)?yn[i](t,i,r):mn(t,'unknown document directive "'+i+'"')}vn(t,!0,-1),0===t.lineIndent&&45===t.input.charCodeAt(t.position)&&45===t.input.charCodeAt(t.position+1)&&45===t.input.charCodeAt(t.position+2)?(t.position+=3,vn(t,!0,-1)):a&&gn(t,"directives end mark is expected"),Fn(t,t.lineIndent-1,Ur,!1,!0),vn(t,!0,-1),t.checkLineBreaks&&Jr.test(t.input.slice(o,t.position))&&mn(t,"non-ASCII line breaks are interpreted as content"),t.documents.push(t.result),t.position===t.lineStart&&kn(t)?46===t.input.charCodeAt(t.position)&&(t.position+=3,vn(t,!0,-1)):t.position<t.length-1&&gn(t,"end of the stream or a document separator is expected")}function An(t,e){e=e||{},0!==(t=String(t)).length&&(10!==t.charCodeAt(t.length-1)&&13!==t.charCodeAt(t.length-1)&&(t+="\n"),65279===t.charCodeAt(0)&&(t=t.slice(1)));var i=new fn(t,e),r=t.indexOf("\0");for(-1!==r&&(i.position=r,gn(i,"null byte is not allowed in input")),i.input+="\0";32===i.input.charCodeAt(i.position);)i.lineIndent+=1,i.position+=1;for(;i.position<i.length-1;)Ln(i);return i.documents}var Mn=Sr,En={loadAll:function(t,e,i){null!==e&&"object"==typeof e&&void 0===i&&(i=e,e=null);var r=An(t,i);if("function"!=typeof e)return r;for(var n=0,o=r.length;n<o;n+=1)e(r[n])},load:function(t,e){var i=An(t,e);if(0!==i.length){if(1===i.length)return i[0];throw new lr("expected a single document in the stream, but found more")}}}.load;const Nn=t=>t.replace(/\r\n?/g,"\n").replace(/<(\w+)([^>]*)>/g,((t,e,i)=>"<"+e+i.replace(/="([^"]*)"/g,"='$1'")+">")),jn=t=>{const{text:e,metadata:i}=function(t){const e=t.match(qt);if(!e)return{text:t,metadata:{}};let i=En(e[1],{schema:Mn})??{};i="object"!=typeof i||Array.isArray(i)?{}:i;const r={};return i.displayMode&&(r.displayMode=i.displayMode.toString()),i.title&&(r.title=i.title.toString()),i.config&&(r.config=i.config),{text:t.slice(e[0].length),metadata:r}}(t),{displayMode:r,title:n,config:o={}}=i;return r&&(o.gantt||(o.gantt={}),o.gantt.displayMode=r),{title:n,config:o,text:e}},Zn=t=>{const e=ye.detectInit(t)??{},i=ye.detectDirective(t,"wrap");return Array.isArray(i)?e.wrap=i.some((({type:t})=>{})):"wrap"===(null==i?void 0:i.type)&&(e.wrap=!0),{text:(r=t,r.replace($t,"")),directive:e};var r};const In=["foreignobject"],On=["dominant-baseline"];function Dn(t){const e=function(t){const e=Nn(t),i=jn(e),r=Zn(i.text),n=me(i.config,r.directive);return{code:t=rr(r.text),title:i.title,config:n}}(t);return Ae(),Le(e.config??{}),e}const qn=function(t){return t.replace(/\ufb02\xb0\xb0/g,"&#").replace(/\ufb02\xb0/g,"&").replace(/\xb6\xdf/g,";")},$n=(t,e,i=[])=>`\n.${t} ${e} { ${i.join(" !important; ")} !important; }`,zn=(t,e,i,r)=>{const n=((t,e={})=>{var i;let r="";if(void 0!==t.themeCSS&&(r+=`\n${t.themeCSS}`),void 0!==t.fontFamily&&(r+=`\n:root { --mermaid-font-family: ${t.fontFamily}}`),void 0!==t.altFontFamily&&(r+=`\n:root { --mermaid-alt-font-family: ${t.altFontFamily}}`),!(0,ot.Z)(e)){const n=t.htmlLabels||(null==(i=t.flowchart)?void 0:i.htmlLabels)?["> *","span"]:["rect","polygon","ellipse","circle","path"];for(const t in e){const i=e[t];(0,ot.Z)(i.styles)||n.forEach((t=>{r+=$n(i.id,t,i.styles)})),(0,ot.Z)(i.textStyles)||(r+=$n(i.id,"tspan",i.textStyles))}}return r})(t,i);return M(tt(`${r}{${pi(e,n,t.themeVariables)}}`),E)},Pn=(t,e,i,r,n)=>{const o=t.append("div");o.attr("id",i),r&&o.attr("style",r);const a=o.append("svg").attr("id",e).attr("width","100%").attr("xmlns","http://www.w3.org/2000/svg");return n&&a.attr("xmlns:xlink",n),a.append("g"),t};function Rn(t,e){return t.append("iframe").attr("id",e).attr("style","width: 100%; height: 100%;").attr("sandbox","")}const Hn=Object.freeze({render:async function(t,e,i){var r,n,o,l,c,h;Ji();const u=Dn(e);e=u.code;const d=Be();st.debug(d),e.length>((null==d?void 0:d.maxTextSize)??5e4)&&(e="graph TB;a[Maximum text size in diagram exceeded];style a fill:#faa");const f="#"+t,p="i"+t,g="#"+p,m="d"+t,y="#"+m;let x=(0,a.Ys)("body");const b="sandbox"===d.securityLevel,C="loose"===d.securityLevel,_=d.fontFamily;if(void 0!==i){if(i&&(i.innerHTML=""),b){const t=Rn((0,a.Ys)(i),p);x=(0,a.Ys)(t.nodes()[0].contentDocument.body),x.node().style.margin=0}else x=(0,a.Ys)(i);Pn(x,t,m,`font-family: ${_}`,"http://www.w3.org/1999/xlink")}else{if(((t,e,i,r)=>{var n,o,a;null==(n=t.getElementById(e))||n.remove(),null==(o=t.getElementById(i))||o.remove(),null==(a=t.getElementById(r))||a.remove()})(document,t,m,p),b){const t=Rn((0,a.Ys)("body"),p);x=(0,a.Ys)(t.nodes()[0].contentDocument.body),x.node().style.margin=0}else x=(0,a.Ys)("body");Pn(x,t,m)}let v,k;e=function(t){let e=t;return e=e.replace(/style.*:\S*#.*;/g,(function(t){return t.substring(0,t.length-1)})),e=e.replace(/classDef.*:\S*#.*;/g,(function(t){return t.substring(0,t.length-1)})),e=e.replace(/#\w+;/g,(function(t){const e=t.substring(1,t.length-1);return/^\+?\d+$/.test(e)?"\ufb02\xb0\xb0"+e+"\xb6\xdf":"\ufb02\xb0"+e+"\xb6\xdf"})),e}(e);try{v=await Ki(e,{title:u.title})}catch(j){v=new Qi("error"),k=j}const T=x.select(y).node(),w=v.type,S=T.firstChild,B=S.firstChild,F=null==(n=(r=v.renderer).getClasses)?void 0:n.call(r,e,v),L=zn(d,w,F,f),A=document.createElement("style");A.innerHTML=L,S.insertBefore(A,B);try{await v.renderer.draw(e,t,xe,v)}catch(Z){throw $i.draw(e,t,xe),Z}!function(t,e,i,r){(function(t,e){t.attr("role",ir),""!==e&&t.attr("aria-roledescription",e)})(e,t),function(t,e,i,r){if(void 0!==t.insert){if(i){const e=`chart-desc-${r}`;t.attr("aria-describedby",e),t.insert("desc",":first-child").attr("id",e).text(i)}if(e){const i=`chart-title-${r}`;t.attr("aria-labelledby",i),t.insert("title",":first-child").attr("id",i).text(e)}}}(e,i,r,e.attr("id"))}(w,x.select(`${y} svg`),null==(l=(o=v.db).getAccTitle)?void 0:l.call(o),null==(h=(c=v.db).getAccDescription)?void 0:h.call(c)),x.select(`[id="${t}"]`).selectAll("foreignobject > *").attr("xmlns","http://www.w3.org/1999/xhtml");let M=x.select(y).node().innerHTML;if(st.debug("config.arrowMarkerAbsolute",d.arrowMarkerAbsolute),M=((t="",e,i)=>{let r=t;return i||e||(r=r.replace(/marker-end="url\([\d+./:=?A-Za-z-]*?#/g,'marker-end="url(#')),r=qn(r),r=r.replace(/<br>/g,"<br/>"),r})(M,b,mt(d.arrowMarkerAbsolute)),b){M=((t="",e)=>{var i,r;return`<iframe style="width:100%;height:${(null==(r=null==(i=null==e?void 0:e.viewBox)?void 0:i.baseVal)?void 0:r.height)?e.viewBox.baseVal.height+"px":"100%"};border:0;margin:0;" src="data:text/html;base64,${btoa('<body style="margin:0">'+t+"</body>")}" sandbox="allow-top-navigation-by-user-activation allow-popups">\n The "iframe" tag is not supported by your browser.\n</iframe>`})(M,x.select(y+" svg").node())}else C||(M=s.sanitize(M,{ADD_TAGS:In,ADD_ATTR:On}));if(tr.forEach((t=>{t()})),tr=[],k)throw k;const E=b?g:y,N=(0,a.Ys)(E).node();return N&&"remove"in N&&N.remove(),{svg:M,bindFunctions:v.db.bindFunctions}},parse:async function(t,e){Ji(),t=Dn(t).code;try{await Ki(t)}catch(i){if(null==e?void 0:e.suppressErrors)return!1;throw i}return!0},getDiagramFromText:Ki,initialize:function(t={}){var e;(null==t?void 0:t.fontFamily)&&!(null==(e=t.themeVariables)?void 0:e.fontFamily)&&(t.themeVariables||(t.themeVariables={}),t.themeVariables.fontFamily=t.fontFamily),Ce=Vt({},t),(null==t?void 0:t.theme)&&t.theme in Mt?t.themeVariables=Mt[t.theme].getThemeVariables(t.themeVariables):t&&(t.themeVariables=Mt.default.getThemeVariables(t.themeVariables));const i="object"==typeof t?(t=>(_e=Vt({},be),_e=Vt(_e,t),t.theme&&Mt[t.theme]&&(_e.themeVariables=Mt[t.theme].getThemeVariables(t.themeVariables)),Te(_e,ve),_e))(t):we();lt(i.logLevel),Ji()},getConfig:Be,setConfig:Se,getSiteConfig:we,updateSiteConfig:t=>(_e=Vt(_e,t),Te(_e,ve),_e),reset:()=>{Ae()},globalReset:()=>{Ae(be)},defaultConfig:be});lt(Be().logLevel),Ae(Be());const Wn=(t,e,i)=>{st.warn(t),pe(t)?(i&&i(t.str,t.hash),e.push({...t,message:t.str,error:t})):(i&&i(t),t instanceof Error&&e.push({str:t.message,message:t.message,hash:t.name,error:t}))},Un=async function(t={querySelector:".mermaid"}){try{await Yn(t)}catch(e){if(pe(e)&&st.error(e.str),to.parseError&&to.parseError(e),!t.suppressErrors)throw st.error("Use the suppressErrors option to suppress these errors"),e}},Yn=async function({postRenderCallback:t,querySelector:e,nodes:i}={querySelector:".mermaid"}){const n=Hn.getConfig();let o;if(st.debug((t?"":"No ")+"Callback function found"),i)o=i;else{if(!e)throw new Error("Nodes and querySelector are both undefined");o=document.querySelectorAll(e)}st.debug(`Found ${o.length} diagrams`),void 0!==(null==n?void 0:n.startOnLoad)&&(st.debug("Start On Load: "+(null==n?void 0:n.startOnLoad)),Hn.updateSiteConfig({startOnLoad:null==n?void 0:n.startOnLoad}));const a=new ye.InitIDGenerator(n.deterministicIds,n.deterministicIDSeed);let s;const l=[];for(const h of Array.from(o)){if(st.info("Rendering diagram: "+h.id),h.getAttribute("data-processed"))continue;h.setAttribute("data-processed","true");const e=`mermaid-${a.next()}`;s=h.innerHTML,s=(0,r.Z)(ye.entityDecode(s)).trim().replace(/<br\s*\/?>/gi,"<br/>");const i=ye.detectInit(s);i&&st.debug("Detected early reinit: ",i);try{const{svg:i,bindFunctions:r}=await Kn(e,s,h);h.innerHTML=i,t&&await t(e),r&&r(h)}catch(c){Wn(c,l,to.parseError)}}if(l.length>0)throw l[0]},Vn=function(t){Hn.initialize(t)},Gn=function(){if(to.startOnLoad){const{startOnLoad:t}=Hn.getConfig();t&&to.run().catch((t=>st.error("Mermaid failed to initialize",t)))}};"undefined"!=typeof document&&window.addEventListener("load",Gn,!1);const Xn=[];let Jn=!1;const Qn=async()=>{if(!Jn){for(Jn=!0;Xn.length>0;){const e=Xn.shift();if(e)try{await e()}catch(t){st.error("Error executing queue",t)}}Jn=!1}},Kn=(t,e,i)=>new Promise(((r,n)=>{Xn.push((()=>new Promise(((o,a)=>{Hn.render(t,e,i).then((t=>{o(t),r(t)}),(t=>{var e;st.error("Error parsing",t),null==(e=to.parseError)||e.call(to,t),a(t),n(t)}))})))),Qn().catch(n)})),to={startOnLoad:!0,mermaidAPI:Hn,parse:async(t,e)=>new Promise(((i,r)=>{Xn.push((()=>new Promise(((n,o)=>{Hn.parse(t,e).then((t=>{n(t),i(t)}),(t=>{var e;st.error("Error parsing",t),null==(e=to.parseError)||e.call(to,t),o(t),r(t)}))})))),Qn().catch(r)})),render:Kn,init:async function(t,e,i){st.warn("mermaid.init is deprecated. Please use run instead."),t&&Vn(t);const r={postRenderCallback:i,querySelector:".mermaid"};"string"==typeof e?r.querySelector=e:e&&(e instanceof HTMLElement?r.nodes=[e]:r.nodes=e),await Un(r)},run:Un,registerExternalDiagrams:async(t,{lazyLoad:e=!0}={})=>{Wt(...t),!1===e&&await(async()=>{st.debug("Loading registered diagrams");const t=(await Promise.allSettled(Object.entries(Rt).map((async([t,{detector:e,loader:i}])=>{if(i)try{Ii(t)}catch(r){try{const{diagram:t,id:r}=await i();Zi(r,t,e)}catch(n){throw st.error(`Failed to load external diagram with key ${t}. Removing from detectors.`),delete Rt[t],n}}})))).filter((t=>"rejected"===t.status));if(t.length>0){st.error(`Failed to load ${t.length} external diagrams`);for(const e of t)st.error(e);throw new Error(`Failed to load ${t.length} external diagrams`)}})()},initialize:Vn,parseError:void 0,contentLoaded:Gn,setParseErrorHandler:function(t){to.parseError=t},detectType:Ht}}}]); \ No newline at end of file diff --git a/assets/js/7837.35b3df6a.js.LICENSE.txt b/assets/js/7236.ac67632c.js.LICENSE.txt similarity index 100% rename from assets/js/7837.35b3df6a.js.LICENSE.txt rename to assets/js/7236.ac67632c.js.LICENSE.txt diff --git a/assets/js/72e14192.55e09fa8.js b/assets/js/72e14192.55e09fa8.js deleted file mode 100644 index 7bb1717c2..000000000 --- a/assets/js/72e14192.55e09fa8.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7239],{1658:(e,t,n)=>{n.r(t),n.d(t,{assets:()=>l,contentTitle:()=>a,default:()=>h,frontMatter:()=>r,metadata:()=>o,toc:()=>c});var s=n(5893),i=n(1151);const r={title:"Quick-Start Guide"},a=void 0,o={id:"quick-start",title:"Quick-Start Guide",description:"This guide will help you quickly launch a cluster with default options. The installation section covers in greater detail how K3s can be set up.",source:"@site/docs/quick-start.md",sourceDirName:".",slug:"/quick-start",permalink:"/quick-start",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/quick-start.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Quick-Start Guide"},sidebar:"mySidebar",previous:{title:"K3s - Lightweight Kubernetes",permalink:"/"},next:{title:"Installation",permalink:"/installation/"}},l={},c=[{value:"Install Script",id:"install-script",level:2}];function d(e){const t={a:"a",admonition:"admonition",code:"code",h2:"h2",li:"li",p:"p",pre:"pre",ul:"ul",...(0,i.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsxs)(t.p,{children:["This guide will help you quickly launch a cluster with default options. The ",(0,s.jsx)(t.a,{href:"/installation/",children:"installation section"})," covers in greater detail how K3s can be set up."]}),"\n",(0,s.jsxs)(t.p,{children:["Make sure your nodes meet the ",(0,s.jsx)(t.a,{href:"/installation/requirements",children:"requirements"})," before proceeding."]}),"\n",(0,s.jsxs)(t.p,{children:["For information on how K3s components work together, refer to the ",(0,s.jsx)(t.a,{href:"/architecture",children:"architecture section."})]}),"\n",(0,s.jsx)(t.admonition,{type:"info",children:(0,s.jsxs)(t.p,{children:["New to Kubernetes? The official Kubernetes docs already have some great tutorials outlining the basics ",(0,s.jsx)(t.a,{href:"https://kubernetes.io/docs/tutorials/kubernetes-basics/",children:"here"}),"."]})}),"\n",(0,s.jsx)(t.h2,{id:"install-script",children:"Install Script"}),"\n",(0,s.jsxs)(t.p,{children:["K3s provides an installation script that is a convenient way to install it as a service on systemd or openrc based systems. This script is available at ",(0,s.jsx)(t.a,{href:"https://get.k3s.io",children:"https://get.k3s.io"}),". To install K3s using this method, just run:"]}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | sh -\n"})}),"\n",(0,s.jsx)(t.p,{children:"After running this installation:"}),"\n",(0,s.jsxs)(t.ul,{children:["\n",(0,s.jsx)(t.li,{children:"The K3s service will be configured to automatically restart after node reboots or if the process crashes or is killed"}),"\n",(0,s.jsxs)(t.li,{children:["Additional utilities will be installed, including ",(0,s.jsx)(t.code,{children:"kubectl"}),", ",(0,s.jsx)(t.code,{children:"crictl"}),", ",(0,s.jsx)(t.code,{children:"ctr"}),", ",(0,s.jsx)(t.code,{children:"k3s-killall.sh"}),", and ",(0,s.jsx)(t.code,{children:"k3s-uninstall.sh"})]}),"\n",(0,s.jsxs)(t.li,{children:["A ",(0,s.jsx)(t.a,{href:"https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/",children:"kubeconfig"})," file will be written to ",(0,s.jsx)(t.code,{children:"/etc/rancher/k3s/k3s.yaml"})," and the kubectl installed by K3s will automatically use it"]}),"\n"]}),"\n",(0,s.jsx)(t.p,{children:"A single-node server installation is a fully-functional Kubernetes cluster, including all the datastore, control-plane, kubelet, and container runtime components necessary to host workload pods. It is not necessary to add additional server or agents nodes, but you may want to do so to add additional capacity or redundancy to your cluster."}),"\n",(0,s.jsxs)(t.p,{children:["To install additional agent nodes and add them to the cluster, run the installation script with the ",(0,s.jsx)(t.code,{children:"K3S_URL"})," and ",(0,s.jsx)(t.code,{children:"K3S_TOKEN"})," environment variables. Here is an example showing how to join an agent:"]}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | K3S_URL=https://myserver:6443 K3S_TOKEN=mynodetoken sh -\n"})}),"\n",(0,s.jsxs)(t.p,{children:["Setting the ",(0,s.jsx)(t.code,{children:"K3S_URL"})," parameter causes the installer to configure K3s as an agent, instead of a server. The K3s agent will register with the K3s server listening at the supplied URL. The value to use for ",(0,s.jsx)(t.code,{children:"K3S_TOKEN"})," is stored at ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/node-token"})," on your server node."]}),"\n",(0,s.jsx)(t.admonition,{type:"note",children:(0,s.jsxs)(t.p,{children:["Each machine must have a unique hostname. If your machines do not have unique hostnames, pass the ",(0,s.jsx)(t.code,{children:"K3S_NODE_NAME"})," environment variable and provide a value with a valid and unique hostname for each node."]})}),"\n",(0,s.jsxs)(t.p,{children:["If interested in having more server nodes, see ",(0,s.jsx)(t.a,{href:"/datastore/ha-embedded",children:"High Availability Embedded etcd"})," and ",(0,s.jsx)(t.a,{href:"/datastore/ha",children:"High Availability External DB"})," pages for more information."]})]})}function h(e={}){const{wrapper:t}={...(0,i.a)(),...e.components};return t?(0,s.jsx)(t,{...e,children:(0,s.jsx)(d,{...e})}):d(e)}},1151:(e,t,n)=>{n.d(t,{Z:()=>o,a:()=>a});var s=n(7294);const i={},r=s.createContext(i);function a(e){const t=s.useContext(r);return s.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function o(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(i):e.components||i:a(e.components),s.createElement(r.Provider,{value:t},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/72e14192.7465fa8f.js b/assets/js/72e14192.7465fa8f.js new file mode 100644 index 000000000..747c3135b --- /dev/null +++ b/assets/js/72e14192.7465fa8f.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7239],{1658:(e,t,n)=>{n.r(t),n.d(t,{assets:()=>l,contentTitle:()=>a,default:()=>h,frontMatter:()=>r,metadata:()=>o,toc:()=>c});var s=n(5893),i=n(1151);const r={title:"Quick-Start Guide"},a=void 0,o={id:"quick-start",title:"Quick-Start Guide",description:"This guide will help you quickly launch a cluster with default options. The installation section covers in greater detail how K3s can be set up.",source:"@site/docs/quick-start.md",sourceDirName:".",slug:"/quick-start",permalink:"/quick-start",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/quick-start.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Quick-Start Guide"},sidebar:"mySidebar",previous:{title:"K3s - Lightweight Kubernetes",permalink:"/"},next:{title:"Installation",permalink:"/installation/"}},l={},c=[{value:"Install Script",id:"install-script",level:2}];function d(e){const t={a:"a",admonition:"admonition",code:"code",h2:"h2",li:"li",p:"p",pre:"pre",ul:"ul",...(0,i.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsxs)(t.p,{children:["This guide will help you quickly launch a cluster with default options. The ",(0,s.jsx)(t.a,{href:"/installation/",children:"installation section"})," covers in greater detail how K3s can be set up."]}),"\n",(0,s.jsxs)(t.p,{children:["Make sure your nodes meet the ",(0,s.jsx)(t.a,{href:"/installation/requirements",children:"requirements"})," before proceeding."]}),"\n",(0,s.jsxs)(t.p,{children:["For information on how K3s components work together, refer to the ",(0,s.jsx)(t.a,{href:"/architecture",children:"architecture section."})]}),"\n",(0,s.jsx)(t.admonition,{type:"info",children:(0,s.jsxs)(t.p,{children:["New to Kubernetes? The official Kubernetes docs already have some great tutorials outlining the basics ",(0,s.jsx)(t.a,{href:"https://kubernetes.io/docs/tutorials/kubernetes-basics/",children:"here"}),"."]})}),"\n",(0,s.jsx)(t.h2,{id:"install-script",children:"Install Script"}),"\n",(0,s.jsxs)(t.p,{children:["K3s provides an installation script that is a convenient way to install it as a service on systemd or openrc based systems. This script is available at ",(0,s.jsx)(t.a,{href:"https://get.k3s.io",children:"https://get.k3s.io"}),". To install K3s using this method, just run:"]}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | sh -\n"})}),"\n",(0,s.jsx)(t.p,{children:"After running this installation:"}),"\n",(0,s.jsxs)(t.ul,{children:["\n",(0,s.jsx)(t.li,{children:"The K3s service will be configured to automatically restart after node reboots or if the process crashes or is killed"}),"\n",(0,s.jsxs)(t.li,{children:["Additional utilities will be installed, including ",(0,s.jsx)(t.code,{children:"kubectl"}),", ",(0,s.jsx)(t.code,{children:"crictl"}),", ",(0,s.jsx)(t.code,{children:"ctr"}),", ",(0,s.jsx)(t.code,{children:"k3s-killall.sh"}),", and ",(0,s.jsx)(t.code,{children:"k3s-uninstall.sh"})]}),"\n",(0,s.jsxs)(t.li,{children:["A ",(0,s.jsx)(t.a,{href:"https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/",children:"kubeconfig"})," file will be written to ",(0,s.jsx)(t.code,{children:"/etc/rancher/k3s/k3s.yaml"})," and the kubectl installed by K3s will automatically use it"]}),"\n"]}),"\n",(0,s.jsx)(t.p,{children:"A single-node server installation is a fully-functional Kubernetes cluster, including all the datastore, control-plane, kubelet, and container runtime components necessary to host workload pods. It is not necessary to add additional server or agents nodes, but you may want to do so to add additional capacity or redundancy to your cluster."}),"\n",(0,s.jsxs)(t.p,{children:["To install additional agent nodes and add them to the cluster, run the installation script with the ",(0,s.jsx)(t.code,{children:"K3S_URL"})," and ",(0,s.jsx)(t.code,{children:"K3S_TOKEN"})," environment variables. Here is an example showing how to join an agent:"]}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | K3S_URL=https://myserver:6443 K3S_TOKEN=mynodetoken sh -\n"})}),"\n",(0,s.jsxs)(t.p,{children:["Setting the ",(0,s.jsx)(t.code,{children:"K3S_URL"})," parameter causes the installer to configure K3s as an agent, instead of a server. The K3s agent will register with the K3s server listening at the supplied URL. The value to use for ",(0,s.jsx)(t.code,{children:"K3S_TOKEN"})," is stored at ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/node-token"})," on your server node."]}),"\n",(0,s.jsx)(t.admonition,{type:"note",children:(0,s.jsxs)(t.p,{children:["Each machine must have a unique hostname. If your machines do not have unique hostnames, pass the ",(0,s.jsx)(t.code,{children:"K3S_NODE_NAME"})," environment variable and provide a value with a valid and unique hostname for each node."]})}),"\n",(0,s.jsxs)(t.p,{children:["If interested in having more server nodes, see ",(0,s.jsx)(t.a,{href:"/datastore/ha-embedded",children:"High Availability Embedded etcd"})," and ",(0,s.jsx)(t.a,{href:"/datastore/ha",children:"High Availability External DB"})," pages for more information."]})]})}function h(e={}){const{wrapper:t}={...(0,i.a)(),...e.components};return t?(0,s.jsx)(t,{...e,children:(0,s.jsx)(d,{...e})}):d(e)}},1151:(e,t,n)=>{n.d(t,{Z:()=>o,a:()=>a});var s=n(7294);const i={},r=s.createContext(i);function a(e){const t=s.useContext(r);return s.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function o(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(i):e.components||i:a(e.components),s.createElement(r.Provider,{value:t},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/763.f91b6550.js b/assets/js/763.ca021dac.js similarity index 99% rename from kr/assets/js/763.f91b6550.js rename to assets/js/763.ca021dac.js index 5e0ecc115..aa5eef673 100644 --- a/kr/assets/js/763.f91b6550.js +++ b/assets/js/763.ca021dac.js @@ -1898,7 +1898,7 @@ function preorder(g, vs) { } // EXTERNAL MODULE: ./node_modules/dagre-d3-es/src/graphlib/graph.js + 9 modules -var graph = __webpack_require__(2544); +var graph = __webpack_require__(4404); ;// CONCATENATED MODULE: ./node_modules/dagre-d3-es/src/graphlib/alg/prim.js @@ -4461,7 +4461,7 @@ function canonicalize(attrs) { /***/ }), -/***/ 2544: +/***/ 4404: /***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => { @@ -5274,7 +5274,7 @@ function edgeObjToId(isDirected, edgeObj) { /* harmony export */ k: () => (/* reexport safe */ _graph_js__WEBPACK_IMPORTED_MODULE_0__.k) /* harmony export */ }); /* unused harmony export version */ -/* harmony import */ var _graph_js__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(2544); +/* harmony import */ var _graph_js__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(4404); // Includes only the "core" of graphlib @@ -5342,7 +5342,7 @@ function clone(value) { // EXTERNAL MODULE: ./node_modules/lodash-es/map.js var map = __webpack_require__(3836); // EXTERNAL MODULE: ./node_modules/dagre-d3-es/src/graphlib/graph.js + 9 modules -var graph = __webpack_require__(2544); +var graph = __webpack_require__(4404); ;// CONCATENATED MODULE: ./node_modules/dagre-d3-es/src/graphlib/json.js diff --git a/assets/js/7837.35b3df6a.js b/assets/js/7837.35b3df6a.js deleted file mode 100644 index dfbec2a38..000000000 --- a/assets/js/7837.35b3df6a.js +++ /dev/null @@ -1,2 +0,0 @@ -/*! For license information please see 7837.35b3df6a.js.LICENSE.txt */ -(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7837],{7967:(t,e)=>{"use strict";e.Nm=e.Rq=void 0;var i=/^([^\w]*)(javascript|data|vbscript)/im,r=/&#(\w+)(^\w|;)?/g,n=/&(newline|tab);/gi,o=/[\u0000-\u001F\u007F-\u009F\u2000-\u200D\uFEFF]/gim,a=/^.+(:|:)/gim,s=[".","/"];e.Rq="about:blank",e.Nm=function(t){if(!t)return e.Rq;var l,c=(l=t,l.replace(o,"").replace(r,(function(t,e){return String.fromCharCode(e)}))).replace(n,"").replace(o,"").trim();if(!c)return e.Rq;if(function(t){return s.indexOf(t[0])>-1}(c))return c;var h=c.match(a);if(!h)return c;var u=h[0];return i.test(u)?e.Rq:c}},9047:(t,e,i)=>{"use strict";i.d(e,{Z:()=>L});var r=i(7294),n=i(5893);function o(t){const{mdxAdmonitionTitle:e,rest:i}=function(t){const e=r.Children.toArray(t),i=e.find((t=>r.isValidElement(t)&&"mdxAdmonitionTitle"===t.type)),o=e.filter((t=>t!==i)),a=i?.props.children;return{mdxAdmonitionTitle:a,rest:o.length>0?(0,n.jsx)(n.Fragment,{children:o}):null}}(t.children),o=t.title??e;return{...t,...o&&{title:o},children:i}}var a=i(512),s=i(5999),l=i(5281);const c={admonition:"admonition_xJq3",admonitionHeading:"admonitionHeading_Gvgb",admonitionIcon:"admonitionIcon_Rf37",admonitionContent:"admonitionContent_BuS1"};function h(t){let{type:e,className:i,children:r}=t;return(0,n.jsx)("div",{className:(0,a.Z)(l.k.common.admonition,l.k.common.admonitionType(e),c.admonition,i),children:r})}function u(t){let{icon:e,title:i}=t;return(0,n.jsxs)("div",{className:c.admonitionHeading,children:[(0,n.jsx)("span",{className:c.admonitionIcon,children:e}),i]})}function d(t){let{children:e}=t;return e?(0,n.jsx)("div",{className:c.admonitionContent,children:e}):null}function f(t){const{type:e,icon:i,title:r,children:o,className:a}=t;return(0,n.jsxs)(h,{type:e,className:a,children:[r||i?(0,n.jsx)(u,{title:r,icon:i}):null,(0,n.jsx)(d,{children:o})]})}function p(t){return(0,n.jsx)("svg",{viewBox:"0 0 14 16",...t,children:(0,n.jsx)("path",{fillRule:"evenodd",d:"M6.3 5.69a.942.942 0 0 1-.28-.7c0-.28.09-.52.28-.7.19-.18.42-.28.7-.28.28 0 .52.09.7.28.18.19.28.42.28.7 0 .28-.09.52-.28.7a1 1 0 0 1-.7.3c-.28 0-.52-.11-.7-.3zM8 7.99c-.02-.25-.11-.48-.31-.69-.2-.19-.42-.3-.69-.31H6c-.27.02-.48.13-.69.31-.2.2-.3.44-.31.69h1v3c.02.27.11.5.31.69.2.2.42.31.69.31h1c.27 0 .48-.11.69-.31.2-.19.3-.42.31-.69H8V7.98v.01zM7 2.3c-3.14 0-5.7 2.54-5.7 5.68 0 3.14 2.56 5.7 5.7 5.7s5.7-2.55 5.7-5.7c0-3.15-2.56-5.69-5.7-5.69v.01zM7 .98c3.86 0 7 3.14 7 7s-3.14 7-7 7-7-3.12-7-7 3.14-7 7-7z"})})}const g={icon:(0,n.jsx)(p,{}),title:(0,n.jsx)(s.Z,{id:"theme.admonition.note",description:"The default label used for the Note admonition (:::note)",children:"note"})};function m(t){return(0,n.jsx)(f,{...g,...t,className:(0,a.Z)("alert alert--secondary",t.className),children:t.children})}function y(t){return(0,n.jsx)("svg",{viewBox:"0 0 12 16",...t,children:(0,n.jsx)("path",{fillRule:"evenodd",d:"M6.5 0C3.48 0 1 2.19 1 5c0 .92.55 2.25 1 3 1.34 2.25 1.78 2.78 2 4v1h5v-1c.22-1.22.66-1.75 2-4 .45-.75 1-2.08 1-3 0-2.81-2.48-5-5.5-5zm3.64 7.48c-.25.44-.47.8-.67 1.11-.86 1.41-1.25 2.06-1.45 3.23-.02.05-.02.11-.02.17H5c0-.06 0-.13-.02-.17-.2-1.17-.59-1.83-1.45-3.23-.2-.31-.42-.67-.67-1.11C2.44 6.78 2 5.65 2 5c0-2.2 2.02-4 4.5-4 1.22 0 2.36.42 3.22 1.19C10.55 2.94 11 3.94 11 5c0 .66-.44 1.78-.86 2.48zM4 14h5c-.23 1.14-1.3 2-2.5 2s-2.27-.86-2.5-2z"})})}const x={icon:(0,n.jsx)(y,{}),title:(0,n.jsx)(s.Z,{id:"theme.admonition.tip",description:"The default label used for the Tip admonition (:::tip)",children:"tip"})};function b(t){return(0,n.jsx)(f,{...x,...t,className:(0,a.Z)("alert alert--success",t.className),children:t.children})}function C(t){return(0,n.jsx)("svg",{viewBox:"0 0 14 16",...t,children:(0,n.jsx)("path",{fillRule:"evenodd",d:"M7 2.3c3.14 0 5.7 2.56 5.7 5.7s-2.56 5.7-5.7 5.7A5.71 5.71 0 0 1 1.3 8c0-3.14 2.56-5.7 5.7-5.7zM7 1C3.14 1 0 4.14 0 8s3.14 7 7 7 7-3.14 7-7-3.14-7-7-7zm1 3H6v5h2V4zm0 6H6v2h2v-2z"})})}const _={icon:(0,n.jsx)(C,{}),title:(0,n.jsx)(s.Z,{id:"theme.admonition.info",description:"The default label used for the Info admonition (:::info)",children:"info"})};function v(t){return(0,n.jsx)(f,{..._,...t,className:(0,a.Z)("alert alert--info",t.className),children:t.children})}function k(t){return(0,n.jsx)("svg",{viewBox:"0 0 16 16",...t,children:(0,n.jsx)("path",{fillRule:"evenodd",d:"M8.893 1.5c-.183-.31-.52-.5-.887-.5s-.703.19-.886.5L.138 13.499a.98.98 0 0 0 0 1.001c.193.31.53.501.886.501h13.964c.367 0 .704-.19.877-.5a1.03 1.03 0 0 0 .01-1.002L8.893 1.5zm.133 11.497H6.987v-2.003h2.039v2.003zm0-3.004H6.987V5.987h2.039v4.006z"})})}const T={icon:(0,n.jsx)(k,{}),title:(0,n.jsx)(s.Z,{id:"theme.admonition.warning",description:"The default label used for the Warning admonition (:::warning)",children:"warning"})};function w(t){return(0,n.jsx)("svg",{viewBox:"0 0 12 16",...t,children:(0,n.jsx)("path",{fillRule:"evenodd",d:"M5.05.31c.81 2.17.41 3.38-.52 4.31C3.55 5.67 1.98 6.45.9 7.98c-1.45 2.05-1.7 6.53 3.53 7.7-2.2-1.16-2.67-4.52-.3-6.61-.61 2.03.53 3.33 1.94 2.86 1.39-.47 2.3.53 2.27 1.67-.02.78-.31 1.44-1.13 1.81 3.42-.59 4.78-3.42 4.78-5.56 0-2.84-2.53-3.22-1.25-5.61-1.52.13-2.03 1.13-1.89 2.75.09 1.08-1.02 1.8-1.86 1.33-.67-.41-.66-1.19-.06-1.78C8.18 5.31 8.68 2.45 5.05.32L5.03.3l.02.01z"})})}const S={icon:(0,n.jsx)(w,{}),title:(0,n.jsx)(s.Z,{id:"theme.admonition.danger",description:"The default label used for the Danger admonition (:::danger)",children:"danger"})};const B={icon:(0,n.jsx)(k,{}),title:(0,n.jsx)(s.Z,{id:"theme.admonition.caution",description:"The default label used for the Caution admonition (:::caution)",children:"caution"})};const F={...{note:m,tip:b,info:v,warning:function(t){return(0,n.jsx)(f,{...T,...t,className:(0,a.Z)("alert alert--warning",t.className),children:t.children})},danger:function(t){return(0,n.jsx)(f,{...S,...t,className:(0,a.Z)("alert alert--danger",t.className),children:t.children})}},...{secondary:t=>(0,n.jsx)(m,{title:"secondary",...t}),important:t=>(0,n.jsx)(v,{title:"important",...t}),success:t=>(0,n.jsx)(b,{title:"success",...t}),caution:function(t){return(0,n.jsx)(f,{...B,...t,className:(0,a.Z)("alert alert--warning",t.className),children:t.children})}}};function L(t){const e=o(t),i=(r=e.type,F[r]||(console.warn(`No admonition component found for admonition type "${r}". Using Info as fallback.`),F.info));var r;return(0,n.jsx)(i,{...e})}},9666:(t,e,i)=>{"use strict";i.r(e),i.d(e,{default:()=>jt});var r=i(7294),n=i(1944),o=i(902),a=i(5893);const s=r.createContext(null);function l(t){let{children:e,content:i}=t;const n=function(t){return(0,r.useMemo)((()=>({metadata:t.metadata,frontMatter:t.frontMatter,assets:t.assets,contentTitle:t.contentTitle,toc:t.toc})),[t])}(i);return(0,a.jsx)(s.Provider,{value:n,children:e})}function c(){const t=(0,r.useContext)(s);if(null===t)throw new o.i6("DocProvider");return t}function h(){const{metadata:t,frontMatter:e,assets:i}=c();return(0,a.jsx)(n.d,{title:t.title,description:t.description,keywords:e.keywords,image:i.image??e.image})}var u=i(512),d=i(7524),f=i(5999),p=i(3692);function g(t){const{permalink:e,title:i,subLabel:r,isNext:n}=t;return(0,a.jsxs)(p.Z,{className:(0,u.Z)("pagination-nav__link",n?"pagination-nav__link--next":"pagination-nav__link--prev"),to:e,children:[r&&(0,a.jsx)("div",{className:"pagination-nav__sublabel",children:r}),(0,a.jsx)("div",{className:"pagination-nav__label",children:i})]})}function m(t){const{previous:e,next:i}=t;return(0,a.jsxs)("nav",{className:"pagination-nav docusaurus-mt-lg","aria-label":(0,f.I)({id:"theme.docs.paginator.navAriaLabel",message:"Docs pages",description:"The ARIA label for the docs pagination"}),children:[e&&(0,a.jsx)(g,{...e,subLabel:(0,a.jsx)(f.Z,{id:"theme.docs.paginator.previous",description:"The label used to navigate to the previous doc",children:"Previous"})}),i&&(0,a.jsx)(g,{...i,subLabel:(0,a.jsx)(f.Z,{id:"theme.docs.paginator.next",description:"The label used to navigate to the next doc",children:"Next"}),isNext:!0})]})}function y(){const{metadata:t}=c();return(0,a.jsx)(m,{previous:t.previous,next:t.next})}var x=i(2263),b=i(143),C=i(5281),_=i(373),v=i(4477);const k={unreleased:function(t){let{siteTitle:e,versionMetadata:i}=t;return(0,a.jsx)(f.Z,{id:"theme.docs.versions.unreleasedVersionLabel",description:"The label used to tell the user that he's browsing an unreleased doc version",values:{siteTitle:e,versionLabel:(0,a.jsx)("b",{children:i.label})},children:"This is unreleased documentation for {siteTitle} {versionLabel} version."})},unmaintained:function(t){let{siteTitle:e,versionMetadata:i}=t;return(0,a.jsx)(f.Z,{id:"theme.docs.versions.unmaintainedVersionLabel",description:"The label used to tell the user that he's browsing an unmaintained doc version",values:{siteTitle:e,versionLabel:(0,a.jsx)("b",{children:i.label})},children:"This is documentation for {siteTitle} {versionLabel}, which is no longer actively maintained."})}};function T(t){const e=k[t.versionMetadata.banner];return(0,a.jsx)(e,{...t})}function w(t){let{versionLabel:e,to:i,onClick:r}=t;return(0,a.jsx)(f.Z,{id:"theme.docs.versions.latestVersionSuggestionLabel",description:"The label used to tell the user to check the latest version",values:{versionLabel:e,latestVersionLink:(0,a.jsx)("b",{children:(0,a.jsx)(p.Z,{to:i,onClick:r,children:(0,a.jsx)(f.Z,{id:"theme.docs.versions.latestVersionLinkLabel",description:"The label used for the latest version suggestion link label",children:"latest version"})})})},children:"For up-to-date documentation, see the {latestVersionLink} ({versionLabel})."})}function S(t){let{className:e,versionMetadata:i}=t;const{siteConfig:{title:r}}=(0,x.Z)(),{pluginId:n}=(0,b.gA)({failfast:!0}),{savePreferredVersionName:o}=(0,_.J)(n),{latestDocSuggestion:s,latestVersionSuggestion:l}=(0,b.Jo)(n),c=s??(h=l).docs.find((t=>t.id===h.mainDocId));var h;return(0,a.jsxs)("div",{className:(0,u.Z)(e,C.k.docs.docVersionBanner,"alert alert--warning margin-bottom--md"),role:"alert",children:[(0,a.jsx)("div",{children:(0,a.jsx)(T,{siteTitle:r,versionMetadata:i})}),(0,a.jsx)("div",{className:"margin-top--md",children:(0,a.jsx)(w,{versionLabel:l.label,to:c.path,onClick:()=>o(l.name)})})]})}function B(t){let{className:e}=t;const i=(0,v.E)();return i.banner?(0,a.jsx)(S,{className:e,versionMetadata:i}):null}function F(t){let{className:e}=t;const i=(0,v.E)();return i.badge?(0,a.jsx)("span",{className:(0,u.Z)(e,C.k.docs.docVersionBadge,"badge badge--secondary"),children:(0,a.jsx)(f.Z,{id:"theme.docs.versionBadge.label",values:{versionLabel:i.label},children:"Version: {versionLabel}"})}):null}const L={tag:"tag_zVej",tagRegular:"tagRegular_sFm0",tagWithCount:"tagWithCount_h2kH"};function A(t){let{permalink:e,label:i,count:r,description:n}=t;return(0,a.jsxs)(p.Z,{href:e,title:n,className:(0,u.Z)(L.tag,r?L.tagWithCount:L.tagRegular),children:[i,r&&(0,a.jsx)("span",{children:r})]})}const M={tags:"tags_jXut",tag:"tag_QGVx"};function E(t){let{tags:e}=t;return(0,a.jsxs)(a.Fragment,{children:[(0,a.jsx)("b",{children:(0,a.jsx)(f.Z,{id:"theme.tags.tagsListLabel",description:"The label alongside a tag list",children:"Tags:"})}),(0,a.jsx)("ul",{className:(0,u.Z)(M.tags,"padding--none","margin-left--sm"),children:e.map((t=>(0,a.jsx)("li",{className:M.tag,children:(0,a.jsx)(A,{...t})},t.permalink)))})]})}const N={iconEdit:"iconEdit_Z9Sw"};function Z(t){let{className:e,...i}=t;return(0,a.jsx)("svg",{fill:"currentColor",height:"20",width:"20",viewBox:"0 0 40 40",className:(0,u.Z)(N.iconEdit,e),"aria-hidden":"true",...i,children:(0,a.jsx)("g",{children:(0,a.jsx)("path",{d:"m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"})})})}function j(t){let{editUrl:e}=t;return(0,a.jsxs)(p.Z,{to:e,className:C.k.common.editThisPage,children:[(0,a.jsx)(Z,{}),(0,a.jsx)(f.Z,{id:"theme.common.editThisPage",description:"The link label to edit the current page",children:"Edit this page"})]})}function I(t){void 0===t&&(t={});const{i18n:{currentLocale:e}}=(0,x.Z)(),i=function(){const{i18n:{currentLocale:t,localeConfigs:e}}=(0,x.Z)();return e[t].calendar}();return new Intl.DateTimeFormat(e,{calendar:i,...t})}function O(t){let{lastUpdatedAt:e}=t;const i=new Date(e),r=I({day:"numeric",month:"short",year:"numeric",timeZone:"UTC"}).format(i);return(0,a.jsx)(f.Z,{id:"theme.lastUpdated.atDate",description:"The words used to describe on which date a page has been last updated",values:{date:(0,a.jsx)("b",{children:(0,a.jsx)("time",{dateTime:i.toISOString(),itemProp:"dateModified",children:r})})},children:" on {date}"})}function D(t){let{lastUpdatedBy:e}=t;return(0,a.jsx)(f.Z,{id:"theme.lastUpdated.byUser",description:"The words used to describe by who the page has been last updated",values:{user:(0,a.jsx)("b",{children:e})},children:" by {user}"})}function q(t){let{lastUpdatedAt:e,lastUpdatedBy:i}=t;return(0,a.jsxs)("span",{className:C.k.common.lastUpdated,children:[(0,a.jsx)(f.Z,{id:"theme.lastUpdated.lastUpdatedAtBy",description:"The sentence used to display when a page has been last updated, and by who",values:{atDate:e?(0,a.jsx)(O,{lastUpdatedAt:e}):"",byUser:i?(0,a.jsx)(D,{lastUpdatedBy:i}):""},children:"Last updated{atDate}{byUser}"}),!1]})}const $={lastUpdated:"lastUpdated_JAkA"};function z(t){let{className:e,editUrl:i,lastUpdatedAt:r,lastUpdatedBy:n}=t;return(0,a.jsxs)("div",{className:(0,u.Z)("row",e),children:[(0,a.jsx)("div",{className:"col",children:i&&(0,a.jsx)(j,{editUrl:i})}),(0,a.jsx)("div",{className:(0,u.Z)("col",$.lastUpdated),children:(r||n)&&(0,a.jsx)(q,{lastUpdatedAt:r,lastUpdatedBy:n})})]})}function P(){const{metadata:t}=c(),{editUrl:e,lastUpdatedAt:i,lastUpdatedBy:r,tags:n}=t,o=n.length>0,s=!!(e||i||r);return o||s?(0,a.jsxs)("footer",{className:(0,u.Z)(C.k.docs.docFooter,"docusaurus-mt-lg"),children:[o&&(0,a.jsx)("div",{className:(0,u.Z)("row margin-top--sm",C.k.docs.docFooterTagsRow),children:(0,a.jsx)("div",{className:"col",children:(0,a.jsx)(E,{tags:n})})}),s&&(0,a.jsx)(z,{className:(0,u.Z)("margin-top--sm",C.k.docs.docFooterEditMetaRow),editUrl:e,lastUpdatedAt:i,lastUpdatedBy:r})]}):null}var R=i(6043),H=i(6668);function W(t){const e=t.map((t=>({...t,parentIndex:-1,children:[]}))),i=Array(7).fill(-1);e.forEach(((t,e)=>{const r=i.slice(2,t.level);t.parentIndex=Math.max(...r),i[t.level]=e}));const r=[];return e.forEach((t=>{const{parentIndex:i,...n}=t;i>=0?e[i].children.push(n):r.push(n)})),r}function U(t){let{toc:e,minHeadingLevel:i,maxHeadingLevel:r}=t;return e.flatMap((t=>{const e=U({toc:t.children,minHeadingLevel:i,maxHeadingLevel:r});return function(t){return t.level>=i&&t.level<=r}(t)?[{...t,children:e}]:e}))}function Y(t){const e=t.getBoundingClientRect();return e.top===e.bottom?Y(t.parentNode):e}function V(t,e){let{anchorTopOffset:i}=e;const r=t.find((t=>Y(t).top>=i));if(r){return function(t){return t.top>0&&t.bottom<window.innerHeight/2}(Y(r))?r:t[t.indexOf(r)-1]??null}return t[t.length-1]??null}function G(){const t=(0,r.useRef)(0),{navbar:{hideOnScroll:e}}=(0,H.L)();return(0,r.useEffect)((()=>{t.current=e?0:document.querySelector(".navbar").clientHeight}),[e]),t}function X(t){const e=(0,r.useRef)(void 0),i=G();(0,r.useEffect)((()=>{if(!t)return()=>{};const{linkClassName:r,linkActiveClassName:n,minHeadingLevel:o,maxHeadingLevel:a}=t;function s(){const t=function(t){return Array.from(document.getElementsByClassName(t))}(r),s=function(t){let{minHeadingLevel:e,maxHeadingLevel:i}=t;const r=[];for(let n=e;n<=i;n+=1)r.push(`h${n}.anchor`);return Array.from(document.querySelectorAll(r.join()))}({minHeadingLevel:o,maxHeadingLevel:a}),l=V(s,{anchorTopOffset:i.current}),c=t.find((t=>l&&l.id===function(t){return decodeURIComponent(t.href.substring(t.href.indexOf("#")+1))}(t)));t.forEach((t=>{!function(t,i){i?(e.current&&e.current!==t&&e.current.classList.remove(n),t.classList.add(n),e.current=t):t.classList.remove(n)}(t,t===c)}))}return document.addEventListener("scroll",s),document.addEventListener("resize",s),s(),()=>{document.removeEventListener("scroll",s),document.removeEventListener("resize",s)}}),[t,i])}function J(t){let{toc:e,className:i,linkClassName:r,isChild:n}=t;return e.length?(0,a.jsx)("ul",{className:n?void 0:i,children:e.map((t=>(0,a.jsxs)("li",{children:[(0,a.jsx)(p.Z,{to:`#${t.id}`,className:r??void 0,dangerouslySetInnerHTML:{__html:t.value}}),(0,a.jsx)(J,{isChild:!0,toc:t.children,className:i,linkClassName:r})]},t.id)))}):null}const Q=r.memo(J);function K(t){let{toc:e,className:i="table-of-contents table-of-contents__left-border",linkClassName:n="table-of-contents__link",linkActiveClassName:o,minHeadingLevel:s,maxHeadingLevel:l,...c}=t;const h=(0,H.L)(),u=s??h.tableOfContents.minHeadingLevel,d=l??h.tableOfContents.maxHeadingLevel,f=function(t){let{toc:e,minHeadingLevel:i,maxHeadingLevel:n}=t;return(0,r.useMemo)((()=>U({toc:W(e),minHeadingLevel:i,maxHeadingLevel:n})),[e,i,n])}({toc:e,minHeadingLevel:u,maxHeadingLevel:d});return X((0,r.useMemo)((()=>{if(n&&o)return{linkClassName:n,linkActiveClassName:o,minHeadingLevel:u,maxHeadingLevel:d}}),[n,o,u,d])),(0,a.jsx)(Q,{toc:f,className:i,linkClassName:n,...c})}const tt={tocCollapsibleButton:"tocCollapsibleButton_TO0P",tocCollapsibleButtonExpanded:"tocCollapsibleButtonExpanded_MG3E"};function et(t){let{collapsed:e,...i}=t;return(0,a.jsx)("button",{type:"button",...i,className:(0,u.Z)("clean-btn",tt.tocCollapsibleButton,!e&&tt.tocCollapsibleButtonExpanded,i.className),children:(0,a.jsx)(f.Z,{id:"theme.TOCCollapsible.toggleButtonLabel",description:"The label used by the button on the collapsible TOC component",children:"On this page"})})}const it={tocCollapsible:"tocCollapsible_ETCw",tocCollapsibleContent:"tocCollapsibleContent_vkbj",tocCollapsibleExpanded:"tocCollapsibleExpanded_sAul"};function rt(t){let{toc:e,className:i,minHeadingLevel:r,maxHeadingLevel:n}=t;const{collapsed:o,toggleCollapsed:s}=(0,R.u)({initialState:!0});return(0,a.jsxs)("div",{className:(0,u.Z)(it.tocCollapsible,!o&&it.tocCollapsibleExpanded,i),children:[(0,a.jsx)(et,{collapsed:o,onClick:s}),(0,a.jsx)(R.z,{lazy:!0,className:it.tocCollapsibleContent,collapsed:o,children:(0,a.jsx)(K,{toc:e,minHeadingLevel:r,maxHeadingLevel:n})})]})}const nt={tocMobile:"tocMobile_ITEo"};function ot(){const{toc:t,frontMatter:e}=c();return(0,a.jsx)(rt,{toc:t,minHeadingLevel:e.toc_min_heading_level,maxHeadingLevel:e.toc_max_heading_level,className:(0,u.Z)(C.k.docs.docTocMobile,nt.tocMobile)})}const at={tableOfContents:"tableOfContents_bqdL",docItemContainer:"docItemContainer_F8PC"},st="table-of-contents__link toc-highlight",lt="table-of-contents__link--active";function ct(t){let{className:e,...i}=t;return(0,a.jsx)("div",{className:(0,u.Z)(at.tableOfContents,"thin-scrollbar",e),children:(0,a.jsx)(K,{...i,linkClassName:st,linkActiveClassName:lt})})}function ht(){const{toc:t,frontMatter:e}=c();return(0,a.jsx)(ct,{toc:t,minHeadingLevel:e.toc_min_heading_level,maxHeadingLevel:e.toc_max_heading_level,className:C.k.docs.docTocDesktop})}var ut=i(2503),dt=i(1151),ft=i(1769);function pt(t){let{children:e}=t;return(0,a.jsx)(dt.Z,{components:ft.Z,children:e})}function gt(t){let{children:e}=t;const i=function(){const{metadata:t,frontMatter:e,contentTitle:i}=c();return e.hide_title||void 0!==i?null:t.title}();return(0,a.jsxs)("div",{className:(0,u.Z)(C.k.docs.docMarkdown,"markdown"),children:[i&&(0,a.jsx)("header",{children:(0,a.jsx)(ut.Z,{as:"h1",children:i})}),(0,a.jsx)(pt,{children:e})]})}var mt=i(3438),yt=i(8596),xt=i(4996);function bt(t){return(0,a.jsx)("svg",{viewBox:"0 0 24 24",...t,children:(0,a.jsx)("path",{d:"M10 19v-5h4v5c0 .55.45 1 1 1h3c.55 0 1-.45 1-1v-7h1.7c.46 0 .68-.57.33-.87L12.67 3.6c-.38-.34-.96-.34-1.34 0l-8.36 7.53c-.34.3-.13.87.33.87H5v7c0 .55.45 1 1 1h3c.55 0 1-.45 1-1z",fill:"currentColor"})})}const Ct={breadcrumbHomeIcon:"breadcrumbHomeIcon_YNFT"};function _t(){const t=(0,xt.ZP)("/");return(0,a.jsx)("li",{className:"breadcrumbs__item",children:(0,a.jsx)(p.Z,{"aria-label":(0,f.I)({id:"theme.docs.breadcrumbs.home",message:"Home page",description:"The ARIA label for the home page in the breadcrumbs"}),className:"breadcrumbs__link",href:t,children:(0,a.jsx)(bt,{className:Ct.breadcrumbHomeIcon})})})}const vt={breadcrumbsContainer:"breadcrumbsContainer_Z_bl"};function kt(t){let{children:e,href:i,isLast:r}=t;const n="breadcrumbs__link";return r?(0,a.jsx)("span",{className:n,itemProp:"name",children:e}):i?(0,a.jsx)(p.Z,{className:n,href:i,itemProp:"item",children:(0,a.jsx)("span",{itemProp:"name",children:e})}):(0,a.jsx)("span",{className:n,children:e})}function Tt(t){let{children:e,active:i,index:r,addMicrodata:n}=t;return(0,a.jsxs)("li",{...n&&{itemScope:!0,itemProp:"itemListElement",itemType:"https://schema.org/ListItem"},className:(0,u.Z)("breadcrumbs__item",{"breadcrumbs__item--active":i}),children:[e,(0,a.jsx)("meta",{itemProp:"position",content:String(r+1)})]})}function wt(){const t=(0,mt.s1)(),e=(0,yt.Ns)();return t?(0,a.jsx)("nav",{className:(0,u.Z)(C.k.docs.docBreadcrumbs,vt.breadcrumbsContainer),"aria-label":(0,f.I)({id:"theme.docs.breadcrumbs.navAriaLabel",message:"Breadcrumbs",description:"The ARIA label for the breadcrumbs"}),children:(0,a.jsxs)("ul",{className:"breadcrumbs",itemScope:!0,itemType:"https://schema.org/BreadcrumbList",children:[e&&(0,a.jsx)(_t,{}),t.map(((e,i)=>{const r=i===t.length-1,n="category"===e.type&&e.linkUnlisted?void 0:e.href;return(0,a.jsx)(Tt,{active:r,index:i,addMicrodata:!!n,children:(0,a.jsx)(kt,{href:n,isLast:r,children:e.label})},i)}))]})}):null}var St=i(5742);function Bt(){return(0,a.jsx)(f.Z,{id:"theme.unlistedContent.title",description:"The unlisted content banner title",children:"Unlisted page"})}function Ft(){return(0,a.jsx)(f.Z,{id:"theme.unlistedContent.message",description:"The unlisted content banner message",children:"This page is unlisted. Search engines will not index it, and only users having a direct link can access it."})}function Lt(){return(0,a.jsx)(St.Z,{children:(0,a.jsx)("meta",{name:"robots",content:"noindex, nofollow"})})}var At=i(9047);function Mt(t){let{className:e}=t;return(0,a.jsx)(At.Z,{type:"caution",title:(0,a.jsx)(Bt,{}),className:(0,u.Z)(e,C.k.common.unlistedBanner),children:(0,a.jsx)(Ft,{})})}function Et(t){return(0,a.jsxs)(a.Fragment,{children:[(0,a.jsx)(Lt,{}),(0,a.jsx)(Mt,{...t})]})}const Nt={docItemContainer:"docItemContainer_Djhp",docItemCol:"docItemCol_VOVn"};function Zt(t){let{children:e}=t;const i=function(){const{frontMatter:t,toc:e}=c(),i=(0,d.i)(),r=t.hide_table_of_contents,n=!r&&e.length>0;return{hidden:r,mobile:n?(0,a.jsx)(ot,{}):void 0,desktop:!n||"desktop"!==i&&"ssr"!==i?void 0:(0,a.jsx)(ht,{})}}(),{metadata:{unlisted:r}}=c();return(0,a.jsxs)("div",{className:"row",children:[(0,a.jsxs)("div",{className:(0,u.Z)("col",!i.hidden&&Nt.docItemCol),children:[r&&(0,a.jsx)(Et,{}),(0,a.jsx)(B,{}),(0,a.jsxs)("div",{className:Nt.docItemContainer,children:[(0,a.jsxs)("article",{children:[(0,a.jsx)(wt,{}),(0,a.jsx)(F,{}),i.mobile,(0,a.jsx)(gt,{children:e}),(0,a.jsx)(P,{})]}),(0,a.jsx)(y,{})]})]}),i.desktop&&(0,a.jsx)("div",{className:"col col--3",children:i.desktop})]})}function jt(t){const e=`docs-doc-id-${t.content.metadata.id}`,i=t.content;return(0,a.jsx)(l,{content:t.content,children:(0,a.jsxs)(n.FG,{className:e,children:[(0,a.jsx)(h,{}),(0,a.jsx)(Zt,{children:(0,a.jsx)(i,{})})]})})}},4694:(t,e,i)=>{"use strict";i.d(e,{Z:()=>pt});var r=i(7294),n=i(5742),o=i(2389),a=i(512),s=i(2949),l=i(6668);function c(){const{prism:t}=(0,l.L)(),{colorMode:e}=(0,s.I)(),i=t.theme,r=t.darkTheme||i;return"dark"===e?r:i}var h=i(5281),u=i(7594),d=i.n(u);const f=/title=(?<quote>["'])(?<title>.*?)\1/,p=/\{(?<range>[\d,-]+)\}/,g={js:{start:"\\/\\/",end:""},jsBlock:{start:"\\/\\*",end:"\\*\\/"},jsx:{start:"\\{\\s*\\/\\*",end:"\\*\\/\\s*\\}"},bash:{start:"#",end:""},html:{start:"\x3c!--",end:"--\x3e"}},m={...g,lua:{start:"--",end:""},wasm:{start:"\\;\\;",end:""},tex:{start:"%",end:""},vb:{start:"['\u2018\u2019]",end:""},vbnet:{start:"(?:_\\s*)?['\u2018\u2019]",end:""},rem:{start:"[Rr][Ee][Mm]\\b",end:""},f90:{start:"!",end:""},ml:{start:"\\(\\*",end:"\\*\\)"},cobol:{start:"\\*>",end:""}},y=Object.keys(g);function x(t,e){const i=t.map((t=>{const{start:i,end:r}=m[t];return`(?:${i}\\s*(${e.flatMap((t=>[t.line,t.block?.start,t.block?.end].filter(Boolean))).join("|")})\\s*${r})`})).join("|");return new RegExp(`^\\s*(?:${i})\\s*$`)}function b(t,e){let i=t.replace(/\n$/,"");const{language:r,magicComments:n,metastring:o}=e;if(o&&p.test(o)){const t=o.match(p).groups.range;if(0===n.length)throw new Error(`A highlight range has been given in code block's metastring (\`\`\` ${o}), but no magic comment config is available. Docusaurus applies the first magic comment entry's className for metastring ranges.`);const e=n[0].className,r=d()(t).filter((t=>t>0)).map((t=>[t-1,[e]]));return{lineClassNames:Object.fromEntries(r),code:i}}if(void 0===r)return{lineClassNames:{},code:i};const a=function(t,e){switch(t){case"js":case"javascript":case"ts":case"typescript":return x(["js","jsBlock"],e);case"jsx":case"tsx":return x(["js","jsBlock","jsx"],e);case"html":return x(["js","jsBlock","html"],e);case"python":case"py":case"bash":return x(["bash"],e);case"markdown":case"md":return x(["html","jsx","bash"],e);case"tex":case"latex":case"matlab":return x(["tex"],e);case"lua":case"haskell":case"sql":return x(["lua"],e);case"wasm":return x(["wasm"],e);case"vb":case"vba":case"visual-basic":return x(["vb","rem"],e);case"vbnet":return x(["vbnet","rem"],e);case"batch":return x(["rem"],e);case"basic":return x(["rem","f90"],e);case"fsharp":return x(["js","ml"],e);case"ocaml":case"sml":return x(["ml"],e);case"fortran":return x(["f90"],e);case"cobol":return x(["cobol"],e);default:return x(y,e)}}(r,n),s=i.split("\n"),l=Object.fromEntries(n.map((t=>[t.className,{start:0,range:""}]))),c=Object.fromEntries(n.filter((t=>t.line)).map((t=>{let{className:e,line:i}=t;return[i,e]}))),h=Object.fromEntries(n.filter((t=>t.block)).map((t=>{let{className:e,block:i}=t;return[i.start,e]}))),u=Object.fromEntries(n.filter((t=>t.block)).map((t=>{let{className:e,block:i}=t;return[i.end,e]})));for(let d=0;d<s.length;){const t=s[d].match(a);if(!t){d+=1;continue}const e=t.slice(1).find((t=>void 0!==t));c[e]?l[c[e]].range+=`${d},`:h[e]?l[h[e]].start=d:u[e]&&(l[u[e]].range+=`${l[u[e]].start}-${d-1},`),s.splice(d,1)}i=s.join("\n");const f={};return Object.entries(l).forEach((t=>{let[e,{range:i}]=t;d()(i).forEach((t=>{f[t]??=[],f[t].push(e)}))})),{lineClassNames:f,code:i}}const C={codeBlockContainer:"codeBlockContainer_Ckt0"};var _=i(5893);function v(t){let{as:e,...i}=t;const r=function(t){const e={color:"--prism-color",backgroundColor:"--prism-background-color"},i={};return Object.entries(t.plain).forEach((t=>{let[r,n]=t;const o=e[r];o&&"string"==typeof n&&(i[o]=n)})),i}(c());return(0,_.jsx)(e,{...i,style:r,className:(0,a.Z)(i.className,C.codeBlockContainer,h.k.common.codeBlock)})}const k={codeBlockContent:"codeBlockContent_biex",codeBlockTitle:"codeBlockTitle_Ktv7",codeBlock:"codeBlock_bY9V",codeBlockStandalone:"codeBlockStandalone_MEMb",codeBlockLines:"codeBlockLines_e6Vv",codeBlockLinesWithNumbering:"codeBlockLinesWithNumbering_o6Pm",buttonGroup:"buttonGroup__atx"};function T(t){let{children:e,className:i}=t;return(0,_.jsx)(v,{as:"pre",tabIndex:0,className:(0,a.Z)(k.codeBlockStandalone,"thin-scrollbar",i),children:(0,_.jsx)("code",{className:k.codeBlockLines,children:e})})}var w=i(902);const S={attributes:!0,characterData:!0,childList:!0,subtree:!0};function B(t,e){const[i,n]=(0,r.useState)(),o=(0,r.useCallback)((()=>{n(t.current?.closest("[role=tabpanel][hidden]"))}),[t,n]);(0,r.useEffect)((()=>{o()}),[o]),function(t,e,i){void 0===i&&(i=S);const n=(0,w.zX)(e),o=(0,w.Ql)(i);(0,r.useEffect)((()=>{const e=new MutationObserver(n);return t&&e.observe(t,o),()=>e.disconnect()}),[t,n,o])}(i,(t=>{t.forEach((t=>{"attributes"===t.type&&"hidden"===t.attributeName&&(e(),o())}))}),{attributes:!0,characterData:!1,childList:!1,subtree:!1})}var F=i(2573);const L={codeLine:"codeLine_lJS_",codeLineNumber:"codeLineNumber_Tfdd",codeLineContent:"codeLineContent_feaV"};function A(t){let{line:e,classNames:i,showLineNumbers:r,getLineProps:n,getTokenProps:o}=t;1===e.length&&"\n"===e[0].content&&(e[0].content="");const s=n({line:e,className:(0,a.Z)(i,r&&L.codeLine)}),l=e.map(((t,e)=>(0,_.jsx)("span",{...o({token:t})},e)));return(0,_.jsxs)("span",{...s,children:[r?(0,_.jsxs)(_.Fragment,{children:[(0,_.jsx)("span",{className:L.codeLineNumber}),(0,_.jsx)("span",{className:L.codeLineContent,children:l})]}):l,(0,_.jsx)("br",{})]})}var M=i(5999);function E(t){return(0,_.jsx)("svg",{viewBox:"0 0 24 24",...t,children:(0,_.jsx)("path",{fill:"currentColor",d:"M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"})})}function N(t){return(0,_.jsx)("svg",{viewBox:"0 0 24 24",...t,children:(0,_.jsx)("path",{fill:"currentColor",d:"M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"})})}const Z={copyButtonCopied:"copyButtonCopied_obH4",copyButtonIcons:"copyButtonIcons_eSgA",copyButtonIcon:"copyButtonIcon_y97N",copyButtonSuccessIcon:"copyButtonSuccessIcon_LjdS"};function j(t){let{code:e,className:i}=t;const[n,o]=(0,r.useState)(!1),s=(0,r.useRef)(void 0),l=(0,r.useCallback)((()=>{!function(t,e){let{target:i=document.body}=void 0===e?{}:e;if("string"!=typeof t)throw new TypeError(`Expected parameter \`text\` to be a \`string\`, got \`${typeof t}\`.`);const r=document.createElement("textarea"),n=document.activeElement;r.value=t,r.setAttribute("readonly",""),r.style.contain="strict",r.style.position="absolute",r.style.left="-9999px",r.style.fontSize="12pt";const o=document.getSelection(),a=o.rangeCount>0&&o.getRangeAt(0);i.append(r),r.select(),r.selectionStart=0,r.selectionEnd=t.length;let s=!1;try{s=document.execCommand("copy")}catch{}r.remove(),a&&(o.removeAllRanges(),o.addRange(a)),n&&n.focus()}(e),o(!0),s.current=window.setTimeout((()=>{o(!1)}),1e3)}),[e]);return(0,r.useEffect)((()=>()=>window.clearTimeout(s.current)),[]),(0,_.jsx)("button",{type:"button","aria-label":n?(0,M.I)({id:"theme.CodeBlock.copied",message:"Copied",description:"The copied button label on code blocks"}):(0,M.I)({id:"theme.CodeBlock.copyButtonAriaLabel",message:"Copy code to clipboard",description:"The ARIA label for copy code blocks button"}),title:(0,M.I)({id:"theme.CodeBlock.copy",message:"Copy",description:"The copy button label on code blocks"}),className:(0,a.Z)("clean-btn",i,Z.copyButton,n&&Z.copyButtonCopied),onClick:l,children:(0,_.jsxs)("span",{className:Z.copyButtonIcons,"aria-hidden":"true",children:[(0,_.jsx)(E,{className:Z.copyButtonIcon}),(0,_.jsx)(N,{className:Z.copyButtonSuccessIcon})]})})}function I(t){return(0,_.jsx)("svg",{viewBox:"0 0 24 24",...t,children:(0,_.jsx)("path",{fill:"currentColor",d:"M4 19h6v-2H4v2zM20 5H4v2h16V5zm-3 6H4v2h13.25c1.1 0 2 .9 2 2s-.9 2-2 2H15v-2l-3 3l3 3v-2h2c2.21 0 4-1.79 4-4s-1.79-4-4-4z"})})}const O={wordWrapButtonIcon:"wordWrapButtonIcon_Bwma",wordWrapButtonEnabled:"wordWrapButtonEnabled_EoeP"};function D(t){let{className:e,onClick:i,isEnabled:r}=t;const n=(0,M.I)({id:"theme.CodeBlock.wordWrapToggle",message:"Toggle word wrap",description:"The title attribute for toggle word wrapping button of code block lines"});return(0,_.jsx)("button",{type:"button",onClick:i,className:(0,a.Z)("clean-btn",e,r&&O.wordWrapButtonEnabled),"aria-label":n,title:n,children:(0,_.jsx)(I,{className:O.wordWrapButtonIcon,"aria-hidden":"true"})})}function q(t){let{children:e,className:i="",metastring:n,title:o,showLineNumbers:s,language:h}=t;const{prism:{defaultLanguage:u,magicComments:d}}=(0,l.L)(),p=function(t){return t?.toLowerCase()}(h??function(t){const e=t.split(" ").find((t=>t.startsWith("language-")));return e?.replace(/language-/,"")}(i)??u),g=c(),m=function(){const[t,e]=(0,r.useState)(!1),[i,n]=(0,r.useState)(!1),o=(0,r.useRef)(null),a=(0,r.useCallback)((()=>{const i=o.current.querySelector("code");t?i.removeAttribute("style"):(i.style.whiteSpace="pre-wrap",i.style.overflowWrap="anywhere"),e((t=>!t))}),[o,t]),s=(0,r.useCallback)((()=>{const{scrollWidth:t,clientWidth:e}=o.current,i=t>e||o.current.querySelector("code").hasAttribute("style");n(i)}),[o]);return B(o,s),(0,r.useEffect)((()=>{s()}),[t,s]),(0,r.useEffect)((()=>(window.addEventListener("resize",s,{passive:!0}),()=>{window.removeEventListener("resize",s)})),[s]),{codeBlockRef:o,isEnabled:t,isCodeScrollable:i,toggle:a}}(),y=function(t){return t?.match(f)?.groups.title??""}(n)||o,{lineClassNames:x,code:C}=b(e,{metastring:n,language:p,magicComments:d}),T=s??function(t){return Boolean(t?.includes("showLineNumbers"))}(n);return(0,_.jsxs)(v,{as:"div",className:(0,a.Z)(i,p&&!i.includes(`language-${p}`)&&`language-${p}`),children:[y&&(0,_.jsx)("div",{className:k.codeBlockTitle,children:y}),(0,_.jsxs)("div",{className:k.codeBlockContent,children:[(0,_.jsx)(F.y$,{theme:g,code:C,language:p??"text",children:t=>{let{className:e,style:i,tokens:r,getLineProps:n,getTokenProps:o}=t;return(0,_.jsx)("pre",{tabIndex:0,ref:m.codeBlockRef,className:(0,a.Z)(e,k.codeBlock,"thin-scrollbar"),style:i,children:(0,_.jsx)("code",{className:(0,a.Z)(k.codeBlockLines,T&&k.codeBlockLinesWithNumbering),children:r.map(((t,e)=>(0,_.jsx)(A,{line:t,getLineProps:n,getTokenProps:o,classNames:x[e],showLineNumbers:T},e)))})})}}),(0,_.jsxs)("div",{className:k.buttonGroup,children:[(m.isEnabled||m.isCodeScrollable)&&(0,_.jsx)(D,{className:k.codeButton,onClick:()=>m.toggle(),isEnabled:m.isEnabled}),(0,_.jsx)(j,{className:k.codeButton,code:C})]})]})]})}function $(t){let{children:e,...i}=t;const n=(0,o.Z)(),a=function(t){return r.Children.toArray(t).some((t=>(0,r.isValidElement)(t)))?t:Array.isArray(t)?t.join(""):t}(e),s="string"==typeof a?q:T;return(0,_.jsx)(s,{...i,children:a},String(n))}function z(t){return(0,_.jsx)("code",{...t})}var P=i(3692);var R=i(8138),H=i(6043);const W={details:"details_lb9f",isBrowser:"isBrowser_bmU9",collapsibleContent:"collapsibleContent_i85q"};function U(t){return!!t&&("SUMMARY"===t.tagName||U(t.parentElement))}function Y(t,e){return!!t&&(t===e||Y(t.parentElement,e))}function V(t){let{summary:e,children:i,...n}=t;(0,R.Z)().collectAnchor(n.id);const s=(0,o.Z)(),l=(0,r.useRef)(null),{collapsed:c,setCollapsed:h}=(0,H.u)({initialState:!n.open}),[u,d]=(0,r.useState)(n.open),f=r.isValidElement(e)?e:(0,_.jsx)("summary",{children:e??"Details"});return(0,_.jsxs)("details",{...n,ref:l,open:u,"data-collapsed":c,className:(0,a.Z)(W.details,s&&W.isBrowser,n.className),onMouseDown:t=>{U(t.target)&&t.detail>1&&t.preventDefault()},onClick:t=>{t.stopPropagation();const e=t.target;U(e)&&Y(e,l.current)&&(t.preventDefault(),c?(h(!1),d(!0)):h(!0))},children:[f,(0,_.jsx)(H.z,{lazy:!1,collapsed:c,disableSSRStyle:!0,onCollapseTransitionEnd:t=>{h(t),d(!t)},children:(0,_.jsx)("div",{className:W.collapsibleContent,children:i})})]})}const G={details:"details_b_Ee"},X="alert alert--info";function J(t){let{...e}=t;return(0,_.jsx)(V,{...e,className:(0,a.Z)(X,G.details,e.className)})}function Q(t){const e=r.Children.toArray(t.children),i=e.find((t=>r.isValidElement(t)&&"summary"===t.type)),n=(0,_.jsx)(_.Fragment,{children:e.filter((t=>t!==i))});return(0,_.jsx)(J,{...t,summary:i,children:n})}var K=i(2503);function tt(t){return(0,_.jsx)(K.Z,{...t})}const et={containsTaskList:"containsTaskList_mC6p"};function it(t){if(void 0!==t)return(0,a.Z)(t,t?.includes("contains-task-list")&&et.containsTaskList)}const rt={img:"img_ev3q"};var nt=i(9047),ot=i(4763),at=i(9690),st=i(5322);const lt="docusaurus-mermaid-container";function ct(){const{colorMode:t}=(0,s.I)(),e=(0,l.L)().mermaid,i=e.theme[t],{options:n}=e;return(0,r.useMemo)((()=>({startOnLoad:!1,...n,theme:i})),[i,n])}function ht(t){let{text:e,config:i}=t;const[n,o]=(0,r.useState)(null),a=(0,r.useRef)(`mermaid-svg-${Math.round(1e7*Math.random())}`).current,s=ct(),l=i??s;return(0,r.useEffect)((()=>{(async function(t){let{id:e,text:i,config:r}=t;st.L.mermaidAPI.initialize(r);try{return await st.L.render(e,i)}catch(n){throw document.querySelector(`#d${e}`)?.remove(),n}})({id:a,text:e,config:l}).then(o).catch((t=>{o((()=>{throw t}))}))}),[a,e,l]),n}const ut={container:"container_lyt7"};function dt(t){let{renderResult:e}=t;const i=(0,r.useRef)(null);return(0,r.useEffect)((()=>{const t=i.current;e.bindFunctions?.(t)}),[e]),(0,_.jsx)("div",{ref:i,className:`${lt} ${ut.container}`,dangerouslySetInnerHTML:{__html:e.svg}})}function ft(t){let{value:e}=t;const i=ht({text:e});return null===i?null:(0,_.jsx)(dt,{renderResult:i})}const pt={Head:n.Z,details:Q,Details:Q,code:function(t){return function(t){return void 0!==t.children&&r.Children.toArray(t.children).every((t=>"string"==typeof t&&!t.includes("\n")))}(t)?(0,_.jsx)(z,{...t}):(0,_.jsx)($,{...t})},a:function(t){return(0,_.jsx)(P.Z,{...t})},pre:function(t){return(0,_.jsx)(_.Fragment,{children:t.children})},ul:function(t){return(0,_.jsx)("ul",{...t,className:it(t.className)})},li:function(t){return(0,R.Z)().collectAnchor(t.id),(0,_.jsx)("li",{...t})},img:function(t){return(0,_.jsx)("img",{decoding:"async",loading:"lazy",...t,className:(e=t.className,(0,a.Z)(e,rt.img))});var e},h1:t=>(0,_.jsx)(tt,{as:"h1",...t}),h2:t=>(0,_.jsx)(tt,{as:"h2",...t}),h3:t=>(0,_.jsx)(tt,{as:"h3",...t}),h4:t=>(0,_.jsx)(tt,{as:"h4",...t}),h5:t=>(0,_.jsx)(tt,{as:"h5",...t}),h6:t=>(0,_.jsx)(tt,{as:"h6",...t}),admonition:nt.Z,mermaid:function(t){return(0,_.jsx)(ot.Z,{fallback:t=>(0,_.jsx)(at.Ac,{...t}),children:(0,_.jsx)(ft,{...t})})}}},5162:(t,e,i)=>{"use strict";i.d(e,{Z:()=>a});i(7294);var r=i(512);const n={tabItem:"tabItem_Ymn6"};var o=i(5893);function a(t){let{children:e,hidden:i,className:a}=t;return(0,o.jsx)("div",{role:"tabpanel",className:(0,r.Z)(n.tabItem,a),hidden:i,children:e})}},4866:(t,e,i)=>{"use strict";i.d(e,{Z:()=>v});var r=i(7294),n=i(512),o=i(2466),a=i(6550),s=i(469),l=i(1980),c=i(7392),h=i(812);function u(t){return r.Children.toArray(t).filter((t=>"\n"!==t)).map((t=>{if(!t||(0,r.isValidElement)(t)&&function(t){const{props:e}=t;return!!e&&"object"==typeof e&&"value"in e}(t))return t;throw new Error(`Docusaurus error: Bad <Tabs> child <${"string"==typeof t.type?t.type:t.type.name}>: all children of the <Tabs> component should be <TabItem>, and every <TabItem> should have a unique "value" prop.`)}))?.filter(Boolean)??[]}function d(t){const{values:e,children:i}=t;return(0,r.useMemo)((()=>{const t=e??function(t){return u(t).map((t=>{let{props:{value:e,label:i,attributes:r,default:n}}=t;return{value:e,label:i,attributes:r,default:n}}))}(i);return function(t){const e=(0,c.l)(t,((t,e)=>t.value===e.value));if(e.length>0)throw new Error(`Docusaurus error: Duplicate values "${e.map((t=>t.value)).join(", ")}" found in <Tabs>. Every value needs to be unique.`)}(t),t}),[e,i])}function f(t){let{value:e,tabValues:i}=t;return i.some((t=>t.value===e))}function p(t){let{queryString:e=!1,groupId:i}=t;const n=(0,a.k6)(),o=function(t){let{queryString:e=!1,groupId:i}=t;if("string"==typeof e)return e;if(!1===e)return null;if(!0===e&&!i)throw new Error('Docusaurus error: The <Tabs> component groupId prop is required if queryString=true, because this value is used as the search param name. You can also provide an explicit value such as queryString="my-search-param".');return i??null}({queryString:e,groupId:i});return[(0,l._X)(o),(0,r.useCallback)((t=>{if(!o)return;const e=new URLSearchParams(n.location.search);e.set(o,t),n.replace({...n.location,search:e.toString()})}),[o,n])]}function g(t){const{defaultValue:e,queryString:i=!1,groupId:n}=t,o=d(t),[a,l]=(0,r.useState)((()=>function(t){let{defaultValue:e,tabValues:i}=t;if(0===i.length)throw new Error("Docusaurus error: the <Tabs> component requires at least one <TabItem> children component");if(e){if(!f({value:e,tabValues:i}))throw new Error(`Docusaurus error: The <Tabs> has a defaultValue "${e}" but none of its children has the corresponding value. Available values are: ${i.map((t=>t.value)).join(", ")}. If you intend to show no default tab, use defaultValue={null} instead.`);return e}const r=i.find((t=>t.default))??i[0];if(!r)throw new Error("Unexpected error: 0 tabValues");return r.value}({defaultValue:e,tabValues:o}))),[c,u]=p({queryString:i,groupId:n}),[g,m]=function(t){let{groupId:e}=t;const i=function(t){return t?`docusaurus.tab.${t}`:null}(e),[n,o]=(0,h.Nk)(i);return[n,(0,r.useCallback)((t=>{i&&o.set(t)}),[i,o])]}({groupId:n}),y=(()=>{const t=c??g;return f({value:t,tabValues:o})?t:null})();(0,s.Z)((()=>{y&&l(y)}),[y]);return{selectedValue:a,selectValue:(0,r.useCallback)((t=>{if(!f({value:t,tabValues:o}))throw new Error(`Can't select invalid tab value=${t}`);l(t),u(t),m(t)}),[u,m,o]),tabValues:o}}var m=i(2389);const y={tabList:"tabList__CuJ",tabItem:"tabItem_LNqP"};var x=i(5893);function b(t){let{className:e,block:i,selectedValue:r,selectValue:a,tabValues:s}=t;const l=[],{blockElementScrollPositionUntilNextRender:c}=(0,o.o5)(),h=t=>{const e=t.currentTarget,i=l.indexOf(e),n=s[i].value;n!==r&&(c(e),a(n))},u=t=>{let e=null;switch(t.key){case"Enter":h(t);break;case"ArrowRight":{const i=l.indexOf(t.currentTarget)+1;e=l[i]??l[0];break}case"ArrowLeft":{const i=l.indexOf(t.currentTarget)-1;e=l[i]??l[l.length-1];break}}e?.focus()};return(0,x.jsx)("ul",{role:"tablist","aria-orientation":"horizontal",className:(0,n.Z)("tabs",{"tabs--block":i},e),children:s.map((t=>{let{value:e,label:i,attributes:o}=t;return(0,x.jsx)("li",{role:"tab",tabIndex:r===e?0:-1,"aria-selected":r===e,ref:t=>l.push(t),onKeyDown:u,onClick:h,...o,className:(0,n.Z)("tabs__item",y.tabItem,o?.className,{"tabs__item--active":r===e}),children:i??e},e)}))})}function C(t){let{lazy:e,children:i,selectedValue:n}=t;const o=(Array.isArray(i)?i:[i]).filter(Boolean);if(e){const t=o.find((t=>t.props.value===n));return t?(0,r.cloneElement)(t,{className:"margin-top--md"}):null}return(0,x.jsx)("div",{className:"margin-top--md",children:o.map(((t,e)=>(0,r.cloneElement)(t,{key:e,hidden:t.props.value!==n})))})}function _(t){const e=g(t);return(0,x.jsxs)("div",{className:(0,n.Z)("tabs-container",y.tabList),children:[(0,x.jsx)(b,{...e,...t}),(0,x.jsx)(C,{...e,...t})]})}function v(t){const e=(0,m.Z)();return(0,x.jsx)(_,{...t,children:u(t.children)},String(e))}},7484:function(t){t.exports=function(){"use strict";var t=1e3,e=6e4,i=36e5,r="millisecond",n="second",o="minute",a="hour",s="day",l="week",c="month",h="quarter",u="year",d="date",f="Invalid Date",p=/^(\d{4})[-/]?(\d{1,2})?[-/]?(\d{0,2})[Tt\s]*(\d{1,2})?:?(\d{1,2})?:?(\d{1,2})?[.:]?(\d+)?$/,g=/\[([^\]]+)]|Y{1,4}|M{1,4}|D{1,2}|d{1,4}|H{1,2}|h{1,2}|a|A|m{1,2}|s{1,2}|Z{1,2}|SSS/g,m={name:"en",weekdays:"Sunday_Monday_Tuesday_Wednesday_Thursday_Friday_Saturday".split("_"),months:"January_February_March_April_May_June_July_August_September_October_November_December".split("_"),ordinal:function(t){var e=["th","st","nd","rd"],i=t%100;return"["+t+(e[(i-20)%10]||e[i]||e[0])+"]"}},y=function(t,e,i){var r=String(t);return!r||r.length>=e?t:""+Array(e+1-r.length).join(i)+t},x={s:y,z:function(t){var e=-t.utcOffset(),i=Math.abs(e),r=Math.floor(i/60),n=i%60;return(e<=0?"+":"-")+y(r,2,"0")+":"+y(n,2,"0")},m:function t(e,i){if(e.date()<i.date())return-t(i,e);var r=12*(i.year()-e.year())+(i.month()-e.month()),n=e.clone().add(r,c),o=i-n<0,a=e.clone().add(r+(o?-1:1),c);return+(-(r+(i-n)/(o?n-a:a-n))||0)},a:function(t){return t<0?Math.ceil(t)||0:Math.floor(t)},p:function(t){return{M:c,y:u,w:l,d:s,D:d,h:a,m:o,s:n,ms:r,Q:h}[t]||String(t||"").toLowerCase().replace(/s$/,"")},u:function(t){return void 0===t}},b="en",C={};C[b]=m;var _="$isDayjsObject",v=function(t){return t instanceof S||!(!t||!t[_])},k=function t(e,i,r){var n;if(!e)return b;if("string"==typeof e){var o=e.toLowerCase();C[o]&&(n=o),i&&(C[o]=i,n=o);var a=e.split("-");if(!n&&a.length>1)return t(a[0])}else{var s=e.name;C[s]=e,n=s}return!r&&n&&(b=n),n||!r&&b},T=function(t,e){if(v(t))return t.clone();var i="object"==typeof e?e:{};return i.date=t,i.args=arguments,new S(i)},w=x;w.l=k,w.i=v,w.w=function(t,e){return T(t,{locale:e.$L,utc:e.$u,x:e.$x,$offset:e.$offset})};var S=function(){function m(t){this.$L=k(t.locale,null,!0),this.parse(t),this.$x=this.$x||t.x||{},this[_]=!0}var y=m.prototype;return y.parse=function(t){this.$d=function(t){var e=t.date,i=t.utc;if(null===e)return new Date(NaN);if(w.u(e))return new Date;if(e instanceof Date)return new Date(e);if("string"==typeof e&&!/Z$/i.test(e)){var r=e.match(p);if(r){var n=r[2]-1||0,o=(r[7]||"0").substring(0,3);return i?new Date(Date.UTC(r[1],n,r[3]||1,r[4]||0,r[5]||0,r[6]||0,o)):new Date(r[1],n,r[3]||1,r[4]||0,r[5]||0,r[6]||0,o)}}return new Date(e)}(t),this.init()},y.init=function(){var t=this.$d;this.$y=t.getFullYear(),this.$M=t.getMonth(),this.$D=t.getDate(),this.$W=t.getDay(),this.$H=t.getHours(),this.$m=t.getMinutes(),this.$s=t.getSeconds(),this.$ms=t.getMilliseconds()},y.$utils=function(){return w},y.isValid=function(){return!(this.$d.toString()===f)},y.isSame=function(t,e){var i=T(t);return this.startOf(e)<=i&&i<=this.endOf(e)},y.isAfter=function(t,e){return T(t)<this.startOf(e)},y.isBefore=function(t,e){return this.endOf(e)<T(t)},y.$g=function(t,e,i){return w.u(t)?this[e]:this.set(i,t)},y.unix=function(){return Math.floor(this.valueOf()/1e3)},y.valueOf=function(){return this.$d.getTime()},y.startOf=function(t,e){var i=this,r=!!w.u(e)||e,h=w.p(t),f=function(t,e){var n=w.w(i.$u?Date.UTC(i.$y,e,t):new Date(i.$y,e,t),i);return r?n:n.endOf(s)},p=function(t,e){return w.w(i.toDate()[t].apply(i.toDate("s"),(r?[0,0,0,0]:[23,59,59,999]).slice(e)),i)},g=this.$W,m=this.$M,y=this.$D,x="set"+(this.$u?"UTC":"");switch(h){case u:return r?f(1,0):f(31,11);case c:return r?f(1,m):f(0,m+1);case l:var b=this.$locale().weekStart||0,C=(g<b?g+7:g)-b;return f(r?y-C:y+(6-C),m);case s:case d:return p(x+"Hours",0);case a:return p(x+"Minutes",1);case o:return p(x+"Seconds",2);case n:return p(x+"Milliseconds",3);default:return this.clone()}},y.endOf=function(t){return this.startOf(t,!1)},y.$set=function(t,e){var i,l=w.p(t),h="set"+(this.$u?"UTC":""),f=(i={},i[s]=h+"Date",i[d]=h+"Date",i[c]=h+"Month",i[u]=h+"FullYear",i[a]=h+"Hours",i[o]=h+"Minutes",i[n]=h+"Seconds",i[r]=h+"Milliseconds",i)[l],p=l===s?this.$D+(e-this.$W):e;if(l===c||l===u){var g=this.clone().set(d,1);g.$d[f](p),g.init(),this.$d=g.set(d,Math.min(this.$D,g.daysInMonth())).$d}else f&&this.$d[f](p);return this.init(),this},y.set=function(t,e){return this.clone().$set(t,e)},y.get=function(t){return this[w.p(t)]()},y.add=function(r,h){var d,f=this;r=Number(r);var p=w.p(h),g=function(t){var e=T(f);return w.w(e.date(e.date()+Math.round(t*r)),f)};if(p===c)return this.set(c,this.$M+r);if(p===u)return this.set(u,this.$y+r);if(p===s)return g(1);if(p===l)return g(7);var m=(d={},d[o]=e,d[a]=i,d[n]=t,d)[p]||1,y=this.$d.getTime()+r*m;return w.w(y,this)},y.subtract=function(t,e){return this.add(-1*t,e)},y.format=function(t){var e=this,i=this.$locale();if(!this.isValid())return i.invalidDate||f;var r=t||"YYYY-MM-DDTHH:mm:ssZ",n=w.z(this),o=this.$H,a=this.$m,s=this.$M,l=i.weekdays,c=i.months,h=i.meridiem,u=function(t,i,n,o){return t&&(t[i]||t(e,r))||n[i].slice(0,o)},d=function(t){return w.s(o%12||12,t,"0")},p=h||function(t,e,i){var r=t<12?"AM":"PM";return i?r.toLowerCase():r};return r.replace(g,(function(t,r){return r||function(t){switch(t){case"YY":return String(e.$y).slice(-2);case"YYYY":return w.s(e.$y,4,"0");case"M":return s+1;case"MM":return w.s(s+1,2,"0");case"MMM":return u(i.monthsShort,s,c,3);case"MMMM":return u(c,s);case"D":return e.$D;case"DD":return w.s(e.$D,2,"0");case"d":return String(e.$W);case"dd":return u(i.weekdaysMin,e.$W,l,2);case"ddd":return u(i.weekdaysShort,e.$W,l,3);case"dddd":return l[e.$W];case"H":return String(o);case"HH":return w.s(o,2,"0");case"h":return d(1);case"hh":return d(2);case"a":return p(o,a,!0);case"A":return p(o,a,!1);case"m":return String(a);case"mm":return w.s(a,2,"0");case"s":return String(e.$s);case"ss":return w.s(e.$s,2,"0");case"SSS":return w.s(e.$ms,3,"0");case"Z":return n}return null}(t)||n.replace(":","")}))},y.utcOffset=function(){return 15*-Math.round(this.$d.getTimezoneOffset()/15)},y.diff=function(r,d,f){var p,g=this,m=w.p(d),y=T(r),x=(y.utcOffset()-this.utcOffset())*e,b=this-y,C=function(){return w.m(g,y)};switch(m){case u:p=C()/12;break;case c:p=C();break;case h:p=C()/3;break;case l:p=(b-x)/6048e5;break;case s:p=(b-x)/864e5;break;case a:p=b/i;break;case o:p=b/e;break;case n:p=b/t;break;default:p=b}return f?p:w.a(p)},y.daysInMonth=function(){return this.endOf(c).$D},y.$locale=function(){return C[this.$L]},y.locale=function(t,e){if(!t)return this.$L;var i=this.clone(),r=k(t,e,!0);return r&&(i.$L=r),i},y.clone=function(){return w.w(this.$d,this)},y.toDate=function(){return new Date(this.valueOf())},y.toJSON=function(){return this.isValid()?this.toISOString():null},y.toISOString=function(){return this.$d.toISOString()},y.toString=function(){return this.$d.toUTCString()},m}(),B=S.prototype;return T.prototype=B,[["$ms",r],["$s",n],["$m",o],["$H",a],["$W",s],["$M",c],["$y",u],["$D",d]].forEach((function(t){B[t[1]]=function(e){return this.$g(e,t[0],t[1])}})),T.extend=function(t,e){return t.$i||(t(e,S,T),t.$i=!0),T},T.locale=k,T.isDayjs=v,T.unix=function(t){return T(1e3*t)},T.en=C[b],T.Ls=C,T.p={},T}()},7856:function(t){t.exports=function(){"use strict";const{entries:t,setPrototypeOf:e,isFrozen:i,getPrototypeOf:r,getOwnPropertyDescriptor:n}=Object;let{freeze:o,seal:a,create:s}=Object,{apply:l,construct:c}="undefined"!=typeof Reflect&&Reflect;o||(o=function(t){return t}),a||(a=function(t){return t}),l||(l=function(t,e,i){return t.apply(e,i)}),c||(c=function(t,e){return new t(...e)});const h=_(Array.prototype.forEach),u=_(Array.prototype.pop),d=_(Array.prototype.push),f=_(String.prototype.toLowerCase),p=_(String.prototype.toString),g=_(String.prototype.match),m=_(String.prototype.replace),y=_(String.prototype.indexOf),x=_(String.prototype.trim),b=_(RegExp.prototype.test),C=v(TypeError);function _(t){return function(e){for(var i=arguments.length,r=new Array(i>1?i-1:0),n=1;n<i;n++)r[n-1]=arguments[n];return l(t,e,r)}}function v(t){return function(){for(var e=arguments.length,i=new Array(e),r=0;r<e;r++)i[r]=arguments[r];return c(t,i)}}function k(t,r){let n=arguments.length>2&&void 0!==arguments[2]?arguments[2]:f;e&&e(t,null);let o=r.length;for(;o--;){let e=r[o];if("string"==typeof e){const t=n(e);t!==e&&(i(r)||(r[o]=t),e=t)}t[e]=!0}return t}function T(e){const i=s(null);for(const[r,o]of t(e))void 0!==n(e,r)&&(i[r]=o);return i}function w(t,e){for(;null!==t;){const i=n(t,e);if(i){if(i.get)return _(i.get);if("function"==typeof i.value)return _(i.value)}t=r(t)}function i(t){return console.warn("fallback value for",t),null}return i}const S=o(["a","abbr","acronym","address","area","article","aside","audio","b","bdi","bdo","big","blink","blockquote","body","br","button","canvas","caption","center","cite","code","col","colgroup","content","data","datalist","dd","decorator","del","details","dfn","dialog","dir","div","dl","dt","element","em","fieldset","figcaption","figure","font","footer","form","h1","h2","h3","h4","h5","h6","head","header","hgroup","hr","html","i","img","input","ins","kbd","label","legend","li","main","map","mark","marquee","menu","menuitem","meter","nav","nobr","ol","optgroup","option","output","p","picture","pre","progress","q","rp","rt","ruby","s","samp","section","select","shadow","small","source","spacer","span","strike","strong","style","sub","summary","sup","table","tbody","td","template","textarea","tfoot","th","thead","time","tr","track","tt","u","ul","var","video","wbr"]),B=o(["svg","a","altglyph","altglyphdef","altglyphitem","animatecolor","animatemotion","animatetransform","circle","clippath","defs","desc","ellipse","filter","font","g","glyph","glyphref","hkern","image","line","lineargradient","marker","mask","metadata","mpath","path","pattern","polygon","polyline","radialgradient","rect","stop","style","switch","symbol","text","textpath","title","tref","tspan","view","vkern"]),F=o(["feBlend","feColorMatrix","feComponentTransfer","feComposite","feConvolveMatrix","feDiffuseLighting","feDisplacementMap","feDistantLight","feDropShadow","feFlood","feFuncA","feFuncB","feFuncG","feFuncR","feGaussianBlur","feImage","feMerge","feMergeNode","feMorphology","feOffset","fePointLight","feSpecularLighting","feSpotLight","feTile","feTurbulence"]),L=o(["animate","color-profile","cursor","discard","font-face","font-face-format","font-face-name","font-face-src","font-face-uri","foreignobject","hatch","hatchpath","mesh","meshgradient","meshpatch","meshrow","missing-glyph","script","set","solidcolor","unknown","use"]),A=o(["math","menclose","merror","mfenced","mfrac","mglyph","mi","mlabeledtr","mmultiscripts","mn","mo","mover","mpadded","mphantom","mroot","mrow","ms","mspace","msqrt","mstyle","msub","msup","msubsup","mtable","mtd","mtext","mtr","munder","munderover","mprescripts"]),M=o(["maction","maligngroup","malignmark","mlongdiv","mscarries","mscarry","msgroup","mstack","msline","msrow","semantics","annotation","annotation-xml","mprescripts","none"]),E=o(["#text"]),N=o(["accept","action","align","alt","autocapitalize","autocomplete","autopictureinpicture","autoplay","background","bgcolor","border","capture","cellpadding","cellspacing","checked","cite","class","clear","color","cols","colspan","controls","controlslist","coords","crossorigin","datetime","decoding","default","dir","disabled","disablepictureinpicture","disableremoteplayback","download","draggable","enctype","enterkeyhint","face","for","headers","height","hidden","high","href","hreflang","id","inputmode","integrity","ismap","kind","label","lang","list","loading","loop","low","max","maxlength","media","method","min","minlength","multiple","muted","name","nonce","noshade","novalidate","nowrap","open","optimum","pattern","placeholder","playsinline","poster","preload","pubdate","radiogroup","readonly","rel","required","rev","reversed","role","rows","rowspan","spellcheck","scope","selected","shape","size","sizes","span","srclang","start","src","srcset","step","style","summary","tabindex","title","translate","type","usemap","valign","value","width","xmlns","slot"]),Z=o(["accent-height","accumulate","additive","alignment-baseline","ascent","attributename","attributetype","azimuth","basefrequency","baseline-shift","begin","bias","by","class","clip","clippathunits","clip-path","clip-rule","color","color-interpolation","color-interpolation-filters","color-profile","color-rendering","cx","cy","d","dx","dy","diffuseconstant","direction","display","divisor","dur","edgemode","elevation","end","fill","fill-opacity","fill-rule","filter","filterunits","flood-color","flood-opacity","font-family","font-size","font-size-adjust","font-stretch","font-style","font-variant","font-weight","fx","fy","g1","g2","glyph-name","glyphref","gradientunits","gradienttransform","height","href","id","image-rendering","in","in2","k","k1","k2","k3","k4","kerning","keypoints","keysplines","keytimes","lang","lengthadjust","letter-spacing","kernelmatrix","kernelunitlength","lighting-color","local","marker-end","marker-mid","marker-start","markerheight","markerunits","markerwidth","maskcontentunits","maskunits","max","mask","media","method","mode","min","name","numoctaves","offset","operator","opacity","order","orient","orientation","origin","overflow","paint-order","path","pathlength","patterncontentunits","patterntransform","patternunits","points","preservealpha","preserveaspectratio","primitiveunits","r","rx","ry","radius","refx","refy","repeatcount","repeatdur","restart","result","rotate","scale","seed","shape-rendering","specularconstant","specularexponent","spreadmethod","startoffset","stddeviation","stitchtiles","stop-color","stop-opacity","stroke-dasharray","stroke-dashoffset","stroke-linecap","stroke-linejoin","stroke-miterlimit","stroke-opacity","stroke","stroke-width","style","surfacescale","systemlanguage","tabindex","targetx","targety","transform","transform-origin","text-anchor","text-decoration","text-rendering","textlength","type","u1","u2","unicode","values","viewbox","visibility","version","vert-adv-y","vert-origin-x","vert-origin-y","width","word-spacing","wrap","writing-mode","xchannelselector","ychannelselector","x","x1","x2","xmlns","y","y1","y2","z","zoomandpan"]),j=o(["accent","accentunder","align","bevelled","close","columnsalign","columnlines","columnspan","denomalign","depth","dir","display","displaystyle","encoding","fence","frame","height","href","id","largeop","length","linethickness","lspace","lquote","mathbackground","mathcolor","mathsize","mathvariant","maxsize","minsize","movablelimits","notation","numalign","open","rowalign","rowlines","rowspacing","rowspan","rspace","rquote","scriptlevel","scriptminsize","scriptsizemultiplier","selection","separator","separators","stretchy","subscriptshift","supscriptshift","symmetric","voffset","width","xmlns"]),I=o(["xlink:href","xml:id","xlink:title","xml:space","xmlns:xlink"]),O=a(/\{\{[\w\W]*|[\w\W]*\}\}/gm),D=a(/<%[\w\W]*|[\w\W]*%>/gm),q=a(/\${[\w\W]*}/gm),$=a(/^data-[\-\w.\u00B7-\uFFFF]/),z=a(/^aria-[\-\w]+$/),P=a(/^(?:(?:(?:f|ht)tps?|mailto|tel|callto|sms|cid|xmpp):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i),R=a(/^(?:\w+script|data):/i),H=a(/[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205F\u3000]/g),W=a(/^html$/i);var U=Object.freeze({__proto__:null,MUSTACHE_EXPR:O,ERB_EXPR:D,TMPLIT_EXPR:q,DATA_ATTR:$,ARIA_ATTR:z,IS_ALLOWED_URI:P,IS_SCRIPT_OR_DATA:R,ATTR_WHITESPACE:H,DOCTYPE_NAME:W});const Y=function(){return"undefined"==typeof window?null:window},V=function(t,e){if("object"!=typeof t||"function"!=typeof t.createPolicy)return null;let i=null;const r="data-tt-policy-suffix";e&&e.hasAttribute(r)&&(i=e.getAttribute(r));const n="dompurify"+(i?"#"+i:"");try{return t.createPolicy(n,{createHTML:t=>t,createScriptURL:t=>t})}catch(o){return console.warn("TrustedTypes policy "+n+" could not be created."),null}};function G(){let e=arguments.length>0&&void 0!==arguments[0]?arguments[0]:Y();const i=t=>G(t);if(i.version="3.0.6",i.removed=[],!e||!e.document||9!==e.document.nodeType)return i.isSupported=!1,i;let{document:r}=e;const n=r,a=n.currentScript,{DocumentFragment:l,HTMLTemplateElement:c,Node:_,Element:v,NodeFilter:O,NamedNodeMap:D=e.NamedNodeMap||e.MozNamedAttrMap,HTMLFormElement:q,DOMParser:$,trustedTypes:z}=e,R=v.prototype,H=w(R,"cloneNode"),X=w(R,"nextSibling"),J=w(R,"childNodes"),Q=w(R,"parentNode");if("function"==typeof c){const t=r.createElement("template");t.content&&t.content.ownerDocument&&(r=t.content.ownerDocument)}let K,tt="";const{implementation:et,createNodeIterator:it,createDocumentFragment:rt,getElementsByTagName:nt}=r,{importNode:ot}=n;let at={};i.isSupported="function"==typeof t&&"function"==typeof Q&&et&&void 0!==et.createHTMLDocument;const{MUSTACHE_EXPR:st,ERB_EXPR:lt,TMPLIT_EXPR:ct,DATA_ATTR:ht,ARIA_ATTR:ut,IS_SCRIPT_OR_DATA:dt,ATTR_WHITESPACE:ft}=U;let{IS_ALLOWED_URI:pt}=U,gt=null;const mt=k({},[...S,...B,...F,...A,...E]);let yt=null;const xt=k({},[...N,...Z,...j,...I]);let bt=Object.seal(s(null,{tagNameCheck:{writable:!0,configurable:!1,enumerable:!0,value:null},attributeNameCheck:{writable:!0,configurable:!1,enumerable:!0,value:null},allowCustomizedBuiltInElements:{writable:!0,configurable:!1,enumerable:!0,value:!1}})),Ct=null,_t=null,vt=!0,kt=!0,Tt=!1,wt=!0,St=!1,Bt=!1,Ft=!1,Lt=!1,At=!1,Mt=!1,Et=!1,Nt=!0,Zt=!1;const jt="user-content-";let It=!0,Ot=!1,Dt={},qt=null;const $t=k({},["annotation-xml","audio","colgroup","desc","foreignobject","head","iframe","math","mi","mn","mo","ms","mtext","noembed","noframes","noscript","plaintext","script","style","svg","template","thead","title","video","xmp"]);let zt=null;const Pt=k({},["audio","video","img","source","image","track"]);let Rt=null;const Ht=k({},["alt","class","for","id","label","name","pattern","placeholder","role","summary","title","value","style","xmlns"]),Wt="http://www.w3.org/1998/Math/MathML",Ut="http://www.w3.org/2000/svg",Yt="http://www.w3.org/1999/xhtml";let Vt=Yt,Gt=!1,Xt=null;const Jt=k({},[Wt,Ut,Yt],p);let Qt=null;const Kt=["application/xhtml+xml","text/html"],te="text/html";let ee=null,ie=null;const re=r.createElement("form"),ne=function(t){return t instanceof RegExp||t instanceof Function},oe=function(){let t=arguments.length>0&&void 0!==arguments[0]?arguments[0]:{};if(!ie||ie!==t){if(t&&"object"==typeof t||(t={}),t=T(t),Qt=Qt=-1===Kt.indexOf(t.PARSER_MEDIA_TYPE)?te:t.PARSER_MEDIA_TYPE,ee="application/xhtml+xml"===Qt?p:f,gt="ALLOWED_TAGS"in t?k({},t.ALLOWED_TAGS,ee):mt,yt="ALLOWED_ATTR"in t?k({},t.ALLOWED_ATTR,ee):xt,Xt="ALLOWED_NAMESPACES"in t?k({},t.ALLOWED_NAMESPACES,p):Jt,Rt="ADD_URI_SAFE_ATTR"in t?k(T(Ht),t.ADD_URI_SAFE_ATTR,ee):Ht,zt="ADD_DATA_URI_TAGS"in t?k(T(Pt),t.ADD_DATA_URI_TAGS,ee):Pt,qt="FORBID_CONTENTS"in t?k({},t.FORBID_CONTENTS,ee):$t,Ct="FORBID_TAGS"in t?k({},t.FORBID_TAGS,ee):{},_t="FORBID_ATTR"in t?k({},t.FORBID_ATTR,ee):{},Dt="USE_PROFILES"in t&&t.USE_PROFILES,vt=!1!==t.ALLOW_ARIA_ATTR,kt=!1!==t.ALLOW_DATA_ATTR,Tt=t.ALLOW_UNKNOWN_PROTOCOLS||!1,wt=!1!==t.ALLOW_SELF_CLOSE_IN_ATTR,St=t.SAFE_FOR_TEMPLATES||!1,Bt=t.WHOLE_DOCUMENT||!1,At=t.RETURN_DOM||!1,Mt=t.RETURN_DOM_FRAGMENT||!1,Et=t.RETURN_TRUSTED_TYPE||!1,Lt=t.FORCE_BODY||!1,Nt=!1!==t.SANITIZE_DOM,Zt=t.SANITIZE_NAMED_PROPS||!1,It=!1!==t.KEEP_CONTENT,Ot=t.IN_PLACE||!1,pt=t.ALLOWED_URI_REGEXP||P,Vt=t.NAMESPACE||Yt,bt=t.CUSTOM_ELEMENT_HANDLING||{},t.CUSTOM_ELEMENT_HANDLING&&ne(t.CUSTOM_ELEMENT_HANDLING.tagNameCheck)&&(bt.tagNameCheck=t.CUSTOM_ELEMENT_HANDLING.tagNameCheck),t.CUSTOM_ELEMENT_HANDLING&&ne(t.CUSTOM_ELEMENT_HANDLING.attributeNameCheck)&&(bt.attributeNameCheck=t.CUSTOM_ELEMENT_HANDLING.attributeNameCheck),t.CUSTOM_ELEMENT_HANDLING&&"boolean"==typeof t.CUSTOM_ELEMENT_HANDLING.allowCustomizedBuiltInElements&&(bt.allowCustomizedBuiltInElements=t.CUSTOM_ELEMENT_HANDLING.allowCustomizedBuiltInElements),St&&(kt=!1),Mt&&(At=!0),Dt&&(gt=k({},[...E]),yt=[],!0===Dt.html&&(k(gt,S),k(yt,N)),!0===Dt.svg&&(k(gt,B),k(yt,Z),k(yt,I)),!0===Dt.svgFilters&&(k(gt,F),k(yt,Z),k(yt,I)),!0===Dt.mathMl&&(k(gt,A),k(yt,j),k(yt,I))),t.ADD_TAGS&&(gt===mt&&(gt=T(gt)),k(gt,t.ADD_TAGS,ee)),t.ADD_ATTR&&(yt===xt&&(yt=T(yt)),k(yt,t.ADD_ATTR,ee)),t.ADD_URI_SAFE_ATTR&&k(Rt,t.ADD_URI_SAFE_ATTR,ee),t.FORBID_CONTENTS&&(qt===$t&&(qt=T(qt)),k(qt,t.FORBID_CONTENTS,ee)),It&&(gt["#text"]=!0),Bt&&k(gt,["html","head","body"]),gt.table&&(k(gt,["tbody"]),delete Ct.tbody),t.TRUSTED_TYPES_POLICY){if("function"!=typeof t.TRUSTED_TYPES_POLICY.createHTML)throw C('TRUSTED_TYPES_POLICY configuration option must provide a "createHTML" hook.');if("function"!=typeof t.TRUSTED_TYPES_POLICY.createScriptURL)throw C('TRUSTED_TYPES_POLICY configuration option must provide a "createScriptURL" hook.');K=t.TRUSTED_TYPES_POLICY,tt=K.createHTML("")}else void 0===K&&(K=V(z,a)),null!==K&&"string"==typeof tt&&(tt=K.createHTML(""));o&&o(t),ie=t}},ae=k({},["mi","mo","mn","ms","mtext"]),se=k({},["foreignobject","desc","title","annotation-xml"]),le=k({},["title","style","font","a","script"]),ce=k({},B);k(ce,F),k(ce,L);const he=k({},A);k(he,M);const ue=function(t){let e=Q(t);e&&e.tagName||(e={namespaceURI:Vt,tagName:"template"});const i=f(t.tagName),r=f(e.tagName);return!!Xt[t.namespaceURI]&&(t.namespaceURI===Ut?e.namespaceURI===Yt?"svg"===i:e.namespaceURI===Wt?"svg"===i&&("annotation-xml"===r||ae[r]):Boolean(ce[i]):t.namespaceURI===Wt?e.namespaceURI===Yt?"math"===i:e.namespaceURI===Ut?"math"===i&&se[r]:Boolean(he[i]):t.namespaceURI===Yt?!(e.namespaceURI===Ut&&!se[r])&&!(e.namespaceURI===Wt&&!ae[r])&&!he[i]&&(le[i]||!ce[i]):!("application/xhtml+xml"!==Qt||!Xt[t.namespaceURI]))},de=function(t){d(i.removed,{element:t});try{t.parentNode.removeChild(t)}catch(e){t.remove()}},fe=function(t,e){try{d(i.removed,{attribute:e.getAttributeNode(t),from:e})}catch(r){d(i.removed,{attribute:null,from:e})}if(e.removeAttribute(t),"is"===t&&!yt[t])if(At||Mt)try{de(e)}catch(r){}else try{e.setAttribute(t,"")}catch(r){}},pe=function(t){let e=null,i=null;if(Lt)t="<remove></remove>"+t;else{const e=g(t,/^[\r\n\t ]+/);i=e&&e[0]}"application/xhtml+xml"===Qt&&Vt===Yt&&(t='<html xmlns="http://www.w3.org/1999/xhtml"><head></head><body>'+t+"</body></html>");const n=K?K.createHTML(t):t;if(Vt===Yt)try{e=(new $).parseFromString(n,Qt)}catch(a){}if(!e||!e.documentElement){e=et.createDocument(Vt,"template",null);try{e.documentElement.innerHTML=Gt?tt:n}catch(a){}}const o=e.body||e.documentElement;return t&&i&&o.insertBefore(r.createTextNode(i),o.childNodes[0]||null),Vt===Yt?nt.call(e,Bt?"html":"body")[0]:Bt?e.documentElement:o},ge=function(t){return it.call(t.ownerDocument||t,t,O.SHOW_ELEMENT|O.SHOW_COMMENT|O.SHOW_TEXT,null)},me=function(t){return t instanceof q&&("string"!=typeof t.nodeName||"string"!=typeof t.textContent||"function"!=typeof t.removeChild||!(t.attributes instanceof D)||"function"!=typeof t.removeAttribute||"function"!=typeof t.setAttribute||"string"!=typeof t.namespaceURI||"function"!=typeof t.insertBefore||"function"!=typeof t.hasChildNodes)},ye=function(t){return"function"==typeof _&&t instanceof _},xe=function(t,e,r){at[t]&&h(at[t],(t=>{t.call(i,e,r,ie)}))},be=function(t){let e=null;if(xe("beforeSanitizeElements",t,null),me(t))return de(t),!0;const r=ee(t.nodeName);if(xe("uponSanitizeElement",t,{tagName:r,allowedTags:gt}),t.hasChildNodes()&&!ye(t.firstElementChild)&&b(/<[/\w]/g,t.innerHTML)&&b(/<[/\w]/g,t.textContent))return de(t),!0;if(!gt[r]||Ct[r]){if(!Ct[r]&&_e(r)){if(bt.tagNameCheck instanceof RegExp&&b(bt.tagNameCheck,r))return!1;if(bt.tagNameCheck instanceof Function&&bt.tagNameCheck(r))return!1}if(It&&!qt[r]){const e=Q(t)||t.parentNode,i=J(t)||t.childNodes;if(i&&e)for(let r=i.length-1;r>=0;--r)e.insertBefore(H(i[r],!0),X(t))}return de(t),!0}return t instanceof v&&!ue(t)?(de(t),!0):"noscript"!==r&&"noembed"!==r&&"noframes"!==r||!b(/<\/no(script|embed|frames)/i,t.innerHTML)?(St&&3===t.nodeType&&(e=t.textContent,h([st,lt,ct],(t=>{e=m(e,t," ")})),t.textContent!==e&&(d(i.removed,{element:t.cloneNode()}),t.textContent=e)),xe("afterSanitizeElements",t,null),!1):(de(t),!0)},Ce=function(t,e,i){if(Nt&&("id"===e||"name"===e)&&(i in r||i in re))return!1;if(kt&&!_t[e]&&b(ht,e));else if(vt&&b(ut,e));else if(!yt[e]||_t[e]){if(!(_e(t)&&(bt.tagNameCheck instanceof RegExp&&b(bt.tagNameCheck,t)||bt.tagNameCheck instanceof Function&&bt.tagNameCheck(t))&&(bt.attributeNameCheck instanceof RegExp&&b(bt.attributeNameCheck,e)||bt.attributeNameCheck instanceof Function&&bt.attributeNameCheck(e))||"is"===e&&bt.allowCustomizedBuiltInElements&&(bt.tagNameCheck instanceof RegExp&&b(bt.tagNameCheck,i)||bt.tagNameCheck instanceof Function&&bt.tagNameCheck(i))))return!1}else if(Rt[e]);else if(b(pt,m(i,ft,"")));else if("src"!==e&&"xlink:href"!==e&&"href"!==e||"script"===t||0!==y(i,"data:")||!zt[t])if(Tt&&!b(dt,m(i,ft,"")));else if(i)return!1;return!0},_e=function(t){return t.indexOf("-")>0},ve=function(t){xe("beforeSanitizeAttributes",t,null);const{attributes:e}=t;if(!e)return;const r={attrName:"",attrValue:"",keepAttr:!0,allowedAttributes:yt};let n=e.length;for(;n--;){const a=e[n],{name:s,namespaceURI:l,value:c}=a,d=ee(s);let f="value"===s?c:x(c);if(r.attrName=d,r.attrValue=f,r.keepAttr=!0,r.forceKeepAttr=void 0,xe("uponSanitizeAttribute",t,r),f=r.attrValue,r.forceKeepAttr)continue;if(fe(s,t),!r.keepAttr)continue;if(!wt&&b(/\/>/i,f)){fe(s,t);continue}St&&h([st,lt,ct],(t=>{f=m(f,t," ")}));const p=ee(t.nodeName);if(Ce(p,d,f)){if(!Zt||"id"!==d&&"name"!==d||(fe(s,t),f=jt+f),K&&"object"==typeof z&&"function"==typeof z.getAttributeType)if(l);else switch(z.getAttributeType(p,d)){case"TrustedHTML":f=K.createHTML(f);break;case"TrustedScriptURL":f=K.createScriptURL(f)}try{l?t.setAttributeNS(l,s,f):t.setAttribute(s,f),u(i.removed)}catch(o){}}}xe("afterSanitizeAttributes",t,null)},ke=function t(e){let i=null;const r=ge(e);for(xe("beforeSanitizeShadowDOM",e,null);i=r.nextNode();)xe("uponSanitizeShadowNode",i,null),be(i)||(i.content instanceof l&&t(i.content),ve(i));xe("afterSanitizeShadowDOM",e,null)};return i.sanitize=function(t){let e=arguments.length>1&&void 0!==arguments[1]?arguments[1]:{},r=null,o=null,a=null,s=null;if(Gt=!t,Gt&&(t="\x3c!--\x3e"),"string"!=typeof t&&!ye(t)){if("function"!=typeof t.toString)throw C("toString is not a function");if("string"!=typeof(t=t.toString()))throw C("dirty is not a string, aborting")}if(!i.isSupported)return t;if(Ft||oe(e),i.removed=[],"string"==typeof t&&(Ot=!1),Ot){if(t.nodeName){const e=ee(t.nodeName);if(!gt[e]||Ct[e])throw C("root node is forbidden and cannot be sanitized in-place")}}else if(t instanceof _)r=pe("\x3c!----\x3e"),o=r.ownerDocument.importNode(t,!0),1===o.nodeType&&"BODY"===o.nodeName||"HTML"===o.nodeName?r=o:r.appendChild(o);else{if(!At&&!St&&!Bt&&-1===t.indexOf("<"))return K&&Et?K.createHTML(t):t;if(r=pe(t),!r)return At?null:Et?tt:""}r&&Lt&&de(r.firstChild);const c=ge(Ot?t:r);for(;a=c.nextNode();)be(a)||(a.content instanceof l&&ke(a.content),ve(a));if(Ot)return t;if(At){if(Mt)for(s=rt.call(r.ownerDocument);r.firstChild;)s.appendChild(r.firstChild);else s=r;return(yt.shadowroot||yt.shadowrootmode)&&(s=ot.call(n,s,!0)),s}let u=Bt?r.outerHTML:r.innerHTML;return Bt&>["!doctype"]&&r.ownerDocument&&r.ownerDocument.doctype&&r.ownerDocument.doctype.name&&b(W,r.ownerDocument.doctype.name)&&(u="<!DOCTYPE "+r.ownerDocument.doctype.name+">\n"+u),St&&h([st,lt,ct],(t=>{u=m(u,t," ")})),K&&Et?K.createHTML(u):u},i.setConfig=function(){oe(arguments.length>0&&void 0!==arguments[0]?arguments[0]:{}),Ft=!0},i.clearConfig=function(){ie=null,Ft=!1},i.isValidAttribute=function(t,e,i){ie||oe({});const r=ee(t),n=ee(e);return Ce(r,n,i)},i.addHook=function(t,e){"function"==typeof e&&(at[t]=at[t]||[],d(at[t],e))},i.removeHook=function(t){if(at[t])return u(at[t])},i.removeHooks=function(t){at[t]&&(at[t]=[])},i.removeAllHooks=function(){at={}},i}return G()}()},7594:(t,e)=>{function i(t){let e,i=[];for(let r of t.split(",").map((t=>t.trim())))if(/^-?\d+$/.test(r))i.push(parseInt(r,10));else if(e=r.match(/^(-?\d+)(-|\.\.\.?|\u2025|\u2026|\u22EF)(-?\d+)$/)){let[t,r,n,o]=e;if(r&&o){r=parseInt(r),o=parseInt(o);const t=r<o?1:-1;"-"!==n&&".."!==n&&"\u2025"!==n||(o+=t);for(let e=r;e!==o;e+=t)i.push(e)}}return i}e.default=i,t.exports=i},8464:(t,e,i)=>{"use strict";function r(t){for(var e=[],i=1;i<arguments.length;i++)e[i-1]=arguments[i];var r=Array.from("string"==typeof t?[t]:t);r[r.length-1]=r[r.length-1].replace(/\r?\n([\t ]*)$/,"");var n=r.reduce((function(t,e){var i=e.match(/\n([\t ]+|(?!\s).)/g);return i?t.concat(i.map((function(t){var e,i;return null!==(i=null===(e=t.match(/[\t ]/g))||void 0===e?void 0:e.length)&&void 0!==i?i:0}))):t}),[]);if(n.length){var o=new RegExp("\n[\t ]{"+Math.min.apply(Math,n)+"}","g");r=r.map((function(t){return t.replace(o,"\n")}))}r[0]=r[0].replace(/^\r?\n/,"");var a=r[0];return e.forEach((function(t,e){var i=a.match(/(?:^|\n)( *)$/),n=i?i[1]:"",o=t;"string"==typeof t&&t.includes("\n")&&(o=String(t).split("\n").map((function(t,e){return 0===e?t:""+n+t})).join("\n")),a+=o+r[e+1]})),a}i.d(e,{Z:()=>r})},1151:(t,e,i)=>{"use strict";i.d(e,{Z:()=>s,a:()=>a});var r=i(7294);const n={},o=r.createContext(n);function a(t){const e=r.useContext(o);return r.useMemo((function(){return"function"==typeof t?t(e):{...e,...t}}),[e,t])}function s(t){let e;return e=t.disableParentContext?"function"==typeof t.components?t.components(n):t.components||n:a(t.components),r.createElement(o.Provider,{value:e},t.children)}},4218:(t,e,i)=>{"use strict";function r(t,e){let i;if(void 0===e)for(const r of t)null!=r&&(i<r||void 0===i&&r>=r)&&(i=r);else{let r=-1;for(let n of t)null!=(n=e(n,++r,t))&&(i<n||void 0===i&&n>=n)&&(i=n)}return i}function n(t,e){let i;if(void 0===e)for(const r of t)null!=r&&(i>r||void 0===i&&r>=r)&&(i=r);else{let r=-1;for(let n of t)null!=(n=e(n,++r,t))&&(i>n||void 0===i&&n>=n)&&(i=n)}return i}function o(t){return t}i.d(e,{Nb1:()=>cs,LLu:()=>x,F5q:()=>y,$0Z:()=>vs,Dts:()=>Ts,WQY:()=>Ss,qpX:()=>Fs,u93:()=>Ls,tFB:()=>Ms,YY7:()=>Zs,OvA:()=>Is,dCK:()=>Ds,zgE:()=>zs,fGX:()=>Rs,$m7:()=>Ws,c_6:()=>ds,fxm:()=>Ys,FdL:()=>el,ak_:()=>il,SxZ:()=>ol,eA_:()=>sl,jsv:()=>cl,iJ:()=>ll,JHv:()=>pr,jvg:()=>gs,Fp7:()=>r,VV$:()=>n,ve8:()=>xs,tiA:()=>kr,BYU:()=>mn,PKp:()=>vr,Xf:()=>Na,K2I:()=>Za,Ys:()=>ja,td_:()=>Ia,YPS:()=>Yi,rr1:()=>Nn,i$Z:()=>uo,y2j:()=>Pn,WQD:()=>Mn,U8T:()=>Bn,Z_i:()=>Ln,Ox9:()=>Dn,F0B:()=>Qn,LqH:()=>Rn,S1K:()=>Fn,Zyz:()=>On,Igq:()=>zn,YDX:()=>qn,EFj:()=>$n});var a=1,s=2,l=3,c=4,h=1e-6;function u(t){return"translate("+t+",0)"}function d(t){return"translate(0,"+t+")"}function f(t){return e=>+t(e)}function p(t,e){return e=Math.max(0,t.bandwidth()-2*e)/2,t.round()&&(e=Math.round(e)),i=>+t(i)+e}function g(){return!this.__axis}function m(t,e){var i=[],r=null,n=null,m=6,y=6,x=3,b="undefined"!=typeof window&&window.devicePixelRatio>1?0:.5,C=t===a||t===c?-1:1,_=t===c||t===s?"x":"y",v=t===a||t===l?u:d;function k(u){var d=null==r?e.ticks?e.ticks.apply(e,i):e.domain():r,k=null==n?e.tickFormat?e.tickFormat.apply(e,i):o:n,T=Math.max(m,0)+x,w=e.range(),S=+w[0]+b,B=+w[w.length-1]+b,F=(e.bandwidth?p:f)(e.copy(),b),L=u.selection?u.selection():u,A=L.selectAll(".domain").data([null]),M=L.selectAll(".tick").data(d,e).order(),E=M.exit(),N=M.enter().append("g").attr("class","tick"),Z=M.select("line"),j=M.select("text");A=A.merge(A.enter().insert("path",".tick").attr("class","domain").attr("stroke","currentColor")),M=M.merge(N),Z=Z.merge(N.append("line").attr("stroke","currentColor").attr(_+"2",C*m)),j=j.merge(N.append("text").attr("fill","currentColor").attr(_,C*T).attr("dy",t===a?"0em":t===l?"0.71em":"0.32em")),u!==L&&(A=A.transition(u),M=M.transition(u),Z=Z.transition(u),j=j.transition(u),E=E.transition(u).attr("opacity",h).attr("transform",(function(t){return isFinite(t=F(t))?v(t+b):this.getAttribute("transform")})),N.attr("opacity",h).attr("transform",(function(t){var e=this.parentNode.__axis;return v((e&&isFinite(e=e(t))?e:F(t))+b)}))),E.remove(),A.attr("d",t===c||t===s?y?"M"+C*y+","+S+"H"+b+"V"+B+"H"+C*y:"M"+b+","+S+"V"+B:y?"M"+S+","+C*y+"V"+b+"H"+B+"V"+C*y:"M"+S+","+b+"H"+B),M.attr("opacity",1).attr("transform",(function(t){return v(F(t)+b)})),Z.attr(_+"2",C*m),j.attr(_,C*T).text(k),L.filter(g).attr("fill","none").attr("font-size",10).attr("font-family","sans-serif").attr("text-anchor",t===s?"start":t===c?"end":"middle"),L.each((function(){this.__axis=F}))}return k.scale=function(t){return arguments.length?(e=t,k):e},k.ticks=function(){return i=Array.from(arguments),k},k.tickArguments=function(t){return arguments.length?(i=null==t?[]:Array.from(t),k):i.slice()},k.tickValues=function(t){return arguments.length?(r=null==t?null:Array.from(t),k):r&&r.slice()},k.tickFormat=function(t){return arguments.length?(n=t,k):n},k.tickSize=function(t){return arguments.length?(m=y=+t,k):m},k.tickSizeInner=function(t){return arguments.length?(m=+t,k):m},k.tickSizeOuter=function(t){return arguments.length?(y=+t,k):y},k.tickPadding=function(t){return arguments.length?(x=+t,k):x},k.offset=function(t){return arguments.length?(b=+t,k):b},k}function y(t){return m(a,t)}function x(t){return m(l,t)}function b(){}function C(t){return null==t?b:function(){return this.querySelector(t)}}function _(t){return null==t?[]:Array.isArray(t)?t:Array.from(t)}function v(){return[]}function k(t){return null==t?v:function(){return this.querySelectorAll(t)}}function T(t){return function(){return this.matches(t)}}function w(t){return function(e){return e.matches(t)}}var S=Array.prototype.find;function B(){return this.firstElementChild}var F=Array.prototype.filter;function L(){return Array.from(this.children)}function A(t){return new Array(t.length)}function M(t,e){this.ownerDocument=t.ownerDocument,this.namespaceURI=t.namespaceURI,this._next=null,this._parent=t,this.__data__=e}function E(t,e,i,r,n,o){for(var a,s=0,l=e.length,c=o.length;s<c;++s)(a=e[s])?(a.__data__=o[s],r[s]=a):i[s]=new M(t,o[s]);for(;s<l;++s)(a=e[s])&&(n[s]=a)}function N(t,e,i,r,n,o,a){var s,l,c,h=new Map,u=e.length,d=o.length,f=new Array(u);for(s=0;s<u;++s)(l=e[s])&&(f[s]=c=a.call(l,l.__data__,s,e)+"",h.has(c)?n[s]=l:h.set(c,l));for(s=0;s<d;++s)c=a.call(t,o[s],s,o)+"",(l=h.get(c))?(r[s]=l,l.__data__=o[s],h.delete(c)):i[s]=new M(t,o[s]);for(s=0;s<u;++s)(l=e[s])&&h.get(f[s])===l&&(n[s]=l)}function Z(t){return t.__data__}function j(t){return"object"==typeof t&&"length"in t?t:Array.from(t)}function I(t,e){return t<e?-1:t>e?1:t>=e?0:NaN}M.prototype={constructor:M,appendChild:function(t){return this._parent.insertBefore(t,this._next)},insertBefore:function(t,e){return this._parent.insertBefore(t,e)},querySelector:function(t){return this._parent.querySelector(t)},querySelectorAll:function(t){return this._parent.querySelectorAll(t)}};var O="http://www.w3.org/1999/xhtml";const D={svg:"http://www.w3.org/2000/svg",xhtml:O,xlink:"http://www.w3.org/1999/xlink",xml:"http://www.w3.org/XML/1998/namespace",xmlns:"http://www.w3.org/2000/xmlns/"};function q(t){var e=t+="",i=e.indexOf(":");return i>=0&&"xmlns"!==(e=t.slice(0,i))&&(t=t.slice(i+1)),D.hasOwnProperty(e)?{space:D[e],local:t}:t}function $(t){return function(){this.removeAttribute(t)}}function z(t){return function(){this.removeAttributeNS(t.space,t.local)}}function P(t,e){return function(){this.setAttribute(t,e)}}function R(t,e){return function(){this.setAttributeNS(t.space,t.local,e)}}function H(t,e){return function(){var i=e.apply(this,arguments);null==i?this.removeAttribute(t):this.setAttribute(t,i)}}function W(t,e){return function(){var i=e.apply(this,arguments);null==i?this.removeAttributeNS(t.space,t.local):this.setAttributeNS(t.space,t.local,i)}}function U(t){return t.ownerDocument&&t.ownerDocument.defaultView||t.document&&t||t.defaultView}function Y(t){return function(){this.style.removeProperty(t)}}function V(t,e,i){return function(){this.style.setProperty(t,e,i)}}function G(t,e,i){return function(){var r=e.apply(this,arguments);null==r?this.style.removeProperty(t):this.style.setProperty(t,r,i)}}function X(t,e){return t.style.getPropertyValue(e)||U(t).getComputedStyle(t,null).getPropertyValue(e)}function J(t){return function(){delete this[t]}}function Q(t,e){return function(){this[t]=e}}function K(t,e){return function(){var i=e.apply(this,arguments);null==i?delete this[t]:this[t]=i}}function tt(t){return t.trim().split(/^|\s+/)}function et(t){return t.classList||new it(t)}function it(t){this._node=t,this._names=tt(t.getAttribute("class")||"")}function rt(t,e){for(var i=et(t),r=-1,n=e.length;++r<n;)i.add(e[r])}function nt(t,e){for(var i=et(t),r=-1,n=e.length;++r<n;)i.remove(e[r])}function ot(t){return function(){rt(this,t)}}function at(t){return function(){nt(this,t)}}function st(t,e){return function(){(e.apply(this,arguments)?rt:nt)(this,t)}}function lt(){this.textContent=""}function ct(t){return function(){this.textContent=t}}function ht(t){return function(){var e=t.apply(this,arguments);this.textContent=null==e?"":e}}function ut(){this.innerHTML=""}function dt(t){return function(){this.innerHTML=t}}function ft(t){return function(){var e=t.apply(this,arguments);this.innerHTML=null==e?"":e}}function pt(){this.nextSibling&&this.parentNode.appendChild(this)}function gt(){this.previousSibling&&this.parentNode.insertBefore(this,this.parentNode.firstChild)}function mt(t){return function(){var e=this.ownerDocument,i=this.namespaceURI;return i===O&&e.documentElement.namespaceURI===O?e.createElement(t):e.createElementNS(i,t)}}function yt(t){return function(){return this.ownerDocument.createElementNS(t.space,t.local)}}function xt(t){var e=q(t);return(e.local?yt:mt)(e)}function bt(){return null}function Ct(){var t=this.parentNode;t&&t.removeChild(this)}function _t(){var t=this.cloneNode(!1),e=this.parentNode;return e?e.insertBefore(t,this.nextSibling):t}function vt(){var t=this.cloneNode(!0),e=this.parentNode;return e?e.insertBefore(t,this.nextSibling):t}function kt(t){return function(){var e=this.__on;if(e){for(var i,r=0,n=-1,o=e.length;r<o;++r)i=e[r],t.type&&i.type!==t.type||i.name!==t.name?e[++n]=i:this.removeEventListener(i.type,i.listener,i.options);++n?e.length=n:delete this.__on}}}function Tt(t,e,i){return function(){var r,n=this.__on,o=function(t){return function(e){t.call(this,e,this.__data__)}}(e);if(n)for(var a=0,s=n.length;a<s;++a)if((r=n[a]).type===t.type&&r.name===t.name)return this.removeEventListener(r.type,r.listener,r.options),this.addEventListener(r.type,r.listener=o,r.options=i),void(r.value=e);this.addEventListener(t.type,o,i),r={type:t.type,name:t.name,value:e,listener:o,options:i},n?n.push(r):this.__on=[r]}}function wt(t,e,i){var r=U(t),n=r.CustomEvent;"function"==typeof n?n=new n(e,i):(n=r.document.createEvent("Event"),i?(n.initEvent(e,i.bubbles,i.cancelable),n.detail=i.detail):n.initEvent(e,!1,!1)),t.dispatchEvent(n)}function St(t,e){return function(){return wt(this,t,e)}}function Bt(t,e){return function(){return wt(this,t,e.apply(this,arguments))}}it.prototype={add:function(t){this._names.indexOf(t)<0&&(this._names.push(t),this._node.setAttribute("class",this._names.join(" ")))},remove:function(t){var e=this._names.indexOf(t);e>=0&&(this._names.splice(e,1),this._node.setAttribute("class",this._names.join(" ")))},contains:function(t){return this._names.indexOf(t)>=0}};var Ft=[null];function Lt(t,e){this._groups=t,this._parents=e}function At(){return new Lt([[document.documentElement]],Ft)}Lt.prototype=At.prototype={constructor:Lt,select:function(t){"function"!=typeof t&&(t=C(t));for(var e=this._groups,i=e.length,r=new Array(i),n=0;n<i;++n)for(var o,a,s=e[n],l=s.length,c=r[n]=new Array(l),h=0;h<l;++h)(o=s[h])&&(a=t.call(o,o.__data__,h,s))&&("__data__"in o&&(a.__data__=o.__data__),c[h]=a);return new Lt(r,this._parents)},selectAll:function(t){t="function"==typeof t?function(t){return function(){return _(t.apply(this,arguments))}}(t):k(t);for(var e=this._groups,i=e.length,r=[],n=[],o=0;o<i;++o)for(var a,s=e[o],l=s.length,c=0;c<l;++c)(a=s[c])&&(r.push(t.call(a,a.__data__,c,s)),n.push(a));return new Lt(r,n)},selectChild:function(t){return this.select(null==t?B:function(t){return function(){return S.call(this.children,t)}}("function"==typeof t?t:w(t)))},selectChildren:function(t){return this.selectAll(null==t?L:function(t){return function(){return F.call(this.children,t)}}("function"==typeof t?t:w(t)))},filter:function(t){"function"!=typeof t&&(t=T(t));for(var e=this._groups,i=e.length,r=new Array(i),n=0;n<i;++n)for(var o,a=e[n],s=a.length,l=r[n]=[],c=0;c<s;++c)(o=a[c])&&t.call(o,o.__data__,c,a)&&l.push(o);return new Lt(r,this._parents)},data:function(t,e){if(!arguments.length)return Array.from(this,Z);var i,r=e?N:E,n=this._parents,o=this._groups;"function"!=typeof t&&(i=t,t=function(){return i});for(var a=o.length,s=new Array(a),l=new Array(a),c=new Array(a),h=0;h<a;++h){var u=n[h],d=o[h],f=d.length,p=j(t.call(u,u&&u.__data__,h,n)),g=p.length,m=l[h]=new Array(g),y=s[h]=new Array(g);r(u,d,m,y,c[h]=new Array(f),p,e);for(var x,b,C=0,_=0;C<g;++C)if(x=m[C]){for(C>=_&&(_=C+1);!(b=y[_])&&++_<g;);x._next=b||null}}return(s=new Lt(s,n))._enter=l,s._exit=c,s},enter:function(){return new Lt(this._enter||this._groups.map(A),this._parents)},exit:function(){return new Lt(this._exit||this._groups.map(A),this._parents)},join:function(t,e,i){var r=this.enter(),n=this,o=this.exit();return"function"==typeof t?(r=t(r))&&(r=r.selection()):r=r.append(t+""),null!=e&&(n=e(n))&&(n=n.selection()),null==i?o.remove():i(o),r&&n?r.merge(n).order():n},merge:function(t){for(var e=t.selection?t.selection():t,i=this._groups,r=e._groups,n=i.length,o=r.length,a=Math.min(n,o),s=new Array(n),l=0;l<a;++l)for(var c,h=i[l],u=r[l],d=h.length,f=s[l]=new Array(d),p=0;p<d;++p)(c=h[p]||u[p])&&(f[p]=c);for(;l<n;++l)s[l]=i[l];return new Lt(s,this._parents)},selection:function(){return this},order:function(){for(var t=this._groups,e=-1,i=t.length;++e<i;)for(var r,n=t[e],o=n.length-1,a=n[o];--o>=0;)(r=n[o])&&(a&&4^r.compareDocumentPosition(a)&&a.parentNode.insertBefore(r,a),a=r);return this},sort:function(t){function e(e,i){return e&&i?t(e.__data__,i.__data__):!e-!i}t||(t=I);for(var i=this._groups,r=i.length,n=new Array(r),o=0;o<r;++o){for(var a,s=i[o],l=s.length,c=n[o]=new Array(l),h=0;h<l;++h)(a=s[h])&&(c[h]=a);c.sort(e)}return new Lt(n,this._parents).order()},call:function(){var t=arguments[0];return arguments[0]=this,t.apply(null,arguments),this},nodes:function(){return Array.from(this)},node:function(){for(var t=this._groups,e=0,i=t.length;e<i;++e)for(var r=t[e],n=0,o=r.length;n<o;++n){var a=r[n];if(a)return a}return null},size:function(){let t=0;for(const e of this)++t;return t},empty:function(){return!this.node()},each:function(t){for(var e=this._groups,i=0,r=e.length;i<r;++i)for(var n,o=e[i],a=0,s=o.length;a<s;++a)(n=o[a])&&t.call(n,n.__data__,a,o);return this},attr:function(t,e){var i=q(t);if(arguments.length<2){var r=this.node();return i.local?r.getAttributeNS(i.space,i.local):r.getAttribute(i)}return this.each((null==e?i.local?z:$:"function"==typeof e?i.local?W:H:i.local?R:P)(i,e))},style:function(t,e,i){return arguments.length>1?this.each((null==e?Y:"function"==typeof e?G:V)(t,e,null==i?"":i)):X(this.node(),t)},property:function(t,e){return arguments.length>1?this.each((null==e?J:"function"==typeof e?K:Q)(t,e)):this.node()[t]},classed:function(t,e){var i=tt(t+"");if(arguments.length<2){for(var r=et(this.node()),n=-1,o=i.length;++n<o;)if(!r.contains(i[n]))return!1;return!0}return this.each(("function"==typeof e?st:e?ot:at)(i,e))},text:function(t){return arguments.length?this.each(null==t?lt:("function"==typeof t?ht:ct)(t)):this.node().textContent},html:function(t){return arguments.length?this.each(null==t?ut:("function"==typeof t?ft:dt)(t)):this.node().innerHTML},raise:function(){return this.each(pt)},lower:function(){return this.each(gt)},append:function(t){var e="function"==typeof t?t:xt(t);return this.select((function(){return this.appendChild(e.apply(this,arguments))}))},insert:function(t,e){var i="function"==typeof t?t:xt(t),r=null==e?bt:"function"==typeof e?e:C(e);return this.select((function(){return this.insertBefore(i.apply(this,arguments),r.apply(this,arguments)||null)}))},remove:function(){return this.each(Ct)},clone:function(t){return this.select(t?vt:_t)},datum:function(t){return arguments.length?this.property("__data__",t):this.node().__data__},on:function(t,e,i){var r,n,o=function(t){return t.trim().split(/^|\s+/).map((function(t){var e="",i=t.indexOf(".");return i>=0&&(e=t.slice(i+1),t=t.slice(0,i)),{type:t,name:e}}))}(t+""),a=o.length;if(!(arguments.length<2)){for(s=e?Tt:kt,r=0;r<a;++r)this.each(s(o[r],e,i));return this}var s=this.node().__on;if(s)for(var l,c=0,h=s.length;c<h;++c)for(r=0,l=s[c];r<a;++r)if((n=o[r]).type===l.type&&n.name===l.name)return l.value},dispatch:function(t,e){return this.each(("function"==typeof e?Bt:St)(t,e))},[Symbol.iterator]:function*(){for(var t=this._groups,e=0,i=t.length;e<i;++e)for(var r,n=t[e],o=0,a=n.length;o<a;++o)(r=n[o])&&(yield r)}};const Mt=At;var Et={value:()=>{}};function Nt(){for(var t,e=0,i=arguments.length,r={};e<i;++e){if(!(t=arguments[e]+"")||t in r||/[\s.]/.test(t))throw new Error("illegal type: "+t);r[t]=[]}return new Zt(r)}function Zt(t){this._=t}function jt(t,e){for(var i,r=0,n=t.length;r<n;++r)if((i=t[r]).name===e)return i.value}function It(t,e,i){for(var r=0,n=t.length;r<n;++r)if(t[r].name===e){t[r]=Et,t=t.slice(0,r).concat(t.slice(r+1));break}return null!=i&&t.push({name:e,value:i}),t}Zt.prototype=Nt.prototype={constructor:Zt,on:function(t,e){var i,r,n=this._,o=(r=n,(t+"").trim().split(/^|\s+/).map((function(t){var e="",i=t.indexOf(".");if(i>=0&&(e=t.slice(i+1),t=t.slice(0,i)),t&&!r.hasOwnProperty(t))throw new Error("unknown type: "+t);return{type:t,name:e}}))),a=-1,s=o.length;if(!(arguments.length<2)){if(null!=e&&"function"!=typeof e)throw new Error("invalid callback: "+e);for(;++a<s;)if(i=(t=o[a]).type)n[i]=It(n[i],t.name,e);else if(null==e)for(i in n)n[i]=It(n[i],t.name,null);return this}for(;++a<s;)if((i=(t=o[a]).type)&&(i=jt(n[i],t.name)))return i},copy:function(){var t={},e=this._;for(var i in e)t[i]=e[i].slice();return new Zt(t)},call:function(t,e){if((i=arguments.length-2)>0)for(var i,r,n=new Array(i),o=0;o<i;++o)n[o]=arguments[o+2];if(!this._.hasOwnProperty(t))throw new Error("unknown type: "+t);for(o=0,i=(r=this._[t]).length;o<i;++o)r[o].value.apply(e,n)},apply:function(t,e,i){if(!this._.hasOwnProperty(t))throw new Error("unknown type: "+t);for(var r=this._[t],n=0,o=r.length;n<o;++n)r[n].value.apply(e,i)}};const Ot=Nt;var Dt,qt,$t=0,zt=0,Pt=0,Rt=1e3,Ht=0,Wt=0,Ut=0,Yt="object"==typeof performance&&performance.now?performance:Date,Vt="object"==typeof window&&window.requestAnimationFrame?window.requestAnimationFrame.bind(window):function(t){setTimeout(t,17)};function Gt(){return Wt||(Vt(Xt),Wt=Yt.now()+Ut)}function Xt(){Wt=0}function Jt(){this._call=this._time=this._next=null}function Qt(t,e,i){var r=new Jt;return r.restart(t,e,i),r}function Kt(){Wt=(Ht=Yt.now())+Ut,$t=zt=0;try{!function(){Gt(),++$t;for(var t,e=Dt;e;)(t=Wt-e._time)>=0&&e._call.call(void 0,t),e=e._next;--$t}()}finally{$t=0,function(){var t,e,i=Dt,r=1/0;for(;i;)i._call?(r>i._time&&(r=i._time),t=i,i=i._next):(e=i._next,i._next=null,i=t?t._next=e:Dt=e);qt=t,ee(r)}(),Wt=0}}function te(){var t=Yt.now(),e=t-Ht;e>Rt&&(Ut-=e,Ht=t)}function ee(t){$t||(zt&&(zt=clearTimeout(zt)),t-Wt>24?(t<1/0&&(zt=setTimeout(Kt,t-Yt.now()-Ut)),Pt&&(Pt=clearInterval(Pt))):(Pt||(Ht=Yt.now(),Pt=setInterval(te,Rt)),$t=1,Vt(Kt)))}function ie(t,e,i){var r=new Jt;return e=null==e?0:+e,r.restart((i=>{r.stop(),t(i+e)}),e,i),r}Jt.prototype=Qt.prototype={constructor:Jt,restart:function(t,e,i){if("function"!=typeof t)throw new TypeError("callback is not a function");i=(null==i?Gt():+i)+(null==e?0:+e),this._next||qt===this||(qt?qt._next=this:Dt=this,qt=this),this._call=t,this._time=i,ee()},stop:function(){this._call&&(this._call=null,this._time=1/0,ee())}};var re=Ot("start","end","cancel","interrupt"),ne=[],oe=0,ae=1,se=2,le=3,ce=4,he=5,ue=6;function de(t,e,i,r,n,o){var a=t.__transition;if(a){if(i in a)return}else t.__transition={};!function(t,e,i){var r,n=t.__transition;function o(t){i.state=ae,i.timer.restart(a,i.delay,i.time),i.delay<=t&&a(t-i.delay)}function a(o){var c,h,u,d;if(i.state!==ae)return l();for(c in n)if((d=n[c]).name===i.name){if(d.state===le)return ie(a);d.state===ce?(d.state=ue,d.timer.stop(),d.on.call("interrupt",t,t.__data__,d.index,d.group),delete n[c]):+c<e&&(d.state=ue,d.timer.stop(),d.on.call("cancel",t,t.__data__,d.index,d.group),delete n[c])}if(ie((function(){i.state===le&&(i.state=ce,i.timer.restart(s,i.delay,i.time),s(o))})),i.state=se,i.on.call("start",t,t.__data__,i.index,i.group),i.state===se){for(i.state=le,r=new Array(u=i.tween.length),c=0,h=-1;c<u;++c)(d=i.tween[c].value.call(t,t.__data__,i.index,i.group))&&(r[++h]=d);r.length=h+1}}function s(e){for(var n=e<i.duration?i.ease.call(null,e/i.duration):(i.timer.restart(l),i.state=he,1),o=-1,a=r.length;++o<a;)r[o].call(t,n);i.state===he&&(i.on.call("end",t,t.__data__,i.index,i.group),l())}function l(){for(var r in i.state=ue,i.timer.stop(),delete n[e],n)return;delete t.__transition}n[e]=i,i.timer=Qt(o,0,i.time)}(t,i,{name:e,index:r,group:n,on:re,tween:ne,time:o.time,delay:o.delay,duration:o.duration,ease:o.ease,timer:null,state:oe})}function fe(t,e){var i=ge(t,e);if(i.state>oe)throw new Error("too late; already scheduled");return i}function pe(t,e){var i=ge(t,e);if(i.state>le)throw new Error("too late; already running");return i}function ge(t,e){var i=t.__transition;if(!i||!(i=i[e]))throw new Error("transition not found");return i}function me(t,e){return t=+t,e=+e,function(i){return t*(1-i)+e*i}}var ye,xe=180/Math.PI,be={translateX:0,translateY:0,rotate:0,skewX:0,scaleX:1,scaleY:1};function Ce(t,e,i,r,n,o){var a,s,l;return(a=Math.sqrt(t*t+e*e))&&(t/=a,e/=a),(l=t*i+e*r)&&(i-=t*l,r-=e*l),(s=Math.sqrt(i*i+r*r))&&(i/=s,r/=s,l/=s),t*r<e*i&&(t=-t,e=-e,l=-l,a=-a),{translateX:n,translateY:o,rotate:Math.atan2(e,t)*xe,skewX:Math.atan(l)*xe,scaleX:a,scaleY:s}}function _e(t,e,i,r){function n(t){return t.length?t.pop()+" ":""}return function(o,a){var s=[],l=[];return o=t(o),a=t(a),function(t,r,n,o,a,s){if(t!==n||r!==o){var l=a.push("translate(",null,e,null,i);s.push({i:l-4,x:me(t,n)},{i:l-2,x:me(r,o)})}else(n||o)&&a.push("translate("+n+e+o+i)}(o.translateX,o.translateY,a.translateX,a.translateY,s,l),function(t,e,i,o){t!==e?(t-e>180?e+=360:e-t>180&&(t+=360),o.push({i:i.push(n(i)+"rotate(",null,r)-2,x:me(t,e)})):e&&i.push(n(i)+"rotate("+e+r)}(o.rotate,a.rotate,s,l),function(t,e,i,o){t!==e?o.push({i:i.push(n(i)+"skewX(",null,r)-2,x:me(t,e)}):e&&i.push(n(i)+"skewX("+e+r)}(o.skewX,a.skewX,s,l),function(t,e,i,r,o,a){if(t!==i||e!==r){var s=o.push(n(o)+"scale(",null,",",null,")");a.push({i:s-4,x:me(t,i)},{i:s-2,x:me(e,r)})}else 1===i&&1===r||o.push(n(o)+"scale("+i+","+r+")")}(o.scaleX,o.scaleY,a.scaleX,a.scaleY,s,l),o=a=null,function(t){for(var e,i=-1,r=l.length;++i<r;)s[(e=l[i]).i]=e.x(t);return s.join("")}}}var ve=_e((function(t){const e=new("function"==typeof DOMMatrix?DOMMatrix:WebKitCSSMatrix)(t+"");return e.isIdentity?be:Ce(e.a,e.b,e.c,e.d,e.e,e.f)}),"px, ","px)","deg)"),ke=_e((function(t){return null==t?be:(ye||(ye=document.createElementNS("http://www.w3.org/2000/svg","g")),ye.setAttribute("transform",t),(t=ye.transform.baseVal.consolidate())?Ce((t=t.matrix).a,t.b,t.c,t.d,t.e,t.f):be)}),", ",")",")");function Te(t,e){var i,r;return function(){var n=pe(this,t),o=n.tween;if(o!==i)for(var a=0,s=(r=i=o).length;a<s;++a)if(r[a].name===e){(r=r.slice()).splice(a,1);break}n.tween=r}}function we(t,e,i){var r,n;if("function"!=typeof i)throw new Error;return function(){var o=pe(this,t),a=o.tween;if(a!==r){n=(r=a).slice();for(var s={name:e,value:i},l=0,c=n.length;l<c;++l)if(n[l].name===e){n[l]=s;break}l===c&&n.push(s)}o.tween=n}}function Se(t,e,i){var r=t._id;return t.each((function(){var t=pe(this,r);(t.value||(t.value={}))[e]=i.apply(this,arguments)})),function(t){return ge(t,r).value[e]}}function Be(t,e,i){t.prototype=e.prototype=i,i.constructor=t}function Fe(t,e){var i=Object.create(t.prototype);for(var r in e)i[r]=e[r];return i}function Le(){}var Ae=.7,Me=1/Ae,Ee="\\s*([+-]?\\d+)\\s*",Ne="\\s*([+-]?(?:\\d*\\.)?\\d+(?:[eE][+-]?\\d+)?)\\s*",Ze="\\s*([+-]?(?:\\d*\\.)?\\d+(?:[eE][+-]?\\d+)?)%\\s*",je=/^#([0-9a-f]{3,8})$/,Ie=new RegExp(`^rgb\\(${Ee},${Ee},${Ee}\\)$`),Oe=new RegExp(`^rgb\\(${Ze},${Ze},${Ze}\\)$`),De=new RegExp(`^rgba\\(${Ee},${Ee},${Ee},${Ne}\\)$`),qe=new RegExp(`^rgba\\(${Ze},${Ze},${Ze},${Ne}\\)$`),$e=new RegExp(`^hsl\\(${Ne},${Ze},${Ze}\\)$`),ze=new RegExp(`^hsla\\(${Ne},${Ze},${Ze},${Ne}\\)$`),Pe={aliceblue:15792383,antiquewhite:16444375,aqua:65535,aquamarine:8388564,azure:15794175,beige:16119260,bisque:16770244,black:0,blanchedalmond:16772045,blue:255,blueviolet:9055202,brown:10824234,burlywood:14596231,cadetblue:6266528,chartreuse:8388352,chocolate:13789470,coral:16744272,cornflowerblue:6591981,cornsilk:16775388,crimson:14423100,cyan:65535,darkblue:139,darkcyan:35723,darkgoldenrod:12092939,darkgray:11119017,darkgreen:25600,darkgrey:11119017,darkkhaki:12433259,darkmagenta:9109643,darkolivegreen:5597999,darkorange:16747520,darkorchid:10040012,darkred:9109504,darksalmon:15308410,darkseagreen:9419919,darkslateblue:4734347,darkslategray:3100495,darkslategrey:3100495,darkturquoise:52945,darkviolet:9699539,deeppink:16716947,deepskyblue:49151,dimgray:6908265,dimgrey:6908265,dodgerblue:2003199,firebrick:11674146,floralwhite:16775920,forestgreen:2263842,fuchsia:16711935,gainsboro:14474460,ghostwhite:16316671,gold:16766720,goldenrod:14329120,gray:8421504,green:32768,greenyellow:11403055,grey:8421504,honeydew:15794160,hotpink:16738740,indianred:13458524,indigo:4915330,ivory:16777200,khaki:15787660,lavender:15132410,lavenderblush:16773365,lawngreen:8190976,lemonchiffon:16775885,lightblue:11393254,lightcoral:15761536,lightcyan:14745599,lightgoldenrodyellow:16448210,lightgray:13882323,lightgreen:9498256,lightgrey:13882323,lightpink:16758465,lightsalmon:16752762,lightseagreen:2142890,lightskyblue:8900346,lightslategray:7833753,lightslategrey:7833753,lightsteelblue:11584734,lightyellow:16777184,lime:65280,limegreen:3329330,linen:16445670,magenta:16711935,maroon:8388608,mediumaquamarine:6737322,mediumblue:205,mediumorchid:12211667,mediumpurple:9662683,mediumseagreen:3978097,mediumslateblue:8087790,mediumspringgreen:64154,mediumturquoise:4772300,mediumvioletred:13047173,midnightblue:1644912,mintcream:16121850,mistyrose:16770273,moccasin:16770229,navajowhite:16768685,navy:128,oldlace:16643558,olive:8421376,olivedrab:7048739,orange:16753920,orangered:16729344,orchid:14315734,palegoldenrod:15657130,palegreen:10025880,paleturquoise:11529966,palevioletred:14381203,papayawhip:16773077,peachpuff:16767673,peru:13468991,pink:16761035,plum:14524637,powderblue:11591910,purple:8388736,rebeccapurple:6697881,red:16711680,rosybrown:12357519,royalblue:4286945,saddlebrown:9127187,salmon:16416882,sandybrown:16032864,seagreen:3050327,seashell:16774638,sienna:10506797,silver:12632256,skyblue:8900331,slateblue:6970061,slategray:7372944,slategrey:7372944,snow:16775930,springgreen:65407,steelblue:4620980,tan:13808780,teal:32896,thistle:14204888,tomato:16737095,turquoise:4251856,violet:15631086,wheat:16113331,white:16777215,whitesmoke:16119285,yellow:16776960,yellowgreen:10145074};function Re(){return this.rgb().formatHex()}function He(){return this.rgb().formatRgb()}function We(t){var e,i;return t=(t+"").trim().toLowerCase(),(e=je.exec(t))?(i=e[1].length,e=parseInt(e[1],16),6===i?Ue(e):3===i?new Xe(e>>8&15|e>>4&240,e>>4&15|240&e,(15&e)<<4|15&e,1):8===i?Ye(e>>24&255,e>>16&255,e>>8&255,(255&e)/255):4===i?Ye(e>>12&15|e>>8&240,e>>8&15|e>>4&240,e>>4&15|240&e,((15&e)<<4|15&e)/255):null):(e=Ie.exec(t))?new Xe(e[1],e[2],e[3],1):(e=Oe.exec(t))?new Xe(255*e[1]/100,255*e[2]/100,255*e[3]/100,1):(e=De.exec(t))?Ye(e[1],e[2],e[3],e[4]):(e=qe.exec(t))?Ye(255*e[1]/100,255*e[2]/100,255*e[3]/100,e[4]):(e=$e.exec(t))?ii(e[1],e[2]/100,e[3]/100,1):(e=ze.exec(t))?ii(e[1],e[2]/100,e[3]/100,e[4]):Pe.hasOwnProperty(t)?Ue(Pe[t]):"transparent"===t?new Xe(NaN,NaN,NaN,0):null}function Ue(t){return new Xe(t>>16&255,t>>8&255,255&t,1)}function Ye(t,e,i,r){return r<=0&&(t=e=i=NaN),new Xe(t,e,i,r)}function Ve(t){return t instanceof Le||(t=We(t)),t?new Xe((t=t.rgb()).r,t.g,t.b,t.opacity):new Xe}function Ge(t,e,i,r){return 1===arguments.length?Ve(t):new Xe(t,e,i,null==r?1:r)}function Xe(t,e,i,r){this.r=+t,this.g=+e,this.b=+i,this.opacity=+r}function Je(){return`#${ei(this.r)}${ei(this.g)}${ei(this.b)}`}function Qe(){const t=Ke(this.opacity);return`${1===t?"rgb(":"rgba("}${ti(this.r)}, ${ti(this.g)}, ${ti(this.b)}${1===t?")":`, ${t})`}`}function Ke(t){return isNaN(t)?1:Math.max(0,Math.min(1,t))}function ti(t){return Math.max(0,Math.min(255,Math.round(t)||0))}function ei(t){return((t=ti(t))<16?"0":"")+t.toString(16)}function ii(t,e,i,r){return r<=0?t=e=i=NaN:i<=0||i>=1?t=e=NaN:e<=0&&(t=NaN),new ni(t,e,i,r)}function ri(t){if(t instanceof ni)return new ni(t.h,t.s,t.l,t.opacity);if(t instanceof Le||(t=We(t)),!t)return new ni;if(t instanceof ni)return t;var e=(t=t.rgb()).r/255,i=t.g/255,r=t.b/255,n=Math.min(e,i,r),o=Math.max(e,i,r),a=NaN,s=o-n,l=(o+n)/2;return s?(a=e===o?(i-r)/s+6*(i<r):i===o?(r-e)/s+2:(e-i)/s+4,s/=l<.5?o+n:2-o-n,a*=60):s=l>0&&l<1?0:a,new ni(a,s,l,t.opacity)}function ni(t,e,i,r){this.h=+t,this.s=+e,this.l=+i,this.opacity=+r}function oi(t){return(t=(t||0)%360)<0?t+360:t}function ai(t){return Math.max(0,Math.min(1,t||0))}function si(t,e,i){return 255*(t<60?e+(i-e)*t/60:t<180?i:t<240?e+(i-e)*(240-t)/60:e)}function li(t,e,i,r,n){var o=t*t,a=o*t;return((1-3*t+3*o-a)*e+(4-6*o+3*a)*i+(1+3*t+3*o-3*a)*r+a*n)/6}Be(Le,We,{copy(t){return Object.assign(new this.constructor,this,t)},displayable(){return this.rgb().displayable()},hex:Re,formatHex:Re,formatHex8:function(){return this.rgb().formatHex8()},formatHsl:function(){return ri(this).formatHsl()},formatRgb:He,toString:He}),Be(Xe,Ge,Fe(Le,{brighter(t){return t=null==t?Me:Math.pow(Me,t),new Xe(this.r*t,this.g*t,this.b*t,this.opacity)},darker(t){return t=null==t?Ae:Math.pow(Ae,t),new Xe(this.r*t,this.g*t,this.b*t,this.opacity)},rgb(){return this},clamp(){return new Xe(ti(this.r),ti(this.g),ti(this.b),Ke(this.opacity))},displayable(){return-.5<=this.r&&this.r<255.5&&-.5<=this.g&&this.g<255.5&&-.5<=this.b&&this.b<255.5&&0<=this.opacity&&this.opacity<=1},hex:Je,formatHex:Je,formatHex8:function(){return`#${ei(this.r)}${ei(this.g)}${ei(this.b)}${ei(255*(isNaN(this.opacity)?1:this.opacity))}`},formatRgb:Qe,toString:Qe})),Be(ni,(function(t,e,i,r){return 1===arguments.length?ri(t):new ni(t,e,i,null==r?1:r)}),Fe(Le,{brighter(t){return t=null==t?Me:Math.pow(Me,t),new ni(this.h,this.s,this.l*t,this.opacity)},darker(t){return t=null==t?Ae:Math.pow(Ae,t),new ni(this.h,this.s,this.l*t,this.opacity)},rgb(){var t=this.h%360+360*(this.h<0),e=isNaN(t)||isNaN(this.s)?0:this.s,i=this.l,r=i+(i<.5?i:1-i)*e,n=2*i-r;return new Xe(si(t>=240?t-240:t+120,n,r),si(t,n,r),si(t<120?t+240:t-120,n,r),this.opacity)},clamp(){return new ni(oi(this.h),ai(this.s),ai(this.l),Ke(this.opacity))},displayable(){return(0<=this.s&&this.s<=1||isNaN(this.s))&&0<=this.l&&this.l<=1&&0<=this.opacity&&this.opacity<=1},formatHsl(){const t=Ke(this.opacity);return`${1===t?"hsl(":"hsla("}${oi(this.h)}, ${100*ai(this.s)}%, ${100*ai(this.l)}%${1===t?")":`, ${t})`}`}}));const ci=t=>()=>t;function hi(t,e){return function(i){return t+i*e}}function ui(t){return 1==(t=+t)?di:function(e,i){return i-e?function(t,e,i){return t=Math.pow(t,i),e=Math.pow(e,i)-t,i=1/i,function(r){return Math.pow(t+r*e,i)}}(e,i,t):ci(isNaN(e)?i:e)}}function di(t,e){var i=e-t;return i?hi(t,i):ci(isNaN(t)?e:t)}const fi=function t(e){var i=ui(e);function r(t,e){var r=i((t=Ge(t)).r,(e=Ge(e)).r),n=i(t.g,e.g),o=i(t.b,e.b),a=di(t.opacity,e.opacity);return function(e){return t.r=r(e),t.g=n(e),t.b=o(e),t.opacity=a(e),t+""}}return r.gamma=t,r}(1);function pi(t){return function(e){var i,r,n=e.length,o=new Array(n),a=new Array(n),s=new Array(n);for(i=0;i<n;++i)r=Ge(e[i]),o[i]=r.r||0,a[i]=r.g||0,s[i]=r.b||0;return o=t(o),a=t(a),s=t(s),r.opacity=1,function(t){return r.r=o(t),r.g=a(t),r.b=s(t),r+""}}}pi((function(t){var e=t.length-1;return function(i){var r=i<=0?i=0:i>=1?(i=1,e-1):Math.floor(i*e),n=t[r],o=t[r+1],a=r>0?t[r-1]:2*n-o,s=r<e-1?t[r+2]:2*o-n;return li((i-r/e)*e,a,n,o,s)}})),pi((function(t){var e=t.length;return function(i){var r=Math.floor(((i%=1)<0?++i:i)*e),n=t[(r+e-1)%e],o=t[r%e],a=t[(r+1)%e],s=t[(r+2)%e];return li((i-r/e)*e,n,o,a,s)}}));var gi=/[-+]?(?:\d+\.?\d*|\.?\d+)(?:[eE][-+]?\d+)?/g,mi=new RegExp(gi.source,"g");function yi(t,e){var i,r,n,o=gi.lastIndex=mi.lastIndex=0,a=-1,s=[],l=[];for(t+="",e+="";(i=gi.exec(t))&&(r=mi.exec(e));)(n=r.index)>o&&(n=e.slice(o,n),s[a]?s[a]+=n:s[++a]=n),(i=i[0])===(r=r[0])?s[a]?s[a]+=r:s[++a]=r:(s[++a]=null,l.push({i:a,x:me(i,r)})),o=mi.lastIndex;return o<e.length&&(n=e.slice(o),s[a]?s[a]+=n:s[++a]=n),s.length<2?l[0]?function(t){return function(e){return t(e)+""}}(l[0].x):function(t){return function(){return t}}(e):(e=l.length,function(t){for(var i,r=0;r<e;++r)s[(i=l[r]).i]=i.x(t);return s.join("")})}function xi(t,e){var i;return("number"==typeof e?me:e instanceof We?fi:(i=We(e))?(e=i,fi):yi)(t,e)}function bi(t){return function(){this.removeAttribute(t)}}function Ci(t){return function(){this.removeAttributeNS(t.space,t.local)}}function _i(t,e,i){var r,n,o=i+"";return function(){var a=this.getAttribute(t);return a===o?null:a===r?n:n=e(r=a,i)}}function vi(t,e,i){var r,n,o=i+"";return function(){var a=this.getAttributeNS(t.space,t.local);return a===o?null:a===r?n:n=e(r=a,i)}}function ki(t,e,i){var r,n,o;return function(){var a,s,l=i(this);if(null!=l)return(a=this.getAttribute(t))===(s=l+"")?null:a===r&&s===n?o:(n=s,o=e(r=a,l));this.removeAttribute(t)}}function Ti(t,e,i){var r,n,o;return function(){var a,s,l=i(this);if(null!=l)return(a=this.getAttributeNS(t.space,t.local))===(s=l+"")?null:a===r&&s===n?o:(n=s,o=e(r=a,l));this.removeAttributeNS(t.space,t.local)}}function wi(t,e){var i,r;function n(){var n=e.apply(this,arguments);return n!==r&&(i=(r=n)&&function(t,e){return function(i){this.setAttributeNS(t.space,t.local,e.call(this,i))}}(t,n)),i}return n._value=e,n}function Si(t,e){var i,r;function n(){var n=e.apply(this,arguments);return n!==r&&(i=(r=n)&&function(t,e){return function(i){this.setAttribute(t,e.call(this,i))}}(t,n)),i}return n._value=e,n}function Bi(t,e){return function(){fe(this,t).delay=+e.apply(this,arguments)}}function Fi(t,e){return e=+e,function(){fe(this,t).delay=e}}function Li(t,e){return function(){pe(this,t).duration=+e.apply(this,arguments)}}function Ai(t,e){return e=+e,function(){pe(this,t).duration=e}}var Mi=Mt.prototype.constructor;function Ei(t){return function(){this.style.removeProperty(t)}}var Ni=0;function Zi(t,e,i,r){this._groups=t,this._parents=e,this._name=i,this._id=r}function ji(){return++Ni}var Ii=Mt.prototype;Zi.prototype=function(t){return Mt().transition(t)}.prototype={constructor:Zi,select:function(t){var e=this._name,i=this._id;"function"!=typeof t&&(t=C(t));for(var r=this._groups,n=r.length,o=new Array(n),a=0;a<n;++a)for(var s,l,c=r[a],h=c.length,u=o[a]=new Array(h),d=0;d<h;++d)(s=c[d])&&(l=t.call(s,s.__data__,d,c))&&("__data__"in s&&(l.__data__=s.__data__),u[d]=l,de(u[d],e,i,d,u,ge(s,i)));return new Zi(o,this._parents,e,i)},selectAll:function(t){var e=this._name,i=this._id;"function"!=typeof t&&(t=k(t));for(var r=this._groups,n=r.length,o=[],a=[],s=0;s<n;++s)for(var l,c=r[s],h=c.length,u=0;u<h;++u)if(l=c[u]){for(var d,f=t.call(l,l.__data__,u,c),p=ge(l,i),g=0,m=f.length;g<m;++g)(d=f[g])&&de(d,e,i,g,f,p);o.push(f),a.push(l)}return new Zi(o,a,e,i)},selectChild:Ii.selectChild,selectChildren:Ii.selectChildren,filter:function(t){"function"!=typeof t&&(t=T(t));for(var e=this._groups,i=e.length,r=new Array(i),n=0;n<i;++n)for(var o,a=e[n],s=a.length,l=r[n]=[],c=0;c<s;++c)(o=a[c])&&t.call(o,o.__data__,c,a)&&l.push(o);return new Zi(r,this._parents,this._name,this._id)},merge:function(t){if(t._id!==this._id)throw new Error;for(var e=this._groups,i=t._groups,r=e.length,n=i.length,o=Math.min(r,n),a=new Array(r),s=0;s<o;++s)for(var l,c=e[s],h=i[s],u=c.length,d=a[s]=new Array(u),f=0;f<u;++f)(l=c[f]||h[f])&&(d[f]=l);for(;s<r;++s)a[s]=e[s];return new Zi(a,this._parents,this._name,this._id)},selection:function(){return new Mi(this._groups,this._parents)},transition:function(){for(var t=this._name,e=this._id,i=ji(),r=this._groups,n=r.length,o=0;o<n;++o)for(var a,s=r[o],l=s.length,c=0;c<l;++c)if(a=s[c]){var h=ge(a,e);de(a,t,i,c,s,{time:h.time+h.delay+h.duration,delay:0,duration:h.duration,ease:h.ease})}return new Zi(r,this._parents,t,i)},call:Ii.call,nodes:Ii.nodes,node:Ii.node,size:Ii.size,empty:Ii.empty,each:Ii.each,on:function(t,e){var i=this._id;return arguments.length<2?ge(this.node(),i).on.on(t):this.each(function(t,e,i){var r,n,o=function(t){return(t+"").trim().split(/^|\s+/).every((function(t){var e=t.indexOf(".");return e>=0&&(t=t.slice(0,e)),!t||"start"===t}))}(e)?fe:pe;return function(){var a=o(this,t),s=a.on;s!==r&&(n=(r=s).copy()).on(e,i),a.on=n}}(i,t,e))},attr:function(t,e){var i=q(t),r="transform"===i?ke:xi;return this.attrTween(t,"function"==typeof e?(i.local?Ti:ki)(i,r,Se(this,"attr."+t,e)):null==e?(i.local?Ci:bi)(i):(i.local?vi:_i)(i,r,e))},attrTween:function(t,e){var i="attr."+t;if(arguments.length<2)return(i=this.tween(i))&&i._value;if(null==e)return this.tween(i,null);if("function"!=typeof e)throw new Error;var r=q(t);return this.tween(i,(r.local?wi:Si)(r,e))},style:function(t,e,i){var r="transform"==(t+="")?ve:xi;return null==e?this.styleTween(t,function(t,e){var i,r,n;return function(){var o=X(this,t),a=(this.style.removeProperty(t),X(this,t));return o===a?null:o===i&&a===r?n:n=e(i=o,r=a)}}(t,r)).on("end.style."+t,Ei(t)):"function"==typeof e?this.styleTween(t,function(t,e,i){var r,n,o;return function(){var a=X(this,t),s=i(this),l=s+"";return null==s&&(this.style.removeProperty(t),l=s=X(this,t)),a===l?null:a===r&&l===n?o:(n=l,o=e(r=a,s))}}(t,r,Se(this,"style."+t,e))).each(function(t,e){var i,r,n,o,a="style."+e,s="end."+a;return function(){var l=pe(this,t),c=l.on,h=null==l.value[a]?o||(o=Ei(e)):void 0;c===i&&n===h||(r=(i=c).copy()).on(s,n=h),l.on=r}}(this._id,t)):this.styleTween(t,function(t,e,i){var r,n,o=i+"";return function(){var a=X(this,t);return a===o?null:a===r?n:n=e(r=a,i)}}(t,r,e),i).on("end.style."+t,null)},styleTween:function(t,e,i){var r="style."+(t+="");if(arguments.length<2)return(r=this.tween(r))&&r._value;if(null==e)return this.tween(r,null);if("function"!=typeof e)throw new Error;return this.tween(r,function(t,e,i){var r,n;function o(){var o=e.apply(this,arguments);return o!==n&&(r=(n=o)&&function(t,e,i){return function(r){this.style.setProperty(t,e.call(this,r),i)}}(t,o,i)),r}return o._value=e,o}(t,e,null==i?"":i))},text:function(t){return this.tween("text","function"==typeof t?function(t){return function(){var e=t(this);this.textContent=null==e?"":e}}(Se(this,"text",t)):function(t){return function(){this.textContent=t}}(null==t?"":t+""))},textTween:function(t){var e="text";if(arguments.length<1)return(e=this.tween(e))&&e._value;if(null==t)return this.tween(e,null);if("function"!=typeof t)throw new Error;return this.tween(e,function(t){var e,i;function r(){var r=t.apply(this,arguments);return r!==i&&(e=(i=r)&&function(t){return function(e){this.textContent=t.call(this,e)}}(r)),e}return r._value=t,r}(t))},remove:function(){return this.on("end.remove",function(t){return function(){var e=this.parentNode;for(var i in this.__transition)if(+i!==t)return;e&&e.removeChild(this)}}(this._id))},tween:function(t,e){var i=this._id;if(t+="",arguments.length<2){for(var r,n=ge(this.node(),i).tween,o=0,a=n.length;o<a;++o)if((r=n[o]).name===t)return r.value;return null}return this.each((null==e?Te:we)(i,t,e))},delay:function(t){var e=this._id;return arguments.length?this.each(("function"==typeof t?Bi:Fi)(e,t)):ge(this.node(),e).delay},duration:function(t){var e=this._id;return arguments.length?this.each(("function"==typeof t?Li:Ai)(e,t)):ge(this.node(),e).duration},ease:function(t){var e=this._id;return arguments.length?this.each(function(t,e){if("function"!=typeof e)throw new Error;return function(){pe(this,t).ease=e}}(e,t)):ge(this.node(),e).ease},easeVarying:function(t){if("function"!=typeof t)throw new Error;return this.each(function(t,e){return function(){var i=e.apply(this,arguments);if("function"!=typeof i)throw new Error;pe(this,t).ease=i}}(this._id,t))},end:function(){var t,e,i=this,r=i._id,n=i.size();return new Promise((function(o,a){var s={value:a},l={value:function(){0==--n&&o()}};i.each((function(){var i=pe(this,r),n=i.on;n!==t&&((e=(t=n).copy())._.cancel.push(s),e._.interrupt.push(s),e._.end.push(l)),i.on=e})),0===n&&o()}))},[Symbol.iterator]:Ii[Symbol.iterator]};var Oi={time:null,delay:0,duration:250,ease:function(t){return((t*=2)<=1?t*t*t:(t-=2)*t*t+2)/2}};function Di(t,e){for(var i;!(i=t.__transition)||!(i=i[e]);)if(!(t=t.parentNode))throw new Error(`transition ${e} not found`);return i}Mt.prototype.interrupt=function(t){return this.each((function(){!function(t,e){var i,r,n,o=t.__transition,a=!0;if(o){for(n in e=null==e?null:e+"",o)(i=o[n]).name===e?(r=i.state>se&&i.state<he,i.state=ue,i.timer.stop(),i.on.call(r?"interrupt":"cancel",t,t.__data__,i.index,i.group),delete o[n]):a=!1;a&&delete t.__transition}}(this,t)}))},Mt.prototype.transition=function(t){var e,i;t instanceof Zi?(e=t._id,t=t._name):(e=ji(),(i=Oi).time=Gt(),t=null==t?null:t+"");for(var r=this._groups,n=r.length,o=0;o<n;++o)for(var a,s=r[o],l=s.length,c=0;c<l;++c)(a=s[c])&&de(a,t,e,c,s,i||Di(a,e));return new Zi(r,this._parents,t,e)};const{abs:qi,max:$i,min:zi}=Math;function Pi(t){return[+t[0],+t[1]]}function Ri(t){return[Pi(t[0]),Pi(t[1])]}["w","e"].map(Hi),["n","s"].map(Hi),["n","w","e","s","nw","ne","sw","se"].map(Hi);function Hi(t){return{type:t}}function Wi(t){if(!t.ok)throw new Error(t.status+" "+t.statusText);return t.text()}function Ui(t){return(e,i)=>function(t,e){return fetch(t,e).then(Wi)}(e,i).then((e=>(new DOMParser).parseFromString(e,t)))}Ui("application/xml");Ui("text/html");var Yi=Ui("image/svg+xml");const Vi=Math.PI/180,Gi=180/Math.PI,Xi=.96422,Ji=1,Qi=.82521,Ki=4/29,tr=6/29,er=3*tr*tr,ir=tr*tr*tr;function rr(t){if(t instanceof nr)return new nr(t.l,t.a,t.b,t.opacity);if(t instanceof ur)return dr(t);t instanceof Xe||(t=Ve(t));var e,i,r=lr(t.r),n=lr(t.g),o=lr(t.b),a=or((.2225045*r+.7168786*n+.0606169*o)/Ji);return r===n&&n===o?e=i=a:(e=or((.4360747*r+.3850649*n+.1430804*o)/Xi),i=or((.0139322*r+.0971045*n+.7141733*o)/Qi)),new nr(116*a-16,500*(e-a),200*(a-i),t.opacity)}function nr(t,e,i,r){this.l=+t,this.a=+e,this.b=+i,this.opacity=+r}function or(t){return t>ir?Math.pow(t,1/3):t/er+Ki}function ar(t){return t>tr?t*t*t:er*(t-Ki)}function sr(t){return 255*(t<=.0031308?12.92*t:1.055*Math.pow(t,1/2.4)-.055)}function lr(t){return(t/=255)<=.04045?t/12.92:Math.pow((t+.055)/1.055,2.4)}function cr(t){if(t instanceof ur)return new ur(t.h,t.c,t.l,t.opacity);if(t instanceof nr||(t=rr(t)),0===t.a&&0===t.b)return new ur(NaN,0<t.l&&t.l<100?0:NaN,t.l,t.opacity);var e=Math.atan2(t.b,t.a)*Gi;return new ur(e<0?e+360:e,Math.sqrt(t.a*t.a+t.b*t.b),t.l,t.opacity)}function hr(t,e,i,r){return 1===arguments.length?cr(t):new ur(t,e,i,null==r?1:r)}function ur(t,e,i,r){this.h=+t,this.c=+e,this.l=+i,this.opacity=+r}function dr(t){if(isNaN(t.h))return new nr(t.l,0,0,t.opacity);var e=t.h*Vi;return new nr(t.l,Math.cos(e)*t.c,Math.sin(e)*t.c,t.opacity)}function fr(t){return function(e,i){var r=t((e=hr(e)).h,(i=hr(i)).h),n=di(e.c,i.c),o=di(e.l,i.l),a=di(e.opacity,i.opacity);return function(t){return e.h=r(t),e.c=n(t),e.l=o(t),e.opacity=a(t),e+""}}}Be(nr,(function(t,e,i,r){return 1===arguments.length?rr(t):new nr(t,e,i,null==r?1:r)}),Fe(Le,{brighter(t){return new nr(this.l+18*(null==t?1:t),this.a,this.b,this.opacity)},darker(t){return new nr(this.l-18*(null==t?1:t),this.a,this.b,this.opacity)},rgb(){var t=(this.l+16)/116,e=isNaN(this.a)?t:t+this.a/500,i=isNaN(this.b)?t:t-this.b/200;return new Xe(sr(3.1338561*(e=Xi*ar(e))-1.6168667*(t=Ji*ar(t))-.4906146*(i=Qi*ar(i))),sr(-.9787684*e+1.9161415*t+.033454*i),sr(.0719453*e-.2289914*t+1.4052427*i),this.opacity)}})),Be(ur,hr,Fe(Le,{brighter(t){return new ur(this.h,this.c,this.l+18*(null==t?1:t),this.opacity)},darker(t){return new ur(this.h,this.c,this.l-18*(null==t?1:t),this.opacity)},rgb(){return dr(this).rgb()}}));const pr=fr((function(t,e){var i=e-t;return i?hi(t,i>180||i<-180?i-360*Math.round(i/360):i):ci(isNaN(t)?e:t)}));fr(di);function gr(t,e){switch(arguments.length){case 0:break;case 1:this.range(t);break;default:this.range(e).domain(t)}return this}class mr extends Map{constructor(t,e=Cr){if(super(),Object.defineProperties(this,{_intern:{value:new Map},_key:{value:e}}),null!=t)for(const[i,r]of t)this.set(i,r)}get(t){return super.get(yr(this,t))}has(t){return super.has(yr(this,t))}set(t,e){return super.set(xr(this,t),e)}delete(t){return super.delete(br(this,t))}}function yr({_intern:t,_key:e},i){const r=e(i);return t.has(r)?t.get(r):i}function xr({_intern:t,_key:e},i){const r=e(i);return t.has(r)?t.get(r):(t.set(r,i),i)}function br({_intern:t,_key:e},i){const r=e(i);return t.has(r)&&(i=t.get(r),t.delete(r)),i}function Cr(t){return null!==t&&"object"==typeof t?t.valueOf():t}const _r=Symbol("implicit");function vr(){var t=new mr,e=[],i=[],r=_r;function n(n){let o=t.get(n);if(void 0===o){if(r!==_r)return r;t.set(n,o=e.push(n)-1)}return i[o%i.length]}return n.domain=function(i){if(!arguments.length)return e.slice();e=[],t=new mr;for(const r of i)t.has(r)||t.set(r,e.push(r)-1);return n},n.range=function(t){return arguments.length?(i=Array.from(t),n):i.slice()},n.unknown=function(t){return arguments.length?(r=t,n):r},n.copy=function(){return vr(e,i).unknown(r)},gr.apply(n,arguments),n}function kr(){var t,e,i=vr().unknown(void 0),r=i.domain,n=i.range,o=0,a=1,s=!1,l=0,c=0,h=.5;function u(){var i=r().length,u=a<o,d=u?a:o,f=u?o:a;t=(f-d)/Math.max(1,i-l+2*c),s&&(t=Math.floor(t)),d+=(f-d-t*(i-l))*h,e=t*(1-l),s&&(d=Math.round(d),e=Math.round(e));var p=function(t,e,i){t=+t,e=+e,i=(n=arguments.length)<2?(e=t,t=0,1):n<3?1:+i;for(var r=-1,n=0|Math.max(0,Math.ceil((e-t)/i)),o=new Array(n);++r<n;)o[r]=t+r*i;return o}(i).map((function(e){return d+t*e}));return n(u?p.reverse():p)}return delete i.unknown,i.domain=function(t){return arguments.length?(r(t),u()):r()},i.range=function(t){return arguments.length?([o,a]=t,o=+o,a=+a,u()):[o,a]},i.rangeRound=function(t){return[o,a]=t,o=+o,a=+a,s=!0,u()},i.bandwidth=function(){return e},i.step=function(){return t},i.round=function(t){return arguments.length?(s=!!t,u()):s},i.padding=function(t){return arguments.length?(l=Math.min(1,c=+t),u()):l},i.paddingInner=function(t){return arguments.length?(l=Math.min(1,t),u()):l},i.paddingOuter=function(t){return arguments.length?(c=+t,u()):c},i.align=function(t){return arguments.length?(h=Math.max(0,Math.min(1,t)),u()):h},i.copy=function(){return kr(r(),[o,a]).round(s).paddingInner(l).paddingOuter(c).align(h)},gr.apply(u(),arguments)}const Tr=Math.sqrt(50),wr=Math.sqrt(10),Sr=Math.sqrt(2);function Br(t,e,i){const r=(e-t)/Math.max(0,i),n=Math.floor(Math.log10(r)),o=r/Math.pow(10,n),a=o>=Tr?10:o>=wr?5:o>=Sr?2:1;let s,l,c;return n<0?(c=Math.pow(10,-n)/a,s=Math.round(t*c),l=Math.round(e*c),s/c<t&&++s,l/c>e&&--l,c=-c):(c=Math.pow(10,n)*a,s=Math.round(t/c),l=Math.round(e/c),s*c<t&&++s,l*c>e&&--l),l<s&&.5<=i&&i<2?Br(t,e,2*i):[s,l,c]}function Fr(t,e,i){return Br(t=+t,e=+e,i=+i)[2]}function Lr(t,e,i){i=+i;const r=(e=+e)<(t=+t),n=r?Fr(e,t,i):Fr(t,e,i);return(r?-1:1)*(n<0?1/-n:n)}function Ar(t,e){return null==t||null==e?NaN:t<e?-1:t>e?1:t>=e?0:NaN}function Mr(t,e){return null==t||null==e?NaN:e<t?-1:e>t?1:e>=t?0:NaN}function Er(t){let e,i,r;function n(t,r,n=0,o=t.length){if(n<o){if(0!==e(r,r))return o;do{const e=n+o>>>1;i(t[e],r)<0?n=e+1:o=e}while(n<o)}return n}return 2!==t.length?(e=Ar,i=(e,i)=>Ar(t(e),i),r=(e,i)=>t(e)-i):(e=t===Ar||t===Mr?t:Nr,i=t,r=t),{left:n,center:function(t,e,i=0,o=t.length){const a=n(t,e,i,o-1);return a>i&&r(t[a-1],e)>-r(t[a],e)?a-1:a},right:function(t,r,n=0,o=t.length){if(n<o){if(0!==e(r,r))return o;do{const e=n+o>>>1;i(t[e],r)<=0?n=e+1:o=e}while(n<o)}return n}}}function Nr(){return 0}const Zr=Er(Ar),jr=Zr.right,Ir=(Zr.left,Er((function(t){return null===t?NaN:+t})).center,jr);function Or(t,e){var i,r=e?e.length:0,n=t?Math.min(r,t.length):0,o=new Array(n),a=new Array(r);for(i=0;i<n;++i)o[i]=zr(t[i],e[i]);for(;i<r;++i)a[i]=e[i];return function(t){for(i=0;i<n;++i)a[i]=o[i](t);return a}}function Dr(t,e){var i=new Date;return t=+t,e=+e,function(r){return i.setTime(t*(1-r)+e*r),i}}function qr(t,e){var i,r={},n={};for(i in null!==t&&"object"==typeof t||(t={}),null!==e&&"object"==typeof e||(e={}),e)i in t?r[i]=zr(t[i],e[i]):n[i]=e[i];return function(t){for(i in r)n[i]=r[i](t);return n}}function $r(t,e){e||(e=[]);var i,r=t?Math.min(e.length,t.length):0,n=e.slice();return function(o){for(i=0;i<r;++i)n[i]=t[i]*(1-o)+e[i]*o;return n}}function zr(t,e){var i,r,n=typeof e;return null==e||"boolean"===n?ci(e):("number"===n?me:"string"===n?(i=We(e))?(e=i,fi):yi:e instanceof We?fi:e instanceof Date?Dr:(r=e,!ArrayBuffer.isView(r)||r instanceof DataView?Array.isArray(e)?Or:"function"!=typeof e.valueOf&&"function"!=typeof e.toString||isNaN(e)?qr:me:$r))(t,e)}function Pr(t,e){return t=+t,e=+e,function(i){return Math.round(t*(1-i)+e*i)}}function Rr(t){return+t}var Hr=[0,1];function Wr(t){return t}function Ur(t,e){return(e-=t=+t)?function(i){return(i-t)/e}:(i=isNaN(e)?NaN:.5,function(){return i});var i}function Yr(t,e,i){var r=t[0],n=t[1],o=e[0],a=e[1];return n<r?(r=Ur(n,r),o=i(a,o)):(r=Ur(r,n),o=i(o,a)),function(t){return o(r(t))}}function Vr(t,e,i){var r=Math.min(t.length,e.length)-1,n=new Array(r),o=new Array(r),a=-1;for(t[r]<t[0]&&(t=t.slice().reverse(),e=e.slice().reverse());++a<r;)n[a]=Ur(t[a],t[a+1]),o[a]=i(e[a],e[a+1]);return function(e){var i=Ir(t,e,1,r)-1;return o[i](n[i](e))}}function Gr(t,e){return e.domain(t.domain()).range(t.range()).interpolate(t.interpolate()).clamp(t.clamp()).unknown(t.unknown())}function Xr(){var t,e,i,r,n,o,a=Hr,s=Hr,l=zr,c=Wr;function h(){var t,e,i,l=Math.min(a.length,s.length);return c!==Wr&&(t=a[0],e=a[l-1],t>e&&(i=t,t=e,e=i),c=function(i){return Math.max(t,Math.min(e,i))}),r=l>2?Vr:Yr,n=o=null,u}function u(e){return null==e||isNaN(e=+e)?i:(n||(n=r(a.map(t),s,l)))(t(c(e)))}return u.invert=function(i){return c(e((o||(o=r(s,a.map(t),me)))(i)))},u.domain=function(t){return arguments.length?(a=Array.from(t,Rr),h()):a.slice()},u.range=function(t){return arguments.length?(s=Array.from(t),h()):s.slice()},u.rangeRound=function(t){return s=Array.from(t),l=Pr,h()},u.clamp=function(t){return arguments.length?(c=!!t||Wr,h()):c!==Wr},u.interpolate=function(t){return arguments.length?(l=t,h()):l},u.unknown=function(t){return arguments.length?(i=t,u):i},function(i,r){return t=i,e=r,h()}}function Jr(){return Xr()(Wr,Wr)}var Qr,Kr=/^(?:(.)?([<>=^]))?([+\-( ])?([$#])?(0)?(\d+)?(,)?(\.\d+)?(~)?([a-z%])?$/i;function tn(t){if(!(e=Kr.exec(t)))throw new Error("invalid format: "+t);var e;return new en({fill:e[1],align:e[2],sign:e[3],symbol:e[4],zero:e[5],width:e[6],comma:e[7],precision:e[8]&&e[8].slice(1),trim:e[9],type:e[10]})}function en(t){this.fill=void 0===t.fill?" ":t.fill+"",this.align=void 0===t.align?">":t.align+"",this.sign=void 0===t.sign?"-":t.sign+"",this.symbol=void 0===t.symbol?"":t.symbol+"",this.zero=!!t.zero,this.width=void 0===t.width?void 0:+t.width,this.comma=!!t.comma,this.precision=void 0===t.precision?void 0:+t.precision,this.trim=!!t.trim,this.type=void 0===t.type?"":t.type+""}function rn(t,e){if((i=(t=e?t.toExponential(e-1):t.toExponential()).indexOf("e"))<0)return null;var i,r=t.slice(0,i);return[r.length>1?r[0]+r.slice(2):r,+t.slice(i+1)]}function nn(t){return(t=rn(Math.abs(t)))?t[1]:NaN}function on(t,e){var i=rn(t,e);if(!i)return t+"";var r=i[0],n=i[1];return n<0?"0."+new Array(-n).join("0")+r:r.length>n+1?r.slice(0,n+1)+"."+r.slice(n+1):r+new Array(n-r.length+2).join("0")}tn.prototype=en.prototype,en.prototype.toString=function(){return this.fill+this.align+this.sign+this.symbol+(this.zero?"0":"")+(void 0===this.width?"":Math.max(1,0|this.width))+(this.comma?",":"")+(void 0===this.precision?"":"."+Math.max(0,0|this.precision))+(this.trim?"~":"")+this.type};const an={"%":(t,e)=>(100*t).toFixed(e),b:t=>Math.round(t).toString(2),c:t=>t+"",d:function(t){return Math.abs(t=Math.round(t))>=1e21?t.toLocaleString("en").replace(/,/g,""):t.toString(10)},e:(t,e)=>t.toExponential(e),f:(t,e)=>t.toFixed(e),g:(t,e)=>t.toPrecision(e),o:t=>Math.round(t).toString(8),p:(t,e)=>on(100*t,e),r:on,s:function(t,e){var i=rn(t,e);if(!i)return t+"";var r=i[0],n=i[1],o=n-(Qr=3*Math.max(-8,Math.min(8,Math.floor(n/3))))+1,a=r.length;return o===a?r:o>a?r+new Array(o-a+1).join("0"):o>0?r.slice(0,o)+"."+r.slice(o):"0."+new Array(1-o).join("0")+rn(t,Math.max(0,e+o-1))[0]},X:t=>Math.round(t).toString(16).toUpperCase(),x:t=>Math.round(t).toString(16)};function sn(t){return t}var ln,cn,hn,un=Array.prototype.map,dn=["y","z","a","f","p","n","\xb5","m","","k","M","G","T","P","E","Z","Y"];function fn(t){var e,i,r=void 0===t.grouping||void 0===t.thousands?sn:(e=un.call(t.grouping,Number),i=t.thousands+"",function(t,r){for(var n=t.length,o=[],a=0,s=e[0],l=0;n>0&&s>0&&(l+s+1>r&&(s=Math.max(1,r-l)),o.push(t.substring(n-=s,n+s)),!((l+=s+1)>r));)s=e[a=(a+1)%e.length];return o.reverse().join(i)}),n=void 0===t.currency?"":t.currency[0]+"",o=void 0===t.currency?"":t.currency[1]+"",a=void 0===t.decimal?".":t.decimal+"",s=void 0===t.numerals?sn:function(t){return function(e){return e.replace(/[0-9]/g,(function(e){return t[+e]}))}}(un.call(t.numerals,String)),l=void 0===t.percent?"%":t.percent+"",c=void 0===t.minus?"\u2212":t.minus+"",h=void 0===t.nan?"NaN":t.nan+"";function u(t){var e=(t=tn(t)).fill,i=t.align,u=t.sign,d=t.symbol,f=t.zero,p=t.width,g=t.comma,m=t.precision,y=t.trim,x=t.type;"n"===x?(g=!0,x="g"):an[x]||(void 0===m&&(m=12),y=!0,x="g"),(f||"0"===e&&"="===i)&&(f=!0,e="0",i="=");var b="$"===d?n:"#"===d&&/[boxX]/.test(x)?"0"+x.toLowerCase():"",C="$"===d?o:/[%p]/.test(x)?l:"",_=an[x],v=/[defgprs%]/.test(x);function k(t){var n,o,l,d=b,k=C;if("c"===x)k=_(t)+k,t="";else{var T=(t=+t)<0||1/t<0;if(t=isNaN(t)?h:_(Math.abs(t),m),y&&(t=function(t){t:for(var e,i=t.length,r=1,n=-1;r<i;++r)switch(t[r]){case".":n=e=r;break;case"0":0===n&&(n=r),e=r;break;default:if(!+t[r])break t;n>0&&(n=0)}return n>0?t.slice(0,n)+t.slice(e+1):t}(t)),T&&0==+t&&"+"!==u&&(T=!1),d=(T?"("===u?u:c:"-"===u||"("===u?"":u)+d,k=("s"===x?dn[8+Qr/3]:"")+k+(T&&"("===u?")":""),v)for(n=-1,o=t.length;++n<o;)if(48>(l=t.charCodeAt(n))||l>57){k=(46===l?a+t.slice(n+1):t.slice(n))+k,t=t.slice(0,n);break}}g&&!f&&(t=r(t,1/0));var w=d.length+t.length+k.length,S=w<p?new Array(p-w+1).join(e):"";switch(g&&f&&(t=r(S+t,S.length?p-k.length:1/0),S=""),i){case"<":t=d+t+k+S;break;case"=":t=d+S+t+k;break;case"^":t=S.slice(0,w=S.length>>1)+d+t+k+S.slice(w);break;default:t=S+d+t+k}return s(t)}return m=void 0===m?6:/[gprs]/.test(x)?Math.max(1,Math.min(21,m)):Math.max(0,Math.min(20,m)),k.toString=function(){return t+""},k}return{format:u,formatPrefix:function(t,e){var i=u(((t=tn(t)).type="f",t)),r=3*Math.max(-8,Math.min(8,Math.floor(nn(e)/3))),n=Math.pow(10,-r),o=dn[8+r/3];return function(t){return i(n*t)+o}}}}function pn(t,e,i,r){var n,o=Lr(t,e,i);switch((r=tn(null==r?",f":r)).type){case"s":var a=Math.max(Math.abs(t),Math.abs(e));return null!=r.precision||isNaN(n=function(t,e){return Math.max(0,3*Math.max(-8,Math.min(8,Math.floor(nn(e)/3)))-nn(Math.abs(t)))}(o,a))||(r.precision=n),hn(r,a);case"":case"e":case"g":case"p":case"r":null!=r.precision||isNaN(n=function(t,e){return t=Math.abs(t),e=Math.abs(e)-t,Math.max(0,nn(e)-nn(t))+1}(o,Math.max(Math.abs(t),Math.abs(e))))||(r.precision=n-("e"===r.type));break;case"f":case"%":null!=r.precision||isNaN(n=function(t){return Math.max(0,-nn(Math.abs(t)))}(o))||(r.precision=n-2*("%"===r.type))}return cn(r)}function gn(t){var e=t.domain;return t.ticks=function(t){var i=e();return function(t,e,i){if(!((i=+i)>0))return[];if((t=+t)==(e=+e))return[t];const r=e<t,[n,o,a]=r?Br(e,t,i):Br(t,e,i);if(!(o>=n))return[];const s=o-n+1,l=new Array(s);if(r)if(a<0)for(let c=0;c<s;++c)l[c]=(o-c)/-a;else for(let c=0;c<s;++c)l[c]=(o-c)*a;else if(a<0)for(let c=0;c<s;++c)l[c]=(n+c)/-a;else for(let c=0;c<s;++c)l[c]=(n+c)*a;return l}(i[0],i[i.length-1],null==t?10:t)},t.tickFormat=function(t,i){var r=e();return pn(r[0],r[r.length-1],null==t?10:t,i)},t.nice=function(i){null==i&&(i=10);var r,n,o=e(),a=0,s=o.length-1,l=o[a],c=o[s],h=10;for(c<l&&(n=l,l=c,c=n,n=a,a=s,s=n);h-- >0;){if((n=Fr(l,c,i))===r)return o[a]=l,o[s]=c,e(o);if(n>0)l=Math.floor(l/n)*n,c=Math.ceil(c/n)*n;else{if(!(n<0))break;l=Math.ceil(l*n)/n,c=Math.floor(c*n)/n}r=n}return t},t}function mn(){var t=Jr();return t.copy=function(){return Gr(t,mn())},gr.apply(t,arguments),gn(t)}ln=fn({thousands:",",grouping:[3],currency:["$",""]}),cn=ln.format,hn=ln.formatPrefix;const yn=1e3,xn=6e4,bn=36e5,Cn=864e5,_n=6048e5,vn=2592e6,kn=31536e6,Tn=new Date,wn=new Date;function Sn(t,e,i,r){function n(e){return t(e=0===arguments.length?new Date:new Date(+e)),e}return n.floor=e=>(t(e=new Date(+e)),e),n.ceil=i=>(t(i=new Date(i-1)),e(i,1),t(i),i),n.round=t=>{const e=n(t),i=n.ceil(t);return t-e<i-t?e:i},n.offset=(t,i)=>(e(t=new Date(+t),null==i?1:Math.floor(i)),t),n.range=(i,r,o)=>{const a=[];if(i=n.ceil(i),o=null==o?1:Math.floor(o),!(i<r&&o>0))return a;let s;do{a.push(s=new Date(+i)),e(i,o),t(i)}while(s<i&&i<r);return a},n.filter=i=>Sn((e=>{if(e>=e)for(;t(e),!i(e);)e.setTime(e-1)}),((t,r)=>{if(t>=t)if(r<0)for(;++r<=0;)for(;e(t,-1),!i(t););else for(;--r>=0;)for(;e(t,1),!i(t););})),i&&(n.count=(e,r)=>(Tn.setTime(+e),wn.setTime(+r),t(Tn),t(wn),Math.floor(i(Tn,wn))),n.every=t=>(t=Math.floor(t),isFinite(t)&&t>0?t>1?n.filter(r?e=>r(e)%t==0:e=>n.count(0,e)%t==0):n:null)),n}const Bn=Sn((()=>{}),((t,e)=>{t.setTime(+t+e)}),((t,e)=>e-t));Bn.every=t=>(t=Math.floor(t),isFinite(t)&&t>0?t>1?Sn((e=>{e.setTime(Math.floor(e/t)*t)}),((e,i)=>{e.setTime(+e+i*t)}),((e,i)=>(i-e)/t)):Bn:null);Bn.range;const Fn=Sn((t=>{t.setTime(t-t.getMilliseconds())}),((t,e)=>{t.setTime(+t+e*yn)}),((t,e)=>(e-t)/yn),(t=>t.getUTCSeconds())),Ln=(Fn.range,Sn((t=>{t.setTime(t-t.getMilliseconds()-t.getSeconds()*yn)}),((t,e)=>{t.setTime(+t+e*xn)}),((t,e)=>(e-t)/xn),(t=>t.getMinutes()))),An=(Ln.range,Sn((t=>{t.setUTCSeconds(0,0)}),((t,e)=>{t.setTime(+t+e*xn)}),((t,e)=>(e-t)/xn),(t=>t.getUTCMinutes()))),Mn=(An.range,Sn((t=>{t.setTime(t-t.getMilliseconds()-t.getSeconds()*yn-t.getMinutes()*xn)}),((t,e)=>{t.setTime(+t+e*bn)}),((t,e)=>(e-t)/bn),(t=>t.getHours()))),En=(Mn.range,Sn((t=>{t.setUTCMinutes(0,0,0)}),((t,e)=>{t.setTime(+t+e*bn)}),((t,e)=>(e-t)/bn),(t=>t.getUTCHours()))),Nn=(En.range,Sn((t=>t.setHours(0,0,0,0)),((t,e)=>t.setDate(t.getDate()+e)),((t,e)=>(e-t-(e.getTimezoneOffset()-t.getTimezoneOffset())*xn)/Cn),(t=>t.getDate()-1))),Zn=(Nn.range,Sn((t=>{t.setUTCHours(0,0,0,0)}),((t,e)=>{t.setUTCDate(t.getUTCDate()+e)}),((t,e)=>(e-t)/Cn),(t=>t.getUTCDate()-1))),jn=(Zn.range,Sn((t=>{t.setUTCHours(0,0,0,0)}),((t,e)=>{t.setUTCDate(t.getUTCDate()+e)}),((t,e)=>(e-t)/Cn),(t=>Math.floor(t/Cn))));jn.range;function In(t){return Sn((e=>{e.setDate(e.getDate()-(e.getDay()+7-t)%7),e.setHours(0,0,0,0)}),((t,e)=>{t.setDate(t.getDate()+7*e)}),((t,e)=>(e-t-(e.getTimezoneOffset()-t.getTimezoneOffset())*xn)/_n))}const On=In(0),Dn=In(1),qn=In(2),$n=In(3),zn=In(4),Pn=In(5),Rn=In(6);On.range,Dn.range,qn.range,$n.range,zn.range,Pn.range,Rn.range;function Hn(t){return Sn((e=>{e.setUTCDate(e.getUTCDate()-(e.getUTCDay()+7-t)%7),e.setUTCHours(0,0,0,0)}),((t,e)=>{t.setUTCDate(t.getUTCDate()+7*e)}),((t,e)=>(e-t)/_n))}const Wn=Hn(0),Un=Hn(1),Yn=Hn(2),Vn=Hn(3),Gn=Hn(4),Xn=Hn(5),Jn=Hn(6),Qn=(Wn.range,Un.range,Yn.range,Vn.range,Gn.range,Xn.range,Jn.range,Sn((t=>{t.setDate(1),t.setHours(0,0,0,0)}),((t,e)=>{t.setMonth(t.getMonth()+e)}),((t,e)=>e.getMonth()-t.getMonth()+12*(e.getFullYear()-t.getFullYear())),(t=>t.getMonth()))),Kn=(Qn.range,Sn((t=>{t.setUTCDate(1),t.setUTCHours(0,0,0,0)}),((t,e)=>{t.setUTCMonth(t.getUTCMonth()+e)}),((t,e)=>e.getUTCMonth()-t.getUTCMonth()+12*(e.getUTCFullYear()-t.getUTCFullYear())),(t=>t.getUTCMonth()))),to=(Kn.range,Sn((t=>{t.setMonth(0,1),t.setHours(0,0,0,0)}),((t,e)=>{t.setFullYear(t.getFullYear()+e)}),((t,e)=>e.getFullYear()-t.getFullYear()),(t=>t.getFullYear())));to.every=t=>isFinite(t=Math.floor(t))&&t>0?Sn((e=>{e.setFullYear(Math.floor(e.getFullYear()/t)*t),e.setMonth(0,1),e.setHours(0,0,0,0)}),((e,i)=>{e.setFullYear(e.getFullYear()+i*t)})):null;to.range;const eo=Sn((t=>{t.setUTCMonth(0,1),t.setUTCHours(0,0,0,0)}),((t,e)=>{t.setUTCFullYear(t.getUTCFullYear()+e)}),((t,e)=>e.getUTCFullYear()-t.getUTCFullYear()),(t=>t.getUTCFullYear()));eo.every=t=>isFinite(t=Math.floor(t))&&t>0?Sn((e=>{e.setUTCFullYear(Math.floor(e.getUTCFullYear()/t)*t),e.setUTCMonth(0,1),e.setUTCHours(0,0,0,0)}),((e,i)=>{e.setUTCFullYear(e.getUTCFullYear()+i*t)})):null;eo.range;function io(t,e,i,r,n,o){const a=[[Fn,1,yn],[Fn,5,5e3],[Fn,15,15e3],[Fn,30,3e4],[o,1,xn],[o,5,3e5],[o,15,9e5],[o,30,18e5],[n,1,bn],[n,3,108e5],[n,6,216e5],[n,12,432e5],[r,1,Cn],[r,2,1728e5],[i,1,_n],[e,1,vn],[e,3,7776e6],[t,1,kn]];function s(e,i,r){const n=Math.abs(i-e)/r,o=Er((([,,t])=>t)).right(a,n);if(o===a.length)return t.every(Lr(e/kn,i/kn,r));if(0===o)return Bn.every(Math.max(Lr(e,i,r),1));const[s,l]=a[n/a[o-1][2]<a[o][2]/n?o-1:o];return s.every(l)}return[function(t,e,i){const r=e<t;r&&([t,e]=[e,t]);const n=i&&"function"==typeof i.range?i:s(t,e,i),o=n?n.range(t,+e+1):[];return r?o.reverse():o},s]}const[ro,no]=io(eo,Kn,Wn,jn,En,An),[oo,ao]=io(to,Qn,On,Nn,Mn,Ln);function so(t){if(0<=t.y&&t.y<100){var e=new Date(-1,t.m,t.d,t.H,t.M,t.S,t.L);return e.setFullYear(t.y),e}return new Date(t.y,t.m,t.d,t.H,t.M,t.S,t.L)}function lo(t){if(0<=t.y&&t.y<100){var e=new Date(Date.UTC(-1,t.m,t.d,t.H,t.M,t.S,t.L));return e.setUTCFullYear(t.y),e}return new Date(Date.UTC(t.y,t.m,t.d,t.H,t.M,t.S,t.L))}function co(t,e,i){return{y:t,m:e,d:i,H:0,M:0,S:0,L:0}}var ho,uo,fo={"-":"",_:" ",0:"0"},po=/^\s*\d+/,go=/^%/,mo=/[\\^$*+?|[\]().{}]/g;function yo(t,e,i){var r=t<0?"-":"",n=(r?-t:t)+"",o=n.length;return r+(o<i?new Array(i-o+1).join(e)+n:n)}function xo(t){return t.replace(mo,"\\$&")}function bo(t){return new RegExp("^(?:"+t.map(xo).join("|")+")","i")}function Co(t){return new Map(t.map(((t,e)=>[t.toLowerCase(),e])))}function _o(t,e,i){var r=po.exec(e.slice(i,i+1));return r?(t.w=+r[0],i+r[0].length):-1}function vo(t,e,i){var r=po.exec(e.slice(i,i+1));return r?(t.u=+r[0],i+r[0].length):-1}function ko(t,e,i){var r=po.exec(e.slice(i,i+2));return r?(t.U=+r[0],i+r[0].length):-1}function To(t,e,i){var r=po.exec(e.slice(i,i+2));return r?(t.V=+r[0],i+r[0].length):-1}function wo(t,e,i){var r=po.exec(e.slice(i,i+2));return r?(t.W=+r[0],i+r[0].length):-1}function So(t,e,i){var r=po.exec(e.slice(i,i+4));return r?(t.y=+r[0],i+r[0].length):-1}function Bo(t,e,i){var r=po.exec(e.slice(i,i+2));return r?(t.y=+r[0]+(+r[0]>68?1900:2e3),i+r[0].length):-1}function Fo(t,e,i){var r=/^(Z)|([+-]\d\d)(?::?(\d\d))?/.exec(e.slice(i,i+6));return r?(t.Z=r[1]?0:-(r[2]+(r[3]||"00")),i+r[0].length):-1}function Lo(t,e,i){var r=po.exec(e.slice(i,i+1));return r?(t.q=3*r[0]-3,i+r[0].length):-1}function Ao(t,e,i){var r=po.exec(e.slice(i,i+2));return r?(t.m=r[0]-1,i+r[0].length):-1}function Mo(t,e,i){var r=po.exec(e.slice(i,i+2));return r?(t.d=+r[0],i+r[0].length):-1}function Eo(t,e,i){var r=po.exec(e.slice(i,i+3));return r?(t.m=0,t.d=+r[0],i+r[0].length):-1}function No(t,e,i){var r=po.exec(e.slice(i,i+2));return r?(t.H=+r[0],i+r[0].length):-1}function Zo(t,e,i){var r=po.exec(e.slice(i,i+2));return r?(t.M=+r[0],i+r[0].length):-1}function jo(t,e,i){var r=po.exec(e.slice(i,i+2));return r?(t.S=+r[0],i+r[0].length):-1}function Io(t,e,i){var r=po.exec(e.slice(i,i+3));return r?(t.L=+r[0],i+r[0].length):-1}function Oo(t,e,i){var r=po.exec(e.slice(i,i+6));return r?(t.L=Math.floor(r[0]/1e3),i+r[0].length):-1}function Do(t,e,i){var r=go.exec(e.slice(i,i+1));return r?i+r[0].length:-1}function qo(t,e,i){var r=po.exec(e.slice(i));return r?(t.Q=+r[0],i+r[0].length):-1}function $o(t,e,i){var r=po.exec(e.slice(i));return r?(t.s=+r[0],i+r[0].length):-1}function zo(t,e){return yo(t.getDate(),e,2)}function Po(t,e){return yo(t.getHours(),e,2)}function Ro(t,e){return yo(t.getHours()%12||12,e,2)}function Ho(t,e){return yo(1+Nn.count(to(t),t),e,3)}function Wo(t,e){return yo(t.getMilliseconds(),e,3)}function Uo(t,e){return Wo(t,e)+"000"}function Yo(t,e){return yo(t.getMonth()+1,e,2)}function Vo(t,e){return yo(t.getMinutes(),e,2)}function Go(t,e){return yo(t.getSeconds(),e,2)}function Xo(t){var e=t.getDay();return 0===e?7:e}function Jo(t,e){return yo(On.count(to(t)-1,t),e,2)}function Qo(t){var e=t.getDay();return e>=4||0===e?zn(t):zn.ceil(t)}function Ko(t,e){return t=Qo(t),yo(zn.count(to(t),t)+(4===to(t).getDay()),e,2)}function ta(t){return t.getDay()}function ea(t,e){return yo(Dn.count(to(t)-1,t),e,2)}function ia(t,e){return yo(t.getFullYear()%100,e,2)}function ra(t,e){return yo((t=Qo(t)).getFullYear()%100,e,2)}function na(t,e){return yo(t.getFullYear()%1e4,e,4)}function oa(t,e){var i=t.getDay();return yo((t=i>=4||0===i?zn(t):zn.ceil(t)).getFullYear()%1e4,e,4)}function aa(t){var e=t.getTimezoneOffset();return(e>0?"-":(e*=-1,"+"))+yo(e/60|0,"0",2)+yo(e%60,"0",2)}function sa(t,e){return yo(t.getUTCDate(),e,2)}function la(t,e){return yo(t.getUTCHours(),e,2)}function ca(t,e){return yo(t.getUTCHours()%12||12,e,2)}function ha(t,e){return yo(1+Zn.count(eo(t),t),e,3)}function ua(t,e){return yo(t.getUTCMilliseconds(),e,3)}function da(t,e){return ua(t,e)+"000"}function fa(t,e){return yo(t.getUTCMonth()+1,e,2)}function pa(t,e){return yo(t.getUTCMinutes(),e,2)}function ga(t,e){return yo(t.getUTCSeconds(),e,2)}function ma(t){var e=t.getUTCDay();return 0===e?7:e}function ya(t,e){return yo(Wn.count(eo(t)-1,t),e,2)}function xa(t){var e=t.getUTCDay();return e>=4||0===e?Gn(t):Gn.ceil(t)}function ba(t,e){return t=xa(t),yo(Gn.count(eo(t),t)+(4===eo(t).getUTCDay()),e,2)}function Ca(t){return t.getUTCDay()}function _a(t,e){return yo(Un.count(eo(t)-1,t),e,2)}function va(t,e){return yo(t.getUTCFullYear()%100,e,2)}function ka(t,e){return yo((t=xa(t)).getUTCFullYear()%100,e,2)}function Ta(t,e){return yo(t.getUTCFullYear()%1e4,e,4)}function wa(t,e){var i=t.getUTCDay();return yo((t=i>=4||0===i?Gn(t):Gn.ceil(t)).getUTCFullYear()%1e4,e,4)}function Sa(){return"+0000"}function Ba(){return"%"}function Fa(t){return+t}function La(t){return Math.floor(+t/1e3)}function Aa(t){return new Date(t)}function Ma(t){return t instanceof Date?+t:+new Date(+t)}function Ea(t,e,i,r,n,o,a,s,l,c){var h=Jr(),u=h.invert,d=h.domain,f=c(".%L"),p=c(":%S"),g=c("%I:%M"),m=c("%I %p"),y=c("%a %d"),x=c("%b %d"),b=c("%B"),C=c("%Y");function _(t){return(l(t)<t?f:s(t)<t?p:a(t)<t?g:o(t)<t?m:r(t)<t?n(t)<t?y:x:i(t)<t?b:C)(t)}return h.invert=function(t){return new Date(u(t))},h.domain=function(t){return arguments.length?d(Array.from(t,Ma)):d().map(Aa)},h.ticks=function(e){var i=d();return t(i[0],i[i.length-1],null==e?10:e)},h.tickFormat=function(t,e){return null==e?_:c(e)},h.nice=function(t){var i=d();return t&&"function"==typeof t.range||(t=e(i[0],i[i.length-1],null==t?10:t)),t?d(function(t,e){var i,r=0,n=(t=t.slice()).length-1,o=t[r],a=t[n];return a<o&&(i=r,r=n,n=i,i=o,o=a,a=i),t[r]=e.floor(o),t[n]=e.ceil(a),t}(i,t)):h},h.copy=function(){return Gr(h,Ea(t,e,i,r,n,o,a,s,l,c))},h}function Na(){return gr.apply(Ea(oo,ao,to,Qn,On,Nn,Mn,Ln,Fn,uo).domain([new Date(2e3,0,1),new Date(2e3,0,2)]),arguments)}!function(t){ho=function(t){var e=t.dateTime,i=t.date,r=t.time,n=t.periods,o=t.days,a=t.shortDays,s=t.months,l=t.shortMonths,c=bo(n),h=Co(n),u=bo(o),d=Co(o),f=bo(a),p=Co(a),g=bo(s),m=Co(s),y=bo(l),x=Co(l),b={a:function(t){return a[t.getDay()]},A:function(t){return o[t.getDay()]},b:function(t){return l[t.getMonth()]},B:function(t){return s[t.getMonth()]},c:null,d:zo,e:zo,f:Uo,g:ra,G:oa,H:Po,I:Ro,j:Ho,L:Wo,m:Yo,M:Vo,p:function(t){return n[+(t.getHours()>=12)]},q:function(t){return 1+~~(t.getMonth()/3)},Q:Fa,s:La,S:Go,u:Xo,U:Jo,V:Ko,w:ta,W:ea,x:null,X:null,y:ia,Y:na,Z:aa,"%":Ba},C={a:function(t){return a[t.getUTCDay()]},A:function(t){return o[t.getUTCDay()]},b:function(t){return l[t.getUTCMonth()]},B:function(t){return s[t.getUTCMonth()]},c:null,d:sa,e:sa,f:da,g:ka,G:wa,H:la,I:ca,j:ha,L:ua,m:fa,M:pa,p:function(t){return n[+(t.getUTCHours()>=12)]},q:function(t){return 1+~~(t.getUTCMonth()/3)},Q:Fa,s:La,S:ga,u:ma,U:ya,V:ba,w:Ca,W:_a,x:null,X:null,y:va,Y:Ta,Z:Sa,"%":Ba},_={a:function(t,e,i){var r=f.exec(e.slice(i));return r?(t.w=p.get(r[0].toLowerCase()),i+r[0].length):-1},A:function(t,e,i){var r=u.exec(e.slice(i));return r?(t.w=d.get(r[0].toLowerCase()),i+r[0].length):-1},b:function(t,e,i){var r=y.exec(e.slice(i));return r?(t.m=x.get(r[0].toLowerCase()),i+r[0].length):-1},B:function(t,e,i){var r=g.exec(e.slice(i));return r?(t.m=m.get(r[0].toLowerCase()),i+r[0].length):-1},c:function(t,i,r){return T(t,e,i,r)},d:Mo,e:Mo,f:Oo,g:Bo,G:So,H:No,I:No,j:Eo,L:Io,m:Ao,M:Zo,p:function(t,e,i){var r=c.exec(e.slice(i));return r?(t.p=h.get(r[0].toLowerCase()),i+r[0].length):-1},q:Lo,Q:qo,s:$o,S:jo,u:vo,U:ko,V:To,w:_o,W:wo,x:function(t,e,r){return T(t,i,e,r)},X:function(t,e,i){return T(t,r,e,i)},y:Bo,Y:So,Z:Fo,"%":Do};function v(t,e){return function(i){var r,n,o,a=[],s=-1,l=0,c=t.length;for(i instanceof Date||(i=new Date(+i));++s<c;)37===t.charCodeAt(s)&&(a.push(t.slice(l,s)),null!=(n=fo[r=t.charAt(++s)])?r=t.charAt(++s):n="e"===r?" ":"0",(o=e[r])&&(r=o(i,n)),a.push(r),l=s+1);return a.push(t.slice(l,s)),a.join("")}}function k(t,e){return function(i){var r,n,o=co(1900,void 0,1);if(T(o,t,i+="",0)!=i.length)return null;if("Q"in o)return new Date(o.Q);if("s"in o)return new Date(1e3*o.s+("L"in o?o.L:0));if(e&&!("Z"in o)&&(o.Z=0),"p"in o&&(o.H=o.H%12+12*o.p),void 0===o.m&&(o.m="q"in o?o.q:0),"V"in o){if(o.V<1||o.V>53)return null;"w"in o||(o.w=1),"Z"in o?(n=(r=lo(co(o.y,0,1))).getUTCDay(),r=n>4||0===n?Un.ceil(r):Un(r),r=Zn.offset(r,7*(o.V-1)),o.y=r.getUTCFullYear(),o.m=r.getUTCMonth(),o.d=r.getUTCDate()+(o.w+6)%7):(n=(r=so(co(o.y,0,1))).getDay(),r=n>4||0===n?Dn.ceil(r):Dn(r),r=Nn.offset(r,7*(o.V-1)),o.y=r.getFullYear(),o.m=r.getMonth(),o.d=r.getDate()+(o.w+6)%7)}else("W"in o||"U"in o)&&("w"in o||(o.w="u"in o?o.u%7:"W"in o?1:0),n="Z"in o?lo(co(o.y,0,1)).getUTCDay():so(co(o.y,0,1)).getDay(),o.m=0,o.d="W"in o?(o.w+6)%7+7*o.W-(n+5)%7:o.w+7*o.U-(n+6)%7);return"Z"in o?(o.H+=o.Z/100|0,o.M+=o.Z%100,lo(o)):so(o)}}function T(t,e,i,r){for(var n,o,a=0,s=e.length,l=i.length;a<s;){if(r>=l)return-1;if(37===(n=e.charCodeAt(a++))){if(n=e.charAt(a++),!(o=_[n in fo?e.charAt(a++):n])||(r=o(t,i,r))<0)return-1}else if(n!=i.charCodeAt(r++))return-1}return r}return b.x=v(i,b),b.X=v(r,b),b.c=v(e,b),C.x=v(i,C),C.X=v(r,C),C.c=v(e,C),{format:function(t){var e=v(t+="",b);return e.toString=function(){return t},e},parse:function(t){var e=k(t+="",!1);return e.toString=function(){return t},e},utcFormat:function(t){var e=v(t+="",C);return e.toString=function(){return t},e},utcParse:function(t){var e=k(t+="",!0);return e.toString=function(){return t},e}}}(t),uo=ho.format,ho.parse,ho.utcFormat,ho.utcParse}({dateTime:"%x, %X",date:"%-m/%-d/%Y",time:"%-I:%M:%S %p",periods:["AM","PM"],days:["Sunday","Monday","Tuesday","Wednesday","Thursday","Friday","Saturday"],shortDays:["Sun","Mon","Tue","Wed","Thu","Fri","Sat"],months:["January","February","March","April","May","June","July","August","September","October","November","December"],shortMonths:["Jan","Feb","Mar","Apr","May","Jun","Jul","Aug","Sep","Oct","Nov","Dec"]});const Za=function(t){for(var e=t.length/6|0,i=new Array(e),r=0;r<e;)i[r]="#"+t.slice(6*r,6*++r);return i}("4e79a7f28e2ce1575976b7b259a14fedc949af7aa1ff9da79c755fbab0ab");function ja(t){return"string"==typeof t?new Lt([[document.querySelector(t)]],[document.documentElement]):new Lt([[t]],Ft)}function Ia(t){return"string"==typeof t?new Lt([document.querySelectorAll(t)],[document.documentElement]):new Lt([_(t)],Ft)}function Oa(t){return function(){return t}}const Da=Math.abs,qa=Math.atan2,$a=Math.cos,za=Math.max,Pa=Math.min,Ra=Math.sin,Ha=Math.sqrt,Wa=1e-12,Ua=Math.PI,Ya=Ua/2,Va=2*Ua;function Ga(t){return t>=1?Ya:t<=-1?-Ya:Math.asin(t)}const Xa=Math.PI,Ja=2*Xa,Qa=1e-6,Ka=Ja-Qa;function ts(t){this._+=t[0];for(let e=1,i=t.length;e<i;++e)this._+=arguments[e]+t[e]}class es{constructor(t){this._x0=this._y0=this._x1=this._y1=null,this._="",this._append=null==t?ts:function(t){let e=Math.floor(t);if(!(e>=0))throw new Error(`invalid digits: ${t}`);if(e>15)return ts;const i=10**e;return function(t){this._+=t[0];for(let e=1,r=t.length;e<r;++e)this._+=Math.round(arguments[e]*i)/i+t[e]}}(t)}moveTo(t,e){this._append`M${this._x0=this._x1=+t},${this._y0=this._y1=+e}`}closePath(){null!==this._x1&&(this._x1=this._x0,this._y1=this._y0,this._append`Z`)}lineTo(t,e){this._append`L${this._x1=+t},${this._y1=+e}`}quadraticCurveTo(t,e,i,r){this._append`Q${+t},${+e},${this._x1=+i},${this._y1=+r}`}bezierCurveTo(t,e,i,r,n,o){this._append`C${+t},${+e},${+i},${+r},${this._x1=+n},${this._y1=+o}`}arcTo(t,e,i,r,n){if(t=+t,e=+e,i=+i,r=+r,(n=+n)<0)throw new Error(`negative radius: ${n}`);let o=this._x1,a=this._y1,s=i-t,l=r-e,c=o-t,h=a-e,u=c*c+h*h;if(null===this._x1)this._append`M${this._x1=t},${this._y1=e}`;else if(u>Qa)if(Math.abs(h*s-l*c)>Qa&&n){let d=i-o,f=r-a,p=s*s+l*l,g=d*d+f*f,m=Math.sqrt(p),y=Math.sqrt(u),x=n*Math.tan((Xa-Math.acos((p+u-g)/(2*m*y)))/2),b=x/y,C=x/m;Math.abs(b-1)>Qa&&this._append`L${t+b*c},${e+b*h}`,this._append`A${n},${n},0,0,${+(h*d>c*f)},${this._x1=t+C*s},${this._y1=e+C*l}`}else this._append`L${this._x1=t},${this._y1=e}`;else;}arc(t,e,i,r,n,o){if(t=+t,e=+e,o=!!o,(i=+i)<0)throw new Error(`negative radius: ${i}`);let a=i*Math.cos(r),s=i*Math.sin(r),l=t+a,c=e+s,h=1^o,u=o?r-n:n-r;null===this._x1?this._append`M${l},${c}`:(Math.abs(this._x1-l)>Qa||Math.abs(this._y1-c)>Qa)&&this._append`L${l},${c}`,i&&(u<0&&(u=u%Ja+Ja),u>Ka?this._append`A${i},${i},0,1,${h},${t-a},${e-s}A${i},${i},0,1,${h},${this._x1=l},${this._y1=c}`:u>Qa&&this._append`A${i},${i},0,${+(u>=Xa)},${h},${this._x1=t+i*Math.cos(n)},${this._y1=e+i*Math.sin(n)}`)}rect(t,e,i,r){this._append`M${this._x0=this._x1=+t},${this._y0=this._y1=+e}h${i=+i}v${+r}h${-i}Z`}toString(){return this._}}function is(t){let e=3;return t.digits=function(i){if(!arguments.length)return e;if(null==i)e=null;else{const t=Math.floor(i);if(!(t>=0))throw new RangeError(`invalid digits: ${i}`);e=t}return t},()=>new es(e)}function rs(t){return t.innerRadius}function ns(t){return t.outerRadius}function os(t){return t.startAngle}function as(t){return t.endAngle}function ss(t){return t&&t.padAngle}function ls(t,e,i,r,n,o,a){var s=t-i,l=e-r,c=(a?o:-o)/Ha(s*s+l*l),h=c*l,u=-c*s,d=t+h,f=e+u,p=i+h,g=r+u,m=(d+p)/2,y=(f+g)/2,x=p-d,b=g-f,C=x*x+b*b,_=n-o,v=d*g-p*f,k=(b<0?-1:1)*Ha(za(0,_*_*C-v*v)),T=(v*b-x*k)/C,w=(-v*x-b*k)/C,S=(v*b+x*k)/C,B=(-v*x+b*k)/C,F=T-m,L=w-y,A=S-m,M=B-y;return F*F+L*L>A*A+M*M&&(T=S,w=B),{cx:T,cy:w,x01:-h,y01:-u,x11:T*(n/_-1),y11:w*(n/_-1)}}function cs(){var t=rs,e=ns,i=Oa(0),r=null,n=os,o=as,a=ss,s=null,l=is(c);function c(){var c,h,u,d=+t.apply(this,arguments),f=+e.apply(this,arguments),p=n.apply(this,arguments)-Ya,g=o.apply(this,arguments)-Ya,m=Da(g-p),y=g>p;if(s||(s=c=l()),f<d&&(h=f,f=d,d=h),f>Wa)if(m>Va-Wa)s.moveTo(f*$a(p),f*Ra(p)),s.arc(0,0,f,p,g,!y),d>Wa&&(s.moveTo(d*$a(g),d*Ra(g)),s.arc(0,0,d,g,p,y));else{var x,b,C=p,_=g,v=p,k=g,T=m,w=m,S=a.apply(this,arguments)/2,B=S>Wa&&(r?+r.apply(this,arguments):Ha(d*d+f*f)),F=Pa(Da(f-d)/2,+i.apply(this,arguments)),L=F,A=F;if(B>Wa){var M=Ga(B/d*Ra(S)),E=Ga(B/f*Ra(S));(T-=2*M)>Wa?(v+=M*=y?1:-1,k-=M):(T=0,v=k=(p+g)/2),(w-=2*E)>Wa?(C+=E*=y?1:-1,_-=E):(w=0,C=_=(p+g)/2)}var N=f*$a(C),Z=f*Ra(C),j=d*$a(k),I=d*Ra(k);if(F>Wa){var O,D=f*$a(_),q=f*Ra(_),$=d*$a(v),z=d*Ra(v);if(m<Ua)if(O=function(t,e,i,r,n,o,a,s){var l=i-t,c=r-e,h=a-n,u=s-o,d=u*l-h*c;if(!(d*d<Wa))return[t+(d=(h*(e-o)-u*(t-n))/d)*l,e+d*c]}(N,Z,$,z,D,q,j,I)){var P=N-O[0],R=Z-O[1],H=D-O[0],W=q-O[1],U=1/Ra(((u=(P*H+R*W)/(Ha(P*P+R*R)*Ha(H*H+W*W)))>1?0:u<-1?Ua:Math.acos(u))/2),Y=Ha(O[0]*O[0]+O[1]*O[1]);L=Pa(F,(d-Y)/(U-1)),A=Pa(F,(f-Y)/(U+1))}else L=A=0}w>Wa?A>Wa?(x=ls($,z,N,Z,f,A,y),b=ls(D,q,j,I,f,A,y),s.moveTo(x.cx+x.x01,x.cy+x.y01),A<F?s.arc(x.cx,x.cy,A,qa(x.y01,x.x01),qa(b.y01,b.x01),!y):(s.arc(x.cx,x.cy,A,qa(x.y01,x.x01),qa(x.y11,x.x11),!y),s.arc(0,0,f,qa(x.cy+x.y11,x.cx+x.x11),qa(b.cy+b.y11,b.cx+b.x11),!y),s.arc(b.cx,b.cy,A,qa(b.y11,b.x11),qa(b.y01,b.x01),!y))):(s.moveTo(N,Z),s.arc(0,0,f,C,_,!y)):s.moveTo(N,Z),d>Wa&&T>Wa?L>Wa?(x=ls(j,I,D,q,d,-L,y),b=ls(N,Z,$,z,d,-L,y),s.lineTo(x.cx+x.x01,x.cy+x.y01),L<F?s.arc(x.cx,x.cy,L,qa(x.y01,x.x01),qa(b.y01,b.x01),!y):(s.arc(x.cx,x.cy,L,qa(x.y01,x.x01),qa(x.y11,x.x11),!y),s.arc(0,0,d,qa(x.cy+x.y11,x.cx+x.x11),qa(b.cy+b.y11,b.cx+b.x11),y),s.arc(b.cx,b.cy,L,qa(b.y11,b.x11),qa(b.y01,b.x01),!y))):s.arc(0,0,d,k,v,y):s.lineTo(j,I)}else s.moveTo(0,0);if(s.closePath(),c)return s=null,c+""||null}return c.centroid=function(){var i=(+t.apply(this,arguments)+ +e.apply(this,arguments))/2,r=(+n.apply(this,arguments)+ +o.apply(this,arguments))/2-Ua/2;return[$a(r)*i,Ra(r)*i]},c.innerRadius=function(e){return arguments.length?(t="function"==typeof e?e:Oa(+e),c):t},c.outerRadius=function(t){return arguments.length?(e="function"==typeof t?t:Oa(+t),c):e},c.cornerRadius=function(t){return arguments.length?(i="function"==typeof t?t:Oa(+t),c):i},c.padRadius=function(t){return arguments.length?(r=null==t?null:"function"==typeof t?t:Oa(+t),c):r},c.startAngle=function(t){return arguments.length?(n="function"==typeof t?t:Oa(+t),c):n},c.endAngle=function(t){return arguments.length?(o="function"==typeof t?t:Oa(+t),c):o},c.padAngle=function(t){return arguments.length?(a="function"==typeof t?t:Oa(+t),c):a},c.context=function(t){return arguments.length?(s=null==t?null:t,c):s},c}es.prototype;Array.prototype.slice;function hs(t){return"object"==typeof t&&"length"in t?t:Array.from(t)}function us(t){this._context=t}function ds(t){return new us(t)}function fs(t){return t[0]}function ps(t){return t[1]}function gs(t,e){var i=Oa(!0),r=null,n=ds,o=null,a=is(s);function s(s){var l,c,h,u=(s=hs(s)).length,d=!1;for(null==r&&(o=n(h=a())),l=0;l<=u;++l)!(l<u&&i(c=s[l],l,s))===d&&((d=!d)?o.lineStart():o.lineEnd()),d&&o.point(+t(c,l,s),+e(c,l,s));if(h)return o=null,h+""||null}return t="function"==typeof t?t:void 0===t?fs:Oa(t),e="function"==typeof e?e:void 0===e?ps:Oa(e),s.x=function(e){return arguments.length?(t="function"==typeof e?e:Oa(+e),s):t},s.y=function(t){return arguments.length?(e="function"==typeof t?t:Oa(+t),s):e},s.defined=function(t){return arguments.length?(i="function"==typeof t?t:Oa(!!t),s):i},s.curve=function(t){return arguments.length?(n=t,null!=r&&(o=n(r)),s):n},s.context=function(t){return arguments.length?(null==t?r=o=null:o=n(r=t),s):r},s}function ms(t,e){return e<t?-1:e>t?1:e>=t?0:NaN}function ys(t){return t}function xs(){var t=ys,e=ms,i=null,r=Oa(0),n=Oa(Va),o=Oa(0);function a(a){var s,l,c,h,u,d=(a=hs(a)).length,f=0,p=new Array(d),g=new Array(d),m=+r.apply(this,arguments),y=Math.min(Va,Math.max(-Va,n.apply(this,arguments)-m)),x=Math.min(Math.abs(y)/d,o.apply(this,arguments)),b=x*(y<0?-1:1);for(s=0;s<d;++s)(u=g[p[s]=s]=+t(a[s],s,a))>0&&(f+=u);for(null!=e?p.sort((function(t,i){return e(g[t],g[i])})):null!=i&&p.sort((function(t,e){return i(a[t],a[e])})),s=0,c=f?(y-d*b)/f:0;s<d;++s,m=h)l=p[s],h=m+((u=g[l])>0?u*c:0)+b,g[l]={data:a[l],index:s,value:u,startAngle:m,endAngle:h,padAngle:x};return g}return a.value=function(e){return arguments.length?(t="function"==typeof e?e:Oa(+e),a):t},a.sortValues=function(t){return arguments.length?(e=t,i=null,a):e},a.sort=function(t){return arguments.length?(i=t,e=null,a):i},a.startAngle=function(t){return arguments.length?(r="function"==typeof t?t:Oa(+t),a):r},a.endAngle=function(t){return arguments.length?(n="function"==typeof t?t:Oa(+t),a):n},a.padAngle=function(t){return arguments.length?(o="function"==typeof t?t:Oa(+t),a):o},a}function bs(){}function Cs(t,e,i){t._context.bezierCurveTo((2*t._x0+t._x1)/3,(2*t._y0+t._y1)/3,(t._x0+2*t._x1)/3,(t._y0+2*t._y1)/3,(t._x0+4*t._x1+e)/6,(t._y0+4*t._y1+i)/6)}function _s(t){this._context=t}function vs(t){return new _s(t)}function ks(t){this._context=t}function Ts(t){return new ks(t)}function ws(t){this._context=t}function Ss(t){return new ws(t)}us.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._point=0},lineEnd:function(){(this._line||0!==this._line&&1===this._point)&&this._context.closePath(),this._line=1-this._line},point:function(t,e){switch(t=+t,e=+e,this._point){case 0:this._point=1,this._line?this._context.lineTo(t,e):this._context.moveTo(t,e);break;case 1:this._point=2;default:this._context.lineTo(t,e)}}},_s.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._x0=this._x1=this._y0=this._y1=NaN,this._point=0},lineEnd:function(){switch(this._point){case 3:Cs(this,this._x1,this._y1);case 2:this._context.lineTo(this._x1,this._y1)}(this._line||0!==this._line&&1===this._point)&&this._context.closePath(),this._line=1-this._line},point:function(t,e){switch(t=+t,e=+e,this._point){case 0:this._point=1,this._line?this._context.lineTo(t,e):this._context.moveTo(t,e);break;case 1:this._point=2;break;case 2:this._point=3,this._context.lineTo((5*this._x0+this._x1)/6,(5*this._y0+this._y1)/6);default:Cs(this,t,e)}this._x0=this._x1,this._x1=t,this._y0=this._y1,this._y1=e}},ks.prototype={areaStart:bs,areaEnd:bs,lineStart:function(){this._x0=this._x1=this._x2=this._x3=this._x4=this._y0=this._y1=this._y2=this._y3=this._y4=NaN,this._point=0},lineEnd:function(){switch(this._point){case 1:this._context.moveTo(this._x2,this._y2),this._context.closePath();break;case 2:this._context.moveTo((this._x2+2*this._x3)/3,(this._y2+2*this._y3)/3),this._context.lineTo((this._x3+2*this._x2)/3,(this._y3+2*this._y2)/3),this._context.closePath();break;case 3:this.point(this._x2,this._y2),this.point(this._x3,this._y3),this.point(this._x4,this._y4)}},point:function(t,e){switch(t=+t,e=+e,this._point){case 0:this._point=1,this._x2=t,this._y2=e;break;case 1:this._point=2,this._x3=t,this._y3=e;break;case 2:this._point=3,this._x4=t,this._y4=e,this._context.moveTo((this._x0+4*this._x1+t)/6,(this._y0+4*this._y1+e)/6);break;default:Cs(this,t,e)}this._x0=this._x1,this._x1=t,this._y0=this._y1,this._y1=e}},ws.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._x0=this._x1=this._y0=this._y1=NaN,this._point=0},lineEnd:function(){(this._line||0!==this._line&&3===this._point)&&this._context.closePath(),this._line=1-this._line},point:function(t,e){switch(t=+t,e=+e,this._point){case 0:this._point=1;break;case 1:this._point=2;break;case 2:this._point=3;var i=(this._x0+4*this._x1+t)/6,r=(this._y0+4*this._y1+e)/6;this._line?this._context.lineTo(i,r):this._context.moveTo(i,r);break;case 3:this._point=4;default:Cs(this,t,e)}this._x0=this._x1,this._x1=t,this._y0=this._y1,this._y1=e}};class Bs{constructor(t,e){this._context=t,this._x=e}areaStart(){this._line=0}areaEnd(){this._line=NaN}lineStart(){this._point=0}lineEnd(){(this._line||0!==this._line&&1===this._point)&&this._context.closePath(),this._line=1-this._line}point(t,e){switch(t=+t,e=+e,this._point){case 0:this._point=1,this._line?this._context.lineTo(t,e):this._context.moveTo(t,e);break;case 1:this._point=2;default:this._x?this._context.bezierCurveTo(this._x0=(this._x0+t)/2,this._y0,this._x0,e,t,e):this._context.bezierCurveTo(this._x0,this._y0=(this._y0+e)/2,t,this._y0,t,e)}this._x0=t,this._y0=e}}function Fs(t){return new Bs(t,!0)}function Ls(t){return new Bs(t,!1)}function As(t,e){this._basis=new _s(t),this._beta=e}As.prototype={lineStart:function(){this._x=[],this._y=[],this._basis.lineStart()},lineEnd:function(){var t=this._x,e=this._y,i=t.length-1;if(i>0)for(var r,n=t[0],o=e[0],a=t[i]-n,s=e[i]-o,l=-1;++l<=i;)r=l/i,this._basis.point(this._beta*t[l]+(1-this._beta)*(n+r*a),this._beta*e[l]+(1-this._beta)*(o+r*s));this._x=this._y=null,this._basis.lineEnd()},point:function(t,e){this._x.push(+t),this._y.push(+e)}};const Ms=function t(e){function i(t){return 1===e?new _s(t):new As(t,e)}return i.beta=function(e){return t(+e)},i}(.85);function Es(t,e,i){t._context.bezierCurveTo(t._x1+t._k*(t._x2-t._x0),t._y1+t._k*(t._y2-t._y0),t._x2+t._k*(t._x1-e),t._y2+t._k*(t._y1-i),t._x2,t._y2)}function Ns(t,e){this._context=t,this._k=(1-e)/6}Ns.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._x0=this._x1=this._x2=this._y0=this._y1=this._y2=NaN,this._point=0},lineEnd:function(){switch(this._point){case 2:this._context.lineTo(this._x2,this._y2);break;case 3:Es(this,this._x1,this._y1)}(this._line||0!==this._line&&1===this._point)&&this._context.closePath(),this._line=1-this._line},point:function(t,e){switch(t=+t,e=+e,this._point){case 0:this._point=1,this._line?this._context.lineTo(t,e):this._context.moveTo(t,e);break;case 1:this._point=2,this._x1=t,this._y1=e;break;case 2:this._point=3;default:Es(this,t,e)}this._x0=this._x1,this._x1=this._x2,this._x2=t,this._y0=this._y1,this._y1=this._y2,this._y2=e}};const Zs=function t(e){function i(t){return new Ns(t,e)}return i.tension=function(e){return t(+e)},i}(0);function js(t,e){this._context=t,this._k=(1-e)/6}js.prototype={areaStart:bs,areaEnd:bs,lineStart:function(){this._x0=this._x1=this._x2=this._x3=this._x4=this._x5=this._y0=this._y1=this._y2=this._y3=this._y4=this._y5=NaN,this._point=0},lineEnd:function(){switch(this._point){case 1:this._context.moveTo(this._x3,this._y3),this._context.closePath();break;case 2:this._context.lineTo(this._x3,this._y3),this._context.closePath();break;case 3:this.point(this._x3,this._y3),this.point(this._x4,this._y4),this.point(this._x5,this._y5)}},point:function(t,e){switch(t=+t,e=+e,this._point){case 0:this._point=1,this._x3=t,this._y3=e;break;case 1:this._point=2,this._context.moveTo(this._x4=t,this._y4=e);break;case 2:this._point=3,this._x5=t,this._y5=e;break;default:Es(this,t,e)}this._x0=this._x1,this._x1=this._x2,this._x2=t,this._y0=this._y1,this._y1=this._y2,this._y2=e}};const Is=function t(e){function i(t){return new js(t,e)}return i.tension=function(e){return t(+e)},i}(0);function Os(t,e){this._context=t,this._k=(1-e)/6}Os.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._x0=this._x1=this._x2=this._y0=this._y1=this._y2=NaN,this._point=0},lineEnd:function(){(this._line||0!==this._line&&3===this._point)&&this._context.closePath(),this._line=1-this._line},point:function(t,e){switch(t=+t,e=+e,this._point){case 0:this._point=1;break;case 1:this._point=2;break;case 2:this._point=3,this._line?this._context.lineTo(this._x2,this._y2):this._context.moveTo(this._x2,this._y2);break;case 3:this._point=4;default:Es(this,t,e)}this._x0=this._x1,this._x1=this._x2,this._x2=t,this._y0=this._y1,this._y1=this._y2,this._y2=e}};const Ds=function t(e){function i(t){return new Os(t,e)}return i.tension=function(e){return t(+e)},i}(0);function qs(t,e,i){var r=t._x1,n=t._y1,o=t._x2,a=t._y2;if(t._l01_a>Wa){var s=2*t._l01_2a+3*t._l01_a*t._l12_a+t._l12_2a,l=3*t._l01_a*(t._l01_a+t._l12_a);r=(r*s-t._x0*t._l12_2a+t._x2*t._l01_2a)/l,n=(n*s-t._y0*t._l12_2a+t._y2*t._l01_2a)/l}if(t._l23_a>Wa){var c=2*t._l23_2a+3*t._l23_a*t._l12_a+t._l12_2a,h=3*t._l23_a*(t._l23_a+t._l12_a);o=(o*c+t._x1*t._l23_2a-e*t._l12_2a)/h,a=(a*c+t._y1*t._l23_2a-i*t._l12_2a)/h}t._context.bezierCurveTo(r,n,o,a,t._x2,t._y2)}function $s(t,e){this._context=t,this._alpha=e}$s.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._x0=this._x1=this._x2=this._y0=this._y1=this._y2=NaN,this._l01_a=this._l12_a=this._l23_a=this._l01_2a=this._l12_2a=this._l23_2a=this._point=0},lineEnd:function(){switch(this._point){case 2:this._context.lineTo(this._x2,this._y2);break;case 3:this.point(this._x2,this._y2)}(this._line||0!==this._line&&1===this._point)&&this._context.closePath(),this._line=1-this._line},point:function(t,e){if(t=+t,e=+e,this._point){var i=this._x2-t,r=this._y2-e;this._l23_a=Math.sqrt(this._l23_2a=Math.pow(i*i+r*r,this._alpha))}switch(this._point){case 0:this._point=1,this._line?this._context.lineTo(t,e):this._context.moveTo(t,e);break;case 1:this._point=2;break;case 2:this._point=3;default:qs(this,t,e)}this._l01_a=this._l12_a,this._l12_a=this._l23_a,this._l01_2a=this._l12_2a,this._l12_2a=this._l23_2a,this._x0=this._x1,this._x1=this._x2,this._x2=t,this._y0=this._y1,this._y1=this._y2,this._y2=e}};const zs=function t(e){function i(t){return e?new $s(t,e):new Ns(t,0)}return i.alpha=function(e){return t(+e)},i}(.5);function Ps(t,e){this._context=t,this._alpha=e}Ps.prototype={areaStart:bs,areaEnd:bs,lineStart:function(){this._x0=this._x1=this._x2=this._x3=this._x4=this._x5=this._y0=this._y1=this._y2=this._y3=this._y4=this._y5=NaN,this._l01_a=this._l12_a=this._l23_a=this._l01_2a=this._l12_2a=this._l23_2a=this._point=0},lineEnd:function(){switch(this._point){case 1:this._context.moveTo(this._x3,this._y3),this._context.closePath();break;case 2:this._context.lineTo(this._x3,this._y3),this._context.closePath();break;case 3:this.point(this._x3,this._y3),this.point(this._x4,this._y4),this.point(this._x5,this._y5)}},point:function(t,e){if(t=+t,e=+e,this._point){var i=this._x2-t,r=this._y2-e;this._l23_a=Math.sqrt(this._l23_2a=Math.pow(i*i+r*r,this._alpha))}switch(this._point){case 0:this._point=1,this._x3=t,this._y3=e;break;case 1:this._point=2,this._context.moveTo(this._x4=t,this._y4=e);break;case 2:this._point=3,this._x5=t,this._y5=e;break;default:qs(this,t,e)}this._l01_a=this._l12_a,this._l12_a=this._l23_a,this._l01_2a=this._l12_2a,this._l12_2a=this._l23_2a,this._x0=this._x1,this._x1=this._x2,this._x2=t,this._y0=this._y1,this._y1=this._y2,this._y2=e}};const Rs=function t(e){function i(t){return e?new Ps(t,e):new js(t,0)}return i.alpha=function(e){return t(+e)},i}(.5);function Hs(t,e){this._context=t,this._alpha=e}Hs.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._x0=this._x1=this._x2=this._y0=this._y1=this._y2=NaN,this._l01_a=this._l12_a=this._l23_a=this._l01_2a=this._l12_2a=this._l23_2a=this._point=0},lineEnd:function(){(this._line||0!==this._line&&3===this._point)&&this._context.closePath(),this._line=1-this._line},point:function(t,e){if(t=+t,e=+e,this._point){var i=this._x2-t,r=this._y2-e;this._l23_a=Math.sqrt(this._l23_2a=Math.pow(i*i+r*r,this._alpha))}switch(this._point){case 0:this._point=1;break;case 1:this._point=2;break;case 2:this._point=3,this._line?this._context.lineTo(this._x2,this._y2):this._context.moveTo(this._x2,this._y2);break;case 3:this._point=4;default:qs(this,t,e)}this._l01_a=this._l12_a,this._l12_a=this._l23_a,this._l01_2a=this._l12_2a,this._l12_2a=this._l23_2a,this._x0=this._x1,this._x1=this._x2,this._x2=t,this._y0=this._y1,this._y1=this._y2,this._y2=e}};const Ws=function t(e){function i(t){return e?new Hs(t,e):new Os(t,0)}return i.alpha=function(e){return t(+e)},i}(.5);function Us(t){this._context=t}function Ys(t){return new Us(t)}function Vs(t){return t<0?-1:1}function Gs(t,e,i){var r=t._x1-t._x0,n=e-t._x1,o=(t._y1-t._y0)/(r||n<0&&-0),a=(i-t._y1)/(n||r<0&&-0),s=(o*n+a*r)/(r+n);return(Vs(o)+Vs(a))*Math.min(Math.abs(o),Math.abs(a),.5*Math.abs(s))||0}function Xs(t,e){var i=t._x1-t._x0;return i?(3*(t._y1-t._y0)/i-e)/2:e}function Js(t,e,i){var r=t._x0,n=t._y0,o=t._x1,a=t._y1,s=(o-r)/3;t._context.bezierCurveTo(r+s,n+s*e,o-s,a-s*i,o,a)}function Qs(t){this._context=t}function Ks(t){this._context=new tl(t)}function tl(t){this._context=t}function el(t){return new Qs(t)}function il(t){return new Ks(t)}function rl(t){this._context=t}function nl(t){var e,i,r=t.length-1,n=new Array(r),o=new Array(r),a=new Array(r);for(n[0]=0,o[0]=2,a[0]=t[0]+2*t[1],e=1;e<r-1;++e)n[e]=1,o[e]=4,a[e]=4*t[e]+2*t[e+1];for(n[r-1]=2,o[r-1]=7,a[r-1]=8*t[r-1]+t[r],e=1;e<r;++e)i=n[e]/o[e-1],o[e]-=i,a[e]-=i*a[e-1];for(n[r-1]=a[r-1]/o[r-1],e=r-2;e>=0;--e)n[e]=(a[e]-n[e+1])/o[e];for(o[r-1]=(t[r]+n[r-1])/2,e=0;e<r-1;++e)o[e]=2*t[e+1]-n[e+1];return[n,o]}function ol(t){return new rl(t)}function al(t,e){this._context=t,this._t=e}function sl(t){return new al(t,.5)}function ll(t){return new al(t,0)}function cl(t){return new al(t,1)}function hl(t,e,i){this.k=t,this.x=e,this.y=i}Us.prototype={areaStart:bs,areaEnd:bs,lineStart:function(){this._point=0},lineEnd:function(){this._point&&this._context.closePath()},point:function(t,e){t=+t,e=+e,this._point?this._context.lineTo(t,e):(this._point=1,this._context.moveTo(t,e))}},Qs.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._x0=this._x1=this._y0=this._y1=this._t0=NaN,this._point=0},lineEnd:function(){switch(this._point){case 2:this._context.lineTo(this._x1,this._y1);break;case 3:Js(this,this._t0,Xs(this,this._t0))}(this._line||0!==this._line&&1===this._point)&&this._context.closePath(),this._line=1-this._line},point:function(t,e){var i=NaN;if(e=+e,(t=+t)!==this._x1||e!==this._y1){switch(this._point){case 0:this._point=1,this._line?this._context.lineTo(t,e):this._context.moveTo(t,e);break;case 1:this._point=2;break;case 2:this._point=3,Js(this,Xs(this,i=Gs(this,t,e)),i);break;default:Js(this,this._t0,i=Gs(this,t,e))}this._x0=this._x1,this._x1=t,this._y0=this._y1,this._y1=e,this._t0=i}}},(Ks.prototype=Object.create(Qs.prototype)).point=function(t,e){Qs.prototype.point.call(this,e,t)},tl.prototype={moveTo:function(t,e){this._context.moveTo(e,t)},closePath:function(){this._context.closePath()},lineTo:function(t,e){this._context.lineTo(e,t)},bezierCurveTo:function(t,e,i,r,n,o){this._context.bezierCurveTo(e,t,r,i,o,n)}},rl.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._x=[],this._y=[]},lineEnd:function(){var t=this._x,e=this._y,i=t.length;if(i)if(this._line?this._context.lineTo(t[0],e[0]):this._context.moveTo(t[0],e[0]),2===i)this._context.lineTo(t[1],e[1]);else for(var r=nl(t),n=nl(e),o=0,a=1;a<i;++o,++a)this._context.bezierCurveTo(r[0][o],n[0][o],r[1][o],n[1][o],t[a],e[a]);(this._line||0!==this._line&&1===i)&&this._context.closePath(),this._line=1-this._line,this._x=this._y=null},point:function(t,e){this._x.push(+t),this._y.push(+e)}},al.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._x=this._y=NaN,this._point=0},lineEnd:function(){0<this._t&&this._t<1&&2===this._point&&this._context.lineTo(this._x,this._y),(this._line||0!==this._line&&1===this._point)&&this._context.closePath(),this._line>=0&&(this._t=1-this._t,this._line=1-this._line)},point:function(t,e){switch(t=+t,e=+e,this._point){case 0:this._point=1,this._line?this._context.lineTo(t,e):this._context.moveTo(t,e);break;case 1:this._point=2;default:if(this._t<=0)this._context.lineTo(this._x,e),this._context.lineTo(t,e);else{var i=this._x*(1-this._t)+t*this._t;this._context.lineTo(i,this._y),this._context.lineTo(i,e)}}this._x=t,this._y=e}},hl.prototype={constructor:hl,scale:function(t){return 1===t?this:new hl(this.k*t,this.x,this.y)},translate:function(t,e){return 0===t&0===e?this:new hl(this.k,this.x+this.k*t,this.y+this.k*e)},apply:function(t){return[t[0]*this.k+this.x,t[1]*this.k+this.y]},applyX:function(t){return t*this.k+this.x},applyY:function(t){return t*this.k+this.y},invert:function(t){return[(t[0]-this.x)/this.k,(t[1]-this.y)/this.k]},invertX:function(t){return(t-this.x)/this.k},invertY:function(t){return(t-this.y)/this.k},rescaleX:function(t){return t.copy().domain(t.range().map(this.invertX,this).map(t.invert,t))},rescaleY:function(t){return t.copy().domain(t.range().map(this.invertY,this).map(t.invert,t))},toString:function(){return"translate("+this.x+","+this.y+") scale("+this.k+")"}};new hl(1,0,0);hl.prototype},1883:(t,e,i)=>{"use strict";i.d(e,{Z:()=>a});var r=i(1691),n=i(2142);const o=class{constructor(){this.type=n.w.ALL}get(){return this.type}set(t){if(this.type&&this.type!==t)throw new Error("Cannot change both RGB and HSL channels at the same time");this.type=t}reset(){this.type=n.w.ALL}is(t){return this.type===t}};const a=new class{constructor(t,e){this.color=e,this.changed=!1,this.data=t,this.type=new o}set(t,e){return this.color=e,this.changed=!1,this.data=t,this.type.type=n.w.ALL,this}_ensureHSL(){const t=this.data,{h:e,s:i,l:n}=t;void 0===e&&(t.h=r.Z.channel.rgb2hsl(t,"h")),void 0===i&&(t.s=r.Z.channel.rgb2hsl(t,"s")),void 0===n&&(t.l=r.Z.channel.rgb2hsl(t,"l"))}_ensureRGB(){const t=this.data,{r:e,g:i,b:n}=t;void 0===e&&(t.r=r.Z.channel.hsl2rgb(t,"r")),void 0===i&&(t.g=r.Z.channel.hsl2rgb(t,"g")),void 0===n&&(t.b=r.Z.channel.hsl2rgb(t,"b"))}get r(){const t=this.data,e=t.r;return this.type.is(n.w.HSL)||void 0===e?(this._ensureHSL(),r.Z.channel.hsl2rgb(t,"r")):e}get g(){const t=this.data,e=t.g;return this.type.is(n.w.HSL)||void 0===e?(this._ensureHSL(),r.Z.channel.hsl2rgb(t,"g")):e}get b(){const t=this.data,e=t.b;return this.type.is(n.w.HSL)||void 0===e?(this._ensureHSL(),r.Z.channel.hsl2rgb(t,"b")):e}get h(){const t=this.data,e=t.h;return this.type.is(n.w.RGB)||void 0===e?(this._ensureRGB(),r.Z.channel.rgb2hsl(t,"h")):e}get s(){const t=this.data,e=t.s;return this.type.is(n.w.RGB)||void 0===e?(this._ensureRGB(),r.Z.channel.rgb2hsl(t,"s")):e}get l(){const t=this.data,e=t.l;return this.type.is(n.w.RGB)||void 0===e?(this._ensureRGB(),r.Z.channel.rgb2hsl(t,"l")):e}get a(){return this.data.a}set r(t){this.type.set(n.w.RGB),this.changed=!0,this.data.r=t}set g(t){this.type.set(n.w.RGB),this.changed=!0,this.data.g=t}set b(t){this.type.set(n.w.RGB),this.changed=!0,this.data.b=t}set h(t){this.type.set(n.w.HSL),this.changed=!0,this.data.h=t}set s(t){this.type.set(n.w.HSL),this.changed=!0,this.data.s=t}set l(t){this.type.set(n.w.HSL),this.changed=!0,this.data.l=t}set a(t){this.changed=!0,this.data.a=t}}({r:0,g:0,b:0,a:0},"transparent")},1610:(t,e,i)=>{"use strict";i.d(e,{Z:()=>g});var r=i(1883),n=i(2142);const o={re:/^#((?:[a-f0-9]{2}){2,4}|[a-f0-9]{3})$/i,parse:t=>{if(35!==t.charCodeAt(0))return;const e=t.match(o.re);if(!e)return;const i=e[1],n=parseInt(i,16),a=i.length,s=a%4==0,l=a>4,c=l?1:17,h=l?8:4,u=s?0:-1,d=l?255:15;return r.Z.set({r:(n>>h*(u+3)&d)*c,g:(n>>h*(u+2)&d)*c,b:(n>>h*(u+1)&d)*c,a:s?(n&d)*c/255:1},t)},stringify:t=>{const{r:e,g:i,b:r,a:o}=t;return o<1?`#${n.Q[Math.round(e)]}${n.Q[Math.round(i)]}${n.Q[Math.round(r)]}${n.Q[Math.round(255*o)]}`:`#${n.Q[Math.round(e)]}${n.Q[Math.round(i)]}${n.Q[Math.round(r)]}`}},a=o;var s=i(1691);const l={re:/^hsla?\(\s*?(-?(?:\d+(?:\.\d+)?|(?:\.\d+))(?:e-?\d+)?(?:deg|grad|rad|turn)?)\s*?(?:,|\s)\s*?(-?(?:\d+(?:\.\d+)?|(?:\.\d+))(?:e-?\d+)?%)\s*?(?:,|\s)\s*?(-?(?:\d+(?:\.\d+)?|(?:\.\d+))(?:e-?\d+)?%)(?:\s*?(?:,|\/)\s*?\+?(-?(?:\d+(?:\.\d+)?|(?:\.\d+))(?:e-?\d+)?(%)?))?\s*?\)$/i,hueRe:/^(.+?)(deg|grad|rad|turn)$/i,_hue2deg:t=>{const e=t.match(l.hueRe);if(e){const[,t,i]=e;switch(i){case"grad":return s.Z.channel.clamp.h(.9*parseFloat(t));case"rad":return s.Z.channel.clamp.h(180*parseFloat(t)/Math.PI);case"turn":return s.Z.channel.clamp.h(360*parseFloat(t))}}return s.Z.channel.clamp.h(parseFloat(t))},parse:t=>{const e=t.charCodeAt(0);if(104!==e&&72!==e)return;const i=t.match(l.re);if(!i)return;const[,n,o,a,c,h]=i;return r.Z.set({h:l._hue2deg(n),s:s.Z.channel.clamp.s(parseFloat(o)),l:s.Z.channel.clamp.l(parseFloat(a)),a:c?s.Z.channel.clamp.a(h?parseFloat(c)/100:parseFloat(c)):1},t)},stringify:t=>{const{h:e,s:i,l:r,a:n}=t;return n<1?`hsla(${s.Z.lang.round(e)}, ${s.Z.lang.round(i)}%, ${s.Z.lang.round(r)}%, ${n})`:`hsl(${s.Z.lang.round(e)}, ${s.Z.lang.round(i)}%, ${s.Z.lang.round(r)}%)`}},c=l,h={colors:{aliceblue:"#f0f8ff",antiquewhite:"#faebd7",aqua:"#00ffff",aquamarine:"#7fffd4",azure:"#f0ffff",beige:"#f5f5dc",bisque:"#ffe4c4",black:"#000000",blanchedalmond:"#ffebcd",blue:"#0000ff",blueviolet:"#8a2be2",brown:"#a52a2a",burlywood:"#deb887",cadetblue:"#5f9ea0",chartreuse:"#7fff00",chocolate:"#d2691e",coral:"#ff7f50",cornflowerblue:"#6495ed",cornsilk:"#fff8dc",crimson:"#dc143c",cyanaqua:"#00ffff",darkblue:"#00008b",darkcyan:"#008b8b",darkgoldenrod:"#b8860b",darkgray:"#a9a9a9",darkgreen:"#006400",darkgrey:"#a9a9a9",darkkhaki:"#bdb76b",darkmagenta:"#8b008b",darkolivegreen:"#556b2f",darkorange:"#ff8c00",darkorchid:"#9932cc",darkred:"#8b0000",darksalmon:"#e9967a",darkseagreen:"#8fbc8f",darkslateblue:"#483d8b",darkslategray:"#2f4f4f",darkslategrey:"#2f4f4f",darkturquoise:"#00ced1",darkviolet:"#9400d3",deeppink:"#ff1493",deepskyblue:"#00bfff",dimgray:"#696969",dimgrey:"#696969",dodgerblue:"#1e90ff",firebrick:"#b22222",floralwhite:"#fffaf0",forestgreen:"#228b22",fuchsia:"#ff00ff",gainsboro:"#dcdcdc",ghostwhite:"#f8f8ff",gold:"#ffd700",goldenrod:"#daa520",gray:"#808080",green:"#008000",greenyellow:"#adff2f",grey:"#808080",honeydew:"#f0fff0",hotpink:"#ff69b4",indianred:"#cd5c5c",indigo:"#4b0082",ivory:"#fffff0",khaki:"#f0e68c",lavender:"#e6e6fa",lavenderblush:"#fff0f5",lawngreen:"#7cfc00",lemonchiffon:"#fffacd",lightblue:"#add8e6",lightcoral:"#f08080",lightcyan:"#e0ffff",lightgoldenrodyellow:"#fafad2",lightgray:"#d3d3d3",lightgreen:"#90ee90",lightgrey:"#d3d3d3",lightpink:"#ffb6c1",lightsalmon:"#ffa07a",lightseagreen:"#20b2aa",lightskyblue:"#87cefa",lightslategray:"#778899",lightslategrey:"#778899",lightsteelblue:"#b0c4de",lightyellow:"#ffffe0",lime:"#00ff00",limegreen:"#32cd32",linen:"#faf0e6",magenta:"#ff00ff",maroon:"#800000",mediumaquamarine:"#66cdaa",mediumblue:"#0000cd",mediumorchid:"#ba55d3",mediumpurple:"#9370db",mediumseagreen:"#3cb371",mediumslateblue:"#7b68ee",mediumspringgreen:"#00fa9a",mediumturquoise:"#48d1cc",mediumvioletred:"#c71585",midnightblue:"#191970",mintcream:"#f5fffa",mistyrose:"#ffe4e1",moccasin:"#ffe4b5",navajowhite:"#ffdead",navy:"#000080",oldlace:"#fdf5e6",olive:"#808000",olivedrab:"#6b8e23",orange:"#ffa500",orangered:"#ff4500",orchid:"#da70d6",palegoldenrod:"#eee8aa",palegreen:"#98fb98",paleturquoise:"#afeeee",palevioletred:"#db7093",papayawhip:"#ffefd5",peachpuff:"#ffdab9",peru:"#cd853f",pink:"#ffc0cb",plum:"#dda0dd",powderblue:"#b0e0e6",purple:"#800080",rebeccapurple:"#663399",red:"#ff0000",rosybrown:"#bc8f8f",royalblue:"#4169e1",saddlebrown:"#8b4513",salmon:"#fa8072",sandybrown:"#f4a460",seagreen:"#2e8b57",seashell:"#fff5ee",sienna:"#a0522d",silver:"#c0c0c0",skyblue:"#87ceeb",slateblue:"#6a5acd",slategray:"#708090",slategrey:"#708090",snow:"#fffafa",springgreen:"#00ff7f",tan:"#d2b48c",teal:"#008080",thistle:"#d8bfd8",transparent:"#00000000",turquoise:"#40e0d0",violet:"#ee82ee",wheat:"#f5deb3",white:"#ffffff",whitesmoke:"#f5f5f5",yellow:"#ffff00",yellowgreen:"#9acd32"},parse:t=>{t=t.toLowerCase();const e=h.colors[t];if(e)return a.parse(e)},stringify:t=>{const e=a.stringify(t);for(const i in h.colors)if(h.colors[i]===e)return i}},u=h,d={re:/^rgba?\(\s*?(-?(?:\d+(?:\.\d+)?|(?:\.\d+))(?:e\d+)?(%?))\s*?(?:,|\s)\s*?(-?(?:\d+(?:\.\d+)?|(?:\.\d+))(?:e\d+)?(%?))\s*?(?:,|\s)\s*?(-?(?:\d+(?:\.\d+)?|(?:\.\d+))(?:e\d+)?(%?))(?:\s*?(?:,|\/)\s*?\+?(-?(?:\d+(?:\.\d+)?|(?:\.\d+))(?:e\d+)?(%?)))?\s*?\)$/i,parse:t=>{const e=t.charCodeAt(0);if(114!==e&&82!==e)return;const i=t.match(d.re);if(!i)return;const[,n,o,a,l,c,h,u,f]=i;return r.Z.set({r:s.Z.channel.clamp.r(o?2.55*parseFloat(n):parseFloat(n)),g:s.Z.channel.clamp.g(l?2.55*parseFloat(a):parseFloat(a)),b:s.Z.channel.clamp.b(h?2.55*parseFloat(c):parseFloat(c)),a:u?s.Z.channel.clamp.a(f?parseFloat(u)/100:parseFloat(u)):1},t)},stringify:t=>{const{r:e,g:i,b:r,a:n}=t;return n<1?`rgba(${s.Z.lang.round(e)}, ${s.Z.lang.round(i)}, ${s.Z.lang.round(r)}, ${s.Z.lang.round(n)})`:`rgb(${s.Z.lang.round(e)}, ${s.Z.lang.round(i)}, ${s.Z.lang.round(r)})`}},f=d,p={format:{keyword:h,hex:a,rgb:d,rgba:d,hsl:l,hsla:l},parse:t=>{if("string"!=typeof t)return t;const e=a.parse(t)||f.parse(t)||c.parse(t)||u.parse(t);if(e)return e;throw new Error(`Unsupported color format: "${t}"`)},stringify:t=>!t.changed&&t.color?t.color:t.type.is(n.w.HSL)||void 0===t.data.r?c.stringify(t):t.a<1||!Number.isInteger(t.r)||!Number.isInteger(t.g)||!Number.isInteger(t.b)?f.stringify(t):a.stringify(t)},g=p},2142:(t,e,i)=>{"use strict";i.d(e,{Q:()=>n,w:()=>o});var r=i(1691);const n={};for(let a=0;a<=255;a++)n[a]=r.Z.unit.dec2hex(a);const o={ALL:0,RGB:1,HSL:2}},6174:(t,e,i)=>{"use strict";i.d(e,{Z:()=>o});var r=i(1691),n=i(1610);const o=(t,e,i)=>{const o=n.Z.parse(t),a=o[e],s=r.Z.channel.clamp[e](a+i);return a!==s&&(o[e]=s),n.Z.stringify(o)}},9807:(t,e,i)=>{"use strict";i.d(e,{Z:()=>o});var r=i(1691),n=i(1610);const o=(t,e)=>{const i=n.Z.parse(t);for(const n in e)i[n]=r.Z.channel.clamp[n](e[n]);return n.Z.stringify(i)}},7201:(t,e,i)=>{"use strict";i.d(e,{Z:()=>n});var r=i(6174);const n=(t,e)=>(0,r.Z)(t,"l",-e)},1619:(t,e,i)=>{"use strict";i.d(e,{Z:()=>s});var r=i(1691),n=i(1610);const o=t=>{const{r:e,g:i,b:o}=n.Z.parse(t),a=.2126*r.Z.channel.toLinear(e)+.7152*r.Z.channel.toLinear(i)+.0722*r.Z.channel.toLinear(o);return r.Z.lang.round(a)},a=t=>o(t)>=.5,s=t=>!a(t)},2281:(t,e,i)=>{"use strict";i.d(e,{Z:()=>n});var r=i(6174);const n=(t,e)=>(0,r.Z)(t,"l",e)},1117:(t,e,i)=>{"use strict";i.d(e,{Z:()=>s});var r=i(1691),n=i(1883),o=i(1610),a=i(9807);const s=(t,e,i=0,s=1)=>{if("number"!=typeof t)return(0,a.Z)(t,{a:e});const l=n.Z.set({r:r.Z.channel.clamp.r(t),g:r.Z.channel.clamp.g(e),b:r.Z.channel.clamp.b(i),a:r.Z.channel.clamp.a(s)});return o.Z.stringify(l)}},1691:(t,e,i)=>{"use strict";i.d(e,{Z:()=>n});const r={min:{r:0,g:0,b:0,s:0,l:0,a:0},max:{r:255,g:255,b:255,h:360,s:100,l:100,a:1},clamp:{r:t=>t>=255?255:t<0?0:t,g:t=>t>=255?255:t<0?0:t,b:t=>t>=255?255:t<0?0:t,h:t=>t%360,s:t=>t>=100?100:t<0?0:t,l:t=>t>=100?100:t<0?0:t,a:t=>t>=1?1:t<0?0:t},toLinear:t=>{const e=t/255;return t>.03928?Math.pow((e+.055)/1.055,2.4):e/12.92},hue2rgb:(t,e,i)=>(i<0&&(i+=1),i>1&&(i-=1),i<1/6?t+6*(e-t)*i:i<.5?e:i<2/3?t+(e-t)*(2/3-i)*6:t),hsl2rgb:({h:t,s:e,l:i},n)=>{if(!e)return 2.55*i;t/=360,e/=100;const o=(i/=100)<.5?i*(1+e):i+e-i*e,a=2*i-o;switch(n){case"r":return 255*r.hue2rgb(a,o,t+1/3);case"g":return 255*r.hue2rgb(a,o,t);case"b":return 255*r.hue2rgb(a,o,t-1/3)}},rgb2hsl:({r:t,g:e,b:i},r)=>{t/=255,e/=255,i/=255;const n=Math.max(t,e,i),o=Math.min(t,e,i),a=(n+o)/2;if("l"===r)return 100*a;if(n===o)return 0;const s=n-o;if("s"===r)return 100*(a>.5?s/(2-n-o):s/(n+o));switch(n){case t:return 60*((e-i)/s+(e<i?6:0));case e:return 60*((i-t)/s+2);case i:return 60*((t-e)/s+4);default:return-1}}},n={channel:r,lang:{clamp:(t,e,i)=>e>i?Math.min(e,Math.max(i,t)):Math.min(i,Math.max(e,t)),round:t=>Math.round(1e10*t)/1e10},unit:{dec2hex:t=>{const e=Math.round(t).toString(16);return e.length>1?e:`0${e}`}}}},7308:(t,e,i)=>{"use strict";i.d(e,{Z:()=>d});const r=function(){this.__data__=[],this.size=0};var n=i(9651);const o=function(t,e){for(var i=t.length;i--;)if((0,n.Z)(t[i][0],e))return i;return-1};var a=Array.prototype.splice;const s=function(t){var e=this.__data__,i=o(e,t);return!(i<0)&&(i==e.length-1?e.pop():a.call(e,i,1),--this.size,!0)};const l=function(t){var e=this.__data__,i=o(e,t);return i<0?void 0:e[i][1]};const c=function(t){return o(this.__data__,t)>-1};const h=function(t,e){var i=this.__data__,r=o(i,t);return r<0?(++this.size,i.push([t,e])):i[r][1]=e,this};function u(t){var e=-1,i=null==t?0:t.length;for(this.clear();++e<i;){var r=t[e];this.set(r[0],r[1])}}u.prototype.clear=r,u.prototype.delete=s,u.prototype.get=l,u.prototype.has=c,u.prototype.set=h;const d=u},6183:(t,e,i)=>{"use strict";i.d(e,{Z:()=>o});var r=i(2508),n=i(6092);const o=(0,r.Z)(n.Z,"Map")},7834:(t,e,i)=>{"use strict";i.d(e,{Z:()=>k});const r=(0,i(2508).Z)(Object,"create");const n=function(){this.__data__=r?r(null):{},this.size=0};const o=function(t){var e=this.has(t)&&delete this.__data__[t];return this.size-=e?1:0,e};var a=Object.prototype.hasOwnProperty;const s=function(t){var e=this.__data__;if(r){var i=e[t];return"__lodash_hash_undefined__"===i?void 0:i}return a.call(e,t)?e[t]:void 0};var l=Object.prototype.hasOwnProperty;const c=function(t){var e=this.__data__;return r?void 0!==e[t]:l.call(e,t)};const h=function(t,e){var i=this.__data__;return this.size+=this.has(t)?0:1,i[t]=r&&void 0===e?"__lodash_hash_undefined__":e,this};function u(t){var e=-1,i=null==t?0:t.length;for(this.clear();++e<i;){var r=t[e];this.set(r[0],r[1])}}u.prototype.clear=n,u.prototype.delete=o,u.prototype.get=s,u.prototype.has=c,u.prototype.set=h;const d=u;var f=i(7308),p=i(6183);const g=function(){this.size=0,this.__data__={hash:new d,map:new(p.Z||f.Z),string:new d}};const m=function(t){var e=typeof t;return"string"==e||"number"==e||"symbol"==e||"boolean"==e?"__proto__"!==t:null===t};const y=function(t,e){var i=t.__data__;return m(e)?i["string"==typeof e?"string":"hash"]:i.map};const x=function(t){var e=y(this,t).delete(t);return this.size-=e?1:0,e};const b=function(t){return y(this,t).get(t)};const C=function(t){return y(this,t).has(t)};const _=function(t,e){var i=y(this,t),r=i.size;return i.set(t,e),this.size+=i.size==r?0:1,this};function v(t){var e=-1,i=null==t?0:t.length;for(this.clear();++e<i;){var r=t[e];this.set(r[0],r[1])}}v.prototype.clear=g,v.prototype.delete=x,v.prototype.get=b,v.prototype.has=C,v.prototype.set=_;const k=v},3203:(t,e,i)=>{"use strict";i.d(e,{Z:()=>o});var r=i(2508),n=i(6092);const o=(0,r.Z)(n.Z,"Set")},1667:(t,e,i)=>{"use strict";i.d(e,{Z:()=>d});var r=i(7308);const n=function(){this.__data__=new r.Z,this.size=0};const o=function(t){var e=this.__data__,i=e.delete(t);return this.size=e.size,i};const a=function(t){return this.__data__.get(t)};const s=function(t){return this.__data__.has(t)};var l=i(6183),c=i(7834);const h=function(t,e){var i=this.__data__;if(i instanceof r.Z){var n=i.__data__;if(!l.Z||n.length<199)return n.push([t,e]),this.size=++i.size,this;i=this.__data__=new c.Z(n)}return i.set(t,e),this.size=i.size,this};function u(t){var e=this.__data__=new r.Z(t);this.size=e.size}u.prototype.clear=n,u.prototype.delete=o,u.prototype.get=a,u.prototype.has=s,u.prototype.set=h;const d=u},7685:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=i(6092).Z.Symbol},4073:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=i(6092).Z.Uint8Array},7668:(t,e,i)=>{"use strict";i.d(e,{Z:()=>h});const r=function(t,e){for(var i=-1,r=Array(t);++i<t;)r[i]=e(i);return r};var n=i(9169),o=i(7771),a=i(7008),s=i(6009),l=i(8843),c=Object.prototype.hasOwnProperty;const h=function(t,e){var i=(0,o.Z)(t),h=!i&&(0,n.Z)(t),u=!i&&!h&&(0,a.Z)(t),d=!i&&!h&&!u&&(0,l.Z)(t),f=i||h||u||d,p=f?r(t.length,String):[],g=p.length;for(var m in t)!e&&!c.call(t,m)||f&&("length"==m||u&&("offset"==m||"parent"==m)||d&&("buffer"==m||"byteLength"==m||"byteOffset"==m)||(0,s.Z)(m,g))||p.push(m);return p}},2954:(t,e,i)=>{"use strict";i.d(e,{Z:()=>a});var r=i(4752),n=i(9651),o=Object.prototype.hasOwnProperty;const a=function(t,e,i){var a=t[e];o.call(t,e)&&(0,n.Z)(a,i)&&(void 0!==i||e in t)||(0,r.Z)(t,e,i)}},4752:(t,e,i)=>{"use strict";i.d(e,{Z:()=>n});var r=i(7904);const n=function(t,e,i){"__proto__"==e&&r.Z?(0,r.Z)(t,e,{configurable:!0,enumerable:!0,value:i,writable:!0}):t[e]=i}},1395:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=function(t){return function(e,i,r){for(var n=-1,o=Object(e),a=r(e),s=a.length;s--;){var l=a[t?s:++n];if(!1===i(o[l],l,o))break}return e}}()},3589:(t,e,i)=>{"use strict";i.d(e,{Z:()=>d});var r=i(7685),n=Object.prototype,o=n.hasOwnProperty,a=n.toString,s=r.Z?r.Z.toStringTag:void 0;const l=function(t){var e=o.call(t,s),i=t[s];try{t[s]=void 0;var r=!0}catch(l){}var n=a.call(t);return r&&(e?t[s]=i:delete t[s]),n};var c=Object.prototype.toString;const h=function(t){return c.call(t)};var u=r.Z?r.Z.toStringTag:void 0;const d=function(t){return null==t?void 0===t?"[object Undefined]":"[object Null]":u&&u in Object(t)?l(t):h(t)}},9473:(t,e,i)=>{"use strict";i.d(e,{Z:()=>a});var r=i(2764);const n=(0,i(1851).Z)(Object.keys,Object);var o=Object.prototype.hasOwnProperty;const a=function(t){if(!(0,r.Z)(t))return n(t);var e=[];for(var i in Object(t))o.call(t,i)&&"constructor"!=i&&e.push(i);return e}},9581:(t,e,i)=>{"use strict";i.d(e,{Z:()=>a});var r=i(9203),n=i(1211),o=i(7227);const a=function(t,e){return(0,o.Z)((0,n.Z)(t,e,r.Z),t+"")}},1162:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=function(t){return function(e){return t(e)}}},1884:(t,e,i)=>{"use strict";i.d(e,{Z:()=>n});var r=i(4073);const n=function(t){var e=new t.constructor(t.byteLength);return new r.Z(e).set(new r.Z(t)),e}},1050:(t,e,i)=>{"use strict";i.d(e,{Z:()=>l});var r=i(6092),n="object"==typeof exports&&exports&&!exports.nodeType&&exports,o=n&&"object"==typeof module&&module&&!module.nodeType&&module,a=o&&o.exports===n?r.Z.Buffer:void 0,s=a?a.allocUnsafe:void 0;const l=function(t,e){if(e)return t.slice();var i=t.length,r=s?s(i):new t.constructor(i);return t.copy(r),r}},2701:(t,e,i)=>{"use strict";i.d(e,{Z:()=>n});var r=i(1884);const n=function(t,e){var i=e?(0,r.Z)(t.buffer):t.buffer;return new t.constructor(i,t.byteOffset,t.length)}},7215:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=function(t,e){var i=-1,r=t.length;for(e||(e=Array(r));++i<r;)e[i]=t[i];return e}},1899:(t,e,i)=>{"use strict";i.d(e,{Z:()=>o});var r=i(2954),n=i(4752);const o=function(t,e,i,o){var a=!i;i||(i={});for(var s=-1,l=e.length;++s<l;){var c=e[s],h=o?o(i[c],t[c],c,i,t):void 0;void 0===h&&(h=t[c]),a?(0,n.Z)(i,c,h):(0,r.Z)(i,c,h)}return i}},7904:(t,e,i)=>{"use strict";i.d(e,{Z:()=>n});var r=i(2508);const n=function(){try{var t=(0,r.Z)(Object,"defineProperty");return t({},"",{}),t}catch(e){}}()},3413:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r="object"==typeof global&&global&&global.Object===Object&&global},2508:(t,e,i)=>{"use strict";i.d(e,{Z:()=>x});var r=i(3234);const n=i(6092).Z["__core-js_shared__"];var o,a=(o=/[^.]+$/.exec(n&&n.keys&&n.keys.IE_PROTO||""))?"Symbol(src)_1."+o:"";const s=function(t){return!!a&&a in t};var l=i(7226),c=i(19),h=/^\[object .+?Constructor\]$/,u=Function.prototype,d=Object.prototype,f=u.toString,p=d.hasOwnProperty,g=RegExp("^"+f.call(p).replace(/[\\^$.*+?()[\]{}|]/g,"\\$&").replace(/hasOwnProperty|(function).*?(?=\\\()| for .+?(?=\\\])/g,"$1.*?")+"$");const m=function(t){return!(!(0,l.Z)(t)||s(t))&&((0,r.Z)(t)?g:h).test((0,c.Z)(t))};const y=function(t,e){return null==t?void 0:t[e]};const x=function(t,e){var i=y(t,e);return m(i)?i:void 0}},2513:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=(0,i(1851).Z)(Object.getPrototypeOf,Object)},3970:(t,e,i)=>{"use strict";i.d(e,{Z:()=>k});var r=i(2508),n=i(6092);const o=(0,r.Z)(n.Z,"DataView");var a=i(6183);const s=(0,r.Z)(n.Z,"Promise");var l=i(3203);const c=(0,r.Z)(n.Z,"WeakMap");var h=i(3589),u=i(19),d="[object Map]",f="[object Promise]",p="[object Set]",g="[object WeakMap]",m="[object DataView]",y=(0,u.Z)(o),x=(0,u.Z)(a.Z),b=(0,u.Z)(s),C=(0,u.Z)(l.Z),_=(0,u.Z)(c),v=h.Z;(o&&v(new o(new ArrayBuffer(1)))!=m||a.Z&&v(new a.Z)!=d||s&&v(s.resolve())!=f||l.Z&&v(new l.Z)!=p||c&&v(new c)!=g)&&(v=function(t){var e=(0,h.Z)(t),i="[object Object]"==e?t.constructor:void 0,r=i?(0,u.Z)(i):"";if(r)switch(r){case y:return m;case x:return d;case b:return f;case C:return p;case _:return g}return e});const k=v},3658:(t,e,i)=>{"use strict";i.d(e,{Z:()=>l});var r=i(7226),n=Object.create;const o=function(){function t(){}return function(e){if(!(0,r.Z)(e))return{};if(n)return n(e);t.prototype=e;var i=new t;return t.prototype=void 0,i}}();var a=i(2513),s=i(2764);const l=function(t){return"function"!=typeof t.constructor||(0,s.Z)(t)?{}:o((0,a.Z)(t))}},6009:(t,e,i)=>{"use strict";i.d(e,{Z:()=>n});var r=/^(?:0|[1-9]\d*)$/;const n=function(t,e){var i=typeof t;return!!(e=null==e?9007199254740991:e)&&("number"==i||"symbol"!=i&&r.test(t))&&t>-1&&t%1==0&&t<e}},439:(t,e,i)=>{"use strict";i.d(e,{Z:()=>s});var r=i(9651),n=i(585),o=i(6009),a=i(7226);const s=function(t,e,i){if(!(0,a.Z)(i))return!1;var s=typeof e;return!!("number"==s?(0,n.Z)(i)&&(0,o.Z)(e,i.length):"string"==s&&e in i)&&(0,r.Z)(i[e],t)}},2764:(t,e,i)=>{"use strict";i.d(e,{Z:()=>n});var r=Object.prototype;const n=function(t){var e=t&&t.constructor;return t===("function"==typeof e&&e.prototype||r)}},8351:(t,e,i)=>{"use strict";i.d(e,{Z:()=>s});var r=i(3413),n="object"==typeof exports&&exports&&!exports.nodeType&&exports,o=n&&"object"==typeof module&&module&&!module.nodeType&&module,a=o&&o.exports===n&&r.Z.process;const s=function(){try{var t=o&&o.require&&o.require("util").types;return t||a&&a.binding&&a.binding("util")}catch(e){}}()},1851:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=function(t,e){return function(i){return t(e(i))}}},1211:(t,e,i)=>{"use strict";i.d(e,{Z:()=>o});const r=function(t,e,i){switch(i.length){case 0:return t.call(e);case 1:return t.call(e,i[0]);case 2:return t.call(e,i[0],i[1]);case 3:return t.call(e,i[0],i[1],i[2])}return t.apply(e,i)};var n=Math.max;const o=function(t,e,i){return e=n(void 0===e?t.length-1:e,0),function(){for(var o=arguments,a=-1,s=n(o.length-e,0),l=Array(s);++a<s;)l[a]=o[e+a];a=-1;for(var c=Array(e+1);++a<e;)c[a]=o[a];return c[e]=i(l),r(t,this,c)}}},6092:(t,e,i)=>{"use strict";i.d(e,{Z:()=>o});var r=i(3413),n="object"==typeof self&&self&&self.Object===Object&&self;const o=r.Z||n||Function("return this")()},7227:(t,e,i)=>{"use strict";i.d(e,{Z:()=>l});var r=i(2002),n=i(7904),o=i(9203);const a=n.Z?function(t,e){return(0,n.Z)(t,"toString",{configurable:!0,enumerable:!1,value:(0,r.Z)(e),writable:!0})}:o.Z;var s=Date.now;const l=function(t){var e=0,i=0;return function(){var r=s(),n=16-(r-i);if(i=r,n>0){if(++e>=800)return arguments[0]}else e=0;return t.apply(void 0,arguments)}}(a)},19:(t,e,i)=>{"use strict";i.d(e,{Z:()=>n});var r=Function.prototype.toString;const n=function(t){if(null!=t){try{return r.call(t)}catch(e){}try{return t+""}catch(e){}}return""}},2002:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=function(t){return function(){return t}}},9651:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=function(t,e){return t===e||t!=t&&e!=e}},9203:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=function(t){return t}},9169:(t,e,i)=>{"use strict";i.d(e,{Z:()=>c});var r=i(3589),n=i(8533);const o=function(t){return(0,n.Z)(t)&&"[object Arguments]"==(0,r.Z)(t)};var a=Object.prototype,s=a.hasOwnProperty,l=a.propertyIsEnumerable;const c=o(function(){return arguments}())?o:function(t){return(0,n.Z)(t)&&s.call(t,"callee")&&!l.call(t,"callee")}},7771:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=Array.isArray},585:(t,e,i)=>{"use strict";i.d(e,{Z:()=>o});var r=i(3234),n=i(1656);const o=function(t){return null!=t&&(0,n.Z)(t.length)&&!(0,r.Z)(t)}},836:(t,e,i)=>{"use strict";i.d(e,{Z:()=>o});var r=i(585),n=i(8533);const o=function(t){return(0,n.Z)(t)&&(0,r.Z)(t)}},7008:(t,e,i)=>{"use strict";i.d(e,{Z:()=>l});var r=i(6092);const n=function(){return!1};var o="object"==typeof exports&&exports&&!exports.nodeType&&exports,a=o&&"object"==typeof module&&module&&!module.nodeType&&module,s=a&&a.exports===o?r.Z.Buffer:void 0;const l=(s?s.isBuffer:void 0)||n},9697:(t,e,i)=>{"use strict";i.d(e,{Z:()=>d});var r=i(9473),n=i(3970),o=i(9169),a=i(7771),s=i(585),l=i(7008),c=i(2764),h=i(8843),u=Object.prototype.hasOwnProperty;const d=function(t){if(null==t)return!0;if((0,s.Z)(t)&&((0,a.Z)(t)||"string"==typeof t||"function"==typeof t.splice||(0,l.Z)(t)||(0,h.Z)(t)||(0,o.Z)(t)))return!t.length;var e=(0,n.Z)(t);if("[object Map]"==e||"[object Set]"==e)return!t.size;if((0,c.Z)(t))return!(0,r.Z)(t).length;for(var i in t)if(u.call(t,i))return!1;return!0}},3234:(t,e,i)=>{"use strict";i.d(e,{Z:()=>o});var r=i(3589),n=i(7226);const o=function(t){if(!(0,n.Z)(t))return!1;var e=(0,r.Z)(t);return"[object Function]"==e||"[object GeneratorFunction]"==e||"[object AsyncFunction]"==e||"[object Proxy]"==e}},1656:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=function(t){return"number"==typeof t&&t>-1&&t%1==0&&t<=9007199254740991}},7226:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=function(t){var e=typeof t;return null!=t&&("object"==e||"function"==e)}},8533:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=function(t){return null!=t&&"object"==typeof t}},7514:(t,e,i)=>{"use strict";i.d(e,{Z:()=>u});var r=i(3589),n=i(2513),o=i(8533),a=Function.prototype,s=Object.prototype,l=a.toString,c=s.hasOwnProperty,h=l.call(Object);const u=function(t){if(!(0,o.Z)(t)||"[object Object]"!=(0,r.Z)(t))return!1;var e=(0,n.Z)(t);if(null===e)return!0;var i=c.call(e,"constructor")&&e.constructor;return"function"==typeof i&&i instanceof i&&l.call(i)==h}},8843:(t,e,i)=>{"use strict";i.d(e,{Z:()=>u});var r=i(3589),n=i(1656),o=i(8533),a={};a["[object Float32Array]"]=a["[object Float64Array]"]=a["[object Int8Array]"]=a["[object Int16Array]"]=a["[object Int32Array]"]=a["[object Uint8Array]"]=a["[object Uint8ClampedArray]"]=a["[object Uint16Array]"]=a["[object Uint32Array]"]=!0,a["[object Arguments]"]=a["[object Array]"]=a["[object ArrayBuffer]"]=a["[object Boolean]"]=a["[object DataView]"]=a["[object Date]"]=a["[object Error]"]=a["[object Function]"]=a["[object Map]"]=a["[object Number]"]=a["[object Object]"]=a["[object RegExp]"]=a["[object Set]"]=a["[object String]"]=a["[object WeakMap]"]=!1;const s=function(t){return(0,o.Z)(t)&&(0,n.Z)(t.length)&&!!a[(0,r.Z)(t)]};var l=i(1162),c=i(8351),h=c.Z&&c.Z.isTypedArray;const u=h?(0,l.Z)(h):s},2957:(t,e,i)=>{"use strict";i.d(e,{Z:()=>h});var r=i(7668),n=i(7226),o=i(2764);const a=function(t){var e=[];if(null!=t)for(var i in Object(t))e.push(i);return e};var s=Object.prototype.hasOwnProperty;const l=function(t){if(!(0,n.Z)(t))return a(t);var e=(0,o.Z)(t),i=[];for(var r in t)("constructor"!=r||!e&&s.call(t,r))&&i.push(r);return i};var c=i(585);const h=function(t){return(0,c.Z)(t)?(0,r.Z)(t,!0):l(t)}},2454:(t,e,i)=>{"use strict";i.d(e,{Z:()=>o});var r=i(7834);function n(t,e){if("function"!=typeof t||null!=e&&"function"!=typeof e)throw new TypeError("Expected a function");var i=function(){var r=arguments,n=e?e.apply(this,r):r[0],o=i.cache;if(o.has(n))return o.get(n);var a=t.apply(this,r);return i.cache=o.set(n,a)||o,a};return i.cache=new(n.Cache||r.Z),i}n.Cache=r.Z;const o=n},9236:(t,e,i)=>{"use strict";i.d(e,{Z:()=>F});var r=i(1667),n=i(4752),o=i(9651);const a=function(t,e,i){(void 0!==i&&!(0,o.Z)(t[e],i)||void 0===i&&!(e in t))&&(0,n.Z)(t,e,i)};var s=i(1395),l=i(1050),c=i(2701),h=i(7215),u=i(3658),d=i(9169),f=i(7771),p=i(836),g=i(7008),m=i(3234),y=i(7226),x=i(7514),b=i(8843);const C=function(t,e){if(("constructor"!==e||"function"!=typeof t[e])&&"__proto__"!=e)return t[e]};var _=i(1899),v=i(2957);const k=function(t){return(0,_.Z)(t,(0,v.Z)(t))};const T=function(t,e,i,r,n,o,s){var _=C(t,i),v=C(e,i),T=s.get(v);if(T)a(t,i,T);else{var w=o?o(_,v,i+"",t,e,s):void 0,S=void 0===w;if(S){var B=(0,f.Z)(v),F=!B&&(0,g.Z)(v),L=!B&&!F&&(0,b.Z)(v);w=v,B||F||L?(0,f.Z)(_)?w=_:(0,p.Z)(_)?w=(0,h.Z)(_):F?(S=!1,w=(0,l.Z)(v,!0)):L?(S=!1,w=(0,c.Z)(v,!0)):w=[]:(0,x.Z)(v)||(0,d.Z)(v)?(w=_,(0,d.Z)(_)?w=k(_):(0,y.Z)(_)&&!(0,m.Z)(_)||(w=(0,u.Z)(v))):S=!1}S&&(s.set(v,w),n(w,v,r,o,s),s.delete(v)),a(t,i,w)}};const w=function t(e,i,n,o,l){e!==i&&(0,s.Z)(i,(function(s,c){if(l||(l=new r.Z),(0,y.Z)(s))T(e,i,c,n,t,o,l);else{var h=o?o(C(e,c),s,c+"",e,i,l):void 0;void 0===h&&(h=s),a(e,c,h)}}),v.Z)};var S=i(9581),B=i(439);const F=function(t){return(0,S.Z)((function(e,i){var r=-1,n=i.length,o=n>1?i[n-1]:void 0,a=n>2?i[2]:void 0;for(o=t.length>3&&"function"==typeof o?(n--,o):void 0,a&&(0,B.Z)(i[0],i[1],a)&&(o=n<3?void 0:o,n=1),e=Object(e);++r<n;){var s=i[r];s&&t(e,s,r,o)}return e}))}((function(t,e,i){w(t,e,i)}))},5322:(t,e,i)=>{"use strict";i.d(e,{A:()=>It,B:()=>me,C:()=>ge,D:()=>Ft,E:()=>Be,F:()=>er,G:()=>oe,H:()=>ht,I:()=>Mi,J:()=>qn,K:()=>Si,L:()=>to,Z:()=>Gt,a:()=>ki,b:()=>vi,c:()=>Li,d:()=>ft,e:()=>_t,f:()=>Vt,g:()=>_i,h:()=>ue,i:()=>ui,j:()=>he,k:()=>re,l:()=>st,m:()=>mt,n:()=>Kt,o:()=>di,p:()=>Ai,q:()=>Ti,r:()=>wi,s:()=>Ci,t:()=>bi,u:()=>ye,v:()=>yt,w:()=>le,x:()=>ae,y:()=>Ni,z:()=>Di});var r=i(8464),n=i(7484),o=i(7967),a=i(4218),s=i(7856),l=i(1610),c=i(9807);const h=(t,e)=>{const i=l.Z.parse(t),r={};for(const n in e)e[n]&&(r[n]=i[n]+e[n]);return(0,c.Z)(t,r)};var u=i(1117);const d=(t,e,i=50)=>{const{r:r,g:n,b:o,a:a}=l.Z.parse(t),{r:s,g:c,b:h,a:d}=l.Z.parse(e),f=i/100,p=2*f-1,g=a-d,m=((p*g==-1?p:(p+g)/(1+p*g))+1)/2,y=1-m,x=r*m+s*y,b=n*m+c*y,C=o*m+h*y,_=a*f+d*(1-f);return(0,u.Z)(x,b,C,_)},f=(t,e=100)=>{const i=l.Z.parse(t);return i.r=255-i.r,i.g=255-i.g,i.b=255-i.b,d(i,t,e)};var p=i(7201),g=i(2281),m=i(1619),y=i(2454),x=i(9236),b="comm",C="rule",_="decl",v=Math.abs,k=String.fromCharCode;Object.assign;function T(t){return t.trim()}function w(t,e,i){return t.replace(e,i)}function S(t,e){return t.indexOf(e)}function B(t,e){return 0|t.charCodeAt(e)}function F(t,e,i){return t.slice(e,i)}function L(t){return t.length}function A(t,e){return e.push(t),t}function M(t,e){for(var i="",r=0;r<t.length;r++)i+=e(t[r],r,t,e)||"";return i}function E(t,e,i,r){switch(t.type){case"@layer":if(t.children.length)break;case"@import":case _:return t.return=t.return||t.value;case b:return"";case"@keyframes":return t.return=t.value+"{"+M(t.children,r)+"}";case C:if(!L(t.value=t.props.join(",")))return""}return L(i=M(t.children,r))?t.return=t.value+"{"+i+"}":""}var N=1,Z=1,j=0,I=0,O=0,D="";function q(t,e,i,r,n,o,a,s){return{value:t,root:e,parent:i,type:r,props:n,children:o,line:N,column:Z,length:a,return:"",siblings:s}}function $(){return O=I>0?B(D,--I):0,Z--,10===O&&(Z=1,N--),O}function z(){return O=I<j?B(D,I++):0,Z++,10===O&&(Z=1,N++),O}function P(){return B(D,I)}function R(){return I}function H(t,e){return F(D,t,e)}function W(t){switch(t){case 0:case 9:case 10:case 13:case 32:return 5;case 33:case 43:case 44:case 47:case 62:case 64:case 126:case 59:case 123:case 125:return 4;case 58:return 3;case 34:case 39:case 40:case 91:return 2;case 41:case 93:return 1}return 0}function U(t){return N=Z=1,j=L(D=t),I=0,[]}function Y(t){return D="",t}function V(t){return T(H(I-1,J(91===t?t+2:40===t?t+1:t)))}function G(t){for(;(O=P())&&O<33;)z();return W(t)>2||W(O)>3?"":" "}function X(t,e){for(;--e&&z()&&!(O<48||O>102||O>57&&O<65||O>70&&O<97););return H(t,R()+(e<6&&32==P()&&32==z()))}function J(t){for(;z();)switch(O){case t:return I;case 34:case 39:34!==t&&39!==t&&J(O);break;case 40:41===t&&J(t);break;case 92:z()}return I}function Q(t,e){for(;z()&&t+O!==57&&(t+O!==84||47!==P()););return"/*"+H(e,I-1)+"*"+k(47===t?t:z())}function K(t){for(;!W(P());)z();return H(t,I)}function tt(t){return Y(et("",null,null,null,[""],t=U(t),0,[0],t))}function et(t,e,i,r,n,o,a,s,l){for(var c=0,h=0,u=a,d=0,f=0,p=0,g=1,m=1,y=1,x=0,b="",C=n,_=o,v=r,T=b;m;)switch(p=x,x=z()){case 40:if(108!=p&&58==B(T,u-1)){-1!=S(T+=w(V(x),"&","&\f"),"&\f")&&(y=-1);break}case 34:case 39:case 91:T+=V(x);break;case 9:case 10:case 13:case 32:T+=G(p);break;case 92:T+=X(R()-1,7);continue;case 47:switch(P()){case 42:case 47:A(rt(Q(z(),R()),e,i,l),l);break;default:T+="/"}break;case 123*g:s[c++]=L(T)*y;case 125*g:case 59:case 0:switch(x){case 0:case 125:m=0;case 59+h:-1==y&&(T=w(T,/\f/g,"")),f>0&&L(T)-u&&A(f>32?nt(T+";",r,i,u-1,l):nt(w(T," ","")+";",r,i,u-2,l),l);break;case 59:T+=";";default:if(A(v=it(T,e,i,c,h,n,s,b,C=[],_=[],u,o),o),123===x)if(0===h)et(T,e,v,v,C,o,u,s,_);else switch(99===d&&110===B(T,3)?100:d){case 100:case 108:case 109:case 115:et(t,v,v,r&&A(it(t,v,v,0,0,n,s,b,n,C=[],u,_),_),n,_,u,s,r?C:_);break;default:et(T,v,v,v,[""],_,0,s,_)}}c=h=f=0,g=y=1,b=T="",u=a;break;case 58:u=1+L(T),f=p;default:if(g<1)if(123==x)--g;else if(125==x&&0==g++&&125==$())continue;switch(T+=k(x),x*g){case 38:y=h>0?1:(T+="\f",-1);break;case 44:s[c++]=(L(T)-1)*y,y=1;break;case 64:45===P()&&(T+=V(z())),d=P(),h=u=L(b=T+=K(R())),x++;break;case 45:45===p&&2==L(T)&&(g=0)}}return o}function it(t,e,i,r,n,o,a,s,l,c,h,u){for(var d=n-1,f=0===n?o:[""],p=function(t){return t.length}(f),g=0,m=0,y=0;g<r;++g)for(var x=0,b=F(t,d+1,d=v(m=a[g])),_=t;x<p;++x)(_=T(m>0?f[x]+" "+b:w(b,/&\f/g,f[x])))&&(l[y++]=_);return q(t,e,i,0===n?C:s,l,c,h,u)}function rt(t,e,i,r){return q(t,e,i,b,k(O),F(t,2,-2),0,r)}function nt(t,e,i,r,n){return q(t,e,i,_,F(t,0,r),F(t,r+1,-1),r,n)}var ot=i(9697);const at={trace:0,debug:1,info:2,warn:3,error:4,fatal:5},st={trace:(...t)=>{},debug:(...t)=>{},info:(...t)=>{},warn:(...t)=>{},error:(...t)=>{},fatal:(...t)=>{}},lt=function(t="fatal"){let e=at.fatal;"string"==typeof t?(t=t.toLowerCase())in at&&(e=at[t]):"number"==typeof t&&(e=t),st.trace=()=>{},st.debug=()=>{},st.info=()=>{},st.warn=()=>{},st.error=()=>{},st.fatal=()=>{},e<=at.fatal&&(st.fatal=console.error?console.error.bind(console,ct("FATAL"),"color: orange"):console.log.bind(console,"\x1b[35m",ct("FATAL"))),e<=at.error&&(st.error=console.error?console.error.bind(console,ct("ERROR"),"color: orange"):console.log.bind(console,"\x1b[31m",ct("ERROR"))),e<=at.warn&&(st.warn=console.warn?console.warn.bind(console,ct("WARN"),"color: orange"):console.log.bind(console,"\x1b[33m",ct("WARN"))),e<=at.info&&(st.info=console.info?console.info.bind(console,ct("INFO"),"color: lightblue"):console.log.bind(console,"\x1b[34m",ct("INFO"))),e<=at.debug&&(st.debug=console.debug?console.debug.bind(console,ct("DEBUG"),"color: lightgreen"):console.log.bind(console,"\x1b[32m",ct("DEBUG"))),e<=at.trace&&(st.trace=console.debug?console.debug.bind(console,ct("TRACE"),"color: lightgreen"):console.log.bind(console,"\x1b[32m",ct("TRACE")))},ct=t=>`%c${n().format("ss.SSS")} : ${t} : `,ht=/<br\s*\/?>/gi,ut=t=>s.sanitize(t),dt=(t,e)=>{var i;if(!1!==(null==(i=e.flowchart)?void 0:i.htmlLabels)){const i=e.securityLevel;"antiscript"===i||"strict"===i?t=ut(t):"loose"!==i&&(t=(t=(t=gt(t)).replace(/</g,"<").replace(/>/g,">")).replace(/=/g,"="),t=pt(t))}return t},ft=(t,e)=>t?t=e.dompurifyConfig?s.sanitize(dt(t,e),e.dompurifyConfig).toString():s.sanitize(dt(t,e),{FORBID_TAGS:["style"]}).toString():t,pt=t=>t.replace(/#br#/g,"<br/>"),gt=t=>t.replace(ht,"#br#"),mt=t=>!1!==t&&!["false","null","0"].includes(String(t).trim().toLowerCase()),yt=function(t){const e=t.split(/(,)/),i=[];for(let r=0;r<e.length;r++){let t=e[r];if(","===t&&r>0&&r+1<e.length){const n=e[r-1],o=e[r+1];bt(n,o)&&(t=n+","+o,r++,i.pop())}i.push(Ct(t))}return i.join("")},xt=(t,e)=>Math.max(0,t.split(e).length-1),bt=(t,e)=>{const i=xt(t,"~"),r=xt(e,"~");return 1===i&&1===r},Ct=t=>{const e=xt(t,"~");let i=!1;if(e<=1)return t;e%2!=0&&t.startsWith("~")&&(t=t.substring(1),i=!0);const r=[...t];let n=r.indexOf("~"),o=r.lastIndexOf("~");for(;-1!==n&&-1!==o&&n!==o;)r[n]="<",r[o]=">",n=r.indexOf("~"),o=r.lastIndexOf("~");return i&&r.unshift("~"),r.join("")},_t={getRows:t=>{if(!t)return[""];return gt(t).replace(/\\n/g,"#br#").split("#br#")},sanitizeText:ft,sanitizeTextOrArray:(t,e)=>"string"==typeof t?ft(t,e):t.flat().map((t=>ft(t,e))),hasBreaks:t=>ht.test(t),splitBreaks:t=>t.split(ht),lineBreakRegex:ht,removeScript:ut,getUrl:t=>{let e="";return t&&(e=window.location.protocol+"//"+window.location.host+window.location.pathname+window.location.search,e=e.replaceAll(/\(/g,"\\("),e=e.replaceAll(/\)/g,"\\)")),e},evaluate:mt,getMax:function(...t){const e=t.filter((t=>!isNaN(t)));return Math.max(...e)},getMin:function(...t){const e=t.filter((t=>!isNaN(t)));return Math.min(...e)}},vt=(t,e)=>h(t,e?{s:-40,l:10}:{s:-40,l:-10}),kt="#ffffff",Tt="#f2f2f2";let wt=class{constructor(){this.background="#f4f4f4",this.primaryColor="#fff4dd",this.noteBkgColor="#fff5ad",this.noteTextColor="#333",this.THEME_COLOR_LIMIT=12,this.fontFamily='"trebuchet ms", verdana, arial, sans-serif',this.fontSize="16px"}updateColors(){var t,e,i,r,n,o,a,s,l,c,u;if(this.primaryTextColor=this.primaryTextColor||(this.darkMode?"#eee":"#333"),this.secondaryColor=this.secondaryColor||h(this.primaryColor,{h:-120}),this.tertiaryColor=this.tertiaryColor||h(this.primaryColor,{h:180,l:5}),this.primaryBorderColor=this.primaryBorderColor||vt(this.primaryColor,this.darkMode),this.secondaryBorderColor=this.secondaryBorderColor||vt(this.secondaryColor,this.darkMode),this.tertiaryBorderColor=this.tertiaryBorderColor||vt(this.tertiaryColor,this.darkMode),this.noteBorderColor=this.noteBorderColor||vt(this.noteBkgColor,this.darkMode),this.noteBkgColor=this.noteBkgColor||"#fff5ad",this.noteTextColor=this.noteTextColor||"#333",this.secondaryTextColor=this.secondaryTextColor||f(this.secondaryColor),this.tertiaryTextColor=this.tertiaryTextColor||f(this.tertiaryColor),this.lineColor=this.lineColor||f(this.background),this.arrowheadColor=this.arrowheadColor||f(this.background),this.textColor=this.textColor||this.primaryTextColor,this.border2=this.border2||this.tertiaryBorderColor,this.nodeBkg=this.nodeBkg||this.primaryColor,this.mainBkg=this.mainBkg||this.primaryColor,this.nodeBorder=this.nodeBorder||this.primaryBorderColor,this.clusterBkg=this.clusterBkg||this.tertiaryColor,this.clusterBorder=this.clusterBorder||this.tertiaryBorderColor,this.defaultLinkColor=this.defaultLinkColor||this.lineColor,this.titleColor=this.titleColor||this.tertiaryTextColor,this.edgeLabelBackground=this.edgeLabelBackground||(this.darkMode?(0,p.Z)(this.secondaryColor,30):this.secondaryColor),this.nodeTextColor=this.nodeTextColor||this.primaryTextColor,this.actorBorder=this.actorBorder||this.primaryBorderColor,this.actorBkg=this.actorBkg||this.mainBkg,this.actorTextColor=this.actorTextColor||this.primaryTextColor,this.actorLineColor=this.actorLineColor||"grey",this.labelBoxBkgColor=this.labelBoxBkgColor||this.actorBkg,this.signalColor=this.signalColor||this.textColor,this.signalTextColor=this.signalTextColor||this.textColor,this.labelBoxBorderColor=this.labelBoxBorderColor||this.actorBorder,this.labelTextColor=this.labelTextColor||this.actorTextColor,this.loopTextColor=this.loopTextColor||this.actorTextColor,this.activationBorderColor=this.activationBorderColor||(0,p.Z)(this.secondaryColor,10),this.activationBkgColor=this.activationBkgColor||this.secondaryColor,this.sequenceNumberColor=this.sequenceNumberColor||f(this.lineColor),this.sectionBkgColor=this.sectionBkgColor||this.tertiaryColor,this.altSectionBkgColor=this.altSectionBkgColor||"white",this.sectionBkgColor=this.sectionBkgColor||this.secondaryColor,this.sectionBkgColor2=this.sectionBkgColor2||this.primaryColor,this.excludeBkgColor=this.excludeBkgColor||"#eeeeee",this.taskBorderColor=this.taskBorderColor||this.primaryBorderColor,this.taskBkgColor=this.taskBkgColor||this.primaryColor,this.activeTaskBorderColor=this.activeTaskBorderColor||this.primaryColor,this.activeTaskBkgColor=this.activeTaskBkgColor||(0,g.Z)(this.primaryColor,23),this.gridColor=this.gridColor||"lightgrey",this.doneTaskBkgColor=this.doneTaskBkgColor||"lightgrey",this.doneTaskBorderColor=this.doneTaskBorderColor||"grey",this.critBorderColor=this.critBorderColor||"#ff8888",this.critBkgColor=this.critBkgColor||"red",this.todayLineColor=this.todayLineColor||"red",this.taskTextColor=this.taskTextColor||this.textColor,this.taskTextOutsideColor=this.taskTextOutsideColor||this.textColor,this.taskTextLightColor=this.taskTextLightColor||this.textColor,this.taskTextColor=this.taskTextColor||this.primaryTextColor,this.taskTextDarkColor=this.taskTextDarkColor||this.textColor,this.taskTextClickableColor=this.taskTextClickableColor||"#003163",this.personBorder=this.personBorder||this.primaryBorderColor,this.personBkg=this.personBkg||this.mainBkg,this.transitionColor=this.transitionColor||this.lineColor,this.transitionLabelColor=this.transitionLabelColor||this.textColor,this.stateLabelColor=this.stateLabelColor||this.stateBkg||this.primaryTextColor,this.stateBkg=this.stateBkg||this.mainBkg,this.labelBackgroundColor=this.labelBackgroundColor||this.stateBkg,this.compositeBackground=this.compositeBackground||this.background||this.tertiaryColor,this.altBackground=this.altBackground||this.tertiaryColor,this.compositeTitleBackground=this.compositeTitleBackground||this.mainBkg,this.compositeBorder=this.compositeBorder||this.nodeBorder,this.innerEndBackground=this.nodeBorder,this.errorBkgColor=this.errorBkgColor||this.tertiaryColor,this.errorTextColor=this.errorTextColor||this.tertiaryTextColor,this.transitionColor=this.transitionColor||this.lineColor,this.specialStateColor=this.lineColor,this.cScale0=this.cScale0||this.primaryColor,this.cScale1=this.cScale1||this.secondaryColor,this.cScale2=this.cScale2||this.tertiaryColor,this.cScale3=this.cScale3||h(this.primaryColor,{h:30}),this.cScale4=this.cScale4||h(this.primaryColor,{h:60}),this.cScale5=this.cScale5||h(this.primaryColor,{h:90}),this.cScale6=this.cScale6||h(this.primaryColor,{h:120}),this.cScale7=this.cScale7||h(this.primaryColor,{h:150}),this.cScale8=this.cScale8||h(this.primaryColor,{h:210,l:150}),this.cScale9=this.cScale9||h(this.primaryColor,{h:270}),this.cScale10=this.cScale10||h(this.primaryColor,{h:300}),this.cScale11=this.cScale11||h(this.primaryColor,{h:330}),this.darkMode)for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["cScale"+h]=(0,p.Z)(this["cScale"+h],75);else for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["cScale"+h]=(0,p.Z)(this["cScale"+h],25);for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["cScaleInv"+h]=this["cScaleInv"+h]||f(this["cScale"+h]);for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this.darkMode?this["cScalePeer"+h]=this["cScalePeer"+h]||(0,g.Z)(this["cScale"+h],10):this["cScalePeer"+h]=this["cScalePeer"+h]||(0,p.Z)(this["cScale"+h],10);this.scaleLabelColor=this.scaleLabelColor||this.labelTextColor;for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["cScaleLabel"+h]=this["cScaleLabel"+h]||this.scaleLabelColor;const d=this.darkMode?-4:-1;for(let f=0;f<5;f++)this["surface"+f]=this["surface"+f]||h(this.mainBkg,{h:180,s:-15,l:d*(5+3*f)}),this["surfacePeer"+f]=this["surfacePeer"+f]||h(this.mainBkg,{h:180,s:-15,l:d*(8+3*f)});this.classText=this.classText||this.textColor,this.fillType0=this.fillType0||this.primaryColor,this.fillType1=this.fillType1||this.secondaryColor,this.fillType2=this.fillType2||h(this.primaryColor,{h:64}),this.fillType3=this.fillType3||h(this.secondaryColor,{h:64}),this.fillType4=this.fillType4||h(this.primaryColor,{h:-64}),this.fillType5=this.fillType5||h(this.secondaryColor,{h:-64}),this.fillType6=this.fillType6||h(this.primaryColor,{h:128}),this.fillType7=this.fillType7||h(this.secondaryColor,{h:128}),this.pie1=this.pie1||this.primaryColor,this.pie2=this.pie2||this.secondaryColor,this.pie3=this.pie3||this.tertiaryColor,this.pie4=this.pie4||h(this.primaryColor,{l:-10}),this.pie5=this.pie5||h(this.secondaryColor,{l:-10}),this.pie6=this.pie6||h(this.tertiaryColor,{l:-10}),this.pie7=this.pie7||h(this.primaryColor,{h:60,l:-10}),this.pie8=this.pie8||h(this.primaryColor,{h:-60,l:-10}),this.pie9=this.pie9||h(this.primaryColor,{h:120,l:0}),this.pie10=this.pie10||h(this.primaryColor,{h:60,l:-20}),this.pie11=this.pie11||h(this.primaryColor,{h:-60,l:-20}),this.pie12=this.pie12||h(this.primaryColor,{h:120,l:-10}),this.pieTitleTextSize=this.pieTitleTextSize||"25px",this.pieTitleTextColor=this.pieTitleTextColor||this.taskTextDarkColor,this.pieSectionTextSize=this.pieSectionTextSize||"17px",this.pieSectionTextColor=this.pieSectionTextColor||this.textColor,this.pieLegendTextSize=this.pieLegendTextSize||"17px",this.pieLegendTextColor=this.pieLegendTextColor||this.taskTextDarkColor,this.pieStrokeColor=this.pieStrokeColor||"black",this.pieStrokeWidth=this.pieStrokeWidth||"2px",this.pieOuterStrokeWidth=this.pieOuterStrokeWidth||"2px",this.pieOuterStrokeColor=this.pieOuterStrokeColor||"black",this.pieOpacity=this.pieOpacity||"0.7",this.quadrant1Fill=this.quadrant1Fill||this.primaryColor,this.quadrant2Fill=this.quadrant2Fill||h(this.primaryColor,{r:5,g:5,b:5}),this.quadrant3Fill=this.quadrant3Fill||h(this.primaryColor,{r:10,g:10,b:10}),this.quadrant4Fill=this.quadrant4Fill||h(this.primaryColor,{r:15,g:15,b:15}),this.quadrant1TextFill=this.quadrant1TextFill||this.primaryTextColor,this.quadrant2TextFill=this.quadrant2TextFill||h(this.primaryTextColor,{r:-5,g:-5,b:-5}),this.quadrant3TextFill=this.quadrant3TextFill||h(this.primaryTextColor,{r:-10,g:-10,b:-10}),this.quadrant4TextFill=this.quadrant4TextFill||h(this.primaryTextColor,{r:-15,g:-15,b:-15}),this.quadrantPointFill=this.quadrantPointFill||(0,m.Z)(this.quadrant1Fill)?(0,g.Z)(this.quadrant1Fill):(0,p.Z)(this.quadrant1Fill),this.quadrantPointTextFill=this.quadrantPointTextFill||this.primaryTextColor,this.quadrantXAxisTextFill=this.quadrantXAxisTextFill||this.primaryTextColor,this.quadrantYAxisTextFill=this.quadrantYAxisTextFill||this.primaryTextColor,this.quadrantInternalBorderStrokeFill=this.quadrantInternalBorderStrokeFill||this.primaryBorderColor,this.quadrantExternalBorderStrokeFill=this.quadrantExternalBorderStrokeFill||this.primaryBorderColor,this.quadrantTitleFill=this.quadrantTitleFill||this.primaryTextColor,this.xyChart={backgroundColor:(null==(t=this.xyChart)?void 0:t.backgroundColor)||this.background,titleColor:(null==(e=this.xyChart)?void 0:e.titleColor)||this.primaryTextColor,xAxisTitleColor:(null==(i=this.xyChart)?void 0:i.xAxisTitleColor)||this.primaryTextColor,xAxisLabelColor:(null==(r=this.xyChart)?void 0:r.xAxisLabelColor)||this.primaryTextColor,xAxisTickColor:(null==(n=this.xyChart)?void 0:n.xAxisTickColor)||this.primaryTextColor,xAxisLineColor:(null==(o=this.xyChart)?void 0:o.xAxisLineColor)||this.primaryTextColor,yAxisTitleColor:(null==(a=this.xyChart)?void 0:a.yAxisTitleColor)||this.primaryTextColor,yAxisLabelColor:(null==(s=this.xyChart)?void 0:s.yAxisLabelColor)||this.primaryTextColor,yAxisTickColor:(null==(l=this.xyChart)?void 0:l.yAxisTickColor)||this.primaryTextColor,yAxisLineColor:(null==(c=this.xyChart)?void 0:c.yAxisLineColor)||this.primaryTextColor,plotColorPalette:(null==(u=this.xyChart)?void 0:u.plotColorPalette)||"#FFF4DD,#FFD8B1,#FFA07A,#ECEFF1,#D6DBDF,#C3E0A8,#FFB6A4,#FFD74D,#738FA7,#FFFFF0"},this.requirementBackground=this.requirementBackground||this.primaryColor,this.requirementBorderColor=this.requirementBorderColor||this.primaryBorderColor,this.requirementBorderSize=this.requirementBorderSize||"1",this.requirementTextColor=this.requirementTextColor||this.primaryTextColor,this.relationColor=this.relationColor||this.lineColor,this.relationLabelBackground=this.relationLabelBackground||(this.darkMode?(0,p.Z)(this.secondaryColor,30):this.secondaryColor),this.relationLabelColor=this.relationLabelColor||this.actorTextColor,this.git0=this.git0||this.primaryColor,this.git1=this.git1||this.secondaryColor,this.git2=this.git2||this.tertiaryColor,this.git3=this.git3||h(this.primaryColor,{h:-30}),this.git4=this.git4||h(this.primaryColor,{h:-60}),this.git5=this.git5||h(this.primaryColor,{h:-90}),this.git6=this.git6||h(this.primaryColor,{h:60}),this.git7=this.git7||h(this.primaryColor,{h:120}),this.darkMode?(this.git0=(0,g.Z)(this.git0,25),this.git1=(0,g.Z)(this.git1,25),this.git2=(0,g.Z)(this.git2,25),this.git3=(0,g.Z)(this.git3,25),this.git4=(0,g.Z)(this.git4,25),this.git5=(0,g.Z)(this.git5,25),this.git6=(0,g.Z)(this.git6,25),this.git7=(0,g.Z)(this.git7,25)):(this.git0=(0,p.Z)(this.git0,25),this.git1=(0,p.Z)(this.git1,25),this.git2=(0,p.Z)(this.git2,25),this.git3=(0,p.Z)(this.git3,25),this.git4=(0,p.Z)(this.git4,25),this.git5=(0,p.Z)(this.git5,25),this.git6=(0,p.Z)(this.git6,25),this.git7=(0,p.Z)(this.git7,25)),this.gitInv0=this.gitInv0||f(this.git0),this.gitInv1=this.gitInv1||f(this.git1),this.gitInv2=this.gitInv2||f(this.git2),this.gitInv3=this.gitInv3||f(this.git3),this.gitInv4=this.gitInv4||f(this.git4),this.gitInv5=this.gitInv5||f(this.git5),this.gitInv6=this.gitInv6||f(this.git6),this.gitInv7=this.gitInv7||f(this.git7),this.branchLabelColor=this.branchLabelColor||(this.darkMode?"black":this.labelTextColor),this.gitBranchLabel0=this.gitBranchLabel0||this.branchLabelColor,this.gitBranchLabel1=this.gitBranchLabel1||this.branchLabelColor,this.gitBranchLabel2=this.gitBranchLabel2||this.branchLabelColor,this.gitBranchLabel3=this.gitBranchLabel3||this.branchLabelColor,this.gitBranchLabel4=this.gitBranchLabel4||this.branchLabelColor,this.gitBranchLabel5=this.gitBranchLabel5||this.branchLabelColor,this.gitBranchLabel6=this.gitBranchLabel6||this.branchLabelColor,this.gitBranchLabel7=this.gitBranchLabel7||this.branchLabelColor,this.tagLabelColor=this.tagLabelColor||this.primaryTextColor,this.tagLabelBackground=this.tagLabelBackground||this.primaryColor,this.tagLabelBorder=this.tagBorder||this.primaryBorderColor,this.tagLabelFontSize=this.tagLabelFontSize||"10px",this.commitLabelColor=this.commitLabelColor||this.secondaryTextColor,this.commitLabelBackground=this.commitLabelBackground||this.secondaryColor,this.commitLabelFontSize=this.commitLabelFontSize||"10px",this.attributeBackgroundColorOdd=this.attributeBackgroundColorOdd||kt,this.attributeBackgroundColorEven=this.attributeBackgroundColorEven||Tt}calculate(t){if("object"!=typeof t)return void this.updateColors();const e=Object.keys(t);e.forEach((e=>{this[e]=t[e]})),this.updateColors(),e.forEach((e=>{this[e]=t[e]}))}};let St=class{constructor(){this.background="#333",this.primaryColor="#1f2020",this.secondaryColor=(0,g.Z)(this.primaryColor,16),this.tertiaryColor=h(this.primaryColor,{h:-160}),this.primaryBorderColor=f(this.background),this.secondaryBorderColor=vt(this.secondaryColor,this.darkMode),this.tertiaryBorderColor=vt(this.tertiaryColor,this.darkMode),this.primaryTextColor=f(this.primaryColor),this.secondaryTextColor=f(this.secondaryColor),this.tertiaryTextColor=f(this.tertiaryColor),this.lineColor=f(this.background),this.textColor=f(this.background),this.mainBkg="#1f2020",this.secondBkg="calculated",this.mainContrastColor="lightgrey",this.darkTextColor=(0,g.Z)(f("#323D47"),10),this.lineColor="calculated",this.border1="#81B1DB",this.border2=(0,u.Z)(255,255,255,.25),this.arrowheadColor="calculated",this.fontFamily='"trebuchet ms", verdana, arial, sans-serif',this.fontSize="16px",this.labelBackground="#181818",this.textColor="#ccc",this.THEME_COLOR_LIMIT=12,this.nodeBkg="calculated",this.nodeBorder="calculated",this.clusterBkg="calculated",this.clusterBorder="calculated",this.defaultLinkColor="calculated",this.titleColor="#F9FFFE",this.edgeLabelBackground="calculated",this.actorBorder="calculated",this.actorBkg="calculated",this.actorTextColor="calculated",this.actorLineColor="calculated",this.signalColor="calculated",this.signalTextColor="calculated",this.labelBoxBkgColor="calculated",this.labelBoxBorderColor="calculated",this.labelTextColor="calculated",this.loopTextColor="calculated",this.noteBorderColor="calculated",this.noteBkgColor="#fff5ad",this.noteTextColor="calculated",this.activationBorderColor="calculated",this.activationBkgColor="calculated",this.sequenceNumberColor="black",this.sectionBkgColor=(0,p.Z)("#EAE8D9",30),this.altSectionBkgColor="calculated",this.sectionBkgColor2="#EAE8D9",this.excludeBkgColor=(0,p.Z)(this.sectionBkgColor,10),this.taskBorderColor=(0,u.Z)(255,255,255,70),this.taskBkgColor="calculated",this.taskTextColor="calculated",this.taskTextLightColor="calculated",this.taskTextOutsideColor="calculated",this.taskTextClickableColor="#003163",this.activeTaskBorderColor=(0,u.Z)(255,255,255,50),this.activeTaskBkgColor="#81B1DB",this.gridColor="calculated",this.doneTaskBkgColor="calculated",this.doneTaskBorderColor="grey",this.critBorderColor="#E83737",this.critBkgColor="#E83737",this.taskTextDarkColor="calculated",this.todayLineColor="#DB5757",this.personBorder=this.primaryBorderColor,this.personBkg=this.mainBkg,this.labelColor="calculated",this.errorBkgColor="#a44141",this.errorTextColor="#ddd"}updateColors(){var t,e,i,r,n,o,a,s,l,c,u;this.secondBkg=(0,g.Z)(this.mainBkg,16),this.lineColor=this.mainContrastColor,this.arrowheadColor=this.mainContrastColor,this.nodeBkg=this.mainBkg,this.nodeBorder=this.border1,this.clusterBkg=this.secondBkg,this.clusterBorder=this.border2,this.defaultLinkColor=this.lineColor,this.edgeLabelBackground=(0,g.Z)(this.labelBackground,25),this.actorBorder=this.border1,this.actorBkg=this.mainBkg,this.actorTextColor=this.mainContrastColor,this.actorLineColor=this.mainContrastColor,this.signalColor=this.mainContrastColor,this.signalTextColor=this.mainContrastColor,this.labelBoxBkgColor=this.actorBkg,this.labelBoxBorderColor=this.actorBorder,this.labelTextColor=this.mainContrastColor,this.loopTextColor=this.mainContrastColor,this.noteBorderColor=this.secondaryBorderColor,this.noteBkgColor=this.secondBkg,this.noteTextColor=this.secondaryTextColor,this.activationBorderColor=this.border1,this.activationBkgColor=this.secondBkg,this.altSectionBkgColor=this.background,this.taskBkgColor=(0,g.Z)(this.mainBkg,23),this.taskTextColor=this.darkTextColor,this.taskTextLightColor=this.mainContrastColor,this.taskTextOutsideColor=this.taskTextLightColor,this.gridColor=this.mainContrastColor,this.doneTaskBkgColor=this.mainContrastColor,this.taskTextDarkColor=this.darkTextColor,this.transitionColor=this.transitionColor||this.lineColor,this.transitionLabelColor=this.transitionLabelColor||this.textColor,this.stateLabelColor=this.stateLabelColor||this.stateBkg||this.primaryTextColor,this.stateBkg=this.stateBkg||this.mainBkg,this.labelBackgroundColor=this.labelBackgroundColor||this.stateBkg,this.compositeBackground=this.compositeBackground||this.background||this.tertiaryColor,this.altBackground=this.altBackground||"#555",this.compositeTitleBackground=this.compositeTitleBackground||this.mainBkg,this.compositeBorder=this.compositeBorder||this.nodeBorder,this.innerEndBackground=this.primaryBorderColor,this.specialStateColor="#f4f4f4",this.errorBkgColor=this.errorBkgColor||this.tertiaryColor,this.errorTextColor=this.errorTextColor||this.tertiaryTextColor,this.fillType0=this.primaryColor,this.fillType1=this.secondaryColor,this.fillType2=h(this.primaryColor,{h:64}),this.fillType3=h(this.secondaryColor,{h:64}),this.fillType4=h(this.primaryColor,{h:-64}),this.fillType5=h(this.secondaryColor,{h:-64}),this.fillType6=h(this.primaryColor,{h:128}),this.fillType7=h(this.secondaryColor,{h:128}),this.cScale1=this.cScale1||"#0b0000",this.cScale2=this.cScale2||"#4d1037",this.cScale3=this.cScale3||"#3f5258",this.cScale4=this.cScale4||"#4f2f1b",this.cScale5=this.cScale5||"#6e0a0a",this.cScale6=this.cScale6||"#3b0048",this.cScale7=this.cScale7||"#995a01",this.cScale8=this.cScale8||"#154706",this.cScale9=this.cScale9||"#161722",this.cScale10=this.cScale10||"#00296f",this.cScale11=this.cScale11||"#01629c",this.cScale12=this.cScale12||"#010029",this.cScale0=this.cScale0||this.primaryColor,this.cScale1=this.cScale1||this.secondaryColor,this.cScale2=this.cScale2||this.tertiaryColor,this.cScale3=this.cScale3||h(this.primaryColor,{h:30}),this.cScale4=this.cScale4||h(this.primaryColor,{h:60}),this.cScale5=this.cScale5||h(this.primaryColor,{h:90}),this.cScale6=this.cScale6||h(this.primaryColor,{h:120}),this.cScale7=this.cScale7||h(this.primaryColor,{h:150}),this.cScale8=this.cScale8||h(this.primaryColor,{h:210}),this.cScale9=this.cScale9||h(this.primaryColor,{h:270}),this.cScale10=this.cScale10||h(this.primaryColor,{h:300}),this.cScale11=this.cScale11||h(this.primaryColor,{h:330});for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["cScaleInv"+h]=this["cScaleInv"+h]||f(this["cScale"+h]);for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["cScalePeer"+h]=this["cScalePeer"+h]||(0,g.Z)(this["cScale"+h],10);for(let d=0;d<5;d++)this["surface"+d]=this["surface"+d]||h(this.mainBkg,{h:30,s:-30,l:-(4*d-10)}),this["surfacePeer"+d]=this["surfacePeer"+d]||h(this.mainBkg,{h:30,s:-30,l:-(4*d-7)});this.scaleLabelColor=this.scaleLabelColor||(this.darkMode?"black":this.labelTextColor);for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["cScaleLabel"+h]=this["cScaleLabel"+h]||this.scaleLabelColor;for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["pie"+h]=this["cScale"+h];this.pieTitleTextSize=this.pieTitleTextSize||"25px",this.pieTitleTextColor=this.pieTitleTextColor||this.taskTextDarkColor,this.pieSectionTextSize=this.pieSectionTextSize||"17px",this.pieSectionTextColor=this.pieSectionTextColor||this.textColor,this.pieLegendTextSize=this.pieLegendTextSize||"17px",this.pieLegendTextColor=this.pieLegendTextColor||this.taskTextDarkColor,this.pieStrokeColor=this.pieStrokeColor||"black",this.pieStrokeWidth=this.pieStrokeWidth||"2px",this.pieOuterStrokeWidth=this.pieOuterStrokeWidth||"2px",this.pieOuterStrokeColor=this.pieOuterStrokeColor||"black",this.pieOpacity=this.pieOpacity||"0.7",this.quadrant1Fill=this.quadrant1Fill||this.primaryColor,this.quadrant2Fill=this.quadrant2Fill||h(this.primaryColor,{r:5,g:5,b:5}),this.quadrant3Fill=this.quadrant3Fill||h(this.primaryColor,{r:10,g:10,b:10}),this.quadrant4Fill=this.quadrant4Fill||h(this.primaryColor,{r:15,g:15,b:15}),this.quadrant1TextFill=this.quadrant1TextFill||this.primaryTextColor,this.quadrant2TextFill=this.quadrant2TextFill||h(this.primaryTextColor,{r:-5,g:-5,b:-5}),this.quadrant3TextFill=this.quadrant3TextFill||h(this.primaryTextColor,{r:-10,g:-10,b:-10}),this.quadrant4TextFill=this.quadrant4TextFill||h(this.primaryTextColor,{r:-15,g:-15,b:-15}),this.quadrantPointFill=this.quadrantPointFill||(0,m.Z)(this.quadrant1Fill)?(0,g.Z)(this.quadrant1Fill):(0,p.Z)(this.quadrant1Fill),this.quadrantPointTextFill=this.quadrantPointTextFill||this.primaryTextColor,this.quadrantXAxisTextFill=this.quadrantXAxisTextFill||this.primaryTextColor,this.quadrantYAxisTextFill=this.quadrantYAxisTextFill||this.primaryTextColor,this.quadrantInternalBorderStrokeFill=this.quadrantInternalBorderStrokeFill||this.primaryBorderColor,this.quadrantExternalBorderStrokeFill=this.quadrantExternalBorderStrokeFill||this.primaryBorderColor,this.quadrantTitleFill=this.quadrantTitleFill||this.primaryTextColor,this.xyChart={backgroundColor:(null==(t=this.xyChart)?void 0:t.backgroundColor)||this.background,titleColor:(null==(e=this.xyChart)?void 0:e.titleColor)||this.primaryTextColor,xAxisTitleColor:(null==(i=this.xyChart)?void 0:i.xAxisTitleColor)||this.primaryTextColor,xAxisLabelColor:(null==(r=this.xyChart)?void 0:r.xAxisLabelColor)||this.primaryTextColor,xAxisTickColor:(null==(n=this.xyChart)?void 0:n.xAxisTickColor)||this.primaryTextColor,xAxisLineColor:(null==(o=this.xyChart)?void 0:o.xAxisLineColor)||this.primaryTextColor,yAxisTitleColor:(null==(a=this.xyChart)?void 0:a.yAxisTitleColor)||this.primaryTextColor,yAxisLabelColor:(null==(s=this.xyChart)?void 0:s.yAxisLabelColor)||this.primaryTextColor,yAxisTickColor:(null==(l=this.xyChart)?void 0:l.yAxisTickColor)||this.primaryTextColor,yAxisLineColor:(null==(c=this.xyChart)?void 0:c.yAxisLineColor)||this.primaryTextColor,plotColorPalette:(null==(u=this.xyChart)?void 0:u.plotColorPalette)||"#3498db,#2ecc71,#e74c3c,#f1c40f,#bdc3c7,#ffffff,#34495e,#9b59b6,#1abc9c,#e67e22"},this.classText=this.primaryTextColor,this.requirementBackground=this.requirementBackground||this.primaryColor,this.requirementBorderColor=this.requirementBorderColor||this.primaryBorderColor,this.requirementBorderSize=this.requirementBorderSize||"1",this.requirementTextColor=this.requirementTextColor||this.primaryTextColor,this.relationColor=this.relationColor||this.lineColor,this.relationLabelBackground=this.relationLabelBackground||(this.darkMode?(0,p.Z)(this.secondaryColor,30):this.secondaryColor),this.relationLabelColor=this.relationLabelColor||this.actorTextColor,this.git0=(0,g.Z)(this.secondaryColor,20),this.git1=(0,g.Z)(this.pie2||this.secondaryColor,20),this.git2=(0,g.Z)(this.pie3||this.tertiaryColor,20),this.git3=(0,g.Z)(this.pie4||h(this.primaryColor,{h:-30}),20),this.git4=(0,g.Z)(this.pie5||h(this.primaryColor,{h:-60}),20),this.git5=(0,g.Z)(this.pie6||h(this.primaryColor,{h:-90}),10),this.git6=(0,g.Z)(this.pie7||h(this.primaryColor,{h:60}),10),this.git7=(0,g.Z)(this.pie8||h(this.primaryColor,{h:120}),20),this.gitInv0=this.gitInv0||f(this.git0),this.gitInv1=this.gitInv1||f(this.git1),this.gitInv2=this.gitInv2||f(this.git2),this.gitInv3=this.gitInv3||f(this.git3),this.gitInv4=this.gitInv4||f(this.git4),this.gitInv5=this.gitInv5||f(this.git5),this.gitInv6=this.gitInv6||f(this.git6),this.gitInv7=this.gitInv7||f(this.git7),this.gitBranchLabel0=this.gitBranchLabel0||f(this.labelTextColor),this.gitBranchLabel1=this.gitBranchLabel1||this.labelTextColor,this.gitBranchLabel2=this.gitBranchLabel2||this.labelTextColor,this.gitBranchLabel3=this.gitBranchLabel3||f(this.labelTextColor),this.gitBranchLabel4=this.gitBranchLabel4||this.labelTextColor,this.gitBranchLabel5=this.gitBranchLabel5||this.labelTextColor,this.gitBranchLabel6=this.gitBranchLabel6||this.labelTextColor,this.gitBranchLabel7=this.gitBranchLabel7||this.labelTextColor,this.tagLabelColor=this.tagLabelColor||this.primaryTextColor,this.tagLabelBackground=this.tagLabelBackground||this.primaryColor,this.tagLabelBorder=this.tagBorder||this.primaryBorderColor,this.tagLabelFontSize=this.tagLabelFontSize||"10px",this.commitLabelColor=this.commitLabelColor||this.secondaryTextColor,this.commitLabelBackground=this.commitLabelBackground||this.secondaryColor,this.commitLabelFontSize=this.commitLabelFontSize||"10px",this.attributeBackgroundColorOdd=this.attributeBackgroundColorOdd||(0,g.Z)(this.background,12),this.attributeBackgroundColorEven=this.attributeBackgroundColorEven||(0,g.Z)(this.background,2)}calculate(t){if("object"!=typeof t)return void this.updateColors();const e=Object.keys(t);e.forEach((e=>{this[e]=t[e]})),this.updateColors(),e.forEach((e=>{this[e]=t[e]}))}};let Bt=class{constructor(){this.background="#f4f4f4",this.primaryColor="#ECECFF",this.secondaryColor=h(this.primaryColor,{h:120}),this.secondaryColor="#ffffde",this.tertiaryColor=h(this.primaryColor,{h:-160}),this.primaryBorderColor=vt(this.primaryColor,this.darkMode),this.secondaryBorderColor=vt(this.secondaryColor,this.darkMode),this.tertiaryBorderColor=vt(this.tertiaryColor,this.darkMode),this.primaryTextColor=f(this.primaryColor),this.secondaryTextColor=f(this.secondaryColor),this.tertiaryTextColor=f(this.tertiaryColor),this.lineColor=f(this.background),this.textColor=f(this.background),this.background="white",this.mainBkg="#ECECFF",this.secondBkg="#ffffde",this.lineColor="#333333",this.border1="#9370DB",this.border2="#aaaa33",this.arrowheadColor="#333333",this.fontFamily='"trebuchet ms", verdana, arial, sans-serif',this.fontSize="16px",this.labelBackground="#e8e8e8",this.textColor="#333",this.THEME_COLOR_LIMIT=12,this.nodeBkg="calculated",this.nodeBorder="calculated",this.clusterBkg="calculated",this.clusterBorder="calculated",this.defaultLinkColor="calculated",this.titleColor="calculated",this.edgeLabelBackground="calculated",this.actorBorder="calculated",this.actorBkg="calculated",this.actorTextColor="black",this.actorLineColor="grey",this.signalColor="calculated",this.signalTextColor="calculated",this.labelBoxBkgColor="calculated",this.labelBoxBorderColor="calculated",this.labelTextColor="calculated",this.loopTextColor="calculated",this.noteBorderColor="calculated",this.noteBkgColor="#fff5ad",this.noteTextColor="calculated",this.activationBorderColor="#666",this.activationBkgColor="#f4f4f4",this.sequenceNumberColor="white",this.sectionBkgColor="calculated",this.altSectionBkgColor="calculated",this.sectionBkgColor2="calculated",this.excludeBkgColor="#eeeeee",this.taskBorderColor="calculated",this.taskBkgColor="calculated",this.taskTextLightColor="calculated",this.taskTextColor=this.taskTextLightColor,this.taskTextDarkColor="calculated",this.taskTextOutsideColor=this.taskTextDarkColor,this.taskTextClickableColor="calculated",this.activeTaskBorderColor="calculated",this.activeTaskBkgColor="calculated",this.gridColor="calculated",this.doneTaskBkgColor="calculated",this.doneTaskBorderColor="calculated",this.critBorderColor="calculated",this.critBkgColor="calculated",this.todayLineColor="calculated",this.sectionBkgColor=(0,u.Z)(102,102,255,.49),this.altSectionBkgColor="white",this.sectionBkgColor2="#fff400",this.taskBorderColor="#534fbc",this.taskBkgColor="#8a90dd",this.taskTextLightColor="white",this.taskTextColor="calculated",this.taskTextDarkColor="black",this.taskTextOutsideColor="calculated",this.taskTextClickableColor="#003163",this.activeTaskBorderColor="#534fbc",this.activeTaskBkgColor="#bfc7ff",this.gridColor="lightgrey",this.doneTaskBkgColor="lightgrey",this.doneTaskBorderColor="grey",this.critBorderColor="#ff8888",this.critBkgColor="red",this.todayLineColor="red",this.personBorder=this.primaryBorderColor,this.personBkg=this.mainBkg,this.labelColor="black",this.errorBkgColor="#552222",this.errorTextColor="#552222",this.updateColors()}updateColors(){var t,e,i,r,n,o,a,s,l,c,u;this.cScale0=this.cScale0||this.primaryColor,this.cScale1=this.cScale1||this.secondaryColor,this.cScale2=this.cScale2||this.tertiaryColor,this.cScale3=this.cScale3||h(this.primaryColor,{h:30}),this.cScale4=this.cScale4||h(this.primaryColor,{h:60}),this.cScale5=this.cScale5||h(this.primaryColor,{h:90}),this.cScale6=this.cScale6||h(this.primaryColor,{h:120}),this.cScale7=this.cScale7||h(this.primaryColor,{h:150}),this.cScale8=this.cScale8||h(this.primaryColor,{h:210}),this.cScale9=this.cScale9||h(this.primaryColor,{h:270}),this.cScale10=this.cScale10||h(this.primaryColor,{h:300}),this.cScale11=this.cScale11||h(this.primaryColor,{h:330}),this.cScalePeer1=this.cScalePeer1||(0,p.Z)(this.secondaryColor,45),this.cScalePeer2=this.cScalePeer2||(0,p.Z)(this.tertiaryColor,40);for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["cScale"+h]=(0,p.Z)(this["cScale"+h],10),this["cScalePeer"+h]=this["cScalePeer"+h]||(0,p.Z)(this["cScale"+h],25);for(let d=0;d<this.THEME_COLOR_LIMIT;d++)this["cScaleInv"+d]=this["cScaleInv"+d]||h(this["cScale"+d],{h:180});for(let d=0;d<5;d++)this["surface"+d]=this["surface"+d]||h(this.mainBkg,{h:30,l:-(5+5*d)}),this["surfacePeer"+d]=this["surfacePeer"+d]||h(this.mainBkg,{h:30,l:-(7+5*d)});if(this.scaleLabelColor="calculated"!==this.scaleLabelColor&&this.scaleLabelColor?this.scaleLabelColor:this.labelTextColor,"calculated"!==this.labelTextColor){this.cScaleLabel0=this.cScaleLabel0||f(this.labelTextColor),this.cScaleLabel3=this.cScaleLabel3||f(this.labelTextColor);for(let t=0;t<this.THEME_COLOR_LIMIT;t++)this["cScaleLabel"+t]=this["cScaleLabel"+t]||this.labelTextColor}this.nodeBkg=this.mainBkg,this.nodeBorder=this.border1,this.clusterBkg=this.secondBkg,this.clusterBorder=this.border2,this.defaultLinkColor=this.lineColor,this.titleColor=this.textColor,this.edgeLabelBackground=this.labelBackground,this.actorBorder=(0,g.Z)(this.border1,23),this.actorBkg=this.mainBkg,this.labelBoxBkgColor=this.actorBkg,this.signalColor=this.textColor,this.signalTextColor=this.textColor,this.labelBoxBorderColor=this.actorBorder,this.labelTextColor=this.actorTextColor,this.loopTextColor=this.actorTextColor,this.noteBorderColor=this.border2,this.noteTextColor=this.actorTextColor,this.taskTextColor=this.taskTextLightColor,this.taskTextOutsideColor=this.taskTextDarkColor,this.transitionColor=this.transitionColor||this.lineColor,this.transitionLabelColor=this.transitionLabelColor||this.textColor,this.stateLabelColor=this.stateLabelColor||this.stateBkg||this.primaryTextColor,this.stateBkg=this.stateBkg||this.mainBkg,this.labelBackgroundColor=this.labelBackgroundColor||this.stateBkg,this.compositeBackground=this.compositeBackground||this.background||this.tertiaryColor,this.altBackground=this.altBackground||"#f0f0f0",this.compositeTitleBackground=this.compositeTitleBackground||this.mainBkg,this.compositeBorder=this.compositeBorder||this.nodeBorder,this.innerEndBackground=this.nodeBorder,this.specialStateColor=this.lineColor,this.errorBkgColor=this.errorBkgColor||this.tertiaryColor,this.errorTextColor=this.errorTextColor||this.tertiaryTextColor,this.transitionColor=this.transitionColor||this.lineColor,this.classText=this.primaryTextColor,this.fillType0=this.primaryColor,this.fillType1=this.secondaryColor,this.fillType2=h(this.primaryColor,{h:64}),this.fillType3=h(this.secondaryColor,{h:64}),this.fillType4=h(this.primaryColor,{h:-64}),this.fillType5=h(this.secondaryColor,{h:-64}),this.fillType6=h(this.primaryColor,{h:128}),this.fillType7=h(this.secondaryColor,{h:128}),this.pie1=this.pie1||this.primaryColor,this.pie2=this.pie2||this.secondaryColor,this.pie3=this.pie3||h(this.tertiaryColor,{l:-40}),this.pie4=this.pie4||h(this.primaryColor,{l:-10}),this.pie5=this.pie5||h(this.secondaryColor,{l:-30}),this.pie6=this.pie6||h(this.tertiaryColor,{l:-20}),this.pie7=this.pie7||h(this.primaryColor,{h:60,l:-20}),this.pie8=this.pie8||h(this.primaryColor,{h:-60,l:-40}),this.pie9=this.pie9||h(this.primaryColor,{h:120,l:-40}),this.pie10=this.pie10||h(this.primaryColor,{h:60,l:-40}),this.pie11=this.pie11||h(this.primaryColor,{h:-90,l:-40}),this.pie12=this.pie12||h(this.primaryColor,{h:120,l:-30}),this.pieTitleTextSize=this.pieTitleTextSize||"25px",this.pieTitleTextColor=this.pieTitleTextColor||this.taskTextDarkColor,this.pieSectionTextSize=this.pieSectionTextSize||"17px",this.pieSectionTextColor=this.pieSectionTextColor||this.textColor,this.pieLegendTextSize=this.pieLegendTextSize||"17px",this.pieLegendTextColor=this.pieLegendTextColor||this.taskTextDarkColor,this.pieStrokeColor=this.pieStrokeColor||"black",this.pieStrokeWidth=this.pieStrokeWidth||"2px",this.pieOuterStrokeWidth=this.pieOuterStrokeWidth||"2px",this.pieOuterStrokeColor=this.pieOuterStrokeColor||"black",this.pieOpacity=this.pieOpacity||"0.7",this.quadrant1Fill=this.quadrant1Fill||this.primaryColor,this.quadrant2Fill=this.quadrant2Fill||h(this.primaryColor,{r:5,g:5,b:5}),this.quadrant3Fill=this.quadrant3Fill||h(this.primaryColor,{r:10,g:10,b:10}),this.quadrant4Fill=this.quadrant4Fill||h(this.primaryColor,{r:15,g:15,b:15}),this.quadrant1TextFill=this.quadrant1TextFill||this.primaryTextColor,this.quadrant2TextFill=this.quadrant2TextFill||h(this.primaryTextColor,{r:-5,g:-5,b:-5}),this.quadrant3TextFill=this.quadrant3TextFill||h(this.primaryTextColor,{r:-10,g:-10,b:-10}),this.quadrant4TextFill=this.quadrant4TextFill||h(this.primaryTextColor,{r:-15,g:-15,b:-15}),this.quadrantPointFill=this.quadrantPointFill||(0,m.Z)(this.quadrant1Fill)?(0,g.Z)(this.quadrant1Fill):(0,p.Z)(this.quadrant1Fill),this.quadrantPointTextFill=this.quadrantPointTextFill||this.primaryTextColor,this.quadrantXAxisTextFill=this.quadrantXAxisTextFill||this.primaryTextColor,this.quadrantYAxisTextFill=this.quadrantYAxisTextFill||this.primaryTextColor,this.quadrantInternalBorderStrokeFill=this.quadrantInternalBorderStrokeFill||this.primaryBorderColor,this.quadrantExternalBorderStrokeFill=this.quadrantExternalBorderStrokeFill||this.primaryBorderColor,this.quadrantTitleFill=this.quadrantTitleFill||this.primaryTextColor,this.xyChart={backgroundColor:(null==(t=this.xyChart)?void 0:t.backgroundColor)||this.background,titleColor:(null==(e=this.xyChart)?void 0:e.titleColor)||this.primaryTextColor,xAxisTitleColor:(null==(i=this.xyChart)?void 0:i.xAxisTitleColor)||this.primaryTextColor,xAxisLabelColor:(null==(r=this.xyChart)?void 0:r.xAxisLabelColor)||this.primaryTextColor,xAxisTickColor:(null==(n=this.xyChart)?void 0:n.xAxisTickColor)||this.primaryTextColor,xAxisLineColor:(null==(o=this.xyChart)?void 0:o.xAxisLineColor)||this.primaryTextColor,yAxisTitleColor:(null==(a=this.xyChart)?void 0:a.yAxisTitleColor)||this.primaryTextColor,yAxisLabelColor:(null==(s=this.xyChart)?void 0:s.yAxisLabelColor)||this.primaryTextColor,yAxisTickColor:(null==(l=this.xyChart)?void 0:l.yAxisTickColor)||this.primaryTextColor,yAxisLineColor:(null==(c=this.xyChart)?void 0:c.yAxisLineColor)||this.primaryTextColor,plotColorPalette:(null==(u=this.xyChart)?void 0:u.plotColorPalette)||"#ECECFF,#8493A6,#FFC3A0,#DCDDE1,#B8E994,#D1A36F,#C3CDE6,#FFB6C1,#496078,#F8F3E3"},this.requirementBackground=this.requirementBackground||this.primaryColor,this.requirementBorderColor=this.requirementBorderColor||this.primaryBorderColor,this.requirementBorderSize=this.requirementBorderSize||"1",this.requirementTextColor=this.requirementTextColor||this.primaryTextColor,this.relationColor=this.relationColor||this.lineColor,this.relationLabelBackground=this.relationLabelBackground||this.labelBackground,this.relationLabelColor=this.relationLabelColor||this.actorTextColor,this.git0=this.git0||this.primaryColor,this.git1=this.git1||this.secondaryColor,this.git2=this.git2||this.tertiaryColor,this.git3=this.git3||h(this.primaryColor,{h:-30}),this.git4=this.git4||h(this.primaryColor,{h:-60}),this.git5=this.git5||h(this.primaryColor,{h:-90}),this.git6=this.git6||h(this.primaryColor,{h:60}),this.git7=this.git7||h(this.primaryColor,{h:120}),this.darkMode?(this.git0=(0,g.Z)(this.git0,25),this.git1=(0,g.Z)(this.git1,25),this.git2=(0,g.Z)(this.git2,25),this.git3=(0,g.Z)(this.git3,25),this.git4=(0,g.Z)(this.git4,25),this.git5=(0,g.Z)(this.git5,25),this.git6=(0,g.Z)(this.git6,25),this.git7=(0,g.Z)(this.git7,25)):(this.git0=(0,p.Z)(this.git0,25),this.git1=(0,p.Z)(this.git1,25),this.git2=(0,p.Z)(this.git2,25),this.git3=(0,p.Z)(this.git3,25),this.git4=(0,p.Z)(this.git4,25),this.git5=(0,p.Z)(this.git5,25),this.git6=(0,p.Z)(this.git6,25),this.git7=(0,p.Z)(this.git7,25)),this.gitInv0=this.gitInv0||(0,p.Z)(f(this.git0),25),this.gitInv1=this.gitInv1||f(this.git1),this.gitInv2=this.gitInv2||f(this.git2),this.gitInv3=this.gitInv3||f(this.git3),this.gitInv4=this.gitInv4||f(this.git4),this.gitInv5=this.gitInv5||f(this.git5),this.gitInv6=this.gitInv6||f(this.git6),this.gitInv7=this.gitInv7||f(this.git7),this.gitBranchLabel0=this.gitBranchLabel0||f(this.labelTextColor),this.gitBranchLabel1=this.gitBranchLabel1||this.labelTextColor,this.gitBranchLabel2=this.gitBranchLabel2||this.labelTextColor,this.gitBranchLabel3=this.gitBranchLabel3||f(this.labelTextColor),this.gitBranchLabel4=this.gitBranchLabel4||this.labelTextColor,this.gitBranchLabel5=this.gitBranchLabel5||this.labelTextColor,this.gitBranchLabel6=this.gitBranchLabel6||this.labelTextColor,this.gitBranchLabel7=this.gitBranchLabel7||this.labelTextColor,this.tagLabelColor=this.tagLabelColor||this.primaryTextColor,this.tagLabelBackground=this.tagLabelBackground||this.primaryColor,this.tagLabelBorder=this.tagBorder||this.primaryBorderColor,this.tagLabelFontSize=this.tagLabelFontSize||"10px",this.commitLabelColor=this.commitLabelColor||this.secondaryTextColor,this.commitLabelBackground=this.commitLabelBackground||this.secondaryColor,this.commitLabelFontSize=this.commitLabelFontSize||"10px",this.attributeBackgroundColorOdd=this.attributeBackgroundColorOdd||kt,this.attributeBackgroundColorEven=this.attributeBackgroundColorEven||Tt}calculate(t){if("object"!=typeof t)return void this.updateColors();const e=Object.keys(t);e.forEach((e=>{this[e]=t[e]})),this.updateColors(),e.forEach((e=>{this[e]=t[e]}))}};const Ft=t=>{const e=new Bt;return e.calculate(t),e};let Lt=class{constructor(){this.background="#f4f4f4",this.primaryColor="#cde498",this.secondaryColor="#cdffb2",this.background="white",this.mainBkg="#cde498",this.secondBkg="#cdffb2",this.lineColor="green",this.border1="#13540c",this.border2="#6eaa49",this.arrowheadColor="green",this.fontFamily='"trebuchet ms", verdana, arial, sans-serif',this.fontSize="16px",this.tertiaryColor=(0,g.Z)("#cde498",10),this.primaryBorderColor=vt(this.primaryColor,this.darkMode),this.secondaryBorderColor=vt(this.secondaryColor,this.darkMode),this.tertiaryBorderColor=vt(this.tertiaryColor,this.darkMode),this.primaryTextColor=f(this.primaryColor),this.secondaryTextColor=f(this.secondaryColor),this.tertiaryTextColor=f(this.primaryColor),this.lineColor=f(this.background),this.textColor=f(this.background),this.THEME_COLOR_LIMIT=12,this.nodeBkg="calculated",this.nodeBorder="calculated",this.clusterBkg="calculated",this.clusterBorder="calculated",this.defaultLinkColor="calculated",this.titleColor="#333",this.edgeLabelBackground="#e8e8e8",this.actorBorder="calculated",this.actorBkg="calculated",this.actorTextColor="black",this.actorLineColor="grey",this.signalColor="#333",this.signalTextColor="#333",this.labelBoxBkgColor="calculated",this.labelBoxBorderColor="#326932",this.labelTextColor="calculated",this.loopTextColor="calculated",this.noteBorderColor="calculated",this.noteBkgColor="#fff5ad",this.noteTextColor="calculated",this.activationBorderColor="#666",this.activationBkgColor="#f4f4f4",this.sequenceNumberColor="white",this.sectionBkgColor="#6eaa49",this.altSectionBkgColor="white",this.sectionBkgColor2="#6eaa49",this.excludeBkgColor="#eeeeee",this.taskBorderColor="calculated",this.taskBkgColor="#487e3a",this.taskTextLightColor="white",this.taskTextColor="calculated",this.taskTextDarkColor="black",this.taskTextOutsideColor="calculated",this.taskTextClickableColor="#003163",this.activeTaskBorderColor="calculated",this.activeTaskBkgColor="calculated",this.gridColor="lightgrey",this.doneTaskBkgColor="lightgrey",this.doneTaskBorderColor="grey",this.critBorderColor="#ff8888",this.critBkgColor="red",this.todayLineColor="red",this.personBorder=this.primaryBorderColor,this.personBkg=this.mainBkg,this.labelColor="black",this.errorBkgColor="#552222",this.errorTextColor="#552222"}updateColors(){var t,e,i,r,n,o,a,s,l,c,u;this.actorBorder=(0,p.Z)(this.mainBkg,20),this.actorBkg=this.mainBkg,this.labelBoxBkgColor=this.actorBkg,this.labelTextColor=this.actorTextColor,this.loopTextColor=this.actorTextColor,this.noteBorderColor=this.border2,this.noteTextColor=this.actorTextColor,this.cScale0=this.cScale0||this.primaryColor,this.cScale1=this.cScale1||this.secondaryColor,this.cScale2=this.cScale2||this.tertiaryColor,this.cScale3=this.cScale3||h(this.primaryColor,{h:30}),this.cScale4=this.cScale4||h(this.primaryColor,{h:60}),this.cScale5=this.cScale5||h(this.primaryColor,{h:90}),this.cScale6=this.cScale6||h(this.primaryColor,{h:120}),this.cScale7=this.cScale7||h(this.primaryColor,{h:150}),this.cScale8=this.cScale8||h(this.primaryColor,{h:210}),this.cScale9=this.cScale9||h(this.primaryColor,{h:270}),this.cScale10=this.cScale10||h(this.primaryColor,{h:300}),this.cScale11=this.cScale11||h(this.primaryColor,{h:330}),this.cScalePeer1=this.cScalePeer1||(0,p.Z)(this.secondaryColor,45),this.cScalePeer2=this.cScalePeer2||(0,p.Z)(this.tertiaryColor,40);for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["cScale"+h]=(0,p.Z)(this["cScale"+h],10),this["cScalePeer"+h]=this["cScalePeer"+h]||(0,p.Z)(this["cScale"+h],25);for(let d=0;d<this.THEME_COLOR_LIMIT;d++)this["cScaleInv"+d]=this["cScaleInv"+d]||h(this["cScale"+d],{h:180});this.scaleLabelColor="calculated"!==this.scaleLabelColor&&this.scaleLabelColor?this.scaleLabelColor:this.labelTextColor;for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["cScaleLabel"+h]=this["cScaleLabel"+h]||this.scaleLabelColor;for(let d=0;d<5;d++)this["surface"+d]=this["surface"+d]||h(this.mainBkg,{h:30,s:-30,l:-(5+5*d)}),this["surfacePeer"+d]=this["surfacePeer"+d]||h(this.mainBkg,{h:30,s:-30,l:-(8+5*d)});this.nodeBkg=this.mainBkg,this.nodeBorder=this.border1,this.clusterBkg=this.secondBkg,this.clusterBorder=this.border2,this.defaultLinkColor=this.lineColor,this.taskBorderColor=this.border1,this.taskTextColor=this.taskTextLightColor,this.taskTextOutsideColor=this.taskTextDarkColor,this.activeTaskBorderColor=this.taskBorderColor,this.activeTaskBkgColor=this.mainBkg,this.transitionColor=this.transitionColor||this.lineColor,this.transitionLabelColor=this.transitionLabelColor||this.textColor,this.stateLabelColor=this.stateLabelColor||this.stateBkg||this.primaryTextColor,this.stateBkg=this.stateBkg||this.mainBkg,this.labelBackgroundColor=this.labelBackgroundColor||this.stateBkg,this.compositeBackground=this.compositeBackground||this.background||this.tertiaryColor,this.altBackground=this.altBackground||"#f0f0f0",this.compositeTitleBackground=this.compositeTitleBackground||this.mainBkg,this.compositeBorder=this.compositeBorder||this.nodeBorder,this.innerEndBackground=this.primaryBorderColor,this.specialStateColor=this.lineColor,this.errorBkgColor=this.errorBkgColor||this.tertiaryColor,this.errorTextColor=this.errorTextColor||this.tertiaryTextColor,this.transitionColor=this.transitionColor||this.lineColor,this.classText=this.primaryTextColor,this.fillType0=this.primaryColor,this.fillType1=this.secondaryColor,this.fillType2=h(this.primaryColor,{h:64}),this.fillType3=h(this.secondaryColor,{h:64}),this.fillType4=h(this.primaryColor,{h:-64}),this.fillType5=h(this.secondaryColor,{h:-64}),this.fillType6=h(this.primaryColor,{h:128}),this.fillType7=h(this.secondaryColor,{h:128}),this.pie1=this.pie1||this.primaryColor,this.pie2=this.pie2||this.secondaryColor,this.pie3=this.pie3||this.tertiaryColor,this.pie4=this.pie4||h(this.primaryColor,{l:-30}),this.pie5=this.pie5||h(this.secondaryColor,{l:-30}),this.pie6=this.pie6||h(this.tertiaryColor,{h:40,l:-40}),this.pie7=this.pie7||h(this.primaryColor,{h:60,l:-10}),this.pie8=this.pie8||h(this.primaryColor,{h:-60,l:-10}),this.pie9=this.pie9||h(this.primaryColor,{h:120,l:0}),this.pie10=this.pie10||h(this.primaryColor,{h:60,l:-50}),this.pie11=this.pie11||h(this.primaryColor,{h:-60,l:-50}),this.pie12=this.pie12||h(this.primaryColor,{h:120,l:-50}),this.pieTitleTextSize=this.pieTitleTextSize||"25px",this.pieTitleTextColor=this.pieTitleTextColor||this.taskTextDarkColor,this.pieSectionTextSize=this.pieSectionTextSize||"17px",this.pieSectionTextColor=this.pieSectionTextColor||this.textColor,this.pieLegendTextSize=this.pieLegendTextSize||"17px",this.pieLegendTextColor=this.pieLegendTextColor||this.taskTextDarkColor,this.pieStrokeColor=this.pieStrokeColor||"black",this.pieStrokeWidth=this.pieStrokeWidth||"2px",this.pieOuterStrokeWidth=this.pieOuterStrokeWidth||"2px",this.pieOuterStrokeColor=this.pieOuterStrokeColor||"black",this.pieOpacity=this.pieOpacity||"0.7",this.quadrant1Fill=this.quadrant1Fill||this.primaryColor,this.quadrant2Fill=this.quadrant2Fill||h(this.primaryColor,{r:5,g:5,b:5}),this.quadrant3Fill=this.quadrant3Fill||h(this.primaryColor,{r:10,g:10,b:10}),this.quadrant4Fill=this.quadrant4Fill||h(this.primaryColor,{r:15,g:15,b:15}),this.quadrant1TextFill=this.quadrant1TextFill||this.primaryTextColor,this.quadrant2TextFill=this.quadrant2TextFill||h(this.primaryTextColor,{r:-5,g:-5,b:-5}),this.quadrant3TextFill=this.quadrant3TextFill||h(this.primaryTextColor,{r:-10,g:-10,b:-10}),this.quadrant4TextFill=this.quadrant4TextFill||h(this.primaryTextColor,{r:-15,g:-15,b:-15}),this.quadrantPointFill=this.quadrantPointFill||(0,m.Z)(this.quadrant1Fill)?(0,g.Z)(this.quadrant1Fill):(0,p.Z)(this.quadrant1Fill),this.quadrantPointTextFill=this.quadrantPointTextFill||this.primaryTextColor,this.quadrantXAxisTextFill=this.quadrantXAxisTextFill||this.primaryTextColor,this.quadrantYAxisTextFill=this.quadrantYAxisTextFill||this.primaryTextColor,this.quadrantInternalBorderStrokeFill=this.quadrantInternalBorderStrokeFill||this.primaryBorderColor,this.quadrantExternalBorderStrokeFill=this.quadrantExternalBorderStrokeFill||this.primaryBorderColor,this.quadrantTitleFill=this.quadrantTitleFill||this.primaryTextColor,this.xyChart={backgroundColor:(null==(t=this.xyChart)?void 0:t.backgroundColor)||this.background,titleColor:(null==(e=this.xyChart)?void 0:e.titleColor)||this.primaryTextColor,xAxisTitleColor:(null==(i=this.xyChart)?void 0:i.xAxisTitleColor)||this.primaryTextColor,xAxisLabelColor:(null==(r=this.xyChart)?void 0:r.xAxisLabelColor)||this.primaryTextColor,xAxisTickColor:(null==(n=this.xyChart)?void 0:n.xAxisTickColor)||this.primaryTextColor,xAxisLineColor:(null==(o=this.xyChart)?void 0:o.xAxisLineColor)||this.primaryTextColor,yAxisTitleColor:(null==(a=this.xyChart)?void 0:a.yAxisTitleColor)||this.primaryTextColor,yAxisLabelColor:(null==(s=this.xyChart)?void 0:s.yAxisLabelColor)||this.primaryTextColor,yAxisTickColor:(null==(l=this.xyChart)?void 0:l.yAxisTickColor)||this.primaryTextColor,yAxisLineColor:(null==(c=this.xyChart)?void 0:c.yAxisLineColor)||this.primaryTextColor,plotColorPalette:(null==(u=this.xyChart)?void 0:u.plotColorPalette)||"#CDE498,#FF6B6B,#A0D2DB,#D7BDE2,#F0F0F0,#FFC3A0,#7FD8BE,#FF9A8B,#FAF3E0,#FFF176"},this.requirementBackground=this.requirementBackground||this.primaryColor,this.requirementBorderColor=this.requirementBorderColor||this.primaryBorderColor,this.requirementBorderSize=this.requirementBorderSize||"1",this.requirementTextColor=this.requirementTextColor||this.primaryTextColor,this.relationColor=this.relationColor||this.lineColor,this.relationLabelBackground=this.relationLabelBackground||this.edgeLabelBackground,this.relationLabelColor=this.relationLabelColor||this.actorTextColor,this.git0=this.git0||this.primaryColor,this.git1=this.git1||this.secondaryColor,this.git2=this.git2||this.tertiaryColor,this.git3=this.git3||h(this.primaryColor,{h:-30}),this.git4=this.git4||h(this.primaryColor,{h:-60}),this.git5=this.git5||h(this.primaryColor,{h:-90}),this.git6=this.git6||h(this.primaryColor,{h:60}),this.git7=this.git7||h(this.primaryColor,{h:120}),this.darkMode?(this.git0=(0,g.Z)(this.git0,25),this.git1=(0,g.Z)(this.git1,25),this.git2=(0,g.Z)(this.git2,25),this.git3=(0,g.Z)(this.git3,25),this.git4=(0,g.Z)(this.git4,25),this.git5=(0,g.Z)(this.git5,25),this.git6=(0,g.Z)(this.git6,25),this.git7=(0,g.Z)(this.git7,25)):(this.git0=(0,p.Z)(this.git0,25),this.git1=(0,p.Z)(this.git1,25),this.git2=(0,p.Z)(this.git2,25),this.git3=(0,p.Z)(this.git3,25),this.git4=(0,p.Z)(this.git4,25),this.git5=(0,p.Z)(this.git5,25),this.git6=(0,p.Z)(this.git6,25),this.git7=(0,p.Z)(this.git7,25)),this.gitInv0=this.gitInv0||f(this.git0),this.gitInv1=this.gitInv1||f(this.git1),this.gitInv2=this.gitInv2||f(this.git2),this.gitInv3=this.gitInv3||f(this.git3),this.gitInv4=this.gitInv4||f(this.git4),this.gitInv5=this.gitInv5||f(this.git5),this.gitInv6=this.gitInv6||f(this.git6),this.gitInv7=this.gitInv7||f(this.git7),this.gitBranchLabel0=this.gitBranchLabel0||f(this.labelTextColor),this.gitBranchLabel1=this.gitBranchLabel1||this.labelTextColor,this.gitBranchLabel2=this.gitBranchLabel2||this.labelTextColor,this.gitBranchLabel3=this.gitBranchLabel3||f(this.labelTextColor),this.gitBranchLabel4=this.gitBranchLabel4||this.labelTextColor,this.gitBranchLabel5=this.gitBranchLabel5||this.labelTextColor,this.gitBranchLabel6=this.gitBranchLabel6||this.labelTextColor,this.gitBranchLabel7=this.gitBranchLabel7||this.labelTextColor,this.tagLabelColor=this.tagLabelColor||this.primaryTextColor,this.tagLabelBackground=this.tagLabelBackground||this.primaryColor,this.tagLabelBorder=this.tagBorder||this.primaryBorderColor,this.tagLabelFontSize=this.tagLabelFontSize||"10px",this.commitLabelColor=this.commitLabelColor||this.secondaryTextColor,this.commitLabelBackground=this.commitLabelBackground||this.secondaryColor,this.commitLabelFontSize=this.commitLabelFontSize||"10px",this.attributeBackgroundColorOdd=this.attributeBackgroundColorOdd||kt,this.attributeBackgroundColorEven=this.attributeBackgroundColorEven||Tt}calculate(t){if("object"!=typeof t)return void this.updateColors();const e=Object.keys(t);e.forEach((e=>{this[e]=t[e]})),this.updateColors(),e.forEach((e=>{this[e]=t[e]}))}};class At{constructor(){this.primaryColor="#eee",this.contrast="#707070",this.secondaryColor=(0,g.Z)(this.contrast,55),this.background="#ffffff",this.tertiaryColor=h(this.primaryColor,{h:-160}),this.primaryBorderColor=vt(this.primaryColor,this.darkMode),this.secondaryBorderColor=vt(this.secondaryColor,this.darkMode),this.tertiaryBorderColor=vt(this.tertiaryColor,this.darkMode),this.primaryTextColor=f(this.primaryColor),this.secondaryTextColor=f(this.secondaryColor),this.tertiaryTextColor=f(this.tertiaryColor),this.lineColor=f(this.background),this.textColor=f(this.background),this.mainBkg="#eee",this.secondBkg="calculated",this.lineColor="#666",this.border1="#999",this.border2="calculated",this.note="#ffa",this.text="#333",this.critical="#d42",this.done="#bbb",this.arrowheadColor="#333333",this.fontFamily='"trebuchet ms", verdana, arial, sans-serif',this.fontSize="16px",this.THEME_COLOR_LIMIT=12,this.nodeBkg="calculated",this.nodeBorder="calculated",this.clusterBkg="calculated",this.clusterBorder="calculated",this.defaultLinkColor="calculated",this.titleColor="calculated",this.edgeLabelBackground="white",this.actorBorder="calculated",this.actorBkg="calculated",this.actorTextColor="calculated",this.actorLineColor="calculated",this.signalColor="calculated",this.signalTextColor="calculated",this.labelBoxBkgColor="calculated",this.labelBoxBorderColor="calculated",this.labelTextColor="calculated",this.loopTextColor="calculated",this.noteBorderColor="calculated",this.noteBkgColor="calculated",this.noteTextColor="calculated",this.activationBorderColor="#666",this.activationBkgColor="#f4f4f4",this.sequenceNumberColor="white",this.sectionBkgColor="calculated",this.altSectionBkgColor="white",this.sectionBkgColor2="calculated",this.excludeBkgColor="#eeeeee",this.taskBorderColor="calculated",this.taskBkgColor="calculated",this.taskTextLightColor="white",this.taskTextColor="calculated",this.taskTextDarkColor="calculated",this.taskTextOutsideColor="calculated",this.taskTextClickableColor="#003163",this.activeTaskBorderColor="calculated",this.activeTaskBkgColor="calculated",this.gridColor="calculated",this.doneTaskBkgColor="calculated",this.doneTaskBorderColor="calculated",this.critBkgColor="calculated",this.critBorderColor="calculated",this.todayLineColor="calculated",this.personBorder=this.primaryBorderColor,this.personBkg=this.mainBkg,this.labelColor="black",this.errorBkgColor="#552222",this.errorTextColor="#552222"}updateColors(){var t,e,i,r,n,o,a,s,l,c,u;this.secondBkg=(0,g.Z)(this.contrast,55),this.border2=this.contrast,this.actorBorder=(0,g.Z)(this.border1,23),this.actorBkg=this.mainBkg,this.actorTextColor=this.text,this.actorLineColor=this.lineColor,this.signalColor=this.text,this.signalTextColor=this.text,this.labelBoxBkgColor=this.actorBkg,this.labelBoxBorderColor=this.actorBorder,this.labelTextColor=this.text,this.loopTextColor=this.text,this.noteBorderColor="#999",this.noteBkgColor="#666",this.noteTextColor="#fff",this.cScale0=this.cScale0||"#555",this.cScale1=this.cScale1||"#F4F4F4",this.cScale2=this.cScale2||"#555",this.cScale3=this.cScale3||"#BBB",this.cScale4=this.cScale4||"#777",this.cScale5=this.cScale5||"#999",this.cScale6=this.cScale6||"#DDD",this.cScale7=this.cScale7||"#FFF",this.cScale8=this.cScale8||"#DDD",this.cScale9=this.cScale9||"#BBB",this.cScale10=this.cScale10||"#999",this.cScale11=this.cScale11||"#777";for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["cScaleInv"+h]=this["cScaleInv"+h]||f(this["cScale"+h]);for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this.darkMode?this["cScalePeer"+h]=this["cScalePeer"+h]||(0,g.Z)(this["cScale"+h],10):this["cScalePeer"+h]=this["cScalePeer"+h]||(0,p.Z)(this["cScale"+h],10);this.scaleLabelColor=this.scaleLabelColor||(this.darkMode?"black":this.labelTextColor),this.cScaleLabel0=this.cScaleLabel0||this.cScale1,this.cScaleLabel2=this.cScaleLabel2||this.cScale1;for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["cScaleLabel"+h]=this["cScaleLabel"+h]||this.scaleLabelColor;for(let d=0;d<5;d++)this["surface"+d]=this["surface"+d]||h(this.mainBkg,{l:-(5+5*d)}),this["surfacePeer"+d]=this["surfacePeer"+d]||h(this.mainBkg,{l:-(8+5*d)});this.nodeBkg=this.mainBkg,this.nodeBorder=this.border1,this.clusterBkg=this.secondBkg,this.clusterBorder=this.border2,this.defaultLinkColor=this.lineColor,this.titleColor=this.text,this.sectionBkgColor=(0,g.Z)(this.contrast,30),this.sectionBkgColor2=(0,g.Z)(this.contrast,30),this.taskBorderColor=(0,p.Z)(this.contrast,10),this.taskBkgColor=this.contrast,this.taskTextColor=this.taskTextLightColor,this.taskTextDarkColor=this.text,this.taskTextOutsideColor=this.taskTextDarkColor,this.activeTaskBorderColor=this.taskBorderColor,this.activeTaskBkgColor=this.mainBkg,this.gridColor=(0,g.Z)(this.border1,30),this.doneTaskBkgColor=this.done,this.doneTaskBorderColor=this.lineColor,this.critBkgColor=this.critical,this.critBorderColor=(0,p.Z)(this.critBkgColor,10),this.todayLineColor=this.critBkgColor,this.transitionColor=this.transitionColor||"#000",this.transitionLabelColor=this.transitionLabelColor||this.textColor,this.stateLabelColor=this.stateLabelColor||this.stateBkg||this.primaryTextColor,this.stateBkg=this.stateBkg||this.mainBkg,this.labelBackgroundColor=this.labelBackgroundColor||this.stateBkg,this.compositeBackground=this.compositeBackground||this.background||this.tertiaryColor,this.altBackground=this.altBackground||"#f4f4f4",this.compositeTitleBackground=this.compositeTitleBackground||this.mainBkg,this.stateBorder=this.stateBorder||"#000",this.innerEndBackground=this.primaryBorderColor,this.specialStateColor="#222",this.errorBkgColor=this.errorBkgColor||this.tertiaryColor,this.errorTextColor=this.errorTextColor||this.tertiaryTextColor,this.classText=this.primaryTextColor,this.fillType0=this.primaryColor,this.fillType1=this.secondaryColor,this.fillType2=h(this.primaryColor,{h:64}),this.fillType3=h(this.secondaryColor,{h:64}),this.fillType4=h(this.primaryColor,{h:-64}),this.fillType5=h(this.secondaryColor,{h:-64}),this.fillType6=h(this.primaryColor,{h:128}),this.fillType7=h(this.secondaryColor,{h:128});for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["pie"+h]=this["cScale"+h];this.pie12=this.pie0,this.pieTitleTextSize=this.pieTitleTextSize||"25px",this.pieTitleTextColor=this.pieTitleTextColor||this.taskTextDarkColor,this.pieSectionTextSize=this.pieSectionTextSize||"17px",this.pieSectionTextColor=this.pieSectionTextColor||this.textColor,this.pieLegendTextSize=this.pieLegendTextSize||"17px",this.pieLegendTextColor=this.pieLegendTextColor||this.taskTextDarkColor,this.pieStrokeColor=this.pieStrokeColor||"black",this.pieStrokeWidth=this.pieStrokeWidth||"2px",this.pieOuterStrokeWidth=this.pieOuterStrokeWidth||"2px",this.pieOuterStrokeColor=this.pieOuterStrokeColor||"black",this.pieOpacity=this.pieOpacity||"0.7",this.quadrant1Fill=this.quadrant1Fill||this.primaryColor,this.quadrant2Fill=this.quadrant2Fill||h(this.primaryColor,{r:5,g:5,b:5}),this.quadrant3Fill=this.quadrant3Fill||h(this.primaryColor,{r:10,g:10,b:10}),this.quadrant4Fill=this.quadrant4Fill||h(this.primaryColor,{r:15,g:15,b:15}),this.quadrant1TextFill=this.quadrant1TextFill||this.primaryTextColor,this.quadrant2TextFill=this.quadrant2TextFill||h(this.primaryTextColor,{r:-5,g:-5,b:-5}),this.quadrant3TextFill=this.quadrant3TextFill||h(this.primaryTextColor,{r:-10,g:-10,b:-10}),this.quadrant4TextFill=this.quadrant4TextFill||h(this.primaryTextColor,{r:-15,g:-15,b:-15}),this.quadrantPointFill=this.quadrantPointFill||(0,m.Z)(this.quadrant1Fill)?(0,g.Z)(this.quadrant1Fill):(0,p.Z)(this.quadrant1Fill),this.quadrantPointTextFill=this.quadrantPointTextFill||this.primaryTextColor,this.quadrantXAxisTextFill=this.quadrantXAxisTextFill||this.primaryTextColor,this.quadrantYAxisTextFill=this.quadrantYAxisTextFill||this.primaryTextColor,this.quadrantInternalBorderStrokeFill=this.quadrantInternalBorderStrokeFill||this.primaryBorderColor,this.quadrantExternalBorderStrokeFill=this.quadrantExternalBorderStrokeFill||this.primaryBorderColor,this.quadrantTitleFill=this.quadrantTitleFill||this.primaryTextColor,this.xyChart={backgroundColor:(null==(t=this.xyChart)?void 0:t.backgroundColor)||this.background,titleColor:(null==(e=this.xyChart)?void 0:e.titleColor)||this.primaryTextColor,xAxisTitleColor:(null==(i=this.xyChart)?void 0:i.xAxisTitleColor)||this.primaryTextColor,xAxisLabelColor:(null==(r=this.xyChart)?void 0:r.xAxisLabelColor)||this.primaryTextColor,xAxisTickColor:(null==(n=this.xyChart)?void 0:n.xAxisTickColor)||this.primaryTextColor,xAxisLineColor:(null==(o=this.xyChart)?void 0:o.xAxisLineColor)||this.primaryTextColor,yAxisTitleColor:(null==(a=this.xyChart)?void 0:a.yAxisTitleColor)||this.primaryTextColor,yAxisLabelColor:(null==(s=this.xyChart)?void 0:s.yAxisLabelColor)||this.primaryTextColor,yAxisTickColor:(null==(l=this.xyChart)?void 0:l.yAxisTickColor)||this.primaryTextColor,yAxisLineColor:(null==(c=this.xyChart)?void 0:c.yAxisLineColor)||this.primaryTextColor,plotColorPalette:(null==(u=this.xyChart)?void 0:u.plotColorPalette)||"#EEE,#6BB8E4,#8ACB88,#C7ACD6,#E8DCC2,#FFB2A8,#FFF380,#7E8D91,#FFD8B1,#FAF3E0"},this.requirementBackground=this.requirementBackground||this.primaryColor,this.requirementBorderColor=this.requirementBorderColor||this.primaryBorderColor,this.requirementBorderSize=this.requirementBorderSize||"1",this.requirementTextColor=this.requirementTextColor||this.primaryTextColor,this.relationColor=this.relationColor||this.lineColor,this.relationLabelBackground=this.relationLabelBackground||this.edgeLabelBackground,this.relationLabelColor=this.relationLabelColor||this.actorTextColor,this.git0=(0,p.Z)(this.pie1,25)||this.primaryColor,this.git1=this.pie2||this.secondaryColor,this.git2=this.pie3||this.tertiaryColor,this.git3=this.pie4||h(this.primaryColor,{h:-30}),this.git4=this.pie5||h(this.primaryColor,{h:-60}),this.git5=this.pie6||h(this.primaryColor,{h:-90}),this.git6=this.pie7||h(this.primaryColor,{h:60}),this.git7=this.pie8||h(this.primaryColor,{h:120}),this.gitInv0=this.gitInv0||f(this.git0),this.gitInv1=this.gitInv1||f(this.git1),this.gitInv2=this.gitInv2||f(this.git2),this.gitInv3=this.gitInv3||f(this.git3),this.gitInv4=this.gitInv4||f(this.git4),this.gitInv5=this.gitInv5||f(this.git5),this.gitInv6=this.gitInv6||f(this.git6),this.gitInv7=this.gitInv7||f(this.git7),this.branchLabelColor=this.branchLabelColor||this.labelTextColor,this.gitBranchLabel0=this.branchLabelColor,this.gitBranchLabel1="white",this.gitBranchLabel2=this.branchLabelColor,this.gitBranchLabel3="white",this.gitBranchLabel4=this.branchLabelColor,this.gitBranchLabel5=this.branchLabelColor,this.gitBranchLabel6=this.branchLabelColor,this.gitBranchLabel7=this.branchLabelColor,this.tagLabelColor=this.tagLabelColor||this.primaryTextColor,this.tagLabelBackground=this.tagLabelBackground||this.primaryColor,this.tagLabelBorder=this.tagBorder||this.primaryBorderColor,this.tagLabelFontSize=this.tagLabelFontSize||"10px",this.commitLabelColor=this.commitLabelColor||this.secondaryTextColor,this.commitLabelBackground=this.commitLabelBackground||this.secondaryColor,this.commitLabelFontSize=this.commitLabelFontSize||"10px",this.attributeBackgroundColorOdd=this.attributeBackgroundColorOdd||kt,this.attributeBackgroundColorEven=this.attributeBackgroundColorEven||Tt}calculate(t){if("object"!=typeof t)return void this.updateColors();const e=Object.keys(t);e.forEach((e=>{this[e]=t[e]})),this.updateColors(),e.forEach((e=>{this[e]=t[e]}))}}const Mt={base:{getThemeVariables:t=>{const e=new wt;return e.calculate(t),e}},dark:{getThemeVariables:t=>{const e=new St;return e.calculate(t),e}},default:{getThemeVariables:Ft},forest:{getThemeVariables:t=>{const e=new Lt;return e.calculate(t),e}},neutral:{getThemeVariables:t=>{const e=new At;return e.calculate(t),e}}},Et={flowchart:{useMaxWidth:!0,titleTopMargin:25,diagramPadding:8,htmlLabels:!0,nodeSpacing:50,rankSpacing:50,curve:"basis",padding:15,defaultRenderer:"dagre-wrapper",wrappingWidth:200},sequence:{useMaxWidth:!0,hideUnusedParticipants:!1,activationWidth:10,diagramMarginX:50,diagramMarginY:10,actorMargin:50,width:150,height:65,boxMargin:10,boxTextMargin:5,noteMargin:10,messageMargin:35,messageAlign:"center",mirrorActors:!0,forceMenus:!1,bottomMarginAdj:1,rightAngles:!1,showSequenceNumbers:!1,actorFontSize:14,actorFontFamily:'"Open Sans", sans-serif',actorFontWeight:400,noteFontSize:14,noteFontFamily:'"trebuchet ms", verdana, arial, sans-serif',noteFontWeight:400,noteAlign:"center",messageFontSize:16,messageFontFamily:'"trebuchet ms", verdana, arial, sans-serif',messageFontWeight:400,wrap:!1,wrapPadding:10,labelBoxWidth:50,labelBoxHeight:20},gantt:{useMaxWidth:!0,titleTopMargin:25,barHeight:20,barGap:4,topPadding:50,rightPadding:75,leftPadding:75,gridLineStartPadding:35,fontSize:11,sectionFontSize:11,numberSectionStyles:4,axisFormat:"%Y-%m-%d",topAxis:!1,displayMode:"",weekday:"sunday"},journey:{useMaxWidth:!0,diagramMarginX:50,diagramMarginY:10,leftMargin:150,width:150,height:50,boxMargin:10,boxTextMargin:5,noteMargin:10,messageMargin:35,messageAlign:"center",bottomMarginAdj:1,rightAngles:!1,taskFontSize:14,taskFontFamily:'"Open Sans", sans-serif',taskMargin:50,activationWidth:10,textPlacement:"fo",actorColours:["#8FBC8F","#7CFC00","#00FFFF","#20B2AA","#B0E0E6","#FFFFE0"],sectionFills:["#191970","#8B008B","#4B0082","#2F4F4F","#800000","#8B4513","#00008B"],sectionColours:["#fff"]},class:{useMaxWidth:!0,titleTopMargin:25,arrowMarkerAbsolute:!1,dividerMargin:10,padding:5,textHeight:10,defaultRenderer:"dagre-wrapper",htmlLabels:!1},state:{useMaxWidth:!0,titleTopMargin:25,dividerMargin:10,sizeUnit:5,padding:8,textHeight:10,titleShift:-15,noteMargin:10,forkWidth:70,forkHeight:7,miniPadding:2,fontSizeFactor:5.02,fontSize:24,labelHeight:16,edgeLengthFactor:"20",compositTitleSize:35,radius:5,defaultRenderer:"dagre-wrapper"},er:{useMaxWidth:!0,titleTopMargin:25,diagramPadding:20,layoutDirection:"TB",minEntityWidth:100,minEntityHeight:75,entityPadding:15,stroke:"gray",fill:"honeydew",fontSize:12},pie:{useMaxWidth:!0,textPosition:.75},quadrantChart:{useMaxWidth:!0,chartWidth:500,chartHeight:500,titleFontSize:20,titlePadding:10,quadrantPadding:5,xAxisLabelPadding:5,yAxisLabelPadding:5,xAxisLabelFontSize:16,yAxisLabelFontSize:16,quadrantLabelFontSize:16,quadrantTextTopPadding:5,pointTextPadding:5,pointLabelFontSize:12,pointRadius:5,xAxisPosition:"top",yAxisPosition:"left",quadrantInternalBorderStrokeWidth:1,quadrantExternalBorderStrokeWidth:2},xyChart:{useMaxWidth:!0,width:700,height:500,titleFontSize:20,titlePadding:10,showTitle:!0,xAxis:{$ref:"#/$defs/XYChartAxisConfig",showLabel:!0,labelFontSize:14,labelPadding:5,showTitle:!0,titleFontSize:16,titlePadding:5,showTick:!0,tickLength:5,tickWidth:2,showAxisLine:!0,axisLineWidth:2},yAxis:{$ref:"#/$defs/XYChartAxisConfig",showLabel:!0,labelFontSize:14,labelPadding:5,showTitle:!0,titleFontSize:16,titlePadding:5,showTick:!0,tickLength:5,tickWidth:2,showAxisLine:!0,axisLineWidth:2},chartOrientation:"vertical",plotReservedSpacePercent:50},requirement:{useMaxWidth:!0,rect_fill:"#f9f9f9",text_color:"#333",rect_border_size:"0.5px",rect_border_color:"#bbb",rect_min_width:200,rect_min_height:200,fontSize:14,rect_padding:10,line_height:20},mindmap:{useMaxWidth:!0,padding:10,maxNodeWidth:200},timeline:{useMaxWidth:!0,diagramMarginX:50,diagramMarginY:10,leftMargin:150,width:150,height:50,boxMargin:10,boxTextMargin:5,noteMargin:10,messageMargin:35,messageAlign:"center",bottomMarginAdj:1,rightAngles:!1,taskFontSize:14,taskFontFamily:'"Open Sans", sans-serif',taskMargin:50,activationWidth:10,textPlacement:"fo",actorColours:["#8FBC8F","#7CFC00","#00FFFF","#20B2AA","#B0E0E6","#FFFFE0"],sectionFills:["#191970","#8B008B","#4B0082","#2F4F4F","#800000","#8B4513","#00008B"],sectionColours:["#fff"],disableMulticolor:!1},gitGraph:{useMaxWidth:!0,titleTopMargin:25,diagramPadding:8,nodeLabel:{width:75,height:100,x:-25,y:0},mainBranchName:"main",mainBranchOrder:0,showCommitLabel:!0,showBranches:!0,rotateCommitLabel:!0,arrowMarkerAbsolute:!1},c4:{useMaxWidth:!0,diagramMarginX:50,diagramMarginY:10,c4ShapeMargin:50,c4ShapePadding:20,width:216,height:60,boxMargin:10,c4ShapeInRow:4,nextLinePaddingX:0,c4BoundaryInRow:2,personFontSize:14,personFontFamily:'"Open Sans", sans-serif',personFontWeight:"normal",external_personFontSize:14,external_personFontFamily:'"Open Sans", sans-serif',external_personFontWeight:"normal",systemFontSize:14,systemFontFamily:'"Open Sans", sans-serif',systemFontWeight:"normal",external_systemFontSize:14,external_systemFontFamily:'"Open Sans", sans-serif',external_systemFontWeight:"normal",system_dbFontSize:14,system_dbFontFamily:'"Open Sans", sans-serif',system_dbFontWeight:"normal",external_system_dbFontSize:14,external_system_dbFontFamily:'"Open Sans", sans-serif',external_system_dbFontWeight:"normal",system_queueFontSize:14,system_queueFontFamily:'"Open Sans", sans-serif',system_queueFontWeight:"normal",external_system_queueFontSize:14,external_system_queueFontFamily:'"Open Sans", sans-serif',external_system_queueFontWeight:"normal",boundaryFontSize:14,boundaryFontFamily:'"Open Sans", sans-serif',boundaryFontWeight:"normal",messageFontSize:12,messageFontFamily:'"Open Sans", sans-serif',messageFontWeight:"normal",containerFontSize:14,containerFontFamily:'"Open Sans", sans-serif',containerFontWeight:"normal",external_containerFontSize:14,external_containerFontFamily:'"Open Sans", sans-serif',external_containerFontWeight:"normal",container_dbFontSize:14,container_dbFontFamily:'"Open Sans", sans-serif',container_dbFontWeight:"normal",external_container_dbFontSize:14,external_container_dbFontFamily:'"Open Sans", sans-serif',external_container_dbFontWeight:"normal",container_queueFontSize:14,container_queueFontFamily:'"Open Sans", sans-serif',container_queueFontWeight:"normal",external_container_queueFontSize:14,external_container_queueFontFamily:'"Open Sans", sans-serif',external_container_queueFontWeight:"normal",componentFontSize:14,componentFontFamily:'"Open Sans", sans-serif',componentFontWeight:"normal",external_componentFontSize:14,external_componentFontFamily:'"Open Sans", sans-serif',external_componentFontWeight:"normal",component_dbFontSize:14,component_dbFontFamily:'"Open Sans", sans-serif',component_dbFontWeight:"normal",external_component_dbFontSize:14,external_component_dbFontFamily:'"Open Sans", sans-serif',external_component_dbFontWeight:"normal",component_queueFontSize:14,component_queueFontFamily:'"Open Sans", sans-serif',component_queueFontWeight:"normal",external_component_queueFontSize:14,external_component_queueFontFamily:'"Open Sans", sans-serif',external_component_queueFontWeight:"normal",wrap:!0,wrapPadding:10,person_bg_color:"#08427B",person_border_color:"#073B6F",external_person_bg_color:"#686868",external_person_border_color:"#8A8A8A",system_bg_color:"#1168BD",system_border_color:"#3C7FC0",system_db_bg_color:"#1168BD",system_db_border_color:"#3C7FC0",system_queue_bg_color:"#1168BD",system_queue_border_color:"#3C7FC0",external_system_bg_color:"#999999",external_system_border_color:"#8A8A8A",external_system_db_bg_color:"#999999",external_system_db_border_color:"#8A8A8A",external_system_queue_bg_color:"#999999",external_system_queue_border_color:"#8A8A8A",container_bg_color:"#438DD5",container_border_color:"#3C7FC0",container_db_bg_color:"#438DD5",container_db_border_color:"#3C7FC0",container_queue_bg_color:"#438DD5",container_queue_border_color:"#3C7FC0",external_container_bg_color:"#B3B3B3",external_container_border_color:"#A6A6A6",external_container_db_bg_color:"#B3B3B3",external_container_db_border_color:"#A6A6A6",external_container_queue_bg_color:"#B3B3B3",external_container_queue_border_color:"#A6A6A6",component_bg_color:"#85BBF0",component_border_color:"#78A8D8",component_db_bg_color:"#85BBF0",component_db_border_color:"#78A8D8",component_queue_bg_color:"#85BBF0",component_queue_border_color:"#78A8D8",external_component_bg_color:"#CCCCCC",external_component_border_color:"#BFBFBF",external_component_db_bg_color:"#CCCCCC",external_component_db_border_color:"#BFBFBF",external_component_queue_bg_color:"#CCCCCC",external_component_queue_border_color:"#BFBFBF"},sankey:{useMaxWidth:!0,width:600,height:400,linkColor:"gradient",nodeAlignment:"justify",showValues:!0,prefix:"",suffix:""},theme:"default",maxTextSize:5e4,darkMode:!1,fontFamily:'"trebuchet ms", verdana, arial, sans-serif;',logLevel:5,securityLevel:"strict",startOnLoad:!0,arrowMarkerAbsolute:!1,secure:["secure","securityLevel","startOnLoad","maxTextSize"],deterministicIds:!1,fontSize:16},Nt={...Et,deterministicIDSeed:void 0,themeCSS:void 0,themeVariables:Mt.default.getThemeVariables(),sequence:{...Et.sequence,messageFont:function(){return{fontFamily:this.messageFontFamily,fontSize:this.messageFontSize,fontWeight:this.messageFontWeight}},noteFont:function(){return{fontFamily:this.noteFontFamily,fontSize:this.noteFontSize,fontWeight:this.noteFontWeight}},actorFont:function(){return{fontFamily:this.actorFontFamily,fontSize:this.actorFontSize,fontWeight:this.actorFontWeight}}},gantt:{...Et.gantt,tickInterval:void 0,useWidth:void 0},c4:{...Et.c4,useWidth:void 0,personFont:function(){return{fontFamily:this.personFontFamily,fontSize:this.personFontSize,fontWeight:this.personFontWeight}},external_personFont:function(){return{fontFamily:this.external_personFontFamily,fontSize:this.external_personFontSize,fontWeight:this.external_personFontWeight}},systemFont:function(){return{fontFamily:this.systemFontFamily,fontSize:this.systemFontSize,fontWeight:this.systemFontWeight}},external_systemFont:function(){return{fontFamily:this.external_systemFontFamily,fontSize:this.external_systemFontSize,fontWeight:this.external_systemFontWeight}},system_dbFont:function(){return{fontFamily:this.system_dbFontFamily,fontSize:this.system_dbFontSize,fontWeight:this.system_dbFontWeight}},external_system_dbFont:function(){return{fontFamily:this.external_system_dbFontFamily,fontSize:this.external_system_dbFontSize,fontWeight:this.external_system_dbFontWeight}},system_queueFont:function(){return{fontFamily:this.system_queueFontFamily,fontSize:this.system_queueFontSize,fontWeight:this.system_queueFontWeight}},external_system_queueFont:function(){return{fontFamily:this.external_system_queueFontFamily,fontSize:this.external_system_queueFontSize,fontWeight:this.external_system_queueFontWeight}},containerFont:function(){return{fontFamily:this.containerFontFamily,fontSize:this.containerFontSize,fontWeight:this.containerFontWeight}},external_containerFont:function(){return{fontFamily:this.external_containerFontFamily,fontSize:this.external_containerFontSize,fontWeight:this.external_containerFontWeight}},container_dbFont:function(){return{fontFamily:this.container_dbFontFamily,fontSize:this.container_dbFontSize,fontWeight:this.container_dbFontWeight}},external_container_dbFont:function(){return{fontFamily:this.external_container_dbFontFamily,fontSize:this.external_container_dbFontSize,fontWeight:this.external_container_dbFontWeight}},container_queueFont:function(){return{fontFamily:this.container_queueFontFamily,fontSize:this.container_queueFontSize,fontWeight:this.container_queueFontWeight}},external_container_queueFont:function(){return{fontFamily:this.external_container_queueFontFamily,fontSize:this.external_container_queueFontSize,fontWeight:this.external_container_queueFontWeight}},componentFont:function(){return{fontFamily:this.componentFontFamily,fontSize:this.componentFontSize,fontWeight:this.componentFontWeight}},external_componentFont:function(){return{fontFamily:this.external_componentFontFamily,fontSize:this.external_componentFontSize,fontWeight:this.external_componentFontWeight}},component_dbFont:function(){return{fontFamily:this.component_dbFontFamily,fontSize:this.component_dbFontSize,fontWeight:this.component_dbFontWeight}},external_component_dbFont:function(){return{fontFamily:this.external_component_dbFontFamily,fontSize:this.external_component_dbFontSize,fontWeight:this.external_component_dbFontWeight}},component_queueFont:function(){return{fontFamily:this.component_queueFontFamily,fontSize:this.component_queueFontSize,fontWeight:this.component_queueFontWeight}},external_component_queueFont:function(){return{fontFamily:this.external_component_queueFontFamily,fontSize:this.external_component_queueFontSize,fontWeight:this.external_component_queueFontWeight}},boundaryFont:function(){return{fontFamily:this.boundaryFontFamily,fontSize:this.boundaryFontSize,fontWeight:this.boundaryFontWeight}},messageFont:function(){return{fontFamily:this.messageFontFamily,fontSize:this.messageFontSize,fontWeight:this.messageFontWeight}}},pie:{...Et.pie,useWidth:984},xyChart:{...Et.xyChart,useWidth:void 0},requirement:{...Et.requirement,useWidth:void 0},gitGraph:{...Et.gitGraph,useMaxWidth:!1},sankey:{...Et.sankey,useMaxWidth:!1}},Zt=(t,e="")=>Object.keys(t).reduce(((i,r)=>Array.isArray(t[r])?i:"object"==typeof t[r]&&null!==t[r]?[...i,e+r,...Zt(t[r],"")]:[...i,e+r]),[]),jt=new Set(Zt(Nt,"")),It=Nt,Ot=t=>{if(st.debug("sanitizeDirective called with",t),"object"==typeof t&&null!=t)if(Array.isArray(t))t.forEach((t=>Ot(t)));else{for(const e of Object.keys(t)){if(st.debug("Checking key",e),e.startsWith("__")||e.includes("proto")||e.includes("constr")||!jt.has(e)||null==t[e]){st.debug("sanitize deleting key: ",e),delete t[e];continue}if("object"==typeof t[e]){st.debug("sanitizing object",e),Ot(t[e]);continue}const i=["themeCSS","fontFamily","altFontFamily"];for(const r of i)e.includes(r)&&(st.debug("sanitizing css option",e),t[e]=Dt(t[e]))}if(t.themeVariables)for(const e of Object.keys(t.themeVariables)){const i=t.themeVariables[e];(null==i?void 0:i.match)&&!i.match(/^[\d "#%(),.;A-Za-z]+$/)&&(t.themeVariables[e]="")}st.debug("After sanitization",t)}},Dt=t=>{let e=0,i=0;for(const r of t){if(e<i)return"{ /* ERROR: Unbalanced CSS */ }";"{"===r?e++:"}"===r&&i++}return e!==i?"{ /* ERROR: Unbalanced CSS */ }":t},qt=/^-{3}\s*[\n\r](.*?)[\n\r]-{3}\s*[\n\r]+/s,$t=/%{2}{\s*(?:(\w+)\s*:|(\w+))\s*(?:(\w+)|((?:(?!}%{2}).|\r?\n)*))?\s*(?:}%{2})?/gi,zt=/\s*%%.*\n/gm;class Pt extends Error{constructor(t){super(t),this.name="UnknownDiagramError"}}const Rt={},Ht=function(t,e){t=t.replace(qt,"").replace($t,"").replace(zt,"\n");for(const[i,{detector:r}]of Object.entries(Rt)){if(r(t,e))return i}throw new Pt(`No diagram type detected matching given configuration for text: ${t}`)},Wt=(...t)=>{for(const{id:e,detector:i,loader:r}of t)Ut(e,i,r)},Ut=(t,e,i)=>{Rt[t]?st.error(`Detector with key ${t} already exists`):Rt[t]={detector:e,loader:i},st.debug(`Detector with key ${t} added${i?" with loader":""}`)},Yt=(t,e,{depth:i=2,clobber:r=!1}={})=>{const n={depth:i,clobber:r};return Array.isArray(e)&&!Array.isArray(t)?(e.forEach((e=>Yt(t,e,n))),t):Array.isArray(e)&&Array.isArray(t)?(e.forEach((e=>{t.includes(e)||t.push(e)})),t):void 0===t||i<=0?null!=t&&"object"==typeof t&&"object"==typeof e?Object.assign(t,e):e:(void 0!==e&&"object"==typeof t&&"object"==typeof e&&Object.keys(e).forEach((n=>{"object"!=typeof e[n]||void 0!==t[n]&&"object"!=typeof t[n]?(r||"object"!=typeof t[n]&&"object"!=typeof e[n])&&(t[n]=e[n]):(void 0===t[n]&&(t[n]=Array.isArray(e[n])?[]:{}),t[n]=Yt(t[n],e[n],{depth:i-1,clobber:r}))})),t)},Vt=Yt,Gt="\u200b",Xt={curveBasis:a.$0Z,curveBasisClosed:a.Dts,curveBasisOpen:a.WQY,curveBumpX:a.qpX,curveBumpY:a.u93,curveBundle:a.tFB,curveCardinalClosed:a.OvA,curveCardinalOpen:a.dCK,curveCardinal:a.YY7,curveCatmullRomClosed:a.fGX,curveCatmullRomOpen:a.$m7,curveCatmullRom:a.zgE,curveLinear:a.c_6,curveLinearClosed:a.fxm,curveMonotoneX:a.FdL,curveMonotoneY:a.ak_,curveNatural:a.SxZ,curveStep:a.eA_,curveStepAfter:a.jsv,curveStepBefore:a.iJ},Jt=/\s*(?:(\w+)(?=:):|(\w+))\s*(?:(\w+)|((?:(?!}%{2}).|\r?\n)*))?\s*(?:}%{2})?/gi,Qt=function(t,e=null){try{const i=new RegExp(`[%]{2}(?![{]${Jt.source})(?=[}][%]{2}).*\n`,"ig");let r;t=t.trim().replace(i,"").replace(/'/gm,'"'),st.debug(`Detecting diagram directive${null!==e?" type:"+e:""} based on the text:${t}`);const n=[];for(;null!==(r=$t.exec(t));)if(r.index===$t.lastIndex&&$t.lastIndex++,r&&!e||e&&r[1]&&r[1].match(e)||e&&r[2]&&r[2].match(e)){const t=r[1]?r[1]:r[2],e=r[3]?r[3].trim():r[4]?JSON.parse(r[4].trim()):null;n.push({type:t,args:e})}return 0===n.length?{type:t,args:null}:1===n.length?n[0]:n}catch(i){return st.error(`ERROR: ${i.message} - Unable to parse directive type: '${e}' based on the text: '${t}'`),{type:void 0,args:null}}};function Kt(t,e){if(!t)return e;const i=`curve${t.charAt(0).toUpperCase()+t.slice(1)}`;return Xt[i]??e}function te(t,e){return t&&e?Math.sqrt(Math.pow(e.x-t.x,2)+Math.pow(e.y-t.y,2)):0}const ee=(t,e=2)=>{const i=Math.pow(10,e);return Math.round(t*i)/i},ie=(t,e)=>{let i,r=e;for(const n of t){if(i){const t=te(n,i);if(t<r)r-=t;else{const e=r/t;if(e<=0)return i;if(e>=1)return{x:n.x,y:n.y};if(e>0&&e<1)return{x:ee((1-e)*i.x+e*n.x,5),y:ee((1-e)*i.y+e*n.y,5)}}}i=n}throw new Error("Could not find a suitable point for the given distance")};function re(t){let e="",i="";for(const r of t)void 0!==r&&(r.startsWith("color:")||r.startsWith("text-align:")?i=i+r+";":e=e+r+";");return{style:e,labelStyle:i}}let ne=0;const oe=()=>(ne++,"id-"+Math.random().toString(36).substr(2,12)+"-"+ne);const ae=t=>function(t){let e="";const i="0123456789abcdef";for(let r=0;r<t;r++)e+=i.charAt(Math.floor(16*Math.random()));return e}(t.length),se=function(t,e){const i=e.text.replace(_t.lineBreakRegex," "),[,r]=ge(e.fontSize),n=t.append("text");n.attr("x",e.x),n.attr("y",e.y),n.style("text-anchor",e.anchor),n.style("font-family",e.fontFamily),n.style("font-size",r),n.style("font-weight",e.fontWeight),n.attr("fill",e.fill),void 0!==e.class&&n.attr("class",e.class);const o=n.append("tspan");return o.attr("x",e.x+2*e.textMargin),o.attr("fill",e.fill),o.text(i),n},le=(0,y.Z)(((t,e,i)=>{if(!t)return t;if(i=Object.assign({fontSize:12,fontWeight:400,fontFamily:"Arial",joinWith:"<br/>"},i),_t.lineBreakRegex.test(t))return t;const r=t.split(" "),n=[];let o="";return r.forEach(((t,a)=>{const s=ue(`${t} `,i),l=ue(o,i);if(s>e){const{hyphenatedStrings:r,remainingWord:a}=ce(t,e,"-",i);n.push(o,...r),o=a}else l+s>=e?(n.push(o),o=t):o=[o,t].filter(Boolean).join(" ");a+1===r.length&&n.push(o)})),n.filter((t=>""!==t)).join(i.joinWith)}),((t,e,i)=>`${t}${e}${i.fontSize}${i.fontWeight}${i.fontFamily}${i.joinWith}`)),ce=(0,y.Z)(((t,e,i="-",r)=>{r=Object.assign({fontSize:12,fontWeight:400,fontFamily:"Arial",margin:0},r);const n=[...t],o=[];let a="";return n.forEach(((t,s)=>{const l=`${a}${t}`;if(ue(l,r)>=e){const t=s+1,e=n.length===t,r=`${l}${i}`;o.push(e?l:r),a=""}else a=l})),{hyphenatedStrings:o,remainingWord:a}}),((t,e,i="-",r)=>`${t}${e}${i}${r.fontSize}${r.fontWeight}${r.fontFamily}`));function he(t,e){return de(t,e).height}function ue(t,e){return de(t,e).width}const de=(0,y.Z)(((t,e)=>{const{fontSize:i=12,fontFamily:r="Arial",fontWeight:n=400}=e;if(!t)return{width:0,height:0};const[,o]=ge(i),s=["sans-serif",r],l=t.split(_t.lineBreakRegex),c=[],h=(0,a.Ys)("body");if(!h.remove)return{width:0,height:0,lineHeight:0};const u=h.append("svg");for(const a of s){let t=0;const e={width:0,height:0,lineHeight:0};for(const i of l){const r={x:0,y:0,fill:void 0,anchor:"start",style:"#666",width:100,height:100,textMargin:0,rx:0,ry:0,valign:void 0,text:""};r.text=i||Gt;const s=se(u,r).style("font-size",o).style("font-weight",n).style("font-family",a),l=(s._groups||s)[0][0].getBBox();if(0===l.width&&0===l.height)throw new Error("svg element not in render tree");e.width=Math.round(Math.max(e.width,l.width)),t=Math.round(l.height),e.height+=t,e.lineHeight=Math.round(Math.max(e.lineHeight,t))}c.push(e)}u.remove();return c[isNaN(c[1].height)||isNaN(c[1].width)||isNaN(c[1].lineHeight)||c[0].height>c[1].height&&c[0].width>c[1].width&&c[0].lineHeight>c[1].lineHeight?0:1]}),((t,e)=>`${t}${e.fontSize}${e.fontWeight}${e.fontFamily}`));let fe;function pe(t){return"str"in t}const ge=t=>{if("number"==typeof t)return[t,t+"px"];const e=parseInt(t??"",10);return Number.isNaN(e)?[void 0,void 0]:t===String(e)?[e,t+"px"]:[e,t]};function me(t,e){return(0,x.Z)({},t,e)}const ye={assignWithDepth:Vt,wrapLabel:le,calculateTextHeight:he,calculateTextWidth:ue,calculateTextDimensions:de,cleanAndMerge:me,detectInit:function(t,e){const i=Qt(t,/(?:init\b)|(?:initialize\b)/);let r={};if(Array.isArray(i)){const t=i.map((t=>t.args));Ot(t),r=Vt(r,[...t])}else r=i.args;if(!r)return;let n=Ht(t,e);const o="config";return void 0!==r[o]&&("flowchart-v2"===n&&(n="flowchart"),r[n]=r[o],delete r[o]),r},detectDirective:Qt,isSubstringInArray:function(t,e){for(const[i,r]of e.entries())if(r.match(t))return i;return-1},interpolateToCurve:Kt,calcLabelPosition:function(t){return 1===t.length?t[0]:function(t){let e,i=0;return t.forEach((t=>{i+=te(t,e),e=t})),ie(t,i/2)}(t)},calcCardinalityPosition:(t,e,i)=>{st.info(`our points ${JSON.stringify(e)}`),e[0]!==i&&(e=e.reverse());const r=ie(e,25),n=t?10:5,o=Math.atan2(e[0].y-r.y,e[0].x-r.x),a={x:0,y:0};return a.x=Math.sin(o)*n+(e[0].x+r.x)/2,a.y=-Math.cos(o)*n+(e[0].y+r.y)/2,a},calcTerminalLabelPosition:function(t,e,i){const r=structuredClone(i);st.info("our points",r),"start_left"!==e&&"start_right"!==e&&r.reverse();const n=ie(r,25+t),o=10+.5*t,a=Math.atan2(r[0].y-n.y,r[0].x-n.x),s={x:0,y:0};return"start_left"===e?(s.x=Math.sin(a+Math.PI)*o+(r[0].x+n.x)/2,s.y=-Math.cos(a+Math.PI)*o+(r[0].y+n.y)/2):"end_right"===e?(s.x=Math.sin(a-Math.PI)*o+(r[0].x+n.x)/2-5,s.y=-Math.cos(a-Math.PI)*o+(r[0].y+n.y)/2-5):"end_left"===e?(s.x=Math.sin(a)*o+(r[0].x+n.x)/2-5,s.y=-Math.cos(a)*o+(r[0].y+n.y)/2-5):(s.x=Math.sin(a)*o+(r[0].x+n.x)/2,s.y=-Math.cos(a)*o+(r[0].y+n.y)/2),s},formatUrl:function(t,e){const i=t.trim();if(i)return"loose"!==e.securityLevel?(0,o.Nm)(i):i},getStylesFromArray:re,generateId:oe,random:ae,runFunc:(t,...e)=>{const i=t.split("."),r=i.length-1,n=i[r];let o=window;for(let a=0;a<r;a++)if(o=o[i[a]],!o)return void st.error(`Function name: ${t} not found in window`);o[n](...e)},entityDecode:function(t){return fe=fe||document.createElement("div"),t=escape(t).replace(/%26/g,"&").replace(/%23/g,"#").replace(/%3B/g,";"),fe.innerHTML=t,unescape(fe.textContent)},insertTitle:(t,e,i,r)=>{var n;if(!r)return;const o=null==(n=t.node())?void 0:n.getBBox();o&&t.append("text").text(r).attr("x",o.x+o.width/2).attr("y",-i).attr("class",e)},parseFontSize:ge,InitIDGenerator:class{constructor(t=!1,e){this.count=0,this.count=e?e.length:0,this.next=t?()=>this.count++:()=>Date.now()}}},xe="10.6.1",be=Object.freeze(It);let Ce,_e=Vt({},be),ve=[],ke=Vt({},be);const Te=(t,e)=>{let i=Vt({},t),r={};for(const n of e)Fe(n),r=Vt(r,n);if(i=Vt(i,r),r.theme&&r.theme in Mt){const t=Vt({},Ce),e=Vt(t.themeVariables||{},r.themeVariables);i.theme&&i.theme in Mt&&(i.themeVariables=Mt[i.theme].getThemeVariables(e))}return ke=i,Ne(ke),ke},we=()=>Vt({},_e),Se=t=>(Ne(t),Vt(ke,t),Be()),Be=()=>Vt({},ke),Fe=t=>{t&&(["secure",..._e.secure??[]].forEach((e=>{Object.hasOwn(t,e)&&(st.debug(`Denied attempt to modify a secure key ${e}`,t[e]),delete t[e])})),Object.keys(t).forEach((e=>{e.startsWith("__")&&delete t[e]})),Object.keys(t).forEach((e=>{"string"==typeof t[e]&&(t[e].includes("<")||t[e].includes(">")||t[e].includes("url(data:"))&&delete t[e],"object"==typeof t[e]&&Fe(t[e])})))},Le=t=>{Ot(t),!t.fontFamily||t.themeVariables&&t.themeVariables.fontFamily||(t.themeVariables={fontFamily:t.fontFamily}),ve.push(t),Te(_e,ve)},Ae=(t=_e)=>{ve=[],Te(t,ve)},Me={LAZY_LOAD_DEPRECATED:"The configuration options lazyLoadedDiagrams and loadExternalDiagramsAtStartup are deprecated. Please use registerExternalDiagrams instead."},Ee={},Ne=t=>{var e;t&&((t.lazyLoadedDiagrams||t.loadExternalDiagramsAtStartup)&&(Ee[e="LAZY_LOAD_DEPRECATED"]||(st.warn(Me[e]),Ee[e]=!0)))},Ze={id:"c4",detector:t=>/^\s*C4Context|C4Container|C4Component|C4Dynamic|C4Deployment/.test(t),loader:async()=>{const{diagram:t}=await i.e(132).then(i.bind(i,132));return{id:"c4",diagram:t}}},je="flowchart",Ie={id:je,detector:(t,e)=>{var i,r;return"dagre-wrapper"!==(null==(i=null==e?void 0:e.flowchart)?void 0:i.defaultRenderer)&&"elk"!==(null==(r=null==e?void 0:e.flowchart)?void 0:r.defaultRenderer)&&/^\s*graph/.test(t)},loader:async()=>{const{diagram:t}=await Promise.all([i.e(1644),i.e(3076),i.e(5269),i.e(7936),i.e(8955),i.e(1763)]).then(i.bind(i,1763));return{id:je,diagram:t}}},Oe="flowchart-v2",De={id:Oe,detector:(t,e)=>{var i,r,n;return"dagre-d3"!==(null==(i=null==e?void 0:e.flowchart)?void 0:i.defaultRenderer)&&"elk"!==(null==(r=null==e?void 0:e.flowchart)?void 0:r.defaultRenderer)&&(!(!/^\s*graph/.test(t)||"dagre-wrapper"!==(null==(n=null==e?void 0:e.flowchart)?void 0:n.defaultRenderer))||/^\s*flowchart/.test(t))},loader:async()=>{const{diagram:t}=await Promise.all([i.e(1644),i.e(3076),i.e(5269),i.e(7936),i.e(8955),i.e(9893)]).then(i.bind(i,9893));return{id:Oe,diagram:t}}},qe={id:"er",detector:t=>/^\s*erDiagram/.test(t),loader:async()=>{const{diagram:t}=await Promise.all([i.e(1644),i.e(3343)]).then(i.bind(i,3343));return{id:"er",diagram:t}}},$e="gitGraph",ze={id:$e,detector:t=>/^\s*gitGraph/.test(t),loader:async()=>{const{diagram:t}=await i.e(3619).then(i.bind(i,3619));return{id:$e,diagram:t}}},Pe="gantt",Re={id:Pe,detector:t=>/^\s*gantt/.test(t),loader:async()=>{const{diagram:t}=await i.e(8016).then(i.bind(i,8016));return{id:Pe,diagram:t}}},He="info",We={id:He,detector:t=>/^\s*info/.test(t),loader:async()=>{const{diagram:t}=await i.e(5326).then(i.bind(i,5326));return{id:He,diagram:t}}},Ue={id:"pie",detector:t=>/^\s*pie/.test(t),loader:async()=>{const{diagram:t}=await i.e(2661).then(i.bind(i,2661));return{id:"pie",diagram:t}}},Ye="quadrantChart",Ve={id:Ye,detector:t=>/^\s*quadrantChart/.test(t),loader:async()=>{const{diagram:t}=await i.e(6648).then(i.bind(i,6648));return{id:Ye,diagram:t}}},Ge="xychart",Xe={id:Ge,detector:t=>/^\s*xychart-beta/.test(t),loader:async()=>{const{diagram:t}=await Promise.all([i.e(3076),i.e(2693)]).then(i.bind(i,8088));return{id:Ge,diagram:t}}},Je="requirement",Qe={id:Je,detector:t=>/^\s*requirement(Diagram)?/.test(t),loader:async()=>{const{diagram:t}=await Promise.all([i.e(1644),i.e(6985)]).then(i.bind(i,6985));return{id:Je,diagram:t}}},Ke="sequence",ti={id:Ke,detector:t=>/^\s*sequenceDiagram/.test(t),loader:async()=>{const{diagram:t}=await i.e(5790).then(i.bind(i,5790));return{id:Ke,diagram:t}}},ei="class",ii={id:ei,detector:(t,e)=>{var i;return"dagre-wrapper"!==(null==(i=null==e?void 0:e.class)?void 0:i.defaultRenderer)&&/^\s*classDiagram/.test(t)},loader:async()=>{const{diagram:t}=await Promise.all([i.e(1644),i.e(4706),i.e(109)]).then(i.bind(i,109));return{id:ei,diagram:t}}},ri="classDiagram",ni={id:ri,detector:(t,e)=>{var i;return!(!/^\s*classDiagram/.test(t)||"dagre-wrapper"!==(null==(i=null==e?void 0:e.class)?void 0:i.defaultRenderer))||/^\s*classDiagram-v2/.test(t)},loader:async()=>{const{diagram:t}=await Promise.all([i.e(1644),i.e(3076),i.e(5269),i.e(7936),i.e(4706),i.e(6255)]).then(i.bind(i,6255));return{id:ri,diagram:t}}},oi="state",ai={id:oi,detector:(t,e)=>{var i;return"dagre-wrapper"!==(null==(i=null==e?void 0:e.state)?void 0:i.defaultRenderer)&&/^\s*stateDiagram/.test(t)},loader:async()=>{const{diagram:t}=await Promise.all([i.e(1644),i.e(1504),i.e(2696)]).then(i.bind(i,2696));return{id:oi,diagram:t}}},si="stateDiagram",li={id:si,detector:(t,e)=>{var i;return!!/^\s*stateDiagram-v2/.test(t)||!(!/^\s*stateDiagram/.test(t)||"dagre-wrapper"!==(null==(i=null==e?void 0:e.state)?void 0:i.defaultRenderer))},loader:async()=>{const{diagram:t}=await Promise.all([i.e(1644),i.e(3076),i.e(5269),i.e(7936),i.e(1504),i.e(5943)]).then(i.bind(i,5943));return{id:si,diagram:t}}},ci="journey",hi={id:ci,detector:t=>/^\s*journey/.test(t),loader:async()=>{const{diagram:t}=await i.e(2183).then(i.bind(i,2183));return{id:ci,diagram:t}}},ui=function(t,e,i,r){const n=function(t,e,i){let r=new Map;return i?(r.set("width","100%"),r.set("style",`max-width: ${e}px;`)):(r.set("height",t),r.set("width",e)),r}(e,i,r);!function(t,e){for(let i of e)t.attr(i[0],i[1])}(t,n)},di=function(t,e,i,r){const n=e.node().getBBox(),o=n.width,a=n.height;st.info(`SVG bounds: ${o}x${a}`,n);let s=0,l=0;st.info(`Graph bounds: ${s}x${l}`,t),s=o+2*i,l=a+2*i,st.info(`Calculated bounds: ${s}x${l}`),ui(e,l,s,r);const c=`${n.x-i} ${n.y-i} ${n.width+2*i} ${n.height+2*i}`;e.attr("viewBox",c)},fi={},pi=(t,e,i)=>{let r="";return t in fi&&fi[t]?r=fi[t](i):st.warn(`No theme found for ${t}`),` & {\n font-family: ${i.fontFamily};\n font-size: ${i.fontSize};\n fill: ${i.textColor}\n }\n\n /* Classes common for multiple diagrams */\n\n & .error-icon {\n fill: ${i.errorBkgColor};\n }\n & .error-text {\n fill: ${i.errorTextColor};\n stroke: ${i.errorTextColor};\n }\n\n & .edge-thickness-normal {\n stroke-width: 2px;\n }\n & .edge-thickness-thick {\n stroke-width: 3.5px\n }\n & .edge-pattern-solid {\n stroke-dasharray: 0;\n }\n\n & .edge-pattern-dashed{\n stroke-dasharray: 3;\n }\n .edge-pattern-dotted {\n stroke-dasharray: 2;\n }\n\n & .marker {\n fill: ${i.lineColor};\n stroke: ${i.lineColor};\n }\n & .marker.cross {\n stroke: ${i.lineColor};\n }\n\n & svg {\n font-family: ${i.fontFamily};\n font-size: ${i.fontSize};\n }\n\n ${r}\n\n ${e}\n`};let gi="",mi="",yi="";const xi=t=>ft(t,Be()),bi=()=>{gi="",yi="",mi=""},Ci=t=>{gi=xi(t).replace(/^\s+/g,"")},_i=()=>gi,vi=t=>{yi=xi(t).replace(/\n\s+/g,"\n")},ki=()=>yi,Ti=t=>{mi=xi(t)},wi=()=>mi,Si=Object.freeze(Object.defineProperty({__proto__:null,clear:bi,getAccDescription:ki,getAccTitle:_i,getDiagramTitle:wi,setAccDescription:vi,setAccTitle:Ci,setDiagramTitle:Ti},Symbol.toStringTag,{value:"Module"})),Bi=st,Fi=lt,Li=Be,Ai=Se,Mi=be,Ei=t=>ft(t,Li()),Ni=di,Zi={},ji=(t,e,i)=>{var r,n,o;if(Zi[t])throw new Error(`Diagram ${t} already registered.`);Zi[t]=e,i&&Ut(t,i),n=t,void 0!==(o=e.styles)&&(fi[n]=o),null==(r=e.injectUtils)||r.call(e,Bi,Fi,Li,Ei,Ni,Si,(()=>{}))},Ii=t=>{if(t in Zi)return Zi[t];throw new Oi(t)};class Oi extends Error{constructor(t){super(`Diagram ${t} not found.`)}}const Di=t=>{var e;const{securityLevel:i}=Li();let r=(0,a.Ys)("body");if("sandbox"===i){const i=(null==(e=(0,a.Ys)(`#i${t}`).node())?void 0:e.contentDocument)??document;r=(0,a.Ys)(i.body)}return r.select(`#${t}`)},qi={draw:(t,e,i)=>{st.debug("renering svg for syntax error\n");const r=Di(e);r.attr("viewBox","0 0 2412 512"),ui(r,100,512,!0);const n=r.append("g");n.append("path").attr("class","error-icon").attr("d","m411.313,123.313c6.25-6.25 6.25-16.375 0-22.625s-16.375-6.25-22.625,0l-32,32-9.375,9.375-20.688-20.688c-12.484-12.5-32.766-12.5-45.25,0l-16,16c-1.261,1.261-2.304,2.648-3.31,4.051-21.739-8.561-45.324-13.426-70.065-13.426-105.867,0-192,86.133-192,192s86.133,192 192,192 192-86.133 192-192c0-24.741-4.864-48.327-13.426-70.065 1.402-1.007 2.79-2.049 4.051-3.31l16-16c12.5-12.492 12.5-32.758 0-45.25l-20.688-20.688 9.375-9.375 32.001-31.999zm-219.313,100.687c-52.938,0-96,43.063-96,96 0,8.836-7.164,16-16,16s-16-7.164-16-16c0-70.578 57.422-128 128-128 8.836,0 16,7.164 16,16s-7.164,16-16,16z"),n.append("path").attr("class","error-icon").attr("d","m459.02,148.98c-6.25-6.25-16.375-6.25-22.625,0s-6.25,16.375 0,22.625l16,16c3.125,3.125 7.219,4.688 11.313,4.688 4.094,0 8.188-1.563 11.313-4.688 6.25-6.25 6.25-16.375 0-22.625l-16.001-16z"),n.append("path").attr("class","error-icon").attr("d","m340.395,75.605c3.125,3.125 7.219,4.688 11.313,4.688 4.094,0 8.188-1.563 11.313-4.688 6.25-6.25 6.25-16.375 0-22.625l-16-16c-6.25-6.25-16.375-6.25-22.625,0s-6.25,16.375 0,22.625l15.999,16z"),n.append("path").attr("class","error-icon").attr("d","m400,64c8.844,0 16-7.164 16-16v-32c0-8.836-7.156-16-16-16-8.844,0-16,7.164-16,16v32c0,8.836 7.156,16 16,16z"),n.append("path").attr("class","error-icon").attr("d","m496,96.586h-32c-8.844,0-16,7.164-16,16 0,8.836 7.156,16 16,16h32c8.844,0 16-7.164 16-16 0-8.836-7.156-16-16-16z"),n.append("path").attr("class","error-icon").attr("d","m436.98,75.605c3.125,3.125 7.219,4.688 11.313,4.688 4.094,0 8.188-1.563 11.313-4.688l32-32c6.25-6.25 6.25-16.375 0-22.625s-16.375-6.25-22.625,0l-32,32c-6.251,6.25-6.251,16.375-0.001,22.625z"),n.append("text").attr("class","error-text").attr("x",1440).attr("y",250).attr("font-size","150px").style("text-anchor","middle").text("Syntax error in text"),n.append("text").attr("class","error-text").attr("x",1250).attr("y",400).attr("font-size","100px").style("text-anchor","middle").text(`mermaid version ${i}`)}},$i=qi,zi={db:{},renderer:qi,parser:{parser:{yy:{}},parse:()=>{}}},Pi="flowchart-elk",Ri={id:Pi,detector:(t,e)=>{var i;return!!(/^\s*flowchart-elk/.test(t)||/^\s*flowchart|graph/.test(t)&&"elk"===(null==(i=null==e?void 0:e.flowchart)?void 0:i.defaultRenderer))},loader:async()=>{const{diagram:t}=await Promise.all([i.e(3076),i.e(5269),i.e(8955),i.e(4238)]).then(i.bind(i,4238));return{id:Pi,diagram:t}}},Hi="timeline",Wi={id:Hi,detector:t=>/^\s*timeline/.test(t),loader:async()=>{const{diagram:t}=await i.e(2700).then(i.bind(i,2700));return{id:Hi,diagram:t}}},Ui="mindmap",Yi={id:Ui,detector:t=>/^\s*mindmap/.test(t),loader:async()=>{const{diagram:t}=await Promise.all([i.e(3076),i.e(9138)]).then(i.bind(i,9138));return{id:Ui,diagram:t}}},Vi="sankey",Gi={id:Vi,detector:t=>/^\s*sankey-beta/.test(t),loader:async()=>{const{diagram:t}=await i.e(240).then(i.bind(i,240));return{id:Vi,diagram:t}}};let Xi=!1;const Ji=()=>{Xi||(Xi=!0,ji("error",zi,(t=>"error"===t.toLowerCase().trim())),ji("---",{db:{clear:()=>{}},styles:{},renderer:{draw:()=>{}},parser:{parser:{yy:{}},parse:()=>{throw new Error("Diagrams beginning with --- are not valid. If you were trying to use a YAML front-matter, please ensure that you've correctly opened and closed the YAML front-matter with un-indented `---` blocks")}},init:()=>null},(t=>t.toLowerCase().trimStart().startsWith("---"))),Wt(Ze,ni,ii,qe,Re,We,Ue,Qe,ti,Ri,De,Ie,Yi,Wi,ze,li,ai,hi,Ve,Gi,Xe))};class Qi{constructor(t,e={}){this.text=t,this.metadata=e,this.type="graph",this.text+="\n";const i=Be();try{this.type=Ht(t,i)}catch(n){this.type="error",this.detectError=n}const r=Ii(this.type);st.debug("Type "+this.type),this.db=r.db,this.renderer=r.renderer,this.parser=r.parser,this.parser.parser.yy=this.db,this.init=r.init,this.parse()}parse(){var t,e,i,r,n;if(this.detectError)throw this.detectError;null==(e=(t=this.db).clear)||e.call(t);const o=Be();null==(i=this.init)||i.call(this,o),this.metadata.title&&(null==(n=(r=this.db).setDiagramTitle)||n.call(r,this.metadata.title)),this.parser.parse(this.text)}async render(t,e){await this.renderer.draw(this.text,t,e,this)}getParser(){return this.parser}getType(){return this.type}}const Ki=async(t,e={})=>{const i=Ht(t,Be());try{Ii(i)}catch(r){const t=Rt[i].loader;if(!t)throw new Pt(`Diagram ${i} not found.`);const{id:e,diagram:n}=await t();ji(e,n)}return new Qi(t,e)};let tr=[];const er=t=>{tr.push(t)},ir="graphics-document document";const rr=t=>t.replace(/^\s*%%(?!{)[^\n]+\n?/gm,"").trimStart();function nr(t){return null==t}var or={isNothing:nr,isObject:function(t){return"object"==typeof t&&null!==t},toArray:function(t){return Array.isArray(t)?t:nr(t)?[]:[t]},repeat:function(t,e){var i,r="";for(i=0;i<e;i+=1)r+=t;return r},isNegativeZero:function(t){return 0===t&&Number.NEGATIVE_INFINITY===1/t},extend:function(t,e){var i,r,n,o;if(e)for(i=0,r=(o=Object.keys(e)).length;i<r;i+=1)t[n=o[i]]=e[n];return t}};function ar(t,e){var i="",r=t.reason||"(unknown reason)";return t.mark?(t.mark.name&&(i+='in "'+t.mark.name+'" '),i+="("+(t.mark.line+1)+":"+(t.mark.column+1)+")",!e&&t.mark.snippet&&(i+="\n\n"+t.mark.snippet),r+" "+i):r}function sr(t,e){Error.call(this),this.name="YAMLException",this.reason=t,this.mark=e,this.message=ar(this,!1),Error.captureStackTrace?Error.captureStackTrace(this,this.constructor):this.stack=(new Error).stack||""}sr.prototype=Object.create(Error.prototype),sr.prototype.constructor=sr,sr.prototype.toString=function(t){return this.name+": "+ar(this,t)};var lr=sr;function cr(t,e,i,r,n){var o="",a="",s=Math.floor(n/2)-1;return r-e>s&&(e=r-s+(o=" ... ").length),i-r>s&&(i=r+s-(a=" ...").length),{str:o+t.slice(e,i).replace(/\t/g,"\u2192")+a,pos:r-e+o.length}}function hr(t,e){return or.repeat(" ",e-t.length)+t}var ur=function(t,e){if(e=Object.create(e||null),!t.buffer)return null;e.maxLength||(e.maxLength=79),"number"!=typeof e.indent&&(e.indent=1),"number"!=typeof e.linesBefore&&(e.linesBefore=3),"number"!=typeof e.linesAfter&&(e.linesAfter=2);for(var i,r=/\r?\n|\r|\0/g,n=[0],o=[],a=-1;i=r.exec(t.buffer);)o.push(i.index),n.push(i.index+i[0].length),t.position<=i.index&&a<0&&(a=n.length-2);a<0&&(a=n.length-1);var s,l,c="",h=Math.min(t.line+e.linesAfter,o.length).toString().length,u=e.maxLength-(e.indent+h+3);for(s=1;s<=e.linesBefore&&!(a-s<0);s++)l=cr(t.buffer,n[a-s],o[a-s],t.position-(n[a]-n[a-s]),u),c=or.repeat(" ",e.indent)+hr((t.line-s+1).toString(),h)+" | "+l.str+"\n"+c;for(l=cr(t.buffer,n[a],o[a],t.position,u),c+=or.repeat(" ",e.indent)+hr((t.line+1).toString(),h)+" | "+l.str+"\n",c+=or.repeat("-",e.indent+h+3+l.pos)+"^\n",s=1;s<=e.linesAfter&&!(a+s>=o.length);s++)l=cr(t.buffer,n[a+s],o[a+s],t.position-(n[a]-n[a+s]),u),c+=or.repeat(" ",e.indent)+hr((t.line+s+1).toString(),h)+" | "+l.str+"\n";return c.replace(/\n$/,"")},dr=["kind","multi","resolve","construct","instanceOf","predicate","represent","representName","defaultStyle","styleAliases"],fr=["scalar","sequence","mapping"];var pr=function(t,e){var i,r;if(e=e||{},Object.keys(e).forEach((function(e){if(-1===dr.indexOf(e))throw new lr('Unknown option "'+e+'" is met in definition of "'+t+'" YAML type.')})),this.options=e,this.tag=t,this.kind=e.kind||null,this.resolve=e.resolve||function(){return!0},this.construct=e.construct||function(t){return t},this.instanceOf=e.instanceOf||null,this.predicate=e.predicate||null,this.represent=e.represent||null,this.representName=e.representName||null,this.defaultStyle=e.defaultStyle||null,this.multi=e.multi||!1,this.styleAliases=(i=e.styleAliases||null,r={},null!==i&&Object.keys(i).forEach((function(t){i[t].forEach((function(e){r[String(e)]=t}))})),r),-1===fr.indexOf(this.kind))throw new lr('Unknown kind "'+this.kind+'" is specified for "'+t+'" YAML type.')};function gr(t,e){var i=[];return t[e].forEach((function(t){var e=i.length;i.forEach((function(i,r){i.tag===t.tag&&i.kind===t.kind&&i.multi===t.multi&&(e=r)})),i[e]=t})),i}function mr(t){return this.extend(t)}mr.prototype.extend=function(t){var e=[],i=[];if(t instanceof pr)i.push(t);else if(Array.isArray(t))i=i.concat(t);else{if(!t||!Array.isArray(t.implicit)&&!Array.isArray(t.explicit))throw new lr("Schema.extend argument should be a Type, [ Type ], or a schema definition ({ implicit: [...], explicit: [...] })");t.implicit&&(e=e.concat(t.implicit)),t.explicit&&(i=i.concat(t.explicit))}e.forEach((function(t){if(!(t instanceof pr))throw new lr("Specified list of YAML types (or a single Type object) contains a non-Type object.");if(t.loadKind&&"scalar"!==t.loadKind)throw new lr("There is a non-scalar type in the implicit list of a schema. Implicit resolving of such types is not supported.");if(t.multi)throw new lr("There is a multi type in the implicit list of a schema. Multi tags can only be listed as explicit.")})),i.forEach((function(t){if(!(t instanceof pr))throw new lr("Specified list of YAML types (or a single Type object) contains a non-Type object.")}));var r=Object.create(mr.prototype);return r.implicit=(this.implicit||[]).concat(e),r.explicit=(this.explicit||[]).concat(i),r.compiledImplicit=gr(r,"implicit"),r.compiledExplicit=gr(r,"explicit"),r.compiledTypeMap=function(){var t,e,i={scalar:{},sequence:{},mapping:{},fallback:{},multi:{scalar:[],sequence:[],mapping:[],fallback:[]}};function r(t){t.multi?(i.multi[t.kind].push(t),i.multi.fallback.push(t)):i[t.kind][t.tag]=i.fallback[t.tag]=t}for(t=0,e=arguments.length;t<e;t+=1)arguments[t].forEach(r);return i}(r.compiledImplicit,r.compiledExplicit),r};var yr=new mr({explicit:[new pr("tag:yaml.org,2002:str",{kind:"scalar",construct:function(t){return null!==t?t:""}}),new pr("tag:yaml.org,2002:seq",{kind:"sequence",construct:function(t){return null!==t?t:[]}}),new pr("tag:yaml.org,2002:map",{kind:"mapping",construct:function(t){return null!==t?t:{}}})]});var xr=new pr("tag:yaml.org,2002:null",{kind:"scalar",resolve:function(t){if(null===t)return!0;var e=t.length;return 1===e&&"~"===t||4===e&&("null"===t||"Null"===t||"NULL"===t)},construct:function(){return null},predicate:function(t){return null===t},represent:{canonical:function(){return"~"},lowercase:function(){return"null"},uppercase:function(){return"NULL"},camelcase:function(){return"Null"},empty:function(){return""}},defaultStyle:"lowercase"});var br=new pr("tag:yaml.org,2002:bool",{kind:"scalar",resolve:function(t){if(null===t)return!1;var e=t.length;return 4===e&&("true"===t||"True"===t||"TRUE"===t)||5===e&&("false"===t||"False"===t||"FALSE"===t)},construct:function(t){return"true"===t||"True"===t||"TRUE"===t},predicate:function(t){return"[object Boolean]"===Object.prototype.toString.call(t)},represent:{lowercase:function(t){return t?"true":"false"},uppercase:function(t){return t?"TRUE":"FALSE"},camelcase:function(t){return t?"True":"False"}},defaultStyle:"lowercase"});function Cr(t){return 48<=t&&t<=55}function _r(t){return 48<=t&&t<=57}var vr=new pr("tag:yaml.org,2002:int",{kind:"scalar",resolve:function(t){if(null===t)return!1;var e,i,r=t.length,n=0,o=!1;if(!r)return!1;if("-"!==(e=t[n])&&"+"!==e||(e=t[++n]),"0"===e){if(n+1===r)return!0;if("b"===(e=t[++n])){for(n++;n<r;n++)if("_"!==(e=t[n])){if("0"!==e&&"1"!==e)return!1;o=!0}return o&&"_"!==e}if("x"===e){for(n++;n<r;n++)if("_"!==(e=t[n])){if(!(48<=(i=t.charCodeAt(n))&&i<=57||65<=i&&i<=70||97<=i&&i<=102))return!1;o=!0}return o&&"_"!==e}if("o"===e){for(n++;n<r;n++)if("_"!==(e=t[n])){if(!Cr(t.charCodeAt(n)))return!1;o=!0}return o&&"_"!==e}}if("_"===e)return!1;for(;n<r;n++)if("_"!==(e=t[n])){if(!_r(t.charCodeAt(n)))return!1;o=!0}return!(!o||"_"===e)},construct:function(t){var e,i=t,r=1;if(-1!==i.indexOf("_")&&(i=i.replace(/_/g,"")),"-"!==(e=i[0])&&"+"!==e||("-"===e&&(r=-1),e=(i=i.slice(1))[0]),"0"===i)return 0;if("0"===e){if("b"===i[1])return r*parseInt(i.slice(2),2);if("x"===i[1])return r*parseInt(i.slice(2),16);if("o"===i[1])return r*parseInt(i.slice(2),8)}return r*parseInt(i,10)},predicate:function(t){return"[object Number]"===Object.prototype.toString.call(t)&&t%1==0&&!or.isNegativeZero(t)},represent:{binary:function(t){return t>=0?"0b"+t.toString(2):"-0b"+t.toString(2).slice(1)},octal:function(t){return t>=0?"0o"+t.toString(8):"-0o"+t.toString(8).slice(1)},decimal:function(t){return t.toString(10)},hexadecimal:function(t){return t>=0?"0x"+t.toString(16).toUpperCase():"-0x"+t.toString(16).toUpperCase().slice(1)}},defaultStyle:"decimal",styleAliases:{binary:[2,"bin"],octal:[8,"oct"],decimal:[10,"dec"],hexadecimal:[16,"hex"]}}),kr=new RegExp("^(?:[-+]?(?:[0-9][0-9_]*)(?:\\.[0-9_]*)?(?:[eE][-+]?[0-9]+)?|\\.[0-9_]+(?:[eE][-+]?[0-9]+)?|[-+]?\\.(?:inf|Inf|INF)|\\.(?:nan|NaN|NAN))$");var Tr=/^[-+]?[0-9]+e/;var wr=new pr("tag:yaml.org,2002:float",{kind:"scalar",resolve:function(t){return null!==t&&!(!kr.test(t)||"_"===t[t.length-1])},construct:function(t){var e,i;return i="-"===(e=t.replace(/_/g,"").toLowerCase())[0]?-1:1,"+-".indexOf(e[0])>=0&&(e=e.slice(1)),".inf"===e?1===i?Number.POSITIVE_INFINITY:Number.NEGATIVE_INFINITY:".nan"===e?NaN:i*parseFloat(e,10)},predicate:function(t){return"[object Number]"===Object.prototype.toString.call(t)&&(t%1!=0||or.isNegativeZero(t))},represent:function(t,e){var i;if(isNaN(t))switch(e){case"lowercase":return".nan";case"uppercase":return".NAN";case"camelcase":return".NaN"}else if(Number.POSITIVE_INFINITY===t)switch(e){case"lowercase":return".inf";case"uppercase":return".INF";case"camelcase":return".Inf"}else if(Number.NEGATIVE_INFINITY===t)switch(e){case"lowercase":return"-.inf";case"uppercase":return"-.INF";case"camelcase":return"-.Inf"}else if(or.isNegativeZero(t))return"-0.0";return i=t.toString(10),Tr.test(i)?i.replace("e",".e"):i},defaultStyle:"lowercase"}),Sr=yr.extend({implicit:[xr,br,vr,wr]}),Br=Sr,Fr=new RegExp("^([0-9][0-9][0-9][0-9])-([0-9][0-9])-([0-9][0-9])$"),Lr=new RegExp("^([0-9][0-9][0-9][0-9])-([0-9][0-9]?)-([0-9][0-9]?)(?:[Tt]|[ \\t]+)([0-9][0-9]?):([0-9][0-9]):([0-9][0-9])(?:\\.([0-9]*))?(?:[ \\t]*(Z|([-+])([0-9][0-9]?)(?::([0-9][0-9]))?))?$");var Ar=new pr("tag:yaml.org,2002:timestamp",{kind:"scalar",resolve:function(t){return null!==t&&(null!==Fr.exec(t)||null!==Lr.exec(t))},construct:function(t){var e,i,r,n,o,a,s,l,c=0,h=null;if(null===(e=Fr.exec(t))&&(e=Lr.exec(t)),null===e)throw new Error("Date resolve error");if(i=+e[1],r=+e[2]-1,n=+e[3],!e[4])return new Date(Date.UTC(i,r,n));if(o=+e[4],a=+e[5],s=+e[6],e[7]){for(c=e[7].slice(0,3);c.length<3;)c+="0";c=+c}return e[9]&&(h=6e4*(60*+e[10]+ +(e[11]||0)),"-"===e[9]&&(h=-h)),l=new Date(Date.UTC(i,r,n,o,a,s,c)),h&&l.setTime(l.getTime()-h),l},instanceOf:Date,represent:function(t){return t.toISOString()}});var Mr=new pr("tag:yaml.org,2002:merge",{kind:"scalar",resolve:function(t){return"<<"===t||null===t}}),Er="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=\n\r";var Nr=new pr("tag:yaml.org,2002:binary",{kind:"scalar",resolve:function(t){if(null===t)return!1;var e,i,r=0,n=t.length,o=Er;for(i=0;i<n;i++)if(!((e=o.indexOf(t.charAt(i)))>64)){if(e<0)return!1;r+=6}return r%8==0},construct:function(t){var e,i,r=t.replace(/[\r\n=]/g,""),n=r.length,o=Er,a=0,s=[];for(e=0;e<n;e++)e%4==0&&e&&(s.push(a>>16&255),s.push(a>>8&255),s.push(255&a)),a=a<<6|o.indexOf(r.charAt(e));return 0===(i=n%4*6)?(s.push(a>>16&255),s.push(a>>8&255),s.push(255&a)):18===i?(s.push(a>>10&255),s.push(a>>2&255)):12===i&&s.push(a>>4&255),new Uint8Array(s)},predicate:function(t){return"[object Uint8Array]"===Object.prototype.toString.call(t)},represent:function(t){var e,i,r="",n=0,o=t.length,a=Er;for(e=0;e<o;e++)e%3==0&&e&&(r+=a[n>>18&63],r+=a[n>>12&63],r+=a[n>>6&63],r+=a[63&n]),n=(n<<8)+t[e];return 0===(i=o%3)?(r+=a[n>>18&63],r+=a[n>>12&63],r+=a[n>>6&63],r+=a[63&n]):2===i?(r+=a[n>>10&63],r+=a[n>>4&63],r+=a[n<<2&63],r+=a[64]):1===i&&(r+=a[n>>2&63],r+=a[n<<4&63],r+=a[64],r+=a[64]),r}}),Zr=Object.prototype.hasOwnProperty,jr=Object.prototype.toString;var Ir=new pr("tag:yaml.org,2002:omap",{kind:"sequence",resolve:function(t){if(null===t)return!0;var e,i,r,n,o,a=[],s=t;for(e=0,i=s.length;e<i;e+=1){if(r=s[e],o=!1,"[object Object]"!==jr.call(r))return!1;for(n in r)if(Zr.call(r,n)){if(o)return!1;o=!0}if(!o)return!1;if(-1!==a.indexOf(n))return!1;a.push(n)}return!0},construct:function(t){return null!==t?t:[]}}),Or=Object.prototype.toString;var Dr=new pr("tag:yaml.org,2002:pairs",{kind:"sequence",resolve:function(t){if(null===t)return!0;var e,i,r,n,o,a=t;for(o=new Array(a.length),e=0,i=a.length;e<i;e+=1){if(r=a[e],"[object Object]"!==Or.call(r))return!1;if(1!==(n=Object.keys(r)).length)return!1;o[e]=[n[0],r[n[0]]]}return!0},construct:function(t){if(null===t)return[];var e,i,r,n,o,a=t;for(o=new Array(a.length),e=0,i=a.length;e<i;e+=1)r=a[e],n=Object.keys(r),o[e]=[n[0],r[n[0]]];return o}}),qr=Object.prototype.hasOwnProperty;var $r=new pr("tag:yaml.org,2002:set",{kind:"mapping",resolve:function(t){if(null===t)return!0;var e,i=t;for(e in i)if(qr.call(i,e)&&null!==i[e])return!1;return!0},construct:function(t){return null!==t?t:{}}}),zr=Br.extend({implicit:[Ar,Mr],explicit:[Nr,Ir,Dr,$r]}),Pr=Object.prototype.hasOwnProperty,Rr=1,Hr=2,Wr=3,Ur=4,Yr=1,Vr=2,Gr=3,Xr=/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F-\x84\x86-\x9F\uFFFE\uFFFF]|[\uD800-\uDBFF](?![\uDC00-\uDFFF])|(?:[^\uD800-\uDBFF]|^)[\uDC00-\uDFFF]/,Jr=/[\x85\u2028\u2029]/,Qr=/[,\[\]\{\}]/,Kr=/^(?:!|!!|![a-z\-]+!)$/i,tn=/^(?:!|[^,\[\]\{\}])(?:%[0-9a-f]{2}|[0-9a-z\-#;\/\?:@&=\+\$,_\.!~\*'\(\)\[\]])*$/i;function en(t){return Object.prototype.toString.call(t)}function rn(t){return 10===t||13===t}function nn(t){return 9===t||32===t}function on(t){return 9===t||32===t||10===t||13===t}function an(t){return 44===t||91===t||93===t||123===t||125===t}function sn(t){var e;return 48<=t&&t<=57?t-48:97<=(e=32|t)&&e<=102?e-97+10:-1}function ln(t){return 48===t?"\0":97===t?"\x07":98===t?"\b":116===t||9===t?"\t":110===t?"\n":118===t?"\v":102===t?"\f":114===t?"\r":101===t?"\x1b":32===t?" ":34===t?'"':47===t?"/":92===t?"\\":78===t?"\x85":95===t?"\xa0":76===t?"\u2028":80===t?"\u2029":""}function cn(t){return t<=65535?String.fromCharCode(t):String.fromCharCode(55296+(t-65536>>10),56320+(t-65536&1023))}for(var hn=new Array(256),un=new Array(256),dn=0;dn<256;dn++)hn[dn]=ln(dn)?1:0,un[dn]=ln(dn);function fn(t,e){this.input=t,this.filename=e.filename||null,this.schema=e.schema||zr,this.onWarning=e.onWarning||null,this.legacy=e.legacy||!1,this.json=e.json||!1,this.listener=e.listener||null,this.implicitTypes=this.schema.compiledImplicit,this.typeMap=this.schema.compiledTypeMap,this.length=t.length,this.position=0,this.line=0,this.lineStart=0,this.lineIndent=0,this.firstTabInLine=-1,this.documents=[]}function pn(t,e){var i={name:t.filename,buffer:t.input.slice(0,-1),position:t.position,line:t.line,column:t.position-t.lineStart};return i.snippet=ur(i),new lr(e,i)}function gn(t,e){throw pn(t,e)}function mn(t,e){t.onWarning&&t.onWarning.call(null,pn(t,e))}var yn={YAML:function(t,e,i){var r,n,o;null!==t.version&&gn(t,"duplication of %YAML directive"),1!==i.length&&gn(t,"YAML directive accepts exactly one argument"),null===(r=/^([0-9]+)\.([0-9]+)$/.exec(i[0]))&&gn(t,"ill-formed argument of the YAML directive"),n=parseInt(r[1],10),o=parseInt(r[2],10),1!==n&&gn(t,"unacceptable YAML version of the document"),t.version=i[0],t.checkLineBreaks=o<2,1!==o&&2!==o&&mn(t,"unsupported YAML version of the document")},TAG:function(t,e,i){var r,n;2!==i.length&&gn(t,"TAG directive accepts exactly two arguments"),r=i[0],n=i[1],Kr.test(r)||gn(t,"ill-formed tag handle (first argument) of the TAG directive"),Pr.call(t.tagMap,r)&&gn(t,'there is a previously declared suffix for "'+r+'" tag handle'),tn.test(n)||gn(t,"ill-formed tag prefix (second argument) of the TAG directive");try{n=decodeURIComponent(n)}catch(o){gn(t,"tag prefix is malformed: "+n)}t.tagMap[r]=n}};function xn(t,e,i,r){var n,o,a,s;if(e<i){if(s=t.input.slice(e,i),r)for(n=0,o=s.length;n<o;n+=1)9===(a=s.charCodeAt(n))||32<=a&&a<=1114111||gn(t,"expected valid JSON character");else Xr.test(s)&&gn(t,"the stream contains non-printable characters");t.result+=s}}function bn(t,e,i,r){var n,o,a,s;for(or.isObject(i)||gn(t,"cannot merge mappings; the provided source object is unacceptable"),a=0,s=(n=Object.keys(i)).length;a<s;a+=1)o=n[a],Pr.call(e,o)||(e[o]=i[o],r[o]=!0)}function Cn(t,e,i,r,n,o,a,s,l){var c,h;if(Array.isArray(n))for(c=0,h=(n=Array.prototype.slice.call(n)).length;c<h;c+=1)Array.isArray(n[c])&&gn(t,"nested arrays are not supported inside keys"),"object"==typeof n&&"[object Object]"===en(n[c])&&(n[c]="[object Object]");if("object"==typeof n&&"[object Object]"===en(n)&&(n="[object Object]"),n=String(n),null===e&&(e={}),"tag:yaml.org,2002:merge"===r)if(Array.isArray(o))for(c=0,h=o.length;c<h;c+=1)bn(t,e,o[c],i);else bn(t,e,o,i);else t.json||Pr.call(i,n)||!Pr.call(e,n)||(t.line=a||t.line,t.lineStart=s||t.lineStart,t.position=l||t.position,gn(t,"duplicated mapping key")),"__proto__"===n?Object.defineProperty(e,n,{configurable:!0,enumerable:!0,writable:!0,value:o}):e[n]=o,delete i[n];return e}function _n(t){var e;10===(e=t.input.charCodeAt(t.position))?t.position++:13===e?(t.position++,10===t.input.charCodeAt(t.position)&&t.position++):gn(t,"a line break is expected"),t.line+=1,t.lineStart=t.position,t.firstTabInLine=-1}function vn(t,e,i){for(var r=0,n=t.input.charCodeAt(t.position);0!==n;){for(;nn(n);)9===n&&-1===t.firstTabInLine&&(t.firstTabInLine=t.position),n=t.input.charCodeAt(++t.position);if(e&&35===n)do{n=t.input.charCodeAt(++t.position)}while(10!==n&&13!==n&&0!==n);if(!rn(n))break;for(_n(t),n=t.input.charCodeAt(t.position),r++,t.lineIndent=0;32===n;)t.lineIndent++,n=t.input.charCodeAt(++t.position)}return-1!==i&&0!==r&&t.lineIndent<i&&mn(t,"deficient indentation"),r}function kn(t){var e,i=t.position;return!(45!==(e=t.input.charCodeAt(i))&&46!==e||e!==t.input.charCodeAt(i+1)||e!==t.input.charCodeAt(i+2)||(i+=3,0!==(e=t.input.charCodeAt(i))&&!on(e)))}function Tn(t,e){1===e?t.result+=" ":e>1&&(t.result+=or.repeat("\n",e-1))}function wn(t,e){var i,r,n=t.tag,o=t.anchor,a=[],s=!1;if(-1!==t.firstTabInLine)return!1;for(null!==t.anchor&&(t.anchorMap[t.anchor]=a),r=t.input.charCodeAt(t.position);0!==r&&(-1!==t.firstTabInLine&&(t.position=t.firstTabInLine,gn(t,"tab characters must not be used in indentation")),45===r)&&on(t.input.charCodeAt(t.position+1));)if(s=!0,t.position++,vn(t,!0,-1)&&t.lineIndent<=e)a.push(null),r=t.input.charCodeAt(t.position);else if(i=t.line,Fn(t,e,Wr,!1,!0),a.push(t.result),vn(t,!0,-1),r=t.input.charCodeAt(t.position),(t.line===i||t.lineIndent>e)&&0!==r)gn(t,"bad indentation of a sequence entry");else if(t.lineIndent<e)break;return!!s&&(t.tag=n,t.anchor=o,t.kind="sequence",t.result=a,!0)}function Sn(t){var e,i,r,n,o=!1,a=!1;if(33!==(n=t.input.charCodeAt(t.position)))return!1;if(null!==t.tag&&gn(t,"duplication of a tag property"),60===(n=t.input.charCodeAt(++t.position))?(o=!0,n=t.input.charCodeAt(++t.position)):33===n?(a=!0,i="!!",n=t.input.charCodeAt(++t.position)):i="!",e=t.position,o){do{n=t.input.charCodeAt(++t.position)}while(0!==n&&62!==n);t.position<t.length?(r=t.input.slice(e,t.position),n=t.input.charCodeAt(++t.position)):gn(t,"unexpected end of the stream within a verbatim tag")}else{for(;0!==n&&!on(n);)33===n&&(a?gn(t,"tag suffix cannot contain exclamation marks"):(i=t.input.slice(e-1,t.position+1),Kr.test(i)||gn(t,"named tag handle cannot contain such characters"),a=!0,e=t.position+1)),n=t.input.charCodeAt(++t.position);r=t.input.slice(e,t.position),Qr.test(r)&&gn(t,"tag suffix cannot contain flow indicator characters")}r&&!tn.test(r)&&gn(t,"tag name cannot contain such characters: "+r);try{r=decodeURIComponent(r)}catch(s){gn(t,"tag name is malformed: "+r)}return o?t.tag=r:Pr.call(t.tagMap,i)?t.tag=t.tagMap[i]+r:"!"===i?t.tag="!"+r:"!!"===i?t.tag="tag:yaml.org,2002:"+r:gn(t,'undeclared tag handle "'+i+'"'),!0}function Bn(t){var e,i;if(38!==(i=t.input.charCodeAt(t.position)))return!1;for(null!==t.anchor&&gn(t,"duplication of an anchor property"),i=t.input.charCodeAt(++t.position),e=t.position;0!==i&&!on(i)&&!an(i);)i=t.input.charCodeAt(++t.position);return t.position===e&&gn(t,"name of an anchor node must contain at least one character"),t.anchor=t.input.slice(e,t.position),!0}function Fn(t,e,i,r,n){var o,a,s,l,c,h,u,d,f,p=1,g=!1,m=!1;if(null!==t.listener&&t.listener("open",t),t.tag=null,t.anchor=null,t.kind=null,t.result=null,o=a=s=Ur===i||Wr===i,r&&vn(t,!0,-1)&&(g=!0,t.lineIndent>e?p=1:t.lineIndent===e?p=0:t.lineIndent<e&&(p=-1)),1===p)for(;Sn(t)||Bn(t);)vn(t,!0,-1)?(g=!0,s=o,t.lineIndent>e?p=1:t.lineIndent===e?p=0:t.lineIndent<e&&(p=-1)):s=!1;if(s&&(s=g||n),1!==p&&Ur!==i||(d=Rr===i||Hr===i?e:e+1,f=t.position-t.lineStart,1===p?s&&(wn(t,f)||function(t,e,i){var r,n,o,a,s,l,c,h=t.tag,u=t.anchor,d={},f=Object.create(null),p=null,g=null,m=null,y=!1,x=!1;if(-1!==t.firstTabInLine)return!1;for(null!==t.anchor&&(t.anchorMap[t.anchor]=d),c=t.input.charCodeAt(t.position);0!==c;){if(y||-1===t.firstTabInLine||(t.position=t.firstTabInLine,gn(t,"tab characters must not be used in indentation")),r=t.input.charCodeAt(t.position+1),o=t.line,63!==c&&58!==c||!on(r)){if(a=t.line,s=t.lineStart,l=t.position,!Fn(t,i,Hr,!1,!0))break;if(t.line===o){for(c=t.input.charCodeAt(t.position);nn(c);)c=t.input.charCodeAt(++t.position);if(58===c)on(c=t.input.charCodeAt(++t.position))||gn(t,"a whitespace character is expected after the key-value separator within a block mapping"),y&&(Cn(t,d,f,p,g,null,a,s,l),p=g=m=null),x=!0,y=!1,n=!1,p=t.tag,g=t.result;else{if(!x)return t.tag=h,t.anchor=u,!0;gn(t,"can not read an implicit mapping pair; a colon is missed")}}else{if(!x)return t.tag=h,t.anchor=u,!0;gn(t,"can not read a block mapping entry; a multiline key may not be an implicit key")}}else 63===c?(y&&(Cn(t,d,f,p,g,null,a,s,l),p=g=m=null),x=!0,y=!0,n=!0):y?(y=!1,n=!0):gn(t,"incomplete explicit mapping pair; a key node is missed; or followed by a non-tabulated empty line"),t.position+=1,c=r;if((t.line===o||t.lineIndent>e)&&(y&&(a=t.line,s=t.lineStart,l=t.position),Fn(t,e,Ur,!0,n)&&(y?g=t.result:m=t.result),y||(Cn(t,d,f,p,g,m,a,s,l),p=g=m=null),vn(t,!0,-1),c=t.input.charCodeAt(t.position)),(t.line===o||t.lineIndent>e)&&0!==c)gn(t,"bad indentation of a mapping entry");else if(t.lineIndent<e)break}return y&&Cn(t,d,f,p,g,null,a,s,l),x&&(t.tag=h,t.anchor=u,t.kind="mapping",t.result=d),x}(t,f,d))||function(t,e){var i,r,n,o,a,s,l,c,h,u,d,f,p=!0,g=t.tag,m=t.anchor,y=Object.create(null);if(91===(f=t.input.charCodeAt(t.position)))a=93,c=!1,o=[];else{if(123!==f)return!1;a=125,c=!0,o={}}for(null!==t.anchor&&(t.anchorMap[t.anchor]=o),f=t.input.charCodeAt(++t.position);0!==f;){if(vn(t,!0,e),(f=t.input.charCodeAt(t.position))===a)return t.position++,t.tag=g,t.anchor=m,t.kind=c?"mapping":"sequence",t.result=o,!0;p?44===f&&gn(t,"expected the node content, but found ','"):gn(t,"missed comma between flow collection entries"),d=null,s=l=!1,63===f&&on(t.input.charCodeAt(t.position+1))&&(s=l=!0,t.position++,vn(t,!0,e)),i=t.line,r=t.lineStart,n=t.position,Fn(t,e,Rr,!1,!0),u=t.tag,h=t.result,vn(t,!0,e),f=t.input.charCodeAt(t.position),!l&&t.line!==i||58!==f||(s=!0,f=t.input.charCodeAt(++t.position),vn(t,!0,e),Fn(t,e,Rr,!1,!0),d=t.result),c?Cn(t,o,y,u,h,d,i,r,n):s?o.push(Cn(t,null,y,u,h,d,i,r,n)):o.push(h),vn(t,!0,e),44===(f=t.input.charCodeAt(t.position))?(p=!0,f=t.input.charCodeAt(++t.position)):p=!1}gn(t,"unexpected end of the stream within a flow collection")}(t,d)?m=!0:(a&&function(t,e){var i,r,n,o,a,s=Yr,l=!1,c=!1,h=e,u=0,d=!1;if(124===(o=t.input.charCodeAt(t.position)))r=!1;else{if(62!==o)return!1;r=!0}for(t.kind="scalar",t.result="";0!==o;)if(43===(o=t.input.charCodeAt(++t.position))||45===o)Yr===s?s=43===o?Gr:Vr:gn(t,"repeat of a chomping mode identifier");else{if(!((n=48<=(a=o)&&a<=57?a-48:-1)>=0))break;0===n?gn(t,"bad explicit indentation width of a block scalar; it cannot be less than one"):c?gn(t,"repeat of an indentation width identifier"):(h=e+n-1,c=!0)}if(nn(o)){do{o=t.input.charCodeAt(++t.position)}while(nn(o));if(35===o)do{o=t.input.charCodeAt(++t.position)}while(!rn(o)&&0!==o)}for(;0!==o;){for(_n(t),t.lineIndent=0,o=t.input.charCodeAt(t.position);(!c||t.lineIndent<h)&&32===o;)t.lineIndent++,o=t.input.charCodeAt(++t.position);if(!c&&t.lineIndent>h&&(h=t.lineIndent),rn(o))u++;else{if(t.lineIndent<h){s===Gr?t.result+=or.repeat("\n",l?1+u:u):s===Yr&&l&&(t.result+="\n");break}for(r?nn(o)?(d=!0,t.result+=or.repeat("\n",l?1+u:u)):d?(d=!1,t.result+=or.repeat("\n",u+1)):0===u?l&&(t.result+=" "):t.result+=or.repeat("\n",u):t.result+=or.repeat("\n",l?1+u:u),l=!0,c=!0,u=0,i=t.position;!rn(o)&&0!==o;)o=t.input.charCodeAt(++t.position);xn(t,i,t.position,!1)}}return!0}(t,d)||function(t,e){var i,r,n;if(39!==(i=t.input.charCodeAt(t.position)))return!1;for(t.kind="scalar",t.result="",t.position++,r=n=t.position;0!==(i=t.input.charCodeAt(t.position));)if(39===i){if(xn(t,r,t.position,!0),39!==(i=t.input.charCodeAt(++t.position)))return!0;r=t.position,t.position++,n=t.position}else rn(i)?(xn(t,r,n,!0),Tn(t,vn(t,!1,e)),r=n=t.position):t.position===t.lineStart&&kn(t)?gn(t,"unexpected end of the document within a single quoted scalar"):(t.position++,n=t.position);gn(t,"unexpected end of the stream within a single quoted scalar")}(t,d)||function(t,e){var i,r,n,o,a,s,l;if(34!==(s=t.input.charCodeAt(t.position)))return!1;for(t.kind="scalar",t.result="",t.position++,i=r=t.position;0!==(s=t.input.charCodeAt(t.position));){if(34===s)return xn(t,i,t.position,!0),t.position++,!0;if(92===s){if(xn(t,i,t.position,!0),rn(s=t.input.charCodeAt(++t.position)))vn(t,!1,e);else if(s<256&&hn[s])t.result+=un[s],t.position++;else if((a=120===(l=s)?2:117===l?4:85===l?8:0)>0){for(n=a,o=0;n>0;n--)(a=sn(s=t.input.charCodeAt(++t.position)))>=0?o=(o<<4)+a:gn(t,"expected hexadecimal character");t.result+=cn(o),t.position++}else gn(t,"unknown escape sequence");i=r=t.position}else rn(s)?(xn(t,i,r,!0),Tn(t,vn(t,!1,e)),i=r=t.position):t.position===t.lineStart&&kn(t)?gn(t,"unexpected end of the document within a double quoted scalar"):(t.position++,r=t.position)}gn(t,"unexpected end of the stream within a double quoted scalar")}(t,d)?m=!0:!function(t){var e,i,r;if(42!==(r=t.input.charCodeAt(t.position)))return!1;for(r=t.input.charCodeAt(++t.position),e=t.position;0!==r&&!on(r)&&!an(r);)r=t.input.charCodeAt(++t.position);return t.position===e&&gn(t,"name of an alias node must contain at least one character"),i=t.input.slice(e,t.position),Pr.call(t.anchorMap,i)||gn(t,'unidentified alias "'+i+'"'),t.result=t.anchorMap[i],vn(t,!0,-1),!0}(t)?function(t,e,i){var r,n,o,a,s,l,c,h,u=t.kind,d=t.result;if(on(h=t.input.charCodeAt(t.position))||an(h)||35===h||38===h||42===h||33===h||124===h||62===h||39===h||34===h||37===h||64===h||96===h)return!1;if((63===h||45===h)&&(on(r=t.input.charCodeAt(t.position+1))||i&&an(r)))return!1;for(t.kind="scalar",t.result="",n=o=t.position,a=!1;0!==h;){if(58===h){if(on(r=t.input.charCodeAt(t.position+1))||i&&an(r))break}else if(35===h){if(on(t.input.charCodeAt(t.position-1)))break}else{if(t.position===t.lineStart&&kn(t)||i&&an(h))break;if(rn(h)){if(s=t.line,l=t.lineStart,c=t.lineIndent,vn(t,!1,-1),t.lineIndent>=e){a=!0,h=t.input.charCodeAt(t.position);continue}t.position=o,t.line=s,t.lineStart=l,t.lineIndent=c;break}}a&&(xn(t,n,o,!1),Tn(t,t.line-s),n=o=t.position,a=!1),nn(h)||(o=t.position+1),h=t.input.charCodeAt(++t.position)}return xn(t,n,o,!1),!!t.result||(t.kind=u,t.result=d,!1)}(t,d,Rr===i)&&(m=!0,null===t.tag&&(t.tag="?")):(m=!0,null===t.tag&&null===t.anchor||gn(t,"alias node should not have any properties")),null!==t.anchor&&(t.anchorMap[t.anchor]=t.result)):0===p&&(m=s&&wn(t,f))),null===t.tag)null!==t.anchor&&(t.anchorMap[t.anchor]=t.result);else if("?"===t.tag){for(null!==t.result&&"scalar"!==t.kind&&gn(t,'unacceptable node kind for !<?> tag; it should be "scalar", not "'+t.kind+'"'),l=0,c=t.implicitTypes.length;l<c;l+=1)if((u=t.implicitTypes[l]).resolve(t.result)){t.result=u.construct(t.result),t.tag=u.tag,null!==t.anchor&&(t.anchorMap[t.anchor]=t.result);break}}else if("!"!==t.tag){if(Pr.call(t.typeMap[t.kind||"fallback"],t.tag))u=t.typeMap[t.kind||"fallback"][t.tag];else for(u=null,l=0,c=(h=t.typeMap.multi[t.kind||"fallback"]).length;l<c;l+=1)if(t.tag.slice(0,h[l].tag.length)===h[l].tag){u=h[l];break}u||gn(t,"unknown tag !<"+t.tag+">"),null!==t.result&&u.kind!==t.kind&&gn(t,"unacceptable node kind for !<"+t.tag+'> tag; it should be "'+u.kind+'", not "'+t.kind+'"'),u.resolve(t.result,t.tag)?(t.result=u.construct(t.result,t.tag),null!==t.anchor&&(t.anchorMap[t.anchor]=t.result)):gn(t,"cannot resolve a node with !<"+t.tag+"> explicit tag")}return null!==t.listener&&t.listener("close",t),null!==t.tag||null!==t.anchor||m}function Ln(t){var e,i,r,n,o=t.position,a=!1;for(t.version=null,t.checkLineBreaks=t.legacy,t.tagMap=Object.create(null),t.anchorMap=Object.create(null);0!==(n=t.input.charCodeAt(t.position))&&(vn(t,!0,-1),n=t.input.charCodeAt(t.position),!(t.lineIndent>0||37!==n));){for(a=!0,n=t.input.charCodeAt(++t.position),e=t.position;0!==n&&!on(n);)n=t.input.charCodeAt(++t.position);for(r=[],(i=t.input.slice(e,t.position)).length<1&&gn(t,"directive name must not be less than one character in length");0!==n;){for(;nn(n);)n=t.input.charCodeAt(++t.position);if(35===n){do{n=t.input.charCodeAt(++t.position)}while(0!==n&&!rn(n));break}if(rn(n))break;for(e=t.position;0!==n&&!on(n);)n=t.input.charCodeAt(++t.position);r.push(t.input.slice(e,t.position))}0!==n&&_n(t),Pr.call(yn,i)?yn[i](t,i,r):mn(t,'unknown document directive "'+i+'"')}vn(t,!0,-1),0===t.lineIndent&&45===t.input.charCodeAt(t.position)&&45===t.input.charCodeAt(t.position+1)&&45===t.input.charCodeAt(t.position+2)?(t.position+=3,vn(t,!0,-1)):a&&gn(t,"directives end mark is expected"),Fn(t,t.lineIndent-1,Ur,!1,!0),vn(t,!0,-1),t.checkLineBreaks&&Jr.test(t.input.slice(o,t.position))&&mn(t,"non-ASCII line breaks are interpreted as content"),t.documents.push(t.result),t.position===t.lineStart&&kn(t)?46===t.input.charCodeAt(t.position)&&(t.position+=3,vn(t,!0,-1)):t.position<t.length-1&&gn(t,"end of the stream or a document separator is expected")}function An(t,e){e=e||{},0!==(t=String(t)).length&&(10!==t.charCodeAt(t.length-1)&&13!==t.charCodeAt(t.length-1)&&(t+="\n"),65279===t.charCodeAt(0)&&(t=t.slice(1)));var i=new fn(t,e),r=t.indexOf("\0");for(-1!==r&&(i.position=r,gn(i,"null byte is not allowed in input")),i.input+="\0";32===i.input.charCodeAt(i.position);)i.lineIndent+=1,i.position+=1;for(;i.position<i.length-1;)Ln(i);return i.documents}var Mn=Sr,En={loadAll:function(t,e,i){null!==e&&"object"==typeof e&&void 0===i&&(i=e,e=null);var r=An(t,i);if("function"!=typeof e)return r;for(var n=0,o=r.length;n<o;n+=1)e(r[n])},load:function(t,e){var i=An(t,e);if(0!==i.length){if(1===i.length)return i[0];throw new lr("expected a single document in the stream, but found more")}}}.load;const Nn=t=>t.replace(/\r\n?/g,"\n").replace(/<(\w+)([^>]*)>/g,((t,e,i)=>"<"+e+i.replace(/="([^"]*)"/g,"='$1'")+">")),Zn=t=>{const{text:e,metadata:i}=function(t){const e=t.match(qt);if(!e)return{text:t,metadata:{}};let i=En(e[1],{schema:Mn})??{};i="object"!=typeof i||Array.isArray(i)?{}:i;const r={};return i.displayMode&&(r.displayMode=i.displayMode.toString()),i.title&&(r.title=i.title.toString()),i.config&&(r.config=i.config),{text:t.slice(e[0].length),metadata:r}}(t),{displayMode:r,title:n,config:o={}}=i;return r&&(o.gantt||(o.gantt={}),o.gantt.displayMode=r),{title:n,config:o,text:e}},jn=t=>{const e=ye.detectInit(t)??{},i=ye.detectDirective(t,"wrap");return Array.isArray(i)?e.wrap=i.some((({type:t})=>{})):"wrap"===(null==i?void 0:i.type)&&(e.wrap=!0),{text:(r=t,r.replace($t,"")),directive:e};var r};const In=["foreignobject"],On=["dominant-baseline"];function Dn(t){const e=function(t){const e=Nn(t),i=Zn(e),r=jn(i.text),n=me(i.config,r.directive);return{code:t=rr(r.text),title:i.title,config:n}}(t);return Ae(),Le(e.config??{}),e}const qn=function(t){return t.replace(/\ufb02\xb0\xb0/g,"&#").replace(/\ufb02\xb0/g,"&").replace(/\xb6\xdf/g,";")},$n=(t,e,i=[])=>`\n.${t} ${e} { ${i.join(" !important; ")} !important; }`,zn=(t,e,i,r)=>{const n=((t,e={})=>{var i;let r="";if(void 0!==t.themeCSS&&(r+=`\n${t.themeCSS}`),void 0!==t.fontFamily&&(r+=`\n:root { --mermaid-font-family: ${t.fontFamily}}`),void 0!==t.altFontFamily&&(r+=`\n:root { --mermaid-alt-font-family: ${t.altFontFamily}}`),!(0,ot.Z)(e)){const n=t.htmlLabels||(null==(i=t.flowchart)?void 0:i.htmlLabels)?["> *","span"]:["rect","polygon","ellipse","circle","path"];for(const t in e){const i=e[t];(0,ot.Z)(i.styles)||n.forEach((t=>{r+=$n(i.id,t,i.styles)})),(0,ot.Z)(i.textStyles)||(r+=$n(i.id,"tspan",i.textStyles))}}return r})(t,i);return M(tt(`${r}{${pi(e,n,t.themeVariables)}}`),E)},Pn=(t,e,i,r,n)=>{const o=t.append("div");o.attr("id",i),r&&o.attr("style",r);const a=o.append("svg").attr("id",e).attr("width","100%").attr("xmlns","http://www.w3.org/2000/svg");return n&&a.attr("xmlns:xlink",n),a.append("g"),t};function Rn(t,e){return t.append("iframe").attr("id",e).attr("style","width: 100%; height: 100%;").attr("sandbox","")}const Hn=Object.freeze({render:async function(t,e,i){var r,n,o,l,c,h;Ji();const u=Dn(e);e=u.code;const d=Be();st.debug(d),e.length>((null==d?void 0:d.maxTextSize)??5e4)&&(e="graph TB;a[Maximum text size in diagram exceeded];style a fill:#faa");const f="#"+t,p="i"+t,g="#"+p,m="d"+t,y="#"+m;let x=(0,a.Ys)("body");const b="sandbox"===d.securityLevel,C="loose"===d.securityLevel,_=d.fontFamily;if(void 0!==i){if(i&&(i.innerHTML=""),b){const t=Rn((0,a.Ys)(i),p);x=(0,a.Ys)(t.nodes()[0].contentDocument.body),x.node().style.margin=0}else x=(0,a.Ys)(i);Pn(x,t,m,`font-family: ${_}`,"http://www.w3.org/1999/xlink")}else{if(((t,e,i,r)=>{var n,o,a;null==(n=t.getElementById(e))||n.remove(),null==(o=t.getElementById(i))||o.remove(),null==(a=t.getElementById(r))||a.remove()})(document,t,m,p),b){const t=Rn((0,a.Ys)("body"),p);x=(0,a.Ys)(t.nodes()[0].contentDocument.body),x.node().style.margin=0}else x=(0,a.Ys)("body");Pn(x,t,m)}let v,k;e=function(t){let e=t;return e=e.replace(/style.*:\S*#.*;/g,(function(t){return t.substring(0,t.length-1)})),e=e.replace(/classDef.*:\S*#.*;/g,(function(t){return t.substring(0,t.length-1)})),e=e.replace(/#\w+;/g,(function(t){const e=t.substring(1,t.length-1);return/^\+?\d+$/.test(e)?"\ufb02\xb0\xb0"+e+"\xb6\xdf":"\ufb02\xb0"+e+"\xb6\xdf"})),e}(e);try{v=await Ki(e,{title:u.title})}catch(Z){v=new Qi("error"),k=Z}const T=x.select(y).node(),w=v.type,S=T.firstChild,B=S.firstChild,F=null==(n=(r=v.renderer).getClasses)?void 0:n.call(r,e,v),L=zn(d,w,F,f),A=document.createElement("style");A.innerHTML=L,S.insertBefore(A,B);try{await v.renderer.draw(e,t,xe,v)}catch(j){throw $i.draw(e,t,xe),j}!function(t,e,i,r){(function(t,e){t.attr("role",ir),""!==e&&t.attr("aria-roledescription",e)})(e,t),function(t,e,i,r){if(void 0!==t.insert){if(i){const e=`chart-desc-${r}`;t.attr("aria-describedby",e),t.insert("desc",":first-child").attr("id",e).text(i)}if(e){const i=`chart-title-${r}`;t.attr("aria-labelledby",i),t.insert("title",":first-child").attr("id",i).text(e)}}}(e,i,r,e.attr("id"))}(w,x.select(`${y} svg`),null==(l=(o=v.db).getAccTitle)?void 0:l.call(o),null==(h=(c=v.db).getAccDescription)?void 0:h.call(c)),x.select(`[id="${t}"]`).selectAll("foreignobject > *").attr("xmlns","http://www.w3.org/1999/xhtml");let M=x.select(y).node().innerHTML;if(st.debug("config.arrowMarkerAbsolute",d.arrowMarkerAbsolute),M=((t="",e,i)=>{let r=t;return i||e||(r=r.replace(/marker-end="url\([\d+./:=?A-Za-z-]*?#/g,'marker-end="url(#')),r=qn(r),r=r.replace(/<br>/g,"<br/>"),r})(M,b,mt(d.arrowMarkerAbsolute)),b){M=((t="",e)=>{var i,r;return`<iframe style="width:100%;height:${(null==(r=null==(i=null==e?void 0:e.viewBox)?void 0:i.baseVal)?void 0:r.height)?e.viewBox.baseVal.height+"px":"100%"};border:0;margin:0;" src="data:text/html;base64,${btoa('<body style="margin:0">'+t+"</body>")}" sandbox="allow-top-navigation-by-user-activation allow-popups">\n The "iframe" tag is not supported by your browser.\n</iframe>`})(M,x.select(y+" svg").node())}else C||(M=s.sanitize(M,{ADD_TAGS:In,ADD_ATTR:On}));if(tr.forEach((t=>{t()})),tr=[],k)throw k;const E=b?g:y,N=(0,a.Ys)(E).node();return N&&"remove"in N&&N.remove(),{svg:M,bindFunctions:v.db.bindFunctions}},parse:async function(t,e){Ji(),t=Dn(t).code;try{await Ki(t)}catch(i){if(null==e?void 0:e.suppressErrors)return!1;throw i}return!0},getDiagramFromText:Ki,initialize:function(t={}){var e;(null==t?void 0:t.fontFamily)&&!(null==(e=t.themeVariables)?void 0:e.fontFamily)&&(t.themeVariables||(t.themeVariables={}),t.themeVariables.fontFamily=t.fontFamily),Ce=Vt({},t),(null==t?void 0:t.theme)&&t.theme in Mt?t.themeVariables=Mt[t.theme].getThemeVariables(t.themeVariables):t&&(t.themeVariables=Mt.default.getThemeVariables(t.themeVariables));const i="object"==typeof t?(t=>(_e=Vt({},be),_e=Vt(_e,t),t.theme&&Mt[t.theme]&&(_e.themeVariables=Mt[t.theme].getThemeVariables(t.themeVariables)),Te(_e,ve),_e))(t):we();lt(i.logLevel),Ji()},getConfig:Be,setConfig:Se,getSiteConfig:we,updateSiteConfig:t=>(_e=Vt(_e,t),Te(_e,ve),_e),reset:()=>{Ae()},globalReset:()=>{Ae(be)},defaultConfig:be});lt(Be().logLevel),Ae(Be());const Wn=(t,e,i)=>{st.warn(t),pe(t)?(i&&i(t.str,t.hash),e.push({...t,message:t.str,error:t})):(i&&i(t),t instanceof Error&&e.push({str:t.message,message:t.message,hash:t.name,error:t}))},Un=async function(t={querySelector:".mermaid"}){try{await Yn(t)}catch(e){if(pe(e)&&st.error(e.str),to.parseError&&to.parseError(e),!t.suppressErrors)throw st.error("Use the suppressErrors option to suppress these errors"),e}},Yn=async function({postRenderCallback:t,querySelector:e,nodes:i}={querySelector:".mermaid"}){const n=Hn.getConfig();let o;if(st.debug((t?"":"No ")+"Callback function found"),i)o=i;else{if(!e)throw new Error("Nodes and querySelector are both undefined");o=document.querySelectorAll(e)}st.debug(`Found ${o.length} diagrams`),void 0!==(null==n?void 0:n.startOnLoad)&&(st.debug("Start On Load: "+(null==n?void 0:n.startOnLoad)),Hn.updateSiteConfig({startOnLoad:null==n?void 0:n.startOnLoad}));const a=new ye.InitIDGenerator(n.deterministicIds,n.deterministicIDSeed);let s;const l=[];for(const h of Array.from(o)){if(st.info("Rendering diagram: "+h.id),h.getAttribute("data-processed"))continue;h.setAttribute("data-processed","true");const e=`mermaid-${a.next()}`;s=h.innerHTML,s=(0,r.Z)(ye.entityDecode(s)).trim().replace(/<br\s*\/?>/gi,"<br/>");const i=ye.detectInit(s);i&&st.debug("Detected early reinit: ",i);try{const{svg:i,bindFunctions:r}=await Kn(e,s,h);h.innerHTML=i,t&&await t(e),r&&r(h)}catch(c){Wn(c,l,to.parseError)}}if(l.length>0)throw l[0]},Vn=function(t){Hn.initialize(t)},Gn=function(){if(to.startOnLoad){const{startOnLoad:t}=Hn.getConfig();t&&to.run().catch((t=>st.error("Mermaid failed to initialize",t)))}};"undefined"!=typeof document&&window.addEventListener("load",Gn,!1);const Xn=[];let Jn=!1;const Qn=async()=>{if(!Jn){for(Jn=!0;Xn.length>0;){const e=Xn.shift();if(e)try{await e()}catch(t){st.error("Error executing queue",t)}}Jn=!1}},Kn=(t,e,i)=>new Promise(((r,n)=>{Xn.push((()=>new Promise(((o,a)=>{Hn.render(t,e,i).then((t=>{o(t),r(t)}),(t=>{var e;st.error("Error parsing",t),null==(e=to.parseError)||e.call(to,t),a(t),n(t)}))})))),Qn().catch(n)})),to={startOnLoad:!0,mermaidAPI:Hn,parse:async(t,e)=>new Promise(((i,r)=>{Xn.push((()=>new Promise(((n,o)=>{Hn.parse(t,e).then((t=>{n(t),i(t)}),(t=>{var e;st.error("Error parsing",t),null==(e=to.parseError)||e.call(to,t),o(t),r(t)}))})))),Qn().catch(r)})),render:Kn,init:async function(t,e,i){st.warn("mermaid.init is deprecated. Please use run instead."),t&&Vn(t);const r={postRenderCallback:i,querySelector:".mermaid"};"string"==typeof e?r.querySelector=e:e&&(e instanceof HTMLElement?r.nodes=[e]:r.nodes=e),await Un(r)},run:Un,registerExternalDiagrams:async(t,{lazyLoad:e=!0}={})=>{Wt(...t),!1===e&&await(async()=>{st.debug("Loading registered diagrams");const t=(await Promise.allSettled(Object.entries(Rt).map((async([t,{detector:e,loader:i}])=>{if(i)try{Ii(t)}catch(r){try{const{diagram:t,id:r}=await i();ji(r,t,e)}catch(n){throw st.error(`Failed to load external diagram with key ${t}. Removing from detectors.`),delete Rt[t],n}}})))).filter((t=>"rejected"===t.status));if(t.length>0){st.error(`Failed to load ${t.length} external diagrams`);for(const e of t)st.error(e);throw new Error(`Failed to load ${t.length} external diagrams`)}})()},initialize:Vn,parseError:void 0,contentLoaded:Gn,setParseErrorHandler:function(t){to.parseError=t},detectType:Ht}}}]); \ No newline at end of file diff --git a/assets/js/7b8e2475.2e6b9e2b.js b/assets/js/7b8e2475.2e6b9e2b.js deleted file mode 100644 index 670b04a80..000000000 --- a/assets/js/7b8e2475.2e6b9e2b.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[79],{6498:(e,s,t)=>{t.r(s),t.d(s,{assets:()=>d,contentTitle:()=>c,default:()=>l,frontMatter:()=>r,metadata:()=>o,toc:()=>a});var n=t(5893),i=t(1151);const r={title:"Security"},c=void 0,o={id:"security/security",title:"Security",description:"This section describes the methodology and means of securing a K3s cluster. It's broken into 2 sections. These guides assume k3s is running with embedded etcd.",source:"@site/docs/security/security.md",sourceDirName:"security",slug:"/security/",permalink:"/security/",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/security/security.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Security"},sidebar:"mySidebar",previous:{title:"Automated Upgrades",permalink:"/upgrades/automated"},next:{title:"Secrets Encryption",permalink:"/security/secrets-encryption"}},d={},a=[];function u(e){const s={a:"a",li:"li",p:"p",ul:"ul",...(0,i.a)(),...e.components};return(0,n.jsxs)(n.Fragment,{children:[(0,n.jsx)(s.p,{children:"This section describes the methodology and means of securing a K3s cluster. It's broken into 2 sections. These guides assume k3s is running with embedded etcd."}),"\n",(0,n.jsx)(s.p,{children:"First the hardening guide provides a list of security best practices to secure a K3s cluster."}),"\n",(0,n.jsxs)(s.ul,{children:["\n",(0,n.jsx)(s.li,{children:(0,n.jsx)(s.a,{href:"/security/hardening-guide",children:"Hardening Guide"})}),"\n"]}),"\n",(0,n.jsx)(s.p,{children:"Second, is the self assessment to validate a hardened cluster. We currently have two different assessments available:"}),"\n",(0,n.jsxs)(s.ul,{children:["\n",(0,n.jsxs)(s.li,{children:["\n",(0,n.jsxs)(s.p,{children:[(0,n.jsx)(s.a,{href:"/security/self-assessment-1.24",children:"CIS 1.24 Benchmark Self-Assessment Guide"}),", for K3s version v1.24"]}),"\n"]}),"\n",(0,n.jsxs)(s.li,{children:["\n",(0,n.jsxs)(s.p,{children:[(0,n.jsx)(s.a,{href:"/security/self-assessment-1.7",children:"CIS 1.7 Benchmark Self-Assessment Guide"}),", for K3s version v1.25"]}),"\n"]}),"\n",(0,n.jsxs)(s.li,{children:["\n",(0,n.jsxs)(s.p,{children:[(0,n.jsx)(s.a,{href:"/security/self-assessment-1.8",children:"CIS 1.8 Benchmark Self-Assessment Guide"}),", for K3s version v1.26-v1.29"]}),"\n"]}),"\n"]})]})}function l(e={}){const{wrapper:s}={...(0,i.a)(),...e.components};return s?(0,n.jsx)(s,{...e,children:(0,n.jsx)(u,{...e})}):u(e)}},1151:(e,s,t)=>{t.d(s,{Z:()=>o,a:()=>c});var n=t(7294);const i={},r=n.createContext(i);function c(e){const s=n.useContext(r);return n.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function o(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(i):e.components||i:c(e.components),n.createElement(r.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/7b8e2475.edeef426.js b/assets/js/7b8e2475.edeef426.js new file mode 100644 index 000000000..910b65a6e --- /dev/null +++ b/assets/js/7b8e2475.edeef426.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[79],{6498:(e,s,t)=>{t.r(s),t.d(s,{assets:()=>d,contentTitle:()=>c,default:()=>l,frontMatter:()=>r,metadata:()=>o,toc:()=>a});var n=t(5893),i=t(1151);const r={title:"Security"},c=void 0,o={id:"security/security",title:"Security",description:"This section describes the methodology and means of securing a K3s cluster. It's broken into 2 sections. These guides assume k3s is running with embedded etcd.",source:"@site/docs/security/security.md",sourceDirName:"security",slug:"/security/",permalink:"/security/",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/security/security.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Security"},sidebar:"mySidebar",previous:{title:"Automated Upgrades",permalink:"/upgrades/automated"},next:{title:"Secrets Encryption",permalink:"/security/secrets-encryption"}},d={},a=[];function u(e){const s={a:"a",li:"li",p:"p",ul:"ul",...(0,i.a)(),...e.components};return(0,n.jsxs)(n.Fragment,{children:[(0,n.jsx)(s.p,{children:"This section describes the methodology and means of securing a K3s cluster. It's broken into 2 sections. These guides assume k3s is running with embedded etcd."}),"\n",(0,n.jsx)(s.p,{children:"First the hardening guide provides a list of security best practices to secure a K3s cluster."}),"\n",(0,n.jsxs)(s.ul,{children:["\n",(0,n.jsx)(s.li,{children:(0,n.jsx)(s.a,{href:"/security/hardening-guide",children:"Hardening Guide"})}),"\n"]}),"\n",(0,n.jsx)(s.p,{children:"Second, is the self assessment to validate a hardened cluster. We currently have two different assessments available:"}),"\n",(0,n.jsxs)(s.ul,{children:["\n",(0,n.jsxs)(s.li,{children:["\n",(0,n.jsxs)(s.p,{children:[(0,n.jsx)(s.a,{href:"/security/self-assessment-1.24",children:"CIS 1.24 Benchmark Self-Assessment Guide"}),", for K3s version v1.24"]}),"\n"]}),"\n",(0,n.jsxs)(s.li,{children:["\n",(0,n.jsxs)(s.p,{children:[(0,n.jsx)(s.a,{href:"/security/self-assessment-1.7",children:"CIS 1.7 Benchmark Self-Assessment Guide"}),", for K3s version v1.25"]}),"\n"]}),"\n",(0,n.jsxs)(s.li,{children:["\n",(0,n.jsxs)(s.p,{children:[(0,n.jsx)(s.a,{href:"/security/self-assessment-1.8",children:"CIS 1.8 Benchmark Self-Assessment Guide"}),", for K3s version v1.26-v1.29"]}),"\n"]}),"\n"]})]})}function l(e={}){const{wrapper:s}={...(0,i.a)(),...e.components};return s?(0,n.jsx)(s,{...e,children:(0,n.jsx)(u,{...e})}):u(e)}},1151:(e,s,t)=>{t.d(s,{Z:()=>o,a:()=>c});var n=t(7294);const i={},r=n.createContext(i);function c(e){const s=n.useContext(r);return n.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function o(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(i):e.components||i:c(e.components),n.createElement(r.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/82406859.d13f2f6e.js b/assets/js/82406859.d13f2f6e.js new file mode 100644 index 000000000..b36a7c530 --- /dev/null +++ b/assets/js/82406859.d13f2f6e.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[3319],{6758:(e,n,s)=>{s.r(n),s.d(n,{assets:()=>i,contentTitle:()=>o,default:()=>h,frontMatter:()=>a,metadata:()=>l,toc:()=>d});var t=s(5893),r=s(1151);const a={title:"Automated Upgrades"},o=void 0,l={id:"upgrades/automated",title:"Automated Upgrades",description:"Overview",source:"@site/docs/upgrades/automated.md",sourceDirName:"upgrades",slug:"/upgrades/automated",permalink:"/upgrades/automated",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/upgrades/automated.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Automated Upgrades"},sidebar:"mySidebar",previous:{title:"Manual Upgrades",permalink:"/upgrades/manual"},next:{title:"Security",permalink:"/security/"}},i={},d=[{value:"Overview",id:"overview",level:3},{value:"Install the system-upgrade-controller",id:"install-the-system-upgrade-controller",level:3},{value:"Configure plans",id:"configure-plans",level:3},{value:"Downgrade Prevention",id:"downgrade-prevention",level:2}];function c(e){const n={a:"a",admonition:"admonition",code:"code",em:"em",h2:"h2",h3:"h3",li:"li",mdxAdmonitionTitle:"mdxAdmonitionTitle",ol:"ol",p:"p",pre:"pre",ul:"ul",...(0,r.a)(),...e.components};return(0,t.jsxs)(t.Fragment,{children:[(0,t.jsx)(n.h3,{id:"overview",children:"Overview"}),"\n",(0,t.jsxs)(n.p,{children:["You can manage K3s cluster upgrades using Rancher's system-upgrade-controller. This is a Kubernetes-native approach to cluster upgrades. It leverages a ",(0,t.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/#custom-resources",children:"custom resource definition (CRD)"}),", a ",(0,t.jsx)(n.code,{children:"plan"}),", and a ",(0,t.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/architecture/controller/",children:"controller"}),"."]}),"\n",(0,t.jsxs)(n.p,{children:["The plan defines upgrade policies and requirements. It also defines which nodes should be upgraded through a ",(0,t.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/",children:"label selector"}),". See below for plans with defaults appropriate for upgrading a K3s cluster. For more advanced plan configuration options, please review the ",(0,t.jsx)(n.a,{href:"https://github.com/rancher/system-upgrade-controller/blob/master/pkg/apis/upgrade.cattle.io/v1/types.go",children:"CRD"}),"."]}),"\n",(0,t.jsxs)(n.p,{children:["The controller schedules upgrades by monitoring plans and selecting nodes to run upgrade ",(0,t.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/",children:"jobs"})," on. When a job has run to completion successfully, the controller will label the node on which it ran accordingly."]}),"\n",(0,t.jsxs)(n.admonition,{type:"note",children:[(0,t.jsx)(n.mdxAdmonitionTitle,{}),(0,t.jsx)(n.p,{children:"The upgrade job that is launched must be highly privileged. It is configured with the following:"}),(0,t.jsxs)(n.ul,{children:["\n",(0,t.jsxs)(n.li,{children:["Host ",(0,t.jsx)(n.code,{children:"IPC"}),", ",(0,t.jsx)(n.code,{children:"NET"}),", and ",(0,t.jsx)(n.code,{children:"PID"})," namespaces"]}),"\n",(0,t.jsxs)(n.li,{children:["The ",(0,t.jsx)(n.code,{children:"CAP_SYS_BOOT"})," capability"]}),"\n",(0,t.jsxs)(n.li,{children:["Host root mounted at ",(0,t.jsx)(n.code,{children:"/host"})," with read and write permissions"]}),"\n"]})]}),"\n",(0,t.jsx)(n.p,{children:"To automate upgrades in this manner, you must do the following:"}),"\n",(0,t.jsxs)(n.ol,{children:["\n",(0,t.jsx)(n.li,{children:"Install the system-upgrade-controller into your cluster"}),"\n",(0,t.jsx)(n.li,{children:"Configure plans"}),"\n"]}),"\n",(0,t.jsxs)(n.admonition,{type:"warning",children:[(0,t.jsx)(n.p,{children:"If the K3s cluster is managed by Rancher, you should use the Rancher UI to manage upgrades."}),(0,t.jsxs)(n.ul,{children:["\n",(0,t.jsx)(n.li,{children:"If the K3s cluster was imported into Rancher, Rancher will manage the system-upgrade-controller deployment and plans. Do not follow the steps on this page."}),"\n",(0,t.jsx)(n.li,{children:"If the K3s cluster was provisioned by Rancher, Rancher will use system agent to manage version upgrades. Do not follow the steps on this page."}),"\n",(0,t.jsxs)(n.li,{children:["If the K3s cluster is ",(0,t.jsx)(n.em,{children:"not"})," managed Rancher, you may follow the steps below."]}),"\n"]})]}),"\n",(0,t.jsx)(n.p,{children:"For more details on the design and architecture of the system-upgrade-controller or its integration with K3s, see the following Git repositories:"}),"\n",(0,t.jsxs)(n.ul,{children:["\n",(0,t.jsx)(n.li,{children:(0,t.jsx)(n.a,{href:"https://github.com/rancher/system-upgrade-controller",children:"system-upgrade-controller"})}),"\n",(0,t.jsx)(n.li,{children:(0,t.jsx)(n.a,{href:"https://github.com/k3s-io/k3s-upgrade",children:"k3s-upgrade"})}),"\n"]}),"\n",(0,t.jsx)(n.admonition,{type:"tip",children:(0,t.jsxs)(n.p,{children:["When attempting to upgrade to a new version of K3s, the ",(0,t.jsx)(n.a,{href:"https://kubernetes.io/docs/setup/release/version-skew-policy/",children:"Kubernetes version skew policy"})," applies. Ensure that your plan does not skip intermediate minor versions when upgrading. The system-upgrade-controller itself will not protect against unsupported changes to the Kubernetes version."]})}),"\n",(0,t.jsx)(n.h3,{id:"install-the-system-upgrade-controller",children:"Install the system-upgrade-controller"}),"\n",(0,t.jsx)(n.p,{children:"The system-upgrade-controller can be installed as a deployment into your cluster. The deployment requires a service-account, clusterRoleBinding, and a configmap. To install these components, run the following command:"}),"\n",(0,t.jsx)(n.pre,{children:(0,t.jsx)(n.code,{className:"language-bash",children:"kubectl apply -f https://github.com/rancher/system-upgrade-controller/releases/latest/download/system-upgrade-controller.yaml\n"})}),"\n",(0,t.jsx)(n.p,{children:"The controller can be configured and customized via the previously mentioned configmap, but the controller must be redeployed for the changes to be applied."}),"\n",(0,t.jsx)(n.p,{children:"To be able to apply plans, the system-upgrade-controller CRD has to be deployed:"}),"\n",(0,t.jsx)(n.pre,{children:(0,t.jsx)(n.code,{className:"language-bash",children:"kubectl apply -f https://github.com/rancher/system-upgrade-controller/releases/latest/download/crd.yaml\n"})}),"\n",(0,t.jsx)(n.h3,{id:"configure-plans",children:"Configure plans"}),"\n",(0,t.jsx)(n.p,{children:"It is recommended you create at least two plans: a plan for upgrading server (control-plane) nodes and a plan for upgrading agent nodes. You can create additional plans as needed to control the rollout of the upgrade across nodes. Once the plans are created, the controller will pick them up and begin to upgrade your cluster."}),"\n",(0,t.jsx)(n.p,{children:"The following two example plans will upgrade your cluster to K3s v1.24.6+k3s1:"}),"\n",(0,t.jsx)(n.pre,{children:(0,t.jsx)(n.code,{className:"language-yaml",children:'# Server plan\napiVersion: upgrade.cattle.io/v1\nkind: Plan\nmetadata:\n name: server-plan\n namespace: system-upgrade\nspec:\n concurrency: 1\n cordon: true\n nodeSelector:\n matchExpressions:\n - key: node-role.kubernetes.io/control-plane\n operator: In\n values:\n - "true"\n serviceAccountName: system-upgrade\n upgrade:\n image: rancher/k3s-upgrade\n version: v1.24.6+k3s1\n---\n# Agent plan\napiVersion: upgrade.cattle.io/v1\nkind: Plan\nmetadata:\n name: agent-plan\n namespace: system-upgrade\nspec:\n concurrency: 1\n cordon: true\n nodeSelector:\n matchExpressions:\n - key: node-role.kubernetes.io/control-plane\n operator: DoesNotExist\n prepare:\n args:\n - prepare\n - server-plan\n image: rancher/k3s-upgrade\n serviceAccountName: system-upgrade\n upgrade:\n image: rancher/k3s-upgrade\n version: v1.24.6+k3s1\n'})}),"\n",(0,t.jsx)(n.p,{children:"There are a few important things to call out regarding these plans:"}),"\n",(0,t.jsxs)(n.ol,{children:["\n",(0,t.jsxs)(n.li,{children:["\n",(0,t.jsx)(n.p,{children:"The plans must be created in the same namespace where the controller was deployed."}),"\n"]}),"\n",(0,t.jsxs)(n.li,{children:["\n",(0,t.jsxs)(n.p,{children:["The ",(0,t.jsx)(n.code,{children:"concurrency"})," field indicates how many nodes can be upgraded at the same time."]}),"\n"]}),"\n",(0,t.jsxs)(n.li,{children:["\n",(0,t.jsxs)(n.p,{children:["The server-plan targets server nodes by specifying a label selector that selects nodes with the ",(0,t.jsx)(n.code,{children:"node-role.kubernetes.io/control-plane"})," label. The agent-plan targets agent nodes by specifying a label selector that select nodes without that label."]}),"\n"]}),"\n",(0,t.jsxs)(n.li,{children:["\n",(0,t.jsxs)(n.p,{children:["The ",(0,t.jsx)(n.code,{children:"prepare"})," step in the agent-plan will cause upgrade jobs for that plan to wait for the server-plan to complete before they execute."]}),"\n"]}),"\n",(0,t.jsxs)(n.li,{children:["\n",(0,t.jsxs)(n.p,{children:["Both plans have the ",(0,t.jsx)(n.code,{children:"version"})," field set to v1.24.6+k3s1. Alternatively, you can omit the ",(0,t.jsx)(n.code,{children:"version"})," field and set the ",(0,t.jsx)(n.code,{children:"channel"})," field to a URL that resolves to a release of K3s. This will cause the controller to monitor that URL and upgrade the cluster any time it resolves to a new release. This works well with the ",(0,t.jsx)(n.a,{href:"/upgrades/manual#release-channels",children:"release channels"}),". Thus, you can configure your plans with the following channel to ensure your cluster is always automatically upgraded to the newest stable release of K3s:"]}),"\n"]}),"\n"]}),"\n",(0,t.jsx)(n.pre,{children:(0,t.jsx)(n.code,{className:"language-yaml",children:"apiVersion: upgrade.cattle.io/v1\nkind: Plan\n...\nspec:\n ...\n channel: https://update.k3s.io/v1-release/channels/stable\n\n"})}),"\n",(0,t.jsx)(n.p,{children:"As stated, the upgrade will begin as soon as the controller detects that a plan was created. Updating a plan will cause the controller to re-evaluate the plan and determine if another upgrade is needed."}),"\n",(0,t.jsx)(n.p,{children:"You can monitor the progress of an upgrade by viewing the plan and jobs via kubectl:"}),"\n",(0,t.jsx)(n.pre,{children:(0,t.jsx)(n.code,{className:"language-bash",children:"kubectl -n system-upgrade get plans -o yaml\nkubectl -n system-upgrade get jobs -o yaml\n"})}),"\n",(0,t.jsx)(n.h2,{id:"downgrade-prevention",children:"Downgrade Prevention"}),"\n",(0,t.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,t.jsxs)(n.p,{children:["Starting with the 2023-07 releases (",(0,t.jsx)(n.a,{href:"https://github.com/k3s-io/k3s-upgrade/releases/tag/v1.27.4%2Bk3s1",children:"v1.27.4+k3s1"}),", ",(0,t.jsx)(n.a,{href:"https://github.com/k3s-io/k3s-upgrade/releases/tag/v1.26.7%2Bk3s1",children:"v1.26.7+k3s1"}),", ",(0,t.jsx)(n.a,{href:"https://github.com/k3s-io/k3s-upgrade/releases/tag/v1.25.12%2Bk3s1",children:"v1.25.12+k3s1"}),", ",(0,t.jsx)(n.a,{href:"https://github.com/k3s-io/k3s-upgrade/releases/tag/v1.24.16%2Bk3s1",children:"v1.24.16+k3s1"}),")"]})}),"\n",(0,t.jsx)(n.p,{children:"Kubernetes does not support downgrades of control-plane components. The k3s-upgrade image used by upgrade plans will refuse to downgrade K3s, failing the plan and leaving your nodes cordoned."}),"\n",(0,t.jsx)(n.p,{children:"Here is an example cluster, showing failed upgrade pods and cordoned nodes:"}),"\n",(0,t.jsx)(n.pre,{children:(0,t.jsx)(n.code,{className:"language-console",children:"ubuntu@user:~$ kubectl get pods -n system-upgrade\nNAME READY STATUS RESTARTS AGE\napply-k3s-server-on-ip-172-31-0-16-with-7af95590a5af8e8c3-2cdc6 0/1 Error 0 9m25s\napply-k3s-server-on-ip-172-31-10-23-with-7af95590a5af8e8c-9xvwg 0/1 Error 0 14m\napply-k3s-server-on-ip-172-31-13-213-with-7af95590a5af8e8-8j72v 0/1 Error 0 18m\nsystem-upgrade-controller-7c4b84d5d9-kkzr6 1/1 Running 0 20m\nubuntu@user:~$ kubectl get nodes\nNAME STATUS ROLES AGE VERSION\nip-172-31-0-16 Ready,SchedulingDisabled control-plane,etcd,master 19h v1.27.4+k3s1\nip-172-31-10-23 Ready,SchedulingDisabled control-plane,etcd,master 19h v1.27.4+k3s1\nip-172-31-13-213 Ready,SchedulingDisabled control-plane,etcd,master 19h v1.27.4+k3s1\nip-172-31-2-13 Ready <none> 19h v1.27.4+k3s1\n"})}),"\n",(0,t.jsx)(n.p,{children:"You can return your cordoned nodes to service by either of the following methods:"}),"\n",(0,t.jsxs)(n.ul,{children:["\n",(0,t.jsx)(n.li,{children:"Change the version or channel on your plan to target a release that is the same or newer than what is currently running on the cluster, so that the plan succeeds."}),"\n",(0,t.jsxs)(n.li,{children:["Delete the plan and manually uncordon the nodes.\nUse ",(0,t.jsx)(n.code,{children:"kubectl get plan -n system-upgrade"})," to find the plan name, then ",(0,t.jsx)(n.code,{children:"kubectl delete plan -n system-upgrade PLAN_NAME"})," to delete it. Once the plan has been deleted, use ",(0,t.jsx)(n.code,{children:"kubectl uncordon NODE_NAME"})," to uncordon each of the nodes."]}),"\n"]})]})}function h(e={}){const{wrapper:n}={...(0,r.a)(),...e.components};return n?(0,t.jsx)(n,{...e,children:(0,t.jsx)(c,{...e})}):c(e)}},1151:(e,n,s)=>{s.d(n,{Z:()=>l,a:()=>o});var t=s(7294);const r={},a=t.createContext(r);function o(e){const n=t.useContext(a);return t.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function l(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:o(e.components),t.createElement(a.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/82406859.f312e597.js b/assets/js/82406859.f312e597.js deleted file mode 100644 index eb4677f8a..000000000 --- a/assets/js/82406859.f312e597.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[3319],{6758:(e,n,s)=>{s.r(n),s.d(n,{assets:()=>i,contentTitle:()=>o,default:()=>h,frontMatter:()=>a,metadata:()=>l,toc:()=>d});var t=s(5893),r=s(1151);const a={title:"Automated Upgrades"},o=void 0,l={id:"upgrades/automated",title:"Automated Upgrades",description:"Overview",source:"@site/docs/upgrades/automated.md",sourceDirName:"upgrades",slug:"/upgrades/automated",permalink:"/upgrades/automated",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/upgrades/automated.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Automated Upgrades"},sidebar:"mySidebar",previous:{title:"Manual Upgrades",permalink:"/upgrades/manual"},next:{title:"Security",permalink:"/security/"}},i={},d=[{value:"Overview",id:"overview",level:3},{value:"Install the system-upgrade-controller",id:"install-the-system-upgrade-controller",level:3},{value:"Configure plans",id:"configure-plans",level:3},{value:"Downgrade Prevention",id:"downgrade-prevention",level:2}];function c(e){const n={a:"a",admonition:"admonition",code:"code",em:"em",h2:"h2",h3:"h3",li:"li",mdxAdmonitionTitle:"mdxAdmonitionTitle",ol:"ol",p:"p",pre:"pre",ul:"ul",...(0,r.a)(),...e.components};return(0,t.jsxs)(t.Fragment,{children:[(0,t.jsx)(n.h3,{id:"overview",children:"Overview"}),"\n",(0,t.jsxs)(n.p,{children:["You can manage K3s cluster upgrades using Rancher's system-upgrade-controller. This is a Kubernetes-native approach to cluster upgrades. It leverages a ",(0,t.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/#custom-resources",children:"custom resource definition (CRD)"}),", a ",(0,t.jsx)(n.code,{children:"plan"}),", and a ",(0,t.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/architecture/controller/",children:"controller"}),"."]}),"\n",(0,t.jsxs)(n.p,{children:["The plan defines upgrade policies and requirements. It also defines which nodes should be upgraded through a ",(0,t.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/",children:"label selector"}),". See below for plans with defaults appropriate for upgrading a K3s cluster. For more advanced plan configuration options, please review the ",(0,t.jsx)(n.a,{href:"https://github.com/rancher/system-upgrade-controller/blob/master/pkg/apis/upgrade.cattle.io/v1/types.go",children:"CRD"}),"."]}),"\n",(0,t.jsxs)(n.p,{children:["The controller schedules upgrades by monitoring plans and selecting nodes to run upgrade ",(0,t.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/",children:"jobs"})," on. When a job has run to completion successfully, the controller will label the node on which it ran accordingly."]}),"\n",(0,t.jsxs)(n.admonition,{type:"note",children:[(0,t.jsx)(n.mdxAdmonitionTitle,{}),(0,t.jsx)(n.p,{children:"The upgrade job that is launched must be highly privileged. It is configured with the following:"}),(0,t.jsxs)(n.ul,{children:["\n",(0,t.jsxs)(n.li,{children:["Host ",(0,t.jsx)(n.code,{children:"IPC"}),", ",(0,t.jsx)(n.code,{children:"NET"}),", and ",(0,t.jsx)(n.code,{children:"PID"})," namespaces"]}),"\n",(0,t.jsxs)(n.li,{children:["The ",(0,t.jsx)(n.code,{children:"CAP_SYS_BOOT"})," capability"]}),"\n",(0,t.jsxs)(n.li,{children:["Host root mounted at ",(0,t.jsx)(n.code,{children:"/host"})," with read and write permissions"]}),"\n"]})]}),"\n",(0,t.jsx)(n.p,{children:"To automate upgrades in this manner, you must do the following:"}),"\n",(0,t.jsxs)(n.ol,{children:["\n",(0,t.jsx)(n.li,{children:"Install the system-upgrade-controller into your cluster"}),"\n",(0,t.jsx)(n.li,{children:"Configure plans"}),"\n"]}),"\n",(0,t.jsxs)(n.admonition,{type:"warning",children:[(0,t.jsx)(n.p,{children:"If the K3s cluster is managed by Rancher, you should use the Rancher UI to manage upgrades."}),(0,t.jsxs)(n.ul,{children:["\n",(0,t.jsx)(n.li,{children:"If the K3s cluster was imported into Rancher, Rancher will manage the system-upgrade-controller deployment and plans. Do not follow the steps on this page."}),"\n",(0,t.jsx)(n.li,{children:"If the K3s cluster was provisioned by Rancher, Rancher will use system agent to manage version upgrades. Do not follow the steps on this page."}),"\n",(0,t.jsxs)(n.li,{children:["If the K3s cluster is ",(0,t.jsx)(n.em,{children:"not"})," managed Rancher, you may follow the steps below."]}),"\n"]})]}),"\n",(0,t.jsx)(n.p,{children:"For more details on the design and architecture of the system-upgrade-controller or its integration with K3s, see the following Git repositories:"}),"\n",(0,t.jsxs)(n.ul,{children:["\n",(0,t.jsx)(n.li,{children:(0,t.jsx)(n.a,{href:"https://github.com/rancher/system-upgrade-controller",children:"system-upgrade-controller"})}),"\n",(0,t.jsx)(n.li,{children:(0,t.jsx)(n.a,{href:"https://github.com/k3s-io/k3s-upgrade",children:"k3s-upgrade"})}),"\n"]}),"\n",(0,t.jsx)(n.admonition,{type:"tip",children:(0,t.jsxs)(n.p,{children:["When attempting to upgrade to a new version of K3s, the ",(0,t.jsx)(n.a,{href:"https://kubernetes.io/docs/setup/release/version-skew-policy/",children:"Kubernetes version skew policy"})," applies. Ensure that your plan does not skip intermediate minor versions when upgrading. The system-upgrade-controller itself will not protect against unsupported changes to the Kubernetes version."]})}),"\n",(0,t.jsx)(n.h3,{id:"install-the-system-upgrade-controller",children:"Install the system-upgrade-controller"}),"\n",(0,t.jsx)(n.p,{children:"The system-upgrade-controller can be installed as a deployment into your cluster. The deployment requires a service-account, clusterRoleBinding, and a configmap. To install these components, run the following command:"}),"\n",(0,t.jsx)(n.pre,{children:(0,t.jsx)(n.code,{className:"language-bash",children:"kubectl apply -f https://github.com/rancher/system-upgrade-controller/releases/latest/download/system-upgrade-controller.yaml\n"})}),"\n",(0,t.jsx)(n.p,{children:"The controller can be configured and customized via the previously mentioned configmap, but the controller must be redeployed for the changes to be applied."}),"\n",(0,t.jsx)(n.p,{children:"To be able to apply plans, the system-upgrade-controller CRD has to be deployed:"}),"\n",(0,t.jsx)(n.pre,{children:(0,t.jsx)(n.code,{className:"language-bash",children:"kubectl apply -f https://github.com/rancher/system-upgrade-controller/releases/latest/download/crd.yaml\n"})}),"\n",(0,t.jsx)(n.h3,{id:"configure-plans",children:"Configure plans"}),"\n",(0,t.jsx)(n.p,{children:"It is recommended you create at least two plans: a plan for upgrading server (control-plane) nodes and a plan for upgrading agent nodes. You can create additional plans as needed to control the rollout of the upgrade across nodes. Once the plans are created, the controller will pick them up and begin to upgrade your cluster."}),"\n",(0,t.jsx)(n.p,{children:"The following two example plans will upgrade your cluster to K3s v1.24.6+k3s1:"}),"\n",(0,t.jsx)(n.pre,{children:(0,t.jsx)(n.code,{className:"language-yaml",children:'# Server plan\napiVersion: upgrade.cattle.io/v1\nkind: Plan\nmetadata:\n name: server-plan\n namespace: system-upgrade\nspec:\n concurrency: 1\n cordon: true\n nodeSelector:\n matchExpressions:\n - key: node-role.kubernetes.io/control-plane\n operator: In\n values:\n - "true"\n serviceAccountName: system-upgrade\n upgrade:\n image: rancher/k3s-upgrade\n version: v1.24.6+k3s1\n---\n# Agent plan\napiVersion: upgrade.cattle.io/v1\nkind: Plan\nmetadata:\n name: agent-plan\n namespace: system-upgrade\nspec:\n concurrency: 1\n cordon: true\n nodeSelector:\n matchExpressions:\n - key: node-role.kubernetes.io/control-plane\n operator: DoesNotExist\n prepare:\n args:\n - prepare\n - server-plan\n image: rancher/k3s-upgrade\n serviceAccountName: system-upgrade\n upgrade:\n image: rancher/k3s-upgrade\n version: v1.24.6+k3s1\n'})}),"\n",(0,t.jsx)(n.p,{children:"There are a few important things to call out regarding these plans:"}),"\n",(0,t.jsxs)(n.ol,{children:["\n",(0,t.jsxs)(n.li,{children:["\n",(0,t.jsx)(n.p,{children:"The plans must be created in the same namespace where the controller was deployed."}),"\n"]}),"\n",(0,t.jsxs)(n.li,{children:["\n",(0,t.jsxs)(n.p,{children:["The ",(0,t.jsx)(n.code,{children:"concurrency"})," field indicates how many nodes can be upgraded at the same time."]}),"\n"]}),"\n",(0,t.jsxs)(n.li,{children:["\n",(0,t.jsxs)(n.p,{children:["The server-plan targets server nodes by specifying a label selector that selects nodes with the ",(0,t.jsx)(n.code,{children:"node-role.kubernetes.io/control-plane"})," label. The agent-plan targets agent nodes by specifying a label selector that select nodes without that label."]}),"\n"]}),"\n",(0,t.jsxs)(n.li,{children:["\n",(0,t.jsxs)(n.p,{children:["The ",(0,t.jsx)(n.code,{children:"prepare"})," step in the agent-plan will cause upgrade jobs for that plan to wait for the server-plan to complete before they execute."]}),"\n"]}),"\n",(0,t.jsxs)(n.li,{children:["\n",(0,t.jsxs)(n.p,{children:["Both plans have the ",(0,t.jsx)(n.code,{children:"version"})," field set to v1.24.6+k3s1. Alternatively, you can omit the ",(0,t.jsx)(n.code,{children:"version"})," field and set the ",(0,t.jsx)(n.code,{children:"channel"})," field to a URL that resolves to a release of K3s. This will cause the controller to monitor that URL and upgrade the cluster any time it resolves to a new release. This works well with the ",(0,t.jsx)(n.a,{href:"/upgrades/manual#release-channels",children:"release channels"}),". Thus, you can configure your plans with the following channel to ensure your cluster is always automatically upgraded to the newest stable release of K3s:"]}),"\n"]}),"\n"]}),"\n",(0,t.jsx)(n.pre,{children:(0,t.jsx)(n.code,{className:"language-yaml",children:"apiVersion: upgrade.cattle.io/v1\nkind: Plan\n...\nspec:\n ...\n channel: https://update.k3s.io/v1-release/channels/stable\n\n"})}),"\n",(0,t.jsx)(n.p,{children:"As stated, the upgrade will begin as soon as the controller detects that a plan was created. Updating a plan will cause the controller to re-evaluate the plan and determine if another upgrade is needed."}),"\n",(0,t.jsx)(n.p,{children:"You can monitor the progress of an upgrade by viewing the plan and jobs via kubectl:"}),"\n",(0,t.jsx)(n.pre,{children:(0,t.jsx)(n.code,{className:"language-bash",children:"kubectl -n system-upgrade get plans -o yaml\nkubectl -n system-upgrade get jobs -o yaml\n"})}),"\n",(0,t.jsx)(n.h2,{id:"downgrade-prevention",children:"Downgrade Prevention"}),"\n",(0,t.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,t.jsxs)(n.p,{children:["Starting with the 2023-07 releases (",(0,t.jsx)(n.a,{href:"https://github.com/k3s-io/k3s-upgrade/releases/tag/v1.27.4%2Bk3s1",children:"v1.27.4+k3s1"}),", ",(0,t.jsx)(n.a,{href:"https://github.com/k3s-io/k3s-upgrade/releases/tag/v1.26.7%2Bk3s1",children:"v1.26.7+k3s1"}),", ",(0,t.jsx)(n.a,{href:"https://github.com/k3s-io/k3s-upgrade/releases/tag/v1.25.12%2Bk3s1",children:"v1.25.12+k3s1"}),", ",(0,t.jsx)(n.a,{href:"https://github.com/k3s-io/k3s-upgrade/releases/tag/v1.24.16%2Bk3s1",children:"v1.24.16+k3s1"}),")"]})}),"\n",(0,t.jsx)(n.p,{children:"Kubernetes does not support downgrades of control-plane components. The k3s-upgrade image used by upgrade plans will refuse to downgrade K3s, failing the plan and leaving your nodes cordoned."}),"\n",(0,t.jsx)(n.p,{children:"Here is an example cluster, showing failed upgrade pods and cordoned nodes:"}),"\n",(0,t.jsx)(n.pre,{children:(0,t.jsx)(n.code,{className:"language-console",children:"ubuntu@user:~$ kubectl get pods -n system-upgrade\nNAME READY STATUS RESTARTS AGE\napply-k3s-server-on-ip-172-31-0-16-with-7af95590a5af8e8c3-2cdc6 0/1 Error 0 9m25s\napply-k3s-server-on-ip-172-31-10-23-with-7af95590a5af8e8c-9xvwg 0/1 Error 0 14m\napply-k3s-server-on-ip-172-31-13-213-with-7af95590a5af8e8-8j72v 0/1 Error 0 18m\nsystem-upgrade-controller-7c4b84d5d9-kkzr6 1/1 Running 0 20m\nubuntu@user:~$ kubectl get nodes\nNAME STATUS ROLES AGE VERSION\nip-172-31-0-16 Ready,SchedulingDisabled control-plane,etcd,master 19h v1.27.4+k3s1\nip-172-31-10-23 Ready,SchedulingDisabled control-plane,etcd,master 19h v1.27.4+k3s1\nip-172-31-13-213 Ready,SchedulingDisabled control-plane,etcd,master 19h v1.27.4+k3s1\nip-172-31-2-13 Ready <none> 19h v1.27.4+k3s1\n"})}),"\n",(0,t.jsx)(n.p,{children:"You can return your cordoned nodes to service by either of the following methods:"}),"\n",(0,t.jsxs)(n.ul,{children:["\n",(0,t.jsx)(n.li,{children:"Change the version or channel on your plan to target a release that is the same or newer than what is currently running on the cluster, so that the plan succeeds."}),"\n",(0,t.jsxs)(n.li,{children:["Delete the plan and manually uncordon the nodes.\nUse ",(0,t.jsx)(n.code,{children:"kubectl get plan -n system-upgrade"})," to find the plan name, then ",(0,t.jsx)(n.code,{children:"kubectl delete plan -n system-upgrade PLAN_NAME"})," to delete it. Once the plan has been deleted, use ",(0,t.jsx)(n.code,{children:"kubectl uncordon NODE_NAME"})," to uncordon each of the nodes."]}),"\n"]})]})}function h(e={}){const{wrapper:n}={...(0,r.a)(),...e.components};return n?(0,t.jsx)(n,{...e,children:(0,t.jsx)(c,{...e})}):c(e)}},1151:(e,n,s)=>{s.d(n,{Z:()=>l,a:()=>o});var t=s(7294);const r={},a=t.createContext(r);function o(e){const n=t.useContext(a);return t.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function l(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:o(e.components),t.createElement(a.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/82f1aa93.6ab8331d.js b/assets/js/82f1aa93.6ab8331d.js deleted file mode 100644 index f86ff9549..000000000 --- a/assets/js/82f1aa93.6ab8331d.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7709],{1587:(e,n,s)=>{s.r(n),s.d(n,{assets:()=>l,contentTitle:()=>a,default:()=>u,frontMatter:()=>t,metadata:()=>o,toc:()=>c});var i=s(5893),r=s(1151);const t={title:"CIS Hardening Guide"},a=void 0,o={id:"security/hardening-guide",title:"CIS Hardening Guide",description:"This document provides prescriptive guidance for hardening a production installation of K3s. It outlines the configurations and controls required to address Kubernetes benchmark controls from the Center for Internet Security (CIS).",source:"@site/docs/security/hardening-guide.md",sourceDirName:"security",slug:"/security/hardening-guide",permalink:"/security/hardening-guide",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/security/hardening-guide.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"CIS Hardening Guide"},sidebar:"mySidebar",previous:{title:"Secrets Encryption",permalink:"/security/secrets-encryption"},next:{title:"CIS 1.8 Self Assessment Guide",permalink:"/security/self-assessment-1.8"}},l={},c=[{value:"Host-level Requirements",id:"host-level-requirements",level:2},{value:"Ensure <code>protect-kernel-defaults</code> is set",id:"ensure-protect-kernel-defaults-is-set",level:3},{value:"Set kernel parameters",id:"set-kernel-parameters",level:4},{value:"Kubernetes Runtime Requirements",id:"kubernetes-runtime-requirements",level:2},{value:"Pod Security",id:"pod-security",level:3},{value:"NetworkPolicies",id:"networkpolicies",level:3},{value:"API Server audit configuration",id:"api-server-audit-configuration",level:3},{value:"Configuration for Kubernetes Components",id:"configuration-for-kubernetes-components",level:2},{value:"Manual Operations",id:"manual-operations",level:2},{value:"Control 1.1.20",id:"control-1120",level:3},{value:"Control 1.2.9",id:"control-129",level:3},{value:"Control 1.2.11",id:"control-1211",level:3},{value:"Control 1.2.21",id:"control-1221",level:3},{value:"Control 4.2.13",id:"control-4213",level:3},{value:"Control 5.X",id:"control-5x",level:3},{value:"Conclusion",id:"conclusion",level:2}];function d(e){const n={a:"a",admonition:"admonition",blockquote:"blockquote",code:"code",h2:"h2",h3:"h3",h4:"h4",li:"li",ol:"ol",p:"p",pre:"pre",strong:"strong",...(0,r.a)(),...e.components},{Details:s,TabItem:t,Tabs:a}=n;return s||p("Details",!0),t||p("TabItem",!0),a||p("Tabs",!0),(0,i.jsxs)(i.Fragment,{children:[(0,i.jsx)(n.p,{children:"This document provides prescriptive guidance for hardening a production installation of K3s. It outlines the configurations and controls required to address Kubernetes benchmark controls from the Center for Internet Security (CIS)."}),"\n",(0,i.jsx)(n.p,{children:"K3s has a number of security mitigations applied and turned on by default and will pass a number of the Kubernetes CIS controls without modification. There are some notable exceptions to this that require manual intervention to fully comply with the CIS Benchmark:"}),"\n",(0,i.jsxs)(n.ol,{children:["\n",(0,i.jsx)(n.li,{children:"K3s will not modify the host operating system. Any host-level modifications will need to be done manually."}),"\n",(0,i.jsxs)(n.li,{children:["Certain CIS policy controls for ",(0,i.jsx)(n.code,{children:"NetworkPolicies"})," and ",(0,i.jsx)(n.code,{children:"PodSecurityStandards"})," (",(0,i.jsx)(n.code,{children:"PodSecurityPolicies"})," on v1.24 and older) will restrict the functionality of the cluster. You must opt into having K3s configure these by adding the appropriate options (enabling of admission plugins) to your command-line flags or configuration file as well as manually applying appropriate policies. Further details are presented in the sections below."]}),"\n"]}),"\n",(0,i.jsx)(n.p,{children:"The first section (1.1) of the CIS Benchmark concerns itself primarily with pod manifest permissions and ownership. K3s doesn't utilize these for the core components since everything is packaged into a single binary."}),"\n",(0,i.jsx)(n.h2,{id:"host-level-requirements",children:"Host-level Requirements"}),"\n",(0,i.jsx)(n.p,{children:"There are two areas of host-level requirements: kernel parameters and etcd process/directory configuration. These are outlined in this section."}),"\n",(0,i.jsxs)(n.h3,{id:"ensure-protect-kernel-defaults-is-set",children:["Ensure ",(0,i.jsx)(n.code,{children:"protect-kernel-defaults"})," is set"]}),"\n",(0,i.jsx)(n.p,{children:"This is a kubelet flag that will cause the kubelet to exit if the required kernel parameters are unset or are set to values that are different from the kubelet's defaults."}),"\n",(0,i.jsxs)(n.blockquote,{children:["\n",(0,i.jsxs)(n.p,{children:[(0,i.jsx)(n.strong,{children:"Note:"})," ",(0,i.jsx)(n.code,{children:"protect-kernel-defaults"})," is exposed as a top-level flag for K3s."]}),"\n"]}),"\n",(0,i.jsx)(n.h4,{id:"set-kernel-parameters",children:"Set kernel parameters"}),"\n",(0,i.jsxs)(n.p,{children:["Create a file called ",(0,i.jsx)(n.code,{children:"/etc/sysctl.d/90-kubelet.conf"})," and add the snippet below. Then run ",(0,i.jsx)(n.code,{children:"sysctl -p /etc/sysctl.d/90-kubelet.conf"}),"."]}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-bash",children:"vm.panic_on_oom=0\nvm.overcommit_memory=1\nkernel.panic=10\nkernel.panic_on_oops=1\n"})}),"\n",(0,i.jsx)(n.h2,{id:"kubernetes-runtime-requirements",children:"Kubernetes Runtime Requirements"}),"\n",(0,i.jsx)(n.p,{children:"The runtime requirements to comply with the CIS Benchmark are centered around pod security (via PSP or PSA), network policies and API Server auditing logs. These are outlined in this section."}),"\n",(0,i.jsxs)(n.p,{children:["By default, K3s does not include any pod security or network policies. However, K3s ships with a controller that will enforce network policies, if any are created. K3s doesn't enable auditing by default, so audit log configuration and audit policy must be created manually. By default, K3s runs with the both the ",(0,i.jsx)(n.code,{children:"PodSecurity"})," and ",(0,i.jsx)(n.code,{children:"NodeRestriction"})," admission controllers enabled, among others."]}),"\n",(0,i.jsx)(n.h3,{id:"pod-security",children:"Pod Security"}),"\n",(0,i.jsxs)(a,{groupId:"pod-sec",queryString:!0,children:[(0,i.jsxs)(t,{value:"v1.25 and Newer",default:!0,children:[(0,i.jsxs)(n.p,{children:["K3s v1.25 and newer support ",(0,i.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/security/pod-security-admission/",children:"Pod Security Admissions (PSAs)"})," for controlling pod security. PSAs are enabled by passing the following flag to the K3s server:"]}),(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{children:'--kube-apiserver-arg="admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml"\n'})}),(0,i.jsxs)(n.p,{children:["The policy should be written to a file named ",(0,i.jsx)(n.code,{children:"psa.yaml"})," in ",(0,i.jsx)(n.code,{children:"/var/lib/rancher/k3s/server"})," directory."]}),(0,i.jsx)(n.p,{children:"Here is an example of a compliant PSA:"}),(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:'apiVersion: apiserver.config.k8s.io/v1\nkind: AdmissionConfiguration\nplugins:\n- name: PodSecurity\n configuration:\n apiVersion: pod-security.admission.config.k8s.io/v1beta1\n kind: PodSecurityConfiguration\n defaults:\n enforce: "restricted"\n enforce-version: "latest"\n audit: "restricted"\n audit-version: "latest"\n warn: "restricted"\n warn-version: "latest"\n exemptions:\n usernames: []\n runtimeClasses: []\n namespaces: [kube-system, cis-operator-system]\n'})})]}),(0,i.jsxs)(t,{value:"v1.24 and Older",default:!0,children:[(0,i.jsxs)(n.p,{children:["K3s v1.24 and older support ",(0,i.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/security/pod-security-policy/",children:"Pod Security Policies (PSPs)"})," for controlling pod security. PSPs are enabled by passing the following flag to the K3s server:"]}),(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{children:'--kube-apiserver-arg="enable-admission-plugins=NodeRestriction,PodSecurityPolicy"\n'})}),(0,i.jsxs)(n.p,{children:["This will have the effect of maintaining the ",(0,i.jsx)(n.code,{children:"NodeRestriction"})," plugin as well as enabling the ",(0,i.jsx)(n.code,{children:"PodSecurityPolicy"}),"."]}),(0,i.jsx)(n.p,{children:"When PSPs are enabled, a policy can be applied to satisfy the necessary controls described in section 5.2 of the CIS Benchmark."}),(0,i.jsx)(n.p,{children:"Here is an example of a compliant PSP:"}),(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:"apiVersion: policy/v1beta1\nkind: PodSecurityPolicy\nmetadata:\n name: restricted-psp\nspec:\n privileged: false # CIS - 5.2.1\n allowPrivilegeEscalation: false # CIS - 5.2.5\n requiredDropCapabilities: # CIS - 5.2.7/8/9\n - ALL\n volumes:\n - 'configMap'\n - 'emptyDir'\n - 'projected'\n - 'secret'\n - 'downwardAPI'\n - 'csi'\n - 'persistentVolumeClaim'\n - 'ephemeral'\n hostNetwork: false # CIS - 5.2.4\n hostIPC: false # CIS - 5.2.3\n hostPID: false # CIS - 5.2.2\n runAsUser:\n rule: 'MustRunAsNonRoot' # CIS - 5.2.6\n seLinux:\n rule: 'RunAsAny'\n supplementalGroups:\n rule: 'MustRunAs'\n ranges:\n - min: 1\n max: 65535\n fsGroup:\n rule: 'MustRunAs'\n ranges:\n - min: 1\n max: 65535\n readOnlyRootFilesystem: false\n"})}),(0,i.jsx)(n.p,{children:'For the above PSP to be effective, we need to create a ClusterRole and a ClusterRoleBinding. We also need to include a "system unrestricted policy" which is needed for system-level pods that require additional privileges, and an additional policy that allows sysctls necessary for servicelb to function properly.'}),(0,i.jsxs)(n.p,{children:["Combining the configuration above with the ",(0,i.jsx)(n.a,{href:"#networkpolicies",children:"Network Policy"})," described in the next section, a single file can be placed in the ",(0,i.jsx)(n.code,{children:"/var/lib/rancher/k3s/server/manifests"})," directory. Here is an example of a ",(0,i.jsx)(n.code,{children:"policy.yaml"})," file:"]}),(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:"apiVersion: policy/v1beta1\nkind: PodSecurityPolicy\nmetadata:\n name: restricted-psp\nspec:\n privileged: false\n allowPrivilegeEscalation: false\n requiredDropCapabilities:\n - ALL\n volumes:\n - 'configMap'\n - 'emptyDir'\n - 'projected'\n - 'secret'\n - 'downwardAPI'\n - 'csi'\n - 'persistentVolumeClaim'\n - 'ephemeral'\n hostNetwork: false\n hostIPC: false\n hostPID: false\n runAsUser:\n rule: 'MustRunAsNonRoot'\n seLinux:\n rule: 'RunAsAny'\n supplementalGroups:\n rule: 'MustRunAs'\n ranges:\n - min: 1\n max: 65535\n fsGroup:\n rule: 'MustRunAs'\n ranges:\n - min: 1\n max: 65535\n readOnlyRootFilesystem: false\n---\napiVersion: policy/v1beta1\nkind: PodSecurityPolicy\nmetadata:\n name: system-unrestricted-psp\n annotations:\n seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'\nspec:\n allowPrivilegeEscalation: true\n allowedCapabilities:\n - '*'\n fsGroup:\n rule: RunAsAny\n hostIPC: true\n hostNetwork: true\n hostPID: true\n hostPorts:\n - max: 65535\n min: 0\n privileged: true\n runAsUser:\n rule: RunAsAny\n seLinux:\n rule: RunAsAny\n supplementalGroups:\n rule: RunAsAny\n volumes:\n - '*'\n---\napiVersion: policy/v1beta1\nkind: PodSecurityPolicy\nmetadata:\n name: svclb-psp\n annotations:\n seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'\nspec:\n allowPrivilegeEscalation: false\n allowedCapabilities:\n - NET_ADMIN\n allowedUnsafeSysctls:\n - net.ipv4.ip_forward\n - net.ipv6.conf.all.forwarding\n fsGroup:\n rule: RunAsAny\n hostPorts:\n - max: 65535\n min: 0\n runAsUser:\n rule: RunAsAny\n seLinux:\n rule: RunAsAny\n supplementalGroups:\n rule: RunAsAny\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n name: psp:restricted-psp\nrules:\n- apiGroups:\n - policy\n resources:\n - podsecuritypolicies\n verbs:\n - use\n resourceNames:\n - restricted-psp\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n name: psp:system-unrestricted-psp\nrules:\n- apiGroups:\n - policy\n resources:\n - podsecuritypolicies\n resourceNames:\n - system-unrestricted-psp\n verbs:\n - use\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n name: psp:svclb-psp\nrules:\n- apiGroups:\n - policy\n resources:\n - podsecuritypolicies\n resourceNames:\n - svclb-psp\n verbs:\n - use\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n name: default:restricted-psp\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: psp:restricted-psp\nsubjects:\n- kind: Group\n name: system:authenticated\n apiGroup: rbac.authorization.k8s.io\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n name: system-unrestricted-node-psp-rolebinding\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: psp:system-unrestricted-psp\nsubjects:\n- apiGroup: rbac.authorization.k8s.io\n kind: Group\n name: system:nodes\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n name: system-unrestricted-svc-acct-psp-rolebinding\n namespace: kube-system\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: psp:system-unrestricted-psp\nsubjects:\n- apiGroup: rbac.authorization.k8s.io\n kind: Group\n name: system:serviceaccounts\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n name: svclb-psp-rolebinding\n namespace: kube-system\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: psp:svclb-psp\nsubjects:\n- kind: ServiceAccount\n name: svclb\n---\nkind: NetworkPolicy\napiVersion: networking.k8s.io/v1\nmetadata:\n name: intra-namespace\n namespace: kube-system\nspec:\n podSelector: {}\n ingress:\n - from:\n - namespaceSelector:\n matchLabels:\n name: kube-system\n---\nkind: NetworkPolicy\napiVersion: networking.k8s.io/v1\nmetadata:\n name: intra-namespace\n namespace: default\nspec:\n podSelector: {}\n ingress:\n - from:\n - namespaceSelector:\n matchLabels:\n name: default\n---\nkind: NetworkPolicy\napiVersion: networking.k8s.io/v1\nmetadata:\n name: intra-namespace\n namespace: kube-public\nspec:\n podSelector: {}\n ingress:\n - from:\n - namespaceSelector:\n matchLabels:\n name: kube-public\n"})})]})]}),"\n",(0,i.jsxs)(n.blockquote,{children:["\n",(0,i.jsxs)(n.p,{children:[(0,i.jsx)(n.strong,{children:"Note:"})," The Kubernetes critical additions such as CNI, DNS, and Ingress are run as pods in the ",(0,i.jsx)(n.code,{children:"kube-system"})," namespace. Therefore, this namespace will have a policy that is less restrictive so that these components can run properly."]}),"\n"]}),"\n",(0,i.jsx)(n.h3,{id:"networkpolicies",children:"NetworkPolicies"}),"\n",(0,i.jsx)(n.p,{children:"CIS requires that all namespaces have a network policy applied that reasonably limits traffic into namespaces and pods."}),"\n",(0,i.jsxs)(n.p,{children:["Network policies should be placed the ",(0,i.jsx)(n.code,{children:"/var/lib/rancher/k3s/server/manifests"})," directory, where they will automatically be deployed on startup."]}),"\n",(0,i.jsx)(n.p,{children:"Here is an example of a compliant network policy."}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:"kind: NetworkPolicy\napiVersion: networking.k8s.io/v1\nmetadata:\n name: intra-namespace\n namespace: kube-system\nspec:\n podSelector: {}\n ingress:\n - from:\n - namespaceSelector:\n matchLabels:\n name: kube-system\n"})}),"\n",(0,i.jsx)(n.p,{children:"With the applied restrictions, DNS will be blocked unless purposely allowed. Below is a network policy that will allow for traffic to exist for DNS."}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:"apiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n name: default-network-dns-policy\n namespace: <NAMESPACE>\nspec:\n ingress:\n - ports:\n - port: 53\n protocol: TCP\n - port: 53\n protocol: UDP\n podSelector:\n matchLabels:\n k8s-app: kube-dns\n policyTypes:\n - Ingress\n"})}),"\n",(0,i.jsx)(n.p,{children:"The metrics-server and Traefik ingress controller will be blocked by default if network policies are not created to allow access. Traefik v1 as packaged in K3s version 1.20 and below uses different labels than Traefik v2. Ensure that you only use the sample yaml below that is associated with the version of Traefik present on your cluster."}),"\n",(0,i.jsxs)(a,{children:[(0,i.jsx)(t,{value:"v1.21 and Newer",default:!0,children:(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:"apiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n name: allow-all-metrics-server\n namespace: kube-system\nspec:\n podSelector:\n matchLabels:\n k8s-app: metrics-server\n ingress:\n - {}\n policyTypes:\n - Ingress\n---\napiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n name: allow-all-svclbtraefik-ingress\n namespace: kube-system\nspec:\n podSelector: \n matchLabels:\n svccontroller.k3s.cattle.io/svcname: traefik\n ingress:\n - {}\n policyTypes:\n - Ingress\n---\napiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n name: allow-all-traefik-v121-ingress\n namespace: kube-system\nspec:\n podSelector:\n matchLabels:\n app.kubernetes.io/name: traefik\n ingress:\n - {}\n policyTypes:\n - Ingress\n---\n\n"})})}),(0,i.jsx)(t,{value:"v1.20 and Older",default:!0,children:(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:"apiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n name: allow-all-metrics-server\n namespace: kube-system\nspec:\n podSelector:\n matchLabels:\n k8s-app: metrics-server\n ingress:\n - {}\n policyTypes:\n - Ingress\n---\napiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n name: allow-all-svclbtraefik-ingress\n namespace: kube-system\nspec:\n podSelector: \n matchLabels:\n svccontroller.k3s.cattle.io/svcname: traefik\n ingress:\n - {}\n policyTypes:\n - Ingress\n---\napiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n name: allow-all-traefik-v120-ingress\n namespace: kube-system\nspec:\n podSelector:\n matchLabels:\n app: traefik\n ingress:\n - {}\n policyTypes:\n - Ingress\n---\n\n"})})})]}),"\n",(0,i.jsx)(n.admonition,{type:"info",children:(0,i.jsx)(n.p,{children:"Operators must manage network policies as normal for additional namespaces that are created."})}),"\n",(0,i.jsx)(n.h3,{id:"api-server-audit-configuration",children:"API Server audit configuration"}),"\n",(0,i.jsx)(n.p,{children:"CIS requirements 1.2.22 to 1.2.25 are related to configuring audit logs for the API Server. K3s doesn't create by default the log directory and audit policy, as auditing requirements are specific to each user's policies and environment."}),"\n",(0,i.jsx)(n.p,{children:"The log directory, ideally, must be created before starting K3s. A restrictive access permission is recommended to avoid leaking potential sensitive information."}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-bash",children:"sudo mkdir -p -m 700 /var/lib/rancher/k3s/server/logs\n"})}),"\n",(0,i.jsxs)(n.p,{children:["A starter audit policy to log request metadata is provided below. The policy should be written to a file named ",(0,i.jsx)(n.code,{children:"audit.yaml"})," in ",(0,i.jsx)(n.code,{children:"/var/lib/rancher/k3s/server"})," directory. Detailed information about policy configuration for the API server can be found in the Kubernetes ",(0,i.jsx)(n.a,{href:"https://kubernetes.io/docs/tasks/debug-application-cluster/audit/",children:"documentation"}),"."]}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:"apiVersion: audit.k8s.io/v1\nkind: Policy\nrules:\n- level: Metadata\n"})}),"\n",(0,i.jsx)(n.p,{children:"Both configurations must be passed as arguments to the API Server as:"}),"\n",(0,i.jsxs)(a,{children:[(0,i.jsx)(t,{value:"config",children:(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:"kube-apiserver-arg:\n - 'admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml'\n - 'audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log'\n - 'audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml'\n - 'audit-log-maxage=30'\n - 'audit-log-maxbackup=10'\n - 'audit-log-maxsize=100'\n"})})}),(0,i.jsx)(t,{value:"cmdline",children:(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-bash",children:"--kube-apiserver-arg='audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log'\n--kube-apiserver-arg='audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml'\n"})})})]}),"\n",(0,i.jsx)(n.p,{children:"K3s must be restarted to load the new configuration."}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-bash",children:"sudo systemctl daemon-reload\nsudo systemctl restart k3s.service\n"})}),"\n",(0,i.jsx)(n.h2,{id:"configuration-for-kubernetes-components",children:"Configuration for Kubernetes Components"}),"\n",(0,i.jsxs)(n.p,{children:["The configuration below should be placed in the ",(0,i.jsx)(n.a,{href:"/installation/configuration#configuration-file",children:"configuration file"}),", and contains all the necessary remediations to harden the Kubernetes components."]}),"\n",(0,i.jsxs)(a,{groupId:"pod-sec",queryString:!0,children:[(0,i.jsx)(t,{value:"v1.25 and Newer",default:!0,children:(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:"protect-kernel-defaults: true\nsecrets-encryption: true\nkube-apiserver-arg:\n - \"enable-admission-plugins=NodeRestriction,EventRateLimit\"\n - 'admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml'\n - 'audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log'\n - 'audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml'\n - 'audit-log-maxage=30'\n - 'audit-log-maxbackup=10'\n - 'audit-log-maxsize=100'\nkube-controller-manager-arg:\n - 'terminated-pod-gc-threshold=10'\nkubelet-arg:\n - 'streaming-connection-idle-timeout=5m'\n - \"tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305\"\n"})})}),(0,i.jsx)(t,{value:"v1.24 and Older",default:!0,children:(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:"protect-kernel-defaults: true\nsecrets-encryption: true\nkube-apiserver-arg:\n - 'enable-admission-plugins=NodeRestriction,PodSecurityPolicy,NamespaceLifecycle,ServiceAccount'\n - 'audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log'\n - 'audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml'\n - 'audit-log-maxage=30'\n - 'audit-log-maxbackup=10'\n - 'audit-log-maxsize=100'\nkube-controller-manager-arg:\n - 'terminated-pod-gc-threshold=10'\nkubelet-arg:\n - 'streaming-connection-idle-timeout=5m'\n - 'make-iptables-util-chains=true'\n - \"tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305\"\n"})})})]}),"\n",(0,i.jsx)(n.h2,{id:"manual-operations",children:"Manual Operations"}),"\n",(0,i.jsx)(n.p,{children:"The following are controls that K3s currently does not pass by with the above configuration applied. These controls require manual intervention to fully comply with the CIS Benchmark."}),"\n",(0,i.jsx)(n.h3,{id:"control-1120",children:"Control 1.1.20"}),"\n",(0,i.jsx)(n.p,{children:"Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Manual)"}),"\n",(0,i.jsxs)(s,{children:[(0,i.jsxs)(n.p,{children:[(0,i.jsx)("summary",{children:"Remediation"}),"\nK3s PKI certificate files are stored in ",(0,i.jsx)(n.code,{children:"/var/lib/rancher/k3s/server/tls/"})," with permission 644.\nTo remediate, run the following command:"]}),(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-bash",children:"chmod -R 600 /var/lib/rancher/k3s/server/tls/*.crt\n"})})]}),"\n",(0,i.jsx)(n.h3,{id:"control-129",children:"Control 1.2.9"}),"\n",(0,i.jsx)(n.p,{children:"Ensure that the admission control plugin EventRateLimit is set"}),"\n",(0,i.jsxs)(s,{children:[(0,i.jsxs)(n.p,{children:[(0,i.jsx)("summary",{children:"Remediation"}),"\nFollow the ",(0,i.jsx)(n.a,{href:"https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#eventratelimit",children:"Kubernetes documentation"})," and set the desired limits in a configuration file.\nFor this and other psa configuration, this documentation uses /var/lib/rancher/k3s/server/psa.yaml.\nThen, edit the K3s config file /etc/rancher/k3s/config.yaml and set the below parameters."]}),(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:'kube-apiserver-arg:\n - "enable-admission-plugins=NodeRestriction,EventRateLimit"\n - "admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml"\n'})})]}),"\n",(0,i.jsx)(n.h3,{id:"control-1211",children:"Control 1.2.11"}),"\n",(0,i.jsx)(n.p,{children:"Ensure that the admission control plugin AlwaysPullImages is set"}),"\n",(0,i.jsxs)(s,{children:[(0,i.jsxs)(n.p,{children:[(0,i.jsx)("summary",{children:"Remediation"}),'\nPermissive, per CIS guidelines,\n"This setting could impact offline or isolated clusters, which have images pre-loaded and\ndo not have access to a registry to pull in-use images. This setting is not appropriate for\nclusters which use this configuration."\nEdit the K3s config file /etc/rancher/k3s/config.yaml and set the below parameter.']}),(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:'kube-apiserver-arg:\n - "enable-admission-plugins=...,AlwaysPullImages,..."\n'})})]}),"\n",(0,i.jsx)(n.h3,{id:"control-1221",children:"Control 1.2.21"}),"\n",(0,i.jsx)(n.p,{children:"Ensure that the --request-timeout argument is set as appropriate"}),"\n",(0,i.jsxs)(s,{children:[(0,i.jsxs)(n.p,{children:[(0,i.jsx)("summary",{children:"Remediation"}),'\nPermissive, per CIS guidelines,\n"it is recommended to set this limit as appropriate and change the default limit of 60 seconds only if needed".\nEdit the K3s config file /etc/rancher/k3s/config.yaml\nand set the below parameter if needed. For example,']}),(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:'kube-apiserver-arg:\n - "request-timeout=300s"\n'})})]}),"\n",(0,i.jsx)(n.h3,{id:"control-4213",children:"Control 4.2.13"}),"\n",(0,i.jsx)(n.p,{children:"Ensure that a limit is set on pod PIDs"}),"\n",(0,i.jsxs)(s,{children:[(0,i.jsxs)(n.p,{children:[(0,i.jsx)("summary",{children:"Remediation"}),"\nDecide on an appropriate level for this parameter and set it,\nIf using a K3s config file /etc/rancher/k3s/config.yaml, edit the file to set ",(0,i.jsx)(n.code,{children:"podPidsLimit"})," to"]}),(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:'kubelet-arg:\n - "pod-max-pids=<value>"\n'})})]}),"\n",(0,i.jsx)(n.h3,{id:"control-5x",children:"Control 5.X"}),"\n",(0,i.jsx)(n.p,{children:"All the 5.X Controls are related to Kubernetes policy configuration. These controls are not enforced by K3s by default."}),"\n",(0,i.jsxs)(n.p,{children:["Refer to ",(0,i.jsx)(n.a,{href:"/security/self-assessment-1.8#51-rbac-and-service-accounts",children:"CIS 1.8 Section 5"})," for more information on how to create and apply these policies."]}),"\n",(0,i.jsx)(n.h2,{id:"conclusion",children:"Conclusion"}),"\n",(0,i.jsxs)(n.p,{children:["If you have followed this guide, your K3s cluster will be configured to comply with the CIS Kubernetes Benchmark. You can review the ",(0,i.jsx)(n.a,{href:"/security/self-assessment-1.8",children:"CIS 1.8 Self-Assessment Guide"})," to understand the expectations of each of the benchmark's checks and how you can do the same on your cluster."]})]})}function u(e={}){const{wrapper:n}={...(0,r.a)(),...e.components};return n?(0,i.jsx)(n,{...e,children:(0,i.jsx)(d,{...e})}):d(e)}function p(e,n){throw new Error("Expected "+(n?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,n,s)=>{s.d(n,{Z:()=>o,a:()=>a});var i=s(7294);const r={},t=i.createContext(r);function a(e){const n=i.useContext(t);return i.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function o(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:a(e.components),i.createElement(t.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/82f1aa93.7a77f720.js b/assets/js/82f1aa93.7a77f720.js new file mode 100644 index 000000000..b3edd2e23 --- /dev/null +++ b/assets/js/82f1aa93.7a77f720.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7709],{1587:(e,n,s)=>{s.r(n),s.d(n,{assets:()=>l,contentTitle:()=>a,default:()=>u,frontMatter:()=>t,metadata:()=>o,toc:()=>c});var i=s(5893),r=s(1151);const t={title:"CIS Hardening Guide"},a=void 0,o={id:"security/hardening-guide",title:"CIS Hardening Guide",description:"This document provides prescriptive guidance for hardening a production installation of K3s. It outlines the configurations and controls required to address Kubernetes benchmark controls from the Center for Internet Security (CIS).",source:"@site/docs/security/hardening-guide.md",sourceDirName:"security",slug:"/security/hardening-guide",permalink:"/security/hardening-guide",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/security/hardening-guide.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"CIS Hardening Guide"},sidebar:"mySidebar",previous:{title:"Secrets Encryption",permalink:"/security/secrets-encryption"},next:{title:"CIS 1.8 Self Assessment Guide",permalink:"/security/self-assessment-1.8"}},l={},c=[{value:"Host-level Requirements",id:"host-level-requirements",level:2},{value:"Ensure <code>protect-kernel-defaults</code> is set",id:"ensure-protect-kernel-defaults-is-set",level:3},{value:"Set kernel parameters",id:"set-kernel-parameters",level:4},{value:"Kubernetes Runtime Requirements",id:"kubernetes-runtime-requirements",level:2},{value:"Pod Security",id:"pod-security",level:3},{value:"NetworkPolicies",id:"networkpolicies",level:3},{value:"API Server audit configuration",id:"api-server-audit-configuration",level:3},{value:"Configuration for Kubernetes Components",id:"configuration-for-kubernetes-components",level:2},{value:"Manual Operations",id:"manual-operations",level:2},{value:"Control 1.1.20",id:"control-1120",level:3},{value:"Control 1.2.9",id:"control-129",level:3},{value:"Control 1.2.11",id:"control-1211",level:3},{value:"Control 1.2.21",id:"control-1221",level:3},{value:"Control 4.2.13",id:"control-4213",level:3},{value:"Control 5.X",id:"control-5x",level:3},{value:"Conclusion",id:"conclusion",level:2}];function d(e){const n={a:"a",admonition:"admonition",blockquote:"blockquote",code:"code",h2:"h2",h3:"h3",h4:"h4",li:"li",ol:"ol",p:"p",pre:"pre",strong:"strong",...(0,r.a)(),...e.components},{Details:s,TabItem:t,Tabs:a}=n;return s||p("Details",!0),t||p("TabItem",!0),a||p("Tabs",!0),(0,i.jsxs)(i.Fragment,{children:[(0,i.jsx)(n.p,{children:"This document provides prescriptive guidance for hardening a production installation of K3s. It outlines the configurations and controls required to address Kubernetes benchmark controls from the Center for Internet Security (CIS)."}),"\n",(0,i.jsx)(n.p,{children:"K3s has a number of security mitigations applied and turned on by default and will pass a number of the Kubernetes CIS controls without modification. There are some notable exceptions to this that require manual intervention to fully comply with the CIS Benchmark:"}),"\n",(0,i.jsxs)(n.ol,{children:["\n",(0,i.jsx)(n.li,{children:"K3s will not modify the host operating system. Any host-level modifications will need to be done manually."}),"\n",(0,i.jsxs)(n.li,{children:["Certain CIS policy controls for ",(0,i.jsx)(n.code,{children:"NetworkPolicies"})," and ",(0,i.jsx)(n.code,{children:"PodSecurityStandards"})," (",(0,i.jsx)(n.code,{children:"PodSecurityPolicies"})," on v1.24 and older) will restrict the functionality of the cluster. You must opt into having K3s configure these by adding the appropriate options (enabling of admission plugins) to your command-line flags or configuration file as well as manually applying appropriate policies. Further details are presented in the sections below."]}),"\n"]}),"\n",(0,i.jsx)(n.p,{children:"The first section (1.1) of the CIS Benchmark concerns itself primarily with pod manifest permissions and ownership. K3s doesn't utilize these for the core components since everything is packaged into a single binary."}),"\n",(0,i.jsx)(n.h2,{id:"host-level-requirements",children:"Host-level Requirements"}),"\n",(0,i.jsx)(n.p,{children:"There are two areas of host-level requirements: kernel parameters and etcd process/directory configuration. These are outlined in this section."}),"\n",(0,i.jsxs)(n.h3,{id:"ensure-protect-kernel-defaults-is-set",children:["Ensure ",(0,i.jsx)(n.code,{children:"protect-kernel-defaults"})," is set"]}),"\n",(0,i.jsx)(n.p,{children:"This is a kubelet flag that will cause the kubelet to exit if the required kernel parameters are unset or are set to values that are different from the kubelet's defaults."}),"\n",(0,i.jsxs)(n.blockquote,{children:["\n",(0,i.jsxs)(n.p,{children:[(0,i.jsx)(n.strong,{children:"Note:"})," ",(0,i.jsx)(n.code,{children:"protect-kernel-defaults"})," is exposed as a top-level flag for K3s."]}),"\n"]}),"\n",(0,i.jsx)(n.h4,{id:"set-kernel-parameters",children:"Set kernel parameters"}),"\n",(0,i.jsxs)(n.p,{children:["Create a file called ",(0,i.jsx)(n.code,{children:"/etc/sysctl.d/90-kubelet.conf"})," and add the snippet below. Then run ",(0,i.jsx)(n.code,{children:"sysctl -p /etc/sysctl.d/90-kubelet.conf"}),"."]}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-bash",children:"vm.panic_on_oom=0\nvm.overcommit_memory=1\nkernel.panic=10\nkernel.panic_on_oops=1\n"})}),"\n",(0,i.jsx)(n.h2,{id:"kubernetes-runtime-requirements",children:"Kubernetes Runtime Requirements"}),"\n",(0,i.jsx)(n.p,{children:"The runtime requirements to comply with the CIS Benchmark are centered around pod security (via PSP or PSA), network policies and API Server auditing logs. These are outlined in this section."}),"\n",(0,i.jsxs)(n.p,{children:["By default, K3s does not include any pod security or network policies. However, K3s ships with a controller that will enforce network policies, if any are created. K3s doesn't enable auditing by default, so audit log configuration and audit policy must be created manually. By default, K3s runs with the both the ",(0,i.jsx)(n.code,{children:"PodSecurity"})," and ",(0,i.jsx)(n.code,{children:"NodeRestriction"})," admission controllers enabled, among others."]}),"\n",(0,i.jsx)(n.h3,{id:"pod-security",children:"Pod Security"}),"\n",(0,i.jsxs)(a,{groupId:"pod-sec",queryString:!0,children:[(0,i.jsxs)(t,{value:"v1.25 and Newer",default:!0,children:[(0,i.jsxs)(n.p,{children:["K3s v1.25 and newer support ",(0,i.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/security/pod-security-admission/",children:"Pod Security Admissions (PSAs)"})," for controlling pod security. PSAs are enabled by passing the following flag to the K3s server:"]}),(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{children:'--kube-apiserver-arg="admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml"\n'})}),(0,i.jsxs)(n.p,{children:["The policy should be written to a file named ",(0,i.jsx)(n.code,{children:"psa.yaml"})," in ",(0,i.jsx)(n.code,{children:"/var/lib/rancher/k3s/server"})," directory."]}),(0,i.jsx)(n.p,{children:"Here is an example of a compliant PSA:"}),(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:'apiVersion: apiserver.config.k8s.io/v1\nkind: AdmissionConfiguration\nplugins:\n- name: PodSecurity\n configuration:\n apiVersion: pod-security.admission.config.k8s.io/v1beta1\n kind: PodSecurityConfiguration\n defaults:\n enforce: "restricted"\n enforce-version: "latest"\n audit: "restricted"\n audit-version: "latest"\n warn: "restricted"\n warn-version: "latest"\n exemptions:\n usernames: []\n runtimeClasses: []\n namespaces: [kube-system, cis-operator-system]\n'})})]}),(0,i.jsxs)(t,{value:"v1.24 and Older",default:!0,children:[(0,i.jsxs)(n.p,{children:["K3s v1.24 and older support ",(0,i.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/security/pod-security-policy/",children:"Pod Security Policies (PSPs)"})," for controlling pod security. PSPs are enabled by passing the following flag to the K3s server:"]}),(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{children:'--kube-apiserver-arg="enable-admission-plugins=NodeRestriction,PodSecurityPolicy"\n'})}),(0,i.jsxs)(n.p,{children:["This will have the effect of maintaining the ",(0,i.jsx)(n.code,{children:"NodeRestriction"})," plugin as well as enabling the ",(0,i.jsx)(n.code,{children:"PodSecurityPolicy"}),"."]}),(0,i.jsx)(n.p,{children:"When PSPs are enabled, a policy can be applied to satisfy the necessary controls described in section 5.2 of the CIS Benchmark."}),(0,i.jsx)(n.p,{children:"Here is an example of a compliant PSP:"}),(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:"apiVersion: policy/v1beta1\nkind: PodSecurityPolicy\nmetadata:\n name: restricted-psp\nspec:\n privileged: false # CIS - 5.2.1\n allowPrivilegeEscalation: false # CIS - 5.2.5\n requiredDropCapabilities: # CIS - 5.2.7/8/9\n - ALL\n volumes:\n - 'configMap'\n - 'emptyDir'\n - 'projected'\n - 'secret'\n - 'downwardAPI'\n - 'csi'\n - 'persistentVolumeClaim'\n - 'ephemeral'\n hostNetwork: false # CIS - 5.2.4\n hostIPC: false # CIS - 5.2.3\n hostPID: false # CIS - 5.2.2\n runAsUser:\n rule: 'MustRunAsNonRoot' # CIS - 5.2.6\n seLinux:\n rule: 'RunAsAny'\n supplementalGroups:\n rule: 'MustRunAs'\n ranges:\n - min: 1\n max: 65535\n fsGroup:\n rule: 'MustRunAs'\n ranges:\n - min: 1\n max: 65535\n readOnlyRootFilesystem: false\n"})}),(0,i.jsx)(n.p,{children:'For the above PSP to be effective, we need to create a ClusterRole and a ClusterRoleBinding. We also need to include a "system unrestricted policy" which is needed for system-level pods that require additional privileges, and an additional policy that allows sysctls necessary for servicelb to function properly.'}),(0,i.jsxs)(n.p,{children:["Combining the configuration above with the ",(0,i.jsx)(n.a,{href:"#networkpolicies",children:"Network Policy"})," described in the next section, a single file can be placed in the ",(0,i.jsx)(n.code,{children:"/var/lib/rancher/k3s/server/manifests"})," directory. Here is an example of a ",(0,i.jsx)(n.code,{children:"policy.yaml"})," file:"]}),(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:"apiVersion: policy/v1beta1\nkind: PodSecurityPolicy\nmetadata:\n name: restricted-psp\nspec:\n privileged: false\n allowPrivilegeEscalation: false\n requiredDropCapabilities:\n - ALL\n volumes:\n - 'configMap'\n - 'emptyDir'\n - 'projected'\n - 'secret'\n - 'downwardAPI'\n - 'csi'\n - 'persistentVolumeClaim'\n - 'ephemeral'\n hostNetwork: false\n hostIPC: false\n hostPID: false\n runAsUser:\n rule: 'MustRunAsNonRoot'\n seLinux:\n rule: 'RunAsAny'\n supplementalGroups:\n rule: 'MustRunAs'\n ranges:\n - min: 1\n max: 65535\n fsGroup:\n rule: 'MustRunAs'\n ranges:\n - min: 1\n max: 65535\n readOnlyRootFilesystem: false\n---\napiVersion: policy/v1beta1\nkind: PodSecurityPolicy\nmetadata:\n name: system-unrestricted-psp\n annotations:\n seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'\nspec:\n allowPrivilegeEscalation: true\n allowedCapabilities:\n - '*'\n fsGroup:\n rule: RunAsAny\n hostIPC: true\n hostNetwork: true\n hostPID: true\n hostPorts:\n - max: 65535\n min: 0\n privileged: true\n runAsUser:\n rule: RunAsAny\n seLinux:\n rule: RunAsAny\n supplementalGroups:\n rule: RunAsAny\n volumes:\n - '*'\n---\napiVersion: policy/v1beta1\nkind: PodSecurityPolicy\nmetadata:\n name: svclb-psp\n annotations:\n seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'\nspec:\n allowPrivilegeEscalation: false\n allowedCapabilities:\n - NET_ADMIN\n allowedUnsafeSysctls:\n - net.ipv4.ip_forward\n - net.ipv6.conf.all.forwarding\n fsGroup:\n rule: RunAsAny\n hostPorts:\n - max: 65535\n min: 0\n runAsUser:\n rule: RunAsAny\n seLinux:\n rule: RunAsAny\n supplementalGroups:\n rule: RunAsAny\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n name: psp:restricted-psp\nrules:\n- apiGroups:\n - policy\n resources:\n - podsecuritypolicies\n verbs:\n - use\n resourceNames:\n - restricted-psp\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n name: psp:system-unrestricted-psp\nrules:\n- apiGroups:\n - policy\n resources:\n - podsecuritypolicies\n resourceNames:\n - system-unrestricted-psp\n verbs:\n - use\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n name: psp:svclb-psp\nrules:\n- apiGroups:\n - policy\n resources:\n - podsecuritypolicies\n resourceNames:\n - svclb-psp\n verbs:\n - use\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n name: default:restricted-psp\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: psp:restricted-psp\nsubjects:\n- kind: Group\n name: system:authenticated\n apiGroup: rbac.authorization.k8s.io\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n name: system-unrestricted-node-psp-rolebinding\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: psp:system-unrestricted-psp\nsubjects:\n- apiGroup: rbac.authorization.k8s.io\n kind: Group\n name: system:nodes\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n name: system-unrestricted-svc-acct-psp-rolebinding\n namespace: kube-system\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: psp:system-unrestricted-psp\nsubjects:\n- apiGroup: rbac.authorization.k8s.io\n kind: Group\n name: system:serviceaccounts\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n name: svclb-psp-rolebinding\n namespace: kube-system\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: psp:svclb-psp\nsubjects:\n- kind: ServiceAccount\n name: svclb\n---\nkind: NetworkPolicy\napiVersion: networking.k8s.io/v1\nmetadata:\n name: intra-namespace\n namespace: kube-system\nspec:\n podSelector: {}\n ingress:\n - from:\n - namespaceSelector:\n matchLabels:\n name: kube-system\n---\nkind: NetworkPolicy\napiVersion: networking.k8s.io/v1\nmetadata:\n name: intra-namespace\n namespace: default\nspec:\n podSelector: {}\n ingress:\n - from:\n - namespaceSelector:\n matchLabels:\n name: default\n---\nkind: NetworkPolicy\napiVersion: networking.k8s.io/v1\nmetadata:\n name: intra-namespace\n namespace: kube-public\nspec:\n podSelector: {}\n ingress:\n - from:\n - namespaceSelector:\n matchLabels:\n name: kube-public\n"})})]})]}),"\n",(0,i.jsxs)(n.blockquote,{children:["\n",(0,i.jsxs)(n.p,{children:[(0,i.jsx)(n.strong,{children:"Note:"})," The Kubernetes critical additions such as CNI, DNS, and Ingress are run as pods in the ",(0,i.jsx)(n.code,{children:"kube-system"})," namespace. Therefore, this namespace will have a policy that is less restrictive so that these components can run properly."]}),"\n"]}),"\n",(0,i.jsx)(n.h3,{id:"networkpolicies",children:"NetworkPolicies"}),"\n",(0,i.jsx)(n.p,{children:"CIS requires that all namespaces have a network policy applied that reasonably limits traffic into namespaces and pods."}),"\n",(0,i.jsxs)(n.p,{children:["Network policies should be placed the ",(0,i.jsx)(n.code,{children:"/var/lib/rancher/k3s/server/manifests"})," directory, where they will automatically be deployed on startup."]}),"\n",(0,i.jsx)(n.p,{children:"Here is an example of a compliant network policy."}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:"kind: NetworkPolicy\napiVersion: networking.k8s.io/v1\nmetadata:\n name: intra-namespace\n namespace: kube-system\nspec:\n podSelector: {}\n ingress:\n - from:\n - namespaceSelector:\n matchLabels:\n name: kube-system\n"})}),"\n",(0,i.jsx)(n.p,{children:"With the applied restrictions, DNS will be blocked unless purposely allowed. Below is a network policy that will allow for traffic to exist for DNS."}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:"apiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n name: default-network-dns-policy\n namespace: <NAMESPACE>\nspec:\n ingress:\n - ports:\n - port: 53\n protocol: TCP\n - port: 53\n protocol: UDP\n podSelector:\n matchLabels:\n k8s-app: kube-dns\n policyTypes:\n - Ingress\n"})}),"\n",(0,i.jsx)(n.p,{children:"The metrics-server and Traefik ingress controller will be blocked by default if network policies are not created to allow access. Traefik v1 as packaged in K3s version 1.20 and below uses different labels than Traefik v2. Ensure that you only use the sample yaml below that is associated with the version of Traefik present on your cluster."}),"\n",(0,i.jsxs)(a,{children:[(0,i.jsx)(t,{value:"v1.21 and Newer",default:!0,children:(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:"apiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n name: allow-all-metrics-server\n namespace: kube-system\nspec:\n podSelector:\n matchLabels:\n k8s-app: metrics-server\n ingress:\n - {}\n policyTypes:\n - Ingress\n---\napiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n name: allow-all-svclbtraefik-ingress\n namespace: kube-system\nspec:\n podSelector: \n matchLabels:\n svccontroller.k3s.cattle.io/svcname: traefik\n ingress:\n - {}\n policyTypes:\n - Ingress\n---\napiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n name: allow-all-traefik-v121-ingress\n namespace: kube-system\nspec:\n podSelector:\n matchLabels:\n app.kubernetes.io/name: traefik\n ingress:\n - {}\n policyTypes:\n - Ingress\n---\n\n"})})}),(0,i.jsx)(t,{value:"v1.20 and Older",default:!0,children:(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:"apiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n name: allow-all-metrics-server\n namespace: kube-system\nspec:\n podSelector:\n matchLabels:\n k8s-app: metrics-server\n ingress:\n - {}\n policyTypes:\n - Ingress\n---\napiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n name: allow-all-svclbtraefik-ingress\n namespace: kube-system\nspec:\n podSelector: \n matchLabels:\n svccontroller.k3s.cattle.io/svcname: traefik\n ingress:\n - {}\n policyTypes:\n - Ingress\n---\napiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n name: allow-all-traefik-v120-ingress\n namespace: kube-system\nspec:\n podSelector:\n matchLabels:\n app: traefik\n ingress:\n - {}\n policyTypes:\n - Ingress\n---\n\n"})})})]}),"\n",(0,i.jsx)(n.admonition,{type:"info",children:(0,i.jsx)(n.p,{children:"Operators must manage network policies as normal for additional namespaces that are created."})}),"\n",(0,i.jsx)(n.h3,{id:"api-server-audit-configuration",children:"API Server audit configuration"}),"\n",(0,i.jsx)(n.p,{children:"CIS requirements 1.2.22 to 1.2.25 are related to configuring audit logs for the API Server. K3s doesn't create by default the log directory and audit policy, as auditing requirements are specific to each user's policies and environment."}),"\n",(0,i.jsx)(n.p,{children:"The log directory, ideally, must be created before starting K3s. A restrictive access permission is recommended to avoid leaking potential sensitive information."}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-bash",children:"sudo mkdir -p -m 700 /var/lib/rancher/k3s/server/logs\n"})}),"\n",(0,i.jsxs)(n.p,{children:["A starter audit policy to log request metadata is provided below. The policy should be written to a file named ",(0,i.jsx)(n.code,{children:"audit.yaml"})," in ",(0,i.jsx)(n.code,{children:"/var/lib/rancher/k3s/server"})," directory. Detailed information about policy configuration for the API server can be found in the Kubernetes ",(0,i.jsx)(n.a,{href:"https://kubernetes.io/docs/tasks/debug-application-cluster/audit/",children:"documentation"}),"."]}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:"apiVersion: audit.k8s.io/v1\nkind: Policy\nrules:\n- level: Metadata\n"})}),"\n",(0,i.jsx)(n.p,{children:"Both configurations must be passed as arguments to the API Server as:"}),"\n",(0,i.jsxs)(a,{children:[(0,i.jsx)(t,{value:"config",children:(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:"kube-apiserver-arg:\n - 'admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml'\n - 'audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log'\n - 'audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml'\n - 'audit-log-maxage=30'\n - 'audit-log-maxbackup=10'\n - 'audit-log-maxsize=100'\n"})})}),(0,i.jsx)(t,{value:"cmdline",children:(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-bash",children:"--kube-apiserver-arg='audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log'\n--kube-apiserver-arg='audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml'\n"})})})]}),"\n",(0,i.jsx)(n.p,{children:"K3s must be restarted to load the new configuration."}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-bash",children:"sudo systemctl daemon-reload\nsudo systemctl restart k3s.service\n"})}),"\n",(0,i.jsx)(n.h2,{id:"configuration-for-kubernetes-components",children:"Configuration for Kubernetes Components"}),"\n",(0,i.jsxs)(n.p,{children:["The configuration below should be placed in the ",(0,i.jsx)(n.a,{href:"/installation/configuration#configuration-file",children:"configuration file"}),", and contains all the necessary remediations to harden the Kubernetes components."]}),"\n",(0,i.jsxs)(a,{groupId:"pod-sec",queryString:!0,children:[(0,i.jsx)(t,{value:"v1.25 and Newer",default:!0,children:(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:"protect-kernel-defaults: true\nsecrets-encryption: true\nkube-apiserver-arg:\n - \"enable-admission-plugins=NodeRestriction,EventRateLimit\"\n - 'admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml'\n - 'audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log'\n - 'audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml'\n - 'audit-log-maxage=30'\n - 'audit-log-maxbackup=10'\n - 'audit-log-maxsize=100'\nkube-controller-manager-arg:\n - 'terminated-pod-gc-threshold=10'\nkubelet-arg:\n - 'streaming-connection-idle-timeout=5m'\n - \"tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305\"\n"})})}),(0,i.jsx)(t,{value:"v1.24 and Older",default:!0,children:(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:"protect-kernel-defaults: true\nsecrets-encryption: true\nkube-apiserver-arg:\n - 'enable-admission-plugins=NodeRestriction,PodSecurityPolicy,NamespaceLifecycle,ServiceAccount'\n - 'audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log'\n - 'audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml'\n - 'audit-log-maxage=30'\n - 'audit-log-maxbackup=10'\n - 'audit-log-maxsize=100'\nkube-controller-manager-arg:\n - 'terminated-pod-gc-threshold=10'\nkubelet-arg:\n - 'streaming-connection-idle-timeout=5m'\n - 'make-iptables-util-chains=true'\n - \"tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305\"\n"})})})]}),"\n",(0,i.jsx)(n.h2,{id:"manual-operations",children:"Manual Operations"}),"\n",(0,i.jsx)(n.p,{children:"The following are controls that K3s currently does not pass by with the above configuration applied. These controls require manual intervention to fully comply with the CIS Benchmark."}),"\n",(0,i.jsx)(n.h3,{id:"control-1120",children:"Control 1.1.20"}),"\n",(0,i.jsx)(n.p,{children:"Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Manual)"}),"\n",(0,i.jsxs)(s,{children:[(0,i.jsxs)(n.p,{children:[(0,i.jsx)("summary",{children:"Remediation"}),"\nK3s PKI certificate files are stored in ",(0,i.jsx)(n.code,{children:"/var/lib/rancher/k3s/server/tls/"})," with permission 644.\nTo remediate, run the following command:"]}),(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-bash",children:"chmod -R 600 /var/lib/rancher/k3s/server/tls/*.crt\n"})})]}),"\n",(0,i.jsx)(n.h3,{id:"control-129",children:"Control 1.2.9"}),"\n",(0,i.jsx)(n.p,{children:"Ensure that the admission control plugin EventRateLimit is set"}),"\n",(0,i.jsxs)(s,{children:[(0,i.jsxs)(n.p,{children:[(0,i.jsx)("summary",{children:"Remediation"}),"\nFollow the ",(0,i.jsx)(n.a,{href:"https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#eventratelimit",children:"Kubernetes documentation"})," and set the desired limits in a configuration file.\nFor this and other psa configuration, this documentation uses /var/lib/rancher/k3s/server/psa.yaml.\nThen, edit the K3s config file /etc/rancher/k3s/config.yaml and set the below parameters."]}),(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:'kube-apiserver-arg:\n - "enable-admission-plugins=NodeRestriction,EventRateLimit"\n - "admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml"\n'})})]}),"\n",(0,i.jsx)(n.h3,{id:"control-1211",children:"Control 1.2.11"}),"\n",(0,i.jsx)(n.p,{children:"Ensure that the admission control plugin AlwaysPullImages is set"}),"\n",(0,i.jsxs)(s,{children:[(0,i.jsxs)(n.p,{children:[(0,i.jsx)("summary",{children:"Remediation"}),'\nPermissive, per CIS guidelines,\n"This setting could impact offline or isolated clusters, which have images pre-loaded and\ndo not have access to a registry to pull in-use images. This setting is not appropriate for\nclusters which use this configuration."\nEdit the K3s config file /etc/rancher/k3s/config.yaml and set the below parameter.']}),(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:'kube-apiserver-arg:\n - "enable-admission-plugins=...,AlwaysPullImages,..."\n'})})]}),"\n",(0,i.jsx)(n.h3,{id:"control-1221",children:"Control 1.2.21"}),"\n",(0,i.jsx)(n.p,{children:"Ensure that the --request-timeout argument is set as appropriate"}),"\n",(0,i.jsxs)(s,{children:[(0,i.jsxs)(n.p,{children:[(0,i.jsx)("summary",{children:"Remediation"}),'\nPermissive, per CIS guidelines,\n"it is recommended to set this limit as appropriate and change the default limit of 60 seconds only if needed".\nEdit the K3s config file /etc/rancher/k3s/config.yaml\nand set the below parameter if needed. For example,']}),(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:'kube-apiserver-arg:\n - "request-timeout=300s"\n'})})]}),"\n",(0,i.jsx)(n.h3,{id:"control-4213",children:"Control 4.2.13"}),"\n",(0,i.jsx)(n.p,{children:"Ensure that a limit is set on pod PIDs"}),"\n",(0,i.jsxs)(s,{children:[(0,i.jsxs)(n.p,{children:[(0,i.jsx)("summary",{children:"Remediation"}),"\nDecide on an appropriate level for this parameter and set it,\nIf using a K3s config file /etc/rancher/k3s/config.yaml, edit the file to set ",(0,i.jsx)(n.code,{children:"podPidsLimit"})," to"]}),(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:'kubelet-arg:\n - "pod-max-pids=<value>"\n'})})]}),"\n",(0,i.jsx)(n.h3,{id:"control-5x",children:"Control 5.X"}),"\n",(0,i.jsx)(n.p,{children:"All the 5.X Controls are related to Kubernetes policy configuration. These controls are not enforced by K3s by default."}),"\n",(0,i.jsxs)(n.p,{children:["Refer to ",(0,i.jsx)(n.a,{href:"/security/self-assessment-1.8#51-rbac-and-service-accounts",children:"CIS 1.8 Section 5"})," for more information on how to create and apply these policies."]}),"\n",(0,i.jsx)(n.h2,{id:"conclusion",children:"Conclusion"}),"\n",(0,i.jsxs)(n.p,{children:["If you have followed this guide, your K3s cluster will be configured to comply with the CIS Kubernetes Benchmark. You can review the ",(0,i.jsx)(n.a,{href:"/security/self-assessment-1.8",children:"CIS 1.8 Self-Assessment Guide"})," to understand the expectations of each of the benchmark's checks and how you can do the same on your cluster."]})]})}function u(e={}){const{wrapper:n}={...(0,r.a)(),...e.components};return n?(0,i.jsx)(n,{...e,children:(0,i.jsx)(d,{...e})}):d(e)}function p(e,n){throw new Error("Expected "+(n?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,n,s)=>{s.d(n,{Z:()=>o,a:()=>a});var i=s(7294);const r={},t=i.createContext(r);function a(e){const n=i.useContext(t);return i.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function o(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:a(e.components),i.createElement(t.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/zh/assets/js/8443.26559c8c.js b/assets/js/8443.a5d9c459.js similarity index 99% rename from zh/assets/js/8443.26559c8c.js rename to assets/js/8443.a5d9c459.js index 0cfcd5948..d07fabef4 100644 --- a/zh/assets/js/8443.26559c8c.js +++ b/assets/js/8443.a5d9c459.js @@ -1,2 +1,2 @@ -/*! For license information please see 8443.26559c8c.js.LICENSE.txt */ -(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[8443],{8443:(t,e,n)=>{"use strict";t.exports=n(295)},1228:(t,e,n)=>{"use strict";var i=n(2856),s={wrapper:{position:"relative",display:"inline-block"},hint:{position:"absolute",top:"0",left:"0",borderColor:"transparent",boxShadow:"none",opacity:"1"},input:{position:"relative",verticalAlign:"top",backgroundColor:"transparent"},inputWithNoHint:{position:"relative",verticalAlign:"top"},dropdown:{position:"absolute",top:"100%",left:"0",zIndex:"100",display:"none"},suggestions:{display:"block"},suggestion:{whiteSpace:"nowrap",cursor:"pointer"},suggestionChild:{whiteSpace:"normal"},ltr:{left:"0",right:"auto"},rtl:{left:"auto",right:"0"},defaultClasses:{root:"algolia-autocomplete",prefix:"aa",noPrefix:!1,dropdownMenu:"dropdown-menu",input:"input",hint:"hint",suggestions:"suggestions",suggestion:"suggestion",cursor:"cursor",dataset:"dataset",empty:"empty"},appendTo:{wrapper:{position:"absolute",zIndex:"100",display:"none"},input:{},inputWithNoHint:{},dropdown:{display:"block"}}};i.isMsie()&&i.mixin(s.input,{backgroundImage:"url(data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)"}),i.isMsie()&&i.isMsie()<=7&&i.mixin(s.input,{marginTop:"-1px"}),t.exports=s},9050:(t,e,n)=>{"use strict";var i="aaDataset",s="aaValue",r="aaDatum",o=n(2856),a=n(4910),u=n(3561),c=n(1228),l=n(3109);function h(t){var e;(t=t||{}).templates=t.templates||{},t.source||o.error("missing source"),t.name&&(e=t.name,!/^[_a-zA-Z0-9-]+$/.test(e))&&o.error("invalid dataset name: "+t.name),this.query=null,this._isEmpty=!0,this.highlight=!!t.highlight,this.name=void 0===t.name||null===t.name?o.getUniqueId():t.name,this.source=t.source,this.displayFn=function(t){return t=t||"value",o.isFunction(t)?t:e;function e(e){return e[t]}}(t.display||t.displayKey),this.debounce=t.debounce,this.cache=!1!==t.cache,this.templates=function(t,e){return{empty:t.empty&&o.templatify(t.empty),header:t.header&&o.templatify(t.header),footer:t.footer&&o.templatify(t.footer),suggestion:t.suggestion||n};function n(t){return"<p>"+e(t)+"</p>"}}(t.templates,this.displayFn),this.css=o.mixin({},c,t.appendTo?c.appendTo:{}),this.cssClasses=t.cssClasses=o.mixin({},c.defaultClasses,t.cssClasses||{}),this.cssClasses.prefix=t.cssClasses.formattedPrefix||o.formatPrefix(this.cssClasses.prefix,this.cssClasses.noPrefix);var n=o.className(this.cssClasses.prefix,this.cssClasses.dataset);this.$el=t.$menu&&t.$menu.find(n+"-"+this.name).length>0?a.element(t.$menu.find(n+"-"+this.name)[0]):a.element(u.dataset.replace("%CLASS%",this.name).replace("%PREFIX%",this.cssClasses.prefix).replace("%DATASET%",this.cssClasses.dataset)),this.$menu=t.$menu,this.clearCachedSuggestions()}h.extractDatasetName=function(t){return a.element(t).data(i)},h.extractValue=function(t){return a.element(t).data(s)},h.extractDatum=function(t){var e=a.element(t).data(r);return"string"==typeof e&&(e=JSON.parse(e)),e},o.mixin(h.prototype,l,{_render:function(t,e){if(this.$el){var n,c=this,l=[].slice.call(arguments,2);if(this.$el.empty(),n=e&&e.length,this._isEmpty=!n,!n&&this.templates.empty)this.$el.html(function(){var e=[].slice.call(arguments,0);return e=[{query:t,isEmpty:!0}].concat(e),c.templates.empty.apply(this,e)}.apply(this,l)).prepend(c.templates.header?h.apply(this,l):null).append(c.templates.footer?p.apply(this,l):null);else if(n)this.$el.html(function(){var t,n,l=[].slice.call(arguments,0),h=this,p=u.suggestions.replace("%PREFIX%",this.cssClasses.prefix).replace("%SUGGESTIONS%",this.cssClasses.suggestions);return t=a.element(p).css(this.css.suggestions),n=o.map(e,f),t.append.apply(t,n),t;function f(t){var e,n=u.suggestion.replace("%PREFIX%",h.cssClasses.prefix).replace("%SUGGESTION%",h.cssClasses.suggestion);return(e=a.element(n).attr({role:"option",id:["option",Math.floor(1e8*Math.random())].join("-")}).append(c.templates.suggestion.apply(this,[t].concat(l)))).data(i,c.name),e.data(s,c.displayFn(t)||void 0),e.data(r,JSON.stringify(t)),e.children().each((function(){a.element(this).css(h.css.suggestionChild)})),e}}.apply(this,l)).prepend(c.templates.header?h.apply(this,l):null).append(c.templates.footer?p.apply(this,l):null);else if(e&&!Array.isArray(e))throw new TypeError("suggestions must be an array");this.$menu&&this.$menu.addClass(this.cssClasses.prefix+(n?"with":"without")+"-"+this.name).removeClass(this.cssClasses.prefix+(n?"without":"with")+"-"+this.name),this.trigger("rendered",t)}function h(){var e=[].slice.call(arguments,0);return e=[{query:t,isEmpty:!n}].concat(e),c.templates.header.apply(this,e)}function p(){var e=[].slice.call(arguments,0);return e=[{query:t,isEmpty:!n}].concat(e),c.templates.footer.apply(this,e)}},getRoot:function(){return this.$el},update:function(t){function e(e){if(!this.canceled&&t===this.query){var n=[].slice.call(arguments,1);this.cacheSuggestions(t,e,n),this._render.apply(this,[t,e].concat(n))}}if(this.query=t,this.canceled=!1,this.shouldFetchFromCache(t))e.apply(this,[this.cachedSuggestions].concat(this.cachedRenderExtraArgs));else{var n=this,i=function(){n.canceled||n.source(t,e.bind(n))};if(this.debounce){clearTimeout(this.debounceTimeout),this.debounceTimeout=setTimeout((function(){n.debounceTimeout=null,i()}),this.debounce)}else i()}},cacheSuggestions:function(t,e,n){this.cachedQuery=t,this.cachedSuggestions=e,this.cachedRenderExtraArgs=n},shouldFetchFromCache:function(t){return this.cache&&this.cachedQuery===t&&this.cachedSuggestions&&this.cachedSuggestions.length},clearCachedSuggestions:function(){delete this.cachedQuery,delete this.cachedSuggestions,delete this.cachedRenderExtraArgs},cancel:function(){this.canceled=!0},clear:function(){this.$el&&(this.cancel(),this.$el.empty(),this.trigger("rendered",""))},isEmpty:function(){return this._isEmpty},destroy:function(){this.clearCachedSuggestions(),this.$el=null}}),t.exports=h},3354:(t,e,n)=>{"use strict";var i=n(2856),s=n(4910),r=n(3109),o=n(9050),a=n(1228);function u(t){var e,n,r,o=this;(t=t||{}).menu||i.error("menu is required"),i.isArray(t.datasets)||i.isObject(t.datasets)||i.error("1 or more datasets required"),t.datasets||i.error("datasets is required"),this.isOpen=!1,this.isEmpty=!0,this.minLength=t.minLength||0,this.templates={},this.appendTo=t.appendTo||!1,this.css=i.mixin({},a,t.appendTo?a.appendTo:{}),this.cssClasses=t.cssClasses=i.mixin({},a.defaultClasses,t.cssClasses||{}),this.cssClasses.prefix=t.cssClasses.formattedPrefix||i.formatPrefix(this.cssClasses.prefix,this.cssClasses.noPrefix),e=i.bind(this._onSuggestionClick,this),n=i.bind(this._onSuggestionMouseEnter,this),r=i.bind(this._onSuggestionMouseLeave,this);var c=i.className(this.cssClasses.prefix,this.cssClasses.suggestion);this.$menu=s.element(t.menu).on("mouseenter.aa",c,n).on("mouseleave.aa",c,r).on("click.aa",c,e),this.$container=t.appendTo?t.wrapper:this.$menu,t.templates&&t.templates.header&&(this.templates.header=i.templatify(t.templates.header),this.$menu.prepend(this.templates.header())),t.templates&&t.templates.empty&&(this.templates.empty=i.templatify(t.templates.empty),this.$empty=s.element('<div class="'+i.className(this.cssClasses.prefix,this.cssClasses.empty,!0)+'"></div>'),this.$menu.append(this.$empty),this.$empty.hide()),this.datasets=i.map(t.datasets,(function(e){return function(t,e,n){return new u.Dataset(i.mixin({$menu:t,cssClasses:n},e))}(o.$menu,e,t.cssClasses)})),i.each(this.datasets,(function(t){var e=t.getRoot();e&&0===e.parent().length&&o.$menu.append(e),t.onSync("rendered",o._onRendered,o)})),t.templates&&t.templates.footer&&(this.templates.footer=i.templatify(t.templates.footer),this.$menu.append(this.templates.footer()));var l=this;s.element(window).resize((function(){l._redraw()}))}i.mixin(u.prototype,r,{_onSuggestionClick:function(t){this.trigger("suggestionClicked",s.element(t.currentTarget))},_onSuggestionMouseEnter:function(t){var e=s.element(t.currentTarget);if(!e.hasClass(i.className(this.cssClasses.prefix,this.cssClasses.cursor,!0))){this._removeCursor();var n=this;setTimeout((function(){n._setCursor(e,!1)}),0)}},_onSuggestionMouseLeave:function(t){if(t.relatedTarget&&s.element(t.relatedTarget).closest("."+i.className(this.cssClasses.prefix,this.cssClasses.cursor,!0)).length>0)return;this._removeCursor(),this.trigger("cursorRemoved")},_onRendered:function(t,e){if(this.isEmpty=i.every(this.datasets,(function(t){return t.isEmpty()})),this.isEmpty)if(e.length>=this.minLength&&this.trigger("empty"),this.$empty)if(e.length<this.minLength)this._hide();else{var n=this.templates.empty({query:this.datasets[0]&&this.datasets[0].query});this.$empty.html(n),this.$empty.show(),this._show()}else i.any(this.datasets,(function(t){return t.templates&&t.templates.empty}))?e.length<this.minLength?this._hide():this._show():this._hide();else this.isOpen&&(this.$empty&&(this.$empty.empty(),this.$empty.hide()),e.length>=this.minLength?this._show():this._hide());this.trigger("datasetRendered")},_hide:function(){this.$container.hide()},_show:function(){this.$container.css("display","block"),this._redraw(),this.trigger("shown")},_redraw:function(){this.isOpen&&this.appendTo&&this.trigger("redrawn")},_getSuggestions:function(){return this.$menu.find(i.className(this.cssClasses.prefix,this.cssClasses.suggestion))},_getCursor:function(){return this.$menu.find(i.className(this.cssClasses.prefix,this.cssClasses.cursor)).first()},_setCursor:function(t,e){t.first().addClass(i.className(this.cssClasses.prefix,this.cssClasses.cursor,!0)).attr("aria-selected","true"),this.trigger("cursorMoved",e)},_removeCursor:function(){this._getCursor().removeClass(i.className(this.cssClasses.prefix,this.cssClasses.cursor,!0)).removeAttr("aria-selected")},_moveCursor:function(t){var e,n,i,s;this.isOpen&&(n=this._getCursor(),e=this._getSuggestions(),this._removeCursor(),-1!==(i=((i=e.index(n)+t)+1)%(e.length+1)-1)?(i<-1&&(i=e.length-1),this._setCursor(s=e.eq(i),!0),this._ensureVisible(s)):this.trigger("cursorRemoved"))},_ensureVisible:function(t){var e,n,i,s;n=(e=t.position().top)+t.height()+parseInt(t.css("margin-top"),10)+parseInt(t.css("margin-bottom"),10),i=this.$menu.scrollTop(),s=this.$menu.height()+parseInt(this.$menu.css("padding-top"),10)+parseInt(this.$menu.css("padding-bottom"),10),e<0?this.$menu.scrollTop(i+e):s<n&&this.$menu.scrollTop(i+(n-s))},close:function(){this.isOpen&&(this.isOpen=!1,this._removeCursor(),this._hide(),this.trigger("closed"))},open:function(){this.isOpen||(this.isOpen=!0,this.isEmpty||this._show(),this.trigger("opened"))},setLanguageDirection:function(t){this.$menu.css("ltr"===t?this.css.ltr:this.css.rtl)},moveCursorUp:function(){this._moveCursor(-1)},moveCursorDown:function(){this._moveCursor(1)},getDatumForSuggestion:function(t){var e=null;return t.length&&(e={raw:o.extractDatum(t),value:o.extractValue(t),datasetName:o.extractDatasetName(t)}),e},getCurrentCursor:function(){return this._getCursor().first()},getDatumForCursor:function(){return this.getDatumForSuggestion(this._getCursor().first())},getDatumForTopSuggestion:function(){return this.getDatumForSuggestion(this._getSuggestions().first())},cursorTopSuggestion:function(){this._setCursor(this._getSuggestions().first(),!1)},update:function(t){i.each(this.datasets,(function(e){e.update(t)}))},empty:function(){i.each(this.datasets,(function(t){t.clear()})),this.isEmpty=!0},isVisible:function(){return this.isOpen&&!this.isEmpty},destroy:function(){this.$menu.off(".aa"),this.$menu=null,i.each(this.datasets,(function(t){t.destroy()}))}}),u.Dataset=o,t.exports=u},50:(t,e,n)=>{"use strict";var i=n(2856),s=n(4910);function r(t){t&&t.el||i.error("EventBus initialized without el"),this.$el=s.element(t.el)}i.mixin(r.prototype,{trigger:function(t,e,n,s){var r=i.Event("autocomplete:"+t);return this.$el.trigger(r,[e,n,s]),r}}),t.exports=r},3109:(t,e,n)=>{"use strict";var i=n(624),s=/\s+/;function r(t,e,n,i){var r;if(!n)return this;for(e=e.split(s),n=i?function(t,e){return t.bind?t.bind(e):function(){t.apply(e,[].slice.call(arguments,0))}}(n,i):n,this._callbacks=this._callbacks||{};r=e.shift();)this._callbacks[r]=this._callbacks[r]||{sync:[],async:[]},this._callbacks[r][t].push(n);return this}function o(t,e,n){return function(){for(var i,s=0,r=t.length;!i&&s<r;s+=1)i=!1===t[s].apply(e,n);return!i}}t.exports={onSync:function(t,e,n){return r.call(this,"sync",t,e,n)},onAsync:function(t,e,n){return r.call(this,"async",t,e,n)},off:function(t){var e;if(!this._callbacks)return this;t=t.split(s);for(;e=t.shift();)delete this._callbacks[e];return this},trigger:function(t){var e,n,r,a,u;if(!this._callbacks)return this;t=t.split(s),r=[].slice.call(arguments,1);for(;(e=t.shift())&&(n=this._callbacks[e]);)a=o(n.sync,this,[e].concat(r)),u=o(n.async,this,[e].concat(r)),a()&&i(u);return this}}},3561:t=>{"use strict";t.exports={wrapper:'<span class="%ROOT%"></span>',dropdown:'<span class="%PREFIX%%DROPDOWN_MENU%"></span>',dataset:'<div class="%PREFIX%%DATASET%-%CLASS%"></div>',suggestions:'<span class="%PREFIX%%SUGGESTIONS%"></span>',suggestion:'<div class="%PREFIX%%SUGGESTION%"></div>'}},2534:(t,e,n)=>{"use strict";var i;i={9:"tab",27:"esc",37:"left",39:"right",13:"enter",38:"up",40:"down"};var s=n(2856),r=n(4910),o=n(3109);function a(t){var e,n,o,a,u,c=this;(t=t||{}).input||s.error("input is missing"),e=s.bind(this._onBlur,this),n=s.bind(this._onFocus,this),o=s.bind(this._onKeydown,this),a=s.bind(this._onInput,this),this.$hint=r.element(t.hint),this.$input=r.element(t.input).on("blur.aa",e).on("focus.aa",n).on("keydown.aa",o),0===this.$hint.length&&(this.setHint=this.getHint=this.clearHint=this.clearHintIfInvalid=s.noop),s.isMsie()?this.$input.on("keydown.aa keypress.aa cut.aa paste.aa",(function(t){i[t.which||t.keyCode]||s.defer(s.bind(c._onInput,c,t))})):this.$input.on("input.aa",a),this.query=this.$input.val(),this.$overflowHelper=(u=this.$input,r.element('<pre aria-hidden="true"></pre>').css({position:"absolute",visibility:"hidden",whiteSpace:"pre",fontFamily:u.css("font-family"),fontSize:u.css("font-size"),fontStyle:u.css("font-style"),fontVariant:u.css("font-variant"),fontWeight:u.css("font-weight"),wordSpacing:u.css("word-spacing"),letterSpacing:u.css("letter-spacing"),textIndent:u.css("text-indent"),textRendering:u.css("text-rendering"),textTransform:u.css("text-transform")}).insertAfter(u))}function u(t){return t.altKey||t.ctrlKey||t.metaKey||t.shiftKey}a.normalizeQuery=function(t){return(t||"").replace(/^\s*/g,"").replace(/\s{2,}/g," ")},s.mixin(a.prototype,o,{_onBlur:function(){this.resetInputValue(),this.$input.removeAttr("aria-activedescendant"),this.trigger("blurred")},_onFocus:function(){this.trigger("focused")},_onKeydown:function(t){var e=i[t.which||t.keyCode];this._managePreventDefault(e,t),e&&this._shouldTrigger(e,t)&&this.trigger(e+"Keyed",t)},_onInput:function(){this._checkInputValue()},_managePreventDefault:function(t,e){var n,i,s;switch(t){case"tab":i=this.getHint(),s=this.getInputValue(),n=i&&i!==s&&!u(e);break;case"up":case"down":n=!u(e);break;default:n=!1}n&&e.preventDefault()},_shouldTrigger:function(t,e){var n;if("tab"===t)n=!u(e);else n=!0;return n},_checkInputValue:function(){var t,e,n,i,s;t=this.getInputValue(),i=t,s=this.query,n=!(!(e=a.normalizeQuery(i)===a.normalizeQuery(s))||!this.query)&&this.query.length!==t.length,this.query=t,e?n&&this.trigger("whitespaceChanged",this.query):this.trigger("queryChanged",this.query)},focus:function(){this.$input.focus()},blur:function(){this.$input.blur()},getQuery:function(){return this.query},setQuery:function(t){this.query=t},getInputValue:function(){return this.$input.val()},setInputValue:function(t,e){void 0===t&&(t=this.query),this.$input.val(t),e?this.clearHint():this._checkInputValue()},expand:function(){this.$input.attr("aria-expanded","true")},collapse:function(){this.$input.attr("aria-expanded","false")},setActiveDescendant:function(t){this.$input.attr("aria-activedescendant",t)},removeActiveDescendant:function(){this.$input.removeAttr("aria-activedescendant")},resetInputValue:function(){this.setInputValue(this.query,!0)},getHint:function(){return this.$hint.val()},setHint:function(t){this.$hint.val(t)},clearHint:function(){this.setHint("")},clearHintIfInvalid:function(){var t,e,n;n=(t=this.getInputValue())!==(e=this.getHint())&&0===e.indexOf(t),""!==t&&n&&!this.hasOverflow()||this.clearHint()},getLanguageDirection:function(){return(this.$input.css("direction")||"ltr").toLowerCase()},hasOverflow:function(){var t=this.$input.width()-2;return this.$overflowHelper.text(this.getInputValue()),this.$overflowHelper.width()>=t},isCursorAtEnd:function(){var t,e,n;return t=this.$input.val().length,e=this.$input[0].selectionStart,s.isNumber(e)?e===t:!document.selection||((n=document.selection.createRange()).moveStart("character",-t),t===n.text.length)},destroy:function(){this.$hint.off(".aa"),this.$input.off(".aa"),this.$hint=this.$input=this.$overflowHelper=null}}),t.exports=a},6549:(t,e,n)=>{"use strict";var i="aaAttrs",s=n(2856),r=n(4910),o=n(50),a=n(2534),u=n(3354),c=n(3561),l=n(1228);function h(t){var e,n;if((t=t||{}).input||s.error("missing input"),this.isActivated=!1,this.debug=!!t.debug,this.autoselect=!!t.autoselect,this.autoselectOnBlur=!!t.autoselectOnBlur,this.openOnFocus=!!t.openOnFocus,this.minLength=s.isNumber(t.minLength)?t.minLength:1,this.autoWidth=void 0===t.autoWidth||!!t.autoWidth,this.clearOnSelected=!!t.clearOnSelected,this.tabAutocomplete=void 0===t.tabAutocomplete||!!t.tabAutocomplete,t.hint=!!t.hint,t.hint&&t.appendTo)throw new Error("[autocomplete.js] hint and appendTo options can't be used at the same time");this.css=t.css=s.mixin({},l,t.appendTo?l.appendTo:{}),this.cssClasses=t.cssClasses=s.mixin({},l.defaultClasses,t.cssClasses||{}),this.cssClasses.prefix=t.cssClasses.formattedPrefix=s.formatPrefix(this.cssClasses.prefix,this.cssClasses.noPrefix),this.listboxId=t.listboxId=[this.cssClasses.root,"listbox",s.getUniqueId()].join("-");var a=function(t){var e,n,o,a;e=r.element(t.input),n=r.element(c.wrapper.replace("%ROOT%",t.cssClasses.root)).css(t.css.wrapper),t.appendTo||"block"!==e.css("display")||"table"!==e.parent().css("display")||n.css("display","table-cell");var u=c.dropdown.replace("%PREFIX%",t.cssClasses.prefix).replace("%DROPDOWN_MENU%",t.cssClasses.dropdownMenu);o=r.element(u).css(t.css.dropdown).attr({role:"listbox",id:t.listboxId}),t.templates&&t.templates.dropdownMenu&&o.html(s.templatify(t.templates.dropdownMenu)());a=e.clone().css(t.css.hint).css(function(t){return{backgroundAttachment:t.css("background-attachment"),backgroundClip:t.css("background-clip"),backgroundColor:t.css("background-color"),backgroundImage:t.css("background-image"),backgroundOrigin:t.css("background-origin"),backgroundPosition:t.css("background-position"),backgroundRepeat:t.css("background-repeat"),backgroundSize:t.css("background-size")}}(e)),a.val("").addClass(s.className(t.cssClasses.prefix,t.cssClasses.hint,!0)).removeAttr("id name placeholder required").prop("readonly",!0).attr({"aria-hidden":"true",autocomplete:"off",spellcheck:"false",tabindex:-1}),a.removeData&&a.removeData();e.data(i,{"aria-autocomplete":e.attr("aria-autocomplete"),"aria-expanded":e.attr("aria-expanded"),"aria-owns":e.attr("aria-owns"),autocomplete:e.attr("autocomplete"),dir:e.attr("dir"),role:e.attr("role"),spellcheck:e.attr("spellcheck"),style:e.attr("style"),type:e.attr("type")}),e.addClass(s.className(t.cssClasses.prefix,t.cssClasses.input,!0)).attr({autocomplete:"off",spellcheck:!1,role:"combobox","aria-autocomplete":t.datasets&&t.datasets[0]&&t.datasets[0].displayKey?"both":"list","aria-expanded":"false","aria-label":t.ariaLabel,"aria-owns":t.listboxId}).css(t.hint?t.css.input:t.css.inputWithNoHint);try{e.attr("dir")||e.attr("dir","auto")}catch(l){}return n=t.appendTo?n.appendTo(r.element(t.appendTo).eq(0)).eq(0):e.wrap(n).parent(),n.prepend(t.hint?a:null).append(o),{wrapper:n,input:e,hint:a,menu:o}}(t);this.$node=a.wrapper;var u=this.$input=a.input;e=a.menu,n=a.hint,t.dropdownMenuContainer&&r.element(t.dropdownMenuContainer).css("position","relative").append(e.css("top","0")),u.on("blur.aa",(function(t){var n=document.activeElement;s.isMsie()&&(e[0]===n||e[0].contains(n))&&(t.preventDefault(),t.stopImmediatePropagation(),s.defer((function(){u.focus()})))})),e.on("mousedown.aa",(function(t){t.preventDefault()})),this.eventBus=t.eventBus||new o({el:u}),this.dropdown=new h.Dropdown({appendTo:t.appendTo,wrapper:this.$node,menu:e,datasets:t.datasets,templates:t.templates,cssClasses:t.cssClasses,minLength:this.minLength}).onSync("suggestionClicked",this._onSuggestionClicked,this).onSync("cursorMoved",this._onCursorMoved,this).onSync("cursorRemoved",this._onCursorRemoved,this).onSync("opened",this._onOpened,this).onSync("closed",this._onClosed,this).onSync("shown",this._onShown,this).onSync("empty",this._onEmpty,this).onSync("redrawn",this._onRedrawn,this).onAsync("datasetRendered",this._onDatasetRendered,this),this.input=new h.Input({input:u,hint:n}).onSync("focused",this._onFocused,this).onSync("blurred",this._onBlurred,this).onSync("enterKeyed",this._onEnterKeyed,this).onSync("tabKeyed",this._onTabKeyed,this).onSync("escKeyed",this._onEscKeyed,this).onSync("upKeyed",this._onUpKeyed,this).onSync("downKeyed",this._onDownKeyed,this).onSync("leftKeyed",this._onLeftKeyed,this).onSync("rightKeyed",this._onRightKeyed,this).onSync("queryChanged",this._onQueryChanged,this).onSync("whitespaceChanged",this._onWhitespaceChanged,this),this._bindKeyboardShortcuts(t),this._setLanguageDirection()}s.mixin(h.prototype,{_bindKeyboardShortcuts:function(t){if(t.keyboardShortcuts){var e=this.$input,n=[];s.each(t.keyboardShortcuts,(function(t){"string"==typeof t&&(t=t.toUpperCase().charCodeAt(0)),n.push(t)})),r.element(document).keydown((function(t){var i=t.target||t.srcElement,s=i.tagName;if(!i.isContentEditable&&"INPUT"!==s&&"SELECT"!==s&&"TEXTAREA"!==s){var r=t.which||t.keyCode;-1!==n.indexOf(r)&&(e.focus(),t.stopPropagation(),t.preventDefault())}}))}},_onSuggestionClicked:function(t,e){var n;(n=this.dropdown.getDatumForSuggestion(e))&&this._select(n,{selectionMethod:"click"})},_onCursorMoved:function(t,e){var n=this.dropdown.getDatumForCursor(),i=this.dropdown.getCurrentCursor().attr("id");this.input.setActiveDescendant(i),n&&(e&&this.input.setInputValue(n.value,!0),this.eventBus.trigger("cursorchanged",n.raw,n.datasetName))},_onCursorRemoved:function(){this.input.resetInputValue(),this._updateHint(),this.eventBus.trigger("cursorremoved")},_onDatasetRendered:function(){this._updateHint(),this.eventBus.trigger("updated")},_onOpened:function(){this._updateHint(),this.input.expand(),this.eventBus.trigger("opened")},_onEmpty:function(){this.eventBus.trigger("empty")},_onRedrawn:function(){this.$node.css("top","0px"),this.$node.css("left","0px");var t=this.$input[0].getBoundingClientRect();this.autoWidth&&this.$node.css("width",t.width+"px");var e=this.$node[0].getBoundingClientRect(),n=t.bottom-e.top;this.$node.css("top",n+"px");var i=t.left-e.left;this.$node.css("left",i+"px"),this.eventBus.trigger("redrawn")},_onShown:function(){this.eventBus.trigger("shown"),this.autoselect&&this.dropdown.cursorTopSuggestion()},_onClosed:function(){this.input.clearHint(),this.input.removeActiveDescendant(),this.input.collapse(),this.eventBus.trigger("closed")},_onFocused:function(){if(this.isActivated=!0,this.openOnFocus){var t=this.input.getQuery();t.length>=this.minLength?this.dropdown.update(t):this.dropdown.empty(),this.dropdown.open()}},_onBlurred:function(){var t,e;t=this.dropdown.getDatumForCursor(),e=this.dropdown.getDatumForTopSuggestion();var n={selectionMethod:"blur"};this.debug||(this.autoselectOnBlur&&t?this._select(t,n):this.autoselectOnBlur&&e?this._select(e,n):(this.isActivated=!1,this.dropdown.empty(),this.dropdown.close()))},_onEnterKeyed:function(t,e){var n,i;n=this.dropdown.getDatumForCursor(),i=this.dropdown.getDatumForTopSuggestion();var s={selectionMethod:"enterKey"};n?(this._select(n,s),e.preventDefault()):this.autoselect&&i&&(this._select(i,s),e.preventDefault())},_onTabKeyed:function(t,e){if(this.tabAutocomplete){var n;(n=this.dropdown.getDatumForCursor())?(this._select(n,{selectionMethod:"tabKey"}),e.preventDefault()):this._autocomplete(!0)}else this.dropdown.close()},_onEscKeyed:function(){this.dropdown.close(),this.input.resetInputValue()},_onUpKeyed:function(){var t=this.input.getQuery();this.dropdown.isEmpty&&t.length>=this.minLength?this.dropdown.update(t):this.dropdown.moveCursorUp(),this.dropdown.open()},_onDownKeyed:function(){var t=this.input.getQuery();this.dropdown.isEmpty&&t.length>=this.minLength?this.dropdown.update(t):this.dropdown.moveCursorDown(),this.dropdown.open()},_onLeftKeyed:function(){"rtl"===this.dir&&this._autocomplete()},_onRightKeyed:function(){"ltr"===this.dir&&this._autocomplete()},_onQueryChanged:function(t,e){this.input.clearHintIfInvalid(),e.length>=this.minLength?this.dropdown.update(e):this.dropdown.empty(),this.dropdown.open(),this._setLanguageDirection()},_onWhitespaceChanged:function(){this._updateHint(),this.dropdown.open()},_setLanguageDirection:function(){var t=this.input.getLanguageDirection();this.dir!==t&&(this.dir=t,this.$node.css("direction",t),this.dropdown.setLanguageDirection(t))},_updateHint:function(){var t,e,n,i,r;(t=this.dropdown.getDatumForTopSuggestion())&&this.dropdown.isVisible()&&!this.input.hasOverflow()?(e=this.input.getInputValue(),n=a.normalizeQuery(e),i=s.escapeRegExChars(n),(r=new RegExp("^(?:"+i+")(.+$)","i").exec(t.value))?this.input.setHint(e+r[1]):this.input.clearHint()):this.input.clearHint()},_autocomplete:function(t){var e,n,i,s;e=this.input.getHint(),n=this.input.getQuery(),i=t||this.input.isCursorAtEnd(),e&&n!==e&&i&&((s=this.dropdown.getDatumForTopSuggestion())&&this.input.setInputValue(s.value),this.eventBus.trigger("autocompleted",s.raw,s.datasetName))},_select:function(t,e){void 0!==t.value&&this.input.setQuery(t.value),this.clearOnSelected?this.setVal(""):this.input.setInputValue(t.value,!0),this._setLanguageDirection(),!1===this.eventBus.trigger("selected",t.raw,t.datasetName,e).isDefaultPrevented()&&(this.dropdown.close(),s.defer(s.bind(this.dropdown.empty,this.dropdown)))},open:function(){if(!this.isActivated){var t=this.input.getInputValue();t.length>=this.minLength?this.dropdown.update(t):this.dropdown.empty()}this.dropdown.open()},close:function(){this.dropdown.close()},setVal:function(t){t=s.toStr(t),this.isActivated?this.input.setInputValue(t):(this.input.setQuery(t),this.input.setInputValue(t,!0)),this._setLanguageDirection()},getVal:function(){return this.input.getQuery()},destroy:function(){this.input.destroy(),this.dropdown.destroy(),function(t,e){var n=t.find(s.className(e.prefix,e.input));s.each(n.data(i),(function(t,e){void 0===t?n.removeAttr(e):n.attr(e,t)})),n.detach().removeClass(s.className(e.prefix,e.input,!0)).insertAfter(t),n.removeData&&n.removeData(i);t.remove()}(this.$node,this.cssClasses),this.$node=null},getWrapper:function(){return this.dropdown.$container[0]}}),h.Dropdown=u,h.Input=a,h.sources=n(8840),t.exports=h},4910:t=>{"use strict";t.exports={element:null}},6177:t=>{"use strict";t.exports=function(t){var e=t.match(/Algolia for JavaScript \((\d+\.)(\d+\.)(\d+)\)/)||t.match(/Algolia for vanilla JavaScript (\d+\.)(\d+\.)(\d+)/);if(e)return[e[1],e[2],e[3]]}},2856:(t,e,n)=>{"use strict";var i,s=n(8820),r=n(4910);function o(t){return t.replace(/[\-\[\]\/\{\}\(\)\*\+\?\.\\\^\$\|]/g,"\\$&")}t.exports={isArray:null,isFunction:null,isObject:null,bind:null,each:null,map:null,mixin:null,isMsie:function(t){if(void 0===t&&(t=navigator.userAgent),/(msie|trident)/i.test(t)){var e=t.match(/(msie |rv:)(\d+(.\d+)?)/i);if(e)return e[2]}return!1},escapeRegExChars:function(t){return t.replace(/[\-\[\]\/\{\}\(\)\*\+\?\.\\\^\$\|]/g,"\\$&")},isNumber:function(t){return"number"==typeof t},toStr:function(t){return null==t?"":t+""},cloneDeep:function(t){var e=this.mixin({},t),n=this;return this.each(e,(function(t,i){t&&(n.isArray(t)?e[i]=[].concat(t):n.isObject(t)&&(e[i]=n.cloneDeep(t)))})),e},error:function(t){throw new Error(t)},every:function(t,e){var n=!0;return t?(this.each(t,(function(i,s){n&&(n=e.call(null,i,s,t)&&n)})),!!n):n},any:function(t,e){var n=!1;return t?(this.each(t,(function(i,s){if(e.call(null,i,s,t))return n=!0,!1})),n):n},getUniqueId:(i=0,function(){return i++}),templatify:function(t){if(this.isFunction(t))return t;var e=r.element(t);return"SCRIPT"===e.prop("tagName")?function(){return e.text()}:function(){return String(t)}},defer:function(t){setTimeout(t,0)},noop:function(){},formatPrefix:function(t,e){return e?"":t+"-"},className:function(t,e,n){return n?t+e:"."+s(t+e,{isIdentifier:!0})},escapeHighlightedString:function(t,e,n){e=e||"<em>";var i=document.createElement("div");i.appendChild(document.createTextNode(e)),n=n||"</em>";var s=document.createElement("div");s.appendChild(document.createTextNode(n));var r=document.createElement("div");return r.appendChild(document.createTextNode(t)),r.innerHTML.replace(RegExp(o(i.innerHTML),"g"),e).replace(RegExp(o(s.innerHTML),"g"),n)}}},9983:(t,e,n)=>{"use strict";var i=n(2856),s=n(533),r=n(6177);var o,a,u=(o=[],a=window.Promise.resolve(),function(t,e){return function(n,s){(function(t,e){return window.Promise.resolve().then((function(){return o.length&&(a=t.search(o),o=[]),a})).then((function(t){if(t)return t.results[e]}))})(t.as,o.push({indexName:t.indexName,query:n,params:e})-1).then((function(t){t&&s(t.hits,t)})).catch((function(t){i.error(t.message)}))}});t.exports=function(t,e){var n=r(t.as._ua);if(n&&n[0]>=3&&n[1]>20){var i="autocomplete.js "+s;-1===t.as._ua.indexOf(i)&&(t.as._ua+="; "+i)}return u(t,e)}},8840:(t,e,n)=>{"use strict";t.exports={hits:n(9983),popularIn:n(4445)}},4445:(t,e,n)=>{"use strict";var i=n(2856),s=n(533),r=n(6177);t.exports=function(t,e,n,o){var a=r(t.as._ua);if(a&&a[0]>=3&&a[1]>20&&((e=e||{}).additionalUA="autocomplete.js "+s),!n.source)return i.error("Missing 'source' key");var u=i.isFunction(n.source)?n.source:function(t){return t[n.source]};if(!n.index)return i.error("Missing 'index' key");var c=n.index;return o=o||{},function(a,l){t.search(a,e,(function(t,a){if(t)i.error(t.message);else{if(a.hits.length>0){var h=a.hits[0],p=i.mixin({hitsPerPage:0},n);delete p.source,delete p.index;var f=r(c.as._ua);return f&&f[0]>=3&&f[1]>20&&(e.additionalUA="autocomplete.js "+s),void c.search(u(h),p,(function(t,e){if(t)i.error(t.message);else{var n=[];if(o.includeAll){var s=o.allTitle||"All departments";n.push(i.mixin({facet:{value:s,count:e.nbHits}},i.cloneDeep(h)))}i.each(e.facets,(function(t,e){i.each(t,(function(t,s){n.push(i.mixin({facet:{facet:e,value:s,count:t}},i.cloneDeep(h)))}))}));for(var r=1;r<a.hits.length;++r)n.push(a.hits[r]);l(n,a)}}))}l([])}}))}}},295:(t,e,n)=>{"use strict";var i=n(6990);n(4910).element=i;var s=n(2856);s.isArray=i.isArray,s.isFunction=i.isFunction,s.isObject=i.isPlainObject,s.bind=i.proxy,s.each=function(t,e){i.each(t,(function(t,n){return e(n,t)}))},s.map=i.map,s.mixin=i.extend,s.Event=i.Event;var r="aaAutocomplete",o=n(6549),a=n(50);function u(t,e,n,u){n=s.isArray(n)?n:[].slice.call(arguments,2);var c=i(t).each((function(t,s){var c=i(s),l=new a({el:c}),h=u||new o({input:c,eventBus:l,dropdownMenuContainer:e.dropdownMenuContainer,hint:void 0===e.hint||!!e.hint,minLength:e.minLength,autoselect:e.autoselect,autoselectOnBlur:e.autoselectOnBlur,tabAutocomplete:e.tabAutocomplete,openOnFocus:e.openOnFocus,templates:e.templates,debug:e.debug,clearOnSelected:e.clearOnSelected,cssClasses:e.cssClasses,datasets:n,keyboardShortcuts:e.keyboardShortcuts,appendTo:e.appendTo,autoWidth:e.autoWidth,ariaLabel:e.ariaLabel||s.getAttribute("aria-label")});c.data(r,h)}));return c.autocomplete={},s.each(["open","close","getVal","setVal","destroy","getWrapper"],(function(t){c.autocomplete[t]=function(){var e,n=arguments;return c.each((function(s,o){var a=i(o).data(r);e=a[t].apply(a,n)})),e}})),c}u.sources=o.sources,u.escapeHighlightedString=s.escapeHighlightedString;var c="autocomplete"in window,l=window.autocomplete;u.noConflict=function(){return c?window.autocomplete=l:delete window.autocomplete,u},t.exports=u},533:t=>{t.exports="0.38.1"},6990:t=>{var e;e=window,t.exports=function(t){var e,n,i=function(){var e,n,i,s,r,o,a=[],u=a.concat,c=a.filter,l=a.slice,h=t.document,p={},f={},d={"column-count":1,columns:1,"font-weight":1,"line-height":1,opacity:1,"z-index":1,zoom:1},g=/^\s*<(\w+|!)[^>]*>/,m=/^<(\w+)\s*\/?>(?:<\/\1>|)$/,v=/<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:]+)[^>]*)\/>/gi,y=/^(?:body|html)$/i,w=/([A-Z])/g,b=["val","css","html","text","data","width","height","offset"],C=["after","prepend","before","append"],x=h.createElement("table"),_=h.createElement("tr"),S={tr:h.createElement("tbody"),tbody:x,thead:x,tfoot:x,td:_,th:_,"*":h.createElement("div")},E=/complete|loaded|interactive/,A=/^[\w-]*$/,$={},T=$.toString,O={},D=h.createElement("div"),N={tabindex:"tabIndex",readonly:"readOnly",for:"htmlFor",class:"className",maxlength:"maxLength",cellspacing:"cellSpacing",cellpadding:"cellPadding",rowspan:"rowSpan",colspan:"colSpan",usemap:"useMap",frameborder:"frameBorder",contenteditable:"contentEditable"},k=Array.isArray||function(t){return t instanceof Array};function I(t){return null==t?String(t):$[T.call(t)]||"object"}function P(t){return"function"==I(t)}function L(t){return null!=t&&t==t.window}function M(t){return null!=t&&t.nodeType==t.DOCUMENT_NODE}function F(t){return"object"==I(t)}function R(t){return F(t)&&!L(t)&&Object.getPrototypeOf(t)==Object.prototype}function q(t){var e=!!t&&"length"in t&&t.length,n=i.type(t);return"function"!=n&&!L(t)&&("array"==n||0===e||"number"==typeof e&&e>0&&e-1 in t)}function V(t){return c.call(t,(function(t){return null!=t}))}function H(t){return t.length>0?i.fn.concat.apply([],t):t}function B(t){return t.replace(/::/g,"/").replace(/([A-Z]+)([A-Z][a-z])/g,"$1_$2").replace(/([a-z\d])([A-Z])/g,"$1_$2").replace(/_/g,"-").toLowerCase()}function K(t){return t in f?f[t]:f[t]=new RegExp("(^|\\s)"+t+"(\\s|$)")}function j(t,e){return"number"!=typeof e||d[B(t)]?e:e+"px"}function z(t){var e,n;return p[t]||(e=h.createElement(t),h.body.appendChild(e),n=getComputedStyle(e,"").getPropertyValue("display"),e.parentNode.removeChild(e),"none"==n&&(n="block"),p[t]=n),p[t]}function U(t){return"children"in t?l.call(t.children):i.map(t.childNodes,(function(t){if(1==t.nodeType)return t}))}function Q(t,e){var n,i=t?t.length:0;for(n=0;n<i;n++)this[n]=t[n];this.length=i,this.selector=e||""}function W(t,i,s){for(n in i)s&&(R(i[n])||k(i[n]))?(R(i[n])&&!R(t[n])&&(t[n]={}),k(i[n])&&!k(t[n])&&(t[n]=[]),W(t[n],i[n],s)):i[n]!==e&&(t[n]=i[n])}function Z(t,e){return null==e?i(t):i(t).filter(e)}function X(t,e,n,i){return P(e)?e.call(t,n,i):e}function G(t,e,n){null==n?t.removeAttribute(e):t.setAttribute(e,n)}function J(t,n){var i=t.className||"",s=i&&i.baseVal!==e;if(n===e)return s?i.baseVal:i;s?i.baseVal=n:t.className=n}function Y(t){try{return t?"true"==t||"false"!=t&&("null"==t?null:+t+""==t?+t:/^[\[\{]/.test(t)?i.parseJSON(t):t):t}catch(e){return t}}function tt(t,e){e(t);for(var n=0,i=t.childNodes.length;n<i;n++)tt(t.childNodes[n],e)}return O.matches=function(t,e){if(!e||!t||1!==t.nodeType)return!1;var n=t.matches||t.webkitMatchesSelector||t.mozMatchesSelector||t.oMatchesSelector||t.matchesSelector;if(n)return n.call(t,e);var i,s=t.parentNode,r=!s;return r&&(s=D).appendChild(t),i=~O.qsa(s,e).indexOf(t),r&&D.removeChild(t),i},r=function(t){return t.replace(/-+(.)?/g,(function(t,e){return e?e.toUpperCase():""}))},o=function(t){return c.call(t,(function(e,n){return t.indexOf(e)==n}))},O.fragment=function(t,n,s){var r,o,a;return m.test(t)&&(r=i(h.createElement(RegExp.$1))),r||(t.replace&&(t=t.replace(v,"<$1></$2>")),n===e&&(n=g.test(t)&&RegExp.$1),n in S||(n="*"),(a=S[n]).innerHTML=""+t,r=i.each(l.call(a.childNodes),(function(){a.removeChild(this)}))),R(s)&&(o=i(r),i.each(s,(function(t,e){b.indexOf(t)>-1?o[t](e):o.attr(t,e)}))),r},O.Z=function(t,e){return new Q(t,e)},O.isZ=function(t){return t instanceof O.Z},O.init=function(t,n){var s;if(!t)return O.Z();if("string"==typeof t)if("<"==(t=t.trim())[0]&&g.test(t))s=O.fragment(t,RegExp.$1,n),t=null;else{if(n!==e)return i(n).find(t);s=O.qsa(h,t)}else{if(P(t))return i(h).ready(t);if(O.isZ(t))return t;if(k(t))s=V(t);else if(F(t))s=[t],t=null;else if(g.test(t))s=O.fragment(t.trim(),RegExp.$1,n),t=null;else{if(n!==e)return i(n).find(t);s=O.qsa(h,t)}}return O.Z(s,t)},(i=function(t,e){return O.init(t,e)}).extend=function(t){var e,n=l.call(arguments,1);return"boolean"==typeof t&&(e=t,t=n.shift()),n.forEach((function(n){W(t,n,e)})),t},O.qsa=function(t,e){var n,i="#"==e[0],s=!i&&"."==e[0],r=i||s?e.slice(1):e,o=A.test(r);return t.getElementById&&o&&i?(n=t.getElementById(r))?[n]:[]:1!==t.nodeType&&9!==t.nodeType&&11!==t.nodeType?[]:l.call(o&&!i&&t.getElementsByClassName?s?t.getElementsByClassName(r):t.getElementsByTagName(e):t.querySelectorAll(e))},i.contains=h.documentElement.contains?function(t,e){return t!==e&&t.contains(e)}:function(t,e){for(;e&&(e=e.parentNode);)if(e===t)return!0;return!1},i.type=I,i.isFunction=P,i.isWindow=L,i.isArray=k,i.isPlainObject=R,i.isEmptyObject=function(t){var e;for(e in t)return!1;return!0},i.isNumeric=function(t){var e=Number(t),n=typeof t;return null!=t&&"boolean"!=n&&("string"!=n||t.length)&&!isNaN(e)&&isFinite(e)||!1},i.inArray=function(t,e,n){return a.indexOf.call(e,t,n)},i.camelCase=r,i.trim=function(t){return null==t?"":String.prototype.trim.call(t)},i.uuid=0,i.support={},i.expr={},i.noop=function(){},i.map=function(t,e){var n,i,s,r=[];if(q(t))for(i=0;i<t.length;i++)null!=(n=e(t[i],i))&&r.push(n);else for(s in t)null!=(n=e(t[s],s))&&r.push(n);return H(r)},i.each=function(t,e){var n,i;if(q(t)){for(n=0;n<t.length;n++)if(!1===e.call(t[n],n,t[n]))return t}else for(i in t)if(!1===e.call(t[i],i,t[i]))return t;return t},i.grep=function(t,e){return c.call(t,e)},t.JSON&&(i.parseJSON=JSON.parse),i.each("Boolean Number String Function Array Date RegExp Object Error".split(" "),(function(t,e){$["[object "+e+"]"]=e.toLowerCase()})),i.fn={constructor:O.Z,length:0,forEach:a.forEach,reduce:a.reduce,push:a.push,sort:a.sort,splice:a.splice,indexOf:a.indexOf,concat:function(){var t,e,n=[];for(t=0;t<arguments.length;t++)e=arguments[t],n[t]=O.isZ(e)?e.toArray():e;return u.apply(O.isZ(this)?this.toArray():this,n)},map:function(t){return i(i.map(this,(function(e,n){return t.call(e,n,e)})))},slice:function(){return i(l.apply(this,arguments))},ready:function(t){return E.test(h.readyState)&&h.body?t(i):h.addEventListener("DOMContentLoaded",(function(){t(i)}),!1),this},get:function(t){return t===e?l.call(this):this[t>=0?t:t+this.length]},toArray:function(){return this.get()},size:function(){return this.length},remove:function(){return this.each((function(){null!=this.parentNode&&this.parentNode.removeChild(this)}))},each:function(t){return a.every.call(this,(function(e,n){return!1!==t.call(e,n,e)})),this},filter:function(t){return P(t)?this.not(this.not(t)):i(c.call(this,(function(e){return O.matches(e,t)})))},add:function(t,e){return i(o(this.concat(i(t,e))))},is:function(t){return this.length>0&&O.matches(this[0],t)},not:function(t){var n=[];if(P(t)&&t.call!==e)this.each((function(e){t.call(this,e)||n.push(this)}));else{var s="string"==typeof t?this.filter(t):q(t)&&P(t.item)?l.call(t):i(t);this.forEach((function(t){s.indexOf(t)<0&&n.push(t)}))}return i(n)},has:function(t){return this.filter((function(){return F(t)?i.contains(this,t):i(this).find(t).size()}))},eq:function(t){return-1===t?this.slice(t):this.slice(t,+t+1)},first:function(){var t=this[0];return t&&!F(t)?t:i(t)},last:function(){var t=this[this.length-1];return t&&!F(t)?t:i(t)},find:function(t){var e=this;return t?"object"==typeof t?i(t).filter((function(){var t=this;return a.some.call(e,(function(e){return i.contains(e,t)}))})):1==this.length?i(O.qsa(this[0],t)):this.map((function(){return O.qsa(this,t)})):i()},closest:function(t,e){var n=[],s="object"==typeof t&&i(t);return this.each((function(i,r){for(;r&&!(s?s.indexOf(r)>=0:O.matches(r,t));)r=r!==e&&!M(r)&&r.parentNode;r&&n.indexOf(r)<0&&n.push(r)})),i(n)},parents:function(t){for(var e=[],n=this;n.length>0;)n=i.map(n,(function(t){if((t=t.parentNode)&&!M(t)&&e.indexOf(t)<0)return e.push(t),t}));return Z(e,t)},parent:function(t){return Z(o(this.pluck("parentNode")),t)},children:function(t){return Z(this.map((function(){return U(this)})),t)},contents:function(){return this.map((function(){return this.contentDocument||l.call(this.childNodes)}))},siblings:function(t){return Z(this.map((function(t,e){return c.call(U(e.parentNode),(function(t){return t!==e}))})),t)},empty:function(){return this.each((function(){this.innerHTML=""}))},pluck:function(t){return i.map(this,(function(e){return e[t]}))},show:function(){return this.each((function(){"none"==this.style.display&&(this.style.display=""),"none"==getComputedStyle(this,"").getPropertyValue("display")&&(this.style.display=z(this.nodeName))}))},replaceWith:function(t){return this.before(t).remove()},wrap:function(t){var e=P(t);if(this[0]&&!e)var n=i(t).get(0),s=n.parentNode||this.length>1;return this.each((function(r){i(this).wrapAll(e?t.call(this,r):s?n.cloneNode(!0):n)}))},wrapAll:function(t){if(this[0]){var e;for(i(this[0]).before(t=i(t));(e=t.children()).length;)t=e.first();i(t).append(this)}return this},wrapInner:function(t){var e=P(t);return this.each((function(n){var s=i(this),r=s.contents(),o=e?t.call(this,n):t;r.length?r.wrapAll(o):s.append(o)}))},unwrap:function(){return this.parent().each((function(){i(this).replaceWith(i(this).children())})),this},clone:function(){return this.map((function(){return this.cloneNode(!0)}))},hide:function(){return this.css("display","none")},toggle:function(t){return this.each((function(){var n=i(this);(t===e?"none"==n.css("display"):t)?n.show():n.hide()}))},prev:function(t){return i(this.pluck("previousElementSibling")).filter(t||"*")},next:function(t){return i(this.pluck("nextElementSibling")).filter(t||"*")},html:function(t){return 0 in arguments?this.each((function(e){var n=this.innerHTML;i(this).empty().append(X(this,t,e,n))})):0 in this?this[0].innerHTML:null},text:function(t){return 0 in arguments?this.each((function(e){var n=X(this,t,e,this.textContent);this.textContent=null==n?"":""+n})):0 in this?this.pluck("textContent").join(""):null},attr:function(t,i){var s;return"string"!=typeof t||1 in arguments?this.each((function(e){if(1===this.nodeType)if(F(t))for(n in t)G(this,n,t[n]);else G(this,t,X(this,i,e,this.getAttribute(t)))})):0 in this&&1==this[0].nodeType&&null!=(s=this[0].getAttribute(t))?s:e},removeAttr:function(t){return this.each((function(){1===this.nodeType&&t.split(" ").forEach((function(t){G(this,t)}),this)}))},prop:function(t,e){return t=N[t]||t,1 in arguments?this.each((function(n){this[t]=X(this,e,n,this[t])})):this[0]&&this[0][t]},removeProp:function(t){return t=N[t]||t,this.each((function(){delete this[t]}))},data:function(t,n){var i="data-"+t.replace(w,"-$1").toLowerCase(),s=1 in arguments?this.attr(i,n):this.attr(i);return null!==s?Y(s):e},val:function(t){return 0 in arguments?(null==t&&(t=""),this.each((function(e){this.value=X(this,t,e,this.value)}))):this[0]&&(this[0].multiple?i(this[0]).find("option").filter((function(){return this.selected})).pluck("value"):this[0].value)},offset:function(e){if(e)return this.each((function(t){var n=i(this),s=X(this,e,t,n.offset()),r=n.offsetParent().offset(),o={top:s.top-r.top,left:s.left-r.left};"static"==n.css("position")&&(o.position="relative"),n.css(o)}));if(!this.length)return null;if(h.documentElement!==this[0]&&!i.contains(h.documentElement,this[0]))return{top:0,left:0};var n=this[0].getBoundingClientRect();return{left:n.left+t.pageXOffset,top:n.top+t.pageYOffset,width:Math.round(n.width),height:Math.round(n.height)}},css:function(t,e){if(arguments.length<2){var s=this[0];if("string"==typeof t){if(!s)return;return s.style[r(t)]||getComputedStyle(s,"").getPropertyValue(t)}if(k(t)){if(!s)return;var o={},a=getComputedStyle(s,"");return i.each(t,(function(t,e){o[e]=s.style[r(e)]||a.getPropertyValue(e)})),o}}var u="";if("string"==I(t))e||0===e?u=B(t)+":"+j(t,e):this.each((function(){this.style.removeProperty(B(t))}));else for(n in t)t[n]||0===t[n]?u+=B(n)+":"+j(n,t[n])+";":this.each((function(){this.style.removeProperty(B(n))}));return this.each((function(){this.style.cssText+=";"+u}))},index:function(t){return t?this.indexOf(i(t)[0]):this.parent().children().indexOf(this[0])},hasClass:function(t){return!!t&&a.some.call(this,(function(t){return this.test(J(t))}),K(t))},addClass:function(t){return t?this.each((function(e){if("className"in this){s=[];var n=J(this);X(this,t,e,n).split(/\s+/g).forEach((function(t){i(this).hasClass(t)||s.push(t)}),this),s.length&&J(this,n+(n?" ":"")+s.join(" "))}})):this},removeClass:function(t){return this.each((function(n){if("className"in this){if(t===e)return J(this,"");s=J(this),X(this,t,n,s).split(/\s+/g).forEach((function(t){s=s.replace(K(t)," ")})),J(this,s.trim())}}))},toggleClass:function(t,n){return t?this.each((function(s){var r=i(this);X(this,t,s,J(this)).split(/\s+/g).forEach((function(t){(n===e?!r.hasClass(t):n)?r.addClass(t):r.removeClass(t)}))})):this},scrollTop:function(t){if(this.length){var n="scrollTop"in this[0];return t===e?n?this[0].scrollTop:this[0].pageYOffset:this.each(n?function(){this.scrollTop=t}:function(){this.scrollTo(this.scrollX,t)})}},scrollLeft:function(t){if(this.length){var n="scrollLeft"in this[0];return t===e?n?this[0].scrollLeft:this[0].pageXOffset:this.each(n?function(){this.scrollLeft=t}:function(){this.scrollTo(t,this.scrollY)})}},position:function(){if(this.length){var t=this[0],e=this.offsetParent(),n=this.offset(),s=y.test(e[0].nodeName)?{top:0,left:0}:e.offset();return n.top-=parseFloat(i(t).css("margin-top"))||0,n.left-=parseFloat(i(t).css("margin-left"))||0,s.top+=parseFloat(i(e[0]).css("border-top-width"))||0,s.left+=parseFloat(i(e[0]).css("border-left-width"))||0,{top:n.top-s.top,left:n.left-s.left}}},offsetParent:function(){return this.map((function(){for(var t=this.offsetParent||h.body;t&&!y.test(t.nodeName)&&"static"==i(t).css("position");)t=t.offsetParent;return t}))}},i.fn.detach=i.fn.remove,["width","height"].forEach((function(t){var n=t.replace(/./,(function(t){return t[0].toUpperCase()}));i.fn[t]=function(s){var r,o=this[0];return s===e?L(o)?o["inner"+n]:M(o)?o.documentElement["scroll"+n]:(r=this.offset())&&r[t]:this.each((function(e){(o=i(this)).css(t,X(this,s,e,o[t]()))}))}})),C.forEach((function(n,s){var r=s%2;i.fn[n]=function(){var n,o,a=i.map(arguments,(function(t){var s=[];return"array"==(n=I(t))?(t.forEach((function(t){return t.nodeType!==e?s.push(t):i.zepto.isZ(t)?s=s.concat(t.get()):void(s=s.concat(O.fragment(t)))})),s):"object"==n||null==t?t:O.fragment(t)})),u=this.length>1;return a.length<1?this:this.each((function(e,n){o=r?n:n.parentNode,n=0==s?n.nextSibling:1==s?n.firstChild:2==s?n:null;var c=i.contains(h.documentElement,o);a.forEach((function(e){if(u)e=e.cloneNode(!0);else if(!o)return i(e).remove();o.insertBefore(e,n),c&&tt(e,(function(e){if(!(null==e.nodeName||"SCRIPT"!==e.nodeName.toUpperCase()||e.type&&"text/javascript"!==e.type||e.src)){var n=e.ownerDocument?e.ownerDocument.defaultView:t;n.eval.call(n,e.innerHTML)}}))}))}))},i.fn[r?n+"To":"insert"+(s?"Before":"After")]=function(t){return i(t)[n](this),this}})),O.Z.prototype=Q.prototype=i.fn,O.uniq=o,O.deserializeValue=Y,i.zepto=O,i}();return function(e){var n,i=1,s=Array.prototype.slice,r=e.isFunction,o=function(t){return"string"==typeof t},a={},u={},c="onfocusin"in t,l={focus:"focusin",blur:"focusout"},h={mouseenter:"mouseover",mouseleave:"mouseout"};function p(t){return t._zid||(t._zid=i++)}function f(t,e,n,i){if((e=d(e)).ns)var s=g(e.ns);return(a[p(t)]||[]).filter((function(t){return t&&(!e.e||t.e==e.e)&&(!e.ns||s.test(t.ns))&&(!n||p(t.fn)===p(n))&&(!i||t.sel==i)}))}function d(t){var e=(""+t).split(".");return{e:e[0],ns:e.slice(1).sort().join(" ")}}function g(t){return new RegExp("(?:^| )"+t.replace(" "," .* ?")+"(?: |$)")}function m(t,e){return t.del&&!c&&t.e in l||!!e}function v(t){return h[t]||c&&l[t]||t}function y(t,i,s,r,o,u,c){var l=p(t),f=a[l]||(a[l]=[]);i.split(/\s/).forEach((function(i){if("ready"==i)return e(document).ready(s);var a=d(i);a.fn=s,a.sel=o,a.e in h&&(s=function(t){var n=t.relatedTarget;if(!n||n!==this&&!e.contains(this,n))return a.fn.apply(this,arguments)}),a.del=u;var l=u||s;a.proxy=function(e){if(!(e=S(e)).isImmediatePropagationStopped()){try{var i=Object.getOwnPropertyDescriptor(e,"data");i&&!i.writable||(e.data=r)}catch(e){}var s=l.apply(t,e._args==n?[e]:[e].concat(e._args));return!1===s&&(e.preventDefault(),e.stopPropagation()),s}},a.i=f.length,f.push(a),"addEventListener"in t&&t.addEventListener(v(a.e),a.proxy,m(a,c))}))}function w(t,e,n,i,s){var r=p(t);(e||"").split(/\s/).forEach((function(e){f(t,e,n,i).forEach((function(e){delete a[r][e.i],"removeEventListener"in t&&t.removeEventListener(v(e.e),e.proxy,m(e,s))}))}))}u.click=u.mousedown=u.mouseup=u.mousemove="MouseEvents",e.event={add:y,remove:w},e.proxy=function(t,n){var i=2 in arguments&&s.call(arguments,2);if(r(t)){var a=function(){return t.apply(n,i?i.concat(s.call(arguments)):arguments)};return a._zid=p(t),a}if(o(n))return i?(i.unshift(t[n],t),e.proxy.apply(null,i)):e.proxy(t[n],t);throw new TypeError("expected function")},e.fn.bind=function(t,e,n){return this.on(t,e,n)},e.fn.unbind=function(t,e){return this.off(t,e)},e.fn.one=function(t,e,n,i){return this.on(t,e,n,i,1)};var b=function(){return!0},C=function(){return!1},x=/^([A-Z]|returnValue$|layer[XY]$|webkitMovement[XY]$)/,_={preventDefault:"isDefaultPrevented",stopImmediatePropagation:"isImmediatePropagationStopped",stopPropagation:"isPropagationStopped"};function S(t,i){if(i||!t.isDefaultPrevented){i||(i=t),e.each(_,(function(e,n){var s=i[e];t[e]=function(){return this[n]=b,s&&s.apply(i,arguments)},t[n]=C}));try{t.timeStamp||(t.timeStamp=Date.now())}catch(s){}(i.defaultPrevented!==n?i.defaultPrevented:"returnValue"in i?!1===i.returnValue:i.getPreventDefault&&i.getPreventDefault())&&(t.isDefaultPrevented=b)}return t}function E(t){var e,i={originalEvent:t};for(e in t)x.test(e)||t[e]===n||(i[e]=t[e]);return S(i,t)}e.fn.delegate=function(t,e,n){return this.on(e,t,n)},e.fn.undelegate=function(t,e,n){return this.off(e,t,n)},e.fn.live=function(t,n){return e(document.body).delegate(this.selector,t,n),this},e.fn.die=function(t,n){return e(document.body).undelegate(this.selector,t,n),this},e.fn.on=function(t,i,a,u,c){var l,h,p=this;return t&&!o(t)?(e.each(t,(function(t,e){p.on(t,i,a,e,c)})),p):(o(i)||r(u)||!1===u||(u=a,a=i,i=n),u!==n&&!1!==a||(u=a,a=n),!1===u&&(u=C),p.each((function(n,r){c&&(l=function(t){return w(r,t.type,u),u.apply(this,arguments)}),i&&(h=function(t){var n,o=e(t.target).closest(i,r).get(0);if(o&&o!==r)return n=e.extend(E(t),{currentTarget:o,liveFired:r}),(l||u).apply(o,[n].concat(s.call(arguments,1)))}),y(r,t,u,a,i,h||l)})))},e.fn.off=function(t,i,s){var a=this;return t&&!o(t)?(e.each(t,(function(t,e){a.off(t,i,e)})),a):(o(i)||r(s)||!1===s||(s=i,i=n),!1===s&&(s=C),a.each((function(){w(this,t,s,i)})))},e.fn.trigger=function(t,n){return(t=o(t)||e.isPlainObject(t)?e.Event(t):S(t))._args=n,this.each((function(){t.type in l&&"function"==typeof this[t.type]?this[t.type]():"dispatchEvent"in this?this.dispatchEvent(t):e(this).triggerHandler(t,n)}))},e.fn.triggerHandler=function(t,n){var i,s;return this.each((function(r,a){(i=E(o(t)?e.Event(t):t))._args=n,i.target=a,e.each(f(a,t.type||t),(function(t,e){if(s=e.proxy(i),i.isImmediatePropagationStopped())return!1}))})),s},"focusin focusout focus blur load resize scroll unload click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select keydown keypress keyup error".split(" ").forEach((function(t){e.fn[t]=function(e){return 0 in arguments?this.bind(t,e):this.trigger(t)}})),e.Event=function(t,e){o(t)||(t=(e=t).type);var n=document.createEvent(u[t]||"Events"),i=!0;if(e)for(var s in e)"bubbles"==s?i=!!e[s]:n[s]=e[s];return n.initEvent(t,i,!0),S(n)}}(i),n=[],i.fn.remove=function(){return this.each((function(){this.parentNode&&("IMG"===this.tagName&&(n.push(this),this.src="data:image/gif;base64,R0lGODlhAQABAAD/ACwAAAAAAQABAAACADs=",e&&clearTimeout(e),e=setTimeout((function(){n=[]}),6e4)),this.parentNode.removeChild(this))}))},function(t){var e={},n=t.fn.data,i=t.camelCase,s=t.expando="Zepto"+ +new Date,r=[];function o(r,o){var u=r[s],c=u&&e[u];if(void 0===o)return c||a(r);if(c){if(o in c)return c[o];var l=i(o);if(l in c)return c[l]}return n.call(t(r),o)}function a(n,r,o){var a=n[s]||(n[s]=++t.uuid),c=e[a]||(e[a]=u(n));return void 0!==r&&(c[i(r)]=o),c}function u(e){var n={};return t.each(e.attributes||r,(function(e,s){0==s.name.indexOf("data-")&&(n[i(s.name.replace("data-",""))]=t.zepto.deserializeValue(s.value))})),n}t.fn.data=function(e,n){return void 0===n?t.isPlainObject(e)?this.each((function(n,i){t.each(e,(function(t,e){a(i,t,e)}))})):0 in this?o(this[0],e):void 0:this.each((function(){a(this,e,n)}))},t.data=function(e,n,i){return t(e).data(n,i)},t.hasData=function(n){var i=n[s],r=i&&e[i];return!!r&&!t.isEmptyObject(r)},t.fn.removeData=function(n){return"string"==typeof n&&(n=n.split(/\s+/)),this.each((function(){var r=this[s],o=r&&e[r];o&&t.each(n||o,(function(t){delete o[n?i(this):t]}))}))},["remove","empty"].forEach((function(e){var n=t.fn[e];t.fn[e]=function(){var t=this.find("*");return"remove"===e&&(t=t.add(this)),t.removeData(),n.call(this)}}))}(i),i}(e)},8820:t=>{"use strict";var e={}.hasOwnProperty,n=/[ -,\.\/:-@\[-\^`\{-~]/,i=/[ -,\.\/:-@\[\]\^`\{-~]/,s=/(^|\\+)?(\\[A-F0-9]{1,6})\x20(?![a-fA-F0-9\x20])/g,r=function t(r,o){"single"!=(o=function(t,n){if(!t)return n;var i={};for(var s in n)i[s]=e.call(t,s)?t[s]:n[s];return i}(o,t.options)).quotes&&"double"!=o.quotes&&(o.quotes="single");for(var a="double"==o.quotes?'"':"'",u=o.isIdentifier,c=r.charAt(0),l="",h=0,p=r.length;h<p;){var f=r.charAt(h++),d=f.charCodeAt(),g=void 0;if(d<32||d>126){if(d>=55296&&d<=56319&&h<p){var m=r.charCodeAt(h++);56320==(64512&m)?d=((1023&d)<<10)+(1023&m)+65536:h--}g="\\"+d.toString(16).toUpperCase()+" "}else g=o.escapeEverything?n.test(f)?"\\"+f:"\\"+d.toString(16).toUpperCase()+" ":/[\t\n\f\r\x0B]/.test(f)?"\\"+d.toString(16).toUpperCase()+" ":"\\"==f||!u&&('"'==f&&a==f||"'"==f&&a==f)||u&&i.test(f)?"\\"+f:f;l+=g}return u&&(/^-[-\d]/.test(l)?l="\\-"+l.slice(1):/\d/.test(c)&&(l="\\3"+c+" "+l.slice(1))),l=l.replace(s,(function(t,e,n){return e&&e.length%2?t:(e||"")+n})),!u&&o.wrap?a+l+a:l};r.options={escapeEverything:!1,isIdentifier:!1,quotes:"single",wrap:!1},r.version="3.0.0",t.exports=r},624:(t,e,n)=>{"use strict";var i,s,r,o=[n(5525),n(4785),n(8291),n(2709),n(2506),n(9176)],a=-1,u=[],c=!1;function l(){i&&s&&(i=!1,s.length?u=s.concat(u):a=-1,u.length&&h())}function h(){if(!i){c=!1,i=!0;for(var t=u.length,e=setTimeout(l);t;){for(s=u,u=[];s&&++a<t;)s[a].run();a=-1,t=u.length}s=null,a=-1,i=!1,clearTimeout(e)}}for(var p=-1,f=o.length;++p<f;)if(o[p]&&o[p].test&&o[p].test()){r=o[p].install(h);break}function d(t,e){this.fun=t,this.array=e}d.prototype.run=function(){var t=this.fun,e=this.array;switch(e.length){case 0:return t();case 1:return t(e[0]);case 2:return t(e[0],e[1]);case 3:return t(e[0],e[1],e[2]);default:return t.apply(null,e)}},t.exports=function(t){var e=new Array(arguments.length-1);if(arguments.length>1)for(var n=1;n<arguments.length;n++)e[n-1]=arguments[n];u.push(new d(t,e)),c||i||(c=!0,r())}},2709:(t,e,n)=>{"use strict";e.test=function(){return!n.g.setImmediate&&void 0!==n.g.MessageChannel},e.install=function(t){var e=new n.g.MessageChannel;return e.port1.onmessage=t,function(){e.port2.postMessage(0)}}},8291:(t,e,n)=>{"use strict";var i=n.g.MutationObserver||n.g.WebKitMutationObserver;e.test=function(){return i},e.install=function(t){var e=0,s=new i(t),r=n.g.document.createTextNode("");return s.observe(r,{characterData:!0}),function(){r.data=e=++e%2}}},4785:(t,e,n)=>{"use strict";e.test=function(){return"function"==typeof n.g.queueMicrotask},e.install=function(t){return function(){n.g.queueMicrotask(t)}}},2506:(t,e,n)=>{"use strict";e.test=function(){return"document"in n.g&&"onreadystatechange"in n.g.document.createElement("script")},e.install=function(t){return function(){var e=n.g.document.createElement("script");return e.onreadystatechange=function(){t(),e.onreadystatechange=null,e.parentNode.removeChild(e),e=null},n.g.document.documentElement.appendChild(e),t}}},9176:(t,e)=>{"use strict";e.test=function(){return!0},e.install=function(t){return function(){setTimeout(t,0)}}}}]); \ No newline at end of file +/*! For license information please see 8443.a5d9c459.js.LICENSE.txt */ +(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[8443],{8443:(t,e,n)=>{"use strict";t.exports=n(295)},1228:(t,e,n)=>{"use strict";var i=n(2856),s={wrapper:{position:"relative",display:"inline-block"},hint:{position:"absolute",top:"0",left:"0",borderColor:"transparent",boxShadow:"none",opacity:"1"},input:{position:"relative",verticalAlign:"top",backgroundColor:"transparent"},inputWithNoHint:{position:"relative",verticalAlign:"top"},dropdown:{position:"absolute",top:"100%",left:"0",zIndex:"100",display:"none"},suggestions:{display:"block"},suggestion:{whiteSpace:"nowrap",cursor:"pointer"},suggestionChild:{whiteSpace:"normal"},ltr:{left:"0",right:"auto"},rtl:{left:"auto",right:"0"},defaultClasses:{root:"algolia-autocomplete",prefix:"aa",noPrefix:!1,dropdownMenu:"dropdown-menu",input:"input",hint:"hint",suggestions:"suggestions",suggestion:"suggestion",cursor:"cursor",dataset:"dataset",empty:"empty"},appendTo:{wrapper:{position:"absolute",zIndex:"100",display:"none"},input:{},inputWithNoHint:{},dropdown:{display:"block"}}};i.isMsie()&&i.mixin(s.input,{backgroundImage:"url(data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)"}),i.isMsie()&&i.isMsie()<=7&&i.mixin(s.input,{marginTop:"-1px"}),t.exports=s},9050:(t,e,n)=>{"use strict";var i="aaDataset",s="aaValue",r="aaDatum",o=n(2856),a=n(4910),u=n(3561),c=n(1228),l=n(3109);function h(t){var e;(t=t||{}).templates=t.templates||{},t.source||o.error("missing source"),t.name&&(e=t.name,!/^[_a-zA-Z0-9-]+$/.test(e))&&o.error("invalid dataset name: "+t.name),this.query=null,this._isEmpty=!0,this.highlight=!!t.highlight,this.name=void 0===t.name||null===t.name?o.getUniqueId():t.name,this.source=t.source,this.displayFn=function(t){return t=t||"value",o.isFunction(t)?t:e;function e(e){return e[t]}}(t.display||t.displayKey),this.debounce=t.debounce,this.cache=!1!==t.cache,this.templates=function(t,e){return{empty:t.empty&&o.templatify(t.empty),header:t.header&&o.templatify(t.header),footer:t.footer&&o.templatify(t.footer),suggestion:t.suggestion||n};function n(t){return"<p>"+e(t)+"</p>"}}(t.templates,this.displayFn),this.css=o.mixin({},c,t.appendTo?c.appendTo:{}),this.cssClasses=t.cssClasses=o.mixin({},c.defaultClasses,t.cssClasses||{}),this.cssClasses.prefix=t.cssClasses.formattedPrefix||o.formatPrefix(this.cssClasses.prefix,this.cssClasses.noPrefix);var n=o.className(this.cssClasses.prefix,this.cssClasses.dataset);this.$el=t.$menu&&t.$menu.find(n+"-"+this.name).length>0?a.element(t.$menu.find(n+"-"+this.name)[0]):a.element(u.dataset.replace("%CLASS%",this.name).replace("%PREFIX%",this.cssClasses.prefix).replace("%DATASET%",this.cssClasses.dataset)),this.$menu=t.$menu,this.clearCachedSuggestions()}h.extractDatasetName=function(t){return a.element(t).data(i)},h.extractValue=function(t){return a.element(t).data(s)},h.extractDatum=function(t){var e=a.element(t).data(r);return"string"==typeof e&&(e=JSON.parse(e)),e},o.mixin(h.prototype,l,{_render:function(t,e){if(this.$el){var n,c=this,l=[].slice.call(arguments,2);if(this.$el.empty(),n=e&&e.length,this._isEmpty=!n,!n&&this.templates.empty)this.$el.html(function(){var e=[].slice.call(arguments,0);return e=[{query:t,isEmpty:!0}].concat(e),c.templates.empty.apply(this,e)}.apply(this,l)).prepend(c.templates.header?h.apply(this,l):null).append(c.templates.footer?p.apply(this,l):null);else if(n)this.$el.html(function(){var t,n,l=[].slice.call(arguments,0),h=this,p=u.suggestions.replace("%PREFIX%",this.cssClasses.prefix).replace("%SUGGESTIONS%",this.cssClasses.suggestions);return t=a.element(p).css(this.css.suggestions),n=o.map(e,f),t.append.apply(t,n),t;function f(t){var e,n=u.suggestion.replace("%PREFIX%",h.cssClasses.prefix).replace("%SUGGESTION%",h.cssClasses.suggestion);return(e=a.element(n).attr({role:"option",id:["option",Math.floor(1e8*Math.random())].join("-")}).append(c.templates.suggestion.apply(this,[t].concat(l)))).data(i,c.name),e.data(s,c.displayFn(t)||void 0),e.data(r,JSON.stringify(t)),e.children().each((function(){a.element(this).css(h.css.suggestionChild)})),e}}.apply(this,l)).prepend(c.templates.header?h.apply(this,l):null).append(c.templates.footer?p.apply(this,l):null);else if(e&&!Array.isArray(e))throw new TypeError("suggestions must be an array");this.$menu&&this.$menu.addClass(this.cssClasses.prefix+(n?"with":"without")+"-"+this.name).removeClass(this.cssClasses.prefix+(n?"without":"with")+"-"+this.name),this.trigger("rendered",t)}function h(){var e=[].slice.call(arguments,0);return e=[{query:t,isEmpty:!n}].concat(e),c.templates.header.apply(this,e)}function p(){var e=[].slice.call(arguments,0);return e=[{query:t,isEmpty:!n}].concat(e),c.templates.footer.apply(this,e)}},getRoot:function(){return this.$el},update:function(t){function e(e){if(!this.canceled&&t===this.query){var n=[].slice.call(arguments,1);this.cacheSuggestions(t,e,n),this._render.apply(this,[t,e].concat(n))}}if(this.query=t,this.canceled=!1,this.shouldFetchFromCache(t))e.apply(this,[this.cachedSuggestions].concat(this.cachedRenderExtraArgs));else{var n=this,i=function(){n.canceled||n.source(t,e.bind(n))};if(this.debounce){clearTimeout(this.debounceTimeout),this.debounceTimeout=setTimeout((function(){n.debounceTimeout=null,i()}),this.debounce)}else i()}},cacheSuggestions:function(t,e,n){this.cachedQuery=t,this.cachedSuggestions=e,this.cachedRenderExtraArgs=n},shouldFetchFromCache:function(t){return this.cache&&this.cachedQuery===t&&this.cachedSuggestions&&this.cachedSuggestions.length},clearCachedSuggestions:function(){delete this.cachedQuery,delete this.cachedSuggestions,delete this.cachedRenderExtraArgs},cancel:function(){this.canceled=!0},clear:function(){this.$el&&(this.cancel(),this.$el.empty(),this.trigger("rendered",""))},isEmpty:function(){return this._isEmpty},destroy:function(){this.clearCachedSuggestions(),this.$el=null}}),t.exports=h},2407:(t,e,n)=>{"use strict";var i=n(2856),s=n(4910),r=n(3109),o=n(9050),a=n(1228);function u(t){var e,n,r,o=this;(t=t||{}).menu||i.error("menu is required"),i.isArray(t.datasets)||i.isObject(t.datasets)||i.error("1 or more datasets required"),t.datasets||i.error("datasets is required"),this.isOpen=!1,this.isEmpty=!0,this.minLength=t.minLength||0,this.templates={},this.appendTo=t.appendTo||!1,this.css=i.mixin({},a,t.appendTo?a.appendTo:{}),this.cssClasses=t.cssClasses=i.mixin({},a.defaultClasses,t.cssClasses||{}),this.cssClasses.prefix=t.cssClasses.formattedPrefix||i.formatPrefix(this.cssClasses.prefix,this.cssClasses.noPrefix),e=i.bind(this._onSuggestionClick,this),n=i.bind(this._onSuggestionMouseEnter,this),r=i.bind(this._onSuggestionMouseLeave,this);var c=i.className(this.cssClasses.prefix,this.cssClasses.suggestion);this.$menu=s.element(t.menu).on("mouseenter.aa",c,n).on("mouseleave.aa",c,r).on("click.aa",c,e),this.$container=t.appendTo?t.wrapper:this.$menu,t.templates&&t.templates.header&&(this.templates.header=i.templatify(t.templates.header),this.$menu.prepend(this.templates.header())),t.templates&&t.templates.empty&&(this.templates.empty=i.templatify(t.templates.empty),this.$empty=s.element('<div class="'+i.className(this.cssClasses.prefix,this.cssClasses.empty,!0)+'"></div>'),this.$menu.append(this.$empty),this.$empty.hide()),this.datasets=i.map(t.datasets,(function(e){return function(t,e,n){return new u.Dataset(i.mixin({$menu:t,cssClasses:n},e))}(o.$menu,e,t.cssClasses)})),i.each(this.datasets,(function(t){var e=t.getRoot();e&&0===e.parent().length&&o.$menu.append(e),t.onSync("rendered",o._onRendered,o)})),t.templates&&t.templates.footer&&(this.templates.footer=i.templatify(t.templates.footer),this.$menu.append(this.templates.footer()));var l=this;s.element(window).resize((function(){l._redraw()}))}i.mixin(u.prototype,r,{_onSuggestionClick:function(t){this.trigger("suggestionClicked",s.element(t.currentTarget))},_onSuggestionMouseEnter:function(t){var e=s.element(t.currentTarget);if(!e.hasClass(i.className(this.cssClasses.prefix,this.cssClasses.cursor,!0))){this._removeCursor();var n=this;setTimeout((function(){n._setCursor(e,!1)}),0)}},_onSuggestionMouseLeave:function(t){if(t.relatedTarget&&s.element(t.relatedTarget).closest("."+i.className(this.cssClasses.prefix,this.cssClasses.cursor,!0)).length>0)return;this._removeCursor(),this.trigger("cursorRemoved")},_onRendered:function(t,e){if(this.isEmpty=i.every(this.datasets,(function(t){return t.isEmpty()})),this.isEmpty)if(e.length>=this.minLength&&this.trigger("empty"),this.$empty)if(e.length<this.minLength)this._hide();else{var n=this.templates.empty({query:this.datasets[0]&&this.datasets[0].query});this.$empty.html(n),this.$empty.show(),this._show()}else i.any(this.datasets,(function(t){return t.templates&&t.templates.empty}))?e.length<this.minLength?this._hide():this._show():this._hide();else this.isOpen&&(this.$empty&&(this.$empty.empty(),this.$empty.hide()),e.length>=this.minLength?this._show():this._hide());this.trigger("datasetRendered")},_hide:function(){this.$container.hide()},_show:function(){this.$container.css("display","block"),this._redraw(),this.trigger("shown")},_redraw:function(){this.isOpen&&this.appendTo&&this.trigger("redrawn")},_getSuggestions:function(){return this.$menu.find(i.className(this.cssClasses.prefix,this.cssClasses.suggestion))},_getCursor:function(){return this.$menu.find(i.className(this.cssClasses.prefix,this.cssClasses.cursor)).first()},_setCursor:function(t,e){t.first().addClass(i.className(this.cssClasses.prefix,this.cssClasses.cursor,!0)).attr("aria-selected","true"),this.trigger("cursorMoved",e)},_removeCursor:function(){this._getCursor().removeClass(i.className(this.cssClasses.prefix,this.cssClasses.cursor,!0)).removeAttr("aria-selected")},_moveCursor:function(t){var e,n,i,s;this.isOpen&&(n=this._getCursor(),e=this._getSuggestions(),this._removeCursor(),-1!==(i=((i=e.index(n)+t)+1)%(e.length+1)-1)?(i<-1&&(i=e.length-1),this._setCursor(s=e.eq(i),!0),this._ensureVisible(s)):this.trigger("cursorRemoved"))},_ensureVisible:function(t){var e,n,i,s;n=(e=t.position().top)+t.height()+parseInt(t.css("margin-top"),10)+parseInt(t.css("margin-bottom"),10),i=this.$menu.scrollTop(),s=this.$menu.height()+parseInt(this.$menu.css("padding-top"),10)+parseInt(this.$menu.css("padding-bottom"),10),e<0?this.$menu.scrollTop(i+e):s<n&&this.$menu.scrollTop(i+(n-s))},close:function(){this.isOpen&&(this.isOpen=!1,this._removeCursor(),this._hide(),this.trigger("closed"))},open:function(){this.isOpen||(this.isOpen=!0,this.isEmpty||this._show(),this.trigger("opened"))},setLanguageDirection:function(t){this.$menu.css("ltr"===t?this.css.ltr:this.css.rtl)},moveCursorUp:function(){this._moveCursor(-1)},moveCursorDown:function(){this._moveCursor(1)},getDatumForSuggestion:function(t){var e=null;return t.length&&(e={raw:o.extractDatum(t),value:o.extractValue(t),datasetName:o.extractDatasetName(t)}),e},getCurrentCursor:function(){return this._getCursor().first()},getDatumForCursor:function(){return this.getDatumForSuggestion(this._getCursor().first())},getDatumForTopSuggestion:function(){return this.getDatumForSuggestion(this._getSuggestions().first())},cursorTopSuggestion:function(){this._setCursor(this._getSuggestions().first(),!1)},update:function(t){i.each(this.datasets,(function(e){e.update(t)}))},empty:function(){i.each(this.datasets,(function(t){t.clear()})),this.isEmpty=!0},isVisible:function(){return this.isOpen&&!this.isEmpty},destroy:function(){this.$menu.off(".aa"),this.$menu=null,i.each(this.datasets,(function(t){t.destroy()}))}}),u.Dataset=o,t.exports=u},50:(t,e,n)=>{"use strict";var i=n(2856),s=n(4910);function r(t){t&&t.el||i.error("EventBus initialized without el"),this.$el=s.element(t.el)}i.mixin(r.prototype,{trigger:function(t,e,n,s){var r=i.Event("autocomplete:"+t);return this.$el.trigger(r,[e,n,s]),r}}),t.exports=r},3109:(t,e,n)=>{"use strict";var i=n(624),s=/\s+/;function r(t,e,n,i){var r;if(!n)return this;for(e=e.split(s),n=i?function(t,e){return t.bind?t.bind(e):function(){t.apply(e,[].slice.call(arguments,0))}}(n,i):n,this._callbacks=this._callbacks||{};r=e.shift();)this._callbacks[r]=this._callbacks[r]||{sync:[],async:[]},this._callbacks[r][t].push(n);return this}function o(t,e,n){return function(){for(var i,s=0,r=t.length;!i&&s<r;s+=1)i=!1===t[s].apply(e,n);return!i}}t.exports={onSync:function(t,e,n){return r.call(this,"sync",t,e,n)},onAsync:function(t,e,n){return r.call(this,"async",t,e,n)},off:function(t){var e;if(!this._callbacks)return this;t=t.split(s);for(;e=t.shift();)delete this._callbacks[e];return this},trigger:function(t){var e,n,r,a,u;if(!this._callbacks)return this;t=t.split(s),r=[].slice.call(arguments,1);for(;(e=t.shift())&&(n=this._callbacks[e]);)a=o(n.sync,this,[e].concat(r)),u=o(n.async,this,[e].concat(r)),a()&&i(u);return this}}},3561:t=>{"use strict";t.exports={wrapper:'<span class="%ROOT%"></span>',dropdown:'<span class="%PREFIX%%DROPDOWN_MENU%"></span>',dataset:'<div class="%PREFIX%%DATASET%-%CLASS%"></div>',suggestions:'<span class="%PREFIX%%SUGGESTIONS%"></span>',suggestion:'<div class="%PREFIX%%SUGGESTION%"></div>'}},2534:(t,e,n)=>{"use strict";var i;i={9:"tab",27:"esc",37:"left",39:"right",13:"enter",38:"up",40:"down"};var s=n(2856),r=n(4910),o=n(3109);function a(t){var e,n,o,a,u,c=this;(t=t||{}).input||s.error("input is missing"),e=s.bind(this._onBlur,this),n=s.bind(this._onFocus,this),o=s.bind(this._onKeydown,this),a=s.bind(this._onInput,this),this.$hint=r.element(t.hint),this.$input=r.element(t.input).on("blur.aa",e).on("focus.aa",n).on("keydown.aa",o),0===this.$hint.length&&(this.setHint=this.getHint=this.clearHint=this.clearHintIfInvalid=s.noop),s.isMsie()?this.$input.on("keydown.aa keypress.aa cut.aa paste.aa",(function(t){i[t.which||t.keyCode]||s.defer(s.bind(c._onInput,c,t))})):this.$input.on("input.aa",a),this.query=this.$input.val(),this.$overflowHelper=(u=this.$input,r.element('<pre aria-hidden="true"></pre>').css({position:"absolute",visibility:"hidden",whiteSpace:"pre",fontFamily:u.css("font-family"),fontSize:u.css("font-size"),fontStyle:u.css("font-style"),fontVariant:u.css("font-variant"),fontWeight:u.css("font-weight"),wordSpacing:u.css("word-spacing"),letterSpacing:u.css("letter-spacing"),textIndent:u.css("text-indent"),textRendering:u.css("text-rendering"),textTransform:u.css("text-transform")}).insertAfter(u))}function u(t){return t.altKey||t.ctrlKey||t.metaKey||t.shiftKey}a.normalizeQuery=function(t){return(t||"").replace(/^\s*/g,"").replace(/\s{2,}/g," ")},s.mixin(a.prototype,o,{_onBlur:function(){this.resetInputValue(),this.$input.removeAttr("aria-activedescendant"),this.trigger("blurred")},_onFocus:function(){this.trigger("focused")},_onKeydown:function(t){var e=i[t.which||t.keyCode];this._managePreventDefault(e,t),e&&this._shouldTrigger(e,t)&&this.trigger(e+"Keyed",t)},_onInput:function(){this._checkInputValue()},_managePreventDefault:function(t,e){var n,i,s;switch(t){case"tab":i=this.getHint(),s=this.getInputValue(),n=i&&i!==s&&!u(e);break;case"up":case"down":n=!u(e);break;default:n=!1}n&&e.preventDefault()},_shouldTrigger:function(t,e){var n;if("tab"===t)n=!u(e);else n=!0;return n},_checkInputValue:function(){var t,e,n,i,s;t=this.getInputValue(),i=t,s=this.query,n=!(!(e=a.normalizeQuery(i)===a.normalizeQuery(s))||!this.query)&&this.query.length!==t.length,this.query=t,e?n&&this.trigger("whitespaceChanged",this.query):this.trigger("queryChanged",this.query)},focus:function(){this.$input.focus()},blur:function(){this.$input.blur()},getQuery:function(){return this.query},setQuery:function(t){this.query=t},getInputValue:function(){return this.$input.val()},setInputValue:function(t,e){void 0===t&&(t=this.query),this.$input.val(t),e?this.clearHint():this._checkInputValue()},expand:function(){this.$input.attr("aria-expanded","true")},collapse:function(){this.$input.attr("aria-expanded","false")},setActiveDescendant:function(t){this.$input.attr("aria-activedescendant",t)},removeActiveDescendant:function(){this.$input.removeAttr("aria-activedescendant")},resetInputValue:function(){this.setInputValue(this.query,!0)},getHint:function(){return this.$hint.val()},setHint:function(t){this.$hint.val(t)},clearHint:function(){this.setHint("")},clearHintIfInvalid:function(){var t,e,n;n=(t=this.getInputValue())!==(e=this.getHint())&&0===e.indexOf(t),""!==t&&n&&!this.hasOverflow()||this.clearHint()},getLanguageDirection:function(){return(this.$input.css("direction")||"ltr").toLowerCase()},hasOverflow:function(){var t=this.$input.width()-2;return this.$overflowHelper.text(this.getInputValue()),this.$overflowHelper.width()>=t},isCursorAtEnd:function(){var t,e,n;return t=this.$input.val().length,e=this.$input[0].selectionStart,s.isNumber(e)?e===t:!document.selection||((n=document.selection.createRange()).moveStart("character",-t),t===n.text.length)},destroy:function(){this.$hint.off(".aa"),this.$input.off(".aa"),this.$hint=this.$input=this.$overflowHelper=null}}),t.exports=a},6549:(t,e,n)=>{"use strict";var i="aaAttrs",s=n(2856),r=n(4910),o=n(50),a=n(2534),u=n(2407),c=n(3561),l=n(1228);function h(t){var e,n;if((t=t||{}).input||s.error("missing input"),this.isActivated=!1,this.debug=!!t.debug,this.autoselect=!!t.autoselect,this.autoselectOnBlur=!!t.autoselectOnBlur,this.openOnFocus=!!t.openOnFocus,this.minLength=s.isNumber(t.minLength)?t.minLength:1,this.autoWidth=void 0===t.autoWidth||!!t.autoWidth,this.clearOnSelected=!!t.clearOnSelected,this.tabAutocomplete=void 0===t.tabAutocomplete||!!t.tabAutocomplete,t.hint=!!t.hint,t.hint&&t.appendTo)throw new Error("[autocomplete.js] hint and appendTo options can't be used at the same time");this.css=t.css=s.mixin({},l,t.appendTo?l.appendTo:{}),this.cssClasses=t.cssClasses=s.mixin({},l.defaultClasses,t.cssClasses||{}),this.cssClasses.prefix=t.cssClasses.formattedPrefix=s.formatPrefix(this.cssClasses.prefix,this.cssClasses.noPrefix),this.listboxId=t.listboxId=[this.cssClasses.root,"listbox",s.getUniqueId()].join("-");var a=function(t){var e,n,o,a;e=r.element(t.input),n=r.element(c.wrapper.replace("%ROOT%",t.cssClasses.root)).css(t.css.wrapper),t.appendTo||"block"!==e.css("display")||"table"!==e.parent().css("display")||n.css("display","table-cell");var u=c.dropdown.replace("%PREFIX%",t.cssClasses.prefix).replace("%DROPDOWN_MENU%",t.cssClasses.dropdownMenu);o=r.element(u).css(t.css.dropdown).attr({role:"listbox",id:t.listboxId}),t.templates&&t.templates.dropdownMenu&&o.html(s.templatify(t.templates.dropdownMenu)());a=e.clone().css(t.css.hint).css(function(t){return{backgroundAttachment:t.css("background-attachment"),backgroundClip:t.css("background-clip"),backgroundColor:t.css("background-color"),backgroundImage:t.css("background-image"),backgroundOrigin:t.css("background-origin"),backgroundPosition:t.css("background-position"),backgroundRepeat:t.css("background-repeat"),backgroundSize:t.css("background-size")}}(e)),a.val("").addClass(s.className(t.cssClasses.prefix,t.cssClasses.hint,!0)).removeAttr("id name placeholder required").prop("readonly",!0).attr({"aria-hidden":"true",autocomplete:"off",spellcheck:"false",tabindex:-1}),a.removeData&&a.removeData();e.data(i,{"aria-autocomplete":e.attr("aria-autocomplete"),"aria-expanded":e.attr("aria-expanded"),"aria-owns":e.attr("aria-owns"),autocomplete:e.attr("autocomplete"),dir:e.attr("dir"),role:e.attr("role"),spellcheck:e.attr("spellcheck"),style:e.attr("style"),type:e.attr("type")}),e.addClass(s.className(t.cssClasses.prefix,t.cssClasses.input,!0)).attr({autocomplete:"off",spellcheck:!1,role:"combobox","aria-autocomplete":t.datasets&&t.datasets[0]&&t.datasets[0].displayKey?"both":"list","aria-expanded":"false","aria-label":t.ariaLabel,"aria-owns":t.listboxId}).css(t.hint?t.css.input:t.css.inputWithNoHint);try{e.attr("dir")||e.attr("dir","auto")}catch(l){}return n=t.appendTo?n.appendTo(r.element(t.appendTo).eq(0)).eq(0):e.wrap(n).parent(),n.prepend(t.hint?a:null).append(o),{wrapper:n,input:e,hint:a,menu:o}}(t);this.$node=a.wrapper;var u=this.$input=a.input;e=a.menu,n=a.hint,t.dropdownMenuContainer&&r.element(t.dropdownMenuContainer).css("position","relative").append(e.css("top","0")),u.on("blur.aa",(function(t){var n=document.activeElement;s.isMsie()&&(e[0]===n||e[0].contains(n))&&(t.preventDefault(),t.stopImmediatePropagation(),s.defer((function(){u.focus()})))})),e.on("mousedown.aa",(function(t){t.preventDefault()})),this.eventBus=t.eventBus||new o({el:u}),this.dropdown=new h.Dropdown({appendTo:t.appendTo,wrapper:this.$node,menu:e,datasets:t.datasets,templates:t.templates,cssClasses:t.cssClasses,minLength:this.minLength}).onSync("suggestionClicked",this._onSuggestionClicked,this).onSync("cursorMoved",this._onCursorMoved,this).onSync("cursorRemoved",this._onCursorRemoved,this).onSync("opened",this._onOpened,this).onSync("closed",this._onClosed,this).onSync("shown",this._onShown,this).onSync("empty",this._onEmpty,this).onSync("redrawn",this._onRedrawn,this).onAsync("datasetRendered",this._onDatasetRendered,this),this.input=new h.Input({input:u,hint:n}).onSync("focused",this._onFocused,this).onSync("blurred",this._onBlurred,this).onSync("enterKeyed",this._onEnterKeyed,this).onSync("tabKeyed",this._onTabKeyed,this).onSync("escKeyed",this._onEscKeyed,this).onSync("upKeyed",this._onUpKeyed,this).onSync("downKeyed",this._onDownKeyed,this).onSync("leftKeyed",this._onLeftKeyed,this).onSync("rightKeyed",this._onRightKeyed,this).onSync("queryChanged",this._onQueryChanged,this).onSync("whitespaceChanged",this._onWhitespaceChanged,this),this._bindKeyboardShortcuts(t),this._setLanguageDirection()}s.mixin(h.prototype,{_bindKeyboardShortcuts:function(t){if(t.keyboardShortcuts){var e=this.$input,n=[];s.each(t.keyboardShortcuts,(function(t){"string"==typeof t&&(t=t.toUpperCase().charCodeAt(0)),n.push(t)})),r.element(document).keydown((function(t){var i=t.target||t.srcElement,s=i.tagName;if(!i.isContentEditable&&"INPUT"!==s&&"SELECT"!==s&&"TEXTAREA"!==s){var r=t.which||t.keyCode;-1!==n.indexOf(r)&&(e.focus(),t.stopPropagation(),t.preventDefault())}}))}},_onSuggestionClicked:function(t,e){var n;(n=this.dropdown.getDatumForSuggestion(e))&&this._select(n,{selectionMethod:"click"})},_onCursorMoved:function(t,e){var n=this.dropdown.getDatumForCursor(),i=this.dropdown.getCurrentCursor().attr("id");this.input.setActiveDescendant(i),n&&(e&&this.input.setInputValue(n.value,!0),this.eventBus.trigger("cursorchanged",n.raw,n.datasetName))},_onCursorRemoved:function(){this.input.resetInputValue(),this._updateHint(),this.eventBus.trigger("cursorremoved")},_onDatasetRendered:function(){this._updateHint(),this.eventBus.trigger("updated")},_onOpened:function(){this._updateHint(),this.input.expand(),this.eventBus.trigger("opened")},_onEmpty:function(){this.eventBus.trigger("empty")},_onRedrawn:function(){this.$node.css("top","0px"),this.$node.css("left","0px");var t=this.$input[0].getBoundingClientRect();this.autoWidth&&this.$node.css("width",t.width+"px");var e=this.$node[0].getBoundingClientRect(),n=t.bottom-e.top;this.$node.css("top",n+"px");var i=t.left-e.left;this.$node.css("left",i+"px"),this.eventBus.trigger("redrawn")},_onShown:function(){this.eventBus.trigger("shown"),this.autoselect&&this.dropdown.cursorTopSuggestion()},_onClosed:function(){this.input.clearHint(),this.input.removeActiveDescendant(),this.input.collapse(),this.eventBus.trigger("closed")},_onFocused:function(){if(this.isActivated=!0,this.openOnFocus){var t=this.input.getQuery();t.length>=this.minLength?this.dropdown.update(t):this.dropdown.empty(),this.dropdown.open()}},_onBlurred:function(){var t,e;t=this.dropdown.getDatumForCursor(),e=this.dropdown.getDatumForTopSuggestion();var n={selectionMethod:"blur"};this.debug||(this.autoselectOnBlur&&t?this._select(t,n):this.autoselectOnBlur&&e?this._select(e,n):(this.isActivated=!1,this.dropdown.empty(),this.dropdown.close()))},_onEnterKeyed:function(t,e){var n,i;n=this.dropdown.getDatumForCursor(),i=this.dropdown.getDatumForTopSuggestion();var s={selectionMethod:"enterKey"};n?(this._select(n,s),e.preventDefault()):this.autoselect&&i&&(this._select(i,s),e.preventDefault())},_onTabKeyed:function(t,e){if(this.tabAutocomplete){var n;(n=this.dropdown.getDatumForCursor())?(this._select(n,{selectionMethod:"tabKey"}),e.preventDefault()):this._autocomplete(!0)}else this.dropdown.close()},_onEscKeyed:function(){this.dropdown.close(),this.input.resetInputValue()},_onUpKeyed:function(){var t=this.input.getQuery();this.dropdown.isEmpty&&t.length>=this.minLength?this.dropdown.update(t):this.dropdown.moveCursorUp(),this.dropdown.open()},_onDownKeyed:function(){var t=this.input.getQuery();this.dropdown.isEmpty&&t.length>=this.minLength?this.dropdown.update(t):this.dropdown.moveCursorDown(),this.dropdown.open()},_onLeftKeyed:function(){"rtl"===this.dir&&this._autocomplete()},_onRightKeyed:function(){"ltr"===this.dir&&this._autocomplete()},_onQueryChanged:function(t,e){this.input.clearHintIfInvalid(),e.length>=this.minLength?this.dropdown.update(e):this.dropdown.empty(),this.dropdown.open(),this._setLanguageDirection()},_onWhitespaceChanged:function(){this._updateHint(),this.dropdown.open()},_setLanguageDirection:function(){var t=this.input.getLanguageDirection();this.dir!==t&&(this.dir=t,this.$node.css("direction",t),this.dropdown.setLanguageDirection(t))},_updateHint:function(){var t,e,n,i,r;(t=this.dropdown.getDatumForTopSuggestion())&&this.dropdown.isVisible()&&!this.input.hasOverflow()?(e=this.input.getInputValue(),n=a.normalizeQuery(e),i=s.escapeRegExChars(n),(r=new RegExp("^(?:"+i+")(.+$)","i").exec(t.value))?this.input.setHint(e+r[1]):this.input.clearHint()):this.input.clearHint()},_autocomplete:function(t){var e,n,i,s;e=this.input.getHint(),n=this.input.getQuery(),i=t||this.input.isCursorAtEnd(),e&&n!==e&&i&&((s=this.dropdown.getDatumForTopSuggestion())&&this.input.setInputValue(s.value),this.eventBus.trigger("autocompleted",s.raw,s.datasetName))},_select:function(t,e){void 0!==t.value&&this.input.setQuery(t.value),this.clearOnSelected?this.setVal(""):this.input.setInputValue(t.value,!0),this._setLanguageDirection(),!1===this.eventBus.trigger("selected",t.raw,t.datasetName,e).isDefaultPrevented()&&(this.dropdown.close(),s.defer(s.bind(this.dropdown.empty,this.dropdown)))},open:function(){if(!this.isActivated){var t=this.input.getInputValue();t.length>=this.minLength?this.dropdown.update(t):this.dropdown.empty()}this.dropdown.open()},close:function(){this.dropdown.close()},setVal:function(t){t=s.toStr(t),this.isActivated?this.input.setInputValue(t):(this.input.setQuery(t),this.input.setInputValue(t,!0)),this._setLanguageDirection()},getVal:function(){return this.input.getQuery()},destroy:function(){this.input.destroy(),this.dropdown.destroy(),function(t,e){var n=t.find(s.className(e.prefix,e.input));s.each(n.data(i),(function(t,e){void 0===t?n.removeAttr(e):n.attr(e,t)})),n.detach().removeClass(s.className(e.prefix,e.input,!0)).insertAfter(t),n.removeData&&n.removeData(i);t.remove()}(this.$node,this.cssClasses),this.$node=null},getWrapper:function(){return this.dropdown.$container[0]}}),h.Dropdown=u,h.Input=a,h.sources=n(8840),t.exports=h},4910:t=>{"use strict";t.exports={element:null}},6177:t=>{"use strict";t.exports=function(t){var e=t.match(/Algolia for JavaScript \((\d+\.)(\d+\.)(\d+)\)/)||t.match(/Algolia for vanilla JavaScript (\d+\.)(\d+\.)(\d+)/);if(e)return[e[1],e[2],e[3]]}},2856:(t,e,n)=>{"use strict";var i,s=n(8820),r=n(4910);function o(t){return t.replace(/[\-\[\]\/\{\}\(\)\*\+\?\.\\\^\$\|]/g,"\\$&")}t.exports={isArray:null,isFunction:null,isObject:null,bind:null,each:null,map:null,mixin:null,isMsie:function(t){if(void 0===t&&(t=navigator.userAgent),/(msie|trident)/i.test(t)){var e=t.match(/(msie |rv:)(\d+(.\d+)?)/i);if(e)return e[2]}return!1},escapeRegExChars:function(t){return t.replace(/[\-\[\]\/\{\}\(\)\*\+\?\.\\\^\$\|]/g,"\\$&")},isNumber:function(t){return"number"==typeof t},toStr:function(t){return null==t?"":t+""},cloneDeep:function(t){var e=this.mixin({},t),n=this;return this.each(e,(function(t,i){t&&(n.isArray(t)?e[i]=[].concat(t):n.isObject(t)&&(e[i]=n.cloneDeep(t)))})),e},error:function(t){throw new Error(t)},every:function(t,e){var n=!0;return t?(this.each(t,(function(i,s){n&&(n=e.call(null,i,s,t)&&n)})),!!n):n},any:function(t,e){var n=!1;return t?(this.each(t,(function(i,s){if(e.call(null,i,s,t))return n=!0,!1})),n):n},getUniqueId:(i=0,function(){return i++}),templatify:function(t){if(this.isFunction(t))return t;var e=r.element(t);return"SCRIPT"===e.prop("tagName")?function(){return e.text()}:function(){return String(t)}},defer:function(t){setTimeout(t,0)},noop:function(){},formatPrefix:function(t,e){return e?"":t+"-"},className:function(t,e,n){return n?t+e:"."+s(t+e,{isIdentifier:!0})},escapeHighlightedString:function(t,e,n){e=e||"<em>";var i=document.createElement("div");i.appendChild(document.createTextNode(e)),n=n||"</em>";var s=document.createElement("div");s.appendChild(document.createTextNode(n));var r=document.createElement("div");return r.appendChild(document.createTextNode(t)),r.innerHTML.replace(RegExp(o(i.innerHTML),"g"),e).replace(RegExp(o(s.innerHTML),"g"),n)}}},9983:(t,e,n)=>{"use strict";var i=n(2856),s=n(533),r=n(6177);var o,a,u=(o=[],a=window.Promise.resolve(),function(t,e){return function(n,s){(function(t,e){return window.Promise.resolve().then((function(){return o.length&&(a=t.search(o),o=[]),a})).then((function(t){if(t)return t.results[e]}))})(t.as,o.push({indexName:t.indexName,query:n,params:e})-1).then((function(t){t&&s(t.hits,t)})).catch((function(t){i.error(t.message)}))}});t.exports=function(t,e){var n=r(t.as._ua);if(n&&n[0]>=3&&n[1]>20){var i="autocomplete.js "+s;-1===t.as._ua.indexOf(i)&&(t.as._ua+="; "+i)}return u(t,e)}},8840:(t,e,n)=>{"use strict";t.exports={hits:n(9983),popularIn:n(4445)}},4445:(t,e,n)=>{"use strict";var i=n(2856),s=n(533),r=n(6177);t.exports=function(t,e,n,o){var a=r(t.as._ua);if(a&&a[0]>=3&&a[1]>20&&((e=e||{}).additionalUA="autocomplete.js "+s),!n.source)return i.error("Missing 'source' key");var u=i.isFunction(n.source)?n.source:function(t){return t[n.source]};if(!n.index)return i.error("Missing 'index' key");var c=n.index;return o=o||{},function(a,l){t.search(a,e,(function(t,a){if(t)i.error(t.message);else{if(a.hits.length>0){var h=a.hits[0],p=i.mixin({hitsPerPage:0},n);delete p.source,delete p.index;var f=r(c.as._ua);return f&&f[0]>=3&&f[1]>20&&(e.additionalUA="autocomplete.js "+s),void c.search(u(h),p,(function(t,e){if(t)i.error(t.message);else{var n=[];if(o.includeAll){var s=o.allTitle||"All departments";n.push(i.mixin({facet:{value:s,count:e.nbHits}},i.cloneDeep(h)))}i.each(e.facets,(function(t,e){i.each(t,(function(t,s){n.push(i.mixin({facet:{facet:e,value:s,count:t}},i.cloneDeep(h)))}))}));for(var r=1;r<a.hits.length;++r)n.push(a.hits[r]);l(n,a)}}))}l([])}}))}}},295:(t,e,n)=>{"use strict";var i=n(6990);n(4910).element=i;var s=n(2856);s.isArray=i.isArray,s.isFunction=i.isFunction,s.isObject=i.isPlainObject,s.bind=i.proxy,s.each=function(t,e){i.each(t,(function(t,n){return e(n,t)}))},s.map=i.map,s.mixin=i.extend,s.Event=i.Event;var r="aaAutocomplete",o=n(6549),a=n(50);function u(t,e,n,u){n=s.isArray(n)?n:[].slice.call(arguments,2);var c=i(t).each((function(t,s){var c=i(s),l=new a({el:c}),h=u||new o({input:c,eventBus:l,dropdownMenuContainer:e.dropdownMenuContainer,hint:void 0===e.hint||!!e.hint,minLength:e.minLength,autoselect:e.autoselect,autoselectOnBlur:e.autoselectOnBlur,tabAutocomplete:e.tabAutocomplete,openOnFocus:e.openOnFocus,templates:e.templates,debug:e.debug,clearOnSelected:e.clearOnSelected,cssClasses:e.cssClasses,datasets:n,keyboardShortcuts:e.keyboardShortcuts,appendTo:e.appendTo,autoWidth:e.autoWidth,ariaLabel:e.ariaLabel||s.getAttribute("aria-label")});c.data(r,h)}));return c.autocomplete={},s.each(["open","close","getVal","setVal","destroy","getWrapper"],(function(t){c.autocomplete[t]=function(){var e,n=arguments;return c.each((function(s,o){var a=i(o).data(r);e=a[t].apply(a,n)})),e}})),c}u.sources=o.sources,u.escapeHighlightedString=s.escapeHighlightedString;var c="autocomplete"in window,l=window.autocomplete;u.noConflict=function(){return c?window.autocomplete=l:delete window.autocomplete,u},t.exports=u},533:t=>{t.exports="0.38.1"},6990:t=>{var e;e=window,t.exports=function(t){var e,n,i=function(){var e,n,i,s,r,o,a=[],u=a.concat,c=a.filter,l=a.slice,h=t.document,p={},f={},d={"column-count":1,columns:1,"font-weight":1,"line-height":1,opacity:1,"z-index":1,zoom:1},g=/^\s*<(\w+|!)[^>]*>/,m=/^<(\w+)\s*\/?>(?:<\/\1>|)$/,v=/<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:]+)[^>]*)\/>/gi,y=/^(?:body|html)$/i,w=/([A-Z])/g,b=["val","css","html","text","data","width","height","offset"],C=["after","prepend","before","append"],x=h.createElement("table"),_=h.createElement("tr"),S={tr:h.createElement("tbody"),tbody:x,thead:x,tfoot:x,td:_,th:_,"*":h.createElement("div")},E=/complete|loaded|interactive/,A=/^[\w-]*$/,$={},T=$.toString,O={},D=h.createElement("div"),N={tabindex:"tabIndex",readonly:"readOnly",for:"htmlFor",class:"className",maxlength:"maxLength",cellspacing:"cellSpacing",cellpadding:"cellPadding",rowspan:"rowSpan",colspan:"colSpan",usemap:"useMap",frameborder:"frameBorder",contenteditable:"contentEditable"},k=Array.isArray||function(t){return t instanceof Array};function I(t){return null==t?String(t):$[T.call(t)]||"object"}function P(t){return"function"==I(t)}function L(t){return null!=t&&t==t.window}function M(t){return null!=t&&t.nodeType==t.DOCUMENT_NODE}function F(t){return"object"==I(t)}function R(t){return F(t)&&!L(t)&&Object.getPrototypeOf(t)==Object.prototype}function q(t){var e=!!t&&"length"in t&&t.length,n=i.type(t);return"function"!=n&&!L(t)&&("array"==n||0===e||"number"==typeof e&&e>0&&e-1 in t)}function V(t){return c.call(t,(function(t){return null!=t}))}function H(t){return t.length>0?i.fn.concat.apply([],t):t}function B(t){return t.replace(/::/g,"/").replace(/([A-Z]+)([A-Z][a-z])/g,"$1_$2").replace(/([a-z\d])([A-Z])/g,"$1_$2").replace(/_/g,"-").toLowerCase()}function K(t){return t in f?f[t]:f[t]=new RegExp("(^|\\s)"+t+"(\\s|$)")}function j(t,e){return"number"!=typeof e||d[B(t)]?e:e+"px"}function z(t){var e,n;return p[t]||(e=h.createElement(t),h.body.appendChild(e),n=getComputedStyle(e,"").getPropertyValue("display"),e.parentNode.removeChild(e),"none"==n&&(n="block"),p[t]=n),p[t]}function U(t){return"children"in t?l.call(t.children):i.map(t.childNodes,(function(t){if(1==t.nodeType)return t}))}function Q(t,e){var n,i=t?t.length:0;for(n=0;n<i;n++)this[n]=t[n];this.length=i,this.selector=e||""}function W(t,i,s){for(n in i)s&&(R(i[n])||k(i[n]))?(R(i[n])&&!R(t[n])&&(t[n]={}),k(i[n])&&!k(t[n])&&(t[n]=[]),W(t[n],i[n],s)):i[n]!==e&&(t[n]=i[n])}function Z(t,e){return null==e?i(t):i(t).filter(e)}function X(t,e,n,i){return P(e)?e.call(t,n,i):e}function G(t,e,n){null==n?t.removeAttribute(e):t.setAttribute(e,n)}function J(t,n){var i=t.className||"",s=i&&i.baseVal!==e;if(n===e)return s?i.baseVal:i;s?i.baseVal=n:t.className=n}function Y(t){try{return t?"true"==t||"false"!=t&&("null"==t?null:+t+""==t?+t:/^[\[\{]/.test(t)?i.parseJSON(t):t):t}catch(e){return t}}function tt(t,e){e(t);for(var n=0,i=t.childNodes.length;n<i;n++)tt(t.childNodes[n],e)}return O.matches=function(t,e){if(!e||!t||1!==t.nodeType)return!1;var n=t.matches||t.webkitMatchesSelector||t.mozMatchesSelector||t.oMatchesSelector||t.matchesSelector;if(n)return n.call(t,e);var i,s=t.parentNode,r=!s;return r&&(s=D).appendChild(t),i=~O.qsa(s,e).indexOf(t),r&&D.removeChild(t),i},r=function(t){return t.replace(/-+(.)?/g,(function(t,e){return e?e.toUpperCase():""}))},o=function(t){return c.call(t,(function(e,n){return t.indexOf(e)==n}))},O.fragment=function(t,n,s){var r,o,a;return m.test(t)&&(r=i(h.createElement(RegExp.$1))),r||(t.replace&&(t=t.replace(v,"<$1></$2>")),n===e&&(n=g.test(t)&&RegExp.$1),n in S||(n="*"),(a=S[n]).innerHTML=""+t,r=i.each(l.call(a.childNodes),(function(){a.removeChild(this)}))),R(s)&&(o=i(r),i.each(s,(function(t,e){b.indexOf(t)>-1?o[t](e):o.attr(t,e)}))),r},O.Z=function(t,e){return new Q(t,e)},O.isZ=function(t){return t instanceof O.Z},O.init=function(t,n){var s;if(!t)return O.Z();if("string"==typeof t)if("<"==(t=t.trim())[0]&&g.test(t))s=O.fragment(t,RegExp.$1,n),t=null;else{if(n!==e)return i(n).find(t);s=O.qsa(h,t)}else{if(P(t))return i(h).ready(t);if(O.isZ(t))return t;if(k(t))s=V(t);else if(F(t))s=[t],t=null;else if(g.test(t))s=O.fragment(t.trim(),RegExp.$1,n),t=null;else{if(n!==e)return i(n).find(t);s=O.qsa(h,t)}}return O.Z(s,t)},(i=function(t,e){return O.init(t,e)}).extend=function(t){var e,n=l.call(arguments,1);return"boolean"==typeof t&&(e=t,t=n.shift()),n.forEach((function(n){W(t,n,e)})),t},O.qsa=function(t,e){var n,i="#"==e[0],s=!i&&"."==e[0],r=i||s?e.slice(1):e,o=A.test(r);return t.getElementById&&o&&i?(n=t.getElementById(r))?[n]:[]:1!==t.nodeType&&9!==t.nodeType&&11!==t.nodeType?[]:l.call(o&&!i&&t.getElementsByClassName?s?t.getElementsByClassName(r):t.getElementsByTagName(e):t.querySelectorAll(e))},i.contains=h.documentElement.contains?function(t,e){return t!==e&&t.contains(e)}:function(t,e){for(;e&&(e=e.parentNode);)if(e===t)return!0;return!1},i.type=I,i.isFunction=P,i.isWindow=L,i.isArray=k,i.isPlainObject=R,i.isEmptyObject=function(t){var e;for(e in t)return!1;return!0},i.isNumeric=function(t){var e=Number(t),n=typeof t;return null!=t&&"boolean"!=n&&("string"!=n||t.length)&&!isNaN(e)&&isFinite(e)||!1},i.inArray=function(t,e,n){return a.indexOf.call(e,t,n)},i.camelCase=r,i.trim=function(t){return null==t?"":String.prototype.trim.call(t)},i.uuid=0,i.support={},i.expr={},i.noop=function(){},i.map=function(t,e){var n,i,s,r=[];if(q(t))for(i=0;i<t.length;i++)null!=(n=e(t[i],i))&&r.push(n);else for(s in t)null!=(n=e(t[s],s))&&r.push(n);return H(r)},i.each=function(t,e){var n,i;if(q(t)){for(n=0;n<t.length;n++)if(!1===e.call(t[n],n,t[n]))return t}else for(i in t)if(!1===e.call(t[i],i,t[i]))return t;return t},i.grep=function(t,e){return c.call(t,e)},t.JSON&&(i.parseJSON=JSON.parse),i.each("Boolean Number String Function Array Date RegExp Object Error".split(" "),(function(t,e){$["[object "+e+"]"]=e.toLowerCase()})),i.fn={constructor:O.Z,length:0,forEach:a.forEach,reduce:a.reduce,push:a.push,sort:a.sort,splice:a.splice,indexOf:a.indexOf,concat:function(){var t,e,n=[];for(t=0;t<arguments.length;t++)e=arguments[t],n[t]=O.isZ(e)?e.toArray():e;return u.apply(O.isZ(this)?this.toArray():this,n)},map:function(t){return i(i.map(this,(function(e,n){return t.call(e,n,e)})))},slice:function(){return i(l.apply(this,arguments))},ready:function(t){return E.test(h.readyState)&&h.body?t(i):h.addEventListener("DOMContentLoaded",(function(){t(i)}),!1),this},get:function(t){return t===e?l.call(this):this[t>=0?t:t+this.length]},toArray:function(){return this.get()},size:function(){return this.length},remove:function(){return this.each((function(){null!=this.parentNode&&this.parentNode.removeChild(this)}))},each:function(t){return a.every.call(this,(function(e,n){return!1!==t.call(e,n,e)})),this},filter:function(t){return P(t)?this.not(this.not(t)):i(c.call(this,(function(e){return O.matches(e,t)})))},add:function(t,e){return i(o(this.concat(i(t,e))))},is:function(t){return this.length>0&&O.matches(this[0],t)},not:function(t){var n=[];if(P(t)&&t.call!==e)this.each((function(e){t.call(this,e)||n.push(this)}));else{var s="string"==typeof t?this.filter(t):q(t)&&P(t.item)?l.call(t):i(t);this.forEach((function(t){s.indexOf(t)<0&&n.push(t)}))}return i(n)},has:function(t){return this.filter((function(){return F(t)?i.contains(this,t):i(this).find(t).size()}))},eq:function(t){return-1===t?this.slice(t):this.slice(t,+t+1)},first:function(){var t=this[0];return t&&!F(t)?t:i(t)},last:function(){var t=this[this.length-1];return t&&!F(t)?t:i(t)},find:function(t){var e=this;return t?"object"==typeof t?i(t).filter((function(){var t=this;return a.some.call(e,(function(e){return i.contains(e,t)}))})):1==this.length?i(O.qsa(this[0],t)):this.map((function(){return O.qsa(this,t)})):i()},closest:function(t,e){var n=[],s="object"==typeof t&&i(t);return this.each((function(i,r){for(;r&&!(s?s.indexOf(r)>=0:O.matches(r,t));)r=r!==e&&!M(r)&&r.parentNode;r&&n.indexOf(r)<0&&n.push(r)})),i(n)},parents:function(t){for(var e=[],n=this;n.length>0;)n=i.map(n,(function(t){if((t=t.parentNode)&&!M(t)&&e.indexOf(t)<0)return e.push(t),t}));return Z(e,t)},parent:function(t){return Z(o(this.pluck("parentNode")),t)},children:function(t){return Z(this.map((function(){return U(this)})),t)},contents:function(){return this.map((function(){return this.contentDocument||l.call(this.childNodes)}))},siblings:function(t){return Z(this.map((function(t,e){return c.call(U(e.parentNode),(function(t){return t!==e}))})),t)},empty:function(){return this.each((function(){this.innerHTML=""}))},pluck:function(t){return i.map(this,(function(e){return e[t]}))},show:function(){return this.each((function(){"none"==this.style.display&&(this.style.display=""),"none"==getComputedStyle(this,"").getPropertyValue("display")&&(this.style.display=z(this.nodeName))}))},replaceWith:function(t){return this.before(t).remove()},wrap:function(t){var e=P(t);if(this[0]&&!e)var n=i(t).get(0),s=n.parentNode||this.length>1;return this.each((function(r){i(this).wrapAll(e?t.call(this,r):s?n.cloneNode(!0):n)}))},wrapAll:function(t){if(this[0]){var e;for(i(this[0]).before(t=i(t));(e=t.children()).length;)t=e.first();i(t).append(this)}return this},wrapInner:function(t){var e=P(t);return this.each((function(n){var s=i(this),r=s.contents(),o=e?t.call(this,n):t;r.length?r.wrapAll(o):s.append(o)}))},unwrap:function(){return this.parent().each((function(){i(this).replaceWith(i(this).children())})),this},clone:function(){return this.map((function(){return this.cloneNode(!0)}))},hide:function(){return this.css("display","none")},toggle:function(t){return this.each((function(){var n=i(this);(t===e?"none"==n.css("display"):t)?n.show():n.hide()}))},prev:function(t){return i(this.pluck("previousElementSibling")).filter(t||"*")},next:function(t){return i(this.pluck("nextElementSibling")).filter(t||"*")},html:function(t){return 0 in arguments?this.each((function(e){var n=this.innerHTML;i(this).empty().append(X(this,t,e,n))})):0 in this?this[0].innerHTML:null},text:function(t){return 0 in arguments?this.each((function(e){var n=X(this,t,e,this.textContent);this.textContent=null==n?"":""+n})):0 in this?this.pluck("textContent").join(""):null},attr:function(t,i){var s;return"string"!=typeof t||1 in arguments?this.each((function(e){if(1===this.nodeType)if(F(t))for(n in t)G(this,n,t[n]);else G(this,t,X(this,i,e,this.getAttribute(t)))})):0 in this&&1==this[0].nodeType&&null!=(s=this[0].getAttribute(t))?s:e},removeAttr:function(t){return this.each((function(){1===this.nodeType&&t.split(" ").forEach((function(t){G(this,t)}),this)}))},prop:function(t,e){return t=N[t]||t,1 in arguments?this.each((function(n){this[t]=X(this,e,n,this[t])})):this[0]&&this[0][t]},removeProp:function(t){return t=N[t]||t,this.each((function(){delete this[t]}))},data:function(t,n){var i="data-"+t.replace(w,"-$1").toLowerCase(),s=1 in arguments?this.attr(i,n):this.attr(i);return null!==s?Y(s):e},val:function(t){return 0 in arguments?(null==t&&(t=""),this.each((function(e){this.value=X(this,t,e,this.value)}))):this[0]&&(this[0].multiple?i(this[0]).find("option").filter((function(){return this.selected})).pluck("value"):this[0].value)},offset:function(e){if(e)return this.each((function(t){var n=i(this),s=X(this,e,t,n.offset()),r=n.offsetParent().offset(),o={top:s.top-r.top,left:s.left-r.left};"static"==n.css("position")&&(o.position="relative"),n.css(o)}));if(!this.length)return null;if(h.documentElement!==this[0]&&!i.contains(h.documentElement,this[0]))return{top:0,left:0};var n=this[0].getBoundingClientRect();return{left:n.left+t.pageXOffset,top:n.top+t.pageYOffset,width:Math.round(n.width),height:Math.round(n.height)}},css:function(t,e){if(arguments.length<2){var s=this[0];if("string"==typeof t){if(!s)return;return s.style[r(t)]||getComputedStyle(s,"").getPropertyValue(t)}if(k(t)){if(!s)return;var o={},a=getComputedStyle(s,"");return i.each(t,(function(t,e){o[e]=s.style[r(e)]||a.getPropertyValue(e)})),o}}var u="";if("string"==I(t))e||0===e?u=B(t)+":"+j(t,e):this.each((function(){this.style.removeProperty(B(t))}));else for(n in t)t[n]||0===t[n]?u+=B(n)+":"+j(n,t[n])+";":this.each((function(){this.style.removeProperty(B(n))}));return this.each((function(){this.style.cssText+=";"+u}))},index:function(t){return t?this.indexOf(i(t)[0]):this.parent().children().indexOf(this[0])},hasClass:function(t){return!!t&&a.some.call(this,(function(t){return this.test(J(t))}),K(t))},addClass:function(t){return t?this.each((function(e){if("className"in this){s=[];var n=J(this);X(this,t,e,n).split(/\s+/g).forEach((function(t){i(this).hasClass(t)||s.push(t)}),this),s.length&&J(this,n+(n?" ":"")+s.join(" "))}})):this},removeClass:function(t){return this.each((function(n){if("className"in this){if(t===e)return J(this,"");s=J(this),X(this,t,n,s).split(/\s+/g).forEach((function(t){s=s.replace(K(t)," ")})),J(this,s.trim())}}))},toggleClass:function(t,n){return t?this.each((function(s){var r=i(this);X(this,t,s,J(this)).split(/\s+/g).forEach((function(t){(n===e?!r.hasClass(t):n)?r.addClass(t):r.removeClass(t)}))})):this},scrollTop:function(t){if(this.length){var n="scrollTop"in this[0];return t===e?n?this[0].scrollTop:this[0].pageYOffset:this.each(n?function(){this.scrollTop=t}:function(){this.scrollTo(this.scrollX,t)})}},scrollLeft:function(t){if(this.length){var n="scrollLeft"in this[0];return t===e?n?this[0].scrollLeft:this[0].pageXOffset:this.each(n?function(){this.scrollLeft=t}:function(){this.scrollTo(t,this.scrollY)})}},position:function(){if(this.length){var t=this[0],e=this.offsetParent(),n=this.offset(),s=y.test(e[0].nodeName)?{top:0,left:0}:e.offset();return n.top-=parseFloat(i(t).css("margin-top"))||0,n.left-=parseFloat(i(t).css("margin-left"))||0,s.top+=parseFloat(i(e[0]).css("border-top-width"))||0,s.left+=parseFloat(i(e[0]).css("border-left-width"))||0,{top:n.top-s.top,left:n.left-s.left}}},offsetParent:function(){return this.map((function(){for(var t=this.offsetParent||h.body;t&&!y.test(t.nodeName)&&"static"==i(t).css("position");)t=t.offsetParent;return t}))}},i.fn.detach=i.fn.remove,["width","height"].forEach((function(t){var n=t.replace(/./,(function(t){return t[0].toUpperCase()}));i.fn[t]=function(s){var r,o=this[0];return s===e?L(o)?o["inner"+n]:M(o)?o.documentElement["scroll"+n]:(r=this.offset())&&r[t]:this.each((function(e){(o=i(this)).css(t,X(this,s,e,o[t]()))}))}})),C.forEach((function(n,s){var r=s%2;i.fn[n]=function(){var n,o,a=i.map(arguments,(function(t){var s=[];return"array"==(n=I(t))?(t.forEach((function(t){return t.nodeType!==e?s.push(t):i.zepto.isZ(t)?s=s.concat(t.get()):void(s=s.concat(O.fragment(t)))})),s):"object"==n||null==t?t:O.fragment(t)})),u=this.length>1;return a.length<1?this:this.each((function(e,n){o=r?n:n.parentNode,n=0==s?n.nextSibling:1==s?n.firstChild:2==s?n:null;var c=i.contains(h.documentElement,o);a.forEach((function(e){if(u)e=e.cloneNode(!0);else if(!o)return i(e).remove();o.insertBefore(e,n),c&&tt(e,(function(e){if(!(null==e.nodeName||"SCRIPT"!==e.nodeName.toUpperCase()||e.type&&"text/javascript"!==e.type||e.src)){var n=e.ownerDocument?e.ownerDocument.defaultView:t;n.eval.call(n,e.innerHTML)}}))}))}))},i.fn[r?n+"To":"insert"+(s?"Before":"After")]=function(t){return i(t)[n](this),this}})),O.Z.prototype=Q.prototype=i.fn,O.uniq=o,O.deserializeValue=Y,i.zepto=O,i}();return function(e){var n,i=1,s=Array.prototype.slice,r=e.isFunction,o=function(t){return"string"==typeof t},a={},u={},c="onfocusin"in t,l={focus:"focusin",blur:"focusout"},h={mouseenter:"mouseover",mouseleave:"mouseout"};function p(t){return t._zid||(t._zid=i++)}function f(t,e,n,i){if((e=d(e)).ns)var s=g(e.ns);return(a[p(t)]||[]).filter((function(t){return t&&(!e.e||t.e==e.e)&&(!e.ns||s.test(t.ns))&&(!n||p(t.fn)===p(n))&&(!i||t.sel==i)}))}function d(t){var e=(""+t).split(".");return{e:e[0],ns:e.slice(1).sort().join(" ")}}function g(t){return new RegExp("(?:^| )"+t.replace(" "," .* ?")+"(?: |$)")}function m(t,e){return t.del&&!c&&t.e in l||!!e}function v(t){return h[t]||c&&l[t]||t}function y(t,i,s,r,o,u,c){var l=p(t),f=a[l]||(a[l]=[]);i.split(/\s/).forEach((function(i){if("ready"==i)return e(document).ready(s);var a=d(i);a.fn=s,a.sel=o,a.e in h&&(s=function(t){var n=t.relatedTarget;if(!n||n!==this&&!e.contains(this,n))return a.fn.apply(this,arguments)}),a.del=u;var l=u||s;a.proxy=function(e){if(!(e=S(e)).isImmediatePropagationStopped()){try{var i=Object.getOwnPropertyDescriptor(e,"data");i&&!i.writable||(e.data=r)}catch(e){}var s=l.apply(t,e._args==n?[e]:[e].concat(e._args));return!1===s&&(e.preventDefault(),e.stopPropagation()),s}},a.i=f.length,f.push(a),"addEventListener"in t&&t.addEventListener(v(a.e),a.proxy,m(a,c))}))}function w(t,e,n,i,s){var r=p(t);(e||"").split(/\s/).forEach((function(e){f(t,e,n,i).forEach((function(e){delete a[r][e.i],"removeEventListener"in t&&t.removeEventListener(v(e.e),e.proxy,m(e,s))}))}))}u.click=u.mousedown=u.mouseup=u.mousemove="MouseEvents",e.event={add:y,remove:w},e.proxy=function(t,n){var i=2 in arguments&&s.call(arguments,2);if(r(t)){var a=function(){return t.apply(n,i?i.concat(s.call(arguments)):arguments)};return a._zid=p(t),a}if(o(n))return i?(i.unshift(t[n],t),e.proxy.apply(null,i)):e.proxy(t[n],t);throw new TypeError("expected function")},e.fn.bind=function(t,e,n){return this.on(t,e,n)},e.fn.unbind=function(t,e){return this.off(t,e)},e.fn.one=function(t,e,n,i){return this.on(t,e,n,i,1)};var b=function(){return!0},C=function(){return!1},x=/^([A-Z]|returnValue$|layer[XY]$|webkitMovement[XY]$)/,_={preventDefault:"isDefaultPrevented",stopImmediatePropagation:"isImmediatePropagationStopped",stopPropagation:"isPropagationStopped"};function S(t,i){if(i||!t.isDefaultPrevented){i||(i=t),e.each(_,(function(e,n){var s=i[e];t[e]=function(){return this[n]=b,s&&s.apply(i,arguments)},t[n]=C}));try{t.timeStamp||(t.timeStamp=Date.now())}catch(s){}(i.defaultPrevented!==n?i.defaultPrevented:"returnValue"in i?!1===i.returnValue:i.getPreventDefault&&i.getPreventDefault())&&(t.isDefaultPrevented=b)}return t}function E(t){var e,i={originalEvent:t};for(e in t)x.test(e)||t[e]===n||(i[e]=t[e]);return S(i,t)}e.fn.delegate=function(t,e,n){return this.on(e,t,n)},e.fn.undelegate=function(t,e,n){return this.off(e,t,n)},e.fn.live=function(t,n){return e(document.body).delegate(this.selector,t,n),this},e.fn.die=function(t,n){return e(document.body).undelegate(this.selector,t,n),this},e.fn.on=function(t,i,a,u,c){var l,h,p=this;return t&&!o(t)?(e.each(t,(function(t,e){p.on(t,i,a,e,c)})),p):(o(i)||r(u)||!1===u||(u=a,a=i,i=n),u!==n&&!1!==a||(u=a,a=n),!1===u&&(u=C),p.each((function(n,r){c&&(l=function(t){return w(r,t.type,u),u.apply(this,arguments)}),i&&(h=function(t){var n,o=e(t.target).closest(i,r).get(0);if(o&&o!==r)return n=e.extend(E(t),{currentTarget:o,liveFired:r}),(l||u).apply(o,[n].concat(s.call(arguments,1)))}),y(r,t,u,a,i,h||l)})))},e.fn.off=function(t,i,s){var a=this;return t&&!o(t)?(e.each(t,(function(t,e){a.off(t,i,e)})),a):(o(i)||r(s)||!1===s||(s=i,i=n),!1===s&&(s=C),a.each((function(){w(this,t,s,i)})))},e.fn.trigger=function(t,n){return(t=o(t)||e.isPlainObject(t)?e.Event(t):S(t))._args=n,this.each((function(){t.type in l&&"function"==typeof this[t.type]?this[t.type]():"dispatchEvent"in this?this.dispatchEvent(t):e(this).triggerHandler(t,n)}))},e.fn.triggerHandler=function(t,n){var i,s;return this.each((function(r,a){(i=E(o(t)?e.Event(t):t))._args=n,i.target=a,e.each(f(a,t.type||t),(function(t,e){if(s=e.proxy(i),i.isImmediatePropagationStopped())return!1}))})),s},"focusin focusout focus blur load resize scroll unload click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select keydown keypress keyup error".split(" ").forEach((function(t){e.fn[t]=function(e){return 0 in arguments?this.bind(t,e):this.trigger(t)}})),e.Event=function(t,e){o(t)||(t=(e=t).type);var n=document.createEvent(u[t]||"Events"),i=!0;if(e)for(var s in e)"bubbles"==s?i=!!e[s]:n[s]=e[s];return n.initEvent(t,i,!0),S(n)}}(i),n=[],i.fn.remove=function(){return this.each((function(){this.parentNode&&("IMG"===this.tagName&&(n.push(this),this.src="data:image/gif;base64,R0lGODlhAQABAAD/ACwAAAAAAQABAAACADs=",e&&clearTimeout(e),e=setTimeout((function(){n=[]}),6e4)),this.parentNode.removeChild(this))}))},function(t){var e={},n=t.fn.data,i=t.camelCase,s=t.expando="Zepto"+ +new Date,r=[];function o(r,o){var u=r[s],c=u&&e[u];if(void 0===o)return c||a(r);if(c){if(o in c)return c[o];var l=i(o);if(l in c)return c[l]}return n.call(t(r),o)}function a(n,r,o){var a=n[s]||(n[s]=++t.uuid),c=e[a]||(e[a]=u(n));return void 0!==r&&(c[i(r)]=o),c}function u(e){var n={};return t.each(e.attributes||r,(function(e,s){0==s.name.indexOf("data-")&&(n[i(s.name.replace("data-",""))]=t.zepto.deserializeValue(s.value))})),n}t.fn.data=function(e,n){return void 0===n?t.isPlainObject(e)?this.each((function(n,i){t.each(e,(function(t,e){a(i,t,e)}))})):0 in this?o(this[0],e):void 0:this.each((function(){a(this,e,n)}))},t.data=function(e,n,i){return t(e).data(n,i)},t.hasData=function(n){var i=n[s],r=i&&e[i];return!!r&&!t.isEmptyObject(r)},t.fn.removeData=function(n){return"string"==typeof n&&(n=n.split(/\s+/)),this.each((function(){var r=this[s],o=r&&e[r];o&&t.each(n||o,(function(t){delete o[n?i(this):t]}))}))},["remove","empty"].forEach((function(e){var n=t.fn[e];t.fn[e]=function(){var t=this.find("*");return"remove"===e&&(t=t.add(this)),t.removeData(),n.call(this)}}))}(i),i}(e)},8820:t=>{"use strict";var e={}.hasOwnProperty,n=/[ -,\.\/:-@\[-\^`\{-~]/,i=/[ -,\.\/:-@\[\]\^`\{-~]/,s=/(^|\\+)?(\\[A-F0-9]{1,6})\x20(?![a-fA-F0-9\x20])/g,r=function t(r,o){"single"!=(o=function(t,n){if(!t)return n;var i={};for(var s in n)i[s]=e.call(t,s)?t[s]:n[s];return i}(o,t.options)).quotes&&"double"!=o.quotes&&(o.quotes="single");for(var a="double"==o.quotes?'"':"'",u=o.isIdentifier,c=r.charAt(0),l="",h=0,p=r.length;h<p;){var f=r.charAt(h++),d=f.charCodeAt(),g=void 0;if(d<32||d>126){if(d>=55296&&d<=56319&&h<p){var m=r.charCodeAt(h++);56320==(64512&m)?d=((1023&d)<<10)+(1023&m)+65536:h--}g="\\"+d.toString(16).toUpperCase()+" "}else g=o.escapeEverything?n.test(f)?"\\"+f:"\\"+d.toString(16).toUpperCase()+" ":/[\t\n\f\r\x0B]/.test(f)?"\\"+d.toString(16).toUpperCase()+" ":"\\"==f||!u&&('"'==f&&a==f||"'"==f&&a==f)||u&&i.test(f)?"\\"+f:f;l+=g}return u&&(/^-[-\d]/.test(l)?l="\\-"+l.slice(1):/\d/.test(c)&&(l="\\3"+c+" "+l.slice(1))),l=l.replace(s,(function(t,e,n){return e&&e.length%2?t:(e||"")+n})),!u&&o.wrap?a+l+a:l};r.options={escapeEverything:!1,isIdentifier:!1,quotes:"single",wrap:!1},r.version="3.0.0",t.exports=r},624:(t,e,n)=>{"use strict";var i,s,r,o=[n(5525),n(4785),n(8291),n(2709),n(2506),n(9176)],a=-1,u=[],c=!1;function l(){i&&s&&(i=!1,s.length?u=s.concat(u):a=-1,u.length&&h())}function h(){if(!i){c=!1,i=!0;for(var t=u.length,e=setTimeout(l);t;){for(s=u,u=[];s&&++a<t;)s[a].run();a=-1,t=u.length}s=null,a=-1,i=!1,clearTimeout(e)}}for(var p=-1,f=o.length;++p<f;)if(o[p]&&o[p].test&&o[p].test()){r=o[p].install(h);break}function d(t,e){this.fun=t,this.array=e}d.prototype.run=function(){var t=this.fun,e=this.array;switch(e.length){case 0:return t();case 1:return t(e[0]);case 2:return t(e[0],e[1]);case 3:return t(e[0],e[1],e[2]);default:return t.apply(null,e)}},t.exports=function(t){var e=new Array(arguments.length-1);if(arguments.length>1)for(var n=1;n<arguments.length;n++)e[n-1]=arguments[n];u.push(new d(t,e)),c||i||(c=!0,r())}},2709:(t,e,n)=>{"use strict";e.test=function(){return!n.g.setImmediate&&void 0!==n.g.MessageChannel},e.install=function(t){var e=new n.g.MessageChannel;return e.port1.onmessage=t,function(){e.port2.postMessage(0)}}},8291:(t,e,n)=>{"use strict";var i=n.g.MutationObserver||n.g.WebKitMutationObserver;e.test=function(){return i},e.install=function(t){var e=0,s=new i(t),r=n.g.document.createTextNode("");return s.observe(r,{characterData:!0}),function(){r.data=e=++e%2}}},4785:(t,e,n)=>{"use strict";e.test=function(){return"function"==typeof n.g.queueMicrotask},e.install=function(t){return function(){n.g.queueMicrotask(t)}}},2506:(t,e,n)=>{"use strict";e.test=function(){return"document"in n.g&&"onreadystatechange"in n.g.document.createElement("script")},e.install=function(t){return function(){var e=n.g.document.createElement("script");return e.onreadystatechange=function(){t(),e.onreadystatechange=null,e.parentNode.removeChild(e),e=null},n.g.document.documentElement.appendChild(e),t}}},9176:(t,e)=>{"use strict";e.test=function(){return!0},e.install=function(t){return function(){setTimeout(t,0)}}}}]); \ No newline at end of file diff --git a/assets/js/8443.26559c8c.js.LICENSE.txt b/assets/js/8443.a5d9c459.js.LICENSE.txt similarity index 100% rename from assets/js/8443.26559c8c.js.LICENSE.txt rename to assets/js/8443.a5d9c459.js.LICENSE.txt diff --git a/zh/assets/js/893.bef64808.js b/assets/js/893.c93e490f.js similarity index 99% rename from zh/assets/js/893.bef64808.js rename to assets/js/893.c93e490f.js index 80ba702b6..fd939b687 100644 --- a/zh/assets/js/893.bef64808.js +++ b/assets/js/893.c93e490f.js @@ -1898,7 +1898,7 @@ function preorder(g, vs) { } // EXTERNAL MODULE: ./node_modules/dagre-d3-es/src/graphlib/graph.js + 9 modules -var graph = __webpack_require__(2544); +var graph = __webpack_require__(4404); ;// CONCATENATED MODULE: ./node_modules/dagre-d3-es/src/graphlib/alg/prim.js @@ -4461,7 +4461,7 @@ function canonicalize(attrs) { /***/ }), -/***/ 2544: +/***/ 4404: /***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => { @@ -5274,7 +5274,7 @@ function edgeObjToId(isDirected, edgeObj) { /* harmony export */ k: () => (/* reexport safe */ _graph_js__WEBPACK_IMPORTED_MODULE_0__.k) /* harmony export */ }); /* unused harmony export version */ -/* harmony import */ var _graph_js__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(2544); +/* harmony import */ var _graph_js__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(4404); // Includes only the "core" of graphlib @@ -5342,7 +5342,7 @@ function clone(value) { // EXTERNAL MODULE: ./node_modules/lodash-es/map.js var map = __webpack_require__(3836); // EXTERNAL MODULE: ./node_modules/dagre-d3-es/src/graphlib/graph.js + 9 modules -var graph = __webpack_require__(2544); +var graph = __webpack_require__(4404); ;// CONCATENATED MODULE: ./node_modules/dagre-d3-es/src/graphlib/json.js diff --git a/assets/js/914a16f4.3af55ecf.js b/assets/js/914a16f4.3af55ecf.js new file mode 100644 index 000000000..35e05b4bc --- /dev/null +++ b/assets/js/914a16f4.3af55ecf.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7626],{6050:(e,n,o)=>{o.r(n),o.d(n,{assets:()=>l,contentTitle:()=>s,default:()=>p,frontMatter:()=>i,metadata:()=>a,toc:()=>c});var r=o(5893),t=o(1151);const i={title:"Flag Deprecation"},s=void 0,a={id:"reference/flag-deprecation",title:"Flag Deprecation",description:"K3s is a fast-moving project, and as such, we need a way to deprecate flags and configuration options. This page outlines the process for deprecating flags and configuration options. In order to ensure that users are not surprised by the removal of flags, the process is similar to the Kubernetes Deprecation Policy.",source:"@site/docs/reference/flag-deprecation.md",sourceDirName:"reference",slug:"/reference/flag-deprecation",permalink:"/reference/flag-deprecation",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/reference/flag-deprecation.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Flag Deprecation"},sidebar:"mySidebar",previous:{title:"Environment Variables",permalink:"/reference/env-variables"},next:{title:"Resource Profiling",permalink:"/reference/resource-profiling"}},l={},c=[{value:"Process",id:"process",level:2},{value:"Example",id:"example",level:2}];function d(e){const n={a:"a",code:"code",h2:"h2",li:"li",ol:"ol",p:"p",pre:"pre",ul:"ul",...(0,t.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsxs)(n.p,{children:["K3s is a fast-moving project, and as such, we need a way to deprecate flags and configuration options. This page outlines the process for deprecating flags and configuration options. In order to ensure that users are not surprised by the removal of flags, the process is similar to the ",(0,r.jsx)(n.a,{href:"https://kubernetes.io/docs/reference/using-api/deprecation-policy/",children:"Kubernetes Deprecation Policy"}),"."]}),"\n",(0,r.jsx)(n.h2,{id:"process",children:"Process"}),"\n",(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsx)(n.li,{children:'Flags can be declared as "To Be Deprecated" at any time.'}),"\n",(0,r.jsx)(n.li,{children:'Flags that are "To Be Deprecated" must be labeled as such on the next patch of all currently supported releases. Additionally, the flag will begin to warn users that it is going to be deprecated in the next minor release.'}),"\n",(0,r.jsx)(n.li,{children:"On the next minor release, a flag will be marked as deprecated in the documentation and converted to a hidden flag in code. The flag will continue to operate and give warnings to users."}),"\n",(0,r.jsx)(n.li,{children:'In the following minor release branch, deprecated flags will become "nonoperational", causing a fatal error if used. This error must explain to the user any new flags or configuration that replace this flag.'}),"\n",(0,r.jsx)(n.li,{children:"In the next minor release, the nonoperational flags will be removed from documentation and code."}),"\n"]}),"\n",(0,r.jsx)(n.h2,{id:"example",children:"Example"}),"\n",(0,r.jsx)(n.p,{children:"An example of the process:"}),"\n",(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.code,{children:"--foo"})," exists in v1.22.14, v1.23.10, and v1.24.2."]}),"\n",(0,r.jsxs)(n.li,{children:["After the v1.24.2 release, it is decided to deprecate ",(0,r.jsx)(n.code,{children:"--foo"})," in favor of ",(0,r.jsx)(n.code,{children:"--new-foo"}),"."]}),"\n",(0,r.jsxs)(n.li,{children:["In v1.22.15, v1.23.11, and v1.24.3, ",(0,r.jsx)(n.code,{children:"--foo"})," continues to exist, but will warn users:","\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{children:"[Warning] --foo will be deprecated in v1.25.0, use `--new-foo` instead\n"})}),"\n",(0,r.jsx)(n.code,{children:"--foo"})," will continue to exist as an operational flag for the life of v1.22, v1.23 and v1.24."]}),"\n",(0,r.jsxs)(n.li,{children:["In v1.25.0, ",(0,r.jsx)(n.code,{children:"--foo"})," is marked as deprecated in documentation and will be hidden in code. It will continue to work and warn users to move to ",(0,r.jsx)(n.code,{children:"--new-foo"}),"."]}),"\n",(0,r.jsxs)(n.li,{children:["In v1.26.0, ",(0,r.jsx)(n.code,{children:"--foo"})," will cause a fatal error if used. The error message will say:","\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{children:"[Fatal] exit 1: --foo is no longer supported, use --new-foo instead\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["In v1.27.0, ",(0,r.jsx)(n.code,{children:"--foo"})," will be removed completely from all code and documentation."]}),"\n"]})]})}function p(e={}){const{wrapper:n}={...(0,t.a)(),...e.components};return n?(0,r.jsx)(n,{...e,children:(0,r.jsx)(d,{...e})}):d(e)}},1151:(e,n,o)=>{o.d(n,{Z:()=>a,a:()=>s});var r=o(7294);const t={},i=r.createContext(t);function s(e){const n=r.useContext(i);return r.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function a(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:s(e.components),r.createElement(i.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/914a16f4.d484640c.js b/assets/js/914a16f4.d484640c.js deleted file mode 100644 index 65954903d..000000000 --- a/assets/js/914a16f4.d484640c.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7626],{6050:(e,n,o)=>{o.r(n),o.d(n,{assets:()=>l,contentTitle:()=>s,default:()=>p,frontMatter:()=>i,metadata:()=>a,toc:()=>c});var r=o(5893),t=o(1151);const i={title:"Flag Deprecation"},s=void 0,a={id:"reference/flag-deprecation",title:"Flag Deprecation",description:"K3s is a fast-moving project, and as such, we need a way to deprecate flags and configuration options. This page outlines the process for deprecating flags and configuration options. In order to ensure that users are not surprised by the removal of flags, the process is similar to the Kubernetes Deprecation Policy.",source:"@site/docs/reference/flag-deprecation.md",sourceDirName:"reference",slug:"/reference/flag-deprecation",permalink:"/reference/flag-deprecation",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/reference/flag-deprecation.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Flag Deprecation"},sidebar:"mySidebar",previous:{title:"Environment Variables",permalink:"/reference/env-variables"},next:{title:"Resource Profiling",permalink:"/reference/resource-profiling"}},l={},c=[{value:"Process",id:"process",level:2},{value:"Example",id:"example",level:2}];function d(e){const n={a:"a",code:"code",h2:"h2",li:"li",ol:"ol",p:"p",pre:"pre",ul:"ul",...(0,t.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsxs)(n.p,{children:["K3s is a fast-moving project, and as such, we need a way to deprecate flags and configuration options. This page outlines the process for deprecating flags and configuration options. In order to ensure that users are not surprised by the removal of flags, the process is similar to the ",(0,r.jsx)(n.a,{href:"https://kubernetes.io/docs/reference/using-api/deprecation-policy/",children:"Kubernetes Deprecation Policy"}),"."]}),"\n",(0,r.jsx)(n.h2,{id:"process",children:"Process"}),"\n",(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsx)(n.li,{children:'Flags can be declared as "To Be Deprecated" at any time.'}),"\n",(0,r.jsx)(n.li,{children:'Flags that are "To Be Deprecated" must be labeled as such on the next patch of all currently supported releases. Additionally, the flag will begin to warn users that it is going to be deprecated in the next minor release.'}),"\n",(0,r.jsx)(n.li,{children:"On the next minor release, a flag will be marked as deprecated in the documentation and converted to a hidden flag in code. The flag will continue to operate and give warnings to users."}),"\n",(0,r.jsx)(n.li,{children:'In the following minor release branch, deprecated flags will become "nonoperational", causing a fatal error if used. This error must explain to the user any new flags or configuration that replace this flag.'}),"\n",(0,r.jsx)(n.li,{children:"In the next minor release, the nonoperational flags will be removed from documentation and code."}),"\n"]}),"\n",(0,r.jsx)(n.h2,{id:"example",children:"Example"}),"\n",(0,r.jsx)(n.p,{children:"An example of the process:"}),"\n",(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.code,{children:"--foo"})," exists in v1.22.14, v1.23.10, and v1.24.2."]}),"\n",(0,r.jsxs)(n.li,{children:["After the v1.24.2 release, it is decided to deprecate ",(0,r.jsx)(n.code,{children:"--foo"})," in favor of ",(0,r.jsx)(n.code,{children:"--new-foo"}),"."]}),"\n",(0,r.jsxs)(n.li,{children:["In v1.22.15, v1.23.11, and v1.24.3, ",(0,r.jsx)(n.code,{children:"--foo"})," continues to exist, but will warn users:","\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{children:"[Warning] --foo will be deprecated in v1.25.0, use `--new-foo` instead\n"})}),"\n",(0,r.jsx)(n.code,{children:"--foo"})," will continue to exist as an operational flag for the life of v1.22, v1.23 and v1.24."]}),"\n",(0,r.jsxs)(n.li,{children:["In v1.25.0, ",(0,r.jsx)(n.code,{children:"--foo"})," is marked as deprecated in documentation and will be hidden in code. It will continue to work and warn users to move to ",(0,r.jsx)(n.code,{children:"--new-foo"}),"."]}),"\n",(0,r.jsxs)(n.li,{children:["In v1.26.0, ",(0,r.jsx)(n.code,{children:"--foo"})," will cause a fatal error if used. The error message will say:","\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{children:"[Fatal] exit 1: --foo is no longer supported, use --new-foo instead\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["In v1.27.0, ",(0,r.jsx)(n.code,{children:"--foo"})," will be removed completely from all code and documentation."]}),"\n"]})]})}function p(e={}){const{wrapper:n}={...(0,t.a)(),...e.components};return n?(0,r.jsx)(n,{...e,children:(0,r.jsx)(d,{...e})}):d(e)}},1151:(e,n,o)=>{o.d(n,{Z:()=>a,a:()=>s});var r=o(7294);const t={},i=r.createContext(t);function s(e){const n=r.useContext(i);return r.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function a(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:s(e.components),r.createElement(i.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/zh/assets/js/943.288d0bb4.js b/assets/js/943.3c7831dd.js similarity index 99% rename from zh/assets/js/943.288d0bb4.js rename to assets/js/943.3c7831dd.js index 1a8c22ec7..9bb7c0cb0 100644 --- a/zh/assets/js/943.288d0bb4.js +++ b/assets/js/943.3c7831dd.js @@ -1790,7 +1790,7 @@ function preorder(g, vs) { } // EXTERNAL MODULE: ./node_modules/dagre-d3-es/src/graphlib/graph.js + 9 modules -var graph = __webpack_require__(2544); +var graph = __webpack_require__(4404); ;// CONCATENATED MODULE: ./node_modules/dagre-d3-es/src/graphlib/alg/prim.js @@ -4353,7 +4353,7 @@ function canonicalize(attrs) { /***/ }), -/***/ 2544: +/***/ 4404: /***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => { @@ -5166,7 +5166,7 @@ function edgeObjToId(isDirected, edgeObj) { /* harmony export */ k: () => (/* reexport safe */ _graph_js__WEBPACK_IMPORTED_MODULE_0__.k) /* harmony export */ }); /* unused harmony export version */ -/* harmony import */ var _graph_js__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(2544); +/* harmony import */ var _graph_js__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(4404); // Includes only the "core" of graphlib @@ -5234,7 +5234,7 @@ function clone(value) { // EXTERNAL MODULE: ./node_modules/lodash-es/map.js var map = __webpack_require__(3836); // EXTERNAL MODULE: ./node_modules/dagre-d3-es/src/graphlib/graph.js + 9 modules -var graph = __webpack_require__(2544); +var graph = __webpack_require__(4404); ;// CONCATENATED MODULE: ./node_modules/dagre-d3-es/src/graphlib/json.js diff --git a/assets/js/97c4f258.1b92ba91.js b/assets/js/97c4f258.1b92ba91.js new file mode 100644 index 000000000..6b7a8cc5f --- /dev/null +++ b/assets/js/97c4f258.1b92ba91.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[305],{8486:(e,n,i)=>{i.r(n),i.d(n,{assets:()=>l,contentTitle:()=>o,default:()=>h,frontMatter:()=>a,metadata:()=>r,toc:()=>c});var s=i(5893),t=i(1151);const a={title:"Configuration Options"},o=void 0,r={id:"installation/configuration",title:"Configuration Options",description:"This page focuses on the options that are commonly used when setting up K3s for the first time. Refer to the documentation on Advanced Options and Configuration and the server and agent command documentation for more in-depth coverage.",source:"@site/docs/installation/configuration.md",sourceDirName:"installation",slug:"/installation/configuration",permalink:"/installation/configuration",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/configuration.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Configuration Options"},sidebar:"mySidebar",previous:{title:"Requirements",permalink:"/installation/requirements"},next:{title:"Private Registry Configuration",permalink:"/installation/private-registry"}},l={},c=[{value:"Configuration with install script",id:"configuration-with-install-script",level:2},{value:"Configuration with binary",id:"configuration-with-binary",level:2},{value:"Configuration File",id:"configuration-file",level:2},{value:"Multiple Config Files",id:"multiple-config-files",level:3},{value:"Putting it all together",id:"putting-it-all-together",level:2}];function d(e){const n={a:"a",admonition:"admonition",br:"br",code:"code",h2:"h2",h3:"h3",li:"li",p:"p",pre:"pre",ul:"ul",...(0,t.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsxs)(n.p,{children:["This page focuses on the options that are commonly used when setting up K3s for the first time. Refer to the documentation on ",(0,s.jsx)(n.a,{href:"/advanced",children:"Advanced Options and Configuration"})," and the ",(0,s.jsx)(n.a,{href:"/cli/server",children:"server"})," and ",(0,s.jsx)(n.a,{href:"/cli/agent",children:"agent"})," command documentation for more in-depth coverage."]}),"\n",(0,s.jsx)(n.h2,{id:"configuration-with-install-script",children:"Configuration with install script"}),"\n",(0,s.jsxs)(n.p,{children:["As mentioned in the ",(0,s.jsx)(n.a,{href:"/quick-start",children:"Quick-Start Guide"}),", you can use the installation script available at ",(0,s.jsx)(n.a,{href:"https://get.k3s.io",children:"https://get.k3s.io"})," to install K3s as a service on systemd and openrc based systems."]}),"\n",(0,s.jsxs)(n.p,{children:["You can use a combination of ",(0,s.jsx)(n.code,{children:"INSTALL_K3S_EXEC"}),", ",(0,s.jsx)(n.code,{children:"K3S_"})," environment variables, and command flags to pass configuration to the service configuration.\nThe prefixed environment variables, ",(0,s.jsx)(n.code,{children:"INSTALL_K3S_EXEC"})," value, and trailing shell arguments are all persisted into the service configuration.\nAfter installation, configuration may be altered by editing the environment file, editing the service configuration, or simply re-running the installer with new options."]}),"\n",(0,s.jsx)(n.p,{children:"To illustrate this, the following commands all result in the same behavior of registering a server without flannel and with a token:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="server" sh -s - --flannel-backend none --token 12345\ncurl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="server --flannel-backend none" K3S_TOKEN=12345 sh -s -\ncurl -sfL https://get.k3s.io | K3S_TOKEN=12345 sh -s - server --flannel-backend none\n# server is assumed below because there is no K3S_URL\ncurl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="--flannel-backend none --token 12345" sh -s - \ncurl -sfL https://get.k3s.io | sh -s - --flannel-backend none --token 12345\n'})}),"\n",(0,s.jsx)(n.p,{children:"When registering an agent, the following commands all result in the same behavior:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="agent --server https://k3s.example.com --token mypassword" sh -s -\ncurl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="agent" K3S_TOKEN="mypassword" sh -s - --server https://k3s.example.com\ncurl -sfL https://get.k3s.io | K3S_URL=https://k3s.example.com sh -s - agent --token mypassword\ncurl -sfL https://get.k3s.io | K3S_URL=https://k3s.example.com K3S_TOKEN=mypassword sh -s - # agent is assumed because of K3S_URL\n'})}),"\n",(0,s.jsxs)(n.p,{children:["For details on all environment variables, see ",(0,s.jsx)(n.a,{href:"/reference/env-variables",children:"Environment Variables."})]}),"\n",(0,s.jsxs)(n.admonition,{title:"Note",type:"info",children:[(0,s.jsx)(n.p,{children:"If you set configuration when running the install script, but do not set it again when re-running the install script, the original values will be lost."}),(0,s.jsxs)(n.p,{children:["The contents of the ",(0,s.jsx)(n.a,{href:"#configuration-file",children:"configuration file"})," are not managed by the install script.\nIf you want your configuration to be independent from the install script, you should use a configuration file instead of passing environment variables or arguments to the install script."]})]}),"\n",(0,s.jsx)(n.h2,{id:"configuration-with-binary",children:"Configuration with binary"}),"\n",(0,s.jsxs)(n.p,{children:["As stated, the installation script is primarily concerned with configuring K3s to run as a service.",(0,s.jsx)(n.br,{}),"\n","If you choose to not use the script, you can run K3s simply by downloading the binary from our ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases/latest",children:"release page"}),", placing it on your path, and executing it. This is not particularly useful for permanent installations, but may be useful when performing quick tests that do not merit managing K3s as a system service."]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"curl -Lo /usr/local/bin/k3s https://github.com/k3s-io/k3s/releases/download/v1.26.5+k3s1/k3s; chmod a+x /usr/local/bin/k3s\n"})}),"\n",(0,s.jsxs)(n.p,{children:["You can pass configuration by setting ",(0,s.jsx)(n.code,{children:"K3S_"})," environment variables:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'K3S_KUBECONFIG_MODE="644" k3s server\n'})}),"\n",(0,s.jsx)(n.p,{children:"Or command flags:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"k3s server --write-kubeconfig-mode=644\n"})}),"\n",(0,s.jsx)(n.p,{children:"The k3s agent can also be configured this way:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"k3s agent --server https://k3s.example.com --token mypassword\n"})}),"\n",(0,s.jsxs)(n.p,{children:["For details on configuring the K3s server, see the ",(0,s.jsxs)(n.a,{href:"/cli/server",children:[(0,s.jsx)(n.code,{children:"k3s server"})," documentation"]}),".",(0,s.jsx)(n.br,{}),"\n","For details on configuring the K3s agent, see the ",(0,s.jsxs)(n.a,{href:"/cli/agent",children:[(0,s.jsx)(n.code,{children:"k3s agent"})," documentation"]}),".",(0,s.jsx)(n.br,{}),"\n","You can also use the ",(0,s.jsx)(n.code,{children:"--help"})," flag to see a list of all available options, and their corresponding environment variables."]}),"\n",(0,s.jsx)(n.admonition,{title:"Matching Flags",type:"info",children:(0,s.jsxs)(n.p,{children:["It is important to match critical flags on your server nodes. For example, if you use the flag\n",(0,s.jsx)(n.code,{children:"--disable servicelb"})," or ",(0,s.jsx)(n.code,{children:"--cluster-cidr=10.200.0.0/16"})," on your master node, but don't set it on other server nodes, the nodes will fail to join. They will print errors such as:\n",(0,s.jsx)(n.code,{children:"failed to validate server configuration: critical configuration value mismatch."}),"\nSee the Server Configuration documentation (linked above) for more information on which flags must be set identically on server nodes."]})}),"\n",(0,s.jsx)(n.h2,{id:"configuration-file",children:"Configuration File"}),"\n",(0,s.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,s.jsxs)(n.p,{children:["Available as of ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.19.1%2Bk3s1",children:"v1.19.1+k3s1"})]})}),"\n",(0,s.jsx)(n.p,{children:"In addition to configuring K3s with environment variables and CLI arguments, K3s can also use a config file."}),"\n",(0,s.jsxs)(n.p,{children:["By default, values present in a YAML file located at ",(0,s.jsx)(n.code,{children:"/etc/rancher/k3s/config.yaml"})," will be used on install."]}),"\n",(0,s.jsxs)(n.p,{children:["An example of a basic ",(0,s.jsx)(n.code,{children:"server"})," config file is below:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:'write-kubeconfig-mode: "0644"\ntls-san:\n - "foo.local"\nnode-label:\n - "foo=bar"\n - "something=amazing"\ncluster-init: true\n'})}),"\n",(0,s.jsx)(n.p,{children:"This is equivalent to the following CLI arguments:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'k3s server \\\n --write-kubeconfig-mode "0644" \\\n --tls-san "foo.local" \\\n --node-label "foo=bar" \\\n --node-label "something=amazing" \\\n --cluster-init\n'})}),"\n",(0,s.jsxs)(n.p,{children:["In general, CLI arguments map to their respective YAML key, with repeatable CLI arguments being represented as YAML lists. Boolean flags are represented as ",(0,s.jsx)(n.code,{children:"true"})," or ",(0,s.jsx)(n.code,{children:"false"})," in the YAML file."]}),"\n",(0,s.jsxs)(n.p,{children:["It is also possible to use both a configuration file and CLI arguments. In these situations, values will be loaded from both sources, but CLI arguments will take precedence. For repeatable arguments such as ",(0,s.jsx)(n.code,{children:"--node-label"}),", the CLI arguments will overwrite all values in the list."]}),"\n",(0,s.jsxs)(n.p,{children:["Finally, the location of the config file can be changed either through the CLI argument ",(0,s.jsx)(n.code,{children:"--config FILE, -c FILE"}),", or the environment variable ",(0,s.jsx)(n.code,{children:"$K3S_CONFIG_FILE"}),"."]}),"\n",(0,s.jsx)(n.h3,{id:"multiple-config-files",children:"Multiple Config Files"}),"\n",(0,s.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,s.jsxs)(n.p,{children:["Available as of ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.21.0%2Bk3s1",children:"v1.21.0+k3s1"})]})}),"\n",(0,s.jsxs)(n.p,{children:["Multiple configuration files are supported. By default, configuration files are read from ",(0,s.jsx)(n.code,{children:"/etc/rancher/k3s/config.yaml"})," and ",(0,s.jsx)(n.code,{children:"/etc/rancher/k3s/config.yaml.d/*.yaml"})," in alphabetical order."]}),"\n",(0,s.jsxs)(n.p,{children:["By default, the last value found for a given key will be used. A ",(0,s.jsx)(n.code,{children:"+"})," can be appended to the key to append the value to the existing string or slice, instead of replacing it. All occurrences of this key in subsequent files will also require a ",(0,s.jsx)(n.code,{children:"+"})," to prevent overwriting the accumulated value."]}),"\n",(0,s.jsx)(n.p,{children:"An example of multiple config files is below:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:"# config.yaml\ntoken: boop\nnode-label:\n - foo=bar\n - bar=baz\n\n\n# config.yaml.d/test1.yaml\nwrite-kubeconfig-mode: 600\nnode-taint:\n - alice=bob:NoExecute\n\n# config.yaml.d/test2.yaml\nwrite-kubeconfig-mode: 777\nnode-label:\n - other=what\n - foo=three\nnode-taint+:\n - charlie=delta:NoSchedule\n\n"})}),"\n",(0,s.jsx)(n.p,{children:"This results in a final configuration of:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:"write-kubeconfig-mode: 777\ntoken: boop\nnode-label:\n - other=what\n - foo=three\nnode-taint:\n - alice=bob:NoExecute\n - charlie=delta:NoSchedule\n"})}),"\n",(0,s.jsx)(n.h2,{id:"putting-it-all-together",children:"Putting it all together"}),"\n",(0,s.jsx)(n.p,{children:"All of the above options can be combined into a single example."}),"\n",(0,s.jsxs)(n.p,{children:["A ",(0,s.jsx)(n.code,{children:"config.yaml"})," file is created at ",(0,s.jsx)(n.code,{children:"/etc/rancher/k3s/config.yaml"}),":"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:'token: "secret"\ndebug: true\n'})}),"\n",(0,s.jsx)(n.p,{children:"Then the installation script is run with a combination of environment variables and flags:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'curl -sfL https://get.k3s.io | K3S_KUBECONFIG_MODE="644" INSTALL_K3S_EXEC="server" sh -s - --flannel-backend none\n'})}),"\n",(0,s.jsx)(n.p,{children:"Or if you have already installed the K3s Binary:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'K3S_KUBECONFIG_MODE="644" k3s server --flannel-backend none\n'})}),"\n",(0,s.jsx)(n.p,{children:"This results in a server with:"}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsxs)(n.li,{children:["A kubeconfig file with permissions ",(0,s.jsx)(n.code,{children:"644"})]}),"\n",(0,s.jsxs)(n.li,{children:["Flannel backend set to ",(0,s.jsx)(n.code,{children:"none"})]}),"\n",(0,s.jsxs)(n.li,{children:["The token set to ",(0,s.jsx)(n.code,{children:"secret"})]}),"\n",(0,s.jsx)(n.li,{children:"Debug logging enabled"}),"\n"]})]})}function h(e={}){const{wrapper:n}={...(0,t.a)(),...e.components};return n?(0,s.jsx)(n,{...e,children:(0,s.jsx)(d,{...e})}):d(e)}},1151:(e,n,i)=>{i.d(n,{Z:()=>r,a:()=>o});var s=i(7294);const t={},a=s.createContext(t);function o(e){const n=s.useContext(a);return s.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function r(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:o(e.components),s.createElement(a.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/97c4f258.1bf9809c.js b/assets/js/97c4f258.1bf9809c.js deleted file mode 100644 index 6095a07fd..000000000 --- a/assets/js/97c4f258.1bf9809c.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[305],{8486:(e,n,i)=>{i.r(n),i.d(n,{assets:()=>l,contentTitle:()=>o,default:()=>h,frontMatter:()=>a,metadata:()=>r,toc:()=>c});var s=i(5893),t=i(1151);const a={title:"Configuration Options"},o=void 0,r={id:"installation/configuration",title:"Configuration Options",description:"This page focuses on the options that are commonly used when setting up K3s for the first time. Refer to the documentation on Advanced Options and Configuration and the server and agent command documentation for more in-depth coverage.",source:"@site/docs/installation/configuration.md",sourceDirName:"installation",slug:"/installation/configuration",permalink:"/installation/configuration",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/configuration.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Configuration Options"},sidebar:"mySidebar",previous:{title:"Requirements",permalink:"/installation/requirements"},next:{title:"Private Registry Configuration",permalink:"/installation/private-registry"}},l={},c=[{value:"Configuration with install script",id:"configuration-with-install-script",level:2},{value:"Configuration with binary",id:"configuration-with-binary",level:2},{value:"Configuration File",id:"configuration-file",level:2},{value:"Multiple Config Files",id:"multiple-config-files",level:3},{value:"Putting it all together",id:"putting-it-all-together",level:2}];function d(e){const n={a:"a",admonition:"admonition",br:"br",code:"code",h2:"h2",h3:"h3",li:"li",p:"p",pre:"pre",ul:"ul",...(0,t.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsxs)(n.p,{children:["This page focuses on the options that are commonly used when setting up K3s for the first time. Refer to the documentation on ",(0,s.jsx)(n.a,{href:"/advanced",children:"Advanced Options and Configuration"})," and the ",(0,s.jsx)(n.a,{href:"/cli/server",children:"server"})," and ",(0,s.jsx)(n.a,{href:"/cli/agent",children:"agent"})," command documentation for more in-depth coverage."]}),"\n",(0,s.jsx)(n.h2,{id:"configuration-with-install-script",children:"Configuration with install script"}),"\n",(0,s.jsxs)(n.p,{children:["As mentioned in the ",(0,s.jsx)(n.a,{href:"/quick-start",children:"Quick-Start Guide"}),", you can use the installation script available at ",(0,s.jsx)(n.a,{href:"https://get.k3s.io",children:"https://get.k3s.io"})," to install K3s as a service on systemd and openrc based systems."]}),"\n",(0,s.jsxs)(n.p,{children:["You can use a combination of ",(0,s.jsx)(n.code,{children:"INSTALL_K3S_EXEC"}),", ",(0,s.jsx)(n.code,{children:"K3S_"})," environment variables, and command flags to pass configuration to the service configuration.\nThe prefixed environment variables, ",(0,s.jsx)(n.code,{children:"INSTALL_K3S_EXEC"})," value, and trailing shell arguments are all persisted into the service configuration.\nAfter installation, configuration may be altered by editing the environment file, editing the service configuration, or simply re-running the installer with new options."]}),"\n",(0,s.jsx)(n.p,{children:"To illustrate this, the following commands all result in the same behavior of registering a server without flannel and with a token:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="server" sh -s - --flannel-backend none --token 12345\ncurl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="server --flannel-backend none" K3S_TOKEN=12345 sh -s -\ncurl -sfL https://get.k3s.io | K3S_TOKEN=12345 sh -s - server --flannel-backend none\n# server is assumed below because there is no K3S_URL\ncurl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="--flannel-backend none --token 12345" sh -s - \ncurl -sfL https://get.k3s.io | sh -s - --flannel-backend none --token 12345\n'})}),"\n",(0,s.jsx)(n.p,{children:"When registering an agent, the following commands all result in the same behavior:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="agent --server https://k3s.example.com --token mypassword" sh -s -\ncurl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="agent" K3S_TOKEN="mypassword" sh -s - --server https://k3s.example.com\ncurl -sfL https://get.k3s.io | K3S_URL=https://k3s.example.com sh -s - agent --token mypassword\ncurl -sfL https://get.k3s.io | K3S_URL=https://k3s.example.com K3S_TOKEN=mypassword sh -s - # agent is assumed because of K3S_URL\n'})}),"\n",(0,s.jsxs)(n.p,{children:["For details on all environment variables, see ",(0,s.jsx)(n.a,{href:"/reference/env-variables",children:"Environment Variables."})]}),"\n",(0,s.jsxs)(n.admonition,{title:"Note",type:"info",children:[(0,s.jsx)(n.p,{children:"If you set configuration when running the install script, but do not set it again when re-running the install script, the original values will be lost."}),(0,s.jsxs)(n.p,{children:["The contents of the ",(0,s.jsx)(n.a,{href:"#configuration-file",children:"configuration file"})," are not managed by the install script.\nIf you want your configuration to be independent from the install script, you should use a configuration file instead of passing environment variables or arguments to the install script."]})]}),"\n",(0,s.jsx)(n.h2,{id:"configuration-with-binary",children:"Configuration with binary"}),"\n",(0,s.jsxs)(n.p,{children:["As stated, the installation script is primarily concerned with configuring K3s to run as a service.",(0,s.jsx)(n.br,{}),"\n","If you choose to not use the script, you can run K3s simply by downloading the binary from our ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases/latest",children:"release page"}),", placing it on your path, and executing it. This is not particularly useful for permanent installations, but may be useful when performing quick tests that do not merit managing K3s as a system service."]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"curl -Lo /usr/local/bin/k3s https://github.com/k3s-io/k3s/releases/download/v1.26.5+k3s1/k3s; chmod a+x /usr/local/bin/k3s\n"})}),"\n",(0,s.jsxs)(n.p,{children:["You can pass configuration by setting ",(0,s.jsx)(n.code,{children:"K3S_"})," environment variables:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'K3S_KUBECONFIG_MODE="644" k3s server\n'})}),"\n",(0,s.jsx)(n.p,{children:"Or command flags:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"k3s server --write-kubeconfig-mode=644\n"})}),"\n",(0,s.jsx)(n.p,{children:"The k3s agent can also be configured this way:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"k3s agent --server https://k3s.example.com --token mypassword\n"})}),"\n",(0,s.jsxs)(n.p,{children:["For details on configuring the K3s server, see the ",(0,s.jsxs)(n.a,{href:"/cli/server",children:[(0,s.jsx)(n.code,{children:"k3s server"})," documentation"]}),".",(0,s.jsx)(n.br,{}),"\n","For details on configuring the K3s agent, see the ",(0,s.jsxs)(n.a,{href:"/cli/agent",children:[(0,s.jsx)(n.code,{children:"k3s agent"})," documentation"]}),".",(0,s.jsx)(n.br,{}),"\n","You can also use the ",(0,s.jsx)(n.code,{children:"--help"})," flag to see a list of all available options, and their corresponding environment variables."]}),"\n",(0,s.jsx)(n.admonition,{title:"Matching Flags",type:"info",children:(0,s.jsxs)(n.p,{children:["It is important to match critical flags on your server nodes. For example, if you use the flag\n",(0,s.jsx)(n.code,{children:"--disable servicelb"})," or ",(0,s.jsx)(n.code,{children:"--cluster-cidr=10.200.0.0/16"})," on your master node, but don't set it on other server nodes, the nodes will fail to join. They will print errors such as:\n",(0,s.jsx)(n.code,{children:"failed to validate server configuration: critical configuration value mismatch."}),"\nSee the Server Configuration documentation (linked above) for more information on which flags must be set identically on server nodes."]})}),"\n",(0,s.jsx)(n.h2,{id:"configuration-file",children:"Configuration File"}),"\n",(0,s.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,s.jsxs)(n.p,{children:["Available as of ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.19.1%2Bk3s1",children:"v1.19.1+k3s1"})]})}),"\n",(0,s.jsx)(n.p,{children:"In addition to configuring K3s with environment variables and CLI arguments, K3s can also use a config file."}),"\n",(0,s.jsxs)(n.p,{children:["By default, values present in a YAML file located at ",(0,s.jsx)(n.code,{children:"/etc/rancher/k3s/config.yaml"})," will be used on install."]}),"\n",(0,s.jsxs)(n.p,{children:["An example of a basic ",(0,s.jsx)(n.code,{children:"server"})," config file is below:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:'write-kubeconfig-mode: "0644"\ntls-san:\n - "foo.local"\nnode-label:\n - "foo=bar"\n - "something=amazing"\ncluster-init: true\n'})}),"\n",(0,s.jsx)(n.p,{children:"This is equivalent to the following CLI arguments:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'k3s server \\\n --write-kubeconfig-mode "0644" \\\n --tls-san "foo.local" \\\n --node-label "foo=bar" \\\n --node-label "something=amazing" \\\n --cluster-init\n'})}),"\n",(0,s.jsxs)(n.p,{children:["In general, CLI arguments map to their respective YAML key, with repeatable CLI arguments being represented as YAML lists. Boolean flags are represented as ",(0,s.jsx)(n.code,{children:"true"})," or ",(0,s.jsx)(n.code,{children:"false"})," in the YAML file."]}),"\n",(0,s.jsxs)(n.p,{children:["It is also possible to use both a configuration file and CLI arguments. In these situations, values will be loaded from both sources, but CLI arguments will take precedence. For repeatable arguments such as ",(0,s.jsx)(n.code,{children:"--node-label"}),", the CLI arguments will overwrite all values in the list."]}),"\n",(0,s.jsxs)(n.p,{children:["Finally, the location of the config file can be changed either through the CLI argument ",(0,s.jsx)(n.code,{children:"--config FILE, -c FILE"}),", or the environment variable ",(0,s.jsx)(n.code,{children:"$K3S_CONFIG_FILE"}),"."]}),"\n",(0,s.jsx)(n.h3,{id:"multiple-config-files",children:"Multiple Config Files"}),"\n",(0,s.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,s.jsxs)(n.p,{children:["Available as of ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.21.0%2Bk3s1",children:"v1.21.0+k3s1"})]})}),"\n",(0,s.jsxs)(n.p,{children:["Multiple configuration files are supported. By default, configuration files are read from ",(0,s.jsx)(n.code,{children:"/etc/rancher/k3s/config.yaml"})," and ",(0,s.jsx)(n.code,{children:"/etc/rancher/k3s/config.yaml.d/*.yaml"})," in alphabetical order."]}),"\n",(0,s.jsxs)(n.p,{children:["By default, the last value found for a given key will be used. A ",(0,s.jsx)(n.code,{children:"+"})," can be appended to the key to append the value to the existing string or slice, instead of replacing it. All occurrences of this key in subsequent files will also require a ",(0,s.jsx)(n.code,{children:"+"})," to prevent overwriting the accumulated value."]}),"\n",(0,s.jsx)(n.p,{children:"An example of multiple config files is below:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:"# config.yaml\ntoken: boop\nnode-label:\n - foo=bar\n - bar=baz\n\n\n# config.yaml.d/test1.yaml\nwrite-kubeconfig-mode: 600\nnode-taint:\n - alice=bob:NoExecute\n\n# config.yaml.d/test2.yaml\nwrite-kubeconfig-mode: 777\nnode-label:\n - other=what\n - foo=three\nnode-taint+:\n - charlie=delta:NoSchedule\n\n"})}),"\n",(0,s.jsx)(n.p,{children:"This results in a final configuration of:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:"write-kubeconfig-mode: 777\ntoken: boop\nnode-label:\n - other=what\n - foo=three\nnode-taint:\n - alice=bob:NoExecute\n - charlie=delta:NoSchedule\n"})}),"\n",(0,s.jsx)(n.h2,{id:"putting-it-all-together",children:"Putting it all together"}),"\n",(0,s.jsx)(n.p,{children:"All of the above options can be combined into a single example."}),"\n",(0,s.jsxs)(n.p,{children:["A ",(0,s.jsx)(n.code,{children:"config.yaml"})," file is created at ",(0,s.jsx)(n.code,{children:"/etc/rancher/k3s/config.yaml"}),":"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:'token: "secret"\ndebug: true\n'})}),"\n",(0,s.jsx)(n.p,{children:"Then the installation script is run with a combination of environment variables and flags:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'curl -sfL https://get.k3s.io | K3S_KUBECONFIG_MODE="644" INSTALL_K3S_EXEC="server" sh -s - --flannel-backend none\n'})}),"\n",(0,s.jsx)(n.p,{children:"Or if you have already installed the K3s Binary:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'K3S_KUBECONFIG_MODE="644" k3s server --flannel-backend none\n'})}),"\n",(0,s.jsx)(n.p,{children:"This results in a server with:"}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsxs)(n.li,{children:["A kubeconfig file with permissions ",(0,s.jsx)(n.code,{children:"644"})]}),"\n",(0,s.jsxs)(n.li,{children:["Flannel backend set to ",(0,s.jsx)(n.code,{children:"none"})]}),"\n",(0,s.jsxs)(n.li,{children:["The token set to ",(0,s.jsx)(n.code,{children:"secret"})]}),"\n",(0,s.jsx)(n.li,{children:"Debug logging enabled"}),"\n"]})]})}function h(e={}){const{wrapper:n}={...(0,t.a)(),...e.components};return n?(0,s.jsx)(n,{...e,children:(0,s.jsx)(d,{...e})}):d(e)}},1151:(e,n,i)=>{i.d(n,{Z:()=>r,a:()=>o});var s=i(7294);const t={},a=s.createContext(t);function o(e){const n=s.useContext(a);return s.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function r(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:o(e.components),s.createElement(a.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/zh/assets/js/985.59c3c4c4.js b/assets/js/985.fc87dcc9.js similarity index 99% rename from zh/assets/js/985.59c3c4c4.js rename to assets/js/985.fc87dcc9.js index fa6dc05fd..70bed5b1a 100644 --- a/zh/assets/js/985.59c3c4c4.js +++ b/assets/js/985.fc87dcc9.js @@ -1790,7 +1790,7 @@ function preorder(g, vs) { } // EXTERNAL MODULE: ./node_modules/dagre-d3-es/src/graphlib/graph.js + 9 modules -var graph = __webpack_require__(2544); +var graph = __webpack_require__(4404); ;// CONCATENATED MODULE: ./node_modules/dagre-d3-es/src/graphlib/alg/prim.js @@ -4353,7 +4353,7 @@ function canonicalize(attrs) { /***/ }), -/***/ 2544: +/***/ 4404: /***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => { @@ -5166,7 +5166,7 @@ function edgeObjToId(isDirected, edgeObj) { /* harmony export */ k: () => (/* reexport safe */ _graph_js__WEBPACK_IMPORTED_MODULE_0__.k) /* harmony export */ }); /* unused harmony export version */ -/* harmony import */ var _graph_js__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(2544); +/* harmony import */ var _graph_js__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(4404); // Includes only the "core" of graphlib diff --git a/assets/js/9e39b1cd.0920eaf2.js b/assets/js/9e39b1cd.0920eaf2.js deleted file mode 100644 index f83ee6437..000000000 --- a/assets/js/9e39b1cd.0920eaf2.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7813],{4016:(e,t,n)=>{n.r(t),n.d(t,{assets:()=>i,contentTitle:()=>d,default:()=>a,frontMatter:()=>c,metadata:()=>o,toc:()=>l});var s=n(5893),r=n(1151);const c={title:"CLI Tools"},d=void 0,o={id:"cli/cli",title:"CLI Tools",description:"The K3s binary contains a number of additional tools the help you manage your cluster.",source:"@site/docs/cli/cli.md",sourceDirName:"cli",slug:"/cli/",permalink:"/cli/",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/cli/cli.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"CLI Tools"},sidebar:"mySidebar",previous:{title:"CIS 1.24 Self Assessment Guide",permalink:"/security/self-assessment-1.24"},next:{title:"server",permalink:"/cli/server"}},i={},l=[];function h(e){const t={a:"a",code:"code",p:"p",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",...(0,r.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(t.p,{children:"The K3s binary contains a number of additional tools the help you manage your cluster."}),"\n",(0,s.jsxs)(t.table,{children:[(0,s.jsx)(t.thead,{children:(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.th,{children:"Command"}),(0,s.jsx)(t.th,{children:"Description"})]})}),(0,s.jsxs)(t.tbody,{children:[(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"k3s server"})}),(0,s.jsxs)(t.td,{children:["Run a K3s server node, which launches the Kubernetes ",(0,s.jsx)(t.code,{children:"apiserver"}),", ",(0,s.jsx)(t.code,{children:"scheduler"}),", ",(0,s.jsx)(t.code,{children:"controller-manager"}),", and ",(0,s.jsx)(t.code,{children:"cloud-controller-manager"})," components, in addition a datastore and the agent components. See the ",(0,s.jsxs)(t.a,{href:"/cli/server",children:[(0,s.jsx)(t.code,{children:"k3s server"})," command documentation"]})," for more information."]})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"k3s agent"})}),(0,s.jsxs)(t.td,{children:["Run the K3s agent node, which launches ",(0,s.jsx)(t.code,{children:"containerd"}),", ",(0,s.jsx)(t.code,{children:"flannel"}),", ",(0,s.jsx)(t.code,{children:"kube-router"})," network policy controller, and the Kubernetes ",(0,s.jsx)(t.code,{children:"kubelet"})," and ",(0,s.jsx)(t.code,{children:"kube-proxy"})," components. See the ",(0,s.jsxs)(t.a,{href:"/cli/agent",children:[(0,s.jsx)(t.code,{children:"k3s agent"})," command documentation"]})," for more information."]})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"k3s kubectl"})}),(0,s.jsxs)(t.td,{children:["Run the embedded ",(0,s.jsxs)(t.a,{href:"https://kubernetes.io/docs/reference/kubectl",children:[(0,s.jsx)(t.code,{children:"kubectl"})," command"]}),". This is a CLI for interacting with the Kubernetes apiserver. If the ",(0,s.jsx)(t.code,{children:"KUBECONFIG"})," environment variable is not set, this will automatically attempt to use the kubeconfig at ",(0,s.jsx)(t.code,{children:"/etc/rancher/k3s/k3s.yaml"}),"."]})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"k3s crictl"})}),(0,s.jsxs)(t.td,{children:["Run the embedded ",(0,s.jsxs)(t.a,{href:"https://github.com/kubernetes-sigs/cri-tools/blob/master/docs/crictl.md",children:[(0,s.jsx)(t.code,{children:"crictl"})," command"]}),". This is a CLI for interacting with Kubernetes's container runtime interface (CRI). Useful for debugging."]})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"k3s ctr"})}),(0,s.jsxs)(t.td,{children:["Run the embedded ",(0,s.jsxs)(t.a,{href:"https://github.com/projectatomic/containerd/blob/master/docs/cli.md",children:[(0,s.jsx)(t.code,{children:"ctr"})," command"]}),". This is a CLI for containerd, the container daemon used by K3s. Useful for debugging."]})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"k3s token"})}),(0,s.jsxs)(t.td,{children:["Manage bootstrap tokens. See the ",(0,s.jsxs)(t.a,{href:"/cli/token",children:[(0,s.jsx)(t.code,{children:"k3s token"})," command documentation"]})," for more information."]})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"k3s etcd-snapshot"})}),(0,s.jsxs)(t.td,{children:["Perform on demand backups of the K3s cluster data and upload to S3. See the ",(0,s.jsxs)(t.a,{href:"/cli/etcd-snapshot",children:[(0,s.jsx)(t.code,{children:"k3s etcd-snapshot"})," command documentation"]})," for more information."]})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"k3s secrets-encrypt"})}),(0,s.jsxs)(t.td,{children:["Configure K3s to encrypt secrets when storing them in the cluster. See the ",(0,s.jsxs)(t.a,{href:"/cli/secrets-encrypt",children:[(0,s.jsx)(t.code,{children:"k3s secrets-encrypt"})," command documentation"]})," for more information."]})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"k3s certificate"})}),(0,s.jsxs)(t.td,{children:["Manage K3s certificates. See the ",(0,s.jsxs)(t.a,{href:"/cli/certificate",children:[(0,s.jsx)(t.code,{children:"k3s certificate"})," command documentation"]})," for more information."]})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"k3s completion"})}),(0,s.jsx)(t.td,{children:"Generate shell completion scripts for k3s"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"k3s help"})}),(0,s.jsx)(t.td,{children:"Shows a list of commands or help for one command"})]})]})]})]})}function a(e={}){const{wrapper:t}={...(0,r.a)(),...e.components};return t?(0,s.jsx)(t,{...e,children:(0,s.jsx)(h,{...e})}):h(e)}},1151:(e,t,n)=>{n.d(t,{Z:()=>o,a:()=>d});var s=n(7294);const r={},c=s.createContext(r);function d(e){const t=s.useContext(c);return s.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function o(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:d(e.components),s.createElement(c.Provider,{value:t},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/9e39b1cd.e6fc251b.js b/assets/js/9e39b1cd.e6fc251b.js new file mode 100644 index 000000000..f0327cfcd --- /dev/null +++ b/assets/js/9e39b1cd.e6fc251b.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7813],{4016:(e,t,n)=>{n.r(t),n.d(t,{assets:()=>i,contentTitle:()=>d,default:()=>a,frontMatter:()=>c,metadata:()=>o,toc:()=>l});var s=n(5893),r=n(1151);const c={title:"CLI Tools"},d=void 0,o={id:"cli/cli",title:"CLI Tools",description:"The K3s binary contains a number of additional tools the help you manage your cluster.",source:"@site/docs/cli/cli.md",sourceDirName:"cli",slug:"/cli/",permalink:"/cli/",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/cli/cli.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"CLI Tools"},sidebar:"mySidebar",previous:{title:"CIS 1.24 Self Assessment Guide",permalink:"/security/self-assessment-1.24"},next:{title:"server",permalink:"/cli/server"}},i={},l=[];function h(e){const t={a:"a",code:"code",p:"p",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",...(0,r.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(t.p,{children:"The K3s binary contains a number of additional tools the help you manage your cluster."}),"\n",(0,s.jsxs)(t.table,{children:[(0,s.jsx)(t.thead,{children:(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.th,{children:"Command"}),(0,s.jsx)(t.th,{children:"Description"})]})}),(0,s.jsxs)(t.tbody,{children:[(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"k3s server"})}),(0,s.jsxs)(t.td,{children:["Run a K3s server node, which launches the Kubernetes ",(0,s.jsx)(t.code,{children:"apiserver"}),", ",(0,s.jsx)(t.code,{children:"scheduler"}),", ",(0,s.jsx)(t.code,{children:"controller-manager"}),", and ",(0,s.jsx)(t.code,{children:"cloud-controller-manager"})," components, in addition a datastore and the agent components. See the ",(0,s.jsxs)(t.a,{href:"/cli/server",children:[(0,s.jsx)(t.code,{children:"k3s server"})," command documentation"]})," for more information."]})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"k3s agent"})}),(0,s.jsxs)(t.td,{children:["Run the K3s agent node, which launches ",(0,s.jsx)(t.code,{children:"containerd"}),", ",(0,s.jsx)(t.code,{children:"flannel"}),", ",(0,s.jsx)(t.code,{children:"kube-router"})," network policy controller, and the Kubernetes ",(0,s.jsx)(t.code,{children:"kubelet"})," and ",(0,s.jsx)(t.code,{children:"kube-proxy"})," components. See the ",(0,s.jsxs)(t.a,{href:"/cli/agent",children:[(0,s.jsx)(t.code,{children:"k3s agent"})," command documentation"]})," for more information."]})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"k3s kubectl"})}),(0,s.jsxs)(t.td,{children:["Run the embedded ",(0,s.jsxs)(t.a,{href:"https://kubernetes.io/docs/reference/kubectl",children:[(0,s.jsx)(t.code,{children:"kubectl"})," command"]}),". This is a CLI for interacting with the Kubernetes apiserver. If the ",(0,s.jsx)(t.code,{children:"KUBECONFIG"})," environment variable is not set, this will automatically attempt to use the kubeconfig at ",(0,s.jsx)(t.code,{children:"/etc/rancher/k3s/k3s.yaml"}),"."]})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"k3s crictl"})}),(0,s.jsxs)(t.td,{children:["Run the embedded ",(0,s.jsxs)(t.a,{href:"https://github.com/kubernetes-sigs/cri-tools/blob/master/docs/crictl.md",children:[(0,s.jsx)(t.code,{children:"crictl"})," command"]}),". This is a CLI for interacting with Kubernetes's container runtime interface (CRI). Useful for debugging."]})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"k3s ctr"})}),(0,s.jsxs)(t.td,{children:["Run the embedded ",(0,s.jsxs)(t.a,{href:"https://github.com/projectatomic/containerd/blob/master/docs/cli.md",children:[(0,s.jsx)(t.code,{children:"ctr"})," command"]}),". This is a CLI for containerd, the container daemon used by K3s. Useful for debugging."]})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"k3s token"})}),(0,s.jsxs)(t.td,{children:["Manage bootstrap tokens. See the ",(0,s.jsxs)(t.a,{href:"/cli/token",children:[(0,s.jsx)(t.code,{children:"k3s token"})," command documentation"]})," for more information."]})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"k3s etcd-snapshot"})}),(0,s.jsxs)(t.td,{children:["Perform on demand backups of the K3s cluster data and upload to S3. See the ",(0,s.jsxs)(t.a,{href:"/cli/etcd-snapshot",children:[(0,s.jsx)(t.code,{children:"k3s etcd-snapshot"})," command documentation"]})," for more information."]})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"k3s secrets-encrypt"})}),(0,s.jsxs)(t.td,{children:["Configure K3s to encrypt secrets when storing them in the cluster. See the ",(0,s.jsxs)(t.a,{href:"/cli/secrets-encrypt",children:[(0,s.jsx)(t.code,{children:"k3s secrets-encrypt"})," command documentation"]})," for more information."]})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"k3s certificate"})}),(0,s.jsxs)(t.td,{children:["Manage K3s certificates. See the ",(0,s.jsxs)(t.a,{href:"/cli/certificate",children:[(0,s.jsx)(t.code,{children:"k3s certificate"})," command documentation"]})," for more information."]})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"k3s completion"})}),(0,s.jsx)(t.td,{children:"Generate shell completion scripts for k3s"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"k3s help"})}),(0,s.jsx)(t.td,{children:"Shows a list of commands or help for one command"})]})]})]})]})}function a(e={}){const{wrapper:t}={...(0,r.a)(),...e.components};return t?(0,s.jsx)(t,{...e,children:(0,s.jsx)(h,{...e})}):h(e)}},1151:(e,t,n)=>{n.d(t,{Z:()=>o,a:()=>d});var s=n(7294);const r={},c=s.createContext(r);function d(e){const t=s.useContext(c);return s.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function o(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:d(e.components),s.createElement(c.Provider,{value:t},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/9e7a009d.bd52ca75.js b/assets/js/9e7a009d.bd52ca75.js new file mode 100644 index 000000000..b8f27e3b4 --- /dev/null +++ b/assets/js/9e7a009d.bd52ca75.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7251],{6253:(e,s,t)=>{t.r(s),t.d(s,{assets:()=>c,contentTitle:()=>l,default:()=>o,frontMatter:()=>n,metadata:()=>h,toc:()=>d});var i=t(5893),r=t(1151);const n={hide_table_of_contents:!0,sidebar_position:6},l="v1.25.X",h={id:"release-notes/v1.25.X",title:"v1.25.X",description:"Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.",source:"@site/docs/release-notes/v1.25.X.md",sourceDirName:"release-notes",slug:"/release-notes/v1.25.X",permalink:"/release-notes/v1.25.X",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/release-notes/v1.25.X.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,sidebarPosition:6,frontMatter:{hide_table_of_contents:!0,sidebar_position:6},sidebar:"mySidebar",previous:{title:"v1.26.X",permalink:"/release-notes/v1.26.X"},next:{title:"v1.24.X",permalink:"/release-notes/v1.24.X"}},c={},d=[{value:"Release v1.25.16+k3s4",id:"release-v12516k3s4",level:2},{value:"Changes since v1.25.15+k3s2:",id:"changes-since-v12515k3s2",level:3},{value:"Release v1.25.15+k3s2",id:"release-v12515k3s2",level:2},{value:"Changes since v1.25.15+k3s1:",id:"changes-since-v12515k3s1",level:3},{value:"Release v1.25.15+k3s1",id:"release-v12515k3s1",level:2},{value:"Changes since v1.25.14+k3s1:",id:"changes-since-v12514k3s1",level:3},{value:"Release v1.25.14+k3s1",id:"release-v12514k3s1",level:2},{value:"Changes since v1.25.13+k3s1:",id:"changes-since-v12513k3s1",level:3},{value:"Release v1.25.13+k3s1",id:"release-v12513k3s1",level:2},{value:"Changes since v1.25.12+k3s1:",id:"changes-since-v12512k3s1",level:3},{value:"Release v1.25.12+k3s1",id:"release-v12512k3s1",level:2},{value:"Changes since v1.25.11+k3s1:",id:"changes-since-v12511k3s1",level:3},{value:"Release v1.25.11+k3s1",id:"release-v12511k3s1",level:2},{value:"Changes since v1.25.10+k3s1:",id:"changes-since-v12510k3s1",level:3},{value:"Release v1.25.10+k3s1",id:"release-v12510k3s1",level:2},{value:"Changes since v1.25.9+k3s1:",id:"changes-since-v1259k3s1",level:3},{value:"Release v1.25.9+k3s1",id:"release-v1259k3s1",level:2},{value:"Changes since v1.25.8+k3s1:",id:"changes-since-v1258k3s1",level:3},{value:"Release v1.25.8+k3s1",id:"release-v1258k3s1",level:2},{value:"Changes since v1.25.7+k3s1:",id:"changes-since-v1257k3s1",level:3},{value:"Release v1.25.7+k3s1",id:"release-v1257k3s1",level:2},{value:"Changes since v1.25.6+k3s1:",id:"changes-since-v1256k3s1",level:3},{value:"Release v1.25.6+k3s1",id:"release-v1256k3s1",level:2},{value:"Changes since v1.25.5+k3s2:",id:"changes-since-v1255k3s2",level:3},{value:"Release v1.25.5+k3s2",id:"release-v1255k3s2",level:2},{value:"Changes since v1.25.5+k3s1:",id:"changes-since-v1255k3s1",level:3},{value:"Release v1.25.5+k3s1",id:"release-v1255k3s1",level:2},{value:"\u26a0\ufe0f WARNING",id:"\ufe0f-warning",level:2},{value:"Changes since v1.25.4+k3s1:",id:"changes-since-v1254k3s1",level:3},{value:"Release v1.25.4+k3s1",id:"release-v1254k3s1",level:2},{value:"Changes since v1.25.3+k3s1:",id:"changes-since-v1253k3s1",level:3},{value:"Release v1.25.3+k3s1",id:"release-v1253k3s1",level:2},{value:"Changes since v1.25.2+k3s1:",id:"changes-since-v1252k3s1",level:3},{value:"Release v1.25.2+k3s1",id:"release-v1252k3s1",level:2},{value:"Changes since v1.25.0+k3s1:",id:"changes-since-v1250k3s1",level:3},{value:"Release v1.25.0+k3s1",id:"release-v1250k3s1",level:2},{value:"Changes since v1.24.4+k3s1:",id:"changes-since-v1244k3s1",level:3}];function a(e){const s={a:"a",admonition:"admonition",blockquote:"blockquote",br:"br",code:"code",h1:"h1",h2:"h2",h3:"h3",header:"header",hr:"hr",li:"li",p:"p",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,r.a)(),...e.components};return(0,i.jsxs)(i.Fragment,{children:[(0,i.jsx)(s.header,{children:(0,i.jsx)(s.h1,{id:"v125x",children:"v1.25.X"})}),"\n",(0,i.jsx)(s.admonition,{title:"Upgrade Notice",type:"warning",children:(0,i.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]})}),"\n",(0,i.jsxs)(s.table,{children:[(0,i.jsx)(s.thead,{children:(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.th,{children:"Version"}),(0,i.jsx)(s.th,{children:"Release date"}),(0,i.jsx)(s.th,{children:"Kubernetes"}),(0,i.jsx)(s.th,{children:"Kine"}),(0,i.jsx)(s.th,{children:"SQLite"}),(0,i.jsx)(s.th,{children:"Etcd"}),(0,i.jsx)(s.th,{children:"Containerd"}),(0,i.jsx)(s.th,{children:"Runc"}),(0,i.jsx)(s.th,{children:"Flannel"}),(0,i.jsx)(s.th,{children:"Metrics-server"}),(0,i.jsx)(s.th,{children:"Traefik"}),(0,i.jsx)(s.th,{children:"CoreDNS"}),(0,i.jsx)(s.th,{children:"Helm-controller"}),(0,i.jsx)(s.th,{children:"Local-path-provisioner"})]})}),(0,i.jsxs)(s.tbody,{children:[(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v12516k3s4",children:"v1.25.16+k3s4"})}),(0,i.jsx)(s.td,{children:"Dec 07 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v12516",children:"v1.25.16"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1",children:"v1.7.7-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v12515k3s2",children:"v1.25.15+k3s2"})}),(0,i.jsx)(s.td,{children:"Nov 08 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v12515",children:"v1.25.15"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1",children:"v1.7.7-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v12515k3s1",children:"v1.25.15+k3s1"})}),(0,i.jsx)(s.td,{children:"Oct 30 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v12515",children:"v1.25.15"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1",children:"v1.7.7-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v12514k3s1",children:"v1.25.14+k3s1"})}),(0,i.jsx)(s.td,{children:"Sep 20 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v12514",children:"v1.25.14"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.6-k3s1",children:"v1.7.6-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v12513k3s1",children:"v1.25.13+k3s1"})}),(0,i.jsx)(s.td,{children:"Sep 05 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v12513",children:"v1.25.13"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.2",children:"v0.10.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.3-k3s1",children:"v1.7.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v12512k3s1",children:"v1.25.12+k3s1"})}),(0,i.jsx)(s.td,{children:"Jul 27 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v12512",children:"v1.25.12"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.0",children:"v0.22.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.2",children:"v0.15.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v12511k3s1",children:"v1.25.11+k3s1"})}),(0,i.jsx)(s.td,{children:"Jun 26 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v12511",children:"v1.25.11"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.0",children:"v0.22.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.0",children:"v0.15.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v12510k3s1",children:"v1.25.10+k3s1"})}),(0,i.jsx)(s.td,{children:"May 26 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v12510",children:"v1.25.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.4",children:"v0.21.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.14.0",children:"v0.14.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v1259k3s1",children:"v1.25.9+k3s1"})}),(0,i.jsx)(s.td,{children:"Apr 20 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1259",children:"v1.25.9"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.19-k3s1",children:"v1.6.19-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.5",children:"v1.1.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.4",children:"v0.21.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.3",children:"v0.13.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v1258k3s1",children:"v1.25.8+k3s1"})}),(0,i.jsx)(s.td,{children:"Mar 27 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1258",children:"v1.25.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.19-k3s1",children:"v1.6.19-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.4",children:"v0.21.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v1257k3s1",children:"v1.25.7+k3s1"})}),(0,i.jsx)(s.td,{children:"Mar 10 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1257",children:"v1.25.7"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.15-k3s1",children:"v1.6.15-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.1",children:"v0.21.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v1256k3s1",children:"v1.25.6+k3s1"})}),(0,i.jsx)(s.td,{children:"Jan 26 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1256",children:"v1.25.6"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.6",children:"v0.9.6"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.15-k3s1",children:"v1.6.15-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.2",children:"v0.20.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v1255k3s2",children:"v1.25.5+k3s2"})}),(0,i.jsx)(s.td,{children:"Jan 11 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1255",children:"v1.25.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.6",children:"v0.9.6"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.14-k3s1",children:"v1.6.14-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.2",children:"v0.20.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v1255k3s1",children:"v1.25.5+k3s1"})}),(0,i.jsx)(s.td,{children:"Dec 20 2022"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1255",children:"v1.25.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.6",children:"v0.9.6"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.12-k3s1",children:"v1.6.12-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.2",children:"v0.20.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v1254k3s1",children:"v1.25.4+k3s1"})}),(0,i.jsx)(s.td,{children:"Nov 18 2022"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1254",children:"v1.25.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.6",children:"v0.9.6"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.8-k3s1",children:"v1.6.8-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.1",children:"v0.20.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.1",children:"v0.6.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.0",children:"v0.13.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v1253k3s1",children:"v1.25.3+k3s1"})}),(0,i.jsx)(s.td,{children:"Oct 25 2022"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1253",children:"v1.25.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.3",children:"v0.9.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_36_0.html",children:"3.36.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.8-k3s1",children:"v1.6.8-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.19.2",children:"v0.19.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.1",children:"v0.6.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.1",children:"v2.9.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.1",children:"v1.9.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.12.3",children:"v0.12.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.21",children:"v0.0.21"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v1252k3s1",children:"v1.25.2+k3s1"})}),(0,i.jsx)(s.td,{children:"Sep 28 2022"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1252",children:"v1.25.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.3",children:"v0.9.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_36_0.html",children:"3.36.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.8-k3s1",children:"v1.6.8-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.19.2",children:"v0.19.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.5.2",children:"v0.5.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.6.2",children:"v2.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.1",children:"v1.9.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.12.3",children:"v0.12.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.21",children:"v0.0.21"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v1250k3s1",children:"v1.25.0+k3s1"})}),(0,i.jsx)(s.td,{children:"Sep 12 2022"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1250",children:"v1.25.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.3",children:"v0.9.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_36_0.html",children:"3.36.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.5.13-k3s2",children:"v1.5.13-k3s2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.3",children:"v1.1.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.19.1",children:"v0.19.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.5.2",children:"v0.5.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.6.2",children:"v2.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.1",children:"v1.9.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.12.3",children:"v0.12.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.21",children:"v0.0.21"})})]})]})]}),"\n",(0,i.jsx)("br",{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12516k3s4",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.16+k3s4",children:"v1.25.16+k3s4"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.16, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v12515",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12515k3s2",children:"Changes since v1.25.15+k3s2:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Etcd status condition ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8819",children:"(#8819)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2023-11 release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8880",children:"(#8880)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["New timezone info in Docker image allows the use of ",(0,i.jsx)(s.code,{children:"spec.timeZone"})," in CronJobs"]}),"\n",(0,i.jsx)(s.li,{children:"Bumped kine to v0.11.0 to resolve issues with postgres and NATS, fix performance of watch channels under heavy load, and improve compatibility with the reference implementation."}),"\n",(0,i.jsxs)(s.li,{children:["Containerd may now be configured to use rdt or blockio configuration by defining ",(0,i.jsx)(s.code,{children:"rdt_config.yaml"})," or ",(0,i.jsx)(s.code,{children:"blockio_config.yaml"})," files."]}),"\n",(0,i.jsx)(s.li,{children:"Add agent flag disable-apiserver-lb, agent will not start load balance proxy."}),"\n",(0,i.jsx)(s.li,{children:"Improved ingress IP ordering from ServiceLB"}),"\n",(0,i.jsx)(s.li,{children:"Disable helm CRD installation for disable-helm-controller"}),"\n",(0,i.jsx)(s.li,{children:"Omit snapshot list configmap entries for snapshots without extra metadata"}),"\n",(0,i.jsx)(s.li,{children:"Add jitter to client config retry to avoid hammering servers when they are starting up"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Handle nil pointer when runtime core is not ready in etcd ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8889",children:"(#8889)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Improve dualStack log ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8867",children:"(#8867)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump dynamiclistener; reduce snapshot controller log spew ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8904",children:"(#8904)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Bumped dynamiclistener to address a race condition that could cause a server to fail to sync its certificates into the Kubernetes secret"}),"\n",(0,i.jsx)(s.li,{children:"Reduced etcd snapshot log spam during initial cluster startup"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix etcd snapshot S3 issues ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8939",children:"(#8939)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Don't apply S3 retention if S3 client failed to initialize"}),"\n",(0,i.jsx)(s.li,{children:"Don't request metadata when listing S3 snapshots"}),"\n",(0,i.jsx)(s.li,{children:"Print key instead of file path in snapshot metadata log message"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.16 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8923",children:"(#8923)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove s390x steps temporarily since runners are disabled ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8993",children:"(#8993)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove s390x from manifest script ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8994",children:"(#8994)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12515k3s2",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.15+k3s2",children:"v1.25.15+k3s2"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.15, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v12515",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12515k3s1",children:"Changes since v1.25.15+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["E2E Domain Drone Cleanup ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8584",children:"(#8584)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix SystemdCgroup in templates_linux.go ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8767",children:"(#8767)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fixed an issue with identifying additional container runtimes"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update traefik chart to v25.0.0 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8777",children:"(#8777)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update traefik to fix registry value ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8791",children:"(#8791)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12515k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.15+k3s1",children:"v1.25.15+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.15, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v12514",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12514k3s1",children:"Changes since v1.25.14+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Fix error reporting ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8413",children:"(#8413)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add context to flannel errors ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8421",children:"(#8421)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Testing Backports for September ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8301",children:"(#8301)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Include the interface name in the error message ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8437",children:"(#8437)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add extraArgs to tailscale ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8466",children:"(#8466)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update kube-router ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8445",children:"(#8445)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Added error when cluster reset while using server flag ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8457",children:"(#8457)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The user will receive a error when --cluster-reset with the --server flag"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Cluster reset from non bootstrap nodes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8454",children:"(#8454)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix spellcheck problem ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8511",children:"(#8511)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Take IPFamily precedence based on order ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8506",children:"(#8506)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Network defaults are duplicated, remove one ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8553",children:"(#8553)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Advertise address integration test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8518",children:"(#8518)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fixed tailscale node IP dualstack mode in case of IPv4 only node ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8560",children:"(#8560)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Server Token Rotation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8578",children:"(#8578)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Users can now rotate the server token using ",(0,i.jsx)(s.code,{children:"k3s token rotate -t <OLD_TOKEN> --new-token <NEW_TOKEN>"}),". After command succeeds, all server nodes must be restarted with the new token."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Clear remove annotations on cluster reset ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8589",children:"(#8589)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fixed an issue that could cause k3s to attempt to remove members from the etcd cluster immediately following a cluster-reset/restore, if they were queued for removal at the time the snapshot was taken."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Use IPv6 in case is the first configured IP with dualstack ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8599",children:"(#8599)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2023-10 release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8617",children:"(#8617)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update kube-router package in build script ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8636",children:"(#8636)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add etcd-only/control-plane-only server test and fix control-plane-only server crash ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8644",children:"(#8644)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Windows agent support ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8646",children:"(#8646)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Use ",(0,i.jsx)(s.code,{children:"version.Program"})," not K3s in token rotate logs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8654",children:"(#8654)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add --image-service-endpoint flag (#8279) ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8664",children:"(#8664)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Add ",(0,i.jsx)(s.code,{children:"--image-service-endpoint"})," flag to specify an external image service socket."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Backport etcd fixes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8692",children:"(#8692)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Re-enable etcd endpoint auto-sync"}),"\n",(0,i.jsx)(s.li,{children:"Manually requeue configmap reconcile when no nodes have reconciled snapshots"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.15 and Go to v1.20.10 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8679",children:"(#8679)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix s3 snapshot restore ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8735",children:"(#8735)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12514k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.14+k3s1",children:"v1.25.14+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.14, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v12513",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12513k3s1",children:"Changes since v1.25.13+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Bump kine to v0.10.3 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8326",children:"(#8326)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update Kubernetes to v1.25.14 and go to 1.20.8 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8350",children:"(#8350)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backport containerd bump and and test fixes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8384",children:"(#8384)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Bump embedded containerd to v1.7.6"}),"\n",(0,i.jsx)(s.li,{children:"Bump embedded stargz-snapshotter plugin to latest"}),"\n",(0,i.jsx)(s.li,{children:"Fixed intermittent drone CI failures due to race conditions in test environment setup scripts"}),"\n",(0,i.jsx)(s.li,{children:"Fixed CI failures due to changes to api discovery changes in Kubernetes 1.28"}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12513k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.13+k3s1",children:"v1.25.13+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.13, and fixes a number of issues."}),"\n",(0,i.jsx)(s.admonition,{title:"Important",type:"warning",children:(0,i.jsxs)(s.p,{children:["This release includes support for remediating CVE-2023-32187, a potential Denial of Service attack vector on K3s servers. See ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2",children:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2"})," for more information, including mandatory steps necessary to harden clusters against this vulnerability."]})}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v12512",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12512k3s1",children:"Changes since v1.25.12+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Update flannel and plugins ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8076",children:"(#8076)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix tailscale bug with ip modes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8098",children:"(#8098)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Etcd snapshots retention when node name changes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8123",children:"(#8123)"})]}),"\n",(0,i.jsxs)(s.li,{children:["August Test Backports ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8127",children:"(#8127)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2023-08 release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8132",children:"(#8132)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"K3s's external apiserver listener now declines to add to its certificate any subject names not associated with the kubernetes apiserver service, server nodes, or values of the --tls-san option. This prevents the certificate's SAN list from being filled with unwanted entries."}),"\n",(0,i.jsxs)(s.li,{children:["K3s no longer enables the apiserver's ",(0,i.jsx)(s.code,{children:"enable-aggregator-routing"})," flag when the egress proxy is not being used to route connections to in-cluster endpoints."]}),"\n",(0,i.jsx)(s.li,{children:"Updated the embedded containerd to v1.7.3+k3s1"}),"\n",(0,i.jsx)(s.li,{children:"Updated the embedded runc to v1.1.8"}),"\n",(0,i.jsxs)(s.li,{children:["User-provided containerd config templates may now use ",(0,i.jsx)(s.code,{children:'{{ template "base" . }}'})," to include the default K3s template content. This makes it easier to maintain user configuration if the only need is to add additional sections to the file."]}),"\n",(0,i.jsx)(s.li,{children:"Bump docker/docker module version to fix issues with cri-dockerd caused by recent releases of golang rejecting invalid host headers sent by the docker client."}),"\n",(0,i.jsx)(s.li,{children:"Updated kine to v0.10.2"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["K3s etcd-snapshot delete fail to delete local file when called with s3 flag ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8145",children:"(#8145)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix for cluster-reset backup from s3 when etcd snapshots are disabled ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8169",children:"(#8169)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fixed the etcd retention to delete orphaned snapshots based on the date ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8190",children:"(#8190)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Additional backports for 2023-08 release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8213",children:"(#8213)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The version of ",(0,i.jsx)(s.code,{children:"helm"})," used by the bundled helm controller's job image has been updated to v3.12.3"]}),"\n",(0,i.jsx)(s.li,{children:"Bumped dynamiclistener to address an issue that could cause the apiserver/supervisor listener on 6443 to stop serving requests on etcd-only nodes."}),"\n",(0,i.jsx)(s.li,{children:"The K3s external apiserver/supervisor listener on 6443 now sends a complete certificate chain in the TLS handshake."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Move flannel to 0.22.2 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8223",children:"(#8223)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.13 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8241",children:"(#8241)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix runc version bump ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8246",children:"(#8246)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add new CLI flag to enable TLS SAN CN filtering ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8259",children:"(#8259)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Added a new ",(0,i.jsx)(s.code,{children:"--tls-san-security"})," option. This flag defaults to false, but can be set to true to disable automatically adding SANs to the server's TLS certificate to satisfy any hostname requested by a client."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Add RWMutex to address controller ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8275",children:"(#8275)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12512k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.12+k3s1",children:"v1.25.12+k3s1"})]}),"\n",(0,i.jsxs)(s.p,{children:["This release updates Kubernetes to v1.25.12, and fixes a number of issues.",(0,i.jsx)(s.br,{}),"\n","\u200b\r\nFor more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v12511",children:"Kubernetes release notes"}),".\r\n\u200b"]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12511k3s1",children:"Changes since v1.25.11+k3s1:"}),"\n",(0,i.jsx)(s.p,{children:"\u200b"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Remove file_windows.go ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7856",children:"(#7856)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix code spell check ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7860",children:"(#7860)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Allow k3s to customize apiServerPort on helm-controller ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7873",children:"(#7873)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Check if we are on ipv4, ipv6 or dualStack when doing tailscale ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7883",children:"(#7883)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Support setting control server URL for Tailscale. ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7894",children:"(#7894)"})]}),"\n",(0,i.jsxs)(s.li,{children:["S3 and Startup tests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7886",children:"(#7886)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix rootless node password ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7900",children:"(#7900)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2023-07 release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7909",children:"(#7909)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Resolved an issue that caused agents joined with kubeadm-style bootstrap tokens to fail to rejoin the cluster when their node object is deleted."}),"\n",(0,i.jsxs)(s.li,{children:["The ",(0,i.jsx)(s.code,{children:"k3s certificate rotate-ca"})," command now supports the data-dir flag."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Adding cli to custom klipper helm image ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7915",children:"(#7915)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The default helm-controller job image can now be overridden with the --helm-job-image CLI flag"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Generation of certs and keys for etcd gated if etcd is disabled ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7945",children:"(#7945)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Don't use zgrep in ",(0,i.jsx)(s.code,{children:"check-config"})," if apparmor profile is enforced ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7954",children:"(#7954)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix image_scan.sh script and download trivy version (#7950) ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7969",children:"(#7969)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Adjust default kubeconfig file permissions ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7984",children:"(#7984)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.12 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8021",children:"(#8021)"}),"\r\n\u200b"]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12511k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.11+k3s1",children:"v1.25.11+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.11, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v12510",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12510k3s1",children:"Changes since v1.25.10+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Update flannel version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7649",children:"(#7649)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump vagrant libvirt with fix for plugin installs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7659",children:"(#7659)"})]}),"\n",(0,i.jsxs)(s.li,{children:["E2E Backports - June ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7705",children:"(#7705)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Shortcircuit commands with version or help flags #7683"}),"\n",(0,i.jsx)(s.li,{children:"Add Rotation certification Check, remove func to restart agents #7097"}),"\n",(0,i.jsx)(s.li,{children:"E2E: Sudo for RunCmdOnNode #7686"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Add private registry e2e test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7722",children:"(#7722)"})]}),"\n",(0,i.jsxs)(s.li,{children:["VPN integration ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7728",children:"(#7728)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix spelling test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7752",children:"(#7752)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove unused libvirt config ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7758",children:"(#7758)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backport version bumps and bugfixes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7718",children:"(#7718)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The bundled metrics-server has been bumped to v0.6.3, and now uses only secure TLS ciphers by default."}),"\n",(0,i.jsxs)(s.li,{children:["The ",(0,i.jsx)(s.code,{children:"coredns-custom"})," ConfigMap now allows for ",(0,i.jsx)(s.code,{children:"*.override"})," sections to be included in the ",(0,i.jsx)(s.code,{children:".:53"})," default server block."]}),"\n",(0,i.jsx)(s.li,{children:"The K3s core controllers (supervisor, deploy, and helm) no longer use the admin kubeconfig. This makes it easier to determine from access and audit logs which actions are performed by the system, and which are performed by an administrative user."}),"\n",(0,i.jsx)(s.li,{children:"Bumped klipper-lb image to v0.4.4 to resolve an issue that prevented access to ServiceLB ports from localhost when the Service ExternalTrafficPolicy was set to Local."}),"\n",(0,i.jsx)(s.li,{children:"Make LB image configurable when compiling k3s"}),"\n",(0,i.jsx)(s.li,{children:"K3s now allows nodes to join the cluster even if the node password secret cannot be created at the time the node joins. The secret create will be retried in the background. This resolves a potential deadlock created by fail-closed validating webhooks that block secret creation, where the webhook is unavailable until new nodes join the cluster to run the webhook pod."}),"\n",(0,i.jsx)(s.li,{children:"The bundled containerd's aufs/devmapper/zfs snapshotter plugins have been restored. These were unintentionally omitted when moving containerd back into the k3s multicall binary in the previous release."}),"\n",(0,i.jsx)(s.li,{children:"The embedded helm controller has been bumped to v0.15.0, and now supports creating the chart's target namespace if it does not exist."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Add format command on Makefile ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7763",children:"(#7763)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix logging and cleanup in Tailscale ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7784",children:"(#7784)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update Kubernetes to v1.25.11 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7788",children:"(#7788)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Path normalization affecting kubectl proxy conformance test for /api endpoint ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7818",children:"(#7818)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12510k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.10+k3s1",children:"v1.25.10+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.10, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1259",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1259k3s1",children:"Changes since v1.25.9+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Ensure that klog verbosity is set to the same level as logrus ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7361",children:"(#7361)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add E2E testing in Drone ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7375",children:"(#7375)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add integration tests for etc-snapshot server flags #7377 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7378",children:"(#7378)"})]}),"\n",(0,i.jsxs)(s.li,{children:["CLI + Config Enhancement ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7404",children:"(#7404)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:[(0,i.jsx)(s.code,{children:"--Tls-sans"})," now accepts multiple arguments: ",(0,i.jsx)(s.code,{children:'--tls-sans="foo,bar"'})]}),"\n",(0,i.jsxs)(s.li,{children:[(0,i.jsx)(s.code,{children:"Prefer-bundled-bin: true"})," now works properly when set in ",(0,i.jsx)(s.code,{children:"config.yaml.d"})," files"]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Migrate netutil methods into /utils/net.go ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7433",children:"(#7433)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump Runc + Containerd + Docker for CVE fixes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7452",children:"(#7452)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump kube-router version to fix a bug when a port name is used ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7461",children:"(#7461)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Kube flags and longhorn storage tests 1.25 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7466",children:"(#7466)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Local-storage: Fix permission ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7473",children:"(#7473)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backport version bumps and bugfixes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7515",children:"(#7515)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:'K3s now retries the cluster join operation when receiving a "too many learners" error from etcd. This most frequently occurred when attempting to add multiple servers at the same time.'}),"\n",(0,i.jsx)(s.li,{children:"K3s once again supports aarch64 nodes with page size > 4k"}),"\n",(0,i.jsx)(s.li,{children:"The packaged Traefik version has been bumped to v2.9.10 / chart 21.2.0"}),"\n",(0,i.jsxs)(s.li,{children:["K3s now prints a more meaningful error when attempting to run from a filesystem mounted ",(0,i.jsx)(s.code,{children:"noexec"}),"."]}),"\n",(0,i.jsxs)(s.li,{children:["K3s now exits with a proper error message when the server token uses a bootstrap token ",(0,i.jsx)(s.code,{children:"id.secret"})," format."]}),"\n",(0,i.jsx)(s.li,{children:"Fixed an issue where Addon, HelmChart, and HelmChartConfig CRDs were created without structural schema, allowing the creation of custom resources of these types with invalid content."}),"\n",(0,i.jsx)(s.li,{children:"Servers started with the (experimental) --disable-agent flag no longer attempt to run the tunnel authorizer agent component."}),"\n",(0,i.jsx)(s.li,{children:"Fixed an regression that prevented the pod and cluster egress-selector modes from working properly."}),"\n",(0,i.jsx)(s.li,{children:"K3s now correctly passes through etcd-args to the temporary etcd that is used to extract cluster bootstrap data when restarting managed etcd nodes."}),"\n",(0,i.jsx)(s.li,{children:"K3s now properly handles errors obtaining the current etcd cluster member list when a new server is joining the managed etcd cluster."}),"\n",(0,i.jsxs)(s.li,{children:["The embedded kine version has been bumped to v0.10.1. This replaces the legacy ",(0,i.jsx)(s.code,{children:"lib/pq"})," postgres driver with ",(0,i.jsx)(s.code,{children:"pgx"}),"."]}),"\n",(0,i.jsx)(s.li,{children:"The bundled CNI plugins have been upgraded to v1.2.0-k3s1. The bandwidth and firewall plugins are now included in the bundle."}),"\n",(0,i.jsx)(s.li,{children:"The embedded Helm controller now supports authenticating to chart repositories via credentials stored in a Secret, as well as passing repo CAs via ConfigMap."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd/runc to v1.7.1-k3s1/v1.1.7 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7535",children:"(#7535)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The bundled containerd and runc versions have been bumped to v1.7.1-k3s1/v1.1.7"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Wrap error stating that it is coming from netpol ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7548",children:"(#7548)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add '-all' flag to apply to inactive units ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7574",children:"(#7574)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.10-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7582",children:"(#7582)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1259k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.9+k3s1",children:"v1.25.9+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.9, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1258",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1258k3s1",children:"Changes since v1.25.8+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Enhance ",(0,i.jsx)(s.code,{children:"check-config"})," ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7164",children:"(#7164)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove deprecated nodeSelector label beta.kubernetes.io/os (#6970) ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7121",children:"(#7121)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backport version bumps and bugfixes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7228",children:"(#7228)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The bundled local-path-provisioner version has been bumped to v0.0.24"}),"\n",(0,i.jsx)(s.li,{children:"The bundled runc version has been bumped to v1.1.5"}),"\n",(0,i.jsx)(s.li,{children:"The bundled coredns version has been bumped to v1.10.1"}),"\n",(0,i.jsx)(s.li,{children:"When using an external datastore, K3s now locks the bootstrap key while creating initial cluster bootstrap data, preventing a race condition when multiple servers attempted to initialize the cluster simultaneously."}),"\n",(0,i.jsx)(s.li,{children:"The client load-balancer that maintains connections to active server nodes now closes connections to servers when they are removed from the cluster. This ensures that agent components immediately reconnect to a current cluster member."}),"\n",(0,i.jsx)(s.li,{children:"Fixed a race condition during cluster reset that could cause the operation to hang and time out."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Updated kube-router to move the default ACCEPT rule at the end of the chain ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7221",children:"(#7221)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded kube-router controller has been updated to fix a regression that caused traffic from pods to be blocked by any default drop/deny rules present on the host. Users should still confirm that any externally-managed firewall rules explicitly allow traffic to/from pod and service networks, but this returns the old behavior that was relied upon by some users."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update klipper lb and helm-controller ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7240",children:"(#7240)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update Kube-router ACCEPT rule insertion and install script to clean rules before start ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7276",children:"(#7276)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded kube-router controller has been updated to fix a regression that caused traffic from pods to be blocked by any default drop/deny rules present on the host. Users should still confirm that any externally-managed firewall rules explicitly allow traffic to/from pod and service networks, but this returns the old behavior that was relied upon by some users."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.9-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7283",children:"(#7283)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1258k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.8+k3s1",children:"v1.25.8+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.8, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1257",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1257k3s1",children:"Changes since v1.25.7+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Update flannel and kube-router ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7061",children:"(#7061)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump various dependencies for CVEs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7043",children:"(#7043)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Enable dependabot ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7045",children:"(#7045)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Wait for kubelet port to be ready before setting ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7064",children:"(#7064)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The agent tunnel authorizer now waits for the kubelet to be ready before reading the kubelet port from the node object."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Adds a warning about editing to the containerd config.toml file ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7075",children:"(#7075)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Improve support for rotating the default self-signed certs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7079",children:"(#7079)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The ",(0,i.jsx)(s.code,{children:"k3s certificate rotate-ca"})," checks now support rotating self-signed certificates without the ",(0,i.jsx)(s.code,{children:"--force"})," option."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.8-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7106",children:"(#7106)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update flannel to fix NAT issue with old iptables version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7138",children:"(#7138)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1257k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.7+k3s1",children:"v1.25.7+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.7, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1256",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1256k3s1",children:"Changes since v1.25.6+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Add jitter to scheduled snapshots and retry harder on conflicts ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6782",children:"(#6782)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Scheduled etcd snapshots are now offset by a short random delay of up to several seconds. This should prevent multi-server clusters from executing pathological behavior when attempting to simultaneously update the snapshot list ConfigMap. The snapshot controller will also be more persistent in attempting to update the snapshot list."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump cri-dockerd ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6798",children:"(#6798)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded cri-dockerd has been updated to v0.3.1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bugfix: do not break cert-manager when pprof is enabled ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6837",children:"(#6837)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Wait for cri-dockerd socket ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6853",children:"(#6853)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump vagrant boxes to fedora37 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6858",children:"(#6858)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix cronjob example ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6864",children:"(#6864)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Ensure flag type consistency ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6867",children:"(#6867)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Consolidate E2E tests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6887",children:"(#6887)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Ignore value conflicts when reencrypting secrets ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6919",children:"(#6919)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Use default address family when adding kubernetes service address to SAN list ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6904",children:"(#6904)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The apiserver advertised address and IP SAN entry are now set correctly on clusters that use IPv6 as the default IP family."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Allow ServiceLB to honor ",(0,i.jsx)(s.code,{children:"ExternalTrafficPolicy=Local"})," ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6907",children:"(#6907)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"ServiceLB now honors the Service's ExternalTrafficPolicy. When set to Local, the LoadBalancer will only advertise addresses of Nodes with a Pod for the Service, and will not forward traffic to other cluster members."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix issue with servicelb startup failure when validating webhooks block creation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6916",children:"(#6916)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded cloud controller manager will no longer attempt to unconditionally re-create its namespace and serviceaccount on startup. This resolves an issue that could cause a deadlocked cluster when fail-closed webhooks are in use."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Backport user-provided CA cert and ",(0,i.jsx)(s.code,{children:"kubeadm"})," bootstrap token support ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6929",children:"(#6929)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["K3s now functions properly when the cluster CA certificates are signed by an existing root or intermediate CA. You can find a sample script for generating such certificates before K3s starts in the github repo at ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/blob/master/contrib/util/certs.sh",children:"contrib/util/certs.sh"}),"."]}),"\n",(0,i.jsxs)(s.li,{children:["K3s now supports ",(0,i.jsx)(s.code,{children:"kubeadm"})," style join tokens. ",(0,i.jsx)(s.code,{children:"k3s token create"})," now creates join token secrets, optionally with a limited TTL."]}),"\n",(0,i.jsx)(s.li,{children:"K3s agents joined with an expired or deleted token stay in the cluster using existing client certificates via the NodeAuthorization admission plugin, unless their Node object is deleted from the cluster."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix access to hostNetwork port on NodeIP when egress-selector-mode=agent ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6936",children:"(#6936)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fixed an issue that would cause the apiserver egress proxy to attempt to use the agent tunnel to connect to service endpoints even in agent or disabled mode."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Updated flannel version to v0.21.1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6915",children:"(#6915)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Allow for multiple sets of leader-elected controllers ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6941",children:"(#6941)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fixed an issue where leader-elected controllers for managed etcd did not run on etcd-only nodes"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix etcd and ca-cert rotate issues ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6954",children:"(#6954)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix ServiceLB dual-stack ingress IP listing ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6987",children:"(#6987)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Resolved an issue with ServiceLB that would cause it to advertise node IPv6 addresses, even if the cluster or service was not enabled for dual-stack operation."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump kine to v0.9.9 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6975",children:"(#6975)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The embedded kine version has been bumped to v0.9.9. Compaction log messages are now omitted at ",(0,i.jsx)(s.code,{children:"info"})," level for increased visibility."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.7-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7010",children:"(#7010)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1256k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.6+k3s1",children:"v1.25.6+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.6, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1255",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1255k3s2",children:"Changes since v1.25.5+k3s2:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Pass through default tls-cipher-suites ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6730",children:"(#6730)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The K3s default cipher suites are now explicitly passed in to kube-apiserver, ensuring that all listeners use these values."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd to v1.6.15-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6735",children:"(#6735)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded containerd version has been bumped to v1.6.15-k3s1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump action/download-artifact to v3 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6747",children:"(#6747)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backport dependabot/updatecli updates ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6761",children:"(#6761)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix Drone plugins/docker tag for 32 bit arm ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6768",children:"(#6768)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.6+k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6775",children:"(#6775)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1255k3s2",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.5+k3s2",children:"v1.25.5+k3s2"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates containerd to v1.6.14 to resolve an issue where pods would lose their CNI information when containerd was restarted."}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1255k3s1",children:"Changes since v1.25.5+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Bump containerd to v1.6.14-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6694",children:"(#6694)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The embedded containerd version has been bumped to v1.6.14-k3s1. This includes a backported fix for ",(0,i.jsx)(s.a,{href:"https://github.com/containerd/containerd/issues/7843",children:"containerd/7843"})," which caused pods to lose their CNI info when containerd was restarted, which in turn caused the kubelet to recreate the pod."]}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1255k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.5+k3s1",children:"v1.25.5+k3s1"})]}),"\n",(0,i.jsxs)(s.blockquote,{children:["\n",(0,i.jsx)(s.h2,{id:"\ufe0f-warning",children:"\u26a0\ufe0f WARNING"}),"\n",(0,i.jsxs)(s.p,{children:["This release is affected by ",(0,i.jsx)(s.a,{href:"https://github.com/containerd/containerd/issues/7843",children:"https://github.com/containerd/containerd/issues/7843"}),", which causes the kubelet to restart all pods whenever K3s is restarted. For this reason, we have removed this K3s release from the channel server. Please use ",(0,i.jsx)(s.code,{children:"v1.25.5+k3s2"})," instead."]}),"\n"]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.5, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:[(0,i.jsx)(s.strong,{children:"Breaking Change:"})," K3s no longer includes ",(0,i.jsx)(s.code,{children:"swanctl"})," and ",(0,i.jsx)(s.code,{children:"charon"})," binaries. If you are using the ipsec flannel backend, please ensure that the strongswan ",(0,i.jsx)(s.code,{children:"swanctl"})," and ",(0,i.jsx)(s.code,{children:"charon"})," packages are installed on your node before upgrading K3s to this release."]}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1254",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1254k3s1",children:"Changes since v1.25.4+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Fix log for flannelExternalIP use case ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6531",children:"(#6531)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix Carolines github id ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6464",children:"(#6464)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Github CI Updates ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6522",children:"(#6522)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add new ",(0,i.jsx)(s.code,{children:"prefer-bundled-bin"})," experimental flag ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6420",children:"(#6420)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Added new prefer-bundled-bin flag which force K3s to use its bundle binaries over that of the host tools"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd to v1.6.10 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6512",children:"(#6512)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded containerd version has been updated to v1.6.10-k3s1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Stage the Traefik charts through k3s-charts ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6519",children:"(#6519)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Make rootless settings configurable ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6498",children:"(#6498)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The rootless ",(0,i.jsx)(s.code,{children:"port-driver"}),", ",(0,i.jsx)(s.code,{children:"cidr"}),", ",(0,i.jsx)(s.code,{children:"mtu"}),", ",(0,i.jsx)(s.code,{children:"enable-ipv6"}),", and ",(0,i.jsx)(s.code,{children:"disable-host-loopback"})," settings can now be configured via environment variables."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Remove stuff which belongs in the windows executor implementation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6517",children:"(#6517)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Mark v1.25.4+k3s1 as stable ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6534",children:"(#6534)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add ",(0,i.jsx)(s.code,{children:"prefer-bundled-bin"})," as an agent flag ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6545",children:"(#6545)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump klipper-helm and klipper-lb versions ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6549",children:"(#6549)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The embedded Load-Balancer controller image has been bumped to klipper-lb",":v0",".4.0, which includes support for the ",(0,i.jsx)(s.a,{href:"https://kubernetes.io/docs/reference/kubernetes-api/service-resources/service-v1/#:~:text=loadBalancerSourceRanges",children:"LoadBalancerSourceRanges"})," field."]}),"\n",(0,i.jsxs)(s.li,{children:["The embedded Helm controller image has been bumped to klipper-helm",":v0",".7.4-build20221121"]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Switch from Google Buckets to AWS S3 Buckets ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6497",children:"(#6497)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix passing AWS creds through Dapper ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6567",children:"(#6567)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix artifact upload with ",(0,i.jsx)(s.code,{children:"aws s3 cp"})," ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6568",children:"(#6568)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Disable CCM metrics port when legacy CCM functionality is disabled ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6572",children:"(#6572)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The embedded cloud-controller-manager's metrics listener on port 10258 is now disabled when the ",(0,i.jsx)(s.code,{children:"--disable-cloud-controller"})," flag is set."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Sync packaged component Deployment config ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6552",children:"(#6552)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Deployments for K3s packaged components now have consistent upgrade strategy and revisionHistoryLimit settings, and will not override scaling decisions by hardcoding the replica count."}),"\n",(0,i.jsx)(s.li,{children:"The packaged metrics-server has been bumped to v0.6.2"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Mark secrets-encryption flag as GA ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6582",children:"(#6582)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump k3s root to v0.12.0 and remove strongswan binaries ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6400",children:"(#6400)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded k3s-root version has been bumped to v0.12.0, based on buildroot 2022.08.1."}),"\n",(0,i.jsxs)(s.li,{children:["The embedded swanctl and charon binaries have been removed. If you are using the ipsec flannel backend, please ensure that the strongswan ",(0,i.jsx)(s.code,{children:"swanctl"})," and ",(0,i.jsx)(s.code,{children:"charon"})," packages are installed on your node before upgrading k3s."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update flannel to v0.20.2 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6588",children:"(#6588)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add ADR for security bumps automation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6559",children:"(#6559)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update node12->node16 based GH actions ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6593",children:"(#6593)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Updating rel docs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6237",children:"(#6237)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update install.sh to recommend current version of k3s-selinux ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6453",children:"(#6453)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.5-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6622",children:"(#6622)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd to v1.6.12-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6631",children:"(#6631)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded containerd version has been bumped to v1.6.12"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Preload iptable_filter/ip6table_filter ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6646",children:"(#6646)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1254k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.4+k3s1",children:"v1.25.4+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.4, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1253",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1253k3s1",children:"Changes since v1.25.3+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Add the gateway parameter in netplan ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6292",children:"(#6292)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bumped dynamiclistener library to v0.3.5 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6300",children:"(#6300)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update kube-router to v1.5.1 with extra logging ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6345",children:"(#6345)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update maintainers ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6298",children:"(#6298)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump testing to opensuse Leap 15.4 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6337",children:"(#6337)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update E2E docs with more info on ubuntu 22.04 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6316",children:"(#6316)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Netpol test for podSelector & ingress ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6247",children:"(#6247)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump all alpine images to 3.16 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6334",children:"(#6334)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump kine to v0.9.6 / sqlite3 v3.39.2 (",(0,i.jsx)(s.a,{href:"https://nvd.nist.gov/vuln/detail/CVE-2022-35737",children:"CVE-2022-35737"}),") ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6317",children:"(#6317)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add hardened cluster and upgrade tests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6320",children:"(#6320)"})]}),"\n",(0,i.jsxs)(s.li,{children:["The bundled Traefik helm chart has been updated to v18.0.0 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6353",children:"(#6353)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Mark v1.25.3+k3s1 as stable ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6338",children:"(#6338)"})]}),"\n",(0,i.jsxs)(s.li,{children:["The embedded helm controller has been bumped to v0.13.0 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6294",children:"(#6294)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fixed an issue that would prevent the deploy controller from handling manifests that include resource types that are no longer supported by the apiserver. ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6295",children:"(#6295)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Replace fedora-coreos with fedora 36 for install tests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6315",children:"(#6315)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Convert containerd config.toml.tmpl Linux template to v2 syntax ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6267",children:"(#6267)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add test for node-external-ip config parameter ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6359",children:"(#6359)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Use debugger-friendly compile settings if DEBUG is set ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6147",children:"(#6147)"})]}),"\n",(0,i.jsxs)(s.li,{children:["update e2e tests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6354",children:"(#6354)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove unused vagrant development scripts ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6395",children:"(#6395)"})]}),"\n",(0,i.jsxs)(s.li,{children:["The bundled Traefik has been updated to v2.9.4 / helm chart v18.3.0 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6397",children:"(#6397)"})]}),"\n",(0,i.jsxs)(s.li,{children:["None ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6371",children:"(#6371)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix incorrect defer usage ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6296",children:"(#6296)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add snapshot restore e2e test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6396",children:"(#6396)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix sonobouy tests on v1.25 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6399",children:"(#6399)"})]}),"\n",(0,i.jsx)(s.li,{children:"Bump packaged component versions"}),"\n",(0,i.jsx)(s.li,{children:"The packaged traefik helm chart has been bumped to v19.0.0, enabling ingressClass support by default."}),"\n",(0,i.jsx)(s.li,{children:"The packaged local-path-provisioner has been bumped to v0.0.23"}),"\n",(0,i.jsxs)(s.li,{children:["The packaged coredns has been bumped to v1.9.4 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6408",children:"(#6408)"})]}),"\n",(0,i.jsxs)(s.li,{children:["log kube-router version when starting netpol controller ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6405",children:"(#6405)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add Kairos to ADOPTERS ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6417",children:"(#6417)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update Flannel to 0.20.1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6388",children:"(#6388)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Avoid wrong config for ",(0,i.jsx)(s.code,{children:"flannel-external-ip"})," and add warning if unencrypted backend ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6403",children:"(#6403)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix test-mods to allow for pinning version from k8s.io ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6413",children:"(#6413)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix for metrics-server in the multi-cloud cluster env ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6386",children:"(#6386)"})]}),"\n",(0,i.jsxs)(s.li,{children:["K3s now indicates specifically which cluster-level configuration flags are out of sync when critical configuration differs between server nodes. ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6409",children:"(#6409)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Convert test output to JSON format ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6410",children:"(#6410)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Pull traefik helm chart directly from GH ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6468",children:"(#6468)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Nightly test fix ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6475",children:"(#6475)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.4 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6477",children:"(#6477)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove stuff which belongs in the windows executor implementation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6492",children:"(#6492)"})]}),"\n",(0,i.jsxs)(s.li,{children:["The packaged traefik helm chart has been bumped to 19.0.4 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6494",children:"(#6494)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Move traefik chart repo again ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6508",children:"(#6508)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1253k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.3+k3s1",children:"v1.25.3+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.3, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1252",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1252k3s1",children:"Changes since v1.25.2+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["E2E: Groundwork for PR runs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6131",children:"(#6131)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix flannel for deployments of nodes which do not belong to the same network and connect using their public IP ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6180",children:"(#6180)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Mark v1.24.6+k3s1 as stable ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6193",children:"(#6193)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add cluster reset test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6161",children:"(#6161)"})]}),"\n",(0,i.jsxs)(s.li,{children:["The embedded metrics-server version has been bumped to v0.6.1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6151",children:"(#6151)"})]}),"\n",(0,i.jsxs)(s.li,{children:["The ServiceLB (klipper-lb) service controller is now integrated into the K3s stub cloud controller manager. ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6181",children:"(#6181)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Events recorded to the cluster by embedded controllers are now properly formatted in the service logs. ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6203",children:"(#6203)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix ",(0,i.jsx)(s.code,{children:"error dialing backend"})," errors in apiserver network proxy ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6216",children:"(#6216)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Fixed an issue with the apiserver network proxy that caused ",(0,i.jsx)(s.code,{children:"kubectl exec"})," to occasionally fail with ",(0,i.jsx)(s.code,{children:"error dialing backend: EOF"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fixed an issue with the apiserver network proxy that caused ",(0,i.jsx)(s.code,{children:"kubectl exec"})," and ",(0,i.jsx)(s.code,{children:"kubectl logs"})," to fail when a custom kubelet port was used, and the custom port was blocked by firewall or security group rules."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix the typo in the test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6183",children:"(#6183)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Use setup-go action to cache dependencies ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6220",children:"(#6220)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add journalctl logs to E2E tests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6224",children:"(#6224)"})]}),"\n",(0,i.jsxs)(s.li,{children:["The embedded Traefik version has been bumped to v2.9.1 / chart 12.0.0 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6223",children:"(#6223)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix flakey etcd test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6232",children:"(#6232)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Replace deprecated ioutil package ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6230",children:"(#6230)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix dualStack test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6245",children:"(#6245)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add ServiceAccount for svclb pods ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6253",children:"(#6253)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.3-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6269",children:"(#6269)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Return ProviderID in URI format ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6284",children:"(#6284)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Corrected CCM RBAC to allow for removal of legacy service finalizer during upgrades. ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6306",children:"(#6306)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Added a new --flannel-external-ip flag. ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6321",children:"(#6321)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"When enabled, Flannel traffic will now use the nodes external IPs, instead of internal."}),"\n",(0,i.jsx)(s.li,{children:"This is meant for use with distributed clusters that are not all on the same local network."}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1252k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.2+k3s1",children:"v1.25.2+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.2, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1250",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1250k3s1",children:"Changes since v1.25.0+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Add k3s v1.25 to the release channel ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6129",children:"(#6129)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Restore original INSTALL_K3S_SKIP_DOWNLOAD behavior ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6130",children:"(#6130)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add K3S Release Documentation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6135",children:"(#6135)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6140",children:"(#6140)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.2-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6168",children:"(#6168)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1250k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.0+k3s1",children:"v1.25.0+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release is K3S's first in the v1.25 line. This release updates Kubernetes to v1.25.0."}),"\n",(0,i.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]}),"\n",(0,i.jsxs)(s.p,{children:[(0,i.jsx)(s.strong,{children:"Important Note:"})," Kubernetes v1.25 removes the beta ",(0,i.jsx)(s.code,{children:"PodSecurityPolicy"})," admission plugin. Please follow the ",(0,i.jsx)(s.a,{href:"https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/",children:"upstream documentation"})," to migrate from PSP if using the built-in PodSecurity Admission Plugin, prior to upgrading to v1.25.0+k3s1."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1244k3s1",children:"Changes since v1.24.4+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Update Kubernetes to v1.25.0 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6040",children:"(#6040)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove ",(0,i.jsx)(s.code,{children:"--containerd"})," flag from windows kubelet args ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6028",children:"(#6028)"})]}),"\n",(0,i.jsxs)(s.li,{children:["E2E: Add support for CentOS 7 and Rocky 8 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6015",children:"(#6015)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Convert install tests to run PR build of k3s ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6003",children:"(#6003)"})]}),"\n",(0,i.jsxs)(s.li,{children:["CI: update Fedora 34 -> 35 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5996",children:"(#5996)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix dualStack test and change ipv6 network prefix ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6023",children:"(#6023)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix e2e tests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6018",children:"(#6018)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update README.md ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6048",children:"(#6048)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove wireguard interfaces when deleting the cluster ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6055",children:"(#6055)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add validation check to confirm correct golang version for Kubernetes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6050",children:"(#6050)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Expand startup integration test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6030",children:"(#6030)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update go.mod version to 1.19 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6049",children:"(#6049)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Usage of ",(0,i.jsx)(s.code,{children:"--cluster-secret"}),", ",(0,i.jsx)(s.code,{children:"--no-deploy"}),", and ",(0,i.jsx)(s.code,{children:"--no-flannel"})," is no longer supported. Attempts to use these flags will cause fatal errors. See ",(0,i.jsx)(s.a,{href:"https://k3s-io.github.io/docs/reference/server-config#deprecated-options",children:"the docs"})," for their replacement. ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6069",children:"(#6069)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update Flannel version to fix older iptables version issue. ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6090",children:"(#6090)"})]}),"\n",(0,i.jsxs)(s.li,{children:["The bundled version of runc has been bumped to v1.1.4 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6071",children:"(#6071)"})]}),"\n",(0,i.jsxs)(s.li,{children:["The embedded containerd version has been bumped to v1.6.8-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6078",children:"(#6078)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix deprecation message ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6112",children:"(#6112)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Added warning message for flannel backend additional options deprecation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6111",children:"(#6111)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{})]})}function o(e={}){const{wrapper:s}={...(0,r.a)(),...e.components};return s?(0,i.jsx)(s,{...e,children:(0,i.jsx)(a,{...e})}):a(e)}},1151:(e,s,t)=>{t.d(s,{Z:()=>h,a:()=>l});var i=t(7294);const r={},n=i.createContext(r);function l(e){const s=i.useContext(n);return i.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function h(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:l(e.components),i.createElement(n.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/9e7a009d.cc31d4a0.js b/assets/js/9e7a009d.cc31d4a0.js deleted file mode 100644 index 856ee148a..000000000 --- a/assets/js/9e7a009d.cc31d4a0.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7251],{6253:(e,s,t)=>{t.r(s),t.d(s,{assets:()=>c,contentTitle:()=>l,default:()=>o,frontMatter:()=>n,metadata:()=>h,toc:()=>d});var i=t(5893),r=t(1151);const n={hide_table_of_contents:!0,sidebar_position:6},l="v1.25.X",h={id:"release-notes/v1.25.X",title:"v1.25.X",description:"Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.",source:"@site/docs/release-notes/v1.25.X.md",sourceDirName:"release-notes",slug:"/release-notes/v1.25.X",permalink:"/release-notes/v1.25.X",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/release-notes/v1.25.X.md",tags:[],version:"current",lastUpdatedAt:172365169e4,sidebarPosition:6,frontMatter:{hide_table_of_contents:!0,sidebar_position:6},sidebar:"mySidebar",previous:{title:"v1.26.X",permalink:"/release-notes/v1.26.X"},next:{title:"v1.24.X",permalink:"/release-notes/v1.24.X"}},c={},d=[{value:"Release v1.25.16+k3s4",id:"release-v12516k3s4",level:2},{value:"Changes since v1.25.15+k3s2:",id:"changes-since-v12515k3s2",level:3},{value:"Release v1.25.15+k3s2",id:"release-v12515k3s2",level:2},{value:"Changes since v1.25.15+k3s1:",id:"changes-since-v12515k3s1",level:3},{value:"Release v1.25.15+k3s1",id:"release-v12515k3s1",level:2},{value:"Changes since v1.25.14+k3s1:",id:"changes-since-v12514k3s1",level:3},{value:"Release v1.25.14+k3s1",id:"release-v12514k3s1",level:2},{value:"Changes since v1.25.13+k3s1:",id:"changes-since-v12513k3s1",level:3},{value:"Release v1.25.13+k3s1",id:"release-v12513k3s1",level:2},{value:"Changes since v1.25.12+k3s1:",id:"changes-since-v12512k3s1",level:3},{value:"Release v1.25.12+k3s1",id:"release-v12512k3s1",level:2},{value:"Changes since v1.25.11+k3s1:",id:"changes-since-v12511k3s1",level:3},{value:"Release v1.25.11+k3s1",id:"release-v12511k3s1",level:2},{value:"Changes since v1.25.10+k3s1:",id:"changes-since-v12510k3s1",level:3},{value:"Release v1.25.10+k3s1",id:"release-v12510k3s1",level:2},{value:"Changes since v1.25.9+k3s1:",id:"changes-since-v1259k3s1",level:3},{value:"Release v1.25.9+k3s1",id:"release-v1259k3s1",level:2},{value:"Changes since v1.25.8+k3s1:",id:"changes-since-v1258k3s1",level:3},{value:"Release v1.25.8+k3s1",id:"release-v1258k3s1",level:2},{value:"Changes since v1.25.7+k3s1:",id:"changes-since-v1257k3s1",level:3},{value:"Release v1.25.7+k3s1",id:"release-v1257k3s1",level:2},{value:"Changes since v1.25.6+k3s1:",id:"changes-since-v1256k3s1",level:3},{value:"Release v1.25.6+k3s1",id:"release-v1256k3s1",level:2},{value:"Changes since v1.25.5+k3s2:",id:"changes-since-v1255k3s2",level:3},{value:"Release v1.25.5+k3s2",id:"release-v1255k3s2",level:2},{value:"Changes since v1.25.5+k3s1:",id:"changes-since-v1255k3s1",level:3},{value:"Release v1.25.5+k3s1",id:"release-v1255k3s1",level:2},{value:"\u26a0\ufe0f WARNING",id:"\ufe0f-warning",level:2},{value:"Changes since v1.25.4+k3s1:",id:"changes-since-v1254k3s1",level:3},{value:"Release v1.25.4+k3s1",id:"release-v1254k3s1",level:2},{value:"Changes since v1.25.3+k3s1:",id:"changes-since-v1253k3s1",level:3},{value:"Release v1.25.3+k3s1",id:"release-v1253k3s1",level:2},{value:"Changes since v1.25.2+k3s1:",id:"changes-since-v1252k3s1",level:3},{value:"Release v1.25.2+k3s1",id:"release-v1252k3s1",level:2},{value:"Changes since v1.25.0+k3s1:",id:"changes-since-v1250k3s1",level:3},{value:"Release v1.25.0+k3s1",id:"release-v1250k3s1",level:2},{value:"Changes since v1.24.4+k3s1:",id:"changes-since-v1244k3s1",level:3}];function a(e){const s={a:"a",admonition:"admonition",blockquote:"blockquote",br:"br",code:"code",h1:"h1",h2:"h2",h3:"h3",hr:"hr",li:"li",p:"p",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,r.a)(),...e.components};return(0,i.jsxs)(i.Fragment,{children:[(0,i.jsx)(s.h1,{id:"v125x",children:"v1.25.X"}),"\n",(0,i.jsx)(s.admonition,{title:"Upgrade Notice",type:"warning",children:(0,i.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]})}),"\n",(0,i.jsxs)(s.table,{children:[(0,i.jsx)(s.thead,{children:(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.th,{children:"Version"}),(0,i.jsx)(s.th,{children:"Release date"}),(0,i.jsx)(s.th,{children:"Kubernetes"}),(0,i.jsx)(s.th,{children:"Kine"}),(0,i.jsx)(s.th,{children:"SQLite"}),(0,i.jsx)(s.th,{children:"Etcd"}),(0,i.jsx)(s.th,{children:"Containerd"}),(0,i.jsx)(s.th,{children:"Runc"}),(0,i.jsx)(s.th,{children:"Flannel"}),(0,i.jsx)(s.th,{children:"Metrics-server"}),(0,i.jsx)(s.th,{children:"Traefik"}),(0,i.jsx)(s.th,{children:"CoreDNS"}),(0,i.jsx)(s.th,{children:"Helm-controller"}),(0,i.jsx)(s.th,{children:"Local-path-provisioner"})]})}),(0,i.jsxs)(s.tbody,{children:[(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v12516k3s4",children:"v1.25.16+k3s4"})}),(0,i.jsx)(s.td,{children:"Dec 07 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v12516",children:"v1.25.16"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1",children:"v1.7.7-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v12515k3s2",children:"v1.25.15+k3s2"})}),(0,i.jsx)(s.td,{children:"Nov 08 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v12515",children:"v1.25.15"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1",children:"v1.7.7-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v12515k3s1",children:"v1.25.15+k3s1"})}),(0,i.jsx)(s.td,{children:"Oct 30 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v12515",children:"v1.25.15"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1",children:"v1.7.7-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v12514k3s1",children:"v1.25.14+k3s1"})}),(0,i.jsx)(s.td,{children:"Sep 20 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v12514",children:"v1.25.14"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.6-k3s1",children:"v1.7.6-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v12513k3s1",children:"v1.25.13+k3s1"})}),(0,i.jsx)(s.td,{children:"Sep 05 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v12513",children:"v1.25.13"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.2",children:"v0.10.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.3-k3s1",children:"v1.7.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v12512k3s1",children:"v1.25.12+k3s1"})}),(0,i.jsx)(s.td,{children:"Jul 27 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v12512",children:"v1.25.12"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.0",children:"v0.22.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.2",children:"v0.15.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v12511k3s1",children:"v1.25.11+k3s1"})}),(0,i.jsx)(s.td,{children:"Jun 26 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v12511",children:"v1.25.11"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.0",children:"v0.22.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.0",children:"v0.15.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v12510k3s1",children:"v1.25.10+k3s1"})}),(0,i.jsx)(s.td,{children:"May 26 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v12510",children:"v1.25.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.4",children:"v0.21.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.14.0",children:"v0.14.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v1259k3s1",children:"v1.25.9+k3s1"})}),(0,i.jsx)(s.td,{children:"Apr 20 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1259",children:"v1.25.9"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.19-k3s1",children:"v1.6.19-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.5",children:"v1.1.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.4",children:"v0.21.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.3",children:"v0.13.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v1258k3s1",children:"v1.25.8+k3s1"})}),(0,i.jsx)(s.td,{children:"Mar 27 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1258",children:"v1.25.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.19-k3s1",children:"v1.6.19-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.4",children:"v0.21.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v1257k3s1",children:"v1.25.7+k3s1"})}),(0,i.jsx)(s.td,{children:"Mar 10 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1257",children:"v1.25.7"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.15-k3s1",children:"v1.6.15-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.1",children:"v0.21.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v1256k3s1",children:"v1.25.6+k3s1"})}),(0,i.jsx)(s.td,{children:"Jan 26 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1256",children:"v1.25.6"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.6",children:"v0.9.6"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.15-k3s1",children:"v1.6.15-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.2",children:"v0.20.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v1255k3s2",children:"v1.25.5+k3s2"})}),(0,i.jsx)(s.td,{children:"Jan 11 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1255",children:"v1.25.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.6",children:"v0.9.6"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.14-k3s1",children:"v1.6.14-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.2",children:"v0.20.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v1255k3s1",children:"v1.25.5+k3s1"})}),(0,i.jsx)(s.td,{children:"Dec 20 2022"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1255",children:"v1.25.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.6",children:"v0.9.6"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.12-k3s1",children:"v1.6.12-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.2",children:"v0.20.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v1254k3s1",children:"v1.25.4+k3s1"})}),(0,i.jsx)(s.td,{children:"Nov 18 2022"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1254",children:"v1.25.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.6",children:"v0.9.6"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.8-k3s1",children:"v1.6.8-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.1",children:"v0.20.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.1",children:"v0.6.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.0",children:"v0.13.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v1253k3s1",children:"v1.25.3+k3s1"})}),(0,i.jsx)(s.td,{children:"Oct 25 2022"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1253",children:"v1.25.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.3",children:"v0.9.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_36_0.html",children:"3.36.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.8-k3s1",children:"v1.6.8-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.19.2",children:"v0.19.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.1",children:"v0.6.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.1",children:"v2.9.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.1",children:"v1.9.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.12.3",children:"v0.12.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.21",children:"v0.0.21"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v1252k3s1",children:"v1.25.2+k3s1"})}),(0,i.jsx)(s.td,{children:"Sep 28 2022"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1252",children:"v1.25.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.3",children:"v0.9.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_36_0.html",children:"3.36.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.8-k3s1",children:"v1.6.8-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.19.2",children:"v0.19.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.5.2",children:"v0.5.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.6.2",children:"v2.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.1",children:"v1.9.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.12.3",children:"v0.12.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.21",children:"v0.0.21"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v1250k3s1",children:"v1.25.0+k3s1"})}),(0,i.jsx)(s.td,{children:"Sep 12 2022"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1250",children:"v1.25.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.3",children:"v0.9.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_36_0.html",children:"3.36.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.5.13-k3s2",children:"v1.5.13-k3s2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.3",children:"v1.1.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.19.1",children:"v0.19.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.5.2",children:"v0.5.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.6.2",children:"v2.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.1",children:"v1.9.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.12.3",children:"v0.12.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.21",children:"v0.0.21"})})]})]})]}),"\n",(0,i.jsx)("br",{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12516k3s4",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.16+k3s4",children:"v1.25.16+k3s4"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.16, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v12515",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12515k3s2",children:"Changes since v1.25.15+k3s2:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Etcd status condition ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8819",children:"(#8819)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2023-11 release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8880",children:"(#8880)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["New timezone info in Docker image allows the use of ",(0,i.jsx)(s.code,{children:"spec.timeZone"})," in CronJobs"]}),"\n",(0,i.jsx)(s.li,{children:"Bumped kine to v0.11.0 to resolve issues with postgres and NATS, fix performance of watch channels under heavy load, and improve compatibility with the reference implementation."}),"\n",(0,i.jsxs)(s.li,{children:["Containerd may now be configured to use rdt or blockio configuration by defining ",(0,i.jsx)(s.code,{children:"rdt_config.yaml"})," or ",(0,i.jsx)(s.code,{children:"blockio_config.yaml"})," files."]}),"\n",(0,i.jsx)(s.li,{children:"Add agent flag disable-apiserver-lb, agent will not start load balance proxy."}),"\n",(0,i.jsx)(s.li,{children:"Improved ingress IP ordering from ServiceLB"}),"\n",(0,i.jsx)(s.li,{children:"Disable helm CRD installation for disable-helm-controller"}),"\n",(0,i.jsx)(s.li,{children:"Omit snapshot list configmap entries for snapshots without extra metadata"}),"\n",(0,i.jsx)(s.li,{children:"Add jitter to client config retry to avoid hammering servers when they are starting up"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Handle nil pointer when runtime core is not ready in etcd ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8889",children:"(#8889)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Improve dualStack log ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8867",children:"(#8867)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump dynamiclistener; reduce snapshot controller log spew ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8904",children:"(#8904)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Bumped dynamiclistener to address a race condition that could cause a server to fail to sync its certificates into the Kubernetes secret"}),"\n",(0,i.jsx)(s.li,{children:"Reduced etcd snapshot log spam during initial cluster startup"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix etcd snapshot S3 issues ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8939",children:"(#8939)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Don't apply S3 retention if S3 client failed to initialize"}),"\n",(0,i.jsx)(s.li,{children:"Don't request metadata when listing S3 snapshots"}),"\n",(0,i.jsx)(s.li,{children:"Print key instead of file path in snapshot metadata log message"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.16 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8923",children:"(#8923)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove s390x steps temporarily since runners are disabled ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8993",children:"(#8993)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove s390x from manifest script ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8994",children:"(#8994)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12515k3s2",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.15+k3s2",children:"v1.25.15+k3s2"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.15, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v12515",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12515k3s1",children:"Changes since v1.25.15+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["E2E Domain Drone Cleanup ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8584",children:"(#8584)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix SystemdCgroup in templates_linux.go ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8767",children:"(#8767)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fixed an issue with identifying additional container runtimes"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update traefik chart to v25.0.0 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8777",children:"(#8777)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update traefik to fix registry value ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8791",children:"(#8791)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12515k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.15+k3s1",children:"v1.25.15+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.15, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v12514",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12514k3s1",children:"Changes since v1.25.14+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Fix error reporting ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8413",children:"(#8413)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add context to flannel errors ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8421",children:"(#8421)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Testing Backports for September ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8301",children:"(#8301)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Include the interface name in the error message ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8437",children:"(#8437)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add extraArgs to tailscale ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8466",children:"(#8466)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update kube-router ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8445",children:"(#8445)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Added error when cluster reset while using server flag ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8457",children:"(#8457)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The user will receive a error when --cluster-reset with the --server flag"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Cluster reset from non bootstrap nodes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8454",children:"(#8454)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix spellcheck problem ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8511",children:"(#8511)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Take IPFamily precedence based on order ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8506",children:"(#8506)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Network defaults are duplicated, remove one ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8553",children:"(#8553)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Advertise address integration test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8518",children:"(#8518)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fixed tailscale node IP dualstack mode in case of IPv4 only node ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8560",children:"(#8560)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Server Token Rotation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8578",children:"(#8578)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Users can now rotate the server token using ",(0,i.jsx)(s.code,{children:"k3s token rotate -t <OLD_TOKEN> --new-token <NEW_TOKEN>"}),". After command succeeds, all server nodes must be restarted with the new token."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Clear remove annotations on cluster reset ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8589",children:"(#8589)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fixed an issue that could cause k3s to attempt to remove members from the etcd cluster immediately following a cluster-reset/restore, if they were queued for removal at the time the snapshot was taken."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Use IPv6 in case is the first configured IP with dualstack ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8599",children:"(#8599)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2023-10 release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8617",children:"(#8617)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update kube-router package in build script ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8636",children:"(#8636)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add etcd-only/control-plane-only server test and fix control-plane-only server crash ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8644",children:"(#8644)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Windows agent support ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8646",children:"(#8646)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Use ",(0,i.jsx)(s.code,{children:"version.Program"})," not K3s in token rotate logs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8654",children:"(#8654)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add --image-service-endpoint flag (#8279) ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8664",children:"(#8664)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Add ",(0,i.jsx)(s.code,{children:"--image-service-endpoint"})," flag to specify an external image service socket."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Backport etcd fixes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8692",children:"(#8692)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Re-enable etcd endpoint auto-sync"}),"\n",(0,i.jsx)(s.li,{children:"Manually requeue configmap reconcile when no nodes have reconciled snapshots"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.15 and Go to v1.20.10 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8679",children:"(#8679)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix s3 snapshot restore ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8735",children:"(#8735)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12514k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.14+k3s1",children:"v1.25.14+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.14, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v12513",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12513k3s1",children:"Changes since v1.25.13+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Bump kine to v0.10.3 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8326",children:"(#8326)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update Kubernetes to v1.25.14 and go to 1.20.8 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8350",children:"(#8350)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backport containerd bump and and test fixes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8384",children:"(#8384)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Bump embedded containerd to v1.7.6"}),"\n",(0,i.jsx)(s.li,{children:"Bump embedded stargz-snapshotter plugin to latest"}),"\n",(0,i.jsx)(s.li,{children:"Fixed intermittent drone CI failures due to race conditions in test environment setup scripts"}),"\n",(0,i.jsx)(s.li,{children:"Fixed CI failures due to changes to api discovery changes in Kubernetes 1.28"}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12513k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.13+k3s1",children:"v1.25.13+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.13, and fixes a number of issues."}),"\n",(0,i.jsx)(s.admonition,{title:"Important",type:"warning",children:(0,i.jsxs)(s.p,{children:["This release includes support for remediating CVE-2023-32187, a potential Denial of Service attack vector on K3s servers. See ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2",children:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2"})," for more information, including mandatory steps necessary to harden clusters against this vulnerability."]})}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v12512",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12512k3s1",children:"Changes since v1.25.12+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Update flannel and plugins ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8076",children:"(#8076)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix tailscale bug with ip modes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8098",children:"(#8098)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Etcd snapshots retention when node name changes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8123",children:"(#8123)"})]}),"\n",(0,i.jsxs)(s.li,{children:["August Test Backports ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8127",children:"(#8127)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2023-08 release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8132",children:"(#8132)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"K3s's external apiserver listener now declines to add to its certificate any subject names not associated with the kubernetes apiserver service, server nodes, or values of the --tls-san option. This prevents the certificate's SAN list from being filled with unwanted entries."}),"\n",(0,i.jsxs)(s.li,{children:["K3s no longer enables the apiserver's ",(0,i.jsx)(s.code,{children:"enable-aggregator-routing"})," flag when the egress proxy is not being used to route connections to in-cluster endpoints."]}),"\n",(0,i.jsx)(s.li,{children:"Updated the embedded containerd to v1.7.3+k3s1"}),"\n",(0,i.jsx)(s.li,{children:"Updated the embedded runc to v1.1.8"}),"\n",(0,i.jsxs)(s.li,{children:["User-provided containerd config templates may now use ",(0,i.jsx)(s.code,{children:'{{ template "base" . }}'})," to include the default K3s template content. This makes it easier to maintain user configuration if the only need is to add additional sections to the file."]}),"\n",(0,i.jsx)(s.li,{children:"Bump docker/docker module version to fix issues with cri-dockerd caused by recent releases of golang rejecting invalid host headers sent by the docker client."}),"\n",(0,i.jsx)(s.li,{children:"Updated kine to v0.10.2"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["K3s etcd-snapshot delete fail to delete local file when called with s3 flag ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8145",children:"(#8145)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix for cluster-reset backup from s3 when etcd snapshots are disabled ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8169",children:"(#8169)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fixed the etcd retention to delete orphaned snapshots based on the date ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8190",children:"(#8190)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Additional backports for 2023-08 release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8213",children:"(#8213)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The version of ",(0,i.jsx)(s.code,{children:"helm"})," used by the bundled helm controller's job image has been updated to v3.12.3"]}),"\n",(0,i.jsx)(s.li,{children:"Bumped dynamiclistener to address an issue that could cause the apiserver/supervisor listener on 6443 to stop serving requests on etcd-only nodes."}),"\n",(0,i.jsx)(s.li,{children:"The K3s external apiserver/supervisor listener on 6443 now sends a complete certificate chain in the TLS handshake."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Move flannel to 0.22.2 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8223",children:"(#8223)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.13 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8241",children:"(#8241)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix runc version bump ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8246",children:"(#8246)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add new CLI flag to enable TLS SAN CN filtering ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8259",children:"(#8259)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Added a new ",(0,i.jsx)(s.code,{children:"--tls-san-security"})," option. This flag defaults to false, but can be set to true to disable automatically adding SANs to the server's TLS certificate to satisfy any hostname requested by a client."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Add RWMutex to address controller ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8275",children:"(#8275)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12512k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.12+k3s1",children:"v1.25.12+k3s1"})]}),"\n",(0,i.jsxs)(s.p,{children:["This release updates Kubernetes to v1.25.12, and fixes a number of issues.",(0,i.jsx)(s.br,{}),"\n","\u200b\r\nFor more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v12511",children:"Kubernetes release notes"}),".\r\n\u200b"]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12511k3s1",children:"Changes since v1.25.11+k3s1:"}),"\n",(0,i.jsx)(s.p,{children:"\u200b"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Remove file_windows.go ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7856",children:"(#7856)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix code spell check ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7860",children:"(#7860)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Allow k3s to customize apiServerPort on helm-controller ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7873",children:"(#7873)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Check if we are on ipv4, ipv6 or dualStack when doing tailscale ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7883",children:"(#7883)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Support setting control server URL for Tailscale. ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7894",children:"(#7894)"})]}),"\n",(0,i.jsxs)(s.li,{children:["S3 and Startup tests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7886",children:"(#7886)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix rootless node password ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7900",children:"(#7900)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2023-07 release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7909",children:"(#7909)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Resolved an issue that caused agents joined with kubeadm-style bootstrap tokens to fail to rejoin the cluster when their node object is deleted."}),"\n",(0,i.jsxs)(s.li,{children:["The ",(0,i.jsx)(s.code,{children:"k3s certificate rotate-ca"})," command now supports the data-dir flag."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Adding cli to custom klipper helm image ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7915",children:"(#7915)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The default helm-controller job image can now be overridden with the --helm-job-image CLI flag"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Generation of certs and keys for etcd gated if etcd is disabled ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7945",children:"(#7945)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Don't use zgrep in ",(0,i.jsx)(s.code,{children:"check-config"})," if apparmor profile is enforced ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7954",children:"(#7954)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix image_scan.sh script and download trivy version (#7950) ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7969",children:"(#7969)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Adjust default kubeconfig file permissions ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7984",children:"(#7984)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.12 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8021",children:"(#8021)"}),"\r\n\u200b"]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12511k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.11+k3s1",children:"v1.25.11+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.11, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v12510",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12510k3s1",children:"Changes since v1.25.10+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Update flannel version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7649",children:"(#7649)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump vagrant libvirt with fix for plugin installs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7659",children:"(#7659)"})]}),"\n",(0,i.jsxs)(s.li,{children:["E2E Backports - June ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7705",children:"(#7705)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Shortcircuit commands with version or help flags #7683"}),"\n",(0,i.jsx)(s.li,{children:"Add Rotation certification Check, remove func to restart agents #7097"}),"\n",(0,i.jsx)(s.li,{children:"E2E: Sudo for RunCmdOnNode #7686"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Add private registry e2e test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7722",children:"(#7722)"})]}),"\n",(0,i.jsxs)(s.li,{children:["VPN integration ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7728",children:"(#7728)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix spelling test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7752",children:"(#7752)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove unused libvirt config ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7758",children:"(#7758)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backport version bumps and bugfixes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7718",children:"(#7718)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The bundled metrics-server has been bumped to v0.6.3, and now uses only secure TLS ciphers by default."}),"\n",(0,i.jsxs)(s.li,{children:["The ",(0,i.jsx)(s.code,{children:"coredns-custom"})," ConfigMap now allows for ",(0,i.jsx)(s.code,{children:"*.override"})," sections to be included in the ",(0,i.jsx)(s.code,{children:".:53"})," default server block."]}),"\n",(0,i.jsx)(s.li,{children:"The K3s core controllers (supervisor, deploy, and helm) no longer use the admin kubeconfig. This makes it easier to determine from access and audit logs which actions are performed by the system, and which are performed by an administrative user."}),"\n",(0,i.jsx)(s.li,{children:"Bumped klipper-lb image to v0.4.4 to resolve an issue that prevented access to ServiceLB ports from localhost when the Service ExternalTrafficPolicy was set to Local."}),"\n",(0,i.jsx)(s.li,{children:"Make LB image configurable when compiling k3s"}),"\n",(0,i.jsx)(s.li,{children:"K3s now allows nodes to join the cluster even if the node password secret cannot be created at the time the node joins. The secret create will be retried in the background. This resolves a potential deadlock created by fail-closed validating webhooks that block secret creation, where the webhook is unavailable until new nodes join the cluster to run the webhook pod."}),"\n",(0,i.jsx)(s.li,{children:"The bundled containerd's aufs/devmapper/zfs snapshotter plugins have been restored. These were unintentionally omitted when moving containerd back into the k3s multicall binary in the previous release."}),"\n",(0,i.jsx)(s.li,{children:"The embedded helm controller has been bumped to v0.15.0, and now supports creating the chart's target namespace if it does not exist."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Add format command on Makefile ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7763",children:"(#7763)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix logging and cleanup in Tailscale ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7784",children:"(#7784)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update Kubernetes to v1.25.11 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7788",children:"(#7788)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Path normalization affecting kubectl proxy conformance test for /api endpoint ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7818",children:"(#7818)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12510k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.10+k3s1",children:"v1.25.10+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.10, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1259",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1259k3s1",children:"Changes since v1.25.9+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Ensure that klog verbosity is set to the same level as logrus ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7361",children:"(#7361)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add E2E testing in Drone ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7375",children:"(#7375)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add integration tests for etc-snapshot server flags #7377 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7378",children:"(#7378)"})]}),"\n",(0,i.jsxs)(s.li,{children:["CLI + Config Enhancement ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7404",children:"(#7404)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:[(0,i.jsx)(s.code,{children:"--Tls-sans"})," now accepts multiple arguments: ",(0,i.jsx)(s.code,{children:'--tls-sans="foo,bar"'})]}),"\n",(0,i.jsxs)(s.li,{children:[(0,i.jsx)(s.code,{children:"Prefer-bundled-bin: true"})," now works properly when set in ",(0,i.jsx)(s.code,{children:"config.yaml.d"})," files"]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Migrate netutil methods into /utils/net.go ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7433",children:"(#7433)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump Runc + Containerd + Docker for CVE fixes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7452",children:"(#7452)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump kube-router version to fix a bug when a port name is used ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7461",children:"(#7461)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Kube flags and longhorn storage tests 1.25 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7466",children:"(#7466)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Local-storage: Fix permission ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7473",children:"(#7473)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backport version bumps and bugfixes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7515",children:"(#7515)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:'K3s now retries the cluster join operation when receiving a "too many learners" error from etcd. This most frequently occurred when attempting to add multiple servers at the same time.'}),"\n",(0,i.jsx)(s.li,{children:"K3s once again supports aarch64 nodes with page size > 4k"}),"\n",(0,i.jsx)(s.li,{children:"The packaged Traefik version has been bumped to v2.9.10 / chart 21.2.0"}),"\n",(0,i.jsxs)(s.li,{children:["K3s now prints a more meaningful error when attempting to run from a filesystem mounted ",(0,i.jsx)(s.code,{children:"noexec"}),"."]}),"\n",(0,i.jsxs)(s.li,{children:["K3s now exits with a proper error message when the server token uses a bootstrap token ",(0,i.jsx)(s.code,{children:"id.secret"})," format."]}),"\n",(0,i.jsx)(s.li,{children:"Fixed an issue where Addon, HelmChart, and HelmChartConfig CRDs were created without structural schema, allowing the creation of custom resources of these types with invalid content."}),"\n",(0,i.jsx)(s.li,{children:"Servers started with the (experimental) --disable-agent flag no longer attempt to run the tunnel authorizer agent component."}),"\n",(0,i.jsx)(s.li,{children:"Fixed an regression that prevented the pod and cluster egress-selector modes from working properly."}),"\n",(0,i.jsx)(s.li,{children:"K3s now correctly passes through etcd-args to the temporary etcd that is used to extract cluster bootstrap data when restarting managed etcd nodes."}),"\n",(0,i.jsx)(s.li,{children:"K3s now properly handles errors obtaining the current etcd cluster member list when a new server is joining the managed etcd cluster."}),"\n",(0,i.jsxs)(s.li,{children:["The embedded kine version has been bumped to v0.10.1. This replaces the legacy ",(0,i.jsx)(s.code,{children:"lib/pq"})," postgres driver with ",(0,i.jsx)(s.code,{children:"pgx"}),"."]}),"\n",(0,i.jsx)(s.li,{children:"The bundled CNI plugins have been upgraded to v1.2.0-k3s1. The bandwidth and firewall plugins are now included in the bundle."}),"\n",(0,i.jsx)(s.li,{children:"The embedded Helm controller now supports authenticating to chart repositories via credentials stored in a Secret, as well as passing repo CAs via ConfigMap."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd/runc to v1.7.1-k3s1/v1.1.7 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7535",children:"(#7535)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The bundled containerd and runc versions have been bumped to v1.7.1-k3s1/v1.1.7"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Wrap error stating that it is coming from netpol ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7548",children:"(#7548)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add '-all' flag to apply to inactive units ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7574",children:"(#7574)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.10-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7582",children:"(#7582)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1259k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.9+k3s1",children:"v1.25.9+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.9, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1258",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1258k3s1",children:"Changes since v1.25.8+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Enhance ",(0,i.jsx)(s.code,{children:"check-config"})," ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7164",children:"(#7164)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove deprecated nodeSelector label beta.kubernetes.io/os (#6970) ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7121",children:"(#7121)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backport version bumps and bugfixes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7228",children:"(#7228)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The bundled local-path-provisioner version has been bumped to v0.0.24"}),"\n",(0,i.jsx)(s.li,{children:"The bundled runc version has been bumped to v1.1.5"}),"\n",(0,i.jsx)(s.li,{children:"The bundled coredns version has been bumped to v1.10.1"}),"\n",(0,i.jsx)(s.li,{children:"When using an external datastore, K3s now locks the bootstrap key while creating initial cluster bootstrap data, preventing a race condition when multiple servers attempted to initialize the cluster simultaneously."}),"\n",(0,i.jsx)(s.li,{children:"The client load-balancer that maintains connections to active server nodes now closes connections to servers when they are removed from the cluster. This ensures that agent components immediately reconnect to a current cluster member."}),"\n",(0,i.jsx)(s.li,{children:"Fixed a race condition during cluster reset that could cause the operation to hang and time out."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Updated kube-router to move the default ACCEPT rule at the end of the chain ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7221",children:"(#7221)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded kube-router controller has been updated to fix a regression that caused traffic from pods to be blocked by any default drop/deny rules present on the host. Users should still confirm that any externally-managed firewall rules explicitly allow traffic to/from pod and service networks, but this returns the old behavior that was relied upon by some users."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update klipper lb and helm-controller ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7240",children:"(#7240)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update Kube-router ACCEPT rule insertion and install script to clean rules before start ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7276",children:"(#7276)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded kube-router controller has been updated to fix a regression that caused traffic from pods to be blocked by any default drop/deny rules present on the host. Users should still confirm that any externally-managed firewall rules explicitly allow traffic to/from pod and service networks, but this returns the old behavior that was relied upon by some users."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.9-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7283",children:"(#7283)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1258k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.8+k3s1",children:"v1.25.8+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.8, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1257",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1257k3s1",children:"Changes since v1.25.7+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Update flannel and kube-router ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7061",children:"(#7061)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump various dependencies for CVEs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7043",children:"(#7043)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Enable dependabot ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7045",children:"(#7045)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Wait for kubelet port to be ready before setting ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7064",children:"(#7064)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The agent tunnel authorizer now waits for the kubelet to be ready before reading the kubelet port from the node object."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Adds a warning about editing to the containerd config.toml file ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7075",children:"(#7075)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Improve support for rotating the default self-signed certs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7079",children:"(#7079)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The ",(0,i.jsx)(s.code,{children:"k3s certificate rotate-ca"})," checks now support rotating self-signed certificates without the ",(0,i.jsx)(s.code,{children:"--force"})," option."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.8-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7106",children:"(#7106)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update flannel to fix NAT issue with old iptables version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7138",children:"(#7138)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1257k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.7+k3s1",children:"v1.25.7+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.7, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1256",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1256k3s1",children:"Changes since v1.25.6+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Add jitter to scheduled snapshots and retry harder on conflicts ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6782",children:"(#6782)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Scheduled etcd snapshots are now offset by a short random delay of up to several seconds. This should prevent multi-server clusters from executing pathological behavior when attempting to simultaneously update the snapshot list ConfigMap. The snapshot controller will also be more persistent in attempting to update the snapshot list."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump cri-dockerd ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6798",children:"(#6798)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded cri-dockerd has been updated to v0.3.1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bugfix: do not break cert-manager when pprof is enabled ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6837",children:"(#6837)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Wait for cri-dockerd socket ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6853",children:"(#6853)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump vagrant boxes to fedora37 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6858",children:"(#6858)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix cronjob example ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6864",children:"(#6864)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Ensure flag type consistency ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6867",children:"(#6867)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Consolidate E2E tests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6887",children:"(#6887)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Ignore value conflicts when reencrypting secrets ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6919",children:"(#6919)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Use default address family when adding kubernetes service address to SAN list ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6904",children:"(#6904)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The apiserver advertised address and IP SAN entry are now set correctly on clusters that use IPv6 as the default IP family."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Allow ServiceLB to honor ",(0,i.jsx)(s.code,{children:"ExternalTrafficPolicy=Local"})," ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6907",children:"(#6907)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"ServiceLB now honors the Service's ExternalTrafficPolicy. When set to Local, the LoadBalancer will only advertise addresses of Nodes with a Pod for the Service, and will not forward traffic to other cluster members."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix issue with servicelb startup failure when validating webhooks block creation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6916",children:"(#6916)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded cloud controller manager will no longer attempt to unconditionally re-create its namespace and serviceaccount on startup. This resolves an issue that could cause a deadlocked cluster when fail-closed webhooks are in use."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Backport user-provided CA cert and ",(0,i.jsx)(s.code,{children:"kubeadm"})," bootstrap token support ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6929",children:"(#6929)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["K3s now functions properly when the cluster CA certificates are signed by an existing root or intermediate CA. You can find a sample script for generating such certificates before K3s starts in the github repo at ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/blob/master/contrib/util/certs.sh",children:"contrib/util/certs.sh"}),"."]}),"\n",(0,i.jsxs)(s.li,{children:["K3s now supports ",(0,i.jsx)(s.code,{children:"kubeadm"})," style join tokens. ",(0,i.jsx)(s.code,{children:"k3s token create"})," now creates join token secrets, optionally with a limited TTL."]}),"\n",(0,i.jsx)(s.li,{children:"K3s agents joined with an expired or deleted token stay in the cluster using existing client certificates via the NodeAuthorization admission plugin, unless their Node object is deleted from the cluster."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix access to hostNetwork port on NodeIP when egress-selector-mode=agent ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6936",children:"(#6936)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fixed an issue that would cause the apiserver egress proxy to attempt to use the agent tunnel to connect to service endpoints even in agent or disabled mode."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Updated flannel version to v0.21.1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6915",children:"(#6915)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Allow for multiple sets of leader-elected controllers ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6941",children:"(#6941)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fixed an issue where leader-elected controllers for managed etcd did not run on etcd-only nodes"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix etcd and ca-cert rotate issues ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6954",children:"(#6954)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix ServiceLB dual-stack ingress IP listing ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6987",children:"(#6987)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Resolved an issue with ServiceLB that would cause it to advertise node IPv6 addresses, even if the cluster or service was not enabled for dual-stack operation."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump kine to v0.9.9 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6975",children:"(#6975)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The embedded kine version has been bumped to v0.9.9. Compaction log messages are now omitted at ",(0,i.jsx)(s.code,{children:"info"})," level for increased visibility."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.7-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7010",children:"(#7010)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1256k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.6+k3s1",children:"v1.25.6+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.6, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1255",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1255k3s2",children:"Changes since v1.25.5+k3s2:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Pass through default tls-cipher-suites ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6730",children:"(#6730)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The K3s default cipher suites are now explicitly passed in to kube-apiserver, ensuring that all listeners use these values."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd to v1.6.15-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6735",children:"(#6735)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded containerd version has been bumped to v1.6.15-k3s1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump action/download-artifact to v3 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6747",children:"(#6747)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backport dependabot/updatecli updates ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6761",children:"(#6761)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix Drone plugins/docker tag for 32 bit arm ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6768",children:"(#6768)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.6+k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6775",children:"(#6775)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1255k3s2",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.5+k3s2",children:"v1.25.5+k3s2"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates containerd to v1.6.14 to resolve an issue where pods would lose their CNI information when containerd was restarted."}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1255k3s1",children:"Changes since v1.25.5+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Bump containerd to v1.6.14-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6694",children:"(#6694)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The embedded containerd version has been bumped to v1.6.14-k3s1. This includes a backported fix for ",(0,i.jsx)(s.a,{href:"https://github.com/containerd/containerd/issues/7843",children:"containerd/7843"})," which caused pods to lose their CNI info when containerd was restarted, which in turn caused the kubelet to recreate the pod."]}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1255k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.5+k3s1",children:"v1.25.5+k3s1"})]}),"\n",(0,i.jsxs)(s.blockquote,{children:["\n",(0,i.jsx)(s.h2,{id:"\ufe0f-warning",children:"\u26a0\ufe0f WARNING"}),"\n",(0,i.jsxs)(s.p,{children:["This release is affected by ",(0,i.jsx)(s.a,{href:"https://github.com/containerd/containerd/issues/7843",children:"https://github.com/containerd/containerd/issues/7843"}),", which causes the kubelet to restart all pods whenever K3s is restarted. For this reason, we have removed this K3s release from the channel server. Please use ",(0,i.jsx)(s.code,{children:"v1.25.5+k3s2"})," instead."]}),"\n"]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.5, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:[(0,i.jsx)(s.strong,{children:"Breaking Change:"})," K3s no longer includes ",(0,i.jsx)(s.code,{children:"swanctl"})," and ",(0,i.jsx)(s.code,{children:"charon"})," binaries. If you are using the ipsec flannel backend, please ensure that the strongswan ",(0,i.jsx)(s.code,{children:"swanctl"})," and ",(0,i.jsx)(s.code,{children:"charon"})," packages are installed on your node before upgrading K3s to this release."]}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1254",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1254k3s1",children:"Changes since v1.25.4+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Fix log for flannelExternalIP use case ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6531",children:"(#6531)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix Carolines github id ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6464",children:"(#6464)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Github CI Updates ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6522",children:"(#6522)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add new ",(0,i.jsx)(s.code,{children:"prefer-bundled-bin"})," experimental flag ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6420",children:"(#6420)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Added new prefer-bundled-bin flag which force K3s to use its bundle binaries over that of the host tools"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd to v1.6.10 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6512",children:"(#6512)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded containerd version has been updated to v1.6.10-k3s1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Stage the Traefik charts through k3s-charts ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6519",children:"(#6519)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Make rootless settings configurable ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6498",children:"(#6498)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The rootless ",(0,i.jsx)(s.code,{children:"port-driver"}),", ",(0,i.jsx)(s.code,{children:"cidr"}),", ",(0,i.jsx)(s.code,{children:"mtu"}),", ",(0,i.jsx)(s.code,{children:"enable-ipv6"}),", and ",(0,i.jsx)(s.code,{children:"disable-host-loopback"})," settings can now be configured via environment variables."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Remove stuff which belongs in the windows executor implementation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6517",children:"(#6517)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Mark v1.25.4+k3s1 as stable ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6534",children:"(#6534)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add ",(0,i.jsx)(s.code,{children:"prefer-bundled-bin"})," as an agent flag ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6545",children:"(#6545)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump klipper-helm and klipper-lb versions ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6549",children:"(#6549)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The embedded Load-Balancer controller image has been bumped to klipper-lb",":v0",".4.0, which includes support for the ",(0,i.jsx)(s.a,{href:"https://kubernetes.io/docs/reference/kubernetes-api/service-resources/service-v1/#:~:text=loadBalancerSourceRanges",children:"LoadBalancerSourceRanges"})," field."]}),"\n",(0,i.jsxs)(s.li,{children:["The embedded Helm controller image has been bumped to klipper-helm",":v0",".7.4-build20221121"]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Switch from Google Buckets to AWS S3 Buckets ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6497",children:"(#6497)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix passing AWS creds through Dapper ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6567",children:"(#6567)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix artifact upload with ",(0,i.jsx)(s.code,{children:"aws s3 cp"})," ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6568",children:"(#6568)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Disable CCM metrics port when legacy CCM functionality is disabled ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6572",children:"(#6572)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The embedded cloud-controller-manager's metrics listener on port 10258 is now disabled when the ",(0,i.jsx)(s.code,{children:"--disable-cloud-controller"})," flag is set."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Sync packaged component Deployment config ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6552",children:"(#6552)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Deployments for K3s packaged components now have consistent upgrade strategy and revisionHistoryLimit settings, and will not override scaling decisions by hardcoding the replica count."}),"\n",(0,i.jsx)(s.li,{children:"The packaged metrics-server has been bumped to v0.6.2"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Mark secrets-encryption flag as GA ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6582",children:"(#6582)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump k3s root to v0.12.0 and remove strongswan binaries ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6400",children:"(#6400)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded k3s-root version has been bumped to v0.12.0, based on buildroot 2022.08.1."}),"\n",(0,i.jsxs)(s.li,{children:["The embedded swanctl and charon binaries have been removed. If you are using the ipsec flannel backend, please ensure that the strongswan ",(0,i.jsx)(s.code,{children:"swanctl"})," and ",(0,i.jsx)(s.code,{children:"charon"})," packages are installed on your node before upgrading k3s."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update flannel to v0.20.2 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6588",children:"(#6588)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add ADR for security bumps automation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6559",children:"(#6559)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update node12->node16 based GH actions ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6593",children:"(#6593)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Updating rel docs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6237",children:"(#6237)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update install.sh to recommend current version of k3s-selinux ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6453",children:"(#6453)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.5-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6622",children:"(#6622)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd to v1.6.12-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6631",children:"(#6631)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded containerd version has been bumped to v1.6.12"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Preload iptable_filter/ip6table_filter ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6646",children:"(#6646)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1254k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.4+k3s1",children:"v1.25.4+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.4, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1253",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1253k3s1",children:"Changes since v1.25.3+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Add the gateway parameter in netplan ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6292",children:"(#6292)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bumped dynamiclistener library to v0.3.5 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6300",children:"(#6300)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update kube-router to v1.5.1 with extra logging ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6345",children:"(#6345)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update maintainers ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6298",children:"(#6298)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump testing to opensuse Leap 15.4 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6337",children:"(#6337)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update E2E docs with more info on ubuntu 22.04 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6316",children:"(#6316)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Netpol test for podSelector & ingress ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6247",children:"(#6247)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump all alpine images to 3.16 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6334",children:"(#6334)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump kine to v0.9.6 / sqlite3 v3.39.2 (",(0,i.jsx)(s.a,{href:"https://nvd.nist.gov/vuln/detail/CVE-2022-35737",children:"CVE-2022-35737"}),") ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6317",children:"(#6317)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add hardened cluster and upgrade tests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6320",children:"(#6320)"})]}),"\n",(0,i.jsxs)(s.li,{children:["The bundled Traefik helm chart has been updated to v18.0.0 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6353",children:"(#6353)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Mark v1.25.3+k3s1 as stable ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6338",children:"(#6338)"})]}),"\n",(0,i.jsxs)(s.li,{children:["The embedded helm controller has been bumped to v0.13.0 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6294",children:"(#6294)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fixed an issue that would prevent the deploy controller from handling manifests that include resource types that are no longer supported by the apiserver. ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6295",children:"(#6295)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Replace fedora-coreos with fedora 36 for install tests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6315",children:"(#6315)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Convert containerd config.toml.tmpl Linux template to v2 syntax ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6267",children:"(#6267)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add test for node-external-ip config parameter ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6359",children:"(#6359)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Use debugger-friendly compile settings if DEBUG is set ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6147",children:"(#6147)"})]}),"\n",(0,i.jsxs)(s.li,{children:["update e2e tests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6354",children:"(#6354)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove unused vagrant development scripts ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6395",children:"(#6395)"})]}),"\n",(0,i.jsxs)(s.li,{children:["The bundled Traefik has been updated to v2.9.4 / helm chart v18.3.0 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6397",children:"(#6397)"})]}),"\n",(0,i.jsxs)(s.li,{children:["None ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6371",children:"(#6371)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix incorrect defer usage ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6296",children:"(#6296)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add snapshot restore e2e test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6396",children:"(#6396)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix sonobouy tests on v1.25 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6399",children:"(#6399)"})]}),"\n",(0,i.jsx)(s.li,{children:"Bump packaged component versions"}),"\n",(0,i.jsx)(s.li,{children:"The packaged traefik helm chart has been bumped to v19.0.0, enabling ingressClass support by default."}),"\n",(0,i.jsx)(s.li,{children:"The packaged local-path-provisioner has been bumped to v0.0.23"}),"\n",(0,i.jsxs)(s.li,{children:["The packaged coredns has been bumped to v1.9.4 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6408",children:"(#6408)"})]}),"\n",(0,i.jsxs)(s.li,{children:["log kube-router version when starting netpol controller ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6405",children:"(#6405)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add Kairos to ADOPTERS ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6417",children:"(#6417)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update Flannel to 0.20.1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6388",children:"(#6388)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Avoid wrong config for ",(0,i.jsx)(s.code,{children:"flannel-external-ip"})," and add warning if unencrypted backend ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6403",children:"(#6403)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix test-mods to allow for pinning version from k8s.io ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6413",children:"(#6413)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix for metrics-server in the multi-cloud cluster env ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6386",children:"(#6386)"})]}),"\n",(0,i.jsxs)(s.li,{children:["K3s now indicates specifically which cluster-level configuration flags are out of sync when critical configuration differs between server nodes. ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6409",children:"(#6409)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Convert test output to JSON format ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6410",children:"(#6410)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Pull traefik helm chart directly from GH ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6468",children:"(#6468)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Nightly test fix ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6475",children:"(#6475)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.4 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6477",children:"(#6477)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove stuff which belongs in the windows executor implementation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6492",children:"(#6492)"})]}),"\n",(0,i.jsxs)(s.li,{children:["The packaged traefik helm chart has been bumped to 19.0.4 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6494",children:"(#6494)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Move traefik chart repo again ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6508",children:"(#6508)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1253k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.3+k3s1",children:"v1.25.3+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.3, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1252",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1252k3s1",children:"Changes since v1.25.2+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["E2E: Groundwork for PR runs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6131",children:"(#6131)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix flannel for deployments of nodes which do not belong to the same network and connect using their public IP ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6180",children:"(#6180)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Mark v1.24.6+k3s1 as stable ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6193",children:"(#6193)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add cluster reset test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6161",children:"(#6161)"})]}),"\n",(0,i.jsxs)(s.li,{children:["The embedded metrics-server version has been bumped to v0.6.1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6151",children:"(#6151)"})]}),"\n",(0,i.jsxs)(s.li,{children:["The ServiceLB (klipper-lb) service controller is now integrated into the K3s stub cloud controller manager. ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6181",children:"(#6181)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Events recorded to the cluster by embedded controllers are now properly formatted in the service logs. ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6203",children:"(#6203)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix ",(0,i.jsx)(s.code,{children:"error dialing backend"})," errors in apiserver network proxy ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6216",children:"(#6216)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Fixed an issue with the apiserver network proxy that caused ",(0,i.jsx)(s.code,{children:"kubectl exec"})," to occasionally fail with ",(0,i.jsx)(s.code,{children:"error dialing backend: EOF"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fixed an issue with the apiserver network proxy that caused ",(0,i.jsx)(s.code,{children:"kubectl exec"})," and ",(0,i.jsx)(s.code,{children:"kubectl logs"})," to fail when a custom kubelet port was used, and the custom port was blocked by firewall or security group rules."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix the typo in the test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6183",children:"(#6183)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Use setup-go action to cache dependencies ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6220",children:"(#6220)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add journalctl logs to E2E tests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6224",children:"(#6224)"})]}),"\n",(0,i.jsxs)(s.li,{children:["The embedded Traefik version has been bumped to v2.9.1 / chart 12.0.0 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6223",children:"(#6223)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix flakey etcd test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6232",children:"(#6232)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Replace deprecated ioutil package ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6230",children:"(#6230)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix dualStack test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6245",children:"(#6245)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add ServiceAccount for svclb pods ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6253",children:"(#6253)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.3-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6269",children:"(#6269)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Return ProviderID in URI format ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6284",children:"(#6284)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Corrected CCM RBAC to allow for removal of legacy service finalizer during upgrades. ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6306",children:"(#6306)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Added a new --flannel-external-ip flag. ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6321",children:"(#6321)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"When enabled, Flannel traffic will now use the nodes external IPs, instead of internal."}),"\n",(0,i.jsx)(s.li,{children:"This is meant for use with distributed clusters that are not all on the same local network."}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1252k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.2+k3s1",children:"v1.25.2+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.2, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1250",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1250k3s1",children:"Changes since v1.25.0+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Add k3s v1.25 to the release channel ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6129",children:"(#6129)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Restore original INSTALL_K3S_SKIP_DOWNLOAD behavior ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6130",children:"(#6130)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add K3S Release Documentation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6135",children:"(#6135)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6140",children:"(#6140)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.2-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6168",children:"(#6168)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1250k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.0+k3s1",children:"v1.25.0+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release is K3S's first in the v1.25 line. This release updates Kubernetes to v1.25.0."}),"\n",(0,i.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]}),"\n",(0,i.jsxs)(s.p,{children:[(0,i.jsx)(s.strong,{children:"Important Note:"})," Kubernetes v1.25 removes the beta ",(0,i.jsx)(s.code,{children:"PodSecurityPolicy"})," admission plugin. Please follow the ",(0,i.jsx)(s.a,{href:"https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/",children:"upstream documentation"})," to migrate from PSP if using the built-in PodSecurity Admission Plugin, prior to upgrading to v1.25.0+k3s1."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1244k3s1",children:"Changes since v1.24.4+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Update Kubernetes to v1.25.0 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6040",children:"(#6040)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove ",(0,i.jsx)(s.code,{children:"--containerd"})," flag from windows kubelet args ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6028",children:"(#6028)"})]}),"\n",(0,i.jsxs)(s.li,{children:["E2E: Add support for CentOS 7 and Rocky 8 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6015",children:"(#6015)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Convert install tests to run PR build of k3s ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6003",children:"(#6003)"})]}),"\n",(0,i.jsxs)(s.li,{children:["CI: update Fedora 34 -> 35 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5996",children:"(#5996)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix dualStack test and change ipv6 network prefix ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6023",children:"(#6023)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix e2e tests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6018",children:"(#6018)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update README.md ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6048",children:"(#6048)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove wireguard interfaces when deleting the cluster ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6055",children:"(#6055)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add validation check to confirm correct golang version for Kubernetes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6050",children:"(#6050)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Expand startup integration test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6030",children:"(#6030)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update go.mod version to 1.19 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6049",children:"(#6049)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Usage of ",(0,i.jsx)(s.code,{children:"--cluster-secret"}),", ",(0,i.jsx)(s.code,{children:"--no-deploy"}),", and ",(0,i.jsx)(s.code,{children:"--no-flannel"})," is no longer supported. Attempts to use these flags will cause fatal errors. See ",(0,i.jsx)(s.a,{href:"https://k3s-io.github.io/docs/reference/server-config#deprecated-options",children:"the docs"})," for their replacement. ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6069",children:"(#6069)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update Flannel version to fix older iptables version issue. ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6090",children:"(#6090)"})]}),"\n",(0,i.jsxs)(s.li,{children:["The bundled version of runc has been bumped to v1.1.4 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6071",children:"(#6071)"})]}),"\n",(0,i.jsxs)(s.li,{children:["The embedded containerd version has been bumped to v1.6.8-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6078",children:"(#6078)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix deprecation message ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6112",children:"(#6112)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Added warning message for flannel backend additional options deprecation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6111",children:"(#6111)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{})]})}function o(e={}){const{wrapper:s}={...(0,r.a)(),...e.components};return s?(0,i.jsx)(s,{...e,children:(0,i.jsx)(a,{...e})}):a(e)}},1151:(e,s,t)=>{t.d(s,{Z:()=>h,a:()=>l});var i=t(7294);const r={},n=i.createContext(r);function l(e){const s=i.useContext(n);return i.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function h(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:l(e.components),i.createElement(n.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/9f491e05.ccd56893.js b/assets/js/9f491e05.ccd56893.js new file mode 100644 index 000000000..9e643c94e --- /dev/null +++ b/assets/js/9f491e05.ccd56893.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[3189],{9297:(e,r,t)=>{t.r(r),t.d(r,{assets:()=>l,contentTitle:()=>i,default:()=>h,frontMatter:()=>a,metadata:()=>c,toc:()=>o});var s=t(5893),n=t(1151);const a={title:"CIS 1.23 Self Assessment Guide"},i=void 0,c={id:"security/self-assessment-1.23",title:"CIS 1.23 Self Assessment Guide",description:"Overview",source:"@site/docs/security/self-assessment-1.23.md",sourceDirName:"security",slug:"/security/self-assessment-1.23",permalink:"/security/self-assessment-1.23",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/security/self-assessment-1.23.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"CIS 1.23 Self Assessment Guide"}},l={},o=[{value:"Overview",id:"overview",level:2},{value:"Testing controls methodology",id:"testing-controls-methodology",level:3},{value:"1.1 Control Plane Node Configuration Files",id:"11-control-plane-node-configuration-files",level:2},{value:"1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)",id:"111-ensure-that-the-api-server-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"1.1.2 Ensure that the API server pod specification file ownership is set to root (Automated)",id:"112-ensure-that-the-api-server-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Automated)",id:"113-ensure-that-the-controller-manager-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"1.1.4 Ensure that the controller manager pod specification file ownership is set to root (Automated)",id:"114-ensure-that-the-controller-manager-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.5 Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Automated)",id:"115-ensure-that-the-scheduler-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"1.1.6 Ensure that the scheduler pod specification file ownership is set to root (Automated)",id:"116-ensure-that-the-scheduler-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.7 Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated)",id:"117-ensure-that-the-etcd-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"1.1.8 Ensure that the etcd pod specification file ownership is set to root (Automated)",id:"118-ensure-that-the-etcd-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.9 Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual)",id:"119-ensure-that-the-container-network-interface-file-permissions-are-set-to-644-or-more-restrictive-manual",level:3},{value:"1.1.10 Ensure that the Container Network Interface file ownership is set to root (Manual)",id:"1110-ensure-that-the-container-network-interface-file-ownership-is-set-to-root-manual",level:3},{value:"1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)",id:"1111-ensure-that-the-etcd-data-directory-permissions-are-set-to-700-or-more-restrictive-automated",level:3},{value:"1.1.12 Ensure that the etcd data directory ownership is set to etcd (Automated)",id:"1112-ensure-that-the-etcd-data-directory-ownership-is-set-to-etcd-automated",level:3},{value:"1.1.13 Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)",id:"1113-ensure-that-the-adminconf-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.14 Ensure that the admin.conf file ownership is set to root (Automated)",id:"1114-ensure-that-the-adminconf-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.15 Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated)",id:"1115-ensure-that-the-schedulerconf-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"1.1.16 Ensure that the scheduler.conf file ownership is set to root (Automated)",id:"1116-ensure-that-the-schedulerconf-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated)",id:"1117-ensure-that-the-controller-managerconf-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"1.1.18 Ensure that the controller-manager.conf file ownership is set to root (Automated)",id:"1118-ensure-that-the-controller-managerconf-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root (Automated)",id:"1119-ensure-that-the-kubernetes-pki-directory-and-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Manual)",id:"1120-ensure-that-the-kubernetes-pki-certificate-file-permissions-are-set-to-644-or-more-restrictive-manual",level:3},{value:"1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)",id:"1121-ensure-that-the-kubernetes-pki-key-file-permissions-are-set-to-600-manual",level:3},{value:"1.2 API Server",id:"12-api-server",level:2},{value:"1.2.1 Ensure that the --anonymous-auth argument is set to false (Manual)",id:"121-ensure-that-the---anonymous-auth-argument-is-set-to-false-manual",level:3},{value:"1.2.2 Ensure that the --token-auth-file parameter is not set (Automated)",id:"122-ensure-that-the---token-auth-file-parameter-is-not-set-automated",level:3},{value:"1.2.3 Ensure that the --DenyServiceExternalIPs is not set (Automated)",id:"123-ensure-that-the---denyserviceexternalips-is-not-set-automated",level:3},{value:"1.2.4 Ensure that the --kubelet-https argument is set to true (Automated)",id:"124-ensure-that-the---kubelet-https-argument-is-set-to-true-automated",level:3},{value:"1.2.5 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)",id:"125-ensure-that-the---kubelet-client-certificate-and---kubelet-client-key-arguments-are-set-as-appropriate-automated",level:3},{value:"1.2.6 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)",id:"126-ensure-that-the---kubelet-certificate-authority-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.7 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)",id:"127-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",level:3},{value:"1.2.8 Ensure that the --authorization-mode argument includes Node (Automated)",id:"128-ensure-that-the---authorization-mode-argument-includes-node-automated",level:3},{value:"1.2.9 Ensure that the --authorization-mode argument includes RBAC (Automated)",id:"129-ensure-that-the---authorization-mode-argument-includes-rbac-automated",level:3},{value:"1.2.10 Ensure that the admission control plugin EventRateLimit is set (Manual)",id:"1210-ensure-that-the-admission-control-plugin-eventratelimit-is-set-manual",level:3},{value:"1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set (Automated)",id:"1211-ensure-that-the-admission-control-plugin-alwaysadmit-is-not-set-automated",level:3},{value:"1.2.12 Ensure that the admission control plugin AlwaysPullImages is set (Manual)",id:"1212-ensure-that-the-admission-control-plugin-alwayspullimages-is-set-manual",level:3},{value:"1.2.13 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)",id:"1213-ensure-that-the-admission-control-plugin-securitycontextdeny-is-set-if-podsecuritypolicy-is-not-used-manual",level:3},{value:"1.2.14 Ensure that the admission control plugin ServiceAccount is set (Automated)",id:"1214-ensure-that-the-admission-control-plugin-serviceaccount-is-set-automated",level:3},{value:"1.2.15 Ensure that the admission control plugin NamespaceLifecycle is set (Automated)",id:"1215-ensure-that-the-admission-control-plugin-namespacelifecycle-is-set-automated",level:3},{value:"1.2.16 Ensure that the admission control plugin NodeRestriction is set (Automated)",id:"1216-ensure-that-the-admission-control-plugin-noderestriction-is-set-automated",level:3},{value:"1.2.17 Ensure that the --secure-port argument is not set to 0 (Automated)",id:"1217-ensure-that-the---secure-port-argument-is-not-set-to-0-automated",level:3},{value:"1.2.18 Ensure that the --profiling argument is set to false (Automated)",id:"1218-ensure-that-the---profiling-argument-is-set-to-false-automated",level:3},{value:"1.2.19 Ensure that the --audit-log-path argument is set (Automated)",id:"1219-ensure-that-the---audit-log-path-argument-is-set-automated",level:3},{value:"1.2.20 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)",id:"1220-ensure-that-the---audit-log-maxage-argument-is-set-to-30-or-as-appropriate-automated",level:3},{value:"1.2.21 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)",id:"1221-ensure-that-the---audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate-automated",level:3},{value:"1.2.22 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)",id:"1222-ensure-that-the---audit-log-maxsize-argument-is-set-to-100-or-as-appropriate-automated",level:3},{value:"1.2.24 Ensure that the --service-account-lookup argument is set to true (Automated)",id:"1224-ensure-that-the---service-account-lookup-argument-is-set-to-true-automated",level:3},{value:"1.2.25 Ensure that the --request-timeout argument is set as appropriate (Automated)",id:"1225-ensure-that-the---request-timeout-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.26 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)",id:"1226-ensure-that-the---etcd-certfile-and---etcd-keyfile-arguments-are-set-as-appropriate-automated",level:3},{value:"1.2.27 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)",id:"1227-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"1.2.28 Ensure that the --client-ca-file argument is set as appropriate (Automated)",id:"1228-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.29 Ensure that the --etcd-cafile argument is set as appropriate (Automated)",id:"1229-ensure-that-the---etcd-cafile-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.30 Ensure that the --encryption-provider-config argument is set as appropriate (Manual)",id:"1230-ensure-that-the---encryption-provider-config-argument-is-set-as-appropriate-manual",level:3},{value:"1.2.31 Ensure that encryption providers are appropriately configured (Manual)",id:"1231-ensure-that-encryption-providers-are-appropriately-configured-manual",level:3},{value:"1.2.32 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual)",id:"1232-ensure-that-the-api-server-only-makes-use-of-strong-cryptographic-ciphers-manual",level:3},{value:"1.3 Controller Manager",id:"13-controller-manager",level:2},{value:"1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)",id:"131-ensure-that-the---terminated-pod-gc-threshold-argument-is-set-as-appropriate-manual",level:3},{value:"1.3.2 Ensure that the --profiling argument is set to false (Automated)",id:"132-ensure-that-the---profiling-argument-is-set-to-false-automated",level:3},{value:"1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated)",id:"133-ensure-that-the---use-service-account-credentials-argument-is-set-to-true-automated",level:3},{value:"1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)",id:"134-ensure-that-the---service-account-private-key-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated)",id:"135-ensure-that-the---root-ca-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)",id:"136-ensure-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",level:3},{value:"1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)",id:"137-ensure-that-the---bind-address-argument-is-set-to-127001-automated",level:3},{value:"1.4 Scheduler",id:"14-scheduler",level:2},{value:"1.4.1 Ensure that the --profiling argument is set to false (Automated)",id:"141-ensure-that-the---profiling-argument-is-set-to-false-automated",level:3},{value:"1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)",id:"142-ensure-that-the---bind-address-argument-is-set-to-127001-automated",level:3},{value:"2 Etcd Node Configuration",id:"2-etcd-node-configuration",level:2},{value:"2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)",id:"21-ensure-that-the---cert-file-and---key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"2.2 Ensure that the --client-cert-auth argument is set to true (Automated)",id:"22-ensure-that-the---client-cert-auth-argument-is-set-to-true-automated",level:3},{value:"2.3 Ensure that the --auto-tls argument is not set to true (Automated)",id:"23-ensure-that-the---auto-tls-argument-is-not-set-to-true-automated",level:3},{value:"2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)",id:"24-ensure-that-the---peer-cert-file-and---peer-key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"2.5 Ensure that the --peer-client-cert-auth argument is set to true (Automated)",id:"25-ensure-that-the---peer-client-cert-auth-argument-is-set-to-true-automated",level:3},{value:"2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated)",id:"26-ensure-that-the---peer-auto-tls-argument-is-not-set-to-true-automated",level:3},{value:"2.7 Ensure that a unique Certificate Authority is used for etcd (Manual)",id:"27-ensure-that-a-unique-certificate-authority-is-used-for-etcd-manual",level:3},{value:"3.1 Authentication and Authorization",id:"31-authentication-and-authorization",level:2},{value:"3.1.1 Client certificate authentication should not be used for users (Manual)",id:"311-client-certificate-authentication-should-not-be-used-for-users-manual",level:3},{value:"3.2 Logging",id:"32-logging",level:2},{value:"3.2.1 Ensure that a minimal audit policy is created (Manual)",id:"321-ensure-that-a-minimal-audit-policy-is-created-manual",level:3},{value:"3.2.2 Ensure that the audit policy covers key security concerns (Manual)",id:"322-ensure-that-the-audit-policy-covers-key-security-concerns-manual",level:3},{value:"4.1 Worker Node Configuration Files",id:"41-worker-node-configuration-files",level:2},{value:"4.1.1 Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automated)",id:"411-ensure-that-the-kubelet-service-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"4.1.2 Ensure that the kubelet service file ownership is set to root (Automated)",id:"412-ensure-that-the-kubelet-service-file-ownership-is-set-to-root-automated",level:3},{value:"4.1.3 If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive (Manual)",id:"413-if-proxy-kubeconfig-file-exists-ensure-permissions-are-set-to-644-or-more-restrictive-manual",level:3},{value:"4.1.4 If proxy kubeconfig file exists ensure ownership is set to root (Manual)",id:"414-if-proxy-kubeconfig-file-exists-ensure-ownership-is-set-to-root-manual",level:3},{value:"4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive (Automated)",id:"415-ensure-that-the---kubeconfig-kubeletconf-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root (Automated)",id:"416-ensure-that-the---kubeconfig-kubeletconf-file-ownership-is-set-to-root-automated",level:3},{value:"4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual)",id:"417-ensure-that-the-certificate-authorities-file-permissions-are-set-to-644-or-more-restrictive-manual",level:3},{value:"4.1.8 Ensure that the client certificate authorities file ownership is set to root (Manual)",id:"418-ensure-that-the-client-certificate-authorities-file-ownership-is-set-to-root-manual",level:3},{value:"4.1.9 Ensure that the kubelet --config configuration file has permissions set to 644 or more restrictive (Automated)",id:"419-ensure-that-the-kubelet---config-configuration-file-has-permissions-set-to-644-or-more-restrictive-automated",level:3},{value:"4.1.10 Ensure that the kubelet --config configuration file ownership is set to root (Automated)",id:"4110-ensure-that-the-kubelet---config-configuration-file-ownership-is-set-to-root-automated",level:3},{value:"4.2 Kubelet",id:"42-kubelet",level:2},{value:"4.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)",id:"421-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",level:3},{value:"4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)",id:"422-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",level:3},{value:"4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)",id:"423-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",level:3},{value:"4.2.4 Ensure that the --read-only-port argument is set to 0 (Manual)",id:"424-ensure-that-the---read-only-port-argument-is-set-to-0-manual",level:3},{value:"4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)",id:"425-ensure-that-the---streaming-connection-idle-timeout-argument-is-not-set-to-0-manual",level:3},{value:"4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)",id:"426-ensure-that-the---protect-kernel-defaults-argument-is-set-to-true-automated",level:3},{value:"4.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Automated)",id:"427-ensure-that-the---make-iptables-util-chains-argument-is-set-to-true-automated",level:3},{value:"4.2.8 Ensure that the --hostname-override argument is not set (Manual)",id:"428-ensure-that-the---hostname-override-argument-is-not-set-manual",level:3},{value:"4.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Manual)",id:"429-ensure-that-the---event-qps-argument-is-set-to-0-or-a-level-which-ensures-appropriate-event-capture-manual",level:3},{value:"4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)",id:"4210-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-manual",level:3},{value:"4.2.11 Ensure that the --rotate-certificates argument is not set to false (Automated)",id:"4211-ensure-that-the---rotate-certificates-argument-is-not-set-to-false-automated",level:3},{value:"4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true (Manual)",id:"4212-verify-that-the-rotatekubeletservercertificate-argument-is-set-to-true-manual",level:3},{value:"4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)",id:"4213-ensure-that-the-kubelet-only-makes-use-of-strong-cryptographic-ciphers-manual",level:3},{value:"5.1 RBAC and Service Accounts",id:"51-rbac-and-service-accounts",level:2},{value:"5.1.1 Ensure that the cluster-admin role is only used where required (Manual)",id:"511-ensure-that-the-cluster-admin-role-is-only-used-where-required-manual",level:3},{value:"5.1.2 Minimize access to secrets (Manual)",id:"512-minimize-access-to-secrets-manual",level:3},{value:"5.1.3 Minimize wildcard use in Roles and ClusterRoles (Manual)",id:"513-minimize-wildcard-use-in-roles-and-clusterroles-manual",level:3},{value:"5.1.4 Minimize access to create pods (Manual)",id:"514-minimize-access-to-create-pods-manual",level:3},{value:"5.1.5 Ensure that default service accounts are not actively used. (Manual)",id:"515-ensure-that-default-service-accounts-are-not-actively-used-manual",level:3},{value:"5.1.6 Ensure that Service Account Tokens are only mounted where necessary (Manual)",id:"516-ensure-that-service-account-tokens-are-only-mounted-where-necessary-manual",level:3},{value:"5.1.7 Avoid use of system group (Manual)",id:"517-avoid-use-of-system-group-manual",level:3},{value:"5.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)",id:"518-limit-use-of-the-bind-impersonate-and-escalate-permissions-in-the-kubernetes-cluster-manual",level:3},{value:"5.2 Pod Security Standards",id:"52-pod-security-standards",level:2},{value:"5.2.1 Ensure that the cluster has at least one active policy control mechanism in place (Manual)",id:"521-ensure-that-the-cluster-has-at-least-one-active-policy-control-mechanism-in-place-manual",level:3},{value:"5.2.2 Minimize the admission of privileged containers (Automated)",id:"522-minimize-the-admission-of-privileged-containers-automated",level:3},{value:"5.2.3 Minimize the admission of containers wishing to share the host process ID namespace (Automated)",id:"523-minimize-the-admission-of-containers-wishing-to-share-the-host-process-id-namespace-automated",level:3},{value:"5.2.4 Minimize the admission of containers wishing to share the host IPC namespace (Automated)",id:"524-minimize-the-admission-of-containers-wishing-to-share-the-host-ipc-namespace-automated",level:3},{value:"5.2.5 Minimize the admission of containers wishing to share the host network namespace (Automated)",id:"525-minimize-the-admission-of-containers-wishing-to-share-the-host-network-namespace-automated",level:3},{value:"5.2.6 Minimize the admission of containers with allowPrivilegeEscalation (Automated)",id:"526-minimize-the-admission-of-containers-with-allowprivilegeescalation-automated",level:3},{value:"5.2.7 Minimize the admission of root containers (Automated)",id:"527-minimize-the-admission-of-root-containers-automated",level:3},{value:"5.2.8 Minimize the admission of containers with the NET_RAW capability (Automated)",id:"528-minimize-the-admission-of-containers-with-the-net_raw-capability-automated",level:3},{value:"5.2.9 Minimize the admission of containers with added capabilities (Automated)",id:"529-minimize-the-admission-of-containers-with-added-capabilities-automated",level:3},{value:"5.2.10 Minimize the admission of containers with capabilities assigned (Manual)",id:"5210-minimize-the-admission-of-containers-with-capabilities-assigned-manual",level:3},{value:"5.2.11 Minimize the admission of Windows HostProcess containers (Manual)",id:"5211-minimize-the-admission-of-windows-hostprocess-containers-manual",level:3},{value:"5.2.12 Minimize the admission of HostPath volumes (Manual)",id:"5212-minimize-the-admission-of-hostpath-volumes-manual",level:3},{value:"5.2.13 Minimize the admission of containers which use HostPorts (Manual)",id:"5213-minimize-the-admission-of-containers-which-use-hostports-manual",level:3},{value:"5.3 Network Policies and CNI",id:"53-network-policies-and-cni",level:2},{value:"5.3.1 Ensure that the CNI in use supports NetworkPolicies (Manual)",id:"531-ensure-that-the-cni-in-use-supports-networkpolicies-manual",level:3},{value:"5.3.2 Ensure that all Namespaces have NetworkPolicies defined (Manual)",id:"532-ensure-that-all-namespaces-have-networkpolicies-defined-manual",level:3},{value:"5.4 Secrets Management",id:"54-secrets-management",level:2},{value:"5.4.1 Prefer using Secrets as files over Secrets as environment variables (Manual)",id:"541-prefer-using-secrets-as-files-over-secrets-as-environment-variables-manual",level:3},{value:"5.4.2 Consider external secret storage (Manual)",id:"542-consider-external-secret-storage-manual",level:3},{value:"5.5 Extensible Admission Control",id:"55-extensible-admission-control",level:2},{value:"5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)",id:"551-configure-image-provenance-using-imagepolicywebhook-admission-controller-manual",level:3},{value:"5.7 General Policies",id:"57-general-policies",level:2},{value:"5.7.1 Create administrative boundaries between resources using namespaces (Manual)",id:"571-create-administrative-boundaries-between-resources-using-namespaces-manual",level:3},{value:"5.7.2 Ensure that the seccomp profile is set to docker/default in your Pod definitions (Manual)",id:"572-ensure-that-the-seccomp-profile-is-set-to-dockerdefault-in-your-pod-definitions-manual",level:3},{value:"5.7.3 Apply SecurityContext to your Pods and Containers (Manual)",id:"573-apply-securitycontext-to-your-pods-and-containers-manual",level:3},{value:"5.7.4 The default namespace should not be used (Manual)",id:"574-the-default-namespace-should-not-be-used-manual",level:3}];function d(e){const r={a:"a",blockquote:"blockquote",code:"code",h2:"h2",h3:"h3",li:"li",p:"p",pre:"pre",strong:"strong",ul:"ul",...(0,n.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(r.h2,{id:"overview",children:"Overview"}),"\n",(0,s.jsxs)(r.p,{children:["This document is a companion to the ",(0,s.jsx)(r.a,{href:"/security/hardening-guide",children:"K3s security hardening guide"}),". The hardening guide provides prescriptive guidance for hardening a production installation of K3s, and this benchmark guide is meant to help you evaluate the level of security of the hardened cluster against each control in the CIS Kubernetes Benchmark. It is to be used by K3s operators, security teams, auditors, and decision-makers."]}),"\n",(0,s.jsxs)(r.p,{children:["This guide is specific to the ",(0,s.jsx)(r.strong,{children:"v1.22-v1.23"})," release lines of K3s and the ",(0,s.jsx)(r.strong,{children:"v1.23"})," release of the CIS Kubernetes Benchmark."]}),"\n",(0,s.jsxs)(r.p,{children:["For more information about each control, including detailed descriptions and remediations for failing tests, you can refer to the corresponding section of the CIS Kubernetes Benchmark v1.6. You can download the benchmark, after creating a free account, in ",(0,s.jsx)(r.a,{href:"https://www.cisecurity.org/benchmark/kubernetes/",children:"Center for Internet Security (CIS)"}),"."]}),"\n",(0,s.jsx)(r.h3,{id:"testing-controls-methodology",children:"Testing controls methodology"}),"\n",(0,s.jsx)(r.p,{children:"Each control in the CIS Kubernetes Benchmark was evaluated against a K3s cluster that was configured according to the accompanying hardening guide."}),"\n",(0,s.jsx)(r.p,{children:"Where control audits differ from the original CIS benchmark, the audit commands specific to K3s are provided for testing."}),"\n",(0,s.jsx)(r.p,{children:"These are the possible results for each control:"}),"\n",(0,s.jsxs)(r.ul,{children:["\n",(0,s.jsxs)(r.li,{children:[(0,s.jsx)(r.strong,{children:"Pass"})," - The K3s cluster under test passed the audit outlined in the benchmark."]}),"\n",(0,s.jsxs)(r.li,{children:[(0,s.jsx)(r.strong,{children:"Not Applicable"})," - The control is not applicable to K3s because of how it is designed to operate. The remediation section will explain why this is so."]}),"\n",(0,s.jsxs)(r.li,{children:[(0,s.jsx)(r.strong,{children:"Warn"})," - The control is manual in the CIS benchmark and it depends on the cluster's use case or some other factor that must be determined by the cluster operator. These controls have been evaluated to ensure K3s does not prevent their implementation, but no further configuration or auditing of the cluster under test has been performed."]}),"\n"]}),"\n",(0,s.jsx)(r.p,{children:'This guide makes the assumption that K3s is running as a Systemd unit. Your installation may vary and will require you to adjust the "audit" commands to fit your scenario.'}),"\n",(0,s.jsxs)(r.blockquote,{children:["\n",(0,s.jsxs)(r.p,{children:["NOTE: Only ",(0,s.jsx)(r.code,{children:"automated"})," tests (previously called ",(0,s.jsx)(r.code,{children:"scored"}),") are covered in this guide."]}),"\n"]}),"\n",(0,s.jsx)(r.h2,{id:"11-control-plane-node-configuration-files",children:"1.1 Control Plane Node Configuration Files"}),"\n",(0,s.jsx)(r.h3,{id:"111-ensure-that-the-api-server-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the\ncontrol plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chmod 644 /etc/kubernetes/manifests/kube-apiserver.yaml"})]}),"\n",(0,s.jsxs)(r.h3,{id:"112-ensure-that-the-api-server-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.2 Ensure that the API server pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chown root:root /etc/kubernetes/manifests/kube-apiserver.yaml"})]}),"\n",(0,s.jsx)(r.h3,{id:"113-ensure-that-the-controller-manager-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chmod 644 /etc/kubernetes/manifests/kube-controller-manager.yaml"})]}),"\n",(0,s.jsxs)(r.h3,{id:"114-ensure-that-the-controller-manager-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.4 Ensure that the controller manager pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chown root:root /etc/kubernetes/manifests/kube-controller-manager.yaml"})]}),"\n",(0,s.jsx)(r.h3,{id:"115-ensure-that-the-scheduler-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"1.1.5 Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chmod 644 /etc/kubernetes/manifests/kube-scheduler.yaml"})]}),"\n",(0,s.jsxs)(r.h3,{id:"116-ensure-that-the-scheduler-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.6 Ensure that the scheduler pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chown root:root /etc/kubernetes/manifests/kube-scheduler.yaml"})]}),"\n",(0,s.jsx)(r.h3,{id:"117-ensure-that-the-etcd-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"1.1.7 Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chmod 644 /etc/kubernetes/manifests/etcd.yaml"})]}),"\n",(0,s.jsxs)(r.h3,{id:"118-ensure-that-the-etcd-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.8 Ensure that the etcd pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chown root:root /etc/kubernetes/manifests/etcd.yaml"})]}),"\n",(0,s.jsx)(r.h3,{id:"119-ensure-that-the-container-network-interface-file-permissions-are-set-to-644-or-more-restrictive-manual",children:"1.1.9 Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chmod 644 <path/to/cni/files>"})]}),"\n",(0,s.jsxs)(r.h3,{id:"1110-ensure-that-the-container-network-interface-file-ownership-is-set-to-root-manual",children:["1.1.10 Ensure that the Container Network Interface file ownership is set to root",":root"," (Manual)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chown root:root <path/to/cni/files>"})]}),"\n",(0,s.jsx)(r.h3,{id:"1111-ensure-that-the-etcd-data-directory-permissions-are-set-to-700-or-more-restrictive-automated",children:"1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nOn the etcd server node, get the etcd data directory, passed as an argument --data-dir,\nfrom the command 'ps -ef | grep etcd'.\nRun the below command (based on the etcd data directory found above). For example,\nchmod 700 /var/lib/etcd"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 1.1.11\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'700' is equal to '700'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"700\n"})}),"\n",(0,s.jsxs)(r.h3,{id:"1112-ensure-that-the-etcd-data-directory-ownership-is-set-to-etcd-automated",children:["1.1.12 Ensure that the etcd data directory ownership is set to etcd",":etcd"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nOn the etcd server node, get the etcd data directory, passed as an argument --data-dir,\nfrom the command 'ps -ef | grep etcd'.\nRun the below command (based on the etcd data directory found above).\nFor example, chown etcd",":etcd"," /var/lib/etcd"]}),"\n",(0,s.jsx)(r.h3,{id:"1113-ensure-that-the-adminconf-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.13 Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, chmod 600 /var/lib/rancher/k3s/server/cred/admin.kubeconfig"]}),"\n",(0,s.jsxs)(r.h3,{id:"1114-ensure-that-the-adminconf-file-ownership-is-set-to-root-automated",children:["1.1.14 Ensure that the admin.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, chown root",":root"," /etc/kubernetes/admin.conf"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/admin.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/server/cred/admin.kubeconfig; fi'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'root:root' is equal to 'root:root'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root\n"})}),"\n",(0,s.jsx)(r.h3,{id:"1115-ensure-that-the-schedulerconf-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"1.1.15 Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example,\nchmod 644 scheduler"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; fi'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions has permissions 644, expected 644 or more restrictive\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions=644\n"})}),"\n",(0,s.jsxs)(r.h3,{id:"1116-ensure-that-the-schedulerconf-file-ownership-is-set-to-root-automated",children:["1.1.16 Ensure that the scheduler.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chown root:root scheduler"})]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; fi'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'root:root' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root\n"})}),"\n",(0,s.jsx)(r.h3,{id:"1117-ensure-that-the-controller-managerconf-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example,\nchmod 644 controllermanager"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/controller.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/controller.kubeconfig; fi'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions has permissions 644, expected 644 or more restrictive\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions=644\n"})}),"\n",(0,s.jsxs)(r.h3,{id:"1118-ensure-that-the-controller-managerconf-file-ownership-is-set-to-root-automated",children:["1.1.18 Ensure that the controller-manager.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example,\nchown root",":root"," controllermanager"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/server/tls\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'root:root' is equal to 'root:root'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root\n"})}),"\n",(0,s.jsxs)(r.h3,{id:"1119-ensure-that-the-kubernetes-pki-directory-and-file-ownership-is-set-to-root-automated",children:["1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example,\nchown -R root",":root"," /etc/kubernetes/pki/"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"find /var/lib/rancher/k3s/server/tls | xargs stat -c %U:%G\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'root:root' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root\n"})}),"\n",(0,s.jsx)(r.h3,{id:"1120-ensure-that-the-kubernetes-pki-certificate-file-permissions-are-set-to-644-or-more-restrictive-manual",children:"1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example,\nchmod -R 644 /etc/kubernetes/pki/*.crt"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %n %a /var/lib/rancher/k3s/server/tls/*.crt\n"})}),"\n",(0,s.jsx)(r.h3,{id:"1121-ensure-that-the-kubernetes-pki-key-file-permissions-are-set-to-600-manual",children:"1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example,\nchmod -R 600 /etc/kubernetes/pki/*.key"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %n %a /var/lib/rancher/k3s/server/tls/*.key\n"})}),"\n",(0,s.jsx)(r.h2,{id:"12-api-server",children:"1.2 API Server"}),"\n",(0,s.jsx)(r.h3,{id:"121-ensure-that-the---anonymous-auth-argument-is-set-to-false-manual",children:"1.2.1 Ensure that the --anonymous-auth argument is set to false (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the below parameter.\n--anonymous-auth=false"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'anonymous-auth'\n"})}),"\n",(0,s.jsx)(r.h3,{id:"122-ensure-that-the---token-auth-file-parameter-is-not-set-automated",children:"1.2.2 Ensure that the --token-auth-file parameter is not set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the documentation and configure alternate mechanisms for authentication. Then,\nedit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and remove the ",(0,s.jsx)(r.code,{children:"--token-auth-file=<filename>"})," parameter."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/ps -ef | grep containerd | grep -v grep\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--token-auth-file' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root 1616 1600 6 13:26 ? 00:01:28 containerd -c /var/lib/rancher/k3s/agent/etc/containerd/config.toml -a /run/k3s/containerd/containerd.sock --state /run/k3s/containerd --root /var/lib/rancher/k3s/agent/containerd root 2318 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id b41ec3297be4625c2406ad8b7b4f8b91cddd60850c420050c4c3273f809b3e7e -address /run/k3s/containerd/containerd.sock root 2341 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id e7999a65ae0a4e9969f32317ec48ae4f7071b62f92e5236696737973be77c2e1 -address /run/k3s/containerd/containerd.sock root 3199 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 90c4e63d6ee29d40a48c2fdaf2738c2472cba1139dde8a550466c452184f8528 -address /run/k3s/containerd/containerd.sock root 3923 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id be5f4b9bd1ed9239362b7000b47f353acb8bc8ca52a9c9145cba0e902ec1c4b9 -address /run/k3s/containerd/containerd.sock root 4559 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 04cd40ea6b6078797f177c902c89412c70e523ad2a687a62829bf1d16ff0e19c -address /run/k3s/containerd/containerd.sock root 4647 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 48f37a480315b6adce2d2a5c5d67a85412dd0ba7a2e82816434e0deb9fa75de9 -address /run/k3s/containerd/containerd.sock root 6610 1 0 13:47 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 1cf71c22f568468055e517ab363437c0e54e45274c64024d337cc5bcce66341d -address /run/k3s/containerd/containerd.sock\n"})}),"\n",(0,s.jsx)(r.h3,{id:"123-ensure-that-the---denyserviceexternalips-is-not-set-automated",children:"1.2.3 Ensure that the --DenyServiceExternalIPs is not set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and remove the ",(0,s.jsx)(r.code,{children:"DenyServiceExternalIPs"}),"\nfrom enabled admission plugins."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/ps -ef | grep containerd | grep -v grep\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--enable-admission-plugins' is present OR '--enable-admission-plugins' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root 1616 1600 6 13:26 ? 00:01:28 containerd -c /var/lib/rancher/k3s/agent/etc/containerd/config.toml -a /run/k3s/containerd/containerd.sock --state /run/k3s/containerd --root /var/lib/rancher/k3s/agent/containerd root 2318 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id b41ec3297be4625c2406ad8b7b4f8b91cddd60850c420050c4c3273f809b3e7e -address /run/k3s/containerd/containerd.sock root 2341 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id e7999a65ae0a4e9969f32317ec48ae4f7071b62f92e5236696737973be77c2e1 -address /run/k3s/containerd/containerd.sock root 3199 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 90c4e63d6ee29d40a48c2fdaf2738c2472cba1139dde8a550466c452184f8528 -address /run/k3s/containerd/containerd.sock root 3923 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id be5f4b9bd1ed9239362b7000b47f353acb8bc8ca52a9c9145cba0e902ec1c4b9 -address /run/k3s/containerd/containerd.sock root 4559 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 04cd40ea6b6078797f177c902c89412c70e523ad2a687a62829bf1d16ff0e19c -address /run/k3s/containerd/containerd.sock root 4647 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 48f37a480315b6adce2d2a5c5d67a85412dd0ba7a2e82816434e0deb9fa75de9 -address /run/k3s/containerd/containerd.sock root 6610 1 0 13:47 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 1cf71c22f568468055e517ab363437c0e54e45274c64024d337cc5bcce66341d -address /run/k3s/containerd/containerd.sock\n"})}),"\n",(0,s.jsx)(r.h3,{id:"124-ensure-that-the---kubelet-https-argument-is-set-to-true-automated",children:"1.2.4 Ensure that the --kubelet-https argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and remove the --kubelet-https parameter."]}),"\n",(0,s.jsx)(r.h3,{id:"125-ensure-that-the---kubelet-client-certificate-and---kubelet-client-key-arguments-are-set-as-appropriate-automated",children:"1.2.5 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and set up the TLS connection between the\napiserver and kubelets. Then, edit API server pod specification file\n/etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the\nkubelet client certificate and key parameters as below."]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:"--kubelet-client-certificate=<path/to/client-certificate-file>\n--kubelet-client-key=<path/to/client-key-file>\n"})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'kubelet-certificate-authority'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--kubelet-client-certificate' is present AND '--kubelet-client-key' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"126-ensure-that-the---kubelet-certificate-authority-argument-is-set-as-appropriate-automated",children:"1.2.6 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and setup the TLS connection between\nthe apiserver and kubelets. Then, edit the API server pod specification file\n/etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the\n--kubelet-certificate-authority parameter to the path to the cert file for the certificate authority\n",(0,s.jsx)(r.code,{children:"--kubelet-certificate-authority=<ca-string>"}),"."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'kubelet-certificate-authority'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--kubelet-certificate-authority' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"127-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",children:"1.2.7 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --authorization-mode parameter to values other than AlwaysAllow.\nOne such example could be as below.\n--authorization-mode=RBAC"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--authorization-mode' does not have 'AlwaysAllow'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"128-ensure-that-the---authorization-mode-argument-includes-node-automated",children:"1.2.8 Ensure that the --authorization-mode argument includes Node (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --authorization-mode parameter to a value that includes Node.\n--authorization-mode=Node,RBAC"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--authorization-mode' has 'Node'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"129-ensure-that-the---authorization-mode-argument-includes-rbac-automated",children:"1.2.9 Ensure that the --authorization-mode argument includes RBAC (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --authorization-mode parameter to a value that includes RBAC,\nfor example ",(0,s.jsx)(r.code,{children:"--authorization-mode=Node,RBAC"}),"."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--authorization-mode' has 'RBAC'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1210-ensure-that-the-admission-control-plugin-eventratelimit-is-set-manual",children:"1.2.10 Ensure that the admission control plugin EventRateLimit is set (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and set the desired limits in a configuration file.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\nand set the below parameters."]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:"--enable-admission-plugins=...,EventRateLimit,...\n--admission-control-config-file=<path/to/configuration/file>\n"})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--enable-admission-plugins' has 'EventRateLimit'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1211-ensure-that-the-admission-control-plugin-alwaysadmit-is-not-set-automated",children:"1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and either remove the --enable-admission-plugins parameter, or set it to a\nvalue that does not include AlwaysAdmit."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--enable-admission-plugins' does not have 'AlwaysAdmit' OR '--enable-admission-plugins' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1212-ensure-that-the-admission-control-plugin-alwayspullimages-is-set-manual",children:"1.2.12 Ensure that the admission control plugin AlwaysPullImages is set (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --enable-admission-plugins parameter to include\nAlwaysPullImages.\n--enable-admission-plugins=...,AlwaysPullImages,..."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/ps -ef | grep containerd | grep -v grep\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--enable-admission-plugins' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root 1616 1600 6 13:26 ? 00:01:28 containerd -c /var/lib/rancher/k3s/agent/etc/containerd/config.toml -a /run/k3s/containerd/containerd.sock --state /run/k3s/containerd --root /var/lib/rancher/k3s/agent/containerd root 2318 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id b41ec3297be4625c2406ad8b7b4f8b91cddd60850c420050c4c3273f809b3e7e -address /run/k3s/containerd/containerd.sock root 2341 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id e7999a65ae0a4e9969f32317ec48ae4f7071b62f92e5236696737973be77c2e1 -address /run/k3s/containerd/containerd.sock root 3199 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 90c4e63d6ee29d40a48c2fdaf2738c2472cba1139dde8a550466c452184f8528 -address /run/k3s/containerd/containerd.sock root 3923 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id be5f4b9bd1ed9239362b7000b47f353acb8bc8ca52a9c9145cba0e902ec1c4b9 -address /run/k3s/containerd/containerd.sock root 4559 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 04cd40ea6b6078797f177c902c89412c70e523ad2a687a62829bf1d16ff0e19c -address /run/k3s/containerd/containerd.sock root 4647 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 48f37a480315b6adce2d2a5c5d67a85412dd0ba7a2e82816434e0deb9fa75de9 -address /run/k3s/containerd/containerd.sock root 6610 1 0 13:47 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 1cf71c22f568468055e517ab363437c0e54e45274c64024d337cc5bcce66341d -address /run/k3s/containerd/containerd.sock\n"})}),"\n",(0,s.jsx)(r.h3,{id:"1213-ensure-that-the-admission-control-plugin-securitycontextdeny-is-set-if-podsecuritypolicy-is-not-used-manual",children:"1.2.13 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --enable-admission-plugins parameter to include\nSecurityContextDeny, unless PodSecurityPolicy is already in place.\n--enable-admission-plugins=...,SecurityContextDeny,..."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--enable-admission-plugins' has 'SecurityContextDeny' OR '--enable-admission-plugins' has 'PodSecurityPolicy'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1214-ensure-that-the-admission-control-plugin-serviceaccount-is-set-automated",children:"1.2.14 Ensure that the admission control plugin ServiceAccount is set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the documentation and create ServiceAccount objects as per your environment.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and ensure that the --disable-admission-plugins parameter is set to a\nvalue that does not include ServiceAccount."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--disable-admission-plugins' is present OR '--disable-admission-plugins' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1215-ensure-that-the-admission-control-plugin-namespacelifecycle-is-set-automated",children:"1.2.15 Ensure that the admission control plugin NamespaceLifecycle is set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --disable-admission-plugins parameter to\nensure it does not include NamespaceLifecycle."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--disable-admission-plugins' is present OR '--disable-admission-plugins' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1216-ensure-that-the-admission-control-plugin-noderestriction-is-set-automated",children:"1.2.16 Ensure that the admission control plugin NodeRestriction is set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --enable-admission-plugins parameter to a\nvalue that includes NodeRestriction.\n--enable-admission-plugins=...,NodeRestriction,..."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--enable-admission-plugins' has 'NodeRestriction'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1217-ensure-that-the---secure-port-argument-is-not-set-to-0-automated",children:"1.2.17 Ensure that the --secure-port argument is not set to 0 (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and either remove the --secure-port parameter or\nset it to a different (non-zero) desired port."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'secure-port'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--secure-port' is greater than 0 OR '--secure-port' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1218-ensure-that-the---profiling-argument-is-set-to-false-automated",children:"1.2.18 Ensure that the --profiling argument is set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the below parameter.\n--profiling=false"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'profiling'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--profiling' is equal to 'false'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1219-ensure-that-the---audit-log-path-argument-is-set-automated",children:"1.2.19 Ensure that the --audit-log-path argument is set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --audit-log-path parameter to a suitable path and\nfile where you would like audit logs to be written, for example,\n--audit-log-path=/var/log/apiserver/audit.log"]}),"\n",(0,s.jsx)(r.h3,{id:"1220-ensure-that-the---audit-log-maxage-argument-is-set-to-30-or-as-appropriate-automated",children:"1.2.20 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --audit-log-maxage parameter to 30\nor as an appropriate number of days, for example,\n--audit-log-maxage=30"]}),"\n",(0,s.jsx)(r.h3,{id:"1221-ensure-that-the---audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate-automated",children:"1.2.21 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --audit-log-maxbackup parameter to 10 or to an appropriate\nvalue. For example,\n--audit-log-maxbackup=10"]}),"\n",(0,s.jsx)(r.h3,{id:"1222-ensure-that-the---audit-log-maxsize-argument-is-set-to-100-or-as-appropriate-automated",children:"1.2.22 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --audit-log-maxsize parameter to an appropriate size in MB.\nFor example, to set it as 100 MB, --audit-log-maxsize=100"]}),"\n",(0,s.jsx)(r.h3,{id:"1224-ensure-that-the---service-account-lookup-argument-is-set-to-true-automated",children:"1.2.24 Ensure that the --service-account-lookup argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the below parameter.\n--service-account-lookup=true\nAlternatively, you can delete the --service-account-lookup parameter from this file so\nthat the default takes effect."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--service-account-lookup' is not present OR '--service-account-lookup' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1225-ensure-that-the---request-timeout-argument-is-set-as-appropriate-automated",children:"1.2.25 Ensure that the --request-timeout argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --service-account-key-file parameter\nto the public key file for service accounts. For example,\n",(0,s.jsx)(r.code,{children:"--service-account-key-file=<filename>"}),"."]}),"\n",(0,s.jsx)(r.h3,{id:"1226-ensure-that-the---etcd-certfile-and---etcd-keyfile-arguments-are-set-as-appropriate-automated",children:"1.2.26 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the etcd certificate and key file parameters."]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:"--etcd-certfile=<path/to/client-certificate-file>\n--etcd-keyfile=<path/to/client-key-file>\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 1.2.29\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--etcd-certfile' is present AND '--etcd-keyfile' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"--etcd-certfile AND --etcd-keyfile\n"})}),"\n",(0,s.jsx)(r.h3,{id:"1227-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",children:"1.2.27 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and set up the TLS connection on the apiserver.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the TLS certificate and private key file parameters."]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:"--tls-cert-file=<path/to/tls-certificate-file>\n--tls-private-key-file=<path/to/tls-key-file>\n"})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep -A1 'Running kube-apiserver' | tail -n2\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--tls-cert-file' is present AND '--tls-private-key-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key" Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-scheduler --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1228-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",children:"1.2.28 Ensure that the --client-ca-file argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and set up the TLS connection on the apiserver.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the client certificate authority file.\n",(0,s.jsx)(r.code,{children:"--client-ca-file=<path/to/client-ca-file>"})]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'client-ca-file'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--client-ca-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1229-ensure-that-the---etcd-cafile-argument-is-set-as-appropriate-automated",children:"1.2.29 Ensure that the --etcd-cafile argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the etcd certificate authority file parameter.\n",(0,s.jsx)(r.code,{children:"--etcd-cafile=<path/to/ca-file>"})]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'etcd-cafile'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--etcd-cafile' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1230-ensure-that-the---encryption-provider-config-argument-is-set-as-appropriate-manual",children:"1.2.30 Ensure that the --encryption-provider-config argument is set as appropriate (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and configure a EncryptionConfig file.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --encryption-provider-config parameter to the path of that file.\nFor example, ",(0,s.jsx)(r.code,{children:"--encryption-provider-config=</path/to/EncryptionConfig/File>"})]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'encryption-provider-config'\n"})}),"\n",(0,s.jsx)(r.h3,{id:"1231-ensure-that-encryption-providers-are-appropriately-configured-manual",children:"1.2.31 Ensure that encryption providers are appropriately configured (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and configure a EncryptionConfig file.\nIn this file, choose aescbc, kms or secretbox as the encryption provider."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"grep aescbc /path/to/encryption-config.json\n"})}),"\n",(0,s.jsx)(r.h3,{id:"1232-ensure-that-the-api-server-only-makes-use-of-strong-cryptographic-ciphers-manual",children:"1.2.32 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the below parameter.\n--tls-cipher-suites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,\nTLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,\nTLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,\nTLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,\nTLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,\nTLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,\nTLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,\nTLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'tls-cipher-suites'\n"})}),"\n",(0,s.jsx)(r.h2,{id:"13-controller-manager",children:"1.3 Controller Manager"}),"\n",(0,s.jsx)(r.h3,{id:"131-ensure-that-the---terminated-pod-gc-threshold-argument-is-set-as-appropriate-manual",children:"1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node and set the --terminated-pod-gc-threshold to an appropriate threshold,\nfor example, --terminated-pod-gc-threshold=10"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'terminated-pod-gc-threshold'\n"})}),"\n",(0,s.jsx)(r.h3,{id:"132-ensure-that-the---profiling-argument-is-set-to-false-automated",children:"1.3.2 Ensure that the --profiling argument is set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node and set the below parameter.\n--profiling=false"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'profiling'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--profiling' is equal to 'false'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-controller-manager --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --use-service-account-credentials=true"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"133-ensure-that-the---use-service-account-credentials-argument-is-set-to-true-automated",children:"1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node to set the below parameter.\n--use-service-account-credentials=true"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'use-service-account-credentials'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--use-service-account-credentials' is not equal to 'false'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-controller-manager --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --use-service-account-credentials=true"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"134-ensure-that-the---service-account-private-key-file-argument-is-set-as-appropriate-automated",children:"1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node and set the --service-account-private-key-file parameter\nto the private key file for service accounts. For example,\n",(0,s.jsx)(r.code,{children:"--service-account-private-key-file=<filename>"}),"."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'service-account-private-key-file'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--service-account-private-key-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-controller-manager --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --use-service-account-credentials=true"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"135-ensure-that-the---root-ca-file-argument-is-set-as-appropriate-automated",children:"1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node and set the --root-ca-file parameter to the certificate bundle file.\n",(0,s.jsx)(r.code,{children:"--root-ca-file=<path/to/file>"})]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'root-ca-file'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--root-ca-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-controller-manager --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --use-service-account-credentials=true"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"136-ensure-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",children:"1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true.\n--feature-gates=RotateKubeletServerCertificate=true"]}),"\n",(0,s.jsx)(r.h3,{id:"137-ensure-that-the---bind-address-argument-is-set-to-127001-automated",children:"1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node and ensure the correct value for the --bind-address parameter"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/ps -ef | grep containerd | grep -v grep\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--bind-address' is present OR '--bind-address' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root 1616 1600 6 13:26 ? 00:01:28 containerd -c /var/lib/rancher/k3s/agent/etc/containerd/config.toml -a /run/k3s/containerd/containerd.sock --state /run/k3s/containerd --root /var/lib/rancher/k3s/agent/containerd root 2318 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id b41ec3297be4625c2406ad8b7b4f8b91cddd60850c420050c4c3273f809b3e7e -address /run/k3s/containerd/containerd.sock root 2341 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id e7999a65ae0a4e9969f32317ec48ae4f7071b62f92e5236696737973be77c2e1 -address /run/k3s/containerd/containerd.sock root 3199 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 90c4e63d6ee29d40a48c2fdaf2738c2472cba1139dde8a550466c452184f8528 -address /run/k3s/containerd/containerd.sock root 3923 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id be5f4b9bd1ed9239362b7000b47f353acb8bc8ca52a9c9145cba0e902ec1c4b9 -address /run/k3s/containerd/containerd.sock root 4559 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 04cd40ea6b6078797f177c902c89412c70e523ad2a687a62829bf1d16ff0e19c -address /run/k3s/containerd/containerd.sock root 4647 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 48f37a480315b6adce2d2a5c5d67a85412dd0ba7a2e82816434e0deb9fa75de9 -address /run/k3s/containerd/containerd.sock root 6610 1 0 13:47 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 1cf71c22f568468055e517ab363437c0e54e45274c64024d337cc5bcce66341d -address /run/k3s/containerd/containerd.sock\n"})}),"\n",(0,s.jsx)(r.h2,{id:"14-scheduler",children:"1.4 Scheduler"}),"\n",(0,s.jsx)(r.h3,{id:"141-ensure-that-the---profiling-argument-is-set-to-false-automated",children:"1.4.1 Ensure that the --profiling argument is set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml file\non the control plane node and set the below parameter.\n--profiling=false"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-scheduler' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--profiling' is equal to 'false'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-scheduler --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"142-ensure-that-the---bind-address-argument-is-set-to-127001-automated",children:"1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml\non the control plane node and ensure the correct value for the --bind-address parameter"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-scheduler' | tail -n1 | grep 'bind-address'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--bind-address' is equal to '127.0.0.1' OR '--bind-address' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-scheduler --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"\n'})}),"\n",(0,s.jsx)(r.h2,{id:"2-etcd-node-configuration",children:"2 Etcd Node Configuration"}),"\n",(0,s.jsx)(r.h3,{id:"21-ensure-that-the---cert-file-and---key-file-arguments-are-set-as-appropriate-automated",children:"2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the etcd service documentation and configure TLS encryption.\nThen, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml\non the master node and set the below parameters."]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:"--cert-file=</path/to/ca-file>\n--key-file=</path/to/key-file>\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 2.1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'cert-file' is present AND 'key-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"cert-file AND key-file cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key cert-file AND key-file\n"})}),"\n",(0,s.jsx)(r.h3,{id:"22-ensure-that-the---client-cert-auth-argument-is-set-to-true-automated",children:"2.2 Ensure that the --client-cert-auth argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),'\nEdit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master\nnode and set the below parameter.\n--client-cert-auth="true"']}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 2.2\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--client-cert-auth' is present OR 'client-cert-auth' is equal to 'true'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"--client-cert-auth=true client-cert-auth: true --client-cert-auth=true\n"})}),"\n",(0,s.jsx)(r.h3,{id:"23-ensure-that-the---auto-tls-argument-is-not-set-to-true-automated",children:"2.3 Ensure that the --auto-tls argument is not set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master\nnode and either remove the --auto-tls parameter or set it to false.\n--auto-tls=false"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 2.3\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'ETCD_AUTO_TLS' is not present OR 'ETCD_AUTO_TLS' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"error: process ID list syntax error Usage: ps [options] Try 'ps --help <simple|list|output|threads|misc|all>' or 'ps --help <s|l|o|t|m|a>' for additional help text. For more details see ps(1). cat: /proc//environ: No such file or directory error: process ID list syntax error Usage: ps [options] Try 'ps --help <simple|list|output|threads|misc|all>' or 'ps --help <s|l|o|t|m|a>' for additional help text. For more details see ps(1). cat: /proc//environ: No such file or directory error: process ID list syntax error Usage: ps [options] Try 'ps --help <simple|list|output|threads|misc|all>' or 'ps --help <s|l|o|t|m|a>' for additional help text. For more details see ps(1). cat: /proc//environ: No such file or directory\n"})}),"\n",(0,s.jsx)(r.h3,{id:"24-ensure-that-the---peer-cert-file-and---peer-key-file-arguments-are-set-as-appropriate-automated",children:"2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the etcd service documentation and configure peer TLS encryption as appropriate\nfor your etcd cluster.\nThen, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the\nmaster node and set the below parameters."]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:"--peer-client-file=</path/to/peer-cert-file>\n--peer-key-file=</path/to/peer-key-file>\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 2.4\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'cert-file' is present AND 'key-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"peer-cert-file AND peer-key-file cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key peer-cert-file AND peer-key-file\n"})}),"\n",(0,s.jsx)(r.h3,{id:"25-ensure-that-the---peer-client-cert-auth-argument-is-set-to-true-automated",children:"2.5 Ensure that the --peer-client-cert-auth argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master\nnode and set the below parameter.\n--peer-client-cert-auth=true"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 2.5\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--client-cert-auth' is present OR 'client-cert-auth' is equal to 'true'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"--client-cert-auth=true client-cert-auth: true --client-cert-auth=true\n"})}),"\n",(0,s.jsx)(r.h3,{id:"26-ensure-that-the---peer-auto-tls-argument-is-not-set-to-true-automated",children:"2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master\nnode and either remove the --peer-auto-tls parameter or set it to false.\n--peer-auto-tls=false"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 2.6\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--peer-auto-tls' is not present OR '--peer-auto-tls' is equal to 'false'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"--peer-auto-tls=false error: process ID list syntax error Usage: ps [options] Try 'ps --help <simple|list|output|threads|misc|all>' or 'ps --help <s|l|o|t|m|a>' for additional help text. For more details see ps(1). cat: /proc//environ: No such file or directory --peer-auto-tls=false\n"})}),"\n",(0,s.jsx)(r.h3,{id:"27-ensure-that-a-unique-certificate-authority-is-used-for-etcd-manual",children:"2.7 Ensure that a unique Certificate Authority is used for etcd (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\n[Manual test]\nFollow the etcd documentation and create a dedicated certificate authority setup for the\netcd service.\nThen, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the\nmaster node and set the below parameter.\n",(0,s.jsx)(r.code,{children:"--trusted-ca-file=</path/to/ca-file>"})]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 2.7\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'trusted-ca-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"--trusted-ca-file trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt --trusted-ca-file\n"})}),"\n",(0,s.jsx)(r.h2,{id:"31-authentication-and-authorization",children:"3.1 Authentication and Authorization"}),"\n",(0,s.jsx)(r.h3,{id:"311-client-certificate-authentication-should-not-be-used-for-users-manual",children:"3.1.1 Client certificate authentication should not be used for users (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAlternative mechanisms provided by Kubernetes such as the use of OIDC should be\nimplemented in place of client certificates."]}),"\n",(0,s.jsx)(r.h2,{id:"32-logging",children:"3.2 Logging"}),"\n",(0,s.jsx)(r.h3,{id:"321-ensure-that-a-minimal-audit-policy-is-created-manual",children:"3.2.1 Ensure that a minimal audit policy is created (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nCreate an audit policy file for your cluster."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'audit-policy-file'\n"})}),"\n",(0,s.jsx)(r.h3,{id:"322-ensure-that-the-audit-policy-covers-key-security-concerns-manual",children:"3.2.2 Ensure that the audit policy covers key security concerns (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nReview the audit policy provided for the cluster and ensure that it covers\nat least the following areas,"]}),"\n",(0,s.jsxs)(r.ul,{children:["\n",(0,s.jsx)(r.li,{children:"Access to Secrets managed by the cluster. Care should be taken to only\nlog Metadata for requests to Secrets, ConfigMaps, and TokenReviews, in\norder to avoid risk of logging sensitive data."}),"\n",(0,s.jsx)(r.li,{children:"Modification of Pod and Deployment objects."}),"\n",(0,s.jsxs)(r.li,{children:["Use of ",(0,s.jsx)(r.code,{children:"pods/exec"}),", ",(0,s.jsx)(r.code,{children:"pods/portforward"}),", ",(0,s.jsx)(r.code,{children:"pods/proxy"})," and ",(0,s.jsx)(r.code,{children:"services/proxy"}),".\nFor most requests, minimally logging at the Metadata level is recommended\n(the most basic level of logging)."]}),"\n"]}),"\n",(0,s.jsx)(r.h2,{id:"41-worker-node-configuration-files",children:"4.1 Worker Node Configuration Files"}),"\n",(0,s.jsx)(r.h3,{id:"411-ensure-that-the-kubelet-service-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"4.1.1 Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the each worker node.\nFor example, chmod 644 /etc/systemd/system/kubelet.service.d/10-kubeadm.conf"]}),"\n",(0,s.jsxs)(r.h3,{id:"412-ensure-that-the-kubelet-service-file-ownership-is-set-to-root-automated",children:["4.1.2 Ensure that the kubelet service file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the each worker node.\nFor example,\nchown root",":root"," /etc/systemd/system/kubelet.service.d/10-kubeadm.conf"]}),"\n",(0,s.jsx)(r.h3,{id:"413-if-proxy-kubeconfig-file-exists-ensure-permissions-are-set-to-644-or-more-restrictive-manual",children:"4.1.3 If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the each worker node.\nFor example,\nchmod 644 /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %a /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'permissions' is present OR '/var/lib/rancher/k3s/agent/kubeproxy.kubeconfig' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"644 644\n"})}),"\n",(0,s.jsxs)(r.h3,{id:"414-if-proxy-kubeconfig-file-exists-ensure-ownership-is-set-to-root-manual",children:["4.1.4 If proxy kubeconfig file exists ensure ownership is set to root",":root"," (Manual)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the each worker node.\nFor example, chown root",":root"," /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; fi'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'root:root' is present OR '/var/lib/rancher/k3s/agent/kubeproxy.kubeconfig' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root root:root\n"})}),"\n",(0,s.jsx)(r.h3,{id:"415-ensure-that-the---kubeconfig-kubeletconf-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the each worker node.\nFor example,\nchmod 644 /var/lib/rancher/k3s/server/cred/admin.kubeconfig"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %a /var/lib/rancher/k3s/agent/kubelet.kubeconfig\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'644' is equal to '644'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"644 644\n"})}),"\n",(0,s.jsxs)(r.h3,{id:"416-ensure-that-the---kubeconfig-kubeletconf-file-ownership-is-set-to-root-automated",children:["4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the each worker node.\nFor example,\nchown root",":root"," /var/lib/rancher/k3s/server/cred/admin.kubeconfig"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/agent/kubelet.kubeconfig\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'root:root' is equal to 'root:root'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root root:root\n"})}),"\n",(0,s.jsx)(r.h3,{id:"417-ensure-that-the-certificate-authorities-file-permissions-are-set-to-644-or-more-restrictive-manual",children:"4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the following command to modify the file permissions of the\n--client-ca-file: ",(0,s.jsx)(r.code,{children:"chmod 644 <filename>"})]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %a /var/lib/rancher/k3s/server/tls/server-ca.crt\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'644' is present OR '640' is present OR '600' is equal to '600' OR '444' is present OR '440' is present OR '400' is present OR '000' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"644 600\n"})}),"\n",(0,s.jsxs)(r.h3,{id:"418-ensure-that-the-client-certificate-authorities-file-ownership-is-set-to-root-manual",children:["4.1.8 Ensure that the client certificate authorities file ownership is set to root",":root"," (Manual)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the following command to modify the ownership of the --client-ca-file:\n",(0,s.jsx)(r.code,{children:"chown root:root <filename>"}),"."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/server/tls/client-ca.crt\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'root:root' is equal to 'root:root'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root root:root\n"})}),"\n",(0,s.jsx)(r.h3,{id:"419-ensure-that-the-kubelet---config-configuration-file-has-permissions-set-to-644-or-more-restrictive-automated",children:"4.1.9 Ensure that the kubelet --config configuration file has permissions set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the following command (using the config file location identified in the Audit step)\nchmod 644 /var/lib/kubelet/config.yaml"]}),"\n",(0,s.jsxs)(r.h3,{id:"4110-ensure-that-the-kubelet---config-configuration-file-ownership-is-set-to-root-automated",children:["4.1.10 Ensure that the kubelet --config configuration file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the following command (using the config file location identified in the Audit step)\nchown root",":root"," /var/lib/kubelet/config.yaml"]}),"\n",(0,s.jsx)(r.h2,{id:"42-kubelet",children:"4.2 Kubelet"}),"\n",(0,s.jsx)(r.h3,{id:"421-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",children:"4.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"authentication: anonymous: enabled"})," to\n",(0,s.jsx)(r.code,{children:"false"}),".\nIf using executable arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n",(0,s.jsx)(r.code,{children:"--anonymous-auth=false"}),"\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'/bin/sh -c \'if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "anonymous-auth" | grep -v grep; else echo "--anonymous-auth=false"; fi\'\n'})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--anonymous-auth' is equal to 'false'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'--anonymous-auth=false Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"422-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",children:"4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"authorization.mode"})," to Webhook. If\nusing executable arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_AUTHZ_ARGS variable.\n--authorization-mode=Webhook\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'/bin/sh -c \'if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "authorization-mode" | grep -v grep; else echo "--authorization-mode=Webhook"; fi\'\n'})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--authorization-mode' does not have 'AlwaysAllow'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'--authorization-mode=Webhook Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"423-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",children:"4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"authentication.x509.clientCAFile"})," to\nthe location of the client CA file.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_AUTHZ_ARGS variable.\n",(0,s.jsx)(r.code,{children:"--client-ca-file=<path/to/client-ca-file>"}),"\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'/bin/sh -c \'if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "client-ca-file" | grep -v grep; else echo "--client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt"; fi\'\n'})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--client-ca-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'--client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"424-ensure-that-the---read-only-port-argument-is-set-to-0-manual",children:"4.2.4 Ensure that the --read-only-port argument is set to 0 (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"readOnlyPort"})," to 0.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--read-only-port=0\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kubelet' | tail -n1 | grep 'read-only-port'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--read-only-port' is equal to '0' OR '--read-only-port' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:50 k3s-123-cis-pool2-98604672-hr9p5 k3s[1592]: time="2022-09-13T13:26:50Z" level=info msg="Running kubelet --address=0.0.0.0 --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=k3s-123-cis-pool2-98604672-hr9p5 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --node-labels=rke.cattle.io/machine=00c4e7a0-5497-4367-a70c-0b836757eae8 --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key" Sep 13 13:26:44 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:44Z" level=info msg="Running kubelet --address=0.0.0.0 --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=k3s-123-cis-pool3-b403f678-bzdg5 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --node-labels=rke.cattle.io/machine=109d596c-89f5-4c10-8c7f-6b82a38edd8f --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"425-ensure-that-the---streaming-connection-idle-timeout-argument-is-not-set-to-0-manual",children:"4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"streamingConnectionIdleTimeout"})," to a\nvalue other than 0.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--streaming-connection-idle-timeout=5m\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kubelet' | tail -n1 | grep 'streaming-connection-idle-timeout'\n"})}),"\n",(0,s.jsx)(r.h3,{id:"426-ensure-that-the---protect-kernel-defaults-argument-is-set-to-true-automated",children:"4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"protectKernelDefaults"})," to ",(0,s.jsx)(r.code,{children:"true"}),".\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--protect-kernel-defaults=true\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.h3,{id:"427-ensure-that-the---make-iptables-util-chains-argument-is-set-to-true-automated",children:"4.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"makeIPTablesUtilChains"})," to ",(0,s.jsx)(r.code,{children:"true"}),".\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nremove the --make-iptables-util-chains argument from the\nKUBELET_SYSTEM_PODS_ARGS variable.\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.h3,{id:"428-ensure-that-the---hostname-override-argument-is-not-set-manual",children:"4.2.8 Ensure that the --hostname-override argument is not set (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\non each worker node and remove the --hostname-override argument from the\nKUBELET_SYSTEM_PODS_ARGS variable.\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.h3,{id:"429-ensure-that-the---event-qps-argument-is-set-to-0-or-a-level-which-ensures-appropriate-event-capture-manual",children:"4.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"eventRecordQPS"})," to an appropriate level.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/ps -fC containerd\n"})}),"\n",(0,s.jsx)(r.h3,{id:"4210-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-manual",children:"4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"tlsCertFile"})," to the location\nof the certificate file to use to identify this Kubelet, and ",(0,s.jsx)(r.code,{children:"tlsPrivateKeyFile"}),"\nto the location of the corresponding private key file.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameters in KUBELET_CERTIFICATE_ARGS variable."]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:"--tls-cert-file=<path/to/tls-certificate-file>\n--tls-private-key-file=<path/to/tls-key-file>\n"})}),"\n",(0,s.jsx)(r.p,{children:"Based on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--tls-cert-file' is present AND '--tls-private-key-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:50 k3s-123-cis-pool2-98604672-hr9p5 k3s[1592]: time="2022-09-13T13:26:50Z" level=info msg="Running kubelet --address=0.0.0.0 --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=k3s-123-cis-pool2-98604672-hr9p5 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --node-labels=rke.cattle.io/machine=00c4e7a0-5497-4367-a70c-0b836757eae8 --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key" Sep 13 13:26:44 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:44Z" level=info msg="Running kubelet --address=0.0.0.0 --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=k3s-123-cis-pool3-b403f678-bzdg5 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --node-labels=rke.cattle.io/machine=109d596c-89f5-4c10-8c7f-6b82a38edd8f --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"4211-ensure-that-the---rotate-certificates-argument-is-not-set-to-false-automated",children:"4.2.11 Ensure that the --rotate-certificates argument is not set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to add the line ",(0,s.jsx)(r.code,{children:"rotateCertificates"})," to ",(0,s.jsx)(r.code,{children:"true"})," or\nremove it altogether to use the default value.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nremove --rotate-certificates=false argument from the KUBELET_CERTIFICATE_ARGS\nvariable.\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.h3,{id:"4212-verify-that-the-rotatekubeletservercertificate-argument-is-set-to-true-manual",children:"4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\non each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.\n--feature-gates=RotateKubeletServerCertificate=true\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.h3,{id:"4213-ensure-that-the-kubelet-only-makes-use-of-strong-cryptographic-ciphers-manual",children:"4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"TLSCipherSuites"})," to\nTLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256\nor to a subset of these values.\nIf using executable arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the --tls-cipher-suites parameter as follows, or to a subset of these values.\n--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/ps -fC containerd\n"})}),"\n",(0,s.jsx)(r.h2,{id:"51-rbac-and-service-accounts",children:"5.1 RBAC and Service Accounts"}),"\n",(0,s.jsx)(r.h3,{id:"511-ensure-that-the-cluster-admin-role-is-only-used-where-required-manual",children:"5.1.1 Ensure that the cluster-admin role is only used where required (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIdentify all clusterrolebindings to the cluster-admin role. Check if they are used and\nif they need this role or if they could use a role with fewer privileges.\nWhere possible, first bind users to a lower privileged role and then remove the\nclusterrolebinding to the cluster-admin role :\nkubectl delete clusterrolebinding [name]"]}),"\n",(0,s.jsx)(r.h3,{id:"512-minimize-access-to-secrets-manual",children:"5.1.2 Minimize access to secrets (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove get, list and watch access to Secret objects in the cluster."]}),"\n",(0,s.jsx)(r.h3,{id:"513-minimize-wildcard-use-in-roles-and-clusterroles-manual",children:"5.1.3 Minimize wildcard use in Roles and ClusterRoles (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible replace any use of wildcards in clusterroles and roles with specific\nobjects or actions."]}),"\n",(0,s.jsx)(r.h3,{id:"514-minimize-access-to-create-pods-manual",children:"5.1.4 Minimize access to create pods (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove create access to pod objects in the cluster."]}),"\n",(0,s.jsx)(r.h3,{id:"515-ensure-that-default-service-accounts-are-not-actively-used-manual",children:"5.1.5 Ensure that default service accounts are not actively used. (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nCreate explicit service accounts wherever a Kubernetes workload requires specific access\nto the Kubernetes API server.\nModify the configuration of each default service account to include this value\nautomountServiceAccountToken: false"]}),"\n",(0,s.jsx)(r.h3,{id:"516-ensure-that-service-account-tokens-are-only-mounted-where-necessary-manual",children:"5.1.6 Ensure that Service Account Tokens are only mounted where necessary (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nModify the definition of pods and service accounts which do not need to mount service\naccount tokens to disable it."]}),"\n",(0,s.jsxs)(r.h3,{id:"517-avoid-use-of-system-group-manual",children:["5.1.7 Avoid use of system",":masters"," group (Manual)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRemove the system",":masters"," group from all users in the cluster."]}),"\n",(0,s.jsx)(r.h3,{id:"518-limit-use-of-the-bind-impersonate-and-escalate-permissions-in-the-kubernetes-cluster-manual",children:"5.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove the impersonate, bind and escalate rights from subjects."]}),"\n",(0,s.jsx)(r.h2,{id:"52-pod-security-standards",children:"5.2 Pod Security Standards"}),"\n",(0,s.jsx)(r.h3,{id:"521-ensure-that-the-cluster-has-at-least-one-active-policy-control-mechanism-in-place-manual",children:"5.2.1 Ensure that the cluster has at least one active policy control mechanism in place (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEnsure that either Pod Security Admission or an external policy control system is in place\nfor every namespace which contains user workloads."]}),"\n",(0,s.jsx)(r.h3,{id:"522-minimize-the-admission-of-privileged-containers-automated",children:"5.2.2 Minimize the admission of privileged containers (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of privileged containers."]}),"\n",(0,s.jsx)(r.h3,{id:"523-minimize-the-admission-of-containers-wishing-to-share-the-host-process-id-namespace-automated",children:"5.2.3 Minimize the admission of containers wishing to share the host process ID namespace (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of ",(0,s.jsx)(r.code,{children:"hostPID"})," containers."]}),"\n",(0,s.jsx)(r.h3,{id:"524-minimize-the-admission-of-containers-wishing-to-share-the-host-ipc-namespace-automated",children:"5.2.4 Minimize the admission of containers wishing to share the host IPC namespace (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of ",(0,s.jsx)(r.code,{children:"hostIPC"})," containers."]}),"\n",(0,s.jsx)(r.h3,{id:"525-minimize-the-admission-of-containers-wishing-to-share-the-host-network-namespace-automated",children:"5.2.5 Minimize the admission of containers wishing to share the host network namespace (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of ",(0,s.jsx)(r.code,{children:"hostNetwork"})," containers."]}),"\n",(0,s.jsx)(r.h3,{id:"526-minimize-the-admission-of-containers-with-allowprivilegeescalation-automated",children:"5.2.6 Minimize the admission of containers with allowPrivilegeEscalation (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers with ",(0,s.jsx)(r.code,{children:".spec.allowPrivilegeEscalation"})," set to ",(0,s.jsx)(r.code,{children:"true"}),"."]}),"\n",(0,s.jsx)(r.h3,{id:"527-minimize-the-admission-of-root-containers-automated",children:"5.2.7 Minimize the admission of root containers (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nCreate a policy for each namespace in the cluster, ensuring that either ",(0,s.jsx)(r.code,{children:"MustRunAsNonRoot"}),"\nor ",(0,s.jsx)(r.code,{children:"MustRunAs"})," with the range of UIDs not including 0, is set."]}),"\n",(0,s.jsx)(r.h3,{id:"528-minimize-the-admission-of-containers-with-the-net_raw-capability-automated",children:"5.2.8 Minimize the admission of containers with the NET_RAW capability (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers with the ",(0,s.jsx)(r.code,{children:"NET_RAW"})," capability."]}),"\n",(0,s.jsx)(r.h3,{id:"529-minimize-the-admission-of-containers-with-added-capabilities-automated",children:"5.2.9 Minimize the admission of containers with added capabilities (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEnsure that ",(0,s.jsx)(r.code,{children:"allowedCapabilities"})," is not present in policies for the cluster unless\nit is set to an empty array."]}),"\n",(0,s.jsx)(r.h3,{id:"5210-minimize-the-admission-of-containers-with-capabilities-assigned-manual",children:"5.2.10 Minimize the admission of containers with capabilities assigned (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nReview the use of capabilities in applications running on your cluster. Where a namespace\ncontains applications which do not require any Linux capabilities to operate consider adding\na PSP which forbids the admission of containers which do not drop all capabilities."]}),"\n",(0,s.jsx)(r.h3,{id:"5211-minimize-the-admission-of-windows-hostprocess-containers-manual",children:"5.2.11 Minimize the admission of Windows HostProcess containers (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers that have ",(0,s.jsx)(r.code,{children:".securityContext.windowsOptions.hostProcess"})," set to ",(0,s.jsx)(r.code,{children:"true"}),"."]}),"\n",(0,s.jsx)(r.h3,{id:"5212-minimize-the-admission-of-hostpath-volumes-manual",children:"5.2.12 Minimize the admission of HostPath volumes (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers with ",(0,s.jsx)(r.code,{children:"hostPath"})," volumes."]}),"\n",(0,s.jsx)(r.h3,{id:"5213-minimize-the-admission-of-containers-which-use-hostports-manual",children:"5.2.13 Minimize the admission of containers which use HostPorts (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers which use ",(0,s.jsx)(r.code,{children:"hostPort"})," sections."]}),"\n",(0,s.jsx)(r.h2,{id:"53-network-policies-and-cni",children:"5.3 Network Policies and CNI"}),"\n",(0,s.jsx)(r.h3,{id:"531-ensure-that-the-cni-in-use-supports-networkpolicies-manual",children:"5.3.1 Ensure that the CNI in use supports NetworkPolicies (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf the CNI plugin in use does not support network policies, consideration should be given to\nmaking use of a different plugin, or finding an alternate mechanism for restricting traffic\nin the Kubernetes cluster."]}),"\n",(0,s.jsx)(r.h3,{id:"532-ensure-that-all-namespaces-have-networkpolicies-defined-manual",children:"5.3.2 Ensure that all Namespaces have NetworkPolicies defined (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the documentation and create NetworkPolicy objects as you need them."]}),"\n",(0,s.jsx)(r.h2,{id:"54-secrets-management",children:"5.4 Secrets Management"}),"\n",(0,s.jsx)(r.h3,{id:"541-prefer-using-secrets-as-files-over-secrets-as-environment-variables-manual",children:"5.4.1 Prefer using Secrets as files over Secrets as environment variables (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf possible, rewrite application code to read Secrets from mounted secret files, rather than\nfrom environment variables."]}),"\n",(0,s.jsx)(r.h3,{id:"542-consider-external-secret-storage-manual",children:"5.4.2 Consider external secret storage (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRefer to the Secrets management options offered by your cloud provider or a third-party\nsecrets management solution."]}),"\n",(0,s.jsx)(r.h2,{id:"55-extensible-admission-control",children:"5.5 Extensible Admission Control"}),"\n",(0,s.jsx)(r.h3,{id:"551-configure-image-provenance-using-imagepolicywebhook-admission-controller-manual",children:"5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and setup image provenance."]}),"\n",(0,s.jsx)(r.h2,{id:"57-general-policies",children:"5.7 General Policies"}),"\n",(0,s.jsx)(r.h3,{id:"571-create-administrative-boundaries-between-resources-using-namespaces-manual",children:"5.7.1 Create administrative boundaries between resources using namespaces (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the documentation and create namespaces for objects in your deployment as you need\nthem."]}),"\n",(0,s.jsx)(r.h3,{id:"572-ensure-that-the-seccomp-profile-is-set-to-dockerdefault-in-your-pod-definitions-manual",children:"5.7.2 Ensure that the seccomp profile is set to docker/default in your Pod definitions (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nUse ",(0,s.jsx)(r.code,{children:"securityContext"})," to enable the docker/default seccomp profile in your pod definitions.\nAn example is as below:\nsecurityContext:\nseccompProfile:\ntype: RuntimeDefault"]}),"\n",(0,s.jsx)(r.h3,{id:"573-apply-securitycontext-to-your-pods-and-containers-manual",children:"5.7.3 Apply SecurityContext to your Pods and Containers (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and apply SecurityContexts to your Pods. For a\nsuggested list of SecurityContexts, you may refer to the CIS Security Benchmark for Docker\nContainers."]}),"\n",(0,s.jsx)(r.h3,{id:"574-the-default-namespace-should-not-be-used-manual",children:"5.7.4 The default namespace should not be used (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEnsure that namespaces are created to allow for appropriate segregation of Kubernetes\nresources and that all new resources are created in a specific namespace."]})]})}function h(e={}){const{wrapper:r}={...(0,n.a)(),...e.components};return r?(0,s.jsx)(r,{...e,children:(0,s.jsx)(d,{...e})}):d(e)}},1151:(e,r,t)=>{t.d(r,{Z:()=>c,a:()=>i});var s=t(7294);const n={},a=s.createContext(n);function i(e){const r=s.useContext(a);return s.useMemo((function(){return"function"==typeof e?e(r):{...r,...e}}),[r,e])}function c(e){let r;return r=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:i(e.components),s.createElement(a.Provider,{value:r},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/9f491e05.fa57d8a6.js b/assets/js/9f491e05.fa57d8a6.js deleted file mode 100644 index d8b7aef62..000000000 --- a/assets/js/9f491e05.fa57d8a6.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[3189],{9297:(e,r,t)=>{t.r(r),t.d(r,{assets:()=>l,contentTitle:()=>i,default:()=>h,frontMatter:()=>a,metadata:()=>c,toc:()=>o});var s=t(5893),n=t(1151);const a={title:"CIS 1.23 Self Assessment Guide"},i=void 0,c={id:"security/self-assessment-1.23",title:"CIS 1.23 Self Assessment Guide",description:"Overview",source:"@site/docs/security/self-assessment-1.23.md",sourceDirName:"security",slug:"/security/self-assessment-1.23",permalink:"/security/self-assessment-1.23",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/security/self-assessment-1.23.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"CIS 1.23 Self Assessment Guide"}},l={},o=[{value:"Overview",id:"overview",level:2},{value:"Testing controls methodology",id:"testing-controls-methodology",level:3},{value:"1.1 Control Plane Node Configuration Files",id:"11-control-plane-node-configuration-files",level:2},{value:"1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)",id:"111-ensure-that-the-api-server-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"1.1.2 Ensure that the API server pod specification file ownership is set to root (Automated)",id:"112-ensure-that-the-api-server-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Automated)",id:"113-ensure-that-the-controller-manager-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"1.1.4 Ensure that the controller manager pod specification file ownership is set to root (Automated)",id:"114-ensure-that-the-controller-manager-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.5 Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Automated)",id:"115-ensure-that-the-scheduler-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"1.1.6 Ensure that the scheduler pod specification file ownership is set to root (Automated)",id:"116-ensure-that-the-scheduler-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.7 Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated)",id:"117-ensure-that-the-etcd-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"1.1.8 Ensure that the etcd pod specification file ownership is set to root (Automated)",id:"118-ensure-that-the-etcd-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.9 Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual)",id:"119-ensure-that-the-container-network-interface-file-permissions-are-set-to-644-or-more-restrictive-manual",level:3},{value:"1.1.10 Ensure that the Container Network Interface file ownership is set to root (Manual)",id:"1110-ensure-that-the-container-network-interface-file-ownership-is-set-to-root-manual",level:3},{value:"1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)",id:"1111-ensure-that-the-etcd-data-directory-permissions-are-set-to-700-or-more-restrictive-automated",level:3},{value:"1.1.12 Ensure that the etcd data directory ownership is set to etcd (Automated)",id:"1112-ensure-that-the-etcd-data-directory-ownership-is-set-to-etcd-automated",level:3},{value:"1.1.13 Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)",id:"1113-ensure-that-the-adminconf-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.14 Ensure that the admin.conf file ownership is set to root (Automated)",id:"1114-ensure-that-the-adminconf-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.15 Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated)",id:"1115-ensure-that-the-schedulerconf-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"1.1.16 Ensure that the scheduler.conf file ownership is set to root (Automated)",id:"1116-ensure-that-the-schedulerconf-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated)",id:"1117-ensure-that-the-controller-managerconf-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"1.1.18 Ensure that the controller-manager.conf file ownership is set to root (Automated)",id:"1118-ensure-that-the-controller-managerconf-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root (Automated)",id:"1119-ensure-that-the-kubernetes-pki-directory-and-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Manual)",id:"1120-ensure-that-the-kubernetes-pki-certificate-file-permissions-are-set-to-644-or-more-restrictive-manual",level:3},{value:"1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)",id:"1121-ensure-that-the-kubernetes-pki-key-file-permissions-are-set-to-600-manual",level:3},{value:"1.2 API Server",id:"12-api-server",level:2},{value:"1.2.1 Ensure that the --anonymous-auth argument is set to false (Manual)",id:"121-ensure-that-the---anonymous-auth-argument-is-set-to-false-manual",level:3},{value:"1.2.2 Ensure that the --token-auth-file parameter is not set (Automated)",id:"122-ensure-that-the---token-auth-file-parameter-is-not-set-automated",level:3},{value:"1.2.3 Ensure that the --DenyServiceExternalIPs is not set (Automated)",id:"123-ensure-that-the---denyserviceexternalips-is-not-set-automated",level:3},{value:"1.2.4 Ensure that the --kubelet-https argument is set to true (Automated)",id:"124-ensure-that-the---kubelet-https-argument-is-set-to-true-automated",level:3},{value:"1.2.5 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)",id:"125-ensure-that-the---kubelet-client-certificate-and---kubelet-client-key-arguments-are-set-as-appropriate-automated",level:3},{value:"1.2.6 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)",id:"126-ensure-that-the---kubelet-certificate-authority-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.7 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)",id:"127-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",level:3},{value:"1.2.8 Ensure that the --authorization-mode argument includes Node (Automated)",id:"128-ensure-that-the---authorization-mode-argument-includes-node-automated",level:3},{value:"1.2.9 Ensure that the --authorization-mode argument includes RBAC (Automated)",id:"129-ensure-that-the---authorization-mode-argument-includes-rbac-automated",level:3},{value:"1.2.10 Ensure that the admission control plugin EventRateLimit is set (Manual)",id:"1210-ensure-that-the-admission-control-plugin-eventratelimit-is-set-manual",level:3},{value:"1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set (Automated)",id:"1211-ensure-that-the-admission-control-plugin-alwaysadmit-is-not-set-automated",level:3},{value:"1.2.12 Ensure that the admission control plugin AlwaysPullImages is set (Manual)",id:"1212-ensure-that-the-admission-control-plugin-alwayspullimages-is-set-manual",level:3},{value:"1.2.13 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)",id:"1213-ensure-that-the-admission-control-plugin-securitycontextdeny-is-set-if-podsecuritypolicy-is-not-used-manual",level:3},{value:"1.2.14 Ensure that the admission control plugin ServiceAccount is set (Automated)",id:"1214-ensure-that-the-admission-control-plugin-serviceaccount-is-set-automated",level:3},{value:"1.2.15 Ensure that the admission control plugin NamespaceLifecycle is set (Automated)",id:"1215-ensure-that-the-admission-control-plugin-namespacelifecycle-is-set-automated",level:3},{value:"1.2.16 Ensure that the admission control plugin NodeRestriction is set (Automated)",id:"1216-ensure-that-the-admission-control-plugin-noderestriction-is-set-automated",level:3},{value:"1.2.17 Ensure that the --secure-port argument is not set to 0 (Automated)",id:"1217-ensure-that-the---secure-port-argument-is-not-set-to-0-automated",level:3},{value:"1.2.18 Ensure that the --profiling argument is set to false (Automated)",id:"1218-ensure-that-the---profiling-argument-is-set-to-false-automated",level:3},{value:"1.2.19 Ensure that the --audit-log-path argument is set (Automated)",id:"1219-ensure-that-the---audit-log-path-argument-is-set-automated",level:3},{value:"1.2.20 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)",id:"1220-ensure-that-the---audit-log-maxage-argument-is-set-to-30-or-as-appropriate-automated",level:3},{value:"1.2.21 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)",id:"1221-ensure-that-the---audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate-automated",level:3},{value:"1.2.22 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)",id:"1222-ensure-that-the---audit-log-maxsize-argument-is-set-to-100-or-as-appropriate-automated",level:3},{value:"1.2.24 Ensure that the --service-account-lookup argument is set to true (Automated)",id:"1224-ensure-that-the---service-account-lookup-argument-is-set-to-true-automated",level:3},{value:"1.2.25 Ensure that the --request-timeout argument is set as appropriate (Automated)",id:"1225-ensure-that-the---request-timeout-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.26 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)",id:"1226-ensure-that-the---etcd-certfile-and---etcd-keyfile-arguments-are-set-as-appropriate-automated",level:3},{value:"1.2.27 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)",id:"1227-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"1.2.28 Ensure that the --client-ca-file argument is set as appropriate (Automated)",id:"1228-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.29 Ensure that the --etcd-cafile argument is set as appropriate (Automated)",id:"1229-ensure-that-the---etcd-cafile-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.30 Ensure that the --encryption-provider-config argument is set as appropriate (Manual)",id:"1230-ensure-that-the---encryption-provider-config-argument-is-set-as-appropriate-manual",level:3},{value:"1.2.31 Ensure that encryption providers are appropriately configured (Manual)",id:"1231-ensure-that-encryption-providers-are-appropriately-configured-manual",level:3},{value:"1.2.32 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual)",id:"1232-ensure-that-the-api-server-only-makes-use-of-strong-cryptographic-ciphers-manual",level:3},{value:"1.3 Controller Manager",id:"13-controller-manager",level:2},{value:"1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)",id:"131-ensure-that-the---terminated-pod-gc-threshold-argument-is-set-as-appropriate-manual",level:3},{value:"1.3.2 Ensure that the --profiling argument is set to false (Automated)",id:"132-ensure-that-the---profiling-argument-is-set-to-false-automated",level:3},{value:"1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated)",id:"133-ensure-that-the---use-service-account-credentials-argument-is-set-to-true-automated",level:3},{value:"1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)",id:"134-ensure-that-the---service-account-private-key-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated)",id:"135-ensure-that-the---root-ca-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)",id:"136-ensure-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",level:3},{value:"1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)",id:"137-ensure-that-the---bind-address-argument-is-set-to-127001-automated",level:3},{value:"1.4 Scheduler",id:"14-scheduler",level:2},{value:"1.4.1 Ensure that the --profiling argument is set to false (Automated)",id:"141-ensure-that-the---profiling-argument-is-set-to-false-automated",level:3},{value:"1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)",id:"142-ensure-that-the---bind-address-argument-is-set-to-127001-automated",level:3},{value:"2 Etcd Node Configuration",id:"2-etcd-node-configuration",level:2},{value:"2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)",id:"21-ensure-that-the---cert-file-and---key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"2.2 Ensure that the --client-cert-auth argument is set to true (Automated)",id:"22-ensure-that-the---client-cert-auth-argument-is-set-to-true-automated",level:3},{value:"2.3 Ensure that the --auto-tls argument is not set to true (Automated)",id:"23-ensure-that-the---auto-tls-argument-is-not-set-to-true-automated",level:3},{value:"2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)",id:"24-ensure-that-the---peer-cert-file-and---peer-key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"2.5 Ensure that the --peer-client-cert-auth argument is set to true (Automated)",id:"25-ensure-that-the---peer-client-cert-auth-argument-is-set-to-true-automated",level:3},{value:"2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated)",id:"26-ensure-that-the---peer-auto-tls-argument-is-not-set-to-true-automated",level:3},{value:"2.7 Ensure that a unique Certificate Authority is used for etcd (Manual)",id:"27-ensure-that-a-unique-certificate-authority-is-used-for-etcd-manual",level:3},{value:"3.1 Authentication and Authorization",id:"31-authentication-and-authorization",level:2},{value:"3.1.1 Client certificate authentication should not be used for users (Manual)",id:"311-client-certificate-authentication-should-not-be-used-for-users-manual",level:3},{value:"3.2 Logging",id:"32-logging",level:2},{value:"3.2.1 Ensure that a minimal audit policy is created (Manual)",id:"321-ensure-that-a-minimal-audit-policy-is-created-manual",level:3},{value:"3.2.2 Ensure that the audit policy covers key security concerns (Manual)",id:"322-ensure-that-the-audit-policy-covers-key-security-concerns-manual",level:3},{value:"4.1 Worker Node Configuration Files",id:"41-worker-node-configuration-files",level:2},{value:"4.1.1 Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automated)",id:"411-ensure-that-the-kubelet-service-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"4.1.2 Ensure that the kubelet service file ownership is set to root (Automated)",id:"412-ensure-that-the-kubelet-service-file-ownership-is-set-to-root-automated",level:3},{value:"4.1.3 If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive (Manual)",id:"413-if-proxy-kubeconfig-file-exists-ensure-permissions-are-set-to-644-or-more-restrictive-manual",level:3},{value:"4.1.4 If proxy kubeconfig file exists ensure ownership is set to root (Manual)",id:"414-if-proxy-kubeconfig-file-exists-ensure-ownership-is-set-to-root-manual",level:3},{value:"4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive (Automated)",id:"415-ensure-that-the---kubeconfig-kubeletconf-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root (Automated)",id:"416-ensure-that-the---kubeconfig-kubeletconf-file-ownership-is-set-to-root-automated",level:3},{value:"4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual)",id:"417-ensure-that-the-certificate-authorities-file-permissions-are-set-to-644-or-more-restrictive-manual",level:3},{value:"4.1.8 Ensure that the client certificate authorities file ownership is set to root (Manual)",id:"418-ensure-that-the-client-certificate-authorities-file-ownership-is-set-to-root-manual",level:3},{value:"4.1.9 Ensure that the kubelet --config configuration file has permissions set to 644 or more restrictive (Automated)",id:"419-ensure-that-the-kubelet---config-configuration-file-has-permissions-set-to-644-or-more-restrictive-automated",level:3},{value:"4.1.10 Ensure that the kubelet --config configuration file ownership is set to root (Automated)",id:"4110-ensure-that-the-kubelet---config-configuration-file-ownership-is-set-to-root-automated",level:3},{value:"4.2 Kubelet",id:"42-kubelet",level:2},{value:"4.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)",id:"421-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",level:3},{value:"4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)",id:"422-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",level:3},{value:"4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)",id:"423-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",level:3},{value:"4.2.4 Ensure that the --read-only-port argument is set to 0 (Manual)",id:"424-ensure-that-the---read-only-port-argument-is-set-to-0-manual",level:3},{value:"4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)",id:"425-ensure-that-the---streaming-connection-idle-timeout-argument-is-not-set-to-0-manual",level:3},{value:"4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)",id:"426-ensure-that-the---protect-kernel-defaults-argument-is-set-to-true-automated",level:3},{value:"4.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Automated)",id:"427-ensure-that-the---make-iptables-util-chains-argument-is-set-to-true-automated",level:3},{value:"4.2.8 Ensure that the --hostname-override argument is not set (Manual)",id:"428-ensure-that-the---hostname-override-argument-is-not-set-manual",level:3},{value:"4.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Manual)",id:"429-ensure-that-the---event-qps-argument-is-set-to-0-or-a-level-which-ensures-appropriate-event-capture-manual",level:3},{value:"4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)",id:"4210-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-manual",level:3},{value:"4.2.11 Ensure that the --rotate-certificates argument is not set to false (Automated)",id:"4211-ensure-that-the---rotate-certificates-argument-is-not-set-to-false-automated",level:3},{value:"4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true (Manual)",id:"4212-verify-that-the-rotatekubeletservercertificate-argument-is-set-to-true-manual",level:3},{value:"4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)",id:"4213-ensure-that-the-kubelet-only-makes-use-of-strong-cryptographic-ciphers-manual",level:3},{value:"5.1 RBAC and Service Accounts",id:"51-rbac-and-service-accounts",level:2},{value:"5.1.1 Ensure that the cluster-admin role is only used where required (Manual)",id:"511-ensure-that-the-cluster-admin-role-is-only-used-where-required-manual",level:3},{value:"5.1.2 Minimize access to secrets (Manual)",id:"512-minimize-access-to-secrets-manual",level:3},{value:"5.1.3 Minimize wildcard use in Roles and ClusterRoles (Manual)",id:"513-minimize-wildcard-use-in-roles-and-clusterroles-manual",level:3},{value:"5.1.4 Minimize access to create pods (Manual)",id:"514-minimize-access-to-create-pods-manual",level:3},{value:"5.1.5 Ensure that default service accounts are not actively used. (Manual)",id:"515-ensure-that-default-service-accounts-are-not-actively-used-manual",level:3},{value:"5.1.6 Ensure that Service Account Tokens are only mounted where necessary (Manual)",id:"516-ensure-that-service-account-tokens-are-only-mounted-where-necessary-manual",level:3},{value:"5.1.7 Avoid use of system group (Manual)",id:"517-avoid-use-of-system-group-manual",level:3},{value:"5.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)",id:"518-limit-use-of-the-bind-impersonate-and-escalate-permissions-in-the-kubernetes-cluster-manual",level:3},{value:"5.2 Pod Security Standards",id:"52-pod-security-standards",level:2},{value:"5.2.1 Ensure that the cluster has at least one active policy control mechanism in place (Manual)",id:"521-ensure-that-the-cluster-has-at-least-one-active-policy-control-mechanism-in-place-manual",level:3},{value:"5.2.2 Minimize the admission of privileged containers (Automated)",id:"522-minimize-the-admission-of-privileged-containers-automated",level:3},{value:"5.2.3 Minimize the admission of containers wishing to share the host process ID namespace (Automated)",id:"523-minimize-the-admission-of-containers-wishing-to-share-the-host-process-id-namespace-automated",level:3},{value:"5.2.4 Minimize the admission of containers wishing to share the host IPC namespace (Automated)",id:"524-minimize-the-admission-of-containers-wishing-to-share-the-host-ipc-namespace-automated",level:3},{value:"5.2.5 Minimize the admission of containers wishing to share the host network namespace (Automated)",id:"525-minimize-the-admission-of-containers-wishing-to-share-the-host-network-namespace-automated",level:3},{value:"5.2.6 Minimize the admission of containers with allowPrivilegeEscalation (Automated)",id:"526-minimize-the-admission-of-containers-with-allowprivilegeescalation-automated",level:3},{value:"5.2.7 Minimize the admission of root containers (Automated)",id:"527-minimize-the-admission-of-root-containers-automated",level:3},{value:"5.2.8 Minimize the admission of containers with the NET_RAW capability (Automated)",id:"528-minimize-the-admission-of-containers-with-the-net_raw-capability-automated",level:3},{value:"5.2.9 Minimize the admission of containers with added capabilities (Automated)",id:"529-minimize-the-admission-of-containers-with-added-capabilities-automated",level:3},{value:"5.2.10 Minimize the admission of containers with capabilities assigned (Manual)",id:"5210-minimize-the-admission-of-containers-with-capabilities-assigned-manual",level:3},{value:"5.2.11 Minimize the admission of Windows HostProcess containers (Manual)",id:"5211-minimize-the-admission-of-windows-hostprocess-containers-manual",level:3},{value:"5.2.12 Minimize the admission of HostPath volumes (Manual)",id:"5212-minimize-the-admission-of-hostpath-volumes-manual",level:3},{value:"5.2.13 Minimize the admission of containers which use HostPorts (Manual)",id:"5213-minimize-the-admission-of-containers-which-use-hostports-manual",level:3},{value:"5.3 Network Policies and CNI",id:"53-network-policies-and-cni",level:2},{value:"5.3.1 Ensure that the CNI in use supports NetworkPolicies (Manual)",id:"531-ensure-that-the-cni-in-use-supports-networkpolicies-manual",level:3},{value:"5.3.2 Ensure that all Namespaces have NetworkPolicies defined (Manual)",id:"532-ensure-that-all-namespaces-have-networkpolicies-defined-manual",level:3},{value:"5.4 Secrets Management",id:"54-secrets-management",level:2},{value:"5.4.1 Prefer using Secrets as files over Secrets as environment variables (Manual)",id:"541-prefer-using-secrets-as-files-over-secrets-as-environment-variables-manual",level:3},{value:"5.4.2 Consider external secret storage (Manual)",id:"542-consider-external-secret-storage-manual",level:3},{value:"5.5 Extensible Admission Control",id:"55-extensible-admission-control",level:2},{value:"5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)",id:"551-configure-image-provenance-using-imagepolicywebhook-admission-controller-manual",level:3},{value:"5.7 General Policies",id:"57-general-policies",level:2},{value:"5.7.1 Create administrative boundaries between resources using namespaces (Manual)",id:"571-create-administrative-boundaries-between-resources-using-namespaces-manual",level:3},{value:"5.7.2 Ensure that the seccomp profile is set to docker/default in your Pod definitions (Manual)",id:"572-ensure-that-the-seccomp-profile-is-set-to-dockerdefault-in-your-pod-definitions-manual",level:3},{value:"5.7.3 Apply SecurityContext to your Pods and Containers (Manual)",id:"573-apply-securitycontext-to-your-pods-and-containers-manual",level:3},{value:"5.7.4 The default namespace should not be used (Manual)",id:"574-the-default-namespace-should-not-be-used-manual",level:3}];function d(e){const r={a:"a",blockquote:"blockquote",code:"code",h2:"h2",h3:"h3",li:"li",p:"p",pre:"pre",strong:"strong",ul:"ul",...(0,n.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(r.h2,{id:"overview",children:"Overview"}),"\n",(0,s.jsxs)(r.p,{children:["This document is a companion to the ",(0,s.jsx)(r.a,{href:"/security/hardening-guide",children:"K3s security hardening guide"}),". The hardening guide provides prescriptive guidance for hardening a production installation of K3s, and this benchmark guide is meant to help you evaluate the level of security of the hardened cluster against each control in the CIS Kubernetes Benchmark. It is to be used by K3s operators, security teams, auditors, and decision-makers."]}),"\n",(0,s.jsxs)(r.p,{children:["This guide is specific to the ",(0,s.jsx)(r.strong,{children:"v1.22-v1.23"})," release lines of K3s and the ",(0,s.jsx)(r.strong,{children:"v1.23"})," release of the CIS Kubernetes Benchmark."]}),"\n",(0,s.jsxs)(r.p,{children:["For more information about each control, including detailed descriptions and remediations for failing tests, you can refer to the corresponding section of the CIS Kubernetes Benchmark v1.6. You can download the benchmark, after creating a free account, in ",(0,s.jsx)(r.a,{href:"https://www.cisecurity.org/benchmark/kubernetes/",children:"Center for Internet Security (CIS)"}),"."]}),"\n",(0,s.jsx)(r.h3,{id:"testing-controls-methodology",children:"Testing controls methodology"}),"\n",(0,s.jsx)(r.p,{children:"Each control in the CIS Kubernetes Benchmark was evaluated against a K3s cluster that was configured according to the accompanying hardening guide."}),"\n",(0,s.jsx)(r.p,{children:"Where control audits differ from the original CIS benchmark, the audit commands specific to K3s are provided for testing."}),"\n",(0,s.jsx)(r.p,{children:"These are the possible results for each control:"}),"\n",(0,s.jsxs)(r.ul,{children:["\n",(0,s.jsxs)(r.li,{children:[(0,s.jsx)(r.strong,{children:"Pass"})," - The K3s cluster under test passed the audit outlined in the benchmark."]}),"\n",(0,s.jsxs)(r.li,{children:[(0,s.jsx)(r.strong,{children:"Not Applicable"})," - The control is not applicable to K3s because of how it is designed to operate. The remediation section will explain why this is so."]}),"\n",(0,s.jsxs)(r.li,{children:[(0,s.jsx)(r.strong,{children:"Warn"})," - The control is manual in the CIS benchmark and it depends on the cluster's use case or some other factor that must be determined by the cluster operator. These controls have been evaluated to ensure K3s does not prevent their implementation, but no further configuration or auditing of the cluster under test has been performed."]}),"\n"]}),"\n",(0,s.jsx)(r.p,{children:'This guide makes the assumption that K3s is running as a Systemd unit. Your installation may vary and will require you to adjust the "audit" commands to fit your scenario.'}),"\n",(0,s.jsxs)(r.blockquote,{children:["\n",(0,s.jsxs)(r.p,{children:["NOTE: Only ",(0,s.jsx)(r.code,{children:"automated"})," tests (previously called ",(0,s.jsx)(r.code,{children:"scored"}),") are covered in this guide."]}),"\n"]}),"\n",(0,s.jsx)(r.h2,{id:"11-control-plane-node-configuration-files",children:"1.1 Control Plane Node Configuration Files"}),"\n",(0,s.jsx)(r.h3,{id:"111-ensure-that-the-api-server-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the\ncontrol plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chmod 644 /etc/kubernetes/manifests/kube-apiserver.yaml"})]}),"\n",(0,s.jsxs)(r.h3,{id:"112-ensure-that-the-api-server-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.2 Ensure that the API server pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chown root:root /etc/kubernetes/manifests/kube-apiserver.yaml"})]}),"\n",(0,s.jsx)(r.h3,{id:"113-ensure-that-the-controller-manager-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chmod 644 /etc/kubernetes/manifests/kube-controller-manager.yaml"})]}),"\n",(0,s.jsxs)(r.h3,{id:"114-ensure-that-the-controller-manager-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.4 Ensure that the controller manager pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chown root:root /etc/kubernetes/manifests/kube-controller-manager.yaml"})]}),"\n",(0,s.jsx)(r.h3,{id:"115-ensure-that-the-scheduler-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"1.1.5 Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chmod 644 /etc/kubernetes/manifests/kube-scheduler.yaml"})]}),"\n",(0,s.jsxs)(r.h3,{id:"116-ensure-that-the-scheduler-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.6 Ensure that the scheduler pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chown root:root /etc/kubernetes/manifests/kube-scheduler.yaml"})]}),"\n",(0,s.jsx)(r.h3,{id:"117-ensure-that-the-etcd-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"1.1.7 Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chmod 644 /etc/kubernetes/manifests/etcd.yaml"})]}),"\n",(0,s.jsxs)(r.h3,{id:"118-ensure-that-the-etcd-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.8 Ensure that the etcd pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chown root:root /etc/kubernetes/manifests/etcd.yaml"})]}),"\n",(0,s.jsx)(r.h3,{id:"119-ensure-that-the-container-network-interface-file-permissions-are-set-to-644-or-more-restrictive-manual",children:"1.1.9 Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chmod 644 <path/to/cni/files>"})]}),"\n",(0,s.jsxs)(r.h3,{id:"1110-ensure-that-the-container-network-interface-file-ownership-is-set-to-root-manual",children:["1.1.10 Ensure that the Container Network Interface file ownership is set to root",":root"," (Manual)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chown root:root <path/to/cni/files>"})]}),"\n",(0,s.jsx)(r.h3,{id:"1111-ensure-that-the-etcd-data-directory-permissions-are-set-to-700-or-more-restrictive-automated",children:"1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nOn the etcd server node, get the etcd data directory, passed as an argument --data-dir,\nfrom the command 'ps -ef | grep etcd'.\nRun the below command (based on the etcd data directory found above). For example,\nchmod 700 /var/lib/etcd"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 1.1.11\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'700' is equal to '700'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"700\n"})}),"\n",(0,s.jsxs)(r.h3,{id:"1112-ensure-that-the-etcd-data-directory-ownership-is-set-to-etcd-automated",children:["1.1.12 Ensure that the etcd data directory ownership is set to etcd",":etcd"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nOn the etcd server node, get the etcd data directory, passed as an argument --data-dir,\nfrom the command 'ps -ef | grep etcd'.\nRun the below command (based on the etcd data directory found above).\nFor example, chown etcd",":etcd"," /var/lib/etcd"]}),"\n",(0,s.jsx)(r.h3,{id:"1113-ensure-that-the-adminconf-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.13 Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, chmod 600 /var/lib/rancher/k3s/server/cred/admin.kubeconfig"]}),"\n",(0,s.jsxs)(r.h3,{id:"1114-ensure-that-the-adminconf-file-ownership-is-set-to-root-automated",children:["1.1.14 Ensure that the admin.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, chown root",":root"," /etc/kubernetes/admin.conf"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/admin.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/server/cred/admin.kubeconfig; fi'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'root:root' is equal to 'root:root'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root\n"})}),"\n",(0,s.jsx)(r.h3,{id:"1115-ensure-that-the-schedulerconf-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"1.1.15 Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example,\nchmod 644 scheduler"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; fi'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions has permissions 644, expected 644 or more restrictive\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions=644\n"})}),"\n",(0,s.jsxs)(r.h3,{id:"1116-ensure-that-the-schedulerconf-file-ownership-is-set-to-root-automated",children:["1.1.16 Ensure that the scheduler.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chown root:root scheduler"})]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; fi'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'root:root' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root\n"})}),"\n",(0,s.jsx)(r.h3,{id:"1117-ensure-that-the-controller-managerconf-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example,\nchmod 644 controllermanager"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/controller.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/controller.kubeconfig; fi'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions has permissions 644, expected 644 or more restrictive\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions=644\n"})}),"\n",(0,s.jsxs)(r.h3,{id:"1118-ensure-that-the-controller-managerconf-file-ownership-is-set-to-root-automated",children:["1.1.18 Ensure that the controller-manager.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example,\nchown root",":root"," controllermanager"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/server/tls\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'root:root' is equal to 'root:root'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root\n"})}),"\n",(0,s.jsxs)(r.h3,{id:"1119-ensure-that-the-kubernetes-pki-directory-and-file-ownership-is-set-to-root-automated",children:["1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example,\nchown -R root",":root"," /etc/kubernetes/pki/"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"find /var/lib/rancher/k3s/server/tls | xargs stat -c %U:%G\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'root:root' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root\n"})}),"\n",(0,s.jsx)(r.h3,{id:"1120-ensure-that-the-kubernetes-pki-certificate-file-permissions-are-set-to-644-or-more-restrictive-manual",children:"1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example,\nchmod -R 644 /etc/kubernetes/pki/*.crt"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %n %a /var/lib/rancher/k3s/server/tls/*.crt\n"})}),"\n",(0,s.jsx)(r.h3,{id:"1121-ensure-that-the-kubernetes-pki-key-file-permissions-are-set-to-600-manual",children:"1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example,\nchmod -R 600 /etc/kubernetes/pki/*.key"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %n %a /var/lib/rancher/k3s/server/tls/*.key\n"})}),"\n",(0,s.jsx)(r.h2,{id:"12-api-server",children:"1.2 API Server"}),"\n",(0,s.jsx)(r.h3,{id:"121-ensure-that-the---anonymous-auth-argument-is-set-to-false-manual",children:"1.2.1 Ensure that the --anonymous-auth argument is set to false (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the below parameter.\n--anonymous-auth=false"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'anonymous-auth'\n"})}),"\n",(0,s.jsx)(r.h3,{id:"122-ensure-that-the---token-auth-file-parameter-is-not-set-automated",children:"1.2.2 Ensure that the --token-auth-file parameter is not set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the documentation and configure alternate mechanisms for authentication. Then,\nedit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and remove the ",(0,s.jsx)(r.code,{children:"--token-auth-file=<filename>"})," parameter."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/ps -ef | grep containerd | grep -v grep\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--token-auth-file' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root 1616 1600 6 13:26 ? 00:01:28 containerd -c /var/lib/rancher/k3s/agent/etc/containerd/config.toml -a /run/k3s/containerd/containerd.sock --state /run/k3s/containerd --root /var/lib/rancher/k3s/agent/containerd root 2318 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id b41ec3297be4625c2406ad8b7b4f8b91cddd60850c420050c4c3273f809b3e7e -address /run/k3s/containerd/containerd.sock root 2341 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id e7999a65ae0a4e9969f32317ec48ae4f7071b62f92e5236696737973be77c2e1 -address /run/k3s/containerd/containerd.sock root 3199 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 90c4e63d6ee29d40a48c2fdaf2738c2472cba1139dde8a550466c452184f8528 -address /run/k3s/containerd/containerd.sock root 3923 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id be5f4b9bd1ed9239362b7000b47f353acb8bc8ca52a9c9145cba0e902ec1c4b9 -address /run/k3s/containerd/containerd.sock root 4559 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 04cd40ea6b6078797f177c902c89412c70e523ad2a687a62829bf1d16ff0e19c -address /run/k3s/containerd/containerd.sock root 4647 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 48f37a480315b6adce2d2a5c5d67a85412dd0ba7a2e82816434e0deb9fa75de9 -address /run/k3s/containerd/containerd.sock root 6610 1 0 13:47 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 1cf71c22f568468055e517ab363437c0e54e45274c64024d337cc5bcce66341d -address /run/k3s/containerd/containerd.sock\n"})}),"\n",(0,s.jsx)(r.h3,{id:"123-ensure-that-the---denyserviceexternalips-is-not-set-automated",children:"1.2.3 Ensure that the --DenyServiceExternalIPs is not set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and remove the ",(0,s.jsx)(r.code,{children:"DenyServiceExternalIPs"}),"\nfrom enabled admission plugins."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/ps -ef | grep containerd | grep -v grep\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--enable-admission-plugins' is present OR '--enable-admission-plugins' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root 1616 1600 6 13:26 ? 00:01:28 containerd -c /var/lib/rancher/k3s/agent/etc/containerd/config.toml -a /run/k3s/containerd/containerd.sock --state /run/k3s/containerd --root /var/lib/rancher/k3s/agent/containerd root 2318 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id b41ec3297be4625c2406ad8b7b4f8b91cddd60850c420050c4c3273f809b3e7e -address /run/k3s/containerd/containerd.sock root 2341 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id e7999a65ae0a4e9969f32317ec48ae4f7071b62f92e5236696737973be77c2e1 -address /run/k3s/containerd/containerd.sock root 3199 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 90c4e63d6ee29d40a48c2fdaf2738c2472cba1139dde8a550466c452184f8528 -address /run/k3s/containerd/containerd.sock root 3923 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id be5f4b9bd1ed9239362b7000b47f353acb8bc8ca52a9c9145cba0e902ec1c4b9 -address /run/k3s/containerd/containerd.sock root 4559 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 04cd40ea6b6078797f177c902c89412c70e523ad2a687a62829bf1d16ff0e19c -address /run/k3s/containerd/containerd.sock root 4647 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 48f37a480315b6adce2d2a5c5d67a85412dd0ba7a2e82816434e0deb9fa75de9 -address /run/k3s/containerd/containerd.sock root 6610 1 0 13:47 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 1cf71c22f568468055e517ab363437c0e54e45274c64024d337cc5bcce66341d -address /run/k3s/containerd/containerd.sock\n"})}),"\n",(0,s.jsx)(r.h3,{id:"124-ensure-that-the---kubelet-https-argument-is-set-to-true-automated",children:"1.2.4 Ensure that the --kubelet-https argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and remove the --kubelet-https parameter."]}),"\n",(0,s.jsx)(r.h3,{id:"125-ensure-that-the---kubelet-client-certificate-and---kubelet-client-key-arguments-are-set-as-appropriate-automated",children:"1.2.5 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and set up the TLS connection between the\napiserver and kubelets. Then, edit API server pod specification file\n/etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the\nkubelet client certificate and key parameters as below."]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:"--kubelet-client-certificate=<path/to/client-certificate-file>\n--kubelet-client-key=<path/to/client-key-file>\n"})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'kubelet-certificate-authority'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--kubelet-client-certificate' is present AND '--kubelet-client-key' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"126-ensure-that-the---kubelet-certificate-authority-argument-is-set-as-appropriate-automated",children:"1.2.6 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and setup the TLS connection between\nthe apiserver and kubelets. Then, edit the API server pod specification file\n/etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the\n--kubelet-certificate-authority parameter to the path to the cert file for the certificate authority\n",(0,s.jsx)(r.code,{children:"--kubelet-certificate-authority=<ca-string>"}),"."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'kubelet-certificate-authority'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--kubelet-certificate-authority' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"127-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",children:"1.2.7 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --authorization-mode parameter to values other than AlwaysAllow.\nOne such example could be as below.\n--authorization-mode=RBAC"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--authorization-mode' does not have 'AlwaysAllow'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"128-ensure-that-the---authorization-mode-argument-includes-node-automated",children:"1.2.8 Ensure that the --authorization-mode argument includes Node (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --authorization-mode parameter to a value that includes Node.\n--authorization-mode=Node,RBAC"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--authorization-mode' has 'Node'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"129-ensure-that-the---authorization-mode-argument-includes-rbac-automated",children:"1.2.9 Ensure that the --authorization-mode argument includes RBAC (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --authorization-mode parameter to a value that includes RBAC,\nfor example ",(0,s.jsx)(r.code,{children:"--authorization-mode=Node,RBAC"}),"."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--authorization-mode' has 'RBAC'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1210-ensure-that-the-admission-control-plugin-eventratelimit-is-set-manual",children:"1.2.10 Ensure that the admission control plugin EventRateLimit is set (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and set the desired limits in a configuration file.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\nand set the below parameters."]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:"--enable-admission-plugins=...,EventRateLimit,...\n--admission-control-config-file=<path/to/configuration/file>\n"})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--enable-admission-plugins' has 'EventRateLimit'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1211-ensure-that-the-admission-control-plugin-alwaysadmit-is-not-set-automated",children:"1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and either remove the --enable-admission-plugins parameter, or set it to a\nvalue that does not include AlwaysAdmit."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--enable-admission-plugins' does not have 'AlwaysAdmit' OR '--enable-admission-plugins' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1212-ensure-that-the-admission-control-plugin-alwayspullimages-is-set-manual",children:"1.2.12 Ensure that the admission control plugin AlwaysPullImages is set (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --enable-admission-plugins parameter to include\nAlwaysPullImages.\n--enable-admission-plugins=...,AlwaysPullImages,..."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/ps -ef | grep containerd | grep -v grep\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--enable-admission-plugins' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root 1616 1600 6 13:26 ? 00:01:28 containerd -c /var/lib/rancher/k3s/agent/etc/containerd/config.toml -a /run/k3s/containerd/containerd.sock --state /run/k3s/containerd --root /var/lib/rancher/k3s/agent/containerd root 2318 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id b41ec3297be4625c2406ad8b7b4f8b91cddd60850c420050c4c3273f809b3e7e -address /run/k3s/containerd/containerd.sock root 2341 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id e7999a65ae0a4e9969f32317ec48ae4f7071b62f92e5236696737973be77c2e1 -address /run/k3s/containerd/containerd.sock root 3199 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 90c4e63d6ee29d40a48c2fdaf2738c2472cba1139dde8a550466c452184f8528 -address /run/k3s/containerd/containerd.sock root 3923 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id be5f4b9bd1ed9239362b7000b47f353acb8bc8ca52a9c9145cba0e902ec1c4b9 -address /run/k3s/containerd/containerd.sock root 4559 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 04cd40ea6b6078797f177c902c89412c70e523ad2a687a62829bf1d16ff0e19c -address /run/k3s/containerd/containerd.sock root 4647 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 48f37a480315b6adce2d2a5c5d67a85412dd0ba7a2e82816434e0deb9fa75de9 -address /run/k3s/containerd/containerd.sock root 6610 1 0 13:47 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 1cf71c22f568468055e517ab363437c0e54e45274c64024d337cc5bcce66341d -address /run/k3s/containerd/containerd.sock\n"})}),"\n",(0,s.jsx)(r.h3,{id:"1213-ensure-that-the-admission-control-plugin-securitycontextdeny-is-set-if-podsecuritypolicy-is-not-used-manual",children:"1.2.13 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --enable-admission-plugins parameter to include\nSecurityContextDeny, unless PodSecurityPolicy is already in place.\n--enable-admission-plugins=...,SecurityContextDeny,..."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--enable-admission-plugins' has 'SecurityContextDeny' OR '--enable-admission-plugins' has 'PodSecurityPolicy'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1214-ensure-that-the-admission-control-plugin-serviceaccount-is-set-automated",children:"1.2.14 Ensure that the admission control plugin ServiceAccount is set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the documentation and create ServiceAccount objects as per your environment.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and ensure that the --disable-admission-plugins parameter is set to a\nvalue that does not include ServiceAccount."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--disable-admission-plugins' is present OR '--disable-admission-plugins' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1215-ensure-that-the-admission-control-plugin-namespacelifecycle-is-set-automated",children:"1.2.15 Ensure that the admission control plugin NamespaceLifecycle is set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --disable-admission-plugins parameter to\nensure it does not include NamespaceLifecycle."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--disable-admission-plugins' is present OR '--disable-admission-plugins' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1216-ensure-that-the-admission-control-plugin-noderestriction-is-set-automated",children:"1.2.16 Ensure that the admission control plugin NodeRestriction is set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --enable-admission-plugins parameter to a\nvalue that includes NodeRestriction.\n--enable-admission-plugins=...,NodeRestriction,..."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--enable-admission-plugins' has 'NodeRestriction'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1217-ensure-that-the---secure-port-argument-is-not-set-to-0-automated",children:"1.2.17 Ensure that the --secure-port argument is not set to 0 (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and either remove the --secure-port parameter or\nset it to a different (non-zero) desired port."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'secure-port'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--secure-port' is greater than 0 OR '--secure-port' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1218-ensure-that-the---profiling-argument-is-set-to-false-automated",children:"1.2.18 Ensure that the --profiling argument is set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the below parameter.\n--profiling=false"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'profiling'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--profiling' is equal to 'false'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1219-ensure-that-the---audit-log-path-argument-is-set-automated",children:"1.2.19 Ensure that the --audit-log-path argument is set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --audit-log-path parameter to a suitable path and\nfile where you would like audit logs to be written, for example,\n--audit-log-path=/var/log/apiserver/audit.log"]}),"\n",(0,s.jsx)(r.h3,{id:"1220-ensure-that-the---audit-log-maxage-argument-is-set-to-30-or-as-appropriate-automated",children:"1.2.20 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --audit-log-maxage parameter to 30\nor as an appropriate number of days, for example,\n--audit-log-maxage=30"]}),"\n",(0,s.jsx)(r.h3,{id:"1221-ensure-that-the---audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate-automated",children:"1.2.21 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --audit-log-maxbackup parameter to 10 or to an appropriate\nvalue. For example,\n--audit-log-maxbackup=10"]}),"\n",(0,s.jsx)(r.h3,{id:"1222-ensure-that-the---audit-log-maxsize-argument-is-set-to-100-or-as-appropriate-automated",children:"1.2.22 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --audit-log-maxsize parameter to an appropriate size in MB.\nFor example, to set it as 100 MB, --audit-log-maxsize=100"]}),"\n",(0,s.jsx)(r.h3,{id:"1224-ensure-that-the---service-account-lookup-argument-is-set-to-true-automated",children:"1.2.24 Ensure that the --service-account-lookup argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the below parameter.\n--service-account-lookup=true\nAlternatively, you can delete the --service-account-lookup parameter from this file so\nthat the default takes effect."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--service-account-lookup' is not present OR '--service-account-lookup' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1225-ensure-that-the---request-timeout-argument-is-set-as-appropriate-automated",children:"1.2.25 Ensure that the --request-timeout argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --service-account-key-file parameter\nto the public key file for service accounts. For example,\n",(0,s.jsx)(r.code,{children:"--service-account-key-file=<filename>"}),"."]}),"\n",(0,s.jsx)(r.h3,{id:"1226-ensure-that-the---etcd-certfile-and---etcd-keyfile-arguments-are-set-as-appropriate-automated",children:"1.2.26 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the etcd certificate and key file parameters."]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:"--etcd-certfile=<path/to/client-certificate-file>\n--etcd-keyfile=<path/to/client-key-file>\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 1.2.29\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--etcd-certfile' is present AND '--etcd-keyfile' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"--etcd-certfile AND --etcd-keyfile\n"})}),"\n",(0,s.jsx)(r.h3,{id:"1227-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",children:"1.2.27 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and set up the TLS connection on the apiserver.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the TLS certificate and private key file parameters."]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:"--tls-cert-file=<path/to/tls-certificate-file>\n--tls-private-key-file=<path/to/tls-key-file>\n"})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep -A1 'Running kube-apiserver' | tail -n2\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--tls-cert-file' is present AND '--tls-private-key-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key" Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-scheduler --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1228-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",children:"1.2.28 Ensure that the --client-ca-file argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and set up the TLS connection on the apiserver.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the client certificate authority file.\n",(0,s.jsx)(r.code,{children:"--client-ca-file=<path/to/client-ca-file>"})]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'client-ca-file'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--client-ca-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1229-ensure-that-the---etcd-cafile-argument-is-set-as-appropriate-automated",children:"1.2.29 Ensure that the --etcd-cafile argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the etcd certificate authority file parameter.\n",(0,s.jsx)(r.code,{children:"--etcd-cafile=<path/to/ca-file>"})]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'etcd-cafile'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--etcd-cafile' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1230-ensure-that-the---encryption-provider-config-argument-is-set-as-appropriate-manual",children:"1.2.30 Ensure that the --encryption-provider-config argument is set as appropriate (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and configure a EncryptionConfig file.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --encryption-provider-config parameter to the path of that file.\nFor example, ",(0,s.jsx)(r.code,{children:"--encryption-provider-config=</path/to/EncryptionConfig/File>"})]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'encryption-provider-config'\n"})}),"\n",(0,s.jsx)(r.h3,{id:"1231-ensure-that-encryption-providers-are-appropriately-configured-manual",children:"1.2.31 Ensure that encryption providers are appropriately configured (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and configure a EncryptionConfig file.\nIn this file, choose aescbc, kms or secretbox as the encryption provider."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"grep aescbc /path/to/encryption-config.json\n"})}),"\n",(0,s.jsx)(r.h3,{id:"1232-ensure-that-the-api-server-only-makes-use-of-strong-cryptographic-ciphers-manual",children:"1.2.32 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the below parameter.\n--tls-cipher-suites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,\nTLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,\nTLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,\nTLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,\nTLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,\nTLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,\nTLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,\nTLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'tls-cipher-suites'\n"})}),"\n",(0,s.jsx)(r.h2,{id:"13-controller-manager",children:"1.3 Controller Manager"}),"\n",(0,s.jsx)(r.h3,{id:"131-ensure-that-the---terminated-pod-gc-threshold-argument-is-set-as-appropriate-manual",children:"1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node and set the --terminated-pod-gc-threshold to an appropriate threshold,\nfor example, --terminated-pod-gc-threshold=10"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'terminated-pod-gc-threshold'\n"})}),"\n",(0,s.jsx)(r.h3,{id:"132-ensure-that-the---profiling-argument-is-set-to-false-automated",children:"1.3.2 Ensure that the --profiling argument is set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node and set the below parameter.\n--profiling=false"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'profiling'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--profiling' is equal to 'false'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-controller-manager --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --use-service-account-credentials=true"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"133-ensure-that-the---use-service-account-credentials-argument-is-set-to-true-automated",children:"1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node to set the below parameter.\n--use-service-account-credentials=true"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'use-service-account-credentials'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--use-service-account-credentials' is not equal to 'false'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-controller-manager --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --use-service-account-credentials=true"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"134-ensure-that-the---service-account-private-key-file-argument-is-set-as-appropriate-automated",children:"1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node and set the --service-account-private-key-file parameter\nto the private key file for service accounts. For example,\n",(0,s.jsx)(r.code,{children:"--service-account-private-key-file=<filename>"}),"."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'service-account-private-key-file'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--service-account-private-key-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-controller-manager --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --use-service-account-credentials=true"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"135-ensure-that-the---root-ca-file-argument-is-set-as-appropriate-automated",children:"1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node and set the --root-ca-file parameter to the certificate bundle file.\n",(0,s.jsx)(r.code,{children:"--root-ca-file=<path/to/file>"})]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'root-ca-file'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--root-ca-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-controller-manager --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --use-service-account-credentials=true"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"136-ensure-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",children:"1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true.\n--feature-gates=RotateKubeletServerCertificate=true"]}),"\n",(0,s.jsx)(r.h3,{id:"137-ensure-that-the---bind-address-argument-is-set-to-127001-automated",children:"1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node and ensure the correct value for the --bind-address parameter"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/ps -ef | grep containerd | grep -v grep\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--bind-address' is present OR '--bind-address' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root 1616 1600 6 13:26 ? 00:01:28 containerd -c /var/lib/rancher/k3s/agent/etc/containerd/config.toml -a /run/k3s/containerd/containerd.sock --state /run/k3s/containerd --root /var/lib/rancher/k3s/agent/containerd root 2318 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id b41ec3297be4625c2406ad8b7b4f8b91cddd60850c420050c4c3273f809b3e7e -address /run/k3s/containerd/containerd.sock root 2341 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id e7999a65ae0a4e9969f32317ec48ae4f7071b62f92e5236696737973be77c2e1 -address /run/k3s/containerd/containerd.sock root 3199 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 90c4e63d6ee29d40a48c2fdaf2738c2472cba1139dde8a550466c452184f8528 -address /run/k3s/containerd/containerd.sock root 3923 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id be5f4b9bd1ed9239362b7000b47f353acb8bc8ca52a9c9145cba0e902ec1c4b9 -address /run/k3s/containerd/containerd.sock root 4559 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 04cd40ea6b6078797f177c902c89412c70e523ad2a687a62829bf1d16ff0e19c -address /run/k3s/containerd/containerd.sock root 4647 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 48f37a480315b6adce2d2a5c5d67a85412dd0ba7a2e82816434e0deb9fa75de9 -address /run/k3s/containerd/containerd.sock root 6610 1 0 13:47 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 1cf71c22f568468055e517ab363437c0e54e45274c64024d337cc5bcce66341d -address /run/k3s/containerd/containerd.sock\n"})}),"\n",(0,s.jsx)(r.h2,{id:"14-scheduler",children:"1.4 Scheduler"}),"\n",(0,s.jsx)(r.h3,{id:"141-ensure-that-the---profiling-argument-is-set-to-false-automated",children:"1.4.1 Ensure that the --profiling argument is set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml file\non the control plane node and set the below parameter.\n--profiling=false"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-scheduler' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--profiling' is equal to 'false'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-scheduler --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"142-ensure-that-the---bind-address-argument-is-set-to-127001-automated",children:"1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml\non the control plane node and ensure the correct value for the --bind-address parameter"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-scheduler' | tail -n1 | grep 'bind-address'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--bind-address' is equal to '127.0.0.1' OR '--bind-address' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-scheduler --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"\n'})}),"\n",(0,s.jsx)(r.h2,{id:"2-etcd-node-configuration",children:"2 Etcd Node Configuration"}),"\n",(0,s.jsx)(r.h3,{id:"21-ensure-that-the---cert-file-and---key-file-arguments-are-set-as-appropriate-automated",children:"2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the etcd service documentation and configure TLS encryption.\nThen, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml\non the master node and set the below parameters."]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:"--cert-file=</path/to/ca-file>\n--key-file=</path/to/key-file>\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 2.1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'cert-file' is present AND 'key-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"cert-file AND key-file cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key cert-file AND key-file\n"})}),"\n",(0,s.jsx)(r.h3,{id:"22-ensure-that-the---client-cert-auth-argument-is-set-to-true-automated",children:"2.2 Ensure that the --client-cert-auth argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),'\nEdit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master\nnode and set the below parameter.\n--client-cert-auth="true"']}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 2.2\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--client-cert-auth' is present OR 'client-cert-auth' is equal to 'true'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"--client-cert-auth=true client-cert-auth: true --client-cert-auth=true\n"})}),"\n",(0,s.jsx)(r.h3,{id:"23-ensure-that-the---auto-tls-argument-is-not-set-to-true-automated",children:"2.3 Ensure that the --auto-tls argument is not set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master\nnode and either remove the --auto-tls parameter or set it to false.\n--auto-tls=false"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 2.3\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'ETCD_AUTO_TLS' is not present OR 'ETCD_AUTO_TLS' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"error: process ID list syntax error Usage: ps [options] Try 'ps --help <simple|list|output|threads|misc|all>' or 'ps --help <s|l|o|t|m|a>' for additional help text. For more details see ps(1). cat: /proc//environ: No such file or directory error: process ID list syntax error Usage: ps [options] Try 'ps --help <simple|list|output|threads|misc|all>' or 'ps --help <s|l|o|t|m|a>' for additional help text. For more details see ps(1). cat: /proc//environ: No such file or directory error: process ID list syntax error Usage: ps [options] Try 'ps --help <simple|list|output|threads|misc|all>' or 'ps --help <s|l|o|t|m|a>' for additional help text. For more details see ps(1). cat: /proc//environ: No such file or directory\n"})}),"\n",(0,s.jsx)(r.h3,{id:"24-ensure-that-the---peer-cert-file-and---peer-key-file-arguments-are-set-as-appropriate-automated",children:"2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the etcd service documentation and configure peer TLS encryption as appropriate\nfor your etcd cluster.\nThen, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the\nmaster node and set the below parameters."]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:"--peer-client-file=</path/to/peer-cert-file>\n--peer-key-file=</path/to/peer-key-file>\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 2.4\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'cert-file' is present AND 'key-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"peer-cert-file AND peer-key-file cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key peer-cert-file AND peer-key-file\n"})}),"\n",(0,s.jsx)(r.h3,{id:"25-ensure-that-the---peer-client-cert-auth-argument-is-set-to-true-automated",children:"2.5 Ensure that the --peer-client-cert-auth argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master\nnode and set the below parameter.\n--peer-client-cert-auth=true"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 2.5\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--client-cert-auth' is present OR 'client-cert-auth' is equal to 'true'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"--client-cert-auth=true client-cert-auth: true --client-cert-auth=true\n"})}),"\n",(0,s.jsx)(r.h3,{id:"26-ensure-that-the---peer-auto-tls-argument-is-not-set-to-true-automated",children:"2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master\nnode and either remove the --peer-auto-tls parameter or set it to false.\n--peer-auto-tls=false"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 2.6\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--peer-auto-tls' is not present OR '--peer-auto-tls' is equal to 'false'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"--peer-auto-tls=false error: process ID list syntax error Usage: ps [options] Try 'ps --help <simple|list|output|threads|misc|all>' or 'ps --help <s|l|o|t|m|a>' for additional help text. For more details see ps(1). cat: /proc//environ: No such file or directory --peer-auto-tls=false\n"})}),"\n",(0,s.jsx)(r.h3,{id:"27-ensure-that-a-unique-certificate-authority-is-used-for-etcd-manual",children:"2.7 Ensure that a unique Certificate Authority is used for etcd (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\n[Manual test]\nFollow the etcd documentation and create a dedicated certificate authority setup for the\netcd service.\nThen, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the\nmaster node and set the below parameter.\n",(0,s.jsx)(r.code,{children:"--trusted-ca-file=</path/to/ca-file>"})]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 2.7\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'trusted-ca-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"--trusted-ca-file trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt --trusted-ca-file\n"})}),"\n",(0,s.jsx)(r.h2,{id:"31-authentication-and-authorization",children:"3.1 Authentication and Authorization"}),"\n",(0,s.jsx)(r.h3,{id:"311-client-certificate-authentication-should-not-be-used-for-users-manual",children:"3.1.1 Client certificate authentication should not be used for users (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAlternative mechanisms provided by Kubernetes such as the use of OIDC should be\nimplemented in place of client certificates."]}),"\n",(0,s.jsx)(r.h2,{id:"32-logging",children:"3.2 Logging"}),"\n",(0,s.jsx)(r.h3,{id:"321-ensure-that-a-minimal-audit-policy-is-created-manual",children:"3.2.1 Ensure that a minimal audit policy is created (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nCreate an audit policy file for your cluster."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'audit-policy-file'\n"})}),"\n",(0,s.jsx)(r.h3,{id:"322-ensure-that-the-audit-policy-covers-key-security-concerns-manual",children:"3.2.2 Ensure that the audit policy covers key security concerns (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nReview the audit policy provided for the cluster and ensure that it covers\nat least the following areas,"]}),"\n",(0,s.jsxs)(r.ul,{children:["\n",(0,s.jsx)(r.li,{children:"Access to Secrets managed by the cluster. Care should be taken to only\nlog Metadata for requests to Secrets, ConfigMaps, and TokenReviews, in\norder to avoid risk of logging sensitive data."}),"\n",(0,s.jsx)(r.li,{children:"Modification of Pod and Deployment objects."}),"\n",(0,s.jsxs)(r.li,{children:["Use of ",(0,s.jsx)(r.code,{children:"pods/exec"}),", ",(0,s.jsx)(r.code,{children:"pods/portforward"}),", ",(0,s.jsx)(r.code,{children:"pods/proxy"})," and ",(0,s.jsx)(r.code,{children:"services/proxy"}),".\nFor most requests, minimally logging at the Metadata level is recommended\n(the most basic level of logging)."]}),"\n"]}),"\n",(0,s.jsx)(r.h2,{id:"41-worker-node-configuration-files",children:"4.1 Worker Node Configuration Files"}),"\n",(0,s.jsx)(r.h3,{id:"411-ensure-that-the-kubelet-service-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"4.1.1 Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the each worker node.\nFor example, chmod 644 /etc/systemd/system/kubelet.service.d/10-kubeadm.conf"]}),"\n",(0,s.jsxs)(r.h3,{id:"412-ensure-that-the-kubelet-service-file-ownership-is-set-to-root-automated",children:["4.1.2 Ensure that the kubelet service file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the each worker node.\nFor example,\nchown root",":root"," /etc/systemd/system/kubelet.service.d/10-kubeadm.conf"]}),"\n",(0,s.jsx)(r.h3,{id:"413-if-proxy-kubeconfig-file-exists-ensure-permissions-are-set-to-644-or-more-restrictive-manual",children:"4.1.3 If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the each worker node.\nFor example,\nchmod 644 /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %a /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'permissions' is present OR '/var/lib/rancher/k3s/agent/kubeproxy.kubeconfig' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"644 644\n"})}),"\n",(0,s.jsxs)(r.h3,{id:"414-if-proxy-kubeconfig-file-exists-ensure-ownership-is-set-to-root-manual",children:["4.1.4 If proxy kubeconfig file exists ensure ownership is set to root",":root"," (Manual)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the each worker node.\nFor example, chown root",":root"," /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; fi'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'root:root' is present OR '/var/lib/rancher/k3s/agent/kubeproxy.kubeconfig' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root root:root\n"})}),"\n",(0,s.jsx)(r.h3,{id:"415-ensure-that-the---kubeconfig-kubeletconf-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the each worker node.\nFor example,\nchmod 644 /var/lib/rancher/k3s/server/cred/admin.kubeconfig"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %a /var/lib/rancher/k3s/agent/kubelet.kubeconfig\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'644' is equal to '644'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"644 644\n"})}),"\n",(0,s.jsxs)(r.h3,{id:"416-ensure-that-the---kubeconfig-kubeletconf-file-ownership-is-set-to-root-automated",children:["4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the each worker node.\nFor example,\nchown root",":root"," /var/lib/rancher/k3s/server/cred/admin.kubeconfig"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/agent/kubelet.kubeconfig\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'root:root' is equal to 'root:root'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root root:root\n"})}),"\n",(0,s.jsx)(r.h3,{id:"417-ensure-that-the-certificate-authorities-file-permissions-are-set-to-644-or-more-restrictive-manual",children:"4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the following command to modify the file permissions of the\n--client-ca-file: ",(0,s.jsx)(r.code,{children:"chmod 644 <filename>"})]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %a /var/lib/rancher/k3s/server/tls/server-ca.crt\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'644' is present OR '640' is present OR '600' is equal to '600' OR '444' is present OR '440' is present OR '400' is present OR '000' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"644 600\n"})}),"\n",(0,s.jsxs)(r.h3,{id:"418-ensure-that-the-client-certificate-authorities-file-ownership-is-set-to-root-manual",children:["4.1.8 Ensure that the client certificate authorities file ownership is set to root",":root"," (Manual)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the following command to modify the ownership of the --client-ca-file:\n",(0,s.jsx)(r.code,{children:"chown root:root <filename>"}),"."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/server/tls/client-ca.crt\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'root:root' is equal to 'root:root'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root root:root\n"})}),"\n",(0,s.jsx)(r.h3,{id:"419-ensure-that-the-kubelet---config-configuration-file-has-permissions-set-to-644-or-more-restrictive-automated",children:"4.1.9 Ensure that the kubelet --config configuration file has permissions set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the following command (using the config file location identified in the Audit step)\nchmod 644 /var/lib/kubelet/config.yaml"]}),"\n",(0,s.jsxs)(r.h3,{id:"4110-ensure-that-the-kubelet---config-configuration-file-ownership-is-set-to-root-automated",children:["4.1.10 Ensure that the kubelet --config configuration file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the following command (using the config file location identified in the Audit step)\nchown root",":root"," /var/lib/kubelet/config.yaml"]}),"\n",(0,s.jsx)(r.h2,{id:"42-kubelet",children:"4.2 Kubelet"}),"\n",(0,s.jsx)(r.h3,{id:"421-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",children:"4.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"authentication: anonymous: enabled"})," to\n",(0,s.jsx)(r.code,{children:"false"}),".\nIf using executable arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n",(0,s.jsx)(r.code,{children:"--anonymous-auth=false"}),"\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'/bin/sh -c \'if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "anonymous-auth" | grep -v grep; else echo "--anonymous-auth=false"; fi\'\n'})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--anonymous-auth' is equal to 'false'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'--anonymous-auth=false Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"422-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",children:"4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"authorization.mode"})," to Webhook. If\nusing executable arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_AUTHZ_ARGS variable.\n--authorization-mode=Webhook\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'/bin/sh -c \'if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "authorization-mode" | grep -v grep; else echo "--authorization-mode=Webhook"; fi\'\n'})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--authorization-mode' does not have 'AlwaysAllow'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'--authorization-mode=Webhook Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"423-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",children:"4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"authentication.x509.clientCAFile"})," to\nthe location of the client CA file.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_AUTHZ_ARGS variable.\n",(0,s.jsx)(r.code,{children:"--client-ca-file=<path/to/client-ca-file>"}),"\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'/bin/sh -c \'if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "client-ca-file" | grep -v grep; else echo "--client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt"; fi\'\n'})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--client-ca-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'--client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"424-ensure-that-the---read-only-port-argument-is-set-to-0-manual",children:"4.2.4 Ensure that the --read-only-port argument is set to 0 (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"readOnlyPort"})," to 0.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--read-only-port=0\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kubelet' | tail -n1 | grep 'read-only-port'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--read-only-port' is equal to '0' OR '--read-only-port' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:50 k3s-123-cis-pool2-98604672-hr9p5 k3s[1592]: time="2022-09-13T13:26:50Z" level=info msg="Running kubelet --address=0.0.0.0 --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=k3s-123-cis-pool2-98604672-hr9p5 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --node-labels=rke.cattle.io/machine=00c4e7a0-5497-4367-a70c-0b836757eae8 --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key" Sep 13 13:26:44 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:44Z" level=info msg="Running kubelet --address=0.0.0.0 --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=k3s-123-cis-pool3-b403f678-bzdg5 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --node-labels=rke.cattle.io/machine=109d596c-89f5-4c10-8c7f-6b82a38edd8f --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"425-ensure-that-the---streaming-connection-idle-timeout-argument-is-not-set-to-0-manual",children:"4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"streamingConnectionIdleTimeout"})," to a\nvalue other than 0.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--streaming-connection-idle-timeout=5m\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kubelet' | tail -n1 | grep 'streaming-connection-idle-timeout'\n"})}),"\n",(0,s.jsx)(r.h3,{id:"426-ensure-that-the---protect-kernel-defaults-argument-is-set-to-true-automated",children:"4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"protectKernelDefaults"})," to ",(0,s.jsx)(r.code,{children:"true"}),".\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--protect-kernel-defaults=true\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.h3,{id:"427-ensure-that-the---make-iptables-util-chains-argument-is-set-to-true-automated",children:"4.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"makeIPTablesUtilChains"})," to ",(0,s.jsx)(r.code,{children:"true"}),".\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nremove the --make-iptables-util-chains argument from the\nKUBELET_SYSTEM_PODS_ARGS variable.\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.h3,{id:"428-ensure-that-the---hostname-override-argument-is-not-set-manual",children:"4.2.8 Ensure that the --hostname-override argument is not set (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\non each worker node and remove the --hostname-override argument from the\nKUBELET_SYSTEM_PODS_ARGS variable.\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.h3,{id:"429-ensure-that-the---event-qps-argument-is-set-to-0-or-a-level-which-ensures-appropriate-event-capture-manual",children:"4.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"eventRecordQPS"})," to an appropriate level.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/ps -fC containerd\n"})}),"\n",(0,s.jsx)(r.h3,{id:"4210-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-manual",children:"4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"tlsCertFile"})," to the location\nof the certificate file to use to identify this Kubelet, and ",(0,s.jsx)(r.code,{children:"tlsPrivateKeyFile"}),"\nto the location of the corresponding private key file.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameters in KUBELET_CERTIFICATE_ARGS variable."]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:"--tls-cert-file=<path/to/tls-certificate-file>\n--tls-private-key-file=<path/to/tls-key-file>\n"})}),"\n",(0,s.jsx)(r.p,{children:"Based on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--tls-cert-file' is present AND '--tls-private-key-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:50 k3s-123-cis-pool2-98604672-hr9p5 k3s[1592]: time="2022-09-13T13:26:50Z" level=info msg="Running kubelet --address=0.0.0.0 --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=k3s-123-cis-pool2-98604672-hr9p5 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --node-labels=rke.cattle.io/machine=00c4e7a0-5497-4367-a70c-0b836757eae8 --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key" Sep 13 13:26:44 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:44Z" level=info msg="Running kubelet --address=0.0.0.0 --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=k3s-123-cis-pool3-b403f678-bzdg5 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --node-labels=rke.cattle.io/machine=109d596c-89f5-4c10-8c7f-6b82a38edd8f --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"4211-ensure-that-the---rotate-certificates-argument-is-not-set-to-false-automated",children:"4.2.11 Ensure that the --rotate-certificates argument is not set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to add the line ",(0,s.jsx)(r.code,{children:"rotateCertificates"})," to ",(0,s.jsx)(r.code,{children:"true"})," or\nremove it altogether to use the default value.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nremove --rotate-certificates=false argument from the KUBELET_CERTIFICATE_ARGS\nvariable.\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.h3,{id:"4212-verify-that-the-rotatekubeletservercertificate-argument-is-set-to-true-manual",children:"4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\non each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.\n--feature-gates=RotateKubeletServerCertificate=true\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.h3,{id:"4213-ensure-that-the-kubelet-only-makes-use-of-strong-cryptographic-ciphers-manual",children:"4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"TLSCipherSuites"})," to\nTLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256\nor to a subset of these values.\nIf using executable arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the --tls-cipher-suites parameter as follows, or to a subset of these values.\n--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/ps -fC containerd\n"})}),"\n",(0,s.jsx)(r.h2,{id:"51-rbac-and-service-accounts",children:"5.1 RBAC and Service Accounts"}),"\n",(0,s.jsx)(r.h3,{id:"511-ensure-that-the-cluster-admin-role-is-only-used-where-required-manual",children:"5.1.1 Ensure that the cluster-admin role is only used where required (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIdentify all clusterrolebindings to the cluster-admin role. Check if they are used and\nif they need this role or if they could use a role with fewer privileges.\nWhere possible, first bind users to a lower privileged role and then remove the\nclusterrolebinding to the cluster-admin role :\nkubectl delete clusterrolebinding [name]"]}),"\n",(0,s.jsx)(r.h3,{id:"512-minimize-access-to-secrets-manual",children:"5.1.2 Minimize access to secrets (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove get, list and watch access to Secret objects in the cluster."]}),"\n",(0,s.jsx)(r.h3,{id:"513-minimize-wildcard-use-in-roles-and-clusterroles-manual",children:"5.1.3 Minimize wildcard use in Roles and ClusterRoles (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible replace any use of wildcards in clusterroles and roles with specific\nobjects or actions."]}),"\n",(0,s.jsx)(r.h3,{id:"514-minimize-access-to-create-pods-manual",children:"5.1.4 Minimize access to create pods (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove create access to pod objects in the cluster."]}),"\n",(0,s.jsx)(r.h3,{id:"515-ensure-that-default-service-accounts-are-not-actively-used-manual",children:"5.1.5 Ensure that default service accounts are not actively used. (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nCreate explicit service accounts wherever a Kubernetes workload requires specific access\nto the Kubernetes API server.\nModify the configuration of each default service account to include this value\nautomountServiceAccountToken: false"]}),"\n",(0,s.jsx)(r.h3,{id:"516-ensure-that-service-account-tokens-are-only-mounted-where-necessary-manual",children:"5.1.6 Ensure that Service Account Tokens are only mounted where necessary (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nModify the definition of pods and service accounts which do not need to mount service\naccount tokens to disable it."]}),"\n",(0,s.jsxs)(r.h3,{id:"517-avoid-use-of-system-group-manual",children:["5.1.7 Avoid use of system",":masters"," group (Manual)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRemove the system",":masters"," group from all users in the cluster."]}),"\n",(0,s.jsx)(r.h3,{id:"518-limit-use-of-the-bind-impersonate-and-escalate-permissions-in-the-kubernetes-cluster-manual",children:"5.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove the impersonate, bind and escalate rights from subjects."]}),"\n",(0,s.jsx)(r.h2,{id:"52-pod-security-standards",children:"5.2 Pod Security Standards"}),"\n",(0,s.jsx)(r.h3,{id:"521-ensure-that-the-cluster-has-at-least-one-active-policy-control-mechanism-in-place-manual",children:"5.2.1 Ensure that the cluster has at least one active policy control mechanism in place (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEnsure that either Pod Security Admission or an external policy control system is in place\nfor every namespace which contains user workloads."]}),"\n",(0,s.jsx)(r.h3,{id:"522-minimize-the-admission-of-privileged-containers-automated",children:"5.2.2 Minimize the admission of privileged containers (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of privileged containers."]}),"\n",(0,s.jsx)(r.h3,{id:"523-minimize-the-admission-of-containers-wishing-to-share-the-host-process-id-namespace-automated",children:"5.2.3 Minimize the admission of containers wishing to share the host process ID namespace (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of ",(0,s.jsx)(r.code,{children:"hostPID"})," containers."]}),"\n",(0,s.jsx)(r.h3,{id:"524-minimize-the-admission-of-containers-wishing-to-share-the-host-ipc-namespace-automated",children:"5.2.4 Minimize the admission of containers wishing to share the host IPC namespace (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of ",(0,s.jsx)(r.code,{children:"hostIPC"})," containers."]}),"\n",(0,s.jsx)(r.h3,{id:"525-minimize-the-admission-of-containers-wishing-to-share-the-host-network-namespace-automated",children:"5.2.5 Minimize the admission of containers wishing to share the host network namespace (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of ",(0,s.jsx)(r.code,{children:"hostNetwork"})," containers."]}),"\n",(0,s.jsx)(r.h3,{id:"526-minimize-the-admission-of-containers-with-allowprivilegeescalation-automated",children:"5.2.6 Minimize the admission of containers with allowPrivilegeEscalation (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers with ",(0,s.jsx)(r.code,{children:".spec.allowPrivilegeEscalation"})," set to ",(0,s.jsx)(r.code,{children:"true"}),"."]}),"\n",(0,s.jsx)(r.h3,{id:"527-minimize-the-admission-of-root-containers-automated",children:"5.2.7 Minimize the admission of root containers (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nCreate a policy for each namespace in the cluster, ensuring that either ",(0,s.jsx)(r.code,{children:"MustRunAsNonRoot"}),"\nor ",(0,s.jsx)(r.code,{children:"MustRunAs"})," with the range of UIDs not including 0, is set."]}),"\n",(0,s.jsx)(r.h3,{id:"528-minimize-the-admission-of-containers-with-the-net_raw-capability-automated",children:"5.2.8 Minimize the admission of containers with the NET_RAW capability (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers with the ",(0,s.jsx)(r.code,{children:"NET_RAW"})," capability."]}),"\n",(0,s.jsx)(r.h3,{id:"529-minimize-the-admission-of-containers-with-added-capabilities-automated",children:"5.2.9 Minimize the admission of containers with added capabilities (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEnsure that ",(0,s.jsx)(r.code,{children:"allowedCapabilities"})," is not present in policies for the cluster unless\nit is set to an empty array."]}),"\n",(0,s.jsx)(r.h3,{id:"5210-minimize-the-admission-of-containers-with-capabilities-assigned-manual",children:"5.2.10 Minimize the admission of containers with capabilities assigned (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nReview the use of capabilities in applications running on your cluster. Where a namespace\ncontains applications which do not require any Linux capabilities to operate consider adding\na PSP which forbids the admission of containers which do not drop all capabilities."]}),"\n",(0,s.jsx)(r.h3,{id:"5211-minimize-the-admission-of-windows-hostprocess-containers-manual",children:"5.2.11 Minimize the admission of Windows HostProcess containers (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers that have ",(0,s.jsx)(r.code,{children:".securityContext.windowsOptions.hostProcess"})," set to ",(0,s.jsx)(r.code,{children:"true"}),"."]}),"\n",(0,s.jsx)(r.h3,{id:"5212-minimize-the-admission-of-hostpath-volumes-manual",children:"5.2.12 Minimize the admission of HostPath volumes (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers with ",(0,s.jsx)(r.code,{children:"hostPath"})," volumes."]}),"\n",(0,s.jsx)(r.h3,{id:"5213-minimize-the-admission-of-containers-which-use-hostports-manual",children:"5.2.13 Minimize the admission of containers which use HostPorts (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers which use ",(0,s.jsx)(r.code,{children:"hostPort"})," sections."]}),"\n",(0,s.jsx)(r.h2,{id:"53-network-policies-and-cni",children:"5.3 Network Policies and CNI"}),"\n",(0,s.jsx)(r.h3,{id:"531-ensure-that-the-cni-in-use-supports-networkpolicies-manual",children:"5.3.1 Ensure that the CNI in use supports NetworkPolicies (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf the CNI plugin in use does not support network policies, consideration should be given to\nmaking use of a different plugin, or finding an alternate mechanism for restricting traffic\nin the Kubernetes cluster."]}),"\n",(0,s.jsx)(r.h3,{id:"532-ensure-that-all-namespaces-have-networkpolicies-defined-manual",children:"5.3.2 Ensure that all Namespaces have NetworkPolicies defined (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the documentation and create NetworkPolicy objects as you need them."]}),"\n",(0,s.jsx)(r.h2,{id:"54-secrets-management",children:"5.4 Secrets Management"}),"\n",(0,s.jsx)(r.h3,{id:"541-prefer-using-secrets-as-files-over-secrets-as-environment-variables-manual",children:"5.4.1 Prefer using Secrets as files over Secrets as environment variables (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf possible, rewrite application code to read Secrets from mounted secret files, rather than\nfrom environment variables."]}),"\n",(0,s.jsx)(r.h3,{id:"542-consider-external-secret-storage-manual",children:"5.4.2 Consider external secret storage (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRefer to the Secrets management options offered by your cloud provider or a third-party\nsecrets management solution."]}),"\n",(0,s.jsx)(r.h2,{id:"55-extensible-admission-control",children:"5.5 Extensible Admission Control"}),"\n",(0,s.jsx)(r.h3,{id:"551-configure-image-provenance-using-imagepolicywebhook-admission-controller-manual",children:"5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and setup image provenance."]}),"\n",(0,s.jsx)(r.h2,{id:"57-general-policies",children:"5.7 General Policies"}),"\n",(0,s.jsx)(r.h3,{id:"571-create-administrative-boundaries-between-resources-using-namespaces-manual",children:"5.7.1 Create administrative boundaries between resources using namespaces (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the documentation and create namespaces for objects in your deployment as you need\nthem."]}),"\n",(0,s.jsx)(r.h3,{id:"572-ensure-that-the-seccomp-profile-is-set-to-dockerdefault-in-your-pod-definitions-manual",children:"5.7.2 Ensure that the seccomp profile is set to docker/default in your Pod definitions (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nUse ",(0,s.jsx)(r.code,{children:"securityContext"})," to enable the docker/default seccomp profile in your pod definitions.\nAn example is as below:\nsecurityContext:\nseccompProfile:\ntype: RuntimeDefault"]}),"\n",(0,s.jsx)(r.h3,{id:"573-apply-securitycontext-to-your-pods-and-containers-manual",children:"5.7.3 Apply SecurityContext to your Pods and Containers (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and apply SecurityContexts to your Pods. For a\nsuggested list of SecurityContexts, you may refer to the CIS Security Benchmark for Docker\nContainers."]}),"\n",(0,s.jsx)(r.h3,{id:"574-the-default-namespace-should-not-be-used-manual",children:"5.7.4 The default namespace should not be used (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEnsure that namespaces are created to allow for appropriate segregation of Kubernetes\nresources and that all new resources are created in a specific namespace."]})]})}function h(e={}){const{wrapper:r}={...(0,n.a)(),...e.components};return r?(0,s.jsx)(r,{...e,children:(0,s.jsx)(d,{...e})}):d(e)}},1151:(e,r,t)=>{t.d(r,{Z:()=>c,a:()=>i});var s=t(7294);const n={},a=s.createContext(n);function i(e){const r=s.useContext(a);return s.useMemo((function(){return"function"==typeof e?e(r):{...r,...e}}),[r,e])}function c(e){let r;return r=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:i(e.components),s.createElement(a.Provider,{value:r},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/a09c2993.17f49ec2.js b/assets/js/a09c2993.17f49ec2.js new file mode 100644 index 000000000..4c48fb332 --- /dev/null +++ b/assets/js/a09c2993.17f49ec2.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[4128],{8152:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>a,contentTitle:()=>l,default:()=>h,frontMatter:()=>r,metadata:()=>o,toc:()=>c});var i=t(5893),s=t(1151);const r={slug:"/",title:"K3s - Lightweight Kubernetes"},l="What is K3s?",o={id:"introduction",title:"K3s - Lightweight Kubernetes",description:"Lightweight Kubernetes. Easy to install, half the memory, all in a binary of less than 100 MB.",source:"@site/docs/introduction.md",sourceDirName:".",slug:"/",permalink:"/",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/introduction.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{slug:"/",title:"K3s - Lightweight Kubernetes"},sidebar:"mySidebar",next:{title:"Quick-Start Guide",permalink:"/quick-start"}},a={},c=[];function d(e){const n={h1:"h1",header:"header",li:"li",p:"p",ul:"ul",...(0,s.a)(),...e.components};return(0,i.jsxs)(i.Fragment,{children:[(0,i.jsx)(n.p,{children:"Lightweight Kubernetes. Easy to install, half the memory, all in a binary of less than 100 MB."}),"\n",(0,i.jsx)(n.p,{children:"Great for:"}),"\n",(0,i.jsxs)(n.ul,{children:["\n",(0,i.jsx)(n.li,{children:"Edge"}),"\n",(0,i.jsx)(n.li,{children:"Homelab"}),"\n",(0,i.jsx)(n.li,{children:"Internet of Things (IoT)"}),"\n",(0,i.jsx)(n.li,{children:"Continuous Integration (CI)"}),"\n",(0,i.jsx)(n.li,{children:"Development"}),"\n",(0,i.jsx)(n.li,{children:"Single board computers (ARM)"}),"\n",(0,i.jsx)(n.li,{children:"Air-gapped environments"}),"\n",(0,i.jsx)(n.li,{children:"Embedded K8s"}),"\n",(0,i.jsx)(n.li,{children:"Situations where a PhD in K8s clusterology is infeasible"}),"\n"]}),"\n",(0,i.jsx)(n.header,{children:(0,i.jsx)(n.h1,{id:"what-is-k3s",children:"What is K3s?"})}),"\n",(0,i.jsx)(n.p,{children:"K3s is a fully compliant Kubernetes distribution with the following enhancements:"}),"\n",(0,i.jsxs)(n.ul,{children:["\n",(0,i.jsx)(n.li,{children:"Distributed as a single binary or minimal container image."}),"\n",(0,i.jsx)(n.li,{children:"Lightweight datastore based on sqlite3 as the default storage backend. etcd3, MySQL, and Postgres are also available."}),"\n",(0,i.jsx)(n.li,{children:"Wrapped in simple launcher that handles a lot of the complexity of TLS and options."}),"\n",(0,i.jsx)(n.li,{children:"Secure by default with reasonable defaults for lightweight environments."}),"\n",(0,i.jsx)(n.li,{children:"Operation of all Kubernetes control plane components is encapsulated in a single binary and process, allowing K3s to automate and manage complex cluster operations like distributing certificates."}),"\n",(0,i.jsx)(n.li,{children:"External dependencies have been minimized; the only requirements are a modern kernel and cgroup mounts."}),"\n",(0,i.jsxs)(n.li,{children:['Packages the required dependencies for easy "batteries-included" cluster creation:',"\n",(0,i.jsxs)(n.ul,{children:["\n",(0,i.jsx)(n.li,{children:"containerd / cri-dockerd container runtime (CRI)"}),"\n",(0,i.jsx)(n.li,{children:"Flannel Container Network Interface (CNI)"}),"\n",(0,i.jsx)(n.li,{children:"CoreDNS Cluster DNS"}),"\n",(0,i.jsx)(n.li,{children:"Traefik Ingress controller"}),"\n",(0,i.jsx)(n.li,{children:"ServiceLB Load-Balancer controller"}),"\n",(0,i.jsx)(n.li,{children:"Kube-router Network Policy controller"}),"\n",(0,i.jsx)(n.li,{children:"Local-path-provisioner Persistent Volume controller"}),"\n",(0,i.jsx)(n.li,{children:"Spegel distributed container image registry mirror"}),"\n",(0,i.jsx)(n.li,{children:"Host utilities (iptables, socat, etc)"}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,i.jsx)(n.h1,{id:"whats-with-the-name",children:"What's with the name?"}),"\n",(0,i.jsx)(n.p,{children:"We wanted an installation of Kubernetes that was half the size in terms of memory footprint. Kubernetes is a 10-letter word stylized as K8s. So something half as big as Kubernetes would be a 5-letter word stylized as K3s. There is no long form of K3s and no official pronunciation."})]})}function h(e={}){const{wrapper:n}={...(0,s.a)(),...e.components};return n?(0,i.jsx)(n,{...e,children:(0,i.jsx)(d,{...e})}):d(e)}},1151:(e,n,t)=>{t.d(n,{Z:()=>o,a:()=>l});var i=t(7294);const s={},r=i.createContext(s);function l(e){const n=i.useContext(r);return i.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function o(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(s):e.components||s:l(e.components),i.createElement(r.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/a09c2993.d15c3147.js b/assets/js/a09c2993.d15c3147.js deleted file mode 100644 index 45bc35f4d..000000000 --- a/assets/js/a09c2993.d15c3147.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[4128],{8152:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>a,contentTitle:()=>l,default:()=>h,frontMatter:()=>r,metadata:()=>o,toc:()=>c});var i=t(5893),s=t(1151);const r={slug:"/",title:"K3s - Lightweight Kubernetes"},l="What is K3s?",o={id:"introduction",title:"K3s - Lightweight Kubernetes",description:"Lightweight Kubernetes. Easy to install, half the memory, all in a binary of less than 100 MB.",source:"@site/docs/introduction.md",sourceDirName:".",slug:"/",permalink:"/",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/introduction.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{slug:"/",title:"K3s - Lightweight Kubernetes"},sidebar:"mySidebar",next:{title:"Quick-Start Guide",permalink:"/quick-start"}},a={},c=[];function d(e){const n={h1:"h1",li:"li",p:"p",ul:"ul",...(0,s.a)(),...e.components};return(0,i.jsxs)(i.Fragment,{children:[(0,i.jsx)(n.p,{children:"Lightweight Kubernetes. Easy to install, half the memory, all in a binary of less than 100 MB."}),"\n",(0,i.jsx)(n.p,{children:"Great for:"}),"\n",(0,i.jsxs)(n.ul,{children:["\n",(0,i.jsx)(n.li,{children:"Edge"}),"\n",(0,i.jsx)(n.li,{children:"Homelab"}),"\n",(0,i.jsx)(n.li,{children:"Internet of Things (IoT)"}),"\n",(0,i.jsx)(n.li,{children:"Continuous Integration (CI)"}),"\n",(0,i.jsx)(n.li,{children:"Development"}),"\n",(0,i.jsx)(n.li,{children:"Single board computers (ARM)"}),"\n",(0,i.jsx)(n.li,{children:"Air-gapped environments"}),"\n",(0,i.jsx)(n.li,{children:"Embedded K8s"}),"\n",(0,i.jsx)(n.li,{children:"Situations where a PhD in K8s clusterology is infeasible"}),"\n"]}),"\n",(0,i.jsx)(n.h1,{id:"what-is-k3s",children:"What is K3s?"}),"\n",(0,i.jsx)(n.p,{children:"K3s is a fully compliant Kubernetes distribution with the following enhancements:"}),"\n",(0,i.jsxs)(n.ul,{children:["\n",(0,i.jsx)(n.li,{children:"Distributed as a single binary or minimal container image."}),"\n",(0,i.jsx)(n.li,{children:"Lightweight datastore based on sqlite3 as the default storage backend. etcd3, MySQL, and Postgres are also available."}),"\n",(0,i.jsx)(n.li,{children:"Wrapped in simple launcher that handles a lot of the complexity of TLS and options."}),"\n",(0,i.jsx)(n.li,{children:"Secure by default with reasonable defaults for lightweight environments."}),"\n",(0,i.jsx)(n.li,{children:"Operation of all Kubernetes control plane components is encapsulated in a single binary and process, allowing K3s to automate and manage complex cluster operations like distributing certificates."}),"\n",(0,i.jsx)(n.li,{children:"External dependencies have been minimized; the only requirements are a modern kernel and cgroup mounts."}),"\n",(0,i.jsxs)(n.li,{children:['Packages the required dependencies for easy "batteries-included" cluster creation:',"\n",(0,i.jsxs)(n.ul,{children:["\n",(0,i.jsx)(n.li,{children:"containerd / cri-dockerd container runtime (CRI)"}),"\n",(0,i.jsx)(n.li,{children:"Flannel Container Network Interface (CNI)"}),"\n",(0,i.jsx)(n.li,{children:"CoreDNS Cluster DNS"}),"\n",(0,i.jsx)(n.li,{children:"Traefik Ingress controller"}),"\n",(0,i.jsx)(n.li,{children:"ServiceLB Load-Balancer controller"}),"\n",(0,i.jsx)(n.li,{children:"Kube-router Network Policy controller"}),"\n",(0,i.jsx)(n.li,{children:"Local-path-provisioner Persistent Volume controller"}),"\n",(0,i.jsx)(n.li,{children:"Spegel distributed container image registry mirror"}),"\n",(0,i.jsx)(n.li,{children:"Host utilities (iptables, socat, etc)"}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,i.jsx)(n.h1,{id:"whats-with-the-name",children:"What's with the name?"}),"\n",(0,i.jsx)(n.p,{children:"We wanted an installation of Kubernetes that was half the size in terms of memory footprint. Kubernetes is a 10-letter word stylized as K8s. So something half as big as Kubernetes would be a 5-letter word stylized as K3s. There is no long form of K3s and no official pronunciation."})]})}function h(e={}){const{wrapper:n}={...(0,s.a)(),...e.components};return n?(0,i.jsx)(n,{...e,children:(0,i.jsx)(d,{...e})}):d(e)}},1151:(e,n,t)=>{t.d(n,{Z:()=>o,a:()=>l});var i=t(7294);const s={},r=i.createContext(s);function l(e){const n=i.useContext(r);return i.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function o(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(s):e.components||s:l(e.components),i.createElement(r.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/a7bd4aaa.d2fc12fe.js b/assets/js/a7bd4aaa.d2fc12fe.js new file mode 100644 index 000000000..f05c6aff2 --- /dev/null +++ b/assets/js/a7bd4aaa.d2fc12fe.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[8518],{4974:(n,s,e)=>{e.r(s),e.d(s,{default:()=>l});e(7294);var r=e(1944);function o(n,s){return`docs-${n}-${s}`}var t=e(3797),c=e(8790),i=e(197),u=e(5893);function a(n){const{version:s}=n;return(0,u.jsxs)(u.Fragment,{children:[(0,u.jsx)(i.Z,{version:s.version,tag:o(s.pluginId,s.version)}),(0,u.jsx)(r.d,{children:s.noIndex&&(0,u.jsx)("meta",{name:"robots",content:"noindex, nofollow"})})]})}function d(n){const{version:s,route:e}=n;return(0,u.jsx)(r.FG,{className:s.className,children:(0,u.jsx)(t.q,{version:s,children:(0,c.H)(e.routes)})})}function l(n){return(0,u.jsxs)(u.Fragment,{children:[(0,u.jsx)(a,{...n}),(0,u.jsx)(d,{...n})]})}}}]); \ No newline at end of file diff --git a/assets/js/a7bd4aaa.f175b6d3.js b/assets/js/a7bd4aaa.f175b6d3.js deleted file mode 100644 index 3717fcd8d..000000000 --- a/assets/js/a7bd4aaa.f175b6d3.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[8518],{8564:(n,s,e)=>{e.r(s),e.d(s,{default:()=>l});e(7294);var r=e(1944),o=e(3320),t=e(4477),c=e(8790),i=e(197),u=e(5893);function a(n){const{version:s}=n;return(0,u.jsxs)(u.Fragment,{children:[(0,u.jsx)(i.Z,{version:s.version,tag:(0,o.os)(s.pluginId,s.version)}),(0,u.jsx)(r.d,{children:s.noIndex&&(0,u.jsx)("meta",{name:"robots",content:"noindex, nofollow"})})]})}function d(n){const{version:s,route:e}=n;return(0,u.jsx)(r.FG,{className:s.className,children:(0,u.jsx)(t.q,{version:s,children:(0,c.H)(e.routes)})})}function l(n){return(0,u.jsxs)(u.Fragment,{children:[(0,u.jsx)(a,{...n}),(0,u.jsx)(d,{...n})]})}}}]); \ No newline at end of file diff --git a/kr/assets/js/a94703ab.1e5da719.js b/assets/js/a94703ab.c2f69992.js similarity index 98% rename from kr/assets/js/a94703ab.1e5da719.js rename to assets/js/a94703ab.c2f69992.js index a49e954da..6268237ca 100644 --- a/kr/assets/js/a94703ab.1e5da719.js +++ b/assets/js/a94703ab.c2f69992.js @@ -1 +1 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[4368],{2674:(e,t,n)=>{n.r(t),n.d(t,{default:()=>be});var a=n(7294),o=n(512),i=n(1944),s=n(5281),l=n(3438),r=n(1116),c=n(5999),d=n(2466),u=n(5936);const m={backToTopButton:"backToTopButton_sjWU",backToTopButtonShow:"backToTopButtonShow_xfvO"};var b=n(5893);function h(){const{shown:e,scrollToTop:t}=function(e){let{threshold:t}=e;const[n,o]=(0,a.useState)(!1),i=(0,a.useRef)(!1),{startScroll:s,cancelScroll:l}=(0,d.Ct)();return(0,d.RF)(((e,n)=>{let{scrollY:a}=e;const s=n?.scrollY;s&&(i.current?i.current=!1:a>=s?(l(),o(!1)):a<t?o(!1):a+window.innerHeight<document.documentElement.scrollHeight&&o(!0))})),(0,u.S)((e=>{e.location.hash&&(i.current=!0,o(!1))})),{shown:n,scrollToTop:()=>s(0)}}({threshold:300});return(0,b.jsx)("button",{"aria-label":(0,c.I)({id:"theme.BackToTopButton.buttonAriaLabel",message:"Scroll back to top",description:"The ARIA label for the back to top button"}),className:(0,o.Z)("clean-btn",s.k.common.backToTopButton,m.backToTopButton,e&&m.backToTopButtonShow),type:"button",onClick:t})}var p=n(1442),x=n(6550),f=n(7524),j=n(6668),k=n(1327);function _(e){return(0,b.jsx)("svg",{width:"20",height:"20","aria-hidden":"true",...e,children:(0,b.jsxs)("g",{fill:"#7a7a7a",children:[(0,b.jsx)("path",{d:"M9.992 10.023c0 .2-.062.399-.172.547l-4.996 7.492a.982.982 0 01-.828.454H1c-.55 0-1-.453-1-1 0-.2.059-.403.168-.551l4.629-6.942L.168 3.078A.939.939 0 010 2.528c0-.548.45-.997 1-.997h2.996c.352 0 .649.18.828.45L9.82 9.472c.11.148.172.347.172.55zm0 0"}),(0,b.jsx)("path",{d:"M19.98 10.023c0 .2-.058.399-.168.547l-4.996 7.492a.987.987 0 01-.828.454h-3c-.547 0-.996-.453-.996-1 0-.2.059-.403.168-.551l4.625-6.942-4.625-6.945a.939.939 0 01-.168-.55 1 1 0 01.996-.997h3c.348 0 .649.18.828.45l4.996 7.492c.11.148.168.347.168.55zm0 0"})]})})}const v={collapseSidebarButton:"collapseSidebarButton_PEFL",collapseSidebarButtonIcon:"collapseSidebarButtonIcon_kv0_"};function g(e){let{onClick:t}=e;return(0,b.jsx)("button",{type:"button",title:(0,c.I)({id:"theme.docs.sidebar.collapseButtonTitle",message:"Collapse sidebar",description:"The title attribute for collapse button of doc sidebar"}),"aria-label":(0,c.I)({id:"theme.docs.sidebar.collapseButtonAriaLabel",message:"Collapse sidebar",description:"The title attribute for collapse button of doc sidebar"}),className:(0,o.Z)("button button--secondary button--outline",v.collapseSidebarButton),onClick:t,children:(0,b.jsx)(_,{className:v.collapseSidebarButtonIcon})})}var C=n(9689),S=n(902);const I=Symbol("EmptyContext"),N=a.createContext(I);function T(e){let{children:t}=e;const[n,o]=(0,a.useState)(null),i=(0,a.useMemo)((()=>({expandedItem:n,setExpandedItem:o})),[n]);return(0,b.jsx)(N.Provider,{value:i,children:t})}var B=n(6043),Z=n(8596),A=n(3692),L=n(2389);function y(e){let{collapsed:t,categoryLabel:n,onClick:a}=e;return(0,b.jsx)("button",{"aria-label":t?(0,c.I)({id:"theme.DocSidebarItem.expandCategoryAriaLabel",message:"Expand sidebar category '{label}'",description:"The ARIA label to expand the sidebar category"},{label:n}):(0,c.I)({id:"theme.DocSidebarItem.collapseCategoryAriaLabel",message:"Collapse sidebar category '{label}'",description:"The ARIA label to collapse the sidebar category"},{label:n}),"aria-expanded":!t,type:"button",className:"clean-btn menu__caret",onClick:a})}function w(e){let{item:t,onItemClick:n,activePath:i,level:r,index:c,...d}=e;const{items:u,label:m,collapsible:h,className:p,href:x}=t,{docs:{sidebar:{autoCollapseCategories:f}}}=(0,j.L)(),k=function(e){const t=(0,L.Z)();return(0,a.useMemo)((()=>e.href&&!e.linkUnlisted?e.href:!t&&e.collapsible?(0,l.LM)(e):void 0),[e,t])}(t),_=(0,l._F)(t,i),v=(0,Z.Mg)(x,i),{collapsed:g,setCollapsed:C}=(0,B.u)({initialState:()=>!!h&&(!_&&t.collapsed)}),{expandedItem:T,setExpandedItem:w}=function(){const e=(0,a.useContext)(N);if(e===I)throw new S.i6("DocSidebarItemsExpandedStateProvider");return e}(),E=function(e){void 0===e&&(e=!g),w(e?null:c),C(e)};return function(e){let{isActive:t,collapsed:n,updateCollapsed:o}=e;const i=(0,S.D9)(t);(0,a.useEffect)((()=>{t&&!i&&n&&o(!1)}),[t,i,n,o])}({isActive:_,collapsed:g,updateCollapsed:E}),(0,a.useEffect)((()=>{h&&null!=T&&T!==c&&f&&C(!0)}),[h,T,c,C,f]),(0,b.jsxs)("li",{className:(0,o.Z)(s.k.docs.docSidebarItemCategory,s.k.docs.docSidebarItemCategoryLevel(r),"menu__list-item",{"menu__list-item--collapsed":g},p),children:[(0,b.jsxs)("div",{className:(0,o.Z)("menu__list-item-collapsible",{"menu__list-item-collapsible--active":v}),children:[(0,b.jsx)(A.Z,{className:(0,o.Z)("menu__link",{"menu__link--sublist":h,"menu__link--sublist-caret":!x&&h,"menu__link--active":_}),onClick:h?e=>{n?.(t),x?E(!1):(e.preventDefault(),E())}:()=>{n?.(t)},"aria-current":v?"page":void 0,role:h&&!x?"button":void 0,"aria-expanded":h&&!x?!g:void 0,href:h?k??"#":k,...d,children:m}),x&&h&&(0,b.jsx)(y,{collapsed:g,categoryLabel:m,onClick:e=>{e.preventDefault(),E()}})]}),(0,b.jsx)(B.z,{lazy:!0,as:"ul",className:"menu__list",collapsed:g,children:(0,b.jsx)(V,{items:u,tabIndex:g?-1:0,onItemClick:n,activePath:i,level:r+1})})]})}var E=n(3919),H=n(9471);const M={menuExternalLink:"menuExternalLink_NmtK"};function R(e){let{item:t,onItemClick:n,activePath:a,level:i,index:r,...c}=e;const{href:d,label:u,className:m,autoAddBaseUrl:h}=t,p=(0,l._F)(t,a),x=(0,E.Z)(d);return(0,b.jsx)("li",{className:(0,o.Z)(s.k.docs.docSidebarItemLink,s.k.docs.docSidebarItemLinkLevel(i),"menu__list-item",m),children:(0,b.jsxs)(A.Z,{className:(0,o.Z)("menu__link",!x&&M.menuExternalLink,{"menu__link--active":p}),autoAddBaseUrl:h,"aria-current":p?"page":void 0,to:d,...x&&{onClick:n?()=>n(t):void 0},...c,children:[u,!x&&(0,b.jsx)(H.Z,{})]})},u)}const W={menuHtmlItem:"menuHtmlItem_M9Kj"};function F(e){let{item:t,level:n,index:a}=e;const{value:i,defaultStyle:l,className:r}=t;return(0,b.jsx)("li",{className:(0,o.Z)(s.k.docs.docSidebarItemLink,s.k.docs.docSidebarItemLinkLevel(n),l&&[W.menuHtmlItem,"menu__list-item"],r),dangerouslySetInnerHTML:{__html:i}},a)}function P(e){let{item:t,...n}=e;switch(t.type){case"category":return(0,b.jsx)(w,{item:t,...n});case"html":return(0,b.jsx)(F,{item:t,...n});default:return(0,b.jsx)(R,{item:t,...n})}}function D(e){let{items:t,...n}=e;const a=(0,l.f)(t,n.activePath);return(0,b.jsx)(T,{children:a.map(((e,t)=>(0,b.jsx)(P,{item:e,index:t,...n},t)))})}const V=(0,a.memo)(D),U={menu:"menu_SIkG",menuWithAnnouncementBar:"menuWithAnnouncementBar_GW3s"};function K(e){let{path:t,sidebar:n,className:i}=e;const l=function(){const{isActive:e}=(0,C.n)(),[t,n]=(0,a.useState)(e);return(0,d.RF)((t=>{let{scrollY:a}=t;e&&n(0===a)}),[e]),e&&t}();return(0,b.jsx)("nav",{"aria-label":(0,c.I)({id:"theme.docs.sidebar.navAriaLabel",message:"Docs sidebar",description:"The ARIA label for the sidebar navigation"}),className:(0,o.Z)("menu thin-scrollbar",U.menu,l&&U.menuWithAnnouncementBar,i),children:(0,b.jsx)("ul",{className:(0,o.Z)(s.k.docs.docSidebarMenu,"menu__list"),children:(0,b.jsx)(V,{items:n,activePath:t,level:1})})})}const Y="sidebar_njMd",z="sidebarWithHideableNavbar_wUlq",G="sidebarHidden_VK0M",O="sidebarLogo_isFc";function q(e){let{path:t,sidebar:n,onCollapse:a,isHidden:i}=e;const{navbar:{hideOnScroll:s},docs:{sidebar:{hideable:l}}}=(0,j.L)();return(0,b.jsxs)("div",{className:(0,o.Z)(Y,s&&z,i&&G),children:[s&&(0,b.jsx)(k.Z,{tabIndex:-1,className:O}),(0,b.jsx)(K,{path:t,sidebar:n}),l&&(0,b.jsx)(g,{onClick:a})]})}const J=a.memo(q);var Q=n(3102),X=n(3163);const $=e=>{let{sidebar:t,path:n}=e;const a=(0,X.e)();return(0,b.jsx)("ul",{className:(0,o.Z)(s.k.docs.docSidebarMenu,"menu__list"),children:(0,b.jsx)(V,{items:t,activePath:n,onItemClick:e=>{"category"===e.type&&e.href&&a.toggle(),"link"===e.type&&a.toggle()},level:1})})};function ee(e){return(0,b.jsx)(Q.Zo,{component:$,props:e})}const te=a.memo(ee);function ne(e){const t=(0,f.i)(),n="desktop"===t||"ssr"===t,a="mobile"===t;return(0,b.jsxs)(b.Fragment,{children:[n&&(0,b.jsx)(J,{...e}),a&&(0,b.jsx)(te,{...e})]})}const ae={expandButton:"expandButton_TmdG",expandButtonIcon:"expandButtonIcon_i1dp"};function oe(e){let{toggleSidebar:t}=e;return(0,b.jsx)("div",{className:ae.expandButton,title:(0,c.I)({id:"theme.docs.sidebar.expandButtonTitle",message:"Expand sidebar",description:"The ARIA label and title attribute for expand button of doc sidebar"}),"aria-label":(0,c.I)({id:"theme.docs.sidebar.expandButtonAriaLabel",message:"Expand sidebar",description:"The ARIA label and title attribute for expand button of doc sidebar"}),tabIndex:0,role:"button",onKeyDown:t,onClick:t,children:(0,b.jsx)(_,{className:ae.expandButtonIcon})})}const ie={docSidebarContainer:"docSidebarContainer_YfHR",docSidebarContainerHidden:"docSidebarContainerHidden_DPk8",sidebarViewport:"sidebarViewport_aRkj"};function se(e){let{children:t}=e;const n=(0,r.V)();return(0,b.jsx)(a.Fragment,{children:t},n?.name??"noSidebar")}function le(e){let{sidebar:t,hiddenSidebarContainer:n,setHiddenSidebarContainer:i}=e;const{pathname:l}=(0,x.TH)(),[r,c]=(0,a.useState)(!1),d=(0,a.useCallback)((()=>{r&&c(!1),!r&&(0,p.n)()&&c(!0),i((e=>!e))}),[i,r]);return(0,b.jsx)("aside",{className:(0,o.Z)(s.k.docs.docSidebarContainer,ie.docSidebarContainer,n&&ie.docSidebarContainerHidden),onTransitionEnd:e=>{e.currentTarget.classList.contains(ie.docSidebarContainer)&&n&&c(!0)},children:(0,b.jsx)(se,{children:(0,b.jsxs)("div",{className:(0,o.Z)(ie.sidebarViewport,r&&ie.sidebarViewportHidden),children:[(0,b.jsx)(ne,{sidebar:t,path:l,onCollapse:d,isHidden:r}),r&&(0,b.jsx)(oe,{toggleSidebar:d})]})})})}const re={docMainContainer:"docMainContainer_TBSr",docMainContainerEnhanced:"docMainContainerEnhanced_lQrH",docItemWrapperEnhanced:"docItemWrapperEnhanced_JWYK"};function ce(e){let{hiddenSidebarContainer:t,children:n}=e;const a=(0,r.V)();return(0,b.jsx)("main",{className:(0,o.Z)(re.docMainContainer,(t||!a)&&re.docMainContainerEnhanced),children:(0,b.jsx)("div",{className:(0,o.Z)("container padding-top--md padding-bottom--lg",re.docItemWrapper,t&&re.docItemWrapperEnhanced),children:n})})}const de={docRoot:"docRoot_UBD9",docsWrapper:"docsWrapper_hBAB"};function ue(e){let{children:t}=e;const n=(0,r.V)(),[o,i]=(0,a.useState)(!1);return(0,b.jsxs)("div",{className:de.docsWrapper,children:[(0,b.jsx)(h,{}),(0,b.jsxs)("div",{className:de.docRoot,children:[n&&(0,b.jsx)(le,{sidebar:n.items,hiddenSidebarContainer:o,setHiddenSidebarContainer:i}),(0,b.jsx)(ce,{hiddenSidebarContainer:o,children:t})]})]})}var me=n(5658);function be(e){const t=(0,l.SN)(e);if(!t)return(0,b.jsx)(me.Z,{});const{docElement:n,sidebarName:a,sidebarItems:c}=t;return(0,b.jsx)(i.FG,{className:(0,o.Z)(s.k.page.docsDocPage),children:(0,b.jsx)(r.b,{name:a,items:c,children:(0,b.jsx)(ue,{children:n})})})}},5658:(e,t,n)=>{n.d(t,{Z:()=>l});n(7294);var a=n(512),o=n(5999),i=n(2503),s=n(5893);function l(e){let{className:t}=e;return(0,s.jsx)("main",{className:(0,a.Z)("container margin-vert--xl",t),children:(0,s.jsx)("div",{className:"row",children:(0,s.jsxs)("div",{className:"col col--6 col--offset-3",children:[(0,s.jsx)(i.Z,{as:"h1",className:"hero__title",children:(0,s.jsx)(o.Z,{id:"theme.NotFound.title",description:"The title of the 404 page",children:"Page Not Found"})}),(0,s.jsx)("p",{children:(0,s.jsx)(o.Z,{id:"theme.NotFound.p1",description:"The first paragraph of the 404 page",children:"We could not find what you were looking for."})}),(0,s.jsx)("p",{children:(0,s.jsx)(o.Z,{id:"theme.NotFound.p2",description:"The 2nd paragraph of the 404 page",children:"Please contact the owner of the site that linked you to the original URL and let them know their link is broken."})})]})})})}}}]); \ No newline at end of file +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[4368],{4547:(e,t,n)=>{n.r(t),n.d(t,{default:()=>be});var a=n(7294),o=n(512),i=n(1944),s=n(5281),l=n(9690),r=n(4731),c=n(5999),d=n(2466),u=n(5936);const m={backToTopButton:"backToTopButton_sjWU",backToTopButtonShow:"backToTopButtonShow_xfvO"};var b=n(5893);function h(){const{shown:e,scrollToTop:t}=function(e){let{threshold:t}=e;const[n,o]=(0,a.useState)(!1),i=(0,a.useRef)(!1),{startScroll:s,cancelScroll:l}=(0,d.Ct)();return(0,d.RF)(((e,n)=>{let{scrollY:a}=e;const s=n?.scrollY;s&&(i.current?i.current=!1:a>=s?(l(),o(!1)):a<t?o(!1):a+window.innerHeight<document.documentElement.scrollHeight&&o(!0))})),(0,u.S)((e=>{e.location.hash&&(i.current=!0,o(!1))})),{shown:n,scrollToTop:()=>s(0)}}({threshold:300});return(0,b.jsx)("button",{"aria-label":(0,c.I)({id:"theme.BackToTopButton.buttonAriaLabel",message:"Scroll back to top",description:"The ARIA label for the back to top button"}),className:(0,o.Z)("clean-btn",s.k.common.backToTopButton,m.backToTopButton,e&&m.backToTopButtonShow),type:"button",onClick:t})}var p=n(1442),x=n(6550),f=n(7524),j=n(6668),k=n(1327);function _(e){return(0,b.jsx)("svg",{width:"20",height:"20","aria-hidden":"true",...e,children:(0,b.jsxs)("g",{fill:"#7a7a7a",children:[(0,b.jsx)("path",{d:"M9.992 10.023c0 .2-.062.399-.172.547l-4.996 7.492a.982.982 0 01-.828.454H1c-.55 0-1-.453-1-1 0-.2.059-.403.168-.551l4.629-6.942L.168 3.078A.939.939 0 010 2.528c0-.548.45-.997 1-.997h2.996c.352 0 .649.18.828.45L9.82 9.472c.11.148.172.347.172.55zm0 0"}),(0,b.jsx)("path",{d:"M19.98 10.023c0 .2-.058.399-.168.547l-4.996 7.492a.987.987 0 01-.828.454h-3c-.547 0-.996-.453-.996-1 0-.2.059-.403.168-.551l4.625-6.942-4.625-6.945a.939.939 0 01-.168-.55 1 1 0 01.996-.997h3c.348 0 .649.18.828.45l4.996 7.492c.11.148.168.347.168.55zm0 0"})]})})}const v={collapseSidebarButton:"collapseSidebarButton_PEFL",collapseSidebarButtonIcon:"collapseSidebarButtonIcon_kv0_"};function g(e){let{onClick:t}=e;return(0,b.jsx)("button",{type:"button",title:(0,c.I)({id:"theme.docs.sidebar.collapseButtonTitle",message:"Collapse sidebar",description:"The title attribute for collapse button of doc sidebar"}),"aria-label":(0,c.I)({id:"theme.docs.sidebar.collapseButtonAriaLabel",message:"Collapse sidebar",description:"The title attribute for collapse button of doc sidebar"}),className:(0,o.Z)("button button--secondary button--outline",v.collapseSidebarButton),onClick:t,children:(0,b.jsx)(_,{className:v.collapseSidebarButtonIcon})})}var C=n(9689),S=n(902);const I=Symbol("EmptyContext"),N=a.createContext(I);function T(e){let{children:t}=e;const[n,o]=(0,a.useState)(null),i=(0,a.useMemo)((()=>({expandedItem:n,setExpandedItem:o})),[n]);return(0,b.jsx)(N.Provider,{value:i,children:t})}var B=n(6043),Z=n(8596),A=n(3692),L=n(2389);function y(e){let{collapsed:t,categoryLabel:n,onClick:a}=e;return(0,b.jsx)("button",{"aria-label":t?(0,c.I)({id:"theme.DocSidebarItem.expandCategoryAriaLabel",message:"Expand sidebar category '{label}'",description:"The ARIA label to expand the sidebar category"},{label:n}):(0,c.I)({id:"theme.DocSidebarItem.collapseCategoryAriaLabel",message:"Collapse sidebar category '{label}'",description:"The ARIA label to collapse the sidebar category"},{label:n}),"aria-expanded":!t,type:"button",className:"clean-btn menu__caret",onClick:a})}function w(e){let{item:t,onItemClick:n,activePath:i,level:r,index:c,...d}=e;const{items:u,label:m,collapsible:h,className:p,href:x}=t,{docs:{sidebar:{autoCollapseCategories:f}}}=(0,j.L)(),k=function(e){const t=(0,L.Z)();return(0,a.useMemo)((()=>e.href&&!e.linkUnlisted?e.href:!t&&e.collapsible?(0,l.LM)(e):void 0),[e,t])}(t),_=(0,l._F)(t,i),v=(0,Z.Mg)(x,i),{collapsed:g,setCollapsed:C}=(0,B.u)({initialState:()=>!!h&&(!_&&t.collapsed)}),{expandedItem:T,setExpandedItem:w}=function(){const e=(0,a.useContext)(N);if(e===I)throw new S.i6("DocSidebarItemsExpandedStateProvider");return e}(),E=function(e){void 0===e&&(e=!g),w(e?null:c),C(e)};return function(e){let{isActive:t,collapsed:n,updateCollapsed:o}=e;const i=(0,S.D9)(t);(0,a.useEffect)((()=>{t&&!i&&n&&o(!1)}),[t,i,n,o])}({isActive:_,collapsed:g,updateCollapsed:E}),(0,a.useEffect)((()=>{h&&null!=T&&T!==c&&f&&C(!0)}),[h,T,c,C,f]),(0,b.jsxs)("li",{className:(0,o.Z)(s.k.docs.docSidebarItemCategory,s.k.docs.docSidebarItemCategoryLevel(r),"menu__list-item",{"menu__list-item--collapsed":g},p),children:[(0,b.jsxs)("div",{className:(0,o.Z)("menu__list-item-collapsible",{"menu__list-item-collapsible--active":v}),children:[(0,b.jsx)(A.Z,{className:(0,o.Z)("menu__link",{"menu__link--sublist":h,"menu__link--sublist-caret":!x&&h,"menu__link--active":_}),onClick:h?e=>{n?.(t),x?E(!1):(e.preventDefault(),E())}:()=>{n?.(t)},"aria-current":v?"page":void 0,role:h&&!x?"button":void 0,"aria-expanded":h&&!x?!g:void 0,href:h?k??"#":k,...d,children:m}),x&&h&&(0,b.jsx)(y,{collapsed:g,categoryLabel:m,onClick:e=>{e.preventDefault(),E()}})]}),(0,b.jsx)(B.z,{lazy:!0,as:"ul",className:"menu__list",collapsed:g,children:(0,b.jsx)(V,{items:u,tabIndex:g?-1:0,onItemClick:n,activePath:i,level:r+1})})]})}var E=n(3919),H=n(9471);const M={menuExternalLink:"menuExternalLink_NmtK"};function R(e){let{item:t,onItemClick:n,activePath:a,level:i,index:r,...c}=e;const{href:d,label:u,className:m,autoAddBaseUrl:h}=t,p=(0,l._F)(t,a),x=(0,E.Z)(d);return(0,b.jsx)("li",{className:(0,o.Z)(s.k.docs.docSidebarItemLink,s.k.docs.docSidebarItemLinkLevel(i),"menu__list-item",m),children:(0,b.jsxs)(A.Z,{className:(0,o.Z)("menu__link",!x&&M.menuExternalLink,{"menu__link--active":p}),autoAddBaseUrl:h,"aria-current":p?"page":void 0,to:d,...x&&{onClick:n?()=>n(t):void 0},...c,children:[u,!x&&(0,b.jsx)(H.Z,{})]})},u)}const W={menuHtmlItem:"menuHtmlItem_M9Kj"};function F(e){let{item:t,level:n,index:a}=e;const{value:i,defaultStyle:l,className:r}=t;return(0,b.jsx)("li",{className:(0,o.Z)(s.k.docs.docSidebarItemLink,s.k.docs.docSidebarItemLinkLevel(n),l&&[W.menuHtmlItem,"menu__list-item"],r),dangerouslySetInnerHTML:{__html:i}},a)}function P(e){let{item:t,...n}=e;switch(t.type){case"category":return(0,b.jsx)(w,{item:t,...n});case"html":return(0,b.jsx)(F,{item:t,...n});default:return(0,b.jsx)(R,{item:t,...n})}}function D(e){let{items:t,...n}=e;const a=(0,l.f)(t,n.activePath);return(0,b.jsx)(T,{children:a.map(((e,t)=>(0,b.jsx)(P,{item:e,index:t,...n},t)))})}const V=(0,a.memo)(D),U={menu:"menu_SIkG",menuWithAnnouncementBar:"menuWithAnnouncementBar_GW3s"};function K(e){let{path:t,sidebar:n,className:i}=e;const l=function(){const{isActive:e}=(0,C.n)(),[t,n]=(0,a.useState)(e);return(0,d.RF)((t=>{let{scrollY:a}=t;e&&n(0===a)}),[e]),e&&t}();return(0,b.jsx)("nav",{"aria-label":(0,c.I)({id:"theme.docs.sidebar.navAriaLabel",message:"Docs sidebar",description:"The ARIA label for the sidebar navigation"}),className:(0,o.Z)("menu thin-scrollbar",U.menu,l&&U.menuWithAnnouncementBar,i),children:(0,b.jsx)("ul",{className:(0,o.Z)(s.k.docs.docSidebarMenu,"menu__list"),children:(0,b.jsx)(V,{items:n,activePath:t,level:1})})})}const Y="sidebar_njMd",z="sidebarWithHideableNavbar_wUlq",G="sidebarHidden_VK0M",O="sidebarLogo_isFc";function q(e){let{path:t,sidebar:n,onCollapse:a,isHidden:i}=e;const{navbar:{hideOnScroll:s},docs:{sidebar:{hideable:l}}}=(0,j.L)();return(0,b.jsxs)("div",{className:(0,o.Z)(Y,s&&z,i&&G),children:[s&&(0,b.jsx)(k.Z,{tabIndex:-1,className:O}),(0,b.jsx)(K,{path:t,sidebar:n}),l&&(0,b.jsx)(g,{onClick:a})]})}const J=a.memo(q);var Q=n(3102),X=n(3163);const $=e=>{let{sidebar:t,path:n}=e;const a=(0,X.e)();return(0,b.jsx)("ul",{className:(0,o.Z)(s.k.docs.docSidebarMenu,"menu__list"),children:(0,b.jsx)(V,{items:t,activePath:n,onItemClick:e=>{"category"===e.type&&e.href&&a.toggle(),"link"===e.type&&a.toggle()},level:1})})};function ee(e){return(0,b.jsx)(Q.Zo,{component:$,props:e})}const te=a.memo(ee);function ne(e){const t=(0,f.i)(),n="desktop"===t||"ssr"===t,a="mobile"===t;return(0,b.jsxs)(b.Fragment,{children:[n&&(0,b.jsx)(J,{...e}),a&&(0,b.jsx)(te,{...e})]})}const ae={expandButton:"expandButton_TmdG",expandButtonIcon:"expandButtonIcon_i1dp"};function oe(e){let{toggleSidebar:t}=e;return(0,b.jsx)("div",{className:ae.expandButton,title:(0,c.I)({id:"theme.docs.sidebar.expandButtonTitle",message:"Expand sidebar",description:"The ARIA label and title attribute for expand button of doc sidebar"}),"aria-label":(0,c.I)({id:"theme.docs.sidebar.expandButtonAriaLabel",message:"Expand sidebar",description:"The ARIA label and title attribute for expand button of doc sidebar"}),tabIndex:0,role:"button",onKeyDown:t,onClick:t,children:(0,b.jsx)(_,{className:ae.expandButtonIcon})})}const ie={docSidebarContainer:"docSidebarContainer_YfHR",docSidebarContainerHidden:"docSidebarContainerHidden_DPk8",sidebarViewport:"sidebarViewport_aRkj"};function se(e){let{children:t}=e;const n=(0,r.V)();return(0,b.jsx)(a.Fragment,{children:t},n?.name??"noSidebar")}function le(e){let{sidebar:t,hiddenSidebarContainer:n,setHiddenSidebarContainer:i}=e;const{pathname:l}=(0,x.TH)(),[r,c]=(0,a.useState)(!1),d=(0,a.useCallback)((()=>{r&&c(!1),!r&&(0,p.n)()&&c(!0),i((e=>!e))}),[i,r]);return(0,b.jsx)("aside",{className:(0,o.Z)(s.k.docs.docSidebarContainer,ie.docSidebarContainer,n&&ie.docSidebarContainerHidden),onTransitionEnd:e=>{e.currentTarget.classList.contains(ie.docSidebarContainer)&&n&&c(!0)},children:(0,b.jsx)(se,{children:(0,b.jsxs)("div",{className:(0,o.Z)(ie.sidebarViewport,r&&ie.sidebarViewportHidden),children:[(0,b.jsx)(ne,{sidebar:t,path:l,onCollapse:d,isHidden:r}),r&&(0,b.jsx)(oe,{toggleSidebar:d})]})})})}const re={docMainContainer:"docMainContainer_TBSr",docMainContainerEnhanced:"docMainContainerEnhanced_lQrH",docItemWrapperEnhanced:"docItemWrapperEnhanced_JWYK"};function ce(e){let{hiddenSidebarContainer:t,children:n}=e;const a=(0,r.V)();return(0,b.jsx)("main",{className:(0,o.Z)(re.docMainContainer,(t||!a)&&re.docMainContainerEnhanced),children:(0,b.jsx)("div",{className:(0,o.Z)("container padding-top--md padding-bottom--lg",re.docItemWrapper,t&&re.docItemWrapperEnhanced),children:n})})}const de={docRoot:"docRoot_UBD9",docsWrapper:"docsWrapper_hBAB"};function ue(e){let{children:t}=e;const n=(0,r.V)(),[o,i]=(0,a.useState)(!1);return(0,b.jsxs)("div",{className:de.docsWrapper,children:[(0,b.jsx)(h,{}),(0,b.jsxs)("div",{className:de.docRoot,children:[n&&(0,b.jsx)(le,{sidebar:n.items,hiddenSidebarContainer:o,setHiddenSidebarContainer:i}),(0,b.jsx)(ce,{hiddenSidebarContainer:o,children:t})]})]})}var me=n(5658);function be(e){const t=(0,l.SN)(e);if(!t)return(0,b.jsx)(me.Z,{});const{docElement:n,sidebarName:a,sidebarItems:c}=t;return(0,b.jsx)(i.FG,{className:(0,o.Z)(s.k.page.docsDocPage),children:(0,b.jsx)(r.b,{name:a,items:c,children:(0,b.jsx)(ue,{children:n})})})}},5658:(e,t,n)=>{n.d(t,{Z:()=>l});n(7294);var a=n(512),o=n(5999),i=n(2503),s=n(5893);function l(e){let{className:t}=e;return(0,s.jsx)("main",{className:(0,a.Z)("container margin-vert--xl",t),children:(0,s.jsx)("div",{className:"row",children:(0,s.jsxs)("div",{className:"col col--6 col--offset-3",children:[(0,s.jsx)(i.Z,{as:"h1",className:"hero__title",children:(0,s.jsx)(o.Z,{id:"theme.NotFound.title",description:"The title of the 404 page",children:"Page Not Found"})}),(0,s.jsx)("p",{children:(0,s.jsx)(o.Z,{id:"theme.NotFound.p1",description:"The first paragraph of the 404 page",children:"We could not find what you were looking for."})}),(0,s.jsx)("p",{children:(0,s.jsx)(o.Z,{id:"theme.NotFound.p2",description:"The 2nd paragraph of the 404 page",children:"Please contact the owner of the site that linked you to the original URL and let them know their link is broken."})})]})})})}}}]); \ No newline at end of file diff --git a/assets/js/ab388925.00132f62.js b/assets/js/ab388925.00132f62.js new file mode 100644 index 000000000..121d71b19 --- /dev/null +++ b/assets/js/ab388925.00132f62.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[4548],{9027:(e,t,s)=>{s.r(t),s.d(t,{assets:()=>d,contentTitle:()=>o,default:()=>h,frontMatter:()=>n,metadata:()=>i,toc:()=>c});var a=s(5893),r=s(1151);const n={title:"Cluster Datastore"},o=void 0,i={id:"datastore/datastore",title:"Cluster Datastore",description:"The ability to run Kubernetes using a datastore other than etcd sets K3s apart from other Kubernetes distributions. This feature provides flexibility to Kubernetes operators. The available datastore options allow you to select a datastore that best fits your use case. For example:",source:"@site/docs/datastore/datastore.md",sourceDirName:"datastore",slug:"/datastore/",permalink:"/datastore/",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/datastore/datastore.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Cluster Datastore"},sidebar:"mySidebar",previous:{title:"Uninstalling K3s",permalink:"/installation/uninstall"},next:{title:"Backup and Restore",permalink:"/datastore/backup-restore"}},d={},c=[{value:"External Datastore Configuration Parameters",id:"external-datastore-configuration-parameters",level:3},{value:"Datastore Endpoint Format and Functionality",id:"datastore-endpoint-format-and-functionality",level:3}];function l(e){const t={a:"a",admonition:"admonition",br:"br",code:"code",h3:"h3",li:"li",p:"p",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,r.a)(),...e.components},{TabItem:s,Tabs:n}=t;return s||u("TabItem",!0),n||u("Tabs",!0),(0,a.jsxs)(a.Fragment,{children:[(0,a.jsx)(t.p,{children:"The ability to run Kubernetes using a datastore other than etcd sets K3s apart from other Kubernetes distributions. This feature provides flexibility to Kubernetes operators. The available datastore options allow you to select a datastore that best fits your use case. For example:"}),"\n",(0,a.jsxs)(t.ul,{children:["\n",(0,a.jsx)(t.li,{children:"If your team doesn't have expertise in operating etcd, you can choose an enterprise-grade SQL database like MySQL or PostgreSQL"}),"\n",(0,a.jsx)(t.li,{children:"If you need to run a simple, short-lived cluster in your CI/CD environment, you can use the embedded SQLite database"}),"\n",(0,a.jsx)(t.li,{children:"If you wish to deploy Kubernetes on the edge and require a highly available solution but can't afford the operational overhead of managing a database at the edge, you can use K3s's embedded HA datastore built on top of embedded etcd."}),"\n"]}),"\n",(0,a.jsx)(t.p,{children:"K3s supports the following datastore options:"}),"\n",(0,a.jsxs)(t.ul,{children:["\n",(0,a.jsxs)(t.li,{children:[(0,a.jsxs)(t.strong,{children:["Embedded ",(0,a.jsx)(t.a,{href:"https://www.sqlite.org/index.html",children:"SQLite"})]}),(0,a.jsx)(t.br,{}),"\n","SQLite cannot be used on clusters with multiple servers.",(0,a.jsx)(t.br,{}),"\n","SQLite is the default datastore, and will be used if no other datastore configuration is present, and no embedded etcd database files are present on disk."]}),"\n",(0,a.jsxs)(t.li,{children:[(0,a.jsx)(t.strong,{children:"Embedded etcd"}),(0,a.jsx)(t.br,{}),"\n","See the ",(0,a.jsx)(t.a,{href:"/datastore/ha-embedded",children:"High Availability Embedded etcd"})," documentation for more information on using embedded etcd with multiple servers.\nEmbedded etcd will be automatically selected if K3s is configured to initialize a new etcd cluster, join an existing etcd cluster, or if etcd database files are present on disk during startup."]}),"\n",(0,a.jsxs)(t.li,{children:[(0,a.jsx)(t.strong,{children:"External Database"}),(0,a.jsx)(t.br,{}),"\n","See the ",(0,a.jsx)(t.a,{href:"/datastore/ha",children:"High Availability External DB"})," documentation for more information on using external datastores with multiple servers.",(0,a.jsx)(t.br,{}),"\n","The following external datastores are supported:","\n",(0,a.jsxs)(t.ul,{children:["\n",(0,a.jsxs)(t.li,{children:[(0,a.jsx)(t.a,{href:"https://etcd.io/",children:"etcd"})," (certified against version 3.5.4)"]}),"\n",(0,a.jsxs)(t.li,{children:[(0,a.jsx)(t.a,{href:"https://www.mysql.com/",children:"MySQL"})," (certified against versions 5.7 and 8.0)"]}),"\n",(0,a.jsxs)(t.li,{children:[(0,a.jsx)(t.a,{href:"https://mariadb.org/",children:"MariaDB"})," (certified against version 10.6.8)"]}),"\n",(0,a.jsxs)(t.li,{children:[(0,a.jsx)(t.a,{href:"https://www.postgresql.org/",children:"PostgreSQL"})," (certified against versions 12.16, 13.12, 14.9 and 15.4)"]}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,a.jsx)(t.admonition,{title:"Prepared Statement Support",type:"warning",children:(0,a.jsxs)(t.p,{children:["K3s requires prepared statements support from the DB. This means that connection poolers such as ",(0,a.jsx)(t.a,{href:"https://www.pgbouncer.org/faq.html#how-to-use-prepared-statements-with-transaction-pooling",children:"PgBouncer"})," may require additional configuration to work with K3s."]})}),"\n",(0,a.jsx)(t.h3,{id:"external-datastore-configuration-parameters",children:"External Datastore Configuration Parameters"}),"\n",(0,a.jsxs)(t.p,{children:["If you wish to use an external datastore such as PostgreSQL, MySQL, or etcd you must set the ",(0,a.jsx)(t.code,{children:"datastore-endpoint"})," parameter so that K3s knows how to connect to it. You may also specify parameters to configure the authentication and encryption of the connection. The below table summarizes these parameters, which can be passed as either CLI flags or environment variables."]}),"\n",(0,a.jsxs)(t.table,{children:[(0,a.jsx)(t.thead,{children:(0,a.jsxs)(t.tr,{children:[(0,a.jsx)(t.th,{children:"CLI Flag"}),(0,a.jsx)(t.th,{children:"Environment Variable"}),(0,a.jsx)(t.th,{children:"Description"})]})}),(0,a.jsxs)(t.tbody,{children:[(0,a.jsxs)(t.tr,{children:[(0,a.jsx)(t.td,{children:(0,a.jsx)(t.code,{children:"--datastore-endpoint"})}),(0,a.jsx)(t.td,{children:(0,a.jsx)(t.code,{children:"K3S_DATASTORE_ENDPOINT"})}),(0,a.jsx)(t.td,{children:"Specify a PostgreSQL, MySQL, or etcd connection string. This is a string used to describe the connection to the datastore. The structure of this string is specific to each backend and is detailed below."})]}),(0,a.jsxs)(t.tr,{children:[(0,a.jsx)(t.td,{children:(0,a.jsx)(t.code,{children:"--datastore-cafile"})}),(0,a.jsx)(t.td,{children:(0,a.jsx)(t.code,{children:"K3S_DATASTORE_CAFILE"})}),(0,a.jsx)(t.td,{children:"TLS Certificate Authority (CA) file used to help secure communication with the datastore. If your datastore serves requests over TLS using a certificate signed by a custom certificate authority, you can specify that CA using this parameter so that the K3s client can properly verify the certificate."})]}),(0,a.jsxs)(t.tr,{children:[(0,a.jsx)(t.td,{children:(0,a.jsx)(t.code,{children:"--datastore-certfile"})}),(0,a.jsx)(t.td,{children:(0,a.jsx)(t.code,{children:"K3S_DATASTORE_CERTFILE"})}),(0,a.jsxs)(t.td,{children:["TLS certificate file used for client certificate based authentication to your datastore. To use this feature, your datastore must be configured to support client certificate based authentication. If you specify this parameter, you must also specify the ",(0,a.jsx)(t.code,{children:"datastore-keyfile"})," parameter."]})]}),(0,a.jsxs)(t.tr,{children:[(0,a.jsx)(t.td,{children:(0,a.jsx)(t.code,{children:"--datastore-keyfile"})}),(0,a.jsx)(t.td,{children:(0,a.jsx)(t.code,{children:"K3S_DATASTORE_KEYFILE"})}),(0,a.jsxs)(t.td,{children:["TLS key file used for client certificate based authentication to your datastore. See the previous ",(0,a.jsx)(t.code,{children:"datastore-certfile"})," parameter for more details."]})]})]})]}),"\n",(0,a.jsx)(t.p,{children:"As a best practice we recommend setting these parameters as environment variables rather than command line arguments so that your database credentials or other sensitive information aren't exposed as part of the process info."}),"\n",(0,a.jsx)(t.h3,{id:"datastore-endpoint-format-and-functionality",children:"Datastore Endpoint Format and Functionality"}),"\n",(0,a.jsxs)(t.p,{children:["As mentioned, the format of the value passed to the ",(0,a.jsx)(t.code,{children:"datastore-endpoint"})," parameter is dependent upon the datastore backend. The following details this format and functionality for each supported external datastore."]}),"\n",(0,a.jsxs)(n,{queryString:"ext-db",children:[(0,a.jsxs)(s,{value:"PostgreSQL",children:[(0,a.jsx)(t.p,{children:"In its most common form, the datastore-endpoint parameter for PostgreSQL has the following format:"}),(0,a.jsx)(t.p,{children:(0,a.jsx)(t.code,{children:"postgres://username:password@hostname:port/database-name"})}),(0,a.jsxs)(t.p,{children:["More advanced configuration parameters are available. For more information on these, please see ",(0,a.jsx)(t.a,{href:"https://godoc.org/github.com/lib/pq",children:"https://godoc.org/github.com/lib/pq"}),"."]}),(0,a.jsx)(t.p,{children:"If you specify a database name and it does not exist, the server will attempt to create it."}),(0,a.jsxs)(t.p,{children:["If you only supply ",(0,a.jsx)(t.code,{children:"postgres://"})," as the endpoint, K3s will attempt to do the following:"]}),(0,a.jsxs)(t.ul,{children:["\n",(0,a.jsxs)(t.li,{children:["Connect to localhost using ",(0,a.jsx)(t.code,{children:"postgres"})," as the username and password"]}),"\n",(0,a.jsxs)(t.li,{children:["Create a database named ",(0,a.jsx)(t.code,{children:"kubernetes"})]}),"\n"]})]}),(0,a.jsxs)(s,{value:"MySQL / MariaDB",children:[(0,a.jsxs)(t.p,{children:["In its most common form, the ",(0,a.jsx)(t.code,{children:"datastore-endpoint"})," parameter for MySQL and MariaDB has the following format:"]}),(0,a.jsx)(t.p,{children:(0,a.jsx)(t.code,{children:"mysql://username:password@tcp(hostname:3306)/database-name"})}),(0,a.jsxs)(t.p,{children:["More advanced configuration parameters are available. For more information on these, please see ",(0,a.jsx)(t.a,{href:"https://github.com/go-sql-driver/mysql#dsn-data-source-name",children:"https://github.com/go-sql-driver/mysql#dsn-data-source-name"})]}),(0,a.jsxs)(t.p,{children:["Note that due to a ",(0,a.jsx)(t.a,{href:"https://github.com/k3s-io/k3s/issues/1093",children:"known issue"})," in K3s, you cannot set the ",(0,a.jsx)(t.code,{children:"tls"}),' parameter. TLS communication is supported, but you cannot, for example, set this parameter to "skip-verify" to cause K3s to skip certificate verification.']}),(0,a.jsx)(t.p,{children:"If you specify a database name and it does not exist, the server will attempt to create it."}),(0,a.jsxs)(t.p,{children:["If you only supply ",(0,a.jsx)(t.code,{children:"mysql://"})," as the endpoint, K3s will attempt to do the following:"]}),(0,a.jsxs)(t.ul,{children:["\n",(0,a.jsxs)(t.li,{children:["Connect to the MySQL socket at ",(0,a.jsx)(t.code,{children:"/var/run/mysqld/mysqld.sock"})," using the ",(0,a.jsx)(t.code,{children:"root"})," user and no password"]}),"\n",(0,a.jsxs)(t.li,{children:["Create a database with the name ",(0,a.jsx)(t.code,{children:"kubernetes"})]}),"\n"]})]}),(0,a.jsxs)(s,{value:"etcd",children:[(0,a.jsxs)(t.p,{children:["In its most common form, the ",(0,a.jsx)(t.code,{children:"datastore-endpoint"})," parameter for etcd has the following format:"]}),(0,a.jsx)(t.p,{children:(0,a.jsx)(t.code,{children:"https://etcd-host-1:2379,https://etcd-host-2:2379,https://etcd-host-3:2379"})}),(0,a.jsx)(t.p,{children:"The above assumes a typical three node etcd cluster. The parameter can accept one more comma separated etcd URLs."})]})]})]})}function h(e={}){const{wrapper:t}={...(0,r.a)(),...e.components};return t?(0,a.jsx)(t,{...e,children:(0,a.jsx)(l,{...e})}):l(e)}function u(e,t){throw new Error("Expected "+(t?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,t,s)=>{s.d(t,{Z:()=>i,a:()=>o});var a=s(7294);const r={},n=a.createContext(r);function o(e){const t=a.useContext(n);return a.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function i(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:o(e.components),a.createElement(n.Provider,{value:t},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/ab388925.803abe99.js b/assets/js/ab388925.803abe99.js deleted file mode 100644 index 308f3088f..000000000 --- a/assets/js/ab388925.803abe99.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[4548],{9027:(e,t,s)=>{s.r(t),s.d(t,{assets:()=>d,contentTitle:()=>o,default:()=>h,frontMatter:()=>n,metadata:()=>i,toc:()=>c});var a=s(5893),r=s(1151);const n={title:"Cluster Datastore"},o=void 0,i={id:"datastore/datastore",title:"Cluster Datastore",description:"The ability to run Kubernetes using a datastore other than etcd sets K3s apart from other Kubernetes distributions. This feature provides flexibility to Kubernetes operators. The available datastore options allow you to select a datastore that best fits your use case. For example:",source:"@site/docs/datastore/datastore.md",sourceDirName:"datastore",slug:"/datastore/",permalink:"/datastore/",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/datastore/datastore.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Cluster Datastore"},sidebar:"mySidebar",previous:{title:"Uninstalling K3s",permalink:"/installation/uninstall"},next:{title:"Backup and Restore",permalink:"/datastore/backup-restore"}},d={},c=[{value:"External Datastore Configuration Parameters",id:"external-datastore-configuration-parameters",level:3},{value:"Datastore Endpoint Format and Functionality",id:"datastore-endpoint-format-and-functionality",level:3}];function l(e){const t={a:"a",admonition:"admonition",br:"br",code:"code",h3:"h3",li:"li",p:"p",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,r.a)(),...e.components},{TabItem:s,Tabs:n}=t;return s||u("TabItem",!0),n||u("Tabs",!0),(0,a.jsxs)(a.Fragment,{children:[(0,a.jsx)(t.p,{children:"The ability to run Kubernetes using a datastore other than etcd sets K3s apart from other Kubernetes distributions. This feature provides flexibility to Kubernetes operators. The available datastore options allow you to select a datastore that best fits your use case. For example:"}),"\n",(0,a.jsxs)(t.ul,{children:["\n",(0,a.jsx)(t.li,{children:"If your team doesn't have expertise in operating etcd, you can choose an enterprise-grade SQL database like MySQL or PostgreSQL"}),"\n",(0,a.jsx)(t.li,{children:"If you need to run a simple, short-lived cluster in your CI/CD environment, you can use the embedded SQLite database"}),"\n",(0,a.jsx)(t.li,{children:"If you wish to deploy Kubernetes on the edge and require a highly available solution but can't afford the operational overhead of managing a database at the edge, you can use K3s's embedded HA datastore built on top of embedded etcd."}),"\n"]}),"\n",(0,a.jsx)(t.p,{children:"K3s supports the following datastore options:"}),"\n",(0,a.jsxs)(t.ul,{children:["\n",(0,a.jsxs)(t.li,{children:[(0,a.jsxs)(t.strong,{children:["Embedded ",(0,a.jsx)(t.a,{href:"https://www.sqlite.org/index.html",children:"SQLite"})]}),(0,a.jsx)(t.br,{}),"\n","SQLite cannot be used on clusters with multiple servers.",(0,a.jsx)(t.br,{}),"\n","SQLite is the default datastore, and will be used if no other datastore configuration is present, and no embedded etcd database files are present on disk."]}),"\n",(0,a.jsxs)(t.li,{children:[(0,a.jsx)(t.strong,{children:"Embedded etcd"}),(0,a.jsx)(t.br,{}),"\n","See the ",(0,a.jsx)(t.a,{href:"/datastore/ha-embedded",children:"High Availability Embedded etcd"})," documentation for more information on using embedded etcd with multiple servers.\nEmbedded etcd will be automatically selected if K3s is configured to initialize a new etcd cluster, join an existing etcd cluster, or if etcd database files are present on disk during startup."]}),"\n",(0,a.jsxs)(t.li,{children:[(0,a.jsx)(t.strong,{children:"External Database"}),(0,a.jsx)(t.br,{}),"\n","See the ",(0,a.jsx)(t.a,{href:"/datastore/ha",children:"High Availability External DB"})," documentation for more information on using external datastores with multiple servers.",(0,a.jsx)(t.br,{}),"\n","The following external datastores are supported:","\n",(0,a.jsxs)(t.ul,{children:["\n",(0,a.jsxs)(t.li,{children:[(0,a.jsx)(t.a,{href:"https://etcd.io/",children:"etcd"})," (certified against version 3.5.4)"]}),"\n",(0,a.jsxs)(t.li,{children:[(0,a.jsx)(t.a,{href:"https://www.mysql.com/",children:"MySQL"})," (certified against versions 5.7 and 8.0)"]}),"\n",(0,a.jsxs)(t.li,{children:[(0,a.jsx)(t.a,{href:"https://mariadb.org/",children:"MariaDB"})," (certified against version 10.6.8)"]}),"\n",(0,a.jsxs)(t.li,{children:[(0,a.jsx)(t.a,{href:"https://www.postgresql.org/",children:"PostgreSQL"})," (certified against versions 12.16, 13.12, 14.9 and 15.4)"]}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,a.jsx)(t.admonition,{title:"Prepared Statement Support",type:"warning",children:(0,a.jsxs)(t.p,{children:["K3s requires prepared statements support from the DB. This means that connection poolers such as ",(0,a.jsx)(t.a,{href:"https://www.pgbouncer.org/faq.html#how-to-use-prepared-statements-with-transaction-pooling",children:"PgBouncer"})," may require additional configuration to work with K3s."]})}),"\n",(0,a.jsx)(t.h3,{id:"external-datastore-configuration-parameters",children:"External Datastore Configuration Parameters"}),"\n",(0,a.jsxs)(t.p,{children:["If you wish to use an external datastore such as PostgreSQL, MySQL, or etcd you must set the ",(0,a.jsx)(t.code,{children:"datastore-endpoint"})," parameter so that K3s knows how to connect to it. You may also specify parameters to configure the authentication and encryption of the connection. The below table summarizes these parameters, which can be passed as either CLI flags or environment variables."]}),"\n",(0,a.jsxs)(t.table,{children:[(0,a.jsx)(t.thead,{children:(0,a.jsxs)(t.tr,{children:[(0,a.jsx)(t.th,{children:"CLI Flag"}),(0,a.jsx)(t.th,{children:"Environment Variable"}),(0,a.jsx)(t.th,{children:"Description"})]})}),(0,a.jsxs)(t.tbody,{children:[(0,a.jsxs)(t.tr,{children:[(0,a.jsx)(t.td,{children:(0,a.jsx)(t.code,{children:"--datastore-endpoint"})}),(0,a.jsx)(t.td,{children:(0,a.jsx)(t.code,{children:"K3S_DATASTORE_ENDPOINT"})}),(0,a.jsx)(t.td,{children:"Specify a PostgreSQL, MySQL, or etcd connection string. This is a string used to describe the connection to the datastore. The structure of this string is specific to each backend and is detailed below."})]}),(0,a.jsxs)(t.tr,{children:[(0,a.jsx)(t.td,{children:(0,a.jsx)(t.code,{children:"--datastore-cafile"})}),(0,a.jsx)(t.td,{children:(0,a.jsx)(t.code,{children:"K3S_DATASTORE_CAFILE"})}),(0,a.jsx)(t.td,{children:"TLS Certificate Authority (CA) file used to help secure communication with the datastore. If your datastore serves requests over TLS using a certificate signed by a custom certificate authority, you can specify that CA using this parameter so that the K3s client can properly verify the certificate."})]}),(0,a.jsxs)(t.tr,{children:[(0,a.jsx)(t.td,{children:(0,a.jsx)(t.code,{children:"--datastore-certfile"})}),(0,a.jsx)(t.td,{children:(0,a.jsx)(t.code,{children:"K3S_DATASTORE_CERTFILE"})}),(0,a.jsxs)(t.td,{children:["TLS certificate file used for client certificate based authentication to your datastore. To use this feature, your datastore must be configured to support client certificate based authentication. If you specify this parameter, you must also specify the ",(0,a.jsx)(t.code,{children:"datastore-keyfile"})," parameter."]})]}),(0,a.jsxs)(t.tr,{children:[(0,a.jsx)(t.td,{children:(0,a.jsx)(t.code,{children:"--datastore-keyfile"})}),(0,a.jsx)(t.td,{children:(0,a.jsx)(t.code,{children:"K3S_DATASTORE_KEYFILE"})}),(0,a.jsxs)(t.td,{children:["TLS key file used for client certificate based authentication to your datastore. See the previous ",(0,a.jsx)(t.code,{children:"datastore-certfile"})," parameter for more details."]})]})]})]}),"\n",(0,a.jsx)(t.p,{children:"As a best practice we recommend setting these parameters as environment variables rather than command line arguments so that your database credentials or other sensitive information aren't exposed as part of the process info."}),"\n",(0,a.jsx)(t.h3,{id:"datastore-endpoint-format-and-functionality",children:"Datastore Endpoint Format and Functionality"}),"\n",(0,a.jsxs)(t.p,{children:["As mentioned, the format of the value passed to the ",(0,a.jsx)(t.code,{children:"datastore-endpoint"})," parameter is dependent upon the datastore backend. The following details this format and functionality for each supported external datastore."]}),"\n",(0,a.jsxs)(n,{queryString:"ext-db",children:[(0,a.jsxs)(s,{value:"PostgreSQL",children:[(0,a.jsx)(t.p,{children:"In its most common form, the datastore-endpoint parameter for PostgreSQL has the following format:"}),(0,a.jsx)(t.p,{children:(0,a.jsx)(t.code,{children:"postgres://username:password@hostname:port/database-name"})}),(0,a.jsxs)(t.p,{children:["More advanced configuration parameters are available. For more information on these, please see ",(0,a.jsx)(t.a,{href:"https://godoc.org/github.com/lib/pq",children:"https://godoc.org/github.com/lib/pq"}),"."]}),(0,a.jsx)(t.p,{children:"If you specify a database name and it does not exist, the server will attempt to create it."}),(0,a.jsxs)(t.p,{children:["If you only supply ",(0,a.jsx)(t.code,{children:"postgres://"})," as the endpoint, K3s will attempt to do the following:"]}),(0,a.jsxs)(t.ul,{children:["\n",(0,a.jsxs)(t.li,{children:["Connect to localhost using ",(0,a.jsx)(t.code,{children:"postgres"})," as the username and password"]}),"\n",(0,a.jsxs)(t.li,{children:["Create a database named ",(0,a.jsx)(t.code,{children:"kubernetes"})]}),"\n"]})]}),(0,a.jsxs)(s,{value:"MySQL / MariaDB",children:[(0,a.jsxs)(t.p,{children:["In its most common form, the ",(0,a.jsx)(t.code,{children:"datastore-endpoint"})," parameter for MySQL and MariaDB has the following format:"]}),(0,a.jsx)(t.p,{children:(0,a.jsx)(t.code,{children:"mysql://username:password@tcp(hostname:3306)/database-name"})}),(0,a.jsxs)(t.p,{children:["More advanced configuration parameters are available. For more information on these, please see ",(0,a.jsx)(t.a,{href:"https://github.com/go-sql-driver/mysql#dsn-data-source-name",children:"https://github.com/go-sql-driver/mysql#dsn-data-source-name"})]}),(0,a.jsxs)(t.p,{children:["Note that due to a ",(0,a.jsx)(t.a,{href:"https://github.com/k3s-io/k3s/issues/1093",children:"known issue"})," in K3s, you cannot set the ",(0,a.jsx)(t.code,{children:"tls"}),' parameter. TLS communication is supported, but you cannot, for example, set this parameter to "skip-verify" to cause K3s to skip certificate verification.']}),(0,a.jsx)(t.p,{children:"If you specify a database name and it does not exist, the server will attempt to create it."}),(0,a.jsxs)(t.p,{children:["If you only supply ",(0,a.jsx)(t.code,{children:"mysql://"})," as the endpoint, K3s will attempt to do the following:"]}),(0,a.jsxs)(t.ul,{children:["\n",(0,a.jsxs)(t.li,{children:["Connect to the MySQL socket at ",(0,a.jsx)(t.code,{children:"/var/run/mysqld/mysqld.sock"})," using the ",(0,a.jsx)(t.code,{children:"root"})," user and no password"]}),"\n",(0,a.jsxs)(t.li,{children:["Create a database with the name ",(0,a.jsx)(t.code,{children:"kubernetes"})]}),"\n"]})]}),(0,a.jsxs)(s,{value:"etcd",children:[(0,a.jsxs)(t.p,{children:["In its most common form, the ",(0,a.jsx)(t.code,{children:"datastore-endpoint"})," parameter for etcd has the following format:"]}),(0,a.jsx)(t.p,{children:(0,a.jsx)(t.code,{children:"https://etcd-host-1:2379,https://etcd-host-2:2379,https://etcd-host-3:2379"})}),(0,a.jsx)(t.p,{children:"The above assumes a typical three node etcd cluster. The parameter can accept one more comma separated etcd URLs."})]})]})]})}function h(e={}){const{wrapper:t}={...(0,r.a)(),...e.components};return t?(0,a.jsx)(t,{...e,children:(0,a.jsx)(l,{...e})}):l(e)}function u(e,t){throw new Error("Expected "+(t?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,t,s)=>{s.d(t,{Z:()=>i,a:()=>o});var a=s(7294);const r={},n=a.createContext(r);function o(e){const t=a.useContext(n);return a.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function i(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:o(e.components),a.createElement(n.Provider,{value:t},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/ab60f49a.33892d2f.js b/assets/js/ab60f49a.33892d2f.js deleted file mode 100644 index 3f40f8ab8..000000000 --- a/assets/js/ab60f49a.33892d2f.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[3555],{2688:(e,r,t)=>{t.r(r),t.d(r,{assets:()=>c,contentTitle:()=>a,default:()=>u,frontMatter:()=>i,metadata:()=>l,toc:()=>o});var s=t(5893),n=t(1151);const i={title:"CIS 1.24 Self Assessment Guide"},a=void 0,l={id:"security/self-assessment-1.24",title:"CIS 1.24 Self Assessment Guide",description:"Overview",source:"@site/docs/security/self-assessment-1.24.md",sourceDirName:"security",slug:"/security/self-assessment-1.24",permalink:"/security/self-assessment-1.24",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/security/self-assessment-1.24.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"CIS 1.24 Self Assessment Guide"},sidebar:"mySidebar",previous:{title:"CIS 1.7 Self Assessment Guide",permalink:"/security/self-assessment-1.7"},next:{title:"CLI Tools",permalink:"/cli/"}},c={},o=[{value:"Overview",id:"overview",level:2},{value:"Testing controls methodology",id:"testing-controls-methodology",level:3},{value:"1.1 Control Plane Node Configuration Files",id:"11-control-plane-node-configuration-files",level:2},{value:"1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)",id:"111-ensure-that-the-api-server-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"1.1.2 Ensure that the API server pod specification file ownership is set to root (Automated)",id:"112-ensure-that-the-api-server-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.3 Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive (Automated)",id:"113-ensure-that-the-controller-manager-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.4 Ensure that the controller manager pod specification file ownership is set to root (Automated)",id:"114-ensure-that-the-controller-manager-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.5 Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive (Automated)",id:"115-ensure-that-the-scheduler-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.6 Ensure that the scheduler pod specification file ownership is set to root (Automated)",id:"116-ensure-that-the-scheduler-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.7 Ensure that the etcd pod specification file permissions are set to 600 or more restrictive (Automated)",id:"117-ensure-that-the-etcd-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.8 Ensure that the etcd pod specification file ownership is set to root (Automated)",id:"118-ensure-that-the-etcd-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.9 Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Automated)",id:"119-ensure-that-the-container-network-interface-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.10 Ensure that the Container Network Interface file ownership is set to root (Manual)",id:"1110-ensure-that-the-container-network-interface-file-ownership-is-set-to-root-manual",level:3},{value:"1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)",id:"1111-ensure-that-the-etcd-data-directory-permissions-are-set-to-700-or-more-restrictive-automated",level:3},{value:"1.1.12 Ensure that the etcd data directory ownership is set to etcd (Automated)",id:"1112-ensure-that-the-etcd-data-directory-ownership-is-set-to-etcd-automated",level:3},{value:"1.1.13 Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)",id:"1113-ensure-that-the-adminconf-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.14 Ensure that the admin.conf file ownership is set to root (Automated)",id:"1114-ensure-that-the-adminconf-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.15 Ensure that the scheduler.conf file permissions are set to 600 or more restrictive (Automated)",id:"1115-ensure-that-the-schedulerconf-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.16 Ensure that the scheduler.conf file ownership is set to root (Automated)",id:"1116-ensure-that-the-schedulerconf-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.17 Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive (Automated)",id:"1117-ensure-that-the-controller-managerconf-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.18 Ensure that the controller-manager.conf file ownership is set to root (Automated)",id:"1118-ensure-that-the-controller-managerconf-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root (Automated)",id:"1119-ensure-that-the-kubernetes-pki-directory-and-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Manual)",id:"1120-ensure-that-the-kubernetes-pki-certificate-file-permissions-are-set-to-600-or-more-restrictive-manual",level:3},{value:"1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Automated)",id:"1121-ensure-that-the-kubernetes-pki-key-file-permissions-are-set-to-600-automated",level:3},{value:"1.2 API Server",id:"12-api-server",level:2},{value:"1.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)",id:"121-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",level:3},{value:"1.2.2 Ensure that the --token-auth-file parameter is not set (Automated)",id:"122-ensure-that-the---token-auth-file-parameter-is-not-set-automated",level:3},{value:"1.2.3 Ensure that the --DenyServiceExternalIPs is not set (Automated)",id:"123-ensure-that-the---denyserviceexternalips-is-not-set-automated",level:3},{value:"1.2.4 Ensure that the --kubelet-https argument is set to true (Automated)",id:"124-ensure-that-the---kubelet-https-argument-is-set-to-true-automated",level:3},{value:"1.2.5 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)",id:"125-ensure-that-the---kubelet-client-certificate-and---kubelet-client-key-arguments-are-set-as-appropriate-automated",level:3},{value:"1.2.6 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)",id:"126-ensure-that-the---kubelet-certificate-authority-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.7 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)",id:"127-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",level:3},{value:"1.2.8 Ensure that the --authorization-mode argument includes Node (Automated)",id:"128-ensure-that-the---authorization-mode-argument-includes-node-automated",level:3},{value:"1.2.9 Ensure that the --authorization-mode argument includes RBAC (Automated)",id:"129-ensure-that-the---authorization-mode-argument-includes-rbac-automated",level:3},{value:"1.2.10 Ensure that the admission control plugin EventRateLimit is set (Manual)",id:"1210-ensure-that-the-admission-control-plugin-eventratelimit-is-set-manual",level:3},{value:"1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set (Automated)",id:"1211-ensure-that-the-admission-control-plugin-alwaysadmit-is-not-set-automated",level:3},{value:"1.2.12 Ensure that the admission control plugin AlwaysPullImages is set (Manual)",id:"1212-ensure-that-the-admission-control-plugin-alwayspullimages-is-set-manual",level:3},{value:"1.2.13 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)",id:"1213-ensure-that-the-admission-control-plugin-securitycontextdeny-is-set-if-podsecuritypolicy-is-not-used-manual",level:3},{value:"1.2.14 Ensure that the admission control plugin ServiceAccount is set (Automated)",id:"1214-ensure-that-the-admission-control-plugin-serviceaccount-is-set-automated",level:3},{value:"1.2.15 Ensure that the admission control plugin NamespaceLifecycle is set (Automated)",id:"1215-ensure-that-the-admission-control-plugin-namespacelifecycle-is-set-automated",level:3},{value:"1.2.16 Ensure that the admission control plugin NodeRestriction is set (Automated)",id:"1216-ensure-that-the-admission-control-plugin-noderestriction-is-set-automated",level:3},{value:"1.2.17 Ensure that the --secure-port argument is not set to 0 (Automated)",id:"1217-ensure-that-the---secure-port-argument-is-not-set-to-0-automated",level:3},{value:"1.2.18 Ensure that the --profiling argument is set to false (Automated)",id:"1218-ensure-that-the---profiling-argument-is-set-to-false-automated",level:3},{value:"1.2.19 Ensure that the --audit-log-path argument is set (Manual)",id:"1219-ensure-that-the---audit-log-path-argument-is-set-manual",level:3},{value:"1.2.20 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)",id:"1220-ensure-that-the---audit-log-maxage-argument-is-set-to-30-or-as-appropriate-automated",level:3},{value:"1.2.21 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)",id:"1221-ensure-that-the---audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate-automated",level:3},{value:"1.2.22 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)",id:"1222-ensure-that-the---audit-log-maxsize-argument-is-set-to-100-or-as-appropriate-automated",level:3},{value:"1.2.23 Ensure that the --request-timeout argument is set as appropriate (Manual)",id:"1223-ensure-that-the---request-timeout-argument-is-set-as-appropriate-manual",level:3},{value:"1.2.24 Ensure that the --service-account-lookup argument is set to true (Automated)",id:"1224-ensure-that-the---service-account-lookup-argument-is-set-to-true-automated",level:3},{value:"1.2.25 Ensure that the --service-account-key-file argument is set as appropriate (Automated)",id:"1225-ensure-that-the---service-account-key-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.26 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)",id:"1226-ensure-that-the---etcd-certfile-and---etcd-keyfile-arguments-are-set-as-appropriate-automated",level:3},{value:"1.2.27 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)",id:"1227-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"1.2.28 Ensure that the --client-ca-file argument is set as appropriate (Automated)",id:"1228-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.29 Ensure that the --etcd-cafile argument is set as appropriate (Automated)",id:"1229-ensure-that-the---etcd-cafile-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.30 Ensure that the --encryption-provider-config argument is set as appropriate (Manual)",id:"1230-ensure-that-the---encryption-provider-config-argument-is-set-as-appropriate-manual",level:3},{value:"1.2.31 Ensure that encryption providers are appropriately configured (Manual)",id:"1231-ensure-that-encryption-providers-are-appropriately-configured-manual",level:3},{value:"1.2.32 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Automated)",id:"1232-ensure-that-the-api-server-only-makes-use-of-strong-cryptographic-ciphers-automated",level:3},{value:"1.3 Controller Manager",id:"13-controller-manager",level:2},{value:"1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)",id:"131-ensure-that-the---terminated-pod-gc-threshold-argument-is-set-as-appropriate-manual",level:3},{value:"1.3.2 Ensure that the --profiling argument is set to false (Automated)",id:"132-ensure-that-the---profiling-argument-is-set-to-false-automated",level:3},{value:"1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated)",id:"133-ensure-that-the---use-service-account-credentials-argument-is-set-to-true-automated",level:3},{value:"1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)",id:"134-ensure-that-the---service-account-private-key-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated)",id:"135-ensure-that-the---root-ca-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)",id:"136-ensure-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",level:3},{value:"1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)",id:"137-ensure-that-the---bind-address-argument-is-set-to-127001-automated",level:3},{value:"1.4 Scheduler",id:"14-scheduler",level:2},{value:"1.4.1 Ensure that the --profiling argument is set to false (Automated)",id:"141-ensure-that-the---profiling-argument-is-set-to-false-automated",level:3},{value:"1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)",id:"142-ensure-that-the---bind-address-argument-is-set-to-127001-automated",level:3},{value:"2 Etcd Node Configuration",id:"2-etcd-node-configuration",level:2},{value:"2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)",id:"21-ensure-that-the---cert-file-and---key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"2.2 Ensure that the --client-cert-auth argument is set to true (Automated)",id:"22-ensure-that-the---client-cert-auth-argument-is-set-to-true-automated",level:3},{value:"2.3 Ensure that the --auto-tls argument is not set to true (Automated)",id:"23-ensure-that-the---auto-tls-argument-is-not-set-to-true-automated",level:3},{value:"2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)",id:"24-ensure-that-the---peer-cert-file-and---peer-key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"2.5 Ensure that the --peer-client-cert-auth argument is set to true (Automated)",id:"25-ensure-that-the---peer-client-cert-auth-argument-is-set-to-true-automated",level:3},{value:"2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated)",id:"26-ensure-that-the---peer-auto-tls-argument-is-not-set-to-true-automated",level:3},{value:"2.7 Ensure that a unique Certificate Authority is used for etcd (Automated)",id:"27-ensure-that-a-unique-certificate-authority-is-used-for-etcd-automated",level:3},{value:"4.1 Worker Node Configuration Files",id:"41-worker-node-configuration-files",level:2},{value:"4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive (Automated)",id:"411-ensure-that-the-kubelet-service-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.2 Ensure that the kubelet service file ownership is set to root (Automated)",id:"412-ensure-that-the-kubelet-service-file-ownership-is-set-to-root-automated",level:3},{value:"4.1.3 If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive (Automated)",id:"413-if-proxy-kubeconfig-file-exists-ensure-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.4 If proxy kubeconfig file exists ensure ownership is set to root (Automated)",id:"414-if-proxy-kubeconfig-file-exists-ensure-ownership-is-set-to-root-automated",level:3},{value:"4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive (Automated)",id:"415-ensure-that-the---kubeconfig-kubeletconf-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root (Automated)",id:"416-ensure-that-the---kubeconfig-kubeletconf-file-ownership-is-set-to-root-automated",level:3},{value:"4.1.7 Ensure that the certificate authorities file permissions are set to 600 or more restrictive (Automated)",id:"417-ensure-that-the-certificate-authorities-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.8 Ensure that the client certificate authorities file ownership is set to root (Automated)",id:"418-ensure-that-the-client-certificate-authorities-file-ownership-is-set-to-root-automated",level:3},{value:"4.1.9 If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive (Automated)",id:"419-if-the-kubelet-configyaml-configuration-file-is-being-used-validate-permissions-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.10 If the kubelet config.yaml configuration file is being used validate file ownership is set to root (Automated)",id:"4110-if-the-kubelet-configyaml-configuration-file-is-being-used-validate-file-ownership-is-set-to-root-automated",level:3},{value:"4.2 Kubelet",id:"42-kubelet",level:2},{value:"4.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)",id:"421-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",level:3},{value:"4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)",id:"422-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",level:3},{value:"4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)",id:"423-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",level:3},{value:"4.2.4 Verify that the --read-only-port argument is set to 0 (Automated)",id:"424-verify-that-the---read-only-port-argument-is-set-to-0-automated",level:3},{value:"4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)",id:"425-ensure-that-the---streaming-connection-idle-timeout-argument-is-not-set-to-0-manual",level:3},{value:"4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)",id:"426-ensure-that-the---protect-kernel-defaults-argument-is-set-to-true-automated",level:3},{value:"4.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Automated)",id:"427-ensure-that-the---make-iptables-util-chains-argument-is-set-to-true-automated",level:3},{value:"4.2.8 Ensure that the --hostname-override argument is not set (Automated)",id:"428-ensure-that-the---hostname-override-argument-is-not-set-automated",level:3},{value:"4.2.9 Ensure that the eventRecordQPS argument is set to a level which ensures appropriate event capture (Manual)",id:"429-ensure-that-the-eventrecordqps-argument-is-set-to-a-level-which-ensures-appropriate-event-capture-manual",level:3},{value:"4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)",id:"4210-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"4.2.11 Ensure that the --rotate-certificates argument is not set to false (Automated)",id:"4211-ensure-that-the---rotate-certificates-argument-is-not-set-to-false-automated",level:3},{value:"4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true (Automated)",id:"4212-verify-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",level:3},{value:"4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)",id:"4213-ensure-that-the-kubelet-only-makes-use-of-strong-cryptographic-ciphers-manual",level:3},{value:"5.1 RBAC and Service Accounts",id:"51-rbac-and-service-accounts",level:2},{value:"5.1.1 Ensure that the cluster-admin role is only used where required (Manual)",id:"511-ensure-that-the-cluster-admin-role-is-only-used-where-required-manual",level:3},{value:"5.1.2 Minimize access to secrets (Manual)",id:"512-minimize-access-to-secrets-manual",level:3},{value:"5.1.3 Minimize wildcard use in Roles and ClusterRoles (Manual)",id:"513-minimize-wildcard-use-in-roles-and-clusterroles-manual",level:3},{value:"5.1.4 Minimize access to create pods (Manual)",id:"514-minimize-access-to-create-pods-manual",level:3},{value:"5.1.5 Ensure that default service accounts are not actively used. (Manual)",id:"515-ensure-that-default-service-accounts-are-not-actively-used-manual",level:3},{value:"5.1.6 Ensure that Service Account Tokens are only mounted where necessary (Manual)",id:"516-ensure-that-service-account-tokens-are-only-mounted-where-necessary-manual",level:3},{value:"5.1.7 Avoid use of system group (Manual)",id:"517-avoid-use-of-system-group-manual",level:3},{value:"5.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)",id:"518-limit-use-of-the-bind-impersonate-and-escalate-permissions-in-the-kubernetes-cluster-manual",level:3},{value:"5.2 Pod Security Standards",id:"52-pod-security-standards",level:2},{value:"5.2.1 Ensure that the cluster has at least one active policy control mechanism in place (Manual)",id:"521-ensure-that-the-cluster-has-at-least-one-active-policy-control-mechanism-in-place-manual",level:3},{value:"5.2.2 Minimize the admission of privileged containers (Manual)",id:"522-minimize-the-admission-of-privileged-containers-manual",level:3},{value:"5.2.3 Minimize the admission of containers wishing to share the host process ID namespace (Automated)",id:"523-minimize-the-admission-of-containers-wishing-to-share-the-host-process-id-namespace-automated",level:3},{value:"5.2.4 Minimize the admission of containers wishing to share the host IPC namespace (Automated)",id:"524-minimize-the-admission-of-containers-wishing-to-share-the-host-ipc-namespace-automated",level:3},{value:"5.2.5 Minimize the admission of containers wishing to share the host network namespace (Automated)",id:"525-minimize-the-admission-of-containers-wishing-to-share-the-host-network-namespace-automated",level:3},{value:"5.2.6 Minimize the admission of containers with allowPrivilegeEscalation (Automated)",id:"526-minimize-the-admission-of-containers-with-allowprivilegeescalation-automated",level:3},{value:"5.2.7 Minimize the admission of root containers (Automated)",id:"527-minimize-the-admission-of-root-containers-automated",level:3},{value:"5.2.8 Minimize the admission of containers with the NET_RAW capability (Automated)",id:"528-minimize-the-admission-of-containers-with-the-net_raw-capability-automated",level:3},{value:"5.2.9 Minimize the admission of containers with added capabilities (Automated)",id:"529-minimize-the-admission-of-containers-with-added-capabilities-automated",level:3},{value:"5.2.10 Minimize the admission of containers with capabilities assigned (Manual)",id:"5210-minimize-the-admission-of-containers-with-capabilities-assigned-manual",level:3},{value:"5.2.11 Minimize the admission of Windows HostProcess containers (Manual)",id:"5211-minimize-the-admission-of-windows-hostprocess-containers-manual",level:3},{value:"5.2.12 Minimize the admission of HostPath volumes (Manual)",id:"5212-minimize-the-admission-of-hostpath-volumes-manual",level:3},{value:"5.2.13 Minimize the admission of containers which use HostPorts (Manual)",id:"5213-minimize-the-admission-of-containers-which-use-hostports-manual",level:3},{value:"5.3 Network Policies and CNI",id:"53-network-policies-and-cni",level:2},{value:"5.3.1 Ensure that the CNI in use supports NetworkPolicies (Manual)",id:"531-ensure-that-the-cni-in-use-supports-networkpolicies-manual",level:3},{value:"5.3.2 Ensure that all Namespaces have NetworkPolicies defined (Manual)",id:"532-ensure-that-all-namespaces-have-networkpolicies-defined-manual",level:3},{value:"5.4 Secrets Management",id:"54-secrets-management",level:2},{value:"5.4.1 Prefer using Secrets as files over Secrets as environment variables (Manual)",id:"541-prefer-using-secrets-as-files-over-secrets-as-environment-variables-manual",level:3},{value:"5.4.2 Consider external secret storage (Manual)",id:"542-consider-external-secret-storage-manual",level:3},{value:"5.5 Extensible Admission Control",id:"55-extensible-admission-control",level:2},{value:"5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)",id:"551-configure-image-provenance-using-imagepolicywebhook-admission-controller-manual",level:3},{value:"5.7 General Policies",id:"57-general-policies",level:2},{value:"5.7.1 Create administrative boundaries between resources using namespaces (Manual)",id:"571-create-administrative-boundaries-between-resources-using-namespaces-manual",level:3},{value:"5.7.2 Ensure that the seccomp profile is set to docker/default in your Pod definitions (Manual)",id:"572-ensure-that-the-seccomp-profile-is-set-to-dockerdefault-in-your-pod-definitions-manual",level:3},{value:"5.7.3 Apply SecurityContext to your Pods and Containers (Manual)",id:"573-apply-securitycontext-to-your-pods-and-containers-manual",level:3},{value:"5.7.4 The default namespace should not be used (Manual)",id:"574-the-default-namespace-should-not-be-used-manual",level:3}];function d(e){const r={a:"a",code:"code",h2:"h2",h3:"h3",li:"li",p:"p",pre:"pre",strong:"strong",ul:"ul",...(0,n.a)(),...e.components},{Details:t}=r;return t||function(e,r){throw new Error("Expected "+(r?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}("Details",!0),(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(r.h2,{id:"overview",children:"Overview"}),"\n",(0,s.jsxs)(r.p,{children:["This document is a companion to the ",(0,s.jsx)(r.a,{href:"/security/hardening-guide",children:"K3s security hardening guide"}),". The hardening guide provides prescriptive guidance for hardening a production installation of K3s, and this benchmark guide is meant to help you evaluate the level of security of the hardened cluster against each control in the CIS Kubernetes Benchmark. It is to be used by K3s operators, security teams, auditors, and decision-makers."]}),"\n",(0,s.jsxs)(r.p,{children:["This guide is specific to the ",(0,s.jsx)(r.strong,{children:"v1.24"})," release line of K3s and the ",(0,s.jsx)(r.strong,{children:"v1.24"})," release of the CIS Kubernetes Benchmark."]}),"\n",(0,s.jsxs)(r.p,{children:["For more information about each control, including detailed descriptions and remediations for failing tests, you can refer to the corresponding section of the CIS Kubernetes Benchmark v1.6. You can download the benchmark, after creating a free account, in ",(0,s.jsx)(r.a,{href:"https://www.cisecurity.org/benchmark/kubernetes/",children:"Center for Internet Security (CIS)"}),"."]}),"\n",(0,s.jsx)(r.h3,{id:"testing-controls-methodology",children:"Testing controls methodology"}),"\n",(0,s.jsx)(r.p,{children:"Each control in the CIS Kubernetes Benchmark was evaluated against a K3s cluster that was configured according to the accompanying hardening guide."}),"\n",(0,s.jsx)(r.p,{children:"Where control audits differ from the original CIS benchmark, the audit commands specific to K3s are provided for testing."}),"\n",(0,s.jsx)(r.p,{children:"These are the possible results for each control:"}),"\n",(0,s.jsxs)(r.ul,{children:["\n",(0,s.jsxs)(r.li,{children:[(0,s.jsx)(r.strong,{children:"Pass"})," - The K3s cluster under test passed the audit outlined in the benchmark."]}),"\n",(0,s.jsxs)(r.li,{children:[(0,s.jsx)(r.strong,{children:"Not Applicable"})," - The control is not applicable to K3s because of how it is designed to operate. The remediation section will explain why this is so."]}),"\n",(0,s.jsxs)(r.li,{children:[(0,s.jsx)(r.strong,{children:"Warn"})," - The control is manual in the CIS benchmark and it depends on the cluster's use case or some other factor that must be determined by the cluster operator. These controls have been evaluated to ensure K3s does not prevent their implementation, but no further configuration or auditing of the cluster under test has been performed."]}),"\n"]}),"\n",(0,s.jsx)(r.p,{children:'This guide makes the assumption that K3s is running as a Systemd unit. Your installation may vary and will require you to adjust the "audit" commands to fit your scenario.'}),"\n",(0,s.jsx)(r.h2,{id:"11-control-plane-node-configuration-files",children:"1.1 Control Plane Node Configuration Files"}),"\n",(0,s.jsx)(r.h3,{id:"111-ensure-that-the-api-server-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"By default, K3s embeds the api server within the k3s process. There is no API server pod specification file."}),"\n",(0,s.jsxs)(r.h3,{id:"112-ensure-that-the-api-server-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.2 Ensure that the API server pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"By default, K3s embeds the api server within the k3s process. There is no API server pod specification file."}),"\n",(0,s.jsx)(r.h3,{id:"113-ensure-that-the-controller-manager-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.3 Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"By default, K3s embeds the controller manager within the k3s process. There is no controller manager pod specification file."}),"\n",(0,s.jsxs)(r.h3,{id:"114-ensure-that-the-controller-manager-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.4 Ensure that the controller manager pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"By default, K3s embeds the controller manager within the k3s process. There is no controller manager pod specification file."}),"\n",(0,s.jsx)(r.h3,{id:"115-ensure-that-the-scheduler-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.5 Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"By default, K3s embeds the scheduler within the k3s process. There is no scheduler pod specification file."}),"\n",(0,s.jsxs)(r.h3,{id:"116-ensure-that-the-scheduler-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.6 Ensure that the scheduler pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"By default, K3s embeds the scheduler within the k3s process. There is no scheduler pod specification file."}),"\n",(0,s.jsx)(r.h3,{id:"117-ensure-that-the-etcd-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.7 Ensure that the etcd pod specification file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"By default, K3s embeds etcd within the k3s process. There is no etcd pod specification file."}),"\n",(0,s.jsxs)(r.h3,{id:"118-ensure-that-the-etcd-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.8 Ensure that the etcd pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"By default, K3s embeds etcd within the k3s process. There is no etcd pod specification file."}),"\n",(0,s.jsx)(r.h3,{id:"119-ensure-that-the-container-network-interface-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.9 Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"The default K3s CNI, flannel, does not create any files in /var/lib/cni/networks."}),"\n",(0,s.jsxs)(r.h3,{id:"1110-ensure-that-the-container-network-interface-file-ownership-is-set-to-root-manual",children:["1.1.10 Ensure that the Container Network Interface file ownership is set to root",":root"," (Manual)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"The default K3s CNI, flannel, does not create any files in /var/lib/cni/networks."}),"\n",(0,s.jsx)(r.h3,{id:"1111-ensure-that-the-etcd-data-directory-permissions-are-set-to-700-or-more-restrictive-automated",children:"1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'if [ "$(journalctl -u k3s | grep -m1 \'Managed etcd cluster\' | wc -l)" -gt 0 ]; then\n stat -c permissions=%a /var/lib/rancher/k3s/server/db/etcd\nelse\n echo "permissions=700"\nfi\n'})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 700, expected 700 or more restrictive"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions=700\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["On the etcd server node, get the etcd data directory, passed as an argument --data-dir,\nfrom the command 'ps -ef | grep etcd'.\nRun the below command (based on the etcd data directory found above). For example,\n",(0,s.jsx)(r.code,{children:"chmod 700 /var/lib/etcd"})]})]}),"\n",(0,s.jsxs)(r.h3,{id:"1112-ensure-that-the-etcd-data-directory-ownership-is-set-to-etcd-automated",children:["1.1.12 Ensure that the etcd data directory ownership is set to etcd",":etcd"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsxs)(r.p,{children:["For K3s, etcd is embedded within the k3s process. There is no separate etcd process.\nTherefore the etcd data directory ownership is managed by the k3s process and should be root",":root","."]}),"\n",(0,s.jsx)(r.h3,{id:"1113-ensure-that-the-adminconf-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.13 Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," INFO"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/server/cred/admin.kubeconfig"})]}),"\n",(0,s.jsxs)(r.h3,{id:"1114-ensure-that-the-adminconf-file-ownership-is-set-to-root-automated",children:["1.1.14 Ensure that the admin.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/admin.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/server/cred/admin.kubeconfig; fi'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is equal to 'root",":root","'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/server/cred/admin.kubeconfig"})]})]}),"\n",(0,s.jsx)(r.h3,{id:"1115-ensure-that-the-schedulerconf-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.15 Ensure that the scheduler.conf file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; fi'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,s.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig"})]})]}),"\n",(0,s.jsxs)(r.h3,{id:"1116-ensure-that-the-schedulerconf-file-ownership-is-set-to-root-automated",children:["1.1.16 Ensure that the scheduler.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; fi'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,s.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig"})]})]}),"\n",(0,s.jsx)(r.h3,{id:"1117-ensure-that-the-controller-managerconf-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.17 Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/controller.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/controller.kubeconfig; fi'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,s.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/server/cred/controller.kubeconfig"})]})]}),"\n",(0,s.jsxs)(r.h3,{id:"1118-ensure-that-the-controller-managerconf-file-ownership-is-set-to-root-automated",children:["1.1.18 Ensure that the controller-manager.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/server/tls\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is equal to 'root",":root","'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,s.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/server/cred/controller.kubeconfig"})]})]}),"\n",(0,s.jsxs)(r.h3,{id:"1119-ensure-that-the-kubernetes-pki-directory-and-file-ownership-is-set-to-root-automated",children:["1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"find /var/lib/rancher/k3s/server/tls | xargs stat -c %U:%G\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,s.jsx)(r.code,{children:"chown -R root:root /etc/kubernetes/pki/"})]})]}),"\n",(0,s.jsx)(r.h3,{id:"1120-ensure-that-the-kubernetes-pki-certificate-file-permissions-are-set-to-600-or-more-restrictive-manual",children:"1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the master node.\nFor example,\n",(0,s.jsx)(r.code,{children:"chmod -R 600 /var/lib/rancher/k3s/server/tls/*.crt"})]}),"\n",(0,s.jsx)(r.h3,{id:"1121-ensure-that-the-kubernetes-pki-key-file-permissions-are-set-to-600-automated",children:"1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'stat -c permissions=%a /var/lib/rancher/k3s/server/tls/*.key'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the master node.\nFor example,\n",(0,s.jsx)(r.code,{children:"chmod -R 600 /var/lib/rancher/k3s/server/tls/*.key"})]})]}),"\n",(0,s.jsx)(r.h2,{id:"12-api-server",children:"1.2 API Server"}),"\n",(0,s.jsx)(r.h3,{id:"121-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",children:"1.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'anonymous-auth'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--anonymous-auth' is equal to 'false'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the --anonymous-auth argument to false. If it is set to true,\nedit the K3s config file /etc/rancher/k3s/config.yaml and remove anything similar to below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "anonymous-auth=true"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"122-ensure-that-the---token-auth-file-parameter-is-not-set-automated",children:"1.2.2 Ensure that the --token-auth-file parameter is not set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--token-auth-file' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"Follow the documentation and configure alternate mechanisms for authentication.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove anything similar to below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "token-auth-file=<path>"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"123-ensure-that-the---denyserviceexternalips-is-not-set-automated",children:"1.2.3 Ensure that the --DenyServiceExternalIPs is not set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--enable-admission-plugins' does not have 'DenyServiceExternalIPs' OR '--enable-admission-plugins' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s does not set DenyServiceExternalIPs.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml, remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=DenyServiceExternalIPs"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"124-ensure-that-the---kubelet-https-argument-is-set-to-true-automated",children:"1.2.4 Ensure that the --kubelet-https argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," INFO"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and remove the --kubelet-https parameter."]}),"\n",(0,s.jsx)(r.h3,{id:"125-ensure-that-the---kubelet-client-certificate-and---kubelet-client-key-arguments-are-set-as-appropriate-automated",children:"1.2.5 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'kubelet-certificate-authority'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--kubelet-client-certificate' is present AND '--kubelet-client-key' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s automatically provides the kubelet client certificate and key.\nThey are generated and located at /var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt and /var/lib/rancher/k3s/server/tls/client-kube-apiserver.key\nIf for some reason you need to provide your own certificate and key, you can set the\nbelow parameters in the K3s config file /etc/rancher/k3s/config.yaml."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "kubelet-client-certificate=<path/to/client-cert-file>"\n - "kubelet-client-key=<path/to/client-key-file>"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"126-ensure-that-the---kubelet-certificate-authority-argument-is-set-as-appropriate-automated",children:"1.2.6 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'kubelet-certificate-authority'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--kubelet-certificate-authority' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"Follow the Kubernetes documentation and setup the TLS connection between\nthe apiserver and kubelets. Then, edit the API server pod specification file\n/etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the\n--kubelet-certificate-authority parameter to the path to the cert file for the certificate authority.\n--kubelet-certificate-authority=<ca-string>"})]}),"\n",(0,s.jsx)(r.h3,{id:"127-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",children:"1.2.7 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--authorization-mode' does not have 'AlwaysAllow'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s does not set the --authorization-mode to AlwaysAllow.\nIf this check fails, edit K3s config file /etc/rancher/k3s/config.yaml, remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "authorization-mode=AlwaysAllow"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"128-ensure-that-the---authorization-mode-argument-includes-node-automated",children:"1.2.8 Ensure that the --authorization-mode argument includes Node (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--authorization-mode' has 'Node'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the --authorization-mode to Node and RBAC.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml,\nensure that you are not overriding authorization-mode."})]}),"\n",(0,s.jsx)(r.h3,{id:"129-ensure-that-the---authorization-mode-argument-includes-rbac-automated",children:"1.2.9 Ensure that the --authorization-mode argument includes RBAC (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--authorization-mode' has 'RBAC'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the --authorization-mode to Node and RBAC.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml,\nensure that you are not overriding authorization-mode."})]}),"\n",(0,s.jsx)(r.h3,{id:"1210-ensure-that-the-admission-control-plugin-eventratelimit-is-set-manual",children:"1.2.10 Ensure that the admission control plugin EventRateLimit is set (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and set the desired limits in a configuration file.\nThen, edit the K3s config file /etc/rancher/k3s/config.yaml and set the below parameters."]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=...,EventRateLimit,..."\n - "admission-control-config-file=<path/to/configuration/file>"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1211-ensure-that-the-admission-control-plugin-alwaysadmit-is-not-set-automated",children:"1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--enable-admission-plugins' does not have 'AlwaysAdmit' OR '--enable-admission-plugins' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s does not set the --enable-admission-plugins to AlwaysAdmit.\nIf this check fails, edit K3s config file /etc/rancher/k3s/config.yaml, remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=AlwaysAdmit"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1212-ensure-that-the-admission-control-plugin-alwayspullimages-is-set-manual",children:"1.2.12 Ensure that the admission control plugin AlwaysPullImages is set (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),'\nPermissive, per CIS guidelines,\n"This setting could impact offline or isolated clusters, which have images pre-loaded and\ndo not have access to a registry to pull in-use images. This setting is not appropriate for\nclusters which use this configuration."\nEdit the K3s config file /etc/rancher/k3s/config.yaml and set the below parameter.']}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=...,AlwaysPullImages,..."\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1213-ensure-that-the-admission-control-plugin-securitycontextdeny-is-set-if-podsecuritypolicy-is-not-used-manual",children:"1.2.13 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--enable-admission-plugins' has 'SecurityContextDeny' OR '--enable-admission-plugins' has 'PodSecurityPolicy'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --enable-admission-plugins parameter to include\nSecurityContextDeny, unless PodSecurityPolicy is already in place.\n--enable-admission-plugins=...,SecurityContextDeny,..."})]}),"\n",(0,s.jsx)(r.h3,{id:"1214-ensure-that-the-admission-control-plugin-serviceaccount-is-set-automated",children:"1.2.14 Ensure that the admission control plugin ServiceAccount is set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'ServiceAccount'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--disable-admission-plugins' is present OR '--disable-admission-plugins' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s does not set the --disable-admission-plugins to anything.\nFollow the documentation and create ServiceAccount objects as per your environment.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "disable-admission-plugins=ServiceAccount"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1215-ensure-that-the-admission-control-plugin-namespacelifecycle-is-set-automated",children:"1.2.15 Ensure that the admission control plugin NamespaceLifecycle is set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--disable-admission-plugins' is present OR '--disable-admission-plugins' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s does not set the --disable-admission-plugins to anything.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "disable-admission-plugins=...,NamespaceLifecycle,..."\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1216-ensure-that-the-admission-control-plugin-noderestriction-is-set-automated",children:"1.2.16 Ensure that the admission control plugin NodeRestriction is set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--enable-admission-plugins' has 'NodeRestriction'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the --enable-admission-plugins to NodeRestriction.\nIf using the K3s config file /etc/rancher/k3s/config.yaml, check that you are not overriding the admission plugins.\nIf you are, include NodeRestriction in the list."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=...,NodeRestriction,..."\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1217-ensure-that-the---secure-port-argument-is-not-set-to-0-automated",children:"1.2.17 Ensure that the --secure-port argument is not set to 0 (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'secure-port'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--secure-port' is greater than 0 OR '--secure-port' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the secure port to 6444.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "secure-port=<PORT>"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1218-ensure-that-the---profiling-argument-is-set-to-false-automated",children:"1.2.18 Ensure that the --profiling argument is set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'profiling'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--profiling' is equal to 'false'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the --profiling argument to false.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "profiling=true"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1219-ensure-that-the---audit-log-path-argument-is-set-manual",children:"1.2.19 Ensure that the --audit-log-path argument is set (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'audit-log-path'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--audit-log-path' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml and set the audit-log-path parameter to a suitable path and\nfile where you would like audit logs to be written, for example,"}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1220-ensure-that-the---audit-log-maxage-argument-is-set-to-30-or-as-appropriate-automated",children:"1.2.20 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'audit-log-maxage'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--audit-log-maxage' is greater or equal to 30"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and\nset the audit-log-maxage parameter to 30 or as an appropriate number of days, for example,"}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "audit-log-maxage=30"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1221-ensure-that-the---audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate-automated",children:"1.2.21 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'audit-log-maxbackup'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--audit-log-maxbackup' is greater or equal to 10"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and\nset the audit-log-maxbackup parameter to 10 or to an appropriate value. For example,"}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "audit-log-maxbackup=10"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1222-ensure-that-the---audit-log-maxsize-argument-is-set-to-100-or-as-appropriate-automated",children:"1.2.22 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'audit-log-maxsize'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--audit-log-maxsize' is greater or equal to 100"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and\nset the audit-log-maxsize parameter to an appropriate size in MB. For example,"}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "audit-log-maxsize=100"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1223-ensure-that-the---request-timeout-argument-is-set-as-appropriate-manual",children:"1.2.23 Ensure that the --request-timeout argument is set as appropriate (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),'\nPermissive, per CIS guidelines,\n"it is recommended to set this limit as appropriate and change the default limit of 60 seconds only if needed".\nEdit the K3s config file /etc/rancher/k3s/config.yaml\nand set the below parameter if needed. For example,']}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "request-timeout=300s"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1224-ensure-that-the---service-account-lookup-argument-is-set-to-true-automated",children:"1.2.24 Ensure that the --service-account-lookup argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--service-account-lookup' is not present OR '--service-account-lookup' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s does not set the --service-account-lookup argument.\nEdit the K3s config file /etc/rancher/k3s/config.yaml and set the service-account-lookup. For example,"}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "service-account-lookup=true"\n'})}),(0,s.jsx)(r.p,{children:"Alternatively, you can delete the service-account-lookup parameter from this file so\nthat the default takes effect."})]}),"\n",(0,s.jsx)(r.h3,{id:"1225-ensure-that-the---service-account-key-file-argument-is-set-as-appropriate-automated",children:"1.2.25 Ensure that the --service-account-key-file argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'service-account-key-file'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--service-account-key-file' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"K3s automatically generates and sets the service account key file.\nIt is located at /var/lib/rancher/k3s/server/tls/service.key.\nIf this check fails, edit K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "service-account-key-file=<path>"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1226-ensure-that-the---etcd-certfile-and---etcd-keyfile-arguments-are-set-as-appropriate-automated",children:"1.2.26 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"if [ \"$(journalctl -u k3s | grep -m1 'Managed etcd cluster' | wc -l)\" -gt 0 ]; then\n journalctl -D /var/log/journal -u k3s | grep -m1 'Running kube-apiserver' | tail -n1\nelse\n echo \"--etcd-certfile AND --etcd-keyfile\"\nfi\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--etcd-certfile' is present AND '--etcd-keyfile' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"K3s automatically generates and sets the etcd certificate and key files.\nThey are located at /var/lib/rancher/k3s/server/tls/etcd/client.crt and /var/lib/rancher/k3s/server/tls/etcd/client.key.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "etcd-certfile=<path>"\n - "etcd-keyfile=<path>"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1227-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",children:"1.2.27 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep -A1 'Running kube-apiserver' | tail -n2\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--tls-cert-file' is present AND '--tls-private-key-file' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\nAug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s automatically generates and provides the TLS certificate and private key for the apiserver.\nThey are generated and located at /var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt and /var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "tls-cert-file=<path>"\n - "tls-private-key-file=<path>"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1228-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",children:"1.2.28 Ensure that the --client-ca-file argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'client-ca-file'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--client-ca-file' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s automatically provides the client certificate authority file.\nIt is generated and located at /var/lib/rancher/k3s/server/tls/client-ca.crt.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "client-ca-file=<path>"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1229-ensure-that-the---etcd-cafile-argument-is-set-as-appropriate-automated",children:"1.2.29 Ensure that the --etcd-cafile argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'etcd-cafile'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--etcd-cafile' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s automatically provides the etcd certificate authority file.\nIt is generated and located at /var/lib/rancher/k3s/server/tls/client-ca.crt.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "etcd-cafile=<path>"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1230-ensure-that-the---encryption-provider-config-argument-is-set-as-appropriate-manual",children:"1.2.30 Ensure that the --encryption-provider-config argument is set as appropriate (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'encryption-provider-config'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--encryption-provider-config' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"K3s can be configured to use encryption providers to encrypt secrets at rest.\nEdit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and set the below parameter.\nsecrets-encryption: true\nSecrets encryption can then be managed with the k3s secrets-encrypt command line tool.\nIf needed, you can find the generated encryption config at /var/lib/rancher/k3s/server/cred/encryption-config.json."})]}),"\n",(0,s.jsx)(r.h3,{id:"1231-ensure-that-encryption-providers-are-appropriately-configured-manual",children:"1.2.31 Ensure that encryption providers are appropriately configured (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"ENCRYPTION_PROVIDER_CONFIG=$(journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -- --encryption-provider-config | sed 's%.*encryption-provider-config[= ]\\([^ ]*\\).*%\\1%')\nif test -e $ENCRYPTION_PROVIDER_CONFIG; then grep -o 'providers\\\"\\:\\[.*\\]' $ENCRYPTION_PROVIDER_CONFIG | grep -o \"[A-Za-z]*\" | head -2 | tail -1 | sed 's/^/provider=/'; fi\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," 'provider' contains valid elements from 'aescbc,kms,secretbox'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"provider=aescbc\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"K3s can be configured to use encryption providers to encrypt secrets at rest. K3s will utilize the aescbc provider.\nEdit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and set the below parameter.\nsecrets-encryption: true\nSecrets encryption can then be managed with the k3s secrets-encrypt command line tool.\nIf needed, you can find the generated encryption config at /var/lib/rancher/k3s/server/cred/encryption-config.json"})]}),"\n",(0,s.jsx)(r.h3,{id:"1232-ensure-that-the-api-server-only-makes-use-of-strong-cryptographic-ciphers-automated",children:"1.2.32 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'tls-cipher-suites'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--tls-cipher-suites' contains valid elements from 'TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["By default, the K3s kube-apiserver complies with this test. Changes to these values may cause regression, therefore ensure that all apiserver clients support the new TLS configuration before applying it in production deployments.\nIf a custom TLS configuration is required, consider also creating a custom version of this rule that aligns with your requirements.\nIf this check fails, remove any custom configuration around ",(0,s.jsx)(r.code,{children:"tls-cipher-suites"})," or update the /etc/rancher/k3s/config.yaml file to match the default by adding the following:"]}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"\n'})})]}),"\n",(0,s.jsx)(r.h2,{id:"13-controller-manager",children:"1.3 Controller Manager"}),"\n",(0,s.jsx)(r.h3,{id:"131-ensure-that-the---terminated-pod-gc-threshold-argument-is-set-as-appropriate-manual",children:"1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'terminated-pod-gc-threshold'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--terminated-pod-gc-threshold' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node\nand set the --terminated-pod-gc-threshold to an appropriate threshold,"}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "terminated-pod-gc-threshold=10"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"132-ensure-that-the---profiling-argument-is-set-to-false-automated",children:"1.3.2 Ensure that the --profiling argument is set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'profiling'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--profiling' is equal to 'false'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the --profiling argument to false.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "profiling=true"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"133-ensure-that-the---use-service-account-credentials-argument-is-set-to-true-automated",children:"1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'use-service-account-credentials'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--use-service-account-credentials' is not equal to 'false'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the --use-service-account-credentials argument to true.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "use-service-account-credentials=false"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"134-ensure-that-the---service-account-private-key-file-argument-is-set-as-appropriate-automated",children:"1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'service-account-private-key-file'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--service-account-private-key-file' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s automatically provides the service account private key file.\nIt is generated and located at /var/lib/rancher/k3s/server/tls/service.current.key.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "service-account-private-key-file=<path>"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"135-ensure-that-the---root-ca-file-argument-is-set-as-appropriate-automated",children:"1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'root-ca-file'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--root-ca-file' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s automatically provides the root CA file.\nIt is generated and located at /var/lib/rancher/k3s/server/tls/server-ca.crt.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "root-ca-file=<path>"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"136-ensure-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",children:"1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--feature-gates' does not have 'RotateKubeletServerCertificate=false' OR '--feature-gates' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s does not set the RotateKubeletServerCertificate feature gate.\nIf you have enabled this feature gate, you should remove it.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml, remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "feature-gate=RotateKubeletServerCertificate"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"137-ensure-that-the---bind-address-argument-is-set-to-127001-automated",children:"1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'bind-address'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--bind-address' is equal to '127.0.0.1' OR '--bind-address' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the --bind-address argument to 127.0.0.1\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "bind-address=<IP>"\n'})})]}),"\n",(0,s.jsx)(r.h2,{id:"14-scheduler",children:"1.4 Scheduler"}),"\n",(0,s.jsx)(r.h3,{id:"141-ensure-that-the---profiling-argument-is-set-to-false-automated",children:"1.4.1 Ensure that the --profiling argument is set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-scheduler' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--profiling' is equal to 'false'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the --profiling argument to false.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-scheduler-arg:\n - "profiling=true"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"142-ensure-that-the---bind-address-argument-is-set-to-127001-automated",children:"1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-scheduler' | tail -n1 | grep 'bind-address'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--bind-address' is equal to '127.0.0.1' OR '--bind-address' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the --bind-address argument to 127.0.0.1\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-scheduler-arg:\n - "bind-address=<IP>"\n'})})]}),"\n",(0,s.jsx)(r.h2,{id:"2-etcd-node-configuration",children:"2 Etcd Node Configuration"}),"\n",(0,s.jsx)(r.h3,{id:"21-ensure-that-the---cert-file-and---key-file-arguments-are-set-as-appropriate-automated",children:"2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '.client-transport-security.cert-file' is equal to '/var/lib/rancher/k3s/server/tls/etcd/server-client.crt' AND '.client-transport-security.key-file' is equal to '/var/lib/rancher/k3s/server/tls/etcd/server-client.key'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-ee1de912=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-ee1de912\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s generates cert and key files for etcd.\nThese are located in /var/lib/rancher/k3s/server/tls/etcd/.\nIf this check fails, ensure that the configuration file /var/lib/rancher/k3s/server/db/etcd/config\nhas not been modified to use custom cert and key files."})]}),"\n",(0,s.jsx)(r.h3,{id:"22-ensure-that-the---client-cert-auth-argument-is-set-to-true-automated",children:"2.2 Ensure that the --client-cert-auth argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '.client-transport-security.client-cert-auth' is equal to 'true'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-ee1de912=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-ee1de912\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s sets the --client-cert-auth parameter to true.\nIf this check fails, ensure that the configuration file /var/lib/rancher/k3s/server/db/etcd/config\nhas not been modified to disable client certificate authentication."})]}),"\n",(0,s.jsx)(r.h3,{id:"23-ensure-that-the---auto-tls-argument-is-not-set-to-true-automated",children:"2.3 Ensure that the --auto-tls argument is not set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '.client-transport-security.auto-tls' is present OR '.client-transport-security.auto-tls' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-ee1de912=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-ee1de912\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s does not set the --auto-tls parameter.\nIf this check fails, edit the etcd pod specification file /var/lib/rancher/k3s/server/db/etcd/config on the master\nnode and either remove the --auto-tls parameter or set it to false.\nclient-transport-security:\nauto-tls: false"})]}),"\n",(0,s.jsx)(r.h3,{id:"24-ensure-that-the---peer-cert-file-and---peer-key-file-arguments-are-set-as-appropriate-automated",children:"2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '.peer-transport-security.cert-file' is equal to '/var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt' AND '.peer-transport-security.key-file' is equal to '/var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-ee1de912=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-ee1de912\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s generates peer cert and key files for etcd.\nThese are located in /var/lib/rancher/k3s/server/tls/etcd/.\nIf this check fails, ensure that the configuration file /var/lib/rancher/k3s/server/db/etcd/config\nhas not been modified to use custom peer cert and key files."})]}),"\n",(0,s.jsx)(r.h3,{id:"25-ensure-that-the---peer-client-cert-auth-argument-is-set-to-true-automated",children:"2.5 Ensure that the --peer-client-cert-auth argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '.peer-transport-security.client-cert-auth' is equal to 'true'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-ee1de912=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-ee1de912\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s sets the --peer-cert-auth parameter to true.\nIf this check fails, ensure that the configuration file /var/lib/rancher/k3s/server/db/etcd/config\nhas not been modified to disable peer client certificate authentication."})]}),"\n",(0,s.jsx)(r.h3,{id:"26-ensure-that-the---peer-auto-tls-argument-is-not-set-to-true-automated",children:"2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '.peer-transport-security.auto-tls' is present OR '.peer-transport-security.auto-tls' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-ee1de912=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-ee1de912\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s does not set the --peer-auto-tls parameter.\nIf this check fails, edit the etcd pod specification file /var/lib/rancher/k3s/server/db/etcd/config on the master\nnode and either remove the --peer-auto-tls parameter or set it to false.\npeer-transport-security:\nauto-tls: false"})]}),"\n",(0,s.jsx)(r.h3,{id:"27-ensure-that-a-unique-certificate-authority-is-used-for-etcd-automated",children:"2.7 Ensure that a unique Certificate Authority is used for etcd (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '.peer-transport-security.trusted-ca-file' is equal to '/var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-ee1de912=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-ee1de912\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s generates a unique certificate authority for etcd.\nThis is located at /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt.\nIf this check fails, ensure that the configuration file /var/lib/rancher/k3s/server/db/etcd/config\nhas not been modified to use a shared certificate authority."})]}),"\n",(0,s.jsx)(r.h2,{id:"41-worker-node-configuration-files",children:"4.1 Worker Node Configuration Files"}),"\n",(0,s.jsx)(r.h3,{id:"411-ensure-that-the-kubelet-service-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"The kubelet is embedded in the k3s process. There is no kubelet service file, all configuration is passed in as arguments at runtime."}),"\n",(0,s.jsxs)(r.h3,{id:"412-ensure-that-the-kubelet-service-file-ownership-is-set-to-root-automated",children:["4.1.2 Ensure that the kubelet service file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"The kubelet is embedded in the k3s process. There is no kubelet service file, all configuration is passed in as arguments at runtime."}),"\n",(0,s.jsx)(r.h3,{id:"413-if-proxy-kubeconfig-file-exists-ensure-permissions-are-set-to-600-or-more-restrictive-automated",children:"4.1.3 If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; fi' \n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the each worker node.\nFor example,\n",(0,s.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig"})]})]}),"\n",(0,s.jsxs)(r.h3,{id:"414-if-proxy-kubeconfig-file-exists-ensure-ownership-is-set-to-root-automated",children:["4.1.4 If proxy kubeconfig file exists ensure ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the each worker node.\nFor example, ",(0,s.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig"})]})]}),"\n",(0,s.jsx)(r.h3,{id:"415-ensure-that-the---kubeconfig-kubeletconf-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/agent/kubelet.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/agent/kubelet.kubeconfig; fi' \n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the each worker node.\nFor example,\n",(0,s.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/agent/kubelet.kubeconfig"})]})]}),"\n",(0,s.jsxs)(r.h3,{id:"416-ensure-that-the---kubeconfig-kubeletconf-file-ownership-is-set-to-root-automated",children:["4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/agent/kubelet.kubeconfig\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is equal to 'root",":root","'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the each worker node.\nFor example,\n",(0,s.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/agent/kubelet.kubeconfig"})]})]}),"\n",(0,s.jsx)(r.h3,{id:"417-ensure-that-the-certificate-authorities-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"4.1.7 Ensure that the certificate authorities file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c permissions=%a /var/lib/rancher/k3s/agent/client-ca.crt\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the following command to modify the file permissions of the\n--client-ca-file ",(0,s.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/agent/client-ca.crt"})]})]}),"\n",(0,s.jsxs)(r.h3,{id:"418-ensure-that-the-client-certificate-authorities-file-ownership-is-set-to-root-automated",children:["4.1.8 Ensure that the client certificate authorities file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/agent/client-ca.crt\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is equal to 'root",":root","'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the following command to modify the ownership of the --client-ca-file.\n",(0,s.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/agent/client-ca.crt"})]})]}),"\n",(0,s.jsx)(r.h3,{id:"419-if-the-kubelet-configyaml-configuration-file-is-being-used-validate-permissions-set-to-600-or-more-restrictive-automated",children:"4.1.9 If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"The kubelet is embedded in the k3s process. There is no kubelet config file, all configuration is passed in as arguments at runtime."}),"\n",(0,s.jsxs)(r.h3,{id:"4110-if-the-kubelet-configyaml-configuration-file-is-being-used-validate-file-ownership-is-set-to-root-automated",children:["4.1.10 If the kubelet config.yaml configuration file is being used validate file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"The kubelet is embedded in the k3s process. There is no kubelet config file, all configuration is passed in as arguments at runtime."}),"\n",(0,s.jsx)(r.h2,{id:"42-kubelet",children:"4.2 Kubelet"}),"\n",(0,s.jsx)(r.h3,{id:"421-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",children:"4.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'/bin/sh -c \'if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "anonymous-auth" | grep -v grep; else echo "--anonymous-auth=false"; fi\' \n'})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--anonymous-auth' is equal to 'false'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the --anonymous-auth to false. If you have set this to a different value, you\nshould set it back to false. If using the K3s config file /etc/rancher/k3s/config.yaml, remove any lines similar to below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kubelet-arg:\n - "anonymous-auth=true"\n'})}),(0,s.jsx)(r.p,{children:'If using the command line, edit the K3s service file and remove the below argument.\n--kubelet-arg="anonymous-auth=true"\nBased on your system, restart the k3s service. For example,\nsystemctl daemon-reload\nsystemctl restart k3s.service'})]}),"\n",(0,s.jsx)(r.h3,{id:"422-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",children:"4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'/bin/sh -c \'if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "authorization-mode"; else echo "--authorization-mode=Webhook"; fi\' \n'})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--authorization-mode' does not have 'AlwaysAllow'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s does not set the --authorization-mode to AlwaysAllow.\nIf using the K3s config file /etc/rancher/k3s/config.yaml, remove any lines similar to below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kubelet-arg:\n - "authorization-mode=AlwaysAllow"\n'})}),(0,s.jsx)(r.p,{children:'If using the command line, edit the K3s service file and remove the below argument.\n--kubelet-arg="authorization-mode=AlwaysAllow"\nBased on your system, restart the k3s service. For example,\nsystemctl daemon-reload\nsystemctl restart k3s.service'})]}),"\n",(0,s.jsx)(r.h3,{id:"423-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",children:"4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'/bin/sh -c \'if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "client-ca-file"; else echo "--client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt"; fi\' \n'})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--client-ca-file' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s automatically provides the client ca certificate for the Kubelet.\nIt is generated and located at /var/lib/rancher/k3s/agent/client-ca.crt"})]}),"\n",(0,s.jsx)(r.h3,{id:"424-verify-that-the---read-only-port-argument-is-set-to-0-automated",children:"4.2.4 Verify that the --read-only-port argument is set to 0 (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--read-only-port' is equal to '0' OR '--read-only-port' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:06 server-0 k3s[2366]: time="2024-08-09T18:56:06Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the --read-only-port to 0. If you have set this to a different value, you\nshould set it back to 0. If using the K3s config file /etc/rancher/k3s/config.yaml, remove any lines similar to below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kubelet-arg:\n - "read-only-port=XXXX"\n'})}),(0,s.jsx)(r.p,{children:'If using the command line, edit the K3s service file and remove the below argument.\n--kubelet-arg="read-only-port=XXXX"\nBased on your system, restart the k3s service. For example,\nsystemctl daemon-reload\nsystemctl restart k3s.service'})]}),"\n",(0,s.jsx)(r.h3,{id:"425-ensure-that-the---streaming-connection-idle-timeout-argument-is-not-set-to-0-manual",children:"4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--streaming-connection-idle-timeout' is not equal to '0' OR '--streaming-connection-idle-timeout' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:06 server-0 k3s[2366]: time="2024-08-09T18:56:06Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"If using the K3s config file /etc/rancher/k3s/config.yaml, set the following parameter to an appropriate value."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kubelet-arg:\n - "streaming-connection-idle-timeout=5m"\n'})}),(0,s.jsx)(r.p,{children:'If using the command line, run K3s with --kubelet-arg="streaming-connection-idle-timeout=5m".\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service'})]}),"\n",(0,s.jsx)(r.h3,{id:"426-ensure-that-the---protect-kernel-defaults-argument-is-set-to-true-automated",children:"4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--protect-kernel-defaults' is equal to 'true'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:06 server-0 k3s[2366]: time="2024-08-09T18:56:06Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"If using the K3s config file /etc/rancher/k3s/config.yaml, set the following parameter.\nprotect-kernel-defaults: true\nIf using the command line, run K3s with --protect-kernel-defaults=true.\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service"})]}),"\n",(0,s.jsx)(r.h3,{id:"427-ensure-that-the---make-iptables-util-chains-argument-is-set-to-true-automated",children:"4.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--make-iptables-util-chains' is equal to 'true' OR '--make-iptables-util-chains' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:06 server-0 k3s[2366]: time="2024-08-09T18:56:06Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"If using the K3s config file /etc/rancher/k3s/config.yaml, set the following parameter."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kubelet-arg:\n - "make-iptables-util-chains=true"\n'})}),(0,s.jsx)(r.p,{children:'If using the command line, run K3s with --kubelet-arg="make-iptables-util-chains=true".\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service'})]}),"\n",(0,s.jsx)(r.h3,{id:"428-ensure-that-the---hostname-override-argument-is-not-set-automated",children:"4.2.8 Ensure that the --hostname-override argument is not set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"By default, K3s does set the --hostname-override argument. Per CIS guidelines, this is to comply\nwith cloud providers that require this flag to ensure that hostname matches node names."}),"\n",(0,s.jsx)(r.h3,{id:"429-ensure-that-the-eventrecordqps-argument-is-set-to-a-level-which-ensures-appropriate-event-capture-manual",children:"4.2.9 Ensure that the eventRecordQPS argument is set to a level which ensures appropriate event capture (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--event-qps' is equal to '0'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:06 server-0 k3s[2366]: time="2024-08-09T18:56:06Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the event-qps to 0. Should you wish to change this,\nIf using the K3s config file /etc/rancher/k3s/config.yaml, set the following parameter to an appropriate value."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kubelet-arg:\n - "event-qps=<value>"\n'})}),(0,s.jsx)(r.p,{children:'If using the command line, run K3s with --kubelet-arg="event-qps=<value>".\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service'})]}),"\n",(0,s.jsx)(r.h3,{id:"4210-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",children:"4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--tls-cert-file' is present AND '--tls-private-key-file' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:06 server-0 k3s[2366]: time="2024-08-09T18:56:06Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s automatically provides the TLS certificate and private key for the Kubelet.\nThey are generated and located at /var/lib/rancher/k3s/agent/serving-kubelet.crt and /var/lib/rancher/k3s/agent/serving-kubelet.key\nIf for some reason you need to provide your own certificate and key, you can set the\nbelow parameters in the K3s config file /etc/rancher/k3s/config.yaml."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kubelet-arg:\n - "tls-cert-file=<path/to/tls-cert-file>"\n - "tls-private-key-file=<path/to/tls-private-key-file>"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"4211-ensure-that-the---rotate-certificates-argument-is-not-set-to-false-automated",children:"4.2.11 Ensure that the --rotate-certificates argument is not set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--rotate-certificates' is present OR '--rotate-certificates' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:06 server-0 k3s[2366]: time="2024-08-09T18:56:06Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["By default, K3s does not set the --rotate-certificates argument. If you have set this flag with a value of ",(0,s.jsx)(r.code,{children:"false"}),", you should either set it to ",(0,s.jsx)(r.code,{children:"true"}),' or completely remove the flag.\nIf using the K3s config file /etc/rancher/k3s/config.yaml, remove any rotate-certificates parameter.\nIf using the command line, remove the K3s flag --kubelet-arg="rotate-certificates".\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service']})]}),"\n",(0,s.jsx)(r.h3,{id:"4212-verify-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",children:"4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," 'RotateKubeletServerCertificate' is present OR 'RotateKubeletServerCertificate' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:06 server-0 k3s[2366]: time="2024-08-09T18:56:06Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:'By default, K3s does not set the RotateKubeletServerCertificate feature gate.\nIf you have enabled this feature gate, you should remove it.\nIf using the K3s config file /etc/rancher/k3s/config.yaml, remove any feature-gate=RotateKubeletServerCertificate parameter.\nIf using the command line, remove the K3s flag --kubelet-arg="feature-gate=RotateKubeletServerCertificate".\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service'})]}),"\n",(0,s.jsx)(r.h3,{id:"4213-ensure-that-the-kubelet-only-makes-use-of-strong-cryptographic-ciphers-manual",children:"4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--tls-cipher-suites' contains valid elements from 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:06 server-0 k3s[2366]: time="2024-08-09T18:56:06Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["If using a K3s config file /etc/rancher/k3s/config.yaml, edit the file to set ",(0,s.jsx)(r.code,{children:"TLSCipherSuites"})," to"]}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kubelet-arg:\n - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"\n'})}),(0,s.jsx)(r.p,{children:'or to a subset of these values.\nIf using the command line, add the K3s flag --kubelet-arg="tls-cipher-suites=<same values as above>"\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service'})]}),"\n",(0,s.jsx)(r.h2,{id:"51-rbac-and-service-accounts",children:"5.1 RBAC and Service Accounts"}),"\n",(0,s.jsx)(r.h3,{id:"511-ensure-that-the-cluster-admin-role-is-only-used-where-required-manual",children:"5.1.1 Ensure that the cluster-admin role is only used where required (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIdentify all clusterrolebindings to the cluster-admin role. Check if they are used and\nif they need this role or if they could use a role with fewer privileges.\nWhere possible, first bind users to a lower privileged role and then remove the\nclusterrolebinding to the cluster-admin role :\nkubectl delete clusterrolebinding [name]"]}),"\n",(0,s.jsx)(r.h3,{id:"512-minimize-access-to-secrets-manual",children:"5.1.2 Minimize access to secrets (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove get, list and watch access to Secret objects in the cluster."]}),"\n",(0,s.jsx)(r.h3,{id:"513-minimize-wildcard-use-in-roles-and-clusterroles-manual",children:"5.1.3 Minimize wildcard use in Roles and ClusterRoles (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible replace any use of wildcards in clusterroles and roles with specific\nobjects or actions."]}),"\n",(0,s.jsx)(r.h3,{id:"514-minimize-access-to-create-pods-manual",children:"5.1.4 Minimize access to create pods (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove create access to pod objects in the cluster."]}),"\n",(0,s.jsx)(r.h3,{id:"515-ensure-that-default-service-accounts-are-not-actively-used-manual",children:"5.1.5 Ensure that default service accounts are not actively used. (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nCreate explicit service accounts wherever a Kubernetes workload requires specific access\nto the Kubernetes API server.\nModify the configuration of each default service account to include this value\nautomountServiceAccountToken: false"]}),"\n",(0,s.jsx)(r.h3,{id:"516-ensure-that-service-account-tokens-are-only-mounted-where-necessary-manual",children:"5.1.6 Ensure that Service Account Tokens are only mounted where necessary (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nModify the definition of pods and service accounts which do not need to mount service\naccount tokens to disable it."]}),"\n",(0,s.jsxs)(r.h3,{id:"517-avoid-use-of-system-group-manual",children:["5.1.7 Avoid use of system",":masters"," group (Manual)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRemove the system",":masters"," group from all users in the cluster."]}),"\n",(0,s.jsx)(r.h3,{id:"518-limit-use-of-the-bind-impersonate-and-escalate-permissions-in-the-kubernetes-cluster-manual",children:"5.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove the impersonate, bind and escalate rights from subjects."]}),"\n",(0,s.jsx)(r.h2,{id:"52-pod-security-standards",children:"5.2 Pod Security Standards"}),"\n",(0,s.jsx)(r.h3,{id:"521-ensure-that-the-cluster-has-at-least-one-active-policy-control-mechanism-in-place-manual",children:"5.2.1 Ensure that the cluster has at least one active policy control mechanism in place (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEnsure that either Pod Security Admission or an external policy control system is in place\nfor every namespace which contains user workloads."]}),"\n",(0,s.jsx)(r.h3,{id:"522-minimize-the-admission-of-privileged-containers-manual",children:"5.2.2 Minimize the admission of privileged containers (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of privileged containers."]}),"\n",(0,s.jsx)(r.h3,{id:"523-minimize-the-admission-of-containers-wishing-to-share-the-host-process-id-namespace-automated",children:"5.2.3 Minimize the admission of containers wishing to share the host process ID namespace (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of ",(0,s.jsx)(r.code,{children:"hostPID"})," containers."]}),"\n",(0,s.jsx)(r.h3,{id:"524-minimize-the-admission-of-containers-wishing-to-share-the-host-ipc-namespace-automated",children:"5.2.4 Minimize the admission of containers wishing to share the host IPC namespace (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of ",(0,s.jsx)(r.code,{children:"hostIPC"})," containers."]}),"\n",(0,s.jsx)(r.h3,{id:"525-minimize-the-admission-of-containers-wishing-to-share-the-host-network-namespace-automated",children:"5.2.5 Minimize the admission of containers wishing to share the host network namespace (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of ",(0,s.jsx)(r.code,{children:"hostNetwork"})," containers."]}),"\n",(0,s.jsx)(r.h3,{id:"526-minimize-the-admission-of-containers-with-allowprivilegeescalation-automated",children:"5.2.6 Minimize the admission of containers with allowPrivilegeEscalation (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers with ",(0,s.jsx)(r.code,{children:".spec.allowPrivilegeEscalation"})," set to ",(0,s.jsx)(r.code,{children:"true"}),"."]}),"\n",(0,s.jsx)(r.h3,{id:"527-minimize-the-admission-of-root-containers-automated",children:"5.2.7 Minimize the admission of root containers (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nCreate a policy for each namespace in the cluster, ensuring that either ",(0,s.jsx)(r.code,{children:"MustRunAsNonRoot"}),"\nor ",(0,s.jsx)(r.code,{children:"MustRunAs"})," with the range of UIDs not including 0, is set."]}),"\n",(0,s.jsx)(r.h3,{id:"528-minimize-the-admission-of-containers-with-the-net_raw-capability-automated",children:"5.2.8 Minimize the admission of containers with the NET_RAW capability (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers with the ",(0,s.jsx)(r.code,{children:"NET_RAW"})," capability."]}),"\n",(0,s.jsx)(r.h3,{id:"529-minimize-the-admission-of-containers-with-added-capabilities-automated",children:"5.2.9 Minimize the admission of containers with added capabilities (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEnsure that ",(0,s.jsx)(r.code,{children:"allowedCapabilities"})," is not present in policies for the cluster unless\nit is set to an empty array."]}),"\n",(0,s.jsx)(r.h3,{id:"5210-minimize-the-admission-of-containers-with-capabilities-assigned-manual",children:"5.2.10 Minimize the admission of containers with capabilities assigned (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nReview the use of capabilities in applications running on your cluster. Where a namespace\ncontains applications which do not require any Linux capabities to operate consider adding\na PSP which forbids the admission of containers which do not drop all capabilities."]}),"\n",(0,s.jsx)(r.h3,{id:"5211-minimize-the-admission-of-windows-hostprocess-containers-manual",children:"5.2.11 Minimize the admission of Windows HostProcess containers (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers that have ",(0,s.jsx)(r.code,{children:".securityContext.windowsOptions.hostProcess"})," set to ",(0,s.jsx)(r.code,{children:"true"}),"."]}),"\n",(0,s.jsx)(r.h3,{id:"5212-minimize-the-admission-of-hostpath-volumes-manual",children:"5.2.12 Minimize the admission of HostPath volumes (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers with ",(0,s.jsx)(r.code,{children:"hostPath"})," volumes."]}),"\n",(0,s.jsx)(r.h3,{id:"5213-minimize-the-admission-of-containers-which-use-hostports-manual",children:"5.2.13 Minimize the admission of containers which use HostPorts (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers which use ",(0,s.jsx)(r.code,{children:"hostPort"})," sections."]}),"\n",(0,s.jsx)(r.h2,{id:"53-network-policies-and-cni",children:"5.3 Network Policies and CNI"}),"\n",(0,s.jsx)(r.h3,{id:"531-ensure-that-the-cni-in-use-supports-networkpolicies-manual",children:"5.3.1 Ensure that the CNI in use supports NetworkPolicies (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf the CNI plugin in use does not support network policies, consideration should be given to\nmaking use of a different plugin, or finding an alternate mechanism for restricting traffic\nin the Kubernetes cluster."]}),"\n",(0,s.jsx)(r.h3,{id:"532-ensure-that-all-namespaces-have-networkpolicies-defined-manual",children:"5.3.2 Ensure that all Namespaces have NetworkPolicies defined (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the documentation and create NetworkPolicy objects as you need them."]}),"\n",(0,s.jsx)(r.h2,{id:"54-secrets-management",children:"5.4 Secrets Management"}),"\n",(0,s.jsx)(r.h3,{id:"541-prefer-using-secrets-as-files-over-secrets-as-environment-variables-manual",children:"5.4.1 Prefer using Secrets as files over Secrets as environment variables (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf possible, rewrite application code to read Secrets from mounted secret files, rather than\nfrom environment variables."]}),"\n",(0,s.jsx)(r.h3,{id:"542-consider-external-secret-storage-manual",children:"5.4.2 Consider external secret storage (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRefer to the Secrets management options offered by your cloud provider or a third-party\nsecrets management solution."]}),"\n",(0,s.jsx)(r.h2,{id:"55-extensible-admission-control",children:"5.5 Extensible Admission Control"}),"\n",(0,s.jsx)(r.h3,{id:"551-configure-image-provenance-using-imagepolicywebhook-admission-controller-manual",children:"5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and setup image provenance."]}),"\n",(0,s.jsx)(r.h2,{id:"57-general-policies",children:"5.7 General Policies"}),"\n",(0,s.jsx)(r.h3,{id:"571-create-administrative-boundaries-between-resources-using-namespaces-manual",children:"5.7.1 Create administrative boundaries between resources using namespaces (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the documentation and create namespaces for objects in your deployment as you need\nthem."]}),"\n",(0,s.jsx)(r.h3,{id:"572-ensure-that-the-seccomp-profile-is-set-to-dockerdefault-in-your-pod-definitions-manual",children:"5.7.2 Ensure that the seccomp profile is set to docker/default in your Pod definitions (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nUse ",(0,s.jsx)(r.code,{children:"securityContext"})," to enable the docker/default seccomp profile in your pod definitions.\nAn example is as below:\nsecurityContext:\nseccompProfile:\ntype: RuntimeDefault"]}),"\n",(0,s.jsx)(r.h3,{id:"573-apply-securitycontext-to-your-pods-and-containers-manual",children:"5.7.3 Apply SecurityContext to your Pods and Containers (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and apply SecurityContexts to your Pods. For a\nsuggested list of SecurityContexts, you may refer to the CIS Security Benchmark for Docker\nContainers."]}),"\n",(0,s.jsx)(r.h3,{id:"574-the-default-namespace-should-not-be-used-manual",children:"5.7.4 The default namespace should not be used (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEnsure that namespaces are created to allow for appropriate segregation of Kubernetes\nresources and that all new resources are created in a specific namespace."]})]})}function u(e={}){const{wrapper:r}={...(0,n.a)(),...e.components};return r?(0,s.jsx)(r,{...e,children:(0,s.jsx)(d,{...e})}):d(e)}},1151:(e,r,t)=>{t.d(r,{Z:()=>l,a:()=>a});var s=t(7294);const n={},i=s.createContext(n);function a(e){const r=s.useContext(i);return s.useMemo((function(){return"function"==typeof e?e(r):{...r,...e}}),[r,e])}function l(e){let r;return r=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:a(e.components),s.createElement(i.Provider,{value:r},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/ab60f49a.ba2a036b.js b/assets/js/ab60f49a.ba2a036b.js new file mode 100644 index 000000000..841cdcf61 --- /dev/null +++ b/assets/js/ab60f49a.ba2a036b.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[3555],{2688:(e,r,t)=>{t.r(r),t.d(r,{assets:()=>c,contentTitle:()=>a,default:()=>u,frontMatter:()=>i,metadata:()=>l,toc:()=>o});var s=t(5893),n=t(1151);const i={title:"CIS 1.24 Self Assessment Guide"},a=void 0,l={id:"security/self-assessment-1.24",title:"CIS 1.24 Self Assessment Guide",description:"Overview",source:"@site/docs/security/self-assessment-1.24.md",sourceDirName:"security",slug:"/security/self-assessment-1.24",permalink:"/security/self-assessment-1.24",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/security/self-assessment-1.24.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"CIS 1.24 Self Assessment Guide"},sidebar:"mySidebar",previous:{title:"CIS 1.7 Self Assessment Guide",permalink:"/security/self-assessment-1.7"},next:{title:"CLI Tools",permalink:"/cli/"}},c={},o=[{value:"Overview",id:"overview",level:2},{value:"Testing controls methodology",id:"testing-controls-methodology",level:3},{value:"1.1 Control Plane Node Configuration Files",id:"11-control-plane-node-configuration-files",level:2},{value:"1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)",id:"111-ensure-that-the-api-server-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"1.1.2 Ensure that the API server pod specification file ownership is set to root (Automated)",id:"112-ensure-that-the-api-server-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.3 Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive (Automated)",id:"113-ensure-that-the-controller-manager-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.4 Ensure that the controller manager pod specification file ownership is set to root (Automated)",id:"114-ensure-that-the-controller-manager-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.5 Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive (Automated)",id:"115-ensure-that-the-scheduler-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.6 Ensure that the scheduler pod specification file ownership is set to root (Automated)",id:"116-ensure-that-the-scheduler-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.7 Ensure that the etcd pod specification file permissions are set to 600 or more restrictive (Automated)",id:"117-ensure-that-the-etcd-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.8 Ensure that the etcd pod specification file ownership is set to root (Automated)",id:"118-ensure-that-the-etcd-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.9 Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Automated)",id:"119-ensure-that-the-container-network-interface-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.10 Ensure that the Container Network Interface file ownership is set to root (Manual)",id:"1110-ensure-that-the-container-network-interface-file-ownership-is-set-to-root-manual",level:3},{value:"1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)",id:"1111-ensure-that-the-etcd-data-directory-permissions-are-set-to-700-or-more-restrictive-automated",level:3},{value:"1.1.12 Ensure that the etcd data directory ownership is set to etcd (Automated)",id:"1112-ensure-that-the-etcd-data-directory-ownership-is-set-to-etcd-automated",level:3},{value:"1.1.13 Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)",id:"1113-ensure-that-the-adminconf-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.14 Ensure that the admin.conf file ownership is set to root (Automated)",id:"1114-ensure-that-the-adminconf-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.15 Ensure that the scheduler.conf file permissions are set to 600 or more restrictive (Automated)",id:"1115-ensure-that-the-schedulerconf-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.16 Ensure that the scheduler.conf file ownership is set to root (Automated)",id:"1116-ensure-that-the-schedulerconf-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.17 Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive (Automated)",id:"1117-ensure-that-the-controller-managerconf-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.18 Ensure that the controller-manager.conf file ownership is set to root (Automated)",id:"1118-ensure-that-the-controller-managerconf-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root (Automated)",id:"1119-ensure-that-the-kubernetes-pki-directory-and-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Manual)",id:"1120-ensure-that-the-kubernetes-pki-certificate-file-permissions-are-set-to-600-or-more-restrictive-manual",level:3},{value:"1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Automated)",id:"1121-ensure-that-the-kubernetes-pki-key-file-permissions-are-set-to-600-automated",level:3},{value:"1.2 API Server",id:"12-api-server",level:2},{value:"1.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)",id:"121-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",level:3},{value:"1.2.2 Ensure that the --token-auth-file parameter is not set (Automated)",id:"122-ensure-that-the---token-auth-file-parameter-is-not-set-automated",level:3},{value:"1.2.3 Ensure that the --DenyServiceExternalIPs is not set (Automated)",id:"123-ensure-that-the---denyserviceexternalips-is-not-set-automated",level:3},{value:"1.2.4 Ensure that the --kubelet-https argument is set to true (Automated)",id:"124-ensure-that-the---kubelet-https-argument-is-set-to-true-automated",level:3},{value:"1.2.5 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)",id:"125-ensure-that-the---kubelet-client-certificate-and---kubelet-client-key-arguments-are-set-as-appropriate-automated",level:3},{value:"1.2.6 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)",id:"126-ensure-that-the---kubelet-certificate-authority-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.7 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)",id:"127-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",level:3},{value:"1.2.8 Ensure that the --authorization-mode argument includes Node (Automated)",id:"128-ensure-that-the---authorization-mode-argument-includes-node-automated",level:3},{value:"1.2.9 Ensure that the --authorization-mode argument includes RBAC (Automated)",id:"129-ensure-that-the---authorization-mode-argument-includes-rbac-automated",level:3},{value:"1.2.10 Ensure that the admission control plugin EventRateLimit is set (Manual)",id:"1210-ensure-that-the-admission-control-plugin-eventratelimit-is-set-manual",level:3},{value:"1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set (Automated)",id:"1211-ensure-that-the-admission-control-plugin-alwaysadmit-is-not-set-automated",level:3},{value:"1.2.12 Ensure that the admission control plugin AlwaysPullImages is set (Manual)",id:"1212-ensure-that-the-admission-control-plugin-alwayspullimages-is-set-manual",level:3},{value:"1.2.13 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)",id:"1213-ensure-that-the-admission-control-plugin-securitycontextdeny-is-set-if-podsecuritypolicy-is-not-used-manual",level:3},{value:"1.2.14 Ensure that the admission control plugin ServiceAccount is set (Automated)",id:"1214-ensure-that-the-admission-control-plugin-serviceaccount-is-set-automated",level:3},{value:"1.2.15 Ensure that the admission control plugin NamespaceLifecycle is set (Automated)",id:"1215-ensure-that-the-admission-control-plugin-namespacelifecycle-is-set-automated",level:3},{value:"1.2.16 Ensure that the admission control plugin NodeRestriction is set (Automated)",id:"1216-ensure-that-the-admission-control-plugin-noderestriction-is-set-automated",level:3},{value:"1.2.17 Ensure that the --secure-port argument is not set to 0 (Automated)",id:"1217-ensure-that-the---secure-port-argument-is-not-set-to-0-automated",level:3},{value:"1.2.18 Ensure that the --profiling argument is set to false (Automated)",id:"1218-ensure-that-the---profiling-argument-is-set-to-false-automated",level:3},{value:"1.2.19 Ensure that the --audit-log-path argument is set (Manual)",id:"1219-ensure-that-the---audit-log-path-argument-is-set-manual",level:3},{value:"1.2.20 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)",id:"1220-ensure-that-the---audit-log-maxage-argument-is-set-to-30-or-as-appropriate-automated",level:3},{value:"1.2.21 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)",id:"1221-ensure-that-the---audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate-automated",level:3},{value:"1.2.22 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)",id:"1222-ensure-that-the---audit-log-maxsize-argument-is-set-to-100-or-as-appropriate-automated",level:3},{value:"1.2.23 Ensure that the --request-timeout argument is set as appropriate (Manual)",id:"1223-ensure-that-the---request-timeout-argument-is-set-as-appropriate-manual",level:3},{value:"1.2.24 Ensure that the --service-account-lookup argument is set to true (Automated)",id:"1224-ensure-that-the---service-account-lookup-argument-is-set-to-true-automated",level:3},{value:"1.2.25 Ensure that the --service-account-key-file argument is set as appropriate (Automated)",id:"1225-ensure-that-the---service-account-key-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.26 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)",id:"1226-ensure-that-the---etcd-certfile-and---etcd-keyfile-arguments-are-set-as-appropriate-automated",level:3},{value:"1.2.27 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)",id:"1227-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"1.2.28 Ensure that the --client-ca-file argument is set as appropriate (Automated)",id:"1228-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.29 Ensure that the --etcd-cafile argument is set as appropriate (Automated)",id:"1229-ensure-that-the---etcd-cafile-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.30 Ensure that the --encryption-provider-config argument is set as appropriate (Manual)",id:"1230-ensure-that-the---encryption-provider-config-argument-is-set-as-appropriate-manual",level:3},{value:"1.2.31 Ensure that encryption providers are appropriately configured (Manual)",id:"1231-ensure-that-encryption-providers-are-appropriately-configured-manual",level:3},{value:"1.2.32 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Automated)",id:"1232-ensure-that-the-api-server-only-makes-use-of-strong-cryptographic-ciphers-automated",level:3},{value:"1.3 Controller Manager",id:"13-controller-manager",level:2},{value:"1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)",id:"131-ensure-that-the---terminated-pod-gc-threshold-argument-is-set-as-appropriate-manual",level:3},{value:"1.3.2 Ensure that the --profiling argument is set to false (Automated)",id:"132-ensure-that-the---profiling-argument-is-set-to-false-automated",level:3},{value:"1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated)",id:"133-ensure-that-the---use-service-account-credentials-argument-is-set-to-true-automated",level:3},{value:"1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)",id:"134-ensure-that-the---service-account-private-key-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated)",id:"135-ensure-that-the---root-ca-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)",id:"136-ensure-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",level:3},{value:"1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)",id:"137-ensure-that-the---bind-address-argument-is-set-to-127001-automated",level:3},{value:"1.4 Scheduler",id:"14-scheduler",level:2},{value:"1.4.1 Ensure that the --profiling argument is set to false (Automated)",id:"141-ensure-that-the---profiling-argument-is-set-to-false-automated",level:3},{value:"1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)",id:"142-ensure-that-the---bind-address-argument-is-set-to-127001-automated",level:3},{value:"2 Etcd Node Configuration",id:"2-etcd-node-configuration",level:2},{value:"2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)",id:"21-ensure-that-the---cert-file-and---key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"2.2 Ensure that the --client-cert-auth argument is set to true (Automated)",id:"22-ensure-that-the---client-cert-auth-argument-is-set-to-true-automated",level:3},{value:"2.3 Ensure that the --auto-tls argument is not set to true (Automated)",id:"23-ensure-that-the---auto-tls-argument-is-not-set-to-true-automated",level:3},{value:"2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)",id:"24-ensure-that-the---peer-cert-file-and---peer-key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"2.5 Ensure that the --peer-client-cert-auth argument is set to true (Automated)",id:"25-ensure-that-the---peer-client-cert-auth-argument-is-set-to-true-automated",level:3},{value:"2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated)",id:"26-ensure-that-the---peer-auto-tls-argument-is-not-set-to-true-automated",level:3},{value:"2.7 Ensure that a unique Certificate Authority is used for etcd (Automated)",id:"27-ensure-that-a-unique-certificate-authority-is-used-for-etcd-automated",level:3},{value:"4.1 Worker Node Configuration Files",id:"41-worker-node-configuration-files",level:2},{value:"4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive (Automated)",id:"411-ensure-that-the-kubelet-service-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.2 Ensure that the kubelet service file ownership is set to root (Automated)",id:"412-ensure-that-the-kubelet-service-file-ownership-is-set-to-root-automated",level:3},{value:"4.1.3 If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive (Automated)",id:"413-if-proxy-kubeconfig-file-exists-ensure-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.4 If proxy kubeconfig file exists ensure ownership is set to root (Automated)",id:"414-if-proxy-kubeconfig-file-exists-ensure-ownership-is-set-to-root-automated",level:3},{value:"4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive (Automated)",id:"415-ensure-that-the---kubeconfig-kubeletconf-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root (Automated)",id:"416-ensure-that-the---kubeconfig-kubeletconf-file-ownership-is-set-to-root-automated",level:3},{value:"4.1.7 Ensure that the certificate authorities file permissions are set to 600 or more restrictive (Automated)",id:"417-ensure-that-the-certificate-authorities-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.8 Ensure that the client certificate authorities file ownership is set to root (Automated)",id:"418-ensure-that-the-client-certificate-authorities-file-ownership-is-set-to-root-automated",level:3},{value:"4.1.9 If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive (Automated)",id:"419-if-the-kubelet-configyaml-configuration-file-is-being-used-validate-permissions-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.10 If the kubelet config.yaml configuration file is being used validate file ownership is set to root (Automated)",id:"4110-if-the-kubelet-configyaml-configuration-file-is-being-used-validate-file-ownership-is-set-to-root-automated",level:3},{value:"4.2 Kubelet",id:"42-kubelet",level:2},{value:"4.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)",id:"421-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",level:3},{value:"4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)",id:"422-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",level:3},{value:"4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)",id:"423-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",level:3},{value:"4.2.4 Verify that the --read-only-port argument is set to 0 (Automated)",id:"424-verify-that-the---read-only-port-argument-is-set-to-0-automated",level:3},{value:"4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)",id:"425-ensure-that-the---streaming-connection-idle-timeout-argument-is-not-set-to-0-manual",level:3},{value:"4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)",id:"426-ensure-that-the---protect-kernel-defaults-argument-is-set-to-true-automated",level:3},{value:"4.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Automated)",id:"427-ensure-that-the---make-iptables-util-chains-argument-is-set-to-true-automated",level:3},{value:"4.2.8 Ensure that the --hostname-override argument is not set (Automated)",id:"428-ensure-that-the---hostname-override-argument-is-not-set-automated",level:3},{value:"4.2.9 Ensure that the eventRecordQPS argument is set to a level which ensures appropriate event capture (Manual)",id:"429-ensure-that-the-eventrecordqps-argument-is-set-to-a-level-which-ensures-appropriate-event-capture-manual",level:3},{value:"4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)",id:"4210-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"4.2.11 Ensure that the --rotate-certificates argument is not set to false (Automated)",id:"4211-ensure-that-the---rotate-certificates-argument-is-not-set-to-false-automated",level:3},{value:"4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true (Automated)",id:"4212-verify-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",level:3},{value:"4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)",id:"4213-ensure-that-the-kubelet-only-makes-use-of-strong-cryptographic-ciphers-manual",level:3},{value:"5.1 RBAC and Service Accounts",id:"51-rbac-and-service-accounts",level:2},{value:"5.1.1 Ensure that the cluster-admin role is only used where required (Manual)",id:"511-ensure-that-the-cluster-admin-role-is-only-used-where-required-manual",level:3},{value:"5.1.2 Minimize access to secrets (Manual)",id:"512-minimize-access-to-secrets-manual",level:3},{value:"5.1.3 Minimize wildcard use in Roles and ClusterRoles (Manual)",id:"513-minimize-wildcard-use-in-roles-and-clusterroles-manual",level:3},{value:"5.1.4 Minimize access to create pods (Manual)",id:"514-minimize-access-to-create-pods-manual",level:3},{value:"5.1.5 Ensure that default service accounts are not actively used. (Manual)",id:"515-ensure-that-default-service-accounts-are-not-actively-used-manual",level:3},{value:"5.1.6 Ensure that Service Account Tokens are only mounted where necessary (Manual)",id:"516-ensure-that-service-account-tokens-are-only-mounted-where-necessary-manual",level:3},{value:"5.1.7 Avoid use of system group (Manual)",id:"517-avoid-use-of-system-group-manual",level:3},{value:"5.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)",id:"518-limit-use-of-the-bind-impersonate-and-escalate-permissions-in-the-kubernetes-cluster-manual",level:3},{value:"5.2 Pod Security Standards",id:"52-pod-security-standards",level:2},{value:"5.2.1 Ensure that the cluster has at least one active policy control mechanism in place (Manual)",id:"521-ensure-that-the-cluster-has-at-least-one-active-policy-control-mechanism-in-place-manual",level:3},{value:"5.2.2 Minimize the admission of privileged containers (Manual)",id:"522-minimize-the-admission-of-privileged-containers-manual",level:3},{value:"5.2.3 Minimize the admission of containers wishing to share the host process ID namespace (Automated)",id:"523-minimize-the-admission-of-containers-wishing-to-share-the-host-process-id-namespace-automated",level:3},{value:"5.2.4 Minimize the admission of containers wishing to share the host IPC namespace (Automated)",id:"524-minimize-the-admission-of-containers-wishing-to-share-the-host-ipc-namespace-automated",level:3},{value:"5.2.5 Minimize the admission of containers wishing to share the host network namespace (Automated)",id:"525-minimize-the-admission-of-containers-wishing-to-share-the-host-network-namespace-automated",level:3},{value:"5.2.6 Minimize the admission of containers with allowPrivilegeEscalation (Automated)",id:"526-minimize-the-admission-of-containers-with-allowprivilegeescalation-automated",level:3},{value:"5.2.7 Minimize the admission of root containers (Automated)",id:"527-minimize-the-admission-of-root-containers-automated",level:3},{value:"5.2.8 Minimize the admission of containers with the NET_RAW capability (Automated)",id:"528-minimize-the-admission-of-containers-with-the-net_raw-capability-automated",level:3},{value:"5.2.9 Minimize the admission of containers with added capabilities (Automated)",id:"529-minimize-the-admission-of-containers-with-added-capabilities-automated",level:3},{value:"5.2.10 Minimize the admission of containers with capabilities assigned (Manual)",id:"5210-minimize-the-admission-of-containers-with-capabilities-assigned-manual",level:3},{value:"5.2.11 Minimize the admission of Windows HostProcess containers (Manual)",id:"5211-minimize-the-admission-of-windows-hostprocess-containers-manual",level:3},{value:"5.2.12 Minimize the admission of HostPath volumes (Manual)",id:"5212-minimize-the-admission-of-hostpath-volumes-manual",level:3},{value:"5.2.13 Minimize the admission of containers which use HostPorts (Manual)",id:"5213-minimize-the-admission-of-containers-which-use-hostports-manual",level:3},{value:"5.3 Network Policies and CNI",id:"53-network-policies-and-cni",level:2},{value:"5.3.1 Ensure that the CNI in use supports NetworkPolicies (Manual)",id:"531-ensure-that-the-cni-in-use-supports-networkpolicies-manual",level:3},{value:"5.3.2 Ensure that all Namespaces have NetworkPolicies defined (Manual)",id:"532-ensure-that-all-namespaces-have-networkpolicies-defined-manual",level:3},{value:"5.4 Secrets Management",id:"54-secrets-management",level:2},{value:"5.4.1 Prefer using Secrets as files over Secrets as environment variables (Manual)",id:"541-prefer-using-secrets-as-files-over-secrets-as-environment-variables-manual",level:3},{value:"5.4.2 Consider external secret storage (Manual)",id:"542-consider-external-secret-storage-manual",level:3},{value:"5.5 Extensible Admission Control",id:"55-extensible-admission-control",level:2},{value:"5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)",id:"551-configure-image-provenance-using-imagepolicywebhook-admission-controller-manual",level:3},{value:"5.7 General Policies",id:"57-general-policies",level:2},{value:"5.7.1 Create administrative boundaries between resources using namespaces (Manual)",id:"571-create-administrative-boundaries-between-resources-using-namespaces-manual",level:3},{value:"5.7.2 Ensure that the seccomp profile is set to docker/default in your Pod definitions (Manual)",id:"572-ensure-that-the-seccomp-profile-is-set-to-dockerdefault-in-your-pod-definitions-manual",level:3},{value:"5.7.3 Apply SecurityContext to your Pods and Containers (Manual)",id:"573-apply-securitycontext-to-your-pods-and-containers-manual",level:3},{value:"5.7.4 The default namespace should not be used (Manual)",id:"574-the-default-namespace-should-not-be-used-manual",level:3}];function d(e){const r={a:"a",code:"code",h2:"h2",h3:"h3",li:"li",p:"p",pre:"pre",strong:"strong",ul:"ul",...(0,n.a)(),...e.components},{Details:t}=r;return t||function(e,r){throw new Error("Expected "+(r?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}("Details",!0),(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(r.h2,{id:"overview",children:"Overview"}),"\n",(0,s.jsxs)(r.p,{children:["This document is a companion to the ",(0,s.jsx)(r.a,{href:"/security/hardening-guide",children:"K3s security hardening guide"}),". The hardening guide provides prescriptive guidance for hardening a production installation of K3s, and this benchmark guide is meant to help you evaluate the level of security of the hardened cluster against each control in the CIS Kubernetes Benchmark. It is to be used by K3s operators, security teams, auditors, and decision-makers."]}),"\n",(0,s.jsxs)(r.p,{children:["This guide is specific to the ",(0,s.jsx)(r.strong,{children:"v1.24"})," release line of K3s and the ",(0,s.jsx)(r.strong,{children:"v1.24"})," release of the CIS Kubernetes Benchmark."]}),"\n",(0,s.jsxs)(r.p,{children:["For more information about each control, including detailed descriptions and remediations for failing tests, you can refer to the corresponding section of the CIS Kubernetes Benchmark v1.6. You can download the benchmark, after creating a free account, in ",(0,s.jsx)(r.a,{href:"https://www.cisecurity.org/benchmark/kubernetes/",children:"Center for Internet Security (CIS)"}),"."]}),"\n",(0,s.jsx)(r.h3,{id:"testing-controls-methodology",children:"Testing controls methodology"}),"\n",(0,s.jsx)(r.p,{children:"Each control in the CIS Kubernetes Benchmark was evaluated against a K3s cluster that was configured according to the accompanying hardening guide."}),"\n",(0,s.jsx)(r.p,{children:"Where control audits differ from the original CIS benchmark, the audit commands specific to K3s are provided for testing."}),"\n",(0,s.jsx)(r.p,{children:"These are the possible results for each control:"}),"\n",(0,s.jsxs)(r.ul,{children:["\n",(0,s.jsxs)(r.li,{children:[(0,s.jsx)(r.strong,{children:"Pass"})," - The K3s cluster under test passed the audit outlined in the benchmark."]}),"\n",(0,s.jsxs)(r.li,{children:[(0,s.jsx)(r.strong,{children:"Not Applicable"})," - The control is not applicable to K3s because of how it is designed to operate. The remediation section will explain why this is so."]}),"\n",(0,s.jsxs)(r.li,{children:[(0,s.jsx)(r.strong,{children:"Warn"})," - The control is manual in the CIS benchmark and it depends on the cluster's use case or some other factor that must be determined by the cluster operator. These controls have been evaluated to ensure K3s does not prevent their implementation, but no further configuration or auditing of the cluster under test has been performed."]}),"\n"]}),"\n",(0,s.jsx)(r.p,{children:'This guide makes the assumption that K3s is running as a Systemd unit. Your installation may vary and will require you to adjust the "audit" commands to fit your scenario.'}),"\n",(0,s.jsx)(r.h2,{id:"11-control-plane-node-configuration-files",children:"1.1 Control Plane Node Configuration Files"}),"\n",(0,s.jsx)(r.h3,{id:"111-ensure-that-the-api-server-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"By default, K3s embeds the api server within the k3s process. There is no API server pod specification file."}),"\n",(0,s.jsxs)(r.h3,{id:"112-ensure-that-the-api-server-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.2 Ensure that the API server pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"By default, K3s embeds the api server within the k3s process. There is no API server pod specification file."}),"\n",(0,s.jsx)(r.h3,{id:"113-ensure-that-the-controller-manager-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.3 Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"By default, K3s embeds the controller manager within the k3s process. There is no controller manager pod specification file."}),"\n",(0,s.jsxs)(r.h3,{id:"114-ensure-that-the-controller-manager-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.4 Ensure that the controller manager pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"By default, K3s embeds the controller manager within the k3s process. There is no controller manager pod specification file."}),"\n",(0,s.jsx)(r.h3,{id:"115-ensure-that-the-scheduler-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.5 Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"By default, K3s embeds the scheduler within the k3s process. There is no scheduler pod specification file."}),"\n",(0,s.jsxs)(r.h3,{id:"116-ensure-that-the-scheduler-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.6 Ensure that the scheduler pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"By default, K3s embeds the scheduler within the k3s process. There is no scheduler pod specification file."}),"\n",(0,s.jsx)(r.h3,{id:"117-ensure-that-the-etcd-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.7 Ensure that the etcd pod specification file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"By default, K3s embeds etcd within the k3s process. There is no etcd pod specification file."}),"\n",(0,s.jsxs)(r.h3,{id:"118-ensure-that-the-etcd-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.8 Ensure that the etcd pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"By default, K3s embeds etcd within the k3s process. There is no etcd pod specification file."}),"\n",(0,s.jsx)(r.h3,{id:"119-ensure-that-the-container-network-interface-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.9 Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"The default K3s CNI, flannel, does not create any files in /var/lib/cni/networks."}),"\n",(0,s.jsxs)(r.h3,{id:"1110-ensure-that-the-container-network-interface-file-ownership-is-set-to-root-manual",children:["1.1.10 Ensure that the Container Network Interface file ownership is set to root",":root"," (Manual)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"The default K3s CNI, flannel, does not create any files in /var/lib/cni/networks."}),"\n",(0,s.jsx)(r.h3,{id:"1111-ensure-that-the-etcd-data-directory-permissions-are-set-to-700-or-more-restrictive-automated",children:"1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'if [ "$(journalctl -u k3s | grep -m1 \'Managed etcd cluster\' | wc -l)" -gt 0 ]; then\n stat -c permissions=%a /var/lib/rancher/k3s/server/db/etcd\nelse\n echo "permissions=700"\nfi\n'})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 700, expected 700 or more restrictive"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions=700\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["On the etcd server node, get the etcd data directory, passed as an argument --data-dir,\nfrom the command 'ps -ef | grep etcd'.\nRun the below command (based on the etcd data directory found above). For example,\n",(0,s.jsx)(r.code,{children:"chmod 700 /var/lib/etcd"})]})]}),"\n",(0,s.jsxs)(r.h3,{id:"1112-ensure-that-the-etcd-data-directory-ownership-is-set-to-etcd-automated",children:["1.1.12 Ensure that the etcd data directory ownership is set to etcd",":etcd"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsxs)(r.p,{children:["For K3s, etcd is embedded within the k3s process. There is no separate etcd process.\nTherefore the etcd data directory ownership is managed by the k3s process and should be root",":root","."]}),"\n",(0,s.jsx)(r.h3,{id:"1113-ensure-that-the-adminconf-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.13 Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," INFO"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/server/cred/admin.kubeconfig"})]}),"\n",(0,s.jsxs)(r.h3,{id:"1114-ensure-that-the-adminconf-file-ownership-is-set-to-root-automated",children:["1.1.14 Ensure that the admin.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/admin.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/server/cred/admin.kubeconfig; fi'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is equal to 'root",":root","'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/server/cred/admin.kubeconfig"})]})]}),"\n",(0,s.jsx)(r.h3,{id:"1115-ensure-that-the-schedulerconf-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.15 Ensure that the scheduler.conf file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; fi'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,s.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig"})]})]}),"\n",(0,s.jsxs)(r.h3,{id:"1116-ensure-that-the-schedulerconf-file-ownership-is-set-to-root-automated",children:["1.1.16 Ensure that the scheduler.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; fi'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,s.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig"})]})]}),"\n",(0,s.jsx)(r.h3,{id:"1117-ensure-that-the-controller-managerconf-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.17 Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/controller.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/controller.kubeconfig; fi'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,s.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/server/cred/controller.kubeconfig"})]})]}),"\n",(0,s.jsxs)(r.h3,{id:"1118-ensure-that-the-controller-managerconf-file-ownership-is-set-to-root-automated",children:["1.1.18 Ensure that the controller-manager.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/server/tls\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is equal to 'root",":root","'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,s.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/server/cred/controller.kubeconfig"})]})]}),"\n",(0,s.jsxs)(r.h3,{id:"1119-ensure-that-the-kubernetes-pki-directory-and-file-ownership-is-set-to-root-automated",children:["1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"find /var/lib/rancher/k3s/server/tls | xargs stat -c %U:%G\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,s.jsx)(r.code,{children:"chown -R root:root /etc/kubernetes/pki/"})]})]}),"\n",(0,s.jsx)(r.h3,{id:"1120-ensure-that-the-kubernetes-pki-certificate-file-permissions-are-set-to-600-or-more-restrictive-manual",children:"1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the master node.\nFor example,\n",(0,s.jsx)(r.code,{children:"chmod -R 600 /var/lib/rancher/k3s/server/tls/*.crt"})]}),"\n",(0,s.jsx)(r.h3,{id:"1121-ensure-that-the-kubernetes-pki-key-file-permissions-are-set-to-600-automated",children:"1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'stat -c permissions=%a /var/lib/rancher/k3s/server/tls/*.key'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the master node.\nFor example,\n",(0,s.jsx)(r.code,{children:"chmod -R 600 /var/lib/rancher/k3s/server/tls/*.key"})]})]}),"\n",(0,s.jsx)(r.h2,{id:"12-api-server",children:"1.2 API Server"}),"\n",(0,s.jsx)(r.h3,{id:"121-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",children:"1.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'anonymous-auth'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--anonymous-auth' is equal to 'false'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the --anonymous-auth argument to false. If it is set to true,\nedit the K3s config file /etc/rancher/k3s/config.yaml and remove anything similar to below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "anonymous-auth=true"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"122-ensure-that-the---token-auth-file-parameter-is-not-set-automated",children:"1.2.2 Ensure that the --token-auth-file parameter is not set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--token-auth-file' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"Follow the documentation and configure alternate mechanisms for authentication.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove anything similar to below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "token-auth-file=<path>"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"123-ensure-that-the---denyserviceexternalips-is-not-set-automated",children:"1.2.3 Ensure that the --DenyServiceExternalIPs is not set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--enable-admission-plugins' does not have 'DenyServiceExternalIPs' OR '--enable-admission-plugins' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s does not set DenyServiceExternalIPs.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml, remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=DenyServiceExternalIPs"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"124-ensure-that-the---kubelet-https-argument-is-set-to-true-automated",children:"1.2.4 Ensure that the --kubelet-https argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," INFO"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and remove the --kubelet-https parameter."]}),"\n",(0,s.jsx)(r.h3,{id:"125-ensure-that-the---kubelet-client-certificate-and---kubelet-client-key-arguments-are-set-as-appropriate-automated",children:"1.2.5 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'kubelet-certificate-authority'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--kubelet-client-certificate' is present AND '--kubelet-client-key' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s automatically provides the kubelet client certificate and key.\nThey are generated and located at /var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt and /var/lib/rancher/k3s/server/tls/client-kube-apiserver.key\nIf for some reason you need to provide your own certificate and key, you can set the\nbelow parameters in the K3s config file /etc/rancher/k3s/config.yaml."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "kubelet-client-certificate=<path/to/client-cert-file>"\n - "kubelet-client-key=<path/to/client-key-file>"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"126-ensure-that-the---kubelet-certificate-authority-argument-is-set-as-appropriate-automated",children:"1.2.6 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'kubelet-certificate-authority'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--kubelet-certificate-authority' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"Follow the Kubernetes documentation and setup the TLS connection between\nthe apiserver and kubelets. Then, edit the API server pod specification file\n/etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the\n--kubelet-certificate-authority parameter to the path to the cert file for the certificate authority.\n--kubelet-certificate-authority=<ca-string>"})]}),"\n",(0,s.jsx)(r.h3,{id:"127-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",children:"1.2.7 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--authorization-mode' does not have 'AlwaysAllow'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s does not set the --authorization-mode to AlwaysAllow.\nIf this check fails, edit K3s config file /etc/rancher/k3s/config.yaml, remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "authorization-mode=AlwaysAllow"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"128-ensure-that-the---authorization-mode-argument-includes-node-automated",children:"1.2.8 Ensure that the --authorization-mode argument includes Node (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--authorization-mode' has 'Node'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the --authorization-mode to Node and RBAC.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml,\nensure that you are not overriding authorization-mode."})]}),"\n",(0,s.jsx)(r.h3,{id:"129-ensure-that-the---authorization-mode-argument-includes-rbac-automated",children:"1.2.9 Ensure that the --authorization-mode argument includes RBAC (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--authorization-mode' has 'RBAC'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the --authorization-mode to Node and RBAC.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml,\nensure that you are not overriding authorization-mode."})]}),"\n",(0,s.jsx)(r.h3,{id:"1210-ensure-that-the-admission-control-plugin-eventratelimit-is-set-manual",children:"1.2.10 Ensure that the admission control plugin EventRateLimit is set (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and set the desired limits in a configuration file.\nThen, edit the K3s config file /etc/rancher/k3s/config.yaml and set the below parameters."]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=...,EventRateLimit,..."\n - "admission-control-config-file=<path/to/configuration/file>"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1211-ensure-that-the-admission-control-plugin-alwaysadmit-is-not-set-automated",children:"1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--enable-admission-plugins' does not have 'AlwaysAdmit' OR '--enable-admission-plugins' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s does not set the --enable-admission-plugins to AlwaysAdmit.\nIf this check fails, edit K3s config file /etc/rancher/k3s/config.yaml, remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=AlwaysAdmit"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1212-ensure-that-the-admission-control-plugin-alwayspullimages-is-set-manual",children:"1.2.12 Ensure that the admission control plugin AlwaysPullImages is set (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),'\nPermissive, per CIS guidelines,\n"This setting could impact offline or isolated clusters, which have images pre-loaded and\ndo not have access to a registry to pull in-use images. This setting is not appropriate for\nclusters which use this configuration."\nEdit the K3s config file /etc/rancher/k3s/config.yaml and set the below parameter.']}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=...,AlwaysPullImages,..."\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1213-ensure-that-the-admission-control-plugin-securitycontextdeny-is-set-if-podsecuritypolicy-is-not-used-manual",children:"1.2.13 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--enable-admission-plugins' has 'SecurityContextDeny' OR '--enable-admission-plugins' has 'PodSecurityPolicy'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --enable-admission-plugins parameter to include\nSecurityContextDeny, unless PodSecurityPolicy is already in place.\n--enable-admission-plugins=...,SecurityContextDeny,..."})]}),"\n",(0,s.jsx)(r.h3,{id:"1214-ensure-that-the-admission-control-plugin-serviceaccount-is-set-automated",children:"1.2.14 Ensure that the admission control plugin ServiceAccount is set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'ServiceAccount'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--disable-admission-plugins' is present OR '--disable-admission-plugins' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s does not set the --disable-admission-plugins to anything.\nFollow the documentation and create ServiceAccount objects as per your environment.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "disable-admission-plugins=ServiceAccount"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1215-ensure-that-the-admission-control-plugin-namespacelifecycle-is-set-automated",children:"1.2.15 Ensure that the admission control plugin NamespaceLifecycle is set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--disable-admission-plugins' is present OR '--disable-admission-plugins' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s does not set the --disable-admission-plugins to anything.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "disable-admission-plugins=...,NamespaceLifecycle,..."\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1216-ensure-that-the-admission-control-plugin-noderestriction-is-set-automated",children:"1.2.16 Ensure that the admission control plugin NodeRestriction is set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--enable-admission-plugins' has 'NodeRestriction'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the --enable-admission-plugins to NodeRestriction.\nIf using the K3s config file /etc/rancher/k3s/config.yaml, check that you are not overriding the admission plugins.\nIf you are, include NodeRestriction in the list."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=...,NodeRestriction,..."\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1217-ensure-that-the---secure-port-argument-is-not-set-to-0-automated",children:"1.2.17 Ensure that the --secure-port argument is not set to 0 (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'secure-port'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--secure-port' is greater than 0 OR '--secure-port' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the secure port to 6444.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "secure-port=<PORT>"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1218-ensure-that-the---profiling-argument-is-set-to-false-automated",children:"1.2.18 Ensure that the --profiling argument is set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'profiling'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--profiling' is equal to 'false'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the --profiling argument to false.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "profiling=true"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1219-ensure-that-the---audit-log-path-argument-is-set-manual",children:"1.2.19 Ensure that the --audit-log-path argument is set (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'audit-log-path'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--audit-log-path' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml and set the audit-log-path parameter to a suitable path and\nfile where you would like audit logs to be written, for example,"}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1220-ensure-that-the---audit-log-maxage-argument-is-set-to-30-or-as-appropriate-automated",children:"1.2.20 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'audit-log-maxage'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--audit-log-maxage' is greater or equal to 30"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and\nset the audit-log-maxage parameter to 30 or as an appropriate number of days, for example,"}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "audit-log-maxage=30"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1221-ensure-that-the---audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate-automated",children:"1.2.21 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'audit-log-maxbackup'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--audit-log-maxbackup' is greater or equal to 10"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and\nset the audit-log-maxbackup parameter to 10 or to an appropriate value. For example,"}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "audit-log-maxbackup=10"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1222-ensure-that-the---audit-log-maxsize-argument-is-set-to-100-or-as-appropriate-automated",children:"1.2.22 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'audit-log-maxsize'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--audit-log-maxsize' is greater or equal to 100"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and\nset the audit-log-maxsize parameter to an appropriate size in MB. For example,"}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "audit-log-maxsize=100"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1223-ensure-that-the---request-timeout-argument-is-set-as-appropriate-manual",children:"1.2.23 Ensure that the --request-timeout argument is set as appropriate (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),'\nPermissive, per CIS guidelines,\n"it is recommended to set this limit as appropriate and change the default limit of 60 seconds only if needed".\nEdit the K3s config file /etc/rancher/k3s/config.yaml\nand set the below parameter if needed. For example,']}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "request-timeout=300s"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1224-ensure-that-the---service-account-lookup-argument-is-set-to-true-automated",children:"1.2.24 Ensure that the --service-account-lookup argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--service-account-lookup' is not present OR '--service-account-lookup' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s does not set the --service-account-lookup argument.\nEdit the K3s config file /etc/rancher/k3s/config.yaml and set the service-account-lookup. For example,"}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "service-account-lookup=true"\n'})}),(0,s.jsx)(r.p,{children:"Alternatively, you can delete the service-account-lookup parameter from this file so\nthat the default takes effect."})]}),"\n",(0,s.jsx)(r.h3,{id:"1225-ensure-that-the---service-account-key-file-argument-is-set-as-appropriate-automated",children:"1.2.25 Ensure that the --service-account-key-file argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'service-account-key-file'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--service-account-key-file' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"K3s automatically generates and sets the service account key file.\nIt is located at /var/lib/rancher/k3s/server/tls/service.key.\nIf this check fails, edit K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "service-account-key-file=<path>"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1226-ensure-that-the---etcd-certfile-and---etcd-keyfile-arguments-are-set-as-appropriate-automated",children:"1.2.26 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"if [ \"$(journalctl -u k3s | grep -m1 'Managed etcd cluster' | wc -l)\" -gt 0 ]; then\n journalctl -D /var/log/journal -u k3s | grep -m1 'Running kube-apiserver' | tail -n1\nelse\n echo \"--etcd-certfile AND --etcd-keyfile\"\nfi\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--etcd-certfile' is present AND '--etcd-keyfile' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"K3s automatically generates and sets the etcd certificate and key files.\nThey are located at /var/lib/rancher/k3s/server/tls/etcd/client.crt and /var/lib/rancher/k3s/server/tls/etcd/client.key.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "etcd-certfile=<path>"\n - "etcd-keyfile=<path>"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1227-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",children:"1.2.27 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep -A1 'Running kube-apiserver' | tail -n2\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--tls-cert-file' is present AND '--tls-private-key-file' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\nAug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s automatically generates and provides the TLS certificate and private key for the apiserver.\nThey are generated and located at /var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt and /var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "tls-cert-file=<path>"\n - "tls-private-key-file=<path>"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1228-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",children:"1.2.28 Ensure that the --client-ca-file argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'client-ca-file'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--client-ca-file' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s automatically provides the client certificate authority file.\nIt is generated and located at /var/lib/rancher/k3s/server/tls/client-ca.crt.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "client-ca-file=<path>"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1229-ensure-that-the---etcd-cafile-argument-is-set-as-appropriate-automated",children:"1.2.29 Ensure that the --etcd-cafile argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'etcd-cafile'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--etcd-cafile' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s automatically provides the etcd certificate authority file.\nIt is generated and located at /var/lib/rancher/k3s/server/tls/client-ca.crt.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "etcd-cafile=<path>"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1230-ensure-that-the---encryption-provider-config-argument-is-set-as-appropriate-manual",children:"1.2.30 Ensure that the --encryption-provider-config argument is set as appropriate (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'encryption-provider-config'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--encryption-provider-config' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"K3s can be configured to use encryption providers to encrypt secrets at rest.\nEdit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and set the below parameter.\nsecrets-encryption: true\nSecrets encryption can then be managed with the k3s secrets-encrypt command line tool.\nIf needed, you can find the generated encryption config at /var/lib/rancher/k3s/server/cred/encryption-config.json."})]}),"\n",(0,s.jsx)(r.h3,{id:"1231-ensure-that-encryption-providers-are-appropriately-configured-manual",children:"1.2.31 Ensure that encryption providers are appropriately configured (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"ENCRYPTION_PROVIDER_CONFIG=$(journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -- --encryption-provider-config | sed 's%.*encryption-provider-config[= ]\\([^ ]*\\).*%\\1%')\nif test -e $ENCRYPTION_PROVIDER_CONFIG; then grep -o 'providers\\\"\\:\\[.*\\]' $ENCRYPTION_PROVIDER_CONFIG | grep -o \"[A-Za-z]*\" | head -2 | tail -1 | sed 's/^/provider=/'; fi\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," 'provider' contains valid elements from 'aescbc,kms,secretbox'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"provider=aescbc\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"K3s can be configured to use encryption providers to encrypt secrets at rest. K3s will utilize the aescbc provider.\nEdit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and set the below parameter.\nsecrets-encryption: true\nSecrets encryption can then be managed with the k3s secrets-encrypt command line tool.\nIf needed, you can find the generated encryption config at /var/lib/rancher/k3s/server/cred/encryption-config.json"})]}),"\n",(0,s.jsx)(r.h3,{id:"1232-ensure-that-the-api-server-only-makes-use-of-strong-cryptographic-ciphers-automated",children:"1.2.32 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'tls-cipher-suites'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--tls-cipher-suites' contains valid elements from 'TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["By default, the K3s kube-apiserver complies with this test. Changes to these values may cause regression, therefore ensure that all apiserver clients support the new TLS configuration before applying it in production deployments.\nIf a custom TLS configuration is required, consider also creating a custom version of this rule that aligns with your requirements.\nIf this check fails, remove any custom configuration around ",(0,s.jsx)(r.code,{children:"tls-cipher-suites"})," or update the /etc/rancher/k3s/config.yaml file to match the default by adding the following:"]}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"\n'})})]}),"\n",(0,s.jsx)(r.h2,{id:"13-controller-manager",children:"1.3 Controller Manager"}),"\n",(0,s.jsx)(r.h3,{id:"131-ensure-that-the---terminated-pod-gc-threshold-argument-is-set-as-appropriate-manual",children:"1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'terminated-pod-gc-threshold'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--terminated-pod-gc-threshold' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node\nand set the --terminated-pod-gc-threshold to an appropriate threshold,"}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "terminated-pod-gc-threshold=10"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"132-ensure-that-the---profiling-argument-is-set-to-false-automated",children:"1.3.2 Ensure that the --profiling argument is set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'profiling'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--profiling' is equal to 'false'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the --profiling argument to false.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "profiling=true"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"133-ensure-that-the---use-service-account-credentials-argument-is-set-to-true-automated",children:"1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'use-service-account-credentials'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--use-service-account-credentials' is not equal to 'false'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the --use-service-account-credentials argument to true.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "use-service-account-credentials=false"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"134-ensure-that-the---service-account-private-key-file-argument-is-set-as-appropriate-automated",children:"1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'service-account-private-key-file'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--service-account-private-key-file' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s automatically provides the service account private key file.\nIt is generated and located at /var/lib/rancher/k3s/server/tls/service.current.key.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "service-account-private-key-file=<path>"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"135-ensure-that-the---root-ca-file-argument-is-set-as-appropriate-automated",children:"1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'root-ca-file'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--root-ca-file' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s automatically provides the root CA file.\nIt is generated and located at /var/lib/rancher/k3s/server/tls/server-ca.crt.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "root-ca-file=<path>"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"136-ensure-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",children:"1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--feature-gates' does not have 'RotateKubeletServerCertificate=false' OR '--feature-gates' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s does not set the RotateKubeletServerCertificate feature gate.\nIf you have enabled this feature gate, you should remove it.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml, remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "feature-gate=RotateKubeletServerCertificate"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"137-ensure-that-the---bind-address-argument-is-set-to-127001-automated",children:"1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'bind-address'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--bind-address' is equal to '127.0.0.1' OR '--bind-address' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the --bind-address argument to 127.0.0.1\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "bind-address=<IP>"\n'})})]}),"\n",(0,s.jsx)(r.h2,{id:"14-scheduler",children:"1.4 Scheduler"}),"\n",(0,s.jsx)(r.h3,{id:"141-ensure-that-the---profiling-argument-is-set-to-false-automated",children:"1.4.1 Ensure that the --profiling argument is set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-scheduler' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--profiling' is equal to 'false'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the --profiling argument to false.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-scheduler-arg:\n - "profiling=true"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"142-ensure-that-the---bind-address-argument-is-set-to-127001-automated",children:"1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-scheduler' | tail -n1 | grep 'bind-address'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--bind-address' is equal to '127.0.0.1' OR '--bind-address' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the --bind-address argument to 127.0.0.1\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-scheduler-arg:\n - "bind-address=<IP>"\n'})})]}),"\n",(0,s.jsx)(r.h2,{id:"2-etcd-node-configuration",children:"2 Etcd Node Configuration"}),"\n",(0,s.jsx)(r.h3,{id:"21-ensure-that-the---cert-file-and---key-file-arguments-are-set-as-appropriate-automated",children:"2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '.client-transport-security.cert-file' is equal to '/var/lib/rancher/k3s/server/tls/etcd/server-client.crt' AND '.client-transport-security.key-file' is equal to '/var/lib/rancher/k3s/server/tls/etcd/server-client.key'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-ee1de912=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-ee1de912\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s generates cert and key files for etcd.\nThese are located in /var/lib/rancher/k3s/server/tls/etcd/.\nIf this check fails, ensure that the configuration file /var/lib/rancher/k3s/server/db/etcd/config\nhas not been modified to use custom cert and key files."})]}),"\n",(0,s.jsx)(r.h3,{id:"22-ensure-that-the---client-cert-auth-argument-is-set-to-true-automated",children:"2.2 Ensure that the --client-cert-auth argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '.client-transport-security.client-cert-auth' is equal to 'true'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-ee1de912=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-ee1de912\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s sets the --client-cert-auth parameter to true.\nIf this check fails, ensure that the configuration file /var/lib/rancher/k3s/server/db/etcd/config\nhas not been modified to disable client certificate authentication."})]}),"\n",(0,s.jsx)(r.h3,{id:"23-ensure-that-the---auto-tls-argument-is-not-set-to-true-automated",children:"2.3 Ensure that the --auto-tls argument is not set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '.client-transport-security.auto-tls' is present OR '.client-transport-security.auto-tls' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-ee1de912=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-ee1de912\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s does not set the --auto-tls parameter.\nIf this check fails, edit the etcd pod specification file /var/lib/rancher/k3s/server/db/etcd/config on the master\nnode and either remove the --auto-tls parameter or set it to false.\nclient-transport-security:\nauto-tls: false"})]}),"\n",(0,s.jsx)(r.h3,{id:"24-ensure-that-the---peer-cert-file-and---peer-key-file-arguments-are-set-as-appropriate-automated",children:"2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '.peer-transport-security.cert-file' is equal to '/var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt' AND '.peer-transport-security.key-file' is equal to '/var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-ee1de912=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-ee1de912\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s generates peer cert and key files for etcd.\nThese are located in /var/lib/rancher/k3s/server/tls/etcd/.\nIf this check fails, ensure that the configuration file /var/lib/rancher/k3s/server/db/etcd/config\nhas not been modified to use custom peer cert and key files."})]}),"\n",(0,s.jsx)(r.h3,{id:"25-ensure-that-the---peer-client-cert-auth-argument-is-set-to-true-automated",children:"2.5 Ensure that the --peer-client-cert-auth argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '.peer-transport-security.client-cert-auth' is equal to 'true'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-ee1de912=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-ee1de912\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s sets the --peer-cert-auth parameter to true.\nIf this check fails, ensure that the configuration file /var/lib/rancher/k3s/server/db/etcd/config\nhas not been modified to disable peer client certificate authentication."})]}),"\n",(0,s.jsx)(r.h3,{id:"26-ensure-that-the---peer-auto-tls-argument-is-not-set-to-true-automated",children:"2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '.peer-transport-security.auto-tls' is present OR '.peer-transport-security.auto-tls' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-ee1de912=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-ee1de912\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s does not set the --peer-auto-tls parameter.\nIf this check fails, edit the etcd pod specification file /var/lib/rancher/k3s/server/db/etcd/config on the master\nnode and either remove the --peer-auto-tls parameter or set it to false.\npeer-transport-security:\nauto-tls: false"})]}),"\n",(0,s.jsx)(r.h3,{id:"27-ensure-that-a-unique-certificate-authority-is-used-for-etcd-automated",children:"2.7 Ensure that a unique Certificate Authority is used for etcd (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '.peer-transport-security.trusted-ca-file' is equal to '/var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-ee1de912=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-ee1de912\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s generates a unique certificate authority for etcd.\nThis is located at /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt.\nIf this check fails, ensure that the configuration file /var/lib/rancher/k3s/server/db/etcd/config\nhas not been modified to use a shared certificate authority."})]}),"\n",(0,s.jsx)(r.h2,{id:"41-worker-node-configuration-files",children:"4.1 Worker Node Configuration Files"}),"\n",(0,s.jsx)(r.h3,{id:"411-ensure-that-the-kubelet-service-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"The kubelet is embedded in the k3s process. There is no kubelet service file, all configuration is passed in as arguments at runtime."}),"\n",(0,s.jsxs)(r.h3,{id:"412-ensure-that-the-kubelet-service-file-ownership-is-set-to-root-automated",children:["4.1.2 Ensure that the kubelet service file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"The kubelet is embedded in the k3s process. There is no kubelet service file, all configuration is passed in as arguments at runtime."}),"\n",(0,s.jsx)(r.h3,{id:"413-if-proxy-kubeconfig-file-exists-ensure-permissions-are-set-to-600-or-more-restrictive-automated",children:"4.1.3 If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; fi' \n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the each worker node.\nFor example,\n",(0,s.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig"})]})]}),"\n",(0,s.jsxs)(r.h3,{id:"414-if-proxy-kubeconfig-file-exists-ensure-ownership-is-set-to-root-automated",children:["4.1.4 If proxy kubeconfig file exists ensure ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the each worker node.\nFor example, ",(0,s.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig"})]})]}),"\n",(0,s.jsx)(r.h3,{id:"415-ensure-that-the---kubeconfig-kubeletconf-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/agent/kubelet.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/agent/kubelet.kubeconfig; fi' \n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the each worker node.\nFor example,\n",(0,s.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/agent/kubelet.kubeconfig"})]})]}),"\n",(0,s.jsxs)(r.h3,{id:"416-ensure-that-the---kubeconfig-kubeletconf-file-ownership-is-set-to-root-automated",children:["4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/agent/kubelet.kubeconfig\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is equal to 'root",":root","'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the each worker node.\nFor example,\n",(0,s.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/agent/kubelet.kubeconfig"})]})]}),"\n",(0,s.jsx)(r.h3,{id:"417-ensure-that-the-certificate-authorities-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"4.1.7 Ensure that the certificate authorities file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c permissions=%a /var/lib/rancher/k3s/agent/client-ca.crt\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the following command to modify the file permissions of the\n--client-ca-file ",(0,s.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/agent/client-ca.crt"})]})]}),"\n",(0,s.jsxs)(r.h3,{id:"418-ensure-that-the-client-certificate-authorities-file-ownership-is-set-to-root-automated",children:["4.1.8 Ensure that the client certificate authorities file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/agent/client-ca.crt\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is equal to 'root",":root","'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the following command to modify the ownership of the --client-ca-file.\n",(0,s.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/agent/client-ca.crt"})]})]}),"\n",(0,s.jsx)(r.h3,{id:"419-if-the-kubelet-configyaml-configuration-file-is-being-used-validate-permissions-set-to-600-or-more-restrictive-automated",children:"4.1.9 If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"The kubelet is embedded in the k3s process. There is no kubelet config file, all configuration is passed in as arguments at runtime."}),"\n",(0,s.jsxs)(r.h3,{id:"4110-if-the-kubelet-configyaml-configuration-file-is-being-used-validate-file-ownership-is-set-to-root-automated",children:["4.1.10 If the kubelet config.yaml configuration file is being used validate file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"The kubelet is embedded in the k3s process. There is no kubelet config file, all configuration is passed in as arguments at runtime."}),"\n",(0,s.jsx)(r.h2,{id:"42-kubelet",children:"4.2 Kubelet"}),"\n",(0,s.jsx)(r.h3,{id:"421-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",children:"4.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'/bin/sh -c \'if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "anonymous-auth" | grep -v grep; else echo "--anonymous-auth=false"; fi\' \n'})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--anonymous-auth' is equal to 'false'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the --anonymous-auth to false. If you have set this to a different value, you\nshould set it back to false. If using the K3s config file /etc/rancher/k3s/config.yaml, remove any lines similar to below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kubelet-arg:\n - "anonymous-auth=true"\n'})}),(0,s.jsx)(r.p,{children:'If using the command line, edit the K3s service file and remove the below argument.\n--kubelet-arg="anonymous-auth=true"\nBased on your system, restart the k3s service. For example,\nsystemctl daemon-reload\nsystemctl restart k3s.service'})]}),"\n",(0,s.jsx)(r.h3,{id:"422-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",children:"4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'/bin/sh -c \'if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "authorization-mode"; else echo "--authorization-mode=Webhook"; fi\' \n'})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--authorization-mode' does not have 'AlwaysAllow'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s does not set the --authorization-mode to AlwaysAllow.\nIf using the K3s config file /etc/rancher/k3s/config.yaml, remove any lines similar to below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kubelet-arg:\n - "authorization-mode=AlwaysAllow"\n'})}),(0,s.jsx)(r.p,{children:'If using the command line, edit the K3s service file and remove the below argument.\n--kubelet-arg="authorization-mode=AlwaysAllow"\nBased on your system, restart the k3s service. For example,\nsystemctl daemon-reload\nsystemctl restart k3s.service'})]}),"\n",(0,s.jsx)(r.h3,{id:"423-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",children:"4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'/bin/sh -c \'if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "client-ca-file"; else echo "--client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt"; fi\' \n'})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--client-ca-file' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s automatically provides the client ca certificate for the Kubelet.\nIt is generated and located at /var/lib/rancher/k3s/agent/client-ca.crt"})]}),"\n",(0,s.jsx)(r.h3,{id:"424-verify-that-the---read-only-port-argument-is-set-to-0-automated",children:"4.2.4 Verify that the --read-only-port argument is set to 0 (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--read-only-port' is equal to '0' OR '--read-only-port' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:06 server-0 k3s[2366]: time="2024-08-09T18:56:06Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the --read-only-port to 0. If you have set this to a different value, you\nshould set it back to 0. If using the K3s config file /etc/rancher/k3s/config.yaml, remove any lines similar to below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kubelet-arg:\n - "read-only-port=XXXX"\n'})}),(0,s.jsx)(r.p,{children:'If using the command line, edit the K3s service file and remove the below argument.\n--kubelet-arg="read-only-port=XXXX"\nBased on your system, restart the k3s service. For example,\nsystemctl daemon-reload\nsystemctl restart k3s.service'})]}),"\n",(0,s.jsx)(r.h3,{id:"425-ensure-that-the---streaming-connection-idle-timeout-argument-is-not-set-to-0-manual",children:"4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--streaming-connection-idle-timeout' is not equal to '0' OR '--streaming-connection-idle-timeout' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:06 server-0 k3s[2366]: time="2024-08-09T18:56:06Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"If using the K3s config file /etc/rancher/k3s/config.yaml, set the following parameter to an appropriate value."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kubelet-arg:\n - "streaming-connection-idle-timeout=5m"\n'})}),(0,s.jsx)(r.p,{children:'If using the command line, run K3s with --kubelet-arg="streaming-connection-idle-timeout=5m".\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service'})]}),"\n",(0,s.jsx)(r.h3,{id:"426-ensure-that-the---protect-kernel-defaults-argument-is-set-to-true-automated",children:"4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--protect-kernel-defaults' is equal to 'true'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:06 server-0 k3s[2366]: time="2024-08-09T18:56:06Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"If using the K3s config file /etc/rancher/k3s/config.yaml, set the following parameter.\nprotect-kernel-defaults: true\nIf using the command line, run K3s with --protect-kernel-defaults=true.\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service"})]}),"\n",(0,s.jsx)(r.h3,{id:"427-ensure-that-the---make-iptables-util-chains-argument-is-set-to-true-automated",children:"4.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--make-iptables-util-chains' is equal to 'true' OR '--make-iptables-util-chains' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:06 server-0 k3s[2366]: time="2024-08-09T18:56:06Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"If using the K3s config file /etc/rancher/k3s/config.yaml, set the following parameter."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kubelet-arg:\n - "make-iptables-util-chains=true"\n'})}),(0,s.jsx)(r.p,{children:'If using the command line, run K3s with --kubelet-arg="make-iptables-util-chains=true".\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service'})]}),"\n",(0,s.jsx)(r.h3,{id:"428-ensure-that-the---hostname-override-argument-is-not-set-automated",children:"4.2.8 Ensure that the --hostname-override argument is not set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"By default, K3s does set the --hostname-override argument. Per CIS guidelines, this is to comply\nwith cloud providers that require this flag to ensure that hostname matches node names."}),"\n",(0,s.jsx)(r.h3,{id:"429-ensure-that-the-eventrecordqps-argument-is-set-to-a-level-which-ensures-appropriate-event-capture-manual",children:"4.2.9 Ensure that the eventRecordQPS argument is set to a level which ensures appropriate event capture (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--event-qps' is equal to '0'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:06 server-0 k3s[2366]: time="2024-08-09T18:56:06Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the event-qps to 0. Should you wish to change this,\nIf using the K3s config file /etc/rancher/k3s/config.yaml, set the following parameter to an appropriate value."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kubelet-arg:\n - "event-qps=<value>"\n'})}),(0,s.jsx)(r.p,{children:'If using the command line, run K3s with --kubelet-arg="event-qps=<value>".\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service'})]}),"\n",(0,s.jsx)(r.h3,{id:"4210-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",children:"4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--tls-cert-file' is present AND '--tls-private-key-file' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:06 server-0 k3s[2366]: time="2024-08-09T18:56:06Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s automatically provides the TLS certificate and private key for the Kubelet.\nThey are generated and located at /var/lib/rancher/k3s/agent/serving-kubelet.crt and /var/lib/rancher/k3s/agent/serving-kubelet.key\nIf for some reason you need to provide your own certificate and key, you can set the\nbelow parameters in the K3s config file /etc/rancher/k3s/config.yaml."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kubelet-arg:\n - "tls-cert-file=<path/to/tls-cert-file>"\n - "tls-private-key-file=<path/to/tls-private-key-file>"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"4211-ensure-that-the---rotate-certificates-argument-is-not-set-to-false-automated",children:"4.2.11 Ensure that the --rotate-certificates argument is not set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--rotate-certificates' is present OR '--rotate-certificates' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:06 server-0 k3s[2366]: time="2024-08-09T18:56:06Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["By default, K3s does not set the --rotate-certificates argument. If you have set this flag with a value of ",(0,s.jsx)(r.code,{children:"false"}),", you should either set it to ",(0,s.jsx)(r.code,{children:"true"}),' or completely remove the flag.\nIf using the K3s config file /etc/rancher/k3s/config.yaml, remove any rotate-certificates parameter.\nIf using the command line, remove the K3s flag --kubelet-arg="rotate-certificates".\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service']})]}),"\n",(0,s.jsx)(r.h3,{id:"4212-verify-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",children:"4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," 'RotateKubeletServerCertificate' is present OR 'RotateKubeletServerCertificate' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:06 server-0 k3s[2366]: time="2024-08-09T18:56:06Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:'By default, K3s does not set the RotateKubeletServerCertificate feature gate.\nIf you have enabled this feature gate, you should remove it.\nIf using the K3s config file /etc/rancher/k3s/config.yaml, remove any feature-gate=RotateKubeletServerCertificate parameter.\nIf using the command line, remove the K3s flag --kubelet-arg="feature-gate=RotateKubeletServerCertificate".\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service'})]}),"\n",(0,s.jsx)(r.h3,{id:"4213-ensure-that-the-kubelet-only-makes-use-of-strong-cryptographic-ciphers-manual",children:"4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--tls-cipher-suites' contains valid elements from 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:06 server-0 k3s[2366]: time="2024-08-09T18:56:06Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["If using a K3s config file /etc/rancher/k3s/config.yaml, edit the file to set ",(0,s.jsx)(r.code,{children:"TLSCipherSuites"})," to"]}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kubelet-arg:\n - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"\n'})}),(0,s.jsx)(r.p,{children:'or to a subset of these values.\nIf using the command line, add the K3s flag --kubelet-arg="tls-cipher-suites=<same values as above>"\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service'})]}),"\n",(0,s.jsx)(r.h2,{id:"51-rbac-and-service-accounts",children:"5.1 RBAC and Service Accounts"}),"\n",(0,s.jsx)(r.h3,{id:"511-ensure-that-the-cluster-admin-role-is-only-used-where-required-manual",children:"5.1.1 Ensure that the cluster-admin role is only used where required (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIdentify all clusterrolebindings to the cluster-admin role. Check if they are used and\nif they need this role or if they could use a role with fewer privileges.\nWhere possible, first bind users to a lower privileged role and then remove the\nclusterrolebinding to the cluster-admin role :\nkubectl delete clusterrolebinding [name]"]}),"\n",(0,s.jsx)(r.h3,{id:"512-minimize-access-to-secrets-manual",children:"5.1.2 Minimize access to secrets (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove get, list and watch access to Secret objects in the cluster."]}),"\n",(0,s.jsx)(r.h3,{id:"513-minimize-wildcard-use-in-roles-and-clusterroles-manual",children:"5.1.3 Minimize wildcard use in Roles and ClusterRoles (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible replace any use of wildcards in clusterroles and roles with specific\nobjects or actions."]}),"\n",(0,s.jsx)(r.h3,{id:"514-minimize-access-to-create-pods-manual",children:"5.1.4 Minimize access to create pods (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove create access to pod objects in the cluster."]}),"\n",(0,s.jsx)(r.h3,{id:"515-ensure-that-default-service-accounts-are-not-actively-used-manual",children:"5.1.5 Ensure that default service accounts are not actively used. (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nCreate explicit service accounts wherever a Kubernetes workload requires specific access\nto the Kubernetes API server.\nModify the configuration of each default service account to include this value\nautomountServiceAccountToken: false"]}),"\n",(0,s.jsx)(r.h3,{id:"516-ensure-that-service-account-tokens-are-only-mounted-where-necessary-manual",children:"5.1.6 Ensure that Service Account Tokens are only mounted where necessary (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nModify the definition of pods and service accounts which do not need to mount service\naccount tokens to disable it."]}),"\n",(0,s.jsxs)(r.h3,{id:"517-avoid-use-of-system-group-manual",children:["5.1.7 Avoid use of system",":masters"," group (Manual)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRemove the system",":masters"," group from all users in the cluster."]}),"\n",(0,s.jsx)(r.h3,{id:"518-limit-use-of-the-bind-impersonate-and-escalate-permissions-in-the-kubernetes-cluster-manual",children:"5.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove the impersonate, bind and escalate rights from subjects."]}),"\n",(0,s.jsx)(r.h2,{id:"52-pod-security-standards",children:"5.2 Pod Security Standards"}),"\n",(0,s.jsx)(r.h3,{id:"521-ensure-that-the-cluster-has-at-least-one-active-policy-control-mechanism-in-place-manual",children:"5.2.1 Ensure that the cluster has at least one active policy control mechanism in place (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEnsure that either Pod Security Admission or an external policy control system is in place\nfor every namespace which contains user workloads."]}),"\n",(0,s.jsx)(r.h3,{id:"522-minimize-the-admission-of-privileged-containers-manual",children:"5.2.2 Minimize the admission of privileged containers (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of privileged containers."]}),"\n",(0,s.jsx)(r.h3,{id:"523-minimize-the-admission-of-containers-wishing-to-share-the-host-process-id-namespace-automated",children:"5.2.3 Minimize the admission of containers wishing to share the host process ID namespace (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of ",(0,s.jsx)(r.code,{children:"hostPID"})," containers."]}),"\n",(0,s.jsx)(r.h3,{id:"524-minimize-the-admission-of-containers-wishing-to-share-the-host-ipc-namespace-automated",children:"5.2.4 Minimize the admission of containers wishing to share the host IPC namespace (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of ",(0,s.jsx)(r.code,{children:"hostIPC"})," containers."]}),"\n",(0,s.jsx)(r.h3,{id:"525-minimize-the-admission-of-containers-wishing-to-share-the-host-network-namespace-automated",children:"5.2.5 Minimize the admission of containers wishing to share the host network namespace (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of ",(0,s.jsx)(r.code,{children:"hostNetwork"})," containers."]}),"\n",(0,s.jsx)(r.h3,{id:"526-minimize-the-admission-of-containers-with-allowprivilegeescalation-automated",children:"5.2.6 Minimize the admission of containers with allowPrivilegeEscalation (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers with ",(0,s.jsx)(r.code,{children:".spec.allowPrivilegeEscalation"})," set to ",(0,s.jsx)(r.code,{children:"true"}),"."]}),"\n",(0,s.jsx)(r.h3,{id:"527-minimize-the-admission-of-root-containers-automated",children:"5.2.7 Minimize the admission of root containers (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nCreate a policy for each namespace in the cluster, ensuring that either ",(0,s.jsx)(r.code,{children:"MustRunAsNonRoot"}),"\nor ",(0,s.jsx)(r.code,{children:"MustRunAs"})," with the range of UIDs not including 0, is set."]}),"\n",(0,s.jsx)(r.h3,{id:"528-minimize-the-admission-of-containers-with-the-net_raw-capability-automated",children:"5.2.8 Minimize the admission of containers with the NET_RAW capability (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers with the ",(0,s.jsx)(r.code,{children:"NET_RAW"})," capability."]}),"\n",(0,s.jsx)(r.h3,{id:"529-minimize-the-admission-of-containers-with-added-capabilities-automated",children:"5.2.9 Minimize the admission of containers with added capabilities (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEnsure that ",(0,s.jsx)(r.code,{children:"allowedCapabilities"})," is not present in policies for the cluster unless\nit is set to an empty array."]}),"\n",(0,s.jsx)(r.h3,{id:"5210-minimize-the-admission-of-containers-with-capabilities-assigned-manual",children:"5.2.10 Minimize the admission of containers with capabilities assigned (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nReview the use of capabilities in applications running on your cluster. Where a namespace\ncontains applications which do not require any Linux capabities to operate consider adding\na PSP which forbids the admission of containers which do not drop all capabilities."]}),"\n",(0,s.jsx)(r.h3,{id:"5211-minimize-the-admission-of-windows-hostprocess-containers-manual",children:"5.2.11 Minimize the admission of Windows HostProcess containers (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers that have ",(0,s.jsx)(r.code,{children:".securityContext.windowsOptions.hostProcess"})," set to ",(0,s.jsx)(r.code,{children:"true"}),"."]}),"\n",(0,s.jsx)(r.h3,{id:"5212-minimize-the-admission-of-hostpath-volumes-manual",children:"5.2.12 Minimize the admission of HostPath volumes (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers with ",(0,s.jsx)(r.code,{children:"hostPath"})," volumes."]}),"\n",(0,s.jsx)(r.h3,{id:"5213-minimize-the-admission-of-containers-which-use-hostports-manual",children:"5.2.13 Minimize the admission of containers which use HostPorts (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers which use ",(0,s.jsx)(r.code,{children:"hostPort"})," sections."]}),"\n",(0,s.jsx)(r.h2,{id:"53-network-policies-and-cni",children:"5.3 Network Policies and CNI"}),"\n",(0,s.jsx)(r.h3,{id:"531-ensure-that-the-cni-in-use-supports-networkpolicies-manual",children:"5.3.1 Ensure that the CNI in use supports NetworkPolicies (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf the CNI plugin in use does not support network policies, consideration should be given to\nmaking use of a different plugin, or finding an alternate mechanism for restricting traffic\nin the Kubernetes cluster."]}),"\n",(0,s.jsx)(r.h3,{id:"532-ensure-that-all-namespaces-have-networkpolicies-defined-manual",children:"5.3.2 Ensure that all Namespaces have NetworkPolicies defined (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the documentation and create NetworkPolicy objects as you need them."]}),"\n",(0,s.jsx)(r.h2,{id:"54-secrets-management",children:"5.4 Secrets Management"}),"\n",(0,s.jsx)(r.h3,{id:"541-prefer-using-secrets-as-files-over-secrets-as-environment-variables-manual",children:"5.4.1 Prefer using Secrets as files over Secrets as environment variables (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf possible, rewrite application code to read Secrets from mounted secret files, rather than\nfrom environment variables."]}),"\n",(0,s.jsx)(r.h3,{id:"542-consider-external-secret-storage-manual",children:"5.4.2 Consider external secret storage (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRefer to the Secrets management options offered by your cloud provider or a third-party\nsecrets management solution."]}),"\n",(0,s.jsx)(r.h2,{id:"55-extensible-admission-control",children:"5.5 Extensible Admission Control"}),"\n",(0,s.jsx)(r.h3,{id:"551-configure-image-provenance-using-imagepolicywebhook-admission-controller-manual",children:"5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and setup image provenance."]}),"\n",(0,s.jsx)(r.h2,{id:"57-general-policies",children:"5.7 General Policies"}),"\n",(0,s.jsx)(r.h3,{id:"571-create-administrative-boundaries-between-resources-using-namespaces-manual",children:"5.7.1 Create administrative boundaries between resources using namespaces (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the documentation and create namespaces for objects in your deployment as you need\nthem."]}),"\n",(0,s.jsx)(r.h3,{id:"572-ensure-that-the-seccomp-profile-is-set-to-dockerdefault-in-your-pod-definitions-manual",children:"5.7.2 Ensure that the seccomp profile is set to docker/default in your Pod definitions (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nUse ",(0,s.jsx)(r.code,{children:"securityContext"})," to enable the docker/default seccomp profile in your pod definitions.\nAn example is as below:\nsecurityContext:\nseccompProfile:\ntype: RuntimeDefault"]}),"\n",(0,s.jsx)(r.h3,{id:"573-apply-securitycontext-to-your-pods-and-containers-manual",children:"5.7.3 Apply SecurityContext to your Pods and Containers (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and apply SecurityContexts to your Pods. For a\nsuggested list of SecurityContexts, you may refer to the CIS Security Benchmark for Docker\nContainers."]}),"\n",(0,s.jsx)(r.h3,{id:"574-the-default-namespace-should-not-be-used-manual",children:"5.7.4 The default namespace should not be used (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEnsure that namespaces are created to allow for appropriate segregation of Kubernetes\nresources and that all new resources are created in a specific namespace."]})]})}function u(e={}){const{wrapper:r}={...(0,n.a)(),...e.components};return r?(0,s.jsx)(r,{...e,children:(0,s.jsx)(d,{...e})}):d(e)}},1151:(e,r,t)=>{t.d(r,{Z:()=>l,a:()=>a});var s=t(7294);const n={},i=s.createContext(n);function a(e){const r=s.useContext(i);return s.useMemo((function(){return"function"==typeof e?e(r):{...r,...e}}),[r,e])}function l(e){let r;return r=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:a(e.components),s.createElement(i.Provider,{value:r},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/ac75af2e.07750136.js b/assets/js/ac75af2e.07750136.js deleted file mode 100644 index 4f031d9ac..000000000 --- a/assets/js/ac75af2e.07750136.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[1199],{6455:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>o,contentTitle:()=>d,default:()=>h,frontMatter:()=>i,metadata:()=>l,toc:()=>a});var s=t(5893),r=t(1151);const i={title:"Requirements"},d=void 0,l={id:"installation/requirements",title:"Requirements",description:"K3s is very lightweight, but has some minimum requirements as outlined below.",source:"@site/docs/installation/requirements.md",sourceDirName:"installation",slug:"/installation/requirements",permalink:"/installation/requirements",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/requirements.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Requirements"},sidebar:"mySidebar",previous:{title:"Installation",permalink:"/installation/"},next:{title:"Configuration Options",permalink:"/installation/configuration"}},o={},a=[{value:"Prerequisites",id:"prerequisites",level:2},{value:"Architecture",id:"architecture",level:2},{value:"Operating Systems",id:"operating-systems",level:2},{value:"Hardware",id:"hardware",level:2},{value:"Disks",id:"disks",level:4},{value:"Networking",id:"networking",level:2},{value:"Inbound Rules for K3s Nodes",id:"inbound-rules-for-k3s-nodes",level:3},{value:"Large Clusters",id:"large-clusters",level:2},{value:"CPU and Memory",id:"cpu-and-memory",level:3},{value:"Disks",id:"disks-1",level:3},{value:"Network",id:"network",level:3},{value:"Database",id:"database",level:3}];function c(e){const n={a:"a",admonition:"admonition",code:"code",h2:"h2",h3:"h3",h4:"h4",li:"li",p:"p",pre:"pre",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,r.a)(),...e.components},{TabItem:t,Tabs:i}=n;return t||u("TabItem",!0),i||u("Tabs",!0),(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(n.p,{children:"K3s is very lightweight, but has some minimum requirements as outlined below."}),"\n",(0,s.jsx)(n.p,{children:"Whether you're configuring K3s to run in a container or as a native Linux service, each node running K3s should meet the following minimum requirements. These requirements are baseline for K3s and its packaged components, and do not include resources consumed by the workload itself."}),"\n",(0,s.jsx)(n.h2,{id:"prerequisites",children:"Prerequisites"}),"\n",(0,s.jsx)(n.p,{children:"Two nodes cannot have the same hostname."}),"\n",(0,s.jsxs)(n.p,{children:["If multiple nodes will have the same hostname, or if hostnames may be reused by an automated provisioning system, use the ",(0,s.jsx)(n.code,{children:"--with-node-id"})," option to append a random suffix for each node, or devise a unique name to pass with ",(0,s.jsx)(n.code,{children:"--node-name"})," or ",(0,s.jsx)(n.code,{children:"$K3S_NODE_NAME"})," for each node you add to the cluster."]}),"\n",(0,s.jsx)(n.h2,{id:"architecture",children:"Architecture"}),"\n",(0,s.jsx)(n.p,{children:"K3s is available for the following architectures:"}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsx)(n.li,{children:"x86_64"}),"\n",(0,s.jsx)(n.li,{children:"armhf"}),"\n",(0,s.jsx)(n.li,{children:"arm64/aarch64"}),"\n",(0,s.jsx)(n.li,{children:"s390x"}),"\n"]}),"\n",(0,s.jsx)(n.admonition,{title:"ARM64 Page Size",type:"warning",children:(0,s.jsxs)(n.p,{children:["Prior to May 2023 releases (v1.24.14+k3s1, v1.25.10+k3s1, v1.26.5+k3s1, v1.27.2+k3s1), on ",(0,s.jsx)(n.code,{children:"aarch64/arm64"})," systems, the kernel must use 4k pages. ",(0,s.jsx)(n.strong,{children:"RHEL9"}),", ",(0,s.jsx)(n.strong,{children:"Ubuntu"}),", ",(0,s.jsx)(n.strong,{children:"Raspberry PI OS"}),", and ",(0,s.jsx)(n.strong,{children:"SLES"})," all meet this requirement."]})}),"\n",(0,s.jsx)(n.h2,{id:"operating-systems",children:"Operating Systems"}),"\n",(0,s.jsx)(n.p,{children:"K3s is expected to work on most modern Linux systems."}),"\n",(0,s.jsx)(n.p,{children:"Some OSs have additional setup requirements:"}),"\n",(0,s.jsxs)(i,{queryString:"os",children:[(0,s.jsxs)(t,{value:"suse",label:"SUSE Linux Enterprise / openSUSE",children:[(0,s.jsx)(n.p,{children:"It is recommended to turn off firewalld:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"systemctl disable firewalld --now\n"})}),(0,s.jsx)(n.p,{children:"If you wish to keep firewalld enabled, by default, the following rules are required:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"firewall-cmd --permanent --add-port=6443/tcp #apiserver\nfirewall-cmd --permanent --zone=trusted --add-source=10.42.0.0/16 #pods\nfirewall-cmd --permanent --zone=trusted --add-source=10.43.0.0/16 #services\nfirewall-cmd --reload\n"})}),(0,s.jsxs)(n.p,{children:["Additional ports may need to be opened depending on your setup. See ",(0,s.jsx)(n.a,{href:"#inbound-rules-for-k3s-nodes",children:"Inbound Rules"})," for more information. If you change the default CIDR for pods or services, you will need to update the firewall rules accordingly."]})]}),(0,s.jsxs)(t,{value:"rhel",label:"Red Hat Enterprise Linux / CentOS / Fedora",children:[(0,s.jsx)(n.p,{children:"It is recommended to turn off firewalld:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"systemctl disable firewalld --now\n"})}),(0,s.jsx)(n.p,{children:"If you wish to keep firewalld enabled, by default, the following rules are required:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"firewall-cmd --permanent --add-port=6443/tcp #apiserver\nfirewall-cmd --permanent --zone=trusted --add-source=10.42.0.0/16 #pods\nfirewall-cmd --permanent --zone=trusted --add-source=10.43.0.0/16 #services\nfirewall-cmd --reload\n"})}),(0,s.jsxs)(n.p,{children:["Additional ports may need to be opened depending on your setup. See ",(0,s.jsx)(n.a,{href:"#inbound-rules-for-k3s-nodes",children:"Inbound Rules"})," for more information. If you change the default CIDR for pods or services, you will need to update the firewall rules accordingly."]}),(0,s.jsx)(n.p,{children:"If enabled, it is required to disable nm-cloud-setup and reboot the node:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"systemctl disable nm-cloud-setup.service nm-cloud-setup.timer\nreboot\n"})})]}),(0,s.jsxs)(t,{value:"debian",label:"Ubuntu / Debian",children:[(0,s.jsxs)(n.p,{children:["Older Debian release may suffer from a known iptables bug. See ",(0,s.jsx)(n.a,{href:"/known-issues#iptables",children:"Known Issues"}),"."]}),(0,s.jsx)(n.p,{children:"It is recommended to turn off ufw (uncomplicated firewall):"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"ufw disable\n"})}),(0,s.jsx)(n.p,{children:"If you wish to keep ufw enabled, by default, the following rules are required:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"ufw allow 6443/tcp #apiserver\nufw allow from 10.42.0.0/16 to any #pods\nufw allow from 10.43.0.0/16 to any #services\n"})}),(0,s.jsxs)(n.p,{children:["Additional ports may need to be opened depending on your setup. See ",(0,s.jsx)(n.a,{href:"#inbound-rules-for-k3s-nodes",children:"Inbound Rules"})," for more information. If you change the default CIDR for pods or services, you will need to update the firewall rules accordingly."]})]}),(0,s.jsxs)(t,{value:"pi",label:"Raspberry Pi",children:[(0,s.jsxs)(n.p,{children:["Raspberry Pi OS is Debian based, and may suffer from a known iptables bug. See ",(0,s.jsx)(n.a,{href:"/known-issues#iptables",children:"Known Issues"}),"."]}),(0,s.jsxs)(n.p,{children:["Standard Raspberry Pi OS installations do not start with ",(0,s.jsx)(n.code,{children:"cgroups"})," enabled. ",(0,s.jsx)(n.strong,{children:"K3S"})," needs ",(0,s.jsx)(n.code,{children:"cgroups"})," to start the systemd service. ",(0,s.jsx)(n.code,{children:"cgroups"}),"can be enabled by appending ",(0,s.jsx)(n.code,{children:"cgroup_memory=1 cgroup_enable=memory"})," to ",(0,s.jsx)(n.code,{children:"/boot/cmdline.txt"}),"."]}),(0,s.jsx)(n.p,{children:"Example cmdline.txt:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"console=serial0,115200 console=tty1 root=PARTUUID=58b06195-02 rootfstype=ext4 elevator=deadline fsck.repair=yes rootwait cgroup_memory=1 cgroup_enable=memory\n"})}),(0,s.jsx)(n.p,{children:"With Ubuntu 21.10 to Ubuntu 23.10, vxlan support on Raspberry Pi was moved into a separate kernel module. This step in not required for Ubuntu 24.04 and later."}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"sudo apt install linux-modules-extra-raspi\n"})})]})]}),"\n",(0,s.jsxs)(n.p,{children:["For more information on which OSs were tested with Rancher managed K3s clusters, refer to the ",(0,s.jsx)(n.a,{href:"https://rancher.com/support-maintenance-terms/",children:"Rancher support and maintenance terms."})]}),"\n",(0,s.jsx)(n.h2,{id:"hardware",children:"Hardware"}),"\n",(0,s.jsx)(n.p,{children:"Hardware requirements scale based on the size of your deployments. Minimum recommendations are outlined here."}),"\n",(0,s.jsxs)(n.table,{children:[(0,s.jsx)(n.thead,{children:(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.th,{children:"Spec"}),(0,s.jsx)(n.th,{children:"Minimum"}),(0,s.jsx)(n.th,{children:"Recommended"})]})}),(0,s.jsxs)(n.tbody,{children:[(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"CPU"}),(0,s.jsx)(n.td,{children:"1 core"}),(0,s.jsx)(n.td,{children:"2 cores"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"RAM"}),(0,s.jsx)(n.td,{children:"512 MB"}),(0,s.jsx)(n.td,{children:"1 GB"})]})]})]}),"\n",(0,s.jsxs)(n.p,{children:[(0,s.jsx)(n.a,{href:"/reference/resource-profiling",children:"Resource Profiling"})," captures the results of tests to determine minimum resource requirements for the K3s agent, the K3s server with a workload, and the K3s server with one agent. It also contains analysis about what has the biggest impact on K3s server and agent utilization, and how the cluster datastore can be protected from interference from agents and workloads."]}),"\n",(0,s.jsx)(n.admonition,{title:"Raspberry Pi and embedded etcd",type:"info",children:(0,s.jsx)(n.p,{children:"If deploying K3s with embedded etcd on a Raspberry Pi, it is recommended that you use an external SSD. etcd is write intensive, and SD cards cannot handle the IO load."})}),"\n",(0,s.jsx)(n.h4,{id:"disks",children:"Disks"}),"\n",(0,s.jsx)(n.p,{children:"K3s performance depends on the performance of the database. To ensure optimal speed, we recommend using an SSD when possible. Disk performance will vary on ARM devices utilizing an SD card or eMMC."}),"\n",(0,s.jsx)(n.h2,{id:"networking",children:"Networking"}),"\n",(0,s.jsx)(n.p,{children:"The K3s server needs port 6443 to be accessible by all nodes."}),"\n",(0,s.jsx)(n.p,{children:"The nodes need to be able to reach other nodes over UDP port 8472 when using the Flannel VXLAN backend, or over UDP port 51820 (and 51821 if IPv6 is used) when using the Flannel WireGuard backend. The node should not listen on any other port. K3s uses reverse tunneling such that the nodes make outbound connections to the server and all kubelet traffic runs through that tunnel. However, if you do not use Flannel and provide your own custom CNI, then the ports needed by Flannel are not needed by K3s."}),"\n",(0,s.jsx)(n.p,{children:"If you wish to utilize the metrics server, all nodes must be accessible to each other on port 10250."}),"\n",(0,s.jsx)(n.p,{children:"If you plan on achieving high availability with embedded etcd, server nodes must be accessible to each other on ports 2379 and 2380."}),"\n",(0,s.jsx)(n.admonition,{title:"Important",type:"tip",children:(0,s.jsx)(n.p,{children:"The VXLAN port on nodes should not be exposed to the world as it opens up your cluster network to be accessed by anyone. Run your nodes behind a firewall/security group that disables access to port 8472."})}),"\n",(0,s.jsx)(n.admonition,{type:"danger",children:(0,s.jsxs)(n.p,{children:["Flannel relies on the ",(0,s.jsx)(n.a,{href:"https://www.cni.dev/plugins/current/main/bridge/",children:"Bridge CNI plugin"})," to create a L2 network that switches traffic. Rogue pods with ",(0,s.jsx)(n.code,{children:"NET_RAW"})," capabilities can abuse that L2 network to launch attacks such as ",(0,s.jsx)(n.a,{href:"https://static.sched.com/hosted_files/kccncna19/72/ARP%20DNS%20spoof.pdf",children:"ARP spoofing"}),". Therefore, as documented in the ",(0,s.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/security/pod-security-standards/",children:"Kubernetes docs"}),", please set a restricted profile that disables ",(0,s.jsx)(n.code,{children:"NET_RAW"})," on non-trustable pods."]})}),"\n",(0,s.jsx)(n.h3,{id:"inbound-rules-for-k3s-nodes",children:"Inbound Rules for K3s Nodes"}),"\n",(0,s.jsxs)(n.table,{children:[(0,s.jsx)(n.thead,{children:(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.th,{children:"Protocol"}),(0,s.jsx)(n.th,{children:"Port"}),(0,s.jsx)(n.th,{children:"Source"}),(0,s.jsx)(n.th,{children:"Destination"}),(0,s.jsx)(n.th,{children:"Description"})]})}),(0,s.jsxs)(n.tbody,{children:[(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"TCP"}),(0,s.jsx)(n.td,{children:"2379-2380"}),(0,s.jsx)(n.td,{children:"Servers"}),(0,s.jsx)(n.td,{children:"Servers"}),(0,s.jsx)(n.td,{children:"Required only for HA with embedded etcd"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"TCP"}),(0,s.jsx)(n.td,{children:"6443"}),(0,s.jsx)(n.td,{children:"Agents"}),(0,s.jsx)(n.td,{children:"Servers"}),(0,s.jsx)(n.td,{children:"K3s supervisor and Kubernetes API Server"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"UDP"}),(0,s.jsx)(n.td,{children:"8472"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"Required only for Flannel VXLAN"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"TCP"}),(0,s.jsx)(n.td,{children:"10250"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"Kubelet metrics"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"UDP"}),(0,s.jsx)(n.td,{children:"51820"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"Required only for Flannel Wireguard with IPv4"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"UDP"}),(0,s.jsx)(n.td,{children:"51821"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"Required only for Flannel Wireguard with IPv6"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"TCP"}),(0,s.jsx)(n.td,{children:"5001"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"Required only for embedded distributed registry (Spegel)"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"TCP"}),(0,s.jsx)(n.td,{children:"6443"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"Required only for embedded distributed registry (Spegel)"})]})]})]}),"\n",(0,s.jsx)(n.p,{children:"Typically, all outbound traffic is allowed."}),"\n",(0,s.jsx)(n.p,{children:"Additional changes to the firewall may be required depending on the OS used."}),"\n",(0,s.jsx)(n.h2,{id:"large-clusters",children:"Large Clusters"}),"\n",(0,s.jsx)(n.p,{children:"Hardware requirements are based on the size of your K3s cluster. For production and large clusters, we recommend using a high-availability setup with an external database. The following options are recommended for the external database in production:"}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsx)(n.li,{children:"MySQL"}),"\n",(0,s.jsx)(n.li,{children:"PostgreSQL"}),"\n",(0,s.jsx)(n.li,{children:"etcd"}),"\n"]}),"\n",(0,s.jsx)(n.h3,{id:"cpu-and-memory",children:"CPU and Memory"}),"\n",(0,s.jsx)(n.p,{children:"The following are the minimum CPU and memory requirements for nodes in a high-availability K3s server:"}),"\n",(0,s.jsxs)(n.table,{children:[(0,s.jsx)(n.thead,{children:(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.th,{style:{textAlign:"center"},children:"Deployment Size"}),(0,s.jsx)(n.th,{style:{textAlign:"center"},children:"Nodes"}),(0,s.jsx)(n.th,{style:{textAlign:"center"},children:"VCPUS"}),(0,s.jsx)(n.th,{style:{textAlign:"center"},children:"RAM"})]})}),(0,s.jsxs)(n.tbody,{children:[(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Small"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Up to 10"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"2"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"4 GB"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Medium"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Up to 100"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"4"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"8 GB"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Large"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Up to 250"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"8"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"16 GB"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"X-Large"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Up to 500"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"16"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"32 GB"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"XX-Large"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"500+"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"32"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"64 GB"})]})]})]}),"\n",(0,s.jsx)(n.h3,{id:"disks-1",children:"Disks"}),"\n",(0,s.jsx)(n.p,{children:"The cluster performance depends on database performance. To ensure optimal speed, we recommend always using SSD disks to back your K3s cluster. On cloud providers, you will also want to use the minimum size that allows the maximum IOPS."}),"\n",(0,s.jsx)(n.h3,{id:"network",children:"Network"}),"\n",(0,s.jsxs)(n.p,{children:["You should consider increasing the subnet size for the cluster CIDR so that you don't run out of IPs for the pods. You can do that by passing the ",(0,s.jsx)(n.code,{children:"--cluster-cidr"})," option to K3s server upon starting."]}),"\n",(0,s.jsx)(n.h3,{id:"database",children:"Database"}),"\n",(0,s.jsxs)(n.p,{children:["K3s supports different databases including MySQL, PostgreSQL, MariaDB, and etcd. See ",(0,s.jsx)(n.a,{href:"/datastore/",children:"Cluster Datastore"})," for more info."]}),"\n",(0,s.jsx)(n.p,{children:"The following is a sizing guide for the database resources you need to run large clusters:"}),"\n",(0,s.jsxs)(n.table,{children:[(0,s.jsx)(n.thead,{children:(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.th,{style:{textAlign:"center"},children:"Deployment Size"}),(0,s.jsx)(n.th,{style:{textAlign:"center"},children:"Nodes"}),(0,s.jsx)(n.th,{style:{textAlign:"center"},children:"VCPUS"}),(0,s.jsx)(n.th,{style:{textAlign:"center"},children:"RAM"})]})}),(0,s.jsxs)(n.tbody,{children:[(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Small"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Up to 10"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"1"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"2 GB"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Medium"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Up to 100"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"2"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"8 GB"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Large"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Up to 250"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"4"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"16 GB"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"X-Large"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Up to 500"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"8"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"32 GB"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"XX-Large"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"500+"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"16"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"64 GB"})]})]})]})]})}function h(e={}){const{wrapper:n}={...(0,r.a)(),...e.components};return n?(0,s.jsx)(n,{...e,children:(0,s.jsx)(c,{...e})}):c(e)}function u(e,n){throw new Error("Expected "+(n?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,n,t)=>{t.d(n,{Z:()=>l,a:()=>d});var s=t(7294);const r={},i=s.createContext(r);function d(e){const n=s.useContext(i);return s.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function l(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:d(e.components),s.createElement(i.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/ac75af2e.c02290fe.js b/assets/js/ac75af2e.c02290fe.js new file mode 100644 index 000000000..d6ad5a502 --- /dev/null +++ b/assets/js/ac75af2e.c02290fe.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[1199],{6455:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>o,contentTitle:()=>d,default:()=>h,frontMatter:()=>i,metadata:()=>l,toc:()=>a});var s=t(5893),r=t(1151);const i={title:"Requirements"},d=void 0,l={id:"installation/requirements",title:"Requirements",description:"K3s is very lightweight, but has some minimum requirements as outlined below.",source:"@site/docs/installation/requirements.md",sourceDirName:"installation",slug:"/installation/requirements",permalink:"/installation/requirements",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/requirements.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Requirements"},sidebar:"mySidebar",previous:{title:"Installation",permalink:"/installation/"},next:{title:"Configuration Options",permalink:"/installation/configuration"}},o={},a=[{value:"Prerequisites",id:"prerequisites",level:2},{value:"Architecture",id:"architecture",level:2},{value:"Operating Systems",id:"operating-systems",level:2},{value:"Hardware",id:"hardware",level:2},{value:"Disks",id:"disks",level:4},{value:"Networking",id:"networking",level:2},{value:"Inbound Rules for K3s Nodes",id:"inbound-rules-for-k3s-nodes",level:3},{value:"Large Clusters",id:"large-clusters",level:2},{value:"CPU and Memory",id:"cpu-and-memory",level:3},{value:"Disks",id:"disks-1",level:3},{value:"Network",id:"network",level:3},{value:"Database",id:"database",level:3}];function c(e){const n={a:"a",admonition:"admonition",code:"code",h2:"h2",h3:"h3",h4:"h4",li:"li",p:"p",pre:"pre",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,r.a)(),...e.components},{TabItem:t,Tabs:i}=n;return t||u("TabItem",!0),i||u("Tabs",!0),(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(n.p,{children:"K3s is very lightweight, but has some minimum requirements as outlined below."}),"\n",(0,s.jsx)(n.p,{children:"Whether you're configuring K3s to run in a container or as a native Linux service, each node running K3s should meet the following minimum requirements. These requirements are baseline for K3s and its packaged components, and do not include resources consumed by the workload itself."}),"\n",(0,s.jsx)(n.h2,{id:"prerequisites",children:"Prerequisites"}),"\n",(0,s.jsx)(n.p,{children:"Two nodes cannot have the same hostname."}),"\n",(0,s.jsxs)(n.p,{children:["If multiple nodes will have the same hostname, or if hostnames may be reused by an automated provisioning system, use the ",(0,s.jsx)(n.code,{children:"--with-node-id"})," option to append a random suffix for each node, or devise a unique name to pass with ",(0,s.jsx)(n.code,{children:"--node-name"})," or ",(0,s.jsx)(n.code,{children:"$K3S_NODE_NAME"})," for each node you add to the cluster."]}),"\n",(0,s.jsx)(n.h2,{id:"architecture",children:"Architecture"}),"\n",(0,s.jsx)(n.p,{children:"K3s is available for the following architectures:"}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsx)(n.li,{children:"x86_64"}),"\n",(0,s.jsx)(n.li,{children:"armhf"}),"\n",(0,s.jsx)(n.li,{children:"arm64/aarch64"}),"\n",(0,s.jsx)(n.li,{children:"s390x"}),"\n"]}),"\n",(0,s.jsx)(n.admonition,{title:"ARM64 Page Size",type:"warning",children:(0,s.jsxs)(n.p,{children:["Prior to May 2023 releases (v1.24.14+k3s1, v1.25.10+k3s1, v1.26.5+k3s1, v1.27.2+k3s1), on ",(0,s.jsx)(n.code,{children:"aarch64/arm64"})," systems, the kernel must use 4k pages. ",(0,s.jsx)(n.strong,{children:"RHEL9"}),", ",(0,s.jsx)(n.strong,{children:"Ubuntu"}),", ",(0,s.jsx)(n.strong,{children:"Raspberry PI OS"}),", and ",(0,s.jsx)(n.strong,{children:"SLES"})," all meet this requirement."]})}),"\n",(0,s.jsx)(n.h2,{id:"operating-systems",children:"Operating Systems"}),"\n",(0,s.jsx)(n.p,{children:"K3s is expected to work on most modern Linux systems."}),"\n",(0,s.jsx)(n.p,{children:"Some OSs have additional setup requirements:"}),"\n",(0,s.jsxs)(i,{queryString:"os",children:[(0,s.jsxs)(t,{value:"suse",label:"SUSE Linux Enterprise / openSUSE",children:[(0,s.jsx)(n.p,{children:"It is recommended to turn off firewalld:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"systemctl disable firewalld --now\n"})}),(0,s.jsx)(n.p,{children:"If you wish to keep firewalld enabled, by default, the following rules are required:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"firewall-cmd --permanent --add-port=6443/tcp #apiserver\nfirewall-cmd --permanent --zone=trusted --add-source=10.42.0.0/16 #pods\nfirewall-cmd --permanent --zone=trusted --add-source=10.43.0.0/16 #services\nfirewall-cmd --reload\n"})}),(0,s.jsxs)(n.p,{children:["Additional ports may need to be opened depending on your setup. See ",(0,s.jsx)(n.a,{href:"#inbound-rules-for-k3s-nodes",children:"Inbound Rules"})," for more information. If you change the default CIDR for pods or services, you will need to update the firewall rules accordingly."]})]}),(0,s.jsxs)(t,{value:"rhel",label:"Red Hat Enterprise Linux / CentOS / Fedora",children:[(0,s.jsx)(n.p,{children:"It is recommended to turn off firewalld:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"systemctl disable firewalld --now\n"})}),(0,s.jsx)(n.p,{children:"If you wish to keep firewalld enabled, by default, the following rules are required:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"firewall-cmd --permanent --add-port=6443/tcp #apiserver\nfirewall-cmd --permanent --zone=trusted --add-source=10.42.0.0/16 #pods\nfirewall-cmd --permanent --zone=trusted --add-source=10.43.0.0/16 #services\nfirewall-cmd --reload\n"})}),(0,s.jsxs)(n.p,{children:["Additional ports may need to be opened depending on your setup. See ",(0,s.jsx)(n.a,{href:"#inbound-rules-for-k3s-nodes",children:"Inbound Rules"})," for more information. If you change the default CIDR for pods or services, you will need to update the firewall rules accordingly."]}),(0,s.jsx)(n.p,{children:"If enabled, it is required to disable nm-cloud-setup and reboot the node:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"systemctl disable nm-cloud-setup.service nm-cloud-setup.timer\nreboot\n"})})]}),(0,s.jsxs)(t,{value:"debian",label:"Ubuntu / Debian",children:[(0,s.jsxs)(n.p,{children:["Older Debian release may suffer from a known iptables bug. See ",(0,s.jsx)(n.a,{href:"/known-issues#iptables",children:"Known Issues"}),"."]}),(0,s.jsx)(n.p,{children:"It is recommended to turn off ufw (uncomplicated firewall):"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"ufw disable\n"})}),(0,s.jsx)(n.p,{children:"If you wish to keep ufw enabled, by default, the following rules are required:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"ufw allow 6443/tcp #apiserver\nufw allow from 10.42.0.0/16 to any #pods\nufw allow from 10.43.0.0/16 to any #services\n"})}),(0,s.jsxs)(n.p,{children:["Additional ports may need to be opened depending on your setup. See ",(0,s.jsx)(n.a,{href:"#inbound-rules-for-k3s-nodes",children:"Inbound Rules"})," for more information. If you change the default CIDR for pods or services, you will need to update the firewall rules accordingly."]})]}),(0,s.jsxs)(t,{value:"pi",label:"Raspberry Pi",children:[(0,s.jsxs)(n.p,{children:["Raspberry Pi OS is Debian based, and may suffer from a known iptables bug. See ",(0,s.jsx)(n.a,{href:"/known-issues#iptables",children:"Known Issues"}),"."]}),(0,s.jsxs)(n.p,{children:["Standard Raspberry Pi OS installations do not start with ",(0,s.jsx)(n.code,{children:"cgroups"})," enabled. ",(0,s.jsx)(n.strong,{children:"K3S"})," needs ",(0,s.jsx)(n.code,{children:"cgroups"})," to start the systemd service. ",(0,s.jsx)(n.code,{children:"cgroups"}),"can be enabled by appending ",(0,s.jsx)(n.code,{children:"cgroup_memory=1 cgroup_enable=memory"})," to ",(0,s.jsx)(n.code,{children:"/boot/cmdline.txt"}),"."]}),(0,s.jsx)(n.p,{children:"Example cmdline.txt:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"console=serial0,115200 console=tty1 root=PARTUUID=58b06195-02 rootfstype=ext4 elevator=deadline fsck.repair=yes rootwait cgroup_memory=1 cgroup_enable=memory\n"})}),(0,s.jsx)(n.p,{children:"With Ubuntu 21.10 to Ubuntu 23.10, vxlan support on Raspberry Pi was moved into a separate kernel module. This step in not required for Ubuntu 24.04 and later."}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"sudo apt install linux-modules-extra-raspi\n"})})]})]}),"\n",(0,s.jsxs)(n.p,{children:["For more information on which OSs were tested with Rancher managed K3s clusters, refer to the ",(0,s.jsx)(n.a,{href:"https://rancher.com/support-maintenance-terms/",children:"Rancher support and maintenance terms."})]}),"\n",(0,s.jsx)(n.h2,{id:"hardware",children:"Hardware"}),"\n",(0,s.jsx)(n.p,{children:"Hardware requirements scale based on the size of your deployments. Minimum recommendations are outlined here."}),"\n",(0,s.jsxs)(n.table,{children:[(0,s.jsx)(n.thead,{children:(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.th,{children:"Spec"}),(0,s.jsx)(n.th,{children:"Minimum"}),(0,s.jsx)(n.th,{children:"Recommended"})]})}),(0,s.jsxs)(n.tbody,{children:[(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"CPU"}),(0,s.jsx)(n.td,{children:"1 core"}),(0,s.jsx)(n.td,{children:"2 cores"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"RAM"}),(0,s.jsx)(n.td,{children:"512 MB"}),(0,s.jsx)(n.td,{children:"1 GB"})]})]})]}),"\n",(0,s.jsxs)(n.p,{children:[(0,s.jsx)(n.a,{href:"/reference/resource-profiling",children:"Resource Profiling"})," captures the results of tests to determine minimum resource requirements for the K3s agent, the K3s server with a workload, and the K3s server with one agent. It also contains analysis about what has the biggest impact on K3s server and agent utilization, and how the cluster datastore can be protected from interference from agents and workloads."]}),"\n",(0,s.jsx)(n.admonition,{title:"Raspberry Pi and embedded etcd",type:"info",children:(0,s.jsx)(n.p,{children:"If deploying K3s with embedded etcd on a Raspberry Pi, it is recommended that you use an external SSD. etcd is write intensive, and SD cards cannot handle the IO load."})}),"\n",(0,s.jsx)(n.h4,{id:"disks",children:"Disks"}),"\n",(0,s.jsx)(n.p,{children:"K3s performance depends on the performance of the database. To ensure optimal speed, we recommend using an SSD when possible. Disk performance will vary on ARM devices utilizing an SD card or eMMC."}),"\n",(0,s.jsx)(n.h2,{id:"networking",children:"Networking"}),"\n",(0,s.jsx)(n.p,{children:"The K3s server needs port 6443 to be accessible by all nodes."}),"\n",(0,s.jsx)(n.p,{children:"The nodes need to be able to reach other nodes over UDP port 8472 when using the Flannel VXLAN backend, or over UDP port 51820 (and 51821 if IPv6 is used) when using the Flannel WireGuard backend. The node should not listen on any other port. K3s uses reverse tunneling such that the nodes make outbound connections to the server and all kubelet traffic runs through that tunnel. However, if you do not use Flannel and provide your own custom CNI, then the ports needed by Flannel are not needed by K3s."}),"\n",(0,s.jsx)(n.p,{children:"If you wish to utilize the metrics server, all nodes must be accessible to each other on port 10250."}),"\n",(0,s.jsx)(n.p,{children:"If you plan on achieving high availability with embedded etcd, server nodes must be accessible to each other on ports 2379 and 2380."}),"\n",(0,s.jsx)(n.admonition,{title:"Important",type:"tip",children:(0,s.jsx)(n.p,{children:"The VXLAN port on nodes should not be exposed to the world as it opens up your cluster network to be accessed by anyone. Run your nodes behind a firewall/security group that disables access to port 8472."})}),"\n",(0,s.jsx)(n.admonition,{type:"danger",children:(0,s.jsxs)(n.p,{children:["Flannel relies on the ",(0,s.jsx)(n.a,{href:"https://www.cni.dev/plugins/current/main/bridge/",children:"Bridge CNI plugin"})," to create a L2 network that switches traffic. Rogue pods with ",(0,s.jsx)(n.code,{children:"NET_RAW"})," capabilities can abuse that L2 network to launch attacks such as ",(0,s.jsx)(n.a,{href:"https://static.sched.com/hosted_files/kccncna19/72/ARP%20DNS%20spoof.pdf",children:"ARP spoofing"}),". Therefore, as documented in the ",(0,s.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/security/pod-security-standards/",children:"Kubernetes docs"}),", please set a restricted profile that disables ",(0,s.jsx)(n.code,{children:"NET_RAW"})," on non-trustable pods."]})}),"\n",(0,s.jsx)(n.h3,{id:"inbound-rules-for-k3s-nodes",children:"Inbound Rules for K3s Nodes"}),"\n",(0,s.jsxs)(n.table,{children:[(0,s.jsx)(n.thead,{children:(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.th,{children:"Protocol"}),(0,s.jsx)(n.th,{children:"Port"}),(0,s.jsx)(n.th,{children:"Source"}),(0,s.jsx)(n.th,{children:"Destination"}),(0,s.jsx)(n.th,{children:"Description"})]})}),(0,s.jsxs)(n.tbody,{children:[(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"TCP"}),(0,s.jsx)(n.td,{children:"2379-2380"}),(0,s.jsx)(n.td,{children:"Servers"}),(0,s.jsx)(n.td,{children:"Servers"}),(0,s.jsx)(n.td,{children:"Required only for HA with embedded etcd"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"TCP"}),(0,s.jsx)(n.td,{children:"6443"}),(0,s.jsx)(n.td,{children:"Agents"}),(0,s.jsx)(n.td,{children:"Servers"}),(0,s.jsx)(n.td,{children:"K3s supervisor and Kubernetes API Server"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"UDP"}),(0,s.jsx)(n.td,{children:"8472"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"Required only for Flannel VXLAN"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"TCP"}),(0,s.jsx)(n.td,{children:"10250"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"Kubelet metrics"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"UDP"}),(0,s.jsx)(n.td,{children:"51820"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"Required only for Flannel Wireguard with IPv4"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"UDP"}),(0,s.jsx)(n.td,{children:"51821"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"Required only for Flannel Wireguard with IPv6"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"TCP"}),(0,s.jsx)(n.td,{children:"5001"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"Required only for embedded distributed registry (Spegel)"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"TCP"}),(0,s.jsx)(n.td,{children:"6443"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"Required only for embedded distributed registry (Spegel)"})]})]})]}),"\n",(0,s.jsx)(n.p,{children:"Typically, all outbound traffic is allowed."}),"\n",(0,s.jsx)(n.p,{children:"Additional changes to the firewall may be required depending on the OS used."}),"\n",(0,s.jsx)(n.h2,{id:"large-clusters",children:"Large Clusters"}),"\n",(0,s.jsx)(n.p,{children:"Hardware requirements are based on the size of your K3s cluster. For production and large clusters, we recommend using a high-availability setup with an external database. The following options are recommended for the external database in production:"}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsx)(n.li,{children:"MySQL"}),"\n",(0,s.jsx)(n.li,{children:"PostgreSQL"}),"\n",(0,s.jsx)(n.li,{children:"etcd"}),"\n"]}),"\n",(0,s.jsx)(n.h3,{id:"cpu-and-memory",children:"CPU and Memory"}),"\n",(0,s.jsx)(n.p,{children:"The following are the minimum CPU and memory requirements for nodes in a high-availability K3s server:"}),"\n",(0,s.jsxs)(n.table,{children:[(0,s.jsx)(n.thead,{children:(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.th,{style:{textAlign:"center"},children:"Deployment Size"}),(0,s.jsx)(n.th,{style:{textAlign:"center"},children:"Nodes"}),(0,s.jsx)(n.th,{style:{textAlign:"center"},children:"VCPUS"}),(0,s.jsx)(n.th,{style:{textAlign:"center"},children:"RAM"})]})}),(0,s.jsxs)(n.tbody,{children:[(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Small"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Up to 10"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"2"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"4 GB"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Medium"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Up to 100"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"4"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"8 GB"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Large"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Up to 250"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"8"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"16 GB"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"X-Large"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Up to 500"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"16"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"32 GB"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"XX-Large"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"500+"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"32"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"64 GB"})]})]})]}),"\n",(0,s.jsx)(n.h3,{id:"disks-1",children:"Disks"}),"\n",(0,s.jsx)(n.p,{children:"The cluster performance depends on database performance. To ensure optimal speed, we recommend always using SSD disks to back your K3s cluster. On cloud providers, you will also want to use the minimum size that allows the maximum IOPS."}),"\n",(0,s.jsx)(n.h3,{id:"network",children:"Network"}),"\n",(0,s.jsxs)(n.p,{children:["You should consider increasing the subnet size for the cluster CIDR so that you don't run out of IPs for the pods. You can do that by passing the ",(0,s.jsx)(n.code,{children:"--cluster-cidr"})," option to K3s server upon starting."]}),"\n",(0,s.jsx)(n.h3,{id:"database",children:"Database"}),"\n",(0,s.jsxs)(n.p,{children:["K3s supports different databases including MySQL, PostgreSQL, MariaDB, and etcd. See ",(0,s.jsx)(n.a,{href:"/datastore/",children:"Cluster Datastore"})," for more info."]}),"\n",(0,s.jsx)(n.p,{children:"The following is a sizing guide for the database resources you need to run large clusters:"}),"\n",(0,s.jsxs)(n.table,{children:[(0,s.jsx)(n.thead,{children:(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.th,{style:{textAlign:"center"},children:"Deployment Size"}),(0,s.jsx)(n.th,{style:{textAlign:"center"},children:"Nodes"}),(0,s.jsx)(n.th,{style:{textAlign:"center"},children:"VCPUS"}),(0,s.jsx)(n.th,{style:{textAlign:"center"},children:"RAM"})]})}),(0,s.jsxs)(n.tbody,{children:[(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Small"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Up to 10"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"1"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"2 GB"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Medium"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Up to 100"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"2"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"8 GB"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Large"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Up to 250"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"4"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"16 GB"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"X-Large"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Up to 500"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"8"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"32 GB"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"XX-Large"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"500+"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"16"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"64 GB"})]})]})]})]})}function h(e={}){const{wrapper:n}={...(0,r.a)(),...e.components};return n?(0,s.jsx)(n,{...e,children:(0,s.jsx)(c,{...e})}):c(e)}function u(e,n){throw new Error("Expected "+(n?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,n,t)=>{t.d(n,{Z:()=>l,a:()=>d});var s=t(7294);const r={},i=s.createContext(r);function d(e){const n=s.useContext(i);return s.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function l(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:d(e.components),s.createElement(i.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/b36bdd38.9040c257.js b/assets/js/b36bdd38.9040c257.js new file mode 100644 index 000000000..13fa87c34 --- /dev/null +++ b/assets/js/b36bdd38.9040c257.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[6895],{5020:(e,s,t)=>{t.r(s),t.d(s,{assets:()=>o,contentTitle:()=>i,default:()=>h,frontMatter:()=>d,metadata:()=>a,toc:()=>l});var n=t(5893),r=t(1151);const d={title:"High Availability Embedded etcd"},i=void 0,a={id:"datastore/ha-embedded",title:"High Availability Embedded etcd",description:"Embedded etcd (HA) may have performance issues on slower disks such as Raspberry Pis running with SD cards.",source:"@site/docs/datastore/ha-embedded.md",sourceDirName:"datastore",slug:"/datastore/ha-embedded",permalink:"/datastore/ha-embedded",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/datastore/ha-embedded.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"High Availability Embedded etcd"},sidebar:"mySidebar",previous:{title:"Backup and Restore",permalink:"/datastore/backup-restore"},next:{title:"High Availability External DB",permalink:"/datastore/ha"}},o={},l=[{value:"Existing single-node clusters",id:"existing-single-node-clusters",level:2}];function c(e){const s={a:"a",admonition:"admonition",code:"code",h2:"h2",li:"li",p:"p",pre:"pre",strong:"strong",ul:"ul",...(0,r.a)(),...e.components},{Details:t}=s;return t||function(e,s){throw new Error("Expected "+(s?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}("Details",!0),(0,n.jsxs)(n.Fragment,{children:[(0,n.jsx)(s.admonition,{type:"warning",children:(0,n.jsx)(s.p,{children:"Embedded etcd (HA) may have performance issues on slower disks such as Raspberry Pis running with SD cards."})}),"\n",(0,n.jsxs)(t,{children:[(0,n.jsx)("summary",{children:"Why An Odd Number Of Server Nodes?"}),(0,n.jsx)(s.p,{children:"HA embedded etcd cluster must be comprised of an odd number of server nodes for etcd to maintain quorum. For a cluster with n servers, quorum is (n/2)+1. For any odd-sized cluster, adding one node will always increase the number of nodes necessary for quorum. Although adding a node to an odd-sized cluster appears better since there are more machines, the fault tolerance is worse since exactly the same number of nodes may fail without losing quorum but there are more nodes that can fail."})]}),"\n",(0,n.jsx)(s.p,{children:"An HA K3s cluster with embedded etcd is composed of:"}),"\n",(0,n.jsxs)(s.ul,{children:["\n",(0,n.jsxs)(s.li,{children:["Three or more ",(0,n.jsx)(s.strong,{children:"server nodes"})," that will serve the Kubernetes API and run other control plane services, as well as host the embedded etcd datastore."]}),"\n",(0,n.jsxs)(s.li,{children:["Optional: Zero or more ",(0,n.jsx)(s.strong,{children:"agent nodes"})," that are designated to run your apps and services"]}),"\n",(0,n.jsxs)(s.li,{children:["Optional: A ",(0,n.jsx)(s.strong,{children:"fixed registration address"})," for agent nodes to register with the cluster"]}),"\n"]}),"\n",(0,n.jsx)(s.admonition,{type:"note",children:(0,n.jsxs)(s.p,{children:["To rapidly deploy large HA clusters, see ",(0,n.jsx)(s.a,{href:"/related-projects",children:"Related Projects"})]})}),"\n",(0,n.jsxs)(s.p,{children:["To get started, first launch a server node with the ",(0,n.jsx)(s.code,{children:"cluster-init"})," flag to enable clustering and a token that will be used as a shared secret to join additional servers to the cluster."]}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | K3S_TOKEN=SECRET sh -s - server \\\n --cluster-init \\\n --tls-san=<FIXED_IP> # Optional, needed if using a fixed registration address\n"})}),"\n",(0,n.jsx)(s.p,{children:"After launching the first server, join the second and third servers to the cluster using the shared secret:"}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | K3S_TOKEN=SECRET sh -s - server \\\n --server https://<ip or hostname of server1>:6443 \\\n --tls-san=<FIXED_IP> # Optional, needed if using a fixed registration address\n"})}),"\n",(0,n.jsx)(s.p,{children:"Check to see that the second and third servers are now part of the cluster:"}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"$ kubectl get nodes\nNAME STATUS ROLES AGE VERSION\nserver1 Ready control-plane,etcd,master 28m vX.Y.Z\nserver2 Ready control-plane,etcd,master 13m vX.Y.Z\nserver3 Ready control-plane,etcd,master 10m vX.Y.Z\n"})}),"\n",(0,n.jsxs)(s.p,{children:["Now you have a highly available control plane. Any successfully clustered servers can be used in the ",(0,n.jsx)(s.code,{children:"--server"})," argument to join additional server and agent nodes. Joining additional agent nodes to the cluster follows the same procedure as servers:"]}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | K3S_TOKEN=SECRET sh -s - agent --server https://<ip or hostname of server>:6443\n"})}),"\n",(0,n.jsx)(s.p,{children:"There are a few config flags that must be the same in all server nodes:"}),"\n",(0,n.jsxs)(s.ul,{children:["\n",(0,n.jsxs)(s.li,{children:["Network related flags: ",(0,n.jsx)(s.code,{children:"--cluster-dns"}),", ",(0,n.jsx)(s.code,{children:"--cluster-domain"}),", ",(0,n.jsx)(s.code,{children:"--cluster-cidr"}),", ",(0,n.jsx)(s.code,{children:"--service-cidr"})]}),"\n",(0,n.jsxs)(s.li,{children:["Flags controlling the deployment of certain components: ",(0,n.jsx)(s.code,{children:"--disable-helm-controller"}),", ",(0,n.jsx)(s.code,{children:"--disable-kube-proxy"}),", ",(0,n.jsx)(s.code,{children:"--disable-network-policy"})," and any component passed to ",(0,n.jsx)(s.code,{children:"--disable"})]}),"\n",(0,n.jsxs)(s.li,{children:["Feature related flags: ",(0,n.jsx)(s.code,{children:"--secrets-encryption"})]}),"\n"]}),"\n",(0,n.jsx)(s.h2,{id:"existing-single-node-clusters",children:"Existing single-node clusters"}),"\n",(0,n.jsx)(s.admonition,{title:"Version Gate",type:"info",children:(0,n.jsxs)(s.p,{children:["Available as of ",(0,n.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.22.2%2Bk3s1",children:"v1.22.2+k3s1"})]})}),"\n",(0,n.jsxs)(s.p,{children:["If you have an existing cluster using the default embedded SQLite database, you can convert it to etcd by simply restarting your K3s server with the ",(0,n.jsx)(s.code,{children:"--cluster-init"})," flag. Once you've done that, you'll be able to add additional instances as described above."]}),"\n",(0,n.jsxs)(s.p,{children:["If an etcd datastore is found on disk either because that node has either initialized or joined a cluster already, the datastore arguments (",(0,n.jsx)(s.code,{children:"--cluster-init"}),", ",(0,n.jsx)(s.code,{children:"--server"}),", ",(0,n.jsx)(s.code,{children:"--datastore-endpoint"}),", etc) are ignored."]})]})}function h(e={}){const{wrapper:s}={...(0,r.a)(),...e.components};return s?(0,n.jsx)(s,{...e,children:(0,n.jsx)(c,{...e})}):c(e)}},1151:(e,s,t)=>{t.d(s,{Z:()=>a,a:()=>i});var n=t(7294);const r={},d=n.createContext(r);function i(e){const s=n.useContext(d);return n.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function a(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:i(e.components),n.createElement(d.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/b36bdd38.94fd1490.js b/assets/js/b36bdd38.94fd1490.js deleted file mode 100644 index 79f911ca6..000000000 --- a/assets/js/b36bdd38.94fd1490.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[6895],{5020:(e,s,t)=>{t.r(s),t.d(s,{assets:()=>o,contentTitle:()=>i,default:()=>h,frontMatter:()=>d,metadata:()=>a,toc:()=>l});var n=t(5893),r=t(1151);const d={title:"High Availability Embedded etcd"},i=void 0,a={id:"datastore/ha-embedded",title:"High Availability Embedded etcd",description:"Embedded etcd (HA) may have performance issues on slower disks such as Raspberry Pis running with SD cards.",source:"@site/docs/datastore/ha-embedded.md",sourceDirName:"datastore",slug:"/datastore/ha-embedded",permalink:"/datastore/ha-embedded",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/datastore/ha-embedded.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"High Availability Embedded etcd"},sidebar:"mySidebar",previous:{title:"Backup and Restore",permalink:"/datastore/backup-restore"},next:{title:"High Availability External DB",permalink:"/datastore/ha"}},o={},l=[{value:"Existing single-node clusters",id:"existing-single-node-clusters",level:2}];function c(e){const s={a:"a",admonition:"admonition",code:"code",h2:"h2",li:"li",p:"p",pre:"pre",strong:"strong",ul:"ul",...(0,r.a)(),...e.components},{Details:t}=s;return t||function(e,s){throw new Error("Expected "+(s?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}("Details",!0),(0,n.jsxs)(n.Fragment,{children:[(0,n.jsx)(s.admonition,{type:"warning",children:(0,n.jsx)(s.p,{children:"Embedded etcd (HA) may have performance issues on slower disks such as Raspberry Pis running with SD cards."})}),"\n",(0,n.jsxs)(t,{children:[(0,n.jsx)("summary",{children:"Why An Odd Number Of Server Nodes?"}),(0,n.jsx)(s.p,{children:"HA embedded etcd cluster must be comprised of an odd number of server nodes for etcd to maintain quorum. For a cluster with n servers, quorum is (n/2)+1. For any odd-sized cluster, adding one node will always increase the number of nodes necessary for quorum. Although adding a node to an odd-sized cluster appears better since there are more machines, the fault tolerance is worse since exactly the same number of nodes may fail without losing quorum but there are more nodes that can fail."})]}),"\n",(0,n.jsx)(s.p,{children:"An HA K3s cluster with embedded etcd is composed of:"}),"\n",(0,n.jsxs)(s.ul,{children:["\n",(0,n.jsxs)(s.li,{children:["Three or more ",(0,n.jsx)(s.strong,{children:"server nodes"})," that will serve the Kubernetes API and run other control plane services, as well as host the embedded etcd datastore."]}),"\n",(0,n.jsxs)(s.li,{children:["Optional: Zero or more ",(0,n.jsx)(s.strong,{children:"agent nodes"})," that are designated to run your apps and services"]}),"\n",(0,n.jsxs)(s.li,{children:["Optional: A ",(0,n.jsx)(s.strong,{children:"fixed registration address"})," for agent nodes to register with the cluster"]}),"\n"]}),"\n",(0,n.jsx)(s.admonition,{type:"note",children:(0,n.jsxs)(s.p,{children:["To rapidly deploy large HA clusters, see ",(0,n.jsx)(s.a,{href:"/related-projects",children:"Related Projects"})]})}),"\n",(0,n.jsxs)(s.p,{children:["To get started, first launch a server node with the ",(0,n.jsx)(s.code,{children:"cluster-init"})," flag to enable clustering and a token that will be used as a shared secret to join additional servers to the cluster."]}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | K3S_TOKEN=SECRET sh -s - server \\\n --cluster-init \\\n --tls-san=<FIXED_IP> # Optional, needed if using a fixed registration address\n"})}),"\n",(0,n.jsx)(s.p,{children:"After launching the first server, join the second and third servers to the cluster using the shared secret:"}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | K3S_TOKEN=SECRET sh -s - server \\\n --server https://<ip or hostname of server1>:6443 \\\n --tls-san=<FIXED_IP> # Optional, needed if using a fixed registration address\n"})}),"\n",(0,n.jsx)(s.p,{children:"Check to see that the second and third servers are now part of the cluster:"}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"$ kubectl get nodes\nNAME STATUS ROLES AGE VERSION\nserver1 Ready control-plane,etcd,master 28m vX.Y.Z\nserver2 Ready control-plane,etcd,master 13m vX.Y.Z\nserver3 Ready control-plane,etcd,master 10m vX.Y.Z\n"})}),"\n",(0,n.jsxs)(s.p,{children:["Now you have a highly available control plane. Any successfully clustered servers can be used in the ",(0,n.jsx)(s.code,{children:"--server"})," argument to join additional server and agent nodes. Joining additional agent nodes to the cluster follows the same procedure as servers:"]}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | K3S_TOKEN=SECRET sh -s - agent --server https://<ip or hostname of server>:6443\n"})}),"\n",(0,n.jsx)(s.p,{children:"There are a few config flags that must be the same in all server nodes:"}),"\n",(0,n.jsxs)(s.ul,{children:["\n",(0,n.jsxs)(s.li,{children:["Network related flags: ",(0,n.jsx)(s.code,{children:"--cluster-dns"}),", ",(0,n.jsx)(s.code,{children:"--cluster-domain"}),", ",(0,n.jsx)(s.code,{children:"--cluster-cidr"}),", ",(0,n.jsx)(s.code,{children:"--service-cidr"})]}),"\n",(0,n.jsxs)(s.li,{children:["Flags controlling the deployment of certain components: ",(0,n.jsx)(s.code,{children:"--disable-helm-controller"}),", ",(0,n.jsx)(s.code,{children:"--disable-kube-proxy"}),", ",(0,n.jsx)(s.code,{children:"--disable-network-policy"})," and any component passed to ",(0,n.jsx)(s.code,{children:"--disable"})]}),"\n",(0,n.jsxs)(s.li,{children:["Feature related flags: ",(0,n.jsx)(s.code,{children:"--secrets-encryption"})]}),"\n"]}),"\n",(0,n.jsx)(s.h2,{id:"existing-single-node-clusters",children:"Existing single-node clusters"}),"\n",(0,n.jsx)(s.admonition,{title:"Version Gate",type:"info",children:(0,n.jsxs)(s.p,{children:["Available as of ",(0,n.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.22.2%2Bk3s1",children:"v1.22.2+k3s1"})]})}),"\n",(0,n.jsxs)(s.p,{children:["If you have an existing cluster using the default embedded SQLite database, you can convert it to etcd by simply restarting your K3s server with the ",(0,n.jsx)(s.code,{children:"--cluster-init"})," flag. Once you've done that, you'll be able to add additional instances as described above."]}),"\n",(0,n.jsxs)(s.p,{children:["If an etcd datastore is found on disk either because that node has either initialized or joined a cluster already, the datastore arguments (",(0,n.jsx)(s.code,{children:"--cluster-init"}),", ",(0,n.jsx)(s.code,{children:"--server"}),", ",(0,n.jsx)(s.code,{children:"--datastore-endpoint"}),", etc) are ignored."]})]})}function h(e={}){const{wrapper:s}={...(0,r.a)(),...e.components};return s?(0,n.jsx)(s,{...e,children:(0,n.jsx)(c,{...e})}):c(e)}},1151:(e,s,t)=>{t.d(s,{Z:()=>a,a:()=>i});var n=t(7294);const r={},d=n.createContext(r);function i(e){const s=n.useContext(d);return n.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function a(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:i(e.components),n.createElement(d.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/b8002741.5f6e0146.js b/assets/js/b8002741.5f6e0146.js deleted file mode 100644 index 532f12a9c..000000000 --- a/assets/js/b8002741.5f6e0146.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[2573],{3338:(e,s,i)=>{i.r(s),i.d(s,{assets:()=>c,contentTitle:()=>l,default:()=>o,frontMatter:()=>n,metadata:()=>h,toc:()=>d});var r=i(5893),t=i(1151);const n={hide_table_of_contents:!0,sidebar_position:1},l="v1.30.X",h={id:"release-notes/v1.30.X",title:"v1.30.X",description:"Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.",source:"@site/docs/release-notes/v1.30.X.md",sourceDirName:"release-notes",slug:"/release-notes/v1.30.X",permalink:"/release-notes/v1.30.X",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/release-notes/v1.30.X.md",tags:[],version:"current",lastUpdatedAt:172365169e4,sidebarPosition:1,frontMatter:{hide_table_of_contents:!0,sidebar_position:1},sidebar:"mySidebar",previous:{title:"Resource Profiling",permalink:"/reference/resource-profiling"},next:{title:"v1.29.X",permalink:"/release-notes/v1.29.X"}},c={},d=[{value:"Release v1.30.3+k3s1",id:"release-v1303k3s1",level:2},{value:"Changes since v1.30.2+k3s2:",id:"changes-since-v1302k3s2",level:3},{value:"Release v1.30.2+k3s2",id:"release-v1302k3s2",level:2},{value:"Changes since v1.30.2+k3s1:",id:"changes-since-v1302k3s1",level:3},{value:"Release v1.30.2+k3s1",id:"release-v1302k3s1",level:2},{value:"Changes since v1.30.1+k3s1:",id:"changes-since-v1301k3s1",level:3},{value:"Release v1.30.1+k3s1",id:"release-v1301k3s1",level:2},{value:"Changes since v1.30.0+k3s1:",id:"changes-since-v1300k3s1",level:3},{value:"Release v1.30.0+k3s1",id:"release-v1300k3s1",level:2},{value:"Changes since v1.29.4+k3s1:",id:"changes-since-v1294k3s1",level:3}];function a(e){const s={a:"a",admonition:"admonition",code:"code",h1:"h1",h2:"h2",h3:"h3",hr:"hr",li:"li",p:"p",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,t.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(s.h1,{id:"v130x",children:"v1.30.X"}),"\n",(0,r.jsx)(s.admonition,{title:"Upgrade Notice",type:"warning",children:(0,r.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]})}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Version"}),(0,r.jsx)(s.th,{children:"Release date"}),(0,r.jsx)(s.th,{children:"Kubernetes"}),(0,r.jsx)(s.th,{children:"Kine"}),(0,r.jsx)(s.th,{children:"SQLite"}),(0,r.jsx)(s.th,{children:"Etcd"}),(0,r.jsx)(s.th,{children:"Containerd"}),(0,r.jsx)(s.th,{children:"Runc"}),(0,r.jsx)(s.th,{children:"Flannel"}),(0,r.jsx)(s.th,{children:"Metrics-server"}),(0,r.jsx)(s.th,{children:"Traefik"}),(0,r.jsx)(s.th,{children:"CoreDNS"}),(0,r.jsx)(s.th,{children:"Helm-controller"}),(0,r.jsx)(s.th,{children:"Local-path-provisioner"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.30.X#release-v1303k3s1",children:"v1.30.3+k3s1"})}),(0,r.jsx)(s.td,{children:"Jul 31 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#v1303",children:"v1.30.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.11",children:"v0.11.11"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1",children:"v1.7.17-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.4",children:"v0.25.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.16.1",children:"v0.16.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.28",children:"v0.0.28"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.30.X#release-v1302k3s2",children:"v1.30.2+k3s2"})}),(0,r.jsx)(s.td,{children:"Jul 03 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#v1302",children:"v1.30.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.9",children:"v0.11.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1",children:"v1.7.17-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.4",children:"v0.25.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.16.1",children:"v0.16.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.27",children:"v0.0.27"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.30.X#release-v1302k3s1",children:"v1.30.2+k3s1"})}),(0,r.jsx)(s.td,{children:"Jun 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#v1302",children:"v1.30.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.9",children:"v0.11.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1",children:"v1.7.17-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.2",children:"v0.25.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.16.1",children:"v0.16.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.27",children:"v0.0.27"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.30.X#release-v1301k3s1",children:"v1.30.1+k3s1"})}),(0,r.jsx)(s.td,{children:"May 22 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#v1301",children:"v1.30.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.8-0.20240430184817-f9ce6f8da97b",children:"v0.11.8-0.20240430184817-f9ce6f8da97b"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.15-k3s1",children:"v1.7.15-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.16.1-0.20240502205943-2f32059d43e6",children:"v0.16.1-0.20240502205943-2f32059d43e6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.30.X#release-v1300k3s1",children:"v1.30.0+k3s1"})}),(0,r.jsx)(s.td,{children:"May 10 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#v1300",children:"v1.30.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.7",children:"v0.11.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.15-k3s1",children:"v1.7.15-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.16.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]})]})]}),"\n",(0,r.jsx)("br",{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1303k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.30.3+k3s1",children:"v1.30.3+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.30.3, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#changelog-since-v1302",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1302k3s2",children:"Changes since v1.30.2+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update channel server for k3s2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10446",children:"(#10446)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Set correct release channel for e2e upgrade test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10460",children:"(#10460)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-07 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10497",children:"(#10497)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump k3s-root to v0.14.0"}),"\n",(0,r.jsx)(s.li,{children:"Bump github.com/hashicorp/go-retryablehttp from 0.7.4 to 0.7.7"}),"\n",(0,r.jsx)(s.li,{children:"Bump Local Path Provisioner version"}),"\n",(0,r.jsx)(s.li,{children:"Ensure remotedialer kubelet connections use kubelet bind address"}),"\n",(0,r.jsx)(s.li,{children:"Chore: Bump Trivy version"}),"\n",(0,r.jsx)(s.li,{children:"Add etcd s3 config secret implementation"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["July Test Backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10507",children:"(#10507)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.30.3-k3s1 and Go 1.22.5 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10536",children:"(#10536)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issues loading data-dir value from env vars or dropping config files ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10596",children:"(#10596)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1302k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.30.2+k3s2",children:"v1.30.2+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.30.2, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#changelog-since-v1302",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1302k3s1",children:"Changes since v1.30.2+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update stable channel to v1.29.6+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10417",children:"(#10417)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update flannel to v0.25.4 and fixed issue with IPv6 mask ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10422",children:"(#10422)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1302k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.30.2+k3s1",children:"v1.30.2+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.30.2, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#changelog-since-v1301",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1301k3s1",children:"Changes since v1.30.1+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix bug when using tailscale config by file ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10074",children:"(#10074)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix bug when using ",(0,r.jsx)(s.code,{children:"vpn-auth-file"})," in the agent"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add WithSkipMissing to not fail import on missing blobs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10136",children:"(#10136)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use fixed stream server bind address for cri-dockerd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9975",children:"(#9975)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Switch stargz over to cri registry config_path ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9977",children:"(#9977)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump to containerd v1.7.17, etcd v3.5.13 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10123",children:"(#10123)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump spegel version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10118",children:"(#10118)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue installing artifacts from PR builds with multiple runs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10122",children:"(#10122)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue with ",(0,r.jsx)(s.code,{children:"externalTrafficPolicy: Local"})," for single-stack services on dual-stack nodes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9963",children:"(#9963)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update local-path-provisioner helper script ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9964",children:"(#9964)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add support for svclb pod PriorityClassName ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10045",children:"(#10045)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["ServiceLB now sets the priorityClassName on svclb pods to ",(0,r.jsx)(s.code,{children:"system-node-critical"})," by default. This can be overridden on a per-service basis via the ",(0,r.jsx)(s.code,{children:"svccontroller.k3s.cattle.io/priorityclassname"})," annotation."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Drop check for legacy traefik v1 chart ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9593",children:"(#9593)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"K3s no longer automatically skips deploying traefik v2 if traefik v1 is present. All clusters should have been upgraded to v2 at some point over the last three years."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router version to v2.1.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10177",children:"(#10177)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Create ADR for branching strategy ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10147",children:"(#10147)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump minio-go to v7.0.70 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10081",children:"(#10081)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump kine to v0.11.9 to fix pagination ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10082",children:"(#10082)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update valid resolv conf ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9948",children:"(#9948)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add missing kernel config check ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10100",children:"(#10100)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Git workflow file name correction ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10131",children:"(#10131)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"None"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Follow directory symlinks in auto deploying manifests (#9288) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10049",children:"(#10049)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Symlinked sub-directories are now respected when scanning Auto-Deploying Manifests (AddOns)"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix bug: allow helm controller set owner reference ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10048",children:"(#10048)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix go.mod ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10192",children:"(#10192)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump flannel version to v0.25.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10146",children:"(#10146)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Test: add agent with auth file ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10119",children:"(#10119)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix bug when using ",(0,r.jsx)(s.code,{children:"vpn-auth-file"})," in the agent"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add extra log in e2e tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10145",children:"(#10145)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update channel server for may 2024 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10137",children:"(#10137)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump klipper-helm image for tls secret support ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10187",children:"(#10187)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Updating the script binary_size_check to complete the command name by\u2026 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9992",children:"(#9992)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue with k3s-etcd informers not starting ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10047",children:"(#10047)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Enable serving supervisor metrics ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10019",children:"(#10019)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--Enable-pprof"})," can now be set on agents to enable the debug/pprof endpoints. When set, agents will listen on the supervisor port."]}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--Supervisor-metrics"})," can now be set on servers to enable serving internal metrics on the supervisor endpoint; when set agents will listen on the supervisor port."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump alpine from 3.18 to 3.20 in /conformance ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10210",children:"(#10210)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump alpine from 3.18 to 3.20 in /package ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10211",children:"(#10211)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump ubuntu from 22.04 to 24.04 in /tests/e2e/scripts ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10040",children:"(#10040)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10039",children:"(#10039)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix netpol crash when node remains tainted uninitialized ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10073",children:"(#10073)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue caused by sole server marked as failed under load ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10241",children:"(#10241)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded load-balancer will now fall back to trying all servers with health-checks ignored, if all servers have been marked unavailable due to failed health checks."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add write-kubeconfig-group flag to server ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9233",children:"(#9233)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"New flag in k3s server: --write-kubeconfig-group"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix embedded mirror blocked by SAR RBAC and re-enable test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10257",children:"(#10257)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Local Path Provisioner version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10268",children:"(#10268)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix: Use actual warningPeriod in certmonitor ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10271",children:"(#10271)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix bug that caused agents to bypass local loadbalancer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10280",children:"(#10280)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add ADR for support for etcd s3 config secret ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9364",children:"(#9364)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add test for ",(0,r.jsx)(s.code,{children:"isValidResolvConf"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10302",children:"(#10302)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add snapshot retention etcd-s3-folder fix ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10293",children:"(#10293)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Expand GHA golang caching to include newest release branch ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10307",children:"(#10307)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix race condition panic in loadbalancer.nextServer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10318",children:"(#10318)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix typo, use ",(0,r.jsx)(s.code,{children:"rancher/permissions"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10296",children:"(#10296)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.30.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10349",children:"(#10349)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix agent supervisor port using apiserver port instead ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10352",children:"(#10352)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue that allowed multiple simultaneous snapshots to be allowed ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10372",children:"(#10372)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1301k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.30.1+k3s1",children:"v1.30.1+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.30.1, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#changelog-since-v1300",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1300k3s1",children:"Changes since v1.30.0+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Replace deprecated ruby function in e2e tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10084",children:"(#10084)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update channels with 1.30 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10097",children:"(#10097)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Address 461 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10112",children:"(#10112)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.30.1-k3s1 and Go 1.22.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10105",children:"(#10105)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1300k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.30.0+k3s1",children:"v1.30.0+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release is K3S's first in the v1.30 line. This release updates Kubernetes to v1.30.0."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#changelog-since-v1290",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1294k3s1",children:"Changes since v1.29.4+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Kubernetes V1.30.0-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10063",children:"(#10063)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update stable channel to v1.29.4+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10031",children:"(#10031)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add E2E Split Server to Drone, support parallel testing in Drone ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9940",children:"(#9940)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump E2E opensuse leap to 15.6, fix btrfs test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10057",children:"(#10057)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove deprecated ",(0,r.jsx)(s.code,{children:"pod-infra-container-image"})," kubelet flag ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7409",children:"(#7409)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix e2e tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10061",children:"(#10061)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{})]})}function o(e={}){const{wrapper:s}={...(0,t.a)(),...e.components};return s?(0,r.jsx)(s,{...e,children:(0,r.jsx)(a,{...e})}):a(e)}},1151:(e,s,i)=>{i.d(s,{Z:()=>h,a:()=>l});var r=i(7294);const t={},n=r.createContext(t);function l(e){const s=r.useContext(n);return r.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function h(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:l(e.components),r.createElement(n.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/b8002741.8bc866ac.js b/assets/js/b8002741.8bc866ac.js new file mode 100644 index 000000000..33f9a154c --- /dev/null +++ b/assets/js/b8002741.8bc866ac.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[2573],{3338:(e,s,i)=>{i.r(s),i.d(s,{assets:()=>c,contentTitle:()=>l,default:()=>o,frontMatter:()=>n,metadata:()=>h,toc:()=>d});var r=i(5893),t=i(1151);const n={hide_table_of_contents:!0,sidebar_position:1},l="v1.30.X",h={id:"release-notes/v1.30.X",title:"v1.30.X",description:"Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.",source:"@site/docs/release-notes/v1.30.X.md",sourceDirName:"release-notes",slug:"/release-notes/v1.30.X",permalink:"/release-notes/v1.30.X",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/release-notes/v1.30.X.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,sidebarPosition:1,frontMatter:{hide_table_of_contents:!0,sidebar_position:1},sidebar:"mySidebar",previous:{title:"Resource Profiling",permalink:"/reference/resource-profiling"},next:{title:"v1.29.X",permalink:"/release-notes/v1.29.X"}},c={},d=[{value:"Release v1.30.3+k3s1",id:"release-v1303k3s1",level:2},{value:"Changes since v1.30.2+k3s2:",id:"changes-since-v1302k3s2",level:3},{value:"Release v1.30.2+k3s2",id:"release-v1302k3s2",level:2},{value:"Changes since v1.30.2+k3s1:",id:"changes-since-v1302k3s1",level:3},{value:"Release v1.30.2+k3s1",id:"release-v1302k3s1",level:2},{value:"Changes since v1.30.1+k3s1:",id:"changes-since-v1301k3s1",level:3},{value:"Release v1.30.1+k3s1",id:"release-v1301k3s1",level:2},{value:"Changes since v1.30.0+k3s1:",id:"changes-since-v1300k3s1",level:3},{value:"Release v1.30.0+k3s1",id:"release-v1300k3s1",level:2},{value:"Changes since v1.29.4+k3s1:",id:"changes-since-v1294k3s1",level:3}];function a(e){const s={a:"a",admonition:"admonition",code:"code",h1:"h1",h2:"h2",h3:"h3",header:"header",hr:"hr",li:"li",p:"p",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,t.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(s.header,{children:(0,r.jsx)(s.h1,{id:"v130x",children:"v1.30.X"})}),"\n",(0,r.jsx)(s.admonition,{title:"Upgrade Notice",type:"warning",children:(0,r.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]})}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Version"}),(0,r.jsx)(s.th,{children:"Release date"}),(0,r.jsx)(s.th,{children:"Kubernetes"}),(0,r.jsx)(s.th,{children:"Kine"}),(0,r.jsx)(s.th,{children:"SQLite"}),(0,r.jsx)(s.th,{children:"Etcd"}),(0,r.jsx)(s.th,{children:"Containerd"}),(0,r.jsx)(s.th,{children:"Runc"}),(0,r.jsx)(s.th,{children:"Flannel"}),(0,r.jsx)(s.th,{children:"Metrics-server"}),(0,r.jsx)(s.th,{children:"Traefik"}),(0,r.jsx)(s.th,{children:"CoreDNS"}),(0,r.jsx)(s.th,{children:"Helm-controller"}),(0,r.jsx)(s.th,{children:"Local-path-provisioner"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.30.X#release-v1303k3s1",children:"v1.30.3+k3s1"})}),(0,r.jsx)(s.td,{children:"Jul 31 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#v1303",children:"v1.30.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.11",children:"v0.11.11"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1",children:"v1.7.17-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.4",children:"v0.25.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.16.1",children:"v0.16.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.28",children:"v0.0.28"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.30.X#release-v1302k3s2",children:"v1.30.2+k3s2"})}),(0,r.jsx)(s.td,{children:"Jul 03 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#v1302",children:"v1.30.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.9",children:"v0.11.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1",children:"v1.7.17-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.4",children:"v0.25.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.16.1",children:"v0.16.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.27",children:"v0.0.27"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.30.X#release-v1302k3s1",children:"v1.30.2+k3s1"})}),(0,r.jsx)(s.td,{children:"Jun 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#v1302",children:"v1.30.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.9",children:"v0.11.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1",children:"v1.7.17-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.2",children:"v0.25.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.16.1",children:"v0.16.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.27",children:"v0.0.27"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.30.X#release-v1301k3s1",children:"v1.30.1+k3s1"})}),(0,r.jsx)(s.td,{children:"May 22 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#v1301",children:"v1.30.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.8-0.20240430184817-f9ce6f8da97b",children:"v0.11.8-0.20240430184817-f9ce6f8da97b"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.15-k3s1",children:"v1.7.15-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.16.1-0.20240502205943-2f32059d43e6",children:"v0.16.1-0.20240502205943-2f32059d43e6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.30.X#release-v1300k3s1",children:"v1.30.0+k3s1"})}),(0,r.jsx)(s.td,{children:"May 10 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#v1300",children:"v1.30.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.7",children:"v0.11.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.15-k3s1",children:"v1.7.15-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.16.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]})]})]}),"\n",(0,r.jsx)("br",{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1303k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.30.3+k3s1",children:"v1.30.3+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.30.3, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#changelog-since-v1302",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1302k3s2",children:"Changes since v1.30.2+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update channel server for k3s2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10446",children:"(#10446)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Set correct release channel for e2e upgrade test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10460",children:"(#10460)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-07 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10497",children:"(#10497)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump k3s-root to v0.14.0"}),"\n",(0,r.jsx)(s.li,{children:"Bump github.com/hashicorp/go-retryablehttp from 0.7.4 to 0.7.7"}),"\n",(0,r.jsx)(s.li,{children:"Bump Local Path Provisioner version"}),"\n",(0,r.jsx)(s.li,{children:"Ensure remotedialer kubelet connections use kubelet bind address"}),"\n",(0,r.jsx)(s.li,{children:"Chore: Bump Trivy version"}),"\n",(0,r.jsx)(s.li,{children:"Add etcd s3 config secret implementation"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["July Test Backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10507",children:"(#10507)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.30.3-k3s1 and Go 1.22.5 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10536",children:"(#10536)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issues loading data-dir value from env vars or dropping config files ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10596",children:"(#10596)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1302k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.30.2+k3s2",children:"v1.30.2+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.30.2, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#changelog-since-v1302",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1302k3s1",children:"Changes since v1.30.2+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update stable channel to v1.29.6+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10417",children:"(#10417)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update flannel to v0.25.4 and fixed issue with IPv6 mask ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10422",children:"(#10422)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1302k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.30.2+k3s1",children:"v1.30.2+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.30.2, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#changelog-since-v1301",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1301k3s1",children:"Changes since v1.30.1+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix bug when using tailscale config by file ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10074",children:"(#10074)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix bug when using ",(0,r.jsx)(s.code,{children:"vpn-auth-file"})," in the agent"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add WithSkipMissing to not fail import on missing blobs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10136",children:"(#10136)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use fixed stream server bind address for cri-dockerd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9975",children:"(#9975)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Switch stargz over to cri registry config_path ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9977",children:"(#9977)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump to containerd v1.7.17, etcd v3.5.13 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10123",children:"(#10123)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump spegel version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10118",children:"(#10118)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue installing artifacts from PR builds with multiple runs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10122",children:"(#10122)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue with ",(0,r.jsx)(s.code,{children:"externalTrafficPolicy: Local"})," for single-stack services on dual-stack nodes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9963",children:"(#9963)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update local-path-provisioner helper script ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9964",children:"(#9964)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add support for svclb pod PriorityClassName ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10045",children:"(#10045)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["ServiceLB now sets the priorityClassName on svclb pods to ",(0,r.jsx)(s.code,{children:"system-node-critical"})," by default. This can be overridden on a per-service basis via the ",(0,r.jsx)(s.code,{children:"svccontroller.k3s.cattle.io/priorityclassname"})," annotation."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Drop check for legacy traefik v1 chart ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9593",children:"(#9593)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"K3s no longer automatically skips deploying traefik v2 if traefik v1 is present. All clusters should have been upgraded to v2 at some point over the last three years."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router version to v2.1.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10177",children:"(#10177)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Create ADR for branching strategy ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10147",children:"(#10147)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump minio-go to v7.0.70 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10081",children:"(#10081)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump kine to v0.11.9 to fix pagination ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10082",children:"(#10082)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update valid resolv conf ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9948",children:"(#9948)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add missing kernel config check ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10100",children:"(#10100)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Git workflow file name correction ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10131",children:"(#10131)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"None"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Follow directory symlinks in auto deploying manifests (#9288) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10049",children:"(#10049)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Symlinked sub-directories are now respected when scanning Auto-Deploying Manifests (AddOns)"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix bug: allow helm controller set owner reference ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10048",children:"(#10048)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix go.mod ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10192",children:"(#10192)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump flannel version to v0.25.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10146",children:"(#10146)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Test: add agent with auth file ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10119",children:"(#10119)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix bug when using ",(0,r.jsx)(s.code,{children:"vpn-auth-file"})," in the agent"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add extra log in e2e tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10145",children:"(#10145)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update channel server for may 2024 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10137",children:"(#10137)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump klipper-helm image for tls secret support ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10187",children:"(#10187)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Updating the script binary_size_check to complete the command name by\u2026 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9992",children:"(#9992)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue with k3s-etcd informers not starting ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10047",children:"(#10047)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Enable serving supervisor metrics ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10019",children:"(#10019)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--Enable-pprof"})," can now be set on agents to enable the debug/pprof endpoints. When set, agents will listen on the supervisor port."]}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--Supervisor-metrics"})," can now be set on servers to enable serving internal metrics on the supervisor endpoint; when set agents will listen on the supervisor port."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump alpine from 3.18 to 3.20 in /conformance ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10210",children:"(#10210)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump alpine from 3.18 to 3.20 in /package ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10211",children:"(#10211)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump ubuntu from 22.04 to 24.04 in /tests/e2e/scripts ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10040",children:"(#10040)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10039",children:"(#10039)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix netpol crash when node remains tainted uninitialized ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10073",children:"(#10073)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue caused by sole server marked as failed under load ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10241",children:"(#10241)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded load-balancer will now fall back to trying all servers with health-checks ignored, if all servers have been marked unavailable due to failed health checks."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add write-kubeconfig-group flag to server ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9233",children:"(#9233)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"New flag in k3s server: --write-kubeconfig-group"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix embedded mirror blocked by SAR RBAC and re-enable test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10257",children:"(#10257)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Local Path Provisioner version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10268",children:"(#10268)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix: Use actual warningPeriod in certmonitor ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10271",children:"(#10271)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix bug that caused agents to bypass local loadbalancer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10280",children:"(#10280)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add ADR for support for etcd s3 config secret ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9364",children:"(#9364)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add test for ",(0,r.jsx)(s.code,{children:"isValidResolvConf"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10302",children:"(#10302)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add snapshot retention etcd-s3-folder fix ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10293",children:"(#10293)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Expand GHA golang caching to include newest release branch ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10307",children:"(#10307)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix race condition panic in loadbalancer.nextServer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10318",children:"(#10318)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix typo, use ",(0,r.jsx)(s.code,{children:"rancher/permissions"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10296",children:"(#10296)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.30.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10349",children:"(#10349)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix agent supervisor port using apiserver port instead ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10352",children:"(#10352)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue that allowed multiple simultaneous snapshots to be allowed ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10372",children:"(#10372)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1301k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.30.1+k3s1",children:"v1.30.1+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.30.1, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#changelog-since-v1300",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1300k3s1",children:"Changes since v1.30.0+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Replace deprecated ruby function in e2e tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10084",children:"(#10084)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update channels with 1.30 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10097",children:"(#10097)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Address 461 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10112",children:"(#10112)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.30.1-k3s1 and Go 1.22.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10105",children:"(#10105)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1300k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.30.0+k3s1",children:"v1.30.0+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release is K3S's first in the v1.30 line. This release updates Kubernetes to v1.30.0."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#changelog-since-v1290",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1294k3s1",children:"Changes since v1.29.4+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Kubernetes V1.30.0-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10063",children:"(#10063)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update stable channel to v1.29.4+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10031",children:"(#10031)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add E2E Split Server to Drone, support parallel testing in Drone ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9940",children:"(#9940)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump E2E opensuse leap to 15.6, fix btrfs test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10057",children:"(#10057)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove deprecated ",(0,r.jsx)(s.code,{children:"pod-infra-container-image"})," kubelet flag ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7409",children:"(#7409)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix e2e tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10061",children:"(#10061)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{})]})}function o(e={}){const{wrapper:s}={...(0,t.a)(),...e.components};return s?(0,r.jsx)(s,{...e,children:(0,r.jsx)(a,{...e})}):a(e)}},1151:(e,s,i)=>{i.d(s,{Z:()=>h,a:()=>l});var r=i(7294);const t={},n=r.createContext(t);function l(e){const s=r.useContext(n);return r.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function h(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:l(e.components),r.createElement(n.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/b9a30a37.cffce9fc.js b/assets/js/b9a30a37.cffce9fc.js deleted file mode 100644 index 08390d470..000000000 --- a/assets/js/b9a30a37.cffce9fc.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[2038],{9763:(e,r,s)=>{s.r(r),s.d(r,{assets:()=>c,contentTitle:()=>a,default:()=>u,frontMatter:()=>i,metadata:()=>l,toc:()=>o});var t=s(5893),n=s(1151);const i={title:"CIS 1.8 Self Assessment Guide"},a=void 0,l={id:"security/self-assessment-1.8",title:"CIS 1.8 Self Assessment Guide",description:"Overview",source:"@site/docs/security/self-assessment-1.8.md",sourceDirName:"security",slug:"/security/self-assessment-1.8",permalink:"/security/self-assessment-1.8",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/security/self-assessment-1.8.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"CIS 1.8 Self Assessment Guide"},sidebar:"mySidebar",previous:{title:"CIS Hardening Guide",permalink:"/security/hardening-guide"},next:{title:"CIS 1.7 Self Assessment Guide",permalink:"/security/self-assessment-1.7"}},c={},o=[{value:"Overview",id:"overview",level:2},{value:"Testing controls methodology",id:"testing-controls-methodology",level:3},{value:"1.1 Control Plane Node Configuration Files",id:"11-control-plane-node-configuration-files",level:2},{value:"1.1.1 Ensure that the API server pod specification file permissions are set to 600 or more restrictive (Automated)",id:"111-ensure-that-the-api-server-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.2 Ensure that the API server pod specification file ownership is set to root (Automated)",id:"112-ensure-that-the-api-server-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.3 Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive (Automated)",id:"113-ensure-that-the-controller-manager-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.4 Ensure that the controller manager pod specification file ownership is set to root (Automated)",id:"114-ensure-that-the-controller-manager-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.5 Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive (Automated)",id:"115-ensure-that-the-scheduler-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.6 Ensure that the scheduler pod specification file ownership is set to root (Automated)",id:"116-ensure-that-the-scheduler-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.7 Ensure that the etcd pod specification file permissions are set to 600 or more restrictive (Automated)",id:"117-ensure-that-the-etcd-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.8 Ensure that the etcd pod specification file ownership is set to root (Automated)",id:"118-ensure-that-the-etcd-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.9 Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Automated)",id:"119-ensure-that-the-container-network-interface-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.10 Ensure that the Container Network Interface file ownership is set to root (Manual)",id:"1110-ensure-that-the-container-network-interface-file-ownership-is-set-to-root-manual",level:3},{value:"1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)",id:"1111-ensure-that-the-etcd-data-directory-permissions-are-set-to-700-or-more-restrictive-automated",level:3},{value:"1.1.12 Ensure that the etcd data directory ownership is set to etcd (Automated)",id:"1112-ensure-that-the-etcd-data-directory-ownership-is-set-to-etcd-automated",level:3},{value:"1.1.13 Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)",id:"1113-ensure-that-the-adminconf-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.14 Ensure that the admin.conf file ownership is set to root (Automated)",id:"1114-ensure-that-the-adminconf-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.15 Ensure that the scheduler.conf file permissions are set to 600 or more restrictive (Automated)",id:"1115-ensure-that-the-schedulerconf-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.16 Ensure that the scheduler.conf file ownership is set to root (Automated)",id:"1116-ensure-that-the-schedulerconf-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.17 Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive (Automated)",id:"1117-ensure-that-the-controller-managerconf-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.18 Ensure that the controller-manager.conf file ownership is set to root (Automated)",id:"1118-ensure-that-the-controller-managerconf-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root (Automated)",id:"1119-ensure-that-the-kubernetes-pki-directory-and-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Manual)",id:"1120-ensure-that-the-kubernetes-pki-certificate-file-permissions-are-set-to-600-or-more-restrictive-manual",level:3},{value:"1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Automated)",id:"1121-ensure-that-the-kubernetes-pki-key-file-permissions-are-set-to-600-automated",level:3},{value:"1.2 API Server",id:"12-api-server",level:2},{value:"1.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)",id:"121-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",level:3},{value:"1.2.2 Ensure that the --token-auth-file parameter is not set (Automated)",id:"122-ensure-that-the---token-auth-file-parameter-is-not-set-automated",level:3},{value:"1.2.3 Ensure that the --DenyServiceExternalIPs is not set (Automated)",id:"123-ensure-that-the---denyserviceexternalips-is-not-set-automated",level:3},{value:"1.2.4 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)",id:"124-ensure-that-the---kubelet-client-certificate-and---kubelet-client-key-arguments-are-set-as-appropriate-automated",level:3},{value:"1.2.5 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)",id:"125-ensure-that-the---kubelet-certificate-authority-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.6 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)",id:"126-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",level:3},{value:"1.2.7 Ensure that the --authorization-mode argument includes Node (Automated)",id:"127-ensure-that-the---authorization-mode-argument-includes-node-automated",level:3},{value:"1.2.8 Ensure that the --authorization-mode argument includes RBAC (Automated)",id:"128-ensure-that-the---authorization-mode-argument-includes-rbac-automated",level:3},{value:"1.2.9 Ensure that the admission control plugin EventRateLimit is set (Manual)",id:"129-ensure-that-the-admission-control-plugin-eventratelimit-is-set-manual",level:3},{value:"1.2.10 Ensure that the admission control plugin AlwaysAdmit is not set (Automated)",id:"1210-ensure-that-the-admission-control-plugin-alwaysadmit-is-not-set-automated",level:3},{value:"1.2.11 Ensure that the admission control plugin AlwaysPullImages is set (Manual)",id:"1211-ensure-that-the-admission-control-plugin-alwayspullimages-is-set-manual",level:3},{value:"1.2.12 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)",id:"1212-ensure-that-the-admission-control-plugin-securitycontextdeny-is-set-if-podsecuritypolicy-is-not-used-manual",level:3},{value:"1.2.13 Ensure that the admission control plugin ServiceAccount is set (Automated)",id:"1213-ensure-that-the-admission-control-plugin-serviceaccount-is-set-automated",level:3},{value:"1.2.14 Ensure that the admission control plugin NamespaceLifecycle is set (Automated)",id:"1214-ensure-that-the-admission-control-plugin-namespacelifecycle-is-set-automated",level:3},{value:"1.2.15 Ensure that the admission control plugin NodeRestriction is set (Automated)",id:"1215-ensure-that-the-admission-control-plugin-noderestriction-is-set-automated",level:3},{value:"1.2.16 Ensure that the --profiling argument is set to false (Automated)",id:"1216-ensure-that-the---profiling-argument-is-set-to-false-automated",level:3},{value:"1.2.17 Ensure that the --audit-log-path argument is set (Manual)",id:"1217-ensure-that-the---audit-log-path-argument-is-set-manual",level:3},{value:"1.2.18 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Manual)",id:"1218-ensure-that-the---audit-log-maxage-argument-is-set-to-30-or-as-appropriate-manual",level:3},{value:"1.2.19 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Manual)",id:"1219-ensure-that-the---audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate-manual",level:3},{value:"1.2.20 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Manual)",id:"1220-ensure-that-the---audit-log-maxsize-argument-is-set-to-100-or-as-appropriate-manual",level:3},{value:"1.2.21 Ensure that the --request-timeout argument is set as appropriate (Manual)",id:"1221-ensure-that-the---request-timeout-argument-is-set-as-appropriate-manual",level:3},{value:"1.2.22 Ensure that the --service-account-lookup argument is set to true (Automated)",id:"1222-ensure-that-the---service-account-lookup-argument-is-set-to-true-automated",level:3},{value:"1.2.23 Ensure that the --service-account-key-file argument is set as appropriate (Automated)",id:"1223-ensure-that-the---service-account-key-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.24 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)",id:"1224-ensure-that-the---etcd-certfile-and---etcd-keyfile-arguments-are-set-as-appropriate-automated",level:3},{value:"1.2.25 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)",id:"1225-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"1.2.26 Ensure that the --client-ca-file argument is set as appropriate (Automated)",id:"1226-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.27 Ensure that the --etcd-cafile argument is set as appropriate (Automated)",id:"1227-ensure-that-the---etcd-cafile-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.28 Ensure that the --encryption-provider-config argument is set as appropriate (Manual)",id:"1228-ensure-that-the---encryption-provider-config-argument-is-set-as-appropriate-manual",level:3},{value:"1.2.29 Ensure that encryption providers are appropriately configured (Manual)",id:"1229-ensure-that-encryption-providers-are-appropriately-configured-manual",level:3},{value:"1.2.30 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Automated)",id:"1230-ensure-that-the-api-server-only-makes-use-of-strong-cryptographic-ciphers-automated",level:3},{value:"1.3 Controller Manager",id:"13-controller-manager",level:2},{value:"1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)",id:"131-ensure-that-the---terminated-pod-gc-threshold-argument-is-set-as-appropriate-manual",level:3},{value:"1.3.2 Ensure that the --profiling argument is set to false (Automated)",id:"132-ensure-that-the---profiling-argument-is-set-to-false-automated",level:3},{value:"1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated)",id:"133-ensure-that-the---use-service-account-credentials-argument-is-set-to-true-automated",level:3},{value:"1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)",id:"134-ensure-that-the---service-account-private-key-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated)",id:"135-ensure-that-the---root-ca-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)",id:"136-ensure-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",level:3},{value:"1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)",id:"137-ensure-that-the---bind-address-argument-is-set-to-127001-automated",level:3},{value:"1.4 Scheduler",id:"14-scheduler",level:2},{value:"1.4.1 Ensure that the --profiling argument is set to false (Automated)",id:"141-ensure-that-the---profiling-argument-is-set-to-false-automated",level:3},{value:"1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)",id:"142-ensure-that-the---bind-address-argument-is-set-to-127001-automated",level:3},{value:"2 Etcd Node Configuration",id:"2-etcd-node-configuration",level:2},{value:"2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)",id:"21-ensure-that-the---cert-file-and---key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"2.2 Ensure that the --client-cert-auth argument is set to true (Automated)",id:"22-ensure-that-the---client-cert-auth-argument-is-set-to-true-automated",level:3},{value:"2.3 Ensure that the --auto-tls argument is not set to true (Automated)",id:"23-ensure-that-the---auto-tls-argument-is-not-set-to-true-automated",level:3},{value:"2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)",id:"24-ensure-that-the---peer-cert-file-and---peer-key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"2.5 Ensure that the --peer-client-cert-auth argument is set to true (Automated)",id:"25-ensure-that-the---peer-client-cert-auth-argument-is-set-to-true-automated",level:3},{value:"2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated)",id:"26-ensure-that-the---peer-auto-tls-argument-is-not-set-to-true-automated",level:3},{value:"2.7 Ensure that a unique Certificate Authority is used for etcd (Automated)",id:"27-ensure-that-a-unique-certificate-authority-is-used-for-etcd-automated",level:3},{value:"4.1 Worker Node Configuration Files",id:"41-worker-node-configuration-files",level:2},{value:"4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive (Automated)",id:"411-ensure-that-the-kubelet-service-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.2 Ensure that the kubelet service file ownership is set to root (Automated)",id:"412-ensure-that-the-kubelet-service-file-ownership-is-set-to-root-automated",level:3},{value:"4.1.3 If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive (Automated)",id:"413-if-proxy-kubeconfig-file-exists-ensure-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.4 If proxy kubeconfig file exists ensure ownership is set to root (Automated)",id:"414-if-proxy-kubeconfig-file-exists-ensure-ownership-is-set-to-root-automated",level:3},{value:"4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive (Automated)",id:"415-ensure-that-the---kubeconfig-kubeletconf-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root (Automated)",id:"416-ensure-that-the---kubeconfig-kubeletconf-file-ownership-is-set-to-root-automated",level:3},{value:"4.1.7 Ensure that the certificate authorities file permissions are set to 600 or more restrictive (Automated)",id:"417-ensure-that-the-certificate-authorities-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.8 Ensure that the client certificate authorities file ownership is set to root (Automated)",id:"418-ensure-that-the-client-certificate-authorities-file-ownership-is-set-to-root-automated",level:3},{value:"4.1.9 Ensure that the kubelet --config configuration file has permissions set to 600 or more restrictive (Automated)",id:"419-ensure-that-the-kubelet---config-configuration-file-has-permissions-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.10 Ensure that the kubelet --config configuration file ownership is set to root (Automated)",id:"4110-ensure-that-the-kubelet---config-configuration-file-ownership-is-set-to-root-automated",level:3},{value:"4.2 Kubelet",id:"42-kubelet",level:2},{value:"4.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)",id:"421-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",level:3},{value:"4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)",id:"422-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",level:3},{value:"4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)",id:"423-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",level:3},{value:"4.2.4 Verify that the --read-only-port argument is set to 0 (Automated)",id:"424-verify-that-the---read-only-port-argument-is-set-to-0-automated",level:3},{value:"4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)",id:"425-ensure-that-the---streaming-connection-idle-timeout-argument-is-not-set-to-0-manual",level:3},{value:"4.2.6 Ensure that the --make-iptables-util-chains argument is set to true (Automated)",id:"426-ensure-that-the---make-iptables-util-chains-argument-is-set-to-true-automated",level:3},{value:"4.2.7 Ensure that the --hostname-override argument is not set (Automated)",id:"427-ensure-that-the---hostname-override-argument-is-not-set-automated",level:3},{value:"4.2.8 Ensure that the eventRecordQPS argument is set to a level which ensures appropriate event capture (Manual)",id:"428-ensure-that-the-eventrecordqps-argument-is-set-to-a-level-which-ensures-appropriate-event-capture-manual",level:3},{value:"4.2.9 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)",id:"429-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"4.2.10 Ensure that the --rotate-certificates argument is not set to false (Automated)",id:"4210-ensure-that-the---rotate-certificates-argument-is-not-set-to-false-automated",level:3},{value:"4.2.11 Verify that the RotateKubeletServerCertificate argument is set to true (Automated)",id:"4211-verify-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",level:3},{value:"4.2.12 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)",id:"4212-ensure-that-the-kubelet-only-makes-use-of-strong-cryptographic-ciphers-manual",level:3},{value:"4.2.13 Ensure that a limit is set on pod PIDs (Manual)",id:"4213-ensure-that-a-limit-is-set-on-pod-pids-manual",level:3},{value:"5.1 RBAC and Service Accounts",id:"51-rbac-and-service-accounts",level:2},{value:"5.1.1 Ensure that the cluster-admin role is only used where required (Manual)",id:"511-ensure-that-the-cluster-admin-role-is-only-used-where-required-manual",level:3},{value:"5.1.2 Minimize access to secrets (Manual)",id:"512-minimize-access-to-secrets-manual",level:3},{value:"5.1.3 Minimize wildcard use in Roles and ClusterRoles (Manual)",id:"513-minimize-wildcard-use-in-roles-and-clusterroles-manual",level:3},{value:"5.1.4 Minimize access to create pods (Manual)",id:"514-minimize-access-to-create-pods-manual",level:3},{value:"5.1.5 Ensure that default service accounts are not actively used. (Manual)",id:"515-ensure-that-default-service-accounts-are-not-actively-used-manual",level:3},{value:"5.1.6 Ensure that Service Account Tokens are only mounted where necessary (Manual)",id:"516-ensure-that-service-account-tokens-are-only-mounted-where-necessary-manual",level:3},{value:"5.1.7 Avoid use of system group (Manual)",id:"517-avoid-use-of-system-group-manual",level:3},{value:"5.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)",id:"518-limit-use-of-the-bind-impersonate-and-escalate-permissions-in-the-kubernetes-cluster-manual",level:3},{value:"5.1.9 Minimize access to create persistent volumes (Manual)",id:"519-minimize-access-to-create-persistent-volumes-manual",level:3},{value:"5.1.10 Minimize access to the proxy sub-resource of nodes (Manual)",id:"5110-minimize-access-to-the-proxy-sub-resource-of-nodes-manual",level:3},{value:"5.1.11 Minimize access to the approval sub-resource of certificatesigningrequests objects (Manual)",id:"5111-minimize-access-to-the-approval-sub-resource-of-certificatesigningrequests-objects-manual",level:3},{value:"5.1.12 Minimize access to webhook configuration objects (Manual)",id:"5112-minimize-access-to-webhook-configuration-objects-manual",level:3},{value:"5.1.13 Minimize access to the service account token creation (Manual)",id:"5113-minimize-access-to-the-service-account-token-creation-manual",level:3},{value:"5.2 Pod Security Standards",id:"52-pod-security-standards",level:2},{value:"5.2.1 Ensure that the cluster has at least one active policy control mechanism in place (Manual)",id:"521-ensure-that-the-cluster-has-at-least-one-active-policy-control-mechanism-in-place-manual",level:3},{value:"5.2.2 Minimize the admission of privileged containers (Manual)",id:"522-minimize-the-admission-of-privileged-containers-manual",level:3},{value:"5.2.3 Minimize the admission of containers wishing to share the host process ID namespace (Automated)",id:"523-minimize-the-admission-of-containers-wishing-to-share-the-host-process-id-namespace-automated",level:3},{value:"5.2.4 Minimize the admission of containers wishing to share the host IPC namespace (Automated)",id:"524-minimize-the-admission-of-containers-wishing-to-share-the-host-ipc-namespace-automated",level:3},{value:"5.2.5 Minimize the admission of containers wishing to share the host network namespace (Automated)",id:"525-minimize-the-admission-of-containers-wishing-to-share-the-host-network-namespace-automated",level:3},{value:"5.2.6 Minimize the admission of containers with allowPrivilegeEscalation (Automated)",id:"526-minimize-the-admission-of-containers-with-allowprivilegeescalation-automated",level:3},{value:"5.2.7 Minimize the admission of root containers (Automated)",id:"527-minimize-the-admission-of-root-containers-automated",level:3},{value:"5.2.8 Minimize the admission of containers with the NET_RAW capability (Automated)",id:"528-minimize-the-admission-of-containers-with-the-net_raw-capability-automated",level:3},{value:"5.2.9 Minimize the admission of containers with added capabilities (Automated)",id:"529-minimize-the-admission-of-containers-with-added-capabilities-automated",level:3},{value:"5.2.10 Minimize the admission of containers with capabilities assigned (Manual)",id:"5210-minimize-the-admission-of-containers-with-capabilities-assigned-manual",level:3},{value:"5.2.11 Minimize the admission of Windows HostProcess containers (Manual)",id:"5211-minimize-the-admission-of-windows-hostprocess-containers-manual",level:3},{value:"5.2.12 Minimize the admission of HostPath volumes (Manual)",id:"5212-minimize-the-admission-of-hostpath-volumes-manual",level:3},{value:"5.2.13 Minimize the admission of containers which use HostPorts (Manual)",id:"5213-minimize-the-admission-of-containers-which-use-hostports-manual",level:3},{value:"5.3 Network Policies and CNI",id:"53-network-policies-and-cni",level:2},{value:"5.3.1 Ensure that the CNI in use supports NetworkPolicies (Manual)",id:"531-ensure-that-the-cni-in-use-supports-networkpolicies-manual",level:3},{value:"5.3.2 Ensure that all Namespaces have NetworkPolicies defined (Manual)",id:"532-ensure-that-all-namespaces-have-networkpolicies-defined-manual",level:3},{value:"5.4 Secrets Management",id:"54-secrets-management",level:2},{value:"5.4.1 Prefer using Secrets as files over Secrets as environment variables (Manual)",id:"541-prefer-using-secrets-as-files-over-secrets-as-environment-variables-manual",level:3},{value:"5.4.2 Consider external secret storage (Manual)",id:"542-consider-external-secret-storage-manual",level:3},{value:"5.5 Extensible Admission Control",id:"55-extensible-admission-control",level:2},{value:"5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)",id:"551-configure-image-provenance-using-imagepolicywebhook-admission-controller-manual",level:3},{value:"5.7 General Policies",id:"57-general-policies",level:2},{value:"5.7.1 Create administrative boundaries between resources using namespaces (Manual)",id:"571-create-administrative-boundaries-between-resources-using-namespaces-manual",level:3},{value:"5.7.2 Ensure that the seccomp profile is set to docker/default in your Pod definitions (Manual)",id:"572-ensure-that-the-seccomp-profile-is-set-to-dockerdefault-in-your-pod-definitions-manual",level:3},{value:"5.7.3 Apply SecurityContext to your Pods and Containers (Manual)",id:"573-apply-securitycontext-to-your-pods-and-containers-manual",level:3},{value:"5.7.4 The default namespace should not be used (Manual)",id:"574-the-default-namespace-should-not-be-used-manual",level:3}];function d(e){const r={a:"a",code:"code",h2:"h2",h3:"h3",li:"li",p:"p",pre:"pre",strong:"strong",ul:"ul",...(0,n.a)(),...e.components},{Details:s}=r;return s||function(e,r){throw new Error("Expected "+(r?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}("Details",!0),(0,t.jsxs)(t.Fragment,{children:[(0,t.jsx)(r.h2,{id:"overview",children:"Overview"}),"\n",(0,t.jsxs)(r.p,{children:["This document is a companion to the ",(0,t.jsx)(r.a,{href:"/security/hardening-guide",children:"K3s security hardening guide"}),". The hardening guide provides prescriptive guidance for hardening a production installation of K3s, and this benchmark guide is meant to help you evaluate the level of security of the hardened cluster against each control in the CIS Kubernetes Benchmark. It is to be used by K3s operators, security teams, auditors, and decision-makers."]}),"\n",(0,t.jsxs)(r.p,{children:["This guide is specific to the ",(0,t.jsx)(r.strong,{children:"v1.26-v1.29"})," release line of K3s and the ",(0,t.jsx)(r.strong,{children:"v1.8"})," release of the CIS Kubernetes Benchmark."]}),"\n",(0,t.jsxs)(r.p,{children:["For more information about each control, including detailed descriptions and remediations for failing tests, you can refer to the corresponding section of the CIS Kubernetes Benchmark v1.8. You can download the benchmark, after creating a free account, in ",(0,t.jsx)(r.a,{href:"https://www.cisecurity.org/benchmark/kubernetes/",children:"Center for Internet Security (CIS)"}),"."]}),"\n",(0,t.jsx)(r.h3,{id:"testing-controls-methodology",children:"Testing controls methodology"}),"\n",(0,t.jsx)(r.p,{children:"Each control in the CIS Kubernetes Benchmark was evaluated against a K3s cluster that was configured according to the accompanying hardening guide."}),"\n",(0,t.jsx)(r.p,{children:"Where control audits differ from the original CIS benchmark, the audit commands specific to K3s are provided for testing."}),"\n",(0,t.jsx)(r.p,{children:"These are the possible results for each control:"}),"\n",(0,t.jsxs)(r.ul,{children:["\n",(0,t.jsxs)(r.li,{children:[(0,t.jsx)(r.strong,{children:"Pass"})," - The K3s cluster under test passed the audit outlined in the benchmark."]}),"\n",(0,t.jsxs)(r.li,{children:[(0,t.jsx)(r.strong,{children:"Not Applicable"})," - The control is not applicable to K3s because of how it is designed to operate. The remediation section will explain why this is so."]}),"\n",(0,t.jsxs)(r.li,{children:[(0,t.jsx)(r.strong,{children:"Warn"})," - The control is manual in the CIS benchmark and it depends on the cluster's use case or some other factor that must be determined by the cluster operator. These controls have been evaluated to ensure K3s does not prevent their implementation, but no further configuration or auditing of the cluster under test has been performed."]}),"\n"]}),"\n",(0,t.jsx)(r.p,{children:'This guide makes the assumption that K3s is running as a Systemd unit. Your installation may vary and will require you to adjust the "audit" commands to fit your scenario.'}),"\n",(0,t.jsx)(r.h2,{id:"11-control-plane-node-configuration-files",children:"1.1 Control Plane Node Configuration Files"}),"\n",(0,t.jsx)(r.h3,{id:"111-ensure-that-the-api-server-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.1 Ensure that the API server pod specification file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds the api server within the k3s process. There is no API server pod specification file."}),"\n",(0,t.jsxs)(r.h3,{id:"112-ensure-that-the-api-server-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.2 Ensure that the API server pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds the api server within the k3s process. There is no API server pod specification file."}),"\n",(0,t.jsx)(r.h3,{id:"113-ensure-that-the-controller-manager-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.3 Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds the controller manager within the k3s process. There is no controller manager pod specification file."}),"\n",(0,t.jsxs)(r.h3,{id:"114-ensure-that-the-controller-manager-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.4 Ensure that the controller manager pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds the controller manager within the k3s process. There is no controller manager pod specification file."}),"\n",(0,t.jsx)(r.h3,{id:"115-ensure-that-the-scheduler-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.5 Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds the scheduler within the k3s process. There is no scheduler pod specification file."}),"\n",(0,t.jsxs)(r.h3,{id:"116-ensure-that-the-scheduler-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.6 Ensure that the scheduler pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds the scheduler within the k3s process. There is no scheduler pod specification file."}),"\n",(0,t.jsx)(r.h3,{id:"117-ensure-that-the-etcd-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.7 Ensure that the etcd pod specification file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds etcd within the k3s process. There is no etcd pod specification file."}),"\n",(0,t.jsxs)(r.h3,{id:"118-ensure-that-the-etcd-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.8 Ensure that the etcd pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds etcd within the k3s process. There is no etcd pod specification file."}),"\n",(0,t.jsx)(r.h3,{id:"119-ensure-that-the-container-network-interface-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.9 Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"find /var/lib/cni/networks -type f ! -name lock 2> /dev/null | xargs --no-run-if-empty stat -c permissions=%a\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["By default, K3s sets the CNI file permissions to 600.\nNote that for many CNIs, a lock file is created with permissions 750. This is expected and can be ignored.\nIf you modify your CNI configuration, ensure that the permissions are set to 600.\nFor example, ",(0,t.jsx)(r.code,{children:"chmod 600 /var/lib/cni/networks/<filename>"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"1110-ensure-that-the-container-network-interface-file-ownership-is-set-to-root-manual",children:["1.1.10 Ensure that the Container Network Interface file ownership is set to root",":root"," (Manual)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chown root:root <path/to/cni/files>"})]}),"\n",(0,t.jsx)(r.h3,{id:"1111-ensure-that-the-etcd-data-directory-permissions-are-set-to-700-or-more-restrictive-automated",children:"1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:'if [ "$(journalctl -u k3s | grep -m1 \'Managed etcd cluster\' | wc -l)" -gt 0 ]; then\n stat -c permissions=%a /var/lib/rancher/k3s/server/db/etcd\nelse\n echo "permissions=700"\nfi\n'})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 700, expected 700 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=700\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["On the etcd server node, get the etcd data directory, passed as an argument --data-dir,\nfrom the command 'ps -ef | grep etcd'.\nRun the below command (based on the etcd data directory found above). For example,\n",(0,t.jsx)(r.code,{children:"chmod 700 /var/lib/etcd"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"1112-ensure-that-the-etcd-data-directory-ownership-is-set-to-etcd-automated",children:["1.1.12 Ensure that the etcd data directory ownership is set to etcd",":etcd"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsxs)(r.p,{children:["For K3s, etcd is embedded within the k3s process. There is no separate etcd process.\nTherefore the etcd data directory ownership is managed by the k3s process and should be root",":root","."]}),"\n",(0,t.jsx)(r.h3,{id:"1113-ensure-that-the-adminconf-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.13 Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/admin.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/admin.kubeconfig; fi'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,t.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/server/cred/admin.kubeconfig"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"1114-ensure-that-the-adminconf-file-ownership-is-set-to-root-automated",children:["1.1.14 Ensure that the admin.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/admin.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/server/cred/admin.kubeconfig; fi'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is equal to 'root",":root","'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,t.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/server/cred/admin.kubeconfig"})]})]}),"\n",(0,t.jsx)(r.h3,{id:"1115-ensure-that-the-schedulerconf-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.15 Ensure that the scheduler.conf file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; fi'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"1116-ensure-that-the-schedulerconf-file-ownership-is-set-to-root-automated",children:["1.1.16 Ensure that the scheduler.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; fi'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig"})]})]}),"\n",(0,t.jsx)(r.h3,{id:"1117-ensure-that-the-controller-managerconf-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.17 Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/controller.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/controller.kubeconfig; fi'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/server/cred/controller.kubeconfig"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"1118-ensure-that-the-controller-managerconf-file-ownership-is-set-to-root-automated",children:["1.1.18 Ensure that the controller-manager.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/server/cred/controller.kubeconfig\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is equal to 'root",":root","'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/server/cred/controller.kubeconfig"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"1119-ensure-that-the-kubernetes-pki-directory-and-file-ownership-is-set-to-root-automated",children:["1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/server/tls\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chown -R root:root /var/lib/rancher/k3s/server/tls"})]})]}),"\n",(0,t.jsx)(r.h3,{id:"1120-ensure-that-the-kubernetes-pki-certificate-file-permissions-are-set-to-600-or-more-restrictive-manual",children:"1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the master node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chmod -R 600 /var/lib/rancher/k3s/server/tls/*.crt"})]}),"\n",(0,t.jsx)(r.h3,{id:"1121-ensure-that-the-kubernetes-pki-key-file-permissions-are-set-to-600-automated",children:"1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'stat -c permissions=%a /var/lib/rancher/k3s/server/tls/*.key'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the master node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chmod -R 600 /var/lib/rancher/k3s/server/tls/*.key"})]})]}),"\n",(0,t.jsx)(r.h2,{id:"12-api-server",children:"1.2 API Server"}),"\n",(0,t.jsx)(r.h3,{id:"121-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",children:"1.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'anonymous-auth'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--anonymous-auth' is equal to 'false'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --anonymous-auth argument to false.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove anything similar to below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "anonymous-auth=true"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"122-ensure-that-the---token-auth-file-parameter-is-not-set-automated",children:"1.2.2 Ensure that the --token-auth-file parameter is not set (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--token-auth-file' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"Follow the documentation and configure alternate mechanisms for authentication.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove anything similar to below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "token-auth-file=<path>"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"123-ensure-that-the---denyserviceexternalips-is-not-set-automated",children:"1.2.3 Ensure that the --DenyServiceExternalIPs is not set (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--enable-admission-plugins' does not have 'DenyServiceExternalIPs' OR '--enable-admission-plugins' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set DenyServiceExternalIPs.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml, remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=DenyServiceExternalIPs"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"124-ensure-that-the---kubelet-client-certificate-and---kubelet-client-key-arguments-are-set-as-appropriate-automated",children:"1.2.4 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--kubelet-client-certificate' is present AND '--kubelet-client-key' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically provides the kubelet client certificate and key.\nThey are generated and located at /var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt and /var/lib/rancher/k3s/server/tls/client-kube-apiserver.key\nIf for some reason you need to provide your own certificate and key, you can set the\nbelow parameters in the K3s config file /etc/rancher/k3s/config.yaml."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "kubelet-client-certificate=<path/to/client-cert-file>"\n - "kubelet-client-key=<path/to/client-key-file>"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"125-ensure-that-the---kubelet-certificate-authority-argument-is-set-as-appropriate-automated",children:"1.2.5 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'kubelet-certificate-authority'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--kubelet-certificate-authority' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically provides the kubelet CA cert file, at /var/lib/rancher/k3s/server/tls/server-ca.crt.\nIf for some reason you need to provide your own ca certificate, look at using the k3s certificate command line tool.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "kubelet-certificate-authority=<path/to/ca-cert-file>"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"126-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",children:"1.2.6 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--authorization-mode' does not have 'AlwaysAllow'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set the --authorization-mode to AlwaysAllow.\nIf this check fails, edit K3s config file /etc/rancher/k3s/config.yaml, remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "authorization-mode=AlwaysAllow"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"127-ensure-that-the---authorization-mode-argument-includes-node-automated",children:"1.2.7 Ensure that the --authorization-mode argument includes Node (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--authorization-mode' has 'Node'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --authorization-mode to Node and RBAC.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml,\nensure that you are not overriding authorization-mode."})]}),"\n",(0,t.jsx)(r.h3,{id:"128-ensure-that-the---authorization-mode-argument-includes-rbac-automated",children:"1.2.8 Ensure that the --authorization-mode argument includes RBAC (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--authorization-mode' has 'RBAC'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --authorization-mode to Node and RBAC.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml,\nensure that you are not overriding authorization-mode."})]}),"\n",(0,t.jsx)(r.h3,{id:"129-ensure-that-the-admission-control-plugin-eventratelimit-is-set-manual",children:"1.2.9 Ensure that the admission control plugin EventRateLimit is set (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and set the desired limits in a configuration file.\nThen, edit the K3s config file /etc/rancher/k3s/config.yaml and set the below parameters."]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=...,EventRateLimit,..."\n - "admission-control-config-file=<path/to/configuration/file>"\n'})}),"\n",(0,t.jsx)(r.h3,{id:"1210-ensure-that-the-admission-control-plugin-alwaysadmit-is-not-set-automated",children:"1.2.10 Ensure that the admission control plugin AlwaysAdmit is not set (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--enable-admission-plugins' does not have 'AlwaysAdmit' OR '--enable-admission-plugins' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set the --enable-admission-plugins to AlwaysAdmit.\nIf this check fails, edit K3s config file /etc/rancher/k3s/config.yaml, remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=AlwaysAdmit"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1211-ensure-that-the-admission-control-plugin-alwayspullimages-is-set-manual",children:"1.2.11 Ensure that the admission control plugin AlwaysPullImages is set (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),'\nPermissive, per CIS guidelines,\n"This setting could impact offline or isolated clusters, which have images pre-loaded and\ndo not have access to a registry to pull in-use images. This setting is not appropriate for\nclusters which use this configuration."\nEdit the K3s config file /etc/rancher/k3s/config.yaml and set the below parameter.']}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=...,AlwaysPullImages,..."\n'})}),"\n",(0,t.jsx)(r.h3,{id:"1212-ensure-that-the-admission-control-plugin-securitycontextdeny-is-set-if-podsecuritypolicy-is-not-used-manual",children:"1.2.12 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"Enabling Pod Security Policy is no longer supported on K3s v1.25+ and will cause applications to unexpectedly fail."}),"\n",(0,t.jsx)(r.h3,{id:"1213-ensure-that-the-admission-control-plugin-serviceaccount-is-set-automated",children:"1.2.13 Ensure that the admission control plugin ServiceAccount is set (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--disable-admission-plugins' is present OR '--disable-admission-plugins' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set the --disable-admission-plugins to anything.\nFollow the documentation and create ServiceAccount objects as per your environment.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "disable-admission-plugins=ServiceAccount"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1214-ensure-that-the-admission-control-plugin-namespacelifecycle-is-set-automated",children:"1.2.14 Ensure that the admission control plugin NamespaceLifecycle is set (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--disable-admission-plugins' is present OR '--disable-admission-plugins' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set the --disable-admission-plugins to anything.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "disable-admission-plugins=...,NamespaceLifecycle,..."\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1215-ensure-that-the-admission-control-plugin-noderestriction-is-set-automated",children:"1.2.15 Ensure that the admission control plugin NodeRestriction is set (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--enable-admission-plugins' has 'NodeRestriction'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --enable-admission-plugins to NodeRestriction.\nIf using the K3s config file /etc/rancher/k3s/config.yaml, check that you are not overriding the admission plugins.\nIf you are, include NodeRestriction in the list."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=...,NodeRestriction,..."\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1216-ensure-that-the---profiling-argument-is-set-to-false-automated",children:"1.2.16 Ensure that the --profiling argument is set to false (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'profiling'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--profiling' is equal to 'false'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --profiling argument to false.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "profiling=true"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1217-ensure-that-the---audit-log-path-argument-is-set-manual",children:"1.2.17 Ensure that the --audit-log-path argument is set (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--audit-log-path' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml and set the audit-log-path parameter to a suitable path and\nfile where you would like audit logs to be written, for example,"}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1218-ensure-that-the---audit-log-maxage-argument-is-set-to-30-or-as-appropriate-manual",children:"1.2.18 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--audit-log-maxage' is greater or equal to 30"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and\nset the audit-log-maxage parameter to 30 or as an appropriate number of days, for example,"}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "audit-log-maxage=30"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1219-ensure-that-the---audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate-manual",children:"1.2.19 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--audit-log-maxbackup' is greater or equal to 10"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and\nset the audit-log-maxbackup parameter to 10 or to an appropriate value. For example,"}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "audit-log-maxbackup=10"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1220-ensure-that-the---audit-log-maxsize-argument-is-set-to-100-or-as-appropriate-manual",children:"1.2.20 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--audit-log-maxsize' is greater or equal to 100"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and\nset the audit-log-maxsize parameter to an appropriate size in MB. For example,"}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "audit-log-maxsize=100"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1221-ensure-that-the---request-timeout-argument-is-set-as-appropriate-manual",children:"1.2.21 Ensure that the --request-timeout argument is set as appropriate (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),'\nPermissive, per CIS guidelines,\n"it is recommended to set this limit as appropriate and change the default limit of 60 seconds only if needed".\nEdit the K3s config file /etc/rancher/k3s/config.yaml\nand set the below parameter if needed. For example,']}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "request-timeout=300s"\n'})}),"\n",(0,t.jsx)(r.h3,{id:"1222-ensure-that-the---service-account-lookup-argument-is-set-to-true-automated",children:"1.2.22 Ensure that the --service-account-lookup argument is set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--service-account-lookup' is not present OR '--service-account-lookup' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set the --service-account-lookup argument.\nEdit the K3s config file /etc/rancher/k3s/config.yaml and set the service-account-lookup. For example,"}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "service-account-lookup=true"\n'})}),(0,t.jsx)(r.p,{children:"Alternatively, you can delete the service-account-lookup parameter from this file so\nthat the default takes effect."})]}),"\n",(0,t.jsx)(r.h3,{id:"1223-ensure-that-the---service-account-key-file-argument-is-set-as-appropriate-automated",children:"1.2.23 Ensure that the --service-account-key-file argument is set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--service-account-key-file' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"K3s automatically generates and sets the service account key file.\nIt is located at /var/lib/rancher/k3s/server/tls/service.key.\nIf this check fails, edit K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "service-account-key-file=<path>"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1224-ensure-that-the---etcd-certfile-and---etcd-keyfile-arguments-are-set-as-appropriate-automated",children:"1.2.24 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"if [ \"$(journalctl -u k3s | grep -m1 'Managed etcd cluster' | wc -l)\" -gt 0 ]; then\n journalctl -D /var/log/journal -u k3s | grep -m1 'Running kube-apiserver' | tail -n1\nelse\n echo \"--etcd-certfile AND --etcd-keyfile\"\nfi\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--etcd-certfile' is present AND '--etcd-keyfile' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"K3s automatically generates and sets the etcd certificate and key files.\nThey are located at /var/lib/rancher/k3s/server/tls/etcd/client.crt and /var/lib/rancher/k3s/server/tls/etcd/client.key.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "etcd-certfile=<path>"\n - "etcd-keyfile=<path>"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1225-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",children:"1.2.25 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep -A1 'Running kube-apiserver' | tail -n2\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--tls-cert-file' is present AND '--tls-private-key-file' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\nAug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically generates and provides the TLS certificate and private key for the apiserver.\nThey are generated and located at /var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt and /var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "tls-cert-file=<path>"\n - "tls-private-key-file=<path>"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1226-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",children:"1.2.26 Ensure that the --client-ca-file argument is set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'client-ca-file'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--client-ca-file' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically provides the client certificate authority file.\nIt is generated and located at /var/lib/rancher/k3s/server/tls/client-ca.crt.\nIf for some reason you need to provide your own ca certificate, look at using the k3s certificate command line tool.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "client-ca-file=<path>"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1227-ensure-that-the---etcd-cafile-argument-is-set-as-appropriate-automated",children:"1.2.27 Ensure that the --etcd-cafile argument is set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'etcd-cafile'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--etcd-cafile' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically provides the etcd certificate authority file.\nIt is generated and located at /var/lib/rancher/k3s/server/tls/client-ca.crt.\nIf for some reason you need to provide your own ca certificate, look at using the k3s certificate command line tool.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "etcd-cafile=<path>"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1228-ensure-that-the---encryption-provider-config-argument-is-set-as-appropriate-manual",children:"1.2.28 Ensure that the --encryption-provider-config argument is set as appropriate (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'encryption-provider-config'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--encryption-provider-config' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"K3s can be configured to use encryption providers to encrypt secrets at rest.\nEdit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and set the below parameter.\nsecrets-encryption: true\nSecrets encryption can then be managed with the k3s secrets-encrypt command line tool.\nIf needed, you can find the generated encryption config at /var/lib/rancher/k3s/server/cred/encryption-config.json."})]}),"\n",(0,t.jsx)(r.h3,{id:"1229-ensure-that-encryption-providers-are-appropriately-configured-manual",children:"1.2.29 Ensure that encryption providers are appropriately configured (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"ENCRYPTION_PROVIDER_CONFIG=$(journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -- --encryption-provider-config | sed 's%.*encryption-provider-config[= ]\\([^ ]*\\).*%\\1%')\nif test -e $ENCRYPTION_PROVIDER_CONFIG; then grep -o 'providers\\\"\\:\\[.*\\]' $ENCRYPTION_PROVIDER_CONFIG | grep -o \"[A-Za-z]*\" | head -2 | tail -1 | sed 's/^/provider=/'; fi\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'provider' contains valid elements from 'aescbc,kms,secretbox'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"provider=aescbc\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"K3s can be configured to use encryption providers to encrypt secrets at rest. K3s will utilize the aescbc provider.\nEdit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and set the below parameter.\nsecrets-encryption: true\nSecrets encryption can then be managed with the k3s secrets-encrypt command line tool.\nIf needed, you can find the generated encryption config at /var/lib/rancher/k3s/server/cred/encryption-config.json"})]}),"\n",(0,t.jsx)(r.h3,{id:"1230-ensure-that-the-api-server-only-makes-use-of-strong-cryptographic-ciphers-automated",children:"1.2.30 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'tls-cipher-suites'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--tls-cipher-suites' contains valid elements from 'TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["By default, the K3s kube-apiserver complies with this test. Changes to these values may cause regression, therefore ensure that all apiserver clients support the new TLS configuration before applying it in production deployments.\nIf a custom TLS configuration is required, consider also creating a custom version of this rule that aligns with your requirements.\nIf this check fails, remove any custom configuration around ",(0,t.jsx)(r.code,{children:"tls-cipher-suites"})," or update the /etc/rancher/k3s/config.yaml file to match the default by adding the following:"]}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"\n'})})]}),"\n",(0,t.jsx)(r.h2,{id:"13-controller-manager",children:"1.3 Controller Manager"}),"\n",(0,t.jsx)(r.h3,{id:"131-ensure-that-the---terminated-pod-gc-threshold-argument-is-set-as-appropriate-manual",children:"1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'terminated-pod-gc-threshold'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--terminated-pod-gc-threshold' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node\nand set the --terminated-pod-gc-threshold to an appropriate threshold,"}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "terminated-pod-gc-threshold=10"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"132-ensure-that-the---profiling-argument-is-set-to-false-automated",children:"1.3.2 Ensure that the --profiling argument is set to false (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'profiling'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--profiling' is equal to 'false'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --profiling argument to false.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "profiling=true"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"133-ensure-that-the---use-service-account-credentials-argument-is-set-to-true-automated",children:"1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'use-service-account-credentials'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--use-service-account-credentials' is not equal to 'false'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --use-service-account-credentials argument to true.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "use-service-account-credentials=false"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"134-ensure-that-the---service-account-private-key-file-argument-is-set-as-appropriate-automated",children:"1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'service-account-private-key-file'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--service-account-private-key-file' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically provides the service account private key file.\nIt is generated and located at /var/lib/rancher/k3s/server/tls/service.current.key.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "service-account-private-key-file=<path>"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"135-ensure-that-the---root-ca-file-argument-is-set-as-appropriate-automated",children:"1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'root-ca-file'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--root-ca-file' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically provides the root CA file.\nIt is generated and located at /var/lib/rancher/k3s/server/tls/server-ca.crt.\nIf for some reason you need to provide your own ca certificate, look at using the k3s certificate command line tool.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "root-ca-file=<path>"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"136-ensure-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",children:"1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--feature-gates' is present OR '--feature-gates' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set the RotateKubeletServerCertificate feature gate.\nIf you have enabled this feature gate, you should remove it.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml, remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "feature-gate=RotateKubeletServerCertificate"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"137-ensure-that-the---bind-address-argument-is-set-to-127001-automated",children:"1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--bind-address' is equal to '127.0.0.1' OR '--bind-address' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --bind-address argument to 127.0.0.1\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "bind-address=<IP>"\n'})})]}),"\n",(0,t.jsx)(r.h2,{id:"14-scheduler",children:"1.4 Scheduler"}),"\n",(0,t.jsx)(r.h3,{id:"141-ensure-that-the---profiling-argument-is-set-to-false-automated",children:"1.4.1 Ensure that the --profiling argument is set to false (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-scheduler' | tail -n1 | grep 'profiling'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--profiling' is equal to 'false'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --profiling argument to false.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-scheduler-arg:\n - "profiling=true"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"142-ensure-that-the---bind-address-argument-is-set-to-127001-automated",children:"1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-scheduler' | tail -n1 | grep 'bind-address'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--bind-address' is equal to '127.0.0.1' OR '--bind-address' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --bind-address argument to 127.0.0.1\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-scheduler-arg:\n - "bind-address=<IP>"\n'})})]}),"\n",(0,t.jsx)(r.h2,{id:"2-etcd-node-configuration",children:"2 Etcd Node Configuration"}),"\n",(0,t.jsx)(r.h3,{id:"21-ensure-that-the---cert-file-and---key-file-arguments-are-set-as-appropriate-automated",children:"2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '.client-transport-security.cert-file' is equal to '/var/lib/rancher/k3s/server/tls/etcd/server-client.crt' AND '.client-transport-security.key-file' is equal to '/var/lib/rancher/k3s/server/tls/etcd/server-client.key'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nexperimental-watch-progress-notify-interval: 5000000000\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-11120bb0=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-http-urls: https://127.0.0.1:2382\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-11120bb0\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s generates cert and key files for etcd.\nThese are located in /var/lib/rancher/k3s/server/tls/etcd/.\nIf this check fails, ensure that the configuration file /var/lib/rancher/k3s/server/db/etcd/config\nhas not been modified to use custom cert and key files."})]}),"\n",(0,t.jsx)(r.h3,{id:"22-ensure-that-the---client-cert-auth-argument-is-set-to-true-automated",children:"2.2 Ensure that the --client-cert-auth argument is set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '.client-transport-security.client-cert-auth' is equal to 'true'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nexperimental-watch-progress-notify-interval: 5000000000\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-11120bb0=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-http-urls: https://127.0.0.1:2382\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-11120bb0\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s sets the --client-cert-auth parameter to true.\nIf this check fails, ensure that the configuration file /var/lib/rancher/k3s/server/db/etcd/config\nhas not been modified to disable client certificate authentication."})]}),"\n",(0,t.jsx)(r.h3,{id:"23-ensure-that-the---auto-tls-argument-is-not-set-to-true-automated",children:"2.3 Ensure that the --auto-tls argument is not set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '.client-transport-security.auto-tls' is present OR '.client-transport-security.auto-tls' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nexperimental-watch-progress-notify-interval: 5000000000\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-11120bb0=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-http-urls: https://127.0.0.1:2382\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-11120bb0\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s does not set the --auto-tls parameter.\nIf this check fails, edit the etcd pod specification file /var/lib/rancher/k3s/server/db/etcd/config on the master\nnode and either remove the --auto-tls parameter or set it to false.\nclient-transport-security:\nauto-tls: false"})]}),"\n",(0,t.jsx)(r.h3,{id:"24-ensure-that-the---peer-cert-file-and---peer-key-file-arguments-are-set-as-appropriate-automated",children:"2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '.peer-transport-security.cert-file' is equal to '/var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt' AND '.peer-transport-security.key-file' is equal to '/var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nexperimental-watch-progress-notify-interval: 5000000000\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-11120bb0=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-http-urls: https://127.0.0.1:2382\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-11120bb0\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s generates peer cert and key files for etcd.\nThese are located in /var/lib/rancher/k3s/server/tls/etcd/.\nIf this check fails, ensure that the configuration file /var/lib/rancher/k3s/server/db/etcd/config\nhas not been modified to use custom peer cert and key files."})]}),"\n",(0,t.jsx)(r.h3,{id:"25-ensure-that-the---peer-client-cert-auth-argument-is-set-to-true-automated",children:"2.5 Ensure that the --peer-client-cert-auth argument is set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '.peer-transport-security.client-cert-auth' is equal to 'true'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nexperimental-watch-progress-notify-interval: 5000000000\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-11120bb0=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-http-urls: https://127.0.0.1:2382\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-11120bb0\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s sets the --peer-cert-auth parameter to true.\nIf this check fails, ensure that the configuration file /var/lib/rancher/k3s/server/db/etcd/config\nhas not been modified to disable peer client certificate authentication."})]}),"\n",(0,t.jsx)(r.h3,{id:"26-ensure-that-the---peer-auto-tls-argument-is-not-set-to-true-automated",children:"2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '.peer-transport-security.auto-tls' is present OR '.peer-transport-security.auto-tls' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nexperimental-watch-progress-notify-interval: 5000000000\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-11120bb0=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-http-urls: https://127.0.0.1:2382\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-11120bb0\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s does not set the --peer-auto-tls parameter.\nIf this check fails, edit the etcd pod specification file /var/lib/rancher/k3s/server/db/etcd/config on the master\nnode and either remove the --peer-auto-tls parameter or set it to false.\npeer-transport-security:\nauto-tls: false"})]}),"\n",(0,t.jsx)(r.h3,{id:"27-ensure-that-a-unique-certificate-authority-is-used-for-etcd-automated",children:"2.7 Ensure that a unique Certificate Authority is used for etcd (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '.peer-transport-security.trusted-ca-file' is equal to '/var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nexperimental-watch-progress-notify-interval: 5000000000\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-11120bb0=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-http-urls: https://127.0.0.1:2382\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-11120bb0\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s generates a unique certificate authority for etcd.\nThis is located at /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt.\nIf this check fails, ensure that the configuration file /var/lib/rancher/k3s/server/db/etcd/config\nhas not been modified to use a shared certificate authority."})]}),"\n",(0,t.jsx)(r.h2,{id:"41-worker-node-configuration-files",children:"4.1 Worker Node Configuration Files"}),"\n",(0,t.jsx)(r.h3,{id:"411-ensure-that-the-kubelet-service-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"The kubelet is embedded in the k3s process. There is no kubelet service file, all configuration is passed in as arguments at runtime."}),"\n",(0,t.jsxs)(r.h3,{id:"412-ensure-that-the-kubelet-service-file-ownership-is-set-to-root-automated",children:["4.1.2 Ensure that the kubelet service file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"The kubelet is embedded in the k3s process. There is no kubelet service file, all configuration is passed in as arguments at runtime."}),"\n",(0,t.jsx)(r.p,{children:"All configuration is passed in as arguments at container run time."}),"\n",(0,t.jsx)(r.h3,{id:"413-if-proxy-kubeconfig-file-exists-ensure-permissions-are-set-to-600-or-more-restrictive-automated",children:"4.1.3 If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; fi' \n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the each worker node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"414-if-proxy-kubeconfig-file-exists-ensure-ownership-is-set-to-root-automated",children:["4.1.4 If proxy kubeconfig file exists ensure ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; fi' \n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the each worker node.\nFor example, ",(0,t.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig"})]})]}),"\n",(0,t.jsx)(r.h3,{id:"415-ensure-that-the---kubeconfig-kubeletconf-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/agent/kubelet.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/agent/kubelet.kubeconfig; fi' \n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the each worker node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/agent/kubelet.kubeconfig"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"416-ensure-that-the---kubeconfig-kubeletconf-file-ownership-is-set-to-root-automated",children:["4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/agent/kubelet.kubeconfig\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the each worker node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/agent/kubelet.kubeconfig"})]})]}),"\n",(0,t.jsx)(r.h3,{id:"417-ensure-that-the-certificate-authorities-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"4.1.7 Ensure that the certificate authorities file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"stat -c permissions=%a /var/lib/rancher/k3s/agent/client-ca.crt\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the following command to modify the file permissions of the\n--client-ca-file ",(0,t.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/agent/client-ca.crt"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"418-ensure-that-the-client-certificate-authorities-file-ownership-is-set-to-root-automated",children:["4.1.8 Ensure that the client certificate authorities file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/agent/client-ca.crt\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is equal to 'root",":root","'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the following command to modify the ownership of the --client-ca-file.\n",(0,t.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/agent/client-ca.crt"})]})]}),"\n",(0,t.jsx)(r.h3,{id:"419-ensure-that-the-kubelet---config-configuration-file-has-permissions-set-to-600-or-more-restrictive-automated",children:"4.1.9 Ensure that the kubelet --config configuration file has permissions set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"The kubelet is embedded in the k3s process. There is no kubelet config file, all configuration is passed in as arguments at runtime."}),"\n",(0,t.jsxs)(r.h3,{id:"4110-ensure-that-the-kubelet---config-configuration-file-ownership-is-set-to-root-automated",children:["4.1.10 Ensure that the kubelet --config configuration file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"The kubelet is embedded in the k3s process. There is no kubelet config file, all configuration is passed in as arguments at runtime."}),"\n",(0,t.jsx)(r.h2,{id:"42-kubelet",children:"4.2 Kubelet"}),"\n",(0,t.jsx)(r.h3,{id:"421-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",children:"4.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:'/bin/sh -c \'if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "anonymous-auth" | grep -v grep; else echo "--anonymous-auth=false"; fi\' \n'})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--anonymous-auth' is equal to 'false'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --anonymous-auth to false. If you have set this to a different value, you\nshould set it back to false. If using the K3s config file /etc/rancher/k3s/config.yaml, remove any lines similar to below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "anonymous-auth=true"\n'})}),(0,t.jsx)(r.p,{children:'If using the command line, edit the K3s service file and remove the below argument.\n--kubelet-arg="anonymous-auth=true"\nBased on your system, restart the k3s service. For example,\nsystemctl daemon-reload\nsystemctl restart k3s.service'})]}),"\n",(0,t.jsx)(r.h3,{id:"422-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",children:"4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:'/bin/sh -c \'if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "authorization-mode"; else echo "--authorization-mode=Webhook"; fi\' \n'})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--authorization-mode' does not have 'AlwaysAllow'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set the --authorization-mode to AlwaysAllow.\nIf using the K3s config file /etc/rancher/k3s/config.yaml, remove any lines similar to below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "authorization-mode=AlwaysAllow"\n'})}),(0,t.jsx)(r.p,{children:'If using the command line, edit the K3s service file and remove the below argument.\n--kubelet-arg="authorization-mode=AlwaysAllow"\nBased on your system, restart the k3s service. For example,\nsystemctl daemon-reload\nsystemctl restart k3s.service'})]}),"\n",(0,t.jsx)(r.h3,{id:"423-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",children:"4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:'/bin/sh -c \'if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "client-ca-file"; else echo "--client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt"; fi\' \n'})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--client-ca-file' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically provides the client ca certificate for the Kubelet.\nIt is generated and located at /var/lib/rancher/k3s/agent/client-ca.crt"})]}),"\n",(0,t.jsx)(r.h3,{id:"424-verify-that-the---read-only-port-argument-is-set-to-0-automated",children:"4.2.4 Verify that the --read-only-port argument is set to 0 (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--read-only-port' is equal to '0' OR '--read-only-port' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:19 server-0 k3s[2357]: time="2024-08-09T19:06:19Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --feature-gates=CloudDualStackNodeIPs=true --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --read-only-port to 0. If you have set this to a different value, you\nshould set it back to 0. If using the K3s config file /etc/rancher/k3s/config.yaml, remove any lines similar to below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "read-only-port=XXXX"\n'})}),(0,t.jsx)(r.p,{children:'If using the command line, edit the K3s service file and remove the below argument.\n--kubelet-arg="read-only-port=XXXX"\nBased on your system, restart the k3s service. For example,\nsystemctl daemon-reload\nsystemctl restart k3s.service'})]}),"\n",(0,t.jsx)(r.h3,{id:"425-ensure-that-the---streaming-connection-idle-timeout-argument-is-not-set-to-0-manual",children:"4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--streaming-connection-idle-timeout' is not equal to '0' OR '--streaming-connection-idle-timeout' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:19 server-0 k3s[2357]: time="2024-08-09T19:06:19Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --feature-gates=CloudDualStackNodeIPs=true --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If using the K3s config file /etc/rancher/k3s/config.yaml, set the following parameter to an appropriate value."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "streaming-connection-idle-timeout=5m"\n'})}),(0,t.jsx)(r.p,{children:'If using the command line, run K3s with --kubelet-arg="streaming-connection-idle-timeout=5m".\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service'})]}),"\n",(0,t.jsx)(r.h3,{id:"426-ensure-that-the---make-iptables-util-chains-argument-is-set-to-true-automated",children:"4.2.6 Ensure that the --make-iptables-util-chains argument is set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--make-iptables-util-chains' is equal to 'true' OR '--make-iptables-util-chains' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:19 server-0 k3s[2357]: time="2024-08-09T19:06:19Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --feature-gates=CloudDualStackNodeIPs=true --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If using the K3s config file /etc/rancher/k3s/config.yaml, set the following parameter."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "make-iptables-util-chains=true"\n'})}),(0,t.jsx)(r.p,{children:'If using the command line, run K3s with --kubelet-arg="make-iptables-util-chains=true".\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service'})]}),"\n",(0,t.jsx)(r.h3,{id:"427-ensure-that-the---hostname-override-argument-is-not-set-automated",children:"4.2.7 Ensure that the --hostname-override argument is not set (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s does set the --hostname-override argument. Per CIS guidelines, this is to comply\nwith cloud providers that require this flag to ensure that hostname matches node names."}),"\n",(0,t.jsx)(r.h3,{id:"428-ensure-that-the-eventrecordqps-argument-is-set-to-a-level-which-ensures-appropriate-event-capture-manual",children:"4.2.8 Ensure that the eventRecordQPS argument is set to a level which ensures appropriate event capture (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--event-qps' is greater or equal to 0 OR '--event-qps' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:19 server-0 k3s[2357]: time="2024-08-09T19:06:19Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --feature-gates=CloudDualStackNodeIPs=true --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the event-qps to 0. Should you wish to change this,\nIf using the K3s config file /etc/rancher/k3s/config.yaml, set the following parameter to an appropriate value."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "event-qps=<value>"\n'})}),(0,t.jsx)(r.p,{children:'If using the command line, run K3s with --kubelet-arg="event-qps=<value>".\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service'})]}),"\n",(0,t.jsx)(r.h3,{id:"429-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",children:"4.2.9 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--tls-cert-file' is present AND '--tls-private-key-file' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:19 server-0 k3s[2357]: time="2024-08-09T19:06:19Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --feature-gates=CloudDualStackNodeIPs=true --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically provides the TLS certificate and private key for the Kubelet.\nThey are generated and located at /var/lib/rancher/k3s/agent/serving-kubelet.crt and /var/lib/rancher/k3s/agent/serving-kubelet.key\nIf for some reason you need to provide your own certificate and key, you can set the\nbelow parameters in the K3s config file /etc/rancher/k3s/config.yaml."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "tls-cert-file=<path/to/tls-cert-file>"\n - "tls-private-key-file=<path/to/tls-private-key-file>"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"4210-ensure-that-the---rotate-certificates-argument-is-not-set-to-false-automated",children:"4.2.10 Ensure that the --rotate-certificates argument is not set to false (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '.rotateCertificates' is present OR '.rotateCertificates' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"apiVersion: v1\nclusters:\n- cluster:\n server: https://127.0.0.1:6443\n certificate-authority: /var/lib/rancher/k3s/agent/server-ca.crt\n name: local\ncontexts:\n- context:\n cluster: local\n namespace: default\n user: user\n name: Default\ncurrent-context: Default\nkind: Config\npreferences: {}\nusers:\n- name: user\n user:\n client-certificate: /var/lib/rancher/k3s/agent/client-kubelet.crt\n client-key: /var/lib/rancher/k3s/agent/client-kubelet.key\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["By default, K3s does not set the --rotate-certificates argument. If you have set this flag with a value of ",(0,t.jsx)(r.code,{children:"false"}),", you should either set it to ",(0,t.jsx)(r.code,{children:"true"}),' or completely remove the flag.\nIf using the K3s config file /etc/rancher/k3s/config.yaml, remove any rotate-certificates parameter.\nIf using the command line, remove the K3s flag --kubelet-arg="rotate-certificates".\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service']})]}),"\n",(0,t.jsx)(r.h3,{id:"4211-verify-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",children:"4.2.11 Verify that the RotateKubeletServerCertificate argument is set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '.featureGates.RotateKubeletServerCertificate' is present OR '.featureGates.RotateKubeletServerCertificate' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"apiVersion: v1\nclusters:\n- cluster:\n server: https://127.0.0.1:6443\n certificate-authority: /var/lib/rancher/k3s/agent/server-ca.crt\n name: local\ncontexts:\n- context:\n cluster: local\n namespace: default\n user: user\n name: Default\ncurrent-context: Default\nkind: Config\npreferences: {}\nusers:\n- name: user\n user:\n client-certificate: /var/lib/rancher/k3s/agent/client-kubelet.crt\n client-key: /var/lib/rancher/k3s/agent/client-kubelet.key\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:'By default, K3s does not set the RotateKubeletServerCertificate feature gate.\nIf you have enabled this feature gate, you should remove it.\nIf using the K3s config file /etc/rancher/k3s/config.yaml, remove any feature-gate=RotateKubeletServerCertificate parameter.\nIf using the command line, remove the K3s flag --kubelet-arg="feature-gate=RotateKubeletServerCertificate".\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service'})]}),"\n",(0,t.jsx)(r.h3,{id:"4212-ensure-that-the-kubelet-only-makes-use-of-strong-cryptographic-ciphers-manual",children:"4.2.12 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--tls-cipher-suites' contains valid elements from 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:19 server-0 k3s[2357]: time="2024-08-09T19:06:19Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --feature-gates=CloudDualStackNodeIPs=true --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["If using a K3s config file /etc/rancher/k3s/config.yaml, edit the file to set ",(0,t.jsx)(r.code,{children:"TLSCipherSuites"})," to"]}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"\n'})}),(0,t.jsx)(r.p,{children:'or to a subset of these values.\nIf using the command line, add the K3s flag --kubelet-arg="tls-cipher-suites=<same values as above>"\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service'})]}),"\n",(0,t.jsx)(r.h3,{id:"4213-ensure-that-a-limit-is-set-on-pod-pids-manual",children:"4.2.13 Ensure that a limit is set on pod PIDs (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nDecide on an appropriate level for this parameter and set it,\nIf using a K3s config file /etc/rancher/k3s/config.yaml, edit the file to set ",(0,t.jsx)(r.code,{children:"podPidsLimit"})," to"]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "pod-max-pids=<value>"\n'})}),"\n",(0,t.jsx)(r.h2,{id:"51-rbac-and-service-accounts",children:"5.1 RBAC and Service Accounts"}),"\n",(0,t.jsx)(r.h3,{id:"511-ensure-that-the-cluster-admin-role-is-only-used-where-required-manual",children:"5.1.1 Ensure that the cluster-admin role is only used where required (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nIdentify all clusterrolebindings to the cluster-admin role. Check if they are used and\nif they need this role or if they could use a role with fewer privileges.\nWhere possible, first bind users to a lower privileged role and then remove the\nclusterrolebinding to the cluster-admin role :\nkubectl delete clusterrolebinding [name]"]}),"\n",(0,t.jsx)(r.h3,{id:"512-minimize-access-to-secrets-manual",children:"5.1.2 Minimize access to secrets (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove get, list and watch access to Secret objects in the cluster."]}),"\n",(0,t.jsx)(r.h3,{id:"513-minimize-wildcard-use-in-roles-and-clusterroles-manual",children:"5.1.3 Minimize wildcard use in Roles and ClusterRoles (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible replace any use of wildcards in clusterroles and roles with specific\nobjects or actions."]}),"\n",(0,t.jsx)(r.h3,{id:"514-minimize-access-to-create-pods-manual",children:"5.1.4 Minimize access to create pods (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove create access to pod objects in the cluster."]}),"\n",(0,t.jsx)(r.h3,{id:"515-ensure-that-default-service-accounts-are-not-actively-used-manual",children:"5.1.5 Ensure that default service accounts are not actively used. (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nCreate explicit service accounts wherever a Kubernetes workload requires specific access\nto the Kubernetes API server.\nModify the configuration of each default service account to include this value\nautomountServiceAccountToken: false"]}),"\n",(0,t.jsx)(r.h3,{id:"516-ensure-that-service-account-tokens-are-only-mounted-where-necessary-manual",children:"5.1.6 Ensure that Service Account Tokens are only mounted where necessary (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nModify the definition of pods and service accounts which do not need to mount service\naccount tokens to disable it."]}),"\n",(0,t.jsxs)(r.h3,{id:"517-avoid-use-of-system-group-manual",children:["5.1.7 Avoid use of system",":masters"," group (Manual)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nRemove the system",":masters"," group from all users in the cluster."]}),"\n",(0,t.jsx)(r.h3,{id:"518-limit-use-of-the-bind-impersonate-and-escalate-permissions-in-the-kubernetes-cluster-manual",children:"5.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove the impersonate, bind and escalate rights from subjects."]}),"\n",(0,t.jsx)(r.h3,{id:"519-minimize-access-to-create-persistent-volumes-manual",children:"5.1.9 Minimize access to create persistent volumes (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove create access to PersistentVolume objects in the cluster."]}),"\n",(0,t.jsx)(r.h3,{id:"5110-minimize-access-to-the-proxy-sub-resource-of-nodes-manual",children:"5.1.10 Minimize access to the proxy sub-resource of nodes (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove access to the proxy sub-resource of node objects."]}),"\n",(0,t.jsx)(r.h3,{id:"5111-minimize-access-to-the-approval-sub-resource-of-certificatesigningrequests-objects-manual",children:"5.1.11 Minimize access to the approval sub-resource of certificatesigningrequests objects (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove access to the approval sub-resource of certificatesigningrequest objects."]}),"\n",(0,t.jsx)(r.h3,{id:"5112-minimize-access-to-webhook-configuration-objects-manual",children:"5.1.12 Minimize access to webhook configuration objects (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove access to the validatingwebhookconfigurations or mutatingwebhookconfigurations objects"]}),"\n",(0,t.jsx)(r.h3,{id:"5113-minimize-access-to-the-service-account-token-creation-manual",children:"5.1.13 Minimize access to the service account token creation (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove access to the token sub-resource of serviceaccount objects."]}),"\n",(0,t.jsx)(r.h2,{id:"52-pod-security-standards",children:"5.2 Pod Security Standards"}),"\n",(0,t.jsx)(r.h3,{id:"521-ensure-that-the-cluster-has-at-least-one-active-policy-control-mechanism-in-place-manual",children:"5.2.1 Ensure that the cluster has at least one active policy control mechanism in place (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nEnsure that either Pod Security Admission or an external policy control system is in place\nfor every namespace which contains user workloads."]}),"\n",(0,t.jsx)(r.h3,{id:"522-minimize-the-admission-of-privileged-containers-manual",children:"5.2.2 Minimize the admission of privileged containers (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of privileged containers."]}),"\n",(0,t.jsx)(r.h3,{id:"523-minimize-the-admission-of-containers-wishing-to-share-the-host-process-id-namespace-automated",children:"5.2.3 Minimize the admission of containers wishing to share the host process ID namespace (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of ",(0,t.jsx)(r.code,{children:"hostPID"})," containers."]}),"\n",(0,t.jsx)(r.h3,{id:"524-minimize-the-admission-of-containers-wishing-to-share-the-host-ipc-namespace-automated",children:"5.2.4 Minimize the admission of containers wishing to share the host IPC namespace (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of ",(0,t.jsx)(r.code,{children:"hostIPC"})," containers."]}),"\n",(0,t.jsx)(r.h3,{id:"525-minimize-the-admission-of-containers-wishing-to-share-the-host-network-namespace-automated",children:"5.2.5 Minimize the admission of containers wishing to share the host network namespace (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of ",(0,t.jsx)(r.code,{children:"hostNetwork"})," containers."]}),"\n",(0,t.jsx)(r.h3,{id:"526-minimize-the-admission-of-containers-with-allowprivilegeescalation-automated",children:"5.2.6 Minimize the admission of containers with allowPrivilegeEscalation (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers with ",(0,t.jsx)(r.code,{children:".spec.allowPrivilegeEscalation"})," set to ",(0,t.jsx)(r.code,{children:"true"}),"."]}),"\n",(0,t.jsx)(r.h3,{id:"527-minimize-the-admission-of-root-containers-automated",children:"5.2.7 Minimize the admission of root containers (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nCreate a policy for each namespace in the cluster, ensuring that either ",(0,t.jsx)(r.code,{children:"MustRunAsNonRoot"}),"\nor ",(0,t.jsx)(r.code,{children:"MustRunAs"})," with the range of UIDs not including 0, is set."]}),"\n",(0,t.jsx)(r.h3,{id:"528-minimize-the-admission-of-containers-with-the-net_raw-capability-automated",children:"5.2.8 Minimize the admission of containers with the NET_RAW capability (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers with the ",(0,t.jsx)(r.code,{children:"NET_RAW"})," capability."]}),"\n",(0,t.jsx)(r.h3,{id:"529-minimize-the-admission-of-containers-with-added-capabilities-automated",children:"5.2.9 Minimize the admission of containers with added capabilities (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nEnsure that ",(0,t.jsx)(r.code,{children:"allowedCapabilities"})," is not present in policies for the cluster unless\nit is set to an empty array."]}),"\n",(0,t.jsx)(r.h3,{id:"5210-minimize-the-admission-of-containers-with-capabilities-assigned-manual",children:"5.2.10 Minimize the admission of containers with capabilities assigned (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nReview the use of capabilities in applications running on your cluster. Where a namespace\ncontains applications which do not require any Linux capabities to operate consider adding\na PSP which forbids the admission of containers which do not drop all capabilities."]}),"\n",(0,t.jsx)(r.h3,{id:"5211-minimize-the-admission-of-windows-hostprocess-containers-manual",children:"5.2.11 Minimize the admission of Windows HostProcess containers (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers that have ",(0,t.jsx)(r.code,{children:".securityContext.windowsOptions.hostProcess"})," set to ",(0,t.jsx)(r.code,{children:"true"}),"."]}),"\n",(0,t.jsx)(r.h3,{id:"5212-minimize-the-admission-of-hostpath-volumes-manual",children:"5.2.12 Minimize the admission of HostPath volumes (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers with ",(0,t.jsx)(r.code,{children:"hostPath"})," volumes."]}),"\n",(0,t.jsx)(r.h3,{id:"5213-minimize-the-admission-of-containers-which-use-hostports-manual",children:"5.2.13 Minimize the admission of containers which use HostPorts (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers which use ",(0,t.jsx)(r.code,{children:"hostPort"})," sections."]}),"\n",(0,t.jsx)(r.h2,{id:"53-network-policies-and-cni",children:"5.3 Network Policies and CNI"}),"\n",(0,t.jsx)(r.h3,{id:"531-ensure-that-the-cni-in-use-supports-networkpolicies-manual",children:"5.3.1 Ensure that the CNI in use supports NetworkPolicies (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nIf the CNI plugin in use does not support network policies, consideration should be given to\nmaking use of a different plugin, or finding an alternate mechanism for restricting traffic\nin the Kubernetes cluster."]}),"\n",(0,t.jsx)(r.h3,{id:"532-ensure-that-all-namespaces-have-networkpolicies-defined-manual",children:"5.3.2 Ensure that all Namespaces have NetworkPolicies defined (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the documentation and create NetworkPolicy objects as you need them."]}),"\n",(0,t.jsx)(r.h2,{id:"54-secrets-management",children:"5.4 Secrets Management"}),"\n",(0,t.jsx)(r.h3,{id:"541-prefer-using-secrets-as-files-over-secrets-as-environment-variables-manual",children:"5.4.1 Prefer using Secrets as files over Secrets as environment variables (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nIf possible, rewrite application code to read Secrets from mounted secret files, rather than\nfrom environment variables."]}),"\n",(0,t.jsx)(r.h3,{id:"542-consider-external-secret-storage-manual",children:"5.4.2 Consider external secret storage (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nRefer to the Secrets management options offered by your cloud provider or a third-party\nsecrets management solution."]}),"\n",(0,t.jsx)(r.h2,{id:"55-extensible-admission-control",children:"5.5 Extensible Admission Control"}),"\n",(0,t.jsx)(r.h3,{id:"551-configure-image-provenance-using-imagepolicywebhook-admission-controller-manual",children:"5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and setup image provenance."]}),"\n",(0,t.jsx)(r.h2,{id:"57-general-policies",children:"5.7 General Policies"}),"\n",(0,t.jsx)(r.h3,{id:"571-create-administrative-boundaries-between-resources-using-namespaces-manual",children:"5.7.1 Create administrative boundaries between resources using namespaces (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the documentation and create namespaces for objects in your deployment as you need\nthem."]}),"\n",(0,t.jsx)(r.h3,{id:"572-ensure-that-the-seccomp-profile-is-set-to-dockerdefault-in-your-pod-definitions-manual",children:"5.7.2 Ensure that the seccomp profile is set to docker/default in your Pod definitions (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nUse ",(0,t.jsx)(r.code,{children:"securityContext"})," to enable the docker/default seccomp profile in your pod definitions.\nAn example is as below:\nsecurityContext:\nseccompProfile:\ntype: RuntimeDefault"]}),"\n",(0,t.jsx)(r.h3,{id:"573-apply-securitycontext-to-your-pods-and-containers-manual",children:"5.7.3 Apply SecurityContext to your Pods and Containers (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and apply SecurityContexts to your Pods. For a\nsuggested list of SecurityContexts, you may refer to the CIS Security Benchmark for Docker\nContainers."]}),"\n",(0,t.jsx)(r.h3,{id:"574-the-default-namespace-should-not-be-used-manual",children:"5.7.4 The default namespace should not be used (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nEnsure that namespaces are created to allow for appropriate segregation of Kubernetes\nresources and that all new resources are created in a specific namespace."]})]})}function u(e={}){const{wrapper:r}={...(0,n.a)(),...e.components};return r?(0,t.jsx)(r,{...e,children:(0,t.jsx)(d,{...e})}):d(e)}},1151:(e,r,s)=>{s.d(r,{Z:()=>l,a:()=>a});var t=s(7294);const n={},i=t.createContext(n);function a(e){const r=t.useContext(i);return t.useMemo((function(){return"function"==typeof e?e(r):{...r,...e}}),[r,e])}function l(e){let r;return r=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:a(e.components),t.createElement(i.Provider,{value:r},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/b9a30a37.e7c17c25.js b/assets/js/b9a30a37.e7c17c25.js new file mode 100644 index 000000000..168fb6021 --- /dev/null +++ b/assets/js/b9a30a37.e7c17c25.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[2038],{9763:(e,r,s)=>{s.r(r),s.d(r,{assets:()=>c,contentTitle:()=>a,default:()=>u,frontMatter:()=>i,metadata:()=>l,toc:()=>o});var t=s(5893),n=s(1151);const i={title:"CIS 1.8 Self Assessment Guide"},a=void 0,l={id:"security/self-assessment-1.8",title:"CIS 1.8 Self Assessment Guide",description:"Overview",source:"@site/docs/security/self-assessment-1.8.md",sourceDirName:"security",slug:"/security/self-assessment-1.8",permalink:"/security/self-assessment-1.8",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/security/self-assessment-1.8.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"CIS 1.8 Self Assessment Guide"},sidebar:"mySidebar",previous:{title:"CIS Hardening Guide",permalink:"/security/hardening-guide"},next:{title:"CIS 1.7 Self Assessment Guide",permalink:"/security/self-assessment-1.7"}},c={},o=[{value:"Overview",id:"overview",level:2},{value:"Testing controls methodology",id:"testing-controls-methodology",level:3},{value:"1.1 Control Plane Node Configuration Files",id:"11-control-plane-node-configuration-files",level:2},{value:"1.1.1 Ensure that the API server pod specification file permissions are set to 600 or more restrictive (Automated)",id:"111-ensure-that-the-api-server-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.2 Ensure that the API server pod specification file ownership is set to root (Automated)",id:"112-ensure-that-the-api-server-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.3 Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive (Automated)",id:"113-ensure-that-the-controller-manager-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.4 Ensure that the controller manager pod specification file ownership is set to root (Automated)",id:"114-ensure-that-the-controller-manager-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.5 Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive (Automated)",id:"115-ensure-that-the-scheduler-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.6 Ensure that the scheduler pod specification file ownership is set to root (Automated)",id:"116-ensure-that-the-scheduler-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.7 Ensure that the etcd pod specification file permissions are set to 600 or more restrictive (Automated)",id:"117-ensure-that-the-etcd-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.8 Ensure that the etcd pod specification file ownership is set to root (Automated)",id:"118-ensure-that-the-etcd-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.9 Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Automated)",id:"119-ensure-that-the-container-network-interface-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.10 Ensure that the Container Network Interface file ownership is set to root (Manual)",id:"1110-ensure-that-the-container-network-interface-file-ownership-is-set-to-root-manual",level:3},{value:"1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)",id:"1111-ensure-that-the-etcd-data-directory-permissions-are-set-to-700-or-more-restrictive-automated",level:3},{value:"1.1.12 Ensure that the etcd data directory ownership is set to etcd (Automated)",id:"1112-ensure-that-the-etcd-data-directory-ownership-is-set-to-etcd-automated",level:3},{value:"1.1.13 Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)",id:"1113-ensure-that-the-adminconf-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.14 Ensure that the admin.conf file ownership is set to root (Automated)",id:"1114-ensure-that-the-adminconf-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.15 Ensure that the scheduler.conf file permissions are set to 600 or more restrictive (Automated)",id:"1115-ensure-that-the-schedulerconf-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.16 Ensure that the scheduler.conf file ownership is set to root (Automated)",id:"1116-ensure-that-the-schedulerconf-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.17 Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive (Automated)",id:"1117-ensure-that-the-controller-managerconf-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.18 Ensure that the controller-manager.conf file ownership is set to root (Automated)",id:"1118-ensure-that-the-controller-managerconf-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root (Automated)",id:"1119-ensure-that-the-kubernetes-pki-directory-and-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Manual)",id:"1120-ensure-that-the-kubernetes-pki-certificate-file-permissions-are-set-to-600-or-more-restrictive-manual",level:3},{value:"1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Automated)",id:"1121-ensure-that-the-kubernetes-pki-key-file-permissions-are-set-to-600-automated",level:3},{value:"1.2 API Server",id:"12-api-server",level:2},{value:"1.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)",id:"121-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",level:3},{value:"1.2.2 Ensure that the --token-auth-file parameter is not set (Automated)",id:"122-ensure-that-the---token-auth-file-parameter-is-not-set-automated",level:3},{value:"1.2.3 Ensure that the --DenyServiceExternalIPs is not set (Automated)",id:"123-ensure-that-the---denyserviceexternalips-is-not-set-automated",level:3},{value:"1.2.4 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)",id:"124-ensure-that-the---kubelet-client-certificate-and---kubelet-client-key-arguments-are-set-as-appropriate-automated",level:3},{value:"1.2.5 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)",id:"125-ensure-that-the---kubelet-certificate-authority-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.6 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)",id:"126-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",level:3},{value:"1.2.7 Ensure that the --authorization-mode argument includes Node (Automated)",id:"127-ensure-that-the---authorization-mode-argument-includes-node-automated",level:3},{value:"1.2.8 Ensure that the --authorization-mode argument includes RBAC (Automated)",id:"128-ensure-that-the---authorization-mode-argument-includes-rbac-automated",level:3},{value:"1.2.9 Ensure that the admission control plugin EventRateLimit is set (Manual)",id:"129-ensure-that-the-admission-control-plugin-eventratelimit-is-set-manual",level:3},{value:"1.2.10 Ensure that the admission control plugin AlwaysAdmit is not set (Automated)",id:"1210-ensure-that-the-admission-control-plugin-alwaysadmit-is-not-set-automated",level:3},{value:"1.2.11 Ensure that the admission control plugin AlwaysPullImages is set (Manual)",id:"1211-ensure-that-the-admission-control-plugin-alwayspullimages-is-set-manual",level:3},{value:"1.2.12 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)",id:"1212-ensure-that-the-admission-control-plugin-securitycontextdeny-is-set-if-podsecuritypolicy-is-not-used-manual",level:3},{value:"1.2.13 Ensure that the admission control plugin ServiceAccount is set (Automated)",id:"1213-ensure-that-the-admission-control-plugin-serviceaccount-is-set-automated",level:3},{value:"1.2.14 Ensure that the admission control plugin NamespaceLifecycle is set (Automated)",id:"1214-ensure-that-the-admission-control-plugin-namespacelifecycle-is-set-automated",level:3},{value:"1.2.15 Ensure that the admission control plugin NodeRestriction is set (Automated)",id:"1215-ensure-that-the-admission-control-plugin-noderestriction-is-set-automated",level:3},{value:"1.2.16 Ensure that the --profiling argument is set to false (Automated)",id:"1216-ensure-that-the---profiling-argument-is-set-to-false-automated",level:3},{value:"1.2.17 Ensure that the --audit-log-path argument is set (Manual)",id:"1217-ensure-that-the---audit-log-path-argument-is-set-manual",level:3},{value:"1.2.18 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Manual)",id:"1218-ensure-that-the---audit-log-maxage-argument-is-set-to-30-or-as-appropriate-manual",level:3},{value:"1.2.19 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Manual)",id:"1219-ensure-that-the---audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate-manual",level:3},{value:"1.2.20 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Manual)",id:"1220-ensure-that-the---audit-log-maxsize-argument-is-set-to-100-or-as-appropriate-manual",level:3},{value:"1.2.21 Ensure that the --request-timeout argument is set as appropriate (Manual)",id:"1221-ensure-that-the---request-timeout-argument-is-set-as-appropriate-manual",level:3},{value:"1.2.22 Ensure that the --service-account-lookup argument is set to true (Automated)",id:"1222-ensure-that-the---service-account-lookup-argument-is-set-to-true-automated",level:3},{value:"1.2.23 Ensure that the --service-account-key-file argument is set as appropriate (Automated)",id:"1223-ensure-that-the---service-account-key-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.24 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)",id:"1224-ensure-that-the---etcd-certfile-and---etcd-keyfile-arguments-are-set-as-appropriate-automated",level:3},{value:"1.2.25 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)",id:"1225-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"1.2.26 Ensure that the --client-ca-file argument is set as appropriate (Automated)",id:"1226-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.27 Ensure that the --etcd-cafile argument is set as appropriate (Automated)",id:"1227-ensure-that-the---etcd-cafile-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.28 Ensure that the --encryption-provider-config argument is set as appropriate (Manual)",id:"1228-ensure-that-the---encryption-provider-config-argument-is-set-as-appropriate-manual",level:3},{value:"1.2.29 Ensure that encryption providers are appropriately configured (Manual)",id:"1229-ensure-that-encryption-providers-are-appropriately-configured-manual",level:3},{value:"1.2.30 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Automated)",id:"1230-ensure-that-the-api-server-only-makes-use-of-strong-cryptographic-ciphers-automated",level:3},{value:"1.3 Controller Manager",id:"13-controller-manager",level:2},{value:"1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)",id:"131-ensure-that-the---terminated-pod-gc-threshold-argument-is-set-as-appropriate-manual",level:3},{value:"1.3.2 Ensure that the --profiling argument is set to false (Automated)",id:"132-ensure-that-the---profiling-argument-is-set-to-false-automated",level:3},{value:"1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated)",id:"133-ensure-that-the---use-service-account-credentials-argument-is-set-to-true-automated",level:3},{value:"1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)",id:"134-ensure-that-the---service-account-private-key-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated)",id:"135-ensure-that-the---root-ca-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)",id:"136-ensure-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",level:3},{value:"1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)",id:"137-ensure-that-the---bind-address-argument-is-set-to-127001-automated",level:3},{value:"1.4 Scheduler",id:"14-scheduler",level:2},{value:"1.4.1 Ensure that the --profiling argument is set to false (Automated)",id:"141-ensure-that-the---profiling-argument-is-set-to-false-automated",level:3},{value:"1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)",id:"142-ensure-that-the---bind-address-argument-is-set-to-127001-automated",level:3},{value:"2 Etcd Node Configuration",id:"2-etcd-node-configuration",level:2},{value:"2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)",id:"21-ensure-that-the---cert-file-and---key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"2.2 Ensure that the --client-cert-auth argument is set to true (Automated)",id:"22-ensure-that-the---client-cert-auth-argument-is-set-to-true-automated",level:3},{value:"2.3 Ensure that the --auto-tls argument is not set to true (Automated)",id:"23-ensure-that-the---auto-tls-argument-is-not-set-to-true-automated",level:3},{value:"2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)",id:"24-ensure-that-the---peer-cert-file-and---peer-key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"2.5 Ensure that the --peer-client-cert-auth argument is set to true (Automated)",id:"25-ensure-that-the---peer-client-cert-auth-argument-is-set-to-true-automated",level:3},{value:"2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated)",id:"26-ensure-that-the---peer-auto-tls-argument-is-not-set-to-true-automated",level:3},{value:"2.7 Ensure that a unique Certificate Authority is used for etcd (Automated)",id:"27-ensure-that-a-unique-certificate-authority-is-used-for-etcd-automated",level:3},{value:"4.1 Worker Node Configuration Files",id:"41-worker-node-configuration-files",level:2},{value:"4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive (Automated)",id:"411-ensure-that-the-kubelet-service-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.2 Ensure that the kubelet service file ownership is set to root (Automated)",id:"412-ensure-that-the-kubelet-service-file-ownership-is-set-to-root-automated",level:3},{value:"4.1.3 If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive (Automated)",id:"413-if-proxy-kubeconfig-file-exists-ensure-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.4 If proxy kubeconfig file exists ensure ownership is set to root (Automated)",id:"414-if-proxy-kubeconfig-file-exists-ensure-ownership-is-set-to-root-automated",level:3},{value:"4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive (Automated)",id:"415-ensure-that-the---kubeconfig-kubeletconf-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root (Automated)",id:"416-ensure-that-the---kubeconfig-kubeletconf-file-ownership-is-set-to-root-automated",level:3},{value:"4.1.7 Ensure that the certificate authorities file permissions are set to 600 or more restrictive (Automated)",id:"417-ensure-that-the-certificate-authorities-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.8 Ensure that the client certificate authorities file ownership is set to root (Automated)",id:"418-ensure-that-the-client-certificate-authorities-file-ownership-is-set-to-root-automated",level:3},{value:"4.1.9 Ensure that the kubelet --config configuration file has permissions set to 600 or more restrictive (Automated)",id:"419-ensure-that-the-kubelet---config-configuration-file-has-permissions-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.10 Ensure that the kubelet --config configuration file ownership is set to root (Automated)",id:"4110-ensure-that-the-kubelet---config-configuration-file-ownership-is-set-to-root-automated",level:3},{value:"4.2 Kubelet",id:"42-kubelet",level:2},{value:"4.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)",id:"421-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",level:3},{value:"4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)",id:"422-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",level:3},{value:"4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)",id:"423-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",level:3},{value:"4.2.4 Verify that the --read-only-port argument is set to 0 (Automated)",id:"424-verify-that-the---read-only-port-argument-is-set-to-0-automated",level:3},{value:"4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)",id:"425-ensure-that-the---streaming-connection-idle-timeout-argument-is-not-set-to-0-manual",level:3},{value:"4.2.6 Ensure that the --make-iptables-util-chains argument is set to true (Automated)",id:"426-ensure-that-the---make-iptables-util-chains-argument-is-set-to-true-automated",level:3},{value:"4.2.7 Ensure that the --hostname-override argument is not set (Automated)",id:"427-ensure-that-the---hostname-override-argument-is-not-set-automated",level:3},{value:"4.2.8 Ensure that the eventRecordQPS argument is set to a level which ensures appropriate event capture (Manual)",id:"428-ensure-that-the-eventrecordqps-argument-is-set-to-a-level-which-ensures-appropriate-event-capture-manual",level:3},{value:"4.2.9 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)",id:"429-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"4.2.10 Ensure that the --rotate-certificates argument is not set to false (Automated)",id:"4210-ensure-that-the---rotate-certificates-argument-is-not-set-to-false-automated",level:3},{value:"4.2.11 Verify that the RotateKubeletServerCertificate argument is set to true (Automated)",id:"4211-verify-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",level:3},{value:"4.2.12 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)",id:"4212-ensure-that-the-kubelet-only-makes-use-of-strong-cryptographic-ciphers-manual",level:3},{value:"4.2.13 Ensure that a limit is set on pod PIDs (Manual)",id:"4213-ensure-that-a-limit-is-set-on-pod-pids-manual",level:3},{value:"5.1 RBAC and Service Accounts",id:"51-rbac-and-service-accounts",level:2},{value:"5.1.1 Ensure that the cluster-admin role is only used where required (Manual)",id:"511-ensure-that-the-cluster-admin-role-is-only-used-where-required-manual",level:3},{value:"5.1.2 Minimize access to secrets (Manual)",id:"512-minimize-access-to-secrets-manual",level:3},{value:"5.1.3 Minimize wildcard use in Roles and ClusterRoles (Manual)",id:"513-minimize-wildcard-use-in-roles-and-clusterroles-manual",level:3},{value:"5.1.4 Minimize access to create pods (Manual)",id:"514-minimize-access-to-create-pods-manual",level:3},{value:"5.1.5 Ensure that default service accounts are not actively used. (Manual)",id:"515-ensure-that-default-service-accounts-are-not-actively-used-manual",level:3},{value:"5.1.6 Ensure that Service Account Tokens are only mounted where necessary (Manual)",id:"516-ensure-that-service-account-tokens-are-only-mounted-where-necessary-manual",level:3},{value:"5.1.7 Avoid use of system group (Manual)",id:"517-avoid-use-of-system-group-manual",level:3},{value:"5.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)",id:"518-limit-use-of-the-bind-impersonate-and-escalate-permissions-in-the-kubernetes-cluster-manual",level:3},{value:"5.1.9 Minimize access to create persistent volumes (Manual)",id:"519-minimize-access-to-create-persistent-volumes-manual",level:3},{value:"5.1.10 Minimize access to the proxy sub-resource of nodes (Manual)",id:"5110-minimize-access-to-the-proxy-sub-resource-of-nodes-manual",level:3},{value:"5.1.11 Minimize access to the approval sub-resource of certificatesigningrequests objects (Manual)",id:"5111-minimize-access-to-the-approval-sub-resource-of-certificatesigningrequests-objects-manual",level:3},{value:"5.1.12 Minimize access to webhook configuration objects (Manual)",id:"5112-minimize-access-to-webhook-configuration-objects-manual",level:3},{value:"5.1.13 Minimize access to the service account token creation (Manual)",id:"5113-minimize-access-to-the-service-account-token-creation-manual",level:3},{value:"5.2 Pod Security Standards",id:"52-pod-security-standards",level:2},{value:"5.2.1 Ensure that the cluster has at least one active policy control mechanism in place (Manual)",id:"521-ensure-that-the-cluster-has-at-least-one-active-policy-control-mechanism-in-place-manual",level:3},{value:"5.2.2 Minimize the admission of privileged containers (Manual)",id:"522-minimize-the-admission-of-privileged-containers-manual",level:3},{value:"5.2.3 Minimize the admission of containers wishing to share the host process ID namespace (Automated)",id:"523-minimize-the-admission-of-containers-wishing-to-share-the-host-process-id-namespace-automated",level:3},{value:"5.2.4 Minimize the admission of containers wishing to share the host IPC namespace (Automated)",id:"524-minimize-the-admission-of-containers-wishing-to-share-the-host-ipc-namespace-automated",level:3},{value:"5.2.5 Minimize the admission of containers wishing to share the host network namespace (Automated)",id:"525-minimize-the-admission-of-containers-wishing-to-share-the-host-network-namespace-automated",level:3},{value:"5.2.6 Minimize the admission of containers with allowPrivilegeEscalation (Automated)",id:"526-minimize-the-admission-of-containers-with-allowprivilegeescalation-automated",level:3},{value:"5.2.7 Minimize the admission of root containers (Automated)",id:"527-minimize-the-admission-of-root-containers-automated",level:3},{value:"5.2.8 Minimize the admission of containers with the NET_RAW capability (Automated)",id:"528-minimize-the-admission-of-containers-with-the-net_raw-capability-automated",level:3},{value:"5.2.9 Minimize the admission of containers with added capabilities (Automated)",id:"529-minimize-the-admission-of-containers-with-added-capabilities-automated",level:3},{value:"5.2.10 Minimize the admission of containers with capabilities assigned (Manual)",id:"5210-minimize-the-admission-of-containers-with-capabilities-assigned-manual",level:3},{value:"5.2.11 Minimize the admission of Windows HostProcess containers (Manual)",id:"5211-minimize-the-admission-of-windows-hostprocess-containers-manual",level:3},{value:"5.2.12 Minimize the admission of HostPath volumes (Manual)",id:"5212-minimize-the-admission-of-hostpath-volumes-manual",level:3},{value:"5.2.13 Minimize the admission of containers which use HostPorts (Manual)",id:"5213-minimize-the-admission-of-containers-which-use-hostports-manual",level:3},{value:"5.3 Network Policies and CNI",id:"53-network-policies-and-cni",level:2},{value:"5.3.1 Ensure that the CNI in use supports NetworkPolicies (Manual)",id:"531-ensure-that-the-cni-in-use-supports-networkpolicies-manual",level:3},{value:"5.3.2 Ensure that all Namespaces have NetworkPolicies defined (Manual)",id:"532-ensure-that-all-namespaces-have-networkpolicies-defined-manual",level:3},{value:"5.4 Secrets Management",id:"54-secrets-management",level:2},{value:"5.4.1 Prefer using Secrets as files over Secrets as environment variables (Manual)",id:"541-prefer-using-secrets-as-files-over-secrets-as-environment-variables-manual",level:3},{value:"5.4.2 Consider external secret storage (Manual)",id:"542-consider-external-secret-storage-manual",level:3},{value:"5.5 Extensible Admission Control",id:"55-extensible-admission-control",level:2},{value:"5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)",id:"551-configure-image-provenance-using-imagepolicywebhook-admission-controller-manual",level:3},{value:"5.7 General Policies",id:"57-general-policies",level:2},{value:"5.7.1 Create administrative boundaries between resources using namespaces (Manual)",id:"571-create-administrative-boundaries-between-resources-using-namespaces-manual",level:3},{value:"5.7.2 Ensure that the seccomp profile is set to docker/default in your Pod definitions (Manual)",id:"572-ensure-that-the-seccomp-profile-is-set-to-dockerdefault-in-your-pod-definitions-manual",level:3},{value:"5.7.3 Apply SecurityContext to your Pods and Containers (Manual)",id:"573-apply-securitycontext-to-your-pods-and-containers-manual",level:3},{value:"5.7.4 The default namespace should not be used (Manual)",id:"574-the-default-namespace-should-not-be-used-manual",level:3}];function d(e){const r={a:"a",code:"code",h2:"h2",h3:"h3",li:"li",p:"p",pre:"pre",strong:"strong",ul:"ul",...(0,n.a)(),...e.components},{Details:s}=r;return s||function(e,r){throw new Error("Expected "+(r?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}("Details",!0),(0,t.jsxs)(t.Fragment,{children:[(0,t.jsx)(r.h2,{id:"overview",children:"Overview"}),"\n",(0,t.jsxs)(r.p,{children:["This document is a companion to the ",(0,t.jsx)(r.a,{href:"/security/hardening-guide",children:"K3s security hardening guide"}),". The hardening guide provides prescriptive guidance for hardening a production installation of K3s, and this benchmark guide is meant to help you evaluate the level of security of the hardened cluster against each control in the CIS Kubernetes Benchmark. It is to be used by K3s operators, security teams, auditors, and decision-makers."]}),"\n",(0,t.jsxs)(r.p,{children:["This guide is specific to the ",(0,t.jsx)(r.strong,{children:"v1.26-v1.29"})," release line of K3s and the ",(0,t.jsx)(r.strong,{children:"v1.8"})," release of the CIS Kubernetes Benchmark."]}),"\n",(0,t.jsxs)(r.p,{children:["For more information about each control, including detailed descriptions and remediations for failing tests, you can refer to the corresponding section of the CIS Kubernetes Benchmark v1.8. You can download the benchmark, after creating a free account, in ",(0,t.jsx)(r.a,{href:"https://www.cisecurity.org/benchmark/kubernetes/",children:"Center for Internet Security (CIS)"}),"."]}),"\n",(0,t.jsx)(r.h3,{id:"testing-controls-methodology",children:"Testing controls methodology"}),"\n",(0,t.jsx)(r.p,{children:"Each control in the CIS Kubernetes Benchmark was evaluated against a K3s cluster that was configured according to the accompanying hardening guide."}),"\n",(0,t.jsx)(r.p,{children:"Where control audits differ from the original CIS benchmark, the audit commands specific to K3s are provided for testing."}),"\n",(0,t.jsx)(r.p,{children:"These are the possible results for each control:"}),"\n",(0,t.jsxs)(r.ul,{children:["\n",(0,t.jsxs)(r.li,{children:[(0,t.jsx)(r.strong,{children:"Pass"})," - The K3s cluster under test passed the audit outlined in the benchmark."]}),"\n",(0,t.jsxs)(r.li,{children:[(0,t.jsx)(r.strong,{children:"Not Applicable"})," - The control is not applicable to K3s because of how it is designed to operate. The remediation section will explain why this is so."]}),"\n",(0,t.jsxs)(r.li,{children:[(0,t.jsx)(r.strong,{children:"Warn"})," - The control is manual in the CIS benchmark and it depends on the cluster's use case or some other factor that must be determined by the cluster operator. These controls have been evaluated to ensure K3s does not prevent their implementation, but no further configuration or auditing of the cluster under test has been performed."]}),"\n"]}),"\n",(0,t.jsx)(r.p,{children:'This guide makes the assumption that K3s is running as a Systemd unit. Your installation may vary and will require you to adjust the "audit" commands to fit your scenario.'}),"\n",(0,t.jsx)(r.h2,{id:"11-control-plane-node-configuration-files",children:"1.1 Control Plane Node Configuration Files"}),"\n",(0,t.jsx)(r.h3,{id:"111-ensure-that-the-api-server-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.1 Ensure that the API server pod specification file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds the api server within the k3s process. There is no API server pod specification file."}),"\n",(0,t.jsxs)(r.h3,{id:"112-ensure-that-the-api-server-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.2 Ensure that the API server pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds the api server within the k3s process. There is no API server pod specification file."}),"\n",(0,t.jsx)(r.h3,{id:"113-ensure-that-the-controller-manager-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.3 Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds the controller manager within the k3s process. There is no controller manager pod specification file."}),"\n",(0,t.jsxs)(r.h3,{id:"114-ensure-that-the-controller-manager-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.4 Ensure that the controller manager pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds the controller manager within the k3s process. There is no controller manager pod specification file."}),"\n",(0,t.jsx)(r.h3,{id:"115-ensure-that-the-scheduler-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.5 Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds the scheduler within the k3s process. There is no scheduler pod specification file."}),"\n",(0,t.jsxs)(r.h3,{id:"116-ensure-that-the-scheduler-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.6 Ensure that the scheduler pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds the scheduler within the k3s process. There is no scheduler pod specification file."}),"\n",(0,t.jsx)(r.h3,{id:"117-ensure-that-the-etcd-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.7 Ensure that the etcd pod specification file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds etcd within the k3s process. There is no etcd pod specification file."}),"\n",(0,t.jsxs)(r.h3,{id:"118-ensure-that-the-etcd-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.8 Ensure that the etcd pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds etcd within the k3s process. There is no etcd pod specification file."}),"\n",(0,t.jsx)(r.h3,{id:"119-ensure-that-the-container-network-interface-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.9 Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"find /var/lib/cni/networks -type f ! -name lock 2> /dev/null | xargs --no-run-if-empty stat -c permissions=%a\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["By default, K3s sets the CNI file permissions to 600.\nNote that for many CNIs, a lock file is created with permissions 750. This is expected and can be ignored.\nIf you modify your CNI configuration, ensure that the permissions are set to 600.\nFor example, ",(0,t.jsx)(r.code,{children:"chmod 600 /var/lib/cni/networks/<filename>"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"1110-ensure-that-the-container-network-interface-file-ownership-is-set-to-root-manual",children:["1.1.10 Ensure that the Container Network Interface file ownership is set to root",":root"," (Manual)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chown root:root <path/to/cni/files>"})]}),"\n",(0,t.jsx)(r.h3,{id:"1111-ensure-that-the-etcd-data-directory-permissions-are-set-to-700-or-more-restrictive-automated",children:"1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:'if [ "$(journalctl -u k3s | grep -m1 \'Managed etcd cluster\' | wc -l)" -gt 0 ]; then\n stat -c permissions=%a /var/lib/rancher/k3s/server/db/etcd\nelse\n echo "permissions=700"\nfi\n'})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 700, expected 700 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=700\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["On the etcd server node, get the etcd data directory, passed as an argument --data-dir,\nfrom the command 'ps -ef | grep etcd'.\nRun the below command (based on the etcd data directory found above). For example,\n",(0,t.jsx)(r.code,{children:"chmod 700 /var/lib/etcd"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"1112-ensure-that-the-etcd-data-directory-ownership-is-set-to-etcd-automated",children:["1.1.12 Ensure that the etcd data directory ownership is set to etcd",":etcd"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsxs)(r.p,{children:["For K3s, etcd is embedded within the k3s process. There is no separate etcd process.\nTherefore the etcd data directory ownership is managed by the k3s process and should be root",":root","."]}),"\n",(0,t.jsx)(r.h3,{id:"1113-ensure-that-the-adminconf-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.13 Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/admin.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/admin.kubeconfig; fi'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,t.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/server/cred/admin.kubeconfig"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"1114-ensure-that-the-adminconf-file-ownership-is-set-to-root-automated",children:["1.1.14 Ensure that the admin.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/admin.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/server/cred/admin.kubeconfig; fi'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is equal to 'root",":root","'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,t.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/server/cred/admin.kubeconfig"})]})]}),"\n",(0,t.jsx)(r.h3,{id:"1115-ensure-that-the-schedulerconf-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.15 Ensure that the scheduler.conf file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; fi'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"1116-ensure-that-the-schedulerconf-file-ownership-is-set-to-root-automated",children:["1.1.16 Ensure that the scheduler.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; fi'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig"})]})]}),"\n",(0,t.jsx)(r.h3,{id:"1117-ensure-that-the-controller-managerconf-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.17 Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/controller.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/controller.kubeconfig; fi'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/server/cred/controller.kubeconfig"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"1118-ensure-that-the-controller-managerconf-file-ownership-is-set-to-root-automated",children:["1.1.18 Ensure that the controller-manager.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/server/cred/controller.kubeconfig\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is equal to 'root",":root","'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/server/cred/controller.kubeconfig"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"1119-ensure-that-the-kubernetes-pki-directory-and-file-ownership-is-set-to-root-automated",children:["1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/server/tls\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chown -R root:root /var/lib/rancher/k3s/server/tls"})]})]}),"\n",(0,t.jsx)(r.h3,{id:"1120-ensure-that-the-kubernetes-pki-certificate-file-permissions-are-set-to-600-or-more-restrictive-manual",children:"1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the master node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chmod -R 600 /var/lib/rancher/k3s/server/tls/*.crt"})]}),"\n",(0,t.jsx)(r.h3,{id:"1121-ensure-that-the-kubernetes-pki-key-file-permissions-are-set-to-600-automated",children:"1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'stat -c permissions=%a /var/lib/rancher/k3s/server/tls/*.key'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the master node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chmod -R 600 /var/lib/rancher/k3s/server/tls/*.key"})]})]}),"\n",(0,t.jsx)(r.h2,{id:"12-api-server",children:"1.2 API Server"}),"\n",(0,t.jsx)(r.h3,{id:"121-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",children:"1.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'anonymous-auth'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--anonymous-auth' is equal to 'false'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --anonymous-auth argument to false.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove anything similar to below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "anonymous-auth=true"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"122-ensure-that-the---token-auth-file-parameter-is-not-set-automated",children:"1.2.2 Ensure that the --token-auth-file parameter is not set (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--token-auth-file' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"Follow the documentation and configure alternate mechanisms for authentication.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove anything similar to below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "token-auth-file=<path>"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"123-ensure-that-the---denyserviceexternalips-is-not-set-automated",children:"1.2.3 Ensure that the --DenyServiceExternalIPs is not set (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--enable-admission-plugins' does not have 'DenyServiceExternalIPs' OR '--enable-admission-plugins' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set DenyServiceExternalIPs.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml, remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=DenyServiceExternalIPs"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"124-ensure-that-the---kubelet-client-certificate-and---kubelet-client-key-arguments-are-set-as-appropriate-automated",children:"1.2.4 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--kubelet-client-certificate' is present AND '--kubelet-client-key' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically provides the kubelet client certificate and key.\nThey are generated and located at /var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt and /var/lib/rancher/k3s/server/tls/client-kube-apiserver.key\nIf for some reason you need to provide your own certificate and key, you can set the\nbelow parameters in the K3s config file /etc/rancher/k3s/config.yaml."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "kubelet-client-certificate=<path/to/client-cert-file>"\n - "kubelet-client-key=<path/to/client-key-file>"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"125-ensure-that-the---kubelet-certificate-authority-argument-is-set-as-appropriate-automated",children:"1.2.5 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'kubelet-certificate-authority'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--kubelet-certificate-authority' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically provides the kubelet CA cert file, at /var/lib/rancher/k3s/server/tls/server-ca.crt.\nIf for some reason you need to provide your own ca certificate, look at using the k3s certificate command line tool.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "kubelet-certificate-authority=<path/to/ca-cert-file>"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"126-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",children:"1.2.6 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--authorization-mode' does not have 'AlwaysAllow'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set the --authorization-mode to AlwaysAllow.\nIf this check fails, edit K3s config file /etc/rancher/k3s/config.yaml, remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "authorization-mode=AlwaysAllow"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"127-ensure-that-the---authorization-mode-argument-includes-node-automated",children:"1.2.7 Ensure that the --authorization-mode argument includes Node (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--authorization-mode' has 'Node'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --authorization-mode to Node and RBAC.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml,\nensure that you are not overriding authorization-mode."})]}),"\n",(0,t.jsx)(r.h3,{id:"128-ensure-that-the---authorization-mode-argument-includes-rbac-automated",children:"1.2.8 Ensure that the --authorization-mode argument includes RBAC (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--authorization-mode' has 'RBAC'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --authorization-mode to Node and RBAC.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml,\nensure that you are not overriding authorization-mode."})]}),"\n",(0,t.jsx)(r.h3,{id:"129-ensure-that-the-admission-control-plugin-eventratelimit-is-set-manual",children:"1.2.9 Ensure that the admission control plugin EventRateLimit is set (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and set the desired limits in a configuration file.\nThen, edit the K3s config file /etc/rancher/k3s/config.yaml and set the below parameters."]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=...,EventRateLimit,..."\n - "admission-control-config-file=<path/to/configuration/file>"\n'})}),"\n",(0,t.jsx)(r.h3,{id:"1210-ensure-that-the-admission-control-plugin-alwaysadmit-is-not-set-automated",children:"1.2.10 Ensure that the admission control plugin AlwaysAdmit is not set (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--enable-admission-plugins' does not have 'AlwaysAdmit' OR '--enable-admission-plugins' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set the --enable-admission-plugins to AlwaysAdmit.\nIf this check fails, edit K3s config file /etc/rancher/k3s/config.yaml, remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=AlwaysAdmit"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1211-ensure-that-the-admission-control-plugin-alwayspullimages-is-set-manual",children:"1.2.11 Ensure that the admission control plugin AlwaysPullImages is set (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),'\nPermissive, per CIS guidelines,\n"This setting could impact offline or isolated clusters, which have images pre-loaded and\ndo not have access to a registry to pull in-use images. This setting is not appropriate for\nclusters which use this configuration."\nEdit the K3s config file /etc/rancher/k3s/config.yaml and set the below parameter.']}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=...,AlwaysPullImages,..."\n'})}),"\n",(0,t.jsx)(r.h3,{id:"1212-ensure-that-the-admission-control-plugin-securitycontextdeny-is-set-if-podsecuritypolicy-is-not-used-manual",children:"1.2.12 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"Enabling Pod Security Policy is no longer supported on K3s v1.25+ and will cause applications to unexpectedly fail."}),"\n",(0,t.jsx)(r.h3,{id:"1213-ensure-that-the-admission-control-plugin-serviceaccount-is-set-automated",children:"1.2.13 Ensure that the admission control plugin ServiceAccount is set (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--disable-admission-plugins' is present OR '--disable-admission-plugins' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set the --disable-admission-plugins to anything.\nFollow the documentation and create ServiceAccount objects as per your environment.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "disable-admission-plugins=ServiceAccount"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1214-ensure-that-the-admission-control-plugin-namespacelifecycle-is-set-automated",children:"1.2.14 Ensure that the admission control plugin NamespaceLifecycle is set (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--disable-admission-plugins' is present OR '--disable-admission-plugins' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set the --disable-admission-plugins to anything.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "disable-admission-plugins=...,NamespaceLifecycle,..."\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1215-ensure-that-the-admission-control-plugin-noderestriction-is-set-automated",children:"1.2.15 Ensure that the admission control plugin NodeRestriction is set (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--enable-admission-plugins' has 'NodeRestriction'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --enable-admission-plugins to NodeRestriction.\nIf using the K3s config file /etc/rancher/k3s/config.yaml, check that you are not overriding the admission plugins.\nIf you are, include NodeRestriction in the list."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=...,NodeRestriction,..."\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1216-ensure-that-the---profiling-argument-is-set-to-false-automated",children:"1.2.16 Ensure that the --profiling argument is set to false (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'profiling'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--profiling' is equal to 'false'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --profiling argument to false.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "profiling=true"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1217-ensure-that-the---audit-log-path-argument-is-set-manual",children:"1.2.17 Ensure that the --audit-log-path argument is set (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--audit-log-path' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml and set the audit-log-path parameter to a suitable path and\nfile where you would like audit logs to be written, for example,"}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1218-ensure-that-the---audit-log-maxage-argument-is-set-to-30-or-as-appropriate-manual",children:"1.2.18 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--audit-log-maxage' is greater or equal to 30"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and\nset the audit-log-maxage parameter to 30 or as an appropriate number of days, for example,"}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "audit-log-maxage=30"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1219-ensure-that-the---audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate-manual",children:"1.2.19 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--audit-log-maxbackup' is greater or equal to 10"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and\nset the audit-log-maxbackup parameter to 10 or to an appropriate value. For example,"}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "audit-log-maxbackup=10"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1220-ensure-that-the---audit-log-maxsize-argument-is-set-to-100-or-as-appropriate-manual",children:"1.2.20 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--audit-log-maxsize' is greater or equal to 100"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and\nset the audit-log-maxsize parameter to an appropriate size in MB. For example,"}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "audit-log-maxsize=100"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1221-ensure-that-the---request-timeout-argument-is-set-as-appropriate-manual",children:"1.2.21 Ensure that the --request-timeout argument is set as appropriate (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),'\nPermissive, per CIS guidelines,\n"it is recommended to set this limit as appropriate and change the default limit of 60 seconds only if needed".\nEdit the K3s config file /etc/rancher/k3s/config.yaml\nand set the below parameter if needed. For example,']}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "request-timeout=300s"\n'})}),"\n",(0,t.jsx)(r.h3,{id:"1222-ensure-that-the---service-account-lookup-argument-is-set-to-true-automated",children:"1.2.22 Ensure that the --service-account-lookup argument is set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--service-account-lookup' is not present OR '--service-account-lookup' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set the --service-account-lookup argument.\nEdit the K3s config file /etc/rancher/k3s/config.yaml and set the service-account-lookup. For example,"}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "service-account-lookup=true"\n'})}),(0,t.jsx)(r.p,{children:"Alternatively, you can delete the service-account-lookup parameter from this file so\nthat the default takes effect."})]}),"\n",(0,t.jsx)(r.h3,{id:"1223-ensure-that-the---service-account-key-file-argument-is-set-as-appropriate-automated",children:"1.2.23 Ensure that the --service-account-key-file argument is set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--service-account-key-file' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"K3s automatically generates and sets the service account key file.\nIt is located at /var/lib/rancher/k3s/server/tls/service.key.\nIf this check fails, edit K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "service-account-key-file=<path>"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1224-ensure-that-the---etcd-certfile-and---etcd-keyfile-arguments-are-set-as-appropriate-automated",children:"1.2.24 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"if [ \"$(journalctl -u k3s | grep -m1 'Managed etcd cluster' | wc -l)\" -gt 0 ]; then\n journalctl -D /var/log/journal -u k3s | grep -m1 'Running kube-apiserver' | tail -n1\nelse\n echo \"--etcd-certfile AND --etcd-keyfile\"\nfi\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--etcd-certfile' is present AND '--etcd-keyfile' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"K3s automatically generates and sets the etcd certificate and key files.\nThey are located at /var/lib/rancher/k3s/server/tls/etcd/client.crt and /var/lib/rancher/k3s/server/tls/etcd/client.key.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "etcd-certfile=<path>"\n - "etcd-keyfile=<path>"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1225-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",children:"1.2.25 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep -A1 'Running kube-apiserver' | tail -n2\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--tls-cert-file' is present AND '--tls-private-key-file' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\nAug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically generates and provides the TLS certificate and private key for the apiserver.\nThey are generated and located at /var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt and /var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "tls-cert-file=<path>"\n - "tls-private-key-file=<path>"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1226-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",children:"1.2.26 Ensure that the --client-ca-file argument is set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'client-ca-file'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--client-ca-file' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically provides the client certificate authority file.\nIt is generated and located at /var/lib/rancher/k3s/server/tls/client-ca.crt.\nIf for some reason you need to provide your own ca certificate, look at using the k3s certificate command line tool.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "client-ca-file=<path>"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1227-ensure-that-the---etcd-cafile-argument-is-set-as-appropriate-automated",children:"1.2.27 Ensure that the --etcd-cafile argument is set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'etcd-cafile'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--etcd-cafile' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically provides the etcd certificate authority file.\nIt is generated and located at /var/lib/rancher/k3s/server/tls/client-ca.crt.\nIf for some reason you need to provide your own ca certificate, look at using the k3s certificate command line tool.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "etcd-cafile=<path>"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1228-ensure-that-the---encryption-provider-config-argument-is-set-as-appropriate-manual",children:"1.2.28 Ensure that the --encryption-provider-config argument is set as appropriate (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'encryption-provider-config'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--encryption-provider-config' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"K3s can be configured to use encryption providers to encrypt secrets at rest.\nEdit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and set the below parameter.\nsecrets-encryption: true\nSecrets encryption can then be managed with the k3s secrets-encrypt command line tool.\nIf needed, you can find the generated encryption config at /var/lib/rancher/k3s/server/cred/encryption-config.json."})]}),"\n",(0,t.jsx)(r.h3,{id:"1229-ensure-that-encryption-providers-are-appropriately-configured-manual",children:"1.2.29 Ensure that encryption providers are appropriately configured (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"ENCRYPTION_PROVIDER_CONFIG=$(journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -- --encryption-provider-config | sed 's%.*encryption-provider-config[= ]\\([^ ]*\\).*%\\1%')\nif test -e $ENCRYPTION_PROVIDER_CONFIG; then grep -o 'providers\\\"\\:\\[.*\\]' $ENCRYPTION_PROVIDER_CONFIG | grep -o \"[A-Za-z]*\" | head -2 | tail -1 | sed 's/^/provider=/'; fi\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'provider' contains valid elements from 'aescbc,kms,secretbox'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"provider=aescbc\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"K3s can be configured to use encryption providers to encrypt secrets at rest. K3s will utilize the aescbc provider.\nEdit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and set the below parameter.\nsecrets-encryption: true\nSecrets encryption can then be managed with the k3s secrets-encrypt command line tool.\nIf needed, you can find the generated encryption config at /var/lib/rancher/k3s/server/cred/encryption-config.json"})]}),"\n",(0,t.jsx)(r.h3,{id:"1230-ensure-that-the-api-server-only-makes-use-of-strong-cryptographic-ciphers-automated",children:"1.2.30 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'tls-cipher-suites'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--tls-cipher-suites' contains valid elements from 'TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["By default, the K3s kube-apiserver complies with this test. Changes to these values may cause regression, therefore ensure that all apiserver clients support the new TLS configuration before applying it in production deployments.\nIf a custom TLS configuration is required, consider also creating a custom version of this rule that aligns with your requirements.\nIf this check fails, remove any custom configuration around ",(0,t.jsx)(r.code,{children:"tls-cipher-suites"})," or update the /etc/rancher/k3s/config.yaml file to match the default by adding the following:"]}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"\n'})})]}),"\n",(0,t.jsx)(r.h2,{id:"13-controller-manager",children:"1.3 Controller Manager"}),"\n",(0,t.jsx)(r.h3,{id:"131-ensure-that-the---terminated-pod-gc-threshold-argument-is-set-as-appropriate-manual",children:"1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'terminated-pod-gc-threshold'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--terminated-pod-gc-threshold' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node\nand set the --terminated-pod-gc-threshold to an appropriate threshold,"}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "terminated-pod-gc-threshold=10"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"132-ensure-that-the---profiling-argument-is-set-to-false-automated",children:"1.3.2 Ensure that the --profiling argument is set to false (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'profiling'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--profiling' is equal to 'false'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --profiling argument to false.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "profiling=true"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"133-ensure-that-the---use-service-account-credentials-argument-is-set-to-true-automated",children:"1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'use-service-account-credentials'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--use-service-account-credentials' is not equal to 'false'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --use-service-account-credentials argument to true.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "use-service-account-credentials=false"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"134-ensure-that-the---service-account-private-key-file-argument-is-set-as-appropriate-automated",children:"1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'service-account-private-key-file'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--service-account-private-key-file' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically provides the service account private key file.\nIt is generated and located at /var/lib/rancher/k3s/server/tls/service.current.key.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "service-account-private-key-file=<path>"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"135-ensure-that-the---root-ca-file-argument-is-set-as-appropriate-automated",children:"1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'root-ca-file'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--root-ca-file' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically provides the root CA file.\nIt is generated and located at /var/lib/rancher/k3s/server/tls/server-ca.crt.\nIf for some reason you need to provide your own ca certificate, look at using the k3s certificate command line tool.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "root-ca-file=<path>"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"136-ensure-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",children:"1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--feature-gates' is present OR '--feature-gates' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set the RotateKubeletServerCertificate feature gate.\nIf you have enabled this feature gate, you should remove it.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml, remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "feature-gate=RotateKubeletServerCertificate"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"137-ensure-that-the---bind-address-argument-is-set-to-127001-automated",children:"1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--bind-address' is equal to '127.0.0.1' OR '--bind-address' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --bind-address argument to 127.0.0.1\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "bind-address=<IP>"\n'})})]}),"\n",(0,t.jsx)(r.h2,{id:"14-scheduler",children:"1.4 Scheduler"}),"\n",(0,t.jsx)(r.h3,{id:"141-ensure-that-the---profiling-argument-is-set-to-false-automated",children:"1.4.1 Ensure that the --profiling argument is set to false (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-scheduler' | tail -n1 | grep 'profiling'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--profiling' is equal to 'false'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --profiling argument to false.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-scheduler-arg:\n - "profiling=true"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"142-ensure-that-the---bind-address-argument-is-set-to-127001-automated",children:"1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-scheduler' | tail -n1 | grep 'bind-address'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--bind-address' is equal to '127.0.0.1' OR '--bind-address' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --bind-address argument to 127.0.0.1\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-scheduler-arg:\n - "bind-address=<IP>"\n'})})]}),"\n",(0,t.jsx)(r.h2,{id:"2-etcd-node-configuration",children:"2 Etcd Node Configuration"}),"\n",(0,t.jsx)(r.h3,{id:"21-ensure-that-the---cert-file-and---key-file-arguments-are-set-as-appropriate-automated",children:"2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '.client-transport-security.cert-file' is equal to '/var/lib/rancher/k3s/server/tls/etcd/server-client.crt' AND '.client-transport-security.key-file' is equal to '/var/lib/rancher/k3s/server/tls/etcd/server-client.key'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nexperimental-watch-progress-notify-interval: 5000000000\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-11120bb0=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-http-urls: https://127.0.0.1:2382\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-11120bb0\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s generates cert and key files for etcd.\nThese are located in /var/lib/rancher/k3s/server/tls/etcd/.\nIf this check fails, ensure that the configuration file /var/lib/rancher/k3s/server/db/etcd/config\nhas not been modified to use custom cert and key files."})]}),"\n",(0,t.jsx)(r.h3,{id:"22-ensure-that-the---client-cert-auth-argument-is-set-to-true-automated",children:"2.2 Ensure that the --client-cert-auth argument is set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '.client-transport-security.client-cert-auth' is equal to 'true'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nexperimental-watch-progress-notify-interval: 5000000000\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-11120bb0=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-http-urls: https://127.0.0.1:2382\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-11120bb0\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s sets the --client-cert-auth parameter to true.\nIf this check fails, ensure that the configuration file /var/lib/rancher/k3s/server/db/etcd/config\nhas not been modified to disable client certificate authentication."})]}),"\n",(0,t.jsx)(r.h3,{id:"23-ensure-that-the---auto-tls-argument-is-not-set-to-true-automated",children:"2.3 Ensure that the --auto-tls argument is not set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '.client-transport-security.auto-tls' is present OR '.client-transport-security.auto-tls' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nexperimental-watch-progress-notify-interval: 5000000000\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-11120bb0=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-http-urls: https://127.0.0.1:2382\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-11120bb0\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s does not set the --auto-tls parameter.\nIf this check fails, edit the etcd pod specification file /var/lib/rancher/k3s/server/db/etcd/config on the master\nnode and either remove the --auto-tls parameter or set it to false.\nclient-transport-security:\nauto-tls: false"})]}),"\n",(0,t.jsx)(r.h3,{id:"24-ensure-that-the---peer-cert-file-and---peer-key-file-arguments-are-set-as-appropriate-automated",children:"2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '.peer-transport-security.cert-file' is equal to '/var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt' AND '.peer-transport-security.key-file' is equal to '/var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nexperimental-watch-progress-notify-interval: 5000000000\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-11120bb0=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-http-urls: https://127.0.0.1:2382\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-11120bb0\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s generates peer cert and key files for etcd.\nThese are located in /var/lib/rancher/k3s/server/tls/etcd/.\nIf this check fails, ensure that the configuration file /var/lib/rancher/k3s/server/db/etcd/config\nhas not been modified to use custom peer cert and key files."})]}),"\n",(0,t.jsx)(r.h3,{id:"25-ensure-that-the---peer-client-cert-auth-argument-is-set-to-true-automated",children:"2.5 Ensure that the --peer-client-cert-auth argument is set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '.peer-transport-security.client-cert-auth' is equal to 'true'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nexperimental-watch-progress-notify-interval: 5000000000\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-11120bb0=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-http-urls: https://127.0.0.1:2382\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-11120bb0\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s sets the --peer-cert-auth parameter to true.\nIf this check fails, ensure that the configuration file /var/lib/rancher/k3s/server/db/etcd/config\nhas not been modified to disable peer client certificate authentication."})]}),"\n",(0,t.jsx)(r.h3,{id:"26-ensure-that-the---peer-auto-tls-argument-is-not-set-to-true-automated",children:"2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '.peer-transport-security.auto-tls' is present OR '.peer-transport-security.auto-tls' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nexperimental-watch-progress-notify-interval: 5000000000\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-11120bb0=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-http-urls: https://127.0.0.1:2382\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-11120bb0\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s does not set the --peer-auto-tls parameter.\nIf this check fails, edit the etcd pod specification file /var/lib/rancher/k3s/server/db/etcd/config on the master\nnode and either remove the --peer-auto-tls parameter or set it to false.\npeer-transport-security:\nauto-tls: false"})]}),"\n",(0,t.jsx)(r.h3,{id:"27-ensure-that-a-unique-certificate-authority-is-used-for-etcd-automated",children:"2.7 Ensure that a unique Certificate Authority is used for etcd (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '.peer-transport-security.trusted-ca-file' is equal to '/var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nexperimental-watch-progress-notify-interval: 5000000000\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-11120bb0=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-http-urls: https://127.0.0.1:2382\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-11120bb0\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s generates a unique certificate authority for etcd.\nThis is located at /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt.\nIf this check fails, ensure that the configuration file /var/lib/rancher/k3s/server/db/etcd/config\nhas not been modified to use a shared certificate authority."})]}),"\n",(0,t.jsx)(r.h2,{id:"41-worker-node-configuration-files",children:"4.1 Worker Node Configuration Files"}),"\n",(0,t.jsx)(r.h3,{id:"411-ensure-that-the-kubelet-service-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"The kubelet is embedded in the k3s process. There is no kubelet service file, all configuration is passed in as arguments at runtime."}),"\n",(0,t.jsxs)(r.h3,{id:"412-ensure-that-the-kubelet-service-file-ownership-is-set-to-root-automated",children:["4.1.2 Ensure that the kubelet service file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"The kubelet is embedded in the k3s process. There is no kubelet service file, all configuration is passed in as arguments at runtime."}),"\n",(0,t.jsx)(r.p,{children:"All configuration is passed in as arguments at container run time."}),"\n",(0,t.jsx)(r.h3,{id:"413-if-proxy-kubeconfig-file-exists-ensure-permissions-are-set-to-600-or-more-restrictive-automated",children:"4.1.3 If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; fi' \n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the each worker node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"414-if-proxy-kubeconfig-file-exists-ensure-ownership-is-set-to-root-automated",children:["4.1.4 If proxy kubeconfig file exists ensure ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; fi' \n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the each worker node.\nFor example, ",(0,t.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig"})]})]}),"\n",(0,t.jsx)(r.h3,{id:"415-ensure-that-the---kubeconfig-kubeletconf-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/agent/kubelet.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/agent/kubelet.kubeconfig; fi' \n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the each worker node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/agent/kubelet.kubeconfig"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"416-ensure-that-the---kubeconfig-kubeletconf-file-ownership-is-set-to-root-automated",children:["4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/agent/kubelet.kubeconfig\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the each worker node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/agent/kubelet.kubeconfig"})]})]}),"\n",(0,t.jsx)(r.h3,{id:"417-ensure-that-the-certificate-authorities-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"4.1.7 Ensure that the certificate authorities file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"stat -c permissions=%a /var/lib/rancher/k3s/agent/client-ca.crt\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the following command to modify the file permissions of the\n--client-ca-file ",(0,t.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/agent/client-ca.crt"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"418-ensure-that-the-client-certificate-authorities-file-ownership-is-set-to-root-automated",children:["4.1.8 Ensure that the client certificate authorities file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/agent/client-ca.crt\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is equal to 'root",":root","'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the following command to modify the ownership of the --client-ca-file.\n",(0,t.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/agent/client-ca.crt"})]})]}),"\n",(0,t.jsx)(r.h3,{id:"419-ensure-that-the-kubelet---config-configuration-file-has-permissions-set-to-600-or-more-restrictive-automated",children:"4.1.9 Ensure that the kubelet --config configuration file has permissions set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"The kubelet is embedded in the k3s process. There is no kubelet config file, all configuration is passed in as arguments at runtime."}),"\n",(0,t.jsxs)(r.h3,{id:"4110-ensure-that-the-kubelet---config-configuration-file-ownership-is-set-to-root-automated",children:["4.1.10 Ensure that the kubelet --config configuration file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"The kubelet is embedded in the k3s process. There is no kubelet config file, all configuration is passed in as arguments at runtime."}),"\n",(0,t.jsx)(r.h2,{id:"42-kubelet",children:"4.2 Kubelet"}),"\n",(0,t.jsx)(r.h3,{id:"421-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",children:"4.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:'/bin/sh -c \'if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "anonymous-auth" | grep -v grep; else echo "--anonymous-auth=false"; fi\' \n'})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--anonymous-auth' is equal to 'false'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --anonymous-auth to false. If you have set this to a different value, you\nshould set it back to false. If using the K3s config file /etc/rancher/k3s/config.yaml, remove any lines similar to below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "anonymous-auth=true"\n'})}),(0,t.jsx)(r.p,{children:'If using the command line, edit the K3s service file and remove the below argument.\n--kubelet-arg="anonymous-auth=true"\nBased on your system, restart the k3s service. For example,\nsystemctl daemon-reload\nsystemctl restart k3s.service'})]}),"\n",(0,t.jsx)(r.h3,{id:"422-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",children:"4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:'/bin/sh -c \'if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "authorization-mode"; else echo "--authorization-mode=Webhook"; fi\' \n'})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--authorization-mode' does not have 'AlwaysAllow'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set the --authorization-mode to AlwaysAllow.\nIf using the K3s config file /etc/rancher/k3s/config.yaml, remove any lines similar to below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "authorization-mode=AlwaysAllow"\n'})}),(0,t.jsx)(r.p,{children:'If using the command line, edit the K3s service file and remove the below argument.\n--kubelet-arg="authorization-mode=AlwaysAllow"\nBased on your system, restart the k3s service. For example,\nsystemctl daemon-reload\nsystemctl restart k3s.service'})]}),"\n",(0,t.jsx)(r.h3,{id:"423-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",children:"4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:'/bin/sh -c \'if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "client-ca-file"; else echo "--client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt"; fi\' \n'})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--client-ca-file' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically provides the client ca certificate for the Kubelet.\nIt is generated and located at /var/lib/rancher/k3s/agent/client-ca.crt"})]}),"\n",(0,t.jsx)(r.h3,{id:"424-verify-that-the---read-only-port-argument-is-set-to-0-automated",children:"4.2.4 Verify that the --read-only-port argument is set to 0 (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--read-only-port' is equal to '0' OR '--read-only-port' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:19 server-0 k3s[2357]: time="2024-08-09T19:06:19Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --feature-gates=CloudDualStackNodeIPs=true --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --read-only-port to 0. If you have set this to a different value, you\nshould set it back to 0. If using the K3s config file /etc/rancher/k3s/config.yaml, remove any lines similar to below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "read-only-port=XXXX"\n'})}),(0,t.jsx)(r.p,{children:'If using the command line, edit the K3s service file and remove the below argument.\n--kubelet-arg="read-only-port=XXXX"\nBased on your system, restart the k3s service. For example,\nsystemctl daemon-reload\nsystemctl restart k3s.service'})]}),"\n",(0,t.jsx)(r.h3,{id:"425-ensure-that-the---streaming-connection-idle-timeout-argument-is-not-set-to-0-manual",children:"4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--streaming-connection-idle-timeout' is not equal to '0' OR '--streaming-connection-idle-timeout' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:19 server-0 k3s[2357]: time="2024-08-09T19:06:19Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --feature-gates=CloudDualStackNodeIPs=true --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If using the K3s config file /etc/rancher/k3s/config.yaml, set the following parameter to an appropriate value."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "streaming-connection-idle-timeout=5m"\n'})}),(0,t.jsx)(r.p,{children:'If using the command line, run K3s with --kubelet-arg="streaming-connection-idle-timeout=5m".\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service'})]}),"\n",(0,t.jsx)(r.h3,{id:"426-ensure-that-the---make-iptables-util-chains-argument-is-set-to-true-automated",children:"4.2.6 Ensure that the --make-iptables-util-chains argument is set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--make-iptables-util-chains' is equal to 'true' OR '--make-iptables-util-chains' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:19 server-0 k3s[2357]: time="2024-08-09T19:06:19Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --feature-gates=CloudDualStackNodeIPs=true --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If using the K3s config file /etc/rancher/k3s/config.yaml, set the following parameter."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "make-iptables-util-chains=true"\n'})}),(0,t.jsx)(r.p,{children:'If using the command line, run K3s with --kubelet-arg="make-iptables-util-chains=true".\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service'})]}),"\n",(0,t.jsx)(r.h3,{id:"427-ensure-that-the---hostname-override-argument-is-not-set-automated",children:"4.2.7 Ensure that the --hostname-override argument is not set (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s does set the --hostname-override argument. Per CIS guidelines, this is to comply\nwith cloud providers that require this flag to ensure that hostname matches node names."}),"\n",(0,t.jsx)(r.h3,{id:"428-ensure-that-the-eventrecordqps-argument-is-set-to-a-level-which-ensures-appropriate-event-capture-manual",children:"4.2.8 Ensure that the eventRecordQPS argument is set to a level which ensures appropriate event capture (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--event-qps' is greater or equal to 0 OR '--event-qps' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:19 server-0 k3s[2357]: time="2024-08-09T19:06:19Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --feature-gates=CloudDualStackNodeIPs=true --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the event-qps to 0. Should you wish to change this,\nIf using the K3s config file /etc/rancher/k3s/config.yaml, set the following parameter to an appropriate value."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "event-qps=<value>"\n'})}),(0,t.jsx)(r.p,{children:'If using the command line, run K3s with --kubelet-arg="event-qps=<value>".\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service'})]}),"\n",(0,t.jsx)(r.h3,{id:"429-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",children:"4.2.9 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--tls-cert-file' is present AND '--tls-private-key-file' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:19 server-0 k3s[2357]: time="2024-08-09T19:06:19Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --feature-gates=CloudDualStackNodeIPs=true --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically provides the TLS certificate and private key for the Kubelet.\nThey are generated and located at /var/lib/rancher/k3s/agent/serving-kubelet.crt and /var/lib/rancher/k3s/agent/serving-kubelet.key\nIf for some reason you need to provide your own certificate and key, you can set the\nbelow parameters in the K3s config file /etc/rancher/k3s/config.yaml."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "tls-cert-file=<path/to/tls-cert-file>"\n - "tls-private-key-file=<path/to/tls-private-key-file>"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"4210-ensure-that-the---rotate-certificates-argument-is-not-set-to-false-automated",children:"4.2.10 Ensure that the --rotate-certificates argument is not set to false (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '.rotateCertificates' is present OR '.rotateCertificates' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"apiVersion: v1\nclusters:\n- cluster:\n server: https://127.0.0.1:6443\n certificate-authority: /var/lib/rancher/k3s/agent/server-ca.crt\n name: local\ncontexts:\n- context:\n cluster: local\n namespace: default\n user: user\n name: Default\ncurrent-context: Default\nkind: Config\npreferences: {}\nusers:\n- name: user\n user:\n client-certificate: /var/lib/rancher/k3s/agent/client-kubelet.crt\n client-key: /var/lib/rancher/k3s/agent/client-kubelet.key\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["By default, K3s does not set the --rotate-certificates argument. If you have set this flag with a value of ",(0,t.jsx)(r.code,{children:"false"}),", you should either set it to ",(0,t.jsx)(r.code,{children:"true"}),' or completely remove the flag.\nIf using the K3s config file /etc/rancher/k3s/config.yaml, remove any rotate-certificates parameter.\nIf using the command line, remove the K3s flag --kubelet-arg="rotate-certificates".\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service']})]}),"\n",(0,t.jsx)(r.h3,{id:"4211-verify-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",children:"4.2.11 Verify that the RotateKubeletServerCertificate argument is set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '.featureGates.RotateKubeletServerCertificate' is present OR '.featureGates.RotateKubeletServerCertificate' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"apiVersion: v1\nclusters:\n- cluster:\n server: https://127.0.0.1:6443\n certificate-authority: /var/lib/rancher/k3s/agent/server-ca.crt\n name: local\ncontexts:\n- context:\n cluster: local\n namespace: default\n user: user\n name: Default\ncurrent-context: Default\nkind: Config\npreferences: {}\nusers:\n- name: user\n user:\n client-certificate: /var/lib/rancher/k3s/agent/client-kubelet.crt\n client-key: /var/lib/rancher/k3s/agent/client-kubelet.key\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:'By default, K3s does not set the RotateKubeletServerCertificate feature gate.\nIf you have enabled this feature gate, you should remove it.\nIf using the K3s config file /etc/rancher/k3s/config.yaml, remove any feature-gate=RotateKubeletServerCertificate parameter.\nIf using the command line, remove the K3s flag --kubelet-arg="feature-gate=RotateKubeletServerCertificate".\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service'})]}),"\n",(0,t.jsx)(r.h3,{id:"4212-ensure-that-the-kubelet-only-makes-use-of-strong-cryptographic-ciphers-manual",children:"4.2.12 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--tls-cipher-suites' contains valid elements from 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:19 server-0 k3s[2357]: time="2024-08-09T19:06:19Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --feature-gates=CloudDualStackNodeIPs=true --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["If using a K3s config file /etc/rancher/k3s/config.yaml, edit the file to set ",(0,t.jsx)(r.code,{children:"TLSCipherSuites"})," to"]}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"\n'})}),(0,t.jsx)(r.p,{children:'or to a subset of these values.\nIf using the command line, add the K3s flag --kubelet-arg="tls-cipher-suites=<same values as above>"\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service'})]}),"\n",(0,t.jsx)(r.h3,{id:"4213-ensure-that-a-limit-is-set-on-pod-pids-manual",children:"4.2.13 Ensure that a limit is set on pod PIDs (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nDecide on an appropriate level for this parameter and set it,\nIf using a K3s config file /etc/rancher/k3s/config.yaml, edit the file to set ",(0,t.jsx)(r.code,{children:"podPidsLimit"})," to"]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "pod-max-pids=<value>"\n'})}),"\n",(0,t.jsx)(r.h2,{id:"51-rbac-and-service-accounts",children:"5.1 RBAC and Service Accounts"}),"\n",(0,t.jsx)(r.h3,{id:"511-ensure-that-the-cluster-admin-role-is-only-used-where-required-manual",children:"5.1.1 Ensure that the cluster-admin role is only used where required (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nIdentify all clusterrolebindings to the cluster-admin role. Check if they are used and\nif they need this role or if they could use a role with fewer privileges.\nWhere possible, first bind users to a lower privileged role and then remove the\nclusterrolebinding to the cluster-admin role :\nkubectl delete clusterrolebinding [name]"]}),"\n",(0,t.jsx)(r.h3,{id:"512-minimize-access-to-secrets-manual",children:"5.1.2 Minimize access to secrets (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove get, list and watch access to Secret objects in the cluster."]}),"\n",(0,t.jsx)(r.h3,{id:"513-minimize-wildcard-use-in-roles-and-clusterroles-manual",children:"5.1.3 Minimize wildcard use in Roles and ClusterRoles (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible replace any use of wildcards in clusterroles and roles with specific\nobjects or actions."]}),"\n",(0,t.jsx)(r.h3,{id:"514-minimize-access-to-create-pods-manual",children:"5.1.4 Minimize access to create pods (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove create access to pod objects in the cluster."]}),"\n",(0,t.jsx)(r.h3,{id:"515-ensure-that-default-service-accounts-are-not-actively-used-manual",children:"5.1.5 Ensure that default service accounts are not actively used. (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nCreate explicit service accounts wherever a Kubernetes workload requires specific access\nto the Kubernetes API server.\nModify the configuration of each default service account to include this value\nautomountServiceAccountToken: false"]}),"\n",(0,t.jsx)(r.h3,{id:"516-ensure-that-service-account-tokens-are-only-mounted-where-necessary-manual",children:"5.1.6 Ensure that Service Account Tokens are only mounted where necessary (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nModify the definition of pods and service accounts which do not need to mount service\naccount tokens to disable it."]}),"\n",(0,t.jsxs)(r.h3,{id:"517-avoid-use-of-system-group-manual",children:["5.1.7 Avoid use of system",":masters"," group (Manual)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nRemove the system",":masters"," group from all users in the cluster."]}),"\n",(0,t.jsx)(r.h3,{id:"518-limit-use-of-the-bind-impersonate-and-escalate-permissions-in-the-kubernetes-cluster-manual",children:"5.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove the impersonate, bind and escalate rights from subjects."]}),"\n",(0,t.jsx)(r.h3,{id:"519-minimize-access-to-create-persistent-volumes-manual",children:"5.1.9 Minimize access to create persistent volumes (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove create access to PersistentVolume objects in the cluster."]}),"\n",(0,t.jsx)(r.h3,{id:"5110-minimize-access-to-the-proxy-sub-resource-of-nodes-manual",children:"5.1.10 Minimize access to the proxy sub-resource of nodes (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove access to the proxy sub-resource of node objects."]}),"\n",(0,t.jsx)(r.h3,{id:"5111-minimize-access-to-the-approval-sub-resource-of-certificatesigningrequests-objects-manual",children:"5.1.11 Minimize access to the approval sub-resource of certificatesigningrequests objects (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove access to the approval sub-resource of certificatesigningrequest objects."]}),"\n",(0,t.jsx)(r.h3,{id:"5112-minimize-access-to-webhook-configuration-objects-manual",children:"5.1.12 Minimize access to webhook configuration objects (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove access to the validatingwebhookconfigurations or mutatingwebhookconfigurations objects"]}),"\n",(0,t.jsx)(r.h3,{id:"5113-minimize-access-to-the-service-account-token-creation-manual",children:"5.1.13 Minimize access to the service account token creation (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove access to the token sub-resource of serviceaccount objects."]}),"\n",(0,t.jsx)(r.h2,{id:"52-pod-security-standards",children:"5.2 Pod Security Standards"}),"\n",(0,t.jsx)(r.h3,{id:"521-ensure-that-the-cluster-has-at-least-one-active-policy-control-mechanism-in-place-manual",children:"5.2.1 Ensure that the cluster has at least one active policy control mechanism in place (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nEnsure that either Pod Security Admission or an external policy control system is in place\nfor every namespace which contains user workloads."]}),"\n",(0,t.jsx)(r.h3,{id:"522-minimize-the-admission-of-privileged-containers-manual",children:"5.2.2 Minimize the admission of privileged containers (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of privileged containers."]}),"\n",(0,t.jsx)(r.h3,{id:"523-minimize-the-admission-of-containers-wishing-to-share-the-host-process-id-namespace-automated",children:"5.2.3 Minimize the admission of containers wishing to share the host process ID namespace (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of ",(0,t.jsx)(r.code,{children:"hostPID"})," containers."]}),"\n",(0,t.jsx)(r.h3,{id:"524-minimize-the-admission-of-containers-wishing-to-share-the-host-ipc-namespace-automated",children:"5.2.4 Minimize the admission of containers wishing to share the host IPC namespace (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of ",(0,t.jsx)(r.code,{children:"hostIPC"})," containers."]}),"\n",(0,t.jsx)(r.h3,{id:"525-minimize-the-admission-of-containers-wishing-to-share-the-host-network-namespace-automated",children:"5.2.5 Minimize the admission of containers wishing to share the host network namespace (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of ",(0,t.jsx)(r.code,{children:"hostNetwork"})," containers."]}),"\n",(0,t.jsx)(r.h3,{id:"526-minimize-the-admission-of-containers-with-allowprivilegeescalation-automated",children:"5.2.6 Minimize the admission of containers with allowPrivilegeEscalation (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers with ",(0,t.jsx)(r.code,{children:".spec.allowPrivilegeEscalation"})," set to ",(0,t.jsx)(r.code,{children:"true"}),"."]}),"\n",(0,t.jsx)(r.h3,{id:"527-minimize-the-admission-of-root-containers-automated",children:"5.2.7 Minimize the admission of root containers (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nCreate a policy for each namespace in the cluster, ensuring that either ",(0,t.jsx)(r.code,{children:"MustRunAsNonRoot"}),"\nor ",(0,t.jsx)(r.code,{children:"MustRunAs"})," with the range of UIDs not including 0, is set."]}),"\n",(0,t.jsx)(r.h3,{id:"528-minimize-the-admission-of-containers-with-the-net_raw-capability-automated",children:"5.2.8 Minimize the admission of containers with the NET_RAW capability (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers with the ",(0,t.jsx)(r.code,{children:"NET_RAW"})," capability."]}),"\n",(0,t.jsx)(r.h3,{id:"529-minimize-the-admission-of-containers-with-added-capabilities-automated",children:"5.2.9 Minimize the admission of containers with added capabilities (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nEnsure that ",(0,t.jsx)(r.code,{children:"allowedCapabilities"})," is not present in policies for the cluster unless\nit is set to an empty array."]}),"\n",(0,t.jsx)(r.h3,{id:"5210-minimize-the-admission-of-containers-with-capabilities-assigned-manual",children:"5.2.10 Minimize the admission of containers with capabilities assigned (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nReview the use of capabilities in applications running on your cluster. Where a namespace\ncontains applications which do not require any Linux capabities to operate consider adding\na PSP which forbids the admission of containers which do not drop all capabilities."]}),"\n",(0,t.jsx)(r.h3,{id:"5211-minimize-the-admission-of-windows-hostprocess-containers-manual",children:"5.2.11 Minimize the admission of Windows HostProcess containers (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers that have ",(0,t.jsx)(r.code,{children:".securityContext.windowsOptions.hostProcess"})," set to ",(0,t.jsx)(r.code,{children:"true"}),"."]}),"\n",(0,t.jsx)(r.h3,{id:"5212-minimize-the-admission-of-hostpath-volumes-manual",children:"5.2.12 Minimize the admission of HostPath volumes (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers with ",(0,t.jsx)(r.code,{children:"hostPath"})," volumes."]}),"\n",(0,t.jsx)(r.h3,{id:"5213-minimize-the-admission-of-containers-which-use-hostports-manual",children:"5.2.13 Minimize the admission of containers which use HostPorts (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers which use ",(0,t.jsx)(r.code,{children:"hostPort"})," sections."]}),"\n",(0,t.jsx)(r.h2,{id:"53-network-policies-and-cni",children:"5.3 Network Policies and CNI"}),"\n",(0,t.jsx)(r.h3,{id:"531-ensure-that-the-cni-in-use-supports-networkpolicies-manual",children:"5.3.1 Ensure that the CNI in use supports NetworkPolicies (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nIf the CNI plugin in use does not support network policies, consideration should be given to\nmaking use of a different plugin, or finding an alternate mechanism for restricting traffic\nin the Kubernetes cluster."]}),"\n",(0,t.jsx)(r.h3,{id:"532-ensure-that-all-namespaces-have-networkpolicies-defined-manual",children:"5.3.2 Ensure that all Namespaces have NetworkPolicies defined (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the documentation and create NetworkPolicy objects as you need them."]}),"\n",(0,t.jsx)(r.h2,{id:"54-secrets-management",children:"5.4 Secrets Management"}),"\n",(0,t.jsx)(r.h3,{id:"541-prefer-using-secrets-as-files-over-secrets-as-environment-variables-manual",children:"5.4.1 Prefer using Secrets as files over Secrets as environment variables (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nIf possible, rewrite application code to read Secrets from mounted secret files, rather than\nfrom environment variables."]}),"\n",(0,t.jsx)(r.h3,{id:"542-consider-external-secret-storage-manual",children:"5.4.2 Consider external secret storage (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nRefer to the Secrets management options offered by your cloud provider or a third-party\nsecrets management solution."]}),"\n",(0,t.jsx)(r.h2,{id:"55-extensible-admission-control",children:"5.5 Extensible Admission Control"}),"\n",(0,t.jsx)(r.h3,{id:"551-configure-image-provenance-using-imagepolicywebhook-admission-controller-manual",children:"5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and setup image provenance."]}),"\n",(0,t.jsx)(r.h2,{id:"57-general-policies",children:"5.7 General Policies"}),"\n",(0,t.jsx)(r.h3,{id:"571-create-administrative-boundaries-between-resources-using-namespaces-manual",children:"5.7.1 Create administrative boundaries between resources using namespaces (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the documentation and create namespaces for objects in your deployment as you need\nthem."]}),"\n",(0,t.jsx)(r.h3,{id:"572-ensure-that-the-seccomp-profile-is-set-to-dockerdefault-in-your-pod-definitions-manual",children:"5.7.2 Ensure that the seccomp profile is set to docker/default in your Pod definitions (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nUse ",(0,t.jsx)(r.code,{children:"securityContext"})," to enable the docker/default seccomp profile in your pod definitions.\nAn example is as below:\nsecurityContext:\nseccompProfile:\ntype: RuntimeDefault"]}),"\n",(0,t.jsx)(r.h3,{id:"573-apply-securitycontext-to-your-pods-and-containers-manual",children:"5.7.3 Apply SecurityContext to your Pods and Containers (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and apply SecurityContexts to your Pods. For a\nsuggested list of SecurityContexts, you may refer to the CIS Security Benchmark for Docker\nContainers."]}),"\n",(0,t.jsx)(r.h3,{id:"574-the-default-namespace-should-not-be-used-manual",children:"5.7.4 The default namespace should not be used (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nEnsure that namespaces are created to allow for appropriate segregation of Kubernetes\nresources and that all new resources are created in a specific namespace."]})]})}function u(e={}){const{wrapper:r}={...(0,n.a)(),...e.components};return r?(0,t.jsx)(r,{...e,children:(0,t.jsx)(d,{...e})}):d(e)}},1151:(e,r,s)=>{s.d(r,{Z:()=>l,a:()=>a});var t=s(7294);const n={},i=t.createContext(n);function a(e){const r=t.useContext(i);return t.useMemo((function(){return"function"==typeof e?e(r):{...r,...e}}),[r,e])}function l(e){let r;return r=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:a(e.components),t.createElement(i.Provider,{value:r},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/ba3a957c.690a87ff.js b/assets/js/ba3a957c.690a87ff.js deleted file mode 100644 index 29a7bbf41..000000000 --- a/assets/js/ba3a957c.690a87ff.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[8776],{615:(e,t,a)=>{a.r(t),a.d(t,{assets:()=>i,contentTitle:()=>o,default:()=>h,frontMatter:()=>n,metadata:()=>d,toc:()=>c});var s=a(5893),r=a(1151);const n={title:"Backup and Restore"},o=void 0,d={id:"datastore/backup-restore",title:"Backup and Restore",description:"The way K3s is backed up and restored depends on which type of datastore is used.",source:"@site/docs/datastore/backup-restore.md",sourceDirName:"datastore",slug:"/datastore/backup-restore",permalink:"/datastore/backup-restore",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/datastore/backup-restore.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Backup and Restore"},sidebar:"mySidebar",previous:{title:"Cluster Datastore",permalink:"/datastore/"},next:{title:"High Availability Embedded etcd",permalink:"/datastore/ha-embedded"}},i={},c=[{value:"Backup and Restore with SQLite",id:"backup-and-restore-with-sqlite",level:2},{value:"Backup and Restore with External Datastore",id:"backup-and-restore-with-external-datastore",level:2},{value:"Backup and Restore with Embedded etcd Datastore",id:"backup-and-restore-with-embedded-etcd-datastore",level:2}];function l(e){const t={a:"a",admonition:"admonition",code:"code",h2:"h2",li:"li",p:"p",ul:"ul",...(0,r.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(t.p,{children:"The way K3s is backed up and restored depends on which type of datastore is used."}),"\n",(0,s.jsx)(t.admonition,{type:"warning",children:(0,s.jsxs)(t.p,{children:["In addition to backing up the datastore itself, you must also back up the server token file at ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/token"}),".\nYou must restore this file, or pass its value into the ",(0,s.jsx)(t.code,{children:"--token"})," option, when restoring from backup.\nIf you do not use the same token value when restoring, the snapshot will be unusable, as the token is used to encrypt confidential data within the datastore itself."]})}),"\n",(0,s.jsx)(t.h2,{id:"backup-and-restore-with-sqlite",children:"Backup and Restore with SQLite"}),"\n",(0,s.jsx)(t.p,{children:"No special commands are required to back up or restore the SQLite datastore."}),"\n",(0,s.jsxs)(t.ul,{children:["\n",(0,s.jsxs)(t.li,{children:["To back up the SQLite datastore, take a copy of ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/db/"}),"."]}),"\n",(0,s.jsxs)(t.li,{children:["To restore the SQLite datastore, restore the contents of ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/db"})," (and the token, as discussed above)."]}),"\n"]}),"\n",(0,s.jsx)(t.h2,{id:"backup-and-restore-with-external-datastore",children:"Backup and Restore with External Datastore"}),"\n",(0,s.jsx)(t.p,{children:"When an external datastore is used, backup and restore operations are handled outside of K3s. The database administrator will need to back up the external database, or restore it from a snapshot or dump."}),"\n",(0,s.jsx)(t.p,{children:"We recommend configuring the database to take recurring snapshots."}),"\n",(0,s.jsx)(t.p,{children:"For details on taking database snapshots and restoring your database from them, refer to the official database documentation:"}),"\n",(0,s.jsxs)(t.ul,{children:["\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.a,{href:"https://dev.mysql.com/doc/refman/8.0/en/replication-snapshot-method.html",children:"Official MySQL documentation"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.a,{href:"https://www.postgresql.org/docs/8.3/backup-dump.html",children:"Official PostgreSQL documentation"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.a,{href:"https://etcd.io/docs/latest/op-guide/recovery/",children:"Official etcd documentation"})}),"\n"]}),"\n",(0,s.jsx)(t.h2,{id:"backup-and-restore-with-embedded-etcd-datastore",children:"Backup and Restore with Embedded etcd Datastore"}),"\n",(0,s.jsxs)(t.p,{children:["See the ",(0,s.jsxs)(t.a,{href:"/cli/etcd-snapshot",children:[(0,s.jsx)(t.code,{children:"k3s etcd-snapshot"})," command documentation"]})," for information on performing backup and restore operations on the embedded etcd datastore."]})]})}function h(e={}){const{wrapper:t}={...(0,r.a)(),...e.components};return t?(0,s.jsx)(t,{...e,children:(0,s.jsx)(l,{...e})}):l(e)}},1151:(e,t,a)=>{a.d(t,{Z:()=>d,a:()=>o});var s=a(7294);const r={},n=s.createContext(r);function o(e){const t=s.useContext(n);return s.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function d(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:o(e.components),s.createElement(n.Provider,{value:t},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/ba3a957c.7539050d.js b/assets/js/ba3a957c.7539050d.js new file mode 100644 index 000000000..c83a71714 --- /dev/null +++ b/assets/js/ba3a957c.7539050d.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[8776],{615:(e,t,a)=>{a.r(t),a.d(t,{assets:()=>i,contentTitle:()=>o,default:()=>h,frontMatter:()=>n,metadata:()=>d,toc:()=>c});var s=a(5893),r=a(1151);const n={title:"Backup and Restore"},o=void 0,d={id:"datastore/backup-restore",title:"Backup and Restore",description:"The way K3s is backed up and restored depends on which type of datastore is used.",source:"@site/docs/datastore/backup-restore.md",sourceDirName:"datastore",slug:"/datastore/backup-restore",permalink:"/datastore/backup-restore",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/datastore/backup-restore.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Backup and Restore"},sidebar:"mySidebar",previous:{title:"Cluster Datastore",permalink:"/datastore/"},next:{title:"High Availability Embedded etcd",permalink:"/datastore/ha-embedded"}},i={},c=[{value:"Backup and Restore with SQLite",id:"backup-and-restore-with-sqlite",level:2},{value:"Backup and Restore with External Datastore",id:"backup-and-restore-with-external-datastore",level:2},{value:"Backup and Restore with Embedded etcd Datastore",id:"backup-and-restore-with-embedded-etcd-datastore",level:2}];function l(e){const t={a:"a",admonition:"admonition",code:"code",h2:"h2",li:"li",p:"p",ul:"ul",...(0,r.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(t.p,{children:"The way K3s is backed up and restored depends on which type of datastore is used."}),"\n",(0,s.jsx)(t.admonition,{type:"warning",children:(0,s.jsxs)(t.p,{children:["In addition to backing up the datastore itself, you must also back up the server token file at ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/token"}),".\nYou must restore this file, or pass its value into the ",(0,s.jsx)(t.code,{children:"--token"})," option, when restoring from backup.\nIf you do not use the same token value when restoring, the snapshot will be unusable, as the token is used to encrypt confidential data within the datastore itself."]})}),"\n",(0,s.jsx)(t.h2,{id:"backup-and-restore-with-sqlite",children:"Backup and Restore with SQLite"}),"\n",(0,s.jsx)(t.p,{children:"No special commands are required to back up or restore the SQLite datastore."}),"\n",(0,s.jsxs)(t.ul,{children:["\n",(0,s.jsxs)(t.li,{children:["To back up the SQLite datastore, take a copy of ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/db/"}),"."]}),"\n",(0,s.jsxs)(t.li,{children:["To restore the SQLite datastore, restore the contents of ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/db"})," (and the token, as discussed above)."]}),"\n"]}),"\n",(0,s.jsx)(t.h2,{id:"backup-and-restore-with-external-datastore",children:"Backup and Restore with External Datastore"}),"\n",(0,s.jsx)(t.p,{children:"When an external datastore is used, backup and restore operations are handled outside of K3s. The database administrator will need to back up the external database, or restore it from a snapshot or dump."}),"\n",(0,s.jsx)(t.p,{children:"We recommend configuring the database to take recurring snapshots."}),"\n",(0,s.jsx)(t.p,{children:"For details on taking database snapshots and restoring your database from them, refer to the official database documentation:"}),"\n",(0,s.jsxs)(t.ul,{children:["\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.a,{href:"https://dev.mysql.com/doc/refman/8.0/en/replication-snapshot-method.html",children:"Official MySQL documentation"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.a,{href:"https://www.postgresql.org/docs/8.3/backup-dump.html",children:"Official PostgreSQL documentation"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.a,{href:"https://etcd.io/docs/latest/op-guide/recovery/",children:"Official etcd documentation"})}),"\n"]}),"\n",(0,s.jsx)(t.h2,{id:"backup-and-restore-with-embedded-etcd-datastore",children:"Backup and Restore with Embedded etcd Datastore"}),"\n",(0,s.jsxs)(t.p,{children:["See the ",(0,s.jsxs)(t.a,{href:"/cli/etcd-snapshot",children:[(0,s.jsx)(t.code,{children:"k3s etcd-snapshot"})," command documentation"]})," for information on performing backup and restore operations on the embedded etcd datastore."]})]})}function h(e={}){const{wrapper:t}={...(0,r.a)(),...e.components};return t?(0,s.jsx)(t,{...e,children:(0,s.jsx)(l,{...e})}):l(e)}},1151:(e,t,a)=>{a.d(t,{Z:()=>d,a:()=>o});var s=a(7294);const r={},n=s.createContext(r);function o(e){const t=s.useContext(n);return s.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function d(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:o(e.components),s.createElement(n.Provider,{value:t},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/d123a91e.2fe3a155.js b/assets/js/d123a91e.2fe3a155.js deleted file mode 100644 index 3ce2c77aa..000000000 --- a/assets/js/d123a91e.2fe3a155.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[855],{5418:(e,s,t)=>{t.r(s),t.d(s,{assets:()=>c,contentTitle:()=>l,default:()=>o,frontMatter:()=>i,metadata:()=>h,toc:()=>d});var r=t(5893),n=t(1151);const i={hide_table_of_contents:!0,sidebar_position:7},l="v1.24.X",h={id:"release-notes/v1.24.X",title:"v1.24.X",description:"Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.",source:"@site/docs/release-notes/v1.24.X.md",sourceDirName:"release-notes",slug:"/release-notes/v1.24.X",permalink:"/release-notes/v1.24.X",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/release-notes/v1.24.X.md",tags:[],version:"current",lastUpdatedAt:172365169e4,sidebarPosition:7,frontMatter:{hide_table_of_contents:!0,sidebar_position:7},sidebar:"mySidebar",previous:{title:"v1.25.X",permalink:"/release-notes/v1.25.X"},next:{title:"Related Projects",permalink:"/related-projects"}},c={},d=[{value:"Release v1.24.17+k3s1",id:"release-v12417k3s1",level:2},{value:"Changes since v1.24.16+k3s1:",id:"changes-since-v12416k3s1",level:3},{value:"Release v1.24.16+k3s1",id:"release-v12416k3s1",level:2},{value:"Changes since v1.24.14+k3s1:",id:"changes-since-v12414k3s1",level:3},{value:"Release v1.24.15+k3s1",id:"release-v12415k3s1",level:2},{value:"Changes since v1.24.14+k3s1:",id:"changes-since-v12414k3s1-1",level:3},{value:"Release v1.24.14+k3s1",id:"release-v12414k3s1",level:2},{value:"Changes since v1.24.13+k3s1:",id:"changes-since-v12413k3s1",level:3},{value:"Release v1.24.13+k3s1",id:"release-v12413k3s1",level:2},{value:"Changes since v1.24.12+k3s1:",id:"changes-since-v12412k3s1",level:3},{value:"Release v1.24.12+k3s1",id:"release-v12412k3s1",level:2},{value:"Changes since v1.24.11+k3s1:",id:"changes-since-v12411k3s1",level:3},{value:"Release v1.24.11+k3s1",id:"release-v12411k3s1",level:2},{value:"Changes since v1.24.10+k3s1:",id:"changes-since-v12410k3s1",level:3},{value:"Release v1.24.10+k3s1",id:"release-v12410k3s1",level:2},{value:"Changes since v1.24.9+k3s2:",id:"changes-since-v1249k3s2",level:3},{value:"Release v1.24.9+k3s2",id:"release-v1249k3s2",level:2},{value:"Changes since v1.24.9+k3s1:",id:"changes-since-v1249k3s1",level:3},{value:"Release v1.24.9+k3s1",id:"release-v1249k3s1",level:2},{value:"\u26a0\ufe0f WARNING",id:"\ufe0f-warning",level:2},{value:"Changes since v1.24.8+k3s1:",id:"changes-since-v1248k3s1",level:3},{value:"Release v1.24.8+k3s1",id:"release-v1248k3s1",level:2},{value:"Changes since v1.24.7+k3s1:",id:"changes-since-v1247k3s1",level:3},{value:"Release v1.24.7+k3s1",id:"release-v1247k3s1",level:2},{value:"Changes since v1.24.6+k3s1:",id:"changes-since-v1246k3s1",level:3},{value:"Release v1.24.6+k3s1",id:"release-v1246k3s1",level:2},{value:"Changes since v1.24.4+k3s1:",id:"changes-since-v1244k3s1",level:3},{value:"Release v1.24.4+k3s1",id:"release-v1244k3s1",level:2},{value:"Changes since v1.24.3+k3s1:",id:"changes-since-v1243k3s1",level:3},{value:"Release v1.24.3+k3s1",id:"release-v1243k3s1",level:2},{value:"Changes since v1.24.2+k3s2:",id:"changes-since-v1242k3s2",level:3},{value:"Release v1.24.2+k3s2",id:"release-v1242k3s2",level:2},{value:"Changes since v1.24.2+k3s1:",id:"changes-since-v1242k3s1",level:3},{value:"Release v1.24.2+k3s1",id:"release-v1242k3s1",level:2},{value:"Changes since v1.24.1+k3s1:",id:"changes-since-v1241k3s1",level:3},{value:"Release v1.24.1+k3s1",id:"release-v1241k3s1",level:2},{value:"Changes since v1.24.0+k3s1:",id:"changes-since-v1240k3s1",level:3}];function a(e){const s={a:"a",admonition:"admonition",blockquote:"blockquote",code:"code",h1:"h1",h2:"h2",h3:"h3",hr:"hr",li:"li",p:"p",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,n.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(s.h1,{id:"v124x",children:"v1.24.X"}),"\n",(0,r.jsx)(s.admonition,{title:"Upgrade Notice",type:"warning",children:(0,r.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]})}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Version"}),(0,r.jsx)(s.th,{children:"Release date"}),(0,r.jsx)(s.th,{children:"Kubernetes"}),(0,r.jsx)(s.th,{children:"Kine"}),(0,r.jsx)(s.th,{children:"SQLite"}),(0,r.jsx)(s.th,{children:"Etcd"}),(0,r.jsx)(s.th,{children:"Containerd"}),(0,r.jsx)(s.th,{children:"Runc"}),(0,r.jsx)(s.th,{children:"Flannel"}),(0,r.jsx)(s.th,{children:"Metrics-server"}),(0,r.jsx)(s.th,{children:"Traefik"}),(0,r.jsx)(s.th,{children:"CoreDNS"}),(0,r.jsx)(s.th,{children:"Helm-controller"}),(0,r.jsx)(s.th,{children:"Local-path-provisioner"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.24.X#release-v12417k3s1",children:"v1.24.17+k3s1"})}),(0,r.jsx)(s.td,{children:"Sep 05 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v12417",children:"v1.24.17"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.2",children:"v0.10.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.3-k3s1",children:"v1.7.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.3-k3s1.23",children:"v0.21.3-k3s1.23"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.24.X#release-v12416k3s1",children:"v1.24.16+k3s1"})}),(0,r.jsx)(s.td,{children:"Jul 27 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v12416",children:"v1.24.16"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.3-k3s1.23",children:"v0.21.3-k3s1.23"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.2",children:"v0.15.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.24.X#release-v12415k3s1",children:"v1.24.15+k3s1"})}),(0,r.jsx)(s.td,{children:"Jun 26 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v12415",children:"v1.24.15"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.3-k3s1.23",children:"v0.21.3-k3s1.23"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.0",children:"v0.15.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.24.X#release-v12414k3s1",children:"v1.24.14+k3s1"})}),(0,r.jsx)(s.td,{children:"May 26 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v12414",children:"v1.24.14"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.3-k3s1.23",children:"v0.21.3-k3s1.23"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.14.0",children:"v0.14.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.24.X#release-v12413k3s1",children:"v1.24.13+k3s1"})}),(0,r.jsx)(s.td,{children:"Apr 20 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v12413",children:"v1.24.13"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.19-k3s1",children:"v1.6.19-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.5",children:"v1.1.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.3-k3s1.23",children:"v0.21.3-k3s1.23"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.3",children:"v0.13.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.24.X#release-v12412k3s1",children:"v1.24.12+k3s1"})}),(0,r.jsx)(s.td,{children:"Mar 27 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v12412",children:"v1.24.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.19-k3s1",children:"v1.6.19-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.3-k3s1.23",children:"v0.21.3-k3s1.23"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.24.X#release-v12411k3s1",children:"v1.24.11+k3s1"})}),(0,r.jsx)(s.td,{children:"Mar 10 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v12411",children:"v1.24.11"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.15-k3s1",children:"v1.6.15-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.1-k3s1.23",children:"v0.21.1-k3s1.23"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.24.X#release-v12410k3s1",children:"v1.24.10+k3s1"})}),(0,r.jsx)(s.td,{children:"Jan 26 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v12410",children:"v1.24.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.6",children:"v0.9.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.15-k3s1",children:"v1.6.15-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.2-k3s1.23",children:"v0.20.2-k3s1.23"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.24.X#release-v1249k3s2",children:"v1.24.9+k3s2"})}),(0,r.jsx)(s.td,{children:"Jan 11 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v1249",children:"v1.24.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.6",children:"v0.9.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.14-k3s1",children:"v1.6.14-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.2-k3s1.23",children:"v0.20.2-k3s1.23"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.24.X#release-v1249k3s1",children:"v1.24.9+k3s1"})}),(0,r.jsx)(s.td,{children:"Dec 20 2022"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v1249",children:"v1.24.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.6",children:"v0.9.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.12-k3s1",children:"v1.6.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.2-k3s1.23",children:"v0.20.2-k3s1.23"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.24.X#release-v1248k3s1",children:"v1.24.8+k3s1"})}),(0,r.jsx)(s.td,{children:"Nov 18 2022"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v1248",children:"v1.24.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.6",children:"v0.9.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.8-k3s1",children:"v1.6.8-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.1-k3s1.23",children:"v0.20.1-k3s1.23"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.1",children:"v0.6.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.0",children:"v0.13.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.24.X#release-v1247k3s1",children:"v1.24.7+k3s1"})}),(0,r.jsx)(s.td,{children:"Oct 25 2022"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v1247",children:"v1.24.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.3",children:"v0.9.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_36_0.html",children:"3.36.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.8-k3s1",children:"v1.6.8-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.19.2",children:"v0.19.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.1",children:"v0.6.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.1",children:"v2.9.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.1",children:"v1.9.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.12.3",children:"v0.12.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.21",children:"v0.0.21"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.24.X#release-v1246k3s1",children:"v1.24.6+k3s1"})}),(0,r.jsx)(s.td,{children:"Sep 28 2022"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v1246",children:"v1.24.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.3",children:"v0.9.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_36_0.html",children:"3.36.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.8-k3s1",children:"v1.6.8-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.19.2",children:"v0.19.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.5.2",children:"v0.5.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.6.2",children:"v2.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.1",children:"v1.9.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.12.3",children:"v0.12.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.21",children:"v0.0.21"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.24.X#release-v1244k3s1",children:"v1.24.4+k3s1"})}),(0,r.jsx)(s.td,{children:"Aug 25 2022"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v1244",children:"v1.24.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.3",children:"v0.9.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_36_0.html",children:"3.36.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.5.13-k3s1",children:"v1.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.3",children:"v1.1.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.19.1",children:"v0.19.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.5.2",children:"v0.5.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.6.2",children:"v2.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.1",children:"v1.9.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.12.3",children:"v0.12.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.21",children:"v0.0.21"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.24.X#release-v1243k3s1",children:"v1.24.3+k3s1"})}),(0,r.jsx)(s.td,{children:"Jul 19 2022"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v1243",children:"v1.24.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.3",children:"v0.9.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_36_0.html",children:"3.36.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.5.13-k3s1",children:"v1.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.3",children:"v1.1.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.18.1",children:"v0.18.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.5.2",children:"v0.5.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.6.2",children:"v2.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.1",children:"v1.9.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.12.3",children:"v0.12.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.21",children:"v0.0.21"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.24.X#release-v1242k3s2",children:"v1.24.2+k3s2"})}),(0,r.jsx)(s.td,{children:"Jul 06 2022"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v1242",children:"v1.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.3",children:"v0.9.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_36_0.html",children:"3.36.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.5.13-k3s1",children:"v1.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.2",children:"v1.1.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.18.1",children:"v0.18.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.5.2",children:"v0.5.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.6.2",children:"v2.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.1",children:"v1.9.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.12.3",children:"v0.12.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.21",children:"v0.0.21"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.24.X#release-v1242k3s1",children:"v1.24.2+k3s1"})}),(0,r.jsx)(s.td,{children:"Jun 27 2022"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v1242",children:"v1.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.1",children:"v0.9.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_36_0.html",children:"3.36.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.6-k3s1",children:"v1.6.6-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.2",children:"v1.1.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.18.1",children:"v0.18.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.5.2",children:"v0.5.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.6.2",children:"v2.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.1",children:"v1.9.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.12.3",children:"v0.12.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.21",children:"v0.0.21"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.24.X#release-v1241k3s1",children:"v1.24.1+k3s1"})}),(0,r.jsx)(s.td,{children:"Jun 11 2022"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v1241",children:"v1.24.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.1",children:"v0.9.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_36_0.html",children:"3.36.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.5.11-k3s1",children:"v1.5.11-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.1",children:"v1.1.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.17.0",children:"v0.17.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.5.2",children:"v0.5.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.6.2",children:"v2.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.1",children:"v1.9.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.12.1",children:"v0.12.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.21",children:"v0.0.21"})})]})]})]}),"\n",(0,r.jsx)("br",{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12417k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.17+k3s1",children:"v1.24.17+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.17, and fixes a number of issues."}),"\n",(0,r.jsx)(s.admonition,{title:"IMPORTANT",type:"warning",children:(0,r.jsxs)(s.p,{children:["This release includes support for remediating CVE-2023-32187, a potential Denial of Service attack vector on K3s servers. See ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2",children:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2"})," for more information, including mandatory steps necessary to harden clusters against this vulnerability."]})}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v12416",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12416k3s1",children:"Changes since v1.24.16+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update cni plugins version to v1.3.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8087",children:"(#8087)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Etcd snapshots retention when node name changes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8124",children:"(#8124)"})]}),"\n",(0,r.jsxs)(s.li,{children:["August Test Backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8128",children:"(#8128)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2023-08 release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8135",children:"(#8135)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"K3s's external apiserver listener now declines to add to its certificate any subject names not associated with the kubernetes apiserver service, server nodes, or values of the --tls-san option. This prevents the certificate's SAN list from being filled with unwanted entries."}),"\n",(0,r.jsxs)(s.li,{children:["K3s no longer enables the apiserver's ",(0,r.jsx)(s.code,{children:"enable-aggregator-routing"})," flag when the egress proxy is not being used to route connections to in-cluster endpoints."]}),"\n",(0,r.jsx)(s.li,{children:"Updated the embedded containerd to v1.7.3+k3s1"}),"\n",(0,r.jsx)(s.li,{children:"Updated the embedded runc to v1.1.8"}),"\n",(0,r.jsxs)(s.li,{children:["User-provided containerd config templates may now use ",(0,r.jsx)(s.code,{children:'{{ template "base" . }}'})," to include the default K3s template content. This makes it easier to maintain user configuration if the only need is to add additional sections to the file."]}),"\n",(0,r.jsx)(s.li,{children:"Bump docker/docker module version to fix issues with cri-dockerd caused by recent releases of golang rejecting invalid host headers sent by the docker client."}),"\n",(0,r.jsx)(s.li,{children:"Updated kine to v0.10.2"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["K3s etcd-snapshot delete fail to delete local file when called with s3 flag ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8146",children:"(#8146)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix for cluster-reset backup from s3 when etcd snapshots are disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8168",children:"(#8168)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fixed the etcd retention to delete orphaned snapshots based on the date ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8191",children:"(#8191)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Additional backports for 2023-08 release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8214",children:"(#8214)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The version of ",(0,r.jsx)(s.code,{children:"helm"})," used by the bundled helm controller's job image has been updated to v3.12.3"]}),"\n",(0,r.jsx)(s.li,{children:"Bumped dynamiclistener to address an issue that could cause the apiserver/supervisor listener on 6443 to stop serving requests on etcd-only nodes."}),"\n",(0,r.jsx)(s.li,{children:"The K3s external apiserver/supervisor listener on 6443 now sends a complete certificate chain in the TLS handshake."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix runc version bump ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8243",children:"(#8243)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.17 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8240",children:"(#8240)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add new CLI flag to enable TLS SAN CN filtering ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8260",children:"(#8260)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Added a new ",(0,r.jsx)(s.code,{children:"--tls-san-security"})," option. This flag defaults to false, but can be set to true to disable automatically adding SANs to the server's TLS certificate to satisfy any hostname requested by a client."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add RWMutex to address controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8276",children:"(#8276)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12416k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.16+k3s1",children:"v1.24.16+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.16, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v12415",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12414k3s1",children:"Changes since v1.24.14+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix code spell check ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7861",children:"(#7861)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove file_windows.go ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7857",children:"(#7857)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow k3s to customize apiServerPort on helm-controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7872",children:"(#7872)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix rootless node password ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7899",children:"(#7899)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2023-07 release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7910",children:"(#7910)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Resolved an issue that caused agents joined with kubeadm-style bootstrap tokens to fail to rejoin the cluster when their node object is deleted."}),"\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"k3s certificate rotate-ca"})," command now supports the data-dir flag."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Adding cli to custom klipper helm image ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7916",children:"(#7916)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The default helm-controller job image can now be overridden with the --helm-job-image CLI flag"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Generation of certs and keys for etcd gated if etcd is disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7946",children:"(#7946)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Don't use zgrep in ",(0,r.jsx)(s.code,{children:"check-config"})," if apparmor profile is enforced ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7955",children:"(#7955)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix image_scan.sh script and download trivy version (#7950) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7970",children:"(#7970)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Adjust default kubeconfig file permissions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7985",children:"(#7985)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.16 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8023",children:"(#8023)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12415k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.15+k3s1",children:"v1.24.15+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.15, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v12414",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12414k3s1-1",children:"Changes since v1.24.14+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["E2E Backports - June ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7726",children:"(#7726)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Shortcircuit commands with version or help flags #7683"}),"\n",(0,r.jsx)(s.li,{children:"Add Rotation certification Check, remove func to restart agents #7097"}),"\n",(0,r.jsx)(s.li,{children:"E2E: Sudo for RunCmdOnNode #7686"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix spelling check ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7753",children:"(#7753)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backport version bumps and bugfixes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7719",children:"(#7719)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The bundled metrics-server has been bumped to v0.6.3, and now uses only secure TLS ciphers by default."}),"\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"coredns-custom"})," ConfigMap now allows for ",(0,r.jsx)(s.code,{children:"*.override"})," sections to be included in the ",(0,r.jsx)(s.code,{children:".:53"})," default server block."]}),"\n",(0,r.jsx)(s.li,{children:"The K3s core controllers (supervisor, deploy, and helm) no longer use the admin kubeconfig. This makes it easier to determine from access and audit logs which actions are performed by the system, and which are performed by an administrative user."}),"\n",(0,r.jsx)(s.li,{children:"Bumped klipper-lb image to v0.4.4 to resolve an issue that prevented access to ServiceLB ports from localhost when the Service ExternalTrafficPolicy was set to Local."}),"\n",(0,r.jsx)(s.li,{children:"Make LB image configurable when compiling k3s"}),"\n",(0,r.jsx)(s.li,{children:"K3s now allows nodes to join the cluster even if the node password secret cannot be created at the time the node joins. The secret create will be retried in the background. This resolves a potential deadlock created by fail-closed validating webhooks that block secret creation, where the webhook is unavailable until new nodes join the cluster to run the webhook pod."}),"\n",(0,r.jsx)(s.li,{children:"The bundled containerd's aufs/devmapper/zfs snapshotter plugins have been restored. These were unintentionally omitted when moving containerd back into the k3s multicall binary in the previous release."}),"\n",(0,r.jsx)(s.li,{children:"The embedded helm controller has been bumped to v0.15.0, and now supports creating the chart's target namespace if it does not exist."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Remove unused libvirt config ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7759",children:"(#7759)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add format command on Makefile ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7764",children:"(#7764)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.24.15 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7785",children:"(#7785)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12414k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.14+k3s1",children:"v1.24.14+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.14, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v12413",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12413k3s1",children:"Changes since v1.24.13+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add E2E testing in Drone ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7376",children:"(#7376)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add integration tests for etc-snapshot server flags ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7379",children:"(#7379)"})]}),"\n",(0,r.jsxs)(s.li,{children:["CLI + Config Enhancement ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7407",children:"(#7407)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--Tls-sans"})," now accepts multiple arguments: ",(0,r.jsx)(s.code,{children:'--tls-sans="foo,bar"'})]}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"Prefer-bundled-bin: true"})," now works properly when set in ",(0,r.jsx)(s.code,{children:"config.yaml.d"})," files"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Migrate netutil methods into /utils/net.go ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7435",children:"(#7435)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Runc + Containerd + Docker for CVE fixes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7453",children:"(#7453)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump kube-router version to fix a bug when a port name is used ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7462",children:"(#7462)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Kube flags and longhorn tests 1.24 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7467",children:"(#7467)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Local-storage: Fix permission ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7472",children:"(#7472)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backport version bumps and bugfixes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7516",children:"(#7516)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:'K3s now retries the cluster join operation when receiving a "too many learners" error from etcd. This most frequently occurred when attempting to add multiple servers at the same time.'}),"\n",(0,r.jsx)(s.li,{children:"K3s once again supports aarch64 nodes with page size > 4k"}),"\n",(0,r.jsx)(s.li,{children:"The packaged Traefik version has been bumped to v2.9.10 / chart 21.2.0"}),"\n",(0,r.jsxs)(s.li,{children:["K3s now prints a more meaningful error when attempting to run from a filesystem mounted ",(0,r.jsx)(s.code,{children:"noexec"}),"."]}),"\n",(0,r.jsxs)(s.li,{children:["K3s now exits with a proper error message when the server token uses a bootstrap token ",(0,r.jsx)(s.code,{children:"id.secret"})," format."]}),"\n",(0,r.jsx)(s.li,{children:"Fixed an issue where Addon, HelmChart, and HelmChartConfig CRDs were created without structural schema, allowing the creation of custom resources of these types with invalid content."}),"\n",(0,r.jsx)(s.li,{children:"Servers started with the (experimental) --disable-agent flag no longer attempt to run the tunnel authorizer agent component."}),"\n",(0,r.jsx)(s.li,{children:"Fixed an regression that prevented the pod and cluster egress-selector modes from working properly."}),"\n",(0,r.jsx)(s.li,{children:"K3s now correctly passes through etcd-args to the temporary etcd that is used to extract cluster bootstrap data when restarting managed etcd nodes."}),"\n",(0,r.jsx)(s.li,{children:"K3s now properly handles errors obtaining the current etcd cluster member list when a new server is joining the managed etcd cluster."}),"\n",(0,r.jsxs)(s.li,{children:["The embedded kine version has been bumped to v0.10.1. This replaces the legacy ",(0,r.jsx)(s.code,{children:"lib/pq"})," postgres driver with ",(0,r.jsx)(s.code,{children:"pgx"}),"."]}),"\n",(0,r.jsx)(s.li,{children:"The bundled CNI plugins have been upgraded to v1.2.0-k3s1. The bandwidth and firewall plugins are now included in the bundle."}),"\n",(0,r.jsx)(s.li,{children:"The embedded Helm controller now supports authenticating to chart repositories via credentials stored in a Secret, as well as passing repo CAs via ConfigMap."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd/runc to v1.7.1-k3s1/v1.1.7 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7536",children:"(#7536)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The bundled containerd and runc versions have been bumped to v1.7.1-k3s1/v1.1.7"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Wrap error stating that it is coming from netpol ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7549",children:"(#7549)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.14-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7577",children:"(#7577)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12413k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.13+k3s1",children:"v1.24.13+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.13, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v12412",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12412k3s1",children:"Changes since v1.24.12+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Enhance ",(0,r.jsx)(s.code,{children:"check-config"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7165",children:"(#7165)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove deprecated nodeSelector label beta.kubernetes.io/os (#6970) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7122",children:"(#7122)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backport version bumps and bugfixes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7229",children:"(#7229)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The bundled local-path-provisioner version has been bumped to v0.0.24"}),"\n",(0,r.jsx)(s.li,{children:"The bundled runc version has been bumped to v1.1.5"}),"\n",(0,r.jsx)(s.li,{children:"The bundled coredns version has been bumped to v1.10.1"}),"\n",(0,r.jsx)(s.li,{children:"When using an external datastore, K3s now locks the bootstrap key while creating initial cluster bootstrap data, preventing a race condition when multiple servers attempted to initialize the cluster simultaneously."}),"\n",(0,r.jsx)(s.li,{children:"The client load-balancer that maintains connections to active server nodes now closes connections to servers when they are removed from the cluster. This ensures that agent components immediately reconnect to a current cluster member."}),"\n",(0,r.jsx)(s.li,{children:"Fixed a race condition during cluster reset that could cause the operation to hang and time out."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Updated kube-router to move the default ACCEPT rule at the end of the chain ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7222",children:"(#7222)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded kube-router controller has been updated to fix a regression that caused traffic from pods to be blocked by any default drop/deny rules present on the host. Users should still confirm that any externally-managed firewall rules explicitly allow traffic to/from pod and service networks, but this returns the old behavior that was relied upon by some users."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update klipper lb and helm-controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7241",children:"(#7241)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kube-router ACCEPT rule insertion and install script to clean rules before start ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7277",children:"(#7277)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded kube-router controller has been updated to fix a regression that caused traffic from pods to be blocked by any default drop/deny rules present on the host. Users should still confirm that any externally-managed firewall rules explicitly allow traffic to/from pod and service networks, but this returns the old behavior that was relied upon by some users."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.13-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7284",children:"(#7284)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12412k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.12+k3s1",children:"v1.24.12+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.12, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v12411",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12411k3s1",children:"Changes since v1.24.11+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update flannel and kube-router ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7063",children:"(#7063)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump various dependencies for CVEs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7042",children:"(#7042)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Enable dependabot ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7046",children:"(#7046)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Wait for kubelet port to be ready before setting ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7065",children:"(#7065)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The agent tunnel authorizer now waits for the kubelet to be ready before reading the kubelet port from the node object."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Improve support for rotating the default self-signed certs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7080",children:"(#7080)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"k3s certificate rotate-ca"})," checks now support rotating self-signed certificates without the ",(0,r.jsx)(s.code,{children:"--force"})," option."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Adds a warning about editing to the containerd config.toml file ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7076",children:"(#7076)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.12-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7105",children:"(#7105)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12411k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.11+k3s1",children:"v1.24.11+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.11, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v12410",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12410k3s1",children:"Changes since v1.24.10+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add jitter to scheduled snapshots and retry harder on conflicts ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6783",children:"(#6783)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Scheduled etcd snapshots are now offset by a short random delay of up to several seconds. This should prevent multi-server clusters from executing pathological behavior when attempting to simultaneously update the snapshot list ConfigMap. The snapshot controller will also be more persistent in attempting to update the snapshot list."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump cri-dockerd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6799",children:"(#6799)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded cri-dockerd has been updated to v0.3.1"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bugfix: do not break cert-manager when pprof is enabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6838",children:"(#6838)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump vagrant boxes to fedora37 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6859",children:"(#6859)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix cronjob example ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6865",children:"(#6865)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Ensure flag type consistency ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6868",children:"(#6868)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Wait for cri-dockerd socket ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6854",children:"(#6854)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Consolidate E2E tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6888",children:"(#6888)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Ignore value conflicts when reencrypting secrets ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6918",children:"(#6918)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow ServiceLB to honor ",(0,r.jsx)(s.code,{children:"ExternalTrafficPolicy=Local"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6908",children:"(#6908)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"ServiceLB now honors the Service's ExternalTrafficPolicy. When set to Local, the LoadBalancer will only advertise addresses of Nodes with a Pod for the Service, and will not forward traffic to other cluster members."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Use default address family when adding kubernetes service address to SAN list ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6905",children:"(#6905)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The apiserver advertised address and IP SAN entry are now set correctly on clusters that use IPv6 as the default IP family."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue with servicelb startup failure when validating webhooks block creation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6920",children:"(#6920)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded cloud controller manager will no longer attempt to unconditionally re-create its namespace and serviceaccount on startup. This resolves an issue that could cause a deadlocked cluster when fail-closed webhooks are in use."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Backport user-provided CA cert and ",(0,r.jsx)(s.code,{children:"kubeadm"})," bootstrap token support ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6930",children:"(#6930)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["K3s now functions properly when the cluster CA certificates are signed by an existing root or intermediate CA. You can find a sample script for generating such certificates before K3s starts in the github repo at ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/blob/master/contrib/util/certs.sh",children:"contrib/util/certs.sh"}),"."]}),"\n",(0,r.jsxs)(s.li,{children:["K3s now supports ",(0,r.jsx)(s.code,{children:"kubeadm"})," style join tokens. ",(0,r.jsx)(s.code,{children:"k3s token create"})," now creates join token secrets, optionally with a limited TTL."]}),"\n",(0,r.jsx)(s.li,{children:"K3s agents joined with an expired or deleted token stay in the cluster using existing client certificates via the NodeAuthorization admission plugin, unless their Node object is deleted from the cluster."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix access to hostNetwork port on NodeIP when egress-selector-mode=agent ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6937",children:"(#6937)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed an issue that would cause the apiserver egress proxy to attempt to use the agent tunnel to connect to service endpoints even in agent or disabled mode."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update flannel to v0.21.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6925",children:"(#6925)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow for multiple sets of leader-elected controllers ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6942",children:"(#6942)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed an issue where leader-elected controllers for managed etcd did not run on etcd-only nodes"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix etcd and ca-cert rotate issues ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6955",children:"(#6955)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix ServiceLB dual-stack ingress IP listing ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6988",children:"(#6988)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Resolved an issue with ServiceLB that would cause it to advertise node IPv6 addresses, even if the cluster or service was not enabled for dual-stack operation."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump kine to v0.9.9 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6976",children:"(#6976)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The embedded kine version has been bumped to v0.9.9. Compaction log messages are now omitted at ",(0,r.jsx)(s.code,{children:"info"})," level for increased visibility."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.11-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7009",children:"(#7009)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12410k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.10+k3s1",children:"v1.24.10+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.10+k3s1, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v1249",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1249k3s2",children:"Changes since v1.24.9+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Pass through default tls-cipher-suites ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6731",children:"(#6731)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The K3s default cipher suites are now explicitly passed in to kube-apiserver, ensuring that all listeners use these values."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd to v1.6.15-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6736",children:"(#6736)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded containerd version has been bumped to v1.6.15-k3s1"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump action/download-artifact to v3 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6748",children:"(#6748)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1249k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.9+k3s2",children:"v1.24.9+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates containerd to v1.6.14 to resolve an issue where pods would lose their CNI information when containerd was restarted."}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1249k3s1",children:"Changes since v1.24.9+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Backport missing E2E test commits ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6616",children:"(#6616)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd to v1.6.14-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6695",children:"(#6695)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The embedded containerd version has been bumped to v1.6.14-k3s1. This includes a backported fix for ",(0,r.jsx)(s.a,{href:"https://github.com/containerd/containerd/issues/7843",children:"containerd/7843"})," which caused pods to lose their CNI info when containerd was restarted, which in turn caused the kubelet to recreate the pod."]}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1249k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.9+k3s1",children:"v1.24.9+k3s1"})]}),"\n",(0,r.jsxs)(s.blockquote,{children:["\n",(0,r.jsx)(s.h2,{id:"\ufe0f-warning",children:"\u26a0\ufe0f WARNING"}),"\n",(0,r.jsxs)(s.p,{children:["This release is affected by ",(0,r.jsx)(s.a,{href:"https://github.com/containerd/containerd/issues/7843",children:"https://github.com/containerd/containerd/issues/7843"}),", which causes the kubelet to restart all pods whenever K3s is restarted. For this reason, we have removed this K3s release from the channel server. Please use ",(0,r.jsx)(s.code,{children:"v1.24.9+k3s2"})," instead."]}),"\n"]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.9, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:[(0,r.jsx)(s.strong,{children:"Breaking Change:"})," K3s no longer includes ",(0,r.jsx)(s.code,{children:"swanctl"})," and ",(0,r.jsx)(s.code,{children:"charon"})," binaries. If you are using the ipsec flannel backend, please ensure that the strongswan ",(0,r.jsx)(s.code,{children:"swanctl"})," and ",(0,r.jsx)(s.code,{children:"charon"})," packages are installed on your node before upgrading K3s to this release."]}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v1248",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1248k3s1",children:"Changes since v1.24.8+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Remove stuff which belongs in the windows executor implementation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6502",children:"(#6502)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Github CI Updates ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6535",children:"(#6535)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix log for flannelExternalIP use case ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6540",children:"(#6540)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Switch from Google Buckets to AWS S3 Buckets ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6570",children:"(#6570)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Change secrets-encryption flag to GA ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6591",children:"(#6591)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update flannel to v0.20.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6589",children:"(#6589)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2022-12 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6599",children:"(#6599)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Added new prefer-bundled-bin flag which force K3s to use its bundle binaries over that of the host tools"}),"\n",(0,r.jsx)(s.li,{children:"The embedded containerd version has been updated to v1.6.10-k3s1"}),"\n",(0,r.jsxs)(s.li,{children:["The rootless ",(0,r.jsx)(s.code,{children:"port-driver"}),", ",(0,r.jsx)(s.code,{children:"cidr"}),", ",(0,r.jsx)(s.code,{children:"mtu"}),", ",(0,r.jsx)(s.code,{children:"enable-ipv6"}),", and ",(0,r.jsx)(s.code,{children:"disable-host-loopback"})," settings can now be configured via environment variables."]}),"\n",(0,r.jsxs)(s.li,{children:["The embedded Load-Balancer controller image has been bumped to klipper-lb",":v0",".4.0, which includes support for the ",(0,r.jsx)(s.a,{href:"https://kubernetes.io/docs/reference/kubernetes-api/service-resources/service-v1/#:~:text=loadBalancerSourceRanges",children:"LoadBalancerSourceRanges"})," field."]}),"\n",(0,r.jsxs)(s.li,{children:["The embedded Helm controller image has been bumped to klipper-helm",":v0",".7.4-build20221121"]}),"\n",(0,r.jsxs)(s.li,{children:["The embedded cloud-controller-manager's metrics listener on port 10258 is now disabled when the ",(0,r.jsx)(s.code,{children:"--disable-cloud-controller"})," flag is set."]}),"\n",(0,r.jsx)(s.li,{children:"Deployments for K3s packaged components now have consistent upgrade strategy and revisionHistoryLimit settings, and will not override scaling decisions by hardcoding the replica count."}),"\n",(0,r.jsx)(s.li,{children:"The packaged metrics-server has been bumped to v0.6.2"}),"\n",(0,r.jsx)(s.li,{children:"The embedded k3s-root version has been bumped to v0.12.0, based on buildroot 2022.08.1."}),"\n",(0,r.jsxs)(s.li,{children:["The embedded swanctl and charon binaries have been removed. If you are using the ipsec flannel backend, please ensure that the strongswan ",(0,r.jsx)(s.code,{children:"swanctl"})," and ",(0,r.jsx)(s.code,{children:"charon"})," packages are installed on your node before upgrading k3s."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update node12->node16 based GH actions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6595",children:"(#6595)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.9-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6623",children:"(#6623)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd to v1.6.12-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6630",children:"(#6630)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded containerd version has been bumped to v1.6.12"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Preload iptable_filter/ip6table_filter ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6647",children:"(#6647)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1248k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.8+k3s1",children:"v1.24.8+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.8, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v1247",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1247k3s1",children:"Changes since v1.24.7+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add the gateway parameter in netplan ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6341",children:"(#6341)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add a netpol test for podSelector & ingress type ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6348",children:"(#6348)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Upgrade kube-router to v1.5.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6356",children:"(#6356)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump install tests OS images ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6379",children:"(#6379)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add test for node-external-ip config parameter ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6363",children:"(#6363)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Flannel to v0.20.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6418",children:"(#6418)"})]}),"\n",(0,r.jsx)(s.li,{children:"Backports for 2022-11"}),"\n",(0,r.jsx)(s.li,{children:"The packaged traefik helm chart has been bumped to v19.0.0, enabling ingressclass support by default."}),"\n",(0,r.jsx)(s.li,{children:"The packaged local-path-provisioner has been bumped to v0.0.23"}),"\n",(0,r.jsx)(s.li,{children:"The packaged coredns has been bumped to v1.9.4"}),"\n",(0,r.jsx)(s.li,{children:"Fix incorrect defer usage"}),"\n",(0,r.jsx)(s.li,{children:"The bundled traefik has been updated to v2.9.4 / helm chart v18.3.0"}),"\n",(0,r.jsx)(s.li,{children:"Use debugger-friendly compile settings if debug is set"}),"\n",(0,r.jsx)(s.li,{children:"Add test for node-external-ip config parameter"}),"\n",(0,r.jsx)(s.li,{children:"Convert containerd config.toml.tmpl linux template to v2 syntax"}),"\n",(0,r.jsx)(s.li,{children:"Replace fedora-coreos with fedora 36 for install tests"}),"\n",(0,r.jsx)(s.li,{children:"Fixed an issue that would prevent the deploy controller from handling manifests that include resource types that are no longer supported by the apiserver."}),"\n",(0,r.jsx)(s.li,{children:"The embedded helm controller has been bumped to v0.13.0"}),"\n",(0,r.jsx)(s.li,{children:"The bundled traefik helm chart has been updated to v18.0.0"}),"\n",(0,r.jsx)(s.li,{children:"Add hardened cluster and upgrade tests"}),"\n",(0,r.jsxs)(s.li,{children:["Bump kine to v0.9.6 / sqlite3 v3.39.2 (",(0,r.jsx)(s.a,{href:"https://nvd.nist.gov/vuln/detail/cve-2022-35737",children:"cve-2022-35737"}),")"]}),"\n",(0,r.jsxs)(s.li,{children:["Bumped dynamiclistener library to v0.3.5 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6411",children:"(#6411)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add some helping logs to avoid wrong configs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6432",children:"(#6432)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Change the priority of address types depending on flannel-external-ip ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6434",children:"(#6434)"})]}),"\n",(0,r.jsxs)(s.li,{children:["log kube-router version when starting netpol controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6439",children:"(#6439)"})]}),"\n",(0,r.jsxs)(s.li,{children:["K3s now indicates specifically which cluster-level configuration flags are out of sync when critical configuration differs between server nodes. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6446",children:"(#6446)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Pull traefik helm chart directly from GH ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6469",children:"(#6469)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.8 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6479",children:"(#6479)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The packaged traefik helm chart has been bumped to 19.0.4 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6495",children:"(#6495)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Move traefik chart repo again ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6509",children:"(#6509)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1247k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.7+k3s1",children:"v1.24.7+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.7, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["The K3s ",(0,r.jsx)(s.a,{href:"https://docs.k3s.io/security/hardening-guide",children:"CIS Hardening Guide"})," has been updated to include configuration changes required to support embedding ServiceLB in the cloud controller manager. If you have followed the hardening guide, please update your policies and RBAC in accordingly."]}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v1246",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1246k3s1",children:"Changes since v1.24.6+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add flannel-external-ip when there is a k3s node-external-ip ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6189",children:"(#6189)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2022-10 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6227",children:"(#6227)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded metrics-server version has been bumped to v0.6.1"}),"\n",(0,r.jsx)(s.li,{children:"The ServiceLB (klipper-lb) service controller is now integrated into the K3s stub cloud controller manager."}),"\n",(0,r.jsx)(s.li,{children:"Events recorded to the cluster by embedded controllers are now properly formatted in the service logs."}),"\n",(0,r.jsxs)(s.li,{children:["Fixed an issue with the apiserver network proxy that caused ",(0,r.jsx)(s.code,{children:"kubectl exec"})," to occasionally fail with ",(0,r.jsx)(s.code,{children:"error dialing backend: EOF"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fixed an issue with the apiserver network proxy that caused ",(0,r.jsx)(s.code,{children:"kubectl exec"})," and ",(0,r.jsx)(s.code,{children:"kubectl logs"})," to fail when a custom kubelet port was used, and the custom port was blocked by firewall or security group rules."]}),"\n",(0,r.jsx)(s.li,{children:"The embedded Traefik version has been bumped to v2.9.1 / chart 12.0.0"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Replace deprecated ioutil package ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6235",children:"(#6235)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix dualStack test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6250",children:"(#6250)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.7-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6270",children:"(#6270)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add ServiceAccount for svclb pods ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6276",children:"(#6276)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Return ProviderID in URI format ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6287",children:"(#6287)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Corrected CCM RBAC to allow for removal of legacy service finalizer during upgrades. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6307",children:"(#6307)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added a new --flannel-external-ip flag. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6322",children:"(#6322)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"When enabled, Flannel traffic will now use the nodes external IPs, instead of internal."}),"\n",(0,r.jsx)(s.li,{children:"This is meant for use with distributed clusters that are not all on the same local network."}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1246k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.6+k3s1",children:"v1.24.6+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.6, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v1244",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1244k3s1",children:"Changes since v1.24.4+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Remove ",(0,r.jsx)(s.code,{children:"--containerd"})," flag from windows kubelet args ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6028",children:"(#6028)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Mark v1.24.4+k3s1 as stable ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6036",children:"(#6036)"})]}),"\n",(0,r.jsxs)(s.li,{children:["E2E: Add support for CentOS 7 and Rocky 8 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6015",children:"(#6015)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Convert install tests to run PR build of k3s ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6003",children:"(#6003)"})]}),"\n",(0,r.jsxs)(s.li,{children:["CI: update Fedora 34 -> 35 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5996",children:"(#5996)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix dualStack test and change ipv6 network prefix ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6023",children:"(#6023)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix e2e tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6018",children:"(#6018)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Flannel version to fix older iptables version issue. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6088",children:"(#6088)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The bundled version of runc has been bumped to v1.1.4 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6072",children:"(#6072)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The embedded containerd version has been bumped to v1.6.8-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6079",children:"(#6079)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bulk Backport of Testing Changes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6085",children:"(#6085)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add validation check to confirm correct golang version for Kubernetes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6113",children:"(#6113)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.5 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6143",children:"(#6143)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.6-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6164",children:"(#6164)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1244k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.4+k3s1",children:"v1.24.4+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.4, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["This release restores use of the ",(0,r.jsx)(s.code,{children:"--docker"})," flag to the v1.24 branch. See ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/blob/master/docs/adrs/cri-dockerd.md",children:"docs/adrs/cri-dockerd.md"})," for more information."]}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v1243",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1243k3s1",children:"Changes since v1.24.3+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Put the terraform tests into their own packages and cleanup the test runs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5861",children:"(#5861)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bumped rootlesskit to v1.0.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5773",children:"(#5773)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The initial health-check time for the etcd datastore has been raised from 10 to 30 seconds. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5882",children:"(#5882)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fixed a regression that caused systemd cgroup driver autoconfiguration to fail on server nodes. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5851",children:"(#5851)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The embedded network policy controller has been updated to kube-router v1.5.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5789",children:"(#5789)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The configured service CIDR is now passed to the Kubernetes controller-manager via the ",(0,r.jsx)(s.code,{children:"--service-cluster-ip-range"})," flag. Previously this value was only passed to the apiserver. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5894",children:"(#5894)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Updated dynamiclistener to fix a regression that prevented certificate renewal from working properly. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5896",children:"(#5896)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Promote v1.24.3+k3s1 to stable ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5889",children:"(#5889)"})]}),"\n",(0,r.jsxs)(s.li,{children:["ADR: Depreciating and Removing Old Flags ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5890",children:"(#5890)"})]}),"\n",(0,r.jsxs)(s.li,{children:["K3s no longer sets containerd's ",(0,r.jsx)(s.code,{children:"enable_unprivileged_icmp"})," and ",(0,r.jsx)(s.code,{children:"enable_unprivileged_ports"})," options on kernels that do not support them. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5913",children:"(#5913)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The etcd error on incorrect peer urls now correctly includes the expected https and 2380 port. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5909",children:"(#5909)"})]}),"\n",(0,r.jsxs)(s.li,{children:["When set, the agent-token value is now written to ",(0,r.jsx)(s.code,{children:"$datadir/server/agent-token"}),", in the same manner as the default (server) token is written to ",(0,r.jsx)(s.code,{children:"$datadir/server/token"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5906",children:"(#5906)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Deprecated flags now warn of their v1.25 removal ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5937",children:"(#5937)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix secrets reencryption for clusters with 8K+ secrets ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5936",children:"(#5936)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bumped minio-go to v7.0.33. This adds support for IMDSv2 credentials. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5928",children:"(#5928)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Upgrade GH Actions macos-10.15 to macos-12 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5953",children:"(#5953)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added dualstack IP auto detection ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5920",children:"(#5920)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"--docker"})," flag has been restored to k3s, as a shortcut to enabling embedded cri-dockerd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5916",children:"(#5916)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update MAINTAINERS with new folks and departures ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5948",children:"(#5948)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Removing checkbox indicating backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5947",children:"(#5947)"})]}),"\n",(0,r.jsxs)(s.li,{children:["fix checkError in terraform/testutils ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5893",children:"(#5893)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add scripts to run e2e test using ansible ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5134",children:"(#5134)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Updated flannel to v0.19.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5962",children:"(#5962)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update run scripts ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5979",children:"(#5979)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Convert install/cgroup tests to yaml based config ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5992",children:"(#5992)"})]}),"\n",(0,r.jsxs)(s.li,{children:["E2E: Local cluster testing ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5977",children:"(#5977)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add nightly install github action ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5998",children:"(#5998)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Convert codespell from Drone to GH actions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6004",children:"(#6004)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.4 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6014",children:"(#6014)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1243k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.3+k3s1",children:"v1.24.3+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.3, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v1242",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1242k3s2",children:"Changes since v1.24.2+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Updated rancher/remotedialer to address a potential memory leak. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5784",children:"(#5784)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The embedded runc binary has been bumped to v1.1.3 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5783",children:"(#5783)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fixed a regression that caused some containerd labels to be empty in cadvisor pod metrics ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5812",children:"(#5812)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Replace dapper testing with regular docker ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5805",children:"(#5805)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Promote v1.23.8+k3s2 to stable ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5814",children:"(#5814)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fixed an issue that would cause etcd restore to fail when restoring a snapshot made with secrets encryption enabled if the --secrets-encryption command was not included in the config file or restore command. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5817",children:"(#5817)"})]}),"\n",(0,r.jsx)(s.li,{children:"Fix deletion of svclb DaemonSet when Service is deleted"}),"\n",(0,r.jsxs)(s.li,{children:["Fixed a regression that caused ServiceLB DaemonSets to remain present after their corresponding Services were deleted.\r\nManual cleanup of orphaned ",(0,r.jsx)(s.code,{children:"svclb-*"})," DaemonSets from the ",(0,r.jsx)(s.code,{children:"kube-system"})," namespace may be necessary if any LoadBalancer Services were deleted while running an affected release. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5824",children:"(#5824)"})]}),"\n",(0,r.jsx)(s.li,{children:"Address issues with etcd snapshots"}),"\n",(0,r.jsx)(s.li,{children:"Scheduled etcd snapshots are now compressed when snapshot compression is enabled."}),"\n",(0,r.jsx)(s.li,{children:"The default etcd snapshot timeout has been raised to 5 minutes.\r\nOnly one scheduled etcd snapshot will run at a time. If another snapshot would occur while the previous snapshot is still in progress, an error will be logged and the second scheduled snapshot will be skipped."}),"\n",(0,r.jsxs)(s.li,{children:["S3 objects for etcd snapshots are now labeled with the correct content-type when compression is not enabled. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5833",children:"(#5833)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.3 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5870",children:"(#5870)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1242k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.2+k3s2",children:"v1.24.2+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This fixes several issues in the v1.24.2+k3s1 and prior releases."}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1242k3s1",children:"Changes since v1.24.2+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Bumped kine to fix an issue where namespaced lists that included a field-selector on metadata.name would fail to return results when using a sql storage backend. (",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5795",children:"#5795"}),")"]}),"\n",(0,r.jsxs)(s.li,{children:["K3s will no longer log panics after upgrading directly from much older kubernetes releases, or when deploying services with ",(0,r.jsx)(s.code,{children:"type: externalname"}),". (",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5771",children:"#5771"}),")"]}),"\n",(0,r.jsxs)(s.li,{children:["Fixed an issue that prevented ",(0,r.jsx)(s.code,{children:"kubectl logs"})," and other functionality that requires a connection to the agent from working correctly when the server's ",(0,r.jsx)(s.code,{children:"--bind-address"})," flag was used, or when k3s is used behind a http proxy. (",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5780",children:"#5780"}),")"]}),"\n",(0,r.jsxs)(s.li,{children:["Fixed an issue that prevented newer versions of k3s from joining clusters that do not have egress-selector-mode support. (",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5785",children:"#5785"}),")"]}),"\n",(0,r.jsxs)(s.li,{children:["Remove go-powershell dead dependency (",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5777",children:"#5777"}),")"]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1242k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.2+k3s1",children:"v1.24.2+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.2, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v1241",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1241k3s1",children:"Changes since v1.24.1+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Remove kube-ipvs0 interface when cleaning up ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5644",children:"(#5644)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"--flannel-wireguard-mode"})," switch was added to the k3s cli to configure the wireguard tunnel mode with the wireguard native backend ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5552",children:"(#5552)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Introduce the flannelcniconf flag to set the desired flannel cni configuration ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5656",children:"(#5656)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Integration Test: Startup ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5630",children:"(#5630)"})]}),"\n",(0,r.jsxs)(s.li,{children:["E2E Improvements and groundwork for test-pad tool ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5593",children:"(#5593)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update SECURITY.md ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5607",children:"(#5607)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Introduce --enable-pprof flag to optionally run pprof server ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5527",children:"(#5527)"})]}),"\n",(0,r.jsxs)(s.li,{children:["E2E: Dualstack test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5617",children:"(#5617)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Pods created by ServiceLB are now all placed in the ",(0,r.jsx)(s.code,{children:"kube-system"})," namespace, instead of in the same namespace as the Service. This allows for ",(0,r.jsx)(s.a,{href:"https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-namespace-labels/",children:"enforcing Pod Security Standards"})," in user namespaces without breaking ServiceLB. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5657",children:"(#5657)"})]}),"\n",(0,r.jsxs)(s.li,{children:["E2E: testpad prep, add alternate scripts location ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5692",children:"(#5692)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add arm tests and upgrade tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5526",children:"(#5526)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Delay service readiness until after startuphooks have finished ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5649",children:"(#5649)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Disable urfave markdown/man docs generation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5566",children:"(#5566)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The embedded etcd snapshot controller will no longer fail to process snapshot files containing characters that are invalid for use in ConfigMap keys. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5702",children:"(#5702)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Environment variables prefixed with ",(0,r.jsx)(s.code,{children:"CONTAINERD_"})," now take priority over other existing variables, when passed through to containerd. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5706",children:"(#5706)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The embedded etcd instance no longer accepts connections from other nodes while resetting or restoring. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5542",children:"(#5542)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Enable compatibility tests for k3s s390x ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5658",children:"(#5658)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Containerd: Enable enable_unprivileged_ports and enable_unprivileged_\u2026 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5538",children:"(#5538)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The embedded Helm controller now properly updates Chart deployments when HelmChartConfig resources are updated or deleted. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5731",children:"(#5731)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5749",children:"(#5749)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1241k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.1+k3s1",children:"v1.24.1+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.1, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v1240",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1240k3s1",children:"Changes since v1.24.0+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Objects will be removed from Kubernetes when they are removed from manifest files. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5560",children:"(#5560)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove errant unversioned etcd go.mod entry ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5548",children:"(#5548)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Pass the node-ip values to kubelet ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5579",children:"(#5579)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The integrated apiserver network proxy's operational mode can now be set with ",(0,r.jsx)(s.code,{children:"--egress-selector-mode"}),". ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5577",children:"(#5577)"})]}),"\n",(0,r.jsxs)(s.li,{children:["remove dweomer from maintainers ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5582",children:"(#5582)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump dynamiclistener to v0.3.3 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5554",children:"(#5554)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.1-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5616",children:"(#5616)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Re-add ",(0,r.jsx)(s.code,{children:"--cloud-provider=external"})," kubelet arg ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5628",children:"(#5628)"})]}),"\n",(0,r.jsxs)(s.li,{children:['Revert "Give kubelet the node-ip value (#5579)" ',(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5636",children:"(#5636)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{})]})}function o(e={}){const{wrapper:s}={...(0,n.a)(),...e.components};return s?(0,r.jsx)(s,{...e,children:(0,r.jsx)(a,{...e})}):a(e)}},1151:(e,s,t)=>{t.d(s,{Z:()=>h,a:()=>l});var r=t(7294);const n={},i=r.createContext(n);function l(e){const s=r.useContext(i);return r.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function h(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:l(e.components),r.createElement(i.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/d123a91e.5caf1e39.js b/assets/js/d123a91e.5caf1e39.js new file mode 100644 index 000000000..a8b6568c5 --- /dev/null +++ b/assets/js/d123a91e.5caf1e39.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[855],{5418:(e,s,t)=>{t.r(s),t.d(s,{assets:()=>c,contentTitle:()=>l,default:()=>o,frontMatter:()=>i,metadata:()=>h,toc:()=>d});var r=t(5893),n=t(1151);const i={hide_table_of_contents:!0,sidebar_position:7},l="v1.24.X",h={id:"release-notes/v1.24.X",title:"v1.24.X",description:"Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.",source:"@site/docs/release-notes/v1.24.X.md",sourceDirName:"release-notes",slug:"/release-notes/v1.24.X",permalink:"/release-notes/v1.24.X",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/release-notes/v1.24.X.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,sidebarPosition:7,frontMatter:{hide_table_of_contents:!0,sidebar_position:7},sidebar:"mySidebar",previous:{title:"v1.25.X",permalink:"/release-notes/v1.25.X"},next:{title:"Related Projects",permalink:"/related-projects"}},c={},d=[{value:"Release v1.24.17+k3s1",id:"release-v12417k3s1",level:2},{value:"Changes since v1.24.16+k3s1:",id:"changes-since-v12416k3s1",level:3},{value:"Release v1.24.16+k3s1",id:"release-v12416k3s1",level:2},{value:"Changes since v1.24.14+k3s1:",id:"changes-since-v12414k3s1",level:3},{value:"Release v1.24.15+k3s1",id:"release-v12415k3s1",level:2},{value:"Changes since v1.24.14+k3s1:",id:"changes-since-v12414k3s1-1",level:3},{value:"Release v1.24.14+k3s1",id:"release-v12414k3s1",level:2},{value:"Changes since v1.24.13+k3s1:",id:"changes-since-v12413k3s1",level:3},{value:"Release v1.24.13+k3s1",id:"release-v12413k3s1",level:2},{value:"Changes since v1.24.12+k3s1:",id:"changes-since-v12412k3s1",level:3},{value:"Release v1.24.12+k3s1",id:"release-v12412k3s1",level:2},{value:"Changes since v1.24.11+k3s1:",id:"changes-since-v12411k3s1",level:3},{value:"Release v1.24.11+k3s1",id:"release-v12411k3s1",level:2},{value:"Changes since v1.24.10+k3s1:",id:"changes-since-v12410k3s1",level:3},{value:"Release v1.24.10+k3s1",id:"release-v12410k3s1",level:2},{value:"Changes since v1.24.9+k3s2:",id:"changes-since-v1249k3s2",level:3},{value:"Release v1.24.9+k3s2",id:"release-v1249k3s2",level:2},{value:"Changes since v1.24.9+k3s1:",id:"changes-since-v1249k3s1",level:3},{value:"Release v1.24.9+k3s1",id:"release-v1249k3s1",level:2},{value:"\u26a0\ufe0f WARNING",id:"\ufe0f-warning",level:2},{value:"Changes since v1.24.8+k3s1:",id:"changes-since-v1248k3s1",level:3},{value:"Release v1.24.8+k3s1",id:"release-v1248k3s1",level:2},{value:"Changes since v1.24.7+k3s1:",id:"changes-since-v1247k3s1",level:3},{value:"Release v1.24.7+k3s1",id:"release-v1247k3s1",level:2},{value:"Changes since v1.24.6+k3s1:",id:"changes-since-v1246k3s1",level:3},{value:"Release v1.24.6+k3s1",id:"release-v1246k3s1",level:2},{value:"Changes since v1.24.4+k3s1:",id:"changes-since-v1244k3s1",level:3},{value:"Release v1.24.4+k3s1",id:"release-v1244k3s1",level:2},{value:"Changes since v1.24.3+k3s1:",id:"changes-since-v1243k3s1",level:3},{value:"Release v1.24.3+k3s1",id:"release-v1243k3s1",level:2},{value:"Changes since v1.24.2+k3s2:",id:"changes-since-v1242k3s2",level:3},{value:"Release v1.24.2+k3s2",id:"release-v1242k3s2",level:2},{value:"Changes since v1.24.2+k3s1:",id:"changes-since-v1242k3s1",level:3},{value:"Release v1.24.2+k3s1",id:"release-v1242k3s1",level:2},{value:"Changes since v1.24.1+k3s1:",id:"changes-since-v1241k3s1",level:3},{value:"Release v1.24.1+k3s1",id:"release-v1241k3s1",level:2},{value:"Changes since v1.24.0+k3s1:",id:"changes-since-v1240k3s1",level:3}];function a(e){const s={a:"a",admonition:"admonition",blockquote:"blockquote",code:"code",h1:"h1",h2:"h2",h3:"h3",header:"header",hr:"hr",li:"li",p:"p",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,n.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(s.header,{children:(0,r.jsx)(s.h1,{id:"v124x",children:"v1.24.X"})}),"\n",(0,r.jsx)(s.admonition,{title:"Upgrade Notice",type:"warning",children:(0,r.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]})}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Version"}),(0,r.jsx)(s.th,{children:"Release date"}),(0,r.jsx)(s.th,{children:"Kubernetes"}),(0,r.jsx)(s.th,{children:"Kine"}),(0,r.jsx)(s.th,{children:"SQLite"}),(0,r.jsx)(s.th,{children:"Etcd"}),(0,r.jsx)(s.th,{children:"Containerd"}),(0,r.jsx)(s.th,{children:"Runc"}),(0,r.jsx)(s.th,{children:"Flannel"}),(0,r.jsx)(s.th,{children:"Metrics-server"}),(0,r.jsx)(s.th,{children:"Traefik"}),(0,r.jsx)(s.th,{children:"CoreDNS"}),(0,r.jsx)(s.th,{children:"Helm-controller"}),(0,r.jsx)(s.th,{children:"Local-path-provisioner"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.24.X#release-v12417k3s1",children:"v1.24.17+k3s1"})}),(0,r.jsx)(s.td,{children:"Sep 05 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v12417",children:"v1.24.17"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.2",children:"v0.10.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.3-k3s1",children:"v1.7.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.3-k3s1.23",children:"v0.21.3-k3s1.23"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.24.X#release-v12416k3s1",children:"v1.24.16+k3s1"})}),(0,r.jsx)(s.td,{children:"Jul 27 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v12416",children:"v1.24.16"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.3-k3s1.23",children:"v0.21.3-k3s1.23"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.2",children:"v0.15.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.24.X#release-v12415k3s1",children:"v1.24.15+k3s1"})}),(0,r.jsx)(s.td,{children:"Jun 26 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v12415",children:"v1.24.15"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.3-k3s1.23",children:"v0.21.3-k3s1.23"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.0",children:"v0.15.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.24.X#release-v12414k3s1",children:"v1.24.14+k3s1"})}),(0,r.jsx)(s.td,{children:"May 26 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v12414",children:"v1.24.14"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.3-k3s1.23",children:"v0.21.3-k3s1.23"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.14.0",children:"v0.14.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.24.X#release-v12413k3s1",children:"v1.24.13+k3s1"})}),(0,r.jsx)(s.td,{children:"Apr 20 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v12413",children:"v1.24.13"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.19-k3s1",children:"v1.6.19-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.5",children:"v1.1.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.3-k3s1.23",children:"v0.21.3-k3s1.23"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.3",children:"v0.13.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.24.X#release-v12412k3s1",children:"v1.24.12+k3s1"})}),(0,r.jsx)(s.td,{children:"Mar 27 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v12412",children:"v1.24.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.19-k3s1",children:"v1.6.19-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.3-k3s1.23",children:"v0.21.3-k3s1.23"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.24.X#release-v12411k3s1",children:"v1.24.11+k3s1"})}),(0,r.jsx)(s.td,{children:"Mar 10 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v12411",children:"v1.24.11"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.15-k3s1",children:"v1.6.15-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.1-k3s1.23",children:"v0.21.1-k3s1.23"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.24.X#release-v12410k3s1",children:"v1.24.10+k3s1"})}),(0,r.jsx)(s.td,{children:"Jan 26 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v12410",children:"v1.24.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.6",children:"v0.9.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.15-k3s1",children:"v1.6.15-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.2-k3s1.23",children:"v0.20.2-k3s1.23"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.24.X#release-v1249k3s2",children:"v1.24.9+k3s2"})}),(0,r.jsx)(s.td,{children:"Jan 11 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v1249",children:"v1.24.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.6",children:"v0.9.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.14-k3s1",children:"v1.6.14-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.2-k3s1.23",children:"v0.20.2-k3s1.23"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.24.X#release-v1249k3s1",children:"v1.24.9+k3s1"})}),(0,r.jsx)(s.td,{children:"Dec 20 2022"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v1249",children:"v1.24.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.6",children:"v0.9.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.12-k3s1",children:"v1.6.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.2-k3s1.23",children:"v0.20.2-k3s1.23"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.24.X#release-v1248k3s1",children:"v1.24.8+k3s1"})}),(0,r.jsx)(s.td,{children:"Nov 18 2022"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v1248",children:"v1.24.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.6",children:"v0.9.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.8-k3s1",children:"v1.6.8-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.1-k3s1.23",children:"v0.20.1-k3s1.23"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.1",children:"v0.6.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.0",children:"v0.13.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.24.X#release-v1247k3s1",children:"v1.24.7+k3s1"})}),(0,r.jsx)(s.td,{children:"Oct 25 2022"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v1247",children:"v1.24.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.3",children:"v0.9.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_36_0.html",children:"3.36.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.8-k3s1",children:"v1.6.8-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.19.2",children:"v0.19.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.1",children:"v0.6.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.1",children:"v2.9.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.1",children:"v1.9.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.12.3",children:"v0.12.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.21",children:"v0.0.21"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.24.X#release-v1246k3s1",children:"v1.24.6+k3s1"})}),(0,r.jsx)(s.td,{children:"Sep 28 2022"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v1246",children:"v1.24.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.3",children:"v0.9.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_36_0.html",children:"3.36.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.8-k3s1",children:"v1.6.8-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.19.2",children:"v0.19.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.5.2",children:"v0.5.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.6.2",children:"v2.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.1",children:"v1.9.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.12.3",children:"v0.12.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.21",children:"v0.0.21"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.24.X#release-v1244k3s1",children:"v1.24.4+k3s1"})}),(0,r.jsx)(s.td,{children:"Aug 25 2022"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v1244",children:"v1.24.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.3",children:"v0.9.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_36_0.html",children:"3.36.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.5.13-k3s1",children:"v1.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.3",children:"v1.1.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.19.1",children:"v0.19.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.5.2",children:"v0.5.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.6.2",children:"v2.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.1",children:"v1.9.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.12.3",children:"v0.12.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.21",children:"v0.0.21"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.24.X#release-v1243k3s1",children:"v1.24.3+k3s1"})}),(0,r.jsx)(s.td,{children:"Jul 19 2022"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v1243",children:"v1.24.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.3",children:"v0.9.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_36_0.html",children:"3.36.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.5.13-k3s1",children:"v1.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.3",children:"v1.1.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.18.1",children:"v0.18.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.5.2",children:"v0.5.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.6.2",children:"v2.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.1",children:"v1.9.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.12.3",children:"v0.12.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.21",children:"v0.0.21"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.24.X#release-v1242k3s2",children:"v1.24.2+k3s2"})}),(0,r.jsx)(s.td,{children:"Jul 06 2022"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v1242",children:"v1.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.3",children:"v0.9.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_36_0.html",children:"3.36.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.5.13-k3s1",children:"v1.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.2",children:"v1.1.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.18.1",children:"v0.18.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.5.2",children:"v0.5.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.6.2",children:"v2.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.1",children:"v1.9.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.12.3",children:"v0.12.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.21",children:"v0.0.21"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.24.X#release-v1242k3s1",children:"v1.24.2+k3s1"})}),(0,r.jsx)(s.td,{children:"Jun 27 2022"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v1242",children:"v1.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.1",children:"v0.9.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_36_0.html",children:"3.36.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.6-k3s1",children:"v1.6.6-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.2",children:"v1.1.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.18.1",children:"v0.18.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.5.2",children:"v0.5.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.6.2",children:"v2.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.1",children:"v1.9.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.12.3",children:"v0.12.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.21",children:"v0.0.21"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.24.X#release-v1241k3s1",children:"v1.24.1+k3s1"})}),(0,r.jsx)(s.td,{children:"Jun 11 2022"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v1241",children:"v1.24.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.1",children:"v0.9.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_36_0.html",children:"3.36.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.5.11-k3s1",children:"v1.5.11-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.1",children:"v1.1.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.17.0",children:"v0.17.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.5.2",children:"v0.5.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.6.2",children:"v2.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.1",children:"v1.9.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.12.1",children:"v0.12.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.21",children:"v0.0.21"})})]})]})]}),"\n",(0,r.jsx)("br",{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12417k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.17+k3s1",children:"v1.24.17+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.17, and fixes a number of issues."}),"\n",(0,r.jsx)(s.admonition,{title:"IMPORTANT",type:"warning",children:(0,r.jsxs)(s.p,{children:["This release includes support for remediating CVE-2023-32187, a potential Denial of Service attack vector on K3s servers. See ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2",children:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2"})," for more information, including mandatory steps necessary to harden clusters against this vulnerability."]})}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v12416",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12416k3s1",children:"Changes since v1.24.16+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update cni plugins version to v1.3.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8087",children:"(#8087)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Etcd snapshots retention when node name changes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8124",children:"(#8124)"})]}),"\n",(0,r.jsxs)(s.li,{children:["August Test Backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8128",children:"(#8128)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2023-08 release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8135",children:"(#8135)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"K3s's external apiserver listener now declines to add to its certificate any subject names not associated with the kubernetes apiserver service, server nodes, or values of the --tls-san option. This prevents the certificate's SAN list from being filled with unwanted entries."}),"\n",(0,r.jsxs)(s.li,{children:["K3s no longer enables the apiserver's ",(0,r.jsx)(s.code,{children:"enable-aggregator-routing"})," flag when the egress proxy is not being used to route connections to in-cluster endpoints."]}),"\n",(0,r.jsx)(s.li,{children:"Updated the embedded containerd to v1.7.3+k3s1"}),"\n",(0,r.jsx)(s.li,{children:"Updated the embedded runc to v1.1.8"}),"\n",(0,r.jsxs)(s.li,{children:["User-provided containerd config templates may now use ",(0,r.jsx)(s.code,{children:'{{ template "base" . }}'})," to include the default K3s template content. This makes it easier to maintain user configuration if the only need is to add additional sections to the file."]}),"\n",(0,r.jsx)(s.li,{children:"Bump docker/docker module version to fix issues with cri-dockerd caused by recent releases of golang rejecting invalid host headers sent by the docker client."}),"\n",(0,r.jsx)(s.li,{children:"Updated kine to v0.10.2"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["K3s etcd-snapshot delete fail to delete local file when called with s3 flag ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8146",children:"(#8146)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix for cluster-reset backup from s3 when etcd snapshots are disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8168",children:"(#8168)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fixed the etcd retention to delete orphaned snapshots based on the date ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8191",children:"(#8191)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Additional backports for 2023-08 release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8214",children:"(#8214)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The version of ",(0,r.jsx)(s.code,{children:"helm"})," used by the bundled helm controller's job image has been updated to v3.12.3"]}),"\n",(0,r.jsx)(s.li,{children:"Bumped dynamiclistener to address an issue that could cause the apiserver/supervisor listener on 6443 to stop serving requests on etcd-only nodes."}),"\n",(0,r.jsx)(s.li,{children:"The K3s external apiserver/supervisor listener on 6443 now sends a complete certificate chain in the TLS handshake."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix runc version bump ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8243",children:"(#8243)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.17 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8240",children:"(#8240)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add new CLI flag to enable TLS SAN CN filtering ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8260",children:"(#8260)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Added a new ",(0,r.jsx)(s.code,{children:"--tls-san-security"})," option. This flag defaults to false, but can be set to true to disable automatically adding SANs to the server's TLS certificate to satisfy any hostname requested by a client."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add RWMutex to address controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8276",children:"(#8276)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12416k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.16+k3s1",children:"v1.24.16+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.16, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v12415",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12414k3s1",children:"Changes since v1.24.14+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix code spell check ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7861",children:"(#7861)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove file_windows.go ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7857",children:"(#7857)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow k3s to customize apiServerPort on helm-controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7872",children:"(#7872)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix rootless node password ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7899",children:"(#7899)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2023-07 release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7910",children:"(#7910)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Resolved an issue that caused agents joined with kubeadm-style bootstrap tokens to fail to rejoin the cluster when their node object is deleted."}),"\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"k3s certificate rotate-ca"})," command now supports the data-dir flag."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Adding cli to custom klipper helm image ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7916",children:"(#7916)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The default helm-controller job image can now be overridden with the --helm-job-image CLI flag"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Generation of certs and keys for etcd gated if etcd is disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7946",children:"(#7946)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Don't use zgrep in ",(0,r.jsx)(s.code,{children:"check-config"})," if apparmor profile is enforced ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7955",children:"(#7955)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix image_scan.sh script and download trivy version (#7950) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7970",children:"(#7970)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Adjust default kubeconfig file permissions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7985",children:"(#7985)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.16 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8023",children:"(#8023)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12415k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.15+k3s1",children:"v1.24.15+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.15, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v12414",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12414k3s1-1",children:"Changes since v1.24.14+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["E2E Backports - June ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7726",children:"(#7726)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Shortcircuit commands with version or help flags #7683"}),"\n",(0,r.jsx)(s.li,{children:"Add Rotation certification Check, remove func to restart agents #7097"}),"\n",(0,r.jsx)(s.li,{children:"E2E: Sudo for RunCmdOnNode #7686"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix spelling check ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7753",children:"(#7753)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backport version bumps and bugfixes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7719",children:"(#7719)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The bundled metrics-server has been bumped to v0.6.3, and now uses only secure TLS ciphers by default."}),"\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"coredns-custom"})," ConfigMap now allows for ",(0,r.jsx)(s.code,{children:"*.override"})," sections to be included in the ",(0,r.jsx)(s.code,{children:".:53"})," default server block."]}),"\n",(0,r.jsx)(s.li,{children:"The K3s core controllers (supervisor, deploy, and helm) no longer use the admin kubeconfig. This makes it easier to determine from access and audit logs which actions are performed by the system, and which are performed by an administrative user."}),"\n",(0,r.jsx)(s.li,{children:"Bumped klipper-lb image to v0.4.4 to resolve an issue that prevented access to ServiceLB ports from localhost when the Service ExternalTrafficPolicy was set to Local."}),"\n",(0,r.jsx)(s.li,{children:"Make LB image configurable when compiling k3s"}),"\n",(0,r.jsx)(s.li,{children:"K3s now allows nodes to join the cluster even if the node password secret cannot be created at the time the node joins. The secret create will be retried in the background. This resolves a potential deadlock created by fail-closed validating webhooks that block secret creation, where the webhook is unavailable until new nodes join the cluster to run the webhook pod."}),"\n",(0,r.jsx)(s.li,{children:"The bundled containerd's aufs/devmapper/zfs snapshotter plugins have been restored. These were unintentionally omitted when moving containerd back into the k3s multicall binary in the previous release."}),"\n",(0,r.jsx)(s.li,{children:"The embedded helm controller has been bumped to v0.15.0, and now supports creating the chart's target namespace if it does not exist."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Remove unused libvirt config ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7759",children:"(#7759)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add format command on Makefile ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7764",children:"(#7764)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.24.15 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7785",children:"(#7785)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12414k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.14+k3s1",children:"v1.24.14+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.14, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v12413",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12413k3s1",children:"Changes since v1.24.13+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add E2E testing in Drone ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7376",children:"(#7376)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add integration tests for etc-snapshot server flags ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7379",children:"(#7379)"})]}),"\n",(0,r.jsxs)(s.li,{children:["CLI + Config Enhancement ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7407",children:"(#7407)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--Tls-sans"})," now accepts multiple arguments: ",(0,r.jsx)(s.code,{children:'--tls-sans="foo,bar"'})]}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"Prefer-bundled-bin: true"})," now works properly when set in ",(0,r.jsx)(s.code,{children:"config.yaml.d"})," files"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Migrate netutil methods into /utils/net.go ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7435",children:"(#7435)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Runc + Containerd + Docker for CVE fixes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7453",children:"(#7453)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump kube-router version to fix a bug when a port name is used ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7462",children:"(#7462)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Kube flags and longhorn tests 1.24 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7467",children:"(#7467)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Local-storage: Fix permission ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7472",children:"(#7472)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backport version bumps and bugfixes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7516",children:"(#7516)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:'K3s now retries the cluster join operation when receiving a "too many learners" error from etcd. This most frequently occurred when attempting to add multiple servers at the same time.'}),"\n",(0,r.jsx)(s.li,{children:"K3s once again supports aarch64 nodes with page size > 4k"}),"\n",(0,r.jsx)(s.li,{children:"The packaged Traefik version has been bumped to v2.9.10 / chart 21.2.0"}),"\n",(0,r.jsxs)(s.li,{children:["K3s now prints a more meaningful error when attempting to run from a filesystem mounted ",(0,r.jsx)(s.code,{children:"noexec"}),"."]}),"\n",(0,r.jsxs)(s.li,{children:["K3s now exits with a proper error message when the server token uses a bootstrap token ",(0,r.jsx)(s.code,{children:"id.secret"})," format."]}),"\n",(0,r.jsx)(s.li,{children:"Fixed an issue where Addon, HelmChart, and HelmChartConfig CRDs were created without structural schema, allowing the creation of custom resources of these types with invalid content."}),"\n",(0,r.jsx)(s.li,{children:"Servers started with the (experimental) --disable-agent flag no longer attempt to run the tunnel authorizer agent component."}),"\n",(0,r.jsx)(s.li,{children:"Fixed an regression that prevented the pod and cluster egress-selector modes from working properly."}),"\n",(0,r.jsx)(s.li,{children:"K3s now correctly passes through etcd-args to the temporary etcd that is used to extract cluster bootstrap data when restarting managed etcd nodes."}),"\n",(0,r.jsx)(s.li,{children:"K3s now properly handles errors obtaining the current etcd cluster member list when a new server is joining the managed etcd cluster."}),"\n",(0,r.jsxs)(s.li,{children:["The embedded kine version has been bumped to v0.10.1. This replaces the legacy ",(0,r.jsx)(s.code,{children:"lib/pq"})," postgres driver with ",(0,r.jsx)(s.code,{children:"pgx"}),"."]}),"\n",(0,r.jsx)(s.li,{children:"The bundled CNI plugins have been upgraded to v1.2.0-k3s1. The bandwidth and firewall plugins are now included in the bundle."}),"\n",(0,r.jsx)(s.li,{children:"The embedded Helm controller now supports authenticating to chart repositories via credentials stored in a Secret, as well as passing repo CAs via ConfigMap."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd/runc to v1.7.1-k3s1/v1.1.7 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7536",children:"(#7536)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The bundled containerd and runc versions have been bumped to v1.7.1-k3s1/v1.1.7"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Wrap error stating that it is coming from netpol ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7549",children:"(#7549)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.14-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7577",children:"(#7577)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12413k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.13+k3s1",children:"v1.24.13+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.13, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v12412",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12412k3s1",children:"Changes since v1.24.12+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Enhance ",(0,r.jsx)(s.code,{children:"check-config"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7165",children:"(#7165)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove deprecated nodeSelector label beta.kubernetes.io/os (#6970) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7122",children:"(#7122)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backport version bumps and bugfixes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7229",children:"(#7229)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The bundled local-path-provisioner version has been bumped to v0.0.24"}),"\n",(0,r.jsx)(s.li,{children:"The bundled runc version has been bumped to v1.1.5"}),"\n",(0,r.jsx)(s.li,{children:"The bundled coredns version has been bumped to v1.10.1"}),"\n",(0,r.jsx)(s.li,{children:"When using an external datastore, K3s now locks the bootstrap key while creating initial cluster bootstrap data, preventing a race condition when multiple servers attempted to initialize the cluster simultaneously."}),"\n",(0,r.jsx)(s.li,{children:"The client load-balancer that maintains connections to active server nodes now closes connections to servers when they are removed from the cluster. This ensures that agent components immediately reconnect to a current cluster member."}),"\n",(0,r.jsx)(s.li,{children:"Fixed a race condition during cluster reset that could cause the operation to hang and time out."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Updated kube-router to move the default ACCEPT rule at the end of the chain ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7222",children:"(#7222)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded kube-router controller has been updated to fix a regression that caused traffic from pods to be blocked by any default drop/deny rules present on the host. Users should still confirm that any externally-managed firewall rules explicitly allow traffic to/from pod and service networks, but this returns the old behavior that was relied upon by some users."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update klipper lb and helm-controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7241",children:"(#7241)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kube-router ACCEPT rule insertion and install script to clean rules before start ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7277",children:"(#7277)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded kube-router controller has been updated to fix a regression that caused traffic from pods to be blocked by any default drop/deny rules present on the host. Users should still confirm that any externally-managed firewall rules explicitly allow traffic to/from pod and service networks, but this returns the old behavior that was relied upon by some users."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.13-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7284",children:"(#7284)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12412k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.12+k3s1",children:"v1.24.12+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.12, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v12411",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12411k3s1",children:"Changes since v1.24.11+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update flannel and kube-router ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7063",children:"(#7063)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump various dependencies for CVEs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7042",children:"(#7042)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Enable dependabot ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7046",children:"(#7046)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Wait for kubelet port to be ready before setting ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7065",children:"(#7065)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The agent tunnel authorizer now waits for the kubelet to be ready before reading the kubelet port from the node object."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Improve support for rotating the default self-signed certs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7080",children:"(#7080)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"k3s certificate rotate-ca"})," checks now support rotating self-signed certificates without the ",(0,r.jsx)(s.code,{children:"--force"})," option."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Adds a warning about editing to the containerd config.toml file ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7076",children:"(#7076)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.12-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7105",children:"(#7105)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12411k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.11+k3s1",children:"v1.24.11+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.11, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v12410",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12410k3s1",children:"Changes since v1.24.10+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add jitter to scheduled snapshots and retry harder on conflicts ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6783",children:"(#6783)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Scheduled etcd snapshots are now offset by a short random delay of up to several seconds. This should prevent multi-server clusters from executing pathological behavior when attempting to simultaneously update the snapshot list ConfigMap. The snapshot controller will also be more persistent in attempting to update the snapshot list."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump cri-dockerd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6799",children:"(#6799)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded cri-dockerd has been updated to v0.3.1"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bugfix: do not break cert-manager when pprof is enabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6838",children:"(#6838)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump vagrant boxes to fedora37 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6859",children:"(#6859)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix cronjob example ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6865",children:"(#6865)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Ensure flag type consistency ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6868",children:"(#6868)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Wait for cri-dockerd socket ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6854",children:"(#6854)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Consolidate E2E tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6888",children:"(#6888)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Ignore value conflicts when reencrypting secrets ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6918",children:"(#6918)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow ServiceLB to honor ",(0,r.jsx)(s.code,{children:"ExternalTrafficPolicy=Local"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6908",children:"(#6908)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"ServiceLB now honors the Service's ExternalTrafficPolicy. When set to Local, the LoadBalancer will only advertise addresses of Nodes with a Pod for the Service, and will not forward traffic to other cluster members."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Use default address family when adding kubernetes service address to SAN list ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6905",children:"(#6905)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The apiserver advertised address and IP SAN entry are now set correctly on clusters that use IPv6 as the default IP family."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue with servicelb startup failure when validating webhooks block creation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6920",children:"(#6920)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded cloud controller manager will no longer attempt to unconditionally re-create its namespace and serviceaccount on startup. This resolves an issue that could cause a deadlocked cluster when fail-closed webhooks are in use."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Backport user-provided CA cert and ",(0,r.jsx)(s.code,{children:"kubeadm"})," bootstrap token support ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6930",children:"(#6930)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["K3s now functions properly when the cluster CA certificates are signed by an existing root or intermediate CA. You can find a sample script for generating such certificates before K3s starts in the github repo at ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/blob/master/contrib/util/certs.sh",children:"contrib/util/certs.sh"}),"."]}),"\n",(0,r.jsxs)(s.li,{children:["K3s now supports ",(0,r.jsx)(s.code,{children:"kubeadm"})," style join tokens. ",(0,r.jsx)(s.code,{children:"k3s token create"})," now creates join token secrets, optionally with a limited TTL."]}),"\n",(0,r.jsx)(s.li,{children:"K3s agents joined with an expired or deleted token stay in the cluster using existing client certificates via the NodeAuthorization admission plugin, unless their Node object is deleted from the cluster."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix access to hostNetwork port on NodeIP when egress-selector-mode=agent ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6937",children:"(#6937)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed an issue that would cause the apiserver egress proxy to attempt to use the agent tunnel to connect to service endpoints even in agent or disabled mode."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update flannel to v0.21.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6925",children:"(#6925)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow for multiple sets of leader-elected controllers ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6942",children:"(#6942)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed an issue where leader-elected controllers for managed etcd did not run on etcd-only nodes"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix etcd and ca-cert rotate issues ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6955",children:"(#6955)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix ServiceLB dual-stack ingress IP listing ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6988",children:"(#6988)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Resolved an issue with ServiceLB that would cause it to advertise node IPv6 addresses, even if the cluster or service was not enabled for dual-stack operation."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump kine to v0.9.9 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6976",children:"(#6976)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The embedded kine version has been bumped to v0.9.9. Compaction log messages are now omitted at ",(0,r.jsx)(s.code,{children:"info"})," level for increased visibility."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.11-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7009",children:"(#7009)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12410k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.10+k3s1",children:"v1.24.10+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.10+k3s1, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v1249",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1249k3s2",children:"Changes since v1.24.9+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Pass through default tls-cipher-suites ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6731",children:"(#6731)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The K3s default cipher suites are now explicitly passed in to kube-apiserver, ensuring that all listeners use these values."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd to v1.6.15-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6736",children:"(#6736)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded containerd version has been bumped to v1.6.15-k3s1"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump action/download-artifact to v3 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6748",children:"(#6748)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1249k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.9+k3s2",children:"v1.24.9+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates containerd to v1.6.14 to resolve an issue where pods would lose their CNI information when containerd was restarted."}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1249k3s1",children:"Changes since v1.24.9+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Backport missing E2E test commits ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6616",children:"(#6616)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd to v1.6.14-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6695",children:"(#6695)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The embedded containerd version has been bumped to v1.6.14-k3s1. This includes a backported fix for ",(0,r.jsx)(s.a,{href:"https://github.com/containerd/containerd/issues/7843",children:"containerd/7843"})," which caused pods to lose their CNI info when containerd was restarted, which in turn caused the kubelet to recreate the pod."]}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1249k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.9+k3s1",children:"v1.24.9+k3s1"})]}),"\n",(0,r.jsxs)(s.blockquote,{children:["\n",(0,r.jsx)(s.h2,{id:"\ufe0f-warning",children:"\u26a0\ufe0f WARNING"}),"\n",(0,r.jsxs)(s.p,{children:["This release is affected by ",(0,r.jsx)(s.a,{href:"https://github.com/containerd/containerd/issues/7843",children:"https://github.com/containerd/containerd/issues/7843"}),", which causes the kubelet to restart all pods whenever K3s is restarted. For this reason, we have removed this K3s release from the channel server. Please use ",(0,r.jsx)(s.code,{children:"v1.24.9+k3s2"})," instead."]}),"\n"]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.9, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:[(0,r.jsx)(s.strong,{children:"Breaking Change:"})," K3s no longer includes ",(0,r.jsx)(s.code,{children:"swanctl"})," and ",(0,r.jsx)(s.code,{children:"charon"})," binaries. If you are using the ipsec flannel backend, please ensure that the strongswan ",(0,r.jsx)(s.code,{children:"swanctl"})," and ",(0,r.jsx)(s.code,{children:"charon"})," packages are installed on your node before upgrading K3s to this release."]}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v1248",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1248k3s1",children:"Changes since v1.24.8+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Remove stuff which belongs in the windows executor implementation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6502",children:"(#6502)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Github CI Updates ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6535",children:"(#6535)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix log for flannelExternalIP use case ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6540",children:"(#6540)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Switch from Google Buckets to AWS S3 Buckets ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6570",children:"(#6570)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Change secrets-encryption flag to GA ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6591",children:"(#6591)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update flannel to v0.20.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6589",children:"(#6589)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2022-12 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6599",children:"(#6599)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Added new prefer-bundled-bin flag which force K3s to use its bundle binaries over that of the host tools"}),"\n",(0,r.jsx)(s.li,{children:"The embedded containerd version has been updated to v1.6.10-k3s1"}),"\n",(0,r.jsxs)(s.li,{children:["The rootless ",(0,r.jsx)(s.code,{children:"port-driver"}),", ",(0,r.jsx)(s.code,{children:"cidr"}),", ",(0,r.jsx)(s.code,{children:"mtu"}),", ",(0,r.jsx)(s.code,{children:"enable-ipv6"}),", and ",(0,r.jsx)(s.code,{children:"disable-host-loopback"})," settings can now be configured via environment variables."]}),"\n",(0,r.jsxs)(s.li,{children:["The embedded Load-Balancer controller image has been bumped to klipper-lb",":v0",".4.0, which includes support for the ",(0,r.jsx)(s.a,{href:"https://kubernetes.io/docs/reference/kubernetes-api/service-resources/service-v1/#:~:text=loadBalancerSourceRanges",children:"LoadBalancerSourceRanges"})," field."]}),"\n",(0,r.jsxs)(s.li,{children:["The embedded Helm controller image has been bumped to klipper-helm",":v0",".7.4-build20221121"]}),"\n",(0,r.jsxs)(s.li,{children:["The embedded cloud-controller-manager's metrics listener on port 10258 is now disabled when the ",(0,r.jsx)(s.code,{children:"--disable-cloud-controller"})," flag is set."]}),"\n",(0,r.jsx)(s.li,{children:"Deployments for K3s packaged components now have consistent upgrade strategy and revisionHistoryLimit settings, and will not override scaling decisions by hardcoding the replica count."}),"\n",(0,r.jsx)(s.li,{children:"The packaged metrics-server has been bumped to v0.6.2"}),"\n",(0,r.jsx)(s.li,{children:"The embedded k3s-root version has been bumped to v0.12.0, based on buildroot 2022.08.1."}),"\n",(0,r.jsxs)(s.li,{children:["The embedded swanctl and charon binaries have been removed. If you are using the ipsec flannel backend, please ensure that the strongswan ",(0,r.jsx)(s.code,{children:"swanctl"})," and ",(0,r.jsx)(s.code,{children:"charon"})," packages are installed on your node before upgrading k3s."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update node12->node16 based GH actions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6595",children:"(#6595)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.9-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6623",children:"(#6623)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd to v1.6.12-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6630",children:"(#6630)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded containerd version has been bumped to v1.6.12"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Preload iptable_filter/ip6table_filter ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6647",children:"(#6647)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1248k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.8+k3s1",children:"v1.24.8+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.8, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v1247",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1247k3s1",children:"Changes since v1.24.7+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add the gateway parameter in netplan ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6341",children:"(#6341)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add a netpol test for podSelector & ingress type ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6348",children:"(#6348)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Upgrade kube-router to v1.5.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6356",children:"(#6356)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump install tests OS images ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6379",children:"(#6379)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add test for node-external-ip config parameter ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6363",children:"(#6363)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Flannel to v0.20.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6418",children:"(#6418)"})]}),"\n",(0,r.jsx)(s.li,{children:"Backports for 2022-11"}),"\n",(0,r.jsx)(s.li,{children:"The packaged traefik helm chart has been bumped to v19.0.0, enabling ingressclass support by default."}),"\n",(0,r.jsx)(s.li,{children:"The packaged local-path-provisioner has been bumped to v0.0.23"}),"\n",(0,r.jsx)(s.li,{children:"The packaged coredns has been bumped to v1.9.4"}),"\n",(0,r.jsx)(s.li,{children:"Fix incorrect defer usage"}),"\n",(0,r.jsx)(s.li,{children:"The bundled traefik has been updated to v2.9.4 / helm chart v18.3.0"}),"\n",(0,r.jsx)(s.li,{children:"Use debugger-friendly compile settings if debug is set"}),"\n",(0,r.jsx)(s.li,{children:"Add test for node-external-ip config parameter"}),"\n",(0,r.jsx)(s.li,{children:"Convert containerd config.toml.tmpl linux template to v2 syntax"}),"\n",(0,r.jsx)(s.li,{children:"Replace fedora-coreos with fedora 36 for install tests"}),"\n",(0,r.jsx)(s.li,{children:"Fixed an issue that would prevent the deploy controller from handling manifests that include resource types that are no longer supported by the apiserver."}),"\n",(0,r.jsx)(s.li,{children:"The embedded helm controller has been bumped to v0.13.0"}),"\n",(0,r.jsx)(s.li,{children:"The bundled traefik helm chart has been updated to v18.0.0"}),"\n",(0,r.jsx)(s.li,{children:"Add hardened cluster and upgrade tests"}),"\n",(0,r.jsxs)(s.li,{children:["Bump kine to v0.9.6 / sqlite3 v3.39.2 (",(0,r.jsx)(s.a,{href:"https://nvd.nist.gov/vuln/detail/cve-2022-35737",children:"cve-2022-35737"}),")"]}),"\n",(0,r.jsxs)(s.li,{children:["Bumped dynamiclistener library to v0.3.5 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6411",children:"(#6411)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add some helping logs to avoid wrong configs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6432",children:"(#6432)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Change the priority of address types depending on flannel-external-ip ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6434",children:"(#6434)"})]}),"\n",(0,r.jsxs)(s.li,{children:["log kube-router version when starting netpol controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6439",children:"(#6439)"})]}),"\n",(0,r.jsxs)(s.li,{children:["K3s now indicates specifically which cluster-level configuration flags are out of sync when critical configuration differs between server nodes. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6446",children:"(#6446)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Pull traefik helm chart directly from GH ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6469",children:"(#6469)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.8 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6479",children:"(#6479)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The packaged traefik helm chart has been bumped to 19.0.4 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6495",children:"(#6495)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Move traefik chart repo again ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6509",children:"(#6509)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1247k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.7+k3s1",children:"v1.24.7+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.7, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["The K3s ",(0,r.jsx)(s.a,{href:"https://docs.k3s.io/security/hardening-guide",children:"CIS Hardening Guide"})," has been updated to include configuration changes required to support embedding ServiceLB in the cloud controller manager. If you have followed the hardening guide, please update your policies and RBAC in accordingly."]}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v1246",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1246k3s1",children:"Changes since v1.24.6+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add flannel-external-ip when there is a k3s node-external-ip ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6189",children:"(#6189)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2022-10 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6227",children:"(#6227)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded metrics-server version has been bumped to v0.6.1"}),"\n",(0,r.jsx)(s.li,{children:"The ServiceLB (klipper-lb) service controller is now integrated into the K3s stub cloud controller manager."}),"\n",(0,r.jsx)(s.li,{children:"Events recorded to the cluster by embedded controllers are now properly formatted in the service logs."}),"\n",(0,r.jsxs)(s.li,{children:["Fixed an issue with the apiserver network proxy that caused ",(0,r.jsx)(s.code,{children:"kubectl exec"})," to occasionally fail with ",(0,r.jsx)(s.code,{children:"error dialing backend: EOF"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fixed an issue with the apiserver network proxy that caused ",(0,r.jsx)(s.code,{children:"kubectl exec"})," and ",(0,r.jsx)(s.code,{children:"kubectl logs"})," to fail when a custom kubelet port was used, and the custom port was blocked by firewall or security group rules."]}),"\n",(0,r.jsx)(s.li,{children:"The embedded Traefik version has been bumped to v2.9.1 / chart 12.0.0"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Replace deprecated ioutil package ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6235",children:"(#6235)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix dualStack test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6250",children:"(#6250)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.7-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6270",children:"(#6270)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add ServiceAccount for svclb pods ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6276",children:"(#6276)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Return ProviderID in URI format ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6287",children:"(#6287)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Corrected CCM RBAC to allow for removal of legacy service finalizer during upgrades. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6307",children:"(#6307)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added a new --flannel-external-ip flag. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6322",children:"(#6322)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"When enabled, Flannel traffic will now use the nodes external IPs, instead of internal."}),"\n",(0,r.jsx)(s.li,{children:"This is meant for use with distributed clusters that are not all on the same local network."}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1246k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.6+k3s1",children:"v1.24.6+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.6, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v1244",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1244k3s1",children:"Changes since v1.24.4+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Remove ",(0,r.jsx)(s.code,{children:"--containerd"})," flag from windows kubelet args ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6028",children:"(#6028)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Mark v1.24.4+k3s1 as stable ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6036",children:"(#6036)"})]}),"\n",(0,r.jsxs)(s.li,{children:["E2E: Add support for CentOS 7 and Rocky 8 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6015",children:"(#6015)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Convert install tests to run PR build of k3s ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6003",children:"(#6003)"})]}),"\n",(0,r.jsxs)(s.li,{children:["CI: update Fedora 34 -> 35 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5996",children:"(#5996)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix dualStack test and change ipv6 network prefix ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6023",children:"(#6023)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix e2e tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6018",children:"(#6018)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Flannel version to fix older iptables version issue. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6088",children:"(#6088)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The bundled version of runc has been bumped to v1.1.4 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6072",children:"(#6072)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The embedded containerd version has been bumped to v1.6.8-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6079",children:"(#6079)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bulk Backport of Testing Changes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6085",children:"(#6085)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add validation check to confirm correct golang version for Kubernetes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6113",children:"(#6113)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.5 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6143",children:"(#6143)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.6-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6164",children:"(#6164)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1244k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.4+k3s1",children:"v1.24.4+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.4, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["This release restores use of the ",(0,r.jsx)(s.code,{children:"--docker"})," flag to the v1.24 branch. See ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/blob/master/docs/adrs/cri-dockerd.md",children:"docs/adrs/cri-dockerd.md"})," for more information."]}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v1243",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1243k3s1",children:"Changes since v1.24.3+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Put the terraform tests into their own packages and cleanup the test runs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5861",children:"(#5861)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bumped rootlesskit to v1.0.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5773",children:"(#5773)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The initial health-check time for the etcd datastore has been raised from 10 to 30 seconds. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5882",children:"(#5882)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fixed a regression that caused systemd cgroup driver autoconfiguration to fail on server nodes. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5851",children:"(#5851)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The embedded network policy controller has been updated to kube-router v1.5.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5789",children:"(#5789)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The configured service CIDR is now passed to the Kubernetes controller-manager via the ",(0,r.jsx)(s.code,{children:"--service-cluster-ip-range"})," flag. Previously this value was only passed to the apiserver. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5894",children:"(#5894)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Updated dynamiclistener to fix a regression that prevented certificate renewal from working properly. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5896",children:"(#5896)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Promote v1.24.3+k3s1 to stable ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5889",children:"(#5889)"})]}),"\n",(0,r.jsxs)(s.li,{children:["ADR: Depreciating and Removing Old Flags ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5890",children:"(#5890)"})]}),"\n",(0,r.jsxs)(s.li,{children:["K3s no longer sets containerd's ",(0,r.jsx)(s.code,{children:"enable_unprivileged_icmp"})," and ",(0,r.jsx)(s.code,{children:"enable_unprivileged_ports"})," options on kernels that do not support them. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5913",children:"(#5913)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The etcd error on incorrect peer urls now correctly includes the expected https and 2380 port. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5909",children:"(#5909)"})]}),"\n",(0,r.jsxs)(s.li,{children:["When set, the agent-token value is now written to ",(0,r.jsx)(s.code,{children:"$datadir/server/agent-token"}),", in the same manner as the default (server) token is written to ",(0,r.jsx)(s.code,{children:"$datadir/server/token"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5906",children:"(#5906)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Deprecated flags now warn of their v1.25 removal ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5937",children:"(#5937)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix secrets reencryption for clusters with 8K+ secrets ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5936",children:"(#5936)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bumped minio-go to v7.0.33. This adds support for IMDSv2 credentials. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5928",children:"(#5928)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Upgrade GH Actions macos-10.15 to macos-12 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5953",children:"(#5953)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added dualstack IP auto detection ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5920",children:"(#5920)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"--docker"})," flag has been restored to k3s, as a shortcut to enabling embedded cri-dockerd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5916",children:"(#5916)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update MAINTAINERS with new folks and departures ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5948",children:"(#5948)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Removing checkbox indicating backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5947",children:"(#5947)"})]}),"\n",(0,r.jsxs)(s.li,{children:["fix checkError in terraform/testutils ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5893",children:"(#5893)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add scripts to run e2e test using ansible ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5134",children:"(#5134)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Updated flannel to v0.19.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5962",children:"(#5962)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update run scripts ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5979",children:"(#5979)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Convert install/cgroup tests to yaml based config ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5992",children:"(#5992)"})]}),"\n",(0,r.jsxs)(s.li,{children:["E2E: Local cluster testing ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5977",children:"(#5977)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add nightly install github action ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5998",children:"(#5998)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Convert codespell from Drone to GH actions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6004",children:"(#6004)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.4 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6014",children:"(#6014)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1243k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.3+k3s1",children:"v1.24.3+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.3, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v1242",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1242k3s2",children:"Changes since v1.24.2+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Updated rancher/remotedialer to address a potential memory leak. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5784",children:"(#5784)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The embedded runc binary has been bumped to v1.1.3 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5783",children:"(#5783)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fixed a regression that caused some containerd labels to be empty in cadvisor pod metrics ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5812",children:"(#5812)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Replace dapper testing with regular docker ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5805",children:"(#5805)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Promote v1.23.8+k3s2 to stable ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5814",children:"(#5814)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fixed an issue that would cause etcd restore to fail when restoring a snapshot made with secrets encryption enabled if the --secrets-encryption command was not included in the config file or restore command. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5817",children:"(#5817)"})]}),"\n",(0,r.jsx)(s.li,{children:"Fix deletion of svclb DaemonSet when Service is deleted"}),"\n",(0,r.jsxs)(s.li,{children:["Fixed a regression that caused ServiceLB DaemonSets to remain present after their corresponding Services were deleted.\r\nManual cleanup of orphaned ",(0,r.jsx)(s.code,{children:"svclb-*"})," DaemonSets from the ",(0,r.jsx)(s.code,{children:"kube-system"})," namespace may be necessary if any LoadBalancer Services were deleted while running an affected release. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5824",children:"(#5824)"})]}),"\n",(0,r.jsx)(s.li,{children:"Address issues with etcd snapshots"}),"\n",(0,r.jsx)(s.li,{children:"Scheduled etcd snapshots are now compressed when snapshot compression is enabled."}),"\n",(0,r.jsx)(s.li,{children:"The default etcd snapshot timeout has been raised to 5 minutes.\r\nOnly one scheduled etcd snapshot will run at a time. If another snapshot would occur while the previous snapshot is still in progress, an error will be logged and the second scheduled snapshot will be skipped."}),"\n",(0,r.jsxs)(s.li,{children:["S3 objects for etcd snapshots are now labeled with the correct content-type when compression is not enabled. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5833",children:"(#5833)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.3 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5870",children:"(#5870)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1242k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.2+k3s2",children:"v1.24.2+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This fixes several issues in the v1.24.2+k3s1 and prior releases."}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1242k3s1",children:"Changes since v1.24.2+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Bumped kine to fix an issue where namespaced lists that included a field-selector on metadata.name would fail to return results when using a sql storage backend. (",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5795",children:"#5795"}),")"]}),"\n",(0,r.jsxs)(s.li,{children:["K3s will no longer log panics after upgrading directly from much older kubernetes releases, or when deploying services with ",(0,r.jsx)(s.code,{children:"type: externalname"}),". (",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5771",children:"#5771"}),")"]}),"\n",(0,r.jsxs)(s.li,{children:["Fixed an issue that prevented ",(0,r.jsx)(s.code,{children:"kubectl logs"})," and other functionality that requires a connection to the agent from working correctly when the server's ",(0,r.jsx)(s.code,{children:"--bind-address"})," flag was used, or when k3s is used behind a http proxy. (",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5780",children:"#5780"}),")"]}),"\n",(0,r.jsxs)(s.li,{children:["Fixed an issue that prevented newer versions of k3s from joining clusters that do not have egress-selector-mode support. (",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5785",children:"#5785"}),")"]}),"\n",(0,r.jsxs)(s.li,{children:["Remove go-powershell dead dependency (",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5777",children:"#5777"}),")"]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1242k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.2+k3s1",children:"v1.24.2+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.2, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v1241",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1241k3s1",children:"Changes since v1.24.1+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Remove kube-ipvs0 interface when cleaning up ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5644",children:"(#5644)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"--flannel-wireguard-mode"})," switch was added to the k3s cli to configure the wireguard tunnel mode with the wireguard native backend ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5552",children:"(#5552)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Introduce the flannelcniconf flag to set the desired flannel cni configuration ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5656",children:"(#5656)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Integration Test: Startup ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5630",children:"(#5630)"})]}),"\n",(0,r.jsxs)(s.li,{children:["E2E Improvements and groundwork for test-pad tool ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5593",children:"(#5593)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update SECURITY.md ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5607",children:"(#5607)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Introduce --enable-pprof flag to optionally run pprof server ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5527",children:"(#5527)"})]}),"\n",(0,r.jsxs)(s.li,{children:["E2E: Dualstack test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5617",children:"(#5617)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Pods created by ServiceLB are now all placed in the ",(0,r.jsx)(s.code,{children:"kube-system"})," namespace, instead of in the same namespace as the Service. This allows for ",(0,r.jsx)(s.a,{href:"https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-namespace-labels/",children:"enforcing Pod Security Standards"})," in user namespaces without breaking ServiceLB. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5657",children:"(#5657)"})]}),"\n",(0,r.jsxs)(s.li,{children:["E2E: testpad prep, add alternate scripts location ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5692",children:"(#5692)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add arm tests and upgrade tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5526",children:"(#5526)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Delay service readiness until after startuphooks have finished ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5649",children:"(#5649)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Disable urfave markdown/man docs generation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5566",children:"(#5566)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The embedded etcd snapshot controller will no longer fail to process snapshot files containing characters that are invalid for use in ConfigMap keys. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5702",children:"(#5702)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Environment variables prefixed with ",(0,r.jsx)(s.code,{children:"CONTAINERD_"})," now take priority over other existing variables, when passed through to containerd. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5706",children:"(#5706)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The embedded etcd instance no longer accepts connections from other nodes while resetting or restoring. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5542",children:"(#5542)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Enable compatibility tests for k3s s390x ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5658",children:"(#5658)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Containerd: Enable enable_unprivileged_ports and enable_unprivileged_\u2026 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5538",children:"(#5538)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The embedded Helm controller now properly updates Chart deployments when HelmChartConfig resources are updated or deleted. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5731",children:"(#5731)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5749",children:"(#5749)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1241k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.1+k3s1",children:"v1.24.1+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.1, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v1240",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1240k3s1",children:"Changes since v1.24.0+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Objects will be removed from Kubernetes when they are removed from manifest files. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5560",children:"(#5560)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove errant unversioned etcd go.mod entry ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5548",children:"(#5548)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Pass the node-ip values to kubelet ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5579",children:"(#5579)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The integrated apiserver network proxy's operational mode can now be set with ",(0,r.jsx)(s.code,{children:"--egress-selector-mode"}),". ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5577",children:"(#5577)"})]}),"\n",(0,r.jsxs)(s.li,{children:["remove dweomer from maintainers ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5582",children:"(#5582)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump dynamiclistener to v0.3.3 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5554",children:"(#5554)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.1-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5616",children:"(#5616)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Re-add ",(0,r.jsx)(s.code,{children:"--cloud-provider=external"})," kubelet arg ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5628",children:"(#5628)"})]}),"\n",(0,r.jsxs)(s.li,{children:['Revert "Give kubelet the node-ip value (#5579)" ',(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5636",children:"(#5636)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{})]})}function o(e={}){const{wrapper:s}={...(0,n.a)(),...e.components};return s?(0,r.jsx)(s,{...e,children:(0,r.jsx)(a,{...e})}):a(e)}},1151:(e,s,t)=>{t.d(s,{Z:()=>h,a:()=>l});var r=t(7294);const n={},i=r.createContext(n);function l(e){const s=r.useContext(i);return r.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function h(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:l(e.components),r.createElement(i.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/d8ab3227.3780315b.js b/assets/js/d8ab3227.3780315b.js new file mode 100644 index 000000000..e8ce981ab --- /dev/null +++ b/assets/js/d8ab3227.3780315b.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[6501],{7953:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>a,contentTitle:()=>o,default:()=>h,frontMatter:()=>r,metadata:()=>l,toc:()=>d});var i=t(5893),s=t(1151);const r={title:"Distributed hybrid or multicloud cluster"},o=void 0,l={id:"networking/distributed-multicloud",title:"Distributed hybrid or multicloud cluster",description:"A K3s cluster can still be deployed on nodes which do not share a common private network and are not directly connected (e.g. nodes in different public clouds). There are two options to achieve this: the embedded k3s multicloud solution and the integration with the tailscale VPN provider.",source:"@site/docs/networking/distributed-multicloud.md",sourceDirName:"networking",slug:"/networking/distributed-multicloud",permalink:"/networking/distributed-multicloud",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/networking/distributed-multicloud.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Distributed hybrid or multicloud cluster"},sidebar:"mySidebar",previous:{title:"Basic Network Options",permalink:"/networking/basic-network-options"},next:{title:"Multus and IPAM plugins",permalink:"/networking/multus-ipams"}},a={},d=[{value:"Embedded k3s multicloud solution",id:"embedded-k3s-multicloud-solution",level:3},{value:"Integration with the Tailscale VPN provider (experimental)",id:"integration-with-the-tailscale-vpn-provider-experimental",level:3}];function c(e){const n={a:"a",admonition:"admonition",code:"code",h3:"h3",li:"li",ol:"ol",p:"p",pre:"pre",...(0,s.a)(),...e.components};return(0,i.jsxs)(i.Fragment,{children:[(0,i.jsxs)(n.p,{children:["A K3s cluster can still be deployed on nodes which do not share a common private network and are not directly connected (e.g. nodes in different public clouds). There are two options to achieve this: the embedded k3s multicloud solution and the integration with the ",(0,i.jsx)(n.code,{children:"tailscale"})," VPN provider."]}),"\n",(0,i.jsx)(n.admonition,{type:"warning",children:(0,i.jsx)(n.p,{children:"The latency between nodes will increase as external connectivity requires more hops. This will reduce the network performance and could also impact the health of the cluster if latency is too high."})}),"\n",(0,i.jsx)(n.admonition,{type:"warning",children:(0,i.jsx)(n.p,{children:"Embedded etcd is not supported in this type of deployment. If using embedded etcd, all server nodes must be reachable to each other via their private IPs. Agents may be distributed over multiple networks, but all servers should be in the same location."})}),"\n",(0,i.jsx)(n.h3,{id:"embedded-k3s-multicloud-solution",children:"Embedded k3s multicloud solution"}),"\n",(0,i.jsx)(n.p,{children:"K3s uses wireguard to establish a VPN mesh for cluster traffic. Nodes must each have a unique IP through which they can be reached (usually a public IP). K3s supervisor traffic will use a websocket tunnel, and cluster (CNI) traffic will use a wireguard tunnel."}),"\n",(0,i.jsx)(n.p,{children:"To enable this type of deployment, you must add the following parameters on servers:"}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-bash",children:"--node-external-ip=<SERVER_EXTERNAL_IP> --flannel-backend=wireguard-native --flannel-external-ip\n"})}),"\n",(0,i.jsx)(n.p,{children:"and on agents:"}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-bash",children:"--node-external-ip=<AGENT_EXTERNAL_IP>\n"})}),"\n",(0,i.jsxs)(n.p,{children:["where ",(0,i.jsx)(n.code,{children:"SERVER_EXTERNAL_IP"})," is the IP through which we can reach the server node and ",(0,i.jsx)(n.code,{children:"AGENT_EXTERNAL_IP"})," is the IP through which we can reach the agent node. Note that the ",(0,i.jsx)(n.code,{children:"K3S_URL"})," config parameter in the agent should use the ",(0,i.jsx)(n.code,{children:"SERVER_EXTERNAL_IP"})," to be able to connect to it. Remember to check the ",(0,i.jsx)(n.a,{href:"/installation/requirements#networking",children:"Networking Requirements"})," and allow access to the listed ports on both internal and external addresses."]}),"\n",(0,i.jsxs)(n.p,{children:["Both ",(0,i.jsx)(n.code,{children:"SERVER_EXTERNAL_IP"})," and ",(0,i.jsx)(n.code,{children:"AGENT_EXTERNAL_IP"})," must have connectivity between them and are normally public IPs."]}),"\n",(0,i.jsxs)(n.admonition,{title:"Dynamic IPs",type:"info",children:[(0,i.jsxs)(n.p,{children:["If nodes are assigned dynamic IPs and the IP changes (e.g. in AWS), you must modify the ",(0,i.jsx)(n.code,{children:"--node-external-ip"})," parameter to reflect the new IP. If running K3s as a service, you must modify ",(0,i.jsx)(n.code,{children:"/etc/systemd/system/k3s.service"})," then run:"]}),(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-bash",children:"systemctl daemon-reload\nsystemctl restart k3s\n"})})]}),"\n",(0,i.jsx)(n.h3,{id:"integration-with-the-tailscale-vpn-provider-experimental",children:"Integration with the Tailscale VPN provider (experimental)"}),"\n",(0,i.jsx)(n.p,{children:"Available in v1.27.3, v1.26.6, v1.25.11 and newer."}),"\n",(0,i.jsxs)(n.p,{children:["K3s can integrate with ",(0,i.jsx)(n.a,{href:"https://tailscale.com/",children:"Tailscale"})," so that nodes use the Tailscale VPN service to build a mesh between nodes."]}),"\n",(0,i.jsx)(n.p,{children:"There are four steps to be done with Tailscale before deploying K3s:"}),"\n",(0,i.jsxs)(n.ol,{children:["\n",(0,i.jsxs)(n.li,{children:["\n",(0,i.jsx)(n.p,{children:"Log in to your Tailscale account"}),"\n"]}),"\n",(0,i.jsxs)(n.li,{children:["\n",(0,i.jsxs)(n.p,{children:["In ",(0,i.jsx)(n.code,{children:"Settings > Keys"}),", generate an auth key ($AUTH-KEY), which may be reusable for all nodes in your cluster"]}),"\n"]}),"\n",(0,i.jsxs)(n.li,{children:["\n",(0,i.jsxs)(n.p,{children:["Decide on the podCIDR the cluster will use (by default ",(0,i.jsx)(n.code,{children:"10.42.0.0/16"}),"). Append the CIDR (or CIDRs for dual-stack) in Access controls with the stanza:"]}),"\n"]}),"\n"]}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:'"autoApprovers": {\n "routes": {\n "10.42.0.0/16": ["your_account@xyz.com"],\n "2001:cafe:42::/56": ["your_account@xyz.com"],\n },\n },\n'})}),"\n",(0,i.jsxs)(n.ol,{start:"4",children:["\n",(0,i.jsx)(n.li,{children:"Install Tailscale in your nodes:"}),"\n"]}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-bash",children:"curl -fsSL https://tailscale.com/install.sh | sh\n"})}),"\n",(0,i.jsx)(n.p,{children:"To deploy K3s with Tailscale integration enabled, you must add the following parameter on each of your nodes:"}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-bash",children:'--vpn-auth="name=tailscale,joinKey=$AUTH-KEY\n'})}),"\n",(0,i.jsx)(n.p,{children:"or provide that information in a file and use the parameter:"}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-bash",children:"--vpn-auth-file=$PATH_TO_FILE\n"})}),"\n",(0,i.jsxs)(n.p,{children:["Optionally, if you have your own Tailscale server (e.g. headscale), you can connect to it by appending ",(0,i.jsx)(n.code,{children:",controlServerURL=$URL"})," to the vpn-auth parameters"]}),"\n",(0,i.jsx)(n.admonition,{type:"warning",children:(0,i.jsxs)(n.p,{children:["If you plan on running several K3s clusters using the same tailscale network, please create appropriate ",(0,i.jsx)(n.a,{href:"https://tailscale.com/kb/1018/acls/",children:"ACLs"})," to avoid IP conflicts or use different podCIDR subnets for each cluster."]})})]})}function h(e={}){const{wrapper:n}={...(0,s.a)(),...e.components};return n?(0,i.jsx)(n,{...e,children:(0,i.jsx)(c,{...e})}):c(e)}},1151:(e,n,t)=>{t.d(n,{Z:()=>l,a:()=>o});var i=t(7294);const s={},r=i.createContext(s);function o(e){const n=i.useContext(r);return i.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function l(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(s):e.components||s:o(e.components),i.createElement(r.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/d8ab3227.50ff09a3.js b/assets/js/d8ab3227.50ff09a3.js deleted file mode 100644 index 57089c117..000000000 --- a/assets/js/d8ab3227.50ff09a3.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[6501],{7953:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>a,contentTitle:()=>o,default:()=>h,frontMatter:()=>r,metadata:()=>l,toc:()=>d});var i=t(5893),s=t(1151);const r={title:"Distributed hybrid or multicloud cluster"},o=void 0,l={id:"networking/distributed-multicloud",title:"Distributed hybrid or multicloud cluster",description:"A K3s cluster can still be deployed on nodes which do not share a common private network and are not directly connected (e.g. nodes in different public clouds). There are two options to achieve this: the embedded k3s multicloud solution and the integration with the tailscale VPN provider.",source:"@site/docs/networking/distributed-multicloud.md",sourceDirName:"networking",slug:"/networking/distributed-multicloud",permalink:"/networking/distributed-multicloud",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/networking/distributed-multicloud.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Distributed hybrid or multicloud cluster"},sidebar:"mySidebar",previous:{title:"Basic Network Options",permalink:"/networking/basic-network-options"},next:{title:"Multus and IPAM plugins",permalink:"/networking/multus-ipams"}},a={},d=[{value:"Embedded k3s multicloud solution",id:"embedded-k3s-multicloud-solution",level:3},{value:"Integration with the Tailscale VPN provider (experimental)",id:"integration-with-the-tailscale-vpn-provider-experimental",level:3}];function c(e){const n={a:"a",admonition:"admonition",code:"code",h3:"h3",li:"li",ol:"ol",p:"p",pre:"pre",...(0,s.a)(),...e.components};return(0,i.jsxs)(i.Fragment,{children:[(0,i.jsxs)(n.p,{children:["A K3s cluster can still be deployed on nodes which do not share a common private network and are not directly connected (e.g. nodes in different public clouds). There are two options to achieve this: the embedded k3s multicloud solution and the integration with the ",(0,i.jsx)(n.code,{children:"tailscale"})," VPN provider."]}),"\n",(0,i.jsx)(n.admonition,{type:"warning",children:(0,i.jsx)(n.p,{children:"The latency between nodes will increase as external connectivity requires more hops. This will reduce the network performance and could also impact the health of the cluster if latency is too high."})}),"\n",(0,i.jsx)(n.admonition,{type:"warning",children:(0,i.jsx)(n.p,{children:"Embedded etcd is not supported in this type of deployment. If using embedded etcd, all server nodes must be reachable to each other via their private IPs. Agents may be distributed over multiple networks, but all servers should be in the same location."})}),"\n",(0,i.jsx)(n.h3,{id:"embedded-k3s-multicloud-solution",children:"Embedded k3s multicloud solution"}),"\n",(0,i.jsx)(n.p,{children:"K3s uses wireguard to establish a VPN mesh for cluster traffic. Nodes must each have a unique IP through which they can be reached (usually a public IP). K3s supervisor traffic will use a websocket tunnel, and cluster (CNI) traffic will use a wireguard tunnel."}),"\n",(0,i.jsx)(n.p,{children:"To enable this type of deployment, you must add the following parameters on servers:"}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-bash",children:"--node-external-ip=<SERVER_EXTERNAL_IP> --flannel-backend=wireguard-native --flannel-external-ip\n"})}),"\n",(0,i.jsx)(n.p,{children:"and on agents:"}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-bash",children:"--node-external-ip=<AGENT_EXTERNAL_IP>\n"})}),"\n",(0,i.jsxs)(n.p,{children:["where ",(0,i.jsx)(n.code,{children:"SERVER_EXTERNAL_IP"})," is the IP through which we can reach the server node and ",(0,i.jsx)(n.code,{children:"AGENT_EXTERNAL_IP"})," is the IP through which we can reach the agent node. Note that the ",(0,i.jsx)(n.code,{children:"K3S_URL"})," config parameter in the agent should use the ",(0,i.jsx)(n.code,{children:"SERVER_EXTERNAL_IP"})," to be able to connect to it. Remember to check the ",(0,i.jsx)(n.a,{href:"/installation/requirements#networking",children:"Networking Requirements"})," and allow access to the listed ports on both internal and external addresses."]}),"\n",(0,i.jsxs)(n.p,{children:["Both ",(0,i.jsx)(n.code,{children:"SERVER_EXTERNAL_IP"})," and ",(0,i.jsx)(n.code,{children:"AGENT_EXTERNAL_IP"})," must have connectivity between them and are normally public IPs."]}),"\n",(0,i.jsxs)(n.admonition,{title:"Dynamic IPs",type:"info",children:[(0,i.jsxs)(n.p,{children:["If nodes are assigned dynamic IPs and the IP changes (e.g. in AWS), you must modify the ",(0,i.jsx)(n.code,{children:"--node-external-ip"})," parameter to reflect the new IP. If running K3s as a service, you must modify ",(0,i.jsx)(n.code,{children:"/etc/systemd/system/k3s.service"})," then run:"]}),(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-bash",children:"systemctl daemon-reload\nsystemctl restart k3s\n"})})]}),"\n",(0,i.jsx)(n.h3,{id:"integration-with-the-tailscale-vpn-provider-experimental",children:"Integration with the Tailscale VPN provider (experimental)"}),"\n",(0,i.jsx)(n.p,{children:"Available in v1.27.3, v1.26.6, v1.25.11 and newer."}),"\n",(0,i.jsxs)(n.p,{children:["K3s can integrate with ",(0,i.jsx)(n.a,{href:"https://tailscale.com/",children:"Tailscale"})," so that nodes use the Tailscale VPN service to build a mesh between nodes."]}),"\n",(0,i.jsx)(n.p,{children:"There are four steps to be done with Tailscale before deploying K3s:"}),"\n",(0,i.jsxs)(n.ol,{children:["\n",(0,i.jsxs)(n.li,{children:["\n",(0,i.jsx)(n.p,{children:"Log in to your Tailscale account"}),"\n"]}),"\n",(0,i.jsxs)(n.li,{children:["\n",(0,i.jsxs)(n.p,{children:["In ",(0,i.jsx)(n.code,{children:"Settings > Keys"}),", generate an auth key ($AUTH-KEY), which may be reusable for all nodes in your cluster"]}),"\n"]}),"\n",(0,i.jsxs)(n.li,{children:["\n",(0,i.jsxs)(n.p,{children:["Decide on the podCIDR the cluster will use (by default ",(0,i.jsx)(n.code,{children:"10.42.0.0/16"}),"). Append the CIDR (or CIDRs for dual-stack) in Access controls with the stanza:"]}),"\n"]}),"\n"]}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:'"autoApprovers": {\n "routes": {\n "10.42.0.0/16": ["your_account@xyz.com"],\n "2001:cafe:42::/56": ["your_account@xyz.com"],\n },\n },\n'})}),"\n",(0,i.jsxs)(n.ol,{start:"4",children:["\n",(0,i.jsx)(n.li,{children:"Install Tailscale in your nodes:"}),"\n"]}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-bash",children:"curl -fsSL https://tailscale.com/install.sh | sh\n"})}),"\n",(0,i.jsx)(n.p,{children:"To deploy K3s with Tailscale integration enabled, you must add the following parameter on each of your nodes:"}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-bash",children:'--vpn-auth="name=tailscale,joinKey=$AUTH-KEY\n'})}),"\n",(0,i.jsx)(n.p,{children:"or provide that information in a file and use the parameter:"}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-bash",children:"--vpn-auth-file=$PATH_TO_FILE\n"})}),"\n",(0,i.jsxs)(n.p,{children:["Optionally, if you have your own Tailscale server (e.g. headscale), you can connect to it by appending ",(0,i.jsx)(n.code,{children:",controlServerURL=$URL"})," to the vpn-auth parameters"]}),"\n",(0,i.jsx)(n.admonition,{type:"warning",children:(0,i.jsxs)(n.p,{children:["If you plan on running several K3s clusters using the same tailscale network, please create appropriate ",(0,i.jsx)(n.a,{href:"https://tailscale.com/kb/1018/acls/",children:"ACLs"})," to avoid IP conflicts or use different podCIDR subnets for each cluster."]})})]})}function h(e={}){const{wrapper:n}={...(0,s.a)(),...e.components};return n?(0,i.jsx)(n,{...e,children:(0,i.jsx)(c,{...e})}):c(e)}},1151:(e,n,t)=>{t.d(n,{Z:()=>l,a:()=>o});var i=t(7294);const s={},r=i.createContext(s);function o(e){const n=i.useContext(r);return i.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function l(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(s):e.components||s:o(e.components),i.createElement(r.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/d8ed1217.0be5a98d.js b/assets/js/d8ed1217.0be5a98d.js new file mode 100644 index 000000000..6a6e74154 --- /dev/null +++ b/assets/js/d8ed1217.0be5a98d.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[2745],{7803:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>o,contentTitle:()=>r,default:()=>c,frontMatter:()=>a,metadata:()=>l,toc:()=>d});var s=t(5893),i=t(1151);const a={title:"Manual Upgrades"},r=void 0,l={id:"upgrades/manual",title:"Manual Upgrades",description:"You can upgrade K3s by using the installation script, or by manually installing the binary of the desired version.",source:"@site/docs/upgrades/manual.md",sourceDirName:"upgrades",slug:"/upgrades/manual",permalink:"/upgrades/manual",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/upgrades/manual.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Manual Upgrades"},sidebar:"mySidebar",previous:{title:"Stopping K3s",permalink:"/upgrades/killall"},next:{title:"Automated Upgrades",permalink:"/upgrades/automated"}},o={},d=[{value:"Release Channels",id:"release-channels",level:3},{value:"Upgrade K3s Using the Installation Script",id:"upgrade-k3s-using-the-installation-script",level:3},{value:"Upgrade K3s Using the Binary",id:"upgrade-k3s-using-the-binary",level:3}];function h(e){const n={a:"a",admonition:"admonition",code:"code",h3:"h3",li:"li",mdxAdmonitionTitle:"mdxAdmonitionTitle",ol:"ol",p:"p",pre:"pre",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",...(0,i.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(n.p,{children:"You can upgrade K3s by using the installation script, or by manually installing the binary of the desired version."}),"\n",(0,s.jsx)(n.admonition,{type:"note",children:(0,s.jsx)(n.p,{children:"When upgrading, upgrade server nodes first one at a time, then any agent nodes."})}),"\n",(0,s.jsx)(n.h3,{id:"release-channels",children:"Release Channels"}),"\n",(0,s.jsxs)(n.p,{children:["Upgrades performed via the installation script or using our ",(0,s.jsx)(n.a,{href:"/upgrades/automated",children:"automated upgrades"})," feature can be tied to different release channels. The following channels are available:"]}),"\n",(0,s.jsxs)(n.table,{children:[(0,s.jsx)(n.thead,{children:(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.th,{children:"Channel"}),(0,s.jsx)(n.th,{children:"Description"})]})}),(0,s.jsxs)(n.tbody,{children:[(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"stable"}),(0,s.jsx)(n.td,{children:"(Default) Stable is recommended for production environments. These releases have been through a period of community hardening."})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"latest"}),(0,s.jsx)(n.td,{children:"Latest is recommended for trying out the latest features. These releases have not yet been through a period of community hardening."})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"v1.26 (example)"}),(0,s.jsx)(n.td,{children:"There is a release channel tied to each Kubernetes minor version, including versions that are end-of-life. These channels will select the latest patch available, not necessarily a stable release."})]})]})]}),"\n",(0,s.jsxs)(n.p,{children:["For an exhaustive and up-to-date list of channels, you can visit the ",(0,s.jsx)(n.a,{href:"https://update.k3s.io/v1-release/channels",children:"k3s channel service API"}),". For more technical details on how channels work, you see the ",(0,s.jsx)(n.a,{href:"https://github.com/rancher/channelserver",children:"channelserver project"}),"."]}),"\n",(0,s.jsx)(n.admonition,{type:"tip",children:(0,s.jsxs)(n.p,{children:["When attempting to upgrade to a new version of K3s, the ",(0,s.jsx)(n.a,{href:"https://kubernetes.io/docs/setup/release/version-skew-policy/",children:"Kubernetes version skew policy"})," applies. Ensure that your plan does not skip intermediate minor versions when upgrading. The system-upgrade-controller itself will not protect against unsupported changes to the Kubernetes version."]})}),"\n",(0,s.jsx)(n.h3,{id:"upgrade-k3s-using-the-installation-script",children:"Upgrade K3s Using the Installation Script"}),"\n",(0,s.jsx)(n.p,{children:"To upgrade K3s from an older version you can re-run the installation script using the same configuration options you originally used when running the install script."}),"\n",(0,s.jsxs)(n.admonition,{title:"Note",type:"info",children:[(0,s.jsxs)(n.p,{children:["The ",(0,s.jsx)(n.code,{children:"INSTALL_K3S_EXEC"})," variable, ",(0,s.jsx)(n.code,{children:"K3S_"})," variables, and trailing shell arguments are all used by the install script to generate the systemd unit and environment file.\nIf you set configuration when originally running the install script, but do not set it again when re-running the install script, the original values will be lost."]}),(0,s.jsxs)(n.p,{children:["The contents of the ",(0,s.jsx)(n.a,{href:"/installation/configuration#configuration-file",children:"configuration file"})," are not managed by the install script.\nIf you want your configuration to be independent from the install script, you should use a configuration file instead of passing environment variables or arguments to the install script."]})]}),"\n",(0,s.jsx)(n.p,{children:"Running the install script will:"}),"\n",(0,s.jsxs)(n.ol,{children:["\n",(0,s.jsx)(n.li,{children:"Download the new k3s binary"}),"\n",(0,s.jsx)(n.li,{children:"Update the systemd unit or openrc init script to reflect the args passed to the install script"}),"\n",(0,s.jsx)(n.li,{children:"Restart the k3s service"}),"\n"]}),"\n",(0,s.jsx)(n.p,{children:"For example, to upgrade to the current stable release:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-sh",children:"curl -sfL https://get.k3s.io | <EXISTING_K3S_ENV> sh -s - <EXISTING_K3S_ARGS>\n"})}),"\n",(0,s.jsx)(n.p,{children:"If you want to upgrade to a newer version in a specific channel (such as latest) you can specify the channel:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-sh",children:"curl -sfL https://get.k3s.io | INSTALL_K3S_CHANNEL=latest <EXISTING_K3S_ENV> sh -s - <EXISTING_K3S_ARGS>\n"})}),"\n",(0,s.jsx)(n.p,{children:"If you want to upgrade to a specific version you can run the following command:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-sh",children:"curl -sfL https://get.k3s.io | INSTALL_K3S_VERSION=vX.Y.Z+k3s1 <EXISTING_K3S_ENV> sh -s - <EXISTING_K3S_ARGS>\n"})}),"\n",(0,s.jsxs)(n.admonition,{type:"tip",children:[(0,s.jsx)(n.mdxAdmonitionTitle,{}),(0,s.jsxs)(n.p,{children:["If you want to download the new version of k3s, but not start it, you can use the ",(0,s.jsx)(n.code,{children:"INSTALL_K3S_SKIP_START=true"})," environment variable."]})]}),"\n",(0,s.jsx)(n.h3,{id:"upgrade-k3s-using-the-binary",children:"Upgrade K3s Using the Binary"}),"\n",(0,s.jsx)(n.p,{children:"To upgrade K3s manually, you can download the desired version of the K3s binary and replace the existing binary with the new one."}),"\n",(0,s.jsxs)(n.ol,{children:["\n",(0,s.jsxs)(n.li,{children:["Download the desired version of the K3s binary from ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases",children:"releases"})]}),"\n",(0,s.jsxs)(n.li,{children:["Copy the downloaded binary to ",(0,s.jsx)(n.code,{children:"/usr/local/bin/k3s"})," (or your desired location)"]}),"\n",(0,s.jsx)(n.li,{children:"Stop the old k3s binary"}),"\n",(0,s.jsx)(n.li,{children:"Launch the new k3s binary"}),"\n"]})]})}function c(e={}){const{wrapper:n}={...(0,i.a)(),...e.components};return n?(0,s.jsx)(n,{...e,children:(0,s.jsx)(h,{...e})}):h(e)}},1151:(e,n,t)=>{t.d(n,{Z:()=>l,a:()=>r});var s=t(7294);const i={},a=s.createContext(i);function r(e){const n=s.useContext(a);return s.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function l(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(i):e.components||i:r(e.components),s.createElement(a.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/d8ed1217.4d9ddd19.js b/assets/js/d8ed1217.4d9ddd19.js deleted file mode 100644 index bf5923cd5..000000000 --- a/assets/js/d8ed1217.4d9ddd19.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[2745],{7803:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>o,contentTitle:()=>r,default:()=>c,frontMatter:()=>a,metadata:()=>l,toc:()=>d});var s=t(5893),i=t(1151);const a={title:"Manual Upgrades"},r=void 0,l={id:"upgrades/manual",title:"Manual Upgrades",description:"You can upgrade K3s by using the installation script, or by manually installing the binary of the desired version.",source:"@site/docs/upgrades/manual.md",sourceDirName:"upgrades",slug:"/upgrades/manual",permalink:"/upgrades/manual",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/upgrades/manual.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Manual Upgrades"},sidebar:"mySidebar",previous:{title:"Stopping K3s",permalink:"/upgrades/killall"},next:{title:"Automated Upgrades",permalink:"/upgrades/automated"}},o={},d=[{value:"Release Channels",id:"release-channels",level:3},{value:"Upgrade K3s Using the Installation Script",id:"upgrade-k3s-using-the-installation-script",level:3},{value:"Upgrade K3s Using the Binary",id:"upgrade-k3s-using-the-binary",level:3}];function h(e){const n={a:"a",admonition:"admonition",code:"code",h3:"h3",li:"li",mdxAdmonitionTitle:"mdxAdmonitionTitle",ol:"ol",p:"p",pre:"pre",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",...(0,i.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(n.p,{children:"You can upgrade K3s by using the installation script, or by manually installing the binary of the desired version."}),"\n",(0,s.jsx)(n.admonition,{type:"note",children:(0,s.jsx)(n.p,{children:"When upgrading, upgrade server nodes first one at a time, then any agent nodes."})}),"\n",(0,s.jsx)(n.h3,{id:"release-channels",children:"Release Channels"}),"\n",(0,s.jsxs)(n.p,{children:["Upgrades performed via the installation script or using our ",(0,s.jsx)(n.a,{href:"/upgrades/automated",children:"automated upgrades"})," feature can be tied to different release channels. The following channels are available:"]}),"\n",(0,s.jsxs)(n.table,{children:[(0,s.jsx)(n.thead,{children:(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.th,{children:"Channel"}),(0,s.jsx)(n.th,{children:"Description"})]})}),(0,s.jsxs)(n.tbody,{children:[(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"stable"}),(0,s.jsx)(n.td,{children:"(Default) Stable is recommended for production environments. These releases have been through a period of community hardening."})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"latest"}),(0,s.jsx)(n.td,{children:"Latest is recommended for trying out the latest features. These releases have not yet been through a period of community hardening."})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"v1.26 (example)"}),(0,s.jsx)(n.td,{children:"There is a release channel tied to each Kubernetes minor version, including versions that are end-of-life. These channels will select the latest patch available, not necessarily a stable release."})]})]})]}),"\n",(0,s.jsxs)(n.p,{children:["For an exhaustive and up-to-date list of channels, you can visit the ",(0,s.jsx)(n.a,{href:"https://update.k3s.io/v1-release/channels",children:"k3s channel service API"}),". For more technical details on how channels work, you see the ",(0,s.jsx)(n.a,{href:"https://github.com/rancher/channelserver",children:"channelserver project"}),"."]}),"\n",(0,s.jsx)(n.admonition,{type:"tip",children:(0,s.jsxs)(n.p,{children:["When attempting to upgrade to a new version of K3s, the ",(0,s.jsx)(n.a,{href:"https://kubernetes.io/docs/setup/release/version-skew-policy/",children:"Kubernetes version skew policy"})," applies. Ensure that your plan does not skip intermediate minor versions when upgrading. The system-upgrade-controller itself will not protect against unsupported changes to the Kubernetes version."]})}),"\n",(0,s.jsx)(n.h3,{id:"upgrade-k3s-using-the-installation-script",children:"Upgrade K3s Using the Installation Script"}),"\n",(0,s.jsx)(n.p,{children:"To upgrade K3s from an older version you can re-run the installation script using the same configuration options you originally used when running the install script."}),"\n",(0,s.jsxs)(n.admonition,{title:"Note",type:"info",children:[(0,s.jsxs)(n.p,{children:["The ",(0,s.jsx)(n.code,{children:"INSTALL_K3S_EXEC"})," variable, ",(0,s.jsx)(n.code,{children:"K3S_"})," variables, and trailing shell arguments are all used by the install script to generate the systemd unit and environment file.\nIf you set configuration when originally running the install script, but do not set it again when re-running the install script, the original values will be lost."]}),(0,s.jsxs)(n.p,{children:["The contents of the ",(0,s.jsx)(n.a,{href:"/installation/configuration#configuration-file",children:"configuration file"})," are not managed by the install script.\nIf you want your configuration to be independent from the install script, you should use a configuration file instead of passing environment variables or arguments to the install script."]})]}),"\n",(0,s.jsx)(n.p,{children:"Running the install script will:"}),"\n",(0,s.jsxs)(n.ol,{children:["\n",(0,s.jsx)(n.li,{children:"Download the new k3s binary"}),"\n",(0,s.jsx)(n.li,{children:"Update the systemd unit or openrc init script to reflect the args passed to the install script"}),"\n",(0,s.jsx)(n.li,{children:"Restart the k3s service"}),"\n"]}),"\n",(0,s.jsx)(n.p,{children:"For example, to upgrade to the current stable release:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-sh",children:"curl -sfL https://get.k3s.io | <EXISTING_K3S_ENV> sh -s - <EXISTING_K3S_ARGS>\n"})}),"\n",(0,s.jsx)(n.p,{children:"If you want to upgrade to a newer version in a specific channel (such as latest) you can specify the channel:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-sh",children:"curl -sfL https://get.k3s.io | INSTALL_K3S_CHANNEL=latest <EXISTING_K3S_ENV> sh -s - <EXISTING_K3S_ARGS>\n"})}),"\n",(0,s.jsx)(n.p,{children:"If you want to upgrade to a specific version you can run the following command:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-sh",children:"curl -sfL https://get.k3s.io | INSTALL_K3S_VERSION=vX.Y.Z+k3s1 <EXISTING_K3S_ENV> sh -s - <EXISTING_K3S_ARGS>\n"})}),"\n",(0,s.jsxs)(n.admonition,{type:"tip",children:[(0,s.jsx)(n.mdxAdmonitionTitle,{}),(0,s.jsxs)(n.p,{children:["If you want to download the new version of k3s, but not start it, you can use the ",(0,s.jsx)(n.code,{children:"INSTALL_K3S_SKIP_START=true"})," environment variable."]})]}),"\n",(0,s.jsx)(n.h3,{id:"upgrade-k3s-using-the-binary",children:"Upgrade K3s Using the Binary"}),"\n",(0,s.jsx)(n.p,{children:"To upgrade K3s manually, you can download the desired version of the K3s binary and replace the existing binary with the new one."}),"\n",(0,s.jsxs)(n.ol,{children:["\n",(0,s.jsxs)(n.li,{children:["Download the desired version of the K3s binary from ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases",children:"releases"})]}),"\n",(0,s.jsxs)(n.li,{children:["Copy the downloaded binary to ",(0,s.jsx)(n.code,{children:"/usr/local/bin/k3s"})," (or your desired location)"]}),"\n",(0,s.jsx)(n.li,{children:"Stop the old k3s binary"}),"\n",(0,s.jsx)(n.li,{children:"Launch the new k3s binary"}),"\n"]})]})}function c(e={}){const{wrapper:n}={...(0,i.a)(),...e.components};return n?(0,s.jsx)(n,{...e,children:(0,s.jsx)(h,{...e})}):h(e)}},1151:(e,n,t)=>{t.d(n,{Z:()=>l,a:()=>r});var s=t(7294);const i={},a=s.createContext(i);function r(e){const n=s.useContext(a);return s.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function l(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(i):e.components||i:r(e.components),s.createElement(a.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/dd22e55f.5e3f87f8.js b/assets/js/dd22e55f.5e3f87f8.js deleted file mode 100644 index e29d87699..000000000 --- a/assets/js/dd22e55f.5e3f87f8.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[5668],{4840:(e,s,i)=>{i.r(s),i.d(s,{assets:()=>c,contentTitle:()=>l,default:()=>o,frontMatter:()=>t,metadata:()=>h,toc:()=>d});var r=i(5893),n=i(1151);const t={hide_table_of_contents:!0,sidebar_position:4},l="v1.27.X",h={id:"release-notes/v1.27.X",title:"v1.27.X",description:"Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.",source:"@site/docs/release-notes/v1.27.X.md",sourceDirName:"release-notes",slug:"/release-notes/v1.27.X",permalink:"/release-notes/v1.27.X",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/release-notes/v1.27.X.md",tags:[],version:"current",lastUpdatedAt:172365169e4,sidebarPosition:4,frontMatter:{hide_table_of_contents:!0,sidebar_position:4},sidebar:"mySidebar",previous:{title:"v1.28.X",permalink:"/release-notes/v1.28.X"},next:{title:"v1.26.X",permalink:"/release-notes/v1.26.X"}},c={},d=[{value:"Release v1.27.16+k3s1",id:"release-v12716k3s1",level:2},{value:"Changes since v1.27.15+k3s2:",id:"changes-since-v12715k3s2",level:3},{value:"Release v1.27.15+k3s2",id:"release-v12715k3s2",level:2},{value:"Changes since v1.27.15+k3s1:",id:"changes-since-v12715k3s1",level:3},{value:"Release v1.27.15+k3s1",id:"release-v12715k3s1",level:2},{value:"Changes since v1.27.14+k3s1:",id:"changes-since-v12714k3s1",level:3},{value:"Release v1.27.14+k3s1",id:"release-v12714k3s1",level:2},{value:"Changes since v1.27.13+k3s1:",id:"changes-since-v12713k3s1",level:3},{value:"Release v1.27.13+k3s1",id:"release-v12713k3s1",level:2},{value:"Changes since v1.27.12+k3s1:",id:"changes-since-v12712k3s1",level:3},{value:"Release v1.27.12+k3s1",id:"release-v12712k3s1",level:2},{value:"Changes since v1.27.11+k3s1:",id:"changes-since-v12711k3s1",level:3},{value:"Release v1.27.11+k3s1",id:"release-v12711k3s1",level:2},{value:"Changes since v1.27.10+k3s2:",id:"changes-since-v12710k3s2",level:3},{value:"Release v1.27.10+k3s2",id:"release-v12710k3s2",level:2},{value:"Changes since v1.27.9+k3s1:",id:"changes-since-v1279k3s1",level:3},{value:"Release v1.27.9+k3s1",id:"release-v1279k3s1",level:2},{value:"Changes since v1.27.8+k3s2:",id:"changes-since-v1278k3s2",level:3},{value:"Release v1.27.8+k3s2",id:"release-v1278k3s2",level:2},{value:"Changes since v1.27.7+k3s2:",id:"changes-since-v1277k3s2",level:3},{value:"Release v1.27.7+k3s2",id:"release-v1277k3s2",level:2},{value:"Changes since v1.27.7+k3s1:",id:"changes-since-v1277k3s1",level:3},{value:"Release v1.27.7+k3s1",id:"release-v1277k3s1",level:2},{value:"Changes since v1.27.6+k3s1:",id:"changes-since-v1276k3s1",level:3},{value:"Release v1.27.6+k3s1",id:"release-v1276k3s1",level:2},{value:"Changes since v1.27.5+k3s1:",id:"changes-since-v1275k3s1",level:3},{value:"Release v1.27.5+k3s1",id:"release-v1275k3s1",level:2},{value:"Changes since v1.27.4+k3s1:",id:"changes-since-v1274k3s1",level:3},{value:"Release v1.27.4+k3s1",id:"release-v1274k3s1",level:2},{value:"Changes since v1.27.3+k3s1:",id:"changes-since-v1273k3s1",level:3},{value:"Release v1.27.3+k3s1",id:"release-v1273k3s1",level:2},{value:"Changes since v1.27.2+k3s1:",id:"changes-since-v1272k3s1",level:3},{value:"Release v1.27.2+k3s1",id:"release-v1272k3s1",level:2},{value:"Changes since v1.27.1+k3s1:",id:"changes-since-v1271k3s1",level:3},{value:"Release v1.27.1+k3s1",id:"release-v1271k3s1",level:2},{value:"Changes since v1.26.4+k3s1:",id:"changes-since-v1264k3s1",level:3}];function a(e){const s={a:"a",admonition:"admonition",br:"br",code:"code",h1:"h1",h2:"h2",h3:"h3",hr:"hr",li:"li",p:"p",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,n.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(s.h1,{id:"v127x",children:"v1.27.X"}),"\n",(0,r.jsx)(s.admonition,{title:"Upgrade Notice",type:"warning",children:(0,r.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]})}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Version"}),(0,r.jsx)(s.th,{children:"Release date"}),(0,r.jsx)(s.th,{children:"Kubernetes"}),(0,r.jsx)(s.th,{children:"Kine"}),(0,r.jsx)(s.th,{children:"SQLite"}),(0,r.jsx)(s.th,{children:"Etcd"}),(0,r.jsx)(s.th,{children:"Containerd"}),(0,r.jsx)(s.th,{children:"Runc"}),(0,r.jsx)(s.th,{children:"Flannel"}),(0,r.jsx)(s.th,{children:"Metrics-server"}),(0,r.jsx)(s.th,{children:"Traefik"}),(0,r.jsx)(s.th,{children:"CoreDNS"}),(0,r.jsx)(s.th,{children:"Helm-controller"}),(0,r.jsx)(s.th,{children:"Local-path-provisioner"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.27.X#release-v12716k3s1",children:"v1.27.16+k3s1"})}),(0,r.jsx)(s.td,{children:"Jul 31 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v12716",children:"v1.27.16"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.11",children:"v0.11.11"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s2.27",children:"v1.7.17-k3s2.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.4",children:"v0.25.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.10",children:"v0.15.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.28",children:"v0.0.28"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.27.X#release-v12715k3s2",children:"v1.27.15+k3s2"})}),(0,r.jsx)(s.td,{children:"Jul 03 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v12715",children:"v1.27.15"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.9",children:"v0.11.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s2.27",children:"v1.7.17-k3s2.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.4",children:"v0.25.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.10",children:"v0.15.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.27",children:"v0.0.27"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.27.X#release-v12715k3s1",children:"v1.27.15+k3s1"})}),(0,r.jsx)(s.td,{children:"Jun 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v12715",children:"v1.27.15"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.9",children:"v0.11.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s2.27",children:"v1.7.17-k3s2.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.2",children:"v0.25.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.10",children:"v0.15.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.27",children:"v0.0.27"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.27.X#release-v12714k3s1",children:"v1.27.14+k3s1"})}),(0,r.jsx)(s.td,{children:"May 22 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v12714",children:"v1.27.14"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.7",children:"v0.11.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.15-k3s1.27",children:"v1.7.15-k3s1.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.27.X#release-v12713k3s1",children:"v1.27.13+k3s1"})}),(0,r.jsx)(s.td,{children:"Apr 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v12713",children:"v1.27.13"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.7",children:"v0.11.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.15-k3s1.27",children:"v1.7.15-k3s1.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.27.X#release-v12712k3s1",children:"v1.27.12+k3s1"})}),(0,r.jsx)(s.td,{children:"Mar 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v12712",children:"v1.27.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.4",children:"v0.11.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2.27",children:"v1.7.11-k3s2.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.27.X#release-v12711k3s1",children:"v1.27.11+k3s1"})}),(0,r.jsx)(s.td,{children:"Feb 29 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v12711",children:"v1.27.11"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.4",children:"v0.11.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2.27",children:"v1.7.11-k3s2.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.8",children:"v0.15.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.27.X#release-v12710k3s2",children:"v1.27.10+k3s2"})}),(0,r.jsx)(s.td,{children:"Feb 06 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v12710",children:"v1.27.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2.27",children:"v1.7.11-k3s2.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.8",children:"v0.15.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.27.X#release-v1279k3s1",children:"v1.27.9+k3s1"})}),(0,r.jsx)(s.td,{children:"Dec 27 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v1279",children:"v1.27.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2.27",children:"v1.7.11-k3s2.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.10",children:"v1.1.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.27.X#release-v1278k3s2",children:"v1.27.8+k3s2"})}),(0,r.jsx)(s.td,{children:"Dec 07 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v1278",children:"v1.27.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1.27",children:"v1.7.7-k3s1.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.27.X#release-v1277k3s2",children:"v1.27.7+k3s2"})}),(0,r.jsx)(s.td,{children:"Nov 08 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v1277",children:"v1.27.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1.27",children:"v1.7.7-k3s1.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.27.X#release-v1277k3s1",children:"v1.27.7+k3s1"})}),(0,r.jsx)(s.td,{children:"Oct 30 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v1277",children:"v1.27.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1.27",children:"v1.7.7-k3s1.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.27.X#release-v1276k3s1",children:"v1.27.6+k3s1"})}),(0,r.jsx)(s.td,{children:"Sep 20 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v1276",children:"v1.27.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.6-k3s1.27",children:"v1.7.6-k3s1.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.27.X#release-v1275k3s1",children:"v1.27.5+k3s1"})}),(0,r.jsx)(s.td,{children:"Sep 05 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v1275",children:"v1.27.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.2",children:"v0.10.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.3-k3s1",children:"v1.7.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.27.X#release-v1274k3s1",children:"v1.27.4+k3s1"})}),(0,r.jsx)(s.td,{children:"Jul 27 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v1274",children:"v1.27.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.7-k3s1",children:"v3.5.7-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.0",children:"v0.22.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.2",children:"v0.15.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.27.X#release-v1273k3s1",children:"v1.27.3+k3s1"})}),(0,r.jsx)(s.td,{children:"Jun 26 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v1273",children:"v1.27.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.7-k3s1",children:"v3.5.7-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.0",children:"v0.22.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.0",children:"v0.15.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.27.X#release-v1272k3s1",children:"v1.27.2+k3s1"})}),(0,r.jsx)(s.td,{children:"May 26 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v1272",children:"v1.27.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.7-k3s1",children:"v3.5.7-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.4",children:"v0.21.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.14.0",children:"v0.14.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.27.X#release-v1271k3s1",children:"v1.27.1+k3s1"})}),(0,r.jsx)(s.td,{children:"Apr 27 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v1271",children:"v1.27.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.7-k3s1",children:"v3.5.7-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.19-k3s1",children:"v1.6.19-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.5",children:"v1.1.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.4",children:"v0.21.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.3",children:"v0.13.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]})]})]}),"\n",(0,r.jsx)("br",{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12716k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.16+k3s1",children:"v1.27.16+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.16, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v12715",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12715k3s2",children:"Changes since v1.27.15+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-07 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10500",children:"(#10500)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump k3s-root to v0.14.0"}),"\n",(0,r.jsx)(s.li,{children:"Bump github.com/hashicorp/go-retryablehttp from 0.7.4 to 0.7.7"}),"\n",(0,r.jsx)(s.li,{children:"Bump Local Path Provisioner version"}),"\n",(0,r.jsx)(s.li,{children:"Ensure remotedialer kubelet connections use kubelet bind address"}),"\n",(0,r.jsx)(s.li,{children:"Chore: Bump Trivy version"}),"\n",(0,r.jsx)(s.li,{children:"Add etcd s3 config secret implementation"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["July Test Backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10510",children:"(#10510)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.27.16-k3s1 and Go 1.22.5 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10542",children:"(#10542)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issues loading data-dir value from env vars or dropping config files ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10599",children:"(#10599)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12715k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.15+k3s2",children:"v1.27.15+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.15, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v12715",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12715k3s1",children:"Changes since v1.27.15+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update flannel to v0.25.4 and fixed issue with IPv6 mask ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10429",children:"(#10429)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12715k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.15+k3s1",children:"v1.27.15+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.15, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v12714",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12714k3s1",children:"Changes since v1.27.14+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Replace deprecated ruby function ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10089",children:"(#10089)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix bug when using tailscale config by file ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10143",children:"(#10143)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump flannel version to v0.25.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10222",children:"(#10222)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router version to v2.1.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10183",children:"(#10183)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Improve tailscale test & add extra log in e2e tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10214",children:"(#10214)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-06 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10259",children:"(#10259)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Add WithSkipMissing to not fail import on missing blobs"}),"\n",(0,r.jsx)(s.li,{children:"Use fixed stream server bind address for cri-dockerd"}),"\n",(0,r.jsx)(s.li,{children:"Switch stargz over to cri registry config_path"}),"\n",(0,r.jsx)(s.li,{children:"Bump to containerd v1.7.17, etcd v3.5.13"}),"\n",(0,r.jsx)(s.li,{children:"Bump spegel version"}),"\n",(0,r.jsx)(s.li,{children:"Fix issue with externalTrafficPolicy: Local for single-stack services on dual-stack nodes"}),"\n",(0,r.jsxs)(s.li,{children:["ServiceLB now sets the priorityClassName on svclb pods to ",(0,r.jsx)(s.code,{children:"system-node-critical"})," by default. This can be overridden on a per-service basis via the ",(0,r.jsx)(s.code,{children:"svccontroller.k3s.cattle.io/priorityclassname"})," annotation."]}),"\n",(0,r.jsx)(s.li,{children:"Bump minio-go to v7.0.70"}),"\n",(0,r.jsx)(s.li,{children:"Bump kine to v0.11.9 to fix pagination"}),"\n",(0,r.jsx)(s.li,{children:"Update valid resolv conf"}),"\n",(0,r.jsx)(s.li,{children:"Add missing kernel config check"}),"\n",(0,r.jsx)(s.li,{children:"Symlinked sub-directories are now respected when scanning Auto-Deploying Manifests (AddOns)"}),"\n",(0,r.jsx)(s.li,{children:"Fix bug: allow helm controller set owner reference"}),"\n",(0,r.jsx)(s.li,{children:"Bump klipper-helm image for tls secret support"}),"\n",(0,r.jsx)(s.li,{children:"Fix issue with k3s-etcd informers not starting"}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--Enable-pprof"})," can now be set on agents to enable the debug/pprof endpoints. When set, agents will listen on the supervisor port."]}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--Supervisor-metrics"})," can now be set on servers to enable serving internal metrics on the supervisor endpoint; when set agents will listen on the supervisor port."]}),"\n",(0,r.jsx)(s.li,{children:"Fix netpol crash when node remains tainted uninitialized"}),"\n",(0,r.jsx)(s.li,{children:"The embedded load-balancer will now fall back to trying all servers with health-checks ignored, if all servers have been marked unavailable due to failed health checks."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["More backports for 2024-06 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10290",children:"(#10290)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add snapshot retention etcd-s3-folder fix ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10314",children:"(#10314)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add test for ",(0,r.jsx)(s.code,{children:"isValidResolvConf"})," (#10302) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10332",children:"(#10332)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix race condition panic in loadbalancer.nextServer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10324",children:"(#10324)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix typo, use ",(0,r.jsx)(s.code,{children:"rancher/permissions"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10297",children:"(#10297)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.27.15 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10346",children:"(#10346)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Update Kubernetes to v1.27.15"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix agent supervisor port using apiserver port instead ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10356",children:"(#10356)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue that allowed multiple simultaneous snapshots to be allowed ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10378",children:"(#10378)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12714k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.14+k3s1",children:"v1.27.14+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.14, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v12713",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12713k3s1",children:"Changes since v1.27.13+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Bump E2E opensuse leap to 15.6, fix btrfs test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10096",children:"(#10096)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Windows changes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10113",children:"(#10113)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.27.14-k3s1 and Go 1.21.9 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10103",children:"(#10103)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12713k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.13+k3s1",children:"v1.27.13+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.13, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v12712",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12712k3s1",children:"Changes since v1.27.12+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add a new error when kine is with disable apiserver or disable etcd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9803",children:"(#9803)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove old pinned dependencies ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9828",children:"(#9828)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Transition from deprecated pointer library to ptr ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9825",children:"(#9825)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Golang caching and E2E ubuntu 23.10 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9822",children:"(#9822)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add tls for kine ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9850",children:"(#9850)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump spegel to v0.0.20-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9881",children:"(#9881)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-04 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9912",children:"(#9912)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Send error response if member list cannot be retrieved"}),"\n",(0,r.jsx)(s.li,{children:"The k3s stub cloud provider now respects the kubelet's requested provider-id, instance type, and topology labels"}),"\n",(0,r.jsx)(s.li,{children:"Fix error when image has already been pulled"}),"\n",(0,r.jsx)(s.li,{children:"Add /etc/passwd and /etc/group to k3s docker image"}),"\n",(0,r.jsx)(s.li,{children:"Fix etcd snapshot reconcile for agentless servers"}),"\n",(0,r.jsx)(s.li,{children:"Add health-check support to loadbalancer"}),"\n",(0,r.jsx)(s.li,{children:"Add certificate expiry check, events, and metrics"}),"\n",(0,r.jsx)(s.li,{children:"Add workaround for containerd hosts.toml bug when passing config for default registry endpoint"}),"\n",(0,r.jsx)(s.li,{children:"Add supervisor cert/key to rotate list"}),"\n",(0,r.jsx)(s.li,{children:"The embedded containerd has been bumped to v1.7.15"}),"\n",(0,r.jsx)(s.li,{children:"The embedded cri-dockerd has been bumped to v0.3.12"}),"\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"k3s etcd-snapshot"})," command has been reworked for improved consistency. All snapshots operations are now performed by the server process, with the CLI acting as a client to initiate and report results. As a side effect, the CLI is now less noisy when managing snapshots."]}),"\n",(0,r.jsx)(s.li,{children:"Improve etcd load-balancer startup behavior"}),"\n",(0,r.jsx)(s.li,{children:"Actually fix agent certificate rotation"}),"\n",(0,r.jsx)(s.li,{children:"Traefik has been bumped to v2.10.7."}),"\n",(0,r.jsx)(s.li,{children:"Traefik pod annotations are now set properly in the default chart values."}),"\n",(0,r.jsx)(s.li,{children:"The system-default-registry value now supports RFC2732 IPv6 literals."}),"\n",(0,r.jsxs)(s.li,{children:["The local-path provisioner now defaults to creating ",(0,r.jsx)(s.code,{children:"local"})," volumes, instead of ",(0,r.jsx)(s.code,{children:"hostPath"}),"."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Allow LPP to read helper logs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9939",children:"(#9939)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router to v2.1.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9943",children:"(#9943)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.27.13-k3s1 and Go 1.21.9 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9958",children:"(#9958)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix on-demand snapshots timing out; not honoring folder ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9995",children:"(#9995)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Make /db/info available anonymously from localhost ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10003",children:"(#10003)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12712k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.12+k3s1",children:"v1.27.12+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.12, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v12711",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12711k3s1",children:"Changes since v1.27.11+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add an integration test for flannel-backend=none ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9609",children:"(#9609)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Install and Unit test backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9642",children:"(#9642)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update klipper-lb image version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9606",children:"(#9606)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Adjust first node-ip based on configured clusterCIDR ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9632",children:"(#9632)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Improve tailscale e2e test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9654",children:"(#9654)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-03 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9670",children:"(#9670)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fix: use correct wasm shims names"}),"\n",(0,r.jsx)(s.li,{children:"The embedded flannel cni-plugin binary is now built and versioned separate from the rest of the cni plugins and the embedded flannel controller."}),"\n",(0,r.jsx)(s.li,{children:"Bump spegel to v0.0.18-k3s3"}),"\n",(0,r.jsx)(s.li,{children:"Adds wildcard registry support"}),"\n",(0,r.jsx)(s.li,{children:"Fixes issue with excessive CPU utilization while waiting for containerd to start"}),"\n",(0,r.jsx)(s.li,{children:"Add env var to allow spegel mirroring of latest tag"}),"\n",(0,r.jsx)(s.li,{children:"Tweak netpol node wait logs"}),"\n",(0,r.jsx)(s.li,{children:"Fix coredns NodeHosts on dual-stack clusters"}),"\n",(0,r.jsx)(s.li,{children:"Bump helm-controller/klipper-helm versions"}),"\n",(0,r.jsx)(s.li,{children:"Fix snapshot prune"}),"\n",(0,r.jsx)(s.li,{children:"Fix issue with etcd node name missing hostname"}),"\n",(0,r.jsx)(s.li,{children:"Rootless mode should also bind service nodePort to host for LoadBalancer type, matching UX of rootful mode."}),"\n",(0,r.jsxs)(s.li,{children:["To enable raw output for the ",(0,r.jsx)(s.code,{children:"check-config"})," subcommand, you may now set NO_COLOR=1"]}),"\n",(0,r.jsx)(s.li,{children:"Fix additional corner cases in registries handling"}),"\n",(0,r.jsx)(s.li,{children:"Bump metrics-server to v0.7.0"}),"\n",(0,r.jsx)(s.li,{children:"K3s will now warn and suppress duplicate entries in the mirror endpoint list for a registry. Containerd does not support listing the same endpoint multiple times as a mirror for a single upstream registry."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Docker and E2E Test Backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9708",children:"(#9708)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix wildcard entry upstream fallback ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9734",children:"(#9734)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.27.12-k3s1 and Go 1.21.8 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9745",children:"(#9745)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12711k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.11+k3s1",children:"v1.27.11+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.11, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v12710",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12710k3s2",children:"Changes since v1.27.10+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Chore: bump Local Path Provisioner version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9427",children:"(#9427)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump cri-dockerd to fix compat with Docker Engine 25 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9291",children:"(#9291)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Auto Dependency Bump ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9420",children:"(#9420)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Runtimes refactor using exec.LookPath ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9430",children:"(#9430)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Directories containing runtimes need to be included in the $PATH environment variable for effective runtime detection."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Changed how lastHeartBeatTime works in the etcd condition ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9425",children:"(#9425)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow executors to define containerd and docker behavior ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9253",children:"(#9253)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kube-router to v2.0.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9405",children:"(#9405)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-02 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9463",children:"(#9463)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump flannel version + remove multiclustercidr ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9407",children:"(#9407)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Enable longer http timeout requests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9445",children:"(#9445)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Test_UnitApplyContainerdQoSClassConfigFileIfPresent ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9441",children:"(#9441)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Support PR testing installs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9470",children:"(#9470)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.27.11 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9491",children:"(#9491)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix drone publish for arm ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9509",children:"(#9509)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove failing Drone step ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9515",children:"(#9515)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Restore original order of agent startup functions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9546",children:"(#9546)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix netpol startup when flannel is disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9579",children:"(#9579)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12710k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.10+k3s2",children:"v1.27.10+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.10, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v1279",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.p,{children:(0,r.jsx)(s.strong,{children:"Important Notes"})}),"\n",(0,r.jsxs)(s.p,{children:["Addresses the runc CVE: ",(0,r.jsx)(s.a,{href:"https://nvd.nist.gov/vuln/detail/CVE-2024-21626",children:"CVE-2024-21626"})," by updating runc to v1.1.12."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1279k3s1",children:"Changes since v1.27.9+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add a retry around updating a secrets-encrypt node annotations ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9124",children:"(#9124)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added support for env *_PROXY variables for agent loadbalancer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9117",children:"(#9117)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Wait for taint to be gone in the node before starting the netpol controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9176",children:"(#9176)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Etcd condition ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9182",children:"(#9182)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-01 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9211",children:"(#9211)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Move proxy dialer out of init() and fix crash ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9220",children:"(#9220)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Pin opa version for missing dependency chain ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9217",children:"(#9217)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Etcd node is nil ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9229",children:"(#9229)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.27.10 and Go 1.20.13 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9261",children:"(#9261)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use ",(0,r.jsx)(s.code,{children:"ipFamilyPolicy: RequireDualStack"})," for dual-stack kube-dns ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9270",children:"(#9270)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-01 k3s2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9337",children:"(#9337)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump runc to v1.1.12 and helm-controller to v0.15.7"}),"\n",(0,r.jsx)(s.li,{children:"Fix handling of bare hostname or IP as endpoint address in registries.yaml"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump helm-controller to fix issue with ChartContent ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9347",children:"(#9347)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1279k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.9+k3s1",children:"v1.27.9+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.9, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v1278",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1278k3s2",children:"Changes since v1.27.8+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Bump containerd/runc to v1.7.10-k3s1/v1.1.10 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8963",children:"(#8963)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix overlapping address range ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9018",children:"(#9018)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Runtimes backport ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9013",children:"(#9013)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Added runtime classes for wasm/nvidia/crun"}),"\n",(0,r.jsx)(s.li,{children:"Added default runtime flag for containerd"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd to v1.7.11 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9041",children:"(#9041)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.27.9-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9078",children:"(#9078)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1278k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.8+k3s2",children:"v1.27.8+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.8, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v1277",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1277k3s2",children:"Changes since v1.27.7+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Etcd status condition ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8821",children:"(#8821)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add warning for removal of multiclustercidr flag ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8759",children:"(#8759)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2023-11 release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8878",children:"(#8878)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["New timezone info in Docker image allows the use of ",(0,r.jsx)(s.code,{children:"spec.timeZone"})," in CronJobs"]}),"\n",(0,r.jsx)(s.li,{children:"Bumped kine to v0.11.0 to resolve issues with postgres and NATS, fix performance of watch channels under heavy load, and improve compatibility with the reference implementation."}),"\n",(0,r.jsxs)(s.li,{children:["Containerd may now be configured to use rdt or blockio configuration by defining ",(0,r.jsx)(s.code,{children:"rdt_config.yaml"})," or ",(0,r.jsx)(s.code,{children:"blockio_config.yaml"})," files."]}),"\n",(0,r.jsx)(s.li,{children:"Add agent flag disable-apiserver-lb, agent will not start load balance proxy."}),"\n",(0,r.jsx)(s.li,{children:"Improved ingress IP ordering from ServiceLB"}),"\n",(0,r.jsx)(s.li,{children:"Disable helm CRD installation for disable-helm-controller"}),"\n",(0,r.jsx)(s.li,{children:"Omit snapshot list configmap entries for snapshots without extra metadata"}),"\n",(0,r.jsx)(s.li,{children:"Add jitter to client config retry to avoid hammering servers when they are starting up"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Handle nil pointer when runtime core is not ready in etcd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8887",children:"(#8887)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Improve dualStack log ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8828",children:"(#8828)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump dynamiclistener; reduce snapshot controller log spew ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8902",children:"(#8902)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bumped dynamiclistener to address a race condition that could cause a server to fail to sync its certificates into the Kubernetes secret"}),"\n",(0,r.jsx)(s.li,{children:"Reduced etcd snapshot log spam during initial cluster startup"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Remove depends_on for e2e step; fix cert rotate e2e ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8907",children:"(#8907)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix etcd snapshot S3 issues ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8937",children:"(#8937)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Don't apply S3 retention if S3 client failed to initialize"}),"\n",(0,r.jsx)(s.li,{children:"Don't request metadata when listing S3 snapshots"}),"\n",(0,r.jsx)(s.li,{children:"Print key instead of file path in snapshot metadata log message"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.27.8 and Go to 1.20.11 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8921",children:"(#8921)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove s390x ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8999",children:"(#8999)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1277k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.7+k3s2",children:"v1.27.7+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.7, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v1277",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1277k3s1",children:"Changes since v1.27.7+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix SystemdCgroup in templates_linux.go ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8765",children:"(#8765)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed an issue with identifying additional container runtimes"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update traefik chart to v25.0.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8775",children:"(#8775)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update traefik to fix registry value ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8789",children:"(#8789)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1277k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.7+k3s1",children:"v1.27.7+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.7, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v1276",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1276k3s1",children:"Changes since v1.27.6+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix error reporting ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8411",children:"(#8411)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add context to flannel errors ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8419",children:"(#8419)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Include the interface name in the error message ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8435",children:"(#8435)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8443",children:"(#8443)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add extraArgs to tailscale ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8464",children:"(#8464)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added error when cluster reset while using server flag ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8455",children:"(#8455)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The user will receive a error when --cluster-reset with the --server flag"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Cluster reset from non bootstrap nodes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8451",children:"(#8451)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Take IPFamily precedence based on order ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8504",children:"(#8504)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix spellcheck problem ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8509",children:"(#8509)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Network defaults are duplicated, remove one ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8551",children:"(#8551)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Advertise address integration test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8516",children:"(#8516)"})]}),"\n",(0,r.jsxs)(s.li,{children:["System agent push tags fix ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8569",children:"(#8569)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fixed tailscale node IP dualstack mode in case of IPv4 only node ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8558",children:"(#8558)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Server Token Rotation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8576",children:"(#8576)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Users can now rotate the server token using ",(0,r.jsx)(s.code,{children:"k3s token rotate -t <OLD_TOKEN> --new-token <NEW_TOKEN>"}),". After command succeeds, all server nodes must be restarted with the new token."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["E2E Domain Drone Cleanup ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8582",children:"(#8582)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Clear remove annotations on cluster reset ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8587",children:"(#8587)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed an issue that could cause k3s to attempt to remove members from the etcd cluster immediately following a cluster-reset/restore, if they were queued for removal at the time the snapshot was taken."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Use IPv6 in case is the first configured IP with dualstack ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8597",children:"(#8597)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2023-10 release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8615",children:"(#8615)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router package in build script ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8634",children:"(#8634)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add etcd-only/control-plane-only server test and fix control-plane-only server crash ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8642",children:"(#8642)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use ",(0,r.jsx)(s.code,{children:"version.Program"})," not K3s in token rotate logs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8656",children:"(#8656)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Windows agent support ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8650",children:"(#8650)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix CloudDualStackNodeIPs feature-gate inconsistency ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8669",children:"(#8669)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add --image-service-endpoint flag (#8279) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8662",children:"(#8662)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add ",(0,r.jsx)(s.code,{children:"--image-service-endpoint"})," flag to specify an external image service socket."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Backport etcd fixes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8690",children:"(#8690)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Re-enable etcd endpoint auto-sync"}),"\n",(0,r.jsx)(s.li,{children:"Manually requeue configmap reconcile when no nodes have reconciled snapshots"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.27.7 and Go to v1.20.10 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8681",children:"(#8681)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix s3 snapshot restore ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8733",children:"(#8733)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1276k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.6+k3s1",children:"v1.27.6+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.6, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v1275",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1275k3s1",children:"Changes since v1.27.5+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Bump kine to v0.10.3 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8324",children:"(#8324)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.27.6 and Go to 1.20.8 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8356",children:"(#8356)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump embedded containerd to v1.7.6"}),"\n",(0,r.jsx)(s.li,{children:"Bump embedded stargz-snapshotter plugin to latest"}),"\n",(0,r.jsx)(s.li,{children:"Fixed intermittent drone CI failures due to race conditions in test environment setup scripts"}),"\n",(0,r.jsx)(s.li,{children:"Fixed CI failures due to changes to api discovery changes in Kubernetes 1.28"}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1275k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.5+k3s1",children:"v1.27.5+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.5, and fixes a number of issues."}),"\n",(0,r.jsx)(s.admonition,{title:"Important",type:"warning",children:(0,r.jsxs)(s.p,{children:["This release includes support for remediating CVE-2023-32187, a potential Denial of Service attack vector on K3s servers. See ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2",children:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2"})," for more information, including mandatory steps necessary to harden clusters against this vulnerability."]})}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v1274",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1274k3s1",children:"Changes since v1.27.4+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update cni plugins version to v1.3.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8056",children:"(#8056)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Upgraded cni-plugins to v1.3.0"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update flannel to v0.22.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8057",children:"(#8057)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Update flannel to v0.22.1"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["ADR on secrets encryption v3 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7938",children:"(#7938)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Unit test for MustFindString ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8013",children:"(#8013)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add support for using base template in etc/containerd/config.toml.tmpl ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7991",children:"(#7991)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["User-provided containerd config templates may now use ",(0,r.jsx)(s.code,{children:'{{ template "base" . }}'})," to include the default K3s template content. This makes it easier to maintain user configuration if the only need is to add additional sections to the file."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Make apiserver egress args conditional on egress-selector-mode ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7972",children:"(#7972)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["K3s no longer enables the apiserver's ",(0,r.jsx)(s.code,{children:"enable-aggregator-routing"})," flag when the egress proxy is not being used to route connections to in-cluster endpoints."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Security bump to ",(0,r.jsx)(s.code,{children:"docker/distribution"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8047",children:"(#8047)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix coreos multiple installs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8083",children:"(#8083)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update stable channel to v1.27.4+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8067",children:"(#8067)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix tailscale bug with ip modes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8077",children:"(#8077)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Consolidate CopyFile functions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8079",children:"(#8079)"})]}),"\n",(0,r.jsxs)(s.li,{children:["E2E: Support GOCOVER for more tests + fixes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8080",children:"(#8080)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix typo in terraform/README.md ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8090",children:"(#8090)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add FilterCN function to prevent SAN Stuffing ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8085",children:"(#8085)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"K3s's external apiserver listener now declines to add to its certificate any subject names not associated with the kubernetes apiserver service, server nodes, or values of the --tls-san option. This prevents the certificate's SAN list from being filled with unwanted entries."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump docker/docker to master commit; cri-dockerd to 0.3.4 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8092",children:"(#8092)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump docker/docker module version to fix issues with cri-dockerd caused by recent releases of golang rejecting invalid host headers sent by the docker client."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump versions for etcd, containerd, runc ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8109",children:"(#8109)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Updated the embedded containerd to v1.7.3+k3s1"}),"\n",(0,r.jsx)(s.li,{children:"Updated the embedded runc to v1.1.8"}),"\n",(0,r.jsx)(s.li,{children:"Updated the embedded etcd to v3.5.9+k3s1"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Etcd snapshots retention when node name changes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8099",children:"(#8099)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump kine to v0.10.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8125",children:"(#8125)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Updated kine to v0.10.2"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Remove terraform package ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8136",children:"(#8136)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix etcd-snapshot delete when etcd-s3 is true ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8110",children:"(#8110)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add --disable-cloud-controller and --disable-kube-proxy test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8018",children:"(#8018)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use ",(0,r.jsx)(s.code,{children:"go list -m"})," instead of grep to look up versions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8138",children:"(#8138)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use VERSION_K8S in tests instead of grep go.mod ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8147",children:"(#8147)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix for Kubeflag Integration test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8154",children:"(#8154)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix for cluster-reset backup from s3 when etcd snapshots are disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8155",children:"(#8155)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Run integration test CI in parallel ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8156",children:"(#8156)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8150",children:"(#8150)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8178",children:"(#8178)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fixed the etcd retention to delete orphaned snapshots based on the date ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8177",children:"(#8177)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump dynamiclistener ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8193",children:"(#8193)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bumped dynamiclistener to address an issue that could cause the apiserver/supervisor listener on 6443 to stop serving requests on etcd-only nodes."}),"\n",(0,r.jsx)(s.li,{children:"The K3s external apiserver/supervisor listener on 6443 now sends a complete certificate chain in the TLS handshake."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump helm-controller/klipper-helm versions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8204",children:"(#8204)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The version of ",(0,r.jsx)(s.code,{children:"helm"})," used by the bundled helm controller's job image has been updated to v3.12.3"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["E2E: Add test for ",(0,r.jsx)(s.code,{children:"k3s token"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8184",children:"(#8184)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Move flannel to 0.22.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8219",children:"(#8219)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Move flannel to v0.22.2"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.27.5 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8236",children:"(#8236)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add new CLI flag to enable TLS SAN CN filtering ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8257",children:"(#8257)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Added a new ",(0,r.jsx)(s.code,{children:"--tls-san-security"})," option. This flag defaults to false, but can be set to true to disable automatically adding SANs to the server's TLS certificate to satisfy any hostname requested by a client."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add RWMutex to address controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8273",children:"(#8273)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1274k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.4+k3s1",children:"v1.27.4+k3s1"})]}),"\n",(0,r.jsxs)(s.p,{children:["This release updates Kubernetes to v1.27.4, and fixes a number of issues.",(0,r.jsx)(s.br,{}),"\n","\u200b\r\nFor more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v1273",children:"Kubernetes release notes"}),".\r\n\u200b"]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1273k3s1",children:"Changes since v1.27.3+k3s1:"}),"\n",(0,r.jsx)(s.p,{children:"\u200b"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Pkg imported more than once ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7803",children:"(#7803)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Faster K3s Binary Build Option ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7805",children:"(#7805)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update stable channel to v1.27.3+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7827",children:"(#7827)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Adding cli to custom klipper helm image ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7682",children:"(#7682)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The default helm-controller job image can now be overridden with the --helm-job-image CLI flag"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Check if we are on ipv4, ipv6 or dualStack when doing tailscale ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7838",children:"(#7838)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove file_windows.go ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7845",children:"(#7845)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add a k3s data directory location specified by the cli ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7791",children:"(#7791)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix e2e startup flaky test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7839",children:"(#7839)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow k3s to customize apiServerPort on helm-controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7834",children:"(#7834)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fall back to basic/bearer auth when node identity auth is rejected ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7836",children:"(#7836)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Resolved an issue that caused agents joined with kubeadm-style bootstrap tokens to fail to rejoin the cluster when their node object is deleted."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix code spell check ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7858",children:"(#7858)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add e2e s3 test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7833",children:"(#7833)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Warn that v1.28 will deprecate reencrypt/prepare ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7848",children:"(#7848)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Support setting control server URL for Tailscale ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7807",children:"(#7807)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Support connecting tailscale to a separate server (e.g. headscale)"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Improve for K3s release Docs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7864",children:"(#7864)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix rootless node password location ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7887",children:"(#7887)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump google.golang.org/grpc from 1.51.0 to 1.53.0 in /tests/terraform ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7879",children:"(#7879)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add retry for clone step ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7862",children:"(#7862)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Generation of certificates and keys for etcd gated if etcd is disabled. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6998",children:"(#6998)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Don't use zgrep in ",(0,r.jsx)(s.code,{children:"check-config"})," if apparmor profile is enforced ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7939",children:"(#7939)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix image_scan.sh script and download trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7950",children:"(#7950)"})]}),"\n",(0,r.jsxs)(s.li,{children:['Revert "Warn that v1.28 will deprecate reencrypt/prepare" ',(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7977",children:"(#7977)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Adjust default kubeconfig file permissions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7978",children:"(#7978)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix update go version command on release documentation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8028",children:"(#8028)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.27.4 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8014",children:"(#8014)"}),"\r\n\u200b"]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1273k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.3+k3s1",children:"v1.27.3+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.3, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v1272",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1272k3s1",children:"Changes since v1.27.2+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update flannel version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7628",children:"(#7628)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Update flannel to v0.22.0"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add el9 selinux rpm ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7635",children:"(#7635)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update channels ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7634",children:"(#7634)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow coredns override extensions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7583",children:"(#7583)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"coredns-custom"})," ConfigMap now allows for ",(0,r.jsx)(s.code,{children:"*.override"})," sections to be included in the ",(0,r.jsx)(s.code,{children:".:53"})," default server block."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump klipper-lb to v0.4.4 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7617",children:"(#7617)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bumped klipper-lb image to v0.4.4 to resolve an issue that prevented access to ServiceLB ports from localhost when the Service ExternalTrafficPolicy was set to Local."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump metrics-server to v0.6.3 and update tls-cipher-suites ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7564",children:"(#7564)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The bundled metrics-server has been bumped to v0.6.3, and now uses only secure TLS ciphers by default."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Do not use the admin kubeconfig for the supervisor and core controllers ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7616",children:"(#7616)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The K3s core controllers (supervisor, deploy, and helm) no longer use the admin kubeconfig. This makes it easier to determine from access and audit logs which actions are performed by the system, and which are performed by an administrative user."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump golang",":alpine"," image version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7619",children:"(#7619)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Make LB image configurable when compiling k3s ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7626",children:"(#7626)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump vagrant libvirt with fix for plugin installs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7605",children:"(#7605)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add format command on Makefile ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7437",children:"(#7437)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use el8 rpm for fedora 38 and 39 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7664",children:"(#7664)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Check variant before version to decide rpm target and packager closes #7666 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7667",children:"(#7667)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Test Coverage Reports for E2E tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7526",children:"(#7526)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Soft-fail on node password verification if the secret cannot be created ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7655",children:"(#7655)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"K3s now allows nodes to join the cluster even if the node password secret cannot be created at the time the node joins. The secret create will be retried in the background. This resolves a potential deadlock created by fail-closed validating webhooks that block secret creation, where the webhook is unavailable until new nodes join the cluster to run the webhook pod."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Enable containerd aufs/devmapper/zfs snapshotter plugins ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7661",children:"(#7661)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The bundled containerd's aufs/devmapper/zfs snapshotter plugins have been restored. These were unintentionally omitted when moving containerd back into the k3s multicall binary in the previous release."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump docker go.mod ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7681",children:"(#7681)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Shortcircuit commands with version or help flags ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7683",children:"(#7683)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Non root users can now call ",(0,r.jsx)(s.code,{children:"k3s --help"})," and ",(0,r.jsx)(s.code,{children:"k3s --version"})," commands without running into permission errors over the default config file."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7672",children:"(#7672)"})]}),"\n",(0,r.jsxs)(s.li,{children:["E2E: Capture coverage of K3s subcommands ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7686",children:"(#7686)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Integrate tailscale into k3s ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7352",children:"(#7352)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Integration of tailscale VPN into k3s"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add private registry e2e test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7653",children:"(#7653)"})]}),"\n",(0,r.jsxs)(s.li,{children:["E2E: Remove unnecessary daemonset addition/deletion ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7696",children:"(#7696)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add issue template for OS validation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7695",children:"(#7695)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix spelling check ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7740",children:"(#7740)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove useless libvirt config ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7745",children:"(#7745)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump helm-controller to v0.15.0 for create-namespace support ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7716",children:"(#7716)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded helm controller has been bumped to v0.15.0, and now supports creating the chart's target namespace if it does not exist."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix error logging in tailscale ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7776",children:"(#7776)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add commands to remove advertised routes of tailscale in k3s-killall.sh ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7777",children:"(#7777)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.27.3 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7790",children:"(#7790)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1272k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.2+k3s1",children:"v1.27.2+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.2, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v1271",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1271k3s1",children:"Changes since v1.27.1+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Ensure that klog verbosity is set to the same level as logrus ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7303",children:"(#7303)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Create CRDs with schema ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7308",children:"(#7308)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed an issue where Addon, HelmChart, and HelmChartConfig CRDs were created without structural schema, allowing the creation of custom resources of these types with invalid content."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump k3s-root for aarch64 page size fix ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7364",children:"(#7364)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"K3s once again supports aarch64 nodes with page size > 4k"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Runc and Containerd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7339",children:"(#7339)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add integration tests for etc-snapshot server flags and refactor /tests/integration/integration.go/K3sStartServer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7300",children:"(#7300)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump traefik to v2.9.10 / chart 21.2.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7324",children:"(#7324)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The packaged Traefik version has been bumped to v2.9.10 / chart 21.2.0"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add longhorn storage test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6445",children:"(#6445)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Improve error message when CLI wrapper Exec fails ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7373",children:"(#7373)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["K3s now prints a more meaningful error when attempting to run from a filesystem mounted ",(0,r.jsx)(s.code,{children:"noexec"}),"."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issues with ",(0,r.jsx)(s.code,{children:"--disable-agent"})," and ",(0,r.jsx)(s.code,{children:"--egress-selector-mode=pod|cluster"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7331",children:"(#7331)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Servers started with the (experimental) --disable-agent flag no longer attempt to run the tunnel authorizer agent component."}),"\n",(0,r.jsx)(s.li,{children:"Fixed an regression that prevented the pod and cluster egress-selector modes from working properly."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:['Retry cluster join on "too many learners" error ',(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7351",children:"(#7351)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:'K3s now retries the cluster join operation when receiving a "too many learners" error from etcd. This most frequently occurred when attempting to add multiple servers at the same time.'}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix MemberList error handling and incorrect etcd-arg passthrough ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7371",children:"(#7371)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"K3s now correctly passes through etcd-args to the temporary etcd that is used to extract cluster bootstrap data when restarting managed etcd nodes."}),"\n",(0,r.jsx)(s.li,{children:"K3s now properly handles errors obtaining the current etcd cluster member list when a new server is joining the managed etcd cluster."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7383",children:"(#7383)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Handle multiple arguments with StringSlice flags ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7380",children:"(#7380)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add v1.27 channel ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7387",children:"(#7387)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Enable FindString to search dotD config files ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7323",children:"(#7323)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Migrate netutil methods into /util/net.go ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7422",children:"(#7422)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Local-storage: Fix permission ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7217",children:"(#7217)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump cni plugins to v1.2.0-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7425",children:"(#7425)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The bundled CNI plugins have been upgraded to v1.2.0-k3s1. The bandwidth and firewall plugins are now included in the bundle."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add dependabot label and reviewer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7423",children:"(#7423)"})]}),"\n",(0,r.jsxs)(s.li,{children:["E2E: Startup test cleanup + RunCommand Enhancement ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7388",children:"(#7388)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fail to validate server tokens that use bootstrap id/secret format ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7389",children:"(#7389)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["K3s now exits with a proper error message when the server token uses a bootstrap token ",(0,r.jsx)(s.code,{children:"id.secret"})," format."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix token startup test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7442",children:"(#7442)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump kine to v0.10.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7414",children:"(#7414)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The embedded kine version has been bumped to v0.10.1. This replaces the legacy ",(0,r.jsx)(s.code,{children:"lib/pq"})," postgres driver with ",(0,r.jsx)(s.code,{children:"pgx"}),"."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add kube-* server flags integration tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7416",children:"(#7416)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add support for ",(0,r.jsx)(s.code,{children:"-cover"})," + integration test code coverage ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7415",children:"(#7415)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump kube-router version to fix a bug when a port name is used ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7454",children:"(#7454)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Consistently use constant-time comparison of password hashes instead of bare password strings ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7455",children:"(#7455)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd to v1.7.0 and move back into multicall binary ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7418",children:"(#7418)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The embedded containerd version has been bumped to ",(0,r.jsx)(s.code,{children:"v1.7.0-k3s1"}),", and has been reintegrated into the main k3s binary for a significant savings in release artifact size."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Adding PITS and Getdeck Beiboot as adopters thanks to Schille and Miw\u2026 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7524",children:"(#7524)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump helm-controller version for repo auth/ca support ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7525",children:"(#7525)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded Helm controller now supports authenticating to chart repositories via credentials stored in a Secret, as well as passing repo CAs via ConfigMap."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd/runc to v1.7.1-k3s1/v1.1.7 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7533",children:"(#7533)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The bundled containerd and runc versions have been bumped to v1.7.1-k3s1/v1.1.7"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Wrap error stating that it is coming from netpol ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7539",children:"(#7539)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add Rotation certification Check, remove func to restart agents ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7097",children:"(#7097)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump alpine from 3.17 to 3.18 in /package ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7550",children:"(#7550)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump alpine from 3.17 to 3.18 in /conformance ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7551",children:"(#7551)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add '-all' flag to apply to inactive systemd units ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7567",children:"(#7567)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.27.2-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7575",children:"(#7575)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix iptables rules clean during upgrade ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7591",children:"(#7591)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Pin emicklei/go-restful to v3.9.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7597",children:"(#7597)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add el9 selinux rpm ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7443",children:"(#7443)"})]}),"\n",(0,r.jsxs)(s.li,{children:['Revert "Add el9 selinux rpm (#7443)" ',(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7608",children:"(#7608)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1271k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.1+k3s1",children:"v1.27.1+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release is K3S's first in the v1.27 line. This release updates Kubernetes to v1.27.1."}),"\n",(0,r.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1264k3s1",children:"Changes since v1.26.4+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Kubernetes 1.27.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7271",children:"(#7271)"})]}),"\n",(0,r.jsxs)(s.li,{children:["V1.27.1 CLI Deprecation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7311",children:"(#7311)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--flannel-backed=wireguard"})," has been completely replaced with ",(0,r.jsx)(s.code,{children:"--flannel-backend=wireguard-native"})]}),"\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"k3s etcd-snapshot"})," command will now print a help message, to save a snapshot use: ",(0,r.jsx)(s.code,{children:"k3s etcd-snapshot save"})]}),"\n",(0,r.jsxs)(s.li,{children:["The following flags will now cause fatal errors (with full removal coming in v1.28.0):","\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--flannel-backed=ipsec"}),": replaced with ",(0,r.jsx)(s.code,{children:"--flannel-backend=wireguard-native"})," ",(0,r.jsx)(s.a,{href:"https://docs.k3s.io/installation/network-options#migrating-from-wireguard-or-ipsec-to-wireguard-native",children:"see docs for more info."})]}),"\n",(0,r.jsxs)(s.li,{children:["Supplying multiple ",(0,r.jsx)(s.code,{children:"--flannel-backend"})," values is no longer valid. Use ",(0,r.jsx)(s.code,{children:"--flannel-conf"})," instead."]}),"\n"]}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Changed command -v redirection for iptables bin check ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7315",children:"(#7315)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update channel server for april 2023 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7327",children:"(#7327)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump cri-dockerd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7347",children:"(#7347)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Cleanup help messages ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7369",children:"(#7369)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{})]})}function o(e={}){const{wrapper:s}={...(0,n.a)(),...e.components};return s?(0,r.jsx)(s,{...e,children:(0,r.jsx)(a,{...e})}):a(e)}},1151:(e,s,i)=>{i.d(s,{Z:()=>h,a:()=>l});var r=i(7294);const n={},t=r.createContext(n);function l(e){const s=r.useContext(t);return r.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function h(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:l(e.components),r.createElement(t.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/dd22e55f.63ddd683.js b/assets/js/dd22e55f.63ddd683.js new file mode 100644 index 000000000..61ba0e688 --- /dev/null +++ b/assets/js/dd22e55f.63ddd683.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[5668],{4840:(e,s,i)=>{i.r(s),i.d(s,{assets:()=>c,contentTitle:()=>l,default:()=>o,frontMatter:()=>t,metadata:()=>h,toc:()=>d});var r=i(5893),n=i(1151);const t={hide_table_of_contents:!0,sidebar_position:4},l="v1.27.X",h={id:"release-notes/v1.27.X",title:"v1.27.X",description:"Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.",source:"@site/docs/release-notes/v1.27.X.md",sourceDirName:"release-notes",slug:"/release-notes/v1.27.X",permalink:"/release-notes/v1.27.X",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/release-notes/v1.27.X.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,sidebarPosition:4,frontMatter:{hide_table_of_contents:!0,sidebar_position:4},sidebar:"mySidebar",previous:{title:"v1.28.X",permalink:"/release-notes/v1.28.X"},next:{title:"v1.26.X",permalink:"/release-notes/v1.26.X"}},c={},d=[{value:"Release v1.27.16+k3s1",id:"release-v12716k3s1",level:2},{value:"Changes since v1.27.15+k3s2:",id:"changes-since-v12715k3s2",level:3},{value:"Release v1.27.15+k3s2",id:"release-v12715k3s2",level:2},{value:"Changes since v1.27.15+k3s1:",id:"changes-since-v12715k3s1",level:3},{value:"Release v1.27.15+k3s1",id:"release-v12715k3s1",level:2},{value:"Changes since v1.27.14+k3s1:",id:"changes-since-v12714k3s1",level:3},{value:"Release v1.27.14+k3s1",id:"release-v12714k3s1",level:2},{value:"Changes since v1.27.13+k3s1:",id:"changes-since-v12713k3s1",level:3},{value:"Release v1.27.13+k3s1",id:"release-v12713k3s1",level:2},{value:"Changes since v1.27.12+k3s1:",id:"changes-since-v12712k3s1",level:3},{value:"Release v1.27.12+k3s1",id:"release-v12712k3s1",level:2},{value:"Changes since v1.27.11+k3s1:",id:"changes-since-v12711k3s1",level:3},{value:"Release v1.27.11+k3s1",id:"release-v12711k3s1",level:2},{value:"Changes since v1.27.10+k3s2:",id:"changes-since-v12710k3s2",level:3},{value:"Release v1.27.10+k3s2",id:"release-v12710k3s2",level:2},{value:"Changes since v1.27.9+k3s1:",id:"changes-since-v1279k3s1",level:3},{value:"Release v1.27.9+k3s1",id:"release-v1279k3s1",level:2},{value:"Changes since v1.27.8+k3s2:",id:"changes-since-v1278k3s2",level:3},{value:"Release v1.27.8+k3s2",id:"release-v1278k3s2",level:2},{value:"Changes since v1.27.7+k3s2:",id:"changes-since-v1277k3s2",level:3},{value:"Release v1.27.7+k3s2",id:"release-v1277k3s2",level:2},{value:"Changes since v1.27.7+k3s1:",id:"changes-since-v1277k3s1",level:3},{value:"Release v1.27.7+k3s1",id:"release-v1277k3s1",level:2},{value:"Changes since v1.27.6+k3s1:",id:"changes-since-v1276k3s1",level:3},{value:"Release v1.27.6+k3s1",id:"release-v1276k3s1",level:2},{value:"Changes since v1.27.5+k3s1:",id:"changes-since-v1275k3s1",level:3},{value:"Release v1.27.5+k3s1",id:"release-v1275k3s1",level:2},{value:"Changes since v1.27.4+k3s1:",id:"changes-since-v1274k3s1",level:3},{value:"Release v1.27.4+k3s1",id:"release-v1274k3s1",level:2},{value:"Changes since v1.27.3+k3s1:",id:"changes-since-v1273k3s1",level:3},{value:"Release v1.27.3+k3s1",id:"release-v1273k3s1",level:2},{value:"Changes since v1.27.2+k3s1:",id:"changes-since-v1272k3s1",level:3},{value:"Release v1.27.2+k3s1",id:"release-v1272k3s1",level:2},{value:"Changes since v1.27.1+k3s1:",id:"changes-since-v1271k3s1",level:3},{value:"Release v1.27.1+k3s1",id:"release-v1271k3s1",level:2},{value:"Changes since v1.26.4+k3s1:",id:"changes-since-v1264k3s1",level:3}];function a(e){const s={a:"a",admonition:"admonition",br:"br",code:"code",h1:"h1",h2:"h2",h3:"h3",header:"header",hr:"hr",li:"li",p:"p",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,n.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(s.header,{children:(0,r.jsx)(s.h1,{id:"v127x",children:"v1.27.X"})}),"\n",(0,r.jsx)(s.admonition,{title:"Upgrade Notice",type:"warning",children:(0,r.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]})}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Version"}),(0,r.jsx)(s.th,{children:"Release date"}),(0,r.jsx)(s.th,{children:"Kubernetes"}),(0,r.jsx)(s.th,{children:"Kine"}),(0,r.jsx)(s.th,{children:"SQLite"}),(0,r.jsx)(s.th,{children:"Etcd"}),(0,r.jsx)(s.th,{children:"Containerd"}),(0,r.jsx)(s.th,{children:"Runc"}),(0,r.jsx)(s.th,{children:"Flannel"}),(0,r.jsx)(s.th,{children:"Metrics-server"}),(0,r.jsx)(s.th,{children:"Traefik"}),(0,r.jsx)(s.th,{children:"CoreDNS"}),(0,r.jsx)(s.th,{children:"Helm-controller"}),(0,r.jsx)(s.th,{children:"Local-path-provisioner"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.27.X#release-v12716k3s1",children:"v1.27.16+k3s1"})}),(0,r.jsx)(s.td,{children:"Jul 31 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v12716",children:"v1.27.16"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.11",children:"v0.11.11"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s2.27",children:"v1.7.17-k3s2.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.4",children:"v0.25.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.10",children:"v0.15.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.28",children:"v0.0.28"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.27.X#release-v12715k3s2",children:"v1.27.15+k3s2"})}),(0,r.jsx)(s.td,{children:"Jul 03 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v12715",children:"v1.27.15"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.9",children:"v0.11.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s2.27",children:"v1.7.17-k3s2.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.4",children:"v0.25.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.10",children:"v0.15.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.27",children:"v0.0.27"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.27.X#release-v12715k3s1",children:"v1.27.15+k3s1"})}),(0,r.jsx)(s.td,{children:"Jun 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v12715",children:"v1.27.15"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.9",children:"v0.11.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s2.27",children:"v1.7.17-k3s2.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.2",children:"v0.25.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.10",children:"v0.15.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.27",children:"v0.0.27"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.27.X#release-v12714k3s1",children:"v1.27.14+k3s1"})}),(0,r.jsx)(s.td,{children:"May 22 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v12714",children:"v1.27.14"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.7",children:"v0.11.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.15-k3s1.27",children:"v1.7.15-k3s1.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.27.X#release-v12713k3s1",children:"v1.27.13+k3s1"})}),(0,r.jsx)(s.td,{children:"Apr 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v12713",children:"v1.27.13"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.7",children:"v0.11.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.15-k3s1.27",children:"v1.7.15-k3s1.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.27.X#release-v12712k3s1",children:"v1.27.12+k3s1"})}),(0,r.jsx)(s.td,{children:"Mar 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v12712",children:"v1.27.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.4",children:"v0.11.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2.27",children:"v1.7.11-k3s2.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.27.X#release-v12711k3s1",children:"v1.27.11+k3s1"})}),(0,r.jsx)(s.td,{children:"Feb 29 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v12711",children:"v1.27.11"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.4",children:"v0.11.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2.27",children:"v1.7.11-k3s2.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.8",children:"v0.15.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.27.X#release-v12710k3s2",children:"v1.27.10+k3s2"})}),(0,r.jsx)(s.td,{children:"Feb 06 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v12710",children:"v1.27.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2.27",children:"v1.7.11-k3s2.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.8",children:"v0.15.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.27.X#release-v1279k3s1",children:"v1.27.9+k3s1"})}),(0,r.jsx)(s.td,{children:"Dec 27 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v1279",children:"v1.27.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2.27",children:"v1.7.11-k3s2.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.10",children:"v1.1.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.27.X#release-v1278k3s2",children:"v1.27.8+k3s2"})}),(0,r.jsx)(s.td,{children:"Dec 07 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v1278",children:"v1.27.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1.27",children:"v1.7.7-k3s1.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.27.X#release-v1277k3s2",children:"v1.27.7+k3s2"})}),(0,r.jsx)(s.td,{children:"Nov 08 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v1277",children:"v1.27.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1.27",children:"v1.7.7-k3s1.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.27.X#release-v1277k3s1",children:"v1.27.7+k3s1"})}),(0,r.jsx)(s.td,{children:"Oct 30 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v1277",children:"v1.27.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1.27",children:"v1.7.7-k3s1.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.27.X#release-v1276k3s1",children:"v1.27.6+k3s1"})}),(0,r.jsx)(s.td,{children:"Sep 20 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v1276",children:"v1.27.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.6-k3s1.27",children:"v1.7.6-k3s1.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.27.X#release-v1275k3s1",children:"v1.27.5+k3s1"})}),(0,r.jsx)(s.td,{children:"Sep 05 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v1275",children:"v1.27.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.2",children:"v0.10.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.3-k3s1",children:"v1.7.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.27.X#release-v1274k3s1",children:"v1.27.4+k3s1"})}),(0,r.jsx)(s.td,{children:"Jul 27 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v1274",children:"v1.27.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.7-k3s1",children:"v3.5.7-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.0",children:"v0.22.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.2",children:"v0.15.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.27.X#release-v1273k3s1",children:"v1.27.3+k3s1"})}),(0,r.jsx)(s.td,{children:"Jun 26 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v1273",children:"v1.27.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.7-k3s1",children:"v3.5.7-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.0",children:"v0.22.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.0",children:"v0.15.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.27.X#release-v1272k3s1",children:"v1.27.2+k3s1"})}),(0,r.jsx)(s.td,{children:"May 26 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v1272",children:"v1.27.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.7-k3s1",children:"v3.5.7-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.4",children:"v0.21.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.14.0",children:"v0.14.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.27.X#release-v1271k3s1",children:"v1.27.1+k3s1"})}),(0,r.jsx)(s.td,{children:"Apr 27 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v1271",children:"v1.27.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.7-k3s1",children:"v3.5.7-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.19-k3s1",children:"v1.6.19-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.5",children:"v1.1.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.4",children:"v0.21.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.3",children:"v0.13.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]})]})]}),"\n",(0,r.jsx)("br",{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12716k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.16+k3s1",children:"v1.27.16+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.16, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v12715",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12715k3s2",children:"Changes since v1.27.15+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-07 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10500",children:"(#10500)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump k3s-root to v0.14.0"}),"\n",(0,r.jsx)(s.li,{children:"Bump github.com/hashicorp/go-retryablehttp from 0.7.4 to 0.7.7"}),"\n",(0,r.jsx)(s.li,{children:"Bump Local Path Provisioner version"}),"\n",(0,r.jsx)(s.li,{children:"Ensure remotedialer kubelet connections use kubelet bind address"}),"\n",(0,r.jsx)(s.li,{children:"Chore: Bump Trivy version"}),"\n",(0,r.jsx)(s.li,{children:"Add etcd s3 config secret implementation"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["July Test Backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10510",children:"(#10510)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.27.16-k3s1 and Go 1.22.5 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10542",children:"(#10542)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issues loading data-dir value from env vars or dropping config files ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10599",children:"(#10599)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12715k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.15+k3s2",children:"v1.27.15+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.15, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v12715",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12715k3s1",children:"Changes since v1.27.15+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update flannel to v0.25.4 and fixed issue with IPv6 mask ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10429",children:"(#10429)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12715k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.15+k3s1",children:"v1.27.15+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.15, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v12714",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12714k3s1",children:"Changes since v1.27.14+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Replace deprecated ruby function ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10089",children:"(#10089)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix bug when using tailscale config by file ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10143",children:"(#10143)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump flannel version to v0.25.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10222",children:"(#10222)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router version to v2.1.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10183",children:"(#10183)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Improve tailscale test & add extra log in e2e tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10214",children:"(#10214)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-06 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10259",children:"(#10259)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Add WithSkipMissing to not fail import on missing blobs"}),"\n",(0,r.jsx)(s.li,{children:"Use fixed stream server bind address for cri-dockerd"}),"\n",(0,r.jsx)(s.li,{children:"Switch stargz over to cri registry config_path"}),"\n",(0,r.jsx)(s.li,{children:"Bump to containerd v1.7.17, etcd v3.5.13"}),"\n",(0,r.jsx)(s.li,{children:"Bump spegel version"}),"\n",(0,r.jsx)(s.li,{children:"Fix issue with externalTrafficPolicy: Local for single-stack services on dual-stack nodes"}),"\n",(0,r.jsxs)(s.li,{children:["ServiceLB now sets the priorityClassName on svclb pods to ",(0,r.jsx)(s.code,{children:"system-node-critical"})," by default. This can be overridden on a per-service basis via the ",(0,r.jsx)(s.code,{children:"svccontroller.k3s.cattle.io/priorityclassname"})," annotation."]}),"\n",(0,r.jsx)(s.li,{children:"Bump minio-go to v7.0.70"}),"\n",(0,r.jsx)(s.li,{children:"Bump kine to v0.11.9 to fix pagination"}),"\n",(0,r.jsx)(s.li,{children:"Update valid resolv conf"}),"\n",(0,r.jsx)(s.li,{children:"Add missing kernel config check"}),"\n",(0,r.jsx)(s.li,{children:"Symlinked sub-directories are now respected when scanning Auto-Deploying Manifests (AddOns)"}),"\n",(0,r.jsx)(s.li,{children:"Fix bug: allow helm controller set owner reference"}),"\n",(0,r.jsx)(s.li,{children:"Bump klipper-helm image for tls secret support"}),"\n",(0,r.jsx)(s.li,{children:"Fix issue with k3s-etcd informers not starting"}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--Enable-pprof"})," can now be set on agents to enable the debug/pprof endpoints. When set, agents will listen on the supervisor port."]}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--Supervisor-metrics"})," can now be set on servers to enable serving internal metrics on the supervisor endpoint; when set agents will listen on the supervisor port."]}),"\n",(0,r.jsx)(s.li,{children:"Fix netpol crash when node remains tainted uninitialized"}),"\n",(0,r.jsx)(s.li,{children:"The embedded load-balancer will now fall back to trying all servers with health-checks ignored, if all servers have been marked unavailable due to failed health checks."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["More backports for 2024-06 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10290",children:"(#10290)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add snapshot retention etcd-s3-folder fix ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10314",children:"(#10314)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add test for ",(0,r.jsx)(s.code,{children:"isValidResolvConf"})," (#10302) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10332",children:"(#10332)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix race condition panic in loadbalancer.nextServer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10324",children:"(#10324)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix typo, use ",(0,r.jsx)(s.code,{children:"rancher/permissions"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10297",children:"(#10297)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.27.15 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10346",children:"(#10346)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Update Kubernetes to v1.27.15"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix agent supervisor port using apiserver port instead ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10356",children:"(#10356)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue that allowed multiple simultaneous snapshots to be allowed ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10378",children:"(#10378)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12714k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.14+k3s1",children:"v1.27.14+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.14, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v12713",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12713k3s1",children:"Changes since v1.27.13+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Bump E2E opensuse leap to 15.6, fix btrfs test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10096",children:"(#10096)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Windows changes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10113",children:"(#10113)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.27.14-k3s1 and Go 1.21.9 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10103",children:"(#10103)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12713k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.13+k3s1",children:"v1.27.13+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.13, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v12712",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12712k3s1",children:"Changes since v1.27.12+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add a new error when kine is with disable apiserver or disable etcd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9803",children:"(#9803)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove old pinned dependencies ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9828",children:"(#9828)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Transition from deprecated pointer library to ptr ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9825",children:"(#9825)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Golang caching and E2E ubuntu 23.10 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9822",children:"(#9822)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add tls for kine ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9850",children:"(#9850)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump spegel to v0.0.20-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9881",children:"(#9881)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-04 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9912",children:"(#9912)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Send error response if member list cannot be retrieved"}),"\n",(0,r.jsx)(s.li,{children:"The k3s stub cloud provider now respects the kubelet's requested provider-id, instance type, and topology labels"}),"\n",(0,r.jsx)(s.li,{children:"Fix error when image has already been pulled"}),"\n",(0,r.jsx)(s.li,{children:"Add /etc/passwd and /etc/group to k3s docker image"}),"\n",(0,r.jsx)(s.li,{children:"Fix etcd snapshot reconcile for agentless servers"}),"\n",(0,r.jsx)(s.li,{children:"Add health-check support to loadbalancer"}),"\n",(0,r.jsx)(s.li,{children:"Add certificate expiry check, events, and metrics"}),"\n",(0,r.jsx)(s.li,{children:"Add workaround for containerd hosts.toml bug when passing config for default registry endpoint"}),"\n",(0,r.jsx)(s.li,{children:"Add supervisor cert/key to rotate list"}),"\n",(0,r.jsx)(s.li,{children:"The embedded containerd has been bumped to v1.7.15"}),"\n",(0,r.jsx)(s.li,{children:"The embedded cri-dockerd has been bumped to v0.3.12"}),"\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"k3s etcd-snapshot"})," command has been reworked for improved consistency. All snapshots operations are now performed by the server process, with the CLI acting as a client to initiate and report results. As a side effect, the CLI is now less noisy when managing snapshots."]}),"\n",(0,r.jsx)(s.li,{children:"Improve etcd load-balancer startup behavior"}),"\n",(0,r.jsx)(s.li,{children:"Actually fix agent certificate rotation"}),"\n",(0,r.jsx)(s.li,{children:"Traefik has been bumped to v2.10.7."}),"\n",(0,r.jsx)(s.li,{children:"Traefik pod annotations are now set properly in the default chart values."}),"\n",(0,r.jsx)(s.li,{children:"The system-default-registry value now supports RFC2732 IPv6 literals."}),"\n",(0,r.jsxs)(s.li,{children:["The local-path provisioner now defaults to creating ",(0,r.jsx)(s.code,{children:"local"})," volumes, instead of ",(0,r.jsx)(s.code,{children:"hostPath"}),"."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Allow LPP to read helper logs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9939",children:"(#9939)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router to v2.1.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9943",children:"(#9943)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.27.13-k3s1 and Go 1.21.9 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9958",children:"(#9958)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix on-demand snapshots timing out; not honoring folder ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9995",children:"(#9995)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Make /db/info available anonymously from localhost ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10003",children:"(#10003)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12712k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.12+k3s1",children:"v1.27.12+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.12, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v12711",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12711k3s1",children:"Changes since v1.27.11+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add an integration test for flannel-backend=none ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9609",children:"(#9609)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Install and Unit test backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9642",children:"(#9642)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update klipper-lb image version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9606",children:"(#9606)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Adjust first node-ip based on configured clusterCIDR ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9632",children:"(#9632)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Improve tailscale e2e test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9654",children:"(#9654)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-03 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9670",children:"(#9670)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fix: use correct wasm shims names"}),"\n",(0,r.jsx)(s.li,{children:"The embedded flannel cni-plugin binary is now built and versioned separate from the rest of the cni plugins and the embedded flannel controller."}),"\n",(0,r.jsx)(s.li,{children:"Bump spegel to v0.0.18-k3s3"}),"\n",(0,r.jsx)(s.li,{children:"Adds wildcard registry support"}),"\n",(0,r.jsx)(s.li,{children:"Fixes issue with excessive CPU utilization while waiting for containerd to start"}),"\n",(0,r.jsx)(s.li,{children:"Add env var to allow spegel mirroring of latest tag"}),"\n",(0,r.jsx)(s.li,{children:"Tweak netpol node wait logs"}),"\n",(0,r.jsx)(s.li,{children:"Fix coredns NodeHosts on dual-stack clusters"}),"\n",(0,r.jsx)(s.li,{children:"Bump helm-controller/klipper-helm versions"}),"\n",(0,r.jsx)(s.li,{children:"Fix snapshot prune"}),"\n",(0,r.jsx)(s.li,{children:"Fix issue with etcd node name missing hostname"}),"\n",(0,r.jsx)(s.li,{children:"Rootless mode should also bind service nodePort to host for LoadBalancer type, matching UX of rootful mode."}),"\n",(0,r.jsxs)(s.li,{children:["To enable raw output for the ",(0,r.jsx)(s.code,{children:"check-config"})," subcommand, you may now set NO_COLOR=1"]}),"\n",(0,r.jsx)(s.li,{children:"Fix additional corner cases in registries handling"}),"\n",(0,r.jsx)(s.li,{children:"Bump metrics-server to v0.7.0"}),"\n",(0,r.jsx)(s.li,{children:"K3s will now warn and suppress duplicate entries in the mirror endpoint list for a registry. Containerd does not support listing the same endpoint multiple times as a mirror for a single upstream registry."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Docker and E2E Test Backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9708",children:"(#9708)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix wildcard entry upstream fallback ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9734",children:"(#9734)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.27.12-k3s1 and Go 1.21.8 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9745",children:"(#9745)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12711k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.11+k3s1",children:"v1.27.11+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.11, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v12710",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12710k3s2",children:"Changes since v1.27.10+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Chore: bump Local Path Provisioner version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9427",children:"(#9427)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump cri-dockerd to fix compat with Docker Engine 25 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9291",children:"(#9291)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Auto Dependency Bump ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9420",children:"(#9420)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Runtimes refactor using exec.LookPath ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9430",children:"(#9430)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Directories containing runtimes need to be included in the $PATH environment variable for effective runtime detection."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Changed how lastHeartBeatTime works in the etcd condition ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9425",children:"(#9425)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow executors to define containerd and docker behavior ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9253",children:"(#9253)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kube-router to v2.0.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9405",children:"(#9405)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-02 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9463",children:"(#9463)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump flannel version + remove multiclustercidr ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9407",children:"(#9407)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Enable longer http timeout requests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9445",children:"(#9445)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Test_UnitApplyContainerdQoSClassConfigFileIfPresent ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9441",children:"(#9441)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Support PR testing installs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9470",children:"(#9470)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.27.11 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9491",children:"(#9491)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix drone publish for arm ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9509",children:"(#9509)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove failing Drone step ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9515",children:"(#9515)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Restore original order of agent startup functions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9546",children:"(#9546)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix netpol startup when flannel is disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9579",children:"(#9579)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12710k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.10+k3s2",children:"v1.27.10+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.10, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v1279",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.p,{children:(0,r.jsx)(s.strong,{children:"Important Notes"})}),"\n",(0,r.jsxs)(s.p,{children:["Addresses the runc CVE: ",(0,r.jsx)(s.a,{href:"https://nvd.nist.gov/vuln/detail/CVE-2024-21626",children:"CVE-2024-21626"})," by updating runc to v1.1.12."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1279k3s1",children:"Changes since v1.27.9+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add a retry around updating a secrets-encrypt node annotations ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9124",children:"(#9124)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added support for env *_PROXY variables for agent loadbalancer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9117",children:"(#9117)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Wait for taint to be gone in the node before starting the netpol controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9176",children:"(#9176)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Etcd condition ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9182",children:"(#9182)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-01 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9211",children:"(#9211)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Move proxy dialer out of init() and fix crash ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9220",children:"(#9220)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Pin opa version for missing dependency chain ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9217",children:"(#9217)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Etcd node is nil ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9229",children:"(#9229)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.27.10 and Go 1.20.13 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9261",children:"(#9261)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use ",(0,r.jsx)(s.code,{children:"ipFamilyPolicy: RequireDualStack"})," for dual-stack kube-dns ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9270",children:"(#9270)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-01 k3s2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9337",children:"(#9337)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump runc to v1.1.12 and helm-controller to v0.15.7"}),"\n",(0,r.jsx)(s.li,{children:"Fix handling of bare hostname or IP as endpoint address in registries.yaml"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump helm-controller to fix issue with ChartContent ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9347",children:"(#9347)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1279k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.9+k3s1",children:"v1.27.9+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.9, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v1278",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1278k3s2",children:"Changes since v1.27.8+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Bump containerd/runc to v1.7.10-k3s1/v1.1.10 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8963",children:"(#8963)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix overlapping address range ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9018",children:"(#9018)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Runtimes backport ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9013",children:"(#9013)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Added runtime classes for wasm/nvidia/crun"}),"\n",(0,r.jsx)(s.li,{children:"Added default runtime flag for containerd"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd to v1.7.11 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9041",children:"(#9041)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.27.9-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9078",children:"(#9078)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1278k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.8+k3s2",children:"v1.27.8+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.8, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v1277",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1277k3s2",children:"Changes since v1.27.7+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Etcd status condition ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8821",children:"(#8821)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add warning for removal of multiclustercidr flag ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8759",children:"(#8759)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2023-11 release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8878",children:"(#8878)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["New timezone info in Docker image allows the use of ",(0,r.jsx)(s.code,{children:"spec.timeZone"})," in CronJobs"]}),"\n",(0,r.jsx)(s.li,{children:"Bumped kine to v0.11.0 to resolve issues with postgres and NATS, fix performance of watch channels under heavy load, and improve compatibility with the reference implementation."}),"\n",(0,r.jsxs)(s.li,{children:["Containerd may now be configured to use rdt or blockio configuration by defining ",(0,r.jsx)(s.code,{children:"rdt_config.yaml"})," or ",(0,r.jsx)(s.code,{children:"blockio_config.yaml"})," files."]}),"\n",(0,r.jsx)(s.li,{children:"Add agent flag disable-apiserver-lb, agent will not start load balance proxy."}),"\n",(0,r.jsx)(s.li,{children:"Improved ingress IP ordering from ServiceLB"}),"\n",(0,r.jsx)(s.li,{children:"Disable helm CRD installation for disable-helm-controller"}),"\n",(0,r.jsx)(s.li,{children:"Omit snapshot list configmap entries for snapshots without extra metadata"}),"\n",(0,r.jsx)(s.li,{children:"Add jitter to client config retry to avoid hammering servers when they are starting up"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Handle nil pointer when runtime core is not ready in etcd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8887",children:"(#8887)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Improve dualStack log ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8828",children:"(#8828)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump dynamiclistener; reduce snapshot controller log spew ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8902",children:"(#8902)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bumped dynamiclistener to address a race condition that could cause a server to fail to sync its certificates into the Kubernetes secret"}),"\n",(0,r.jsx)(s.li,{children:"Reduced etcd snapshot log spam during initial cluster startup"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Remove depends_on for e2e step; fix cert rotate e2e ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8907",children:"(#8907)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix etcd snapshot S3 issues ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8937",children:"(#8937)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Don't apply S3 retention if S3 client failed to initialize"}),"\n",(0,r.jsx)(s.li,{children:"Don't request metadata when listing S3 snapshots"}),"\n",(0,r.jsx)(s.li,{children:"Print key instead of file path in snapshot metadata log message"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.27.8 and Go to 1.20.11 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8921",children:"(#8921)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove s390x ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8999",children:"(#8999)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1277k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.7+k3s2",children:"v1.27.7+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.7, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v1277",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1277k3s1",children:"Changes since v1.27.7+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix SystemdCgroup in templates_linux.go ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8765",children:"(#8765)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed an issue with identifying additional container runtimes"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update traefik chart to v25.0.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8775",children:"(#8775)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update traefik to fix registry value ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8789",children:"(#8789)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1277k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.7+k3s1",children:"v1.27.7+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.7, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v1276",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1276k3s1",children:"Changes since v1.27.6+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix error reporting ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8411",children:"(#8411)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add context to flannel errors ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8419",children:"(#8419)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Include the interface name in the error message ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8435",children:"(#8435)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8443",children:"(#8443)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add extraArgs to tailscale ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8464",children:"(#8464)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added error when cluster reset while using server flag ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8455",children:"(#8455)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The user will receive a error when --cluster-reset with the --server flag"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Cluster reset from non bootstrap nodes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8451",children:"(#8451)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Take IPFamily precedence based on order ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8504",children:"(#8504)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix spellcheck problem ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8509",children:"(#8509)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Network defaults are duplicated, remove one ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8551",children:"(#8551)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Advertise address integration test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8516",children:"(#8516)"})]}),"\n",(0,r.jsxs)(s.li,{children:["System agent push tags fix ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8569",children:"(#8569)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fixed tailscale node IP dualstack mode in case of IPv4 only node ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8558",children:"(#8558)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Server Token Rotation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8576",children:"(#8576)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Users can now rotate the server token using ",(0,r.jsx)(s.code,{children:"k3s token rotate -t <OLD_TOKEN> --new-token <NEW_TOKEN>"}),". After command succeeds, all server nodes must be restarted with the new token."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["E2E Domain Drone Cleanup ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8582",children:"(#8582)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Clear remove annotations on cluster reset ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8587",children:"(#8587)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed an issue that could cause k3s to attempt to remove members from the etcd cluster immediately following a cluster-reset/restore, if they were queued for removal at the time the snapshot was taken."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Use IPv6 in case is the first configured IP with dualstack ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8597",children:"(#8597)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2023-10 release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8615",children:"(#8615)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router package in build script ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8634",children:"(#8634)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add etcd-only/control-plane-only server test and fix control-plane-only server crash ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8642",children:"(#8642)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use ",(0,r.jsx)(s.code,{children:"version.Program"})," not K3s in token rotate logs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8656",children:"(#8656)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Windows agent support ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8650",children:"(#8650)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix CloudDualStackNodeIPs feature-gate inconsistency ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8669",children:"(#8669)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add --image-service-endpoint flag (#8279) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8662",children:"(#8662)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add ",(0,r.jsx)(s.code,{children:"--image-service-endpoint"})," flag to specify an external image service socket."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Backport etcd fixes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8690",children:"(#8690)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Re-enable etcd endpoint auto-sync"}),"\n",(0,r.jsx)(s.li,{children:"Manually requeue configmap reconcile when no nodes have reconciled snapshots"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.27.7 and Go to v1.20.10 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8681",children:"(#8681)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix s3 snapshot restore ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8733",children:"(#8733)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1276k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.6+k3s1",children:"v1.27.6+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.6, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v1275",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1275k3s1",children:"Changes since v1.27.5+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Bump kine to v0.10.3 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8324",children:"(#8324)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.27.6 and Go to 1.20.8 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8356",children:"(#8356)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump embedded containerd to v1.7.6"}),"\n",(0,r.jsx)(s.li,{children:"Bump embedded stargz-snapshotter plugin to latest"}),"\n",(0,r.jsx)(s.li,{children:"Fixed intermittent drone CI failures due to race conditions in test environment setup scripts"}),"\n",(0,r.jsx)(s.li,{children:"Fixed CI failures due to changes to api discovery changes in Kubernetes 1.28"}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1275k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.5+k3s1",children:"v1.27.5+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.5, and fixes a number of issues."}),"\n",(0,r.jsx)(s.admonition,{title:"Important",type:"warning",children:(0,r.jsxs)(s.p,{children:["This release includes support for remediating CVE-2023-32187, a potential Denial of Service attack vector on K3s servers. See ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2",children:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2"})," for more information, including mandatory steps necessary to harden clusters against this vulnerability."]})}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v1274",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1274k3s1",children:"Changes since v1.27.4+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update cni plugins version to v1.3.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8056",children:"(#8056)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Upgraded cni-plugins to v1.3.0"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update flannel to v0.22.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8057",children:"(#8057)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Update flannel to v0.22.1"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["ADR on secrets encryption v3 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7938",children:"(#7938)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Unit test for MustFindString ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8013",children:"(#8013)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add support for using base template in etc/containerd/config.toml.tmpl ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7991",children:"(#7991)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["User-provided containerd config templates may now use ",(0,r.jsx)(s.code,{children:'{{ template "base" . }}'})," to include the default K3s template content. This makes it easier to maintain user configuration if the only need is to add additional sections to the file."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Make apiserver egress args conditional on egress-selector-mode ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7972",children:"(#7972)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["K3s no longer enables the apiserver's ",(0,r.jsx)(s.code,{children:"enable-aggregator-routing"})," flag when the egress proxy is not being used to route connections to in-cluster endpoints."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Security bump to ",(0,r.jsx)(s.code,{children:"docker/distribution"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8047",children:"(#8047)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix coreos multiple installs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8083",children:"(#8083)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update stable channel to v1.27.4+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8067",children:"(#8067)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix tailscale bug with ip modes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8077",children:"(#8077)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Consolidate CopyFile functions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8079",children:"(#8079)"})]}),"\n",(0,r.jsxs)(s.li,{children:["E2E: Support GOCOVER for more tests + fixes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8080",children:"(#8080)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix typo in terraform/README.md ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8090",children:"(#8090)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add FilterCN function to prevent SAN Stuffing ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8085",children:"(#8085)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"K3s's external apiserver listener now declines to add to its certificate any subject names not associated with the kubernetes apiserver service, server nodes, or values of the --tls-san option. This prevents the certificate's SAN list from being filled with unwanted entries."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump docker/docker to master commit; cri-dockerd to 0.3.4 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8092",children:"(#8092)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump docker/docker module version to fix issues with cri-dockerd caused by recent releases of golang rejecting invalid host headers sent by the docker client."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump versions for etcd, containerd, runc ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8109",children:"(#8109)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Updated the embedded containerd to v1.7.3+k3s1"}),"\n",(0,r.jsx)(s.li,{children:"Updated the embedded runc to v1.1.8"}),"\n",(0,r.jsx)(s.li,{children:"Updated the embedded etcd to v3.5.9+k3s1"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Etcd snapshots retention when node name changes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8099",children:"(#8099)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump kine to v0.10.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8125",children:"(#8125)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Updated kine to v0.10.2"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Remove terraform package ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8136",children:"(#8136)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix etcd-snapshot delete when etcd-s3 is true ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8110",children:"(#8110)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add --disable-cloud-controller and --disable-kube-proxy test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8018",children:"(#8018)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use ",(0,r.jsx)(s.code,{children:"go list -m"})," instead of grep to look up versions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8138",children:"(#8138)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use VERSION_K8S in tests instead of grep go.mod ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8147",children:"(#8147)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix for Kubeflag Integration test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8154",children:"(#8154)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix for cluster-reset backup from s3 when etcd snapshots are disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8155",children:"(#8155)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Run integration test CI in parallel ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8156",children:"(#8156)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8150",children:"(#8150)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8178",children:"(#8178)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fixed the etcd retention to delete orphaned snapshots based on the date ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8177",children:"(#8177)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump dynamiclistener ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8193",children:"(#8193)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bumped dynamiclistener to address an issue that could cause the apiserver/supervisor listener on 6443 to stop serving requests on etcd-only nodes."}),"\n",(0,r.jsx)(s.li,{children:"The K3s external apiserver/supervisor listener on 6443 now sends a complete certificate chain in the TLS handshake."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump helm-controller/klipper-helm versions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8204",children:"(#8204)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The version of ",(0,r.jsx)(s.code,{children:"helm"})," used by the bundled helm controller's job image has been updated to v3.12.3"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["E2E: Add test for ",(0,r.jsx)(s.code,{children:"k3s token"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8184",children:"(#8184)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Move flannel to 0.22.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8219",children:"(#8219)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Move flannel to v0.22.2"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.27.5 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8236",children:"(#8236)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add new CLI flag to enable TLS SAN CN filtering ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8257",children:"(#8257)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Added a new ",(0,r.jsx)(s.code,{children:"--tls-san-security"})," option. This flag defaults to false, but can be set to true to disable automatically adding SANs to the server's TLS certificate to satisfy any hostname requested by a client."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add RWMutex to address controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8273",children:"(#8273)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1274k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.4+k3s1",children:"v1.27.4+k3s1"})]}),"\n",(0,r.jsxs)(s.p,{children:["This release updates Kubernetes to v1.27.4, and fixes a number of issues.",(0,r.jsx)(s.br,{}),"\n","\u200b\r\nFor more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v1273",children:"Kubernetes release notes"}),".\r\n\u200b"]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1273k3s1",children:"Changes since v1.27.3+k3s1:"}),"\n",(0,r.jsx)(s.p,{children:"\u200b"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Pkg imported more than once ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7803",children:"(#7803)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Faster K3s Binary Build Option ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7805",children:"(#7805)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update stable channel to v1.27.3+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7827",children:"(#7827)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Adding cli to custom klipper helm image ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7682",children:"(#7682)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The default helm-controller job image can now be overridden with the --helm-job-image CLI flag"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Check if we are on ipv4, ipv6 or dualStack when doing tailscale ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7838",children:"(#7838)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove file_windows.go ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7845",children:"(#7845)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add a k3s data directory location specified by the cli ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7791",children:"(#7791)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix e2e startup flaky test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7839",children:"(#7839)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow k3s to customize apiServerPort on helm-controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7834",children:"(#7834)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fall back to basic/bearer auth when node identity auth is rejected ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7836",children:"(#7836)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Resolved an issue that caused agents joined with kubeadm-style bootstrap tokens to fail to rejoin the cluster when their node object is deleted."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix code spell check ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7858",children:"(#7858)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add e2e s3 test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7833",children:"(#7833)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Warn that v1.28 will deprecate reencrypt/prepare ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7848",children:"(#7848)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Support setting control server URL for Tailscale ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7807",children:"(#7807)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Support connecting tailscale to a separate server (e.g. headscale)"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Improve for K3s release Docs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7864",children:"(#7864)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix rootless node password location ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7887",children:"(#7887)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump google.golang.org/grpc from 1.51.0 to 1.53.0 in /tests/terraform ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7879",children:"(#7879)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add retry for clone step ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7862",children:"(#7862)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Generation of certificates and keys for etcd gated if etcd is disabled. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6998",children:"(#6998)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Don't use zgrep in ",(0,r.jsx)(s.code,{children:"check-config"})," if apparmor profile is enforced ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7939",children:"(#7939)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix image_scan.sh script and download trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7950",children:"(#7950)"})]}),"\n",(0,r.jsxs)(s.li,{children:['Revert "Warn that v1.28 will deprecate reencrypt/prepare" ',(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7977",children:"(#7977)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Adjust default kubeconfig file permissions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7978",children:"(#7978)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix update go version command on release documentation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8028",children:"(#8028)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.27.4 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8014",children:"(#8014)"}),"\r\n\u200b"]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1273k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.3+k3s1",children:"v1.27.3+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.3, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v1272",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1272k3s1",children:"Changes since v1.27.2+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update flannel version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7628",children:"(#7628)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Update flannel to v0.22.0"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add el9 selinux rpm ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7635",children:"(#7635)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update channels ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7634",children:"(#7634)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow coredns override extensions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7583",children:"(#7583)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"coredns-custom"})," ConfigMap now allows for ",(0,r.jsx)(s.code,{children:"*.override"})," sections to be included in the ",(0,r.jsx)(s.code,{children:".:53"})," default server block."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump klipper-lb to v0.4.4 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7617",children:"(#7617)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bumped klipper-lb image to v0.4.4 to resolve an issue that prevented access to ServiceLB ports from localhost when the Service ExternalTrafficPolicy was set to Local."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump metrics-server to v0.6.3 and update tls-cipher-suites ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7564",children:"(#7564)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The bundled metrics-server has been bumped to v0.6.3, and now uses only secure TLS ciphers by default."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Do not use the admin kubeconfig for the supervisor and core controllers ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7616",children:"(#7616)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The K3s core controllers (supervisor, deploy, and helm) no longer use the admin kubeconfig. This makes it easier to determine from access and audit logs which actions are performed by the system, and which are performed by an administrative user."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump golang",":alpine"," image version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7619",children:"(#7619)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Make LB image configurable when compiling k3s ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7626",children:"(#7626)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump vagrant libvirt with fix for plugin installs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7605",children:"(#7605)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add format command on Makefile ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7437",children:"(#7437)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use el8 rpm for fedora 38 and 39 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7664",children:"(#7664)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Check variant before version to decide rpm target and packager closes #7666 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7667",children:"(#7667)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Test Coverage Reports for E2E tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7526",children:"(#7526)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Soft-fail on node password verification if the secret cannot be created ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7655",children:"(#7655)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"K3s now allows nodes to join the cluster even if the node password secret cannot be created at the time the node joins. The secret create will be retried in the background. This resolves a potential deadlock created by fail-closed validating webhooks that block secret creation, where the webhook is unavailable until new nodes join the cluster to run the webhook pod."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Enable containerd aufs/devmapper/zfs snapshotter plugins ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7661",children:"(#7661)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The bundled containerd's aufs/devmapper/zfs snapshotter plugins have been restored. These were unintentionally omitted when moving containerd back into the k3s multicall binary in the previous release."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump docker go.mod ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7681",children:"(#7681)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Shortcircuit commands with version or help flags ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7683",children:"(#7683)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Non root users can now call ",(0,r.jsx)(s.code,{children:"k3s --help"})," and ",(0,r.jsx)(s.code,{children:"k3s --version"})," commands without running into permission errors over the default config file."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7672",children:"(#7672)"})]}),"\n",(0,r.jsxs)(s.li,{children:["E2E: Capture coverage of K3s subcommands ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7686",children:"(#7686)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Integrate tailscale into k3s ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7352",children:"(#7352)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Integration of tailscale VPN into k3s"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add private registry e2e test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7653",children:"(#7653)"})]}),"\n",(0,r.jsxs)(s.li,{children:["E2E: Remove unnecessary daemonset addition/deletion ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7696",children:"(#7696)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add issue template for OS validation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7695",children:"(#7695)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix spelling check ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7740",children:"(#7740)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove useless libvirt config ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7745",children:"(#7745)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump helm-controller to v0.15.0 for create-namespace support ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7716",children:"(#7716)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded helm controller has been bumped to v0.15.0, and now supports creating the chart's target namespace if it does not exist."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix error logging in tailscale ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7776",children:"(#7776)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add commands to remove advertised routes of tailscale in k3s-killall.sh ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7777",children:"(#7777)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.27.3 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7790",children:"(#7790)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1272k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.2+k3s1",children:"v1.27.2+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.2, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v1271",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1271k3s1",children:"Changes since v1.27.1+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Ensure that klog verbosity is set to the same level as logrus ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7303",children:"(#7303)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Create CRDs with schema ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7308",children:"(#7308)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed an issue where Addon, HelmChart, and HelmChartConfig CRDs were created without structural schema, allowing the creation of custom resources of these types with invalid content."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump k3s-root for aarch64 page size fix ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7364",children:"(#7364)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"K3s once again supports aarch64 nodes with page size > 4k"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Runc and Containerd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7339",children:"(#7339)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add integration tests for etc-snapshot server flags and refactor /tests/integration/integration.go/K3sStartServer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7300",children:"(#7300)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump traefik to v2.9.10 / chart 21.2.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7324",children:"(#7324)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The packaged Traefik version has been bumped to v2.9.10 / chart 21.2.0"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add longhorn storage test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6445",children:"(#6445)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Improve error message when CLI wrapper Exec fails ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7373",children:"(#7373)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["K3s now prints a more meaningful error when attempting to run from a filesystem mounted ",(0,r.jsx)(s.code,{children:"noexec"}),"."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issues with ",(0,r.jsx)(s.code,{children:"--disable-agent"})," and ",(0,r.jsx)(s.code,{children:"--egress-selector-mode=pod|cluster"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7331",children:"(#7331)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Servers started with the (experimental) --disable-agent flag no longer attempt to run the tunnel authorizer agent component."}),"\n",(0,r.jsx)(s.li,{children:"Fixed an regression that prevented the pod and cluster egress-selector modes from working properly."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:['Retry cluster join on "too many learners" error ',(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7351",children:"(#7351)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:'K3s now retries the cluster join operation when receiving a "too many learners" error from etcd. This most frequently occurred when attempting to add multiple servers at the same time.'}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix MemberList error handling and incorrect etcd-arg passthrough ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7371",children:"(#7371)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"K3s now correctly passes through etcd-args to the temporary etcd that is used to extract cluster bootstrap data when restarting managed etcd nodes."}),"\n",(0,r.jsx)(s.li,{children:"K3s now properly handles errors obtaining the current etcd cluster member list when a new server is joining the managed etcd cluster."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7383",children:"(#7383)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Handle multiple arguments with StringSlice flags ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7380",children:"(#7380)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add v1.27 channel ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7387",children:"(#7387)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Enable FindString to search dotD config files ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7323",children:"(#7323)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Migrate netutil methods into /util/net.go ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7422",children:"(#7422)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Local-storage: Fix permission ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7217",children:"(#7217)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump cni plugins to v1.2.0-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7425",children:"(#7425)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The bundled CNI plugins have been upgraded to v1.2.0-k3s1. The bandwidth and firewall plugins are now included in the bundle."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add dependabot label and reviewer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7423",children:"(#7423)"})]}),"\n",(0,r.jsxs)(s.li,{children:["E2E: Startup test cleanup + RunCommand Enhancement ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7388",children:"(#7388)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fail to validate server tokens that use bootstrap id/secret format ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7389",children:"(#7389)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["K3s now exits with a proper error message when the server token uses a bootstrap token ",(0,r.jsx)(s.code,{children:"id.secret"})," format."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix token startup test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7442",children:"(#7442)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump kine to v0.10.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7414",children:"(#7414)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The embedded kine version has been bumped to v0.10.1. This replaces the legacy ",(0,r.jsx)(s.code,{children:"lib/pq"})," postgres driver with ",(0,r.jsx)(s.code,{children:"pgx"}),"."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add kube-* server flags integration tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7416",children:"(#7416)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add support for ",(0,r.jsx)(s.code,{children:"-cover"})," + integration test code coverage ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7415",children:"(#7415)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump kube-router version to fix a bug when a port name is used ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7454",children:"(#7454)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Consistently use constant-time comparison of password hashes instead of bare password strings ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7455",children:"(#7455)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd to v1.7.0 and move back into multicall binary ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7418",children:"(#7418)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The embedded containerd version has been bumped to ",(0,r.jsx)(s.code,{children:"v1.7.0-k3s1"}),", and has been reintegrated into the main k3s binary for a significant savings in release artifact size."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Adding PITS and Getdeck Beiboot as adopters thanks to Schille and Miw\u2026 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7524",children:"(#7524)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump helm-controller version for repo auth/ca support ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7525",children:"(#7525)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded Helm controller now supports authenticating to chart repositories via credentials stored in a Secret, as well as passing repo CAs via ConfigMap."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd/runc to v1.7.1-k3s1/v1.1.7 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7533",children:"(#7533)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The bundled containerd and runc versions have been bumped to v1.7.1-k3s1/v1.1.7"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Wrap error stating that it is coming from netpol ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7539",children:"(#7539)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add Rotation certification Check, remove func to restart agents ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7097",children:"(#7097)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump alpine from 3.17 to 3.18 in /package ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7550",children:"(#7550)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump alpine from 3.17 to 3.18 in /conformance ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7551",children:"(#7551)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add '-all' flag to apply to inactive systemd units ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7567",children:"(#7567)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.27.2-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7575",children:"(#7575)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix iptables rules clean during upgrade ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7591",children:"(#7591)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Pin emicklei/go-restful to v3.9.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7597",children:"(#7597)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add el9 selinux rpm ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7443",children:"(#7443)"})]}),"\n",(0,r.jsxs)(s.li,{children:['Revert "Add el9 selinux rpm (#7443)" ',(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7608",children:"(#7608)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1271k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.1+k3s1",children:"v1.27.1+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release is K3S's first in the v1.27 line. This release updates Kubernetes to v1.27.1."}),"\n",(0,r.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1264k3s1",children:"Changes since v1.26.4+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Kubernetes 1.27.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7271",children:"(#7271)"})]}),"\n",(0,r.jsxs)(s.li,{children:["V1.27.1 CLI Deprecation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7311",children:"(#7311)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--flannel-backed=wireguard"})," has been completely replaced with ",(0,r.jsx)(s.code,{children:"--flannel-backend=wireguard-native"})]}),"\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"k3s etcd-snapshot"})," command will now print a help message, to save a snapshot use: ",(0,r.jsx)(s.code,{children:"k3s etcd-snapshot save"})]}),"\n",(0,r.jsxs)(s.li,{children:["The following flags will now cause fatal errors (with full removal coming in v1.28.0):","\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--flannel-backed=ipsec"}),": replaced with ",(0,r.jsx)(s.code,{children:"--flannel-backend=wireguard-native"})," ",(0,r.jsx)(s.a,{href:"https://docs.k3s.io/installation/network-options#migrating-from-wireguard-or-ipsec-to-wireguard-native",children:"see docs for more info."})]}),"\n",(0,r.jsxs)(s.li,{children:["Supplying multiple ",(0,r.jsx)(s.code,{children:"--flannel-backend"})," values is no longer valid. Use ",(0,r.jsx)(s.code,{children:"--flannel-conf"})," instead."]}),"\n"]}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Changed command -v redirection for iptables bin check ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7315",children:"(#7315)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update channel server for april 2023 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7327",children:"(#7327)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump cri-dockerd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7347",children:"(#7347)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Cleanup help messages ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7369",children:"(#7369)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{})]})}function o(e={}){const{wrapper:s}={...(0,n.a)(),...e.components};return s?(0,r.jsx)(s,{...e,children:(0,r.jsx)(a,{...e})}):a(e)}},1151:(e,s,i)=>{i.d(s,{Z:()=>h,a:()=>l});var r=i(7294);const n={},t=r.createContext(n);function l(e){const s=r.useContext(t);return r.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function h(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:l(e.components),r.createElement(t.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/e7c9153a.c20e6d7a.js b/assets/js/e7c9153a.c20e6d7a.js deleted file mode 100644 index 019a6a63e..000000000 --- a/assets/js/e7c9153a.c20e6d7a.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7544],{1875:(e,t,s)=>{s.r(t),s.d(t,{assets:()=>l,contentTitle:()=>a,default:()=>p,frontMatter:()=>i,metadata:()=>r,toc:()=>c});var o=s(5893),n=s(1151);const i={title:"Related Projects"},a=void 0,r={id:"related-projects",title:"Related Projects",description:"Projects implementing the K3s distribution are welcome additions to help expand the community. This page will introduce you to a range of projects that are related to K3s and can help you further explore its capabilities and potential applications.",source:"@site/docs/related-projects.md",sourceDirName:".",slug:"/related-projects",permalink:"/related-projects",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/related-projects.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Related Projects"},sidebar:"mySidebar",previous:{title:"v1.24.X",permalink:"/release-notes/v1.24.X"},next:{title:"Known Issues",permalink:"/known-issues"}},l={},c=[{value:"k3s-ansible",id:"k3s-ansible",level:2},{value:"k3sup",id:"k3sup",level:2},{value:"autok3s",id:"autok3s",level:2}];function d(e){const t={a:"a",h2:"h2",p:"p",...(0,n.a)(),...e.components};return(0,o.jsxs)(o.Fragment,{children:[(0,o.jsx)(t.p,{children:"Projects implementing the K3s distribution are welcome additions to help expand the community. This page will introduce you to a range of projects that are related to K3s and can help you further explore its capabilities and potential applications."}),"\n",(0,o.jsx)(t.p,{children:"These projects showcase the versatility and adaptability of K3s in various environments, as well as extensions of K3s. They are all useful in creating large scale High Availability (HA) Kubernetes clusters."}),"\n",(0,o.jsx)(t.h2,{id:"k3s-ansible",children:"k3s-ansible"}),"\n",(0,o.jsxs)(t.p,{children:["For users seeking to bootstrap a multi-node K3s cluster and familiar with ansible, take a look at ",(0,o.jsx)(t.a,{href:"https://github.com/k3s-io/k3s-ansible",children:"k3s-io/k3s-ansible"})," repository. This set of ansible playbooks provides a convenient way to install K3s on your nodes, allowing you to focus on the configuration of your cluster rather than the installation process."]}),"\n",(0,o.jsx)(t.h2,{id:"k3sup",children:"k3sup"}),"\n",(0,o.jsxs)(t.p,{children:["Another project that simplifies the process of setting up a K3s cluster is ",(0,o.jsx)(t.a,{href:"https://github.com/alexellis/k3sup",children:"k3sup"}),". This project,written in golang, only requires ssh access to your nodes. It also provides a convenient way to deploy K3s with external datastores, not just the embedded etcd."]}),"\n",(0,o.jsx)(t.h2,{id:"autok3s",children:"autok3s"}),"\n",(0,o.jsxs)(t.p,{children:["Another provisioning tool, ",(0,o.jsx)(t.a,{href:"https://github.com/cnrancher/autok3s",children:"autok3s"}),", provides a GUI for provising k3s cluster across a range of cloud providers, VMs, and local machines. This tool is useful for users who prefer a graphical interface for provising K3s clusters."]})]})}function p(e={}){const{wrapper:t}={...(0,n.a)(),...e.components};return t?(0,o.jsx)(t,{...e,children:(0,o.jsx)(d,{...e})}):d(e)}},1151:(e,t,s)=>{s.d(t,{Z:()=>r,a:()=>a});var o=s(7294);const n={},i=o.createContext(n);function a(e){const t=o.useContext(i);return o.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function r(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:a(e.components),o.createElement(i.Provider,{value:t},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/e7c9153a.efcc87ae.js b/assets/js/e7c9153a.efcc87ae.js new file mode 100644 index 000000000..c5fa8bbd5 --- /dev/null +++ b/assets/js/e7c9153a.efcc87ae.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7544],{1875:(e,t,s)=>{s.r(t),s.d(t,{assets:()=>l,contentTitle:()=>a,default:()=>p,frontMatter:()=>i,metadata:()=>r,toc:()=>c});var o=s(5893),n=s(1151);const i={title:"Related Projects"},a=void 0,r={id:"related-projects",title:"Related Projects",description:"Projects implementing the K3s distribution are welcome additions to help expand the community. This page will introduce you to a range of projects that are related to K3s and can help you further explore its capabilities and potential applications.",source:"@site/docs/related-projects.md",sourceDirName:".",slug:"/related-projects",permalink:"/related-projects",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/related-projects.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Related Projects"},sidebar:"mySidebar",previous:{title:"v1.24.X",permalink:"/release-notes/v1.24.X"},next:{title:"Known Issues",permalink:"/known-issues"}},l={},c=[{value:"k3s-ansible",id:"k3s-ansible",level:2},{value:"k3sup",id:"k3sup",level:2},{value:"autok3s",id:"autok3s",level:2}];function d(e){const t={a:"a",h2:"h2",p:"p",...(0,n.a)(),...e.components};return(0,o.jsxs)(o.Fragment,{children:[(0,o.jsx)(t.p,{children:"Projects implementing the K3s distribution are welcome additions to help expand the community. This page will introduce you to a range of projects that are related to K3s and can help you further explore its capabilities and potential applications."}),"\n",(0,o.jsx)(t.p,{children:"These projects showcase the versatility and adaptability of K3s in various environments, as well as extensions of K3s. They are all useful in creating large scale High Availability (HA) Kubernetes clusters."}),"\n",(0,o.jsx)(t.h2,{id:"k3s-ansible",children:"k3s-ansible"}),"\n",(0,o.jsxs)(t.p,{children:["For users seeking to bootstrap a multi-node K3s cluster and familiar with ansible, take a look at ",(0,o.jsx)(t.a,{href:"https://github.com/k3s-io/k3s-ansible",children:"k3s-io/k3s-ansible"})," repository. This set of ansible playbooks provides a convenient way to install K3s on your nodes, allowing you to focus on the configuration of your cluster rather than the installation process."]}),"\n",(0,o.jsx)(t.h2,{id:"k3sup",children:"k3sup"}),"\n",(0,o.jsxs)(t.p,{children:["Another project that simplifies the process of setting up a K3s cluster is ",(0,o.jsx)(t.a,{href:"https://github.com/alexellis/k3sup",children:"k3sup"}),". This project,written in golang, only requires ssh access to your nodes. It also provides a convenient way to deploy K3s with external datastores, not just the embedded etcd."]}),"\n",(0,o.jsx)(t.h2,{id:"autok3s",children:"autok3s"}),"\n",(0,o.jsxs)(t.p,{children:["Another provisioning tool, ",(0,o.jsx)(t.a,{href:"https://github.com/cnrancher/autok3s",children:"autok3s"}),", provides a GUI for provising k3s cluster across a range of cloud providers, VMs, and local machines. This tool is useful for users who prefer a graphical interface for provising K3s clusters."]})]})}function p(e={}){const{wrapper:t}={...(0,n.a)(),...e.components};return t?(0,o.jsx)(t,{...e,children:(0,o.jsx)(d,{...e})}):d(e)}},1151:(e,t,s)=>{s.d(t,{Z:()=>r,a:()=>a});var o=s(7294);const n={},i=o.createContext(n);function a(e){const t=o.useContext(i);return o.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function r(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:a(e.components),o.createElement(i.Provider,{value:t},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/ea0a4c6d.4ac156c5.js b/assets/js/ea0a4c6d.4ac156c5.js deleted file mode 100644 index 37458583d..000000000 --- a/assets/js/ea0a4c6d.4ac156c5.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[791],{9555:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>d,contentTitle:()=>o,default:()=>h,frontMatter:()=>a,metadata:()=>i,toc:()=>l});var s=t(5893),r=t(1151);const a={title:"High Availability External DB"},o=void 0,i={id:"datastore/ha",title:"High Availability External DB",description:"This section describes how to install a high-availability K3s cluster with an external database.",source:"@site/docs/datastore/ha.md",sourceDirName:"datastore",slug:"/datastore/ha",permalink:"/datastore/ha",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/datastore/ha.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"High Availability External DB"},sidebar:"mySidebar",previous:{title:"High Availability Embedded etcd",permalink:"/datastore/ha-embedded"},next:{title:"Cluster Load Balancer",permalink:"/datastore/cluster-loadbalancer"}},d={},l=[{value:"Installation Outline",id:"installation-outline",level:2},{value:"1. Create an External Datastore",id:"1-create-an-external-datastore",level:3},{value:"2. Launch Server Nodes",id:"2-launch-server-nodes",level:3},{value:"3. Optional: Join Additional Server Nodes",id:"3-optional-join-additional-server-nodes",level:3},{value:"4. Optional: Configure a Fixed Registration Address",id:"4-optional-configure-a-fixed-registration-address",level:3},{value:"5. Optional: Join Agent Nodes",id:"5-optional-join-agent-nodes",level:3}];function c(e){const n={a:"a",admonition:"admonition",code:"code",h2:"h2",h3:"h3",li:"li",p:"p",pre:"pre",strong:"strong",ul:"ul",...(0,r.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(n.p,{children:"This section describes how to install a high-availability K3s cluster with an external database."}),"\n",(0,s.jsx)(n.admonition,{type:"note",children:(0,s.jsxs)(n.p,{children:["To rapidly deploy large HA clusters, see ",(0,s.jsx)(n.a,{href:"/related-projects",children:"Related Projects"})]})}),"\n",(0,s.jsx)(n.p,{children:"Single server clusters can meet a variety of use cases, but for environments where uptime of the Kubernetes control plane is critical, you can run K3s in an HA configuration. An HA K3s cluster is composed of:"}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsxs)(n.li,{children:["Two or more ",(0,s.jsx)(n.strong,{children:"server nodes"})," that will serve the Kubernetes API and run other control plane services"]}),"\n",(0,s.jsxs)(n.li,{children:["An ",(0,s.jsx)(n.strong,{children:"external datastore"})," (as opposed to the embedded SQLite datastore used in single-server setups)"]}),"\n",(0,s.jsxs)(n.li,{children:["Optional: Zero or more ",(0,s.jsx)(n.strong,{children:"agent nodes"})," that are designated to run your apps and services"]}),"\n",(0,s.jsxs)(n.li,{children:["Optional: A ",(0,s.jsx)(n.strong,{children:"fixed registration address"})," for agent nodes to register with the cluster"]}),"\n"]}),"\n",(0,s.jsxs)(n.p,{children:["For more details on how these components work together, refer to the ",(0,s.jsx)(n.a,{href:"/architecture#high-availability-k3s",children:"architecture section."})]}),"\n",(0,s.jsx)(n.h2,{id:"installation-outline",children:"Installation Outline"}),"\n",(0,s.jsx)(n.p,{children:"Setting up an HA cluster requires the following steps:"}),"\n",(0,s.jsx)(n.h3,{id:"1-create-an-external-datastore",children:"1. Create an External Datastore"}),"\n",(0,s.jsxs)(n.p,{children:["You will first need to create an external datastore for the cluster. See the ",(0,s.jsx)(n.a,{href:"/datastore/",children:"Cluster Datastore Options"})," documentation for more details."]}),"\n",(0,s.jsx)(n.h3,{id:"2-launch-server-nodes",children:"2. Launch Server Nodes"}),"\n",(0,s.jsxs)(n.p,{children:["K3s requires two or more server nodes for this HA configuration. See the ",(0,s.jsx)(n.a,{href:"/installation/requirements",children:"Requirements"})," guide for minimum machine requirements."]}),"\n",(0,s.jsxs)(n.p,{children:["When running the ",(0,s.jsx)(n.code,{children:"k3s server"})," command on these nodes, you must set the ",(0,s.jsx)(n.code,{children:"datastore-endpoint"})," parameter so that K3s knows how to connect to the external datastore. The ",(0,s.jsx)(n.code,{children:"token"})," parameter can also be used to set a deterministic token when adding nodes. When empty, this token will be generated automatically for further use."]}),"\n",(0,s.jsxs)(n.p,{children:["For example, a command like the following could be used to install the K3s server with a MySQL database as the external datastore and ",(0,s.jsx)(n.a,{href:"/cli/server#cluster-options",children:"set a token"}),":"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'curl -sfL https://get.k3s.io | sh -s - server \\\n --token=SECRET \\\n --datastore-endpoint="mysql://username:password@tcp(hostname:3306)/database-name" \\\n --tls-san=<FIXED_IP> # Optional, needed if using a fixed registration address\n'})}),"\n",(0,s.jsxs)(n.p,{children:["The datastore endpoint format differs based on the database type. For details, refer to the section on ",(0,s.jsx)(n.a,{href:"/datastore/#datastore-endpoint-format-and-functionality",children:"datastore endpoint formats."})]}),"\n",(0,s.jsxs)(n.p,{children:["To configure TLS certificates when launching server nodes, refer to the ",(0,s.jsx)(n.a,{href:"/datastore/#external-datastore-configuration-parameters",children:"datastore configuration guide."})]}),"\n",(0,s.jsx)(n.admonition,{type:"note",children:(0,s.jsxs)(n.p,{children:["The same installation options available to single-server installs are also available for high-availability installs. For more details, see the ",(0,s.jsx)(n.a,{href:"/installation/configuration",children:"Configuration Options"})," documentation."]})}),"\n",(0,s.jsxs)(n.p,{children:["By default, server nodes will be schedulable and thus your workloads can get launched on them. If you wish to have a dedicated control plane where no user workloads will run, you can use taints. The ",(0,s.jsx)(n.code,{children:"node-taint"})," parameter will allow you to configure nodes with taints, for example ",(0,s.jsx)(n.code,{children:"--node-taint CriticalAddonsOnly=true:NoExecute"}),"."]}),"\n",(0,s.jsxs)(n.p,{children:["Once you've launched the ",(0,s.jsx)(n.code,{children:"k3s server"})," process on all server nodes, ensure that the cluster has come up properly with ",(0,s.jsx)(n.code,{children:"k3s kubectl get nodes"}),". You should see your server nodes in the Ready state."]}),"\n",(0,s.jsx)(n.h3,{id:"3-optional-join-additional-server-nodes",children:"3. Optional: Join Additional Server Nodes"}),"\n",(0,s.jsx)(n.p,{children:"The same example command in Step 2 can be used to join additional server nodes, where the token from the first node needs to be used."}),"\n",(0,s.jsxs)(n.p,{children:["If the first server node was started without the ",(0,s.jsx)(n.code,{children:"--token"})," CLI flag or ",(0,s.jsx)(n.code,{children:"K3S_TOKEN"})," variable, the token value can be retrieved from any server already joined to the cluster:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"cat /var/lib/rancher/k3s/server/token\n"})}),"\n",(0,s.jsxs)(n.p,{children:["Additional server nodes can then be added ",(0,s.jsx)(n.a,{href:"/cli/server#cluster-options",children:"using the token"}),":"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'curl -sfL https://get.k3s.io | sh -s - server \\\n --token=SECRET \\\n --datastore-endpoint="mysql://username:password@tcp(hostname:3306)/database-name"\n'})}),"\n",(0,s.jsx)(n.p,{children:"There are a few config flags that must be the same in all server nodes:"}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsxs)(n.li,{children:["Network related flags: ",(0,s.jsx)(n.code,{children:"--cluster-dns"}),", ",(0,s.jsx)(n.code,{children:"--cluster-domain"}),", ",(0,s.jsx)(n.code,{children:"--cluster-cidr"}),", ",(0,s.jsx)(n.code,{children:"--service-cidr"})]}),"\n",(0,s.jsxs)(n.li,{children:["Flags controlling the deployment of certain components: ",(0,s.jsx)(n.code,{children:"--disable-helm-controller"}),", ",(0,s.jsx)(n.code,{children:"--disable-kube-proxy"}),", ",(0,s.jsx)(n.code,{children:"--disable-network-policy"})," and any component passed to ",(0,s.jsx)(n.code,{children:"--disable"})]}),"\n",(0,s.jsxs)(n.li,{children:["Feature related flags: ",(0,s.jsx)(n.code,{children:"--secrets-encryption"})]}),"\n"]}),"\n",(0,s.jsx)(n.admonition,{type:"note",children:(0,s.jsx)(n.p,{children:"Ensure that you retain a copy of this token as it is required when restoring from backup and adding nodes. Previously, K3s did not enforce the use of a token when using external SQL datastores."})}),"\n",(0,s.jsx)(n.h3,{id:"4-optional-configure-a-fixed-registration-address",children:"4. Optional: Configure a Fixed Registration Address"}),"\n",(0,s.jsx)(n.p,{children:"Agent nodes need a URL to register against. This can be the IP or hostname of any server node, but in many cases those may change over time. For example, if running your cluster in a cloud that supports scaling groups, nodes may be created and destroyed over time, changing to different IPs from the initial set of server nodes. It would be best to have a stable endpoint in front of the server nodes that will not change over time. This endpoint can be set up using any number approaches, such as:"}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsx)(n.li,{children:"A layer-4 (TCP) load balancer"}),"\n",(0,s.jsx)(n.li,{children:"Round-robin DNS"}),"\n",(0,s.jsx)(n.li,{children:"Virtual or elastic IP addresses"}),"\n"]}),"\n",(0,s.jsxs)(n.p,{children:["See ",(0,s.jsx)(n.a,{href:"/datastore/cluster-loadbalancer",children:"Cluster Loadbalancer"})," for example configurations."]}),"\n",(0,s.jsxs)(n.p,{children:["This endpoint can also be used for accessing the Kubernetes API. So you can, for example, modify your ",(0,s.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/",children:"kubeconfig"})," file to point to it instead of a specific node."]}),"\n",(0,s.jsxs)(n.p,{children:["To avoid certificate errors in such a configuration, you should configure the server with the ",(0,s.jsx)(n.code,{children:"--tls-san=YOUR_IP_OR_HOSTNAME_HERE"})," option. This option adds an additional hostname or IP as a Subject Alternative Name in the TLS cert, and it can be specified multiple times if you would like to access via both the IP and the hostname."]}),"\n",(0,s.jsx)(n.h3,{id:"5-optional-join-agent-nodes",children:"5. Optional: Join Agent Nodes"}),"\n",(0,s.jsx)(n.p,{children:"Because K3s server nodes are schedulable by default, agent nodes are not required for a HA K3s cluster. However, you may wish to have dedicated agent nodes to run your apps and services."}),"\n",(0,s.jsx)(n.p,{children:"Joining agent nodes in an HA cluster is the same as joining agent nodes in a single server cluster. You just need to specify the URL the agent should register to (either one of the server IPs or a fixed registration address) and the token it should use."}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"K3S_TOKEN=SECRET k3s agent --server https://server-or-fixed-registration-address:6443\n"})})]})}function h(e={}){const{wrapper:n}={...(0,r.a)(),...e.components};return n?(0,s.jsx)(n,{...e,children:(0,s.jsx)(c,{...e})}):c(e)}},1151:(e,n,t)=>{t.d(n,{Z:()=>i,a:()=>o});var s=t(7294);const r={},a=s.createContext(r);function o(e){const n=s.useContext(a);return s.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function i(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:o(e.components),s.createElement(a.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/ea0a4c6d.6f8b73e4.js b/assets/js/ea0a4c6d.6f8b73e4.js new file mode 100644 index 000000000..30f61a9d2 --- /dev/null +++ b/assets/js/ea0a4c6d.6f8b73e4.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[791],{9555:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>d,contentTitle:()=>o,default:()=>h,frontMatter:()=>a,metadata:()=>i,toc:()=>l});var s=t(5893),r=t(1151);const a={title:"High Availability External DB"},o=void 0,i={id:"datastore/ha",title:"High Availability External DB",description:"This section describes how to install a high-availability K3s cluster with an external database.",source:"@site/docs/datastore/ha.md",sourceDirName:"datastore",slug:"/datastore/ha",permalink:"/datastore/ha",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/datastore/ha.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"High Availability External DB"},sidebar:"mySidebar",previous:{title:"High Availability Embedded etcd",permalink:"/datastore/ha-embedded"},next:{title:"Cluster Load Balancer",permalink:"/datastore/cluster-loadbalancer"}},d={},l=[{value:"Installation Outline",id:"installation-outline",level:2},{value:"1. Create an External Datastore",id:"1-create-an-external-datastore",level:3},{value:"2. Launch Server Nodes",id:"2-launch-server-nodes",level:3},{value:"3. Optional: Join Additional Server Nodes",id:"3-optional-join-additional-server-nodes",level:3},{value:"4. Optional: Configure a Fixed Registration Address",id:"4-optional-configure-a-fixed-registration-address",level:3},{value:"5. Optional: Join Agent Nodes",id:"5-optional-join-agent-nodes",level:3}];function c(e){const n={a:"a",admonition:"admonition",code:"code",h2:"h2",h3:"h3",li:"li",p:"p",pre:"pre",strong:"strong",ul:"ul",...(0,r.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(n.p,{children:"This section describes how to install a high-availability K3s cluster with an external database."}),"\n",(0,s.jsx)(n.admonition,{type:"note",children:(0,s.jsxs)(n.p,{children:["To rapidly deploy large HA clusters, see ",(0,s.jsx)(n.a,{href:"/related-projects",children:"Related Projects"})]})}),"\n",(0,s.jsx)(n.p,{children:"Single server clusters can meet a variety of use cases, but for environments where uptime of the Kubernetes control plane is critical, you can run K3s in an HA configuration. An HA K3s cluster is composed of:"}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsxs)(n.li,{children:["Two or more ",(0,s.jsx)(n.strong,{children:"server nodes"})," that will serve the Kubernetes API and run other control plane services"]}),"\n",(0,s.jsxs)(n.li,{children:["An ",(0,s.jsx)(n.strong,{children:"external datastore"})," (as opposed to the embedded SQLite datastore used in single-server setups)"]}),"\n",(0,s.jsxs)(n.li,{children:["Optional: Zero or more ",(0,s.jsx)(n.strong,{children:"agent nodes"})," that are designated to run your apps and services"]}),"\n",(0,s.jsxs)(n.li,{children:["Optional: A ",(0,s.jsx)(n.strong,{children:"fixed registration address"})," for agent nodes to register with the cluster"]}),"\n"]}),"\n",(0,s.jsxs)(n.p,{children:["For more details on how these components work together, refer to the ",(0,s.jsx)(n.a,{href:"/architecture#high-availability-k3s",children:"architecture section."})]}),"\n",(0,s.jsx)(n.h2,{id:"installation-outline",children:"Installation Outline"}),"\n",(0,s.jsx)(n.p,{children:"Setting up an HA cluster requires the following steps:"}),"\n",(0,s.jsx)(n.h3,{id:"1-create-an-external-datastore",children:"1. Create an External Datastore"}),"\n",(0,s.jsxs)(n.p,{children:["You will first need to create an external datastore for the cluster. See the ",(0,s.jsx)(n.a,{href:"/datastore/",children:"Cluster Datastore Options"})," documentation for more details."]}),"\n",(0,s.jsx)(n.h3,{id:"2-launch-server-nodes",children:"2. Launch Server Nodes"}),"\n",(0,s.jsxs)(n.p,{children:["K3s requires two or more server nodes for this HA configuration. See the ",(0,s.jsx)(n.a,{href:"/installation/requirements",children:"Requirements"})," guide for minimum machine requirements."]}),"\n",(0,s.jsxs)(n.p,{children:["When running the ",(0,s.jsx)(n.code,{children:"k3s server"})," command on these nodes, you must set the ",(0,s.jsx)(n.code,{children:"datastore-endpoint"})," parameter so that K3s knows how to connect to the external datastore. The ",(0,s.jsx)(n.code,{children:"token"})," parameter can also be used to set a deterministic token when adding nodes. When empty, this token will be generated automatically for further use."]}),"\n",(0,s.jsxs)(n.p,{children:["For example, a command like the following could be used to install the K3s server with a MySQL database as the external datastore and ",(0,s.jsx)(n.a,{href:"/cli/server#cluster-options",children:"set a token"}),":"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'curl -sfL https://get.k3s.io | sh -s - server \\\n --token=SECRET \\\n --datastore-endpoint="mysql://username:password@tcp(hostname:3306)/database-name" \\\n --tls-san=<FIXED_IP> # Optional, needed if using a fixed registration address\n'})}),"\n",(0,s.jsxs)(n.p,{children:["The datastore endpoint format differs based on the database type. For details, refer to the section on ",(0,s.jsx)(n.a,{href:"/datastore/#datastore-endpoint-format-and-functionality",children:"datastore endpoint formats."})]}),"\n",(0,s.jsxs)(n.p,{children:["To configure TLS certificates when launching server nodes, refer to the ",(0,s.jsx)(n.a,{href:"/datastore/#external-datastore-configuration-parameters",children:"datastore configuration guide."})]}),"\n",(0,s.jsx)(n.admonition,{type:"note",children:(0,s.jsxs)(n.p,{children:["The same installation options available to single-server installs are also available for high-availability installs. For more details, see the ",(0,s.jsx)(n.a,{href:"/installation/configuration",children:"Configuration Options"})," documentation."]})}),"\n",(0,s.jsxs)(n.p,{children:["By default, server nodes will be schedulable and thus your workloads can get launched on them. If you wish to have a dedicated control plane where no user workloads will run, you can use taints. The ",(0,s.jsx)(n.code,{children:"node-taint"})," parameter will allow you to configure nodes with taints, for example ",(0,s.jsx)(n.code,{children:"--node-taint CriticalAddonsOnly=true:NoExecute"}),"."]}),"\n",(0,s.jsxs)(n.p,{children:["Once you've launched the ",(0,s.jsx)(n.code,{children:"k3s server"})," process on all server nodes, ensure that the cluster has come up properly with ",(0,s.jsx)(n.code,{children:"k3s kubectl get nodes"}),". You should see your server nodes in the Ready state."]}),"\n",(0,s.jsx)(n.h3,{id:"3-optional-join-additional-server-nodes",children:"3. Optional: Join Additional Server Nodes"}),"\n",(0,s.jsx)(n.p,{children:"The same example command in Step 2 can be used to join additional server nodes, where the token from the first node needs to be used."}),"\n",(0,s.jsxs)(n.p,{children:["If the first server node was started without the ",(0,s.jsx)(n.code,{children:"--token"})," CLI flag or ",(0,s.jsx)(n.code,{children:"K3S_TOKEN"})," variable, the token value can be retrieved from any server already joined to the cluster:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"cat /var/lib/rancher/k3s/server/token\n"})}),"\n",(0,s.jsxs)(n.p,{children:["Additional server nodes can then be added ",(0,s.jsx)(n.a,{href:"/cli/server#cluster-options",children:"using the token"}),":"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'curl -sfL https://get.k3s.io | sh -s - server \\\n --token=SECRET \\\n --datastore-endpoint="mysql://username:password@tcp(hostname:3306)/database-name"\n'})}),"\n",(0,s.jsx)(n.p,{children:"There are a few config flags that must be the same in all server nodes:"}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsxs)(n.li,{children:["Network related flags: ",(0,s.jsx)(n.code,{children:"--cluster-dns"}),", ",(0,s.jsx)(n.code,{children:"--cluster-domain"}),", ",(0,s.jsx)(n.code,{children:"--cluster-cidr"}),", ",(0,s.jsx)(n.code,{children:"--service-cidr"})]}),"\n",(0,s.jsxs)(n.li,{children:["Flags controlling the deployment of certain components: ",(0,s.jsx)(n.code,{children:"--disable-helm-controller"}),", ",(0,s.jsx)(n.code,{children:"--disable-kube-proxy"}),", ",(0,s.jsx)(n.code,{children:"--disable-network-policy"})," and any component passed to ",(0,s.jsx)(n.code,{children:"--disable"})]}),"\n",(0,s.jsxs)(n.li,{children:["Feature related flags: ",(0,s.jsx)(n.code,{children:"--secrets-encryption"})]}),"\n"]}),"\n",(0,s.jsx)(n.admonition,{type:"note",children:(0,s.jsx)(n.p,{children:"Ensure that you retain a copy of this token as it is required when restoring from backup and adding nodes. Previously, K3s did not enforce the use of a token when using external SQL datastores."})}),"\n",(0,s.jsx)(n.h3,{id:"4-optional-configure-a-fixed-registration-address",children:"4. Optional: Configure a Fixed Registration Address"}),"\n",(0,s.jsx)(n.p,{children:"Agent nodes need a URL to register against. This can be the IP or hostname of any server node, but in many cases those may change over time. For example, if running your cluster in a cloud that supports scaling groups, nodes may be created and destroyed over time, changing to different IPs from the initial set of server nodes. It would be best to have a stable endpoint in front of the server nodes that will not change over time. This endpoint can be set up using any number approaches, such as:"}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsx)(n.li,{children:"A layer-4 (TCP) load balancer"}),"\n",(0,s.jsx)(n.li,{children:"Round-robin DNS"}),"\n",(0,s.jsx)(n.li,{children:"Virtual or elastic IP addresses"}),"\n"]}),"\n",(0,s.jsxs)(n.p,{children:["See ",(0,s.jsx)(n.a,{href:"/datastore/cluster-loadbalancer",children:"Cluster Loadbalancer"})," for example configurations."]}),"\n",(0,s.jsxs)(n.p,{children:["This endpoint can also be used for accessing the Kubernetes API. So you can, for example, modify your ",(0,s.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/",children:"kubeconfig"})," file to point to it instead of a specific node."]}),"\n",(0,s.jsxs)(n.p,{children:["To avoid certificate errors in such a configuration, you should configure the server with the ",(0,s.jsx)(n.code,{children:"--tls-san=YOUR_IP_OR_HOSTNAME_HERE"})," option. This option adds an additional hostname or IP as a Subject Alternative Name in the TLS cert, and it can be specified multiple times if you would like to access via both the IP and the hostname."]}),"\n",(0,s.jsx)(n.h3,{id:"5-optional-join-agent-nodes",children:"5. Optional: Join Agent Nodes"}),"\n",(0,s.jsx)(n.p,{children:"Because K3s server nodes are schedulable by default, agent nodes are not required for a HA K3s cluster. However, you may wish to have dedicated agent nodes to run your apps and services."}),"\n",(0,s.jsx)(n.p,{children:"Joining agent nodes in an HA cluster is the same as joining agent nodes in a single server cluster. You just need to specify the URL the agent should register to (either one of the server IPs or a fixed registration address) and the token it should use."}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"K3S_TOKEN=SECRET k3s agent --server https://server-or-fixed-registration-address:6443\n"})})]})}function h(e={}){const{wrapper:n}={...(0,r.a)(),...e.components};return n?(0,s.jsx)(n,{...e,children:(0,s.jsx)(c,{...e})}):c(e)}},1151:(e,n,t)=>{t.d(n,{Z:()=>i,a:()=>o});var s=t(7294);const r={},a=s.createContext(r);function o(e){const n=s.useContext(a);return s.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function i(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:o(e.components),s.createElement(a.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/ec6f9153.2cb400d8.js b/assets/js/ec6f9153.2cb400d8.js new file mode 100644 index 000000000..d924eba54 --- /dev/null +++ b/assets/js/ec6f9153.2cb400d8.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[750],{4987:(e,r,n)=>{n.r(r),n.d(r,{assets:()=>o,contentTitle:()=>t,default:()=>c,frontMatter:()=>s,metadata:()=>l,toc:()=>d});var a=n(5893),i=n(1151);const s={title:"Air-Gap Install"},t=void 0,l={id:"installation/airgap",title:"Air-Gap Install",description:"You can install K3s in an air-gapped environment using two different methods. An air-gapped environment is any environment that is not directly connected to the Internet. You can either deploy a private registry and mirror docker.io, or you can manually deploy images such as for small clusters.",source:"@site/docs/installation/airgap.md",sourceDirName:"installation",slug:"/installation/airgap",permalink:"/installation/airgap",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/airgap.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Air-Gap Install"},sidebar:"mySidebar",previous:{title:"Embedded Registry Mirror",permalink:"/installation/registry-mirror"},next:{title:"Managing Server Roles",permalink:"/installation/server-roles"}},o={},d=[{value:"Load Images",id:"load-images",level:2},{value:"Private Registry Method",id:"private-registry-method",level:3},{value:"Create the Registry YAML and Push Images",id:"create-the-registry-yaml-and-push-images",level:4},{value:"Manually Deploy Images Method",id:"manually-deploy-images-method",level:3},{value:"Prepare the Images Directory and Airgap Image Tarball",id:"prepare-the-images-directory-and-airgap-image-tarball",level:4},{value:"Embedded Registry Mirror",id:"embedded-registry-mirror",level:3},{value:"Install K3s",id:"install-k3s",level:2},{value:"Prerequisites",id:"prerequisites",level:3},{value:"Binaries",id:"binaries",level:4},{value:"Default Network Route",id:"default-network-route",level:4},{value:"SELinux RPM",id:"selinux-rpm",level:4},{value:"Installing K3s in an Air-Gapped Environment",id:"installing-k3s-in-an-air-gapped-environment",level:3},{value:"Upgrading",id:"upgrading",level:2},{value:"Install Script Method",id:"install-script-method",level:3},{value:"Automated Upgrades Method",id:"automated-upgrades-method",level:3}];function h(e){const r={a:"a",admonition:"admonition",code:"code",h2:"h2",h3:"h3",h4:"h4",li:"li",ol:"ol",p:"p",pre:"pre",ul:"ul",...(0,i.a)(),...e.components},{TabItem:n,Tabs:s}=r;return n||u("TabItem",!0),s||u("Tabs",!0),(0,a.jsxs)(a.Fragment,{children:[(0,a.jsx)(r.p,{children:"You can install K3s in an air-gapped environment using two different methods. An air-gapped environment is any environment that is not directly connected to the Internet. You can either deploy a private registry and mirror docker.io, or you can manually deploy images such as for small clusters."}),"\n",(0,a.jsx)(r.h2,{id:"load-images",children:"Load Images"}),"\n",(0,a.jsx)(r.h3,{id:"private-registry-method",children:"Private Registry Method"}),"\n",(0,a.jsx)(r.p,{children:"These steps assume you have already created nodes in your air-gap environment,\nare using the bundled containerd as the container runtime,\nand have a OCI-compliant private registry available in your environment."}),"\n",(0,a.jsxs)(r.p,{children:["If you have not yet set up a private Docker registry, refer to the ",(0,a.jsx)(r.a,{href:"https://docs.docker.com/registry/deploying/#run-an-externally-accessible-registry",children:"official Registry documentation"}),"."]}),"\n",(0,a.jsx)(r.h4,{id:"create-the-registry-yaml-and-push-images",children:"Create the Registry YAML and Push Images"}),"\n",(0,a.jsxs)(r.ol,{children:["\n",(0,a.jsxs)(r.li,{children:["Obtain the images archive for your architecture from the ",(0,a.jsx)(r.a,{href:"https://github.com/k3s-io/k3s/releases",children:"releases"})," page for the version of K3s you will be running."]}),"\n",(0,a.jsxs)(r.li,{children:["Use ",(0,a.jsx)(r.code,{children:"docker image load k3s-airgap-images-amd64.tar.zst"})," to import images from the tar file into docker."]}),"\n",(0,a.jsxs)(r.li,{children:["Use ",(0,a.jsx)(r.code,{children:"docker tag"})," and ",(0,a.jsx)(r.code,{children:"docker push"})," to retag and push the loaded images to your private registry."]}),"\n",(0,a.jsxs)(r.li,{children:["Follow the ",(0,a.jsx)(r.a,{href:"/installation/private-registry",children:"Private Registry Configuration"})," guide to create and configure the ",(0,a.jsx)(r.code,{children:"registries.yaml"})," file."]}),"\n",(0,a.jsxs)(r.li,{children:["Proceed to the ",(0,a.jsx)(r.a,{href:"#install-k3s",children:"Install K3s"})," section below."]}),"\n"]}),"\n",(0,a.jsx)(r.h3,{id:"manually-deploy-images-method",children:"Manually Deploy Images Method"}),"\n",(0,a.jsx)(r.p,{children:"These steps assume you have already created nodes in your air-gap environment,\nare using the bundled containerd as the container runtime,\nand cannot or do not want to use a private registry."}),"\n",(0,a.jsx)(r.p,{children:"This method requires you to manually deploy the necessary images to each node, and is appropriate for edge deployments where running a private registry is not practical."}),"\n",(0,a.jsx)(r.h4,{id:"prepare-the-images-directory-and-airgap-image-tarball",children:"Prepare the Images Directory and Airgap Image Tarball"}),"\n",(0,a.jsxs)(r.ol,{children:["\n",(0,a.jsxs)(r.li,{children:["Obtain the images archive for your architecture from the ",(0,a.jsx)(r.a,{href:"https://github.com/k3s-io/k3s/releases",children:"releases"})," page for the version of K3s you will be running."]}),"\n",(0,a.jsx)(r.li,{children:"Download the imagess archive to the agent's images directory, for example:"}),"\n"]}),"\n",(0,a.jsx)(r.pre,{children:(0,a.jsx)(r.code,{className:"language-bash",children:'sudo mkdir -p /var/lib/rancher/k3s/agent/images/\nsudo curl -L -o /var/lib/rancher/k3s/agent/images/k3s-airgap-images-amd64.tar.zst "https://github.com/k3s-io/k3s/releases/download/v1.29.1-rc2%2Bk3s1/k3s-airgap-images-amd64.tar.zst"\n'})}),"\n",(0,a.jsxs)(r.ol,{start:"3",children:["\n",(0,a.jsxs)(r.li,{children:["Proceed to the ",(0,a.jsx)(r.a,{href:"#install-k3s",children:"Install K3s"})," section below."]}),"\n"]}),"\n",(0,a.jsx)(r.h3,{id:"embedded-registry-mirror",children:"Embedded Registry Mirror"}),"\n",(0,a.jsx)(r.admonition,{title:"Version Gate",type:"info",children:(0,a.jsx)(r.p,{children:"The Embedded Registry Mirror is available as an experimental feature as of January 2024 releases: v1.26.13+k3s1, v1.27.10+k3s1, v1.28.6+k3s1, v1.29.1+k3s1"})}),"\n",(0,a.jsx)(r.p,{children:"K3s includes an embedded distributed OCI-compliant registry mirror.\nWhen enabled and properly configured, images available in the containerd image store on any node\ncan be pulled by other cluster members without access to an external image registry."}),"\n",(0,a.jsxs)(r.p,{children:["The mirrored images may be sourced from an upstream registry, registry mirror, or airgap image tarball.\nFor more information on enabling the embedded distributed registry mirror, see the ",(0,a.jsx)(r.a,{href:"/installation/registry-mirror",children:"Embedded Registry Mirror"})," documentation."]}),"\n",(0,a.jsx)(r.h2,{id:"install-k3s",children:"Install K3s"}),"\n",(0,a.jsx)(r.h3,{id:"prerequisites",children:"Prerequisites"}),"\n",(0,a.jsxs)(r.p,{children:["Before installing K3s, complete the ",(0,a.jsx)(r.a,{href:"#private-registry-method",children:"Private Registry Method"})," or the ",(0,a.jsx)(r.a,{href:"#manually-deploy-images-method",children:"Manually Deploy Images Method"})," above to prepopulate the images that K3s needs to install."]}),"\n",(0,a.jsx)(r.h4,{id:"binaries",children:"Binaries"}),"\n",(0,a.jsxs)(r.ul,{children:["\n",(0,a.jsxs)(r.li,{children:["Download the K3s binary from the ",(0,a.jsx)(r.a,{href:"https://github.com/k3s-io/k3s/releases",children:"releases"})," page, matching the same version used to get the airgap images. Place the binary in ",(0,a.jsx)(r.code,{children:"/usr/local/bin"})," on each air-gapped node and ensure it is executable."]}),"\n",(0,a.jsxs)(r.li,{children:["Download the K3s install script at ",(0,a.jsx)(r.a,{href:"https://get.k3s.io",children:"get.k3s.io"}),". Place the install script anywhere on each air-gapped node, and name it ",(0,a.jsx)(r.code,{children:"install.sh"}),"."]}),"\n"]}),"\n",(0,a.jsx)(r.h4,{id:"default-network-route",children:"Default Network Route"}),"\n",(0,a.jsx)(r.p,{children:"If your nodes do not have an interface with a default route, a default route must be configured; even a black-hole route via a dummy interface will suffice. K3s requires a default route in order to auto-detect the node's primary IP, and for kube-proxy ClusterIP routing to function properly. To add a dummy route, do the following:"}),"\n",(0,a.jsx)(r.pre,{children:(0,a.jsx)(r.code,{children:"ip link add dummy0 type dummy\nip link set dummy0 up\nip addr add 203.0.113.254/31 dev dummy0\nip route add default via 203.0.113.255 dev dummy0 metric 1000\n"})}),"\n",(0,a.jsxs)(r.p,{children:["When running the K3s script with the ",(0,a.jsx)(r.code,{children:"INSTALL_K3S_SKIP_DOWNLOAD"})," environment variable, K3s will use the local version of the script and binary."]}),"\n",(0,a.jsx)(r.h4,{id:"selinux-rpm",children:"SELinux RPM"}),"\n",(0,a.jsxs)(r.p,{children:["If you intend to deploy K3s with SELinux enabled, you will need also install the appropriate k3s-selinux RPM on all nodes. The latest version of the RPM can be found ",(0,a.jsx)(r.a,{href:"https://github.com/k3s-io/k3s-selinux/releases/latest",children:"here"}),". For example, on CentOS 8:"]}),"\n",(0,a.jsx)(r.pre,{children:(0,a.jsx)(r.code,{className:"language-bash",children:"On internet accessible machine:\ncurl -LO https://github.com/k3s-io/k3s-selinux/releases/download/v1.4.stable.1/k3s-selinux-1.4-1.el8.noarch.rpm\n\n# Transfer RPM to air-gapped machine\nOn air-gapped machine:\nsudo yum install ./k3s-selinux-1.4-1.el8.noarch.rpm\n"})}),"\n",(0,a.jsxs)(r.p,{children:["See the ",(0,a.jsx)(r.a,{href:"/advanced#selinux-support",children:"SELinux"})," section for more information."]}),"\n",(0,a.jsx)(r.h3,{id:"installing-k3s-in-an-air-gapped-environment",children:"Installing K3s in an Air-Gapped Environment"}),"\n",(0,a.jsx)(r.p,{children:"You can install K3s on one or more servers as described below."}),"\n",(0,a.jsxs)(s,{queryString:"airgap-cluster",children:[(0,a.jsxs)(n,{value:"Single Server Configuration",default:!0,children:[(0,a.jsx)(r.p,{children:"To install K3s on a single server, simply do the following on the server node:"}),(0,a.jsx)(r.pre,{children:(0,a.jsx)(r.code,{className:"language-bash",children:"INSTALL_K3S_SKIP_DOWNLOAD=true ./install.sh\n"})}),(0,a.jsx)(r.p,{children:"To add additional agents, do the following on each agent node:"}),(0,a.jsx)(r.pre,{children:(0,a.jsx)(r.code,{className:"language-bash",children:"INSTALL_K3S_SKIP_DOWNLOAD=true K3S_URL=https://<SERVER_IP>:6443 K3S_TOKEN=<YOUR_TOKEN> ./install.sh\n"})}),(0,a.jsx)(r.admonition,{type:"note",children:(0,a.jsxs)(r.p,{children:["The token from the server is typically found at ",(0,a.jsx)(r.code,{children:"/var/lib/rancher/k3s/server/token"}),"."]})})]}),(0,a.jsxs)(n,{value:"High Availability Configuration",default:!0,children:[(0,a.jsxs)(r.p,{children:["Reference the ",(0,a.jsx)(r.a,{href:"/datastore/ha",children:"High Availability with an External DB"})," or ",(0,a.jsx)(r.a,{href:"/datastore/ha-embedded",children:"High Availability with Embedded DB"})," guides. You will be tweaking install commands so you specify ",(0,a.jsx)(r.code,{children:"INSTALL_K3S_SKIP_DOWNLOAD=true"})," and run your install script locally instead of via curl. You will also utilize ",(0,a.jsx)(r.code,{children:"INSTALL_K3S_EXEC='args'"})," to supply any arguments to k3s."]}),(0,a.jsx)(r.p,{children:"For example, step two of the High Availability with an External DB guide mentions the following:"}),(0,a.jsx)(r.pre,{children:(0,a.jsx)(r.code,{className:"language-bash",children:'curl -sfL https://get.k3s.io | sh -s - server \\\n --token=SECRET \\\n --datastore-endpoint="mysql://username:password@tcp(hostname:3306)/database-name"\n'})}),(0,a.jsx)(r.p,{children:"Instead, you would modify such examples like below:"}),(0,a.jsx)(r.pre,{children:(0,a.jsx)(r.code,{className:"language-bash",children:"INSTALL_K3S_SKIP_DOWNLOAD=true INSTALL_K3S_EXEC='server --token=SECRET' \\\nK3S_DATASTORE_ENDPOINT='mysql://username:password@tcp(hostname:3306)/database-name' \\\n./install.sh\n"})})]})]}),"\n",(0,a.jsx)(r.admonition,{type:"note",children:(0,a.jsxs)(r.p,{children:["K3s's ",(0,a.jsx)(r.code,{children:"--resolv-conf"})," flag is passed through to the kubelet, which may help with configuring pod DNS resolution in air-gap networks where the host does not have upstream nameservers configured."]})}),"\n",(0,a.jsx)(r.h2,{id:"upgrading",children:"Upgrading"}),"\n",(0,a.jsx)(r.h3,{id:"install-script-method",children:"Install Script Method"}),"\n",(0,a.jsx)(r.p,{children:"Upgrading an air-gap environment can be accomplished in the following manner:"}),"\n",(0,a.jsxs)(r.ol,{children:["\n",(0,a.jsxs)(r.li,{children:["Download the new air-gap images (tar file) from the ",(0,a.jsx)(r.a,{href:"https://github.com/k3s-io/k3s/releases",children:"releases"})," page for the version of K3s you will be upgrading to. Place the tar in the ",(0,a.jsx)(r.code,{children:"/var/lib/rancher/k3s/agent/images/"})," directory on each\nnode. Delete the old tar file."]}),"\n",(0,a.jsxs)(r.li,{children:["Copy and replace the old K3s binary in ",(0,a.jsx)(r.code,{children:"/usr/local/bin"})," on each node. Copy over the install script at ",(0,a.jsx)(r.a,{href:"https://get.k3s.io",children:"https://get.k3s.io"})," (as it is possible it has changed since the last release). Run the script again just as you had done in the past\nwith the same environment variables."]}),"\n",(0,a.jsx)(r.li,{children:"Restart the K3s service (if not restarted automatically by installer)."}),"\n"]}),"\n",(0,a.jsx)(r.h3,{id:"automated-upgrades-method",children:"Automated Upgrades Method"}),"\n",(0,a.jsxs)(r.p,{children:["K3s supports ",(0,a.jsx)(r.a,{href:"/upgrades/automated",children:"automated upgrades"}),". To enable this in air-gapped environments, you must ensure the required images are available in your private registry."]}),"\n",(0,a.jsxs)(r.p,{children:["You will need the version of rancher/k3s-upgrade that corresponds to the version of K3s you intend to upgrade to. Note, the image tag replaces the ",(0,a.jsx)(r.code,{children:"+"})," in the K3s release with a ",(0,a.jsx)(r.code,{children:"-"})," because Docker images do not support ",(0,a.jsx)(r.code,{children:"+"}),"."]}),"\n",(0,a.jsxs)(r.p,{children:["You will also need the versions of system-upgrade-controller and kubectl that are specified in the system-upgrade-controller manifest YAML that you will deploy. Check for the latest release of the system-upgrade-controller ",(0,a.jsx)(r.a,{href:"https://github.com/rancher/system-upgrade-controller/releases/latest",children:"here"})," and download the system-upgrade-controller.yaml to determine the versions you need to push to your private registry. For example, in release v0.4.0 of the system-upgrade-controller, these images are specified in the manifest YAML:"]}),"\n",(0,a.jsx)(r.pre,{children:(0,a.jsx)(r.code,{children:"rancher/system-upgrade-controller:v0.4.0\nrancher/kubectl:v0.17.0\n"})}),"\n",(0,a.jsxs)(r.p,{children:["Once you have added the necessary rancher/k3s-upgrade, rancher/system-upgrade-controller, and rancher/kubectl images to your private registry, follow the ",(0,a.jsx)(r.a,{href:"/upgrades/automated",children:"automated upgrades"})," guide."]})]})}function c(e={}){const{wrapper:r}={...(0,i.a)(),...e.components};return r?(0,a.jsx)(r,{...e,children:(0,a.jsx)(h,{...e})}):h(e)}function u(e,r){throw new Error("Expected "+(r?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,r,n)=>{n.d(r,{Z:()=>l,a:()=>t});var a=n(7294);const i={},s=a.createContext(i);function t(e){const r=a.useContext(s);return a.useMemo((function(){return"function"==typeof e?e(r):{...r,...e}}),[r,e])}function l(e){let r;return r=e.disableParentContext?"function"==typeof e.components?e.components(i):e.components||i:t(e.components),a.createElement(s.Provider,{value:r},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/ec6f9153.9dac174f.js b/assets/js/ec6f9153.9dac174f.js deleted file mode 100644 index a166c331f..000000000 --- a/assets/js/ec6f9153.9dac174f.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[750],{4987:(e,r,n)=>{n.r(r),n.d(r,{assets:()=>o,contentTitle:()=>t,default:()=>c,frontMatter:()=>s,metadata:()=>l,toc:()=>d});var a=n(5893),i=n(1151);const s={title:"Air-Gap Install"},t=void 0,l={id:"installation/airgap",title:"Air-Gap Install",description:"You can install K3s in an air-gapped environment using two different methods. An air-gapped environment is any environment that is not directly connected to the Internet. You can either deploy a private registry and mirror docker.io, or you can manually deploy images such as for small clusters.",source:"@site/docs/installation/airgap.md",sourceDirName:"installation",slug:"/installation/airgap",permalink:"/installation/airgap",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/airgap.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Air-Gap Install"},sidebar:"mySidebar",previous:{title:"Embedded Registry Mirror",permalink:"/installation/registry-mirror"},next:{title:"Managing Server Roles",permalink:"/installation/server-roles"}},o={},d=[{value:"Load Images",id:"load-images",level:2},{value:"Private Registry Method",id:"private-registry-method",level:3},{value:"Create the Registry YAML and Push Images",id:"create-the-registry-yaml-and-push-images",level:4},{value:"Manually Deploy Images Method",id:"manually-deploy-images-method",level:3},{value:"Prepare the Images Directory and Airgap Image Tarball",id:"prepare-the-images-directory-and-airgap-image-tarball",level:4},{value:"Embedded Registry Mirror",id:"embedded-registry-mirror",level:3},{value:"Install K3s",id:"install-k3s",level:2},{value:"Prerequisites",id:"prerequisites",level:3},{value:"Binaries",id:"binaries",level:4},{value:"Default Network Route",id:"default-network-route",level:4},{value:"SELinux RPM",id:"selinux-rpm",level:4},{value:"Installing K3s in an Air-Gapped Environment",id:"installing-k3s-in-an-air-gapped-environment",level:3},{value:"Upgrading",id:"upgrading",level:2},{value:"Install Script Method",id:"install-script-method",level:3},{value:"Automated Upgrades Method",id:"automated-upgrades-method",level:3}];function h(e){const r={a:"a",admonition:"admonition",code:"code",h2:"h2",h3:"h3",h4:"h4",li:"li",ol:"ol",p:"p",pre:"pre",ul:"ul",...(0,i.a)(),...e.components},{TabItem:n,Tabs:s}=r;return n||u("TabItem",!0),s||u("Tabs",!0),(0,a.jsxs)(a.Fragment,{children:[(0,a.jsx)(r.p,{children:"You can install K3s in an air-gapped environment using two different methods. An air-gapped environment is any environment that is not directly connected to the Internet. You can either deploy a private registry and mirror docker.io, or you can manually deploy images such as for small clusters."}),"\n",(0,a.jsx)(r.h2,{id:"load-images",children:"Load Images"}),"\n",(0,a.jsx)(r.h3,{id:"private-registry-method",children:"Private Registry Method"}),"\n",(0,a.jsx)(r.p,{children:"These steps assume you have already created nodes in your air-gap environment,\nare using the bundled containerd as the container runtime,\nand have a OCI-compliant private registry available in your environment."}),"\n",(0,a.jsxs)(r.p,{children:["If you have not yet set up a private Docker registry, refer to the ",(0,a.jsx)(r.a,{href:"https://docs.docker.com/registry/deploying/#run-an-externally-accessible-registry",children:"official Registry documentation"}),"."]}),"\n",(0,a.jsx)(r.h4,{id:"create-the-registry-yaml-and-push-images",children:"Create the Registry YAML and Push Images"}),"\n",(0,a.jsxs)(r.ol,{children:["\n",(0,a.jsxs)(r.li,{children:["Obtain the images archive for your architecture from the ",(0,a.jsx)(r.a,{href:"https://github.com/k3s-io/k3s/releases",children:"releases"})," page for the version of K3s you will be running."]}),"\n",(0,a.jsxs)(r.li,{children:["Use ",(0,a.jsx)(r.code,{children:"docker image load k3s-airgap-images-amd64.tar.zst"})," to import images from the tar file into docker."]}),"\n",(0,a.jsxs)(r.li,{children:["Use ",(0,a.jsx)(r.code,{children:"docker tag"})," and ",(0,a.jsx)(r.code,{children:"docker push"})," to retag and push the loaded images to your private registry."]}),"\n",(0,a.jsxs)(r.li,{children:["Follow the ",(0,a.jsx)(r.a,{href:"/installation/private-registry",children:"Private Registry Configuration"})," guide to create and configure the ",(0,a.jsx)(r.code,{children:"registries.yaml"})," file."]}),"\n",(0,a.jsxs)(r.li,{children:["Proceed to the ",(0,a.jsx)(r.a,{href:"#install-k3s",children:"Install K3s"})," section below."]}),"\n"]}),"\n",(0,a.jsx)(r.h3,{id:"manually-deploy-images-method",children:"Manually Deploy Images Method"}),"\n",(0,a.jsx)(r.p,{children:"These steps assume you have already created nodes in your air-gap environment,\nare using the bundled containerd as the container runtime,\nand cannot or do not want to use a private registry."}),"\n",(0,a.jsx)(r.p,{children:"This method requires you to manually deploy the necessary images to each node, and is appropriate for edge deployments where running a private registry is not practical."}),"\n",(0,a.jsx)(r.h4,{id:"prepare-the-images-directory-and-airgap-image-tarball",children:"Prepare the Images Directory and Airgap Image Tarball"}),"\n",(0,a.jsxs)(r.ol,{children:["\n",(0,a.jsxs)(r.li,{children:["Obtain the images archive for your architecture from the ",(0,a.jsx)(r.a,{href:"https://github.com/k3s-io/k3s/releases",children:"releases"})," page for the version of K3s you will be running."]}),"\n",(0,a.jsx)(r.li,{children:"Download the imagess archive to the agent's images directory, for example:"}),"\n"]}),"\n",(0,a.jsx)(r.pre,{children:(0,a.jsx)(r.code,{className:"language-bash",children:'sudo mkdir -p /var/lib/rancher/k3s/agent/images/\nsudo curl -L -o /var/lib/rancher/k3s/agent/images/k3s-airgap-images-amd64.tar.zst "https://github.com/k3s-io/k3s/releases/download/v1.29.1-rc2%2Bk3s1/k3s-airgap-images-amd64.tar.zst"\n'})}),"\n",(0,a.jsxs)(r.ol,{start:"3",children:["\n",(0,a.jsxs)(r.li,{children:["Proceed to the ",(0,a.jsx)(r.a,{href:"#install-k3s",children:"Install K3s"})," section below."]}),"\n"]}),"\n",(0,a.jsx)(r.h3,{id:"embedded-registry-mirror",children:"Embedded Registry Mirror"}),"\n",(0,a.jsx)(r.admonition,{title:"Version Gate",type:"info",children:(0,a.jsx)(r.p,{children:"The Embedded Registry Mirror is available as an experimental feature as of January 2024 releases: v1.26.13+k3s1, v1.27.10+k3s1, v1.28.6+k3s1, v1.29.1+k3s1"})}),"\n",(0,a.jsx)(r.p,{children:"K3s includes an embedded distributed OCI-compliant registry mirror.\nWhen enabled and properly configured, images available in the containerd image store on any node\ncan be pulled by other cluster members without access to an external image registry."}),"\n",(0,a.jsxs)(r.p,{children:["The mirrored images may be sourced from an upstream registry, registry mirror, or airgap image tarball.\nFor more information on enabling the embedded distributed registry mirror, see the ",(0,a.jsx)(r.a,{href:"/installation/registry-mirror",children:"Embedded Registry Mirror"})," documentation."]}),"\n",(0,a.jsx)(r.h2,{id:"install-k3s",children:"Install K3s"}),"\n",(0,a.jsx)(r.h3,{id:"prerequisites",children:"Prerequisites"}),"\n",(0,a.jsxs)(r.p,{children:["Before installing K3s, complete the ",(0,a.jsx)(r.a,{href:"#private-registry-method",children:"Private Registry Method"})," or the ",(0,a.jsx)(r.a,{href:"#manually-deploy-images-method",children:"Manually Deploy Images Method"})," above to prepopulate the images that K3s needs to install."]}),"\n",(0,a.jsx)(r.h4,{id:"binaries",children:"Binaries"}),"\n",(0,a.jsxs)(r.ul,{children:["\n",(0,a.jsxs)(r.li,{children:["Download the K3s binary from the ",(0,a.jsx)(r.a,{href:"https://github.com/k3s-io/k3s/releases",children:"releases"})," page, matching the same version used to get the airgap images. Place the binary in ",(0,a.jsx)(r.code,{children:"/usr/local/bin"})," on each air-gapped node and ensure it is executable."]}),"\n",(0,a.jsxs)(r.li,{children:["Download the K3s install script at ",(0,a.jsx)(r.a,{href:"https://get.k3s.io",children:"get.k3s.io"}),". Place the install script anywhere on each air-gapped node, and name it ",(0,a.jsx)(r.code,{children:"install.sh"}),"."]}),"\n"]}),"\n",(0,a.jsx)(r.h4,{id:"default-network-route",children:"Default Network Route"}),"\n",(0,a.jsx)(r.p,{children:"If your nodes do not have an interface with a default route, a default route must be configured; even a black-hole route via a dummy interface will suffice. K3s requires a default route in order to auto-detect the node's primary IP, and for kube-proxy ClusterIP routing to function properly. To add a dummy route, do the following:"}),"\n",(0,a.jsx)(r.pre,{children:(0,a.jsx)(r.code,{children:"ip link add dummy0 type dummy\nip link set dummy0 up\nip addr add 203.0.113.254/31 dev dummy0\nip route add default via 203.0.113.255 dev dummy0 metric 1000\n"})}),"\n",(0,a.jsxs)(r.p,{children:["When running the K3s script with the ",(0,a.jsx)(r.code,{children:"INSTALL_K3S_SKIP_DOWNLOAD"})," environment variable, K3s will use the local version of the script and binary."]}),"\n",(0,a.jsx)(r.h4,{id:"selinux-rpm",children:"SELinux RPM"}),"\n",(0,a.jsxs)(r.p,{children:["If you intend to deploy K3s with SELinux enabled, you will need also install the appropriate k3s-selinux RPM on all nodes. The latest version of the RPM can be found ",(0,a.jsx)(r.a,{href:"https://github.com/k3s-io/k3s-selinux/releases/latest",children:"here"}),". For example, on CentOS 8:"]}),"\n",(0,a.jsx)(r.pre,{children:(0,a.jsx)(r.code,{className:"language-bash",children:"On internet accessible machine:\ncurl -LO https://github.com/k3s-io/k3s-selinux/releases/download/v1.4.stable.1/k3s-selinux-1.4-1.el8.noarch.rpm\n\n# Transfer RPM to air-gapped machine\nOn air-gapped machine:\nsudo yum install ./k3s-selinux-1.4-1.el8.noarch.rpm\n"})}),"\n",(0,a.jsxs)(r.p,{children:["See the ",(0,a.jsx)(r.a,{href:"/advanced#selinux-support",children:"SELinux"})," section for more information."]}),"\n",(0,a.jsx)(r.h3,{id:"installing-k3s-in-an-air-gapped-environment",children:"Installing K3s in an Air-Gapped Environment"}),"\n",(0,a.jsx)(r.p,{children:"You can install K3s on one or more servers as described below."}),"\n",(0,a.jsxs)(s,{queryString:"airgap-cluster",children:[(0,a.jsxs)(n,{value:"Single Server Configuration",default:!0,children:[(0,a.jsx)(r.p,{children:"To install K3s on a single server, simply do the following on the server node:"}),(0,a.jsx)(r.pre,{children:(0,a.jsx)(r.code,{className:"language-bash",children:"INSTALL_K3S_SKIP_DOWNLOAD=true ./install.sh\n"})}),(0,a.jsx)(r.p,{children:"To add additional agents, do the following on each agent node:"}),(0,a.jsx)(r.pre,{children:(0,a.jsx)(r.code,{className:"language-bash",children:"INSTALL_K3S_SKIP_DOWNLOAD=true K3S_URL=https://<SERVER_IP>:6443 K3S_TOKEN=<YOUR_TOKEN> ./install.sh\n"})}),(0,a.jsx)(r.admonition,{type:"note",children:(0,a.jsxs)(r.p,{children:["The token from the server is typically found at ",(0,a.jsx)(r.code,{children:"/var/lib/rancher/k3s/server/token"}),"."]})})]}),(0,a.jsxs)(n,{value:"High Availability Configuration",default:!0,children:[(0,a.jsxs)(r.p,{children:["Reference the ",(0,a.jsx)(r.a,{href:"/datastore/ha",children:"High Availability with an External DB"})," or ",(0,a.jsx)(r.a,{href:"/datastore/ha-embedded",children:"High Availability with Embedded DB"})," guides. You will be tweaking install commands so you specify ",(0,a.jsx)(r.code,{children:"INSTALL_K3S_SKIP_DOWNLOAD=true"})," and run your install script locally instead of via curl. You will also utilize ",(0,a.jsx)(r.code,{children:"INSTALL_K3S_EXEC='args'"})," to supply any arguments to k3s."]}),(0,a.jsx)(r.p,{children:"For example, step two of the High Availability with an External DB guide mentions the following:"}),(0,a.jsx)(r.pre,{children:(0,a.jsx)(r.code,{className:"language-bash",children:'curl -sfL https://get.k3s.io | sh -s - server \\\n --token=SECRET \\\n --datastore-endpoint="mysql://username:password@tcp(hostname:3306)/database-name"\n'})}),(0,a.jsx)(r.p,{children:"Instead, you would modify such examples like below:"}),(0,a.jsx)(r.pre,{children:(0,a.jsx)(r.code,{className:"language-bash",children:"INSTALL_K3S_SKIP_DOWNLOAD=true INSTALL_K3S_EXEC='server --token=SECRET' \\\nK3S_DATASTORE_ENDPOINT='mysql://username:password@tcp(hostname:3306)/database-name' \\\n./install.sh\n"})})]})]}),"\n",(0,a.jsx)(r.admonition,{type:"note",children:(0,a.jsxs)(r.p,{children:["K3s's ",(0,a.jsx)(r.code,{children:"--resolv-conf"})," flag is passed through to the kubelet, which may help with configuring pod DNS resolution in air-gap networks where the host does not have upstream nameservers configured."]})}),"\n",(0,a.jsx)(r.h2,{id:"upgrading",children:"Upgrading"}),"\n",(0,a.jsx)(r.h3,{id:"install-script-method",children:"Install Script Method"}),"\n",(0,a.jsx)(r.p,{children:"Upgrading an air-gap environment can be accomplished in the following manner:"}),"\n",(0,a.jsxs)(r.ol,{children:["\n",(0,a.jsxs)(r.li,{children:["Download the new air-gap images (tar file) from the ",(0,a.jsx)(r.a,{href:"https://github.com/k3s-io/k3s/releases",children:"releases"})," page for the version of K3s you will be upgrading to. Place the tar in the ",(0,a.jsx)(r.code,{children:"/var/lib/rancher/k3s/agent/images/"})," directory on each\nnode. Delete the old tar file."]}),"\n",(0,a.jsxs)(r.li,{children:["Copy and replace the old K3s binary in ",(0,a.jsx)(r.code,{children:"/usr/local/bin"})," on each node. Copy over the install script at ",(0,a.jsx)(r.a,{href:"https://get.k3s.io",children:"https://get.k3s.io"})," (as it is possible it has changed since the last release). Run the script again just as you had done in the past\nwith the same environment variables."]}),"\n",(0,a.jsx)(r.li,{children:"Restart the K3s service (if not restarted automatically by installer)."}),"\n"]}),"\n",(0,a.jsx)(r.h3,{id:"automated-upgrades-method",children:"Automated Upgrades Method"}),"\n",(0,a.jsxs)(r.p,{children:["K3s supports ",(0,a.jsx)(r.a,{href:"/upgrades/automated",children:"automated upgrades"}),". To enable this in air-gapped environments, you must ensure the required images are available in your private registry."]}),"\n",(0,a.jsxs)(r.p,{children:["You will need the version of rancher/k3s-upgrade that corresponds to the version of K3s you intend to upgrade to. Note, the image tag replaces the ",(0,a.jsx)(r.code,{children:"+"})," in the K3s release with a ",(0,a.jsx)(r.code,{children:"-"})," because Docker images do not support ",(0,a.jsx)(r.code,{children:"+"}),"."]}),"\n",(0,a.jsxs)(r.p,{children:["You will also need the versions of system-upgrade-controller and kubectl that are specified in the system-upgrade-controller manifest YAML that you will deploy. Check for the latest release of the system-upgrade-controller ",(0,a.jsx)(r.a,{href:"https://github.com/rancher/system-upgrade-controller/releases/latest",children:"here"})," and download the system-upgrade-controller.yaml to determine the versions you need to push to your private registry. For example, in release v0.4.0 of the system-upgrade-controller, these images are specified in the manifest YAML:"]}),"\n",(0,a.jsx)(r.pre,{children:(0,a.jsx)(r.code,{children:"rancher/system-upgrade-controller:v0.4.0\nrancher/kubectl:v0.17.0\n"})}),"\n",(0,a.jsxs)(r.p,{children:["Once you have added the necessary rancher/k3s-upgrade, rancher/system-upgrade-controller, and rancher/kubectl images to your private registry, follow the ",(0,a.jsx)(r.a,{href:"/upgrades/automated",children:"automated upgrades"})," guide."]})]})}function c(e={}){const{wrapper:r}={...(0,i.a)(),...e.components};return r?(0,a.jsx)(r,{...e,children:(0,a.jsx)(h,{...e})}):h(e)}function u(e,r){throw new Error("Expected "+(r?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,r,n)=>{n.d(r,{Z:()=>l,a:()=>t});var a=n(7294);const i={},s=a.createContext(i);function t(e){const r=a.useContext(s);return a.useMemo((function(){return"function"==typeof e?e(r):{...r,...e}}),[r,e])}function l(e){let r;return r=e.disableParentContext?"function"==typeof e.components?e.components(i):e.components||i:t(e.components),a.createElement(s.Provider,{value:r},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/ee75e821.652d2896.js b/assets/js/ee75e821.652d2896.js new file mode 100644 index 000000000..0ea6a8423 --- /dev/null +++ b/assets/js/ee75e821.652d2896.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7893],{5380:(n,e,t)=>{t.r(e),t.d(e,{assets:()=>a,contentTitle:()=>s,default:()=>u,frontMatter:()=>r,metadata:()=>c,toc:()=>l});var i=t(5893),o=t(1151);const r={title:"Networking"},s=void 0,c={id:"networking/networking",title:"Networking",description:"This section contains instructions for configuring networking in K3s.",source:"@site/docs/networking/networking.md",sourceDirName:"networking",slug:"/networking/",permalink:"/networking/",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/networking/networking.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Networking"},sidebar:"mySidebar",previous:{title:"Volumes and Storage",permalink:"/storage"},next:{title:"Basic Network Options",permalink:"/networking/basic-network-options"}},a={},l=[];function d(n){const e={a:"a",p:"p",...(0,o.a)(),...n.components};return(0,i.jsxs)(i.Fragment,{children:[(0,i.jsx)(e.p,{children:"This section contains instructions for configuring networking in K3s."}),"\n",(0,i.jsxs)(e.p,{children:[(0,i.jsx)(e.a,{href:"/networking/basic-network-options",children:"Basic Network Options"})," covers the basic networking configuration of the cluster such as flannel and single/dual stack configurations"]}),"\n",(0,i.jsxs)(e.p,{children:[(0,i.jsx)(e.a,{href:"/networking/distributed-multicloud",children:"Hybrid/Multicloud cluster"})," provides guidance on the options available to span the k3s cluster over remote or hybrid nodes"]}),"\n",(0,i.jsxs)(e.p,{children:[(0,i.jsx)(e.a,{href:"/networking/multus-ipams",children:"Multus and IPAM plugins"})," provides guidance to leverage Multus in K3s in order to have multiple interfaces per pod"]}),"\n",(0,i.jsxs)(e.p,{children:[(0,i.jsx)(e.a,{href:"/networking/networking-services",children:"Networking services: dns, ingress, etc"})," explains how CoreDNS, Traefik, Network Policy controller and ServiceLB controller work within k3s"]})]})}function u(n={}){const{wrapper:e}={...(0,o.a)(),...n.components};return e?(0,i.jsx)(e,{...n,children:(0,i.jsx)(d,{...n})}):d(n)}},1151:(n,e,t)=>{t.d(e,{Z:()=>c,a:()=>s});var i=t(7294);const o={},r=i.createContext(o);function s(n){const e=i.useContext(r);return i.useMemo((function(){return"function"==typeof n?n(e):{...e,...n}}),[e,n])}function c(n){let e;return e=n.disableParentContext?"function"==typeof n.components?n.components(o):n.components||o:s(n.components),i.createElement(r.Provider,{value:e},n.children)}}}]); \ No newline at end of file diff --git a/assets/js/ee75e821.a8cdab5c.js b/assets/js/ee75e821.a8cdab5c.js deleted file mode 100644 index eff48a234..000000000 --- a/assets/js/ee75e821.a8cdab5c.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7893],{5380:(n,e,t)=>{t.r(e),t.d(e,{assets:()=>a,contentTitle:()=>s,default:()=>u,frontMatter:()=>r,metadata:()=>c,toc:()=>l});var i=t(5893),o=t(1151);const r={title:"Networking"},s=void 0,c={id:"networking/networking",title:"Networking",description:"This section contains instructions for configuring networking in K3s.",source:"@site/docs/networking/networking.md",sourceDirName:"networking",slug:"/networking/",permalink:"/networking/",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/networking/networking.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Networking"},sidebar:"mySidebar",previous:{title:"Volumes and Storage",permalink:"/storage"},next:{title:"Basic Network Options",permalink:"/networking/basic-network-options"}},a={},l=[];function d(n){const e={a:"a",p:"p",...(0,o.a)(),...n.components};return(0,i.jsxs)(i.Fragment,{children:[(0,i.jsx)(e.p,{children:"This section contains instructions for configuring networking in K3s."}),"\n",(0,i.jsxs)(e.p,{children:[(0,i.jsx)(e.a,{href:"/networking/basic-network-options",children:"Basic Network Options"})," covers the basic networking configuration of the cluster such as flannel and single/dual stack configurations"]}),"\n",(0,i.jsxs)(e.p,{children:[(0,i.jsx)(e.a,{href:"/networking/distributed-multicloud",children:"Hybrid/Multicloud cluster"})," provides guidance on the options available to span the k3s cluster over remote or hybrid nodes"]}),"\n",(0,i.jsxs)(e.p,{children:[(0,i.jsx)(e.a,{href:"/networking/multus-ipams",children:"Multus and IPAM plugins"})," provides guidance to leverage Multus in K3s in order to have multiple interfaces per pod"]}),"\n",(0,i.jsxs)(e.p,{children:[(0,i.jsx)(e.a,{href:"/networking/networking-services",children:"Networking services: dns, ingress, etc"})," explains how CoreDNS, Traefik, Network Policy controller and ServiceLB controller work within k3s"]})]})}function u(n={}){const{wrapper:e}={...(0,o.a)(),...n.components};return e?(0,i.jsx)(e,{...n,children:(0,i.jsx)(d,{...n})}):d(n)}},1151:(n,e,t)=>{t.d(e,{Z:()=>c,a:()=>s});var i=t(7294);const o={},r=i.createContext(o);function s(n){const e=i.useContext(r);return i.useMemo((function(){return"function"==typeof n?n(e):{...e,...n}}),[e,n])}function c(n){let e;return e=n.disableParentContext?"function"==typeof n.components?n.components(o):n.components||o:s(n.components),i.createElement(r.Provider,{value:e},n.children)}}}]); \ No newline at end of file diff --git a/assets/js/f319c6ab.13d902eb.js b/assets/js/f319c6ab.13d902eb.js new file mode 100644 index 000000000..249e56d57 --- /dev/null +++ b/assets/js/f319c6ab.13d902eb.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[8379],{1328:(e,s,n)=>{n.r(s),n.d(s,{assets:()=>l,contentTitle:()=>o,default:()=>u,frontMatter:()=>r,metadata:()=>a,toc:()=>d});var t=n(5893),i=n(1151);const r={title:"Known Issues"},o=void 0,a={id:"known-issues",title:"Known Issues",description:"The Known Issues are updated periodically and designed to inform you about any issues that may not be immediately addressed in the next upcoming release.",source:"@site/docs/known-issues.md",sourceDirName:".",slug:"/known-issues",permalink:"/known-issues",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/known-issues.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Known Issues"},sidebar:"mySidebar",previous:{title:"Related Projects",permalink:"/related-projects"},next:{title:"FAQ",permalink:"/faq"}},l={},d=[{value:"Snap Docker",id:"snap-docker",level:3},{value:"Iptables",id:"iptables",level:3},{value:"Rootless Mode",id:"rootless-mode",level:3},{value:"Upgrading Hardened Clusters from v1.24.x to v1.25.x",id:"hardened-125",level:3}];function c(e){const s={a:"a",admonition:"admonition",code:"code",h3:"h3",li:"li",ol:"ol",p:"p",pre:"pre",...(0,i.a)(),...e.components};return(0,t.jsxs)(t.Fragment,{children:[(0,t.jsx)(s.p,{children:"The Known Issues are updated periodically and designed to inform you about any issues that may not be immediately addressed in the next upcoming release."}),"\n",(0,t.jsx)(s.h3,{id:"snap-docker",children:"Snap Docker"}),"\n",(0,t.jsx)(s.p,{children:"If you plan to use K3s with docker, Docker installed via a snap package is not recommended as it has been known to cause issues running K3s."}),"\n",(0,t.jsx)(s.h3,{id:"iptables",children:"Iptables"}),"\n",(0,t.jsx)(s.p,{children:"If you are running iptables v1.6.1 and older in nftables mode you might encounter issues. We recommend utilizing newer iptables (such as 1.6.1+) to avoid issues or running iptables legacy mode."}),"\n",(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{children:"update-alternatives --set iptables /usr/sbin/iptables-legacy\nupdate-alternatives --set ip6tables /usr/sbin/ip6tables-legacy\n"})}),"\n",(0,t.jsxs)(s.p,{children:["Iptables versions 1.8.0-1.8.4 have known issues that can cause K3s to fail. Several popular Linux distributions ship with these versions by default. One bug causes the accumulation of duplicate rules, which negatively affects the performance and stability of the node. See ",(0,t.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/issues/3117",children:"Issue #3117"})," for information on how to determine if you are affected by this problem."]}),"\n",(0,t.jsxs)(s.p,{children:["K3s includes a working version of iptables (v1.8.8) which functions properly. You can tell K3s to use its bundled version of iptables by starting K3s with the ",(0,t.jsx)(s.code,{children:"--prefer-bundled-bin"})," option, or by uninstalling the iptables/nftables packages from your operating system."]}),"\n",(0,t.jsx)(s.admonition,{title:"Version Gate",type:"info",children:(0,t.jsxs)(s.p,{children:["The ",(0,t.jsx)(s.code,{children:"--prefer-bundled-bin"})," flag is available starting with the 2022-12 releases (v1.26.0+k3s1, v1.25.5+k3s1, v1.24.9+k3s1, v1.23.15+k3s1)."]})}),"\n",(0,t.jsx)(s.h3,{id:"rootless-mode",children:"Rootless Mode"}),"\n",(0,t.jsxs)(s.p,{children:["Running K3s with Rootless mode is experimental and has several ",(0,t.jsx)(s.a,{href:"/advanced#known-issues-with-rootless-mode",children:"known issues."})]}),"\n",(0,t.jsx)(s.h3,{id:"hardened-125",children:"Upgrading Hardened Clusters from v1.24.x to v1.25.x"}),"\n",(0,t.jsxs)(s.p,{children:["Kubernetes removed PodSecurityPolicy from v1.25 in favor of Pod Security Standards. You can read more about PSS in the ",(0,t.jsx)(s.a,{href:"https://kubernetes.io/docs/concepts/security/pod-security-standards/",children:"upstream documentation"}),". For K3S, there are some manual steps that must be taken if any ",(0,t.jsx)(s.code,{children:"PodSecurityPolicy"})," has been configured on the nodes."]}),"\n",(0,t.jsxs)(s.ol,{children:["\n",(0,t.jsxs)(s.li,{children:["On all nodes, update the ",(0,t.jsx)(s.code,{children:"kube-apiserver-arg"})," value to remove the ",(0,t.jsx)(s.code,{children:"PodSecurityPolicy"})," admission-plugin. Add the following arg value instead: ",(0,t.jsx)(s.code,{children:"'admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml'"}),", but do NOT restart or upgrade K3S yet. Below is an example of what a configuration file might look like after this update for the node to be hardened:"]}),"\n"]}),"\n",(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-yaml",children:"protect-kernel-defaults: true\nsecrets-encryption: true\nkube-apiserver-arg:\n - 'admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml'\n - 'audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log'\n - 'audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml'\n - 'audit-log-maxage=30'\n - 'audit-log-maxbackup=10'\n - 'audit-log-maxsize=100'\nkube-controller-manager-arg:\n - 'terminated-pod-gc-threshold=10'\n - 'use-service-account-credentials=true'\nkubelet-arg:\n - 'streaming-connection-idle-timeout=5m'\n - 'make-iptables-util-chains=true'\n"})}),"\n",(0,t.jsxs)(s.ol,{start:"2",children:["\n",(0,t.jsxs)(s.li,{children:["Create the ",(0,t.jsx)(s.code,{children:"/var/lib/rancher/k3s/server/psa.yaml"})," file with the following contents. You may want to exempt more namespaces as well. The below example exempts ",(0,t.jsx)(s.code,{children:"kube-system"})," (required), ",(0,t.jsx)(s.code,{children:"cis-operator-system"})," (optional, but useful for when running security scans through Rancher), and ",(0,t.jsx)(s.code,{children:"system-upgrade"})," (required if doing ",(0,t.jsx)(s.a,{href:"/upgrades/automated",children:"Automated Upgrades"}),")."]}),"\n"]}),"\n",(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-yaml",children:'apiVersion: apiserver.config.k8s.io/v1\nkind: AdmissionConfiguration\nplugins:\n- name: PodSecurity\n configuration:\n apiVersion: pod-security.admission.config.k8s.io/v1beta1\n kind: PodSecurityConfiguration\n defaults:\n enforce: "restricted"\n enforce-version: "latest"\n audit: "restricted"\n audit-version: "latest"\n warn: "restricted"\n warn-version: "latest"\n exemptions:\n usernames: []\n runtimeClasses: []\n namespaces: [kube-system, cis-operator-system, system-upgrade]\n'})}),"\n",(0,t.jsxs)(s.ol,{start:"3",children:["\n",(0,t.jsxs)(s.li,{children:["Perform the upgrade as normal. If doing ",(0,t.jsx)(s.a,{href:"/upgrades/automated",children:"Automated Upgrades"}),", ensure that the namespace where the ",(0,t.jsx)(s.code,{children:"system-upgrade-controller"})," pod is running in is setup to be privileged in accordance with the ",(0,t.jsx)(s.a,{href:"https://kubernetes.io/docs/concepts/security/pod-security-admission/#pod-security-levels",children:"Pod Security levels"}),":"]}),"\n"]}),"\n",(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-yaml",children:"apiVersion: v1\nkind: Namespace\nmetadata:\n name: system-upgrade\n labels:\n # This value must be privileged for the controller to run successfully.\n pod-security.kubernetes.io/enforce: privileged\n pod-security.kubernetes.io/enforce-version: v1.25\n # We are setting these to our _desired_ `enforce` level, but note that these below values can be any of the available options.\n pod-security.kubernetes.io/audit: privileged\n pod-security.kubernetes.io/audit-version: v1.25\n pod-security.kubernetes.io/warn: privileged\n pod-security.kubernetes.io/warn-version: v1.25\n"})}),"\n",(0,t.jsxs)(s.ol,{start:"4",children:["\n",(0,t.jsxs)(s.li,{children:["After the upgrade is complete, remove any remaining PSP resources from the cluster. In many cases, there may be PodSecurityPolicies and associated RBAC resources in custom files used for hardening within ",(0,t.jsx)(s.code,{children:"/var/lib/rancher/k3s/server/manifests/"}),". Remove those resources and k3s will update automatically. Sometimes, due to timing, some of these may be left in the cluster, in which case you will need to delete them manually. If the ",(0,t.jsx)(s.a,{href:"/security/hardening-guide",children:"Hardening Guide"})," was previously followed, you should be able to delete them via the following:"]}),"\n"]}),"\n",(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-sh",children:"# Get the resources associated with PSPs\n$ kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A | grep -i psp\n\n# Delete those resources:\n$ kubectl delete clusterrole.rbac.authorization.k8s.io/psp:restricted-psp clusterrole.rbac.authorization.k8s.io/psp:svclb-psp clusterrole.rbac.authorization.k8s.io/psp:system-unrestricted-psp clusterrolebinding.rbac.authorization.k8s.io/default:restricted-psp clusterrolebinding.rbac.authorization.k8s.io/system-unrestricted-node-psp-rolebinding && kubectl delete -n kube-system rolebinding.rbac.authorization.k8s.io/svclb-psp-rolebinding rolebinding.rbac.authorization.k8s.io/system-unrestricted-svc-acct-psp-rolebinding\n"})})]})}function u(e={}){const{wrapper:s}={...(0,i.a)(),...e.components};return s?(0,t.jsx)(s,{...e,children:(0,t.jsx)(c,{...e})}):c(e)}},1151:(e,s,n)=>{n.d(s,{Z:()=>a,a:()=>o});var t=n(7294);const i={},r=t.createContext(i);function o(e){const s=t.useContext(r);return t.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function a(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(i):e.components||i:o(e.components),t.createElement(r.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/f319c6ab.732d9658.js b/assets/js/f319c6ab.732d9658.js deleted file mode 100644 index cc3f171b6..000000000 --- a/assets/js/f319c6ab.732d9658.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[8379],{1328:(e,s,n)=>{n.r(s),n.d(s,{assets:()=>l,contentTitle:()=>o,default:()=>u,frontMatter:()=>r,metadata:()=>a,toc:()=>d});var t=n(5893),i=n(1151);const r={title:"Known Issues"},o=void 0,a={id:"known-issues",title:"Known Issues",description:"The Known Issues are updated periodically and designed to inform you about any issues that may not be immediately addressed in the next upcoming release.",source:"@site/docs/known-issues.md",sourceDirName:".",slug:"/known-issues",permalink:"/known-issues",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/known-issues.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Known Issues"},sidebar:"mySidebar",previous:{title:"Related Projects",permalink:"/related-projects"},next:{title:"FAQ",permalink:"/faq"}},l={},d=[{value:"Snap Docker",id:"snap-docker",level:3},{value:"Iptables",id:"iptables",level:3},{value:"Rootless Mode",id:"rootless-mode",level:3},{value:"Upgrading Hardened Clusters from v1.24.x to v1.25.x",id:"hardened-125",level:3}];function c(e){const s={a:"a",admonition:"admonition",code:"code",h3:"h3",li:"li",ol:"ol",p:"p",pre:"pre",...(0,i.a)(),...e.components};return(0,t.jsxs)(t.Fragment,{children:[(0,t.jsx)(s.p,{children:"The Known Issues are updated periodically and designed to inform you about any issues that may not be immediately addressed in the next upcoming release."}),"\n",(0,t.jsx)(s.h3,{id:"snap-docker",children:"Snap Docker"}),"\n",(0,t.jsx)(s.p,{children:"If you plan to use K3s with docker, Docker installed via a snap package is not recommended as it has been known to cause issues running K3s."}),"\n",(0,t.jsx)(s.h3,{id:"iptables",children:"Iptables"}),"\n",(0,t.jsx)(s.p,{children:"If you are running iptables v1.6.1 and older in nftables mode you might encounter issues. We recommend utilizing newer iptables (such as 1.6.1+) to avoid issues or running iptables legacy mode."}),"\n",(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{children:"update-alternatives --set iptables /usr/sbin/iptables-legacy\nupdate-alternatives --set ip6tables /usr/sbin/ip6tables-legacy\n"})}),"\n",(0,t.jsxs)(s.p,{children:["Iptables versions 1.8.0-1.8.4 have known issues that can cause K3s to fail. Several popular Linux distributions ship with these versions by default. One bug causes the accumulation of duplicate rules, which negatively affects the performance and stability of the node. See ",(0,t.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/issues/3117",children:"Issue #3117"})," for information on how to determine if you are affected by this problem."]}),"\n",(0,t.jsxs)(s.p,{children:["K3s includes a working version of iptables (v1.8.8) which functions properly. You can tell K3s to use its bundled version of iptables by starting K3s with the ",(0,t.jsx)(s.code,{children:"--prefer-bundled-bin"})," option, or by uninstalling the iptables/nftables packages from your operating system."]}),"\n",(0,t.jsx)(s.admonition,{title:"Version Gate",type:"info",children:(0,t.jsxs)(s.p,{children:["The ",(0,t.jsx)(s.code,{children:"--prefer-bundled-bin"})," flag is available starting with the 2022-12 releases (v1.26.0+k3s1, v1.25.5+k3s1, v1.24.9+k3s1, v1.23.15+k3s1)."]})}),"\n",(0,t.jsx)(s.h3,{id:"rootless-mode",children:"Rootless Mode"}),"\n",(0,t.jsxs)(s.p,{children:["Running K3s with Rootless mode is experimental and has several ",(0,t.jsx)(s.a,{href:"/advanced#known-issues-with-rootless-mode",children:"known issues."})]}),"\n",(0,t.jsx)(s.h3,{id:"hardened-125",children:"Upgrading Hardened Clusters from v1.24.x to v1.25.x"}),"\n",(0,t.jsxs)(s.p,{children:["Kubernetes removed PodSecurityPolicy from v1.25 in favor of Pod Security Standards. You can read more about PSS in the ",(0,t.jsx)(s.a,{href:"https://kubernetes.io/docs/concepts/security/pod-security-standards/",children:"upstream documentation"}),". For K3S, there are some manual steps that must be taken if any ",(0,t.jsx)(s.code,{children:"PodSecurityPolicy"})," has been configured on the nodes."]}),"\n",(0,t.jsxs)(s.ol,{children:["\n",(0,t.jsxs)(s.li,{children:["On all nodes, update the ",(0,t.jsx)(s.code,{children:"kube-apiserver-arg"})," value to remove the ",(0,t.jsx)(s.code,{children:"PodSecurityPolicy"})," admission-plugin. Add the following arg value instead: ",(0,t.jsx)(s.code,{children:"'admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml'"}),", but do NOT restart or upgrade K3S yet. Below is an example of what a configuration file might look like after this update for the node to be hardened:"]}),"\n"]}),"\n",(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-yaml",children:"protect-kernel-defaults: true\nsecrets-encryption: true\nkube-apiserver-arg:\n - 'admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml'\n - 'audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log'\n - 'audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml'\n - 'audit-log-maxage=30'\n - 'audit-log-maxbackup=10'\n - 'audit-log-maxsize=100'\nkube-controller-manager-arg:\n - 'terminated-pod-gc-threshold=10'\n - 'use-service-account-credentials=true'\nkubelet-arg:\n - 'streaming-connection-idle-timeout=5m'\n - 'make-iptables-util-chains=true'\n"})}),"\n",(0,t.jsxs)(s.ol,{start:"2",children:["\n",(0,t.jsxs)(s.li,{children:["Create the ",(0,t.jsx)(s.code,{children:"/var/lib/rancher/k3s/server/psa.yaml"})," file with the following contents. You may want to exempt more namespaces as well. The below example exempts ",(0,t.jsx)(s.code,{children:"kube-system"})," (required), ",(0,t.jsx)(s.code,{children:"cis-operator-system"})," (optional, but useful for when running security scans through Rancher), and ",(0,t.jsx)(s.code,{children:"system-upgrade"})," (required if doing ",(0,t.jsx)(s.a,{href:"/upgrades/automated",children:"Automated Upgrades"}),")."]}),"\n"]}),"\n",(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-yaml",children:'apiVersion: apiserver.config.k8s.io/v1\nkind: AdmissionConfiguration\nplugins:\n- name: PodSecurity\n configuration:\n apiVersion: pod-security.admission.config.k8s.io/v1beta1\n kind: PodSecurityConfiguration\n defaults:\n enforce: "restricted"\n enforce-version: "latest"\n audit: "restricted"\n audit-version: "latest"\n warn: "restricted"\n warn-version: "latest"\n exemptions:\n usernames: []\n runtimeClasses: []\n namespaces: [kube-system, cis-operator-system, system-upgrade]\n'})}),"\n",(0,t.jsxs)(s.ol,{start:"3",children:["\n",(0,t.jsxs)(s.li,{children:["Perform the upgrade as normal. If doing ",(0,t.jsx)(s.a,{href:"/upgrades/automated",children:"Automated Upgrades"}),", ensure that the namespace where the ",(0,t.jsx)(s.code,{children:"system-upgrade-controller"})," pod is running in is setup to be privileged in accordance with the ",(0,t.jsx)(s.a,{href:"https://kubernetes.io/docs/concepts/security/pod-security-admission/#pod-security-levels",children:"Pod Security levels"}),":"]}),"\n"]}),"\n",(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-yaml",children:"apiVersion: v1\nkind: Namespace\nmetadata:\n name: system-upgrade\n labels:\n # This value must be privileged for the controller to run successfully.\n pod-security.kubernetes.io/enforce: privileged\n pod-security.kubernetes.io/enforce-version: v1.25\n # We are setting these to our _desired_ `enforce` level, but note that these below values can be any of the available options.\n pod-security.kubernetes.io/audit: privileged\n pod-security.kubernetes.io/audit-version: v1.25\n pod-security.kubernetes.io/warn: privileged\n pod-security.kubernetes.io/warn-version: v1.25\n"})}),"\n",(0,t.jsxs)(s.ol,{start:"4",children:["\n",(0,t.jsxs)(s.li,{children:["After the upgrade is complete, remove any remaining PSP resources from the cluster. In many cases, there may be PodSecurityPolicies and associated RBAC resources in custom files used for hardening within ",(0,t.jsx)(s.code,{children:"/var/lib/rancher/k3s/server/manifests/"}),". Remove those resources and k3s will update automatically. Sometimes, due to timing, some of these may be left in the cluster, in which case you will need to delete them manually. If the ",(0,t.jsx)(s.a,{href:"/security/hardening-guide",children:"Hardening Guide"})," was previously followed, you should be able to delete them via the following:"]}),"\n"]}),"\n",(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-sh",children:"# Get the resources associated with PSPs\n$ kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A | grep -i psp\n\n# Delete those resources:\n$ kubectl delete clusterrole.rbac.authorization.k8s.io/psp:restricted-psp clusterrole.rbac.authorization.k8s.io/psp:svclb-psp clusterrole.rbac.authorization.k8s.io/psp:system-unrestricted-psp clusterrolebinding.rbac.authorization.k8s.io/default:restricted-psp clusterrolebinding.rbac.authorization.k8s.io/system-unrestricted-node-psp-rolebinding && kubectl delete -n kube-system rolebinding.rbac.authorization.k8s.io/svclb-psp-rolebinding rolebinding.rbac.authorization.k8s.io/system-unrestricted-svc-acct-psp-rolebinding\n"})})]})}function u(e={}){const{wrapper:s}={...(0,i.a)(),...e.components};return s?(0,t.jsx)(s,{...e,children:(0,t.jsx)(c,{...e})}):c(e)}},1151:(e,s,n)=>{n.d(s,{Z:()=>a,a:()=>o});var t=n(7294);const i={},r=t.createContext(i);function o(e){const s=t.useContext(r);return t.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function a(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(i):e.components||i:o(e.components),t.createElement(r.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/f8eefdc6.720b0f37.js b/assets/js/f8eefdc6.720b0f37.js new file mode 100644 index 000000000..68a37a655 --- /dev/null +++ b/assets/js/f8eefdc6.720b0f37.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[5234],{2435:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>d,contentTitle:()=>r,default:()=>h,frontMatter:()=>i,metadata:()=>l,toc:()=>a});var s=t(5893),o=t(1151);const i={title:"Managing Server Roles"},r=void 0,l={id:"installation/server-roles",title:"Managing Server Roles",description:"Starting the K3s server with --cluster-init will run all control-plane components, including the apiserver, controller-manager, scheduler, and etcd. It is possible to disable specific components in order to split the control-plane and etcd roles on to separate nodes.",source:"@site/docs/installation/server-roles.md",sourceDirName:"installation",slug:"/installation/server-roles",permalink:"/installation/server-roles",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/server-roles.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Managing Server Roles"},sidebar:"mySidebar",previous:{title:"Air-Gap Install",permalink:"/installation/airgap"},next:{title:"Managing Packaged Components",permalink:"/installation/packaged-components"}},d={},a=[{value:"Dedicated <code>etcd</code> Nodes",id:"dedicated-etcd-nodes",level:2},{value:"Dedicated <code>control-plane</code> Nodes",id:"dedicated-control-plane-nodes",level:2},{value:"Adding Roles To Existing Servers",id:"adding-roles-to-existing-servers",level:2},{value:"Configuration File Syntax",id:"configuration-file-syntax",level:2}];function c(e){const n={a:"a",admonition:"admonition",code:"code",h2:"h2",p:"p",pre:"pre",...(0,o.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsxs)(n.p,{children:["Starting the K3s server with ",(0,s.jsx)(n.code,{children:"--cluster-init"})," will run all control-plane components, including the apiserver, controller-manager, scheduler, and etcd. It is possible to disable specific components in order to split the control-plane and etcd roles on to separate nodes."]}),"\n",(0,s.jsx)(n.admonition,{type:"info",children:(0,s.jsx)(n.p,{children:"This document is only relevant when using embedded etcd. When not using embedded etcd, all servers will have the control-plane role and run control-plane components."})}),"\n",(0,s.jsxs)(n.h2,{id:"dedicated-etcd-nodes",children:["Dedicated ",(0,s.jsx)(n.code,{children:"etcd"})," Nodes"]}),"\n",(0,s.jsxs)(n.p,{children:["To create a server with only the ",(0,s.jsx)(n.code,{children:"etcd"})," role, start K3s with all the control-plane components disabled:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"curl -fL https://get.k3s.io | sh -s - server --cluster-init --disable-apiserver --disable-controller-manager --disable-scheduler\n"})}),"\n",(0,s.jsxs)(n.p,{children:["This first node will start etcd, and wait for additional ",(0,s.jsx)(n.code,{children:"etcd"})," and/or ",(0,s.jsx)(n.code,{children:"control-plane"})," nodes to join. The cluster will not be usable until you join an additional server with the ",(0,s.jsx)(n.code,{children:"control-plane"})," components enabled."]}),"\n",(0,s.jsxs)(n.h2,{id:"dedicated-control-plane-nodes",children:["Dedicated ",(0,s.jsx)(n.code,{children:"control-plane"})," Nodes"]}),"\n",(0,s.jsx)(n.admonition,{type:"note",children:(0,s.jsxs)(n.p,{children:["A dedicated ",(0,s.jsx)(n.code,{children:"control-plane"})," node cannot be the first server in the cluster; there must be an existing node with the ",(0,s.jsx)(n.code,{children:"etcd"})," role before joining dedicated ",(0,s.jsx)(n.code,{children:"control-plane"})," nodes."]})}),"\n",(0,s.jsxs)(n.p,{children:["To create a server with only the ",(0,s.jsx)(n.code,{children:"control-plane"})," role, start k3s with etcd disabled:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"curl -fL https://get.k3s.io | sh -s - server --token <token> --disable-etcd --server https://<etcd-only-node>:6443 \n"})}),"\n",(0,s.jsxs)(n.p,{children:["After creating dedicated server nodes, the selected roles will be visible in ",(0,s.jsx)(n.code,{children:"kubectl get node"}),":"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"$ kubectl get nodes\nNAME STATUS ROLES AGE VERSION\nk3s-server-1 Ready etcd 5h39m v1.20.4+k3s1\nk3s-server-2 Ready control-plane,master 5h39m v1.20.4+k3s1\n"})}),"\n",(0,s.jsx)(n.h2,{id:"adding-roles-to-existing-servers",children:"Adding Roles To Existing Servers"}),"\n",(0,s.jsxs)(n.p,{children:["Roles can be added to existing dedicated nodes by restarting K3s with the disable flags removed. For example ,if you want to add the ",(0,s.jsx)(n.code,{children:"control-plane"})," role to a dedicated ",(0,s.jsx)(n.code,{children:"etcd"})," node, you can remove the ",(0,s.jsx)(n.code,{children:"--disable-apiserver --disable-controller-manager --disable-scheduler"})," flags from the systemd unit or config file, and restart the service."]}),"\n",(0,s.jsx)(n.h2,{id:"configuration-file-syntax",children:"Configuration File Syntax"}),"\n",(0,s.jsxs)(n.p,{children:["As with all other CLI flags, you can use the ",(0,s.jsx)(n.a,{href:"/installation/configuration#configuration-file",children:"Configuration File"})," to disable components, instead of passing the options as CLI flags. For example, to create a dedicated ",(0,s.jsx)(n.code,{children:"etcd"})," node, you can place the following values in ",(0,s.jsx)(n.code,{children:"/etc/rancher/k3s/config.yaml"}),":"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:"cluster-init: true\ndisable-apiserver: true\ndisable-controller-manager: true\ndisable-scheduler: true\n"})})]})}function h(e={}){const{wrapper:n}={...(0,o.a)(),...e.components};return n?(0,s.jsx)(n,{...e,children:(0,s.jsx)(c,{...e})}):c(e)}},1151:(e,n,t)=>{t.d(n,{Z:()=>l,a:()=>r});var s=t(7294);const o={},i=s.createContext(o);function r(e){const n=s.useContext(i);return s.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function l(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(o):e.components||o:r(e.components),s.createElement(i.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/f8eefdc6.fbf6e172.js b/assets/js/f8eefdc6.fbf6e172.js deleted file mode 100644 index 8af8edf1d..000000000 --- a/assets/js/f8eefdc6.fbf6e172.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[5234],{2435:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>d,contentTitle:()=>r,default:()=>h,frontMatter:()=>i,metadata:()=>l,toc:()=>a});var s=t(5893),o=t(1151);const i={title:"Managing Server Roles"},r=void 0,l={id:"installation/server-roles",title:"Managing Server Roles",description:"Starting the K3s server with --cluster-init will run all control-plane components, including the apiserver, controller-manager, scheduler, and etcd. It is possible to disable specific components in order to split the control-plane and etcd roles on to separate nodes.",source:"@site/docs/installation/server-roles.md",sourceDirName:"installation",slug:"/installation/server-roles",permalink:"/installation/server-roles",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/server-roles.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Managing Server Roles"},sidebar:"mySidebar",previous:{title:"Air-Gap Install",permalink:"/installation/airgap"},next:{title:"Managing Packaged Components",permalink:"/installation/packaged-components"}},d={},a=[{value:"Dedicated <code>etcd</code> Nodes",id:"dedicated-etcd-nodes",level:2},{value:"Dedicated <code>control-plane</code> Nodes",id:"dedicated-control-plane-nodes",level:2},{value:"Adding Roles To Existing Servers",id:"adding-roles-to-existing-servers",level:2},{value:"Configuration File Syntax",id:"configuration-file-syntax",level:2}];function c(e){const n={a:"a",admonition:"admonition",code:"code",h2:"h2",p:"p",pre:"pre",...(0,o.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsxs)(n.p,{children:["Starting the K3s server with ",(0,s.jsx)(n.code,{children:"--cluster-init"})," will run all control-plane components, including the apiserver, controller-manager, scheduler, and etcd. It is possible to disable specific components in order to split the control-plane and etcd roles on to separate nodes."]}),"\n",(0,s.jsx)(n.admonition,{type:"info",children:(0,s.jsx)(n.p,{children:"This document is only relevant when using embedded etcd. When not using embedded etcd, all servers will have the control-plane role and run control-plane components."})}),"\n",(0,s.jsxs)(n.h2,{id:"dedicated-etcd-nodes",children:["Dedicated ",(0,s.jsx)(n.code,{children:"etcd"})," Nodes"]}),"\n",(0,s.jsxs)(n.p,{children:["To create a server with only the ",(0,s.jsx)(n.code,{children:"etcd"})," role, start K3s with all the control-plane components disabled:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"curl -fL https://get.k3s.io | sh -s - server --cluster-init --disable-apiserver --disable-controller-manager --disable-scheduler\n"})}),"\n",(0,s.jsxs)(n.p,{children:["This first node will start etcd, and wait for additional ",(0,s.jsx)(n.code,{children:"etcd"})," and/or ",(0,s.jsx)(n.code,{children:"control-plane"})," nodes to join. The cluster will not be usable until you join an additional server with the ",(0,s.jsx)(n.code,{children:"control-plane"})," components enabled."]}),"\n",(0,s.jsxs)(n.h2,{id:"dedicated-control-plane-nodes",children:["Dedicated ",(0,s.jsx)(n.code,{children:"control-plane"})," Nodes"]}),"\n",(0,s.jsx)(n.admonition,{type:"note",children:(0,s.jsxs)(n.p,{children:["A dedicated ",(0,s.jsx)(n.code,{children:"control-plane"})," node cannot be the first server in the cluster; there must be an existing node with the ",(0,s.jsx)(n.code,{children:"etcd"})," role before joining dedicated ",(0,s.jsx)(n.code,{children:"control-plane"})," nodes."]})}),"\n",(0,s.jsxs)(n.p,{children:["To create a server with only the ",(0,s.jsx)(n.code,{children:"control-plane"})," role, start k3s with etcd disabled:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"curl -fL https://get.k3s.io | sh -s - server --token <token> --disable-etcd --server https://<etcd-only-node>:6443 \n"})}),"\n",(0,s.jsxs)(n.p,{children:["After creating dedicated server nodes, the selected roles will be visible in ",(0,s.jsx)(n.code,{children:"kubectl get node"}),":"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"$ kubectl get nodes\nNAME STATUS ROLES AGE VERSION\nk3s-server-1 Ready etcd 5h39m v1.20.4+k3s1\nk3s-server-2 Ready control-plane,master 5h39m v1.20.4+k3s1\n"})}),"\n",(0,s.jsx)(n.h2,{id:"adding-roles-to-existing-servers",children:"Adding Roles To Existing Servers"}),"\n",(0,s.jsxs)(n.p,{children:["Roles can be added to existing dedicated nodes by restarting K3s with the disable flags removed. For example ,if you want to add the ",(0,s.jsx)(n.code,{children:"control-plane"})," role to a dedicated ",(0,s.jsx)(n.code,{children:"etcd"})," node, you can remove the ",(0,s.jsx)(n.code,{children:"--disable-apiserver --disable-controller-manager --disable-scheduler"})," flags from the systemd unit or config file, and restart the service."]}),"\n",(0,s.jsx)(n.h2,{id:"configuration-file-syntax",children:"Configuration File Syntax"}),"\n",(0,s.jsxs)(n.p,{children:["As with all other CLI flags, you can use the ",(0,s.jsx)(n.a,{href:"/installation/configuration#configuration-file",children:"Configuration File"})," to disable components, instead of passing the options as CLI flags. For example, to create a dedicated ",(0,s.jsx)(n.code,{children:"etcd"})," node, you can place the following values in ",(0,s.jsx)(n.code,{children:"/etc/rancher/k3s/config.yaml"}),":"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:"cluster-init: true\ndisable-apiserver: true\ndisable-controller-manager: true\ndisable-scheduler: true\n"})})]})}function h(e={}){const{wrapper:n}={...(0,o.a)(),...e.components};return n?(0,s.jsx)(n,{...e,children:(0,s.jsx)(c,{...e})}):c(e)}},1151:(e,n,t)=>{t.d(n,{Z:()=>l,a:()=>r});var s=t(7294);const o={},i=s.createContext(o);function r(e){const n=s.useContext(i);return s.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function l(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(o):e.components||o:r(e.components),s.createElement(i.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/fc39421f.64f5b424.js b/assets/js/fc39421f.64f5b424.js new file mode 100644 index 000000000..dbace0f6e --- /dev/null +++ b/assets/js/fc39421f.64f5b424.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[9778],{8573:(e,r,s)=>{s.r(r),s.d(r,{assets:()=>o,contentTitle:()=>d,default:()=>h,frontMatter:()=>i,metadata:()=>l,toc:()=>a});var n=s(5893),t=s(1151);const i={title:"Resource Profiling"},d=void 0,l={id:"reference/resource-profiling",title:"Resource Profiling",description:"This section captures the results of tests to determine minimum resource requirements for K3s.",source:"@site/docs/reference/resource-profiling.md",sourceDirName:"reference",slug:"/reference/resource-profiling",permalink:"/reference/resource-profiling",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/reference/resource-profiling.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Resource Profiling"},sidebar:"mySidebar",previous:{title:"Flag Deprecation",permalink:"/reference/flag-deprecation"},next:{title:"v1.30.X",permalink:"/release-notes/v1.30.X"}},o={},a=[{value:"Scope of Resource Testing",id:"scope-of-resource-testing",level:2},{value:"Components Included for Baseline Measurements",id:"components-included-for-baseline-measurements",level:2},{value:"Methodology",id:"methodology",level:2},{value:"Environment",id:"environment",level:2},{value:"Baseline Resource Requirements",id:"baseline-resource-requirements",level:2},{value:"K3s Server with a Workload",id:"k3s-server-with-a-workload",level:3},{value:"K3s Cluster with a Single Agent",id:"k3s-cluster-with-a-single-agent",level:3},{value:"K3s Server",id:"k3s-server",level:4},{value:"K3s Agent",id:"k3s-agent",level:3},{value:"Analysis",id:"analysis",level:2},{value:"Primary Resource Utilization Drivers",id:"primary-resource-utilization-drivers",level:3},{value:"Preventing Agents and Workloads from Interfering with the Cluster Datastore",id:"preventing-agents-and-workloads-from-interfering-with-the-cluster-datastore",level:3}];function c(e){const r={a:"a",code:"code",h2:"h2",h3:"h3",h4:"h4",li:"li",p:"p",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,t.a)(),...e.components};return(0,n.jsxs)(n.Fragment,{children:[(0,n.jsx)(r.p,{children:"This section captures the results of tests to determine minimum resource requirements for K3s."}),"\n",(0,n.jsx)(r.p,{children:"The results are summarized as follows:"}),"\n",(0,n.jsxs)(r.table,{children:[(0,n.jsx)(r.thead,{children:(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.th,{children:"Components"}),(0,n.jsx)(r.th,{children:"Processor"}),(0,n.jsx)(r.th,{children:"Min CPU"}),(0,n.jsx)(r.th,{children:"Min RAM with Kine/SQLite"}),(0,n.jsx)(r.th,{children:"Min RAM with Embedded etcd"})]})}),(0,n.jsxs)(r.tbody,{children:[(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.td,{children:"K3s server with a workload"}),(0,n.jsx)(r.td,{children:"Intel 8375C CPU, 2.90 GHz"}),(0,n.jsx)(r.td,{children:"6% of a core"}),(0,n.jsx)(r.td,{children:"1596 M"}),(0,n.jsx)(r.td,{children:"1606 M"})]}),(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.td,{children:"K3s cluster with a single agent"}),(0,n.jsx)(r.td,{children:"Intel 8375C CPU, 2.90 GHz"}),(0,n.jsx)(r.td,{children:"5% of a core"}),(0,n.jsx)(r.td,{children:"1428 M"}),(0,n.jsx)(r.td,{children:"1450 M"})]}),(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.td,{children:"K3s agent"}),(0,n.jsx)(r.td,{children:"Intel 8375C CPU, 2.90 GHz"}),(0,n.jsx)(r.td,{children:"3% of a core"}),(0,n.jsx)(r.td,{children:"275 M"}),(0,n.jsx)(r.td,{children:"275 M"})]}),(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.td,{children:"K3s server with a workload"}),(0,n.jsx)(r.td,{children:"Pi4B BCM2711, 1.50 GHz"}),(0,n.jsx)(r.td,{children:"30% of a core"}),(0,n.jsx)(r.td,{children:"1588 M"}),(0,n.jsx)(r.td,{children:"1613 M"})]}),(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.td,{children:"K3s cluster with a single agent"}),(0,n.jsx)(r.td,{children:"Pi4B BCM2711, 1.50 GHz"}),(0,n.jsx)(r.td,{children:"25% of a core"}),(0,n.jsx)(r.td,{children:"1215 M"}),(0,n.jsx)(r.td,{children:"1413 M"})]}),(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.td,{children:"K3s agent"}),(0,n.jsx)(r.td,{children:"Pi4B BCM2711, 1.50 GHz"}),(0,n.jsx)(r.td,{children:"10% of a core"}),(0,n.jsx)(r.td,{children:"268 M"}),(0,n.jsx)(r.td,{children:"268 M"})]})]})]}),"\n",(0,n.jsxs)(r.ul,{children:["\n",(0,n.jsx)(r.li,{children:(0,n.jsx)(r.a,{href:"#scope-of-resource-testing",children:"Scope of Resource Testing"})}),"\n",(0,n.jsx)(r.li,{children:(0,n.jsx)(r.a,{href:"#components-included-for-baseline-measurements",children:"Components Included for Baseline Measurements"})}),"\n",(0,n.jsx)(r.li,{children:(0,n.jsx)(r.a,{href:"#methodology",children:"Methodology"})}),"\n",(0,n.jsx)(r.li,{children:(0,n.jsx)(r.a,{href:"#environment",children:"Environment"})}),"\n",(0,n.jsxs)(r.li,{children:[(0,n.jsx)(r.a,{href:"#baseline-resource-requirements",children:"Baseline Resource Requirements"}),"\n",(0,n.jsxs)(r.ul,{children:["\n",(0,n.jsx)(r.li,{children:(0,n.jsx)(r.a,{href:"#k3s-server-with-a-workload",children:"K3s Server with a Workload"})}),"\n",(0,n.jsx)(r.li,{children:(0,n.jsx)(r.a,{href:"#k3s-cluster-with-a-single-agent",children:"K3s Cluster with a Single Agent"})}),"\n",(0,n.jsx)(r.li,{children:(0,n.jsx)(r.a,{href:"#k3s-agent",children:"K3s Agent"})}),"\n"]}),"\n"]}),"\n",(0,n.jsxs)(r.li,{children:[(0,n.jsx)(r.a,{href:"#analysis",children:"Analysis"}),"\n",(0,n.jsxs)(r.ul,{children:["\n",(0,n.jsx)(r.li,{children:(0,n.jsx)(r.a,{href:"#primary-resource-utilization-drivers",children:"Primary Resource Utilization Drivers"})}),"\n",(0,n.jsx)(r.li,{children:(0,n.jsx)(r.a,{href:"#preventing-agents-and-workloads-from-interfering-with-the-cluster-datastore",children:"Preventing Agents and Workloads from Interfering with the Cluster Datastore"})}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,n.jsx)(r.h2,{id:"scope-of-resource-testing",children:"Scope of Resource Testing"}),"\n",(0,n.jsx)(r.p,{children:"The resource tests were intended to address the following problem statements:"}),"\n",(0,n.jsxs)(r.ul,{children:["\n",(0,n.jsx)(r.li,{children:"On a single-node cluster, determine the legitimate minimum amount of CPU, memory, and IOPs that should be set aside to run the entire K3s stack server stack, assuming that a real workload will be deployed on the cluster."}),"\n",(0,n.jsx)(r.li,{children:"On an agent (worker) node, determine the legitimate minimum amount of CPU, memory, and IOPs that should be set aside for the Kubernetes and K3s control plane components (the kubelet and k3s agent)."}),"\n"]}),"\n",(0,n.jsx)(r.h2,{id:"components-included-for-baseline-measurements",children:"Components Included for Baseline Measurements"}),"\n",(0,n.jsx)(r.p,{children:"The tested components are:"}),"\n",(0,n.jsxs)(r.ul,{children:["\n",(0,n.jsx)(r.li,{children:"K3s v1.26.5 with all packaged components enabled"}),"\n",(0,n.jsx)(r.li,{children:"Prometheus + Grafana monitoring stack"}),"\n",(0,n.jsx)(r.li,{children:(0,n.jsx)(r.a,{href:"https://kubernetes.io/docs/tasks/run-application/run-stateless-application-deployment/",children:"Kubernetes Example Nginx Deployment"})}),"\n"]}),"\n",(0,n.jsx)(r.p,{children:"These are baseline figures for a stable system using only K3s packaged components (Traefik Ingress, Klipper lb, local-path storage) running a standard monitoring stack (Prometheus and Grafana) and the Guestbook example app."}),"\n",(0,n.jsx)(r.p,{children:"Resource figures including IOPS are for the Kubernetes datastore and control plane only, and do not include overhead for system-level management agents or logging, container image management, or any workload-specific requirements."}),"\n",(0,n.jsx)(r.h2,{id:"methodology",children:"Methodology"}),"\n",(0,n.jsxs)(r.p,{children:["A standalone instance of Prometheus v2.43.0 was used to collect host CPU, memory, and disk IO statistics using ",(0,n.jsx)(r.code,{children:"prometheus-node-exporter"})," installed via apt."]}),"\n",(0,n.jsxs)(r.p,{children:[(0,n.jsx)(r.code,{children:"systemd-cgtop"})," was used to spot-check systemd cgroup-level CPU and memory utilization. ",(0,n.jsx)(r.code,{children:"system.slice/k3s.service"})," tracks resource utilization for both K3s and containerd, while individual pods are under the ",(0,n.jsx)(r.code,{children:"kubepods"})," hierarchy."]}),"\n",(0,n.jsxs)(r.p,{children:["Additional detailed K3s memory utilization data was collected from ",(0,n.jsx)(r.code,{children:"kubectl top node"})," using the integrated metrics-server for the server and agent processes."]}),"\n",(0,n.jsx)(r.p,{children:"Utilization figures were based on 95th percentile readings from steady state operation on nodes running the described workloads."}),"\n",(0,n.jsx)(r.h2,{id:"environment",children:"Environment"}),"\n",(0,n.jsxs)(r.table,{children:[(0,n.jsx)(r.thead,{children:(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.th,{children:"Arch"}),(0,n.jsx)(r.th,{children:"OS"}),(0,n.jsx)(r.th,{children:"System"}),(0,n.jsx)(r.th,{children:"CPU"}),(0,n.jsx)(r.th,{children:"RAM"}),(0,n.jsx)(r.th,{children:"Disk"})]})}),(0,n.jsxs)(r.tbody,{children:[(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.td,{children:"x86_64"}),(0,n.jsx)(r.td,{children:"Ubuntu 22.04"}),(0,n.jsx)(r.td,{children:"AWS c6id.xlarge"}),(0,n.jsx)(r.td,{children:"Intel Xeon Platinum 8375C CPU, 4 Core 2.90 GHz"}),(0,n.jsx)(r.td,{children:"8 GB"}),(0,n.jsx)(r.td,{children:"NVME SSD"})]}),(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.td,{children:"aarch64"}),(0,n.jsx)(r.td,{children:"Raspberry Pi OS 11"}),(0,n.jsx)(r.td,{children:"Raspberry Pi 4 Model B"}),(0,n.jsx)(r.td,{children:"BCM2711, 4 Core 1.50 GHz"}),(0,n.jsx)(r.td,{children:"8 GB"}),(0,n.jsx)(r.td,{children:"UHS-III SDXC"})]})]})]}),"\n",(0,n.jsx)(r.h2,{id:"baseline-resource-requirements",children:"Baseline Resource Requirements"}),"\n",(0,n.jsx)(r.p,{children:"This section captures the results of tests to determine minimum resource requirements for basic K3s operation."}),"\n",(0,n.jsx)(r.h3,{id:"k3s-server-with-a-workload",children:"K3s Server with a Workload"}),"\n",(0,n.jsxs)(r.p,{children:["These are the requirements for a single-node cluster in which the K3s server shares resources with a ",(0,n.jsx)(r.a,{href:"https://kubernetes.io/docs/tasks/run-application/run-stateless-application-deployment/",children:"simple workload"}),"."]}),"\n",(0,n.jsx)(r.p,{children:"The CPU requirements are:"}),"\n",(0,n.jsxs)(r.table,{children:[(0,n.jsx)(r.thead,{children:(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.th,{children:"System"}),(0,n.jsx)(r.th,{children:"CPU Core Usage"})]})}),(0,n.jsxs)(r.tbody,{children:[(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.td,{children:"Intel 8375C"}),(0,n.jsx)(r.td,{children:"6% of a core"})]}),(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.td,{children:"Pi4B"}),(0,n.jsx)(r.td,{children:"30% of a core"})]})]})]}),"\n",(0,n.jsx)(r.p,{children:"The Memory Requirements are:"}),"\n",(0,n.jsxs)(r.table,{children:[(0,n.jsx)(r.thead,{children:(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.th,{children:"Tested Datastore"}),(0,n.jsx)(r.th,{children:"System"}),(0,n.jsx)(r.th,{children:"Memory"})]})}),(0,n.jsxs)(r.tbody,{children:[(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.td,{children:"Kine/SQLite"}),(0,n.jsx)(r.td,{children:"Intel 8375C"}),(0,n.jsx)(r.td,{children:"1596 M"})]}),(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.td,{}),(0,n.jsx)(r.td,{children:"Pi4B"}),(0,n.jsx)(r.td,{children:"1588 M"})]}),(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.td,{children:"Embedded etcd"}),(0,n.jsx)(r.td,{children:"Intel 8375C"}),(0,n.jsx)(r.td,{children:"1606 M"})]}),(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.td,{}),(0,n.jsx)(r.td,{children:"Pi4B"}),(0,n.jsx)(r.td,{children:"1613 M"})]})]})]}),"\n",(0,n.jsx)(r.p,{children:"The Disk requirements are:"}),"\n",(0,n.jsxs)(r.table,{children:[(0,n.jsx)(r.thead,{children:(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.th,{children:"Tested Datastore"}),(0,n.jsx)(r.th,{children:"IOPS"}),(0,n.jsx)(r.th,{children:"KiB/sec"}),(0,n.jsx)(r.th,{children:"Latency"})]})}),(0,n.jsxs)(r.tbody,{children:[(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.td,{children:"Kine/SQLite"}),(0,n.jsx)(r.td,{children:"10"}),(0,n.jsx)(r.td,{children:"500"}),(0,n.jsx)(r.td,{children:"< 10 ms"})]}),(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.td,{children:"Embedded etcd"}),(0,n.jsx)(r.td,{children:"50"}),(0,n.jsx)(r.td,{children:"250"}),(0,n.jsx)(r.td,{children:"< 5 ms"})]})]})]}),"\n",(0,n.jsx)(r.h3,{id:"k3s-cluster-with-a-single-agent",children:"K3s Cluster with a Single Agent"}),"\n",(0,n.jsx)(r.p,{children:"These are the baseline requirements for a K3s cluster with a K3s server node and a K3s agent, but no workload."}),"\n",(0,n.jsx)(r.h4,{id:"k3s-server",children:"K3s Server"}),"\n",(0,n.jsx)(r.p,{children:"The CPU requirements are:"}),"\n",(0,n.jsxs)(r.table,{children:[(0,n.jsx)(r.thead,{children:(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.th,{children:"System"}),(0,n.jsx)(r.th,{children:"CPU Core Usage"})]})}),(0,n.jsxs)(r.tbody,{children:[(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.td,{children:"Intel 8375C"}),(0,n.jsx)(r.td,{children:"5% of a core"})]}),(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.td,{children:"Pi4B"}),(0,n.jsx)(r.td,{children:"25% of a core"})]})]})]}),"\n",(0,n.jsx)(r.p,{children:"The Memory Requirements are:"}),"\n",(0,n.jsxs)(r.table,{children:[(0,n.jsx)(r.thead,{children:(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.th,{children:"Tested Datastore"}),(0,n.jsx)(r.th,{children:"System"}),(0,n.jsx)(r.th,{children:"Memory"})]})}),(0,n.jsxs)(r.tbody,{children:[(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.td,{children:"Kine/SQLite"}),(0,n.jsx)(r.td,{children:"Intel 8375C"}),(0,n.jsx)(r.td,{children:"1428 M"})]}),(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.td,{}),(0,n.jsx)(r.td,{children:"Pi4B"}),(0,n.jsx)(r.td,{children:"1215 M"})]}),(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.td,{children:"Embedded etcd"}),(0,n.jsx)(r.td,{children:"Intel 8375C"}),(0,n.jsx)(r.td,{children:"1450 M"})]}),(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.td,{}),(0,n.jsx)(r.td,{children:"Pi4B"}),(0,n.jsx)(r.td,{children:"1413 M"})]})]})]}),"\n",(0,n.jsx)(r.h3,{id:"k3s-agent",children:"K3s Agent"}),"\n",(0,n.jsx)(r.p,{children:"The requirements are:"}),"\n",(0,n.jsxs)(r.table,{children:[(0,n.jsx)(r.thead,{children:(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.th,{children:"System"}),(0,n.jsx)(r.th,{children:"CPU Core Usage"}),(0,n.jsx)(r.th,{children:"RAM"})]})}),(0,n.jsxs)(r.tbody,{children:[(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.td,{children:"Intel 8375C"}),(0,n.jsx)(r.td,{children:"3% of a core"}),(0,n.jsx)(r.td,{children:"275 M"})]}),(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.td,{children:"Pi4B"}),(0,n.jsx)(r.td,{children:"5% of a core"}),(0,n.jsx)(r.td,{children:"268 M"})]})]})]}),"\n",(0,n.jsx)(r.h2,{id:"analysis",children:"Analysis"}),"\n",(0,n.jsx)(r.p,{children:"This section captures what has the biggest impact on K3s server and agent utilization, and how the cluster datastore can be protected from interference from agents and workloads."}),"\n",(0,n.jsx)(r.h3,{id:"primary-resource-utilization-drivers",children:"Primary Resource Utilization Drivers"}),"\n",(0,n.jsx)(r.p,{children:"K3s server utilization figures are primarily driven by support of the Kubernetes datastore (kine or etcd), API Server, Controller-Manager, and Scheduler control loops, as well as any management tasks necessary to effect changes to the state of the system. Operations that place additional load on the Kubernetes control plane, such as creating/modifying/deleting resources, will cause temporary spikes in utilization. Using operators or apps that make extensive use of the Kubernetes datastore (such as Rancher or other Operator-type applications) will increase the server's resource requirements. Scaling up the cluster by adding additional nodes or creating many cluster resources will increase the server's resource requirements."}),"\n",(0,n.jsx)(r.p,{children:"K3s agent utilization figures are primarily driven by support of container lifecycle management control loops. Operations that involve managing images, provisioning storage, or creating/destroying containers will cause temporary spikes in utilization. Image pulls in particular are typically highly CPU and IO bound, as they involve decompressing image content to disk. If possible, workload storage (pod ephemeral storage and volumes) should be isolated from the agent components (/var/lib/rancher/k3s/agent) to ensure that there are no resource conflicts."}),"\n",(0,n.jsx)(r.h3,{id:"preventing-agents-and-workloads-from-interfering-with-the-cluster-datastore",children:"Preventing Agents and Workloads from Interfering with the Cluster Datastore"}),"\n",(0,n.jsx)(r.p,{children:"When running in an environment where the server is also hosting workload pods, care should be taken to ensure that agent and workload IOPS do not interfere with the datastore."}),"\n",(0,n.jsx)(r.p,{children:"This can be best accomplished by placing the server components (/var/lib/rancher/k3s/server) on a different storage medium than the agent components (/var/lib/rancher/k3s/agent), which include the containerd image store."}),"\n",(0,n.jsx)(r.p,{children:"Workload storage (pod ephemeral storage and volumes) should also be isolated from the datastore."}),"\n",(0,n.jsx)(r.p,{children:"Failure to meet datastore throughput and latency requirements may result in delayed response from the control plane and/or failure of the control plane to maintain system state."})]})}function h(e={}){const{wrapper:r}={...(0,t.a)(),...e.components};return r?(0,n.jsx)(r,{...e,children:(0,n.jsx)(c,{...e})}):c(e)}},1151:(e,r,s)=>{s.d(r,{Z:()=>l,a:()=>d});var n=s(7294);const t={},i=n.createContext(t);function d(e){const r=n.useContext(i);return n.useMemo((function(){return"function"==typeof e?e(r):{...r,...e}}),[r,e])}function l(e){let r;return r=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:d(e.components),n.createElement(i.Provider,{value:r},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/fc39421f.9c6a7858.js b/assets/js/fc39421f.9c6a7858.js deleted file mode 100644 index 8a8eea218..000000000 --- a/assets/js/fc39421f.9c6a7858.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[9778],{8573:(e,r,s)=>{s.r(r),s.d(r,{assets:()=>o,contentTitle:()=>d,default:()=>h,frontMatter:()=>i,metadata:()=>l,toc:()=>a});var n=s(5893),t=s(1151);const i={title:"Resource Profiling"},d=void 0,l={id:"reference/resource-profiling",title:"Resource Profiling",description:"This section captures the results of tests to determine minimum resource requirements for K3s.",source:"@site/docs/reference/resource-profiling.md",sourceDirName:"reference",slug:"/reference/resource-profiling",permalink:"/reference/resource-profiling",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/reference/resource-profiling.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Resource Profiling"},sidebar:"mySidebar",previous:{title:"Flag Deprecation",permalink:"/reference/flag-deprecation"},next:{title:"v1.30.X",permalink:"/release-notes/v1.30.X"}},o={},a=[{value:"Scope of Resource Testing",id:"scope-of-resource-testing",level:2},{value:"Components Included for Baseline Measurements",id:"components-included-for-baseline-measurements",level:2},{value:"Methodology",id:"methodology",level:2},{value:"Environment",id:"environment",level:2},{value:"Baseline Resource Requirements",id:"baseline-resource-requirements",level:2},{value:"K3s Server with a Workload",id:"k3s-server-with-a-workload",level:3},{value:"K3s Cluster with a Single Agent",id:"k3s-cluster-with-a-single-agent",level:3},{value:"K3s Server",id:"k3s-server",level:4},{value:"K3s Agent",id:"k3s-agent",level:3},{value:"Analysis",id:"analysis",level:2},{value:"Primary Resource Utilization Drivers",id:"primary-resource-utilization-drivers",level:3},{value:"Preventing Agents and Workloads from Interfering with the Cluster Datastore",id:"preventing-agents-and-workloads-from-interfering-with-the-cluster-datastore",level:3}];function c(e){const r={a:"a",code:"code",h2:"h2",h3:"h3",h4:"h4",li:"li",p:"p",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,t.a)(),...e.components};return(0,n.jsxs)(n.Fragment,{children:[(0,n.jsx)(r.p,{children:"This section captures the results of tests to determine minimum resource requirements for K3s."}),"\n",(0,n.jsx)(r.p,{children:"The results are summarized as follows:"}),"\n",(0,n.jsxs)(r.table,{children:[(0,n.jsx)(r.thead,{children:(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.th,{children:"Components"}),(0,n.jsx)(r.th,{children:"Processor"}),(0,n.jsx)(r.th,{children:"Min CPU"}),(0,n.jsx)(r.th,{children:"Min RAM with Kine/SQLite"}),(0,n.jsx)(r.th,{children:"Min RAM with Embedded etcd"})]})}),(0,n.jsxs)(r.tbody,{children:[(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.td,{children:"K3s server with a workload"}),(0,n.jsx)(r.td,{children:"Intel 8375C CPU, 2.90 GHz"}),(0,n.jsx)(r.td,{children:"6% of a core"}),(0,n.jsx)(r.td,{children:"1596 M"}),(0,n.jsx)(r.td,{children:"1606 M"})]}),(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.td,{children:"K3s cluster with a single agent"}),(0,n.jsx)(r.td,{children:"Intel 8375C CPU, 2.90 GHz"}),(0,n.jsx)(r.td,{children:"5% of a core"}),(0,n.jsx)(r.td,{children:"1428 M"}),(0,n.jsx)(r.td,{children:"1450 M"})]}),(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.td,{children:"K3s agent"}),(0,n.jsx)(r.td,{children:"Intel 8375C CPU, 2.90 GHz"}),(0,n.jsx)(r.td,{children:"3% of a core"}),(0,n.jsx)(r.td,{children:"275 M"}),(0,n.jsx)(r.td,{children:"275 M"})]}),(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.td,{children:"K3s server with a workload"}),(0,n.jsx)(r.td,{children:"Pi4B BCM2711, 1.50 GHz"}),(0,n.jsx)(r.td,{children:"30% of a core"}),(0,n.jsx)(r.td,{children:"1588 M"}),(0,n.jsx)(r.td,{children:"1613 M"})]}),(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.td,{children:"K3s cluster with a single agent"}),(0,n.jsx)(r.td,{children:"Pi4B BCM2711, 1.50 GHz"}),(0,n.jsx)(r.td,{children:"25% of a core"}),(0,n.jsx)(r.td,{children:"1215 M"}),(0,n.jsx)(r.td,{children:"1413 M"})]}),(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.td,{children:"K3s agent"}),(0,n.jsx)(r.td,{children:"Pi4B BCM2711, 1.50 GHz"}),(0,n.jsx)(r.td,{children:"10% of a core"}),(0,n.jsx)(r.td,{children:"268 M"}),(0,n.jsx)(r.td,{children:"268 M"})]})]})]}),"\n",(0,n.jsxs)(r.ul,{children:["\n",(0,n.jsx)(r.li,{children:(0,n.jsx)(r.a,{href:"#scope-of-resource-testing",children:"Scope of Resource Testing"})}),"\n",(0,n.jsx)(r.li,{children:(0,n.jsx)(r.a,{href:"#components-included-for-baseline-measurements",children:"Components Included for Baseline Measurements"})}),"\n",(0,n.jsx)(r.li,{children:(0,n.jsx)(r.a,{href:"#methodology",children:"Methodology"})}),"\n",(0,n.jsx)(r.li,{children:(0,n.jsx)(r.a,{href:"#environment",children:"Environment"})}),"\n",(0,n.jsxs)(r.li,{children:[(0,n.jsx)(r.a,{href:"#baseline-resource-requirements",children:"Baseline Resource Requirements"}),"\n",(0,n.jsxs)(r.ul,{children:["\n",(0,n.jsx)(r.li,{children:(0,n.jsx)(r.a,{href:"#k3s-server-with-a-workload",children:"K3s Server with a Workload"})}),"\n",(0,n.jsx)(r.li,{children:(0,n.jsx)(r.a,{href:"#k3s-cluster-with-a-single-agent",children:"K3s Cluster with a Single Agent"})}),"\n",(0,n.jsx)(r.li,{children:(0,n.jsx)(r.a,{href:"#k3s-agent",children:"K3s Agent"})}),"\n"]}),"\n"]}),"\n",(0,n.jsxs)(r.li,{children:[(0,n.jsx)(r.a,{href:"#analysis",children:"Analysis"}),"\n",(0,n.jsxs)(r.ul,{children:["\n",(0,n.jsx)(r.li,{children:(0,n.jsx)(r.a,{href:"#primary-resource-utilization-drivers",children:"Primary Resource Utilization Drivers"})}),"\n",(0,n.jsx)(r.li,{children:(0,n.jsx)(r.a,{href:"#preventing-agents-and-workloads-from-interfering-with-the-cluster-datastore",children:"Preventing Agents and Workloads from Interfering with the Cluster Datastore"})}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,n.jsx)(r.h2,{id:"scope-of-resource-testing",children:"Scope of Resource Testing"}),"\n",(0,n.jsx)(r.p,{children:"The resource tests were intended to address the following problem statements:"}),"\n",(0,n.jsxs)(r.ul,{children:["\n",(0,n.jsx)(r.li,{children:"On a single-node cluster, determine the legitimate minimum amount of CPU, memory, and IOPs that should be set aside to run the entire K3s stack server stack, assuming that a real workload will be deployed on the cluster."}),"\n",(0,n.jsx)(r.li,{children:"On an agent (worker) node, determine the legitimate minimum amount of CPU, memory, and IOPs that should be set aside for the Kubernetes and K3s control plane components (the kubelet and k3s agent)."}),"\n"]}),"\n",(0,n.jsx)(r.h2,{id:"components-included-for-baseline-measurements",children:"Components Included for Baseline Measurements"}),"\n",(0,n.jsx)(r.p,{children:"The tested components are:"}),"\n",(0,n.jsxs)(r.ul,{children:["\n",(0,n.jsx)(r.li,{children:"K3s v1.26.5 with all packaged components enabled"}),"\n",(0,n.jsx)(r.li,{children:"Prometheus + Grafana monitoring stack"}),"\n",(0,n.jsx)(r.li,{children:(0,n.jsx)(r.a,{href:"https://kubernetes.io/docs/tasks/run-application/run-stateless-application-deployment/",children:"Kubernetes Example Nginx Deployment"})}),"\n"]}),"\n",(0,n.jsx)(r.p,{children:"These are baseline figures for a stable system using only K3s packaged components (Traefik Ingress, Klipper lb, local-path storage) running a standard monitoring stack (Prometheus and Grafana) and the Guestbook example app."}),"\n",(0,n.jsx)(r.p,{children:"Resource figures including IOPS are for the Kubernetes datastore and control plane only, and do not include overhead for system-level management agents or logging, container image management, or any workload-specific requirements."}),"\n",(0,n.jsx)(r.h2,{id:"methodology",children:"Methodology"}),"\n",(0,n.jsxs)(r.p,{children:["A standalone instance of Prometheus v2.43.0 was used to collect host CPU, memory, and disk IO statistics using ",(0,n.jsx)(r.code,{children:"prometheus-node-exporter"})," installed via apt."]}),"\n",(0,n.jsxs)(r.p,{children:[(0,n.jsx)(r.code,{children:"systemd-cgtop"})," was used to spot-check systemd cgroup-level CPU and memory utilization. ",(0,n.jsx)(r.code,{children:"system.slice/k3s.service"})," tracks resource utilization for both K3s and containerd, while individual pods are under the ",(0,n.jsx)(r.code,{children:"kubepods"})," hierarchy."]}),"\n",(0,n.jsxs)(r.p,{children:["Additional detailed K3s memory utilization data was collected from ",(0,n.jsx)(r.code,{children:"kubectl top node"})," using the integrated metrics-server for the server and agent processes."]}),"\n",(0,n.jsx)(r.p,{children:"Utilization figures were based on 95th percentile readings from steady state operation on nodes running the described workloads."}),"\n",(0,n.jsx)(r.h2,{id:"environment",children:"Environment"}),"\n",(0,n.jsxs)(r.table,{children:[(0,n.jsx)(r.thead,{children:(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.th,{children:"Arch"}),(0,n.jsx)(r.th,{children:"OS"}),(0,n.jsx)(r.th,{children:"System"}),(0,n.jsx)(r.th,{children:"CPU"}),(0,n.jsx)(r.th,{children:"RAM"}),(0,n.jsx)(r.th,{children:"Disk"})]})}),(0,n.jsxs)(r.tbody,{children:[(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.td,{children:"x86_64"}),(0,n.jsx)(r.td,{children:"Ubuntu 22.04"}),(0,n.jsx)(r.td,{children:"AWS c6id.xlarge"}),(0,n.jsx)(r.td,{children:"Intel Xeon Platinum 8375C CPU, 4 Core 2.90 GHz"}),(0,n.jsx)(r.td,{children:"8 GB"}),(0,n.jsx)(r.td,{children:"NVME SSD"})]}),(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.td,{children:"aarch64"}),(0,n.jsx)(r.td,{children:"Raspberry Pi OS 11"}),(0,n.jsx)(r.td,{children:"Raspberry Pi 4 Model B"}),(0,n.jsx)(r.td,{children:"BCM2711, 4 Core 1.50 GHz"}),(0,n.jsx)(r.td,{children:"8 GB"}),(0,n.jsx)(r.td,{children:"UHS-III SDXC"})]})]})]}),"\n",(0,n.jsx)(r.h2,{id:"baseline-resource-requirements",children:"Baseline Resource Requirements"}),"\n",(0,n.jsx)(r.p,{children:"This section captures the results of tests to determine minimum resource requirements for basic K3s operation."}),"\n",(0,n.jsx)(r.h3,{id:"k3s-server-with-a-workload",children:"K3s Server with a Workload"}),"\n",(0,n.jsxs)(r.p,{children:["These are the requirements for a single-node cluster in which the K3s server shares resources with a ",(0,n.jsx)(r.a,{href:"https://kubernetes.io/docs/tasks/run-application/run-stateless-application-deployment/",children:"simple workload"}),"."]}),"\n",(0,n.jsx)(r.p,{children:"The CPU requirements are:"}),"\n",(0,n.jsxs)(r.table,{children:[(0,n.jsx)(r.thead,{children:(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.th,{children:"System"}),(0,n.jsx)(r.th,{children:"CPU Core Usage"})]})}),(0,n.jsxs)(r.tbody,{children:[(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.td,{children:"Intel 8375C"}),(0,n.jsx)(r.td,{children:"6% of a core"})]}),(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.td,{children:"Pi4B"}),(0,n.jsx)(r.td,{children:"30% of a core"})]})]})]}),"\n",(0,n.jsx)(r.p,{children:"The Memory Requirements are:"}),"\n",(0,n.jsxs)(r.table,{children:[(0,n.jsx)(r.thead,{children:(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.th,{children:"Tested Datastore"}),(0,n.jsx)(r.th,{children:"System"}),(0,n.jsx)(r.th,{children:"Memory"})]})}),(0,n.jsxs)(r.tbody,{children:[(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.td,{children:"Kine/SQLite"}),(0,n.jsx)(r.td,{children:"Intel 8375C"}),(0,n.jsx)(r.td,{children:"1596 M"})]}),(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.td,{}),(0,n.jsx)(r.td,{children:"Pi4B"}),(0,n.jsx)(r.td,{children:"1588 M"})]}),(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.td,{children:"Embedded etcd"}),(0,n.jsx)(r.td,{children:"Intel 8375C"}),(0,n.jsx)(r.td,{children:"1606 M"})]}),(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.td,{}),(0,n.jsx)(r.td,{children:"Pi4B"}),(0,n.jsx)(r.td,{children:"1613 M"})]})]})]}),"\n",(0,n.jsx)(r.p,{children:"The Disk requirements are:"}),"\n",(0,n.jsxs)(r.table,{children:[(0,n.jsx)(r.thead,{children:(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.th,{children:"Tested Datastore"}),(0,n.jsx)(r.th,{children:"IOPS"}),(0,n.jsx)(r.th,{children:"KiB/sec"}),(0,n.jsx)(r.th,{children:"Latency"})]})}),(0,n.jsxs)(r.tbody,{children:[(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.td,{children:"Kine/SQLite"}),(0,n.jsx)(r.td,{children:"10"}),(0,n.jsx)(r.td,{children:"500"}),(0,n.jsx)(r.td,{children:"< 10 ms"})]}),(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.td,{children:"Embedded etcd"}),(0,n.jsx)(r.td,{children:"50"}),(0,n.jsx)(r.td,{children:"250"}),(0,n.jsx)(r.td,{children:"< 5 ms"})]})]})]}),"\n",(0,n.jsx)(r.h3,{id:"k3s-cluster-with-a-single-agent",children:"K3s Cluster with a Single Agent"}),"\n",(0,n.jsx)(r.p,{children:"These are the baseline requirements for a K3s cluster with a K3s server node and a K3s agent, but no workload."}),"\n",(0,n.jsx)(r.h4,{id:"k3s-server",children:"K3s Server"}),"\n",(0,n.jsx)(r.p,{children:"The CPU requirements are:"}),"\n",(0,n.jsxs)(r.table,{children:[(0,n.jsx)(r.thead,{children:(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.th,{children:"System"}),(0,n.jsx)(r.th,{children:"CPU Core Usage"})]})}),(0,n.jsxs)(r.tbody,{children:[(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.td,{children:"Intel 8375C"}),(0,n.jsx)(r.td,{children:"5% of a core"})]}),(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.td,{children:"Pi4B"}),(0,n.jsx)(r.td,{children:"25% of a core"})]})]})]}),"\n",(0,n.jsx)(r.p,{children:"The Memory Requirements are:"}),"\n",(0,n.jsxs)(r.table,{children:[(0,n.jsx)(r.thead,{children:(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.th,{children:"Tested Datastore"}),(0,n.jsx)(r.th,{children:"System"}),(0,n.jsx)(r.th,{children:"Memory"})]})}),(0,n.jsxs)(r.tbody,{children:[(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.td,{children:"Kine/SQLite"}),(0,n.jsx)(r.td,{children:"Intel 8375C"}),(0,n.jsx)(r.td,{children:"1428 M"})]}),(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.td,{}),(0,n.jsx)(r.td,{children:"Pi4B"}),(0,n.jsx)(r.td,{children:"1215 M"})]}),(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.td,{children:"Embedded etcd"}),(0,n.jsx)(r.td,{children:"Intel 8375C"}),(0,n.jsx)(r.td,{children:"1450 M"})]}),(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.td,{}),(0,n.jsx)(r.td,{children:"Pi4B"}),(0,n.jsx)(r.td,{children:"1413 M"})]})]})]}),"\n",(0,n.jsx)(r.h3,{id:"k3s-agent",children:"K3s Agent"}),"\n",(0,n.jsx)(r.p,{children:"The requirements are:"}),"\n",(0,n.jsxs)(r.table,{children:[(0,n.jsx)(r.thead,{children:(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.th,{children:"System"}),(0,n.jsx)(r.th,{children:"CPU Core Usage"}),(0,n.jsx)(r.th,{children:"RAM"})]})}),(0,n.jsxs)(r.tbody,{children:[(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.td,{children:"Intel 8375C"}),(0,n.jsx)(r.td,{children:"3% of a core"}),(0,n.jsx)(r.td,{children:"275 M"})]}),(0,n.jsxs)(r.tr,{children:[(0,n.jsx)(r.td,{children:"Pi4B"}),(0,n.jsx)(r.td,{children:"5% of a core"}),(0,n.jsx)(r.td,{children:"268 M"})]})]})]}),"\n",(0,n.jsx)(r.h2,{id:"analysis",children:"Analysis"}),"\n",(0,n.jsx)(r.p,{children:"This section captures what has the biggest impact on K3s server and agent utilization, and how the cluster datastore can be protected from interference from agents and workloads."}),"\n",(0,n.jsx)(r.h3,{id:"primary-resource-utilization-drivers",children:"Primary Resource Utilization Drivers"}),"\n",(0,n.jsx)(r.p,{children:"K3s server utilization figures are primarily driven by support of the Kubernetes datastore (kine or etcd), API Server, Controller-Manager, and Scheduler control loops, as well as any management tasks necessary to effect changes to the state of the system. Operations that place additional load on the Kubernetes control plane, such as creating/modifying/deleting resources, will cause temporary spikes in utilization. Using operators or apps that make extensive use of the Kubernetes datastore (such as Rancher or other Operator-type applications) will increase the server's resource requirements. Scaling up the cluster by adding additional nodes or creating many cluster resources will increase the server's resource requirements."}),"\n",(0,n.jsx)(r.p,{children:"K3s agent utilization figures are primarily driven by support of container lifecycle management control loops. Operations that involve managing images, provisioning storage, or creating/destroying containers will cause temporary spikes in utilization. Image pulls in particular are typically highly CPU and IO bound, as they involve decompressing image content to disk. If possible, workload storage (pod ephemeral storage and volumes) should be isolated from the agent components (/var/lib/rancher/k3s/agent) to ensure that there are no resource conflicts."}),"\n",(0,n.jsx)(r.h3,{id:"preventing-agents-and-workloads-from-interfering-with-the-cluster-datastore",children:"Preventing Agents and Workloads from Interfering with the Cluster Datastore"}),"\n",(0,n.jsx)(r.p,{children:"When running in an environment where the server is also hosting workload pods, care should be taken to ensure that agent and workload IOPS do not interfere with the datastore."}),"\n",(0,n.jsx)(r.p,{children:"This can be best accomplished by placing the server components (/var/lib/rancher/k3s/server) on a different storage medium than the agent components (/var/lib/rancher/k3s/agent), which include the containerd image store."}),"\n",(0,n.jsx)(r.p,{children:"Workload storage (pod ephemeral storage and volumes) should also be isolated from the datastore."}),"\n",(0,n.jsx)(r.p,{children:"Failure to meet datastore throughput and latency requirements may result in delayed response from the control plane and/or failure of the control plane to maintain system state."})]})}function h(e={}){const{wrapper:r}={...(0,t.a)(),...e.components};return r?(0,n.jsx)(r,{...e,children:(0,n.jsx)(c,{...e})}):c(e)}},1151:(e,r,s)=>{s.d(r,{Z:()=>l,a:()=>d});var n=s(7294);const t={},i=n.createContext(t);function d(e){const r=n.useContext(i);return n.useMemo((function(){return"function"==typeof e?e(r):{...r,...e}}),[r,e])}function l(e){let r;return r=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:d(e.components),n.createElement(i.Provider,{value:r},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/main.58acbbc0.js b/assets/js/main.58acbbc0.js new file mode 100644 index 000000000..435a160aa --- /dev/null +++ b/assets/js/main.58acbbc0.js @@ -0,0 +1,2 @@ +/*! For license information please see main.58acbbc0.js.LICENSE.txt */ +(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[179],{1728:(e,t,n)=>{"use strict";function r(e){var t,n,a="";if("string"==typeof e||"number"==typeof e)a+=e;else if("object"==typeof e)if(Array.isArray(e))for(t=0;t<e.length;t++)e[t]&&(n=r(e[t]))&&(a&&(a+=" "),a+=n);else for(t in e)e[t]&&(a&&(a+=" "),a+=t);return a}n.d(t,{Z:()=>a});const a=function(){for(var e,t,n=0,a="";n<arguments.length;)(e=arguments[n++])&&(t=r(e))&&(a&&(a+=" "),a+=t);return a}},723:(e,t,n)=>{"use strict";n.d(t,{Z:()=>p});n(7294);var r=n(8356),a=n.n(r),o=n(6887);const i={"0480b142":[()=>n.e(836).then(n.bind(n,9665)),"@site/docs/faq.md",9665],"06dc01b4":[()=>n.e(9233).then(n.bind(n,6516)),"@site/docs/networking/basic-network-options.md",6516],"0759a3f5":[()=>n.e(2409).then(n.bind(n,2714)),"@site/docs/release-notes/v1.29.X.md",2714],"0ce5aa86":[()=>n.e(1620).then(n.bind(n,3012)),"@site/docs/release-notes/v1.26.X.md",3012],"0e4359fd":[()=>n.e(9751).then(n.bind(n,8495)),"@site/docs/helm.md",8495],"10b61a3f":[()=>n.e(4902).then(n.bind(n,8040)),"@site/docs/installation/private-registry.md",8040],"138e0e15":[()=>n.e(9524).then(n.t.bind(n,536,19)),"@generated/@easyops-cn/docusaurus-search-local/default/__plugin.json",536],17035653:[()=>n.e(8380).then(n.bind(n,4877)),"@site/docs/networking/multus-ipams.md",4877],17896441:[()=>Promise.all([n.e(532),n.e(7236),n.e(7918)]).then(n.bind(n,3354)),"@theme/DocItem",3354],"179ec51e":[()=>n.e(7176).then(n.bind(n,6790)),"@site/docs/cli/secrets-encrypt.md",6790],"1a4e3797":[()=>Promise.all([n.e(532),n.e(7920)]).then(n.bind(n,2027)),"@theme/SearchPage",2027],"1be8dcfa":[()=>n.e(7628).then(n.bind(n,2023)),"@site/docs/cli/agent.md",2023],"1e924268":[()=>n.e(8614).then(n.bind(n,770)),"@site/docs/installation/installation.md",770],"22dd74f7":[()=>n.e(4980).then(n.t.bind(n,5904,19)),"@generated/docusaurus-plugin-content-docs/default/p/index-466.json",5904],"2a65762c":[()=>n.e(1430).then(n.bind(n,7084)),"@site/docs/cli/token.md",7084],"2f797aa4":[()=>n.e(101).then(n.bind(n,3989)),"@site/docs/release-notes/v1.28.X.md",3989],"36f34ab4":[()=>n.e(6155).then(n.bind(n,7406)),"@site/docs/cli/etcd-snapshot.md",7406],"395f47e2":[()=>n.e(6801).then(n.bind(n,793)),"@site/docs/advanced.md",793],"41765d36":[()=>n.e(1615).then(n.bind(n,99)),"@site/docs/storage.md",99],"43077f1d":[()=>n.e(8397).then(n.bind(n,8104)),"@site/docs/cluster-access.md",8104],"43e5cb58":[()=>n.e(4804).then(n.bind(n,8446)),"@site/docs/networking/networking-services.md",8446],"4455f95b":[()=>n.e(1340).then(n.bind(n,2644)),"@site/docs/cli/server.md",2644],"4a667cf9":[()=>n.e(9477).then(n.bind(n,8676)),"@site/docs/datastore/cluster-loadbalancer.md",8676],"4aae9e46":[()=>n.e(4443).then(n.bind(n,557)),"@site/docs/upgrades/killall.md",557],"4e366d5e":[()=>n.e(3595).then(n.bind(n,882)),"@site/docs/upgrades/upgrades.md",882],"4fea1ac4":[()=>n.e(1073).then(n.bind(n,8544)),"@site/docs/installation/uninstall.md",8544],"5159b4a0":[()=>n.e(9478).then(n.bind(n,7477)),"@site/docs/installation/registry-mirror.md",7477],"5281b7a2":[()=>n.e(5927).then(n.bind(n,6506)),"@site/docs/architecture.md",6506],"57d35c99":[()=>n.e(8005).then(n.bind(n,3548)),"@site/docs/security/secrets-encryption.md",3548],"5e95c892":[()=>n.e(9661).then(n.bind(n,1892)),"@theme/DocsRoot",1892],"5ea4afd8":[()=>n.e(9075).then(n.bind(n,7902)),"@site/docs/security/self-assessment-1.7.md",7902],"65c5030c":[()=>n.e(7733).then(n.bind(n,215)),"@site/docs/installation/packaged-components.md",215],"6ab2c2e0":[()=>n.e(981).then(n.bind(n,9414)),"@site/docs/reference/env-variables.md",9414],"6e9804bc":[()=>n.e(393).then(n.bind(n,1218)),"@site/docs/cli/certificate.md",1218],"72e14192":[()=>n.e(7239).then(n.bind(n,1658)),"@site/docs/quick-start.md",1658],"7b8e2475":[()=>n.e(79).then(n.bind(n,6498)),"@site/docs/security/security.md",6498],82406859:[()=>n.e(3319).then(n.bind(n,6758)),"@site/docs/upgrades/automated.md",6758],"82f1aa93":[()=>n.e(7709).then(n.bind(n,1587)),"@site/docs/security/hardening-guide.md",1587],"914a16f4":[()=>n.e(7626).then(n.bind(n,6050)),"@site/docs/reference/flag-deprecation.md",6050],"97c4f258":[()=>n.e(305).then(n.bind(n,8486)),"@site/docs/installation/configuration.md",8486],"9e39b1cd":[()=>n.e(7813).then(n.bind(n,4016)),"@site/docs/cli/cli.md",4016],"9e7a009d":[()=>n.e(7251).then(n.bind(n,6253)),"@site/docs/release-notes/v1.25.X.md",6253],"9f491e05":[()=>n.e(3189).then(n.bind(n,9297)),"@site/docs/security/self-assessment-1.23.md",9297],a09c2993:[()=>n.e(4128).then(n.bind(n,8152)),"@site/docs/introduction.md",8152],a7bd4aaa:[()=>n.e(8518).then(n.bind(n,4974)),"@theme/DocVersionRoot",4974],a94703ab:[()=>Promise.all([n.e(532),n.e(4368)]).then(n.bind(n,4547)),"@theme/DocRoot",4547],ab388925:[()=>n.e(4548).then(n.bind(n,9027)),"@site/docs/datastore/datastore.md",9027],ab60f49a:[()=>n.e(3555).then(n.bind(n,2688)),"@site/docs/security/self-assessment-1.24.md",2688],aba21aa0:[()=>n.e(3629).then(n.t.bind(n,1765,19)),"@generated/docusaurus-plugin-content-docs/default/__plugin.json",1765],ac75af2e:[()=>n.e(1199).then(n.bind(n,6455)),"@site/docs/installation/requirements.md",6455],b36bdd38:[()=>n.e(6895).then(n.bind(n,5020)),"@site/docs/datastore/ha-embedded.md",5020],b8002741:[()=>n.e(2573).then(n.bind(n,3338)),"@site/docs/release-notes/v1.30.X.md",3338],b9a30a37:[()=>n.e(2038).then(n.bind(n,9763)),"@site/docs/security/self-assessment-1.8.md",9763],ba3a957c:[()=>n.e(8776).then(n.bind(n,615)),"@site/docs/datastore/backup-restore.md",615],d123a91e:[()=>n.e(855).then(n.bind(n,5418)),"@site/docs/release-notes/v1.24.X.md",5418],d8ab3227:[()=>n.e(6501).then(n.bind(n,7953)),"@site/docs/networking/distributed-multicloud.md",7953],d8ed1217:[()=>n.e(2745).then(n.bind(n,7803)),"@site/docs/upgrades/manual.md",7803],dd22e55f:[()=>n.e(5668).then(n.bind(n,4840)),"@site/docs/release-notes/v1.27.X.md",4840],e7c9153a:[()=>n.e(7544).then(n.bind(n,1875)),"@site/docs/related-projects.md",1875],ea0a4c6d:[()=>n.e(791).then(n.bind(n,9555)),"@site/docs/datastore/ha.md",9555],ec6f9153:[()=>n.e(750).then(n.bind(n,4987)),"@site/docs/installation/airgap.md",4987],ee75e821:[()=>n.e(7893).then(n.bind(n,5380)),"@site/docs/networking/networking.md",5380],f319c6ab:[()=>n.e(8379).then(n.bind(n,1328)),"@site/docs/known-issues.md",1328],f8eefdc6:[()=>n.e(5234).then(n.bind(n,2435)),"@site/docs/installation/server-roles.md",2435],fc39421f:[()=>n.e(9778).then(n.bind(n,8573)),"@site/docs/reference/resource-profiling.md",8573]};var s=n(5893);function l(e){let{error:t,retry:n,pastDelay:r}=e;return t?(0,s.jsxs)("div",{style:{textAlign:"center",color:"#fff",backgroundColor:"#fa383e",borderColor:"#fa383e",borderStyle:"solid",borderRadius:"0.25rem",borderWidth:"1px",boxSizing:"border-box",display:"block",padding:"1rem",flex:"0 0 50%",marginLeft:"25%",marginRight:"25%",marginTop:"5rem",maxWidth:"50%",width:"100%"},children:[(0,s.jsx)("p",{children:String(t)}),(0,s.jsx)("div",{children:(0,s.jsx)("button",{type:"button",onClick:n,children:"Retry"})})]}):r?(0,s.jsx)("div",{style:{display:"flex",justifyContent:"center",alignItems:"center",height:"100vh"},children:(0,s.jsx)("svg",{id:"loader",style:{width:128,height:110,position:"absolute",top:"calc(100vh - 64%)"},viewBox:"0 0 45 45",xmlns:"http://www.w3.org/2000/svg",stroke:"#61dafb",children:(0,s.jsxs)("g",{fill:"none",fillRule:"evenodd",transform:"translate(1 1)",strokeWidth:"2",children:[(0,s.jsxs)("circle",{cx:"22",cy:"22",r:"6",strokeOpacity:"0",children:[(0,s.jsx)("animate",{attributeName:"r",begin:"1.5s",dur:"3s",values:"6;22",calcMode:"linear",repeatCount:"indefinite"}),(0,s.jsx)("animate",{attributeName:"stroke-opacity",begin:"1.5s",dur:"3s",values:"1;0",calcMode:"linear",repeatCount:"indefinite"}),(0,s.jsx)("animate",{attributeName:"stroke-width",begin:"1.5s",dur:"3s",values:"2;0",calcMode:"linear",repeatCount:"indefinite"})]}),(0,s.jsxs)("circle",{cx:"22",cy:"22",r:"6",strokeOpacity:"0",children:[(0,s.jsx)("animate",{attributeName:"r",begin:"3s",dur:"3s",values:"6;22",calcMode:"linear",repeatCount:"indefinite"}),(0,s.jsx)("animate",{attributeName:"stroke-opacity",begin:"3s",dur:"3s",values:"1;0",calcMode:"linear",repeatCount:"indefinite"}),(0,s.jsx)("animate",{attributeName:"stroke-width",begin:"3s",dur:"3s",values:"2;0",calcMode:"linear",repeatCount:"indefinite"})]}),(0,s.jsx)("circle",{cx:"22",cy:"22",r:"8",children:(0,s.jsx)("animate",{attributeName:"r",begin:"0s",dur:"1.5s",values:"6;1;2;3;4;5;6",calcMode:"linear",repeatCount:"indefinite"})})]})})}):null}var c=n(9670),u=n(226);function d(e,t){if("*"===e)return a()({loading:l,loader:()=>n.e(1772).then(n.bind(n,1772)),modules:["@theme/NotFound"],webpack:()=>[1772],render(e,t){const n=e.default;return(0,s.jsx)(u.z,{value:{plugin:{name:"native",id:"default"}},children:(0,s.jsx)(n,{...t})})}});const r=o[`${e}-${t}`],d={},p=[],f=[],h=(0,c.Z)(r);return Object.entries(h).forEach((e=>{let[t,n]=e;const r=i[n];r&&(d[t]=r[0],p.push(r[1]),f.push(r[2]))})),a().Map({loading:l,loader:d,modules:p,webpack:()=>f,render(t,n){const a=JSON.parse(JSON.stringify(r));Object.entries(t).forEach((t=>{let[n,r]=t;const o=r.default;if(!o)throw new Error(`The page component at ${e} doesn't have a default export. This makes it impossible to render anything. Consider default-exporting a React component.`);"object"!=typeof o&&"function"!=typeof o||Object.keys(r).filter((e=>"default"!==e)).forEach((e=>{o[e]=r[e]}));let i=a;const s=n.split(".");s.slice(0,-1).forEach((e=>{i=i[e]})),i[s[s.length-1]]=o}));const o=a.__comp;delete a.__comp;const i=a.__context;delete a.__context;const l=a.__props;return delete a.__props,(0,s.jsx)(u.z,{value:i,children:(0,s.jsx)(o,{...a,...l,...n})})}})}const p=[{path:"/search",component:d("/search","822"),exact:!0},{path:"/",component:d("/","833"),routes:[{path:"/",component:d("/","0d3"),routes:[{path:"/",component:d("/","fa8"),routes:[{path:"/advanced",component:d("/advanced","23a"),exact:!0,sidebar:"mySidebar"},{path:"/architecture",component:d("/architecture","9fe"),exact:!0,sidebar:"mySidebar"},{path:"/cli",component:d("/cli","3c8"),exact:!0,sidebar:"mySidebar"},{path:"/cli/agent",component:d("/cli/agent","0b4"),exact:!0,sidebar:"mySidebar"},{path:"/cli/certificate",component:d("/cli/certificate","d90"),exact:!0,sidebar:"mySidebar"},{path:"/cli/etcd-snapshot",component:d("/cli/etcd-snapshot","6b4"),exact:!0,sidebar:"mySidebar"},{path:"/cli/secrets-encrypt",component:d("/cli/secrets-encrypt","493"),exact:!0,sidebar:"mySidebar"},{path:"/cli/server",component:d("/cli/server","fb0"),exact:!0,sidebar:"mySidebar"},{path:"/cli/token",component:d("/cli/token","028"),exact:!0,sidebar:"mySidebar"},{path:"/cluster-access",component:d("/cluster-access","644"),exact:!0,sidebar:"mySidebar"},{path:"/datastore",component:d("/datastore","53a"),exact:!0,sidebar:"mySidebar"},{path:"/datastore/backup-restore",component:d("/datastore/backup-restore","b35"),exact:!0,sidebar:"mySidebar"},{path:"/datastore/cluster-loadbalancer",component:d("/datastore/cluster-loadbalancer","6d1"),exact:!0,sidebar:"mySidebar"},{path:"/datastore/ha",component:d("/datastore/ha","6c2"),exact:!0,sidebar:"mySidebar"},{path:"/datastore/ha-embedded",component:d("/datastore/ha-embedded","fc4"),exact:!0,sidebar:"mySidebar"},{path:"/faq",component:d("/faq","9db"),exact:!0,sidebar:"mySidebar"},{path:"/helm",component:d("/helm","1a5"),exact:!0,sidebar:"mySidebar"},{path:"/installation",component:d("/installation","9b3"),exact:!0,sidebar:"mySidebar"},{path:"/installation/airgap",component:d("/installation/airgap","dca"),exact:!0,sidebar:"mySidebar"},{path:"/installation/configuration",component:d("/installation/configuration","2e0"),exact:!0,sidebar:"mySidebar"},{path:"/installation/packaged-components",component:d("/installation/packaged-components","615"),exact:!0,sidebar:"mySidebar"},{path:"/installation/private-registry",component:d("/installation/private-registry","80b"),exact:!0,sidebar:"mySidebar"},{path:"/installation/registry-mirror",component:d("/installation/registry-mirror","c9a"),exact:!0,sidebar:"mySidebar"},{path:"/installation/requirements",component:d("/installation/requirements","a58"),exact:!0,sidebar:"mySidebar"},{path:"/installation/server-roles",component:d("/installation/server-roles","5fe"),exact:!0,sidebar:"mySidebar"},{path:"/installation/uninstall",component:d("/installation/uninstall","4dd"),exact:!0,sidebar:"mySidebar"},{path:"/known-issues",component:d("/known-issues","bdf"),exact:!0,sidebar:"mySidebar"},{path:"/networking",component:d("/networking","a7c"),exact:!0,sidebar:"mySidebar"},{path:"/networking/basic-network-options",component:d("/networking/basic-network-options","412"),exact:!0,sidebar:"mySidebar"},{path:"/networking/distributed-multicloud",component:d("/networking/distributed-multicloud","7e4"),exact:!0,sidebar:"mySidebar"},{path:"/networking/multus-ipams",component:d("/networking/multus-ipams","efa"),exact:!0,sidebar:"mySidebar"},{path:"/networking/networking-services",component:d("/networking/networking-services","0f7"),exact:!0,sidebar:"mySidebar"},{path:"/quick-start",component:d("/quick-start","e14"),exact:!0,sidebar:"mySidebar"},{path:"/reference/env-variables",component:d("/reference/env-variables","25e"),exact:!0,sidebar:"mySidebar"},{path:"/reference/flag-deprecation",component:d("/reference/flag-deprecation","980"),exact:!0,sidebar:"mySidebar"},{path:"/reference/resource-profiling",component:d("/reference/resource-profiling","537"),exact:!0,sidebar:"mySidebar"},{path:"/related-projects",component:d("/related-projects","02d"),exact:!0,sidebar:"mySidebar"},{path:"/release-notes/v1.24.X",component:d("/release-notes/v1.24.X","705"),exact:!0,sidebar:"mySidebar"},{path:"/release-notes/v1.25.X",component:d("/release-notes/v1.25.X","641"),exact:!0,sidebar:"mySidebar"},{path:"/release-notes/v1.26.X",component:d("/release-notes/v1.26.X","b40"),exact:!0,sidebar:"mySidebar"},{path:"/release-notes/v1.27.X",component:d("/release-notes/v1.27.X","f30"),exact:!0,sidebar:"mySidebar"},{path:"/release-notes/v1.28.X",component:d("/release-notes/v1.28.X","b85"),exact:!0,sidebar:"mySidebar"},{path:"/release-notes/v1.29.X",component:d("/release-notes/v1.29.X","558"),exact:!0,sidebar:"mySidebar"},{path:"/release-notes/v1.30.X",component:d("/release-notes/v1.30.X","be9"),exact:!0,sidebar:"mySidebar"},{path:"/security",component:d("/security","9f9"),exact:!0,sidebar:"mySidebar"},{path:"/security/hardening-guide",component:d("/security/hardening-guide","f39"),exact:!0,sidebar:"mySidebar"},{path:"/security/secrets-encryption",component:d("/security/secrets-encryption","5a3"),exact:!0,sidebar:"mySidebar"},{path:"/security/self-assessment-1.23",component:d("/security/self-assessment-1.23","1f4"),exact:!0},{path:"/security/self-assessment-1.24",component:d("/security/self-assessment-1.24","bad"),exact:!0,sidebar:"mySidebar"},{path:"/security/self-assessment-1.7",component:d("/security/self-assessment-1.7","ce4"),exact:!0,sidebar:"mySidebar"},{path:"/security/self-assessment-1.8",component:d("/security/self-assessment-1.8","0cf"),exact:!0,sidebar:"mySidebar"},{path:"/storage",component:d("/storage","598"),exact:!0,sidebar:"mySidebar"},{path:"/upgrades",component:d("/upgrades","fe1"),exact:!0,sidebar:"mySidebar"},{path:"/upgrades/automated",component:d("/upgrades/automated","8c6"),exact:!0,sidebar:"mySidebar"},{path:"/upgrades/killall",component:d("/upgrades/killall","25f"),exact:!0,sidebar:"mySidebar"},{path:"/upgrades/manual",component:d("/upgrades/manual","d9c"),exact:!0,sidebar:"mySidebar"},{path:"/",component:d("/","e0a"),exact:!0,sidebar:"mySidebar"}]}]}]},{path:"*",component:d("*")}]},8934:(e,t,n)=>{"use strict";n.d(t,{_:()=>o,t:()=>i});var r=n(7294),a=n(5893);const o=r.createContext(!1);function i(e){let{children:t}=e;const[n,i]=(0,r.useState)(!1);return(0,r.useEffect)((()=>{i(!0)}),[]),(0,a.jsx)(o.Provider,{value:n,children:t})}},2849:(e,t,n)=>{"use strict";var r=n(7294),a=n(745),o=n(405),i=n(3727),s=n(6809),l=n(412);const c=[n(2497),n(3310),n(8320),n(2295)];var u=n(723),d=n(6550),p=n(8790),f=n(5893);function h(e){let{children:t}=e;return(0,f.jsx)(f.Fragment,{children:t})}var m=n(5742),g=n(2263),y=n(4996),b=n(6668),v=n(1944),w=n(4711),k=n(9727);const x="default";var S=n(8780),E=n(197);function _(){const{i18n:{currentLocale:e,defaultLocale:t,localeConfigs:n}}=(0,g.Z)(),r=(0,w.l)(),a=n[e].htmlLang,o=e=>e.replace("-","_");return(0,f.jsxs)(m.Z,{children:[Object.entries(n).map((e=>{let[t,{htmlLang:n}]=e;return(0,f.jsx)("link",{rel:"alternate",href:r.createUrl({locale:t,fullyQualified:!0}),hrefLang:n},t)})),(0,f.jsx)("link",{rel:"alternate",href:r.createUrl({locale:t,fullyQualified:!0}),hrefLang:"x-default"}),(0,f.jsx)("meta",{property:"og:locale",content:o(a)}),Object.values(n).filter((e=>a!==e.htmlLang)).map((e=>(0,f.jsx)("meta",{property:"og:locale:alternate",content:o(e.htmlLang)},`meta-og-${e.htmlLang}`)))]})}function C(e){let{permalink:t}=e;const{siteConfig:{url:n}}=(0,g.Z)(),r=function(){const{siteConfig:{url:e,baseUrl:t,trailingSlash:n}}=(0,g.Z)(),{pathname:r}=(0,d.TH)();return e+(0,S.Do)((0,y.ZP)(r),{trailingSlash:n,baseUrl:t})}(),a=t?`${n}${t}`:r;return(0,f.jsxs)(m.Z,{children:[(0,f.jsx)("meta",{property:"og:url",content:a}),(0,f.jsx)("link",{rel:"canonical",href:a})]})}function T(){const{i18n:{currentLocale:e}}=(0,g.Z)(),{metadata:t,image:n}=(0,b.L)();return(0,f.jsxs)(f.Fragment,{children:[(0,f.jsxs)(m.Z,{children:[(0,f.jsx)("meta",{name:"twitter:card",content:"summary_large_image"}),(0,f.jsx)("body",{className:k.h})]}),n&&(0,f.jsx)(v.d,{image:n}),(0,f.jsx)(C,{}),(0,f.jsx)(_,{}),(0,f.jsx)(E.Z,{tag:x,locale:e}),(0,f.jsx)(m.Z,{children:t.map(((e,t)=>(0,f.jsx)("meta",{...e},t)))})]})}const j=new Map;var L=n(8934),R=n(8940),N=n(469);function P(e){for(var t=arguments.length,n=new Array(t>1?t-1:0),r=1;r<t;r++)n[r-1]=arguments[r];const a=c.map((t=>{const r=t.default?.[e]??t[e];return r?.(...n)}));return()=>a.forEach((e=>e?.()))}const A=function(e){let{children:t,location:n,previousLocation:r}=e;return(0,N.Z)((()=>{r!==n&&(!function(e){let{location:t,previousLocation:n}=e;if(!n)return;const r=t.pathname===n.pathname,a=t.hash===n.hash,o=t.search===n.search;if(r&&a&&!o)return;const{hash:i}=t;if(i){const e=decodeURIComponent(i.substring(1)),t=document.getElementById(e);t?.scrollIntoView()}else window.scrollTo(0,0)}({location:n,previousLocation:r}),P("onRouteDidUpdate",{previousLocation:r,location:n}))}),[r,n]),t};function O(e){const t=Array.from(new Set([e,decodeURI(e)])).map((e=>(0,p.f)(u.Z,e))).flat();return Promise.all(t.map((e=>e.route.component.preload?.())))}class I extends r.Component{previousLocation;routeUpdateCleanupCb;constructor(e){super(e),this.previousLocation=null,this.routeUpdateCleanupCb=l.Z.canUseDOM?P("onRouteUpdate",{previousLocation:null,location:this.props.location}):()=>{},this.state={nextRouteHasLoaded:!0}}shouldComponentUpdate(e,t){if(e.location===this.props.location)return t.nextRouteHasLoaded;const n=e.location;return this.previousLocation=this.props.location,this.setState({nextRouteHasLoaded:!1}),this.routeUpdateCleanupCb=P("onRouteUpdate",{previousLocation:this.previousLocation,location:n}),O(n.pathname).then((()=>{this.routeUpdateCleanupCb(),this.setState({nextRouteHasLoaded:!0})})).catch((e=>{console.warn(e),window.location.reload()})),!1}render(){const{children:e,location:t}=this.props;return(0,f.jsx)(A,{previousLocation:this.previousLocation,location:t,children:(0,f.jsx)(d.AW,{location:t,render:()=>e})})}}const D=I,F="__docusaurus-base-url-issue-banner-container",M="__docusaurus-base-url-issue-banner",z="__docusaurus-base-url-issue-banner-suggestion-container";function B(e){return`\ndocument.addEventListener('DOMContentLoaded', function maybeInsertBanner() {\n var shouldInsert = typeof window['docusaurus'] === 'undefined';\n shouldInsert && insertBanner();\n});\n\nfunction insertBanner() {\n var bannerContainer = document.createElement('div');\n bannerContainer.id = '${F}';\n var bannerHtml = ${JSON.stringify(function(e){return`\n<div id="${M}" style="border: thick solid red; background-color: rgb(255, 230, 179); margin: 20px; padding: 20px; font-size: 20px;">\n <p style="font-weight: bold; font-size: 30px;">Your Docusaurus site did not load properly.</p>\n <p>A very common reason is a wrong site <a href="https://docusaurus.io/docs/docusaurus.config.js/#baseUrl" style="font-weight: bold;">baseUrl configuration</a>.</p>\n <p>Current configured baseUrl = <span style="font-weight: bold; color: red;">${e}</span> ${"/"===e?" (default value)":""}</p>\n <p>We suggest trying baseUrl = <span id="${z}" style="font-weight: bold; color: green;"></span></p>\n</div>\n`}(e)).replace(/</g,"\\<")};\n bannerContainer.innerHTML = bannerHtml;\n document.body.prepend(bannerContainer);\n var suggestionContainer = document.getElementById('${z}');\n var actualHomePagePath = window.location.pathname;\n var suggestedBaseUrl = actualHomePagePath.substr(-1) === '/'\n ? actualHomePagePath\n : actualHomePagePath + '/';\n suggestionContainer.innerHTML = suggestedBaseUrl;\n}\n`}function $(){const{siteConfig:{baseUrl:e}}=(0,g.Z)();return(0,f.jsx)(f.Fragment,{children:!l.Z.canUseDOM&&(0,f.jsx)(m.Z,{children:(0,f.jsx)("script",{children:B(e)})})})}function U(){const{siteConfig:{baseUrl:e,baseUrlIssueBanner:t}}=(0,g.Z)(),{pathname:n}=(0,d.TH)();return t&&n===e?(0,f.jsx)($,{}):null}function q(){const{siteConfig:{favicon:e,title:t,noIndex:n},i18n:{currentLocale:r,localeConfigs:a}}=(0,g.Z)(),o=(0,y.ZP)(e),{htmlLang:i,direction:s}=a[r];return(0,f.jsxs)(m.Z,{children:[(0,f.jsx)("html",{lang:i,dir:s}),(0,f.jsx)("title",{children:t}),(0,f.jsx)("meta",{property:"og:title",content:t}),(0,f.jsx)("meta",{name:"viewport",content:"width=device-width, initial-scale=1.0"}),n&&(0,f.jsx)("meta",{name:"robots",content:"noindex, nofollow"}),e&&(0,f.jsx)("link",{rel:"icon",href:o})]})}var H=n(4763),Q=n(2389);function Z(){const e=(0,Q.Z)();return(0,f.jsx)(m.Z,{children:(0,f.jsx)("html",{"data-has-hydrated":e})})}const V=(0,p.H)(u.Z);function W(){const e=function(e){if(j.has(e.pathname))return{...e,pathname:j.get(e.pathname)};if((0,p.f)(u.Z,e.pathname).some((e=>{let{route:t}=e;return!0===t.exact})))return j.set(e.pathname,e.pathname),e;const t=e.pathname.trim().replace(/(?:\/index)?\.html$/,"")||"/";return j.set(e.pathname,t),{...e,pathname:t}}((0,d.TH)());return(0,f.jsx)(D,{location:e,children:V})}function G(){return(0,f.jsx)(H.Z,{children:(0,f.jsx)(R.M,{children:(0,f.jsxs)(L.t,{children:[(0,f.jsxs)(h,{children:[(0,f.jsx)(q,{}),(0,f.jsx)(T,{}),(0,f.jsx)(U,{}),(0,f.jsx)(W,{})]}),(0,f.jsx)(Z,{})]})})})}var X=n(6887);const K=function(e){try{return document.createElement("link").relList.supports(e)}catch{return!1}}("prefetch")?function(e){return new Promise(((t,n)=>{if("undefined"==typeof document)return void n();const r=document.createElement("link");r.setAttribute("rel","prefetch"),r.setAttribute("href",e),r.onload=()=>t(),r.onerror=()=>n();const a=document.getElementsByTagName("head")[0]??document.getElementsByName("script")[0]?.parentNode;a?.appendChild(r)}))}:function(e){return new Promise(((t,n)=>{const r=new XMLHttpRequest;r.open("GET",e,!0),r.withCredentials=!0,r.onload=()=>{200===r.status?t():n()},r.send(null)}))};var Y=n(9670);const J=new Set,ee=new Set,te=()=>navigator.connection?.effectiveType.includes("2g")||navigator.connection?.saveData,ne={prefetch:e=>{if(!(e=>!te()&&!ee.has(e)&&!J.has(e))(e))return!1;J.add(e);const t=(0,p.f)(u.Z,e).flatMap((e=>{return t=e.route.path,Object.entries(X).filter((e=>{let[n]=e;return n.replace(/-[^-]+$/,"")===t})).flatMap((e=>{let[,t]=e;return Object.values((0,Y.Z)(t))}));var t}));return Promise.all(t.map((e=>{const t=n.gca(e);return t&&!t.includes("undefined")?K(t).catch((()=>{})):Promise.resolve()})))},preload:e=>!!(e=>!te()&&!ee.has(e))(e)&&(ee.add(e),O(e))},re=Object.freeze(ne);function ae(e){let{children:t}=e;return"hash"===s.default.future.experimental_router?(0,f.jsx)(i.UT,{children:t}):(0,f.jsx)(i.VK,{children:t})}const oe=Boolean(!0);if(l.Z.canUseDOM){window.docusaurus=re;const e=document.getElementById("__docusaurus"),t=(0,f.jsx)(o.B6,{children:(0,f.jsx)(ae,{children:(0,f.jsx)(G,{})})}),n=(e,t)=>{console.error("Docusaurus React Root onRecoverableError:",e,t)},i=()=>{if(window.docusaurusRoot)window.docusaurusRoot.render(t);else if(oe)window.docusaurusRoot=a.hydrateRoot(e,t,{onRecoverableError:n});else{const r=a.createRoot(e,{onRecoverableError:n});r.render(t),window.docusaurusRoot=r}};O(window.location.pathname).then((()=>{(0,r.startTransition)(i)}))}},8940:(e,t,n)=>{"use strict";n.d(t,{_:()=>d,M:()=>p});var r=n(7294),a=n(6809);const o=JSON.parse('{"docusaurus-plugin-content-docs":{"default":{"path":"/","versions":[{"name":"current","label":"Next","isLast":true,"path":"/","mainDocId":"introduction","docs":[{"id":"advanced","path":"/advanced","sidebar":"mySidebar"},{"id":"architecture","path":"/architecture","sidebar":"mySidebar"},{"id":"cli/agent","path":"/cli/agent","sidebar":"mySidebar"},{"id":"cli/certificate","path":"/cli/certificate","sidebar":"mySidebar"},{"id":"cli/cli","path":"/cli/","sidebar":"mySidebar"},{"id":"cli/etcd-snapshot","path":"/cli/etcd-snapshot","sidebar":"mySidebar"},{"id":"cli/secrets-encrypt","path":"/cli/secrets-encrypt","sidebar":"mySidebar"},{"id":"cli/server","path":"/cli/server","sidebar":"mySidebar"},{"id":"cli/token","path":"/cli/token","sidebar":"mySidebar"},{"id":"cluster-access","path":"/cluster-access","sidebar":"mySidebar"},{"id":"datastore/backup-restore","path":"/datastore/backup-restore","sidebar":"mySidebar"},{"id":"datastore/cluster-loadbalancer","path":"/datastore/cluster-loadbalancer","sidebar":"mySidebar"},{"id":"datastore/datastore","path":"/datastore/","sidebar":"mySidebar"},{"id":"datastore/ha","path":"/datastore/ha","sidebar":"mySidebar"},{"id":"datastore/ha-embedded","path":"/datastore/ha-embedded","sidebar":"mySidebar"},{"id":"faq","path":"/faq","sidebar":"mySidebar"},{"id":"helm","path":"/helm","sidebar":"mySidebar"},{"id":"installation/airgap","path":"/installation/airgap","sidebar":"mySidebar"},{"id":"installation/configuration","path":"/installation/configuration","sidebar":"mySidebar"},{"id":"installation/installation","path":"/installation/","sidebar":"mySidebar"},{"id":"installation/packaged-components","path":"/installation/packaged-components","sidebar":"mySidebar"},{"id":"installation/private-registry","path":"/installation/private-registry","sidebar":"mySidebar"},{"id":"installation/registry-mirror","path":"/installation/registry-mirror","sidebar":"mySidebar"},{"id":"installation/requirements","path":"/installation/requirements","sidebar":"mySidebar"},{"id":"installation/server-roles","path":"/installation/server-roles","sidebar":"mySidebar"},{"id":"installation/uninstall","path":"/installation/uninstall","sidebar":"mySidebar"},{"id":"introduction","path":"/","sidebar":"mySidebar"},{"id":"known-issues","path":"/known-issues","sidebar":"mySidebar"},{"id":"networking/basic-network-options","path":"/networking/basic-network-options","sidebar":"mySidebar"},{"id":"networking/distributed-multicloud","path":"/networking/distributed-multicloud","sidebar":"mySidebar"},{"id":"networking/multus-ipams","path":"/networking/multus-ipams","sidebar":"mySidebar"},{"id":"networking/networking","path":"/networking/","sidebar":"mySidebar"},{"id":"networking/networking-services","path":"/networking/networking-services","sidebar":"mySidebar"},{"id":"quick-start","path":"/quick-start","sidebar":"mySidebar"},{"id":"reference/env-variables","path":"/reference/env-variables","sidebar":"mySidebar"},{"id":"reference/flag-deprecation","path":"/reference/flag-deprecation","sidebar":"mySidebar"},{"id":"reference/resource-profiling","path":"/reference/resource-profiling","sidebar":"mySidebar"},{"id":"related-projects","path":"/related-projects","sidebar":"mySidebar"},{"id":"release-notes/v1.24.X","path":"/release-notes/v1.24.X","sidebar":"mySidebar"},{"id":"release-notes/v1.25.X","path":"/release-notes/v1.25.X","sidebar":"mySidebar"},{"id":"release-notes/v1.26.X","path":"/release-notes/v1.26.X","sidebar":"mySidebar"},{"id":"release-notes/v1.27.X","path":"/release-notes/v1.27.X","sidebar":"mySidebar"},{"id":"release-notes/v1.28.X","path":"/release-notes/v1.28.X","sidebar":"mySidebar"},{"id":"release-notes/v1.29.X","path":"/release-notes/v1.29.X","sidebar":"mySidebar"},{"id":"release-notes/v1.30.X","path":"/release-notes/v1.30.X","sidebar":"mySidebar"},{"id":"security/hardening-guide","path":"/security/hardening-guide","sidebar":"mySidebar"},{"id":"security/secrets-encryption","path":"/security/secrets-encryption","sidebar":"mySidebar"},{"id":"security/security","path":"/security/","sidebar":"mySidebar"},{"id":"security/self-assessment-1.23","path":"/security/self-assessment-1.23"},{"id":"security/self-assessment-1.24","path":"/security/self-assessment-1.24","sidebar":"mySidebar"},{"id":"security/self-assessment-1.7","path":"/security/self-assessment-1.7","sidebar":"mySidebar"},{"id":"security/self-assessment-1.8","path":"/security/self-assessment-1.8","sidebar":"mySidebar"},{"id":"storage","path":"/storage","sidebar":"mySidebar"},{"id":"upgrades/automated","path":"/upgrades/automated","sidebar":"mySidebar"},{"id":"upgrades/killall","path":"/upgrades/killall","sidebar":"mySidebar"},{"id":"upgrades/manual","path":"/upgrades/manual","sidebar":"mySidebar"},{"id":"upgrades/upgrades","path":"/upgrades/","sidebar":"mySidebar"}],"draftIds":[],"sidebars":{"mySidebar":{"link":{"path":"/","label":"introduction"}}}}],"breadcrumbs":true}}}'),i=JSON.parse('{"defaultLocale":"en","locales":["en","zh","kr"],"path":"i18n","currentLocale":"en","localeConfigs":{"en":{"label":"English","direction":"ltr","htmlLang":"en","calendar":"gregory","path":"en"},"zh":{"label":"\u7b80\u4f53\u4e2d\u6587","direction":"ltr","htmlLang":"zh","calendar":"gregory","path":"zh"},"kr":{"label":"\ud55c\uad6d\uc5b4","direction":"ltr","htmlLang":"kr","calendar":"gregory","path":"kr"}}}');var s=n(7529);const l=JSON.parse('{"docusaurusVersion":"3.5.1","siteVersion":"0.0.1","pluginVersions":{"docusaurus-plugin-content-docs":{"type":"package","name":"@docusaurus/plugin-content-docs","version":"3.5.1"},"docusaurus-plugin-content-pages":{"type":"package","name":"@docusaurus/plugin-content-pages","version":"3.5.1"},"docusaurus-plugin-sitemap":{"type":"package","name":"@docusaurus/plugin-sitemap","version":"3.5.1"},"docusaurus-theme-classic":{"type":"package","name":"@docusaurus/theme-classic","version":"3.5.1"},"docusaurus-plugin-client-redirects":{"type":"package","name":"@docusaurus/plugin-client-redirects","version":"3.5.1"},"docusaurus-theme-mermaid":{"type":"package","name":"@docusaurus/theme-mermaid","version":"3.5.1"},"@easyops-cn/docusaurus-search-local":{"type":"package","name":"@easyops-cn/docusaurus-search-local","version":"0.44.4"}}}');var c=n(5893);const u={siteConfig:a.default,siteMetadata:l,globalData:o,i18n:i,codeTranslations:s},d=r.createContext(u);function p(e){let{children:t}=e;return(0,c.jsx)(d.Provider,{value:u,children:t})}},4763:(e,t,n)=>{"use strict";n.d(t,{Z:()=>m});var r=n(7294),a=n(412),o=n(5742),i=n(8780),s=n(8947),l=n(226),c=n(5893);function u(e){let{error:t,tryAgain:n}=e;return(0,c.jsxs)("div",{style:{display:"flex",flexDirection:"column",justifyContent:"center",alignItems:"flex-start",minHeight:"100vh",width:"100%",maxWidth:"80ch",fontSize:"20px",margin:"0 auto",padding:"1rem"},children:[(0,c.jsx)("h1",{style:{fontSize:"3rem"},children:"This page crashed"}),(0,c.jsx)("button",{type:"button",onClick:n,style:{margin:"1rem 0",fontSize:"2rem",cursor:"pointer",borderRadius:20,padding:"1rem"},children:"Try again"}),(0,c.jsx)(d,{error:t})]})}function d(e){let{error:t}=e;const n=(0,i.BN)(t).map((e=>e.message)).join("\n\nCause:\n");return(0,c.jsx)("p",{style:{whiteSpace:"pre-wrap"},children:n})}function p(e){let{children:t}=e;return(0,c.jsx)(l.z,{value:{plugin:{name:"docusaurus-core-error-boundary",id:"default"}},children:t})}function f(e){let{error:t,tryAgain:n}=e;return(0,c.jsx)(p,{children:(0,c.jsxs)(m,{fallback:()=>(0,c.jsx)(u,{error:t,tryAgain:n}),children:[(0,c.jsx)(o.Z,{children:(0,c.jsx)("title",{children:"Page Error"})}),(0,c.jsx)(s.Z,{children:(0,c.jsx)(u,{error:t,tryAgain:n})})]})})}const h=e=>(0,c.jsx)(f,{...e});class m extends r.Component{constructor(e){super(e),this.state={error:null}}componentDidCatch(e){a.Z.canUseDOM&&this.setState({error:e})}render(){const{children:e}=this.props,{error:t}=this.state;if(t){const e={error:t,tryAgain:()=>this.setState({error:null})};return(this.props.fallback??h)(e)}return e??null}}},412:(e,t,n)=>{"use strict";n.d(t,{Z:()=>a});const r="undefined"!=typeof window&&"document"in window&&"createElement"in window.document,a={canUseDOM:r,canUseEventListeners:r&&("addEventListener"in window||"attachEvent"in window),canUseIntersectionObserver:r&&"IntersectionObserver"in window,canUseViewport:r&&"screen"in window}},5742:(e,t,n)=>{"use strict";n.d(t,{Z:()=>o});n(7294);var r=n(405),a=n(5893);function o(e){return(0,a.jsx)(r.ql,{...e})}},3692:(e,t,n)=>{"use strict";n.d(t,{Z:()=>f});var r=n(7294),a=n(3727),o=n(8780),i=n(2263),s=n(3919),l=n(412),c=n(8138),u=n(4996),d=n(5893);function p(e,t){let{isNavLink:n,to:p,href:f,activeClassName:h,isActive:m,"data-noBrokenLinkCheck":g,autoAddBaseUrl:y=!0,...b}=e;const{siteConfig:v}=(0,i.Z)(),{trailingSlash:w,baseUrl:k}=v,x=v.future.experimental_router,{withBaseUrl:S}=(0,u.Cg)(),E=(0,c.Z)(),_=(0,r.useRef)(null);(0,r.useImperativeHandle)(t,(()=>_.current));const C=p||f;const T=(0,s.Z)(C),j=C?.replace("pathname://","");let L=void 0!==j?(R=j,y&&(e=>e.startsWith("/"))(R)?S(R):R):void 0;var R;"hash"===x&&L?.startsWith("./")&&(L=L?.slice(1)),L&&T&&(L=(0,o.Do)(L,{trailingSlash:w,baseUrl:k}));const N=(0,r.useRef)(!1),P=n?a.OL:a.rU,A=l.Z.canUseIntersectionObserver,O=(0,r.useRef)(),I=()=>{N.current||null==L||(window.docusaurus.preload(L),N.current=!0)};(0,r.useEffect)((()=>(!A&&T&&l.Z.canUseDOM&&null!=L&&window.docusaurus.prefetch(L),()=>{A&&O.current&&O.current.disconnect()})),[O,L,A,T]);const D=L?.startsWith("#")??!1,F=!b.target||"_self"===b.target,M=!L||!T||!F||D&&"hash"!==x;g||!D&&M||E.collectLink(L),b.id&&E.collectAnchor(b.id);const z={};return M?(0,d.jsx)("a",{ref:_,href:L,...C&&!T&&{target:"_blank",rel:"noopener noreferrer"},...b,...z}):(0,d.jsx)(P,{...b,onMouseEnter:I,onTouchStart:I,innerRef:e=>{_.current=e,A&&e&&T&&(O.current=new window.IntersectionObserver((t=>{t.forEach((t=>{e===t.target&&(t.isIntersecting||t.intersectionRatio>0)&&(O.current.unobserve(e),O.current.disconnect(),null!=L&&window.docusaurus.prefetch(L))}))})),O.current.observe(e))},to:L,...n&&{isActive:m,activeClassName:h},...z})}const f=r.forwardRef(p)},5999:(e,t,n)=>{"use strict";n.d(t,{Z:()=>c,I:()=>l});var r=n(7294),a=n(5893);function o(e,t){const n=e.split(/(\{\w+\})/).map(((e,n)=>{if(n%2==1){const n=t?.[e.slice(1,-1)];if(void 0!==n)return n}return e}));return n.some((e=>(0,r.isValidElement)(e)))?n.map(((e,t)=>(0,r.isValidElement)(e)?r.cloneElement(e,{key:t}):e)).filter((e=>""!==e)):n.join("")}var i=n(7529);function s(e){let{id:t,message:n}=e;if(void 0===t&&void 0===n)throw new Error("Docusaurus translation declarations must have at least a translation id or a default translation message");return i[t??n]??n??t}function l(e,t){let{message:n,id:r}=e;return o(s({message:n,id:r}),t)}function c(e){let{children:t,id:n,values:r}=e;if(t&&"string"!=typeof t)throw console.warn("Illegal <Translate> children",t),new Error("The Docusaurus <Translate> component only accept simple string values");const i=s({message:t,id:n});return(0,a.jsx)(a.Fragment,{children:o(i,r)})}},9935:(e,t,n)=>{"use strict";n.d(t,{m:()=>r});const r="default"},3919:(e,t,n)=>{"use strict";function r(e){return/^(?:\w*:|\/\/)/.test(e)}function a(e){return void 0!==e&&!r(e)}n.d(t,{Z:()=>a,b:()=>r})},4996:(e,t,n)=>{"use strict";n.d(t,{Cg:()=>i,ZP:()=>s});var r=n(7294),a=n(2263),o=n(3919);function i(){const{siteConfig:e}=(0,a.Z)(),{baseUrl:t,url:n}=e,i=e.future.experimental_router,s=(0,r.useCallback)(((e,r)=>function(e){let{siteUrl:t,baseUrl:n,url:r,options:{forcePrependBaseUrl:a=!1,absolute:i=!1}={},router:s}=e;if(!r||r.startsWith("#")||(0,o.b)(r))return r;if("hash"===s)return r.startsWith("/")?`.${r}`:`./${r}`;if(a)return n+r.replace(/^\//,"");if(r===n.replace(/\/$/,""))return n;const l=r.startsWith(n)?r:n+r.replace(/^\//,"");return i?t+l:l}({siteUrl:n,baseUrl:t,url:e,options:r,router:i})),[n,t,i]);return{withBaseUrl:s}}function s(e,t){void 0===t&&(t={});const{withBaseUrl:n}=i();return n(e,t)}},8138:(e,t,n)=>{"use strict";n.d(t,{Z:()=>i});var r=n(7294);n(5893);const a=r.createContext({collectAnchor:()=>{},collectLink:()=>{}}),o=()=>(0,r.useContext)(a);function i(){return o()}},2263:(e,t,n)=>{"use strict";n.d(t,{Z:()=>o});var r=n(7294),a=n(8940);function o(){return(0,r.useContext)(a._)}},2389:(e,t,n)=>{"use strict";n.d(t,{Z:()=>o});var r=n(7294),a=n(8934);function o(){return(0,r.useContext)(a._)}},469:(e,t,n)=>{"use strict";n.d(t,{Z:()=>a});var r=n(7294);const a=n(412).Z.canUseDOM?r.useLayoutEffect:r.useEffect},9670:(e,t,n)=>{"use strict";n.d(t,{Z:()=>a});const r=e=>"object"==typeof e&&!!e&&Object.keys(e).length>0;function a(e){const t={};return function e(n,a){Object.entries(n).forEach((n=>{let[o,i]=n;const s=a?`${a}.${o}`:o;r(i)?e(i,s):t[s]=i}))}(e),t}},226:(e,t,n)=>{"use strict";n.d(t,{_:()=>o,z:()=>i});var r=n(7294),a=n(5893);const o=r.createContext(null);function i(e){let{children:t,value:n}=e;const i=r.useContext(o),s=(0,r.useMemo)((()=>function(e){let{parent:t,value:n}=e;if(!t){if(!n)throw new Error("Unexpected: no Docusaurus route context found");if(!("plugin"in n))throw new Error("Unexpected: Docusaurus topmost route context has no `plugin` attribute");return n}const r={...t.data,...n?.data};return{plugin:t.plugin,data:r}}({parent:i,value:n})),[i,n]);return(0,a.jsx)(o.Provider,{value:s,children:t})}},298:(e,t,n)=>{"use strict";n.d(t,{J:()=>b,L5:()=>g});var r=n(7294),a=n(143),o=n(9935),i=n(6668),s=n(812),l=n(902),c=n(5893);const u=e=>`docs-preferred-version-${e}`,d={save:(e,t,n)=>{(0,s.WA)(u(e),{persistence:t}).set(n)},read:(e,t)=>(0,s.WA)(u(e),{persistence:t}).get(),clear:(e,t)=>{(0,s.WA)(u(e),{persistence:t}).del()}},p=e=>Object.fromEntries(e.map((e=>[e,{preferredVersionName:null}])));const f=r.createContext(null);function h(){const e=(0,a._r)(),t=(0,i.L)().docs.versionPersistence,n=(0,r.useMemo)((()=>Object.keys(e)),[e]),[o,s]=(0,r.useState)((()=>p(n)));(0,r.useEffect)((()=>{s(function(e){let{pluginIds:t,versionPersistence:n,allDocsData:r}=e;function a(e){const t=d.read(e,n);return r[e].versions.some((e=>e.name===t))?{preferredVersionName:t}:(d.clear(e,n),{preferredVersionName:null})}return Object.fromEntries(t.map((e=>[e,a(e)])))}({allDocsData:e,versionPersistence:t,pluginIds:n}))}),[e,t,n]);return[o,(0,r.useMemo)((()=>({savePreferredVersion:function(e,n){d.save(e,t,n),s((t=>({...t,[e]:{preferredVersionName:n}})))}})),[t])]}function m(e){let{children:t}=e;const n=h();return(0,c.jsx)(f.Provider,{value:n,children:t})}function g(e){let{children:t}=e;return(0,c.jsx)(m,{children:t})}function y(){const e=(0,r.useContext)(f);if(!e)throw new l.i6("DocsPreferredVersionContextProvider");return e}function b(e){void 0===e&&(e=o.m);const t=(0,a.zh)(e),[n,i]=y(),{preferredVersionName:s}=n[e];return{preferredVersion:t.versions.find((e=>e.name===s))??null,savePreferredVersionName:(0,r.useCallback)((t=>{i.savePreferredVersion(e,t)}),[i,e])}}},4731:(e,t,n)=>{"use strict";n.d(t,{V:()=>c,b:()=>l});var r=n(7294),a=n(902),o=n(5893);const i=Symbol("EmptyContext"),s=r.createContext(i);function l(e){let{children:t,name:n,items:a}=e;const i=(0,r.useMemo)((()=>n&&a?{name:n,items:a}:null),[n,a]);return(0,o.jsx)(s.Provider,{value:i,children:t})}function c(){const e=(0,r.useContext)(s);if(e===i)throw new a.i6("DocsSidebarProvider");return e}},9690:(e,t,n)=>{"use strict";n.d(t,{LM:()=>p,MN:()=>_,SN:()=>E,_F:()=>g,f:()=>b,jA:()=>f,lO:()=>k,oz:()=>x,s1:()=>w,vY:()=>S});var r=n(7294),a=n(6550),o=n(8790),i=n(143),s=n(8596),l=n(7392),c=n(298),u=n(3797),d=n(4731);function p(e){return"link"!==e.type||e.unlisted?"category"===e.type?function(e){if(e.href&&!e.linkUnlisted)return e.href;for(const t of e.items){const e=p(t);if(e)return e}}(e):void 0:e.href}function f(){const{pathname:e}=(0,a.TH)(),t=(0,d.V)();if(!t)throw new Error("Unexpected: cant find current sidebar in context");const n=v({sidebarItems:t.items,pathname:e,onlyCategories:!0}).slice(-1)[0];if(!n)throw new Error(`${e} is not associated with a category. useCurrentSidebarCategory() should only be used on category index pages.`);return n}const h=(e,t)=>void 0!==e&&(0,s.Mg)(e,t),m=(e,t)=>e.some((e=>g(e,t)));function g(e,t){return"link"===e.type?h(e.href,t):"category"===e.type&&(h(e.href,t)||m(e.items,t))}function y(e,t){switch(e.type){case"category":return g(e,t)||e.items.some((e=>y(e,t)));case"link":return!e.unlisted||g(e,t);default:return!0}}function b(e,t){return(0,r.useMemo)((()=>e.filter((e=>y(e,t)))),[e,t])}function v(e){let{sidebarItems:t,pathname:n,onlyCategories:r=!1}=e;const a=[];return function e(t){for(const o of t)if("category"===o.type&&((0,s.Mg)(o.href,n)||e(o.items))||"link"===o.type&&(0,s.Mg)(o.href,n)){return r&&"category"!==o.type||a.unshift(o),!0}return!1}(t),a}function w(){const e=(0,d.V)(),{pathname:t}=(0,a.TH)(),n=(0,i.gA)()?.pluginData.breadcrumbs;return!1!==n&&e?v({sidebarItems:e.items,pathname:t}):null}function k(e){const{activeVersion:t}=(0,i.Iw)(e),{preferredVersion:n}=(0,c.J)(e),a=(0,i.yW)(e);return(0,r.useMemo)((()=>(0,l.jj)([t,n,a].filter(Boolean))),[t,n,a])}function x(e,t){const n=k(t);return(0,r.useMemo)((()=>{const t=n.flatMap((e=>e.sidebars?Object.entries(e.sidebars):[])),r=t.find((t=>t[0]===e));if(!r)throw new Error(`Can't find any sidebar with id "${e}" in version${n.length>1?"s":""} ${n.map((e=>e.name)).join(", ")}".\nAvailable sidebar ids are:\n- ${t.map((e=>e[0])).join("\n- ")}`);return r[1]}),[e,n])}function S(e,t){const n=k(t);return(0,r.useMemo)((()=>{const t=n.flatMap((e=>e.docs)),r=t.find((t=>t.id===e));if(!r){if(n.flatMap((e=>e.draftIds)).includes(e))return null;throw new Error(`Couldn't find any doc with id "${e}" in version${n.length>1?"s":""} "${n.map((e=>e.name)).join(", ")}".\nAvailable doc ids are:\n- ${(0,l.jj)(t.map((e=>e.id))).join("\n- ")}`)}return r}),[e,n])}function E(e){let{route:t}=e;const n=(0,a.TH)(),r=(0,u.E)(),i=t.routes,s=i.find((e=>(0,a.LX)(n.pathname,e)));if(!s)return null;const l=s.sidebar,c=l?r.docsSidebars[l]:void 0;return{docElement:(0,o.H)(i),sidebarName:l,sidebarItems:c}}function _(e){return e.filter((e=>!("category"===e.type||"link"===e.type)||!!p(e)))}},3797:(e,t,n)=>{"use strict";n.d(t,{E:()=>l,q:()=>s});var r=n(7294),a=n(902),o=n(5893);const i=r.createContext(null);function s(e){let{children:t,version:n}=e;return(0,o.jsx)(i.Provider,{value:n,children:t})}function l(){const e=(0,r.useContext)(i);if(null===e)throw new a.i6("DocsVersionProvider");return e}},143:(e,t,n)=>{"use strict";n.d(t,{MN:()=>c.MN,Iw:()=>y,gA:()=>h,_r:()=>p,jA:()=>c.jA,Jo:()=>b,zh:()=>f,J:()=>u.J,yW:()=>g,gB:()=>m});var r=n(6550),a=n(2263),o=n(9935);function i(e,t){void 0===t&&(t={});const n=function(){const{globalData:e}=(0,a.Z)();return e}()[e];if(!n&&t.failfast)throw new Error(`Docusaurus plugin global data not found for "${e}" plugin.`);return n}const s=e=>e.versions.find((e=>e.isLast));function l(e,t){const n=function(e,t){return[...e.versions].sort(((e,t)=>e.path===t.path?0:e.path.includes(t.path)?-1:t.path.includes(e.path)?1:0)).find((e=>!!(0,r.LX)(t,{path:e.path,exact:!1,strict:!1})))}(e,t),a=n?.docs.find((e=>!!(0,r.LX)(t,{path:e.path,exact:!0,strict:!1})));return{activeVersion:n,activeDoc:a,alternateDocVersions:a?function(t){const n={};return e.versions.forEach((e=>{e.docs.forEach((r=>{r.id===t&&(n[e.name]=r)}))})),n}(a.id):{}}}var c=n(9690),u=n(298);const d={},p=()=>i("docusaurus-plugin-content-docs")??d,f=e=>{try{return function(e,t,n){void 0===t&&(t=o.m),void 0===n&&(n={});const r=i(e),a=r?.[t];if(!a&&n.failfast)throw new Error(`Docusaurus plugin global data not found for "${e}" plugin with id "${t}".`);return a}("docusaurus-plugin-content-docs",e,{failfast:!0})}catch(t){throw new Error("You are using a feature of the Docusaurus docs plugin, but this plugin does not seem to be enabled"+("Default"===e?"":` (pluginId=${e}`),{cause:t})}};function h(e){void 0===e&&(e={});const t=p(),{pathname:n}=(0,r.TH)();return function(e,t,n){void 0===n&&(n={});const a=Object.entries(e).sort(((e,t)=>t[1].path.localeCompare(e[1].path))).find((e=>{let[,n]=e;return!!(0,r.LX)(t,{path:n.path,exact:!1,strict:!1})})),o=a?{pluginId:a[0],pluginData:a[1]}:void 0;if(!o&&n.failfast)throw new Error(`Can't find active docs plugin for "${t}" pathname, while it was expected to be found. Maybe you tried to use a docs feature that can only be used on a docs-related page? Existing docs plugin paths are: ${Object.values(e).map((e=>e.path)).join(", ")}`);return o}(t,n,e)}function m(e){return f(e).versions}function g(e){const t=f(e);return s(t)}function y(e){const t=f(e),{pathname:n}=(0,r.TH)();return l(t,n)}function b(e){const t=f(e),{pathname:n}=(0,r.TH)();return function(e,t){const n=s(e);return{latestDocSuggestion:l(e,t).alternateDocVersions[n.name],latestVersionSuggestion:n}}(t,n)}},8320:(e,t,n)=>{"use strict";n.r(t),n.d(t,{default:()=>o});var r=n(4865),a=n.n(r);a().configure({showSpinner:!1});const o={onRouteUpdate(e){let{location:t,previousLocation:n}=e;if(n&&t.pathname!==n.pathname){const e=window.setTimeout((()=>{a().start()}),200);return()=>window.clearTimeout(e)}},onRouteDidUpdate(){a().done()}}},3310:(e,t,n)=>{"use strict";n.r(t);var r=n(2573),a=n(6809);!function(e){const{themeConfig:{prism:t}}=a.default,{additionalLanguages:r}=t;globalThis.Prism=e,r.forEach((e=>{"php"===e&&n(6854),n(6726)(`./prism-${e}`)})),delete globalThis.Prism}(r.p1)},2503:(e,t,n)=>{"use strict";n.d(t,{Z:()=>u});n(7294);var r=n(512),a=n(5999),o=n(6668),i=n(3692),s=n(8138);const l={anchorWithStickyNavbar:"anchorWithStickyNavbar_LWe7",anchorWithHideOnScrollNavbar:"anchorWithHideOnScrollNavbar_WYt5"};var c=n(5893);function u(e){let{as:t,id:n,...u}=e;const d=(0,s.Z)(),{navbar:{hideOnScroll:p}}=(0,o.L)();if("h1"===t||!n)return(0,c.jsx)(t,{...u,id:void 0});d.collectAnchor(n);const f=(0,a.I)({id:"theme.common.headingLinkTitle",message:"Direct link to {heading}",description:"Title for link to heading"},{heading:"string"==typeof u.children?u.children:n});return(0,c.jsxs)(t,{...u,className:(0,r.Z)("anchor",p?l.anchorWithHideOnScrollNavbar:l.anchorWithStickyNavbar,u.className),id:n,children:[u.children,(0,c.jsx)(i.Z,{className:"hash-link",to:`#${n}`,"aria-label":f,title:f,children:"\u200b"})]})}},9471:(e,t,n)=>{"use strict";n.d(t,{Z:()=>o});n(7294);const r={iconExternalLink:"iconExternalLink_nPIU"};var a=n(5893);function o(e){let{width:t=13.5,height:n=13.5}=e;return(0,a.jsx)("svg",{width:t,height:n,"aria-hidden":"true",viewBox:"0 0 24 24",className:r.iconExternalLink,children:(0,a.jsx)("path",{fill:"currentColor",d:"M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"})})}},8947:(e,t,n)=>{"use strict";n.d(t,{Z:()=>Pt});var r=n(7294),a=n(512),o=n(4763),i=n(1944),s=n(6550),l=n(5999),c=n(5936),u=n(5893);const d="__docusaurus_skipToContent_fallback";function p(e){e.setAttribute("tabindex","-1"),e.focus(),e.removeAttribute("tabindex")}function f(){const e=(0,r.useRef)(null),{action:t}=(0,s.k6)(),n=(0,r.useCallback)((e=>{e.preventDefault();const t=document.querySelector("main:first-of-type")??document.getElementById(d);t&&p(t)}),[]);return(0,c.S)((n=>{let{location:r}=n;e.current&&!r.hash&&"PUSH"===t&&p(e.current)})),{containerRef:e,onClick:n}}const h=(0,l.I)({id:"theme.common.skipToMainContent",description:"The skip to content label used for accessibility, allowing to rapidly navigate to main content with keyboard tab/enter navigation",message:"Skip to main content"});function m(e){const t=e.children??h,{containerRef:n,onClick:r}=f();return(0,u.jsx)("div",{ref:n,role:"region","aria-label":h,children:(0,u.jsx)("a",{...e,href:`#${d}`,onClick:r,children:t})})}var g=n(5281),y=n(9727);const b={skipToContent:"skipToContent_fXgn"};function v(){return(0,u.jsx)(m,{className:b.skipToContent})}var w=n(6668),k=n(9689);function x(e){let{width:t=21,height:n=21,color:r="currentColor",strokeWidth:a=1.2,className:o,...i}=e;return(0,u.jsx)("svg",{viewBox:"0 0 15 15",width:t,height:n,...i,children:(0,u.jsx)("g",{stroke:r,strokeWidth:a,children:(0,u.jsx)("path",{d:"M.75.75l13.5 13.5M14.25.75L.75 14.25"})})})}const S={closeButton:"closeButton_CVFx"};function E(e){return(0,u.jsx)("button",{type:"button","aria-label":(0,l.I)({id:"theme.AnnouncementBar.closeButtonAriaLabel",message:"Close",description:"The ARIA label for close button of announcement bar"}),...e,className:(0,a.Z)("clean-btn close",S.closeButton,e.className),children:(0,u.jsx)(x,{width:14,height:14,strokeWidth:3.1})})}const _={content:"content_knG7"};function C(e){const{announcementBar:t}=(0,w.L)(),{content:n}=t;return(0,u.jsx)("div",{...e,className:(0,a.Z)(_.content,e.className),dangerouslySetInnerHTML:{__html:n}})}const T={announcementBar:"announcementBar_mb4j",announcementBarPlaceholder:"announcementBarPlaceholder_vyr4",announcementBarClose:"announcementBarClose_gvF7",announcementBarContent:"announcementBarContent_xLdY"};function j(){const{announcementBar:e}=(0,w.L)(),{isActive:t,close:n}=(0,k.n)();if(!t)return null;const{backgroundColor:r,textColor:a,isCloseable:o}=e;return(0,u.jsxs)("div",{className:T.announcementBar,style:{backgroundColor:r,color:a},role:"banner",children:[o&&(0,u.jsx)("div",{className:T.announcementBarPlaceholder}),(0,u.jsx)(C,{className:T.announcementBarContent}),o&&(0,u.jsx)(E,{onClick:n,className:T.announcementBarClose})]})}var L=n(3163),R=n(2466);var N=n(902),P=n(3102);const A=r.createContext(null);function O(e){let{children:t}=e;const n=function(){const e=(0,L.e)(),t=(0,P.HY)(),[n,a]=(0,r.useState)(!1),o=null!==t.component,i=(0,N.D9)(o);return(0,r.useEffect)((()=>{o&&!i&&a(!0)}),[o,i]),(0,r.useEffect)((()=>{o?e.shown||a(!0):a(!1)}),[e.shown,o]),(0,r.useMemo)((()=>[n,a]),[n])}();return(0,u.jsx)(A.Provider,{value:n,children:t})}function I(e){if(e.component){const t=e.component;return(0,u.jsx)(t,{...e.props})}}function D(){const e=(0,r.useContext)(A);if(!e)throw new N.i6("NavbarSecondaryMenuDisplayProvider");const[t,n]=e,a=(0,r.useCallback)((()=>n(!1)),[n]),o=(0,P.HY)();return(0,r.useMemo)((()=>({shown:t,hide:a,content:I(o)})),[a,o,t])}function F(e){let{header:t,primaryMenu:n,secondaryMenu:r}=e;const{shown:o}=D();return(0,u.jsxs)("div",{className:"navbar-sidebar",children:[t,(0,u.jsxs)("div",{className:(0,a.Z)("navbar-sidebar__items",{"navbar-sidebar__items--show-secondary":o}),children:[(0,u.jsx)("div",{className:"navbar-sidebar__item menu",children:n}),(0,u.jsx)("div",{className:"navbar-sidebar__item menu",children:r})]})]})}var M=n(2949),z=n(2389);function B(e){return(0,u.jsx)("svg",{viewBox:"0 0 24 24",width:24,height:24,...e,children:(0,u.jsx)("path",{fill:"currentColor",d:"M12,9c1.65,0,3,1.35,3,3s-1.35,3-3,3s-3-1.35-3-3S10.35,9,12,9 M12,7c-2.76,0-5,2.24-5,5s2.24,5,5,5s5-2.24,5-5 S14.76,7,12,7L12,7z M2,13l2,0c0.55,0,1-0.45,1-1s-0.45-1-1-1l-2,0c-0.55,0-1,0.45-1,1S1.45,13,2,13z M20,13l2,0c0.55,0,1-0.45,1-1 s-0.45-1-1-1l-2,0c-0.55,0-1,0.45-1,1S19.45,13,20,13z M11,2v2c0,0.55,0.45,1,1,1s1-0.45,1-1V2c0-0.55-0.45-1-1-1S11,1.45,11,2z M11,20v2c0,0.55,0.45,1,1,1s1-0.45,1-1v-2c0-0.55-0.45-1-1-1C11.45,19,11,19.45,11,20z M5.99,4.58c-0.39-0.39-1.03-0.39-1.41,0 c-0.39,0.39-0.39,1.03,0,1.41l1.06,1.06c0.39,0.39,1.03,0.39,1.41,0s0.39-1.03,0-1.41L5.99,4.58z M18.36,16.95 c-0.39-0.39-1.03-0.39-1.41,0c-0.39,0.39-0.39,1.03,0,1.41l1.06,1.06c0.39,0.39,1.03,0.39,1.41,0c0.39-0.39,0.39-1.03,0-1.41 L18.36,16.95z M19.42,5.99c0.39-0.39,0.39-1.03,0-1.41c-0.39-0.39-1.03-0.39-1.41,0l-1.06,1.06c-0.39,0.39-0.39,1.03,0,1.41 s1.03,0.39,1.41,0L19.42,5.99z M7.05,18.36c0.39-0.39,0.39-1.03,0-1.41c-0.39-0.39-1.03-0.39-1.41,0l-1.06,1.06 c-0.39,0.39-0.39,1.03,0,1.41s1.03,0.39,1.41,0L7.05,18.36z"})})}function $(e){return(0,u.jsx)("svg",{viewBox:"0 0 24 24",width:24,height:24,...e,children:(0,u.jsx)("path",{fill:"currentColor",d:"M9.37,5.51C9.19,6.15,9.1,6.82,9.1,7.5c0,4.08,3.32,7.4,7.4,7.4c0.68,0,1.35-0.09,1.99-0.27C17.45,17.19,14.93,19,12,19 c-3.86,0-7-3.14-7-7C5,9.07,6.81,6.55,9.37,5.51z M12,3c-4.97,0-9,4.03-9,9s4.03,9,9,9s9-4.03,9-9c0-0.46-0.04-0.92-0.1-1.36 c-0.98,1.37-2.58,2.26-4.4,2.26c-2.98,0-5.4-2.42-5.4-5.4c0-1.81,0.89-3.42,2.26-4.4C12.92,3.04,12.46,3,12,3L12,3z"})})}const U={toggle:"toggle_vylO",toggleButton:"toggleButton_gllP",darkToggleIcon:"darkToggleIcon_wfgR",lightToggleIcon:"lightToggleIcon_pyhR",toggleButtonDisabled:"toggleButtonDisabled_aARS"};function q(e){let{className:t,buttonClassName:n,value:r,onChange:o}=e;const i=(0,z.Z)(),s=(0,l.I)({message:"Switch between dark and light mode (currently {mode})",id:"theme.colorToggle.ariaLabel",description:"The ARIA label for the navbar color mode toggle"},{mode:"dark"===r?(0,l.I)({message:"dark mode",id:"theme.colorToggle.ariaLabel.mode.dark",description:"The name for the dark color mode"}):(0,l.I)({message:"light mode",id:"theme.colorToggle.ariaLabel.mode.light",description:"The name for the light color mode"})});return(0,u.jsx)("div",{className:(0,a.Z)(U.toggle,t),children:(0,u.jsxs)("button",{className:(0,a.Z)("clean-btn",U.toggleButton,!i&&U.toggleButtonDisabled,n),type:"button",onClick:()=>o("dark"===r?"light":"dark"),disabled:!i,title:s,"aria-label":s,"aria-live":"polite",children:[(0,u.jsx)(B,{className:(0,a.Z)(U.toggleIcon,U.lightToggleIcon)}),(0,u.jsx)($,{className:(0,a.Z)(U.toggleIcon,U.darkToggleIcon)})]})})}const H=r.memo(q),Q={darkNavbarColorModeToggle:"darkNavbarColorModeToggle_X3D1"};function Z(e){let{className:t}=e;const n=(0,w.L)().navbar.style,r=(0,w.L)().colorMode.disableSwitch,{colorMode:a,setColorMode:o}=(0,M.I)();return r?null:(0,u.jsx)(H,{className:t,buttonClassName:"dark"===n?Q.darkNavbarColorModeToggle:void 0,value:a,onChange:o})}var V=n(1327);function W(){return(0,u.jsx)(V.Z,{className:"navbar__brand",imageClassName:"navbar__logo",titleClassName:"navbar__title text--truncate"})}function G(){const e=(0,L.e)();return(0,u.jsx)("button",{type:"button","aria-label":(0,l.I)({id:"theme.docs.sidebar.closeSidebarButtonAriaLabel",message:"Close navigation bar",description:"The ARIA label for close button of mobile sidebar"}),className:"clean-btn navbar-sidebar__close",onClick:()=>e.toggle(),children:(0,u.jsx)(x,{color:"var(--ifm-color-emphasis-600)"})})}function X(){return(0,u.jsxs)("div",{className:"navbar-sidebar__brand",children:[(0,u.jsx)(W,{}),(0,u.jsx)("a",{href:"https://github.com/k3s-io/k3s",target:"_blank",rel:"noopener noreferrer",className:"margin-right--md header-github-link"}),(0,u.jsx)(Z,{className:"margin-right--md"}),(0,u.jsx)(G,{})]})}var K=n(3692),Y=n(4996),J=n(3919);function ee(e,t){return void 0!==e&&void 0!==t&&new RegExp(e,"gi").test(t)}var te=n(9471);function ne(e){let{activeBasePath:t,activeBaseRegex:n,to:r,href:a,label:o,html:i,isDropdownLink:s,prependBaseUrlToHref:l,...c}=e;const d=(0,Y.ZP)(r),p=(0,Y.ZP)(t),f=(0,Y.ZP)(a,{forcePrependBaseUrl:!0}),h=o&&a&&!(0,J.Z)(a),m=i?{dangerouslySetInnerHTML:{__html:i}}:{children:(0,u.jsxs)(u.Fragment,{children:[o,h&&(0,u.jsx)(te.Z,{...s&&{width:12,height:12}})]})};return a?(0,u.jsx)(K.Z,{href:l?f:a,...c,...m}):(0,u.jsx)(K.Z,{to:d,isNavLink:!0,...(t||n)&&{isActive:(e,t)=>n?ee(n,t.pathname):t.pathname.startsWith(p)},...c,...m})}function re(e){let{className:t,isDropdownItem:n=!1,...r}=e;const o=(0,u.jsx)(ne,{className:(0,a.Z)(n?"dropdown__link":"navbar__item navbar__link",t),isDropdownLink:n,...r});return n?(0,u.jsx)("li",{children:o}):o}function ae(e){let{className:t,isDropdownItem:n,...r}=e;return(0,u.jsx)("li",{className:"menu__list-item",children:(0,u.jsx)(ne,{className:(0,a.Z)("menu__link",t),...r})})}function oe(e){let{mobile:t=!1,position:n,...r}=e;const a=t?ae:re;return(0,u.jsx)(a,{...r,activeClassName:r.activeClassName??(t?"menu__link--active":"navbar__link--active")})}var ie=n(6043),se=n(8596),le=n(2263);const ce={dropdownNavbarItemMobile:"dropdownNavbarItemMobile_S0Fm"};function ue(e,t){return e.some((e=>function(e,t){return!!(0,se.Mg)(e.to,t)||!!ee(e.activeBaseRegex,t)||!(!e.activeBasePath||!t.startsWith(e.activeBasePath))}(e,t)))}function de(e){let{items:t,position:n,className:o,onClick:i,...s}=e;const l=(0,r.useRef)(null),[c,d]=(0,r.useState)(!1);return(0,r.useEffect)((()=>{const e=e=>{l.current&&!l.current.contains(e.target)&&d(!1)};return document.addEventListener("mousedown",e),document.addEventListener("touchstart",e),document.addEventListener("focusin",e),()=>{document.removeEventListener("mousedown",e),document.removeEventListener("touchstart",e),document.removeEventListener("focusin",e)}}),[l]),(0,u.jsxs)("div",{ref:l,className:(0,a.Z)("navbar__item","dropdown","dropdown--hoverable",{"dropdown--right":"right"===n,"dropdown--show":c}),children:[(0,u.jsx)(ne,{"aria-haspopup":"true","aria-expanded":c,role:"button",href:s.to?void 0:"#",className:(0,a.Z)("navbar__link",o),...s,onClick:s.to?void 0:e=>e.preventDefault(),onKeyDown:e=>{"Enter"===e.key&&(e.preventDefault(),d(!c))},children:s.children??s.label}),(0,u.jsx)("ul",{className:"dropdown__menu",children:t.map(((e,t)=>(0,r.createElement)(We,{isDropdownItem:!0,activeClassName:"dropdown__link--active",...e,key:t})))})]})}function pe(e){let{items:t,className:n,position:o,onClick:i,...l}=e;const c=function(){const{siteConfig:{baseUrl:e}}=(0,le.Z)(),{pathname:t}=(0,s.TH)();return t.replace(e,"/")}(),d=ue(t,c),{collapsed:p,toggleCollapsed:f,setCollapsed:h}=(0,ie.u)({initialState:()=>!d});return(0,r.useEffect)((()=>{d&&h(!d)}),[c,d,h]),(0,u.jsxs)("li",{className:(0,a.Z)("menu__list-item",{"menu__list-item--collapsed":p}),children:[(0,u.jsx)(ne,{role:"button",className:(0,a.Z)(ce.dropdownNavbarItemMobile,"menu__link menu__link--sublist menu__link--sublist-caret",n),...l,onClick:e=>{e.preventDefault(),f()},children:l.children??l.label}),(0,u.jsx)(ie.z,{lazy:!0,as:"ul",className:"menu__list",collapsed:p,children:t.map(((e,t)=>(0,r.createElement)(We,{mobile:!0,isDropdownItem:!0,onClick:i,activeClassName:"menu__link--active",...e,key:t})))})]})}function fe(e){let{mobile:t=!1,...n}=e;const r=t?pe:de;return(0,u.jsx)(r,{...n})}var he=n(4711);function me(e){let{width:t=20,height:n=20,...r}=e;return(0,u.jsx)("svg",{viewBox:"0 0 24 24",width:t,height:n,"aria-hidden":!0,...r,children:(0,u.jsx)("path",{fill:"currentColor",d:"M12.87 15.07l-2.54-2.51.03-.03c1.74-1.94 2.98-4.17 3.71-6.53H17V4h-7V2H8v2H1v1.99h11.17C11.5 7.92 10.44 9.75 9 11.35 8.07 10.32 7.3 9.19 6.69 8h-2c.73 1.63 1.73 3.17 2.98 4.56l-5.09 5.02L4 19l5-5 3.11 3.11.76-2.04zM18.5 10h-2L12 22h2l1.12-3h4.75L21 22h2l-4.5-12zm-2.62 7l1.62-4.33L19.12 17h-3.24z"})})}const ge="iconLanguage_nlXk";var ye=n(1029),be=n(1728);var ve=n(143),we=n(22),ke=n(8202),xe=n(3545),Se=n(3926),Ee=n(1073),_e=n(2539),Ce=n(726);const Te='<svg width="20" height="20" viewBox="0 0 20 20"><path d="M17 6v12c0 .52-.2 1-1 1H4c-.7 0-1-.33-1-1V2c0-.55.42-1 1-1h8l5 5zM14 8h-3.13c-.51 0-.87-.34-.87-.87V4" stroke="currentColor" fill="none" fill-rule="evenodd" stroke-linejoin="round"></path></svg>',je='<svg width="20" height="20" viewBox="0 0 20 20"><path d="M13 13h4-4V8H7v5h6v4-4H7V8H3h4V3v5h6V3v5h4-4v5zm-6 0v4-4H3h4z" stroke="currentColor" fill="none" fill-rule="evenodd" stroke-linecap="round" stroke-linejoin="round"></path></svg>',Le='<svg width="20" height="20" viewBox="0 0 20 20"><path d="M17 5H3h14zm0 5H3h14zm0 5H3h14z" stroke="currentColor" fill="none" fill-rule="evenodd" stroke-linejoin="round"></path></svg>',Re='<svg width="20" height="20" viewBox="0 0 20 20"><g stroke="currentColor" fill="none" fill-rule="evenodd" stroke-linecap="round" stroke-linejoin="round"><path d="M18 3v4c0 2-2 4-4 4H2"></path><path d="M8 17l-6-6 6-6"></path></g></svg>',Ne='<svg width="40" height="40" viewBox="0 0 20 20" fill="none" fill-rule="evenodd" stroke="currentColor" stroke-linecap="round" stroke-linejoin="round"><path d="M15.5 4.8c2 3 1.7 7-1 9.7h0l4.3 4.3-4.3-4.3a7.8 7.8 0 01-9.8 1m-2.2-2.2A7.8 7.8 0 0113.2 2.4M2 18L18 2"></path></svg>',Pe='<svg viewBox="0 0 24 54"><g stroke="currentColor" fill="none" fill-rule="evenodd" stroke-linecap="round" stroke-linejoin="round"><path d="M8 6v42M20 27H8.3"></path></g></svg>',Ae='<svg viewBox="0 0 24 54"><g stroke="currentColor" fill="none" fill-rule="evenodd" stroke-linecap="round" stroke-linejoin="round"><path d="M8 6v21M20 27H8.3"></path></g></svg>',Oe={searchBar:"searchBar_RVTs",dropdownMenu:"dropdownMenu_qbY6",searchBarLeft:"searchBarLeft_MXDe",suggestion:"suggestion_fB_2",cursor:"cursor_eG29",hitTree:"hitTree_kk6K",hitIcon:"hitIcon_a7Zy",hitPath:"hitPath_ieM4",noResultsIcon:"noResultsIcon_EBY5",hitFooter:"hitFooter_E9YW",hitWrapper:"hitWrapper_sAK8",hitTitle:"hitTitle_vyVt",hitAction:"hitAction_NqkB",hideAction:"hideAction_vcyE",noResults:"noResults_l6Q3",searchBarContainer:"searchBarContainer_NW3z",searchBarLoadingRing:"searchBarLoadingRing_YnHq",searchClearButton:"searchClearButton_qk4g",searchIndexLoading:"searchIndexLoading_EJ1f",searchHintContainer:"searchHintContainer_Pkmr",searchHint:"searchHint_iIMx",focused:"focused_OWtg",input:"input_FOTf",hint:"hint_URu1",suggestions:"suggestions_X8XU",dataset:"dataset_QiCy",empty:"empty_eITn"};function Ie(e){let{document:t,type:n,page:r,metadata:a,tokens:o,isInterOfTree:i,isLastOfTree:s}=e;const l=n===xe.P.Title,c=n===xe.P.Keywords,u=l||c,d=n===xe.P.Heading,p=[];i?p.push(Pe):s&&p.push(Ae);const f=p.map((e=>`<span class="${Oe.hitTree}">${e}</span>`)),h=`<span class="${Oe.hitIcon}">${u?Te:d?je:Le}</span>`,m=[`<span class="${Oe.hitTitle}">${c?(0,_e.C)(t.s,o):(0,Ce.o)(t.t,(0,Ee.m)(a,"t"),o)}</span>`];if(!i&&!s&&ye.H6){const e=r?r.b?.concat(r.t).concat(t.s&&t.s!==r.t?t.s:[]):t.b;m.push(`<span class="${Oe.hitPath}">${(0,Se.e)(e??[])}</span>`)}else u||m.push(`<span class="${Oe.hitPath}">${(0,_e.C)(r.t||(t.u.startsWith("/docs/api-reference/")?"API Reference":""),o)}</span>`);const g=`<span class="${Oe.hitAction}">${Re}</span>`;return[...f,h,`<span class="${Oe.hitWrapper}">`,...m,"</span>",g].join("")}function De(){return`<span class="${Oe.noResults}"><span class="${Oe.noResultsIcon}">${Ne}</span><span>${(0,l.I)({id:"theme.SearchBar.noResultsText",message:"No results"})}</span></span>`}var Fe=n(311),Me=n(51);async function ze(){const e=await Promise.all([n.e(8443),n.e(5525)]).then(n.t.bind(n,8443,23)),t=e.default;return t.noConflict?t.noConflict():e.noConflict&&e.noConflict(),t}const Be="_highlight";const $e=function(e){let{handleSearchBarToggle:t}=e;const a=(0,z.Z)(),{siteConfig:{baseUrl:o},i18n:{currentLocale:i}}=(0,le.Z)(),c=(0,ve.gA)();let d=o;try{const{preferredVersion:e}=function(){return n(143).J(...arguments)}(c?.pluginId??ye.gQ);e&&!e.isLast&&(d=e.path+"/")}catch(M){if(ye.l9&&!(M instanceof N.i6))throw M}const p=(0,s.k6)(),f=(0,s.TH)(),h=(0,r.useRef)(null),m=(0,r.useRef)(new Map),g=(0,r.useRef)(!1),[y,b]=(0,r.useState)(!1),[v,w]=(0,r.useState)(!1),[k,x]=(0,r.useState)(""),S=(0,r.useRef)(null),E=(0,r.useRef)(""),[_,C]=(0,r.useState)("");(0,r.useEffect)((()=>{if(!Array.isArray(ye.Kc))return;let e="";if(f.pathname.startsWith(d)){const t=f.pathname.substring(d.length);let n;for(const e of ye.Kc){const r="string"==typeof e?e:e.path;if(t===r||t.startsWith(`${r}/`)){n=r;break}}n&&(e=n)}E.current!==e&&(m.current.delete(e),E.current=e),C(e)}),[f.pathname,d]);const T=!!ye.hG&&Array.isArray(ye.Kc)&&""===_,j=(0,r.useCallback)((async()=>{if(T||m.current.get(_))return;m.current.set(_,"loading"),S.current?.autocomplete.destroy(),b(!0);const[{wrappedIndexes:e,zhDictionary:t},n]=await Promise.all([(0,we.w)(d,_),ze()]);if(S.current=n(h.current,{hint:!1,autoselect:!0,openOnFocus:!0,cssClasses:{root:(0,be.Z)(Oe.searchBar,{[Oe.searchBarLeft]:"left"===ye.pu}),noPrefix:!0,dropdownMenu:Oe.dropdownMenu,input:Oe.input,hint:Oe.hint,suggestions:Oe.suggestions,suggestion:Oe.suggestion,cursor:Oe.cursor,dataset:Oe.dataset,empty:Oe.empty}},[{source:(0,ke.v)(e,t,ye.qo),templates:{suggestion:Ie,empty:De,footer:e=>{let{query:t,isEmpty:n}=e;if(n&&(!_||!ye.pQ))return;const r=(e=>{let{query:t,isEmpty:n}=e;const r=document.createElement("a"),a=new URLSearchParams;let s;if(a.set("q",t),_){const e=_&&Array.isArray(ye.Kc)?ye.Kc.find((e=>"string"==typeof e?e===_:e.path===_)):_,t=e?(0,Me._)(e,i).label:_;s=ye.pQ&&n?(0,l.I)({id:"theme.SearchBar.seeAllOutsideContext",message:'See all results outside "{context}"'},{context:t}):(0,l.I)({id:"theme.SearchBar.searchInContext",message:'See all results within "{context}"'},{context:t})}else s=(0,l.I)({id:"theme.SearchBar.seeAll",message:"See all results"});if(!_||!Array.isArray(ye.Kc)||ye.pQ&&n||a.set("ctx",_),d!==o){if(!d.startsWith(o))throw new Error(`Version url '${d}' does not start with base url '${o}', this is a bug of \`@easyops-cn/docusaurus-search-local\`, please report it.`);a.set("version",d.substring(o.length))}const c=`${o}search/?${a.toString()}`;return r.href=c,r.textContent=s,r.addEventListener("click",(e=>{e.ctrlKey||e.metaKey||(e.preventDefault(),S.current?.autocomplete.close(),p.push(c))})),r})({query:t,isEmpty:n}),a=document.createElement("div");return a.className=Oe.hitFooter,a.appendChild(r),a}}}]).on("autocomplete:selected",(function(e,t){let{document:{u:n,h:r},tokens:a}=t;h.current?.blur();let o=n;if(ye.vc&&a.length>0){const e=new URLSearchParams;for(const t of a)e.append(Be,t);o+=`?${e.toString()}`}r&&(o+=r),p.push(o)})).on("autocomplete:closed",(()=>{h.current?.blur()})),m.current.set(_,"done"),b(!1),g.current){const e=h.current;e.value&&S.current?.autocomplete.open(),e.focus()}}),[T,_,d,o,p]);(0,r.useEffect)((()=>{if(!ye.vc)return;const e=a?new URLSearchParams(f.search).getAll(Be):[];setTimeout((()=>{const t=document.querySelector("article");if(!t)return;const n=new ye.vc(t);n.unmark(),0!==e.length&&n.mark(e),x(e.join(" ")),S.current?.autocomplete.setVal(e.join(" "))}))}),[a,f.search,f.pathname]);const[L,R]=(0,r.useState)(!1),P=(0,r.useCallback)((()=>{g.current=!0,j(),R(!0),t?.(!0)}),[t,j]),A=(0,r.useCallback)((()=>{R(!1),t?.(!1)}),[t]),O=(0,r.useCallback)((()=>{j()}),[j]),I=(0,r.useCallback)((e=>{x(e.target.value),e.target.value&&w(!0)}),[]),D=!!a&&/mac/i.test(navigator.userAgentData?.platform??navigator.platform);(0,r.useEffect)((()=>{if(!ye.AY)return;const e=e=>{!(D?e.metaKey:e.ctrlKey)||"k"!==e.key&&"K"!==e.key||(e.preventDefault(),h.current?.focus(),P())};return document.addEventListener("keydown",e),()=>{document.removeEventListener("keydown",e)}}),[D,P]);const F=(0,r.useCallback)((()=>{const e=new URLSearchParams(f.search);e.delete(Be);const t=e.toString(),n=f.pathname+(""!=t?`?${t}`:"")+f.hash;n!=f.pathname+f.search+f.hash&&p.push(n),x(""),S.current?.autocomplete.setVal("")}),[f.pathname,f.search,f.hash,p]);return(0,u.jsxs)("div",{className:(0,be.Z)("navbar__search",Oe.searchBarContainer,{[Oe.searchIndexLoading]:y&&v,[Oe.focused]:L}),hidden:T,dir:"ltr",children:[(0,u.jsx)("input",{placeholder:(0,l.I)({id:"theme.SearchBar.label",message:"Search",description:"The ARIA label and placeholder for search button"}),"aria-label":"Search",className:"navbar__search-input",onMouseEnter:O,onFocus:P,onBlur:A,onChange:I,ref:h,value:k}),(0,u.jsx)(Fe.Z,{className:Oe.searchBarLoadingRing}),ye.AY&&ye.t_&&(""!==k?(0,u.jsx)("button",{className:Oe.searchClearButton,onClick:F,children:"\u2715"}):a&&(0,u.jsxs)("div",{className:Oe.searchHintContainer,children:[(0,u.jsx)("kbd",{className:Oe.searchHint,children:D?"\u2318":"ctrl"}),(0,u.jsx)("kbd",{className:Oe.searchHint,children:"K"})]}))]})},Ue={navbarSearchContainer:"navbarSearchContainer_Bca1"};function qe(e){let{children:t,className:n}=e;return(0,u.jsx)("div",{className:(0,a.Z)(n,Ue.navbarSearchContainer),children:t})}var He=n(9690);var Qe=n(298);function Ze(e,t){return t.alternateDocVersions[e.name]??function(e){return e.docs.find((t=>t.id===e.mainDocId))}(e)}const Ve={default:oe,localeDropdown:function(e){let{mobile:t,dropdownItemsBefore:n,dropdownItemsAfter:r,queryString:a="",...o}=e;const{i18n:{currentLocale:i,locales:c,localeConfigs:d}}=(0,le.Z)(),p=(0,he.l)(),{search:f,hash:h}=(0,s.TH)(),m=[...n,...c.map((e=>{const n=`${`pathname://${p.createUrl({locale:e,fullyQualified:!1})}`}${f}${h}${a}`;return{label:d[e].label,lang:d[e].htmlLang,to:n,target:"_self",autoAddBaseUrl:!1,className:e===i?t?"menu__link--active":"dropdown__link--active":""}})),...r],g=t?(0,l.I)({message:"Languages",id:"theme.navbar.mobileLanguageDropdown.label",description:"The label for the mobile language switcher dropdown"}):d[i].label;return(0,u.jsx)(fe,{...o,mobile:t,label:(0,u.jsxs)(u.Fragment,{children:[(0,u.jsx)(me,{className:ge}),g]}),items:m})},search:function(e){let{mobile:t,className:n}=e;return t?null:(0,u.jsx)(qe,{className:n,children:(0,u.jsx)($e,{})})},dropdown:fe,html:function(e){let{value:t,className:n,mobile:r=!1,isDropdownItem:o=!1}=e;const i=o?"li":"div";return(0,u.jsx)(i,{className:(0,a.Z)({navbar__item:!r&&!o,"menu__list-item":r},n),dangerouslySetInnerHTML:{__html:t}})},doc:function(e){let{docId:t,label:n,docsPluginId:r,...a}=e;const{activeDoc:o}=(0,ve.Iw)(r),i=(0,He.vY)(t,r),s=o?.path===i?.path;return null===i||i.unlisted&&!s?null:(0,u.jsx)(oe,{exact:!0,...a,isActive:()=>s||!!o?.sidebar&&o.sidebar===i.sidebar,label:n??i.id,to:i.path})},docSidebar:function(e){let{sidebarId:t,label:n,docsPluginId:r,...a}=e;const{activeDoc:o}=(0,ve.Iw)(r),i=(0,He.oz)(t,r).link;if(!i)throw new Error(`DocSidebarNavbarItem: Sidebar with ID "${t}" doesn't have anything to be linked to.`);return(0,u.jsx)(oe,{exact:!0,...a,isActive:()=>o?.sidebar===t,label:n??i.label,to:i.path})},docsVersion:function(e){let{label:t,to:n,docsPluginId:r,...a}=e;const o=(0,He.lO)(r)[0],i=t??o.label,s=n??(e=>e.docs.find((t=>t.id===e.mainDocId)))(o).path;return(0,u.jsx)(oe,{...a,label:i,to:s})},docsVersionDropdown:function(e){let{mobile:t,docsPluginId:n,dropdownActiveClassDisabled:r,dropdownItemsBefore:a,dropdownItemsAfter:o,...i}=e;const{search:c,hash:d}=(0,s.TH)(),p=(0,ve.Iw)(n),f=(0,ve.gB)(n),{savePreferredVersionName:h}=(0,Qe.J)(n),m=[...a,...f.map((function(e){const t=Ze(e,p);return{label:e.label,to:`${t.path}${c}${d}`,isActive:()=>e===p.activeVersion,onClick:()=>h(e.name)}})),...o],g=(0,He.lO)(n)[0],y=t&&m.length>1?(0,l.I)({id:"theme.navbar.mobileVersionsDropdown.label",message:"Versions",description:"The label for the navbar versions dropdown on mobile view"}):g.label,b=t&&m.length>1?void 0:Ze(g,p).path;return m.length<=1?(0,u.jsx)(oe,{...i,mobile:t,label:y,to:b,isActive:r?()=>!1:void 0}):(0,u.jsx)(fe,{...i,mobile:t,label:y,to:b,items:m,isActive:r?()=>!1:void 0})}};function We(e){let{type:t,...n}=e;const r=function(e,t){return e&&"default"!==e?e:"items"in t?"dropdown":"default"}(t,n),a=Ve[r];if(!a)throw new Error(`No NavbarItem component found for type "${t}".`);return(0,u.jsx)(a,{...n})}function Ge(){const e=(0,L.e)(),t=(0,w.L)().navbar.items;return(0,u.jsx)("ul",{className:"menu__list",children:t.map(((t,n)=>(0,r.createElement)(We,{mobile:!0,...t,onClick:()=>e.toggle(),key:n})))})}function Xe(e){return(0,u.jsx)("button",{...e,type:"button",className:"clean-btn navbar-sidebar__back",children:(0,u.jsx)(l.Z,{id:"theme.navbar.mobileSidebarSecondaryMenu.backButtonLabel",description:"The label of the back button to return to main menu, inside the mobile navbar sidebar secondary menu (notably used to display the docs sidebar)",children:"\u2190 Back to main menu"})})}function Ke(){const e=0===(0,w.L)().navbar.items.length,t=D();return(0,u.jsxs)(u.Fragment,{children:[!e&&(0,u.jsx)(Xe,{onClick:()=>t.hide()}),t.content]})}function Ye(){const e=(0,L.e)();var t;return void 0===(t=e.shown)&&(t=!0),(0,r.useEffect)((()=>(document.body.style.overflow=t?"hidden":"visible",()=>{document.body.style.overflow="visible"})),[t]),e.shouldRender?(0,u.jsx)(F,{header:(0,u.jsx)(X,{}),primaryMenu:(0,u.jsx)(Ge,{}),secondaryMenu:(0,u.jsx)(Ke,{})}):null}const Je={navbarHideable:"navbarHideable_m1mJ",navbarHidden:"navbarHidden_jGov"};function et(e){return(0,u.jsx)("div",{role:"presentation",...e,className:(0,a.Z)("navbar-sidebar__backdrop",e.className)})}function tt(e){let{children:t}=e;const{navbar:{hideOnScroll:n,style:o}}=(0,w.L)(),i=(0,L.e)(),{navbarRef:s,isNavbarVisible:d}=function(e){const[t,n]=(0,r.useState)(e),a=(0,r.useRef)(!1),o=(0,r.useRef)(0),i=(0,r.useCallback)((e=>{null!==e&&(o.current=e.getBoundingClientRect().height)}),[]);return(0,R.RF)(((t,r)=>{let{scrollY:i}=t;if(!e)return;if(i<o.current)return void n(!0);if(a.current)return void(a.current=!1);const s=r?.scrollY,l=document.documentElement.scrollHeight-o.current,c=window.innerHeight;s&&i>=s?n(!1):i+c<l&&n(!0)})),(0,c.S)((t=>{if(!e)return;const r=t.location.hash;if(r?document.getElementById(r.substring(1)):void 0)return a.current=!0,void n(!1);n(!0)})),{navbarRef:i,isNavbarVisible:t}}(n);return(0,u.jsxs)("nav",{ref:s,"aria-label":(0,l.I)({id:"theme.NavBar.navAriaLabel",message:"Main",description:"The ARIA label for the main navigation"}),className:(0,a.Z)("navbar","navbar--fixed-top",n&&[Je.navbarHideable,!d&&Je.navbarHidden],{"navbar--dark":"dark"===o,"navbar--primary":"primary"===o,"navbar-sidebar--show":i.shown}),children:[t,(0,u.jsx)(et,{onClick:i.toggle}),(0,u.jsx)(Ye,{})]})}var nt=n(3087);const rt="right";function at(e){let{width:t=30,height:n=30,className:r,...a}=e;return(0,u.jsx)("svg",{className:r,width:t,height:n,viewBox:"0 0 30 30","aria-hidden":"true",...a,children:(0,u.jsx)("path",{stroke:"currentColor",strokeLinecap:"round",strokeMiterlimit:"10",strokeWidth:"2",d:"M4 7h22M4 15h22M4 23h22"})})}function ot(){const{toggle:e,shown:t}=(0,L.e)();return(0,u.jsx)("button",{onClick:e,"aria-label":(0,l.I)({id:"theme.docs.sidebar.toggleSidebarButtonAriaLabel",message:"Toggle navigation bar",description:"The ARIA label for hamburger menu button of mobile navigation"}),"aria-expanded":t,className:"navbar__toggle clean-btn",type:"button",children:(0,u.jsx)(at,{})})}const it={colorModeToggle:"colorModeToggle_DEke"};function st(e){let{items:t}=e;return(0,u.jsx)(u.Fragment,{children:t.map(((e,t)=>(0,u.jsx)(nt.QW,{onError:t=>new Error(`A theme navbar item failed to render.\nPlease double-check the following navbar item (themeConfig.navbar.items) of your Docusaurus config:\n${JSON.stringify(e,null,2)}`,{cause:t}),children:(0,u.jsx)(We,{...e})},t)))})}function lt(e){let{left:t,right:n}=e;return(0,u.jsxs)("div",{className:"navbar__inner",children:[(0,u.jsx)("div",{className:"navbar__items",children:t}),(0,u.jsx)("div",{className:"navbar__items navbar__items--right",children:n})]})}function ct(){const e=(0,L.e)(),t=(0,w.L)().navbar.items,[n,r]=function(e){function t(e){return"left"===(e.position??rt)}return[e.filter(t),e.filter((e=>!t(e)))]}(t),a=t.find((e=>"search"===e.type));return(0,u.jsx)(lt,{left:(0,u.jsxs)(u.Fragment,{children:[!e.disabled&&(0,u.jsx)(ot,{}),(0,u.jsx)(W,{}),(0,u.jsx)(st,{items:n})]}),right:(0,u.jsxs)(u.Fragment,{children:[(0,u.jsx)(st,{items:r}),(0,u.jsx)(Z,{className:it.colorModeToggle}),!a&&(0,u.jsx)(qe,{children:(0,u.jsx)($e,{})})]})})}function ut(){return(0,u.jsx)(tt,{children:(0,u.jsx)(ct,{})})}function dt(e){let{item:t}=e;const{to:n,href:r,label:a,prependBaseUrlToHref:o,...i}=t,s=(0,Y.ZP)(n),l=(0,Y.ZP)(r,{forcePrependBaseUrl:!0});return(0,u.jsxs)(K.Z,{className:"footer__link-item",...r?{href:o?l:r}:{to:s},...i,children:[a,r&&!(0,J.Z)(r)&&(0,u.jsx)(te.Z,{})]})}function pt(e){let{item:t}=e;return t.html?(0,u.jsx)("li",{className:"footer__item",dangerouslySetInnerHTML:{__html:t.html}}):(0,u.jsx)("li",{className:"footer__item",children:(0,u.jsx)(dt,{item:t})},t.href??t.to)}function ft(e){let{column:t}=e;return(0,u.jsxs)("div",{className:"col footer__col",children:[(0,u.jsx)("div",{className:"footer__title",children:t.title}),(0,u.jsx)("ul",{className:"footer__items clean-list",children:t.items.map(((e,t)=>(0,u.jsx)(pt,{item:e},t)))})]})}function ht(e){let{columns:t}=e;return(0,u.jsx)("div",{className:"row footer__links",children:t.map(((e,t)=>(0,u.jsx)(ft,{column:e},t)))})}function mt(){return(0,u.jsx)("span",{className:"footer__link-separator",children:"\xb7"})}function gt(e){let{item:t}=e;return t.html?(0,u.jsx)("span",{className:"footer__link-item",dangerouslySetInnerHTML:{__html:t.html}}):(0,u.jsx)(dt,{item:t})}function yt(e){let{links:t}=e;return(0,u.jsx)("div",{className:"footer__links text--center",children:(0,u.jsx)("div",{className:"footer__links",children:t.map(((e,n)=>(0,u.jsxs)(r.Fragment,{children:[(0,u.jsx)(gt,{item:e}),t.length!==n+1&&(0,u.jsx)(mt,{})]},n)))})})}function bt(e){let{links:t}=e;return function(e){return"title"in e[0]}(t)?(0,u.jsx)(ht,{columns:t}):(0,u.jsx)(yt,{links:t})}var vt=n(9965);const wt={footerLogoLink:"footerLogoLink_BH7S"};function kt(e){let{logo:t}=e;const{withBaseUrl:n}=(0,Y.Cg)(),r={light:n(t.src),dark:n(t.srcDark??t.src)};return(0,u.jsx)(vt.Z,{className:(0,a.Z)("footer__logo",t.className),alt:t.alt,sources:r,width:t.width,height:t.height,style:t.style})}function xt(e){let{logo:t}=e;return t.href?(0,u.jsx)(K.Z,{href:t.href,className:wt.footerLogoLink,target:t.target,children:(0,u.jsx)(kt,{logo:t})}):(0,u.jsx)(kt,{logo:t})}function St(e){let{copyright:t}=e;return(0,u.jsx)("div",{className:"footer__copyright",dangerouslySetInnerHTML:{__html:t}})}function Et(e){let{style:t,links:n,logo:r,copyright:o}=e;return(0,u.jsx)("footer",{className:(0,a.Z)("footer",{"footer--dark":"dark"===t}),children:(0,u.jsxs)("div",{className:"container container-fluid",children:[n,(r||o)&&(0,u.jsxs)("div",{className:"footer__bottom text--center",children:[r&&(0,u.jsx)("div",{className:"margin-bottom--sm",children:r}),o]})]})})}function _t(){const{footer:e}=(0,w.L)();if(!e)return null;const{copyright:t,links:n,logo:r,style:a}=e;return(0,u.jsx)(Et,{style:a,links:n&&n.length>0&&(0,u.jsx)(bt,{links:n}),logo:r&&(0,u.jsx)(xt,{logo:r}),copyright:t&&(0,u.jsx)(St,{copyright:t})})}const Ct=r.memo(_t),Tt=(0,N.Qc)([M.S,k.p,R.OC,Qe.L5,i.VC,function(e){let{children:t}=e;return(0,u.jsx)(P.n2,{children:(0,u.jsx)(L.M,{children:(0,u.jsx)(O,{children:t})})})}]);function jt(e){let{children:t}=e;return(0,u.jsx)(Tt,{children:t})}var Lt=n(2503);function Rt(e){let{error:t,tryAgain:n}=e;return(0,u.jsx)("main",{className:"container margin-vert--xl",children:(0,u.jsx)("div",{className:"row",children:(0,u.jsxs)("div",{className:"col col--6 col--offset-3",children:[(0,u.jsx)(Lt.Z,{as:"h1",className:"hero__title",children:(0,u.jsx)(l.Z,{id:"theme.ErrorPageContent.title",description:"The title of the fallback page when the page crashed",children:"This page crashed."})}),(0,u.jsx)("div",{className:"margin-vert--lg",children:(0,u.jsx)(nt.Cw,{onClick:n,className:"button button--primary shadow--lw"})}),(0,u.jsx)("hr",{}),(0,u.jsx)("div",{className:"margin-vert--md",children:(0,u.jsx)(nt.aG,{error:t})})]})})})}const Nt={mainWrapper:"mainWrapper_z2l0"};function Pt(e){const{children:t,noFooter:n,wrapperClassName:r,title:s,description:l}=e;return(0,y.t)(),(0,u.jsxs)(jt,{children:[(0,u.jsx)(i.d,{title:s,description:l}),(0,u.jsx)(v,{}),(0,u.jsx)(j,{}),(0,u.jsx)(ut,{}),(0,u.jsx)("div",{id:d,className:(0,a.Z)(g.k.wrapper.main,Nt.mainWrapper,r),children:(0,u.jsx)(o.Z,{fallback:e=>(0,u.jsx)(Rt,{...e}),children:t})}),!n&&(0,u.jsx)(Ct,{})]})}},1327:(e,t,n)=>{"use strict";n.d(t,{Z:()=>u});n(7294);var r=n(3692),a=n(4996),o=n(2263),i=n(6668),s=n(9965),l=n(5893);function c(e){let{logo:t,alt:n,imageClassName:r}=e;const o={light:(0,a.ZP)(t.src),dark:(0,a.ZP)(t.srcDark||t.src)},i=(0,l.jsx)(s.Z,{className:t.className,sources:o,height:t.height,width:t.width,alt:n,style:t.style});return r?(0,l.jsx)("div",{className:r,children:i}):i}function u(e){const{siteConfig:{title:t}}=(0,o.Z)(),{navbar:{title:n,logo:s}}=(0,i.L)(),{imageClassName:u,titleClassName:d,...p}=e,f=(0,a.ZP)(s?.href||"/"),h=n?"":t,m=s?.alt??h;return(0,l.jsxs)(r.Z,{to:f,...p,...s?.target&&{target:s.target},children:[s&&(0,l.jsx)(c,{logo:s,alt:m,imageClassName:u}),null!=n&&(0,l.jsx)("b",{className:d,children:n})]})}},197:(e,t,n)=>{"use strict";n.d(t,{Z:()=>o});n(7294);var r=n(5742),a=n(5893);function o(e){let{locale:t,version:n,tag:o}=e;const i=t;return(0,a.jsxs)(r.Z,{children:[t&&(0,a.jsx)("meta",{name:"docusaurus_locale",content:t}),n&&(0,a.jsx)("meta",{name:"docusaurus_version",content:n}),o&&(0,a.jsx)("meta",{name:"docusaurus_tag",content:o}),i&&(0,a.jsx)("meta",{name:"docsearch:language",content:i}),n&&(0,a.jsx)("meta",{name:"docsearch:version",content:n}),o&&(0,a.jsx)("meta",{name:"docsearch:docusaurus_tag",content:o})]})}},9965:(e,t,n)=>{"use strict";n.d(t,{Z:()=>u});var r=n(7294),a=n(512),o=n(2389),i=n(2949);const s={themedComponent:"themedComponent_mlkZ","themedComponent--light":"themedComponent--light_NVdE","themedComponent--dark":"themedComponent--dark_xIcU"};var l=n(5893);function c(e){let{className:t,children:n}=e;const c=(0,o.Z)(),{colorMode:u}=(0,i.I)();return(0,l.jsx)(l.Fragment,{children:(c?"dark"===u?["dark"]:["light"]:["light","dark"]).map((e=>{const o=n({theme:e,className:(0,a.Z)(t,s.themedComponent,s[`themedComponent--${e}`])});return(0,l.jsx)(r.Fragment,{children:o},e)}))})}function u(e){const{sources:t,className:n,alt:r,...a}=e;return(0,l.jsx)(c,{className:n,children:e=>{let{theme:n,className:o}=e;return(0,l.jsx)("img",{src:t[n],alt:r,className:o,...a})}})}},6043:(e,t,n)=>{"use strict";n.d(t,{u:()=>c,z:()=>y});var r=n(7294),a=n(412),o=n(469),i=n(1442),s=n(5893);const l="ease-in-out";function c(e){let{initialState:t}=e;const[n,a]=(0,r.useState)(t??!1),o=(0,r.useCallback)((()=>{a((e=>!e))}),[]);return{collapsed:n,setCollapsed:a,toggleCollapsed:o}}const u={display:"none",overflow:"hidden",height:"0px"},d={display:"block",overflow:"visible",height:"auto"};function p(e,t){const n=t?u:d;e.style.display=n.display,e.style.overflow=n.overflow,e.style.height=n.height}function f(e){let{collapsibleRef:t,collapsed:n,animation:a}=e;const o=(0,r.useRef)(!1);(0,r.useEffect)((()=>{const e=t.current;function r(){const t=e.scrollHeight,n=a?.duration??function(e){if((0,i.n)())return 1;const t=e/36;return Math.round(10*(4+15*t**.25+t/5))}(t);return{transition:`height ${n}ms ${a?.easing??l}`,height:`${t}px`}}function s(){const t=r();e.style.transition=t.transition,e.style.height=t.height}if(!o.current)return p(e,n),void(o.current=!0);return e.style.willChange="height",function(){const t=requestAnimationFrame((()=>{n?(s(),requestAnimationFrame((()=>{e.style.height=u.height,e.style.overflow=u.overflow}))):(e.style.display="block",requestAnimationFrame((()=>{s()})))}));return()=>cancelAnimationFrame(t)}()}),[t,n,a])}function h(e){if(!a.Z.canUseDOM)return e?u:d}function m(e){let{as:t="div",collapsed:n,children:a,animation:o,onCollapseTransitionEnd:i,className:l,disableSSRStyle:c}=e;const u=(0,r.useRef)(null);return f({collapsibleRef:u,collapsed:n,animation:o}),(0,s.jsx)(t,{ref:u,style:c?void 0:h(n),onTransitionEnd:e=>{"height"===e.propertyName&&(p(u.current,n),i?.(n))},className:l,children:a})}function g(e){let{collapsed:t,...n}=e;const[a,i]=(0,r.useState)(!t),[l,c]=(0,r.useState)(t);return(0,o.Z)((()=>{t||i(!0)}),[t]),(0,o.Z)((()=>{a&&c(t)}),[a,t]),a?(0,s.jsx)(m,{...n,collapsed:l}):null}function y(e){let{lazy:t,...n}=e;const r=t?g:m;return(0,s.jsx)(r,{...n})}},9689:(e,t,n)=>{"use strict";n.d(t,{n:()=>m,p:()=>h});var r=n(7294),a=n(2389),o=n(812),i=n(902),s=n(6668),l=n(5893);const c=(0,o.WA)("docusaurus.announcement.dismiss"),u=(0,o.WA)("docusaurus.announcement.id"),d=()=>"true"===c.get(),p=e=>c.set(String(e)),f=r.createContext(null);function h(e){let{children:t}=e;const n=function(){const{announcementBar:e}=(0,s.L)(),t=(0,a.Z)(),[n,o]=(0,r.useState)((()=>!!t&&d()));(0,r.useEffect)((()=>{o(d())}),[]);const i=(0,r.useCallback)((()=>{p(!0),o(!0)}),[]);return(0,r.useEffect)((()=>{if(!e)return;const{id:t}=e;let n=u.get();"annoucement-bar"===n&&(n="announcement-bar");const r=t!==n;u.set(t),r&&p(!1),!r&&d()||o(!1)}),[e]),(0,r.useMemo)((()=>({isActive:!!e&&!n,close:i})),[e,n,i])}();return(0,l.jsx)(f.Provider,{value:n,children:t})}function m(){const e=(0,r.useContext)(f);if(!e)throw new i.i6("AnnouncementBarProvider");return e}},2949:(e,t,n)=>{"use strict";n.d(t,{I:()=>y,S:()=>g});var r=n(7294),a=n(412),o=n(902),i=n(812),s=n(6668),l=n(5893);const c=r.createContext(void 0),u="theme",d=(0,i.WA)(u),p={light:"light",dark:"dark"},f=e=>e===p.dark?p.dark:p.light,h=e=>a.Z.canUseDOM?f(document.documentElement.getAttribute("data-theme")):f(e),m=e=>{d.set(f(e))};function g(e){let{children:t}=e;const n=function(){const{colorMode:{defaultMode:e,disableSwitch:t,respectPrefersColorScheme:n}}=(0,s.L)(),[a,o]=(0,r.useState)(h(e));(0,r.useEffect)((()=>{t&&d.del()}),[t]);const i=(0,r.useCallback)((function(t,r){void 0===r&&(r={});const{persist:a=!0}=r;t?(o(t),a&&m(t)):(o(n?window.matchMedia("(prefers-color-scheme: dark)").matches?p.dark:p.light:e),d.del())}),[n,e]);(0,r.useEffect)((()=>{document.documentElement.setAttribute("data-theme",f(a))}),[a]),(0,r.useEffect)((()=>{if(t)return;const e=e=>{if(e.key!==u)return;const t=d.get();null!==t&&i(f(t))};return window.addEventListener("storage",e),()=>window.removeEventListener("storage",e)}),[t,i]);const l=(0,r.useRef)(!1);return(0,r.useEffect)((()=>{if(t&&!n)return;const e=window.matchMedia("(prefers-color-scheme: dark)"),r=()=>{window.matchMedia("print").matches||l.current?l.current=window.matchMedia("print").matches:i(null)};return e.addListener(r),()=>e.removeListener(r)}),[i,t,n]),(0,r.useMemo)((()=>({colorMode:a,setColorMode:i,get isDarkTheme(){return a===p.dark},setLightTheme(){i(p.light)},setDarkTheme(){i(p.dark)}})),[a,i])}();return(0,l.jsx)(c.Provider,{value:n,children:t})}function y(){const e=(0,r.useContext)(c);if(null==e)throw new o.i6("ColorModeProvider","Please see https://docusaurus.io/docs/api/themes/configuration#use-color-mode.");return e}},3163:(e,t,n)=>{"use strict";n.d(t,{M:()=>p,e:()=>f});var r=n(7294),a=n(3102),o=n(7524),i=n(1980),s=n(6668),l=n(902),c=n(5893);const u=r.createContext(void 0);function d(){const e=function(){const e=(0,a.HY)(),{items:t}=(0,s.L)().navbar;return 0===t.length&&!e.component}(),t=(0,o.i)(),n=!e&&"mobile"===t,[l,c]=(0,r.useState)(!1);(0,i.Rb)((()=>{if(l)return c(!1),!1}));const u=(0,r.useCallback)((()=>{c((e=>!e))}),[]);return(0,r.useEffect)((()=>{"desktop"===t&&c(!1)}),[t]),(0,r.useMemo)((()=>({disabled:e,shouldRender:n,toggle:u,shown:l})),[e,n,u,l])}function p(e){let{children:t}=e;const n=d();return(0,c.jsx)(u.Provider,{value:n,children:t})}function f(){const e=r.useContext(u);if(void 0===e)throw new l.i6("NavbarMobileSidebarProvider");return e}},3102:(e,t,n)=>{"use strict";n.d(t,{HY:()=>l,Zo:()=>c,n2:()=>s});var r=n(7294),a=n(902),o=n(5893);const i=r.createContext(null);function s(e){let{children:t}=e;const n=(0,r.useState)({component:null,props:null});return(0,o.jsx)(i.Provider,{value:n,children:t})}function l(){const e=(0,r.useContext)(i);if(!e)throw new a.i6("NavbarSecondaryMenuContentProvider");return e[0]}function c(e){let{component:t,props:n}=e;const o=(0,r.useContext)(i);if(!o)throw new a.i6("NavbarSecondaryMenuContentProvider");const[,s]=o,l=(0,a.Ql)(n);return(0,r.useEffect)((()=>{s({component:t,props:l})}),[s,t,l]),(0,r.useEffect)((()=>()=>s({component:null,props:null})),[s]),null}},9727:(e,t,n)=>{"use strict";n.d(t,{h:()=>a,t:()=>o});var r=n(7294);const a="navigation-with-keyboard";function o(){(0,r.useEffect)((()=>{function e(e){"keydown"===e.type&&"Tab"===e.key&&document.body.classList.add(a),"mousedown"===e.type&&document.body.classList.remove(a)}return document.addEventListener("keydown",e),document.addEventListener("mousedown",e),()=>{document.body.classList.remove(a),document.removeEventListener("keydown",e),document.removeEventListener("mousedown",e)}}),[])}},7524:(e,t,n)=>{"use strict";n.d(t,{i:()=>s});var r=n(7294),a=n(412);const o={desktop:"desktop",mobile:"mobile",ssr:"ssr"},i=996;function s(e){let{desktopBreakpoint:t=i}=void 0===e?{}:e;const[n,s]=(0,r.useState)((()=>"ssr"));return(0,r.useEffect)((()=>{function e(){s(function(e){if(!a.Z.canUseDOM)throw new Error("getWindowSize() should only be called after React hydration");return window.innerWidth>e?o.desktop:o.mobile}(t))}return e(),window.addEventListener("resize",e),()=>{window.removeEventListener("resize",e)}}),[t]),n}},5281:(e,t,n)=>{"use strict";n.d(t,{k:()=>r});const r={page:{blogListPage:"blog-list-page",blogPostPage:"blog-post-page",blogTagsListPage:"blog-tags-list-page",blogTagPostListPage:"blog-tags-post-list-page",blogAuthorsListPage:"blog-authors-list-page",blogAuthorsPostsPage:"blog-authors-posts-page",docsDocPage:"docs-doc-page",docsTagsListPage:"docs-tags-list-page",docsTagDocListPage:"docs-tags-doc-list-page",mdxPage:"mdx-page"},wrapper:{main:"main-wrapper",blogPages:"blog-wrapper",docsPages:"docs-wrapper",mdxPages:"mdx-wrapper"},common:{editThisPage:"theme-edit-this-page",lastUpdated:"theme-last-updated",backToTopButton:"theme-back-to-top-button",codeBlock:"theme-code-block",admonition:"theme-admonition",unlistedBanner:"theme-unlisted-banner",draftBanner:"theme-draft-banner",admonitionType:e=>`theme-admonition-${e}`},layout:{},docs:{docVersionBanner:"theme-doc-version-banner",docVersionBadge:"theme-doc-version-badge",docBreadcrumbs:"theme-doc-breadcrumbs",docMarkdown:"theme-doc-markdown",docTocMobile:"theme-doc-toc-mobile",docTocDesktop:"theme-doc-toc-desktop",docFooter:"theme-doc-footer",docFooterTagsRow:"theme-doc-footer-tags-row",docFooterEditMetaRow:"theme-doc-footer-edit-meta-row",docSidebarContainer:"theme-doc-sidebar-container",docSidebarMenu:"theme-doc-sidebar-menu",docSidebarItemCategory:"theme-doc-sidebar-item-category",docSidebarItemLink:"theme-doc-sidebar-item-link",docSidebarItemCategoryLevel:e=>`theme-doc-sidebar-item-category-level-${e}`,docSidebarItemLinkLevel:e=>`theme-doc-sidebar-item-link-level-${e}`},blog:{blogFooterTagsRow:"theme-blog-footer-tags-row",blogFooterEditMetaRow:"theme-blog-footer-edit-meta-row"},pages:{pageFooterEditMetaRow:"theme-pages-footer-edit-meta-row"}}},1442:(e,t,n)=>{"use strict";function r(){return window.matchMedia("(prefers-reduced-motion: reduce)").matches}n.d(t,{n:()=>r})},3087:(e,t,n)=>{"use strict";n.d(t,{aG:()=>u,Ac:()=>c,Cw:()=>l,QW:()=>d});var r=n(7294),a=n(5999),o=n(8780);const i={errorBoundaryError:"errorBoundaryError_a6uf",errorBoundaryFallback:"errorBoundaryFallback_VBag"};var s=n(5893);function l(e){return(0,s.jsx)("button",{type:"button",...e,children:(0,s.jsx)(a.Z,{id:"theme.ErrorPageContent.tryAgain",description:"The label of the button to try again rendering when the React error boundary captures an error",children:"Try again"})})}function c(e){let{error:t,tryAgain:n}=e;return(0,s.jsxs)("div",{className:i.errorBoundaryFallback,children:[(0,s.jsx)("p",{children:t.message}),(0,s.jsx)(l,{onClick:n})]})}function u(e){let{error:t}=e;const n=(0,o.BN)(t).map((e=>e.message)).join("\n\nCause:\n");return(0,s.jsx)("p",{className:i.errorBoundaryError,children:n})}class d extends r.Component{componentDidCatch(e,t){throw this.props.onError(e,t)}render(){return this.props.children}}},1980:(e,t,n)=>{"use strict";n.d(t,{Rb:()=>i,_X:()=>l});var r=n(7294),a=n(6550),o=n(902);function i(e){!function(e){const t=(0,a.k6)(),n=(0,o.zX)(e);(0,r.useEffect)((()=>t.block(((e,t)=>n(e,t)))),[t,n])}(((t,n)=>{if("POP"===n)return e(t,n)}))}function s(e){const t=(0,a.k6)();return(0,r.useSyncExternalStore)(t.listen,(()=>e(t)),(()=>e(t)))}function l(e){return s((t=>null===e?null:new URLSearchParams(t.location.search).get(e)))}},7392:(e,t,n)=>{"use strict";function r(e,t){return void 0===t&&(t=(e,t)=>e===t),e.filter(((n,r)=>e.findIndex((e=>t(e,n)))!==r))}function a(e){return Array.from(new Set(e))}n.d(t,{jj:()=>a,lx:()=>r})},1944:(e,t,n)=>{"use strict";n.d(t,{FG:()=>f,d:()=>d,VC:()=>h});var r=n(7294),a=n(512),o=n(5742),i=n(226);function s(){const e=r.useContext(i._);if(!e)throw new Error("Unexpected: no Docusaurus route context found");return e}var l=n(4996),c=n(2263);var u=n(5893);function d(e){let{title:t,description:n,keywords:r,image:a,children:i}=e;const s=function(e){const{siteConfig:t}=(0,c.Z)(),{title:n,titleDelimiter:r}=t;return e?.trim().length?`${e.trim()} ${r} ${n}`:n}(t),{withBaseUrl:d}=(0,l.Cg)(),p=a?d(a,{absolute:!0}):void 0;return(0,u.jsxs)(o.Z,{children:[t&&(0,u.jsx)("title",{children:s}),t&&(0,u.jsx)("meta",{property:"og:title",content:s}),n&&(0,u.jsx)("meta",{name:"description",content:n}),n&&(0,u.jsx)("meta",{property:"og:description",content:n}),r&&(0,u.jsx)("meta",{name:"keywords",content:Array.isArray(r)?r.join(","):r}),p&&(0,u.jsx)("meta",{property:"og:image",content:p}),p&&(0,u.jsx)("meta",{name:"twitter:image",content:p}),i]})}const p=r.createContext(void 0);function f(e){let{className:t,children:n}=e;const i=r.useContext(p),s=(0,a.Z)(i,t);return(0,u.jsxs)(p.Provider,{value:s,children:[(0,u.jsx)(o.Z,{children:(0,u.jsx)("html",{className:s})}),n]})}function h(e){let{children:t}=e;const n=s(),r=`plugin-${n.plugin.name.replace(/docusaurus-(?:plugin|theme)-(?:content-)?/gi,"")}`;const o=`plugin-id-${n.plugin.id}`;return(0,u.jsx)(f,{className:(0,a.Z)(r,o),children:t})}},902:(e,t,n)=>{"use strict";n.d(t,{D9:()=>s,Qc:()=>u,Ql:()=>c,i6:()=>l,zX:()=>i});var r=n(7294),a=n(469),o=n(5893);function i(e){const t=(0,r.useRef)(e);return(0,a.Z)((()=>{t.current=e}),[e]),(0,r.useCallback)((function(){return t.current(...arguments)}),[])}function s(e){const t=(0,r.useRef)();return(0,a.Z)((()=>{t.current=e})),t.current}class l extends Error{constructor(e,t){super(),this.name="ReactContextError",this.message=`Hook ${this.stack?.split("\n")[1]?.match(/at (?:\w+\.)?(?<name>\w+)/)?.groups.name??""} is called outside the <${e}>. ${t??""}`}}function c(e){const t=Object.entries(e);return t.sort(((e,t)=>e[0].localeCompare(t[0]))),(0,r.useMemo)((()=>e),t.flat())}function u(e){return t=>{let{children:n}=t;return(0,o.jsx)(o.Fragment,{children:e.reduceRight(((e,t)=>(0,o.jsx)(t,{children:e})),n)})}}},8596:(e,t,n)=>{"use strict";n.d(t,{Mg:()=>i,Ns:()=>s});var r=n(7294),a=n(723),o=n(2263);function i(e,t){const n=e=>(!e||e.endsWith("/")?e:`${e}/`)?.toLowerCase();return n(e)===n(t)}function s(){const{baseUrl:e}=(0,o.Z)().siteConfig;return(0,r.useMemo)((()=>function(e){let{baseUrl:t,routes:n}=e;function r(e){return e.path===t&&!0===e.exact}function a(e){return e.path===t&&!e.exact}return function e(t){if(0===t.length)return;return t.find(r)||e(t.filter(a).flatMap((e=>e.routes??[])))}(n)}({routes:a.Z,baseUrl:e})),[e])}},2466:(e,t,n)=>{"use strict";n.d(t,{Ct:()=>m,OC:()=>u,RF:()=>f,o5:()=>h});var r=n(7294),a=n(412),o=n(2389),i=n(469),s=n(902),l=n(5893);const c=r.createContext(void 0);function u(e){let{children:t}=e;const n=function(){const e=(0,r.useRef)(!0);return(0,r.useMemo)((()=>({scrollEventsEnabledRef:e,enableScrollEvents:()=>{e.current=!0},disableScrollEvents:()=>{e.current=!1}})),[])}();return(0,l.jsx)(c.Provider,{value:n,children:t})}function d(){const e=(0,r.useContext)(c);if(null==e)throw new s.i6("ScrollControllerProvider");return e}const p=()=>a.Z.canUseDOM?{scrollX:window.pageXOffset,scrollY:window.pageYOffset}:null;function f(e,t){void 0===t&&(t=[]);const{scrollEventsEnabledRef:n}=d(),a=(0,r.useRef)(p()),o=(0,s.zX)(e);(0,r.useEffect)((()=>{const e=()=>{if(!n.current)return;const e=p();o(e,a.current),a.current=e},t={passive:!0};return e(),window.addEventListener("scroll",e,t),()=>window.removeEventListener("scroll",e,t)}),[o,n,...t])}function h(){const e=d(),t=function(){const e=(0,r.useRef)({elem:null,top:0}),t=(0,r.useCallback)((t=>{e.current={elem:t,top:t.getBoundingClientRect().top}}),[]),n=(0,r.useCallback)((()=>{const{current:{elem:t,top:n}}=e;if(!t)return{restored:!1};const r=t.getBoundingClientRect().top-n;return r&&window.scrollBy({left:0,top:r}),e.current={elem:null,top:0},{restored:0!==r}}),[]);return(0,r.useMemo)((()=>({save:t,restore:n})),[n,t])}(),n=(0,r.useRef)(void 0),a=(0,r.useCallback)((r=>{t.save(r),e.disableScrollEvents(),n.current=()=>{const{restored:r}=t.restore();if(n.current=void 0,r){const t=()=>{e.enableScrollEvents(),window.removeEventListener("scroll",t)};window.addEventListener("scroll",t)}else e.enableScrollEvents()}}),[e,t]);return(0,i.Z)((()=>{queueMicrotask((()=>n.current?.()))})),{blockElementScrollPositionUntilNextRender:a}}function m(){const e=(0,r.useRef)(null),t=(0,o.Z)()&&"smooth"===getComputedStyle(document.documentElement).scrollBehavior;return{startScroll:n=>{e.current=t?function(e){return window.scrollTo({top:e,behavior:"smooth"}),()=>{}}(n):function(e){let t=null;const n=document.documentElement.scrollTop>e;return function r(){const a=document.documentElement.scrollTop;(n&&a>e||!n&&a<e)&&(t=requestAnimationFrame(r),window.scrollTo(0,Math.floor(.85*(a-e))+e))}(),()=>t&&cancelAnimationFrame(t)}(n)},cancelScroll:()=>e.current?.()}}},812:(e,t,n)=>{"use strict";n.d(t,{WA:()=>u,Nk:()=>d});var r=n(7294);const a=JSON.parse('{"d":"localStorage","u":""}'),o=a.d;function i(e){let{key:t,oldValue:n,newValue:r,storage:a}=e;if(n===r)return;const o=document.createEvent("StorageEvent");o.initStorageEvent("storage",!1,!1,t,n,r,window.location.href,a),window.dispatchEvent(o)}function s(e){if(void 0===e&&(e=o),"undefined"==typeof window)throw new Error("Browser storage is not available on Node.js/Docusaurus SSR process.");if("none"===e)return null;try{return window[e]}catch(n){return t=n,l||(console.warn("Docusaurus browser storage is not available.\nPossible reasons: running Docusaurus in an iframe, in an incognito browser session, or using too strict browser privacy settings.",t),l=!0),null}var t}let l=!1;const c={get:()=>null,set:()=>{},del:()=>{},listen:()=>()=>{}};function u(e,t){const n=`${e}${a.u}`;if("undefined"==typeof window)return function(e){function t(){throw new Error(`Illegal storage API usage for storage key "${e}".\nDocusaurus storage APIs are not supposed to be called on the server-rendering process.\nPlease only call storage APIs in effects and event handlers.`)}return{get:t,set:t,del:t,listen:t}}(n);const r=s(t?.persistence);return null===r?c:{get:()=>{try{return r.getItem(n)}catch(e){return console.error(`Docusaurus storage error, can't get key=${n}`,e),null}},set:e=>{try{const t=r.getItem(n);r.setItem(n,e),i({key:n,oldValue:t,newValue:e,storage:r})}catch(t){console.error(`Docusaurus storage error, can't set ${n}=${e}`,t)}},del:()=>{try{const e=r.getItem(n);r.removeItem(n),i({key:n,oldValue:e,newValue:null,storage:r})}catch(e){console.error(`Docusaurus storage error, can't delete key=${n}`,e)}},listen:e=>{try{const t=t=>{t.storageArea===r&&t.key===n&&e(t)};return window.addEventListener("storage",t),()=>window.removeEventListener("storage",t)}catch(t){return console.error(`Docusaurus storage error, can't listen for changes of key=${n}`,t),()=>{}}}}}function d(e,t){const n=(0,r.useRef)((()=>null===e?c:u(e,t))).current(),a=(0,r.useCallback)((e=>"undefined"==typeof window?()=>{}:n.listen(e)),[n]);return[(0,r.useSyncExternalStore)(a,(()=>"undefined"==typeof window?null:n.get()),(()=>null)),n]}},4711:(e,t,n)=>{"use strict";n.d(t,{l:()=>i});var r=n(2263),a=n(6550),o=n(8780);function i(){const{siteConfig:{baseUrl:e,url:t,trailingSlash:n},i18n:{defaultLocale:i,currentLocale:s}}=(0,r.Z)(),{pathname:l}=(0,a.TH)(),c=(0,o.Do)(l,{trailingSlash:n,baseUrl:e}),u=s===i?e:e.replace(`/${s}/`,"/"),d=c.replace(e,"");return{createUrl:function(e){let{locale:n,fullyQualified:r}=e;return`${r?t:""}${function(e){return e===i?`${u}`:`${u}${e}/`}(n)}${d}`}}}},5936:(e,t,n)=>{"use strict";n.d(t,{S:()=>i});var r=n(7294),a=n(6550),o=n(902);function i(e){const t=(0,a.TH)(),n=(0,o.D9)(t),i=(0,o.zX)(e);(0,r.useEffect)((()=>{n&&t!==n&&i({location:t,previousLocation:n})}),[i,t,n])}},6668:(e,t,n)=>{"use strict";n.d(t,{L:()=>a});var r=n(2263);function a(){return(0,r.Z)().siteConfig.themeConfig}},8802:(e,t,n)=>{"use strict";Object.defineProperty(t,"__esModule",{value:!0}),t.addTrailingSlash=a,t.default=function(e,t){const{trailingSlash:n,baseUrl:r}=t;if(e.startsWith("#"))return e;if(void 0===n)return e;const[i]=e.split(/[#?]/),s="/"===i||i===r?i:(l=i,c=n,c?a(l):o(l));var l,c;return e.replace(i,s)},t.addLeadingSlash=function(e){return(0,r.addPrefix)(e,"/")},t.removeTrailingSlash=o;const r=n(5913);function a(e){return e.endsWith("/")?e:`${e}/`}function o(e){return(0,r.removeSuffix)(e,"/")}},4143:(e,t)=>{"use strict";Object.defineProperty(t,"__esModule",{value:!0}),t.getErrorCausalChain=function e(t){if(t.cause)return[t,...e(t.cause)];return[t]}},8780:(e,t,n)=>{"use strict";t.BN=t.Do=void 0;const r=n(7582);var a=n(8802);Object.defineProperty(t,"Do",{enumerable:!0,get:function(){return r.__importDefault(a).default}});var o=n(5913);var i=n(4143);Object.defineProperty(t,"BN",{enumerable:!0,get:function(){return i.getErrorCausalChain}})},5913:(e,t)=>{"use strict";Object.defineProperty(t,"__esModule",{value:!0}),t.addPrefix=function(e,t){return e.startsWith(t)?e:`${t}${e}`},t.removeSuffix=function(e,t){if(""===t)return e;return e.endsWith(t)?e.slice(0,-t.length):e},t.addSuffix=function(e,t){return e.endsWith(t)?e:`${e}${t}`},t.removePrefix=function(e,t){return e.startsWith(t)?e.slice(t.length):e}},311:(e,t,n)=>{"use strict";n.d(t,{Z:()=>i});n(7294);var r=n(1728);const a={loadingRing:"loadingRing_RJI3","loading-ring":"loading-ring_FB5o"};var o=n(5893);function i(e){let{className:t}=e;return(0,o.jsxs)("div",{className:(0,r.Z)(a.loadingRing,t),children:[(0,o.jsx)("div",{}),(0,o.jsx)("div",{}),(0,o.jsx)("div",{}),(0,o.jsx)("div",{})]})}},22:(e,t,n)=>{"use strict";n.d(t,{w:()=>s});var r=n(1336),a=n.n(r),o=n(1029);const i=new Map;function s(e,t){const n=`${e}${t}`;let r=i.get(n);return r||(r=async function(e,t){{const n=`${e}${o.J.replace("{dir}",t?`-${t.replace(/\//g,"-")}`:"")}`;if(new URL(n,location.origin).origin!==location.origin)throw new Error("Unexpected version url");const r=await(await fetch(n)).json(),i=r.map(((e,t)=>{let{documents:n,index:r}=e;return{type:t,documents:n,index:a().Index.load(r)}})),s=r.reduce(((e,t)=>{for(const n of t.index.invertedIndex)/\p{Unified_Ideograph}/u.test(n[0][0])&&e.add(n[0]);return e}),new Set);return{wrappedIndexes:i,zhDictionary:Array.from(s)}}return{wrappedIndexes:[],zhDictionary:[]}}(e,t),i.set(n,r)),r}},8202:(e,t,n)=>{"use strict";n.d(t,{v:()=>c});var r=n(1336),a=n.n(r);var o=n(1029);function i(e){return s(e).concat(s(e.filter((e=>{const t=e[e.length-1];return!t.trailing&&t.maybeTyping})),!0))}function s(e,t){return e.map((e=>({tokens:e.map((e=>e.value)),term:e.map((e=>({value:e.value,presence:a().Query.presence.REQUIRED,wildcard:(t?e.trailing||e.maybeTyping:e.trailing)?a().Query.wildcard.TRAILING:a().Query.wildcard.NONE})))})))}var l=n(3545);function c(e,t,n){return function(r,s){const c=function(e,t){if(1===t.length&&["ja","jp","th"].includes(t[0]))return a()[t[0]].tokenizer(e).map((e=>e.toString()));let n=/[^-\s]+/g;return t.includes("zh")&&(n=/\w+|\p{Unified_Ideograph}+/gu),e.toLowerCase().match(n)||[]}(r,o.dK);if(0===c.length)return void s([]);const u=function(e,t){const n=function(e,t){const n=[];return function e(r,a){if(0===r.length)return void n.push(a);const o=r[0];if(/\p{Unified_Ideograph}/u.test(o)){const n=function(e,t){const n=[];return function e(r,a){let o=0,i=!1;for(const s of t)if(r.substr(0,s.length)===s){const t={missed:a.missed,term:a.term.concat({value:s})};r.length>s.length?e(r.substr(s.length),t):n.push(t),i=!0}else for(let t=s.length-1;t>o;t-=1){const l=s.substr(0,t);if(r.substr(0,t)===l){o=t;const s={missed:a.missed,term:a.term.concat({value:l,trailing:!0})};r.length>t?e(r.substr(t),s):n.push(s),i=!0;break}}i||(r.length>0?e(r.substr(1),{missed:a.missed+1,term:a.term}):a.term.length>0&&n.push(a))}(e,{missed:0,term:[]}),n.sort(((e,t)=>{const n=e.missed>0?1:0,r=t.missed>0?1:0;return n!==r?n-r:e.term.length-t.term.length})).map((e=>e.term))}(o,t);for(const t of n){const n=a.concat(...t);e(r.slice(1),n)}}else{const t=a.concat({value:o});e(r.slice(1),t)}}(e,[]),n}(e,t);if(0===n.length)return[{tokens:e,term:e.map((e=>({value:e,presence:a().Query.presence.REQUIRED,wildcard:a().Query.wildcard.LEADING|a().Query.wildcard.TRAILING})))}];for(const a of n)a[a.length-1].maybeTyping=!0;const r=[];for(const i of o.dK)if("en"===i)o._k||r.unshift(a().stopWordFilter);else{const e=a()[i];e.stopWordFilter&&r.unshift(e.stopWordFilter)}let s;if(r.length>0){const e=e=>r.reduce(((e,t)=>e.filter((e=>t(e.value)))),e);s=[];const t=[];for(const r of n){const n=e(r);s.push(n),n.length<r.length&&n.length>0&&t.push(n)}n.push(...t)}else s=n.slice();const l=[];for(const a of s)if(a.length>2)for(let e=a.length-1;e>=0;e-=1)l.push(a.slice(0,e).concat(a.slice(e+1)));return i(n).concat(i(l))}(c,t),d=[];e:for(const{term:t,tokens:a}of u)for(const{documents:r,index:o,type:i}of e)if(d.push(...o.query((e=>{for(const n of t)e.term(n.value,{wildcard:n.wildcard,presence:n.presence})})).slice(0,n).filter((e=>!d.some((t=>t.document.i.toString()===e.ref)))).slice(0,n-d.length).map((t=>{const n=r.find((e=>e.i.toString()===t.ref));return{document:n,type:i,page:i!==l.P.Title&&e[0].documents.find((e=>e.i===n.p)),metadata:t.matchData.metadata,tokens:a,score:t.score}}))),d.length>=n)break e;!function(e){e.forEach(((e,t)=>{e.index=t})),e.sort(((t,n)=>{let r=t.type!==l.P.Heading&&t.type!==l.P.Content&&t.type!==l.P.Description||!t.page?t.index:e.findIndex((e=>e.document===t.page)),a=n.type!==l.P.Heading&&n.type!==l.P.Content&&n.type!==l.P.Description||!n.page?n.index:e.findIndex((e=>e.document===n.page));if(-1===r&&(r=t.index),-1===a&&(a=n.index),r===a){const e=(0===n.type?1:0)-(0===t.type?1:0);return 0===e?t.index-n.index:e}return r-a}))}(d),function(e){e.forEach(((t,n)=>{n>0&&t.page&&e.slice(0,n).some((e=>(e.type===l.P.Keywords?e.page:e.document)===t.page))&&(n<e.length-1&&e[n+1].page===t.page?t.isInterOfTree=!0:t.isLastOfTree=!0)}))}(d),s(d)}}},3926:(e,t,n)=>{"use strict";function r(e){return e.join(" \u203a ")}n.d(t,{e:()=>r})},1690:(e,t,n)=>{"use strict";function r(e){return e.replace(/&/g,"&").replace(/</g,"<").replace(/>/g,">").replace(/"/g,""").replace(/'/g,"'")}n.d(t,{X:()=>r})},1073:(e,t,n)=>{"use strict";function r(e,t){const n=[];for(const r of Object.values(e))r[t]&&n.push(...r[t].position);return n.sort(((e,t)=>e[0]-t[0]||t[1]-e[1]))}n.d(t,{m:()=>r})},2539:(e,t,n)=>{"use strict";n.d(t,{C:()=>a});var r=n(1690);function a(e,t,n){const o=[];for(const i of t){const n=e.toLowerCase().indexOf(i);if(n>=0){n>0&&o.push(a(e.substr(0,n),t)),o.push(`<mark>${(0,r.X)(e.substr(n,i.length))}</mark>`);const s=n+i.length;s<e.length&&o.push(a(e.substr(s),t));break}}return 0===o.length?n?`<mark>${(0,r.X)(e)}</mark>`:(0,r.X)(e):o.join("")}},726:(e,t,n)=>{"use strict";n.d(t,{o:()=>l});var r=n(1690),a=n(2539);const o=/\w+|\p{Unified_Ideograph}/u;function i(e){const t=[];let n=0,r=e;for(;r.length>0;){const a=r.match(o);if(!a){t.push(r);break}a.index>0&&t.push(r.substring(0,a.index)),t.push(a[0]),n+=a.index+a[0].length,r=e.substring(n)}return t}var s=n(1029);function l(e,t,n,o){void 0===o&&(o=s.Hk);const{chunkIndex:l,chunks:c}=function(e,t,n){const o=[];let s=0,l=0,c=-1;for(;s<t.length;){const[u,d]=t[s];if(s+=1,!(u<l)){if(u>l){const t=i(e.substring(l,u)).map((e=>({html:(0,r.X)(e),textLength:e.length})));for(const e of t)o.push(e)}-1===c&&(c=o.length),l=u+d,o.push({html:(0,a.C)(e.substring(u,l),n,!0),textLength:d})}}if(l<e.length){const t=i(e.substring(l)).map((e=>({html:(0,r.X)(e),textLength:e.length})));for(const e of t)o.push(e)}return{chunkIndex:c,chunks:o}}(e,t,n),u=c.slice(0,l),d=c[l],p=[d.html],f=c.slice(l+1);let h=d.textLength,m=0,g=0,y=!1,b=!1;for(;h<o;)if((m<=g||0===f.length)&&u.length>0){const e=u.pop();h+e.textLength<=o?(p.unshift(e.html),m+=e.textLength,h+=e.textLength):(y=!0,u.length=0)}else{if(!(f.length>0))break;{const e=f.shift();h+e.textLength<=o?(p.push(e.html),g+=e.textLength,h+=e.textLength):(b=!0,f.length=0)}}return(y||u.length>0)&&p.unshift("\u2026"),(b||f.length>0)&&p.push("\u2026"),p.join("")}},51:(e,t,n)=>{"use strict";function r(e,t){if("string"==typeof e)return{label:e,path:e};{const{label:n,path:r}=e;return"string"==typeof n?{label:n,path:r}:Object.prototype.hasOwnProperty.call(n,t)?{label:n[t],path:r}:{label:r,path:r}}}n.d(t,{_:()=>r})},1029:(e,t,n)=>{"use strict";n.d(t,{vc:()=>a(),gQ:()=>h,H6:()=>u,hG:()=>y,l9:()=>m,dK:()=>o,_k:()=>i,pu:()=>f,AY:()=>d,t_:()=>p,Kc:()=>g,J:()=>s,Hk:()=>c,qo:()=>l,pQ:()=>b});n(1336);var r=n(813),a=n.n(r);const o=["en"],i=!1,s="search-index{dir}.json?_=77f662a8",l=8,c=50,u=!1,d=!0,p=!0,f="right",h=void 0,m=!0,g=null,y=!1,b=!1},3545:(e,t,n)=>{"use strict";var r;n.d(t,{P:()=>r}),function(e){e[e.Title=0]="Title",e[e.Heading=1]="Heading",e[e.Description=2]="Description",e[e.Keywords=3]="Keywords",e[e.Content=4]="Content"}(r||(r={}))},9318:(e,t,n)=>{"use strict";n.d(t,{lX:()=>w,q_:()=>C,ob:()=>f,PP:()=>j,Ep:()=>p});var r=n(7462);function a(e){return"/"===e.charAt(0)}function o(e,t){for(var n=t,r=n+1,a=e.length;r<a;n+=1,r+=1)e[n]=e[r];e.pop()}const i=function(e,t){void 0===t&&(t="");var n,r=e&&e.split("/")||[],i=t&&t.split("/")||[],s=e&&a(e),l=t&&a(t),c=s||l;if(e&&a(e)?i=r:r.length&&(i.pop(),i=i.concat(r)),!i.length)return"/";if(i.length){var u=i[i.length-1];n="."===u||".."===u||""===u}else n=!1;for(var d=0,p=i.length;p>=0;p--){var f=i[p];"."===f?o(i,p):".."===f?(o(i,p),d++):d&&(o(i,p),d--)}if(!c)for(;d--;d)i.unshift("..");!c||""===i[0]||i[0]&&a(i[0])||i.unshift("");var h=i.join("/");return n&&"/"!==h.substr(-1)&&(h+="/"),h};var s=n(8776);function l(e){return"/"===e.charAt(0)?e:"/"+e}function c(e){return"/"===e.charAt(0)?e.substr(1):e}function u(e,t){return function(e,t){return 0===e.toLowerCase().indexOf(t.toLowerCase())&&-1!=="/?#".indexOf(e.charAt(t.length))}(e,t)?e.substr(t.length):e}function d(e){return"/"===e.charAt(e.length-1)?e.slice(0,-1):e}function p(e){var t=e.pathname,n=e.search,r=e.hash,a=t||"/";return n&&"?"!==n&&(a+="?"===n.charAt(0)?n:"?"+n),r&&"#"!==r&&(a+="#"===r.charAt(0)?r:"#"+r),a}function f(e,t,n,a){var o;"string"==typeof e?(o=function(e){var t=e||"/",n="",r="",a=t.indexOf("#");-1!==a&&(r=t.substr(a),t=t.substr(0,a));var o=t.indexOf("?");return-1!==o&&(n=t.substr(o),t=t.substr(0,o)),{pathname:t,search:"?"===n?"":n,hash:"#"===r?"":r}}(e),o.state=t):(void 0===(o=(0,r.Z)({},e)).pathname&&(o.pathname=""),o.search?"?"!==o.search.charAt(0)&&(o.search="?"+o.search):o.search="",o.hash?"#"!==o.hash.charAt(0)&&(o.hash="#"+o.hash):o.hash="",void 0!==t&&void 0===o.state&&(o.state=t));try{o.pathname=decodeURI(o.pathname)}catch(s){throw s instanceof URIError?new URIError('Pathname "'+o.pathname+'" could not be decoded. This is likely caused by an invalid percent-encoding.'):s}return n&&(o.key=n),a?o.pathname?"/"!==o.pathname.charAt(0)&&(o.pathname=i(o.pathname,a.pathname)):o.pathname=a.pathname:o.pathname||(o.pathname="/"),o}function h(){var e=null;var t=[];return{setPrompt:function(t){return e=t,function(){e===t&&(e=null)}},confirmTransitionTo:function(t,n,r,a){if(null!=e){var o="function"==typeof e?e(t,n):e;"string"==typeof o?"function"==typeof r?r(o,a):a(!0):a(!1!==o)}else a(!0)},appendListener:function(e){var n=!0;function r(){n&&e.apply(void 0,arguments)}return t.push(r),function(){n=!1,t=t.filter((function(e){return e!==r}))}},notifyListeners:function(){for(var e=arguments.length,n=new Array(e),r=0;r<e;r++)n[r]=arguments[r];t.forEach((function(e){return e.apply(void 0,n)}))}}}var m=!("undefined"==typeof window||!window.document||!window.document.createElement);function g(e,t){t(window.confirm(e))}var y="popstate",b="hashchange";function v(){try{return window.history.state||{}}catch(e){return{}}}function w(e){void 0===e&&(e={}),m||(0,s.Z)(!1);var t,n=window.history,a=(-1===(t=window.navigator.userAgent).indexOf("Android 2.")&&-1===t.indexOf("Android 4.0")||-1===t.indexOf("Mobile Safari")||-1!==t.indexOf("Chrome")||-1!==t.indexOf("Windows Phone"))&&window.history&&"pushState"in window.history,o=!(-1===window.navigator.userAgent.indexOf("Trident")),i=e,c=i.forceRefresh,w=void 0!==c&&c,k=i.getUserConfirmation,x=void 0===k?g:k,S=i.keyLength,E=void 0===S?6:S,_=e.basename?d(l(e.basename)):"";function C(e){var t=e||{},n=t.key,r=t.state,a=window.location,o=a.pathname+a.search+a.hash;return _&&(o=u(o,_)),f(o,r,n)}function T(){return Math.random().toString(36).substr(2,E)}var j=h();function L(e){(0,r.Z)($,e),$.length=n.length,j.notifyListeners($.location,$.action)}function R(e){(function(e){return void 0===e.state&&-1===navigator.userAgent.indexOf("CriOS")})(e)||A(C(e.state))}function N(){A(C(v()))}var P=!1;function A(e){if(P)P=!1,L();else{j.confirmTransitionTo(e,"POP",x,(function(t){t?L({action:"POP",location:e}):function(e){var t=$.location,n=I.indexOf(t.key);-1===n&&(n=0);var r=I.indexOf(e.key);-1===r&&(r=0);var a=n-r;a&&(P=!0,F(a))}(e)}))}}var O=C(v()),I=[O.key];function D(e){return _+p(e)}function F(e){n.go(e)}var M=0;function z(e){1===(M+=e)&&1===e?(window.addEventListener(y,R),o&&window.addEventListener(b,N)):0===M&&(window.removeEventListener(y,R),o&&window.removeEventListener(b,N))}var B=!1;var $={length:n.length,action:"POP",location:O,createHref:D,push:function(e,t){var r="PUSH",o=f(e,t,T(),$.location);j.confirmTransitionTo(o,r,x,(function(e){if(e){var t=D(o),i=o.key,s=o.state;if(a)if(n.pushState({key:i,state:s},null,t),w)window.location.href=t;else{var l=I.indexOf($.location.key),c=I.slice(0,l+1);c.push(o.key),I=c,L({action:r,location:o})}else window.location.href=t}}))},replace:function(e,t){var r="REPLACE",o=f(e,t,T(),$.location);j.confirmTransitionTo(o,r,x,(function(e){if(e){var t=D(o),i=o.key,s=o.state;if(a)if(n.replaceState({key:i,state:s},null,t),w)window.location.replace(t);else{var l=I.indexOf($.location.key);-1!==l&&(I[l]=o.key),L({action:r,location:o})}else window.location.replace(t)}}))},go:F,goBack:function(){F(-1)},goForward:function(){F(1)},block:function(e){void 0===e&&(e=!1);var t=j.setPrompt(e);return B||(z(1),B=!0),function(){return B&&(B=!1,z(-1)),t()}},listen:function(e){var t=j.appendListener(e);return z(1),function(){z(-1),t()}}};return $}var k="hashchange",x={hashbang:{encodePath:function(e){return"!"===e.charAt(0)?e:"!/"+c(e)},decodePath:function(e){return"!"===e.charAt(0)?e.substr(1):e}},noslash:{encodePath:c,decodePath:l},slash:{encodePath:l,decodePath:l}};function S(e){var t=e.indexOf("#");return-1===t?e:e.slice(0,t)}function E(){var e=window.location.href,t=e.indexOf("#");return-1===t?"":e.substring(t+1)}function _(e){window.location.replace(S(window.location.href)+"#"+e)}function C(e){void 0===e&&(e={}),m||(0,s.Z)(!1);var t=window.history,n=(window.navigator.userAgent.indexOf("Firefox"),e),a=n.getUserConfirmation,o=void 0===a?g:a,i=n.hashType,c=void 0===i?"slash":i,y=e.basename?d(l(e.basename)):"",b=x[c],v=b.encodePath,w=b.decodePath;function C(){var e=w(E());return y&&(e=u(e,y)),f(e)}var T=h();function j(e){(0,r.Z)(B,e),B.length=t.length,T.notifyListeners(B.location,B.action)}var L=!1,R=null;function N(){var e,t,n=E(),r=v(n);if(n!==r)_(r);else{var a=C(),i=B.location;if(!L&&(t=a,(e=i).pathname===t.pathname&&e.search===t.search&&e.hash===t.hash))return;if(R===p(a))return;R=null,function(e){if(L)L=!1,j();else{var t="POP";T.confirmTransitionTo(e,t,o,(function(n){n?j({action:t,location:e}):function(e){var t=B.location,n=I.lastIndexOf(p(t));-1===n&&(n=0);var r=I.lastIndexOf(p(e));-1===r&&(r=0);var a=n-r;a&&(L=!0,D(a))}(e)}))}}(a)}}var P=E(),A=v(P);P!==A&&_(A);var O=C(),I=[p(O)];function D(e){t.go(e)}var F=0;function M(e){1===(F+=e)&&1===e?window.addEventListener(k,N):0===F&&window.removeEventListener(k,N)}var z=!1;var B={length:t.length,action:"POP",location:O,createHref:function(e){var t=document.querySelector("base"),n="";return t&&t.getAttribute("href")&&(n=S(window.location.href)),n+"#"+v(y+p(e))},push:function(e,t){var n="PUSH",r=f(e,void 0,void 0,B.location);T.confirmTransitionTo(r,n,o,(function(e){if(e){var t=p(r),a=v(y+t);if(E()!==a){R=t,function(e){window.location.hash=e}(a);var o=I.lastIndexOf(p(B.location)),i=I.slice(0,o+1);i.push(t),I=i,j({action:n,location:r})}else j()}}))},replace:function(e,t){var n="REPLACE",r=f(e,void 0,void 0,B.location);T.confirmTransitionTo(r,n,o,(function(e){if(e){var t=p(r),a=v(y+t);E()!==a&&(R=t,_(a));var o=I.indexOf(p(B.location));-1!==o&&(I[o]=t),j({action:n,location:r})}}))},go:D,goBack:function(){D(-1)},goForward:function(){D(1)},block:function(e){void 0===e&&(e=!1);var t=T.setPrompt(e);return z||(M(1),z=!0),function(){return z&&(z=!1,M(-1)),t()}},listen:function(e){var t=T.appendListener(e);return M(1),function(){M(-1),t()}}};return B}function T(e,t,n){return Math.min(Math.max(e,t),n)}function j(e){void 0===e&&(e={});var t=e,n=t.getUserConfirmation,a=t.initialEntries,o=void 0===a?["/"]:a,i=t.initialIndex,s=void 0===i?0:i,l=t.keyLength,c=void 0===l?6:l,u=h();function d(e){(0,r.Z)(w,e),w.length=w.entries.length,u.notifyListeners(w.location,w.action)}function m(){return Math.random().toString(36).substr(2,c)}var g=T(s,0,o.length-1),y=o.map((function(e){return f(e,void 0,"string"==typeof e?m():e.key||m())})),b=p;function v(e){var t=T(w.index+e,0,w.entries.length-1),r=w.entries[t];u.confirmTransitionTo(r,"POP",n,(function(e){e?d({action:"POP",location:r,index:t}):d()}))}var w={length:y.length,action:"POP",location:y[g],index:g,entries:y,createHref:b,push:function(e,t){var r="PUSH",a=f(e,t,m(),w.location);u.confirmTransitionTo(a,r,n,(function(e){if(e){var t=w.index+1,n=w.entries.slice(0);n.length>t?n.splice(t,n.length-t,a):n.push(a),d({action:r,location:a,index:t,entries:n})}}))},replace:function(e,t){var r="REPLACE",a=f(e,t,m(),w.location);u.confirmTransitionTo(a,r,n,(function(e){e&&(w.entries[w.index]=a,d({action:r,location:a}))}))},go:v,goBack:function(){v(-1)},goForward:function(){v(1)},canGo:function(e){var t=w.index+e;return t>=0&&t<w.entries.length},block:function(e){return void 0===e&&(e=!1),u.setPrompt(e)},listen:function(e){return u.appendListener(e)}};return w}},8679:(e,t,n)=>{"use strict";var r=n(9864),a={childContextTypes:!0,contextType:!0,contextTypes:!0,defaultProps:!0,displayName:!0,getDefaultProps:!0,getDerivedStateFromError:!0,getDerivedStateFromProps:!0,mixins:!0,propTypes:!0,type:!0},o={name:!0,length:!0,prototype:!0,caller:!0,callee:!0,arguments:!0,arity:!0},i={$$typeof:!0,compare:!0,defaultProps:!0,displayName:!0,propTypes:!0,type:!0},s={};function l(e){return r.isMemo(e)?i:s[e.$$typeof]||a}s[r.ForwardRef]={$$typeof:!0,render:!0,defaultProps:!0,displayName:!0,propTypes:!0},s[r.Memo]=i;var c=Object.defineProperty,u=Object.getOwnPropertyNames,d=Object.getOwnPropertySymbols,p=Object.getOwnPropertyDescriptor,f=Object.getPrototypeOf,h=Object.prototype;e.exports=function e(t,n,r){if("string"!=typeof n){if(h){var a=f(n);a&&a!==h&&e(t,a,r)}var i=u(n);d&&(i=i.concat(d(n)));for(var s=l(t),m=l(n),g=0;g<i.length;++g){var y=i[g];if(!(o[y]||r&&r[y]||m&&m[y]||s&&s[y])){var b=p(n,y);try{c(t,y,b)}catch(v){}}}}return t}},1143:e=>{"use strict";e.exports=function(e,t,n,r,a,o,i,s){if(!e){var l;if(void 0===t)l=new Error("Minified exception occurred; use the non-minified dev environment for the full error message and additional helpful warnings.");else{var c=[n,r,a,o,i,s],u=0;(l=new Error(t.replace(/%s/g,(function(){return c[u++]})))).name="Invariant Violation"}throw l.framesToPop=1,l}}},5826:e=>{e.exports=Array.isArray||function(e){return"[object Array]"==Object.prototype.toString.call(e)}},1336:(e,t,n)=>{var r,a;!function(){var o,i,s,l,c,u,d,p,f,h,m,g,y,b,v,w,k,x,S,E,_,C,T,j,L,R,N,P,A,O,I=function(e){var t=new I.Builder;return t.pipeline.add(I.trimmer,I.stopWordFilter,I.stemmer),t.searchPipeline.add(I.stemmer),e.call(t,t),t.build()};I.version="2.3.9",I.utils={},I.utils.warn=(o=this,function(e){o.console&&console.warn&&console.warn(e)}),I.utils.asString=function(e){return null==e?"":e.toString()},I.utils.clone=function(e){if(null==e)return e;for(var t=Object.create(null),n=Object.keys(e),r=0;r<n.length;r++){var a=n[r],o=e[a];if(Array.isArray(o))t[a]=o.slice();else{if("string"!=typeof o&&"number"!=typeof o&&"boolean"!=typeof o)throw new TypeError("clone is not deep and does not support nested objects");t[a]=o}}return t},I.FieldRef=function(e,t,n){this.docRef=e,this.fieldName=t,this._stringValue=n},I.FieldRef.joiner="/",I.FieldRef.fromString=function(e){var t=e.indexOf(I.FieldRef.joiner);if(-1===t)throw"malformed field ref string";var n=e.slice(0,t),r=e.slice(t+1);return new I.FieldRef(r,n,e)},I.FieldRef.prototype.toString=function(){return null==this._stringValue&&(this._stringValue=this.fieldName+I.FieldRef.joiner+this.docRef),this._stringValue},I.Set=function(e){if(this.elements=Object.create(null),e){this.length=e.length;for(var t=0;t<this.length;t++)this.elements[e[t]]=!0}else this.length=0},I.Set.complete={intersect:function(e){return e},union:function(){return this},contains:function(){return!0}},I.Set.empty={intersect:function(){return this},union:function(e){return e},contains:function(){return!1}},I.Set.prototype.contains=function(e){return!!this.elements[e]},I.Set.prototype.intersect=function(e){var t,n,r,a=[];if(e===I.Set.complete)return this;if(e===I.Set.empty)return e;this.length<e.length?(t=this,n=e):(t=e,n=this),r=Object.keys(t.elements);for(var o=0;o<r.length;o++){var i=r[o];i in n.elements&&a.push(i)}return new I.Set(a)},I.Set.prototype.union=function(e){return e===I.Set.complete?I.Set.complete:e===I.Set.empty?this:new I.Set(Object.keys(this.elements).concat(Object.keys(e.elements)))},I.idf=function(e,t){var n=0;for(var r in e)"_index"!=r&&(n+=Object.keys(e[r]).length);var a=(t-n+.5)/(n+.5);return Math.log(1+Math.abs(a))},I.Token=function(e,t){this.str=e||"",this.metadata=t||{}},I.Token.prototype.toString=function(){return this.str},I.Token.prototype.update=function(e){return this.str=e(this.str,this.metadata),this},I.Token.prototype.clone=function(e){return e=e||function(e){return e},new I.Token(e(this.str,this.metadata),this.metadata)},I.tokenizer=function(e,t){if(null==e||null==e)return[];if(Array.isArray(e))return e.map((function(e){return new I.Token(I.utils.asString(e).toLowerCase(),I.utils.clone(t))}));for(var n=e.toString().toLowerCase(),r=n.length,a=[],o=0,i=0;o<=r;o++){var s=o-i;if(n.charAt(o).match(I.tokenizer.separator)||o==r){if(s>0){var l=I.utils.clone(t)||{};l.position=[i,s],l.index=a.length,a.push(new I.Token(n.slice(i,o),l))}i=o+1}}return a},I.tokenizer.separator=/[\s\-]+/,I.Pipeline=function(){this._stack=[]},I.Pipeline.registeredFunctions=Object.create(null),I.Pipeline.registerFunction=function(e,t){t in this.registeredFunctions&&I.utils.warn("Overwriting existing registered function: "+t),e.label=t,I.Pipeline.registeredFunctions[e.label]=e},I.Pipeline.warnIfFunctionNotRegistered=function(e){e.label&&e.label in this.registeredFunctions||I.utils.warn("Function is not registered with pipeline. This may cause problems when serialising the index.\n",e)},I.Pipeline.load=function(e){var t=new I.Pipeline;return e.forEach((function(e){var n=I.Pipeline.registeredFunctions[e];if(!n)throw new Error("Cannot load unregistered function: "+e);t.add(n)})),t},I.Pipeline.prototype.add=function(){Array.prototype.slice.call(arguments).forEach((function(e){I.Pipeline.warnIfFunctionNotRegistered(e),this._stack.push(e)}),this)},I.Pipeline.prototype.after=function(e,t){I.Pipeline.warnIfFunctionNotRegistered(t);var n=this._stack.indexOf(e);if(-1==n)throw new Error("Cannot find existingFn");n+=1,this._stack.splice(n,0,t)},I.Pipeline.prototype.before=function(e,t){I.Pipeline.warnIfFunctionNotRegistered(t);var n=this._stack.indexOf(e);if(-1==n)throw new Error("Cannot find existingFn");this._stack.splice(n,0,t)},I.Pipeline.prototype.remove=function(e){var t=this._stack.indexOf(e);-1!=t&&this._stack.splice(t,1)},I.Pipeline.prototype.run=function(e){for(var t=this._stack.length,n=0;n<t;n++){for(var r=this._stack[n],a=[],o=0;o<e.length;o++){var i=r(e[o],o,e);if(null!=i&&""!==i)if(Array.isArray(i))for(var s=0;s<i.length;s++)a.push(i[s]);else a.push(i)}e=a}return e},I.Pipeline.prototype.runString=function(e,t){var n=new I.Token(e,t);return this.run([n]).map((function(e){return e.toString()}))},I.Pipeline.prototype.reset=function(){this._stack=[]},I.Pipeline.prototype.toJSON=function(){return this._stack.map((function(e){return I.Pipeline.warnIfFunctionNotRegistered(e),e.label}))},I.Vector=function(e){this._magnitude=0,this.elements=e||[]},I.Vector.prototype.positionForIndex=function(e){if(0==this.elements.length)return 0;for(var t=0,n=this.elements.length/2,r=n-t,a=Math.floor(r/2),o=this.elements[2*a];r>1&&(o<e&&(t=a),o>e&&(n=a),o!=e);)r=n-t,a=t+Math.floor(r/2),o=this.elements[2*a];return o==e||o>e?2*a:o<e?2*(a+1):void 0},I.Vector.prototype.insert=function(e,t){this.upsert(e,t,(function(){throw"duplicate index"}))},I.Vector.prototype.upsert=function(e,t,n){this._magnitude=0;var r=this.positionForIndex(e);this.elements[r]==e?this.elements[r+1]=n(this.elements[r+1],t):this.elements.splice(r,0,e,t)},I.Vector.prototype.magnitude=function(){if(this._magnitude)return this._magnitude;for(var e=0,t=this.elements.length,n=1;n<t;n+=2){var r=this.elements[n];e+=r*r}return this._magnitude=Math.sqrt(e)},I.Vector.prototype.dot=function(e){for(var t=0,n=this.elements,r=e.elements,a=n.length,o=r.length,i=0,s=0,l=0,c=0;l<a&&c<o;)(i=n[l])<(s=r[c])?l+=2:i>s?c+=2:i==s&&(t+=n[l+1]*r[c+1],l+=2,c+=2);return t},I.Vector.prototype.similarity=function(e){return this.dot(e)/this.magnitude()||0},I.Vector.prototype.toArray=function(){for(var e=new Array(this.elements.length/2),t=1,n=0;t<this.elements.length;t+=2,n++)e[n]=this.elements[t];return e},I.Vector.prototype.toJSON=function(){return this.elements},I.stemmer=(i={ational:"ate",tional:"tion",enci:"ence",anci:"ance",izer:"ize",bli:"ble",alli:"al",entli:"ent",eli:"e",ousli:"ous",ization:"ize",ation:"ate",ator:"ate",alism:"al",iveness:"ive",fulness:"ful",ousness:"ous",aliti:"al",iviti:"ive",biliti:"ble",logi:"log"},s={icate:"ic",ative:"",alize:"al",iciti:"ic",ical:"ic",ful:"",ness:""},d="^("+(c="[^aeiou][^aeiouy]*")+")?"+(u=(l="[aeiouy]")+"[aeiou]*")+c+"("+u+")?$",p="^("+c+")?"+u+c+u+c,f="^("+c+")?"+l,h=new RegExp("^("+c+")?"+u+c),m=new RegExp(p),g=new RegExp(d),y=new RegExp(f),b=/^(.+?)(ss|i)es$/,v=/^(.+?)([^s])s$/,w=/^(.+?)eed$/,k=/^(.+?)(ed|ing)$/,x=/.$/,S=/(at|bl|iz)$/,E=new RegExp("([^aeiouylsz])\\1$"),_=new RegExp("^"+c+l+"[^aeiouwxy]$"),C=/^(.+?[^aeiou])y$/,T=/^(.+?)(ational|tional|enci|anci|izer|bli|alli|entli|eli|ousli|ization|ation|ator|alism|iveness|fulness|ousness|aliti|iviti|biliti|logi)$/,j=/^(.+?)(icate|ative|alize|iciti|ical|ful|ness)$/,L=/^(.+?)(al|ance|ence|er|ic|able|ible|ant|ement|ment|ent|ou|ism|ate|iti|ous|ive|ize)$/,R=/^(.+?)(s|t)(ion)$/,N=/^(.+?)e$/,P=/ll$/,A=new RegExp("^"+c+l+"[^aeiouwxy]$"),O=function(e){var t,n,r,a,o,l,c;if(e.length<3)return e;if("y"==(r=e.substr(0,1))&&(e=r.toUpperCase()+e.substr(1)),o=v,(a=b).test(e)?e=e.replace(a,"$1$2"):o.test(e)&&(e=e.replace(o,"$1$2")),o=k,(a=w).test(e)){var u=a.exec(e);(a=h).test(u[1])&&(a=x,e=e.replace(a,""))}else o.test(e)&&(t=(u=o.exec(e))[1],(o=y).test(t)&&(l=E,c=_,(o=S).test(e=t)?e+="e":l.test(e)?(a=x,e=e.replace(a,"")):c.test(e)&&(e+="e")));return(a=C).test(e)&&(e=(t=(u=a.exec(e))[1])+"i"),(a=T).test(e)&&(t=(u=a.exec(e))[1],n=u[2],(a=h).test(t)&&(e=t+i[n])),(a=j).test(e)&&(t=(u=a.exec(e))[1],n=u[2],(a=h).test(t)&&(e=t+s[n])),o=R,(a=L).test(e)?(t=(u=a.exec(e))[1],(a=m).test(t)&&(e=t)):o.test(e)&&(t=(u=o.exec(e))[1]+u[2],(o=m).test(t)&&(e=t)),(a=N).test(e)&&(t=(u=a.exec(e))[1],o=g,l=A,((a=m).test(t)||o.test(t)&&!l.test(t))&&(e=t)),o=m,(a=P).test(e)&&o.test(e)&&(a=x,e=e.replace(a,"")),"y"==r&&(e=r.toLowerCase()+e.substr(1)),e},function(e){return e.update(O)}),I.Pipeline.registerFunction(I.stemmer,"stemmer"),I.generateStopWordFilter=function(e){var t=e.reduce((function(e,t){return e[t]=t,e}),{});return function(e){if(e&&t[e.toString()]!==e.toString())return e}},I.stopWordFilter=I.generateStopWordFilter(["a","able","about","across","after","all","almost","also","am","among","an","and","any","are","as","at","be","because","been","but","by","can","cannot","could","dear","did","do","does","either","else","ever","every","for","from","get","got","had","has","have","he","her","hers","him","his","how","however","i","if","in","into","is","it","its","just","least","let","like","likely","may","me","might","most","must","my","neither","no","nor","not","of","off","often","on","only","or","other","our","own","rather","said","say","says","she","should","since","so","some","than","that","the","their","them","then","there","these","they","this","tis","to","too","twas","us","wants","was","we","were","what","when","where","which","while","who","whom","why","will","with","would","yet","you","your"]),I.Pipeline.registerFunction(I.stopWordFilter,"stopWordFilter"),I.trimmer=function(e){return e.update((function(e){return e.replace(/^\W+/,"").replace(/\W+$/,"")}))},I.Pipeline.registerFunction(I.trimmer,"trimmer"),I.TokenSet=function(){this.final=!1,this.edges={},this.id=I.TokenSet._nextId,I.TokenSet._nextId+=1},I.TokenSet._nextId=1,I.TokenSet.fromArray=function(e){for(var t=new I.TokenSet.Builder,n=0,r=e.length;n<r;n++)t.insert(e[n]);return t.finish(),t.root},I.TokenSet.fromClause=function(e){return"editDistance"in e?I.TokenSet.fromFuzzyString(e.term,e.editDistance):I.TokenSet.fromString(e.term)},I.TokenSet.fromFuzzyString=function(e,t){for(var n=new I.TokenSet,r=[{node:n,editsRemaining:t,str:e}];r.length;){var a=r.pop();if(a.str.length>0){var o,i=a.str.charAt(0);i in a.node.edges?o=a.node.edges[i]:(o=new I.TokenSet,a.node.edges[i]=o),1==a.str.length&&(o.final=!0),r.push({node:o,editsRemaining:a.editsRemaining,str:a.str.slice(1)})}if(0!=a.editsRemaining){if("*"in a.node.edges)var s=a.node.edges["*"];else{s=new I.TokenSet;a.node.edges["*"]=s}if(0==a.str.length&&(s.final=!0),r.push({node:s,editsRemaining:a.editsRemaining-1,str:a.str}),a.str.length>1&&r.push({node:a.node,editsRemaining:a.editsRemaining-1,str:a.str.slice(1)}),1==a.str.length&&(a.node.final=!0),a.str.length>=1){if("*"in a.node.edges)var l=a.node.edges["*"];else{l=new I.TokenSet;a.node.edges["*"]=l}1==a.str.length&&(l.final=!0),r.push({node:l,editsRemaining:a.editsRemaining-1,str:a.str.slice(1)})}if(a.str.length>1){var c,u=a.str.charAt(0),d=a.str.charAt(1);d in a.node.edges?c=a.node.edges[d]:(c=new I.TokenSet,a.node.edges[d]=c),1==a.str.length&&(c.final=!0),r.push({node:c,editsRemaining:a.editsRemaining-1,str:u+a.str.slice(2)})}}}return n},I.TokenSet.fromString=function(e){for(var t=new I.TokenSet,n=t,r=0,a=e.length;r<a;r++){var o=e[r],i=r==a-1;if("*"==o)t.edges[o]=t,t.final=i;else{var s=new I.TokenSet;s.final=i,t.edges[o]=s,t=s}}return n},I.TokenSet.prototype.toArray=function(){for(var e=[],t=[{prefix:"",node:this}];t.length;){var n=t.pop(),r=Object.keys(n.node.edges),a=r.length;n.node.final&&(n.prefix.charAt(0),e.push(n.prefix));for(var o=0;o<a;o++){var i=r[o];t.push({prefix:n.prefix.concat(i),node:n.node.edges[i]})}}return e},I.TokenSet.prototype.toString=function(){if(this._str)return this._str;for(var e=this.final?"1":"0",t=Object.keys(this.edges).sort(),n=t.length,r=0;r<n;r++){var a=t[r];e=e+a+this.edges[a].id}return e},I.TokenSet.prototype.intersect=function(e){for(var t=new I.TokenSet,n=void 0,r=[{qNode:e,output:t,node:this}];r.length;){n=r.pop();for(var a=Object.keys(n.qNode.edges),o=a.length,i=Object.keys(n.node.edges),s=i.length,l=0;l<o;l++)for(var c=a[l],u=0;u<s;u++){var d=i[u];if(d==c||"*"==c){var p=n.node.edges[d],f=n.qNode.edges[c],h=p.final&&f.final,m=void 0;d in n.output.edges?(m=n.output.edges[d]).final=m.final||h:((m=new I.TokenSet).final=h,n.output.edges[d]=m),r.push({qNode:f,output:m,node:p})}}}return t},I.TokenSet.Builder=function(){this.previousWord="",this.root=new I.TokenSet,this.uncheckedNodes=[],this.minimizedNodes={}},I.TokenSet.Builder.prototype.insert=function(e){var t,n=0;if(e<this.previousWord)throw new Error("Out of order word insertion");for(var r=0;r<e.length&&r<this.previousWord.length&&e[r]==this.previousWord[r];r++)n++;this.minimize(n),t=0==this.uncheckedNodes.length?this.root:this.uncheckedNodes[this.uncheckedNodes.length-1].child;for(r=n;r<e.length;r++){var a=new I.TokenSet,o=e[r];t.edges[o]=a,this.uncheckedNodes.push({parent:t,char:o,child:a}),t=a}t.final=!0,this.previousWord=e},I.TokenSet.Builder.prototype.finish=function(){this.minimize(0)},I.TokenSet.Builder.prototype.minimize=function(e){for(var t=this.uncheckedNodes.length-1;t>=e;t--){var n=this.uncheckedNodes[t],r=n.child.toString();r in this.minimizedNodes?n.parent.edges[n.char]=this.minimizedNodes[r]:(n.child._str=r,this.minimizedNodes[r]=n.child),this.uncheckedNodes.pop()}},I.Index=function(e){this.invertedIndex=e.invertedIndex,this.fieldVectors=e.fieldVectors,this.tokenSet=e.tokenSet,this.fields=e.fields,this.pipeline=e.pipeline},I.Index.prototype.search=function(e){return this.query((function(t){new I.QueryParser(e,t).parse()}))},I.Index.prototype.query=function(e){for(var t=new I.Query(this.fields),n=Object.create(null),r=Object.create(null),a=Object.create(null),o=Object.create(null),i=Object.create(null),s=0;s<this.fields.length;s++)r[this.fields[s]]=new I.Vector;e.call(t,t);for(s=0;s<t.clauses.length;s++){var l=t.clauses[s],c=null,u=I.Set.empty;c=l.usePipeline?this.pipeline.runString(l.term,{fields:l.fields}):[l.term];for(var d=0;d<c.length;d++){var p=c[d];l.term=p;var f=I.TokenSet.fromClause(l),h=this.tokenSet.intersect(f).toArray();if(0===h.length&&l.presence===I.Query.presence.REQUIRED){for(var m=0;m<l.fields.length;m++){o[N=l.fields[m]]=I.Set.empty}break}for(var g=0;g<h.length;g++){var y=h[g],b=this.invertedIndex[y],v=b._index;for(m=0;m<l.fields.length;m++){var w=b[N=l.fields[m]],k=Object.keys(w),x=y+"/"+N,S=new I.Set(k);if(l.presence==I.Query.presence.REQUIRED&&(u=u.union(S),void 0===o[N]&&(o[N]=I.Set.complete)),l.presence!=I.Query.presence.PROHIBITED){if(r[N].upsert(v,l.boost,(function(e,t){return e+t})),!a[x]){for(var E=0;E<k.length;E++){var _,C=k[E],T=new I.FieldRef(C,N),j=w[C];void 0===(_=n[T])?n[T]=new I.MatchData(y,N,j):_.add(y,N,j)}a[x]=!0}}else void 0===i[N]&&(i[N]=I.Set.empty),i[N]=i[N].union(S)}}}if(l.presence===I.Query.presence.REQUIRED)for(m=0;m<l.fields.length;m++){o[N=l.fields[m]]=o[N].intersect(u)}}var L=I.Set.complete,R=I.Set.empty;for(s=0;s<this.fields.length;s++){var N;o[N=this.fields[s]]&&(L=L.intersect(o[N])),i[N]&&(R=R.union(i[N]))}var P=Object.keys(n),A=[],O=Object.create(null);if(t.isNegated()){P=Object.keys(this.fieldVectors);for(s=0;s<P.length;s++){T=P[s];var D=I.FieldRef.fromString(T);n[T]=new I.MatchData}}for(s=0;s<P.length;s++){var F=(D=I.FieldRef.fromString(P[s])).docRef;if(L.contains(F)&&!R.contains(F)){var M,z=this.fieldVectors[D],B=r[D.fieldName].similarity(z);if(void 0!==(M=O[F]))M.score+=B,M.matchData.combine(n[D]);else{var $={ref:F,score:B,matchData:n[D]};O[F]=$,A.push($)}}}return A.sort((function(e,t){return t.score-e.score}))},I.Index.prototype.toJSON=function(){var e=Object.keys(this.invertedIndex).sort().map((function(e){return[e,this.invertedIndex[e]]}),this),t=Object.keys(this.fieldVectors).map((function(e){return[e,this.fieldVectors[e].toJSON()]}),this);return{version:I.version,fields:this.fields,fieldVectors:t,invertedIndex:e,pipeline:this.pipeline.toJSON()}},I.Index.load=function(e){var t={},n={},r=e.fieldVectors,a=Object.create(null),o=e.invertedIndex,i=new I.TokenSet.Builder,s=I.Pipeline.load(e.pipeline);e.version!=I.version&&I.utils.warn("Version mismatch when loading serialised index. Current version of lunr '"+I.version+"' does not match serialized index '"+e.version+"'");for(var l=0;l<r.length;l++){var c=(d=r[l])[0],u=d[1];n[c]=new I.Vector(u)}for(l=0;l<o.length;l++){var d,p=(d=o[l])[0],f=d[1];i.insert(p),a[p]=f}return i.finish(),t.fields=e.fields,t.fieldVectors=n,t.invertedIndex=a,t.tokenSet=i.root,t.pipeline=s,new I.Index(t)},I.Builder=function(){this._ref="id",this._fields=Object.create(null),this._documents=Object.create(null),this.invertedIndex=Object.create(null),this.fieldTermFrequencies={},this.fieldLengths={},this.tokenizer=I.tokenizer,this.pipeline=new I.Pipeline,this.searchPipeline=new I.Pipeline,this.documentCount=0,this._b=.75,this._k1=1.2,this.termIndex=0,this.metadataWhitelist=[]},I.Builder.prototype.ref=function(e){this._ref=e},I.Builder.prototype.field=function(e,t){if(/\//.test(e))throw new RangeError("Field '"+e+"' contains illegal character '/'");this._fields[e]=t||{}},I.Builder.prototype.b=function(e){this._b=e<0?0:e>1?1:e},I.Builder.prototype.k1=function(e){this._k1=e},I.Builder.prototype.add=function(e,t){var n=e[this._ref],r=Object.keys(this._fields);this._documents[n]=t||{},this.documentCount+=1;for(var a=0;a<r.length;a++){var o=r[a],i=this._fields[o].extractor,s=i?i(e):e[o],l=this.tokenizer(s,{fields:[o]}),c=this.pipeline.run(l),u=new I.FieldRef(n,o),d=Object.create(null);this.fieldTermFrequencies[u]=d,this.fieldLengths[u]=0,this.fieldLengths[u]+=c.length;for(var p=0;p<c.length;p++){var f=c[p];if(null==d[f]&&(d[f]=0),d[f]+=1,null==this.invertedIndex[f]){var h=Object.create(null);h._index=this.termIndex,this.termIndex+=1;for(var m=0;m<r.length;m++)h[r[m]]=Object.create(null);this.invertedIndex[f]=h}null==this.invertedIndex[f][o][n]&&(this.invertedIndex[f][o][n]=Object.create(null));for(var g=0;g<this.metadataWhitelist.length;g++){var y=this.metadataWhitelist[g],b=f.metadata[y];null==this.invertedIndex[f][o][n][y]&&(this.invertedIndex[f][o][n][y]=[]),this.invertedIndex[f][o][n][y].push(b)}}}},I.Builder.prototype.calculateAverageFieldLengths=function(){for(var e=Object.keys(this.fieldLengths),t=e.length,n={},r={},a=0;a<t;a++){var o=I.FieldRef.fromString(e[a]),i=o.fieldName;r[i]||(r[i]=0),r[i]+=1,n[i]||(n[i]=0),n[i]+=this.fieldLengths[o]}var s=Object.keys(this._fields);for(a=0;a<s.length;a++){var l=s[a];n[l]=n[l]/r[l]}this.averageFieldLength=n},I.Builder.prototype.createFieldVectors=function(){for(var e={},t=Object.keys(this.fieldTermFrequencies),n=t.length,r=Object.create(null),a=0;a<n;a++){for(var o=I.FieldRef.fromString(t[a]),i=o.fieldName,s=this.fieldLengths[o],l=new I.Vector,c=this.fieldTermFrequencies[o],u=Object.keys(c),d=u.length,p=this._fields[i].boost||1,f=this._documents[o.docRef].boost||1,h=0;h<d;h++){var m,g,y,b=u[h],v=c[b],w=this.invertedIndex[b]._index;void 0===r[b]?(m=I.idf(this.invertedIndex[b],this.documentCount),r[b]=m):m=r[b],g=m*((this._k1+1)*v)/(this._k1*(1-this._b+this._b*(s/this.averageFieldLength[i]))+v),g*=p,g*=f,y=Math.round(1e3*g)/1e3,l.insert(w,y)}e[o]=l}this.fieldVectors=e},I.Builder.prototype.createTokenSet=function(){this.tokenSet=I.TokenSet.fromArray(Object.keys(this.invertedIndex).sort())},I.Builder.prototype.build=function(){return this.calculateAverageFieldLengths(),this.createFieldVectors(),this.createTokenSet(),new I.Index({invertedIndex:this.invertedIndex,fieldVectors:this.fieldVectors,tokenSet:this.tokenSet,fields:Object.keys(this._fields),pipeline:this.searchPipeline})},I.Builder.prototype.use=function(e){var t=Array.prototype.slice.call(arguments,1);t.unshift(this),e.apply(this,t)},I.MatchData=function(e,t,n){for(var r=Object.create(null),a=Object.keys(n||{}),o=0;o<a.length;o++){var i=a[o];r[i]=n[i].slice()}this.metadata=Object.create(null),void 0!==e&&(this.metadata[e]=Object.create(null),this.metadata[e][t]=r)},I.MatchData.prototype.combine=function(e){for(var t=Object.keys(e.metadata),n=0;n<t.length;n++){var r=t[n],a=Object.keys(e.metadata[r]);null==this.metadata[r]&&(this.metadata[r]=Object.create(null));for(var o=0;o<a.length;o++){var i=a[o],s=Object.keys(e.metadata[r][i]);null==this.metadata[r][i]&&(this.metadata[r][i]=Object.create(null));for(var l=0;l<s.length;l++){var c=s[l];null==this.metadata[r][i][c]?this.metadata[r][i][c]=e.metadata[r][i][c]:this.metadata[r][i][c]=this.metadata[r][i][c].concat(e.metadata[r][i][c])}}}},I.MatchData.prototype.add=function(e,t,n){if(!(e in this.metadata))return this.metadata[e]=Object.create(null),void(this.metadata[e][t]=n);if(t in this.metadata[e])for(var r=Object.keys(n),a=0;a<r.length;a++){var o=r[a];o in this.metadata[e][t]?this.metadata[e][t][o]=this.metadata[e][t][o].concat(n[o]):this.metadata[e][t][o]=n[o]}else this.metadata[e][t]=n},I.Query=function(e){this.clauses=[],this.allFields=e},I.Query.wildcard=new String("*"),I.Query.wildcard.NONE=0,I.Query.wildcard.LEADING=1,I.Query.wildcard.TRAILING=2,I.Query.presence={OPTIONAL:1,REQUIRED:2,PROHIBITED:3},I.Query.prototype.clause=function(e){return"fields"in e||(e.fields=this.allFields),"boost"in e||(e.boost=1),"usePipeline"in e||(e.usePipeline=!0),"wildcard"in e||(e.wildcard=I.Query.wildcard.NONE),e.wildcard&I.Query.wildcard.LEADING&&e.term.charAt(0)!=I.Query.wildcard&&(e.term="*"+e.term),e.wildcard&I.Query.wildcard.TRAILING&&e.term.slice(-1)!=I.Query.wildcard&&(e.term=e.term+"*"),"presence"in e||(e.presence=I.Query.presence.OPTIONAL),this.clauses.push(e),this},I.Query.prototype.isNegated=function(){for(var e=0;e<this.clauses.length;e++)if(this.clauses[e].presence!=I.Query.presence.PROHIBITED)return!1;return!0},I.Query.prototype.term=function(e,t){if(Array.isArray(e))return e.forEach((function(e){this.term(e,I.utils.clone(t))}),this),this;var n=t||{};return n.term=e.toString(),this.clause(n),this},I.QueryParseError=function(e,t,n){this.name="QueryParseError",this.message=e,this.start=t,this.end=n},I.QueryParseError.prototype=new Error,I.QueryLexer=function(e){this.lexemes=[],this.str=e,this.length=e.length,this.pos=0,this.start=0,this.escapeCharPositions=[]},I.QueryLexer.prototype.run=function(){for(var e=I.QueryLexer.lexText;e;)e=e(this)},I.QueryLexer.prototype.sliceString=function(){for(var e=[],t=this.start,n=this.pos,r=0;r<this.escapeCharPositions.length;r++)n=this.escapeCharPositions[r],e.push(this.str.slice(t,n)),t=n+1;return e.push(this.str.slice(t,this.pos)),this.escapeCharPositions.length=0,e.join("")},I.QueryLexer.prototype.emit=function(e){this.lexemes.push({type:e,str:this.sliceString(),start:this.start,end:this.pos}),this.start=this.pos},I.QueryLexer.prototype.escapeCharacter=function(){this.escapeCharPositions.push(this.pos-1),this.pos+=1},I.QueryLexer.prototype.next=function(){if(this.pos>=this.length)return I.QueryLexer.EOS;var e=this.str.charAt(this.pos);return this.pos+=1,e},I.QueryLexer.prototype.width=function(){return this.pos-this.start},I.QueryLexer.prototype.ignore=function(){this.start==this.pos&&(this.pos+=1),this.start=this.pos},I.QueryLexer.prototype.backup=function(){this.pos-=1},I.QueryLexer.prototype.acceptDigitRun=function(){var e,t;do{t=(e=this.next()).charCodeAt(0)}while(t>47&&t<58);e!=I.QueryLexer.EOS&&this.backup()},I.QueryLexer.prototype.more=function(){return this.pos<this.length},I.QueryLexer.EOS="EOS",I.QueryLexer.FIELD="FIELD",I.QueryLexer.TERM="TERM",I.QueryLexer.EDIT_DISTANCE="EDIT_DISTANCE",I.QueryLexer.BOOST="BOOST",I.QueryLexer.PRESENCE="PRESENCE",I.QueryLexer.lexField=function(e){return e.backup(),e.emit(I.QueryLexer.FIELD),e.ignore(),I.QueryLexer.lexText},I.QueryLexer.lexTerm=function(e){if(e.width()>1&&(e.backup(),e.emit(I.QueryLexer.TERM)),e.ignore(),e.more())return I.QueryLexer.lexText},I.QueryLexer.lexEditDistance=function(e){return e.ignore(),e.acceptDigitRun(),e.emit(I.QueryLexer.EDIT_DISTANCE),I.QueryLexer.lexText},I.QueryLexer.lexBoost=function(e){return e.ignore(),e.acceptDigitRun(),e.emit(I.QueryLexer.BOOST),I.QueryLexer.lexText},I.QueryLexer.lexEOS=function(e){e.width()>0&&e.emit(I.QueryLexer.TERM)},I.QueryLexer.termSeparator=I.tokenizer.separator,I.QueryLexer.lexText=function(e){for(;;){var t=e.next();if(t==I.QueryLexer.EOS)return I.QueryLexer.lexEOS;if(92!=t.charCodeAt(0)){if(":"==t)return I.QueryLexer.lexField;if("~"==t)return e.backup(),e.width()>0&&e.emit(I.QueryLexer.TERM),I.QueryLexer.lexEditDistance;if("^"==t)return e.backup(),e.width()>0&&e.emit(I.QueryLexer.TERM),I.QueryLexer.lexBoost;if("+"==t&&1===e.width())return e.emit(I.QueryLexer.PRESENCE),I.QueryLexer.lexText;if("-"==t&&1===e.width())return e.emit(I.QueryLexer.PRESENCE),I.QueryLexer.lexText;if(t.match(I.QueryLexer.termSeparator))return I.QueryLexer.lexTerm}else e.escapeCharacter()}},I.QueryParser=function(e,t){this.lexer=new I.QueryLexer(e),this.query=t,this.currentClause={},this.lexemeIdx=0},I.QueryParser.prototype.parse=function(){this.lexer.run(),this.lexemes=this.lexer.lexemes;for(var e=I.QueryParser.parseClause;e;)e=e(this);return this.query},I.QueryParser.prototype.peekLexeme=function(){return this.lexemes[this.lexemeIdx]},I.QueryParser.prototype.consumeLexeme=function(){var e=this.peekLexeme();return this.lexemeIdx+=1,e},I.QueryParser.prototype.nextClause=function(){var e=this.currentClause;this.query.clause(e),this.currentClause={}},I.QueryParser.parseClause=function(e){var t=e.peekLexeme();if(null!=t)switch(t.type){case I.QueryLexer.PRESENCE:return I.QueryParser.parsePresence;case I.QueryLexer.FIELD:return I.QueryParser.parseField;case I.QueryLexer.TERM:return I.QueryParser.parseTerm;default:var n="expected either a field or a term, found "+t.type;throw t.str.length>=1&&(n+=" with value '"+t.str+"'"),new I.QueryParseError(n,t.start,t.end)}},I.QueryParser.parsePresence=function(e){var t=e.consumeLexeme();if(null!=t){switch(t.str){case"-":e.currentClause.presence=I.Query.presence.PROHIBITED;break;case"+":e.currentClause.presence=I.Query.presence.REQUIRED;break;default:var n="unrecognised presence operator'"+t.str+"'";throw new I.QueryParseError(n,t.start,t.end)}var r=e.peekLexeme();if(null==r){n="expecting term or field, found nothing";throw new I.QueryParseError(n,t.start,t.end)}switch(r.type){case I.QueryLexer.FIELD:return I.QueryParser.parseField;case I.QueryLexer.TERM:return I.QueryParser.parseTerm;default:n="expecting term or field, found '"+r.type+"'";throw new I.QueryParseError(n,r.start,r.end)}}},I.QueryParser.parseField=function(e){var t=e.consumeLexeme();if(null!=t){if(-1==e.query.allFields.indexOf(t.str)){var n=e.query.allFields.map((function(e){return"'"+e+"'"})).join(", "),r="unrecognised field '"+t.str+"', possible fields: "+n;throw new I.QueryParseError(r,t.start,t.end)}e.currentClause.fields=[t.str];var a=e.peekLexeme();if(null==a){r="expecting term, found nothing";throw new I.QueryParseError(r,t.start,t.end)}if(a.type===I.QueryLexer.TERM)return I.QueryParser.parseTerm;r="expecting term, found '"+a.type+"'";throw new I.QueryParseError(r,a.start,a.end)}},I.QueryParser.parseTerm=function(e){var t=e.consumeLexeme();if(null!=t){e.currentClause.term=t.str.toLowerCase(),-1!=t.str.indexOf("*")&&(e.currentClause.usePipeline=!1);var n=e.peekLexeme();if(null!=n)switch(n.type){case I.QueryLexer.TERM:return e.nextClause(),I.QueryParser.parseTerm;case I.QueryLexer.FIELD:return e.nextClause(),I.QueryParser.parseField;case I.QueryLexer.EDIT_DISTANCE:return I.QueryParser.parseEditDistance;case I.QueryLexer.BOOST:return I.QueryParser.parseBoost;case I.QueryLexer.PRESENCE:return e.nextClause(),I.QueryParser.parsePresence;default:var r="Unexpected lexeme type '"+n.type+"'";throw new I.QueryParseError(r,n.start,n.end)}else e.nextClause()}},I.QueryParser.parseEditDistance=function(e){var t=e.consumeLexeme();if(null!=t){var n=parseInt(t.str,10);if(isNaN(n)){var r="edit distance must be numeric";throw new I.QueryParseError(r,t.start,t.end)}e.currentClause.editDistance=n;var a=e.peekLexeme();if(null!=a)switch(a.type){case I.QueryLexer.TERM:return e.nextClause(),I.QueryParser.parseTerm;case I.QueryLexer.FIELD:return e.nextClause(),I.QueryParser.parseField;case I.QueryLexer.EDIT_DISTANCE:return I.QueryParser.parseEditDistance;case I.QueryLexer.BOOST:return I.QueryParser.parseBoost;case I.QueryLexer.PRESENCE:return e.nextClause(),I.QueryParser.parsePresence;default:r="Unexpected lexeme type '"+a.type+"'";throw new I.QueryParseError(r,a.start,a.end)}else e.nextClause()}},I.QueryParser.parseBoost=function(e){var t=e.consumeLexeme();if(null!=t){var n=parseInt(t.str,10);if(isNaN(n)){var r="boost must be numeric";throw new I.QueryParseError(r,t.start,t.end)}e.currentClause.boost=n;var a=e.peekLexeme();if(null!=a)switch(a.type){case I.QueryLexer.TERM:return e.nextClause(),I.QueryParser.parseTerm;case I.QueryLexer.FIELD:return e.nextClause(),I.QueryParser.parseField;case I.QueryLexer.EDIT_DISTANCE:return I.QueryParser.parseEditDistance;case I.QueryLexer.BOOST:return I.QueryParser.parseBoost;case I.QueryLexer.PRESENCE:return e.nextClause(),I.QueryParser.parsePresence;default:r="Unexpected lexeme type '"+a.type+"'";throw new I.QueryParseError(r,a.start,a.end)}else e.nextClause()}},void 0===(a="function"==typeof(r=function(){return I})?r.call(t,n,t,e):r)||(e.exports=a)}()},813:function(e){e.exports=function(){"use strict";var e="function"==typeof Symbol&&"symbol"==typeof Symbol.iterator?function(e){return typeof e}:function(e){return e&&"function"==typeof Symbol&&e.constructor===Symbol&&e!==Symbol.prototype?"symbol":typeof e},t=function(e,t){if(!(e instanceof t))throw new TypeError("Cannot call a class as a function")},n=function(){function e(e,t){for(var n=0;n<t.length;n++){var r=t[n];r.enumerable=r.enumerable||!1,r.configurable=!0,"value"in r&&(r.writable=!0),Object.defineProperty(e,r.key,r)}}return function(t,n,r){return n&&e(t.prototype,n),r&&e(t,r),t}}(),r=Object.assign||function(e){for(var t=1;t<arguments.length;t++){var n=arguments[t];for(var r in n)Object.prototype.hasOwnProperty.call(n,r)&&(e[r]=n[r])}return e},a=function(){function e(n){var r=!(arguments.length>1&&void 0!==arguments[1])||arguments[1],a=arguments.length>2&&void 0!==arguments[2]?arguments[2]:[],o=arguments.length>3&&void 0!==arguments[3]?arguments[3]:5e3;t(this,e),this.ctx=n,this.iframes=r,this.exclude=a,this.iframesTimeout=o}return n(e,[{key:"getContexts",value:function(){var e=[];return(void 0!==this.ctx&&this.ctx?NodeList.prototype.isPrototypeOf(this.ctx)?Array.prototype.slice.call(this.ctx):Array.isArray(this.ctx)?this.ctx:"string"==typeof this.ctx?Array.prototype.slice.call(document.querySelectorAll(this.ctx)):[this.ctx]:[]).forEach((function(t){var n=e.filter((function(e){return e.contains(t)})).length>0;-1!==e.indexOf(t)||n||e.push(t)})),e}},{key:"getIframeContents",value:function(e,t){var n=arguments.length>2&&void 0!==arguments[2]?arguments[2]:function(){},r=void 0;try{var a=e.contentWindow;if(r=a.document,!a||!r)throw new Error("iframe inaccessible")}catch(o){n()}r&&t(r)}},{key:"isIframeBlank",value:function(e){var t="about:blank",n=e.getAttribute("src").trim();return e.contentWindow.location.href===t&&n!==t&&n}},{key:"observeIframeLoad",value:function(e,t,n){var r=this,a=!1,o=null,i=function i(){if(!a){a=!0,clearTimeout(o);try{r.isIframeBlank(e)||(e.removeEventListener("load",i),r.getIframeContents(e,t,n))}catch(s){n()}}};e.addEventListener("load",i),o=setTimeout(i,this.iframesTimeout)}},{key:"onIframeReady",value:function(e,t,n){try{"complete"===e.contentWindow.document.readyState?this.isIframeBlank(e)?this.observeIframeLoad(e,t,n):this.getIframeContents(e,t,n):this.observeIframeLoad(e,t,n)}catch(r){n()}}},{key:"waitForIframes",value:function(e,t){var n=this,r=0;this.forEachIframe(e,(function(){return!0}),(function(e){r++,n.waitForIframes(e.querySelector("html"),(function(){--r||t()}))}),(function(e){e||t()}))}},{key:"forEachIframe",value:function(t,n,r){var a=this,o=arguments.length>3&&void 0!==arguments[3]?arguments[3]:function(){},i=t.querySelectorAll("iframe"),s=i.length,l=0;i=Array.prototype.slice.call(i);var c=function(){--s<=0&&o(l)};s||c(),i.forEach((function(t){e.matches(t,a.exclude)?c():a.onIframeReady(t,(function(e){n(t)&&(l++,r(e)),c()}),c)}))}},{key:"createIterator",value:function(e,t,n){return document.createNodeIterator(e,t,n,!1)}},{key:"createInstanceOnIframe",value:function(t){return new e(t.querySelector("html"),this.iframes)}},{key:"compareNodeIframe",value:function(e,t,n){if(e.compareDocumentPosition(n)&Node.DOCUMENT_POSITION_PRECEDING){if(null===t)return!0;if(t.compareDocumentPosition(n)&Node.DOCUMENT_POSITION_FOLLOWING)return!0}return!1}},{key:"getIteratorNode",value:function(e){var t=e.previousNode();return{prevNode:t,node:(null===t||e.nextNode())&&e.nextNode()}}},{key:"checkIframeFilter",value:function(e,t,n,r){var a=!1,o=!1;return r.forEach((function(e,t){e.val===n&&(a=t,o=e.handled)})),this.compareNodeIframe(e,t,n)?(!1!==a||o?!1===a||o||(r[a].handled=!0):r.push({val:n,handled:!0}),!0):(!1===a&&r.push({val:n,handled:!1}),!1)}},{key:"handleOpenIframes",value:function(e,t,n,r){var a=this;e.forEach((function(e){e.handled||a.getIframeContents(e.val,(function(e){a.createInstanceOnIframe(e).forEachNode(t,n,r)}))}))}},{key:"iterateThroughNodes",value:function(e,t,n,r,a){for(var o=this,i=this.createIterator(t,e,r),s=[],l=[],c=void 0,u=void 0,d=function(){var e=o.getIteratorNode(i);return u=e.prevNode,c=e.node};d();)this.iframes&&this.forEachIframe(t,(function(e){return o.checkIframeFilter(c,u,e,s)}),(function(t){o.createInstanceOnIframe(t).forEachNode(e,(function(e){return l.push(e)}),r)})),l.push(c);l.forEach((function(e){n(e)})),this.iframes&&this.handleOpenIframes(s,e,n,r),a()}},{key:"forEachNode",value:function(e,t,n){var r=this,a=arguments.length>3&&void 0!==arguments[3]?arguments[3]:function(){},o=this.getContexts(),i=o.length;i||a(),o.forEach((function(o){var s=function(){r.iterateThroughNodes(e,o,t,n,(function(){--i<=0&&a()}))};r.iframes?r.waitForIframes(o,s):s()}))}}],[{key:"matches",value:function(e,t){var n="string"==typeof t?[t]:t,r=e.matches||e.matchesSelector||e.msMatchesSelector||e.mozMatchesSelector||e.oMatchesSelector||e.webkitMatchesSelector;if(r){var a=!1;return n.every((function(t){return!r.call(e,t)||(a=!0,!1)})),a}return!1}}]),e}(),o=function(){function o(e){t(this,o),this.ctx=e,this.ie=!1;var n=window.navigator.userAgent;(n.indexOf("MSIE")>-1||n.indexOf("Trident")>-1)&&(this.ie=!0)}return n(o,[{key:"log",value:function(t){var n=arguments.length>1&&void 0!==arguments[1]?arguments[1]:"debug",r=this.opt.log;this.opt.debug&&"object"===(void 0===r?"undefined":e(r))&&"function"==typeof r[n]&&r[n]("mark.js: "+t)}},{key:"escapeStr",value:function(e){return e.replace(/[\-\[\]\/\{\}\(\)\*\+\?\.\\\^\$\|]/g,"\\$&")}},{key:"createRegExp",value:function(e){return"disabled"!==this.opt.wildcards&&(e=this.setupWildcardsRegExp(e)),e=this.escapeStr(e),Object.keys(this.opt.synonyms).length&&(e=this.createSynonymsRegExp(e)),(this.opt.ignoreJoiners||this.opt.ignorePunctuation.length)&&(e=this.setupIgnoreJoinersRegExp(e)),this.opt.diacritics&&(e=this.createDiacriticsRegExp(e)),e=this.createMergedBlanksRegExp(e),(this.opt.ignoreJoiners||this.opt.ignorePunctuation.length)&&(e=this.createJoinersRegExp(e)),"disabled"!==this.opt.wildcards&&(e=this.createWildcardsRegExp(e)),e=this.createAccuracyRegExp(e)}},{key:"createSynonymsRegExp",value:function(e){var t=this.opt.synonyms,n=this.opt.caseSensitive?"":"i",r=this.opt.ignoreJoiners||this.opt.ignorePunctuation.length?"\0":"";for(var a in t)if(t.hasOwnProperty(a)){var o=t[a],i="disabled"!==this.opt.wildcards?this.setupWildcardsRegExp(a):this.escapeStr(a),s="disabled"!==this.opt.wildcards?this.setupWildcardsRegExp(o):this.escapeStr(o);""!==i&&""!==s&&(e=e.replace(new RegExp("("+this.escapeStr(i)+"|"+this.escapeStr(s)+")","gm"+n),r+"("+this.processSynomyms(i)+"|"+this.processSynomyms(s)+")"+r))}return e}},{key:"processSynomyms",value:function(e){return(this.opt.ignoreJoiners||this.opt.ignorePunctuation.length)&&(e=this.setupIgnoreJoinersRegExp(e)),e}},{key:"setupWildcardsRegExp",value:function(e){return(e=e.replace(/(?:\\)*\?/g,(function(e){return"\\"===e.charAt(0)?"?":"\x01"}))).replace(/(?:\\)*\*/g,(function(e){return"\\"===e.charAt(0)?"*":"\x02"}))}},{key:"createWildcardsRegExp",value:function(e){var t="withSpaces"===this.opt.wildcards;return e.replace(/\u0001/g,t?"[\\S\\s]?":"\\S?").replace(/\u0002/g,t?"[\\S\\s]*?":"\\S*")}},{key:"setupIgnoreJoinersRegExp",value:function(e){return e.replace(/[^(|)\\]/g,(function(e,t,n){var r=n.charAt(t+1);return/[(|)\\]/.test(r)||""===r?e:e+"\0"}))}},{key:"createJoinersRegExp",value:function(e){var t=[],n=this.opt.ignorePunctuation;return Array.isArray(n)&&n.length&&t.push(this.escapeStr(n.join(""))),this.opt.ignoreJoiners&&t.push("\\u00ad\\u200b\\u200c\\u200d"),t.length?e.split(/\u0000+/).join("["+t.join("")+"]*"):e}},{key:"createDiacriticsRegExp",value:function(e){var t=this.opt.caseSensitive?"":"i",n=this.opt.caseSensitive?["a\xe0\xe1\u1ea3\xe3\u1ea1\u0103\u1eb1\u1eaf\u1eb3\u1eb5\u1eb7\xe2\u1ea7\u1ea5\u1ea9\u1eab\u1ead\xe4\xe5\u0101\u0105","A\xc0\xc1\u1ea2\xc3\u1ea0\u0102\u1eb0\u1eae\u1eb2\u1eb4\u1eb6\xc2\u1ea6\u1ea4\u1ea8\u1eaa\u1eac\xc4\xc5\u0100\u0104","c\xe7\u0107\u010d","C\xc7\u0106\u010c","d\u0111\u010f","D\u0110\u010e","e\xe8\xe9\u1ebb\u1ebd\u1eb9\xea\u1ec1\u1ebf\u1ec3\u1ec5\u1ec7\xeb\u011b\u0113\u0119","E\xc8\xc9\u1eba\u1ebc\u1eb8\xca\u1ec0\u1ebe\u1ec2\u1ec4\u1ec6\xcb\u011a\u0112\u0118","i\xec\xed\u1ec9\u0129\u1ecb\xee\xef\u012b","I\xcc\xcd\u1ec8\u0128\u1eca\xce\xcf\u012a","l\u0142","L\u0141","n\xf1\u0148\u0144","N\xd1\u0147\u0143","o\xf2\xf3\u1ecf\xf5\u1ecd\xf4\u1ed3\u1ed1\u1ed5\u1ed7\u1ed9\u01a1\u1edf\u1ee1\u1edb\u1edd\u1ee3\xf6\xf8\u014d","O\xd2\xd3\u1ece\xd5\u1ecc\xd4\u1ed2\u1ed0\u1ed4\u1ed6\u1ed8\u01a0\u1ede\u1ee0\u1eda\u1edc\u1ee2\xd6\xd8\u014c","r\u0159","R\u0158","s\u0161\u015b\u0219\u015f","S\u0160\u015a\u0218\u015e","t\u0165\u021b\u0163","T\u0164\u021a\u0162","u\xf9\xfa\u1ee7\u0169\u1ee5\u01b0\u1eeb\u1ee9\u1eed\u1eef\u1ef1\xfb\xfc\u016f\u016b","U\xd9\xda\u1ee6\u0168\u1ee4\u01af\u1eea\u1ee8\u1eec\u1eee\u1ef0\xdb\xdc\u016e\u016a","y\xfd\u1ef3\u1ef7\u1ef9\u1ef5\xff","Y\xdd\u1ef2\u1ef6\u1ef8\u1ef4\u0178","z\u017e\u017c\u017a","Z\u017d\u017b\u0179"]:["a\xe0\xe1\u1ea3\xe3\u1ea1\u0103\u1eb1\u1eaf\u1eb3\u1eb5\u1eb7\xe2\u1ea7\u1ea5\u1ea9\u1eab\u1ead\xe4\xe5\u0101\u0105A\xc0\xc1\u1ea2\xc3\u1ea0\u0102\u1eb0\u1eae\u1eb2\u1eb4\u1eb6\xc2\u1ea6\u1ea4\u1ea8\u1eaa\u1eac\xc4\xc5\u0100\u0104","c\xe7\u0107\u010dC\xc7\u0106\u010c","d\u0111\u010fD\u0110\u010e","e\xe8\xe9\u1ebb\u1ebd\u1eb9\xea\u1ec1\u1ebf\u1ec3\u1ec5\u1ec7\xeb\u011b\u0113\u0119E\xc8\xc9\u1eba\u1ebc\u1eb8\xca\u1ec0\u1ebe\u1ec2\u1ec4\u1ec6\xcb\u011a\u0112\u0118","i\xec\xed\u1ec9\u0129\u1ecb\xee\xef\u012bI\xcc\xcd\u1ec8\u0128\u1eca\xce\xcf\u012a","l\u0142L\u0141","n\xf1\u0148\u0144N\xd1\u0147\u0143","o\xf2\xf3\u1ecf\xf5\u1ecd\xf4\u1ed3\u1ed1\u1ed5\u1ed7\u1ed9\u01a1\u1edf\u1ee1\u1edb\u1edd\u1ee3\xf6\xf8\u014dO\xd2\xd3\u1ece\xd5\u1ecc\xd4\u1ed2\u1ed0\u1ed4\u1ed6\u1ed8\u01a0\u1ede\u1ee0\u1eda\u1edc\u1ee2\xd6\xd8\u014c","r\u0159R\u0158","s\u0161\u015b\u0219\u015fS\u0160\u015a\u0218\u015e","t\u0165\u021b\u0163T\u0164\u021a\u0162","u\xf9\xfa\u1ee7\u0169\u1ee5\u01b0\u1eeb\u1ee9\u1eed\u1eef\u1ef1\xfb\xfc\u016f\u016bU\xd9\xda\u1ee6\u0168\u1ee4\u01af\u1eea\u1ee8\u1eec\u1eee\u1ef0\xdb\xdc\u016e\u016a","y\xfd\u1ef3\u1ef7\u1ef9\u1ef5\xffY\xdd\u1ef2\u1ef6\u1ef8\u1ef4\u0178","z\u017e\u017c\u017aZ\u017d\u017b\u0179"],r=[];return e.split("").forEach((function(a){n.every((function(n){if(-1!==n.indexOf(a)){if(r.indexOf(n)>-1)return!1;e=e.replace(new RegExp("["+n+"]","gm"+t),"["+n+"]"),r.push(n)}return!0}))})),e}},{key:"createMergedBlanksRegExp",value:function(e){return e.replace(/[\s]+/gim,"[\\s]+")}},{key:"createAccuracyRegExp",value:function(e){var t=this,n="!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~\xa1\xbf",r=this.opt.accuracy,a="string"==typeof r?r:r.value,o="string"==typeof r?[]:r.limiters,i="";switch(o.forEach((function(e){i+="|"+t.escapeStr(e)})),a){case"partially":default:return"()("+e+")";case"complementary":return"()([^"+(i="\\s"+(i||this.escapeStr(n)))+"]*"+e+"[^"+i+"]*)";case"exactly":return"(^|\\s"+i+")("+e+")(?=$|\\s"+i+")"}}},{key:"getSeparatedKeywords",value:function(e){var t=this,n=[];return e.forEach((function(e){t.opt.separateWordSearch?e.split(" ").forEach((function(e){e.trim()&&-1===n.indexOf(e)&&n.push(e)})):e.trim()&&-1===n.indexOf(e)&&n.push(e)})),{keywords:n.sort((function(e,t){return t.length-e.length})),length:n.length}}},{key:"isNumeric",value:function(e){return Number(parseFloat(e))==e}},{key:"checkRanges",value:function(e){var t=this;if(!Array.isArray(e)||"[object Object]"!==Object.prototype.toString.call(e[0]))return this.log("markRanges() will only accept an array of objects"),this.opt.noMatch(e),[];var n=[],r=0;return e.sort((function(e,t){return e.start-t.start})).forEach((function(e){var a=t.callNoMatchOnInvalidRanges(e,r),o=a.start,i=a.end;a.valid&&(e.start=o,e.length=i-o,n.push(e),r=i)})),n}},{key:"callNoMatchOnInvalidRanges",value:function(e,t){var n=void 0,r=void 0,a=!1;return e&&void 0!==e.start?(r=(n=parseInt(e.start,10))+parseInt(e.length,10),this.isNumeric(e.start)&&this.isNumeric(e.length)&&r-t>0&&r-n>0?a=!0:(this.log("Ignoring invalid or overlapping range: "+JSON.stringify(e)),this.opt.noMatch(e))):(this.log("Ignoring invalid range: "+JSON.stringify(e)),this.opt.noMatch(e)),{start:n,end:r,valid:a}}},{key:"checkWhitespaceRanges",value:function(e,t,n){var r=void 0,a=!0,o=n.length,i=t-o,s=parseInt(e.start,10)-i;return(r=(s=s>o?o:s)+parseInt(e.length,10))>o&&(r=o,this.log("End range automatically set to the max value of "+o)),s<0||r-s<0||s>o||r>o?(a=!1,this.log("Invalid range: "+JSON.stringify(e)),this.opt.noMatch(e)):""===n.substring(s,r).replace(/\s+/g,"")&&(a=!1,this.log("Skipping whitespace only range: "+JSON.stringify(e)),this.opt.noMatch(e)),{start:s,end:r,valid:a}}},{key:"getTextNodes",value:function(e){var t=this,n="",r=[];this.iterator.forEachNode(NodeFilter.SHOW_TEXT,(function(e){r.push({start:n.length,end:(n+=e.textContent).length,node:e})}),(function(e){return t.matchesExclude(e.parentNode)?NodeFilter.FILTER_REJECT:NodeFilter.FILTER_ACCEPT}),(function(){e({value:n,nodes:r})}))}},{key:"matchesExclude",value:function(e){return a.matches(e,this.opt.exclude.concat(["script","style","title","head","html"]))}},{key:"wrapRangeInTextNode",value:function(e,t,n){var r=this.opt.element?this.opt.element:"mark",a=e.splitText(t),o=a.splitText(n-t),i=document.createElement(r);return i.setAttribute("data-markjs","true"),this.opt.className&&i.setAttribute("class",this.opt.className),i.textContent=a.textContent,a.parentNode.replaceChild(i,a),o}},{key:"wrapRangeInMappedTextNode",value:function(e,t,n,r,a){var o=this;e.nodes.every((function(i,s){var l=e.nodes[s+1];if(void 0===l||l.start>t){if(!r(i.node))return!1;var c=t-i.start,u=(n>i.end?i.end:n)-i.start,d=e.value.substr(0,i.start),p=e.value.substr(u+i.start);if(i.node=o.wrapRangeInTextNode(i.node,c,u),e.value=d+p,e.nodes.forEach((function(t,n){n>=s&&(e.nodes[n].start>0&&n!==s&&(e.nodes[n].start-=u),e.nodes[n].end-=u)})),n-=u,a(i.node.previousSibling,i.start),!(n>i.end))return!1;t=i.end}return!0}))}},{key:"wrapMatches",value:function(e,t,n,r,a){var o=this,i=0===t?0:t+1;this.getTextNodes((function(t){t.nodes.forEach((function(t){t=t.node;for(var a=void 0;null!==(a=e.exec(t.textContent))&&""!==a[i];)if(n(a[i],t)){var s=a.index;if(0!==i)for(var l=1;l<i;l++)s+=a[l].length;t=o.wrapRangeInTextNode(t,s,s+a[i].length),r(t.previousSibling),e.lastIndex=0}})),a()}))}},{key:"wrapMatchesAcrossElements",value:function(e,t,n,r,a){var o=this,i=0===t?0:t+1;this.getTextNodes((function(t){for(var s=void 0;null!==(s=e.exec(t.value))&&""!==s[i];){var l=s.index;if(0!==i)for(var c=1;c<i;c++)l+=s[c].length;var u=l+s[i].length;o.wrapRangeInMappedTextNode(t,l,u,(function(e){return n(s[i],e)}),(function(t,n){e.lastIndex=n,r(t)}))}a()}))}},{key:"wrapRangeFromIndex",value:function(e,t,n,r){var a=this;this.getTextNodes((function(o){var i=o.value.length;e.forEach((function(e,r){var s=a.checkWhitespaceRanges(e,i,o.value),l=s.start,c=s.end;s.valid&&a.wrapRangeInMappedTextNode(o,l,c,(function(n){return t(n,e,o.value.substring(l,c),r)}),(function(t){n(t,e)}))})),r()}))}},{key:"unwrapMatches",value:function(e){for(var t=e.parentNode,n=document.createDocumentFragment();e.firstChild;)n.appendChild(e.removeChild(e.firstChild));t.replaceChild(n,e),this.ie?this.normalizeTextNode(t):t.normalize()}},{key:"normalizeTextNode",value:function(e){if(e){if(3===e.nodeType)for(;e.nextSibling&&3===e.nextSibling.nodeType;)e.nodeValue+=e.nextSibling.nodeValue,e.parentNode.removeChild(e.nextSibling);else this.normalizeTextNode(e.firstChild);this.normalizeTextNode(e.nextSibling)}}},{key:"markRegExp",value:function(e,t){var n=this;this.opt=t,this.log('Searching with expression "'+e+'"');var r=0,a="wrapMatches",o=function(e){r++,n.opt.each(e)};this.opt.acrossElements&&(a="wrapMatchesAcrossElements"),this[a](e,this.opt.ignoreGroups,(function(e,t){return n.opt.filter(t,e,r)}),o,(function(){0===r&&n.opt.noMatch(e),n.opt.done(r)}))}},{key:"mark",value:function(e,t){var n=this;this.opt=t;var r=0,a="wrapMatches",o=this.getSeparatedKeywords("string"==typeof e?[e]:e),i=o.keywords,s=o.length,l=this.opt.caseSensitive?"":"i",c=function e(t){var o=new RegExp(n.createRegExp(t),"gm"+l),c=0;n.log('Searching with expression "'+o+'"'),n[a](o,1,(function(e,a){return n.opt.filter(a,t,r,c)}),(function(e){c++,r++,n.opt.each(e)}),(function(){0===c&&n.opt.noMatch(t),i[s-1]===t?n.opt.done(r):e(i[i.indexOf(t)+1])}))};this.opt.acrossElements&&(a="wrapMatchesAcrossElements"),0===s?this.opt.done(r):c(i[0])}},{key:"markRanges",value:function(e,t){var n=this;this.opt=t;var r=0,a=this.checkRanges(e);a&&a.length?(this.log("Starting to mark with the following ranges: "+JSON.stringify(a)),this.wrapRangeFromIndex(a,(function(e,t,r,a){return n.opt.filter(e,t,r,a)}),(function(e,t){r++,n.opt.each(e,t)}),(function(){n.opt.done(r)}))):this.opt.done(r)}},{key:"unmark",value:function(e){var t=this;this.opt=e;var n=this.opt.element?this.opt.element:"*";n+="[data-markjs]",this.opt.className&&(n+="."+this.opt.className),this.log('Removal selector "'+n+'"'),this.iterator.forEachNode(NodeFilter.SHOW_ELEMENT,(function(e){t.unwrapMatches(e)}),(function(e){var r=a.matches(e,n),o=t.matchesExclude(e);return!r||o?NodeFilter.FILTER_REJECT:NodeFilter.FILTER_ACCEPT}),this.opt.done)}},{key:"opt",set:function(e){this._opt=r({},{element:"",className:"",exclude:[],iframes:!1,iframesTimeout:5e3,separateWordSearch:!0,diacritics:!0,synonyms:{},accuracy:"partially",acrossElements:!1,caseSensitive:!1,ignoreJoiners:!1,ignoreGroups:0,ignorePunctuation:[],wildcards:"disabled",each:function(){},noMatch:function(){},filter:function(){return!0},done:function(){},debug:!1,log:window.console},e)},get:function(){return this._opt}},{key:"iterator",get:function(){return new a(this.ctx,this.opt.iframes,this.opt.exclude,this.opt.iframesTimeout)}}]),o}();function i(e){var t=this,n=new o(e);return this.mark=function(e,r){return n.mark(e,r),t},this.markRegExp=function(e,r){return n.markRegExp(e,r),t},this.markRanges=function(e,r){return n.markRanges(e,r),t},this.unmark=function(e){return n.unmark(e),t},this}return i}()},2497:(e,t,n)=>{"use strict";n.r(t)},2295:(e,t,n)=>{"use strict";n.r(t)},4865:function(e,t,n){var r,a;r=function(){var e,t,n={version:"0.2.0"},r=n.settings={minimum:.08,easing:"ease",positionUsing:"",speed:200,trickle:!0,trickleRate:.02,trickleSpeed:800,showSpinner:!0,barSelector:'[role="bar"]',spinnerSelector:'[role="spinner"]',parent:"body",template:'<div class="bar" role="bar"><div class="peg"></div></div><div class="spinner" role="spinner"><div class="spinner-icon"></div></div>'};function a(e,t,n){return e<t?t:e>n?n:e}function o(e){return 100*(-1+e)}function i(e,t,n){var a;return(a="translate3d"===r.positionUsing?{transform:"translate3d("+o(e)+"%,0,0)"}:"translate"===r.positionUsing?{transform:"translate("+o(e)+"%,0)"}:{"margin-left":o(e)+"%"}).transition="all "+t+"ms "+n,a}n.configure=function(e){var t,n;for(t in e)void 0!==(n=e[t])&&e.hasOwnProperty(t)&&(r[t]=n);return this},n.status=null,n.set=function(e){var t=n.isStarted();e=a(e,r.minimum,1),n.status=1===e?null:e;var o=n.render(!t),c=o.querySelector(r.barSelector),u=r.speed,d=r.easing;return o.offsetWidth,s((function(t){""===r.positionUsing&&(r.positionUsing=n.getPositioningCSS()),l(c,i(e,u,d)),1===e?(l(o,{transition:"none",opacity:1}),o.offsetWidth,setTimeout((function(){l(o,{transition:"all "+u+"ms linear",opacity:0}),setTimeout((function(){n.remove(),t()}),u)}),u)):setTimeout(t,u)})),this},n.isStarted=function(){return"number"==typeof n.status},n.start=function(){n.status||n.set(0);var e=function(){setTimeout((function(){n.status&&(n.trickle(),e())}),r.trickleSpeed)};return r.trickle&&e(),this},n.done=function(e){return e||n.status?n.inc(.3+.5*Math.random()).set(1):this},n.inc=function(e){var t=n.status;return t?("number"!=typeof e&&(e=(1-t)*a(Math.random()*t,.1,.95)),t=a(t+e,0,.994),n.set(t)):n.start()},n.trickle=function(){return n.inc(Math.random()*r.trickleRate)},e=0,t=0,n.promise=function(r){return r&&"resolved"!==r.state()?(0===t&&n.start(),e++,t++,r.always((function(){0==--t?(e=0,n.done()):n.set((e-t)/e)})),this):this},n.render=function(e){if(n.isRendered())return document.getElementById("nprogress");u(document.documentElement,"nprogress-busy");var t=document.createElement("div");t.id="nprogress",t.innerHTML=r.template;var a,i=t.querySelector(r.barSelector),s=e?"-100":o(n.status||0),c=document.querySelector(r.parent);return l(i,{transition:"all 0 linear",transform:"translate3d("+s+"%,0,0)"}),r.showSpinner||(a=t.querySelector(r.spinnerSelector))&&f(a),c!=document.body&&u(c,"nprogress-custom-parent"),c.appendChild(t),t},n.remove=function(){d(document.documentElement,"nprogress-busy"),d(document.querySelector(r.parent),"nprogress-custom-parent");var e=document.getElementById("nprogress");e&&f(e)},n.isRendered=function(){return!!document.getElementById("nprogress")},n.getPositioningCSS=function(){var e=document.body.style,t="WebkitTransform"in e?"Webkit":"MozTransform"in e?"Moz":"msTransform"in e?"ms":"OTransform"in e?"O":"";return t+"Perspective"in e?"translate3d":t+"Transform"in e?"translate":"margin"};var s=function(){var e=[];function t(){var n=e.shift();n&&n(t)}return function(n){e.push(n),1==e.length&&t()}}(),l=function(){var e=["Webkit","O","Moz","ms"],t={};function n(e){return e.replace(/^-ms-/,"ms-").replace(/-([\da-z])/gi,(function(e,t){return t.toUpperCase()}))}function r(t){var n=document.body.style;if(t in n)return t;for(var r,a=e.length,o=t.charAt(0).toUpperCase()+t.slice(1);a--;)if((r=e[a]+o)in n)return r;return t}function a(e){return e=n(e),t[e]||(t[e]=r(e))}function o(e,t,n){t=a(t),e.style[t]=n}return function(e,t){var n,r,a=arguments;if(2==a.length)for(n in t)void 0!==(r=t[n])&&t.hasOwnProperty(n)&&o(e,n,r);else o(e,a[1],a[2])}}();function c(e,t){return("string"==typeof e?e:p(e)).indexOf(" "+t+" ")>=0}function u(e,t){var n=p(e),r=n+t;c(n,t)||(e.className=r.substring(1))}function d(e,t){var n,r=p(e);c(e,t)&&(n=r.replace(" "+t+" "," "),e.className=n.substring(1,n.length-1))}function p(e){return(" "+(e.className||"")+" ").replace(/\s+/gi," ")}function f(e){e&&e.parentNode&&e.parentNode.removeChild(e)}return n},void 0===(a="function"==typeof r?r.call(t,n,t,e):r)||(e.exports=a)},9901:e=>{e.exports&&(e.exports={core:{meta:{path:"components/prism-core.js",option:"mandatory"},core:"Core"},themes:{meta:{path:"themes/{id}.css",link:"index.html?theme={id}",exclusive:!0},prism:{title:"Default",option:"default"},"prism-dark":"Dark","prism-funky":"Funky","prism-okaidia":{title:"Okaidia",owner:"ocodia"},"prism-twilight":{title:"Twilight",owner:"remybach"},"prism-coy":{title:"Coy",owner:"tshedor"},"prism-solarizedlight":{title:"Solarized Light",owner:"hectormatos2011 "},"prism-tomorrow":{title:"Tomorrow Night",owner:"Rosey"}},languages:{meta:{path:"components/prism-{id}",noCSS:!0,examplesPath:"examples/prism-{id}",addCheckAll:!0},markup:{title:"Markup",alias:["html","xml","svg","mathml","ssml","atom","rss"],aliasTitles:{html:"HTML",xml:"XML",svg:"SVG",mathml:"MathML",ssml:"SSML",atom:"Atom",rss:"RSS"},option:"default"},css:{title:"CSS",option:"default",modify:"markup"},clike:{title:"C-like",option:"default"},javascript:{title:"JavaScript",require:"clike",modify:"markup",optional:"regex",alias:"js",option:"default"},abap:{title:"ABAP",owner:"dellagustin"},abnf:{title:"ABNF",owner:"RunDevelopment"},actionscript:{title:"ActionScript",require:"javascript",modify:"markup",owner:"Golmote"},ada:{title:"Ada",owner:"Lucretia"},agda:{title:"Agda",owner:"xy-ren"},al:{title:"AL",owner:"RunDevelopment"},antlr4:{title:"ANTLR4",alias:"g4",owner:"RunDevelopment"},apacheconf:{title:"Apache Configuration",owner:"GuiTeK"},apex:{title:"Apex",require:["clike","sql"],owner:"RunDevelopment"},apl:{title:"APL",owner:"ngn"},applescript:{title:"AppleScript",owner:"Golmote"},aql:{title:"AQL",owner:"RunDevelopment"},arduino:{title:"Arduino",require:"cpp",alias:"ino",owner:"dkern"},arff:{title:"ARFF",owner:"Golmote"},armasm:{title:"ARM Assembly",alias:"arm-asm",owner:"RunDevelopment"},arturo:{title:"Arturo",alias:"art",optional:["bash","css","javascript","markup","markdown","sql"],owner:"drkameleon"},asciidoc:{alias:"adoc",title:"AsciiDoc",owner:"Golmote"},aspnet:{title:"ASP.NET (C#)",require:["markup","csharp"],owner:"nauzilus"},asm6502:{title:"6502 Assembly",owner:"kzurawel"},asmatmel:{title:"Atmel AVR Assembly",owner:"cerkit"},autohotkey:{title:"AutoHotkey",owner:"aviaryan"},autoit:{title:"AutoIt",owner:"Golmote"},avisynth:{title:"AviSynth",alias:"avs",owner:"Zinfidel"},"avro-idl":{title:"Avro IDL",alias:"avdl",owner:"RunDevelopment"},awk:{title:"AWK",alias:"gawk",aliasTitles:{gawk:"GAWK"},owner:"RunDevelopment"},bash:{title:"Bash",alias:["sh","shell"],aliasTitles:{sh:"Shell",shell:"Shell"},owner:"zeitgeist87"},basic:{title:"BASIC",owner:"Golmote"},batch:{title:"Batch",owner:"Golmote"},bbcode:{title:"BBcode",alias:"shortcode",aliasTitles:{shortcode:"Shortcode"},owner:"RunDevelopment"},bbj:{title:"BBj",owner:"hyyan"},bicep:{title:"Bicep",owner:"johnnyreilly"},birb:{title:"Birb",require:"clike",owner:"Calamity210"},bison:{title:"Bison",require:"c",owner:"Golmote"},bnf:{title:"BNF",alias:"rbnf",aliasTitles:{rbnf:"RBNF"},owner:"RunDevelopment"},bqn:{title:"BQN",owner:"yewscion"},brainfuck:{title:"Brainfuck",owner:"Golmote"},brightscript:{title:"BrightScript",owner:"RunDevelopment"},bro:{title:"Bro",owner:"wayward710"},bsl:{title:"BSL (1C:Enterprise)",alias:"oscript",aliasTitles:{oscript:"OneScript"},owner:"Diversus23"},c:{title:"C",require:"clike",owner:"zeitgeist87"},csharp:{title:"C#",require:"clike",alias:["cs","dotnet"],owner:"mvalipour"},cpp:{title:"C++",require:"c",owner:"zeitgeist87"},cfscript:{title:"CFScript",require:"clike",alias:"cfc",owner:"mjclemente"},chaiscript:{title:"ChaiScript",require:["clike","cpp"],owner:"RunDevelopment"},cil:{title:"CIL",owner:"sbrl"},cilkc:{title:"Cilk/C",require:"c",alias:"cilk-c",owner:"OpenCilk"},cilkcpp:{title:"Cilk/C++",require:"cpp",alias:["cilk-cpp","cilk"],owner:"OpenCilk"},clojure:{title:"Clojure",owner:"troglotit"},cmake:{title:"CMake",owner:"mjrogozinski"},cobol:{title:"COBOL",owner:"RunDevelopment"},coffeescript:{title:"CoffeeScript",require:"javascript",alias:"coffee",owner:"R-osey"},concurnas:{title:"Concurnas",alias:"conc",owner:"jasontatton"},csp:{title:"Content-Security-Policy",owner:"ScottHelme"},cooklang:{title:"Cooklang",owner:"ahue"},coq:{title:"Coq",owner:"RunDevelopment"},crystal:{title:"Crystal",require:"ruby",owner:"MakeNowJust"},"css-extras":{title:"CSS Extras",require:"css",modify:"css",owner:"milesj"},csv:{title:"CSV",owner:"RunDevelopment"},cue:{title:"CUE",owner:"RunDevelopment"},cypher:{title:"Cypher",owner:"RunDevelopment"},d:{title:"D",require:"clike",owner:"Golmote"},dart:{title:"Dart",require:"clike",owner:"Golmote"},dataweave:{title:"DataWeave",owner:"machaval"},dax:{title:"DAX",owner:"peterbud"},dhall:{title:"Dhall",owner:"RunDevelopment"},diff:{title:"Diff",owner:"uranusjr"},django:{title:"Django/Jinja2",require:"markup-templating",alias:"jinja2",owner:"romanvm"},"dns-zone-file":{title:"DNS zone file",owner:"RunDevelopment",alias:"dns-zone"},docker:{title:"Docker",alias:"dockerfile",owner:"JustinBeckwith"},dot:{title:"DOT (Graphviz)",alias:"gv",optional:"markup",owner:"RunDevelopment"},ebnf:{title:"EBNF",owner:"RunDevelopment"},editorconfig:{title:"EditorConfig",owner:"osipxd"},eiffel:{title:"Eiffel",owner:"Conaclos"},ejs:{title:"EJS",require:["javascript","markup-templating"],owner:"RunDevelopment",alias:"eta",aliasTitles:{eta:"Eta"}},elixir:{title:"Elixir",owner:"Golmote"},elm:{title:"Elm",owner:"zwilias"},etlua:{title:"Embedded Lua templating",require:["lua","markup-templating"],owner:"RunDevelopment"},erb:{title:"ERB",require:["ruby","markup-templating"],owner:"Golmote"},erlang:{title:"Erlang",owner:"Golmote"},"excel-formula":{title:"Excel Formula",alias:["xlsx","xls"],owner:"RunDevelopment"},fsharp:{title:"F#",require:"clike",owner:"simonreynolds7"},factor:{title:"Factor",owner:"catb0t"},false:{title:"False",owner:"edukisto"},"firestore-security-rules":{title:"Firestore security rules",require:"clike",owner:"RunDevelopment"},flow:{title:"Flow",require:"javascript",owner:"Golmote"},fortran:{title:"Fortran",owner:"Golmote"},ftl:{title:"FreeMarker Template Language",require:"markup-templating",owner:"RunDevelopment"},gml:{title:"GameMaker Language",alias:"gamemakerlanguage",require:"clike",owner:"LiarOnce"},gap:{title:"GAP (CAS)",owner:"RunDevelopment"},gcode:{title:"G-code",owner:"RunDevelopment"},gdscript:{title:"GDScript",owner:"RunDevelopment"},gedcom:{title:"GEDCOM",owner:"Golmote"},gettext:{title:"gettext",alias:"po",owner:"RunDevelopment"},gherkin:{title:"Gherkin",owner:"hason"},git:{title:"Git",owner:"lgiraudel"},glsl:{title:"GLSL",require:"c",owner:"Golmote"},gn:{title:"GN",alias:"gni",owner:"RunDevelopment"},"linker-script":{title:"GNU Linker Script",alias:"ld",owner:"RunDevelopment"},go:{title:"Go",require:"clike",owner:"arnehormann"},"go-module":{title:"Go module",alias:"go-mod",owner:"RunDevelopment"},gradle:{title:"Gradle",require:"clike",owner:"zeabdelkhalek-badido18"},graphql:{title:"GraphQL",optional:"markdown",owner:"Golmote"},groovy:{title:"Groovy",require:"clike",owner:"robfletcher"},haml:{title:"Haml",require:"ruby",optional:["css","css-extras","coffeescript","erb","javascript","less","markdown","scss","textile"],owner:"Golmote"},handlebars:{title:"Handlebars",require:"markup-templating",alias:["hbs","mustache"],aliasTitles:{mustache:"Mustache"},owner:"Golmote"},haskell:{title:"Haskell",alias:"hs",owner:"bholst"},haxe:{title:"Haxe",require:"clike",optional:"regex",owner:"Golmote"},hcl:{title:"HCL",owner:"outsideris"},hlsl:{title:"HLSL",require:"c",owner:"RunDevelopment"},hoon:{title:"Hoon",owner:"matildepark"},http:{title:"HTTP",optional:["csp","css","hpkp","hsts","javascript","json","markup","uri"],owner:"danielgtaylor"},hpkp:{title:"HTTP Public-Key-Pins",owner:"ScottHelme"},hsts:{title:"HTTP Strict-Transport-Security",owner:"ScottHelme"},ichigojam:{title:"IchigoJam",owner:"BlueCocoa"},icon:{title:"Icon",owner:"Golmote"},"icu-message-format":{title:"ICU Message Format",owner:"RunDevelopment"},idris:{title:"Idris",alias:"idr",owner:"KeenS",require:"haskell"},ignore:{title:".ignore",owner:"osipxd",alias:["gitignore","hgignore","npmignore"],aliasTitles:{gitignore:".gitignore",hgignore:".hgignore",npmignore:".npmignore"}},inform7:{title:"Inform 7",owner:"Golmote"},ini:{title:"Ini",owner:"aviaryan"},io:{title:"Io",owner:"AlesTsurko"},j:{title:"J",owner:"Golmote"},java:{title:"Java",require:"clike",owner:"sherblot"},javadoc:{title:"JavaDoc",require:["markup","java","javadoclike"],modify:"java",optional:"scala",owner:"RunDevelopment"},javadoclike:{title:"JavaDoc-like",modify:["java","javascript","php"],owner:"RunDevelopment"},javastacktrace:{title:"Java stack trace",owner:"RunDevelopment"},jexl:{title:"Jexl",owner:"czosel"},jolie:{title:"Jolie",require:"clike",owner:"thesave"},jq:{title:"JQ",owner:"RunDevelopment"},jsdoc:{title:"JSDoc",require:["javascript","javadoclike","typescript"],modify:"javascript",optional:["actionscript","coffeescript"],owner:"RunDevelopment"},"js-extras":{title:"JS Extras",require:"javascript",modify:"javascript",optional:["actionscript","coffeescript","flow","n4js","typescript"],owner:"RunDevelopment"},json:{title:"JSON",alias:"webmanifest",aliasTitles:{webmanifest:"Web App Manifest"},owner:"CupOfTea696"},json5:{title:"JSON5",require:"json",owner:"RunDevelopment"},jsonp:{title:"JSONP",require:"json",owner:"RunDevelopment"},jsstacktrace:{title:"JS stack trace",owner:"sbrl"},"js-templates":{title:"JS Templates",require:"javascript",modify:"javascript",optional:["css","css-extras","graphql","markdown","markup","sql"],owner:"RunDevelopment"},julia:{title:"Julia",owner:"cdagnino"},keepalived:{title:"Keepalived Configure",owner:"dev-itsheng"},keyman:{title:"Keyman",owner:"mcdurdin"},kotlin:{title:"Kotlin",alias:["kt","kts"],aliasTitles:{kts:"Kotlin Script"},require:"clike",owner:"Golmote"},kumir:{title:"KuMir (\u041a\u0443\u041c\u0438\u0440)",alias:"kum",owner:"edukisto"},kusto:{title:"Kusto",owner:"RunDevelopment"},latex:{title:"LaTeX",alias:["tex","context"],aliasTitles:{tex:"TeX",context:"ConTeXt"},owner:"japborst"},latte:{title:"Latte",require:["clike","markup-templating","php"],owner:"nette"},less:{title:"Less",require:"css",optional:"css-extras",owner:"Golmote"},lilypond:{title:"LilyPond",require:"scheme",alias:"ly",owner:"RunDevelopment"},liquid:{title:"Liquid",require:"markup-templating",owner:"cinhtau"},lisp:{title:"Lisp",alias:["emacs","elisp","emacs-lisp"],owner:"JuanCaicedo"},livescript:{title:"LiveScript",owner:"Golmote"},llvm:{title:"LLVM IR",owner:"porglezomp"},log:{title:"Log file",optional:"javastacktrace",owner:"RunDevelopment"},lolcode:{title:"LOLCODE",owner:"Golmote"},lua:{title:"Lua",owner:"Golmote"},magma:{title:"Magma (CAS)",owner:"RunDevelopment"},makefile:{title:"Makefile",owner:"Golmote"},markdown:{title:"Markdown",require:"markup",optional:"yaml",alias:"md",owner:"Golmote"},"markup-templating":{title:"Markup templating",require:"markup",owner:"Golmote"},mata:{title:"Mata",owner:"RunDevelopment"},matlab:{title:"MATLAB",owner:"Golmote"},maxscript:{title:"MAXScript",owner:"RunDevelopment"},mel:{title:"MEL",owner:"Golmote"},mermaid:{title:"Mermaid",owner:"RunDevelopment"},metafont:{title:"METAFONT",owner:"LaeriExNihilo"},mizar:{title:"Mizar",owner:"Golmote"},mongodb:{title:"MongoDB",owner:"airs0urce",require:"javascript"},monkey:{title:"Monkey",owner:"Golmote"},moonscript:{title:"MoonScript",alias:"moon",owner:"RunDevelopment"},n1ql:{title:"N1QL",owner:"TMWilds"},n4js:{title:"N4JS",require:"javascript",optional:"jsdoc",alias:"n4jsd",owner:"bsmith-n4"},"nand2tetris-hdl":{title:"Nand To Tetris HDL",owner:"stephanmax"},naniscript:{title:"Naninovel Script",owner:"Elringus",alias:"nani"},nasm:{title:"NASM",owner:"rbmj"},neon:{title:"NEON",owner:"nette"},nevod:{title:"Nevod",owner:"nezaboodka"},nginx:{title:"nginx",owner:"volado"},nim:{title:"Nim",owner:"Golmote"},nix:{title:"Nix",owner:"Golmote"},nsis:{title:"NSIS",owner:"idleberg"},objectivec:{title:"Objective-C",require:"c",alias:"objc",owner:"uranusjr"},ocaml:{title:"OCaml",owner:"Golmote"},odin:{title:"Odin",owner:"edukisto"},opencl:{title:"OpenCL",require:"c",modify:["c","cpp"],owner:"Milania1"},openqasm:{title:"OpenQasm",alias:"qasm",owner:"RunDevelopment"},oz:{title:"Oz",owner:"Golmote"},parigp:{title:"PARI/GP",owner:"Golmote"},parser:{title:"Parser",require:"markup",owner:"Golmote"},pascal:{title:"Pascal",alias:"objectpascal",aliasTitles:{objectpascal:"Object Pascal"},owner:"Golmote"},pascaligo:{title:"Pascaligo",owner:"DefinitelyNotAGoat"},psl:{title:"PATROL Scripting Language",owner:"bertysentry"},pcaxis:{title:"PC-Axis",alias:"px",owner:"RunDevelopment"},peoplecode:{title:"PeopleCode",alias:"pcode",owner:"RunDevelopment"},perl:{title:"Perl",owner:"Golmote"},php:{title:"PHP",require:"markup-templating",owner:"milesj"},phpdoc:{title:"PHPDoc",require:["php","javadoclike"],modify:"php",owner:"RunDevelopment"},"php-extras":{title:"PHP Extras",require:"php",modify:"php",owner:"milesj"},"plant-uml":{title:"PlantUML",alias:"plantuml",owner:"RunDevelopment"},plsql:{title:"PL/SQL",require:"sql",owner:"Golmote"},powerquery:{title:"PowerQuery",alias:["pq","mscript"],owner:"peterbud"},powershell:{title:"PowerShell",owner:"nauzilus"},processing:{title:"Processing",require:"clike",owner:"Golmote"},prolog:{title:"Prolog",owner:"Golmote"},promql:{title:"PromQL",owner:"arendjr"},properties:{title:".properties",owner:"Golmote"},protobuf:{title:"Protocol Buffers",require:"clike",owner:"just-boris"},pug:{title:"Pug",require:["markup","javascript"],optional:["coffeescript","ejs","handlebars","less","livescript","markdown","scss","stylus","twig"],owner:"Golmote"},puppet:{title:"Puppet",owner:"Golmote"},pure:{title:"Pure",optional:["c","cpp","fortran"],owner:"Golmote"},purebasic:{title:"PureBasic",require:"clike",alias:"pbfasm",owner:"HeX0R101"},purescript:{title:"PureScript",require:"haskell",alias:"purs",owner:"sriharshachilakapati"},python:{title:"Python",alias:"py",owner:"multipetros"},qsharp:{title:"Q#",require:"clike",alias:"qs",owner:"fedonman"},q:{title:"Q (kdb+ database)",owner:"Golmote"},qml:{title:"QML",require:"javascript",owner:"RunDevelopment"},qore:{title:"Qore",require:"clike",owner:"temnroegg"},r:{title:"R",owner:"Golmote"},racket:{title:"Racket",require:"scheme",alias:"rkt",owner:"RunDevelopment"},cshtml:{title:"Razor C#",alias:"razor",require:["markup","csharp"],optional:["css","css-extras","javascript","js-extras"],owner:"RunDevelopment"},jsx:{title:"React JSX",require:["markup","javascript"],optional:["jsdoc","js-extras","js-templates"],owner:"vkbansal"},tsx:{title:"React TSX",require:["jsx","typescript"]},reason:{title:"Reason",require:"clike",owner:"Golmote"},regex:{title:"Regex",owner:"RunDevelopment"},rego:{title:"Rego",owner:"JordanSh"},renpy:{title:"Ren'py",alias:"rpy",owner:"HyuchiaDiego"},rescript:{title:"ReScript",alias:"res",owner:"vmarcosp"},rest:{title:"reST (reStructuredText)",owner:"Golmote"},rip:{title:"Rip",owner:"ravinggenius"},roboconf:{title:"Roboconf",owner:"Golmote"},robotframework:{title:"Robot Framework",alias:"robot",owner:"RunDevelopment"},ruby:{title:"Ruby",require:"clike",alias:"rb",owner:"samflores"},rust:{title:"Rust",owner:"Golmote"},sas:{title:"SAS",optional:["groovy","lua","sql"],owner:"Golmote"},sass:{title:"Sass (Sass)",require:"css",optional:"css-extras",owner:"Golmote"},scss:{title:"Sass (SCSS)",require:"css",optional:"css-extras",owner:"MoOx"},scala:{title:"Scala",require:"java",owner:"jozic"},scheme:{title:"Scheme",owner:"bacchus123"},"shell-session":{title:"Shell session",require:"bash",alias:["sh-session","shellsession"],owner:"RunDevelopment"},smali:{title:"Smali",owner:"RunDevelopment"},smalltalk:{title:"Smalltalk",owner:"Golmote"},smarty:{title:"Smarty",require:"markup-templating",optional:"php",owner:"Golmote"},sml:{title:"SML",alias:"smlnj",aliasTitles:{smlnj:"SML/NJ"},owner:"RunDevelopment"},solidity:{title:"Solidity (Ethereum)",alias:"sol",require:"clike",owner:"glachaud"},"solution-file":{title:"Solution file",alias:"sln",owner:"RunDevelopment"},soy:{title:"Soy (Closure Template)",require:"markup-templating",owner:"Golmote"},sparql:{title:"SPARQL",require:"turtle",owner:"Triply-Dev",alias:"rq"},"splunk-spl":{title:"Splunk SPL",owner:"RunDevelopment"},sqf:{title:"SQF: Status Quo Function (Arma 3)",require:"clike",owner:"RunDevelopment"},sql:{title:"SQL",owner:"multipetros"},squirrel:{title:"Squirrel",require:"clike",owner:"RunDevelopment"},stan:{title:"Stan",owner:"RunDevelopment"},stata:{title:"Stata Ado",require:["mata","java","python"],owner:"RunDevelopment"},iecst:{title:"Structured Text (IEC 61131-3)",owner:"serhioromano"},stylus:{title:"Stylus",owner:"vkbansal"},supercollider:{title:"SuperCollider",alias:"sclang",owner:"RunDevelopment"},swift:{title:"Swift",owner:"chrischares"},systemd:{title:"Systemd configuration file",owner:"RunDevelopment"},"t4-templating":{title:"T4 templating",owner:"RunDevelopment"},"t4-cs":{title:"T4 Text Templates (C#)",require:["t4-templating","csharp"],alias:"t4",owner:"RunDevelopment"},"t4-vb":{title:"T4 Text Templates (VB)",require:["t4-templating","vbnet"],owner:"RunDevelopment"},tap:{title:"TAP",owner:"isaacs",require:"yaml"},tcl:{title:"Tcl",owner:"PeterChaplin"},tt2:{title:"Template Toolkit 2",require:["clike","markup-templating"],owner:"gflohr"},textile:{title:"Textile",require:"markup",optional:"css",owner:"Golmote"},toml:{title:"TOML",owner:"RunDevelopment"},tremor:{title:"Tremor",alias:["trickle","troy"],owner:"darach",aliasTitles:{trickle:"trickle",troy:"troy"}},turtle:{title:"Turtle",alias:"trig",aliasTitles:{trig:"TriG"},owner:"jakubklimek"},twig:{title:"Twig",require:"markup-templating",owner:"brandonkelly"},typescript:{title:"TypeScript",require:"javascript",optional:"js-templates",alias:"ts",owner:"vkbansal"},typoscript:{title:"TypoScript",alias:"tsconfig",aliasTitles:{tsconfig:"TSConfig"},owner:"dkern"},unrealscript:{title:"UnrealScript",alias:["uscript","uc"],owner:"RunDevelopment"},uorazor:{title:"UO Razor Script",owner:"jaseowns"},uri:{title:"URI",alias:"url",aliasTitles:{url:"URL"},owner:"RunDevelopment"},v:{title:"V",require:"clike",owner:"taggon"},vala:{title:"Vala",require:"clike",optional:"regex",owner:"TemplarVolk"},vbnet:{title:"VB.Net",require:"basic",owner:"Bigsby"},velocity:{title:"Velocity",require:"markup",owner:"Golmote"},verilog:{title:"Verilog",owner:"a-rey"},vhdl:{title:"VHDL",owner:"a-rey"},vim:{title:"vim",owner:"westonganger"},"visual-basic":{title:"Visual Basic",alias:["vb","vba"],aliasTitles:{vba:"VBA"},owner:"Golmote"},warpscript:{title:"WarpScript",owner:"RunDevelopment"},wasm:{title:"WebAssembly",owner:"Golmote"},"web-idl":{title:"Web IDL",alias:"webidl",owner:"RunDevelopment"},wgsl:{title:"WGSL",owner:"Dr4gonthree"},wiki:{title:"Wiki markup",require:"markup",owner:"Golmote"},wolfram:{title:"Wolfram language",alias:["mathematica","nb","wl"],aliasTitles:{mathematica:"Mathematica",nb:"Mathematica Notebook"},owner:"msollami"},wren:{title:"Wren",owner:"clsource"},xeora:{title:"Xeora",require:"markup",alias:"xeoracube",aliasTitles:{xeoracube:"XeoraCube"},owner:"freakmaxi"},"xml-doc":{title:"XML doc (.net)",require:"markup",modify:["csharp","fsharp","vbnet"],owner:"RunDevelopment"},xojo:{title:"Xojo (REALbasic)",owner:"Golmote"},xquery:{title:"XQuery",require:"markup",owner:"Golmote"},yaml:{title:"YAML",alias:"yml",owner:"hason"},yang:{title:"YANG",owner:"RunDevelopment"},zig:{title:"Zig",owner:"RunDevelopment"}},plugins:{meta:{path:"plugins/{id}/prism-{id}",link:"plugins/{id}/"},"line-highlight":{title:"Line Highlight",description:"Highlights specific lines and/or line ranges."},"line-numbers":{title:"Line Numbers",description:"Line number at the beginning of code lines.",owner:"kuba-kubula"},"show-invisibles":{title:"Show Invisibles",description:"Show hidden characters such as tabs and line breaks.",optional:["autolinker","data-uri-highlight"]},autolinker:{title:"Autolinker",description:"Converts URLs and emails in code to clickable links. Parses Markdown links in comments."},wpd:{title:"WebPlatform Docs",description:'Makes tokens link to <a href="https://webplatform.github.io/docs/">WebPlatform.org documentation</a>. The links open in a new tab.'},"custom-class":{title:"Custom Class",description:"This plugin allows you to prefix Prism's default classes (<code>.comment</code> can become <code>.namespace--comment</code>) or replace them with your defined ones (like <code>.editor__comment</code>). You can even add new classes.",owner:"dvkndn",noCSS:!0},"file-highlight":{title:"File Highlight",description:"Fetch external files and highlight them with Prism. Used on the Prism website itself.",noCSS:!0},"show-language":{title:"Show Language",description:"Display the highlighted language in code blocks (inline code does not show the label).",owner:"nauzilus",noCSS:!0,require:"toolbar"},"jsonp-highlight":{title:"JSONP Highlight",description:"Fetch content with JSONP and highlight some interesting content (e.g. GitHub/Gists or Bitbucket API).",noCSS:!0,owner:"nauzilus"},"highlight-keywords":{title:"Highlight Keywords",description:"Adds special CSS classes for each keyword for fine-grained highlighting.",owner:"vkbansal",noCSS:!0},"remove-initial-line-feed":{title:"Remove initial line feed",description:"Removes the initial line feed in code blocks.",owner:"Golmote",noCSS:!0},"inline-color":{title:"Inline color",description:"Adds a small inline preview for colors in style sheets.",require:"css-extras",owner:"RunDevelopment"},previewers:{title:"Previewers",description:"Previewers for angles, colors, gradients, easing and time.",require:"css-extras",owner:"Golmote"},autoloader:{title:"Autoloader",description:"Automatically loads the needed languages to highlight the code blocks.",owner:"Golmote",noCSS:!0},"keep-markup":{title:"Keep Markup",description:"Prevents custom markup from being dropped out during highlighting.",owner:"Golmote",optional:"normalize-whitespace",noCSS:!0},"command-line":{title:"Command Line",description:"Display a command line with a prompt and, optionally, the output/response from the commands.",owner:"chriswells0"},"unescaped-markup":{title:"Unescaped Markup",description:"Write markup without having to escape anything."},"normalize-whitespace":{title:"Normalize Whitespace",description:"Supports multiple operations to normalize whitespace in code blocks.",owner:"zeitgeist87",optional:"unescaped-markup",noCSS:!0},"data-uri-highlight":{title:"Data-URI Highlight",description:"Highlights data-URI contents.",owner:"Golmote",noCSS:!0},toolbar:{title:"Toolbar",description:"Attach a toolbar for plugins to easily register buttons on the top of a code block.",owner:"mAAdhaTTah"},"copy-to-clipboard":{title:"Copy to Clipboard Button",description:"Add a button that copies the code block to the clipboard when clicked.",owner:"mAAdhaTTah",require:"toolbar",noCSS:!0},"download-button":{title:"Download Button",description:"A button in the toolbar of a code block adding a convenient way to download a code file.",owner:"Golmote",require:"toolbar",noCSS:!0},"match-braces":{title:"Match braces",description:"Highlights matching braces.",owner:"RunDevelopment"},"diff-highlight":{title:"Diff Highlight",description:"Highlights the code inside diff blocks.",owner:"RunDevelopment",require:"diff"},"filter-highlight-all":{title:"Filter highlightAll",description:"Filters the elements the <code>highlightAll</code> and <code>highlightAllUnder</code> methods actually highlight.",owner:"RunDevelopment",noCSS:!0},treeview:{title:"Treeview",description:"A language with special styles to highlight file system tree structures.",owner:"Golmote"}}})},2885:(e,t,n)=>{const r=n(9901),a=n(9642),o=new Set;function i(e){void 0===e?e=Object.keys(r.languages).filter((e=>"meta"!=e)):Array.isArray(e)||(e=[e]);const t=[...o,...Object.keys(Prism.languages)];a(r,e,t).load((e=>{if(!(e in r.languages))return void(i.silent||console.warn("Language does not exist: "+e));const t="./prism-"+e;delete n.c[n(6500).resolve(t)],delete Prism.languages[e],n(6500)(t),o.add(e)}))}i.silent=!1,e.exports=i},6854:()=>{!function(e){function t(e,t){return"___"+e.toUpperCase()+t+"___"}Object.defineProperties(e.languages["markup-templating"]={},{buildPlaceholders:{value:function(n,r,a,o){if(n.language===r){var i=n.tokenStack=[];n.code=n.code.replace(a,(function(e){if("function"==typeof o&&!o(e))return e;for(var a,s=i.length;-1!==n.code.indexOf(a=t(r,s));)++s;return i[s]=e,a})),n.grammar=e.languages.markup}}},tokenizePlaceholders:{value:function(n,r){if(n.language===r&&n.tokenStack){n.grammar=e.languages[r];var a=0,o=Object.keys(n.tokenStack);!function i(s){for(var l=0;l<s.length&&!(a>=o.length);l++){var c=s[l];if("string"==typeof c||c.content&&"string"==typeof c.content){var u=o[a],d=n.tokenStack[u],p="string"==typeof c?c:c.content,f=t(r,u),h=p.indexOf(f);if(h>-1){++a;var m=p.substring(0,h),g=new e.Token(r,e.tokenize(d,n.grammar),"language-"+r,d),y=p.substring(h+f.length),b=[];m&&b.push.apply(b,i([m])),b.push(g),y&&b.push.apply(b,i([y])),"string"==typeof c?s.splice.apply(s,[l,1].concat(b)):c.content=b}}else c.content&&i(c.content)}return s}(n.tokens)}}}})}(Prism)},6726:(e,t,n)=>{var r={"./":2885};function a(e){var t=o(e);return n(t)}function o(e){if(!n.o(r,e)){var t=new Error("Cannot find module '"+e+"'");throw t.code="MODULE_NOT_FOUND",t}return r[e]}a.keys=function(){return Object.keys(r)},a.resolve=o,e.exports=a,a.id=6726},6500:(e,t,n)=>{var r={"./":2885};function a(e){var t=o(e);return n(t)}function o(e){if(!n.o(r,e)){var t=new Error("Cannot find module '"+e+"'");throw t.code="MODULE_NOT_FOUND",t}return r[e]}a.keys=function(){return Object.keys(r)},a.resolve=o,e.exports=a,a.id=6500},9642:e=>{"use strict";var t=function(){var e=function(){};function t(e,t){Array.isArray(e)?e.forEach(t):null!=e&&t(e,0)}function n(e){for(var t={},n=0,r=e.length;n<r;n++)t[e[n]]=!0;return t}function r(e){var n={},r=[];function a(r,o){if(!(r in n)){o.push(r);var i=o.indexOf(r);if(i<o.length-1)throw new Error("Circular dependency: "+o.slice(i).join(" -> "));var s={},l=e[r];if(l){function c(t){if(!(t in e))throw new Error(r+" depends on an unknown component "+t);if(!(t in s))for(var i in a(t,o),s[t]=!0,n[t])s[i]=!0}t(l.require,c),t(l.optional,c),t(l.modify,c)}n[r]=s,o.pop()}}return function(e){var t=n[e];return t||(a(e,r),t=n[e]),t}}function a(e){for(var t in e)return!0;return!1}return function(o,i,s){var l=function(e){var t={};for(var n in e){var r=e[n];for(var a in r)if("meta"!=a){var o=r[a];t[a]="string"==typeof o?{title:o}:o}}return t}(o),c=function(e){var n;return function(r){if(r in e)return r;if(!n)for(var a in n={},e){var o=e[a];t(o&&o.alias,(function(t){if(t in n)throw new Error(t+" cannot be alias for both "+a+" and "+n[t]);if(t in e)throw new Error(t+" cannot be alias of "+a+" because it is a component.");n[t]=a}))}return n[r]||r}}(l);i=i.map(c),s=(s||[]).map(c);var u=n(i),d=n(s);i.forEach((function e(n){var r=l[n];t(r&&r.require,(function(t){t in d||(u[t]=!0,e(t))}))}));for(var p,f=r(l),h=u;a(h);){for(var m in p={},h){var g=l[m];t(g&&g.modify,(function(e){e in d&&(p[e]=!0)}))}for(var y in d)if(!(y in u))for(var b in f(y))if(b in u){p[y]=!0;break}for(var v in h=p)u[v]=!0}var w={getIds:function(){var e=[];return w.load((function(t){e.push(t)})),e},load:function(t,n){return function(t,n,r,a){var o=a?a.series:void 0,i=a?a.parallel:e,s={},l={};function c(e){if(e in s)return s[e];l[e]=!0;var a,u=[];for(var d in t(e))d in n&&u.push(d);if(0===u.length)a=r(e);else{var p=i(u.map((function(e){var t=c(e);return delete l[e],t})));o?a=o(p,(function(){return r(e)})):r(e)}return s[e]=a}for(var u in n)c(u);var d=[];for(var p in l)d.push(s[p]);return i(d)}(f,u,t,n)}};return w}}();e.exports=t},2703:(e,t,n)=>{"use strict";var r=n(414);function a(){}function o(){}o.resetWarningCache=a,e.exports=function(){function e(e,t,n,a,o,i){if(i!==r){var s=new Error("Calling PropTypes validators directly is not supported by the `prop-types` package. Use PropTypes.checkPropTypes() to call them. Read more at http://fb.me/use-check-prop-types");throw s.name="Invariant Violation",s}}function t(){return e}e.isRequired=e;var n={array:e,bigint:e,bool:e,func:e,number:e,object:e,string:e,symbol:e,any:e,arrayOf:t,element:e,elementType:e,instanceOf:t,node:e,objectOf:t,oneOf:t,oneOfType:t,shape:t,exact:t,checkPropTypes:o,resetWarningCache:a};return n.PropTypes=n,n}},5697:(e,t,n)=>{e.exports=n(2703)()},414:e=>{"use strict";e.exports="SECRET_DO_NOT_PASS_THIS_OR_YOU_WILL_BE_FIRED"},4448:(e,t,n)=>{"use strict";var r=n(7294),a=n(3840);function o(e){for(var t="https://reactjs.org/docs/error-decoder.html?invariant="+e,n=1;n<arguments.length;n++)t+="&args[]="+encodeURIComponent(arguments[n]);return"Minified React error #"+e+"; visit "+t+" for the full message or use the non-minified dev environment for full errors and additional helpful warnings."}var i=new Set,s={};function l(e,t){c(e,t),c(e+"Capture",t)}function c(e,t){for(s[e]=t,e=0;e<t.length;e++)i.add(t[e])}var u=!("undefined"==typeof window||void 0===window.document||void 0===window.document.createElement),d=Object.prototype.hasOwnProperty,p=/^[:A-Z_a-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD][:A-Z_a-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD\-.0-9\u00B7\u0300-\u036F\u203F-\u2040]*$/,f={},h={};function m(e,t,n,r,a,o,i){this.acceptsBooleans=2===t||3===t||4===t,this.attributeName=r,this.attributeNamespace=a,this.mustUseProperty=n,this.propertyName=e,this.type=t,this.sanitizeURL=o,this.removeEmptyString=i}var g={};"children dangerouslySetInnerHTML defaultValue defaultChecked innerHTML suppressContentEditableWarning suppressHydrationWarning style".split(" ").forEach((function(e){g[e]=new m(e,0,!1,e,null,!1,!1)})),[["acceptCharset","accept-charset"],["className","class"],["htmlFor","for"],["httpEquiv","http-equiv"]].forEach((function(e){var t=e[0];g[t]=new m(t,1,!1,e[1],null,!1,!1)})),["contentEditable","draggable","spellCheck","value"].forEach((function(e){g[e]=new m(e,2,!1,e.toLowerCase(),null,!1,!1)})),["autoReverse","externalResourcesRequired","focusable","preserveAlpha"].forEach((function(e){g[e]=new m(e,2,!1,e,null,!1,!1)})),"allowFullScreen async autoFocus autoPlay controls default defer disabled disablePictureInPicture disableRemotePlayback formNoValidate hidden loop noModule noValidate open playsInline readOnly required reversed scoped seamless itemScope".split(" ").forEach((function(e){g[e]=new m(e,3,!1,e.toLowerCase(),null,!1,!1)})),["checked","multiple","muted","selected"].forEach((function(e){g[e]=new m(e,3,!0,e,null,!1,!1)})),["capture","download"].forEach((function(e){g[e]=new m(e,4,!1,e,null,!1,!1)})),["cols","rows","size","span"].forEach((function(e){g[e]=new m(e,6,!1,e,null,!1,!1)})),["rowSpan","start"].forEach((function(e){g[e]=new m(e,5,!1,e.toLowerCase(),null,!1,!1)}));var y=/[\-:]([a-z])/g;function b(e){return e[1].toUpperCase()}function v(e,t,n,r){var a=g.hasOwnProperty(t)?g[t]:null;(null!==a?0!==a.type:r||!(2<t.length)||"o"!==t[0]&&"O"!==t[0]||"n"!==t[1]&&"N"!==t[1])&&(function(e,t,n,r){if(null==t||function(e,t,n,r){if(null!==n&&0===n.type)return!1;switch(typeof t){case"function":case"symbol":return!0;case"boolean":return!r&&(null!==n?!n.acceptsBooleans:"data-"!==(e=e.toLowerCase().slice(0,5))&&"aria-"!==e);default:return!1}}(e,t,n,r))return!0;if(r)return!1;if(null!==n)switch(n.type){case 3:return!t;case 4:return!1===t;case 5:return isNaN(t);case 6:return isNaN(t)||1>t}return!1}(t,n,a,r)&&(n=null),r||null===a?function(e){return!!d.call(h,e)||!d.call(f,e)&&(p.test(e)?h[e]=!0:(f[e]=!0,!1))}(t)&&(null===n?e.removeAttribute(t):e.setAttribute(t,""+n)):a.mustUseProperty?e[a.propertyName]=null===n?3!==a.type&&"":n:(t=a.attributeName,r=a.attributeNamespace,null===n?e.removeAttribute(t):(n=3===(a=a.type)||4===a&&!0===n?"":""+n,r?e.setAttributeNS(r,t,n):e.setAttribute(t,n))))}"accent-height alignment-baseline arabic-form baseline-shift cap-height clip-path clip-rule color-interpolation color-interpolation-filters color-profile color-rendering dominant-baseline enable-background fill-opacity fill-rule flood-color flood-opacity font-family font-size font-size-adjust font-stretch font-style font-variant font-weight glyph-name glyph-orientation-horizontal glyph-orientation-vertical horiz-adv-x horiz-origin-x image-rendering letter-spacing lighting-color marker-end marker-mid marker-start overline-position overline-thickness paint-order panose-1 pointer-events rendering-intent shape-rendering stop-color stop-opacity strikethrough-position strikethrough-thickness stroke-dasharray stroke-dashoffset stroke-linecap stroke-linejoin stroke-miterlimit stroke-opacity stroke-width text-anchor text-decoration text-rendering underline-position underline-thickness unicode-bidi unicode-range units-per-em v-alphabetic v-hanging v-ideographic v-mathematical vector-effect vert-adv-y vert-origin-x vert-origin-y word-spacing writing-mode xmlns:xlink x-height".split(" ").forEach((function(e){var t=e.replace(y,b);g[t]=new m(t,1,!1,e,null,!1,!1)})),"xlink:actuate xlink:arcrole xlink:role xlink:show xlink:title xlink:type".split(" ").forEach((function(e){var t=e.replace(y,b);g[t]=new m(t,1,!1,e,"http://www.w3.org/1999/xlink",!1,!1)})),["xml:base","xml:lang","xml:space"].forEach((function(e){var t=e.replace(y,b);g[t]=new m(t,1,!1,e,"http://www.w3.org/XML/1998/namespace",!1,!1)})),["tabIndex","crossOrigin"].forEach((function(e){g[e]=new m(e,1,!1,e.toLowerCase(),null,!1,!1)})),g.xlinkHref=new m("xlinkHref",1,!1,"xlink:href","http://www.w3.org/1999/xlink",!0,!1),["src","href","action","formAction"].forEach((function(e){g[e]=new m(e,1,!1,e.toLowerCase(),null,!0,!0)}));var w=r.__SECRET_INTERNALS_DO_NOT_USE_OR_YOU_WILL_BE_FIRED,k=Symbol.for("react.element"),x=Symbol.for("react.portal"),S=Symbol.for("react.fragment"),E=Symbol.for("react.strict_mode"),_=Symbol.for("react.profiler"),C=Symbol.for("react.provider"),T=Symbol.for("react.context"),j=Symbol.for("react.forward_ref"),L=Symbol.for("react.suspense"),R=Symbol.for("react.suspense_list"),N=Symbol.for("react.memo"),P=Symbol.for("react.lazy");Symbol.for("react.scope"),Symbol.for("react.debug_trace_mode");var A=Symbol.for("react.offscreen");Symbol.for("react.legacy_hidden"),Symbol.for("react.cache"),Symbol.for("react.tracing_marker");var O=Symbol.iterator;function I(e){return null===e||"object"!=typeof e?null:"function"==typeof(e=O&&e[O]||e["@@iterator"])?e:null}var D,F=Object.assign;function M(e){if(void 0===D)try{throw Error()}catch(n){var t=n.stack.trim().match(/\n( *(at )?)/);D=t&&t[1]||""}return"\n"+D+e}var z=!1;function B(e,t){if(!e||z)return"";z=!0;var n=Error.prepareStackTrace;Error.prepareStackTrace=void 0;try{if(t)if(t=function(){throw Error()},Object.defineProperty(t.prototype,"props",{set:function(){throw Error()}}),"object"==typeof Reflect&&Reflect.construct){try{Reflect.construct(t,[])}catch(c){var r=c}Reflect.construct(e,[],t)}else{try{t.call()}catch(c){r=c}e.call(t.prototype)}else{try{throw Error()}catch(c){r=c}e()}}catch(c){if(c&&r&&"string"==typeof c.stack){for(var a=c.stack.split("\n"),o=r.stack.split("\n"),i=a.length-1,s=o.length-1;1<=i&&0<=s&&a[i]!==o[s];)s--;for(;1<=i&&0<=s;i--,s--)if(a[i]!==o[s]){if(1!==i||1!==s)do{if(i--,0>--s||a[i]!==o[s]){var l="\n"+a[i].replace(" at new "," at ");return e.displayName&&l.includes("<anonymous>")&&(l=l.replace("<anonymous>",e.displayName)),l}}while(1<=i&&0<=s);break}}}finally{z=!1,Error.prepareStackTrace=n}return(e=e?e.displayName||e.name:"")?M(e):""}function $(e){switch(e.tag){case 5:return M(e.type);case 16:return M("Lazy");case 13:return M("Suspense");case 19:return M("SuspenseList");case 0:case 2:case 15:return e=B(e.type,!1);case 11:return e=B(e.type.render,!1);case 1:return e=B(e.type,!0);default:return""}}function U(e){if(null==e)return null;if("function"==typeof e)return e.displayName||e.name||null;if("string"==typeof e)return e;switch(e){case S:return"Fragment";case x:return"Portal";case _:return"Profiler";case E:return"StrictMode";case L:return"Suspense";case R:return"SuspenseList"}if("object"==typeof e)switch(e.$$typeof){case T:return(e.displayName||"Context")+".Consumer";case C:return(e._context.displayName||"Context")+".Provider";case j:var t=e.render;return(e=e.displayName)||(e=""!==(e=t.displayName||t.name||"")?"ForwardRef("+e+")":"ForwardRef"),e;case N:return null!==(t=e.displayName||null)?t:U(e.type)||"Memo";case P:t=e._payload,e=e._init;try{return U(e(t))}catch(n){}}return null}function q(e){var t=e.type;switch(e.tag){case 24:return"Cache";case 9:return(t.displayName||"Context")+".Consumer";case 10:return(t._context.displayName||"Context")+".Provider";case 18:return"DehydratedFragment";case 11:return e=(e=t.render).displayName||e.name||"",t.displayName||(""!==e?"ForwardRef("+e+")":"ForwardRef");case 7:return"Fragment";case 5:return t;case 4:return"Portal";case 3:return"Root";case 6:return"Text";case 16:return U(t);case 8:return t===E?"StrictMode":"Mode";case 22:return"Offscreen";case 12:return"Profiler";case 21:return"Scope";case 13:return"Suspense";case 19:return"SuspenseList";case 25:return"TracingMarker";case 1:case 0:case 17:case 2:case 14:case 15:if("function"==typeof t)return t.displayName||t.name||null;if("string"==typeof t)return t}return null}function H(e){switch(typeof e){case"boolean":case"number":case"string":case"undefined":case"object":return e;default:return""}}function Q(e){var t=e.type;return(e=e.nodeName)&&"input"===e.toLowerCase()&&("checkbox"===t||"radio"===t)}function Z(e){e._valueTracker||(e._valueTracker=function(e){var t=Q(e)?"checked":"value",n=Object.getOwnPropertyDescriptor(e.constructor.prototype,t),r=""+e[t];if(!e.hasOwnProperty(t)&&void 0!==n&&"function"==typeof n.get&&"function"==typeof n.set){var a=n.get,o=n.set;return Object.defineProperty(e,t,{configurable:!0,get:function(){return a.call(this)},set:function(e){r=""+e,o.call(this,e)}}),Object.defineProperty(e,t,{enumerable:n.enumerable}),{getValue:function(){return r},setValue:function(e){r=""+e},stopTracking:function(){e._valueTracker=null,delete e[t]}}}}(e))}function V(e){if(!e)return!1;var t=e._valueTracker;if(!t)return!0;var n=t.getValue(),r="";return e&&(r=Q(e)?e.checked?"true":"false":e.value),(e=r)!==n&&(t.setValue(e),!0)}function W(e){if(void 0===(e=e||("undefined"!=typeof document?document:void 0)))return null;try{return e.activeElement||e.body}catch(t){return e.body}}function G(e,t){var n=t.checked;return F({},t,{defaultChecked:void 0,defaultValue:void 0,value:void 0,checked:null!=n?n:e._wrapperState.initialChecked})}function X(e,t){var n=null==t.defaultValue?"":t.defaultValue,r=null!=t.checked?t.checked:t.defaultChecked;n=H(null!=t.value?t.value:n),e._wrapperState={initialChecked:r,initialValue:n,controlled:"checkbox"===t.type||"radio"===t.type?null!=t.checked:null!=t.value}}function K(e,t){null!=(t=t.checked)&&v(e,"checked",t,!1)}function Y(e,t){K(e,t);var n=H(t.value),r=t.type;if(null!=n)"number"===r?(0===n&&""===e.value||e.value!=n)&&(e.value=""+n):e.value!==""+n&&(e.value=""+n);else if("submit"===r||"reset"===r)return void e.removeAttribute("value");t.hasOwnProperty("value")?ee(e,t.type,n):t.hasOwnProperty("defaultValue")&&ee(e,t.type,H(t.defaultValue)),null==t.checked&&null!=t.defaultChecked&&(e.defaultChecked=!!t.defaultChecked)}function J(e,t,n){if(t.hasOwnProperty("value")||t.hasOwnProperty("defaultValue")){var r=t.type;if(!("submit"!==r&&"reset"!==r||void 0!==t.value&&null!==t.value))return;t=""+e._wrapperState.initialValue,n||t===e.value||(e.value=t),e.defaultValue=t}""!==(n=e.name)&&(e.name=""),e.defaultChecked=!!e._wrapperState.initialChecked,""!==n&&(e.name=n)}function ee(e,t,n){"number"===t&&W(e.ownerDocument)===e||(null==n?e.defaultValue=""+e._wrapperState.initialValue:e.defaultValue!==""+n&&(e.defaultValue=""+n))}var te=Array.isArray;function ne(e,t,n,r){if(e=e.options,t){t={};for(var a=0;a<n.length;a++)t["$"+n[a]]=!0;for(n=0;n<e.length;n++)a=t.hasOwnProperty("$"+e[n].value),e[n].selected!==a&&(e[n].selected=a),a&&r&&(e[n].defaultSelected=!0)}else{for(n=""+H(n),t=null,a=0;a<e.length;a++){if(e[a].value===n)return e[a].selected=!0,void(r&&(e[a].defaultSelected=!0));null!==t||e[a].disabled||(t=e[a])}null!==t&&(t.selected=!0)}}function re(e,t){if(null!=t.dangerouslySetInnerHTML)throw Error(o(91));return F({},t,{value:void 0,defaultValue:void 0,children:""+e._wrapperState.initialValue})}function ae(e,t){var n=t.value;if(null==n){if(n=t.children,t=t.defaultValue,null!=n){if(null!=t)throw Error(o(92));if(te(n)){if(1<n.length)throw Error(o(93));n=n[0]}t=n}null==t&&(t=""),n=t}e._wrapperState={initialValue:H(n)}}function oe(e,t){var n=H(t.value),r=H(t.defaultValue);null!=n&&((n=""+n)!==e.value&&(e.value=n),null==t.defaultValue&&e.defaultValue!==n&&(e.defaultValue=n)),null!=r&&(e.defaultValue=""+r)}function ie(e){var t=e.textContent;t===e._wrapperState.initialValue&&""!==t&&null!==t&&(e.value=t)}function se(e){switch(e){case"svg":return"http://www.w3.org/2000/svg";case"math":return"http://www.w3.org/1998/Math/MathML";default:return"http://www.w3.org/1999/xhtml"}}function le(e,t){return null==e||"http://www.w3.org/1999/xhtml"===e?se(t):"http://www.w3.org/2000/svg"===e&&"foreignObject"===t?"http://www.w3.org/1999/xhtml":e}var ce,ue,de=(ue=function(e,t){if("http://www.w3.org/2000/svg"!==e.namespaceURI||"innerHTML"in e)e.innerHTML=t;else{for((ce=ce||document.createElement("div")).innerHTML="<svg>"+t.valueOf().toString()+"</svg>",t=ce.firstChild;e.firstChild;)e.removeChild(e.firstChild);for(;t.firstChild;)e.appendChild(t.firstChild)}},"undefined"!=typeof MSApp&&MSApp.execUnsafeLocalFunction?function(e,t,n,r){MSApp.execUnsafeLocalFunction((function(){return ue(e,t)}))}:ue);function pe(e,t){if(t){var n=e.firstChild;if(n&&n===e.lastChild&&3===n.nodeType)return void(n.nodeValue=t)}e.textContent=t}var fe={animationIterationCount:!0,aspectRatio:!0,borderImageOutset:!0,borderImageSlice:!0,borderImageWidth:!0,boxFlex:!0,boxFlexGroup:!0,boxOrdinalGroup:!0,columnCount:!0,columns:!0,flex:!0,flexGrow:!0,flexPositive:!0,flexShrink:!0,flexNegative:!0,flexOrder:!0,gridArea:!0,gridRow:!0,gridRowEnd:!0,gridRowSpan:!0,gridRowStart:!0,gridColumn:!0,gridColumnEnd:!0,gridColumnSpan:!0,gridColumnStart:!0,fontWeight:!0,lineClamp:!0,lineHeight:!0,opacity:!0,order:!0,orphans:!0,tabSize:!0,widows:!0,zIndex:!0,zoom:!0,fillOpacity:!0,floodOpacity:!0,stopOpacity:!0,strokeDasharray:!0,strokeDashoffset:!0,strokeMiterlimit:!0,strokeOpacity:!0,strokeWidth:!0},he=["Webkit","ms","Moz","O"];function me(e,t,n){return null==t||"boolean"==typeof t||""===t?"":n||"number"!=typeof t||0===t||fe.hasOwnProperty(e)&&fe[e]?(""+t).trim():t+"px"}function ge(e,t){for(var n in e=e.style,t)if(t.hasOwnProperty(n)){var r=0===n.indexOf("--"),a=me(n,t[n],r);"float"===n&&(n="cssFloat"),r?e.setProperty(n,a):e[n]=a}}Object.keys(fe).forEach((function(e){he.forEach((function(t){t=t+e.charAt(0).toUpperCase()+e.substring(1),fe[t]=fe[e]}))}));var ye=F({menuitem:!0},{area:!0,base:!0,br:!0,col:!0,embed:!0,hr:!0,img:!0,input:!0,keygen:!0,link:!0,meta:!0,param:!0,source:!0,track:!0,wbr:!0});function be(e,t){if(t){if(ye[e]&&(null!=t.children||null!=t.dangerouslySetInnerHTML))throw Error(o(137,e));if(null!=t.dangerouslySetInnerHTML){if(null!=t.children)throw Error(o(60));if("object"!=typeof t.dangerouslySetInnerHTML||!("__html"in t.dangerouslySetInnerHTML))throw Error(o(61))}if(null!=t.style&&"object"!=typeof t.style)throw Error(o(62))}}function ve(e,t){if(-1===e.indexOf("-"))return"string"==typeof t.is;switch(e){case"annotation-xml":case"color-profile":case"font-face":case"font-face-src":case"font-face-uri":case"font-face-format":case"font-face-name":case"missing-glyph":return!1;default:return!0}}var we=null;function ke(e){return(e=e.target||e.srcElement||window).correspondingUseElement&&(e=e.correspondingUseElement),3===e.nodeType?e.parentNode:e}var xe=null,Se=null,Ee=null;function _e(e){if(e=va(e)){if("function"!=typeof xe)throw Error(o(280));var t=e.stateNode;t&&(t=ka(t),xe(e.stateNode,e.type,t))}}function Ce(e){Se?Ee?Ee.push(e):Ee=[e]:Se=e}function Te(){if(Se){var e=Se,t=Ee;if(Ee=Se=null,_e(e),t)for(e=0;e<t.length;e++)_e(t[e])}}function je(e,t){return e(t)}function Le(){}var Re=!1;function Ne(e,t,n){if(Re)return e(t,n);Re=!0;try{return je(e,t,n)}finally{Re=!1,(null!==Se||null!==Ee)&&(Le(),Te())}}function Pe(e,t){var n=e.stateNode;if(null===n)return null;var r=ka(n);if(null===r)return null;n=r[t];e:switch(t){case"onClick":case"onClickCapture":case"onDoubleClick":case"onDoubleClickCapture":case"onMouseDown":case"onMouseDownCapture":case"onMouseMove":case"onMouseMoveCapture":case"onMouseUp":case"onMouseUpCapture":case"onMouseEnter":(r=!r.disabled)||(r=!("button"===(e=e.type)||"input"===e||"select"===e||"textarea"===e)),e=!r;break e;default:e=!1}if(e)return null;if(n&&"function"!=typeof n)throw Error(o(231,t,typeof n));return n}var Ae=!1;if(u)try{var Oe={};Object.defineProperty(Oe,"passive",{get:function(){Ae=!0}}),window.addEventListener("test",Oe,Oe),window.removeEventListener("test",Oe,Oe)}catch(ue){Ae=!1}function Ie(e,t,n,r,a,o,i,s,l){var c=Array.prototype.slice.call(arguments,3);try{t.apply(n,c)}catch(u){this.onError(u)}}var De=!1,Fe=null,Me=!1,ze=null,Be={onError:function(e){De=!0,Fe=e}};function $e(e,t,n,r,a,o,i,s,l){De=!1,Fe=null,Ie.apply(Be,arguments)}function Ue(e){var t=e,n=e;if(e.alternate)for(;t.return;)t=t.return;else{e=t;do{0!=(4098&(t=e).flags)&&(n=t.return),e=t.return}while(e)}return 3===t.tag?n:null}function qe(e){if(13===e.tag){var t=e.memoizedState;if(null===t&&(null!==(e=e.alternate)&&(t=e.memoizedState)),null!==t)return t.dehydrated}return null}function He(e){if(Ue(e)!==e)throw Error(o(188))}function Qe(e){return null!==(e=function(e){var t=e.alternate;if(!t){if(null===(t=Ue(e)))throw Error(o(188));return t!==e?null:e}for(var n=e,r=t;;){var a=n.return;if(null===a)break;var i=a.alternate;if(null===i){if(null!==(r=a.return)){n=r;continue}break}if(a.child===i.child){for(i=a.child;i;){if(i===n)return He(a),e;if(i===r)return He(a),t;i=i.sibling}throw Error(o(188))}if(n.return!==r.return)n=a,r=i;else{for(var s=!1,l=a.child;l;){if(l===n){s=!0,n=a,r=i;break}if(l===r){s=!0,r=a,n=i;break}l=l.sibling}if(!s){for(l=i.child;l;){if(l===n){s=!0,n=i,r=a;break}if(l===r){s=!0,r=i,n=a;break}l=l.sibling}if(!s)throw Error(o(189))}}if(n.alternate!==r)throw Error(o(190))}if(3!==n.tag)throw Error(o(188));return n.stateNode.current===n?e:t}(e))?Ze(e):null}function Ze(e){if(5===e.tag||6===e.tag)return e;for(e=e.child;null!==e;){var t=Ze(e);if(null!==t)return t;e=e.sibling}return null}var Ve=a.unstable_scheduleCallback,We=a.unstable_cancelCallback,Ge=a.unstable_shouldYield,Xe=a.unstable_requestPaint,Ke=a.unstable_now,Ye=a.unstable_getCurrentPriorityLevel,Je=a.unstable_ImmediatePriority,et=a.unstable_UserBlockingPriority,tt=a.unstable_NormalPriority,nt=a.unstable_LowPriority,rt=a.unstable_IdlePriority,at=null,ot=null;var it=Math.clz32?Math.clz32:function(e){return e>>>=0,0===e?32:31-(st(e)/lt|0)|0},st=Math.log,lt=Math.LN2;var ct=64,ut=4194304;function dt(e){switch(e&-e){case 1:return 1;case 2:return 2;case 4:return 4;case 8:return 8;case 16:return 16;case 32:return 32;case 64:case 128:case 256:case 512:case 1024:case 2048:case 4096:case 8192:case 16384:case 32768:case 65536:case 131072:case 262144:case 524288:case 1048576:case 2097152:return 4194240&e;case 4194304:case 8388608:case 16777216:case 33554432:case 67108864:return 130023424&e;case 134217728:return 134217728;case 268435456:return 268435456;case 536870912:return 536870912;case 1073741824:return 1073741824;default:return e}}function pt(e,t){var n=e.pendingLanes;if(0===n)return 0;var r=0,a=e.suspendedLanes,o=e.pingedLanes,i=268435455&n;if(0!==i){var s=i&~a;0!==s?r=dt(s):0!==(o&=i)&&(r=dt(o))}else 0!==(i=n&~a)?r=dt(i):0!==o&&(r=dt(o));if(0===r)return 0;if(0!==t&&t!==r&&0==(t&a)&&((a=r&-r)>=(o=t&-t)||16===a&&0!=(4194240&o)))return t;if(0!=(4&r)&&(r|=16&n),0!==(t=e.entangledLanes))for(e=e.entanglements,t&=r;0<t;)a=1<<(n=31-it(t)),r|=e[n],t&=~a;return r}function ft(e,t){switch(e){case 1:case 2:case 4:return t+250;case 8:case 16:case 32:case 64:case 128:case 256:case 512:case 1024:case 2048:case 4096:case 8192:case 16384:case 32768:case 65536:case 131072:case 262144:case 524288:case 1048576:case 2097152:return t+5e3;default:return-1}}function ht(e){return 0!==(e=-1073741825&e.pendingLanes)?e:1073741824&e?1073741824:0}function mt(){var e=ct;return 0==(4194240&(ct<<=1))&&(ct=64),e}function gt(e){for(var t=[],n=0;31>n;n++)t.push(e);return t}function yt(e,t,n){e.pendingLanes|=t,536870912!==t&&(e.suspendedLanes=0,e.pingedLanes=0),(e=e.eventTimes)[t=31-it(t)]=n}function bt(e,t){var n=e.entangledLanes|=t;for(e=e.entanglements;n;){var r=31-it(n),a=1<<r;a&t|e[r]&t&&(e[r]|=t),n&=~a}}var vt=0;function wt(e){return 1<(e&=-e)?4<e?0!=(268435455&e)?16:536870912:4:1}var kt,xt,St,Et,_t,Ct=!1,Tt=[],jt=null,Lt=null,Rt=null,Nt=new Map,Pt=new Map,At=[],Ot="mousedown mouseup touchcancel touchend touchstart auxclick dblclick pointercancel pointerdown pointerup dragend dragstart drop compositionend compositionstart keydown keypress keyup input textInput copy cut paste click change contextmenu reset submit".split(" ");function It(e,t){switch(e){case"focusin":case"focusout":jt=null;break;case"dragenter":case"dragleave":Lt=null;break;case"mouseover":case"mouseout":Rt=null;break;case"pointerover":case"pointerout":Nt.delete(t.pointerId);break;case"gotpointercapture":case"lostpointercapture":Pt.delete(t.pointerId)}}function Dt(e,t,n,r,a,o){return null===e||e.nativeEvent!==o?(e={blockedOn:t,domEventName:n,eventSystemFlags:r,nativeEvent:o,targetContainers:[a]},null!==t&&(null!==(t=va(t))&&xt(t)),e):(e.eventSystemFlags|=r,t=e.targetContainers,null!==a&&-1===t.indexOf(a)&&t.push(a),e)}function Ft(e){var t=ba(e.target);if(null!==t){var n=Ue(t);if(null!==n)if(13===(t=n.tag)){if(null!==(t=qe(n)))return e.blockedOn=t,void _t(e.priority,(function(){St(n)}))}else if(3===t&&n.stateNode.current.memoizedState.isDehydrated)return void(e.blockedOn=3===n.tag?n.stateNode.containerInfo:null)}e.blockedOn=null}function Mt(e){if(null!==e.blockedOn)return!1;for(var t=e.targetContainers;0<t.length;){var n=Gt(e.domEventName,e.eventSystemFlags,t[0],e.nativeEvent);if(null!==n)return null!==(t=va(n))&&xt(t),e.blockedOn=n,!1;var r=new(n=e.nativeEvent).constructor(n.type,n);we=r,n.target.dispatchEvent(r),we=null,t.shift()}return!0}function zt(e,t,n){Mt(e)&&n.delete(t)}function Bt(){Ct=!1,null!==jt&&Mt(jt)&&(jt=null),null!==Lt&&Mt(Lt)&&(Lt=null),null!==Rt&&Mt(Rt)&&(Rt=null),Nt.forEach(zt),Pt.forEach(zt)}function $t(e,t){e.blockedOn===t&&(e.blockedOn=null,Ct||(Ct=!0,a.unstable_scheduleCallback(a.unstable_NormalPriority,Bt)))}function Ut(e){function t(t){return $t(t,e)}if(0<Tt.length){$t(Tt[0],e);for(var n=1;n<Tt.length;n++){var r=Tt[n];r.blockedOn===e&&(r.blockedOn=null)}}for(null!==jt&&$t(jt,e),null!==Lt&&$t(Lt,e),null!==Rt&&$t(Rt,e),Nt.forEach(t),Pt.forEach(t),n=0;n<At.length;n++)(r=At[n]).blockedOn===e&&(r.blockedOn=null);for(;0<At.length&&null===(n=At[0]).blockedOn;)Ft(n),null===n.blockedOn&&At.shift()}var qt=w.ReactCurrentBatchConfig,Ht=!0;function Qt(e,t,n,r){var a=vt,o=qt.transition;qt.transition=null;try{vt=1,Vt(e,t,n,r)}finally{vt=a,qt.transition=o}}function Zt(e,t,n,r){var a=vt,o=qt.transition;qt.transition=null;try{vt=4,Vt(e,t,n,r)}finally{vt=a,qt.transition=o}}function Vt(e,t,n,r){if(Ht){var a=Gt(e,t,n,r);if(null===a)Hr(e,t,r,Wt,n),It(e,r);else if(function(e,t,n,r,a){switch(t){case"focusin":return jt=Dt(jt,e,t,n,r,a),!0;case"dragenter":return Lt=Dt(Lt,e,t,n,r,a),!0;case"mouseover":return Rt=Dt(Rt,e,t,n,r,a),!0;case"pointerover":var o=a.pointerId;return Nt.set(o,Dt(Nt.get(o)||null,e,t,n,r,a)),!0;case"gotpointercapture":return o=a.pointerId,Pt.set(o,Dt(Pt.get(o)||null,e,t,n,r,a)),!0}return!1}(a,e,t,n,r))r.stopPropagation();else if(It(e,r),4&t&&-1<Ot.indexOf(e)){for(;null!==a;){var o=va(a);if(null!==o&&kt(o),null===(o=Gt(e,t,n,r))&&Hr(e,t,r,Wt,n),o===a)break;a=o}null!==a&&r.stopPropagation()}else Hr(e,t,r,null,n)}}var Wt=null;function Gt(e,t,n,r){if(Wt=null,null!==(e=ba(e=ke(r))))if(null===(t=Ue(e)))e=null;else if(13===(n=t.tag)){if(null!==(e=qe(t)))return e;e=null}else if(3===n){if(t.stateNode.current.memoizedState.isDehydrated)return 3===t.tag?t.stateNode.containerInfo:null;e=null}else t!==e&&(e=null);return Wt=e,null}function Xt(e){switch(e){case"cancel":case"click":case"close":case"contextmenu":case"copy":case"cut":case"auxclick":case"dblclick":case"dragend":case"dragstart":case"drop":case"focusin":case"focusout":case"input":case"invalid":case"keydown":case"keypress":case"keyup":case"mousedown":case"mouseup":case"paste":case"pause":case"play":case"pointercancel":case"pointerdown":case"pointerup":case"ratechange":case"reset":case"resize":case"seeked":case"submit":case"touchcancel":case"touchend":case"touchstart":case"volumechange":case"change":case"selectionchange":case"textInput":case"compositionstart":case"compositionend":case"compositionupdate":case"beforeblur":case"afterblur":case"beforeinput":case"blur":case"fullscreenchange":case"focus":case"hashchange":case"popstate":case"select":case"selectstart":return 1;case"drag":case"dragenter":case"dragexit":case"dragleave":case"dragover":case"mousemove":case"mouseout":case"mouseover":case"pointermove":case"pointerout":case"pointerover":case"scroll":case"toggle":case"touchmove":case"wheel":case"mouseenter":case"mouseleave":case"pointerenter":case"pointerleave":return 4;case"message":switch(Ye()){case Je:return 1;case et:return 4;case tt:case nt:return 16;case rt:return 536870912;default:return 16}default:return 16}}var Kt=null,Yt=null,Jt=null;function en(){if(Jt)return Jt;var e,t,n=Yt,r=n.length,a="value"in Kt?Kt.value:Kt.textContent,o=a.length;for(e=0;e<r&&n[e]===a[e];e++);var i=r-e;for(t=1;t<=i&&n[r-t]===a[o-t];t++);return Jt=a.slice(e,1<t?1-t:void 0)}function tn(e){var t=e.keyCode;return"charCode"in e?0===(e=e.charCode)&&13===t&&(e=13):e=t,10===e&&(e=13),32<=e||13===e?e:0}function nn(){return!0}function rn(){return!1}function an(e){function t(t,n,r,a,o){for(var i in this._reactName=t,this._targetInst=r,this.type=n,this.nativeEvent=a,this.target=o,this.currentTarget=null,e)e.hasOwnProperty(i)&&(t=e[i],this[i]=t?t(a):a[i]);return this.isDefaultPrevented=(null!=a.defaultPrevented?a.defaultPrevented:!1===a.returnValue)?nn:rn,this.isPropagationStopped=rn,this}return F(t.prototype,{preventDefault:function(){this.defaultPrevented=!0;var e=this.nativeEvent;e&&(e.preventDefault?e.preventDefault():"unknown"!=typeof e.returnValue&&(e.returnValue=!1),this.isDefaultPrevented=nn)},stopPropagation:function(){var e=this.nativeEvent;e&&(e.stopPropagation?e.stopPropagation():"unknown"!=typeof e.cancelBubble&&(e.cancelBubble=!0),this.isPropagationStopped=nn)},persist:function(){},isPersistent:nn}),t}var on,sn,ln,cn={eventPhase:0,bubbles:0,cancelable:0,timeStamp:function(e){return e.timeStamp||Date.now()},defaultPrevented:0,isTrusted:0},un=an(cn),dn=F({},cn,{view:0,detail:0}),pn=an(dn),fn=F({},dn,{screenX:0,screenY:0,clientX:0,clientY:0,pageX:0,pageY:0,ctrlKey:0,shiftKey:0,altKey:0,metaKey:0,getModifierState:_n,button:0,buttons:0,relatedTarget:function(e){return void 0===e.relatedTarget?e.fromElement===e.srcElement?e.toElement:e.fromElement:e.relatedTarget},movementX:function(e){return"movementX"in e?e.movementX:(e!==ln&&(ln&&"mousemove"===e.type?(on=e.screenX-ln.screenX,sn=e.screenY-ln.screenY):sn=on=0,ln=e),on)},movementY:function(e){return"movementY"in e?e.movementY:sn}}),hn=an(fn),mn=an(F({},fn,{dataTransfer:0})),gn=an(F({},dn,{relatedTarget:0})),yn=an(F({},cn,{animationName:0,elapsedTime:0,pseudoElement:0})),bn=F({},cn,{clipboardData:function(e){return"clipboardData"in e?e.clipboardData:window.clipboardData}}),vn=an(bn),wn=an(F({},cn,{data:0})),kn={Esc:"Escape",Spacebar:" ",Left:"ArrowLeft",Up:"ArrowUp",Right:"ArrowRight",Down:"ArrowDown",Del:"Delete",Win:"OS",Menu:"ContextMenu",Apps:"ContextMenu",Scroll:"ScrollLock",MozPrintableKey:"Unidentified"},xn={8:"Backspace",9:"Tab",12:"Clear",13:"Enter",16:"Shift",17:"Control",18:"Alt",19:"Pause",20:"CapsLock",27:"Escape",32:" ",33:"PageUp",34:"PageDown",35:"End",36:"Home",37:"ArrowLeft",38:"ArrowUp",39:"ArrowRight",40:"ArrowDown",45:"Insert",46:"Delete",112:"F1",113:"F2",114:"F3",115:"F4",116:"F5",117:"F6",118:"F7",119:"F8",120:"F9",121:"F10",122:"F11",123:"F12",144:"NumLock",145:"ScrollLock",224:"Meta"},Sn={Alt:"altKey",Control:"ctrlKey",Meta:"metaKey",Shift:"shiftKey"};function En(e){var t=this.nativeEvent;return t.getModifierState?t.getModifierState(e):!!(e=Sn[e])&&!!t[e]}function _n(){return En}var Cn=F({},dn,{key:function(e){if(e.key){var t=kn[e.key]||e.key;if("Unidentified"!==t)return t}return"keypress"===e.type?13===(e=tn(e))?"Enter":String.fromCharCode(e):"keydown"===e.type||"keyup"===e.type?xn[e.keyCode]||"Unidentified":""},code:0,location:0,ctrlKey:0,shiftKey:0,altKey:0,metaKey:0,repeat:0,locale:0,getModifierState:_n,charCode:function(e){return"keypress"===e.type?tn(e):0},keyCode:function(e){return"keydown"===e.type||"keyup"===e.type?e.keyCode:0},which:function(e){return"keypress"===e.type?tn(e):"keydown"===e.type||"keyup"===e.type?e.keyCode:0}}),Tn=an(Cn),jn=an(F({},fn,{pointerId:0,width:0,height:0,pressure:0,tangentialPressure:0,tiltX:0,tiltY:0,twist:0,pointerType:0,isPrimary:0})),Ln=an(F({},dn,{touches:0,targetTouches:0,changedTouches:0,altKey:0,metaKey:0,ctrlKey:0,shiftKey:0,getModifierState:_n})),Rn=an(F({},cn,{propertyName:0,elapsedTime:0,pseudoElement:0})),Nn=F({},fn,{deltaX:function(e){return"deltaX"in e?e.deltaX:"wheelDeltaX"in e?-e.wheelDeltaX:0},deltaY:function(e){return"deltaY"in e?e.deltaY:"wheelDeltaY"in e?-e.wheelDeltaY:"wheelDelta"in e?-e.wheelDelta:0},deltaZ:0,deltaMode:0}),Pn=an(Nn),An=[9,13,27,32],On=u&&"CompositionEvent"in window,In=null;u&&"documentMode"in document&&(In=document.documentMode);var Dn=u&&"TextEvent"in window&&!In,Fn=u&&(!On||In&&8<In&&11>=In),Mn=String.fromCharCode(32),zn=!1;function Bn(e,t){switch(e){case"keyup":return-1!==An.indexOf(t.keyCode);case"keydown":return 229!==t.keyCode;case"keypress":case"mousedown":case"focusout":return!0;default:return!1}}function $n(e){return"object"==typeof(e=e.detail)&&"data"in e?e.data:null}var Un=!1;var qn={color:!0,date:!0,datetime:!0,"datetime-local":!0,email:!0,month:!0,number:!0,password:!0,range:!0,search:!0,tel:!0,text:!0,time:!0,url:!0,week:!0};function Hn(e){var t=e&&e.nodeName&&e.nodeName.toLowerCase();return"input"===t?!!qn[e.type]:"textarea"===t}function Qn(e,t,n,r){Ce(r),0<(t=Zr(t,"onChange")).length&&(n=new un("onChange","change",null,n,r),e.push({event:n,listeners:t}))}var Zn=null,Vn=null;function Wn(e){Mr(e,0)}function Gn(e){if(V(wa(e)))return e}function Xn(e,t){if("change"===e)return t}var Kn=!1;if(u){var Yn;if(u){var Jn="oninput"in document;if(!Jn){var er=document.createElement("div");er.setAttribute("oninput","return;"),Jn="function"==typeof er.oninput}Yn=Jn}else Yn=!1;Kn=Yn&&(!document.documentMode||9<document.documentMode)}function tr(){Zn&&(Zn.detachEvent("onpropertychange",nr),Vn=Zn=null)}function nr(e){if("value"===e.propertyName&&Gn(Vn)){var t=[];Qn(t,Vn,e,ke(e)),Ne(Wn,t)}}function rr(e,t,n){"focusin"===e?(tr(),Vn=n,(Zn=t).attachEvent("onpropertychange",nr)):"focusout"===e&&tr()}function ar(e){if("selectionchange"===e||"keyup"===e||"keydown"===e)return Gn(Vn)}function or(e,t){if("click"===e)return Gn(t)}function ir(e,t){if("input"===e||"change"===e)return Gn(t)}var sr="function"==typeof Object.is?Object.is:function(e,t){return e===t&&(0!==e||1/e==1/t)||e!=e&&t!=t};function lr(e,t){if(sr(e,t))return!0;if("object"!=typeof e||null===e||"object"!=typeof t||null===t)return!1;var n=Object.keys(e),r=Object.keys(t);if(n.length!==r.length)return!1;for(r=0;r<n.length;r++){var a=n[r];if(!d.call(t,a)||!sr(e[a],t[a]))return!1}return!0}function cr(e){for(;e&&e.firstChild;)e=e.firstChild;return e}function ur(e,t){var n,r=cr(e);for(e=0;r;){if(3===r.nodeType){if(n=e+r.textContent.length,e<=t&&n>=t)return{node:r,offset:t-e};e=n}e:{for(;r;){if(r.nextSibling){r=r.nextSibling;break e}r=r.parentNode}r=void 0}r=cr(r)}}function dr(e,t){return!(!e||!t)&&(e===t||(!e||3!==e.nodeType)&&(t&&3===t.nodeType?dr(e,t.parentNode):"contains"in e?e.contains(t):!!e.compareDocumentPosition&&!!(16&e.compareDocumentPosition(t))))}function pr(){for(var e=window,t=W();t instanceof e.HTMLIFrameElement;){try{var n="string"==typeof t.contentWindow.location.href}catch(r){n=!1}if(!n)break;t=W((e=t.contentWindow).document)}return t}function fr(e){var t=e&&e.nodeName&&e.nodeName.toLowerCase();return t&&("input"===t&&("text"===e.type||"search"===e.type||"tel"===e.type||"url"===e.type||"password"===e.type)||"textarea"===t||"true"===e.contentEditable)}function hr(e){var t=pr(),n=e.focusedElem,r=e.selectionRange;if(t!==n&&n&&n.ownerDocument&&dr(n.ownerDocument.documentElement,n)){if(null!==r&&fr(n))if(t=r.start,void 0===(e=r.end)&&(e=t),"selectionStart"in n)n.selectionStart=t,n.selectionEnd=Math.min(e,n.value.length);else if((e=(t=n.ownerDocument||document)&&t.defaultView||window).getSelection){e=e.getSelection();var a=n.textContent.length,o=Math.min(r.start,a);r=void 0===r.end?o:Math.min(r.end,a),!e.extend&&o>r&&(a=r,r=o,o=a),a=ur(n,o);var i=ur(n,r);a&&i&&(1!==e.rangeCount||e.anchorNode!==a.node||e.anchorOffset!==a.offset||e.focusNode!==i.node||e.focusOffset!==i.offset)&&((t=t.createRange()).setStart(a.node,a.offset),e.removeAllRanges(),o>r?(e.addRange(t),e.extend(i.node,i.offset)):(t.setEnd(i.node,i.offset),e.addRange(t)))}for(t=[],e=n;e=e.parentNode;)1===e.nodeType&&t.push({element:e,left:e.scrollLeft,top:e.scrollTop});for("function"==typeof n.focus&&n.focus(),n=0;n<t.length;n++)(e=t[n]).element.scrollLeft=e.left,e.element.scrollTop=e.top}}var mr=u&&"documentMode"in document&&11>=document.documentMode,gr=null,yr=null,br=null,vr=!1;function wr(e,t,n){var r=n.window===n?n.document:9===n.nodeType?n:n.ownerDocument;vr||null==gr||gr!==W(r)||("selectionStart"in(r=gr)&&fr(r)?r={start:r.selectionStart,end:r.selectionEnd}:r={anchorNode:(r=(r.ownerDocument&&r.ownerDocument.defaultView||window).getSelection()).anchorNode,anchorOffset:r.anchorOffset,focusNode:r.focusNode,focusOffset:r.focusOffset},br&&lr(br,r)||(br=r,0<(r=Zr(yr,"onSelect")).length&&(t=new un("onSelect","select",null,t,n),e.push({event:t,listeners:r}),t.target=gr)))}function kr(e,t){var n={};return n[e.toLowerCase()]=t.toLowerCase(),n["Webkit"+e]="webkit"+t,n["Moz"+e]="moz"+t,n}var xr={animationend:kr("Animation","AnimationEnd"),animationiteration:kr("Animation","AnimationIteration"),animationstart:kr("Animation","AnimationStart"),transitionend:kr("Transition","TransitionEnd")},Sr={},Er={};function _r(e){if(Sr[e])return Sr[e];if(!xr[e])return e;var t,n=xr[e];for(t in n)if(n.hasOwnProperty(t)&&t in Er)return Sr[e]=n[t];return e}u&&(Er=document.createElement("div").style,"AnimationEvent"in window||(delete xr.animationend.animation,delete xr.animationiteration.animation,delete xr.animationstart.animation),"TransitionEvent"in window||delete xr.transitionend.transition);var Cr=_r("animationend"),Tr=_r("animationiteration"),jr=_r("animationstart"),Lr=_r("transitionend"),Rr=new Map,Nr="abort auxClick cancel canPlay canPlayThrough click close contextMenu copy cut drag dragEnd dragEnter dragExit dragLeave dragOver dragStart drop durationChange emptied encrypted ended error gotPointerCapture input invalid keyDown keyPress keyUp load loadedData loadedMetadata loadStart lostPointerCapture mouseDown mouseMove mouseOut mouseOver mouseUp paste pause play playing pointerCancel pointerDown pointerMove pointerOut pointerOver pointerUp progress rateChange reset resize seeked seeking stalled submit suspend timeUpdate touchCancel touchEnd touchStart volumeChange scroll toggle touchMove waiting wheel".split(" ");function Pr(e,t){Rr.set(e,t),l(t,[e])}for(var Ar=0;Ar<Nr.length;Ar++){var Or=Nr[Ar];Pr(Or.toLowerCase(),"on"+(Or[0].toUpperCase()+Or.slice(1)))}Pr(Cr,"onAnimationEnd"),Pr(Tr,"onAnimationIteration"),Pr(jr,"onAnimationStart"),Pr("dblclick","onDoubleClick"),Pr("focusin","onFocus"),Pr("focusout","onBlur"),Pr(Lr,"onTransitionEnd"),c("onMouseEnter",["mouseout","mouseover"]),c("onMouseLeave",["mouseout","mouseover"]),c("onPointerEnter",["pointerout","pointerover"]),c("onPointerLeave",["pointerout","pointerover"]),l("onChange","change click focusin focusout input keydown keyup selectionchange".split(" ")),l("onSelect","focusout contextmenu dragend focusin keydown keyup mousedown mouseup selectionchange".split(" ")),l("onBeforeInput",["compositionend","keypress","textInput","paste"]),l("onCompositionEnd","compositionend focusout keydown keypress keyup mousedown".split(" ")),l("onCompositionStart","compositionstart focusout keydown keypress keyup mousedown".split(" ")),l("onCompositionUpdate","compositionupdate focusout keydown keypress keyup mousedown".split(" "));var Ir="abort canplay canplaythrough durationchange emptied encrypted ended error loadeddata loadedmetadata loadstart pause play playing progress ratechange resize seeked seeking stalled suspend timeupdate volumechange waiting".split(" "),Dr=new Set("cancel close invalid load scroll toggle".split(" ").concat(Ir));function Fr(e,t,n){var r=e.type||"unknown-event";e.currentTarget=n,function(e,t,n,r,a,i,s,l,c){if($e.apply(this,arguments),De){if(!De)throw Error(o(198));var u=Fe;De=!1,Fe=null,Me||(Me=!0,ze=u)}}(r,t,void 0,e),e.currentTarget=null}function Mr(e,t){t=0!=(4&t);for(var n=0;n<e.length;n++){var r=e[n],a=r.event;r=r.listeners;e:{var o=void 0;if(t)for(var i=r.length-1;0<=i;i--){var s=r[i],l=s.instance,c=s.currentTarget;if(s=s.listener,l!==o&&a.isPropagationStopped())break e;Fr(a,s,c),o=l}else for(i=0;i<r.length;i++){if(l=(s=r[i]).instance,c=s.currentTarget,s=s.listener,l!==o&&a.isPropagationStopped())break e;Fr(a,s,c),o=l}}}if(Me)throw e=ze,Me=!1,ze=null,e}function zr(e,t){var n=t[ma];void 0===n&&(n=t[ma]=new Set);var r=e+"__bubble";n.has(r)||(qr(t,e,2,!1),n.add(r))}function Br(e,t,n){var r=0;t&&(r|=4),qr(n,e,r,t)}var $r="_reactListening"+Math.random().toString(36).slice(2);function Ur(e){if(!e[$r]){e[$r]=!0,i.forEach((function(t){"selectionchange"!==t&&(Dr.has(t)||Br(t,!1,e),Br(t,!0,e))}));var t=9===e.nodeType?e:e.ownerDocument;null===t||t[$r]||(t[$r]=!0,Br("selectionchange",!1,t))}}function qr(e,t,n,r){switch(Xt(t)){case 1:var a=Qt;break;case 4:a=Zt;break;default:a=Vt}n=a.bind(null,t,n,e),a=void 0,!Ae||"touchstart"!==t&&"touchmove"!==t&&"wheel"!==t||(a=!0),r?void 0!==a?e.addEventListener(t,n,{capture:!0,passive:a}):e.addEventListener(t,n,!0):void 0!==a?e.addEventListener(t,n,{passive:a}):e.addEventListener(t,n,!1)}function Hr(e,t,n,r,a){var o=r;if(0==(1&t)&&0==(2&t)&&null!==r)e:for(;;){if(null===r)return;var i=r.tag;if(3===i||4===i){var s=r.stateNode.containerInfo;if(s===a||8===s.nodeType&&s.parentNode===a)break;if(4===i)for(i=r.return;null!==i;){var l=i.tag;if((3===l||4===l)&&((l=i.stateNode.containerInfo)===a||8===l.nodeType&&l.parentNode===a))return;i=i.return}for(;null!==s;){if(null===(i=ba(s)))return;if(5===(l=i.tag)||6===l){r=o=i;continue e}s=s.parentNode}}r=r.return}Ne((function(){var r=o,a=ke(n),i=[];e:{var s=Rr.get(e);if(void 0!==s){var l=un,c=e;switch(e){case"keypress":if(0===tn(n))break e;case"keydown":case"keyup":l=Tn;break;case"focusin":c="focus",l=gn;break;case"focusout":c="blur",l=gn;break;case"beforeblur":case"afterblur":l=gn;break;case"click":if(2===n.button)break e;case"auxclick":case"dblclick":case"mousedown":case"mousemove":case"mouseup":case"mouseout":case"mouseover":case"contextmenu":l=hn;break;case"drag":case"dragend":case"dragenter":case"dragexit":case"dragleave":case"dragover":case"dragstart":case"drop":l=mn;break;case"touchcancel":case"touchend":case"touchmove":case"touchstart":l=Ln;break;case Cr:case Tr:case jr:l=yn;break;case Lr:l=Rn;break;case"scroll":l=pn;break;case"wheel":l=Pn;break;case"copy":case"cut":case"paste":l=vn;break;case"gotpointercapture":case"lostpointercapture":case"pointercancel":case"pointerdown":case"pointermove":case"pointerout":case"pointerover":case"pointerup":l=jn}var u=0!=(4&t),d=!u&&"scroll"===e,p=u?null!==s?s+"Capture":null:s;u=[];for(var f,h=r;null!==h;){var m=(f=h).stateNode;if(5===f.tag&&null!==m&&(f=m,null!==p&&(null!=(m=Pe(h,p))&&u.push(Qr(h,m,f)))),d)break;h=h.return}0<u.length&&(s=new l(s,c,null,n,a),i.push({event:s,listeners:u}))}}if(0==(7&t)){if(l="mouseout"===e||"pointerout"===e,(!(s="mouseover"===e||"pointerover"===e)||n===we||!(c=n.relatedTarget||n.fromElement)||!ba(c)&&!c[ha])&&(l||s)&&(s=a.window===a?a:(s=a.ownerDocument)?s.defaultView||s.parentWindow:window,l?(l=r,null!==(c=(c=n.relatedTarget||n.toElement)?ba(c):null)&&(c!==(d=Ue(c))||5!==c.tag&&6!==c.tag)&&(c=null)):(l=null,c=r),l!==c)){if(u=hn,m="onMouseLeave",p="onMouseEnter",h="mouse","pointerout"!==e&&"pointerover"!==e||(u=jn,m="onPointerLeave",p="onPointerEnter",h="pointer"),d=null==l?s:wa(l),f=null==c?s:wa(c),(s=new u(m,h+"leave",l,n,a)).target=d,s.relatedTarget=f,m=null,ba(a)===r&&((u=new u(p,h+"enter",c,n,a)).target=f,u.relatedTarget=d,m=u),d=m,l&&c)e:{for(p=c,h=0,f=u=l;f;f=Vr(f))h++;for(f=0,m=p;m;m=Vr(m))f++;for(;0<h-f;)u=Vr(u),h--;for(;0<f-h;)p=Vr(p),f--;for(;h--;){if(u===p||null!==p&&u===p.alternate)break e;u=Vr(u),p=Vr(p)}u=null}else u=null;null!==l&&Wr(i,s,l,u,!1),null!==c&&null!==d&&Wr(i,d,c,u,!0)}if("select"===(l=(s=r?wa(r):window).nodeName&&s.nodeName.toLowerCase())||"input"===l&&"file"===s.type)var g=Xn;else if(Hn(s))if(Kn)g=ir;else{g=ar;var y=rr}else(l=s.nodeName)&&"input"===l.toLowerCase()&&("checkbox"===s.type||"radio"===s.type)&&(g=or);switch(g&&(g=g(e,r))?Qn(i,g,n,a):(y&&y(e,s,r),"focusout"===e&&(y=s._wrapperState)&&y.controlled&&"number"===s.type&&ee(s,"number",s.value)),y=r?wa(r):window,e){case"focusin":(Hn(y)||"true"===y.contentEditable)&&(gr=y,yr=r,br=null);break;case"focusout":br=yr=gr=null;break;case"mousedown":vr=!0;break;case"contextmenu":case"mouseup":case"dragend":vr=!1,wr(i,n,a);break;case"selectionchange":if(mr)break;case"keydown":case"keyup":wr(i,n,a)}var b;if(On)e:{switch(e){case"compositionstart":var v="onCompositionStart";break e;case"compositionend":v="onCompositionEnd";break e;case"compositionupdate":v="onCompositionUpdate";break e}v=void 0}else Un?Bn(e,n)&&(v="onCompositionEnd"):"keydown"===e&&229===n.keyCode&&(v="onCompositionStart");v&&(Fn&&"ko"!==n.locale&&(Un||"onCompositionStart"!==v?"onCompositionEnd"===v&&Un&&(b=en()):(Yt="value"in(Kt=a)?Kt.value:Kt.textContent,Un=!0)),0<(y=Zr(r,v)).length&&(v=new wn(v,e,null,n,a),i.push({event:v,listeners:y}),b?v.data=b:null!==(b=$n(n))&&(v.data=b))),(b=Dn?function(e,t){switch(e){case"compositionend":return $n(t);case"keypress":return 32!==t.which?null:(zn=!0,Mn);case"textInput":return(e=t.data)===Mn&&zn?null:e;default:return null}}(e,n):function(e,t){if(Un)return"compositionend"===e||!On&&Bn(e,t)?(e=en(),Jt=Yt=Kt=null,Un=!1,e):null;switch(e){case"paste":default:return null;case"keypress":if(!(t.ctrlKey||t.altKey||t.metaKey)||t.ctrlKey&&t.altKey){if(t.char&&1<t.char.length)return t.char;if(t.which)return String.fromCharCode(t.which)}return null;case"compositionend":return Fn&&"ko"!==t.locale?null:t.data}}(e,n))&&(0<(r=Zr(r,"onBeforeInput")).length&&(a=new wn("onBeforeInput","beforeinput",null,n,a),i.push({event:a,listeners:r}),a.data=b))}Mr(i,t)}))}function Qr(e,t,n){return{instance:e,listener:t,currentTarget:n}}function Zr(e,t){for(var n=t+"Capture",r=[];null!==e;){var a=e,o=a.stateNode;5===a.tag&&null!==o&&(a=o,null!=(o=Pe(e,n))&&r.unshift(Qr(e,o,a)),null!=(o=Pe(e,t))&&r.push(Qr(e,o,a))),e=e.return}return r}function Vr(e){if(null===e)return null;do{e=e.return}while(e&&5!==e.tag);return e||null}function Wr(e,t,n,r,a){for(var o=t._reactName,i=[];null!==n&&n!==r;){var s=n,l=s.alternate,c=s.stateNode;if(null!==l&&l===r)break;5===s.tag&&null!==c&&(s=c,a?null!=(l=Pe(n,o))&&i.unshift(Qr(n,l,s)):a||null!=(l=Pe(n,o))&&i.push(Qr(n,l,s))),n=n.return}0!==i.length&&e.push({event:t,listeners:i})}var Gr=/\r\n?/g,Xr=/\u0000|\uFFFD/g;function Kr(e){return("string"==typeof e?e:""+e).replace(Gr,"\n").replace(Xr,"")}function Yr(e,t,n){if(t=Kr(t),Kr(e)!==t&&n)throw Error(o(425))}function Jr(){}var ea=null,ta=null;function na(e,t){return"textarea"===e||"noscript"===e||"string"==typeof t.children||"number"==typeof t.children||"object"==typeof t.dangerouslySetInnerHTML&&null!==t.dangerouslySetInnerHTML&&null!=t.dangerouslySetInnerHTML.__html}var ra="function"==typeof setTimeout?setTimeout:void 0,aa="function"==typeof clearTimeout?clearTimeout:void 0,oa="function"==typeof Promise?Promise:void 0,ia="function"==typeof queueMicrotask?queueMicrotask:void 0!==oa?function(e){return oa.resolve(null).then(e).catch(sa)}:ra;function sa(e){setTimeout((function(){throw e}))}function la(e,t){var n=t,r=0;do{var a=n.nextSibling;if(e.removeChild(n),a&&8===a.nodeType)if("/$"===(n=a.data)){if(0===r)return e.removeChild(a),void Ut(t);r--}else"$"!==n&&"$?"!==n&&"$!"!==n||r++;n=a}while(n);Ut(t)}function ca(e){for(;null!=e;e=e.nextSibling){var t=e.nodeType;if(1===t||3===t)break;if(8===t){if("$"===(t=e.data)||"$!"===t||"$?"===t)break;if("/$"===t)return null}}return e}function ua(e){e=e.previousSibling;for(var t=0;e;){if(8===e.nodeType){var n=e.data;if("$"===n||"$!"===n||"$?"===n){if(0===t)return e;t--}else"/$"===n&&t++}e=e.previousSibling}return null}var da=Math.random().toString(36).slice(2),pa="__reactFiber$"+da,fa="__reactProps$"+da,ha="__reactContainer$"+da,ma="__reactEvents$"+da,ga="__reactListeners$"+da,ya="__reactHandles$"+da;function ba(e){var t=e[pa];if(t)return t;for(var n=e.parentNode;n;){if(t=n[ha]||n[pa]){if(n=t.alternate,null!==t.child||null!==n&&null!==n.child)for(e=ua(e);null!==e;){if(n=e[pa])return n;e=ua(e)}return t}n=(e=n).parentNode}return null}function va(e){return!(e=e[pa]||e[ha])||5!==e.tag&&6!==e.tag&&13!==e.tag&&3!==e.tag?null:e}function wa(e){if(5===e.tag||6===e.tag)return e.stateNode;throw Error(o(33))}function ka(e){return e[fa]||null}var xa=[],Sa=-1;function Ea(e){return{current:e}}function _a(e){0>Sa||(e.current=xa[Sa],xa[Sa]=null,Sa--)}function Ca(e,t){Sa++,xa[Sa]=e.current,e.current=t}var Ta={},ja=Ea(Ta),La=Ea(!1),Ra=Ta;function Na(e,t){var n=e.type.contextTypes;if(!n)return Ta;var r=e.stateNode;if(r&&r.__reactInternalMemoizedUnmaskedChildContext===t)return r.__reactInternalMemoizedMaskedChildContext;var a,o={};for(a in n)o[a]=t[a];return r&&((e=e.stateNode).__reactInternalMemoizedUnmaskedChildContext=t,e.__reactInternalMemoizedMaskedChildContext=o),o}function Pa(e){return null!=(e=e.childContextTypes)}function Aa(){_a(La),_a(ja)}function Oa(e,t,n){if(ja.current!==Ta)throw Error(o(168));Ca(ja,t),Ca(La,n)}function Ia(e,t,n){var r=e.stateNode;if(t=t.childContextTypes,"function"!=typeof r.getChildContext)return n;for(var a in r=r.getChildContext())if(!(a in t))throw Error(o(108,q(e)||"Unknown",a));return F({},n,r)}function Da(e){return e=(e=e.stateNode)&&e.__reactInternalMemoizedMergedChildContext||Ta,Ra=ja.current,Ca(ja,e),Ca(La,La.current),!0}function Fa(e,t,n){var r=e.stateNode;if(!r)throw Error(o(169));n?(e=Ia(e,t,Ra),r.__reactInternalMemoizedMergedChildContext=e,_a(La),_a(ja),Ca(ja,e)):_a(La),Ca(La,n)}var Ma=null,za=!1,Ba=!1;function $a(e){null===Ma?Ma=[e]:Ma.push(e)}function Ua(){if(!Ba&&null!==Ma){Ba=!0;var e=0,t=vt;try{var n=Ma;for(vt=1;e<n.length;e++){var r=n[e];do{r=r(!0)}while(null!==r)}Ma=null,za=!1}catch(a){throw null!==Ma&&(Ma=Ma.slice(e+1)),Ve(Je,Ua),a}finally{vt=t,Ba=!1}}return null}var qa=[],Ha=0,Qa=null,Za=0,Va=[],Wa=0,Ga=null,Xa=1,Ka="";function Ya(e,t){qa[Ha++]=Za,qa[Ha++]=Qa,Qa=e,Za=t}function Ja(e,t,n){Va[Wa++]=Xa,Va[Wa++]=Ka,Va[Wa++]=Ga,Ga=e;var r=Xa;e=Ka;var a=32-it(r)-1;r&=~(1<<a),n+=1;var o=32-it(t)+a;if(30<o){var i=a-a%5;o=(r&(1<<i)-1).toString(32),r>>=i,a-=i,Xa=1<<32-it(t)+a|n<<a|r,Ka=o+e}else Xa=1<<o|n<<a|r,Ka=e}function eo(e){null!==e.return&&(Ya(e,1),Ja(e,1,0))}function to(e){for(;e===Qa;)Qa=qa[--Ha],qa[Ha]=null,Za=qa[--Ha],qa[Ha]=null;for(;e===Ga;)Ga=Va[--Wa],Va[Wa]=null,Ka=Va[--Wa],Va[Wa]=null,Xa=Va[--Wa],Va[Wa]=null}var no=null,ro=null,ao=!1,oo=null;function io(e,t){var n=Nc(5,null,null,0);n.elementType="DELETED",n.stateNode=t,n.return=e,null===(t=e.deletions)?(e.deletions=[n],e.flags|=16):t.push(n)}function so(e,t){switch(e.tag){case 5:var n=e.type;return null!==(t=1!==t.nodeType||n.toLowerCase()!==t.nodeName.toLowerCase()?null:t)&&(e.stateNode=t,no=e,ro=ca(t.firstChild),!0);case 6:return null!==(t=""===e.pendingProps||3!==t.nodeType?null:t)&&(e.stateNode=t,no=e,ro=null,!0);case 13:return null!==(t=8!==t.nodeType?null:t)&&(n=null!==Ga?{id:Xa,overflow:Ka}:null,e.memoizedState={dehydrated:t,treeContext:n,retryLane:1073741824},(n=Nc(18,null,null,0)).stateNode=t,n.return=e,e.child=n,no=e,ro=null,!0);default:return!1}}function lo(e){return 0!=(1&e.mode)&&0==(128&e.flags)}function co(e){if(ao){var t=ro;if(t){var n=t;if(!so(e,t)){if(lo(e))throw Error(o(418));t=ca(n.nextSibling);var r=no;t&&so(e,t)?io(r,n):(e.flags=-4097&e.flags|2,ao=!1,no=e)}}else{if(lo(e))throw Error(o(418));e.flags=-4097&e.flags|2,ao=!1,no=e}}}function uo(e){for(e=e.return;null!==e&&5!==e.tag&&3!==e.tag&&13!==e.tag;)e=e.return;no=e}function po(e){if(e!==no)return!1;if(!ao)return uo(e),ao=!0,!1;var t;if((t=3!==e.tag)&&!(t=5!==e.tag)&&(t="head"!==(t=e.type)&&"body"!==t&&!na(e.type,e.memoizedProps)),t&&(t=ro)){if(lo(e))throw fo(),Error(o(418));for(;t;)io(e,t),t=ca(t.nextSibling)}if(uo(e),13===e.tag){if(!(e=null!==(e=e.memoizedState)?e.dehydrated:null))throw Error(o(317));e:{for(e=e.nextSibling,t=0;e;){if(8===e.nodeType){var n=e.data;if("/$"===n){if(0===t){ro=ca(e.nextSibling);break e}t--}else"$"!==n&&"$!"!==n&&"$?"!==n||t++}e=e.nextSibling}ro=null}}else ro=no?ca(e.stateNode.nextSibling):null;return!0}function fo(){for(var e=ro;e;)e=ca(e.nextSibling)}function ho(){ro=no=null,ao=!1}function mo(e){null===oo?oo=[e]:oo.push(e)}var go=w.ReactCurrentBatchConfig;function yo(e,t,n){if(null!==(e=n.ref)&&"function"!=typeof e&&"object"!=typeof e){if(n._owner){if(n=n._owner){if(1!==n.tag)throw Error(o(309));var r=n.stateNode}if(!r)throw Error(o(147,e));var a=r,i=""+e;return null!==t&&null!==t.ref&&"function"==typeof t.ref&&t.ref._stringRef===i?t.ref:(t=function(e){var t=a.refs;null===e?delete t[i]:t[i]=e},t._stringRef=i,t)}if("string"!=typeof e)throw Error(o(284));if(!n._owner)throw Error(o(290,e))}return e}function bo(e,t){throw e=Object.prototype.toString.call(t),Error(o(31,"[object Object]"===e?"object with keys {"+Object.keys(t).join(", ")+"}":e))}function vo(e){return(0,e._init)(e._payload)}function wo(e){function t(t,n){if(e){var r=t.deletions;null===r?(t.deletions=[n],t.flags|=16):r.push(n)}}function n(n,r){if(!e)return null;for(;null!==r;)t(n,r),r=r.sibling;return null}function r(e,t){for(e=new Map;null!==t;)null!==t.key?e.set(t.key,t):e.set(t.index,t),t=t.sibling;return e}function a(e,t){return(e=Ac(e,t)).index=0,e.sibling=null,e}function i(t,n,r){return t.index=r,e?null!==(r=t.alternate)?(r=r.index)<n?(t.flags|=2,n):r:(t.flags|=2,n):(t.flags|=1048576,n)}function s(t){return e&&null===t.alternate&&(t.flags|=2),t}function l(e,t,n,r){return null===t||6!==t.tag?((t=Fc(n,e.mode,r)).return=e,t):((t=a(t,n)).return=e,t)}function c(e,t,n,r){var o=n.type;return o===S?d(e,t,n.props.children,r,n.key):null!==t&&(t.elementType===o||"object"==typeof o&&null!==o&&o.$$typeof===P&&vo(o)===t.type)?((r=a(t,n.props)).ref=yo(e,t,n),r.return=e,r):((r=Oc(n.type,n.key,n.props,null,e.mode,r)).ref=yo(e,t,n),r.return=e,r)}function u(e,t,n,r){return null===t||4!==t.tag||t.stateNode.containerInfo!==n.containerInfo||t.stateNode.implementation!==n.implementation?((t=Mc(n,e.mode,r)).return=e,t):((t=a(t,n.children||[])).return=e,t)}function d(e,t,n,r,o){return null===t||7!==t.tag?((t=Ic(n,e.mode,r,o)).return=e,t):((t=a(t,n)).return=e,t)}function p(e,t,n){if("string"==typeof t&&""!==t||"number"==typeof t)return(t=Fc(""+t,e.mode,n)).return=e,t;if("object"==typeof t&&null!==t){switch(t.$$typeof){case k:return(n=Oc(t.type,t.key,t.props,null,e.mode,n)).ref=yo(e,null,t),n.return=e,n;case x:return(t=Mc(t,e.mode,n)).return=e,t;case P:return p(e,(0,t._init)(t._payload),n)}if(te(t)||I(t))return(t=Ic(t,e.mode,n,null)).return=e,t;bo(e,t)}return null}function f(e,t,n,r){var a=null!==t?t.key:null;if("string"==typeof n&&""!==n||"number"==typeof n)return null!==a?null:l(e,t,""+n,r);if("object"==typeof n&&null!==n){switch(n.$$typeof){case k:return n.key===a?c(e,t,n,r):null;case x:return n.key===a?u(e,t,n,r):null;case P:return f(e,t,(a=n._init)(n._payload),r)}if(te(n)||I(n))return null!==a?null:d(e,t,n,r,null);bo(e,n)}return null}function h(e,t,n,r,a){if("string"==typeof r&&""!==r||"number"==typeof r)return l(t,e=e.get(n)||null,""+r,a);if("object"==typeof r&&null!==r){switch(r.$$typeof){case k:return c(t,e=e.get(null===r.key?n:r.key)||null,r,a);case x:return u(t,e=e.get(null===r.key?n:r.key)||null,r,a);case P:return h(e,t,n,(0,r._init)(r._payload),a)}if(te(r)||I(r))return d(t,e=e.get(n)||null,r,a,null);bo(t,r)}return null}function m(a,o,s,l){for(var c=null,u=null,d=o,m=o=0,g=null;null!==d&&m<s.length;m++){d.index>m?(g=d,d=null):g=d.sibling;var y=f(a,d,s[m],l);if(null===y){null===d&&(d=g);break}e&&d&&null===y.alternate&&t(a,d),o=i(y,o,m),null===u?c=y:u.sibling=y,u=y,d=g}if(m===s.length)return n(a,d),ao&&Ya(a,m),c;if(null===d){for(;m<s.length;m++)null!==(d=p(a,s[m],l))&&(o=i(d,o,m),null===u?c=d:u.sibling=d,u=d);return ao&&Ya(a,m),c}for(d=r(a,d);m<s.length;m++)null!==(g=h(d,a,m,s[m],l))&&(e&&null!==g.alternate&&d.delete(null===g.key?m:g.key),o=i(g,o,m),null===u?c=g:u.sibling=g,u=g);return e&&d.forEach((function(e){return t(a,e)})),ao&&Ya(a,m),c}function g(a,s,l,c){var u=I(l);if("function"!=typeof u)throw Error(o(150));if(null==(l=u.call(l)))throw Error(o(151));for(var d=u=null,m=s,g=s=0,y=null,b=l.next();null!==m&&!b.done;g++,b=l.next()){m.index>g?(y=m,m=null):y=m.sibling;var v=f(a,m,b.value,c);if(null===v){null===m&&(m=y);break}e&&m&&null===v.alternate&&t(a,m),s=i(v,s,g),null===d?u=v:d.sibling=v,d=v,m=y}if(b.done)return n(a,m),ao&&Ya(a,g),u;if(null===m){for(;!b.done;g++,b=l.next())null!==(b=p(a,b.value,c))&&(s=i(b,s,g),null===d?u=b:d.sibling=b,d=b);return ao&&Ya(a,g),u}for(m=r(a,m);!b.done;g++,b=l.next())null!==(b=h(m,a,g,b.value,c))&&(e&&null!==b.alternate&&m.delete(null===b.key?g:b.key),s=i(b,s,g),null===d?u=b:d.sibling=b,d=b);return e&&m.forEach((function(e){return t(a,e)})),ao&&Ya(a,g),u}return function e(r,o,i,l){if("object"==typeof i&&null!==i&&i.type===S&&null===i.key&&(i=i.props.children),"object"==typeof i&&null!==i){switch(i.$$typeof){case k:e:{for(var c=i.key,u=o;null!==u;){if(u.key===c){if((c=i.type)===S){if(7===u.tag){n(r,u.sibling),(o=a(u,i.props.children)).return=r,r=o;break e}}else if(u.elementType===c||"object"==typeof c&&null!==c&&c.$$typeof===P&&vo(c)===u.type){n(r,u.sibling),(o=a(u,i.props)).ref=yo(r,u,i),o.return=r,r=o;break e}n(r,u);break}t(r,u),u=u.sibling}i.type===S?((o=Ic(i.props.children,r.mode,l,i.key)).return=r,r=o):((l=Oc(i.type,i.key,i.props,null,r.mode,l)).ref=yo(r,o,i),l.return=r,r=l)}return s(r);case x:e:{for(u=i.key;null!==o;){if(o.key===u){if(4===o.tag&&o.stateNode.containerInfo===i.containerInfo&&o.stateNode.implementation===i.implementation){n(r,o.sibling),(o=a(o,i.children||[])).return=r,r=o;break e}n(r,o);break}t(r,o),o=o.sibling}(o=Mc(i,r.mode,l)).return=r,r=o}return s(r);case P:return e(r,o,(u=i._init)(i._payload),l)}if(te(i))return m(r,o,i,l);if(I(i))return g(r,o,i,l);bo(r,i)}return"string"==typeof i&&""!==i||"number"==typeof i?(i=""+i,null!==o&&6===o.tag?(n(r,o.sibling),(o=a(o,i)).return=r,r=o):(n(r,o),(o=Fc(i,r.mode,l)).return=r,r=o),s(r)):n(r,o)}}var ko=wo(!0),xo=wo(!1),So=Ea(null),Eo=null,_o=null,Co=null;function To(){Co=_o=Eo=null}function jo(e){var t=So.current;_a(So),e._currentValue=t}function Lo(e,t,n){for(;null!==e;){var r=e.alternate;if((e.childLanes&t)!==t?(e.childLanes|=t,null!==r&&(r.childLanes|=t)):null!==r&&(r.childLanes&t)!==t&&(r.childLanes|=t),e===n)break;e=e.return}}function Ro(e,t){Eo=e,Co=_o=null,null!==(e=e.dependencies)&&null!==e.firstContext&&(0!=(e.lanes&t)&&(vs=!0),e.firstContext=null)}function No(e){var t=e._currentValue;if(Co!==e)if(e={context:e,memoizedValue:t,next:null},null===_o){if(null===Eo)throw Error(o(308));_o=e,Eo.dependencies={lanes:0,firstContext:e}}else _o=_o.next=e;return t}var Po=null;function Ao(e){null===Po?Po=[e]:Po.push(e)}function Oo(e,t,n,r){var a=t.interleaved;return null===a?(n.next=n,Ao(t)):(n.next=a.next,a.next=n),t.interleaved=n,Io(e,r)}function Io(e,t){e.lanes|=t;var n=e.alternate;for(null!==n&&(n.lanes|=t),n=e,e=e.return;null!==e;)e.childLanes|=t,null!==(n=e.alternate)&&(n.childLanes|=t),n=e,e=e.return;return 3===n.tag?n.stateNode:null}var Do=!1;function Fo(e){e.updateQueue={baseState:e.memoizedState,firstBaseUpdate:null,lastBaseUpdate:null,shared:{pending:null,interleaved:null,lanes:0},effects:null}}function Mo(e,t){e=e.updateQueue,t.updateQueue===e&&(t.updateQueue={baseState:e.baseState,firstBaseUpdate:e.firstBaseUpdate,lastBaseUpdate:e.lastBaseUpdate,shared:e.shared,effects:e.effects})}function zo(e,t){return{eventTime:e,lane:t,tag:0,payload:null,callback:null,next:null}}function Bo(e,t,n){var r=e.updateQueue;if(null===r)return null;if(r=r.shared,0!=(2&jl)){var a=r.pending;return null===a?t.next=t:(t.next=a.next,a.next=t),r.pending=t,Io(e,n)}return null===(a=r.interleaved)?(t.next=t,Ao(r)):(t.next=a.next,a.next=t),r.interleaved=t,Io(e,n)}function $o(e,t,n){if(null!==(t=t.updateQueue)&&(t=t.shared,0!=(4194240&n))){var r=t.lanes;n|=r&=e.pendingLanes,t.lanes=n,bt(e,n)}}function Uo(e,t){var n=e.updateQueue,r=e.alternate;if(null!==r&&n===(r=r.updateQueue)){var a=null,o=null;if(null!==(n=n.firstBaseUpdate)){do{var i={eventTime:n.eventTime,lane:n.lane,tag:n.tag,payload:n.payload,callback:n.callback,next:null};null===o?a=o=i:o=o.next=i,n=n.next}while(null!==n);null===o?a=o=t:o=o.next=t}else a=o=t;return n={baseState:r.baseState,firstBaseUpdate:a,lastBaseUpdate:o,shared:r.shared,effects:r.effects},void(e.updateQueue=n)}null===(e=n.lastBaseUpdate)?n.firstBaseUpdate=t:e.next=t,n.lastBaseUpdate=t}function qo(e,t,n,r){var a=e.updateQueue;Do=!1;var o=a.firstBaseUpdate,i=a.lastBaseUpdate,s=a.shared.pending;if(null!==s){a.shared.pending=null;var l=s,c=l.next;l.next=null,null===i?o=c:i.next=c,i=l;var u=e.alternate;null!==u&&((s=(u=u.updateQueue).lastBaseUpdate)!==i&&(null===s?u.firstBaseUpdate=c:s.next=c,u.lastBaseUpdate=l))}if(null!==o){var d=a.baseState;for(i=0,u=c=l=null,s=o;;){var p=s.lane,f=s.eventTime;if((r&p)===p){null!==u&&(u=u.next={eventTime:f,lane:0,tag:s.tag,payload:s.payload,callback:s.callback,next:null});e:{var h=e,m=s;switch(p=t,f=n,m.tag){case 1:if("function"==typeof(h=m.payload)){d=h.call(f,d,p);break e}d=h;break e;case 3:h.flags=-65537&h.flags|128;case 0:if(null==(p="function"==typeof(h=m.payload)?h.call(f,d,p):h))break e;d=F({},d,p);break e;case 2:Do=!0}}null!==s.callback&&0!==s.lane&&(e.flags|=64,null===(p=a.effects)?a.effects=[s]:p.push(s))}else f={eventTime:f,lane:p,tag:s.tag,payload:s.payload,callback:s.callback,next:null},null===u?(c=u=f,l=d):u=u.next=f,i|=p;if(null===(s=s.next)){if(null===(s=a.shared.pending))break;s=(p=s).next,p.next=null,a.lastBaseUpdate=p,a.shared.pending=null}}if(null===u&&(l=d),a.baseState=l,a.firstBaseUpdate=c,a.lastBaseUpdate=u,null!==(t=a.shared.interleaved)){a=t;do{i|=a.lane,a=a.next}while(a!==t)}else null===o&&(a.shared.lanes=0);Dl|=i,e.lanes=i,e.memoizedState=d}}function Ho(e,t,n){if(e=t.effects,t.effects=null,null!==e)for(t=0;t<e.length;t++){var r=e[t],a=r.callback;if(null!==a){if(r.callback=null,r=n,"function"!=typeof a)throw Error(o(191,a));a.call(r)}}}var Qo={},Zo=Ea(Qo),Vo=Ea(Qo),Wo=Ea(Qo);function Go(e){if(e===Qo)throw Error(o(174));return e}function Xo(e,t){switch(Ca(Wo,t),Ca(Vo,e),Ca(Zo,Qo),e=t.nodeType){case 9:case 11:t=(t=t.documentElement)?t.namespaceURI:le(null,"");break;default:t=le(t=(e=8===e?t.parentNode:t).namespaceURI||null,e=e.tagName)}_a(Zo),Ca(Zo,t)}function Ko(){_a(Zo),_a(Vo),_a(Wo)}function Yo(e){Go(Wo.current);var t=Go(Zo.current),n=le(t,e.type);t!==n&&(Ca(Vo,e),Ca(Zo,n))}function Jo(e){Vo.current===e&&(_a(Zo),_a(Vo))}var ei=Ea(0);function ti(e){for(var t=e;null!==t;){if(13===t.tag){var n=t.memoizedState;if(null!==n&&(null===(n=n.dehydrated)||"$?"===n.data||"$!"===n.data))return t}else if(19===t.tag&&void 0!==t.memoizedProps.revealOrder){if(0!=(128&t.flags))return t}else if(null!==t.child){t.child.return=t,t=t.child;continue}if(t===e)break;for(;null===t.sibling;){if(null===t.return||t.return===e)return null;t=t.return}t.sibling.return=t.return,t=t.sibling}return null}var ni=[];function ri(){for(var e=0;e<ni.length;e++)ni[e]._workInProgressVersionPrimary=null;ni.length=0}var ai=w.ReactCurrentDispatcher,oi=w.ReactCurrentBatchConfig,ii=0,si=null,li=null,ci=null,ui=!1,di=!1,pi=0,fi=0;function hi(){throw Error(o(321))}function mi(e,t){if(null===t)return!1;for(var n=0;n<t.length&&n<e.length;n++)if(!sr(e[n],t[n]))return!1;return!0}function gi(e,t,n,r,a,i){if(ii=i,si=t,t.memoizedState=null,t.updateQueue=null,t.lanes=0,ai.current=null===e||null===e.memoizedState?Ji:es,e=n(r,a),di){i=0;do{if(di=!1,pi=0,25<=i)throw Error(o(301));i+=1,ci=li=null,t.updateQueue=null,ai.current=ts,e=n(r,a)}while(di)}if(ai.current=Yi,t=null!==li&&null!==li.next,ii=0,ci=li=si=null,ui=!1,t)throw Error(o(300));return e}function yi(){var e=0!==pi;return pi=0,e}function bi(){var e={memoizedState:null,baseState:null,baseQueue:null,queue:null,next:null};return null===ci?si.memoizedState=ci=e:ci=ci.next=e,ci}function vi(){if(null===li){var e=si.alternate;e=null!==e?e.memoizedState:null}else e=li.next;var t=null===ci?si.memoizedState:ci.next;if(null!==t)ci=t,li=e;else{if(null===e)throw Error(o(310));e={memoizedState:(li=e).memoizedState,baseState:li.baseState,baseQueue:li.baseQueue,queue:li.queue,next:null},null===ci?si.memoizedState=ci=e:ci=ci.next=e}return ci}function wi(e,t){return"function"==typeof t?t(e):t}function ki(e){var t=vi(),n=t.queue;if(null===n)throw Error(o(311));n.lastRenderedReducer=e;var r=li,a=r.baseQueue,i=n.pending;if(null!==i){if(null!==a){var s=a.next;a.next=i.next,i.next=s}r.baseQueue=a=i,n.pending=null}if(null!==a){i=a.next,r=r.baseState;var l=s=null,c=null,u=i;do{var d=u.lane;if((ii&d)===d)null!==c&&(c=c.next={lane:0,action:u.action,hasEagerState:u.hasEagerState,eagerState:u.eagerState,next:null}),r=u.hasEagerState?u.eagerState:e(r,u.action);else{var p={lane:d,action:u.action,hasEagerState:u.hasEagerState,eagerState:u.eagerState,next:null};null===c?(l=c=p,s=r):c=c.next=p,si.lanes|=d,Dl|=d}u=u.next}while(null!==u&&u!==i);null===c?s=r:c.next=l,sr(r,t.memoizedState)||(vs=!0),t.memoizedState=r,t.baseState=s,t.baseQueue=c,n.lastRenderedState=r}if(null!==(e=n.interleaved)){a=e;do{i=a.lane,si.lanes|=i,Dl|=i,a=a.next}while(a!==e)}else null===a&&(n.lanes=0);return[t.memoizedState,n.dispatch]}function xi(e){var t=vi(),n=t.queue;if(null===n)throw Error(o(311));n.lastRenderedReducer=e;var r=n.dispatch,a=n.pending,i=t.memoizedState;if(null!==a){n.pending=null;var s=a=a.next;do{i=e(i,s.action),s=s.next}while(s!==a);sr(i,t.memoizedState)||(vs=!0),t.memoizedState=i,null===t.baseQueue&&(t.baseState=i),n.lastRenderedState=i}return[i,r]}function Si(){}function Ei(e,t){var n=si,r=vi(),a=t(),i=!sr(r.memoizedState,a);if(i&&(r.memoizedState=a,vs=!0),r=r.queue,Di(Ti.bind(null,n,r,e),[e]),r.getSnapshot!==t||i||null!==ci&&1&ci.memoizedState.tag){if(n.flags|=2048,Ni(9,Ci.bind(null,n,r,a,t),void 0,null),null===Ll)throw Error(o(349));0!=(30&ii)||_i(n,t,a)}return a}function _i(e,t,n){e.flags|=16384,e={getSnapshot:t,value:n},null===(t=si.updateQueue)?(t={lastEffect:null,stores:null},si.updateQueue=t,t.stores=[e]):null===(n=t.stores)?t.stores=[e]:n.push(e)}function Ci(e,t,n,r){t.value=n,t.getSnapshot=r,ji(t)&&Li(e)}function Ti(e,t,n){return n((function(){ji(t)&&Li(e)}))}function ji(e){var t=e.getSnapshot;e=e.value;try{var n=t();return!sr(e,n)}catch(r){return!0}}function Li(e){var t=Io(e,1);null!==t&&nc(t,e,1,-1)}function Ri(e){var t=bi();return"function"==typeof e&&(e=e()),t.memoizedState=t.baseState=e,e={pending:null,interleaved:null,lanes:0,dispatch:null,lastRenderedReducer:wi,lastRenderedState:e},t.queue=e,e=e.dispatch=Wi.bind(null,si,e),[t.memoizedState,e]}function Ni(e,t,n,r){return e={tag:e,create:t,destroy:n,deps:r,next:null},null===(t=si.updateQueue)?(t={lastEffect:null,stores:null},si.updateQueue=t,t.lastEffect=e.next=e):null===(n=t.lastEffect)?t.lastEffect=e.next=e:(r=n.next,n.next=e,e.next=r,t.lastEffect=e),e}function Pi(){return vi().memoizedState}function Ai(e,t,n,r){var a=bi();si.flags|=e,a.memoizedState=Ni(1|t,n,void 0,void 0===r?null:r)}function Oi(e,t,n,r){var a=vi();r=void 0===r?null:r;var o=void 0;if(null!==li){var i=li.memoizedState;if(o=i.destroy,null!==r&&mi(r,i.deps))return void(a.memoizedState=Ni(t,n,o,r))}si.flags|=e,a.memoizedState=Ni(1|t,n,o,r)}function Ii(e,t){return Ai(8390656,8,e,t)}function Di(e,t){return Oi(2048,8,e,t)}function Fi(e,t){return Oi(4,2,e,t)}function Mi(e,t){return Oi(4,4,e,t)}function zi(e,t){return"function"==typeof t?(e=e(),t(e),function(){t(null)}):null!=t?(e=e(),t.current=e,function(){t.current=null}):void 0}function Bi(e,t,n){return n=null!=n?n.concat([e]):null,Oi(4,4,zi.bind(null,t,e),n)}function $i(){}function Ui(e,t){var n=vi();t=void 0===t?null:t;var r=n.memoizedState;return null!==r&&null!==t&&mi(t,r[1])?r[0]:(n.memoizedState=[e,t],e)}function qi(e,t){var n=vi();t=void 0===t?null:t;var r=n.memoizedState;return null!==r&&null!==t&&mi(t,r[1])?r[0]:(e=e(),n.memoizedState=[e,t],e)}function Hi(e,t,n){return 0==(21&ii)?(e.baseState&&(e.baseState=!1,vs=!0),e.memoizedState=n):(sr(n,t)||(n=mt(),si.lanes|=n,Dl|=n,e.baseState=!0),t)}function Qi(e,t){var n=vt;vt=0!==n&&4>n?n:4,e(!0);var r=oi.transition;oi.transition={};try{e(!1),t()}finally{vt=n,oi.transition=r}}function Zi(){return vi().memoizedState}function Vi(e,t,n){var r=tc(e);if(n={lane:r,action:n,hasEagerState:!1,eagerState:null,next:null},Gi(e))Xi(t,n);else if(null!==(n=Oo(e,t,n,r))){nc(n,e,r,ec()),Ki(n,t,r)}}function Wi(e,t,n){var r=tc(e),a={lane:r,action:n,hasEagerState:!1,eagerState:null,next:null};if(Gi(e))Xi(t,a);else{var o=e.alternate;if(0===e.lanes&&(null===o||0===o.lanes)&&null!==(o=t.lastRenderedReducer))try{var i=t.lastRenderedState,s=o(i,n);if(a.hasEagerState=!0,a.eagerState=s,sr(s,i)){var l=t.interleaved;return null===l?(a.next=a,Ao(t)):(a.next=l.next,l.next=a),void(t.interleaved=a)}}catch(c){}null!==(n=Oo(e,t,a,r))&&(nc(n,e,r,a=ec()),Ki(n,t,r))}}function Gi(e){var t=e.alternate;return e===si||null!==t&&t===si}function Xi(e,t){di=ui=!0;var n=e.pending;null===n?t.next=t:(t.next=n.next,n.next=t),e.pending=t}function Ki(e,t,n){if(0!=(4194240&n)){var r=t.lanes;n|=r&=e.pendingLanes,t.lanes=n,bt(e,n)}}var Yi={readContext:No,useCallback:hi,useContext:hi,useEffect:hi,useImperativeHandle:hi,useInsertionEffect:hi,useLayoutEffect:hi,useMemo:hi,useReducer:hi,useRef:hi,useState:hi,useDebugValue:hi,useDeferredValue:hi,useTransition:hi,useMutableSource:hi,useSyncExternalStore:hi,useId:hi,unstable_isNewReconciler:!1},Ji={readContext:No,useCallback:function(e,t){return bi().memoizedState=[e,void 0===t?null:t],e},useContext:No,useEffect:Ii,useImperativeHandle:function(e,t,n){return n=null!=n?n.concat([e]):null,Ai(4194308,4,zi.bind(null,t,e),n)},useLayoutEffect:function(e,t){return Ai(4194308,4,e,t)},useInsertionEffect:function(e,t){return Ai(4,2,e,t)},useMemo:function(e,t){var n=bi();return t=void 0===t?null:t,e=e(),n.memoizedState=[e,t],e},useReducer:function(e,t,n){var r=bi();return t=void 0!==n?n(t):t,r.memoizedState=r.baseState=t,e={pending:null,interleaved:null,lanes:0,dispatch:null,lastRenderedReducer:e,lastRenderedState:t},r.queue=e,e=e.dispatch=Vi.bind(null,si,e),[r.memoizedState,e]},useRef:function(e){return e={current:e},bi().memoizedState=e},useState:Ri,useDebugValue:$i,useDeferredValue:function(e){return bi().memoizedState=e},useTransition:function(){var e=Ri(!1),t=e[0];return e=Qi.bind(null,e[1]),bi().memoizedState=e,[t,e]},useMutableSource:function(){},useSyncExternalStore:function(e,t,n){var r=si,a=bi();if(ao){if(void 0===n)throw Error(o(407));n=n()}else{if(n=t(),null===Ll)throw Error(o(349));0!=(30&ii)||_i(r,t,n)}a.memoizedState=n;var i={value:n,getSnapshot:t};return a.queue=i,Ii(Ti.bind(null,r,i,e),[e]),r.flags|=2048,Ni(9,Ci.bind(null,r,i,n,t),void 0,null),n},useId:function(){var e=bi(),t=Ll.identifierPrefix;if(ao){var n=Ka;t=":"+t+"R"+(n=(Xa&~(1<<32-it(Xa)-1)).toString(32)+n),0<(n=pi++)&&(t+="H"+n.toString(32)),t+=":"}else t=":"+t+"r"+(n=fi++).toString(32)+":";return e.memoizedState=t},unstable_isNewReconciler:!1},es={readContext:No,useCallback:Ui,useContext:No,useEffect:Di,useImperativeHandle:Bi,useInsertionEffect:Fi,useLayoutEffect:Mi,useMemo:qi,useReducer:ki,useRef:Pi,useState:function(){return ki(wi)},useDebugValue:$i,useDeferredValue:function(e){return Hi(vi(),li.memoizedState,e)},useTransition:function(){return[ki(wi)[0],vi().memoizedState]},useMutableSource:Si,useSyncExternalStore:Ei,useId:Zi,unstable_isNewReconciler:!1},ts={readContext:No,useCallback:Ui,useContext:No,useEffect:Di,useImperativeHandle:Bi,useInsertionEffect:Fi,useLayoutEffect:Mi,useMemo:qi,useReducer:xi,useRef:Pi,useState:function(){return xi(wi)},useDebugValue:$i,useDeferredValue:function(e){var t=vi();return null===li?t.memoizedState=e:Hi(t,li.memoizedState,e)},useTransition:function(){return[xi(wi)[0],vi().memoizedState]},useMutableSource:Si,useSyncExternalStore:Ei,useId:Zi,unstable_isNewReconciler:!1};function ns(e,t){if(e&&e.defaultProps){for(var n in t=F({},t),e=e.defaultProps)void 0===t[n]&&(t[n]=e[n]);return t}return t}function rs(e,t,n,r){n=null==(n=n(r,t=e.memoizedState))?t:F({},t,n),e.memoizedState=n,0===e.lanes&&(e.updateQueue.baseState=n)}var as={isMounted:function(e){return!!(e=e._reactInternals)&&Ue(e)===e},enqueueSetState:function(e,t,n){e=e._reactInternals;var r=ec(),a=tc(e),o=zo(r,a);o.payload=t,null!=n&&(o.callback=n),null!==(t=Bo(e,o,a))&&(nc(t,e,a,r),$o(t,e,a))},enqueueReplaceState:function(e,t,n){e=e._reactInternals;var r=ec(),a=tc(e),o=zo(r,a);o.tag=1,o.payload=t,null!=n&&(o.callback=n),null!==(t=Bo(e,o,a))&&(nc(t,e,a,r),$o(t,e,a))},enqueueForceUpdate:function(e,t){e=e._reactInternals;var n=ec(),r=tc(e),a=zo(n,r);a.tag=2,null!=t&&(a.callback=t),null!==(t=Bo(e,a,r))&&(nc(t,e,r,n),$o(t,e,r))}};function os(e,t,n,r,a,o,i){return"function"==typeof(e=e.stateNode).shouldComponentUpdate?e.shouldComponentUpdate(r,o,i):!t.prototype||!t.prototype.isPureReactComponent||(!lr(n,r)||!lr(a,o))}function is(e,t,n){var r=!1,a=Ta,o=t.contextType;return"object"==typeof o&&null!==o?o=No(o):(a=Pa(t)?Ra:ja.current,o=(r=null!=(r=t.contextTypes))?Na(e,a):Ta),t=new t(n,o),e.memoizedState=null!==t.state&&void 0!==t.state?t.state:null,t.updater=as,e.stateNode=t,t._reactInternals=e,r&&((e=e.stateNode).__reactInternalMemoizedUnmaskedChildContext=a,e.__reactInternalMemoizedMaskedChildContext=o),t}function ss(e,t,n,r){e=t.state,"function"==typeof t.componentWillReceiveProps&&t.componentWillReceiveProps(n,r),"function"==typeof t.UNSAFE_componentWillReceiveProps&&t.UNSAFE_componentWillReceiveProps(n,r),t.state!==e&&as.enqueueReplaceState(t,t.state,null)}function ls(e,t,n,r){var a=e.stateNode;a.props=n,a.state=e.memoizedState,a.refs={},Fo(e);var o=t.contextType;"object"==typeof o&&null!==o?a.context=No(o):(o=Pa(t)?Ra:ja.current,a.context=Na(e,o)),a.state=e.memoizedState,"function"==typeof(o=t.getDerivedStateFromProps)&&(rs(e,t,o,n),a.state=e.memoizedState),"function"==typeof t.getDerivedStateFromProps||"function"==typeof a.getSnapshotBeforeUpdate||"function"!=typeof a.UNSAFE_componentWillMount&&"function"!=typeof a.componentWillMount||(t=a.state,"function"==typeof a.componentWillMount&&a.componentWillMount(),"function"==typeof a.UNSAFE_componentWillMount&&a.UNSAFE_componentWillMount(),t!==a.state&&as.enqueueReplaceState(a,a.state,null),qo(e,n,a,r),a.state=e.memoizedState),"function"==typeof a.componentDidMount&&(e.flags|=4194308)}function cs(e,t){try{var n="",r=t;do{n+=$(r),r=r.return}while(r);var a=n}catch(o){a="\nError generating stack: "+o.message+"\n"+o.stack}return{value:e,source:t,stack:a,digest:null}}function us(e,t,n){return{value:e,source:null,stack:null!=n?n:null,digest:null!=t?t:null}}function ds(e,t){try{console.error(t.value)}catch(n){setTimeout((function(){throw n}))}}var ps="function"==typeof WeakMap?WeakMap:Map;function fs(e,t,n){(n=zo(-1,n)).tag=3,n.payload={element:null};var r=t.value;return n.callback=function(){Hl||(Hl=!0,Ql=r),ds(0,t)},n}function hs(e,t,n){(n=zo(-1,n)).tag=3;var r=e.type.getDerivedStateFromError;if("function"==typeof r){var a=t.value;n.payload=function(){return r(a)},n.callback=function(){ds(0,t)}}var o=e.stateNode;return null!==o&&"function"==typeof o.componentDidCatch&&(n.callback=function(){ds(0,t),"function"!=typeof r&&(null===Zl?Zl=new Set([this]):Zl.add(this));var e=t.stack;this.componentDidCatch(t.value,{componentStack:null!==e?e:""})}),n}function ms(e,t,n){var r=e.pingCache;if(null===r){r=e.pingCache=new ps;var a=new Set;r.set(t,a)}else void 0===(a=r.get(t))&&(a=new Set,r.set(t,a));a.has(n)||(a.add(n),e=_c.bind(null,e,t,n),t.then(e,e))}function gs(e){do{var t;if((t=13===e.tag)&&(t=null===(t=e.memoizedState)||null!==t.dehydrated),t)return e;e=e.return}while(null!==e);return null}function ys(e,t,n,r,a){return 0==(1&e.mode)?(e===t?e.flags|=65536:(e.flags|=128,n.flags|=131072,n.flags&=-52805,1===n.tag&&(null===n.alternate?n.tag=17:((t=zo(-1,1)).tag=2,Bo(n,t,1))),n.lanes|=1),e):(e.flags|=65536,e.lanes=a,e)}var bs=w.ReactCurrentOwner,vs=!1;function ws(e,t,n,r){t.child=null===e?xo(t,null,n,r):ko(t,e.child,n,r)}function ks(e,t,n,r,a){n=n.render;var o=t.ref;return Ro(t,a),r=gi(e,t,n,r,o,a),n=yi(),null===e||vs?(ao&&n&&eo(t),t.flags|=1,ws(e,t,r,a),t.child):(t.updateQueue=e.updateQueue,t.flags&=-2053,e.lanes&=~a,Hs(e,t,a))}function xs(e,t,n,r,a){if(null===e){var o=n.type;return"function"!=typeof o||Pc(o)||void 0!==o.defaultProps||null!==n.compare||void 0!==n.defaultProps?((e=Oc(n.type,null,r,t,t.mode,a)).ref=t.ref,e.return=t,t.child=e):(t.tag=15,t.type=o,Ss(e,t,o,r,a))}if(o=e.child,0==(e.lanes&a)){var i=o.memoizedProps;if((n=null!==(n=n.compare)?n:lr)(i,r)&&e.ref===t.ref)return Hs(e,t,a)}return t.flags|=1,(e=Ac(o,r)).ref=t.ref,e.return=t,t.child=e}function Ss(e,t,n,r,a){if(null!==e){var o=e.memoizedProps;if(lr(o,r)&&e.ref===t.ref){if(vs=!1,t.pendingProps=r=o,0==(e.lanes&a))return t.lanes=e.lanes,Hs(e,t,a);0!=(131072&e.flags)&&(vs=!0)}}return Cs(e,t,n,r,a)}function Es(e,t,n){var r=t.pendingProps,a=r.children,o=null!==e?e.memoizedState:null;if("hidden"===r.mode)if(0==(1&t.mode))t.memoizedState={baseLanes:0,cachePool:null,transitions:null},Ca(Al,Pl),Pl|=n;else{if(0==(1073741824&n))return e=null!==o?o.baseLanes|n:n,t.lanes=t.childLanes=1073741824,t.memoizedState={baseLanes:e,cachePool:null,transitions:null},t.updateQueue=null,Ca(Al,Pl),Pl|=e,null;t.memoizedState={baseLanes:0,cachePool:null,transitions:null},r=null!==o?o.baseLanes:n,Ca(Al,Pl),Pl|=r}else null!==o?(r=o.baseLanes|n,t.memoizedState=null):r=n,Ca(Al,Pl),Pl|=r;return ws(e,t,a,n),t.child}function _s(e,t){var n=t.ref;(null===e&&null!==n||null!==e&&e.ref!==n)&&(t.flags|=512,t.flags|=2097152)}function Cs(e,t,n,r,a){var o=Pa(n)?Ra:ja.current;return o=Na(t,o),Ro(t,a),n=gi(e,t,n,r,o,a),r=yi(),null===e||vs?(ao&&r&&eo(t),t.flags|=1,ws(e,t,n,a),t.child):(t.updateQueue=e.updateQueue,t.flags&=-2053,e.lanes&=~a,Hs(e,t,a))}function Ts(e,t,n,r,a){if(Pa(n)){var o=!0;Da(t)}else o=!1;if(Ro(t,a),null===t.stateNode)qs(e,t),is(t,n,r),ls(t,n,r,a),r=!0;else if(null===e){var i=t.stateNode,s=t.memoizedProps;i.props=s;var l=i.context,c=n.contextType;"object"==typeof c&&null!==c?c=No(c):c=Na(t,c=Pa(n)?Ra:ja.current);var u=n.getDerivedStateFromProps,d="function"==typeof u||"function"==typeof i.getSnapshotBeforeUpdate;d||"function"!=typeof i.UNSAFE_componentWillReceiveProps&&"function"!=typeof i.componentWillReceiveProps||(s!==r||l!==c)&&ss(t,i,r,c),Do=!1;var p=t.memoizedState;i.state=p,qo(t,r,i,a),l=t.memoizedState,s!==r||p!==l||La.current||Do?("function"==typeof u&&(rs(t,n,u,r),l=t.memoizedState),(s=Do||os(t,n,s,r,p,l,c))?(d||"function"!=typeof i.UNSAFE_componentWillMount&&"function"!=typeof i.componentWillMount||("function"==typeof i.componentWillMount&&i.componentWillMount(),"function"==typeof i.UNSAFE_componentWillMount&&i.UNSAFE_componentWillMount()),"function"==typeof i.componentDidMount&&(t.flags|=4194308)):("function"==typeof i.componentDidMount&&(t.flags|=4194308),t.memoizedProps=r,t.memoizedState=l),i.props=r,i.state=l,i.context=c,r=s):("function"==typeof i.componentDidMount&&(t.flags|=4194308),r=!1)}else{i=t.stateNode,Mo(e,t),s=t.memoizedProps,c=t.type===t.elementType?s:ns(t.type,s),i.props=c,d=t.pendingProps,p=i.context,"object"==typeof(l=n.contextType)&&null!==l?l=No(l):l=Na(t,l=Pa(n)?Ra:ja.current);var f=n.getDerivedStateFromProps;(u="function"==typeof f||"function"==typeof i.getSnapshotBeforeUpdate)||"function"!=typeof i.UNSAFE_componentWillReceiveProps&&"function"!=typeof i.componentWillReceiveProps||(s!==d||p!==l)&&ss(t,i,r,l),Do=!1,p=t.memoizedState,i.state=p,qo(t,r,i,a);var h=t.memoizedState;s!==d||p!==h||La.current||Do?("function"==typeof f&&(rs(t,n,f,r),h=t.memoizedState),(c=Do||os(t,n,c,r,p,h,l)||!1)?(u||"function"!=typeof i.UNSAFE_componentWillUpdate&&"function"!=typeof i.componentWillUpdate||("function"==typeof i.componentWillUpdate&&i.componentWillUpdate(r,h,l),"function"==typeof i.UNSAFE_componentWillUpdate&&i.UNSAFE_componentWillUpdate(r,h,l)),"function"==typeof i.componentDidUpdate&&(t.flags|=4),"function"==typeof i.getSnapshotBeforeUpdate&&(t.flags|=1024)):("function"!=typeof i.componentDidUpdate||s===e.memoizedProps&&p===e.memoizedState||(t.flags|=4),"function"!=typeof i.getSnapshotBeforeUpdate||s===e.memoizedProps&&p===e.memoizedState||(t.flags|=1024),t.memoizedProps=r,t.memoizedState=h),i.props=r,i.state=h,i.context=l,r=c):("function"!=typeof i.componentDidUpdate||s===e.memoizedProps&&p===e.memoizedState||(t.flags|=4),"function"!=typeof i.getSnapshotBeforeUpdate||s===e.memoizedProps&&p===e.memoizedState||(t.flags|=1024),r=!1)}return js(e,t,n,r,o,a)}function js(e,t,n,r,a,o){_s(e,t);var i=0!=(128&t.flags);if(!r&&!i)return a&&Fa(t,n,!1),Hs(e,t,o);r=t.stateNode,bs.current=t;var s=i&&"function"!=typeof n.getDerivedStateFromError?null:r.render();return t.flags|=1,null!==e&&i?(t.child=ko(t,e.child,null,o),t.child=ko(t,null,s,o)):ws(e,t,s,o),t.memoizedState=r.state,a&&Fa(t,n,!0),t.child}function Ls(e){var t=e.stateNode;t.pendingContext?Oa(0,t.pendingContext,t.pendingContext!==t.context):t.context&&Oa(0,t.context,!1),Xo(e,t.containerInfo)}function Rs(e,t,n,r,a){return ho(),mo(a),t.flags|=256,ws(e,t,n,r),t.child}var Ns,Ps,As,Os,Is={dehydrated:null,treeContext:null,retryLane:0};function Ds(e){return{baseLanes:e,cachePool:null,transitions:null}}function Fs(e,t,n){var r,a=t.pendingProps,i=ei.current,s=!1,l=0!=(128&t.flags);if((r=l)||(r=(null===e||null!==e.memoizedState)&&0!=(2&i)),r?(s=!0,t.flags&=-129):null!==e&&null===e.memoizedState||(i|=1),Ca(ei,1&i),null===e)return co(t),null!==(e=t.memoizedState)&&null!==(e=e.dehydrated)?(0==(1&t.mode)?t.lanes=1:"$!"===e.data?t.lanes=8:t.lanes=1073741824,null):(l=a.children,e=a.fallback,s?(a=t.mode,s=t.child,l={mode:"hidden",children:l},0==(1&a)&&null!==s?(s.childLanes=0,s.pendingProps=l):s=Dc(l,a,0,null),e=Ic(e,a,n,null),s.return=t,e.return=t,s.sibling=e,t.child=s,t.child.memoizedState=Ds(n),t.memoizedState=Is,e):Ms(t,l));if(null!==(i=e.memoizedState)&&null!==(r=i.dehydrated))return function(e,t,n,r,a,i,s){if(n)return 256&t.flags?(t.flags&=-257,zs(e,t,s,r=us(Error(o(422))))):null!==t.memoizedState?(t.child=e.child,t.flags|=128,null):(i=r.fallback,a=t.mode,r=Dc({mode:"visible",children:r.children},a,0,null),(i=Ic(i,a,s,null)).flags|=2,r.return=t,i.return=t,r.sibling=i,t.child=r,0!=(1&t.mode)&&ko(t,e.child,null,s),t.child.memoizedState=Ds(s),t.memoizedState=Is,i);if(0==(1&t.mode))return zs(e,t,s,null);if("$!"===a.data){if(r=a.nextSibling&&a.nextSibling.dataset)var l=r.dgst;return r=l,zs(e,t,s,r=us(i=Error(o(419)),r,void 0))}if(l=0!=(s&e.childLanes),vs||l){if(null!==(r=Ll)){switch(s&-s){case 4:a=2;break;case 16:a=8;break;case 64:case 128:case 256:case 512:case 1024:case 2048:case 4096:case 8192:case 16384:case 32768:case 65536:case 131072:case 262144:case 524288:case 1048576:case 2097152:case 4194304:case 8388608:case 16777216:case 33554432:case 67108864:a=32;break;case 536870912:a=268435456;break;default:a=0}0!==(a=0!=(a&(r.suspendedLanes|s))?0:a)&&a!==i.retryLane&&(i.retryLane=a,Io(e,a),nc(r,e,a,-1))}return mc(),zs(e,t,s,r=us(Error(o(421))))}return"$?"===a.data?(t.flags|=128,t.child=e.child,t=Tc.bind(null,e),a._reactRetry=t,null):(e=i.treeContext,ro=ca(a.nextSibling),no=t,ao=!0,oo=null,null!==e&&(Va[Wa++]=Xa,Va[Wa++]=Ka,Va[Wa++]=Ga,Xa=e.id,Ka=e.overflow,Ga=t),t=Ms(t,r.children),t.flags|=4096,t)}(e,t,l,a,r,i,n);if(s){s=a.fallback,l=t.mode,r=(i=e.child).sibling;var c={mode:"hidden",children:a.children};return 0==(1&l)&&t.child!==i?((a=t.child).childLanes=0,a.pendingProps=c,t.deletions=null):(a=Ac(i,c)).subtreeFlags=14680064&i.subtreeFlags,null!==r?s=Ac(r,s):(s=Ic(s,l,n,null)).flags|=2,s.return=t,a.return=t,a.sibling=s,t.child=a,a=s,s=t.child,l=null===(l=e.child.memoizedState)?Ds(n):{baseLanes:l.baseLanes|n,cachePool:null,transitions:l.transitions},s.memoizedState=l,s.childLanes=e.childLanes&~n,t.memoizedState=Is,a}return e=(s=e.child).sibling,a=Ac(s,{mode:"visible",children:a.children}),0==(1&t.mode)&&(a.lanes=n),a.return=t,a.sibling=null,null!==e&&(null===(n=t.deletions)?(t.deletions=[e],t.flags|=16):n.push(e)),t.child=a,t.memoizedState=null,a}function Ms(e,t){return(t=Dc({mode:"visible",children:t},e.mode,0,null)).return=e,e.child=t}function zs(e,t,n,r){return null!==r&&mo(r),ko(t,e.child,null,n),(e=Ms(t,t.pendingProps.children)).flags|=2,t.memoizedState=null,e}function Bs(e,t,n){e.lanes|=t;var r=e.alternate;null!==r&&(r.lanes|=t),Lo(e.return,t,n)}function $s(e,t,n,r,a){var o=e.memoizedState;null===o?e.memoizedState={isBackwards:t,rendering:null,renderingStartTime:0,last:r,tail:n,tailMode:a}:(o.isBackwards=t,o.rendering=null,o.renderingStartTime=0,o.last=r,o.tail=n,o.tailMode=a)}function Us(e,t,n){var r=t.pendingProps,a=r.revealOrder,o=r.tail;if(ws(e,t,r.children,n),0!=(2&(r=ei.current)))r=1&r|2,t.flags|=128;else{if(null!==e&&0!=(128&e.flags))e:for(e=t.child;null!==e;){if(13===e.tag)null!==e.memoizedState&&Bs(e,n,t);else if(19===e.tag)Bs(e,n,t);else if(null!==e.child){e.child.return=e,e=e.child;continue}if(e===t)break e;for(;null===e.sibling;){if(null===e.return||e.return===t)break e;e=e.return}e.sibling.return=e.return,e=e.sibling}r&=1}if(Ca(ei,r),0==(1&t.mode))t.memoizedState=null;else switch(a){case"forwards":for(n=t.child,a=null;null!==n;)null!==(e=n.alternate)&&null===ti(e)&&(a=n),n=n.sibling;null===(n=a)?(a=t.child,t.child=null):(a=n.sibling,n.sibling=null),$s(t,!1,a,n,o);break;case"backwards":for(n=null,a=t.child,t.child=null;null!==a;){if(null!==(e=a.alternate)&&null===ti(e)){t.child=a;break}e=a.sibling,a.sibling=n,n=a,a=e}$s(t,!0,n,null,o);break;case"together":$s(t,!1,null,null,void 0);break;default:t.memoizedState=null}return t.child}function qs(e,t){0==(1&t.mode)&&null!==e&&(e.alternate=null,t.alternate=null,t.flags|=2)}function Hs(e,t,n){if(null!==e&&(t.dependencies=e.dependencies),Dl|=t.lanes,0==(n&t.childLanes))return null;if(null!==e&&t.child!==e.child)throw Error(o(153));if(null!==t.child){for(n=Ac(e=t.child,e.pendingProps),t.child=n,n.return=t;null!==e.sibling;)e=e.sibling,(n=n.sibling=Ac(e,e.pendingProps)).return=t;n.sibling=null}return t.child}function Qs(e,t){if(!ao)switch(e.tailMode){case"hidden":t=e.tail;for(var n=null;null!==t;)null!==t.alternate&&(n=t),t=t.sibling;null===n?e.tail=null:n.sibling=null;break;case"collapsed":n=e.tail;for(var r=null;null!==n;)null!==n.alternate&&(r=n),n=n.sibling;null===r?t||null===e.tail?e.tail=null:e.tail.sibling=null:r.sibling=null}}function Zs(e){var t=null!==e.alternate&&e.alternate.child===e.child,n=0,r=0;if(t)for(var a=e.child;null!==a;)n|=a.lanes|a.childLanes,r|=14680064&a.subtreeFlags,r|=14680064&a.flags,a.return=e,a=a.sibling;else for(a=e.child;null!==a;)n|=a.lanes|a.childLanes,r|=a.subtreeFlags,r|=a.flags,a.return=e,a=a.sibling;return e.subtreeFlags|=r,e.childLanes=n,t}function Vs(e,t,n){var r=t.pendingProps;switch(to(t),t.tag){case 2:case 16:case 15:case 0:case 11:case 7:case 8:case 12:case 9:case 14:return Zs(t),null;case 1:case 17:return Pa(t.type)&&Aa(),Zs(t),null;case 3:return r=t.stateNode,Ko(),_a(La),_a(ja),ri(),r.pendingContext&&(r.context=r.pendingContext,r.pendingContext=null),null!==e&&null!==e.child||(po(t)?t.flags|=4:null===e||e.memoizedState.isDehydrated&&0==(256&t.flags)||(t.flags|=1024,null!==oo&&(ic(oo),oo=null))),Ps(e,t),Zs(t),null;case 5:Jo(t);var a=Go(Wo.current);if(n=t.type,null!==e&&null!=t.stateNode)As(e,t,n,r,a),e.ref!==t.ref&&(t.flags|=512,t.flags|=2097152);else{if(!r){if(null===t.stateNode)throw Error(o(166));return Zs(t),null}if(e=Go(Zo.current),po(t)){r=t.stateNode,n=t.type;var i=t.memoizedProps;switch(r[pa]=t,r[fa]=i,e=0!=(1&t.mode),n){case"dialog":zr("cancel",r),zr("close",r);break;case"iframe":case"object":case"embed":zr("load",r);break;case"video":case"audio":for(a=0;a<Ir.length;a++)zr(Ir[a],r);break;case"source":zr("error",r);break;case"img":case"image":case"link":zr("error",r),zr("load",r);break;case"details":zr("toggle",r);break;case"input":X(r,i),zr("invalid",r);break;case"select":r._wrapperState={wasMultiple:!!i.multiple},zr("invalid",r);break;case"textarea":ae(r,i),zr("invalid",r)}for(var l in be(n,i),a=null,i)if(i.hasOwnProperty(l)){var c=i[l];"children"===l?"string"==typeof c?r.textContent!==c&&(!0!==i.suppressHydrationWarning&&Yr(r.textContent,c,e),a=["children",c]):"number"==typeof c&&r.textContent!==""+c&&(!0!==i.suppressHydrationWarning&&Yr(r.textContent,c,e),a=["children",""+c]):s.hasOwnProperty(l)&&null!=c&&"onScroll"===l&&zr("scroll",r)}switch(n){case"input":Z(r),J(r,i,!0);break;case"textarea":Z(r),ie(r);break;case"select":case"option":break;default:"function"==typeof i.onClick&&(r.onclick=Jr)}r=a,t.updateQueue=r,null!==r&&(t.flags|=4)}else{l=9===a.nodeType?a:a.ownerDocument,"http://www.w3.org/1999/xhtml"===e&&(e=se(n)),"http://www.w3.org/1999/xhtml"===e?"script"===n?((e=l.createElement("div")).innerHTML="<script><\/script>",e=e.removeChild(e.firstChild)):"string"==typeof r.is?e=l.createElement(n,{is:r.is}):(e=l.createElement(n),"select"===n&&(l=e,r.multiple?l.multiple=!0:r.size&&(l.size=r.size))):e=l.createElementNS(e,n),e[pa]=t,e[fa]=r,Ns(e,t,!1,!1),t.stateNode=e;e:{switch(l=ve(n,r),n){case"dialog":zr("cancel",e),zr("close",e),a=r;break;case"iframe":case"object":case"embed":zr("load",e),a=r;break;case"video":case"audio":for(a=0;a<Ir.length;a++)zr(Ir[a],e);a=r;break;case"source":zr("error",e),a=r;break;case"img":case"image":case"link":zr("error",e),zr("load",e),a=r;break;case"details":zr("toggle",e),a=r;break;case"input":X(e,r),a=G(e,r),zr("invalid",e);break;case"option":default:a=r;break;case"select":e._wrapperState={wasMultiple:!!r.multiple},a=F({},r,{value:void 0}),zr("invalid",e);break;case"textarea":ae(e,r),a=re(e,r),zr("invalid",e)}for(i in be(n,a),c=a)if(c.hasOwnProperty(i)){var u=c[i];"style"===i?ge(e,u):"dangerouslySetInnerHTML"===i?null!=(u=u?u.__html:void 0)&&de(e,u):"children"===i?"string"==typeof u?("textarea"!==n||""!==u)&&pe(e,u):"number"==typeof u&&pe(e,""+u):"suppressContentEditableWarning"!==i&&"suppressHydrationWarning"!==i&&"autoFocus"!==i&&(s.hasOwnProperty(i)?null!=u&&"onScroll"===i&&zr("scroll",e):null!=u&&v(e,i,u,l))}switch(n){case"input":Z(e),J(e,r,!1);break;case"textarea":Z(e),ie(e);break;case"option":null!=r.value&&e.setAttribute("value",""+H(r.value));break;case"select":e.multiple=!!r.multiple,null!=(i=r.value)?ne(e,!!r.multiple,i,!1):null!=r.defaultValue&&ne(e,!!r.multiple,r.defaultValue,!0);break;default:"function"==typeof a.onClick&&(e.onclick=Jr)}switch(n){case"button":case"input":case"select":case"textarea":r=!!r.autoFocus;break e;case"img":r=!0;break e;default:r=!1}}r&&(t.flags|=4)}null!==t.ref&&(t.flags|=512,t.flags|=2097152)}return Zs(t),null;case 6:if(e&&null!=t.stateNode)Os(e,t,e.memoizedProps,r);else{if("string"!=typeof r&&null===t.stateNode)throw Error(o(166));if(n=Go(Wo.current),Go(Zo.current),po(t)){if(r=t.stateNode,n=t.memoizedProps,r[pa]=t,(i=r.nodeValue!==n)&&null!==(e=no))switch(e.tag){case 3:Yr(r.nodeValue,n,0!=(1&e.mode));break;case 5:!0!==e.memoizedProps.suppressHydrationWarning&&Yr(r.nodeValue,n,0!=(1&e.mode))}i&&(t.flags|=4)}else(r=(9===n.nodeType?n:n.ownerDocument).createTextNode(r))[pa]=t,t.stateNode=r}return Zs(t),null;case 13:if(_a(ei),r=t.memoizedState,null===e||null!==e.memoizedState&&null!==e.memoizedState.dehydrated){if(ao&&null!==ro&&0!=(1&t.mode)&&0==(128&t.flags))fo(),ho(),t.flags|=98560,i=!1;else if(i=po(t),null!==r&&null!==r.dehydrated){if(null===e){if(!i)throw Error(o(318));if(!(i=null!==(i=t.memoizedState)?i.dehydrated:null))throw Error(o(317));i[pa]=t}else ho(),0==(128&t.flags)&&(t.memoizedState=null),t.flags|=4;Zs(t),i=!1}else null!==oo&&(ic(oo),oo=null),i=!0;if(!i)return 65536&t.flags?t:null}return 0!=(128&t.flags)?(t.lanes=n,t):((r=null!==r)!==(null!==e&&null!==e.memoizedState)&&r&&(t.child.flags|=8192,0!=(1&t.mode)&&(null===e||0!=(1&ei.current)?0===Ol&&(Ol=3):mc())),null!==t.updateQueue&&(t.flags|=4),Zs(t),null);case 4:return Ko(),Ps(e,t),null===e&&Ur(t.stateNode.containerInfo),Zs(t),null;case 10:return jo(t.type._context),Zs(t),null;case 19:if(_a(ei),null===(i=t.memoizedState))return Zs(t),null;if(r=0!=(128&t.flags),null===(l=i.rendering))if(r)Qs(i,!1);else{if(0!==Ol||null!==e&&0!=(128&e.flags))for(e=t.child;null!==e;){if(null!==(l=ti(e))){for(t.flags|=128,Qs(i,!1),null!==(r=l.updateQueue)&&(t.updateQueue=r,t.flags|=4),t.subtreeFlags=0,r=n,n=t.child;null!==n;)e=r,(i=n).flags&=14680066,null===(l=i.alternate)?(i.childLanes=0,i.lanes=e,i.child=null,i.subtreeFlags=0,i.memoizedProps=null,i.memoizedState=null,i.updateQueue=null,i.dependencies=null,i.stateNode=null):(i.childLanes=l.childLanes,i.lanes=l.lanes,i.child=l.child,i.subtreeFlags=0,i.deletions=null,i.memoizedProps=l.memoizedProps,i.memoizedState=l.memoizedState,i.updateQueue=l.updateQueue,i.type=l.type,e=l.dependencies,i.dependencies=null===e?null:{lanes:e.lanes,firstContext:e.firstContext}),n=n.sibling;return Ca(ei,1&ei.current|2),t.child}e=e.sibling}null!==i.tail&&Ke()>Ul&&(t.flags|=128,r=!0,Qs(i,!1),t.lanes=4194304)}else{if(!r)if(null!==(e=ti(l))){if(t.flags|=128,r=!0,null!==(n=e.updateQueue)&&(t.updateQueue=n,t.flags|=4),Qs(i,!0),null===i.tail&&"hidden"===i.tailMode&&!l.alternate&&!ao)return Zs(t),null}else 2*Ke()-i.renderingStartTime>Ul&&1073741824!==n&&(t.flags|=128,r=!0,Qs(i,!1),t.lanes=4194304);i.isBackwards?(l.sibling=t.child,t.child=l):(null!==(n=i.last)?n.sibling=l:t.child=l,i.last=l)}return null!==i.tail?(t=i.tail,i.rendering=t,i.tail=t.sibling,i.renderingStartTime=Ke(),t.sibling=null,n=ei.current,Ca(ei,r?1&n|2:1&n),t):(Zs(t),null);case 22:case 23:return dc(),r=null!==t.memoizedState,null!==e&&null!==e.memoizedState!==r&&(t.flags|=8192),r&&0!=(1&t.mode)?0!=(1073741824&Pl)&&(Zs(t),6&t.subtreeFlags&&(t.flags|=8192)):Zs(t),null;case 24:case 25:return null}throw Error(o(156,t.tag))}function Ws(e,t){switch(to(t),t.tag){case 1:return Pa(t.type)&&Aa(),65536&(e=t.flags)?(t.flags=-65537&e|128,t):null;case 3:return Ko(),_a(La),_a(ja),ri(),0!=(65536&(e=t.flags))&&0==(128&e)?(t.flags=-65537&e|128,t):null;case 5:return Jo(t),null;case 13:if(_a(ei),null!==(e=t.memoizedState)&&null!==e.dehydrated){if(null===t.alternate)throw Error(o(340));ho()}return 65536&(e=t.flags)?(t.flags=-65537&e|128,t):null;case 19:return _a(ei),null;case 4:return Ko(),null;case 10:return jo(t.type._context),null;case 22:case 23:return dc(),null;default:return null}}Ns=function(e,t){for(var n=t.child;null!==n;){if(5===n.tag||6===n.tag)e.appendChild(n.stateNode);else if(4!==n.tag&&null!==n.child){n.child.return=n,n=n.child;continue}if(n===t)break;for(;null===n.sibling;){if(null===n.return||n.return===t)return;n=n.return}n.sibling.return=n.return,n=n.sibling}},Ps=function(){},As=function(e,t,n,r){var a=e.memoizedProps;if(a!==r){e=t.stateNode,Go(Zo.current);var o,i=null;switch(n){case"input":a=G(e,a),r=G(e,r),i=[];break;case"select":a=F({},a,{value:void 0}),r=F({},r,{value:void 0}),i=[];break;case"textarea":a=re(e,a),r=re(e,r),i=[];break;default:"function"!=typeof a.onClick&&"function"==typeof r.onClick&&(e.onclick=Jr)}for(u in be(n,r),n=null,a)if(!r.hasOwnProperty(u)&&a.hasOwnProperty(u)&&null!=a[u])if("style"===u){var l=a[u];for(o in l)l.hasOwnProperty(o)&&(n||(n={}),n[o]="")}else"dangerouslySetInnerHTML"!==u&&"children"!==u&&"suppressContentEditableWarning"!==u&&"suppressHydrationWarning"!==u&&"autoFocus"!==u&&(s.hasOwnProperty(u)?i||(i=[]):(i=i||[]).push(u,null));for(u in r){var c=r[u];if(l=null!=a?a[u]:void 0,r.hasOwnProperty(u)&&c!==l&&(null!=c||null!=l))if("style"===u)if(l){for(o in l)!l.hasOwnProperty(o)||c&&c.hasOwnProperty(o)||(n||(n={}),n[o]="");for(o in c)c.hasOwnProperty(o)&&l[o]!==c[o]&&(n||(n={}),n[o]=c[o])}else n||(i||(i=[]),i.push(u,n)),n=c;else"dangerouslySetInnerHTML"===u?(c=c?c.__html:void 0,l=l?l.__html:void 0,null!=c&&l!==c&&(i=i||[]).push(u,c)):"children"===u?"string"!=typeof c&&"number"!=typeof c||(i=i||[]).push(u,""+c):"suppressContentEditableWarning"!==u&&"suppressHydrationWarning"!==u&&(s.hasOwnProperty(u)?(null!=c&&"onScroll"===u&&zr("scroll",e),i||l===c||(i=[])):(i=i||[]).push(u,c))}n&&(i=i||[]).push("style",n);var u=i;(t.updateQueue=u)&&(t.flags|=4)}},Os=function(e,t,n,r){n!==r&&(t.flags|=4)};var Gs=!1,Xs=!1,Ks="function"==typeof WeakSet?WeakSet:Set,Ys=null;function Js(e,t){var n=e.ref;if(null!==n)if("function"==typeof n)try{n(null)}catch(r){Ec(e,t,r)}else n.current=null}function el(e,t,n){try{n()}catch(r){Ec(e,t,r)}}var tl=!1;function nl(e,t,n){var r=t.updateQueue;if(null!==(r=null!==r?r.lastEffect:null)){var a=r=r.next;do{if((a.tag&e)===e){var o=a.destroy;a.destroy=void 0,void 0!==o&&el(t,n,o)}a=a.next}while(a!==r)}}function rl(e,t){if(null!==(t=null!==(t=t.updateQueue)?t.lastEffect:null)){var n=t=t.next;do{if((n.tag&e)===e){var r=n.create;n.destroy=r()}n=n.next}while(n!==t)}}function al(e){var t=e.ref;if(null!==t){var n=e.stateNode;e.tag,e=n,"function"==typeof t?t(e):t.current=e}}function ol(e){var t=e.alternate;null!==t&&(e.alternate=null,ol(t)),e.child=null,e.deletions=null,e.sibling=null,5===e.tag&&(null!==(t=e.stateNode)&&(delete t[pa],delete t[fa],delete t[ma],delete t[ga],delete t[ya])),e.stateNode=null,e.return=null,e.dependencies=null,e.memoizedProps=null,e.memoizedState=null,e.pendingProps=null,e.stateNode=null,e.updateQueue=null}function il(e){return 5===e.tag||3===e.tag||4===e.tag}function sl(e){e:for(;;){for(;null===e.sibling;){if(null===e.return||il(e.return))return null;e=e.return}for(e.sibling.return=e.return,e=e.sibling;5!==e.tag&&6!==e.tag&&18!==e.tag;){if(2&e.flags)continue e;if(null===e.child||4===e.tag)continue e;e.child.return=e,e=e.child}if(!(2&e.flags))return e.stateNode}}function ll(e,t,n){var r=e.tag;if(5===r||6===r)e=e.stateNode,t?8===n.nodeType?n.parentNode.insertBefore(e,t):n.insertBefore(e,t):(8===n.nodeType?(t=n.parentNode).insertBefore(e,n):(t=n).appendChild(e),null!=(n=n._reactRootContainer)||null!==t.onclick||(t.onclick=Jr));else if(4!==r&&null!==(e=e.child))for(ll(e,t,n),e=e.sibling;null!==e;)ll(e,t,n),e=e.sibling}function cl(e,t,n){var r=e.tag;if(5===r||6===r)e=e.stateNode,t?n.insertBefore(e,t):n.appendChild(e);else if(4!==r&&null!==(e=e.child))for(cl(e,t,n),e=e.sibling;null!==e;)cl(e,t,n),e=e.sibling}var ul=null,dl=!1;function pl(e,t,n){for(n=n.child;null!==n;)fl(e,t,n),n=n.sibling}function fl(e,t,n){if(ot&&"function"==typeof ot.onCommitFiberUnmount)try{ot.onCommitFiberUnmount(at,n)}catch(s){}switch(n.tag){case 5:Xs||Js(n,t);case 6:var r=ul,a=dl;ul=null,pl(e,t,n),dl=a,null!==(ul=r)&&(dl?(e=ul,n=n.stateNode,8===e.nodeType?e.parentNode.removeChild(n):e.removeChild(n)):ul.removeChild(n.stateNode));break;case 18:null!==ul&&(dl?(e=ul,n=n.stateNode,8===e.nodeType?la(e.parentNode,n):1===e.nodeType&&la(e,n),Ut(e)):la(ul,n.stateNode));break;case 4:r=ul,a=dl,ul=n.stateNode.containerInfo,dl=!0,pl(e,t,n),ul=r,dl=a;break;case 0:case 11:case 14:case 15:if(!Xs&&(null!==(r=n.updateQueue)&&null!==(r=r.lastEffect))){a=r=r.next;do{var o=a,i=o.destroy;o=o.tag,void 0!==i&&(0!=(2&o)||0!=(4&o))&&el(n,t,i),a=a.next}while(a!==r)}pl(e,t,n);break;case 1:if(!Xs&&(Js(n,t),"function"==typeof(r=n.stateNode).componentWillUnmount))try{r.props=n.memoizedProps,r.state=n.memoizedState,r.componentWillUnmount()}catch(s){Ec(n,t,s)}pl(e,t,n);break;case 21:pl(e,t,n);break;case 22:1&n.mode?(Xs=(r=Xs)||null!==n.memoizedState,pl(e,t,n),Xs=r):pl(e,t,n);break;default:pl(e,t,n)}}function hl(e){var t=e.updateQueue;if(null!==t){e.updateQueue=null;var n=e.stateNode;null===n&&(n=e.stateNode=new Ks),t.forEach((function(t){var r=jc.bind(null,e,t);n.has(t)||(n.add(t),t.then(r,r))}))}}function ml(e,t){var n=t.deletions;if(null!==n)for(var r=0;r<n.length;r++){var a=n[r];try{var i=e,s=t,l=s;e:for(;null!==l;){switch(l.tag){case 5:ul=l.stateNode,dl=!1;break e;case 3:case 4:ul=l.stateNode.containerInfo,dl=!0;break e}l=l.return}if(null===ul)throw Error(o(160));fl(i,s,a),ul=null,dl=!1;var c=a.alternate;null!==c&&(c.return=null),a.return=null}catch(u){Ec(a,t,u)}}if(12854&t.subtreeFlags)for(t=t.child;null!==t;)gl(t,e),t=t.sibling}function gl(e,t){var n=e.alternate,r=e.flags;switch(e.tag){case 0:case 11:case 14:case 15:if(ml(t,e),yl(e),4&r){try{nl(3,e,e.return),rl(3,e)}catch(g){Ec(e,e.return,g)}try{nl(5,e,e.return)}catch(g){Ec(e,e.return,g)}}break;case 1:ml(t,e),yl(e),512&r&&null!==n&&Js(n,n.return);break;case 5:if(ml(t,e),yl(e),512&r&&null!==n&&Js(n,n.return),32&e.flags){var a=e.stateNode;try{pe(a,"")}catch(g){Ec(e,e.return,g)}}if(4&r&&null!=(a=e.stateNode)){var i=e.memoizedProps,s=null!==n?n.memoizedProps:i,l=e.type,c=e.updateQueue;if(e.updateQueue=null,null!==c)try{"input"===l&&"radio"===i.type&&null!=i.name&&K(a,i),ve(l,s);var u=ve(l,i);for(s=0;s<c.length;s+=2){var d=c[s],p=c[s+1];"style"===d?ge(a,p):"dangerouslySetInnerHTML"===d?de(a,p):"children"===d?pe(a,p):v(a,d,p,u)}switch(l){case"input":Y(a,i);break;case"textarea":oe(a,i);break;case"select":var f=a._wrapperState.wasMultiple;a._wrapperState.wasMultiple=!!i.multiple;var h=i.value;null!=h?ne(a,!!i.multiple,h,!1):f!==!!i.multiple&&(null!=i.defaultValue?ne(a,!!i.multiple,i.defaultValue,!0):ne(a,!!i.multiple,i.multiple?[]:"",!1))}a[fa]=i}catch(g){Ec(e,e.return,g)}}break;case 6:if(ml(t,e),yl(e),4&r){if(null===e.stateNode)throw Error(o(162));a=e.stateNode,i=e.memoizedProps;try{a.nodeValue=i}catch(g){Ec(e,e.return,g)}}break;case 3:if(ml(t,e),yl(e),4&r&&null!==n&&n.memoizedState.isDehydrated)try{Ut(t.containerInfo)}catch(g){Ec(e,e.return,g)}break;case 4:default:ml(t,e),yl(e);break;case 13:ml(t,e),yl(e),8192&(a=e.child).flags&&(i=null!==a.memoizedState,a.stateNode.isHidden=i,!i||null!==a.alternate&&null!==a.alternate.memoizedState||($l=Ke())),4&r&&hl(e);break;case 22:if(d=null!==n&&null!==n.memoizedState,1&e.mode?(Xs=(u=Xs)||d,ml(t,e),Xs=u):ml(t,e),yl(e),8192&r){if(u=null!==e.memoizedState,(e.stateNode.isHidden=u)&&!d&&0!=(1&e.mode))for(Ys=e,d=e.child;null!==d;){for(p=Ys=d;null!==Ys;){switch(h=(f=Ys).child,f.tag){case 0:case 11:case 14:case 15:nl(4,f,f.return);break;case 1:Js(f,f.return);var m=f.stateNode;if("function"==typeof m.componentWillUnmount){r=f,n=f.return;try{t=r,m.props=t.memoizedProps,m.state=t.memoizedState,m.componentWillUnmount()}catch(g){Ec(r,n,g)}}break;case 5:Js(f,f.return);break;case 22:if(null!==f.memoizedState){kl(p);continue}}null!==h?(h.return=f,Ys=h):kl(p)}d=d.sibling}e:for(d=null,p=e;;){if(5===p.tag){if(null===d){d=p;try{a=p.stateNode,u?"function"==typeof(i=a.style).setProperty?i.setProperty("display","none","important"):i.display="none":(l=p.stateNode,s=null!=(c=p.memoizedProps.style)&&c.hasOwnProperty("display")?c.display:null,l.style.display=me("display",s))}catch(g){Ec(e,e.return,g)}}}else if(6===p.tag){if(null===d)try{p.stateNode.nodeValue=u?"":p.memoizedProps}catch(g){Ec(e,e.return,g)}}else if((22!==p.tag&&23!==p.tag||null===p.memoizedState||p===e)&&null!==p.child){p.child.return=p,p=p.child;continue}if(p===e)break e;for(;null===p.sibling;){if(null===p.return||p.return===e)break e;d===p&&(d=null),p=p.return}d===p&&(d=null),p.sibling.return=p.return,p=p.sibling}}break;case 19:ml(t,e),yl(e),4&r&&hl(e);case 21:}}function yl(e){var t=e.flags;if(2&t){try{e:{for(var n=e.return;null!==n;){if(il(n)){var r=n;break e}n=n.return}throw Error(o(160))}switch(r.tag){case 5:var a=r.stateNode;32&r.flags&&(pe(a,""),r.flags&=-33),cl(e,sl(e),a);break;case 3:case 4:var i=r.stateNode.containerInfo;ll(e,sl(e),i);break;default:throw Error(o(161))}}catch(s){Ec(e,e.return,s)}e.flags&=-3}4096&t&&(e.flags&=-4097)}function bl(e,t,n){Ys=e,vl(e,t,n)}function vl(e,t,n){for(var r=0!=(1&e.mode);null!==Ys;){var a=Ys,o=a.child;if(22===a.tag&&r){var i=null!==a.memoizedState||Gs;if(!i){var s=a.alternate,l=null!==s&&null!==s.memoizedState||Xs;s=Gs;var c=Xs;if(Gs=i,(Xs=l)&&!c)for(Ys=a;null!==Ys;)l=(i=Ys).child,22===i.tag&&null!==i.memoizedState?xl(a):null!==l?(l.return=i,Ys=l):xl(a);for(;null!==o;)Ys=o,vl(o,t,n),o=o.sibling;Ys=a,Gs=s,Xs=c}wl(e)}else 0!=(8772&a.subtreeFlags)&&null!==o?(o.return=a,Ys=o):wl(e)}}function wl(e){for(;null!==Ys;){var t=Ys;if(0!=(8772&t.flags)){var n=t.alternate;try{if(0!=(8772&t.flags))switch(t.tag){case 0:case 11:case 15:Xs||rl(5,t);break;case 1:var r=t.stateNode;if(4&t.flags&&!Xs)if(null===n)r.componentDidMount();else{var a=t.elementType===t.type?n.memoizedProps:ns(t.type,n.memoizedProps);r.componentDidUpdate(a,n.memoizedState,r.__reactInternalSnapshotBeforeUpdate)}var i=t.updateQueue;null!==i&&Ho(t,i,r);break;case 3:var s=t.updateQueue;if(null!==s){if(n=null,null!==t.child)switch(t.child.tag){case 5:case 1:n=t.child.stateNode}Ho(t,s,n)}break;case 5:var l=t.stateNode;if(null===n&&4&t.flags){n=l;var c=t.memoizedProps;switch(t.type){case"button":case"input":case"select":case"textarea":c.autoFocus&&n.focus();break;case"img":c.src&&(n.src=c.src)}}break;case 6:case 4:case 12:case 19:case 17:case 21:case 22:case 23:case 25:break;case 13:if(null===t.memoizedState){var u=t.alternate;if(null!==u){var d=u.memoizedState;if(null!==d){var p=d.dehydrated;null!==p&&Ut(p)}}}break;default:throw Error(o(163))}Xs||512&t.flags&&al(t)}catch(f){Ec(t,t.return,f)}}if(t===e){Ys=null;break}if(null!==(n=t.sibling)){n.return=t.return,Ys=n;break}Ys=t.return}}function kl(e){for(;null!==Ys;){var t=Ys;if(t===e){Ys=null;break}var n=t.sibling;if(null!==n){n.return=t.return,Ys=n;break}Ys=t.return}}function xl(e){for(;null!==Ys;){var t=Ys;try{switch(t.tag){case 0:case 11:case 15:var n=t.return;try{rl(4,t)}catch(l){Ec(t,n,l)}break;case 1:var r=t.stateNode;if("function"==typeof r.componentDidMount){var a=t.return;try{r.componentDidMount()}catch(l){Ec(t,a,l)}}var o=t.return;try{al(t)}catch(l){Ec(t,o,l)}break;case 5:var i=t.return;try{al(t)}catch(l){Ec(t,i,l)}}}catch(l){Ec(t,t.return,l)}if(t===e){Ys=null;break}var s=t.sibling;if(null!==s){s.return=t.return,Ys=s;break}Ys=t.return}}var Sl,El=Math.ceil,_l=w.ReactCurrentDispatcher,Cl=w.ReactCurrentOwner,Tl=w.ReactCurrentBatchConfig,jl=0,Ll=null,Rl=null,Nl=0,Pl=0,Al=Ea(0),Ol=0,Il=null,Dl=0,Fl=0,Ml=0,zl=null,Bl=null,$l=0,Ul=1/0,ql=null,Hl=!1,Ql=null,Zl=null,Vl=!1,Wl=null,Gl=0,Xl=0,Kl=null,Yl=-1,Jl=0;function ec(){return 0!=(6&jl)?Ke():-1!==Yl?Yl:Yl=Ke()}function tc(e){return 0==(1&e.mode)?1:0!=(2&jl)&&0!==Nl?Nl&-Nl:null!==go.transition?(0===Jl&&(Jl=mt()),Jl):0!==(e=vt)?e:e=void 0===(e=window.event)?16:Xt(e.type)}function nc(e,t,n,r){if(50<Xl)throw Xl=0,Kl=null,Error(o(185));yt(e,n,r),0!=(2&jl)&&e===Ll||(e===Ll&&(0==(2&jl)&&(Fl|=n),4===Ol&&sc(e,Nl)),rc(e,r),1===n&&0===jl&&0==(1&t.mode)&&(Ul=Ke()+500,za&&Ua()))}function rc(e,t){var n=e.callbackNode;!function(e,t){for(var n=e.suspendedLanes,r=e.pingedLanes,a=e.expirationTimes,o=e.pendingLanes;0<o;){var i=31-it(o),s=1<<i,l=a[i];-1===l?0!=(s&n)&&0==(s&r)||(a[i]=ft(s,t)):l<=t&&(e.expiredLanes|=s),o&=~s}}(e,t);var r=pt(e,e===Ll?Nl:0);if(0===r)null!==n&&We(n),e.callbackNode=null,e.callbackPriority=0;else if(t=r&-r,e.callbackPriority!==t){if(null!=n&&We(n),1===t)0===e.tag?function(e){za=!0,$a(e)}(lc.bind(null,e)):$a(lc.bind(null,e)),ia((function(){0==(6&jl)&&Ua()})),n=null;else{switch(wt(r)){case 1:n=Je;break;case 4:n=et;break;case 16:default:n=tt;break;case 536870912:n=rt}n=Lc(n,ac.bind(null,e))}e.callbackPriority=t,e.callbackNode=n}}function ac(e,t){if(Yl=-1,Jl=0,0!=(6&jl))throw Error(o(327));var n=e.callbackNode;if(xc()&&e.callbackNode!==n)return null;var r=pt(e,e===Ll?Nl:0);if(0===r)return null;if(0!=(30&r)||0!=(r&e.expiredLanes)||t)t=gc(e,r);else{t=r;var a=jl;jl|=2;var i=hc();for(Ll===e&&Nl===t||(ql=null,Ul=Ke()+500,pc(e,t));;)try{bc();break}catch(l){fc(e,l)}To(),_l.current=i,jl=a,null!==Rl?t=0:(Ll=null,Nl=0,t=Ol)}if(0!==t){if(2===t&&(0!==(a=ht(e))&&(r=a,t=oc(e,a))),1===t)throw n=Il,pc(e,0),sc(e,r),rc(e,Ke()),n;if(6===t)sc(e,r);else{if(a=e.current.alternate,0==(30&r)&&!function(e){for(var t=e;;){if(16384&t.flags){var n=t.updateQueue;if(null!==n&&null!==(n=n.stores))for(var r=0;r<n.length;r++){var a=n[r],o=a.getSnapshot;a=a.value;try{if(!sr(o(),a))return!1}catch(s){return!1}}}if(n=t.child,16384&t.subtreeFlags&&null!==n)n.return=t,t=n;else{if(t===e)break;for(;null===t.sibling;){if(null===t.return||t.return===e)return!0;t=t.return}t.sibling.return=t.return,t=t.sibling}}return!0}(a)&&(2===(t=gc(e,r))&&(0!==(i=ht(e))&&(r=i,t=oc(e,i))),1===t))throw n=Il,pc(e,0),sc(e,r),rc(e,Ke()),n;switch(e.finishedWork=a,e.finishedLanes=r,t){case 0:case 1:throw Error(o(345));case 2:case 5:kc(e,Bl,ql);break;case 3:if(sc(e,r),(130023424&r)===r&&10<(t=$l+500-Ke())){if(0!==pt(e,0))break;if(((a=e.suspendedLanes)&r)!==r){ec(),e.pingedLanes|=e.suspendedLanes&a;break}e.timeoutHandle=ra(kc.bind(null,e,Bl,ql),t);break}kc(e,Bl,ql);break;case 4:if(sc(e,r),(4194240&r)===r)break;for(t=e.eventTimes,a=-1;0<r;){var s=31-it(r);i=1<<s,(s=t[s])>a&&(a=s),r&=~i}if(r=a,10<(r=(120>(r=Ke()-r)?120:480>r?480:1080>r?1080:1920>r?1920:3e3>r?3e3:4320>r?4320:1960*El(r/1960))-r)){e.timeoutHandle=ra(kc.bind(null,e,Bl,ql),r);break}kc(e,Bl,ql);break;default:throw Error(o(329))}}}return rc(e,Ke()),e.callbackNode===n?ac.bind(null,e):null}function oc(e,t){var n=zl;return e.current.memoizedState.isDehydrated&&(pc(e,t).flags|=256),2!==(e=gc(e,t))&&(t=Bl,Bl=n,null!==t&&ic(t)),e}function ic(e){null===Bl?Bl=e:Bl.push.apply(Bl,e)}function sc(e,t){for(t&=~Ml,t&=~Fl,e.suspendedLanes|=t,e.pingedLanes&=~t,e=e.expirationTimes;0<t;){var n=31-it(t),r=1<<n;e[n]=-1,t&=~r}}function lc(e){if(0!=(6&jl))throw Error(o(327));xc();var t=pt(e,0);if(0==(1&t))return rc(e,Ke()),null;var n=gc(e,t);if(0!==e.tag&&2===n){var r=ht(e);0!==r&&(t=r,n=oc(e,r))}if(1===n)throw n=Il,pc(e,0),sc(e,t),rc(e,Ke()),n;if(6===n)throw Error(o(345));return e.finishedWork=e.current.alternate,e.finishedLanes=t,kc(e,Bl,ql),rc(e,Ke()),null}function cc(e,t){var n=jl;jl|=1;try{return e(t)}finally{0===(jl=n)&&(Ul=Ke()+500,za&&Ua())}}function uc(e){null!==Wl&&0===Wl.tag&&0==(6&jl)&&xc();var t=jl;jl|=1;var n=Tl.transition,r=vt;try{if(Tl.transition=null,vt=1,e)return e()}finally{vt=r,Tl.transition=n,0==(6&(jl=t))&&Ua()}}function dc(){Pl=Al.current,_a(Al)}function pc(e,t){e.finishedWork=null,e.finishedLanes=0;var n=e.timeoutHandle;if(-1!==n&&(e.timeoutHandle=-1,aa(n)),null!==Rl)for(n=Rl.return;null!==n;){var r=n;switch(to(r),r.tag){case 1:null!=(r=r.type.childContextTypes)&&Aa();break;case 3:Ko(),_a(La),_a(ja),ri();break;case 5:Jo(r);break;case 4:Ko();break;case 13:case 19:_a(ei);break;case 10:jo(r.type._context);break;case 22:case 23:dc()}n=n.return}if(Ll=e,Rl=e=Ac(e.current,null),Nl=Pl=t,Ol=0,Il=null,Ml=Fl=Dl=0,Bl=zl=null,null!==Po){for(t=0;t<Po.length;t++)if(null!==(r=(n=Po[t]).interleaved)){n.interleaved=null;var a=r.next,o=n.pending;if(null!==o){var i=o.next;o.next=a,r.next=i}n.pending=r}Po=null}return e}function fc(e,t){for(;;){var n=Rl;try{if(To(),ai.current=Yi,ui){for(var r=si.memoizedState;null!==r;){var a=r.queue;null!==a&&(a.pending=null),r=r.next}ui=!1}if(ii=0,ci=li=si=null,di=!1,pi=0,Cl.current=null,null===n||null===n.return){Ol=1,Il=t,Rl=null;break}e:{var i=e,s=n.return,l=n,c=t;if(t=Nl,l.flags|=32768,null!==c&&"object"==typeof c&&"function"==typeof c.then){var u=c,d=l,p=d.tag;if(0==(1&d.mode)&&(0===p||11===p||15===p)){var f=d.alternate;f?(d.updateQueue=f.updateQueue,d.memoizedState=f.memoizedState,d.lanes=f.lanes):(d.updateQueue=null,d.memoizedState=null)}var h=gs(s);if(null!==h){h.flags&=-257,ys(h,s,l,0,t),1&h.mode&&ms(i,u,t),c=u;var m=(t=h).updateQueue;if(null===m){var g=new Set;g.add(c),t.updateQueue=g}else m.add(c);break e}if(0==(1&t)){ms(i,u,t),mc();break e}c=Error(o(426))}else if(ao&&1&l.mode){var y=gs(s);if(null!==y){0==(65536&y.flags)&&(y.flags|=256),ys(y,s,l,0,t),mo(cs(c,l));break e}}i=c=cs(c,l),4!==Ol&&(Ol=2),null===zl?zl=[i]:zl.push(i),i=s;do{switch(i.tag){case 3:i.flags|=65536,t&=-t,i.lanes|=t,Uo(i,fs(0,c,t));break e;case 1:l=c;var b=i.type,v=i.stateNode;if(0==(128&i.flags)&&("function"==typeof b.getDerivedStateFromError||null!==v&&"function"==typeof v.componentDidCatch&&(null===Zl||!Zl.has(v)))){i.flags|=65536,t&=-t,i.lanes|=t,Uo(i,hs(i,l,t));break e}}i=i.return}while(null!==i)}wc(n)}catch(w){t=w,Rl===n&&null!==n&&(Rl=n=n.return);continue}break}}function hc(){var e=_l.current;return _l.current=Yi,null===e?Yi:e}function mc(){0!==Ol&&3!==Ol&&2!==Ol||(Ol=4),null===Ll||0==(268435455&Dl)&&0==(268435455&Fl)||sc(Ll,Nl)}function gc(e,t){var n=jl;jl|=2;var r=hc();for(Ll===e&&Nl===t||(ql=null,pc(e,t));;)try{yc();break}catch(a){fc(e,a)}if(To(),jl=n,_l.current=r,null!==Rl)throw Error(o(261));return Ll=null,Nl=0,Ol}function yc(){for(;null!==Rl;)vc(Rl)}function bc(){for(;null!==Rl&&!Ge();)vc(Rl)}function vc(e){var t=Sl(e.alternate,e,Pl);e.memoizedProps=e.pendingProps,null===t?wc(e):Rl=t,Cl.current=null}function wc(e){var t=e;do{var n=t.alternate;if(e=t.return,0==(32768&t.flags)){if(null!==(n=Vs(n,t,Pl)))return void(Rl=n)}else{if(null!==(n=Ws(n,t)))return n.flags&=32767,void(Rl=n);if(null===e)return Ol=6,void(Rl=null);e.flags|=32768,e.subtreeFlags=0,e.deletions=null}if(null!==(t=t.sibling))return void(Rl=t);Rl=t=e}while(null!==t);0===Ol&&(Ol=5)}function kc(e,t,n){var r=vt,a=Tl.transition;try{Tl.transition=null,vt=1,function(e,t,n,r){do{xc()}while(null!==Wl);if(0!=(6&jl))throw Error(o(327));n=e.finishedWork;var a=e.finishedLanes;if(null===n)return null;if(e.finishedWork=null,e.finishedLanes=0,n===e.current)throw Error(o(177));e.callbackNode=null,e.callbackPriority=0;var i=n.lanes|n.childLanes;if(function(e,t){var n=e.pendingLanes&~t;e.pendingLanes=t,e.suspendedLanes=0,e.pingedLanes=0,e.expiredLanes&=t,e.mutableReadLanes&=t,e.entangledLanes&=t,t=e.entanglements;var r=e.eventTimes;for(e=e.expirationTimes;0<n;){var a=31-it(n),o=1<<a;t[a]=0,r[a]=-1,e[a]=-1,n&=~o}}(e,i),e===Ll&&(Rl=Ll=null,Nl=0),0==(2064&n.subtreeFlags)&&0==(2064&n.flags)||Vl||(Vl=!0,Lc(tt,(function(){return xc(),null}))),i=0!=(15990&n.flags),0!=(15990&n.subtreeFlags)||i){i=Tl.transition,Tl.transition=null;var s=vt;vt=1;var l=jl;jl|=4,Cl.current=null,function(e,t){if(ea=Ht,fr(e=pr())){if("selectionStart"in e)var n={start:e.selectionStart,end:e.selectionEnd};else e:{var r=(n=(n=e.ownerDocument)&&n.defaultView||window).getSelection&&n.getSelection();if(r&&0!==r.rangeCount){n=r.anchorNode;var a=r.anchorOffset,i=r.focusNode;r=r.focusOffset;try{n.nodeType,i.nodeType}catch(k){n=null;break e}var s=0,l=-1,c=-1,u=0,d=0,p=e,f=null;t:for(;;){for(var h;p!==n||0!==a&&3!==p.nodeType||(l=s+a),p!==i||0!==r&&3!==p.nodeType||(c=s+r),3===p.nodeType&&(s+=p.nodeValue.length),null!==(h=p.firstChild);)f=p,p=h;for(;;){if(p===e)break t;if(f===n&&++u===a&&(l=s),f===i&&++d===r&&(c=s),null!==(h=p.nextSibling))break;f=(p=f).parentNode}p=h}n=-1===l||-1===c?null:{start:l,end:c}}else n=null}n=n||{start:0,end:0}}else n=null;for(ta={focusedElem:e,selectionRange:n},Ht=!1,Ys=t;null!==Ys;)if(e=(t=Ys).child,0!=(1028&t.subtreeFlags)&&null!==e)e.return=t,Ys=e;else for(;null!==Ys;){t=Ys;try{var m=t.alternate;if(0!=(1024&t.flags))switch(t.tag){case 0:case 11:case 15:case 5:case 6:case 4:case 17:break;case 1:if(null!==m){var g=m.memoizedProps,y=m.memoizedState,b=t.stateNode,v=b.getSnapshotBeforeUpdate(t.elementType===t.type?g:ns(t.type,g),y);b.__reactInternalSnapshotBeforeUpdate=v}break;case 3:var w=t.stateNode.containerInfo;1===w.nodeType?w.textContent="":9===w.nodeType&&w.documentElement&&w.removeChild(w.documentElement);break;default:throw Error(o(163))}}catch(k){Ec(t,t.return,k)}if(null!==(e=t.sibling)){e.return=t.return,Ys=e;break}Ys=t.return}m=tl,tl=!1}(e,n),gl(n,e),hr(ta),Ht=!!ea,ta=ea=null,e.current=n,bl(n,e,a),Xe(),jl=l,vt=s,Tl.transition=i}else e.current=n;if(Vl&&(Vl=!1,Wl=e,Gl=a),i=e.pendingLanes,0===i&&(Zl=null),function(e){if(ot&&"function"==typeof ot.onCommitFiberRoot)try{ot.onCommitFiberRoot(at,e,void 0,128==(128&e.current.flags))}catch(t){}}(n.stateNode),rc(e,Ke()),null!==t)for(r=e.onRecoverableError,n=0;n<t.length;n++)a=t[n],r(a.value,{componentStack:a.stack,digest:a.digest});if(Hl)throw Hl=!1,e=Ql,Ql=null,e;0!=(1&Gl)&&0!==e.tag&&xc(),i=e.pendingLanes,0!=(1&i)?e===Kl?Xl++:(Xl=0,Kl=e):Xl=0,Ua()}(e,t,n,r)}finally{Tl.transition=a,vt=r}return null}function xc(){if(null!==Wl){var e=wt(Gl),t=Tl.transition,n=vt;try{if(Tl.transition=null,vt=16>e?16:e,null===Wl)var r=!1;else{if(e=Wl,Wl=null,Gl=0,0!=(6&jl))throw Error(o(331));var a=jl;for(jl|=4,Ys=e.current;null!==Ys;){var i=Ys,s=i.child;if(0!=(16&Ys.flags)){var l=i.deletions;if(null!==l){for(var c=0;c<l.length;c++){var u=l[c];for(Ys=u;null!==Ys;){var d=Ys;switch(d.tag){case 0:case 11:case 15:nl(8,d,i)}var p=d.child;if(null!==p)p.return=d,Ys=p;else for(;null!==Ys;){var f=(d=Ys).sibling,h=d.return;if(ol(d),d===u){Ys=null;break}if(null!==f){f.return=h,Ys=f;break}Ys=h}}}var m=i.alternate;if(null!==m){var g=m.child;if(null!==g){m.child=null;do{var y=g.sibling;g.sibling=null,g=y}while(null!==g)}}Ys=i}}if(0!=(2064&i.subtreeFlags)&&null!==s)s.return=i,Ys=s;else e:for(;null!==Ys;){if(0!=(2048&(i=Ys).flags))switch(i.tag){case 0:case 11:case 15:nl(9,i,i.return)}var b=i.sibling;if(null!==b){b.return=i.return,Ys=b;break e}Ys=i.return}}var v=e.current;for(Ys=v;null!==Ys;){var w=(s=Ys).child;if(0!=(2064&s.subtreeFlags)&&null!==w)w.return=s,Ys=w;else e:for(s=v;null!==Ys;){if(0!=(2048&(l=Ys).flags))try{switch(l.tag){case 0:case 11:case 15:rl(9,l)}}catch(x){Ec(l,l.return,x)}if(l===s){Ys=null;break e}var k=l.sibling;if(null!==k){k.return=l.return,Ys=k;break e}Ys=l.return}}if(jl=a,Ua(),ot&&"function"==typeof ot.onPostCommitFiberRoot)try{ot.onPostCommitFiberRoot(at,e)}catch(x){}r=!0}return r}finally{vt=n,Tl.transition=t}}return!1}function Sc(e,t,n){e=Bo(e,t=fs(0,t=cs(n,t),1),1),t=ec(),null!==e&&(yt(e,1,t),rc(e,t))}function Ec(e,t,n){if(3===e.tag)Sc(e,e,n);else for(;null!==t;){if(3===t.tag){Sc(t,e,n);break}if(1===t.tag){var r=t.stateNode;if("function"==typeof t.type.getDerivedStateFromError||"function"==typeof r.componentDidCatch&&(null===Zl||!Zl.has(r))){t=Bo(t,e=hs(t,e=cs(n,e),1),1),e=ec(),null!==t&&(yt(t,1,e),rc(t,e));break}}t=t.return}}function _c(e,t,n){var r=e.pingCache;null!==r&&r.delete(t),t=ec(),e.pingedLanes|=e.suspendedLanes&n,Ll===e&&(Nl&n)===n&&(4===Ol||3===Ol&&(130023424&Nl)===Nl&&500>Ke()-$l?pc(e,0):Ml|=n),rc(e,t)}function Cc(e,t){0===t&&(0==(1&e.mode)?t=1:(t=ut,0==(130023424&(ut<<=1))&&(ut=4194304)));var n=ec();null!==(e=Io(e,t))&&(yt(e,t,n),rc(e,n))}function Tc(e){var t=e.memoizedState,n=0;null!==t&&(n=t.retryLane),Cc(e,n)}function jc(e,t){var n=0;switch(e.tag){case 13:var r=e.stateNode,a=e.memoizedState;null!==a&&(n=a.retryLane);break;case 19:r=e.stateNode;break;default:throw Error(o(314))}null!==r&&r.delete(t),Cc(e,n)}function Lc(e,t){return Ve(e,t)}function Rc(e,t,n,r){this.tag=e,this.key=n,this.sibling=this.child=this.return=this.stateNode=this.type=this.elementType=null,this.index=0,this.ref=null,this.pendingProps=t,this.dependencies=this.memoizedState=this.updateQueue=this.memoizedProps=null,this.mode=r,this.subtreeFlags=this.flags=0,this.deletions=null,this.childLanes=this.lanes=0,this.alternate=null}function Nc(e,t,n,r){return new Rc(e,t,n,r)}function Pc(e){return!(!(e=e.prototype)||!e.isReactComponent)}function Ac(e,t){var n=e.alternate;return null===n?((n=Nc(e.tag,t,e.key,e.mode)).elementType=e.elementType,n.type=e.type,n.stateNode=e.stateNode,n.alternate=e,e.alternate=n):(n.pendingProps=t,n.type=e.type,n.flags=0,n.subtreeFlags=0,n.deletions=null),n.flags=14680064&e.flags,n.childLanes=e.childLanes,n.lanes=e.lanes,n.child=e.child,n.memoizedProps=e.memoizedProps,n.memoizedState=e.memoizedState,n.updateQueue=e.updateQueue,t=e.dependencies,n.dependencies=null===t?null:{lanes:t.lanes,firstContext:t.firstContext},n.sibling=e.sibling,n.index=e.index,n.ref=e.ref,n}function Oc(e,t,n,r,a,i){var s=2;if(r=e,"function"==typeof e)Pc(e)&&(s=1);else if("string"==typeof e)s=5;else e:switch(e){case S:return Ic(n.children,a,i,t);case E:s=8,a|=8;break;case _:return(e=Nc(12,n,t,2|a)).elementType=_,e.lanes=i,e;case L:return(e=Nc(13,n,t,a)).elementType=L,e.lanes=i,e;case R:return(e=Nc(19,n,t,a)).elementType=R,e.lanes=i,e;case A:return Dc(n,a,i,t);default:if("object"==typeof e&&null!==e)switch(e.$$typeof){case C:s=10;break e;case T:s=9;break e;case j:s=11;break e;case N:s=14;break e;case P:s=16,r=null;break e}throw Error(o(130,null==e?e:typeof e,""))}return(t=Nc(s,n,t,a)).elementType=e,t.type=r,t.lanes=i,t}function Ic(e,t,n,r){return(e=Nc(7,e,r,t)).lanes=n,e}function Dc(e,t,n,r){return(e=Nc(22,e,r,t)).elementType=A,e.lanes=n,e.stateNode={isHidden:!1},e}function Fc(e,t,n){return(e=Nc(6,e,null,t)).lanes=n,e}function Mc(e,t,n){return(t=Nc(4,null!==e.children?e.children:[],e.key,t)).lanes=n,t.stateNode={containerInfo:e.containerInfo,pendingChildren:null,implementation:e.implementation},t}function zc(e,t,n,r,a){this.tag=t,this.containerInfo=e,this.finishedWork=this.pingCache=this.current=this.pendingChildren=null,this.timeoutHandle=-1,this.callbackNode=this.pendingContext=this.context=null,this.callbackPriority=0,this.eventTimes=gt(0),this.expirationTimes=gt(-1),this.entangledLanes=this.finishedLanes=this.mutableReadLanes=this.expiredLanes=this.pingedLanes=this.suspendedLanes=this.pendingLanes=0,this.entanglements=gt(0),this.identifierPrefix=r,this.onRecoverableError=a,this.mutableSourceEagerHydrationData=null}function Bc(e,t,n,r,a,o,i,s,l){return e=new zc(e,t,n,s,l),1===t?(t=1,!0===o&&(t|=8)):t=0,o=Nc(3,null,null,t),e.current=o,o.stateNode=e,o.memoizedState={element:r,isDehydrated:n,cache:null,transitions:null,pendingSuspenseBoundaries:null},Fo(o),e}function $c(e){if(!e)return Ta;e:{if(Ue(e=e._reactInternals)!==e||1!==e.tag)throw Error(o(170));var t=e;do{switch(t.tag){case 3:t=t.stateNode.context;break e;case 1:if(Pa(t.type)){t=t.stateNode.__reactInternalMemoizedMergedChildContext;break e}}t=t.return}while(null!==t);throw Error(o(171))}if(1===e.tag){var n=e.type;if(Pa(n))return Ia(e,n,t)}return t}function Uc(e,t,n,r,a,o,i,s,l){return(e=Bc(n,r,!0,e,0,o,0,s,l)).context=$c(null),n=e.current,(o=zo(r=ec(),a=tc(n))).callback=null!=t?t:null,Bo(n,o,a),e.current.lanes=a,yt(e,a,r),rc(e,r),e}function qc(e,t,n,r){var a=t.current,o=ec(),i=tc(a);return n=$c(n),null===t.context?t.context=n:t.pendingContext=n,(t=zo(o,i)).payload={element:e},null!==(r=void 0===r?null:r)&&(t.callback=r),null!==(e=Bo(a,t,i))&&(nc(e,a,i,o),$o(e,a,i)),i}function Hc(e){return(e=e.current).child?(e.child.tag,e.child.stateNode):null}function Qc(e,t){if(null!==(e=e.memoizedState)&&null!==e.dehydrated){var n=e.retryLane;e.retryLane=0!==n&&n<t?n:t}}function Zc(e,t){Qc(e,t),(e=e.alternate)&&Qc(e,t)}Sl=function(e,t,n){if(null!==e)if(e.memoizedProps!==t.pendingProps||La.current)vs=!0;else{if(0==(e.lanes&n)&&0==(128&t.flags))return vs=!1,function(e,t,n){switch(t.tag){case 3:Ls(t),ho();break;case 5:Yo(t);break;case 1:Pa(t.type)&&Da(t);break;case 4:Xo(t,t.stateNode.containerInfo);break;case 10:var r=t.type._context,a=t.memoizedProps.value;Ca(So,r._currentValue),r._currentValue=a;break;case 13:if(null!==(r=t.memoizedState))return null!==r.dehydrated?(Ca(ei,1&ei.current),t.flags|=128,null):0!=(n&t.child.childLanes)?Fs(e,t,n):(Ca(ei,1&ei.current),null!==(e=Hs(e,t,n))?e.sibling:null);Ca(ei,1&ei.current);break;case 19:if(r=0!=(n&t.childLanes),0!=(128&e.flags)){if(r)return Us(e,t,n);t.flags|=128}if(null!==(a=t.memoizedState)&&(a.rendering=null,a.tail=null,a.lastEffect=null),Ca(ei,ei.current),r)break;return null;case 22:case 23:return t.lanes=0,Es(e,t,n)}return Hs(e,t,n)}(e,t,n);vs=0!=(131072&e.flags)}else vs=!1,ao&&0!=(1048576&t.flags)&&Ja(t,Za,t.index);switch(t.lanes=0,t.tag){case 2:var r=t.type;qs(e,t),e=t.pendingProps;var a=Na(t,ja.current);Ro(t,n),a=gi(null,t,r,e,a,n);var i=yi();return t.flags|=1,"object"==typeof a&&null!==a&&"function"==typeof a.render&&void 0===a.$$typeof?(t.tag=1,t.memoizedState=null,t.updateQueue=null,Pa(r)?(i=!0,Da(t)):i=!1,t.memoizedState=null!==a.state&&void 0!==a.state?a.state:null,Fo(t),a.updater=as,t.stateNode=a,a._reactInternals=t,ls(t,r,e,n),t=js(null,t,r,!0,i,n)):(t.tag=0,ao&&i&&eo(t),ws(null,t,a,n),t=t.child),t;case 16:r=t.elementType;e:{switch(qs(e,t),e=t.pendingProps,r=(a=r._init)(r._payload),t.type=r,a=t.tag=function(e){if("function"==typeof e)return Pc(e)?1:0;if(null!=e){if((e=e.$$typeof)===j)return 11;if(e===N)return 14}return 2}(r),e=ns(r,e),a){case 0:t=Cs(null,t,r,e,n);break e;case 1:t=Ts(null,t,r,e,n);break e;case 11:t=ks(null,t,r,e,n);break e;case 14:t=xs(null,t,r,ns(r.type,e),n);break e}throw Error(o(306,r,""))}return t;case 0:return r=t.type,a=t.pendingProps,Cs(e,t,r,a=t.elementType===r?a:ns(r,a),n);case 1:return r=t.type,a=t.pendingProps,Ts(e,t,r,a=t.elementType===r?a:ns(r,a),n);case 3:e:{if(Ls(t),null===e)throw Error(o(387));r=t.pendingProps,a=(i=t.memoizedState).element,Mo(e,t),qo(t,r,null,n);var s=t.memoizedState;if(r=s.element,i.isDehydrated){if(i={element:r,isDehydrated:!1,cache:s.cache,pendingSuspenseBoundaries:s.pendingSuspenseBoundaries,transitions:s.transitions},t.updateQueue.baseState=i,t.memoizedState=i,256&t.flags){t=Rs(e,t,r,n,a=cs(Error(o(423)),t));break e}if(r!==a){t=Rs(e,t,r,n,a=cs(Error(o(424)),t));break e}for(ro=ca(t.stateNode.containerInfo.firstChild),no=t,ao=!0,oo=null,n=xo(t,null,r,n),t.child=n;n;)n.flags=-3&n.flags|4096,n=n.sibling}else{if(ho(),r===a){t=Hs(e,t,n);break e}ws(e,t,r,n)}t=t.child}return t;case 5:return Yo(t),null===e&&co(t),r=t.type,a=t.pendingProps,i=null!==e?e.memoizedProps:null,s=a.children,na(r,a)?s=null:null!==i&&na(r,i)&&(t.flags|=32),_s(e,t),ws(e,t,s,n),t.child;case 6:return null===e&&co(t),null;case 13:return Fs(e,t,n);case 4:return Xo(t,t.stateNode.containerInfo),r=t.pendingProps,null===e?t.child=ko(t,null,r,n):ws(e,t,r,n),t.child;case 11:return r=t.type,a=t.pendingProps,ks(e,t,r,a=t.elementType===r?a:ns(r,a),n);case 7:return ws(e,t,t.pendingProps,n),t.child;case 8:case 12:return ws(e,t,t.pendingProps.children,n),t.child;case 10:e:{if(r=t.type._context,a=t.pendingProps,i=t.memoizedProps,s=a.value,Ca(So,r._currentValue),r._currentValue=s,null!==i)if(sr(i.value,s)){if(i.children===a.children&&!La.current){t=Hs(e,t,n);break e}}else for(null!==(i=t.child)&&(i.return=t);null!==i;){var l=i.dependencies;if(null!==l){s=i.child;for(var c=l.firstContext;null!==c;){if(c.context===r){if(1===i.tag){(c=zo(-1,n&-n)).tag=2;var u=i.updateQueue;if(null!==u){var d=(u=u.shared).pending;null===d?c.next=c:(c.next=d.next,d.next=c),u.pending=c}}i.lanes|=n,null!==(c=i.alternate)&&(c.lanes|=n),Lo(i.return,n,t),l.lanes|=n;break}c=c.next}}else if(10===i.tag)s=i.type===t.type?null:i.child;else if(18===i.tag){if(null===(s=i.return))throw Error(o(341));s.lanes|=n,null!==(l=s.alternate)&&(l.lanes|=n),Lo(s,n,t),s=i.sibling}else s=i.child;if(null!==s)s.return=i;else for(s=i;null!==s;){if(s===t){s=null;break}if(null!==(i=s.sibling)){i.return=s.return,s=i;break}s=s.return}i=s}ws(e,t,a.children,n),t=t.child}return t;case 9:return a=t.type,r=t.pendingProps.children,Ro(t,n),r=r(a=No(a)),t.flags|=1,ws(e,t,r,n),t.child;case 14:return a=ns(r=t.type,t.pendingProps),xs(e,t,r,a=ns(r.type,a),n);case 15:return Ss(e,t,t.type,t.pendingProps,n);case 17:return r=t.type,a=t.pendingProps,a=t.elementType===r?a:ns(r,a),qs(e,t),t.tag=1,Pa(r)?(e=!0,Da(t)):e=!1,Ro(t,n),is(t,r,a),ls(t,r,a,n),js(null,t,r,!0,e,n);case 19:return Us(e,t,n);case 22:return Es(e,t,n)}throw Error(o(156,t.tag))};var Vc="function"==typeof reportError?reportError:function(e){console.error(e)};function Wc(e){this._internalRoot=e}function Gc(e){this._internalRoot=e}function Xc(e){return!(!e||1!==e.nodeType&&9!==e.nodeType&&11!==e.nodeType)}function Kc(e){return!(!e||1!==e.nodeType&&9!==e.nodeType&&11!==e.nodeType&&(8!==e.nodeType||" react-mount-point-unstable "!==e.nodeValue))}function Yc(){}function Jc(e,t,n,r,a){var o=n._reactRootContainer;if(o){var i=o;if("function"==typeof a){var s=a;a=function(){var e=Hc(i);s.call(e)}}qc(t,i,e,a)}else i=function(e,t,n,r,a){if(a){if("function"==typeof r){var o=r;r=function(){var e=Hc(i);o.call(e)}}var i=Uc(t,r,e,0,null,!1,0,"",Yc);return e._reactRootContainer=i,e[ha]=i.current,Ur(8===e.nodeType?e.parentNode:e),uc(),i}for(;a=e.lastChild;)e.removeChild(a);if("function"==typeof r){var s=r;r=function(){var e=Hc(l);s.call(e)}}var l=Bc(e,0,!1,null,0,!1,0,"",Yc);return e._reactRootContainer=l,e[ha]=l.current,Ur(8===e.nodeType?e.parentNode:e),uc((function(){qc(t,l,n,r)})),l}(n,t,e,a,r);return Hc(i)}Gc.prototype.render=Wc.prototype.render=function(e){var t=this._internalRoot;if(null===t)throw Error(o(409));qc(e,t,null,null)},Gc.prototype.unmount=Wc.prototype.unmount=function(){var e=this._internalRoot;if(null!==e){this._internalRoot=null;var t=e.containerInfo;uc((function(){qc(null,e,null,null)})),t[ha]=null}},Gc.prototype.unstable_scheduleHydration=function(e){if(e){var t=Et();e={blockedOn:null,target:e,priority:t};for(var n=0;n<At.length&&0!==t&&t<At[n].priority;n++);At.splice(n,0,e),0===n&&Ft(e)}},kt=function(e){switch(e.tag){case 3:var t=e.stateNode;if(t.current.memoizedState.isDehydrated){var n=dt(t.pendingLanes);0!==n&&(bt(t,1|n),rc(t,Ke()),0==(6&jl)&&(Ul=Ke()+500,Ua()))}break;case 13:uc((function(){var t=Io(e,1);if(null!==t){var n=ec();nc(t,e,1,n)}})),Zc(e,1)}},xt=function(e){if(13===e.tag){var t=Io(e,134217728);if(null!==t)nc(t,e,134217728,ec());Zc(e,134217728)}},St=function(e){if(13===e.tag){var t=tc(e),n=Io(e,t);if(null!==n)nc(n,e,t,ec());Zc(e,t)}},Et=function(){return vt},_t=function(e,t){var n=vt;try{return vt=e,t()}finally{vt=n}},xe=function(e,t,n){switch(t){case"input":if(Y(e,n),t=n.name,"radio"===n.type&&null!=t){for(n=e;n.parentNode;)n=n.parentNode;for(n=n.querySelectorAll("input[name="+JSON.stringify(""+t)+'][type="radio"]'),t=0;t<n.length;t++){var r=n[t];if(r!==e&&r.form===e.form){var a=ka(r);if(!a)throw Error(o(90));V(r),Y(r,a)}}}break;case"textarea":oe(e,n);break;case"select":null!=(t=n.value)&&ne(e,!!n.multiple,t,!1)}},je=cc,Le=uc;var eu={usingClientEntryPoint:!1,Events:[va,wa,ka,Ce,Te,cc]},tu={findFiberByHostInstance:ba,bundleType:0,version:"18.3.1",rendererPackageName:"react-dom"},nu={bundleType:tu.bundleType,version:tu.version,rendererPackageName:tu.rendererPackageName,rendererConfig:tu.rendererConfig,overrideHookState:null,overrideHookStateDeletePath:null,overrideHookStateRenamePath:null,overrideProps:null,overridePropsDeletePath:null,overridePropsRenamePath:null,setErrorHandler:null,setSuspenseHandler:null,scheduleUpdate:null,currentDispatcherRef:w.ReactCurrentDispatcher,findHostInstanceByFiber:function(e){return null===(e=Qe(e))?null:e.stateNode},findFiberByHostInstance:tu.findFiberByHostInstance||function(){return null},findHostInstancesForRefresh:null,scheduleRefresh:null,scheduleRoot:null,setRefreshHandler:null,getCurrentFiber:null,reconcilerVersion:"18.3.1-next-f1338f8080-20240426"};if("undefined"!=typeof __REACT_DEVTOOLS_GLOBAL_HOOK__){var ru=__REACT_DEVTOOLS_GLOBAL_HOOK__;if(!ru.isDisabled&&ru.supportsFiber)try{at=ru.inject(nu),ot=ru}catch(ue){}}t.__SECRET_INTERNALS_DO_NOT_USE_OR_YOU_WILL_BE_FIRED=eu,t.createPortal=function(e,t){var n=2<arguments.length&&void 0!==arguments[2]?arguments[2]:null;if(!Xc(t))throw Error(o(200));return function(e,t,n){var r=3<arguments.length&&void 0!==arguments[3]?arguments[3]:null;return{$$typeof:x,key:null==r?null:""+r,children:e,containerInfo:t,implementation:n}}(e,t,null,n)},t.createRoot=function(e,t){if(!Xc(e))throw Error(o(299));var n=!1,r="",a=Vc;return null!=t&&(!0===t.unstable_strictMode&&(n=!0),void 0!==t.identifierPrefix&&(r=t.identifierPrefix),void 0!==t.onRecoverableError&&(a=t.onRecoverableError)),t=Bc(e,1,!1,null,0,n,0,r,a),e[ha]=t.current,Ur(8===e.nodeType?e.parentNode:e),new Wc(t)},t.findDOMNode=function(e){if(null==e)return null;if(1===e.nodeType)return e;var t=e._reactInternals;if(void 0===t){if("function"==typeof e.render)throw Error(o(188));throw e=Object.keys(e).join(","),Error(o(268,e))}return e=null===(e=Qe(t))?null:e.stateNode},t.flushSync=function(e){return uc(e)},t.hydrate=function(e,t,n){if(!Kc(t))throw Error(o(200));return Jc(null,e,t,!0,n)},t.hydrateRoot=function(e,t,n){if(!Xc(e))throw Error(o(405));var r=null!=n&&n.hydratedSources||null,a=!1,i="",s=Vc;if(null!=n&&(!0===n.unstable_strictMode&&(a=!0),void 0!==n.identifierPrefix&&(i=n.identifierPrefix),void 0!==n.onRecoverableError&&(s=n.onRecoverableError)),t=Uc(t,null,e,1,null!=n?n:null,a,0,i,s),e[ha]=t.current,Ur(e),r)for(e=0;e<r.length;e++)a=(a=(n=r[e])._getVersion)(n._source),null==t.mutableSourceEagerHydrationData?t.mutableSourceEagerHydrationData=[n,a]:t.mutableSourceEagerHydrationData.push(n,a);return new Gc(t)},t.render=function(e,t,n){if(!Kc(t))throw Error(o(200));return Jc(null,e,t,!1,n)},t.unmountComponentAtNode=function(e){if(!Kc(e))throw Error(o(40));return!!e._reactRootContainer&&(uc((function(){Jc(null,null,e,!1,(function(){e._reactRootContainer=null,e[ha]=null}))})),!0)},t.unstable_batchedUpdates=cc,t.unstable_renderSubtreeIntoContainer=function(e,t,n,r){if(!Kc(n))throw Error(o(200));if(null==e||void 0===e._reactInternals)throw Error(o(38));return Jc(e,t,n,!1,r)},t.version="18.3.1-next-f1338f8080-20240426"},745:(e,t,n)=>{"use strict";var r=n(3935);t.createRoot=r.createRoot,t.hydrateRoot=r.hydrateRoot},3935:(e,t,n)=>{"use strict";!function e(){if("undefined"!=typeof __REACT_DEVTOOLS_GLOBAL_HOOK__&&"function"==typeof __REACT_DEVTOOLS_GLOBAL_HOOK__.checkDCE)try{__REACT_DEVTOOLS_GLOBAL_HOOK__.checkDCE(e)}catch(t){console.error(t)}}(),e.exports=n(4448)},9590:e=>{var t="undefined"!=typeof Element,n="function"==typeof Map,r="function"==typeof Set,a="function"==typeof ArrayBuffer&&!!ArrayBuffer.isView;function o(e,i){if(e===i)return!0;if(e&&i&&"object"==typeof e&&"object"==typeof i){if(e.constructor!==i.constructor)return!1;var s,l,c,u;if(Array.isArray(e)){if((s=e.length)!=i.length)return!1;for(l=s;0!=l--;)if(!o(e[l],i[l]))return!1;return!0}if(n&&e instanceof Map&&i instanceof Map){if(e.size!==i.size)return!1;for(u=e.entries();!(l=u.next()).done;)if(!i.has(l.value[0]))return!1;for(u=e.entries();!(l=u.next()).done;)if(!o(l.value[1],i.get(l.value[0])))return!1;return!0}if(r&&e instanceof Set&&i instanceof Set){if(e.size!==i.size)return!1;for(u=e.entries();!(l=u.next()).done;)if(!i.has(l.value[0]))return!1;return!0}if(a&&ArrayBuffer.isView(e)&&ArrayBuffer.isView(i)){if((s=e.length)!=i.length)return!1;for(l=s;0!=l--;)if(e[l]!==i[l])return!1;return!0}if(e.constructor===RegExp)return e.source===i.source&&e.flags===i.flags;if(e.valueOf!==Object.prototype.valueOf&&"function"==typeof e.valueOf&&"function"==typeof i.valueOf)return e.valueOf()===i.valueOf();if(e.toString!==Object.prototype.toString&&"function"==typeof e.toString&&"function"==typeof i.toString)return e.toString()===i.toString();if((s=(c=Object.keys(e)).length)!==Object.keys(i).length)return!1;for(l=s;0!=l--;)if(!Object.prototype.hasOwnProperty.call(i,c[l]))return!1;if(t&&e instanceof Element)return!1;for(l=s;0!=l--;)if(("_owner"!==c[l]&&"__v"!==c[l]&&"__o"!==c[l]||!e.$$typeof)&&!o(e[c[l]],i[c[l]]))return!1;return!0}return e!=e&&i!=i}e.exports=function(e,t){try{return o(e,t)}catch(n){if((n.message||"").match(/stack|recursion/i))return console.warn("react-fast-compare cannot handle circular refs"),!1;throw n}}},405:(e,t,n)=>{"use strict";n.d(t,{B6:()=>Q,ql:()=>J});var r=n(7294),a=n(5697),o=n.n(a),i=n(9590),s=n.n(i),l=n(1143),c=n.n(l),u=n(6774),d=n.n(u);function p(){return p=Object.assign||function(e){for(var t=1;t<arguments.length;t++){var n=arguments[t];for(var r in n)Object.prototype.hasOwnProperty.call(n,r)&&(e[r]=n[r])}return e},p.apply(this,arguments)}function f(e,t){e.prototype=Object.create(t.prototype),e.prototype.constructor=e,h(e,t)}function h(e,t){return h=Object.setPrototypeOf||function(e,t){return e.__proto__=t,e},h(e,t)}function m(e,t){if(null==e)return{};var n,r,a={},o=Object.keys(e);for(r=0;r<o.length;r++)t.indexOf(n=o[r])>=0||(a[n]=e[n]);return a}var g={BASE:"base",BODY:"body",HEAD:"head",HTML:"html",LINK:"link",META:"meta",NOSCRIPT:"noscript",SCRIPT:"script",STYLE:"style",TITLE:"title",FRAGMENT:"Symbol(react.fragment)"},y={rel:["amphtml","canonical","alternate"]},b={type:["application/ld+json"]},v={charset:"",name:["robots","description"],property:["og:type","og:title","og:url","og:image","og:image:alt","og:description","twitter:url","twitter:title","twitter:description","twitter:image","twitter:image:alt","twitter:card","twitter:site"]},w=Object.keys(g).map((function(e){return g[e]})),k={accesskey:"accessKey",charset:"charSet",class:"className",contenteditable:"contentEditable",contextmenu:"contextMenu","http-equiv":"httpEquiv",itemprop:"itemProp",tabindex:"tabIndex"},x=Object.keys(k).reduce((function(e,t){return e[k[t]]=t,e}),{}),S=function(e,t){for(var n=e.length-1;n>=0;n-=1){var r=e[n];if(Object.prototype.hasOwnProperty.call(r,t))return r[t]}return null},E=function(e){var t=S(e,g.TITLE),n=S(e,"titleTemplate");if(Array.isArray(t)&&(t=t.join("")),n&&t)return n.replace(/%s/g,(function(){return t}));var r=S(e,"defaultTitle");return t||r||void 0},_=function(e){return S(e,"onChangeClientState")||function(){}},C=function(e,t){return t.filter((function(t){return void 0!==t[e]})).map((function(t){return t[e]})).reduce((function(e,t){return p({},e,t)}),{})},T=function(e,t){return t.filter((function(e){return void 0!==e[g.BASE]})).map((function(e){return e[g.BASE]})).reverse().reduce((function(t,n){if(!t.length)for(var r=Object.keys(n),a=0;a<r.length;a+=1){var o=r[a].toLowerCase();if(-1!==e.indexOf(o)&&n[o])return t.concat(n)}return t}),[])},j=function(e,t,n){var r={};return n.filter((function(t){return!!Array.isArray(t[e])||(void 0!==t[e]&&console&&"function"==typeof console.warn&&console.warn("Helmet: "+e+' should be of type "Array". Instead found type "'+typeof t[e]+'"'),!1)})).map((function(t){return t[e]})).reverse().reduce((function(e,n){var a={};n.filter((function(e){for(var n,o=Object.keys(e),i=0;i<o.length;i+=1){var s=o[i],l=s.toLowerCase();-1===t.indexOf(l)||"rel"===n&&"canonical"===e[n].toLowerCase()||"rel"===l&&"stylesheet"===e[l].toLowerCase()||(n=l),-1===t.indexOf(s)||"innerHTML"!==s&&"cssText"!==s&&"itemprop"!==s||(n=s)}if(!n||!e[n])return!1;var c=e[n].toLowerCase();return r[n]||(r[n]={}),a[n]||(a[n]={}),!r[n][c]&&(a[n][c]=!0,!0)})).reverse().forEach((function(t){return e.push(t)}));for(var o=Object.keys(a),i=0;i<o.length;i+=1){var s=o[i],l=p({},r[s],a[s]);r[s]=l}return e}),[]).reverse()},L=function(e,t){if(Array.isArray(e)&&e.length)for(var n=0;n<e.length;n+=1)if(e[n][t])return!0;return!1},R=function(e){return Array.isArray(e)?e.join(""):e},N=function(e,t){return Array.isArray(e)?e.reduce((function(e,n){return function(e,t){for(var n=Object.keys(e),r=0;r<n.length;r+=1)if(t[n[r]]&&t[n[r]].includes(e[n[r]]))return!0;return!1}(n,t)?e.priority.push(n):e.default.push(n),e}),{priority:[],default:[]}):{default:e}},P=function(e,t){var n;return p({},e,((n={})[t]=void 0,n))},A=[g.NOSCRIPT,g.SCRIPT,g.STYLE],O=function(e,t){return void 0===t&&(t=!0),!1===t?String(e):String(e).replace(/&/g,"&").replace(/</g,"<").replace(/>/g,">").replace(/"/g,""").replace(/'/g,"'")},I=function(e){return Object.keys(e).reduce((function(t,n){var r=void 0!==e[n]?n+'="'+e[n]+'"':""+n;return t?t+" "+r:r}),"")},D=function(e,t){return void 0===t&&(t={}),Object.keys(e).reduce((function(t,n){return t[k[n]||n]=e[n],t}),t)},F=function(e,t){return t.map((function(t,n){var a,o=((a={key:n})["data-rh"]=!0,a);return Object.keys(t).forEach((function(e){var n=k[e]||e;"innerHTML"===n||"cssText"===n?o.dangerouslySetInnerHTML={__html:t.innerHTML||t.cssText}:o[n]=t[e]})),r.createElement(e,o)}))},M=function(e,t,n){switch(e){case g.TITLE:return{toComponent:function(){return n=t.titleAttributes,(a={key:e=t.title})["data-rh"]=!0,o=D(n,a),[r.createElement(g.TITLE,o,e)];var e,n,a,o},toString:function(){return function(e,t,n,r){var a=I(n),o=R(t);return a?"<"+e+' data-rh="true" '+a+">"+O(o,r)+"</"+e+">":"<"+e+' data-rh="true">'+O(o,r)+"</"+e+">"}(e,t.title,t.titleAttributes,n)}};case"bodyAttributes":case"htmlAttributes":return{toComponent:function(){return D(t)},toString:function(){return I(t)}};default:return{toComponent:function(){return F(e,t)},toString:function(){return function(e,t,n){return t.reduce((function(t,r){var a=Object.keys(r).filter((function(e){return!("innerHTML"===e||"cssText"===e)})).reduce((function(e,t){var a=void 0===r[t]?t:t+'="'+O(r[t],n)+'"';return e?e+" "+a:a}),""),o=r.innerHTML||r.cssText||"",i=-1===A.indexOf(e);return t+"<"+e+' data-rh="true" '+a+(i?"/>":">"+o+"</"+e+">")}),"")}(e,t,n)}}}},z=function(e){var t=e.baseTag,n=e.bodyAttributes,r=e.encode,a=e.htmlAttributes,o=e.noscriptTags,i=e.styleTags,s=e.title,l=void 0===s?"":s,c=e.titleAttributes,u=e.linkTags,d=e.metaTags,p=e.scriptTags,f={toComponent:function(){},toString:function(){return""}};if(e.prioritizeSeoTags){var h=function(e){var t=e.linkTags,n=e.scriptTags,r=e.encode,a=N(e.metaTags,v),o=N(t,y),i=N(n,b);return{priorityMethods:{toComponent:function(){return[].concat(F(g.META,a.priority),F(g.LINK,o.priority),F(g.SCRIPT,i.priority))},toString:function(){return M(g.META,a.priority,r)+" "+M(g.LINK,o.priority,r)+" "+M(g.SCRIPT,i.priority,r)}},metaTags:a.default,linkTags:o.default,scriptTags:i.default}}(e);f=h.priorityMethods,u=h.linkTags,d=h.metaTags,p=h.scriptTags}return{priority:f,base:M(g.BASE,t,r),bodyAttributes:M("bodyAttributes",n,r),htmlAttributes:M("htmlAttributes",a,r),link:M(g.LINK,u,r),meta:M(g.META,d,r),noscript:M(g.NOSCRIPT,o,r),script:M(g.SCRIPT,p,r),style:M(g.STYLE,i,r),title:M(g.TITLE,{title:l,titleAttributes:c},r)}},B=[],$=function(e,t){var n=this;void 0===t&&(t="undefined"!=typeof document),this.instances=[],this.value={setHelmet:function(e){n.context.helmet=e},helmetInstances:{get:function(){return n.canUseDOM?B:n.instances},add:function(e){(n.canUseDOM?B:n.instances).push(e)},remove:function(e){var t=(n.canUseDOM?B:n.instances).indexOf(e);(n.canUseDOM?B:n.instances).splice(t,1)}}},this.context=e,this.canUseDOM=t,t||(e.helmet=z({baseTag:[],bodyAttributes:{},encodeSpecialCharacters:!0,htmlAttributes:{},linkTags:[],metaTags:[],noscriptTags:[],scriptTags:[],styleTags:[],title:"",titleAttributes:{}}))},U=r.createContext({}),q=o().shape({setHelmet:o().func,helmetInstances:o().shape({get:o().func,add:o().func,remove:o().func})}),H="undefined"!=typeof document,Q=function(e){function t(n){var r;return(r=e.call(this,n)||this).helmetData=new $(r.props.context,t.canUseDOM),r}return f(t,e),t.prototype.render=function(){return r.createElement(U.Provider,{value:this.helmetData.value},this.props.children)},t}(r.Component);Q.canUseDOM=H,Q.propTypes={context:o().shape({helmet:o().shape()}),children:o().node.isRequired},Q.defaultProps={context:{}},Q.displayName="HelmetProvider";var Z=function(e,t){var n,r=document.head||document.querySelector(g.HEAD),a=r.querySelectorAll(e+"[data-rh]"),o=[].slice.call(a),i=[];return t&&t.length&&t.forEach((function(t){var r=document.createElement(e);for(var a in t)Object.prototype.hasOwnProperty.call(t,a)&&("innerHTML"===a?r.innerHTML=t.innerHTML:"cssText"===a?r.styleSheet?r.styleSheet.cssText=t.cssText:r.appendChild(document.createTextNode(t.cssText)):r.setAttribute(a,void 0===t[a]?"":t[a]));r.setAttribute("data-rh","true"),o.some((function(e,t){return n=t,r.isEqualNode(e)}))?o.splice(n,1):i.push(r)})),o.forEach((function(e){return e.parentNode.removeChild(e)})),i.forEach((function(e){return r.appendChild(e)})),{oldTags:o,newTags:i}},V=function(e,t){var n=document.getElementsByTagName(e)[0];if(n){for(var r=n.getAttribute("data-rh"),a=r?r.split(","):[],o=[].concat(a),i=Object.keys(t),s=0;s<i.length;s+=1){var l=i[s],c=t[l]||"";n.getAttribute(l)!==c&&n.setAttribute(l,c),-1===a.indexOf(l)&&a.push(l);var u=o.indexOf(l);-1!==u&&o.splice(u,1)}for(var d=o.length-1;d>=0;d-=1)n.removeAttribute(o[d]);a.length===o.length?n.removeAttribute("data-rh"):n.getAttribute("data-rh")!==i.join(",")&&n.setAttribute("data-rh",i.join(","))}},W=function(e,t){var n=e.baseTag,r=e.htmlAttributes,a=e.linkTags,o=e.metaTags,i=e.noscriptTags,s=e.onChangeClientState,l=e.scriptTags,c=e.styleTags,u=e.title,d=e.titleAttributes;V(g.BODY,e.bodyAttributes),V(g.HTML,r),function(e,t){void 0!==e&&document.title!==e&&(document.title=R(e)),V(g.TITLE,t)}(u,d);var p={baseTag:Z(g.BASE,n),linkTags:Z(g.LINK,a),metaTags:Z(g.META,o),noscriptTags:Z(g.NOSCRIPT,i),scriptTags:Z(g.SCRIPT,l),styleTags:Z(g.STYLE,c)},f={},h={};Object.keys(p).forEach((function(e){var t=p[e],n=t.newTags,r=t.oldTags;n.length&&(f[e]=n),r.length&&(h[e]=p[e].oldTags)})),t&&t(),s(e,f,h)},G=null,X=function(e){function t(){for(var t,n=arguments.length,r=new Array(n),a=0;a<n;a++)r[a]=arguments[a];return(t=e.call.apply(e,[this].concat(r))||this).rendered=!1,t}f(t,e);var n=t.prototype;return n.shouldComponentUpdate=function(e){return!d()(e,this.props)},n.componentDidUpdate=function(){this.emitChange()},n.componentWillUnmount=function(){this.props.context.helmetInstances.remove(this),this.emitChange()},n.emitChange=function(){var e,t,n=this.props.context,r=n.setHelmet,a=null,o=(e=n.helmetInstances.get().map((function(e){var t=p({},e.props);return delete t.context,t})),{baseTag:T(["href"],e),bodyAttributes:C("bodyAttributes",e),defer:S(e,"defer"),encode:S(e,"encodeSpecialCharacters"),htmlAttributes:C("htmlAttributes",e),linkTags:j(g.LINK,["rel","href"],e),metaTags:j(g.META,["name","charset","http-equiv","property","itemprop"],e),noscriptTags:j(g.NOSCRIPT,["innerHTML"],e),onChangeClientState:_(e),scriptTags:j(g.SCRIPT,["src","innerHTML"],e),styleTags:j(g.STYLE,["cssText"],e),title:E(e),titleAttributes:C("titleAttributes",e),prioritizeSeoTags:L(e,"prioritizeSeoTags")});Q.canUseDOM?(t=o,G&&cancelAnimationFrame(G),t.defer?G=requestAnimationFrame((function(){W(t,(function(){G=null}))})):(W(t),G=null)):z&&(a=z(o)),r(a)},n.init=function(){this.rendered||(this.rendered=!0,this.props.context.helmetInstances.add(this),this.emitChange())},n.render=function(){return this.init(),null},t}(r.Component);X.propTypes={context:q.isRequired},X.displayName="HelmetDispatcher";var K=["children"],Y=["children"],J=function(e){function t(){return e.apply(this,arguments)||this}f(t,e);var n=t.prototype;return n.shouldComponentUpdate=function(e){return!s()(P(this.props,"helmetData"),P(e,"helmetData"))},n.mapNestedChildrenToProps=function(e,t){if(!t)return null;switch(e.type){case g.SCRIPT:case g.NOSCRIPT:return{innerHTML:t};case g.STYLE:return{cssText:t};default:throw new Error("<"+e.type+" /> elements are self-closing and can not contain children. Refer to our API for more information.")}},n.flattenArrayTypeChildren=function(e){var t,n=e.child,r=e.arrayTypeChildren;return p({},r,((t={})[n.type]=[].concat(r[n.type]||[],[p({},e.newChildProps,this.mapNestedChildrenToProps(n,e.nestedChildren))]),t))},n.mapObjectTypeChildren=function(e){var t,n,r=e.child,a=e.newProps,o=e.newChildProps,i=e.nestedChildren;switch(r.type){case g.TITLE:return p({},a,((t={})[r.type]=i,t.titleAttributes=p({},o),t));case g.BODY:return p({},a,{bodyAttributes:p({},o)});case g.HTML:return p({},a,{htmlAttributes:p({},o)});default:return p({},a,((n={})[r.type]=p({},o),n))}},n.mapArrayTypeChildrenToProps=function(e,t){var n=p({},t);return Object.keys(e).forEach((function(t){var r;n=p({},n,((r={})[t]=e[t],r))})),n},n.warnOnInvalidChildren=function(e,t){return c()(w.some((function(t){return e.type===t})),"function"==typeof e.type?"You may be attempting to nest <Helmet> components within each other, which is not allowed. Refer to our API for more information.":"Only elements types "+w.join(", ")+" are allowed. Helmet does not support rendering <"+e.type+"> elements. Refer to our API for more information."),c()(!t||"string"==typeof t||Array.isArray(t)&&!t.some((function(e){return"string"!=typeof e})),"Helmet expects a string as a child of <"+e.type+">. Did you forget to wrap your children in braces? ( <"+e.type+">{``}</"+e.type+"> ) Refer to our API for more information."),!0},n.mapChildrenToProps=function(e,t){var n=this,a={};return r.Children.forEach(e,(function(e){if(e&&e.props){var r=e.props,o=r.children,i=m(r,K),s=Object.keys(i).reduce((function(e,t){return e[x[t]||t]=i[t],e}),{}),l=e.type;switch("symbol"==typeof l?l=l.toString():n.warnOnInvalidChildren(e,o),l){case g.FRAGMENT:t=n.mapChildrenToProps(o,t);break;case g.LINK:case g.META:case g.NOSCRIPT:case g.SCRIPT:case g.STYLE:a=n.flattenArrayTypeChildren({child:e,arrayTypeChildren:a,newChildProps:s,nestedChildren:o});break;default:t=n.mapObjectTypeChildren({child:e,newProps:t,newChildProps:s,nestedChildren:o})}}})),this.mapArrayTypeChildrenToProps(a,t)},n.render=function(){var e=this.props,t=e.children,n=m(e,Y),a=p({},n),o=n.helmetData;return t&&(a=this.mapChildrenToProps(t,a)),!o||o instanceof $||(o=new $(o.context,o.instances)),o?r.createElement(X,p({},a,{context:o.value,helmetData:void 0})):r.createElement(U.Consumer,null,(function(e){return r.createElement(X,p({},a,{context:e}))}))},t}(r.Component);J.propTypes={base:o().object,bodyAttributes:o().object,children:o().oneOfType([o().arrayOf(o().node),o().node]),defaultTitle:o().string,defer:o().bool,encodeSpecialCharacters:o().bool,htmlAttributes:o().object,link:o().arrayOf(o().object),meta:o().arrayOf(o().object),noscript:o().arrayOf(o().object),onChangeClientState:o().func,script:o().arrayOf(o().object),style:o().arrayOf(o().object),title:o().string,titleAttributes:o().object,titleTemplate:o().string,prioritizeSeoTags:o().bool,helmetData:o().object},J.defaultProps={defer:!0,encodeSpecialCharacters:!0,prioritizeSeoTags:!1},J.displayName="Helmet"},9921:(e,t)=>{"use strict";var n="function"==typeof Symbol&&Symbol.for,r=n?Symbol.for("react.element"):60103,a=n?Symbol.for("react.portal"):60106,o=n?Symbol.for("react.fragment"):60107,i=n?Symbol.for("react.strict_mode"):60108,s=n?Symbol.for("react.profiler"):60114,l=n?Symbol.for("react.provider"):60109,c=n?Symbol.for("react.context"):60110,u=n?Symbol.for("react.async_mode"):60111,d=n?Symbol.for("react.concurrent_mode"):60111,p=n?Symbol.for("react.forward_ref"):60112,f=n?Symbol.for("react.suspense"):60113,h=n?Symbol.for("react.suspense_list"):60120,m=n?Symbol.for("react.memo"):60115,g=n?Symbol.for("react.lazy"):60116,y=n?Symbol.for("react.block"):60121,b=n?Symbol.for("react.fundamental"):60117,v=n?Symbol.for("react.responder"):60118,w=n?Symbol.for("react.scope"):60119;function k(e){if("object"==typeof e&&null!==e){var t=e.$$typeof;switch(t){case r:switch(e=e.type){case u:case d:case o:case s:case i:case f:return e;default:switch(e=e&&e.$$typeof){case c:case p:case g:case m:case l:return e;default:return t}}case a:return t}}}function x(e){return k(e)===d}t.AsyncMode=u,t.ConcurrentMode=d,t.ContextConsumer=c,t.ContextProvider=l,t.Element=r,t.ForwardRef=p,t.Fragment=o,t.Lazy=g,t.Memo=m,t.Portal=a,t.Profiler=s,t.StrictMode=i,t.Suspense=f,t.isAsyncMode=function(e){return x(e)||k(e)===u},t.isConcurrentMode=x,t.isContextConsumer=function(e){return k(e)===c},t.isContextProvider=function(e){return k(e)===l},t.isElement=function(e){return"object"==typeof e&&null!==e&&e.$$typeof===r},t.isForwardRef=function(e){return k(e)===p},t.isFragment=function(e){return k(e)===o},t.isLazy=function(e){return k(e)===g},t.isMemo=function(e){return k(e)===m},t.isPortal=function(e){return k(e)===a},t.isProfiler=function(e){return k(e)===s},t.isStrictMode=function(e){return k(e)===i},t.isSuspense=function(e){return k(e)===f},t.isValidElementType=function(e){return"string"==typeof e||"function"==typeof e||e===o||e===d||e===s||e===i||e===f||e===h||"object"==typeof e&&null!==e&&(e.$$typeof===g||e.$$typeof===m||e.$$typeof===l||e.$$typeof===c||e.$$typeof===p||e.$$typeof===b||e.$$typeof===v||e.$$typeof===w||e.$$typeof===y)},t.typeOf=k},9864:(e,t,n)=>{"use strict";e.exports=n(9921)},8356:(e,t,n)=>{"use strict";function r(e,t){e.prototype=Object.create(t.prototype),e.prototype.constructor=e,e.__proto__=t}function a(e){if(void 0===e)throw new ReferenceError("this hasn't been initialised - super() hasn't been called");return e}function o(e,t,n){return t in e?Object.defineProperty(e,t,{value:n,enumerable:!0,configurable:!0,writable:!0}):e[t]=n,e}function i(){return i=Object.assign||function(e){for(var t=1;t<arguments.length;t++){var n=arguments[t];for(var r in n)Object.prototype.hasOwnProperty.call(n,r)&&(e[r]=n[r])}return e},i.apply(this,arguments)}var s=n(7294),l=[],c=[];var u=s.createContext(null);function d(e){var t=e(),n={loading:!0,loaded:null,error:null};return n.promise=t.then((function(e){return n.loading=!1,n.loaded=e,e})).catch((function(e){throw n.loading=!1,n.error=e,e})),n}function p(e){var t={loading:!1,loaded:{},error:null},n=[];try{Object.keys(e).forEach((function(r){var a=d(e[r]);a.loading?t.loading=!0:(t.loaded[r]=a.loaded,t.error=a.error),n.push(a.promise),a.promise.then((function(e){t.loaded[r]=e})).catch((function(e){t.error=e}))}))}catch(r){t.error=r}return t.promise=Promise.all(n).then((function(e){return t.loading=!1,e})).catch((function(e){throw t.loading=!1,e})),t}function f(e,t){return s.createElement((n=e)&&n.__esModule?n.default:n,t);var n}function h(e,t){var d,p;if(!t.loading)throw new Error("react-loadable requires a `loading` component");var h=i({loader:null,loading:null,delay:200,timeout:null,render:f,webpack:null,modules:null},t),m=null;function g(){return m||(m=e(h.loader)),m.promise}return l.push(g),"function"==typeof h.webpack&&c.push((function(){if((0,h.webpack)().every((function(e){return void 0!==e&&void 0!==n.m[e]})))return g()})),p=d=function(t){function n(n){var r;return o(a(a(r=t.call(this,n)||this)),"retry",(function(){r.setState({error:null,loading:!0,timedOut:!1}),m=e(h.loader),r._loadModule()})),g(),r.state={error:m.error,pastDelay:!1,timedOut:!1,loading:m.loading,loaded:m.loaded},r}r(n,t),n.preload=function(){return g()};var i=n.prototype;return i.UNSAFE_componentWillMount=function(){this._loadModule()},i.componentDidMount=function(){this._mounted=!0},i._loadModule=function(){var e=this;if(this.context&&Array.isArray(h.modules)&&h.modules.forEach((function(t){e.context.report(t)})),m.loading){var t=function(t){e._mounted&&e.setState(t)};"number"==typeof h.delay&&(0===h.delay?this.setState({pastDelay:!0}):this._delay=setTimeout((function(){t({pastDelay:!0})}),h.delay)),"number"==typeof h.timeout&&(this._timeout=setTimeout((function(){t({timedOut:!0})}),h.timeout));var n=function(){t({error:m.error,loaded:m.loaded,loading:m.loading}),e._clearTimeouts()};m.promise.then((function(){return n(),null})).catch((function(e){return n(),null}))}},i.componentWillUnmount=function(){this._mounted=!1,this._clearTimeouts()},i._clearTimeouts=function(){clearTimeout(this._delay),clearTimeout(this._timeout)},i.render=function(){return this.state.loading||this.state.error?s.createElement(h.loading,{isLoading:this.state.loading,pastDelay:this.state.pastDelay,timedOut:this.state.timedOut,error:this.state.error,retry:this.retry}):this.state.loaded?h.render(this.state.loaded,this.props):null},n}(s.Component),o(d,"contextType",u),p}function m(e){return h(d,e)}m.Map=function(e){if("function"!=typeof e.render)throw new Error("LoadableMap requires a `render(loaded, props)` function");return h(p,e)};var g=function(e){function t(){return e.apply(this,arguments)||this}return r(t,e),t.prototype.render=function(){return s.createElement(u.Provider,{value:{report:this.props.report}},s.Children.only(this.props.children))},t}(s.Component);function y(e){for(var t=[];e.length;){var n=e.pop();t.push(n())}return Promise.all(t).then((function(){if(e.length)return y(e)}))}m.Capture=g,m.preloadAll=function(){return new Promise((function(e,t){y(l).then(e,t)}))},m.preloadReady=function(){return new Promise((function(e,t){y(c).then(e,e)}))},e.exports=m},8790:(e,t,n)=>{"use strict";n.d(t,{H:()=>s,f:()=>i});var r=n(6550),a=n(7462),o=n(7294);function i(e,t,n){return void 0===n&&(n=[]),e.some((function(e){var a=e.path?(0,r.LX)(t,e):n.length?n[n.length-1].match:r.F0.computeRootMatch(t);return a&&(n.push({route:e,match:a}),e.routes&&i(e.routes,t,n)),a})),n}function s(e,t,n){return void 0===t&&(t={}),void 0===n&&(n={}),e?o.createElement(r.rs,n,e.map((function(e,n){return o.createElement(r.AW,{key:e.key||n,path:e.path,exact:e.exact,strict:e.strict,render:function(n){return e.render?e.render((0,a.Z)({},n,{},t,{route:e})):o.createElement(e.component,(0,a.Z)({},n,t,{route:e}))}})}))):null}},3727:(e,t,n)=>{"use strict";n.d(t,{OL:()=>w,UT:()=>d,VK:()=>u,rU:()=>y});var r=n(6550),a=n(5068),o=n(7294),i=n(9318),s=n(7462),l=n(3366),c=n(8776),u=function(e){function t(){for(var t,n=arguments.length,r=new Array(n),a=0;a<n;a++)r[a]=arguments[a];return(t=e.call.apply(e,[this].concat(r))||this).history=(0,i.lX)(t.props),t}return(0,a.Z)(t,e),t.prototype.render=function(){return o.createElement(r.F0,{history:this.history,children:this.props.children})},t}(o.Component);var d=function(e){function t(){for(var t,n=arguments.length,r=new Array(n),a=0;a<n;a++)r[a]=arguments[a];return(t=e.call.apply(e,[this].concat(r))||this).history=(0,i.q_)(t.props),t}return(0,a.Z)(t,e),t.prototype.render=function(){return o.createElement(r.F0,{history:this.history,children:this.props.children})},t}(o.Component);var p=function(e,t){return"function"==typeof e?e(t):e},f=function(e,t){return"string"==typeof e?(0,i.ob)(e,null,null,t):e},h=function(e){return e},m=o.forwardRef;void 0===m&&(m=h);var g=m((function(e,t){var n=e.innerRef,r=e.navigate,a=e.onClick,i=(0,l.Z)(e,["innerRef","navigate","onClick"]),c=i.target,u=(0,s.Z)({},i,{onClick:function(e){try{a&&a(e)}catch(t){throw e.preventDefault(),t}e.defaultPrevented||0!==e.button||c&&"_self"!==c||function(e){return!!(e.metaKey||e.altKey||e.ctrlKey||e.shiftKey)}(e)||(e.preventDefault(),r())}});return u.ref=h!==m&&t||n,o.createElement("a",u)}));var y=m((function(e,t){var n=e.component,a=void 0===n?g:n,u=e.replace,d=e.to,y=e.innerRef,b=(0,l.Z)(e,["component","replace","to","innerRef"]);return o.createElement(r.s6.Consumer,null,(function(e){e||(0,c.Z)(!1);var n=e.history,r=f(p(d,e.location),e.location),l=r?n.createHref(r):"",g=(0,s.Z)({},b,{href:l,navigate:function(){var t=p(d,e.location),r=(0,i.Ep)(e.location)===(0,i.Ep)(f(t));(u||r?n.replace:n.push)(t)}});return h!==m?g.ref=t||y:g.innerRef=y,o.createElement(a,g)}))})),b=function(e){return e},v=o.forwardRef;void 0===v&&(v=b);var w=v((function(e,t){var n=e["aria-current"],a=void 0===n?"page":n,i=e.activeClassName,u=void 0===i?"active":i,d=e.activeStyle,h=e.className,m=e.exact,g=e.isActive,w=e.location,k=e.sensitive,x=e.strict,S=e.style,E=e.to,_=e.innerRef,C=(0,l.Z)(e,["aria-current","activeClassName","activeStyle","className","exact","isActive","location","sensitive","strict","style","to","innerRef"]);return o.createElement(r.s6.Consumer,null,(function(e){e||(0,c.Z)(!1);var n=w||e.location,i=f(p(E,n),n),l=i.pathname,T=l&&l.replace(/([.+*?=^!:${}()[\]|/\\])/g,"\\$1"),j=T?(0,r.LX)(n.pathname,{path:T,exact:m,sensitive:k,strict:x}):null,L=!!(g?g(j,n):j),R="function"==typeof h?h(L):h,N="function"==typeof S?S(L):S;L&&(R=function(){for(var e=arguments.length,t=new Array(e),n=0;n<e;n++)t[n]=arguments[n];return t.filter((function(e){return e})).join(" ")}(R,u),N=(0,s.Z)({},N,d));var P=(0,s.Z)({"aria-current":L&&a||null,className:R,style:N,to:i},C);return b!==v?P.ref=t||_:P.innerRef=_,o.createElement(y,P)}))}))},6550:(e,t,n)=>{"use strict";n.d(t,{AW:()=>E,F0:()=>v,LX:()=>S,TH:()=>A,k6:()=>P,rs:()=>R,s6:()=>b});var r=n(5068),a=n(7294),o=n(5697),i=n.n(o),s=n(9318),l=n(8776),c=n(7462),u=n(9658),d=n.n(u),p=(n(9864),n(3366)),f=(n(8679),1073741823),h="undefined"!=typeof globalThis?globalThis:"undefined"!=typeof window?window:void 0!==n.g?n.g:{};var m=a.createContext||function(e,t){var n,o,s="__create-react-context-"+function(){var e="__global_unique_id__";return h[e]=(h[e]||0)+1}()+"__",l=function(e){function n(){for(var t,n,r,a=arguments.length,o=new Array(a),i=0;i<a;i++)o[i]=arguments[i];return(t=e.call.apply(e,[this].concat(o))||this).emitter=(n=t.props.value,r=[],{on:function(e){r.push(e)},off:function(e){r=r.filter((function(t){return t!==e}))},get:function(){return n},set:function(e,t){n=e,r.forEach((function(e){return e(n,t)}))}}),t}(0,r.Z)(n,e);var a=n.prototype;return a.getChildContext=function(){var e;return(e={})[s]=this.emitter,e},a.componentWillReceiveProps=function(e){if(this.props.value!==e.value){var n,r=this.props.value,a=e.value;((o=r)===(i=a)?0!==o||1/o==1/i:o!=o&&i!=i)?n=0:(n="function"==typeof t?t(r,a):f,0!==(n|=0)&&this.emitter.set(e.value,n))}var o,i},a.render=function(){return this.props.children},n}(a.Component);l.childContextTypes=((n={})[s]=i().object.isRequired,n);var c=function(t){function n(){for(var e,n=arguments.length,r=new Array(n),a=0;a<n;a++)r[a]=arguments[a];return(e=t.call.apply(t,[this].concat(r))||this).observedBits=void 0,e.state={value:e.getValue()},e.onUpdate=function(t,n){0!=((0|e.observedBits)&n)&&e.setState({value:e.getValue()})},e}(0,r.Z)(n,t);var a=n.prototype;return a.componentWillReceiveProps=function(e){var t=e.observedBits;this.observedBits=null==t?f:t},a.componentDidMount=function(){this.context[s]&&this.context[s].on(this.onUpdate);var e=this.props.observedBits;this.observedBits=null==e?f:e},a.componentWillUnmount=function(){this.context[s]&&this.context[s].off(this.onUpdate)},a.getValue=function(){return this.context[s]?this.context[s].get():e},a.render=function(){return(e=this.props.children,Array.isArray(e)?e[0]:e)(this.state.value);var e},n}(a.Component);return c.contextTypes=((o={})[s]=i().object,o),{Provider:l,Consumer:c}},g=function(e){var t=m();return t.displayName=e,t},y=g("Router-History"),b=g("Router"),v=function(e){function t(t){var n;return(n=e.call(this,t)||this).state={location:t.history.location},n._isMounted=!1,n._pendingLocation=null,t.staticContext||(n.unlisten=t.history.listen((function(e){n._pendingLocation=e}))),n}(0,r.Z)(t,e),t.computeRootMatch=function(e){return{path:"/",url:"/",params:{},isExact:"/"===e}};var n=t.prototype;return n.componentDidMount=function(){var e=this;this._isMounted=!0,this.unlisten&&this.unlisten(),this.props.staticContext||(this.unlisten=this.props.history.listen((function(t){e._isMounted&&e.setState({location:t})}))),this._pendingLocation&&this.setState({location:this._pendingLocation})},n.componentWillUnmount=function(){this.unlisten&&(this.unlisten(),this._isMounted=!1,this._pendingLocation=null)},n.render=function(){return a.createElement(b.Provider,{value:{history:this.props.history,location:this.state.location,match:t.computeRootMatch(this.state.location.pathname),staticContext:this.props.staticContext}},a.createElement(y.Provider,{children:this.props.children||null,value:this.props.history}))},t}(a.Component);a.Component;a.Component;var w={},k=1e4,x=0;function S(e,t){void 0===t&&(t={}),("string"==typeof t||Array.isArray(t))&&(t={path:t});var n=t,r=n.path,a=n.exact,o=void 0!==a&&a,i=n.strict,s=void 0!==i&&i,l=n.sensitive,c=void 0!==l&&l;return[].concat(r).reduce((function(t,n){if(!n&&""!==n)return null;if(t)return t;var r=function(e,t){var n=""+t.end+t.strict+t.sensitive,r=w[n]||(w[n]={});if(r[e])return r[e];var a=[],o={regexp:d()(e,a,t),keys:a};return x<k&&(r[e]=o,x++),o}(n,{end:o,strict:s,sensitive:c}),a=r.regexp,i=r.keys,l=a.exec(e);if(!l)return null;var u=l[0],p=l.slice(1),f=e===u;return o&&!f?null:{path:n,url:"/"===n&&""===u?"/":u,isExact:f,params:i.reduce((function(e,t,n){return e[t.name]=p[n],e}),{})}}),null)}var E=function(e){function t(){return e.apply(this,arguments)||this}return(0,r.Z)(t,e),t.prototype.render=function(){var e=this;return a.createElement(b.Consumer,null,(function(t){t||(0,l.Z)(!1);var n=e.props.location||t.location,r=e.props.computedMatch?e.props.computedMatch:e.props.path?S(n.pathname,e.props):t.match,o=(0,c.Z)({},t,{location:n,match:r}),i=e.props,s=i.children,u=i.component,d=i.render;return Array.isArray(s)&&function(e){return 0===a.Children.count(e)}(s)&&(s=null),a.createElement(b.Provider,{value:o},o.match?s?"function"==typeof s?s(o):s:u?a.createElement(u,o):d?d(o):null:"function"==typeof s?s(o):null)}))},t}(a.Component);function _(e){return"/"===e.charAt(0)?e:"/"+e}function C(e,t){if(!e)return t;var n=_(e);return 0!==t.pathname.indexOf(n)?t:(0,c.Z)({},t,{pathname:t.pathname.substr(n.length)})}function T(e){return"string"==typeof e?e:(0,s.Ep)(e)}function j(e){return function(){(0,l.Z)(!1)}}function L(){}a.Component;var R=function(e){function t(){return e.apply(this,arguments)||this}return(0,r.Z)(t,e),t.prototype.render=function(){var e=this;return a.createElement(b.Consumer,null,(function(t){t||(0,l.Z)(!1);var n,r,o=e.props.location||t.location;return a.Children.forEach(e.props.children,(function(e){if(null==r&&a.isValidElement(e)){n=e;var i=e.props.path||e.props.from;r=i?S(o.pathname,(0,c.Z)({},e.props,{path:i})):t.match}})),r?a.cloneElement(n,{location:o,computedMatch:r}):null}))},t}(a.Component);var N=a.useContext;function P(){return N(y)}function A(){return N(b).location}},9658:(e,t,n)=>{var r=n(5826);e.exports=f,e.exports.parse=o,e.exports.compile=function(e,t){return s(o(e,t),t)},e.exports.tokensToFunction=s,e.exports.tokensToRegExp=p;var a=new RegExp(["(\\\\.)","([\\/.])?(?:(?:\\:(\\w+)(?:\\(((?:\\\\.|[^\\\\()])+)\\))?|\\(((?:\\\\.|[^\\\\()])+)\\))([+*?])?|(\\*))"].join("|"),"g");function o(e,t){for(var n,r=[],o=0,i=0,s="",u=t&&t.delimiter||"/";null!=(n=a.exec(e));){var d=n[0],p=n[1],f=n.index;if(s+=e.slice(i,f),i=f+d.length,p)s+=p[1];else{var h=e[i],m=n[2],g=n[3],y=n[4],b=n[5],v=n[6],w=n[7];s&&(r.push(s),s="");var k=null!=m&&null!=h&&h!==m,x="+"===v||"*"===v,S="?"===v||"*"===v,E=n[2]||u,_=y||b;r.push({name:g||o++,prefix:m||"",delimiter:E,optional:S,repeat:x,partial:k,asterisk:!!w,pattern:_?c(_):w?".*":"[^"+l(E)+"]+?"})}}return i<e.length&&(s+=e.substr(i)),s&&r.push(s),r}function i(e){return encodeURI(e).replace(/[\/?#]/g,(function(e){return"%"+e.charCodeAt(0).toString(16).toUpperCase()}))}function s(e,t){for(var n=new Array(e.length),a=0;a<e.length;a++)"object"==typeof e[a]&&(n[a]=new RegExp("^(?:"+e[a].pattern+")$",d(t)));return function(t,a){for(var o="",s=t||{},l=(a||{}).pretty?i:encodeURIComponent,c=0;c<e.length;c++){var u=e[c];if("string"!=typeof u){var d,p=s[u.name];if(null==p){if(u.optional){u.partial&&(o+=u.prefix);continue}throw new TypeError('Expected "'+u.name+'" to be defined')}if(r(p)){if(!u.repeat)throw new TypeError('Expected "'+u.name+'" to not repeat, but received `'+JSON.stringify(p)+"`");if(0===p.length){if(u.optional)continue;throw new TypeError('Expected "'+u.name+'" to not be empty')}for(var f=0;f<p.length;f++){if(d=l(p[f]),!n[c].test(d))throw new TypeError('Expected all "'+u.name+'" to match "'+u.pattern+'", but received `'+JSON.stringify(d)+"`");o+=(0===f?u.prefix:u.delimiter)+d}}else{if(d=u.asterisk?encodeURI(p).replace(/[?#]/g,(function(e){return"%"+e.charCodeAt(0).toString(16).toUpperCase()})):l(p),!n[c].test(d))throw new TypeError('Expected "'+u.name+'" to match "'+u.pattern+'", but received "'+d+'"');o+=u.prefix+d}}else o+=u}return o}}function l(e){return e.replace(/([.+*?=^!:${}()[\]|\/\\])/g,"\\$1")}function c(e){return e.replace(/([=!:$\/()])/g,"\\$1")}function u(e,t){return e.keys=t,e}function d(e){return e&&e.sensitive?"":"i"}function p(e,t,n){r(t)||(n=t||n,t=[]);for(var a=(n=n||{}).strict,o=!1!==n.end,i="",s=0;s<e.length;s++){var c=e[s];if("string"==typeof c)i+=l(c);else{var p=l(c.prefix),f="(?:"+c.pattern+")";t.push(c),c.repeat&&(f+="(?:"+p+f+")*"),i+=f=c.optional?c.partial?p+"("+f+")?":"(?:"+p+"("+f+"))?":p+"("+f+")"}}var h=l(n.delimiter||"/"),m=i.slice(-h.length)===h;return a||(i=(m?i.slice(0,-h.length):i)+"(?:"+h+"(?=$))?"),i+=o?"$":a&&m?"":"(?="+h+"|$)",u(new RegExp("^"+i,d(n)),t)}function f(e,t,n){return r(t)||(n=t||n,t=[]),n=n||{},e instanceof RegExp?function(e,t){var n=e.source.match(/\((?!\?)/g);if(n)for(var r=0;r<n.length;r++)t.push({name:r,prefix:null,delimiter:null,optional:!1,repeat:!1,partial:!1,asterisk:!1,pattern:null});return u(e,t)}(e,t):r(e)?function(e,t,n){for(var r=[],a=0;a<e.length;a++)r.push(f(e[a],t,n).source);return u(new RegExp("(?:"+r.join("|")+")",d(n)),t)}(e,t,n):function(e,t,n){return p(o(e,n),t,n)}(e,t,n)}},5251:(e,t,n)=>{"use strict";var r=n(7294),a=Symbol.for("react.element"),o=Symbol.for("react.fragment"),i=Object.prototype.hasOwnProperty,s=r.__SECRET_INTERNALS_DO_NOT_USE_OR_YOU_WILL_BE_FIRED.ReactCurrentOwner,l={key:!0,ref:!0,__self:!0,__source:!0};function c(e,t,n){var r,o={},c=null,u=null;for(r in void 0!==n&&(c=""+n),void 0!==t.key&&(c=""+t.key),void 0!==t.ref&&(u=t.ref),t)i.call(t,r)&&!l.hasOwnProperty(r)&&(o[r]=t[r]);if(e&&e.defaultProps)for(r in t=e.defaultProps)void 0===o[r]&&(o[r]=t[r]);return{$$typeof:a,type:e,key:c,ref:u,props:o,_owner:s.current}}t.Fragment=o,t.jsx=c,t.jsxs=c},2408:(e,t)=>{"use strict";var n=Symbol.for("react.element"),r=Symbol.for("react.portal"),a=Symbol.for("react.fragment"),o=Symbol.for("react.strict_mode"),i=Symbol.for("react.profiler"),s=Symbol.for("react.provider"),l=Symbol.for("react.context"),c=Symbol.for("react.forward_ref"),u=Symbol.for("react.suspense"),d=Symbol.for("react.memo"),p=Symbol.for("react.lazy"),f=Symbol.iterator;var h={isMounted:function(){return!1},enqueueForceUpdate:function(){},enqueueReplaceState:function(){},enqueueSetState:function(){}},m=Object.assign,g={};function y(e,t,n){this.props=e,this.context=t,this.refs=g,this.updater=n||h}function b(){}function v(e,t,n){this.props=e,this.context=t,this.refs=g,this.updater=n||h}y.prototype.isReactComponent={},y.prototype.setState=function(e,t){if("object"!=typeof e&&"function"!=typeof e&&null!=e)throw Error("setState(...): takes an object of state variables to update or a function which returns an object of state variables.");this.updater.enqueueSetState(this,e,t,"setState")},y.prototype.forceUpdate=function(e){this.updater.enqueueForceUpdate(this,e,"forceUpdate")},b.prototype=y.prototype;var w=v.prototype=new b;w.constructor=v,m(w,y.prototype),w.isPureReactComponent=!0;var k=Array.isArray,x=Object.prototype.hasOwnProperty,S={current:null},E={key:!0,ref:!0,__self:!0,__source:!0};function _(e,t,r){var a,o={},i=null,s=null;if(null!=t)for(a in void 0!==t.ref&&(s=t.ref),void 0!==t.key&&(i=""+t.key),t)x.call(t,a)&&!E.hasOwnProperty(a)&&(o[a]=t[a]);var l=arguments.length-2;if(1===l)o.children=r;else if(1<l){for(var c=Array(l),u=0;u<l;u++)c[u]=arguments[u+2];o.children=c}if(e&&e.defaultProps)for(a in l=e.defaultProps)void 0===o[a]&&(o[a]=l[a]);return{$$typeof:n,type:e,key:i,ref:s,props:o,_owner:S.current}}function C(e){return"object"==typeof e&&null!==e&&e.$$typeof===n}var T=/\/+/g;function j(e,t){return"object"==typeof e&&null!==e&&null!=e.key?function(e){var t={"=":"=0",":":"=2"};return"$"+e.replace(/[=:]/g,(function(e){return t[e]}))}(""+e.key):t.toString(36)}function L(e,t,a,o,i){var s=typeof e;"undefined"!==s&&"boolean"!==s||(e=null);var l=!1;if(null===e)l=!0;else switch(s){case"string":case"number":l=!0;break;case"object":switch(e.$$typeof){case n:case r:l=!0}}if(l)return i=i(l=e),e=""===o?"."+j(l,0):o,k(i)?(a="",null!=e&&(a=e.replace(T,"$&/")+"/"),L(i,t,a,"",(function(e){return e}))):null!=i&&(C(i)&&(i=function(e,t){return{$$typeof:n,type:e.type,key:t,ref:e.ref,props:e.props,_owner:e._owner}}(i,a+(!i.key||l&&l.key===i.key?"":(""+i.key).replace(T,"$&/")+"/")+e)),t.push(i)),1;if(l=0,o=""===o?".":o+":",k(e))for(var c=0;c<e.length;c++){var u=o+j(s=e[c],c);l+=L(s,t,a,u,i)}else if(u=function(e){return null===e||"object"!=typeof e?null:"function"==typeof(e=f&&e[f]||e["@@iterator"])?e:null}(e),"function"==typeof u)for(e=u.call(e),c=0;!(s=e.next()).done;)l+=L(s=s.value,t,a,u=o+j(s,c++),i);else if("object"===s)throw t=String(e),Error("Objects are not valid as a React child (found: "+("[object Object]"===t?"object with keys {"+Object.keys(e).join(", ")+"}":t)+"). If you meant to render a collection of children, use an array instead.");return l}function R(e,t,n){if(null==e)return e;var r=[],a=0;return L(e,r,"","",(function(e){return t.call(n,e,a++)})),r}function N(e){if(-1===e._status){var t=e._result;(t=t()).then((function(t){0!==e._status&&-1!==e._status||(e._status=1,e._result=t)}),(function(t){0!==e._status&&-1!==e._status||(e._status=2,e._result=t)})),-1===e._status&&(e._status=0,e._result=t)}if(1===e._status)return e._result.default;throw e._result}var P={current:null},A={transition:null},O={ReactCurrentDispatcher:P,ReactCurrentBatchConfig:A,ReactCurrentOwner:S};function I(){throw Error("act(...) is not supported in production builds of React.")}t.Children={map:R,forEach:function(e,t,n){R(e,(function(){t.apply(this,arguments)}),n)},count:function(e){var t=0;return R(e,(function(){t++})),t},toArray:function(e){return R(e,(function(e){return e}))||[]},only:function(e){if(!C(e))throw Error("React.Children.only expected to receive a single React element child.");return e}},t.Component=y,t.Fragment=a,t.Profiler=i,t.PureComponent=v,t.StrictMode=o,t.Suspense=u,t.__SECRET_INTERNALS_DO_NOT_USE_OR_YOU_WILL_BE_FIRED=O,t.act=I,t.cloneElement=function(e,t,r){if(null==e)throw Error("React.cloneElement(...): The argument must be a React element, but you passed "+e+".");var a=m({},e.props),o=e.key,i=e.ref,s=e._owner;if(null!=t){if(void 0!==t.ref&&(i=t.ref,s=S.current),void 0!==t.key&&(o=""+t.key),e.type&&e.type.defaultProps)var l=e.type.defaultProps;for(c in t)x.call(t,c)&&!E.hasOwnProperty(c)&&(a[c]=void 0===t[c]&&void 0!==l?l[c]:t[c])}var c=arguments.length-2;if(1===c)a.children=r;else if(1<c){l=Array(c);for(var u=0;u<c;u++)l[u]=arguments[u+2];a.children=l}return{$$typeof:n,type:e.type,key:o,ref:i,props:a,_owner:s}},t.createContext=function(e){return(e={$$typeof:l,_currentValue:e,_currentValue2:e,_threadCount:0,Provider:null,Consumer:null,_defaultValue:null,_globalName:null}).Provider={$$typeof:s,_context:e},e.Consumer=e},t.createElement=_,t.createFactory=function(e){var t=_.bind(null,e);return t.type=e,t},t.createRef=function(){return{current:null}},t.forwardRef=function(e){return{$$typeof:c,render:e}},t.isValidElement=C,t.lazy=function(e){return{$$typeof:p,_payload:{_status:-1,_result:e},_init:N}},t.memo=function(e,t){return{$$typeof:d,type:e,compare:void 0===t?null:t}},t.startTransition=function(e){var t=A.transition;A.transition={};try{e()}finally{A.transition=t}},t.unstable_act=I,t.useCallback=function(e,t){return P.current.useCallback(e,t)},t.useContext=function(e){return P.current.useContext(e)},t.useDebugValue=function(){},t.useDeferredValue=function(e){return P.current.useDeferredValue(e)},t.useEffect=function(e,t){return P.current.useEffect(e,t)},t.useId=function(){return P.current.useId()},t.useImperativeHandle=function(e,t,n){return P.current.useImperativeHandle(e,t,n)},t.useInsertionEffect=function(e,t){return P.current.useInsertionEffect(e,t)},t.useLayoutEffect=function(e,t){return P.current.useLayoutEffect(e,t)},t.useMemo=function(e,t){return P.current.useMemo(e,t)},t.useReducer=function(e,t,n){return P.current.useReducer(e,t,n)},t.useRef=function(e){return P.current.useRef(e)},t.useState=function(e){return P.current.useState(e)},t.useSyncExternalStore=function(e,t,n){return P.current.useSyncExternalStore(e,t,n)},t.useTransition=function(){return P.current.useTransition()},t.version="18.3.1"},7294:(e,t,n)=>{"use strict";e.exports=n(2408)},5893:(e,t,n)=>{"use strict";e.exports=n(5251)},53:(e,t)=>{"use strict";function n(e,t){var n=e.length;e.push(t);e:for(;0<n;){var r=n-1>>>1,a=e[r];if(!(0<o(a,t)))break e;e[r]=t,e[n]=a,n=r}}function r(e){return 0===e.length?null:e[0]}function a(e){if(0===e.length)return null;var t=e[0],n=e.pop();if(n!==t){e[0]=n;e:for(var r=0,a=e.length,i=a>>>1;r<i;){var s=2*(r+1)-1,l=e[s],c=s+1,u=e[c];if(0>o(l,n))c<a&&0>o(u,l)?(e[r]=u,e[c]=n,r=c):(e[r]=l,e[s]=n,r=s);else{if(!(c<a&&0>o(u,n)))break e;e[r]=u,e[c]=n,r=c}}}return t}function o(e,t){var n=e.sortIndex-t.sortIndex;return 0!==n?n:e.id-t.id}if("object"==typeof performance&&"function"==typeof performance.now){var i=performance;t.unstable_now=function(){return i.now()}}else{var s=Date,l=s.now();t.unstable_now=function(){return s.now()-l}}var c=[],u=[],d=1,p=null,f=3,h=!1,m=!1,g=!1,y="function"==typeof setTimeout?setTimeout:null,b="function"==typeof clearTimeout?clearTimeout:null,v="undefined"!=typeof setImmediate?setImmediate:null;function w(e){for(var t=r(u);null!==t;){if(null===t.callback)a(u);else{if(!(t.startTime<=e))break;a(u),t.sortIndex=t.expirationTime,n(c,t)}t=r(u)}}function k(e){if(g=!1,w(e),!m)if(null!==r(c))m=!0,A(x);else{var t=r(u);null!==t&&O(k,t.startTime-e)}}function x(e,n){m=!1,g&&(g=!1,b(C),C=-1),h=!0;var o=f;try{for(w(n),p=r(c);null!==p&&(!(p.expirationTime>n)||e&&!L());){var i=p.callback;if("function"==typeof i){p.callback=null,f=p.priorityLevel;var s=i(p.expirationTime<=n);n=t.unstable_now(),"function"==typeof s?p.callback=s:p===r(c)&&a(c),w(n)}else a(c);p=r(c)}if(null!==p)var l=!0;else{var d=r(u);null!==d&&O(k,d.startTime-n),l=!1}return l}finally{p=null,f=o,h=!1}}"undefined"!=typeof navigator&&void 0!==navigator.scheduling&&void 0!==navigator.scheduling.isInputPending&&navigator.scheduling.isInputPending.bind(navigator.scheduling);var S,E=!1,_=null,C=-1,T=5,j=-1;function L(){return!(t.unstable_now()-j<T)}function R(){if(null!==_){var e=t.unstable_now();j=e;var n=!0;try{n=_(!0,e)}finally{n?S():(E=!1,_=null)}}else E=!1}if("function"==typeof v)S=function(){v(R)};else if("undefined"!=typeof MessageChannel){var N=new MessageChannel,P=N.port2;N.port1.onmessage=R,S=function(){P.postMessage(null)}}else S=function(){y(R,0)};function A(e){_=e,E||(E=!0,S())}function O(e,n){C=y((function(){e(t.unstable_now())}),n)}t.unstable_IdlePriority=5,t.unstable_ImmediatePriority=1,t.unstable_LowPriority=4,t.unstable_NormalPriority=3,t.unstable_Profiling=null,t.unstable_UserBlockingPriority=2,t.unstable_cancelCallback=function(e){e.callback=null},t.unstable_continueExecution=function(){m||h||(m=!0,A(x))},t.unstable_forceFrameRate=function(e){0>e||125<e?console.error("forceFrameRate takes a positive int between 0 and 125, forcing frame rates higher than 125 fps is not supported"):T=0<e?Math.floor(1e3/e):5},t.unstable_getCurrentPriorityLevel=function(){return f},t.unstable_getFirstCallbackNode=function(){return r(c)},t.unstable_next=function(e){switch(f){case 1:case 2:case 3:var t=3;break;default:t=f}var n=f;f=t;try{return e()}finally{f=n}},t.unstable_pauseExecution=function(){},t.unstable_requestPaint=function(){},t.unstable_runWithPriority=function(e,t){switch(e){case 1:case 2:case 3:case 4:case 5:break;default:e=3}var n=f;f=e;try{return t()}finally{f=n}},t.unstable_scheduleCallback=function(e,a,o){var i=t.unstable_now();switch("object"==typeof o&&null!==o?o="number"==typeof(o=o.delay)&&0<o?i+o:i:o=i,e){case 1:var s=-1;break;case 2:s=250;break;case 5:s=1073741823;break;case 4:s=1e4;break;default:s=5e3}return e={id:d++,callback:a,priorityLevel:e,startTime:o,expirationTime:s=o+s,sortIndex:-1},o>i?(e.sortIndex=o,n(u,e),null===r(c)&&e===r(u)&&(g?(b(C),C=-1):g=!0,O(k,o-i))):(e.sortIndex=s,n(c,e),m||h||(m=!0,A(x))),e},t.unstable_shouldYield=L,t.unstable_wrapCallback=function(e){var t=f;return function(){var n=f;f=t;try{return e.apply(this,arguments)}finally{f=n}}}},3840:(e,t,n)=>{"use strict";e.exports=n(53)},6774:e=>{e.exports=function(e,t,n,r){var a=n?n.call(r,e,t):void 0;if(void 0!==a)return!!a;if(e===t)return!0;if("object"!=typeof e||!e||"object"!=typeof t||!t)return!1;var o=Object.keys(e),i=Object.keys(t);if(o.length!==i.length)return!1;for(var s=Object.prototype.hasOwnProperty.bind(t),l=0;l<o.length;l++){var c=o[l];if(!s(c))return!1;var u=e[c],d=t[c];if(!1===(a=n?n.call(r,u,d,c):void 0)||void 0===a&&u!==d)return!1}return!0}},6809:(e,t,n)=>{"use strict";n.d(t,{default:()=>r});const r={title:"K3s",tagline:"",url:"https://docs.k3s.io",baseUrl:"/",onBrokenLinks:"throw",onBrokenMarkdownLinks:"warn",favicon:"img/favicon.ico",organizationName:"k3s-io",projectName:"docs",trailingSlash:!1,markdown:{mermaid:!0,format:"mdx",mdx1Compat:{comments:!0,admonitions:!0,headingIds:!0},anchors:{maintainCase:!1}},themes:["@docusaurus/theme-mermaid",["@easyops-cn/docusaurus-search-local",{docsRouteBasePath:"/",hashed:!0,highlightSearchTermsOnTargetPage:!0,indexBlog:!1,ignoreFiles:[{}]}]],i18n:{defaultLocale:"en",locales:["en","zh","kr"],localeConfigs:{en:{label:"English",direction:"ltr"},zh:{label:"\u7b80\u4f53\u4e2d\u6587",direction:"ltr"},kr:{label:"\ud55c\uad6d\uc5b4",direction:"ltr"}},path:"i18n"},themeConfig:{colorMode:{defaultMode:"light",respectPrefersColorScheme:!0,disableSwitch:!1},navbar:{title:"",logo:{alt:"logo",src:"img/k3s-logo-light.svg",srcDark:"img/k3s-logo-dark.svg"},items:[{type:"search",position:"right"},{type:"localeDropdown",position:"right",dropdownItemsBefore:[],dropdownItemsAfter:[]},{to:"https://github.com/k3s-io/k3s/",label:"GitHub",position:"right",className:"navbar__github btn"}],hideOnScroll:!1},footer:{style:"dark",links:[],copyright:'Copyright \xa9 2024 K3s Project Authors. All rights reserved. <br>The Linux Foundation has registered trademarks\n and uses trademarks. For a list of trademarks of The Linux Foundation, \n please see our <a href="https://www.linuxfoundation.org/trademark-usage"> Trademark Usage</a> page.'},docs:{versionPersistence:"localStorage",sidebar:{hideable:!1,autoCollapseCategories:!1}},blog:{sidebar:{groupByYear:!0}},metadata:[],prism:{additionalLanguages:[],theme:{plain:{color:"#bfc7d5",backgroundColor:"#292d3e"},styles:[{types:["comment"],style:{color:"rgb(105, 112, 152)",fontStyle:"italic"}},{types:["string","inserted"],style:{color:"rgb(195, 232, 141)"}},{types:["number"],style:{color:"rgb(247, 140, 108)"}},{types:["builtin","char","constant","function"],style:{color:"rgb(130, 170, 255)"}},{types:["punctuation","selector"],style:{color:"rgb(199, 146, 234)"}},{types:["variable"],style:{color:"rgb(191, 199, 213)"}},{types:["class-name","attr-name"],style:{color:"rgb(255, 203, 107)"}},{types:["tag","deleted"],style:{color:"rgb(255, 85, 114)"}},{types:["operator"],style:{color:"rgb(137, 221, 255)"}},{types:["boolean"],style:{color:"rgb(255, 88, 116)"}},{types:["keyword"],style:{fontStyle:"italic"}},{types:["doctype"],style:{color:"rgb(199, 146, 234)",fontStyle:"italic"}},{types:["namespace"],style:{color:"rgb(178, 204, 214)"}},{types:["url"],style:{color:"rgb(221, 221, 221)"}}]},magicComments:[{className:"theme-code-block-highlighted-line",line:"highlight-next-line",block:{start:"highlight-start",end:"highlight-end"}}]},tableOfContents:{minHeadingLevel:2,maxHeadingLevel:3},mermaid:{theme:{dark:"dark",light:"default"},options:{}}},presets:[["@docusaurus/preset-classic",{docs:{routeBasePath:"/",sidebarPath:"/home/runner/work/docs/docs/sidebars.js",showLastUpdateTime:!0,editUrl:"https://github.com/k3s-io/docs/edit/main/"},blog:!1,theme:{customCss:["/home/runner/work/docs/docs/src/css/custom.css"]}}]],plugins:[["@docusaurus/plugin-client-redirects",{redirects:[{from:"/installation/ha",to:"/datastore/ha"},{from:"/installation/ha-embedded",to:"/datastore/ha-embedded"},{from:"/installation/datastore",to:"/datastore"},{from:"/installation/disable-flags",to:"/installation/server-roles"},{from:"/backup-restore/backup-restore",to:"/datastore/backup-restore"},{from:"/reference/agent-config",to:"/cli/agent"},{from:"/reference/server-config",to:"/cli/server"},{from:"/installation/network-options",to:"/networking/basic-network-options"},{from:"/security/self-assessment",to:"/security/self-assessment-1.23"}]}]],baseUrlIssueBanner:!0,future:{experimental_storage:{type:"localStorage",namespace:!1},experimental_router:"browser"},onBrokenAnchors:"warn",onDuplicateRoutes:"warn",staticDirectories:["static"],customFields:{},scripts:[],headTags:[],stylesheets:[],clientModules:[],titleDelimiter:"|",noIndex:!1}},7462:(e,t,n)=>{"use strict";function r(){return r=Object.assign?Object.assign.bind():function(e){for(var t=1;t<arguments.length;t++){var n=arguments[t];for(var r in n)Object.prototype.hasOwnProperty.call(n,r)&&(e[r]=n[r])}return e},r.apply(this,arguments)}n.d(t,{Z:()=>r})},5068:(e,t,n)=>{"use strict";function r(e,t){return r=Object.setPrototypeOf?Object.setPrototypeOf.bind():function(e,t){return e.__proto__=t,e},r(e,t)}function a(e,t){e.prototype=Object.create(t.prototype),e.prototype.constructor=e,r(e,t)}n.d(t,{Z:()=>a})},3366:(e,t,n)=>{"use strict";function r(e,t){if(null==e)return{};var n,r,a={},o=Object.keys(e);for(r=0;r<o.length;r++)n=o[r],t.indexOf(n)>=0||(a[n]=e[n]);return a}n.d(t,{Z:()=>r})},512:(e,t,n)=>{"use strict";function r(e){var t,n,a="";if("string"==typeof e||"number"==typeof e)a+=e;else if("object"==typeof e)if(Array.isArray(e)){var o=e.length;for(t=0;t<o;t++)e[t]&&(n=r(e[t]))&&(a&&(a+=" "),a+=n)}else for(n in e)e[n]&&(a&&(a+=" "),a+=n);return a}n.d(t,{Z:()=>a});const a=function(){for(var e,t,n=0,a="",o=arguments.length;n<o;n++)(e=arguments[n])&&(t=r(e))&&(a&&(a+=" "),a+=t);return a}},2573:(e,t,n)=>{"use strict";n.d(t,{p1:()=>T,y$:()=>ee});var r,a,o,i,s,l,c,u=n(7294),d=n(512),p=Object.create,f=Object.defineProperty,h=Object.defineProperties,m=Object.getOwnPropertyDescriptor,g=Object.getOwnPropertyDescriptors,y=Object.getOwnPropertyNames,b=Object.getOwnPropertySymbols,v=Object.getPrototypeOf,w=Object.prototype.hasOwnProperty,k=Object.prototype.propertyIsEnumerable,x=(e,t,n)=>t in e?f(e,t,{enumerable:!0,configurable:!0,writable:!0,value:n}):e[t]=n,S=(e,t)=>{for(var n in t||(t={}))w.call(t,n)&&x(e,n,t[n]);if(b)for(var n of b(t))k.call(t,n)&&x(e,n,t[n]);return e},E=(e,t)=>h(e,g(t)),_=(e,t)=>{var n={};for(var r in e)w.call(e,r)&&t.indexOf(r)<0&&(n[r]=e[r]);if(null!=e&&b)for(var r of b(e))t.indexOf(r)<0&&k.call(e,r)&&(n[r]=e[r]);return n},C=(r={"../../node_modules/.pnpm/prismjs@1.29.0_patch_hash=vrxx3pzkik6jpmgpayxfjunetu/node_modules/prismjs/prism.js"(e,t){var n=function(){var e=/(?:^|\s)lang(?:uage)?-([\w-]+)(?=\s|$)/i,t=0,n={},r={util:{encode:function e(t){return t instanceof a?new a(t.type,e(t.content),t.alias):Array.isArray(t)?t.map(e):t.replace(/&/g,"&").replace(/</g,"<").replace(/\u00a0/g," ")},type:function(e){return Object.prototype.toString.call(e).slice(8,-1)},objId:function(e){return e.__id||Object.defineProperty(e,"__id",{value:++t}),e.__id},clone:function e(t,n){var a,o;switch(n=n||{},r.util.type(t)){case"Object":if(o=r.util.objId(t),n[o])return n[o];for(var i in a={},n[o]=a,t)t.hasOwnProperty(i)&&(a[i]=e(t[i],n));return a;case"Array":return o=r.util.objId(t),n[o]?n[o]:(a=[],n[o]=a,t.forEach((function(t,r){a[r]=e(t,n)})),a);default:return t}},getLanguage:function(t){for(;t;){var n=e.exec(t.className);if(n)return n[1].toLowerCase();t=t.parentElement}return"none"},setLanguage:function(t,n){t.className=t.className.replace(RegExp(e,"gi"),""),t.classList.add("language-"+n)},isActive:function(e,t,n){for(var r="no-"+t;e;){var a=e.classList;if(a.contains(t))return!0;if(a.contains(r))return!1;e=e.parentElement}return!!n}},languages:{plain:n,plaintext:n,text:n,txt:n,extend:function(e,t){var n=r.util.clone(r.languages[e]);for(var a in t)n[a]=t[a];return n},insertBefore:function(e,t,n,a){var o=(a=a||r.languages)[e],i={};for(var s in o)if(o.hasOwnProperty(s)){if(s==t)for(var l in n)n.hasOwnProperty(l)&&(i[l]=n[l]);n.hasOwnProperty(s)||(i[s]=o[s])}var c=a[e];return a[e]=i,r.languages.DFS(r.languages,(function(t,n){n===c&&t!=e&&(this[t]=i)})),i},DFS:function e(t,n,a,o){o=o||{};var i=r.util.objId;for(var s in t)if(t.hasOwnProperty(s)){n.call(t,s,t[s],a||s);var l=t[s],c=r.util.type(l);"Object"!==c||o[i(l)]?"Array"!==c||o[i(l)]||(o[i(l)]=!0,e(l,n,s,o)):(o[i(l)]=!0,e(l,n,null,o))}}},plugins:{},highlight:function(e,t,n){var o={code:e,grammar:t,language:n};if(r.hooks.run("before-tokenize",o),!o.grammar)throw new Error('The language "'+o.language+'" has no grammar.');return o.tokens=r.tokenize(o.code,o.grammar),r.hooks.run("after-tokenize",o),a.stringify(r.util.encode(o.tokens),o.language)},tokenize:function(e,t){var n=t.rest;if(n){for(var r in n)t[r]=n[r];delete t.rest}var a=new s;return l(a,a.head,e),i(e,a,t,a.head,0),function(e){for(var t=[],n=e.head.next;n!==e.tail;)t.push(n.value),n=n.next;return t}(a)},hooks:{all:{},add:function(e,t){var n=r.hooks.all;n[e]=n[e]||[],n[e].push(t)},run:function(e,t){var n=r.hooks.all[e];if(n&&n.length)for(var a,o=0;a=n[o++];)a(t)}},Token:a};function a(e,t,n,r){this.type=e,this.content=t,this.alias=n,this.length=0|(r||"").length}function o(e,t,n,r){e.lastIndex=t;var a=e.exec(n);if(a&&r&&a[1]){var o=a[1].length;a.index+=o,a[0]=a[0].slice(o)}return a}function i(e,t,n,s,u,d){for(var p in n)if(n.hasOwnProperty(p)&&n[p]){var f=n[p];f=Array.isArray(f)?f:[f];for(var h=0;h<f.length;++h){if(d&&d.cause==p+","+h)return;var m=f[h],g=m.inside,y=!!m.lookbehind,b=!!m.greedy,v=m.alias;if(b&&!m.pattern.global){var w=m.pattern.toString().match(/[imsuy]*$/)[0];m.pattern=RegExp(m.pattern.source,w+"g")}for(var k=m.pattern||m,x=s.next,S=u;x!==t.tail&&!(d&&S>=d.reach);S+=x.value.length,x=x.next){var E=x.value;if(t.length>e.length)return;if(!(E instanceof a)){var _,C=1;if(b){if(!(_=o(k,S,e,y))||_.index>=e.length)break;var T=_.index,j=_.index+_[0].length,L=S;for(L+=x.value.length;T>=L;)L+=(x=x.next).value.length;if(S=L-=x.value.length,x.value instanceof a)continue;for(var R=x;R!==t.tail&&(L<j||"string"==typeof R.value);R=R.next)C++,L+=R.value.length;C--,E=e.slice(S,L),_.index-=S}else if(!(_=o(k,0,E,y)))continue;T=_.index;var N=_[0],P=E.slice(0,T),A=E.slice(T+N.length),O=S+E.length;d&&O>d.reach&&(d.reach=O);var I=x.prev;if(P&&(I=l(t,I,P),S+=P.length),c(t,I,C),x=l(t,I,new a(p,g?r.tokenize(N,g):N,v,N)),A&&l(t,x,A),C>1){var D={cause:p+","+h,reach:O};i(e,t,n,x.prev,S,D),d&&D.reach>d.reach&&(d.reach=D.reach)}}}}}}function s(){var e={value:null,prev:null,next:null},t={value:null,prev:e,next:null};e.next=t,this.head=e,this.tail=t,this.length=0}function l(e,t,n){var r=t.next,a={value:n,prev:t,next:r};return t.next=a,r.prev=a,e.length++,a}function c(e,t,n){for(var r=t.next,a=0;a<n&&r!==e.tail;a++)r=r.next;t.next=r,r.prev=t,e.length-=a}return a.stringify=function e(t,n){if("string"==typeof t)return t;if(Array.isArray(t)){var a="";return t.forEach((function(t){a+=e(t,n)})),a}var o={type:t.type,content:e(t.content,n),tag:"span",classes:["token",t.type],attributes:{},language:n},i=t.alias;i&&(Array.isArray(i)?Array.prototype.push.apply(o.classes,i):o.classes.push(i)),r.hooks.run("wrap",o);var s="";for(var l in o.attributes)s+=" "+l+'="'+(o.attributes[l]||"").replace(/"/g,""")+'"';return"<"+o.tag+' class="'+o.classes.join(" ")+'"'+s+">"+o.content+"</"+o.tag+">"},r}();t.exports=n,n.default=n}},function(){return a||(0,r[y(r)[0]])((a={exports:{}}).exports,a),a.exports}),T=((e,t,n)=>(n=null!=e?p(v(e)):{},((e,t,n,r)=>{if(t&&"object"==typeof t||"function"==typeof t)for(let a of y(t))w.call(e,a)||a===n||f(e,a,{get:()=>t[a],enumerable:!(r=m(t,a))||r.enumerable});return e})(!t&&e&&e.__esModule?n:f(n,"default",{value:e,enumerable:!0}),e)))(C());T.languages.markup={comment:{pattern:/<!--(?:(?!<!--)[\s\S])*?-->/,greedy:!0},prolog:{pattern:/<\?[\s\S]+?\?>/,greedy:!0},doctype:{pattern:/<!DOCTYPE(?:[^>"'[\]]|"[^"]*"|'[^']*')+(?:\[(?:[^<"'\]]|"[^"]*"|'[^']*'|<(?!!--)|<!--(?:[^-]|-(?!->))*-->)*\]\s*)?>/i,greedy:!0,inside:{"internal-subset":{pattern:/(^[^\[]*\[)[\s\S]+(?=\]>$)/,lookbehind:!0,greedy:!0,inside:null},string:{pattern:/"[^"]*"|'[^']*'/,greedy:!0},punctuation:/^<!|>$|[[\]]/,"doctype-tag":/^DOCTYPE/i,name:/[^\s<>'"]+/}},cdata:{pattern:/<!\[CDATA\[[\s\S]*?\]\]>/i,greedy:!0},tag:{pattern:/<\/?(?!\d)[^\s>\/=$<%]+(?:\s(?:\s*[^\s>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s'">=]+(?=[\s>]))|(?=[\s/>])))+)?\s*\/?>/,greedy:!0,inside:{tag:{pattern:/^<\/?[^\s>\/]+/,inside:{punctuation:/^<\/?/,namespace:/^[^\s>\/:]+:/}},"special-attr":[],"attr-value":{pattern:/=\s*(?:"[^"]*"|'[^']*'|[^\s'">=]+)/,inside:{punctuation:[{pattern:/^=/,alias:"attr-equals"},{pattern:/^(\s*)["']|["']$/,lookbehind:!0}]}},punctuation:/\/?>/,"attr-name":{pattern:/[^\s>\/]+/,inside:{namespace:/^[^\s>\/:]+:/}}}},entity:[{pattern:/&[\da-z]{1,8};/i,alias:"named-entity"},/&#x?[\da-f]{1,8};/i]},T.languages.markup.tag.inside["attr-value"].inside.entity=T.languages.markup.entity,T.languages.markup.doctype.inside["internal-subset"].inside=T.languages.markup,T.hooks.add("wrap",(function(e){"entity"===e.type&&(e.attributes.title=e.content.replace(/&/,"&"))})),Object.defineProperty(T.languages.markup.tag,"addInlined",{value:function(e,t){var n;(t=((n=((n={})["language-"+t]={pattern:/(^<!\[CDATA\[)[\s\S]+?(?=\]\]>$)/i,lookbehind:!0,inside:T.languages[t]},n.cdata=/^<!\[CDATA\[|\]\]>$/i,{"included-cdata":{pattern:/<!\[CDATA\[[\s\S]*?\]\]>/i,inside:n}}))["language-"+t]={pattern:/[\s\S]+/,inside:T.languages[t]},{}))[e]={pattern:RegExp(/(<__[^>]*>)(?:<!\[CDATA\[(?:[^\]]|\](?!\]>))*\]\]>|(?!<!\[CDATA\[)[\s\S])*?(?=<\/__>)/.source.replace(/__/g,(function(){return e})),"i"),lookbehind:!0,greedy:!0,inside:n},T.languages.insertBefore("markup","cdata",t)}}),Object.defineProperty(T.languages.markup.tag,"addAttribute",{value:function(e,t){T.languages.markup.tag.inside["special-attr"].push({pattern:RegExp(/(^|["'\s])/.source+"(?:"+e+")"+/\s*=\s*(?:"[^"]*"|'[^']*'|[^\s'">=]+(?=[\s>]))/.source,"i"),lookbehind:!0,inside:{"attr-name":/^[^\s=]+/,"attr-value":{pattern:/=[\s\S]+/,inside:{value:{pattern:/(^=\s*(["']|(?!["'])))\S[\s\S]*(?=\2$)/,lookbehind:!0,alias:[t,"language-"+t],inside:T.languages[t]},punctuation:[{pattern:/^=/,alias:"attr-equals"},/"|'/]}}}})}}),T.languages.html=T.languages.markup,T.languages.mathml=T.languages.markup,T.languages.svg=T.languages.markup,T.languages.xml=T.languages.extend("markup",{}),T.languages.ssml=T.languages.xml,T.languages.atom=T.languages.xml,T.languages.rss=T.languages.xml,o=T,i={pattern:/\\[\\(){}[\]^$+*?|.]/,alias:"escape"},l="(?:[^\\\\-]|"+(s=/\\(?:x[\da-fA-F]{2}|u[\da-fA-F]{4}|u\{[\da-fA-F]+\}|0[0-7]{0,2}|[123][0-7]{2}|c[a-zA-Z]|.)/).source+")",l=RegExp(l+"-"+l),c={pattern:/(<|')[^<>']+(?=[>']$)/,lookbehind:!0,alias:"variable"},o.languages.regex={"char-class":{pattern:/((?:^|[^\\])(?:\\\\)*)\[(?:[^\\\]]|\\[\s\S])*\]/,lookbehind:!0,inside:{"char-class-negation":{pattern:/(^\[)\^/,lookbehind:!0,alias:"operator"},"char-class-punctuation":{pattern:/^\[|\]$/,alias:"punctuation"},range:{pattern:l,inside:{escape:s,"range-punctuation":{pattern:/-/,alias:"operator"}}},"special-escape":i,"char-set":{pattern:/\\[wsd]|\\p\{[^{}]+\}/i,alias:"class-name"},escape:s}},"special-escape":i,"char-set":{pattern:/\.|\\[wsd]|\\p\{[^{}]+\}/i,alias:"class-name"},backreference:[{pattern:/\\(?![123][0-7]{2})[1-9]/,alias:"keyword"},{pattern:/\\k<[^<>']+>/,alias:"keyword",inside:{"group-name":c}}],anchor:{pattern:/[$^]|\\[ABbGZz]/,alias:"function"},escape:s,group:[{pattern:/\((?:\?(?:<[^<>']+>|'[^<>']+'|[>:]|<?[=!]|[idmnsuxU]+(?:-[idmnsuxU]+)?:?))?/,alias:"punctuation",inside:{"group-name":c}},{pattern:/\)/,alias:"punctuation"}],quantifier:{pattern:/(?:[+*?]|\{\d+(?:,\d*)?\})[?+]?/,alias:"number"},alternation:{pattern:/\|/,alias:"keyword"}},T.languages.clike={comment:[{pattern:/(^|[^\\])\/\*[\s\S]*?(?:\*\/|$)/,lookbehind:!0,greedy:!0},{pattern:/(^|[^\\:])\/\/.*/,lookbehind:!0,greedy:!0}],string:{pattern:/(["'])(?:\\(?:\r\n|[\s\S])|(?!\1)[^\\\r\n])*\1/,greedy:!0},"class-name":{pattern:/(\b(?:class|extends|implements|instanceof|interface|new|trait)\s+|\bcatch\s+\()[\w.\\]+/i,lookbehind:!0,inside:{punctuation:/[.\\]/}},keyword:/\b(?:break|catch|continue|do|else|finally|for|function|if|in|instanceof|new|null|return|throw|try|while)\b/,boolean:/\b(?:false|true)\b/,function:/\b\w+(?=\()/,number:/\b0x[\da-f]+\b|(?:\b\d+(?:\.\d*)?|\B\.\d+)(?:e[+-]?\d+)?/i,operator:/[<>]=?|[!=]=?=?|--?|\+\+?|&&?|\|\|?|[?*/~^%]/,punctuation:/[{}[\];(),.:]/},T.languages.javascript=T.languages.extend("clike",{"class-name":[T.languages.clike["class-name"],{pattern:/(^|[^$\w\xA0-\uFFFF])(?!\s)[_$A-Z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*(?=\.(?:constructor|prototype))/,lookbehind:!0}],keyword:[{pattern:/((?:^|\})\s*)catch\b/,lookbehind:!0},{pattern:/(^|[^.]|\.\.\.\s*)\b(?:as|assert(?=\s*\{)|async(?=\s*(?:function\b|\(|[$\w\xA0-\uFFFF]|$))|await|break|case|class|const|continue|debugger|default|delete|do|else|enum|export|extends|finally(?=\s*(?:\{|$))|for|from(?=\s*(?:['"]|$))|function|(?:get|set)(?=\s*(?:[#\[$\w\xA0-\uFFFF]|$))|if|implements|import|in|instanceof|interface|let|new|null|of|package|private|protected|public|return|static|super|switch|this|throw|try|typeof|undefined|var|void|while|with|yield)\b/,lookbehind:!0}],function:/#?(?!\s)[_$a-zA-Z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*(?=\s*(?:\.\s*(?:apply|bind|call)\s*)?\()/,number:{pattern:RegExp(/(^|[^\w$])/.source+"(?:"+/NaN|Infinity/.source+"|"+/0[bB][01]+(?:_[01]+)*n?/.source+"|"+/0[oO][0-7]+(?:_[0-7]+)*n?/.source+"|"+/0[xX][\dA-Fa-f]+(?:_[\dA-Fa-f]+)*n?/.source+"|"+/\d+(?:_\d+)*n/.source+"|"+/(?:\d+(?:_\d+)*(?:\.(?:\d+(?:_\d+)*)?)?|\.\d+(?:_\d+)*)(?:[Ee][+-]?\d+(?:_\d+)*)?/.source+")"+/(?![\w$])/.source),lookbehind:!0},operator:/--|\+\+|\*\*=?|=>|&&=?|\|\|=?|[!=]==|<<=?|>>>?=?|[-+*/%&|^!=<>]=?|\.{3}|\?\?=?|\?\.?|[~:]/}),T.languages.javascript["class-name"][0].pattern=/(\b(?:class|extends|implements|instanceof|interface|new)\s+)[\w.\\]+/,T.languages.insertBefore("javascript","keyword",{regex:{pattern:RegExp(/((?:^|[^$\w\xA0-\uFFFF."'\])\s]|\b(?:return|yield))\s*)/.source+/\//.source+"(?:"+/(?:\[(?:[^\]\\\r\n]|\\.)*\]|\\.|[^/\\\[\r\n])+\/[dgimyus]{0,7}/.source+"|"+/(?:\[(?:[^[\]\\\r\n]|\\.|\[(?:[^[\]\\\r\n]|\\.|\[(?:[^[\]\\\r\n]|\\.)*\])*\])*\]|\\.|[^/\\\[\r\n])+\/[dgimyus]{0,7}v[dgimyus]{0,7}/.source+")"+/(?=(?:\s|\/\*(?:[^*]|\*(?!\/))*\*\/)*(?:$|[\r\n,.;:})\]]|\/\/))/.source),lookbehind:!0,greedy:!0,inside:{"regex-source":{pattern:/^(\/)[\s\S]+(?=\/[a-z]*$)/,lookbehind:!0,alias:"language-regex",inside:T.languages.regex},"regex-delimiter":/^\/|\/$/,"regex-flags":/^[a-z]+$/}},"function-variable":{pattern:/#?(?!\s)[_$a-zA-Z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*(?=\s*[=:]\s*(?:async\s*)?(?:\bfunction\b|(?:\((?:[^()]|\([^()]*\))*\)|(?!\s)[_$a-zA-Z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*)\s*=>))/,alias:"function"},parameter:[{pattern:/(function(?:\s+(?!\s)[_$a-zA-Z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*)?\s*\(\s*)(?!\s)(?:[^()\s]|\s+(?![\s)])|\([^()]*\))+(?=\s*\))/,lookbehind:!0,inside:T.languages.javascript},{pattern:/(^|[^$\w\xA0-\uFFFF])(?!\s)[_$a-z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*(?=\s*=>)/i,lookbehind:!0,inside:T.languages.javascript},{pattern:/(\(\s*)(?!\s)(?:[^()\s]|\s+(?![\s)])|\([^()]*\))+(?=\s*\)\s*=>)/,lookbehind:!0,inside:T.languages.javascript},{pattern:/((?:\b|\s|^)(?!(?:as|async|await|break|case|catch|class|const|continue|debugger|default|delete|do|else|enum|export|extends|finally|for|from|function|get|if|implements|import|in|instanceof|interface|let|new|null|of|package|private|protected|public|return|set|static|super|switch|this|throw|try|typeof|undefined|var|void|while|with|yield)(?![$\w\xA0-\uFFFF]))(?:(?!\s)[_$a-zA-Z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*\s*)\(\s*|\]\s*\(\s*)(?!\s)(?:[^()\s]|\s+(?![\s)])|\([^()]*\))+(?=\s*\)\s*\{)/,lookbehind:!0,inside:T.languages.javascript}],constant:/\b[A-Z](?:[A-Z_]|\dx?)*\b/}),T.languages.insertBefore("javascript","string",{hashbang:{pattern:/^#!.*/,greedy:!0,alias:"comment"},"template-string":{pattern:/`(?:\\[\s\S]|\$\{(?:[^{}]|\{(?:[^{}]|\{[^}]*\})*\})+\}|(?!\$\{)[^\\`])*`/,greedy:!0,inside:{"template-punctuation":{pattern:/^`|`$/,alias:"string"},interpolation:{pattern:/((?:^|[^\\])(?:\\{2})*)\$\{(?:[^{}]|\{(?:[^{}]|\{[^}]*\})*\})+\}/,lookbehind:!0,inside:{"interpolation-punctuation":{pattern:/^\$\{|\}$/,alias:"punctuation"},rest:T.languages.javascript}},string:/[\s\S]+/}},"string-property":{pattern:/((?:^|[,{])[ \t]*)(["'])(?:\\(?:\r\n|[\s\S])|(?!\2)[^\\\r\n])*\2(?=\s*:)/m,lookbehind:!0,greedy:!0,alias:"property"}}),T.languages.insertBefore("javascript","operator",{"literal-property":{pattern:/((?:^|[,{])[ \t]*)(?!\s)[_$a-zA-Z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*(?=\s*:)/m,lookbehind:!0,alias:"property"}}),T.languages.markup&&(T.languages.markup.tag.addInlined("script","javascript"),T.languages.markup.tag.addAttribute(/on(?:abort|blur|change|click|composition(?:end|start|update)|dblclick|error|focus(?:in|out)?|key(?:down|up)|load|mouse(?:down|enter|leave|move|out|over|up)|reset|resize|scroll|select|slotchange|submit|unload|wheel)/.source,"javascript")),T.languages.js=T.languages.javascript,T.languages.actionscript=T.languages.extend("javascript",{keyword:/\b(?:as|break|case|catch|class|const|default|delete|do|dynamic|each|else|extends|final|finally|for|function|get|if|implements|import|in|include|instanceof|interface|internal|is|namespace|native|new|null|override|package|private|protected|public|return|set|static|super|switch|this|throw|try|typeof|use|var|void|while|with)\b/,operator:/\+\+|--|(?:[+\-*\/%^]|&&?|\|\|?|<<?|>>?>?|[!=]=?)=?|[~?@]/}),T.languages.actionscript["class-name"].alias="function",delete T.languages.actionscript.parameter,delete T.languages.actionscript["literal-property"],T.languages.markup&&T.languages.insertBefore("actionscript","string",{xml:{pattern:/(^|[^.])<\/?\w+(?:\s+[^\s>\/=]+=("|')(?:\\[\s\S]|(?!\2)[^\\])*\2)*\s*\/?>/,lookbehind:!0,inside:T.languages.markup}}),function(e){var t=/#(?!\{).+/,n={pattern:/#\{[^}]+\}/,alias:"variable"};e.languages.coffeescript=e.languages.extend("javascript",{comment:t,string:[{pattern:/'(?:\\[\s\S]|[^\\'])*'/,greedy:!0},{pattern:/"(?:\\[\s\S]|[^\\"])*"/,greedy:!0,inside:{interpolation:n}}],keyword:/\b(?:and|break|by|catch|class|continue|debugger|delete|do|each|else|extend|extends|false|finally|for|if|in|instanceof|is|isnt|let|loop|namespace|new|no|not|null|of|off|on|or|own|return|super|switch|then|this|throw|true|try|typeof|undefined|unless|until|when|while|window|with|yes|yield)\b/,"class-member":{pattern:/@(?!\d)\w+/,alias:"variable"}}),e.languages.insertBefore("coffeescript","comment",{"multiline-comment":{pattern:/###[\s\S]+?###/,alias:"comment"},"block-regex":{pattern:/\/{3}[\s\S]*?\/{3}/,alias:"regex",inside:{comment:t,interpolation:n}}}),e.languages.insertBefore("coffeescript","string",{"inline-javascript":{pattern:/`(?:\\[\s\S]|[^\\`])*`/,inside:{delimiter:{pattern:/^`|`$/,alias:"punctuation"},script:{pattern:/[\s\S]+/,alias:"language-javascript",inside:e.languages.javascript}}},"multiline-string":[{pattern:/'''[\s\S]*?'''/,greedy:!0,alias:"string"},{pattern:/"""[\s\S]*?"""/,greedy:!0,alias:"string",inside:{interpolation:n}}]}),e.languages.insertBefore("coffeescript","keyword",{property:/(?!\d)\w+(?=\s*:(?!:))/}),delete e.languages.coffeescript["template-string"],e.languages.coffee=e.languages.coffeescript}(T),function(e){var t=e.languages.javadoclike={parameter:{pattern:/(^[\t ]*(?:\/{3}|\*|\/\*\*)\s*@(?:arg|arguments|param)\s+)\w+/m,lookbehind:!0},keyword:{pattern:/(^[\t ]*(?:\/{3}|\*|\/\*\*)\s*|\{)@[a-z][a-zA-Z-]+\b/m,lookbehind:!0},punctuation:/[{}]/};Object.defineProperty(t,"addSupport",{value:function(t,n){(t="string"==typeof t?[t]:t).forEach((function(t){var r=function(e){e.inside||(e.inside={}),e.inside.rest=n},a="doc-comment";if(o=e.languages[t]){var o,i=o[a];if((i=i||(o=e.languages.insertBefore(t,"comment",{"doc-comment":{pattern:/(^|[^\\])\/\*\*[^/][\s\S]*?(?:\*\/|$)/,lookbehind:!0,alias:"comment"}}))[a])instanceof RegExp&&(i=o[a]={pattern:i}),Array.isArray(i))for(var s=0,l=i.length;s<l;s++)i[s]instanceof RegExp&&(i[s]={pattern:i[s]}),r(i[s]);else r(i)}}))}}),t.addSupport(["java","javascript","php"],t)}(T),function(e){var t=/(?:"(?:\\(?:\r\n|[\s\S])|[^"\\\r\n])*"|'(?:\\(?:\r\n|[\s\S])|[^'\\\r\n])*')/;(t=(e.languages.css={comment:/\/\*[\s\S]*?\*\//,atrule:{pattern:RegExp("@[\\w-](?:"+/[^;{\s"']|\s+(?!\s)/.source+"|"+t.source+")*?"+/(?:;|(?=\s*\{))/.source),inside:{rule:/^@[\w-]+/,"selector-function-argument":{pattern:/(\bselector\s*\(\s*(?![\s)]))(?:[^()\s]|\s+(?![\s)])|\((?:[^()]|\([^()]*\))*\))+(?=\s*\))/,lookbehind:!0,alias:"selector"},keyword:{pattern:/(^|[^\w-])(?:and|not|only|or)(?![\w-])/,lookbehind:!0}}},url:{pattern:RegExp("\\burl\\((?:"+t.source+"|"+/(?:[^\\\r\n()"']|\\[\s\S])*/.source+")\\)","i"),greedy:!0,inside:{function:/^url/i,punctuation:/^\(|\)$/,string:{pattern:RegExp("^"+t.source+"$"),alias:"url"}}},selector:{pattern:RegExp("(^|[{}\\s])[^{}\\s](?:[^{};\"'\\s]|\\s+(?![\\s{])|"+t.source+")*(?=\\s*\\{)"),lookbehind:!0},string:{pattern:t,greedy:!0},property:{pattern:/(^|[^-\w\xA0-\uFFFF])(?!\s)[-_a-z\xA0-\uFFFF](?:(?!\s)[-\w\xA0-\uFFFF])*(?=\s*:)/i,lookbehind:!0},important:/!important\b/i,function:{pattern:/(^|[^-a-z0-9])[-a-z0-9]+(?=\()/i,lookbehind:!0},punctuation:/[(){};:,]/},e.languages.css.atrule.inside.rest=e.languages.css,e.languages.markup))&&(t.tag.addInlined("style","css"),t.tag.addAttribute("style","css"))}(T),function(e){var t=/("|')(?:\\(?:\r\n|[\s\S])|(?!\1)[^\\\r\n])*\1/,n=(t=(e.languages.css.selector={pattern:e.languages.css.selector.pattern,lookbehind:!0,inside:t={"pseudo-element":/:(?:after|before|first-letter|first-line|selection)|::[-\w]+/,"pseudo-class":/:[-\w]+/,class:/\.[-\w]+/,id:/#[-\w]+/,attribute:{pattern:RegExp("\\[(?:[^[\\]\"']|"+t.source+")*\\]"),greedy:!0,inside:{punctuation:/^\[|\]$/,"case-sensitivity":{pattern:/(\s)[si]$/i,lookbehind:!0,alias:"keyword"},namespace:{pattern:/^(\s*)(?:(?!\s)[-*\w\xA0-\uFFFF])*\|(?!=)/,lookbehind:!0,inside:{punctuation:/\|$/}},"attr-name":{pattern:/^(\s*)(?:(?!\s)[-\w\xA0-\uFFFF])+/,lookbehind:!0},"attr-value":[t,{pattern:/(=\s*)(?:(?!\s)[-\w\xA0-\uFFFF])+(?=\s*$)/,lookbehind:!0}],operator:/[|~*^$]?=/}},"n-th":[{pattern:/(\(\s*)[+-]?\d*[\dn](?:\s*[+-]\s*\d+)?(?=\s*\))/,lookbehind:!0,inside:{number:/[\dn]+/,operator:/[+-]/}},{pattern:/(\(\s*)(?:even|odd)(?=\s*\))/i,lookbehind:!0}],combinator:/>|\+|~|\|\|/,punctuation:/[(),]/}},e.languages.css.atrule.inside["selector-function-argument"].inside=t,e.languages.insertBefore("css","property",{variable:{pattern:/(^|[^-\w\xA0-\uFFFF])--(?!\s)[-_a-z\xA0-\uFFFF](?:(?!\s)[-\w\xA0-\uFFFF])*/i,lookbehind:!0}}),{pattern:/(\b\d+)(?:%|[a-z]+(?![\w-]))/,lookbehind:!0}),{pattern:/(^|[^\w.-])-?(?:\d+(?:\.\d+)?|\.\d+)/,lookbehind:!0});e.languages.insertBefore("css","function",{operator:{pattern:/(\s)[+\-*\/](?=\s)/,lookbehind:!0},hexcode:{pattern:/\B#[\da-f]{3,8}\b/i,alias:"color"},color:[{pattern:/(^|[^\w-])(?:AliceBlue|AntiqueWhite|Aqua|Aquamarine|Azure|Beige|Bisque|Black|BlanchedAlmond|Blue|BlueViolet|Brown|BurlyWood|CadetBlue|Chartreuse|Chocolate|Coral|CornflowerBlue|Cornsilk|Crimson|Cyan|DarkBlue|DarkCyan|DarkGoldenRod|DarkGr[ae]y|DarkGreen|DarkKhaki|DarkMagenta|DarkOliveGreen|DarkOrange|DarkOrchid|DarkRed|DarkSalmon|DarkSeaGreen|DarkSlateBlue|DarkSlateGr[ae]y|DarkTurquoise|DarkViolet|DeepPink|DeepSkyBlue|DimGr[ae]y|DodgerBlue|FireBrick|FloralWhite|ForestGreen|Fuchsia|Gainsboro|GhostWhite|Gold|GoldenRod|Gr[ae]y|Green|GreenYellow|HoneyDew|HotPink|IndianRed|Indigo|Ivory|Khaki|Lavender|LavenderBlush|LawnGreen|LemonChiffon|LightBlue|LightCoral|LightCyan|LightGoldenRodYellow|LightGr[ae]y|LightGreen|LightPink|LightSalmon|LightSeaGreen|LightSkyBlue|LightSlateGr[ae]y|LightSteelBlue|LightYellow|Lime|LimeGreen|Linen|Magenta|Maroon|MediumAquaMarine|MediumBlue|MediumOrchid|MediumPurple|MediumSeaGreen|MediumSlateBlue|MediumSpringGreen|MediumTurquoise|MediumVioletRed|MidnightBlue|MintCream|MistyRose|Moccasin|NavajoWhite|Navy|OldLace|Olive|OliveDrab|Orange|OrangeRed|Orchid|PaleGoldenRod|PaleGreen|PaleTurquoise|PaleVioletRed|PapayaWhip|PeachPuff|Peru|Pink|Plum|PowderBlue|Purple|RebeccaPurple|Red|RosyBrown|RoyalBlue|SaddleBrown|Salmon|SandyBrown|SeaGreen|SeaShell|Sienna|Silver|SkyBlue|SlateBlue|SlateGr[ae]y|Snow|SpringGreen|SteelBlue|Tan|Teal|Thistle|Tomato|Transparent|Turquoise|Violet|Wheat|White|WhiteSmoke|Yellow|YellowGreen)(?![\w-])/i,lookbehind:!0},{pattern:/\b(?:hsl|rgb)\(\s*\d{1,3}\s*,\s*\d{1,3}%?\s*,\s*\d{1,3}%?\s*\)\B|\b(?:hsl|rgb)a\(\s*\d{1,3}\s*,\s*\d{1,3}%?\s*,\s*\d{1,3}%?\s*,\s*(?:0|0?\.\d+|1)\s*\)\B/i,inside:{unit:t,number:n,function:/[\w-]+(?=\()/,punctuation:/[(),]/}}],entity:/\\[\da-f]{1,8}/i,unit:t,number:n})}(T),function(e){var t=/[*&][^\s[\]{},]+/,n=/!(?:<[\w\-%#;/?:@&=+$,.!~*'()[\]]+>|(?:[a-zA-Z\d-]*!)?[\w\-%#;/?:@&=+$.~*'()]+)?/,r="(?:"+n.source+"(?:[ \t]+"+t.source+")?|"+t.source+"(?:[ \t]+"+n.source+")?)",a=/(?:[^\s\x00-\x08\x0e-\x1f!"#%&'*,\-:>?@[\]`{|}\x7f-\x84\x86-\x9f\ud800-\udfff\ufffe\uffff]|[?:-]<PLAIN>)(?:[ \t]*(?:(?![#:])<PLAIN>|:<PLAIN>))*/.source.replace(/<PLAIN>/g,(function(){return/[^\s\x00-\x08\x0e-\x1f,[\]{}\x7f-\x84\x86-\x9f\ud800-\udfff\ufffe\uffff]/.source})),o=/"(?:[^"\\\r\n]|\\.)*"|'(?:[^'\\\r\n]|\\.)*'/.source;function i(e,t){t=(t||"").replace(/m/g,"")+"m";var n=/([:\-,[{]\s*(?:\s<<prop>>[ \t]+)?)(?:<<value>>)(?=[ \t]*(?:$|,|\]|\}|(?:[\r\n]\s*)?#))/.source.replace(/<<prop>>/g,(function(){return r})).replace(/<<value>>/g,(function(){return e}));return RegExp(n,t)}e.languages.yaml={scalar:{pattern:RegExp(/([\-:]\s*(?:\s<<prop>>[ \t]+)?[|>])[ \t]*(?:((?:\r?\n|\r)[ \t]+)\S[^\r\n]*(?:\2[^\r\n]+)*)/.source.replace(/<<prop>>/g,(function(){return r}))),lookbehind:!0,alias:"string"},comment:/#.*/,key:{pattern:RegExp(/((?:^|[:\-,[{\r\n?])[ \t]*(?:<<prop>>[ \t]+)?)<<key>>(?=\s*:\s)/.source.replace(/<<prop>>/g,(function(){return r})).replace(/<<key>>/g,(function(){return"(?:"+a+"|"+o+")"}))),lookbehind:!0,greedy:!0,alias:"atrule"},directive:{pattern:/(^[ \t]*)%.+/m,lookbehind:!0,alias:"important"},datetime:{pattern:i(/\d{4}-\d\d?-\d\d?(?:[tT]|[ \t]+)\d\d?:\d{2}:\d{2}(?:\.\d*)?(?:[ \t]*(?:Z|[-+]\d\d?(?::\d{2})?))?|\d{4}-\d{2}-\d{2}|\d\d?:\d{2}(?::\d{2}(?:\.\d*)?)?/.source),lookbehind:!0,alias:"number"},boolean:{pattern:i(/false|true/.source,"i"),lookbehind:!0,alias:"important"},null:{pattern:i(/null|~/.source,"i"),lookbehind:!0,alias:"important"},string:{pattern:i(o),lookbehind:!0,greedy:!0},number:{pattern:i(/[+-]?(?:0x[\da-f]+|0o[0-7]+|(?:\d+(?:\.\d*)?|\.\d+)(?:e[+-]?\d+)?|\.inf|\.nan)/.source,"i"),lookbehind:!0},tag:n,important:t,punctuation:/---|[:[\]{}\-,|>?]|\.\.\./},e.languages.yml=e.languages.yaml}(T),function(e){var t=/(?:\\.|[^\\\n\r]|(?:\n|\r\n?)(?![\r\n]))/.source;function n(e){return e=e.replace(/<inner>/g,(function(){return t})),RegExp(/((?:^|[^\\])(?:\\{2})*)/.source+"(?:"+e+")")}var r=/(?:\\.|``(?:[^`\r\n]|`(?!`))+``|`[^`\r\n]+`|[^\\|\r\n`])+/.source,a=/\|?__(?:\|__)+\|?(?:(?:\n|\r\n?)|(?![\s\S]))/.source.replace(/__/g,(function(){return r})),o=/\|?[ \t]*:?-{3,}:?[ \t]*(?:\|[ \t]*:?-{3,}:?[ \t]*)+\|?(?:\n|\r\n?)/.source,i=(e.languages.markdown=e.languages.extend("markup",{}),e.languages.insertBefore("markdown","prolog",{"front-matter-block":{pattern:/(^(?:\s*[\r\n])?)---(?!.)[\s\S]*?[\r\n]---(?!.)/,lookbehind:!0,greedy:!0,inside:{punctuation:/^---|---$/,"front-matter":{pattern:/\S+(?:\s+\S+)*/,alias:["yaml","language-yaml"],inside:e.languages.yaml}}},blockquote:{pattern:/^>(?:[\t ]*>)*/m,alias:"punctuation"},table:{pattern:RegExp("^"+a+o+"(?:"+a+")*","m"),inside:{"table-data-rows":{pattern:RegExp("^("+a+o+")(?:"+a+")*$"),lookbehind:!0,inside:{"table-data":{pattern:RegExp(r),inside:e.languages.markdown},punctuation:/\|/}},"table-line":{pattern:RegExp("^("+a+")"+o+"$"),lookbehind:!0,inside:{punctuation:/\||:?-{3,}:?/}},"table-header-row":{pattern:RegExp("^"+a+"$"),inside:{"table-header":{pattern:RegExp(r),alias:"important",inside:e.languages.markdown},punctuation:/\|/}}}},code:[{pattern:/((?:^|\n)[ \t]*\n|(?:^|\r\n?)[ \t]*\r\n?)(?: {4}|\t).+(?:(?:\n|\r\n?)(?: {4}|\t).+)*/,lookbehind:!0,alias:"keyword"},{pattern:/^```[\s\S]*?^```$/m,greedy:!0,inside:{"code-block":{pattern:/^(```.*(?:\n|\r\n?))[\s\S]+?(?=(?:\n|\r\n?)^```$)/m,lookbehind:!0},"code-language":{pattern:/^(```).+/,lookbehind:!0},punctuation:/```/}}],title:[{pattern:/\S.*(?:\n|\r\n?)(?:==+|--+)(?=[ \t]*$)/m,alias:"important",inside:{punctuation:/==+$|--+$/}},{pattern:/(^\s*)#.+/m,lookbehind:!0,alias:"important",inside:{punctuation:/^#+|#+$/}}],hr:{pattern:/(^\s*)([*-])(?:[\t ]*\2){2,}(?=\s*$)/m,lookbehind:!0,alias:"punctuation"},list:{pattern:/(^\s*)(?:[*+-]|\d+\.)(?=[\t ].)/m,lookbehind:!0,alias:"punctuation"},"url-reference":{pattern:/!?\[[^\]]+\]:[\t ]+(?:\S+|<(?:\\.|[^>\\])+>)(?:[\t ]+(?:"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|\((?:\\.|[^)\\])*\)))?/,inside:{variable:{pattern:/^(!?\[)[^\]]+/,lookbehind:!0},string:/(?:"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|\((?:\\.|[^)\\])*\))$/,punctuation:/^[\[\]!:]|[<>]/},alias:"url"},bold:{pattern:n(/\b__(?:(?!_)<inner>|_(?:(?!_)<inner>)+_)+__\b|\*\*(?:(?!\*)<inner>|\*(?:(?!\*)<inner>)+\*)+\*\*/.source),lookbehind:!0,greedy:!0,inside:{content:{pattern:/(^..)[\s\S]+(?=..$)/,lookbehind:!0,inside:{}},punctuation:/\*\*|__/}},italic:{pattern:n(/\b_(?:(?!_)<inner>|__(?:(?!_)<inner>)+__)+_\b|\*(?:(?!\*)<inner>|\*\*(?:(?!\*)<inner>)+\*\*)+\*/.source),lookbehind:!0,greedy:!0,inside:{content:{pattern:/(^.)[\s\S]+(?=.$)/,lookbehind:!0,inside:{}},punctuation:/[*_]/}},strike:{pattern:n(/(~~?)(?:(?!~)<inner>)+\2/.source),lookbehind:!0,greedy:!0,inside:{content:{pattern:/(^~~?)[\s\S]+(?=\1$)/,lookbehind:!0,inside:{}},punctuation:/~~?/}},"code-snippet":{pattern:/(^|[^\\`])(?:``[^`\r\n]+(?:`[^`\r\n]+)*``(?!`)|`[^`\r\n]+`(?!`))/,lookbehind:!0,greedy:!0,alias:["code","keyword"]},url:{pattern:n(/!?\[(?:(?!\])<inner>)+\](?:\([^\s)]+(?:[\t ]+"(?:\\.|[^"\\])*")?\)|[ \t]?\[(?:(?!\])<inner>)+\])/.source),lookbehind:!0,greedy:!0,inside:{operator:/^!/,content:{pattern:/(^\[)[^\]]+(?=\])/,lookbehind:!0,inside:{}},variable:{pattern:/(^\][ \t]?\[)[^\]]+(?=\]$)/,lookbehind:!0},url:{pattern:/(^\]\()[^\s)]+/,lookbehind:!0},string:{pattern:/(^[ \t]+)"(?:\\.|[^"\\])*"(?=\)$)/,lookbehind:!0}}}}),["url","bold","italic","strike"].forEach((function(t){["url","bold","italic","strike","code-snippet"].forEach((function(n){t!==n&&(e.languages.markdown[t].inside.content.inside[n]=e.languages.markdown[n])}))})),e.hooks.add("after-tokenize",(function(e){"markdown"!==e.language&&"md"!==e.language||function e(t){if(t&&"string"!=typeof t)for(var n=0,r=t.length;n<r;n++){var a,o=t[n];"code"!==o.type?e(o.content):(a=o.content[1],o=o.content[3],a&&o&&"code-language"===a.type&&"code-block"===o.type&&"string"==typeof a.content&&(a=a.content.replace(/\b#/g,"sharp").replace(/\b\+\+/g,"pp"),a="language-"+(a=(/[a-z][\w-]*/i.exec(a)||[""])[0].toLowerCase()),o.alias?"string"==typeof o.alias?o.alias=[o.alias,a]:o.alias.push(a):o.alias=[a]))}}(e.tokens)})),e.hooks.add("wrap",(function(t){if("code-block"===t.type){for(var n="",r=0,a=t.classes.length;r<a;r++){var o=t.classes[r];if(o=/language-(.+)/.exec(o)){n=o[1];break}}var c,u=e.languages[n];u?t.content=e.highlight(t.content.replace(i,"").replace(/&(\w{1,8}|#x?[\da-f]{1,8});/gi,(function(e,t){var n;return"#"===(t=t.toLowerCase())[0]?(n="x"===t[1]?parseInt(t.slice(2),16):Number(t.slice(1)),l(n)):s[t]||e})),u,n):n&&"none"!==n&&e.plugins.autoloader&&(c="md-"+(new Date).valueOf()+"-"+Math.floor(1e16*Math.random()),t.attributes.id=c,e.plugins.autoloader.loadLanguages(n,(function(){var t=document.getElementById(c);t&&(t.innerHTML=e.highlight(t.textContent,e.languages[n],n))})))}})),RegExp(e.languages.markup.tag.pattern.source,"gi")),s={amp:"&",lt:"<",gt:">",quot:'"'},l=String.fromCodePoint||String.fromCharCode;e.languages.md=e.languages.markdown}(T),T.languages.graphql={comment:/#.*/,description:{pattern:/(?:"""(?:[^"]|(?!""")")*"""|"(?:\\.|[^\\"\r\n])*")(?=\s*[a-z_])/i,greedy:!0,alias:"string",inside:{"language-markdown":{pattern:/(^"(?:"")?)(?!\1)[\s\S]+(?=\1$)/,lookbehind:!0,inside:T.languages.markdown}}},string:{pattern:/"""(?:[^"]|(?!""")")*"""|"(?:\\.|[^\\"\r\n])*"/,greedy:!0},number:/(?:\B-|\b)\d+(?:\.\d+)?(?:e[+-]?\d+)?\b/i,boolean:/\b(?:false|true)\b/,variable:/\$[a-z_]\w*/i,directive:{pattern:/@[a-z_]\w*/i,alias:"function"},"attr-name":{pattern:/\b[a-z_]\w*(?=\s*(?:\((?:[^()"]|"(?:\\.|[^\\"\r\n])*")*\))?:)/i,greedy:!0},"atom-input":{pattern:/\b[A-Z]\w*Input\b/,alias:"class-name"},scalar:/\b(?:Boolean|Float|ID|Int|String)\b/,constant:/\b[A-Z][A-Z_\d]*\b/,"class-name":{pattern:/(\b(?:enum|implements|interface|on|scalar|type|union)\s+|&\s*|:\s*|\[)[A-Z_]\w*/,lookbehind:!0},fragment:{pattern:/(\bfragment\s+|\.{3}\s*(?!on\b))[a-zA-Z_]\w*/,lookbehind:!0,alias:"function"},"definition-mutation":{pattern:/(\bmutation\s+)[a-zA-Z_]\w*/,lookbehind:!0,alias:"function"},"definition-query":{pattern:/(\bquery\s+)[a-zA-Z_]\w*/,lookbehind:!0,alias:"function"},keyword:/\b(?:directive|enum|extend|fragment|implements|input|interface|mutation|on|query|repeatable|scalar|schema|subscription|type|union)\b/,operator:/[!=|&]|\.{3}/,"property-query":/\w+(?=\s*\()/,object:/\w+(?=\s*\{)/,punctuation:/[!(){}\[\]:=,]/,property:/\w+/},T.hooks.add("after-tokenize",(function(e){if("graphql"===e.language)for(var t=e.tokens.filter((function(e){return"string"!=typeof e&&"comment"!==e.type&&"scalar"!==e.type})),n=0;n<t.length;){var r=t[n++];if("keyword"===r.type&&"mutation"===r.content){var a=[];if(d(["definition-mutation","punctuation"])&&"("===u(1).content){n+=2;var o=p(/^\($/,/^\)$/);if(-1===o)continue;for(;n<o;n++){var i=u(0);"variable"===i.type&&(f(i,"variable-input"),a.push(i.content))}n=o+1}if(d(["punctuation","property-query"])&&"{"===u(0).content&&(n++,f(u(0),"property-mutation"),0<a.length)){var s=p(/^\{$/,/^\}$/);if(-1!==s)for(var l=n;l<s;l++){var c=t[l];"variable"===c.type&&0<=a.indexOf(c.content)&&f(c,"variable-input")}}}}function u(e){return t[n+e]}function d(e,t){t=t||0;for(var n=0;n<e.length;n++){var r=u(n+t);if(!r||r.type!==e[n])return}return 1}function p(e,r){for(var a=1,o=n;o<t.length;o++){var i=t[o],s=i.content;if("punctuation"===i.type&&"string"==typeof s)if(e.test(s))a++;else if(r.test(s)&&0==--a)return o}return-1}function f(e,t){var n=e.alias;n?Array.isArray(n)||(e.alias=n=[n]):e.alias=n=[],n.push(t)}})),T.languages.sql={comment:{pattern:/(^|[^\\])(?:\/\*[\s\S]*?\*\/|(?:--|\/\/|#).*)/,lookbehind:!0},variable:[{pattern:/@(["'`])(?:\\[\s\S]|(?!\1)[^\\])+\1/,greedy:!0},/@[\w.$]+/],string:{pattern:/(^|[^@\\])("|')(?:\\[\s\S]|(?!\2)[^\\]|\2\2)*\2/,greedy:!0,lookbehind:!0},identifier:{pattern:/(^|[^@\\])`(?:\\[\s\S]|[^`\\]|``)*`/,greedy:!0,lookbehind:!0,inside:{punctuation:/^`|`$/}},function:/\b(?:AVG|COUNT|FIRST|FORMAT|LAST|LCASE|LEN|MAX|MID|MIN|MOD|NOW|ROUND|SUM|UCASE)(?=\s*\()/i,keyword:/\b(?:ACTION|ADD|AFTER|ALGORITHM|ALL|ALTER|ANALYZE|ANY|APPLY|AS|ASC|AUTHORIZATION|AUTO_INCREMENT|BACKUP|BDB|BEGIN|BERKELEYDB|BIGINT|BINARY|BIT|BLOB|BOOL|BOOLEAN|BREAK|BROWSE|BTREE|BULK|BY|CALL|CASCADED?|CASE|CHAIN|CHAR(?:ACTER|SET)?|CHECK(?:POINT)?|CLOSE|CLUSTERED|COALESCE|COLLATE|COLUMNS?|COMMENT|COMMIT(?:TED)?|COMPUTE|CONNECT|CONSISTENT|CONSTRAINT|CONTAINS(?:TABLE)?|CONTINUE|CONVERT|CREATE|CROSS|CURRENT(?:_DATE|_TIME|_TIMESTAMP|_USER)?|CURSOR|CYCLE|DATA(?:BASES?)?|DATE(?:TIME)?|DAY|DBCC|DEALLOCATE|DEC|DECIMAL|DECLARE|DEFAULT|DEFINER|DELAYED|DELETE|DELIMITERS?|DENY|DESC|DESCRIBE|DETERMINISTIC|DISABLE|DISCARD|DISK|DISTINCT|DISTINCTROW|DISTRIBUTED|DO|DOUBLE|DROP|DUMMY|DUMP(?:FILE)?|DUPLICATE|ELSE(?:IF)?|ENABLE|ENCLOSED|END|ENGINE|ENUM|ERRLVL|ERRORS|ESCAPED?|EXCEPT|EXEC(?:UTE)?|EXISTS|EXIT|EXPLAIN|EXTENDED|FETCH|FIELDS|FILE|FILLFACTOR|FIRST|FIXED|FLOAT|FOLLOWING|FOR(?: EACH ROW)?|FORCE|FOREIGN|FREETEXT(?:TABLE)?|FROM|FULL|FUNCTION|GEOMETRY(?:COLLECTION)?|GLOBAL|GOTO|GRANT|GROUP|HANDLER|HASH|HAVING|HOLDLOCK|HOUR|IDENTITY(?:COL|_INSERT)?|IF|IGNORE|IMPORT|INDEX|INFILE|INNER|INNODB|INOUT|INSERT|INT|INTEGER|INTERSECT|INTERVAL|INTO|INVOKER|ISOLATION|ITERATE|JOIN|KEYS?|KILL|LANGUAGE|LAST|LEAVE|LEFT|LEVEL|LIMIT|LINENO|LINES|LINESTRING|LOAD|LOCAL|LOCK|LONG(?:BLOB|TEXT)|LOOP|MATCH(?:ED)?|MEDIUM(?:BLOB|INT|TEXT)|MERGE|MIDDLEINT|MINUTE|MODE|MODIFIES|MODIFY|MONTH|MULTI(?:LINESTRING|POINT|POLYGON)|NATIONAL|NATURAL|NCHAR|NEXT|NO|NONCLUSTERED|NULLIF|NUMERIC|OFF?|OFFSETS?|ON|OPEN(?:DATASOURCE|QUERY|ROWSET)?|OPTIMIZE|OPTION(?:ALLY)?|ORDER|OUT(?:ER|FILE)?|OVER|PARTIAL|PARTITION|PERCENT|PIVOT|PLAN|POINT|POLYGON|PRECEDING|PRECISION|PREPARE|PREV|PRIMARY|PRINT|PRIVILEGES|PROC(?:EDURE)?|PUBLIC|PURGE|QUICK|RAISERROR|READS?|REAL|RECONFIGURE|REFERENCES|RELEASE|RENAME|REPEAT(?:ABLE)?|REPLACE|REPLICATION|REQUIRE|RESIGNAL|RESTORE|RESTRICT|RETURN(?:ING|S)?|REVOKE|RIGHT|ROLLBACK|ROUTINE|ROW(?:COUNT|GUIDCOL|S)?|RTREE|RULE|SAVE(?:POINT)?|SCHEMA|SECOND|SELECT|SERIAL(?:IZABLE)?|SESSION(?:_USER)?|SET(?:USER)?|SHARE|SHOW|SHUTDOWN|SIMPLE|SMALLINT|SNAPSHOT|SOME|SONAME|SQL|START(?:ING)?|STATISTICS|STATUS|STRIPED|SYSTEM_USER|TABLES?|TABLESPACE|TEMP(?:ORARY|TABLE)?|TERMINATED|TEXT(?:SIZE)?|THEN|TIME(?:STAMP)?|TINY(?:BLOB|INT|TEXT)|TOP?|TRAN(?:SACTIONS?)?|TRIGGER|TRUNCATE|TSEQUAL|TYPES?|UNBOUNDED|UNCOMMITTED|UNDEFINED|UNION|UNIQUE|UNLOCK|UNPIVOT|UNSIGNED|UPDATE(?:TEXT)?|USAGE|USE|USER|USING|VALUES?|VAR(?:BINARY|CHAR|CHARACTER|YING)|VIEW|WAITFOR|WARNINGS|WHEN|WHERE|WHILE|WITH(?: ROLLUP|IN)?|WORK|WRITE(?:TEXT)?|YEAR)\b/i,boolean:/\b(?:FALSE|NULL|TRUE)\b/i,number:/\b0x[\da-f]+\b|\b\d+(?:\.\d*)?|\B\.\d+\b/i,operator:/[-+*\/=%^~]|&&?|\|\|?|!=?|<(?:=>?|<|>)?|>[>=]?|\b(?:AND|BETWEEN|DIV|ILIKE|IN|IS|LIKE|NOT|OR|REGEXP|RLIKE|SOUNDS LIKE|XOR)\b/i,punctuation:/[;[\]()`,.]/},function(e){var t=e.languages.javascript["template-string"],n=t.pattern.source,r=t.inside.interpolation,a=r.inside["interpolation-punctuation"],o=r.pattern.source;function i(t,r){if(e.languages[t])return{pattern:RegExp("((?:"+r+")\\s*)"+n),lookbehind:!0,greedy:!0,inside:{"template-punctuation":{pattern:/^`|`$/,alias:"string"},"embedded-code":{pattern:/[\s\S]+/,alias:t}}}}function s(t,n,r){return t={code:t,grammar:n,language:r},e.hooks.run("before-tokenize",t),t.tokens=e.tokenize(t.code,t.grammar),e.hooks.run("after-tokenize",t),t.tokens}function l(t,n,i){var l=e.tokenize(t,{interpolation:{pattern:RegExp(o),lookbehind:!0}}),c=0,u={},d=(l=s(l.map((function(e){if("string"==typeof e)return e;var n,r;for(e=e.content;-1!==t.indexOf((r=c++,n="___"+i.toUpperCase()+"_"+r+"___")););return u[n]=e,n})).join(""),n,i),Object.keys(u));return c=0,function t(n){for(var o=0;o<n.length;o++){if(c>=d.length)return;var i,l,p,f,h,m,g,y=n[o];"string"==typeof y||"string"==typeof y.content?(i=d[c],-1!==(g=(m="string"==typeof y?y:y.content).indexOf(i))&&(++c,l=m.substring(0,g),h=u[i],p=void 0,(f={})["interpolation-punctuation"]=a,3===(f=e.tokenize(h,f)).length&&((p=[1,1]).push.apply(p,s(f[1],e.languages.javascript,"javascript")),f.splice.apply(f,p)),p=new e.Token("interpolation",f,r.alias,h),f=m.substring(g+i.length),h=[],l&&h.push(l),h.push(p),f&&(t(m=[f]),h.push.apply(h,m)),"string"==typeof y?(n.splice.apply(n,[o,1].concat(h)),o+=h.length-1):y.content=h)):(g=y.content,Array.isArray(g)?t(g):t([g]))}}(l),new e.Token(i,l,"language-"+i,t)}e.languages.javascript["template-string"]=[i("css",/\b(?:styled(?:\([^)]*\))?(?:\s*\.\s*\w+(?:\([^)]*\))*)*|css(?:\s*\.\s*(?:global|resolve))?|createGlobalStyle|keyframes)/.source),i("html",/\bhtml|\.\s*(?:inner|outer)HTML\s*\+?=/.source),i("svg",/\bsvg/.source),i("markdown",/\b(?:markdown|md)/.source),i("graphql",/\b(?:gql|graphql(?:\s*\.\s*experimental)?)/.source),i("sql",/\bsql/.source),t].filter(Boolean);var c={javascript:!0,js:!0,typescript:!0,ts:!0,jsx:!0,tsx:!0};function u(e){return"string"==typeof e?e:Array.isArray(e)?e.map(u).join(""):u(e.content)}e.hooks.add("after-tokenize",(function(t){t.language in c&&function t(n){for(var r=0,a=n.length;r<a;r++){var o,i,s,c=n[r];"string"!=typeof c&&(o=c.content,Array.isArray(o)?"template-string"===c.type?(c=o[1],3===o.length&&"string"!=typeof c&&"embedded-code"===c.type&&(i=u(c),c=c.alias,c=Array.isArray(c)?c[0]:c,s=e.languages[c])&&(o[1]=l(i,s,c))):t(o):"string"!=typeof o&&t([o]))}}(t.tokens)}))}(T),function(e){e.languages.typescript=e.languages.extend("javascript",{"class-name":{pattern:/(\b(?:class|extends|implements|instanceof|interface|new|type)\s+)(?!keyof\b)(?!\s)[_$a-zA-Z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*(?:\s*<(?:[^<>]|<(?:[^<>]|<[^<>]*>)*>)*>)?/,lookbehind:!0,greedy:!0,inside:null},builtin:/\b(?:Array|Function|Promise|any|boolean|console|never|number|string|symbol|unknown)\b/}),e.languages.typescript.keyword.push(/\b(?:abstract|declare|is|keyof|readonly|require)\b/,/\b(?:asserts|infer|interface|module|namespace|type)\b(?=\s*(?:[{_$a-zA-Z\xA0-\uFFFF]|$))/,/\btype\b(?=\s*(?:[\{*]|$))/),delete e.languages.typescript.parameter,delete e.languages.typescript["literal-property"];var t=e.languages.extend("typescript",{});delete t["class-name"],e.languages.typescript["class-name"].inside=t,e.languages.insertBefore("typescript","function",{decorator:{pattern:/@[$\w\xA0-\uFFFF]+/,inside:{at:{pattern:/^@/,alias:"operator"},function:/^[\s\S]+/}},"generic-function":{pattern:/#?(?!\s)[_$a-zA-Z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*\s*<(?:[^<>]|<(?:[^<>]|<[^<>]*>)*>)*>(?=\s*\()/,greedy:!0,inside:{function:/^#?(?!\s)[_$a-zA-Z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*/,generic:{pattern:/<[\s\S]+/,alias:"class-name",inside:t}}}}),e.languages.ts=e.languages.typescript}(T),function(e){var t=e.languages.javascript,n=/\{(?:[^{}]|\{(?:[^{}]|\{[^{}]*\})*\})+\}/.source,r="(@(?:arg|argument|param|property)\\s+(?:"+n+"\\s+)?)";e.languages.jsdoc=e.languages.extend("javadoclike",{parameter:{pattern:RegExp(r+/(?:(?!\s)[$\w\xA0-\uFFFF.])+(?=\s|$)/.source),lookbehind:!0,inside:{punctuation:/\./}}}),e.languages.insertBefore("jsdoc","keyword",{"optional-parameter":{pattern:RegExp(r+/\[(?:(?!\s)[$\w\xA0-\uFFFF.])+(?:=[^[\]]+)?\](?=\s|$)/.source),lookbehind:!0,inside:{parameter:{pattern:/(^\[)[$\w\xA0-\uFFFF\.]+/,lookbehind:!0,inside:{punctuation:/\./}},code:{pattern:/(=)[\s\S]*(?=\]$)/,lookbehind:!0,inside:t,alias:"language-javascript"},punctuation:/[=[\]]/}},"class-name":[{pattern:RegExp(/(@(?:augments|class|extends|interface|memberof!?|template|this|typedef)\s+(?:<TYPE>\s+)?)[A-Z]\w*(?:\.[A-Z]\w*)*/.source.replace(/<TYPE>/g,(function(){return n}))),lookbehind:!0,inside:{punctuation:/\./}},{pattern:RegExp("(@[a-z]+\\s+)"+n),lookbehind:!0,inside:{string:t.string,number:t.number,boolean:t.boolean,keyword:e.languages.typescript.keyword,operator:/=>|\.\.\.|[&|?:*]/,punctuation:/[.,;=<>{}()[\]]/}}],example:{pattern:/(@example\s+(?!\s))(?:[^@\s]|\s+(?!\s))+?(?=\s*(?:\*\s*)?(?:@\w|\*\/))/,lookbehind:!0,inside:{code:{pattern:/^([\t ]*(?:\*\s*)?)\S.*$/m,lookbehind:!0,inside:t,alias:"language-javascript"}}}}),e.languages.javadoclike.addSupport("javascript",e.languages.jsdoc)}(T),function(e){e.languages.flow=e.languages.extend("javascript",{}),e.languages.insertBefore("flow","keyword",{type:[{pattern:/\b(?:[Bb]oolean|Function|[Nn]umber|[Ss]tring|[Ss]ymbol|any|mixed|null|void)\b/,alias:"class-name"}]}),e.languages.flow["function-variable"].pattern=/(?!\s)[_$a-z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*(?=\s*=\s*(?:function\b|(?:\([^()]*\)(?:\s*:\s*\w+)?|(?!\s)[_$a-z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*)\s*=>))/i,delete e.languages.flow.parameter,e.languages.insertBefore("flow","operator",{"flow-punctuation":{pattern:/\{\||\|\}/,alias:"punctuation"}}),Array.isArray(e.languages.flow.keyword)||(e.languages.flow.keyword=[e.languages.flow.keyword]),e.languages.flow.keyword.unshift({pattern:/(^|[^$]\b)(?:Class|declare|opaque|type)\b(?!\$)/,lookbehind:!0},{pattern:/(^|[^$]\B)\$(?:Diff|Enum|Exact|Keys|ObjMap|PropertyType|Record|Shape|Subtype|Supertype|await)\b(?!\$)/,lookbehind:!0})}(T),T.languages.n4js=T.languages.extend("javascript",{keyword:/\b(?:Array|any|boolean|break|case|catch|class|const|constructor|continue|debugger|declare|default|delete|do|else|enum|export|extends|false|finally|for|from|function|get|if|implements|import|in|instanceof|interface|let|module|new|null|number|package|private|protected|public|return|set|static|string|super|switch|this|throw|true|try|typeof|var|void|while|with|yield)\b/}),T.languages.insertBefore("n4js","constant",{annotation:{pattern:/@+\w+/,alias:"operator"}}),T.languages.n4jsd=T.languages.n4js,function(e){function t(e,t){return RegExp(e.replace(/<ID>/g,(function(){return/(?!\s)[_$a-zA-Z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*/.source})),t)}e.languages.insertBefore("javascript","function-variable",{"method-variable":{pattern:RegExp("(\\.\\s*)"+e.languages.javascript["function-variable"].pattern.source),lookbehind:!0,alias:["function-variable","method","function","property-access"]}}),e.languages.insertBefore("javascript","function",{method:{pattern:RegExp("(\\.\\s*)"+e.languages.javascript.function.source),lookbehind:!0,alias:["function","property-access"]}}),e.languages.insertBefore("javascript","constant",{"known-class-name":[{pattern:/\b(?:(?:Float(?:32|64)|(?:Int|Uint)(?:8|16|32)|Uint8Clamped)?Array|ArrayBuffer|BigInt|Boolean|DataView|Date|Error|Function|Intl|JSON|(?:Weak)?(?:Map|Set)|Math|Number|Object|Promise|Proxy|Reflect|RegExp|String|Symbol|WebAssembly)\b/,alias:"class-name"},{pattern:/\b(?:[A-Z]\w*)Error\b/,alias:"class-name"}]}),e.languages.insertBefore("javascript","keyword",{imports:{pattern:t(/(\bimport\b\s*)(?:<ID>(?:\s*,\s*(?:\*\s*as\s+<ID>|\{[^{}]*\}))?|\*\s*as\s+<ID>|\{[^{}]*\})(?=\s*\bfrom\b)/.source),lookbehind:!0,inside:e.languages.javascript},exports:{pattern:t(/(\bexport\b\s*)(?:\*(?:\s*as\s+<ID>)?(?=\s*\bfrom\b)|\{[^{}]*\})/.source),lookbehind:!0,inside:e.languages.javascript}}),e.languages.javascript.keyword.unshift({pattern:/\b(?:as|default|export|from|import)\b/,alias:"module"},{pattern:/\b(?:await|break|catch|continue|do|else|finally|for|if|return|switch|throw|try|while|yield)\b/,alias:"control-flow"},{pattern:/\bnull\b/,alias:["null","nil"]},{pattern:/\bundefined\b/,alias:"nil"}),e.languages.insertBefore("javascript","operator",{spread:{pattern:/\.{3}/,alias:"operator"},arrow:{pattern:/=>/,alias:"operator"}}),e.languages.insertBefore("javascript","punctuation",{"property-access":{pattern:t(/(\.\s*)#?<ID>/.source),lookbehind:!0},"maybe-class-name":{pattern:/(^|[^$\w\xA0-\uFFFF])[A-Z][$\w\xA0-\uFFFF]+/,lookbehind:!0},dom:{pattern:/\b(?:document|(?:local|session)Storage|location|navigator|performance|window)\b/,alias:"variable"},console:{pattern:/\bconsole(?=\s*\.)/,alias:"class-name"}});for(var n=["function","function-variable","method","method-variable","property-access"],r=0;r<n.length;r++){var a=n[r],o=e.languages.javascript[a];a=(o="RegExp"===e.util.type(o)?e.languages.javascript[a]={pattern:o}:o).inside||{};(o.inside=a)["maybe-class-name"]=/^[A-Z][\s\S]*/}}(T),function(e){var t=e.util.clone(e.languages.javascript),n=/(?:\s|\/\/.*(?!.)|\/\*(?:[^*]|\*(?!\/))\*\/)/.source,r=/(?:\{(?:\{(?:\{[^{}]*\}|[^{}])*\}|[^{}])*\})/.source,a=/(?:\{<S>*\.{3}(?:[^{}]|<BRACES>)*\})/.source;function o(e,t){return e=e.replace(/<S>/g,(function(){return n})).replace(/<BRACES>/g,(function(){return r})).replace(/<SPREAD>/g,(function(){return a})),RegExp(e,t)}function i(t){for(var n=[],r=0;r<t.length;r++){var a=t[r],o=!1;"string"!=typeof a&&("tag"===a.type&&a.content[0]&&"tag"===a.content[0].type?"</"===a.content[0].content[0].content?0<n.length&&n[n.length-1].tagName===s(a.content[0].content[1])&&n.pop():"/>"!==a.content[a.content.length-1].content&&n.push({tagName:s(a.content[0].content[1]),openedBraces:0}):0<n.length&&"punctuation"===a.type&&"{"===a.content?n[n.length-1].openedBraces++:0<n.length&&0<n[n.length-1].openedBraces&&"punctuation"===a.type&&"}"===a.content?n[n.length-1].openedBraces--:o=!0),(o||"string"==typeof a)&&0<n.length&&0===n[n.length-1].openedBraces&&(o=s(a),r<t.length-1&&("string"==typeof t[r+1]||"plain-text"===t[r+1].type)&&(o+=s(t[r+1]),t.splice(r+1,1)),0<r&&("string"==typeof t[r-1]||"plain-text"===t[r-1].type)&&(o=s(t[r-1])+o,t.splice(r-1,1),r--),t[r]=new e.Token("plain-text",o,null,o)),a.content&&"string"!=typeof a.content&&i(a.content)}}a=o(a).source,e.languages.jsx=e.languages.extend("markup",t),e.languages.jsx.tag.pattern=o(/<\/?(?:[\w.:-]+(?:<S>+(?:[\w.:$-]+(?:=(?:"(?:\\[\s\S]|[^\\"])*"|'(?:\\[\s\S]|[^\\'])*'|[^\s{'"/>=]+|<BRACES>))?|<SPREAD>))*<S>*\/?)?>/.source),e.languages.jsx.tag.inside.tag.pattern=/^<\/?[^\s>\/]*/,e.languages.jsx.tag.inside["attr-value"].pattern=/=(?!\{)(?:"(?:\\[\s\S]|[^\\"])*"|'(?:\\[\s\S]|[^\\'])*'|[^\s'">]+)/,e.languages.jsx.tag.inside.tag.inside["class-name"]=/^[A-Z]\w*(?:\.[A-Z]\w*)*$/,e.languages.jsx.tag.inside.comment=t.comment,e.languages.insertBefore("inside","attr-name",{spread:{pattern:o(/<SPREAD>/.source),inside:e.languages.jsx}},e.languages.jsx.tag),e.languages.insertBefore("inside","special-attr",{script:{pattern:o(/=<BRACES>/.source),alias:"language-javascript",inside:{"script-punctuation":{pattern:/^=(?=\{)/,alias:"punctuation"},rest:e.languages.jsx}}},e.languages.jsx.tag);var s=function(e){return e?"string"==typeof e?e:"string"==typeof e.content?e.content:e.content.map(s).join(""):""};e.hooks.add("after-tokenize",(function(e){"jsx"!==e.language&&"tsx"!==e.language||i(e.tokens)}))}(T),function(e){var t=e.util.clone(e.languages.typescript);(t=(e.languages.tsx=e.languages.extend("jsx",t),delete e.languages.tsx.parameter,delete e.languages.tsx["literal-property"],e.languages.tsx.tag)).pattern=RegExp(/(^|[^\w$]|(?=<\/))/.source+"(?:"+t.pattern.source+")",t.pattern.flags),t.lookbehind=!0}(T),T.languages.swift={comment:{pattern:/(^|[^\\:])(?:\/\/.*|\/\*(?:[^/*]|\/(?!\*)|\*(?!\/)|\/\*(?:[^*]|\*(?!\/))*\*\/)*\*\/)/,lookbehind:!0,greedy:!0},"string-literal":[{pattern:RegExp(/(^|[^"#])/.source+"(?:"+/"(?:\\(?:\((?:[^()]|\([^()]*\))*\)|\r\n|[^(])|[^\\\r\n"])*"/.source+"|"+/"""(?:\\(?:\((?:[^()]|\([^()]*\))*\)|[^(])|[^\\"]|"(?!""))*"""/.source+")"+/(?!["#])/.source),lookbehind:!0,greedy:!0,inside:{interpolation:{pattern:/(\\\()(?:[^()]|\([^()]*\))*(?=\))/,lookbehind:!0,inside:null},"interpolation-punctuation":{pattern:/^\)|\\\($/,alias:"punctuation"},punctuation:/\\(?=[\r\n])/,string:/[\s\S]+/}},{pattern:RegExp(/(^|[^"#])(#+)/.source+"(?:"+/"(?:\\(?:#+\((?:[^()]|\([^()]*\))*\)|\r\n|[^#])|[^\\\r\n])*?"/.source+"|"+/"""(?:\\(?:#+\((?:[^()]|\([^()]*\))*\)|[^#])|[^\\])*?"""/.source+")\\2"),lookbehind:!0,greedy:!0,inside:{interpolation:{pattern:/(\\#+\()(?:[^()]|\([^()]*\))*(?=\))/,lookbehind:!0,inside:null},"interpolation-punctuation":{pattern:/^\)|\\#+\($/,alias:"punctuation"},string:/[\s\S]+/}}],directive:{pattern:RegExp(/#/.source+"(?:"+/(?:elseif|if)\b/.source+"(?:[ \t]*"+/(?:![ \t]*)?(?:\b\w+\b(?:[ \t]*\((?:[^()]|\([^()]*\))*\))?|\((?:[^()]|\([^()]*\))*\))(?:[ \t]*(?:&&|\|\|))?/.source+")+|"+/(?:else|endif)\b/.source+")"),alias:"property",inside:{"directive-name":/^#\w+/,boolean:/\b(?:false|true)\b/,number:/\b\d+(?:\.\d+)*\b/,operator:/!|&&|\|\||[<>]=?/,punctuation:/[(),]/}},literal:{pattern:/#(?:colorLiteral|column|dsohandle|file(?:ID|Literal|Path)?|function|imageLiteral|line)\b/,alias:"constant"},"other-directive":{pattern:/#\w+\b/,alias:"property"},attribute:{pattern:/@\w+/,alias:"atrule"},"function-definition":{pattern:/(\bfunc\s+)\w+/,lookbehind:!0,alias:"function"},label:{pattern:/\b(break|continue)\s+\w+|\b[a-zA-Z_]\w*(?=\s*:\s*(?:for|repeat|while)\b)/,lookbehind:!0,alias:"important"},keyword:/\b(?:Any|Protocol|Self|Type|actor|as|assignment|associatedtype|associativity|async|await|break|case|catch|class|continue|convenience|default|defer|deinit|didSet|do|dynamic|else|enum|extension|fallthrough|fileprivate|final|for|func|get|guard|higherThan|if|import|in|indirect|infix|init|inout|internal|is|isolated|lazy|left|let|lowerThan|mutating|none|nonisolated|nonmutating|open|operator|optional|override|postfix|precedencegroup|prefix|private|protocol|public|repeat|required|rethrows|return|right|safe|self|set|some|static|struct|subscript|super|switch|throw|throws|try|typealias|unowned|unsafe|var|weak|where|while|willSet)\b/,boolean:/\b(?:false|true)\b/,nil:{pattern:/\bnil\b/,alias:"constant"},"short-argument":/\$\d+\b/,omit:{pattern:/\b_\b/,alias:"keyword"},number:/\b(?:[\d_]+(?:\.[\de_]+)?|0x[a-f0-9_]+(?:\.[a-f0-9p_]+)?|0b[01_]+|0o[0-7_]+)\b/i,"class-name":/\b[A-Z](?:[A-Z_\d]*[a-z]\w*)?\b/,function:/\b[a-z_]\w*(?=\s*\()/i,constant:/\b(?:[A-Z_]{2,}|k[A-Z][A-Za-z_]+)\b/,operator:/[-+*/%=!<>&|^~?]+|\.[.\-+*/%=!<>&|^~?]+/,punctuation:/[{}[\]();,.:\\]/},T.languages.swift["string-literal"].forEach((function(e){e.inside.interpolation.inside=T.languages.swift})),function(e){e.languages.kotlin=e.languages.extend("clike",{keyword:{pattern:/(^|[^.])\b(?:abstract|actual|annotation|as|break|by|catch|class|companion|const|constructor|continue|crossinline|data|do|dynamic|else|enum|expect|external|final|finally|for|fun|get|if|import|in|infix|init|inline|inner|interface|internal|is|lateinit|noinline|null|object|open|operator|out|override|package|private|protected|public|reified|return|sealed|set|super|suspend|tailrec|this|throw|to|try|typealias|val|var|vararg|when|where|while)\b/,lookbehind:!0},function:[{pattern:/(?:`[^\r\n`]+`|\b\w+)(?=\s*\()/,greedy:!0},{pattern:/(\.)(?:`[^\r\n`]+`|\w+)(?=\s*\{)/,lookbehind:!0,greedy:!0}],number:/\b(?:0[xX][\da-fA-F]+(?:_[\da-fA-F]+)*|0[bB][01]+(?:_[01]+)*|\d+(?:_\d+)*(?:\.\d+(?:_\d+)*)?(?:[eE][+-]?\d+(?:_\d+)*)?[fFL]?)\b/,operator:/\+[+=]?|-[-=>]?|==?=?|!(?:!|==?)?|[\/*%<>]=?|[?:]:?|\.\.|&&|\|\||\b(?:and|inv|or|shl|shr|ushr|xor)\b/}),delete e.languages.kotlin["class-name"];var t={"interpolation-punctuation":{pattern:/^\$\{?|\}$/,alias:"punctuation"},expression:{pattern:/[\s\S]+/,inside:e.languages.kotlin}};e.languages.insertBefore("kotlin","string",{"string-literal":[{pattern:/"""(?:[^$]|\$(?:(?!\{)|\{[^{}]*\}))*?"""/,alias:"multiline",inside:{interpolation:{pattern:/\$(?:[a-z_]\w*|\{[^{}]*\})/i,inside:t},string:/[\s\S]+/}},{pattern:/"(?:[^"\\\r\n$]|\\.|\$(?:(?!\{)|\{[^{}]*\}))*"/,alias:"singleline",inside:{interpolation:{pattern:/((?:^|[^\\])(?:\\{2})*)\$(?:[a-z_]\w*|\{[^{}]*\})/i,lookbehind:!0,inside:t},string:/[\s\S]+/}}],char:{pattern:/'(?:[^'\\\r\n]|\\(?:.|u[a-fA-F0-9]{0,4}))'/,greedy:!0}}),delete e.languages.kotlin.string,e.languages.insertBefore("kotlin","keyword",{annotation:{pattern:/\B@(?:\w+:)?(?:[A-Z]\w*|\[[^\]]+\])/,alias:"builtin"}}),e.languages.insertBefore("kotlin","function",{label:{pattern:/\b\w+@|@\w+\b/,alias:"symbol"}}),e.languages.kt=e.languages.kotlin,e.languages.kts=e.languages.kotlin}(T),T.languages.c=T.languages.extend("clike",{comment:{pattern:/\/\/(?:[^\r\n\\]|\\(?:\r\n?|\n|(?![\r\n])))*|\/\*[\s\S]*?(?:\*\/|$)/,greedy:!0},string:{pattern:/"(?:\\(?:\r\n|[\s\S])|[^"\\\r\n])*"/,greedy:!0},"class-name":{pattern:/(\b(?:enum|struct)\s+(?:__attribute__\s*\(\([\s\S]*?\)\)\s*)?)\w+|\b[a-z]\w*_t\b/,lookbehind:!0},keyword:/\b(?:_Alignas|_Alignof|_Atomic|_Bool|_Complex|_Generic|_Imaginary|_Noreturn|_Static_assert|_Thread_local|__attribute__|asm|auto|break|case|char|const|continue|default|do|double|else|enum|extern|float|for|goto|if|inline|int|long|register|return|short|signed|sizeof|static|struct|switch|typedef|typeof|union|unsigned|void|volatile|while)\b/,function:/\b[a-z_]\w*(?=\s*\()/i,number:/(?:\b0x(?:[\da-f]+(?:\.[\da-f]*)?|\.[\da-f]+)(?:p[+-]?\d+)?|(?:\b\d+(?:\.\d*)?|\B\.\d+)(?:e[+-]?\d+)?)[ful]{0,4}/i,operator:/>>=?|<<=?|->|([-+&|:])\1|[?:~]|[-+*/%&|^!=<>]=?/}),T.languages.insertBefore("c","string",{char:{pattern:/'(?:\\(?:\r\n|[\s\S])|[^'\\\r\n]){0,32}'/,greedy:!0}}),T.languages.insertBefore("c","string",{macro:{pattern:/(^[\t ]*)#\s*[a-z](?:[^\r\n\\/]|\/(?!\*)|\/\*(?:[^*]|\*(?!\/))*\*\/|\\(?:\r\n|[\s\S]))*/im,lookbehind:!0,greedy:!0,alias:"property",inside:{string:[{pattern:/^(#\s*include\s*)<[^>]+>/,lookbehind:!0},T.languages.c.string],char:T.languages.c.char,comment:T.languages.c.comment,"macro-name":[{pattern:/(^#\s*define\s+)\w+\b(?!\()/i,lookbehind:!0},{pattern:/(^#\s*define\s+)\w+\b(?=\()/i,lookbehind:!0,alias:"function"}],directive:{pattern:/^(#\s*)[a-z]+/,lookbehind:!0,alias:"keyword"},"directive-hash":/^#/,punctuation:/##|\\(?=[\r\n])/,expression:{pattern:/\S[\s\S]*/,inside:T.languages.c}}}}),T.languages.insertBefore("c","function",{constant:/\b(?:EOF|NULL|SEEK_CUR|SEEK_END|SEEK_SET|__DATE__|__FILE__|__LINE__|__TIMESTAMP__|__TIME__|__func__|stderr|stdin|stdout)\b/}),delete T.languages.c.boolean,T.languages.objectivec=T.languages.extend("c",{string:{pattern:/@?"(?:\\(?:\r\n|[\s\S])|[^"\\\r\n])*"/,greedy:!0},keyword:/\b(?:asm|auto|break|case|char|const|continue|default|do|double|else|enum|extern|float|for|goto|if|in|inline|int|long|register|return|self|short|signed|sizeof|static|struct|super|switch|typedef|typeof|union|unsigned|void|volatile|while)\b|(?:@interface|@end|@implementation|@protocol|@class|@public|@protected|@private|@property|@try|@catch|@finally|@throw|@synthesize|@dynamic|@selector)\b/,operator:/-[->]?|\+\+?|!=?|<<?=?|>>?=?|==?|&&?|\|\|?|[~^%?*\/@]/}),delete T.languages.objectivec["class-name"],T.languages.objc=T.languages.objectivec,T.languages.reason=T.languages.extend("clike",{string:{pattern:/"(?:\\(?:\r\n|[\s\S])|[^\\\r\n"])*"/,greedy:!0},"class-name":/\b[A-Z]\w*/,keyword:/\b(?:and|as|assert|begin|class|constraint|do|done|downto|else|end|exception|external|for|fun|function|functor|if|in|include|inherit|initializer|lazy|let|method|module|mutable|new|nonrec|object|of|open|or|private|rec|sig|struct|switch|then|to|try|type|val|virtual|when|while|with)\b/,operator:/\.{3}|:[:=]|\|>|->|=(?:==?|>)?|<=?|>=?|[|^?'#!~`]|[+\-*\/]\.?|\b(?:asr|land|lor|lsl|lsr|lxor|mod)\b/}),T.languages.insertBefore("reason","class-name",{char:{pattern:/'(?:\\x[\da-f]{2}|\\o[0-3][0-7][0-7]|\\\d{3}|\\.|[^'\\\r\n])'/,greedy:!0},constructor:/\b[A-Z]\w*\b(?!\s*\.)/,label:{pattern:/\b[a-z]\w*(?=::)/,alias:"symbol"}}),delete T.languages.reason.function,function(e){for(var t=/\/\*(?:[^*/]|\*(?!\/)|\/(?!\*)|<self>)*\*\//.source,n=0;n<2;n++)t=t.replace(/<self>/g,(function(){return t}));t=t.replace(/<self>/g,(function(){return/[^\s\S]/.source})),e.languages.rust={comment:[{pattern:RegExp(/(^|[^\\])/.source+t),lookbehind:!0,greedy:!0},{pattern:/(^|[^\\:])\/\/.*/,lookbehind:!0,greedy:!0}],string:{pattern:/b?"(?:\\[\s\S]|[^\\"])*"|b?r(#*)"(?:[^"]|"(?!\1))*"\1/,greedy:!0},char:{pattern:/b?'(?:\\(?:x[0-7][\da-fA-F]|u\{(?:[\da-fA-F]_*){1,6}\}|.)|[^\\\r\n\t'])'/,greedy:!0},attribute:{pattern:/#!?\[(?:[^\[\]"]|"(?:\\[\s\S]|[^\\"])*")*\]/,greedy:!0,alias:"attr-name",inside:{string:null}},"closure-params":{pattern:/([=(,:]\s*|\bmove\s*)\|[^|]*\||\|[^|]*\|(?=\s*(?:\{|->))/,lookbehind:!0,greedy:!0,inside:{"closure-punctuation":{pattern:/^\||\|$/,alias:"punctuation"},rest:null}},"lifetime-annotation":{pattern:/'\w+/,alias:"symbol"},"fragment-specifier":{pattern:/(\$\w+:)[a-z]+/,lookbehind:!0,alias:"punctuation"},variable:/\$\w+/,"function-definition":{pattern:/(\bfn\s+)\w+/,lookbehind:!0,alias:"function"},"type-definition":{pattern:/(\b(?:enum|struct|trait|type|union)\s+)\w+/,lookbehind:!0,alias:"class-name"},"module-declaration":[{pattern:/(\b(?:crate|mod)\s+)[a-z][a-z_\d]*/,lookbehind:!0,alias:"namespace"},{pattern:/(\b(?:crate|self|super)\s*)::\s*[a-z][a-z_\d]*\b(?:\s*::(?:\s*[a-z][a-z_\d]*\s*::)*)?/,lookbehind:!0,alias:"namespace",inside:{punctuation:/::/}}],keyword:[/\b(?:Self|abstract|as|async|await|become|box|break|const|continue|crate|do|dyn|else|enum|extern|final|fn|for|if|impl|in|let|loop|macro|match|mod|move|mut|override|priv|pub|ref|return|self|static|struct|super|trait|try|type|typeof|union|unsafe|unsized|use|virtual|where|while|yield)\b/,/\b(?:bool|char|f(?:32|64)|[ui](?:8|16|32|64|128|size)|str)\b/],function:/\b[a-z_]\w*(?=\s*(?:::\s*<|\())/,macro:{pattern:/\b\w+!/,alias:"property"},constant:/\b[A-Z_][A-Z_\d]+\b/,"class-name":/\b[A-Z]\w*\b/,namespace:{pattern:/(?:\b[a-z][a-z_\d]*\s*::\s*)*\b[a-z][a-z_\d]*\s*::(?!\s*<)/,inside:{punctuation:/::/}},number:/\b(?:0x[\dA-Fa-f](?:_?[\dA-Fa-f])*|0o[0-7](?:_?[0-7])*|0b[01](?:_?[01])*|(?:(?:\d(?:_?\d)*)?\.)?\d(?:_?\d)*(?:[Ee][+-]?\d+)?)(?:_?(?:f32|f64|[iu](?:8|16|32|64|size)?))?\b/,boolean:/\b(?:false|true)\b/,punctuation:/->|\.\.=|\.{1,3}|::|[{}[\];(),:]/,operator:/[-+*\/%!^]=?|=[=>]?|&[&=]?|\|[|=]?|<<?=?|>>?=?|[@?]/},e.languages.rust["closure-params"].inside.rest=e.languages.rust,e.languages.rust.attribute.inside.string=e.languages.rust.string}(T),T.languages.go=T.languages.extend("clike",{string:{pattern:/(^|[^\\])"(?:\\.|[^"\\\r\n])*"|`[^`]*`/,lookbehind:!0,greedy:!0},keyword:/\b(?:break|case|chan|const|continue|default|defer|else|fallthrough|for|func|go(?:to)?|if|import|interface|map|package|range|return|select|struct|switch|type|var)\b/,boolean:/\b(?:_|false|iota|nil|true)\b/,number:[/\b0(?:b[01_]+|o[0-7_]+)i?\b/i,/\b0x(?:[a-f\d_]+(?:\.[a-f\d_]*)?|\.[a-f\d_]+)(?:p[+-]?\d+(?:_\d+)*)?i?(?!\w)/i,/(?:\b\d[\d_]*(?:\.[\d_]*)?|\B\.\d[\d_]*)(?:e[+-]?[\d_]+)?i?(?!\w)/i],operator:/[*\/%^!=]=?|\+[=+]?|-[=-]?|\|[=|]?|&(?:=|&|\^=?)?|>(?:>=?|=)?|<(?:<=?|=|-)?|:=|\.\.\./,builtin:/\b(?:append|bool|byte|cap|close|complex|complex(?:64|128)|copy|delete|error|float(?:32|64)|u?int(?:8|16|32|64)?|imag|len|make|new|panic|print(?:ln)?|real|recover|rune|string|uintptr)\b/}),T.languages.insertBefore("go","string",{char:{pattern:/'(?:\\.|[^'\\\r\n]){0,10}'/,greedy:!0}}),delete T.languages.go["class-name"],function(e){var t=/\b(?:alignas|alignof|asm|auto|bool|break|case|catch|char|char16_t|char32_t|char8_t|class|co_await|co_return|co_yield|compl|concept|const|const_cast|consteval|constexpr|constinit|continue|decltype|default|delete|do|double|dynamic_cast|else|enum|explicit|export|extern|final|float|for|friend|goto|if|import|inline|int|int16_t|int32_t|int64_t|int8_t|long|module|mutable|namespace|new|noexcept|nullptr|operator|override|private|protected|public|register|reinterpret_cast|requires|return|short|signed|sizeof|static|static_assert|static_cast|struct|switch|template|this|thread_local|throw|try|typedef|typeid|typename|uint16_t|uint32_t|uint64_t|uint8_t|union|unsigned|using|virtual|void|volatile|wchar_t|while)\b/,n=/\b(?!<keyword>)\w+(?:\s*\.\s*\w+)*\b/.source.replace(/<keyword>/g,(function(){return t.source}));e.languages.cpp=e.languages.extend("c",{"class-name":[{pattern:RegExp(/(\b(?:class|concept|enum|struct|typename)\s+)(?!<keyword>)\w+/.source.replace(/<keyword>/g,(function(){return t.source}))),lookbehind:!0},/\b[A-Z]\w*(?=\s*::\s*\w+\s*\()/,/\b[A-Z_]\w*(?=\s*::\s*~\w+\s*\()/i,/\b\w+(?=\s*<(?:[^<>]|<(?:[^<>]|<[^<>]*>)*>)*>\s*::\s*\w+\s*\()/],keyword:t,number:{pattern:/(?:\b0b[01']+|\b0x(?:[\da-f']+(?:\.[\da-f']*)?|\.[\da-f']+)(?:p[+-]?[\d']+)?|(?:\b[\d']+(?:\.[\d']*)?|\B\.[\d']+)(?:e[+-]?[\d']+)?)[ful]{0,4}/i,greedy:!0},operator:/>>=?|<<=?|->|--|\+\+|&&|\|\||[?:~]|<=>|[-+*/%&|^!=<>]=?|\b(?:and|and_eq|bitand|bitor|not|not_eq|or|or_eq|xor|xor_eq)\b/,boolean:/\b(?:false|true)\b/}),e.languages.insertBefore("cpp","string",{module:{pattern:RegExp(/(\b(?:import|module)\s+)/.source+"(?:"+/"(?:\\(?:\r\n|[\s\S])|[^"\\\r\n])*"|<[^<>\r\n]*>/.source+"|"+/<mod-name>(?:\s*:\s*<mod-name>)?|:\s*<mod-name>/.source.replace(/<mod-name>/g,(function(){return n}))+")"),lookbehind:!0,greedy:!0,inside:{string:/^[<"][\s\S]+/,operator:/:/,punctuation:/\./}},"raw-string":{pattern:/R"([^()\\ ]{0,16})\([\s\S]*?\)\1"/,alias:"string",greedy:!0}}),e.languages.insertBefore("cpp","keyword",{"generic-function":{pattern:/\b(?!operator\b)[a-z_]\w*\s*<(?:[^<>]|<[^<>]*>)*>(?=\s*\()/i,inside:{function:/^\w+/,generic:{pattern:/<[\s\S]+/,alias:"class-name",inside:e.languages.cpp}}}}),e.languages.insertBefore("cpp","operator",{"double-colon":{pattern:/::/,alias:"punctuation"}}),e.languages.insertBefore("cpp","class-name",{"base-clause":{pattern:/(\b(?:class|struct)\s+\w+\s*:\s*)[^;{}"'\s]+(?:\s+[^;{}"'\s]+)*(?=\s*[;{])/,lookbehind:!0,greedy:!0,inside:e.languages.extend("cpp",{})}}),e.languages.insertBefore("inside","double-colon",{"class-name":/\b[a-z_]\w*\b(?!\s*::)/i},e.languages.cpp["base-clause"])}(T),T.languages.python={comment:{pattern:/(^|[^\\])#.*/,lookbehind:!0,greedy:!0},"string-interpolation":{pattern:/(?:f|fr|rf)(?:("""|''')[\s\S]*?\1|("|')(?:\\.|(?!\2)[^\\\r\n])*\2)/i,greedy:!0,inside:{interpolation:{pattern:/((?:^|[^{])(?:\{\{)*)\{(?!\{)(?:[^{}]|\{(?!\{)(?:[^{}]|\{(?!\{)(?:[^{}])+\})+\})+\}/,lookbehind:!0,inside:{"format-spec":{pattern:/(:)[^:(){}]+(?=\}$)/,lookbehind:!0},"conversion-option":{pattern:/![sra](?=[:}]$)/,alias:"punctuation"},rest:null}},string:/[\s\S]+/}},"triple-quoted-string":{pattern:/(?:[rub]|br|rb)?("""|''')[\s\S]*?\1/i,greedy:!0,alias:"string"},string:{pattern:/(?:[rub]|br|rb)?("|')(?:\\.|(?!\1)[^\\\r\n])*\1/i,greedy:!0},function:{pattern:/((?:^|\s)def[ \t]+)[a-zA-Z_]\w*(?=\s*\()/g,lookbehind:!0},"class-name":{pattern:/(\bclass\s+)\w+/i,lookbehind:!0},decorator:{pattern:/(^[\t ]*)@\w+(?:\.\w+)*/m,lookbehind:!0,alias:["annotation","punctuation"],inside:{punctuation:/\./}},keyword:/\b(?:_(?=\s*:)|and|as|assert|async|await|break|case|class|continue|def|del|elif|else|except|exec|finally|for|from|global|if|import|in|is|lambda|match|nonlocal|not|or|pass|print|raise|return|try|while|with|yield)\b/,builtin:/\b(?:__import__|abs|all|any|apply|ascii|basestring|bin|bool|buffer|bytearray|bytes|callable|chr|classmethod|cmp|coerce|compile|complex|delattr|dict|dir|divmod|enumerate|eval|execfile|file|filter|float|format|frozenset|getattr|globals|hasattr|hash|help|hex|id|input|int|intern|isinstance|issubclass|iter|len|list|locals|long|map|max|memoryview|min|next|object|oct|open|ord|pow|property|range|raw_input|reduce|reload|repr|reversed|round|set|setattr|slice|sorted|staticmethod|str|sum|super|tuple|type|unichr|unicode|vars|xrange|zip)\b/,boolean:/\b(?:False|None|True)\b/,number:/\b0(?:b(?:_?[01])+|o(?:_?[0-7])+|x(?:_?[a-f0-9])+)\b|(?:\b\d+(?:_\d+)*(?:\.(?:\d+(?:_\d+)*)?)?|\B\.\d+(?:_\d+)*)(?:e[+-]?\d+(?:_\d+)*)?j?(?!\w)/i,operator:/[-+%=]=?|!=|:=|\*\*?=?|\/\/?=?|<[<=>]?|>[=>]?|[&|^~]/,punctuation:/[{}[\];(),.:]/},T.languages.python["string-interpolation"].inside.interpolation.inside.rest=T.languages.python,T.languages.py=T.languages.python;((e,t)=>{for(var n in t)f(e,n,{get:t[n],enumerable:!0})})({},{dracula:()=>j,duotoneDark:()=>L,duotoneLight:()=>R,github:()=>N,jettwaveDark:()=>H,jettwaveLight:()=>Q,nightOwl:()=>P,nightOwlLight:()=>A,oceanicNext:()=>D,okaidia:()=>F,oneDark:()=>Z,oneLight:()=>V,palenight:()=>M,shadesOfPurple:()=>z,synthwave84:()=>B,ultramin:()=>$,vsDark:()=>U,vsLight:()=>q});var j={plain:{color:"#F8F8F2",backgroundColor:"#282A36"},styles:[{types:["prolog","constant","builtin"],style:{color:"rgb(189, 147, 249)"}},{types:["inserted","function"],style:{color:"rgb(80, 250, 123)"}},{types:["deleted"],style:{color:"rgb(255, 85, 85)"}},{types:["changed"],style:{color:"rgb(255, 184, 108)"}},{types:["punctuation","symbol"],style:{color:"rgb(248, 248, 242)"}},{types:["string","char","tag","selector"],style:{color:"rgb(255, 121, 198)"}},{types:["keyword","variable"],style:{color:"rgb(189, 147, 249)",fontStyle:"italic"}},{types:["comment"],style:{color:"rgb(98, 114, 164)"}},{types:["attr-name"],style:{color:"rgb(241, 250, 140)"}}]},L={plain:{backgroundColor:"#2a2734",color:"#9a86fd"},styles:[{types:["comment","prolog","doctype","cdata","punctuation"],style:{color:"#6c6783"}},{types:["namespace"],style:{opacity:.7}},{types:["tag","operator","number"],style:{color:"#e09142"}},{types:["property","function"],style:{color:"#9a86fd"}},{types:["tag-id","selector","atrule-id"],style:{color:"#eeebff"}},{types:["attr-name"],style:{color:"#c4b9fe"}},{types:["boolean","string","entity","url","attr-value","keyword","control","directive","unit","statement","regex","atrule","placeholder","variable"],style:{color:"#ffcc99"}},{types:["deleted"],style:{textDecorationLine:"line-through"}},{types:["inserted"],style:{textDecorationLine:"underline"}},{types:["italic"],style:{fontStyle:"italic"}},{types:["important","bold"],style:{fontWeight:"bold"}},{types:["important"],style:{color:"#c4b9fe"}}]},R={plain:{backgroundColor:"#faf8f5",color:"#728fcb"},styles:[{types:["comment","prolog","doctype","cdata","punctuation"],style:{color:"#b6ad9a"}},{types:["namespace"],style:{opacity:.7}},{types:["tag","operator","number"],style:{color:"#063289"}},{types:["property","function"],style:{color:"#b29762"}},{types:["tag-id","selector","atrule-id"],style:{color:"#2d2006"}},{types:["attr-name"],style:{color:"#896724"}},{types:["boolean","string","entity","url","attr-value","keyword","control","directive","unit","statement","regex","atrule"],style:{color:"#728fcb"}},{types:["placeholder","variable"],style:{color:"#93abdc"}},{types:["deleted"],style:{textDecorationLine:"line-through"}},{types:["inserted"],style:{textDecorationLine:"underline"}},{types:["italic"],style:{fontStyle:"italic"}},{types:["important","bold"],style:{fontWeight:"bold"}},{types:["important"],style:{color:"#896724"}}]},N={plain:{color:"#393A34",backgroundColor:"#f6f8fa"},styles:[{types:["comment","prolog","doctype","cdata"],style:{color:"#999988",fontStyle:"italic"}},{types:["namespace"],style:{opacity:.7}},{types:["string","attr-value"],style:{color:"#e3116c"}},{types:["punctuation","operator"],style:{color:"#393A34"}},{types:["entity","url","symbol","number","boolean","variable","constant","property","regex","inserted"],style:{color:"#36acaa"}},{types:["atrule","keyword","attr-name","selector"],style:{color:"#00a4db"}},{types:["function","deleted","tag"],style:{color:"#d73a49"}},{types:["function-variable"],style:{color:"#6f42c1"}},{types:["tag","selector","keyword"],style:{color:"#00009f"}}]},P={plain:{color:"#d6deeb",backgroundColor:"#011627"},styles:[{types:["changed"],style:{color:"rgb(162, 191, 252)",fontStyle:"italic"}},{types:["deleted"],style:{color:"rgba(239, 83, 80, 0.56)",fontStyle:"italic"}},{types:["inserted","attr-name"],style:{color:"rgb(173, 219, 103)",fontStyle:"italic"}},{types:["comment"],style:{color:"rgb(99, 119, 119)",fontStyle:"italic"}},{types:["string","url"],style:{color:"rgb(173, 219, 103)"}},{types:["variable"],style:{color:"rgb(214, 222, 235)"}},{types:["number"],style:{color:"rgb(247, 140, 108)"}},{types:["builtin","char","constant","function"],style:{color:"rgb(130, 170, 255)"}},{types:["punctuation"],style:{color:"rgb(199, 146, 234)"}},{types:["selector","doctype"],style:{color:"rgb(199, 146, 234)",fontStyle:"italic"}},{types:["class-name"],style:{color:"rgb(255, 203, 139)"}},{types:["tag","operator","keyword"],style:{color:"rgb(127, 219, 202)"}},{types:["boolean"],style:{color:"rgb(255, 88, 116)"}},{types:["property"],style:{color:"rgb(128, 203, 196)"}},{types:["namespace"],style:{color:"rgb(178, 204, 214)"}}]},A={plain:{color:"#403f53",backgroundColor:"#FBFBFB"},styles:[{types:["changed"],style:{color:"rgb(162, 191, 252)",fontStyle:"italic"}},{types:["deleted"],style:{color:"rgba(239, 83, 80, 0.56)",fontStyle:"italic"}},{types:["inserted","attr-name"],style:{color:"rgb(72, 118, 214)",fontStyle:"italic"}},{types:["comment"],style:{color:"rgb(152, 159, 177)",fontStyle:"italic"}},{types:["string","builtin","char","constant","url"],style:{color:"rgb(72, 118, 214)"}},{types:["variable"],style:{color:"rgb(201, 103, 101)"}},{types:["number"],style:{color:"rgb(170, 9, 130)"}},{types:["punctuation"],style:{color:"rgb(153, 76, 195)"}},{types:["function","selector","doctype"],style:{color:"rgb(153, 76, 195)",fontStyle:"italic"}},{types:["class-name"],style:{color:"rgb(17, 17, 17)"}},{types:["tag"],style:{color:"rgb(153, 76, 195)"}},{types:["operator","property","keyword","namespace"],style:{color:"rgb(12, 150, 155)"}},{types:["boolean"],style:{color:"rgb(188, 84, 84)"}}]},O="#c5a5c5",I="#8dc891",D={plain:{backgroundColor:"#282c34",color:"#ffffff"},styles:[{types:["attr-name"],style:{color:O}},{types:["attr-value"],style:{color:I}},{types:["comment","block-comment","prolog","doctype","cdata","shebang"],style:{color:"#999999"}},{types:["property","number","function-name","constant","symbol","deleted"],style:{color:"#5a9bcf"}},{types:["boolean"],style:{color:"#ff8b50"}},{types:["tag"],style:{color:"#fc929e"}},{types:["string"],style:{color:I}},{types:["punctuation"],style:{color:I}},{types:["selector","char","builtin","inserted"],style:{color:"#D8DEE9"}},{types:["function"],style:{color:"#79b6f2"}},{types:["operator","entity","url","variable"],style:{color:"#d7deea"}},{types:["keyword"],style:{color:O}},{types:["atrule","class-name"],style:{color:"#FAC863"}},{types:["important"],style:{fontWeight:"400"}},{types:["bold"],style:{fontWeight:"bold"}},{types:["italic"],style:{fontStyle:"italic"}},{types:["namespace"],style:{opacity:.7}}]},F={plain:{color:"#f8f8f2",backgroundColor:"#272822"},styles:[{types:["changed"],style:{color:"rgb(162, 191, 252)",fontStyle:"italic"}},{types:["deleted"],style:{color:"#f92672",fontStyle:"italic"}},{types:["inserted"],style:{color:"rgb(173, 219, 103)",fontStyle:"italic"}},{types:["comment"],style:{color:"#8292a2",fontStyle:"italic"}},{types:["string","url"],style:{color:"#a6e22e"}},{types:["variable"],style:{color:"#f8f8f2"}},{types:["number"],style:{color:"#ae81ff"}},{types:["builtin","char","constant","function","class-name"],style:{color:"#e6db74"}},{types:["punctuation"],style:{color:"#f8f8f2"}},{types:["selector","doctype"],style:{color:"#a6e22e",fontStyle:"italic"}},{types:["tag","operator","keyword"],style:{color:"#66d9ef"}},{types:["boolean"],style:{color:"#ae81ff"}},{types:["namespace"],style:{color:"rgb(178, 204, 214)",opacity:.7}},{types:["tag","property"],style:{color:"#f92672"}},{types:["attr-name"],style:{color:"#a6e22e !important"}},{types:["doctype"],style:{color:"#8292a2"}},{types:["rule"],style:{color:"#e6db74"}}]},M={plain:{color:"#bfc7d5",backgroundColor:"#292d3e"},styles:[{types:["comment"],style:{color:"rgb(105, 112, 152)",fontStyle:"italic"}},{types:["string","inserted"],style:{color:"rgb(195, 232, 141)"}},{types:["number"],style:{color:"rgb(247, 140, 108)"}},{types:["builtin","char","constant","function"],style:{color:"rgb(130, 170, 255)"}},{types:["punctuation","selector"],style:{color:"rgb(199, 146, 234)"}},{types:["variable"],style:{color:"rgb(191, 199, 213)"}},{types:["class-name","attr-name"],style:{color:"rgb(255, 203, 107)"}},{types:["tag","deleted"],style:{color:"rgb(255, 85, 114)"}},{types:["operator"],style:{color:"rgb(137, 221, 255)"}},{types:["boolean"],style:{color:"rgb(255, 88, 116)"}},{types:["keyword"],style:{fontStyle:"italic"}},{types:["doctype"],style:{color:"rgb(199, 146, 234)",fontStyle:"italic"}},{types:["namespace"],style:{color:"rgb(178, 204, 214)"}},{types:["url"],style:{color:"rgb(221, 221, 221)"}}]},z={plain:{color:"#9EFEFF",backgroundColor:"#2D2A55"},styles:[{types:["changed"],style:{color:"rgb(255, 238, 128)"}},{types:["deleted"],style:{color:"rgba(239, 83, 80, 0.56)"}},{types:["inserted"],style:{color:"rgb(173, 219, 103)"}},{types:["comment"],style:{color:"rgb(179, 98, 255)",fontStyle:"italic"}},{types:["punctuation"],style:{color:"rgb(255, 255, 255)"}},{types:["constant"],style:{color:"rgb(255, 98, 140)"}},{types:["string","url"],style:{color:"rgb(165, 255, 144)"}},{types:["variable"],style:{color:"rgb(255, 238, 128)"}},{types:["number","boolean"],style:{color:"rgb(255, 98, 140)"}},{types:["attr-name"],style:{color:"rgb(255, 180, 84)"}},{types:["keyword","operator","property","namespace","tag","selector","doctype"],style:{color:"rgb(255, 157, 0)"}},{types:["builtin","char","constant","function","class-name"],style:{color:"rgb(250, 208, 0)"}}]},B={plain:{backgroundColor:"linear-gradient(to bottom, #2a2139 75%, #34294f)",backgroundImage:"#34294f",color:"#f92aad",textShadow:"0 0 2px #100c0f, 0 0 5px #dc078e33, 0 0 10px #fff3"},styles:[{types:["comment","block-comment","prolog","doctype","cdata"],style:{color:"#495495",fontStyle:"italic"}},{types:["punctuation"],style:{color:"#ccc"}},{types:["tag","attr-name","namespace","number","unit","hexcode","deleted"],style:{color:"#e2777a"}},{types:["property","selector"],style:{color:"#72f1b8",textShadow:"0 0 2px #100c0f, 0 0 10px #257c5575, 0 0 35px #21272475"}},{types:["function-name"],style:{color:"#6196cc"}},{types:["boolean","selector-id","function"],style:{color:"#fdfdfd",textShadow:"0 0 2px #001716, 0 0 3px #03edf975, 0 0 5px #03edf975, 0 0 8px #03edf975"}},{types:["class-name","maybe-class-name","builtin"],style:{color:"#fff5f6",textShadow:"0 0 2px #000, 0 0 10px #fc1f2c75, 0 0 5px #fc1f2c75, 0 0 25px #fc1f2c75"}},{types:["constant","symbol"],style:{color:"#f92aad",textShadow:"0 0 2px #100c0f, 0 0 5px #dc078e33, 0 0 10px #fff3"}},{types:["important","atrule","keyword","selector-class"],style:{color:"#f4eee4",textShadow:"0 0 2px #393a33, 0 0 8px #f39f0575, 0 0 2px #f39f0575"}},{types:["string","char","attr-value","regex","variable"],style:{color:"#f87c32"}},{types:["parameter"],style:{fontStyle:"italic"}},{types:["entity","url"],style:{color:"#67cdcc"}},{types:["operator"],style:{color:"ffffffee"}},{types:["important","bold"],style:{fontWeight:"bold"}},{types:["italic"],style:{fontStyle:"italic"}},{types:["entity"],style:{cursor:"help"}},{types:["inserted"],style:{color:"green"}}]},$={plain:{color:"#282a2e",backgroundColor:"#ffffff"},styles:[{types:["comment"],style:{color:"rgb(197, 200, 198)"}},{types:["string","number","builtin","variable"],style:{color:"rgb(150, 152, 150)"}},{types:["class-name","function","tag","attr-name"],style:{color:"rgb(40, 42, 46)"}}]},U={plain:{color:"#9CDCFE",backgroundColor:"#1E1E1E"},styles:[{types:["prolog"],style:{color:"rgb(0, 0, 128)"}},{types:["comment"],style:{color:"rgb(106, 153, 85)"}},{types:["builtin","changed","keyword","interpolation-punctuation"],style:{color:"rgb(86, 156, 214)"}},{types:["number","inserted"],style:{color:"rgb(181, 206, 168)"}},{types:["constant"],style:{color:"rgb(100, 102, 149)"}},{types:["attr-name","variable"],style:{color:"rgb(156, 220, 254)"}},{types:["deleted","string","attr-value","template-punctuation"],style:{color:"rgb(206, 145, 120)"}},{types:["selector"],style:{color:"rgb(215, 186, 125)"}},{types:["tag"],style:{color:"rgb(78, 201, 176)"}},{types:["tag"],languages:["markup"],style:{color:"rgb(86, 156, 214)"}},{types:["punctuation","operator"],style:{color:"rgb(212, 212, 212)"}},{types:["punctuation"],languages:["markup"],style:{color:"#808080"}},{types:["function"],style:{color:"rgb(220, 220, 170)"}},{types:["class-name"],style:{color:"rgb(78, 201, 176)"}},{types:["char"],style:{color:"rgb(209, 105, 105)"}}]},q={plain:{color:"#000000",backgroundColor:"#ffffff"},styles:[{types:["comment"],style:{color:"rgb(0, 128, 0)"}},{types:["builtin"],style:{color:"rgb(0, 112, 193)"}},{types:["number","variable","inserted"],style:{color:"rgb(9, 134, 88)"}},{types:["operator"],style:{color:"rgb(0, 0, 0)"}},{types:["constant","char"],style:{color:"rgb(129, 31, 63)"}},{types:["tag"],style:{color:"rgb(128, 0, 0)"}},{types:["attr-name"],style:{color:"rgb(255, 0, 0)"}},{types:["deleted","string"],style:{color:"rgb(163, 21, 21)"}},{types:["changed","punctuation"],style:{color:"rgb(4, 81, 165)"}},{types:["function","keyword"],style:{color:"rgb(0, 0, 255)"}},{types:["class-name"],style:{color:"rgb(38, 127, 153)"}}]},H={plain:{color:"#f8fafc",backgroundColor:"#011627"},styles:[{types:["prolog"],style:{color:"#000080"}},{types:["comment"],style:{color:"#6A9955"}},{types:["builtin","changed","keyword","interpolation-punctuation"],style:{color:"#569CD6"}},{types:["number","inserted"],style:{color:"#B5CEA8"}},{types:["constant"],style:{color:"#f8fafc"}},{types:["attr-name","variable"],style:{color:"#9CDCFE"}},{types:["deleted","string","attr-value","template-punctuation"],style:{color:"#cbd5e1"}},{types:["selector"],style:{color:"#D7BA7D"}},{types:["tag"],style:{color:"#0ea5e9"}},{types:["tag"],languages:["markup"],style:{color:"#0ea5e9"}},{types:["punctuation","operator"],style:{color:"#D4D4D4"}},{types:["punctuation"],languages:["markup"],style:{color:"#808080"}},{types:["function"],style:{color:"#7dd3fc"}},{types:["class-name"],style:{color:"#0ea5e9"}},{types:["char"],style:{color:"#D16969"}}]},Q={plain:{color:"#0f172a",backgroundColor:"#f1f5f9"},styles:[{types:["prolog"],style:{color:"#000080"}},{types:["comment"],style:{color:"#6A9955"}},{types:["builtin","changed","keyword","interpolation-punctuation"],style:{color:"#0c4a6e"}},{types:["number","inserted"],style:{color:"#B5CEA8"}},{types:["constant"],style:{color:"#0f172a"}},{types:["attr-name","variable"],style:{color:"#0c4a6e"}},{types:["deleted","string","attr-value","template-punctuation"],style:{color:"#64748b"}},{types:["selector"],style:{color:"#D7BA7D"}},{types:["tag"],style:{color:"#0ea5e9"}},{types:["tag"],languages:["markup"],style:{color:"#0ea5e9"}},{types:["punctuation","operator"],style:{color:"#475569"}},{types:["punctuation"],languages:["markup"],style:{color:"#808080"}},{types:["function"],style:{color:"#0e7490"}},{types:["class-name"],style:{color:"#0ea5e9"}},{types:["char"],style:{color:"#D16969"}}]},Z={plain:{backgroundColor:"hsl(220, 13%, 18%)",color:"hsl(220, 14%, 71%)",textShadow:"0 1px rgba(0, 0, 0, 0.3)"},styles:[{types:["comment","prolog","cdata"],style:{color:"hsl(220, 10%, 40%)"}},{types:["doctype","punctuation","entity"],style:{color:"hsl(220, 14%, 71%)"}},{types:["attr-name","class-name","maybe-class-name","boolean","constant","number","atrule"],style:{color:"hsl(29, 54%, 61%)"}},{types:["keyword"],style:{color:"hsl(286, 60%, 67%)"}},{types:["property","tag","symbol","deleted","important"],style:{color:"hsl(355, 65%, 65%)"}},{types:["selector","string","char","builtin","inserted","regex","attr-value"],style:{color:"hsl(95, 38%, 62%)"}},{types:["variable","operator","function"],style:{color:"hsl(207, 82%, 66%)"}},{types:["url"],style:{color:"hsl(187, 47%, 55%)"}},{types:["deleted"],style:{textDecorationLine:"line-through"}},{types:["inserted"],style:{textDecorationLine:"underline"}},{types:["italic"],style:{fontStyle:"italic"}},{types:["important","bold"],style:{fontWeight:"bold"}},{types:["important"],style:{color:"hsl(220, 14%, 71%)"}}]},V={plain:{backgroundColor:"hsl(230, 1%, 98%)",color:"hsl(230, 8%, 24%)"},styles:[{types:["comment","prolog","cdata"],style:{color:"hsl(230, 4%, 64%)"}},{types:["doctype","punctuation","entity"],style:{color:"hsl(230, 8%, 24%)"}},{types:["attr-name","class-name","boolean","constant","number","atrule"],style:{color:"hsl(35, 99%, 36%)"}},{types:["keyword"],style:{color:"hsl(301, 63%, 40%)"}},{types:["property","tag","symbol","deleted","important"],style:{color:"hsl(5, 74%, 59%)"}},{types:["selector","string","char","builtin","inserted","regex","attr-value","punctuation"],style:{color:"hsl(119, 34%, 47%)"}},{types:["variable","operator","function"],style:{color:"hsl(221, 87%, 60%)"}},{types:["url"],style:{color:"hsl(198, 99%, 37%)"}},{types:["deleted"],style:{textDecorationLine:"line-through"}},{types:["inserted"],style:{textDecorationLine:"underline"}},{types:["italic"],style:{fontStyle:"italic"}},{types:["important","bold"],style:{fontWeight:"bold"}},{types:["important"],style:{color:"hsl(230, 8%, 24%)"}}]},W=(e,t)=>{const{plain:n}=e,r=e.styles.reduce(((e,n)=>{const{languages:r,style:a}=n;return r&&!r.includes(t)||n.types.forEach((t=>{const n=S(S({},e[t]),a);e[t]=n})),e}),{});return r.root=n,r.plain=E(S({},n),{backgroundColor:void 0}),r},G=/\r\n|\r|\n/,X=e=>{0===e.length?e.push({types:["plain"],content:"\n",empty:!0}):1===e.length&&""===e[0].content&&(e[0].content="\n",e[0].empty=!0)},K=(e,t)=>{const n=e.length;return n>0&&e[n-1]===t?e:e.concat(t)},Y=e=>{const t=[[]],n=[e],r=[0],a=[e.length];let o=0,i=0,s=[];const l=[s];for(;i>-1;){for(;(o=r[i]++)<a[i];){let e,c=t[i];const u=n[i][o];if("string"==typeof u?(c=i>0?c:["plain"],e=u):(c=K(c,u.type),u.alias&&(c=K(c,u.alias)),e=u.content),"string"!=typeof e){i++,t.push(c),n.push(e),r.push(0),a.push(e.length);continue}const d=e.split(G),p=d.length;s.push({types:c,content:d[0]});for(let t=1;t<p;t++)X(s),l.push(s=[]),s.push({types:c,content:d[t]})}i--,t.pop(),n.pop(),r.pop(),a.pop()}return X(s),l},J=({children:e,language:t,code:n,theme:r,prism:a})=>{const o=t.toLowerCase(),i=((e,t)=>{const[n,r]=(0,u.useState)(W(t,e)),a=(0,u.useRef)(),o=(0,u.useRef)();return(0,u.useEffect)((()=>{t===a.current&&e===o.current||(a.current=t,o.current=e,r(W(t,e)))}),[e,t]),n})(o,r),s=(e=>(0,u.useCallback)((t=>{var n=t,{className:r,style:a,line:o}=n,i=_(n,["className","style","line"]);const s=E(S({},i),{className:(0,d.Z)("token-line",r)});return"object"==typeof e&&"plain"in e&&(s.style=e.plain),"object"==typeof a&&(s.style=S(S({},s.style||{}),a)),s}),[e]))(i),l=(e=>{const t=(0,u.useCallback)((({types:t,empty:n})=>{if(null!=e)return 1===t.length&&"plain"===t[0]?null!=n?{display:"inline-block"}:void 0:1===t.length&&null!=n?e[t[0]]:Object.assign(null!=n?{display:"inline-block"}:{},...t.map((t=>e[t])))}),[e]);return(0,u.useCallback)((e=>{var n=e,{token:r,className:a,style:o}=n,i=_(n,["token","className","style"]);const s=E(S({},i),{className:(0,d.Z)("token",...r.types,a),children:r.content,style:t(r)});return null!=o&&(s.style=S(S({},s.style||{}),o)),s}),[t])})(i),c=(({prism:e,code:t,grammar:n,language:r})=>{const a=(0,u.useRef)(e);return(0,u.useMemo)((()=>{if(null==n)return Y([t]);const e={code:t,grammar:n,language:r,tokens:[]};return a.current.hooks.run("before-tokenize",e),e.tokens=a.current.tokenize(t,n),a.current.hooks.run("after-tokenize",e),Y(e.tokens)}),[t,n,r])})({prism:a,language:o,code:n,grammar:a.languages[o]});return e({tokens:c,className:`prism-code language-${o}`,style:null!=i?i.root:{},getLineProps:s,getTokenProps:l})},ee=e=>(0,u.createElement)(J,E(S({},e),{prism:e.prism||T,theme:e.theme||U,code:e.code,language:e.language}))},8776:(e,t,n)=>{"use strict";n.d(t,{Z:()=>o});var r=!0,a="Invariant failed";function o(e,t){if(!e){if(r)throw new Error(a);var n="function"==typeof t?t():t,o=n?"".concat(a,": ").concat(n):a;throw new Error(o)}}},7582:(e,t,n)=>{"use strict";n.r(t),n.d(t,{__addDisposableResource:()=>O,__assign:()=>o,__asyncDelegator:()=>_,__asyncGenerator:()=>E,__asyncValues:()=>C,__await:()=>S,__awaiter:()=>h,__classPrivateFieldGet:()=>N,__classPrivateFieldIn:()=>A,__classPrivateFieldSet:()=>P,__createBinding:()=>g,__decorate:()=>s,__disposeResources:()=>D,__esDecorate:()=>c,__exportStar:()=>y,__extends:()=>a,__generator:()=>m,__importDefault:()=>R,__importStar:()=>L,__makeTemplateObject:()=>T,__metadata:()=>f,__param:()=>l,__propKey:()=>d,__read:()=>v,__rest:()=>i,__runInitializers:()=>u,__setFunctionName:()=>p,__spread:()=>w,__spreadArray:()=>x,__spreadArrays:()=>k,__values:()=>b,default:()=>F});var r=function(e,t){return r=Object.setPrototypeOf||{__proto__:[]}instanceof Array&&function(e,t){e.__proto__=t}||function(e,t){for(var n in t)Object.prototype.hasOwnProperty.call(t,n)&&(e[n]=t[n])},r(e,t)};function a(e,t){if("function"!=typeof t&&null!==t)throw new TypeError("Class extends value "+String(t)+" is not a constructor or null");function n(){this.constructor=e}r(e,t),e.prototype=null===t?Object.create(t):(n.prototype=t.prototype,new n)}var o=function(){return o=Object.assign||function(e){for(var t,n=1,r=arguments.length;n<r;n++)for(var a in t=arguments[n])Object.prototype.hasOwnProperty.call(t,a)&&(e[a]=t[a]);return e},o.apply(this,arguments)};function i(e,t){var n={};for(var r in e)Object.prototype.hasOwnProperty.call(e,r)&&t.indexOf(r)<0&&(n[r]=e[r]);if(null!=e&&"function"==typeof Object.getOwnPropertySymbols){var a=0;for(r=Object.getOwnPropertySymbols(e);a<r.length;a++)t.indexOf(r[a])<0&&Object.prototype.propertyIsEnumerable.call(e,r[a])&&(n[r[a]]=e[r[a]])}return n}function s(e,t,n,r){var a,o=arguments.length,i=o<3?t:null===r?r=Object.getOwnPropertyDescriptor(t,n):r;if("object"==typeof Reflect&&"function"==typeof Reflect.decorate)i=Reflect.decorate(e,t,n,r);else for(var s=e.length-1;s>=0;s--)(a=e[s])&&(i=(o<3?a(i):o>3?a(t,n,i):a(t,n))||i);return o>3&&i&&Object.defineProperty(t,n,i),i}function l(e,t){return function(n,r){t(n,r,e)}}function c(e,t,n,r,a,o){function i(e){if(void 0!==e&&"function"!=typeof e)throw new TypeError("Function expected");return e}for(var s,l=r.kind,c="getter"===l?"get":"setter"===l?"set":"value",u=!t&&e?r.static?e:e.prototype:null,d=t||(u?Object.getOwnPropertyDescriptor(u,r.name):{}),p=!1,f=n.length-1;f>=0;f--){var h={};for(var m in r)h[m]="access"===m?{}:r[m];for(var m in r.access)h.access[m]=r.access[m];h.addInitializer=function(e){if(p)throw new TypeError("Cannot add initializers after decoration has completed");o.push(i(e||null))};var g=(0,n[f])("accessor"===l?{get:d.get,set:d.set}:d[c],h);if("accessor"===l){if(void 0===g)continue;if(null===g||"object"!=typeof g)throw new TypeError("Object expected");(s=i(g.get))&&(d.get=s),(s=i(g.set))&&(d.set=s),(s=i(g.init))&&a.unshift(s)}else(s=i(g))&&("field"===l?a.unshift(s):d[c]=s)}u&&Object.defineProperty(u,r.name,d),p=!0}function u(e,t,n){for(var r=arguments.length>2,a=0;a<t.length;a++)n=r?t[a].call(e,n):t[a].call(e);return r?n:void 0}function d(e){return"symbol"==typeof e?e:"".concat(e)}function p(e,t,n){return"symbol"==typeof t&&(t=t.description?"[".concat(t.description,"]"):""),Object.defineProperty(e,"name",{configurable:!0,value:n?"".concat(n," ",t):t})}function f(e,t){if("object"==typeof Reflect&&"function"==typeof Reflect.metadata)return Reflect.metadata(e,t)}function h(e,t,n,r){return new(n||(n=Promise))((function(a,o){function i(e){try{l(r.next(e))}catch(t){o(t)}}function s(e){try{l(r.throw(e))}catch(t){o(t)}}function l(e){var t;e.done?a(e.value):(t=e.value,t instanceof n?t:new n((function(e){e(t)}))).then(i,s)}l((r=r.apply(e,t||[])).next())}))}function m(e,t){var n,r,a,o,i={label:0,sent:function(){if(1&a[0])throw a[1];return a[1]},trys:[],ops:[]};return o={next:s(0),throw:s(1),return:s(2)},"function"==typeof Symbol&&(o[Symbol.iterator]=function(){return this}),o;function s(s){return function(l){return function(s){if(n)throw new TypeError("Generator is already executing.");for(;o&&(o=0,s[0]&&(i=0)),i;)try{if(n=1,r&&(a=2&s[0]?r.return:s[0]?r.throw||((a=r.return)&&a.call(r),0):r.next)&&!(a=a.call(r,s[1])).done)return a;switch(r=0,a&&(s=[2&s[0],a.value]),s[0]){case 0:case 1:a=s;break;case 4:return i.label++,{value:s[1],done:!1};case 5:i.label++,r=s[1],s=[0];continue;case 7:s=i.ops.pop(),i.trys.pop();continue;default:if(!(a=i.trys,(a=a.length>0&&a[a.length-1])||6!==s[0]&&2!==s[0])){i=0;continue}if(3===s[0]&&(!a||s[1]>a[0]&&s[1]<a[3])){i.label=s[1];break}if(6===s[0]&&i.label<a[1]){i.label=a[1],a=s;break}if(a&&i.label<a[2]){i.label=a[2],i.ops.push(s);break}a[2]&&i.ops.pop(),i.trys.pop();continue}s=t.call(e,i)}catch(l){s=[6,l],r=0}finally{n=a=0}if(5&s[0])throw s[1];return{value:s[0]?s[1]:void 0,done:!0}}([s,l])}}}var g=Object.create?function(e,t,n,r){void 0===r&&(r=n);var a=Object.getOwnPropertyDescriptor(t,n);a&&!("get"in a?!t.__esModule:a.writable||a.configurable)||(a={enumerable:!0,get:function(){return t[n]}}),Object.defineProperty(e,r,a)}:function(e,t,n,r){void 0===r&&(r=n),e[r]=t[n]};function y(e,t){for(var n in e)"default"===n||Object.prototype.hasOwnProperty.call(t,n)||g(t,e,n)}function b(e){var t="function"==typeof Symbol&&Symbol.iterator,n=t&&e[t],r=0;if(n)return n.call(e);if(e&&"number"==typeof e.length)return{next:function(){return e&&r>=e.length&&(e=void 0),{value:e&&e[r++],done:!e}}};throw new TypeError(t?"Object is not iterable.":"Symbol.iterator is not defined.")}function v(e,t){var n="function"==typeof Symbol&&e[Symbol.iterator];if(!n)return e;var r,a,o=n.call(e),i=[];try{for(;(void 0===t||t-- >0)&&!(r=o.next()).done;)i.push(r.value)}catch(s){a={error:s}}finally{try{r&&!r.done&&(n=o.return)&&n.call(o)}finally{if(a)throw a.error}}return i}function w(){for(var e=[],t=0;t<arguments.length;t++)e=e.concat(v(arguments[t]));return e}function k(){for(var e=0,t=0,n=arguments.length;t<n;t++)e+=arguments[t].length;var r=Array(e),a=0;for(t=0;t<n;t++)for(var o=arguments[t],i=0,s=o.length;i<s;i++,a++)r[a]=o[i];return r}function x(e,t,n){if(n||2===arguments.length)for(var r,a=0,o=t.length;a<o;a++)!r&&a in t||(r||(r=Array.prototype.slice.call(t,0,a)),r[a]=t[a]);return e.concat(r||Array.prototype.slice.call(t))}function S(e){return this instanceof S?(this.v=e,this):new S(e)}function E(e,t,n){if(!Symbol.asyncIterator)throw new TypeError("Symbol.asyncIterator is not defined.");var r,a=n.apply(e,t||[]),o=[];return r={},i("next"),i("throw"),i("return"),r[Symbol.asyncIterator]=function(){return this},r;function i(e){a[e]&&(r[e]=function(t){return new Promise((function(n,r){o.push([e,t,n,r])>1||s(e,t)}))})}function s(e,t){try{(n=a[e](t)).value instanceof S?Promise.resolve(n.value.v).then(l,c):u(o[0][2],n)}catch(r){u(o[0][3],r)}var n}function l(e){s("next",e)}function c(e){s("throw",e)}function u(e,t){e(t),o.shift(),o.length&&s(o[0][0],o[0][1])}}function _(e){var t,n;return t={},r("next"),r("throw",(function(e){throw e})),r("return"),t[Symbol.iterator]=function(){return this},t;function r(r,a){t[r]=e[r]?function(t){return(n=!n)?{value:S(e[r](t)),done:!1}:a?a(t):t}:a}}function C(e){if(!Symbol.asyncIterator)throw new TypeError("Symbol.asyncIterator is not defined.");var t,n=e[Symbol.asyncIterator];return n?n.call(e):(e=b(e),t={},r("next"),r("throw"),r("return"),t[Symbol.asyncIterator]=function(){return this},t);function r(n){t[n]=e[n]&&function(t){return new Promise((function(r,a){(function(e,t,n,r){Promise.resolve(r).then((function(t){e({value:t,done:n})}),t)})(r,a,(t=e[n](t)).done,t.value)}))}}}function T(e,t){return Object.defineProperty?Object.defineProperty(e,"raw",{value:t}):e.raw=t,e}var j=Object.create?function(e,t){Object.defineProperty(e,"default",{enumerable:!0,value:t})}:function(e,t){e.default=t};function L(e){if(e&&e.__esModule)return e;var t={};if(null!=e)for(var n in e)"default"!==n&&Object.prototype.hasOwnProperty.call(e,n)&&g(t,e,n);return j(t,e),t}function R(e){return e&&e.__esModule?e:{default:e}}function N(e,t,n,r){if("a"===n&&!r)throw new TypeError("Private accessor was defined without a getter");if("function"==typeof t?e!==t||!r:!t.has(e))throw new TypeError("Cannot read private member from an object whose class did not declare it");return"m"===n?r:"a"===n?r.call(e):r?r.value:t.get(e)}function P(e,t,n,r,a){if("m"===r)throw new TypeError("Private method is not writable");if("a"===r&&!a)throw new TypeError("Private accessor was defined without a setter");if("function"==typeof t?e!==t||!a:!t.has(e))throw new TypeError("Cannot write private member to an object whose class did not declare it");return"a"===r?a.call(e,n):a?a.value=n:t.set(e,n),n}function A(e,t){if(null===t||"object"!=typeof t&&"function"!=typeof t)throw new TypeError("Cannot use 'in' operator on non-object");return"function"==typeof e?t===e:e.has(t)}function O(e,t,n){if(null!=t){if("object"!=typeof t&&"function"!=typeof t)throw new TypeError("Object expected.");var r;if(n){if(!Symbol.asyncDispose)throw new TypeError("Symbol.asyncDispose is not defined.");r=t[Symbol.asyncDispose]}if(void 0===r){if(!Symbol.dispose)throw new TypeError("Symbol.dispose is not defined.");r=t[Symbol.dispose]}if("function"!=typeof r)throw new TypeError("Object not disposable.");e.stack.push({value:t,dispose:r,async:n})}else n&&e.stack.push({async:!0});return t}var I="function"==typeof SuppressedError?SuppressedError:function(e,t,n){var r=new Error(n);return r.name="SuppressedError",r.error=e,r.suppressed=t,r};function D(e){function t(t){e.error=e.hasError?new I(t,e.error,"An error was suppressed during disposal."):t,e.hasError=!0}return function n(){for(;e.stack.length;){var r=e.stack.pop();try{var a=r.dispose&&r.dispose.call(r.value);if(r.async)return Promise.resolve(a).then(n,(function(e){return t(e),n()}))}catch(o){t(o)}}if(e.hasError)throw e.error}()}const F={__extends:a,__assign:o,__rest:i,__decorate:s,__param:l,__metadata:f,__awaiter:h,__generator:m,__createBinding:g,__exportStar:y,__values:b,__read:v,__spread:w,__spreadArrays:k,__spreadArray:x,__await:S,__asyncGenerator:E,__asyncDelegator:_,__asyncValues:C,__makeTemplateObject:T,__importStar:L,__importDefault:R,__classPrivateFieldGet:N,__classPrivateFieldSet:P,__classPrivateFieldIn:A,__addDisposableResource:O,__disposeResources:D}},7529:e=>{"use strict";e.exports={}},6887:e=>{"use strict";e.exports=JSON.parse('{"/search-822":{"__comp":"1a4e3797","__context":{"plugin":"138e0e15"}},"/-833":{"__comp":"5e95c892","__context":{"plugin":"aba21aa0"}},"/-0d3":{"__comp":"a7bd4aaa","__props":"22dd74f7"},"/-fa8":{"__comp":"a94703ab"},"/advanced-23a":{"__comp":"17896441","content":"395f47e2"},"/architecture-9fe":{"__comp":"17896441","content":"5281b7a2"},"/cli-3c8":{"__comp":"17896441","content":"9e39b1cd"},"/cli/agent-0b4":{"__comp":"17896441","content":"1be8dcfa"},"/cli/certificate-d90":{"__comp":"17896441","content":"6e9804bc"},"/cli/etcd-snapshot-6b4":{"__comp":"17896441","content":"36f34ab4"},"/cli/secrets-encrypt-493":{"__comp":"17896441","content":"179ec51e"},"/cli/server-fb0":{"__comp":"17896441","content":"4455f95b"},"/cli/token-028":{"__comp":"17896441","content":"2a65762c"},"/cluster-access-644":{"__comp":"17896441","content":"43077f1d"},"/datastore-53a":{"__comp":"17896441","content":"ab388925"},"/datastore/backup-restore-b35":{"__comp":"17896441","content":"ba3a957c"},"/datastore/cluster-loadbalancer-6d1":{"__comp":"17896441","content":"4a667cf9"},"/datastore/ha-6c2":{"__comp":"17896441","content":"ea0a4c6d"},"/datastore/ha-embedded-fc4":{"__comp":"17896441","content":"b36bdd38"},"/faq-9db":{"__comp":"17896441","content":"0480b142"},"/helm-1a5":{"__comp":"17896441","content":"0e4359fd"},"/installation-9b3":{"__comp":"17896441","content":"1e924268"},"/installation/airgap-dca":{"__comp":"17896441","content":"ec6f9153"},"/installation/configuration-2e0":{"__comp":"17896441","content":"97c4f258"},"/installation/packaged-components-615":{"__comp":"17896441","content":"65c5030c"},"/installation/private-registry-80b":{"__comp":"17896441","content":"10b61a3f"},"/installation/registry-mirror-c9a":{"__comp":"17896441","content":"5159b4a0"},"/installation/requirements-a58":{"__comp":"17896441","content":"ac75af2e"},"/installation/server-roles-5fe":{"__comp":"17896441","content":"f8eefdc6"},"/installation/uninstall-4dd":{"__comp":"17896441","content":"4fea1ac4"},"/known-issues-bdf":{"__comp":"17896441","content":"f319c6ab"},"/networking-a7c":{"__comp":"17896441","content":"ee75e821"},"/networking/basic-network-options-412":{"__comp":"17896441","content":"06dc01b4"},"/networking/distributed-multicloud-7e4":{"__comp":"17896441","content":"d8ab3227"},"/networking/multus-ipams-efa":{"__comp":"17896441","content":"17035653"},"/networking/networking-services-0f7":{"__comp":"17896441","content":"43e5cb58"},"/quick-start-e14":{"__comp":"17896441","content":"72e14192"},"/reference/env-variables-25e":{"__comp":"17896441","content":"6ab2c2e0"},"/reference/flag-deprecation-980":{"__comp":"17896441","content":"914a16f4"},"/reference/resource-profiling-537":{"__comp":"17896441","content":"fc39421f"},"/related-projects-02d":{"__comp":"17896441","content":"e7c9153a"},"/release-notes/v1.24.X-705":{"__comp":"17896441","content":"d123a91e"},"/release-notes/v1.25.X-641":{"__comp":"17896441","content":"9e7a009d"},"/release-notes/v1.26.X-b40":{"__comp":"17896441","content":"0ce5aa86"},"/release-notes/v1.27.X-f30":{"__comp":"17896441","content":"dd22e55f"},"/release-notes/v1.28.X-b85":{"__comp":"17896441","content":"2f797aa4"},"/release-notes/v1.29.X-558":{"__comp":"17896441","content":"0759a3f5"},"/release-notes/v1.30.X-be9":{"__comp":"17896441","content":"b8002741"},"/security-9f9":{"__comp":"17896441","content":"7b8e2475"},"/security/hardening-guide-f39":{"__comp":"17896441","content":"82f1aa93"},"/security/secrets-encryption-5a3":{"__comp":"17896441","content":"57d35c99"},"/security/self-assessment-1.23-1f4":{"__comp":"17896441","content":"9f491e05"},"/security/self-assessment-1.24-bad":{"__comp":"17896441","content":"ab60f49a"},"/security/self-assessment-1.7-ce4":{"__comp":"17896441","content":"5ea4afd8"},"/security/self-assessment-1.8-0cf":{"__comp":"17896441","content":"b9a30a37"},"/storage-598":{"__comp":"17896441","content":"41765d36"},"/upgrades-fe1":{"__comp":"17896441","content":"4e366d5e"},"/upgrades/automated-8c6":{"__comp":"17896441","content":"82406859"},"/upgrades/killall-25f":{"__comp":"17896441","content":"4aae9e46"},"/upgrades/manual-d9c":{"__comp":"17896441","content":"d8ed1217"},"/-e0a":{"__comp":"17896441","content":"a09c2993"}}')}},e=>{e.O(0,[532],(()=>{return t=2849,e(e.s=t);var t}));e.O()}]); \ No newline at end of file diff --git a/assets/js/main.b8228620.js.LICENSE.txt b/assets/js/main.58acbbc0.js.LICENSE.txt similarity index 100% rename from assets/js/main.b8228620.js.LICENSE.txt rename to assets/js/main.58acbbc0.js.LICENSE.txt diff --git a/assets/js/main.b8228620.js b/assets/js/main.b8228620.js deleted file mode 100644 index 40a41d43b..000000000 --- a/assets/js/main.b8228620.js +++ /dev/null @@ -1,2 +0,0 @@ -/*! For license information please see main.b8228620.js.LICENSE.txt */ -(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[179],{1728:(e,t,n)=>{"use strict";function r(e){var t,n,a="";if("string"==typeof e||"number"==typeof e)a+=e;else if("object"==typeof e)if(Array.isArray(e))for(t=0;t<e.length;t++)e[t]&&(n=r(e[t]))&&(a&&(a+=" "),a+=n);else for(t in e)e[t]&&(a&&(a+=" "),a+=t);return a}n.d(t,{Z:()=>a});const a=function(){for(var e,t,n=0,a="";n<arguments.length;)(e=arguments[n++])&&(t=r(e))&&(a&&(a+=" "),a+=t);return a}},723:(e,t,n)=>{"use strict";n.d(t,{Z:()=>p});n(7294);var r=n(8356),a=n.n(r),o=n(6887);const i={"0480b142":[()=>n.e(836).then(n.bind(n,9665)),"@site/docs/faq.md",9665],"06dc01b4":[()=>n.e(9233).then(n.bind(n,6516)),"@site/docs/networking/basic-network-options.md",6516],"0759a3f5":[()=>n.e(2409).then(n.bind(n,2714)),"@site/docs/release-notes/v1.29.X.md",2714],"0ce5aa86":[()=>n.e(1620).then(n.bind(n,3012)),"@site/docs/release-notes/v1.26.X.md",3012],"0e4359fd":[()=>n.e(9751).then(n.bind(n,8495)),"@site/docs/helm.md",8495],"10b61a3f":[()=>n.e(4902).then(n.bind(n,8040)),"@site/docs/installation/private-registry.md",8040],"138e0e15":[()=>n.e(9524).then(n.t.bind(n,536,19)),"@generated/@easyops-cn/docusaurus-search-local/default/__plugin.json",536],17035653:[()=>n.e(8380).then(n.bind(n,4877)),"@site/docs/networking/multus-ipams.md",4877],17896441:[()=>Promise.all([n.e(532),n.e(7837),n.e(7918)]).then(n.bind(n,9666)),"@theme/DocItem",9666],"179ec51e":[()=>n.e(7176).then(n.bind(n,6790)),"@site/docs/cli/secrets-encrypt.md",6790],"1a4e3797":[()=>Promise.all([n.e(532),n.e(7920)]).then(n.bind(n,2027)),"@theme/SearchPage",2027],"1be8dcfa":[()=>n.e(7628).then(n.bind(n,2023)),"@site/docs/cli/agent.md",2023],"1e924268":[()=>n.e(8614).then(n.bind(n,770)),"@site/docs/installation/installation.md",770],"22dd74f7":[()=>n.e(4980).then(n.t.bind(n,5904,19)),"@generated/docusaurus-plugin-content-docs/default/p/index-466.json",5904],"2a65762c":[()=>n.e(1430).then(n.bind(n,7084)),"@site/docs/cli/token.md",7084],"2f797aa4":[()=>n.e(101).then(n.bind(n,3989)),"@site/docs/release-notes/v1.28.X.md",3989],"36f34ab4":[()=>n.e(6155).then(n.bind(n,7406)),"@site/docs/cli/etcd-snapshot.md",7406],"395f47e2":[()=>n.e(6801).then(n.bind(n,793)),"@site/docs/advanced.md",793],"41765d36":[()=>n.e(1615).then(n.bind(n,99)),"@site/docs/storage.md",99],"43077f1d":[()=>n.e(8397).then(n.bind(n,8104)),"@site/docs/cluster-access.md",8104],"43e5cb58":[()=>n.e(4804).then(n.bind(n,8446)),"@site/docs/networking/networking-services.md",8446],"4455f95b":[()=>n.e(1340).then(n.bind(n,2644)),"@site/docs/cli/server.md",2644],"4a667cf9":[()=>n.e(9477).then(n.bind(n,8676)),"@site/docs/datastore/cluster-loadbalancer.md",8676],"4aae9e46":[()=>n.e(4443).then(n.bind(n,557)),"@site/docs/upgrades/killall.md",557],"4e366d5e":[()=>n.e(3595).then(n.bind(n,882)),"@site/docs/upgrades/upgrades.md",882],"4fea1ac4":[()=>n.e(1073).then(n.bind(n,8544)),"@site/docs/installation/uninstall.md",8544],"5159b4a0":[()=>n.e(9478).then(n.bind(n,7477)),"@site/docs/installation/registry-mirror.md",7477],"5281b7a2":[()=>n.e(5927).then(n.bind(n,6506)),"@site/docs/architecture.md",6506],"57d35c99":[()=>n.e(8005).then(n.bind(n,3548)),"@site/docs/security/secrets-encryption.md",3548],"5e95c892":[()=>n.e(9661).then(n.bind(n,1892)),"@theme/DocsRoot",1892],"5ea4afd8":[()=>n.e(9075).then(n.bind(n,7902)),"@site/docs/security/self-assessment-1.7.md",7902],"65c5030c":[()=>n.e(7733).then(n.bind(n,215)),"@site/docs/installation/packaged-components.md",215],"6ab2c2e0":[()=>n.e(981).then(n.bind(n,9414)),"@site/docs/reference/env-variables.md",9414],"6e9804bc":[()=>n.e(393).then(n.bind(n,1218)),"@site/docs/cli/certificate.md",1218],"72e14192":[()=>n.e(7239).then(n.bind(n,1658)),"@site/docs/quick-start.md",1658],"7b8e2475":[()=>n.e(79).then(n.bind(n,6498)),"@site/docs/security/security.md",6498],82406859:[()=>n.e(3319).then(n.bind(n,6758)),"@site/docs/upgrades/automated.md",6758],"82f1aa93":[()=>n.e(7709).then(n.bind(n,1587)),"@site/docs/security/hardening-guide.md",1587],"914a16f4":[()=>n.e(7626).then(n.bind(n,6050)),"@site/docs/reference/flag-deprecation.md",6050],"97c4f258":[()=>n.e(305).then(n.bind(n,8486)),"@site/docs/installation/configuration.md",8486],"9e39b1cd":[()=>n.e(7813).then(n.bind(n,4016)),"@site/docs/cli/cli.md",4016],"9e7a009d":[()=>n.e(7251).then(n.bind(n,6253)),"@site/docs/release-notes/v1.25.X.md",6253],"9f491e05":[()=>n.e(3189).then(n.bind(n,9297)),"@site/docs/security/self-assessment-1.23.md",9297],a09c2993:[()=>n.e(4128).then(n.bind(n,8152)),"@site/docs/introduction.md",8152],a7bd4aaa:[()=>n.e(8518).then(n.bind(n,8564)),"@theme/DocVersionRoot",8564],a94703ab:[()=>Promise.all([n.e(532),n.e(4368)]).then(n.bind(n,2674)),"@theme/DocRoot",2674],ab388925:[()=>n.e(4548).then(n.bind(n,9027)),"@site/docs/datastore/datastore.md",9027],ab60f49a:[()=>n.e(3555).then(n.bind(n,2688)),"@site/docs/security/self-assessment-1.24.md",2688],aba21aa0:[()=>n.e(3629).then(n.t.bind(n,1765,19)),"@generated/docusaurus-plugin-content-docs/default/__plugin.json",1765],ac75af2e:[()=>n.e(1199).then(n.bind(n,6455)),"@site/docs/installation/requirements.md",6455],b36bdd38:[()=>n.e(6895).then(n.bind(n,5020)),"@site/docs/datastore/ha-embedded.md",5020],b8002741:[()=>n.e(2573).then(n.bind(n,3338)),"@site/docs/release-notes/v1.30.X.md",3338],b9a30a37:[()=>n.e(2038).then(n.bind(n,9763)),"@site/docs/security/self-assessment-1.8.md",9763],ba3a957c:[()=>n.e(8776).then(n.bind(n,615)),"@site/docs/datastore/backup-restore.md",615],d123a91e:[()=>n.e(855).then(n.bind(n,5418)),"@site/docs/release-notes/v1.24.X.md",5418],d8ab3227:[()=>n.e(6501).then(n.bind(n,7953)),"@site/docs/networking/distributed-multicloud.md",7953],d8ed1217:[()=>n.e(2745).then(n.bind(n,7803)),"@site/docs/upgrades/manual.md",7803],dd22e55f:[()=>n.e(5668).then(n.bind(n,4840)),"@site/docs/release-notes/v1.27.X.md",4840],e7c9153a:[()=>n.e(7544).then(n.bind(n,1875)),"@site/docs/related-projects.md",1875],ea0a4c6d:[()=>n.e(791).then(n.bind(n,9555)),"@site/docs/datastore/ha.md",9555],ec6f9153:[()=>n.e(750).then(n.bind(n,4987)),"@site/docs/installation/airgap.md",4987],ee75e821:[()=>n.e(7893).then(n.bind(n,5380)),"@site/docs/networking/networking.md",5380],f319c6ab:[()=>n.e(8379).then(n.bind(n,1328)),"@site/docs/known-issues.md",1328],f8eefdc6:[()=>n.e(5234).then(n.bind(n,2435)),"@site/docs/installation/server-roles.md",2435],fc39421f:[()=>n.e(9778).then(n.bind(n,8573)),"@site/docs/reference/resource-profiling.md",8573]};var s=n(5893);function l(e){let{error:t,retry:n,pastDelay:r}=e;return t?(0,s.jsxs)("div",{style:{textAlign:"center",color:"#fff",backgroundColor:"#fa383e",borderColor:"#fa383e",borderStyle:"solid",borderRadius:"0.25rem",borderWidth:"1px",boxSizing:"border-box",display:"block",padding:"1rem",flex:"0 0 50%",marginLeft:"25%",marginRight:"25%",marginTop:"5rem",maxWidth:"50%",width:"100%"},children:[(0,s.jsx)("p",{children:String(t)}),(0,s.jsx)("div",{children:(0,s.jsx)("button",{type:"button",onClick:n,children:"Retry"})})]}):r?(0,s.jsx)("div",{style:{display:"flex",justifyContent:"center",alignItems:"center",height:"100vh"},children:(0,s.jsx)("svg",{id:"loader",style:{width:128,height:110,position:"absolute",top:"calc(100vh - 64%)"},viewBox:"0 0 45 45",xmlns:"http://www.w3.org/2000/svg",stroke:"#61dafb",children:(0,s.jsxs)("g",{fill:"none",fillRule:"evenodd",transform:"translate(1 1)",strokeWidth:"2",children:[(0,s.jsxs)("circle",{cx:"22",cy:"22",r:"6",strokeOpacity:"0",children:[(0,s.jsx)("animate",{attributeName:"r",begin:"1.5s",dur:"3s",values:"6;22",calcMode:"linear",repeatCount:"indefinite"}),(0,s.jsx)("animate",{attributeName:"stroke-opacity",begin:"1.5s",dur:"3s",values:"1;0",calcMode:"linear",repeatCount:"indefinite"}),(0,s.jsx)("animate",{attributeName:"stroke-width",begin:"1.5s",dur:"3s",values:"2;0",calcMode:"linear",repeatCount:"indefinite"})]}),(0,s.jsxs)("circle",{cx:"22",cy:"22",r:"6",strokeOpacity:"0",children:[(0,s.jsx)("animate",{attributeName:"r",begin:"3s",dur:"3s",values:"6;22",calcMode:"linear",repeatCount:"indefinite"}),(0,s.jsx)("animate",{attributeName:"stroke-opacity",begin:"3s",dur:"3s",values:"1;0",calcMode:"linear",repeatCount:"indefinite"}),(0,s.jsx)("animate",{attributeName:"stroke-width",begin:"3s",dur:"3s",values:"2;0",calcMode:"linear",repeatCount:"indefinite"})]}),(0,s.jsx)("circle",{cx:"22",cy:"22",r:"8",children:(0,s.jsx)("animate",{attributeName:"r",begin:"0s",dur:"1.5s",values:"6;1;2;3;4;5;6",calcMode:"linear",repeatCount:"indefinite"})})]})})}):null}var c=n(9670),u=n(226);function d(e,t){if("*"===e)return a()({loading:l,loader:()=>n.e(1772).then(n.bind(n,1772)),modules:["@theme/NotFound"],webpack:()=>[1772],render(e,t){const n=e.default;return(0,s.jsx)(u.z,{value:{plugin:{name:"native",id:"default"}},children:(0,s.jsx)(n,{...t})})}});const r=o[`${e}-${t}`],d={},p=[],f=[],h=(0,c.Z)(r);return Object.entries(h).forEach((e=>{let[t,n]=e;const r=i[n];r&&(d[t]=r[0],p.push(r[1]),f.push(r[2]))})),a().Map({loading:l,loader:d,modules:p,webpack:()=>f,render(t,n){const a=JSON.parse(JSON.stringify(r));Object.entries(t).forEach((t=>{let[n,r]=t;const o=r.default;if(!o)throw new Error(`The page component at ${e} doesn't have a default export. This makes it impossible to render anything. Consider default-exporting a React component.`);"object"!=typeof o&&"function"!=typeof o||Object.keys(r).filter((e=>"default"!==e)).forEach((e=>{o[e]=r[e]}));let i=a;const s=n.split(".");s.slice(0,-1).forEach((e=>{i=i[e]})),i[s[s.length-1]]=o}));const o=a.__comp;delete a.__comp;const i=a.__context;delete a.__context;const l=a.__props;return delete a.__props,(0,s.jsx)(u.z,{value:i,children:(0,s.jsx)(o,{...a,...l,...n})})}})}const p=[{path:"/search",component:d("/search","822"),exact:!0},{path:"/",component:d("/","bbf"),routes:[{path:"/",component:d("/","6dc"),routes:[{path:"/",component:d("/","1b4"),routes:[{path:"/advanced",component:d("/advanced","e66"),exact:!0,sidebar:"mySidebar"},{path:"/architecture",component:d("/architecture","9f8"),exact:!0,sidebar:"mySidebar"},{path:"/cli",component:d("/cli","8e7"),exact:!0,sidebar:"mySidebar"},{path:"/cli/agent",component:d("/cli/agent","685"),exact:!0,sidebar:"mySidebar"},{path:"/cli/certificate",component:d("/cli/certificate","8ed"),exact:!0,sidebar:"mySidebar"},{path:"/cli/etcd-snapshot",component:d("/cli/etcd-snapshot","fa1"),exact:!0,sidebar:"mySidebar"},{path:"/cli/secrets-encrypt",component:d("/cli/secrets-encrypt","85b"),exact:!0,sidebar:"mySidebar"},{path:"/cli/server",component:d("/cli/server","ed8"),exact:!0,sidebar:"mySidebar"},{path:"/cli/token",component:d("/cli/token","88a"),exact:!0,sidebar:"mySidebar"},{path:"/cluster-access",component:d("/cluster-access","935"),exact:!0,sidebar:"mySidebar"},{path:"/datastore",component:d("/datastore","6f5"),exact:!0,sidebar:"mySidebar"},{path:"/datastore/backup-restore",component:d("/datastore/backup-restore","f6b"),exact:!0,sidebar:"mySidebar"},{path:"/datastore/cluster-loadbalancer",component:d("/datastore/cluster-loadbalancer","2a5"),exact:!0,sidebar:"mySidebar"},{path:"/datastore/ha",component:d("/datastore/ha","729"),exact:!0,sidebar:"mySidebar"},{path:"/datastore/ha-embedded",component:d("/datastore/ha-embedded","a60"),exact:!0,sidebar:"mySidebar"},{path:"/faq",component:d("/faq","62f"),exact:!0,sidebar:"mySidebar"},{path:"/helm",component:d("/helm","0a0"),exact:!0,sidebar:"mySidebar"},{path:"/installation",component:d("/installation","80a"),exact:!0,sidebar:"mySidebar"},{path:"/installation/airgap",component:d("/installation/airgap","54e"),exact:!0,sidebar:"mySidebar"},{path:"/installation/configuration",component:d("/installation/configuration","dd2"),exact:!0,sidebar:"mySidebar"},{path:"/installation/packaged-components",component:d("/installation/packaged-components","2a2"),exact:!0,sidebar:"mySidebar"},{path:"/installation/private-registry",component:d("/installation/private-registry","aca"),exact:!0,sidebar:"mySidebar"},{path:"/installation/registry-mirror",component:d("/installation/registry-mirror","a6a"),exact:!0,sidebar:"mySidebar"},{path:"/installation/requirements",component:d("/installation/requirements","2a6"),exact:!0,sidebar:"mySidebar"},{path:"/installation/server-roles",component:d("/installation/server-roles","0ed"),exact:!0,sidebar:"mySidebar"},{path:"/installation/uninstall",component:d("/installation/uninstall","c41"),exact:!0,sidebar:"mySidebar"},{path:"/known-issues",component:d("/known-issues","c3b"),exact:!0,sidebar:"mySidebar"},{path:"/networking",component:d("/networking","5dc"),exact:!0,sidebar:"mySidebar"},{path:"/networking/basic-network-options",component:d("/networking/basic-network-options","7b3"),exact:!0,sidebar:"mySidebar"},{path:"/networking/distributed-multicloud",component:d("/networking/distributed-multicloud","5bf"),exact:!0,sidebar:"mySidebar"},{path:"/networking/multus-ipams",component:d("/networking/multus-ipams","87a"),exact:!0,sidebar:"mySidebar"},{path:"/networking/networking-services",component:d("/networking/networking-services","c8e"),exact:!0,sidebar:"mySidebar"},{path:"/quick-start",component:d("/quick-start","69e"),exact:!0,sidebar:"mySidebar"},{path:"/reference/env-variables",component:d("/reference/env-variables","b04"),exact:!0,sidebar:"mySidebar"},{path:"/reference/flag-deprecation",component:d("/reference/flag-deprecation","403"),exact:!0,sidebar:"mySidebar"},{path:"/reference/resource-profiling",component:d("/reference/resource-profiling","45b"),exact:!0,sidebar:"mySidebar"},{path:"/related-projects",component:d("/related-projects","bc2"),exact:!0,sidebar:"mySidebar"},{path:"/release-notes/v1.24.X",component:d("/release-notes/v1.24.X","a8a"),exact:!0,sidebar:"mySidebar"},{path:"/release-notes/v1.25.X",component:d("/release-notes/v1.25.X","463"),exact:!0,sidebar:"mySidebar"},{path:"/release-notes/v1.26.X",component:d("/release-notes/v1.26.X","883"),exact:!0,sidebar:"mySidebar"},{path:"/release-notes/v1.27.X",component:d("/release-notes/v1.27.X","04f"),exact:!0,sidebar:"mySidebar"},{path:"/release-notes/v1.28.X",component:d("/release-notes/v1.28.X","a86"),exact:!0,sidebar:"mySidebar"},{path:"/release-notes/v1.29.X",component:d("/release-notes/v1.29.X","569"),exact:!0,sidebar:"mySidebar"},{path:"/release-notes/v1.30.X",component:d("/release-notes/v1.30.X","cca"),exact:!0,sidebar:"mySidebar"},{path:"/security",component:d("/security","32f"),exact:!0,sidebar:"mySidebar"},{path:"/security/hardening-guide",component:d("/security/hardening-guide","f0a"),exact:!0,sidebar:"mySidebar"},{path:"/security/secrets-encryption",component:d("/security/secrets-encryption","2d5"),exact:!0,sidebar:"mySidebar"},{path:"/security/self-assessment-1.23",component:d("/security/self-assessment-1.23","17e"),exact:!0},{path:"/security/self-assessment-1.24",component:d("/security/self-assessment-1.24","170"),exact:!0,sidebar:"mySidebar"},{path:"/security/self-assessment-1.7",component:d("/security/self-assessment-1.7","823"),exact:!0,sidebar:"mySidebar"},{path:"/security/self-assessment-1.8",component:d("/security/self-assessment-1.8","fd5"),exact:!0,sidebar:"mySidebar"},{path:"/storage",component:d("/storage","997"),exact:!0,sidebar:"mySidebar"},{path:"/upgrades",component:d("/upgrades","6ba"),exact:!0,sidebar:"mySidebar"},{path:"/upgrades/automated",component:d("/upgrades/automated","0da"),exact:!0,sidebar:"mySidebar"},{path:"/upgrades/killall",component:d("/upgrades/killall","39c"),exact:!0,sidebar:"mySidebar"},{path:"/upgrades/manual",component:d("/upgrades/manual","534"),exact:!0,sidebar:"mySidebar"},{path:"/",component:d("/","3f9"),exact:!0,sidebar:"mySidebar"}]}]}]},{path:"*",component:d("*")}]},8934:(e,t,n)=>{"use strict";n.d(t,{_:()=>o,t:()=>i});var r=n(7294),a=n(5893);const o=r.createContext(!1);function i(e){let{children:t}=e;const[n,i]=(0,r.useState)(!1);return(0,r.useEffect)((()=>{i(!0)}),[]),(0,a.jsx)(o.Provider,{value:n,children:t})}},7221:(e,t,n)=>{"use strict";var r=n(7294),a=n(745),o=n(405),i=n(3727),s=n(6809),l=n(412);const c=[n(2497),n(3310),n(8320),n(2295)];var u=n(723),d=n(6550),p=n(8790),f=n(5893);function h(e){let{children:t}=e;return(0,f.jsx)(f.Fragment,{children:t})}var m=n(5742),g=n(2263),y=n(4996),b=n(6668),v=n(1944),w=n(4711),k=n(9727),x=n(3320),S=n(8780),E=n(197);function C(){const{i18n:{currentLocale:e,defaultLocale:t,localeConfigs:n}}=(0,g.Z)(),r=(0,w.l)(),a=n[e].htmlLang,o=e=>e.replace("-","_");return(0,f.jsxs)(m.Z,{children:[Object.entries(n).map((e=>{let[t,{htmlLang:n}]=e;return(0,f.jsx)("link",{rel:"alternate",href:r.createUrl({locale:t,fullyQualified:!0}),hrefLang:n},t)})),(0,f.jsx)("link",{rel:"alternate",href:r.createUrl({locale:t,fullyQualified:!0}),hrefLang:"x-default"}),(0,f.jsx)("meta",{property:"og:locale",content:o(a)}),Object.values(n).filter((e=>a!==e.htmlLang)).map((e=>(0,f.jsx)("meta",{property:"og:locale:alternate",content:o(e.htmlLang)},`meta-og-${e.htmlLang}`)))]})}function _(e){let{permalink:t}=e;const{siteConfig:{url:n}}=(0,g.Z)(),r=function(){const{siteConfig:{url:e,baseUrl:t,trailingSlash:n}}=(0,g.Z)(),{pathname:r}=(0,d.TH)();return e+(0,S.applyTrailingSlash)((0,y.ZP)(r),{trailingSlash:n,baseUrl:t})}(),a=t?`${n}${t}`:r;return(0,f.jsxs)(m.Z,{children:[(0,f.jsx)("meta",{property:"og:url",content:a}),(0,f.jsx)("link",{rel:"canonical",href:a})]})}function T(){const{i18n:{currentLocale:e}}=(0,g.Z)(),{metadata:t,image:n}=(0,b.L)();return(0,f.jsxs)(f.Fragment,{children:[(0,f.jsxs)(m.Z,{children:[(0,f.jsx)("meta",{name:"twitter:card",content:"summary_large_image"}),(0,f.jsx)("body",{className:k.h})]}),n&&(0,f.jsx)(v.d,{image:n}),(0,f.jsx)(_,{}),(0,f.jsx)(C,{}),(0,f.jsx)(E.Z,{tag:x.HX,locale:e}),(0,f.jsx)(m.Z,{children:t.map(((e,t)=>(0,f.jsx)("meta",{...e},t)))})]})}const L=new Map;var R=n(8934),j=n(8940),N=n(469);function P(e){for(var t=arguments.length,n=new Array(t>1?t-1:0),r=1;r<t;r++)n[r-1]=arguments[r];const a=c.map((t=>{const r=t.default?.[e]??t[e];return r?.(...n)}));return()=>a.forEach((e=>e?.()))}const A=function(e){let{children:t,location:n,previousLocation:r}=e;return(0,N.Z)((()=>{r!==n&&(!function(e){let{location:t,previousLocation:n}=e;if(!n)return;const r=t.pathname===n.pathname,a=t.hash===n.hash,o=t.search===n.search;if(r&&a&&!o)return;const{hash:i}=t;if(i){const e=decodeURIComponent(i.substring(1)),t=document.getElementById(e);t?.scrollIntoView()}else window.scrollTo(0,0)}({location:n,previousLocation:r}),P("onRouteDidUpdate",{previousLocation:r,location:n}))}),[r,n]),t};function O(e){const t=Array.from(new Set([e,decodeURI(e)])).map((e=>(0,p.f)(u.Z,e))).flat();return Promise.all(t.map((e=>e.route.component.preload?.())))}class I extends r.Component{previousLocation;routeUpdateCleanupCb;constructor(e){super(e),this.previousLocation=null,this.routeUpdateCleanupCb=l.Z.canUseDOM?P("onRouteUpdate",{previousLocation:null,location:this.props.location}):()=>{},this.state={nextRouteHasLoaded:!0}}shouldComponentUpdate(e,t){if(e.location===this.props.location)return t.nextRouteHasLoaded;const n=e.location;return this.previousLocation=this.props.location,this.setState({nextRouteHasLoaded:!1}),this.routeUpdateCleanupCb=P("onRouteUpdate",{previousLocation:this.previousLocation,location:n}),O(n.pathname).then((()=>{this.routeUpdateCleanupCb(),this.setState({nextRouteHasLoaded:!0})})).catch((e=>{console.warn(e),window.location.reload()})),!1}render(){const{children:e,location:t}=this.props;return(0,f.jsx)(A,{previousLocation:this.previousLocation,location:t,children:(0,f.jsx)(d.AW,{location:t,render:()=>e})})}}const D=I,F="__docusaurus-base-url-issue-banner-container",M="__docusaurus-base-url-issue-banner",z="__docusaurus-base-url-issue-banner-suggestion-container";function B(e){return`\ndocument.addEventListener('DOMContentLoaded', function maybeInsertBanner() {\n var shouldInsert = typeof window['docusaurus'] === 'undefined';\n shouldInsert && insertBanner();\n});\n\nfunction insertBanner() {\n var bannerContainer = document.createElement('div');\n bannerContainer.id = '${F}';\n var bannerHtml = ${JSON.stringify(function(e){return`\n<div id="${M}" style="border: thick solid red; background-color: rgb(255, 230, 179); margin: 20px; padding: 20px; font-size: 20px;">\n <p style="font-weight: bold; font-size: 30px;">Your Docusaurus site did not load properly.</p>\n <p>A very common reason is a wrong site <a href="https://docusaurus.io/docs/docusaurus.config.js/#baseUrl" style="font-weight: bold;">baseUrl configuration</a>.</p>\n <p>Current configured baseUrl = <span style="font-weight: bold; color: red;">${e}</span> ${"/"===e?" (default value)":""}</p>\n <p>We suggest trying baseUrl = <span id="${z}" style="font-weight: bold; color: green;"></span></p>\n</div>\n`}(e)).replace(/</g,"\\<")};\n bannerContainer.innerHTML = bannerHtml;\n document.body.prepend(bannerContainer);\n var suggestionContainer = document.getElementById('${z}');\n var actualHomePagePath = window.location.pathname;\n var suggestedBaseUrl = actualHomePagePath.substr(-1) === '/'\n ? actualHomePagePath\n : actualHomePagePath + '/';\n suggestionContainer.innerHTML = suggestedBaseUrl;\n}\n`}function $(){const{siteConfig:{baseUrl:e}}=(0,g.Z)();return(0,f.jsx)(f.Fragment,{children:!l.Z.canUseDOM&&(0,f.jsx)(m.Z,{children:(0,f.jsx)("script",{children:B(e)})})})}function U(){const{siteConfig:{baseUrl:e,baseUrlIssueBanner:t}}=(0,g.Z)(),{pathname:n}=(0,d.TH)();return t&&n===e?(0,f.jsx)($,{}):null}function q(){const{siteConfig:{favicon:e,title:t,noIndex:n},i18n:{currentLocale:r,localeConfigs:a}}=(0,g.Z)(),o=(0,y.ZP)(e),{htmlLang:i,direction:s}=a[r];return(0,f.jsxs)(m.Z,{children:[(0,f.jsx)("html",{lang:i,dir:s}),(0,f.jsx)("title",{children:t}),(0,f.jsx)("meta",{property:"og:title",content:t}),(0,f.jsx)("meta",{name:"viewport",content:"width=device-width, initial-scale=1.0"}),n&&(0,f.jsx)("meta",{name:"robots",content:"noindex, nofollow"}),e&&(0,f.jsx)("link",{rel:"icon",href:o})]})}var H=n(4763),Q=n(2389);function Z(){const e=(0,Q.Z)();return(0,f.jsx)(m.Z,{children:(0,f.jsx)("html",{"data-has-hydrated":e})})}const W=(0,p.H)(u.Z);function V(){const e=function(e){if(L.has(e.pathname))return{...e,pathname:L.get(e.pathname)};if((0,p.f)(u.Z,e.pathname).some((e=>{let{route:t}=e;return!0===t.exact})))return L.set(e.pathname,e.pathname),e;const t=e.pathname.trim().replace(/(?:\/index)?\.html$/,"")||"/";return L.set(e.pathname,t),{...e,pathname:t}}((0,d.TH)());return(0,f.jsx)(D,{location:e,children:W})}function G(){return(0,f.jsx)(H.Z,{children:(0,f.jsx)(j.M,{children:(0,f.jsxs)(R.t,{children:[(0,f.jsxs)(h,{children:[(0,f.jsx)(q,{}),(0,f.jsx)(T,{}),(0,f.jsx)(U,{}),(0,f.jsx)(V,{})]}),(0,f.jsx)(Z,{})]})})})}var X=n(6887);const K=function(e){try{return document.createElement("link").relList.supports(e)}catch{return!1}}("prefetch")?function(e){return new Promise(((t,n)=>{if("undefined"==typeof document)return void n();const r=document.createElement("link");r.setAttribute("rel","prefetch"),r.setAttribute("href",e),r.onload=()=>t(),r.onerror=()=>n();const a=document.getElementsByTagName("head")[0]??document.getElementsByName("script")[0]?.parentNode;a?.appendChild(r)}))}:function(e){return new Promise(((t,n)=>{const r=new XMLHttpRequest;r.open("GET",e,!0),r.withCredentials=!0,r.onload=()=>{200===r.status?t():n()},r.send(null)}))};var Y=n(9670);const J=new Set,ee=new Set,te=()=>navigator.connection?.effectiveType.includes("2g")||navigator.connection?.saveData,ne={prefetch:e=>{if(!(e=>!te()&&!ee.has(e)&&!J.has(e))(e))return!1;J.add(e);const t=(0,p.f)(u.Z,e).flatMap((e=>{return t=e.route.path,Object.entries(X).filter((e=>{let[n]=e;return n.replace(/-[^-]+$/,"")===t})).flatMap((e=>{let[,t]=e;return Object.values((0,Y.Z)(t))}));var t}));return Promise.all(t.map((e=>{const t=n.gca(e);return t&&!t.includes("undefined")?K(t).catch((()=>{})):Promise.resolve()})))},preload:e=>!!(e=>!te()&&!ee.has(e))(e)&&(ee.add(e),O(e))},re=Object.freeze(ne);function ae(e){let{children:t}=e;return"hash"===s.default.future.experimental_router?(0,f.jsx)(i.UT,{children:t}):(0,f.jsx)(i.VK,{children:t})}const oe=Boolean(!0);if(l.Z.canUseDOM){window.docusaurus=re;const e=document.getElementById("__docusaurus"),t=(0,f.jsx)(o.B6,{children:(0,f.jsx)(ae,{children:(0,f.jsx)(G,{})})}),n=(e,t)=>{console.error("Docusaurus React Root onRecoverableError:",e,t)},i=()=>{if(window.docusaurusRoot)window.docusaurusRoot.render(t);else if(oe)window.docusaurusRoot=a.hydrateRoot(e,t,{onRecoverableError:n});else{const r=a.createRoot(e,{onRecoverableError:n});r.render(t),window.docusaurusRoot=r}};O(window.location.pathname).then((()=>{(0,r.startTransition)(i)}))}},8940:(e,t,n)=>{"use strict";n.d(t,{_:()=>d,M:()=>p});var r=n(7294),a=n(6809);const o=JSON.parse('{"docusaurus-plugin-content-docs":{"default":{"path":"/","versions":[{"name":"current","label":"Next","isLast":true,"path":"/","mainDocId":"introduction","docs":[{"id":"advanced","path":"/advanced","sidebar":"mySidebar"},{"id":"architecture","path":"/architecture","sidebar":"mySidebar"},{"id":"cli/agent","path":"/cli/agent","sidebar":"mySidebar"},{"id":"cli/certificate","path":"/cli/certificate","sidebar":"mySidebar"},{"id":"cli/cli","path":"/cli/","sidebar":"mySidebar"},{"id":"cli/etcd-snapshot","path":"/cli/etcd-snapshot","sidebar":"mySidebar"},{"id":"cli/secrets-encrypt","path":"/cli/secrets-encrypt","sidebar":"mySidebar"},{"id":"cli/server","path":"/cli/server","sidebar":"mySidebar"},{"id":"cli/token","path":"/cli/token","sidebar":"mySidebar"},{"id":"cluster-access","path":"/cluster-access","sidebar":"mySidebar"},{"id":"datastore/backup-restore","path":"/datastore/backup-restore","sidebar":"mySidebar"},{"id":"datastore/cluster-loadbalancer","path":"/datastore/cluster-loadbalancer","sidebar":"mySidebar"},{"id":"datastore/datastore","path":"/datastore/","sidebar":"mySidebar"},{"id":"datastore/ha","path":"/datastore/ha","sidebar":"mySidebar"},{"id":"datastore/ha-embedded","path":"/datastore/ha-embedded","sidebar":"mySidebar"},{"id":"faq","path":"/faq","sidebar":"mySidebar"},{"id":"helm","path":"/helm","sidebar":"mySidebar"},{"id":"installation/airgap","path":"/installation/airgap","sidebar":"mySidebar"},{"id":"installation/configuration","path":"/installation/configuration","sidebar":"mySidebar"},{"id":"installation/installation","path":"/installation/","sidebar":"mySidebar"},{"id":"installation/packaged-components","path":"/installation/packaged-components","sidebar":"mySidebar"},{"id":"installation/private-registry","path":"/installation/private-registry","sidebar":"mySidebar"},{"id":"installation/registry-mirror","path":"/installation/registry-mirror","sidebar":"mySidebar"},{"id":"installation/requirements","path":"/installation/requirements","sidebar":"mySidebar"},{"id":"installation/server-roles","path":"/installation/server-roles","sidebar":"mySidebar"},{"id":"installation/uninstall","path":"/installation/uninstall","sidebar":"mySidebar"},{"id":"introduction","path":"/","sidebar":"mySidebar"},{"id":"known-issues","path":"/known-issues","sidebar":"mySidebar"},{"id":"networking/basic-network-options","path":"/networking/basic-network-options","sidebar":"mySidebar"},{"id":"networking/distributed-multicloud","path":"/networking/distributed-multicloud","sidebar":"mySidebar"},{"id":"networking/multus-ipams","path":"/networking/multus-ipams","sidebar":"mySidebar"},{"id":"networking/networking","path":"/networking/","sidebar":"mySidebar"},{"id":"networking/networking-services","path":"/networking/networking-services","sidebar":"mySidebar"},{"id":"quick-start","path":"/quick-start","sidebar":"mySidebar"},{"id":"reference/env-variables","path":"/reference/env-variables","sidebar":"mySidebar"},{"id":"reference/flag-deprecation","path":"/reference/flag-deprecation","sidebar":"mySidebar"},{"id":"reference/resource-profiling","path":"/reference/resource-profiling","sidebar":"mySidebar"},{"id":"related-projects","path":"/related-projects","sidebar":"mySidebar"},{"id":"release-notes/v1.24.X","path":"/release-notes/v1.24.X","sidebar":"mySidebar"},{"id":"release-notes/v1.25.X","path":"/release-notes/v1.25.X","sidebar":"mySidebar"},{"id":"release-notes/v1.26.X","path":"/release-notes/v1.26.X","sidebar":"mySidebar"},{"id":"release-notes/v1.27.X","path":"/release-notes/v1.27.X","sidebar":"mySidebar"},{"id":"release-notes/v1.28.X","path":"/release-notes/v1.28.X","sidebar":"mySidebar"},{"id":"release-notes/v1.29.X","path":"/release-notes/v1.29.X","sidebar":"mySidebar"},{"id":"release-notes/v1.30.X","path":"/release-notes/v1.30.X","sidebar":"mySidebar"},{"id":"security/hardening-guide","path":"/security/hardening-guide","sidebar":"mySidebar"},{"id":"security/secrets-encryption","path":"/security/secrets-encryption","sidebar":"mySidebar"},{"id":"security/security","path":"/security/","sidebar":"mySidebar"},{"id":"security/self-assessment-1.23","path":"/security/self-assessment-1.23"},{"id":"security/self-assessment-1.24","path":"/security/self-assessment-1.24","sidebar":"mySidebar"},{"id":"security/self-assessment-1.7","path":"/security/self-assessment-1.7","sidebar":"mySidebar"},{"id":"security/self-assessment-1.8","path":"/security/self-assessment-1.8","sidebar":"mySidebar"},{"id":"storage","path":"/storage","sidebar":"mySidebar"},{"id":"upgrades/automated","path":"/upgrades/automated","sidebar":"mySidebar"},{"id":"upgrades/killall","path":"/upgrades/killall","sidebar":"mySidebar"},{"id":"upgrades/manual","path":"/upgrades/manual","sidebar":"mySidebar"},{"id":"upgrades/upgrades","path":"/upgrades/","sidebar":"mySidebar"}],"draftIds":[],"sidebars":{"mySidebar":{"link":{"path":"/","label":"introduction"}}}}],"breadcrumbs":true}}}'),i=JSON.parse('{"defaultLocale":"en","locales":["en","zh","kr"],"path":"i18n","currentLocale":"en","localeConfigs":{"en":{"label":"English","direction":"ltr","htmlLang":"en","calendar":"gregory","path":"en"},"zh":{"label":"\u7b80\u4f53\u4e2d\u6587","direction":"ltr","htmlLang":"zh","calendar":"gregory","path":"zh"},"kr":{"label":"\ud55c\uad6d\uc5b4","direction":"ltr","htmlLang":"kr","calendar":"gregory","path":"kr"}}}');var s=n(7529);const l=JSON.parse('{"docusaurusVersion":"3.4.0","siteVersion":"0.0.1","pluginVersions":{"docusaurus-plugin-content-docs":{"type":"package","name":"@docusaurus/plugin-content-docs","version":"3.4.0"},"docusaurus-plugin-content-pages":{"type":"package","name":"@docusaurus/plugin-content-pages","version":"3.4.0"},"docusaurus-plugin-sitemap":{"type":"package","name":"@docusaurus/plugin-sitemap","version":"3.4.0"},"docusaurus-theme-classic":{"type":"package","name":"@docusaurus/theme-classic","version":"3.4.0"},"docusaurus-plugin-client-redirects":{"type":"package","name":"@docusaurus/plugin-client-redirects","version":"3.4.0"},"docusaurus-theme-mermaid":{"type":"package","name":"@docusaurus/theme-mermaid","version":"3.4.0"},"@easyops-cn/docusaurus-search-local":{"type":"package","name":"@easyops-cn/docusaurus-search-local","version":"0.44.4"}}}');var c=n(5893);const u={siteConfig:a.default,siteMetadata:l,globalData:o,i18n:i,codeTranslations:s},d=r.createContext(u);function p(e){let{children:t}=e;return(0,c.jsx)(d.Provider,{value:u,children:t})}},4763:(e,t,n)=>{"use strict";n.d(t,{Z:()=>m});var r=n(7294),a=n(412),o=n(5742),i=n(8780),s=n(2315),l=n(226),c=n(5893);function u(e){let{error:t,tryAgain:n}=e;return(0,c.jsxs)("div",{style:{display:"flex",flexDirection:"column",justifyContent:"center",alignItems:"flex-start",minHeight:"100vh",width:"100%",maxWidth:"80ch",fontSize:"20px",margin:"0 auto",padding:"1rem"},children:[(0,c.jsx)("h1",{style:{fontSize:"3rem"},children:"This page crashed"}),(0,c.jsx)("button",{type:"button",onClick:n,style:{margin:"1rem 0",fontSize:"2rem",cursor:"pointer",borderRadius:20,padding:"1rem"},children:"Try again"}),(0,c.jsx)(d,{error:t})]})}function d(e){let{error:t}=e;const n=(0,i.getErrorCausalChain)(t).map((e=>e.message)).join("\n\nCause:\n");return(0,c.jsx)("p",{style:{whiteSpace:"pre-wrap"},children:n})}function p(e){let{children:t}=e;return(0,c.jsx)(l.z,{value:{plugin:{name:"docusaurus-core-error-boundary",id:"default"}},children:t})}function f(e){let{error:t,tryAgain:n}=e;return(0,c.jsx)(p,{children:(0,c.jsxs)(m,{fallback:()=>(0,c.jsx)(u,{error:t,tryAgain:n}),children:[(0,c.jsx)(o.Z,{children:(0,c.jsx)("title",{children:"Page Error"})}),(0,c.jsx)(s.Z,{children:(0,c.jsx)(u,{error:t,tryAgain:n})})]})})}const h=e=>(0,c.jsx)(f,{...e});class m extends r.Component{constructor(e){super(e),this.state={error:null}}componentDidCatch(e){a.Z.canUseDOM&&this.setState({error:e})}render(){const{children:e}=this.props,{error:t}=this.state;if(t){const e={error:t,tryAgain:()=>this.setState({error:null})};return(this.props.fallback??h)(e)}return e??null}}},412:(e,t,n)=>{"use strict";n.d(t,{Z:()=>a});const r="undefined"!=typeof window&&"document"in window&&"createElement"in window.document,a={canUseDOM:r,canUseEventListeners:r&&("addEventListener"in window||"attachEvent"in window),canUseIntersectionObserver:r&&"IntersectionObserver"in window,canUseViewport:r&&"screen"in window}},5742:(e,t,n)=>{"use strict";n.d(t,{Z:()=>o});n(7294);var r=n(405),a=n(5893);function o(e){return(0,a.jsx)(r.ql,{...e})}},3692:(e,t,n)=>{"use strict";n.d(t,{Z:()=>f});var r=n(7294),a=n(3727),o=n(8780),i=n(2263),s=n(3919),l=n(412),c=n(8138),u=n(4996),d=n(5893);function p(e,t){let{isNavLink:n,to:p,href:f,activeClassName:h,isActive:m,"data-noBrokenLinkCheck":g,autoAddBaseUrl:y=!0,...b}=e;const{siteConfig:v}=(0,i.Z)(),{trailingSlash:w,baseUrl:k}=v,x=v.future.experimental_router,{withBaseUrl:S}=(0,u.Cg)(),E=(0,c.Z)(),C=(0,r.useRef)(null);(0,r.useImperativeHandle)(t,(()=>C.current));const _=p||f;const T=(0,s.Z)(_),L=_?.replace("pathname://","");let R=void 0!==L?(j=L,y&&(e=>e.startsWith("/"))(j)?S(j):j):void 0;var j;"hash"===x&&R?.startsWith("./")&&(R=R?.slice(1)),R&&T&&(R=(0,o.applyTrailingSlash)(R,{trailingSlash:w,baseUrl:k}));const N=(0,r.useRef)(!1),P=n?a.OL:a.rU,A=l.Z.canUseIntersectionObserver,O=(0,r.useRef)(),I=()=>{N.current||null==R||(window.docusaurus.preload(R),N.current=!0)};(0,r.useEffect)((()=>(!A&&T&&null!=R&&window.docusaurus.prefetch(R),()=>{A&&O.current&&O.current.disconnect()})),[O,R,A,T]);const D=R?.startsWith("#")??!1,F=!b.target||"_self"===b.target,M=!R||!T||!F;return g||!D&&M||E.collectLink(R),b.id&&E.collectAnchor(b.id),M?(0,d.jsx)("a",{ref:C,href:R,..._&&!T&&{target:"_blank",rel:"noopener noreferrer"},...b}):(0,d.jsx)(P,{...b,onMouseEnter:I,onTouchStart:I,innerRef:e=>{C.current=e,A&&e&&T&&(O.current=new window.IntersectionObserver((t=>{t.forEach((t=>{e===t.target&&(t.isIntersecting||t.intersectionRatio>0)&&(O.current.unobserve(e),O.current.disconnect(),null!=R&&window.docusaurus.prefetch(R))}))})),O.current.observe(e))},to:R,...n&&{isActive:m,activeClassName:h}})}const f=r.forwardRef(p)},5999:(e,t,n)=>{"use strict";n.d(t,{Z:()=>c,I:()=>l});var r=n(7294),a=n(5893);function o(e,t){const n=e.split(/(\{\w+\})/).map(((e,n)=>{if(n%2==1){const n=t?.[e.slice(1,-1)];if(void 0!==n)return n}return e}));return n.some((e=>(0,r.isValidElement)(e)))?n.map(((e,t)=>(0,r.isValidElement)(e)?r.cloneElement(e,{key:t}):e)).filter((e=>""!==e)):n.join("")}var i=n(7529);function s(e){let{id:t,message:n}=e;if(void 0===t&&void 0===n)throw new Error("Docusaurus translation declarations must have at least a translation id or a default translation message");return i[t??n]??n??t}function l(e,t){let{message:n,id:r}=e;return o(s({message:n,id:r}),t)}function c(e){let{children:t,id:n,values:r}=e;if(t&&"string"!=typeof t)throw console.warn("Illegal <Translate> children",t),new Error("The Docusaurus <Translate> component only accept simple string values");const i=s({message:t,id:n});return(0,a.jsx)(a.Fragment,{children:o(i,r)})}},9935:(e,t,n)=>{"use strict";n.d(t,{m:()=>r});const r="default"},3919:(e,t,n)=>{"use strict";function r(e){return/^(?:\w*:|\/\/)/.test(e)}function a(e){return void 0!==e&&!r(e)}n.d(t,{Z:()=>a,b:()=>r})},4996:(e,t,n)=>{"use strict";n.d(t,{Cg:()=>i,ZP:()=>s});var r=n(7294),a=n(2263),o=n(3919);function i(){const{siteConfig:e}=(0,a.Z)(),{baseUrl:t,url:n}=e,i=e.future.experimental_router,s=(0,r.useCallback)(((e,r)=>function(e){let{siteUrl:t,baseUrl:n,url:r,options:{forcePrependBaseUrl:a=!1,absolute:i=!1}={},router:s}=e;if(!r||r.startsWith("#")||(0,o.b)(r))return r;if("hash"===s)return r.startsWith("/")?`.${r}`:`./${r}`;if(a)return n+r.replace(/^\//,"");if(r===n.replace(/\/$/,""))return n;const l=r.startsWith(n)?r:n+r.replace(/^\//,"");return i?t+l:l}({siteUrl:n,baseUrl:t,url:e,options:r,router:i})),[n,t,i]);return{withBaseUrl:s}}function s(e,t){void 0===t&&(t={});const{withBaseUrl:n}=i();return n(e,t)}},8138:(e,t,n)=>{"use strict";n.d(t,{Z:()=>i});var r=n(7294);n(5893);const a=r.createContext({collectAnchor:()=>{},collectLink:()=>{}}),o=()=>(0,r.useContext)(a);function i(){return o()}},2263:(e,t,n)=>{"use strict";n.d(t,{Z:()=>o});var r=n(7294),a=n(8940);function o(){return(0,r.useContext)(a._)}},2389:(e,t,n)=>{"use strict";n.d(t,{Z:()=>o});var r=n(7294),a=n(8934);function o(){return(0,r.useContext)(a._)}},469:(e,t,n)=>{"use strict";n.d(t,{Z:()=>a});var r=n(7294);const a=n(412).Z.canUseDOM?r.useLayoutEffect:r.useEffect},9670:(e,t,n)=>{"use strict";n.d(t,{Z:()=>a});const r=e=>"object"==typeof e&&!!e&&Object.keys(e).length>0;function a(e){const t={};return function e(n,a){Object.entries(n).forEach((n=>{let[o,i]=n;const s=a?`${a}.${o}`:o;r(i)?e(i,s):t[s]=i}))}(e),t}},226:(e,t,n)=>{"use strict";n.d(t,{_:()=>o,z:()=>i});var r=n(7294),a=n(5893);const o=r.createContext(null);function i(e){let{children:t,value:n}=e;const i=r.useContext(o),s=(0,r.useMemo)((()=>function(e){let{parent:t,value:n}=e;if(!t){if(!n)throw new Error("Unexpected: no Docusaurus route context found");if(!("plugin"in n))throw new Error("Unexpected: Docusaurus topmost route context has no `plugin` attribute");return n}const r={...t.data,...n?.data};return{plugin:t.plugin,data:r}}({parent:i,value:n})),[i,n]);return(0,a.jsx)(o.Provider,{value:s,children:t})}},143:(e,t,n)=>{"use strict";n.d(t,{Iw:()=>m,gA:()=>p,_r:()=>u,Jo:()=>g,zh:()=>d,yW:()=>h,gB:()=>f});var r=n(6550),a=n(2263),o=n(9935);function i(e,t){void 0===t&&(t={});const n=function(){const{globalData:e}=(0,a.Z)();return e}()[e];if(!n&&t.failfast)throw new Error(`Docusaurus plugin global data not found for "${e}" plugin.`);return n}const s=e=>e.versions.find((e=>e.isLast));function l(e,t){const n=function(e,t){const n=s(e);return[...e.versions.filter((e=>e!==n)),n].find((e=>!!(0,r.LX)(t,{path:e.path,exact:!1,strict:!1})))}(e,t),a=n?.docs.find((e=>!!(0,r.LX)(t,{path:e.path,exact:!0,strict:!1})));return{activeVersion:n,activeDoc:a,alternateDocVersions:a?function(t){const n={};return e.versions.forEach((e=>{e.docs.forEach((r=>{r.id===t&&(n[e.name]=r)}))})),n}(a.id):{}}}const c={},u=()=>i("docusaurus-plugin-content-docs")??c,d=e=>{try{return function(e,t,n){void 0===t&&(t=o.m),void 0===n&&(n={});const r=i(e),a=r?.[t];if(!a&&n.failfast)throw new Error(`Docusaurus plugin global data not found for "${e}" plugin with id "${t}".`);return a}("docusaurus-plugin-content-docs",e,{failfast:!0})}catch(t){throw new Error("You are using a feature of the Docusaurus docs plugin, but this plugin does not seem to be enabled"+("Default"===e?"":` (pluginId=${e}`),{cause:t})}};function p(e){void 0===e&&(e={});const t=u(),{pathname:n}=(0,r.TH)();return function(e,t,n){void 0===n&&(n={});const a=Object.entries(e).sort(((e,t)=>t[1].path.localeCompare(e[1].path))).find((e=>{let[,n]=e;return!!(0,r.LX)(t,{path:n.path,exact:!1,strict:!1})})),o=a?{pluginId:a[0],pluginData:a[1]}:void 0;if(!o&&n.failfast)throw new Error(`Can't find active docs plugin for "${t}" pathname, while it was expected to be found. Maybe you tried to use a docs feature that can only be used on a docs-related page? Existing docs plugin paths are: ${Object.values(e).map((e=>e.path)).join(", ")}`);return o}(t,n,e)}function f(e){return d(e).versions}function h(e){const t=d(e);return s(t)}function m(e){const t=d(e),{pathname:n}=(0,r.TH)();return l(t,n)}function g(e){const t=d(e),{pathname:n}=(0,r.TH)();return function(e,t){const n=s(e);return{latestDocSuggestion:l(e,t).alternateDocVersions[n.name],latestVersionSuggestion:n}}(t,n)}},8320:(e,t,n)=>{"use strict";n.r(t),n.d(t,{default:()=>o});var r=n(4865),a=n.n(r);a().configure({showSpinner:!1});const o={onRouteUpdate(e){let{location:t,previousLocation:n}=e;if(n&&t.pathname!==n.pathname){const e=window.setTimeout((()=>{a().start()}),200);return()=>window.clearTimeout(e)}},onRouteDidUpdate(){a().done()}}},3310:(e,t,n)=>{"use strict";n.r(t);var r=n(2573),a=n(6809);!function(e){const{themeConfig:{prism:t}}=a.default,{additionalLanguages:r}=t;globalThis.Prism=e,r.forEach((e=>{"php"===e&&n(6854),n(6726)(`./prism-${e}`)})),delete globalThis.Prism}(r.p1)},2503:(e,t,n)=>{"use strict";n.d(t,{Z:()=>u});n(7294);var r=n(512),a=n(5999),o=n(6668),i=n(3692),s=n(8138);const l={anchorWithStickyNavbar:"anchorWithStickyNavbar_LWe7",anchorWithHideOnScrollNavbar:"anchorWithHideOnScrollNavbar_WYt5"};var c=n(5893);function u(e){let{as:t,id:n,...u}=e;const d=(0,s.Z)(),{navbar:{hideOnScroll:p}}=(0,o.L)();if("h1"===t||!n)return(0,c.jsx)(t,{...u,id:void 0});d.collectAnchor(n);const f=(0,a.I)({id:"theme.common.headingLinkTitle",message:"Direct link to {heading}",description:"Title for link to heading"},{heading:"string"==typeof u.children?u.children:n});return(0,c.jsxs)(t,{...u,className:(0,r.Z)("anchor",p?l.anchorWithHideOnScrollNavbar:l.anchorWithStickyNavbar,u.className),id:n,children:[u.children,(0,c.jsx)(i.Z,{className:"hash-link",to:`#${n}`,"aria-label":f,title:f,children:"\u200b"})]})}},9471:(e,t,n)=>{"use strict";n.d(t,{Z:()=>o});n(7294);const r={iconExternalLink:"iconExternalLink_nPIU"};var a=n(5893);function o(e){let{width:t=13.5,height:n=13.5}=e;return(0,a.jsx)("svg",{width:t,height:n,"aria-hidden":"true",viewBox:"0 0 24 24",className:r.iconExternalLink,children:(0,a.jsx)("path",{fill:"currentColor",d:"M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"})})}},2315:(e,t,n)=>{"use strict";n.d(t,{Z:()=>Pt});var r=n(7294),a=n(512),o=n(4763),i=n(1944),s=n(6550),l=n(5999),c=n(5936),u=n(5893);const d="__docusaurus_skipToContent_fallback";function p(e){e.setAttribute("tabindex","-1"),e.focus(),e.removeAttribute("tabindex")}function f(){const e=(0,r.useRef)(null),{action:t}=(0,s.k6)(),n=(0,r.useCallback)((e=>{e.preventDefault();const t=document.querySelector("main:first-of-type")??document.getElementById(d);t&&p(t)}),[]);return(0,c.S)((n=>{let{location:r}=n;e.current&&!r.hash&&"PUSH"===t&&p(e.current)})),{containerRef:e,onClick:n}}const h=(0,l.I)({id:"theme.common.skipToMainContent",description:"The skip to content label used for accessibility, allowing to rapidly navigate to main content with keyboard tab/enter navigation",message:"Skip to main content"});function m(e){const t=e.children??h,{containerRef:n,onClick:r}=f();return(0,u.jsx)("div",{ref:n,role:"region","aria-label":h,children:(0,u.jsx)("a",{...e,href:`#${d}`,onClick:r,children:t})})}var g=n(5281),y=n(9727);const b={skipToContent:"skipToContent_fXgn"};function v(){return(0,u.jsx)(m,{className:b.skipToContent})}var w=n(6668),k=n(9689);function x(e){let{width:t=21,height:n=21,color:r="currentColor",strokeWidth:a=1.2,className:o,...i}=e;return(0,u.jsx)("svg",{viewBox:"0 0 15 15",width:t,height:n,...i,children:(0,u.jsx)("g",{stroke:r,strokeWidth:a,children:(0,u.jsx)("path",{d:"M.75.75l13.5 13.5M14.25.75L.75 14.25"})})})}const S={closeButton:"closeButton_CVFx"};function E(e){return(0,u.jsx)("button",{type:"button","aria-label":(0,l.I)({id:"theme.AnnouncementBar.closeButtonAriaLabel",message:"Close",description:"The ARIA label for close button of announcement bar"}),...e,className:(0,a.Z)("clean-btn close",S.closeButton,e.className),children:(0,u.jsx)(x,{width:14,height:14,strokeWidth:3.1})})}const C={content:"content_knG7"};function _(e){const{announcementBar:t}=(0,w.L)(),{content:n}=t;return(0,u.jsx)("div",{...e,className:(0,a.Z)(C.content,e.className),dangerouslySetInnerHTML:{__html:n}})}const T={announcementBar:"announcementBar_mb4j",announcementBarPlaceholder:"announcementBarPlaceholder_vyr4",announcementBarClose:"announcementBarClose_gvF7",announcementBarContent:"announcementBarContent_xLdY"};function L(){const{announcementBar:e}=(0,w.L)(),{isActive:t,close:n}=(0,k.n)();if(!t)return null;const{backgroundColor:r,textColor:a,isCloseable:o}=e;return(0,u.jsxs)("div",{className:T.announcementBar,style:{backgroundColor:r,color:a},role:"banner",children:[o&&(0,u.jsx)("div",{className:T.announcementBarPlaceholder}),(0,u.jsx)(_,{className:T.announcementBarContent}),o&&(0,u.jsx)(E,{onClick:n,className:T.announcementBarClose})]})}var R=n(3163),j=n(2466);var N=n(902),P=n(3102);const A=r.createContext(null);function O(e){let{children:t}=e;const n=function(){const e=(0,R.e)(),t=(0,P.HY)(),[n,a]=(0,r.useState)(!1),o=null!==t.component,i=(0,N.D9)(o);return(0,r.useEffect)((()=>{o&&!i&&a(!0)}),[o,i]),(0,r.useEffect)((()=>{o?e.shown||a(!0):a(!1)}),[e.shown,o]),(0,r.useMemo)((()=>[n,a]),[n])}();return(0,u.jsx)(A.Provider,{value:n,children:t})}function I(e){if(e.component){const t=e.component;return(0,u.jsx)(t,{...e.props})}}function D(){const e=(0,r.useContext)(A);if(!e)throw new N.i6("NavbarSecondaryMenuDisplayProvider");const[t,n]=e,a=(0,r.useCallback)((()=>n(!1)),[n]),o=(0,P.HY)();return(0,r.useMemo)((()=>({shown:t,hide:a,content:I(o)})),[a,o,t])}function F(e){let{header:t,primaryMenu:n,secondaryMenu:r}=e;const{shown:o}=D();return(0,u.jsxs)("div",{className:"navbar-sidebar",children:[t,(0,u.jsxs)("div",{className:(0,a.Z)("navbar-sidebar__items",{"navbar-sidebar__items--show-secondary":o}),children:[(0,u.jsx)("div",{className:"navbar-sidebar__item menu",children:n}),(0,u.jsx)("div",{className:"navbar-sidebar__item menu",children:r})]})]})}var M=n(2949),z=n(2389);function B(e){return(0,u.jsx)("svg",{viewBox:"0 0 24 24",width:24,height:24,...e,children:(0,u.jsx)("path",{fill:"currentColor",d:"M12,9c1.65,0,3,1.35,3,3s-1.35,3-3,3s-3-1.35-3-3S10.35,9,12,9 M12,7c-2.76,0-5,2.24-5,5s2.24,5,5,5s5-2.24,5-5 S14.76,7,12,7L12,7z M2,13l2,0c0.55,0,1-0.45,1-1s-0.45-1-1-1l-2,0c-0.55,0-1,0.45-1,1S1.45,13,2,13z M20,13l2,0c0.55,0,1-0.45,1-1 s-0.45-1-1-1l-2,0c-0.55,0-1,0.45-1,1S19.45,13,20,13z M11,2v2c0,0.55,0.45,1,1,1s1-0.45,1-1V2c0-0.55-0.45-1-1-1S11,1.45,11,2z M11,20v2c0,0.55,0.45,1,1,1s1-0.45,1-1v-2c0-0.55-0.45-1-1-1C11.45,19,11,19.45,11,20z M5.99,4.58c-0.39-0.39-1.03-0.39-1.41,0 c-0.39,0.39-0.39,1.03,0,1.41l1.06,1.06c0.39,0.39,1.03,0.39,1.41,0s0.39-1.03,0-1.41L5.99,4.58z M18.36,16.95 c-0.39-0.39-1.03-0.39-1.41,0c-0.39,0.39-0.39,1.03,0,1.41l1.06,1.06c0.39,0.39,1.03,0.39,1.41,0c0.39-0.39,0.39-1.03,0-1.41 L18.36,16.95z M19.42,5.99c0.39-0.39,0.39-1.03,0-1.41c-0.39-0.39-1.03-0.39-1.41,0l-1.06,1.06c-0.39,0.39-0.39,1.03,0,1.41 s1.03,0.39,1.41,0L19.42,5.99z M7.05,18.36c0.39-0.39,0.39-1.03,0-1.41c-0.39-0.39-1.03-0.39-1.41,0l-1.06,1.06 c-0.39,0.39-0.39,1.03,0,1.41s1.03,0.39,1.41,0L7.05,18.36z"})})}function $(e){return(0,u.jsx)("svg",{viewBox:"0 0 24 24",width:24,height:24,...e,children:(0,u.jsx)("path",{fill:"currentColor",d:"M9.37,5.51C9.19,6.15,9.1,6.82,9.1,7.5c0,4.08,3.32,7.4,7.4,7.4c0.68,0,1.35-0.09,1.99-0.27C17.45,17.19,14.93,19,12,19 c-3.86,0-7-3.14-7-7C5,9.07,6.81,6.55,9.37,5.51z M12,3c-4.97,0-9,4.03-9,9s4.03,9,9,9s9-4.03,9-9c0-0.46-0.04-0.92-0.1-1.36 c-0.98,1.37-2.58,2.26-4.4,2.26c-2.98,0-5.4-2.42-5.4-5.4c0-1.81,0.89-3.42,2.26-4.4C12.92,3.04,12.46,3,12,3L12,3z"})})}const U={toggle:"toggle_vylO",toggleButton:"toggleButton_gllP",darkToggleIcon:"darkToggleIcon_wfgR",lightToggleIcon:"lightToggleIcon_pyhR",toggleButtonDisabled:"toggleButtonDisabled_aARS"};function q(e){let{className:t,buttonClassName:n,value:r,onChange:o}=e;const i=(0,z.Z)(),s=(0,l.I)({message:"Switch between dark and light mode (currently {mode})",id:"theme.colorToggle.ariaLabel",description:"The ARIA label for the navbar color mode toggle"},{mode:"dark"===r?(0,l.I)({message:"dark mode",id:"theme.colorToggle.ariaLabel.mode.dark",description:"The name for the dark color mode"}):(0,l.I)({message:"light mode",id:"theme.colorToggle.ariaLabel.mode.light",description:"The name for the light color mode"})});return(0,u.jsx)("div",{className:(0,a.Z)(U.toggle,t),children:(0,u.jsxs)("button",{className:(0,a.Z)("clean-btn",U.toggleButton,!i&&U.toggleButtonDisabled,n),type:"button",onClick:()=>o("dark"===r?"light":"dark"),disabled:!i,title:s,"aria-label":s,"aria-live":"polite",children:[(0,u.jsx)(B,{className:(0,a.Z)(U.toggleIcon,U.lightToggleIcon)}),(0,u.jsx)($,{className:(0,a.Z)(U.toggleIcon,U.darkToggleIcon)})]})})}const H=r.memo(q),Q={darkNavbarColorModeToggle:"darkNavbarColorModeToggle_X3D1"};function Z(e){let{className:t}=e;const n=(0,w.L)().navbar.style,r=(0,w.L)().colorMode.disableSwitch,{colorMode:a,setColorMode:o}=(0,M.I)();return r?null:(0,u.jsx)(H,{className:t,buttonClassName:"dark"===n?Q.darkNavbarColorModeToggle:void 0,value:a,onChange:o})}var W=n(1327);function V(){return(0,u.jsx)(W.Z,{className:"navbar__brand",imageClassName:"navbar__logo",titleClassName:"navbar__title text--truncate"})}function G(){const e=(0,R.e)();return(0,u.jsx)("button",{type:"button","aria-label":(0,l.I)({id:"theme.docs.sidebar.closeSidebarButtonAriaLabel",message:"Close navigation bar",description:"The ARIA label for close button of mobile sidebar"}),className:"clean-btn navbar-sidebar__close",onClick:()=>e.toggle(),children:(0,u.jsx)(x,{color:"var(--ifm-color-emphasis-600)"})})}function X(){return(0,u.jsxs)("div",{className:"navbar-sidebar__brand",children:[(0,u.jsx)(V,{}),(0,u.jsx)("a",{href:"https://github.com/k3s-io/k3s",target:"_blank",rel:"noopener noreferrer",className:"margin-right--md header-github-link"}),(0,u.jsx)(Z,{className:"margin-right--md"}),(0,u.jsx)(G,{})]})}var K=n(3692),Y=n(4996),J=n(3919);function ee(e,t){return void 0!==e&&void 0!==t&&new RegExp(e,"gi").test(t)}var te=n(9471);function ne(e){let{activeBasePath:t,activeBaseRegex:n,to:r,href:a,label:o,html:i,isDropdownLink:s,prependBaseUrlToHref:l,...c}=e;const d=(0,Y.ZP)(r),p=(0,Y.ZP)(t),f=(0,Y.ZP)(a,{forcePrependBaseUrl:!0}),h=o&&a&&!(0,J.Z)(a),m=i?{dangerouslySetInnerHTML:{__html:i}}:{children:(0,u.jsxs)(u.Fragment,{children:[o,h&&(0,u.jsx)(te.Z,{...s&&{width:12,height:12}})]})};return a?(0,u.jsx)(K.Z,{href:l?f:a,...c,...m}):(0,u.jsx)(K.Z,{to:d,isNavLink:!0,...(t||n)&&{isActive:(e,t)=>n?ee(n,t.pathname):t.pathname.startsWith(p)},...c,...m})}function re(e){let{className:t,isDropdownItem:n=!1,...r}=e;const o=(0,u.jsx)(ne,{className:(0,a.Z)(n?"dropdown__link":"navbar__item navbar__link",t),isDropdownLink:n,...r});return n?(0,u.jsx)("li",{children:o}):o}function ae(e){let{className:t,isDropdownItem:n,...r}=e;return(0,u.jsx)("li",{className:"menu__list-item",children:(0,u.jsx)(ne,{className:(0,a.Z)("menu__link",t),...r})})}function oe(e){let{mobile:t=!1,position:n,...r}=e;const a=t?ae:re;return(0,u.jsx)(a,{...r,activeClassName:r.activeClassName??(t?"menu__link--active":"navbar__link--active")})}var ie=n(6043),se=n(8596),le=n(2263);const ce={dropdownNavbarItemMobile:"dropdownNavbarItemMobile_S0Fm"};function ue(e,t){return e.some((e=>function(e,t){return!!(0,se.Mg)(e.to,t)||!!ee(e.activeBaseRegex,t)||!(!e.activeBasePath||!t.startsWith(e.activeBasePath))}(e,t)))}function de(e){let{items:t,position:n,className:o,onClick:i,...s}=e;const l=(0,r.useRef)(null),[c,d]=(0,r.useState)(!1);return(0,r.useEffect)((()=>{const e=e=>{l.current&&!l.current.contains(e.target)&&d(!1)};return document.addEventListener("mousedown",e),document.addEventListener("touchstart",e),document.addEventListener("focusin",e),()=>{document.removeEventListener("mousedown",e),document.removeEventListener("touchstart",e),document.removeEventListener("focusin",e)}}),[l]),(0,u.jsxs)("div",{ref:l,className:(0,a.Z)("navbar__item","dropdown","dropdown--hoverable",{"dropdown--right":"right"===n,"dropdown--show":c}),children:[(0,u.jsx)(ne,{"aria-haspopup":"true","aria-expanded":c,role:"button",href:s.to?void 0:"#",className:(0,a.Z)("navbar__link",o),...s,onClick:s.to?void 0:e=>e.preventDefault(),onKeyDown:e=>{"Enter"===e.key&&(e.preventDefault(),d(!c))},children:s.children??s.label}),(0,u.jsx)("ul",{className:"dropdown__menu",children:t.map(((e,t)=>(0,r.createElement)(Ve,{isDropdownItem:!0,activeClassName:"dropdown__link--active",...e,key:t})))})]})}function pe(e){let{items:t,className:n,position:o,onClick:i,...l}=e;const c=function(){const{siteConfig:{baseUrl:e}}=(0,le.Z)(),{pathname:t}=(0,s.TH)();return t.replace(e,"/")}(),d=ue(t,c),{collapsed:p,toggleCollapsed:f,setCollapsed:h}=(0,ie.u)({initialState:()=>!d});return(0,r.useEffect)((()=>{d&&h(!d)}),[c,d,h]),(0,u.jsxs)("li",{className:(0,a.Z)("menu__list-item",{"menu__list-item--collapsed":p}),children:[(0,u.jsx)(ne,{role:"button",className:(0,a.Z)(ce.dropdownNavbarItemMobile,"menu__link menu__link--sublist menu__link--sublist-caret",n),...l,onClick:e=>{e.preventDefault(),f()},children:l.children??l.label}),(0,u.jsx)(ie.z,{lazy:!0,as:"ul",className:"menu__list",collapsed:p,children:t.map(((e,t)=>(0,r.createElement)(Ve,{mobile:!0,isDropdownItem:!0,onClick:i,activeClassName:"menu__link--active",...e,key:t})))})]})}function fe(e){let{mobile:t=!1,...n}=e;const r=t?pe:de;return(0,u.jsx)(r,{...n})}var he=n(4711);function me(e){let{width:t=20,height:n=20,...r}=e;return(0,u.jsx)("svg",{viewBox:"0 0 24 24",width:t,height:n,"aria-hidden":!0,...r,children:(0,u.jsx)("path",{fill:"currentColor",d:"M12.87 15.07l-2.54-2.51.03-.03c1.74-1.94 2.98-4.17 3.71-6.53H17V4h-7V2H8v2H1v1.99h11.17C11.5 7.92 10.44 9.75 9 11.35 8.07 10.32 7.3 9.19 6.69 8h-2c.73 1.63 1.73 3.17 2.98 4.56l-5.09 5.02L4 19l5-5 3.11 3.11.76-2.04zM18.5 10h-2L12 22h2l1.12-3h4.75L21 22h2l-4.5-12zm-2.62 7l1.62-4.33L19.12 17h-3.24z"})})}const ge="iconLanguage_nlXk";var ye=n(1029),be=n(1728),ve=n(373),we=n(143),ke=n(22),xe=n(8202),Se=n(3545),Ee=n(3926),Ce=n(1073),_e=n(2539),Te=n(726);const Le='<svg width="20" height="20" viewBox="0 0 20 20"><path d="M17 6v12c0 .52-.2 1-1 1H4c-.7 0-1-.33-1-1V2c0-.55.42-1 1-1h8l5 5zM14 8h-3.13c-.51 0-.87-.34-.87-.87V4" stroke="currentColor" fill="none" fill-rule="evenodd" stroke-linejoin="round"></path></svg>',Re='<svg width="20" height="20" viewBox="0 0 20 20"><path d="M13 13h4-4V8H7v5h6v4-4H7V8H3h4V3v5h6V3v5h4-4v5zm-6 0v4-4H3h4z" stroke="currentColor" fill="none" fill-rule="evenodd" stroke-linecap="round" stroke-linejoin="round"></path></svg>',je='<svg width="20" height="20" viewBox="0 0 20 20"><path d="M17 5H3h14zm0 5H3h14zm0 5H3h14z" stroke="currentColor" fill="none" fill-rule="evenodd" stroke-linejoin="round"></path></svg>',Ne='<svg width="20" height="20" viewBox="0 0 20 20"><g stroke="currentColor" fill="none" fill-rule="evenodd" stroke-linecap="round" stroke-linejoin="round"><path d="M18 3v4c0 2-2 4-4 4H2"></path><path d="M8 17l-6-6 6-6"></path></g></svg>',Pe='<svg width="40" height="40" viewBox="0 0 20 20" fill="none" fill-rule="evenodd" stroke="currentColor" stroke-linecap="round" stroke-linejoin="round"><path d="M15.5 4.8c2 3 1.7 7-1 9.7h0l4.3 4.3-4.3-4.3a7.8 7.8 0 01-9.8 1m-2.2-2.2A7.8 7.8 0 0113.2 2.4M2 18L18 2"></path></svg>',Ae='<svg viewBox="0 0 24 54"><g stroke="currentColor" fill="none" fill-rule="evenodd" stroke-linecap="round" stroke-linejoin="round"><path d="M8 6v42M20 27H8.3"></path></g></svg>',Oe='<svg viewBox="0 0 24 54"><g stroke="currentColor" fill="none" fill-rule="evenodd" stroke-linecap="round" stroke-linejoin="round"><path d="M8 6v21M20 27H8.3"></path></g></svg>',Ie={searchBar:"searchBar_RVTs",dropdownMenu:"dropdownMenu_qbY6",searchBarLeft:"searchBarLeft_MXDe",suggestion:"suggestion_fB_2",cursor:"cursor_eG29",hitTree:"hitTree_kk6K",hitIcon:"hitIcon_a7Zy",hitPath:"hitPath_ieM4",noResultsIcon:"noResultsIcon_EBY5",hitFooter:"hitFooter_E9YW",hitWrapper:"hitWrapper_sAK8",hitTitle:"hitTitle_vyVt",hitAction:"hitAction_NqkB",hideAction:"hideAction_vcyE",noResults:"noResults_l6Q3",searchBarContainer:"searchBarContainer_NW3z",searchBarLoadingRing:"searchBarLoadingRing_YnHq",searchClearButton:"searchClearButton_qk4g",searchIndexLoading:"searchIndexLoading_EJ1f",searchHintContainer:"searchHintContainer_Pkmr",searchHint:"searchHint_iIMx",focused:"focused_OWtg",input:"input_FOTf",hint:"hint_URu1",suggestions:"suggestions_X8XU",dataset:"dataset_QiCy",empty:"empty_eITn"};function De(e){let{document:t,type:n,page:r,metadata:a,tokens:o,isInterOfTree:i,isLastOfTree:s}=e;const l=n===Se.P.Title,c=n===Se.P.Keywords,u=l||c,d=n===Se.P.Heading,p=[];i?p.push(Ae):s&&p.push(Oe);const f=p.map((e=>`<span class="${Ie.hitTree}">${e}</span>`)),h=`<span class="${Ie.hitIcon}">${u?Le:d?Re:je}</span>`,m=[`<span class="${Ie.hitTitle}">${c?(0,_e.C)(t.s,o):(0,Te.o)(t.t,(0,Ce.m)(a,"t"),o)}</span>`];if(!i&&!s&&ye.H6){const e=r?r.b?.concat(r.t).concat(t.s&&t.s!==r.t?t.s:[]):t.b;m.push(`<span class="${Ie.hitPath}">${(0,Ee.e)(e??[])}</span>`)}else u||m.push(`<span class="${Ie.hitPath}">${(0,_e.C)(r.t||(t.u.startsWith("/docs/api-reference/")?"API Reference":""),o)}</span>`);const g=`<span class="${Ie.hitAction}">${Ne}</span>`;return[...f,h,`<span class="${Ie.hitWrapper}">`,...m,"</span>",g].join("")}function Fe(){return`<span class="${Ie.noResults}"><span class="${Ie.noResultsIcon}">${Pe}</span><span>${(0,l.I)({id:"theme.SearchBar.noResultsText",message:"No results"})}</span></span>`}var Me=n(311),ze=n(51);async function Be(){const e=await Promise.all([n.e(8443),n.e(5525)]).then(n.t.bind(n,8443,23)),t=e.default;return t.noConflict?t.noConflict():e.noConflict&&e.noConflict(),t}const $e="_highlight";const Ue=function(e){let{handleSearchBarToggle:t}=e;const n=(0,z.Z)(),{siteConfig:{baseUrl:a},i18n:{currentLocale:o}}=(0,le.Z)(),i=(0,we.gA)();let c=a;try{const{preferredVersion:e}=(0,ve.J)(i?.pluginId??ye.gQ);e&&!e.isLast&&(c=e.path+"/")}catch(F){if(ye.l9&&!(F instanceof N.i6))throw F}const d=(0,s.k6)(),p=(0,s.TH)(),f=(0,r.useRef)(null),h=(0,r.useRef)(new Map),m=(0,r.useRef)(!1),[g,y]=(0,r.useState)(!1),[b,v]=(0,r.useState)(!1),[w,k]=(0,r.useState)(""),x=(0,r.useRef)(null),S=(0,r.useRef)(""),[E,C]=(0,r.useState)("");(0,r.useEffect)((()=>{if(!Array.isArray(ye.Kc))return;let e="";if(p.pathname.startsWith(c)){const t=p.pathname.substring(c.length);let n;for(const e of ye.Kc){const r="string"==typeof e?e:e.path;if(t===r||t.startsWith(`${r}/`)){n=r;break}}n&&(e=n)}S.current!==e&&(h.current.delete(e),S.current=e),C(e)}),[p.pathname,c]);const _=!!ye.hG&&Array.isArray(ye.Kc)&&""===E,T=(0,r.useCallback)((async()=>{if(_||h.current.get(E))return;h.current.set(E,"loading"),x.current?.autocomplete.destroy(),y(!0);const[{wrappedIndexes:e,zhDictionary:t},n]=await Promise.all([(0,ke.w)(c,E),Be()]);if(x.current=n(f.current,{hint:!1,autoselect:!0,openOnFocus:!0,cssClasses:{root:(0,be.Z)(Ie.searchBar,{[Ie.searchBarLeft]:"left"===ye.pu}),noPrefix:!0,dropdownMenu:Ie.dropdownMenu,input:Ie.input,hint:Ie.hint,suggestions:Ie.suggestions,suggestion:Ie.suggestion,cursor:Ie.cursor,dataset:Ie.dataset,empty:Ie.empty}},[{source:(0,xe.v)(e,t,ye.qo),templates:{suggestion:De,empty:Fe,footer:e=>{let{query:t,isEmpty:n}=e;if(n&&(!E||!ye.pQ))return;const r=(e=>{let{query:t,isEmpty:n}=e;const r=document.createElement("a"),i=new URLSearchParams;let s;if(i.set("q",t),E){const e=E&&Array.isArray(ye.Kc)?ye.Kc.find((e=>"string"==typeof e?e===E:e.path===E)):E,t=e?(0,ze._)(e,o).label:E;s=ye.pQ&&n?(0,l.I)({id:"theme.SearchBar.seeAllOutsideContext",message:'See all results outside "{context}"'},{context:t}):(0,l.I)({id:"theme.SearchBar.searchInContext",message:'See all results within "{context}"'},{context:t})}else s=(0,l.I)({id:"theme.SearchBar.seeAll",message:"See all results"});if(!E||!Array.isArray(ye.Kc)||ye.pQ&&n||i.set("ctx",E),c!==a){if(!c.startsWith(a))throw new Error(`Version url '${c}' does not start with base url '${a}', this is a bug of \`@easyops-cn/docusaurus-search-local\`, please report it.`);i.set("version",c.substring(a.length))}const u=`${a}search/?${i.toString()}`;return r.href=u,r.textContent=s,r.addEventListener("click",(e=>{e.ctrlKey||e.metaKey||(e.preventDefault(),x.current?.autocomplete.close(),d.push(u))})),r})({query:t,isEmpty:n}),i=document.createElement("div");return i.className=Ie.hitFooter,i.appendChild(r),i}}}]).on("autocomplete:selected",(function(e,t){let{document:{u:n,h:r},tokens:a}=t;f.current?.blur();let o=n;if(ye.vc&&a.length>0){const e=new URLSearchParams;for(const t of a)e.append($e,t);o+=`?${e.toString()}`}r&&(o+=r),d.push(o)})).on("autocomplete:closed",(()=>{f.current?.blur()})),h.current.set(E,"done"),y(!1),m.current){const e=f.current;e.value&&x.current?.autocomplete.open(),e.focus()}}),[_,E,c,a,d]);(0,r.useEffect)((()=>{if(!ye.vc)return;const e=n?new URLSearchParams(p.search).getAll($e):[];setTimeout((()=>{const t=document.querySelector("article");if(!t)return;const n=new ye.vc(t);n.unmark(),0!==e.length&&n.mark(e),k(e.join(" ")),x.current?.autocomplete.setVal(e.join(" "))}))}),[n,p.search,p.pathname]);const[L,R]=(0,r.useState)(!1),j=(0,r.useCallback)((()=>{m.current=!0,T(),R(!0),t?.(!0)}),[t,T]),P=(0,r.useCallback)((()=>{R(!1),t?.(!1)}),[t]),A=(0,r.useCallback)((()=>{T()}),[T]),O=(0,r.useCallback)((e=>{k(e.target.value),e.target.value&&v(!0)}),[]),I=!!n&&/mac/i.test(navigator.userAgentData?.platform??navigator.platform);(0,r.useEffect)((()=>{if(!ye.AY)return;const e=e=>{!(I?e.metaKey:e.ctrlKey)||"k"!==e.key&&"K"!==e.key||(e.preventDefault(),f.current?.focus(),j())};return document.addEventListener("keydown",e),()=>{document.removeEventListener("keydown",e)}}),[I,j]);const D=(0,r.useCallback)((()=>{const e=new URLSearchParams(p.search);e.delete($e);const t=e.toString(),n=p.pathname+(""!=t?`?${t}`:"")+p.hash;n!=p.pathname+p.search+p.hash&&d.push(n),k(""),x.current?.autocomplete.setVal("")}),[p.pathname,p.search,p.hash,d]);return(0,u.jsxs)("div",{className:(0,be.Z)("navbar__search",Ie.searchBarContainer,{[Ie.searchIndexLoading]:g&&b,[Ie.focused]:L}),hidden:_,dir:"ltr",children:[(0,u.jsx)("input",{placeholder:(0,l.I)({id:"theme.SearchBar.label",message:"Search",description:"The ARIA label and placeholder for search button"}),"aria-label":"Search",className:"navbar__search-input",onMouseEnter:A,onFocus:j,onBlur:P,onChange:O,ref:f,value:w}),(0,u.jsx)(Me.Z,{className:Ie.searchBarLoadingRing}),ye.AY&&ye.t_&&(""!==w?(0,u.jsx)("button",{className:Ie.searchClearButton,onClick:D,children:"\u2715"}):n&&(0,u.jsxs)("div",{className:Ie.searchHintContainer,children:[(0,u.jsx)("kbd",{className:Ie.searchHint,children:I?"\u2318":"ctrl"}),(0,u.jsx)("kbd",{className:Ie.searchHint,children:"K"})]}))]})},qe={navbarSearchContainer:"navbarSearchContainer_Bca1"};function He(e){let{children:t,className:n}=e;return(0,u.jsx)("div",{className:(0,a.Z)(n,qe.navbarSearchContainer),children:t})}var Qe=n(3438);const Ze=e=>e.docs.find((t=>t.id===e.mainDocId));const We={default:oe,localeDropdown:function(e){let{mobile:t,dropdownItemsBefore:n,dropdownItemsAfter:r,queryString:a="",...o}=e;const{i18n:{currentLocale:i,locales:c,localeConfigs:d}}=(0,le.Z)(),p=(0,he.l)(),{search:f,hash:h}=(0,s.TH)(),m=[...n,...c.map((e=>{const n=`${`pathname://${p.createUrl({locale:e,fullyQualified:!1})}`}${f}${h}${a}`;return{label:d[e].label,lang:d[e].htmlLang,to:n,target:"_self",autoAddBaseUrl:!1,className:e===i?t?"menu__link--active":"dropdown__link--active":""}})),...r],g=t?(0,l.I)({message:"Languages",id:"theme.navbar.mobileLanguageDropdown.label",description:"The label for the mobile language switcher dropdown"}):d[i].label;return(0,u.jsx)(fe,{...o,mobile:t,label:(0,u.jsxs)(u.Fragment,{children:[(0,u.jsx)(me,{className:ge}),g]}),items:m})},search:function(e){let{mobile:t,className:n}=e;return t?null:(0,u.jsx)(He,{className:n,children:(0,u.jsx)(Ue,{})})},dropdown:fe,html:function(e){let{value:t,className:n,mobile:r=!1,isDropdownItem:o=!1}=e;const i=o?"li":"div";return(0,u.jsx)(i,{className:(0,a.Z)({navbar__item:!r&&!o,"menu__list-item":r},n),dangerouslySetInnerHTML:{__html:t}})},doc:function(e){let{docId:t,label:n,docsPluginId:r,...a}=e;const{activeDoc:o}=(0,we.Iw)(r),i=(0,Qe.vY)(t,r),s=o?.path===i?.path;return null===i||i.unlisted&&!s?null:(0,u.jsx)(oe,{exact:!0,...a,isActive:()=>s||!!o?.sidebar&&o.sidebar===i.sidebar,label:n??i.id,to:i.path})},docSidebar:function(e){let{sidebarId:t,label:n,docsPluginId:r,...a}=e;const{activeDoc:o}=(0,we.Iw)(r),i=(0,Qe.oz)(t,r).link;if(!i)throw new Error(`DocSidebarNavbarItem: Sidebar with ID "${t}" doesn't have anything to be linked to.`);return(0,u.jsx)(oe,{exact:!0,...a,isActive:()=>o?.sidebar===t,label:n??i.label,to:i.path})},docsVersion:function(e){let{label:t,to:n,docsPluginId:r,...a}=e;const o=(0,Qe.lO)(r)[0],i=t??o.label,s=n??(e=>e.docs.find((t=>t.id===e.mainDocId)))(o).path;return(0,u.jsx)(oe,{...a,label:i,to:s})},docsVersionDropdown:function(e){let{mobile:t,docsPluginId:n,dropdownActiveClassDisabled:r,dropdownItemsBefore:a,dropdownItemsAfter:o,...i}=e;const{search:c,hash:d}=(0,s.TH)(),p=(0,we.Iw)(n),f=(0,we.gB)(n),{savePreferredVersionName:h}=(0,ve.J)(n),m=[...a,...f.map((e=>{const t=p.alternateDocVersions[e.name]??Ze(e);return{label:e.label,to:`${t.path}${c}${d}`,isActive:()=>e===p.activeVersion,onClick:()=>h(e.name)}})),...o],g=(0,Qe.lO)(n)[0],y=t&&m.length>1?(0,l.I)({id:"theme.navbar.mobileVersionsDropdown.label",message:"Versions",description:"The label for the navbar versions dropdown on mobile view"}):g.label,b=t&&m.length>1?void 0:Ze(g).path;return m.length<=1?(0,u.jsx)(oe,{...i,mobile:t,label:y,to:b,isActive:r?()=>!1:void 0}):(0,u.jsx)(fe,{...i,mobile:t,label:y,to:b,items:m,isActive:r?()=>!1:void 0})}};function Ve(e){let{type:t,...n}=e;const r=function(e,t){return e&&"default"!==e?e:"items"in t?"dropdown":"default"}(t,n),a=We[r];if(!a)throw new Error(`No NavbarItem component found for type "${t}".`);return(0,u.jsx)(a,{...n})}function Ge(){const e=(0,R.e)(),t=(0,w.L)().navbar.items;return(0,u.jsx)("ul",{className:"menu__list",children:t.map(((t,n)=>(0,r.createElement)(Ve,{mobile:!0,...t,onClick:()=>e.toggle(),key:n})))})}function Xe(e){return(0,u.jsx)("button",{...e,type:"button",className:"clean-btn navbar-sidebar__back",children:(0,u.jsx)(l.Z,{id:"theme.navbar.mobileSidebarSecondaryMenu.backButtonLabel",description:"The label of the back button to return to main menu, inside the mobile navbar sidebar secondary menu (notably used to display the docs sidebar)",children:"\u2190 Back to main menu"})})}function Ke(){const e=0===(0,w.L)().navbar.items.length,t=D();return(0,u.jsxs)(u.Fragment,{children:[!e&&(0,u.jsx)(Xe,{onClick:()=>t.hide()}),t.content]})}function Ye(){const e=(0,R.e)();var t;return void 0===(t=e.shown)&&(t=!0),(0,r.useEffect)((()=>(document.body.style.overflow=t?"hidden":"visible",()=>{document.body.style.overflow="visible"})),[t]),e.shouldRender?(0,u.jsx)(F,{header:(0,u.jsx)(X,{}),primaryMenu:(0,u.jsx)(Ge,{}),secondaryMenu:(0,u.jsx)(Ke,{})}):null}const Je={navbarHideable:"navbarHideable_m1mJ",navbarHidden:"navbarHidden_jGov"};function et(e){return(0,u.jsx)("div",{role:"presentation",...e,className:(0,a.Z)("navbar-sidebar__backdrop",e.className)})}function tt(e){let{children:t}=e;const{navbar:{hideOnScroll:n,style:o}}=(0,w.L)(),i=(0,R.e)(),{navbarRef:s,isNavbarVisible:d}=function(e){const[t,n]=(0,r.useState)(e),a=(0,r.useRef)(!1),o=(0,r.useRef)(0),i=(0,r.useCallback)((e=>{null!==e&&(o.current=e.getBoundingClientRect().height)}),[]);return(0,j.RF)(((t,r)=>{let{scrollY:i}=t;if(!e)return;if(i<o.current)return void n(!0);if(a.current)return void(a.current=!1);const s=r?.scrollY,l=document.documentElement.scrollHeight-o.current,c=window.innerHeight;s&&i>=s?n(!1):i+c<l&&n(!0)})),(0,c.S)((t=>{if(!e)return;const r=t.location.hash;if(r?document.getElementById(r.substring(1)):void 0)return a.current=!0,void n(!1);n(!0)})),{navbarRef:i,isNavbarVisible:t}}(n);return(0,u.jsxs)("nav",{ref:s,"aria-label":(0,l.I)({id:"theme.NavBar.navAriaLabel",message:"Main",description:"The ARIA label for the main navigation"}),className:(0,a.Z)("navbar","navbar--fixed-top",n&&[Je.navbarHideable,!d&&Je.navbarHidden],{"navbar--dark":"dark"===o,"navbar--primary":"primary"===o,"navbar-sidebar--show":i.shown}),children:[t,(0,u.jsx)(et,{onClick:i.toggle}),(0,u.jsx)(Ye,{})]})}var nt=n(9690);const rt="right";function at(e){let{width:t=30,height:n=30,className:r,...a}=e;return(0,u.jsx)("svg",{className:r,width:t,height:n,viewBox:"0 0 30 30","aria-hidden":"true",...a,children:(0,u.jsx)("path",{stroke:"currentColor",strokeLinecap:"round",strokeMiterlimit:"10",strokeWidth:"2",d:"M4 7h22M4 15h22M4 23h22"})})}function ot(){const{toggle:e,shown:t}=(0,R.e)();return(0,u.jsx)("button",{onClick:e,"aria-label":(0,l.I)({id:"theme.docs.sidebar.toggleSidebarButtonAriaLabel",message:"Toggle navigation bar",description:"The ARIA label for hamburger menu button of mobile navigation"}),"aria-expanded":t,className:"navbar__toggle clean-btn",type:"button",children:(0,u.jsx)(at,{})})}const it={colorModeToggle:"colorModeToggle_DEke"};function st(e){let{items:t}=e;return(0,u.jsx)(u.Fragment,{children:t.map(((e,t)=>(0,u.jsx)(nt.QW,{onError:t=>new Error(`A theme navbar item failed to render.\nPlease double-check the following navbar item (themeConfig.navbar.items) of your Docusaurus config:\n${JSON.stringify(e,null,2)}`,{cause:t}),children:(0,u.jsx)(Ve,{...e})},t)))})}function lt(e){let{left:t,right:n}=e;return(0,u.jsxs)("div",{className:"navbar__inner",children:[(0,u.jsx)("div",{className:"navbar__items",children:t}),(0,u.jsx)("div",{className:"navbar__items navbar__items--right",children:n})]})}function ct(){const e=(0,R.e)(),t=(0,w.L)().navbar.items,[n,r]=function(e){function t(e){return"left"===(e.position??rt)}return[e.filter(t),e.filter((e=>!t(e)))]}(t),a=t.find((e=>"search"===e.type));return(0,u.jsx)(lt,{left:(0,u.jsxs)(u.Fragment,{children:[!e.disabled&&(0,u.jsx)(ot,{}),(0,u.jsx)(V,{}),(0,u.jsx)(st,{items:n})]}),right:(0,u.jsxs)(u.Fragment,{children:[(0,u.jsx)(st,{items:r}),(0,u.jsx)(Z,{className:it.colorModeToggle}),!a&&(0,u.jsx)(He,{children:(0,u.jsx)(Ue,{})})]})})}function ut(){return(0,u.jsx)(tt,{children:(0,u.jsx)(ct,{})})}function dt(e){let{item:t}=e;const{to:n,href:r,label:a,prependBaseUrlToHref:o,...i}=t,s=(0,Y.ZP)(n),l=(0,Y.ZP)(r,{forcePrependBaseUrl:!0});return(0,u.jsxs)(K.Z,{className:"footer__link-item",...r?{href:o?l:r}:{to:s},...i,children:[a,r&&!(0,J.Z)(r)&&(0,u.jsx)(te.Z,{})]})}function pt(e){let{item:t}=e;return t.html?(0,u.jsx)("li",{className:"footer__item",dangerouslySetInnerHTML:{__html:t.html}}):(0,u.jsx)("li",{className:"footer__item",children:(0,u.jsx)(dt,{item:t})},t.href??t.to)}function ft(e){let{column:t}=e;return(0,u.jsxs)("div",{className:"col footer__col",children:[(0,u.jsx)("div",{className:"footer__title",children:t.title}),(0,u.jsx)("ul",{className:"footer__items clean-list",children:t.items.map(((e,t)=>(0,u.jsx)(pt,{item:e},t)))})]})}function ht(e){let{columns:t}=e;return(0,u.jsx)("div",{className:"row footer__links",children:t.map(((e,t)=>(0,u.jsx)(ft,{column:e},t)))})}function mt(){return(0,u.jsx)("span",{className:"footer__link-separator",children:"\xb7"})}function gt(e){let{item:t}=e;return t.html?(0,u.jsx)("span",{className:"footer__link-item",dangerouslySetInnerHTML:{__html:t.html}}):(0,u.jsx)(dt,{item:t})}function yt(e){let{links:t}=e;return(0,u.jsx)("div",{className:"footer__links text--center",children:(0,u.jsx)("div",{className:"footer__links",children:t.map(((e,n)=>(0,u.jsxs)(r.Fragment,{children:[(0,u.jsx)(gt,{item:e}),t.length!==n+1&&(0,u.jsx)(mt,{})]},n)))})})}function bt(e){let{links:t}=e;return function(e){return"title"in e[0]}(t)?(0,u.jsx)(ht,{columns:t}):(0,u.jsx)(yt,{links:t})}var vt=n(9965);const wt={footerLogoLink:"footerLogoLink_BH7S"};function kt(e){let{logo:t}=e;const{withBaseUrl:n}=(0,Y.Cg)(),r={light:n(t.src),dark:n(t.srcDark??t.src)};return(0,u.jsx)(vt.Z,{className:(0,a.Z)("footer__logo",t.className),alt:t.alt,sources:r,width:t.width,height:t.height,style:t.style})}function xt(e){let{logo:t}=e;return t.href?(0,u.jsx)(K.Z,{href:t.href,className:wt.footerLogoLink,target:t.target,children:(0,u.jsx)(kt,{logo:t})}):(0,u.jsx)(kt,{logo:t})}function St(e){let{copyright:t}=e;return(0,u.jsx)("div",{className:"footer__copyright",dangerouslySetInnerHTML:{__html:t}})}function Et(e){let{style:t,links:n,logo:r,copyright:o}=e;return(0,u.jsx)("footer",{className:(0,a.Z)("footer",{"footer--dark":"dark"===t}),children:(0,u.jsxs)("div",{className:"container container-fluid",children:[n,(r||o)&&(0,u.jsxs)("div",{className:"footer__bottom text--center",children:[r&&(0,u.jsx)("div",{className:"margin-bottom--sm",children:r}),o]})]})})}function Ct(){const{footer:e}=(0,w.L)();if(!e)return null;const{copyright:t,links:n,logo:r,style:a}=e;return(0,u.jsx)(Et,{style:a,links:n&&n.length>0&&(0,u.jsx)(bt,{links:n}),logo:r&&(0,u.jsx)(xt,{logo:r}),copyright:t&&(0,u.jsx)(St,{copyright:t})})}const _t=r.memo(Ct),Tt=(0,N.Qc)([M.S,k.p,j.OC,ve.L5,i.VC,function(e){let{children:t}=e;return(0,u.jsx)(P.n2,{children:(0,u.jsx)(R.M,{children:(0,u.jsx)(O,{children:t})})})}]);function Lt(e){let{children:t}=e;return(0,u.jsx)(Tt,{children:t})}var Rt=n(2503);function jt(e){let{error:t,tryAgain:n}=e;return(0,u.jsx)("main",{className:"container margin-vert--xl",children:(0,u.jsx)("div",{className:"row",children:(0,u.jsxs)("div",{className:"col col--6 col--offset-3",children:[(0,u.jsx)(Rt.Z,{as:"h1",className:"hero__title",children:(0,u.jsx)(l.Z,{id:"theme.ErrorPageContent.title",description:"The title of the fallback page when the page crashed",children:"This page crashed."})}),(0,u.jsx)("div",{className:"margin-vert--lg",children:(0,u.jsx)(nt.Cw,{onClick:n,className:"button button--primary shadow--lw"})}),(0,u.jsx)("hr",{}),(0,u.jsx)("div",{className:"margin-vert--md",children:(0,u.jsx)(nt.aG,{error:t})})]})})})}const Nt={mainWrapper:"mainWrapper_z2l0"};function Pt(e){const{children:t,noFooter:n,wrapperClassName:r,title:s,description:l}=e;return(0,y.t)(),(0,u.jsxs)(Lt,{children:[(0,u.jsx)(i.d,{title:s,description:l}),(0,u.jsx)(v,{}),(0,u.jsx)(L,{}),(0,u.jsx)(ut,{}),(0,u.jsx)("div",{id:d,className:(0,a.Z)(g.k.wrapper.main,Nt.mainWrapper,r),children:(0,u.jsx)(o.Z,{fallback:e=>(0,u.jsx)(jt,{...e}),children:t})}),!n&&(0,u.jsx)(_t,{})]})}},1327:(e,t,n)=>{"use strict";n.d(t,{Z:()=>u});n(7294);var r=n(3692),a=n(4996),o=n(2263),i=n(6668),s=n(9965),l=n(5893);function c(e){let{logo:t,alt:n,imageClassName:r}=e;const o={light:(0,a.ZP)(t.src),dark:(0,a.ZP)(t.srcDark||t.src)},i=(0,l.jsx)(s.Z,{className:t.className,sources:o,height:t.height,width:t.width,alt:n,style:t.style});return r?(0,l.jsx)("div",{className:r,children:i}):i}function u(e){const{siteConfig:{title:t}}=(0,o.Z)(),{navbar:{title:n,logo:s}}=(0,i.L)(),{imageClassName:u,titleClassName:d,...p}=e,f=(0,a.ZP)(s?.href||"/"),h=n?"":t,m=s?.alt??h;return(0,l.jsxs)(r.Z,{to:f,...p,...s?.target&&{target:s.target},children:[s&&(0,l.jsx)(c,{logo:s,alt:m,imageClassName:u}),null!=n&&(0,l.jsx)("b",{className:d,children:n})]})}},197:(e,t,n)=>{"use strict";n.d(t,{Z:()=>o});n(7294);var r=n(5742),a=n(5893);function o(e){let{locale:t,version:n,tag:o}=e;const i=t;return(0,a.jsxs)(r.Z,{children:[t&&(0,a.jsx)("meta",{name:"docusaurus_locale",content:t}),n&&(0,a.jsx)("meta",{name:"docusaurus_version",content:n}),o&&(0,a.jsx)("meta",{name:"docusaurus_tag",content:o}),i&&(0,a.jsx)("meta",{name:"docsearch:language",content:i}),n&&(0,a.jsx)("meta",{name:"docsearch:version",content:n}),o&&(0,a.jsx)("meta",{name:"docsearch:docusaurus_tag",content:o})]})}},9965:(e,t,n)=>{"use strict";n.d(t,{Z:()=>u});var r=n(7294),a=n(512),o=n(2389),i=n(2949);const s={themedComponent:"themedComponent_mlkZ","themedComponent--light":"themedComponent--light_NVdE","themedComponent--dark":"themedComponent--dark_xIcU"};var l=n(5893);function c(e){let{className:t,children:n}=e;const c=(0,o.Z)(),{colorMode:u}=(0,i.I)();return(0,l.jsx)(l.Fragment,{children:(c?"dark"===u?["dark"]:["light"]:["light","dark"]).map((e=>{const o=n({theme:e,className:(0,a.Z)(t,s.themedComponent,s[`themedComponent--${e}`])});return(0,l.jsx)(r.Fragment,{children:o},e)}))})}function u(e){const{sources:t,className:n,alt:r,...a}=e;return(0,l.jsx)(c,{className:n,children:e=>{let{theme:n,className:o}=e;return(0,l.jsx)("img",{src:t[n],alt:r,className:o,...a})}})}},6043:(e,t,n)=>{"use strict";n.d(t,{u:()=>c,z:()=>y});var r=n(7294),a=n(412),o=n(469),i=n(1442),s=n(5893);const l="ease-in-out";function c(e){let{initialState:t}=e;const[n,a]=(0,r.useState)(t??!1),o=(0,r.useCallback)((()=>{a((e=>!e))}),[]);return{collapsed:n,setCollapsed:a,toggleCollapsed:o}}const u={display:"none",overflow:"hidden",height:"0px"},d={display:"block",overflow:"visible",height:"auto"};function p(e,t){const n=t?u:d;e.style.display=n.display,e.style.overflow=n.overflow,e.style.height=n.height}function f(e){let{collapsibleRef:t,collapsed:n,animation:a}=e;const o=(0,r.useRef)(!1);(0,r.useEffect)((()=>{const e=t.current;function r(){const t=e.scrollHeight,n=a?.duration??function(e){if((0,i.n)())return 1;const t=e/36;return Math.round(10*(4+15*t**.25+t/5))}(t);return{transition:`height ${n}ms ${a?.easing??l}`,height:`${t}px`}}function s(){const t=r();e.style.transition=t.transition,e.style.height=t.height}if(!o.current)return p(e,n),void(o.current=!0);return e.style.willChange="height",function(){const t=requestAnimationFrame((()=>{n?(s(),requestAnimationFrame((()=>{e.style.height=u.height,e.style.overflow=u.overflow}))):(e.style.display="block",requestAnimationFrame((()=>{s()})))}));return()=>cancelAnimationFrame(t)}()}),[t,n,a])}function h(e){if(!a.Z.canUseDOM)return e?u:d}function m(e){let{as:t="div",collapsed:n,children:a,animation:o,onCollapseTransitionEnd:i,className:l,disableSSRStyle:c}=e;const u=(0,r.useRef)(null);return f({collapsibleRef:u,collapsed:n,animation:o}),(0,s.jsx)(t,{ref:u,style:c?void 0:h(n),onTransitionEnd:e=>{"height"===e.propertyName&&(p(u.current,n),i?.(n))},className:l,children:a})}function g(e){let{collapsed:t,...n}=e;const[a,i]=(0,r.useState)(!t),[l,c]=(0,r.useState)(t);return(0,o.Z)((()=>{t||i(!0)}),[t]),(0,o.Z)((()=>{a&&c(t)}),[a,t]),a?(0,s.jsx)(m,{...n,collapsed:l}):null}function y(e){let{lazy:t,...n}=e;const r=t?g:m;return(0,s.jsx)(r,{...n})}},9689:(e,t,n)=>{"use strict";n.d(t,{n:()=>m,p:()=>h});var r=n(7294),a=n(2389),o=n(812),i=n(902),s=n(6668),l=n(5893);const c=(0,o.WA)("docusaurus.announcement.dismiss"),u=(0,o.WA)("docusaurus.announcement.id"),d=()=>"true"===c.get(),p=e=>c.set(String(e)),f=r.createContext(null);function h(e){let{children:t}=e;const n=function(){const{announcementBar:e}=(0,s.L)(),t=(0,a.Z)(),[n,o]=(0,r.useState)((()=>!!t&&d()));(0,r.useEffect)((()=>{o(d())}),[]);const i=(0,r.useCallback)((()=>{p(!0),o(!0)}),[]);return(0,r.useEffect)((()=>{if(!e)return;const{id:t}=e;let n=u.get();"annoucement-bar"===n&&(n="announcement-bar");const r=t!==n;u.set(t),r&&p(!1),!r&&d()||o(!1)}),[e]),(0,r.useMemo)((()=>({isActive:!!e&&!n,close:i})),[e,n,i])}();return(0,l.jsx)(f.Provider,{value:n,children:t})}function m(){const e=(0,r.useContext)(f);if(!e)throw new i.i6("AnnouncementBarProvider");return e}},2949:(e,t,n)=>{"use strict";n.d(t,{I:()=>y,S:()=>g});var r=n(7294),a=n(412),o=n(902),i=n(812),s=n(6668),l=n(5893);const c=r.createContext(void 0),u="theme",d=(0,i.WA)(u),p={light:"light",dark:"dark"},f=e=>e===p.dark?p.dark:p.light,h=e=>a.Z.canUseDOM?f(document.documentElement.getAttribute("data-theme")):f(e),m=e=>{d.set(f(e))};function g(e){let{children:t}=e;const n=function(){const{colorMode:{defaultMode:e,disableSwitch:t,respectPrefersColorScheme:n}}=(0,s.L)(),[a,o]=(0,r.useState)(h(e));(0,r.useEffect)((()=>{t&&d.del()}),[t]);const i=(0,r.useCallback)((function(t,r){void 0===r&&(r={});const{persist:a=!0}=r;t?(o(t),a&&m(t)):(o(n?window.matchMedia("(prefers-color-scheme: dark)").matches?p.dark:p.light:e),d.del())}),[n,e]);(0,r.useEffect)((()=>{document.documentElement.setAttribute("data-theme",f(a))}),[a]),(0,r.useEffect)((()=>{if(t)return;const e=e=>{if(e.key!==u)return;const t=d.get();null!==t&&i(f(t))};return window.addEventListener("storage",e),()=>window.removeEventListener("storage",e)}),[t,i]);const l=(0,r.useRef)(!1);return(0,r.useEffect)((()=>{if(t&&!n)return;const e=window.matchMedia("(prefers-color-scheme: dark)"),r=()=>{window.matchMedia("print").matches||l.current?l.current=window.matchMedia("print").matches:i(null)};return e.addListener(r),()=>e.removeListener(r)}),[i,t,n]),(0,r.useMemo)((()=>({colorMode:a,setColorMode:i,get isDarkTheme(){return a===p.dark},setLightTheme(){i(p.light)},setDarkTheme(){i(p.dark)}})),[a,i])}();return(0,l.jsx)(c.Provider,{value:n,children:t})}function y(){const e=(0,r.useContext)(c);if(null==e)throw new o.i6("ColorModeProvider","Please see https://docusaurus.io/docs/api/themes/configuration#use-color-mode.");return e}},373:(e,t,n)=>{"use strict";n.d(t,{J:()=>v,L5:()=>y});var r=n(7294),a=n(143),o=n(9935),i=n(6668),s=n(3438),l=n(902),c=n(812),u=n(5893);const d=e=>`docs-preferred-version-${e}`,p={save:(e,t,n)=>{(0,c.WA)(d(e),{persistence:t}).set(n)},read:(e,t)=>(0,c.WA)(d(e),{persistence:t}).get(),clear:(e,t)=>{(0,c.WA)(d(e),{persistence:t}).del()}},f=e=>Object.fromEntries(e.map((e=>[e,{preferredVersionName:null}])));const h=r.createContext(null);function m(){const e=(0,a._r)(),t=(0,i.L)().docs.versionPersistence,n=(0,r.useMemo)((()=>Object.keys(e)),[e]),[o,s]=(0,r.useState)((()=>f(n)));(0,r.useEffect)((()=>{s(function(e){let{pluginIds:t,versionPersistence:n,allDocsData:r}=e;function a(e){const t=p.read(e,n);return r[e].versions.some((e=>e.name===t))?{preferredVersionName:t}:(p.clear(e,n),{preferredVersionName:null})}return Object.fromEntries(t.map((e=>[e,a(e)])))}({allDocsData:e,versionPersistence:t,pluginIds:n}))}),[e,t,n]);return[o,(0,r.useMemo)((()=>({savePreferredVersion:function(e,n){p.save(e,t,n),s((t=>({...t,[e]:{preferredVersionName:n}})))}})),[t])]}function g(e){let{children:t}=e;const n=m();return(0,u.jsx)(h.Provider,{value:n,children:t})}function y(e){let{children:t}=e;return s.cE?(0,u.jsx)(g,{children:t}):(0,u.jsx)(u.Fragment,{children:t})}function b(){const e=(0,r.useContext)(h);if(!e)throw new l.i6("DocsPreferredVersionContextProvider");return e}function v(e){void 0===e&&(e=o.m);const t=(0,a.zh)(e),[n,i]=b(),{preferredVersionName:s}=n[e];return{preferredVersion:t.versions.find((e=>e.name===s))??null,savePreferredVersionName:(0,r.useCallback)((t=>{i.savePreferredVersion(e,t)}),[i,e])}}},1116:(e,t,n)=>{"use strict";n.d(t,{V:()=>c,b:()=>l});var r=n(7294),a=n(902),o=n(5893);const i=Symbol("EmptyContext"),s=r.createContext(i);function l(e){let{children:t,name:n,items:a}=e;const i=(0,r.useMemo)((()=>n&&a?{name:n,items:a}:null),[n,a]);return(0,o.jsx)(s.Provider,{value:i,children:t})}function c(){const e=(0,r.useContext)(s);if(e===i)throw new a.i6("DocsSidebarProvider");return e}},4477:(e,t,n)=>{"use strict";n.d(t,{E:()=>l,q:()=>s});var r=n(7294),a=n(902),o=n(5893);const i=r.createContext(null);function s(e){let{children:t,version:n}=e;return(0,o.jsx)(i.Provider,{value:n,children:t})}function l(){const e=(0,r.useContext)(i);if(null===e)throw new a.i6("DocsVersionProvider");return e}},3163:(e,t,n)=>{"use strict";n.d(t,{M:()=>p,e:()=>f});var r=n(7294),a=n(3102),o=n(7524),i=n(1980),s=n(6668),l=n(902),c=n(5893);const u=r.createContext(void 0);function d(){const e=function(){const e=(0,a.HY)(),{items:t}=(0,s.L)().navbar;return 0===t.length&&!e.component}(),t=(0,o.i)(),n=!e&&"mobile"===t,[l,c]=(0,r.useState)(!1);(0,i.Rb)((()=>{if(l)return c(!1),!1}));const u=(0,r.useCallback)((()=>{c((e=>!e))}),[]);return(0,r.useEffect)((()=>{"desktop"===t&&c(!1)}),[t]),(0,r.useMemo)((()=>({disabled:e,shouldRender:n,toggle:u,shown:l})),[e,n,u,l])}function p(e){let{children:t}=e;const n=d();return(0,c.jsx)(u.Provider,{value:n,children:t})}function f(){const e=r.useContext(u);if(void 0===e)throw new l.i6("NavbarMobileSidebarProvider");return e}},3102:(e,t,n)=>{"use strict";n.d(t,{HY:()=>l,Zo:()=>c,n2:()=>s});var r=n(7294),a=n(902),o=n(5893);const i=r.createContext(null);function s(e){let{children:t}=e;const n=(0,r.useState)({component:null,props:null});return(0,o.jsx)(i.Provider,{value:n,children:t})}function l(){const e=(0,r.useContext)(i);if(!e)throw new a.i6("NavbarSecondaryMenuContentProvider");return e[0]}function c(e){let{component:t,props:n}=e;const o=(0,r.useContext)(i);if(!o)throw new a.i6("NavbarSecondaryMenuContentProvider");const[,s]=o,l=(0,a.Ql)(n);return(0,r.useEffect)((()=>{s({component:t,props:l})}),[s,t,l]),(0,r.useEffect)((()=>()=>s({component:null,props:null})),[s]),null}},9727:(e,t,n)=>{"use strict";n.d(t,{h:()=>a,t:()=>o});var r=n(7294);const a="navigation-with-keyboard";function o(){(0,r.useEffect)((()=>{function e(e){"keydown"===e.type&&"Tab"===e.key&&document.body.classList.add(a),"mousedown"===e.type&&document.body.classList.remove(a)}return document.addEventListener("keydown",e),document.addEventListener("mousedown",e),()=>{document.body.classList.remove(a),document.removeEventListener("keydown",e),document.removeEventListener("mousedown",e)}}),[])}},7524:(e,t,n)=>{"use strict";n.d(t,{i:()=>s});var r=n(7294),a=n(412);const o={desktop:"desktop",mobile:"mobile",ssr:"ssr"},i=996;function s(e){let{desktopBreakpoint:t=i}=void 0===e?{}:e;const[n,s]=(0,r.useState)((()=>"ssr"));return(0,r.useEffect)((()=>{function e(){s(function(e){if(!a.Z.canUseDOM)throw new Error("getWindowSize() should only be called after React hydration");return window.innerWidth>e?o.desktop:o.mobile}(t))}return e(),window.addEventListener("resize",e),()=>{window.removeEventListener("resize",e)}}),[t]),n}},5281:(e,t,n)=>{"use strict";n.d(t,{k:()=>r});const r={page:{blogListPage:"blog-list-page",blogPostPage:"blog-post-page",blogTagsListPage:"blog-tags-list-page",blogTagPostListPage:"blog-tags-post-list-page",docsDocPage:"docs-doc-page",docsTagsListPage:"docs-tags-list-page",docsTagDocListPage:"docs-tags-doc-list-page",mdxPage:"mdx-page"},wrapper:{main:"main-wrapper",blogPages:"blog-wrapper",docsPages:"docs-wrapper",mdxPages:"mdx-wrapper"},common:{editThisPage:"theme-edit-this-page",lastUpdated:"theme-last-updated",backToTopButton:"theme-back-to-top-button",codeBlock:"theme-code-block",admonition:"theme-admonition",unlistedBanner:"theme-unlisted-banner",admonitionType:e=>`theme-admonition-${e}`},layout:{},docs:{docVersionBanner:"theme-doc-version-banner",docVersionBadge:"theme-doc-version-badge",docBreadcrumbs:"theme-doc-breadcrumbs",docMarkdown:"theme-doc-markdown",docTocMobile:"theme-doc-toc-mobile",docTocDesktop:"theme-doc-toc-desktop",docFooter:"theme-doc-footer",docFooterTagsRow:"theme-doc-footer-tags-row",docFooterEditMetaRow:"theme-doc-footer-edit-meta-row",docSidebarContainer:"theme-doc-sidebar-container",docSidebarMenu:"theme-doc-sidebar-menu",docSidebarItemCategory:"theme-doc-sidebar-item-category",docSidebarItemLink:"theme-doc-sidebar-item-link",docSidebarItemCategoryLevel:e=>`theme-doc-sidebar-item-category-level-${e}`,docSidebarItemLinkLevel:e=>`theme-doc-sidebar-item-link-level-${e}`},blog:{blogFooterTagsRow:"theme-blog-footer-tags-row",blogFooterEditMetaRow:"theme-blog-footer-edit-meta-row"},pages:{pageFooterEditMetaRow:"theme-pages-footer-edit-meta-row"}}},1442:(e,t,n)=>{"use strict";function r(){return window.matchMedia("(prefers-reduced-motion: reduce)").matches}n.d(t,{n:()=>r})},3438:(e,t,n)=>{"use strict";n.d(t,{LM:()=>f,SN:()=>E,_F:()=>g,cE:()=>p,f:()=>b,lO:()=>k,oz:()=>x,s1:()=>w,vY:()=>S});var r=n(7294),a=n(6550),o=n(8790),i=n(143),s=n(373),l=n(4477),c=n(1116),u=n(7392),d=n(8596);const p=!!i._r;function f(e){return"link"!==e.type||e.unlisted?"category"===e.type?function(e){if(e.href&&!e.linkUnlisted)return e.href;for(const t of e.items){const e=f(t);if(e)return e}}(e):void 0:e.href}const h=(e,t)=>void 0!==e&&(0,d.Mg)(e,t),m=(e,t)=>e.some((e=>g(e,t)));function g(e,t){return"link"===e.type?h(e.href,t):"category"===e.type&&(h(e.href,t)||m(e.items,t))}function y(e,t){switch(e.type){case"category":return g(e,t)||e.items.some((e=>y(e,t)));case"link":return!e.unlisted||g(e,t);default:return!0}}function b(e,t){return(0,r.useMemo)((()=>e.filter((e=>y(e,t)))),[e,t])}function v(e){let{sidebarItems:t,pathname:n,onlyCategories:r=!1}=e;const a=[];return function e(t){for(const o of t)if("category"===o.type&&((0,d.Mg)(o.href,n)||e(o.items))||"link"===o.type&&(0,d.Mg)(o.href,n)){return r&&"category"!==o.type||a.unshift(o),!0}return!1}(t),a}function w(){const e=(0,c.V)(),{pathname:t}=(0,a.TH)(),n=(0,i.gA)()?.pluginData.breadcrumbs;return!1!==n&&e?v({sidebarItems:e.items,pathname:t}):null}function k(e){const{activeVersion:t}=(0,i.Iw)(e),{preferredVersion:n}=(0,s.J)(e),a=(0,i.yW)(e);return(0,r.useMemo)((()=>(0,u.j)([t,n,a].filter(Boolean))),[t,n,a])}function x(e,t){const n=k(t);return(0,r.useMemo)((()=>{const t=n.flatMap((e=>e.sidebars?Object.entries(e.sidebars):[])),r=t.find((t=>t[0]===e));if(!r)throw new Error(`Can't find any sidebar with id "${e}" in version${n.length>1?"s":""} ${n.map((e=>e.name)).join(", ")}".\nAvailable sidebar ids are:\n- ${t.map((e=>e[0])).join("\n- ")}`);return r[1]}),[e,n])}function S(e,t){const n=k(t);return(0,r.useMemo)((()=>{const t=n.flatMap((e=>e.docs)),r=t.find((t=>t.id===e));if(!r){if(n.flatMap((e=>e.draftIds)).includes(e))return null;throw new Error(`Couldn't find any doc with id "${e}" in version${n.length>1?"s":""} "${n.map((e=>e.name)).join(", ")}".\nAvailable doc ids are:\n- ${(0,u.j)(t.map((e=>e.id))).join("\n- ")}`)}return r}),[e,n])}function E(e){let{route:t}=e;const n=(0,a.TH)(),r=(0,l.E)(),i=t.routes,s=i.find((e=>(0,a.LX)(n.pathname,e)));if(!s)return null;const c=s.sidebar,u=c?r.docsSidebars[c]:void 0;return{docElement:(0,o.H)(i),sidebarName:c,sidebarItems:u}}},9690:(e,t,n)=>{"use strict";n.d(t,{aG:()=>u,Ac:()=>c,Cw:()=>l,QW:()=>d});var r=n(7294),a=n(5999),o=n(8780);const i={errorBoundaryError:"errorBoundaryError_a6uf",errorBoundaryFallback:"errorBoundaryFallback_VBag"};var s=n(5893);function l(e){return(0,s.jsx)("button",{type:"button",...e,children:(0,s.jsx)(a.Z,{id:"theme.ErrorPageContent.tryAgain",description:"The label of the button to try again rendering when the React error boundary captures an error",children:"Try again"})})}function c(e){let{error:t,tryAgain:n}=e;return(0,s.jsxs)("div",{className:i.errorBoundaryFallback,children:[(0,s.jsx)("p",{children:t.message}),(0,s.jsx)(l,{onClick:n})]})}function u(e){let{error:t}=e;const n=(0,o.getErrorCausalChain)(t).map((e=>e.message)).join("\n\nCause:\n");return(0,s.jsx)("p",{className:i.errorBoundaryError,children:n})}class d extends r.Component{componentDidCatch(e,t){throw this.props.onError(e,t)}render(){return this.props.children}}},1980:(e,t,n)=>{"use strict";n.d(t,{Rb:()=>i,_X:()=>l});var r=n(7294),a=n(6550),o=n(902);function i(e){!function(e){const t=(0,a.k6)(),n=(0,o.zX)(e);(0,r.useEffect)((()=>t.block(((e,t)=>n(e,t)))),[t,n])}(((t,n)=>{if("POP"===n)return e(t,n)}))}function s(e){const t=(0,a.k6)();return(0,r.useSyncExternalStore)(t.listen,(()=>e(t)),(()=>e(t)))}function l(e){return s((t=>null===e?null:new URLSearchParams(t.location.search).get(e)))}},7392:(e,t,n)=>{"use strict";function r(e,t){return void 0===t&&(t=(e,t)=>e===t),e.filter(((n,r)=>e.findIndex((e=>t(e,n)))!==r))}function a(e){return Array.from(new Set(e))}n.d(t,{j:()=>a,l:()=>r})},1944:(e,t,n)=>{"use strict";n.d(t,{FG:()=>f,d:()=>d,VC:()=>h});var r=n(7294),a=n(512),o=n(5742),i=n(226);function s(){const e=r.useContext(i._);if(!e)throw new Error("Unexpected: no Docusaurus route context found");return e}var l=n(4996),c=n(2263);var u=n(5893);function d(e){let{title:t,description:n,keywords:r,image:a,children:i}=e;const s=function(e){const{siteConfig:t}=(0,c.Z)(),{title:n,titleDelimiter:r}=t;return e?.trim().length?`${e.trim()} ${r} ${n}`:n}(t),{withBaseUrl:d}=(0,l.Cg)(),p=a?d(a,{absolute:!0}):void 0;return(0,u.jsxs)(o.Z,{children:[t&&(0,u.jsx)("title",{children:s}),t&&(0,u.jsx)("meta",{property:"og:title",content:s}),n&&(0,u.jsx)("meta",{name:"description",content:n}),n&&(0,u.jsx)("meta",{property:"og:description",content:n}),r&&(0,u.jsx)("meta",{name:"keywords",content:Array.isArray(r)?r.join(","):r}),p&&(0,u.jsx)("meta",{property:"og:image",content:p}),p&&(0,u.jsx)("meta",{name:"twitter:image",content:p}),i]})}const p=r.createContext(void 0);function f(e){let{className:t,children:n}=e;const i=r.useContext(p),s=(0,a.Z)(i,t);return(0,u.jsxs)(p.Provider,{value:s,children:[(0,u.jsx)(o.Z,{children:(0,u.jsx)("html",{className:s})}),n]})}function h(e){let{children:t}=e;const n=s(),r=`plugin-${n.plugin.name.replace(/docusaurus-(?:plugin|theme)-(?:content-)?/gi,"")}`;const o=`plugin-id-${n.plugin.id}`;return(0,u.jsx)(f,{className:(0,a.Z)(r,o),children:t})}},902:(e,t,n)=>{"use strict";n.d(t,{D9:()=>s,Qc:()=>u,Ql:()=>c,i6:()=>l,zX:()=>i});var r=n(7294),a=n(469),o=n(5893);function i(e){const t=(0,r.useRef)(e);return(0,a.Z)((()=>{t.current=e}),[e]),(0,r.useCallback)((function(){return t.current(...arguments)}),[])}function s(e){const t=(0,r.useRef)();return(0,a.Z)((()=>{t.current=e})),t.current}class l extends Error{constructor(e,t){super(),this.name="ReactContextError",this.message=`Hook ${this.stack?.split("\n")[1]?.match(/at (?:\w+\.)?(?<name>\w+)/)?.groups.name??""} is called outside the <${e}>. ${t??""}`}}function c(e){const t=Object.entries(e);return t.sort(((e,t)=>e[0].localeCompare(t[0]))),(0,r.useMemo)((()=>e),t.flat())}function u(e){return t=>{let{children:n}=t;return(0,o.jsx)(o.Fragment,{children:e.reduceRight(((e,t)=>(0,o.jsx)(t,{children:e})),n)})}}},8596:(e,t,n)=>{"use strict";n.d(t,{Mg:()=>i,Ns:()=>s});var r=n(7294),a=n(723),o=n(2263);function i(e,t){const n=e=>(!e||e.endsWith("/")?e:`${e}/`)?.toLowerCase();return n(e)===n(t)}function s(){const{baseUrl:e}=(0,o.Z)().siteConfig;return(0,r.useMemo)((()=>function(e){let{baseUrl:t,routes:n}=e;function r(e){return e.path===t&&!0===e.exact}function a(e){return e.path===t&&!e.exact}return function e(t){if(0===t.length)return;return t.find(r)||e(t.filter(a).flatMap((e=>e.routes??[])))}(n)}({routes:a.Z,baseUrl:e})),[e])}},2466:(e,t,n)=>{"use strict";n.d(t,{Ct:()=>m,OC:()=>u,RF:()=>f,o5:()=>h});var r=n(7294),a=n(412),o=n(2389),i=n(469),s=n(902),l=n(5893);const c=r.createContext(void 0);function u(e){let{children:t}=e;const n=function(){const e=(0,r.useRef)(!0);return(0,r.useMemo)((()=>({scrollEventsEnabledRef:e,enableScrollEvents:()=>{e.current=!0},disableScrollEvents:()=>{e.current=!1}})),[])}();return(0,l.jsx)(c.Provider,{value:n,children:t})}function d(){const e=(0,r.useContext)(c);if(null==e)throw new s.i6("ScrollControllerProvider");return e}const p=()=>a.Z.canUseDOM?{scrollX:window.pageXOffset,scrollY:window.pageYOffset}:null;function f(e,t){void 0===t&&(t=[]);const{scrollEventsEnabledRef:n}=d(),a=(0,r.useRef)(p()),o=(0,s.zX)(e);(0,r.useEffect)((()=>{const e=()=>{if(!n.current)return;const e=p();o(e,a.current),a.current=e},t={passive:!0};return e(),window.addEventListener("scroll",e,t),()=>window.removeEventListener("scroll",e,t)}),[o,n,...t])}function h(){const e=d(),t=function(){const e=(0,r.useRef)({elem:null,top:0}),t=(0,r.useCallback)((t=>{e.current={elem:t,top:t.getBoundingClientRect().top}}),[]),n=(0,r.useCallback)((()=>{const{current:{elem:t,top:n}}=e;if(!t)return{restored:!1};const r=t.getBoundingClientRect().top-n;return r&&window.scrollBy({left:0,top:r}),e.current={elem:null,top:0},{restored:0!==r}}),[]);return(0,r.useMemo)((()=>({save:t,restore:n})),[n,t])}(),n=(0,r.useRef)(void 0),a=(0,r.useCallback)((r=>{t.save(r),e.disableScrollEvents(),n.current=()=>{const{restored:r}=t.restore();if(n.current=void 0,r){const t=()=>{e.enableScrollEvents(),window.removeEventListener("scroll",t)};window.addEventListener("scroll",t)}else e.enableScrollEvents()}}),[e,t]);return(0,i.Z)((()=>{queueMicrotask((()=>n.current?.()))})),{blockElementScrollPositionUntilNextRender:a}}function m(){const e=(0,r.useRef)(null),t=(0,o.Z)()&&"smooth"===getComputedStyle(document.documentElement).scrollBehavior;return{startScroll:n=>{e.current=t?function(e){return window.scrollTo({top:e,behavior:"smooth"}),()=>{}}(n):function(e){let t=null;const n=document.documentElement.scrollTop>e;return function r(){const a=document.documentElement.scrollTop;(n&&a>e||!n&&a<e)&&(t=requestAnimationFrame(r),window.scrollTo(0,Math.floor(.85*(a-e))+e))}(),()=>t&&cancelAnimationFrame(t)}(n)},cancelScroll:()=>e.current?.()}}},3320:(e,t,n)=>{"use strict";n.d(t,{HX:()=>r,os:()=>a});n(2263);const r="default";function a(e,t){return`docs-${e}-${t}`}},812:(e,t,n)=>{"use strict";n.d(t,{WA:()=>u,Nk:()=>d});var r=n(7294);const a=JSON.parse('{"d":"localStorage","u":""}'),o=a.d;function i(e){let{key:t,oldValue:n,newValue:r,storage:a}=e;if(n===r)return;const o=document.createEvent("StorageEvent");o.initStorageEvent("storage",!1,!1,t,n,r,window.location.href,a),window.dispatchEvent(o)}function s(e){if(void 0===e&&(e=o),"undefined"==typeof window)throw new Error("Browser storage is not available on Node.js/Docusaurus SSR process.");if("none"===e)return null;try{return window[e]}catch(n){return t=n,l||(console.warn("Docusaurus browser storage is not available.\nPossible reasons: running Docusaurus in an iframe, in an incognito browser session, or using too strict browser privacy settings.",t),l=!0),null}var t}let l=!1;const c={get:()=>null,set:()=>{},del:()=>{},listen:()=>()=>{}};function u(e,t){const n=`${e}${a.u}`;if("undefined"==typeof window)return function(e){function t(){throw new Error(`Illegal storage API usage for storage key "${e}".\nDocusaurus storage APIs are not supposed to be called on the server-rendering process.\nPlease only call storage APIs in effects and event handlers.`)}return{get:t,set:t,del:t,listen:t}}(n);const r=s(t?.persistence);return null===r?c:{get:()=>{try{return r.getItem(n)}catch(e){return console.error(`Docusaurus storage error, can't get key=${n}`,e),null}},set:e=>{try{const t=r.getItem(n);r.setItem(n,e),i({key:n,oldValue:t,newValue:e,storage:r})}catch(t){console.error(`Docusaurus storage error, can't set ${n}=${e}`,t)}},del:()=>{try{const e=r.getItem(n);r.removeItem(n),i({key:n,oldValue:e,newValue:null,storage:r})}catch(e){console.error(`Docusaurus storage error, can't delete key=${n}`,e)}},listen:e=>{try{const t=t=>{t.storageArea===r&&t.key===n&&e(t)};return window.addEventListener("storage",t),()=>window.removeEventListener("storage",t)}catch(t){return console.error(`Docusaurus storage error, can't listen for changes of key=${n}`,t),()=>{}}}}}function d(e,t){const n=(0,r.useRef)((()=>null===e?c:u(e,t))).current(),a=(0,r.useCallback)((e=>"undefined"==typeof window?()=>{}:n.listen(e)),[n]);return[(0,r.useSyncExternalStore)(a,(()=>"undefined"==typeof window?null:n.get()),(()=>null)),n]}},4711:(e,t,n)=>{"use strict";n.d(t,{l:()=>i});var r=n(2263),a=n(6550),o=n(8780);function i(){const{siteConfig:{baseUrl:e,url:t,trailingSlash:n},i18n:{defaultLocale:i,currentLocale:s}}=(0,r.Z)(),{pathname:l}=(0,a.TH)(),c=(0,o.applyTrailingSlash)(l,{trailingSlash:n,baseUrl:e}),u=s===i?e:e.replace(`/${s}/`,"/"),d=c.replace(e,"");return{createUrl:function(e){let{locale:n,fullyQualified:r}=e;return`${r?t:""}${function(e){return e===i?`${u}`:`${u}${e}/`}(n)}${d}`}}}},5936:(e,t,n)=>{"use strict";n.d(t,{S:()=>i});var r=n(7294),a=n(6550),o=n(902);function i(e){const t=(0,a.TH)(),n=(0,o.D9)(t),i=(0,o.zX)(e);(0,r.useEffect)((()=>{n&&t!==n&&i({location:t,previousLocation:n})}),[i,t,n])}},6668:(e,t,n)=>{"use strict";n.d(t,{L:()=>a});var r=n(2263);function a(){return(0,r.Z)().siteConfig.themeConfig}},8802:(e,t,n)=>{"use strict";Object.defineProperty(t,"__esModule",{value:!0}),t.removeTrailingSlash=t.addLeadingSlash=t.addTrailingSlash=void 0;const r=n(5913);function a(e){return e.endsWith("/")?e:`${e}/`}function o(e){return(0,r.removeSuffix)(e,"/")}t.addTrailingSlash=a,t.default=function(e,t){const{trailingSlash:n,baseUrl:r}=t;if(e.startsWith("#"))return e;if(void 0===n)return e;const[i]=e.split(/[#?]/),s="/"===i||i===r?i:(l=i,n?a(l):o(l));var l;return e.replace(i,s)},t.addLeadingSlash=function(e){return(0,r.addPrefix)(e,"/")},t.removeTrailingSlash=o},4143:(e,t)=>{"use strict";Object.defineProperty(t,"__esModule",{value:!0}),t.getErrorCausalChain=void 0,t.getErrorCausalChain=function e(t){return t.cause?[t,...e(t.cause)]:[t]}},8780:function(e,t,n){"use strict";var r=this&&this.__importDefault||function(e){return e&&e.__esModule?e:{default:e}};Object.defineProperty(t,"__esModule",{value:!0}),t.getErrorCausalChain=t.removePrefix=t.addSuffix=t.removeSuffix=t.addPrefix=t.removeTrailingSlash=t.addLeadingSlash=t.addTrailingSlash=t.applyTrailingSlash=t.blogPostContainerID=void 0,t.blogPostContainerID="__blog-post-container";var a=n(8802);Object.defineProperty(t,"applyTrailingSlash",{enumerable:!0,get:function(){return r(a).default}}),Object.defineProperty(t,"addTrailingSlash",{enumerable:!0,get:function(){return a.addTrailingSlash}}),Object.defineProperty(t,"addLeadingSlash",{enumerable:!0,get:function(){return a.addLeadingSlash}}),Object.defineProperty(t,"removeTrailingSlash",{enumerable:!0,get:function(){return a.removeTrailingSlash}});var o=n(5913);Object.defineProperty(t,"addPrefix",{enumerable:!0,get:function(){return o.addPrefix}}),Object.defineProperty(t,"removeSuffix",{enumerable:!0,get:function(){return o.removeSuffix}}),Object.defineProperty(t,"addSuffix",{enumerable:!0,get:function(){return o.addSuffix}}),Object.defineProperty(t,"removePrefix",{enumerable:!0,get:function(){return o.removePrefix}});var i=n(4143);Object.defineProperty(t,"getErrorCausalChain",{enumerable:!0,get:function(){return i.getErrorCausalChain}})},5913:(e,t)=>{"use strict";Object.defineProperty(t,"__esModule",{value:!0}),t.removePrefix=t.addSuffix=t.removeSuffix=t.addPrefix=void 0,t.addPrefix=function(e,t){return e.startsWith(t)?e:`${t}${e}`},t.removeSuffix=function(e,t){return""===t?e:e.endsWith(t)?e.slice(0,-t.length):e},t.addSuffix=function(e,t){return e.endsWith(t)?e:`${e}${t}`},t.removePrefix=function(e,t){return e.startsWith(t)?e.slice(t.length):e}},311:(e,t,n)=>{"use strict";n.d(t,{Z:()=>i});n(7294);var r=n(1728);const a={loadingRing:"loadingRing_RJI3","loading-ring":"loading-ring_FB5o"};var o=n(5893);function i(e){let{className:t}=e;return(0,o.jsxs)("div",{className:(0,r.Z)(a.loadingRing,t),children:[(0,o.jsx)("div",{}),(0,o.jsx)("div",{}),(0,o.jsx)("div",{}),(0,o.jsx)("div",{})]})}},22:(e,t,n)=>{"use strict";n.d(t,{w:()=>s});var r=n(1336),a=n.n(r),o=n(1029);const i=new Map;function s(e,t){const n=`${e}${t}`;let r=i.get(n);return r||(r=async function(e,t){{const n=`${e}${o.J.replace("{dir}",t?`-${t.replace(/\//g,"-")}`:"")}`;if(new URL(n,location.origin).origin!==location.origin)throw new Error("Unexpected version url");const r=await(await fetch(n)).json(),i=r.map(((e,t)=>{let{documents:n,index:r}=e;return{type:t,documents:n,index:a().Index.load(r)}})),s=r.reduce(((e,t)=>{for(const n of t.index.invertedIndex)/\p{Unified_Ideograph}/u.test(n[0][0])&&e.add(n[0]);return e}),new Set);return{wrappedIndexes:i,zhDictionary:Array.from(s)}}return{wrappedIndexes:[],zhDictionary:[]}}(e,t),i.set(n,r)),r}},8202:(e,t,n)=>{"use strict";n.d(t,{v:()=>c});var r=n(1336),a=n.n(r);var o=n(1029);function i(e){return s(e).concat(s(e.filter((e=>{const t=e[e.length-1];return!t.trailing&&t.maybeTyping})),!0))}function s(e,t){return e.map((e=>({tokens:e.map((e=>e.value)),term:e.map((e=>({value:e.value,presence:a().Query.presence.REQUIRED,wildcard:(t?e.trailing||e.maybeTyping:e.trailing)?a().Query.wildcard.TRAILING:a().Query.wildcard.NONE})))})))}var l=n(3545);function c(e,t,n){return function(r,s){const c=function(e,t){if(1===t.length&&["ja","jp","th"].includes(t[0]))return a()[t[0]].tokenizer(e).map((e=>e.toString()));let n=/[^-\s]+/g;return t.includes("zh")&&(n=/\w+|\p{Unified_Ideograph}+/gu),e.toLowerCase().match(n)||[]}(r,o.dK);if(0===c.length)return void s([]);const u=function(e,t){const n=function(e,t){const n=[];return function e(r,a){if(0===r.length)return void n.push(a);const o=r[0];if(/\p{Unified_Ideograph}/u.test(o)){const n=function(e,t){const n=[];return function e(r,a){let o=0,i=!1;for(const s of t)if(r.substr(0,s.length)===s){const t={missed:a.missed,term:a.term.concat({value:s})};r.length>s.length?e(r.substr(s.length),t):n.push(t),i=!0}else for(let t=s.length-1;t>o;t-=1){const l=s.substr(0,t);if(r.substr(0,t)===l){o=t;const s={missed:a.missed,term:a.term.concat({value:l,trailing:!0})};r.length>t?e(r.substr(t),s):n.push(s),i=!0;break}}i||(r.length>0?e(r.substr(1),{missed:a.missed+1,term:a.term}):a.term.length>0&&n.push(a))}(e,{missed:0,term:[]}),n.sort(((e,t)=>{const n=e.missed>0?1:0,r=t.missed>0?1:0;return n!==r?n-r:e.term.length-t.term.length})).map((e=>e.term))}(o,t);for(const t of n){const n=a.concat(...t);e(r.slice(1),n)}}else{const t=a.concat({value:o});e(r.slice(1),t)}}(e,[]),n}(e,t);if(0===n.length)return[{tokens:e,term:e.map((e=>({value:e,presence:a().Query.presence.REQUIRED,wildcard:a().Query.wildcard.LEADING|a().Query.wildcard.TRAILING})))}];for(const a of n)a[a.length-1].maybeTyping=!0;const r=[];for(const i of o.dK)if("en"===i)o._k||r.unshift(a().stopWordFilter);else{const e=a()[i];e.stopWordFilter&&r.unshift(e.stopWordFilter)}let s;if(r.length>0){const e=e=>r.reduce(((e,t)=>e.filter((e=>t(e.value)))),e);s=[];const t=[];for(const r of n){const n=e(r);s.push(n),n.length<r.length&&n.length>0&&t.push(n)}n.push(...t)}else s=n.slice();const l=[];for(const a of s)if(a.length>2)for(let e=a.length-1;e>=0;e-=1)l.push(a.slice(0,e).concat(a.slice(e+1)));return i(n).concat(i(l))}(c,t),d=[];e:for(const{term:t,tokens:a}of u)for(const{documents:r,index:o,type:i}of e)if(d.push(...o.query((e=>{for(const n of t)e.term(n.value,{wildcard:n.wildcard,presence:n.presence})})).slice(0,n).filter((e=>!d.some((t=>t.document.i.toString()===e.ref)))).slice(0,n-d.length).map((t=>{const n=r.find((e=>e.i.toString()===t.ref));return{document:n,type:i,page:i!==l.P.Title&&e[0].documents.find((e=>e.i===n.p)),metadata:t.matchData.metadata,tokens:a,score:t.score}}))),d.length>=n)break e;!function(e){e.forEach(((e,t)=>{e.index=t})),e.sort(((t,n)=>{let r=t.type!==l.P.Heading&&t.type!==l.P.Content&&t.type!==l.P.Description||!t.page?t.index:e.findIndex((e=>e.document===t.page)),a=n.type!==l.P.Heading&&n.type!==l.P.Content&&n.type!==l.P.Description||!n.page?n.index:e.findIndex((e=>e.document===n.page));if(-1===r&&(r=t.index),-1===a&&(a=n.index),r===a){const e=(0===n.type?1:0)-(0===t.type?1:0);return 0===e?t.index-n.index:e}return r-a}))}(d),function(e){e.forEach(((t,n)=>{n>0&&t.page&&e.slice(0,n).some((e=>(e.type===l.P.Keywords?e.page:e.document)===t.page))&&(n<e.length-1&&e[n+1].page===t.page?t.isInterOfTree=!0:t.isLastOfTree=!0)}))}(d),s(d)}}},3926:(e,t,n)=>{"use strict";function r(e){return e.join(" \u203a ")}n.d(t,{e:()=>r})},1690:(e,t,n)=>{"use strict";function r(e){return e.replace(/&/g,"&").replace(/</g,"<").replace(/>/g,">").replace(/"/g,""").replace(/'/g,"'")}n.d(t,{X:()=>r})},1073:(e,t,n)=>{"use strict";function r(e,t){const n=[];for(const r of Object.values(e))r[t]&&n.push(...r[t].position);return n.sort(((e,t)=>e[0]-t[0]||t[1]-e[1]))}n.d(t,{m:()=>r})},2539:(e,t,n)=>{"use strict";n.d(t,{C:()=>a});var r=n(1690);function a(e,t,n){const o=[];for(const i of t){const n=e.toLowerCase().indexOf(i);if(n>=0){n>0&&o.push(a(e.substr(0,n),t)),o.push(`<mark>${(0,r.X)(e.substr(n,i.length))}</mark>`);const s=n+i.length;s<e.length&&o.push(a(e.substr(s),t));break}}return 0===o.length?n?`<mark>${(0,r.X)(e)}</mark>`:(0,r.X)(e):o.join("")}},726:(e,t,n)=>{"use strict";n.d(t,{o:()=>l});var r=n(1690),a=n(2539);const o=/\w+|\p{Unified_Ideograph}/u;function i(e){const t=[];let n=0,r=e;for(;r.length>0;){const a=r.match(o);if(!a){t.push(r);break}a.index>0&&t.push(r.substring(0,a.index)),t.push(a[0]),n+=a.index+a[0].length,r=e.substring(n)}return t}var s=n(1029);function l(e,t,n,o){void 0===o&&(o=s.Hk);const{chunkIndex:l,chunks:c}=function(e,t,n){const o=[];let s=0,l=0,c=-1;for(;s<t.length;){const[u,d]=t[s];if(s+=1,!(u<l)){if(u>l){const t=i(e.substring(l,u)).map((e=>({html:(0,r.X)(e),textLength:e.length})));for(const e of t)o.push(e)}-1===c&&(c=o.length),l=u+d,o.push({html:(0,a.C)(e.substring(u,l),n,!0),textLength:d})}}if(l<e.length){const t=i(e.substring(l)).map((e=>({html:(0,r.X)(e),textLength:e.length})));for(const e of t)o.push(e)}return{chunkIndex:c,chunks:o}}(e,t,n),u=c.slice(0,l),d=c[l],p=[d.html],f=c.slice(l+1);let h=d.textLength,m=0,g=0,y=!1,b=!1;for(;h<o;)if((m<=g||0===f.length)&&u.length>0){const e=u.pop();h+e.textLength<=o?(p.unshift(e.html),m+=e.textLength,h+=e.textLength):(y=!0,u.length=0)}else{if(!(f.length>0))break;{const e=f.shift();h+e.textLength<=o?(p.push(e.html),g+=e.textLength,h+=e.textLength):(b=!0,f.length=0)}}return(y||u.length>0)&&p.unshift("\u2026"),(b||f.length>0)&&p.push("\u2026"),p.join("")}},51:(e,t,n)=>{"use strict";function r(e,t){if("string"==typeof e)return{label:e,path:e};{const{label:n,path:r}=e;return"string"==typeof n?{label:n,path:r}:Object.prototype.hasOwnProperty.call(n,t)?{label:n[t],path:r}:{label:r,path:r}}}n.d(t,{_:()=>r})},1029:(e,t,n)=>{"use strict";n.d(t,{vc:()=>a(),gQ:()=>h,H6:()=>u,hG:()=>y,l9:()=>m,dK:()=>o,_k:()=>i,pu:()=>f,AY:()=>d,t_:()=>p,Kc:()=>g,J:()=>s,Hk:()=>c,qo:()=>l,pQ:()=>b});n(1336);var r=n(813),a=n.n(r);const o=["en"],i=!1,s="search-index{dir}.json?_=77f662a8",l=8,c=50,u=!1,d=!0,p=!0,f="right",h=void 0,m=!0,g=null,y=!1,b=!1},3545:(e,t,n)=>{"use strict";var r;n.d(t,{P:()=>r}),function(e){e[e.Title=0]="Title",e[e.Heading=1]="Heading",e[e.Description=2]="Description",e[e.Keywords=3]="Keywords",e[e.Content=4]="Content"}(r||(r={}))},9318:(e,t,n)=>{"use strict";n.d(t,{lX:()=>w,q_:()=>_,ob:()=>f,PP:()=>L,Ep:()=>p});var r=n(7462);function a(e){return"/"===e.charAt(0)}function o(e,t){for(var n=t,r=n+1,a=e.length;r<a;n+=1,r+=1)e[n]=e[r];e.pop()}const i=function(e,t){void 0===t&&(t="");var n,r=e&&e.split("/")||[],i=t&&t.split("/")||[],s=e&&a(e),l=t&&a(t),c=s||l;if(e&&a(e)?i=r:r.length&&(i.pop(),i=i.concat(r)),!i.length)return"/";if(i.length){var u=i[i.length-1];n="."===u||".."===u||""===u}else n=!1;for(var d=0,p=i.length;p>=0;p--){var f=i[p];"."===f?o(i,p):".."===f?(o(i,p),d++):d&&(o(i,p),d--)}if(!c)for(;d--;d)i.unshift("..");!c||""===i[0]||i[0]&&a(i[0])||i.unshift("");var h=i.join("/");return n&&"/"!==h.substr(-1)&&(h+="/"),h};var s=n(8776);function l(e){return"/"===e.charAt(0)?e:"/"+e}function c(e){return"/"===e.charAt(0)?e.substr(1):e}function u(e,t){return function(e,t){return 0===e.toLowerCase().indexOf(t.toLowerCase())&&-1!=="/?#".indexOf(e.charAt(t.length))}(e,t)?e.substr(t.length):e}function d(e){return"/"===e.charAt(e.length-1)?e.slice(0,-1):e}function p(e){var t=e.pathname,n=e.search,r=e.hash,a=t||"/";return n&&"?"!==n&&(a+="?"===n.charAt(0)?n:"?"+n),r&&"#"!==r&&(a+="#"===r.charAt(0)?r:"#"+r),a}function f(e,t,n,a){var o;"string"==typeof e?(o=function(e){var t=e||"/",n="",r="",a=t.indexOf("#");-1!==a&&(r=t.substr(a),t=t.substr(0,a));var o=t.indexOf("?");return-1!==o&&(n=t.substr(o),t=t.substr(0,o)),{pathname:t,search:"?"===n?"":n,hash:"#"===r?"":r}}(e),o.state=t):(void 0===(o=(0,r.Z)({},e)).pathname&&(o.pathname=""),o.search?"?"!==o.search.charAt(0)&&(o.search="?"+o.search):o.search="",o.hash?"#"!==o.hash.charAt(0)&&(o.hash="#"+o.hash):o.hash="",void 0!==t&&void 0===o.state&&(o.state=t));try{o.pathname=decodeURI(o.pathname)}catch(s){throw s instanceof URIError?new URIError('Pathname "'+o.pathname+'" could not be decoded. This is likely caused by an invalid percent-encoding.'):s}return n&&(o.key=n),a?o.pathname?"/"!==o.pathname.charAt(0)&&(o.pathname=i(o.pathname,a.pathname)):o.pathname=a.pathname:o.pathname||(o.pathname="/"),o}function h(){var e=null;var t=[];return{setPrompt:function(t){return e=t,function(){e===t&&(e=null)}},confirmTransitionTo:function(t,n,r,a){if(null!=e){var o="function"==typeof e?e(t,n):e;"string"==typeof o?"function"==typeof r?r(o,a):a(!0):a(!1!==o)}else a(!0)},appendListener:function(e){var n=!0;function r(){n&&e.apply(void 0,arguments)}return t.push(r),function(){n=!1,t=t.filter((function(e){return e!==r}))}},notifyListeners:function(){for(var e=arguments.length,n=new Array(e),r=0;r<e;r++)n[r]=arguments[r];t.forEach((function(e){return e.apply(void 0,n)}))}}}var m=!("undefined"==typeof window||!window.document||!window.document.createElement);function g(e,t){t(window.confirm(e))}var y="popstate",b="hashchange";function v(){try{return window.history.state||{}}catch(e){return{}}}function w(e){void 0===e&&(e={}),m||(0,s.Z)(!1);var t,n=window.history,a=(-1===(t=window.navigator.userAgent).indexOf("Android 2.")&&-1===t.indexOf("Android 4.0")||-1===t.indexOf("Mobile Safari")||-1!==t.indexOf("Chrome")||-1!==t.indexOf("Windows Phone"))&&window.history&&"pushState"in window.history,o=!(-1===window.navigator.userAgent.indexOf("Trident")),i=e,c=i.forceRefresh,w=void 0!==c&&c,k=i.getUserConfirmation,x=void 0===k?g:k,S=i.keyLength,E=void 0===S?6:S,C=e.basename?d(l(e.basename)):"";function _(e){var t=e||{},n=t.key,r=t.state,a=window.location,o=a.pathname+a.search+a.hash;return C&&(o=u(o,C)),f(o,r,n)}function T(){return Math.random().toString(36).substr(2,E)}var L=h();function R(e){(0,r.Z)($,e),$.length=n.length,L.notifyListeners($.location,$.action)}function j(e){(function(e){return void 0===e.state&&-1===navigator.userAgent.indexOf("CriOS")})(e)||A(_(e.state))}function N(){A(_(v()))}var P=!1;function A(e){if(P)P=!1,R();else{L.confirmTransitionTo(e,"POP",x,(function(t){t?R({action:"POP",location:e}):function(e){var t=$.location,n=I.indexOf(t.key);-1===n&&(n=0);var r=I.indexOf(e.key);-1===r&&(r=0);var a=n-r;a&&(P=!0,F(a))}(e)}))}}var O=_(v()),I=[O.key];function D(e){return C+p(e)}function F(e){n.go(e)}var M=0;function z(e){1===(M+=e)&&1===e?(window.addEventListener(y,j),o&&window.addEventListener(b,N)):0===M&&(window.removeEventListener(y,j),o&&window.removeEventListener(b,N))}var B=!1;var $={length:n.length,action:"POP",location:O,createHref:D,push:function(e,t){var r="PUSH",o=f(e,t,T(),$.location);L.confirmTransitionTo(o,r,x,(function(e){if(e){var t=D(o),i=o.key,s=o.state;if(a)if(n.pushState({key:i,state:s},null,t),w)window.location.href=t;else{var l=I.indexOf($.location.key),c=I.slice(0,l+1);c.push(o.key),I=c,R({action:r,location:o})}else window.location.href=t}}))},replace:function(e,t){var r="REPLACE",o=f(e,t,T(),$.location);L.confirmTransitionTo(o,r,x,(function(e){if(e){var t=D(o),i=o.key,s=o.state;if(a)if(n.replaceState({key:i,state:s},null,t),w)window.location.replace(t);else{var l=I.indexOf($.location.key);-1!==l&&(I[l]=o.key),R({action:r,location:o})}else window.location.replace(t)}}))},go:F,goBack:function(){F(-1)},goForward:function(){F(1)},block:function(e){void 0===e&&(e=!1);var t=L.setPrompt(e);return B||(z(1),B=!0),function(){return B&&(B=!1,z(-1)),t()}},listen:function(e){var t=L.appendListener(e);return z(1),function(){z(-1),t()}}};return $}var k="hashchange",x={hashbang:{encodePath:function(e){return"!"===e.charAt(0)?e:"!/"+c(e)},decodePath:function(e){return"!"===e.charAt(0)?e.substr(1):e}},noslash:{encodePath:c,decodePath:l},slash:{encodePath:l,decodePath:l}};function S(e){var t=e.indexOf("#");return-1===t?e:e.slice(0,t)}function E(){var e=window.location.href,t=e.indexOf("#");return-1===t?"":e.substring(t+1)}function C(e){window.location.replace(S(window.location.href)+"#"+e)}function _(e){void 0===e&&(e={}),m||(0,s.Z)(!1);var t=window.history,n=(window.navigator.userAgent.indexOf("Firefox"),e),a=n.getUserConfirmation,o=void 0===a?g:a,i=n.hashType,c=void 0===i?"slash":i,y=e.basename?d(l(e.basename)):"",b=x[c],v=b.encodePath,w=b.decodePath;function _(){var e=w(E());return y&&(e=u(e,y)),f(e)}var T=h();function L(e){(0,r.Z)(B,e),B.length=t.length,T.notifyListeners(B.location,B.action)}var R=!1,j=null;function N(){var e,t,n=E(),r=v(n);if(n!==r)C(r);else{var a=_(),i=B.location;if(!R&&(t=a,(e=i).pathname===t.pathname&&e.search===t.search&&e.hash===t.hash))return;if(j===p(a))return;j=null,function(e){if(R)R=!1,L();else{var t="POP";T.confirmTransitionTo(e,t,o,(function(n){n?L({action:t,location:e}):function(e){var t=B.location,n=I.lastIndexOf(p(t));-1===n&&(n=0);var r=I.lastIndexOf(p(e));-1===r&&(r=0);var a=n-r;a&&(R=!0,D(a))}(e)}))}}(a)}}var P=E(),A=v(P);P!==A&&C(A);var O=_(),I=[p(O)];function D(e){t.go(e)}var F=0;function M(e){1===(F+=e)&&1===e?window.addEventListener(k,N):0===F&&window.removeEventListener(k,N)}var z=!1;var B={length:t.length,action:"POP",location:O,createHref:function(e){var t=document.querySelector("base"),n="";return t&&t.getAttribute("href")&&(n=S(window.location.href)),n+"#"+v(y+p(e))},push:function(e,t){var n="PUSH",r=f(e,void 0,void 0,B.location);T.confirmTransitionTo(r,n,o,(function(e){if(e){var t=p(r),a=v(y+t);if(E()!==a){j=t,function(e){window.location.hash=e}(a);var o=I.lastIndexOf(p(B.location)),i=I.slice(0,o+1);i.push(t),I=i,L({action:n,location:r})}else L()}}))},replace:function(e,t){var n="REPLACE",r=f(e,void 0,void 0,B.location);T.confirmTransitionTo(r,n,o,(function(e){if(e){var t=p(r),a=v(y+t);E()!==a&&(j=t,C(a));var o=I.indexOf(p(B.location));-1!==o&&(I[o]=t),L({action:n,location:r})}}))},go:D,goBack:function(){D(-1)},goForward:function(){D(1)},block:function(e){void 0===e&&(e=!1);var t=T.setPrompt(e);return z||(M(1),z=!0),function(){return z&&(z=!1,M(-1)),t()}},listen:function(e){var t=T.appendListener(e);return M(1),function(){M(-1),t()}}};return B}function T(e,t,n){return Math.min(Math.max(e,t),n)}function L(e){void 0===e&&(e={});var t=e,n=t.getUserConfirmation,a=t.initialEntries,o=void 0===a?["/"]:a,i=t.initialIndex,s=void 0===i?0:i,l=t.keyLength,c=void 0===l?6:l,u=h();function d(e){(0,r.Z)(w,e),w.length=w.entries.length,u.notifyListeners(w.location,w.action)}function m(){return Math.random().toString(36).substr(2,c)}var g=T(s,0,o.length-1),y=o.map((function(e){return f(e,void 0,"string"==typeof e?m():e.key||m())})),b=p;function v(e){var t=T(w.index+e,0,w.entries.length-1),r=w.entries[t];u.confirmTransitionTo(r,"POP",n,(function(e){e?d({action:"POP",location:r,index:t}):d()}))}var w={length:y.length,action:"POP",location:y[g],index:g,entries:y,createHref:b,push:function(e,t){var r="PUSH",a=f(e,t,m(),w.location);u.confirmTransitionTo(a,r,n,(function(e){if(e){var t=w.index+1,n=w.entries.slice(0);n.length>t?n.splice(t,n.length-t,a):n.push(a),d({action:r,location:a,index:t,entries:n})}}))},replace:function(e,t){var r="REPLACE",a=f(e,t,m(),w.location);u.confirmTransitionTo(a,r,n,(function(e){e&&(w.entries[w.index]=a,d({action:r,location:a}))}))},go:v,goBack:function(){v(-1)},goForward:function(){v(1)},canGo:function(e){var t=w.index+e;return t>=0&&t<w.entries.length},block:function(e){return void 0===e&&(e=!1),u.setPrompt(e)},listen:function(e){return u.appendListener(e)}};return w}},8679:(e,t,n)=>{"use strict";var r=n(9864),a={childContextTypes:!0,contextType:!0,contextTypes:!0,defaultProps:!0,displayName:!0,getDefaultProps:!0,getDerivedStateFromError:!0,getDerivedStateFromProps:!0,mixins:!0,propTypes:!0,type:!0},o={name:!0,length:!0,prototype:!0,caller:!0,callee:!0,arguments:!0,arity:!0},i={$$typeof:!0,compare:!0,defaultProps:!0,displayName:!0,propTypes:!0,type:!0},s={};function l(e){return r.isMemo(e)?i:s[e.$$typeof]||a}s[r.ForwardRef]={$$typeof:!0,render:!0,defaultProps:!0,displayName:!0,propTypes:!0},s[r.Memo]=i;var c=Object.defineProperty,u=Object.getOwnPropertyNames,d=Object.getOwnPropertySymbols,p=Object.getOwnPropertyDescriptor,f=Object.getPrototypeOf,h=Object.prototype;e.exports=function e(t,n,r){if("string"!=typeof n){if(h){var a=f(n);a&&a!==h&&e(t,a,r)}var i=u(n);d&&(i=i.concat(d(n)));for(var s=l(t),m=l(n),g=0;g<i.length;++g){var y=i[g];if(!(o[y]||r&&r[y]||m&&m[y]||s&&s[y])){var b=p(n,y);try{c(t,y,b)}catch(v){}}}}return t}},1143:e=>{"use strict";e.exports=function(e,t,n,r,a,o,i,s){if(!e){var l;if(void 0===t)l=new Error("Minified exception occurred; use the non-minified dev environment for the full error message and additional helpful warnings.");else{var c=[n,r,a,o,i,s],u=0;(l=new Error(t.replace(/%s/g,(function(){return c[u++]})))).name="Invariant Violation"}throw l.framesToPop=1,l}}},5826:e=>{e.exports=Array.isArray||function(e){return"[object Array]"==Object.prototype.toString.call(e)}},1336:(e,t,n)=>{var r,a;!function(){var o,i,s,l,c,u,d,p,f,h,m,g,y,b,v,w,k,x,S,E,C,_,T,L,R,j,N,P,A,O,I=function(e){var t=new I.Builder;return t.pipeline.add(I.trimmer,I.stopWordFilter,I.stemmer),t.searchPipeline.add(I.stemmer),e.call(t,t),t.build()};I.version="2.3.9",I.utils={},I.utils.warn=(o=this,function(e){o.console&&console.warn&&console.warn(e)}),I.utils.asString=function(e){return null==e?"":e.toString()},I.utils.clone=function(e){if(null==e)return e;for(var t=Object.create(null),n=Object.keys(e),r=0;r<n.length;r++){var a=n[r],o=e[a];if(Array.isArray(o))t[a]=o.slice();else{if("string"!=typeof o&&"number"!=typeof o&&"boolean"!=typeof o)throw new TypeError("clone is not deep and does not support nested objects");t[a]=o}}return t},I.FieldRef=function(e,t,n){this.docRef=e,this.fieldName=t,this._stringValue=n},I.FieldRef.joiner="/",I.FieldRef.fromString=function(e){var t=e.indexOf(I.FieldRef.joiner);if(-1===t)throw"malformed field ref string";var n=e.slice(0,t),r=e.slice(t+1);return new I.FieldRef(r,n,e)},I.FieldRef.prototype.toString=function(){return null==this._stringValue&&(this._stringValue=this.fieldName+I.FieldRef.joiner+this.docRef),this._stringValue},I.Set=function(e){if(this.elements=Object.create(null),e){this.length=e.length;for(var t=0;t<this.length;t++)this.elements[e[t]]=!0}else this.length=0},I.Set.complete={intersect:function(e){return e},union:function(){return this},contains:function(){return!0}},I.Set.empty={intersect:function(){return this},union:function(e){return e},contains:function(){return!1}},I.Set.prototype.contains=function(e){return!!this.elements[e]},I.Set.prototype.intersect=function(e){var t,n,r,a=[];if(e===I.Set.complete)return this;if(e===I.Set.empty)return e;this.length<e.length?(t=this,n=e):(t=e,n=this),r=Object.keys(t.elements);for(var o=0;o<r.length;o++){var i=r[o];i in n.elements&&a.push(i)}return new I.Set(a)},I.Set.prototype.union=function(e){return e===I.Set.complete?I.Set.complete:e===I.Set.empty?this:new I.Set(Object.keys(this.elements).concat(Object.keys(e.elements)))},I.idf=function(e,t){var n=0;for(var r in e)"_index"!=r&&(n+=Object.keys(e[r]).length);var a=(t-n+.5)/(n+.5);return Math.log(1+Math.abs(a))},I.Token=function(e,t){this.str=e||"",this.metadata=t||{}},I.Token.prototype.toString=function(){return this.str},I.Token.prototype.update=function(e){return this.str=e(this.str,this.metadata),this},I.Token.prototype.clone=function(e){return e=e||function(e){return e},new I.Token(e(this.str,this.metadata),this.metadata)},I.tokenizer=function(e,t){if(null==e||null==e)return[];if(Array.isArray(e))return e.map((function(e){return new I.Token(I.utils.asString(e).toLowerCase(),I.utils.clone(t))}));for(var n=e.toString().toLowerCase(),r=n.length,a=[],o=0,i=0;o<=r;o++){var s=o-i;if(n.charAt(o).match(I.tokenizer.separator)||o==r){if(s>0){var l=I.utils.clone(t)||{};l.position=[i,s],l.index=a.length,a.push(new I.Token(n.slice(i,o),l))}i=o+1}}return a},I.tokenizer.separator=/[\s\-]+/,I.Pipeline=function(){this._stack=[]},I.Pipeline.registeredFunctions=Object.create(null),I.Pipeline.registerFunction=function(e,t){t in this.registeredFunctions&&I.utils.warn("Overwriting existing registered function: "+t),e.label=t,I.Pipeline.registeredFunctions[e.label]=e},I.Pipeline.warnIfFunctionNotRegistered=function(e){e.label&&e.label in this.registeredFunctions||I.utils.warn("Function is not registered with pipeline. This may cause problems when serialising the index.\n",e)},I.Pipeline.load=function(e){var t=new I.Pipeline;return e.forEach((function(e){var n=I.Pipeline.registeredFunctions[e];if(!n)throw new Error("Cannot load unregistered function: "+e);t.add(n)})),t},I.Pipeline.prototype.add=function(){Array.prototype.slice.call(arguments).forEach((function(e){I.Pipeline.warnIfFunctionNotRegistered(e),this._stack.push(e)}),this)},I.Pipeline.prototype.after=function(e,t){I.Pipeline.warnIfFunctionNotRegistered(t);var n=this._stack.indexOf(e);if(-1==n)throw new Error("Cannot find existingFn");n+=1,this._stack.splice(n,0,t)},I.Pipeline.prototype.before=function(e,t){I.Pipeline.warnIfFunctionNotRegistered(t);var n=this._stack.indexOf(e);if(-1==n)throw new Error("Cannot find existingFn");this._stack.splice(n,0,t)},I.Pipeline.prototype.remove=function(e){var t=this._stack.indexOf(e);-1!=t&&this._stack.splice(t,1)},I.Pipeline.prototype.run=function(e){for(var t=this._stack.length,n=0;n<t;n++){for(var r=this._stack[n],a=[],o=0;o<e.length;o++){var i=r(e[o],o,e);if(null!=i&&""!==i)if(Array.isArray(i))for(var s=0;s<i.length;s++)a.push(i[s]);else a.push(i)}e=a}return e},I.Pipeline.prototype.runString=function(e,t){var n=new I.Token(e,t);return this.run([n]).map((function(e){return e.toString()}))},I.Pipeline.prototype.reset=function(){this._stack=[]},I.Pipeline.prototype.toJSON=function(){return this._stack.map((function(e){return I.Pipeline.warnIfFunctionNotRegistered(e),e.label}))},I.Vector=function(e){this._magnitude=0,this.elements=e||[]},I.Vector.prototype.positionForIndex=function(e){if(0==this.elements.length)return 0;for(var t=0,n=this.elements.length/2,r=n-t,a=Math.floor(r/2),o=this.elements[2*a];r>1&&(o<e&&(t=a),o>e&&(n=a),o!=e);)r=n-t,a=t+Math.floor(r/2),o=this.elements[2*a];return o==e||o>e?2*a:o<e?2*(a+1):void 0},I.Vector.prototype.insert=function(e,t){this.upsert(e,t,(function(){throw"duplicate index"}))},I.Vector.prototype.upsert=function(e,t,n){this._magnitude=0;var r=this.positionForIndex(e);this.elements[r]==e?this.elements[r+1]=n(this.elements[r+1],t):this.elements.splice(r,0,e,t)},I.Vector.prototype.magnitude=function(){if(this._magnitude)return this._magnitude;for(var e=0,t=this.elements.length,n=1;n<t;n+=2){var r=this.elements[n];e+=r*r}return this._magnitude=Math.sqrt(e)},I.Vector.prototype.dot=function(e){for(var t=0,n=this.elements,r=e.elements,a=n.length,o=r.length,i=0,s=0,l=0,c=0;l<a&&c<o;)(i=n[l])<(s=r[c])?l+=2:i>s?c+=2:i==s&&(t+=n[l+1]*r[c+1],l+=2,c+=2);return t},I.Vector.prototype.similarity=function(e){return this.dot(e)/this.magnitude()||0},I.Vector.prototype.toArray=function(){for(var e=new Array(this.elements.length/2),t=1,n=0;t<this.elements.length;t+=2,n++)e[n]=this.elements[t];return e},I.Vector.prototype.toJSON=function(){return this.elements},I.stemmer=(i={ational:"ate",tional:"tion",enci:"ence",anci:"ance",izer:"ize",bli:"ble",alli:"al",entli:"ent",eli:"e",ousli:"ous",ization:"ize",ation:"ate",ator:"ate",alism:"al",iveness:"ive",fulness:"ful",ousness:"ous",aliti:"al",iviti:"ive",biliti:"ble",logi:"log"},s={icate:"ic",ative:"",alize:"al",iciti:"ic",ical:"ic",ful:"",ness:""},d="^("+(c="[^aeiou][^aeiouy]*")+")?"+(u=(l="[aeiouy]")+"[aeiou]*")+c+"("+u+")?$",p="^("+c+")?"+u+c+u+c,f="^("+c+")?"+l,h=new RegExp("^("+c+")?"+u+c),m=new RegExp(p),g=new RegExp(d),y=new RegExp(f),b=/^(.+?)(ss|i)es$/,v=/^(.+?)([^s])s$/,w=/^(.+?)eed$/,k=/^(.+?)(ed|ing)$/,x=/.$/,S=/(at|bl|iz)$/,E=new RegExp("([^aeiouylsz])\\1$"),C=new RegExp("^"+c+l+"[^aeiouwxy]$"),_=/^(.+?[^aeiou])y$/,T=/^(.+?)(ational|tional|enci|anci|izer|bli|alli|entli|eli|ousli|ization|ation|ator|alism|iveness|fulness|ousness|aliti|iviti|biliti|logi)$/,L=/^(.+?)(icate|ative|alize|iciti|ical|ful|ness)$/,R=/^(.+?)(al|ance|ence|er|ic|able|ible|ant|ement|ment|ent|ou|ism|ate|iti|ous|ive|ize)$/,j=/^(.+?)(s|t)(ion)$/,N=/^(.+?)e$/,P=/ll$/,A=new RegExp("^"+c+l+"[^aeiouwxy]$"),O=function(e){var t,n,r,a,o,l,c;if(e.length<3)return e;if("y"==(r=e.substr(0,1))&&(e=r.toUpperCase()+e.substr(1)),o=v,(a=b).test(e)?e=e.replace(a,"$1$2"):o.test(e)&&(e=e.replace(o,"$1$2")),o=k,(a=w).test(e)){var u=a.exec(e);(a=h).test(u[1])&&(a=x,e=e.replace(a,""))}else o.test(e)&&(t=(u=o.exec(e))[1],(o=y).test(t)&&(l=E,c=C,(o=S).test(e=t)?e+="e":l.test(e)?(a=x,e=e.replace(a,"")):c.test(e)&&(e+="e")));return(a=_).test(e)&&(e=(t=(u=a.exec(e))[1])+"i"),(a=T).test(e)&&(t=(u=a.exec(e))[1],n=u[2],(a=h).test(t)&&(e=t+i[n])),(a=L).test(e)&&(t=(u=a.exec(e))[1],n=u[2],(a=h).test(t)&&(e=t+s[n])),o=j,(a=R).test(e)?(t=(u=a.exec(e))[1],(a=m).test(t)&&(e=t)):o.test(e)&&(t=(u=o.exec(e))[1]+u[2],(o=m).test(t)&&(e=t)),(a=N).test(e)&&(t=(u=a.exec(e))[1],o=g,l=A,((a=m).test(t)||o.test(t)&&!l.test(t))&&(e=t)),o=m,(a=P).test(e)&&o.test(e)&&(a=x,e=e.replace(a,"")),"y"==r&&(e=r.toLowerCase()+e.substr(1)),e},function(e){return e.update(O)}),I.Pipeline.registerFunction(I.stemmer,"stemmer"),I.generateStopWordFilter=function(e){var t=e.reduce((function(e,t){return e[t]=t,e}),{});return function(e){if(e&&t[e.toString()]!==e.toString())return e}},I.stopWordFilter=I.generateStopWordFilter(["a","able","about","across","after","all","almost","also","am","among","an","and","any","are","as","at","be","because","been","but","by","can","cannot","could","dear","did","do","does","either","else","ever","every","for","from","get","got","had","has","have","he","her","hers","him","his","how","however","i","if","in","into","is","it","its","just","least","let","like","likely","may","me","might","most","must","my","neither","no","nor","not","of","off","often","on","only","or","other","our","own","rather","said","say","says","she","should","since","so","some","than","that","the","their","them","then","there","these","they","this","tis","to","too","twas","us","wants","was","we","were","what","when","where","which","while","who","whom","why","will","with","would","yet","you","your"]),I.Pipeline.registerFunction(I.stopWordFilter,"stopWordFilter"),I.trimmer=function(e){return e.update((function(e){return e.replace(/^\W+/,"").replace(/\W+$/,"")}))},I.Pipeline.registerFunction(I.trimmer,"trimmer"),I.TokenSet=function(){this.final=!1,this.edges={},this.id=I.TokenSet._nextId,I.TokenSet._nextId+=1},I.TokenSet._nextId=1,I.TokenSet.fromArray=function(e){for(var t=new I.TokenSet.Builder,n=0,r=e.length;n<r;n++)t.insert(e[n]);return t.finish(),t.root},I.TokenSet.fromClause=function(e){return"editDistance"in e?I.TokenSet.fromFuzzyString(e.term,e.editDistance):I.TokenSet.fromString(e.term)},I.TokenSet.fromFuzzyString=function(e,t){for(var n=new I.TokenSet,r=[{node:n,editsRemaining:t,str:e}];r.length;){var a=r.pop();if(a.str.length>0){var o,i=a.str.charAt(0);i in a.node.edges?o=a.node.edges[i]:(o=new I.TokenSet,a.node.edges[i]=o),1==a.str.length&&(o.final=!0),r.push({node:o,editsRemaining:a.editsRemaining,str:a.str.slice(1)})}if(0!=a.editsRemaining){if("*"in a.node.edges)var s=a.node.edges["*"];else{s=new I.TokenSet;a.node.edges["*"]=s}if(0==a.str.length&&(s.final=!0),r.push({node:s,editsRemaining:a.editsRemaining-1,str:a.str}),a.str.length>1&&r.push({node:a.node,editsRemaining:a.editsRemaining-1,str:a.str.slice(1)}),1==a.str.length&&(a.node.final=!0),a.str.length>=1){if("*"in a.node.edges)var l=a.node.edges["*"];else{l=new I.TokenSet;a.node.edges["*"]=l}1==a.str.length&&(l.final=!0),r.push({node:l,editsRemaining:a.editsRemaining-1,str:a.str.slice(1)})}if(a.str.length>1){var c,u=a.str.charAt(0),d=a.str.charAt(1);d in a.node.edges?c=a.node.edges[d]:(c=new I.TokenSet,a.node.edges[d]=c),1==a.str.length&&(c.final=!0),r.push({node:c,editsRemaining:a.editsRemaining-1,str:u+a.str.slice(2)})}}}return n},I.TokenSet.fromString=function(e){for(var t=new I.TokenSet,n=t,r=0,a=e.length;r<a;r++){var o=e[r],i=r==a-1;if("*"==o)t.edges[o]=t,t.final=i;else{var s=new I.TokenSet;s.final=i,t.edges[o]=s,t=s}}return n},I.TokenSet.prototype.toArray=function(){for(var e=[],t=[{prefix:"",node:this}];t.length;){var n=t.pop(),r=Object.keys(n.node.edges),a=r.length;n.node.final&&(n.prefix.charAt(0),e.push(n.prefix));for(var o=0;o<a;o++){var i=r[o];t.push({prefix:n.prefix.concat(i),node:n.node.edges[i]})}}return e},I.TokenSet.prototype.toString=function(){if(this._str)return this._str;for(var e=this.final?"1":"0",t=Object.keys(this.edges).sort(),n=t.length,r=0;r<n;r++){var a=t[r];e=e+a+this.edges[a].id}return e},I.TokenSet.prototype.intersect=function(e){for(var t=new I.TokenSet,n=void 0,r=[{qNode:e,output:t,node:this}];r.length;){n=r.pop();for(var a=Object.keys(n.qNode.edges),o=a.length,i=Object.keys(n.node.edges),s=i.length,l=0;l<o;l++)for(var c=a[l],u=0;u<s;u++){var d=i[u];if(d==c||"*"==c){var p=n.node.edges[d],f=n.qNode.edges[c],h=p.final&&f.final,m=void 0;d in n.output.edges?(m=n.output.edges[d]).final=m.final||h:((m=new I.TokenSet).final=h,n.output.edges[d]=m),r.push({qNode:f,output:m,node:p})}}}return t},I.TokenSet.Builder=function(){this.previousWord="",this.root=new I.TokenSet,this.uncheckedNodes=[],this.minimizedNodes={}},I.TokenSet.Builder.prototype.insert=function(e){var t,n=0;if(e<this.previousWord)throw new Error("Out of order word insertion");for(var r=0;r<e.length&&r<this.previousWord.length&&e[r]==this.previousWord[r];r++)n++;this.minimize(n),t=0==this.uncheckedNodes.length?this.root:this.uncheckedNodes[this.uncheckedNodes.length-1].child;for(r=n;r<e.length;r++){var a=new I.TokenSet,o=e[r];t.edges[o]=a,this.uncheckedNodes.push({parent:t,char:o,child:a}),t=a}t.final=!0,this.previousWord=e},I.TokenSet.Builder.prototype.finish=function(){this.minimize(0)},I.TokenSet.Builder.prototype.minimize=function(e){for(var t=this.uncheckedNodes.length-1;t>=e;t--){var n=this.uncheckedNodes[t],r=n.child.toString();r in this.minimizedNodes?n.parent.edges[n.char]=this.minimizedNodes[r]:(n.child._str=r,this.minimizedNodes[r]=n.child),this.uncheckedNodes.pop()}},I.Index=function(e){this.invertedIndex=e.invertedIndex,this.fieldVectors=e.fieldVectors,this.tokenSet=e.tokenSet,this.fields=e.fields,this.pipeline=e.pipeline},I.Index.prototype.search=function(e){return this.query((function(t){new I.QueryParser(e,t).parse()}))},I.Index.prototype.query=function(e){for(var t=new I.Query(this.fields),n=Object.create(null),r=Object.create(null),a=Object.create(null),o=Object.create(null),i=Object.create(null),s=0;s<this.fields.length;s++)r[this.fields[s]]=new I.Vector;e.call(t,t);for(s=0;s<t.clauses.length;s++){var l=t.clauses[s],c=null,u=I.Set.empty;c=l.usePipeline?this.pipeline.runString(l.term,{fields:l.fields}):[l.term];for(var d=0;d<c.length;d++){var p=c[d];l.term=p;var f=I.TokenSet.fromClause(l),h=this.tokenSet.intersect(f).toArray();if(0===h.length&&l.presence===I.Query.presence.REQUIRED){for(var m=0;m<l.fields.length;m++){o[N=l.fields[m]]=I.Set.empty}break}for(var g=0;g<h.length;g++){var y=h[g],b=this.invertedIndex[y],v=b._index;for(m=0;m<l.fields.length;m++){var w=b[N=l.fields[m]],k=Object.keys(w),x=y+"/"+N,S=new I.Set(k);if(l.presence==I.Query.presence.REQUIRED&&(u=u.union(S),void 0===o[N]&&(o[N]=I.Set.complete)),l.presence!=I.Query.presence.PROHIBITED){if(r[N].upsert(v,l.boost,(function(e,t){return e+t})),!a[x]){for(var E=0;E<k.length;E++){var C,_=k[E],T=new I.FieldRef(_,N),L=w[_];void 0===(C=n[T])?n[T]=new I.MatchData(y,N,L):C.add(y,N,L)}a[x]=!0}}else void 0===i[N]&&(i[N]=I.Set.empty),i[N]=i[N].union(S)}}}if(l.presence===I.Query.presence.REQUIRED)for(m=0;m<l.fields.length;m++){o[N=l.fields[m]]=o[N].intersect(u)}}var R=I.Set.complete,j=I.Set.empty;for(s=0;s<this.fields.length;s++){var N;o[N=this.fields[s]]&&(R=R.intersect(o[N])),i[N]&&(j=j.union(i[N]))}var P=Object.keys(n),A=[],O=Object.create(null);if(t.isNegated()){P=Object.keys(this.fieldVectors);for(s=0;s<P.length;s++){T=P[s];var D=I.FieldRef.fromString(T);n[T]=new I.MatchData}}for(s=0;s<P.length;s++){var F=(D=I.FieldRef.fromString(P[s])).docRef;if(R.contains(F)&&!j.contains(F)){var M,z=this.fieldVectors[D],B=r[D.fieldName].similarity(z);if(void 0!==(M=O[F]))M.score+=B,M.matchData.combine(n[D]);else{var $={ref:F,score:B,matchData:n[D]};O[F]=$,A.push($)}}}return A.sort((function(e,t){return t.score-e.score}))},I.Index.prototype.toJSON=function(){var e=Object.keys(this.invertedIndex).sort().map((function(e){return[e,this.invertedIndex[e]]}),this),t=Object.keys(this.fieldVectors).map((function(e){return[e,this.fieldVectors[e].toJSON()]}),this);return{version:I.version,fields:this.fields,fieldVectors:t,invertedIndex:e,pipeline:this.pipeline.toJSON()}},I.Index.load=function(e){var t={},n={},r=e.fieldVectors,a=Object.create(null),o=e.invertedIndex,i=new I.TokenSet.Builder,s=I.Pipeline.load(e.pipeline);e.version!=I.version&&I.utils.warn("Version mismatch when loading serialised index. Current version of lunr '"+I.version+"' does not match serialized index '"+e.version+"'");for(var l=0;l<r.length;l++){var c=(d=r[l])[0],u=d[1];n[c]=new I.Vector(u)}for(l=0;l<o.length;l++){var d,p=(d=o[l])[0],f=d[1];i.insert(p),a[p]=f}return i.finish(),t.fields=e.fields,t.fieldVectors=n,t.invertedIndex=a,t.tokenSet=i.root,t.pipeline=s,new I.Index(t)},I.Builder=function(){this._ref="id",this._fields=Object.create(null),this._documents=Object.create(null),this.invertedIndex=Object.create(null),this.fieldTermFrequencies={},this.fieldLengths={},this.tokenizer=I.tokenizer,this.pipeline=new I.Pipeline,this.searchPipeline=new I.Pipeline,this.documentCount=0,this._b=.75,this._k1=1.2,this.termIndex=0,this.metadataWhitelist=[]},I.Builder.prototype.ref=function(e){this._ref=e},I.Builder.prototype.field=function(e,t){if(/\//.test(e))throw new RangeError("Field '"+e+"' contains illegal character '/'");this._fields[e]=t||{}},I.Builder.prototype.b=function(e){this._b=e<0?0:e>1?1:e},I.Builder.prototype.k1=function(e){this._k1=e},I.Builder.prototype.add=function(e,t){var n=e[this._ref],r=Object.keys(this._fields);this._documents[n]=t||{},this.documentCount+=1;for(var a=0;a<r.length;a++){var o=r[a],i=this._fields[o].extractor,s=i?i(e):e[o],l=this.tokenizer(s,{fields:[o]}),c=this.pipeline.run(l),u=new I.FieldRef(n,o),d=Object.create(null);this.fieldTermFrequencies[u]=d,this.fieldLengths[u]=0,this.fieldLengths[u]+=c.length;for(var p=0;p<c.length;p++){var f=c[p];if(null==d[f]&&(d[f]=0),d[f]+=1,null==this.invertedIndex[f]){var h=Object.create(null);h._index=this.termIndex,this.termIndex+=1;for(var m=0;m<r.length;m++)h[r[m]]=Object.create(null);this.invertedIndex[f]=h}null==this.invertedIndex[f][o][n]&&(this.invertedIndex[f][o][n]=Object.create(null));for(var g=0;g<this.metadataWhitelist.length;g++){var y=this.metadataWhitelist[g],b=f.metadata[y];null==this.invertedIndex[f][o][n][y]&&(this.invertedIndex[f][o][n][y]=[]),this.invertedIndex[f][o][n][y].push(b)}}}},I.Builder.prototype.calculateAverageFieldLengths=function(){for(var e=Object.keys(this.fieldLengths),t=e.length,n={},r={},a=0;a<t;a++){var o=I.FieldRef.fromString(e[a]),i=o.fieldName;r[i]||(r[i]=0),r[i]+=1,n[i]||(n[i]=0),n[i]+=this.fieldLengths[o]}var s=Object.keys(this._fields);for(a=0;a<s.length;a++){var l=s[a];n[l]=n[l]/r[l]}this.averageFieldLength=n},I.Builder.prototype.createFieldVectors=function(){for(var e={},t=Object.keys(this.fieldTermFrequencies),n=t.length,r=Object.create(null),a=0;a<n;a++){for(var o=I.FieldRef.fromString(t[a]),i=o.fieldName,s=this.fieldLengths[o],l=new I.Vector,c=this.fieldTermFrequencies[o],u=Object.keys(c),d=u.length,p=this._fields[i].boost||1,f=this._documents[o.docRef].boost||1,h=0;h<d;h++){var m,g,y,b=u[h],v=c[b],w=this.invertedIndex[b]._index;void 0===r[b]?(m=I.idf(this.invertedIndex[b],this.documentCount),r[b]=m):m=r[b],g=m*((this._k1+1)*v)/(this._k1*(1-this._b+this._b*(s/this.averageFieldLength[i]))+v),g*=p,g*=f,y=Math.round(1e3*g)/1e3,l.insert(w,y)}e[o]=l}this.fieldVectors=e},I.Builder.prototype.createTokenSet=function(){this.tokenSet=I.TokenSet.fromArray(Object.keys(this.invertedIndex).sort())},I.Builder.prototype.build=function(){return this.calculateAverageFieldLengths(),this.createFieldVectors(),this.createTokenSet(),new I.Index({invertedIndex:this.invertedIndex,fieldVectors:this.fieldVectors,tokenSet:this.tokenSet,fields:Object.keys(this._fields),pipeline:this.searchPipeline})},I.Builder.prototype.use=function(e){var t=Array.prototype.slice.call(arguments,1);t.unshift(this),e.apply(this,t)},I.MatchData=function(e,t,n){for(var r=Object.create(null),a=Object.keys(n||{}),o=0;o<a.length;o++){var i=a[o];r[i]=n[i].slice()}this.metadata=Object.create(null),void 0!==e&&(this.metadata[e]=Object.create(null),this.metadata[e][t]=r)},I.MatchData.prototype.combine=function(e){for(var t=Object.keys(e.metadata),n=0;n<t.length;n++){var r=t[n],a=Object.keys(e.metadata[r]);null==this.metadata[r]&&(this.metadata[r]=Object.create(null));for(var o=0;o<a.length;o++){var i=a[o],s=Object.keys(e.metadata[r][i]);null==this.metadata[r][i]&&(this.metadata[r][i]=Object.create(null));for(var l=0;l<s.length;l++){var c=s[l];null==this.metadata[r][i][c]?this.metadata[r][i][c]=e.metadata[r][i][c]:this.metadata[r][i][c]=this.metadata[r][i][c].concat(e.metadata[r][i][c])}}}},I.MatchData.prototype.add=function(e,t,n){if(!(e in this.metadata))return this.metadata[e]=Object.create(null),void(this.metadata[e][t]=n);if(t in this.metadata[e])for(var r=Object.keys(n),a=0;a<r.length;a++){var o=r[a];o in this.metadata[e][t]?this.metadata[e][t][o]=this.metadata[e][t][o].concat(n[o]):this.metadata[e][t][o]=n[o]}else this.metadata[e][t]=n},I.Query=function(e){this.clauses=[],this.allFields=e},I.Query.wildcard=new String("*"),I.Query.wildcard.NONE=0,I.Query.wildcard.LEADING=1,I.Query.wildcard.TRAILING=2,I.Query.presence={OPTIONAL:1,REQUIRED:2,PROHIBITED:3},I.Query.prototype.clause=function(e){return"fields"in e||(e.fields=this.allFields),"boost"in e||(e.boost=1),"usePipeline"in e||(e.usePipeline=!0),"wildcard"in e||(e.wildcard=I.Query.wildcard.NONE),e.wildcard&I.Query.wildcard.LEADING&&e.term.charAt(0)!=I.Query.wildcard&&(e.term="*"+e.term),e.wildcard&I.Query.wildcard.TRAILING&&e.term.slice(-1)!=I.Query.wildcard&&(e.term=e.term+"*"),"presence"in e||(e.presence=I.Query.presence.OPTIONAL),this.clauses.push(e),this},I.Query.prototype.isNegated=function(){for(var e=0;e<this.clauses.length;e++)if(this.clauses[e].presence!=I.Query.presence.PROHIBITED)return!1;return!0},I.Query.prototype.term=function(e,t){if(Array.isArray(e))return e.forEach((function(e){this.term(e,I.utils.clone(t))}),this),this;var n=t||{};return n.term=e.toString(),this.clause(n),this},I.QueryParseError=function(e,t,n){this.name="QueryParseError",this.message=e,this.start=t,this.end=n},I.QueryParseError.prototype=new Error,I.QueryLexer=function(e){this.lexemes=[],this.str=e,this.length=e.length,this.pos=0,this.start=0,this.escapeCharPositions=[]},I.QueryLexer.prototype.run=function(){for(var e=I.QueryLexer.lexText;e;)e=e(this)},I.QueryLexer.prototype.sliceString=function(){for(var e=[],t=this.start,n=this.pos,r=0;r<this.escapeCharPositions.length;r++)n=this.escapeCharPositions[r],e.push(this.str.slice(t,n)),t=n+1;return e.push(this.str.slice(t,this.pos)),this.escapeCharPositions.length=0,e.join("")},I.QueryLexer.prototype.emit=function(e){this.lexemes.push({type:e,str:this.sliceString(),start:this.start,end:this.pos}),this.start=this.pos},I.QueryLexer.prototype.escapeCharacter=function(){this.escapeCharPositions.push(this.pos-1),this.pos+=1},I.QueryLexer.prototype.next=function(){if(this.pos>=this.length)return I.QueryLexer.EOS;var e=this.str.charAt(this.pos);return this.pos+=1,e},I.QueryLexer.prototype.width=function(){return this.pos-this.start},I.QueryLexer.prototype.ignore=function(){this.start==this.pos&&(this.pos+=1),this.start=this.pos},I.QueryLexer.prototype.backup=function(){this.pos-=1},I.QueryLexer.prototype.acceptDigitRun=function(){var e,t;do{t=(e=this.next()).charCodeAt(0)}while(t>47&&t<58);e!=I.QueryLexer.EOS&&this.backup()},I.QueryLexer.prototype.more=function(){return this.pos<this.length},I.QueryLexer.EOS="EOS",I.QueryLexer.FIELD="FIELD",I.QueryLexer.TERM="TERM",I.QueryLexer.EDIT_DISTANCE="EDIT_DISTANCE",I.QueryLexer.BOOST="BOOST",I.QueryLexer.PRESENCE="PRESENCE",I.QueryLexer.lexField=function(e){return e.backup(),e.emit(I.QueryLexer.FIELD),e.ignore(),I.QueryLexer.lexText},I.QueryLexer.lexTerm=function(e){if(e.width()>1&&(e.backup(),e.emit(I.QueryLexer.TERM)),e.ignore(),e.more())return I.QueryLexer.lexText},I.QueryLexer.lexEditDistance=function(e){return e.ignore(),e.acceptDigitRun(),e.emit(I.QueryLexer.EDIT_DISTANCE),I.QueryLexer.lexText},I.QueryLexer.lexBoost=function(e){return e.ignore(),e.acceptDigitRun(),e.emit(I.QueryLexer.BOOST),I.QueryLexer.lexText},I.QueryLexer.lexEOS=function(e){e.width()>0&&e.emit(I.QueryLexer.TERM)},I.QueryLexer.termSeparator=I.tokenizer.separator,I.QueryLexer.lexText=function(e){for(;;){var t=e.next();if(t==I.QueryLexer.EOS)return I.QueryLexer.lexEOS;if(92!=t.charCodeAt(0)){if(":"==t)return I.QueryLexer.lexField;if("~"==t)return e.backup(),e.width()>0&&e.emit(I.QueryLexer.TERM),I.QueryLexer.lexEditDistance;if("^"==t)return e.backup(),e.width()>0&&e.emit(I.QueryLexer.TERM),I.QueryLexer.lexBoost;if("+"==t&&1===e.width())return e.emit(I.QueryLexer.PRESENCE),I.QueryLexer.lexText;if("-"==t&&1===e.width())return e.emit(I.QueryLexer.PRESENCE),I.QueryLexer.lexText;if(t.match(I.QueryLexer.termSeparator))return I.QueryLexer.lexTerm}else e.escapeCharacter()}},I.QueryParser=function(e,t){this.lexer=new I.QueryLexer(e),this.query=t,this.currentClause={},this.lexemeIdx=0},I.QueryParser.prototype.parse=function(){this.lexer.run(),this.lexemes=this.lexer.lexemes;for(var e=I.QueryParser.parseClause;e;)e=e(this);return this.query},I.QueryParser.prototype.peekLexeme=function(){return this.lexemes[this.lexemeIdx]},I.QueryParser.prototype.consumeLexeme=function(){var e=this.peekLexeme();return this.lexemeIdx+=1,e},I.QueryParser.prototype.nextClause=function(){var e=this.currentClause;this.query.clause(e),this.currentClause={}},I.QueryParser.parseClause=function(e){var t=e.peekLexeme();if(null!=t)switch(t.type){case I.QueryLexer.PRESENCE:return I.QueryParser.parsePresence;case I.QueryLexer.FIELD:return I.QueryParser.parseField;case I.QueryLexer.TERM:return I.QueryParser.parseTerm;default:var n="expected either a field or a term, found "+t.type;throw t.str.length>=1&&(n+=" with value '"+t.str+"'"),new I.QueryParseError(n,t.start,t.end)}},I.QueryParser.parsePresence=function(e){var t=e.consumeLexeme();if(null!=t){switch(t.str){case"-":e.currentClause.presence=I.Query.presence.PROHIBITED;break;case"+":e.currentClause.presence=I.Query.presence.REQUIRED;break;default:var n="unrecognised presence operator'"+t.str+"'";throw new I.QueryParseError(n,t.start,t.end)}var r=e.peekLexeme();if(null==r){n="expecting term or field, found nothing";throw new I.QueryParseError(n,t.start,t.end)}switch(r.type){case I.QueryLexer.FIELD:return I.QueryParser.parseField;case I.QueryLexer.TERM:return I.QueryParser.parseTerm;default:n="expecting term or field, found '"+r.type+"'";throw new I.QueryParseError(n,r.start,r.end)}}},I.QueryParser.parseField=function(e){var t=e.consumeLexeme();if(null!=t){if(-1==e.query.allFields.indexOf(t.str)){var n=e.query.allFields.map((function(e){return"'"+e+"'"})).join(", "),r="unrecognised field '"+t.str+"', possible fields: "+n;throw new I.QueryParseError(r,t.start,t.end)}e.currentClause.fields=[t.str];var a=e.peekLexeme();if(null==a){r="expecting term, found nothing";throw new I.QueryParseError(r,t.start,t.end)}if(a.type===I.QueryLexer.TERM)return I.QueryParser.parseTerm;r="expecting term, found '"+a.type+"'";throw new I.QueryParseError(r,a.start,a.end)}},I.QueryParser.parseTerm=function(e){var t=e.consumeLexeme();if(null!=t){e.currentClause.term=t.str.toLowerCase(),-1!=t.str.indexOf("*")&&(e.currentClause.usePipeline=!1);var n=e.peekLexeme();if(null!=n)switch(n.type){case I.QueryLexer.TERM:return e.nextClause(),I.QueryParser.parseTerm;case I.QueryLexer.FIELD:return e.nextClause(),I.QueryParser.parseField;case I.QueryLexer.EDIT_DISTANCE:return I.QueryParser.parseEditDistance;case I.QueryLexer.BOOST:return I.QueryParser.parseBoost;case I.QueryLexer.PRESENCE:return e.nextClause(),I.QueryParser.parsePresence;default:var r="Unexpected lexeme type '"+n.type+"'";throw new I.QueryParseError(r,n.start,n.end)}else e.nextClause()}},I.QueryParser.parseEditDistance=function(e){var t=e.consumeLexeme();if(null!=t){var n=parseInt(t.str,10);if(isNaN(n)){var r="edit distance must be numeric";throw new I.QueryParseError(r,t.start,t.end)}e.currentClause.editDistance=n;var a=e.peekLexeme();if(null!=a)switch(a.type){case I.QueryLexer.TERM:return e.nextClause(),I.QueryParser.parseTerm;case I.QueryLexer.FIELD:return e.nextClause(),I.QueryParser.parseField;case I.QueryLexer.EDIT_DISTANCE:return I.QueryParser.parseEditDistance;case I.QueryLexer.BOOST:return I.QueryParser.parseBoost;case I.QueryLexer.PRESENCE:return e.nextClause(),I.QueryParser.parsePresence;default:r="Unexpected lexeme type '"+a.type+"'";throw new I.QueryParseError(r,a.start,a.end)}else e.nextClause()}},I.QueryParser.parseBoost=function(e){var t=e.consumeLexeme();if(null!=t){var n=parseInt(t.str,10);if(isNaN(n)){var r="boost must be numeric";throw new I.QueryParseError(r,t.start,t.end)}e.currentClause.boost=n;var a=e.peekLexeme();if(null!=a)switch(a.type){case I.QueryLexer.TERM:return e.nextClause(),I.QueryParser.parseTerm;case I.QueryLexer.FIELD:return e.nextClause(),I.QueryParser.parseField;case I.QueryLexer.EDIT_DISTANCE:return I.QueryParser.parseEditDistance;case I.QueryLexer.BOOST:return I.QueryParser.parseBoost;case I.QueryLexer.PRESENCE:return e.nextClause(),I.QueryParser.parsePresence;default:r="Unexpected lexeme type '"+a.type+"'";throw new I.QueryParseError(r,a.start,a.end)}else e.nextClause()}},void 0===(a="function"==typeof(r=function(){return I})?r.call(t,n,t,e):r)||(e.exports=a)}()},813:function(e){e.exports=function(){"use strict";var e="function"==typeof Symbol&&"symbol"==typeof Symbol.iterator?function(e){return typeof e}:function(e){return e&&"function"==typeof Symbol&&e.constructor===Symbol&&e!==Symbol.prototype?"symbol":typeof e},t=function(e,t){if(!(e instanceof t))throw new TypeError("Cannot call a class as a function")},n=function(){function e(e,t){for(var n=0;n<t.length;n++){var r=t[n];r.enumerable=r.enumerable||!1,r.configurable=!0,"value"in r&&(r.writable=!0),Object.defineProperty(e,r.key,r)}}return function(t,n,r){return n&&e(t.prototype,n),r&&e(t,r),t}}(),r=Object.assign||function(e){for(var t=1;t<arguments.length;t++){var n=arguments[t];for(var r in n)Object.prototype.hasOwnProperty.call(n,r)&&(e[r]=n[r])}return e},a=function(){function e(n){var r=!(arguments.length>1&&void 0!==arguments[1])||arguments[1],a=arguments.length>2&&void 0!==arguments[2]?arguments[2]:[],o=arguments.length>3&&void 0!==arguments[3]?arguments[3]:5e3;t(this,e),this.ctx=n,this.iframes=r,this.exclude=a,this.iframesTimeout=o}return n(e,[{key:"getContexts",value:function(){var e=[];return(void 0!==this.ctx&&this.ctx?NodeList.prototype.isPrototypeOf(this.ctx)?Array.prototype.slice.call(this.ctx):Array.isArray(this.ctx)?this.ctx:"string"==typeof this.ctx?Array.prototype.slice.call(document.querySelectorAll(this.ctx)):[this.ctx]:[]).forEach((function(t){var n=e.filter((function(e){return e.contains(t)})).length>0;-1!==e.indexOf(t)||n||e.push(t)})),e}},{key:"getIframeContents",value:function(e,t){var n=arguments.length>2&&void 0!==arguments[2]?arguments[2]:function(){},r=void 0;try{var a=e.contentWindow;if(r=a.document,!a||!r)throw new Error("iframe inaccessible")}catch(o){n()}r&&t(r)}},{key:"isIframeBlank",value:function(e){var t="about:blank",n=e.getAttribute("src").trim();return e.contentWindow.location.href===t&&n!==t&&n}},{key:"observeIframeLoad",value:function(e,t,n){var r=this,a=!1,o=null,i=function i(){if(!a){a=!0,clearTimeout(o);try{r.isIframeBlank(e)||(e.removeEventListener("load",i),r.getIframeContents(e,t,n))}catch(s){n()}}};e.addEventListener("load",i),o=setTimeout(i,this.iframesTimeout)}},{key:"onIframeReady",value:function(e,t,n){try{"complete"===e.contentWindow.document.readyState?this.isIframeBlank(e)?this.observeIframeLoad(e,t,n):this.getIframeContents(e,t,n):this.observeIframeLoad(e,t,n)}catch(r){n()}}},{key:"waitForIframes",value:function(e,t){var n=this,r=0;this.forEachIframe(e,(function(){return!0}),(function(e){r++,n.waitForIframes(e.querySelector("html"),(function(){--r||t()}))}),(function(e){e||t()}))}},{key:"forEachIframe",value:function(t,n,r){var a=this,o=arguments.length>3&&void 0!==arguments[3]?arguments[3]:function(){},i=t.querySelectorAll("iframe"),s=i.length,l=0;i=Array.prototype.slice.call(i);var c=function(){--s<=0&&o(l)};s||c(),i.forEach((function(t){e.matches(t,a.exclude)?c():a.onIframeReady(t,(function(e){n(t)&&(l++,r(e)),c()}),c)}))}},{key:"createIterator",value:function(e,t,n){return document.createNodeIterator(e,t,n,!1)}},{key:"createInstanceOnIframe",value:function(t){return new e(t.querySelector("html"),this.iframes)}},{key:"compareNodeIframe",value:function(e,t,n){if(e.compareDocumentPosition(n)&Node.DOCUMENT_POSITION_PRECEDING){if(null===t)return!0;if(t.compareDocumentPosition(n)&Node.DOCUMENT_POSITION_FOLLOWING)return!0}return!1}},{key:"getIteratorNode",value:function(e){var t=e.previousNode();return{prevNode:t,node:(null===t||e.nextNode())&&e.nextNode()}}},{key:"checkIframeFilter",value:function(e,t,n,r){var a=!1,o=!1;return r.forEach((function(e,t){e.val===n&&(a=t,o=e.handled)})),this.compareNodeIframe(e,t,n)?(!1!==a||o?!1===a||o||(r[a].handled=!0):r.push({val:n,handled:!0}),!0):(!1===a&&r.push({val:n,handled:!1}),!1)}},{key:"handleOpenIframes",value:function(e,t,n,r){var a=this;e.forEach((function(e){e.handled||a.getIframeContents(e.val,(function(e){a.createInstanceOnIframe(e).forEachNode(t,n,r)}))}))}},{key:"iterateThroughNodes",value:function(e,t,n,r,a){for(var o=this,i=this.createIterator(t,e,r),s=[],l=[],c=void 0,u=void 0,d=function(){var e=o.getIteratorNode(i);return u=e.prevNode,c=e.node};d();)this.iframes&&this.forEachIframe(t,(function(e){return o.checkIframeFilter(c,u,e,s)}),(function(t){o.createInstanceOnIframe(t).forEachNode(e,(function(e){return l.push(e)}),r)})),l.push(c);l.forEach((function(e){n(e)})),this.iframes&&this.handleOpenIframes(s,e,n,r),a()}},{key:"forEachNode",value:function(e,t,n){var r=this,a=arguments.length>3&&void 0!==arguments[3]?arguments[3]:function(){},o=this.getContexts(),i=o.length;i||a(),o.forEach((function(o){var s=function(){r.iterateThroughNodes(e,o,t,n,(function(){--i<=0&&a()}))};r.iframes?r.waitForIframes(o,s):s()}))}}],[{key:"matches",value:function(e,t){var n="string"==typeof t?[t]:t,r=e.matches||e.matchesSelector||e.msMatchesSelector||e.mozMatchesSelector||e.oMatchesSelector||e.webkitMatchesSelector;if(r){var a=!1;return n.every((function(t){return!r.call(e,t)||(a=!0,!1)})),a}return!1}}]),e}(),o=function(){function o(e){t(this,o),this.ctx=e,this.ie=!1;var n=window.navigator.userAgent;(n.indexOf("MSIE")>-1||n.indexOf("Trident")>-1)&&(this.ie=!0)}return n(o,[{key:"log",value:function(t){var n=arguments.length>1&&void 0!==arguments[1]?arguments[1]:"debug",r=this.opt.log;this.opt.debug&&"object"===(void 0===r?"undefined":e(r))&&"function"==typeof r[n]&&r[n]("mark.js: "+t)}},{key:"escapeStr",value:function(e){return e.replace(/[\-\[\]\/\{\}\(\)\*\+\?\.\\\^\$\|]/g,"\\$&")}},{key:"createRegExp",value:function(e){return"disabled"!==this.opt.wildcards&&(e=this.setupWildcardsRegExp(e)),e=this.escapeStr(e),Object.keys(this.opt.synonyms).length&&(e=this.createSynonymsRegExp(e)),(this.opt.ignoreJoiners||this.opt.ignorePunctuation.length)&&(e=this.setupIgnoreJoinersRegExp(e)),this.opt.diacritics&&(e=this.createDiacriticsRegExp(e)),e=this.createMergedBlanksRegExp(e),(this.opt.ignoreJoiners||this.opt.ignorePunctuation.length)&&(e=this.createJoinersRegExp(e)),"disabled"!==this.opt.wildcards&&(e=this.createWildcardsRegExp(e)),e=this.createAccuracyRegExp(e)}},{key:"createSynonymsRegExp",value:function(e){var t=this.opt.synonyms,n=this.opt.caseSensitive?"":"i",r=this.opt.ignoreJoiners||this.opt.ignorePunctuation.length?"\0":"";for(var a in t)if(t.hasOwnProperty(a)){var o=t[a],i="disabled"!==this.opt.wildcards?this.setupWildcardsRegExp(a):this.escapeStr(a),s="disabled"!==this.opt.wildcards?this.setupWildcardsRegExp(o):this.escapeStr(o);""!==i&&""!==s&&(e=e.replace(new RegExp("("+this.escapeStr(i)+"|"+this.escapeStr(s)+")","gm"+n),r+"("+this.processSynomyms(i)+"|"+this.processSynomyms(s)+")"+r))}return e}},{key:"processSynomyms",value:function(e){return(this.opt.ignoreJoiners||this.opt.ignorePunctuation.length)&&(e=this.setupIgnoreJoinersRegExp(e)),e}},{key:"setupWildcardsRegExp",value:function(e){return(e=e.replace(/(?:\\)*\?/g,(function(e){return"\\"===e.charAt(0)?"?":"\x01"}))).replace(/(?:\\)*\*/g,(function(e){return"\\"===e.charAt(0)?"*":"\x02"}))}},{key:"createWildcardsRegExp",value:function(e){var t="withSpaces"===this.opt.wildcards;return e.replace(/\u0001/g,t?"[\\S\\s]?":"\\S?").replace(/\u0002/g,t?"[\\S\\s]*?":"\\S*")}},{key:"setupIgnoreJoinersRegExp",value:function(e){return e.replace(/[^(|)\\]/g,(function(e,t,n){var r=n.charAt(t+1);return/[(|)\\]/.test(r)||""===r?e:e+"\0"}))}},{key:"createJoinersRegExp",value:function(e){var t=[],n=this.opt.ignorePunctuation;return Array.isArray(n)&&n.length&&t.push(this.escapeStr(n.join(""))),this.opt.ignoreJoiners&&t.push("\\u00ad\\u200b\\u200c\\u200d"),t.length?e.split(/\u0000+/).join("["+t.join("")+"]*"):e}},{key:"createDiacriticsRegExp",value:function(e){var t=this.opt.caseSensitive?"":"i",n=this.opt.caseSensitive?["a\xe0\xe1\u1ea3\xe3\u1ea1\u0103\u1eb1\u1eaf\u1eb3\u1eb5\u1eb7\xe2\u1ea7\u1ea5\u1ea9\u1eab\u1ead\xe4\xe5\u0101\u0105","A\xc0\xc1\u1ea2\xc3\u1ea0\u0102\u1eb0\u1eae\u1eb2\u1eb4\u1eb6\xc2\u1ea6\u1ea4\u1ea8\u1eaa\u1eac\xc4\xc5\u0100\u0104","c\xe7\u0107\u010d","C\xc7\u0106\u010c","d\u0111\u010f","D\u0110\u010e","e\xe8\xe9\u1ebb\u1ebd\u1eb9\xea\u1ec1\u1ebf\u1ec3\u1ec5\u1ec7\xeb\u011b\u0113\u0119","E\xc8\xc9\u1eba\u1ebc\u1eb8\xca\u1ec0\u1ebe\u1ec2\u1ec4\u1ec6\xcb\u011a\u0112\u0118","i\xec\xed\u1ec9\u0129\u1ecb\xee\xef\u012b","I\xcc\xcd\u1ec8\u0128\u1eca\xce\xcf\u012a","l\u0142","L\u0141","n\xf1\u0148\u0144","N\xd1\u0147\u0143","o\xf2\xf3\u1ecf\xf5\u1ecd\xf4\u1ed3\u1ed1\u1ed5\u1ed7\u1ed9\u01a1\u1edf\u1ee1\u1edb\u1edd\u1ee3\xf6\xf8\u014d","O\xd2\xd3\u1ece\xd5\u1ecc\xd4\u1ed2\u1ed0\u1ed4\u1ed6\u1ed8\u01a0\u1ede\u1ee0\u1eda\u1edc\u1ee2\xd6\xd8\u014c","r\u0159","R\u0158","s\u0161\u015b\u0219\u015f","S\u0160\u015a\u0218\u015e","t\u0165\u021b\u0163","T\u0164\u021a\u0162","u\xf9\xfa\u1ee7\u0169\u1ee5\u01b0\u1eeb\u1ee9\u1eed\u1eef\u1ef1\xfb\xfc\u016f\u016b","U\xd9\xda\u1ee6\u0168\u1ee4\u01af\u1eea\u1ee8\u1eec\u1eee\u1ef0\xdb\xdc\u016e\u016a","y\xfd\u1ef3\u1ef7\u1ef9\u1ef5\xff","Y\xdd\u1ef2\u1ef6\u1ef8\u1ef4\u0178","z\u017e\u017c\u017a","Z\u017d\u017b\u0179"]:["a\xe0\xe1\u1ea3\xe3\u1ea1\u0103\u1eb1\u1eaf\u1eb3\u1eb5\u1eb7\xe2\u1ea7\u1ea5\u1ea9\u1eab\u1ead\xe4\xe5\u0101\u0105A\xc0\xc1\u1ea2\xc3\u1ea0\u0102\u1eb0\u1eae\u1eb2\u1eb4\u1eb6\xc2\u1ea6\u1ea4\u1ea8\u1eaa\u1eac\xc4\xc5\u0100\u0104","c\xe7\u0107\u010dC\xc7\u0106\u010c","d\u0111\u010fD\u0110\u010e","e\xe8\xe9\u1ebb\u1ebd\u1eb9\xea\u1ec1\u1ebf\u1ec3\u1ec5\u1ec7\xeb\u011b\u0113\u0119E\xc8\xc9\u1eba\u1ebc\u1eb8\xca\u1ec0\u1ebe\u1ec2\u1ec4\u1ec6\xcb\u011a\u0112\u0118","i\xec\xed\u1ec9\u0129\u1ecb\xee\xef\u012bI\xcc\xcd\u1ec8\u0128\u1eca\xce\xcf\u012a","l\u0142L\u0141","n\xf1\u0148\u0144N\xd1\u0147\u0143","o\xf2\xf3\u1ecf\xf5\u1ecd\xf4\u1ed3\u1ed1\u1ed5\u1ed7\u1ed9\u01a1\u1edf\u1ee1\u1edb\u1edd\u1ee3\xf6\xf8\u014dO\xd2\xd3\u1ece\xd5\u1ecc\xd4\u1ed2\u1ed0\u1ed4\u1ed6\u1ed8\u01a0\u1ede\u1ee0\u1eda\u1edc\u1ee2\xd6\xd8\u014c","r\u0159R\u0158","s\u0161\u015b\u0219\u015fS\u0160\u015a\u0218\u015e","t\u0165\u021b\u0163T\u0164\u021a\u0162","u\xf9\xfa\u1ee7\u0169\u1ee5\u01b0\u1eeb\u1ee9\u1eed\u1eef\u1ef1\xfb\xfc\u016f\u016bU\xd9\xda\u1ee6\u0168\u1ee4\u01af\u1eea\u1ee8\u1eec\u1eee\u1ef0\xdb\xdc\u016e\u016a","y\xfd\u1ef3\u1ef7\u1ef9\u1ef5\xffY\xdd\u1ef2\u1ef6\u1ef8\u1ef4\u0178","z\u017e\u017c\u017aZ\u017d\u017b\u0179"],r=[];return e.split("").forEach((function(a){n.every((function(n){if(-1!==n.indexOf(a)){if(r.indexOf(n)>-1)return!1;e=e.replace(new RegExp("["+n+"]","gm"+t),"["+n+"]"),r.push(n)}return!0}))})),e}},{key:"createMergedBlanksRegExp",value:function(e){return e.replace(/[\s]+/gim,"[\\s]+")}},{key:"createAccuracyRegExp",value:function(e){var t=this,n="!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~\xa1\xbf",r=this.opt.accuracy,a="string"==typeof r?r:r.value,o="string"==typeof r?[]:r.limiters,i="";switch(o.forEach((function(e){i+="|"+t.escapeStr(e)})),a){case"partially":default:return"()("+e+")";case"complementary":return"()([^"+(i="\\s"+(i||this.escapeStr(n)))+"]*"+e+"[^"+i+"]*)";case"exactly":return"(^|\\s"+i+")("+e+")(?=$|\\s"+i+")"}}},{key:"getSeparatedKeywords",value:function(e){var t=this,n=[];return e.forEach((function(e){t.opt.separateWordSearch?e.split(" ").forEach((function(e){e.trim()&&-1===n.indexOf(e)&&n.push(e)})):e.trim()&&-1===n.indexOf(e)&&n.push(e)})),{keywords:n.sort((function(e,t){return t.length-e.length})),length:n.length}}},{key:"isNumeric",value:function(e){return Number(parseFloat(e))==e}},{key:"checkRanges",value:function(e){var t=this;if(!Array.isArray(e)||"[object Object]"!==Object.prototype.toString.call(e[0]))return this.log("markRanges() will only accept an array of objects"),this.opt.noMatch(e),[];var n=[],r=0;return e.sort((function(e,t){return e.start-t.start})).forEach((function(e){var a=t.callNoMatchOnInvalidRanges(e,r),o=a.start,i=a.end;a.valid&&(e.start=o,e.length=i-o,n.push(e),r=i)})),n}},{key:"callNoMatchOnInvalidRanges",value:function(e,t){var n=void 0,r=void 0,a=!1;return e&&void 0!==e.start?(r=(n=parseInt(e.start,10))+parseInt(e.length,10),this.isNumeric(e.start)&&this.isNumeric(e.length)&&r-t>0&&r-n>0?a=!0:(this.log("Ignoring invalid or overlapping range: "+JSON.stringify(e)),this.opt.noMatch(e))):(this.log("Ignoring invalid range: "+JSON.stringify(e)),this.opt.noMatch(e)),{start:n,end:r,valid:a}}},{key:"checkWhitespaceRanges",value:function(e,t,n){var r=void 0,a=!0,o=n.length,i=t-o,s=parseInt(e.start,10)-i;return(r=(s=s>o?o:s)+parseInt(e.length,10))>o&&(r=o,this.log("End range automatically set to the max value of "+o)),s<0||r-s<0||s>o||r>o?(a=!1,this.log("Invalid range: "+JSON.stringify(e)),this.opt.noMatch(e)):""===n.substring(s,r).replace(/\s+/g,"")&&(a=!1,this.log("Skipping whitespace only range: "+JSON.stringify(e)),this.opt.noMatch(e)),{start:s,end:r,valid:a}}},{key:"getTextNodes",value:function(e){var t=this,n="",r=[];this.iterator.forEachNode(NodeFilter.SHOW_TEXT,(function(e){r.push({start:n.length,end:(n+=e.textContent).length,node:e})}),(function(e){return t.matchesExclude(e.parentNode)?NodeFilter.FILTER_REJECT:NodeFilter.FILTER_ACCEPT}),(function(){e({value:n,nodes:r})}))}},{key:"matchesExclude",value:function(e){return a.matches(e,this.opt.exclude.concat(["script","style","title","head","html"]))}},{key:"wrapRangeInTextNode",value:function(e,t,n){var r=this.opt.element?this.opt.element:"mark",a=e.splitText(t),o=a.splitText(n-t),i=document.createElement(r);return i.setAttribute("data-markjs","true"),this.opt.className&&i.setAttribute("class",this.opt.className),i.textContent=a.textContent,a.parentNode.replaceChild(i,a),o}},{key:"wrapRangeInMappedTextNode",value:function(e,t,n,r,a){var o=this;e.nodes.every((function(i,s){var l=e.nodes[s+1];if(void 0===l||l.start>t){if(!r(i.node))return!1;var c=t-i.start,u=(n>i.end?i.end:n)-i.start,d=e.value.substr(0,i.start),p=e.value.substr(u+i.start);if(i.node=o.wrapRangeInTextNode(i.node,c,u),e.value=d+p,e.nodes.forEach((function(t,n){n>=s&&(e.nodes[n].start>0&&n!==s&&(e.nodes[n].start-=u),e.nodes[n].end-=u)})),n-=u,a(i.node.previousSibling,i.start),!(n>i.end))return!1;t=i.end}return!0}))}},{key:"wrapMatches",value:function(e,t,n,r,a){var o=this,i=0===t?0:t+1;this.getTextNodes((function(t){t.nodes.forEach((function(t){t=t.node;for(var a=void 0;null!==(a=e.exec(t.textContent))&&""!==a[i];)if(n(a[i],t)){var s=a.index;if(0!==i)for(var l=1;l<i;l++)s+=a[l].length;t=o.wrapRangeInTextNode(t,s,s+a[i].length),r(t.previousSibling),e.lastIndex=0}})),a()}))}},{key:"wrapMatchesAcrossElements",value:function(e,t,n,r,a){var o=this,i=0===t?0:t+1;this.getTextNodes((function(t){for(var s=void 0;null!==(s=e.exec(t.value))&&""!==s[i];){var l=s.index;if(0!==i)for(var c=1;c<i;c++)l+=s[c].length;var u=l+s[i].length;o.wrapRangeInMappedTextNode(t,l,u,(function(e){return n(s[i],e)}),(function(t,n){e.lastIndex=n,r(t)}))}a()}))}},{key:"wrapRangeFromIndex",value:function(e,t,n,r){var a=this;this.getTextNodes((function(o){var i=o.value.length;e.forEach((function(e,r){var s=a.checkWhitespaceRanges(e,i,o.value),l=s.start,c=s.end;s.valid&&a.wrapRangeInMappedTextNode(o,l,c,(function(n){return t(n,e,o.value.substring(l,c),r)}),(function(t){n(t,e)}))})),r()}))}},{key:"unwrapMatches",value:function(e){for(var t=e.parentNode,n=document.createDocumentFragment();e.firstChild;)n.appendChild(e.removeChild(e.firstChild));t.replaceChild(n,e),this.ie?this.normalizeTextNode(t):t.normalize()}},{key:"normalizeTextNode",value:function(e){if(e){if(3===e.nodeType)for(;e.nextSibling&&3===e.nextSibling.nodeType;)e.nodeValue+=e.nextSibling.nodeValue,e.parentNode.removeChild(e.nextSibling);else this.normalizeTextNode(e.firstChild);this.normalizeTextNode(e.nextSibling)}}},{key:"markRegExp",value:function(e,t){var n=this;this.opt=t,this.log('Searching with expression "'+e+'"');var r=0,a="wrapMatches",o=function(e){r++,n.opt.each(e)};this.opt.acrossElements&&(a="wrapMatchesAcrossElements"),this[a](e,this.opt.ignoreGroups,(function(e,t){return n.opt.filter(t,e,r)}),o,(function(){0===r&&n.opt.noMatch(e),n.opt.done(r)}))}},{key:"mark",value:function(e,t){var n=this;this.opt=t;var r=0,a="wrapMatches",o=this.getSeparatedKeywords("string"==typeof e?[e]:e),i=o.keywords,s=o.length,l=this.opt.caseSensitive?"":"i",c=function e(t){var o=new RegExp(n.createRegExp(t),"gm"+l),c=0;n.log('Searching with expression "'+o+'"'),n[a](o,1,(function(e,a){return n.opt.filter(a,t,r,c)}),(function(e){c++,r++,n.opt.each(e)}),(function(){0===c&&n.opt.noMatch(t),i[s-1]===t?n.opt.done(r):e(i[i.indexOf(t)+1])}))};this.opt.acrossElements&&(a="wrapMatchesAcrossElements"),0===s?this.opt.done(r):c(i[0])}},{key:"markRanges",value:function(e,t){var n=this;this.opt=t;var r=0,a=this.checkRanges(e);a&&a.length?(this.log("Starting to mark with the following ranges: "+JSON.stringify(a)),this.wrapRangeFromIndex(a,(function(e,t,r,a){return n.opt.filter(e,t,r,a)}),(function(e,t){r++,n.opt.each(e,t)}),(function(){n.opt.done(r)}))):this.opt.done(r)}},{key:"unmark",value:function(e){var t=this;this.opt=e;var n=this.opt.element?this.opt.element:"*";n+="[data-markjs]",this.opt.className&&(n+="."+this.opt.className),this.log('Removal selector "'+n+'"'),this.iterator.forEachNode(NodeFilter.SHOW_ELEMENT,(function(e){t.unwrapMatches(e)}),(function(e){var r=a.matches(e,n),o=t.matchesExclude(e);return!r||o?NodeFilter.FILTER_REJECT:NodeFilter.FILTER_ACCEPT}),this.opt.done)}},{key:"opt",set:function(e){this._opt=r({},{element:"",className:"",exclude:[],iframes:!1,iframesTimeout:5e3,separateWordSearch:!0,diacritics:!0,synonyms:{},accuracy:"partially",acrossElements:!1,caseSensitive:!1,ignoreJoiners:!1,ignoreGroups:0,ignorePunctuation:[],wildcards:"disabled",each:function(){},noMatch:function(){},filter:function(){return!0},done:function(){},debug:!1,log:window.console},e)},get:function(){return this._opt}},{key:"iterator",get:function(){return new a(this.ctx,this.opt.iframes,this.opt.exclude,this.opt.iframesTimeout)}}]),o}();function i(e){var t=this,n=new o(e);return this.mark=function(e,r){return n.mark(e,r),t},this.markRegExp=function(e,r){return n.markRegExp(e,r),t},this.markRanges=function(e,r){return n.markRanges(e,r),t},this.unmark=function(e){return n.unmark(e),t},this}return i}()},2497:(e,t,n)=>{"use strict";n.r(t)},2295:(e,t,n)=>{"use strict";n.r(t)},4865:function(e,t,n){var r,a;r=function(){var e,t,n={version:"0.2.0"},r=n.settings={minimum:.08,easing:"ease",positionUsing:"",speed:200,trickle:!0,trickleRate:.02,trickleSpeed:800,showSpinner:!0,barSelector:'[role="bar"]',spinnerSelector:'[role="spinner"]',parent:"body",template:'<div class="bar" role="bar"><div class="peg"></div></div><div class="spinner" role="spinner"><div class="spinner-icon"></div></div>'};function a(e,t,n){return e<t?t:e>n?n:e}function o(e){return 100*(-1+e)}function i(e,t,n){var a;return(a="translate3d"===r.positionUsing?{transform:"translate3d("+o(e)+"%,0,0)"}:"translate"===r.positionUsing?{transform:"translate("+o(e)+"%,0)"}:{"margin-left":o(e)+"%"}).transition="all "+t+"ms "+n,a}n.configure=function(e){var t,n;for(t in e)void 0!==(n=e[t])&&e.hasOwnProperty(t)&&(r[t]=n);return this},n.status=null,n.set=function(e){var t=n.isStarted();e=a(e,r.minimum,1),n.status=1===e?null:e;var o=n.render(!t),c=o.querySelector(r.barSelector),u=r.speed,d=r.easing;return o.offsetWidth,s((function(t){""===r.positionUsing&&(r.positionUsing=n.getPositioningCSS()),l(c,i(e,u,d)),1===e?(l(o,{transition:"none",opacity:1}),o.offsetWidth,setTimeout((function(){l(o,{transition:"all "+u+"ms linear",opacity:0}),setTimeout((function(){n.remove(),t()}),u)}),u)):setTimeout(t,u)})),this},n.isStarted=function(){return"number"==typeof n.status},n.start=function(){n.status||n.set(0);var e=function(){setTimeout((function(){n.status&&(n.trickle(),e())}),r.trickleSpeed)};return r.trickle&&e(),this},n.done=function(e){return e||n.status?n.inc(.3+.5*Math.random()).set(1):this},n.inc=function(e){var t=n.status;return t?("number"!=typeof e&&(e=(1-t)*a(Math.random()*t,.1,.95)),t=a(t+e,0,.994),n.set(t)):n.start()},n.trickle=function(){return n.inc(Math.random()*r.trickleRate)},e=0,t=0,n.promise=function(r){return r&&"resolved"!==r.state()?(0===t&&n.start(),e++,t++,r.always((function(){0==--t?(e=0,n.done()):n.set((e-t)/e)})),this):this},n.render=function(e){if(n.isRendered())return document.getElementById("nprogress");u(document.documentElement,"nprogress-busy");var t=document.createElement("div");t.id="nprogress",t.innerHTML=r.template;var a,i=t.querySelector(r.barSelector),s=e?"-100":o(n.status||0),c=document.querySelector(r.parent);return l(i,{transition:"all 0 linear",transform:"translate3d("+s+"%,0,0)"}),r.showSpinner||(a=t.querySelector(r.spinnerSelector))&&f(a),c!=document.body&&u(c,"nprogress-custom-parent"),c.appendChild(t),t},n.remove=function(){d(document.documentElement,"nprogress-busy"),d(document.querySelector(r.parent),"nprogress-custom-parent");var e=document.getElementById("nprogress");e&&f(e)},n.isRendered=function(){return!!document.getElementById("nprogress")},n.getPositioningCSS=function(){var e=document.body.style,t="WebkitTransform"in e?"Webkit":"MozTransform"in e?"Moz":"msTransform"in e?"ms":"OTransform"in e?"O":"";return t+"Perspective"in e?"translate3d":t+"Transform"in e?"translate":"margin"};var s=function(){var e=[];function t(){var n=e.shift();n&&n(t)}return function(n){e.push(n),1==e.length&&t()}}(),l=function(){var e=["Webkit","O","Moz","ms"],t={};function n(e){return e.replace(/^-ms-/,"ms-").replace(/-([\da-z])/gi,(function(e,t){return t.toUpperCase()}))}function r(t){var n=document.body.style;if(t in n)return t;for(var r,a=e.length,o=t.charAt(0).toUpperCase()+t.slice(1);a--;)if((r=e[a]+o)in n)return r;return t}function a(e){return e=n(e),t[e]||(t[e]=r(e))}function o(e,t,n){t=a(t),e.style[t]=n}return function(e,t){var n,r,a=arguments;if(2==a.length)for(n in t)void 0!==(r=t[n])&&t.hasOwnProperty(n)&&o(e,n,r);else o(e,a[1],a[2])}}();function c(e,t){return("string"==typeof e?e:p(e)).indexOf(" "+t+" ")>=0}function u(e,t){var n=p(e),r=n+t;c(n,t)||(e.className=r.substring(1))}function d(e,t){var n,r=p(e);c(e,t)&&(n=r.replace(" "+t+" "," "),e.className=n.substring(1,n.length-1))}function p(e){return(" "+(e.className||"")+" ").replace(/\s+/gi," ")}function f(e){e&&e.parentNode&&e.parentNode.removeChild(e)}return n},void 0===(a="function"==typeof r?r.call(t,n,t,e):r)||(e.exports=a)},9901:e=>{e.exports&&(e.exports={core:{meta:{path:"components/prism-core.js",option:"mandatory"},core:"Core"},themes:{meta:{path:"themes/{id}.css",link:"index.html?theme={id}",exclusive:!0},prism:{title:"Default",option:"default"},"prism-dark":"Dark","prism-funky":"Funky","prism-okaidia":{title:"Okaidia",owner:"ocodia"},"prism-twilight":{title:"Twilight",owner:"remybach"},"prism-coy":{title:"Coy",owner:"tshedor"},"prism-solarizedlight":{title:"Solarized Light",owner:"hectormatos2011 "},"prism-tomorrow":{title:"Tomorrow Night",owner:"Rosey"}},languages:{meta:{path:"components/prism-{id}",noCSS:!0,examplesPath:"examples/prism-{id}",addCheckAll:!0},markup:{title:"Markup",alias:["html","xml","svg","mathml","ssml","atom","rss"],aliasTitles:{html:"HTML",xml:"XML",svg:"SVG",mathml:"MathML",ssml:"SSML",atom:"Atom",rss:"RSS"},option:"default"},css:{title:"CSS",option:"default",modify:"markup"},clike:{title:"C-like",option:"default"},javascript:{title:"JavaScript",require:"clike",modify:"markup",optional:"regex",alias:"js",option:"default"},abap:{title:"ABAP",owner:"dellagustin"},abnf:{title:"ABNF",owner:"RunDevelopment"},actionscript:{title:"ActionScript",require:"javascript",modify:"markup",owner:"Golmote"},ada:{title:"Ada",owner:"Lucretia"},agda:{title:"Agda",owner:"xy-ren"},al:{title:"AL",owner:"RunDevelopment"},antlr4:{title:"ANTLR4",alias:"g4",owner:"RunDevelopment"},apacheconf:{title:"Apache Configuration",owner:"GuiTeK"},apex:{title:"Apex",require:["clike","sql"],owner:"RunDevelopment"},apl:{title:"APL",owner:"ngn"},applescript:{title:"AppleScript",owner:"Golmote"},aql:{title:"AQL",owner:"RunDevelopment"},arduino:{title:"Arduino",require:"cpp",alias:"ino",owner:"dkern"},arff:{title:"ARFF",owner:"Golmote"},armasm:{title:"ARM Assembly",alias:"arm-asm",owner:"RunDevelopment"},arturo:{title:"Arturo",alias:"art",optional:["bash","css","javascript","markup","markdown","sql"],owner:"drkameleon"},asciidoc:{alias:"adoc",title:"AsciiDoc",owner:"Golmote"},aspnet:{title:"ASP.NET (C#)",require:["markup","csharp"],owner:"nauzilus"},asm6502:{title:"6502 Assembly",owner:"kzurawel"},asmatmel:{title:"Atmel AVR Assembly",owner:"cerkit"},autohotkey:{title:"AutoHotkey",owner:"aviaryan"},autoit:{title:"AutoIt",owner:"Golmote"},avisynth:{title:"AviSynth",alias:"avs",owner:"Zinfidel"},"avro-idl":{title:"Avro IDL",alias:"avdl",owner:"RunDevelopment"},awk:{title:"AWK",alias:"gawk",aliasTitles:{gawk:"GAWK"},owner:"RunDevelopment"},bash:{title:"Bash",alias:["sh","shell"],aliasTitles:{sh:"Shell",shell:"Shell"},owner:"zeitgeist87"},basic:{title:"BASIC",owner:"Golmote"},batch:{title:"Batch",owner:"Golmote"},bbcode:{title:"BBcode",alias:"shortcode",aliasTitles:{shortcode:"Shortcode"},owner:"RunDevelopment"},bbj:{title:"BBj",owner:"hyyan"},bicep:{title:"Bicep",owner:"johnnyreilly"},birb:{title:"Birb",require:"clike",owner:"Calamity210"},bison:{title:"Bison",require:"c",owner:"Golmote"},bnf:{title:"BNF",alias:"rbnf",aliasTitles:{rbnf:"RBNF"},owner:"RunDevelopment"},bqn:{title:"BQN",owner:"yewscion"},brainfuck:{title:"Brainfuck",owner:"Golmote"},brightscript:{title:"BrightScript",owner:"RunDevelopment"},bro:{title:"Bro",owner:"wayward710"},bsl:{title:"BSL (1C:Enterprise)",alias:"oscript",aliasTitles:{oscript:"OneScript"},owner:"Diversus23"},c:{title:"C",require:"clike",owner:"zeitgeist87"},csharp:{title:"C#",require:"clike",alias:["cs","dotnet"],owner:"mvalipour"},cpp:{title:"C++",require:"c",owner:"zeitgeist87"},cfscript:{title:"CFScript",require:"clike",alias:"cfc",owner:"mjclemente"},chaiscript:{title:"ChaiScript",require:["clike","cpp"],owner:"RunDevelopment"},cil:{title:"CIL",owner:"sbrl"},cilkc:{title:"Cilk/C",require:"c",alias:"cilk-c",owner:"OpenCilk"},cilkcpp:{title:"Cilk/C++",require:"cpp",alias:["cilk-cpp","cilk"],owner:"OpenCilk"},clojure:{title:"Clojure",owner:"troglotit"},cmake:{title:"CMake",owner:"mjrogozinski"},cobol:{title:"COBOL",owner:"RunDevelopment"},coffeescript:{title:"CoffeeScript",require:"javascript",alias:"coffee",owner:"R-osey"},concurnas:{title:"Concurnas",alias:"conc",owner:"jasontatton"},csp:{title:"Content-Security-Policy",owner:"ScottHelme"},cooklang:{title:"Cooklang",owner:"ahue"},coq:{title:"Coq",owner:"RunDevelopment"},crystal:{title:"Crystal",require:"ruby",owner:"MakeNowJust"},"css-extras":{title:"CSS Extras",require:"css",modify:"css",owner:"milesj"},csv:{title:"CSV",owner:"RunDevelopment"},cue:{title:"CUE",owner:"RunDevelopment"},cypher:{title:"Cypher",owner:"RunDevelopment"},d:{title:"D",require:"clike",owner:"Golmote"},dart:{title:"Dart",require:"clike",owner:"Golmote"},dataweave:{title:"DataWeave",owner:"machaval"},dax:{title:"DAX",owner:"peterbud"},dhall:{title:"Dhall",owner:"RunDevelopment"},diff:{title:"Diff",owner:"uranusjr"},django:{title:"Django/Jinja2",require:"markup-templating",alias:"jinja2",owner:"romanvm"},"dns-zone-file":{title:"DNS zone file",owner:"RunDevelopment",alias:"dns-zone"},docker:{title:"Docker",alias:"dockerfile",owner:"JustinBeckwith"},dot:{title:"DOT (Graphviz)",alias:"gv",optional:"markup",owner:"RunDevelopment"},ebnf:{title:"EBNF",owner:"RunDevelopment"},editorconfig:{title:"EditorConfig",owner:"osipxd"},eiffel:{title:"Eiffel",owner:"Conaclos"},ejs:{title:"EJS",require:["javascript","markup-templating"],owner:"RunDevelopment",alias:"eta",aliasTitles:{eta:"Eta"}},elixir:{title:"Elixir",owner:"Golmote"},elm:{title:"Elm",owner:"zwilias"},etlua:{title:"Embedded Lua templating",require:["lua","markup-templating"],owner:"RunDevelopment"},erb:{title:"ERB",require:["ruby","markup-templating"],owner:"Golmote"},erlang:{title:"Erlang",owner:"Golmote"},"excel-formula":{title:"Excel Formula",alias:["xlsx","xls"],owner:"RunDevelopment"},fsharp:{title:"F#",require:"clike",owner:"simonreynolds7"},factor:{title:"Factor",owner:"catb0t"},false:{title:"False",owner:"edukisto"},"firestore-security-rules":{title:"Firestore security rules",require:"clike",owner:"RunDevelopment"},flow:{title:"Flow",require:"javascript",owner:"Golmote"},fortran:{title:"Fortran",owner:"Golmote"},ftl:{title:"FreeMarker Template Language",require:"markup-templating",owner:"RunDevelopment"},gml:{title:"GameMaker Language",alias:"gamemakerlanguage",require:"clike",owner:"LiarOnce"},gap:{title:"GAP (CAS)",owner:"RunDevelopment"},gcode:{title:"G-code",owner:"RunDevelopment"},gdscript:{title:"GDScript",owner:"RunDevelopment"},gedcom:{title:"GEDCOM",owner:"Golmote"},gettext:{title:"gettext",alias:"po",owner:"RunDevelopment"},gherkin:{title:"Gherkin",owner:"hason"},git:{title:"Git",owner:"lgiraudel"},glsl:{title:"GLSL",require:"c",owner:"Golmote"},gn:{title:"GN",alias:"gni",owner:"RunDevelopment"},"linker-script":{title:"GNU Linker Script",alias:"ld",owner:"RunDevelopment"},go:{title:"Go",require:"clike",owner:"arnehormann"},"go-module":{title:"Go module",alias:"go-mod",owner:"RunDevelopment"},gradle:{title:"Gradle",require:"clike",owner:"zeabdelkhalek-badido18"},graphql:{title:"GraphQL",optional:"markdown",owner:"Golmote"},groovy:{title:"Groovy",require:"clike",owner:"robfletcher"},haml:{title:"Haml",require:"ruby",optional:["css","css-extras","coffeescript","erb","javascript","less","markdown","scss","textile"],owner:"Golmote"},handlebars:{title:"Handlebars",require:"markup-templating",alias:["hbs","mustache"],aliasTitles:{mustache:"Mustache"},owner:"Golmote"},haskell:{title:"Haskell",alias:"hs",owner:"bholst"},haxe:{title:"Haxe",require:"clike",optional:"regex",owner:"Golmote"},hcl:{title:"HCL",owner:"outsideris"},hlsl:{title:"HLSL",require:"c",owner:"RunDevelopment"},hoon:{title:"Hoon",owner:"matildepark"},http:{title:"HTTP",optional:["csp","css","hpkp","hsts","javascript","json","markup","uri"],owner:"danielgtaylor"},hpkp:{title:"HTTP Public-Key-Pins",owner:"ScottHelme"},hsts:{title:"HTTP Strict-Transport-Security",owner:"ScottHelme"},ichigojam:{title:"IchigoJam",owner:"BlueCocoa"},icon:{title:"Icon",owner:"Golmote"},"icu-message-format":{title:"ICU Message Format",owner:"RunDevelopment"},idris:{title:"Idris",alias:"idr",owner:"KeenS",require:"haskell"},ignore:{title:".ignore",owner:"osipxd",alias:["gitignore","hgignore","npmignore"],aliasTitles:{gitignore:".gitignore",hgignore:".hgignore",npmignore:".npmignore"}},inform7:{title:"Inform 7",owner:"Golmote"},ini:{title:"Ini",owner:"aviaryan"},io:{title:"Io",owner:"AlesTsurko"},j:{title:"J",owner:"Golmote"},java:{title:"Java",require:"clike",owner:"sherblot"},javadoc:{title:"JavaDoc",require:["markup","java","javadoclike"],modify:"java",optional:"scala",owner:"RunDevelopment"},javadoclike:{title:"JavaDoc-like",modify:["java","javascript","php"],owner:"RunDevelopment"},javastacktrace:{title:"Java stack trace",owner:"RunDevelopment"},jexl:{title:"Jexl",owner:"czosel"},jolie:{title:"Jolie",require:"clike",owner:"thesave"},jq:{title:"JQ",owner:"RunDevelopment"},jsdoc:{title:"JSDoc",require:["javascript","javadoclike","typescript"],modify:"javascript",optional:["actionscript","coffeescript"],owner:"RunDevelopment"},"js-extras":{title:"JS Extras",require:"javascript",modify:"javascript",optional:["actionscript","coffeescript","flow","n4js","typescript"],owner:"RunDevelopment"},json:{title:"JSON",alias:"webmanifest",aliasTitles:{webmanifest:"Web App Manifest"},owner:"CupOfTea696"},json5:{title:"JSON5",require:"json",owner:"RunDevelopment"},jsonp:{title:"JSONP",require:"json",owner:"RunDevelopment"},jsstacktrace:{title:"JS stack trace",owner:"sbrl"},"js-templates":{title:"JS Templates",require:"javascript",modify:"javascript",optional:["css","css-extras","graphql","markdown","markup","sql"],owner:"RunDevelopment"},julia:{title:"Julia",owner:"cdagnino"},keepalived:{title:"Keepalived Configure",owner:"dev-itsheng"},keyman:{title:"Keyman",owner:"mcdurdin"},kotlin:{title:"Kotlin",alias:["kt","kts"],aliasTitles:{kts:"Kotlin Script"},require:"clike",owner:"Golmote"},kumir:{title:"KuMir (\u041a\u0443\u041c\u0438\u0440)",alias:"kum",owner:"edukisto"},kusto:{title:"Kusto",owner:"RunDevelopment"},latex:{title:"LaTeX",alias:["tex","context"],aliasTitles:{tex:"TeX",context:"ConTeXt"},owner:"japborst"},latte:{title:"Latte",require:["clike","markup-templating","php"],owner:"nette"},less:{title:"Less",require:"css",optional:"css-extras",owner:"Golmote"},lilypond:{title:"LilyPond",require:"scheme",alias:"ly",owner:"RunDevelopment"},liquid:{title:"Liquid",require:"markup-templating",owner:"cinhtau"},lisp:{title:"Lisp",alias:["emacs","elisp","emacs-lisp"],owner:"JuanCaicedo"},livescript:{title:"LiveScript",owner:"Golmote"},llvm:{title:"LLVM IR",owner:"porglezomp"},log:{title:"Log file",optional:"javastacktrace",owner:"RunDevelopment"},lolcode:{title:"LOLCODE",owner:"Golmote"},lua:{title:"Lua",owner:"Golmote"},magma:{title:"Magma (CAS)",owner:"RunDevelopment"},makefile:{title:"Makefile",owner:"Golmote"},markdown:{title:"Markdown",require:"markup",optional:"yaml",alias:"md",owner:"Golmote"},"markup-templating":{title:"Markup templating",require:"markup",owner:"Golmote"},mata:{title:"Mata",owner:"RunDevelopment"},matlab:{title:"MATLAB",owner:"Golmote"},maxscript:{title:"MAXScript",owner:"RunDevelopment"},mel:{title:"MEL",owner:"Golmote"},mermaid:{title:"Mermaid",owner:"RunDevelopment"},metafont:{title:"METAFONT",owner:"LaeriExNihilo"},mizar:{title:"Mizar",owner:"Golmote"},mongodb:{title:"MongoDB",owner:"airs0urce",require:"javascript"},monkey:{title:"Monkey",owner:"Golmote"},moonscript:{title:"MoonScript",alias:"moon",owner:"RunDevelopment"},n1ql:{title:"N1QL",owner:"TMWilds"},n4js:{title:"N4JS",require:"javascript",optional:"jsdoc",alias:"n4jsd",owner:"bsmith-n4"},"nand2tetris-hdl":{title:"Nand To Tetris HDL",owner:"stephanmax"},naniscript:{title:"Naninovel Script",owner:"Elringus",alias:"nani"},nasm:{title:"NASM",owner:"rbmj"},neon:{title:"NEON",owner:"nette"},nevod:{title:"Nevod",owner:"nezaboodka"},nginx:{title:"nginx",owner:"volado"},nim:{title:"Nim",owner:"Golmote"},nix:{title:"Nix",owner:"Golmote"},nsis:{title:"NSIS",owner:"idleberg"},objectivec:{title:"Objective-C",require:"c",alias:"objc",owner:"uranusjr"},ocaml:{title:"OCaml",owner:"Golmote"},odin:{title:"Odin",owner:"edukisto"},opencl:{title:"OpenCL",require:"c",modify:["c","cpp"],owner:"Milania1"},openqasm:{title:"OpenQasm",alias:"qasm",owner:"RunDevelopment"},oz:{title:"Oz",owner:"Golmote"},parigp:{title:"PARI/GP",owner:"Golmote"},parser:{title:"Parser",require:"markup",owner:"Golmote"},pascal:{title:"Pascal",alias:"objectpascal",aliasTitles:{objectpascal:"Object Pascal"},owner:"Golmote"},pascaligo:{title:"Pascaligo",owner:"DefinitelyNotAGoat"},psl:{title:"PATROL Scripting Language",owner:"bertysentry"},pcaxis:{title:"PC-Axis",alias:"px",owner:"RunDevelopment"},peoplecode:{title:"PeopleCode",alias:"pcode",owner:"RunDevelopment"},perl:{title:"Perl",owner:"Golmote"},php:{title:"PHP",require:"markup-templating",owner:"milesj"},phpdoc:{title:"PHPDoc",require:["php","javadoclike"],modify:"php",owner:"RunDevelopment"},"php-extras":{title:"PHP Extras",require:"php",modify:"php",owner:"milesj"},"plant-uml":{title:"PlantUML",alias:"plantuml",owner:"RunDevelopment"},plsql:{title:"PL/SQL",require:"sql",owner:"Golmote"},powerquery:{title:"PowerQuery",alias:["pq","mscript"],owner:"peterbud"},powershell:{title:"PowerShell",owner:"nauzilus"},processing:{title:"Processing",require:"clike",owner:"Golmote"},prolog:{title:"Prolog",owner:"Golmote"},promql:{title:"PromQL",owner:"arendjr"},properties:{title:".properties",owner:"Golmote"},protobuf:{title:"Protocol Buffers",require:"clike",owner:"just-boris"},pug:{title:"Pug",require:["markup","javascript"],optional:["coffeescript","ejs","handlebars","less","livescript","markdown","scss","stylus","twig"],owner:"Golmote"},puppet:{title:"Puppet",owner:"Golmote"},pure:{title:"Pure",optional:["c","cpp","fortran"],owner:"Golmote"},purebasic:{title:"PureBasic",require:"clike",alias:"pbfasm",owner:"HeX0R101"},purescript:{title:"PureScript",require:"haskell",alias:"purs",owner:"sriharshachilakapati"},python:{title:"Python",alias:"py",owner:"multipetros"},qsharp:{title:"Q#",require:"clike",alias:"qs",owner:"fedonman"},q:{title:"Q (kdb+ database)",owner:"Golmote"},qml:{title:"QML",require:"javascript",owner:"RunDevelopment"},qore:{title:"Qore",require:"clike",owner:"temnroegg"},r:{title:"R",owner:"Golmote"},racket:{title:"Racket",require:"scheme",alias:"rkt",owner:"RunDevelopment"},cshtml:{title:"Razor C#",alias:"razor",require:["markup","csharp"],optional:["css","css-extras","javascript","js-extras"],owner:"RunDevelopment"},jsx:{title:"React JSX",require:["markup","javascript"],optional:["jsdoc","js-extras","js-templates"],owner:"vkbansal"},tsx:{title:"React TSX",require:["jsx","typescript"]},reason:{title:"Reason",require:"clike",owner:"Golmote"},regex:{title:"Regex",owner:"RunDevelopment"},rego:{title:"Rego",owner:"JordanSh"},renpy:{title:"Ren'py",alias:"rpy",owner:"HyuchiaDiego"},rescript:{title:"ReScript",alias:"res",owner:"vmarcosp"},rest:{title:"reST (reStructuredText)",owner:"Golmote"},rip:{title:"Rip",owner:"ravinggenius"},roboconf:{title:"Roboconf",owner:"Golmote"},robotframework:{title:"Robot Framework",alias:"robot",owner:"RunDevelopment"},ruby:{title:"Ruby",require:"clike",alias:"rb",owner:"samflores"},rust:{title:"Rust",owner:"Golmote"},sas:{title:"SAS",optional:["groovy","lua","sql"],owner:"Golmote"},sass:{title:"Sass (Sass)",require:"css",optional:"css-extras",owner:"Golmote"},scss:{title:"Sass (SCSS)",require:"css",optional:"css-extras",owner:"MoOx"},scala:{title:"Scala",require:"java",owner:"jozic"},scheme:{title:"Scheme",owner:"bacchus123"},"shell-session":{title:"Shell session",require:"bash",alias:["sh-session","shellsession"],owner:"RunDevelopment"},smali:{title:"Smali",owner:"RunDevelopment"},smalltalk:{title:"Smalltalk",owner:"Golmote"},smarty:{title:"Smarty",require:"markup-templating",optional:"php",owner:"Golmote"},sml:{title:"SML",alias:"smlnj",aliasTitles:{smlnj:"SML/NJ"},owner:"RunDevelopment"},solidity:{title:"Solidity (Ethereum)",alias:"sol",require:"clike",owner:"glachaud"},"solution-file":{title:"Solution file",alias:"sln",owner:"RunDevelopment"},soy:{title:"Soy (Closure Template)",require:"markup-templating",owner:"Golmote"},sparql:{title:"SPARQL",require:"turtle",owner:"Triply-Dev",alias:"rq"},"splunk-spl":{title:"Splunk SPL",owner:"RunDevelopment"},sqf:{title:"SQF: Status Quo Function (Arma 3)",require:"clike",owner:"RunDevelopment"},sql:{title:"SQL",owner:"multipetros"},squirrel:{title:"Squirrel",require:"clike",owner:"RunDevelopment"},stan:{title:"Stan",owner:"RunDevelopment"},stata:{title:"Stata Ado",require:["mata","java","python"],owner:"RunDevelopment"},iecst:{title:"Structured Text (IEC 61131-3)",owner:"serhioromano"},stylus:{title:"Stylus",owner:"vkbansal"},supercollider:{title:"SuperCollider",alias:"sclang",owner:"RunDevelopment"},swift:{title:"Swift",owner:"chrischares"},systemd:{title:"Systemd configuration file",owner:"RunDevelopment"},"t4-templating":{title:"T4 templating",owner:"RunDevelopment"},"t4-cs":{title:"T4 Text Templates (C#)",require:["t4-templating","csharp"],alias:"t4",owner:"RunDevelopment"},"t4-vb":{title:"T4 Text Templates (VB)",require:["t4-templating","vbnet"],owner:"RunDevelopment"},tap:{title:"TAP",owner:"isaacs",require:"yaml"},tcl:{title:"Tcl",owner:"PeterChaplin"},tt2:{title:"Template Toolkit 2",require:["clike","markup-templating"],owner:"gflohr"},textile:{title:"Textile",require:"markup",optional:"css",owner:"Golmote"},toml:{title:"TOML",owner:"RunDevelopment"},tremor:{title:"Tremor",alias:["trickle","troy"],owner:"darach",aliasTitles:{trickle:"trickle",troy:"troy"}},turtle:{title:"Turtle",alias:"trig",aliasTitles:{trig:"TriG"},owner:"jakubklimek"},twig:{title:"Twig",require:"markup-templating",owner:"brandonkelly"},typescript:{title:"TypeScript",require:"javascript",optional:"js-templates",alias:"ts",owner:"vkbansal"},typoscript:{title:"TypoScript",alias:"tsconfig",aliasTitles:{tsconfig:"TSConfig"},owner:"dkern"},unrealscript:{title:"UnrealScript",alias:["uscript","uc"],owner:"RunDevelopment"},uorazor:{title:"UO Razor Script",owner:"jaseowns"},uri:{title:"URI",alias:"url",aliasTitles:{url:"URL"},owner:"RunDevelopment"},v:{title:"V",require:"clike",owner:"taggon"},vala:{title:"Vala",require:"clike",optional:"regex",owner:"TemplarVolk"},vbnet:{title:"VB.Net",require:"basic",owner:"Bigsby"},velocity:{title:"Velocity",require:"markup",owner:"Golmote"},verilog:{title:"Verilog",owner:"a-rey"},vhdl:{title:"VHDL",owner:"a-rey"},vim:{title:"vim",owner:"westonganger"},"visual-basic":{title:"Visual Basic",alias:["vb","vba"],aliasTitles:{vba:"VBA"},owner:"Golmote"},warpscript:{title:"WarpScript",owner:"RunDevelopment"},wasm:{title:"WebAssembly",owner:"Golmote"},"web-idl":{title:"Web IDL",alias:"webidl",owner:"RunDevelopment"},wgsl:{title:"WGSL",owner:"Dr4gonthree"},wiki:{title:"Wiki markup",require:"markup",owner:"Golmote"},wolfram:{title:"Wolfram language",alias:["mathematica","nb","wl"],aliasTitles:{mathematica:"Mathematica",nb:"Mathematica Notebook"},owner:"msollami"},wren:{title:"Wren",owner:"clsource"},xeora:{title:"Xeora",require:"markup",alias:"xeoracube",aliasTitles:{xeoracube:"XeoraCube"},owner:"freakmaxi"},"xml-doc":{title:"XML doc (.net)",require:"markup",modify:["csharp","fsharp","vbnet"],owner:"RunDevelopment"},xojo:{title:"Xojo (REALbasic)",owner:"Golmote"},xquery:{title:"XQuery",require:"markup",owner:"Golmote"},yaml:{title:"YAML",alias:"yml",owner:"hason"},yang:{title:"YANG",owner:"RunDevelopment"},zig:{title:"Zig",owner:"RunDevelopment"}},plugins:{meta:{path:"plugins/{id}/prism-{id}",link:"plugins/{id}/"},"line-highlight":{title:"Line Highlight",description:"Highlights specific lines and/or line ranges."},"line-numbers":{title:"Line Numbers",description:"Line number at the beginning of code lines.",owner:"kuba-kubula"},"show-invisibles":{title:"Show Invisibles",description:"Show hidden characters such as tabs and line breaks.",optional:["autolinker","data-uri-highlight"]},autolinker:{title:"Autolinker",description:"Converts URLs and emails in code to clickable links. Parses Markdown links in comments."},wpd:{title:"WebPlatform Docs",description:'Makes tokens link to <a href="https://webplatform.github.io/docs/">WebPlatform.org documentation</a>. The links open in a new tab.'},"custom-class":{title:"Custom Class",description:"This plugin allows you to prefix Prism's default classes (<code>.comment</code> can become <code>.namespace--comment</code>) or replace them with your defined ones (like <code>.editor__comment</code>). You can even add new classes.",owner:"dvkndn",noCSS:!0},"file-highlight":{title:"File Highlight",description:"Fetch external files and highlight them with Prism. Used on the Prism website itself.",noCSS:!0},"show-language":{title:"Show Language",description:"Display the highlighted language in code blocks (inline code does not show the label).",owner:"nauzilus",noCSS:!0,require:"toolbar"},"jsonp-highlight":{title:"JSONP Highlight",description:"Fetch content with JSONP and highlight some interesting content (e.g. GitHub/Gists or Bitbucket API).",noCSS:!0,owner:"nauzilus"},"highlight-keywords":{title:"Highlight Keywords",description:"Adds special CSS classes for each keyword for fine-grained highlighting.",owner:"vkbansal",noCSS:!0},"remove-initial-line-feed":{title:"Remove initial line feed",description:"Removes the initial line feed in code blocks.",owner:"Golmote",noCSS:!0},"inline-color":{title:"Inline color",description:"Adds a small inline preview for colors in style sheets.",require:"css-extras",owner:"RunDevelopment"},previewers:{title:"Previewers",description:"Previewers for angles, colors, gradients, easing and time.",require:"css-extras",owner:"Golmote"},autoloader:{title:"Autoloader",description:"Automatically loads the needed languages to highlight the code blocks.",owner:"Golmote",noCSS:!0},"keep-markup":{title:"Keep Markup",description:"Prevents custom markup from being dropped out during highlighting.",owner:"Golmote",optional:"normalize-whitespace",noCSS:!0},"command-line":{title:"Command Line",description:"Display a command line with a prompt and, optionally, the output/response from the commands.",owner:"chriswells0"},"unescaped-markup":{title:"Unescaped Markup",description:"Write markup without having to escape anything."},"normalize-whitespace":{title:"Normalize Whitespace",description:"Supports multiple operations to normalize whitespace in code blocks.",owner:"zeitgeist87",optional:"unescaped-markup",noCSS:!0},"data-uri-highlight":{title:"Data-URI Highlight",description:"Highlights data-URI contents.",owner:"Golmote",noCSS:!0},toolbar:{title:"Toolbar",description:"Attach a toolbar for plugins to easily register buttons on the top of a code block.",owner:"mAAdhaTTah"},"copy-to-clipboard":{title:"Copy to Clipboard Button",description:"Add a button that copies the code block to the clipboard when clicked.",owner:"mAAdhaTTah",require:"toolbar",noCSS:!0},"download-button":{title:"Download Button",description:"A button in the toolbar of a code block adding a convenient way to download a code file.",owner:"Golmote",require:"toolbar",noCSS:!0},"match-braces":{title:"Match braces",description:"Highlights matching braces.",owner:"RunDevelopment"},"diff-highlight":{title:"Diff Highlight",description:"Highlights the code inside diff blocks.",owner:"RunDevelopment",require:"diff"},"filter-highlight-all":{title:"Filter highlightAll",description:"Filters the elements the <code>highlightAll</code> and <code>highlightAllUnder</code> methods actually highlight.",owner:"RunDevelopment",noCSS:!0},treeview:{title:"Treeview",description:"A language with special styles to highlight file system tree structures.",owner:"Golmote"}}})},2885:(e,t,n)=>{const r=n(9901),a=n(9642),o=new Set;function i(e){void 0===e?e=Object.keys(r.languages).filter((e=>"meta"!=e)):Array.isArray(e)||(e=[e]);const t=[...o,...Object.keys(Prism.languages)];a(r,e,t).load((e=>{if(!(e in r.languages))return void(i.silent||console.warn("Language does not exist: "+e));const t="./prism-"+e;delete n.c[n(6500).resolve(t)],delete Prism.languages[e],n(6500)(t),o.add(e)}))}i.silent=!1,e.exports=i},6854:()=>{!function(e){function t(e,t){return"___"+e.toUpperCase()+t+"___"}Object.defineProperties(e.languages["markup-templating"]={},{buildPlaceholders:{value:function(n,r,a,o){if(n.language===r){var i=n.tokenStack=[];n.code=n.code.replace(a,(function(e){if("function"==typeof o&&!o(e))return e;for(var a,s=i.length;-1!==n.code.indexOf(a=t(r,s));)++s;return i[s]=e,a})),n.grammar=e.languages.markup}}},tokenizePlaceholders:{value:function(n,r){if(n.language===r&&n.tokenStack){n.grammar=e.languages[r];var a=0,o=Object.keys(n.tokenStack);!function i(s){for(var l=0;l<s.length&&!(a>=o.length);l++){var c=s[l];if("string"==typeof c||c.content&&"string"==typeof c.content){var u=o[a],d=n.tokenStack[u],p="string"==typeof c?c:c.content,f=t(r,u),h=p.indexOf(f);if(h>-1){++a;var m=p.substring(0,h),g=new e.Token(r,e.tokenize(d,n.grammar),"language-"+r,d),y=p.substring(h+f.length),b=[];m&&b.push.apply(b,i([m])),b.push(g),y&&b.push.apply(b,i([y])),"string"==typeof c?s.splice.apply(s,[l,1].concat(b)):c.content=b}}else c.content&&i(c.content)}return s}(n.tokens)}}}})}(Prism)},6726:(e,t,n)=>{var r={"./":2885};function a(e){var t=o(e);return n(t)}function o(e){if(!n.o(r,e)){var t=new Error("Cannot find module '"+e+"'");throw t.code="MODULE_NOT_FOUND",t}return r[e]}a.keys=function(){return Object.keys(r)},a.resolve=o,e.exports=a,a.id=6726},6500:(e,t,n)=>{var r={"./":2885};function a(e){var t=o(e);return n(t)}function o(e){if(!n.o(r,e)){var t=new Error("Cannot find module '"+e+"'");throw t.code="MODULE_NOT_FOUND",t}return r[e]}a.keys=function(){return Object.keys(r)},a.resolve=o,e.exports=a,a.id=6500},9642:e=>{"use strict";var t=function(){var e=function(){};function t(e,t){Array.isArray(e)?e.forEach(t):null!=e&&t(e,0)}function n(e){for(var t={},n=0,r=e.length;n<r;n++)t[e[n]]=!0;return t}function r(e){var n={},r=[];function a(r,o){if(!(r in n)){o.push(r);var i=o.indexOf(r);if(i<o.length-1)throw new Error("Circular dependency: "+o.slice(i).join(" -> "));var s={},l=e[r];if(l){function c(t){if(!(t in e))throw new Error(r+" depends on an unknown component "+t);if(!(t in s))for(var i in a(t,o),s[t]=!0,n[t])s[i]=!0}t(l.require,c),t(l.optional,c),t(l.modify,c)}n[r]=s,o.pop()}}return function(e){var t=n[e];return t||(a(e,r),t=n[e]),t}}function a(e){for(var t in e)return!0;return!1}return function(o,i,s){var l=function(e){var t={};for(var n in e){var r=e[n];for(var a in r)if("meta"!=a){var o=r[a];t[a]="string"==typeof o?{title:o}:o}}return t}(o),c=function(e){var n;return function(r){if(r in e)return r;if(!n)for(var a in n={},e){var o=e[a];t(o&&o.alias,(function(t){if(t in n)throw new Error(t+" cannot be alias for both "+a+" and "+n[t]);if(t in e)throw new Error(t+" cannot be alias of "+a+" because it is a component.");n[t]=a}))}return n[r]||r}}(l);i=i.map(c),s=(s||[]).map(c);var u=n(i),d=n(s);i.forEach((function e(n){var r=l[n];t(r&&r.require,(function(t){t in d||(u[t]=!0,e(t))}))}));for(var p,f=r(l),h=u;a(h);){for(var m in p={},h){var g=l[m];t(g&&g.modify,(function(e){e in d&&(p[e]=!0)}))}for(var y in d)if(!(y in u))for(var b in f(y))if(b in u){p[y]=!0;break}for(var v in h=p)u[v]=!0}var w={getIds:function(){var e=[];return w.load((function(t){e.push(t)})),e},load:function(t,n){return function(t,n,r,a){var o=a?a.series:void 0,i=a?a.parallel:e,s={},l={};function c(e){if(e in s)return s[e];l[e]=!0;var a,u=[];for(var d in t(e))d in n&&u.push(d);if(0===u.length)a=r(e);else{var p=i(u.map((function(e){var t=c(e);return delete l[e],t})));o?a=o(p,(function(){return r(e)})):r(e)}return s[e]=a}for(var u in n)c(u);var d=[];for(var p in l)d.push(s[p]);return i(d)}(f,u,t,n)}};return w}}();e.exports=t},2703:(e,t,n)=>{"use strict";var r=n(414);function a(){}function o(){}o.resetWarningCache=a,e.exports=function(){function e(e,t,n,a,o,i){if(i!==r){var s=new Error("Calling PropTypes validators directly is not supported by the `prop-types` package. Use PropTypes.checkPropTypes() to call them. Read more at http://fb.me/use-check-prop-types");throw s.name="Invariant Violation",s}}function t(){return e}e.isRequired=e;var n={array:e,bigint:e,bool:e,func:e,number:e,object:e,string:e,symbol:e,any:e,arrayOf:t,element:e,elementType:e,instanceOf:t,node:e,objectOf:t,oneOf:t,oneOfType:t,shape:t,exact:t,checkPropTypes:o,resetWarningCache:a};return n.PropTypes=n,n}},5697:(e,t,n)=>{e.exports=n(2703)()},414:e=>{"use strict";e.exports="SECRET_DO_NOT_PASS_THIS_OR_YOU_WILL_BE_FIRED"},4448:(e,t,n)=>{"use strict";var r=n(7294),a=n(3840);function o(e){for(var t="https://reactjs.org/docs/error-decoder.html?invariant="+e,n=1;n<arguments.length;n++)t+="&args[]="+encodeURIComponent(arguments[n]);return"Minified React error #"+e+"; visit "+t+" for the full message or use the non-minified dev environment for full errors and additional helpful warnings."}var i=new Set,s={};function l(e,t){c(e,t),c(e+"Capture",t)}function c(e,t){for(s[e]=t,e=0;e<t.length;e++)i.add(t[e])}var u=!("undefined"==typeof window||void 0===window.document||void 0===window.document.createElement),d=Object.prototype.hasOwnProperty,p=/^[:A-Z_a-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD][:A-Z_a-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD\-.0-9\u00B7\u0300-\u036F\u203F-\u2040]*$/,f={},h={};function m(e,t,n,r,a,o,i){this.acceptsBooleans=2===t||3===t||4===t,this.attributeName=r,this.attributeNamespace=a,this.mustUseProperty=n,this.propertyName=e,this.type=t,this.sanitizeURL=o,this.removeEmptyString=i}var g={};"children dangerouslySetInnerHTML defaultValue defaultChecked innerHTML suppressContentEditableWarning suppressHydrationWarning style".split(" ").forEach((function(e){g[e]=new m(e,0,!1,e,null,!1,!1)})),[["acceptCharset","accept-charset"],["className","class"],["htmlFor","for"],["httpEquiv","http-equiv"]].forEach((function(e){var t=e[0];g[t]=new m(t,1,!1,e[1],null,!1,!1)})),["contentEditable","draggable","spellCheck","value"].forEach((function(e){g[e]=new m(e,2,!1,e.toLowerCase(),null,!1,!1)})),["autoReverse","externalResourcesRequired","focusable","preserveAlpha"].forEach((function(e){g[e]=new m(e,2,!1,e,null,!1,!1)})),"allowFullScreen async autoFocus autoPlay controls default defer disabled disablePictureInPicture disableRemotePlayback formNoValidate hidden loop noModule noValidate open playsInline readOnly required reversed scoped seamless itemScope".split(" ").forEach((function(e){g[e]=new m(e,3,!1,e.toLowerCase(),null,!1,!1)})),["checked","multiple","muted","selected"].forEach((function(e){g[e]=new m(e,3,!0,e,null,!1,!1)})),["capture","download"].forEach((function(e){g[e]=new m(e,4,!1,e,null,!1,!1)})),["cols","rows","size","span"].forEach((function(e){g[e]=new m(e,6,!1,e,null,!1,!1)})),["rowSpan","start"].forEach((function(e){g[e]=new m(e,5,!1,e.toLowerCase(),null,!1,!1)}));var y=/[\-:]([a-z])/g;function b(e){return e[1].toUpperCase()}function v(e,t,n,r){var a=g.hasOwnProperty(t)?g[t]:null;(null!==a?0!==a.type:r||!(2<t.length)||"o"!==t[0]&&"O"!==t[0]||"n"!==t[1]&&"N"!==t[1])&&(function(e,t,n,r){if(null==t||function(e,t,n,r){if(null!==n&&0===n.type)return!1;switch(typeof t){case"function":case"symbol":return!0;case"boolean":return!r&&(null!==n?!n.acceptsBooleans:"data-"!==(e=e.toLowerCase().slice(0,5))&&"aria-"!==e);default:return!1}}(e,t,n,r))return!0;if(r)return!1;if(null!==n)switch(n.type){case 3:return!t;case 4:return!1===t;case 5:return isNaN(t);case 6:return isNaN(t)||1>t}return!1}(t,n,a,r)&&(n=null),r||null===a?function(e){return!!d.call(h,e)||!d.call(f,e)&&(p.test(e)?h[e]=!0:(f[e]=!0,!1))}(t)&&(null===n?e.removeAttribute(t):e.setAttribute(t,""+n)):a.mustUseProperty?e[a.propertyName]=null===n?3!==a.type&&"":n:(t=a.attributeName,r=a.attributeNamespace,null===n?e.removeAttribute(t):(n=3===(a=a.type)||4===a&&!0===n?"":""+n,r?e.setAttributeNS(r,t,n):e.setAttribute(t,n))))}"accent-height alignment-baseline arabic-form baseline-shift cap-height clip-path clip-rule color-interpolation color-interpolation-filters color-profile color-rendering dominant-baseline enable-background fill-opacity fill-rule flood-color flood-opacity font-family font-size font-size-adjust font-stretch font-style font-variant font-weight glyph-name glyph-orientation-horizontal glyph-orientation-vertical horiz-adv-x horiz-origin-x image-rendering letter-spacing lighting-color marker-end marker-mid marker-start overline-position overline-thickness paint-order panose-1 pointer-events rendering-intent shape-rendering stop-color stop-opacity strikethrough-position strikethrough-thickness stroke-dasharray stroke-dashoffset stroke-linecap stroke-linejoin stroke-miterlimit stroke-opacity stroke-width text-anchor text-decoration text-rendering underline-position underline-thickness unicode-bidi unicode-range units-per-em v-alphabetic v-hanging v-ideographic v-mathematical vector-effect vert-adv-y vert-origin-x vert-origin-y word-spacing writing-mode xmlns:xlink x-height".split(" ").forEach((function(e){var t=e.replace(y,b);g[t]=new m(t,1,!1,e,null,!1,!1)})),"xlink:actuate xlink:arcrole xlink:role xlink:show xlink:title xlink:type".split(" ").forEach((function(e){var t=e.replace(y,b);g[t]=new m(t,1,!1,e,"http://www.w3.org/1999/xlink",!1,!1)})),["xml:base","xml:lang","xml:space"].forEach((function(e){var t=e.replace(y,b);g[t]=new m(t,1,!1,e,"http://www.w3.org/XML/1998/namespace",!1,!1)})),["tabIndex","crossOrigin"].forEach((function(e){g[e]=new m(e,1,!1,e.toLowerCase(),null,!1,!1)})),g.xlinkHref=new m("xlinkHref",1,!1,"xlink:href","http://www.w3.org/1999/xlink",!0,!1),["src","href","action","formAction"].forEach((function(e){g[e]=new m(e,1,!1,e.toLowerCase(),null,!0,!0)}));var w=r.__SECRET_INTERNALS_DO_NOT_USE_OR_YOU_WILL_BE_FIRED,k=Symbol.for("react.element"),x=Symbol.for("react.portal"),S=Symbol.for("react.fragment"),E=Symbol.for("react.strict_mode"),C=Symbol.for("react.profiler"),_=Symbol.for("react.provider"),T=Symbol.for("react.context"),L=Symbol.for("react.forward_ref"),R=Symbol.for("react.suspense"),j=Symbol.for("react.suspense_list"),N=Symbol.for("react.memo"),P=Symbol.for("react.lazy");Symbol.for("react.scope"),Symbol.for("react.debug_trace_mode");var A=Symbol.for("react.offscreen");Symbol.for("react.legacy_hidden"),Symbol.for("react.cache"),Symbol.for("react.tracing_marker");var O=Symbol.iterator;function I(e){return null===e||"object"!=typeof e?null:"function"==typeof(e=O&&e[O]||e["@@iterator"])?e:null}var D,F=Object.assign;function M(e){if(void 0===D)try{throw Error()}catch(n){var t=n.stack.trim().match(/\n( *(at )?)/);D=t&&t[1]||""}return"\n"+D+e}var z=!1;function B(e,t){if(!e||z)return"";z=!0;var n=Error.prepareStackTrace;Error.prepareStackTrace=void 0;try{if(t)if(t=function(){throw Error()},Object.defineProperty(t.prototype,"props",{set:function(){throw Error()}}),"object"==typeof Reflect&&Reflect.construct){try{Reflect.construct(t,[])}catch(c){var r=c}Reflect.construct(e,[],t)}else{try{t.call()}catch(c){r=c}e.call(t.prototype)}else{try{throw Error()}catch(c){r=c}e()}}catch(c){if(c&&r&&"string"==typeof c.stack){for(var a=c.stack.split("\n"),o=r.stack.split("\n"),i=a.length-1,s=o.length-1;1<=i&&0<=s&&a[i]!==o[s];)s--;for(;1<=i&&0<=s;i--,s--)if(a[i]!==o[s]){if(1!==i||1!==s)do{if(i--,0>--s||a[i]!==o[s]){var l="\n"+a[i].replace(" at new "," at ");return e.displayName&&l.includes("<anonymous>")&&(l=l.replace("<anonymous>",e.displayName)),l}}while(1<=i&&0<=s);break}}}finally{z=!1,Error.prepareStackTrace=n}return(e=e?e.displayName||e.name:"")?M(e):""}function $(e){switch(e.tag){case 5:return M(e.type);case 16:return M("Lazy");case 13:return M("Suspense");case 19:return M("SuspenseList");case 0:case 2:case 15:return e=B(e.type,!1);case 11:return e=B(e.type.render,!1);case 1:return e=B(e.type,!0);default:return""}}function U(e){if(null==e)return null;if("function"==typeof e)return e.displayName||e.name||null;if("string"==typeof e)return e;switch(e){case S:return"Fragment";case x:return"Portal";case C:return"Profiler";case E:return"StrictMode";case R:return"Suspense";case j:return"SuspenseList"}if("object"==typeof e)switch(e.$$typeof){case T:return(e.displayName||"Context")+".Consumer";case _:return(e._context.displayName||"Context")+".Provider";case L:var t=e.render;return(e=e.displayName)||(e=""!==(e=t.displayName||t.name||"")?"ForwardRef("+e+")":"ForwardRef"),e;case N:return null!==(t=e.displayName||null)?t:U(e.type)||"Memo";case P:t=e._payload,e=e._init;try{return U(e(t))}catch(n){}}return null}function q(e){var t=e.type;switch(e.tag){case 24:return"Cache";case 9:return(t.displayName||"Context")+".Consumer";case 10:return(t._context.displayName||"Context")+".Provider";case 18:return"DehydratedFragment";case 11:return e=(e=t.render).displayName||e.name||"",t.displayName||(""!==e?"ForwardRef("+e+")":"ForwardRef");case 7:return"Fragment";case 5:return t;case 4:return"Portal";case 3:return"Root";case 6:return"Text";case 16:return U(t);case 8:return t===E?"StrictMode":"Mode";case 22:return"Offscreen";case 12:return"Profiler";case 21:return"Scope";case 13:return"Suspense";case 19:return"SuspenseList";case 25:return"TracingMarker";case 1:case 0:case 17:case 2:case 14:case 15:if("function"==typeof t)return t.displayName||t.name||null;if("string"==typeof t)return t}return null}function H(e){switch(typeof e){case"boolean":case"number":case"string":case"undefined":case"object":return e;default:return""}}function Q(e){var t=e.type;return(e=e.nodeName)&&"input"===e.toLowerCase()&&("checkbox"===t||"radio"===t)}function Z(e){e._valueTracker||(e._valueTracker=function(e){var t=Q(e)?"checked":"value",n=Object.getOwnPropertyDescriptor(e.constructor.prototype,t),r=""+e[t];if(!e.hasOwnProperty(t)&&void 0!==n&&"function"==typeof n.get&&"function"==typeof n.set){var a=n.get,o=n.set;return Object.defineProperty(e,t,{configurable:!0,get:function(){return a.call(this)},set:function(e){r=""+e,o.call(this,e)}}),Object.defineProperty(e,t,{enumerable:n.enumerable}),{getValue:function(){return r},setValue:function(e){r=""+e},stopTracking:function(){e._valueTracker=null,delete e[t]}}}}(e))}function W(e){if(!e)return!1;var t=e._valueTracker;if(!t)return!0;var n=t.getValue(),r="";return e&&(r=Q(e)?e.checked?"true":"false":e.value),(e=r)!==n&&(t.setValue(e),!0)}function V(e){if(void 0===(e=e||("undefined"!=typeof document?document:void 0)))return null;try{return e.activeElement||e.body}catch(t){return e.body}}function G(e,t){var n=t.checked;return F({},t,{defaultChecked:void 0,defaultValue:void 0,value:void 0,checked:null!=n?n:e._wrapperState.initialChecked})}function X(e,t){var n=null==t.defaultValue?"":t.defaultValue,r=null!=t.checked?t.checked:t.defaultChecked;n=H(null!=t.value?t.value:n),e._wrapperState={initialChecked:r,initialValue:n,controlled:"checkbox"===t.type||"radio"===t.type?null!=t.checked:null!=t.value}}function K(e,t){null!=(t=t.checked)&&v(e,"checked",t,!1)}function Y(e,t){K(e,t);var n=H(t.value),r=t.type;if(null!=n)"number"===r?(0===n&&""===e.value||e.value!=n)&&(e.value=""+n):e.value!==""+n&&(e.value=""+n);else if("submit"===r||"reset"===r)return void e.removeAttribute("value");t.hasOwnProperty("value")?ee(e,t.type,n):t.hasOwnProperty("defaultValue")&&ee(e,t.type,H(t.defaultValue)),null==t.checked&&null!=t.defaultChecked&&(e.defaultChecked=!!t.defaultChecked)}function J(e,t,n){if(t.hasOwnProperty("value")||t.hasOwnProperty("defaultValue")){var r=t.type;if(!("submit"!==r&&"reset"!==r||void 0!==t.value&&null!==t.value))return;t=""+e._wrapperState.initialValue,n||t===e.value||(e.value=t),e.defaultValue=t}""!==(n=e.name)&&(e.name=""),e.defaultChecked=!!e._wrapperState.initialChecked,""!==n&&(e.name=n)}function ee(e,t,n){"number"===t&&V(e.ownerDocument)===e||(null==n?e.defaultValue=""+e._wrapperState.initialValue:e.defaultValue!==""+n&&(e.defaultValue=""+n))}var te=Array.isArray;function ne(e,t,n,r){if(e=e.options,t){t={};for(var a=0;a<n.length;a++)t["$"+n[a]]=!0;for(n=0;n<e.length;n++)a=t.hasOwnProperty("$"+e[n].value),e[n].selected!==a&&(e[n].selected=a),a&&r&&(e[n].defaultSelected=!0)}else{for(n=""+H(n),t=null,a=0;a<e.length;a++){if(e[a].value===n)return e[a].selected=!0,void(r&&(e[a].defaultSelected=!0));null!==t||e[a].disabled||(t=e[a])}null!==t&&(t.selected=!0)}}function re(e,t){if(null!=t.dangerouslySetInnerHTML)throw Error(o(91));return F({},t,{value:void 0,defaultValue:void 0,children:""+e._wrapperState.initialValue})}function ae(e,t){var n=t.value;if(null==n){if(n=t.children,t=t.defaultValue,null!=n){if(null!=t)throw Error(o(92));if(te(n)){if(1<n.length)throw Error(o(93));n=n[0]}t=n}null==t&&(t=""),n=t}e._wrapperState={initialValue:H(n)}}function oe(e,t){var n=H(t.value),r=H(t.defaultValue);null!=n&&((n=""+n)!==e.value&&(e.value=n),null==t.defaultValue&&e.defaultValue!==n&&(e.defaultValue=n)),null!=r&&(e.defaultValue=""+r)}function ie(e){var t=e.textContent;t===e._wrapperState.initialValue&&""!==t&&null!==t&&(e.value=t)}function se(e){switch(e){case"svg":return"http://www.w3.org/2000/svg";case"math":return"http://www.w3.org/1998/Math/MathML";default:return"http://www.w3.org/1999/xhtml"}}function le(e,t){return null==e||"http://www.w3.org/1999/xhtml"===e?se(t):"http://www.w3.org/2000/svg"===e&&"foreignObject"===t?"http://www.w3.org/1999/xhtml":e}var ce,ue,de=(ue=function(e,t){if("http://www.w3.org/2000/svg"!==e.namespaceURI||"innerHTML"in e)e.innerHTML=t;else{for((ce=ce||document.createElement("div")).innerHTML="<svg>"+t.valueOf().toString()+"</svg>",t=ce.firstChild;e.firstChild;)e.removeChild(e.firstChild);for(;t.firstChild;)e.appendChild(t.firstChild)}},"undefined"!=typeof MSApp&&MSApp.execUnsafeLocalFunction?function(e,t,n,r){MSApp.execUnsafeLocalFunction((function(){return ue(e,t)}))}:ue);function pe(e,t){if(t){var n=e.firstChild;if(n&&n===e.lastChild&&3===n.nodeType)return void(n.nodeValue=t)}e.textContent=t}var fe={animationIterationCount:!0,aspectRatio:!0,borderImageOutset:!0,borderImageSlice:!0,borderImageWidth:!0,boxFlex:!0,boxFlexGroup:!0,boxOrdinalGroup:!0,columnCount:!0,columns:!0,flex:!0,flexGrow:!0,flexPositive:!0,flexShrink:!0,flexNegative:!0,flexOrder:!0,gridArea:!0,gridRow:!0,gridRowEnd:!0,gridRowSpan:!0,gridRowStart:!0,gridColumn:!0,gridColumnEnd:!0,gridColumnSpan:!0,gridColumnStart:!0,fontWeight:!0,lineClamp:!0,lineHeight:!0,opacity:!0,order:!0,orphans:!0,tabSize:!0,widows:!0,zIndex:!0,zoom:!0,fillOpacity:!0,floodOpacity:!0,stopOpacity:!0,strokeDasharray:!0,strokeDashoffset:!0,strokeMiterlimit:!0,strokeOpacity:!0,strokeWidth:!0},he=["Webkit","ms","Moz","O"];function me(e,t,n){return null==t||"boolean"==typeof t||""===t?"":n||"number"!=typeof t||0===t||fe.hasOwnProperty(e)&&fe[e]?(""+t).trim():t+"px"}function ge(e,t){for(var n in e=e.style,t)if(t.hasOwnProperty(n)){var r=0===n.indexOf("--"),a=me(n,t[n],r);"float"===n&&(n="cssFloat"),r?e.setProperty(n,a):e[n]=a}}Object.keys(fe).forEach((function(e){he.forEach((function(t){t=t+e.charAt(0).toUpperCase()+e.substring(1),fe[t]=fe[e]}))}));var ye=F({menuitem:!0},{area:!0,base:!0,br:!0,col:!0,embed:!0,hr:!0,img:!0,input:!0,keygen:!0,link:!0,meta:!0,param:!0,source:!0,track:!0,wbr:!0});function be(e,t){if(t){if(ye[e]&&(null!=t.children||null!=t.dangerouslySetInnerHTML))throw Error(o(137,e));if(null!=t.dangerouslySetInnerHTML){if(null!=t.children)throw Error(o(60));if("object"!=typeof t.dangerouslySetInnerHTML||!("__html"in t.dangerouslySetInnerHTML))throw Error(o(61))}if(null!=t.style&&"object"!=typeof t.style)throw Error(o(62))}}function ve(e,t){if(-1===e.indexOf("-"))return"string"==typeof t.is;switch(e){case"annotation-xml":case"color-profile":case"font-face":case"font-face-src":case"font-face-uri":case"font-face-format":case"font-face-name":case"missing-glyph":return!1;default:return!0}}var we=null;function ke(e){return(e=e.target||e.srcElement||window).correspondingUseElement&&(e=e.correspondingUseElement),3===e.nodeType?e.parentNode:e}var xe=null,Se=null,Ee=null;function Ce(e){if(e=va(e)){if("function"!=typeof xe)throw Error(o(280));var t=e.stateNode;t&&(t=ka(t),xe(e.stateNode,e.type,t))}}function _e(e){Se?Ee?Ee.push(e):Ee=[e]:Se=e}function Te(){if(Se){var e=Se,t=Ee;if(Ee=Se=null,Ce(e),t)for(e=0;e<t.length;e++)Ce(t[e])}}function Le(e,t){return e(t)}function Re(){}var je=!1;function Ne(e,t,n){if(je)return e(t,n);je=!0;try{return Le(e,t,n)}finally{je=!1,(null!==Se||null!==Ee)&&(Re(),Te())}}function Pe(e,t){var n=e.stateNode;if(null===n)return null;var r=ka(n);if(null===r)return null;n=r[t];e:switch(t){case"onClick":case"onClickCapture":case"onDoubleClick":case"onDoubleClickCapture":case"onMouseDown":case"onMouseDownCapture":case"onMouseMove":case"onMouseMoveCapture":case"onMouseUp":case"onMouseUpCapture":case"onMouseEnter":(r=!r.disabled)||(r=!("button"===(e=e.type)||"input"===e||"select"===e||"textarea"===e)),e=!r;break e;default:e=!1}if(e)return null;if(n&&"function"!=typeof n)throw Error(o(231,t,typeof n));return n}var Ae=!1;if(u)try{var Oe={};Object.defineProperty(Oe,"passive",{get:function(){Ae=!0}}),window.addEventListener("test",Oe,Oe),window.removeEventListener("test",Oe,Oe)}catch(ue){Ae=!1}function Ie(e,t,n,r,a,o,i,s,l){var c=Array.prototype.slice.call(arguments,3);try{t.apply(n,c)}catch(u){this.onError(u)}}var De=!1,Fe=null,Me=!1,ze=null,Be={onError:function(e){De=!0,Fe=e}};function $e(e,t,n,r,a,o,i,s,l){De=!1,Fe=null,Ie.apply(Be,arguments)}function Ue(e){var t=e,n=e;if(e.alternate)for(;t.return;)t=t.return;else{e=t;do{0!=(4098&(t=e).flags)&&(n=t.return),e=t.return}while(e)}return 3===t.tag?n:null}function qe(e){if(13===e.tag){var t=e.memoizedState;if(null===t&&(null!==(e=e.alternate)&&(t=e.memoizedState)),null!==t)return t.dehydrated}return null}function He(e){if(Ue(e)!==e)throw Error(o(188))}function Qe(e){return null!==(e=function(e){var t=e.alternate;if(!t){if(null===(t=Ue(e)))throw Error(o(188));return t!==e?null:e}for(var n=e,r=t;;){var a=n.return;if(null===a)break;var i=a.alternate;if(null===i){if(null!==(r=a.return)){n=r;continue}break}if(a.child===i.child){for(i=a.child;i;){if(i===n)return He(a),e;if(i===r)return He(a),t;i=i.sibling}throw Error(o(188))}if(n.return!==r.return)n=a,r=i;else{for(var s=!1,l=a.child;l;){if(l===n){s=!0,n=a,r=i;break}if(l===r){s=!0,r=a,n=i;break}l=l.sibling}if(!s){for(l=i.child;l;){if(l===n){s=!0,n=i,r=a;break}if(l===r){s=!0,r=i,n=a;break}l=l.sibling}if(!s)throw Error(o(189))}}if(n.alternate!==r)throw Error(o(190))}if(3!==n.tag)throw Error(o(188));return n.stateNode.current===n?e:t}(e))?Ze(e):null}function Ze(e){if(5===e.tag||6===e.tag)return e;for(e=e.child;null!==e;){var t=Ze(e);if(null!==t)return t;e=e.sibling}return null}var We=a.unstable_scheduleCallback,Ve=a.unstable_cancelCallback,Ge=a.unstable_shouldYield,Xe=a.unstable_requestPaint,Ke=a.unstable_now,Ye=a.unstable_getCurrentPriorityLevel,Je=a.unstable_ImmediatePriority,et=a.unstable_UserBlockingPriority,tt=a.unstable_NormalPriority,nt=a.unstable_LowPriority,rt=a.unstable_IdlePriority,at=null,ot=null;var it=Math.clz32?Math.clz32:function(e){return e>>>=0,0===e?32:31-(st(e)/lt|0)|0},st=Math.log,lt=Math.LN2;var ct=64,ut=4194304;function dt(e){switch(e&-e){case 1:return 1;case 2:return 2;case 4:return 4;case 8:return 8;case 16:return 16;case 32:return 32;case 64:case 128:case 256:case 512:case 1024:case 2048:case 4096:case 8192:case 16384:case 32768:case 65536:case 131072:case 262144:case 524288:case 1048576:case 2097152:return 4194240&e;case 4194304:case 8388608:case 16777216:case 33554432:case 67108864:return 130023424&e;case 134217728:return 134217728;case 268435456:return 268435456;case 536870912:return 536870912;case 1073741824:return 1073741824;default:return e}}function pt(e,t){var n=e.pendingLanes;if(0===n)return 0;var r=0,a=e.suspendedLanes,o=e.pingedLanes,i=268435455&n;if(0!==i){var s=i&~a;0!==s?r=dt(s):0!==(o&=i)&&(r=dt(o))}else 0!==(i=n&~a)?r=dt(i):0!==o&&(r=dt(o));if(0===r)return 0;if(0!==t&&t!==r&&0==(t&a)&&((a=r&-r)>=(o=t&-t)||16===a&&0!=(4194240&o)))return t;if(0!=(4&r)&&(r|=16&n),0!==(t=e.entangledLanes))for(e=e.entanglements,t&=r;0<t;)a=1<<(n=31-it(t)),r|=e[n],t&=~a;return r}function ft(e,t){switch(e){case 1:case 2:case 4:return t+250;case 8:case 16:case 32:case 64:case 128:case 256:case 512:case 1024:case 2048:case 4096:case 8192:case 16384:case 32768:case 65536:case 131072:case 262144:case 524288:case 1048576:case 2097152:return t+5e3;default:return-1}}function ht(e){return 0!==(e=-1073741825&e.pendingLanes)?e:1073741824&e?1073741824:0}function mt(){var e=ct;return 0==(4194240&(ct<<=1))&&(ct=64),e}function gt(e){for(var t=[],n=0;31>n;n++)t.push(e);return t}function yt(e,t,n){e.pendingLanes|=t,536870912!==t&&(e.suspendedLanes=0,e.pingedLanes=0),(e=e.eventTimes)[t=31-it(t)]=n}function bt(e,t){var n=e.entangledLanes|=t;for(e=e.entanglements;n;){var r=31-it(n),a=1<<r;a&t|e[r]&t&&(e[r]|=t),n&=~a}}var vt=0;function wt(e){return 1<(e&=-e)?4<e?0!=(268435455&e)?16:536870912:4:1}var kt,xt,St,Et,Ct,_t=!1,Tt=[],Lt=null,Rt=null,jt=null,Nt=new Map,Pt=new Map,At=[],Ot="mousedown mouseup touchcancel touchend touchstart auxclick dblclick pointercancel pointerdown pointerup dragend dragstart drop compositionend compositionstart keydown keypress keyup input textInput copy cut paste click change contextmenu reset submit".split(" ");function It(e,t){switch(e){case"focusin":case"focusout":Lt=null;break;case"dragenter":case"dragleave":Rt=null;break;case"mouseover":case"mouseout":jt=null;break;case"pointerover":case"pointerout":Nt.delete(t.pointerId);break;case"gotpointercapture":case"lostpointercapture":Pt.delete(t.pointerId)}}function Dt(e,t,n,r,a,o){return null===e||e.nativeEvent!==o?(e={blockedOn:t,domEventName:n,eventSystemFlags:r,nativeEvent:o,targetContainers:[a]},null!==t&&(null!==(t=va(t))&&xt(t)),e):(e.eventSystemFlags|=r,t=e.targetContainers,null!==a&&-1===t.indexOf(a)&&t.push(a),e)}function Ft(e){var t=ba(e.target);if(null!==t){var n=Ue(t);if(null!==n)if(13===(t=n.tag)){if(null!==(t=qe(n)))return e.blockedOn=t,void Ct(e.priority,(function(){St(n)}))}else if(3===t&&n.stateNode.current.memoizedState.isDehydrated)return void(e.blockedOn=3===n.tag?n.stateNode.containerInfo:null)}e.blockedOn=null}function Mt(e){if(null!==e.blockedOn)return!1;for(var t=e.targetContainers;0<t.length;){var n=Gt(e.domEventName,e.eventSystemFlags,t[0],e.nativeEvent);if(null!==n)return null!==(t=va(n))&&xt(t),e.blockedOn=n,!1;var r=new(n=e.nativeEvent).constructor(n.type,n);we=r,n.target.dispatchEvent(r),we=null,t.shift()}return!0}function zt(e,t,n){Mt(e)&&n.delete(t)}function Bt(){_t=!1,null!==Lt&&Mt(Lt)&&(Lt=null),null!==Rt&&Mt(Rt)&&(Rt=null),null!==jt&&Mt(jt)&&(jt=null),Nt.forEach(zt),Pt.forEach(zt)}function $t(e,t){e.blockedOn===t&&(e.blockedOn=null,_t||(_t=!0,a.unstable_scheduleCallback(a.unstable_NormalPriority,Bt)))}function Ut(e){function t(t){return $t(t,e)}if(0<Tt.length){$t(Tt[0],e);for(var n=1;n<Tt.length;n++){var r=Tt[n];r.blockedOn===e&&(r.blockedOn=null)}}for(null!==Lt&&$t(Lt,e),null!==Rt&&$t(Rt,e),null!==jt&&$t(jt,e),Nt.forEach(t),Pt.forEach(t),n=0;n<At.length;n++)(r=At[n]).blockedOn===e&&(r.blockedOn=null);for(;0<At.length&&null===(n=At[0]).blockedOn;)Ft(n),null===n.blockedOn&&At.shift()}var qt=w.ReactCurrentBatchConfig,Ht=!0;function Qt(e,t,n,r){var a=vt,o=qt.transition;qt.transition=null;try{vt=1,Wt(e,t,n,r)}finally{vt=a,qt.transition=o}}function Zt(e,t,n,r){var a=vt,o=qt.transition;qt.transition=null;try{vt=4,Wt(e,t,n,r)}finally{vt=a,qt.transition=o}}function Wt(e,t,n,r){if(Ht){var a=Gt(e,t,n,r);if(null===a)Hr(e,t,r,Vt,n),It(e,r);else if(function(e,t,n,r,a){switch(t){case"focusin":return Lt=Dt(Lt,e,t,n,r,a),!0;case"dragenter":return Rt=Dt(Rt,e,t,n,r,a),!0;case"mouseover":return jt=Dt(jt,e,t,n,r,a),!0;case"pointerover":var o=a.pointerId;return Nt.set(o,Dt(Nt.get(o)||null,e,t,n,r,a)),!0;case"gotpointercapture":return o=a.pointerId,Pt.set(o,Dt(Pt.get(o)||null,e,t,n,r,a)),!0}return!1}(a,e,t,n,r))r.stopPropagation();else if(It(e,r),4&t&&-1<Ot.indexOf(e)){for(;null!==a;){var o=va(a);if(null!==o&&kt(o),null===(o=Gt(e,t,n,r))&&Hr(e,t,r,Vt,n),o===a)break;a=o}null!==a&&r.stopPropagation()}else Hr(e,t,r,null,n)}}var Vt=null;function Gt(e,t,n,r){if(Vt=null,null!==(e=ba(e=ke(r))))if(null===(t=Ue(e)))e=null;else if(13===(n=t.tag)){if(null!==(e=qe(t)))return e;e=null}else if(3===n){if(t.stateNode.current.memoizedState.isDehydrated)return 3===t.tag?t.stateNode.containerInfo:null;e=null}else t!==e&&(e=null);return Vt=e,null}function Xt(e){switch(e){case"cancel":case"click":case"close":case"contextmenu":case"copy":case"cut":case"auxclick":case"dblclick":case"dragend":case"dragstart":case"drop":case"focusin":case"focusout":case"input":case"invalid":case"keydown":case"keypress":case"keyup":case"mousedown":case"mouseup":case"paste":case"pause":case"play":case"pointercancel":case"pointerdown":case"pointerup":case"ratechange":case"reset":case"resize":case"seeked":case"submit":case"touchcancel":case"touchend":case"touchstart":case"volumechange":case"change":case"selectionchange":case"textInput":case"compositionstart":case"compositionend":case"compositionupdate":case"beforeblur":case"afterblur":case"beforeinput":case"blur":case"fullscreenchange":case"focus":case"hashchange":case"popstate":case"select":case"selectstart":return 1;case"drag":case"dragenter":case"dragexit":case"dragleave":case"dragover":case"mousemove":case"mouseout":case"mouseover":case"pointermove":case"pointerout":case"pointerover":case"scroll":case"toggle":case"touchmove":case"wheel":case"mouseenter":case"mouseleave":case"pointerenter":case"pointerleave":return 4;case"message":switch(Ye()){case Je:return 1;case et:return 4;case tt:case nt:return 16;case rt:return 536870912;default:return 16}default:return 16}}var Kt=null,Yt=null,Jt=null;function en(){if(Jt)return Jt;var e,t,n=Yt,r=n.length,a="value"in Kt?Kt.value:Kt.textContent,o=a.length;for(e=0;e<r&&n[e]===a[e];e++);var i=r-e;for(t=1;t<=i&&n[r-t]===a[o-t];t++);return Jt=a.slice(e,1<t?1-t:void 0)}function tn(e){var t=e.keyCode;return"charCode"in e?0===(e=e.charCode)&&13===t&&(e=13):e=t,10===e&&(e=13),32<=e||13===e?e:0}function nn(){return!0}function rn(){return!1}function an(e){function t(t,n,r,a,o){for(var i in this._reactName=t,this._targetInst=r,this.type=n,this.nativeEvent=a,this.target=o,this.currentTarget=null,e)e.hasOwnProperty(i)&&(t=e[i],this[i]=t?t(a):a[i]);return this.isDefaultPrevented=(null!=a.defaultPrevented?a.defaultPrevented:!1===a.returnValue)?nn:rn,this.isPropagationStopped=rn,this}return F(t.prototype,{preventDefault:function(){this.defaultPrevented=!0;var e=this.nativeEvent;e&&(e.preventDefault?e.preventDefault():"unknown"!=typeof e.returnValue&&(e.returnValue=!1),this.isDefaultPrevented=nn)},stopPropagation:function(){var e=this.nativeEvent;e&&(e.stopPropagation?e.stopPropagation():"unknown"!=typeof e.cancelBubble&&(e.cancelBubble=!0),this.isPropagationStopped=nn)},persist:function(){},isPersistent:nn}),t}var on,sn,ln,cn={eventPhase:0,bubbles:0,cancelable:0,timeStamp:function(e){return e.timeStamp||Date.now()},defaultPrevented:0,isTrusted:0},un=an(cn),dn=F({},cn,{view:0,detail:0}),pn=an(dn),fn=F({},dn,{screenX:0,screenY:0,clientX:0,clientY:0,pageX:0,pageY:0,ctrlKey:0,shiftKey:0,altKey:0,metaKey:0,getModifierState:Cn,button:0,buttons:0,relatedTarget:function(e){return void 0===e.relatedTarget?e.fromElement===e.srcElement?e.toElement:e.fromElement:e.relatedTarget},movementX:function(e){return"movementX"in e?e.movementX:(e!==ln&&(ln&&"mousemove"===e.type?(on=e.screenX-ln.screenX,sn=e.screenY-ln.screenY):sn=on=0,ln=e),on)},movementY:function(e){return"movementY"in e?e.movementY:sn}}),hn=an(fn),mn=an(F({},fn,{dataTransfer:0})),gn=an(F({},dn,{relatedTarget:0})),yn=an(F({},cn,{animationName:0,elapsedTime:0,pseudoElement:0})),bn=F({},cn,{clipboardData:function(e){return"clipboardData"in e?e.clipboardData:window.clipboardData}}),vn=an(bn),wn=an(F({},cn,{data:0})),kn={Esc:"Escape",Spacebar:" ",Left:"ArrowLeft",Up:"ArrowUp",Right:"ArrowRight",Down:"ArrowDown",Del:"Delete",Win:"OS",Menu:"ContextMenu",Apps:"ContextMenu",Scroll:"ScrollLock",MozPrintableKey:"Unidentified"},xn={8:"Backspace",9:"Tab",12:"Clear",13:"Enter",16:"Shift",17:"Control",18:"Alt",19:"Pause",20:"CapsLock",27:"Escape",32:" ",33:"PageUp",34:"PageDown",35:"End",36:"Home",37:"ArrowLeft",38:"ArrowUp",39:"ArrowRight",40:"ArrowDown",45:"Insert",46:"Delete",112:"F1",113:"F2",114:"F3",115:"F4",116:"F5",117:"F6",118:"F7",119:"F8",120:"F9",121:"F10",122:"F11",123:"F12",144:"NumLock",145:"ScrollLock",224:"Meta"},Sn={Alt:"altKey",Control:"ctrlKey",Meta:"metaKey",Shift:"shiftKey"};function En(e){var t=this.nativeEvent;return t.getModifierState?t.getModifierState(e):!!(e=Sn[e])&&!!t[e]}function Cn(){return En}var _n=F({},dn,{key:function(e){if(e.key){var t=kn[e.key]||e.key;if("Unidentified"!==t)return t}return"keypress"===e.type?13===(e=tn(e))?"Enter":String.fromCharCode(e):"keydown"===e.type||"keyup"===e.type?xn[e.keyCode]||"Unidentified":""},code:0,location:0,ctrlKey:0,shiftKey:0,altKey:0,metaKey:0,repeat:0,locale:0,getModifierState:Cn,charCode:function(e){return"keypress"===e.type?tn(e):0},keyCode:function(e){return"keydown"===e.type||"keyup"===e.type?e.keyCode:0},which:function(e){return"keypress"===e.type?tn(e):"keydown"===e.type||"keyup"===e.type?e.keyCode:0}}),Tn=an(_n),Ln=an(F({},fn,{pointerId:0,width:0,height:0,pressure:0,tangentialPressure:0,tiltX:0,tiltY:0,twist:0,pointerType:0,isPrimary:0})),Rn=an(F({},dn,{touches:0,targetTouches:0,changedTouches:0,altKey:0,metaKey:0,ctrlKey:0,shiftKey:0,getModifierState:Cn})),jn=an(F({},cn,{propertyName:0,elapsedTime:0,pseudoElement:0})),Nn=F({},fn,{deltaX:function(e){return"deltaX"in e?e.deltaX:"wheelDeltaX"in e?-e.wheelDeltaX:0},deltaY:function(e){return"deltaY"in e?e.deltaY:"wheelDeltaY"in e?-e.wheelDeltaY:"wheelDelta"in e?-e.wheelDelta:0},deltaZ:0,deltaMode:0}),Pn=an(Nn),An=[9,13,27,32],On=u&&"CompositionEvent"in window,In=null;u&&"documentMode"in document&&(In=document.documentMode);var Dn=u&&"TextEvent"in window&&!In,Fn=u&&(!On||In&&8<In&&11>=In),Mn=String.fromCharCode(32),zn=!1;function Bn(e,t){switch(e){case"keyup":return-1!==An.indexOf(t.keyCode);case"keydown":return 229!==t.keyCode;case"keypress":case"mousedown":case"focusout":return!0;default:return!1}}function $n(e){return"object"==typeof(e=e.detail)&&"data"in e?e.data:null}var Un=!1;var qn={color:!0,date:!0,datetime:!0,"datetime-local":!0,email:!0,month:!0,number:!0,password:!0,range:!0,search:!0,tel:!0,text:!0,time:!0,url:!0,week:!0};function Hn(e){var t=e&&e.nodeName&&e.nodeName.toLowerCase();return"input"===t?!!qn[e.type]:"textarea"===t}function Qn(e,t,n,r){_e(r),0<(t=Zr(t,"onChange")).length&&(n=new un("onChange","change",null,n,r),e.push({event:n,listeners:t}))}var Zn=null,Wn=null;function Vn(e){Mr(e,0)}function Gn(e){if(W(wa(e)))return e}function Xn(e,t){if("change"===e)return t}var Kn=!1;if(u){var Yn;if(u){var Jn="oninput"in document;if(!Jn){var er=document.createElement("div");er.setAttribute("oninput","return;"),Jn="function"==typeof er.oninput}Yn=Jn}else Yn=!1;Kn=Yn&&(!document.documentMode||9<document.documentMode)}function tr(){Zn&&(Zn.detachEvent("onpropertychange",nr),Wn=Zn=null)}function nr(e){if("value"===e.propertyName&&Gn(Wn)){var t=[];Qn(t,Wn,e,ke(e)),Ne(Vn,t)}}function rr(e,t,n){"focusin"===e?(tr(),Wn=n,(Zn=t).attachEvent("onpropertychange",nr)):"focusout"===e&&tr()}function ar(e){if("selectionchange"===e||"keyup"===e||"keydown"===e)return Gn(Wn)}function or(e,t){if("click"===e)return Gn(t)}function ir(e,t){if("input"===e||"change"===e)return Gn(t)}var sr="function"==typeof Object.is?Object.is:function(e,t){return e===t&&(0!==e||1/e==1/t)||e!=e&&t!=t};function lr(e,t){if(sr(e,t))return!0;if("object"!=typeof e||null===e||"object"!=typeof t||null===t)return!1;var n=Object.keys(e),r=Object.keys(t);if(n.length!==r.length)return!1;for(r=0;r<n.length;r++){var a=n[r];if(!d.call(t,a)||!sr(e[a],t[a]))return!1}return!0}function cr(e){for(;e&&e.firstChild;)e=e.firstChild;return e}function ur(e,t){var n,r=cr(e);for(e=0;r;){if(3===r.nodeType){if(n=e+r.textContent.length,e<=t&&n>=t)return{node:r,offset:t-e};e=n}e:{for(;r;){if(r.nextSibling){r=r.nextSibling;break e}r=r.parentNode}r=void 0}r=cr(r)}}function dr(e,t){return!(!e||!t)&&(e===t||(!e||3!==e.nodeType)&&(t&&3===t.nodeType?dr(e,t.parentNode):"contains"in e?e.contains(t):!!e.compareDocumentPosition&&!!(16&e.compareDocumentPosition(t))))}function pr(){for(var e=window,t=V();t instanceof e.HTMLIFrameElement;){try{var n="string"==typeof t.contentWindow.location.href}catch(r){n=!1}if(!n)break;t=V((e=t.contentWindow).document)}return t}function fr(e){var t=e&&e.nodeName&&e.nodeName.toLowerCase();return t&&("input"===t&&("text"===e.type||"search"===e.type||"tel"===e.type||"url"===e.type||"password"===e.type)||"textarea"===t||"true"===e.contentEditable)}function hr(e){var t=pr(),n=e.focusedElem,r=e.selectionRange;if(t!==n&&n&&n.ownerDocument&&dr(n.ownerDocument.documentElement,n)){if(null!==r&&fr(n))if(t=r.start,void 0===(e=r.end)&&(e=t),"selectionStart"in n)n.selectionStart=t,n.selectionEnd=Math.min(e,n.value.length);else if((e=(t=n.ownerDocument||document)&&t.defaultView||window).getSelection){e=e.getSelection();var a=n.textContent.length,o=Math.min(r.start,a);r=void 0===r.end?o:Math.min(r.end,a),!e.extend&&o>r&&(a=r,r=o,o=a),a=ur(n,o);var i=ur(n,r);a&&i&&(1!==e.rangeCount||e.anchorNode!==a.node||e.anchorOffset!==a.offset||e.focusNode!==i.node||e.focusOffset!==i.offset)&&((t=t.createRange()).setStart(a.node,a.offset),e.removeAllRanges(),o>r?(e.addRange(t),e.extend(i.node,i.offset)):(t.setEnd(i.node,i.offset),e.addRange(t)))}for(t=[],e=n;e=e.parentNode;)1===e.nodeType&&t.push({element:e,left:e.scrollLeft,top:e.scrollTop});for("function"==typeof n.focus&&n.focus(),n=0;n<t.length;n++)(e=t[n]).element.scrollLeft=e.left,e.element.scrollTop=e.top}}var mr=u&&"documentMode"in document&&11>=document.documentMode,gr=null,yr=null,br=null,vr=!1;function wr(e,t,n){var r=n.window===n?n.document:9===n.nodeType?n:n.ownerDocument;vr||null==gr||gr!==V(r)||("selectionStart"in(r=gr)&&fr(r)?r={start:r.selectionStart,end:r.selectionEnd}:r={anchorNode:(r=(r.ownerDocument&&r.ownerDocument.defaultView||window).getSelection()).anchorNode,anchorOffset:r.anchorOffset,focusNode:r.focusNode,focusOffset:r.focusOffset},br&&lr(br,r)||(br=r,0<(r=Zr(yr,"onSelect")).length&&(t=new un("onSelect","select",null,t,n),e.push({event:t,listeners:r}),t.target=gr)))}function kr(e,t){var n={};return n[e.toLowerCase()]=t.toLowerCase(),n["Webkit"+e]="webkit"+t,n["Moz"+e]="moz"+t,n}var xr={animationend:kr("Animation","AnimationEnd"),animationiteration:kr("Animation","AnimationIteration"),animationstart:kr("Animation","AnimationStart"),transitionend:kr("Transition","TransitionEnd")},Sr={},Er={};function Cr(e){if(Sr[e])return Sr[e];if(!xr[e])return e;var t,n=xr[e];for(t in n)if(n.hasOwnProperty(t)&&t in Er)return Sr[e]=n[t];return e}u&&(Er=document.createElement("div").style,"AnimationEvent"in window||(delete xr.animationend.animation,delete xr.animationiteration.animation,delete xr.animationstart.animation),"TransitionEvent"in window||delete xr.transitionend.transition);var _r=Cr("animationend"),Tr=Cr("animationiteration"),Lr=Cr("animationstart"),Rr=Cr("transitionend"),jr=new Map,Nr="abort auxClick cancel canPlay canPlayThrough click close contextMenu copy cut drag dragEnd dragEnter dragExit dragLeave dragOver dragStart drop durationChange emptied encrypted ended error gotPointerCapture input invalid keyDown keyPress keyUp load loadedData loadedMetadata loadStart lostPointerCapture mouseDown mouseMove mouseOut mouseOver mouseUp paste pause play playing pointerCancel pointerDown pointerMove pointerOut pointerOver pointerUp progress rateChange reset resize seeked seeking stalled submit suspend timeUpdate touchCancel touchEnd touchStart volumeChange scroll toggle touchMove waiting wheel".split(" ");function Pr(e,t){jr.set(e,t),l(t,[e])}for(var Ar=0;Ar<Nr.length;Ar++){var Or=Nr[Ar];Pr(Or.toLowerCase(),"on"+(Or[0].toUpperCase()+Or.slice(1)))}Pr(_r,"onAnimationEnd"),Pr(Tr,"onAnimationIteration"),Pr(Lr,"onAnimationStart"),Pr("dblclick","onDoubleClick"),Pr("focusin","onFocus"),Pr("focusout","onBlur"),Pr(Rr,"onTransitionEnd"),c("onMouseEnter",["mouseout","mouseover"]),c("onMouseLeave",["mouseout","mouseover"]),c("onPointerEnter",["pointerout","pointerover"]),c("onPointerLeave",["pointerout","pointerover"]),l("onChange","change click focusin focusout input keydown keyup selectionchange".split(" ")),l("onSelect","focusout contextmenu dragend focusin keydown keyup mousedown mouseup selectionchange".split(" ")),l("onBeforeInput",["compositionend","keypress","textInput","paste"]),l("onCompositionEnd","compositionend focusout keydown keypress keyup mousedown".split(" ")),l("onCompositionStart","compositionstart focusout keydown keypress keyup mousedown".split(" ")),l("onCompositionUpdate","compositionupdate focusout keydown keypress keyup mousedown".split(" "));var Ir="abort canplay canplaythrough durationchange emptied encrypted ended error loadeddata loadedmetadata loadstart pause play playing progress ratechange resize seeked seeking stalled suspend timeupdate volumechange waiting".split(" "),Dr=new Set("cancel close invalid load scroll toggle".split(" ").concat(Ir));function Fr(e,t,n){var r=e.type||"unknown-event";e.currentTarget=n,function(e,t,n,r,a,i,s,l,c){if($e.apply(this,arguments),De){if(!De)throw Error(o(198));var u=Fe;De=!1,Fe=null,Me||(Me=!0,ze=u)}}(r,t,void 0,e),e.currentTarget=null}function Mr(e,t){t=0!=(4&t);for(var n=0;n<e.length;n++){var r=e[n],a=r.event;r=r.listeners;e:{var o=void 0;if(t)for(var i=r.length-1;0<=i;i--){var s=r[i],l=s.instance,c=s.currentTarget;if(s=s.listener,l!==o&&a.isPropagationStopped())break e;Fr(a,s,c),o=l}else for(i=0;i<r.length;i++){if(l=(s=r[i]).instance,c=s.currentTarget,s=s.listener,l!==o&&a.isPropagationStopped())break e;Fr(a,s,c),o=l}}}if(Me)throw e=ze,Me=!1,ze=null,e}function zr(e,t){var n=t[ma];void 0===n&&(n=t[ma]=new Set);var r=e+"__bubble";n.has(r)||(qr(t,e,2,!1),n.add(r))}function Br(e,t,n){var r=0;t&&(r|=4),qr(n,e,r,t)}var $r="_reactListening"+Math.random().toString(36).slice(2);function Ur(e){if(!e[$r]){e[$r]=!0,i.forEach((function(t){"selectionchange"!==t&&(Dr.has(t)||Br(t,!1,e),Br(t,!0,e))}));var t=9===e.nodeType?e:e.ownerDocument;null===t||t[$r]||(t[$r]=!0,Br("selectionchange",!1,t))}}function qr(e,t,n,r){switch(Xt(t)){case 1:var a=Qt;break;case 4:a=Zt;break;default:a=Wt}n=a.bind(null,t,n,e),a=void 0,!Ae||"touchstart"!==t&&"touchmove"!==t&&"wheel"!==t||(a=!0),r?void 0!==a?e.addEventListener(t,n,{capture:!0,passive:a}):e.addEventListener(t,n,!0):void 0!==a?e.addEventListener(t,n,{passive:a}):e.addEventListener(t,n,!1)}function Hr(e,t,n,r,a){var o=r;if(0==(1&t)&&0==(2&t)&&null!==r)e:for(;;){if(null===r)return;var i=r.tag;if(3===i||4===i){var s=r.stateNode.containerInfo;if(s===a||8===s.nodeType&&s.parentNode===a)break;if(4===i)for(i=r.return;null!==i;){var l=i.tag;if((3===l||4===l)&&((l=i.stateNode.containerInfo)===a||8===l.nodeType&&l.parentNode===a))return;i=i.return}for(;null!==s;){if(null===(i=ba(s)))return;if(5===(l=i.tag)||6===l){r=o=i;continue e}s=s.parentNode}}r=r.return}Ne((function(){var r=o,a=ke(n),i=[];e:{var s=jr.get(e);if(void 0!==s){var l=un,c=e;switch(e){case"keypress":if(0===tn(n))break e;case"keydown":case"keyup":l=Tn;break;case"focusin":c="focus",l=gn;break;case"focusout":c="blur",l=gn;break;case"beforeblur":case"afterblur":l=gn;break;case"click":if(2===n.button)break e;case"auxclick":case"dblclick":case"mousedown":case"mousemove":case"mouseup":case"mouseout":case"mouseover":case"contextmenu":l=hn;break;case"drag":case"dragend":case"dragenter":case"dragexit":case"dragleave":case"dragover":case"dragstart":case"drop":l=mn;break;case"touchcancel":case"touchend":case"touchmove":case"touchstart":l=Rn;break;case _r:case Tr:case Lr:l=yn;break;case Rr:l=jn;break;case"scroll":l=pn;break;case"wheel":l=Pn;break;case"copy":case"cut":case"paste":l=vn;break;case"gotpointercapture":case"lostpointercapture":case"pointercancel":case"pointerdown":case"pointermove":case"pointerout":case"pointerover":case"pointerup":l=Ln}var u=0!=(4&t),d=!u&&"scroll"===e,p=u?null!==s?s+"Capture":null:s;u=[];for(var f,h=r;null!==h;){var m=(f=h).stateNode;if(5===f.tag&&null!==m&&(f=m,null!==p&&(null!=(m=Pe(h,p))&&u.push(Qr(h,m,f)))),d)break;h=h.return}0<u.length&&(s=new l(s,c,null,n,a),i.push({event:s,listeners:u}))}}if(0==(7&t)){if(l="mouseout"===e||"pointerout"===e,(!(s="mouseover"===e||"pointerover"===e)||n===we||!(c=n.relatedTarget||n.fromElement)||!ba(c)&&!c[ha])&&(l||s)&&(s=a.window===a?a:(s=a.ownerDocument)?s.defaultView||s.parentWindow:window,l?(l=r,null!==(c=(c=n.relatedTarget||n.toElement)?ba(c):null)&&(c!==(d=Ue(c))||5!==c.tag&&6!==c.tag)&&(c=null)):(l=null,c=r),l!==c)){if(u=hn,m="onMouseLeave",p="onMouseEnter",h="mouse","pointerout"!==e&&"pointerover"!==e||(u=Ln,m="onPointerLeave",p="onPointerEnter",h="pointer"),d=null==l?s:wa(l),f=null==c?s:wa(c),(s=new u(m,h+"leave",l,n,a)).target=d,s.relatedTarget=f,m=null,ba(a)===r&&((u=new u(p,h+"enter",c,n,a)).target=f,u.relatedTarget=d,m=u),d=m,l&&c)e:{for(p=c,h=0,f=u=l;f;f=Wr(f))h++;for(f=0,m=p;m;m=Wr(m))f++;for(;0<h-f;)u=Wr(u),h--;for(;0<f-h;)p=Wr(p),f--;for(;h--;){if(u===p||null!==p&&u===p.alternate)break e;u=Wr(u),p=Wr(p)}u=null}else u=null;null!==l&&Vr(i,s,l,u,!1),null!==c&&null!==d&&Vr(i,d,c,u,!0)}if("select"===(l=(s=r?wa(r):window).nodeName&&s.nodeName.toLowerCase())||"input"===l&&"file"===s.type)var g=Xn;else if(Hn(s))if(Kn)g=ir;else{g=ar;var y=rr}else(l=s.nodeName)&&"input"===l.toLowerCase()&&("checkbox"===s.type||"radio"===s.type)&&(g=or);switch(g&&(g=g(e,r))?Qn(i,g,n,a):(y&&y(e,s,r),"focusout"===e&&(y=s._wrapperState)&&y.controlled&&"number"===s.type&&ee(s,"number",s.value)),y=r?wa(r):window,e){case"focusin":(Hn(y)||"true"===y.contentEditable)&&(gr=y,yr=r,br=null);break;case"focusout":br=yr=gr=null;break;case"mousedown":vr=!0;break;case"contextmenu":case"mouseup":case"dragend":vr=!1,wr(i,n,a);break;case"selectionchange":if(mr)break;case"keydown":case"keyup":wr(i,n,a)}var b;if(On)e:{switch(e){case"compositionstart":var v="onCompositionStart";break e;case"compositionend":v="onCompositionEnd";break e;case"compositionupdate":v="onCompositionUpdate";break e}v=void 0}else Un?Bn(e,n)&&(v="onCompositionEnd"):"keydown"===e&&229===n.keyCode&&(v="onCompositionStart");v&&(Fn&&"ko"!==n.locale&&(Un||"onCompositionStart"!==v?"onCompositionEnd"===v&&Un&&(b=en()):(Yt="value"in(Kt=a)?Kt.value:Kt.textContent,Un=!0)),0<(y=Zr(r,v)).length&&(v=new wn(v,e,null,n,a),i.push({event:v,listeners:y}),b?v.data=b:null!==(b=$n(n))&&(v.data=b))),(b=Dn?function(e,t){switch(e){case"compositionend":return $n(t);case"keypress":return 32!==t.which?null:(zn=!0,Mn);case"textInput":return(e=t.data)===Mn&&zn?null:e;default:return null}}(e,n):function(e,t){if(Un)return"compositionend"===e||!On&&Bn(e,t)?(e=en(),Jt=Yt=Kt=null,Un=!1,e):null;switch(e){case"paste":default:return null;case"keypress":if(!(t.ctrlKey||t.altKey||t.metaKey)||t.ctrlKey&&t.altKey){if(t.char&&1<t.char.length)return t.char;if(t.which)return String.fromCharCode(t.which)}return null;case"compositionend":return Fn&&"ko"!==t.locale?null:t.data}}(e,n))&&(0<(r=Zr(r,"onBeforeInput")).length&&(a=new wn("onBeforeInput","beforeinput",null,n,a),i.push({event:a,listeners:r}),a.data=b))}Mr(i,t)}))}function Qr(e,t,n){return{instance:e,listener:t,currentTarget:n}}function Zr(e,t){for(var n=t+"Capture",r=[];null!==e;){var a=e,o=a.stateNode;5===a.tag&&null!==o&&(a=o,null!=(o=Pe(e,n))&&r.unshift(Qr(e,o,a)),null!=(o=Pe(e,t))&&r.push(Qr(e,o,a))),e=e.return}return r}function Wr(e){if(null===e)return null;do{e=e.return}while(e&&5!==e.tag);return e||null}function Vr(e,t,n,r,a){for(var o=t._reactName,i=[];null!==n&&n!==r;){var s=n,l=s.alternate,c=s.stateNode;if(null!==l&&l===r)break;5===s.tag&&null!==c&&(s=c,a?null!=(l=Pe(n,o))&&i.unshift(Qr(n,l,s)):a||null!=(l=Pe(n,o))&&i.push(Qr(n,l,s))),n=n.return}0!==i.length&&e.push({event:t,listeners:i})}var Gr=/\r\n?/g,Xr=/\u0000|\uFFFD/g;function Kr(e){return("string"==typeof e?e:""+e).replace(Gr,"\n").replace(Xr,"")}function Yr(e,t,n){if(t=Kr(t),Kr(e)!==t&&n)throw Error(o(425))}function Jr(){}var ea=null,ta=null;function na(e,t){return"textarea"===e||"noscript"===e||"string"==typeof t.children||"number"==typeof t.children||"object"==typeof t.dangerouslySetInnerHTML&&null!==t.dangerouslySetInnerHTML&&null!=t.dangerouslySetInnerHTML.__html}var ra="function"==typeof setTimeout?setTimeout:void 0,aa="function"==typeof clearTimeout?clearTimeout:void 0,oa="function"==typeof Promise?Promise:void 0,ia="function"==typeof queueMicrotask?queueMicrotask:void 0!==oa?function(e){return oa.resolve(null).then(e).catch(sa)}:ra;function sa(e){setTimeout((function(){throw e}))}function la(e,t){var n=t,r=0;do{var a=n.nextSibling;if(e.removeChild(n),a&&8===a.nodeType)if("/$"===(n=a.data)){if(0===r)return e.removeChild(a),void Ut(t);r--}else"$"!==n&&"$?"!==n&&"$!"!==n||r++;n=a}while(n);Ut(t)}function ca(e){for(;null!=e;e=e.nextSibling){var t=e.nodeType;if(1===t||3===t)break;if(8===t){if("$"===(t=e.data)||"$!"===t||"$?"===t)break;if("/$"===t)return null}}return e}function ua(e){e=e.previousSibling;for(var t=0;e;){if(8===e.nodeType){var n=e.data;if("$"===n||"$!"===n||"$?"===n){if(0===t)return e;t--}else"/$"===n&&t++}e=e.previousSibling}return null}var da=Math.random().toString(36).slice(2),pa="__reactFiber$"+da,fa="__reactProps$"+da,ha="__reactContainer$"+da,ma="__reactEvents$"+da,ga="__reactListeners$"+da,ya="__reactHandles$"+da;function ba(e){var t=e[pa];if(t)return t;for(var n=e.parentNode;n;){if(t=n[ha]||n[pa]){if(n=t.alternate,null!==t.child||null!==n&&null!==n.child)for(e=ua(e);null!==e;){if(n=e[pa])return n;e=ua(e)}return t}n=(e=n).parentNode}return null}function va(e){return!(e=e[pa]||e[ha])||5!==e.tag&&6!==e.tag&&13!==e.tag&&3!==e.tag?null:e}function wa(e){if(5===e.tag||6===e.tag)return e.stateNode;throw Error(o(33))}function ka(e){return e[fa]||null}var xa=[],Sa=-1;function Ea(e){return{current:e}}function Ca(e){0>Sa||(e.current=xa[Sa],xa[Sa]=null,Sa--)}function _a(e,t){Sa++,xa[Sa]=e.current,e.current=t}var Ta={},La=Ea(Ta),Ra=Ea(!1),ja=Ta;function Na(e,t){var n=e.type.contextTypes;if(!n)return Ta;var r=e.stateNode;if(r&&r.__reactInternalMemoizedUnmaskedChildContext===t)return r.__reactInternalMemoizedMaskedChildContext;var a,o={};for(a in n)o[a]=t[a];return r&&((e=e.stateNode).__reactInternalMemoizedUnmaskedChildContext=t,e.__reactInternalMemoizedMaskedChildContext=o),o}function Pa(e){return null!=(e=e.childContextTypes)}function Aa(){Ca(Ra),Ca(La)}function Oa(e,t,n){if(La.current!==Ta)throw Error(o(168));_a(La,t),_a(Ra,n)}function Ia(e,t,n){var r=e.stateNode;if(t=t.childContextTypes,"function"!=typeof r.getChildContext)return n;for(var a in r=r.getChildContext())if(!(a in t))throw Error(o(108,q(e)||"Unknown",a));return F({},n,r)}function Da(e){return e=(e=e.stateNode)&&e.__reactInternalMemoizedMergedChildContext||Ta,ja=La.current,_a(La,e),_a(Ra,Ra.current),!0}function Fa(e,t,n){var r=e.stateNode;if(!r)throw Error(o(169));n?(e=Ia(e,t,ja),r.__reactInternalMemoizedMergedChildContext=e,Ca(Ra),Ca(La),_a(La,e)):Ca(Ra),_a(Ra,n)}var Ma=null,za=!1,Ba=!1;function $a(e){null===Ma?Ma=[e]:Ma.push(e)}function Ua(){if(!Ba&&null!==Ma){Ba=!0;var e=0,t=vt;try{var n=Ma;for(vt=1;e<n.length;e++){var r=n[e];do{r=r(!0)}while(null!==r)}Ma=null,za=!1}catch(a){throw null!==Ma&&(Ma=Ma.slice(e+1)),We(Je,Ua),a}finally{vt=t,Ba=!1}}return null}var qa=[],Ha=0,Qa=null,Za=0,Wa=[],Va=0,Ga=null,Xa=1,Ka="";function Ya(e,t){qa[Ha++]=Za,qa[Ha++]=Qa,Qa=e,Za=t}function Ja(e,t,n){Wa[Va++]=Xa,Wa[Va++]=Ka,Wa[Va++]=Ga,Ga=e;var r=Xa;e=Ka;var a=32-it(r)-1;r&=~(1<<a),n+=1;var o=32-it(t)+a;if(30<o){var i=a-a%5;o=(r&(1<<i)-1).toString(32),r>>=i,a-=i,Xa=1<<32-it(t)+a|n<<a|r,Ka=o+e}else Xa=1<<o|n<<a|r,Ka=e}function eo(e){null!==e.return&&(Ya(e,1),Ja(e,1,0))}function to(e){for(;e===Qa;)Qa=qa[--Ha],qa[Ha]=null,Za=qa[--Ha],qa[Ha]=null;for(;e===Ga;)Ga=Wa[--Va],Wa[Va]=null,Ka=Wa[--Va],Wa[Va]=null,Xa=Wa[--Va],Wa[Va]=null}var no=null,ro=null,ao=!1,oo=null;function io(e,t){var n=Nc(5,null,null,0);n.elementType="DELETED",n.stateNode=t,n.return=e,null===(t=e.deletions)?(e.deletions=[n],e.flags|=16):t.push(n)}function so(e,t){switch(e.tag){case 5:var n=e.type;return null!==(t=1!==t.nodeType||n.toLowerCase()!==t.nodeName.toLowerCase()?null:t)&&(e.stateNode=t,no=e,ro=ca(t.firstChild),!0);case 6:return null!==(t=""===e.pendingProps||3!==t.nodeType?null:t)&&(e.stateNode=t,no=e,ro=null,!0);case 13:return null!==(t=8!==t.nodeType?null:t)&&(n=null!==Ga?{id:Xa,overflow:Ka}:null,e.memoizedState={dehydrated:t,treeContext:n,retryLane:1073741824},(n=Nc(18,null,null,0)).stateNode=t,n.return=e,e.child=n,no=e,ro=null,!0);default:return!1}}function lo(e){return 0!=(1&e.mode)&&0==(128&e.flags)}function co(e){if(ao){var t=ro;if(t){var n=t;if(!so(e,t)){if(lo(e))throw Error(o(418));t=ca(n.nextSibling);var r=no;t&&so(e,t)?io(r,n):(e.flags=-4097&e.flags|2,ao=!1,no=e)}}else{if(lo(e))throw Error(o(418));e.flags=-4097&e.flags|2,ao=!1,no=e}}}function uo(e){for(e=e.return;null!==e&&5!==e.tag&&3!==e.tag&&13!==e.tag;)e=e.return;no=e}function po(e){if(e!==no)return!1;if(!ao)return uo(e),ao=!0,!1;var t;if((t=3!==e.tag)&&!(t=5!==e.tag)&&(t="head"!==(t=e.type)&&"body"!==t&&!na(e.type,e.memoizedProps)),t&&(t=ro)){if(lo(e))throw fo(),Error(o(418));for(;t;)io(e,t),t=ca(t.nextSibling)}if(uo(e),13===e.tag){if(!(e=null!==(e=e.memoizedState)?e.dehydrated:null))throw Error(o(317));e:{for(e=e.nextSibling,t=0;e;){if(8===e.nodeType){var n=e.data;if("/$"===n){if(0===t){ro=ca(e.nextSibling);break e}t--}else"$"!==n&&"$!"!==n&&"$?"!==n||t++}e=e.nextSibling}ro=null}}else ro=no?ca(e.stateNode.nextSibling):null;return!0}function fo(){for(var e=ro;e;)e=ca(e.nextSibling)}function ho(){ro=no=null,ao=!1}function mo(e){null===oo?oo=[e]:oo.push(e)}var go=w.ReactCurrentBatchConfig;function yo(e,t,n){if(null!==(e=n.ref)&&"function"!=typeof e&&"object"!=typeof e){if(n._owner){if(n=n._owner){if(1!==n.tag)throw Error(o(309));var r=n.stateNode}if(!r)throw Error(o(147,e));var a=r,i=""+e;return null!==t&&null!==t.ref&&"function"==typeof t.ref&&t.ref._stringRef===i?t.ref:(t=function(e){var t=a.refs;null===e?delete t[i]:t[i]=e},t._stringRef=i,t)}if("string"!=typeof e)throw Error(o(284));if(!n._owner)throw Error(o(290,e))}return e}function bo(e,t){throw e=Object.prototype.toString.call(t),Error(o(31,"[object Object]"===e?"object with keys {"+Object.keys(t).join(", ")+"}":e))}function vo(e){return(0,e._init)(e._payload)}function wo(e){function t(t,n){if(e){var r=t.deletions;null===r?(t.deletions=[n],t.flags|=16):r.push(n)}}function n(n,r){if(!e)return null;for(;null!==r;)t(n,r),r=r.sibling;return null}function r(e,t){for(e=new Map;null!==t;)null!==t.key?e.set(t.key,t):e.set(t.index,t),t=t.sibling;return e}function a(e,t){return(e=Ac(e,t)).index=0,e.sibling=null,e}function i(t,n,r){return t.index=r,e?null!==(r=t.alternate)?(r=r.index)<n?(t.flags|=2,n):r:(t.flags|=2,n):(t.flags|=1048576,n)}function s(t){return e&&null===t.alternate&&(t.flags|=2),t}function l(e,t,n,r){return null===t||6!==t.tag?((t=Fc(n,e.mode,r)).return=e,t):((t=a(t,n)).return=e,t)}function c(e,t,n,r){var o=n.type;return o===S?d(e,t,n.props.children,r,n.key):null!==t&&(t.elementType===o||"object"==typeof o&&null!==o&&o.$$typeof===P&&vo(o)===t.type)?((r=a(t,n.props)).ref=yo(e,t,n),r.return=e,r):((r=Oc(n.type,n.key,n.props,null,e.mode,r)).ref=yo(e,t,n),r.return=e,r)}function u(e,t,n,r){return null===t||4!==t.tag||t.stateNode.containerInfo!==n.containerInfo||t.stateNode.implementation!==n.implementation?((t=Mc(n,e.mode,r)).return=e,t):((t=a(t,n.children||[])).return=e,t)}function d(e,t,n,r,o){return null===t||7!==t.tag?((t=Ic(n,e.mode,r,o)).return=e,t):((t=a(t,n)).return=e,t)}function p(e,t,n){if("string"==typeof t&&""!==t||"number"==typeof t)return(t=Fc(""+t,e.mode,n)).return=e,t;if("object"==typeof t&&null!==t){switch(t.$$typeof){case k:return(n=Oc(t.type,t.key,t.props,null,e.mode,n)).ref=yo(e,null,t),n.return=e,n;case x:return(t=Mc(t,e.mode,n)).return=e,t;case P:return p(e,(0,t._init)(t._payload),n)}if(te(t)||I(t))return(t=Ic(t,e.mode,n,null)).return=e,t;bo(e,t)}return null}function f(e,t,n,r){var a=null!==t?t.key:null;if("string"==typeof n&&""!==n||"number"==typeof n)return null!==a?null:l(e,t,""+n,r);if("object"==typeof n&&null!==n){switch(n.$$typeof){case k:return n.key===a?c(e,t,n,r):null;case x:return n.key===a?u(e,t,n,r):null;case P:return f(e,t,(a=n._init)(n._payload),r)}if(te(n)||I(n))return null!==a?null:d(e,t,n,r,null);bo(e,n)}return null}function h(e,t,n,r,a){if("string"==typeof r&&""!==r||"number"==typeof r)return l(t,e=e.get(n)||null,""+r,a);if("object"==typeof r&&null!==r){switch(r.$$typeof){case k:return c(t,e=e.get(null===r.key?n:r.key)||null,r,a);case x:return u(t,e=e.get(null===r.key?n:r.key)||null,r,a);case P:return h(e,t,n,(0,r._init)(r._payload),a)}if(te(r)||I(r))return d(t,e=e.get(n)||null,r,a,null);bo(t,r)}return null}function m(a,o,s,l){for(var c=null,u=null,d=o,m=o=0,g=null;null!==d&&m<s.length;m++){d.index>m?(g=d,d=null):g=d.sibling;var y=f(a,d,s[m],l);if(null===y){null===d&&(d=g);break}e&&d&&null===y.alternate&&t(a,d),o=i(y,o,m),null===u?c=y:u.sibling=y,u=y,d=g}if(m===s.length)return n(a,d),ao&&Ya(a,m),c;if(null===d){for(;m<s.length;m++)null!==(d=p(a,s[m],l))&&(o=i(d,o,m),null===u?c=d:u.sibling=d,u=d);return ao&&Ya(a,m),c}for(d=r(a,d);m<s.length;m++)null!==(g=h(d,a,m,s[m],l))&&(e&&null!==g.alternate&&d.delete(null===g.key?m:g.key),o=i(g,o,m),null===u?c=g:u.sibling=g,u=g);return e&&d.forEach((function(e){return t(a,e)})),ao&&Ya(a,m),c}function g(a,s,l,c){var u=I(l);if("function"!=typeof u)throw Error(o(150));if(null==(l=u.call(l)))throw Error(o(151));for(var d=u=null,m=s,g=s=0,y=null,b=l.next();null!==m&&!b.done;g++,b=l.next()){m.index>g?(y=m,m=null):y=m.sibling;var v=f(a,m,b.value,c);if(null===v){null===m&&(m=y);break}e&&m&&null===v.alternate&&t(a,m),s=i(v,s,g),null===d?u=v:d.sibling=v,d=v,m=y}if(b.done)return n(a,m),ao&&Ya(a,g),u;if(null===m){for(;!b.done;g++,b=l.next())null!==(b=p(a,b.value,c))&&(s=i(b,s,g),null===d?u=b:d.sibling=b,d=b);return ao&&Ya(a,g),u}for(m=r(a,m);!b.done;g++,b=l.next())null!==(b=h(m,a,g,b.value,c))&&(e&&null!==b.alternate&&m.delete(null===b.key?g:b.key),s=i(b,s,g),null===d?u=b:d.sibling=b,d=b);return e&&m.forEach((function(e){return t(a,e)})),ao&&Ya(a,g),u}return function e(r,o,i,l){if("object"==typeof i&&null!==i&&i.type===S&&null===i.key&&(i=i.props.children),"object"==typeof i&&null!==i){switch(i.$$typeof){case k:e:{for(var c=i.key,u=o;null!==u;){if(u.key===c){if((c=i.type)===S){if(7===u.tag){n(r,u.sibling),(o=a(u,i.props.children)).return=r,r=o;break e}}else if(u.elementType===c||"object"==typeof c&&null!==c&&c.$$typeof===P&&vo(c)===u.type){n(r,u.sibling),(o=a(u,i.props)).ref=yo(r,u,i),o.return=r,r=o;break e}n(r,u);break}t(r,u),u=u.sibling}i.type===S?((o=Ic(i.props.children,r.mode,l,i.key)).return=r,r=o):((l=Oc(i.type,i.key,i.props,null,r.mode,l)).ref=yo(r,o,i),l.return=r,r=l)}return s(r);case x:e:{for(u=i.key;null!==o;){if(o.key===u){if(4===o.tag&&o.stateNode.containerInfo===i.containerInfo&&o.stateNode.implementation===i.implementation){n(r,o.sibling),(o=a(o,i.children||[])).return=r,r=o;break e}n(r,o);break}t(r,o),o=o.sibling}(o=Mc(i,r.mode,l)).return=r,r=o}return s(r);case P:return e(r,o,(u=i._init)(i._payload),l)}if(te(i))return m(r,o,i,l);if(I(i))return g(r,o,i,l);bo(r,i)}return"string"==typeof i&&""!==i||"number"==typeof i?(i=""+i,null!==o&&6===o.tag?(n(r,o.sibling),(o=a(o,i)).return=r,r=o):(n(r,o),(o=Fc(i,r.mode,l)).return=r,r=o),s(r)):n(r,o)}}var ko=wo(!0),xo=wo(!1),So=Ea(null),Eo=null,Co=null,_o=null;function To(){_o=Co=Eo=null}function Lo(e){var t=So.current;Ca(So),e._currentValue=t}function Ro(e,t,n){for(;null!==e;){var r=e.alternate;if((e.childLanes&t)!==t?(e.childLanes|=t,null!==r&&(r.childLanes|=t)):null!==r&&(r.childLanes&t)!==t&&(r.childLanes|=t),e===n)break;e=e.return}}function jo(e,t){Eo=e,_o=Co=null,null!==(e=e.dependencies)&&null!==e.firstContext&&(0!=(e.lanes&t)&&(vs=!0),e.firstContext=null)}function No(e){var t=e._currentValue;if(_o!==e)if(e={context:e,memoizedValue:t,next:null},null===Co){if(null===Eo)throw Error(o(308));Co=e,Eo.dependencies={lanes:0,firstContext:e}}else Co=Co.next=e;return t}var Po=null;function Ao(e){null===Po?Po=[e]:Po.push(e)}function Oo(e,t,n,r){var a=t.interleaved;return null===a?(n.next=n,Ao(t)):(n.next=a.next,a.next=n),t.interleaved=n,Io(e,r)}function Io(e,t){e.lanes|=t;var n=e.alternate;for(null!==n&&(n.lanes|=t),n=e,e=e.return;null!==e;)e.childLanes|=t,null!==(n=e.alternate)&&(n.childLanes|=t),n=e,e=e.return;return 3===n.tag?n.stateNode:null}var Do=!1;function Fo(e){e.updateQueue={baseState:e.memoizedState,firstBaseUpdate:null,lastBaseUpdate:null,shared:{pending:null,interleaved:null,lanes:0},effects:null}}function Mo(e,t){e=e.updateQueue,t.updateQueue===e&&(t.updateQueue={baseState:e.baseState,firstBaseUpdate:e.firstBaseUpdate,lastBaseUpdate:e.lastBaseUpdate,shared:e.shared,effects:e.effects})}function zo(e,t){return{eventTime:e,lane:t,tag:0,payload:null,callback:null,next:null}}function Bo(e,t,n){var r=e.updateQueue;if(null===r)return null;if(r=r.shared,0!=(2&Ll)){var a=r.pending;return null===a?t.next=t:(t.next=a.next,a.next=t),r.pending=t,Io(e,n)}return null===(a=r.interleaved)?(t.next=t,Ao(r)):(t.next=a.next,a.next=t),r.interleaved=t,Io(e,n)}function $o(e,t,n){if(null!==(t=t.updateQueue)&&(t=t.shared,0!=(4194240&n))){var r=t.lanes;n|=r&=e.pendingLanes,t.lanes=n,bt(e,n)}}function Uo(e,t){var n=e.updateQueue,r=e.alternate;if(null!==r&&n===(r=r.updateQueue)){var a=null,o=null;if(null!==(n=n.firstBaseUpdate)){do{var i={eventTime:n.eventTime,lane:n.lane,tag:n.tag,payload:n.payload,callback:n.callback,next:null};null===o?a=o=i:o=o.next=i,n=n.next}while(null!==n);null===o?a=o=t:o=o.next=t}else a=o=t;return n={baseState:r.baseState,firstBaseUpdate:a,lastBaseUpdate:o,shared:r.shared,effects:r.effects},void(e.updateQueue=n)}null===(e=n.lastBaseUpdate)?n.firstBaseUpdate=t:e.next=t,n.lastBaseUpdate=t}function qo(e,t,n,r){var a=e.updateQueue;Do=!1;var o=a.firstBaseUpdate,i=a.lastBaseUpdate,s=a.shared.pending;if(null!==s){a.shared.pending=null;var l=s,c=l.next;l.next=null,null===i?o=c:i.next=c,i=l;var u=e.alternate;null!==u&&((s=(u=u.updateQueue).lastBaseUpdate)!==i&&(null===s?u.firstBaseUpdate=c:s.next=c,u.lastBaseUpdate=l))}if(null!==o){var d=a.baseState;for(i=0,u=c=l=null,s=o;;){var p=s.lane,f=s.eventTime;if((r&p)===p){null!==u&&(u=u.next={eventTime:f,lane:0,tag:s.tag,payload:s.payload,callback:s.callback,next:null});e:{var h=e,m=s;switch(p=t,f=n,m.tag){case 1:if("function"==typeof(h=m.payload)){d=h.call(f,d,p);break e}d=h;break e;case 3:h.flags=-65537&h.flags|128;case 0:if(null==(p="function"==typeof(h=m.payload)?h.call(f,d,p):h))break e;d=F({},d,p);break e;case 2:Do=!0}}null!==s.callback&&0!==s.lane&&(e.flags|=64,null===(p=a.effects)?a.effects=[s]:p.push(s))}else f={eventTime:f,lane:p,tag:s.tag,payload:s.payload,callback:s.callback,next:null},null===u?(c=u=f,l=d):u=u.next=f,i|=p;if(null===(s=s.next)){if(null===(s=a.shared.pending))break;s=(p=s).next,p.next=null,a.lastBaseUpdate=p,a.shared.pending=null}}if(null===u&&(l=d),a.baseState=l,a.firstBaseUpdate=c,a.lastBaseUpdate=u,null!==(t=a.shared.interleaved)){a=t;do{i|=a.lane,a=a.next}while(a!==t)}else null===o&&(a.shared.lanes=0);Dl|=i,e.lanes=i,e.memoizedState=d}}function Ho(e,t,n){if(e=t.effects,t.effects=null,null!==e)for(t=0;t<e.length;t++){var r=e[t],a=r.callback;if(null!==a){if(r.callback=null,r=n,"function"!=typeof a)throw Error(o(191,a));a.call(r)}}}var Qo={},Zo=Ea(Qo),Wo=Ea(Qo),Vo=Ea(Qo);function Go(e){if(e===Qo)throw Error(o(174));return e}function Xo(e,t){switch(_a(Vo,t),_a(Wo,e),_a(Zo,Qo),e=t.nodeType){case 9:case 11:t=(t=t.documentElement)?t.namespaceURI:le(null,"");break;default:t=le(t=(e=8===e?t.parentNode:t).namespaceURI||null,e=e.tagName)}Ca(Zo),_a(Zo,t)}function Ko(){Ca(Zo),Ca(Wo),Ca(Vo)}function Yo(e){Go(Vo.current);var t=Go(Zo.current),n=le(t,e.type);t!==n&&(_a(Wo,e),_a(Zo,n))}function Jo(e){Wo.current===e&&(Ca(Zo),Ca(Wo))}var ei=Ea(0);function ti(e){for(var t=e;null!==t;){if(13===t.tag){var n=t.memoizedState;if(null!==n&&(null===(n=n.dehydrated)||"$?"===n.data||"$!"===n.data))return t}else if(19===t.tag&&void 0!==t.memoizedProps.revealOrder){if(0!=(128&t.flags))return t}else if(null!==t.child){t.child.return=t,t=t.child;continue}if(t===e)break;for(;null===t.sibling;){if(null===t.return||t.return===e)return null;t=t.return}t.sibling.return=t.return,t=t.sibling}return null}var ni=[];function ri(){for(var e=0;e<ni.length;e++)ni[e]._workInProgressVersionPrimary=null;ni.length=0}var ai=w.ReactCurrentDispatcher,oi=w.ReactCurrentBatchConfig,ii=0,si=null,li=null,ci=null,ui=!1,di=!1,pi=0,fi=0;function hi(){throw Error(o(321))}function mi(e,t){if(null===t)return!1;for(var n=0;n<t.length&&n<e.length;n++)if(!sr(e[n],t[n]))return!1;return!0}function gi(e,t,n,r,a,i){if(ii=i,si=t,t.memoizedState=null,t.updateQueue=null,t.lanes=0,ai.current=null===e||null===e.memoizedState?Ji:es,e=n(r,a),di){i=0;do{if(di=!1,pi=0,25<=i)throw Error(o(301));i+=1,ci=li=null,t.updateQueue=null,ai.current=ts,e=n(r,a)}while(di)}if(ai.current=Yi,t=null!==li&&null!==li.next,ii=0,ci=li=si=null,ui=!1,t)throw Error(o(300));return e}function yi(){var e=0!==pi;return pi=0,e}function bi(){var e={memoizedState:null,baseState:null,baseQueue:null,queue:null,next:null};return null===ci?si.memoizedState=ci=e:ci=ci.next=e,ci}function vi(){if(null===li){var e=si.alternate;e=null!==e?e.memoizedState:null}else e=li.next;var t=null===ci?si.memoizedState:ci.next;if(null!==t)ci=t,li=e;else{if(null===e)throw Error(o(310));e={memoizedState:(li=e).memoizedState,baseState:li.baseState,baseQueue:li.baseQueue,queue:li.queue,next:null},null===ci?si.memoizedState=ci=e:ci=ci.next=e}return ci}function wi(e,t){return"function"==typeof t?t(e):t}function ki(e){var t=vi(),n=t.queue;if(null===n)throw Error(o(311));n.lastRenderedReducer=e;var r=li,a=r.baseQueue,i=n.pending;if(null!==i){if(null!==a){var s=a.next;a.next=i.next,i.next=s}r.baseQueue=a=i,n.pending=null}if(null!==a){i=a.next,r=r.baseState;var l=s=null,c=null,u=i;do{var d=u.lane;if((ii&d)===d)null!==c&&(c=c.next={lane:0,action:u.action,hasEagerState:u.hasEagerState,eagerState:u.eagerState,next:null}),r=u.hasEagerState?u.eagerState:e(r,u.action);else{var p={lane:d,action:u.action,hasEagerState:u.hasEagerState,eagerState:u.eagerState,next:null};null===c?(l=c=p,s=r):c=c.next=p,si.lanes|=d,Dl|=d}u=u.next}while(null!==u&&u!==i);null===c?s=r:c.next=l,sr(r,t.memoizedState)||(vs=!0),t.memoizedState=r,t.baseState=s,t.baseQueue=c,n.lastRenderedState=r}if(null!==(e=n.interleaved)){a=e;do{i=a.lane,si.lanes|=i,Dl|=i,a=a.next}while(a!==e)}else null===a&&(n.lanes=0);return[t.memoizedState,n.dispatch]}function xi(e){var t=vi(),n=t.queue;if(null===n)throw Error(o(311));n.lastRenderedReducer=e;var r=n.dispatch,a=n.pending,i=t.memoizedState;if(null!==a){n.pending=null;var s=a=a.next;do{i=e(i,s.action),s=s.next}while(s!==a);sr(i,t.memoizedState)||(vs=!0),t.memoizedState=i,null===t.baseQueue&&(t.baseState=i),n.lastRenderedState=i}return[i,r]}function Si(){}function Ei(e,t){var n=si,r=vi(),a=t(),i=!sr(r.memoizedState,a);if(i&&(r.memoizedState=a,vs=!0),r=r.queue,Di(Ti.bind(null,n,r,e),[e]),r.getSnapshot!==t||i||null!==ci&&1&ci.memoizedState.tag){if(n.flags|=2048,Ni(9,_i.bind(null,n,r,a,t),void 0,null),null===Rl)throw Error(o(349));0!=(30&ii)||Ci(n,t,a)}return a}function Ci(e,t,n){e.flags|=16384,e={getSnapshot:t,value:n},null===(t=si.updateQueue)?(t={lastEffect:null,stores:null},si.updateQueue=t,t.stores=[e]):null===(n=t.stores)?t.stores=[e]:n.push(e)}function _i(e,t,n,r){t.value=n,t.getSnapshot=r,Li(t)&&Ri(e)}function Ti(e,t,n){return n((function(){Li(t)&&Ri(e)}))}function Li(e){var t=e.getSnapshot;e=e.value;try{var n=t();return!sr(e,n)}catch(r){return!0}}function Ri(e){var t=Io(e,1);null!==t&&nc(t,e,1,-1)}function ji(e){var t=bi();return"function"==typeof e&&(e=e()),t.memoizedState=t.baseState=e,e={pending:null,interleaved:null,lanes:0,dispatch:null,lastRenderedReducer:wi,lastRenderedState:e},t.queue=e,e=e.dispatch=Vi.bind(null,si,e),[t.memoizedState,e]}function Ni(e,t,n,r){return e={tag:e,create:t,destroy:n,deps:r,next:null},null===(t=si.updateQueue)?(t={lastEffect:null,stores:null},si.updateQueue=t,t.lastEffect=e.next=e):null===(n=t.lastEffect)?t.lastEffect=e.next=e:(r=n.next,n.next=e,e.next=r,t.lastEffect=e),e}function Pi(){return vi().memoizedState}function Ai(e,t,n,r){var a=bi();si.flags|=e,a.memoizedState=Ni(1|t,n,void 0,void 0===r?null:r)}function Oi(e,t,n,r){var a=vi();r=void 0===r?null:r;var o=void 0;if(null!==li){var i=li.memoizedState;if(o=i.destroy,null!==r&&mi(r,i.deps))return void(a.memoizedState=Ni(t,n,o,r))}si.flags|=e,a.memoizedState=Ni(1|t,n,o,r)}function Ii(e,t){return Ai(8390656,8,e,t)}function Di(e,t){return Oi(2048,8,e,t)}function Fi(e,t){return Oi(4,2,e,t)}function Mi(e,t){return Oi(4,4,e,t)}function zi(e,t){return"function"==typeof t?(e=e(),t(e),function(){t(null)}):null!=t?(e=e(),t.current=e,function(){t.current=null}):void 0}function Bi(e,t,n){return n=null!=n?n.concat([e]):null,Oi(4,4,zi.bind(null,t,e),n)}function $i(){}function Ui(e,t){var n=vi();t=void 0===t?null:t;var r=n.memoizedState;return null!==r&&null!==t&&mi(t,r[1])?r[0]:(n.memoizedState=[e,t],e)}function qi(e,t){var n=vi();t=void 0===t?null:t;var r=n.memoizedState;return null!==r&&null!==t&&mi(t,r[1])?r[0]:(e=e(),n.memoizedState=[e,t],e)}function Hi(e,t,n){return 0==(21&ii)?(e.baseState&&(e.baseState=!1,vs=!0),e.memoizedState=n):(sr(n,t)||(n=mt(),si.lanes|=n,Dl|=n,e.baseState=!0),t)}function Qi(e,t){var n=vt;vt=0!==n&&4>n?n:4,e(!0);var r=oi.transition;oi.transition={};try{e(!1),t()}finally{vt=n,oi.transition=r}}function Zi(){return vi().memoizedState}function Wi(e,t,n){var r=tc(e);if(n={lane:r,action:n,hasEagerState:!1,eagerState:null,next:null},Gi(e))Xi(t,n);else if(null!==(n=Oo(e,t,n,r))){nc(n,e,r,ec()),Ki(n,t,r)}}function Vi(e,t,n){var r=tc(e),a={lane:r,action:n,hasEagerState:!1,eagerState:null,next:null};if(Gi(e))Xi(t,a);else{var o=e.alternate;if(0===e.lanes&&(null===o||0===o.lanes)&&null!==(o=t.lastRenderedReducer))try{var i=t.lastRenderedState,s=o(i,n);if(a.hasEagerState=!0,a.eagerState=s,sr(s,i)){var l=t.interleaved;return null===l?(a.next=a,Ao(t)):(a.next=l.next,l.next=a),void(t.interleaved=a)}}catch(c){}null!==(n=Oo(e,t,a,r))&&(nc(n,e,r,a=ec()),Ki(n,t,r))}}function Gi(e){var t=e.alternate;return e===si||null!==t&&t===si}function Xi(e,t){di=ui=!0;var n=e.pending;null===n?t.next=t:(t.next=n.next,n.next=t),e.pending=t}function Ki(e,t,n){if(0!=(4194240&n)){var r=t.lanes;n|=r&=e.pendingLanes,t.lanes=n,bt(e,n)}}var Yi={readContext:No,useCallback:hi,useContext:hi,useEffect:hi,useImperativeHandle:hi,useInsertionEffect:hi,useLayoutEffect:hi,useMemo:hi,useReducer:hi,useRef:hi,useState:hi,useDebugValue:hi,useDeferredValue:hi,useTransition:hi,useMutableSource:hi,useSyncExternalStore:hi,useId:hi,unstable_isNewReconciler:!1},Ji={readContext:No,useCallback:function(e,t){return bi().memoizedState=[e,void 0===t?null:t],e},useContext:No,useEffect:Ii,useImperativeHandle:function(e,t,n){return n=null!=n?n.concat([e]):null,Ai(4194308,4,zi.bind(null,t,e),n)},useLayoutEffect:function(e,t){return Ai(4194308,4,e,t)},useInsertionEffect:function(e,t){return Ai(4,2,e,t)},useMemo:function(e,t){var n=bi();return t=void 0===t?null:t,e=e(),n.memoizedState=[e,t],e},useReducer:function(e,t,n){var r=bi();return t=void 0!==n?n(t):t,r.memoizedState=r.baseState=t,e={pending:null,interleaved:null,lanes:0,dispatch:null,lastRenderedReducer:e,lastRenderedState:t},r.queue=e,e=e.dispatch=Wi.bind(null,si,e),[r.memoizedState,e]},useRef:function(e){return e={current:e},bi().memoizedState=e},useState:ji,useDebugValue:$i,useDeferredValue:function(e){return bi().memoizedState=e},useTransition:function(){var e=ji(!1),t=e[0];return e=Qi.bind(null,e[1]),bi().memoizedState=e,[t,e]},useMutableSource:function(){},useSyncExternalStore:function(e,t,n){var r=si,a=bi();if(ao){if(void 0===n)throw Error(o(407));n=n()}else{if(n=t(),null===Rl)throw Error(o(349));0!=(30&ii)||Ci(r,t,n)}a.memoizedState=n;var i={value:n,getSnapshot:t};return a.queue=i,Ii(Ti.bind(null,r,i,e),[e]),r.flags|=2048,Ni(9,_i.bind(null,r,i,n,t),void 0,null),n},useId:function(){var e=bi(),t=Rl.identifierPrefix;if(ao){var n=Ka;t=":"+t+"R"+(n=(Xa&~(1<<32-it(Xa)-1)).toString(32)+n),0<(n=pi++)&&(t+="H"+n.toString(32)),t+=":"}else t=":"+t+"r"+(n=fi++).toString(32)+":";return e.memoizedState=t},unstable_isNewReconciler:!1},es={readContext:No,useCallback:Ui,useContext:No,useEffect:Di,useImperativeHandle:Bi,useInsertionEffect:Fi,useLayoutEffect:Mi,useMemo:qi,useReducer:ki,useRef:Pi,useState:function(){return ki(wi)},useDebugValue:$i,useDeferredValue:function(e){return Hi(vi(),li.memoizedState,e)},useTransition:function(){return[ki(wi)[0],vi().memoizedState]},useMutableSource:Si,useSyncExternalStore:Ei,useId:Zi,unstable_isNewReconciler:!1},ts={readContext:No,useCallback:Ui,useContext:No,useEffect:Di,useImperativeHandle:Bi,useInsertionEffect:Fi,useLayoutEffect:Mi,useMemo:qi,useReducer:xi,useRef:Pi,useState:function(){return xi(wi)},useDebugValue:$i,useDeferredValue:function(e){var t=vi();return null===li?t.memoizedState=e:Hi(t,li.memoizedState,e)},useTransition:function(){return[xi(wi)[0],vi().memoizedState]},useMutableSource:Si,useSyncExternalStore:Ei,useId:Zi,unstable_isNewReconciler:!1};function ns(e,t){if(e&&e.defaultProps){for(var n in t=F({},t),e=e.defaultProps)void 0===t[n]&&(t[n]=e[n]);return t}return t}function rs(e,t,n,r){n=null==(n=n(r,t=e.memoizedState))?t:F({},t,n),e.memoizedState=n,0===e.lanes&&(e.updateQueue.baseState=n)}var as={isMounted:function(e){return!!(e=e._reactInternals)&&Ue(e)===e},enqueueSetState:function(e,t,n){e=e._reactInternals;var r=ec(),a=tc(e),o=zo(r,a);o.payload=t,null!=n&&(o.callback=n),null!==(t=Bo(e,o,a))&&(nc(t,e,a,r),$o(t,e,a))},enqueueReplaceState:function(e,t,n){e=e._reactInternals;var r=ec(),a=tc(e),o=zo(r,a);o.tag=1,o.payload=t,null!=n&&(o.callback=n),null!==(t=Bo(e,o,a))&&(nc(t,e,a,r),$o(t,e,a))},enqueueForceUpdate:function(e,t){e=e._reactInternals;var n=ec(),r=tc(e),a=zo(n,r);a.tag=2,null!=t&&(a.callback=t),null!==(t=Bo(e,a,r))&&(nc(t,e,r,n),$o(t,e,r))}};function os(e,t,n,r,a,o,i){return"function"==typeof(e=e.stateNode).shouldComponentUpdate?e.shouldComponentUpdate(r,o,i):!t.prototype||!t.prototype.isPureReactComponent||(!lr(n,r)||!lr(a,o))}function is(e,t,n){var r=!1,a=Ta,o=t.contextType;return"object"==typeof o&&null!==o?o=No(o):(a=Pa(t)?ja:La.current,o=(r=null!=(r=t.contextTypes))?Na(e,a):Ta),t=new t(n,o),e.memoizedState=null!==t.state&&void 0!==t.state?t.state:null,t.updater=as,e.stateNode=t,t._reactInternals=e,r&&((e=e.stateNode).__reactInternalMemoizedUnmaskedChildContext=a,e.__reactInternalMemoizedMaskedChildContext=o),t}function ss(e,t,n,r){e=t.state,"function"==typeof t.componentWillReceiveProps&&t.componentWillReceiveProps(n,r),"function"==typeof t.UNSAFE_componentWillReceiveProps&&t.UNSAFE_componentWillReceiveProps(n,r),t.state!==e&&as.enqueueReplaceState(t,t.state,null)}function ls(e,t,n,r){var a=e.stateNode;a.props=n,a.state=e.memoizedState,a.refs={},Fo(e);var o=t.contextType;"object"==typeof o&&null!==o?a.context=No(o):(o=Pa(t)?ja:La.current,a.context=Na(e,o)),a.state=e.memoizedState,"function"==typeof(o=t.getDerivedStateFromProps)&&(rs(e,t,o,n),a.state=e.memoizedState),"function"==typeof t.getDerivedStateFromProps||"function"==typeof a.getSnapshotBeforeUpdate||"function"!=typeof a.UNSAFE_componentWillMount&&"function"!=typeof a.componentWillMount||(t=a.state,"function"==typeof a.componentWillMount&&a.componentWillMount(),"function"==typeof a.UNSAFE_componentWillMount&&a.UNSAFE_componentWillMount(),t!==a.state&&as.enqueueReplaceState(a,a.state,null),qo(e,n,a,r),a.state=e.memoizedState),"function"==typeof a.componentDidMount&&(e.flags|=4194308)}function cs(e,t){try{var n="",r=t;do{n+=$(r),r=r.return}while(r);var a=n}catch(o){a="\nError generating stack: "+o.message+"\n"+o.stack}return{value:e,source:t,stack:a,digest:null}}function us(e,t,n){return{value:e,source:null,stack:null!=n?n:null,digest:null!=t?t:null}}function ds(e,t){try{console.error(t.value)}catch(n){setTimeout((function(){throw n}))}}var ps="function"==typeof WeakMap?WeakMap:Map;function fs(e,t,n){(n=zo(-1,n)).tag=3,n.payload={element:null};var r=t.value;return n.callback=function(){Hl||(Hl=!0,Ql=r),ds(0,t)},n}function hs(e,t,n){(n=zo(-1,n)).tag=3;var r=e.type.getDerivedStateFromError;if("function"==typeof r){var a=t.value;n.payload=function(){return r(a)},n.callback=function(){ds(0,t)}}var o=e.stateNode;return null!==o&&"function"==typeof o.componentDidCatch&&(n.callback=function(){ds(0,t),"function"!=typeof r&&(null===Zl?Zl=new Set([this]):Zl.add(this));var e=t.stack;this.componentDidCatch(t.value,{componentStack:null!==e?e:""})}),n}function ms(e,t,n){var r=e.pingCache;if(null===r){r=e.pingCache=new ps;var a=new Set;r.set(t,a)}else void 0===(a=r.get(t))&&(a=new Set,r.set(t,a));a.has(n)||(a.add(n),e=Cc.bind(null,e,t,n),t.then(e,e))}function gs(e){do{var t;if((t=13===e.tag)&&(t=null===(t=e.memoizedState)||null!==t.dehydrated),t)return e;e=e.return}while(null!==e);return null}function ys(e,t,n,r,a){return 0==(1&e.mode)?(e===t?e.flags|=65536:(e.flags|=128,n.flags|=131072,n.flags&=-52805,1===n.tag&&(null===n.alternate?n.tag=17:((t=zo(-1,1)).tag=2,Bo(n,t,1))),n.lanes|=1),e):(e.flags|=65536,e.lanes=a,e)}var bs=w.ReactCurrentOwner,vs=!1;function ws(e,t,n,r){t.child=null===e?xo(t,null,n,r):ko(t,e.child,n,r)}function ks(e,t,n,r,a){n=n.render;var o=t.ref;return jo(t,a),r=gi(e,t,n,r,o,a),n=yi(),null===e||vs?(ao&&n&&eo(t),t.flags|=1,ws(e,t,r,a),t.child):(t.updateQueue=e.updateQueue,t.flags&=-2053,e.lanes&=~a,Hs(e,t,a))}function xs(e,t,n,r,a){if(null===e){var o=n.type;return"function"!=typeof o||Pc(o)||void 0!==o.defaultProps||null!==n.compare||void 0!==n.defaultProps?((e=Oc(n.type,null,r,t,t.mode,a)).ref=t.ref,e.return=t,t.child=e):(t.tag=15,t.type=o,Ss(e,t,o,r,a))}if(o=e.child,0==(e.lanes&a)){var i=o.memoizedProps;if((n=null!==(n=n.compare)?n:lr)(i,r)&&e.ref===t.ref)return Hs(e,t,a)}return t.flags|=1,(e=Ac(o,r)).ref=t.ref,e.return=t,t.child=e}function Ss(e,t,n,r,a){if(null!==e){var o=e.memoizedProps;if(lr(o,r)&&e.ref===t.ref){if(vs=!1,t.pendingProps=r=o,0==(e.lanes&a))return t.lanes=e.lanes,Hs(e,t,a);0!=(131072&e.flags)&&(vs=!0)}}return _s(e,t,n,r,a)}function Es(e,t,n){var r=t.pendingProps,a=r.children,o=null!==e?e.memoizedState:null;if("hidden"===r.mode)if(0==(1&t.mode))t.memoizedState={baseLanes:0,cachePool:null,transitions:null},_a(Al,Pl),Pl|=n;else{if(0==(1073741824&n))return e=null!==o?o.baseLanes|n:n,t.lanes=t.childLanes=1073741824,t.memoizedState={baseLanes:e,cachePool:null,transitions:null},t.updateQueue=null,_a(Al,Pl),Pl|=e,null;t.memoizedState={baseLanes:0,cachePool:null,transitions:null},r=null!==o?o.baseLanes:n,_a(Al,Pl),Pl|=r}else null!==o?(r=o.baseLanes|n,t.memoizedState=null):r=n,_a(Al,Pl),Pl|=r;return ws(e,t,a,n),t.child}function Cs(e,t){var n=t.ref;(null===e&&null!==n||null!==e&&e.ref!==n)&&(t.flags|=512,t.flags|=2097152)}function _s(e,t,n,r,a){var o=Pa(n)?ja:La.current;return o=Na(t,o),jo(t,a),n=gi(e,t,n,r,o,a),r=yi(),null===e||vs?(ao&&r&&eo(t),t.flags|=1,ws(e,t,n,a),t.child):(t.updateQueue=e.updateQueue,t.flags&=-2053,e.lanes&=~a,Hs(e,t,a))}function Ts(e,t,n,r,a){if(Pa(n)){var o=!0;Da(t)}else o=!1;if(jo(t,a),null===t.stateNode)qs(e,t),is(t,n,r),ls(t,n,r,a),r=!0;else if(null===e){var i=t.stateNode,s=t.memoizedProps;i.props=s;var l=i.context,c=n.contextType;"object"==typeof c&&null!==c?c=No(c):c=Na(t,c=Pa(n)?ja:La.current);var u=n.getDerivedStateFromProps,d="function"==typeof u||"function"==typeof i.getSnapshotBeforeUpdate;d||"function"!=typeof i.UNSAFE_componentWillReceiveProps&&"function"!=typeof i.componentWillReceiveProps||(s!==r||l!==c)&&ss(t,i,r,c),Do=!1;var p=t.memoizedState;i.state=p,qo(t,r,i,a),l=t.memoizedState,s!==r||p!==l||Ra.current||Do?("function"==typeof u&&(rs(t,n,u,r),l=t.memoizedState),(s=Do||os(t,n,s,r,p,l,c))?(d||"function"!=typeof i.UNSAFE_componentWillMount&&"function"!=typeof i.componentWillMount||("function"==typeof i.componentWillMount&&i.componentWillMount(),"function"==typeof i.UNSAFE_componentWillMount&&i.UNSAFE_componentWillMount()),"function"==typeof i.componentDidMount&&(t.flags|=4194308)):("function"==typeof i.componentDidMount&&(t.flags|=4194308),t.memoizedProps=r,t.memoizedState=l),i.props=r,i.state=l,i.context=c,r=s):("function"==typeof i.componentDidMount&&(t.flags|=4194308),r=!1)}else{i=t.stateNode,Mo(e,t),s=t.memoizedProps,c=t.type===t.elementType?s:ns(t.type,s),i.props=c,d=t.pendingProps,p=i.context,"object"==typeof(l=n.contextType)&&null!==l?l=No(l):l=Na(t,l=Pa(n)?ja:La.current);var f=n.getDerivedStateFromProps;(u="function"==typeof f||"function"==typeof i.getSnapshotBeforeUpdate)||"function"!=typeof i.UNSAFE_componentWillReceiveProps&&"function"!=typeof i.componentWillReceiveProps||(s!==d||p!==l)&&ss(t,i,r,l),Do=!1,p=t.memoizedState,i.state=p,qo(t,r,i,a);var h=t.memoizedState;s!==d||p!==h||Ra.current||Do?("function"==typeof f&&(rs(t,n,f,r),h=t.memoizedState),(c=Do||os(t,n,c,r,p,h,l)||!1)?(u||"function"!=typeof i.UNSAFE_componentWillUpdate&&"function"!=typeof i.componentWillUpdate||("function"==typeof i.componentWillUpdate&&i.componentWillUpdate(r,h,l),"function"==typeof i.UNSAFE_componentWillUpdate&&i.UNSAFE_componentWillUpdate(r,h,l)),"function"==typeof i.componentDidUpdate&&(t.flags|=4),"function"==typeof i.getSnapshotBeforeUpdate&&(t.flags|=1024)):("function"!=typeof i.componentDidUpdate||s===e.memoizedProps&&p===e.memoizedState||(t.flags|=4),"function"!=typeof i.getSnapshotBeforeUpdate||s===e.memoizedProps&&p===e.memoizedState||(t.flags|=1024),t.memoizedProps=r,t.memoizedState=h),i.props=r,i.state=h,i.context=l,r=c):("function"!=typeof i.componentDidUpdate||s===e.memoizedProps&&p===e.memoizedState||(t.flags|=4),"function"!=typeof i.getSnapshotBeforeUpdate||s===e.memoizedProps&&p===e.memoizedState||(t.flags|=1024),r=!1)}return Ls(e,t,n,r,o,a)}function Ls(e,t,n,r,a,o){Cs(e,t);var i=0!=(128&t.flags);if(!r&&!i)return a&&Fa(t,n,!1),Hs(e,t,o);r=t.stateNode,bs.current=t;var s=i&&"function"!=typeof n.getDerivedStateFromError?null:r.render();return t.flags|=1,null!==e&&i?(t.child=ko(t,e.child,null,o),t.child=ko(t,null,s,o)):ws(e,t,s,o),t.memoizedState=r.state,a&&Fa(t,n,!0),t.child}function Rs(e){var t=e.stateNode;t.pendingContext?Oa(0,t.pendingContext,t.pendingContext!==t.context):t.context&&Oa(0,t.context,!1),Xo(e,t.containerInfo)}function js(e,t,n,r,a){return ho(),mo(a),t.flags|=256,ws(e,t,n,r),t.child}var Ns,Ps,As,Os,Is={dehydrated:null,treeContext:null,retryLane:0};function Ds(e){return{baseLanes:e,cachePool:null,transitions:null}}function Fs(e,t,n){var r,a=t.pendingProps,i=ei.current,s=!1,l=0!=(128&t.flags);if((r=l)||(r=(null===e||null!==e.memoizedState)&&0!=(2&i)),r?(s=!0,t.flags&=-129):null!==e&&null===e.memoizedState||(i|=1),_a(ei,1&i),null===e)return co(t),null!==(e=t.memoizedState)&&null!==(e=e.dehydrated)?(0==(1&t.mode)?t.lanes=1:"$!"===e.data?t.lanes=8:t.lanes=1073741824,null):(l=a.children,e=a.fallback,s?(a=t.mode,s=t.child,l={mode:"hidden",children:l},0==(1&a)&&null!==s?(s.childLanes=0,s.pendingProps=l):s=Dc(l,a,0,null),e=Ic(e,a,n,null),s.return=t,e.return=t,s.sibling=e,t.child=s,t.child.memoizedState=Ds(n),t.memoizedState=Is,e):Ms(t,l));if(null!==(i=e.memoizedState)&&null!==(r=i.dehydrated))return function(e,t,n,r,a,i,s){if(n)return 256&t.flags?(t.flags&=-257,zs(e,t,s,r=us(Error(o(422))))):null!==t.memoizedState?(t.child=e.child,t.flags|=128,null):(i=r.fallback,a=t.mode,r=Dc({mode:"visible",children:r.children},a,0,null),(i=Ic(i,a,s,null)).flags|=2,r.return=t,i.return=t,r.sibling=i,t.child=r,0!=(1&t.mode)&&ko(t,e.child,null,s),t.child.memoizedState=Ds(s),t.memoizedState=Is,i);if(0==(1&t.mode))return zs(e,t,s,null);if("$!"===a.data){if(r=a.nextSibling&&a.nextSibling.dataset)var l=r.dgst;return r=l,zs(e,t,s,r=us(i=Error(o(419)),r,void 0))}if(l=0!=(s&e.childLanes),vs||l){if(null!==(r=Rl)){switch(s&-s){case 4:a=2;break;case 16:a=8;break;case 64:case 128:case 256:case 512:case 1024:case 2048:case 4096:case 8192:case 16384:case 32768:case 65536:case 131072:case 262144:case 524288:case 1048576:case 2097152:case 4194304:case 8388608:case 16777216:case 33554432:case 67108864:a=32;break;case 536870912:a=268435456;break;default:a=0}0!==(a=0!=(a&(r.suspendedLanes|s))?0:a)&&a!==i.retryLane&&(i.retryLane=a,Io(e,a),nc(r,e,a,-1))}return mc(),zs(e,t,s,r=us(Error(o(421))))}return"$?"===a.data?(t.flags|=128,t.child=e.child,t=Tc.bind(null,e),a._reactRetry=t,null):(e=i.treeContext,ro=ca(a.nextSibling),no=t,ao=!0,oo=null,null!==e&&(Wa[Va++]=Xa,Wa[Va++]=Ka,Wa[Va++]=Ga,Xa=e.id,Ka=e.overflow,Ga=t),t=Ms(t,r.children),t.flags|=4096,t)}(e,t,l,a,r,i,n);if(s){s=a.fallback,l=t.mode,r=(i=e.child).sibling;var c={mode:"hidden",children:a.children};return 0==(1&l)&&t.child!==i?((a=t.child).childLanes=0,a.pendingProps=c,t.deletions=null):(a=Ac(i,c)).subtreeFlags=14680064&i.subtreeFlags,null!==r?s=Ac(r,s):(s=Ic(s,l,n,null)).flags|=2,s.return=t,a.return=t,a.sibling=s,t.child=a,a=s,s=t.child,l=null===(l=e.child.memoizedState)?Ds(n):{baseLanes:l.baseLanes|n,cachePool:null,transitions:l.transitions},s.memoizedState=l,s.childLanes=e.childLanes&~n,t.memoizedState=Is,a}return e=(s=e.child).sibling,a=Ac(s,{mode:"visible",children:a.children}),0==(1&t.mode)&&(a.lanes=n),a.return=t,a.sibling=null,null!==e&&(null===(n=t.deletions)?(t.deletions=[e],t.flags|=16):n.push(e)),t.child=a,t.memoizedState=null,a}function Ms(e,t){return(t=Dc({mode:"visible",children:t},e.mode,0,null)).return=e,e.child=t}function zs(e,t,n,r){return null!==r&&mo(r),ko(t,e.child,null,n),(e=Ms(t,t.pendingProps.children)).flags|=2,t.memoizedState=null,e}function Bs(e,t,n){e.lanes|=t;var r=e.alternate;null!==r&&(r.lanes|=t),Ro(e.return,t,n)}function $s(e,t,n,r,a){var o=e.memoizedState;null===o?e.memoizedState={isBackwards:t,rendering:null,renderingStartTime:0,last:r,tail:n,tailMode:a}:(o.isBackwards=t,o.rendering=null,o.renderingStartTime=0,o.last=r,o.tail=n,o.tailMode=a)}function Us(e,t,n){var r=t.pendingProps,a=r.revealOrder,o=r.tail;if(ws(e,t,r.children,n),0!=(2&(r=ei.current)))r=1&r|2,t.flags|=128;else{if(null!==e&&0!=(128&e.flags))e:for(e=t.child;null!==e;){if(13===e.tag)null!==e.memoizedState&&Bs(e,n,t);else if(19===e.tag)Bs(e,n,t);else if(null!==e.child){e.child.return=e,e=e.child;continue}if(e===t)break e;for(;null===e.sibling;){if(null===e.return||e.return===t)break e;e=e.return}e.sibling.return=e.return,e=e.sibling}r&=1}if(_a(ei,r),0==(1&t.mode))t.memoizedState=null;else switch(a){case"forwards":for(n=t.child,a=null;null!==n;)null!==(e=n.alternate)&&null===ti(e)&&(a=n),n=n.sibling;null===(n=a)?(a=t.child,t.child=null):(a=n.sibling,n.sibling=null),$s(t,!1,a,n,o);break;case"backwards":for(n=null,a=t.child,t.child=null;null!==a;){if(null!==(e=a.alternate)&&null===ti(e)){t.child=a;break}e=a.sibling,a.sibling=n,n=a,a=e}$s(t,!0,n,null,o);break;case"together":$s(t,!1,null,null,void 0);break;default:t.memoizedState=null}return t.child}function qs(e,t){0==(1&t.mode)&&null!==e&&(e.alternate=null,t.alternate=null,t.flags|=2)}function Hs(e,t,n){if(null!==e&&(t.dependencies=e.dependencies),Dl|=t.lanes,0==(n&t.childLanes))return null;if(null!==e&&t.child!==e.child)throw Error(o(153));if(null!==t.child){for(n=Ac(e=t.child,e.pendingProps),t.child=n,n.return=t;null!==e.sibling;)e=e.sibling,(n=n.sibling=Ac(e,e.pendingProps)).return=t;n.sibling=null}return t.child}function Qs(e,t){if(!ao)switch(e.tailMode){case"hidden":t=e.tail;for(var n=null;null!==t;)null!==t.alternate&&(n=t),t=t.sibling;null===n?e.tail=null:n.sibling=null;break;case"collapsed":n=e.tail;for(var r=null;null!==n;)null!==n.alternate&&(r=n),n=n.sibling;null===r?t||null===e.tail?e.tail=null:e.tail.sibling=null:r.sibling=null}}function Zs(e){var t=null!==e.alternate&&e.alternate.child===e.child,n=0,r=0;if(t)for(var a=e.child;null!==a;)n|=a.lanes|a.childLanes,r|=14680064&a.subtreeFlags,r|=14680064&a.flags,a.return=e,a=a.sibling;else for(a=e.child;null!==a;)n|=a.lanes|a.childLanes,r|=a.subtreeFlags,r|=a.flags,a.return=e,a=a.sibling;return e.subtreeFlags|=r,e.childLanes=n,t}function Ws(e,t,n){var r=t.pendingProps;switch(to(t),t.tag){case 2:case 16:case 15:case 0:case 11:case 7:case 8:case 12:case 9:case 14:return Zs(t),null;case 1:case 17:return Pa(t.type)&&Aa(),Zs(t),null;case 3:return r=t.stateNode,Ko(),Ca(Ra),Ca(La),ri(),r.pendingContext&&(r.context=r.pendingContext,r.pendingContext=null),null!==e&&null!==e.child||(po(t)?t.flags|=4:null===e||e.memoizedState.isDehydrated&&0==(256&t.flags)||(t.flags|=1024,null!==oo&&(ic(oo),oo=null))),Ps(e,t),Zs(t),null;case 5:Jo(t);var a=Go(Vo.current);if(n=t.type,null!==e&&null!=t.stateNode)As(e,t,n,r,a),e.ref!==t.ref&&(t.flags|=512,t.flags|=2097152);else{if(!r){if(null===t.stateNode)throw Error(o(166));return Zs(t),null}if(e=Go(Zo.current),po(t)){r=t.stateNode,n=t.type;var i=t.memoizedProps;switch(r[pa]=t,r[fa]=i,e=0!=(1&t.mode),n){case"dialog":zr("cancel",r),zr("close",r);break;case"iframe":case"object":case"embed":zr("load",r);break;case"video":case"audio":for(a=0;a<Ir.length;a++)zr(Ir[a],r);break;case"source":zr("error",r);break;case"img":case"image":case"link":zr("error",r),zr("load",r);break;case"details":zr("toggle",r);break;case"input":X(r,i),zr("invalid",r);break;case"select":r._wrapperState={wasMultiple:!!i.multiple},zr("invalid",r);break;case"textarea":ae(r,i),zr("invalid",r)}for(var l in be(n,i),a=null,i)if(i.hasOwnProperty(l)){var c=i[l];"children"===l?"string"==typeof c?r.textContent!==c&&(!0!==i.suppressHydrationWarning&&Yr(r.textContent,c,e),a=["children",c]):"number"==typeof c&&r.textContent!==""+c&&(!0!==i.suppressHydrationWarning&&Yr(r.textContent,c,e),a=["children",""+c]):s.hasOwnProperty(l)&&null!=c&&"onScroll"===l&&zr("scroll",r)}switch(n){case"input":Z(r),J(r,i,!0);break;case"textarea":Z(r),ie(r);break;case"select":case"option":break;default:"function"==typeof i.onClick&&(r.onclick=Jr)}r=a,t.updateQueue=r,null!==r&&(t.flags|=4)}else{l=9===a.nodeType?a:a.ownerDocument,"http://www.w3.org/1999/xhtml"===e&&(e=se(n)),"http://www.w3.org/1999/xhtml"===e?"script"===n?((e=l.createElement("div")).innerHTML="<script><\/script>",e=e.removeChild(e.firstChild)):"string"==typeof r.is?e=l.createElement(n,{is:r.is}):(e=l.createElement(n),"select"===n&&(l=e,r.multiple?l.multiple=!0:r.size&&(l.size=r.size))):e=l.createElementNS(e,n),e[pa]=t,e[fa]=r,Ns(e,t,!1,!1),t.stateNode=e;e:{switch(l=ve(n,r),n){case"dialog":zr("cancel",e),zr("close",e),a=r;break;case"iframe":case"object":case"embed":zr("load",e),a=r;break;case"video":case"audio":for(a=0;a<Ir.length;a++)zr(Ir[a],e);a=r;break;case"source":zr("error",e),a=r;break;case"img":case"image":case"link":zr("error",e),zr("load",e),a=r;break;case"details":zr("toggle",e),a=r;break;case"input":X(e,r),a=G(e,r),zr("invalid",e);break;case"option":default:a=r;break;case"select":e._wrapperState={wasMultiple:!!r.multiple},a=F({},r,{value:void 0}),zr("invalid",e);break;case"textarea":ae(e,r),a=re(e,r),zr("invalid",e)}for(i in be(n,a),c=a)if(c.hasOwnProperty(i)){var u=c[i];"style"===i?ge(e,u):"dangerouslySetInnerHTML"===i?null!=(u=u?u.__html:void 0)&&de(e,u):"children"===i?"string"==typeof u?("textarea"!==n||""!==u)&&pe(e,u):"number"==typeof u&&pe(e,""+u):"suppressContentEditableWarning"!==i&&"suppressHydrationWarning"!==i&&"autoFocus"!==i&&(s.hasOwnProperty(i)?null!=u&&"onScroll"===i&&zr("scroll",e):null!=u&&v(e,i,u,l))}switch(n){case"input":Z(e),J(e,r,!1);break;case"textarea":Z(e),ie(e);break;case"option":null!=r.value&&e.setAttribute("value",""+H(r.value));break;case"select":e.multiple=!!r.multiple,null!=(i=r.value)?ne(e,!!r.multiple,i,!1):null!=r.defaultValue&&ne(e,!!r.multiple,r.defaultValue,!0);break;default:"function"==typeof a.onClick&&(e.onclick=Jr)}switch(n){case"button":case"input":case"select":case"textarea":r=!!r.autoFocus;break e;case"img":r=!0;break e;default:r=!1}}r&&(t.flags|=4)}null!==t.ref&&(t.flags|=512,t.flags|=2097152)}return Zs(t),null;case 6:if(e&&null!=t.stateNode)Os(e,t,e.memoizedProps,r);else{if("string"!=typeof r&&null===t.stateNode)throw Error(o(166));if(n=Go(Vo.current),Go(Zo.current),po(t)){if(r=t.stateNode,n=t.memoizedProps,r[pa]=t,(i=r.nodeValue!==n)&&null!==(e=no))switch(e.tag){case 3:Yr(r.nodeValue,n,0!=(1&e.mode));break;case 5:!0!==e.memoizedProps.suppressHydrationWarning&&Yr(r.nodeValue,n,0!=(1&e.mode))}i&&(t.flags|=4)}else(r=(9===n.nodeType?n:n.ownerDocument).createTextNode(r))[pa]=t,t.stateNode=r}return Zs(t),null;case 13:if(Ca(ei),r=t.memoizedState,null===e||null!==e.memoizedState&&null!==e.memoizedState.dehydrated){if(ao&&null!==ro&&0!=(1&t.mode)&&0==(128&t.flags))fo(),ho(),t.flags|=98560,i=!1;else if(i=po(t),null!==r&&null!==r.dehydrated){if(null===e){if(!i)throw Error(o(318));if(!(i=null!==(i=t.memoizedState)?i.dehydrated:null))throw Error(o(317));i[pa]=t}else ho(),0==(128&t.flags)&&(t.memoizedState=null),t.flags|=4;Zs(t),i=!1}else null!==oo&&(ic(oo),oo=null),i=!0;if(!i)return 65536&t.flags?t:null}return 0!=(128&t.flags)?(t.lanes=n,t):((r=null!==r)!==(null!==e&&null!==e.memoizedState)&&r&&(t.child.flags|=8192,0!=(1&t.mode)&&(null===e||0!=(1&ei.current)?0===Ol&&(Ol=3):mc())),null!==t.updateQueue&&(t.flags|=4),Zs(t),null);case 4:return Ko(),Ps(e,t),null===e&&Ur(t.stateNode.containerInfo),Zs(t),null;case 10:return Lo(t.type._context),Zs(t),null;case 19:if(Ca(ei),null===(i=t.memoizedState))return Zs(t),null;if(r=0!=(128&t.flags),null===(l=i.rendering))if(r)Qs(i,!1);else{if(0!==Ol||null!==e&&0!=(128&e.flags))for(e=t.child;null!==e;){if(null!==(l=ti(e))){for(t.flags|=128,Qs(i,!1),null!==(r=l.updateQueue)&&(t.updateQueue=r,t.flags|=4),t.subtreeFlags=0,r=n,n=t.child;null!==n;)e=r,(i=n).flags&=14680066,null===(l=i.alternate)?(i.childLanes=0,i.lanes=e,i.child=null,i.subtreeFlags=0,i.memoizedProps=null,i.memoizedState=null,i.updateQueue=null,i.dependencies=null,i.stateNode=null):(i.childLanes=l.childLanes,i.lanes=l.lanes,i.child=l.child,i.subtreeFlags=0,i.deletions=null,i.memoizedProps=l.memoizedProps,i.memoizedState=l.memoizedState,i.updateQueue=l.updateQueue,i.type=l.type,e=l.dependencies,i.dependencies=null===e?null:{lanes:e.lanes,firstContext:e.firstContext}),n=n.sibling;return _a(ei,1&ei.current|2),t.child}e=e.sibling}null!==i.tail&&Ke()>Ul&&(t.flags|=128,r=!0,Qs(i,!1),t.lanes=4194304)}else{if(!r)if(null!==(e=ti(l))){if(t.flags|=128,r=!0,null!==(n=e.updateQueue)&&(t.updateQueue=n,t.flags|=4),Qs(i,!0),null===i.tail&&"hidden"===i.tailMode&&!l.alternate&&!ao)return Zs(t),null}else 2*Ke()-i.renderingStartTime>Ul&&1073741824!==n&&(t.flags|=128,r=!0,Qs(i,!1),t.lanes=4194304);i.isBackwards?(l.sibling=t.child,t.child=l):(null!==(n=i.last)?n.sibling=l:t.child=l,i.last=l)}return null!==i.tail?(t=i.tail,i.rendering=t,i.tail=t.sibling,i.renderingStartTime=Ke(),t.sibling=null,n=ei.current,_a(ei,r?1&n|2:1&n),t):(Zs(t),null);case 22:case 23:return dc(),r=null!==t.memoizedState,null!==e&&null!==e.memoizedState!==r&&(t.flags|=8192),r&&0!=(1&t.mode)?0!=(1073741824&Pl)&&(Zs(t),6&t.subtreeFlags&&(t.flags|=8192)):Zs(t),null;case 24:case 25:return null}throw Error(o(156,t.tag))}function Vs(e,t){switch(to(t),t.tag){case 1:return Pa(t.type)&&Aa(),65536&(e=t.flags)?(t.flags=-65537&e|128,t):null;case 3:return Ko(),Ca(Ra),Ca(La),ri(),0!=(65536&(e=t.flags))&&0==(128&e)?(t.flags=-65537&e|128,t):null;case 5:return Jo(t),null;case 13:if(Ca(ei),null!==(e=t.memoizedState)&&null!==e.dehydrated){if(null===t.alternate)throw Error(o(340));ho()}return 65536&(e=t.flags)?(t.flags=-65537&e|128,t):null;case 19:return Ca(ei),null;case 4:return Ko(),null;case 10:return Lo(t.type._context),null;case 22:case 23:return dc(),null;default:return null}}Ns=function(e,t){for(var n=t.child;null!==n;){if(5===n.tag||6===n.tag)e.appendChild(n.stateNode);else if(4!==n.tag&&null!==n.child){n.child.return=n,n=n.child;continue}if(n===t)break;for(;null===n.sibling;){if(null===n.return||n.return===t)return;n=n.return}n.sibling.return=n.return,n=n.sibling}},Ps=function(){},As=function(e,t,n,r){var a=e.memoizedProps;if(a!==r){e=t.stateNode,Go(Zo.current);var o,i=null;switch(n){case"input":a=G(e,a),r=G(e,r),i=[];break;case"select":a=F({},a,{value:void 0}),r=F({},r,{value:void 0}),i=[];break;case"textarea":a=re(e,a),r=re(e,r),i=[];break;default:"function"!=typeof a.onClick&&"function"==typeof r.onClick&&(e.onclick=Jr)}for(u in be(n,r),n=null,a)if(!r.hasOwnProperty(u)&&a.hasOwnProperty(u)&&null!=a[u])if("style"===u){var l=a[u];for(o in l)l.hasOwnProperty(o)&&(n||(n={}),n[o]="")}else"dangerouslySetInnerHTML"!==u&&"children"!==u&&"suppressContentEditableWarning"!==u&&"suppressHydrationWarning"!==u&&"autoFocus"!==u&&(s.hasOwnProperty(u)?i||(i=[]):(i=i||[]).push(u,null));for(u in r){var c=r[u];if(l=null!=a?a[u]:void 0,r.hasOwnProperty(u)&&c!==l&&(null!=c||null!=l))if("style"===u)if(l){for(o in l)!l.hasOwnProperty(o)||c&&c.hasOwnProperty(o)||(n||(n={}),n[o]="");for(o in c)c.hasOwnProperty(o)&&l[o]!==c[o]&&(n||(n={}),n[o]=c[o])}else n||(i||(i=[]),i.push(u,n)),n=c;else"dangerouslySetInnerHTML"===u?(c=c?c.__html:void 0,l=l?l.__html:void 0,null!=c&&l!==c&&(i=i||[]).push(u,c)):"children"===u?"string"!=typeof c&&"number"!=typeof c||(i=i||[]).push(u,""+c):"suppressContentEditableWarning"!==u&&"suppressHydrationWarning"!==u&&(s.hasOwnProperty(u)?(null!=c&&"onScroll"===u&&zr("scroll",e),i||l===c||(i=[])):(i=i||[]).push(u,c))}n&&(i=i||[]).push("style",n);var u=i;(t.updateQueue=u)&&(t.flags|=4)}},Os=function(e,t,n,r){n!==r&&(t.flags|=4)};var Gs=!1,Xs=!1,Ks="function"==typeof WeakSet?WeakSet:Set,Ys=null;function Js(e,t){var n=e.ref;if(null!==n)if("function"==typeof n)try{n(null)}catch(r){Ec(e,t,r)}else n.current=null}function el(e,t,n){try{n()}catch(r){Ec(e,t,r)}}var tl=!1;function nl(e,t,n){var r=t.updateQueue;if(null!==(r=null!==r?r.lastEffect:null)){var a=r=r.next;do{if((a.tag&e)===e){var o=a.destroy;a.destroy=void 0,void 0!==o&&el(t,n,o)}a=a.next}while(a!==r)}}function rl(e,t){if(null!==(t=null!==(t=t.updateQueue)?t.lastEffect:null)){var n=t=t.next;do{if((n.tag&e)===e){var r=n.create;n.destroy=r()}n=n.next}while(n!==t)}}function al(e){var t=e.ref;if(null!==t){var n=e.stateNode;e.tag,e=n,"function"==typeof t?t(e):t.current=e}}function ol(e){var t=e.alternate;null!==t&&(e.alternate=null,ol(t)),e.child=null,e.deletions=null,e.sibling=null,5===e.tag&&(null!==(t=e.stateNode)&&(delete t[pa],delete t[fa],delete t[ma],delete t[ga],delete t[ya])),e.stateNode=null,e.return=null,e.dependencies=null,e.memoizedProps=null,e.memoizedState=null,e.pendingProps=null,e.stateNode=null,e.updateQueue=null}function il(e){return 5===e.tag||3===e.tag||4===e.tag}function sl(e){e:for(;;){for(;null===e.sibling;){if(null===e.return||il(e.return))return null;e=e.return}for(e.sibling.return=e.return,e=e.sibling;5!==e.tag&&6!==e.tag&&18!==e.tag;){if(2&e.flags)continue e;if(null===e.child||4===e.tag)continue e;e.child.return=e,e=e.child}if(!(2&e.flags))return e.stateNode}}function ll(e,t,n){var r=e.tag;if(5===r||6===r)e=e.stateNode,t?8===n.nodeType?n.parentNode.insertBefore(e,t):n.insertBefore(e,t):(8===n.nodeType?(t=n.parentNode).insertBefore(e,n):(t=n).appendChild(e),null!=(n=n._reactRootContainer)||null!==t.onclick||(t.onclick=Jr));else if(4!==r&&null!==(e=e.child))for(ll(e,t,n),e=e.sibling;null!==e;)ll(e,t,n),e=e.sibling}function cl(e,t,n){var r=e.tag;if(5===r||6===r)e=e.stateNode,t?n.insertBefore(e,t):n.appendChild(e);else if(4!==r&&null!==(e=e.child))for(cl(e,t,n),e=e.sibling;null!==e;)cl(e,t,n),e=e.sibling}var ul=null,dl=!1;function pl(e,t,n){for(n=n.child;null!==n;)fl(e,t,n),n=n.sibling}function fl(e,t,n){if(ot&&"function"==typeof ot.onCommitFiberUnmount)try{ot.onCommitFiberUnmount(at,n)}catch(s){}switch(n.tag){case 5:Xs||Js(n,t);case 6:var r=ul,a=dl;ul=null,pl(e,t,n),dl=a,null!==(ul=r)&&(dl?(e=ul,n=n.stateNode,8===e.nodeType?e.parentNode.removeChild(n):e.removeChild(n)):ul.removeChild(n.stateNode));break;case 18:null!==ul&&(dl?(e=ul,n=n.stateNode,8===e.nodeType?la(e.parentNode,n):1===e.nodeType&&la(e,n),Ut(e)):la(ul,n.stateNode));break;case 4:r=ul,a=dl,ul=n.stateNode.containerInfo,dl=!0,pl(e,t,n),ul=r,dl=a;break;case 0:case 11:case 14:case 15:if(!Xs&&(null!==(r=n.updateQueue)&&null!==(r=r.lastEffect))){a=r=r.next;do{var o=a,i=o.destroy;o=o.tag,void 0!==i&&(0!=(2&o)||0!=(4&o))&&el(n,t,i),a=a.next}while(a!==r)}pl(e,t,n);break;case 1:if(!Xs&&(Js(n,t),"function"==typeof(r=n.stateNode).componentWillUnmount))try{r.props=n.memoizedProps,r.state=n.memoizedState,r.componentWillUnmount()}catch(s){Ec(n,t,s)}pl(e,t,n);break;case 21:pl(e,t,n);break;case 22:1&n.mode?(Xs=(r=Xs)||null!==n.memoizedState,pl(e,t,n),Xs=r):pl(e,t,n);break;default:pl(e,t,n)}}function hl(e){var t=e.updateQueue;if(null!==t){e.updateQueue=null;var n=e.stateNode;null===n&&(n=e.stateNode=new Ks),t.forEach((function(t){var r=Lc.bind(null,e,t);n.has(t)||(n.add(t),t.then(r,r))}))}}function ml(e,t){var n=t.deletions;if(null!==n)for(var r=0;r<n.length;r++){var a=n[r];try{var i=e,s=t,l=s;e:for(;null!==l;){switch(l.tag){case 5:ul=l.stateNode,dl=!1;break e;case 3:case 4:ul=l.stateNode.containerInfo,dl=!0;break e}l=l.return}if(null===ul)throw Error(o(160));fl(i,s,a),ul=null,dl=!1;var c=a.alternate;null!==c&&(c.return=null),a.return=null}catch(u){Ec(a,t,u)}}if(12854&t.subtreeFlags)for(t=t.child;null!==t;)gl(t,e),t=t.sibling}function gl(e,t){var n=e.alternate,r=e.flags;switch(e.tag){case 0:case 11:case 14:case 15:if(ml(t,e),yl(e),4&r){try{nl(3,e,e.return),rl(3,e)}catch(g){Ec(e,e.return,g)}try{nl(5,e,e.return)}catch(g){Ec(e,e.return,g)}}break;case 1:ml(t,e),yl(e),512&r&&null!==n&&Js(n,n.return);break;case 5:if(ml(t,e),yl(e),512&r&&null!==n&&Js(n,n.return),32&e.flags){var a=e.stateNode;try{pe(a,"")}catch(g){Ec(e,e.return,g)}}if(4&r&&null!=(a=e.stateNode)){var i=e.memoizedProps,s=null!==n?n.memoizedProps:i,l=e.type,c=e.updateQueue;if(e.updateQueue=null,null!==c)try{"input"===l&&"radio"===i.type&&null!=i.name&&K(a,i),ve(l,s);var u=ve(l,i);for(s=0;s<c.length;s+=2){var d=c[s],p=c[s+1];"style"===d?ge(a,p):"dangerouslySetInnerHTML"===d?de(a,p):"children"===d?pe(a,p):v(a,d,p,u)}switch(l){case"input":Y(a,i);break;case"textarea":oe(a,i);break;case"select":var f=a._wrapperState.wasMultiple;a._wrapperState.wasMultiple=!!i.multiple;var h=i.value;null!=h?ne(a,!!i.multiple,h,!1):f!==!!i.multiple&&(null!=i.defaultValue?ne(a,!!i.multiple,i.defaultValue,!0):ne(a,!!i.multiple,i.multiple?[]:"",!1))}a[fa]=i}catch(g){Ec(e,e.return,g)}}break;case 6:if(ml(t,e),yl(e),4&r){if(null===e.stateNode)throw Error(o(162));a=e.stateNode,i=e.memoizedProps;try{a.nodeValue=i}catch(g){Ec(e,e.return,g)}}break;case 3:if(ml(t,e),yl(e),4&r&&null!==n&&n.memoizedState.isDehydrated)try{Ut(t.containerInfo)}catch(g){Ec(e,e.return,g)}break;case 4:default:ml(t,e),yl(e);break;case 13:ml(t,e),yl(e),8192&(a=e.child).flags&&(i=null!==a.memoizedState,a.stateNode.isHidden=i,!i||null!==a.alternate&&null!==a.alternate.memoizedState||($l=Ke())),4&r&&hl(e);break;case 22:if(d=null!==n&&null!==n.memoizedState,1&e.mode?(Xs=(u=Xs)||d,ml(t,e),Xs=u):ml(t,e),yl(e),8192&r){if(u=null!==e.memoizedState,(e.stateNode.isHidden=u)&&!d&&0!=(1&e.mode))for(Ys=e,d=e.child;null!==d;){for(p=Ys=d;null!==Ys;){switch(h=(f=Ys).child,f.tag){case 0:case 11:case 14:case 15:nl(4,f,f.return);break;case 1:Js(f,f.return);var m=f.stateNode;if("function"==typeof m.componentWillUnmount){r=f,n=f.return;try{t=r,m.props=t.memoizedProps,m.state=t.memoizedState,m.componentWillUnmount()}catch(g){Ec(r,n,g)}}break;case 5:Js(f,f.return);break;case 22:if(null!==f.memoizedState){kl(p);continue}}null!==h?(h.return=f,Ys=h):kl(p)}d=d.sibling}e:for(d=null,p=e;;){if(5===p.tag){if(null===d){d=p;try{a=p.stateNode,u?"function"==typeof(i=a.style).setProperty?i.setProperty("display","none","important"):i.display="none":(l=p.stateNode,s=null!=(c=p.memoizedProps.style)&&c.hasOwnProperty("display")?c.display:null,l.style.display=me("display",s))}catch(g){Ec(e,e.return,g)}}}else if(6===p.tag){if(null===d)try{p.stateNode.nodeValue=u?"":p.memoizedProps}catch(g){Ec(e,e.return,g)}}else if((22!==p.tag&&23!==p.tag||null===p.memoizedState||p===e)&&null!==p.child){p.child.return=p,p=p.child;continue}if(p===e)break e;for(;null===p.sibling;){if(null===p.return||p.return===e)break e;d===p&&(d=null),p=p.return}d===p&&(d=null),p.sibling.return=p.return,p=p.sibling}}break;case 19:ml(t,e),yl(e),4&r&&hl(e);case 21:}}function yl(e){var t=e.flags;if(2&t){try{e:{for(var n=e.return;null!==n;){if(il(n)){var r=n;break e}n=n.return}throw Error(o(160))}switch(r.tag){case 5:var a=r.stateNode;32&r.flags&&(pe(a,""),r.flags&=-33),cl(e,sl(e),a);break;case 3:case 4:var i=r.stateNode.containerInfo;ll(e,sl(e),i);break;default:throw Error(o(161))}}catch(s){Ec(e,e.return,s)}e.flags&=-3}4096&t&&(e.flags&=-4097)}function bl(e,t,n){Ys=e,vl(e,t,n)}function vl(e,t,n){for(var r=0!=(1&e.mode);null!==Ys;){var a=Ys,o=a.child;if(22===a.tag&&r){var i=null!==a.memoizedState||Gs;if(!i){var s=a.alternate,l=null!==s&&null!==s.memoizedState||Xs;s=Gs;var c=Xs;if(Gs=i,(Xs=l)&&!c)for(Ys=a;null!==Ys;)l=(i=Ys).child,22===i.tag&&null!==i.memoizedState?xl(a):null!==l?(l.return=i,Ys=l):xl(a);for(;null!==o;)Ys=o,vl(o,t,n),o=o.sibling;Ys=a,Gs=s,Xs=c}wl(e)}else 0!=(8772&a.subtreeFlags)&&null!==o?(o.return=a,Ys=o):wl(e)}}function wl(e){for(;null!==Ys;){var t=Ys;if(0!=(8772&t.flags)){var n=t.alternate;try{if(0!=(8772&t.flags))switch(t.tag){case 0:case 11:case 15:Xs||rl(5,t);break;case 1:var r=t.stateNode;if(4&t.flags&&!Xs)if(null===n)r.componentDidMount();else{var a=t.elementType===t.type?n.memoizedProps:ns(t.type,n.memoizedProps);r.componentDidUpdate(a,n.memoizedState,r.__reactInternalSnapshotBeforeUpdate)}var i=t.updateQueue;null!==i&&Ho(t,i,r);break;case 3:var s=t.updateQueue;if(null!==s){if(n=null,null!==t.child)switch(t.child.tag){case 5:case 1:n=t.child.stateNode}Ho(t,s,n)}break;case 5:var l=t.stateNode;if(null===n&&4&t.flags){n=l;var c=t.memoizedProps;switch(t.type){case"button":case"input":case"select":case"textarea":c.autoFocus&&n.focus();break;case"img":c.src&&(n.src=c.src)}}break;case 6:case 4:case 12:case 19:case 17:case 21:case 22:case 23:case 25:break;case 13:if(null===t.memoizedState){var u=t.alternate;if(null!==u){var d=u.memoizedState;if(null!==d){var p=d.dehydrated;null!==p&&Ut(p)}}}break;default:throw Error(o(163))}Xs||512&t.flags&&al(t)}catch(f){Ec(t,t.return,f)}}if(t===e){Ys=null;break}if(null!==(n=t.sibling)){n.return=t.return,Ys=n;break}Ys=t.return}}function kl(e){for(;null!==Ys;){var t=Ys;if(t===e){Ys=null;break}var n=t.sibling;if(null!==n){n.return=t.return,Ys=n;break}Ys=t.return}}function xl(e){for(;null!==Ys;){var t=Ys;try{switch(t.tag){case 0:case 11:case 15:var n=t.return;try{rl(4,t)}catch(l){Ec(t,n,l)}break;case 1:var r=t.stateNode;if("function"==typeof r.componentDidMount){var a=t.return;try{r.componentDidMount()}catch(l){Ec(t,a,l)}}var o=t.return;try{al(t)}catch(l){Ec(t,o,l)}break;case 5:var i=t.return;try{al(t)}catch(l){Ec(t,i,l)}}}catch(l){Ec(t,t.return,l)}if(t===e){Ys=null;break}var s=t.sibling;if(null!==s){s.return=t.return,Ys=s;break}Ys=t.return}}var Sl,El=Math.ceil,Cl=w.ReactCurrentDispatcher,_l=w.ReactCurrentOwner,Tl=w.ReactCurrentBatchConfig,Ll=0,Rl=null,jl=null,Nl=0,Pl=0,Al=Ea(0),Ol=0,Il=null,Dl=0,Fl=0,Ml=0,zl=null,Bl=null,$l=0,Ul=1/0,ql=null,Hl=!1,Ql=null,Zl=null,Wl=!1,Vl=null,Gl=0,Xl=0,Kl=null,Yl=-1,Jl=0;function ec(){return 0!=(6&Ll)?Ke():-1!==Yl?Yl:Yl=Ke()}function tc(e){return 0==(1&e.mode)?1:0!=(2&Ll)&&0!==Nl?Nl&-Nl:null!==go.transition?(0===Jl&&(Jl=mt()),Jl):0!==(e=vt)?e:e=void 0===(e=window.event)?16:Xt(e.type)}function nc(e,t,n,r){if(50<Xl)throw Xl=0,Kl=null,Error(o(185));yt(e,n,r),0!=(2&Ll)&&e===Rl||(e===Rl&&(0==(2&Ll)&&(Fl|=n),4===Ol&&sc(e,Nl)),rc(e,r),1===n&&0===Ll&&0==(1&t.mode)&&(Ul=Ke()+500,za&&Ua()))}function rc(e,t){var n=e.callbackNode;!function(e,t){for(var n=e.suspendedLanes,r=e.pingedLanes,a=e.expirationTimes,o=e.pendingLanes;0<o;){var i=31-it(o),s=1<<i,l=a[i];-1===l?0!=(s&n)&&0==(s&r)||(a[i]=ft(s,t)):l<=t&&(e.expiredLanes|=s),o&=~s}}(e,t);var r=pt(e,e===Rl?Nl:0);if(0===r)null!==n&&Ve(n),e.callbackNode=null,e.callbackPriority=0;else if(t=r&-r,e.callbackPriority!==t){if(null!=n&&Ve(n),1===t)0===e.tag?function(e){za=!0,$a(e)}(lc.bind(null,e)):$a(lc.bind(null,e)),ia((function(){0==(6&Ll)&&Ua()})),n=null;else{switch(wt(r)){case 1:n=Je;break;case 4:n=et;break;case 16:default:n=tt;break;case 536870912:n=rt}n=Rc(n,ac.bind(null,e))}e.callbackPriority=t,e.callbackNode=n}}function ac(e,t){if(Yl=-1,Jl=0,0!=(6&Ll))throw Error(o(327));var n=e.callbackNode;if(xc()&&e.callbackNode!==n)return null;var r=pt(e,e===Rl?Nl:0);if(0===r)return null;if(0!=(30&r)||0!=(r&e.expiredLanes)||t)t=gc(e,r);else{t=r;var a=Ll;Ll|=2;var i=hc();for(Rl===e&&Nl===t||(ql=null,Ul=Ke()+500,pc(e,t));;)try{bc();break}catch(l){fc(e,l)}To(),Cl.current=i,Ll=a,null!==jl?t=0:(Rl=null,Nl=0,t=Ol)}if(0!==t){if(2===t&&(0!==(a=ht(e))&&(r=a,t=oc(e,a))),1===t)throw n=Il,pc(e,0),sc(e,r),rc(e,Ke()),n;if(6===t)sc(e,r);else{if(a=e.current.alternate,0==(30&r)&&!function(e){for(var t=e;;){if(16384&t.flags){var n=t.updateQueue;if(null!==n&&null!==(n=n.stores))for(var r=0;r<n.length;r++){var a=n[r],o=a.getSnapshot;a=a.value;try{if(!sr(o(),a))return!1}catch(s){return!1}}}if(n=t.child,16384&t.subtreeFlags&&null!==n)n.return=t,t=n;else{if(t===e)break;for(;null===t.sibling;){if(null===t.return||t.return===e)return!0;t=t.return}t.sibling.return=t.return,t=t.sibling}}return!0}(a)&&(2===(t=gc(e,r))&&(0!==(i=ht(e))&&(r=i,t=oc(e,i))),1===t))throw n=Il,pc(e,0),sc(e,r),rc(e,Ke()),n;switch(e.finishedWork=a,e.finishedLanes=r,t){case 0:case 1:throw Error(o(345));case 2:case 5:kc(e,Bl,ql);break;case 3:if(sc(e,r),(130023424&r)===r&&10<(t=$l+500-Ke())){if(0!==pt(e,0))break;if(((a=e.suspendedLanes)&r)!==r){ec(),e.pingedLanes|=e.suspendedLanes&a;break}e.timeoutHandle=ra(kc.bind(null,e,Bl,ql),t);break}kc(e,Bl,ql);break;case 4:if(sc(e,r),(4194240&r)===r)break;for(t=e.eventTimes,a=-1;0<r;){var s=31-it(r);i=1<<s,(s=t[s])>a&&(a=s),r&=~i}if(r=a,10<(r=(120>(r=Ke()-r)?120:480>r?480:1080>r?1080:1920>r?1920:3e3>r?3e3:4320>r?4320:1960*El(r/1960))-r)){e.timeoutHandle=ra(kc.bind(null,e,Bl,ql),r);break}kc(e,Bl,ql);break;default:throw Error(o(329))}}}return rc(e,Ke()),e.callbackNode===n?ac.bind(null,e):null}function oc(e,t){var n=zl;return e.current.memoizedState.isDehydrated&&(pc(e,t).flags|=256),2!==(e=gc(e,t))&&(t=Bl,Bl=n,null!==t&&ic(t)),e}function ic(e){null===Bl?Bl=e:Bl.push.apply(Bl,e)}function sc(e,t){for(t&=~Ml,t&=~Fl,e.suspendedLanes|=t,e.pingedLanes&=~t,e=e.expirationTimes;0<t;){var n=31-it(t),r=1<<n;e[n]=-1,t&=~r}}function lc(e){if(0!=(6&Ll))throw Error(o(327));xc();var t=pt(e,0);if(0==(1&t))return rc(e,Ke()),null;var n=gc(e,t);if(0!==e.tag&&2===n){var r=ht(e);0!==r&&(t=r,n=oc(e,r))}if(1===n)throw n=Il,pc(e,0),sc(e,t),rc(e,Ke()),n;if(6===n)throw Error(o(345));return e.finishedWork=e.current.alternate,e.finishedLanes=t,kc(e,Bl,ql),rc(e,Ke()),null}function cc(e,t){var n=Ll;Ll|=1;try{return e(t)}finally{0===(Ll=n)&&(Ul=Ke()+500,za&&Ua())}}function uc(e){null!==Vl&&0===Vl.tag&&0==(6&Ll)&&xc();var t=Ll;Ll|=1;var n=Tl.transition,r=vt;try{if(Tl.transition=null,vt=1,e)return e()}finally{vt=r,Tl.transition=n,0==(6&(Ll=t))&&Ua()}}function dc(){Pl=Al.current,Ca(Al)}function pc(e,t){e.finishedWork=null,e.finishedLanes=0;var n=e.timeoutHandle;if(-1!==n&&(e.timeoutHandle=-1,aa(n)),null!==jl)for(n=jl.return;null!==n;){var r=n;switch(to(r),r.tag){case 1:null!=(r=r.type.childContextTypes)&&Aa();break;case 3:Ko(),Ca(Ra),Ca(La),ri();break;case 5:Jo(r);break;case 4:Ko();break;case 13:case 19:Ca(ei);break;case 10:Lo(r.type._context);break;case 22:case 23:dc()}n=n.return}if(Rl=e,jl=e=Ac(e.current,null),Nl=Pl=t,Ol=0,Il=null,Ml=Fl=Dl=0,Bl=zl=null,null!==Po){for(t=0;t<Po.length;t++)if(null!==(r=(n=Po[t]).interleaved)){n.interleaved=null;var a=r.next,o=n.pending;if(null!==o){var i=o.next;o.next=a,r.next=i}n.pending=r}Po=null}return e}function fc(e,t){for(;;){var n=jl;try{if(To(),ai.current=Yi,ui){for(var r=si.memoizedState;null!==r;){var a=r.queue;null!==a&&(a.pending=null),r=r.next}ui=!1}if(ii=0,ci=li=si=null,di=!1,pi=0,_l.current=null,null===n||null===n.return){Ol=1,Il=t,jl=null;break}e:{var i=e,s=n.return,l=n,c=t;if(t=Nl,l.flags|=32768,null!==c&&"object"==typeof c&&"function"==typeof c.then){var u=c,d=l,p=d.tag;if(0==(1&d.mode)&&(0===p||11===p||15===p)){var f=d.alternate;f?(d.updateQueue=f.updateQueue,d.memoizedState=f.memoizedState,d.lanes=f.lanes):(d.updateQueue=null,d.memoizedState=null)}var h=gs(s);if(null!==h){h.flags&=-257,ys(h,s,l,0,t),1&h.mode&&ms(i,u,t),c=u;var m=(t=h).updateQueue;if(null===m){var g=new Set;g.add(c),t.updateQueue=g}else m.add(c);break e}if(0==(1&t)){ms(i,u,t),mc();break e}c=Error(o(426))}else if(ao&&1&l.mode){var y=gs(s);if(null!==y){0==(65536&y.flags)&&(y.flags|=256),ys(y,s,l,0,t),mo(cs(c,l));break e}}i=c=cs(c,l),4!==Ol&&(Ol=2),null===zl?zl=[i]:zl.push(i),i=s;do{switch(i.tag){case 3:i.flags|=65536,t&=-t,i.lanes|=t,Uo(i,fs(0,c,t));break e;case 1:l=c;var b=i.type,v=i.stateNode;if(0==(128&i.flags)&&("function"==typeof b.getDerivedStateFromError||null!==v&&"function"==typeof v.componentDidCatch&&(null===Zl||!Zl.has(v)))){i.flags|=65536,t&=-t,i.lanes|=t,Uo(i,hs(i,l,t));break e}}i=i.return}while(null!==i)}wc(n)}catch(w){t=w,jl===n&&null!==n&&(jl=n=n.return);continue}break}}function hc(){var e=Cl.current;return Cl.current=Yi,null===e?Yi:e}function mc(){0!==Ol&&3!==Ol&&2!==Ol||(Ol=4),null===Rl||0==(268435455&Dl)&&0==(268435455&Fl)||sc(Rl,Nl)}function gc(e,t){var n=Ll;Ll|=2;var r=hc();for(Rl===e&&Nl===t||(ql=null,pc(e,t));;)try{yc();break}catch(a){fc(e,a)}if(To(),Ll=n,Cl.current=r,null!==jl)throw Error(o(261));return Rl=null,Nl=0,Ol}function yc(){for(;null!==jl;)vc(jl)}function bc(){for(;null!==jl&&!Ge();)vc(jl)}function vc(e){var t=Sl(e.alternate,e,Pl);e.memoizedProps=e.pendingProps,null===t?wc(e):jl=t,_l.current=null}function wc(e){var t=e;do{var n=t.alternate;if(e=t.return,0==(32768&t.flags)){if(null!==(n=Ws(n,t,Pl)))return void(jl=n)}else{if(null!==(n=Vs(n,t)))return n.flags&=32767,void(jl=n);if(null===e)return Ol=6,void(jl=null);e.flags|=32768,e.subtreeFlags=0,e.deletions=null}if(null!==(t=t.sibling))return void(jl=t);jl=t=e}while(null!==t);0===Ol&&(Ol=5)}function kc(e,t,n){var r=vt,a=Tl.transition;try{Tl.transition=null,vt=1,function(e,t,n,r){do{xc()}while(null!==Vl);if(0!=(6&Ll))throw Error(o(327));n=e.finishedWork;var a=e.finishedLanes;if(null===n)return null;if(e.finishedWork=null,e.finishedLanes=0,n===e.current)throw Error(o(177));e.callbackNode=null,e.callbackPriority=0;var i=n.lanes|n.childLanes;if(function(e,t){var n=e.pendingLanes&~t;e.pendingLanes=t,e.suspendedLanes=0,e.pingedLanes=0,e.expiredLanes&=t,e.mutableReadLanes&=t,e.entangledLanes&=t,t=e.entanglements;var r=e.eventTimes;for(e=e.expirationTimes;0<n;){var a=31-it(n),o=1<<a;t[a]=0,r[a]=-1,e[a]=-1,n&=~o}}(e,i),e===Rl&&(jl=Rl=null,Nl=0),0==(2064&n.subtreeFlags)&&0==(2064&n.flags)||Wl||(Wl=!0,Rc(tt,(function(){return xc(),null}))),i=0!=(15990&n.flags),0!=(15990&n.subtreeFlags)||i){i=Tl.transition,Tl.transition=null;var s=vt;vt=1;var l=Ll;Ll|=4,_l.current=null,function(e,t){if(ea=Ht,fr(e=pr())){if("selectionStart"in e)var n={start:e.selectionStart,end:e.selectionEnd};else e:{var r=(n=(n=e.ownerDocument)&&n.defaultView||window).getSelection&&n.getSelection();if(r&&0!==r.rangeCount){n=r.anchorNode;var a=r.anchorOffset,i=r.focusNode;r=r.focusOffset;try{n.nodeType,i.nodeType}catch(k){n=null;break e}var s=0,l=-1,c=-1,u=0,d=0,p=e,f=null;t:for(;;){for(var h;p!==n||0!==a&&3!==p.nodeType||(l=s+a),p!==i||0!==r&&3!==p.nodeType||(c=s+r),3===p.nodeType&&(s+=p.nodeValue.length),null!==(h=p.firstChild);)f=p,p=h;for(;;){if(p===e)break t;if(f===n&&++u===a&&(l=s),f===i&&++d===r&&(c=s),null!==(h=p.nextSibling))break;f=(p=f).parentNode}p=h}n=-1===l||-1===c?null:{start:l,end:c}}else n=null}n=n||{start:0,end:0}}else n=null;for(ta={focusedElem:e,selectionRange:n},Ht=!1,Ys=t;null!==Ys;)if(e=(t=Ys).child,0!=(1028&t.subtreeFlags)&&null!==e)e.return=t,Ys=e;else for(;null!==Ys;){t=Ys;try{var m=t.alternate;if(0!=(1024&t.flags))switch(t.tag){case 0:case 11:case 15:case 5:case 6:case 4:case 17:break;case 1:if(null!==m){var g=m.memoizedProps,y=m.memoizedState,b=t.stateNode,v=b.getSnapshotBeforeUpdate(t.elementType===t.type?g:ns(t.type,g),y);b.__reactInternalSnapshotBeforeUpdate=v}break;case 3:var w=t.stateNode.containerInfo;1===w.nodeType?w.textContent="":9===w.nodeType&&w.documentElement&&w.removeChild(w.documentElement);break;default:throw Error(o(163))}}catch(k){Ec(t,t.return,k)}if(null!==(e=t.sibling)){e.return=t.return,Ys=e;break}Ys=t.return}m=tl,tl=!1}(e,n),gl(n,e),hr(ta),Ht=!!ea,ta=ea=null,e.current=n,bl(n,e,a),Xe(),Ll=l,vt=s,Tl.transition=i}else e.current=n;if(Wl&&(Wl=!1,Vl=e,Gl=a),i=e.pendingLanes,0===i&&(Zl=null),function(e){if(ot&&"function"==typeof ot.onCommitFiberRoot)try{ot.onCommitFiberRoot(at,e,void 0,128==(128&e.current.flags))}catch(t){}}(n.stateNode),rc(e,Ke()),null!==t)for(r=e.onRecoverableError,n=0;n<t.length;n++)a=t[n],r(a.value,{componentStack:a.stack,digest:a.digest});if(Hl)throw Hl=!1,e=Ql,Ql=null,e;0!=(1&Gl)&&0!==e.tag&&xc(),i=e.pendingLanes,0!=(1&i)?e===Kl?Xl++:(Xl=0,Kl=e):Xl=0,Ua()}(e,t,n,r)}finally{Tl.transition=a,vt=r}return null}function xc(){if(null!==Vl){var e=wt(Gl),t=Tl.transition,n=vt;try{if(Tl.transition=null,vt=16>e?16:e,null===Vl)var r=!1;else{if(e=Vl,Vl=null,Gl=0,0!=(6&Ll))throw Error(o(331));var a=Ll;for(Ll|=4,Ys=e.current;null!==Ys;){var i=Ys,s=i.child;if(0!=(16&Ys.flags)){var l=i.deletions;if(null!==l){for(var c=0;c<l.length;c++){var u=l[c];for(Ys=u;null!==Ys;){var d=Ys;switch(d.tag){case 0:case 11:case 15:nl(8,d,i)}var p=d.child;if(null!==p)p.return=d,Ys=p;else for(;null!==Ys;){var f=(d=Ys).sibling,h=d.return;if(ol(d),d===u){Ys=null;break}if(null!==f){f.return=h,Ys=f;break}Ys=h}}}var m=i.alternate;if(null!==m){var g=m.child;if(null!==g){m.child=null;do{var y=g.sibling;g.sibling=null,g=y}while(null!==g)}}Ys=i}}if(0!=(2064&i.subtreeFlags)&&null!==s)s.return=i,Ys=s;else e:for(;null!==Ys;){if(0!=(2048&(i=Ys).flags))switch(i.tag){case 0:case 11:case 15:nl(9,i,i.return)}var b=i.sibling;if(null!==b){b.return=i.return,Ys=b;break e}Ys=i.return}}var v=e.current;for(Ys=v;null!==Ys;){var w=(s=Ys).child;if(0!=(2064&s.subtreeFlags)&&null!==w)w.return=s,Ys=w;else e:for(s=v;null!==Ys;){if(0!=(2048&(l=Ys).flags))try{switch(l.tag){case 0:case 11:case 15:rl(9,l)}}catch(x){Ec(l,l.return,x)}if(l===s){Ys=null;break e}var k=l.sibling;if(null!==k){k.return=l.return,Ys=k;break e}Ys=l.return}}if(Ll=a,Ua(),ot&&"function"==typeof ot.onPostCommitFiberRoot)try{ot.onPostCommitFiberRoot(at,e)}catch(x){}r=!0}return r}finally{vt=n,Tl.transition=t}}return!1}function Sc(e,t,n){e=Bo(e,t=fs(0,t=cs(n,t),1),1),t=ec(),null!==e&&(yt(e,1,t),rc(e,t))}function Ec(e,t,n){if(3===e.tag)Sc(e,e,n);else for(;null!==t;){if(3===t.tag){Sc(t,e,n);break}if(1===t.tag){var r=t.stateNode;if("function"==typeof t.type.getDerivedStateFromError||"function"==typeof r.componentDidCatch&&(null===Zl||!Zl.has(r))){t=Bo(t,e=hs(t,e=cs(n,e),1),1),e=ec(),null!==t&&(yt(t,1,e),rc(t,e));break}}t=t.return}}function Cc(e,t,n){var r=e.pingCache;null!==r&&r.delete(t),t=ec(),e.pingedLanes|=e.suspendedLanes&n,Rl===e&&(Nl&n)===n&&(4===Ol||3===Ol&&(130023424&Nl)===Nl&&500>Ke()-$l?pc(e,0):Ml|=n),rc(e,t)}function _c(e,t){0===t&&(0==(1&e.mode)?t=1:(t=ut,0==(130023424&(ut<<=1))&&(ut=4194304)));var n=ec();null!==(e=Io(e,t))&&(yt(e,t,n),rc(e,n))}function Tc(e){var t=e.memoizedState,n=0;null!==t&&(n=t.retryLane),_c(e,n)}function Lc(e,t){var n=0;switch(e.tag){case 13:var r=e.stateNode,a=e.memoizedState;null!==a&&(n=a.retryLane);break;case 19:r=e.stateNode;break;default:throw Error(o(314))}null!==r&&r.delete(t),_c(e,n)}function Rc(e,t){return We(e,t)}function jc(e,t,n,r){this.tag=e,this.key=n,this.sibling=this.child=this.return=this.stateNode=this.type=this.elementType=null,this.index=0,this.ref=null,this.pendingProps=t,this.dependencies=this.memoizedState=this.updateQueue=this.memoizedProps=null,this.mode=r,this.subtreeFlags=this.flags=0,this.deletions=null,this.childLanes=this.lanes=0,this.alternate=null}function Nc(e,t,n,r){return new jc(e,t,n,r)}function Pc(e){return!(!(e=e.prototype)||!e.isReactComponent)}function Ac(e,t){var n=e.alternate;return null===n?((n=Nc(e.tag,t,e.key,e.mode)).elementType=e.elementType,n.type=e.type,n.stateNode=e.stateNode,n.alternate=e,e.alternate=n):(n.pendingProps=t,n.type=e.type,n.flags=0,n.subtreeFlags=0,n.deletions=null),n.flags=14680064&e.flags,n.childLanes=e.childLanes,n.lanes=e.lanes,n.child=e.child,n.memoizedProps=e.memoizedProps,n.memoizedState=e.memoizedState,n.updateQueue=e.updateQueue,t=e.dependencies,n.dependencies=null===t?null:{lanes:t.lanes,firstContext:t.firstContext},n.sibling=e.sibling,n.index=e.index,n.ref=e.ref,n}function Oc(e,t,n,r,a,i){var s=2;if(r=e,"function"==typeof e)Pc(e)&&(s=1);else if("string"==typeof e)s=5;else e:switch(e){case S:return Ic(n.children,a,i,t);case E:s=8,a|=8;break;case C:return(e=Nc(12,n,t,2|a)).elementType=C,e.lanes=i,e;case R:return(e=Nc(13,n,t,a)).elementType=R,e.lanes=i,e;case j:return(e=Nc(19,n,t,a)).elementType=j,e.lanes=i,e;case A:return Dc(n,a,i,t);default:if("object"==typeof e&&null!==e)switch(e.$$typeof){case _:s=10;break e;case T:s=9;break e;case L:s=11;break e;case N:s=14;break e;case P:s=16,r=null;break e}throw Error(o(130,null==e?e:typeof e,""))}return(t=Nc(s,n,t,a)).elementType=e,t.type=r,t.lanes=i,t}function Ic(e,t,n,r){return(e=Nc(7,e,r,t)).lanes=n,e}function Dc(e,t,n,r){return(e=Nc(22,e,r,t)).elementType=A,e.lanes=n,e.stateNode={isHidden:!1},e}function Fc(e,t,n){return(e=Nc(6,e,null,t)).lanes=n,e}function Mc(e,t,n){return(t=Nc(4,null!==e.children?e.children:[],e.key,t)).lanes=n,t.stateNode={containerInfo:e.containerInfo,pendingChildren:null,implementation:e.implementation},t}function zc(e,t,n,r,a){this.tag=t,this.containerInfo=e,this.finishedWork=this.pingCache=this.current=this.pendingChildren=null,this.timeoutHandle=-1,this.callbackNode=this.pendingContext=this.context=null,this.callbackPriority=0,this.eventTimes=gt(0),this.expirationTimes=gt(-1),this.entangledLanes=this.finishedLanes=this.mutableReadLanes=this.expiredLanes=this.pingedLanes=this.suspendedLanes=this.pendingLanes=0,this.entanglements=gt(0),this.identifierPrefix=r,this.onRecoverableError=a,this.mutableSourceEagerHydrationData=null}function Bc(e,t,n,r,a,o,i,s,l){return e=new zc(e,t,n,s,l),1===t?(t=1,!0===o&&(t|=8)):t=0,o=Nc(3,null,null,t),e.current=o,o.stateNode=e,o.memoizedState={element:r,isDehydrated:n,cache:null,transitions:null,pendingSuspenseBoundaries:null},Fo(o),e}function $c(e){if(!e)return Ta;e:{if(Ue(e=e._reactInternals)!==e||1!==e.tag)throw Error(o(170));var t=e;do{switch(t.tag){case 3:t=t.stateNode.context;break e;case 1:if(Pa(t.type)){t=t.stateNode.__reactInternalMemoizedMergedChildContext;break e}}t=t.return}while(null!==t);throw Error(o(171))}if(1===e.tag){var n=e.type;if(Pa(n))return Ia(e,n,t)}return t}function Uc(e,t,n,r,a,o,i,s,l){return(e=Bc(n,r,!0,e,0,o,0,s,l)).context=$c(null),n=e.current,(o=zo(r=ec(),a=tc(n))).callback=null!=t?t:null,Bo(n,o,a),e.current.lanes=a,yt(e,a,r),rc(e,r),e}function qc(e,t,n,r){var a=t.current,o=ec(),i=tc(a);return n=$c(n),null===t.context?t.context=n:t.pendingContext=n,(t=zo(o,i)).payload={element:e},null!==(r=void 0===r?null:r)&&(t.callback=r),null!==(e=Bo(a,t,i))&&(nc(e,a,i,o),$o(e,a,i)),i}function Hc(e){return(e=e.current).child?(e.child.tag,e.child.stateNode):null}function Qc(e,t){if(null!==(e=e.memoizedState)&&null!==e.dehydrated){var n=e.retryLane;e.retryLane=0!==n&&n<t?n:t}}function Zc(e,t){Qc(e,t),(e=e.alternate)&&Qc(e,t)}Sl=function(e,t,n){if(null!==e)if(e.memoizedProps!==t.pendingProps||Ra.current)vs=!0;else{if(0==(e.lanes&n)&&0==(128&t.flags))return vs=!1,function(e,t,n){switch(t.tag){case 3:Rs(t),ho();break;case 5:Yo(t);break;case 1:Pa(t.type)&&Da(t);break;case 4:Xo(t,t.stateNode.containerInfo);break;case 10:var r=t.type._context,a=t.memoizedProps.value;_a(So,r._currentValue),r._currentValue=a;break;case 13:if(null!==(r=t.memoizedState))return null!==r.dehydrated?(_a(ei,1&ei.current),t.flags|=128,null):0!=(n&t.child.childLanes)?Fs(e,t,n):(_a(ei,1&ei.current),null!==(e=Hs(e,t,n))?e.sibling:null);_a(ei,1&ei.current);break;case 19:if(r=0!=(n&t.childLanes),0!=(128&e.flags)){if(r)return Us(e,t,n);t.flags|=128}if(null!==(a=t.memoizedState)&&(a.rendering=null,a.tail=null,a.lastEffect=null),_a(ei,ei.current),r)break;return null;case 22:case 23:return t.lanes=0,Es(e,t,n)}return Hs(e,t,n)}(e,t,n);vs=0!=(131072&e.flags)}else vs=!1,ao&&0!=(1048576&t.flags)&&Ja(t,Za,t.index);switch(t.lanes=0,t.tag){case 2:var r=t.type;qs(e,t),e=t.pendingProps;var a=Na(t,La.current);jo(t,n),a=gi(null,t,r,e,a,n);var i=yi();return t.flags|=1,"object"==typeof a&&null!==a&&"function"==typeof a.render&&void 0===a.$$typeof?(t.tag=1,t.memoizedState=null,t.updateQueue=null,Pa(r)?(i=!0,Da(t)):i=!1,t.memoizedState=null!==a.state&&void 0!==a.state?a.state:null,Fo(t),a.updater=as,t.stateNode=a,a._reactInternals=t,ls(t,r,e,n),t=Ls(null,t,r,!0,i,n)):(t.tag=0,ao&&i&&eo(t),ws(null,t,a,n),t=t.child),t;case 16:r=t.elementType;e:{switch(qs(e,t),e=t.pendingProps,r=(a=r._init)(r._payload),t.type=r,a=t.tag=function(e){if("function"==typeof e)return Pc(e)?1:0;if(null!=e){if((e=e.$$typeof)===L)return 11;if(e===N)return 14}return 2}(r),e=ns(r,e),a){case 0:t=_s(null,t,r,e,n);break e;case 1:t=Ts(null,t,r,e,n);break e;case 11:t=ks(null,t,r,e,n);break e;case 14:t=xs(null,t,r,ns(r.type,e),n);break e}throw Error(o(306,r,""))}return t;case 0:return r=t.type,a=t.pendingProps,_s(e,t,r,a=t.elementType===r?a:ns(r,a),n);case 1:return r=t.type,a=t.pendingProps,Ts(e,t,r,a=t.elementType===r?a:ns(r,a),n);case 3:e:{if(Rs(t),null===e)throw Error(o(387));r=t.pendingProps,a=(i=t.memoizedState).element,Mo(e,t),qo(t,r,null,n);var s=t.memoizedState;if(r=s.element,i.isDehydrated){if(i={element:r,isDehydrated:!1,cache:s.cache,pendingSuspenseBoundaries:s.pendingSuspenseBoundaries,transitions:s.transitions},t.updateQueue.baseState=i,t.memoizedState=i,256&t.flags){t=js(e,t,r,n,a=cs(Error(o(423)),t));break e}if(r!==a){t=js(e,t,r,n,a=cs(Error(o(424)),t));break e}for(ro=ca(t.stateNode.containerInfo.firstChild),no=t,ao=!0,oo=null,n=xo(t,null,r,n),t.child=n;n;)n.flags=-3&n.flags|4096,n=n.sibling}else{if(ho(),r===a){t=Hs(e,t,n);break e}ws(e,t,r,n)}t=t.child}return t;case 5:return Yo(t),null===e&&co(t),r=t.type,a=t.pendingProps,i=null!==e?e.memoizedProps:null,s=a.children,na(r,a)?s=null:null!==i&&na(r,i)&&(t.flags|=32),Cs(e,t),ws(e,t,s,n),t.child;case 6:return null===e&&co(t),null;case 13:return Fs(e,t,n);case 4:return Xo(t,t.stateNode.containerInfo),r=t.pendingProps,null===e?t.child=ko(t,null,r,n):ws(e,t,r,n),t.child;case 11:return r=t.type,a=t.pendingProps,ks(e,t,r,a=t.elementType===r?a:ns(r,a),n);case 7:return ws(e,t,t.pendingProps,n),t.child;case 8:case 12:return ws(e,t,t.pendingProps.children,n),t.child;case 10:e:{if(r=t.type._context,a=t.pendingProps,i=t.memoizedProps,s=a.value,_a(So,r._currentValue),r._currentValue=s,null!==i)if(sr(i.value,s)){if(i.children===a.children&&!Ra.current){t=Hs(e,t,n);break e}}else for(null!==(i=t.child)&&(i.return=t);null!==i;){var l=i.dependencies;if(null!==l){s=i.child;for(var c=l.firstContext;null!==c;){if(c.context===r){if(1===i.tag){(c=zo(-1,n&-n)).tag=2;var u=i.updateQueue;if(null!==u){var d=(u=u.shared).pending;null===d?c.next=c:(c.next=d.next,d.next=c),u.pending=c}}i.lanes|=n,null!==(c=i.alternate)&&(c.lanes|=n),Ro(i.return,n,t),l.lanes|=n;break}c=c.next}}else if(10===i.tag)s=i.type===t.type?null:i.child;else if(18===i.tag){if(null===(s=i.return))throw Error(o(341));s.lanes|=n,null!==(l=s.alternate)&&(l.lanes|=n),Ro(s,n,t),s=i.sibling}else s=i.child;if(null!==s)s.return=i;else for(s=i;null!==s;){if(s===t){s=null;break}if(null!==(i=s.sibling)){i.return=s.return,s=i;break}s=s.return}i=s}ws(e,t,a.children,n),t=t.child}return t;case 9:return a=t.type,r=t.pendingProps.children,jo(t,n),r=r(a=No(a)),t.flags|=1,ws(e,t,r,n),t.child;case 14:return a=ns(r=t.type,t.pendingProps),xs(e,t,r,a=ns(r.type,a),n);case 15:return Ss(e,t,t.type,t.pendingProps,n);case 17:return r=t.type,a=t.pendingProps,a=t.elementType===r?a:ns(r,a),qs(e,t),t.tag=1,Pa(r)?(e=!0,Da(t)):e=!1,jo(t,n),is(t,r,a),ls(t,r,a,n),Ls(null,t,r,!0,e,n);case 19:return Us(e,t,n);case 22:return Es(e,t,n)}throw Error(o(156,t.tag))};var Wc="function"==typeof reportError?reportError:function(e){console.error(e)};function Vc(e){this._internalRoot=e}function Gc(e){this._internalRoot=e}function Xc(e){return!(!e||1!==e.nodeType&&9!==e.nodeType&&11!==e.nodeType)}function Kc(e){return!(!e||1!==e.nodeType&&9!==e.nodeType&&11!==e.nodeType&&(8!==e.nodeType||" react-mount-point-unstable "!==e.nodeValue))}function Yc(){}function Jc(e,t,n,r,a){var o=n._reactRootContainer;if(o){var i=o;if("function"==typeof a){var s=a;a=function(){var e=Hc(i);s.call(e)}}qc(t,i,e,a)}else i=function(e,t,n,r,a){if(a){if("function"==typeof r){var o=r;r=function(){var e=Hc(i);o.call(e)}}var i=Uc(t,r,e,0,null,!1,0,"",Yc);return e._reactRootContainer=i,e[ha]=i.current,Ur(8===e.nodeType?e.parentNode:e),uc(),i}for(;a=e.lastChild;)e.removeChild(a);if("function"==typeof r){var s=r;r=function(){var e=Hc(l);s.call(e)}}var l=Bc(e,0,!1,null,0,!1,0,"",Yc);return e._reactRootContainer=l,e[ha]=l.current,Ur(8===e.nodeType?e.parentNode:e),uc((function(){qc(t,l,n,r)})),l}(n,t,e,a,r);return Hc(i)}Gc.prototype.render=Vc.prototype.render=function(e){var t=this._internalRoot;if(null===t)throw Error(o(409));qc(e,t,null,null)},Gc.prototype.unmount=Vc.prototype.unmount=function(){var e=this._internalRoot;if(null!==e){this._internalRoot=null;var t=e.containerInfo;uc((function(){qc(null,e,null,null)})),t[ha]=null}},Gc.prototype.unstable_scheduleHydration=function(e){if(e){var t=Et();e={blockedOn:null,target:e,priority:t};for(var n=0;n<At.length&&0!==t&&t<At[n].priority;n++);At.splice(n,0,e),0===n&&Ft(e)}},kt=function(e){switch(e.tag){case 3:var t=e.stateNode;if(t.current.memoizedState.isDehydrated){var n=dt(t.pendingLanes);0!==n&&(bt(t,1|n),rc(t,Ke()),0==(6&Ll)&&(Ul=Ke()+500,Ua()))}break;case 13:uc((function(){var t=Io(e,1);if(null!==t){var n=ec();nc(t,e,1,n)}})),Zc(e,1)}},xt=function(e){if(13===e.tag){var t=Io(e,134217728);if(null!==t)nc(t,e,134217728,ec());Zc(e,134217728)}},St=function(e){if(13===e.tag){var t=tc(e),n=Io(e,t);if(null!==n)nc(n,e,t,ec());Zc(e,t)}},Et=function(){return vt},Ct=function(e,t){var n=vt;try{return vt=e,t()}finally{vt=n}},xe=function(e,t,n){switch(t){case"input":if(Y(e,n),t=n.name,"radio"===n.type&&null!=t){for(n=e;n.parentNode;)n=n.parentNode;for(n=n.querySelectorAll("input[name="+JSON.stringify(""+t)+'][type="radio"]'),t=0;t<n.length;t++){var r=n[t];if(r!==e&&r.form===e.form){var a=ka(r);if(!a)throw Error(o(90));W(r),Y(r,a)}}}break;case"textarea":oe(e,n);break;case"select":null!=(t=n.value)&&ne(e,!!n.multiple,t,!1)}},Le=cc,Re=uc;var eu={usingClientEntryPoint:!1,Events:[va,wa,ka,_e,Te,cc]},tu={findFiberByHostInstance:ba,bundleType:0,version:"18.3.1",rendererPackageName:"react-dom"},nu={bundleType:tu.bundleType,version:tu.version,rendererPackageName:tu.rendererPackageName,rendererConfig:tu.rendererConfig,overrideHookState:null,overrideHookStateDeletePath:null,overrideHookStateRenamePath:null,overrideProps:null,overridePropsDeletePath:null,overridePropsRenamePath:null,setErrorHandler:null,setSuspenseHandler:null,scheduleUpdate:null,currentDispatcherRef:w.ReactCurrentDispatcher,findHostInstanceByFiber:function(e){return null===(e=Qe(e))?null:e.stateNode},findFiberByHostInstance:tu.findFiberByHostInstance||function(){return null},findHostInstancesForRefresh:null,scheduleRefresh:null,scheduleRoot:null,setRefreshHandler:null,getCurrentFiber:null,reconcilerVersion:"18.3.1-next-f1338f8080-20240426"};if("undefined"!=typeof __REACT_DEVTOOLS_GLOBAL_HOOK__){var ru=__REACT_DEVTOOLS_GLOBAL_HOOK__;if(!ru.isDisabled&&ru.supportsFiber)try{at=ru.inject(nu),ot=ru}catch(ue){}}t.__SECRET_INTERNALS_DO_NOT_USE_OR_YOU_WILL_BE_FIRED=eu,t.createPortal=function(e,t){var n=2<arguments.length&&void 0!==arguments[2]?arguments[2]:null;if(!Xc(t))throw Error(o(200));return function(e,t,n){var r=3<arguments.length&&void 0!==arguments[3]?arguments[3]:null;return{$$typeof:x,key:null==r?null:""+r,children:e,containerInfo:t,implementation:n}}(e,t,null,n)},t.createRoot=function(e,t){if(!Xc(e))throw Error(o(299));var n=!1,r="",a=Wc;return null!=t&&(!0===t.unstable_strictMode&&(n=!0),void 0!==t.identifierPrefix&&(r=t.identifierPrefix),void 0!==t.onRecoverableError&&(a=t.onRecoverableError)),t=Bc(e,1,!1,null,0,n,0,r,a),e[ha]=t.current,Ur(8===e.nodeType?e.parentNode:e),new Vc(t)},t.findDOMNode=function(e){if(null==e)return null;if(1===e.nodeType)return e;var t=e._reactInternals;if(void 0===t){if("function"==typeof e.render)throw Error(o(188));throw e=Object.keys(e).join(","),Error(o(268,e))}return e=null===(e=Qe(t))?null:e.stateNode},t.flushSync=function(e){return uc(e)},t.hydrate=function(e,t,n){if(!Kc(t))throw Error(o(200));return Jc(null,e,t,!0,n)},t.hydrateRoot=function(e,t,n){if(!Xc(e))throw Error(o(405));var r=null!=n&&n.hydratedSources||null,a=!1,i="",s=Wc;if(null!=n&&(!0===n.unstable_strictMode&&(a=!0),void 0!==n.identifierPrefix&&(i=n.identifierPrefix),void 0!==n.onRecoverableError&&(s=n.onRecoverableError)),t=Uc(t,null,e,1,null!=n?n:null,a,0,i,s),e[ha]=t.current,Ur(e),r)for(e=0;e<r.length;e++)a=(a=(n=r[e])._getVersion)(n._source),null==t.mutableSourceEagerHydrationData?t.mutableSourceEagerHydrationData=[n,a]:t.mutableSourceEagerHydrationData.push(n,a);return new Gc(t)},t.render=function(e,t,n){if(!Kc(t))throw Error(o(200));return Jc(null,e,t,!1,n)},t.unmountComponentAtNode=function(e){if(!Kc(e))throw Error(o(40));return!!e._reactRootContainer&&(uc((function(){Jc(null,null,e,!1,(function(){e._reactRootContainer=null,e[ha]=null}))})),!0)},t.unstable_batchedUpdates=cc,t.unstable_renderSubtreeIntoContainer=function(e,t,n,r){if(!Kc(n))throw Error(o(200));if(null==e||void 0===e._reactInternals)throw Error(o(38));return Jc(e,t,n,!1,r)},t.version="18.3.1-next-f1338f8080-20240426"},745:(e,t,n)=>{"use strict";var r=n(3935);t.createRoot=r.createRoot,t.hydrateRoot=r.hydrateRoot},3935:(e,t,n)=>{"use strict";!function e(){if("undefined"!=typeof __REACT_DEVTOOLS_GLOBAL_HOOK__&&"function"==typeof __REACT_DEVTOOLS_GLOBAL_HOOK__.checkDCE)try{__REACT_DEVTOOLS_GLOBAL_HOOK__.checkDCE(e)}catch(t){console.error(t)}}(),e.exports=n(4448)},9590:e=>{var t="undefined"!=typeof Element,n="function"==typeof Map,r="function"==typeof Set,a="function"==typeof ArrayBuffer&&!!ArrayBuffer.isView;function o(e,i){if(e===i)return!0;if(e&&i&&"object"==typeof e&&"object"==typeof i){if(e.constructor!==i.constructor)return!1;var s,l,c,u;if(Array.isArray(e)){if((s=e.length)!=i.length)return!1;for(l=s;0!=l--;)if(!o(e[l],i[l]))return!1;return!0}if(n&&e instanceof Map&&i instanceof Map){if(e.size!==i.size)return!1;for(u=e.entries();!(l=u.next()).done;)if(!i.has(l.value[0]))return!1;for(u=e.entries();!(l=u.next()).done;)if(!o(l.value[1],i.get(l.value[0])))return!1;return!0}if(r&&e instanceof Set&&i instanceof Set){if(e.size!==i.size)return!1;for(u=e.entries();!(l=u.next()).done;)if(!i.has(l.value[0]))return!1;return!0}if(a&&ArrayBuffer.isView(e)&&ArrayBuffer.isView(i)){if((s=e.length)!=i.length)return!1;for(l=s;0!=l--;)if(e[l]!==i[l])return!1;return!0}if(e.constructor===RegExp)return e.source===i.source&&e.flags===i.flags;if(e.valueOf!==Object.prototype.valueOf&&"function"==typeof e.valueOf&&"function"==typeof i.valueOf)return e.valueOf()===i.valueOf();if(e.toString!==Object.prototype.toString&&"function"==typeof e.toString&&"function"==typeof i.toString)return e.toString()===i.toString();if((s=(c=Object.keys(e)).length)!==Object.keys(i).length)return!1;for(l=s;0!=l--;)if(!Object.prototype.hasOwnProperty.call(i,c[l]))return!1;if(t&&e instanceof Element)return!1;for(l=s;0!=l--;)if(("_owner"!==c[l]&&"__v"!==c[l]&&"__o"!==c[l]||!e.$$typeof)&&!o(e[c[l]],i[c[l]]))return!1;return!0}return e!=e&&i!=i}e.exports=function(e,t){try{return o(e,t)}catch(n){if((n.message||"").match(/stack|recursion/i))return console.warn("react-fast-compare cannot handle circular refs"),!1;throw n}}},405:(e,t,n)=>{"use strict";n.d(t,{B6:()=>Q,ql:()=>J});var r=n(7294),a=n(5697),o=n.n(a),i=n(9590),s=n.n(i),l=n(1143),c=n.n(l),u=n(6774),d=n.n(u);function p(){return p=Object.assign||function(e){for(var t=1;t<arguments.length;t++){var n=arguments[t];for(var r in n)Object.prototype.hasOwnProperty.call(n,r)&&(e[r]=n[r])}return e},p.apply(this,arguments)}function f(e,t){e.prototype=Object.create(t.prototype),e.prototype.constructor=e,h(e,t)}function h(e,t){return h=Object.setPrototypeOf||function(e,t){return e.__proto__=t,e},h(e,t)}function m(e,t){if(null==e)return{};var n,r,a={},o=Object.keys(e);for(r=0;r<o.length;r++)t.indexOf(n=o[r])>=0||(a[n]=e[n]);return a}var g={BASE:"base",BODY:"body",HEAD:"head",HTML:"html",LINK:"link",META:"meta",NOSCRIPT:"noscript",SCRIPT:"script",STYLE:"style",TITLE:"title",FRAGMENT:"Symbol(react.fragment)"},y={rel:["amphtml","canonical","alternate"]},b={type:["application/ld+json"]},v={charset:"",name:["robots","description"],property:["og:type","og:title","og:url","og:image","og:image:alt","og:description","twitter:url","twitter:title","twitter:description","twitter:image","twitter:image:alt","twitter:card","twitter:site"]},w=Object.keys(g).map((function(e){return g[e]})),k={accesskey:"accessKey",charset:"charSet",class:"className",contenteditable:"contentEditable",contextmenu:"contextMenu","http-equiv":"httpEquiv",itemprop:"itemProp",tabindex:"tabIndex"},x=Object.keys(k).reduce((function(e,t){return e[k[t]]=t,e}),{}),S=function(e,t){for(var n=e.length-1;n>=0;n-=1){var r=e[n];if(Object.prototype.hasOwnProperty.call(r,t))return r[t]}return null},E=function(e){var t=S(e,g.TITLE),n=S(e,"titleTemplate");if(Array.isArray(t)&&(t=t.join("")),n&&t)return n.replace(/%s/g,(function(){return t}));var r=S(e,"defaultTitle");return t||r||void 0},C=function(e){return S(e,"onChangeClientState")||function(){}},_=function(e,t){return t.filter((function(t){return void 0!==t[e]})).map((function(t){return t[e]})).reduce((function(e,t){return p({},e,t)}),{})},T=function(e,t){return t.filter((function(e){return void 0!==e[g.BASE]})).map((function(e){return e[g.BASE]})).reverse().reduce((function(t,n){if(!t.length)for(var r=Object.keys(n),a=0;a<r.length;a+=1){var o=r[a].toLowerCase();if(-1!==e.indexOf(o)&&n[o])return t.concat(n)}return t}),[])},L=function(e,t,n){var r={};return n.filter((function(t){return!!Array.isArray(t[e])||(void 0!==t[e]&&console&&"function"==typeof console.warn&&console.warn("Helmet: "+e+' should be of type "Array". Instead found type "'+typeof t[e]+'"'),!1)})).map((function(t){return t[e]})).reverse().reduce((function(e,n){var a={};n.filter((function(e){for(var n,o=Object.keys(e),i=0;i<o.length;i+=1){var s=o[i],l=s.toLowerCase();-1===t.indexOf(l)||"rel"===n&&"canonical"===e[n].toLowerCase()||"rel"===l&&"stylesheet"===e[l].toLowerCase()||(n=l),-1===t.indexOf(s)||"innerHTML"!==s&&"cssText"!==s&&"itemprop"!==s||(n=s)}if(!n||!e[n])return!1;var c=e[n].toLowerCase();return r[n]||(r[n]={}),a[n]||(a[n]={}),!r[n][c]&&(a[n][c]=!0,!0)})).reverse().forEach((function(t){return e.push(t)}));for(var o=Object.keys(a),i=0;i<o.length;i+=1){var s=o[i],l=p({},r[s],a[s]);r[s]=l}return e}),[]).reverse()},R=function(e,t){if(Array.isArray(e)&&e.length)for(var n=0;n<e.length;n+=1)if(e[n][t])return!0;return!1},j=function(e){return Array.isArray(e)?e.join(""):e},N=function(e,t){return Array.isArray(e)?e.reduce((function(e,n){return function(e,t){for(var n=Object.keys(e),r=0;r<n.length;r+=1)if(t[n[r]]&&t[n[r]].includes(e[n[r]]))return!0;return!1}(n,t)?e.priority.push(n):e.default.push(n),e}),{priority:[],default:[]}):{default:e}},P=function(e,t){var n;return p({},e,((n={})[t]=void 0,n))},A=[g.NOSCRIPT,g.SCRIPT,g.STYLE],O=function(e,t){return void 0===t&&(t=!0),!1===t?String(e):String(e).replace(/&/g,"&").replace(/</g,"<").replace(/>/g,">").replace(/"/g,""").replace(/'/g,"'")},I=function(e){return Object.keys(e).reduce((function(t,n){var r=void 0!==e[n]?n+'="'+e[n]+'"':""+n;return t?t+" "+r:r}),"")},D=function(e,t){return void 0===t&&(t={}),Object.keys(e).reduce((function(t,n){return t[k[n]||n]=e[n],t}),t)},F=function(e,t){return t.map((function(t,n){var a,o=((a={key:n})["data-rh"]=!0,a);return Object.keys(t).forEach((function(e){var n=k[e]||e;"innerHTML"===n||"cssText"===n?o.dangerouslySetInnerHTML={__html:t.innerHTML||t.cssText}:o[n]=t[e]})),r.createElement(e,o)}))},M=function(e,t,n){switch(e){case g.TITLE:return{toComponent:function(){return n=t.titleAttributes,(a={key:e=t.title})["data-rh"]=!0,o=D(n,a),[r.createElement(g.TITLE,o,e)];var e,n,a,o},toString:function(){return function(e,t,n,r){var a=I(n),o=j(t);return a?"<"+e+' data-rh="true" '+a+">"+O(o,r)+"</"+e+">":"<"+e+' data-rh="true">'+O(o,r)+"</"+e+">"}(e,t.title,t.titleAttributes,n)}};case"bodyAttributes":case"htmlAttributes":return{toComponent:function(){return D(t)},toString:function(){return I(t)}};default:return{toComponent:function(){return F(e,t)},toString:function(){return function(e,t,n){return t.reduce((function(t,r){var a=Object.keys(r).filter((function(e){return!("innerHTML"===e||"cssText"===e)})).reduce((function(e,t){var a=void 0===r[t]?t:t+'="'+O(r[t],n)+'"';return e?e+" "+a:a}),""),o=r.innerHTML||r.cssText||"",i=-1===A.indexOf(e);return t+"<"+e+' data-rh="true" '+a+(i?"/>":">"+o+"</"+e+">")}),"")}(e,t,n)}}}},z=function(e){var t=e.baseTag,n=e.bodyAttributes,r=e.encode,a=e.htmlAttributes,o=e.noscriptTags,i=e.styleTags,s=e.title,l=void 0===s?"":s,c=e.titleAttributes,u=e.linkTags,d=e.metaTags,p=e.scriptTags,f={toComponent:function(){},toString:function(){return""}};if(e.prioritizeSeoTags){var h=function(e){var t=e.linkTags,n=e.scriptTags,r=e.encode,a=N(e.metaTags,v),o=N(t,y),i=N(n,b);return{priorityMethods:{toComponent:function(){return[].concat(F(g.META,a.priority),F(g.LINK,o.priority),F(g.SCRIPT,i.priority))},toString:function(){return M(g.META,a.priority,r)+" "+M(g.LINK,o.priority,r)+" "+M(g.SCRIPT,i.priority,r)}},metaTags:a.default,linkTags:o.default,scriptTags:i.default}}(e);f=h.priorityMethods,u=h.linkTags,d=h.metaTags,p=h.scriptTags}return{priority:f,base:M(g.BASE,t,r),bodyAttributes:M("bodyAttributes",n,r),htmlAttributes:M("htmlAttributes",a,r),link:M(g.LINK,u,r),meta:M(g.META,d,r),noscript:M(g.NOSCRIPT,o,r),script:M(g.SCRIPT,p,r),style:M(g.STYLE,i,r),title:M(g.TITLE,{title:l,titleAttributes:c},r)}},B=[],$=function(e,t){var n=this;void 0===t&&(t="undefined"!=typeof document),this.instances=[],this.value={setHelmet:function(e){n.context.helmet=e},helmetInstances:{get:function(){return n.canUseDOM?B:n.instances},add:function(e){(n.canUseDOM?B:n.instances).push(e)},remove:function(e){var t=(n.canUseDOM?B:n.instances).indexOf(e);(n.canUseDOM?B:n.instances).splice(t,1)}}},this.context=e,this.canUseDOM=t,t||(e.helmet=z({baseTag:[],bodyAttributes:{},encodeSpecialCharacters:!0,htmlAttributes:{},linkTags:[],metaTags:[],noscriptTags:[],scriptTags:[],styleTags:[],title:"",titleAttributes:{}}))},U=r.createContext({}),q=o().shape({setHelmet:o().func,helmetInstances:o().shape({get:o().func,add:o().func,remove:o().func})}),H="undefined"!=typeof document,Q=function(e){function t(n){var r;return(r=e.call(this,n)||this).helmetData=new $(r.props.context,t.canUseDOM),r}return f(t,e),t.prototype.render=function(){return r.createElement(U.Provider,{value:this.helmetData.value},this.props.children)},t}(r.Component);Q.canUseDOM=H,Q.propTypes={context:o().shape({helmet:o().shape()}),children:o().node.isRequired},Q.defaultProps={context:{}},Q.displayName="HelmetProvider";var Z=function(e,t){var n,r=document.head||document.querySelector(g.HEAD),a=r.querySelectorAll(e+"[data-rh]"),o=[].slice.call(a),i=[];return t&&t.length&&t.forEach((function(t){var r=document.createElement(e);for(var a in t)Object.prototype.hasOwnProperty.call(t,a)&&("innerHTML"===a?r.innerHTML=t.innerHTML:"cssText"===a?r.styleSheet?r.styleSheet.cssText=t.cssText:r.appendChild(document.createTextNode(t.cssText)):r.setAttribute(a,void 0===t[a]?"":t[a]));r.setAttribute("data-rh","true"),o.some((function(e,t){return n=t,r.isEqualNode(e)}))?o.splice(n,1):i.push(r)})),o.forEach((function(e){return e.parentNode.removeChild(e)})),i.forEach((function(e){return r.appendChild(e)})),{oldTags:o,newTags:i}},W=function(e,t){var n=document.getElementsByTagName(e)[0];if(n){for(var r=n.getAttribute("data-rh"),a=r?r.split(","):[],o=[].concat(a),i=Object.keys(t),s=0;s<i.length;s+=1){var l=i[s],c=t[l]||"";n.getAttribute(l)!==c&&n.setAttribute(l,c),-1===a.indexOf(l)&&a.push(l);var u=o.indexOf(l);-1!==u&&o.splice(u,1)}for(var d=o.length-1;d>=0;d-=1)n.removeAttribute(o[d]);a.length===o.length?n.removeAttribute("data-rh"):n.getAttribute("data-rh")!==i.join(",")&&n.setAttribute("data-rh",i.join(","))}},V=function(e,t){var n=e.baseTag,r=e.htmlAttributes,a=e.linkTags,o=e.metaTags,i=e.noscriptTags,s=e.onChangeClientState,l=e.scriptTags,c=e.styleTags,u=e.title,d=e.titleAttributes;W(g.BODY,e.bodyAttributes),W(g.HTML,r),function(e,t){void 0!==e&&document.title!==e&&(document.title=j(e)),W(g.TITLE,t)}(u,d);var p={baseTag:Z(g.BASE,n),linkTags:Z(g.LINK,a),metaTags:Z(g.META,o),noscriptTags:Z(g.NOSCRIPT,i),scriptTags:Z(g.SCRIPT,l),styleTags:Z(g.STYLE,c)},f={},h={};Object.keys(p).forEach((function(e){var t=p[e],n=t.newTags,r=t.oldTags;n.length&&(f[e]=n),r.length&&(h[e]=p[e].oldTags)})),t&&t(),s(e,f,h)},G=null,X=function(e){function t(){for(var t,n=arguments.length,r=new Array(n),a=0;a<n;a++)r[a]=arguments[a];return(t=e.call.apply(e,[this].concat(r))||this).rendered=!1,t}f(t,e);var n=t.prototype;return n.shouldComponentUpdate=function(e){return!d()(e,this.props)},n.componentDidUpdate=function(){this.emitChange()},n.componentWillUnmount=function(){this.props.context.helmetInstances.remove(this),this.emitChange()},n.emitChange=function(){var e,t,n=this.props.context,r=n.setHelmet,a=null,o=(e=n.helmetInstances.get().map((function(e){var t=p({},e.props);return delete t.context,t})),{baseTag:T(["href"],e),bodyAttributes:_("bodyAttributes",e),defer:S(e,"defer"),encode:S(e,"encodeSpecialCharacters"),htmlAttributes:_("htmlAttributes",e),linkTags:L(g.LINK,["rel","href"],e),metaTags:L(g.META,["name","charset","http-equiv","property","itemprop"],e),noscriptTags:L(g.NOSCRIPT,["innerHTML"],e),onChangeClientState:C(e),scriptTags:L(g.SCRIPT,["src","innerHTML"],e),styleTags:L(g.STYLE,["cssText"],e),title:E(e),titleAttributes:_("titleAttributes",e),prioritizeSeoTags:R(e,"prioritizeSeoTags")});Q.canUseDOM?(t=o,G&&cancelAnimationFrame(G),t.defer?G=requestAnimationFrame((function(){V(t,(function(){G=null}))})):(V(t),G=null)):z&&(a=z(o)),r(a)},n.init=function(){this.rendered||(this.rendered=!0,this.props.context.helmetInstances.add(this),this.emitChange())},n.render=function(){return this.init(),null},t}(r.Component);X.propTypes={context:q.isRequired},X.displayName="HelmetDispatcher";var K=["children"],Y=["children"],J=function(e){function t(){return e.apply(this,arguments)||this}f(t,e);var n=t.prototype;return n.shouldComponentUpdate=function(e){return!s()(P(this.props,"helmetData"),P(e,"helmetData"))},n.mapNestedChildrenToProps=function(e,t){if(!t)return null;switch(e.type){case g.SCRIPT:case g.NOSCRIPT:return{innerHTML:t};case g.STYLE:return{cssText:t};default:throw new Error("<"+e.type+" /> elements are self-closing and can not contain children. Refer to our API for more information.")}},n.flattenArrayTypeChildren=function(e){var t,n=e.child,r=e.arrayTypeChildren;return p({},r,((t={})[n.type]=[].concat(r[n.type]||[],[p({},e.newChildProps,this.mapNestedChildrenToProps(n,e.nestedChildren))]),t))},n.mapObjectTypeChildren=function(e){var t,n,r=e.child,a=e.newProps,o=e.newChildProps,i=e.nestedChildren;switch(r.type){case g.TITLE:return p({},a,((t={})[r.type]=i,t.titleAttributes=p({},o),t));case g.BODY:return p({},a,{bodyAttributes:p({},o)});case g.HTML:return p({},a,{htmlAttributes:p({},o)});default:return p({},a,((n={})[r.type]=p({},o),n))}},n.mapArrayTypeChildrenToProps=function(e,t){var n=p({},t);return Object.keys(e).forEach((function(t){var r;n=p({},n,((r={})[t]=e[t],r))})),n},n.warnOnInvalidChildren=function(e,t){return c()(w.some((function(t){return e.type===t})),"function"==typeof e.type?"You may be attempting to nest <Helmet> components within each other, which is not allowed. Refer to our API for more information.":"Only elements types "+w.join(", ")+" are allowed. Helmet does not support rendering <"+e.type+"> elements. Refer to our API for more information."),c()(!t||"string"==typeof t||Array.isArray(t)&&!t.some((function(e){return"string"!=typeof e})),"Helmet expects a string as a child of <"+e.type+">. Did you forget to wrap your children in braces? ( <"+e.type+">{``}</"+e.type+"> ) Refer to our API for more information."),!0},n.mapChildrenToProps=function(e,t){var n=this,a={};return r.Children.forEach(e,(function(e){if(e&&e.props){var r=e.props,o=r.children,i=m(r,K),s=Object.keys(i).reduce((function(e,t){return e[x[t]||t]=i[t],e}),{}),l=e.type;switch("symbol"==typeof l?l=l.toString():n.warnOnInvalidChildren(e,o),l){case g.FRAGMENT:t=n.mapChildrenToProps(o,t);break;case g.LINK:case g.META:case g.NOSCRIPT:case g.SCRIPT:case g.STYLE:a=n.flattenArrayTypeChildren({child:e,arrayTypeChildren:a,newChildProps:s,nestedChildren:o});break;default:t=n.mapObjectTypeChildren({child:e,newProps:t,newChildProps:s,nestedChildren:o})}}})),this.mapArrayTypeChildrenToProps(a,t)},n.render=function(){var e=this.props,t=e.children,n=m(e,Y),a=p({},n),o=n.helmetData;return t&&(a=this.mapChildrenToProps(t,a)),!o||o instanceof $||(o=new $(o.context,o.instances)),o?r.createElement(X,p({},a,{context:o.value,helmetData:void 0})):r.createElement(U.Consumer,null,(function(e){return r.createElement(X,p({},a,{context:e}))}))},t}(r.Component);J.propTypes={base:o().object,bodyAttributes:o().object,children:o().oneOfType([o().arrayOf(o().node),o().node]),defaultTitle:o().string,defer:o().bool,encodeSpecialCharacters:o().bool,htmlAttributes:o().object,link:o().arrayOf(o().object),meta:o().arrayOf(o().object),noscript:o().arrayOf(o().object),onChangeClientState:o().func,script:o().arrayOf(o().object),style:o().arrayOf(o().object),title:o().string,titleAttributes:o().object,titleTemplate:o().string,prioritizeSeoTags:o().bool,helmetData:o().object},J.defaultProps={defer:!0,encodeSpecialCharacters:!0,prioritizeSeoTags:!1},J.displayName="Helmet"},9921:(e,t)=>{"use strict";var n="function"==typeof Symbol&&Symbol.for,r=n?Symbol.for("react.element"):60103,a=n?Symbol.for("react.portal"):60106,o=n?Symbol.for("react.fragment"):60107,i=n?Symbol.for("react.strict_mode"):60108,s=n?Symbol.for("react.profiler"):60114,l=n?Symbol.for("react.provider"):60109,c=n?Symbol.for("react.context"):60110,u=n?Symbol.for("react.async_mode"):60111,d=n?Symbol.for("react.concurrent_mode"):60111,p=n?Symbol.for("react.forward_ref"):60112,f=n?Symbol.for("react.suspense"):60113,h=n?Symbol.for("react.suspense_list"):60120,m=n?Symbol.for("react.memo"):60115,g=n?Symbol.for("react.lazy"):60116,y=n?Symbol.for("react.block"):60121,b=n?Symbol.for("react.fundamental"):60117,v=n?Symbol.for("react.responder"):60118,w=n?Symbol.for("react.scope"):60119;function k(e){if("object"==typeof e&&null!==e){var t=e.$$typeof;switch(t){case r:switch(e=e.type){case u:case d:case o:case s:case i:case f:return e;default:switch(e=e&&e.$$typeof){case c:case p:case g:case m:case l:return e;default:return t}}case a:return t}}}function x(e){return k(e)===d}t.AsyncMode=u,t.ConcurrentMode=d,t.ContextConsumer=c,t.ContextProvider=l,t.Element=r,t.ForwardRef=p,t.Fragment=o,t.Lazy=g,t.Memo=m,t.Portal=a,t.Profiler=s,t.StrictMode=i,t.Suspense=f,t.isAsyncMode=function(e){return x(e)||k(e)===u},t.isConcurrentMode=x,t.isContextConsumer=function(e){return k(e)===c},t.isContextProvider=function(e){return k(e)===l},t.isElement=function(e){return"object"==typeof e&&null!==e&&e.$$typeof===r},t.isForwardRef=function(e){return k(e)===p},t.isFragment=function(e){return k(e)===o},t.isLazy=function(e){return k(e)===g},t.isMemo=function(e){return k(e)===m},t.isPortal=function(e){return k(e)===a},t.isProfiler=function(e){return k(e)===s},t.isStrictMode=function(e){return k(e)===i},t.isSuspense=function(e){return k(e)===f},t.isValidElementType=function(e){return"string"==typeof e||"function"==typeof e||e===o||e===d||e===s||e===i||e===f||e===h||"object"==typeof e&&null!==e&&(e.$$typeof===g||e.$$typeof===m||e.$$typeof===l||e.$$typeof===c||e.$$typeof===p||e.$$typeof===b||e.$$typeof===v||e.$$typeof===w||e.$$typeof===y)},t.typeOf=k},9864:(e,t,n)=>{"use strict";e.exports=n(9921)},8356:(e,t,n)=>{"use strict";function r(e,t){e.prototype=Object.create(t.prototype),e.prototype.constructor=e,e.__proto__=t}function a(e){if(void 0===e)throw new ReferenceError("this hasn't been initialised - super() hasn't been called");return e}function o(e,t,n){return t in e?Object.defineProperty(e,t,{value:n,enumerable:!0,configurable:!0,writable:!0}):e[t]=n,e}function i(){return i=Object.assign||function(e){for(var t=1;t<arguments.length;t++){var n=arguments[t];for(var r in n)Object.prototype.hasOwnProperty.call(n,r)&&(e[r]=n[r])}return e},i.apply(this,arguments)}var s=n(7294),l=[],c=[];var u=s.createContext(null);function d(e){var t=e(),n={loading:!0,loaded:null,error:null};return n.promise=t.then((function(e){return n.loading=!1,n.loaded=e,e})).catch((function(e){throw n.loading=!1,n.error=e,e})),n}function p(e){var t={loading:!1,loaded:{},error:null},n=[];try{Object.keys(e).forEach((function(r){var a=d(e[r]);a.loading?t.loading=!0:(t.loaded[r]=a.loaded,t.error=a.error),n.push(a.promise),a.promise.then((function(e){t.loaded[r]=e})).catch((function(e){t.error=e}))}))}catch(r){t.error=r}return t.promise=Promise.all(n).then((function(e){return t.loading=!1,e})).catch((function(e){throw t.loading=!1,e})),t}function f(e,t){return s.createElement((n=e)&&n.__esModule?n.default:n,t);var n}function h(e,t){var d,p;if(!t.loading)throw new Error("react-loadable requires a `loading` component");var h=i({loader:null,loading:null,delay:200,timeout:null,render:f,webpack:null,modules:null},t),m=null;function g(){return m||(m=e(h.loader)),m.promise}return l.push(g),"function"==typeof h.webpack&&c.push((function(){if((0,h.webpack)().every((function(e){return void 0!==e&&void 0!==n.m[e]})))return g()})),p=d=function(t){function n(n){var r;return o(a(a(r=t.call(this,n)||this)),"retry",(function(){r.setState({error:null,loading:!0,timedOut:!1}),m=e(h.loader),r._loadModule()})),g(),r.state={error:m.error,pastDelay:!1,timedOut:!1,loading:m.loading,loaded:m.loaded},r}r(n,t),n.preload=function(){return g()};var i=n.prototype;return i.UNSAFE_componentWillMount=function(){this._loadModule()},i.componentDidMount=function(){this._mounted=!0},i._loadModule=function(){var e=this;if(this.context&&Array.isArray(h.modules)&&h.modules.forEach((function(t){e.context.report(t)})),m.loading){var t=function(t){e._mounted&&e.setState(t)};"number"==typeof h.delay&&(0===h.delay?this.setState({pastDelay:!0}):this._delay=setTimeout((function(){t({pastDelay:!0})}),h.delay)),"number"==typeof h.timeout&&(this._timeout=setTimeout((function(){t({timedOut:!0})}),h.timeout));var n=function(){t({error:m.error,loaded:m.loaded,loading:m.loading}),e._clearTimeouts()};m.promise.then((function(){return n(),null})).catch((function(e){return n(),null}))}},i.componentWillUnmount=function(){this._mounted=!1,this._clearTimeouts()},i._clearTimeouts=function(){clearTimeout(this._delay),clearTimeout(this._timeout)},i.render=function(){return this.state.loading||this.state.error?s.createElement(h.loading,{isLoading:this.state.loading,pastDelay:this.state.pastDelay,timedOut:this.state.timedOut,error:this.state.error,retry:this.retry}):this.state.loaded?h.render(this.state.loaded,this.props):null},n}(s.Component),o(d,"contextType",u),p}function m(e){return h(d,e)}m.Map=function(e){if("function"!=typeof e.render)throw new Error("LoadableMap requires a `render(loaded, props)` function");return h(p,e)};var g=function(e){function t(){return e.apply(this,arguments)||this}return r(t,e),t.prototype.render=function(){return s.createElement(u.Provider,{value:{report:this.props.report}},s.Children.only(this.props.children))},t}(s.Component);function y(e){for(var t=[];e.length;){var n=e.pop();t.push(n())}return Promise.all(t).then((function(){if(e.length)return y(e)}))}m.Capture=g,m.preloadAll=function(){return new Promise((function(e,t){y(l).then(e,t)}))},m.preloadReady=function(){return new Promise((function(e,t){y(c).then(e,e)}))},e.exports=m},8790:(e,t,n)=>{"use strict";n.d(t,{H:()=>s,f:()=>i});var r=n(6550),a=n(7462),o=n(7294);function i(e,t,n){return void 0===n&&(n=[]),e.some((function(e){var a=e.path?(0,r.LX)(t,e):n.length?n[n.length-1].match:r.F0.computeRootMatch(t);return a&&(n.push({route:e,match:a}),e.routes&&i(e.routes,t,n)),a})),n}function s(e,t,n){return void 0===t&&(t={}),void 0===n&&(n={}),e?o.createElement(r.rs,n,e.map((function(e,n){return o.createElement(r.AW,{key:e.key||n,path:e.path,exact:e.exact,strict:e.strict,render:function(n){return e.render?e.render((0,a.Z)({},n,{},t,{route:e})):o.createElement(e.component,(0,a.Z)({},n,t,{route:e}))}})}))):null}},3727:(e,t,n)=>{"use strict";n.d(t,{OL:()=>w,UT:()=>d,VK:()=>u,rU:()=>y});var r=n(6550),a=n(5068),o=n(7294),i=n(9318),s=n(7462),l=n(3366),c=n(8776),u=function(e){function t(){for(var t,n=arguments.length,r=new Array(n),a=0;a<n;a++)r[a]=arguments[a];return(t=e.call.apply(e,[this].concat(r))||this).history=(0,i.lX)(t.props),t}return(0,a.Z)(t,e),t.prototype.render=function(){return o.createElement(r.F0,{history:this.history,children:this.props.children})},t}(o.Component);var d=function(e){function t(){for(var t,n=arguments.length,r=new Array(n),a=0;a<n;a++)r[a]=arguments[a];return(t=e.call.apply(e,[this].concat(r))||this).history=(0,i.q_)(t.props),t}return(0,a.Z)(t,e),t.prototype.render=function(){return o.createElement(r.F0,{history:this.history,children:this.props.children})},t}(o.Component);var p=function(e,t){return"function"==typeof e?e(t):e},f=function(e,t){return"string"==typeof e?(0,i.ob)(e,null,null,t):e},h=function(e){return e},m=o.forwardRef;void 0===m&&(m=h);var g=m((function(e,t){var n=e.innerRef,r=e.navigate,a=e.onClick,i=(0,l.Z)(e,["innerRef","navigate","onClick"]),c=i.target,u=(0,s.Z)({},i,{onClick:function(e){try{a&&a(e)}catch(t){throw e.preventDefault(),t}e.defaultPrevented||0!==e.button||c&&"_self"!==c||function(e){return!!(e.metaKey||e.altKey||e.ctrlKey||e.shiftKey)}(e)||(e.preventDefault(),r())}});return u.ref=h!==m&&t||n,o.createElement("a",u)}));var y=m((function(e,t){var n=e.component,a=void 0===n?g:n,u=e.replace,d=e.to,y=e.innerRef,b=(0,l.Z)(e,["component","replace","to","innerRef"]);return o.createElement(r.s6.Consumer,null,(function(e){e||(0,c.Z)(!1);var n=e.history,r=f(p(d,e.location),e.location),l=r?n.createHref(r):"",g=(0,s.Z)({},b,{href:l,navigate:function(){var t=p(d,e.location),r=(0,i.Ep)(e.location)===(0,i.Ep)(f(t));(u||r?n.replace:n.push)(t)}});return h!==m?g.ref=t||y:g.innerRef=y,o.createElement(a,g)}))})),b=function(e){return e},v=o.forwardRef;void 0===v&&(v=b);var w=v((function(e,t){var n=e["aria-current"],a=void 0===n?"page":n,i=e.activeClassName,u=void 0===i?"active":i,d=e.activeStyle,h=e.className,m=e.exact,g=e.isActive,w=e.location,k=e.sensitive,x=e.strict,S=e.style,E=e.to,C=e.innerRef,_=(0,l.Z)(e,["aria-current","activeClassName","activeStyle","className","exact","isActive","location","sensitive","strict","style","to","innerRef"]);return o.createElement(r.s6.Consumer,null,(function(e){e||(0,c.Z)(!1);var n=w||e.location,i=f(p(E,n),n),l=i.pathname,T=l&&l.replace(/([.+*?=^!:${}()[\]|/\\])/g,"\\$1"),L=T?(0,r.LX)(n.pathname,{path:T,exact:m,sensitive:k,strict:x}):null,R=!!(g?g(L,n):L),j="function"==typeof h?h(R):h,N="function"==typeof S?S(R):S;R&&(j=function(){for(var e=arguments.length,t=new Array(e),n=0;n<e;n++)t[n]=arguments[n];return t.filter((function(e){return e})).join(" ")}(j,u),N=(0,s.Z)({},N,d));var P=(0,s.Z)({"aria-current":R&&a||null,className:j,style:N,to:i},_);return b!==v?P.ref=t||C:P.innerRef=C,o.createElement(y,P)}))}))},6550:(e,t,n)=>{"use strict";n.d(t,{AW:()=>E,F0:()=>v,LX:()=>S,TH:()=>A,k6:()=>P,rs:()=>j,s6:()=>b});var r=n(5068),a=n(7294),o=n(5697),i=n.n(o),s=n(9318),l=n(8776),c=n(7462),u=n(9658),d=n.n(u),p=(n(9864),n(3366)),f=(n(8679),1073741823),h="undefined"!=typeof globalThis?globalThis:"undefined"!=typeof window?window:void 0!==n.g?n.g:{};var m=a.createContext||function(e,t){var n,o,s="__create-react-context-"+function(){var e="__global_unique_id__";return h[e]=(h[e]||0)+1}()+"__",l=function(e){function n(){for(var t,n,r,a=arguments.length,o=new Array(a),i=0;i<a;i++)o[i]=arguments[i];return(t=e.call.apply(e,[this].concat(o))||this).emitter=(n=t.props.value,r=[],{on:function(e){r.push(e)},off:function(e){r=r.filter((function(t){return t!==e}))},get:function(){return n},set:function(e,t){n=e,r.forEach((function(e){return e(n,t)}))}}),t}(0,r.Z)(n,e);var a=n.prototype;return a.getChildContext=function(){var e;return(e={})[s]=this.emitter,e},a.componentWillReceiveProps=function(e){if(this.props.value!==e.value){var n,r=this.props.value,a=e.value;((o=r)===(i=a)?0!==o||1/o==1/i:o!=o&&i!=i)?n=0:(n="function"==typeof t?t(r,a):f,0!==(n|=0)&&this.emitter.set(e.value,n))}var o,i},a.render=function(){return this.props.children},n}(a.Component);l.childContextTypes=((n={})[s]=i().object.isRequired,n);var c=function(t){function n(){for(var e,n=arguments.length,r=new Array(n),a=0;a<n;a++)r[a]=arguments[a];return(e=t.call.apply(t,[this].concat(r))||this).observedBits=void 0,e.state={value:e.getValue()},e.onUpdate=function(t,n){0!=((0|e.observedBits)&n)&&e.setState({value:e.getValue()})},e}(0,r.Z)(n,t);var a=n.prototype;return a.componentWillReceiveProps=function(e){var t=e.observedBits;this.observedBits=null==t?f:t},a.componentDidMount=function(){this.context[s]&&this.context[s].on(this.onUpdate);var e=this.props.observedBits;this.observedBits=null==e?f:e},a.componentWillUnmount=function(){this.context[s]&&this.context[s].off(this.onUpdate)},a.getValue=function(){return this.context[s]?this.context[s].get():e},a.render=function(){return(e=this.props.children,Array.isArray(e)?e[0]:e)(this.state.value);var e},n}(a.Component);return c.contextTypes=((o={})[s]=i().object,o),{Provider:l,Consumer:c}},g=function(e){var t=m();return t.displayName=e,t},y=g("Router-History"),b=g("Router"),v=function(e){function t(t){var n;return(n=e.call(this,t)||this).state={location:t.history.location},n._isMounted=!1,n._pendingLocation=null,t.staticContext||(n.unlisten=t.history.listen((function(e){n._pendingLocation=e}))),n}(0,r.Z)(t,e),t.computeRootMatch=function(e){return{path:"/",url:"/",params:{},isExact:"/"===e}};var n=t.prototype;return n.componentDidMount=function(){var e=this;this._isMounted=!0,this.unlisten&&this.unlisten(),this.props.staticContext||(this.unlisten=this.props.history.listen((function(t){e._isMounted&&e.setState({location:t})}))),this._pendingLocation&&this.setState({location:this._pendingLocation})},n.componentWillUnmount=function(){this.unlisten&&(this.unlisten(),this._isMounted=!1,this._pendingLocation=null)},n.render=function(){return a.createElement(b.Provider,{value:{history:this.props.history,location:this.state.location,match:t.computeRootMatch(this.state.location.pathname),staticContext:this.props.staticContext}},a.createElement(y.Provider,{children:this.props.children||null,value:this.props.history}))},t}(a.Component);a.Component;a.Component;var w={},k=1e4,x=0;function S(e,t){void 0===t&&(t={}),("string"==typeof t||Array.isArray(t))&&(t={path:t});var n=t,r=n.path,a=n.exact,o=void 0!==a&&a,i=n.strict,s=void 0!==i&&i,l=n.sensitive,c=void 0!==l&&l;return[].concat(r).reduce((function(t,n){if(!n&&""!==n)return null;if(t)return t;var r=function(e,t){var n=""+t.end+t.strict+t.sensitive,r=w[n]||(w[n]={});if(r[e])return r[e];var a=[],o={regexp:d()(e,a,t),keys:a};return x<k&&(r[e]=o,x++),o}(n,{end:o,strict:s,sensitive:c}),a=r.regexp,i=r.keys,l=a.exec(e);if(!l)return null;var u=l[0],p=l.slice(1),f=e===u;return o&&!f?null:{path:n,url:"/"===n&&""===u?"/":u,isExact:f,params:i.reduce((function(e,t,n){return e[t.name]=p[n],e}),{})}}),null)}var E=function(e){function t(){return e.apply(this,arguments)||this}return(0,r.Z)(t,e),t.prototype.render=function(){var e=this;return a.createElement(b.Consumer,null,(function(t){t||(0,l.Z)(!1);var n=e.props.location||t.location,r=e.props.computedMatch?e.props.computedMatch:e.props.path?S(n.pathname,e.props):t.match,o=(0,c.Z)({},t,{location:n,match:r}),i=e.props,s=i.children,u=i.component,d=i.render;return Array.isArray(s)&&function(e){return 0===a.Children.count(e)}(s)&&(s=null),a.createElement(b.Provider,{value:o},o.match?s?"function"==typeof s?s(o):s:u?a.createElement(u,o):d?d(o):null:"function"==typeof s?s(o):null)}))},t}(a.Component);function C(e){return"/"===e.charAt(0)?e:"/"+e}function _(e,t){if(!e)return t;var n=C(e);return 0!==t.pathname.indexOf(n)?t:(0,c.Z)({},t,{pathname:t.pathname.substr(n.length)})}function T(e){return"string"==typeof e?e:(0,s.Ep)(e)}function L(e){return function(){(0,l.Z)(!1)}}function R(){}a.Component;var j=function(e){function t(){return e.apply(this,arguments)||this}return(0,r.Z)(t,e),t.prototype.render=function(){var e=this;return a.createElement(b.Consumer,null,(function(t){t||(0,l.Z)(!1);var n,r,o=e.props.location||t.location;return a.Children.forEach(e.props.children,(function(e){if(null==r&&a.isValidElement(e)){n=e;var i=e.props.path||e.props.from;r=i?S(o.pathname,(0,c.Z)({},e.props,{path:i})):t.match}})),r?a.cloneElement(n,{location:o,computedMatch:r}):null}))},t}(a.Component);var N=a.useContext;function P(){return N(y)}function A(){return N(b).location}},9658:(e,t,n)=>{var r=n(5826);e.exports=f,e.exports.parse=o,e.exports.compile=function(e,t){return s(o(e,t),t)},e.exports.tokensToFunction=s,e.exports.tokensToRegExp=p;var a=new RegExp(["(\\\\.)","([\\/.])?(?:(?:\\:(\\w+)(?:\\(((?:\\\\.|[^\\\\()])+)\\))?|\\(((?:\\\\.|[^\\\\()])+)\\))([+*?])?|(\\*))"].join("|"),"g");function o(e,t){for(var n,r=[],o=0,i=0,s="",u=t&&t.delimiter||"/";null!=(n=a.exec(e));){var d=n[0],p=n[1],f=n.index;if(s+=e.slice(i,f),i=f+d.length,p)s+=p[1];else{var h=e[i],m=n[2],g=n[3],y=n[4],b=n[5],v=n[6],w=n[7];s&&(r.push(s),s="");var k=null!=m&&null!=h&&h!==m,x="+"===v||"*"===v,S="?"===v||"*"===v,E=n[2]||u,C=y||b;r.push({name:g||o++,prefix:m||"",delimiter:E,optional:S,repeat:x,partial:k,asterisk:!!w,pattern:C?c(C):w?".*":"[^"+l(E)+"]+?"})}}return i<e.length&&(s+=e.substr(i)),s&&r.push(s),r}function i(e){return encodeURI(e).replace(/[\/?#]/g,(function(e){return"%"+e.charCodeAt(0).toString(16).toUpperCase()}))}function s(e,t){for(var n=new Array(e.length),a=0;a<e.length;a++)"object"==typeof e[a]&&(n[a]=new RegExp("^(?:"+e[a].pattern+")$",d(t)));return function(t,a){for(var o="",s=t||{},l=(a||{}).pretty?i:encodeURIComponent,c=0;c<e.length;c++){var u=e[c];if("string"!=typeof u){var d,p=s[u.name];if(null==p){if(u.optional){u.partial&&(o+=u.prefix);continue}throw new TypeError('Expected "'+u.name+'" to be defined')}if(r(p)){if(!u.repeat)throw new TypeError('Expected "'+u.name+'" to not repeat, but received `'+JSON.stringify(p)+"`");if(0===p.length){if(u.optional)continue;throw new TypeError('Expected "'+u.name+'" to not be empty')}for(var f=0;f<p.length;f++){if(d=l(p[f]),!n[c].test(d))throw new TypeError('Expected all "'+u.name+'" to match "'+u.pattern+'", but received `'+JSON.stringify(d)+"`");o+=(0===f?u.prefix:u.delimiter)+d}}else{if(d=u.asterisk?encodeURI(p).replace(/[?#]/g,(function(e){return"%"+e.charCodeAt(0).toString(16).toUpperCase()})):l(p),!n[c].test(d))throw new TypeError('Expected "'+u.name+'" to match "'+u.pattern+'", but received "'+d+'"');o+=u.prefix+d}}else o+=u}return o}}function l(e){return e.replace(/([.+*?=^!:${}()[\]|\/\\])/g,"\\$1")}function c(e){return e.replace(/([=!:$\/()])/g,"\\$1")}function u(e,t){return e.keys=t,e}function d(e){return e&&e.sensitive?"":"i"}function p(e,t,n){r(t)||(n=t||n,t=[]);for(var a=(n=n||{}).strict,o=!1!==n.end,i="",s=0;s<e.length;s++){var c=e[s];if("string"==typeof c)i+=l(c);else{var p=l(c.prefix),f="(?:"+c.pattern+")";t.push(c),c.repeat&&(f+="(?:"+p+f+")*"),i+=f=c.optional?c.partial?p+"("+f+")?":"(?:"+p+"("+f+"))?":p+"("+f+")"}}var h=l(n.delimiter||"/"),m=i.slice(-h.length)===h;return a||(i=(m?i.slice(0,-h.length):i)+"(?:"+h+"(?=$))?"),i+=o?"$":a&&m?"":"(?="+h+"|$)",u(new RegExp("^"+i,d(n)),t)}function f(e,t,n){return r(t)||(n=t||n,t=[]),n=n||{},e instanceof RegExp?function(e,t){var n=e.source.match(/\((?!\?)/g);if(n)for(var r=0;r<n.length;r++)t.push({name:r,prefix:null,delimiter:null,optional:!1,repeat:!1,partial:!1,asterisk:!1,pattern:null});return u(e,t)}(e,t):r(e)?function(e,t,n){for(var r=[],a=0;a<e.length;a++)r.push(f(e[a],t,n).source);return u(new RegExp("(?:"+r.join("|")+")",d(n)),t)}(e,t,n):function(e,t,n){return p(o(e,n),t,n)}(e,t,n)}},5251:(e,t,n)=>{"use strict";var r=n(7294),a=Symbol.for("react.element"),o=Symbol.for("react.fragment"),i=Object.prototype.hasOwnProperty,s=r.__SECRET_INTERNALS_DO_NOT_USE_OR_YOU_WILL_BE_FIRED.ReactCurrentOwner,l={key:!0,ref:!0,__self:!0,__source:!0};function c(e,t,n){var r,o={},c=null,u=null;for(r in void 0!==n&&(c=""+n),void 0!==t.key&&(c=""+t.key),void 0!==t.ref&&(u=t.ref),t)i.call(t,r)&&!l.hasOwnProperty(r)&&(o[r]=t[r]);if(e&&e.defaultProps)for(r in t=e.defaultProps)void 0===o[r]&&(o[r]=t[r]);return{$$typeof:a,type:e,key:c,ref:u,props:o,_owner:s.current}}t.Fragment=o,t.jsx=c,t.jsxs=c},2408:(e,t)=>{"use strict";var n=Symbol.for("react.element"),r=Symbol.for("react.portal"),a=Symbol.for("react.fragment"),o=Symbol.for("react.strict_mode"),i=Symbol.for("react.profiler"),s=Symbol.for("react.provider"),l=Symbol.for("react.context"),c=Symbol.for("react.forward_ref"),u=Symbol.for("react.suspense"),d=Symbol.for("react.memo"),p=Symbol.for("react.lazy"),f=Symbol.iterator;var h={isMounted:function(){return!1},enqueueForceUpdate:function(){},enqueueReplaceState:function(){},enqueueSetState:function(){}},m=Object.assign,g={};function y(e,t,n){this.props=e,this.context=t,this.refs=g,this.updater=n||h}function b(){}function v(e,t,n){this.props=e,this.context=t,this.refs=g,this.updater=n||h}y.prototype.isReactComponent={},y.prototype.setState=function(e,t){if("object"!=typeof e&&"function"!=typeof e&&null!=e)throw Error("setState(...): takes an object of state variables to update or a function which returns an object of state variables.");this.updater.enqueueSetState(this,e,t,"setState")},y.prototype.forceUpdate=function(e){this.updater.enqueueForceUpdate(this,e,"forceUpdate")},b.prototype=y.prototype;var w=v.prototype=new b;w.constructor=v,m(w,y.prototype),w.isPureReactComponent=!0;var k=Array.isArray,x=Object.prototype.hasOwnProperty,S={current:null},E={key:!0,ref:!0,__self:!0,__source:!0};function C(e,t,r){var a,o={},i=null,s=null;if(null!=t)for(a in void 0!==t.ref&&(s=t.ref),void 0!==t.key&&(i=""+t.key),t)x.call(t,a)&&!E.hasOwnProperty(a)&&(o[a]=t[a]);var l=arguments.length-2;if(1===l)o.children=r;else if(1<l){for(var c=Array(l),u=0;u<l;u++)c[u]=arguments[u+2];o.children=c}if(e&&e.defaultProps)for(a in l=e.defaultProps)void 0===o[a]&&(o[a]=l[a]);return{$$typeof:n,type:e,key:i,ref:s,props:o,_owner:S.current}}function _(e){return"object"==typeof e&&null!==e&&e.$$typeof===n}var T=/\/+/g;function L(e,t){return"object"==typeof e&&null!==e&&null!=e.key?function(e){var t={"=":"=0",":":"=2"};return"$"+e.replace(/[=:]/g,(function(e){return t[e]}))}(""+e.key):t.toString(36)}function R(e,t,a,o,i){var s=typeof e;"undefined"!==s&&"boolean"!==s||(e=null);var l=!1;if(null===e)l=!0;else switch(s){case"string":case"number":l=!0;break;case"object":switch(e.$$typeof){case n:case r:l=!0}}if(l)return i=i(l=e),e=""===o?"."+L(l,0):o,k(i)?(a="",null!=e&&(a=e.replace(T,"$&/")+"/"),R(i,t,a,"",(function(e){return e}))):null!=i&&(_(i)&&(i=function(e,t){return{$$typeof:n,type:e.type,key:t,ref:e.ref,props:e.props,_owner:e._owner}}(i,a+(!i.key||l&&l.key===i.key?"":(""+i.key).replace(T,"$&/")+"/")+e)),t.push(i)),1;if(l=0,o=""===o?".":o+":",k(e))for(var c=0;c<e.length;c++){var u=o+L(s=e[c],c);l+=R(s,t,a,u,i)}else if(u=function(e){return null===e||"object"!=typeof e?null:"function"==typeof(e=f&&e[f]||e["@@iterator"])?e:null}(e),"function"==typeof u)for(e=u.call(e),c=0;!(s=e.next()).done;)l+=R(s=s.value,t,a,u=o+L(s,c++),i);else if("object"===s)throw t=String(e),Error("Objects are not valid as a React child (found: "+("[object Object]"===t?"object with keys {"+Object.keys(e).join(", ")+"}":t)+"). If you meant to render a collection of children, use an array instead.");return l}function j(e,t,n){if(null==e)return e;var r=[],a=0;return R(e,r,"","",(function(e){return t.call(n,e,a++)})),r}function N(e){if(-1===e._status){var t=e._result;(t=t()).then((function(t){0!==e._status&&-1!==e._status||(e._status=1,e._result=t)}),(function(t){0!==e._status&&-1!==e._status||(e._status=2,e._result=t)})),-1===e._status&&(e._status=0,e._result=t)}if(1===e._status)return e._result.default;throw e._result}var P={current:null},A={transition:null},O={ReactCurrentDispatcher:P,ReactCurrentBatchConfig:A,ReactCurrentOwner:S};function I(){throw Error("act(...) is not supported in production builds of React.")}t.Children={map:j,forEach:function(e,t,n){j(e,(function(){t.apply(this,arguments)}),n)},count:function(e){var t=0;return j(e,(function(){t++})),t},toArray:function(e){return j(e,(function(e){return e}))||[]},only:function(e){if(!_(e))throw Error("React.Children.only expected to receive a single React element child.");return e}},t.Component=y,t.Fragment=a,t.Profiler=i,t.PureComponent=v,t.StrictMode=o,t.Suspense=u,t.__SECRET_INTERNALS_DO_NOT_USE_OR_YOU_WILL_BE_FIRED=O,t.act=I,t.cloneElement=function(e,t,r){if(null==e)throw Error("React.cloneElement(...): The argument must be a React element, but you passed "+e+".");var a=m({},e.props),o=e.key,i=e.ref,s=e._owner;if(null!=t){if(void 0!==t.ref&&(i=t.ref,s=S.current),void 0!==t.key&&(o=""+t.key),e.type&&e.type.defaultProps)var l=e.type.defaultProps;for(c in t)x.call(t,c)&&!E.hasOwnProperty(c)&&(a[c]=void 0===t[c]&&void 0!==l?l[c]:t[c])}var c=arguments.length-2;if(1===c)a.children=r;else if(1<c){l=Array(c);for(var u=0;u<c;u++)l[u]=arguments[u+2];a.children=l}return{$$typeof:n,type:e.type,key:o,ref:i,props:a,_owner:s}},t.createContext=function(e){return(e={$$typeof:l,_currentValue:e,_currentValue2:e,_threadCount:0,Provider:null,Consumer:null,_defaultValue:null,_globalName:null}).Provider={$$typeof:s,_context:e},e.Consumer=e},t.createElement=C,t.createFactory=function(e){var t=C.bind(null,e);return t.type=e,t},t.createRef=function(){return{current:null}},t.forwardRef=function(e){return{$$typeof:c,render:e}},t.isValidElement=_,t.lazy=function(e){return{$$typeof:p,_payload:{_status:-1,_result:e},_init:N}},t.memo=function(e,t){return{$$typeof:d,type:e,compare:void 0===t?null:t}},t.startTransition=function(e){var t=A.transition;A.transition={};try{e()}finally{A.transition=t}},t.unstable_act=I,t.useCallback=function(e,t){return P.current.useCallback(e,t)},t.useContext=function(e){return P.current.useContext(e)},t.useDebugValue=function(){},t.useDeferredValue=function(e){return P.current.useDeferredValue(e)},t.useEffect=function(e,t){return P.current.useEffect(e,t)},t.useId=function(){return P.current.useId()},t.useImperativeHandle=function(e,t,n){return P.current.useImperativeHandle(e,t,n)},t.useInsertionEffect=function(e,t){return P.current.useInsertionEffect(e,t)},t.useLayoutEffect=function(e,t){return P.current.useLayoutEffect(e,t)},t.useMemo=function(e,t){return P.current.useMemo(e,t)},t.useReducer=function(e,t,n){return P.current.useReducer(e,t,n)},t.useRef=function(e){return P.current.useRef(e)},t.useState=function(e){return P.current.useState(e)},t.useSyncExternalStore=function(e,t,n){return P.current.useSyncExternalStore(e,t,n)},t.useTransition=function(){return P.current.useTransition()},t.version="18.3.1"},7294:(e,t,n)=>{"use strict";e.exports=n(2408)},5893:(e,t,n)=>{"use strict";e.exports=n(5251)},53:(e,t)=>{"use strict";function n(e,t){var n=e.length;e.push(t);e:for(;0<n;){var r=n-1>>>1,a=e[r];if(!(0<o(a,t)))break e;e[r]=t,e[n]=a,n=r}}function r(e){return 0===e.length?null:e[0]}function a(e){if(0===e.length)return null;var t=e[0],n=e.pop();if(n!==t){e[0]=n;e:for(var r=0,a=e.length,i=a>>>1;r<i;){var s=2*(r+1)-1,l=e[s],c=s+1,u=e[c];if(0>o(l,n))c<a&&0>o(u,l)?(e[r]=u,e[c]=n,r=c):(e[r]=l,e[s]=n,r=s);else{if(!(c<a&&0>o(u,n)))break e;e[r]=u,e[c]=n,r=c}}}return t}function o(e,t){var n=e.sortIndex-t.sortIndex;return 0!==n?n:e.id-t.id}if("object"==typeof performance&&"function"==typeof performance.now){var i=performance;t.unstable_now=function(){return i.now()}}else{var s=Date,l=s.now();t.unstable_now=function(){return s.now()-l}}var c=[],u=[],d=1,p=null,f=3,h=!1,m=!1,g=!1,y="function"==typeof setTimeout?setTimeout:null,b="function"==typeof clearTimeout?clearTimeout:null,v="undefined"!=typeof setImmediate?setImmediate:null;function w(e){for(var t=r(u);null!==t;){if(null===t.callback)a(u);else{if(!(t.startTime<=e))break;a(u),t.sortIndex=t.expirationTime,n(c,t)}t=r(u)}}function k(e){if(g=!1,w(e),!m)if(null!==r(c))m=!0,A(x);else{var t=r(u);null!==t&&O(k,t.startTime-e)}}function x(e,n){m=!1,g&&(g=!1,b(_),_=-1),h=!0;var o=f;try{for(w(n),p=r(c);null!==p&&(!(p.expirationTime>n)||e&&!R());){var i=p.callback;if("function"==typeof i){p.callback=null,f=p.priorityLevel;var s=i(p.expirationTime<=n);n=t.unstable_now(),"function"==typeof s?p.callback=s:p===r(c)&&a(c),w(n)}else a(c);p=r(c)}if(null!==p)var l=!0;else{var d=r(u);null!==d&&O(k,d.startTime-n),l=!1}return l}finally{p=null,f=o,h=!1}}"undefined"!=typeof navigator&&void 0!==navigator.scheduling&&void 0!==navigator.scheduling.isInputPending&&navigator.scheduling.isInputPending.bind(navigator.scheduling);var S,E=!1,C=null,_=-1,T=5,L=-1;function R(){return!(t.unstable_now()-L<T)}function j(){if(null!==C){var e=t.unstable_now();L=e;var n=!0;try{n=C(!0,e)}finally{n?S():(E=!1,C=null)}}else E=!1}if("function"==typeof v)S=function(){v(j)};else if("undefined"!=typeof MessageChannel){var N=new MessageChannel,P=N.port2;N.port1.onmessage=j,S=function(){P.postMessage(null)}}else S=function(){y(j,0)};function A(e){C=e,E||(E=!0,S())}function O(e,n){_=y((function(){e(t.unstable_now())}),n)}t.unstable_IdlePriority=5,t.unstable_ImmediatePriority=1,t.unstable_LowPriority=4,t.unstable_NormalPriority=3,t.unstable_Profiling=null,t.unstable_UserBlockingPriority=2,t.unstable_cancelCallback=function(e){e.callback=null},t.unstable_continueExecution=function(){m||h||(m=!0,A(x))},t.unstable_forceFrameRate=function(e){0>e||125<e?console.error("forceFrameRate takes a positive int between 0 and 125, forcing frame rates higher than 125 fps is not supported"):T=0<e?Math.floor(1e3/e):5},t.unstable_getCurrentPriorityLevel=function(){return f},t.unstable_getFirstCallbackNode=function(){return r(c)},t.unstable_next=function(e){switch(f){case 1:case 2:case 3:var t=3;break;default:t=f}var n=f;f=t;try{return e()}finally{f=n}},t.unstable_pauseExecution=function(){},t.unstable_requestPaint=function(){},t.unstable_runWithPriority=function(e,t){switch(e){case 1:case 2:case 3:case 4:case 5:break;default:e=3}var n=f;f=e;try{return t()}finally{f=n}},t.unstable_scheduleCallback=function(e,a,o){var i=t.unstable_now();switch("object"==typeof o&&null!==o?o="number"==typeof(o=o.delay)&&0<o?i+o:i:o=i,e){case 1:var s=-1;break;case 2:s=250;break;case 5:s=1073741823;break;case 4:s=1e4;break;default:s=5e3}return e={id:d++,callback:a,priorityLevel:e,startTime:o,expirationTime:s=o+s,sortIndex:-1},o>i?(e.sortIndex=o,n(u,e),null===r(c)&&e===r(u)&&(g?(b(_),_=-1):g=!0,O(k,o-i))):(e.sortIndex=s,n(c,e),m||h||(m=!0,A(x))),e},t.unstable_shouldYield=R,t.unstable_wrapCallback=function(e){var t=f;return function(){var n=f;f=t;try{return e.apply(this,arguments)}finally{f=n}}}},3840:(e,t,n)=>{"use strict";e.exports=n(53)},6774:e=>{e.exports=function(e,t,n,r){var a=n?n.call(r,e,t):void 0;if(void 0!==a)return!!a;if(e===t)return!0;if("object"!=typeof e||!e||"object"!=typeof t||!t)return!1;var o=Object.keys(e),i=Object.keys(t);if(o.length!==i.length)return!1;for(var s=Object.prototype.hasOwnProperty.bind(t),l=0;l<o.length;l++){var c=o[l];if(!s(c))return!1;var u=e[c],d=t[c];if(!1===(a=n?n.call(r,u,d,c):void 0)||void 0===a&&u!==d)return!1}return!0}},6809:(e,t,n)=>{"use strict";n.d(t,{default:()=>r});const r={title:"K3s",tagline:"",url:"https://docs.k3s.io",baseUrl:"/",onBrokenLinks:"throw",onBrokenMarkdownLinks:"warn",favicon:"img/favicon.ico",organizationName:"k3s-io",projectName:"docs",trailingSlash:!1,markdown:{mermaid:!0,format:"mdx",mdx1Compat:{comments:!0,admonitions:!0,headingIds:!0},anchors:{maintainCase:!1}},themes:["@docusaurus/theme-mermaid",["@easyops-cn/docusaurus-search-local",{docsRouteBasePath:"/",hashed:!0,highlightSearchTermsOnTargetPage:!0,indexBlog:!1,ignoreFiles:[{}]}]],i18n:{defaultLocale:"en",locales:["en","zh","kr"],localeConfigs:{en:{label:"English",direction:"ltr"},zh:{label:"\u7b80\u4f53\u4e2d\u6587",direction:"ltr"},kr:{label:"\ud55c\uad6d\uc5b4",direction:"ltr"}},path:"i18n"},themeConfig:{colorMode:{defaultMode:"light",respectPrefersColorScheme:!0,disableSwitch:!1},navbar:{title:"",logo:{alt:"logo",src:"img/k3s-logo-light.svg",srcDark:"img/k3s-logo-dark.svg"},items:[{type:"search",position:"right"},{type:"localeDropdown",position:"right",dropdownItemsBefore:[],dropdownItemsAfter:[]},{to:"https://github.com/k3s-io/k3s/",label:"GitHub",position:"right",className:"navbar__github btn"}],hideOnScroll:!1},footer:{style:"dark",links:[],copyright:'Copyright \xa9 2024 K3s Project Authors. All rights reserved. <br>The Linux Foundation has registered trademarks\n and uses trademarks. For a list of trademarks of The Linux Foundation, \n please see our <a href="https://www.linuxfoundation.org/trademark-usage"> Trademark Usage</a> page.'},docs:{versionPersistence:"localStorage",sidebar:{hideable:!1,autoCollapseCategories:!1}},metadata:[],prism:{additionalLanguages:[],theme:{plain:{color:"#bfc7d5",backgroundColor:"#292d3e"},styles:[{types:["comment"],style:{color:"rgb(105, 112, 152)",fontStyle:"italic"}},{types:["string","inserted"],style:{color:"rgb(195, 232, 141)"}},{types:["number"],style:{color:"rgb(247, 140, 108)"}},{types:["builtin","char","constant","function"],style:{color:"rgb(130, 170, 255)"}},{types:["punctuation","selector"],style:{color:"rgb(199, 146, 234)"}},{types:["variable"],style:{color:"rgb(191, 199, 213)"}},{types:["class-name","attr-name"],style:{color:"rgb(255, 203, 107)"}},{types:["tag","deleted"],style:{color:"rgb(255, 85, 114)"}},{types:["operator"],style:{color:"rgb(137, 221, 255)"}},{types:["boolean"],style:{color:"rgb(255, 88, 116)"}},{types:["keyword"],style:{fontStyle:"italic"}},{types:["doctype"],style:{color:"rgb(199, 146, 234)",fontStyle:"italic"}},{types:["namespace"],style:{color:"rgb(178, 204, 214)"}},{types:["url"],style:{color:"rgb(221, 221, 221)"}}]},magicComments:[{className:"theme-code-block-highlighted-line",line:"highlight-next-line",block:{start:"highlight-start",end:"highlight-end"}}]},tableOfContents:{minHeadingLevel:2,maxHeadingLevel:3},mermaid:{theme:{dark:"dark",light:"default"},options:{}}},presets:[["@docusaurus/preset-classic",{docs:{routeBasePath:"/",sidebarPath:"/home/runner/work/docs/docs/sidebars.js",showLastUpdateTime:!0,editUrl:"https://github.com/k3s-io/docs/edit/main/"},blog:!1,theme:{customCss:["/home/runner/work/docs/docs/src/css/custom.css"]}}]],plugins:[["@docusaurus/plugin-client-redirects",{redirects:[{from:"/installation/ha",to:"/datastore/ha"},{from:"/installation/ha-embedded",to:"/datastore/ha-embedded"},{from:"/installation/datastore",to:"/datastore"},{from:"/installation/disable-flags",to:"/installation/server-roles"},{from:"/backup-restore/backup-restore",to:"/datastore/backup-restore"},{from:"/reference/agent-config",to:"/cli/agent"},{from:"/reference/server-config",to:"/cli/server"},{from:"/installation/network-options",to:"/networking/basic-network-options"},{from:"/security/self-assessment",to:"/security/self-assessment-1.23"}]}]],baseUrlIssueBanner:!0,future:{experimental_storage:{type:"localStorage",namespace:!1},experimental_router:"browser"},onBrokenAnchors:"warn",onDuplicateRoutes:"warn",staticDirectories:["static"],customFields:{},scripts:[],headTags:[],stylesheets:[],clientModules:[],titleDelimiter:"|",noIndex:!1}},7462:(e,t,n)=>{"use strict";function r(){return r=Object.assign?Object.assign.bind():function(e){for(var t=1;t<arguments.length;t++){var n=arguments[t];for(var r in n)Object.prototype.hasOwnProperty.call(n,r)&&(e[r]=n[r])}return e},r.apply(this,arguments)}n.d(t,{Z:()=>r})},5068:(e,t,n)=>{"use strict";function r(e,t){return r=Object.setPrototypeOf?Object.setPrototypeOf.bind():function(e,t){return e.__proto__=t,e},r(e,t)}function a(e,t){e.prototype=Object.create(t.prototype),e.prototype.constructor=e,r(e,t)}n.d(t,{Z:()=>a})},3366:(e,t,n)=>{"use strict";function r(e,t){if(null==e)return{};var n,r,a={},o=Object.keys(e);for(r=0;r<o.length;r++)n=o[r],t.indexOf(n)>=0||(a[n]=e[n]);return a}n.d(t,{Z:()=>r})},512:(e,t,n)=>{"use strict";function r(e){var t,n,a="";if("string"==typeof e||"number"==typeof e)a+=e;else if("object"==typeof e)if(Array.isArray(e)){var o=e.length;for(t=0;t<o;t++)e[t]&&(n=r(e[t]))&&(a&&(a+=" "),a+=n)}else for(n in e)e[n]&&(a&&(a+=" "),a+=n);return a}n.d(t,{Z:()=>a});const a=function(){for(var e,t,n=0,a="",o=arguments.length;n<o;n++)(e=arguments[n])&&(t=r(e))&&(a&&(a+=" "),a+=t);return a}},2573:(e,t,n)=>{"use strict";n.d(t,{p1:()=>T,y$:()=>ee});var r,a,o,i,s,l,c,u=n(7294),d=n(512),p=Object.create,f=Object.defineProperty,h=Object.defineProperties,m=Object.getOwnPropertyDescriptor,g=Object.getOwnPropertyDescriptors,y=Object.getOwnPropertyNames,b=Object.getOwnPropertySymbols,v=Object.getPrototypeOf,w=Object.prototype.hasOwnProperty,k=Object.prototype.propertyIsEnumerable,x=(e,t,n)=>t in e?f(e,t,{enumerable:!0,configurable:!0,writable:!0,value:n}):e[t]=n,S=(e,t)=>{for(var n in t||(t={}))w.call(t,n)&&x(e,n,t[n]);if(b)for(var n of b(t))k.call(t,n)&&x(e,n,t[n]);return e},E=(e,t)=>h(e,g(t)),C=(e,t)=>{var n={};for(var r in e)w.call(e,r)&&t.indexOf(r)<0&&(n[r]=e[r]);if(null!=e&&b)for(var r of b(e))t.indexOf(r)<0&&k.call(e,r)&&(n[r]=e[r]);return n},_=(r={"../../node_modules/.pnpm/prismjs@1.29.0_patch_hash=vrxx3pzkik6jpmgpayxfjunetu/node_modules/prismjs/prism.js"(e,t){var n=function(){var e=/(?:^|\s)lang(?:uage)?-([\w-]+)(?=\s|$)/i,t=0,n={},r={util:{encode:function e(t){return t instanceof a?new a(t.type,e(t.content),t.alias):Array.isArray(t)?t.map(e):t.replace(/&/g,"&").replace(/</g,"<").replace(/\u00a0/g," ")},type:function(e){return Object.prototype.toString.call(e).slice(8,-1)},objId:function(e){return e.__id||Object.defineProperty(e,"__id",{value:++t}),e.__id},clone:function e(t,n){var a,o;switch(n=n||{},r.util.type(t)){case"Object":if(o=r.util.objId(t),n[o])return n[o];for(var i in a={},n[o]=a,t)t.hasOwnProperty(i)&&(a[i]=e(t[i],n));return a;case"Array":return o=r.util.objId(t),n[o]?n[o]:(a=[],n[o]=a,t.forEach((function(t,r){a[r]=e(t,n)})),a);default:return t}},getLanguage:function(t){for(;t;){var n=e.exec(t.className);if(n)return n[1].toLowerCase();t=t.parentElement}return"none"},setLanguage:function(t,n){t.className=t.className.replace(RegExp(e,"gi"),""),t.classList.add("language-"+n)},isActive:function(e,t,n){for(var r="no-"+t;e;){var a=e.classList;if(a.contains(t))return!0;if(a.contains(r))return!1;e=e.parentElement}return!!n}},languages:{plain:n,plaintext:n,text:n,txt:n,extend:function(e,t){var n=r.util.clone(r.languages[e]);for(var a in t)n[a]=t[a];return n},insertBefore:function(e,t,n,a){var o=(a=a||r.languages)[e],i={};for(var s in o)if(o.hasOwnProperty(s)){if(s==t)for(var l in n)n.hasOwnProperty(l)&&(i[l]=n[l]);n.hasOwnProperty(s)||(i[s]=o[s])}var c=a[e];return a[e]=i,r.languages.DFS(r.languages,(function(t,n){n===c&&t!=e&&(this[t]=i)})),i},DFS:function e(t,n,a,o){o=o||{};var i=r.util.objId;for(var s in t)if(t.hasOwnProperty(s)){n.call(t,s,t[s],a||s);var l=t[s],c=r.util.type(l);"Object"!==c||o[i(l)]?"Array"!==c||o[i(l)]||(o[i(l)]=!0,e(l,n,s,o)):(o[i(l)]=!0,e(l,n,null,o))}}},plugins:{},highlight:function(e,t,n){var o={code:e,grammar:t,language:n};if(r.hooks.run("before-tokenize",o),!o.grammar)throw new Error('The language "'+o.language+'" has no grammar.');return o.tokens=r.tokenize(o.code,o.grammar),r.hooks.run("after-tokenize",o),a.stringify(r.util.encode(o.tokens),o.language)},tokenize:function(e,t){var n=t.rest;if(n){for(var r in n)t[r]=n[r];delete t.rest}var a=new s;return l(a,a.head,e),i(e,a,t,a.head,0),function(e){for(var t=[],n=e.head.next;n!==e.tail;)t.push(n.value),n=n.next;return t}(a)},hooks:{all:{},add:function(e,t){var n=r.hooks.all;n[e]=n[e]||[],n[e].push(t)},run:function(e,t){var n=r.hooks.all[e];if(n&&n.length)for(var a,o=0;a=n[o++];)a(t)}},Token:a};function a(e,t,n,r){this.type=e,this.content=t,this.alias=n,this.length=0|(r||"").length}function o(e,t,n,r){e.lastIndex=t;var a=e.exec(n);if(a&&r&&a[1]){var o=a[1].length;a.index+=o,a[0]=a[0].slice(o)}return a}function i(e,t,n,s,u,d){for(var p in n)if(n.hasOwnProperty(p)&&n[p]){var f=n[p];f=Array.isArray(f)?f:[f];for(var h=0;h<f.length;++h){if(d&&d.cause==p+","+h)return;var m=f[h],g=m.inside,y=!!m.lookbehind,b=!!m.greedy,v=m.alias;if(b&&!m.pattern.global){var w=m.pattern.toString().match(/[imsuy]*$/)[0];m.pattern=RegExp(m.pattern.source,w+"g")}for(var k=m.pattern||m,x=s.next,S=u;x!==t.tail&&!(d&&S>=d.reach);S+=x.value.length,x=x.next){var E=x.value;if(t.length>e.length)return;if(!(E instanceof a)){var C,_=1;if(b){if(!(C=o(k,S,e,y))||C.index>=e.length)break;var T=C.index,L=C.index+C[0].length,R=S;for(R+=x.value.length;T>=R;)R+=(x=x.next).value.length;if(S=R-=x.value.length,x.value instanceof a)continue;for(var j=x;j!==t.tail&&(R<L||"string"==typeof j.value);j=j.next)_++,R+=j.value.length;_--,E=e.slice(S,R),C.index-=S}else if(!(C=o(k,0,E,y)))continue;T=C.index;var N=C[0],P=E.slice(0,T),A=E.slice(T+N.length),O=S+E.length;d&&O>d.reach&&(d.reach=O);var I=x.prev;if(P&&(I=l(t,I,P),S+=P.length),c(t,I,_),x=l(t,I,new a(p,g?r.tokenize(N,g):N,v,N)),A&&l(t,x,A),_>1){var D={cause:p+","+h,reach:O};i(e,t,n,x.prev,S,D),d&&D.reach>d.reach&&(d.reach=D.reach)}}}}}}function s(){var e={value:null,prev:null,next:null},t={value:null,prev:e,next:null};e.next=t,this.head=e,this.tail=t,this.length=0}function l(e,t,n){var r=t.next,a={value:n,prev:t,next:r};return t.next=a,r.prev=a,e.length++,a}function c(e,t,n){for(var r=t.next,a=0;a<n&&r!==e.tail;a++)r=r.next;t.next=r,r.prev=t,e.length-=a}return a.stringify=function e(t,n){if("string"==typeof t)return t;if(Array.isArray(t)){var a="";return t.forEach((function(t){a+=e(t,n)})),a}var o={type:t.type,content:e(t.content,n),tag:"span",classes:["token",t.type],attributes:{},language:n},i=t.alias;i&&(Array.isArray(i)?Array.prototype.push.apply(o.classes,i):o.classes.push(i)),r.hooks.run("wrap",o);var s="";for(var l in o.attributes)s+=" "+l+'="'+(o.attributes[l]||"").replace(/"/g,""")+'"';return"<"+o.tag+' class="'+o.classes.join(" ")+'"'+s+">"+o.content+"</"+o.tag+">"},r}();t.exports=n,n.default=n}},function(){return a||(0,r[y(r)[0]])((a={exports:{}}).exports,a),a.exports}),T=((e,t,n)=>(n=null!=e?p(v(e)):{},((e,t,n,r)=>{if(t&&"object"==typeof t||"function"==typeof t)for(let a of y(t))w.call(e,a)||a===n||f(e,a,{get:()=>t[a],enumerable:!(r=m(t,a))||r.enumerable});return e})(!t&&e&&e.__esModule?n:f(n,"default",{value:e,enumerable:!0}),e)))(_());T.languages.markup={comment:{pattern:/<!--(?:(?!<!--)[\s\S])*?-->/,greedy:!0},prolog:{pattern:/<\?[\s\S]+?\?>/,greedy:!0},doctype:{pattern:/<!DOCTYPE(?:[^>"'[\]]|"[^"]*"|'[^']*')+(?:\[(?:[^<"'\]]|"[^"]*"|'[^']*'|<(?!!--)|<!--(?:[^-]|-(?!->))*-->)*\]\s*)?>/i,greedy:!0,inside:{"internal-subset":{pattern:/(^[^\[]*\[)[\s\S]+(?=\]>$)/,lookbehind:!0,greedy:!0,inside:null},string:{pattern:/"[^"]*"|'[^']*'/,greedy:!0},punctuation:/^<!|>$|[[\]]/,"doctype-tag":/^DOCTYPE/i,name:/[^\s<>'"]+/}},cdata:{pattern:/<!\[CDATA\[[\s\S]*?\]\]>/i,greedy:!0},tag:{pattern:/<\/?(?!\d)[^\s>\/=$<%]+(?:\s(?:\s*[^\s>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s'">=]+(?=[\s>]))|(?=[\s/>])))+)?\s*\/?>/,greedy:!0,inside:{tag:{pattern:/^<\/?[^\s>\/]+/,inside:{punctuation:/^<\/?/,namespace:/^[^\s>\/:]+:/}},"special-attr":[],"attr-value":{pattern:/=\s*(?:"[^"]*"|'[^']*'|[^\s'">=]+)/,inside:{punctuation:[{pattern:/^=/,alias:"attr-equals"},{pattern:/^(\s*)["']|["']$/,lookbehind:!0}]}},punctuation:/\/?>/,"attr-name":{pattern:/[^\s>\/]+/,inside:{namespace:/^[^\s>\/:]+:/}}}},entity:[{pattern:/&[\da-z]{1,8};/i,alias:"named-entity"},/&#x?[\da-f]{1,8};/i]},T.languages.markup.tag.inside["attr-value"].inside.entity=T.languages.markup.entity,T.languages.markup.doctype.inside["internal-subset"].inside=T.languages.markup,T.hooks.add("wrap",(function(e){"entity"===e.type&&(e.attributes.title=e.content.replace(/&/,"&"))})),Object.defineProperty(T.languages.markup.tag,"addInlined",{value:function(e,t){var n;(t=((n=((n={})["language-"+t]={pattern:/(^<!\[CDATA\[)[\s\S]+?(?=\]\]>$)/i,lookbehind:!0,inside:T.languages[t]},n.cdata=/^<!\[CDATA\[|\]\]>$/i,{"included-cdata":{pattern:/<!\[CDATA\[[\s\S]*?\]\]>/i,inside:n}}))["language-"+t]={pattern:/[\s\S]+/,inside:T.languages[t]},{}))[e]={pattern:RegExp(/(<__[^>]*>)(?:<!\[CDATA\[(?:[^\]]|\](?!\]>))*\]\]>|(?!<!\[CDATA\[)[\s\S])*?(?=<\/__>)/.source.replace(/__/g,(function(){return e})),"i"),lookbehind:!0,greedy:!0,inside:n},T.languages.insertBefore("markup","cdata",t)}}),Object.defineProperty(T.languages.markup.tag,"addAttribute",{value:function(e,t){T.languages.markup.tag.inside["special-attr"].push({pattern:RegExp(/(^|["'\s])/.source+"(?:"+e+")"+/\s*=\s*(?:"[^"]*"|'[^']*'|[^\s'">=]+(?=[\s>]))/.source,"i"),lookbehind:!0,inside:{"attr-name":/^[^\s=]+/,"attr-value":{pattern:/=[\s\S]+/,inside:{value:{pattern:/(^=\s*(["']|(?!["'])))\S[\s\S]*(?=\2$)/,lookbehind:!0,alias:[t,"language-"+t],inside:T.languages[t]},punctuation:[{pattern:/^=/,alias:"attr-equals"},/"|'/]}}}})}}),T.languages.html=T.languages.markup,T.languages.mathml=T.languages.markup,T.languages.svg=T.languages.markup,T.languages.xml=T.languages.extend("markup",{}),T.languages.ssml=T.languages.xml,T.languages.atom=T.languages.xml,T.languages.rss=T.languages.xml,o=T,i={pattern:/\\[\\(){}[\]^$+*?|.]/,alias:"escape"},l="(?:[^\\\\-]|"+(s=/\\(?:x[\da-fA-F]{2}|u[\da-fA-F]{4}|u\{[\da-fA-F]+\}|0[0-7]{0,2}|[123][0-7]{2}|c[a-zA-Z]|.)/).source+")",l=RegExp(l+"-"+l),c={pattern:/(<|')[^<>']+(?=[>']$)/,lookbehind:!0,alias:"variable"},o.languages.regex={"char-class":{pattern:/((?:^|[^\\])(?:\\\\)*)\[(?:[^\\\]]|\\[\s\S])*\]/,lookbehind:!0,inside:{"char-class-negation":{pattern:/(^\[)\^/,lookbehind:!0,alias:"operator"},"char-class-punctuation":{pattern:/^\[|\]$/,alias:"punctuation"},range:{pattern:l,inside:{escape:s,"range-punctuation":{pattern:/-/,alias:"operator"}}},"special-escape":i,"char-set":{pattern:/\\[wsd]|\\p\{[^{}]+\}/i,alias:"class-name"},escape:s}},"special-escape":i,"char-set":{pattern:/\.|\\[wsd]|\\p\{[^{}]+\}/i,alias:"class-name"},backreference:[{pattern:/\\(?![123][0-7]{2})[1-9]/,alias:"keyword"},{pattern:/\\k<[^<>']+>/,alias:"keyword",inside:{"group-name":c}}],anchor:{pattern:/[$^]|\\[ABbGZz]/,alias:"function"},escape:s,group:[{pattern:/\((?:\?(?:<[^<>']+>|'[^<>']+'|[>:]|<?[=!]|[idmnsuxU]+(?:-[idmnsuxU]+)?:?))?/,alias:"punctuation",inside:{"group-name":c}},{pattern:/\)/,alias:"punctuation"}],quantifier:{pattern:/(?:[+*?]|\{\d+(?:,\d*)?\})[?+]?/,alias:"number"},alternation:{pattern:/\|/,alias:"keyword"}},T.languages.clike={comment:[{pattern:/(^|[^\\])\/\*[\s\S]*?(?:\*\/|$)/,lookbehind:!0,greedy:!0},{pattern:/(^|[^\\:])\/\/.*/,lookbehind:!0,greedy:!0}],string:{pattern:/(["'])(?:\\(?:\r\n|[\s\S])|(?!\1)[^\\\r\n])*\1/,greedy:!0},"class-name":{pattern:/(\b(?:class|extends|implements|instanceof|interface|new|trait)\s+|\bcatch\s+\()[\w.\\]+/i,lookbehind:!0,inside:{punctuation:/[.\\]/}},keyword:/\b(?:break|catch|continue|do|else|finally|for|function|if|in|instanceof|new|null|return|throw|try|while)\b/,boolean:/\b(?:false|true)\b/,function:/\b\w+(?=\()/,number:/\b0x[\da-f]+\b|(?:\b\d+(?:\.\d*)?|\B\.\d+)(?:e[+-]?\d+)?/i,operator:/[<>]=?|[!=]=?=?|--?|\+\+?|&&?|\|\|?|[?*/~^%]/,punctuation:/[{}[\];(),.:]/},T.languages.javascript=T.languages.extend("clike",{"class-name":[T.languages.clike["class-name"],{pattern:/(^|[^$\w\xA0-\uFFFF])(?!\s)[_$A-Z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*(?=\.(?:constructor|prototype))/,lookbehind:!0}],keyword:[{pattern:/((?:^|\})\s*)catch\b/,lookbehind:!0},{pattern:/(^|[^.]|\.\.\.\s*)\b(?:as|assert(?=\s*\{)|async(?=\s*(?:function\b|\(|[$\w\xA0-\uFFFF]|$))|await|break|case|class|const|continue|debugger|default|delete|do|else|enum|export|extends|finally(?=\s*(?:\{|$))|for|from(?=\s*(?:['"]|$))|function|(?:get|set)(?=\s*(?:[#\[$\w\xA0-\uFFFF]|$))|if|implements|import|in|instanceof|interface|let|new|null|of|package|private|protected|public|return|static|super|switch|this|throw|try|typeof|undefined|var|void|while|with|yield)\b/,lookbehind:!0}],function:/#?(?!\s)[_$a-zA-Z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*(?=\s*(?:\.\s*(?:apply|bind|call)\s*)?\()/,number:{pattern:RegExp(/(^|[^\w$])/.source+"(?:"+/NaN|Infinity/.source+"|"+/0[bB][01]+(?:_[01]+)*n?/.source+"|"+/0[oO][0-7]+(?:_[0-7]+)*n?/.source+"|"+/0[xX][\dA-Fa-f]+(?:_[\dA-Fa-f]+)*n?/.source+"|"+/\d+(?:_\d+)*n/.source+"|"+/(?:\d+(?:_\d+)*(?:\.(?:\d+(?:_\d+)*)?)?|\.\d+(?:_\d+)*)(?:[Ee][+-]?\d+(?:_\d+)*)?/.source+")"+/(?![\w$])/.source),lookbehind:!0},operator:/--|\+\+|\*\*=?|=>|&&=?|\|\|=?|[!=]==|<<=?|>>>?=?|[-+*/%&|^!=<>]=?|\.{3}|\?\?=?|\?\.?|[~:]/}),T.languages.javascript["class-name"][0].pattern=/(\b(?:class|extends|implements|instanceof|interface|new)\s+)[\w.\\]+/,T.languages.insertBefore("javascript","keyword",{regex:{pattern:RegExp(/((?:^|[^$\w\xA0-\uFFFF."'\])\s]|\b(?:return|yield))\s*)/.source+/\//.source+"(?:"+/(?:\[(?:[^\]\\\r\n]|\\.)*\]|\\.|[^/\\\[\r\n])+\/[dgimyus]{0,7}/.source+"|"+/(?:\[(?:[^[\]\\\r\n]|\\.|\[(?:[^[\]\\\r\n]|\\.|\[(?:[^[\]\\\r\n]|\\.)*\])*\])*\]|\\.|[^/\\\[\r\n])+\/[dgimyus]{0,7}v[dgimyus]{0,7}/.source+")"+/(?=(?:\s|\/\*(?:[^*]|\*(?!\/))*\*\/)*(?:$|[\r\n,.;:})\]]|\/\/))/.source),lookbehind:!0,greedy:!0,inside:{"regex-source":{pattern:/^(\/)[\s\S]+(?=\/[a-z]*$)/,lookbehind:!0,alias:"language-regex",inside:T.languages.regex},"regex-delimiter":/^\/|\/$/,"regex-flags":/^[a-z]+$/}},"function-variable":{pattern:/#?(?!\s)[_$a-zA-Z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*(?=\s*[=:]\s*(?:async\s*)?(?:\bfunction\b|(?:\((?:[^()]|\([^()]*\))*\)|(?!\s)[_$a-zA-Z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*)\s*=>))/,alias:"function"},parameter:[{pattern:/(function(?:\s+(?!\s)[_$a-zA-Z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*)?\s*\(\s*)(?!\s)(?:[^()\s]|\s+(?![\s)])|\([^()]*\))+(?=\s*\))/,lookbehind:!0,inside:T.languages.javascript},{pattern:/(^|[^$\w\xA0-\uFFFF])(?!\s)[_$a-z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*(?=\s*=>)/i,lookbehind:!0,inside:T.languages.javascript},{pattern:/(\(\s*)(?!\s)(?:[^()\s]|\s+(?![\s)])|\([^()]*\))+(?=\s*\)\s*=>)/,lookbehind:!0,inside:T.languages.javascript},{pattern:/((?:\b|\s|^)(?!(?:as|async|await|break|case|catch|class|const|continue|debugger|default|delete|do|else|enum|export|extends|finally|for|from|function|get|if|implements|import|in|instanceof|interface|let|new|null|of|package|private|protected|public|return|set|static|super|switch|this|throw|try|typeof|undefined|var|void|while|with|yield)(?![$\w\xA0-\uFFFF]))(?:(?!\s)[_$a-zA-Z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*\s*)\(\s*|\]\s*\(\s*)(?!\s)(?:[^()\s]|\s+(?![\s)])|\([^()]*\))+(?=\s*\)\s*\{)/,lookbehind:!0,inside:T.languages.javascript}],constant:/\b[A-Z](?:[A-Z_]|\dx?)*\b/}),T.languages.insertBefore("javascript","string",{hashbang:{pattern:/^#!.*/,greedy:!0,alias:"comment"},"template-string":{pattern:/`(?:\\[\s\S]|\$\{(?:[^{}]|\{(?:[^{}]|\{[^}]*\})*\})+\}|(?!\$\{)[^\\`])*`/,greedy:!0,inside:{"template-punctuation":{pattern:/^`|`$/,alias:"string"},interpolation:{pattern:/((?:^|[^\\])(?:\\{2})*)\$\{(?:[^{}]|\{(?:[^{}]|\{[^}]*\})*\})+\}/,lookbehind:!0,inside:{"interpolation-punctuation":{pattern:/^\$\{|\}$/,alias:"punctuation"},rest:T.languages.javascript}},string:/[\s\S]+/}},"string-property":{pattern:/((?:^|[,{])[ \t]*)(["'])(?:\\(?:\r\n|[\s\S])|(?!\2)[^\\\r\n])*\2(?=\s*:)/m,lookbehind:!0,greedy:!0,alias:"property"}}),T.languages.insertBefore("javascript","operator",{"literal-property":{pattern:/((?:^|[,{])[ \t]*)(?!\s)[_$a-zA-Z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*(?=\s*:)/m,lookbehind:!0,alias:"property"}}),T.languages.markup&&(T.languages.markup.tag.addInlined("script","javascript"),T.languages.markup.tag.addAttribute(/on(?:abort|blur|change|click|composition(?:end|start|update)|dblclick|error|focus(?:in|out)?|key(?:down|up)|load|mouse(?:down|enter|leave|move|out|over|up)|reset|resize|scroll|select|slotchange|submit|unload|wheel)/.source,"javascript")),T.languages.js=T.languages.javascript,T.languages.actionscript=T.languages.extend("javascript",{keyword:/\b(?:as|break|case|catch|class|const|default|delete|do|dynamic|each|else|extends|final|finally|for|function|get|if|implements|import|in|include|instanceof|interface|internal|is|namespace|native|new|null|override|package|private|protected|public|return|set|static|super|switch|this|throw|try|typeof|use|var|void|while|with)\b/,operator:/\+\+|--|(?:[+\-*\/%^]|&&?|\|\|?|<<?|>>?>?|[!=]=?)=?|[~?@]/}),T.languages.actionscript["class-name"].alias="function",delete T.languages.actionscript.parameter,delete T.languages.actionscript["literal-property"],T.languages.markup&&T.languages.insertBefore("actionscript","string",{xml:{pattern:/(^|[^.])<\/?\w+(?:\s+[^\s>\/=]+=("|')(?:\\[\s\S]|(?!\2)[^\\])*\2)*\s*\/?>/,lookbehind:!0,inside:T.languages.markup}}),function(e){var t=/#(?!\{).+/,n={pattern:/#\{[^}]+\}/,alias:"variable"};e.languages.coffeescript=e.languages.extend("javascript",{comment:t,string:[{pattern:/'(?:\\[\s\S]|[^\\'])*'/,greedy:!0},{pattern:/"(?:\\[\s\S]|[^\\"])*"/,greedy:!0,inside:{interpolation:n}}],keyword:/\b(?:and|break|by|catch|class|continue|debugger|delete|do|each|else|extend|extends|false|finally|for|if|in|instanceof|is|isnt|let|loop|namespace|new|no|not|null|of|off|on|or|own|return|super|switch|then|this|throw|true|try|typeof|undefined|unless|until|when|while|window|with|yes|yield)\b/,"class-member":{pattern:/@(?!\d)\w+/,alias:"variable"}}),e.languages.insertBefore("coffeescript","comment",{"multiline-comment":{pattern:/###[\s\S]+?###/,alias:"comment"},"block-regex":{pattern:/\/{3}[\s\S]*?\/{3}/,alias:"regex",inside:{comment:t,interpolation:n}}}),e.languages.insertBefore("coffeescript","string",{"inline-javascript":{pattern:/`(?:\\[\s\S]|[^\\`])*`/,inside:{delimiter:{pattern:/^`|`$/,alias:"punctuation"},script:{pattern:/[\s\S]+/,alias:"language-javascript",inside:e.languages.javascript}}},"multiline-string":[{pattern:/'''[\s\S]*?'''/,greedy:!0,alias:"string"},{pattern:/"""[\s\S]*?"""/,greedy:!0,alias:"string",inside:{interpolation:n}}]}),e.languages.insertBefore("coffeescript","keyword",{property:/(?!\d)\w+(?=\s*:(?!:))/}),delete e.languages.coffeescript["template-string"],e.languages.coffee=e.languages.coffeescript}(T),function(e){var t=e.languages.javadoclike={parameter:{pattern:/(^[\t ]*(?:\/{3}|\*|\/\*\*)\s*@(?:arg|arguments|param)\s+)\w+/m,lookbehind:!0},keyword:{pattern:/(^[\t ]*(?:\/{3}|\*|\/\*\*)\s*|\{)@[a-z][a-zA-Z-]+\b/m,lookbehind:!0},punctuation:/[{}]/};Object.defineProperty(t,"addSupport",{value:function(t,n){(t="string"==typeof t?[t]:t).forEach((function(t){var r=function(e){e.inside||(e.inside={}),e.inside.rest=n},a="doc-comment";if(o=e.languages[t]){var o,i=o[a];if((i=i||(o=e.languages.insertBefore(t,"comment",{"doc-comment":{pattern:/(^|[^\\])\/\*\*[^/][\s\S]*?(?:\*\/|$)/,lookbehind:!0,alias:"comment"}}))[a])instanceof RegExp&&(i=o[a]={pattern:i}),Array.isArray(i))for(var s=0,l=i.length;s<l;s++)i[s]instanceof RegExp&&(i[s]={pattern:i[s]}),r(i[s]);else r(i)}}))}}),t.addSupport(["java","javascript","php"],t)}(T),function(e){var t=/(?:"(?:\\(?:\r\n|[\s\S])|[^"\\\r\n])*"|'(?:\\(?:\r\n|[\s\S])|[^'\\\r\n])*')/;(t=(e.languages.css={comment:/\/\*[\s\S]*?\*\//,atrule:{pattern:RegExp("@[\\w-](?:"+/[^;{\s"']|\s+(?!\s)/.source+"|"+t.source+")*?"+/(?:;|(?=\s*\{))/.source),inside:{rule:/^@[\w-]+/,"selector-function-argument":{pattern:/(\bselector\s*\(\s*(?![\s)]))(?:[^()\s]|\s+(?![\s)])|\((?:[^()]|\([^()]*\))*\))+(?=\s*\))/,lookbehind:!0,alias:"selector"},keyword:{pattern:/(^|[^\w-])(?:and|not|only|or)(?![\w-])/,lookbehind:!0}}},url:{pattern:RegExp("\\burl\\((?:"+t.source+"|"+/(?:[^\\\r\n()"']|\\[\s\S])*/.source+")\\)","i"),greedy:!0,inside:{function:/^url/i,punctuation:/^\(|\)$/,string:{pattern:RegExp("^"+t.source+"$"),alias:"url"}}},selector:{pattern:RegExp("(^|[{}\\s])[^{}\\s](?:[^{};\"'\\s]|\\s+(?![\\s{])|"+t.source+")*(?=\\s*\\{)"),lookbehind:!0},string:{pattern:t,greedy:!0},property:{pattern:/(^|[^-\w\xA0-\uFFFF])(?!\s)[-_a-z\xA0-\uFFFF](?:(?!\s)[-\w\xA0-\uFFFF])*(?=\s*:)/i,lookbehind:!0},important:/!important\b/i,function:{pattern:/(^|[^-a-z0-9])[-a-z0-9]+(?=\()/i,lookbehind:!0},punctuation:/[(){};:,]/},e.languages.css.atrule.inside.rest=e.languages.css,e.languages.markup))&&(t.tag.addInlined("style","css"),t.tag.addAttribute("style","css"))}(T),function(e){var t=/("|')(?:\\(?:\r\n|[\s\S])|(?!\1)[^\\\r\n])*\1/,n=(t=(e.languages.css.selector={pattern:e.languages.css.selector.pattern,lookbehind:!0,inside:t={"pseudo-element":/:(?:after|before|first-letter|first-line|selection)|::[-\w]+/,"pseudo-class":/:[-\w]+/,class:/\.[-\w]+/,id:/#[-\w]+/,attribute:{pattern:RegExp("\\[(?:[^[\\]\"']|"+t.source+")*\\]"),greedy:!0,inside:{punctuation:/^\[|\]$/,"case-sensitivity":{pattern:/(\s)[si]$/i,lookbehind:!0,alias:"keyword"},namespace:{pattern:/^(\s*)(?:(?!\s)[-*\w\xA0-\uFFFF])*\|(?!=)/,lookbehind:!0,inside:{punctuation:/\|$/}},"attr-name":{pattern:/^(\s*)(?:(?!\s)[-\w\xA0-\uFFFF])+/,lookbehind:!0},"attr-value":[t,{pattern:/(=\s*)(?:(?!\s)[-\w\xA0-\uFFFF])+(?=\s*$)/,lookbehind:!0}],operator:/[|~*^$]?=/}},"n-th":[{pattern:/(\(\s*)[+-]?\d*[\dn](?:\s*[+-]\s*\d+)?(?=\s*\))/,lookbehind:!0,inside:{number:/[\dn]+/,operator:/[+-]/}},{pattern:/(\(\s*)(?:even|odd)(?=\s*\))/i,lookbehind:!0}],combinator:/>|\+|~|\|\|/,punctuation:/[(),]/}},e.languages.css.atrule.inside["selector-function-argument"].inside=t,e.languages.insertBefore("css","property",{variable:{pattern:/(^|[^-\w\xA0-\uFFFF])--(?!\s)[-_a-z\xA0-\uFFFF](?:(?!\s)[-\w\xA0-\uFFFF])*/i,lookbehind:!0}}),{pattern:/(\b\d+)(?:%|[a-z]+(?![\w-]))/,lookbehind:!0}),{pattern:/(^|[^\w.-])-?(?:\d+(?:\.\d+)?|\.\d+)/,lookbehind:!0});e.languages.insertBefore("css","function",{operator:{pattern:/(\s)[+\-*\/](?=\s)/,lookbehind:!0},hexcode:{pattern:/\B#[\da-f]{3,8}\b/i,alias:"color"},color:[{pattern:/(^|[^\w-])(?:AliceBlue|AntiqueWhite|Aqua|Aquamarine|Azure|Beige|Bisque|Black|BlanchedAlmond|Blue|BlueViolet|Brown|BurlyWood|CadetBlue|Chartreuse|Chocolate|Coral|CornflowerBlue|Cornsilk|Crimson|Cyan|DarkBlue|DarkCyan|DarkGoldenRod|DarkGr[ae]y|DarkGreen|DarkKhaki|DarkMagenta|DarkOliveGreen|DarkOrange|DarkOrchid|DarkRed|DarkSalmon|DarkSeaGreen|DarkSlateBlue|DarkSlateGr[ae]y|DarkTurquoise|DarkViolet|DeepPink|DeepSkyBlue|DimGr[ae]y|DodgerBlue|FireBrick|FloralWhite|ForestGreen|Fuchsia|Gainsboro|GhostWhite|Gold|GoldenRod|Gr[ae]y|Green|GreenYellow|HoneyDew|HotPink|IndianRed|Indigo|Ivory|Khaki|Lavender|LavenderBlush|LawnGreen|LemonChiffon|LightBlue|LightCoral|LightCyan|LightGoldenRodYellow|LightGr[ae]y|LightGreen|LightPink|LightSalmon|LightSeaGreen|LightSkyBlue|LightSlateGr[ae]y|LightSteelBlue|LightYellow|Lime|LimeGreen|Linen|Magenta|Maroon|MediumAquaMarine|MediumBlue|MediumOrchid|MediumPurple|MediumSeaGreen|MediumSlateBlue|MediumSpringGreen|MediumTurquoise|MediumVioletRed|MidnightBlue|MintCream|MistyRose|Moccasin|NavajoWhite|Navy|OldLace|Olive|OliveDrab|Orange|OrangeRed|Orchid|PaleGoldenRod|PaleGreen|PaleTurquoise|PaleVioletRed|PapayaWhip|PeachPuff|Peru|Pink|Plum|PowderBlue|Purple|RebeccaPurple|Red|RosyBrown|RoyalBlue|SaddleBrown|Salmon|SandyBrown|SeaGreen|SeaShell|Sienna|Silver|SkyBlue|SlateBlue|SlateGr[ae]y|Snow|SpringGreen|SteelBlue|Tan|Teal|Thistle|Tomato|Transparent|Turquoise|Violet|Wheat|White|WhiteSmoke|Yellow|YellowGreen)(?![\w-])/i,lookbehind:!0},{pattern:/\b(?:hsl|rgb)\(\s*\d{1,3}\s*,\s*\d{1,3}%?\s*,\s*\d{1,3}%?\s*\)\B|\b(?:hsl|rgb)a\(\s*\d{1,3}\s*,\s*\d{1,3}%?\s*,\s*\d{1,3}%?\s*,\s*(?:0|0?\.\d+|1)\s*\)\B/i,inside:{unit:t,number:n,function:/[\w-]+(?=\()/,punctuation:/[(),]/}}],entity:/\\[\da-f]{1,8}/i,unit:t,number:n})}(T),function(e){var t=/[*&][^\s[\]{},]+/,n=/!(?:<[\w\-%#;/?:@&=+$,.!~*'()[\]]+>|(?:[a-zA-Z\d-]*!)?[\w\-%#;/?:@&=+$.~*'()]+)?/,r="(?:"+n.source+"(?:[ \t]+"+t.source+")?|"+t.source+"(?:[ \t]+"+n.source+")?)",a=/(?:[^\s\x00-\x08\x0e-\x1f!"#%&'*,\-:>?@[\]`{|}\x7f-\x84\x86-\x9f\ud800-\udfff\ufffe\uffff]|[?:-]<PLAIN>)(?:[ \t]*(?:(?![#:])<PLAIN>|:<PLAIN>))*/.source.replace(/<PLAIN>/g,(function(){return/[^\s\x00-\x08\x0e-\x1f,[\]{}\x7f-\x84\x86-\x9f\ud800-\udfff\ufffe\uffff]/.source})),o=/"(?:[^"\\\r\n]|\\.)*"|'(?:[^'\\\r\n]|\\.)*'/.source;function i(e,t){t=(t||"").replace(/m/g,"")+"m";var n=/([:\-,[{]\s*(?:\s<<prop>>[ \t]+)?)(?:<<value>>)(?=[ \t]*(?:$|,|\]|\}|(?:[\r\n]\s*)?#))/.source.replace(/<<prop>>/g,(function(){return r})).replace(/<<value>>/g,(function(){return e}));return RegExp(n,t)}e.languages.yaml={scalar:{pattern:RegExp(/([\-:]\s*(?:\s<<prop>>[ \t]+)?[|>])[ \t]*(?:((?:\r?\n|\r)[ \t]+)\S[^\r\n]*(?:\2[^\r\n]+)*)/.source.replace(/<<prop>>/g,(function(){return r}))),lookbehind:!0,alias:"string"},comment:/#.*/,key:{pattern:RegExp(/((?:^|[:\-,[{\r\n?])[ \t]*(?:<<prop>>[ \t]+)?)<<key>>(?=\s*:\s)/.source.replace(/<<prop>>/g,(function(){return r})).replace(/<<key>>/g,(function(){return"(?:"+a+"|"+o+")"}))),lookbehind:!0,greedy:!0,alias:"atrule"},directive:{pattern:/(^[ \t]*)%.+/m,lookbehind:!0,alias:"important"},datetime:{pattern:i(/\d{4}-\d\d?-\d\d?(?:[tT]|[ \t]+)\d\d?:\d{2}:\d{2}(?:\.\d*)?(?:[ \t]*(?:Z|[-+]\d\d?(?::\d{2})?))?|\d{4}-\d{2}-\d{2}|\d\d?:\d{2}(?::\d{2}(?:\.\d*)?)?/.source),lookbehind:!0,alias:"number"},boolean:{pattern:i(/false|true/.source,"i"),lookbehind:!0,alias:"important"},null:{pattern:i(/null|~/.source,"i"),lookbehind:!0,alias:"important"},string:{pattern:i(o),lookbehind:!0,greedy:!0},number:{pattern:i(/[+-]?(?:0x[\da-f]+|0o[0-7]+|(?:\d+(?:\.\d*)?|\.\d+)(?:e[+-]?\d+)?|\.inf|\.nan)/.source,"i"),lookbehind:!0},tag:n,important:t,punctuation:/---|[:[\]{}\-,|>?]|\.\.\./},e.languages.yml=e.languages.yaml}(T),function(e){var t=/(?:\\.|[^\\\n\r]|(?:\n|\r\n?)(?![\r\n]))/.source;function n(e){return e=e.replace(/<inner>/g,(function(){return t})),RegExp(/((?:^|[^\\])(?:\\{2})*)/.source+"(?:"+e+")")}var r=/(?:\\.|``(?:[^`\r\n]|`(?!`))+``|`[^`\r\n]+`|[^\\|\r\n`])+/.source,a=/\|?__(?:\|__)+\|?(?:(?:\n|\r\n?)|(?![\s\S]))/.source.replace(/__/g,(function(){return r})),o=/\|?[ \t]*:?-{3,}:?[ \t]*(?:\|[ \t]*:?-{3,}:?[ \t]*)+\|?(?:\n|\r\n?)/.source,i=(e.languages.markdown=e.languages.extend("markup",{}),e.languages.insertBefore("markdown","prolog",{"front-matter-block":{pattern:/(^(?:\s*[\r\n])?)---(?!.)[\s\S]*?[\r\n]---(?!.)/,lookbehind:!0,greedy:!0,inside:{punctuation:/^---|---$/,"front-matter":{pattern:/\S+(?:\s+\S+)*/,alias:["yaml","language-yaml"],inside:e.languages.yaml}}},blockquote:{pattern:/^>(?:[\t ]*>)*/m,alias:"punctuation"},table:{pattern:RegExp("^"+a+o+"(?:"+a+")*","m"),inside:{"table-data-rows":{pattern:RegExp("^("+a+o+")(?:"+a+")*$"),lookbehind:!0,inside:{"table-data":{pattern:RegExp(r),inside:e.languages.markdown},punctuation:/\|/}},"table-line":{pattern:RegExp("^("+a+")"+o+"$"),lookbehind:!0,inside:{punctuation:/\||:?-{3,}:?/}},"table-header-row":{pattern:RegExp("^"+a+"$"),inside:{"table-header":{pattern:RegExp(r),alias:"important",inside:e.languages.markdown},punctuation:/\|/}}}},code:[{pattern:/((?:^|\n)[ \t]*\n|(?:^|\r\n?)[ \t]*\r\n?)(?: {4}|\t).+(?:(?:\n|\r\n?)(?: {4}|\t).+)*/,lookbehind:!0,alias:"keyword"},{pattern:/^```[\s\S]*?^```$/m,greedy:!0,inside:{"code-block":{pattern:/^(```.*(?:\n|\r\n?))[\s\S]+?(?=(?:\n|\r\n?)^```$)/m,lookbehind:!0},"code-language":{pattern:/^(```).+/,lookbehind:!0},punctuation:/```/}}],title:[{pattern:/\S.*(?:\n|\r\n?)(?:==+|--+)(?=[ \t]*$)/m,alias:"important",inside:{punctuation:/==+$|--+$/}},{pattern:/(^\s*)#.+/m,lookbehind:!0,alias:"important",inside:{punctuation:/^#+|#+$/}}],hr:{pattern:/(^\s*)([*-])(?:[\t ]*\2){2,}(?=\s*$)/m,lookbehind:!0,alias:"punctuation"},list:{pattern:/(^\s*)(?:[*+-]|\d+\.)(?=[\t ].)/m,lookbehind:!0,alias:"punctuation"},"url-reference":{pattern:/!?\[[^\]]+\]:[\t ]+(?:\S+|<(?:\\.|[^>\\])+>)(?:[\t ]+(?:"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|\((?:\\.|[^)\\])*\)))?/,inside:{variable:{pattern:/^(!?\[)[^\]]+/,lookbehind:!0},string:/(?:"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|\((?:\\.|[^)\\])*\))$/,punctuation:/^[\[\]!:]|[<>]/},alias:"url"},bold:{pattern:n(/\b__(?:(?!_)<inner>|_(?:(?!_)<inner>)+_)+__\b|\*\*(?:(?!\*)<inner>|\*(?:(?!\*)<inner>)+\*)+\*\*/.source),lookbehind:!0,greedy:!0,inside:{content:{pattern:/(^..)[\s\S]+(?=..$)/,lookbehind:!0,inside:{}},punctuation:/\*\*|__/}},italic:{pattern:n(/\b_(?:(?!_)<inner>|__(?:(?!_)<inner>)+__)+_\b|\*(?:(?!\*)<inner>|\*\*(?:(?!\*)<inner>)+\*\*)+\*/.source),lookbehind:!0,greedy:!0,inside:{content:{pattern:/(^.)[\s\S]+(?=.$)/,lookbehind:!0,inside:{}},punctuation:/[*_]/}},strike:{pattern:n(/(~~?)(?:(?!~)<inner>)+\2/.source),lookbehind:!0,greedy:!0,inside:{content:{pattern:/(^~~?)[\s\S]+(?=\1$)/,lookbehind:!0,inside:{}},punctuation:/~~?/}},"code-snippet":{pattern:/(^|[^\\`])(?:``[^`\r\n]+(?:`[^`\r\n]+)*``(?!`)|`[^`\r\n]+`(?!`))/,lookbehind:!0,greedy:!0,alias:["code","keyword"]},url:{pattern:n(/!?\[(?:(?!\])<inner>)+\](?:\([^\s)]+(?:[\t ]+"(?:\\.|[^"\\])*")?\)|[ \t]?\[(?:(?!\])<inner>)+\])/.source),lookbehind:!0,greedy:!0,inside:{operator:/^!/,content:{pattern:/(^\[)[^\]]+(?=\])/,lookbehind:!0,inside:{}},variable:{pattern:/(^\][ \t]?\[)[^\]]+(?=\]$)/,lookbehind:!0},url:{pattern:/(^\]\()[^\s)]+/,lookbehind:!0},string:{pattern:/(^[ \t]+)"(?:\\.|[^"\\])*"(?=\)$)/,lookbehind:!0}}}}),["url","bold","italic","strike"].forEach((function(t){["url","bold","italic","strike","code-snippet"].forEach((function(n){t!==n&&(e.languages.markdown[t].inside.content.inside[n]=e.languages.markdown[n])}))})),e.hooks.add("after-tokenize",(function(e){"markdown"!==e.language&&"md"!==e.language||function e(t){if(t&&"string"!=typeof t)for(var n=0,r=t.length;n<r;n++){var a,o=t[n];"code"!==o.type?e(o.content):(a=o.content[1],o=o.content[3],a&&o&&"code-language"===a.type&&"code-block"===o.type&&"string"==typeof a.content&&(a=a.content.replace(/\b#/g,"sharp").replace(/\b\+\+/g,"pp"),a="language-"+(a=(/[a-z][\w-]*/i.exec(a)||[""])[0].toLowerCase()),o.alias?"string"==typeof o.alias?o.alias=[o.alias,a]:o.alias.push(a):o.alias=[a]))}}(e.tokens)})),e.hooks.add("wrap",(function(t){if("code-block"===t.type){for(var n="",r=0,a=t.classes.length;r<a;r++){var o=t.classes[r];if(o=/language-(.+)/.exec(o)){n=o[1];break}}var c,u=e.languages[n];u?t.content=e.highlight(t.content.replace(i,"").replace(/&(\w{1,8}|#x?[\da-f]{1,8});/gi,(function(e,t){var n;return"#"===(t=t.toLowerCase())[0]?(n="x"===t[1]?parseInt(t.slice(2),16):Number(t.slice(1)),l(n)):s[t]||e})),u,n):n&&"none"!==n&&e.plugins.autoloader&&(c="md-"+(new Date).valueOf()+"-"+Math.floor(1e16*Math.random()),t.attributes.id=c,e.plugins.autoloader.loadLanguages(n,(function(){var t=document.getElementById(c);t&&(t.innerHTML=e.highlight(t.textContent,e.languages[n],n))})))}})),RegExp(e.languages.markup.tag.pattern.source,"gi")),s={amp:"&",lt:"<",gt:">",quot:'"'},l=String.fromCodePoint||String.fromCharCode;e.languages.md=e.languages.markdown}(T),T.languages.graphql={comment:/#.*/,description:{pattern:/(?:"""(?:[^"]|(?!""")")*"""|"(?:\\.|[^\\"\r\n])*")(?=\s*[a-z_])/i,greedy:!0,alias:"string",inside:{"language-markdown":{pattern:/(^"(?:"")?)(?!\1)[\s\S]+(?=\1$)/,lookbehind:!0,inside:T.languages.markdown}}},string:{pattern:/"""(?:[^"]|(?!""")")*"""|"(?:\\.|[^\\"\r\n])*"/,greedy:!0},number:/(?:\B-|\b)\d+(?:\.\d+)?(?:e[+-]?\d+)?\b/i,boolean:/\b(?:false|true)\b/,variable:/\$[a-z_]\w*/i,directive:{pattern:/@[a-z_]\w*/i,alias:"function"},"attr-name":{pattern:/\b[a-z_]\w*(?=\s*(?:\((?:[^()"]|"(?:\\.|[^\\"\r\n])*")*\))?:)/i,greedy:!0},"atom-input":{pattern:/\b[A-Z]\w*Input\b/,alias:"class-name"},scalar:/\b(?:Boolean|Float|ID|Int|String)\b/,constant:/\b[A-Z][A-Z_\d]*\b/,"class-name":{pattern:/(\b(?:enum|implements|interface|on|scalar|type|union)\s+|&\s*|:\s*|\[)[A-Z_]\w*/,lookbehind:!0},fragment:{pattern:/(\bfragment\s+|\.{3}\s*(?!on\b))[a-zA-Z_]\w*/,lookbehind:!0,alias:"function"},"definition-mutation":{pattern:/(\bmutation\s+)[a-zA-Z_]\w*/,lookbehind:!0,alias:"function"},"definition-query":{pattern:/(\bquery\s+)[a-zA-Z_]\w*/,lookbehind:!0,alias:"function"},keyword:/\b(?:directive|enum|extend|fragment|implements|input|interface|mutation|on|query|repeatable|scalar|schema|subscription|type|union)\b/,operator:/[!=|&]|\.{3}/,"property-query":/\w+(?=\s*\()/,object:/\w+(?=\s*\{)/,punctuation:/[!(){}\[\]:=,]/,property:/\w+/},T.hooks.add("after-tokenize",(function(e){if("graphql"===e.language)for(var t=e.tokens.filter((function(e){return"string"!=typeof e&&"comment"!==e.type&&"scalar"!==e.type})),n=0;n<t.length;){var r=t[n++];if("keyword"===r.type&&"mutation"===r.content){var a=[];if(d(["definition-mutation","punctuation"])&&"("===u(1).content){n+=2;var o=p(/^\($/,/^\)$/);if(-1===o)continue;for(;n<o;n++){var i=u(0);"variable"===i.type&&(f(i,"variable-input"),a.push(i.content))}n=o+1}if(d(["punctuation","property-query"])&&"{"===u(0).content&&(n++,f(u(0),"property-mutation"),0<a.length)){var s=p(/^\{$/,/^\}$/);if(-1!==s)for(var l=n;l<s;l++){var c=t[l];"variable"===c.type&&0<=a.indexOf(c.content)&&f(c,"variable-input")}}}}function u(e){return t[n+e]}function d(e,t){t=t||0;for(var n=0;n<e.length;n++){var r=u(n+t);if(!r||r.type!==e[n])return}return 1}function p(e,r){for(var a=1,o=n;o<t.length;o++){var i=t[o],s=i.content;if("punctuation"===i.type&&"string"==typeof s)if(e.test(s))a++;else if(r.test(s)&&0==--a)return o}return-1}function f(e,t){var n=e.alias;n?Array.isArray(n)||(e.alias=n=[n]):e.alias=n=[],n.push(t)}})),T.languages.sql={comment:{pattern:/(^|[^\\])(?:\/\*[\s\S]*?\*\/|(?:--|\/\/|#).*)/,lookbehind:!0},variable:[{pattern:/@(["'`])(?:\\[\s\S]|(?!\1)[^\\])+\1/,greedy:!0},/@[\w.$]+/],string:{pattern:/(^|[^@\\])("|')(?:\\[\s\S]|(?!\2)[^\\]|\2\2)*\2/,greedy:!0,lookbehind:!0},identifier:{pattern:/(^|[^@\\])`(?:\\[\s\S]|[^`\\]|``)*`/,greedy:!0,lookbehind:!0,inside:{punctuation:/^`|`$/}},function:/\b(?:AVG|COUNT|FIRST|FORMAT|LAST|LCASE|LEN|MAX|MID|MIN|MOD|NOW|ROUND|SUM|UCASE)(?=\s*\()/i,keyword:/\b(?:ACTION|ADD|AFTER|ALGORITHM|ALL|ALTER|ANALYZE|ANY|APPLY|AS|ASC|AUTHORIZATION|AUTO_INCREMENT|BACKUP|BDB|BEGIN|BERKELEYDB|BIGINT|BINARY|BIT|BLOB|BOOL|BOOLEAN|BREAK|BROWSE|BTREE|BULK|BY|CALL|CASCADED?|CASE|CHAIN|CHAR(?:ACTER|SET)?|CHECK(?:POINT)?|CLOSE|CLUSTERED|COALESCE|COLLATE|COLUMNS?|COMMENT|COMMIT(?:TED)?|COMPUTE|CONNECT|CONSISTENT|CONSTRAINT|CONTAINS(?:TABLE)?|CONTINUE|CONVERT|CREATE|CROSS|CURRENT(?:_DATE|_TIME|_TIMESTAMP|_USER)?|CURSOR|CYCLE|DATA(?:BASES?)?|DATE(?:TIME)?|DAY|DBCC|DEALLOCATE|DEC|DECIMAL|DECLARE|DEFAULT|DEFINER|DELAYED|DELETE|DELIMITERS?|DENY|DESC|DESCRIBE|DETERMINISTIC|DISABLE|DISCARD|DISK|DISTINCT|DISTINCTROW|DISTRIBUTED|DO|DOUBLE|DROP|DUMMY|DUMP(?:FILE)?|DUPLICATE|ELSE(?:IF)?|ENABLE|ENCLOSED|END|ENGINE|ENUM|ERRLVL|ERRORS|ESCAPED?|EXCEPT|EXEC(?:UTE)?|EXISTS|EXIT|EXPLAIN|EXTENDED|FETCH|FIELDS|FILE|FILLFACTOR|FIRST|FIXED|FLOAT|FOLLOWING|FOR(?: EACH ROW)?|FORCE|FOREIGN|FREETEXT(?:TABLE)?|FROM|FULL|FUNCTION|GEOMETRY(?:COLLECTION)?|GLOBAL|GOTO|GRANT|GROUP|HANDLER|HASH|HAVING|HOLDLOCK|HOUR|IDENTITY(?:COL|_INSERT)?|IF|IGNORE|IMPORT|INDEX|INFILE|INNER|INNODB|INOUT|INSERT|INT|INTEGER|INTERSECT|INTERVAL|INTO|INVOKER|ISOLATION|ITERATE|JOIN|KEYS?|KILL|LANGUAGE|LAST|LEAVE|LEFT|LEVEL|LIMIT|LINENO|LINES|LINESTRING|LOAD|LOCAL|LOCK|LONG(?:BLOB|TEXT)|LOOP|MATCH(?:ED)?|MEDIUM(?:BLOB|INT|TEXT)|MERGE|MIDDLEINT|MINUTE|MODE|MODIFIES|MODIFY|MONTH|MULTI(?:LINESTRING|POINT|POLYGON)|NATIONAL|NATURAL|NCHAR|NEXT|NO|NONCLUSTERED|NULLIF|NUMERIC|OFF?|OFFSETS?|ON|OPEN(?:DATASOURCE|QUERY|ROWSET)?|OPTIMIZE|OPTION(?:ALLY)?|ORDER|OUT(?:ER|FILE)?|OVER|PARTIAL|PARTITION|PERCENT|PIVOT|PLAN|POINT|POLYGON|PRECEDING|PRECISION|PREPARE|PREV|PRIMARY|PRINT|PRIVILEGES|PROC(?:EDURE)?|PUBLIC|PURGE|QUICK|RAISERROR|READS?|REAL|RECONFIGURE|REFERENCES|RELEASE|RENAME|REPEAT(?:ABLE)?|REPLACE|REPLICATION|REQUIRE|RESIGNAL|RESTORE|RESTRICT|RETURN(?:ING|S)?|REVOKE|RIGHT|ROLLBACK|ROUTINE|ROW(?:COUNT|GUIDCOL|S)?|RTREE|RULE|SAVE(?:POINT)?|SCHEMA|SECOND|SELECT|SERIAL(?:IZABLE)?|SESSION(?:_USER)?|SET(?:USER)?|SHARE|SHOW|SHUTDOWN|SIMPLE|SMALLINT|SNAPSHOT|SOME|SONAME|SQL|START(?:ING)?|STATISTICS|STATUS|STRIPED|SYSTEM_USER|TABLES?|TABLESPACE|TEMP(?:ORARY|TABLE)?|TERMINATED|TEXT(?:SIZE)?|THEN|TIME(?:STAMP)?|TINY(?:BLOB|INT|TEXT)|TOP?|TRAN(?:SACTIONS?)?|TRIGGER|TRUNCATE|TSEQUAL|TYPES?|UNBOUNDED|UNCOMMITTED|UNDEFINED|UNION|UNIQUE|UNLOCK|UNPIVOT|UNSIGNED|UPDATE(?:TEXT)?|USAGE|USE|USER|USING|VALUES?|VAR(?:BINARY|CHAR|CHARACTER|YING)|VIEW|WAITFOR|WARNINGS|WHEN|WHERE|WHILE|WITH(?: ROLLUP|IN)?|WORK|WRITE(?:TEXT)?|YEAR)\b/i,boolean:/\b(?:FALSE|NULL|TRUE)\b/i,number:/\b0x[\da-f]+\b|\b\d+(?:\.\d*)?|\B\.\d+\b/i,operator:/[-+*\/=%^~]|&&?|\|\|?|!=?|<(?:=>?|<|>)?|>[>=]?|\b(?:AND|BETWEEN|DIV|ILIKE|IN|IS|LIKE|NOT|OR|REGEXP|RLIKE|SOUNDS LIKE|XOR)\b/i,punctuation:/[;[\]()`,.]/},function(e){var t=e.languages.javascript["template-string"],n=t.pattern.source,r=t.inside.interpolation,a=r.inside["interpolation-punctuation"],o=r.pattern.source;function i(t,r){if(e.languages[t])return{pattern:RegExp("((?:"+r+")\\s*)"+n),lookbehind:!0,greedy:!0,inside:{"template-punctuation":{pattern:/^`|`$/,alias:"string"},"embedded-code":{pattern:/[\s\S]+/,alias:t}}}}function s(t,n,r){return t={code:t,grammar:n,language:r},e.hooks.run("before-tokenize",t),t.tokens=e.tokenize(t.code,t.grammar),e.hooks.run("after-tokenize",t),t.tokens}function l(t,n,i){var l=e.tokenize(t,{interpolation:{pattern:RegExp(o),lookbehind:!0}}),c=0,u={},d=(l=s(l.map((function(e){if("string"==typeof e)return e;var n,r;for(e=e.content;-1!==t.indexOf((r=c++,n="___"+i.toUpperCase()+"_"+r+"___")););return u[n]=e,n})).join(""),n,i),Object.keys(u));return c=0,function t(n){for(var o=0;o<n.length;o++){if(c>=d.length)return;var i,l,p,f,h,m,g,y=n[o];"string"==typeof y||"string"==typeof y.content?(i=d[c],-1!==(g=(m="string"==typeof y?y:y.content).indexOf(i))&&(++c,l=m.substring(0,g),h=u[i],p=void 0,(f={})["interpolation-punctuation"]=a,3===(f=e.tokenize(h,f)).length&&((p=[1,1]).push.apply(p,s(f[1],e.languages.javascript,"javascript")),f.splice.apply(f,p)),p=new e.Token("interpolation",f,r.alias,h),f=m.substring(g+i.length),h=[],l&&h.push(l),h.push(p),f&&(t(m=[f]),h.push.apply(h,m)),"string"==typeof y?(n.splice.apply(n,[o,1].concat(h)),o+=h.length-1):y.content=h)):(g=y.content,Array.isArray(g)?t(g):t([g]))}}(l),new e.Token(i,l,"language-"+i,t)}e.languages.javascript["template-string"]=[i("css",/\b(?:styled(?:\([^)]*\))?(?:\s*\.\s*\w+(?:\([^)]*\))*)*|css(?:\s*\.\s*(?:global|resolve))?|createGlobalStyle|keyframes)/.source),i("html",/\bhtml|\.\s*(?:inner|outer)HTML\s*\+?=/.source),i("svg",/\bsvg/.source),i("markdown",/\b(?:markdown|md)/.source),i("graphql",/\b(?:gql|graphql(?:\s*\.\s*experimental)?)/.source),i("sql",/\bsql/.source),t].filter(Boolean);var c={javascript:!0,js:!0,typescript:!0,ts:!0,jsx:!0,tsx:!0};function u(e){return"string"==typeof e?e:Array.isArray(e)?e.map(u).join(""):u(e.content)}e.hooks.add("after-tokenize",(function(t){t.language in c&&function t(n){for(var r=0,a=n.length;r<a;r++){var o,i,s,c=n[r];"string"!=typeof c&&(o=c.content,Array.isArray(o)?"template-string"===c.type?(c=o[1],3===o.length&&"string"!=typeof c&&"embedded-code"===c.type&&(i=u(c),c=c.alias,c=Array.isArray(c)?c[0]:c,s=e.languages[c])&&(o[1]=l(i,s,c))):t(o):"string"!=typeof o&&t([o]))}}(t.tokens)}))}(T),function(e){e.languages.typescript=e.languages.extend("javascript",{"class-name":{pattern:/(\b(?:class|extends|implements|instanceof|interface|new|type)\s+)(?!keyof\b)(?!\s)[_$a-zA-Z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*(?:\s*<(?:[^<>]|<(?:[^<>]|<[^<>]*>)*>)*>)?/,lookbehind:!0,greedy:!0,inside:null},builtin:/\b(?:Array|Function|Promise|any|boolean|console|never|number|string|symbol|unknown)\b/}),e.languages.typescript.keyword.push(/\b(?:abstract|declare|is|keyof|readonly|require)\b/,/\b(?:asserts|infer|interface|module|namespace|type)\b(?=\s*(?:[{_$a-zA-Z\xA0-\uFFFF]|$))/,/\btype\b(?=\s*(?:[\{*]|$))/),delete e.languages.typescript.parameter,delete e.languages.typescript["literal-property"];var t=e.languages.extend("typescript",{});delete t["class-name"],e.languages.typescript["class-name"].inside=t,e.languages.insertBefore("typescript","function",{decorator:{pattern:/@[$\w\xA0-\uFFFF]+/,inside:{at:{pattern:/^@/,alias:"operator"},function:/^[\s\S]+/}},"generic-function":{pattern:/#?(?!\s)[_$a-zA-Z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*\s*<(?:[^<>]|<(?:[^<>]|<[^<>]*>)*>)*>(?=\s*\()/,greedy:!0,inside:{function:/^#?(?!\s)[_$a-zA-Z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*/,generic:{pattern:/<[\s\S]+/,alias:"class-name",inside:t}}}}),e.languages.ts=e.languages.typescript}(T),function(e){var t=e.languages.javascript,n=/\{(?:[^{}]|\{(?:[^{}]|\{[^{}]*\})*\})+\}/.source,r="(@(?:arg|argument|param|property)\\s+(?:"+n+"\\s+)?)";e.languages.jsdoc=e.languages.extend("javadoclike",{parameter:{pattern:RegExp(r+/(?:(?!\s)[$\w\xA0-\uFFFF.])+(?=\s|$)/.source),lookbehind:!0,inside:{punctuation:/\./}}}),e.languages.insertBefore("jsdoc","keyword",{"optional-parameter":{pattern:RegExp(r+/\[(?:(?!\s)[$\w\xA0-\uFFFF.])+(?:=[^[\]]+)?\](?=\s|$)/.source),lookbehind:!0,inside:{parameter:{pattern:/(^\[)[$\w\xA0-\uFFFF\.]+/,lookbehind:!0,inside:{punctuation:/\./}},code:{pattern:/(=)[\s\S]*(?=\]$)/,lookbehind:!0,inside:t,alias:"language-javascript"},punctuation:/[=[\]]/}},"class-name":[{pattern:RegExp(/(@(?:augments|class|extends|interface|memberof!?|template|this|typedef)\s+(?:<TYPE>\s+)?)[A-Z]\w*(?:\.[A-Z]\w*)*/.source.replace(/<TYPE>/g,(function(){return n}))),lookbehind:!0,inside:{punctuation:/\./}},{pattern:RegExp("(@[a-z]+\\s+)"+n),lookbehind:!0,inside:{string:t.string,number:t.number,boolean:t.boolean,keyword:e.languages.typescript.keyword,operator:/=>|\.\.\.|[&|?:*]/,punctuation:/[.,;=<>{}()[\]]/}}],example:{pattern:/(@example\s+(?!\s))(?:[^@\s]|\s+(?!\s))+?(?=\s*(?:\*\s*)?(?:@\w|\*\/))/,lookbehind:!0,inside:{code:{pattern:/^([\t ]*(?:\*\s*)?)\S.*$/m,lookbehind:!0,inside:t,alias:"language-javascript"}}}}),e.languages.javadoclike.addSupport("javascript",e.languages.jsdoc)}(T),function(e){e.languages.flow=e.languages.extend("javascript",{}),e.languages.insertBefore("flow","keyword",{type:[{pattern:/\b(?:[Bb]oolean|Function|[Nn]umber|[Ss]tring|[Ss]ymbol|any|mixed|null|void)\b/,alias:"class-name"}]}),e.languages.flow["function-variable"].pattern=/(?!\s)[_$a-z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*(?=\s*=\s*(?:function\b|(?:\([^()]*\)(?:\s*:\s*\w+)?|(?!\s)[_$a-z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*)\s*=>))/i,delete e.languages.flow.parameter,e.languages.insertBefore("flow","operator",{"flow-punctuation":{pattern:/\{\||\|\}/,alias:"punctuation"}}),Array.isArray(e.languages.flow.keyword)||(e.languages.flow.keyword=[e.languages.flow.keyword]),e.languages.flow.keyword.unshift({pattern:/(^|[^$]\b)(?:Class|declare|opaque|type)\b(?!\$)/,lookbehind:!0},{pattern:/(^|[^$]\B)\$(?:Diff|Enum|Exact|Keys|ObjMap|PropertyType|Record|Shape|Subtype|Supertype|await)\b(?!\$)/,lookbehind:!0})}(T),T.languages.n4js=T.languages.extend("javascript",{keyword:/\b(?:Array|any|boolean|break|case|catch|class|const|constructor|continue|debugger|declare|default|delete|do|else|enum|export|extends|false|finally|for|from|function|get|if|implements|import|in|instanceof|interface|let|module|new|null|number|package|private|protected|public|return|set|static|string|super|switch|this|throw|true|try|typeof|var|void|while|with|yield)\b/}),T.languages.insertBefore("n4js","constant",{annotation:{pattern:/@+\w+/,alias:"operator"}}),T.languages.n4jsd=T.languages.n4js,function(e){function t(e,t){return RegExp(e.replace(/<ID>/g,(function(){return/(?!\s)[_$a-zA-Z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*/.source})),t)}e.languages.insertBefore("javascript","function-variable",{"method-variable":{pattern:RegExp("(\\.\\s*)"+e.languages.javascript["function-variable"].pattern.source),lookbehind:!0,alias:["function-variable","method","function","property-access"]}}),e.languages.insertBefore("javascript","function",{method:{pattern:RegExp("(\\.\\s*)"+e.languages.javascript.function.source),lookbehind:!0,alias:["function","property-access"]}}),e.languages.insertBefore("javascript","constant",{"known-class-name":[{pattern:/\b(?:(?:Float(?:32|64)|(?:Int|Uint)(?:8|16|32)|Uint8Clamped)?Array|ArrayBuffer|BigInt|Boolean|DataView|Date|Error|Function|Intl|JSON|(?:Weak)?(?:Map|Set)|Math|Number|Object|Promise|Proxy|Reflect|RegExp|String|Symbol|WebAssembly)\b/,alias:"class-name"},{pattern:/\b(?:[A-Z]\w*)Error\b/,alias:"class-name"}]}),e.languages.insertBefore("javascript","keyword",{imports:{pattern:t(/(\bimport\b\s*)(?:<ID>(?:\s*,\s*(?:\*\s*as\s+<ID>|\{[^{}]*\}))?|\*\s*as\s+<ID>|\{[^{}]*\})(?=\s*\bfrom\b)/.source),lookbehind:!0,inside:e.languages.javascript},exports:{pattern:t(/(\bexport\b\s*)(?:\*(?:\s*as\s+<ID>)?(?=\s*\bfrom\b)|\{[^{}]*\})/.source),lookbehind:!0,inside:e.languages.javascript}}),e.languages.javascript.keyword.unshift({pattern:/\b(?:as|default|export|from|import)\b/,alias:"module"},{pattern:/\b(?:await|break|catch|continue|do|else|finally|for|if|return|switch|throw|try|while|yield)\b/,alias:"control-flow"},{pattern:/\bnull\b/,alias:["null","nil"]},{pattern:/\bundefined\b/,alias:"nil"}),e.languages.insertBefore("javascript","operator",{spread:{pattern:/\.{3}/,alias:"operator"},arrow:{pattern:/=>/,alias:"operator"}}),e.languages.insertBefore("javascript","punctuation",{"property-access":{pattern:t(/(\.\s*)#?<ID>/.source),lookbehind:!0},"maybe-class-name":{pattern:/(^|[^$\w\xA0-\uFFFF])[A-Z][$\w\xA0-\uFFFF]+/,lookbehind:!0},dom:{pattern:/\b(?:document|(?:local|session)Storage|location|navigator|performance|window)\b/,alias:"variable"},console:{pattern:/\bconsole(?=\s*\.)/,alias:"class-name"}});for(var n=["function","function-variable","method","method-variable","property-access"],r=0;r<n.length;r++){var a=n[r],o=e.languages.javascript[a];a=(o="RegExp"===e.util.type(o)?e.languages.javascript[a]={pattern:o}:o).inside||{};(o.inside=a)["maybe-class-name"]=/^[A-Z][\s\S]*/}}(T),function(e){var t=e.util.clone(e.languages.javascript),n=/(?:\s|\/\/.*(?!.)|\/\*(?:[^*]|\*(?!\/))\*\/)/.source,r=/(?:\{(?:\{(?:\{[^{}]*\}|[^{}])*\}|[^{}])*\})/.source,a=/(?:\{<S>*\.{3}(?:[^{}]|<BRACES>)*\})/.source;function o(e,t){return e=e.replace(/<S>/g,(function(){return n})).replace(/<BRACES>/g,(function(){return r})).replace(/<SPREAD>/g,(function(){return a})),RegExp(e,t)}function i(t){for(var n=[],r=0;r<t.length;r++){var a=t[r],o=!1;"string"!=typeof a&&("tag"===a.type&&a.content[0]&&"tag"===a.content[0].type?"</"===a.content[0].content[0].content?0<n.length&&n[n.length-1].tagName===s(a.content[0].content[1])&&n.pop():"/>"!==a.content[a.content.length-1].content&&n.push({tagName:s(a.content[0].content[1]),openedBraces:0}):0<n.length&&"punctuation"===a.type&&"{"===a.content?n[n.length-1].openedBraces++:0<n.length&&0<n[n.length-1].openedBraces&&"punctuation"===a.type&&"}"===a.content?n[n.length-1].openedBraces--:o=!0),(o||"string"==typeof a)&&0<n.length&&0===n[n.length-1].openedBraces&&(o=s(a),r<t.length-1&&("string"==typeof t[r+1]||"plain-text"===t[r+1].type)&&(o+=s(t[r+1]),t.splice(r+1,1)),0<r&&("string"==typeof t[r-1]||"plain-text"===t[r-1].type)&&(o=s(t[r-1])+o,t.splice(r-1,1),r--),t[r]=new e.Token("plain-text",o,null,o)),a.content&&"string"!=typeof a.content&&i(a.content)}}a=o(a).source,e.languages.jsx=e.languages.extend("markup",t),e.languages.jsx.tag.pattern=o(/<\/?(?:[\w.:-]+(?:<S>+(?:[\w.:$-]+(?:=(?:"(?:\\[\s\S]|[^\\"])*"|'(?:\\[\s\S]|[^\\'])*'|[^\s{'"/>=]+|<BRACES>))?|<SPREAD>))*<S>*\/?)?>/.source),e.languages.jsx.tag.inside.tag.pattern=/^<\/?[^\s>\/]*/,e.languages.jsx.tag.inside["attr-value"].pattern=/=(?!\{)(?:"(?:\\[\s\S]|[^\\"])*"|'(?:\\[\s\S]|[^\\'])*'|[^\s'">]+)/,e.languages.jsx.tag.inside.tag.inside["class-name"]=/^[A-Z]\w*(?:\.[A-Z]\w*)*$/,e.languages.jsx.tag.inside.comment=t.comment,e.languages.insertBefore("inside","attr-name",{spread:{pattern:o(/<SPREAD>/.source),inside:e.languages.jsx}},e.languages.jsx.tag),e.languages.insertBefore("inside","special-attr",{script:{pattern:o(/=<BRACES>/.source),alias:"language-javascript",inside:{"script-punctuation":{pattern:/^=(?=\{)/,alias:"punctuation"},rest:e.languages.jsx}}},e.languages.jsx.tag);var s=function(e){return e?"string"==typeof e?e:"string"==typeof e.content?e.content:e.content.map(s).join(""):""};e.hooks.add("after-tokenize",(function(e){"jsx"!==e.language&&"tsx"!==e.language||i(e.tokens)}))}(T),function(e){var t=e.util.clone(e.languages.typescript);(t=(e.languages.tsx=e.languages.extend("jsx",t),delete e.languages.tsx.parameter,delete e.languages.tsx["literal-property"],e.languages.tsx.tag)).pattern=RegExp(/(^|[^\w$]|(?=<\/))/.source+"(?:"+t.pattern.source+")",t.pattern.flags),t.lookbehind=!0}(T),T.languages.swift={comment:{pattern:/(^|[^\\:])(?:\/\/.*|\/\*(?:[^/*]|\/(?!\*)|\*(?!\/)|\/\*(?:[^*]|\*(?!\/))*\*\/)*\*\/)/,lookbehind:!0,greedy:!0},"string-literal":[{pattern:RegExp(/(^|[^"#])/.source+"(?:"+/"(?:\\(?:\((?:[^()]|\([^()]*\))*\)|\r\n|[^(])|[^\\\r\n"])*"/.source+"|"+/"""(?:\\(?:\((?:[^()]|\([^()]*\))*\)|[^(])|[^\\"]|"(?!""))*"""/.source+")"+/(?!["#])/.source),lookbehind:!0,greedy:!0,inside:{interpolation:{pattern:/(\\\()(?:[^()]|\([^()]*\))*(?=\))/,lookbehind:!0,inside:null},"interpolation-punctuation":{pattern:/^\)|\\\($/,alias:"punctuation"},punctuation:/\\(?=[\r\n])/,string:/[\s\S]+/}},{pattern:RegExp(/(^|[^"#])(#+)/.source+"(?:"+/"(?:\\(?:#+\((?:[^()]|\([^()]*\))*\)|\r\n|[^#])|[^\\\r\n])*?"/.source+"|"+/"""(?:\\(?:#+\((?:[^()]|\([^()]*\))*\)|[^#])|[^\\])*?"""/.source+")\\2"),lookbehind:!0,greedy:!0,inside:{interpolation:{pattern:/(\\#+\()(?:[^()]|\([^()]*\))*(?=\))/,lookbehind:!0,inside:null},"interpolation-punctuation":{pattern:/^\)|\\#+\($/,alias:"punctuation"},string:/[\s\S]+/}}],directive:{pattern:RegExp(/#/.source+"(?:"+/(?:elseif|if)\b/.source+"(?:[ \t]*"+/(?:![ \t]*)?(?:\b\w+\b(?:[ \t]*\((?:[^()]|\([^()]*\))*\))?|\((?:[^()]|\([^()]*\))*\))(?:[ \t]*(?:&&|\|\|))?/.source+")+|"+/(?:else|endif)\b/.source+")"),alias:"property",inside:{"directive-name":/^#\w+/,boolean:/\b(?:false|true)\b/,number:/\b\d+(?:\.\d+)*\b/,operator:/!|&&|\|\||[<>]=?/,punctuation:/[(),]/}},literal:{pattern:/#(?:colorLiteral|column|dsohandle|file(?:ID|Literal|Path)?|function|imageLiteral|line)\b/,alias:"constant"},"other-directive":{pattern:/#\w+\b/,alias:"property"},attribute:{pattern:/@\w+/,alias:"atrule"},"function-definition":{pattern:/(\bfunc\s+)\w+/,lookbehind:!0,alias:"function"},label:{pattern:/\b(break|continue)\s+\w+|\b[a-zA-Z_]\w*(?=\s*:\s*(?:for|repeat|while)\b)/,lookbehind:!0,alias:"important"},keyword:/\b(?:Any|Protocol|Self|Type|actor|as|assignment|associatedtype|associativity|async|await|break|case|catch|class|continue|convenience|default|defer|deinit|didSet|do|dynamic|else|enum|extension|fallthrough|fileprivate|final|for|func|get|guard|higherThan|if|import|in|indirect|infix|init|inout|internal|is|isolated|lazy|left|let|lowerThan|mutating|none|nonisolated|nonmutating|open|operator|optional|override|postfix|precedencegroup|prefix|private|protocol|public|repeat|required|rethrows|return|right|safe|self|set|some|static|struct|subscript|super|switch|throw|throws|try|typealias|unowned|unsafe|var|weak|where|while|willSet)\b/,boolean:/\b(?:false|true)\b/,nil:{pattern:/\bnil\b/,alias:"constant"},"short-argument":/\$\d+\b/,omit:{pattern:/\b_\b/,alias:"keyword"},number:/\b(?:[\d_]+(?:\.[\de_]+)?|0x[a-f0-9_]+(?:\.[a-f0-9p_]+)?|0b[01_]+|0o[0-7_]+)\b/i,"class-name":/\b[A-Z](?:[A-Z_\d]*[a-z]\w*)?\b/,function:/\b[a-z_]\w*(?=\s*\()/i,constant:/\b(?:[A-Z_]{2,}|k[A-Z][A-Za-z_]+)\b/,operator:/[-+*/%=!<>&|^~?]+|\.[.\-+*/%=!<>&|^~?]+/,punctuation:/[{}[\]();,.:\\]/},T.languages.swift["string-literal"].forEach((function(e){e.inside.interpolation.inside=T.languages.swift})),function(e){e.languages.kotlin=e.languages.extend("clike",{keyword:{pattern:/(^|[^.])\b(?:abstract|actual|annotation|as|break|by|catch|class|companion|const|constructor|continue|crossinline|data|do|dynamic|else|enum|expect|external|final|finally|for|fun|get|if|import|in|infix|init|inline|inner|interface|internal|is|lateinit|noinline|null|object|open|operator|out|override|package|private|protected|public|reified|return|sealed|set|super|suspend|tailrec|this|throw|to|try|typealias|val|var|vararg|when|where|while)\b/,lookbehind:!0},function:[{pattern:/(?:`[^\r\n`]+`|\b\w+)(?=\s*\()/,greedy:!0},{pattern:/(\.)(?:`[^\r\n`]+`|\w+)(?=\s*\{)/,lookbehind:!0,greedy:!0}],number:/\b(?:0[xX][\da-fA-F]+(?:_[\da-fA-F]+)*|0[bB][01]+(?:_[01]+)*|\d+(?:_\d+)*(?:\.\d+(?:_\d+)*)?(?:[eE][+-]?\d+(?:_\d+)*)?[fFL]?)\b/,operator:/\+[+=]?|-[-=>]?|==?=?|!(?:!|==?)?|[\/*%<>]=?|[?:]:?|\.\.|&&|\|\||\b(?:and|inv|or|shl|shr|ushr|xor)\b/}),delete e.languages.kotlin["class-name"];var t={"interpolation-punctuation":{pattern:/^\$\{?|\}$/,alias:"punctuation"},expression:{pattern:/[\s\S]+/,inside:e.languages.kotlin}};e.languages.insertBefore("kotlin","string",{"string-literal":[{pattern:/"""(?:[^$]|\$(?:(?!\{)|\{[^{}]*\}))*?"""/,alias:"multiline",inside:{interpolation:{pattern:/\$(?:[a-z_]\w*|\{[^{}]*\})/i,inside:t},string:/[\s\S]+/}},{pattern:/"(?:[^"\\\r\n$]|\\.|\$(?:(?!\{)|\{[^{}]*\}))*"/,alias:"singleline",inside:{interpolation:{pattern:/((?:^|[^\\])(?:\\{2})*)\$(?:[a-z_]\w*|\{[^{}]*\})/i,lookbehind:!0,inside:t},string:/[\s\S]+/}}],char:{pattern:/'(?:[^'\\\r\n]|\\(?:.|u[a-fA-F0-9]{0,4}))'/,greedy:!0}}),delete e.languages.kotlin.string,e.languages.insertBefore("kotlin","keyword",{annotation:{pattern:/\B@(?:\w+:)?(?:[A-Z]\w*|\[[^\]]+\])/,alias:"builtin"}}),e.languages.insertBefore("kotlin","function",{label:{pattern:/\b\w+@|@\w+\b/,alias:"symbol"}}),e.languages.kt=e.languages.kotlin,e.languages.kts=e.languages.kotlin}(T),T.languages.c=T.languages.extend("clike",{comment:{pattern:/\/\/(?:[^\r\n\\]|\\(?:\r\n?|\n|(?![\r\n])))*|\/\*[\s\S]*?(?:\*\/|$)/,greedy:!0},string:{pattern:/"(?:\\(?:\r\n|[\s\S])|[^"\\\r\n])*"/,greedy:!0},"class-name":{pattern:/(\b(?:enum|struct)\s+(?:__attribute__\s*\(\([\s\S]*?\)\)\s*)?)\w+|\b[a-z]\w*_t\b/,lookbehind:!0},keyword:/\b(?:_Alignas|_Alignof|_Atomic|_Bool|_Complex|_Generic|_Imaginary|_Noreturn|_Static_assert|_Thread_local|__attribute__|asm|auto|break|case|char|const|continue|default|do|double|else|enum|extern|float|for|goto|if|inline|int|long|register|return|short|signed|sizeof|static|struct|switch|typedef|typeof|union|unsigned|void|volatile|while)\b/,function:/\b[a-z_]\w*(?=\s*\()/i,number:/(?:\b0x(?:[\da-f]+(?:\.[\da-f]*)?|\.[\da-f]+)(?:p[+-]?\d+)?|(?:\b\d+(?:\.\d*)?|\B\.\d+)(?:e[+-]?\d+)?)[ful]{0,4}/i,operator:/>>=?|<<=?|->|([-+&|:])\1|[?:~]|[-+*/%&|^!=<>]=?/}),T.languages.insertBefore("c","string",{char:{pattern:/'(?:\\(?:\r\n|[\s\S])|[^'\\\r\n]){0,32}'/,greedy:!0}}),T.languages.insertBefore("c","string",{macro:{pattern:/(^[\t ]*)#\s*[a-z](?:[^\r\n\\/]|\/(?!\*)|\/\*(?:[^*]|\*(?!\/))*\*\/|\\(?:\r\n|[\s\S]))*/im,lookbehind:!0,greedy:!0,alias:"property",inside:{string:[{pattern:/^(#\s*include\s*)<[^>]+>/,lookbehind:!0},T.languages.c.string],char:T.languages.c.char,comment:T.languages.c.comment,"macro-name":[{pattern:/(^#\s*define\s+)\w+\b(?!\()/i,lookbehind:!0},{pattern:/(^#\s*define\s+)\w+\b(?=\()/i,lookbehind:!0,alias:"function"}],directive:{pattern:/^(#\s*)[a-z]+/,lookbehind:!0,alias:"keyword"},"directive-hash":/^#/,punctuation:/##|\\(?=[\r\n])/,expression:{pattern:/\S[\s\S]*/,inside:T.languages.c}}}}),T.languages.insertBefore("c","function",{constant:/\b(?:EOF|NULL|SEEK_CUR|SEEK_END|SEEK_SET|__DATE__|__FILE__|__LINE__|__TIMESTAMP__|__TIME__|__func__|stderr|stdin|stdout)\b/}),delete T.languages.c.boolean,T.languages.objectivec=T.languages.extend("c",{string:{pattern:/@?"(?:\\(?:\r\n|[\s\S])|[^"\\\r\n])*"/,greedy:!0},keyword:/\b(?:asm|auto|break|case|char|const|continue|default|do|double|else|enum|extern|float|for|goto|if|in|inline|int|long|register|return|self|short|signed|sizeof|static|struct|super|switch|typedef|typeof|union|unsigned|void|volatile|while)\b|(?:@interface|@end|@implementation|@protocol|@class|@public|@protected|@private|@property|@try|@catch|@finally|@throw|@synthesize|@dynamic|@selector)\b/,operator:/-[->]?|\+\+?|!=?|<<?=?|>>?=?|==?|&&?|\|\|?|[~^%?*\/@]/}),delete T.languages.objectivec["class-name"],T.languages.objc=T.languages.objectivec,T.languages.reason=T.languages.extend("clike",{string:{pattern:/"(?:\\(?:\r\n|[\s\S])|[^\\\r\n"])*"/,greedy:!0},"class-name":/\b[A-Z]\w*/,keyword:/\b(?:and|as|assert|begin|class|constraint|do|done|downto|else|end|exception|external|for|fun|function|functor|if|in|include|inherit|initializer|lazy|let|method|module|mutable|new|nonrec|object|of|open|or|private|rec|sig|struct|switch|then|to|try|type|val|virtual|when|while|with)\b/,operator:/\.{3}|:[:=]|\|>|->|=(?:==?|>)?|<=?|>=?|[|^?'#!~`]|[+\-*\/]\.?|\b(?:asr|land|lor|lsl|lsr|lxor|mod)\b/}),T.languages.insertBefore("reason","class-name",{char:{pattern:/'(?:\\x[\da-f]{2}|\\o[0-3][0-7][0-7]|\\\d{3}|\\.|[^'\\\r\n])'/,greedy:!0},constructor:/\b[A-Z]\w*\b(?!\s*\.)/,label:{pattern:/\b[a-z]\w*(?=::)/,alias:"symbol"}}),delete T.languages.reason.function,function(e){for(var t=/\/\*(?:[^*/]|\*(?!\/)|\/(?!\*)|<self>)*\*\//.source,n=0;n<2;n++)t=t.replace(/<self>/g,(function(){return t}));t=t.replace(/<self>/g,(function(){return/[^\s\S]/.source})),e.languages.rust={comment:[{pattern:RegExp(/(^|[^\\])/.source+t),lookbehind:!0,greedy:!0},{pattern:/(^|[^\\:])\/\/.*/,lookbehind:!0,greedy:!0}],string:{pattern:/b?"(?:\\[\s\S]|[^\\"])*"|b?r(#*)"(?:[^"]|"(?!\1))*"\1/,greedy:!0},char:{pattern:/b?'(?:\\(?:x[0-7][\da-fA-F]|u\{(?:[\da-fA-F]_*){1,6}\}|.)|[^\\\r\n\t'])'/,greedy:!0},attribute:{pattern:/#!?\[(?:[^\[\]"]|"(?:\\[\s\S]|[^\\"])*")*\]/,greedy:!0,alias:"attr-name",inside:{string:null}},"closure-params":{pattern:/([=(,:]\s*|\bmove\s*)\|[^|]*\||\|[^|]*\|(?=\s*(?:\{|->))/,lookbehind:!0,greedy:!0,inside:{"closure-punctuation":{pattern:/^\||\|$/,alias:"punctuation"},rest:null}},"lifetime-annotation":{pattern:/'\w+/,alias:"symbol"},"fragment-specifier":{pattern:/(\$\w+:)[a-z]+/,lookbehind:!0,alias:"punctuation"},variable:/\$\w+/,"function-definition":{pattern:/(\bfn\s+)\w+/,lookbehind:!0,alias:"function"},"type-definition":{pattern:/(\b(?:enum|struct|trait|type|union)\s+)\w+/,lookbehind:!0,alias:"class-name"},"module-declaration":[{pattern:/(\b(?:crate|mod)\s+)[a-z][a-z_\d]*/,lookbehind:!0,alias:"namespace"},{pattern:/(\b(?:crate|self|super)\s*)::\s*[a-z][a-z_\d]*\b(?:\s*::(?:\s*[a-z][a-z_\d]*\s*::)*)?/,lookbehind:!0,alias:"namespace",inside:{punctuation:/::/}}],keyword:[/\b(?:Self|abstract|as|async|await|become|box|break|const|continue|crate|do|dyn|else|enum|extern|final|fn|for|if|impl|in|let|loop|macro|match|mod|move|mut|override|priv|pub|ref|return|self|static|struct|super|trait|try|type|typeof|union|unsafe|unsized|use|virtual|where|while|yield)\b/,/\b(?:bool|char|f(?:32|64)|[ui](?:8|16|32|64|128|size)|str)\b/],function:/\b[a-z_]\w*(?=\s*(?:::\s*<|\())/,macro:{pattern:/\b\w+!/,alias:"property"},constant:/\b[A-Z_][A-Z_\d]+\b/,"class-name":/\b[A-Z]\w*\b/,namespace:{pattern:/(?:\b[a-z][a-z_\d]*\s*::\s*)*\b[a-z][a-z_\d]*\s*::(?!\s*<)/,inside:{punctuation:/::/}},number:/\b(?:0x[\dA-Fa-f](?:_?[\dA-Fa-f])*|0o[0-7](?:_?[0-7])*|0b[01](?:_?[01])*|(?:(?:\d(?:_?\d)*)?\.)?\d(?:_?\d)*(?:[Ee][+-]?\d+)?)(?:_?(?:f32|f64|[iu](?:8|16|32|64|size)?))?\b/,boolean:/\b(?:false|true)\b/,punctuation:/->|\.\.=|\.{1,3}|::|[{}[\];(),:]/,operator:/[-+*\/%!^]=?|=[=>]?|&[&=]?|\|[|=]?|<<?=?|>>?=?|[@?]/},e.languages.rust["closure-params"].inside.rest=e.languages.rust,e.languages.rust.attribute.inside.string=e.languages.rust.string}(T),T.languages.go=T.languages.extend("clike",{string:{pattern:/(^|[^\\])"(?:\\.|[^"\\\r\n])*"|`[^`]*`/,lookbehind:!0,greedy:!0},keyword:/\b(?:break|case|chan|const|continue|default|defer|else|fallthrough|for|func|go(?:to)?|if|import|interface|map|package|range|return|select|struct|switch|type|var)\b/,boolean:/\b(?:_|false|iota|nil|true)\b/,number:[/\b0(?:b[01_]+|o[0-7_]+)i?\b/i,/\b0x(?:[a-f\d_]+(?:\.[a-f\d_]*)?|\.[a-f\d_]+)(?:p[+-]?\d+(?:_\d+)*)?i?(?!\w)/i,/(?:\b\d[\d_]*(?:\.[\d_]*)?|\B\.\d[\d_]*)(?:e[+-]?[\d_]+)?i?(?!\w)/i],operator:/[*\/%^!=]=?|\+[=+]?|-[=-]?|\|[=|]?|&(?:=|&|\^=?)?|>(?:>=?|=)?|<(?:<=?|=|-)?|:=|\.\.\./,builtin:/\b(?:append|bool|byte|cap|close|complex|complex(?:64|128)|copy|delete|error|float(?:32|64)|u?int(?:8|16|32|64)?|imag|len|make|new|panic|print(?:ln)?|real|recover|rune|string|uintptr)\b/}),T.languages.insertBefore("go","string",{char:{pattern:/'(?:\\.|[^'\\\r\n]){0,10}'/,greedy:!0}}),delete T.languages.go["class-name"],function(e){var t=/\b(?:alignas|alignof|asm|auto|bool|break|case|catch|char|char16_t|char32_t|char8_t|class|co_await|co_return|co_yield|compl|concept|const|const_cast|consteval|constexpr|constinit|continue|decltype|default|delete|do|double|dynamic_cast|else|enum|explicit|export|extern|final|float|for|friend|goto|if|import|inline|int|int16_t|int32_t|int64_t|int8_t|long|module|mutable|namespace|new|noexcept|nullptr|operator|override|private|protected|public|register|reinterpret_cast|requires|return|short|signed|sizeof|static|static_assert|static_cast|struct|switch|template|this|thread_local|throw|try|typedef|typeid|typename|uint16_t|uint32_t|uint64_t|uint8_t|union|unsigned|using|virtual|void|volatile|wchar_t|while)\b/,n=/\b(?!<keyword>)\w+(?:\s*\.\s*\w+)*\b/.source.replace(/<keyword>/g,(function(){return t.source}));e.languages.cpp=e.languages.extend("c",{"class-name":[{pattern:RegExp(/(\b(?:class|concept|enum|struct|typename)\s+)(?!<keyword>)\w+/.source.replace(/<keyword>/g,(function(){return t.source}))),lookbehind:!0},/\b[A-Z]\w*(?=\s*::\s*\w+\s*\()/,/\b[A-Z_]\w*(?=\s*::\s*~\w+\s*\()/i,/\b\w+(?=\s*<(?:[^<>]|<(?:[^<>]|<[^<>]*>)*>)*>\s*::\s*\w+\s*\()/],keyword:t,number:{pattern:/(?:\b0b[01']+|\b0x(?:[\da-f']+(?:\.[\da-f']*)?|\.[\da-f']+)(?:p[+-]?[\d']+)?|(?:\b[\d']+(?:\.[\d']*)?|\B\.[\d']+)(?:e[+-]?[\d']+)?)[ful]{0,4}/i,greedy:!0},operator:/>>=?|<<=?|->|--|\+\+|&&|\|\||[?:~]|<=>|[-+*/%&|^!=<>]=?|\b(?:and|and_eq|bitand|bitor|not|not_eq|or|or_eq|xor|xor_eq)\b/,boolean:/\b(?:false|true)\b/}),e.languages.insertBefore("cpp","string",{module:{pattern:RegExp(/(\b(?:import|module)\s+)/.source+"(?:"+/"(?:\\(?:\r\n|[\s\S])|[^"\\\r\n])*"|<[^<>\r\n]*>/.source+"|"+/<mod-name>(?:\s*:\s*<mod-name>)?|:\s*<mod-name>/.source.replace(/<mod-name>/g,(function(){return n}))+")"),lookbehind:!0,greedy:!0,inside:{string:/^[<"][\s\S]+/,operator:/:/,punctuation:/\./}},"raw-string":{pattern:/R"([^()\\ ]{0,16})\([\s\S]*?\)\1"/,alias:"string",greedy:!0}}),e.languages.insertBefore("cpp","keyword",{"generic-function":{pattern:/\b(?!operator\b)[a-z_]\w*\s*<(?:[^<>]|<[^<>]*>)*>(?=\s*\()/i,inside:{function:/^\w+/,generic:{pattern:/<[\s\S]+/,alias:"class-name",inside:e.languages.cpp}}}}),e.languages.insertBefore("cpp","operator",{"double-colon":{pattern:/::/,alias:"punctuation"}}),e.languages.insertBefore("cpp","class-name",{"base-clause":{pattern:/(\b(?:class|struct)\s+\w+\s*:\s*)[^;{}"'\s]+(?:\s+[^;{}"'\s]+)*(?=\s*[;{])/,lookbehind:!0,greedy:!0,inside:e.languages.extend("cpp",{})}}),e.languages.insertBefore("inside","double-colon",{"class-name":/\b[a-z_]\w*\b(?!\s*::)/i},e.languages.cpp["base-clause"])}(T),T.languages.python={comment:{pattern:/(^|[^\\])#.*/,lookbehind:!0,greedy:!0},"string-interpolation":{pattern:/(?:f|fr|rf)(?:("""|''')[\s\S]*?\1|("|')(?:\\.|(?!\2)[^\\\r\n])*\2)/i,greedy:!0,inside:{interpolation:{pattern:/((?:^|[^{])(?:\{\{)*)\{(?!\{)(?:[^{}]|\{(?!\{)(?:[^{}]|\{(?!\{)(?:[^{}])+\})+\})+\}/,lookbehind:!0,inside:{"format-spec":{pattern:/(:)[^:(){}]+(?=\}$)/,lookbehind:!0},"conversion-option":{pattern:/![sra](?=[:}]$)/,alias:"punctuation"},rest:null}},string:/[\s\S]+/}},"triple-quoted-string":{pattern:/(?:[rub]|br|rb)?("""|''')[\s\S]*?\1/i,greedy:!0,alias:"string"},string:{pattern:/(?:[rub]|br|rb)?("|')(?:\\.|(?!\1)[^\\\r\n])*\1/i,greedy:!0},function:{pattern:/((?:^|\s)def[ \t]+)[a-zA-Z_]\w*(?=\s*\()/g,lookbehind:!0},"class-name":{pattern:/(\bclass\s+)\w+/i,lookbehind:!0},decorator:{pattern:/(^[\t ]*)@\w+(?:\.\w+)*/m,lookbehind:!0,alias:["annotation","punctuation"],inside:{punctuation:/\./}},keyword:/\b(?:_(?=\s*:)|and|as|assert|async|await|break|case|class|continue|def|del|elif|else|except|exec|finally|for|from|global|if|import|in|is|lambda|match|nonlocal|not|or|pass|print|raise|return|try|while|with|yield)\b/,builtin:/\b(?:__import__|abs|all|any|apply|ascii|basestring|bin|bool|buffer|bytearray|bytes|callable|chr|classmethod|cmp|coerce|compile|complex|delattr|dict|dir|divmod|enumerate|eval|execfile|file|filter|float|format|frozenset|getattr|globals|hasattr|hash|help|hex|id|input|int|intern|isinstance|issubclass|iter|len|list|locals|long|map|max|memoryview|min|next|object|oct|open|ord|pow|property|range|raw_input|reduce|reload|repr|reversed|round|set|setattr|slice|sorted|staticmethod|str|sum|super|tuple|type|unichr|unicode|vars|xrange|zip)\b/,boolean:/\b(?:False|None|True)\b/,number:/\b0(?:b(?:_?[01])+|o(?:_?[0-7])+|x(?:_?[a-f0-9])+)\b|(?:\b\d+(?:_\d+)*(?:\.(?:\d+(?:_\d+)*)?)?|\B\.\d+(?:_\d+)*)(?:e[+-]?\d+(?:_\d+)*)?j?(?!\w)/i,operator:/[-+%=]=?|!=|:=|\*\*?=?|\/\/?=?|<[<=>]?|>[=>]?|[&|^~]/,punctuation:/[{}[\];(),.:]/},T.languages.python["string-interpolation"].inside.interpolation.inside.rest=T.languages.python,T.languages.py=T.languages.python;((e,t)=>{for(var n in t)f(e,n,{get:t[n],enumerable:!0})})({},{dracula:()=>L,duotoneDark:()=>R,duotoneLight:()=>j,github:()=>N,jettwaveDark:()=>H,jettwaveLight:()=>Q,nightOwl:()=>P,nightOwlLight:()=>A,oceanicNext:()=>D,okaidia:()=>F,oneDark:()=>Z,oneLight:()=>W,palenight:()=>M,shadesOfPurple:()=>z,synthwave84:()=>B,ultramin:()=>$,vsDark:()=>U,vsLight:()=>q});var L={plain:{color:"#F8F8F2",backgroundColor:"#282A36"},styles:[{types:["prolog","constant","builtin"],style:{color:"rgb(189, 147, 249)"}},{types:["inserted","function"],style:{color:"rgb(80, 250, 123)"}},{types:["deleted"],style:{color:"rgb(255, 85, 85)"}},{types:["changed"],style:{color:"rgb(255, 184, 108)"}},{types:["punctuation","symbol"],style:{color:"rgb(248, 248, 242)"}},{types:["string","char","tag","selector"],style:{color:"rgb(255, 121, 198)"}},{types:["keyword","variable"],style:{color:"rgb(189, 147, 249)",fontStyle:"italic"}},{types:["comment"],style:{color:"rgb(98, 114, 164)"}},{types:["attr-name"],style:{color:"rgb(241, 250, 140)"}}]},R={plain:{backgroundColor:"#2a2734",color:"#9a86fd"},styles:[{types:["comment","prolog","doctype","cdata","punctuation"],style:{color:"#6c6783"}},{types:["namespace"],style:{opacity:.7}},{types:["tag","operator","number"],style:{color:"#e09142"}},{types:["property","function"],style:{color:"#9a86fd"}},{types:["tag-id","selector","atrule-id"],style:{color:"#eeebff"}},{types:["attr-name"],style:{color:"#c4b9fe"}},{types:["boolean","string","entity","url","attr-value","keyword","control","directive","unit","statement","regex","atrule","placeholder","variable"],style:{color:"#ffcc99"}},{types:["deleted"],style:{textDecorationLine:"line-through"}},{types:["inserted"],style:{textDecorationLine:"underline"}},{types:["italic"],style:{fontStyle:"italic"}},{types:["important","bold"],style:{fontWeight:"bold"}},{types:["important"],style:{color:"#c4b9fe"}}]},j={plain:{backgroundColor:"#faf8f5",color:"#728fcb"},styles:[{types:["comment","prolog","doctype","cdata","punctuation"],style:{color:"#b6ad9a"}},{types:["namespace"],style:{opacity:.7}},{types:["tag","operator","number"],style:{color:"#063289"}},{types:["property","function"],style:{color:"#b29762"}},{types:["tag-id","selector","atrule-id"],style:{color:"#2d2006"}},{types:["attr-name"],style:{color:"#896724"}},{types:["boolean","string","entity","url","attr-value","keyword","control","directive","unit","statement","regex","atrule"],style:{color:"#728fcb"}},{types:["placeholder","variable"],style:{color:"#93abdc"}},{types:["deleted"],style:{textDecorationLine:"line-through"}},{types:["inserted"],style:{textDecorationLine:"underline"}},{types:["italic"],style:{fontStyle:"italic"}},{types:["important","bold"],style:{fontWeight:"bold"}},{types:["important"],style:{color:"#896724"}}]},N={plain:{color:"#393A34",backgroundColor:"#f6f8fa"},styles:[{types:["comment","prolog","doctype","cdata"],style:{color:"#999988",fontStyle:"italic"}},{types:["namespace"],style:{opacity:.7}},{types:["string","attr-value"],style:{color:"#e3116c"}},{types:["punctuation","operator"],style:{color:"#393A34"}},{types:["entity","url","symbol","number","boolean","variable","constant","property","regex","inserted"],style:{color:"#36acaa"}},{types:["atrule","keyword","attr-name","selector"],style:{color:"#00a4db"}},{types:["function","deleted","tag"],style:{color:"#d73a49"}},{types:["function-variable"],style:{color:"#6f42c1"}},{types:["tag","selector","keyword"],style:{color:"#00009f"}}]},P={plain:{color:"#d6deeb",backgroundColor:"#011627"},styles:[{types:["changed"],style:{color:"rgb(162, 191, 252)",fontStyle:"italic"}},{types:["deleted"],style:{color:"rgba(239, 83, 80, 0.56)",fontStyle:"italic"}},{types:["inserted","attr-name"],style:{color:"rgb(173, 219, 103)",fontStyle:"italic"}},{types:["comment"],style:{color:"rgb(99, 119, 119)",fontStyle:"italic"}},{types:["string","url"],style:{color:"rgb(173, 219, 103)"}},{types:["variable"],style:{color:"rgb(214, 222, 235)"}},{types:["number"],style:{color:"rgb(247, 140, 108)"}},{types:["builtin","char","constant","function"],style:{color:"rgb(130, 170, 255)"}},{types:["punctuation"],style:{color:"rgb(199, 146, 234)"}},{types:["selector","doctype"],style:{color:"rgb(199, 146, 234)",fontStyle:"italic"}},{types:["class-name"],style:{color:"rgb(255, 203, 139)"}},{types:["tag","operator","keyword"],style:{color:"rgb(127, 219, 202)"}},{types:["boolean"],style:{color:"rgb(255, 88, 116)"}},{types:["property"],style:{color:"rgb(128, 203, 196)"}},{types:["namespace"],style:{color:"rgb(178, 204, 214)"}}]},A={plain:{color:"#403f53",backgroundColor:"#FBFBFB"},styles:[{types:["changed"],style:{color:"rgb(162, 191, 252)",fontStyle:"italic"}},{types:["deleted"],style:{color:"rgba(239, 83, 80, 0.56)",fontStyle:"italic"}},{types:["inserted","attr-name"],style:{color:"rgb(72, 118, 214)",fontStyle:"italic"}},{types:["comment"],style:{color:"rgb(152, 159, 177)",fontStyle:"italic"}},{types:["string","builtin","char","constant","url"],style:{color:"rgb(72, 118, 214)"}},{types:["variable"],style:{color:"rgb(201, 103, 101)"}},{types:["number"],style:{color:"rgb(170, 9, 130)"}},{types:["punctuation"],style:{color:"rgb(153, 76, 195)"}},{types:["function","selector","doctype"],style:{color:"rgb(153, 76, 195)",fontStyle:"italic"}},{types:["class-name"],style:{color:"rgb(17, 17, 17)"}},{types:["tag"],style:{color:"rgb(153, 76, 195)"}},{types:["operator","property","keyword","namespace"],style:{color:"rgb(12, 150, 155)"}},{types:["boolean"],style:{color:"rgb(188, 84, 84)"}}]},O="#c5a5c5",I="#8dc891",D={plain:{backgroundColor:"#282c34",color:"#ffffff"},styles:[{types:["attr-name"],style:{color:O}},{types:["attr-value"],style:{color:I}},{types:["comment","block-comment","prolog","doctype","cdata","shebang"],style:{color:"#999999"}},{types:["property","number","function-name","constant","symbol","deleted"],style:{color:"#5a9bcf"}},{types:["boolean"],style:{color:"#ff8b50"}},{types:["tag"],style:{color:"#fc929e"}},{types:["string"],style:{color:I}},{types:["punctuation"],style:{color:I}},{types:["selector","char","builtin","inserted"],style:{color:"#D8DEE9"}},{types:["function"],style:{color:"#79b6f2"}},{types:["operator","entity","url","variable"],style:{color:"#d7deea"}},{types:["keyword"],style:{color:O}},{types:["atrule","class-name"],style:{color:"#FAC863"}},{types:["important"],style:{fontWeight:"400"}},{types:["bold"],style:{fontWeight:"bold"}},{types:["italic"],style:{fontStyle:"italic"}},{types:["namespace"],style:{opacity:.7}}]},F={plain:{color:"#f8f8f2",backgroundColor:"#272822"},styles:[{types:["changed"],style:{color:"rgb(162, 191, 252)",fontStyle:"italic"}},{types:["deleted"],style:{color:"#f92672",fontStyle:"italic"}},{types:["inserted"],style:{color:"rgb(173, 219, 103)",fontStyle:"italic"}},{types:["comment"],style:{color:"#8292a2",fontStyle:"italic"}},{types:["string","url"],style:{color:"#a6e22e"}},{types:["variable"],style:{color:"#f8f8f2"}},{types:["number"],style:{color:"#ae81ff"}},{types:["builtin","char","constant","function","class-name"],style:{color:"#e6db74"}},{types:["punctuation"],style:{color:"#f8f8f2"}},{types:["selector","doctype"],style:{color:"#a6e22e",fontStyle:"italic"}},{types:["tag","operator","keyword"],style:{color:"#66d9ef"}},{types:["boolean"],style:{color:"#ae81ff"}},{types:["namespace"],style:{color:"rgb(178, 204, 214)",opacity:.7}},{types:["tag","property"],style:{color:"#f92672"}},{types:["attr-name"],style:{color:"#a6e22e !important"}},{types:["doctype"],style:{color:"#8292a2"}},{types:["rule"],style:{color:"#e6db74"}}]},M={plain:{color:"#bfc7d5",backgroundColor:"#292d3e"},styles:[{types:["comment"],style:{color:"rgb(105, 112, 152)",fontStyle:"italic"}},{types:["string","inserted"],style:{color:"rgb(195, 232, 141)"}},{types:["number"],style:{color:"rgb(247, 140, 108)"}},{types:["builtin","char","constant","function"],style:{color:"rgb(130, 170, 255)"}},{types:["punctuation","selector"],style:{color:"rgb(199, 146, 234)"}},{types:["variable"],style:{color:"rgb(191, 199, 213)"}},{types:["class-name","attr-name"],style:{color:"rgb(255, 203, 107)"}},{types:["tag","deleted"],style:{color:"rgb(255, 85, 114)"}},{types:["operator"],style:{color:"rgb(137, 221, 255)"}},{types:["boolean"],style:{color:"rgb(255, 88, 116)"}},{types:["keyword"],style:{fontStyle:"italic"}},{types:["doctype"],style:{color:"rgb(199, 146, 234)",fontStyle:"italic"}},{types:["namespace"],style:{color:"rgb(178, 204, 214)"}},{types:["url"],style:{color:"rgb(221, 221, 221)"}}]},z={plain:{color:"#9EFEFF",backgroundColor:"#2D2A55"},styles:[{types:["changed"],style:{color:"rgb(255, 238, 128)"}},{types:["deleted"],style:{color:"rgba(239, 83, 80, 0.56)"}},{types:["inserted"],style:{color:"rgb(173, 219, 103)"}},{types:["comment"],style:{color:"rgb(179, 98, 255)",fontStyle:"italic"}},{types:["punctuation"],style:{color:"rgb(255, 255, 255)"}},{types:["constant"],style:{color:"rgb(255, 98, 140)"}},{types:["string","url"],style:{color:"rgb(165, 255, 144)"}},{types:["variable"],style:{color:"rgb(255, 238, 128)"}},{types:["number","boolean"],style:{color:"rgb(255, 98, 140)"}},{types:["attr-name"],style:{color:"rgb(255, 180, 84)"}},{types:["keyword","operator","property","namespace","tag","selector","doctype"],style:{color:"rgb(255, 157, 0)"}},{types:["builtin","char","constant","function","class-name"],style:{color:"rgb(250, 208, 0)"}}]},B={plain:{backgroundColor:"linear-gradient(to bottom, #2a2139 75%, #34294f)",backgroundImage:"#34294f",color:"#f92aad",textShadow:"0 0 2px #100c0f, 0 0 5px #dc078e33, 0 0 10px #fff3"},styles:[{types:["comment","block-comment","prolog","doctype","cdata"],style:{color:"#495495",fontStyle:"italic"}},{types:["punctuation"],style:{color:"#ccc"}},{types:["tag","attr-name","namespace","number","unit","hexcode","deleted"],style:{color:"#e2777a"}},{types:["property","selector"],style:{color:"#72f1b8",textShadow:"0 0 2px #100c0f, 0 0 10px #257c5575, 0 0 35px #21272475"}},{types:["function-name"],style:{color:"#6196cc"}},{types:["boolean","selector-id","function"],style:{color:"#fdfdfd",textShadow:"0 0 2px #001716, 0 0 3px #03edf975, 0 0 5px #03edf975, 0 0 8px #03edf975"}},{types:["class-name","maybe-class-name","builtin"],style:{color:"#fff5f6",textShadow:"0 0 2px #000, 0 0 10px #fc1f2c75, 0 0 5px #fc1f2c75, 0 0 25px #fc1f2c75"}},{types:["constant","symbol"],style:{color:"#f92aad",textShadow:"0 0 2px #100c0f, 0 0 5px #dc078e33, 0 0 10px #fff3"}},{types:["important","atrule","keyword","selector-class"],style:{color:"#f4eee4",textShadow:"0 0 2px #393a33, 0 0 8px #f39f0575, 0 0 2px #f39f0575"}},{types:["string","char","attr-value","regex","variable"],style:{color:"#f87c32"}},{types:["parameter"],style:{fontStyle:"italic"}},{types:["entity","url"],style:{color:"#67cdcc"}},{types:["operator"],style:{color:"ffffffee"}},{types:["important","bold"],style:{fontWeight:"bold"}},{types:["italic"],style:{fontStyle:"italic"}},{types:["entity"],style:{cursor:"help"}},{types:["inserted"],style:{color:"green"}}]},$={plain:{color:"#282a2e",backgroundColor:"#ffffff"},styles:[{types:["comment"],style:{color:"rgb(197, 200, 198)"}},{types:["string","number","builtin","variable"],style:{color:"rgb(150, 152, 150)"}},{types:["class-name","function","tag","attr-name"],style:{color:"rgb(40, 42, 46)"}}]},U={plain:{color:"#9CDCFE",backgroundColor:"#1E1E1E"},styles:[{types:["prolog"],style:{color:"rgb(0, 0, 128)"}},{types:["comment"],style:{color:"rgb(106, 153, 85)"}},{types:["builtin","changed","keyword","interpolation-punctuation"],style:{color:"rgb(86, 156, 214)"}},{types:["number","inserted"],style:{color:"rgb(181, 206, 168)"}},{types:["constant"],style:{color:"rgb(100, 102, 149)"}},{types:["attr-name","variable"],style:{color:"rgb(156, 220, 254)"}},{types:["deleted","string","attr-value","template-punctuation"],style:{color:"rgb(206, 145, 120)"}},{types:["selector"],style:{color:"rgb(215, 186, 125)"}},{types:["tag"],style:{color:"rgb(78, 201, 176)"}},{types:["tag"],languages:["markup"],style:{color:"rgb(86, 156, 214)"}},{types:["punctuation","operator"],style:{color:"rgb(212, 212, 212)"}},{types:["punctuation"],languages:["markup"],style:{color:"#808080"}},{types:["function"],style:{color:"rgb(220, 220, 170)"}},{types:["class-name"],style:{color:"rgb(78, 201, 176)"}},{types:["char"],style:{color:"rgb(209, 105, 105)"}}]},q={plain:{color:"#000000",backgroundColor:"#ffffff"},styles:[{types:["comment"],style:{color:"rgb(0, 128, 0)"}},{types:["builtin"],style:{color:"rgb(0, 112, 193)"}},{types:["number","variable","inserted"],style:{color:"rgb(9, 134, 88)"}},{types:["operator"],style:{color:"rgb(0, 0, 0)"}},{types:["constant","char"],style:{color:"rgb(129, 31, 63)"}},{types:["tag"],style:{color:"rgb(128, 0, 0)"}},{types:["attr-name"],style:{color:"rgb(255, 0, 0)"}},{types:["deleted","string"],style:{color:"rgb(163, 21, 21)"}},{types:["changed","punctuation"],style:{color:"rgb(4, 81, 165)"}},{types:["function","keyword"],style:{color:"rgb(0, 0, 255)"}},{types:["class-name"],style:{color:"rgb(38, 127, 153)"}}]},H={plain:{color:"#f8fafc",backgroundColor:"#011627"},styles:[{types:["prolog"],style:{color:"#000080"}},{types:["comment"],style:{color:"#6A9955"}},{types:["builtin","changed","keyword","interpolation-punctuation"],style:{color:"#569CD6"}},{types:["number","inserted"],style:{color:"#B5CEA8"}},{types:["constant"],style:{color:"#f8fafc"}},{types:["attr-name","variable"],style:{color:"#9CDCFE"}},{types:["deleted","string","attr-value","template-punctuation"],style:{color:"#cbd5e1"}},{types:["selector"],style:{color:"#D7BA7D"}},{types:["tag"],style:{color:"#0ea5e9"}},{types:["tag"],languages:["markup"],style:{color:"#0ea5e9"}},{types:["punctuation","operator"],style:{color:"#D4D4D4"}},{types:["punctuation"],languages:["markup"],style:{color:"#808080"}},{types:["function"],style:{color:"#7dd3fc"}},{types:["class-name"],style:{color:"#0ea5e9"}},{types:["char"],style:{color:"#D16969"}}]},Q={plain:{color:"#0f172a",backgroundColor:"#f1f5f9"},styles:[{types:["prolog"],style:{color:"#000080"}},{types:["comment"],style:{color:"#6A9955"}},{types:["builtin","changed","keyword","interpolation-punctuation"],style:{color:"#0c4a6e"}},{types:["number","inserted"],style:{color:"#B5CEA8"}},{types:["constant"],style:{color:"#0f172a"}},{types:["attr-name","variable"],style:{color:"#0c4a6e"}},{types:["deleted","string","attr-value","template-punctuation"],style:{color:"#64748b"}},{types:["selector"],style:{color:"#D7BA7D"}},{types:["tag"],style:{color:"#0ea5e9"}},{types:["tag"],languages:["markup"],style:{color:"#0ea5e9"}},{types:["punctuation","operator"],style:{color:"#475569"}},{types:["punctuation"],languages:["markup"],style:{color:"#808080"}},{types:["function"],style:{color:"#0e7490"}},{types:["class-name"],style:{color:"#0ea5e9"}},{types:["char"],style:{color:"#D16969"}}]},Z={plain:{backgroundColor:"hsl(220, 13%, 18%)",color:"hsl(220, 14%, 71%)",textShadow:"0 1px rgba(0, 0, 0, 0.3)"},styles:[{types:["comment","prolog","cdata"],style:{color:"hsl(220, 10%, 40%)"}},{types:["doctype","punctuation","entity"],style:{color:"hsl(220, 14%, 71%)"}},{types:["attr-name","class-name","maybe-class-name","boolean","constant","number","atrule"],style:{color:"hsl(29, 54%, 61%)"}},{types:["keyword"],style:{color:"hsl(286, 60%, 67%)"}},{types:["property","tag","symbol","deleted","important"],style:{color:"hsl(355, 65%, 65%)"}},{types:["selector","string","char","builtin","inserted","regex","attr-value"],style:{color:"hsl(95, 38%, 62%)"}},{types:["variable","operator","function"],style:{color:"hsl(207, 82%, 66%)"}},{types:["url"],style:{color:"hsl(187, 47%, 55%)"}},{types:["deleted"],style:{textDecorationLine:"line-through"}},{types:["inserted"],style:{textDecorationLine:"underline"}},{types:["italic"],style:{fontStyle:"italic"}},{types:["important","bold"],style:{fontWeight:"bold"}},{types:["important"],style:{color:"hsl(220, 14%, 71%)"}}]},W={plain:{backgroundColor:"hsl(230, 1%, 98%)",color:"hsl(230, 8%, 24%)"},styles:[{types:["comment","prolog","cdata"],style:{color:"hsl(230, 4%, 64%)"}},{types:["doctype","punctuation","entity"],style:{color:"hsl(230, 8%, 24%)"}},{types:["attr-name","class-name","boolean","constant","number","atrule"],style:{color:"hsl(35, 99%, 36%)"}},{types:["keyword"],style:{color:"hsl(301, 63%, 40%)"}},{types:["property","tag","symbol","deleted","important"],style:{color:"hsl(5, 74%, 59%)"}},{types:["selector","string","char","builtin","inserted","regex","attr-value","punctuation"],style:{color:"hsl(119, 34%, 47%)"}},{types:["variable","operator","function"],style:{color:"hsl(221, 87%, 60%)"}},{types:["url"],style:{color:"hsl(198, 99%, 37%)"}},{types:["deleted"],style:{textDecorationLine:"line-through"}},{types:["inserted"],style:{textDecorationLine:"underline"}},{types:["italic"],style:{fontStyle:"italic"}},{types:["important","bold"],style:{fontWeight:"bold"}},{types:["important"],style:{color:"hsl(230, 8%, 24%)"}}]},V=(e,t)=>{const{plain:n}=e,r=e.styles.reduce(((e,n)=>{const{languages:r,style:a}=n;return r&&!r.includes(t)||n.types.forEach((t=>{const n=S(S({},e[t]),a);e[t]=n})),e}),{});return r.root=n,r.plain=E(S({},n),{backgroundColor:void 0}),r},G=/\r\n|\r|\n/,X=e=>{0===e.length?e.push({types:["plain"],content:"\n",empty:!0}):1===e.length&&""===e[0].content&&(e[0].content="\n",e[0].empty=!0)},K=(e,t)=>{const n=e.length;return n>0&&e[n-1]===t?e:e.concat(t)},Y=e=>{const t=[[]],n=[e],r=[0],a=[e.length];let o=0,i=0,s=[];const l=[s];for(;i>-1;){for(;(o=r[i]++)<a[i];){let e,c=t[i];const u=n[i][o];if("string"==typeof u?(c=i>0?c:["plain"],e=u):(c=K(c,u.type),u.alias&&(c=K(c,u.alias)),e=u.content),"string"!=typeof e){i++,t.push(c),n.push(e),r.push(0),a.push(e.length);continue}const d=e.split(G),p=d.length;s.push({types:c,content:d[0]});for(let t=1;t<p;t++)X(s),l.push(s=[]),s.push({types:c,content:d[t]})}i--,t.pop(),n.pop(),r.pop(),a.pop()}return X(s),l},J=({children:e,language:t,code:n,theme:r,prism:a})=>{const o=t.toLowerCase(),i=((e,t)=>{const[n,r]=(0,u.useState)(V(t,e)),a=(0,u.useRef)(),o=(0,u.useRef)();return(0,u.useEffect)((()=>{t===a.current&&e===o.current||(a.current=t,o.current=e,r(V(t,e)))}),[e,t]),n})(o,r),s=(e=>(0,u.useCallback)((t=>{var n=t,{className:r,style:a,line:o}=n,i=C(n,["className","style","line"]);const s=E(S({},i),{className:(0,d.Z)("token-line",r)});return"object"==typeof e&&"plain"in e&&(s.style=e.plain),"object"==typeof a&&(s.style=S(S({},s.style||{}),a)),s}),[e]))(i),l=(e=>{const t=(0,u.useCallback)((({types:t,empty:n})=>{if(null!=e)return 1===t.length&&"plain"===t[0]?null!=n?{display:"inline-block"}:void 0:1===t.length&&null!=n?e[t[0]]:Object.assign(null!=n?{display:"inline-block"}:{},...t.map((t=>e[t])))}),[e]);return(0,u.useCallback)((e=>{var n=e,{token:r,className:a,style:o}=n,i=C(n,["token","className","style"]);const s=E(S({},i),{className:(0,d.Z)("token",...r.types,a),children:r.content,style:t(r)});return null!=o&&(s.style=S(S({},s.style||{}),o)),s}),[t])})(i),c=(({prism:e,code:t,grammar:n,language:r})=>{const a=(0,u.useRef)(e);return(0,u.useMemo)((()=>{if(null==n)return Y([t]);const e={code:t,grammar:n,language:r,tokens:[]};return a.current.hooks.run("before-tokenize",e),e.tokens=a.current.tokenize(t,n),a.current.hooks.run("after-tokenize",e),Y(e.tokens)}),[t,n,r])})({prism:a,language:o,code:n,grammar:a.languages[o]});return e({tokens:c,className:`prism-code language-${o}`,style:null!=i?i.root:{},getLineProps:s,getTokenProps:l})},ee=e=>(0,u.createElement)(J,E(S({},e),{prism:e.prism||T,theme:e.theme||U,code:e.code,language:e.language}))},8776:(e,t,n)=>{"use strict";n.d(t,{Z:()=>o});var r=!0,a="Invariant failed";function o(e,t){if(!e){if(r)throw new Error(a);var n="function"==typeof t?t():t,o=n?"".concat(a,": ").concat(n):a;throw new Error(o)}}},7529:e=>{"use strict";e.exports={}},6887:e=>{"use strict";e.exports=JSON.parse('{"/search-822":{"__comp":"1a4e3797","__context":{"plugin":"138e0e15"}},"/-bbf":{"__comp":"5e95c892","__context":{"plugin":"aba21aa0"}},"/-6dc":{"__comp":"a7bd4aaa","__props":"22dd74f7"},"/-1b4":{"__comp":"a94703ab"},"/advanced-e66":{"__comp":"17896441","content":"395f47e2"},"/architecture-9f8":{"__comp":"17896441","content":"5281b7a2"},"/cli-8e7":{"__comp":"17896441","content":"9e39b1cd"},"/cli/agent-685":{"__comp":"17896441","content":"1be8dcfa"},"/cli/certificate-8ed":{"__comp":"17896441","content":"6e9804bc"},"/cli/etcd-snapshot-fa1":{"__comp":"17896441","content":"36f34ab4"},"/cli/secrets-encrypt-85b":{"__comp":"17896441","content":"179ec51e"},"/cli/server-ed8":{"__comp":"17896441","content":"4455f95b"},"/cli/token-88a":{"__comp":"17896441","content":"2a65762c"},"/cluster-access-935":{"__comp":"17896441","content":"43077f1d"},"/datastore-6f5":{"__comp":"17896441","content":"ab388925"},"/datastore/backup-restore-f6b":{"__comp":"17896441","content":"ba3a957c"},"/datastore/cluster-loadbalancer-2a5":{"__comp":"17896441","content":"4a667cf9"},"/datastore/ha-729":{"__comp":"17896441","content":"ea0a4c6d"},"/datastore/ha-embedded-a60":{"__comp":"17896441","content":"b36bdd38"},"/faq-62f":{"__comp":"17896441","content":"0480b142"},"/helm-0a0":{"__comp":"17896441","content":"0e4359fd"},"/installation-80a":{"__comp":"17896441","content":"1e924268"},"/installation/airgap-54e":{"__comp":"17896441","content":"ec6f9153"},"/installation/configuration-dd2":{"__comp":"17896441","content":"97c4f258"},"/installation/packaged-components-2a2":{"__comp":"17896441","content":"65c5030c"},"/installation/private-registry-aca":{"__comp":"17896441","content":"10b61a3f"},"/installation/registry-mirror-a6a":{"__comp":"17896441","content":"5159b4a0"},"/installation/requirements-2a6":{"__comp":"17896441","content":"ac75af2e"},"/installation/server-roles-0ed":{"__comp":"17896441","content":"f8eefdc6"},"/installation/uninstall-c41":{"__comp":"17896441","content":"4fea1ac4"},"/known-issues-c3b":{"__comp":"17896441","content":"f319c6ab"},"/networking-5dc":{"__comp":"17896441","content":"ee75e821"},"/networking/basic-network-options-7b3":{"__comp":"17896441","content":"06dc01b4"},"/networking/distributed-multicloud-5bf":{"__comp":"17896441","content":"d8ab3227"},"/networking/multus-ipams-87a":{"__comp":"17896441","content":"17035653"},"/networking/networking-services-c8e":{"__comp":"17896441","content":"43e5cb58"},"/quick-start-69e":{"__comp":"17896441","content":"72e14192"},"/reference/env-variables-b04":{"__comp":"17896441","content":"6ab2c2e0"},"/reference/flag-deprecation-403":{"__comp":"17896441","content":"914a16f4"},"/reference/resource-profiling-45b":{"__comp":"17896441","content":"fc39421f"},"/related-projects-bc2":{"__comp":"17896441","content":"e7c9153a"},"/release-notes/v1.24.X-a8a":{"__comp":"17896441","content":"d123a91e"},"/release-notes/v1.25.X-463":{"__comp":"17896441","content":"9e7a009d"},"/release-notes/v1.26.X-883":{"__comp":"17896441","content":"0ce5aa86"},"/release-notes/v1.27.X-04f":{"__comp":"17896441","content":"dd22e55f"},"/release-notes/v1.28.X-a86":{"__comp":"17896441","content":"2f797aa4"},"/release-notes/v1.29.X-569":{"__comp":"17896441","content":"0759a3f5"},"/release-notes/v1.30.X-cca":{"__comp":"17896441","content":"b8002741"},"/security-32f":{"__comp":"17896441","content":"7b8e2475"},"/security/hardening-guide-f0a":{"__comp":"17896441","content":"82f1aa93"},"/security/secrets-encryption-2d5":{"__comp":"17896441","content":"57d35c99"},"/security/self-assessment-1.23-17e":{"__comp":"17896441","content":"9f491e05"},"/security/self-assessment-1.24-170":{"__comp":"17896441","content":"ab60f49a"},"/security/self-assessment-1.7-823":{"__comp":"17896441","content":"5ea4afd8"},"/security/self-assessment-1.8-fd5":{"__comp":"17896441","content":"b9a30a37"},"/storage-997":{"__comp":"17896441","content":"41765d36"},"/upgrades-6ba":{"__comp":"17896441","content":"4e366d5e"},"/upgrades/automated-0da":{"__comp":"17896441","content":"82406859"},"/upgrades/killall-39c":{"__comp":"17896441","content":"4aae9e46"},"/upgrades/manual-534":{"__comp":"17896441","content":"d8ed1217"},"/-3f9":{"__comp":"17896441","content":"a09c2993"}}')}},e=>{e.O(0,[532],(()=>{return t=7221,e(e.s=t);var t}));e.O()}]); \ No newline at end of file diff --git a/assets/js/runtime~main.899b1176.js b/assets/js/runtime~main.899b1176.js deleted file mode 100644 index 6d6afc619..000000000 --- a/assets/js/runtime~main.899b1176.js +++ /dev/null @@ -1 +0,0 @@ -(()=>{"use strict";var e,a,c,d,f,b={},t={};function r(e){var a=t[e];if(void 0!==a)return a.exports;var c=t[e]={id:e,loaded:!1,exports:{}};return b[e].call(c.exports,c,c.exports,r),c.loaded=!0,c.exports}r.m=b,r.c=t,e=[],r.O=(a,c,d,f)=>{if(!c){var b=1/0;for(i=0;i<e.length;i++){c=e[i][0],d=e[i][1],f=e[i][2];for(var t=!0,o=0;o<c.length;o++)(!1&f||b>=f)&&Object.keys(r.O).every((e=>r.O[e](c[o])))?c.splice(o--,1):(t=!1,f<b&&(b=f));if(t){e.splice(i--,1);var n=d();void 0!==n&&(a=n)}}return a}f=f||0;for(var i=e.length;i>0&&e[i-1][2]>f;i--)e[i]=e[i-1];e[i]=[c,d,f]},r.n=e=>{var a=e&&e.__esModule?()=>e.default:()=>e;return r.d(a,{a:a}),a},c=Object.getPrototypeOf?e=>Object.getPrototypeOf(e):e=>e.__proto__,r.t=function(e,d){if(1&d&&(e=this(e)),8&d)return e;if("object"==typeof e&&e){if(4&d&&e.__esModule)return e;if(16&d&&"function"==typeof e.then)return e}var f=Object.create(null);r.r(f);var b={};a=a||[null,c({}),c([]),c(c)];for(var t=2&d&&e;"object"==typeof t&&!~a.indexOf(t);t=c(t))Object.getOwnPropertyNames(t).forEach((a=>b[a]=()=>e[a]));return b.default=()=>e,r.d(f,b),f},r.d=(e,a)=>{for(var c in a)r.o(a,c)&&!r.o(e,c)&&Object.defineProperty(e,c,{enumerable:!0,get:a[c]})},r.f={},r.e=e=>Promise.all(Object.keys(r.f).reduce(((a,c)=>(r.f[c](e,a),a)),[])),r.u=e=>"assets/js/"+({79:"7b8e2475",101:"2f797aa4",305:"97c4f258",393:"6e9804bc",750:"ec6f9153",791:"ea0a4c6d",836:"0480b142",855:"d123a91e",981:"6ab2c2e0",1073:"4fea1ac4",1199:"ac75af2e",1340:"4455f95b",1430:"2a65762c",1615:"41765d36",1620:"0ce5aa86",2038:"b9a30a37",2409:"0759a3f5",2573:"b8002741",2745:"d8ed1217",3189:"9f491e05",3319:"82406859",3555:"ab60f49a",3595:"4e366d5e",3629:"aba21aa0",4128:"a09c2993",4368:"a94703ab",4443:"4aae9e46",4548:"ab388925",4804:"43e5cb58",4902:"10b61a3f",4980:"22dd74f7",5234:"f8eefdc6",5668:"dd22e55f",5927:"5281b7a2",6155:"36f34ab4",6501:"d8ab3227",6801:"395f47e2",6895:"b36bdd38",7176:"179ec51e",7239:"72e14192",7251:"9e7a009d",7544:"e7c9153a",7626:"914a16f4",7628:"1be8dcfa",7709:"82f1aa93",7733:"65c5030c",7813:"9e39b1cd",7893:"ee75e821",7918:"17896441",7920:"1a4e3797",8005:"57d35c99",8379:"f319c6ab",8380:"17035653",8397:"43077f1d",8518:"a7bd4aaa",8614:"1e924268",8776:"ba3a957c",9075:"5ea4afd8",9233:"06dc01b4",9477:"4a667cf9",9478:"5159b4a0",9524:"138e0e15",9661:"5e95c892",9751:"0e4359fd",9778:"fc39421f"}[e]||e)+"."+{79:"2e6b9e2b",101:"4789b2d8",109:"01756420",132:"dd9e691d",240:"78ac7b3a",305:"1bf9809c",393:"ba685bd6",750:"9dac174f",791:"4ac156c5",836:"8dd27be6",855:"2fe3a155",981:"6ea3594f",1073:"20695fb2",1199:"07750136",1340:"99c7e8c9",1430:"063d138f",1504:"97b84f00",1615:"81dca32b",1620:"a0c55954",1644:"fcd060a4",1763:"ce221339",1772:"61c7be9f",2038:"cffce9fc",2183:"b5f5fa5e",2409:"4692e71f",2573:"5f6e0146",2661:"8726bbab",2693:"6fc271a2",2696:"be8f6690",2700:"ffd76ef3",2745:"4d9ddd19",3076:"f0118536",3189:"fa57d8a6",3319:"f312e597",3343:"22235bc8",3555:"33892d2f",3595:"ba028e8f",3619:"c61e616d",3629:"48c0a166",4128:"d15c3147",4238:"492cd0f6",4368:"1e5da719",4443:"9df87721",4548:"803abe99",4706:"3f431cbe",4804:"074c5ba0",4902:"97000b17",4980:"5d17c616",5234:"fbf6e172",5269:"1c7af5ff",5326:"f85d6565",5525:"ab860f59",5668:"5e3f87f8",5790:"b62892d5",5927:"a1edc1e5",5943:"fbf216e9",6155:"007b25b5",6255:"5d3ef35b",6501:"50ff09a3",6648:"85f6378f",6801:"09a4c72a",6895:"94fd1490",6985:"abc8fa53",7176:"db3bde09",7239:"55e09fa8",7251:"cc31d4a0",7544:"c20e6d7a",7626:"d484640c",7628:"a0f4bffd",7709:"6ab8331d",7733:"ed6acdee",7813:"0920eaf2",7837:"35b3df6a",7893:"a8cdab5c",7918:"69b4e1f0",7920:"4376c566",7936:"ecd6f6b4",8005:"a6cfff3e",8016:"9b7b3383",8379:"732d9658",8380:"5c7dad87",8397:"e04b7c2a",8443:"26559c8c",8518:"f175b6d3",8614:"9b06e0c5",8776:"690a87ff",8955:"0ae96596",9075:"60aa9d10",9138:"dcafeafb",9233:"4cc2ccd0",9477:"a262b9c2",9478:"64a2572d",9524:"96b88364",9661:"34e77302",9751:"fbccc3d8",9778:"9c6a7858",9893:"0687af38"}[e]+".js",r.miniCssF=e=>{},r.g=function(){if("object"==typeof globalThis)return globalThis;try{return this||new Function("return this")()}catch(e){if("object"==typeof window)return window}}(),r.o=(e,a)=>Object.prototype.hasOwnProperty.call(e,a),d={},f="k-3-s-docs:",r.l=(e,a,c,b)=>{if(d[e])d[e].push(a);else{var t,o;if(void 0!==c)for(var n=document.getElementsByTagName("script"),i=0;i<n.length;i++){var u=n[i];if(u.getAttribute("src")==e||u.getAttribute("data-webpack")==f+c){t=u;break}}t||(o=!0,(t=document.createElement("script")).charset="utf-8",t.timeout=120,r.nc&&t.setAttribute("nonce",r.nc),t.setAttribute("data-webpack",f+c),t.src=e),d[e]=[a];var l=(a,c)=>{t.onerror=t.onload=null,clearTimeout(s);var f=d[e];if(delete d[e],t.parentNode&&t.parentNode.removeChild(t),f&&f.forEach((e=>e(c))),a)return a(c)},s=setTimeout(l.bind(null,void 0,{type:"timeout",target:t}),12e4);t.onerror=l.bind(null,t.onerror),t.onload=l.bind(null,t.onload),o&&document.head.appendChild(t)}},r.r=e=>{"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},r.p="/",r.gca=function(e){return e={17035653:"8380",17896441:"7918",82406859:"3319","7b8e2475":"79","2f797aa4":"101","97c4f258":"305","6e9804bc":"393",ec6f9153:"750",ea0a4c6d:"791","0480b142":"836",d123a91e:"855","6ab2c2e0":"981","4fea1ac4":"1073",ac75af2e:"1199","4455f95b":"1340","2a65762c":"1430","41765d36":"1615","0ce5aa86":"1620",b9a30a37:"2038","0759a3f5":"2409",b8002741:"2573",d8ed1217:"2745","9f491e05":"3189",ab60f49a:"3555","4e366d5e":"3595",aba21aa0:"3629",a09c2993:"4128",a94703ab:"4368","4aae9e46":"4443",ab388925:"4548","43e5cb58":"4804","10b61a3f":"4902","22dd74f7":"4980",f8eefdc6:"5234",dd22e55f:"5668","5281b7a2":"5927","36f34ab4":"6155",d8ab3227:"6501","395f47e2":"6801",b36bdd38:"6895","179ec51e":"7176","72e14192":"7239","9e7a009d":"7251",e7c9153a:"7544","914a16f4":"7626","1be8dcfa":"7628","82f1aa93":"7709","65c5030c":"7733","9e39b1cd":"7813",ee75e821:"7893","1a4e3797":"7920","57d35c99":"8005",f319c6ab:"8379","43077f1d":"8397",a7bd4aaa:"8518","1e924268":"8614",ba3a957c:"8776","5ea4afd8":"9075","06dc01b4":"9233","4a667cf9":"9477","5159b4a0":"9478","138e0e15":"9524","5e95c892":"9661","0e4359fd":"9751",fc39421f:"9778"}[e]||e,r.p+r.u(e)},(()=>{var e={1303:0,532:0};r.f.j=(a,c)=>{var d=r.o(e,a)?e[a]:void 0;if(0!==d)if(d)c.push(d[2]);else if(/^(1303|532)$/.test(a))e[a]=0;else{var f=new Promise(((c,f)=>d=e[a]=[c,f]));c.push(d[2]=f);var b=r.p+r.u(a),t=new Error;r.l(b,(c=>{if(r.o(e,a)&&(0!==(d=e[a])&&(e[a]=void 0),d)){var f=c&&("load"===c.type?"missing":c.type),b=c&&c.target&&c.target.src;t.message="Loading chunk "+a+" failed.\n("+f+": "+b+")",t.name="ChunkLoadError",t.type=f,t.request=b,d[1](t)}}),"chunk-"+a,a)}},r.O.j=a=>0===e[a];var a=(a,c)=>{var d,f,b=c[0],t=c[1],o=c[2],n=0;if(b.some((a=>0!==e[a]))){for(d in t)r.o(t,d)&&(r.m[d]=t[d]);if(o)var i=o(r)}for(a&&a(c);n<b.length;n++)f=b[n],r.o(e,f)&&e[f]&&e[f][0](),e[f]=0;return r.O(i)},c=self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[];c.forEach(a.bind(null,0)),c.push=a.bind(null,c.push.bind(c))})()})(); \ No newline at end of file diff --git a/assets/js/runtime~main.8fdd9248.js b/assets/js/runtime~main.8fdd9248.js new file mode 100644 index 000000000..1ebbb0cc9 --- /dev/null +++ b/assets/js/runtime~main.8fdd9248.js @@ -0,0 +1 @@ +(()=>{"use strict";var e,a,c,f,d,t={},b={};function r(e){var a=b[e];if(void 0!==a)return a.exports;var c=b[e]={id:e,loaded:!1,exports:{}};return t[e].call(c.exports,c,c.exports,r),c.loaded=!0,c.exports}r.m=t,r.c=b,e=[],r.O=(a,c,f,d)=>{if(!c){var t=1/0;for(i=0;i<e.length;i++){c=e[i][0],f=e[i][1],d=e[i][2];for(var b=!0,o=0;o<c.length;o++)(!1&d||t>=d)&&Object.keys(r.O).every((e=>r.O[e](c[o])))?c.splice(o--,1):(b=!1,d<t&&(t=d));if(b){e.splice(i--,1);var n=f();void 0!==n&&(a=n)}}return a}d=d||0;for(var i=e.length;i>0&&e[i-1][2]>d;i--)e[i]=e[i-1];e[i]=[c,f,d]},r.n=e=>{var a=e&&e.__esModule?()=>e.default:()=>e;return r.d(a,{a:a}),a},c=Object.getPrototypeOf?e=>Object.getPrototypeOf(e):e=>e.__proto__,r.t=function(e,f){if(1&f&&(e=this(e)),8&f)return e;if("object"==typeof e&&e){if(4&f&&e.__esModule)return e;if(16&f&&"function"==typeof e.then)return e}var d=Object.create(null);r.r(d);var t={};a=a||[null,c({}),c([]),c(c)];for(var b=2&f&&e;"object"==typeof b&&!~a.indexOf(b);b=c(b))Object.getOwnPropertyNames(b).forEach((a=>t[a]=()=>e[a]));return t.default=()=>e,r.d(d,t),d},r.d=(e,a)=>{for(var c in a)r.o(a,c)&&!r.o(e,c)&&Object.defineProperty(e,c,{enumerable:!0,get:a[c]})},r.f={},r.e=e=>Promise.all(Object.keys(r.f).reduce(((a,c)=>(r.f[c](e,a),a)),[])),r.u=e=>"assets/js/"+({79:"7b8e2475",101:"2f797aa4",305:"97c4f258",393:"6e9804bc",750:"ec6f9153",791:"ea0a4c6d",836:"0480b142",855:"d123a91e",981:"6ab2c2e0",1073:"4fea1ac4",1199:"ac75af2e",1340:"4455f95b",1430:"2a65762c",1615:"41765d36",1620:"0ce5aa86",2038:"b9a30a37",2409:"0759a3f5",2573:"b8002741",2745:"d8ed1217",3189:"9f491e05",3319:"82406859",3555:"ab60f49a",3595:"4e366d5e",3629:"aba21aa0",4128:"a09c2993",4368:"a94703ab",4443:"4aae9e46",4548:"ab388925",4804:"43e5cb58",4902:"10b61a3f",4980:"22dd74f7",5234:"f8eefdc6",5668:"dd22e55f",5927:"5281b7a2",6155:"36f34ab4",6501:"d8ab3227",6801:"395f47e2",6895:"b36bdd38",7176:"179ec51e",7239:"72e14192",7251:"9e7a009d",7544:"e7c9153a",7626:"914a16f4",7628:"1be8dcfa",7709:"82f1aa93",7733:"65c5030c",7813:"9e39b1cd",7893:"ee75e821",7918:"17896441",7920:"1a4e3797",8005:"57d35c99",8379:"f319c6ab",8380:"17035653",8397:"43077f1d",8518:"a7bd4aaa",8614:"1e924268",8776:"ba3a957c",9075:"5ea4afd8",9233:"06dc01b4",9477:"4a667cf9",9478:"5159b4a0",9524:"138e0e15",9661:"5e95c892",9751:"0e4359fd",9778:"fc39421f"}[e]||e)+"."+{79:"edeef426",101:"39029747",109:"01756420",132:"dd9e691d",240:"78ac7b3a",305:"1b92ba91",393:"30e4e843",750:"2cb400d8",791:"6f8b73e4",836:"6dc7064a",855:"5caf1e39",981:"69f493b4",1073:"a6c2da5e",1199:"c02290fe",1340:"acae1445",1430:"f89b4e81",1504:"97b84f00",1615:"97e3cb18",1620:"11dbb5a6",1644:"fcd060a4",1763:"ce221339",1772:"edd9b014",2038:"e7c17c25",2183:"b5f5fa5e",2409:"e9290839",2573:"8bc866ac",2661:"8726bbab",2693:"6fc271a2",2696:"be8f6690",2700:"ffd76ef3",2745:"0be5a98d",3076:"f0118536",3189:"ccd56893",3319:"d13f2f6e",3343:"22235bc8",3555:"ba2a036b",3595:"380029dc",3619:"c61e616d",3629:"48c0a166",4128:"17f49ec2",4238:"492cd0f6",4368:"c2f69992",4443:"4c751e85",4548:"00132f62",4706:"3f431cbe",4804:"292d1714",4902:"ba9c77f7",4980:"5d17c616",5234:"720b0f37",5269:"1c7af5ff",5326:"f85d6565",5525:"ab860f59",5668:"63ddd683",5790:"b62892d5",5927:"1d5cfe2a",5943:"fbf216e9",6155:"7cc62e9b",6255:"5d3ef35b",6501:"3780315b",6648:"85f6378f",6801:"bd3cc9da",6895:"9040c257",6985:"abc8fa53",7176:"a93a27f5",7236:"ac67632c",7239:"7465fa8f",7251:"bd52ca75",7544:"efcc87ae",7626:"3af55ecf",7628:"b8400791",7709:"7a77f720",7733:"333cc8ee",7813:"e6fc251b",7893:"652d2896",7918:"69b4e1f0",7920:"7f3d6643",7936:"ecd6f6b4",8005:"19d8884d",8016:"9b7b3383",8379:"13d902eb",8380:"a7378ff8",8397:"9534ceb0",8443:"a5d9c459",8518:"d2fc12fe",8614:"5c7cbbc4",8776:"7539050d",8955:"0ae96596",9075:"966a946e",9138:"dcafeafb",9233:"43c8b06d",9477:"5264a034",9478:"6146d0a4",9524:"96b88364",9661:"06469c98",9751:"9916ba74",9778:"64f5b424",9893:"0687af38"}[e]+".js",r.miniCssF=e=>{},r.g=function(){if("object"==typeof globalThis)return globalThis;try{return this||new Function("return this")()}catch(e){if("object"==typeof window)return window}}(),r.o=(e,a)=>Object.prototype.hasOwnProperty.call(e,a),f={},d="k-3-s-docs:",r.l=(e,a,c,t)=>{if(f[e])f[e].push(a);else{var b,o;if(void 0!==c)for(var n=document.getElementsByTagName("script"),i=0;i<n.length;i++){var u=n[i];if(u.getAttribute("src")==e||u.getAttribute("data-webpack")==d+c){b=u;break}}b||(o=!0,(b=document.createElement("script")).charset="utf-8",b.timeout=120,r.nc&&b.setAttribute("nonce",r.nc),b.setAttribute("data-webpack",d+c),b.src=e),f[e]=[a];var l=(a,c)=>{b.onerror=b.onload=null,clearTimeout(s);var d=f[e];if(delete f[e],b.parentNode&&b.parentNode.removeChild(b),d&&d.forEach((e=>e(c))),a)return a(c)},s=setTimeout(l.bind(null,void 0,{type:"timeout",target:b}),12e4);b.onerror=l.bind(null,b.onerror),b.onload=l.bind(null,b.onload),o&&document.head.appendChild(b)}},r.r=e=>{"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},r.p="/",r.gca=function(e){return e={17035653:"8380",17896441:"7918",82406859:"3319","7b8e2475":"79","2f797aa4":"101","97c4f258":"305","6e9804bc":"393",ec6f9153:"750",ea0a4c6d:"791","0480b142":"836",d123a91e:"855","6ab2c2e0":"981","4fea1ac4":"1073",ac75af2e:"1199","4455f95b":"1340","2a65762c":"1430","41765d36":"1615","0ce5aa86":"1620",b9a30a37:"2038","0759a3f5":"2409",b8002741:"2573",d8ed1217:"2745","9f491e05":"3189",ab60f49a:"3555","4e366d5e":"3595",aba21aa0:"3629",a09c2993:"4128",a94703ab:"4368","4aae9e46":"4443",ab388925:"4548","43e5cb58":"4804","10b61a3f":"4902","22dd74f7":"4980",f8eefdc6:"5234",dd22e55f:"5668","5281b7a2":"5927","36f34ab4":"6155",d8ab3227:"6501","395f47e2":"6801",b36bdd38:"6895","179ec51e":"7176","72e14192":"7239","9e7a009d":"7251",e7c9153a:"7544","914a16f4":"7626","1be8dcfa":"7628","82f1aa93":"7709","65c5030c":"7733","9e39b1cd":"7813",ee75e821:"7893","1a4e3797":"7920","57d35c99":"8005",f319c6ab:"8379","43077f1d":"8397",a7bd4aaa:"8518","1e924268":"8614",ba3a957c:"8776","5ea4afd8":"9075","06dc01b4":"9233","4a667cf9":"9477","5159b4a0":"9478","138e0e15":"9524","5e95c892":"9661","0e4359fd":"9751",fc39421f:"9778"}[e]||e,r.p+r.u(e)},(()=>{var e={1303:0,532:0};r.f.j=(a,c)=>{var f=r.o(e,a)?e[a]:void 0;if(0!==f)if(f)c.push(f[2]);else if(/^(1303|532)$/.test(a))e[a]=0;else{var d=new Promise(((c,d)=>f=e[a]=[c,d]));c.push(f[2]=d);var t=r.p+r.u(a),b=new Error;r.l(t,(c=>{if(r.o(e,a)&&(0!==(f=e[a])&&(e[a]=void 0),f)){var d=c&&("load"===c.type?"missing":c.type),t=c&&c.target&&c.target.src;b.message="Loading chunk "+a+" failed.\n("+d+": "+t+")",b.name="ChunkLoadError",b.type=d,b.request=t,f[1](b)}}),"chunk-"+a,a)}},r.O.j=a=>0===e[a];var a=(a,c)=>{var f,d,t=c[0],b=c[1],o=c[2],n=0;if(t.some((a=>0!==e[a]))){for(f in b)r.o(b,f)&&(r.m[f]=b[f]);if(o)var i=o(r)}for(a&&a(c);n<t.length;n++)d=t[n],r.o(e,d)&&e[d]&&e[d][0](),e[d]=0;return r.O(i)},c=self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[];c.forEach(a.bind(null,0)),c.push=a.bind(null,c.push.bind(c))})()})(); \ No newline at end of file diff --git a/cli.html b/cli.html index 024fb0857..7748db68c 100644 --- a/cli.html +++ b/cli.html @@ -2,14 +2,14 @@ <html lang="en" dir="ltr" class="docs-wrapper plugin-docs plugin-id-default docs-version-current docs-doc-page docs-doc-id-cli/cli" data-has-hydrated="false"> <head> <meta charset="UTF-8"> -<meta name="generator" content="Docusaurus v3.4.0"> -<title data-rh="true">CLI Tools | K3s - - + +CLI Tools | K3s + + -

CLI Tools

The K3s binary contains a number of additional tools the help you manage your cluster.

-
CommandDescription
k3s serverRun a K3s server node, which launches the Kubernetes apiserver, scheduler, controller-manager, and cloud-controller-manager components, in addition a datastore and the agent components. See the k3s server command documentation for more information.
k3s agentRun the K3s agent node, which launches containerd, flannel, kube-router network policy controller, and the Kubernetes kubelet and kube-proxy components. See the k3s agent command documentation for more information.
k3s kubectlRun the embedded kubectl command. This is a CLI for interacting with the Kubernetes apiserver. If the KUBECONFIG environment variable is not set, this will automatically attempt to use the kubeconfig at /etc/rancher/k3s/k3s.yaml.
k3s crictlRun the embedded crictl command. This is a CLI for interacting with Kubernetes's container runtime interface (CRI). Useful for debugging.
k3s ctrRun the embedded ctr command. This is a CLI for containerd, the container daemon used by K3s. Useful for debugging.
k3s tokenManage bootstrap tokens. See the k3s token command documentation for more information.
k3s etcd-snapshotPerform on demand backups of the K3s cluster data and upload to S3. See the k3s etcd-snapshot command documentation for more information.
k3s secrets-encryptConfigure K3s to encrypt secrets when storing them in the cluster. See the k3s secrets-encrypt command documentation for more information.
k3s certificateManage K3s certificates. See the k3s certificate command documentation for more information.
k3s completionGenerate shell completion scripts for k3s
k3s helpShows a list of commands or help for one command
Copyright © 2024 K3s Project Authors. All rights reserved.
The Linux Foundation has registered trademarks +

CLI Tools

The K3s binary contains a number of additional tools the help you manage your cluster.

+
CommandDescription
k3s serverRun a K3s server node, which launches the Kubernetes apiserver, scheduler, controller-manager, and cloud-controller-manager components, in addition a datastore and the agent components. See the k3s server command documentation for more information.
k3s agentRun the K3s agent node, which launches containerd, flannel, kube-router network policy controller, and the Kubernetes kubelet and kube-proxy components. See the k3s agent command documentation for more information.
k3s kubectlRun the embedded kubectl command. This is a CLI for interacting with the Kubernetes apiserver. If the KUBECONFIG environment variable is not set, this will automatically attempt to use the kubeconfig at /etc/rancher/k3s/k3s.yaml.
k3s crictlRun the embedded crictl command. This is a CLI for interacting with Kubernetes's container runtime interface (CRI). Useful for debugging.
k3s ctrRun the embedded ctr command. This is a CLI for containerd, the container daemon used by K3s. Useful for debugging.
k3s tokenManage bootstrap tokens. See the k3s token command documentation for more information.
k3s etcd-snapshotPerform on demand backups of the K3s cluster data and upload to S3. See the k3s etcd-snapshot command documentation for more information.
k3s secrets-encryptConfigure K3s to encrypt secrets when storing them in the cluster. See the k3s secrets-encrypt command documentation for more information.
k3s certificateManage K3s certificates. See the k3s certificate command documentation for more information.
k3s completionGenerate shell completion scripts for k3s
k3s helpShows a list of commands or help for one command
Copyright © 2024 K3s Project Authors. All rights reserved.
The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
diff --git a/cli/agent.html b/cli/agent.html index 566a9d4a5..4f551b99d 100644 --- a/cli/agent.html +++ b/cli/agent.html @@ -2,44 +2,44 @@ - -agent | K3s - - + +agent | K3s + + -

k3s agent

+

k3s agent

In this section, you'll learn how to configure the K3s agent.

Note that servers also run an agent, so all flags listed on this page are also valid for use on servers.

Options are documented on this page as CLI flags, but can also be passed as configuration file options. See the Configuration File documentation for more information on using YAML configuration files.

-

Logging

+

Logging

FlagDefaultDescription
-v value0Number for the log level verbosity
--vmodule valueN/AComma-separated list of FILE_PATTERN=LOG_LEVEL settings for file-filtered logging
--log value, -l valueN/ALog to file
--alsologtostderrN/ALog to standard error as well as file (if set)
-

Cluster Options

+

Cluster Options

FlagEnvironment VariableDescription
--token value, -t valueK3S_TOKENToken to use for authentication
--token-file valueK3S_TOKEN_FILEToken file to use for authentication
--server value, -s valueK3S_URLServer to connect to
-

Data

+

Data

FlagDefaultDescription
--data-dir value, -d value"/var/lib/rancher/k3s"Folder to hold state
-

Node

+

Node

FlagEnvironment VariableDescription
--node-name valueK3S_NODE_NAMENode name
--with-node-idN/AAppend id to node name
--node-label valueN/ARegistering and starting kubelet with set of labels
--node-taint valueN/ARegistering kubelet with set of taints
--protect-kernel-defaultsN/AKernel tuning behavior. If set, error if kernel tunables are different from kubelet defaults.
--selinuxK3S_SELINUXEnable SELinux in containerd
--lb-server-port valueK3S_LB_SERVER_PORTLocal port for supervisor client load-balancer. If the supervisor and apiserver are not colocated an additional port 1 less than this port will also be used for the apiserver client load-balancer. (default: 6444)
-

Runtime

+

Runtime

FlagDefaultDescription
--container-runtime-endpoint valueN/ADisable embedded containerd and use the CRI socket at the given path; when used with --docker this sets the cri-docker socket path
--pause-image value"docker.io/rancher/pause:3.1"Customized pause image for containerd or docker sandbox
--private-registry value"/etc/rancher/k3s/registries.yaml"Private registry configuration file
-

Networking

+

Networking

FlagEnvironment VariableDescription
--node-ip value, -i valueN/AIP address to advertise for node
--node-external-ip valueN/AExternal IP address to advertise for node
--resolv-conf valueK3S_RESOLV_CONFKubelet resolv.conf file
--flannel-iface valueN/AOverride default flannel interface
--flannel-conf valueN/AOverride default flannel config file
--flannel-cni-conf valueN/AOverride default flannel cni config file
-

Customized Flags

+

Customized Flags

FlagDescription
--kubelet-arg valueCustomized flag for kubelet process
--kube-proxy-arg valueCustomized flag for kube-proxy process
-

Experimental

+

Experimental

FlagDescription
--rootlessRun rootless
--dockerUse cri-dockerd instead of containerd
--prefer-bundled-binPrefer bundled userspace binaries over host binaries
--disable-default-registry-endpointSee "Default Endpoint Fallback"
-

Deprecated

+

Deprecated

FlagEnvironment VariableDescription
--no-flannelN/AUse --flannel-backend=none
--cluster-secret valueK3S_CLUSTER_SECRETUse --token
-

Node Labels and Taints for Agents

+

Node Labels and Taints for Agents

K3s agents can be configured with the options --node-label and --node-taint which adds a label and taint to the kubelet. The two options only add labels and/or taints at registration time, so they can only be added once and not changed after that again by running K3s commands.

Below is an example showing how to add labels and a taint:

     --node-label foo=bar \
     --node-label hello=world \
     --node-taint key1=value1:NoExecute

If you want to change node labels and taints after node registration you should use kubectl. Refer to the official Kubernetes documentation for details on how to add taints and node labels.

-

K3s Agent CLI Help

+

K3s Agent CLI Help

If an option appears in brackets below, for example [$K3S_URL], it means that the option can be passed in as an environment variable of that name.

-
NAME:
   k3s agent - Run node agent

USAGE:
   k3s agent [OPTIONS]

OPTIONS:
   --config FILE, -c FILE                     (config) Load configuration from FILE (default: "/etc/rancher/k3s/config.yaml") [$K3S_CONFIG_FILE]
   --debug                                    (logging) Turn on debug logs [$K3S_DEBUG]
   -v value                                   (logging) Number for the log level verbosity (default: 0)
   --vmodule value                            (logging) Comma-separated list of FILE_PATTERN=LOG_LEVEL settings for file-filtered logging
   --log value, -l value                      (logging) Log to file
   --alsologtostderr                          (logging) Log to standard error as well as file (if set)
   --token value, -t value                    (cluster) Token to use for authentication [$K3S_TOKEN]
   --token-file value                         (cluster) Token file to use for authentication [$K3S_TOKEN_FILE]
   --server value, -s value                   (cluster) Server to connect to [$K3S_URL]
   --data-dir value, -d value                 (agent/data) Folder to hold state (default: "/var/lib/rancher/k3s")
   --node-name value                          (agent/node) Node name [$K3S_NODE_NAME]
   --with-node-id                             (agent/node) Append id to node name
   --node-label value                         (agent/node) Registering and starting kubelet with set of labels
   --node-taint value                         (agent/node) Registering kubelet with set of taints
   --image-credential-provider-bin-dir value  (agent/node) The path to the directory where credential provider plugin binaries are located (default: "/var/lib/rancher/credentialprovider/bin")
   --image-credential-provider-config value   (agent/node) The path to the credential provider plugin config file (default: "/var/lib/rancher/credentialprovider/config.yaml")
   --selinux                                  (agent/node) Enable SELinux in containerd [$K3S_SELINUX]
   --lb-server-port value                     (agent/node) Local port for supervisor client load-balancer. If the supervisor and apiserver are not colocated an additional port 1 less than this port will also be used for the apiserver client load-balancer. (default: 6444) [$K3S_LB_SERVER_PORT]
   --protect-kernel-defaults                  (agent/node) Kernel tuning behavior. If set, error if kernel tunables are different than kubelet defaults.
   --container-runtime-endpoint value         (agent/runtime) Disable embedded containerd and use the CRI socket at the given path; when used with --docker this sets the docker socket path
   --pause-image value                        (agent/runtime) Customized pause image for containerd or docker sandbox (default: "rancher/mirrored-pause:3.6")
   --snapshotter value                        (agent/runtime) Override default containerd snapshotter (default: "overlayfs")
   --private-registry value                   (agent/runtime) Private registry configuration file (default: "/etc/rancher/k3s/registries.yaml")
   --node-ip value, -i value                  (agent/networking) IPv4/IPv6 addresses to advertise for node
   --node-external-ip value                   (agent/networking) IPv4/IPv6 external IP addresses to advertise for node
   --resolv-conf value                        (agent/networking) Kubelet resolv.conf file [$K3S_RESOLV_CONF]
   --flannel-iface value                      (agent/networking) Override default flannel interface
   --flannel-conf value                       (agent/networking) Override default flannel config file
   --flannel-cni-conf value                   (agent/networking) Override default flannel cni config file
   --kubelet-arg value                        (agent/flags) Customized flag for kubelet process
   --kube-proxy-arg value                     (agent/flags) Customized flag for kube-proxy process
   --rootless                                 (experimental) Run rootless
   --prefer-bundled-bin                       (experimental) Prefer bundled userspace binaries over host binaries
   --docker                                   (agent/runtime) (experimental) Use cri-dockerd instead of containerd
Copyright © 2024 K3s Project Authors. All rights reserved.
The Linux Foundation has registered trademarks +
NAME:
   k3s agent - Run node agent

USAGE:
   k3s agent [OPTIONS]

OPTIONS:
   --config FILE, -c FILE                     (config) Load configuration from FILE (default: "/etc/rancher/k3s/config.yaml") [$K3S_CONFIG_FILE]
   --debug                                    (logging) Turn on debug logs [$K3S_DEBUG]
   -v value                                   (logging) Number for the log level verbosity (default: 0)
   --vmodule value                            (logging) Comma-separated list of FILE_PATTERN=LOG_LEVEL settings for file-filtered logging
   --log value, -l value                      (logging) Log to file
   --alsologtostderr                          (logging) Log to standard error as well as file (if set)
   --token value, -t value                    (cluster) Token to use for authentication [$K3S_TOKEN]
   --token-file value                         (cluster) Token file to use for authentication [$K3S_TOKEN_FILE]
   --server value, -s value                   (cluster) Server to connect to [$K3S_URL]
   --data-dir value, -d value                 (agent/data) Folder to hold state (default: "/var/lib/rancher/k3s")
   --node-name value                          (agent/node) Node name [$K3S_NODE_NAME]
   --with-node-id                             (agent/node) Append id to node name
   --node-label value                         (agent/node) Registering and starting kubelet with set of labels
   --node-taint value                         (agent/node) Registering kubelet with set of taints
   --image-credential-provider-bin-dir value  (agent/node) The path to the directory where credential provider plugin binaries are located (default: "/var/lib/rancher/credentialprovider/bin")
   --image-credential-provider-config value   (agent/node) The path to the credential provider plugin config file (default: "/var/lib/rancher/credentialprovider/config.yaml")
   --selinux                                  (agent/node) Enable SELinux in containerd [$K3S_SELINUX]
   --lb-server-port value                     (agent/node) Local port for supervisor client load-balancer. If the supervisor and apiserver are not colocated an additional port 1 less than this port will also be used for the apiserver client load-balancer. (default: 6444) [$K3S_LB_SERVER_PORT]
   --protect-kernel-defaults                  (agent/node) Kernel tuning behavior. If set, error if kernel tunables are different than kubelet defaults.
   --container-runtime-endpoint value         (agent/runtime) Disable embedded containerd and use the CRI socket at the given path; when used with --docker this sets the docker socket path
   --pause-image value                        (agent/runtime) Customized pause image for containerd or docker sandbox (default: "rancher/mirrored-pause:3.6")
   --snapshotter value                        (agent/runtime) Override default containerd snapshotter (default: "overlayfs")
   --private-registry value                   (agent/runtime) Private registry configuration file (default: "/etc/rancher/k3s/registries.yaml")
   --node-ip value, -i value                  (agent/networking) IPv4/IPv6 addresses to advertise for node
   --node-external-ip value                   (agent/networking) IPv4/IPv6 external IP addresses to advertise for node
   --resolv-conf value                        (agent/networking) Kubelet resolv.conf file [$K3S_RESOLV_CONF]
   --flannel-iface value                      (agent/networking) Override default flannel interface
   --flannel-conf value                       (agent/networking) Override default flannel config file
   --flannel-cni-conf value                   (agent/networking) Override default flannel cni config file
   --kubelet-arg value                        (agent/flags) Customized flag for kubelet process
   --kube-proxy-arg value                     (agent/flags) Customized flag for kube-proxy process
   --rootless                                 (experimental) Run rootless
   --prefer-bundled-bin                       (experimental) Prefer bundled userspace binaries over host binaries
   --docker                                   (agent/runtime) (experimental) Use cri-dockerd instead of containerd
Copyright © 2024 K3s Project Authors. All rights reserved.
The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
diff --git a/cli/certificate.html b/cli/certificate.html index 8e90f873c..c27888775 100644 --- a/cli/certificate.html +++ b/cli/certificate.html @@ -2,22 +2,22 @@ - -certificate | K3s - - + +certificate | K3s + + -

k3s certificate

-

Client and Server Certificates

+

k3s certificate

+

Client and Server Certificates

K3s client and server certificates are valid for 365 days from their date of issuance. Any certificates that are expired, or within 90 days of expiring, are automatically renewed every time K3s starts.

-

Rotating Client and Server Certificates

+

Rotating Client and Server Certificates

To rotate client and server certificates manually, use the k3s certificate rotate subcommand:

# Stop K3s
systemctl stop k3s

# Rotate certificates
k3s certificate rotate

# Start K3s
systemctl start k3s

Individual or lists of certificates can be rotated by specifying the certificate name:

k3s certificate rotate --service <SERVICE>,<SERVICE>

The following certificates can be rotated: admin, api-server, controller-manager, scheduler, k3s-controller, k3s-server, cloud-controller, etcd, auth-proxy, kubelet, kube-proxy.

-

Certificate Authority (CA) Certificates

+

Certificate Authority (CA) Certificates

Kubernetes requires a number of CA certificates for proper operation. For more information on how Kubernetes uses CA certificates, see the Kubernetes PKI Certificates and Requirements documentation.

By default, K3s generates self-signed CA certificates during startup of the first server node. These CA certificates are valid for 10 years from date of issuance, and are not automatically renewed.

The authoritative CA certificates and keys are stored within the datastore's bootstrap key, encrypted using the server token as the PBKDF2 passphrase with AES256-GCM and HMAC-SHA1. @@ -28,7 +28,7 @@

Version Gate

Support for the k3s certificate rotate-ca command and the ability to use CA certificates signed by an external CA is available starting with the 2023-02 releases (v1.26.2+k3s1, v1.25.7+k3s1, v1.24.11+k3s1, v1.23.17+k3s1).

-

Using Custom CA Certificates

+

Using Custom CA Certificates

If CA certificates and keys are found the correct location during initial startup of the first server in the cluster, automatic generation of CA certificates will be bypassed.

An example script to pre-create the appropriate certificates and keys is available in the K3s repo at contrib/util/generate-custom-ca-certs.sh. This script should be run prior to starting K3s for the first time, and will create a full set of leaf CA certificates signed by common Root and Intermediate CA certificates. @@ -49,10 +49,10 @@

// note: This is the private key used to sign service-account tokens. It does not have a corresponding certificate.
  • service.key
    • -

    Custom CA Topology

    +

    Custom CA Topology

    Custom CA Certificates should observe the following topology:

    -

    Using the Example Script

    +

    Using the Example Script

    Important

    If you want to sign the cluster CA certificates with an existing root CA using the example script, you must place the root and intermediate files in the target directory prior to running the script. If the files do not exist, the script will create new root and intermediate CA certificates.

    If you want to use only an existing root CA certificate, provide the following files:

    @@ -70,14 +70,14 @@

    Usi 
    # Create the target directory for cert generation.
    mkdir -p /var/lib/rancher/k3s/server/tls

    # Copy your root CA cert and intermediate CA cert+key into the correct location for the script.
    # For the purposes of this example, we assume you have existing root and intermediate CA files in /etc/ssl.
    # If you do not have an existing root and/or intermediate CA, the script will generate them for you.
    cp /etc/ssl/certs/root-ca.pem /etc/ssl/certs/intermediate-ca.pem /etc/ssl/private/intermediate-ca.key /var/lib/rancher/k3s/server/tls

    # Generate custom CA certs and keys.
    curl -sL https://github.com/k3s-io/k3s/raw/master/contrib/util/generate-custom-ca-certs.sh | bash -

    If the command completes successfully, you may install and/or start K3s for the first time. If the script generated root and/or intermediate CA files, you should back up these files so that they can be reused if it is necessary to rotate the CA certificates at a later date.

    -

    Rotating Custom CA Certificates

    +

    Rotating Custom CA Certificates

    To rotate custom CA certificates, use the k3s certificate rotate-ca subcommand. Updated files must be staged into a temporary directory, loaded into the datastore, and k3s must be restarted on all nodes to use the updated certificates.

    warning

    You must not overwrite the currently in-use data in /var/lib/rancher/k3s/server/tls.
    Stage the updated certificates and keys into a separate directory.

    A cluster that has been started with custom CA certificates can renew or rotate the CA certificates and keys non-disruptively, as long as the same root CA is used.

    If a new root CA is required, the rotation will be disruptive. The k3s certificate rotate-ca --force option must be used, all nodes that were joined with a secure token (including servers) will need to be reconfigured to use the new token value, and pods will need to be restarted to trust the new root CA.

    -

    Using the Example Script

    +

    Using the Example Script

    The example generate-custom-ca-certs.sh script linked above can also be used to generate updated certs in a new temporary directory, by copying files into the correct location and setting the DATA_DIR environment variable. To use the example script to generate updated certs and keys, run the following commands:

    # Create a temporary directory for cert generation.
    mkdir -p /opt/k3s/server/tls

    # Copy your root CA cert and intermediate CA cert+key into the correct location for the script.
    # Non-disruptive rotation requires the same root CA that was used to generate the original certificates.
    # If the original files are still in the data directory, you can just run:
    cp /var/lib/rancher/k3s/server/tls/root-ca.* /var/lib/rancher/k3s/server/tls/intermediate-ca.* /opt/k3s/server/tls

    # Copy the current service-account signing key, so that existing service-account tokens are not invalidated.
    cp /var/lib/rancher/k3s/server/tls/service.key /opt/k3s/server/tls

    # Generate updated custom CA certs and keys.
    curl -sL https://github.com/k3s-io/k3s/raw/master/contrib/util/generate-custom-ca-certs.sh | DATA_DIR=/opt/k3s bash -

    # Load the updated CA certs and keys into the datastore.
    k3s certificate rotate-ca --path=/opt/k3s/server
    @@ -85,19 +85,19 @@

    U If the command completes successfully, restart K3s on all nodes in the cluster - servers first, then agents.

    If you used the --force option or changed the root CA, ensure that any nodes that were joined with a secure token are reconfigured to use the new token value, prior to being restarted. The token may be stored in a .env file, systemd unit, or config.yaml, depending on how the node was configured during initial installation.

    -

    Rotating Self-Signed CA Certificates

    +

    Rotating Self-Signed CA Certificates

    To rotate the K3s-generated self-signed CA certificates, use the k3s certificate rotate-ca subcommand. Updated files must be staged into a temporary directory, loaded into the datastore, and k3s must be restarted on all nodes to use the updated certificates.

    warning

    You must not overwrite the currently in-use data in /var/lib/rancher/k3s/server/tls.
    Stage the updated certificates and keys into a separate directory.

    If the cluster has been started with default self-signed CA certificates, rotation will be disruptive. All nodes that were joined with a secure token will need to be reconfigured to trust the new CA hash. If the new CA certificates are not cross-signed by the old CA certificates, you will need to use the --force option to bypass integrity checks, and pods will need to be restarted to trust the new root CA.

    -

    Default CA Topology

    +

    Default CA Topology

    The default self-signed CA certificates have the following topology:

    When rotating the default self-signed CAs, a modified certificate topology with intermediate CAs and a new root CA cross-signed by the old CA can be used so that there is a continuous chain of trust between the old and new CAs:

    -

    Using The Example Script

    +

    Using The Example Script

    An example script to create updated CA certificates and keys cross-signed by the existing CAs is available in the K3s repo at contrib/util/rotate-default-ca-certs.sh.

    To use the example script to generate updated self-signed certificates that are cross-signed by the existing CAs, run the following commands:

    # Create updated CA certs and keys, cross-signed by the current CAs.
    # This script will create a new temporary directory containing the updated certs, and output the new token values.
    curl -sL https://github.com/k3s-io/k3s/raw/master/contrib/util/rotate-default-ca-certs.sh | bash -

    # Load the updated certs into the datastore; see the script output for the updated token values.
    k3s certificate rotate-ca --path=/var/lib/rancher/k3s/server/rotate-ca
    @@ -105,7 +105,7 @@

    U If the command completes successfully, restart K3s on all nodes in the cluster - servers first, then agents.

    Ensure that any nodes that were joined with a secure token, including other server nodes, are reconfigured to use the new token value prior to being restarted. The token may be stored in a .env file, systemd unit, or config.yaml, depending on how the node was configured during initial installation.

    -

    Service-Account Issuer Key Rotation

    +

    Service-Account Issuer Key Rotation

    The service-account issuer key is an RSA private key used to sign service-account tokens. When rotating the service-account issuer key, at least one old key should be retained in the file so that existing service-account tokens are not invalidated. It can be rotated independent of the cluster CAs by using the k3s certificate rotate-ca to install only an updated service.key file that includes both the new and old keys.

    @@ -114,7 +114,7 @@ 

    # Create a temporary directory for cert generation
    mkdir -p /opt/k3s/server/tls

    # Check OpenSSL version
    openssl version | grep -qF 'OpenSSL 3' && OPENSSL_GENRSA_FLAGS=-traditional

    # Generate a new key
    openssl genrsa ${OPENSSL_GENRSA_FLAGS:-} -out /opt/k3s/server/tls/service.key 2048

    # Append the existing key to avoid invalidating current tokens
    cat /var/lib/rancher/k3s/server/tls/service.key >> /opt/k3s/server/tls/service.key

    # Load the updated key into the datastore
    k3s certificate rotate-ca --path=/opt/k3s/server

    It is normal to see warnings for files that are not being updated. If the rotate-ca command returns an error, check the service log for errors. -If the command completes successfully, restart K3s on all servers in the cluster. It is not necessary to restart agents or restart any pods.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/cli/etcd-snapshot.html b/cli/etcd-snapshot.html index 1177ce5a5..d604c14aa 100644 --- a/cli/etcd-snapshot.html +++ b/cli/etcd-snapshot.html @@ -2,19 +2,19 @@ - -etcd-snapshot | K3s - - + +etcd-snapshot | K3s + + -

    k3s etcd-snapshot

    +

    k3s etcd-snapshot

    Version Gate

    Available as of v1.19.1+k3s1

    In this section, you'll learn how to create backups of the K3s embedded etcd datastore, and to restore the cluster from backup.

    -

    Creating Snapshots

    -

    Snapshots are enabled by default, at 00:00 and 12:00 system time, with 5 snapshots retained. To configure the snapshot interval or the number of retained snapshots, refer to the options.

    +

    Creating Snapshots

    +

    Snapshots are enabled by default, at 00:00 and 12:00 system time, with 5 snapshots retained. To configure the snapshot interval or the number of retained snapshots, refer to the options.

    The snapshot directory defaults to ${data-dir}/server/db/snapshots. The data-dir value defaults to /var/lib/rancher/k3s and can be changed by setting the --data-dir flag.

    -

    Restoring a Cluster from a Snapshot

    +

    Restoring a Cluster from a Snapshot

    When K3s is restored from backup, the old data directory will be moved to ${data-dir}/server/db/etcd-old/. Then K3s will attempt to restore the snapshot by creating a new data directory, then starting etcd with a new K3s cluster with one etcd member.

    To restore the cluster from backup:

    Run K3s with the --cluster-reset option, with the --cluster-reset-restore-path also given:

    k3s server \
      --cluster-reset \
      --cluster-reset-restore-path=<PATH-TO-SNAPSHOT>

    Result: A message in the logs says that K3s can be restarted without the flags. Start k3s again and should run successfully and be restored from the specified snapshot.

    -

    Options

    +

    Options

    These options can be passed in with the command line, or in the configuration file, which may be easier to use.

    OptionsDescription
    --etcd-disable-snapshotsDisable automatic etcd snapshots
    --etcd-snapshot-schedule-cron valueSnapshot interval time in cron spec. eg. every 5 hours 0 */5 * * *(default: 0 */12 * * *)
    --etcd-snapshot-retention valueNumber of snapshots to retain (default: 5)
    --etcd-snapshot-dir valueDirectory to save db snapshots. (Default location: ${data-dir}/db/snapshots)
    --cluster-resetForget all peers and become sole member of a new cluster. This can also be set with the environment variable [$K3S_CLUSTER_RESET].
    --cluster-reset-restore-path valuePath to snapshot file to be restored
    -

    S3 Compatible API Support

    +

    S3 Compatible API Support

    K3s supports writing etcd snapshots to and restoring etcd snapshots from systems with S3-compatible APIs. S3 support is available for both on-demand and scheduled snapshots.

    The arguments below have been added to the server subcommand. These flags exist for the etcd-snapshot subcommand as well however the --etcd-s3 portion is removed to avoid redundancy.

    OptionsDescription
    --etcd-s3Enable backup to S3
    --etcd-s3-endpointS3 endpoint url
    --etcd-s3-endpoint-caS3 custom CA cert to connect to S3 endpoint
    --etcd-s3-skip-ssl-verifyDisables S3 SSL certificate validation
    --etcd-s3-access-keyS3 access key
    --etcd-s3-secret-keyS3 secret key
    --etcd-s3-bucketS3 bucket name
    --etcd-s3-regionS3 region / bucket location (optional). defaults to us-east-1
    --etcd-s3-folderS3 folder
    @@ -47,7 +47,7 @@

    S3 
    k3s etcd-snapshot save \
      --s3 \
      --s3-bucket=<S3-BUCKET-NAME> \
      --s3-access-key=<S3-ACCESS-KEY> \
      --s3-secret-key=<S3-SECRET-KEY>

    To perform an on-demand etcd snapshot restore from S3, first make sure that K3s isn't running. Then run the following commands:

    k3s server \
      --cluster-init \
      --cluster-reset \
      --etcd-s3 \
      --cluster-reset-restore-path=<SNAPSHOT-NAME> \
      --etcd-s3-bucket=<S3-BUCKET-NAME> \
      --etcd-s3-access-key=<S3-ACCESS-KEY> \
      --etcd-s3-secret-key=<S3-SECRET-KEY>
    -

    Etcd Snapshot and Restore Subcommands

    +

    Etcd Snapshot and Restore Subcommands

    k3s supports a set of subcommands for working with your etcd snapshots.

    SubcommandDescription
    deleteDelete given snapshot(s)
    ls, list, lList snapshots
    pruneRemove snapshots that exceed the configured retention count
    saveTrigger an immediate etcd snapshot
    note

    The save subcommand is the same as k3s etcd-snapshot. The latter will eventually be deprecated in favor of the former.

    @@ -57,7 +57,7 @@ 

    k3s etcd-snapshot delete          \
      --s3                            \
      --s3-bucket=<S3-BUCKET-NAME>    \
      --s3-access-key=<S3-ACCESS-KEY> \
      --s3-secret-key=<S3-SECRET-KEY> \
      <SNAPSHOT-NAME>

    Prune local snapshots with the default retention policy (5). The prune subcommand takes an additional flag --snapshot-retention that allows for overriding the default retention policy.

    k3s etcd-snapshot prune
    -
    k3s etcd-snapshot prune --snapshot-retention 10
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/cli/secrets-encrypt.html b/cli/secrets-encrypt.html index dd66b8371..68ff62342 100644 --- a/cli/secrets-encrypt.html +++ b/cli/secrets-encrypt.html @@ -2,15 +2,15 @@ - -secrets-encrypt | K3s - - + +secrets-encrypt | K3s + + -

    k3s secrets-encrypt

    +

    k3s secrets-encrypt

    K3s supports enabling secrets encryption at rest. For more information, see Secrets Encryption.

    -

    Secrets Encryption Tool

    +

    Secrets Encryption Tool

    Version Gate

    Available as of v1.21.8+k3s1

    K3s contains a CLI tool secrets-encrypt, which enables automatic control over the following:

      @@ -20,8 +20,8 @@

      Secr
    • Reencrypting secrets

    warning

    Failure to follow proper procedure for rotating encryption keys can leave your cluster permanently corrupted. Proceed with caution.

    -

    New Encryption Key Rotation (Experimental)

    -
    Version Gate

    Available as of v1.28.1+k3s1. This new version of the tool utilized K8s automatic config reloading which is currently in beta. GA is expected in v1.29.0

    For older releases, see Encryption Key Rotation Classic

    +

    New Encryption Key Rotation (Experimental)

    +
    Version Gate

    Available as of v1.28.1+k3s1. This new version of the tool utilized K8s automatic config reloading which is currently in beta. GA is expected in v1.29.0

    For older releases, see Encryption Key Rotation Classic

    To rotate secrets encryption keys on a single-server cluster:

    1. Start the K3s server with the flag --secrets-encryption

      @@ -57,7 +57,7 @@

      Encryption Key Rotation Classic

      +

      Encryption Key Rotation Classic

      To rotate secrets encryption keys on a single-server cluster:

      1. Start the K3s server with the flag --secrets-encryption

        @@ -126,7 +126,7 @@

        Secrets Encryption Disable/Re-enable

        +

        Secrets Encryption Disable/Re-enable

        After launching a server with --secrets-encryption flag, secrets encryption can be disabled.

        To disable secrets encryption on a single-node cluster:

        1. Disable

          @@ -184,7 +184,7 @@ 

          k3s secrets-encrypt reencrypt --force --skip

      -

      Secrets Encryption Status

      +

      Secrets Encryption Status

      The secrets-encrypt tool includes a status command that displays information about the current status of secrets encryption on the node.

      An example of the command on a single-server node:

      $ k3s secrets-encrypt status
      Encryption Status: Enabled
      Current Rotation Stage: start
      Server Encryption Hashes: All hashes match

      Active  Key Type  Name
      ------  --------  ----
       *      AES-CBC   aescbckey

      @@ -203,7 +203,7 @@

      Se
    2. Name: Name of the encryption key.

      3. -
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/cli/server.html b/cli/server.html index b706a269c..8cc6d084f 100644 --- a/cli/server.html +++ b/cli/server.html @@ -2,17 +2,17 @@ - -server | K3s - - + +server | K3s + + -

    k3s server

    +

    k3s server

    In this section, you'll learn how to configure the K3s server.

    Note that servers also run an agent, so all of the configuration options listed in the k3s agent documentation are also supported on servers.

    Options are documented on this page as CLI flags, but can also be passed as configuration file options. See the Configuration File documentation for more information on using YAML configuration files.

    -

    Critical Configuration Values

    +

    Critical Configuration Values

    The following options must be set to the same value on all servers in the cluster. Failure to do so will cause new servers to fail to join the cluster when using embedded etcd, or incorrect operation of the cluster when using an external datastore.

    • --agent-token
      • @@ -31,39 +31,39 @@

      Commonly Used Options

      -

      Database

      +

      Commonly Used Options

      +

      Database

      FlagEnvironment VariableDefaultDescription
      --datastore-endpoint valueK3S_DATASTORE_ENDPOINTSpecify etcd, Mysql, Postgres, or Sqlite data source name
      --datastore-cafile valueK3S_DATASTORE_CAFILETLS Certificate Authority file used to secure datastore backend communication
      --datastore-certfile valueK3S_DATASTORE_CERTFILETLS certification file used to secure datastore backend communication
      --datastore-keyfile valueK3S_DATASTORE_KEYFILETLS key file used to secure datastore backend communication
      --etcd-expose-metricsfalseExpose etcd metrics to client interface
      --etcd-disable-snapshotsfalseDisable automatic etcd snapshots
      --etcd-snapshot-name value"etcd-snapshot-<unix-timestamp>"Set the base name of etcd snapshots.
      --etcd-snapshot-schedule-cron value"0 */12 * * *"Snapshot interval time in cron spec. eg. every 5 hours '0 */5 _ * _'
      --etcd-snapshot-retention value5Number of snapshots to retain
      --etcd-snapshot-dir value${data-dir}/db/snapshotsDirectory to save db snapshots
      --etcd-s3Enable backup to S3
      --etcd-s3-endpoint value"s3.amazonaws.com"S3 endpoint url
      --etcd-s3-endpoint-ca valueS3 custom CA cert to connect to S3 endpoint
      --etcd-s3-skip-ssl-verifyDisables S3 SSL certificate validation
      --etcd-s3-access-key valueAWS_ACCESS_KEY_IDS3 access key
      --etcd-s3-secret-key valueAWS_SECRET_ACCESS_KEYS3 secret key
      --etcd-s3-bucket valueS3 bucket name
      --etcd-s3-region value"us-east-1"S3 region / bucket location (optional)
      --etcd-s3-folder valueS3 folder
      --etcd-s3-insecureDisables S3 over HTTPS
      --etcd-s3-timeout value5m0sS3 timeout (default: 5m0s)
      -

      Cluster Options

      +

      Cluster Options

      FlagEnvironment VariableDescription
      --token value, -t valueK3S_TOKENShared secret used to join a server or agent to a cluster
      --token-file valueK3S_TOKEN_FILEFile containing the cluster-secret/token
      --agent-token valueK3S_AGENT_TOKENShared secret used to join agents to the cluster, but not servers
      --agent-token-file valueK3S_AGENT_TOKEN_FILEFile containing the agent secret
      --server valueK3S_URLServer to connect to, used to join a cluster
      --cluster-initK3S_CLUSTER_INITInitialize a new cluster using embedded Etcd
      --cluster-resetK3S_CLUSTER_RESETForget all peers and become sole member of a new cluster
      -

      Admin Kubeconfig Options

      +

      Admin Kubeconfig Options

      FlagEnvironment VariableDescription
      --write-kubeconfig value, -o valueK3S_KUBECONFIG_OUTPUTWrite kubeconfig for admin client to this file
      --write-kubeconfig-mode valueK3S_KUBECONFIG_MODEWrite kubeconfig with this mode. The kubeconfig file is owned by root, and written with a default mode of 600. Changing the mode to 644 will allow it to be read by other unprivileged users on the host.
      -

      Advanced Options

      -

      Logging

      +

      Advanced Options

      +

      Logging

      FlagDefaultDescription
      --debugN/ATurn on debug logs
      -v value0Number for the log level verbosity
      --vmodule valueN/AComma-separated list of FILE_PATTERN=LOG_LEVEL settings for file-filtered logging
      --log value, -l valueN/ALog to file
      --alsologtostderrN/ALog to standard error as well as file (if set)
      -

      Listeners

      +

      Listeners

      FlagDefaultDescription
      --bind-address value0.0.0.0k3s bind address
      --https-listen-port value6443HTTPS listen port
      --advertise-address valuenode-external-ip/node-ipIPv4/IPv6 address that apiserver advertises for its service endpoint
      Note that the primary service-cidr IP range must be of the same address family as the advertised address
      --advertise-port valuelisten-port/0Port that apiserver uses to advertise to members of the cluster
      --tls-san valueN/AAdd additional hostnames or IPv4/IPv6 addresses as Subject Alternative Names on the TLS cert
      -

      Data

      +

      Data

      FlagDefaultDescription
      --data-dir value, -d value/var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not rootFolder to hold state
      -

      Secrets Encryption

      +

      Secrets Encryption

      FlagDefaultDescription
      --secrets-encryptionfalseEnable Secret encryption at rest
      -

      Networking

      +

      Networking

      FlagDefaultDescription
      --cluster-cidr value"10.42.0.0/16"IPv4/IPv6 network CIDRs to use for pod IPs
      --service-cidr value"10.43.0.0/16"IPv4/IPv6 network CIDRs to use for service IPs
      --service-node-port-range value"30000-32767"Port range to reserve for services with NodePort visibility
      --cluster-dns value"10.43.0.10"IPv4 Cluster IP for coredns service. Should be in your service-cidr range
      --cluster-domain value"cluster.local"Cluster Domain
      --flannel-backend value"vxlan"One of 'none', 'vxlan', 'ipsec'(deprecated), 'host-gw', 'wireguard-native', or 'wireguard'(deprecated)
      --flannel-ipv6-masq"N/A"Enable IPv6 masquerading for pod
      --flannel-external-ip"N/A"Use node external IP addresses for Flannel traffic
      --servicelb-namespace value"kube-system"Namespace of the pods for the servicelb component
      --egress-selector-mode value"agent"Must be one of the following:
      • disabled: The apiserver does not use agent tunnels to communicate with nodes. Requires that servers run agents, and have direct connectivity to the kubelet on agents, or the apiserver will not be able to function access service endpoints or perform kubectl exec and kubectl logs.
      • agent: The apiserver uses agent tunnels to communicate with nodes. Nodes allow the tunnel connection from loopback addresses. Requires that servers also run agents, or the apiserver will not be able to access service endpoints. The historical default for k3s.
      • pod: The apiserver uses agent tunnels to communicate with nodes and service endpoints, routing endpoint connections to the correct agent by watching Nodes. Nodes allow the tunnel connection from loopback addresses, or a CIDR assigned to their node.
      • cluster: The apiserver uses agent tunnels to communicate with nodes and service endpoints, routing endpoint connections to the correct agent by watching Endpoints. Nodes allow the tunnel connection from loopback addresses, or the configured cluster CIDR range.
      -

      Storage Class

      +

      Storage Class

      FlagDescription
      --default-local-storage-path valueDefault local storage path for local provisioner storage class
      -

      Kubernetes Components

      +

      Kubernetes Components

      FlagDescription
      --disable valueSee "Using the --disable flag"
      --disable-schedulerDisable Kubernetes default scheduler
      --disable-cloud-controllerDisable k3s default cloud controller manager
      --disable-kube-proxyDisable running kube-proxy
      --disable-network-policyDisable k3s default network policy controller
      --disable-helm-controllerDisable Helm controller
      -

      Customized Flags for Kubernetes Processes

      +

      Customized Flags for Kubernetes Processes

      FlagDescription
      --etcd-arg valueCustomized flag for etcd process
      --kube-apiserver-arg valueCustomized flag for kube-apiserver process
      --kube-scheduler-arg valueCustomized flag for kube-scheduler process
      --kube-controller-manager-arg valueCustomized flag for kube-controller-manager process
      --kube-cloud-controller-manager-arg valueCustomized flag for kube-cloud-controller-manager process
      --kubelet-arg valueCustomized flag for kubelet process
      --kube-proxy-arg valueCustomized flag for kube-proxy process
      -

      Experimental Options

      +

      Experimental Options

      FlagDescription
      --rootlessRun rootless
      --enable-pprofEnable pprof endpoint on supervisor port
      --dockerUse cri-dockerd instead of containerd
      --prefer-bundled-binPrefer bundled userspace binaries over host binaries
      --disable-agentSee "Running Agentless Servers (Experimental)"
      --embedded-registrySee "Embedded Registry Mirror"
      -

      Deprecated Options

      +

      Deprecated Options

      FlagEnvironment VariableDescription
      --no-flannelN/AUse --flannel-backend=none
      --no-deploy valueN/AUse --disable
      --cluster-secret valueK3S_CLUSTER_SECRETUse --token
      --flannel-backend wireguardN/AUse --flannel-backend=wireguard-native
      --flannel-backend value=option1=valueN/AUse --flannel-conf to specify the flannel config file with the backend config
      -

      K3s Server CLI Help

      +

      K3s Server CLI Help

      If an option appears in brackets below, for example [$K3S_TOKEN], it means that the option can be passed in as an environment variable of that name.

      -
      NAME:
         k3s server - Run management server

      USAGE:
         k3s server [OPTIONS]

      OPTIONS:
         --config FILE, -c FILE                     (config) Load configuration from FILE (default: "/etc/rancher/k3s/config.yaml") [$K3S_CONFIG_FILE]
         --debug                                    (logging) Turn on debug logs [$K3S_DEBUG]
         -v value                                   (logging) Number for the log level verbosity (default: 0)
         --vmodule value                            (logging) Comma-separated list of FILE_PATTERN=LOG_LEVEL settings for file-filtered logging
         --log value, -l value                      (logging) Log to file
         --alsologtostderr                          (logging) Log to standard error as well as file (if set)
         --bind-address value                       (listener) k3s bind address (default: 0.0.0.0)
         --https-listen-port value                  (listener) HTTPS listen port (default: 6443)
         --advertise-address value                  (listener) IPv4 address that apiserver uses to advertise to members of the cluster (default: node-external-ip/node-ip)
         --advertise-port value                     (listener) Port that apiserver uses to advertise to members of the cluster (default: listen-port) (default: 0)
         --tls-san value                            (listener) Add additional hostnames or IPv4/IPv6 addresses as Subject Alternative Names on the server TLS cert
         --data-dir value, -d value                 (data) Folder to hold state (default: /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root)
         --cluster-cidr value                       (networking) IPv4/IPv6 network CIDRs to use for pod IPs (default: 10.42.0.0/16)
         --service-cidr value                       (networking) IPv4/IPv6 network CIDRs to use for service IPs (default: 10.43.0.0/16)
         --service-node-port-range value            (networking) Port range to reserve for services with NodePort visibility (default: "30000-32767")
         --cluster-dns value                        (networking) IPv4 Cluster IP for coredns service. Should be in your service-cidr range (default: 10.43.0.10)
         --cluster-domain value                     (networking) Cluster Domain (default: "cluster.local")
         --flannel-backend value                    (networking) backend<=option1=val1,option2=val2> where backend is one of 'none', 'vxlan', 'ipsec' (deprecated), 'host-gw', 'wireguard-native', 'wireguard' (deprecated) (default: "vxlan")
         --flannel-ipv6-masq                        (networking) Enable IPv6 masquerading for pod
         --flannel-external-ip                      (networking) Use node external IP addresses for Flannel traffic
         --egress-selector-mode value               (networking) One of 'agent', 'cluster', 'pod', 'disabled' (default: "agent")
         --servicelb-namespace value                (networking) Namespace of the pods for the servicelb component (default: "kube-system")
         --write-kubeconfig value, -o value         (client) Write kubeconfig for admin client to this file [$K3S_KUBECONFIG_OUTPUT]
         --write-kubeconfig-mode value              (client) Write kubeconfig with this mode [$K3S_KUBECONFIG_MODE]
         --token value, -t value                    (cluster) Shared secret used to join a server or agent to a cluster [$K3S_TOKEN]
         --token-file value                         (cluster) File containing the token [$K3S_TOKEN_FILE]
         --agent-token value                        (cluster) Shared secret used to join agents to the cluster, but not servers [$K3S_AGENT_TOKEN]
         --agent-token-file value                   (cluster) File containing the agent secret [$K3S_AGENT_TOKEN_FILE]
         --server value, -s value                   (cluster) Server to connect to, used to join a cluster [$K3S_URL]
         --cluster-init                             (cluster) Initialize a new cluster using embedded Etcd [$K3S_CLUSTER_INIT]
         --cluster-reset                            (cluster) Forget all peers and become sole member of a new cluster [$K3S_CLUSTER_RESET]
         --cluster-reset-restore-path value         (db) Path to snapshot file to be restored
         --kube-apiserver-arg value                 (flags) Customized flag for kube-apiserver process
         --etcd-arg value                           (flags) Customized flag for etcd process
         --kube-controller-manager-arg value        (flags) Customized flag for kube-controller-manager process
         --kube-scheduler-arg value                 (flags) Customized flag for kube-scheduler process
         --kube-cloud-controller-manager-arg value  (flags) Customized flag for kube-cloud-controller-manager process
         --datastore-endpoint value                 (db) Specify etcd, Mysql, Postgres, or Sqlite (default) data source name [$K3S_DATASTORE_ENDPOINT]
         --datastore-cafile value                   (db) TLS Certificate Authority file used to secure datastore backend communication [$K3S_DATASTORE_CAFILE]
         --datastore-certfile value                 (db) TLS certification file used to secure datastore backend communication [$K3S_DATASTORE_CERTFILE]
         --datastore-keyfile value                  (db) TLS key file used to secure datastore backend communication [$K3S_DATASTORE_KEYFILE]
         --etcd-expose-metrics                      (db) Expose etcd metrics to client interface. (default: false)
         --etcd-disable-snapshots                   (db) Disable automatic etcd snapshots
         --etcd-snapshot-name value                 (db) Set the base name of etcd snapshots (default: etcd-snapshot-<unix-timestamp>) (default: "etcd-snapshot")
         --etcd-snapshot-schedule-cron value        (db) Snapshot interval time in cron spec. eg. every 5 hours '* */5 * * *' (default: "0 */12 * * *")
         --etcd-snapshot-retention value            (db) Number of snapshots to retain (default: 5)
         --etcd-snapshot-dir value                  (db) Directory to save db snapshots. (default: ${data-dir}/db/snapshots)
         --etcd-snapshot-compress                   (db) Compress etcd snapshot
         --etcd-s3                                  (db) Enable backup to S3
         --etcd-s3-endpoint value                   (db) S3 endpoint url (default: "s3.amazonaws.com")
         --etcd-s3-endpoint-ca value                (db) S3 custom CA cert to connect to S3 endpoint
         --etcd-s3-skip-ssl-verify                  (db) Disables S3 SSL certificate validation
         --etcd-s3-access-key value                 (db) S3 access key [$AWS_ACCESS_KEY_ID]
         --etcd-s3-secret-key value                 (db) S3 secret key [$AWS_SECRET_ACCESS_KEY]
         --etcd-s3-bucket value                     (db) S3 bucket name
         --etcd-s3-region value                     (db) S3 region / bucket location (optional) (default: "us-east-1")
         --etcd-s3-folder value                     (db) S3 folder
         --etcd-s3-insecure                         (db) Disables S3 over HTTPS
         --etcd-s3-timeout value                    (db) S3 timeout (default: 5m0s)
         --default-local-storage-path value         (storage) Default local storage path for local provisioner storage class
         --disable value                            (components) Do not deploy packaged components and delete any deployed components (valid items: coredns, servicelb, traefik, local-storage, metrics-server)
         --disable-scheduler                        (components) Disable Kubernetes default scheduler
         --disable-cloud-controller                 (components) Disable k3s default cloud controller manager
         --disable-kube-proxy                       (components) Disable running kube-proxy
         --disable-network-policy                   (components) Disable k3s default network policy controller
         --disable-helm-controller                  (components) Disable Helm controller
         --node-name value                          (agent/node) Node name [$K3S_NODE_NAME]
         --with-node-id                             (agent/node) Append id to node name
         --node-label value                         (agent/node) Registering and starting kubelet with set of labels
         --node-taint value                         (agent/node) Registering kubelet with set of taints
         --image-credential-provider-bin-dir value  (agent/node) The path to the directory where credential provider plugin binaries are located (default: "/var/lib/rancher/credentialprovider/bin")
         --image-credential-provider-config value   (agent/node) The path to the credential provider plugin config file (default: "/var/lib/rancher/credentialprovider/config.yaml")
         --docker                                   (agent/runtime) (experimental) Use cri-dockerd instead of containerd
         --container-runtime-endpoint value         (agent/runtime) Disable embedded containerd and use the CRI socket at the given path; when used with --docker this sets the docker socket path
         --pause-image value                        (agent/runtime) Customized pause image for containerd or docker sandbox (default: "rancher/mirrored-pause:3.6")
         --snapshotter value                        (agent/runtime) Override default containerd snapshotter (default: "overlayfs")
         --private-registry value                   (agent/runtime) Private registry configuration file (default: "/etc/rancher/k3s/registries.yaml")
         --system-default-registry value            (agent/runtime) Private registry to be used for all system images [$K3S_SYSTEM_DEFAULT_REGISTRY]
         --node-ip value, -i value                  (agent/networking) IPv4/IPv6 addresses to advertise for node
         --node-external-ip value                   (agent/networking) IPv4/IPv6 external IP addresses to advertise for node
         --resolv-conf value                        (agent/networking) Kubelet resolv.conf file [$K3S_RESOLV_CONF]
         --flannel-iface value                      (agent/networking) Override default flannel interface
         --flannel-conf value                       (agent/networking) Override default flannel config file
         --flannel-cni-conf value                   (agent/networking) Override default flannel cni config file
         --kubelet-arg value                        (agent/flags) Customized flag for kubelet process
         --kube-proxy-arg value                     (agent/flags) Customized flag for kube-proxy process
         --protect-kernel-defaults                  (agent/node) Kernel tuning behavior. If set, error if kernel tunables are different than kubelet defaults.
         --secrets-encryption                       Enable secret encryption at rest
         --enable-pprof                             (experimental) Enable pprof endpoint on supervisor port
         --rootless                                 (experimental) Run rootless
         --prefer-bundled-bin                       (experimental) Prefer bundled userspace binaries over host binaries
         --selinux                                  (agent/node) Enable SELinux in containerd [$K3S_SELINUX]
         --lb-server-port value                     (agent/node) Local port for supervisor client load-balancer. If the supervisor and apiserver are not colocated an additional port 1 less than this port will also be used for the apiserver client load-balancer. (default: 6444) [$K3S_LB_SERVER_PORT]
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +
    NAME:
       k3s server - Run management server

    USAGE:
       k3s server [OPTIONS]

    OPTIONS:
       --config FILE, -c FILE                     (config) Load configuration from FILE (default: "/etc/rancher/k3s/config.yaml") [$K3S_CONFIG_FILE]
       --debug                                    (logging) Turn on debug logs [$K3S_DEBUG]
       -v value                                   (logging) Number for the log level verbosity (default: 0)
       --vmodule value                            (logging) Comma-separated list of FILE_PATTERN=LOG_LEVEL settings for file-filtered logging
       --log value, -l value                      (logging) Log to file
       --alsologtostderr                          (logging) Log to standard error as well as file (if set)
       --bind-address value                       (listener) k3s bind address (default: 0.0.0.0)
       --https-listen-port value                  (listener) HTTPS listen port (default: 6443)
       --advertise-address value                  (listener) IPv4 address that apiserver uses to advertise to members of the cluster (default: node-external-ip/node-ip)
       --advertise-port value                     (listener) Port that apiserver uses to advertise to members of the cluster (default: listen-port) (default: 0)
       --tls-san value                            (listener) Add additional hostnames or IPv4/IPv6 addresses as Subject Alternative Names on the server TLS cert
       --data-dir value, -d value                 (data) Folder to hold state (default: /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root)
       --cluster-cidr value                       (networking) IPv4/IPv6 network CIDRs to use for pod IPs (default: 10.42.0.0/16)
       --service-cidr value                       (networking) IPv4/IPv6 network CIDRs to use for service IPs (default: 10.43.0.0/16)
       --service-node-port-range value            (networking) Port range to reserve for services with NodePort visibility (default: "30000-32767")
       --cluster-dns value                        (networking) IPv4 Cluster IP for coredns service. Should be in your service-cidr range (default: 10.43.0.10)
       --cluster-domain value                     (networking) Cluster Domain (default: "cluster.local")
       --flannel-backend value                    (networking) backend<=option1=val1,option2=val2> where backend is one of 'none', 'vxlan', 'ipsec' (deprecated), 'host-gw', 'wireguard-native', 'wireguard' (deprecated) (default: "vxlan")
       --flannel-ipv6-masq                        (networking) Enable IPv6 masquerading for pod
       --flannel-external-ip                      (networking) Use node external IP addresses for Flannel traffic
       --egress-selector-mode value               (networking) One of 'agent', 'cluster', 'pod', 'disabled' (default: "agent")
       --servicelb-namespace value                (networking) Namespace of the pods for the servicelb component (default: "kube-system")
       --write-kubeconfig value, -o value         (client) Write kubeconfig for admin client to this file [$K3S_KUBECONFIG_OUTPUT]
       --write-kubeconfig-mode value              (client) Write kubeconfig with this mode [$K3S_KUBECONFIG_MODE]
       --token value, -t value                    (cluster) Shared secret used to join a server or agent to a cluster [$K3S_TOKEN]
       --token-file value                         (cluster) File containing the token [$K3S_TOKEN_FILE]
       --agent-token value                        (cluster) Shared secret used to join agents to the cluster, but not servers [$K3S_AGENT_TOKEN]
       --agent-token-file value                   (cluster) File containing the agent secret [$K3S_AGENT_TOKEN_FILE]
       --server value, -s value                   (cluster) Server to connect to, used to join a cluster [$K3S_URL]
       --cluster-init                             (cluster) Initialize a new cluster using embedded Etcd [$K3S_CLUSTER_INIT]
       --cluster-reset                            (cluster) Forget all peers and become sole member of a new cluster [$K3S_CLUSTER_RESET]
       --cluster-reset-restore-path value         (db) Path to snapshot file to be restored
       --kube-apiserver-arg value                 (flags) Customized flag for kube-apiserver process
       --etcd-arg value                           (flags) Customized flag for etcd process
       --kube-controller-manager-arg value        (flags) Customized flag for kube-controller-manager process
       --kube-scheduler-arg value                 (flags) Customized flag for kube-scheduler process
       --kube-cloud-controller-manager-arg value  (flags) Customized flag for kube-cloud-controller-manager process
       --datastore-endpoint value                 (db) Specify etcd, Mysql, Postgres, or Sqlite (default) data source name [$K3S_DATASTORE_ENDPOINT]
       --datastore-cafile value                   (db) TLS Certificate Authority file used to secure datastore backend communication [$K3S_DATASTORE_CAFILE]
       --datastore-certfile value                 (db) TLS certification file used to secure datastore backend communication [$K3S_DATASTORE_CERTFILE]
       --datastore-keyfile value                  (db) TLS key file used to secure datastore backend communication [$K3S_DATASTORE_KEYFILE]
       --etcd-expose-metrics                      (db) Expose etcd metrics to client interface. (default: false)
       --etcd-disable-snapshots                   (db) Disable automatic etcd snapshots
       --etcd-snapshot-name value                 (db) Set the base name of etcd snapshots (default: etcd-snapshot-<unix-timestamp>) (default: "etcd-snapshot")
       --etcd-snapshot-schedule-cron value        (db) Snapshot interval time in cron spec. eg. every 5 hours '* */5 * * *' (default: "0 */12 * * *")
       --etcd-snapshot-retention value            (db) Number of snapshots to retain (default: 5)
       --etcd-snapshot-dir value                  (db) Directory to save db snapshots. (default: ${data-dir}/db/snapshots)
       --etcd-snapshot-compress                   (db) Compress etcd snapshot
       --etcd-s3                                  (db) Enable backup to S3
       --etcd-s3-endpoint value                   (db) S3 endpoint url (default: "s3.amazonaws.com")
       --etcd-s3-endpoint-ca value                (db) S3 custom CA cert to connect to S3 endpoint
       --etcd-s3-skip-ssl-verify                  (db) Disables S3 SSL certificate validation
       --etcd-s3-access-key value                 (db) S3 access key [$AWS_ACCESS_KEY_ID]
       --etcd-s3-secret-key value                 (db) S3 secret key [$AWS_SECRET_ACCESS_KEY]
       --etcd-s3-bucket value                     (db) S3 bucket name
       --etcd-s3-region value                     (db) S3 region / bucket location (optional) (default: "us-east-1")
       --etcd-s3-folder value                     (db) S3 folder
       --etcd-s3-insecure                         (db) Disables S3 over HTTPS
       --etcd-s3-timeout value                    (db) S3 timeout (default: 5m0s)
       --default-local-storage-path value         (storage) Default local storage path for local provisioner storage class
       --disable value                            (components) Do not deploy packaged components and delete any deployed components (valid items: coredns, servicelb, traefik, local-storage, metrics-server)
       --disable-scheduler                        (components) Disable Kubernetes default scheduler
       --disable-cloud-controller                 (components) Disable k3s default cloud controller manager
       --disable-kube-proxy                       (components) Disable running kube-proxy
       --disable-network-policy                   (components) Disable k3s default network policy controller
       --disable-helm-controller                  (components) Disable Helm controller
       --node-name value                          (agent/node) Node name [$K3S_NODE_NAME]
       --with-node-id                             (agent/node) Append id to node name
       --node-label value                         (agent/node) Registering and starting kubelet with set of labels
       --node-taint value                         (agent/node) Registering kubelet with set of taints
       --image-credential-provider-bin-dir value  (agent/node) The path to the directory where credential provider plugin binaries are located (default: "/var/lib/rancher/credentialprovider/bin")
       --image-credential-provider-config value   (agent/node) The path to the credential provider plugin config file (default: "/var/lib/rancher/credentialprovider/config.yaml")
       --docker                                   (agent/runtime) (experimental) Use cri-dockerd instead of containerd
       --container-runtime-endpoint value         (agent/runtime) Disable embedded containerd and use the CRI socket at the given path; when used with --docker this sets the docker socket path
       --pause-image value                        (agent/runtime) Customized pause image for containerd or docker sandbox (default: "rancher/mirrored-pause:3.6")
       --snapshotter value                        (agent/runtime) Override default containerd snapshotter (default: "overlayfs")
       --private-registry value                   (agent/runtime) Private registry configuration file (default: "/etc/rancher/k3s/registries.yaml")
       --system-default-registry value            (agent/runtime) Private registry to be used for all system images [$K3S_SYSTEM_DEFAULT_REGISTRY]
       --node-ip value, -i value                  (agent/networking) IPv4/IPv6 addresses to advertise for node
       --node-external-ip value                   (agent/networking) IPv4/IPv6 external IP addresses to advertise for node
       --resolv-conf value                        (agent/networking) Kubelet resolv.conf file [$K3S_RESOLV_CONF]
       --flannel-iface value                      (agent/networking) Override default flannel interface
       --flannel-conf value                       (agent/networking) Override default flannel config file
       --flannel-cni-conf value                   (agent/networking) Override default flannel cni config file
       --kubelet-arg value                        (agent/flags) Customized flag for kubelet process
       --kube-proxy-arg value                     (agent/flags) Customized flag for kube-proxy process
       --protect-kernel-defaults                  (agent/node) Kernel tuning behavior. If set, error if kernel tunables are different than kubelet defaults.
       --secrets-encryption                       Enable secret encryption at rest
       --enable-pprof                             (experimental) Enable pprof endpoint on supervisor port
       --rootless                                 (experimental) Run rootless
       --prefer-bundled-bin                       (experimental) Prefer bundled userspace binaries over host binaries
       --selinux                                  (agent/node) Enable SELinux in containerd [$K3S_SELINUX]
       --lb-server-port value                     (agent/node) Local port for supervisor client load-balancer. If the supervisor and apiserver are not colocated an additional port 1 less than this port will also be used for the apiserver client load-balancer. (default: 6444) [$K3S_LB_SERVER_PORT]
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/cli/token.html b/cli/token.html index e419c6a97..3ee6ca49d 100644 --- a/cli/token.html +++ b/cli/token.html @@ -2,17 +2,17 @@ - -token | K3s - - + +token | K3s + + -

    k3s token

    +

    k3s token

    K3s uses tokens to secure the node join process. Tokens authenticate the cluster to the joining node, and the node to the cluster.

    -

    Token Format

    +

    Token Format

    K3s tokens can be specified in either secure or short format. The secure format is preferred, as it enables the client to authenticate the identity of the cluster it is joining, before sending credentials.

    -

    Secure

    +

    Secure

    The secure token format (occasionally referred to as a "full" token) contains the following parts:

    <prefix><cluster CA hash>::<credentials>

      @@ -25,7 +25,7 @@

      SecureTLS Bootstrapping

      +

      TLS Bootstrapping

      When a secure token is specified, the joining node performs the following steps to validate the identity of the server it has connected to, before transmitting credentials:

      1. With TLS verification disabled, download the CA bundle from /cacerts on the server it is joining.
        2. @@ -34,47 +34,47 @@

        TLS Bootst
      2. If the hash matches, validate that the certificate presented by the server can be validated by the server's CA bundle.
      3. If the server certificate is valid, present credentials to join the cluster using either basic or bearer token authentication, depending on the token type.

      -

      Short

      +

      Short

      The short token format includes only the password or bearer token used to authenticate the joining node to the cluster.

      If a short token is used, the joining node implicitly trusts the CA bundle presented by the server; steps 2-4 in the TLS Bootstrapping process are skipped. The initial connection may be vulnerable to man-in-the-middle attack.

      -

      Token Types

      +

      Token Types

      K3s supports three types of tokens. Only the server token is available by default; additional token types must be configured or created by the administrator.

      TypeCLI OptionEnvironment Variable
      Server--tokenK3S_TOKEN
      Agent--agent-tokenK3S_AGENT_TOKEN
      Bootstrapn/an/a
      -

      Server

      +

      Server

      If no token is provided when starting the first server in the cluster, one is created with a random password. The server token is always written to /var/lib/rancher/k3s/server/token, in secure format.

      The server token can be used to join both server and agent nodes to the cluster. It cannot be changed once the cluster has been created, and anyone with access to the server token essentially has full administrator access to the cluster. This token should be guarded carefully.

      The server token is also used as the PBKDF2 passphrase for the key used to encrypt confidential information that is persisted to the datastore, such as the secrets-encryption configuration, wireguard keys, and private keys for cluster CA certificates and service-account tokens. For this reason, the token must be backed up alongside the cluster datastore itself.

      warning

      Unless custom CA certificates are in use, only the short (password-only) token format can be used when starting the first server in the cluster. This is because the cluster CA hash cannot be known until after the server has generated the self-signed cluster CA certificates.

      For more information on using custom CA certificates, see the k3s certificate documentation.
      For more information on backing up your cluster, see the Backup and Restore documentation.

      -

      Agent

      +

      Agent

      By default, the agent token is the same as the server token. The agent token can be set before or after the cluster has been started, by changing the CLI option or environment variable on all servers in the cluster. The agent token is similar to the server token in that is it statically configured, and does not expire.

      The agent token is written to /var/lib/rancher/k3s/server/agent-token, in secure format. If no agent token is specified, this file is a link to the server token.

      -

      Bootstrap

      +

      Bootstrap

      Version Gate

      Support for the k3s token command and the ability to join nodes with bootstrap tokens is available starting with the 2023-02 releases (v1.26.2+k3s1, v1.25.7+k3s1, v1.24.11+k3s1, v1.23.17+k3s1).

      K3s supports dynamically generated, automatically expiring agent bootstrap tokens. Bootstrap tokens can only be used to join agents.

      -

      k3s token

      +

      k3s token

      K3s bootstrap tokens use the same generation and validation code as kubeadm token bootstrap tokens, and the k3s token CLI is similar.

      NAME:
         k3s token - Manage bootstrap tokens

      USAGE:
         k3s token command [command options] [arguments...]

      COMMANDS:
         create    Create bootstrap tokens on the server
         delete    Delete bootstrap tokens on the server
         generate  Generate and print a bootstrap token, but do not create it on the server
         list      List bootstrap tokens on the server
         rotate    Rotate original server token with a new bootstrap token

      OPTIONS:
         --help, -h  show help
      -

      k3s token create [token]

      +

      k3s token create [token]

      Create a new token. The [token] is the actual token to write, as generated by k3s token generate. If no token is given, a random one will be generated.

      A token in secure format, including the cluster CA hash, will be written to stdout. The output of this command should be saved, as the secret portion of the token cannot be shown again.

      FlagDescription
      --data-dir valueFolder to hold state (default: /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root)
      --kubeconfig valueServer to connect to [$KUBECONFIG]
      --description valueA human friendly description of how this token is used
      --groups valueExtra groups that this token will authenticate as when used for authentication. (default: Default: "system:bootstrappers:k3s:default-node-token")
      --ttl valueThe duration before the token is automatically deleted (e.g. 1s, 2m, 3h). If set to '0', the token will never expire (default: 24h0m0s)
      --usages valueDescribes the ways in which this token can be used. (default: "signing,authentication")
      -

      k3s token delete

      +

      k3s token delete

      Delete one or more tokens. The full token can be provided, or just the token ID.

      FlagDescription
      --data-dir valueFolder to hold state (default: /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root)
      --kubeconfig valueServer to connect to [$KUBECONFIG]
      -

      k3s token generate

      +

      k3s token generate

      Generate a randomly-generated bootstrap token.

      You don't have to use this command in order to generate a token. You can do so yourself as long as it is in the format "[a-z0-9]6.[a-z0-9]16", where the first portion is the token ID, and the second portion is the secret.

      FlagDescription
      --data-dir valueFolder to hold state (default: /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root)
      --kubeconfig valueServer to connect to [$KUBECONFIG]
      -

      k3s token list

      +

      k3s token list

      List bootstrap tokens, showing their ID, description, and remaining time-to-live.

      FlagDescription
      --data-dir valueFolder to hold state (default: /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root)
      --kubeconfig valueServer to connect to [$KUBECONFIG]
      --output valueOutput format. Valid options: text, json (default: "text")
      -

      k3s token rotate

      +

      k3s token rotate

      Version Gate

      Available as of 2023-10 releases (v1.28.2+k3s1, v1.27.7+k3s1, v1.26.10+k3s1, v1.25.15+k3s1).

      Rotate original server token with a new bootstrap token. After running this command, all servers and any agents that originally joined with the old token must be restarted with the new token.

      If you do not specify a new token, one will be generated for you.

      -
      FlagDescription
      --data-dir valueFolder to hold state (default: /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root)
      --kubeconfig valueServer to connect to [$KUBECONFIG]
      --server valueServer to connect to (default: "https://127.0.0.1:6443") [$K3S_URL]
      --token valueExisting token used to join a server or agent to a cluster [$K3S_TOKEN]
      --new-token valueNew token that replaces existing token
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +
    FlagDescription
    --data-dir valueFolder to hold state (default: /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root)
    --kubeconfig valueServer to connect to [$KUBECONFIG]
    --server valueServer to connect to (default: "https://127.0.0.1:6443") [$K3S_URL]
    --token valueExisting token used to join a server or agent to a cluster [$K3S_TOKEN]
    --new-token valueNew token that replaces existing token
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/cluster-access.html b/cluster-access.html index f348dd978..ed7bdff50 100644 --- a/cluster-access.html +++ b/cluster-access.html @@ -2,19 +2,19 @@ - -Cluster Access | K3s - - + +Cluster Access | K3s + + -

    Cluster Access

    The kubeconfig file stored at /etc/rancher/k3s/k3s.yaml is used to configure access to the Kubernetes cluster. If you have installed upstream Kubernetes command line tools such as kubectl or helm you will need to configure them with the correct kubeconfig path. This can be done by either exporting the KUBECONFIG environment variable or by invoking the --kubeconfig command line flag. Refer to the examples below for details.

    +

    Cluster Access

    The kubeconfig file stored at /etc/rancher/k3s/k3s.yaml is used to configure access to the Kubernetes cluster. If you have installed upstream Kubernetes command line tools such as kubectl or helm you will need to configure them with the correct kubeconfig path. This can be done by either exporting the KUBECONFIG environment variable or by invoking the --kubeconfig command line flag. Refer to the examples below for details.

    Leverage the KUBECONFIG environment variable:

    export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
    kubectl get pods --all-namespaces
    helm ls --all-namespaces

    Or specify the location of the kubeconfig file in the command:

    kubectl --kubeconfig /etc/rancher/k3s/k3s.yaml get pods --all-namespaces
    helm --kubeconfig /etc/rancher/k3s/k3s.yaml ls --all-namespaces
    -

    Accessing the Cluster from Outside with kubectl

    -

    Copy /etc/rancher/k3s/k3s.yaml on your machine located outside the cluster as ~/.kube/config. Then replace the value of the server field with the IP or name of your K3s server. kubectl can now manage your K3s cluster.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +

    Accessing the Cluster from Outside with kubectl

    +

    Copy /etc/rancher/k3s/k3s.yaml on your machine located outside the cluster as ~/.kube/config. Then replace the value of the server field with the IP or name of your K3s server. kubectl can now manage your K3s cluster.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/datastore.html b/datastore.html index 3d4b825df..4260388c9 100644 --- a/datastore.html +++ b/datastore.html @@ -2,13 +2,13 @@ - -Cluster Datastore | K3s - - + +Cluster Datastore | K3s + + -

    Cluster Datastore

    The ability to run Kubernetes using a datastore other than etcd sets K3s apart from other Kubernetes distributions. This feature provides flexibility to Kubernetes operators. The available datastore options allow you to select a datastore that best fits your use case. For example:

    +

    Cluster Datastore

    The ability to run Kubernetes using a datastore other than etcd sets K3s apart from other Kubernetes distributions. This feature provides flexibility to Kubernetes operators. The available datastore options allow you to select a datastore that best fits your use case. For example:

    • If your team doesn't have expertise in operating etcd, you can choose an enterprise-grade SQL database like MySQL or PostgreSQL
    • If you need to run a simple, short-lived cluster in your CI/CD environment, you can use the embedded SQLite database
      • @@ -34,11 +34,11 @@
    Prepared Statement Support

    K3s requires prepared statements support from the DB. This means that connection poolers such as PgBouncer may require additional configuration to work with K3s.

    -

    External Datastore Configuration Parameters

    +

    External Datastore Configuration Parameters

    If you wish to use an external datastore such as PostgreSQL, MySQL, or etcd you must set the datastore-endpoint parameter so that K3s knows how to connect to it. You may also specify parameters to configure the authentication and encryption of the connection. The below table summarizes these parameters, which can be passed as either CLI flags or environment variables.

    CLI FlagEnvironment VariableDescription
    --datastore-endpointK3S_DATASTORE_ENDPOINTSpecify a PostgreSQL, MySQL, or etcd connection string. This is a string used to describe the connection to the datastore. The structure of this string is specific to each backend and is detailed below.
    --datastore-cafileK3S_DATASTORE_CAFILETLS Certificate Authority (CA) file used to help secure communication with the datastore. If your datastore serves requests over TLS using a certificate signed by a custom certificate authority, you can specify that CA using this parameter so that the K3s client can properly verify the certificate.
    --datastore-certfileK3S_DATASTORE_CERTFILETLS certificate file used for client certificate based authentication to your datastore. To use this feature, your datastore must be configured to support client certificate based authentication. If you specify this parameter, you must also specify the datastore-keyfile parameter.
    --datastore-keyfileK3S_DATASTORE_KEYFILETLS key file used for client certificate based authentication to your datastore. See the previous datastore-certfile parameter for more details.

    As a best practice we recommend setting these parameters as environment variables rather than command line arguments so that your database credentials or other sensitive information aren't exposed as part of the process info.

    -

    Datastore Endpoint Format and Functionality

    +

    Datastore Endpoint Format and Functionality

    As mentioned, the format of the value passed to the datastore-endpoint parameter is dependent upon the datastore backend. The following details this format and functionality for each supported external datastore.

    In its most common form, the datastore-endpoint parameter for PostgreSQL has the following format:

    postgres://username:password@hostname:port/database-name

    More advanced configuration parameters are available. For more information on these, please see https://godoc.org/github.com/lib/pq.

    If you specify a database name and it does not exist, the server will attempt to create it.

    If you only supply postgres:// as the endpoint, K3s will attempt to do the following:

    • Connect to localhost using postgres as the username and password
      • @@ -46,7 +46,7 @@
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/datastore/backup-restore.html b/datastore/backup-restore.html index 429e0c95b..fd1ddca41 100644 --- a/datastore/backup-restore.html +++ b/datastore/backup-restore.html @@ -2,23 +2,23 @@ - -Backup and Restore | K3s - - + +Backup and Restore | K3s + + -

    Backup and Restore

    The way K3s is backed up and restored depends on which type of datastore is used.

    +

    Backup and Restore

    The way K3s is backed up and restored depends on which type of datastore is used.

    warning

    In addition to backing up the datastore itself, you must also back up the server token file at /var/lib/rancher/k3s/server/token. You must restore this file, or pass its value into the --token option, when restoring from backup. If you do not use the same token value when restoring, the snapshot will be unusable, as the token is used to encrypt confidential data within the datastore itself.

    -

    Backup and Restore with SQLite

    +

    Backup and Restore with SQLite

    No special commands are required to back up or restore the SQLite datastore.

    • To back up the SQLite datastore, take a copy of /var/lib/rancher/k3s/server/db/.
    • To restore the SQLite datastore, restore the contents of /var/lib/rancher/k3s/server/db (and the token, as discussed above).
    -

    Backup and Restore with External Datastore

    +

    Backup and Restore with External Datastore

    When an external datastore is used, backup and restore operations are handled outside of K3s. The database administrator will need to back up the external database, or restore it from a snapshot or dump.

    We recommend configuring the database to take recurring snapshots.

    For details on taking database snapshots and restoring your database from them, refer to the official database documentation:

    @@ -27,8 +27,8 @@

    Official PostgreSQL documentation
  • Official etcd documentation
    • -

    Backup and Restore with Embedded etcd Datastore

    -

    See the k3s etcd-snapshot command documentation for information on performing backup and restore operations on the embedded etcd datastore.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +

    Backup and Restore with Embedded etcd Datastore

    +

    See the k3s etcd-snapshot command documentation for information on performing backup and restore operations on the embedded etcd datastore.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/datastore/cluster-loadbalancer.html b/datastore/cluster-loadbalancer.html index 8f104e4cb..538f3805e 100644 --- a/datastore/cluster-loadbalancer.html +++ b/datastore/cluster-loadbalancer.html @@ -2,15 +2,15 @@ - -Cluster Load Balancer | K3s - - + +Cluster Load Balancer | K3s + + -

    Cluster Load Balancer

    This section describes how to install an external load balancer in front of a High Availability (HA) K3s cluster's server nodes. Two examples are provided: Nginx and HAProxy.

    +

    Cluster Load Balancer

    This section describes how to install an external load balancer in front of a High Availability (HA) K3s cluster's server nodes. Two examples are provided: Nginx and HAProxy.

    tip

    External load-balancers should not be confused with the embedded ServiceLB, which is an embedded controller that allows for use of Kubernetes LoadBalancer Services without deploying a third-party load-balancer controller. For more details, see Service Load Balancer.

    External load-balancers can be used to provide a fixed registration address for registering nodes, or for external access to the Kubernetes API Server. For exposing LoadBalancer Services, external load-balancers can be used alongside or instead of ServiceLB, but in most cases, replacement load-balancer controllers such as MetalLB or Kube-VIP are a better choice.

    -

    Prerequisites

    +

    Prerequisites

    All nodes in this example are running Ubuntu 20.04.

    For both examples, assume that a HA K3s cluster with embedded etcd has been installed on 3 nodes.

    Each k3s server is configured with:

    @@ -32,7 +32,7 @@

    Prerequisites<
  • agent-2: 10.10.10.102
  • agent-3: 10.10.10.103
    • -

    Setup Load Balancer

    +

    Setup Load Balancer

    HAProxy is an open source option that provides a TCP load balancer. It also supports HA for the load balancer itself, ensuring redundancy at all levels. See HAProxy Documentation for more info.

    Additionally, we will use KeepAlived to generate a virtual IP (VIP) that will be used to access the cluster. See KeepAlived Documentation for more info.

    1. Install HAProxy and KeepAlived:
    sudo apt-get install haproxy keepalived
      @@ -43,13 +43,13 @@

      Setup Lo
    1. Restart HAProxy and KeepAlived on lb-1 and lb-2:

    systemctl restart haproxy
    systemctl restart keepalived
    1. On agent-1, agent-2, and agent-3, run the following command to install k3s and join the cluster:
      2. -
    curl -sfL https://get.k3s.io | K3S_TOKEN=lb-cluster-gd sh -s - agent --server https://10.10.10.100:6443

    You can now use kubectl from server node to interact with the cluster.

    root@server-1 $ k3s kubectl get nodes -A
    NAME       STATUS   ROLES                       AGE     VERSION
    agent-1    Ready    <none>                      32s     v1.27.3+k3s1
    agent-2    Ready    <none>                      20s     v1.27.3+k3s1
    agent-3    Ready    <none>                      9s      v1.27.3+k3s1
    server-1   Ready    control-plane,etcd,master   4m22s   v1.27.3+k3s1
    server-2   Ready    control-plane,etcd,master   3m58s   v1.27.3+k3s1
    server-3   Ready    control-plane,etcd,master   3m12s   v1.27.3+k3s1
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +
    curl -sfL https://get.k3s.io | K3S_TOKEN=lb-cluster-gd sh -s - agent --server https://10.10.10.98:6443

    You can now use kubectl from server node to interact with the cluster.

    root@server1 $ k3s kubectl get nodes -A
    NAME       STATUS   ROLES                       AGE     VERSION
    agent-1    Ready    <none>                      30s     v1.27.3+k3s1
    agent-2    Ready    <none>                      22s     v1.27.3+k3s1
    agent-3    Ready    <none>                      13s     v1.27.3+k3s1
    server-1   Ready    control-plane,etcd,master   4m49s   v1.27.3+k3s1
    server-2   Ready    control-plane,etcd,master   3m58s   v1.27.3+k3s1
    server-3   Ready    control-plane,etcd,master   3m16s   v1.27.3+k3s1
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/datastore/ha-embedded.html b/datastore/ha-embedded.html index 49d456eb2..f5b837577 100644 --- a/datastore/ha-embedded.html +++ b/datastore/ha-embedded.html @@ -2,13 +2,13 @@ - -High Availability Embedded etcd | K3s - - + +High Availability Embedded etcd | K3s + + -

    High Availability Embedded etcd

    warning

    Embedded etcd (HA) may have performance issues on slower disks such as Raspberry Pis running with SD cards.

    +

    High Availability Embedded etcd

    warning

    Embedded etcd (HA) may have performance issues on slower disks such as Raspberry Pis running with SD cards.

    Why An Odd Number Of Server Nodes?

    HA embedded etcd cluster must be comprised of an odd number of server nodes for etcd to maintain quorum. For a cluster with n servers, quorum is (n/2)+1. For any odd-sized cluster, adding one node will always increase the number of nodes necessary for quorum. Although adding a node to an odd-sized cluster appears better since there are more machines, the fault tolerance is worse since exactly the same number of nodes may fail without losing quorum but there are more nodes that can fail.

    An HA K3s cluster with embedded etcd is composed of:

      @@ -31,10 +31,10 @@
    • Flags controlling the deployment of certain components: --disable-helm-controller, --disable-kube-proxy, --disable-network-policy and any component passed to --disable
    • Feature related flags: --secrets-encryption
    -

    Existing single-node clusters

    +

    Existing single-node clusters

    Version Gate

    Available as of v1.22.2+k3s1

    If you have an existing cluster using the default embedded SQLite database, you can convert it to etcd by simply restarting your K3s server with the --cluster-init flag. Once you've done that, you'll be able to add additional instances as described above.

    -

    If an etcd datastore is found on disk either because that node has either initialized or joined a cluster already, the datastore arguments (--cluster-init, --server, --datastore-endpoint, etc) are ignored.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +

    If an etcd datastore is found on disk either because that node has either initialized or joined a cluster already, the datastore arguments (--cluster-init, --server, --datastore-endpoint, etc) are ignored.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/datastore/ha.html b/datastore/ha.html index aa20ab573..c3ad4b13f 100644 --- a/datastore/ha.html +++ b/datastore/ha.html @@ -2,13 +2,13 @@ - -High Availability External DB | K3s - - + +High Availability External DB | K3s + + -

    High Availability External DB

    This section describes how to install a high-availability K3s cluster with an external database.

    +

    High Availability External DB

    This section describes how to install a high-availability K3s cluster with an external database.

    note

    To rapidly deploy large HA clusters, see Related Projects

    Single server clusters can meet a variety of use cases, but for environments where uptime of the Kubernetes control plane is critical, you can run K3s in an HA configuration. An HA K3s cluster is composed of:

      @@ -18,11 +18,11 @@
    • Optional: A fixed registration address for agent nodes to register with the cluster

    For more details on how these components work together, refer to the architecture section.

    -

    Installation Outline

    +

    Installation Outline

    Setting up an HA cluster requires the following steps:

    -

    1. Create an External Datastore

    +

    1. Create an External Datastore

    You will first need to create an external datastore for the cluster. See the Cluster Datastore Options documentation for more details.

    -

    2. Launch Server Nodes

    +

    2. Launch Server Nodes

    K3s requires two or more server nodes for this HA configuration. See the Requirements guide for minimum machine requirements.

    When running the k3s server command on these nodes, you must set the datastore-endpoint parameter so that K3s knows how to connect to the external datastore. The token parameter can also be used to set a deterministic token when adding nodes. When empty, this token will be generated automatically for further use.

    For example, a command like the following could be used to install the K3s server with a MySQL database as the external datastore and set a token:

    @@ -32,7 +32,7 @@

    2. Lau
    note

    The same installation options available to single-server installs are also available for high-availability installs. For more details, see the Configuration Options documentation.

    By default, server nodes will be schedulable and thus your workloads can get launched on them. If you wish to have a dedicated control plane where no user workloads will run, you can use taints. The node-taint parameter will allow you to configure nodes with taints, for example --node-taint CriticalAddonsOnly=true:NoExecute.

    Once you've launched the k3s server process on all server nodes, ensure that the cluster has come up properly with k3s kubectl get nodes. You should see your server nodes in the Ready state.

    -

    3. Optional: Join Additional Server Nodes

    +

    3. Optional: Join Additional Server Nodes

    The same example command in Step 2 can be used to join additional server nodes, where the token from the first node needs to be used.

    If the first server node was started without the --token CLI flag or K3S_TOKEN variable, the token value can be retrieved from any server already joined to the cluster:

    cat /var/lib/rancher/k3s/server/token
    @@ -45,7 +45,7 @@

    note

    Ensure that you retain a copy of this token as it is required when restoring from backup and adding nodes. Previously, K3s did not enforce the use of a token when using external SQL datastores.

    -

    4. Optional: Configure a Fixed Registration Address

    +

    4. Optional: Configure a Fixed Registration Address

    Agent nodes need a URL to register against. This can be the IP or hostname of any server node, but in many cases those may change over time. For example, if running your cluster in a cloud that supports scaling groups, nodes may be created and destroyed over time, changing to different IPs from the initial set of server nodes. It would be best to have a stable endpoint in front of the server nodes that will not change over time. This endpoint can be set up using any number approaches, such as:

    • A layer-4 (TCP) load balancer
      • @@ -55,10 +55,10 @@

      Cluster Loadbalancer for example configurations.

      This endpoint can also be used for accessing the Kubernetes API. So you can, for example, modify your kubeconfig file to point to it instead of a specific node.

      To avoid certificate errors in such a configuration, you should configure the server with the --tls-san=YOUR_IP_OR_HOSTNAME_HERE option. This option adds an additional hostname or IP as a Subject Alternative Name in the TLS cert, and it can be specified multiple times if you would like to access via both the IP and the hostname.

      -

      5. Optional: Join Agent Nodes

      +

      5. Optional: Join Agent Nodes

      Because K3s server nodes are schedulable by default, agent nodes are not required for a HA K3s cluster. However, you may wish to have dedicated agent nodes to run your apps and services.

      Joining agent nodes in an HA cluster is the same as joining agent nodes in a single server cluster. You just need to specify the URL the agent should register to (either one of the server IPs or a fixed registration address) and the token it should use.

      -
      K3S_TOKEN=SECRET k3s agent --server https://server-or-fixed-registration-address:6443
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/faq.html b/faq.html index 96c5b0e03..f7ee5cf3c 100644 --- a/faq.html +++ b/faq.html @@ -2,24 +2,24 @@ - -FAQ | K3s - - + +FAQ | K3s + + -

    FAQ

    The FAQ is updated periodically and designed to answer the questions our users most frequently ask about K3s.

    -

    Is K3s a suitable replacement for Kubernetes?

    +

    FAQ

    The FAQ is updated periodically and designed to answer the questions our users most frequently ask about K3s.

    +

    Is K3s a suitable replacement for Kubernetes?

    K3s is a CNCF-certified Kubernetes distribution, and can do everything required of a standard Kubernetes cluster. It is just a more lightweight version. See the main docs page for more details.

    -

    How can I use my own Ingress instead of Traefik?

    +

    How can I use my own Ingress instead of Traefik?

    Simply start K3s server with --disable=traefik and deploy your ingress.

    -

    Does K3s support Windows?

    +

    Does K3s support Windows?

    At this time K3s does not natively support Windows, however we are open to the idea in the future.

    -

    What exactly are Servers and Agents?

    +

    What exactly are Servers and Agents?

    For a breakdown on the components that make up a server and agent, see the Architecture page.

    -

    How can I build from source?

    +

    How can I build from source?

    Please reference the K3s BUILDING.md with instructions.

    -

    Where are the K3s logs?

    +

    Where are the K3s logs?

    The location of K3s logs will vary depending on how you run K3s and the node's OS.

    • When run from the command line, logs are sent to stdout and stderr.
      • @@ -33,14 +33,14 @@

      Where Since K3s runs all Kubernetes components within a single process, it is not possible to configure different log levels or destinations for individual Kubernetes components. Use of the -v=<level> or --vmodule=<module>=<level> component args will likely not have the desired effect.

      See Additional Logging Sources for even more log options.

      -

      Can I run K3s in Docker?

      +

      Can I run K3s in Docker?

      Yes, there are multiple ways to run K3s in Docker. See Advanced Options for more details.

      -

      What is the difference between K3s Server and Agent Tokens?

      +

      What is the difference between K3s Server and Agent Tokens?

      For more information on managing K3s join tokens, see the k3s token command documentation.

      -

      How compatible are different versions of K3s?

      +

      How compatible are different versions of K3s?

      In general, the Kubernetes version skew policy applies.

      In short, servers can be newer than agents, but agents cannot be newer than servers.

      -

      I'm having an issue, where can I get help?

      +

      I'm having an issue, where can I get help?

      If you are having an issue with deploying K3s, you should:

      1. @@ -60,7 +60,7 @@

        New Issue on the K3s Github describing your setup and the issue you are experiencing.

        2. -
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/helm.html b/helm.html index 73b6e9893..87c4ce07b 100644 --- a/helm.html +++ b/helm.html @@ -2,32 +2,32 @@ - -Helm | K3s - - + +Helm | K3s + + -

    Helm

    Helm is the package management tool of choice for Kubernetes. Helm charts provide templating syntax for Kubernetes YAML manifest documents. With Helm, developers or cluster administrators can create configurable templates known as Charts, instead of just using static manifests. For more information about creating your own Chart catalog, check out the docs at https://helm.sh/docs/intro/quickstart/.

    +

    Helm

    Helm is the package management tool of choice for Kubernetes. Helm charts provide templating syntax for Kubernetes YAML manifest documents. With Helm, developers or cluster administrators can create configurable templates known as Charts, instead of just using static manifests. For more information about creating your own Chart catalog, check out the docs at https://helm.sh/docs/intro/quickstart/.

    K3s does not require any special configuration to support Helm. Just be sure you have properly set the kubeconfig path as per the cluster access documentation.

    K3s includes a Helm Controller that manages installing, upgrading/reconfiguring, and uninstalling Helm charts using a HelmChart Custom Resource Definition (CRD). Paired with auto-deploying AddOn manifests, installing a Helm chart on your cluster can be automated by creating a single file on disk.

    -

    Using the Helm Controller

    +

    Using the Helm Controller

    The HelmChart Custom Resource captures most of the options you would normally pass to the helm command-line tool. Here's an example of how you might deploy Apache from the Bitnami chart repository, overriding some of the default chart values. Note that the HelmChart resource itself is in the kube-system namespace, but the chart's resources will be deployed to the web namespace, which is created in the same manifest. This can be useful if you want to keep your HelmChart resources separated from the the resources they deploy.

    apiVersion: v1
    kind: Namespace
    metadata:
      name: web
    ---
    apiVersion: helm.cattle.io/v1
    kind: HelmChart
    metadata:
      name: apache
      namespace: kube-system
    spec:
      repo: https://charts.bitnami.com/bitnami
      chart: apache
      targetNamespace: web
      valuesContent: |-
        service:
          type: ClusterIP
        ingress:
          enabled: true
          hostname: www.example.com
        metrics:
          enabled: true

    An example of deploying a helm chart from a private repo with authentication:

    apiVersion: helm.cattle.io/v1
    kind: HelmChart
    metadata:
      namespace: kube-system
      name: example-app
    spec:
      targetNamespace: example-space
      createNamespace: true
      version: v1.2.3
      chart: example-app
      repo: https://secure-repo.example.com
      authSecret:
        name: example-repo-auth
      repoCAConfigMap:
        name: example-repo-ca
      valuesContent: |-
        image:
          tag: v1.2.2
    ---
    apiVersion: v1
    kind: Secret
    metadata:
      namespace: kube-system
      name: example-repo-auth
    type: kubernetes.io/basic-auth
    stringData:
      username: user
      password: pass
    ---
    apiVersion: v1
    kind: ConfigMap
    metadata:
      namespace: kube-system
      name: example-repo-ca
    data:
      ca.crt: |-
        -----BEGIN CERTIFICATE-----
        <YOUR CERTIFICATE>
        -----END CERTIFICATE-----
    -

    HelmChart Field Definitions

    +

    HelmChart Field Definitions

    FieldDefaultDescriptionHelm Argument / Flag Equivalent
    metadata.nameHelm Chart nameNAME
    spec.chartHelm Chart name in repository, or complete HTTPS URL to chart archive (.tgz)CHART
    spec.targetNamespacedefaultHelm Chart target namespace--namespace
    spec.createNamespacefalseCreate target namespace if not present--create-namespace
    spec.versionHelm Chart version (when installing from repository)--version
    spec.repoHelm Chart repository URL--repo
    spec.repoCAVerify certificates of HTTPS-enabled servers using this CA bundle. Should be a string containing one or more PEM-encoded CA Certificates.--ca-file
    spec.repoCAConfigMapReference to a ConfigMap containing CA Certificates to be be trusted by Helm. Can be used along with or instead of repoCA--ca-file
    spec.helmVersionv3Helm version to use (v2 or v3)
    spec.bootstrapFalseSet to True if this chart is needed to bootstrap the cluster (Cloud Controller Manager, etc)
    spec.setOverride simple default Chart values. These take precedence over options set via valuesContent.--set / --set-string
    spec.jobImageSpecify the image to use when installing the helm chart. E.g. rancher/klipper-helm:v0.3.0 .
    spec.backOffLimit1000Specify the number of retries before considering a job failed.
    spec.timeout300sTimeout for Helm operations, as a duration string (300s, 10m, 1h, etc)--timeout
    spec.failurePolicyreinstallSet to abort which case the Helm operation is aborted, pending manual intervention by the operator.
    spec.authSecretReference to Secret of type kubernetes.io/basic-auth holding Basic auth credentials for the Chart repo.
    spec.authPassCredentialsfalsePass Basic auth credentials to all domains.--pass-credentials
    spec.dockerRegistrySecretReference to Secret of type kubernetes.io/dockerconfigjson holding Docker auth credentials for the OCI-based registry acting as the Chart repo.
    spec.valuesContentOverride complex default Chart values via YAML file content--values
    spec.chartContentBase64-encoded chart archive .tgz - overrides spec.chartCHART

    Content placed in /var/lib/rancher/k3s/server/static/ can be accessed anonymously via the Kubernetes APIServer from within the cluster. This URL can be templated using the special variable %{KUBERNETES_API}% in the spec.chart field. For example, the packaged Traefik component loads its chart from https://%{KUBERNETES_API}%/static/charts/traefik-12.0.000.tgz.

    note

    The name field should follow the Helm chart naming conventions. Refer to the Helm Best Practices documentation to learn more.

    -

    Customizing Packaged Components with HelmChartConfig

    +

    Customizing Packaged Components with HelmChartConfig

    To allow overriding values for packaged components that are deployed as HelmCharts (such as Traefik), K3s supports customizing deployments via a HelmChartConfig resources. The HelmChartConfig resource must match the name and namespace of its corresponding HelmChart, and it supports providing additional valuesContent, which is passed to the helm command as an additional value file.

    note

    HelmChart spec.set values override HelmChart and HelmChartConfig spec.valuesContent settings.

    For example, to customize the packaged Traefik ingress configuration, you can create a file named /var/lib/rancher/k3s/server/manifests/traefik-config.yaml and populate it with the following content:

    apiVersion: helm.cattle.io/v1
    kind: HelmChartConfig
    metadata:
      name: traefik
      namespace: kube-system
    spec:
      valuesContent: |-
        image:
          name: traefik
          tag: 2.9.10
        ports:
          web:
            forwardedHeaders:
              trustedIPs:
                - 10.0.0.0/8
    -

    Migrating from Helm v2

    +

    Migrating from Helm v2

    K3s can handle either Helm v2 or Helm v3. If you wish to migrate to Helm v3, this blog post by Helm explains how to use a plugin to successfully migrate. Refer to the official Helm 3 documentation here for more information. Just be sure you have properly set your kubeconfig as per the section about cluster access.

    -
    note

    Helm 3 no longer requires Tiller and the helm init command. Refer to the official documentation for details.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +
    note

    Helm 3 no longer requires Tiller and the helm init command. Refer to the official documentation for details.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/index.html b/index.html index 8dd94ba74..1aa9e439c 100644 --- a/index.html +++ b/index.html @@ -2,13 +2,13 @@ - -K3s - Lightweight Kubernetes | K3s - - + +K3s - Lightweight Kubernetes | K3s + + -

    Lightweight Kubernetes. Easy to install, half the memory, all in a binary of less than 100 MB.

    +

    Lightweight Kubernetes. Easy to install, half the memory, all in a binary of less than 100 MB.

    Great for:

    • Edge
      • @@ -21,7 +21,7 @@
    • Embedded K8s
    • Situations where a PhD in K8s clusterology is infeasible
    -

    What is K3s?

    +

    What is K3s?

    K3s is a fully compliant Kubernetes distribution with the following enhancements:

    • Distributed as a single binary or minimal container image.
      • @@ -45,7 +45,7 @@

      What is K3s?

    What's with the name?

    -

    We wanted an installation of Kubernetes that was half the size in terms of memory footprint. Kubernetes is a 10-letter word stylized as K8s. So something half as big as Kubernetes would be a 5-letter word stylized as K3s. There is no long form of K3s and no official pronunciation.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +

    We wanted an installation of Kubernetes that was half the size in terms of memory footprint. Kubernetes is a 10-letter word stylized as K8s. So something half as big as Kubernetes would be a 5-letter word stylized as K3s. There is no long form of K3s and no official pronunciation.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/installation.html b/installation.html index ebf42baca..aeb0d1020 100644 --- a/installation.html +++ b/installation.html @@ -2,20 +2,20 @@ - -Installation | K3s - - + +Installation | K3s + + -

    Installation

    This section contains instructions for installing K3s in various environments. Please ensure you have met the Requirements before you begin installing K3s.

    +

    Installation

    This section contains instructions for installing K3s in various environments. Please ensure you have met the Requirements before you begin installing K3s.

    Configuration Options provides guidance on the options available to you when installing K3s.

    Private Registry Configuration covers use of registries.yaml to configure container image registry mirrors.

    Embedded Mirror shows how to enable the embedded distributed image registry mirror.

    Air-Gap Install details how to set up K3s in environments that do not have direct access to the Internet.

    Managing Server Roles details how to set up K3s with dedicated control-plane or etcd servers.

    Managing Packaged Components details how to disable packaged components, or install your own using auto-deploying manifests.

    -

    Uninstalling K3s details how to remove K3s from a host.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +

    Uninstalling K3s details how to remove K3s from a host.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/installation/airgap.html b/installation/airgap.html index e8070242a..4a35100c6 100644 --- a/installation/airgap.html +++ b/installation/airgap.html @@ -2,70 +2,70 @@ - -Air-Gap Install | K3s - - + +Air-Gap Install | K3s + + -

    Air-Gap Install

    You can install K3s in an air-gapped environment using two different methods. An air-gapped environment is any environment that is not directly connected to the Internet. You can either deploy a private registry and mirror docker.io, or you can manually deploy images such as for small clusters.

    -

    Load Images

    -

    Private Registry Method

    +

    Air-Gap Install

    You can install K3s in an air-gapped environment using two different methods. An air-gapped environment is any environment that is not directly connected to the Internet. You can either deploy a private registry and mirror docker.io, or you can manually deploy images such as for small clusters.

    +

    Load Images

    +

    Private Registry Method

    These steps assume you have already created nodes in your air-gap environment, are using the bundled containerd as the container runtime, and have a OCI-compliant private registry available in your environment.

    If you have not yet set up a private Docker registry, refer to the official Registry documentation.

    -

    Create the Registry YAML and Push Images

    +

    Create the Registry YAML and Push Images

    1. Obtain the images archive for your architecture from the releases page for the version of K3s you will be running.
    2. Use docker image load k3s-airgap-images-amd64.tar.zst to import images from the tar file into docker.
    3. Use docker tag and docker push to retag and push the loaded images to your private registry.
    4. Follow the Private Registry Configuration guide to create and configure the registries.yaml file.
      5. -
    5. Proceed to the Install K3s section below.
      6. +
    6. Proceed to the Install K3s section below.
    -

    Manually Deploy Images Method

    +

    Manually Deploy Images Method

    These steps assume you have already created nodes in your air-gap environment, are using the bundled containerd as the container runtime, and cannot or do not want to use a private registry.

    This method requires you to manually deploy the necessary images to each node, and is appropriate for edge deployments where running a private registry is not practical.

    -

    Prepare the Images Directory and Airgap Image Tarball

    +

    Prepare the Images Directory and Airgap Image Tarball

    1. Obtain the images archive for your architecture from the releases page for the version of K3s you will be running.
    2. Download the imagess archive to the agent's images directory, for example:
    sudo mkdir -p /var/lib/rancher/k3s/agent/images/
    sudo curl -L -o /var/lib/rancher/k3s/agent/images/k3s-airgap-images-amd64.tar.zst "https://github.com/k3s-io/k3s/releases/download/v1.29.1-rc2%2Bk3s1/k3s-airgap-images-amd64.tar.zst"
      -
    1. Proceed to the Install K3s section below.
      2. +
    2. Proceed to the Install K3s section below.
    -

    Embedded Registry Mirror

    +

    Embedded Registry Mirror

    Version Gate

    The Embedded Registry Mirror is available as an experimental feature as of January 2024 releases: v1.26.13+k3s1, v1.27.10+k3s1, v1.28.6+k3s1, v1.29.1+k3s1

    K3s includes an embedded distributed OCI-compliant registry mirror. When enabled and properly configured, images available in the containerd image store on any node can be pulled by other cluster members without access to an external image registry.

    The mirrored images may be sourced from an upstream registry, registry mirror, or airgap image tarball. For more information on enabling the embedded distributed registry mirror, see the Embedded Registry Mirror documentation.

    -

    Install K3s

    -

    Prerequisites

    -

    Before installing K3s, complete the Private Registry Method or the Manually Deploy Images Method above to prepopulate the images that K3s needs to install.

    -

    Binaries

    +

    Install K3s

    +

    Prerequisites

    +

    Before installing K3s, complete the Private Registry Method or the Manually Deploy Images Method above to prepopulate the images that K3s needs to install.

    +

    Binaries

    • Download the K3s binary from the releases page, matching the same version used to get the airgap images. Place the binary in /usr/local/bin on each air-gapped node and ensure it is executable.
    • Download the K3s install script at get.k3s.io. Place the install script anywhere on each air-gapped node, and name it install.sh.
    -

    Default Network Route

    +

    Default Network Route

    If your nodes do not have an interface with a default route, a default route must be configured; even a black-hole route via a dummy interface will suffice. K3s requires a default route in order to auto-detect the node's primary IP, and for kube-proxy ClusterIP routing to function properly. To add a dummy route, do the following:

    ip link add dummy0 type dummy
    ip link set dummy0 up
    ip addr add 203.0.113.254/31 dev dummy0
    ip route add default via 203.0.113.255 dev dummy0 metric 1000

    When running the K3s script with the INSTALL_K3S_SKIP_DOWNLOAD environment variable, K3s will use the local version of the script and binary.

    -

    SELinux RPM

    +

    SELinux RPM

    If you intend to deploy K3s with SELinux enabled, you will need also install the appropriate k3s-selinux RPM on all nodes. The latest version of the RPM can be found here. For example, on CentOS 8:

    On internet accessible machine:
    curl -LO https://github.com/k3s-io/k3s-selinux/releases/download/v1.4.stable.1/k3s-selinux-1.4-1.el8.noarch.rpm

    # Transfer RPM to air-gapped machine
    On air-gapped machine:
    sudo yum install ./k3s-selinux-1.4-1.el8.noarch.rpm

    See the SELinux section for more information.

    -

    Installing K3s in an Air-Gapped Environment

    +

    Installing K3s in an Air-Gapped Environment

    You can install K3s on one or more servers as described below.

    To install K3s on a single server, simply do the following on the server node:

    INSTALL_K3S_SKIP_DOWNLOAD=true ./install.sh

    To add additional agents, do the following on each agent node:

    INSTALL_K3S_SKIP_DOWNLOAD=true K3S_URL=https://<SERVER_IP>:6443 K3S_TOKEN=<YOUR_TOKEN> ./install.sh
    note

    The token from the server is typically found at /var/lib/rancher/k3s/server/token.

    note

    K3s's --resolv-conf flag is passed through to the kubelet, which may help with configuring pod DNS resolution in air-gap networks where the host does not have upstream nameservers configured.

    -

    Upgrading

    -

    Install Script Method

    +

    Upgrading

    +

    Install Script Method

    Upgrading an air-gap environment can be accomplished in the following manner:

    1. Download the new air-gap images (tar file) from the releases page for the version of K3s you will be upgrading to. Place the tar in the /var/lib/rancher/k3s/agent/images/ directory on each @@ -74,12 +74,12 @@

      Instal with the same environment variables.

    2. Restart the K3s service (if not restarted automatically by installer).
    -

    Automated Upgrades Method

    +

    Automated Upgrades Method

    K3s supports automated upgrades. To enable this in air-gapped environments, you must ensure the required images are available in your private registry.

    You will need the version of rancher/k3s-upgrade that corresponds to the version of K3s you intend to upgrade to. Note, the image tag replaces the + in the K3s release with a - because Docker images do not support +.

    You will also need the versions of system-upgrade-controller and kubectl that are specified in the system-upgrade-controller manifest YAML that you will deploy. Check for the latest release of the system-upgrade-controller here and download the system-upgrade-controller.yaml to determine the versions you need to push to your private registry. For example, in release v0.4.0 of the system-upgrade-controller, these images are specified in the manifest YAML:

    rancher/system-upgrade-controller:v0.4.0
    rancher/kubectl:v0.17.0
    -

    Once you have added the necessary rancher/k3s-upgrade, rancher/system-upgrade-controller, and rancher/kubectl images to your private registry, follow the automated upgrades guide.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +

    Once you have added the necessary rancher/k3s-upgrade, rancher/system-upgrade-controller, and rancher/kubectl images to your private registry, follow the automated upgrades guide.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/installation/configuration.html b/installation/configuration.html index 304e38620..82ce40959 100644 --- a/installation/configuration.html +++ b/installation/configuration.html @@ -2,14 +2,14 @@ - -Configuration Options | K3s - - + +Configuration Options | K3s + + -

    Configuration Options

    This page focuses on the options that are commonly used when setting up K3s for the first time. Refer to the documentation on Advanced Options and Configuration and the server and agent command documentation for more in-depth coverage.

    -

    Configuration with install script

    +

    Configuration Options

    This page focuses on the options that are commonly used when setting up K3s for the first time. Refer to the documentation on Advanced Options and Configuration and the server and agent command documentation for more in-depth coverage.

    +

    Configuration with install script

    As mentioned in the Quick-Start Guide, you can use the installation script available at https://get.k3s.io to install K3s as a service on systemd and openrc based systems.

    You can use a combination of INSTALL_K3S_EXEC, K3S_ environment variables, and command flags to pass configuration to the service configuration. The prefixed environment variables, INSTALL_K3S_EXEC value, and trailing shell arguments are all persisted into the service configuration. @@ -19,9 +19,9 @@ 

    curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="agent --server https://k3s.example.com --token mypassword" sh -s -
    curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="agent" K3S_TOKEN="mypassword" sh -s - --server https://k3s.example.com
    curl -sfL https://get.k3s.io | K3S_URL=https://k3s.example.com sh -s - agent --token mypassword
    curl -sfL https://get.k3s.io | K3S_URL=https://k3s.example.com K3S_TOKEN=mypassword sh -s - # agent is assumed because of K3S_URL

    For details on all environment variables, see Environment Variables.

    -
    Note

    If you set configuration when running the install script, but do not set it again when re-running the install script, the original values will be lost.

    The contents of the configuration file are not managed by the install script. +

    Note

    If you set configuration when running the install script, but do not set it again when re-running the install script, the original values will be lost.

    The contents of the configuration file are not managed by the install script. If you want your configuration to be independent from the install script, you should use a configuration file instead of passing environment variables or arguments to the install script.

    -

    Configuration with binary

    +

    Configuration with binary

    As stated, the installation script is primarily concerned with configuring K3s to run as a service.
    If you choose to not use the script, you can run K3s simply by downloading the binary from our release page, placing it on your path, and executing it. This is not particularly useful for permanent installations, but may be useful when performing quick tests that do not merit managing K3s as a system service.

    curl -Lo /usr/local/bin/k3s https://github.com/k3s-io/k3s/releases/download/v1.26.5+k3s1/k3s; chmod a+x /usr/local/bin/k3s
    @@ -38,7 +38,7 @@

    Co --disable servicelb or --cluster-cidr=10.200.0.0/16 on your master node, but don't set it on other server nodes, the nodes will fail to join. They will print errors such as: failed to validate server configuration: critical configuration value mismatch. See the Server Configuration documentation (linked above) for more information on which flags must be set identically on server nodes.

    -

    Configuration File

    +

    Configuration File

    Version Gate

    Available as of v1.19.1+k3s1

    In addition to configuring K3s with environment variables and CLI arguments, K3s can also use a config file.

    By default, values present in a YAML file located at /etc/rancher/k3s/config.yaml will be used on install.

    @@ -49,7 +49,7 @@

    Configura

    In general, CLI arguments map to their respective YAML key, with repeatable CLI arguments being represented as YAML lists. Boolean flags are represented as true or false in the YAML file.

    It is also possible to use both a configuration file and CLI arguments. In these situations, values will be loaded from both sources, but CLI arguments will take precedence. For repeatable arguments such as --node-label, the CLI arguments will overwrite all values in the list.

    Finally, the location of the config file can be changed either through the CLI argument --config FILE, -c FILE, or the environment variable $K3S_CONFIG_FILE.

    -

    Multiple Config Files

    +

    Multiple Config Files

    Version Gate

    Available as of v1.21.0+k3s1

    Multiple configuration files are supported. By default, configuration files are read from /etc/rancher/k3s/config.yaml and /etc/rancher/k3s/config.yaml.d/*.yaml in alphabetical order.

    By default, the last value found for a given key will be used. A + can be appended to the key to append the value to the existing string or slice, instead of replacing it. All occurrences of this key in subsequent files will also require a + to prevent overwriting the accumulated value.

    @@ -57,7 +57,7 @@

    Multip 
    # config.yaml
    token: boop
    node-label:
      - foo=bar
      - bar=baz


    # config.yaml.d/test1.yaml
    write-kubeconfig-mode: 600
    node-taint:
      - alice=bob:NoExecute

    # config.yaml.d/test2.yaml
    write-kubeconfig-mode: 777
    node-label:
      - other=what
      - foo=three
    node-taint+:
      - charlie=delta:NoSchedule

    This results in a final configuration of:

    write-kubeconfig-mode: 777
    token: boop
    node-label:
      - other=what
      - foo=three
    node-taint:
      - alice=bob:NoExecute
      - charlie=delta:NoSchedule
    -

    Putting it all together

    +

    Putting it all together

    All of the above options can be combined into a single example.

    A config.yaml file is created at /etc/rancher/k3s/config.yaml:

    token: "secret"
    debug: true
    @@ -71,7 +71,7 @@

    Putt
  • Flannel backend set to none
  • The token set to secret
  • Debug logging enabled
    • -

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/installation/packaged-components.html b/installation/packaged-components.html index 7ad16ef33..0a303c126 100644 --- a/installation/packaged-components.html +++ b/installation/packaged-components.html @@ -2,21 +2,21 @@ - -Managing Packaged Components | K3s - - + +Managing Packaged Components | K3s + + -

    Managing Packaged Components

    Auto-Deploying Manifests (AddOns)

    +

    Managing Packaged Components

    Auto-Deploying Manifests (AddOns)

    On server nodes, any file found in /var/lib/rancher/k3s/server/manifests will automatically be deployed to Kubernetes in a manner similar to kubectl apply, both on startup and when the file is changed on disk. Deleting files out of this directory will not delete the corresponding resources from the cluster.

    Manifests are tracked as AddOn custom resources in the kube-system namespace. Any errors or warnings encountered when applying the manifest file may seen by using kubectl describe on the corresponding AddOn, or by using kubectl get event -n kube-system to view all events for that namespace, including those from the deploy controller.

    -

    Packaged Components

    +

    Packaged Components

    K3s comes with a number of packaged components that are deployed as AddOns via the manifests directory: coredns, traefik, local-storage, and metrics-server. The embedded servicelb LoadBalancer controller does not have a manifest file, but can be disabled as if it were an AddOn for historical reasons.

    Manifests for packaged components are managed by K3s, and should not be altered. The files are re-written to disk whenever K3s is started, in order to ensure their integrity.

    -

    User AddOns

    +

    User AddOns

    You may place additional files in the manifests directory for deployment as an AddOn. Each file may contain multiple Kubernetes resources, delmited by the --- YAML document separator. For more information on organizing resources in manifests, see the Managing Resources section of the Kubernetes documentation.

    -

    File Naming Requirements

    +

    File Naming Requirements

    The AddOn name for each file in the manifest directory is derived from the file basename. Ensure that all files within the manifests directory (or within any subdirectories) have names that are unique, and adhere to Kubernetes object naming restrictions. Care should also be taken not to conflict with names in use by the default K3s packaged components, even if those components are disabled.

    @@ -25,18 +25,18 @@

    Fil

    Failed to process config: failed to process /var/lib/rancher/k3s/server/manifests/example_manifest.yaml: Addon.k3s.cattle.io "example_manifest" is invalid: metadata.name: Invalid value: "example_manifest": a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')

    danger

    If you have multiple server nodes, and place additional AddOn manifests on more than one server, it is your responsibility to ensure that files stay in sync across those nodes. K3s does not sync AddOn content between nodes, and cannot guarantee correct behavior if different servers attempt to deploy conflicting manifests.

    -

    Disabling Manifests

    +

    Disabling Manifests

    There are two ways to disable deployment of specific content from the manifests directory.

    -

    Using the --disable flag

    +

    Using the --disable flag

    The AddOns for packaged components listed above, in addition to AddOns for any additional manifests placed in the manifests directory, can be disabled with the --disable flag. Disabled AddOns are actively uninstalled from the cluster, and the source files deleted from the manifests directory.

    For example, to disable traefik from being installed on a new cluster, or to uninstall it and remove the manifest from an existing cluster, you can start K3s with --disable=traefik. Multiple items can be disabled by separating their names with commas, or by repeating the flag.

    -

    Using .skip files

    +

    Using .skip files

    For any file under /var/lib/rancher/k3s/server/manifests, you can create a .skip file which will cause K3s to ignore the corresponding manifest. The contents of the .skip file do not matter, only its existence is checked. Note that creating a .skip file after an AddOn has already been created will not remove or otherwise modify it or the resources it created; the file is simply treated as if it did not exist.

    For example, creating an empty traefik.yaml.skip file in the manifests directory before K3s is started the first time, will cause K3s to skip deploying traefik.yaml:

    $ ls /var/lib/rancher/k3s/server/manifests
    ccm.yaml      local-storage.yaml  rolebindings.yaml  traefik.yaml.skip
    coredns.yaml  traefik.yaml

    $ kubectl get pods -A
    NAMESPACE     NAME                                     READY   STATUS    RESTARTS   AGE
    kube-system   local-path-provisioner-64ffb68fd-xx98j   1/1     Running   0          74s
    kube-system   metrics-server-5489f84d5d-7zwkt          1/1     Running   0          74s
    kube-system   coredns-85cb69466-vcq7j                  1/1     Running   0          74s

    If Traefik had already been deployed prior to creating the traefik.skip file, Traefik would stay as-is, and would not be affected by future updates when K3s is upgraded.

    -

    Helm AddOns

    -

    For information about managing Helm charts via auto-deploying manifests, refer to the section about Helm.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +

    Helm AddOns

    +

    For information about managing Helm charts via auto-deploying manifests, refer to the section about Helm.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/installation/private-registry.html b/installation/private-registry.html index 8ed0397ea..ae12709b9 100644 --- a/installation/private-registry.html +++ b/installation/private-registry.html @@ -2,13 +2,13 @@ - -Private Registry Configuration | K3s - - + +Private Registry Configuration | K3s + + -

    Private Registry Configuration

    Containerd can be configured to connect to private registries and use them to pull images as needed by the kubelet.

    +

    Private Registry Configuration

    Containerd can be configured to connect to private registries and use them to pull images as needed by the kubelet.

    Upon startup, K3s will check to see if /etc/rancher/k3s/registries.yaml exists. If so, the registry configuration contained in this file is used when generating the containerd configuration.

    • If you want to use a private registry as a mirror for a public registry such as docker.io, then you will need to configure registries.yaml on each node that you want to use the mirror.
      • @@ -16,7 +16,7 @@

    Note that server nodes are schedulable by default. If you have not tainted the server nodes and will be running workloads on them, please ensure you also create the registries.yaml file on each server as well.

    -

    Default Endpoint Fallback

    +

    Default Endpoint Fallback

    Containerd has an implicit "default endpoint" for all registries. The default endpoint is always tried as a last resort, even if there are other endpoints listed for that registry in registries.yaml. For example, when pulling registry.example.com:5000/rancher/mirrored-pause:3.6, containerd will use a default endpoint of https://registry.example.com:5000/v2.

    @@ -34,54 +34,54 @@

    De or if you wish to have only some nodes pull from the upstream registry.

    Disabling the default registry endpoint applies only to registries configured via registries.yaml. If the registry is not explicitly configured via mirror entry in registries.yaml, the default fallback behavior will still be used.

    -

    Registries Configuration File

    +

    Registries Configuration File

    The file consists of two top-level keys, with subkeys for each registry:

    mirrors:
      <REGISTRY>:
        endpoint:
          - https://<REGISTRY>/v2
    configs:
      <REGISTRY>:
        auth:
          username: <BASIC AUTH USERNAME>
          password: <BASIC AUTH PASSWORD>
          token: <BEARER TOKEN>
        tls:
          ca_file: <PATH TO SERVER CA>
          cert_file: <PATH TO CLIENT CERT>
          key_file: <PATH TO CLIENT KEY>
          insecure_skip_verify: <SKIP TLS CERT VERIFICATION BOOLEAN>
    -

    Mirrors

    +

    Mirrors

    The mirrors section defines the names and endpoints of registries, for example:

    mirrors:
      registry.example.com:
        endpoint:
          - "https://registry.example.com:5000"

    Each mirror must have a name and set of endpoints. When pulling an image from a registry, containerd will try these endpoint URLs, plus the default endpoint, and use the first working one.

    -

    Redirects

    +

    Redirects

    If the private registry is used as a mirror for another registry, such as when configuring a pull through cache, images pulls are transparently redirected to the listed endpoints. The original registry name is passed to the mirror endpoint via the ns query parameter.

    For example, if you have a mirror configured for docker.io:

    mirrors:
      docker.io:
        endpoint:
          - "https://registry.example.com:5000"

    Then pulling docker.io/rancher/mirrored-pause:3.6 will transparently pull the image as registry.example.com:5000/rancher/mirrored-pause:3.6.

    -

    Rewrites

    +

    Rewrites

    Each mirror can have a set of rewrites. Rewrites can change the name of an image based on regular expressions. This is useful if the organization/project structure in the private registry is different than the registry it is mirroring.

    For example, the following configuration would transparently pull the image docker.io/rancher/mirrored-pause:3.6 as registry.example.com:5000/mirrorproject/rancher-images/mirrored-pause:3.6:

    mirrors:
      docker.io:
        endpoint:
          - "https://registry.example.com:5000"
        rewrite:
          "^rancher/(.*)": "mirrorproject/rancher-images/$1"

    When using redirects and rewrites, images will still be stored under the original name. For example, crictl image ls will show docker.io/rancher/mirrored-pause:3.6 as available on the node, even though the image was pulled from the mirrored registry with a different name.

    -

    Configs

    +

    Configs

    The configs section defines the TLS and credential configuration for each mirror. For each mirror you can define auth and/or tls.

    The tls part consists of:

    DirectiveDescription
    cert_fileThe client certificate path that will be used to authenticate with the registry
    key_fileThe client key path that will be used to authenticate with the registry
    ca_fileDefines the CA certificate path to be used to verify the registry's server cert file
    insecure_skip_verifyBoolean that defines if TLS verification should be skipped for the registry

    The auth part consists of either username/password or authentication token:

    DirectiveDescription
    usernameuser name of the private registry basic auth
    passworduser password of the private registry basic auth
    authauthentication token of the private registry basic auth

    Below are basic examples of using private registries in different modes:

    -

    Wildcard Support

    +

    Wildcard Support

    Version Gate

    Wildcard support is available as of the March 2024 releases: v1.26.15+k3s1, v1.27.12+k3s1, v1.28.8+k3s1, v1.29.3+k3s1

    The "*" wildcard entry can be used in the mirrors and configs sections to provide default configuration for all registries. The default configuration will only be used if there is no specific entry for that registry. Note that the asterisk MUST be quoted.

    In the following example, a local registry mirror will be used for all registries. TLS verification will be disabled for all registries, except docker.io.

    mirrors:
      "*":
        endpoint:
          - "https://registry.example.com:5000"
    configs:
      "docker.io":
      "*":
        tls:
          insecure_skip_verify: true
    -

    With TLS

    +

    With TLS

    Below are examples showing how you may configure /etc/rancher/k3s/registries.yaml on each node when using TLS.

    mirrors:
      docker.io:
        endpoint:
          - "https://registry.example.com:5000"
    configs:
      "registry.example.com:5000":
        auth:
          username: xxxxxx # this is the registry username
          password: xxxxxx # this is the registry password
        tls:
          cert_file: # path to the cert file used in the registry
          key_file:  # path to the key file used in the registry
          ca_file:   # path to the ca file used in the registry
    -

    Without TLS

    +

    Without TLS

    Below are examples showing how you may configure /etc/rancher/k3s/registries.yaml on each node when not using TLS.

    mirrors:
      docker.io:
        endpoint:
          - "http://registry.example.com:5000"
    configs:
      "registry.example.com:5000":
        auth:
          username: xxxxxx # this is the registry username
          password: xxxxxx # this is the registry password

    In case of no TLS communication, you need to specify http:// for the endpoints, otherwise it will default to https.

    In order for the registry changes to take effect, you need to restart K3s on each node.

    -

    Troubleshooting Image Pulls

    +

    Troubleshooting Image Pulls

    When Kubernetes experiences problems pulling an image, the error displayed by the kubelet may only reflect the terminal error returned by the pull attempt made against the default endpoint, making it appear that the configured endpoints are not being used.

    Check the containerd log on the node at /var/lib/rancher/k3s/agent/containerd/containerd.log for detailed information on the root cause of the failure.

    -

    Adding Images to the Private Registry

    +

    Adding Images to the Private Registry

    Mirroring images to a private registry requires a host with Docker or other 3rd party tooling that is capable of pulling and pushing images.
    The steps below assume you have a host with dockerd and the docker CLI tools, and access to both docker.io and your private registry.

      @@ -92,7 +92,7 @@

      Edit this page
      Last updated on

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/installation/registry-mirror.html b/installation/registry-mirror.html index 6ab12d58b..5ebc9abf0 100644 --- a/installation/registry-mirror.html +++ b/installation/registry-mirror.html @@ -2,16 +2,16 @@ - -Embedded Registry Mirror | K3s - - + +Embedded Registry Mirror | K3s + + -

    Embedded Registry Mirror

    Version Gate

    The Embedded Registry Mirror is available as an experimental feature as of January 2024 releases: v1.26.13+k3s1, v1.27.10+k3s1, v1.28.6+k3s1, v1.29.1+k3s1

    +

    Embedded Registry Mirror

    Version Gate

    The Embedded Registry Mirror is available as an experimental feature as of January 2024 releases: v1.26.13+k3s1, v1.27.10+k3s1, v1.28.6+k3s1, v1.29.1+k3s1

    K3s embeds Spegel, a stateless distributed OCI registry mirror that allows peer-to-peer sharing of container images between nodes in a Kubernetes cluster. The distributed registry mirror is disabled by default.

    -

    Enabling The Distributed OCI Registry Mirror

    +

    Enabling The Distributed OCI Registry Mirror

    In order to enable the embedded registry mirror, server nodes must be started with the --embedded-registry flag, or with embedded-registry: true in the configuration file. This option enables the embedded mirror for use on all nodes in the cluster.

    When enabled at a cluster level, all nodes will host a local OCI registry on port 6443, @@ -21,10 +21,10 @@

    Requirements

    +

    Requirements

    When the embedded registry mirror is enabled, all nodes must be able to reach each other via their internal IP addresses, on TCP ports 5001 and 6443. If nodes cannot reach each other, it may take longer for images to be pulled, as the distributed registry will be tried first by containerd, before it falls back to other endpoints.

    -

    Enabling Registry Mirroring

    +

    Enabling Registry Mirroring

    Enabling mirroring for a registry allows a node to both pull images from that registry from other nodes, and share the registry's images with other nodes. If a registry is enabled for mirroring on some nodes, but not on others, only the nodes with the registry enabled will exchange images from that registry.

    In order to enable mirroring of images from an upstream container registry, nodes must have an entry in the mirrors section of registries.yaml for that registry. @@ -42,14 +42,14 @@ 

    mirrors:
      "*":

    If no registries are enabled for mirroring on a node, that node does not participate in the distributed registry in any capacity.

    For more information on the structure of the registries.yaml file, see Private Registry Configuration.

    -

    Default Endpoint Fallback

    +

    Default Endpoint Fallback

    By default, containerd will fall back to the default endpoint when pulling from registries with mirror endpoints configured. If you want to disable this, and only pull images from the configured mirrors and/or the embedded mirror, see the Default Endpoint Fallback section of the Private Registry Configuration documentation.

    Note that if you are using the --disable-default-endpoint option and want to allow pulling directly from a particular registry, while disallowing the rest, you can explicitly provide an endpoint in order to allow the image pull to fall back to the registry itself:

    mirrors:
      docker.io:           # no default endpoint, pulls will fail if not available on a node
      registry.k8s.io:     # no default endpoint, pulls will fail if not available on a node
      mirror.example.com:  # explicit default endpoint, can pull from upstream if not available on a node
        endpoint:
          - https://mirror.example.com
    -

    Latest Tag

    +

    Latest Tag

    When no tag is specified for a container image, the implicit default tag is latest. This tag is frequently updated to point at the most recent version of the image. Because this tag will point at a different revisions of an image depending on when it is pulled, the distributed registry will not pull the latest tag from @@ -59,12 +59,12 @@

    Latest Taglatest tag for a container image.

    Mirroring the latest tag can be enabled by setting the K3S_P2P_ENABLE_LATEST=true environment variable for the K3s service. This is unsupported and not recommended, for the reasons discussed above.

    -

    Security

    -

    Authentication

    +

    Security

    +

    Authentication

    Access to the embedded mirror's registry API requires a valid client certificate, signed by the cluster's client certificate authority.

    Access to the distributed hash table's peer-to-peer network requires a preshared key that is controlled by server nodes. Nodes authenticate each other using both the preshared key, and a certificate signed by the cluster certificate authority.

    -

    Potential Concerns

    +

    Potential Concerns

    warning

    The distributed registry is built on peer-to-peer principles, and assumes an equal level of privilege and trust between all cluster members. If this does not match your cluster's security posture, you should not enable the embedded distributed registry.

    The embedded registry may make available images that a node may not otherwise have access to. @@ -73,18 +73,18 @@

    Potential

    Users with access to push images into the containerd image store on one node may be able to use this to 'poison' the image for other cluster nodes, as other nodes will trust the tag advertised by the node, and use it without checking with the upstream registry. If image integrity is important, you should use image digests instead of tags, as the digest cannot be poisoned in this manner.

    -

    Sharing Air-gap or Manually Loaded Images

    +

    Sharing Air-gap or Manually Loaded Images

    Images sharing is controlled based on the source registry. Images loaded directly into containerd via air-gap tarballs, or loaded directly into containerd's image store using the ctr command line tool, will be shared between nodes if they are tagged as being from a registry that is enabled for mirroring.

    Note that the upstream registry that the images appear to come from does not actually have to exist or be reachable. For example, you could tag images as being from a fictitious upstream registry, and import those images into containerd's image store. You would then be able to pull those images from all cluster members, as long as that registry is listed in registries.yaml

    -

    Pushing Images

    +

    Pushing Images

    The embedded registry is read-only, and cannot be pushed to directly using docker push or other common tools that interact with OCI registries.

    Images can be manually made available via the embedded registry by running ctr -n k8s.io image pull to pull an image, or by loading image archives created by docker save via the ctr -n k8s.io image import command. -Note that the k8s.io namespace must be specified when managing images via ctr in order for them to be visible to the kubelet.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +Note that the k8s.io namespace must be specified when managing images via ctr in order for them to be visible to the kubelet.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/installation/requirements.html b/installation/requirements.html index 3d6e81c52..37fabc971 100644 --- a/installation/requirements.html +++ b/installation/requirements.html @@ -2,18 +2,18 @@ - -Requirements | K3s - - + +Requirements | K3s + + -

    Requirements

    K3s is very lightweight, but has some minimum requirements as outlined below.

    +

    Requirements

    K3s is very lightweight, but has some minimum requirements as outlined below.

    Whether you're configuring K3s to run in a container or as a native Linux service, each node running K3s should meet the following minimum requirements. These requirements are baseline for K3s and its packaged components, and do not include resources consumed by the workload itself.

    -

    Prerequisites

    +

    Prerequisites

    Two nodes cannot have the same hostname.

    If multiple nodes will have the same hostname, or if hostnames may be reused by an automated provisioning system, use the --with-node-id option to append a random suffix for each node, or devise a unique name to pass with --node-name or $K3S_NODE_NAME for each node you add to the cluster.

    -

    Architecture

    +

    Architecture

    K3s is available for the following architectures:

    • x86_64
      • @@ -22,47 +22,47 @@

      Architectures390x

    ARM64 Page Size

    Prior to May 2023 releases (v1.24.14+k3s1, v1.25.10+k3s1, v1.26.5+k3s1, v1.27.2+k3s1), on aarch64/arm64 systems, the kernel must use 4k pages. RHEL9, Ubuntu, Raspberry PI OS, and SLES all meet this requirement.

    -

    Operating Systems

    +

    Operating Systems

    K3s is expected to work on most modern Linux systems.

    Some OSs have additional setup requirements:

    -

    It is recommended to turn off firewalld:

    systemctl disable firewalld --now

    If you wish to keep firewalld enabled, by default, the following rules are required:

    firewall-cmd --permanent --add-port=6443/tcp #apiserver
    firewall-cmd --permanent --zone=trusted --add-source=10.42.0.0/16 #pods
    firewall-cmd --permanent --zone=trusted --add-source=10.43.0.0/16 #services
    firewall-cmd --reload

    Additional ports may need to be opened depending on your setup. See Inbound Rules for more information. If you change the default CIDR for pods or services, you will need to update the firewall rules accordingly.

    +

    It is recommended to turn off firewalld:

    systemctl disable firewalld --now

    If you wish to keep firewalld enabled, by default, the following rules are required:

    firewall-cmd --permanent --add-port=6443/tcp #apiserver
    firewall-cmd --permanent --zone=trusted --add-source=10.42.0.0/16 #pods
    firewall-cmd --permanent --zone=trusted --add-source=10.43.0.0/16 #services
    firewall-cmd --reload

    Additional ports may need to be opened depending on your setup. See Inbound Rules for more information. If you change the default CIDR for pods or services, you will need to update the firewall rules accordingly.

    For more information on which OSs were tested with Rancher managed K3s clusters, refer to the Rancher support and maintenance terms.

    -

    Hardware

    +

    Hardware

    Hardware requirements scale based on the size of your deployments. Minimum recommendations are outlined here.

    SpecMinimumRecommended
    CPU1 core2 cores
    RAM512 MB1 GB

    Resource Profiling captures the results of tests to determine minimum resource requirements for the K3s agent, the K3s server with a workload, and the K3s server with one agent. It also contains analysis about what has the biggest impact on K3s server and agent utilization, and how the cluster datastore can be protected from interference from agents and workloads.

    Raspberry Pi and embedded etcd

    If deploying K3s with embedded etcd on a Raspberry Pi, it is recommended that you use an external SSD. etcd is write intensive, and SD cards cannot handle the IO load.

    -

    Disks

    +

    Disks

    K3s performance depends on the performance of the database. To ensure optimal speed, we recommend using an SSD when possible. Disk performance will vary on ARM devices utilizing an SD card or eMMC.

    -

    Networking

    +

    Networking

    The K3s server needs port 6443 to be accessible by all nodes.

    The nodes need to be able to reach other nodes over UDP port 8472 when using the Flannel VXLAN backend, or over UDP port 51820 (and 51821 if IPv6 is used) when using the Flannel WireGuard backend. The node should not listen on any other port. K3s uses reverse tunneling such that the nodes make outbound connections to the server and all kubelet traffic runs through that tunnel. However, if you do not use Flannel and provide your own custom CNI, then the ports needed by Flannel are not needed by K3s.

    If you wish to utilize the metrics server, all nodes must be accessible to each other on port 10250.

    If you plan on achieving high availability with embedded etcd, server nodes must be accessible to each other on ports 2379 and 2380.

    Important

    The VXLAN port on nodes should not be exposed to the world as it opens up your cluster network to be accessed by anyone. Run your nodes behind a firewall/security group that disables access to port 8472.

    danger

    Flannel relies on the Bridge CNI plugin to create a L2 network that switches traffic. Rogue pods with NET_RAW capabilities can abuse that L2 network to launch attacks such as ARP spoofing. Therefore, as documented in the Kubernetes docs, please set a restricted profile that disables NET_RAW on non-trustable pods.

    -

    Inbound Rules for K3s Nodes

    +

    Inbound Rules for K3s Nodes

    ProtocolPortSourceDestinationDescription
    TCP2379-2380ServersServersRequired only for HA with embedded etcd
    TCP6443AgentsServersK3s supervisor and Kubernetes API Server
    UDP8472All nodesAll nodesRequired only for Flannel VXLAN
    TCP10250All nodesAll nodesKubelet metrics
    UDP51820All nodesAll nodesRequired only for Flannel Wireguard with IPv4
    UDP51821All nodesAll nodesRequired only for Flannel Wireguard with IPv6
    TCP5001All nodesAll nodesRequired only for embedded distributed registry (Spegel)
    TCP6443All nodesAll nodesRequired only for embedded distributed registry (Spegel)

    Typically, all outbound traffic is allowed.

    Additional changes to the firewall may be required depending on the OS used.

    -

    Large Clusters

    +

    Large Clusters

    Hardware requirements are based on the size of your K3s cluster. For production and large clusters, we recommend using a high-availability setup with an external database. The following options are recommended for the external database in production:

    • MySQL
    • PostgreSQL
    • etcd
    -

    CPU and Memory

    +

    CPU and Memory

    The following are the minimum CPU and memory requirements for nodes in a high-availability K3s server:

    Deployment SizeNodesVCPUSRAM
    SmallUp to 1024 GB
    MediumUp to 10048 GB
    LargeUp to 250816 GB
    X-LargeUp to 5001632 GB
    XX-Large500+3264 GB
    -

    Disks

    +

    Disks

    The cluster performance depends on database performance. To ensure optimal speed, we recommend always using SSD disks to back your K3s cluster. On cloud providers, you will also want to use the minimum size that allows the maximum IOPS.

    -

    Network

    +

    Network

    You should consider increasing the subnet size for the cluster CIDR so that you don't run out of IPs for the pods. You can do that by passing the --cluster-cidr option to K3s server upon starting.

    -

    Database

    +

    Database

    K3s supports different databases including MySQL, PostgreSQL, MariaDB, and etcd. See Cluster Datastore for more info.

    The following is a sizing guide for the database resources you need to run large clusters:

    -
    Deployment SizeNodesVCPUSRAM
    SmallUp to 1012 GB
    MediumUp to 10028 GB
    LargeUp to 250416 GB
    X-LargeUp to 500832 GB
    XX-Large500+1664 GB
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +
    Deployment SizeNodesVCPUSRAM
    SmallUp to 1012 GB
    MediumUp to 10028 GB
    LargeUp to 250416 GB
    X-LargeUp to 500832 GB
    XX-Large500+1664 GB
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/installation/server-roles.html b/installation/server-roles.html index 9c8fe1c87..ee2fa18fb 100644 --- a/installation/server-roles.html +++ b/installation/server-roles.html @@ -2,29 +2,29 @@ - -Managing Server Roles | K3s - - + +Managing Server Roles | K3s + + -

    Managing Server Roles

    Starting the K3s server with --cluster-init will run all control-plane components, including the apiserver, controller-manager, scheduler, and etcd. It is possible to disable specific components in order to split the control-plane and etcd roles on to separate nodes.

    +

    Managing Server Roles

    Starting the K3s server with --cluster-init will run all control-plane components, including the apiserver, controller-manager, scheduler, and etcd. It is possible to disable specific components in order to split the control-plane and etcd roles on to separate nodes.

    info

    This document is only relevant when using embedded etcd. When not using embedded etcd, all servers will have the control-plane role and run control-plane components.

    -

    Dedicated etcd Nodes

    +

    Dedicated etcd Nodes

    To create a server with only the etcd role, start K3s with all the control-plane components disabled:

    curl -fL https://get.k3s.io | sh -s - server --cluster-init --disable-apiserver --disable-controller-manager --disable-scheduler

    This first node will start etcd, and wait for additional etcd and/or control-plane nodes to join. The cluster will not be usable until you join an additional server with the control-plane components enabled.

    -

    Dedicated control-plane Nodes

    +

    Dedicated control-plane Nodes

    note

    A dedicated control-plane node cannot be the first server in the cluster; there must be an existing node with the etcd role before joining dedicated control-plane nodes.

    To create a server with only the control-plane role, start k3s with etcd disabled:

    curl -fL https://get.k3s.io | sh -s - server --token <token> --disable-etcd --server https://<etcd-only-node>:6443

    After creating dedicated server nodes, the selected roles will be visible in kubectl get node:

    $ kubectl get nodes
    NAME           STATUS   ROLES                       AGE     VERSION
    k3s-server-1   Ready    etcd                        5h39m   v1.20.4+k3s1
    k3s-server-2   Ready    control-plane,master        5h39m   v1.20.4+k3s1
    -

    Adding Roles To Existing Servers

    +

    Adding Roles To Existing Servers

    Roles can be added to existing dedicated nodes by restarting K3s with the disable flags removed. For example ,if you want to add the control-plane role to a dedicated etcd node, you can remove the --disable-apiserver --disable-controller-manager --disable-scheduler flags from the systemd unit or config file, and restart the service.

    -

    Configuration File Syntax

    +

    Configuration File Syntax

    As with all other CLI flags, you can use the Configuration File to disable components, instead of passing the options as CLI flags. For example, to create a dedicated etcd node, you can place the following values in /etc/rancher/k3s/config.yaml:

    -
    cluster-init: true
    disable-apiserver: true
    disable-controller-manager: true
    disable-scheduler: true
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +
    cluster-init: true
    disable-apiserver: true
    disable-controller-manager: true
    disable-scheduler: true
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/installation/uninstall.html b/installation/uninstall.html index 3fbdee704..d4896b39f 100644 --- a/installation/uninstall.html +++ b/installation/uninstall.html @@ -2,22 +2,22 @@ - -Uninstalling K3s | K3s - - + +Uninstalling K3s | K3s + + -

    Uninstalling K3s

    warning

    Uninstalling K3s deletes the local cluster data, configuration, and all of the scripts and CLI tools.
    +

    Uninstalling K3s

    warning

    Uninstalling K3s deletes the local cluster data, configuration, and all of the scripts and CLI tools.
    It does not remove any data from external datastores, or created by pods using external Kubernetes storage volumes.

    If you installed K3s using the installation script, a script to uninstall K3s was generated during installation.

    If you are planning on rejoining a node to an existing cluster after uninstalling and reinstalling, be sure to delete the node from the cluster to ensure that the node password secret is removed. See the Node Registration documentation for more information.

    -

    Uninstalling Servers

    +

    Uninstalling Servers

    To uninstall K3s from a server node, run:

    /usr/local/bin/k3s-uninstall.sh
    -

    Uninstalling Agents

    +

    Uninstalling Agents

    To uninstall K3s from an agent node, run:

    -
    /usr/local/bin/k3s-agent-uninstall.sh
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +
    /usr/local/bin/k3s-agent-uninstall.sh
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/known-issues.html b/known-issues.html index 69be56327..63c246933 100644 --- a/known-issues.html +++ b/known-issues.html @@ -2,24 +2,24 @@ - -Known Issues | K3s - - + +Known Issues | K3s + + -

    Known Issues

    The Known Issues are updated periodically and designed to inform you about any issues that may not be immediately addressed in the next upcoming release.

    -

    Snap Docker

    +

    Known Issues

    The Known Issues are updated periodically and designed to inform you about any issues that may not be immediately addressed in the next upcoming release.

    +

    Snap Docker

    If you plan to use K3s with docker, Docker installed via a snap package is not recommended as it has been known to cause issues running K3s.

    -

    Iptables

    +

    Iptables

    If you are running iptables v1.6.1 and older in nftables mode you might encounter issues. We recommend utilizing newer iptables (such as 1.6.1+) to avoid issues or running iptables legacy mode.

    update-alternatives --set iptables /usr/sbin/iptables-legacy
    update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy

    Iptables versions 1.8.0-1.8.4 have known issues that can cause K3s to fail. Several popular Linux distributions ship with these versions by default. One bug causes the accumulation of duplicate rules, which negatively affects the performance and stability of the node. See Issue #3117 for information on how to determine if you are affected by this problem.

    K3s includes a working version of iptables (v1.8.8) which functions properly. You can tell K3s to use its bundled version of iptables by starting K3s with the --prefer-bundled-bin option, or by uninstalling the iptables/nftables packages from your operating system.

    Version Gate

    The --prefer-bundled-bin flag is available starting with the 2022-12 releases (v1.26.0+k3s1, v1.25.5+k3s1, v1.24.9+k3s1, v1.23.15+k3s1).

    -

    Rootless Mode

    +

    Rootless Mode

    Running K3s with Rootless mode is experimental and has several known issues.

    -

    Upgrading Hardened Clusters from v1.24.x to v1.25.x

    +

    Upgrading Hardened Clusters from v1.24.x to v1.25.x

    Kubernetes removed PodSecurityPolicy from v1.25 in favor of Pod Security Standards. You can read more about PSS in the upstream documentation. For K3S, there are some manual steps that must be taken if any PodSecurityPolicy has been configured on the nodes.

    1. On all nodes, update the kube-apiserver-arg value to remove the PodSecurityPolicy admission-plugin. Add the following arg value instead: 'admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml', but do NOT restart or upgrade K3S yet. Below is an example of what a configuration file might look like after this update for the node to be hardened:
      2. @@ -36,7 +36,7 @@

      Upgrading Harde
      1. After the upgrade is complete, remove any remaining PSP resources from the cluster. In many cases, there may be PodSecurityPolicies and associated RBAC resources in custom files used for hardening within /var/lib/rancher/k3s/server/manifests/. Remove those resources and k3s will update automatically. Sometimes, due to timing, some of these may be left in the cluster, in which case you will need to delete them manually. If the Hardening Guide was previously followed, you should be able to delete them via the following:
      -
      # Get the resources associated with PSPs
      $ kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A | grep -i psp

      # Delete those resources:
      $ kubectl delete clusterrole.rbac.authorization.k8s.io/psp:restricted-psp clusterrole.rbac.authorization.k8s.io/psp:svclb-psp clusterrole.rbac.authorization.k8s.io/psp:system-unrestricted-psp clusterrolebinding.rbac.authorization.k8s.io/default:restricted-psp clusterrolebinding.rbac.authorization.k8s.io/system-unrestricted-node-psp-rolebinding && kubectl delete -n kube-system rolebinding.rbac.authorization.k8s.io/svclb-psp-rolebinding rolebinding.rbac.authorization.k8s.io/system-unrestricted-svc-acct-psp-rolebinding

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +
    # Get the resources associated with PSPs
    $ kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A | grep -i psp

    # Delete those resources:
    $ kubectl delete clusterrole.rbac.authorization.k8s.io/psp:restricted-psp clusterrole.rbac.authorization.k8s.io/psp:svclb-psp clusterrole.rbac.authorization.k8s.io/psp:system-unrestricted-psp clusterrolebinding.rbac.authorization.k8s.io/default:restricted-psp clusterrolebinding.rbac.authorization.k8s.io/system-unrestricted-node-psp-rolebinding && kubectl delete -n kube-system rolebinding.rbac.authorization.k8s.io/svclb-psp-rolebinding rolebinding.rbac.authorization.k8s.io/system-unrestricted-svc-acct-psp-rolebinding
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/kr/404.html b/kr/404.html index 64a30a9ff..8473deaea 100644 --- a/kr/404.html +++ b/kr/404.html @@ -2,13 +2,13 @@ - -K3s - - + +K3s + + -

    페이지를 찾을 수 없습니다

    찾으시려는 페이지를 찾을 수 없습니다.

    원래 링크의 출처인 사이트의 소유자에게 연락하여 링크가 끊어졌음을 알려주세요.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +

    페이지를 찾을 수 없습니다

    찾으시려는 페이지를 찾을 수 없습니다.

    원래 링크의 출처인 사이트의 소유자에게 연락하여 링크가 끊어졌음을 알려주세요.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/kr/advanced.html b/kr/advanced.html index 460fb4317..f4441760c 100644 --- a/kr/advanced.html +++ b/kr/advanced.html @@ -2,26 +2,26 @@ - -고급 옵션 / 설정 | K3s - - + +고급 옵션 / 설정 | K3s + + -

    고급 옵션 / 설정

    이 섹션에는 K3s를 실행하고 관리할 수 있는 다양한 방법과 K3s 사용을 위해 호스트 OS를 준비하는 데 필요한 단계를 설명하는 고급 정보가 포함되어 있습니다.

    -

    인증서 관리

    -

    인증 기관 인증서

    +

    고급 옵션 / 설정

    이 섹션에는 K3s를 실행하고 관리할 수 있는 다양한 방법과 K3s 사용을 위해 호스트 OS를 준비하는 데 필요한 단계를 설명하는 고급 정보가 포함되어 있습니다.

    +

    인증서 관리

    +

    인증 기관 인증서

    K3s는 첫 번째 서버 노드를 시작하는 동안 자체 서명된 CA(인증 기관) 인증서를 생성합니다. 이 CA 인증서는 10년 동안 유효하며 자동으로 갱신되지 않습니다.

    사용자 지정 CA 인증서 사용 또는 자체 서명 CA 인증서 갱신에 대한 자세한 내용은 k3s 인증서 rotate-ca 명령 설명서를 참조하세요.

    -

    클라이언트 및 서버 인증서

    +

    클라이언트 및 서버 인증서

    K3s 클라이언트 및 서버 인증서는 발급한 날로부터 365일 동안 유효합니다. 만료되었거나 만료 후 90일 이내에 만료된 인증서는 K3s를 시작할 때마다 자동으로 갱신됩니다.

    클라이언트 및 서버 인증서를 수동으로 로테이션하는 것에 대한 정보는 k3s 인증서 로테이션 명령 설명서를 참조하세요.

    -

    토큰 관리

    +

    토큰 관리

    기본적으로 K3s는 서버와 에이전트 모두에 단일 정적 토큰을 사용합니다. 이 토큰은 클러스터가 생성된 후에는 변경할 수 없습니다. 에이전트 조인에만 사용할 수 있는 두 번째 정적 토큰을 활성화하거나 자동으로 만료되는 임시 kubeadm 스타일 조인 토큰을 생성할 수 있습니다. 자세한 내용은 k3s token 명령어 설명서를 참고하세요.

    -

    HTTP 프록시 구성하기

    -

    HTTP 프록시를 통해서만 외부와 연결할 수 있는 환경에서 K3s를 실행하는 경우, K3s 시스템드 서비스에서 프록시 설정을 구성할 수 있습니다. 그러면 이 프록시 설정이 K3s에서 사용되어 내장 컨테이너와 kubelet에 전달됩니다.

    +

    HTTP 프록시 구성하기

    +

    HTTP 프록시를 통해서만 외부와 연결할 수 있는 환경에서 K3s를 실행하는 경우, K3s 시스템드 서비스에서 프록시 설정을 구성할 수 있습니다. 그러면 이 프록시 설정이 K3s에서 사용되어 내장 컨테이너와 kubelet에 전달됩니다.

    K3s 설치 스크립트는 자동으로 현재 셸에서 HTTP_PROXY, HTTPS_PROXYNO_PROXY 변수와 CONTAINERD_HTTP_PROXY, CONTAINERD_HTTPS_PROXYCONTAINERD_NO_PROXY 변수가 있는 경우 이를 systemd 서비스의 환경 파일에 작성합니다:

    • /etc/systemd/system/k3s.service.env
      • @@ -32,7 +32,7 @@ 

      HTTP_PROXY=http://your-proxy.example.com:8888
      HTTPS_PROXY=http://your-proxy.example.com:8888
      NO_PROXY=127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16

      K3s와 Kubelet에 영향을 주지 않고 컨테이너에 대한 프록시 설정을 구성하려면, 변수 앞에 CONTAINERD_를 붙이면 됩니다:

      CONTAINERD_HTTP_PROXY=http://your-proxy.example.com:8888
      CONTAINERD_HTTPS_PROXY=http://your-proxy.example.com:8888
      CONTAINERD_NO_PROXY=127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
      -

      컨테이너 런타임으로 Docker 사용

      +

      컨테이너 런타임으로 Docker 사용

      K3s는 업계 표준 컨테이너 런타임인 containerd를 포함하며 기본값으로 사용합니다. 쿠버네티스 1.24부터, kubelet은 더 이상 kubelet이 dockerd와 통신할 수 있도록 하는 컴포넌트인 dockershim을 포함하지 않습니다. K3s 1.24 이상에는 cri-dockerd가 포함되어 있어 이전 릴리즈의 K3s에서 원활하게 업그레이드하면서 Docker 컨테이너 런타임을 계속 사용할 수 있습니다.

      @@ -55,18 +55,18 @@ 

      $ sudo docker ps
      CONTAINER ID        IMAGE                     COMMAND                  CREATED              STATUS              PORTS               NAMES
      3e4d34729602        897ce3c5fc8f              "entry"                  About a minute ago   Up About a minute                       k8s_lb-port-443_svclb-traefik-jbmvl_kube-system_d46f10c6-073f-4c7e-8d7a-8e7ac18f9cb0_0
      bffdc9d7a65f        rancher/klipper-lb        "entry"                  About a minute ago   Up About a minute                       k8s_lb-port-80_svclb-traefik-jbmvl_kube-system_d46f10c6-073f-4c7e-8d7a-8e7ac18f9cb0_0
      436b85c5e38d        rancher/library-traefik   "/traefik --configfi…"   About a minute ago   Up About a minute                       k8s_traefik_traefik-758cd5fc85-2wz97_kube-system_07abe831-ffd6-4206-bfa1-7c9ca4fb39e7_0
      de8fded06188        rancher/pause:3.1         "/pause"                 About a minute ago   Up About a minute                       k8s_POD_svclb-traefik-jbmvl_kube-system_d46f10c6-073f-4c7e-8d7a-8e7ac18f9cb0_0
      7c6a30aeeb2f        rancher/pause:3.1         "/pause"                 About a minute ago   Up About a minute                       k8s_POD_traefik-758cd5fc85-2wz97_kube-system_07abe831-ffd6-4206-bfa1-7c9ca4fb39e7_0
      ae6c58cab4a7        9d12f9848b99              "local-path-provisio…"   About a minute ago   Up About a minute                       k8s_local-path-provisioner_local-path-provisioner-6d59f47c7-lncxn_kube-system_2dbd22bf-6ad9-4bea-a73d-620c90a6c1c1_0
      be1450e1a11e        9dd718864ce6              "/metrics-server"        About a minute ago   Up About a minute                       k8s_metrics-server_metrics-server-7566d596c8-9tnck_kube-system_031e74b5-e9ef-47ef-a88d-fbf3f726cbc6_0
      4454d14e4d3f        c4d3d16fe508              "/coredns -conf /etc…"   About a minute ago   Up About a minute                       k8s_coredns_coredns-8655855d6-rtbnb_kube-system_d05725df-4fb1-410a-8e82-2b1c8278a6a1_0
      c3675b87f96c        rancher/pause:3.1         "/pause"                 About a minute ago   Up About a minute                       k8s_POD_coredns-8655855d6-rtbnb_kube-system_d05725df-4fb1-410a-8e82-2b1c8278a6a1_0
      4b1fddbe6ca6        rancher/pause:3.1         "/pause"                 About a minute ago   Up About a minute                       k8s_POD_local-path-provisioner-6d59f47c7-lncxn_kube-system_2dbd22bf-6ad9-4bea-a73d-620c90a6c1c1_0
      64d3517d4a95        rancher/pause:3.1         "/pause"
      -

      etcdctl 사용하기

      +

      etcdctl 사용하기

      etcdctl은 etcd 서버와 상호 작용하기 위한 CLI를 제공합니다. K3s는 etcdctl을 번들로 제공하지 않습니다.

      etcdctl을 사용하여 K3s의 내장된 etcd와 상호 작용하려면 공식 문서를 참조하여 etcdctl을 설치하세요.

      ETCD_VERSION="v3.5.5"
      ETCD_URL="https://github.com/etcd-io/etcd/releases/download/${ETCD_VERSION}/etcd-${ETCD_VERSION}-linux-amd64.tar.gz"
      curl -sL ${ETCD_URL} | sudo tar -zxv --strip-components=1 -C /usr/local/bin

      그런 다음 인증에 K3s에서 관리하는 인증서 및 키를 사용하도록 etcdctl을 구성하여 사용할 수 있습니다:

      sudo etcdctl version \
        --cacert=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt \
        --cert=/var/lib/rancher/k3s/server/tls/etcd/client.crt \
        --key=/var/lib/rancher/k3s/server/tls/etcd/client.key
      -

      컨테이너 설정하기

      +

      컨테이너 설정하기

      K3s는 /var/lib/rancher/k3s/agent/etc/containerd/config.toml에 컨테이너에 대한 config.toml을 생성합니다.

      이 파일에 대한 고급 커스터마이징을 위해 같은 디렉터리에 config.toml.tmpl이라는 다른 파일을 생성하면 이 파일이 대신 사용된다.

      config.toml.tmpl은 Go 템플릿 파일로 취급되며, config.Node 구조가 템플릿으로 전달됩니다. 이 구조를 사용하여 구성 파일을 사용자 정의하는 방법에 대한 Linux 및 Windows 예제는 이 폴더를 참조하세요. config.Node Go 언어 구조체는 여기에 정의되어 있습니다.

      -

      NVIDIA 컨테이너 런타임 지원

      +

      NVIDIA 컨테이너 런타임 지원

      K3s는 K3s 시작 시 NVIDIA 컨테이너 런타임이 있으면 자동으로 감지하여 설정합니다.

      1. 아래의 안내에 따라 노드에 엔비디아 컨테이너 패키지 리포지토리를 설치합니다: @@ -81,21 +81,21 @@ 

        apiVersion: node.k8s.io/v1
        kind: RuntimeClass
        metadata:
          name: nvidia
        handler: nvidia
        ---
        apiVersion: v1
        kind: Pod
        metadata:
          name: nbody-gpu-benchmark
          namespace: default
        spec:
          restartPolicy: OnFailure
          runtimeClassName: nvidia
          containers:
            - name: cuda-container
              image: nvcr.io/nvidia/k8s/cuda-sample:nbody
              args: ["nbody", "-gpu", "-benchmark"]
              resources:
                limits:
                  nvidia.com/gpu: 1
              env:
                - name: NVIDIA_VISIBLE_DEVICES
                  value: all
                - name: NVIDIA_DRIVER_CAPABILITIES
                  value: all

    -

    엔비디아 컨테이너 런타임은 엔비디아 디바이스 플러그인GPU 기능 검색과 함께 자주 사용되며, 위에서 언급한 것처럼 파드 사양에 runtimeClassName: nvidia가 포함되도록 수정하여 별도로 설치해야 한다는 점에 유의하세요.

    -

    에이전트 없는 서버 실행하기(실험적)

    +

    엔비디아 컨테이너 런타임은 엔비디아 디바이스 플러그인GPU 기능 검색과 함께 자주 사용되며, 위에서 언급한 것처럼 파드 사양에 runtimeClassName: nvidia가 포함되도록 수정하여 별도로 설치해야 한다는 점에 유의하세요.

    +

    에이전트 없는 서버 실행하기(실험적)

    경고: 이 기능은 실험 단계입니다.

    disable-agent 플래그로 시작하면, 서버는 kubelet, 컨테이너 런타임 또는 CNI를 실행하지 않습니다. 클러스터에 노드 리소스를 등록하지 않으며, kubectl get nodes 출력에 나타나지 않습니다. 에이전트리스 서버는 kubelet을 호스트하지 않기 때문에, 파드를 실행하거나 내장된 etcd 컨트롤러 및 시스템 업그레이드 컨트롤러를 포함하여 클러스터 노드를 열거하는 데 의존하는 운영자가 관리할 수 없습니다.

    에이전트리스 서버를 실행하는 것은 클러스터 운영자 지원 부족으로 인한 관리 오버헤드 증가를 감수하고서라도 에이전트와 워크로드에 의한 검색으로부터 컨트롤 플레인 노드를 숨기고자 하는 경우에 유리할 수 있습니다.

    -

    루트리스 서버 실행(실험적)

    +

    루트리스 서버 실행(실험적)

    경고: 이 기능은 실험 단계입니다.

    루트리스 모드는 잠재적인 컨테이너 브레이크아웃 공격으로부터 호스트의 실제 루트를 보호하기 위해 권한이 없는 사용자로 K3s 서버를 실행할 수 있습니다.

    루트리스 쿠버네티스에 대한 자세한 내용은 https://rootlesscontaine.rs/ 을 참조하세요.

    -

    루트리스 모드의 알려진 이슈

    +

    루트리스 모드의 알려진 이슈

    • 포트

      @@ -113,7 +113,7 @@

      #6488을 참조하세요.

    -

    루트리스 서버 시작하기

    +

    루트리스 서버 시작하기

    • https://rootlesscontaine.rs/getting-started/common/cgroup2/ 을 참조하여 cgroup v2 위임을 활성화합니다. @@ -142,25 +142,25 @@

      고급 루트리스 구성

      +

      고급 루트리스 구성

      루트리스 K3s는 호스트와 사용자 네트워크 네임스페이스 간 통신을 위해 rootlesskitslirp4netns를 사용합니다. 루트리스킷과 slirp4net에서 사용하는 구성 중 일부는 환경 변수로 설정할 수 있습니다. 이를 설정하는 가장 좋은 방법은 k3s-rootless systemd 유닛의 Environment 필드에 추가하는 것입니다.

      -
      VariableDefaultDescription
      K3S_ROOTLESS_MTU1500slirp4netns 가상 인터페이스의 MTU를 설정합니다.
      K3S_ROOTLESS_CIDR10.41.0.0/16slirp4netns 가상 인터페이스에서 사용하는 CIDR을 설정합니다.
      K3S_ROOTLESS_ENABLE_IPV6autotedectedEnables slirp4netns IPv6 지원. 지정하지 않으면 K3가 듀얼 스택 작동을 위해 구성되면 자동으로 활성화됩니다.
      K3S_ROOTLESS_PORT_DRIVERbuiltin루트리스 포트 드라이버를 선택합니다. builtin 또는 slirp4netns 중 하나를 선택합니다. 빌트인이 더 빠르지만 인바운드 패킷의 원래 소스 주소를 가장합니다.
      K3S_ROOTLESS_DISABLE_HOST_LOOPBACKtrue게이트웨이 인터페이스를 통한 호스트의 루프백 주소에 대한 액세스를 사용할지 여부를 제어합니다. 보안상의 이유로 변경하지 않는 것이 좋습니다.
      -

      루트리스 문제 해결하기

      +
      VariableDefaultDescription
      K3S_ROOTLESS_MTU1500slirp4netns 가상 인터페이스의 MTU를 설정합니다.
      K3S_ROOTLESS_CIDR10.41.0.0/16slirp4netns 가상 인터페이스에서 사용하는 CIDR을 설정합니다.
      K3S_ROOTLESS_ENABLE_IPV6autotedectedEnables slirp4netns IPv6 지원. 지정하지 않으면 K3가 듀얼 스택 작동을 위해 구성되면 자동으로 활성화됩니다.
      K3S_ROOTLESS_PORT_DRIVERbuiltin루트리스 포트 드라이버를 선택합니다. builtin 또는 slirp4netns 중 하나를 선택합니다. 빌트인이 더 빠르지만 인바운드 패킷의 원래 소스 주소를 가장합니다.
      K3S_ROOTLESS_DISABLE_HOST_LOOPBACKtrue게이트웨이 인터페이스를 통한 호스트의 루프백 주소에 대한 액세스를 사용할지 여부를 제어합니다. 보안상의 이유로 변경하지 않는 것이 좋습니다.
      +

      루트리스 문제 해결하기

      • systemctl --user status k3s-rootless를 실행하여 데몬 상태를 확인합니다.
      • journalctl --user -f -u k3s-rootless를 실행하여 데몬 로그를 확인합니다.
      • https://rootlesscontaine.rs/ 참조
      -

      노드 레이블 및 테인트

      +

      노드 레이블 및 테인트

      K3s 에이전트는 --node-label--node-taint 옵션으로 구성할 수 있으며, 이 옵션은 kubelet에 레이블과 테인트를 추가합니다. 이 두 옵션은 [등록 시점에] 레이블 및/또는 테인트만 추가하므로(./cli/agent.md#node-labels-and-taints-for-agents), 노드가 클러스터에 처음 조인될 때만 설정할 수 있습니다.

      현재 모든 버전의 쿠버네티스는 노드가 kubernetes.iok8s.io 접두사가 포함된 대부분의 레이블, 특히 kubernetes.io/role 레이블에 등록하는 것을 제한합니다. 허용되지 않는 레이블을 가진 노드를 시작하려고 하면 K3s가 시작되지 않습니다. 쿠버네티스 작성자가 언급했듯이:

      -

      노드는 자체 역할 레이블을 어설트하는 것이 허용되지 않습니다. 노드 역할은 일반적으로 권한 또는 컨트롤 플레인 유형의 노드를 식별하는 데 사용되며, 노드가 해당 풀에 레이블을 지정하도록 허용하면 손상된 노드가 더 높은 권한 자격 증명에 대한 액세스 권한을 부여하는 워크로드(예: 컨트롤 플레인 데몬셋)를 사소하게 끌어들일 수 있습니다.

      +

      노드는 자체 역할 레이블을 어설트하는 것이 허용되지 않습니다. 노드 역할은 일반적으로 권한 또는 컨트롤 플레인 유형의 노드를 식별하는 데 사용되며, 노드가 해당 풀에 레이블을 지정하도록 허용하면 손상된 노드가 더 높은 권한 자격 증명에 대한 액세스 권한을 부여하는 워크로드(예: 컨트롤 플레인 데몬셋)를 사소하게 끌어들일 수 있습니다.

      자세한 내용은 SIG-Auth KEP 279를 참조하세요.

      노드 등록 후 노드 레이블과 틴트를 변경하거나 예약 레이블을 추가하려면 kubectl을 사용해야 합니다. taint노드 레이블을 추가하는 방법에 대한 자세한 내용은 쿠버네티스 공식 문서를 참고하세요.

      -

      설치 스크립트로 서비스 시작하기

      +

      설치 스크립트로 서비스 시작하기

      설치 스크립트는 설치 프로세스의 일부로 OS가 systemd 또는 openrc를 사용하는지 자동으로 감지하고 서비스를 활성화 및 시작합니다.

      • openrc로 실행하면 /var/log/k3s.log에 로그가 생성됩니다.
        • @@ -168,12 +168,12 @@ 

        curl -sfL https://get.k3s.io | INSTALL_K3S_SKIP_START=true INSTALL_K3S_SKIP_ENABLE=true sh -

    -

    추가 OS 준비 사항

    -

    이전 iptables 버전

    +

    추가 OS 준비 사항

    +

    이전 iptables 버전

    몇몇 유명 Linux 배포판에는 중복 규칙이 누적되어 노드의 성능과 안정성에 부정적인 영향을 주는 버그가 포함된 버전의 iptables가 포함되어 있습니다. 이 문제의 영향을 받는지 확인하는 방법에 대한 자세한 내용은 Issue #3117을 참조하세요.

    K3s에는 정상적으로 작동하는 iptables(v1.8.8) 버전이 포함되어 있습니다. --prefer-bundled-bin 옵션으로 K3s를 시작하거나 운영 체제에서 iptables/nftables 패키지를 제거하여 K3s가 번들 버전의 iptables를 사용하도록 설정할 수 있습니다.

    Version Gate

    prefer-bundled-bin 플래그는 2022-12 릴리스(v1.26.0+k3s1, v1.25.5+k3s1, v1.24.9+k3s1, v1.23.15+k3s1) 부터 사용할 수 있습니다.

    -

    Red Hat Enterprise Linux / CentOS

    +

    Red Hat Enterprise Linux / CentOS

    firewalld를 끄는 것이 좋습니다:

    systemctl disable firewalld --now

    방화벽을 사용하도록 설정하려면 기본적으로 다음 규칙이 필요합니다:

    @@ -181,36 +181,36 @@

    인바운드 규칙을 참조하세요. 파드 또는 서비스에 대한 기본 CIDR을 변경하는 경우, 그에 따라 방화벽 규칙을 업데이트해야 합니다.

    활성화된 경우, nm-cloud-setup을 비활성화하고 노드를 재부팅해야 합니다:

    systemctl disable nm-cloud-setup.service nm-cloud-setup.timer
    reboot
    -

    Ubuntu

    +

    Ubuntu

    ufw(uncomplicated firewall)를 끄는 것이 좋습니다:

    ufw disable

    ufw를 사용하도록 설정하려면 기본적으로 다음 규칙이 필요합니다:

    ufw allow 6443/tcp #apiserver
    ufw allow from 10.42.0.0/16 to any #pods
    ufw allow from 10.43.0.0/16 to any #services
    -

    설정에 따라 추가 포트를 열어야 할 수도 있습니다. 자세한 내용은 인바운드 규칙을 참조한다. 파드 또는 서비스에 대한 기본 CIDR을 변경하는 경우, 그에 따라 방화벽 규칙을 업데이트해야 합니다.

    -

    Raspberry Pi

    -

    라즈베리파이 OS는 데비안 기반이며, 오래된 iptables 버전으로 인해 문제가 발생할 수 있습니다. 해결 방법을 참조하세요.

    +

    설정에 따라 추가 포트를 열어야 할 수도 있습니다. 자세한 내용은 인바운드 규칙을 참조한다. 파드 또는 서비스에 대한 기본 CIDR을 변경하는 경우, 그에 따라 방화벽 규칙을 업데이트해야 합니다.

    +

    Raspberry Pi

    +

    라즈베리파이 OS는 데비안 기반이며, 오래된 iptables 버전으로 인해 문제가 발생할 수 있습니다. 해결 방법을 참조하세요.

    표준 라즈베리파이 OS 설치는 cgroups가 활성화된 상태에서 시작되지 않습니다. K3S는 systemd 서비스를 시작하기 위해 cgroups가 필요합니다. cgroups/boot/cmdline.txtcgroup_memory=1 cgroup_enable=memory를 추가하여 활성화할 수 있습니다.

    cmdline.txt 예시:

    console=serial0,115200 console=tty1 root=PARTUUID=58b06195-02 rootfstype=ext4 elevator=deadline fsck.repair=yes rootwait cgroup_memory=1 cgroup_enable=memory

    우분투 21.10부터 라즈베리파이의 vxlan 지원은 별도의 커널 모듈로 옮겨졌습니다.

    sudo apt install linux-modules-extra-raspi
    -

    Docker에서 k3s 실행하기

    +

    Docker에서 k3s 실행하기

    Docker에서 K3s를 실행하는 방법에는 여러 가지가 있습니다:

    k3d는 도커에서 멀티노드 K3s 클러스터를 쉽게 실행할 수 있도록 설계된 유틸리티입니다.

    k3d를 사용하면 쿠버네티스의 로컬 개발 등을 위해 도커에서 단일 노드 및 다중 노드 k3s 클러스터를 매우 쉽게 생성할 수 있습니다.

    k3d 설치 및 사용 방법에 대한 자세한 내용은 설치 설명서를 참조하세요.

    -

    SELinux 지원

    +

    SELinux 지원

    Version Gate

    v1.19.4+k3s1부터 사용 가능

    -

    기본적으로 SELinux가 활성화된 시스템(예로 CentOS)에 K3s를 설치하는 경우 적절한 SELinux 정책이 설치되어 있는지 확인해야 합니다.

    -

    에어 갭(폐쇄망) 설치를 수행하지 않는 경우 호환되는 시스템에서 설치 스크립트는 랜처 RPM 저장소에서 SELinux RPM을 자동으로 설치합니다. 자동 설치는 INSTALL_K3S_SKIP_SELINUX_RPM=true로 설정하여 건너뛸 수 있습니다.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/kr/architecture.html b/kr/architecture.html index cb211f0c8..9e82d315f 100644 --- a/kr/architecture.html +++ b/kr/architecture.html @@ -2,13 +2,13 @@ - -아키텍처 | K3s - - + +아키텍처 | K3s + + -

    아키텍처

    이 페이지에서는 고가용성 K3s 서버 클러스터의 아키텍처와 단일 노드 서버 클러스터와의 차이점에 대해 설명합니다.

    +

    아키텍처

    이 페이지에서는 고가용성 K3s 서버 클러스터의 아키텍처와 단일 노드 서버 클러스터와의 차이점에 대해 설명합니다.

    또한 에이전트 노드가 K3s 서버에 등록되는 방법도 설명합니다.

    • 서버 노드는 k3s server 명령을 실행하는 호스트로 정의되며, 컨트롤 플레인 및 데이터스토어 구성 요소는 K3s에서 관리합니다.
      • @@ -16,27 +16,27 @@
    • 서버와 에이전트 모두 kubelet, 컨테이너 런타임 및 CNI를 실행합니다. 에이전트 없는 서버 실행에 대한 자세한 내용은 고급 옵션 설명서를 참조하세요.

    -

    임베디드 DB가 있는 단일 서버 설정

    +

    임베디드 DB가 있는 단일 서버 설정

    다음 다이어그램은 임베디드 SQLite 데이터베이스가 있는 단일 노드 K3s 서버가 있는 클러스터의 예를 보여줍니다.

    이 구성에서 각 에이전트 노드는 동일한 서버 노드에 등록됩니다. K3s 사용자는 서버 노드에서 K3s API를 호출하여 쿠버네티스 리소스를 조작할 수 있습니다.

    K3s Architecture with a Single ServerK3s Architecture with a Single Server -

    외부 DB가 있는 고가용성 K3s 서버

    +

    외부 DB가 있는 고가용성 K3s 서버

    단일 서버 클러스터는 다양한 사용 사례를 충족할 수 있지만, Kubernetes 컨트롤 플레인의 가동 시간이 중요한 환경의 경우, HA 구성으로 K3s를 실행할 수 있습니다. HA K3s 클러스터는 다음과 같이 구성됩니다:

    • 두 개 이상의 서버 노드가 Kubernetes API를 제공하고 다른 컨트롤 플레인 서비스를 실행합니다.
    • 외부 데이터스토어(단일 서버 설정에 사용되는 임베디드 SQLite 데이터스토어와 반대)
    K3s Architecture with High-availability ServersK3s Architecture with High-availability Servers -

    에이전트 노드를 위한 고정 등록 주소

    +

    에이전트 노드를 위한 고정 등록 주소

    고가용성 서버 구성에서 각 노드는 아래 다이어그램과 같이 고정 등록 주소를 사용하여 Kubernetes API에 등록해야 합니다.

    등록 후 에이전트 노드는 서버 노드 중 하나에 직접 연결을 설정합니다.

    Agent Registration HAAgent Registration HA -

    에이전트 노드 등록 작동 방식

    +

    에이전트 노드 등록 작동 방식

    에이전트 노드는 k3s agent 프로세스에 의해 시작된 웹소켓 연결로 등록되며, 에이전트 프로세스의 일부로 실행되는 클라이언트 측 로드밸런서에 의해 연결이 유지됩니다. 이 로드 밸런서는 클러스터의 모든 서버에 대한 안정적인 연결을 유지하여 개별 서버의 중단을 허용하는 에이전시 서버에 대한 연결을 제공합니다.

    에이전트는 노드 클러스터 시크릿과 노드에 대해 무작위로 생성된 비밀번호를 사용하여 서버에 등록하며, 이 비밀번호는 /etc/rancher/node/password에 저장됩니다. 서버는 개별 노드의 비밀번호를 쿠버네티스 시크릿으로 저장하며, 이후 모든 시도는 동일한 비밀번호를 사용해야 합니다. 노드 패스워드 시크릿은 <host>.node-password.k3s 템플릿을 사용하는 이름으로 kube-system 네임스페이스에 저장됩니다. 이는 노드 ID의 무결성을 보호하기 위해 수행됩니다.

    에이전트의 /etc/rancher/node 디렉터리가 제거되거나 기존 이름을 사용하여 노드에 다시 가입하려는 경우, 클러스터에서 노드를 삭제해야 합니다. 이렇게 하면 이전 노드 항목과 노드 비밀번호 시크릿이 모두 정리되고 노드가 클러스터에 (재)조인할 수 있습니다.

    비고

    K3s v1.20.2 이전 서버는 /var/lib/rancher/k3s/server/cred/node-passwd에 디스크에 비밀번호를 저장합니다.

    -

    호스트 이름을 자주 재사용하지만 노드 암호 시크릿을 제거할 수 없는 경우, --with-node-id 플래그를 사용하여 K3s 서버 또는 에이전트를 시작하면 호스트 이름에 고유 노드 ID를 자동으로 추가할 수 있습니다. 활성화하면 노드 ID는 /etc/rancher/node/에도 저장됩니다.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +

    호스트 이름을 자주 재사용하지만 노드 암호 시크릿을 제거할 수 없는 경우, --with-node-id 플래그를 사용하여 K3s 서버 또는 에이전트를 시작하면 호스트 이름에 고유 노드 ID를 자동으로 추가할 수 있습니다. 활성화하면 노드 ID는 /etc/rancher/node/에도 저장됩니다.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/zh/assets/css/styles.e1f8cbea.css b/kr/assets/css/styles.a300c3a6.css similarity index 51% rename from zh/assets/css/styles.e1f8cbea.css rename to kr/assets/css/styles.a300c3a6.css index 5a61a86c8..9bebf4232 100644 --- a/zh/assets/css/styles.e1f8cbea.css +++ b/kr/assets/css/styles.a300c3a6.css @@ -1 +1 @@ -.col,.container{padding:0 var(--ifm-spacing-horizontal);width:100%}.markdown>h2,.markdown>h3,.markdown>h4,.markdown>h5,.markdown>h6{margin-bottom:calc(var(--ifm-heading-vertical-rhythm-bottom)*var(--ifm-leading))}pre,table{overflow:auto}blockquote,pre{margin:0 0 var(--ifm-spacing-vertical)}.breadcrumbs__link,.button{transition-timing-function:var(--ifm-transition-timing-default)}.button,code{vertical-align:middle}.button--outline.button--active,.button--outline:active,.button--outline:hover,:root{--ifm-button-color:var(--ifm-font-color-base-inverse)}.menu__link:hover,a{transition:color var(--ifm-transition-fast) var(--ifm-transition-timing-default)}.navbar--dark,:root{--ifm-navbar-link-hover-color:var(--ifm-color-primary)}.menu,.navbar-sidebar{overflow-x:hidden}:root,html[data-theme=dark]{--ifm-color-emphasis-500:var(--ifm-color-gray-500)}.markdown li,body{word-wrap:break-word}.toggleButton_gllP,html{-webkit-tap-highlight-color:transparent}*,.loadingRing_RJI3 div{box-sizing:border-box}.clean-list,.containsTaskList_mC6p,.details_lb9f>summary,.dropdown__menu,.menu__list{list-style:none}:root{--ifm-color-scheme:light;--ifm-dark-value:10%;--ifm-darker-value:15%;--ifm-darkest-value:30%;--ifm-light-value:15%;--ifm-lighter-value:30%;--ifm-lightest-value:50%;--ifm-contrast-background-value:90%;--ifm-contrast-foreground-value:70%;--ifm-contrast-background-dark-value:70%;--ifm-contrast-foreground-dark-value:90%;--ifm-color-primary:#3578e5;--ifm-color-secondary:#ebedf0;--ifm-color-success:#00a400;--ifm-color-info:#54c7ec;--ifm-color-warning:#ffba00;--ifm-color-danger:#fa383e;--ifm-color-primary-dark:#306cce;--ifm-color-primary-darker:#2d66c3;--ifm-color-primary-darkest:#2554a0;--ifm-color-primary-light:#538ce9;--ifm-color-primary-lighter:#72a1ed;--ifm-color-primary-lightest:#9abcf2;--ifm-color-primary-contrast-background:#ebf2fc;--ifm-color-primary-contrast-foreground:#102445;--ifm-color-secondary-dark:#d4d5d8;--ifm-color-secondary-darker:#c8c9cc;--ifm-color-secondary-darkest:#a4a6a8;--ifm-color-secondary-light:#eef0f2;--ifm-color-secondary-lighter:#f1f2f5;--ifm-color-secondary-lightest:#f5f6f8;--ifm-color-secondary-contrast-background:#fdfdfe;--ifm-color-secondary-contrast-foreground:#474748;--ifm-color-success-dark:#009400;--ifm-color-success-darker:#008b00;--ifm-color-success-darkest:#007300;--ifm-color-success-light:#26b226;--ifm-color-success-lighter:#4dbf4d;--ifm-color-success-lightest:#80d280;--ifm-color-success-contrast-background:#e6f6e6;--ifm-color-success-contrast-foreground:#003100;--ifm-color-info-dark:#4cb3d4;--ifm-color-info-darker:#47a9c9;--ifm-color-info-darkest:#3b8ba5;--ifm-color-info-light:#6ecfef;--ifm-color-info-lighter:#87d8f2;--ifm-color-info-lightest:#aae3f6;--ifm-color-info-contrast-background:#eef9fd;--ifm-color-info-contrast-foreground:#193c47;--ifm-color-warning-dark:#e6a700;--ifm-color-warning-darker:#d99e00;--ifm-color-warning-darkest:#b38200;--ifm-color-warning-light:#ffc426;--ifm-color-warning-lighter:#ffcf4d;--ifm-color-warning-lightest:#ffdd80;--ifm-color-warning-contrast-background:#fff8e6;--ifm-color-warning-contrast-foreground:#4d3800;--ifm-color-danger-dark:#e13238;--ifm-color-danger-darker:#d53035;--ifm-color-danger-darkest:#af272b;--ifm-color-danger-light:#fb565b;--ifm-color-danger-lighter:#fb7478;--ifm-color-danger-lightest:#fd9c9f;--ifm-color-danger-contrast-background:#ffebec;--ifm-color-danger-contrast-foreground:#4b1113;--ifm-color-white:#fff;--ifm-color-black:#000;--ifm-color-gray-0:var(--ifm-color-white);--ifm-color-gray-100:#f5f6f7;--ifm-color-gray-200:#ebedf0;--ifm-color-gray-300:#dadde1;--ifm-color-gray-400:#ccd0d5;--ifm-color-gray-500:#bec3c9;--ifm-color-gray-600:#8d949e;--ifm-color-gray-700:#606770;--ifm-color-gray-800:#444950;--ifm-color-gray-900:#1c1e21;--ifm-color-gray-1000:var(--ifm-color-black);--ifm-color-emphasis-0:var(--ifm-color-gray-0);--ifm-color-emphasis-100:var(--ifm-color-gray-100);--ifm-color-emphasis-200:var(--ifm-color-gray-200);--ifm-color-emphasis-300:var(--ifm-color-gray-300);--ifm-color-emphasis-400:var(--ifm-color-gray-400);--ifm-color-emphasis-600:var(--ifm-color-gray-600);--ifm-color-emphasis-700:var(--ifm-color-gray-700);--ifm-color-emphasis-800:var(--ifm-color-gray-800);--ifm-color-emphasis-900:var(--ifm-color-gray-900);--ifm-color-emphasis-1000:var(--ifm-color-gray-1000);--ifm-color-content:var(--ifm-color-emphasis-900);--ifm-color-content-inverse:var(--ifm-color-emphasis-0);--ifm-color-content-secondary:#525860;--ifm-background-color:#0000;--ifm-background-surface-color:var(--ifm-color-content-inverse);--ifm-global-border-width:1px;--ifm-global-radius:0.4rem;--ifm-hover-overlay:#0000000d;--ifm-font-color-base:var(--ifm-color-content);--ifm-font-color-base-inverse:var(--ifm-color-content-inverse);--ifm-font-color-secondary:var(--ifm-color-content-secondary);--ifm-font-family-base:system-ui,-apple-system,Segoe UI,Roboto,Ubuntu,Cantarell,Noto Sans,sans-serif,BlinkMacSystemFont,"Segoe UI",Helvetica,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";--ifm-font-family-monospace:SFMono-Regular,Menlo,Monaco,Consolas,"Liberation Mono","Courier New",monospace;--ifm-font-size-base:100%;--ifm-font-weight-light:300;--ifm-font-weight-normal:400;--ifm-font-weight-semibold:500;--ifm-font-weight-bold:700;--ifm-font-weight-base:var(--ifm-font-weight-normal);--ifm-line-height-base:1.65;--ifm-global-spacing:1rem;--ifm-spacing-vertical:var(--ifm-global-spacing);--ifm-spacing-horizontal:var(--ifm-global-spacing);--ifm-transition-fast:200ms;--ifm-transition-slow:400ms;--ifm-transition-timing-default:cubic-bezier(0.08,0.52,0.52,1);--ifm-global-shadow-lw:0 1px 2px 0 #0000001a;--ifm-global-shadow-md:0 5px 40px #0003;--ifm-global-shadow-tl:0 12px 28px 0 #0003,0 2px 4px 0 #0000001a;--ifm-z-index-dropdown:100;--ifm-z-index-fixed:200;--ifm-z-index-overlay:400;--ifm-container-width:1140px;--ifm-container-width-xl:1320px;--ifm-code-background:#f6f7f8;--ifm-code-border-radius:var(--ifm-global-radius);--ifm-code-font-size:90%;--ifm-code-padding-horizontal:0.1rem;--ifm-code-padding-vertical:0.1rem;--ifm-pre-background:var(--ifm-code-background);--ifm-pre-border-radius:var(--ifm-code-border-radius);--ifm-pre-color:inherit;--ifm-pre-line-height:1.45;--ifm-pre-padding:1rem;--ifm-heading-color:inherit;--ifm-heading-margin-top:0;--ifm-heading-margin-bottom:var(--ifm-spacing-vertical);--ifm-heading-font-family:var(--ifm-font-family-base);--ifm-heading-font-weight:var(--ifm-font-weight-bold);--ifm-heading-line-height:1.25;--ifm-h1-font-size:2rem;--ifm-h2-font-size:1.5rem;--ifm-h3-font-size:1.25rem;--ifm-h4-font-size:1rem;--ifm-h5-font-size:0.875rem;--ifm-h6-font-size:0.85rem;--ifm-image-alignment-padding:1.25rem;--ifm-leading-desktop:1.25;--ifm-leading:calc(var(--ifm-leading-desktop)*1rem);--ifm-list-left-padding:2rem;--ifm-list-margin:1rem;--ifm-list-item-margin:0.25rem;--ifm-list-paragraph-margin:1rem;--ifm-table-cell-padding:0.75rem;--ifm-table-background:#0000;--ifm-table-stripe-background:#00000008;--ifm-table-border-width:1px;--ifm-table-border-color:var(--ifm-color-emphasis-300);--ifm-table-head-background:inherit;--ifm-table-head-color:inherit;--ifm-table-head-font-weight:var(--ifm-font-weight-bold);--ifm-table-cell-color:inherit;--ifm-link-color:var(--ifm-color-primary);--ifm-link-decoration:none;--ifm-link-hover-color:var(--ifm-link-color);--ifm-link-hover-decoration:underline;--ifm-paragraph-margin-bottom:var(--ifm-leading);--ifm-blockquote-font-size:var(--ifm-font-size-base);--ifm-blockquote-border-left-width:2px;--ifm-blockquote-padding-horizontal:var(--ifm-spacing-horizontal);--ifm-blockquote-padding-vertical:0;--ifm-blockquote-shadow:none;--ifm-blockquote-color:var(--ifm-color-emphasis-800);--ifm-blockquote-border-color:var(--ifm-color-emphasis-300);--ifm-hr-background-color:var(--ifm-color-emphasis-500);--ifm-hr-height:1px;--ifm-hr-margin-vertical:1.5rem;--ifm-scrollbar-size:7px;--ifm-scrollbar-track-background-color:#f1f1f1;--ifm-scrollbar-thumb-background-color:silver;--ifm-scrollbar-thumb-hover-background-color:#a7a7a7;--ifm-alert-background-color:inherit;--ifm-alert-border-color:inherit;--ifm-alert-border-radius:var(--ifm-global-radius);--ifm-alert-border-width:0px;--ifm-alert-border-left-width:5px;--ifm-alert-color:var(--ifm-font-color-base);--ifm-alert-padding-horizontal:var(--ifm-spacing-horizontal);--ifm-alert-padding-vertical:var(--ifm-spacing-vertical);--ifm-alert-shadow:var(--ifm-global-shadow-lw);--ifm-avatar-intro-margin:1rem;--ifm-avatar-intro-alignment:inherit;--ifm-avatar-photo-size:3rem;--ifm-badge-background-color:inherit;--ifm-badge-border-color:inherit;--ifm-badge-border-radius:var(--ifm-global-radius);--ifm-badge-border-width:var(--ifm-global-border-width);--ifm-badge-color:var(--ifm-color-white);--ifm-badge-padding-horizontal:calc(var(--ifm-spacing-horizontal)*0.5);--ifm-badge-padding-vertical:calc(var(--ifm-spacing-vertical)*0.25);--ifm-breadcrumb-border-radius:1.5rem;--ifm-breadcrumb-spacing:0.5rem;--ifm-breadcrumb-color-active:var(--ifm-color-primary);--ifm-breadcrumb-item-background-active:var(--ifm-hover-overlay);--ifm-breadcrumb-padding-horizontal:0.8rem;--ifm-breadcrumb-padding-vertical:0.4rem;--ifm-breadcrumb-size-multiplier:1;--ifm-breadcrumb-separator:url('data:image/svg+xml;utf8,');--ifm-breadcrumb-separator-filter:none;--ifm-breadcrumb-separator-size:0.5rem;--ifm-breadcrumb-separator-size-multiplier:1.25;--ifm-button-background-color:inherit;--ifm-button-border-color:var(--ifm-button-background-color);--ifm-button-border-width:var(--ifm-global-border-width);--ifm-button-font-weight:var(--ifm-font-weight-bold);--ifm-button-padding-horizontal:1.5rem;--ifm-button-padding-vertical:0.375rem;--ifm-button-size-multiplier:1;--ifm-button-transition-duration:var(--ifm-transition-fast);--ifm-button-border-radius:calc(var(--ifm-global-radius)*var(--ifm-button-size-multiplier));--ifm-button-group-spacing:2px;--ifm-card-background-color:var(--ifm-background-surface-color);--ifm-card-border-radius:calc(var(--ifm-global-radius)*2);--ifm-card-horizontal-spacing:var(--ifm-global-spacing);--ifm-card-vertical-spacing:var(--ifm-global-spacing);--ifm-toc-border-color:var(--ifm-color-emphasis-300);--ifm-toc-link-color:var(--ifm-color-content-secondary);--ifm-toc-padding-vertical:0.5rem;--ifm-toc-padding-horizontal:0.5rem;--ifm-dropdown-background-color:var(--ifm-background-surface-color);--ifm-dropdown-font-weight:var(--ifm-font-weight-semibold);--ifm-dropdown-link-color:var(--ifm-font-color-base);--ifm-dropdown-hover-background-color:var(--ifm-hover-overlay);--ifm-footer-background-color:var(--ifm-color-emphasis-100);--ifm-footer-color:inherit;--ifm-footer-link-color:var(--ifm-color-emphasis-700);--ifm-footer-link-hover-color:var(--ifm-color-primary);--ifm-footer-link-horizontal-spacing:0.5rem;--ifm-footer-padding-horizontal:calc(var(--ifm-spacing-horizontal)*2);--ifm-footer-padding-vertical:calc(var(--ifm-spacing-vertical)*2);--ifm-footer-title-color:inherit;--ifm-footer-logo-max-width:min(30rem,90vw);--ifm-hero-background-color:var(--ifm-background-surface-color);--ifm-hero-text-color:var(--ifm-color-emphasis-800);--ifm-menu-color:var(--ifm-color-emphasis-700);--ifm-menu-color-active:var(--ifm-color-primary);--ifm-menu-color-background-active:var(--ifm-hover-overlay);--ifm-menu-color-background-hover:var(--ifm-hover-overlay);--ifm-menu-link-padding-horizontal:0.75rem;--ifm-menu-link-padding-vertical:0.375rem;--ifm-menu-link-sublist-icon:url('data:image/svg+xml;utf8,');--ifm-menu-link-sublist-icon-filter:none;--ifm-navbar-background-color:var(--ifm-background-surface-color);--ifm-navbar-height:3.75rem;--ifm-navbar-item-padding-horizontal:0.75rem;--ifm-navbar-item-padding-vertical:0.25rem;--ifm-navbar-link-color:var(--ifm-font-color-base);--ifm-navbar-link-active-color:var(--ifm-link-color);--ifm-navbar-padding-horizontal:var(--ifm-spacing-horizontal);--ifm-navbar-padding-vertical:calc(var(--ifm-spacing-vertical)*0.5);--ifm-navbar-shadow:var(--ifm-global-shadow-lw);--ifm-navbar-search-input-background-color:var(--ifm-color-emphasis-200);--ifm-navbar-search-input-color:var(--ifm-color-emphasis-800);--ifm-navbar-search-input-placeholder-color:var(--ifm-color-emphasis-500);--ifm-navbar-search-input-icon:url('data:image/svg+xml;utf8,');--ifm-navbar-sidebar-width:83vw;--ifm-pagination-border-radius:var(--ifm-global-radius);--ifm-pagination-color-active:var(--ifm-color-primary);--ifm-pagination-font-size:1rem;--ifm-pagination-item-active-background:var(--ifm-hover-overlay);--ifm-pagination-page-spacing:0.2em;--ifm-pagination-padding-horizontal:calc(var(--ifm-spacing-horizontal)*1);--ifm-pagination-padding-vertical:calc(var(--ifm-spacing-vertical)*0.25);--ifm-pagination-nav-border-radius:var(--ifm-global-radius);--ifm-pagination-nav-color-hover:var(--ifm-color-primary);--ifm-pills-color-active:var(--ifm-color-primary);--ifm-pills-color-background-active:var(--ifm-hover-overlay);--ifm-pills-spacing:0.125rem;--ifm-tabs-color:var(--ifm-font-color-secondary);--ifm-tabs-color-active:var(--ifm-color-primary);--ifm-tabs-color-active-border:var(--ifm-tabs-color-active);--ifm-tabs-padding-horizontal:1rem;--ifm-tabs-padding-vertical:1rem;--docusaurus-progress-bar-color:var(--ifm-color-primary);--ifm-color-primary:#06527a;--ifm-color-primary-dark:#054a6e;--ifm-color-primary-darker:#054668;--ifm-color-primary-darkest:#043955;--ifm-color-primary-light:#075a86;--ifm-color-primary-lighter:#075e8c;--ifm-color-primary-lightest:#086b9f;--ifm-color-secondary:#ffc61c;--ifm-color-secondary-light:#ffcd38;--dark:#33313b;--light:#f3f3f3;--docusaurus-announcement-bar-height:auto;--docusaurus-tag-list-border:var(--ifm-color-emphasis-300);--docusaurus-collapse-button-bg:#0000;--docusaurus-collapse-button-bg-hover:#0000001a;--doc-sidebar-width:300px;--doc-sidebar-hidden-width:30px}.badge--danger,.badge--info,.badge--primary,.badge--secondary,.badge--success,.badge--warning{--ifm-badge-border-color:var(--ifm-badge-background-color)}.button--link,.button--outline{--ifm-button-background-color:#0000}html{background-color:var(--ifm-background-color);color:var(--ifm-font-color-base);color-scheme:var(--ifm-color-scheme);font:var(--ifm-font-size-base)/var(--ifm-line-height-base) var(--ifm-font-family-base);-webkit-font-smoothing:antialiased;text-rendering:optimizelegibility;-webkit-text-size-adjust:100%;text-size-adjust:100%}iframe{border:0;color-scheme:auto}.container{margin:0 auto;max-width:var(--ifm-container-width)}.container--fluid{max-width:inherit}.row{display:flex;flex-wrap:wrap;margin:0 calc(var(--ifm-spacing-horizontal)*-1)}.margin-bottom--none,.margin-vert--none,.markdown>:last-child{margin-bottom:0!important}.margin-top--none,.margin-vert--none,.tabItem_LNqP{margin-top:0!important}.row--no-gutters{margin-left:0;margin-right:0}.margin-horiz--none,.margin-right--none{margin-right:0!important}.row--no-gutters>.col{padding-left:0;padding-right:0}.row--align-top{align-items:flex-start}.row--align-bottom{align-items:flex-end}.menuExternalLink_NmtK,.row--align-center{align-items:center}.row--align-stretch{align-items:stretch}.row--align-baseline{align-items:baseline}.col{--ifm-col-width:100%;flex:1 0;margin-left:0;max-width:var(--ifm-col-width)}.padding-bottom--none,.padding-vert--none{padding-bottom:0!important}.padding-top--none,.padding-vert--none{padding-top:0!important}.padding-horiz--none,.padding-left--none{padding-left:0!important}.padding-horiz--none,.padding-right--none{padding-right:0!important}.col[class*=col--]{flex:0 0 var(--ifm-col-width)}.col--1{--ifm-col-width:8.33333%}.col--offset-1{margin-left:8.33333%}.col--2{--ifm-col-width:16.66667%}.col--offset-2{margin-left:16.66667%}.col--3{--ifm-col-width:25%}.col--offset-3{margin-left:25%}.col--4{--ifm-col-width:33.33333%}.col--offset-4{margin-left:33.33333%}.col--5{--ifm-col-width:41.66667%}.col--offset-5{margin-left:41.66667%}.col--6{--ifm-col-width:50%}.col--offset-6{margin-left:50%}.col--7{--ifm-col-width:58.33333%}.col--offset-7{margin-left:58.33333%}.col--8{--ifm-col-width:66.66667%}.col--offset-8{margin-left:66.66667%}.col--9{--ifm-col-width:75%}.col--offset-9{margin-left:75%}.col--10{--ifm-col-width:83.33333%}.col--offset-10{margin-left:83.33333%}.col--11{--ifm-col-width:91.66667%}.col--offset-11{margin-left:91.66667%}.col--12{--ifm-col-width:100%}.col--offset-12{margin-left:100%}.margin-horiz--none,.margin-left--none{margin-left:0!important}.margin--none{margin:0!important}.margin-bottom--xs,.margin-vert--xs{margin-bottom:.25rem!important}.margin-top--xs,.margin-vert--xs{margin-top:.25rem!important}.margin-horiz--xs,.margin-left--xs{margin-left:.25rem!important}.margin-horiz--xs,.margin-right--xs{margin-right:.25rem!important}.margin--xs{margin:.25rem!important}.margin-bottom--sm,.margin-vert--sm{margin-bottom:.5rem!important}.margin-top--sm,.margin-vert--sm{margin-top:.5rem!important}.margin-horiz--sm,.margin-left--sm{margin-left:.5rem!important}.margin-horiz--sm,.margin-right--sm{margin-right:.5rem!important}.margin--sm{margin:.5rem!important}.margin-bottom--md,.margin-vert--md{margin-bottom:1rem!important}.margin-top--md,.margin-vert--md{margin-top:1rem!important}.margin-horiz--md,.margin-left--md{margin-left:1rem!important}.margin-horiz--md,.margin-right--md{margin-right:1rem!important}.margin--md{margin:1rem!important}.margin-bottom--lg,.margin-vert--lg{margin-bottom:2rem!important}.margin-top--lg,.margin-vert--lg{margin-top:2rem!important}.margin-horiz--lg,.margin-left--lg{margin-left:2rem!important}.margin-horiz--lg,.margin-right--lg{margin-right:2rem!important}.margin--lg{margin:2rem!important}.margin-bottom--xl,.margin-vert--xl{margin-bottom:5rem!important}.margin-top--xl,.margin-vert--xl{margin-top:5rem!important}.margin-horiz--xl,.margin-left--xl{margin-left:5rem!important}.margin-horiz--xl,.margin-right--xl{margin-right:5rem!important}.margin--xl{margin:5rem!important}.padding--none{padding:0!important}.padding-bottom--xs,.padding-vert--xs{padding-bottom:.25rem!important}.padding-top--xs,.padding-vert--xs{padding-top:.25rem!important}.padding-horiz--xs,.padding-left--xs{padding-left:.25rem!important}.padding-horiz--xs,.padding-right--xs{padding-right:.25rem!important}.padding--xs{padding:.25rem!important}.padding-bottom--sm,.padding-vert--sm{padding-bottom:.5rem!important}.padding-top--sm,.padding-vert--sm{padding-top:.5rem!important}.padding-horiz--sm,.padding-left--sm{padding-left:.5rem!important}.padding-horiz--sm,.padding-right--sm{padding-right:.5rem!important}.padding--sm{padding:.5rem!important}.padding-bottom--md,.padding-vert--md{padding-bottom:1rem!important}.padding-top--md,.padding-vert--md{padding-top:1rem!important}.padding-horiz--md,.padding-left--md{padding-left:1rem!important}.padding-horiz--md,.padding-right--md{padding-right:1rem!important}.padding--md{padding:1rem!important}.padding-bottom--lg,.padding-vert--lg{padding-bottom:2rem!important}.padding-top--lg,.padding-vert--lg{padding-top:2rem!important}.padding-horiz--lg,.padding-left--lg{padding-left:2rem!important}.padding-horiz--lg,.padding-right--lg{padding-right:2rem!important}.padding--lg{padding:2rem!important}.padding-bottom--xl,.padding-vert--xl{padding-bottom:5rem!important}.padding-top--xl,.padding-vert--xl{padding-top:5rem!important}.padding-horiz--xl,.padding-left--xl{padding-left:5rem!important}.padding-horiz--xl,.padding-right--xl{padding-right:5rem!important}.padding--xl{padding:5rem!important}code{background-color:var(--ifm-code-background);border:.1rem solid #0000001a;border-radius:var(--ifm-code-border-radius);font-family:var(--ifm-font-family-monospace);font-size:var(--ifm-code-font-size);padding:var(--ifm-code-padding-vertical) var(--ifm-code-padding-horizontal)}a code{color:inherit}pre{background-color:var(--ifm-pre-background);border-radius:var(--ifm-pre-border-radius);color:var(--ifm-pre-color);font:var(--ifm-code-font-size)/var(--ifm-pre-line-height) var(--ifm-font-family-monospace);padding:var(--ifm-pre-padding)}pre code{background-color:initial;border:none;font-size:100%;line-height:inherit;padding:0}kbd{background-color:var(--ifm-color-emphasis-0);border:1px solid var(--ifm-color-emphasis-400);border-radius:.2rem;box-shadow:inset 0 -1px 0 var(--ifm-color-emphasis-400);color:var(--ifm-color-emphasis-800);font:80% var(--ifm-font-family-monospace);padding:.15rem .3rem}h1,h2,h3,h4,h5,h6{color:var(--ifm-heading-color);font-family:var(--ifm-heading-font-family);font-weight:var(--ifm-heading-font-weight);line-height:var(--ifm-heading-line-height);margin:var(--ifm-heading-margin-top) 0 var(--ifm-heading-margin-bottom) 0}h1{font-size:var(--ifm-h1-font-size)}h2{font-size:var(--ifm-h2-font-size)}h3{font-size:var(--ifm-h3-font-size)}h4{font-size:var(--ifm-h4-font-size)}h5{font-size:var(--ifm-h5-font-size)}h6{font-size:var(--ifm-h6-font-size)}.container_lyt7,.container_lyt7>svg,img{max-width:100%}img[align=right]{padding-left:var(--image-alignment-padding)}img[align=left]{padding-right:var(--image-alignment-padding)}.markdown{--ifm-h1-vertical-rhythm-top:3;--ifm-h2-vertical-rhythm-top:2;--ifm-h3-vertical-rhythm-top:1.5;--ifm-heading-vertical-rhythm-top:1.25;--ifm-h1-vertical-rhythm-bottom:1.25;--ifm-heading-vertical-rhythm-bottom:1}.markdown:after,.markdown:before{content:"";display:table}.markdown:after{clear:both}.markdown h1:first-child{--ifm-h1-font-size:3rem;margin-bottom:calc(var(--ifm-h1-vertical-rhythm-bottom)*var(--ifm-leading))}.markdown>h2{--ifm-h2-font-size:2rem;margin-top:calc(var(--ifm-h2-vertical-rhythm-top)*var(--ifm-leading))}.markdown>h3{--ifm-h3-font-size:1.5rem;margin-top:calc(var(--ifm-h3-vertical-rhythm-top)*var(--ifm-leading))}.markdown>h4,.markdown>h5,.markdown>h6{margin-top:calc(var(--ifm-heading-vertical-rhythm-top)*var(--ifm-leading))}.markdown>p,.markdown>pre,.markdown>ul,.tabList__CuJ{margin-bottom:var(--ifm-leading)}.markdown li>p{margin-top:var(--ifm-list-paragraph-margin)}.markdown li+li{margin-top:var(--ifm-list-item-margin)}ol,ul{margin:0 0 var(--ifm-list-margin);padding-left:var(--ifm-list-left-padding)}ol ol,ul ol{list-style-type:lower-roman}ol ol,ol ul,ul ol,ul ul{margin:0}ol ol ol,ol ul ol,ul ol ol,ul ul ol{list-style-type:lower-alpha}table{border-collapse:collapse;display:block;margin-bottom:var(--ifm-spacing-vertical)}table thead tr{border-bottom:2px solid var(--ifm-table-border-color)}table thead,table tr:nth-child(2n){background-color:var(--ifm-table-stripe-background)}table tr{background-color:var(--ifm-table-background);border-top:var(--ifm-table-border-width) solid var(--ifm-table-border-color)}table td,table th{border:var(--ifm-table-border-width) solid var(--ifm-table-border-color);padding:var(--ifm-table-cell-padding)}table th{background-color:var(--ifm-table-head-background);color:var(--ifm-table-head-color);font-weight:var(--ifm-table-head-font-weight)}table td{color:var(--ifm-table-cell-color)}strong{font-weight:var(--ifm-font-weight-bold)}a{color:var(--ifm-link-color);text-decoration:var(--ifm-link-decoration)}a:hover{color:var(--ifm-link-hover-color);text-decoration:var(--ifm-link-hover-decoration)}.button:hover,.text--no-decoration,.text--no-decoration:hover,a:not([href]){text-decoration:none}p{margin:0 0 var(--ifm-paragraph-margin-bottom)}blockquote{border-left:var(--ifm-blockquote-border-left-width) solid var(--ifm-blockquote-border-color);box-shadow:var(--ifm-blockquote-shadow);color:var(--ifm-blockquote-color);font-size:var(--ifm-blockquote-font-size);padding:var(--ifm-blockquote-padding-vertical) var(--ifm-blockquote-padding-horizontal)}blockquote>:first-child{margin-top:0}blockquote>:last-child{margin-bottom:0}hr{background-color:var(--ifm-hr-background-color);border:0;height:var(--ifm-hr-height);margin:var(--ifm-hr-margin-vertical) 0;background-image:-webkit-linear-gradient(left,#f3f3f3,#adadb1,#f3f3f3);margin:0 auto}.shadow--lw{box-shadow:var(--ifm-global-shadow-lw)!important}.shadow--md{box-shadow:var(--ifm-global-shadow-md)!important}.shadow--tl{box-shadow:var(--ifm-global-shadow-tl)!important}.text--primary,.wordWrapButtonEnabled_EoeP .wordWrapButtonIcon_Bwma{color:var(--ifm-color-primary)}.text--secondary{color:var(--ifm-color-secondary)}.text--success{color:var(--ifm-color-success)}.text--info{color:var(--ifm-color-info)}.text--warning{color:var(--ifm-color-warning)}.text--danger{color:var(--ifm-color-danger)}.text--center{text-align:center}.text--left{text-align:left}.text--justify{text-align:justify}.text--right{text-align:right}.text--capitalize{text-transform:capitalize}.text--lowercase{text-transform:lowercase}.admonitionHeading_Gvgb,.alert__heading,.text--uppercase{text-transform:uppercase}.text--light{font-weight:var(--ifm-font-weight-light)}.text--normal{font-weight:var(--ifm-font-weight-normal)}.text--semibold{font-weight:var(--ifm-font-weight-semibold)}.text--bold{font-weight:var(--ifm-font-weight-bold)}.text--italic{font-style:italic}.text--truncate{overflow:hidden;text-overflow:ellipsis;white-space:nowrap}.text--break{word-wrap:break-word!important;word-break:break-word!important}.clean-btn{background:none;border:none;color:inherit;cursor:pointer;font-family:inherit;padding:0}.alert,.alert .close{color:var(--ifm-alert-foreground-color)}.clean-list{padding-left:0}.alert--primary{--ifm-alert-background-color:var(--ifm-color-primary-contrast-background);--ifm-alert-background-color-highlight:#3578e526;--ifm-alert-foreground-color:var(--ifm-color-primary-contrast-foreground);--ifm-alert-border-color:var(--ifm-color-primary-dark)}.alert--secondary{--ifm-alert-background-color:var(--ifm-color-secondary-contrast-background);--ifm-alert-background-color-highlight:#ebedf026;--ifm-alert-foreground-color:var(--ifm-color-secondary-contrast-foreground);--ifm-alert-border-color:var(--ifm-color-secondary-dark)}.alert--success{--ifm-alert-background-color:var(--ifm-color-success-contrast-background);--ifm-alert-background-color-highlight:#00a40026;--ifm-alert-foreground-color:var(--ifm-color-success-contrast-foreground);--ifm-alert-border-color:var(--ifm-color-success-dark)}.alert--info{--ifm-alert-background-color:var(--ifm-color-info-contrast-background);--ifm-alert-background-color-highlight:#54c7ec26;--ifm-alert-foreground-color:var(--ifm-color-info-contrast-foreground);--ifm-alert-border-color:var(--ifm-color-info-dark)}.alert--warning{--ifm-alert-background-color:var(--ifm-color-warning-contrast-background);--ifm-alert-background-color-highlight:#ffba0026;--ifm-alert-foreground-color:var(--ifm-color-warning-contrast-foreground);--ifm-alert-border-color:var(--ifm-color-warning-dark)}.alert--danger{--ifm-alert-background-color:var(--ifm-color-danger-contrast-background);--ifm-alert-background-color-highlight:#fa383e26;--ifm-alert-foreground-color:var(--ifm-color-danger-contrast-foreground);--ifm-alert-border-color:var(--ifm-color-danger-dark)}.alert{--ifm-code-background:var(--ifm-alert-background-color-highlight);--ifm-link-color:var(--ifm-alert-foreground-color);--ifm-link-hover-color:var(--ifm-alert-foreground-color);--ifm-link-decoration:underline;--ifm-tabs-color:var(--ifm-alert-foreground-color);--ifm-tabs-color-active:var(--ifm-alert-foreground-color);--ifm-tabs-color-active-border:var(--ifm-alert-border-color);background-color:var(--ifm-alert-background-color);border:var(--ifm-alert-border-width) solid var(--ifm-alert-border-color);border-left-width:var(--ifm-alert-border-left-width);border-radius:var(--ifm-alert-border-radius);box-shadow:var(--ifm-alert-shadow);padding:var(--ifm-alert-padding-vertical) var(--ifm-alert-padding-horizontal)}.alert__heading{align-items:center;display:flex;font:700 var(--ifm-h5-font-size)/var(--ifm-heading-line-height) var(--ifm-heading-font-family);margin-bottom:.5rem}.alert__icon{display:inline-flex;margin-right:.4em}.alert__icon svg{fill:var(--ifm-alert-foreground-color);stroke:var(--ifm-alert-foreground-color);stroke-width:0}.alert .close{margin:calc(var(--ifm-alert-padding-vertical)*-1) calc(var(--ifm-alert-padding-horizontal)*-1) 0 0;opacity:.75}.alert .close:focus,.alert .close:hover{opacity:1}.alert a{text-decoration-color:var(--ifm-alert-border-color)}.alert a:hover{text-decoration-thickness:2px}.avatar{column-gap:var(--ifm-avatar-intro-margin);display:flex}.avatar__photo{border-radius:50%;display:block;height:var(--ifm-avatar-photo-size);overflow:hidden;width:var(--ifm-avatar-photo-size)}.card--full-height,.navbar__logo img,body,html{height:100%}.avatar__photo--sm{--ifm-avatar-photo-size:2rem}.avatar__photo--lg{--ifm-avatar-photo-size:4rem}.avatar__photo--xl{--ifm-avatar-photo-size:6rem}.avatar__intro{display:flex;flex:1 1;flex-direction:column;justify-content:center;text-align:var(--ifm-avatar-intro-alignment)}.badge,.breadcrumbs__item,.breadcrumbs__link,.button,.dropdown>.navbar__link:after,.searchBarContainer_NW3z.searchIndexLoading_EJ1f .searchBarLoadingRing_YnHq{display:inline-block}.avatar__name{font:700 var(--ifm-h4-font-size)/var(--ifm-heading-line-height) var(--ifm-font-family-base)}.avatar__subtitle{margin-top:.25rem}.avatar--vertical{--ifm-avatar-intro-alignment:center;--ifm-avatar-intro-margin:0.5rem;align-items:center;flex-direction:column}.badge{background-color:var(--ifm-badge-background-color);border:var(--ifm-badge-border-width) solid var(--ifm-badge-border-color);border-radius:var(--ifm-badge-border-radius);color:var(--ifm-badge-color);font-size:75%;font-weight:var(--ifm-font-weight-bold);line-height:1;padding:var(--ifm-badge-padding-vertical) var(--ifm-badge-padding-horizontal)}.badge--primary{--ifm-badge-background-color:var(--ifm-color-primary)}.badge--secondary{--ifm-badge-background-color:var(--ifm-color-secondary);color:var(--ifm-color-black)}.breadcrumbs__link,.button.button--secondary.button--outline:not(.button--active):not(:hover){color:var(--ifm-font-color-base)}.badge--success{--ifm-badge-background-color:var(--ifm-color-success)}.badge--info{--ifm-badge-background-color:var(--ifm-color-info)}.badge--warning{--ifm-badge-background-color:var(--ifm-color-warning)}.badge--danger{--ifm-badge-background-color:var(--ifm-color-danger)}.breadcrumbs{margin-bottom:0;padding-left:0}.breadcrumbs__item:not(:last-child):after{background:var(--ifm-breadcrumb-separator) center;content:" ";display:inline-block;filter:var(--ifm-breadcrumb-separator-filter);height:calc(var(--ifm-breadcrumb-separator-size)*var(--ifm-breadcrumb-size-multiplier)*var(--ifm-breadcrumb-separator-size-multiplier));margin:0 var(--ifm-breadcrumb-spacing);opacity:.5;width:calc(var(--ifm-breadcrumb-separator-size)*var(--ifm-breadcrumb-size-multiplier)*var(--ifm-breadcrumb-separator-size-multiplier))}.breadcrumbs__item--active .breadcrumbs__link{background:var(--ifm-breadcrumb-item-background-active);color:var(--ifm-breadcrumb-color-active)}.breadcrumbs__link{border-radius:var(--ifm-breadcrumb-border-radius);font-size:calc(1rem*var(--ifm-breadcrumb-size-multiplier));padding:calc(var(--ifm-breadcrumb-padding-vertical)*var(--ifm-breadcrumb-size-multiplier)) calc(var(--ifm-breadcrumb-padding-horizontal)*var(--ifm-breadcrumb-size-multiplier));transition-duration:var(--ifm-transition-fast);transition-property:background,color}.breadcrumbs__link:any-link:hover,.breadcrumbs__link:link:hover,.breadcrumbs__link:visited:hover,area[href].breadcrumbs__link:hover{background:var(--ifm-breadcrumb-item-background-active);text-decoration:none}.breadcrumbs--sm{--ifm-breadcrumb-size-multiplier:0.8}.breadcrumbs--lg{--ifm-breadcrumb-size-multiplier:1.2}.button{background-color:var(--ifm-button-background-color);border:var(--ifm-button-border-width) solid var(--ifm-button-border-color);border-radius:var(--ifm-button-border-radius);cursor:pointer;font-size:calc(.875rem*var(--ifm-button-size-multiplier));font-weight:var(--ifm-button-font-weight);line-height:1.5;padding:calc(var(--ifm-button-padding-vertical)*var(--ifm-button-size-multiplier)) calc(var(--ifm-button-padding-horizontal)*var(--ifm-button-size-multiplier));text-align:center;transition-duration:var(--ifm-button-transition-duration);transition-property:color,background,border-color;-webkit-user-select:none;user-select:none;white-space:nowrap}.button,.button:hover{color:var(--ifm-button-color)}.button--outline{--ifm-button-color:var(--ifm-button-border-color)}.button--outline:hover{--ifm-button-background-color:var(--ifm-button-border-color)}.button--link{--ifm-button-border-color:#0000;color:var(--ifm-link-color);text-decoration:var(--ifm-link-decoration)}.button--link.button--active,.button--link:active,.button--link:hover{color:var(--ifm-link-hover-color);text-decoration:var(--ifm-link-hover-decoration)}.button.disabled,.button:disabled,.button[disabled]{opacity:.65;pointer-events:none}.button--sm{--ifm-button-size-multiplier:0.8}.button--lg{--ifm-button-size-multiplier:1.35}.button--block{display:block;width:100%}.button.button--secondary{color:var(--ifm-color-gray-900)}:where(.button--primary){--ifm-button-background-color:var(--ifm-color-primary);--ifm-button-border-color:var(--ifm-color-primary)}:where(.button--primary):not(.button--outline):hover{--ifm-button-background-color:var(--ifm-color-primary-dark);--ifm-button-border-color:var(--ifm-color-primary-dark)}.button--primary.button--active,.button--primary:active{--ifm-button-background-color:var(--ifm-color-primary-darker);--ifm-button-border-color:var(--ifm-color-primary-darker)}:where(.button--secondary){--ifm-button-background-color:var(--ifm-color-secondary);--ifm-button-border-color:var(--ifm-color-secondary)}:where(.button--secondary):not(.button--outline):hover{--ifm-button-background-color:var(--ifm-color-secondary-dark);--ifm-button-border-color:var(--ifm-color-secondary-dark)}.button--secondary.button--active,.button--secondary:active{--ifm-button-background-color:var(--ifm-color-secondary-darker);--ifm-button-border-color:var(--ifm-color-secondary-darker)}:where(.button--success){--ifm-button-background-color:var(--ifm-color-success);--ifm-button-border-color:var(--ifm-color-success)}:where(.button--success):not(.button--outline):hover{--ifm-button-background-color:var(--ifm-color-success-dark);--ifm-button-border-color:var(--ifm-color-success-dark)}.button--success.button--active,.button--success:active{--ifm-button-background-color:var(--ifm-color-success-darker);--ifm-button-border-color:var(--ifm-color-success-darker)}:where(.button--info){--ifm-button-background-color:var(--ifm-color-info);--ifm-button-border-color:var(--ifm-color-info)}:where(.button--info):not(.button--outline):hover{--ifm-button-background-color:var(--ifm-color-info-dark);--ifm-button-border-color:var(--ifm-color-info-dark)}.button--info.button--active,.button--info:active{--ifm-button-background-color:var(--ifm-color-info-darker);--ifm-button-border-color:var(--ifm-color-info-darker)}:where(.button--warning){--ifm-button-background-color:var(--ifm-color-warning);--ifm-button-border-color:var(--ifm-color-warning)}:where(.button--warning):not(.button--outline):hover{--ifm-button-background-color:var(--ifm-color-warning-dark);--ifm-button-border-color:var(--ifm-color-warning-dark)}.button--warning.button--active,.button--warning:active{--ifm-button-background-color:var(--ifm-color-warning-darker);--ifm-button-border-color:var(--ifm-color-warning-darker)}:where(.button--danger){--ifm-button-background-color:var(--ifm-color-danger);--ifm-button-border-color:var(--ifm-color-danger)}:where(.button--danger):not(.button--outline):hover{--ifm-button-background-color:var(--ifm-color-danger-dark);--ifm-button-border-color:var(--ifm-color-danger-dark)}.button--danger.button--active,.button--danger:active{--ifm-button-background-color:var(--ifm-color-danger-darker);--ifm-button-border-color:var(--ifm-color-danger-darker)}.button-group{display:inline-flex;gap:var(--ifm-button-group-spacing)}.button-group>.button:not(:first-child){border-bottom-left-radius:0;border-top-left-radius:0}.button-group>.button:not(:last-child){border-bottom-right-radius:0;border-top-right-radius:0}.button-group--block{display:flex;justify-content:stretch}.button-group--block>.button{flex-grow:1}.card{background-color:var(--ifm-card-background-color);border-radius:var(--ifm-card-border-radius);box-shadow:var(--ifm-global-shadow-lw);display:flex;flex-direction:column;overflow:hidden}.card__image{padding-top:var(--ifm-card-vertical-spacing)}.card__image:first-child{padding-top:0}.card__body,.card__footer,.card__header{padding:var(--ifm-card-vertical-spacing) var(--ifm-card-horizontal-spacing)}.card__body:not(:last-child),.card__footer:not(:last-child),.card__header:not(:last-child){padding-bottom:0}.card__body>:last-child,.card__footer>:last-child,.card__header>:last-child{margin-bottom:0}.card__footer{margin-top:auto}.table-of-contents{font-size:.8rem;margin-bottom:0;padding:var(--ifm-toc-padding-vertical) 0}.table-of-contents,.table-of-contents ul{list-style:none;padding-left:var(--ifm-toc-padding-horizontal)}.table-of-contents li{margin:var(--ifm-toc-padding-vertical) var(--ifm-toc-padding-horizontal)}.table-of-contents__left-border{border-left:1px solid var(--ifm-toc-border-color)}.table-of-contents__link{color:var(--ifm-toc-link-color);display:block}.table-of-contents__link--active,.table-of-contents__link--active code,.table-of-contents__link:hover,.table-of-contents__link:hover code{color:var(--ifm-color-primary);text-decoration:none}.content_knG7 a,.hitFooter_E9YW a,.suggestion_fB_2.cursor_eG29 mark{text-decoration:underline}.close{color:var(--ifm-color-black);float:right;font-size:1.5rem;font-weight:var(--ifm-font-weight-bold);line-height:1;opacity:.5;padding:1rem;transition:opacity var(--ifm-transition-fast) var(--ifm-transition-timing-default)}.close:hover{opacity:.7}.close:focus,.theme-code-block-highlighted-line .codeLineNumber_Tfdd:before{opacity:.8}.dropdown{display:inline-flex;font-weight:var(--ifm-dropdown-font-weight);position:relative;vertical-align:top}.dropdown--hoverable:hover .dropdown__menu,.dropdown--show .dropdown__menu{opacity:1;pointer-events:all;transform:translateY(-1px);visibility:visible}.dropdown--right .dropdown__menu{left:inherit;right:0}.dropdown--nocaret .navbar__link:after{content:none!important}.dropdown__menu{background-color:var(--ifm-dropdown-background-color);border-radius:var(--ifm-global-radius);box-shadow:var(--ifm-global-shadow-md);left:0;max-height:80vh;min-width:10rem;opacity:0;overflow-y:auto;padding:.5rem;pointer-events:none;position:absolute;top:calc(100% - var(--ifm-navbar-item-padding-vertical) + .3rem);transform:translateY(-.625rem);transition-duration:var(--ifm-transition-fast);transition-property:opacity,transform,visibility;transition-timing-function:var(--ifm-transition-timing-default);visibility:hidden;z-index:var(--ifm-z-index-dropdown)}.menu__caret,.menu__link,.menu__list-item-collapsible{border-radius:.25rem;transition:background var(--ifm-transition-fast) var(--ifm-transition-timing-default)}.dropdown__link{border-radius:.25rem;color:var(--ifm-dropdown-link-color);display:block;font-size:.875rem;margin-top:.2rem;padding:.25rem .5rem;white-space:nowrap}.dropdown__link--active,.dropdown__link:hover{background-color:var(--ifm-dropdown-hover-background-color);color:var(--ifm-dropdown-link-color);text-decoration:none}.dropdown__link--active,.dropdown__link--active:hover{--ifm-dropdown-link-color:var(--ifm-link-color)}.dropdown>.navbar__link:after{border-color:currentcolor #0000;border-style:solid;border-width:.4em .4em 0;content:"";margin-left:.3em;position:relative;top:2px;transform:translateY(-50%)}.footer{background-color:var(--ifm-footer-background-color);color:var(--ifm-footer-color);padding:var(--ifm-footer-padding-vertical) var(--ifm-footer-padding-horizontal)}.footer--dark{--ifm-footer-background-color:#303846;--ifm-footer-color:var(--ifm-footer-link-color);--ifm-footer-link-color:var(--ifm-color-secondary);--ifm-footer-title-color:var(--ifm-color-white)}.footer__links{margin-bottom:1rem}.footer__link-item{color:var(--ifm-footer-link-color);line-height:2}.footer__link-item:hover{color:var(--ifm-footer-link-hover-color)}.footer__link-separator{margin:0 var(--ifm-footer-link-horizontal-spacing)}.footer__logo{margin-top:1rem;max-width:var(--ifm-footer-logo-max-width)}.footer__title{color:var(--ifm-footer-title-color);font:700 var(--ifm-h4-font-size)/var(--ifm-heading-line-height) var(--ifm-font-family-base);margin-bottom:var(--ifm-heading-margin-bottom)}.menu,.navbar__link{font-weight:var(--ifm-font-weight-semibold)}.docItemContainer_Djhp article>:first-child,.docItemContainer_Djhp header+*,.footer__item{margin-top:0}.admonitionContent_BuS1>:last-child,.collapsibleContent_i85q p:last-child,.details_lb9f>summary>p:last-child,.footer__items,.searchResultItem_U687>h2,.tabItem_Ymn6>:last-child{margin-bottom:0}.codeBlockStandalone_MEMb,[type=checkbox]{padding:0}.hero{align-items:center;background-color:var(--ifm-hero-background-color);color:var(--ifm-hero-text-color);display:flex;padding:4rem 2rem}.hero--primary{--ifm-hero-background-color:var(--ifm-color-primary);--ifm-hero-text-color:var(--ifm-font-color-base-inverse)}.hero--dark{--ifm-hero-background-color:#303846;--ifm-hero-text-color:var(--ifm-color-white)}.hero__title{font-size:3rem}.hero__subtitle{font-size:1.5rem}.menu__list{margin:0;padding-left:0}.menu__caret,.menu__link{padding:var(--ifm-menu-link-padding-vertical) var(--ifm-menu-link-padding-horizontal)}.menu__list .menu__list{flex:0 0 100%;margin-top:.25rem;padding-left:var(--ifm-menu-link-padding-horizontal)}.menu__list-item:not(:first-child){margin-top:.25rem}.menu__list-item--collapsed .menu__list{height:0;overflow:hidden}.details_lb9f[data-collapsed=false].isBrowser_bmU9>summary:before,.details_lb9f[open]:not(.isBrowser_bmU9)>summary:before,.menu__list-item--collapsed .menu__caret:before,.menu__list-item--collapsed .menu__link--sublist:after{transform:rotate(90deg)}.menu__list-item-collapsible{display:flex;flex-wrap:wrap;position:relative}.menu__caret:hover,.menu__link:hover,.menu__list-item-collapsible--active,.menu__list-item-collapsible:hover{background:var(--ifm-menu-color-background-hover)}.menu__list-item-collapsible .menu__link--active,.menu__list-item-collapsible .menu__link:hover{background:none!important}.menu__caret,.menu__link{align-items:center;display:flex}.menu__link{color:var(--ifm-menu-color);flex:1;line-height:1.25}.menu__link:hover{color:var(--ifm-menu-color);text-decoration:none}.menu__caret:before,.menu__link--sublist-caret:after{height:1.25rem;transform:rotate(180deg);transition:transform var(--ifm-transition-fast) linear;width:1.25rem;content:"";filter:var(--ifm-menu-link-sublist-icon-filter)}.menu__link--sublist-caret:after{background:var(--ifm-menu-link-sublist-icon) 50%/2rem 2rem;margin-left:auto;min-width:1.25rem}.navbar__items--center .navbar__brand,body{margin:0}.menu__link--active,.menu__link--active:hover{color:var(--ifm-menu-color-active)}.navbar__brand,.navbar__link{color:var(--ifm-navbar-link-color)}.menu__link--active:not(.menu__link--sublist){background-color:var(--ifm-menu-color-background-active)}.menu__caret:before{background:var(--ifm-menu-link-sublist-icon) 50%/2rem 2rem}.navbar--dark,html[data-theme=dark]{--ifm-menu-link-sublist-icon-filter:invert(100%) sepia(94%) saturate(17%) hue-rotate(223deg) brightness(104%) contrast(98%)}.navbar{background-color:var(--ifm-navbar-background-color);box-shadow:var(--ifm-navbar-shadow);height:var(--ifm-navbar-height);padding:var(--ifm-navbar-padding-vertical) var(--ifm-navbar-padding-horizontal)}.navbar,.navbar>.container,.navbar>.container-fluid{display:flex}.navbar--fixed-top{position:sticky;top:0;z-index:var(--ifm-z-index-fixed)}.navbar-sidebar,.navbar-sidebar__backdrop{bottom:0;opacity:0;position:fixed;transition-duration:var(--ifm-transition-fast);transition-timing-function:ease-in-out;left:0;top:0;visibility:hidden}.navbar__inner{display:flex;flex-wrap:wrap;justify-content:space-between;width:100%}.navbar__brand{align-items:center;display:flex;margin-right:1rem;min-width:0}.navbar__brand:hover{color:var(--ifm-navbar-link-hover-color);text-decoration:none}.announcementBarContent_xLdY,.navbar__title{flex:1 1 auto}.navbar__toggle{display:none;margin-right:.5rem}.navbar__logo{flex:0 0 auto;height:2rem;margin-right:.5rem}.navbar__items{align-items:center;display:flex;flex:1;min-width:0}.navbar__items--center{flex:0 0 auto}.navbar__items--center+.navbar__items--right{flex:1}.navbar__items--right{flex:0 0 auto;justify-content:flex-end}.navbar__items--right>:last-child{padding-right:0}.navbar__item{display:inline-block;padding:var(--ifm-navbar-item-padding-vertical) var(--ifm-navbar-item-padding-horizontal)}#nprogress,.navbar__item.dropdown .navbar__link:not([href]){pointer-events:none}.navbar__link--active,.navbar__link:hover{color:var(--ifm-navbar-link-hover-color);text-decoration:none}.navbar--dark,.navbar--primary{--ifm-menu-color:var(--ifm-color-gray-300);--ifm-navbar-link-color:var(--ifm-color-gray-100);--ifm-navbar-search-input-background-color:#ffffff1a;--ifm-navbar-search-input-placeholder-color:#ffffff80;color:var(--ifm-color-white)}.navbar--dark{--ifm-navbar-background-color:#242526;--ifm-menu-color-background-active:#ffffff0d;--ifm-navbar-search-input-color:var(--ifm-color-white)}.navbar--primary{--ifm-navbar-background-color:var(--ifm-color-primary);--ifm-navbar-link-hover-color:var(--ifm-color-white);--ifm-menu-color-active:var(--ifm-color-white);--ifm-navbar-search-input-color:var(--ifm-color-emphasis-500)}.navbar__search-input{appearance:none;background:var(--ifm-navbar-search-input-background-color) var(--ifm-navbar-search-input-icon) no-repeat .75rem center/1rem 1rem;border:none;border-radius:2rem;color:var(--ifm-navbar-search-input-color);cursor:text;display:inline-block;font-size:.9rem;height:2rem;padding:0 .5rem 0 2.25rem;width:12.5rem}.navbar__search-input::placeholder{color:var(--ifm-navbar-search-input-placeholder-color)}.navbar-sidebar{background-color:var(--ifm-navbar-background-color);box-shadow:var(--ifm-global-shadow-md);transform:translate3d(-100%,0,0);transition-property:opacity,visibility,transform;width:var(--ifm-navbar-sidebar-width)}.navbar-sidebar--show .navbar-sidebar,.navbar-sidebar__items{transform:translateZ(0)}.navbar-sidebar--show .navbar-sidebar,.navbar-sidebar--show .navbar-sidebar__backdrop{opacity:1;visibility:visible}.navbar-sidebar__backdrop{background-color:#0009;right:0;transition-property:opacity,visibility}.navbar-sidebar__brand{align-items:center;box-shadow:var(--ifm-navbar-shadow);display:flex;flex:1;height:var(--ifm-navbar-height);padding:var(--ifm-navbar-padding-vertical) var(--ifm-navbar-padding-horizontal)}.navbar-sidebar__items{display:flex;height:calc(100% - var(--ifm-navbar-height));transition:transform var(--ifm-transition-fast) ease-in-out}.navbar-sidebar__items--show-secondary{transform:translate3d(calc((var(--ifm-navbar-sidebar-width))*-1),0,0)}.navbar-sidebar__item{flex-shrink:0;padding:.5rem;width:calc(var(--ifm-navbar-sidebar-width))}.navbar-sidebar__back{background:var(--ifm-menu-color-background-active);font-size:15px;font-weight:var(--ifm-button-font-weight);margin:0 0 .2rem -.5rem;padding:.6rem 1.5rem;position:relative;text-align:left;top:-.5rem;width:calc(100% + 1rem)}.navbar-sidebar__close{display:flex;margin-left:auto}.pagination{column-gap:var(--ifm-pagination-page-spacing);display:flex;font-size:var(--ifm-pagination-font-size);padding-left:0}.pagination--sm{--ifm-pagination-font-size:0.8rem;--ifm-pagination-padding-horizontal:0.8rem;--ifm-pagination-padding-vertical:0.2rem}.pagination--lg{--ifm-pagination-font-size:1.2rem;--ifm-pagination-padding-horizontal:1.2rem;--ifm-pagination-padding-vertical:0.3rem}.pagination__item{display:inline-flex}.pagination__item>span{padding:var(--ifm-pagination-padding-vertical)}.pagination__item--active .pagination__link{color:var(--ifm-pagination-color-active)}.pagination__item--active .pagination__link,.pagination__item:not(.pagination__item--active):hover .pagination__link{background:var(--ifm-pagination-item-active-background)}.pagination__item--disabled,.pagination__item[disabled]{opacity:.25;pointer-events:none}.pagination__link{border-radius:var(--ifm-pagination-border-radius);color:var(--ifm-font-color-base);display:inline-block;padding:var(--ifm-pagination-padding-vertical) var(--ifm-pagination-padding-horizontal);transition:background var(--ifm-transition-fast) var(--ifm-transition-timing-default)}.pagination__link:hover{text-decoration:none}.pagination-nav{display:grid;grid-gap:var(--ifm-spacing-horizontal);gap:var(--ifm-spacing-horizontal);grid-template-columns:repeat(2,1fr)}.pagination-nav__link{border:1px solid var(--ifm-color-emphasis-300);border-radius:var(--ifm-pagination-nav-border-radius);display:block;height:100%;line-height:var(--ifm-heading-line-height);padding:var(--ifm-global-spacing);transition:border-color var(--ifm-transition-fast) var(--ifm-transition-timing-default)}.pagination-nav__link:hover{border-color:var(--ifm-pagination-nav-color-hover);text-decoration:none}.pagination-nav__link--next{grid-column:2/3;text-align:right}.pagination-nav__label{font-size:var(--ifm-h4-font-size);font-weight:var(--ifm-heading-font-weight);word-break:break-word}.pagination-nav__link--prev .pagination-nav__label:before{content:"« "}.pagination-nav__link--next .pagination-nav__label:after{content:" »"}.pagination-nav__sublabel{color:var(--ifm-color-content-secondary);font-size:var(--ifm-h5-font-size);font-weight:var(--ifm-font-weight-semibold);margin-bottom:.25rem}.pills__item,.tabs{font-weight:var(--ifm-font-weight-bold)}.pills{display:flex;gap:var(--ifm-pills-spacing);padding-left:0}.pills__item{border-radius:.5rem;cursor:pointer;display:inline-block;padding:.25rem 1rem;transition:background var(--ifm-transition-fast) var(--ifm-transition-timing-default)}.pills__item--active{color:var(--ifm-pills-color-active)}.pills__item--active,.pills__item:not(.pills__item--active):hover{background:var(--ifm-pills-color-background-active)}.pills--block{justify-content:stretch}.pills--block .pills__item{flex-grow:1;text-align:center}.tabs{color:var(--ifm-tabs-color);display:flex;margin-bottom:0;overflow-x:auto;padding-left:0}.tabs__item{border-bottom:3px solid #0000;border-radius:var(--ifm-global-radius);cursor:pointer;display:inline-flex;padding:var(--ifm-tabs-padding-vertical) var(--ifm-tabs-padding-horizontal);transition:background-color var(--ifm-transition-fast) var(--ifm-transition-timing-default)}.tabs__item--active{border-bottom-color:var(--ifm-tabs-color-active-border);border-bottom-left-radius:0;border-bottom-right-radius:0;color:var(--ifm-tabs-color-active)}.tabs__item:hover{background-color:var(--ifm-hover-overlay)}.tabs--block{justify-content:stretch}.tabs--block .tabs__item{flex-grow:1;justify-content:center}html[data-theme=dark]{--ifm-color-scheme:dark;--ifm-color-emphasis-0:var(--ifm-color-gray-1000);--ifm-color-emphasis-100:var(--ifm-color-gray-900);--ifm-color-emphasis-200:var(--ifm-color-gray-800);--ifm-color-emphasis-300:var(--ifm-color-gray-700);--ifm-color-emphasis-400:var(--ifm-color-gray-600);--ifm-color-emphasis-600:var(--ifm-color-gray-400);--ifm-color-emphasis-700:var(--ifm-color-gray-300);--ifm-color-emphasis-800:var(--ifm-color-gray-200);--ifm-color-emphasis-900:var(--ifm-color-gray-100);--ifm-color-emphasis-1000:var(--ifm-color-gray-0);--ifm-background-color:#1b1b1d;--ifm-background-surface-color:#242526;--ifm-hover-overlay:#ffffff0d;--ifm-color-content:#e3e3e3;--ifm-color-content-secondary:#fff;--ifm-breadcrumb-separator-filter:invert(64%) sepia(11%) saturate(0%) hue-rotate(149deg) brightness(99%) contrast(95%);--ifm-code-background:#ffffff1a;--ifm-scrollbar-track-background-color:#444;--ifm-scrollbar-thumb-background-color:#686868;--ifm-scrollbar-thumb-hover-background-color:#7a7a7a;--ifm-table-stripe-background:#ffffff12;--ifm-toc-border-color:var(--ifm-color-emphasis-200);--ifm-color-primary-contrast-background:#102445;--ifm-color-primary-contrast-foreground:#ebf2fc;--ifm-color-secondary-contrast-background:#474748;--ifm-color-secondary-contrast-foreground:#fdfdfe;--ifm-color-success-contrast-background:#003100;--ifm-color-success-contrast-foreground:#e6f6e6;--ifm-color-info-contrast-background:#193c47;--ifm-color-info-contrast-foreground:#eef9fd;--ifm-color-warning-contrast-background:#4d3800;--ifm-color-warning-contrast-foreground:#fff8e6;--ifm-color-danger-contrast-background:#4b1113;--ifm-color-danger-contrast-foreground:#ffebec}#nprogress .bar{background:var(--docusaurus-progress-bar-color);height:2px;left:0;position:fixed;top:0;width:100%;z-index:1031}#nprogress .peg{box-shadow:0 0 10px var(--docusaurus-progress-bar-color),0 0 5px var(--docusaurus-progress-bar-color);height:100%;opacity:1;position:absolute;right:0;transform:rotate(3deg) translateY(-4px);width:100px}@font-face{font-family:Poppins;font-style:normal;font-weight:400;src:local(""),url(/zh/assets/fonts/poppins-regular-f61407da33b59324fbefe468ce6917ab.woff) format("woff2"),url(data:font/woff2;base64,d09GMgABAAAAAB7MAAwAAAAAP6AAAB54AAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGx4cLgZgAIFUCudM0jYLgzYAATYCJAOGaAQgBYNcB4QLG34ysyLYOAAgoXcUUbVZLPs/JHBDBr6G+hIpYlQoaayFQFiGbR8DjCviFJxE41HqT/OOXC0/Z9GQVQfAWhGOAF/O89SlbJ4fIclsS0SNUfbMPgE5dhgAVqioPNrYqNhUZCQIRaCBLIK83W+vy6VjrXTMAYfFIfS65yPR0ziMQaj0M56vY3h+bj1EaSMJC9jIVbCMv+2vgv0FSxg1alhIGl2gBxecx4xqvCi9NvP2XXsT27xJRGharfanif3dB1IbH7D/n1vvG1gi90J+0acoU3UyzKzznZ8Q8S/KSQdFE/HKrFSrbCW+EZMGJ/JOrWFOCzJcLDcqMIye7xUDVgJSUf//a37amcAiFDGyIExnC3pkybH+6s19gXl5eXMmRB9Ln2eT0vLklZIpALkqpMkyJiUkt25tgVyFkF8WZYV0VRkTScF3O1cffLfDNqsTWFV2rwUPIfjECpG7lz5AAVbIGyfmmutgE0hgB8wJNaQ30lgYP+3xQCMZjDoEDzyVUi580bg7SwwCfbU2wM1JQR5DDgSJxZ7llnqObrxHpgXHgAOb7RkL2/gXhVu/D4DXAHqoBwD7DAQKDGCTWIoEB7JEnap7PP3Aas/+DynGHuqZ3u8P+0ZRlopUoQZt6CZzX2tbJVpJTFb5OJJs6W/YeiSlKS9d/6ya+d/8fZ6YS2ftgn326bdP//3yrm98rcc+6yxV+PO3P/P9e2I8D/za2srbgL+A1V8AG18HMDYA+dea0d4dnI0DUjAxhECe4VuLDc7VmwqwYTiuFzfuViWi6aNC0Z4wRhGs1DQggom7F3EXA3Uj7WxnxPmMGXjAq72EYaM9d+AG6ziGD0E2Ej5mwCsAOBXGWG1AYIJtCLwQDEeD1BqU5mmQH15SfTnMYUKO6QE/4F8j1ltms2QsVoSSz4WUYkelXQ/7kGlFRAxAW5s6qQqGsbVQl+8GCZsOFLXw0ul+mnssHngMiMV+wiHwzdVDGrfpDWLDkN8ewxN6ZRvyKaQ6K04Nqc6B6o8yc2SW7XOOuk1FcKA/XlsYa6voyRGelb8acI8ZbnoE+I9bLYFYSdUlo6Miyo+OYJqnPAsyYlzDkHe2VlOgYQcrDqbWBQEPfr7lShm/dUdxu7Up8/IxDbSiNG8zdthTYufBq+u76tI1uHc3vs7tLencpdyDGVdkPq4cQvLkEMhSXsY0J+4dQu0yRz7TZW7mccfhw18fQHPvvAbszInsG2aKiyHGmqz3Yvm3u8vmFpjxaPQezfuYJlpv3PN2ELEgVO3vPWKl2Ow/IpRJqDdPE8JqY3cYGuq1ECiB1yW0RVSa66GOdCXTLnh+xxeZ2xOqquVBgJFiAV77CqaFeYl2Q3S3BeKrdnAR3ZBPYM8o7ibQuBGK9xO3wKqYDmUkxZX+YNiXA09cBmjYPgA3eC8JPjEQxkjfWNFnGY2x+ej0ZGhv9VXwYAX9XZ1h53rzljTYf774b0vaBdtfcXWQxtyLpkaMb6v1GUsdrpV5ajkXRww17Pu1Ak3yTzYCGLr8Iara73lF7Cb+vtFNzajk4iaA8ltEQiOf66wxQAem4oXOWNTna0SswZSLr69zS/jeLLVejEOPPrPCBwhciHFchPFxIsHeTycPj9TzLzASCiQQ3wskAX5KdXKVa1sfQ/sqkMZ64u7bhwtw/U8GOoEbFSSWFLQnxd1WqtNBLxi8rBazf8BSfI/jBekq6kcBa1EXlt6oSzrtaXe+aXn1zDSw+t2F0YBoSCOqvK6Ty82lpKxNRobfRmluFw/KDLgqURpESW0OWpuaXaHkb7VmE8MOcR+a/dhsTsOYCArwsIQcjWl06SjVvNzhISxlLRqvol7V9Uvp5h+XUC6iUmapwuGiAxeC1khAQZdBxgFmUTC3Z4yjPVCczdRKlpb1KicmRnbBwTOOKbXkmmPFA5OJDMkKWz+t9i6mbI/as3b5+7k73N1wNPu9xjdrpg+sMm01qiKDGA5cKAYnIcm+Qfh+uhwzPoM6yGjV7B60MOvA1XEKSqIe0eUd09HDQqAknanN3NpKivMX9BiYBbda9g9oXcV/PqUdinIHcm/0xF16f7v01DQjzirvp4PZFBDVvuQsuKo43h6x4onbhb8L/aorsWA7vreavOxZrXrFsTJEMSfmbtxnkGGNSLjUx4n7KqyizvGq3pG6UbpMYLQKzia0LJaGR1CpXzjijsrdmFQNi3l3ZYBXuX+Llw+XK27BoJFUN5uJGbP5AMzwbSAAsF0Rv6p1ZltdaUBWVzRXCpFiUgwe6Baj927ntwXVUyMpM/vud4ksUyM6kqSZVDs0S3iuldjWchysX2vbV4o/Pz8amoTijmvhaPWLd9VIgu1A/oldyDH0JWVzJzxjd0w6fMbXH0zOZ8+5usPgm5jaIvuHGYtiiiYCEnuoL1AdNtUB41RrTZ7Prwsb3D4W0uh3f+8i9Y0bosq9ebt7S1nLbRmg04XpC671CTyK/OjbeAPmgF2YeccypeMa1gKZ9E8jw7TT55F7FR2oTczlzcGotU+MVuoqoXw1TPk9a1bQ3tfBEjN7MCtjyfklpqmKJbbc34qhy8Q7eToWpjQGEGGJrZnakycxfRbZY43YyZIvHGjmrkwH3GX9ieY2bjaGtjSmpnJoafqeSCs7vP/AmRVQ5uYueAgyd/6U8/Ce98r/4CsiEQrURcQ8yxIrH6kYK037PryUXX1DSGoin9hSaDQjFAbj+CSei/XKrsvfazl9OA8ULAsnF+SYtWHLOyPlaySB9McWn9vqi5Rydc4BO8Wx7X4x481Yc106vl4c+4xeZM3i0C7U4fBplHqWdJI9w+dIizb5C8c3+c+W/s1fAWyvmjjcoH8R8PSKF/buAQYf8Vni2k1zcVt5+eRRTQvCvnyhGrvdSHxMpO0f+ipWFcWyWH3YgmF3OGGrEXByld91/lvL+Y5FK7ufR6crNdA/dFvx3trsWXx1L772EFa64hj34WLmJ78Qxmfiq3ku6j9tjemYFnMBbJS2VsycEIoo1+qL53Lh/wMrVnnuOnTikosR+44dGJUxlM41kdlU4FBuwQ31zIAn1EjHa7nrvNj5pOtpV0HbfVdql/aCfyuO6xX04YiLwnDUwrSZlLWD5ZDYebCxYV9c+xxqTqCguAXT+t+Kts5OICnYBGqxYfM2RfN3UMFKB0aj7MClv7cY2Vv0Qy834/a5ps7PZzGMEF78qaPzfxjAib6kF/C4RcYRSkaGno7qZohKB/HLxyWd4Sef+fFgBxou5nwzT7e+8KwV9AakNuq6Xfl63b7m+boXN6rX5w0wZBHB4mAKYvV0vT2+1g/UHmZV6nvRMD2KqRLoa0LOQUa60RRX6opXeUSMPS+FwwzZDJUwMmp5zZ/Ue5QfD3CEeFJv+D9QUK/XCQR6nUSaGKTyuSui9n1+07HVeHw4O7sGh2/O/u9whaDLSnT6BoZqRzMe1zw4mt9WwG9H0PVkBVRN4bgFCkO1buKro7lYrMyYV0TXFuQpxyMJn3PzU1AT4suuXhsrrvXqFw4u2bBhvtBSUHHpcguxnG1SS0D8N+OSz/BTzoA7SHnWnn01hWUl7sRwWU3u5vXl6cFQohsQoomCHn39Zh/FkI1yKK/v2/PtN+Z2gvaNKME85nxGjmiydegq1ZBVk2254nnMeUVo0TTb0NXwsNXAJLt9z3zvlvpWv7n/NuiaHk7hQilAO0gac88Y2T0cbbMPH2UD3HHhYwvms8e+nvDx+Qt22LPBMmayTCGWINnAah8zRZeIgfBHzw5yWoyHbjpawVfdi9u9i6RCnlImUZoGyGyx4ZYpgdLJtX6jd8P0Ro/GBv8qBKLJLaVBiZdINtJ4suIFgwRDVU6YSbGXUhTls6vjA7YKo0omgyCWyicMpMJpCHCyeDQJX8BT8QPFIG+L1PWw6ge/1r/VvjX2YkrTYJDU4X4QLs6nGksl2EouRKutFhpCbRWDi4vPGfkCrdal0WhNGpqGPNay5htwYGV9sXUO2OArZ4lKp7bUSqgV5Xy4tB7BbZ0UBt5wKFFn+nqFKhsvo8BWl0FmsCg1WpsavJ8/er4jvb1dcx/MXcg2cug0SzkZhrFUdAudxbWYbkAusZBf0kCF4Toq7IRiufv6kLtaoUyKufMYBrFIbJAwfj7hlEgFdvX6yixWC8SITAUOzYG4PKOmLWYt7CFzxGV0dkhVMa29bkHNt73N2O3lZmewtireZLq61GyQq4wILDNYIYXeqgGS2U8fPn1Q/+zBs4eg8n91VMffGbLAaciS+u474Tk+JewKtfnDA1za2I3jfWG2kSOXcnkyEcvCodm9JKHtrOj7sJ7W7UbrKp+WssRbLCLrWf+4SDTY4tCqeG1hjdydKf9CS8rMHsah5bNU4+sYHRsWL550pK7i7BTQsXnRIpc867ANXVGxTWdb5V/Y9tcfM5dIBCoqxk6nMgRUIsTIc5BpTgr4ax2xaF3Jh97Q+94S/YPp7ulucLXkV7SikEYzBYmygdH3ch+epCXzRDpPDHqtQMqm0bhZtPpB9lQ7k6UViTe93goKTyDbNiGeus6qXH/VlUoxrKgXC5tMRiD5V6SAK0VXqnJ9nZV1nk12ZGsQrO7bZbJtrKiwbdhlqOuP9s+qWriorX3R0lnN6Gawu/rvz6rPT8epJh2YpAJ3+pSEf18rX7OQKHA8vlQlUigaRKImg0E0rUGkCHZMSSodo5wkizcji1YaHJ7NdsfWYNCxbbPdE+6qyvWBQF8U4fg4SBQh+8hgd18UiYK9fbGWUNBqC5UhyAAChTKOEAvOTuDykCginiiqZzt4CNiteKnURhFAGtDbiwx8GCv4Y+AgpNf7P3uy1SJVhRjkAFJVUIiAvLjNdse24VQvbYBsLS1FNDcvpGkQi6YbTaKmerFSCQTdZLSR/z2sABNWNtZNnYVCor82Tq2172iWC7ltK2aBWWBax7x5OJqns0n91s0wrqc7tJDVWsHz7QoO7RxXPR6J/qqtpNEQNmSoMgzvRrUGZikVEJcHiVWzwIO4SiLXkuARyEQSoVJAyf9KmN4sGW5AsWAhk2ktI0i8TZ54nV+u4HCZchYtt+evxZIRRjQbFlFoxaEiCLzrUx4JI+GjSrCzL+q0F+t1bOeMIn1WaWMjU6lUNpJGax9Y0BfXFzIpz32beToBe1n0fF9wK3E30Q9ORD2rNbs1wc3wGhiEkNtI6a6hm4YGbiG3HcHdwzYPCwJq329fxSPxv38V2Fui6gVrNSbtMUifpdEegMDI5btU7vNuuLcEHOwcucJmp3aQFe2FA0+7qhe073H9k2z+N9n97XrQlGMaZQIPl0hu1WpBYam4uVGqgELcTX4H2hHsKefJFRG5uM14lUNCTEQKxUiQdh6f5DA+yEZUJw+cfFzBlSojUnGzyShua5Qr5OXcngDyAMmtr/ieIlDIX5rJDi6PFY0jyh+i5slSTaDdM8riva5jcjTucq/PXaHhaIt+9442dvh9mlxe3GKZTFWloIp1NdvxwFG6JaR2R+OrSZCC3T9Q57dDbA39k3e0psPr1UyVSlvNZnHLVIlOM0ksaFQ5ZTilJpcoLbHGqe0Ac6++H+mXq+R5DpcpBHOG0PPqQQRbjsGqE1X8hkahtnJxIMVq/9XJEalcTnN9T4g/CmrC6xxd/H4s63gdzkdlhGCxnW7QW+SQqdhCQB4gQzpdODbwNO1eE2BsaAQNfE0v/+uyYF8oFGI5TZ2b+wi9FgEtd549/5/dNzeet8QMGzAC7P6dJnsAyAPwPiqT+63qLFK50W7B369lBI1ou+y4ImmIuz4U4gvBQdy0yXVjQdml0nQ6cAzwOKFJKms1m6DW6RKNhmuAWsxmZWuLVEPUmnFURCSiIEYsiWzAkp4NxERE3wpOPCqXhkn0qsy+U4+EkHwkUF8JIFBV/ukLsdDvyHeENlbwISgCfcPRdzaKwJW2dlchgkaKwdUEXyETznIxJBQG9TAK/Vw07CqcSRfQCklSJJ+NhJFYLVL4O420NntstuS/HsUEdQyOJLfns8HBe+L8YYVitQFWSXViuUo+D5m3WAXIKDSiX+vAMwQBKisEC+00vd4iVxiLLTiQZuy86rmDKt9tvIBch+5CuTq+Nv8bdO1FOadfnH3ROePStEugou1i00X3l0O/HFnadmHaBXfPkC9HATRq1PZcV0X8D+MDew92HgRLlINVEVXiogRlrRKUrQmMsOQmIokeLKRTSVjagjxD/vh405BEN5ZGlVUMqKDKadhE95B40/h8Q16BliXRqSBsoicRybUERoAjIWQmAj7z2B3y3Sq7r3LAm1s/dtvW5kfDM0RcSdrSSEbt8eafRmYYuGLQTVFJmqGedRVcgJNeeEGzFqZvMScoajyWOBfdVZEwaUFFBTcnOOgOD0VexgmQ+aiqiAu7SiwWlxsGmQr4yItN+WZ+RketADnxU66A7vJSBMGqSGyxKUMk57MgsSzr/t0Tgu6ODLcMBoc5n7rmHnzE4uzrWtv1I4f38eLaS/vY7EOXTJ3J/DmRI0VFPZjCRQzGdAxY1TxXtC9me9458bmNyMbDLu+bvTGiuTuYwS739vwEQZx4LDIVsSch0xAQlS8mYIhyRwHP0WCJUSOc3Ux6Fyb9lDjzZSDLa5QxZBbRiPxF9RvyHfXWAZg9Iw4UZGyZ9dKf6atVahaP+lCrF0rFGhGRrOdLJBohEdCqHo0Z83jM6Me0waPRC35Uf2rhaDMGPDu60W7ZUlrKSPRAEMSqRevcg468uRrFQpdTsWiu1umYoyXd6bLt5mgcXIO3iFkmk2lbL4OjqtKNFJvGG5ArZdbqUBMH+/6saYSsSg2DTClGr8ISCCL0YC7kgjgf+7njiTAeY6ApmXwxgcgXMZmwIRL4QiZYMMndXY8o9naPQFzdQfv30gBnzy1kwX0IMI4jVIqDxaI4JcxiT6JTcBjZ8hobolBwClJYCODpLN7faiky/ELQDtdR75Zkd0xsTCtI/jc5+Z/kAlBzSlIiAWPtXrdG43FraTitDkPRlJToUhksAQ6rloLJXoTDHWWBtsn7b6o/qW/vv61SXeYu3deCzHXsGGqlNSlz/NjLqWldeYoJYjabKeHjcw/EaorAxEUQncVQsTETUr8bEFVOKICLuByoiAyxEseOS05Lw4zDEAvGp6elfhyX8adYCh4euVUrudUEilBoxL/SRefmi8YLWPZ8O9ZqQuRyQ7GFAOL0Veoq/YTkyKSw3T65tuE9+I4hpRAJ4iJ6PduT9Xta6u9Z5ClcIUibzWgugfJBppSgN2GpNCOWDHQa0WDCYaABt6J5TIEQT+AJ2SyugIAXCplgRa63u3i182O6PfcxkMPj3n1BikQtkejuBqIUkn5XuPGZ5xEx0l3dHQbFs+m1d/624sqotSp6sWU99kDMHISWGVFzR3RVA2FAF+GMPozjOVdbz/ra9wpgap98lH18lQFF1idb1vnmRXughsXLf1sGbkDh6u1GIasq/PG0Let451bZBy1zGDd4gwHvGUFngFtXbT/JarJS+2fWLVzW3r5w6azmf46Zjv3bDH5ZuWlVDzYt69ev2wD1ICbfuAks1HXjmqAQcub8mtyTPLGyJLQZP00eEPqykwfP0eXVi8UMTwDYEVNOg8KnXu8wAyYM9DELliEHkKWzrj5wO9sgCZcHSVWz4mYB9sLGhgapF0dWYYkE0bJdTcPG/CwYDaUKYTbktxVbq9xxRkdmJ5mQnoc+6NFlSNh4lFEwIXkcTkLmLF6Si5CA8FkK46ScptHmYQVG+o/e0ZoWr1tcwz1Vrg3dqOBJPYnaJc2TpLC4jDEwAAdkVfPgBgm/EXIK8LAunwSVIXGalj5yhtY8J5kBtWLf6YaMVDd4rXFkEdw5FZK4EMSaqjV7Xr+bwPj+WEi+pFmh1zbJJO1mo7R5ihSexEUmuiRwG4bsnPi51VlnbsdQnBMRrYlAdgqFJKcRTyYb8ES7UERw6YlkQI1XqGv/WKf+rP6DmTsyGH7zZbaH5VPMzKOgbxTKNa+yvexwY6YBBaNHeMOJTkS9lfkYqTCc+co+FJFCj+sAx/8sl0CBxucJCsk6m5C/EGq98xDZjfKplvpB+yf5p5djocbFufI5aptrgx3ZFixFtsoinLa5qlzZ/Eb5WEdQNO2XhRHTDAat4Wen2QLB9RRGb6ze7VBwwsmP41M2yJ5MnCpTaaaFS7UpJ0uHfI5IYU2jWBhRbn5gxlOcIhHZYcKRSAYmjulpcOjxpDoUTqPJJ8pLkIF6O1jfOc8EzTPMNUDgwepzeFw/gdCPw58jKh6npj5OT38yLc2TdJC6VJo/ch+m3z54eARN1ZtfG1wa966glkAODRSvUA9RA/LSleof1WD67aD7NyGw9wWGDQWAWceEBWcM/lYc/eG3eBCjLvTzScHaGzIZhfq2oVxGpZRYDvO2ZgBvoyuiyP5uBMNUlcJLlTm+zsraxm/asio9AmNBRnqekV8yGiqpnsXR1nZW5fgrL1cIYVOTOUP1H/9jXvp4+gfBv+MUTQY9SDv6nGHOh0Ce5WBRiRh8rvxMqRgQKypxViaFk8D9FerF6lMIqMvvwAHDAUtvWvKWPFZmnZYvDBDaDlS4PB2b3Z+c6F7tsqUpKcvFfrnlC7nx7eize858uTZVynLhG214nVi5nq+lLJf582gzf2KkSTkPOckX1IkHKcvFU7nlr9HGk0oGJlKGlFHJQIFxqJxbRAkZaLoCpKQsF9/JLT1yY//os34nJNe+lrJcrB9trBVPXKH0/5e7YBn5YZD5nukn49zEDFg0HRIfSVkudsotG0cbO5gNhEMBkDJwCABmEQFzULGVBE9QeGFk/XUdNNzBZGAmCcWXYvQwLy8Bz4Vxusj/33zzkJJ5CbAC5XxWws73djVb6qx1qqiyb4uQVJ1ZLgvoK2Nz4m5zF7vLGnaCGsh7Y7O7zVgmHvgWfgjPp1AX5wbOV2LAiI/9/CiGme/6J3iJqy0AI8uoRBsH3G0InSOBnmW9hje1jiFkaJ+6z7G7xEliQpoAGdqn7O7UtSHgXQLKeUEBALvA8yLMY3QytG/cVxvyE2i+LWUMGdqnxrtSFhaao72g2IWZueNYo7J7zjpeI9q0ZOvoFgMsypIrnzV/G63l/JcQO34E+PLN5QDwzRb636dHn04lxS86rpkMNSMEv1uqL3+UGfCuGnKlz7mv8xLiWflW7wm2oKEGJKvVOH2jsL/LsRkqZ1SqRzYrf+B2L6sz83PzsNyAzQ9obcCLQG75KFUjNSJ/Sis6Da+cbFmdhNNGCrdhkyBVDFNvCnQsV1PUxytQt8lqgHoM1O1J6sa4zVvqkaTbXmqvscUIBbWG82WMOG1yVMiIHBFDHCWU1FUVZsfL7naq7jBmXJPaKrhCRsYmxGe3mV2mA9WrG5HTH4USI/KNYDirrpsgCJVtUUg90tahi3nezoeNhbR6URxo6xtmAZoBidTRJMNUymgrqCQp44yU/GBwT0u1DxXkilBQ/KpH0nh13OfbtYSthG06fo3S65e7fPiwpI40pJyQlctwnacAnoN8Qk2H4VlnXLvZojQhsFRvDO9M6ppMdAshwwx3Snp6WedPbqvcbofuaajGG2B+nG9tY4YUOThjArCJ1+IHzqc9r3pbogy40NIOpUJRcjATAJBXaztxMDvOaMAiBY4sKoE/dGMzjAz4JLuUZqkIEgjkAPKCBMtx6XgwixgwvpeZIsO9MDQPomp3gkcE7HtpvMNMB+bnNElDz8C4qm1grBQ2aXCYPzmPJY6T0sdgmeaBz4sXQAzwtZVSsDgKKooDHgcMCCxzL5ZatBx4wy2yrRIkIrq/trXZadrWrsi1rYPXHXHG3HQSHNuBpzVsnjXqsRAUafepE/JIwzMSr55UEglHSGluQi0ZmE642bJGSHU7jkFgJJFPxFM3jAqPiIg6rswvgoKJjBZbJkCtmeNFeDHueYxUnKJTlkBLF4d0loz4ls5k8qwDg0Ga1BEpj1MfdVooIrRs0VBnnY9TtlToIR3hHYt9wqoQ8iT4TBhRza/OFHCGaSswwPN+zneQTf01kGaw/WXSf3LcPLx8/AKCQsKGG2GkUUYbI1WadBnGGme8CSbKlCUbClqOXHnyFSiEgYWDR0BEQkZBRUNXhIGJhY2Di4dPQEhETEJKRg6ioKQCU9PQ0tEzMDIxs7CyKWaHcHBycSvhyUCfZpjpsFX+Mssi823UaUcGeXNfh+Wee2Fh4rw46SfPbNLllZde2+YL553VzctnCb+LAs654KpLLrvib0E3XXNdj1JPLXXHLbeV+dcjc5ULqVClUrUtwmrVqFMvokGjSf4x2VRTTDNdkz5btWjWqs1/Hjvgri99lXgXP+r3tW/s951Ten3rtNn2OuKoQ0nw4UkSF912LwwPEN8VH3kmRCReEROXZPA1rZV8LR74/5ThpJVMHs8BAAAA) format("woff"),}@font-face{font-family:Roboto;font-style:normal;font-weight:400;src:local(""),url(/zh/assets/fonts/roboto-mono-regular-498042b7fe9cd07b4fd11a0965093e55.woff) format("woff2"),url(/zh/assets/fonts/roboto-mono-regular-535bc89d4af715503b01afd761501e58.woff2) format("woff"),}@font-face{font-family:Lato;font-style:normal;font-weight:400;src:local(""),url(/zh/assets/fonts/lato-regular-292725486219768e62259f7286dc73cc.woff) format("woff2"),url(/zh/assets/fonts/lato-regular-be36596da218e1eec01c5c600b1c13ef.woff2) format("woff"),}[data-theme=dark]{--ifm-color-primary:#ffc61c;--ifm-color-primary-dark:#ffbf00;--ifm-color-primary-darker:#f1b400;--ifm-color-primary-darkest:#c69400;--ifm-color-primary-light:#ffcd38;--ifm-color-primary-lighter:#ffd146;--ifm-color-primary-lightest:#ffdb71;--ifm-color-secondary-dark:#054a6e;--ifm-color-secondary:#06527a;--ifm-color-secondary-light:#075a86;--light:#33313b;--dark:#f3f3f3}[data-theme=dark] .footer--dark{background-color:var(--light);color:var(--ifm-color-primary)}body{font-family:Lato,sans-serif}h1,h2,h3,h4,h5,h6{font-family:Poppins,sans-serif}code{font-family:Roboto Mono,monospace}.navbar__brand{height:40px}.btn.navbar__github{background-color:#384745;border:2px solid #384745;border-radius:3px;box-shadow:inset 0 1px #ffffff26,0 1px 1px #00000014;color:#fff!important;font-family:poppins,sans-serif;font-size:1rem;font-weight:400;line-height:1.66;padding:8px 20px 7px 47px;position:relative;text-align:center;text-decoration:none;transition:color .15s ease-in-out,background-color .15s ease-in-out,border-color .15s ease-in-out,box-shadow .15s ease-in-out;-webkit-user-select:none;user-select:none}.clear-btn{padding:100px}a.btn.navbar__github:hover{background-color:#273230;border-color:#222a29;color:#fff}a.btn.navbar__github:before{background-image:url("data:image/svg+xml;charset=utf-8,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 20.5 20'%3E%3Cpath fill='%23fff' d='M10.3 0C4.6 0 0 4.6 0 10.3c0 4.4 2.8 8.3 7 9.7.5.1.7-.2.7-.5v-1.9c-2.6.5-3.2-.6-3.4-1.2s-.6-1.1-1-1.5c-.4-.2-.9-.7 0-.7.7.1 1.3.5 1.6 1 .6 1.1 1.9 1.4 3 .8 0-.5.3-1 .7-1.4-2.3-.3-4.7-1.1-4.7-5.1 0-1 .4-2 1.1-2.8-.5-.6-.5-1.6-.1-2.5 0 0 .9-.3 2.8 1.1q2.55-.75 5.1 0c2-1.3 2.8-1.1 2.8-1.1.4.9.5 1.9.2 2.8.7.7 1.1 1.7 1.1 2.8 0 3.9-2.4 4.8-4.7 5.1.5.5.7 1.2.7 1.9v2.8c0 .3.2.6.7.5 5.4-1.8 8.3-7.6 6.5-13C18.6 2.8 14.7 0 10.3 0'/%3E%3C/svg%3E");content:"";height:20px;left:15px;position:absolute;top:10px;width:20px}.header-github-link:before{background:url("data:image/svg+xml;charset=utf-8,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 24 24'%3E%3Cpath d='M12 .297c-6.63 0-12 5.373-12 12 0 5.303 3.438 9.8 8.205 11.385.6.113.82-.258.82-.577 0-.285-.01-1.04-.015-2.04-3.338.724-4.042-1.61-4.042-1.61C4.422 18.07 3.633 17.7 3.633 17.7c-1.087-.744.084-.729.084-.729 1.205.084 1.838 1.236 1.838 1.236 1.07 1.835 2.809 1.305 3.495.998.108-.776.417-1.305.76-1.605-2.665-.3-5.466-1.332-5.466-5.93 0-1.31.465-2.38 1.235-3.22-.135-.303-.54-1.523.105-3.176 0 0 1.005-.322 3.3 1.23.96-.267 1.98-.399 3-.405 1.02.006 2.04.138 3 .405 2.28-1.552 3.285-1.23 3.285-1.23.645 1.653.24 2.873.12 3.176.765.84 1.23 1.91 1.23 3.22 0 4.61-2.805 5.625-5.475 5.92.42.36.81 1.096.81 2.22 0 1.606-.015 2.896-.015 3.286 0 .315.21.69.825.57C20.565 22.092 24 17.592 24 12.297c0-6.627-5.373-12-12-12'/%3E%3C/svg%3E") no-repeat;content:"";display:flex;height:24px;width:24px}[data-theme=dark] .header-github-link:before{background:url("data:image/svg+xml;charset=utf-8,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 24 24'%3E%3Cpath fill='%23fff' d='M12 .297c-6.63 0-12 5.373-12 12 0 5.303 3.438 9.8 8.205 11.385.6.113.82-.258.82-.577 0-.285-.01-1.04-.015-2.04-3.338.724-4.042-1.61-4.042-1.61C4.422 18.07 3.633 17.7 3.633 17.7c-1.087-.744.084-.729.084-.729 1.205.084 1.838 1.236 1.838 1.236 1.07 1.835 2.809 1.305 3.495.998.108-.776.417-1.305.76-1.605-2.665-.3-5.466-1.332-5.466-5.93 0-1.31.465-2.38 1.235-3.22-.135-.303-.54-1.523.105-3.176 0 0 1.005-.322 3.3 1.23.96-.267 1.98-.399 3-.405 1.02.006 2.04.138 3 .405 2.28-1.552 3.285-1.23 3.285-1.23.645 1.653.24 2.873.12 3.176.765.84 1.23 1.91 1.23 3.22 0 4.61-2.805 5.625-5.475 5.92.42.36.81 1.096.81 2.22 0 1.606-.015 2.896-.015 3.286 0 .315.21.69.825.57C20.565 22.092 24 17.592 24 12.297c0-6.627-5.373-12-12-12'/%3E%3C/svg%3E") no-repeat}.docusaurus-highlight-code-line{background-color:#484d5b;display:block;margin:0 calc(var(--ifm-pre-padding)*-1);padding:0 var(--ifm-pre-padding)}body:not(.navigation-with-keyboard) :not(input):focus{outline:0}#__docusaurus-base-url-issue-banner-container,.hideAction_vcyE>svg,.navbarSearchContainer_Bca1:empty,.themedComponent_mlkZ,[data-theme=dark] .lightToggleIcon_pyhR,[data-theme=light] .darkToggleIcon_wfgR,html[data-announcement-bar-initially-dismissed=true] .announcementBar_mb4j{display:none}.skipToContent_fXgn{background-color:var(--ifm-background-surface-color);color:var(--ifm-color-emphasis-900);left:100%;padding:calc(var(--ifm-global-spacing)/2) var(--ifm-global-spacing);position:fixed;top:1rem;z-index:calc(var(--ifm-z-index-fixed) + 1)}.skipToContent_fXgn:focus{box-shadow:var(--ifm-global-shadow-md);left:1rem}.closeButton_CVFx{line-height:0;padding:0}.content_knG7{font-size:85%;padding:5px 0;text-align:center}.content_knG7 a{color:inherit}.announcementBar_mb4j{align-items:center;background-color:var(--ifm-color-white);border-bottom:1px solid var(--ifm-color-emphasis-100);color:var(--ifm-color-black);display:flex;height:var(--docusaurus-announcement-bar-height)}.announcementBarPlaceholder_vyr4{flex:0 0 10px}.announcementBarClose_gvF7{align-self:stretch;flex:0 0 30px}.toggle_vylO{height:2rem;width:2rem}.toggleButton_gllP{align-items:center;border-radius:50%;display:flex;height:100%;justify-content:center;transition:background var(--ifm-transition-fast);width:100%}.toggleButton_gllP:hover{background:var(--ifm-color-emphasis-200)}.toggleButtonDisabled_aARS{cursor:not-allowed}.darkNavbarColorModeToggle_X3D1:hover{background:var(--ifm-color-gray-800)}[data-theme=dark] .themedComponent--dark_xIcU,[data-theme=light] .themedComponent--light_NVdE,html:not([data-theme]) .themedComponent--light_NVdE{display:initial}.iconExternalLink_nPIU{margin-left:.3rem}.dropdownNavbarItemMobile_S0Fm{cursor:pointer}.iconLanguage_nlXk{margin-right:5px;vertical-align:text-bottom}.searchBar_RVTs .dropdownMenu_qbY6{background:var(--search-local-modal-background,#f5f6f7);border-radius:6px;box-shadow:var(--search-local-modal-shadow,inset 1px 1px 0 0 #ffffff80,0 3px 8px 0 #555a64);left:auto!important;margin-top:8px;padding:var(--search-local-spacing,12px);position:relative;right:0!important;width:var(--search-local-modal-width,560px)}html[data-theme=dark] .searchBar_RVTs .dropdownMenu_qbY6{background:var(--search-local-modal-background,var(--ifm-background-color));box-shadow:var(--search-local-modal-shadow,inset 1px 1px 0 0 #2c2e40,0 3px 8px 0 #000309)}.searchBar_RVTs .dropdownMenu_qbY6 .suggestion_fB_2{align-items:center;background:var(--search-local-hit-background,#fff);border-radius:4px;box-shadow:var(--search-local-hit-shadow,0 1px 3px 0 #d4d9e1);color:var(--search-local-hit-color,#444950);cursor:pointer;display:flex;flex-direction:row;height:var(--search-local-hit-height,56px);padding:0 var(--search-local-spacing,12px);width:100%}.hitTree_kk6K,.noResults_l6Q3{align-items:center;display:flex}html[data-theme=dark] .dropdownMenu_qbY6 .suggestion_fB_2{background:var(--search-local-hit-background,var(--ifm-color-emphasis-100));box-shadow:var(--search-local-hit-shadow,none);color:var(--search-local-hit-color,var(--ifm-font-color-base))}.searchBar_RVTs .dropdownMenu_qbY6 .suggestion_fB_2:not(:last-child){margin-bottom:4px}.searchBar_RVTs .dropdownMenu_qbY6 .suggestion_fB_2.cursor_eG29{background-color:var(--search-local-highlight-color,var(--ifm-color-primary))}.hitFooter_E9YW a,.hitIcon_a7Zy,.hitPath_ieM4,.hitTree_kk6K,.noResultsIcon_EBY5{color:var(--search-local-muted-color,#969faf)}html[data-theme=dark] .hitIcon_a7Zy,html[data-theme=dark] .hitPath_ieM4,html[data-theme=dark] .hitTree_kk6K,html[data-theme=dark] .noResultsIcon_EBY5{color:var(--search-local-muted-color,var(--ifm-color-secondary-darkest))}.hitTree_kk6K>svg{height:var(--search-local-hit-height,56px);opacity:.5;width:24px}.hitIcon_a7Zy,.hitTree_kk6K>svg{stroke-width:var(--search-local-icon-stroke-width,1.4)}.hitAction_NqkB,.hitIcon_a7Zy{height:20px;width:20px}.hitWrapper_sAK8{display:flex;flex:1 1 auto;flex-direction:column;font-weight:500;justify-content:center;margin:0 8px;overflow-x:hidden;width:80%}.hitWrapper_sAK8 mark{background:none;color:var(--search-local-highlight-color,var(--ifm-color-primary))}.hitTitle_vyVt{font-size:.9em}.hitPath_ieM4{font-size:.75em}.hitPath_ieM4,.hitTitle_vyVt{overflow-x:hidden;text-overflow:ellipsis;white-space:nowrap}.noResults_l6Q3{flex-direction:column;justify-content:center;padding:var(--search-local-spacing,12px) 0}.noResultsIcon_EBY5{margin-bottom:var(--search-local-spacing,12px)}.hitFooter_E9YW{font-size:.85em;margin-top:var(--search-local-spacing,12px);text-align:center}.cursor_eG29 .hideAction_vcyE>svg,.tocCollapsibleContent_vkbj a{display:block}.suggestion_fB_2.cursor_eG29,.suggestion_fB_2.cursor_eG29 .hitIcon_a7Zy,.suggestion_fB_2.cursor_eG29 .hitPath_ieM4,.suggestion_fB_2.cursor_eG29 .hitTree_kk6K,.suggestion_fB_2.cursor_eG29 mark{color:var(--search-local-hit-active-color,var(--ifm-color-white))!important}.searchBarContainer_NW3z{margin-left:16px}.searchBarContainer_NW3z .searchBarLoadingRing_YnHq{display:none;left:10px;position:absolute;top:6px}.searchBarContainer_NW3z .searchClearButton_qk4g{background:none;border:none;line-height:1rem;padding:0;position:absolute;right:.8rem;top:50%;transform:translateY(-50%)}.navbar__search{position:relative}.searchIndexLoading_EJ1f .navbar__search-input{background-image:none}.searchHintContainer_Pkmr{align-items:center;display:flex;gap:4px;height:100%;justify-content:center;pointer-events:none;position:absolute;right:10px;top:0}.searchHint_iIMx{background-color:var(--ifm-navbar-search-input-background-color);border:1px solid var(--ifm-color-emphasis-500);box-shadow:inset 0 -1px 0 var(--ifm-color-emphasis-500);color:var(--ifm-navbar-search-input-placeholder-color)}html[dir=rtl] .searchHintContainer_Pkmr{left:10px;right:auto}html[dir=rtl] .searchBarContainer_NW3z .searchClearButton_qk4g{left:.8rem;right:auto}html[dir=rtl] .searchBarContainer_NW3z .searchBarLoadingRing_YnHq{left:auto;right:10px}html[dir=rtl] .navbar__search-input{padding:0 2.25em 0 .5em}.loadingRing_RJI3{display:inline-block;height:20px;opacity:var(--search-local-loading-icon-opacity,.5);position:relative;width:20px}.loadingRing_RJI3 div{animation:1.2s cubic-bezier(.5,0,.5,1) infinite a;border:2px solid var(--search-load-loading-icon-color,var(--ifm-navbar-search-input-color));border-color:var(--search-load-loading-icon-color,var(--ifm-navbar-search-input-color)) #0000 #0000 #0000;border-radius:50%;display:block;height:16px;margin:2px;position:absolute;width:16px}.loadingRing_RJI3 div:first-child{animation-delay:-.45s}.loadingRing_RJI3 div:nth-child(2){animation-delay:-.3s}.loadingRing_RJI3 div:nth-child(3){animation-delay:-.15s}@keyframes a{0%{transform:rotate(0)}to{transform:rotate(1turn)}}.navbarHideable_m1mJ{transition:transform var(--ifm-transition-fast) ease}.navbarHidden_jGov{transform:translate3d(0,calc(-100% - 2px),0)}.errorBoundaryError_a6uf{color:red;white-space:pre-wrap}.errorBoundaryFallback_VBag{color:red;padding:.55rem}.footerLogoLink_BH7S{opacity:.5;transition:opacity var(--ifm-transition-fast) var(--ifm-transition-timing-default)}.footerLogoLink_BH7S:hover,.hash-link:focus,:hover>.hash-link{opacity:1}.anchorWithStickyNavbar_LWe7{scroll-margin-top:calc(var(--ifm-navbar-height) + .5rem)}.anchorWithHideOnScrollNavbar_WYt5{scroll-margin-top:.5rem}.hash-link{opacity:0;padding-left:.5rem;transition:opacity var(--ifm-transition-fast);-webkit-user-select:none;user-select:none}.hash-link:before{content:"#"}.mainWrapper_z2l0{display:flex;flex:1 0 auto;flex-direction:column}.docusaurus-mt-lg{margin-top:3rem}#__docusaurus{display:flex;flex-direction:column;min-height:100%}.tag_zVej{border:1px solid var(--docusaurus-tag-list-border);transition:border var(--ifm-transition-fast)}.tag_zVej:hover{--docusaurus-tag-list-border:var(--ifm-link-color);text-decoration:none}.tagRegular_sFm0{border-radius:var(--ifm-global-radius);font-size:90%;padding:.2rem .5rem .3rem}.tagWithCount_h2kH{align-items:center;border-left:0;display:flex;padding:0 .5rem 0 1rem;position:relative}.tagWithCount_h2kH:after,.tagWithCount_h2kH:before{border:1px solid var(--docusaurus-tag-list-border);content:"";position:absolute;top:50%;transition:inherit}.tagWithCount_h2kH:before{border-bottom:0;border-right:0;height:1.18rem;right:100%;transform:translate(50%,-50%) rotate(-45deg);width:1.18rem}.tagWithCount_h2kH:after{border-radius:50%;height:.5rem;left:0;transform:translateY(-50%);width:.5rem}.tagWithCount_h2kH span{background:var(--ifm-color-secondary);border-radius:var(--ifm-global-radius);color:var(--ifm-color-black);font-size:.7rem;line-height:1.2;margin-left:.3rem;padding:.1rem .4rem}.tags_jXut{display:inline}.tag_QGVx{display:inline-block;margin:0 .4rem .5rem 0}.iconEdit_Z9Sw{margin-right:.3em;vertical-align:sub}.lastUpdated_JAkA{font-size:smaller;font-style:italic;margin-top:.2rem}.tocCollapsibleButton_TO0P{align-items:center;display:flex;font-size:inherit;justify-content:space-between;padding:.4rem .8rem;width:100%}.tocCollapsibleButton_TO0P:after{background:var(--ifm-menu-link-sublist-icon) 50% 50%/2rem 2rem no-repeat;content:"";filter:var(--ifm-menu-link-sublist-icon-filter);height:1.25rem;transform:rotate(180deg);transition:transform var(--ifm-transition-fast);width:1.25rem}.tocCollapsibleButtonExpanded_MG3E:after,.tocCollapsibleExpanded_sAul{transform:none}.tocCollapsible_ETCw{background-color:var(--ifm-menu-color-background-active);border-radius:var(--ifm-global-radius);margin:1rem 0}.buttonGroup__atx button,.codeBlockContainer_Ckt0{background:var(--prism-background-color);color:var(--prism-color)}.tocCollapsibleContent_vkbj>ul{border-left:none;border-top:1px solid var(--ifm-color-emphasis-300);font-size:15px;padding:.2rem 0}.tocCollapsibleContent_vkbj ul li{margin:.4rem .8rem}.tableOfContents_bqdL{max-height:calc(100vh - var(--ifm-navbar-height) - 2rem);overflow-y:auto;position:sticky;top:calc(var(--ifm-navbar-height) + 1rem)}.codeBlockContainer_Ckt0{border-radius:var(--ifm-code-border-radius);box-shadow:var(--ifm-global-shadow-lw);margin-bottom:var(--ifm-leading)}.codeBlockContent_biex{border-radius:inherit;direction:ltr;position:relative}.codeBlockTitle_Ktv7{border-bottom:1px solid var(--ifm-color-emphasis-300);border-top-left-radius:inherit;border-top-right-radius:inherit;font-size:var(--ifm-code-font-size);font-weight:500;padding:.75rem var(--ifm-pre-padding)}.codeBlock_bY9V{--ifm-pre-background:var(--prism-background-color);margin:0;padding:0}.codeBlockTitle_Ktv7+.codeBlockContent_biex .codeBlock_bY9V{border-top-left-radius:0;border-top-right-radius:0}.codeBlockLines_e6Vv{float:left;font:inherit;min-width:100%;padding:var(--ifm-pre-padding)}.codeBlockLinesWithNumbering_o6Pm{display:table;padding:var(--ifm-pre-padding) 0}.buttonGroup__atx{column-gap:.2rem;display:flex;position:absolute;right:calc(var(--ifm-pre-padding)/2);top:calc(var(--ifm-pre-padding)/2)}.buttonGroup__atx button{align-items:center;border:1px solid var(--ifm-color-emphasis-300);border-radius:var(--ifm-global-radius);display:flex;line-height:0;opacity:0;padding:.4rem;transition:opacity var(--ifm-transition-fast) ease-in-out}.buttonGroup__atx button:focus-visible,.buttonGroup__atx button:hover{opacity:1!important}.theme-code-block:hover .buttonGroup__atx button{opacity:.4}:where(:root){--docusaurus-highlighted-code-line-bg:#484d5b}:where([data-theme=dark]){--docusaurus-highlighted-code-line-bg:#646464}.theme-code-block-highlighted-line{background-color:var(--docusaurus-highlighted-code-line-bg);display:block;margin:0 calc(var(--ifm-pre-padding)*-1);padding:0 var(--ifm-pre-padding)}.codeLine_lJS_{counter-increment:a;display:table-row}.codeLineNumber_Tfdd{background:var(--ifm-pre-background);display:table-cell;left:0;overflow-wrap:normal;padding:0 var(--ifm-pre-padding);position:sticky;text-align:right;width:1%}.codeLineNumber_Tfdd:before{content:counter(a);opacity:.4}.codeLineContent_feaV{padding-right:var(--ifm-pre-padding)}.theme-code-block:hover .copyButtonCopied_obH4{opacity:1!important}.copyButtonIcons_eSgA{height:1.125rem;position:relative;width:1.125rem}.copyButtonIcon_y97N,.copyButtonSuccessIcon_LjdS{left:0;position:absolute;top:0;fill:currentColor;height:inherit;opacity:inherit;transition:all var(--ifm-transition-fast) ease;width:inherit}.copyButtonSuccessIcon_LjdS{color:#00d600;left:50%;opacity:0;top:50%;transform:translate(-50%,-50%) scale(.33)}.copyButtonCopied_obH4 .copyButtonIcon_y97N{opacity:0;transform:scale(.33)}.copyButtonCopied_obH4 .copyButtonSuccessIcon_LjdS{opacity:1;transform:translate(-50%,-50%) scale(1);transition-delay:75ms}.wordWrapButtonIcon_Bwma{height:1.2rem;width:1.2rem}.details_lb9f{--docusaurus-details-summary-arrow-size:0.38rem;--docusaurus-details-transition:transform 200ms ease;--docusaurus-details-decoration-color:grey}.details_lb9f>summary{cursor:pointer;padding-left:1rem;position:relative}.details_lb9f>summary::-webkit-details-marker{display:none}.details_lb9f>summary:before{border-color:#0000 #0000 #0000 var(--docusaurus-details-decoration-color);border-style:solid;border-width:var(--docusaurus-details-summary-arrow-size);content:"";left:0;position:absolute;top:.45rem;transform:rotate(0);transform-origin:calc(var(--docusaurus-details-summary-arrow-size)/2) 50%;transition:var(--docusaurus-details-transition)}.collapsibleContent_i85q{border-top:1px solid var(--docusaurus-details-decoration-color);margin-top:1rem;padding-top:1rem}.details_b_Ee{--docusaurus-details-decoration-color:var(--ifm-alert-border-color);--docusaurus-details-transition:transform var(--ifm-transition-fast) ease;border:1px solid var(--ifm-alert-border-color);margin:0 0 var(--ifm-spacing-vertical)}:not(.containsTaskList_mC6p>li)>.containsTaskList_mC6p{padding-left:0}.img_ev3q{height:auto}.admonition_xJq3{margin-bottom:1em}.admonitionHeading_Gvgb{font:var(--ifm-heading-font-weight) var(--ifm-h5-font-size)/var(--ifm-heading-line-height) var(--ifm-heading-font-family)}.admonitionHeading_Gvgb:not(:last-child){margin-bottom:.3rem}.admonitionHeading_Gvgb code{text-transform:none}.admonitionIcon_Rf37{display:inline-block;margin-right:.4em;vertical-align:middle}.admonitionIcon_Rf37 svg{display:inline-block;height:1.6em;width:1.6em;fill:var(--ifm-alert-foreground-color)}.breadcrumbHomeIcon_YNFT{height:1.1rem;position:relative;top:1px;vertical-align:top;width:1.1rem}.breadcrumbsContainer_Z_bl{--ifm-breadcrumb-size-multiplier:0.8;margin-bottom:.8rem}.searchContextInput_mXoe,.searchQueryInput_CFBF{background:var(--ifm-background-color);border:var(--ifm-global-border-width) solid var(--ifm-color-content-secondary);border-radius:var(--ifm-global-radius);color:var(--ifm-font-color-base);font-size:var(--ifm-font-size-base);margin-bottom:1rem;padding:.5rem;width:100%}.searchResultItem_U687{border-bottom:1px solid #dfe3e8;padding:1rem 0}.searchResultItemPath_uIbk{color:var(--ifm-color-content-secondary);font-size:.8rem;margin:.5rem 0 0}.searchResultItemSummary_oZHr{font-style:italic;margin:.5rem 0 0}.backToTopButton_sjWU{background-color:var(--ifm-color-emphasis-200);border-radius:50%;bottom:1.3rem;box-shadow:var(--ifm-global-shadow-lw);height:3rem;opacity:0;position:fixed;right:1.3rem;transform:scale(0);transition:all var(--ifm-transition-fast) var(--ifm-transition-timing-default);visibility:hidden;width:3rem;z-index:calc(var(--ifm-z-index-fixed) - 1)}.backToTopButton_sjWU:after{background-color:var(--ifm-color-emphasis-1000);content:" ";display:inline-block;height:100%;-webkit-mask:var(--ifm-menu-link-sublist-icon) 50%/2rem 2rem no-repeat;mask:var(--ifm-menu-link-sublist-icon) 50%/2rem 2rem no-repeat;width:100%}.backToTopButtonShow_xfvO{opacity:1;transform:scale(1);visibility:visible}[data-theme=dark]:root{--docusaurus-collapse-button-bg:#ffffff0d;--docusaurus-collapse-button-bg-hover:#ffffff1a}.collapseSidebarButton_PEFL{display:none;margin:0}.docSidebarContainer_YfHR,.sidebarLogo_isFc{display:none}.docMainContainer_TBSr,.docRoot_UBD9{display:flex;width:100%}.docsWrapper_hBAB{display:flex;flex:1 0 auto}@media (min-width:997px){.collapseSidebarButton_PEFL,.expandButton_TmdG{background-color:var(--docusaurus-collapse-button-bg)}:root{--docusaurus-announcement-bar-height:30px}.announcementBarClose_gvF7,.announcementBarPlaceholder_vyr4{flex-basis:50px}.navbarSearchContainer_Bca1{padding:var(--ifm-navbar-item-padding-vertical) var(--ifm-navbar-item-padding-horizontal)}.lastUpdated_JAkA{text-align:right}.tocMobile_ITEo{display:none}.docItemCol_VOVn{max-width:75%!important}.collapseSidebarButton_PEFL{border:1px solid var(--ifm-toc-border-color);border-radius:0;bottom:0;display:block!important;height:40px;position:sticky}.collapseSidebarButtonIcon_kv0_{margin-top:4px;transform:rotate(180deg)}.expandButtonIcon_i1dp,[dir=rtl] .collapseSidebarButtonIcon_kv0_{transform:rotate(0)}.collapseSidebarButton_PEFL:focus,.collapseSidebarButton_PEFL:hover,.expandButton_TmdG:focus,.expandButton_TmdG:hover{background-color:var(--docusaurus-collapse-button-bg-hover)}.menuHtmlItem_M9Kj{padding:var(--ifm-menu-link-padding-vertical) var(--ifm-menu-link-padding-horizontal)}.menu_SIkG{flex-grow:1;padding:.5rem}@supports (scrollbar-gutter:stable){.menu_SIkG{padding:.5rem 0 .5rem .5rem;scrollbar-gutter:stable}}.menuWithAnnouncementBar_GW3s{margin-bottom:var(--docusaurus-announcement-bar-height)}.sidebar_njMd{display:flex;flex-direction:column;height:100%;padding-top:var(--ifm-navbar-height);width:var(--doc-sidebar-width)}.sidebarWithHideableNavbar_wUlq{padding-top:0}.sidebarHidden_VK0M{opacity:0;visibility:hidden}.sidebarLogo_isFc{align-items:center;color:inherit!important;display:flex!important;margin:0 var(--ifm-navbar-padding-horizontal);max-height:var(--ifm-navbar-height);min-height:var(--ifm-navbar-height);text-decoration:none!important}.sidebarLogo_isFc img{height:2rem;margin-right:.5rem}.expandButton_TmdG{align-items:center;display:flex;height:100%;justify-content:center;position:absolute;right:0;top:0;transition:background-color var(--ifm-transition-fast) ease;width:100%}[dir=rtl] .expandButtonIcon_i1dp{transform:rotate(180deg)}.docSidebarContainer_YfHR{border-right:1px solid var(--ifm-toc-border-color);clip-path:inset(0);display:block;margin-top:calc(var(--ifm-navbar-height)*-1);transition:width var(--ifm-transition-fast) ease;width:var(--doc-sidebar-width);will-change:width}.docSidebarContainerHidden_DPk8{cursor:pointer;width:var(--doc-sidebar-hidden-width)}.sidebarViewport_aRkj{height:100%;max-height:100vh;position:sticky;top:0}.docMainContainer_TBSr{flex-grow:1;max-width:calc(100% - var(--doc-sidebar-width))}.docMainContainerEnhanced_lQrH{max-width:calc(100% - var(--doc-sidebar-hidden-width))}.docItemWrapperEnhanced_JWYK{max-width:calc(var(--ifm-container-width) + var(--doc-sidebar-width))!important}}@media (min-width:1440px){.container{max-width:var(--ifm-container-width-xl)}}@media (max-width:996px){.col{--ifm-col-width:100%;flex-basis:var(--ifm-col-width);margin-left:0}.footer{--ifm-footer-padding-horizontal:0}.colorModeToggle_DEke,.footer__link-separator,.navbar-sidebar__back,.navbar__item,.tableOfContents_bqdL{display:none}.footer__col{margin-bottom:calc(var(--ifm-spacing-vertical)*3)}.footer__link-item{display:block}.hero{padding-left:0;padding-right:0}.navbar>.container,.navbar>.container-fluid{padding:0}.navbar__toggle{display:inherit}.navbar__search-input{width:9rem}.pills--block,.tabs--block{flex-direction:column}.navbarSearchContainer_Bca1{position:absolute;right:var(--ifm-navbar-padding-horizontal)}.docItemContainer_F8PC{padding:0 .3rem}}@media not (max-width:996px){.searchBar_RVTs.searchBarLeft_MXDe .dropdownMenu_qbY6{left:0!important;right:auto!important}}@media only screen and (max-width:996px){.searchQueryColumn_q7nx{max-width:60%!important}.searchContextColumn_oWAF{max-width:40%!important}}@media (max-width:768px){#theme-main h1{font-size:50px!important;font-weight:700;line-height:3rem!important}#theme-main .header-docs{margin-bottom:20px}}@media (max-width:576px){.markdown h1:first-child{--ifm-h1-font-size:2rem}.markdown>h2{--ifm-h2-font-size:1.5rem}.markdown>h3{--ifm-h3-font-size:1.25rem}.navbar__search-input:not(:focus){width:2rem}.searchBar_RVTs .dropdownMenu_qbY6{max-width:calc(100vw - var(--ifm-navbar-padding-horizontal)*2);width:var(--search-local-modal-width-sm,340px)}.searchBarContainer_NW3z:not(.focused_OWtg) .searchClearButton_qk4g,.searchHintContainer_Pkmr{display:none}}@media screen and (max-width:576px){.searchQueryColumn_q7nx{max-width:100%!important}.searchContextColumn_oWAF{max-width:100%!important;padding-left:var(--ifm-spacing-horizontal)!important}}@media (hover:hover){.backToTopButton_sjWU:hover{background-color:var(--ifm-color-emphasis-300)}}@media (pointer:fine){.thin-scrollbar{scrollbar-width:thin}.thin-scrollbar::-webkit-scrollbar{height:var(--ifm-scrollbar-size);width:var(--ifm-scrollbar-size)}.thin-scrollbar::-webkit-scrollbar-track{background:var(--ifm-scrollbar-track-background-color);border-radius:10px}.thin-scrollbar::-webkit-scrollbar-thumb{background:var(--ifm-scrollbar-thumb-background-color);border-radius:10px}.thin-scrollbar::-webkit-scrollbar-thumb:hover{background:var(--ifm-scrollbar-thumb-hover-background-color)}}@media (prefers-reduced-motion:reduce){:root{--ifm-transition-fast:0ms;--ifm-transition-slow:0ms}}@media print{.announcementBar_mb4j,.footer,.menu,.navbar,.pagination-nav,.table-of-contents,.tocMobile_ITEo{display:none}.tabs{page-break-inside:avoid}.codeBlockLines_e6Vv{white-space:pre-wrap}} \ No newline at end of file +.col,.container{padding:0 var(--ifm-spacing-horizontal);width:100%}.markdown>h2,.markdown>h3,.markdown>h4,.markdown>h5,.markdown>h6{margin-bottom:calc(var(--ifm-heading-vertical-rhythm-bottom)*var(--ifm-leading))}pre,table{overflow:auto}blockquote,pre{margin:0 0 var(--ifm-spacing-vertical)}.breadcrumbs__link,.button{transition-timing-function:var(--ifm-transition-timing-default)}.button,code{vertical-align:middle}.button--outline.button--active,.button--outline:active,.button--outline:hover,:root{--ifm-button-color:var(--ifm-font-color-base-inverse)}.menu__link:hover,a{transition:color var(--ifm-transition-fast) var(--ifm-transition-timing-default)}.navbar--dark,:root{--ifm-navbar-link-hover-color:var(--ifm-color-primary)}.menu,.navbar-sidebar{overflow-x:hidden}:root,html[data-theme=dark]{--ifm-color-emphasis-500:var(--ifm-color-gray-500)}.markdown li,body{word-wrap:break-word}.toggleButton_gllP,html{-webkit-tap-highlight-color:transparent}*,.loadingRing_RJI3 div{box-sizing:border-box}.clean-list,.containsTaskList_mC6p,.details_lb9f>summary,.dropdown__menu,.menu__list{list-style:none}:root{--ifm-color-scheme:light;--ifm-dark-value:10%;--ifm-darker-value:15%;--ifm-darkest-value:30%;--ifm-light-value:15%;--ifm-lighter-value:30%;--ifm-lightest-value:50%;--ifm-contrast-background-value:90%;--ifm-contrast-foreground-value:70%;--ifm-contrast-background-dark-value:70%;--ifm-contrast-foreground-dark-value:90%;--ifm-color-primary:#3578e5;--ifm-color-secondary:#ebedf0;--ifm-color-success:#00a400;--ifm-color-info:#54c7ec;--ifm-color-warning:#ffba00;--ifm-color-danger:#fa383e;--ifm-color-primary-dark:#306cce;--ifm-color-primary-darker:#2d66c3;--ifm-color-primary-darkest:#2554a0;--ifm-color-primary-light:#538ce9;--ifm-color-primary-lighter:#72a1ed;--ifm-color-primary-lightest:#9abcf2;--ifm-color-primary-contrast-background:#ebf2fc;--ifm-color-primary-contrast-foreground:#102445;--ifm-color-secondary-dark:#d4d5d8;--ifm-color-secondary-darker:#c8c9cc;--ifm-color-secondary-darkest:#a4a6a8;--ifm-color-secondary-light:#eef0f2;--ifm-color-secondary-lighter:#f1f2f5;--ifm-color-secondary-lightest:#f5f6f8;--ifm-color-secondary-contrast-background:#fdfdfe;--ifm-color-secondary-contrast-foreground:#474748;--ifm-color-success-dark:#009400;--ifm-color-success-darker:#008b00;--ifm-color-success-darkest:#007300;--ifm-color-success-light:#26b226;--ifm-color-success-lighter:#4dbf4d;--ifm-color-success-lightest:#80d280;--ifm-color-success-contrast-background:#e6f6e6;--ifm-color-success-contrast-foreground:#003100;--ifm-color-info-dark:#4cb3d4;--ifm-color-info-darker:#47a9c9;--ifm-color-info-darkest:#3b8ba5;--ifm-color-info-light:#6ecfef;--ifm-color-info-lighter:#87d8f2;--ifm-color-info-lightest:#aae3f6;--ifm-color-info-contrast-background:#eef9fd;--ifm-color-info-contrast-foreground:#193c47;--ifm-color-warning-dark:#e6a700;--ifm-color-warning-darker:#d99e00;--ifm-color-warning-darkest:#b38200;--ifm-color-warning-light:#ffc426;--ifm-color-warning-lighter:#ffcf4d;--ifm-color-warning-lightest:#ffdd80;--ifm-color-warning-contrast-background:#fff8e6;--ifm-color-warning-contrast-foreground:#4d3800;--ifm-color-danger-dark:#e13238;--ifm-color-danger-darker:#d53035;--ifm-color-danger-darkest:#af272b;--ifm-color-danger-light:#fb565b;--ifm-color-danger-lighter:#fb7478;--ifm-color-danger-lightest:#fd9c9f;--ifm-color-danger-contrast-background:#ffebec;--ifm-color-danger-contrast-foreground:#4b1113;--ifm-color-white:#fff;--ifm-color-black:#000;--ifm-color-gray-0:var(--ifm-color-white);--ifm-color-gray-100:#f5f6f7;--ifm-color-gray-200:#ebedf0;--ifm-color-gray-300:#dadde1;--ifm-color-gray-400:#ccd0d5;--ifm-color-gray-500:#bec3c9;--ifm-color-gray-600:#8d949e;--ifm-color-gray-700:#606770;--ifm-color-gray-800:#444950;--ifm-color-gray-900:#1c1e21;--ifm-color-gray-1000:var(--ifm-color-black);--ifm-color-emphasis-0:var(--ifm-color-gray-0);--ifm-color-emphasis-100:var(--ifm-color-gray-100);--ifm-color-emphasis-200:var(--ifm-color-gray-200);--ifm-color-emphasis-300:var(--ifm-color-gray-300);--ifm-color-emphasis-400:var(--ifm-color-gray-400);--ifm-color-emphasis-600:var(--ifm-color-gray-600);--ifm-color-emphasis-700:var(--ifm-color-gray-700);--ifm-color-emphasis-800:var(--ifm-color-gray-800);--ifm-color-emphasis-900:var(--ifm-color-gray-900);--ifm-color-emphasis-1000:var(--ifm-color-gray-1000);--ifm-color-content:var(--ifm-color-emphasis-900);--ifm-color-content-inverse:var(--ifm-color-emphasis-0);--ifm-color-content-secondary:#525860;--ifm-background-color:#0000;--ifm-background-surface-color:var(--ifm-color-content-inverse);--ifm-global-border-width:1px;--ifm-global-radius:0.4rem;--ifm-hover-overlay:#0000000d;--ifm-font-color-base:var(--ifm-color-content);--ifm-font-color-base-inverse:var(--ifm-color-content-inverse);--ifm-font-color-secondary:var(--ifm-color-content-secondary);--ifm-font-family-base:system-ui,-apple-system,Segoe UI,Roboto,Ubuntu,Cantarell,Noto Sans,sans-serif,BlinkMacSystemFont,"Segoe UI",Helvetica,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";--ifm-font-family-monospace:SFMono-Regular,Menlo,Monaco,Consolas,"Liberation Mono","Courier New",monospace;--ifm-font-size-base:100%;--ifm-font-weight-light:300;--ifm-font-weight-normal:400;--ifm-font-weight-semibold:500;--ifm-font-weight-bold:700;--ifm-font-weight-base:var(--ifm-font-weight-normal);--ifm-line-height-base:1.65;--ifm-global-spacing:1rem;--ifm-spacing-vertical:var(--ifm-global-spacing);--ifm-spacing-horizontal:var(--ifm-global-spacing);--ifm-transition-fast:200ms;--ifm-transition-slow:400ms;--ifm-transition-timing-default:cubic-bezier(0.08,0.52,0.52,1);--ifm-global-shadow-lw:0 1px 2px 0 #0000001a;--ifm-global-shadow-md:0 5px 40px #0003;--ifm-global-shadow-tl:0 12px 28px 0 #0003,0 2px 4px 0 #0000001a;--ifm-z-index-dropdown:100;--ifm-z-index-fixed:200;--ifm-z-index-overlay:400;--ifm-container-width:1140px;--ifm-container-width-xl:1320px;--ifm-code-background:#f6f7f8;--ifm-code-border-radius:var(--ifm-global-radius);--ifm-code-font-size:90%;--ifm-code-padding-horizontal:0.1rem;--ifm-code-padding-vertical:0.1rem;--ifm-pre-background:var(--ifm-code-background);--ifm-pre-border-radius:var(--ifm-code-border-radius);--ifm-pre-color:inherit;--ifm-pre-line-height:1.45;--ifm-pre-padding:1rem;--ifm-heading-color:inherit;--ifm-heading-margin-top:0;--ifm-heading-margin-bottom:var(--ifm-spacing-vertical);--ifm-heading-font-family:var(--ifm-font-family-base);--ifm-heading-font-weight:var(--ifm-font-weight-bold);--ifm-heading-line-height:1.25;--ifm-h1-font-size:2rem;--ifm-h2-font-size:1.5rem;--ifm-h3-font-size:1.25rem;--ifm-h4-font-size:1rem;--ifm-h5-font-size:0.875rem;--ifm-h6-font-size:0.85rem;--ifm-image-alignment-padding:1.25rem;--ifm-leading-desktop:1.25;--ifm-leading:calc(var(--ifm-leading-desktop)*1rem);--ifm-list-left-padding:2rem;--ifm-list-margin:1rem;--ifm-list-item-margin:0.25rem;--ifm-list-paragraph-margin:1rem;--ifm-table-cell-padding:0.75rem;--ifm-table-background:#0000;--ifm-table-stripe-background:#00000008;--ifm-table-border-width:1px;--ifm-table-border-color:var(--ifm-color-emphasis-300);--ifm-table-head-background:inherit;--ifm-table-head-color:inherit;--ifm-table-head-font-weight:var(--ifm-font-weight-bold);--ifm-table-cell-color:inherit;--ifm-link-color:var(--ifm-color-primary);--ifm-link-decoration:none;--ifm-link-hover-color:var(--ifm-link-color);--ifm-link-hover-decoration:underline;--ifm-paragraph-margin-bottom:var(--ifm-leading);--ifm-blockquote-font-size:var(--ifm-font-size-base);--ifm-blockquote-border-left-width:2px;--ifm-blockquote-padding-horizontal:var(--ifm-spacing-horizontal);--ifm-blockquote-padding-vertical:0;--ifm-blockquote-shadow:none;--ifm-blockquote-color:var(--ifm-color-emphasis-800);--ifm-blockquote-border-color:var(--ifm-color-emphasis-300);--ifm-hr-background-color:var(--ifm-color-emphasis-500);--ifm-hr-height:1px;--ifm-hr-margin-vertical:1.5rem;--ifm-scrollbar-size:7px;--ifm-scrollbar-track-background-color:#f1f1f1;--ifm-scrollbar-thumb-background-color:silver;--ifm-scrollbar-thumb-hover-background-color:#a7a7a7;--ifm-alert-background-color:inherit;--ifm-alert-border-color:inherit;--ifm-alert-border-radius:var(--ifm-global-radius);--ifm-alert-border-width:0px;--ifm-alert-border-left-width:5px;--ifm-alert-color:var(--ifm-font-color-base);--ifm-alert-padding-horizontal:var(--ifm-spacing-horizontal);--ifm-alert-padding-vertical:var(--ifm-spacing-vertical);--ifm-alert-shadow:var(--ifm-global-shadow-lw);--ifm-avatar-intro-margin:1rem;--ifm-avatar-intro-alignment:inherit;--ifm-avatar-photo-size:3rem;--ifm-badge-background-color:inherit;--ifm-badge-border-color:inherit;--ifm-badge-border-radius:var(--ifm-global-radius);--ifm-badge-border-width:var(--ifm-global-border-width);--ifm-badge-color:var(--ifm-color-white);--ifm-badge-padding-horizontal:calc(var(--ifm-spacing-horizontal)*0.5);--ifm-badge-padding-vertical:calc(var(--ifm-spacing-vertical)*0.25);--ifm-breadcrumb-border-radius:1.5rem;--ifm-breadcrumb-spacing:0.5rem;--ifm-breadcrumb-color-active:var(--ifm-color-primary);--ifm-breadcrumb-item-background-active:var(--ifm-hover-overlay);--ifm-breadcrumb-padding-horizontal:0.8rem;--ifm-breadcrumb-padding-vertical:0.4rem;--ifm-breadcrumb-size-multiplier:1;--ifm-breadcrumb-separator:url('data:image/svg+xml;utf8,');--ifm-breadcrumb-separator-filter:none;--ifm-breadcrumb-separator-size:0.5rem;--ifm-breadcrumb-separator-size-multiplier:1.25;--ifm-button-background-color:inherit;--ifm-button-border-color:var(--ifm-button-background-color);--ifm-button-border-width:var(--ifm-global-border-width);--ifm-button-font-weight:var(--ifm-font-weight-bold);--ifm-button-padding-horizontal:1.5rem;--ifm-button-padding-vertical:0.375rem;--ifm-button-size-multiplier:1;--ifm-button-transition-duration:var(--ifm-transition-fast);--ifm-button-border-radius:calc(var(--ifm-global-radius)*var(--ifm-button-size-multiplier));--ifm-button-group-spacing:2px;--ifm-card-background-color:var(--ifm-background-surface-color);--ifm-card-border-radius:calc(var(--ifm-global-radius)*2);--ifm-card-horizontal-spacing:var(--ifm-global-spacing);--ifm-card-vertical-spacing:var(--ifm-global-spacing);--ifm-toc-border-color:var(--ifm-color-emphasis-300);--ifm-toc-link-color:var(--ifm-color-content-secondary);--ifm-toc-padding-vertical:0.5rem;--ifm-toc-padding-horizontal:0.5rem;--ifm-dropdown-background-color:var(--ifm-background-surface-color);--ifm-dropdown-font-weight:var(--ifm-font-weight-semibold);--ifm-dropdown-link-color:var(--ifm-font-color-base);--ifm-dropdown-hover-background-color:var(--ifm-hover-overlay);--ifm-footer-background-color:var(--ifm-color-emphasis-100);--ifm-footer-color:inherit;--ifm-footer-link-color:var(--ifm-color-emphasis-700);--ifm-footer-link-hover-color:var(--ifm-color-primary);--ifm-footer-link-horizontal-spacing:0.5rem;--ifm-footer-padding-horizontal:calc(var(--ifm-spacing-horizontal)*2);--ifm-footer-padding-vertical:calc(var(--ifm-spacing-vertical)*2);--ifm-footer-title-color:inherit;--ifm-footer-logo-max-width:min(30rem,90vw);--ifm-hero-background-color:var(--ifm-background-surface-color);--ifm-hero-text-color:var(--ifm-color-emphasis-800);--ifm-menu-color:var(--ifm-color-emphasis-700);--ifm-menu-color-active:var(--ifm-color-primary);--ifm-menu-color-background-active:var(--ifm-hover-overlay);--ifm-menu-color-background-hover:var(--ifm-hover-overlay);--ifm-menu-link-padding-horizontal:0.75rem;--ifm-menu-link-padding-vertical:0.375rem;--ifm-menu-link-sublist-icon:url('data:image/svg+xml;utf8,');--ifm-menu-link-sublist-icon-filter:none;--ifm-navbar-background-color:var(--ifm-background-surface-color);--ifm-navbar-height:3.75rem;--ifm-navbar-item-padding-horizontal:0.75rem;--ifm-navbar-item-padding-vertical:0.25rem;--ifm-navbar-link-color:var(--ifm-font-color-base);--ifm-navbar-link-active-color:var(--ifm-link-color);--ifm-navbar-padding-horizontal:var(--ifm-spacing-horizontal);--ifm-navbar-padding-vertical:calc(var(--ifm-spacing-vertical)*0.5);--ifm-navbar-shadow:var(--ifm-global-shadow-lw);--ifm-navbar-search-input-background-color:var(--ifm-color-emphasis-200);--ifm-navbar-search-input-color:var(--ifm-color-emphasis-800);--ifm-navbar-search-input-placeholder-color:var(--ifm-color-emphasis-500);--ifm-navbar-search-input-icon:url('data:image/svg+xml;utf8,');--ifm-navbar-sidebar-width:83vw;--ifm-pagination-border-radius:var(--ifm-global-radius);--ifm-pagination-color-active:var(--ifm-color-primary);--ifm-pagination-font-size:1rem;--ifm-pagination-item-active-background:var(--ifm-hover-overlay);--ifm-pagination-page-spacing:0.2em;--ifm-pagination-padding-horizontal:calc(var(--ifm-spacing-horizontal)*1);--ifm-pagination-padding-vertical:calc(var(--ifm-spacing-vertical)*0.25);--ifm-pagination-nav-border-radius:var(--ifm-global-radius);--ifm-pagination-nav-color-hover:var(--ifm-color-primary);--ifm-pills-color-active:var(--ifm-color-primary);--ifm-pills-color-background-active:var(--ifm-hover-overlay);--ifm-pills-spacing:0.125rem;--ifm-tabs-color:var(--ifm-font-color-secondary);--ifm-tabs-color-active:var(--ifm-color-primary);--ifm-tabs-color-active-border:var(--ifm-tabs-color-active);--ifm-tabs-padding-horizontal:1rem;--ifm-tabs-padding-vertical:1rem;--docusaurus-progress-bar-color:var(--ifm-color-primary);--ifm-color-primary:#06527a;--ifm-color-primary-dark:#054a6e;--ifm-color-primary-darker:#054668;--ifm-color-primary-darkest:#043955;--ifm-color-primary-light:#075a86;--ifm-color-primary-lighter:#075e8c;--ifm-color-primary-lightest:#086b9f;--ifm-color-secondary:#ffc61c;--ifm-color-secondary-light:#ffcd38;--dark:#33313b;--light:#f3f3f3;--docusaurus-announcement-bar-height:auto;--docusaurus-tag-list-border:var(--ifm-color-emphasis-300);--docusaurus-collapse-button-bg:#0000;--docusaurus-collapse-button-bg-hover:#0000001a;--doc-sidebar-width:300px;--doc-sidebar-hidden-width:30px}.badge--danger,.badge--info,.badge--primary,.badge--secondary,.badge--success,.badge--warning{--ifm-badge-border-color:var(--ifm-badge-background-color)}.button--link,.button--outline{--ifm-button-background-color:#0000}html{background-color:var(--ifm-background-color);color:var(--ifm-font-color-base);color-scheme:var(--ifm-color-scheme);font:var(--ifm-font-size-base)/var(--ifm-line-height-base) var(--ifm-font-family-base);-webkit-font-smoothing:antialiased;text-rendering:optimizelegibility;-webkit-text-size-adjust:100%;text-size-adjust:100%}iframe{border:0;color-scheme:auto}.container{margin:0 auto;max-width:var(--ifm-container-width)}.container--fluid{max-width:inherit}.row{display:flex;flex-wrap:wrap;margin:0 calc(var(--ifm-spacing-horizontal)*-1)}.margin-bottom--none,.margin-vert--none,.markdown>:last-child{margin-bottom:0!important}.margin-top--none,.margin-vert--none,.tabItem_LNqP{margin-top:0!important}.row--no-gutters{margin-left:0;margin-right:0}.margin-horiz--none,.margin-right--none{margin-right:0!important}.row--no-gutters>.col{padding-left:0;padding-right:0}.row--align-top{align-items:flex-start}.row--align-bottom{align-items:flex-end}.menuExternalLink_NmtK,.row--align-center{align-items:center}.row--align-stretch{align-items:stretch}.row--align-baseline{align-items:baseline}.col{--ifm-col-width:100%;flex:1 0;margin-left:0;max-width:var(--ifm-col-width)}.padding-bottom--none,.padding-vert--none{padding-bottom:0!important}.padding-top--none,.padding-vert--none{padding-top:0!important}.padding-horiz--none,.padding-left--none{padding-left:0!important}.padding-horiz--none,.padding-right--none{padding-right:0!important}.col[class*=col--]{flex:0 0 var(--ifm-col-width)}.col--1{--ifm-col-width:8.33333%}.col--offset-1{margin-left:8.33333%}.col--2{--ifm-col-width:16.66667%}.col--offset-2{margin-left:16.66667%}.col--3{--ifm-col-width:25%}.col--offset-3{margin-left:25%}.col--4{--ifm-col-width:33.33333%}.col--offset-4{margin-left:33.33333%}.col--5{--ifm-col-width:41.66667%}.col--offset-5{margin-left:41.66667%}.col--6{--ifm-col-width:50%}.col--offset-6{margin-left:50%}.col--7{--ifm-col-width:58.33333%}.col--offset-7{margin-left:58.33333%}.col--8{--ifm-col-width:66.66667%}.col--offset-8{margin-left:66.66667%}.col--9{--ifm-col-width:75%}.col--offset-9{margin-left:75%}.col--10{--ifm-col-width:83.33333%}.col--offset-10{margin-left:83.33333%}.col--11{--ifm-col-width:91.66667%}.col--offset-11{margin-left:91.66667%}.col--12{--ifm-col-width:100%}.col--offset-12{margin-left:100%}.margin-horiz--none,.margin-left--none{margin-left:0!important}.margin--none{margin:0!important}.margin-bottom--xs,.margin-vert--xs{margin-bottom:.25rem!important}.margin-top--xs,.margin-vert--xs{margin-top:.25rem!important}.margin-horiz--xs,.margin-left--xs{margin-left:.25rem!important}.margin-horiz--xs,.margin-right--xs{margin-right:.25rem!important}.margin--xs{margin:.25rem!important}.margin-bottom--sm,.margin-vert--sm{margin-bottom:.5rem!important}.margin-top--sm,.margin-vert--sm{margin-top:.5rem!important}.margin-horiz--sm,.margin-left--sm{margin-left:.5rem!important}.margin-horiz--sm,.margin-right--sm{margin-right:.5rem!important}.margin--sm{margin:.5rem!important}.margin-bottom--md,.margin-vert--md{margin-bottom:1rem!important}.margin-top--md,.margin-vert--md{margin-top:1rem!important}.margin-horiz--md,.margin-left--md{margin-left:1rem!important}.margin-horiz--md,.margin-right--md{margin-right:1rem!important}.margin--md{margin:1rem!important}.margin-bottom--lg,.margin-vert--lg{margin-bottom:2rem!important}.margin-top--lg,.margin-vert--lg{margin-top:2rem!important}.margin-horiz--lg,.margin-left--lg{margin-left:2rem!important}.margin-horiz--lg,.margin-right--lg{margin-right:2rem!important}.margin--lg{margin:2rem!important}.margin-bottom--xl,.margin-vert--xl{margin-bottom:5rem!important}.margin-top--xl,.margin-vert--xl{margin-top:5rem!important}.margin-horiz--xl,.margin-left--xl{margin-left:5rem!important}.margin-horiz--xl,.margin-right--xl{margin-right:5rem!important}.margin--xl{margin:5rem!important}.padding--none{padding:0!important}.padding-bottom--xs,.padding-vert--xs{padding-bottom:.25rem!important}.padding-top--xs,.padding-vert--xs{padding-top:.25rem!important}.padding-horiz--xs,.padding-left--xs{padding-left:.25rem!important}.padding-horiz--xs,.padding-right--xs{padding-right:.25rem!important}.padding--xs{padding:.25rem!important}.padding-bottom--sm,.padding-vert--sm{padding-bottom:.5rem!important}.padding-top--sm,.padding-vert--sm{padding-top:.5rem!important}.padding-horiz--sm,.padding-left--sm{padding-left:.5rem!important}.padding-horiz--sm,.padding-right--sm{padding-right:.5rem!important}.padding--sm{padding:.5rem!important}.padding-bottom--md,.padding-vert--md{padding-bottom:1rem!important}.padding-top--md,.padding-vert--md{padding-top:1rem!important}.padding-horiz--md,.padding-left--md{padding-left:1rem!important}.padding-horiz--md,.padding-right--md{padding-right:1rem!important}.padding--md{padding:1rem!important}.padding-bottom--lg,.padding-vert--lg{padding-bottom:2rem!important}.padding-top--lg,.padding-vert--lg{padding-top:2rem!important}.padding-horiz--lg,.padding-left--lg{padding-left:2rem!important}.padding-horiz--lg,.padding-right--lg{padding-right:2rem!important}.padding--lg{padding:2rem!important}.padding-bottom--xl,.padding-vert--xl{padding-bottom:5rem!important}.padding-top--xl,.padding-vert--xl{padding-top:5rem!important}.padding-horiz--xl,.padding-left--xl{padding-left:5rem!important}.padding-horiz--xl,.padding-right--xl{padding-right:5rem!important}.padding--xl{padding:5rem!important}code{background-color:var(--ifm-code-background);border:.1rem solid #0000001a;border-radius:var(--ifm-code-border-radius);font-family:var(--ifm-font-family-monospace);font-size:var(--ifm-code-font-size);padding:var(--ifm-code-padding-vertical) var(--ifm-code-padding-horizontal)}a code{color:inherit}pre{background-color:var(--ifm-pre-background);border-radius:var(--ifm-pre-border-radius);color:var(--ifm-pre-color);font:var(--ifm-code-font-size)/var(--ifm-pre-line-height) var(--ifm-font-family-monospace);padding:var(--ifm-pre-padding)}pre code{background-color:initial;border:none;font-size:100%;line-height:inherit;padding:0}kbd{background-color:var(--ifm-color-emphasis-0);border:1px solid var(--ifm-color-emphasis-400);border-radius:.2rem;box-shadow:inset 0 -1px 0 var(--ifm-color-emphasis-400);color:var(--ifm-color-emphasis-800);font:80% var(--ifm-font-family-monospace);padding:.15rem .3rem}h1,h2,h3,h4,h5,h6{color:var(--ifm-heading-color);font-family:var(--ifm-heading-font-family);font-weight:var(--ifm-heading-font-weight);line-height:var(--ifm-heading-line-height);margin:var(--ifm-heading-margin-top) 0 var(--ifm-heading-margin-bottom) 0}h1{font-size:var(--ifm-h1-font-size)}h2{font-size:var(--ifm-h2-font-size)}h3{font-size:var(--ifm-h3-font-size)}h4{font-size:var(--ifm-h4-font-size)}h5{font-size:var(--ifm-h5-font-size)}h6{font-size:var(--ifm-h6-font-size)}.container_lyt7,.container_lyt7>svg,img{max-width:100%}img[align=right]{padding-left:var(--image-alignment-padding)}img[align=left]{padding-right:var(--image-alignment-padding)}.markdown{--ifm-h1-vertical-rhythm-top:3;--ifm-h2-vertical-rhythm-top:2;--ifm-h3-vertical-rhythm-top:1.5;--ifm-heading-vertical-rhythm-top:1.25;--ifm-h1-vertical-rhythm-bottom:1.25;--ifm-heading-vertical-rhythm-bottom:1}.markdown:after,.markdown:before{content:"";display:table}.markdown:after{clear:both}.markdown h1:first-child{--ifm-h1-font-size:3rem;margin-bottom:calc(var(--ifm-h1-vertical-rhythm-bottom)*var(--ifm-leading))}.markdown>h2{--ifm-h2-font-size:2rem;margin-top:calc(var(--ifm-h2-vertical-rhythm-top)*var(--ifm-leading))}.markdown>h3{--ifm-h3-font-size:1.5rem;margin-top:calc(var(--ifm-h3-vertical-rhythm-top)*var(--ifm-leading))}.markdown>h4,.markdown>h5,.markdown>h6{margin-top:calc(var(--ifm-heading-vertical-rhythm-top)*var(--ifm-leading))}.markdown>p,.markdown>pre,.markdown>ul,.tabList__CuJ{margin-bottom:var(--ifm-leading)}.markdown li>p{margin-top:var(--ifm-list-paragraph-margin)}.markdown li+li{margin-top:var(--ifm-list-item-margin)}ol,ul{margin:0 0 var(--ifm-list-margin);padding-left:var(--ifm-list-left-padding)}ol ol,ul ol{list-style-type:lower-roman}ol ol,ol ul,ul ol,ul ul{margin:0}ol ol ol,ol ul ol,ul ol ol,ul ul ol{list-style-type:lower-alpha}table{border-collapse:collapse;display:block;margin-bottom:var(--ifm-spacing-vertical)}table thead tr{border-bottom:2px solid var(--ifm-table-border-color)}table thead,table tr:nth-child(2n){background-color:var(--ifm-table-stripe-background)}table tr{background-color:var(--ifm-table-background);border-top:var(--ifm-table-border-width) solid var(--ifm-table-border-color)}table td,table th{border:var(--ifm-table-border-width) solid var(--ifm-table-border-color);padding:var(--ifm-table-cell-padding)}table th{background-color:var(--ifm-table-head-background);color:var(--ifm-table-head-color);font-weight:var(--ifm-table-head-font-weight)}table td{color:var(--ifm-table-cell-color)}strong{font-weight:var(--ifm-font-weight-bold)}a{color:var(--ifm-link-color);text-decoration:var(--ifm-link-decoration)}a:hover{color:var(--ifm-link-hover-color);text-decoration:var(--ifm-link-hover-decoration)}.button:hover,.text--no-decoration,.text--no-decoration:hover,a:not([href]){text-decoration:none}p{margin:0 0 var(--ifm-paragraph-margin-bottom)}blockquote{border-left:var(--ifm-blockquote-border-left-width) solid var(--ifm-blockquote-border-color);box-shadow:var(--ifm-blockquote-shadow);color:var(--ifm-blockquote-color);font-size:var(--ifm-blockquote-font-size);padding:var(--ifm-blockquote-padding-vertical) var(--ifm-blockquote-padding-horizontal)}blockquote>:first-child{margin-top:0}blockquote>:last-child{margin-bottom:0}hr{background-color:var(--ifm-hr-background-color);border:0;height:var(--ifm-hr-height);margin:var(--ifm-hr-margin-vertical) 0;background-image:-webkit-linear-gradient(left,#f3f3f3,#adadb1,#f3f3f3);margin:0 auto}.shadow--lw{box-shadow:var(--ifm-global-shadow-lw)!important}.shadow--md{box-shadow:var(--ifm-global-shadow-md)!important}.shadow--tl{box-shadow:var(--ifm-global-shadow-tl)!important}.text--primary,.wordWrapButtonEnabled_EoeP .wordWrapButtonIcon_Bwma{color:var(--ifm-color-primary)}.text--secondary{color:var(--ifm-color-secondary)}.text--success{color:var(--ifm-color-success)}.text--info{color:var(--ifm-color-info)}.text--warning{color:var(--ifm-color-warning)}.text--danger{color:var(--ifm-color-danger)}.text--center{text-align:center}.text--left{text-align:left}.text--justify{text-align:justify}.text--right{text-align:right}.text--capitalize{text-transform:capitalize}.text--lowercase{text-transform:lowercase}.admonitionHeading_Gvgb,.alert__heading,.text--uppercase{text-transform:uppercase}.text--light{font-weight:var(--ifm-font-weight-light)}.text--normal{font-weight:var(--ifm-font-weight-normal)}.text--semibold{font-weight:var(--ifm-font-weight-semibold)}.text--bold{font-weight:var(--ifm-font-weight-bold)}.text--italic{font-style:italic}.text--truncate{overflow:hidden;text-overflow:ellipsis;white-space:nowrap}.text--break{word-wrap:break-word!important;word-break:break-word!important}.clean-btn{background:none;border:none;color:inherit;cursor:pointer;font-family:inherit;padding:0}.alert,.alert .close{color:var(--ifm-alert-foreground-color)}.clean-list{padding-left:0}.alert--primary{--ifm-alert-background-color:var(--ifm-color-primary-contrast-background);--ifm-alert-background-color-highlight:#3578e526;--ifm-alert-foreground-color:var(--ifm-color-primary-contrast-foreground);--ifm-alert-border-color:var(--ifm-color-primary-dark)}.alert--secondary{--ifm-alert-background-color:var(--ifm-color-secondary-contrast-background);--ifm-alert-background-color-highlight:#ebedf026;--ifm-alert-foreground-color:var(--ifm-color-secondary-contrast-foreground);--ifm-alert-border-color:var(--ifm-color-secondary-dark)}.alert--success{--ifm-alert-background-color:var(--ifm-color-success-contrast-background);--ifm-alert-background-color-highlight:#00a40026;--ifm-alert-foreground-color:var(--ifm-color-success-contrast-foreground);--ifm-alert-border-color:var(--ifm-color-success-dark)}.alert--info{--ifm-alert-background-color:var(--ifm-color-info-contrast-background);--ifm-alert-background-color-highlight:#54c7ec26;--ifm-alert-foreground-color:var(--ifm-color-info-contrast-foreground);--ifm-alert-border-color:var(--ifm-color-info-dark)}.alert--warning{--ifm-alert-background-color:var(--ifm-color-warning-contrast-background);--ifm-alert-background-color-highlight:#ffba0026;--ifm-alert-foreground-color:var(--ifm-color-warning-contrast-foreground);--ifm-alert-border-color:var(--ifm-color-warning-dark)}.alert--danger{--ifm-alert-background-color:var(--ifm-color-danger-contrast-background);--ifm-alert-background-color-highlight:#fa383e26;--ifm-alert-foreground-color:var(--ifm-color-danger-contrast-foreground);--ifm-alert-border-color:var(--ifm-color-danger-dark)}.alert{--ifm-code-background:var(--ifm-alert-background-color-highlight);--ifm-link-color:var(--ifm-alert-foreground-color);--ifm-link-hover-color:var(--ifm-alert-foreground-color);--ifm-link-decoration:underline;--ifm-tabs-color:var(--ifm-alert-foreground-color);--ifm-tabs-color-active:var(--ifm-alert-foreground-color);--ifm-tabs-color-active-border:var(--ifm-alert-border-color);background-color:var(--ifm-alert-background-color);border:var(--ifm-alert-border-width) solid var(--ifm-alert-border-color);border-left-width:var(--ifm-alert-border-left-width);border-radius:var(--ifm-alert-border-radius);box-shadow:var(--ifm-alert-shadow);padding:var(--ifm-alert-padding-vertical) var(--ifm-alert-padding-horizontal)}.alert__heading{align-items:center;display:flex;font:700 var(--ifm-h5-font-size)/var(--ifm-heading-line-height) var(--ifm-heading-font-family);margin-bottom:.5rem}.alert__icon{display:inline-flex;margin-right:.4em}.alert__icon svg{fill:var(--ifm-alert-foreground-color);stroke:var(--ifm-alert-foreground-color);stroke-width:0}.alert .close{margin:calc(var(--ifm-alert-padding-vertical)*-1) calc(var(--ifm-alert-padding-horizontal)*-1) 0 0;opacity:.75}.alert .close:focus,.alert .close:hover{opacity:1}.alert a{text-decoration-color:var(--ifm-alert-border-color)}.alert a:hover{text-decoration-thickness:2px}.avatar{column-gap:var(--ifm-avatar-intro-margin);display:flex}.avatar__photo{border-radius:50%;display:block;height:var(--ifm-avatar-photo-size);overflow:hidden;width:var(--ifm-avatar-photo-size)}.card--full-height,.navbar__logo img,body,html{height:100%}.avatar__photo--sm{--ifm-avatar-photo-size:2rem}.avatar__photo--lg{--ifm-avatar-photo-size:4rem}.avatar__photo--xl{--ifm-avatar-photo-size:6rem}.avatar__intro{display:flex;flex:1 1;flex-direction:column;justify-content:center;text-align:var(--ifm-avatar-intro-alignment)}.badge,.breadcrumbs__item,.breadcrumbs__link,.button,.dropdown>.navbar__link:after,.searchBarContainer_NW3z.searchIndexLoading_EJ1f .searchBarLoadingRing_YnHq{display:inline-block}.avatar__name{font:700 var(--ifm-h4-font-size)/var(--ifm-heading-line-height) var(--ifm-font-family-base)}.avatar__subtitle{margin-top:.25rem}.avatar--vertical{--ifm-avatar-intro-alignment:center;--ifm-avatar-intro-margin:0.5rem;align-items:center;flex-direction:column}.badge{background-color:var(--ifm-badge-background-color);border:var(--ifm-badge-border-width) solid var(--ifm-badge-border-color);border-radius:var(--ifm-badge-border-radius);color:var(--ifm-badge-color);font-size:75%;font-weight:var(--ifm-font-weight-bold);line-height:1;padding:var(--ifm-badge-padding-vertical) var(--ifm-badge-padding-horizontal)}.badge--primary{--ifm-badge-background-color:var(--ifm-color-primary)}.badge--secondary{--ifm-badge-background-color:var(--ifm-color-secondary);color:var(--ifm-color-black)}.breadcrumbs__link,.button.button--secondary.button--outline:not(.button--active):not(:hover){color:var(--ifm-font-color-base)}.badge--success{--ifm-badge-background-color:var(--ifm-color-success)}.badge--info{--ifm-badge-background-color:var(--ifm-color-info)}.badge--warning{--ifm-badge-background-color:var(--ifm-color-warning)}.badge--danger{--ifm-badge-background-color:var(--ifm-color-danger)}.breadcrumbs{margin-bottom:0;padding-left:0}.breadcrumbs__item:not(:last-child):after{background:var(--ifm-breadcrumb-separator) center;content:" ";display:inline-block;filter:var(--ifm-breadcrumb-separator-filter);height:calc(var(--ifm-breadcrumb-separator-size)*var(--ifm-breadcrumb-size-multiplier)*var(--ifm-breadcrumb-separator-size-multiplier));margin:0 var(--ifm-breadcrumb-spacing);opacity:.5;width:calc(var(--ifm-breadcrumb-separator-size)*var(--ifm-breadcrumb-size-multiplier)*var(--ifm-breadcrumb-separator-size-multiplier))}.breadcrumbs__item--active .breadcrumbs__link{background:var(--ifm-breadcrumb-item-background-active);color:var(--ifm-breadcrumb-color-active)}.breadcrumbs__link{border-radius:var(--ifm-breadcrumb-border-radius);font-size:calc(1rem*var(--ifm-breadcrumb-size-multiplier));padding:calc(var(--ifm-breadcrumb-padding-vertical)*var(--ifm-breadcrumb-size-multiplier)) calc(var(--ifm-breadcrumb-padding-horizontal)*var(--ifm-breadcrumb-size-multiplier));transition-duration:var(--ifm-transition-fast);transition-property:background,color}.breadcrumbs__link:any-link:hover,.breadcrumbs__link:link:hover,.breadcrumbs__link:visited:hover,area[href].breadcrumbs__link:hover{background:var(--ifm-breadcrumb-item-background-active);text-decoration:none}.breadcrumbs--sm{--ifm-breadcrumb-size-multiplier:0.8}.breadcrumbs--lg{--ifm-breadcrumb-size-multiplier:1.2}.button{background-color:var(--ifm-button-background-color);border:var(--ifm-button-border-width) solid var(--ifm-button-border-color);border-radius:var(--ifm-button-border-radius);cursor:pointer;font-size:calc(.875rem*var(--ifm-button-size-multiplier));font-weight:var(--ifm-button-font-weight);line-height:1.5;padding:calc(var(--ifm-button-padding-vertical)*var(--ifm-button-size-multiplier)) calc(var(--ifm-button-padding-horizontal)*var(--ifm-button-size-multiplier));text-align:center;transition-duration:var(--ifm-button-transition-duration);transition-property:color,background,border-color;-webkit-user-select:none;user-select:none;white-space:nowrap}.button,.button:hover{color:var(--ifm-button-color)}.button--outline{--ifm-button-color:var(--ifm-button-border-color)}.button--outline:hover{--ifm-button-background-color:var(--ifm-button-border-color)}.button--link{--ifm-button-border-color:#0000;color:var(--ifm-link-color);text-decoration:var(--ifm-link-decoration)}.button--link.button--active,.button--link:active,.button--link:hover{color:var(--ifm-link-hover-color);text-decoration:var(--ifm-link-hover-decoration)}.button.disabled,.button:disabled,.button[disabled]{opacity:.65;pointer-events:none}.button--sm{--ifm-button-size-multiplier:0.8}.button--lg{--ifm-button-size-multiplier:1.35}.button--block{display:block;width:100%}.button.button--secondary{color:var(--ifm-color-gray-900)}:where(.button--primary){--ifm-button-background-color:var(--ifm-color-primary);--ifm-button-border-color:var(--ifm-color-primary)}:where(.button--primary):not(.button--outline):hover{--ifm-button-background-color:var(--ifm-color-primary-dark);--ifm-button-border-color:var(--ifm-color-primary-dark)}.button--primary.button--active,.button--primary:active{--ifm-button-background-color:var(--ifm-color-primary-darker);--ifm-button-border-color:var(--ifm-color-primary-darker)}:where(.button--secondary){--ifm-button-background-color:var(--ifm-color-secondary);--ifm-button-border-color:var(--ifm-color-secondary)}:where(.button--secondary):not(.button--outline):hover{--ifm-button-background-color:var(--ifm-color-secondary-dark);--ifm-button-border-color:var(--ifm-color-secondary-dark)}.button--secondary.button--active,.button--secondary:active{--ifm-button-background-color:var(--ifm-color-secondary-darker);--ifm-button-border-color:var(--ifm-color-secondary-darker)}:where(.button--success){--ifm-button-background-color:var(--ifm-color-success);--ifm-button-border-color:var(--ifm-color-success)}:where(.button--success):not(.button--outline):hover{--ifm-button-background-color:var(--ifm-color-success-dark);--ifm-button-border-color:var(--ifm-color-success-dark)}.button--success.button--active,.button--success:active{--ifm-button-background-color:var(--ifm-color-success-darker);--ifm-button-border-color:var(--ifm-color-success-darker)}:where(.button--info){--ifm-button-background-color:var(--ifm-color-info);--ifm-button-border-color:var(--ifm-color-info)}:where(.button--info):not(.button--outline):hover{--ifm-button-background-color:var(--ifm-color-info-dark);--ifm-button-border-color:var(--ifm-color-info-dark)}.button--info.button--active,.button--info:active{--ifm-button-background-color:var(--ifm-color-info-darker);--ifm-button-border-color:var(--ifm-color-info-darker)}:where(.button--warning){--ifm-button-background-color:var(--ifm-color-warning);--ifm-button-border-color:var(--ifm-color-warning)}:where(.button--warning):not(.button--outline):hover{--ifm-button-background-color:var(--ifm-color-warning-dark);--ifm-button-border-color:var(--ifm-color-warning-dark)}.button--warning.button--active,.button--warning:active{--ifm-button-background-color:var(--ifm-color-warning-darker);--ifm-button-border-color:var(--ifm-color-warning-darker)}:where(.button--danger){--ifm-button-background-color:var(--ifm-color-danger);--ifm-button-border-color:var(--ifm-color-danger)}:where(.button--danger):not(.button--outline):hover{--ifm-button-background-color:var(--ifm-color-danger-dark);--ifm-button-border-color:var(--ifm-color-danger-dark)}.button--danger.button--active,.button--danger:active{--ifm-button-background-color:var(--ifm-color-danger-darker);--ifm-button-border-color:var(--ifm-color-danger-darker)}.button-group{display:inline-flex;gap:var(--ifm-button-group-spacing)}.button-group>.button:not(:first-child){border-bottom-left-radius:0;border-top-left-radius:0}.button-group>.button:not(:last-child){border-bottom-right-radius:0;border-top-right-radius:0}.button-group--block{display:flex;justify-content:stretch}.button-group--block>.button{flex-grow:1}.card{background-color:var(--ifm-card-background-color);border-radius:var(--ifm-card-border-radius);box-shadow:var(--ifm-global-shadow-lw);display:flex;flex-direction:column;overflow:hidden}.card__image{padding-top:var(--ifm-card-vertical-spacing)}.card__image:first-child{padding-top:0}.card__body,.card__footer,.card__header{padding:var(--ifm-card-vertical-spacing) var(--ifm-card-horizontal-spacing)}.card__body:not(:last-child),.card__footer:not(:last-child),.card__header:not(:last-child){padding-bottom:0}.card__body>:last-child,.card__footer>:last-child,.card__header>:last-child{margin-bottom:0}.card__footer{margin-top:auto}.table-of-contents{font-size:.8rem;margin-bottom:0;padding:var(--ifm-toc-padding-vertical) 0}.table-of-contents,.table-of-contents ul{list-style:none;padding-left:var(--ifm-toc-padding-horizontal)}.table-of-contents li{margin:var(--ifm-toc-padding-vertical) var(--ifm-toc-padding-horizontal)}.table-of-contents__left-border{border-left:1px solid var(--ifm-toc-border-color)}.table-of-contents__link{color:var(--ifm-toc-link-color);display:block}.table-of-contents__link--active,.table-of-contents__link--active code,.table-of-contents__link:hover,.table-of-contents__link:hover code{color:var(--ifm-color-primary);text-decoration:none}.content_knG7 a,.hitFooter_E9YW a,.suggestion_fB_2.cursor_eG29 mark{text-decoration:underline}.close{color:var(--ifm-color-black);float:right;font-size:1.5rem;font-weight:var(--ifm-font-weight-bold);line-height:1;opacity:.5;padding:1rem;transition:opacity var(--ifm-transition-fast) var(--ifm-transition-timing-default)}.close:hover{opacity:.7}.close:focus,.theme-code-block-highlighted-line .codeLineNumber_Tfdd:before{opacity:.8}.dropdown{display:inline-flex;font-weight:var(--ifm-dropdown-font-weight);position:relative;vertical-align:top}.dropdown--hoverable:hover .dropdown__menu,.dropdown--show .dropdown__menu{opacity:1;pointer-events:all;transform:translateY(-1px);visibility:visible}.dropdown--right .dropdown__menu{left:inherit;right:0}.dropdown--nocaret .navbar__link:after{content:none!important}.dropdown__menu{background-color:var(--ifm-dropdown-background-color);border-radius:var(--ifm-global-radius);box-shadow:var(--ifm-global-shadow-md);left:0;max-height:80vh;min-width:10rem;opacity:0;overflow-y:auto;padding:.5rem;pointer-events:none;position:absolute;top:calc(100% - var(--ifm-navbar-item-padding-vertical) + .3rem);transform:translateY(-.625rem);transition-duration:var(--ifm-transition-fast);transition-property:opacity,transform,visibility;transition-timing-function:var(--ifm-transition-timing-default);visibility:hidden;z-index:var(--ifm-z-index-dropdown)}.menu__caret,.menu__link,.menu__list-item-collapsible{border-radius:.25rem;transition:background var(--ifm-transition-fast) var(--ifm-transition-timing-default)}.dropdown__link{border-radius:.25rem;color:var(--ifm-dropdown-link-color);display:block;font-size:.875rem;margin-top:.2rem;padding:.25rem .5rem;white-space:nowrap}.dropdown__link--active,.dropdown__link:hover{background-color:var(--ifm-dropdown-hover-background-color);color:var(--ifm-dropdown-link-color);text-decoration:none}.dropdown__link--active,.dropdown__link--active:hover{--ifm-dropdown-link-color:var(--ifm-link-color)}.dropdown>.navbar__link:after{border-color:currentcolor #0000;border-style:solid;border-width:.4em .4em 0;content:"";margin-left:.3em;position:relative;top:2px;transform:translateY(-50%)}.footer{background-color:var(--ifm-footer-background-color);color:var(--ifm-footer-color);padding:var(--ifm-footer-padding-vertical) var(--ifm-footer-padding-horizontal)}.footer--dark{--ifm-footer-background-color:#303846;--ifm-footer-color:var(--ifm-footer-link-color);--ifm-footer-link-color:var(--ifm-color-secondary);--ifm-footer-title-color:var(--ifm-color-white)}.footer__links{margin-bottom:1rem}.footer__link-item{color:var(--ifm-footer-link-color);line-height:2}.footer__link-item:hover{color:var(--ifm-footer-link-hover-color)}.footer__link-separator{margin:0 var(--ifm-footer-link-horizontal-spacing)}.footer__logo{margin-top:1rem;max-width:var(--ifm-footer-logo-max-width)}.footer__title{color:var(--ifm-footer-title-color);font:700 var(--ifm-h4-font-size)/var(--ifm-heading-line-height) var(--ifm-font-family-base);margin-bottom:var(--ifm-heading-margin-bottom)}.menu,.navbar__link{font-weight:var(--ifm-font-weight-semibold)}.docItemContainer_Djhp article>:first-child,.docItemContainer_Djhp header+*,.footer__item{margin-top:0}.admonitionContent_BuS1>:last-child,.collapsibleContent_i85q p:last-child,.details_lb9f>summary>p:last-child,.footer__items,.searchResultItem_U687>h2,.tabItem_Ymn6>:last-child{margin-bottom:0}.codeBlockStandalone_MEMb,[type=checkbox]{padding:0}.hero{align-items:center;background-color:var(--ifm-hero-background-color);color:var(--ifm-hero-text-color);display:flex;padding:4rem 2rem}.hero--primary{--ifm-hero-background-color:var(--ifm-color-primary);--ifm-hero-text-color:var(--ifm-font-color-base-inverse)}.hero--dark{--ifm-hero-background-color:#303846;--ifm-hero-text-color:var(--ifm-color-white)}.hero__title{font-size:3rem}.hero__subtitle{font-size:1.5rem}.menu__list{margin:0;padding-left:0}.menu__caret,.menu__link{padding:var(--ifm-menu-link-padding-vertical) var(--ifm-menu-link-padding-horizontal)}.menu__list .menu__list{flex:0 0 100%;margin-top:.25rem;padding-left:var(--ifm-menu-link-padding-horizontal)}.menu__list-item:not(:first-child){margin-top:.25rem}.menu__list-item--collapsed .menu__list{height:0;overflow:hidden}.details_lb9f[data-collapsed=false].isBrowser_bmU9>summary:before,.details_lb9f[open]:not(.isBrowser_bmU9)>summary:before,.menu__list-item--collapsed .menu__caret:before,.menu__list-item--collapsed .menu__link--sublist:after{transform:rotate(90deg)}.menu__list-item-collapsible{display:flex;flex-wrap:wrap;position:relative}.menu__caret:hover,.menu__link:hover,.menu__list-item-collapsible--active,.menu__list-item-collapsible:hover{background:var(--ifm-menu-color-background-hover)}.menu__list-item-collapsible .menu__link--active,.menu__list-item-collapsible .menu__link:hover{background:none!important}.menu__caret,.menu__link{align-items:center;display:flex}.menu__link{color:var(--ifm-menu-color);flex:1;line-height:1.25}.menu__link:hover{color:var(--ifm-menu-color);text-decoration:none}.menu__caret:before,.menu__link--sublist-caret:after{height:1.25rem;transform:rotate(180deg);transition:transform var(--ifm-transition-fast) linear;width:1.25rem;content:"";filter:var(--ifm-menu-link-sublist-icon-filter)}.menu__link--sublist-caret:after{background:var(--ifm-menu-link-sublist-icon) 50%/2rem 2rem;margin-left:auto;min-width:1.25rem}.navbar__items--center .navbar__brand,body{margin:0}.menu__link--active,.menu__link--active:hover{color:var(--ifm-menu-color-active)}.navbar__brand,.navbar__link{color:var(--ifm-navbar-link-color)}.menu__link--active:not(.menu__link--sublist){background-color:var(--ifm-menu-color-background-active)}.menu__caret:before{background:var(--ifm-menu-link-sublist-icon) 50%/2rem 2rem}.navbar--dark,html[data-theme=dark]{--ifm-menu-link-sublist-icon-filter:invert(100%) sepia(94%) saturate(17%) hue-rotate(223deg) brightness(104%) contrast(98%)}.navbar{background-color:var(--ifm-navbar-background-color);box-shadow:var(--ifm-navbar-shadow);height:var(--ifm-navbar-height);padding:var(--ifm-navbar-padding-vertical) var(--ifm-navbar-padding-horizontal)}.navbar,.navbar>.container,.navbar>.container-fluid{display:flex}.navbar--fixed-top{position:sticky;top:0;z-index:var(--ifm-z-index-fixed)}.navbar-sidebar,.navbar-sidebar__backdrop{bottom:0;opacity:0;position:fixed;transition-duration:var(--ifm-transition-fast);transition-timing-function:ease-in-out;left:0;top:0;visibility:hidden}.navbar__inner{display:flex;flex-wrap:wrap;justify-content:space-between;width:100%}.navbar__brand{align-items:center;display:flex;margin-right:1rem;min-width:0}.navbar__brand:hover{color:var(--ifm-navbar-link-hover-color);text-decoration:none}.announcementBarContent_xLdY,.navbar__title{flex:1 1 auto}.navbar__toggle{display:none;margin-right:.5rem}.navbar__logo{flex:0 0 auto;height:2rem;margin-right:.5rem}.navbar__items{align-items:center;display:flex;flex:1;min-width:0}.navbar__items--center{flex:0 0 auto}.navbar__items--center+.navbar__items--right{flex:1}.navbar__items--right{flex:0 0 auto;justify-content:flex-end}.navbar__items--right>:last-child{padding-right:0}.navbar__item{display:inline-block;padding:var(--ifm-navbar-item-padding-vertical) var(--ifm-navbar-item-padding-horizontal)}#nprogress,.navbar__item.dropdown .navbar__link:not([href]){pointer-events:none}.navbar__link--active,.navbar__link:hover{color:var(--ifm-navbar-link-hover-color);text-decoration:none}.navbar--dark,.navbar--primary{--ifm-menu-color:var(--ifm-color-gray-300);--ifm-navbar-link-color:var(--ifm-color-gray-100);--ifm-navbar-search-input-background-color:#ffffff1a;--ifm-navbar-search-input-placeholder-color:#ffffff80;color:var(--ifm-color-white)}.navbar--dark{--ifm-navbar-background-color:#242526;--ifm-menu-color-background-active:#ffffff0d;--ifm-navbar-search-input-color:var(--ifm-color-white)}.navbar--primary{--ifm-navbar-background-color:var(--ifm-color-primary);--ifm-navbar-link-hover-color:var(--ifm-color-white);--ifm-menu-color-active:var(--ifm-color-white);--ifm-navbar-search-input-color:var(--ifm-color-emphasis-500)}.navbar__search-input{appearance:none;background:var(--ifm-navbar-search-input-background-color) var(--ifm-navbar-search-input-icon) no-repeat .75rem center/1rem 1rem;border:none;border-radius:2rem;color:var(--ifm-navbar-search-input-color);cursor:text;display:inline-block;font-size:1rem;height:2rem;padding:0 .5rem 0 2.25rem;width:12.5rem}.navbar__search-input::placeholder{color:var(--ifm-navbar-search-input-placeholder-color)}.navbar-sidebar{background-color:var(--ifm-navbar-background-color);box-shadow:var(--ifm-global-shadow-md);transform:translate3d(-100%,0,0);transition-property:opacity,visibility,transform;width:var(--ifm-navbar-sidebar-width)}.navbar-sidebar--show .navbar-sidebar,.navbar-sidebar__items{transform:translateZ(0)}.navbar-sidebar--show .navbar-sidebar,.navbar-sidebar--show .navbar-sidebar__backdrop{opacity:1;visibility:visible}.navbar-sidebar__backdrop{background-color:#0009;right:0;transition-property:opacity,visibility}.navbar-sidebar__brand{align-items:center;box-shadow:var(--ifm-navbar-shadow);display:flex;flex:1;height:var(--ifm-navbar-height);padding:var(--ifm-navbar-padding-vertical) var(--ifm-navbar-padding-horizontal)}.navbar-sidebar__items{display:flex;height:calc(100% - var(--ifm-navbar-height));transition:transform var(--ifm-transition-fast) ease-in-out}.navbar-sidebar__items--show-secondary{transform:translate3d(calc((var(--ifm-navbar-sidebar-width))*-1),0,0)}.navbar-sidebar__item{flex-shrink:0;padding:.5rem;width:calc(var(--ifm-navbar-sidebar-width))}.navbar-sidebar__back{background:var(--ifm-menu-color-background-active);font-size:15px;font-weight:var(--ifm-button-font-weight);margin:0 0 .2rem -.5rem;padding:.6rem 1.5rem;position:relative;text-align:left;top:-.5rem;width:calc(100% + 1rem)}.navbar-sidebar__close{display:flex;margin-left:auto}.pagination{column-gap:var(--ifm-pagination-page-spacing);display:flex;font-size:var(--ifm-pagination-font-size);padding-left:0}.pagination--sm{--ifm-pagination-font-size:0.8rem;--ifm-pagination-padding-horizontal:0.8rem;--ifm-pagination-padding-vertical:0.2rem}.pagination--lg{--ifm-pagination-font-size:1.2rem;--ifm-pagination-padding-horizontal:1.2rem;--ifm-pagination-padding-vertical:0.3rem}.pagination__item{display:inline-flex}.pagination__item>span{padding:var(--ifm-pagination-padding-vertical)}.pagination__item--active .pagination__link{color:var(--ifm-pagination-color-active)}.pagination__item--active .pagination__link,.pagination__item:not(.pagination__item--active):hover .pagination__link{background:var(--ifm-pagination-item-active-background)}.pagination__item--disabled,.pagination__item[disabled]{opacity:.25;pointer-events:none}.pagination__link{border-radius:var(--ifm-pagination-border-radius);color:var(--ifm-font-color-base);display:inline-block;padding:var(--ifm-pagination-padding-vertical) var(--ifm-pagination-padding-horizontal);transition:background var(--ifm-transition-fast) var(--ifm-transition-timing-default)}.pagination__link:hover{text-decoration:none}.pagination-nav{display:grid;grid-gap:var(--ifm-spacing-horizontal);gap:var(--ifm-spacing-horizontal);grid-template-columns:repeat(2,1fr)}.pagination-nav__link{border:1px solid var(--ifm-color-emphasis-300);border-radius:var(--ifm-pagination-nav-border-radius);display:block;height:100%;line-height:var(--ifm-heading-line-height);padding:var(--ifm-global-spacing);transition:border-color var(--ifm-transition-fast) var(--ifm-transition-timing-default)}.pagination-nav__link:hover{border-color:var(--ifm-pagination-nav-color-hover);text-decoration:none}.pagination-nav__link--next{grid-column:2/3;text-align:right}.pagination-nav__label{font-size:var(--ifm-h4-font-size);font-weight:var(--ifm-heading-font-weight);word-break:break-word}.pagination-nav__link--prev .pagination-nav__label:before{content:"« "}.pagination-nav__link--next .pagination-nav__label:after{content:" »"}.pagination-nav__sublabel{color:var(--ifm-color-content-secondary);font-size:var(--ifm-h5-font-size);font-weight:var(--ifm-font-weight-semibold);margin-bottom:.25rem}.pills__item,.tabs{font-weight:var(--ifm-font-weight-bold)}.pills{display:flex;gap:var(--ifm-pills-spacing);padding-left:0}.pills__item{border-radius:.5rem;cursor:pointer;display:inline-block;padding:.25rem 1rem;transition:background var(--ifm-transition-fast) var(--ifm-transition-timing-default)}.pills__item--active{color:var(--ifm-pills-color-active)}.pills__item--active,.pills__item:not(.pills__item--active):hover{background:var(--ifm-pills-color-background-active)}.pills--block{justify-content:stretch}.pills--block .pills__item{flex-grow:1;text-align:center}.tabs{color:var(--ifm-tabs-color);display:flex;margin-bottom:0;overflow-x:auto;padding-left:0}.tabs__item{border-bottom:3px solid #0000;border-radius:var(--ifm-global-radius);cursor:pointer;display:inline-flex;padding:var(--ifm-tabs-padding-vertical) var(--ifm-tabs-padding-horizontal);transition:background-color var(--ifm-transition-fast) var(--ifm-transition-timing-default)}.tabs__item--active{border-bottom-color:var(--ifm-tabs-color-active-border);border-bottom-left-radius:0;border-bottom-right-radius:0;color:var(--ifm-tabs-color-active)}.tabs__item:hover{background-color:var(--ifm-hover-overlay)}.tabs--block{justify-content:stretch}.tabs--block .tabs__item{flex-grow:1;justify-content:center}html[data-theme=dark]{--ifm-color-scheme:dark;--ifm-color-emphasis-0:var(--ifm-color-gray-1000);--ifm-color-emphasis-100:var(--ifm-color-gray-900);--ifm-color-emphasis-200:var(--ifm-color-gray-800);--ifm-color-emphasis-300:var(--ifm-color-gray-700);--ifm-color-emphasis-400:var(--ifm-color-gray-600);--ifm-color-emphasis-600:var(--ifm-color-gray-400);--ifm-color-emphasis-700:var(--ifm-color-gray-300);--ifm-color-emphasis-800:var(--ifm-color-gray-200);--ifm-color-emphasis-900:var(--ifm-color-gray-100);--ifm-color-emphasis-1000:var(--ifm-color-gray-0);--ifm-background-color:#1b1b1d;--ifm-background-surface-color:#242526;--ifm-hover-overlay:#ffffff0d;--ifm-color-content:#e3e3e3;--ifm-color-content-secondary:#fff;--ifm-breadcrumb-separator-filter:invert(64%) sepia(11%) saturate(0%) hue-rotate(149deg) brightness(99%) contrast(95%);--ifm-code-background:#ffffff1a;--ifm-scrollbar-track-background-color:#444;--ifm-scrollbar-thumb-background-color:#686868;--ifm-scrollbar-thumb-hover-background-color:#7a7a7a;--ifm-table-stripe-background:#ffffff12;--ifm-toc-border-color:var(--ifm-color-emphasis-200);--ifm-color-primary-contrast-background:#102445;--ifm-color-primary-contrast-foreground:#ebf2fc;--ifm-color-secondary-contrast-background:#474748;--ifm-color-secondary-contrast-foreground:#fdfdfe;--ifm-color-success-contrast-background:#003100;--ifm-color-success-contrast-foreground:#e6f6e6;--ifm-color-info-contrast-background:#193c47;--ifm-color-info-contrast-foreground:#eef9fd;--ifm-color-warning-contrast-background:#4d3800;--ifm-color-warning-contrast-foreground:#fff8e6;--ifm-color-danger-contrast-background:#4b1113;--ifm-color-danger-contrast-foreground:#ffebec}#nprogress .bar{background:var(--docusaurus-progress-bar-color);height:2px;left:0;position:fixed;top:0;width:100%;z-index:1031}#nprogress .peg{box-shadow:0 0 10px var(--docusaurus-progress-bar-color),0 0 5px var(--docusaurus-progress-bar-color);height:100%;opacity:1;position:absolute;right:0;transform:rotate(3deg) translateY(-4px);width:100px}@font-face{font-family:Poppins;font-style:normal;font-weight:400;src:local(""),url(/kr/assets/fonts/poppins-regular-f61407da33b59324fbefe468ce6917ab.woff) format("woff2"),url(data:font/woff2;base64,d09GMgABAAAAAB7MAAwAAAAAP6AAAB54AAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGx4cLgZgAIFUCudM0jYLgzYAATYCJAOGaAQgBYNcB4QLG34ysyLYOAAgoXcUUbVZLPs/JHBDBr6G+hIpYlQoaayFQFiGbR8DjCviFJxE41HqT/OOXC0/Z9GQVQfAWhGOAF/O89SlbJ4fIclsS0SNUfbMPgE5dhgAVqioPNrYqNhUZCQIRaCBLIK83W+vy6VjrXTMAYfFIfS65yPR0ziMQaj0M56vY3h+bj1EaSMJC9jIVbCMv+2vgv0FSxg1alhIGl2gBxecx4xqvCi9NvP2XXsT27xJRGharfanif3dB1IbH7D/n1vvG1gi90J+0acoU3UyzKzznZ8Q8S/KSQdFE/HKrFSrbCW+EZMGJ/JOrWFOCzJcLDcqMIye7xUDVgJSUf//a37amcAiFDGyIExnC3pkybH+6s19gXl5eXMmRB9Ln2eT0vLklZIpALkqpMkyJiUkt25tgVyFkF8WZYV0VRkTScF3O1cffLfDNqsTWFV2rwUPIfjECpG7lz5AAVbIGyfmmutgE0hgB8wJNaQ30lgYP+3xQCMZjDoEDzyVUi580bg7SwwCfbU2wM1JQR5DDgSJxZ7llnqObrxHpgXHgAOb7RkL2/gXhVu/D4DXAHqoBwD7DAQKDGCTWIoEB7JEnap7PP3Aas/+DynGHuqZ3u8P+0ZRlopUoQZt6CZzX2tbJVpJTFb5OJJs6W/YeiSlKS9d/6ya+d/8fZ6YS2ftgn326bdP//3yrm98rcc+6yxV+PO3P/P9e2I8D/za2srbgL+A1V8AG18HMDYA+dea0d4dnI0DUjAxhECe4VuLDc7VmwqwYTiuFzfuViWi6aNC0Z4wRhGs1DQggom7F3EXA3Uj7WxnxPmMGXjAq72EYaM9d+AG6ziGD0E2Ej5mwCsAOBXGWG1AYIJtCLwQDEeD1BqU5mmQH15SfTnMYUKO6QE/4F8j1ltms2QsVoSSz4WUYkelXQ/7kGlFRAxAW5s6qQqGsbVQl+8GCZsOFLXw0ul+mnssHngMiMV+wiHwzdVDGrfpDWLDkN8ewxN6ZRvyKaQ6K04Nqc6B6o8yc2SW7XOOuk1FcKA/XlsYa6voyRGelb8acI8ZbnoE+I9bLYFYSdUlo6Miyo+OYJqnPAsyYlzDkHe2VlOgYQcrDqbWBQEPfr7lShm/dUdxu7Up8/IxDbSiNG8zdthTYufBq+u76tI1uHc3vs7tLencpdyDGVdkPq4cQvLkEMhSXsY0J+4dQu0yRz7TZW7mccfhw18fQHPvvAbszInsG2aKiyHGmqz3Yvm3u8vmFpjxaPQezfuYJlpv3PN2ELEgVO3vPWKl2Ow/IpRJqDdPE8JqY3cYGuq1ECiB1yW0RVSa66GOdCXTLnh+xxeZ2xOqquVBgJFiAV77CqaFeYl2Q3S3BeKrdnAR3ZBPYM8o7ibQuBGK9xO3wKqYDmUkxZX+YNiXA09cBmjYPgA3eC8JPjEQxkjfWNFnGY2x+ej0ZGhv9VXwYAX9XZ1h53rzljTYf774b0vaBdtfcXWQxtyLpkaMb6v1GUsdrpV5ajkXRww17Pu1Ak3yTzYCGLr8Iara73lF7Cb+vtFNzajk4iaA8ltEQiOf66wxQAem4oXOWNTna0SswZSLr69zS/jeLLVejEOPPrPCBwhciHFchPFxIsHeTycPj9TzLzASCiQQ3wskAX5KdXKVa1sfQ/sqkMZ64u7bhwtw/U8GOoEbFSSWFLQnxd1WqtNBLxi8rBazf8BSfI/jBekq6kcBa1EXlt6oSzrtaXe+aXn1zDSw+t2F0YBoSCOqvK6Ty82lpKxNRobfRmluFw/KDLgqURpESW0OWpuaXaHkb7VmE8MOcR+a/dhsTsOYCArwsIQcjWl06SjVvNzhISxlLRqvol7V9Uvp5h+XUC6iUmapwuGiAxeC1khAQZdBxgFmUTC3Z4yjPVCczdRKlpb1KicmRnbBwTOOKbXkmmPFA5OJDMkKWz+t9i6mbI/as3b5+7k73N1wNPu9xjdrpg+sMm01qiKDGA5cKAYnIcm+Qfh+uhwzPoM6yGjV7B60MOvA1XEKSqIe0eUd09HDQqAknanN3NpKivMX9BiYBbda9g9oXcV/PqUdinIHcm/0xF16f7v01DQjzirvp4PZFBDVvuQsuKo43h6x4onbhb8L/aorsWA7vreavOxZrXrFsTJEMSfmbtxnkGGNSLjUx4n7KqyizvGq3pG6UbpMYLQKzia0LJaGR1CpXzjijsrdmFQNi3l3ZYBXuX+Llw+XK27BoJFUN5uJGbP5AMzwbSAAsF0Rv6p1ZltdaUBWVzRXCpFiUgwe6Baj927ntwXVUyMpM/vud4ksUyM6kqSZVDs0S3iuldjWchysX2vbV4o/Pz8amoTijmvhaPWLd9VIgu1A/oldyDH0JWVzJzxjd0w6fMbXH0zOZ8+5usPgm5jaIvuHGYtiiiYCEnuoL1AdNtUB41RrTZ7Prwsb3D4W0uh3f+8i9Y0bosq9ebt7S1nLbRmg04XpC671CTyK/OjbeAPmgF2YeccypeMa1gKZ9E8jw7TT55F7FR2oTczlzcGotU+MVuoqoXw1TPk9a1bQ3tfBEjN7MCtjyfklpqmKJbbc34qhy8Q7eToWpjQGEGGJrZnakycxfRbZY43YyZIvHGjmrkwH3GX9ieY2bjaGtjSmpnJoafqeSCs7vP/AmRVQ5uYueAgyd/6U8/Ce98r/4CsiEQrURcQ8yxIrH6kYK037PryUXX1DSGoin9hSaDQjFAbj+CSei/XKrsvfazl9OA8ULAsnF+SYtWHLOyPlaySB9McWn9vqi5Rydc4BO8Wx7X4x481Yc106vl4c+4xeZM3i0C7U4fBplHqWdJI9w+dIizb5C8c3+c+W/s1fAWyvmjjcoH8R8PSKF/buAQYf8Vni2k1zcVt5+eRRTQvCvnyhGrvdSHxMpO0f+ipWFcWyWH3YgmF3OGGrEXByld91/lvL+Y5FK7ufR6crNdA/dFvx3trsWXx1L772EFa64hj34WLmJ78Qxmfiq3ku6j9tjemYFnMBbJS2VsycEIoo1+qL53Lh/wMrVnnuOnTikosR+44dGJUxlM41kdlU4FBuwQ31zIAn1EjHa7nrvNj5pOtpV0HbfVdql/aCfyuO6xX04YiLwnDUwrSZlLWD5ZDYebCxYV9c+xxqTqCguAXT+t+Kts5OICnYBGqxYfM2RfN3UMFKB0aj7MClv7cY2Vv0Qy834/a5ps7PZzGMEF78qaPzfxjAib6kF/C4RcYRSkaGno7qZohKB/HLxyWd4Sef+fFgBxou5nwzT7e+8KwV9AakNuq6Xfl63b7m+boXN6rX5w0wZBHB4mAKYvV0vT2+1g/UHmZV6nvRMD2KqRLoa0LOQUa60RRX6opXeUSMPS+FwwzZDJUwMmp5zZ/Ue5QfD3CEeFJv+D9QUK/XCQR6nUSaGKTyuSui9n1+07HVeHw4O7sGh2/O/u9whaDLSnT6BoZqRzMe1zw4mt9WwG9H0PVkBVRN4bgFCkO1buKro7lYrMyYV0TXFuQpxyMJn3PzU1AT4suuXhsrrvXqFw4u2bBhvtBSUHHpcguxnG1SS0D8N+OSz/BTzoA7SHnWnn01hWUl7sRwWU3u5vXl6cFQohsQoomCHn39Zh/FkI1yKK/v2/PtN+Z2gvaNKME85nxGjmiydegq1ZBVk2254nnMeUVo0TTb0NXwsNXAJLt9z3zvlvpWv7n/NuiaHk7hQilAO0gac88Y2T0cbbMPH2UD3HHhYwvms8e+nvDx+Qt22LPBMmayTCGWINnAah8zRZeIgfBHzw5yWoyHbjpawVfdi9u9i6RCnlImUZoGyGyx4ZYpgdLJtX6jd8P0Ro/GBv8qBKLJLaVBiZdINtJ4suIFgwRDVU6YSbGXUhTls6vjA7YKo0omgyCWyicMpMJpCHCyeDQJX8BT8QPFIG+L1PWw6ge/1r/VvjX2YkrTYJDU4X4QLs6nGksl2EouRKutFhpCbRWDi4vPGfkCrdal0WhNGpqGPNay5htwYGV9sXUO2OArZ4lKp7bUSqgV5Xy4tB7BbZ0UBt5wKFFn+nqFKhsvo8BWl0FmsCg1WpsavJ8/er4jvb1dcx/MXcg2cug0SzkZhrFUdAudxbWYbkAusZBf0kCF4Toq7IRiufv6kLtaoUyKufMYBrFIbJAwfj7hlEgFdvX6yixWC8SITAUOzYG4PKOmLWYt7CFzxGV0dkhVMa29bkHNt73N2O3lZmewtireZLq61GyQq4wILDNYIYXeqgGS2U8fPn1Q/+zBs4eg8n91VMffGbLAaciS+u474Tk+JewKtfnDA1za2I3jfWG2kSOXcnkyEcvCodm9JKHtrOj7sJ7W7UbrKp+WssRbLCLrWf+4SDTY4tCqeG1hjdydKf9CS8rMHsah5bNU4+sYHRsWL550pK7i7BTQsXnRIpc867ANXVGxTWdb5V/Y9tcfM5dIBCoqxk6nMgRUIsTIc5BpTgr4ax2xaF3Jh97Q+94S/YPp7ulucLXkV7SikEYzBYmygdH3ch+epCXzRDpPDHqtQMqm0bhZtPpB9lQ7k6UViTe93goKTyDbNiGeus6qXH/VlUoxrKgXC5tMRiD5V6SAK0VXqnJ9nZV1nk12ZGsQrO7bZbJtrKiwbdhlqOuP9s+qWriorX3R0lnN6Gawu/rvz6rPT8epJh2YpAJ3+pSEf18rX7OQKHA8vlQlUigaRKImg0E0rUGkCHZMSSodo5wkizcji1YaHJ7NdsfWYNCxbbPdE+6qyvWBQF8U4fg4SBQh+8hgd18UiYK9fbGWUNBqC5UhyAAChTKOEAvOTuDykCginiiqZzt4CNiteKnURhFAGtDbiwx8GCv4Y+AgpNf7P3uy1SJVhRjkAFJVUIiAvLjNdse24VQvbYBsLS1FNDcvpGkQi6YbTaKmerFSCQTdZLSR/z2sABNWNtZNnYVCor82Tq2172iWC7ltK2aBWWBax7x5OJqns0n91s0wrqc7tJDVWsHz7QoO7RxXPR6J/qqtpNEQNmSoMgzvRrUGZikVEJcHiVWzwIO4SiLXkuARyEQSoVJAyf9KmN4sGW5AsWAhk2ktI0i8TZ54nV+u4HCZchYtt+evxZIRRjQbFlFoxaEiCLzrUx4JI+GjSrCzL+q0F+t1bOeMIn1WaWMjU6lUNpJGax9Y0BfXFzIpz32beToBe1n0fF9wK3E30Q9ORD2rNbs1wc3wGhiEkNtI6a6hm4YGbiG3HcHdwzYPCwJq329fxSPxv38V2Fui6gVrNSbtMUifpdEegMDI5btU7vNuuLcEHOwcucJmp3aQFe2FA0+7qhe073H9k2z+N9n97XrQlGMaZQIPl0hu1WpBYam4uVGqgELcTX4H2hHsKefJFRG5uM14lUNCTEQKxUiQdh6f5DA+yEZUJw+cfFzBlSojUnGzyShua5Qr5OXcngDyAMmtr/ieIlDIX5rJDi6PFY0jyh+i5slSTaDdM8riva5jcjTucq/PXaHhaIt+9442dvh9mlxe3GKZTFWloIp1NdvxwFG6JaR2R+OrSZCC3T9Q57dDbA39k3e0psPr1UyVSlvNZnHLVIlOM0ksaFQ5ZTilJpcoLbHGqe0Ac6++H+mXq+R5DpcpBHOG0PPqQQRbjsGqE1X8hkahtnJxIMVq/9XJEalcTnN9T4g/CmrC6xxd/H4s63gdzkdlhGCxnW7QW+SQqdhCQB4gQzpdODbwNO1eE2BsaAQNfE0v/+uyYF8oFGI5TZ2b+wi9FgEtd549/5/dNzeet8QMGzAC7P6dJnsAyAPwPiqT+63qLFK50W7B369lBI1ou+y4ImmIuz4U4gvBQdy0yXVjQdml0nQ6cAzwOKFJKms1m6DW6RKNhmuAWsxmZWuLVEPUmnFURCSiIEYsiWzAkp4NxERE3wpOPCqXhkn0qsy+U4+EkHwkUF8JIFBV/ukLsdDvyHeENlbwISgCfcPRdzaKwJW2dlchgkaKwdUEXyETznIxJBQG9TAK/Vw07CqcSRfQCklSJJ+NhJFYLVL4O420NntstuS/HsUEdQyOJLfns8HBe+L8YYVitQFWSXViuUo+D5m3WAXIKDSiX+vAMwQBKisEC+00vd4iVxiLLTiQZuy86rmDKt9tvIBch+5CuTq+Nv8bdO1FOadfnH3ROePStEugou1i00X3l0O/HFnadmHaBXfPkC9HATRq1PZcV0X8D+MDew92HgRLlINVEVXiogRlrRKUrQmMsOQmIokeLKRTSVjagjxD/vh405BEN5ZGlVUMqKDKadhE95B40/h8Q16BliXRqSBsoicRybUERoAjIWQmAj7z2B3y3Sq7r3LAm1s/dtvW5kfDM0RcSdrSSEbt8eafRmYYuGLQTVFJmqGedRVcgJNeeEGzFqZvMScoajyWOBfdVZEwaUFFBTcnOOgOD0VexgmQ+aiqiAu7SiwWlxsGmQr4yItN+WZ+RketADnxU66A7vJSBMGqSGyxKUMk57MgsSzr/t0Tgu6ODLcMBoc5n7rmHnzE4uzrWtv1I4f38eLaS/vY7EOXTJ3J/DmRI0VFPZjCRQzGdAxY1TxXtC9me9458bmNyMbDLu+bvTGiuTuYwS739vwEQZx4LDIVsSch0xAQlS8mYIhyRwHP0WCJUSOc3Ux6Fyb9lDjzZSDLa5QxZBbRiPxF9RvyHfXWAZg9Iw4UZGyZ9dKf6atVahaP+lCrF0rFGhGRrOdLJBohEdCqHo0Z83jM6Me0waPRC35Uf2rhaDMGPDu60W7ZUlrKSPRAEMSqRevcg468uRrFQpdTsWiu1umYoyXd6bLt5mgcXIO3iFkmk2lbL4OjqtKNFJvGG5ArZdbqUBMH+/6saYSsSg2DTClGr8ISCCL0YC7kgjgf+7njiTAeY6ApmXwxgcgXMZmwIRL4QiZYMMndXY8o9naPQFzdQfv30gBnzy1kwX0IMI4jVIqDxaI4JcxiT6JTcBjZ8hobolBwClJYCODpLN7faiky/ELQDtdR75Zkd0xsTCtI/jc5+Z/kAlBzSlIiAWPtXrdG43FraTitDkPRlJToUhksAQ6rloLJXoTDHWWBtsn7b6o/qW/vv61SXeYu3deCzHXsGGqlNSlz/NjLqWldeYoJYjabKeHjcw/EaorAxEUQncVQsTETUr8bEFVOKICLuByoiAyxEseOS05Lw4zDEAvGp6elfhyX8adYCh4euVUrudUEilBoxL/SRefmi8YLWPZ8O9ZqQuRyQ7GFAOL0Veoq/YTkyKSw3T65tuE9+I4hpRAJ4iJ6PduT9Xta6u9Z5ClcIUibzWgugfJBppSgN2GpNCOWDHQa0WDCYaABt6J5TIEQT+AJ2SyugIAXCplgRa63u3i182O6PfcxkMPj3n1BikQtkejuBqIUkn5XuPGZ5xEx0l3dHQbFs+m1d/624sqotSp6sWU99kDMHISWGVFzR3RVA2FAF+GMPozjOVdbz/ra9wpgap98lH18lQFF1idb1vnmRXughsXLf1sGbkDh6u1GIasq/PG0Let451bZBy1zGDd4gwHvGUFngFtXbT/JarJS+2fWLVzW3r5w6azmf46Zjv3bDH5ZuWlVDzYt69ev2wD1ICbfuAks1HXjmqAQcub8mtyTPLGyJLQZP00eEPqykwfP0eXVi8UMTwDYEVNOg8KnXu8wAyYM9DELliEHkKWzrj5wO9sgCZcHSVWz4mYB9sLGhgapF0dWYYkE0bJdTcPG/CwYDaUKYTbktxVbq9xxRkdmJ5mQnoc+6NFlSNh4lFEwIXkcTkLmLF6Si5CA8FkK46ScptHmYQVG+o/e0ZoWr1tcwz1Vrg3dqOBJPYnaJc2TpLC4jDEwAAdkVfPgBgm/EXIK8LAunwSVIXGalj5yhtY8J5kBtWLf6YaMVDd4rXFkEdw5FZK4EMSaqjV7Xr+bwPj+WEi+pFmh1zbJJO1mo7R5ihSexEUmuiRwG4bsnPi51VlnbsdQnBMRrYlAdgqFJKcRTyYb8ES7UERw6YlkQI1XqGv/WKf+rP6DmTsyGH7zZbaH5VPMzKOgbxTKNa+yvexwY6YBBaNHeMOJTkS9lfkYqTCc+co+FJFCj+sAx/8sl0CBxucJCsk6m5C/EGq98xDZjfKplvpB+yf5p5djocbFufI5aptrgx3ZFixFtsoinLa5qlzZ/Eb5WEdQNO2XhRHTDAat4Wen2QLB9RRGb6ze7VBwwsmP41M2yJ5MnCpTaaaFS7UpJ0uHfI5IYU2jWBhRbn5gxlOcIhHZYcKRSAYmjulpcOjxpDoUTqPJJ8pLkIF6O1jfOc8EzTPMNUDgwepzeFw/gdCPw58jKh6npj5OT38yLc2TdJC6VJo/ch+m3z54eARN1ZtfG1wa966glkAODRSvUA9RA/LSleof1WD67aD7NyGw9wWGDQWAWceEBWcM/lYc/eG3eBCjLvTzScHaGzIZhfq2oVxGpZRYDvO2ZgBvoyuiyP5uBMNUlcJLlTm+zsraxm/asio9AmNBRnqekV8yGiqpnsXR1nZW5fgrL1cIYVOTOUP1H/9jXvp4+gfBv+MUTQY9SDv6nGHOh0Ce5WBRiRh8rvxMqRgQKypxViaFk8D9FerF6lMIqMvvwAHDAUtvWvKWPFZmnZYvDBDaDlS4PB2b3Z+c6F7tsqUpKcvFfrnlC7nx7eize858uTZVynLhG214nVi5nq+lLJf582gzf2KkSTkPOckX1IkHKcvFU7nlr9HGk0oGJlKGlFHJQIFxqJxbRAkZaLoCpKQsF9/JLT1yY//os34nJNe+lrJcrB9trBVPXKH0/5e7YBn5YZD5nukn49zEDFg0HRIfSVkudsotG0cbO5gNhEMBkDJwCABmEQFzULGVBE9QeGFk/XUdNNzBZGAmCcWXYvQwLy8Bz4Vxusj/33zzkJJ5CbAC5XxWws73djVb6qx1qqiyb4uQVJ1ZLgvoK2Nz4m5zF7vLGnaCGsh7Y7O7zVgmHvgWfgjPp1AX5wbOV2LAiI/9/CiGme/6J3iJqy0AI8uoRBsH3G0InSOBnmW9hje1jiFkaJ+6z7G7xEliQpoAGdqn7O7UtSHgXQLKeUEBALvA8yLMY3QytG/cVxvyE2i+LWUMGdqnxrtSFhaao72g2IWZueNYo7J7zjpeI9q0ZOvoFgMsypIrnzV/G63l/JcQO34E+PLN5QDwzRb636dHn04lxS86rpkMNSMEv1uqL3+UGfCuGnKlz7mv8xLiWflW7wm2oKEGJKvVOH2jsL/LsRkqZ1SqRzYrf+B2L6sz83PzsNyAzQ9obcCLQG75KFUjNSJ/Sis6Da+cbFmdhNNGCrdhkyBVDFNvCnQsV1PUxytQt8lqgHoM1O1J6sa4zVvqkaTbXmqvscUIBbWG82WMOG1yVMiIHBFDHCWU1FUVZsfL7naq7jBmXJPaKrhCRsYmxGe3mV2mA9WrG5HTH4USI/KNYDirrpsgCJVtUUg90tahi3nezoeNhbR6URxo6xtmAZoBidTRJMNUymgrqCQp44yU/GBwT0u1DxXkilBQ/KpH0nh13OfbtYSthG06fo3S65e7fPiwpI40pJyQlctwnacAnoN8Qk2H4VlnXLvZojQhsFRvDO9M6ppMdAshwwx3Snp6WedPbqvcbofuaajGG2B+nG9tY4YUOThjArCJ1+IHzqc9r3pbogy40NIOpUJRcjATAJBXaztxMDvOaMAiBY4sKoE/dGMzjAz4JLuUZqkIEgjkAPKCBMtx6XgwixgwvpeZIsO9MDQPomp3gkcE7HtpvMNMB+bnNElDz8C4qm1grBQ2aXCYPzmPJY6T0sdgmeaBz4sXQAzwtZVSsDgKKooDHgcMCCxzL5ZatBx4wy2yrRIkIrq/trXZadrWrsi1rYPXHXHG3HQSHNuBpzVsnjXqsRAUafepE/JIwzMSr55UEglHSGluQi0ZmE642bJGSHU7jkFgJJFPxFM3jAqPiIg6rswvgoKJjBZbJkCtmeNFeDHueYxUnKJTlkBLF4d0loz4ls5k8qwDg0Ga1BEpj1MfdVooIrRs0VBnnY9TtlToIR3hHYt9wqoQ8iT4TBhRza/OFHCGaSswwPN+zneQTf01kGaw/WXSf3LcPLx8/AKCQsKGG2GkUUYbI1WadBnGGme8CSbKlCUbClqOXHnyFSiEgYWDR0BEQkZBRUNXhIGJhY2Di4dPQEhETEJKRg6ioKQCU9PQ0tEzMDIxs7CyKWaHcHBycSvhyUCfZpjpsFX+Mssi823UaUcGeXNfh+Wee2Fh4rw46SfPbNLllZde2+YL553VzctnCb+LAs654KpLLrvib0E3XXNdj1JPLXXHLbeV+dcjc5ULqVClUrUtwmrVqFMvokGjSf4x2VRTTDNdkz5btWjWqs1/Hjvgri99lXgXP+r3tW/s951Ten3rtNn2OuKoQ0nw4UkSF912LwwPEN8VH3kmRCReEROXZPA1rZV8LR74/5ThpJVMHs8BAAAA) format("woff"),}@font-face{font-family:Roboto;font-style:normal;font-weight:400;src:local(""),url(/kr/assets/fonts/roboto-mono-regular-498042b7fe9cd07b4fd11a0965093e55.woff) format("woff2"),url(/kr/assets/fonts/roboto-mono-regular-535bc89d4af715503b01afd761501e58.woff2) format("woff"),}@font-face{font-family:Lato;font-style:normal;font-weight:400;src:local(""),url(/kr/assets/fonts/lato-regular-292725486219768e62259f7286dc73cc.woff) format("woff2"),url(/kr/assets/fonts/lato-regular-be36596da218e1eec01c5c600b1c13ef.woff2) format("woff"),}[data-theme=dark]{--ifm-color-primary:#ffc61c;--ifm-color-primary-dark:#ffbf00;--ifm-color-primary-darker:#f1b400;--ifm-color-primary-darkest:#c69400;--ifm-color-primary-light:#ffcd38;--ifm-color-primary-lighter:#ffd146;--ifm-color-primary-lightest:#ffdb71;--ifm-color-secondary-dark:#054a6e;--ifm-color-secondary:#06527a;--ifm-color-secondary-light:#075a86;--light:#33313b;--dark:#f3f3f3}[data-theme=dark] .footer--dark{background-color:var(--light);color:var(--ifm-color-primary)}body{font-family:Lato,sans-serif}h1,h2,h3,h4,h5,h6{font-family:Poppins,sans-serif}code{font-family:Roboto Mono,monospace}.navbar__brand{height:40px}.btn.navbar__github{background-color:#384745;border:2px solid #384745;border-radius:3px;box-shadow:inset 0 1px #ffffff26,0 1px 1px #00000014;color:#fff!important;font-family:poppins,sans-serif;font-size:1rem;font-weight:400;line-height:1.66;padding:8px 20px 7px 47px;position:relative;text-align:center;text-decoration:none;transition:color .15s ease-in-out,background-color .15s ease-in-out,border-color .15s ease-in-out,box-shadow .15s ease-in-out;-webkit-user-select:none;user-select:none}.clear-btn{padding:100px}a.btn.navbar__github:hover{background-color:#273230;border-color:#222a29;color:#fff}a.btn.navbar__github:before{background-image:url("data:image/svg+xml;charset=utf-8,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 20.5 20'%3E%3Cpath fill='%23fff' d='M10.3 0C4.6 0 0 4.6 0 10.3c0 4.4 2.8 8.3 7 9.7.5.1.7-.2.7-.5v-1.9c-2.6.5-3.2-.6-3.4-1.2s-.6-1.1-1-1.5c-.4-.2-.9-.7 0-.7.7.1 1.3.5 1.6 1 .6 1.1 1.9 1.4 3 .8 0-.5.3-1 .7-1.4-2.3-.3-4.7-1.1-4.7-5.1 0-1 .4-2 1.1-2.8-.5-.6-.5-1.6-.1-2.5 0 0 .9-.3 2.8 1.1q2.55-.75 5.1 0c2-1.3 2.8-1.1 2.8-1.1.4.9.5 1.9.2 2.8.7.7 1.1 1.7 1.1 2.8 0 3.9-2.4 4.8-4.7 5.1.5.5.7 1.2.7 1.9v2.8c0 .3.2.6.7.5 5.4-1.8 8.3-7.6 6.5-13C18.6 2.8 14.7 0 10.3 0'/%3E%3C/svg%3E");content:"";height:20px;left:15px;position:absolute;top:10px;width:20px}.header-github-link:before{background:url("data:image/svg+xml;charset=utf-8,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 24 24'%3E%3Cpath d='M12 .297c-6.63 0-12 5.373-12 12 0 5.303 3.438 9.8 8.205 11.385.6.113.82-.258.82-.577 0-.285-.01-1.04-.015-2.04-3.338.724-4.042-1.61-4.042-1.61C4.422 18.07 3.633 17.7 3.633 17.7c-1.087-.744.084-.729.084-.729 1.205.084 1.838 1.236 1.838 1.236 1.07 1.835 2.809 1.305 3.495.998.108-.776.417-1.305.76-1.605-2.665-.3-5.466-1.332-5.466-5.93 0-1.31.465-2.38 1.235-3.22-.135-.303-.54-1.523.105-3.176 0 0 1.005-.322 3.3 1.23.96-.267 1.98-.399 3-.405 1.02.006 2.04.138 3 .405 2.28-1.552 3.285-1.23 3.285-1.23.645 1.653.24 2.873.12 3.176.765.84 1.23 1.91 1.23 3.22 0 4.61-2.805 5.625-5.475 5.92.42.36.81 1.096.81 2.22 0 1.606-.015 2.896-.015 3.286 0 .315.21.69.825.57C20.565 22.092 24 17.592 24 12.297c0-6.627-5.373-12-12-12'/%3E%3C/svg%3E") no-repeat;content:"";display:flex;height:24px;width:24px}[data-theme=dark] .header-github-link:before{background:url("data:image/svg+xml;charset=utf-8,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 24 24'%3E%3Cpath fill='%23fff' d='M12 .297c-6.63 0-12 5.373-12 12 0 5.303 3.438 9.8 8.205 11.385.6.113.82-.258.82-.577 0-.285-.01-1.04-.015-2.04-3.338.724-4.042-1.61-4.042-1.61C4.422 18.07 3.633 17.7 3.633 17.7c-1.087-.744.084-.729.084-.729 1.205.084 1.838 1.236 1.838 1.236 1.07 1.835 2.809 1.305 3.495.998.108-.776.417-1.305.76-1.605-2.665-.3-5.466-1.332-5.466-5.93 0-1.31.465-2.38 1.235-3.22-.135-.303-.54-1.523.105-3.176 0 0 1.005-.322 3.3 1.23.96-.267 1.98-.399 3-.405 1.02.006 2.04.138 3 .405 2.28-1.552 3.285-1.23 3.285-1.23.645 1.653.24 2.873.12 3.176.765.84 1.23 1.91 1.23 3.22 0 4.61-2.805 5.625-5.475 5.92.42.36.81 1.096.81 2.22 0 1.606-.015 2.896-.015 3.286 0 .315.21.69.825.57C20.565 22.092 24 17.592 24 12.297c0-6.627-5.373-12-12-12'/%3E%3C/svg%3E") no-repeat}.docusaurus-highlight-code-line{background-color:#484d5b;display:block;margin:0 calc(var(--ifm-pre-padding)*-1);padding:0 var(--ifm-pre-padding)}body:not(.navigation-with-keyboard) :not(input):focus{outline:0}#__docusaurus-base-url-issue-banner-container,.hideAction_vcyE>svg,.navbarSearchContainer_Bca1:empty,.themedComponent_mlkZ,[data-theme=dark] .lightToggleIcon_pyhR,[data-theme=light] .darkToggleIcon_wfgR,html[data-announcement-bar-initially-dismissed=true] .announcementBar_mb4j{display:none}.skipToContent_fXgn{background-color:var(--ifm-background-surface-color);color:var(--ifm-color-emphasis-900);left:100%;padding:calc(var(--ifm-global-spacing)/2) var(--ifm-global-spacing);position:fixed;top:1rem;z-index:calc(var(--ifm-z-index-fixed) + 1)}.skipToContent_fXgn:focus{box-shadow:var(--ifm-global-shadow-md);left:1rem}.closeButton_CVFx{line-height:0;padding:0}.content_knG7{font-size:85%;padding:5px 0;text-align:center}.content_knG7 a{color:inherit}.announcementBar_mb4j{align-items:center;background-color:var(--ifm-color-white);border-bottom:1px solid var(--ifm-color-emphasis-100);color:var(--ifm-color-black);display:flex;height:var(--docusaurus-announcement-bar-height)}.announcementBarPlaceholder_vyr4{flex:0 0 10px}.announcementBarClose_gvF7{align-self:stretch;flex:0 0 30px}.toggle_vylO{height:2rem;width:2rem}.toggleButton_gllP{align-items:center;border-radius:50%;display:flex;height:100%;justify-content:center;transition:background var(--ifm-transition-fast);width:100%}.toggleButton_gllP:hover{background:var(--ifm-color-emphasis-200)}.toggleButtonDisabled_aARS{cursor:not-allowed}.darkNavbarColorModeToggle_X3D1:hover{background:var(--ifm-color-gray-800)}[data-theme=dark] .themedComponent--dark_xIcU,[data-theme=light] .themedComponent--light_NVdE,html:not([data-theme]) .themedComponent--light_NVdE{display:initial}.iconExternalLink_nPIU{margin-left:.3rem}.dropdownNavbarItemMobile_S0Fm{cursor:pointer}.iconLanguage_nlXk{margin-right:5px;vertical-align:text-bottom}.searchBar_RVTs .dropdownMenu_qbY6{background:var(--search-local-modal-background,#f5f6f7);border-radius:6px;box-shadow:var(--search-local-modal-shadow,inset 1px 1px 0 0 #ffffff80,0 3px 8px 0 #555a64);left:auto!important;margin-top:8px;padding:var(--search-local-spacing,12px);position:relative;right:0!important;width:var(--search-local-modal-width,560px)}html[data-theme=dark] .searchBar_RVTs .dropdownMenu_qbY6{background:var(--search-local-modal-background,var(--ifm-background-color));box-shadow:var(--search-local-modal-shadow,inset 1px 1px 0 0 #2c2e40,0 3px 8px 0 #000309)}.searchBar_RVTs .dropdownMenu_qbY6 .suggestion_fB_2{align-items:center;background:var(--search-local-hit-background,#fff);border-radius:4px;box-shadow:var(--search-local-hit-shadow,0 1px 3px 0 #d4d9e1);color:var(--search-local-hit-color,#444950);cursor:pointer;display:flex;flex-direction:row;height:var(--search-local-hit-height,56px);padding:0 var(--search-local-spacing,12px);width:100%}.hitTree_kk6K,.noResults_l6Q3{align-items:center;display:flex}html[data-theme=dark] .dropdownMenu_qbY6 .suggestion_fB_2{background:var(--search-local-hit-background,var(--ifm-color-emphasis-100));box-shadow:var(--search-local-hit-shadow,none);color:var(--search-local-hit-color,var(--ifm-font-color-base))}.searchBar_RVTs .dropdownMenu_qbY6 .suggestion_fB_2:not(:last-child){margin-bottom:4px}.searchBar_RVTs .dropdownMenu_qbY6 .suggestion_fB_2.cursor_eG29{background-color:var(--search-local-highlight-color,var(--ifm-color-primary))}.hitFooter_E9YW a,.hitIcon_a7Zy,.hitPath_ieM4,.hitTree_kk6K,.noResultsIcon_EBY5{color:var(--search-local-muted-color,#969faf)}html[data-theme=dark] .hitIcon_a7Zy,html[data-theme=dark] .hitPath_ieM4,html[data-theme=dark] .hitTree_kk6K,html[data-theme=dark] .noResultsIcon_EBY5{color:var(--search-local-muted-color,var(--ifm-color-secondary-darkest))}.hitTree_kk6K>svg{height:var(--search-local-hit-height,56px);opacity:.5;width:24px}.hitIcon_a7Zy,.hitTree_kk6K>svg{stroke-width:var(--search-local-icon-stroke-width,1.4)}.hitAction_NqkB,.hitIcon_a7Zy{height:20px;width:20px}.hitWrapper_sAK8{display:flex;flex:1 1 auto;flex-direction:column;font-weight:500;justify-content:center;margin:0 8px;overflow-x:hidden;width:80%}.hitWrapper_sAK8 mark{background:none;color:var(--search-local-highlight-color,var(--ifm-color-primary))}.hitTitle_vyVt{font-size:.9em}.hitPath_ieM4{font-size:.75em}.hitPath_ieM4,.hitTitle_vyVt{overflow-x:hidden;text-overflow:ellipsis;white-space:nowrap}.noResults_l6Q3{flex-direction:column;justify-content:center;padding:var(--search-local-spacing,12px) 0}.noResultsIcon_EBY5{margin-bottom:var(--search-local-spacing,12px)}.hitFooter_E9YW{font-size:.85em;margin-top:var(--search-local-spacing,12px);text-align:center}.cursor_eG29 .hideAction_vcyE>svg,.tocCollapsibleContent_vkbj a{display:block}.suggestion_fB_2.cursor_eG29,.suggestion_fB_2.cursor_eG29 .hitIcon_a7Zy,.suggestion_fB_2.cursor_eG29 .hitPath_ieM4,.suggestion_fB_2.cursor_eG29 .hitTree_kk6K,.suggestion_fB_2.cursor_eG29 mark{color:var(--search-local-hit-active-color,var(--ifm-color-white))!important}.searchBarContainer_NW3z{margin-left:16px}.searchBarContainer_NW3z .searchBarLoadingRing_YnHq{display:none;left:10px;position:absolute;top:6px}.searchBarContainer_NW3z .searchClearButton_qk4g{background:none;border:none;line-height:1rem;padding:0;position:absolute;right:.8rem;top:50%;transform:translateY(-50%)}.navbar__search{position:relative}.searchIndexLoading_EJ1f .navbar__search-input{background-image:none}.searchHintContainer_Pkmr{align-items:center;display:flex;gap:4px;height:100%;justify-content:center;pointer-events:none;position:absolute;right:10px;top:0}.searchHint_iIMx{background-color:var(--ifm-navbar-search-input-background-color);border:1px solid var(--ifm-color-emphasis-500);box-shadow:inset 0 -1px 0 var(--ifm-color-emphasis-500);color:var(--ifm-navbar-search-input-placeholder-color)}html[dir=rtl] .searchHintContainer_Pkmr{left:10px;right:auto}html[dir=rtl] .searchBarContainer_NW3z .searchClearButton_qk4g{left:.8rem;right:auto}html[dir=rtl] .searchBarContainer_NW3z .searchBarLoadingRing_YnHq{left:auto;right:10px}html[dir=rtl] .navbar__search-input{padding:0 2.25em 0 .5em}.loadingRing_RJI3{display:inline-block;height:20px;opacity:var(--search-local-loading-icon-opacity,.5);position:relative;width:20px}.loadingRing_RJI3 div{animation:1.2s cubic-bezier(.5,0,.5,1) infinite a;border:2px solid var(--search-load-loading-icon-color,var(--ifm-navbar-search-input-color));border-color:var(--search-load-loading-icon-color,var(--ifm-navbar-search-input-color)) #0000 #0000 #0000;border-radius:50%;display:block;height:16px;margin:2px;position:absolute;width:16px}.loadingRing_RJI3 div:first-child{animation-delay:-.45s}.loadingRing_RJI3 div:nth-child(2){animation-delay:-.3s}.loadingRing_RJI3 div:nth-child(3){animation-delay:-.15s}@keyframes a{0%{transform:rotate(0)}to{transform:rotate(1turn)}}.navbarHideable_m1mJ{transition:transform var(--ifm-transition-fast) ease}.navbarHidden_jGov{transform:translate3d(0,calc(-100% - 2px),0)}.errorBoundaryError_a6uf{color:red;white-space:pre-wrap}.errorBoundaryFallback_VBag{color:red;padding:.55rem}.footerLogoLink_BH7S{opacity:.5;transition:opacity var(--ifm-transition-fast) var(--ifm-transition-timing-default)}.footerLogoLink_BH7S:hover,.hash-link:focus,:hover>.hash-link{opacity:1}.anchorWithStickyNavbar_LWe7{scroll-margin-top:calc(var(--ifm-navbar-height) + .5rem)}.anchorWithHideOnScrollNavbar_WYt5{scroll-margin-top:.5rem}.hash-link{opacity:0;padding-left:.5rem;transition:opacity var(--ifm-transition-fast);-webkit-user-select:none;user-select:none}.hash-link:before{content:"#"}.mainWrapper_z2l0{display:flex;flex:1 0 auto;flex-direction:column}.docusaurus-mt-lg{margin-top:3rem}#__docusaurus{display:flex;flex-direction:column;min-height:100%}.tag_zVej{border:1px solid var(--docusaurus-tag-list-border);transition:border var(--ifm-transition-fast)}.tag_zVej:hover{--docusaurus-tag-list-border:var(--ifm-link-color);text-decoration:none}.tagRegular_sFm0{border-radius:var(--ifm-global-radius);font-size:90%;padding:.2rem .5rem .3rem}.tagWithCount_h2kH{align-items:center;border-left:0;display:flex;padding:0 .5rem 0 1rem;position:relative}.tagWithCount_h2kH:after,.tagWithCount_h2kH:before{border:1px solid var(--docusaurus-tag-list-border);content:"";position:absolute;top:50%;transition:inherit}.tagWithCount_h2kH:before{border-bottom:0;border-right:0;height:1.18rem;right:100%;transform:translate(50%,-50%) rotate(-45deg);width:1.18rem}.tagWithCount_h2kH:after{border-radius:50%;height:.5rem;left:0;transform:translateY(-50%);width:.5rem}.tagWithCount_h2kH span{background:var(--ifm-color-secondary);border-radius:var(--ifm-global-radius);color:var(--ifm-color-black);font-size:.7rem;line-height:1.2;margin-left:.3rem;padding:.1rem .4rem}.tags_jXut{display:inline}.tag_QGVx{display:inline-block;margin:0 .4rem .5rem 0}.iconEdit_Z9Sw{margin-right:.3em;vertical-align:sub}.lastUpdated_JAkA{font-size:smaller;font-style:italic;margin-top:.2rem}.tocCollapsibleButton_TO0P{align-items:center;display:flex;font-size:inherit;justify-content:space-between;padding:.4rem .8rem;width:100%}.tocCollapsibleButton_TO0P:after{background:var(--ifm-menu-link-sublist-icon) 50% 50%/2rem 2rem no-repeat;content:"";filter:var(--ifm-menu-link-sublist-icon-filter);height:1.25rem;transform:rotate(180deg);transition:transform var(--ifm-transition-fast);width:1.25rem}.tocCollapsibleButtonExpanded_MG3E:after,.tocCollapsibleExpanded_sAul{transform:none}.tocCollapsible_ETCw{background-color:var(--ifm-menu-color-background-active);border-radius:var(--ifm-global-radius);margin:1rem 0}.buttonGroup__atx button,.codeBlockContainer_Ckt0{background:var(--prism-background-color);color:var(--prism-color)}.tocCollapsibleContent_vkbj>ul{border-left:none;border-top:1px solid var(--ifm-color-emphasis-300);font-size:15px;padding:.2rem 0}.tocCollapsibleContent_vkbj ul li{margin:.4rem .8rem}.tableOfContents_bqdL{max-height:calc(100vh - var(--ifm-navbar-height) - 2rem);overflow-y:auto;position:sticky;top:calc(var(--ifm-navbar-height) + 1rem)}.codeBlockContainer_Ckt0{border-radius:var(--ifm-code-border-radius);box-shadow:var(--ifm-global-shadow-lw);margin-bottom:var(--ifm-leading)}.codeBlockContent_biex{border-radius:inherit;direction:ltr;position:relative}.codeBlockTitle_Ktv7{border-bottom:1px solid var(--ifm-color-emphasis-300);border-top-left-radius:inherit;border-top-right-radius:inherit;font-size:var(--ifm-code-font-size);font-weight:500;padding:.75rem var(--ifm-pre-padding)}.codeBlock_bY9V{--ifm-pre-background:var(--prism-background-color);margin:0;padding:0}.codeBlockTitle_Ktv7+.codeBlockContent_biex .codeBlock_bY9V{border-top-left-radius:0;border-top-right-radius:0}.codeBlockLines_e6Vv{float:left;font:inherit;min-width:100%;padding:var(--ifm-pre-padding)}.codeBlockLinesWithNumbering_o6Pm{display:table;padding:var(--ifm-pre-padding) 0}.buttonGroup__atx{column-gap:.2rem;display:flex;position:absolute;right:calc(var(--ifm-pre-padding)/2);top:calc(var(--ifm-pre-padding)/2)}.buttonGroup__atx button{align-items:center;border:1px solid var(--ifm-color-emphasis-300);border-radius:var(--ifm-global-radius);display:flex;line-height:0;opacity:0;padding:.4rem;transition:opacity var(--ifm-transition-fast) ease-in-out}.buttonGroup__atx button:focus-visible,.buttonGroup__atx button:hover{opacity:1!important}.theme-code-block:hover .buttonGroup__atx button{opacity:.4}:where(:root){--docusaurus-highlighted-code-line-bg:#484d5b}:where([data-theme=dark]){--docusaurus-highlighted-code-line-bg:#646464}.theme-code-block-highlighted-line{background-color:var(--docusaurus-highlighted-code-line-bg);display:block;margin:0 calc(var(--ifm-pre-padding)*-1);padding:0 var(--ifm-pre-padding)}.codeLine_lJS_{counter-increment:a;display:table-row}.codeLineNumber_Tfdd{background:var(--ifm-pre-background);display:table-cell;left:0;overflow-wrap:normal;padding:0 var(--ifm-pre-padding);position:sticky;text-align:right;width:1%}.codeLineNumber_Tfdd:before{content:counter(a);opacity:.4}.codeLineContent_feaV{padding-right:var(--ifm-pre-padding)}.theme-code-block:hover .copyButtonCopied_obH4{opacity:1!important}.copyButtonIcons_eSgA{height:1.125rem;position:relative;width:1.125rem}.copyButtonIcon_y97N,.copyButtonSuccessIcon_LjdS{left:0;position:absolute;top:0;fill:currentColor;height:inherit;opacity:inherit;transition:all var(--ifm-transition-fast) ease;width:inherit}.copyButtonSuccessIcon_LjdS{color:#00d600;left:50%;opacity:0;top:50%;transform:translate(-50%,-50%) scale(.33)}.copyButtonCopied_obH4 .copyButtonIcon_y97N{opacity:0;transform:scale(.33)}.copyButtonCopied_obH4 .copyButtonSuccessIcon_LjdS{opacity:1;transform:translate(-50%,-50%) scale(1);transition-delay:75ms}.wordWrapButtonIcon_Bwma{height:1.2rem;width:1.2rem}.details_lb9f{--docusaurus-details-summary-arrow-size:0.38rem;--docusaurus-details-transition:transform 200ms ease;--docusaurus-details-decoration-color:grey}.details_lb9f>summary{cursor:pointer;padding-left:1rem;position:relative}.details_lb9f>summary::-webkit-details-marker{display:none}.details_lb9f>summary:before{border-color:#0000 #0000 #0000 var(--docusaurus-details-decoration-color);border-style:solid;border-width:var(--docusaurus-details-summary-arrow-size);content:"";left:0;position:absolute;top:.45rem;transform:rotate(0);transform-origin:calc(var(--docusaurus-details-summary-arrow-size)/2) 50%;transition:var(--docusaurus-details-transition)}.collapsibleContent_i85q{border-top:1px solid var(--docusaurus-details-decoration-color);margin-top:1rem;padding-top:1rem}.details_b_Ee{--docusaurus-details-decoration-color:var(--ifm-alert-border-color);--docusaurus-details-transition:transform var(--ifm-transition-fast) ease;border:1px solid var(--ifm-alert-border-color);margin:0 0 var(--ifm-spacing-vertical)}:not(.containsTaskList_mC6p>li)>.containsTaskList_mC6p{padding-left:0}.img_ev3q{height:auto}.admonition_xJq3{margin-bottom:1em}.admonitionHeading_Gvgb{font:var(--ifm-heading-font-weight) var(--ifm-h5-font-size)/var(--ifm-heading-line-height) var(--ifm-heading-font-family)}.admonitionHeading_Gvgb:not(:last-child){margin-bottom:.3rem}.admonitionHeading_Gvgb code{text-transform:none}.admonitionIcon_Rf37{display:inline-block;margin-right:.4em;vertical-align:middle}.admonitionIcon_Rf37 svg{display:inline-block;height:1.6em;width:1.6em;fill:var(--ifm-alert-foreground-color)}.breadcrumbHomeIcon_YNFT{height:1.1rem;position:relative;top:1px;vertical-align:top;width:1.1rem}.breadcrumbsContainer_Z_bl{--ifm-breadcrumb-size-multiplier:0.8;margin-bottom:.8rem}.searchContextInput_mXoe,.searchQueryInput_CFBF{background:var(--ifm-background-color);border:var(--ifm-global-border-width) solid var(--ifm-color-content-secondary);border-radius:var(--ifm-global-radius);color:var(--ifm-font-color-base);font-size:var(--ifm-font-size-base);margin-bottom:1rem;padding:.5rem;width:100%}.searchResultItem_U687{border-bottom:1px solid #dfe3e8;padding:1rem 0}.searchResultItemPath_uIbk{color:var(--ifm-color-content-secondary);font-size:.8rem;margin:.5rem 0 0}.searchResultItemSummary_oZHr{font-style:italic;margin:.5rem 0 0}.backToTopButton_sjWU{background-color:var(--ifm-color-emphasis-200);border-radius:50%;bottom:1.3rem;box-shadow:var(--ifm-global-shadow-lw);height:3rem;opacity:0;position:fixed;right:1.3rem;transform:scale(0);transition:all var(--ifm-transition-fast) var(--ifm-transition-timing-default);visibility:hidden;width:3rem;z-index:calc(var(--ifm-z-index-fixed) - 1)}.backToTopButton_sjWU:after{background-color:var(--ifm-color-emphasis-1000);content:" ";display:inline-block;height:100%;-webkit-mask:var(--ifm-menu-link-sublist-icon) 50%/2rem 2rem no-repeat;mask:var(--ifm-menu-link-sublist-icon) 50%/2rem 2rem no-repeat;width:100%}.backToTopButtonShow_xfvO{opacity:1;transform:scale(1);visibility:visible}[data-theme=dark]:root{--docusaurus-collapse-button-bg:#ffffff0d;--docusaurus-collapse-button-bg-hover:#ffffff1a}.collapseSidebarButton_PEFL{display:none;margin:0}.docSidebarContainer_YfHR,.sidebarLogo_isFc{display:none}.docMainContainer_TBSr,.docRoot_UBD9{display:flex;width:100%}.docsWrapper_hBAB{display:flex;flex:1 0 auto}@media (min-width:997px){.collapseSidebarButton_PEFL,.expandButton_TmdG{background-color:var(--docusaurus-collapse-button-bg)}:root{--docusaurus-announcement-bar-height:30px}.announcementBarClose_gvF7,.announcementBarPlaceholder_vyr4{flex-basis:50px}.navbarSearchContainer_Bca1{padding:var(--ifm-navbar-item-padding-vertical) var(--ifm-navbar-item-padding-horizontal)}.lastUpdated_JAkA{text-align:right}.tocMobile_ITEo{display:none}.docItemCol_VOVn{max-width:75%!important}.collapseSidebarButton_PEFL{border:1px solid var(--ifm-toc-border-color);border-radius:0;bottom:0;display:block!important;height:40px;position:sticky}.collapseSidebarButtonIcon_kv0_{margin-top:4px;transform:rotate(180deg)}.expandButtonIcon_i1dp,[dir=rtl] .collapseSidebarButtonIcon_kv0_{transform:rotate(0)}.collapseSidebarButton_PEFL:focus,.collapseSidebarButton_PEFL:hover,.expandButton_TmdG:focus,.expandButton_TmdG:hover{background-color:var(--docusaurus-collapse-button-bg-hover)}.menuHtmlItem_M9Kj{padding:var(--ifm-menu-link-padding-vertical) var(--ifm-menu-link-padding-horizontal)}.menu_SIkG{flex-grow:1;padding:.5rem}@supports (scrollbar-gutter:stable){.menu_SIkG{padding:.5rem 0 .5rem .5rem;scrollbar-gutter:stable}}.menuWithAnnouncementBar_GW3s{margin-bottom:var(--docusaurus-announcement-bar-height)}.sidebar_njMd{display:flex;flex-direction:column;height:100%;padding-top:var(--ifm-navbar-height);width:var(--doc-sidebar-width)}.sidebarWithHideableNavbar_wUlq{padding-top:0}.sidebarHidden_VK0M{opacity:0;visibility:hidden}.sidebarLogo_isFc{align-items:center;color:inherit!important;display:flex!important;margin:0 var(--ifm-navbar-padding-horizontal);max-height:var(--ifm-navbar-height);min-height:var(--ifm-navbar-height);text-decoration:none!important}.sidebarLogo_isFc img{height:2rem;margin-right:.5rem}.expandButton_TmdG{align-items:center;display:flex;height:100%;justify-content:center;position:absolute;right:0;top:0;transition:background-color var(--ifm-transition-fast) ease;width:100%}[dir=rtl] .expandButtonIcon_i1dp{transform:rotate(180deg)}.docSidebarContainer_YfHR{border-right:1px solid var(--ifm-toc-border-color);clip-path:inset(0);display:block;margin-top:calc(var(--ifm-navbar-height)*-1);transition:width var(--ifm-transition-fast) ease;width:var(--doc-sidebar-width);will-change:width}.docSidebarContainerHidden_DPk8{cursor:pointer;width:var(--doc-sidebar-hidden-width)}.sidebarViewport_aRkj{height:100%;max-height:100vh;position:sticky;top:0}.docMainContainer_TBSr{flex-grow:1;max-width:calc(100% - var(--doc-sidebar-width))}.docMainContainerEnhanced_lQrH{max-width:calc(100% - var(--doc-sidebar-hidden-width))}.docItemWrapperEnhanced_JWYK{max-width:calc(var(--ifm-container-width) + var(--doc-sidebar-width))!important}}@media (min-width:1440px){.container{max-width:var(--ifm-container-width-xl)}}@media (max-width:996px){.col{--ifm-col-width:100%;flex-basis:var(--ifm-col-width);margin-left:0}.footer{--ifm-footer-padding-horizontal:0}.colorModeToggle_DEke,.footer__link-separator,.navbar-sidebar__back,.navbar__item,.tableOfContents_bqdL{display:none}.footer__col{margin-bottom:calc(var(--ifm-spacing-vertical)*3)}.footer__link-item{display:block}.hero{padding-left:0;padding-right:0}.navbar>.container,.navbar>.container-fluid{padding:0}.navbar__toggle{display:inherit}.navbar__search-input{width:9rem}.pills--block,.tabs--block{flex-direction:column}.navbarSearchContainer_Bca1{position:absolute;right:var(--ifm-navbar-padding-horizontal)}.docItemContainer_F8PC{padding:0 .3rem}}@media not (max-width:996px){.searchBar_RVTs.searchBarLeft_MXDe .dropdownMenu_qbY6{left:0!important;right:auto!important}}@media only screen and (max-width:996px){.searchQueryColumn_q7nx{max-width:60%!important}.searchContextColumn_oWAF{max-width:40%!important}}@media (max-width:768px){#theme-main h1{font-size:50px!important;font-weight:700;line-height:3rem!important}#theme-main .header-docs{margin-bottom:20px}}@media (max-width:576px){.markdown h1:first-child{--ifm-h1-font-size:2rem}.markdown>h2{--ifm-h2-font-size:1.5rem}.markdown>h3{--ifm-h3-font-size:1.25rem}.navbar__search-input:not(:focus){width:2rem}.searchBar_RVTs .dropdownMenu_qbY6{max-width:calc(100vw - var(--ifm-navbar-padding-horizontal)*2);width:var(--search-local-modal-width-sm,340px)}.searchBarContainer_NW3z:not(.focused_OWtg) .searchClearButton_qk4g,.searchHintContainer_Pkmr{display:none}}@media screen and (max-width:576px){.searchQueryColumn_q7nx{max-width:100%!important}.searchContextColumn_oWAF{max-width:100%!important;padding-left:var(--ifm-spacing-horizontal)!important}}@media (hover:hover){.backToTopButton_sjWU:hover{background-color:var(--ifm-color-emphasis-300)}}@media (pointer:fine){.thin-scrollbar{scrollbar-width:thin}.thin-scrollbar::-webkit-scrollbar{height:var(--ifm-scrollbar-size);width:var(--ifm-scrollbar-size)}.thin-scrollbar::-webkit-scrollbar-track{background:var(--ifm-scrollbar-track-background-color);border-radius:10px}.thin-scrollbar::-webkit-scrollbar-thumb{background:var(--ifm-scrollbar-thumb-background-color);border-radius:10px}.thin-scrollbar::-webkit-scrollbar-thumb:hover{background:var(--ifm-scrollbar-thumb-hover-background-color)}}@media (prefers-reduced-motion:reduce){:root{--ifm-transition-fast:0ms;--ifm-transition-slow:0ms}}@media print{.announcementBar_mb4j,.footer,.menu,.navbar,.pagination-nav,.table-of-contents,.tocMobile_ITEo{display:none}.tabs{page-break-inside:avoid}.codeBlockLines_e6Vv{white-space:pre-wrap}} \ No newline at end of file diff --git a/kr/assets/js/03ee9047.19e209ec.js b/kr/assets/js/03ee9047.19e209ec.js new file mode 100644 index 000000000..baf0f9d31 --- /dev/null +++ b/kr/assets/js/03ee9047.19e209ec.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[9482],{6029:(e,t,r)=>{r.r(t),r.d(t,{assets:()=>o,contentTitle:()=>c,default:()=>h,frontMatter:()=>i,metadata:()=>a,toc:()=>d});var s=r(5893),n=r(1151);const i={title:"certificate"},c="k3s certificate",a={id:"cli/certificate",title:"certificate",description:"Client and Server Certificates",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/cli/certificate.md",sourceDirName:"cli",slug:"/cli/certificate",permalink:"/kr/cli/certificate",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/cli/certificate.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"certificate"},sidebar:"mySidebar",previous:{title:"agent",permalink:"/kr/cli/agent"},next:{title:"etcd-snapshot",permalink:"/kr/cli/etcd-snapshot"}},o={},d=[{value:"Client and Server Certificates",id:"client-and-server-certificates",level:2},{value:"Rotating Client and Server Certificates",id:"rotating-client-and-server-certificates",level:3},{value:"Certificate Authority (CA) Certificates",id:"certificate-authority-ca-certificates",level:2},{value:"Using Custom CA Certificates",id:"using-custom-ca-certificates",level:3},{value:"Custom CA Topology",id:"custom-ca-topology",level:4},{value:"Using the Example Script",id:"using-the-example-script",level:4},{value:"Rotating Custom CA Certificates",id:"rotating-custom-ca-certificates",level:3},{value:"Using the Example Script",id:"using-the-example-script-1",level:4},{value:"Rotating Self-Signed CA Certificates",id:"rotating-self-signed-ca-certificates",level:3},{value:"Default CA Topology",id:"default-ca-topology",level:4},{value:"Using The Example Script",id:"using-the-example-script-2",level:4},{value:"Service-Account Issuer Key Rotation",id:"service-account-issuer-key-rotation",level:2}];function l(e){const t={a:"a",admonition:"admonition",br:"br",code:"code",em:"em",h1:"h1",h2:"h2",h3:"h3",h4:"h4",header:"header",li:"li",mermaid:"mermaid",p:"p",pre:"pre",ul:"ul",...(0,n.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(t.header,{children:(0,s.jsx)(t.h1,{id:"k3s-certificate",children:"k3s certificate"})}),"\n",(0,s.jsx)(t.h2,{id:"client-and-server-certificates",children:"Client and Server Certificates"}),"\n",(0,s.jsx)(t.p,{children:"K3s client and server certificates are valid for 365 days from their date of issuance. Any certificates that are expired, or within 90 days of expiring, are automatically renewed every time K3s starts."}),"\n",(0,s.jsx)(t.h3,{id:"rotating-client-and-server-certificates",children:"Rotating Client and Server Certificates"}),"\n",(0,s.jsxs)(t.p,{children:["To rotate client and server certificates manually, use the ",(0,s.jsx)(t.code,{children:"k3s certificate rotate"})," subcommand:"]}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-bash",children:"# Stop K3s\nsystemctl stop k3s\n\n# Rotate certificates\nk3s certificate rotate\n\n# Start K3s\nsystemctl start k3s\n"})}),"\n",(0,s.jsx)(t.p,{children:"Individual or lists of certificates can be rotated by specifying the certificate name:"}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-bash",children:"k3s certificate rotate --service ,\n"})}),"\n",(0,s.jsxs)(t.p,{children:["The following certificates can be rotated: ",(0,s.jsx)(t.code,{children:"admin"}),", ",(0,s.jsx)(t.code,{children:"api-server"}),", ",(0,s.jsx)(t.code,{children:"controller-manager"}),", ",(0,s.jsx)(t.code,{children:"scheduler"}),", ",(0,s.jsx)(t.code,{children:"k3s-controller"}),", ",(0,s.jsx)(t.code,{children:"k3s-server"}),", ",(0,s.jsx)(t.code,{children:"cloud-controller"}),", ",(0,s.jsx)(t.code,{children:"etcd"}),", ",(0,s.jsx)(t.code,{children:"auth-proxy"}),", ",(0,s.jsx)(t.code,{children:"kubelet"}),", ",(0,s.jsx)(t.code,{children:"kube-proxy"}),"."]}),"\n",(0,s.jsx)(t.h2,{id:"certificate-authority-ca-certificates",children:"Certificate Authority (CA) Certificates"}),"\n",(0,s.jsxs)(t.p,{children:["Kubernetes requires a number of CA certificates for proper operation. For more information on how Kubernetes uses CA certificates, see the Kubernetes ",(0,s.jsx)(t.a,{href:"https://kubernetes.io/docs/setup/best-practices/certificates/#all-certificates",children:"PKI Certificates and Requirements"})," documentation."]}),"\n",(0,s.jsx)(t.p,{children:"By default, K3s generates self-signed CA certificates during startup of the first server node. These CA certificates are valid for 10 years from date of issuance, and are not automatically renewed."}),"\n",(0,s.jsxs)(t.p,{children:["The authoritative CA certificates and keys are stored within the datastore's bootstrap key, encrypted using the ",(0,s.jsx)(t.a,{href:"/kr/cli/token#server",children:"server token"})," as the PBKDF2 passphrase with AES256-GCM and HMAC-SHA1.\nCopies of the CA certificates and keys are extracted to disk during K3s server startup.\nAny server may generate leaf certificates for nodes as they join the cluster, and the Kubernetes ",(0,s.jsx)(t.a,{href:"https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/",children:"Certificates API"})," controllers may issue additional certificates at runtime."]}),"\n",(0,s.jsxs)(t.p,{children:["To rotate CA certificates and keys, use the ",(0,s.jsx)(t.code,{children:"k3s certificate rotate-ca"})," command.\nThe command performs integrity checks to confirm that the updated certificates and keys are usable.\nIf the updated data is acceptable, the datastore's encrypted bootstrap key is updated, and the new certificates and keys will be used the next time K3s starts.\nIf problems are encountered while validating the certificates and keys, an error is reported to the system log and the operation is cancelled without changes."]}),"\n",(0,s.jsx)(t.admonition,{title:"Version Gate",type:"info",children:(0,s.jsxs)(t.p,{children:["Support for the ",(0,s.jsx)(t.code,{children:"k3s certificate rotate-ca"})," command and the ability to use CA certificates signed by an external CA is available starting with the 2023-02 releases (v1.26.2+k3s1, v1.25.7+k3s1, v1.24.11+k3s1, v1.23.17+k3s1)."]})}),"\n",(0,s.jsx)(t.h3,{id:"using-custom-ca-certificates",children:"Using Custom CA Certificates"}),"\n",(0,s.jsx)(t.p,{children:"If CA certificates and keys are found the correct location during initial startup of the first server in the cluster, automatic generation of CA certificates will be bypassed."}),"\n",(0,s.jsxs)(t.p,{children:["An example script to pre-create the appropriate certificates and keys is available ",(0,s.jsxs)(t.a,{href:"https://github.com/k3s-io/k3s/blob/master/contrib/util/generate-custom-ca-certs.sh",children:["in the K3s repo at ",(0,s.jsx)(t.code,{children:"contrib/util/generate-custom-ca-certs.sh"})]}),".\nThis script should be run prior to starting K3s for the first time, and will create a full set of leaf CA certificates signed by common Root and Intermediate CA certificates.\nIf you have an existing Root or Intermediate CA, this script can be used (or used as a starting point) to create the correct CA certificates to provision a K3s cluster with PKI rooted in an existing authority."]}),"\n",(0,s.jsxs)(t.p,{children:["Custom Certificate Authority files must be placed in ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/tls"}),". The following files are required:"]}),"\n",(0,s.jsxs)(t.ul,{children:["\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"server-ca.crt"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"server-ca.key"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"client-ca.crt"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"client-ca.key"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"request-header-ca.crt"})}),"\n",(0,s.jsxs)(t.li,{children:[(0,s.jsx)(t.code,{children:"request-header-ca.key"}),(0,s.jsx)(t.br,{}),"\n",(0,s.jsx)(t.em,{children:"// note: etcd files are required even if embedded etcd is not in use."})]}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"etcd/peer-ca.crt"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"etcd/peer-ca.key"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"etcd/server-ca.crt"})}),"\n",(0,s.jsxs)(t.li,{children:[(0,s.jsx)(t.code,{children:"etcd/server-ca.key"}),(0,s.jsx)(t.br,{}),"\n",(0,s.jsx)(t.em,{children:"// note: This is the private key used to sign service-account tokens. It does not have a corresponding certificate."})]}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"service.key"})}),"\n"]}),"\n",(0,s.jsx)(t.h4,{id:"custom-ca-topology",children:"Custom CA Topology"}),"\n",(0,s.jsx)(t.p,{children:"Custom CA Certificates should observe the following topology:"}),"\n",(0,s.jsx)(t.mermaid,{value:'graph TD\n root("Root CA")\n intermediate("Intermediate CA")\n server-ca("Server CA")\n client-ca("Client CA")\n request-header-ca("API Aggregation CA")\n etcd-peer-ca("etcd Peer CA")\n etcd-server-ca("etcd Server CA")\n\n root-hash>"Join token CA hash"]\n\n kube-server-certs[["Kubernetes servers
    (control-plane and kubelet listeners)"]]\n kube-client-certs[["Kubernetes clients
    (apiserver and kubelet clients)"]]\n request-header-certs[["Kubernetes API aggregation
    (apiserver proxy client)"]]\n etcd-peer-certs[["etcd peer client/server
    (etcd replication)"]]\n etcd-server-certs[["etcd client/server certificates
    (Kubernetes <-> etcd)"]]\n\n root -.-|SHA256| root-hash\n root ---\x3e intermediate\n intermediate --\x3e server-ca ==> kube-server-certs\n intermediate --\x3e client-ca ==> kube-client-certs\n intermediate --\x3e request-header-ca ==> request-header-certs\n intermediate --\x3e etcd-peer-ca ==> etcd-peer-certs\n intermediate --\x3e etcd-server-ca ==> etcd-server-certs'}),"\n",(0,s.jsx)(t.h4,{id:"using-the-example-script",children:"Using the Example Script"}),"\n",(0,s.jsx)(t.admonition,{title:"\uc911\uc694\ud55c",type:"info",children:(0,s.jsx)(t.p,{children:"If you want to sign the cluster CA certificates with an existing root CA using the example script, you must place the root and intermediate files in the target directory prior to running the script.\nIf the files do not exist, the script will create new root and intermediate CA certificates."})}),"\n",(0,s.jsx)(t.p,{children:"If you want to use only an existing root CA certificate, provide the following files:"}),"\n",(0,s.jsxs)(t.ul,{children:["\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"root.pem"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"root.key"})}),"\n"]}),"\n",(0,s.jsx)(t.p,{children:"If you want to use existing root and intermediate CA certificates, provide the following files:"}),"\n",(0,s.jsxs)(t.ul,{children:["\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"root.pem"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"intermediate.pem"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"intermediate.key"})}),"\n"]}),"\n",(0,s.jsx)(t.p,{children:"To use the example script to generate custom certs and keys before starting K3s, run the following commands:"}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-bash",children:"# Create the target directory for cert generation.\nmkdir -p /var/lib/rancher/k3s/server/tls\n\n# Copy your root CA cert and intermediate CA cert+key into the correct location for the script.\n# For the purposes of this example, we assume you have existing root and intermediate CA files in /etc/ssl.\n# If you do not have an existing root and/or intermediate CA, the script will generate them for you.\ncp /etc/ssl/certs/root.pem /etc/ssl/certs/intermediate.pem /etc/ssl/private/intermediate.key /var/lib/rancher/k3s/server/tls\n\n# Generate custom CA certs and keys.\ncurl -sL https://github.com/k3s-io/k3s/raw/master/contrib/util/generate-custom-ca-certs.sh | bash -\n"})}),"\n",(0,s.jsx)(t.p,{children:"If the command completes successfully, you may install and/or start K3s for the first time.\nIf the script generated root and/or intermediate CA files, you should back up these files so that they can be reused if it is necessary to rotate the CA certificates at a later date."}),"\n",(0,s.jsx)(t.h3,{id:"rotating-custom-ca-certificates",children:"Rotating Custom CA Certificates"}),"\n",(0,s.jsxs)(t.p,{children:["To rotate custom CA certificates, use the ",(0,s.jsx)(t.code,{children:"k3s certificate rotate-ca"})," subcommand.\nUpdated files must be staged into a temporary directory, loaded into the datastore, and k3s must be restarted on all nodes to use the updated certificates."]}),"\n",(0,s.jsx)(t.admonition,{type:"warning",children:(0,s.jsxs)(t.p,{children:["You must not overwrite the currently in-use data in ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/tls"}),".",(0,s.jsx)(t.br,{}),"\n","Stage the updated certificates and keys into a separate directory."]})}),"\n",(0,s.jsx)(t.p,{children:"A cluster that has been started with custom CA certificates can renew or rotate the CA certificates and keys non-disruptively, as long as the same root CA is used."}),"\n",(0,s.jsxs)(t.p,{children:["If a new root CA is required, the rotation will be disruptive. The ",(0,s.jsx)(t.code,{children:"k3s certificate rotate-ca --force"})," option must be used, all nodes that were joined with a ",(0,s.jsx)(t.a,{href:"/kr/cli/token#secure",children:"secure token"})," (including servers) will need to be reconfigured to use the new token value, and pods will need to be restarted to trust the new root CA."]}),"\n",(0,s.jsx)(t.h4,{id:"using-the-example-script-1",children:"Using the Example Script"}),"\n",(0,s.jsxs)(t.p,{children:["The example ",(0,s.jsx)(t.code,{children:"generate-custom-ca-certs.sh"})," script linked above can also be used to generate updated certs in a new temporary directory, by copying files into the correct location and setting the ",(0,s.jsx)(t.code,{children:"DATA_DIR"})," environment variable.\nTo use the example script to generate updated certs and keys, run the following commands:"]}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-bash",children:"# Create a temporary directory for cert generation.\nmkdir -p /opt/k3s/server/tls\n\n# Copy your root CA cert and intermediate CA cert+key into the correct location for the script.\n# Non-disruptive rotation requires the same root CA that was used to generate the original certificates.\n# If the original files are still in the data directory, you can just run:\ncp /var/lib/rancher/k3s/server/root.* /var/lib/rancher/k3s/server/intermediate.* /opt/k3s/server/tls\n\n# Copy the current service-account signing key, so that existing service-account tokens are not invalidated.\ncp /var/lib/rancher/k3s/server/tls/service.key /opt/k3s/server/tls\n\n# Generate updated custom CA certs and keys.\ncurl -sL https://github.com/k3s-io/k3s/raw/master/contrib/util/generate-custom-ca-certs.sh | DATA_DIR=/opt/k3s bash -\n\n# Load the updated CA certs and keys into the datastore.\nk3s certificate rotate-ca --path=/opt/k3s/server\n"})}),"\n",(0,s.jsxs)(t.p,{children:["If the ",(0,s.jsx)(t.code,{children:"rotate-ca"})," command returns an error, check the service log for errors.\nIf the command completes successfully, restart K3s on all nodes in the cluster - servers first, then agents."]}),"\n",(0,s.jsxs)(t.p,{children:["If you used the ",(0,s.jsx)(t.code,{children:"--force"})," option or changed the root CA, ensure that any nodes that were joined with a ",(0,s.jsx)(t.a,{href:"/kr/cli/token#secure",children:"secure token"})," are reconfigured to use the new token value, prior to being restarted.\nThe token may be stored in a ",(0,s.jsx)(t.code,{children:".env"})," file, systemd unit, or config.yaml, depending on how the node was configured during initial installation."]}),"\n",(0,s.jsx)(t.h3,{id:"rotating-self-signed-ca-certificates",children:"Rotating Self-Signed CA Certificates"}),"\n",(0,s.jsxs)(t.p,{children:["To rotate the K3s-generated self-signed CA certificates, use the ",(0,s.jsx)(t.code,{children:"k3s certificate rotate-ca"})," subcommand.\nUpdated files must be staged into a temporary directory, loaded into the datastore, and k3s must be restarted on all nodes to use the updated certificates."]}),"\n",(0,s.jsx)(t.admonition,{type:"warning",children:(0,s.jsxs)(t.p,{children:["You must not overwrite the currently in-use data in ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/tls"}),".",(0,s.jsx)(t.br,{}),"\n","Stage the updated certificates and keys into a separate directory."]})}),"\n",(0,s.jsxs)(t.p,{children:["If the cluster has been started with default self-signed CA certificates, rotation will be disruptive. All nodes that were joined with a ",(0,s.jsx)(t.a,{href:"/kr/cli/token#secure",children:"secure token"})," will need to be reconfigured to trust the new CA hash.\nIf the new CA certificates are not cross-signed by the old CA certificates, you will need to use the ",(0,s.jsx)(t.code,{children:"--force"})," option to bypass integrity checks, and pods will need to be restarted to trust the new root CA."]}),"\n",(0,s.jsx)(t.h4,{id:"default-ca-topology",children:"Default CA Topology"}),"\n",(0,s.jsx)(t.p,{children:"The default self-signed CA certificates have the following topology:"}),"\n",(0,s.jsx)(t.mermaid,{value:'graph TD\n server-ca("Server CA")\n client-ca("Client CA")\n request-header-ca("API Aggregation CA")\n etcd-peer-ca("etcd Peer CA")\n etcd-server-ca("etcd Server CA")\n\n root-hash>"Join token CA hash"]\n\n kube-server-certs[["Kubernetes servers
    (control-plane and kubelet listeners)"]]\n kube-client-certs[["Kubernetes clients
    (apiserver and kubelet clients)"]]\n request-header-certs[["Kubernetes API aggregation
    (apiserver proxy client)"]]\n etcd-peer-certs[["etcd peer client/server
    (etcd replication)"]]\n etcd-server-certs[["etcd client/server certificates
    (Kubernetes <-> etcd)"]]\n\n server-ca -.-|SHA256| root-hash\n server-ca ===> kube-server-certs\n client-ca ===> kube-client-certs\n request-header-ca ===> request-header-certs\n etcd-peer-ca ===> etcd-peer-certs\n etcd-server-ca ===> etcd-server-certs'}),"\n",(0,s.jsx)(t.p,{children:"When rotating the default self-signed CAs, a modified certificate topology with intermediate CAs and a new root CA cross-signed by the old CA can be used so that there is a continuous chain of trust between the old and new CAs:"}),"\n",(0,s.jsx)(t.mermaid,{value:'graph TD\n server-ca-old("Server CA
    (old)")\n client-ca-old("Client CA
    (old)")\n request-header-ca-old("API Aggregation CA
    (old)")\n etcd-peer-ca-old("etcd Peer CA
    (old)")\n etcd-server-ca-old("etcd Server CA
    (old)")\n\n root-hash>"Join token CA hash"]\n\n server-ca-xsigned("Server CA
    (cross-signed)")\n client-ca-xsigned("Client CA
    (cross-signed)")\n request-header-ca-xsigned("API Aggregation CA
    (cross-signed)")\n etcd-peer-ca-xsigned("etcd Peer CA
    (cross-signed)")\n etcd-server-ca-xsigned("etcd Server CA
    (cross-signed)")\n\n server-ca-ssigned("Server CA
    (self-signed)")\n client-ca-ssigned("Client CA
    (self-signed)")\n request-header-ca-ssigned("API Aggregation CA
    (self-signed)")\n etcd-peer-ca-ssigned("etcd Peer CA
    (self-signed)")\n etcd-server-ca-ssigned("etcd Server CA
    (self-signed)")\n\n server-ca("Intermediate
    Server CA")\n client-ca("Intermediate
    Client CA")\n request-header-ca("Intermediate
    API Aggregation CA")\n etcd-peer-ca("Intermediate
    etcd Peer CA")\n etcd-server-ca("Intermediate
    etcd Server CA")\n\n kube-server-certs[["Kubernetes servers
    (control-plane and kubelet listeners)"]]\n kube-client-certs[["Kubernetes clients
    (apiserver and kubelet clients)"]]\n request-header-certs[["Kubernetes API aggregation
    (apiserver proxy client)"]]\n etcd-peer-certs[["etcd peer client/server
    (etcd replication)"]]\n etcd-server-certs[["etcd client/server certificates
    (Kubernetes <-> etcd)"]]\n\n server-ca-ssigned -.-|SHA256| root-hash\n server-ca-ssigned --\x3e server-ca ==> kube-server-certs\n server-ca-old --\x3e server-ca-xsigned --\x3e server-ca\n client-ca-ssigned --\x3e client-ca ==> kube-client-certs\n client-ca-old --\x3e client-ca-xsigned --\x3e client-ca\n request-header-ca-ssigned --\x3e request-header-ca ==> request-header-certs\n request-header-ca-old --\x3e request-header-ca-xsigned --\x3e request-header-ca\n etcd-peer-ca-ssigned --\x3e etcd-peer-ca ==> etcd-peer-certs\n etcd-peer-ca-old --\x3e etcd-peer-ca-xsigned --\x3e etcd-peer-ca\n etcd-server-ca-ssigned --\x3e etcd-server-ca ==> etcd-server-certs\n etcd-server-ca-old --\x3e etcd-server-ca-xsigned --\x3e etcd-server-ca'}),"\n",(0,s.jsx)(t.h4,{id:"using-the-example-script-2",children:"Using The Example Script"}),"\n",(0,s.jsxs)(t.p,{children:["An example script to create updated CA certificates and keys cross-signed by the existing CAs is available ",(0,s.jsxs)(t.a,{href:"https://github.com/k3s-io/k3s/blob/master/contrib/util/rotate-default-ca-certs.sh",children:["in the K3s repo at ",(0,s.jsx)(t.code,{children:"contrib/util/rotate-default-ca-certs.sh"})]}),"."]}),"\n",(0,s.jsx)(t.p,{children:"To use the example script to generate updated self-signed certificates that are cross-signed by the existing CAs, run the following commands:"}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-bash",children:"# Create updated CA certs and keys, cross-signed by the current CAs.\n# This script will create a new temporary directory containing the updated certs, and output the new token values.\ncurl -sL https://github.com/k3s-io/k3s/raw/master/contrib/util/rotate-default-ca-certs.sh | bash -\n\n# Load the updated certs into the datastore; see the script output for the updated token values.\nk3s certificate rotate-ca --path=/var/lib/rancher/k3s/server/rotate-ca\n"})}),"\n",(0,s.jsxs)(t.p,{children:["If the ",(0,s.jsx)(t.code,{children:"rotate-ca"})," command returns an error, check the service log for errors.\nIf the command completes successfully, restart K3s on all nodes in the cluster - servers first, then agents."]}),"\n",(0,s.jsxs)(t.p,{children:["Ensure that any nodes that were joined with a ",(0,s.jsx)(t.a,{href:"/kr/cli/token#secure",children:"secure token"}),", including other server nodes, are reconfigured to use the new token value prior to being restarted.\nThe token may be stored in a ",(0,s.jsx)(t.code,{children:".env"})," file, systemd unit, or config.yaml, depending on how the node was configured during initial installation."]}),"\n",(0,s.jsx)(t.h2,{id:"service-account-issuer-key-rotation",children:"Service-Account Issuer Key Rotation"}),"\n",(0,s.jsxs)(t.p,{children:["The service-account issuer key is an RSA private key used to sign service-account tokens.\nWhen rotating the service-account issuer key, at least one old key should be retained in the file so that existing service-account tokens are not invalidated.\nIt can be rotated independent of the cluster CAs by using the ",(0,s.jsx)(t.code,{children:"k3s certificate rotate-ca"})," to install only an updated ",(0,s.jsx)(t.code,{children:"service.key"})," file that includes both the new and old keys."]}),"\n",(0,s.jsx)(t.admonition,{type:"warning",children:(0,s.jsxs)(t.p,{children:["You must not overwrite the currently in-use data in ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/tls"}),".",(0,s.jsx)(t.br,{}),"\n","Stage the updated key into a separate directory."]})}),"\n",(0,s.jsx)(t.p,{children:"For example, to rotate only the service-account issuer key, run the following commands:"}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-bash",children:"# Create a temporary directory for cert generation\nmkdir -p /opt/k3s/server/tls\n\n# Check OpenSSL version\nopenssl version | grep -qF 'OpenSSL 3' && OPENSSL_GENRSA_FLAGS=-traditional\n\n# Generate a new key\nopenssl genrsa ${OPENSSL_GENRSA_FLAGS:-} -out /opt/k3s/server/tls/service.key 2048\n\n# Append the existing key to avoid invalidating current tokens\ncat /var/lib/rancher/k3s/server/tls/service.key >> /opt/k3s/server/tls/service.key\n\n# Load the updated key into the datastore\nk3s certificate rotate-ca --path=/opt/k3s/server\n"})}),"\n",(0,s.jsxs)(t.p,{children:["It is normal to see warnings for files that are not being updated. If the ",(0,s.jsx)(t.code,{children:"rotate-ca"})," command returns an error, check the service log for errors.\nIf the command completes successfully, restart K3s on all servers in the cluster. It is not necessary to restart agents or restart any pods."]})]})}function h(e={}){const{wrapper:t}={...(0,n.a)(),...e.components};return t?(0,s.jsx)(t,{...e,children:(0,s.jsx)(l,{...e})}):l(e)}},1151:(e,t,r)=>{r.d(t,{Z:()=>a,a:()=>c});var s=r(7294);const n={},i=s.createContext(n);function c(e){const t=s.useContext(i);return s.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function a(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:c(e.components),s.createElement(i.Provider,{value:t},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/03ee9047.b4f3bf19.js b/kr/assets/js/03ee9047.b4f3bf19.js deleted file mode 100644 index 3a3bd6e11..000000000 --- a/kr/assets/js/03ee9047.b4f3bf19.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[9482],{6029:(e,t,r)=>{r.r(t),r.d(t,{assets:()=>o,contentTitle:()=>c,default:()=>h,frontMatter:()=>i,metadata:()=>a,toc:()=>d});var s=r(5893),n=r(1151);const i={title:"certificate"},c="k3s certificate",a={id:"cli/certificate",title:"certificate",description:"Client and Server Certificates",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/cli/certificate.md",sourceDirName:"cli",slug:"/cli/certificate",permalink:"/kr/cli/certificate",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/cli/certificate.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"certificate"},sidebar:"mySidebar",previous:{title:"agent",permalink:"/kr/cli/agent"},next:{title:"etcd-snapshot",permalink:"/kr/cli/etcd-snapshot"}},o={},d=[{value:"Client and Server Certificates",id:"client-and-server-certificates",level:2},{value:"Rotating Client and Server Certificates",id:"rotating-client-and-server-certificates",level:3},{value:"Certificate Authority (CA) Certificates",id:"certificate-authority-ca-certificates",level:2},{value:"Using Custom CA Certificates",id:"using-custom-ca-certificates",level:3},{value:"Custom CA Topology",id:"custom-ca-topology",level:4},{value:"Using the Example Script",id:"using-the-example-script",level:4},{value:"Rotating Custom CA Certificates",id:"rotating-custom-ca-certificates",level:3},{value:"Using the Example Script",id:"using-the-example-script-1",level:4},{value:"Rotating Self-Signed CA Certificates",id:"rotating-self-signed-ca-certificates",level:3},{value:"Default CA Topology",id:"default-ca-topology",level:4},{value:"Using The Example Script",id:"using-the-example-script-2",level:4},{value:"Service-Account Issuer Key Rotation",id:"service-account-issuer-key-rotation",level:2}];function l(e){const t={a:"a",admonition:"admonition",br:"br",code:"code",em:"em",h1:"h1",h2:"h2",h3:"h3",h4:"h4",li:"li",mermaid:"mermaid",p:"p",pre:"pre",ul:"ul",...(0,n.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(t.h1,{id:"k3s-certificate",children:"k3s certificate"}),"\n",(0,s.jsx)(t.h2,{id:"client-and-server-certificates",children:"Client and Server Certificates"}),"\n",(0,s.jsx)(t.p,{children:"K3s client and server certificates are valid for 365 days from their date of issuance. Any certificates that are expired, or within 90 days of expiring, are automatically renewed every time K3s starts."}),"\n",(0,s.jsx)(t.h3,{id:"rotating-client-and-server-certificates",children:"Rotating Client and Server Certificates"}),"\n",(0,s.jsxs)(t.p,{children:["To rotate client and server certificates manually, use the ",(0,s.jsx)(t.code,{children:"k3s certificate rotate"})," subcommand:"]}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-bash",children:"# Stop K3s\nsystemctl stop k3s\n\n# Rotate certificates\nk3s certificate rotate\n\n# Start K3s\nsystemctl start k3s\n"})}),"\n",(0,s.jsx)(t.p,{children:"Individual or lists of certificates can be rotated by specifying the certificate name:"}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-bash",children:"k3s certificate rotate --service ,\n"})}),"\n",(0,s.jsxs)(t.p,{children:["The following certificates can be rotated: ",(0,s.jsx)(t.code,{children:"admin"}),", ",(0,s.jsx)(t.code,{children:"api-server"}),", ",(0,s.jsx)(t.code,{children:"controller-manager"}),", ",(0,s.jsx)(t.code,{children:"scheduler"}),", ",(0,s.jsx)(t.code,{children:"k3s-controller"}),", ",(0,s.jsx)(t.code,{children:"k3s-server"}),", ",(0,s.jsx)(t.code,{children:"cloud-controller"}),", ",(0,s.jsx)(t.code,{children:"etcd"}),", ",(0,s.jsx)(t.code,{children:"auth-proxy"}),", ",(0,s.jsx)(t.code,{children:"kubelet"}),", ",(0,s.jsx)(t.code,{children:"kube-proxy"}),"."]}),"\n",(0,s.jsx)(t.h2,{id:"certificate-authority-ca-certificates",children:"Certificate Authority (CA) Certificates"}),"\n",(0,s.jsxs)(t.p,{children:["Kubernetes requires a number of CA certificates for proper operation. For more information on how Kubernetes uses CA certificates, see the Kubernetes ",(0,s.jsx)(t.a,{href:"https://kubernetes.io/docs/setup/best-practices/certificates/#all-certificates",children:"PKI Certificates and Requirements"})," documentation."]}),"\n",(0,s.jsx)(t.p,{children:"By default, K3s generates self-signed CA certificates during startup of the first server node. These CA certificates are valid for 10 years from date of issuance, and are not automatically renewed."}),"\n",(0,s.jsxs)(t.p,{children:["The authoritative CA certificates and keys are stored within the datastore's bootstrap key, encrypted using the ",(0,s.jsx)(t.a,{href:"/kr/cli/token#server",children:"server token"})," as the PBKDF2 passphrase with AES256-GCM and HMAC-SHA1.\nCopies of the CA certificates and keys are extracted to disk during K3s server startup.\nAny server may generate leaf certificates for nodes as they join the cluster, and the Kubernetes ",(0,s.jsx)(t.a,{href:"https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/",children:"Certificates API"})," controllers may issue additional certificates at runtime."]}),"\n",(0,s.jsxs)(t.p,{children:["To rotate CA certificates and keys, use the ",(0,s.jsx)(t.code,{children:"k3s certificate rotate-ca"})," command.\nThe command performs integrity checks to confirm that the updated certificates and keys are usable.\nIf the updated data is acceptable, the datastore's encrypted bootstrap key is updated, and the new certificates and keys will be used the next time K3s starts.\nIf problems are encountered while validating the certificates and keys, an error is reported to the system log and the operation is cancelled without changes."]}),"\n",(0,s.jsx)(t.admonition,{title:"Version Gate",type:"info",children:(0,s.jsxs)(t.p,{children:["Support for the ",(0,s.jsx)(t.code,{children:"k3s certificate rotate-ca"})," command and the ability to use CA certificates signed by an external CA is available starting with the 2023-02 releases (v1.26.2+k3s1, v1.25.7+k3s1, v1.24.11+k3s1, v1.23.17+k3s1)."]})}),"\n",(0,s.jsx)(t.h3,{id:"using-custom-ca-certificates",children:"Using Custom CA Certificates"}),"\n",(0,s.jsx)(t.p,{children:"If CA certificates and keys are found the correct location during initial startup of the first server in the cluster, automatic generation of CA certificates will be bypassed."}),"\n",(0,s.jsxs)(t.p,{children:["An example script to pre-create the appropriate certificates and keys is available ",(0,s.jsxs)(t.a,{href:"https://github.com/k3s-io/k3s/blob/master/contrib/util/generate-custom-ca-certs.sh",children:["in the K3s repo at ",(0,s.jsx)(t.code,{children:"contrib/util/generate-custom-ca-certs.sh"})]}),".\nThis script should be run prior to starting K3s for the first time, and will create a full set of leaf CA certificates signed by common Root and Intermediate CA certificates.\nIf you have an existing Root or Intermediate CA, this script can be used (or used as a starting point) to create the correct CA certificates to provision a K3s cluster with PKI rooted in an existing authority."]}),"\n",(0,s.jsxs)(t.p,{children:["Custom Certificate Authority files must be placed in ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/tls"}),". The following files are required:"]}),"\n",(0,s.jsxs)(t.ul,{children:["\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"server-ca.crt"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"server-ca.key"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"client-ca.crt"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"client-ca.key"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"request-header-ca.crt"})}),"\n",(0,s.jsxs)(t.li,{children:[(0,s.jsx)(t.code,{children:"request-header-ca.key"}),(0,s.jsx)(t.br,{}),"\n",(0,s.jsx)(t.em,{children:"// note: etcd files are required even if embedded etcd is not in use."})]}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"etcd/peer-ca.crt"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"etcd/peer-ca.key"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"etcd/server-ca.crt"})}),"\n",(0,s.jsxs)(t.li,{children:[(0,s.jsx)(t.code,{children:"etcd/server-ca.key"}),(0,s.jsx)(t.br,{}),"\n",(0,s.jsx)(t.em,{children:"// note: This is the private key used to sign service-account tokens. It does not have a corresponding certificate."})]}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"service.key"})}),"\n"]}),"\n",(0,s.jsx)(t.h4,{id:"custom-ca-topology",children:"Custom CA Topology"}),"\n",(0,s.jsx)(t.p,{children:"Custom CA Certificates should observe the following topology:"}),"\n",(0,s.jsx)(t.mermaid,{value:'graph TD\n root("Root CA")\n intermediate("Intermediate CA")\n server-ca("Server CA")\n client-ca("Client CA")\n request-header-ca("API Aggregation CA")\n etcd-peer-ca("etcd Peer CA")\n etcd-server-ca("etcd Server CA")\n\n root-hash>"Join token CA hash"]\n\n kube-server-certs[["Kubernetes servers
    (control-plane and kubelet listeners)"]]\n kube-client-certs[["Kubernetes clients
    (apiserver and kubelet clients)"]]\n request-header-certs[["Kubernetes API aggregation
    (apiserver proxy client)"]]\n etcd-peer-certs[["etcd peer client/server
    (etcd replication)"]]\n etcd-server-certs[["etcd client/server certificates
    (Kubernetes <-> etcd)"]]\n\n root -.-|SHA256| root-hash\n root ---\x3e intermediate\n intermediate --\x3e server-ca ==> kube-server-certs\n intermediate --\x3e client-ca ==> kube-client-certs\n intermediate --\x3e request-header-ca ==> request-header-certs\n intermediate --\x3e etcd-peer-ca ==> etcd-peer-certs\n intermediate --\x3e etcd-server-ca ==> etcd-server-certs'}),"\n",(0,s.jsx)(t.h4,{id:"using-the-example-script",children:"Using the Example Script"}),"\n",(0,s.jsx)(t.admonition,{title:"\uc911\uc694\ud55c",type:"info",children:(0,s.jsx)(t.p,{children:"If you want to sign the cluster CA certificates with an existing root CA using the example script, you must place the root and intermediate files in the target directory prior to running the script.\nIf the files do not exist, the script will create new root and intermediate CA certificates."})}),"\n",(0,s.jsx)(t.p,{children:"If you want to use only an existing root CA certificate, provide the following files:"}),"\n",(0,s.jsxs)(t.ul,{children:["\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"root.pem"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"root.key"})}),"\n"]}),"\n",(0,s.jsx)(t.p,{children:"If you want to use existing root and intermediate CA certificates, provide the following files:"}),"\n",(0,s.jsxs)(t.ul,{children:["\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"root.pem"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"intermediate.pem"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"intermediate.key"})}),"\n"]}),"\n",(0,s.jsx)(t.p,{children:"To use the example script to generate custom certs and keys before starting K3s, run the following commands:"}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-bash",children:"# Create the target directory for cert generation.\nmkdir -p /var/lib/rancher/k3s/server/tls\n\n# Copy your root CA cert and intermediate CA cert+key into the correct location for the script.\n# For the purposes of this example, we assume you have existing root and intermediate CA files in /etc/ssl.\n# If you do not have an existing root and/or intermediate CA, the script will generate them for you.\ncp /etc/ssl/certs/root.pem /etc/ssl/certs/intermediate.pem /etc/ssl/private/intermediate.key /var/lib/rancher/k3s/server/tls\n\n# Generate custom CA certs and keys.\ncurl -sL https://github.com/k3s-io/k3s/raw/master/contrib/util/generate-custom-ca-certs.sh | bash -\n"})}),"\n",(0,s.jsx)(t.p,{children:"If the command completes successfully, you may install and/or start K3s for the first time.\nIf the script generated root and/or intermediate CA files, you should back up these files so that they can be reused if it is necessary to rotate the CA certificates at a later date."}),"\n",(0,s.jsx)(t.h3,{id:"rotating-custom-ca-certificates",children:"Rotating Custom CA Certificates"}),"\n",(0,s.jsxs)(t.p,{children:["To rotate custom CA certificates, use the ",(0,s.jsx)(t.code,{children:"k3s certificate rotate-ca"})," subcommand.\nUpdated files must be staged into a temporary directory, loaded into the datastore, and k3s must be restarted on all nodes to use the updated certificates."]}),"\n",(0,s.jsx)(t.admonition,{type:"warning",children:(0,s.jsxs)(t.p,{children:["You must not overwrite the currently in-use data in ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/tls"}),".",(0,s.jsx)(t.br,{}),"\n","Stage the updated certificates and keys into a separate directory."]})}),"\n",(0,s.jsx)(t.p,{children:"A cluster that has been started with custom CA certificates can renew or rotate the CA certificates and keys non-disruptively, as long as the same root CA is used."}),"\n",(0,s.jsxs)(t.p,{children:["If a new root CA is required, the rotation will be disruptive. The ",(0,s.jsx)(t.code,{children:"k3s certificate rotate-ca --force"})," option must be used, all nodes that were joined with a ",(0,s.jsx)(t.a,{href:"/kr/cli/token#secure",children:"secure token"})," (including servers) will need to be reconfigured to use the new token value, and pods will need to be restarted to trust the new root CA."]}),"\n",(0,s.jsx)(t.h4,{id:"using-the-example-script-1",children:"Using the Example Script"}),"\n",(0,s.jsxs)(t.p,{children:["The example ",(0,s.jsx)(t.code,{children:"generate-custom-ca-certs.sh"})," script linked above can also be used to generate updated certs in a new temporary directory, by copying files into the correct location and setting the ",(0,s.jsx)(t.code,{children:"DATA_DIR"})," environment variable.\nTo use the example script to generate updated certs and keys, run the following commands:"]}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-bash",children:"# Create a temporary directory for cert generation.\nmkdir -p /opt/k3s/server/tls\n\n# Copy your root CA cert and intermediate CA cert+key into the correct location for the script.\n# Non-disruptive rotation requires the same root CA that was used to generate the original certificates.\n# If the original files are still in the data directory, you can just run:\ncp /var/lib/rancher/k3s/server/root.* /var/lib/rancher/k3s/server/intermediate.* /opt/k3s/server/tls\n\n# Copy the current service-account signing key, so that existing service-account tokens are not invalidated.\ncp /var/lib/rancher/k3s/server/tls/service.key /opt/k3s/server/tls\n\n# Generate updated custom CA certs and keys.\ncurl -sL https://github.com/k3s-io/k3s/raw/master/contrib/util/generate-custom-ca-certs.sh | DATA_DIR=/opt/k3s bash -\n\n# Load the updated CA certs and keys into the datastore.\nk3s certificate rotate-ca --path=/opt/k3s/server\n"})}),"\n",(0,s.jsxs)(t.p,{children:["If the ",(0,s.jsx)(t.code,{children:"rotate-ca"})," command returns an error, check the service log for errors.\nIf the command completes successfully, restart K3s on all nodes in the cluster - servers first, then agents."]}),"\n",(0,s.jsxs)(t.p,{children:["If you used the ",(0,s.jsx)(t.code,{children:"--force"})," option or changed the root CA, ensure that any nodes that were joined with a ",(0,s.jsx)(t.a,{href:"/kr/cli/token#secure",children:"secure token"})," are reconfigured to use the new token value, prior to being restarted.\nThe token may be stored in a ",(0,s.jsx)(t.code,{children:".env"})," file, systemd unit, or config.yaml, depending on how the node was configured during initial installation."]}),"\n",(0,s.jsx)(t.h3,{id:"rotating-self-signed-ca-certificates",children:"Rotating Self-Signed CA Certificates"}),"\n",(0,s.jsxs)(t.p,{children:["To rotate the K3s-generated self-signed CA certificates, use the ",(0,s.jsx)(t.code,{children:"k3s certificate rotate-ca"})," subcommand.\nUpdated files must be staged into a temporary directory, loaded into the datastore, and k3s must be restarted on all nodes to use the updated certificates."]}),"\n",(0,s.jsx)(t.admonition,{type:"warning",children:(0,s.jsxs)(t.p,{children:["You must not overwrite the currently in-use data in ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/tls"}),".",(0,s.jsx)(t.br,{}),"\n","Stage the updated certificates and keys into a separate directory."]})}),"\n",(0,s.jsxs)(t.p,{children:["If the cluster has been started with default self-signed CA certificates, rotation will be disruptive. All nodes that were joined with a ",(0,s.jsx)(t.a,{href:"/kr/cli/token#secure",children:"secure token"})," will need to be reconfigured to trust the new CA hash.\nIf the new CA certificates are not cross-signed by the old CA certificates, you will need to use the ",(0,s.jsx)(t.code,{children:"--force"})," option to bypass integrity checks, and pods will need to be restarted to trust the new root CA."]}),"\n",(0,s.jsx)(t.h4,{id:"default-ca-topology",children:"Default CA Topology"}),"\n",(0,s.jsx)(t.p,{children:"The default self-signed CA certificates have the following topology:"}),"\n",(0,s.jsx)(t.mermaid,{value:'graph TD\n server-ca("Server CA")\n client-ca("Client CA")\n request-header-ca("API Aggregation CA")\n etcd-peer-ca("etcd Peer CA")\n etcd-server-ca("etcd Server CA")\n\n root-hash>"Join token CA hash"]\n\n kube-server-certs[["Kubernetes servers
    (control-plane and kubelet listeners)"]]\n kube-client-certs[["Kubernetes clients
    (apiserver and kubelet clients)"]]\n request-header-certs[["Kubernetes API aggregation
    (apiserver proxy client)"]]\n etcd-peer-certs[["etcd peer client/server
    (etcd replication)"]]\n etcd-server-certs[["etcd client/server certificates
    (Kubernetes <-> etcd)"]]\n\n server-ca -.-|SHA256| root-hash\n server-ca ===> kube-server-certs\n client-ca ===> kube-client-certs\n request-header-ca ===> request-header-certs\n etcd-peer-ca ===> etcd-peer-certs\n etcd-server-ca ===> etcd-server-certs'}),"\n",(0,s.jsx)(t.p,{children:"When rotating the default self-signed CAs, a modified certificate topology with intermediate CAs and a new root CA cross-signed by the old CA can be used so that there is a continuous chain of trust between the old and new CAs:"}),"\n",(0,s.jsx)(t.mermaid,{value:'graph TD\n server-ca-old("Server CA
    (old)")\n client-ca-old("Client CA
    (old)")\n request-header-ca-old("API Aggregation CA
    (old)")\n etcd-peer-ca-old("etcd Peer CA
    (old)")\n etcd-server-ca-old("etcd Server CA
    (old)")\n\n root-hash>"Join token CA hash"]\n\n server-ca-xsigned("Server CA
    (cross-signed)")\n client-ca-xsigned("Client CA
    (cross-signed)")\n request-header-ca-xsigned("API Aggregation CA
    (cross-signed)")\n etcd-peer-ca-xsigned("etcd Peer CA
    (cross-signed)")\n etcd-server-ca-xsigned("etcd Server CA
    (cross-signed)")\n\n server-ca-ssigned("Server CA
    (self-signed)")\n client-ca-ssigned("Client CA
    (self-signed)")\n request-header-ca-ssigned("API Aggregation CA
    (self-signed)")\n etcd-peer-ca-ssigned("etcd Peer CA
    (self-signed)")\n etcd-server-ca-ssigned("etcd Server CA
    (self-signed)")\n\n server-ca("Intermediate
    Server CA")\n client-ca("Intermediate
    Client CA")\n request-header-ca("Intermediate
    API Aggregation CA")\n etcd-peer-ca("Intermediate
    etcd Peer CA")\n etcd-server-ca("Intermediate
    etcd Server CA")\n\n kube-server-certs[["Kubernetes servers
    (control-plane and kubelet listeners)"]]\n kube-client-certs[["Kubernetes clients
    (apiserver and kubelet clients)"]]\n request-header-certs[["Kubernetes API aggregation
    (apiserver proxy client)"]]\n etcd-peer-certs[["etcd peer client/server
    (etcd replication)"]]\n etcd-server-certs[["etcd client/server certificates
    (Kubernetes <-> etcd)"]]\n\n server-ca-ssigned -.-|SHA256| root-hash\n server-ca-ssigned --\x3e server-ca ==> kube-server-certs\n server-ca-old --\x3e server-ca-xsigned --\x3e server-ca\n client-ca-ssigned --\x3e client-ca ==> kube-client-certs\n client-ca-old --\x3e client-ca-xsigned --\x3e client-ca\n request-header-ca-ssigned --\x3e request-header-ca ==> request-header-certs\n request-header-ca-old --\x3e request-header-ca-xsigned --\x3e request-header-ca\n etcd-peer-ca-ssigned --\x3e etcd-peer-ca ==> etcd-peer-certs\n etcd-peer-ca-old --\x3e etcd-peer-ca-xsigned --\x3e etcd-peer-ca\n etcd-server-ca-ssigned --\x3e etcd-server-ca ==> etcd-server-certs\n etcd-server-ca-old --\x3e etcd-server-ca-xsigned --\x3e etcd-server-ca'}),"\n",(0,s.jsx)(t.h4,{id:"using-the-example-script-2",children:"Using The Example Script"}),"\n",(0,s.jsxs)(t.p,{children:["An example script to create updated CA certificates and keys cross-signed by the existing CAs is available ",(0,s.jsxs)(t.a,{href:"https://github.com/k3s-io/k3s/blob/master/contrib/util/rotate-default-ca-certs.sh",children:["in the K3s repo at ",(0,s.jsx)(t.code,{children:"contrib/util/rotate-default-ca-certs.sh"})]}),"."]}),"\n",(0,s.jsx)(t.p,{children:"To use the example script to generate updated self-signed certificates that are cross-signed by the existing CAs, run the following commands:"}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-bash",children:"# Create updated CA certs and keys, cross-signed by the current CAs.\n# This script will create a new temporary directory containing the updated certs, and output the new token values.\ncurl -sL https://github.com/k3s-io/k3s/raw/master/contrib/util/rotate-default-ca-certs.sh | bash -\n\n# Load the updated certs into the datastore; see the script output for the updated token values.\nk3s certificate rotate-ca --path=/var/lib/rancher/k3s/server/rotate-ca\n"})}),"\n",(0,s.jsxs)(t.p,{children:["If the ",(0,s.jsx)(t.code,{children:"rotate-ca"})," command returns an error, check the service log for errors.\nIf the command completes successfully, restart K3s on all nodes in the cluster - servers first, then agents."]}),"\n",(0,s.jsxs)(t.p,{children:["Ensure that any nodes that were joined with a ",(0,s.jsx)(t.a,{href:"/kr/cli/token#secure",children:"secure token"}),", including other server nodes, are reconfigured to use the new token value prior to being restarted.\nThe token may be stored in a ",(0,s.jsx)(t.code,{children:".env"})," file, systemd unit, or config.yaml, depending on how the node was configured during initial installation."]}),"\n",(0,s.jsx)(t.h2,{id:"service-account-issuer-key-rotation",children:"Service-Account Issuer Key Rotation"}),"\n",(0,s.jsxs)(t.p,{children:["The service-account issuer key is an RSA private key used to sign service-account tokens.\nWhen rotating the service-account issuer key, at least one old key should be retained in the file so that existing service-account tokens are not invalidated.\nIt can be rotated independent of the cluster CAs by using the ",(0,s.jsx)(t.code,{children:"k3s certificate rotate-ca"})," to install only an updated ",(0,s.jsx)(t.code,{children:"service.key"})," file that includes both the new and old keys."]}),"\n",(0,s.jsx)(t.admonition,{type:"warning",children:(0,s.jsxs)(t.p,{children:["You must not overwrite the currently in-use data in ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/tls"}),".",(0,s.jsx)(t.br,{}),"\n","Stage the updated key into a separate directory."]})}),"\n",(0,s.jsx)(t.p,{children:"For example, to rotate only the service-account issuer key, run the following commands:"}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-bash",children:"# Create a temporary directory for cert generation\nmkdir -p /opt/k3s/server/tls\n\n# Check OpenSSL version\nopenssl version | grep -qF 'OpenSSL 3' && OPENSSL_GENRSA_FLAGS=-traditional\n\n# Generate a new key\nopenssl genrsa ${OPENSSL_GENRSA_FLAGS:-} -out /opt/k3s/server/tls/service.key 2048\n\n# Append the existing key to avoid invalidating current tokens\ncat /var/lib/rancher/k3s/server/tls/service.key >> /opt/k3s/server/tls/service.key\n\n# Load the updated key into the datastore\nk3s certificate rotate-ca --path=/opt/k3s/server\n"})}),"\n",(0,s.jsxs)(t.p,{children:["It is normal to see warnings for files that are not being updated. If the ",(0,s.jsx)(t.code,{children:"rotate-ca"})," command returns an error, check the service log for errors.\nIf the command completes successfully, restart K3s on all servers in the cluster. It is not necessary to restart agents or restart any pods."]})]})}function h(e={}){const{wrapper:t}={...(0,n.a)(),...e.components};return t?(0,s.jsx)(t,{...e,children:(0,s.jsx)(l,{...e})}):l(e)}},1151:(e,t,r)=>{r.d(t,{Z:()=>a,a:()=>c});var s=r(7294);const n={},i=s.createContext(n);function c(e){const t=s.useContext(i);return s.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function a(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:c(e.components),s.createElement(i.Provider,{value:t},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/0759a3f5.403e480f.js b/kr/assets/js/0759a3f5.403e480f.js new file mode 100644 index 000000000..95ecfa3bc --- /dev/null +++ b/kr/assets/js/0759a3f5.403e480f.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[2409],{2714:(e,s,i)=>{i.r(s),i.d(s,{assets:()=>c,contentTitle:()=>l,default:()=>a,frontMatter:()=>n,metadata:()=>h,toc:()=>o});var r=i(5893),t=i(1151);const n={hide_table_of_contents:!0,sidebar_position:2},l="v1.29.X",h={id:"release-notes/v1.29.X",title:"v1.29.X",description:"Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.",source:"@site/docs/release-notes/v1.29.X.md",sourceDirName:"release-notes",slug:"/release-notes/v1.29.X",permalink:"/kr/release-notes/v1.29.X",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/release-notes/v1.29.X.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,sidebarPosition:2,frontMatter:{hide_table_of_contents:!0,sidebar_position:2},sidebar:"mySidebar",previous:{title:"v1.30.X",permalink:"/kr/release-notes/v1.30.X"},next:{title:"v1.28.X",permalink:"/kr/release-notes/v1.28.X"}},c={},o=[{value:"Release v1.29.7+k3s1",id:"release-v1297k3s1",level:2},{value:"Changes since v1.29.6+k3s2:",id:"changes-since-v1296k3s2",level:3},{value:"Release v1.29.6+k3s2",id:"release-v1296k3s2",level:2},{value:"Changes since v1.29.6+k3s1:",id:"changes-since-v1296k3s1",level:3},{value:"Release v1.29.6+k3s1",id:"release-v1296k3s1",level:2},{value:"Changes since v1.29.5+k3s1:",id:"changes-since-v1295k3s1",level:3},{value:"Release v1.29.5+k3s1",id:"release-v1295k3s1",level:2},{value:"Changes since v1.29.4+k3s1:",id:"changes-since-v1294k3s1",level:3},{value:"Release v1.29.4+k3s1",id:"release-v1294k3s1",level:2},{value:"Changes since v1.29.3+k3s1:",id:"changes-since-v1293k3s1",level:3},{value:"Release v1.29.3+k3s1",id:"release-v1293k3s1",level:2},{value:"Changes since v1.29.2+k3s1:",id:"changes-since-v1292k3s1",level:3},{value:"Release v1.29.2+k3s1",id:"release-v1292k3s1",level:2},{value:"Changes since v1.29.1+k3s2:",id:"changes-since-v1291k3s2",level:3},{value:"Release v1.29.1+k3s2",id:"release-v1291k3s2",level:2},{value:"Changes since v1.29.0+k3s1:",id:"changes-since-v1290k3s1",level:3},{value:"Release v1.29.0+k3s1",id:"release-v1290k3s1",level:2},{value:"Changes since v1.28.4+k3s2:",id:"changes-since-v1284k3s2",level:3}];function d(e){const s={a:"a",admonition:"admonition",code:"code",h1:"h1",h2:"h2",h3:"h3",header:"header",hr:"hr",li:"li",p:"p",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,t.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(s.header,{children:(0,r.jsx)(s.h1,{id:"v129x",children:"v1.29.X"})}),"\n",(0,r.jsx)(s.admonition,{title:"Upgrade Notice",type:"warning",children:(0,r.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]})}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Version"}),(0,r.jsx)(s.th,{children:"Release date"}),(0,r.jsx)(s.th,{children:"Kubernetes"}),(0,r.jsx)(s.th,{children:"Kine"}),(0,r.jsx)(s.th,{children:"SQLite"}),(0,r.jsx)(s.th,{children:"Etcd"}),(0,r.jsx)(s.th,{children:"Containerd"}),(0,r.jsx)(s.th,{children:"Runc"}),(0,r.jsx)(s.th,{children:"Flannel"}),(0,r.jsx)(s.th,{children:"Metrics-server"}),(0,r.jsx)(s.th,{children:"Traefik"}),(0,r.jsx)(s.th,{children:"CoreDNS"}),(0,r.jsx)(s.th,{children:"Helm-controller"}),(0,r.jsx)(s.th,{children:"Local-path-provisioner"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.29.X#release-v1297k3s1",children:"v1.29.7+k3s1"})}),(0,r.jsx)(s.td,{children:"Jul 31 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1297",children:"v1.29.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.11",children:"v0.11.11"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1",children:"v1.7.17-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.4",children:"v0.25.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.10",children:"v0.15.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.28",children:"v0.0.28"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.29.X#release-v1296k3s2",children:"v1.29.6+k3s2"})}),(0,r.jsx)(s.td,{children:"Jul 03 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1296",children:"v1.29.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.9",children:"v0.11.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1",children:"v1.7.17-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12-"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.4",children:"v0.25.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.10",children:"v0.15.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.27",children:"v0.0.27"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.29.X#release-v1296k3s1",children:"v1.29.6+k3s1"})}),(0,r.jsx)(s.td,{children:"Jun 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1296",children:"v1.29.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.9",children:"v0.11.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1",children:"v1.7.17-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.2",children:"v0.25.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.10",children:"v0.15.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.27",children:"v0.0.27"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.29.X#release-v1295k3s1",children:"v1.29.5+k3s1"})}),(0,r.jsx)(s.td,{children:"May 22 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1295",children:"v1.29.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.7",children:"v0.11.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.15-k3s1",children:"v1.7.15-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.29.X#release-v1294k3s1",children:"v1.29.4+k3s1"})}),(0,r.jsx)(s.td,{children:"Apr 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1294",children:"v1.29.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.7",children:"v0.11.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.15-k3s1",children:"v1.7.15-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.29.X#release-v1293k3s1",children:"v1.29.3+k3s1"})}),(0,r.jsx)(s.td,{children:"Mar 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1293",children:"v1.29.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.4",children:"v0.11.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2",children:"v1.7.11-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.29.X#release-v1292k3s1",children:"v1.29.2+k3s1"})}),(0,r.jsx)(s.td,{children:"Feb 29 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1292",children:"v1.29.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.4",children:"v0.11.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2",children:"v1.7.11-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.8",children:"v0.15.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.29.X#release-v1291k3s2",children:"v1.29.1+k3s2"})}),(0,r.jsx)(s.td,{children:"Feb 06 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1291",children:"v1.29.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2",children:"v1.7.11-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.0",children:"v0.24.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.8",children:"v0.15.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.29.X#release-v1290k3s1",children:"v1.29.0+k3s1"})}),(0,r.jsx)(s.td,{children:"Dec 22 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1290",children:"v1.29.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2",children:"v1.7.11-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.10",children:"v1.1.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.0",children:"v0.24.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]})]})]}),"\n",(0,r.jsx)("br",{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1297k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.7+k3s1",children:"v1.29.7+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.29.7, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1296",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1296k3s2",children:"Changes since v1.29.6+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-07 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10498",children:"(#10498)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump k3s-root to v0.14.0"}),"\n",(0,r.jsx)(s.li,{children:"Bump github.com/hashicorp/go-retryablehttp from 0.7.4 to 0.7.7"}),"\n",(0,r.jsx)(s.li,{children:"Bump Local Path Provisioner version"}),"\n",(0,r.jsx)(s.li,{children:"Ensure remotedialer kubelet connections use kubelet bind address"}),"\n",(0,r.jsx)(s.li,{children:"Chore: Bump Trivy version"}),"\n",(0,r.jsx)(s.li,{children:"Add etcd s3 config secret implementation"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["July Test Backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10508",children:"(#10508)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.29.7-k3s1 and Go 1.22.5 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10539",children:"(#10539)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issues loading data-dir value from env vars or dropping config files ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10597",children:"(#10597)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1296k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.6+k3s2",children:"v1.29.6+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.29.6, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1296",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1296k3s1",children:"Changes since v1.29.6+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update flannel to v0.25.4 and fixed issue with IPv6 mask ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10427",children:"(#10427)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1296k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.6+k3s1",children:"v1.29.6+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.29.6, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1295",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1295k3s1",children:"Changes since v1.29.5+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix bug when using tailscale config by file ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10142",children:"(#10142)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump flannel version to v0.25.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10220",children:"(#10220)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router version to v2.1.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10181",children:"(#10181)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Improve tailscale test & add extra log in e2e tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10212",children:"(#10212)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-06 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10249",children:"(#10249)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Add WithSkipMissing to not fail import on missing blobs"}),"\n",(0,r.jsx)(s.li,{children:"Use fixed stream server bind address for cri-dockerd"}),"\n",(0,r.jsx)(s.li,{children:"Switch stargz over to cri registry config_path"}),"\n",(0,r.jsx)(s.li,{children:"Bump to containerd v1.7.17, etcd v3.5.13"}),"\n",(0,r.jsx)(s.li,{children:"Bump spegel version"}),"\n",(0,r.jsx)(s.li,{children:"Fix issue with externalTrafficPolicy: Local for single-stack services on dual-stack nodes"}),"\n",(0,r.jsxs)(s.li,{children:["ServiceLB now sets the priorityClassName on svclb pods to ",(0,r.jsx)(s.code,{children:"system-node-critical"})," by default. This can be overridden on a per-service basis via the ",(0,r.jsx)(s.code,{children:"svccontroller.k3s.cattle.io/priorityclassname"})," annotation."]}),"\n",(0,r.jsx)(s.li,{children:"Bump minio-go to v7.0.70"}),"\n",(0,r.jsx)(s.li,{children:"Bump kine to v0.11.9 to fix pagination"}),"\n",(0,r.jsx)(s.li,{children:"Update valid resolv conf"}),"\n",(0,r.jsx)(s.li,{children:"Add missing kernel config check"}),"\n",(0,r.jsx)(s.li,{children:"Symlinked sub-directories are now respected when scanning Auto-Deploying Manifests (AddOns)"}),"\n",(0,r.jsx)(s.li,{children:"Fix bug: allow helm controller set owner reference"}),"\n",(0,r.jsx)(s.li,{children:"Bump klipper-helm image for tls secret support"}),"\n",(0,r.jsx)(s.li,{children:"Fix issue with k3s-etcd informers not starting"}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--Enable-pprof"})," can now be set on agents to enable the debug/pprof endpoints. When set, agents will listen on the supervisor port."]}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--Supervisor-metrics"})," can now be set on servers to enable serving internal metrics on the supervisor endpoint; when set agents will listen on the supervisor port."]}),"\n",(0,r.jsx)(s.li,{children:"Fix netpol crash when node remains tainted uninitialized"}),"\n",(0,r.jsx)(s.li,{children:"The embedded load-balancer will now fall back to trying all servers with health-checks ignored, if all servers have been marked unavailable due to failed health checks."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["More backports for 2024-06 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10288",children:"(#10288)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add snapshot retention etcd-s3-folder fix ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10316",children:"(#10316)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add test for ",(0,r.jsx)(s.code,{children:"isValidResolvConf"})," (#10302) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10329",children:"(#10329)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix race condition panic in loadbalancer.nextServer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10322",children:"(#10322)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix typo, use ",(0,r.jsx)(s.code,{children:"rancher/permissions"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10298",children:"(#10298)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Expand GHA go caching to include newest release branch ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10334",children:"(#10334)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.29.6 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10348",children:"(#10348)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix agent supervisor port using apiserver port instead ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10354",children:"(#10354)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue that allowed multiple simultaneous snapshots to be allowed ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10376",children:"(#10376)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1295k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.5+k3s1",children:"v1.29.5+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.29.5, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1294",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1294k3s1",children:"Changes since v1.29.4+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update stable channel to v1.29.4+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10031",children:"(#10031)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add E2E Split Server to Drone, support parallel testing in Drone ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9940",children:"(#9940)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump E2E opensuse leap to 15.6, fix btrfs test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10057",children:"(#10057)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Replace deprecated ruby function ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10091",children:"(#10091)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Set correct release channel for e2e upgrade test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10106",children:"(#10106)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Windows changes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10115",children:"(#10115)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.29.5-k3s1 and Go 1.21.9 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10108",children:"(#10108)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1294k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.4+k3s1",children:"v1.29.4+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.29.4, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1293",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1293k3s1",children:"Changes since v1.29.3+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Send error response if member list cannot be retrieved ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9722",children:"(#9722)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Respect cloud-provider fields set by kubelet ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9721",children:"(#9721)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The k3s stub cloud provider now respects the kubelet's requested provider-id, instance type, and topology labels"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix error when image has already been pulled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9770",children:"(#9770)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add a new error when kine is with disable apiserver or disable etcd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9766",children:"(#9766)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump k3s-root to v0.13.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9718",children:"(#9718)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use ubuntu latest for better golang caching keys ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9711",children:"(#9711)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9780",children:"(#9780)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Move to ubuntu 23.10 for E2E tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9755",children:"(#9755)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update channel server ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9808",children:"(#9808)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add /etc/passwd and /etc/group to k3s docker image ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9784",children:"(#9784)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix etcd snapshot reconcile for agentless servers ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9809",children:"(#9809)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add health-check support to loadbalancer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9757",children:"(#9757)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add tls for kine ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9572",children:"(#9572)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Kine is now able to use TLS"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Transition from deprecated pointer library to ptr ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9801",children:"(#9801)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove old pinned dependencies ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9806",children:"(#9806)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Several E2E Matrix improvements ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9802",children:"(#9802)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add certificate expiry check, events, and metrics ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9772",children:"(#9772)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add updatecli policy to update k3s-root ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9844",children:"(#9844)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9840",children:"(#9840)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add workaround for containerd hosts.toml bug when passing config for default registry endpoint ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9853",children:"(#9853)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix: agent volume in example docker compose ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9838",children:"(#9838)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump spegel to v0.0.20-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9863",children:"(#9863)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add supervisor cert/key to rotate list ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9832",children:"(#9832)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add quotes to avoid useless updatecli updates ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9877",children:"(#9877)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd and cri-dockerd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9886",children:"(#9886)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded containerd has been bumped to v1.7.15"}),"\n",(0,r.jsx)(s.li,{children:"The embedded cri-dockerd has been bumped to v0.3.12"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Move etcd snapshot management CLI to request/response ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9816",children:"(#9816)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"k3s etcd-snapshot"})," command has been reworked for improved consistency. All snapshots operations are now performed by the server process, with the CLI acting as a client to initiate and report results. As a side effect, the CLI is now less noisy when managing snapshots."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Improve etcd load-balancer startup behavior ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9883",children:"(#9883)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Actually fix agent certificate rotation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9902",children:"(#9902)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump latest to v1.29.3+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9909",children:"(#9909)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update packaged manifests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9920",children:"(#9920)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Traefik has been bumped to v2.10.7."}),"\n",(0,r.jsx)(s.li,{children:"Traefik pod annotations are now set properly in the default chart values."}),"\n",(0,r.jsx)(s.li,{children:"The system-default-registry value now supports RFC2732 IPv6 literals."}),"\n",(0,r.jsxs)(s.li,{children:["The local-path provisioner now defaults to creating ",(0,r.jsx)(s.code,{children:"local"})," volumes, instead of ",(0,r.jsx)(s.code,{children:"hostPath"}),"."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Allow Local path provisioner to read helper logs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9835",children:"(#9835)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router to v2.1.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9926",children:"(#9926)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Match setup-go caching key in GitHub Actions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9890",children:"(#9890)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add startup testlet on preloaded images ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9941",children:"(#9941)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.29.4-k3s1 and Go 1.21.9 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9960",children:"(#9960)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix on-demand snapshots timing out; not honoring folder ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9984",children:"(#9984)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Make ",(0,r.jsx)(s.code,{children:"/db/info"})," available anonymously from localhost ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10001",children:"(#10001)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1293k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.3+k3s1",children:"v1.29.3+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.29.3, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1292",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1292k3s1",children:"Changes since v1.29.2+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Testing ADR ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9562",children:"(#9562)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Unit Testing Matrix and Actions bump ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9479",children:"(#9479)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update install test OS matrix ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9480",children:"(#9480)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update klipper-lb image version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9488",children:"(#9488)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add an integration test for flannel-backend=none ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9582",children:"(#9582)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Better GitHub CI caching strategy for golang ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9495",children:"(#9495)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Correct formatting of GH PR sha256sum artifact ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9472",children:"(#9472)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Rootless mode also bind service nodePort to host for LoadBalancer type ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9512",children:"(#9512)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Rootless mode should also bind service nodePort to host for LoadBalancer type, matching UX of rootful mode."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix coredns NodeHosts on dual-stack clusters ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9584",children:"(#9584)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Tweak netpol node wait logs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9581",children:"(#9581)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue with etcd node name missing hostname ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9522",children:"(#9522)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump helm-controller/klipper-helm versions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9595",children:"(#9595)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update stable channel to v1.28.7+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9615",children:"(#9615)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Reenable Install and Snapshotter Testing ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9601",children:"(#9601)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Move docker tests into tests folder ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9555",children:"(#9555)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix setup-go typo ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9634",children:"(#9634)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix additional corner cases in registries handling ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9556",children:"(#9556)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix snapshot prune ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9502",children:"(#9502)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use and version flannel/cni-plugin properly ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9635",children:"(#9635)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded flannel cni-plugin binary is now built and versioned separate from the rest of the cni plugins and the embedded flannel controller."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump spegel ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9599",children:"(#9599)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump spegel to v0.0.18-k3s3"}),"\n",(0,r.jsx)(s.li,{children:"Adds wildcard registry support"}),"\n",(0,r.jsx)(s.li,{children:"Fixes issue with excessive CPU utilization while waiting for containerd to start"}),"\n",(0,r.jsx)(s.li,{children:"Add env var to allow spegel mirroring of latest tag"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Chore(deps): Remediating CVEs found by trivy; CVE-2023-45142 on otelrestful and CVE-2023-48795 on golang.org/x/crypto ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9513",children:"(#9513)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix: use correct wasm shims names ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9519",children:"(#9519)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix wildcard with embedded registry test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9649",children:"(#9649)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Disable color outputs using ",(0,r.jsx)(s.code,{children:"NO_COLOR"})," env var ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9357",children:"(#9357)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["To enable raw output for the ",(0,r.jsx)(s.code,{children:"check-config"})," subcommand, you may now set NO_COLOR=1"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Improve tailscale e2e test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9586",children:"(#9586)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Adjust first node-ip based on configured clusterCIDR ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9520",children:"(#9520)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9528",children:"(#9528)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Include flannel version in flannel cni plugin version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9648",children:"(#9648)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The flannel controller version is now reported as build metadata on the flannel cni plugin version."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Enable E2E tests on GitHub Actions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9660",children:"(#9660)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump metrics-server to v0.7.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9673",children:"(#9673)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump upload and download actions to v4 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9666",children:"(#9666)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Warn and suppress duplicate registry mirror endpoints ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9697",children:"(#9697)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"K3s will now warn and suppress duplicate entries in the mirror endpoint list for a registry. Containerd does not support listing the same endpoint multiple times as a mirror for a single upstream registry."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Remove repetitive words ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9671",children:"(#9671)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Run Subset of Docker tests in GitHub Actions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9698",children:"(#9698)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix wildcard entry upstream fallback ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9729",children:"(#9729)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.29.3-k3s1 and Go 1.21.8 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9747",children:"(#9747)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1292k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.2+k3s1",children:"v1.29.2+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.29.2, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1291",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1291k3s2",children:"Changes since v1.29.1+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Bump Local Path Provisioner version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8953",children:"(#8953)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add ability to install K3s PR Artifact from GitHub ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9185",children:"(#9185)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Adds ",(0,r.jsx)(s.code,{children:"INSTALL_K3S_PR"})," option to install a build of K3s from any open PR with CI approval"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9237",children:"(#9237)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump codecov/codecov-action from 3 to 4 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9353",children:"(#9353)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update stable channel ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9388",children:"(#9388)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix snapshot reconcile retry ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9318",children:"(#9318)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add check for etcd-snapshot-dir and fix panic in Walk ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9317",children:"(#9317)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump CNI plugins to v1.4.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9249",children:"(#9249)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue with coredns node hosts controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9354",children:"(#9354)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed issue that could cause coredns pods to fail to start when the embedded helm controller is disabled, due to the configmap not being updated with node hosts entries."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix on-demand snapshots on ipv6-only nodes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9247",children:"(#9247)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump flannel version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9395",children:"(#9395)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bumped flannel to v0.24.2"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Build: Align drone base images ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8959",children:"(#8959)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Changed how lastHeartBeatTime works in the etcd condition ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9263",children:"(#9263)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Runtimes refactor using exec.LookPath ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9311",children:"(#9311)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Directories containing runtimes need to be included in the $PATH environment variable for effective runtime detection."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump cri-dockerd to fix compat with Docker Engine 25 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9290",children:"(#9290)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add codcov secret for integration tests on Push ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9422",children:"(#9422)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow executors to define ",(0,r.jsx)(s.code,{children:"containerd"})," and ",(0,r.jsx)(s.code,{children:"cridockerd"})," behavior ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9184",children:"(#9184)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kube-router to v2.0.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9396",children:"(#9396)"})]}),"\n",(0,r.jsxs)(s.li,{children:[": Test_UnitApplyContainerdQoSClassConfigFileIfPresent (Created) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8945",children:"(#8945)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Readd ",(0,r.jsx)(s.code,{children:"k3s secrets-encrypt rotate-keys"})," with correct support for KMSv2 GA ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9340",children:"(#9340)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix iptables check when sbin isn't in user PATH ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9344",children:"(#9344)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Don't create NodePasswordValidationFailed event if agent is disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9312",children:"(#9312)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"NodePasswordValidationFailed"})," Events will no longer be emitted, if the agent is disabled."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Expose rootless state dir under ~/.rancher/k3s/rootless ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9308",children:"(#9308)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["When running k3s in rootless mode, expose rootlesskit's state directory as ",(0,r.jsx)(s.code,{children:"~/.rancher/k3s/rootless"})]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Expose rootless containerd socket directories for external access ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9309",children:"(#9309)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Mount k3s rootless containerd & cri-dockerd socket directories to ",(0,r.jsx)(s.code,{children:"$XDG_RUNTIME_DIR/k3s/containerd"})," and ",(0,r.jsx)(s.code,{children:"$XDG_RUNTIME_DIR/k3s/cri-dockerd"})," respectively."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump kine and set NotifyInterval to what the apiserver expects ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9349",children:"(#9349)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.29.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9493",children:"(#9493)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix drone publish for arm ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9503",children:"(#9503)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove failing Drone step ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9517",children:"(#9517)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Restore original order of agent startup functions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9539",children:"(#9539)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix netpol startup when flannel is disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9571",children:"(#9571)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1291k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.1+k3s2",children:"v1.29.1+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.29.1, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1290",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.p,{children:(0,r.jsx)(s.strong,{children:"Important Notes"})}),"\n",(0,r.jsxs)(s.p,{children:["Addresses the runc CVE: ",(0,r.jsx)(s.a,{href:"https://nvd.nist.gov/vuln/detail/CVE-2024-21626",children:"CVE-2024-21626"})," by updating runc to v1.1.12."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1290k3s1",children:"Changes since v1.29.0+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Bump Sonobuoy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8910",children:"(#8910)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump actions/setup-go from 4 to 5 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9036",children:"(#9036)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Chore: Update Code of Conduct to Redirect to CNCF CoC ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9104",children:"(#9104)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"NONE"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update stable channel to v1.28.5+k3s1 and add v1.29 channel ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9110",children:"(#9110)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added support for env *_PROXY variables for agent loadbalancer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9070",children:"(#9070)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"HTTP_PROXY, HTTPS_PROXY and NO_PROXY environment variables are now taken into account by the agent loadbalancer if K3S_AGENT_HTTP_PROXY_ALLOWED env variable is set to true."}),"\n",(0,r.jsxs)(s.li,{children:["This however doesn't affect local requests as the function used prevents that: ",(0,r.jsx)(s.a,{href:"https://pkg.go.dev/net/http#ProxyFromEnvironment",children:"https://pkg.go.dev/net/http#ProxyFromEnvironment"}),"."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add a retry around updating a secrets-encrypt node annotations ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9039",children:"(#9039)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Silence SELinux warning on INSTALL_K3S_SKIP_SELINUX_RPM ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8703",children:"(#8703)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add ServiceLB support for PodHostIPs FeatureGate ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8917",children:"(#8917)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added support for env *_PROXY variables for agent loadbalancer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9118",children:"(#9118)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Redirect error stream to null when checking nm-cloud systemd unit ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8815",children:"(#8815)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:'Remove confusing "nm-cloud-setup.service: No such file or directory" journalctl log'}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Dockerfile.dapper: set $HOME properly ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9090",children:"(#9090)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add system-agent-installer-k3s step to GA release instructions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9153",children:"(#9153)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix install script checksum ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9159",children:"(#9159)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix the OTHER etcd snapshot s3 log message that prints the wrong variable ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8944",children:"(#8944)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Handle logging flags when parsing kube-proxy args ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8916",children:"(#8916)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix nil map in full snapshot configmap reconcile ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9049",children:"(#9049)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add support for containerd cri registry config_path ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8973",children:"(#8973)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add more paths to crun runtime detection ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9086",children:"(#9086)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add runtime checking of golang version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9054",children:"(#9054)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix OS PRETTY_NAME on tagged releases ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9062",children:"(#9062)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Print error when downloading file error inside install script ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6874",children:"(#6874)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Wait for cloud-provider taint to be gone before starting the netpol controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9076",children:"(#9076)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8812",children:"(#8812)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use ",(0,r.jsx)(s.code,{children:"ipFamilyPolicy: RequireDualStack"})," for dual-stack kube-dns ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8984",children:"(#8984)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Handle etcd status condition when node is not ready and disable etcd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9084",children:"(#9084)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update s3 e2e test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9025",children:"(#9025)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add e2e startup test for rootless k3s ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8383",children:"(#8383)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add spegel distributed registry mirror ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8977",children:"(#8977)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump quic-go for CVE-2023-49295 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9208",children:"(#9208)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Enable network policy controller metrics ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9195",children:"(#9195)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Kube-router network policy controller metrics are now exposed via the default node metrics endpoint"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix nonexistent dependency repositories ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9213",children:"(#9213)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Move proxy dialer out of init() and fix crash when using ",(0,r.jsx)(s.code,{children:"K3S_AGENT_HTTP_PROXY_ALLOWED=true"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9219",children:"(#9219)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Error getting node in setEtcdStatusCondition ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9210",children:"(#9210)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.29.1 and Go 1.21.6 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9259",children:"(#9259)"})]}),"\n",(0,r.jsxs)(s.li,{children:["New stale action ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9278",children:"(#9278)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix handling of bare hostname or IP as endpoint address in registries.yaml ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9323",children:"(#9323)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump runc to v1.1.12 and helm-controller to v0.15.7 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9332",children:"(#9332)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump helm-controller to fix issue with ChartContent ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9345",children:"(#9345)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1290k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.0+k3s1",children:"v1.29.0+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release is K3S's first in the v1.29 line. This release updates Kubernetes to v1.29.0."}),"\n",(0,r.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]}),"\n",(0,r.jsx)(s.admonition,{title:"Important",type:"warning",children:(0,r.jsxs)(s.p,{children:["This release removes the experimental ",(0,r.jsx)(s.code,{children:"rotate-keys"})," subcommand due to changes in Kubernetes upstream for ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/issues/117728",children:"KMSv2"}),", the subcommand should be added back in future releases."]})}),"\n",(0,r.jsx)(s.admonition,{title:"Important",type:"warning",children:(0,r.jsxs)(s.p,{children:["This release also removes the ",(0,r.jsx)(s.code,{children:"multi-cluster-cidr"})," flag, since the support for this alpha feature has been removed completely from ",(0,r.jsx)(s.a,{href:"https://groups.google.com/g/kubernetes-sig-network/c/nts1xEZ--gQ/m/2aTOUNFFAAAJ",children:"Kubernetes upstream"}),", this flag should be removed from the configuration before upgrade."]})}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1284k3s2",children:"Changes since v1.28.4+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix overlapping address range ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8913",children:"(#8913)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Modify CONTRIBUTING.md guide ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8954",children:"(#8954)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Nov 2023 stable channel update ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9022",children:"(#9022)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Default runtime and runtime classes for wasm/nvidia/crun ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8936",children:"(#8936)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Added runtime classes for wasm/nvidia/crun"}),"\n",(0,r.jsx)(s.li,{children:"Added default runtime flag for containerd"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd/runc to v1.7.10-k3s1/v1.1.10 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8962",children:"(#8962)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow setting default-runtime on servers ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9027",children:"(#9027)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd to v1.7.11 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9040",children:"(#9040)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove GA feature-gates ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8970",children:"(#8970)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Only publish to code_cov on merged E2E builds ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9051",children:"(#9051)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.29.0+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9052",children:"(#9052)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update flannel to v0.24.0 and remove multiclustercidr flag ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9075",children:"(#9075)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove rotate-keys subcommand ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9079",children:"(#9079)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{})]})}function a(e={}){const{wrapper:s}={...(0,t.a)(),...e.components};return s?(0,r.jsx)(s,{...e,children:(0,r.jsx)(d,{...e})}):d(e)}},1151:(e,s,i)=>{i.d(s,{Z:()=>h,a:()=>l});var r=i(7294);const t={},n=r.createContext(t);function l(e){const s=r.useContext(n);return r.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function h(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:l(e.components),r.createElement(n.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/0759a3f5.abfeb73e.js b/kr/assets/js/0759a3f5.abfeb73e.js deleted file mode 100644 index 5df3c44e6..000000000 --- a/kr/assets/js/0759a3f5.abfeb73e.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[2409],{2714:(e,s,i)=>{i.r(s),i.d(s,{assets:()=>c,contentTitle:()=>l,default:()=>a,frontMatter:()=>n,metadata:()=>h,toc:()=>o});var r=i(5893),t=i(1151);const n={hide_table_of_contents:!0,sidebar_position:2},l="v1.29.X",h={id:"release-notes/v1.29.X",title:"v1.29.X",description:"Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.",source:"@site/docs/release-notes/v1.29.X.md",sourceDirName:"release-notes",slug:"/release-notes/v1.29.X",permalink:"/kr/release-notes/v1.29.X",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/release-notes/v1.29.X.md",tags:[],version:"current",lastUpdatedAt:172365169e4,sidebarPosition:2,frontMatter:{hide_table_of_contents:!0,sidebar_position:2},sidebar:"mySidebar",previous:{title:"v1.30.X",permalink:"/kr/release-notes/v1.30.X"},next:{title:"v1.28.X",permalink:"/kr/release-notes/v1.28.X"}},c={},o=[{value:"Release v1.29.7+k3s1",id:"release-v1297k3s1",level:2},{value:"Changes since v1.29.6+k3s2:",id:"changes-since-v1296k3s2",level:3},{value:"Release v1.29.6+k3s2",id:"release-v1296k3s2",level:2},{value:"Changes since v1.29.6+k3s1:",id:"changes-since-v1296k3s1",level:3},{value:"Release v1.29.6+k3s1",id:"release-v1296k3s1",level:2},{value:"Changes since v1.29.5+k3s1:",id:"changes-since-v1295k3s1",level:3},{value:"Release v1.29.5+k3s1",id:"release-v1295k3s1",level:2},{value:"Changes since v1.29.4+k3s1:",id:"changes-since-v1294k3s1",level:3},{value:"Release v1.29.4+k3s1",id:"release-v1294k3s1",level:2},{value:"Changes since v1.29.3+k3s1:",id:"changes-since-v1293k3s1",level:3},{value:"Release v1.29.3+k3s1",id:"release-v1293k3s1",level:2},{value:"Changes since v1.29.2+k3s1:",id:"changes-since-v1292k3s1",level:3},{value:"Release v1.29.2+k3s1",id:"release-v1292k3s1",level:2},{value:"Changes since v1.29.1+k3s2:",id:"changes-since-v1291k3s2",level:3},{value:"Release v1.29.1+k3s2",id:"release-v1291k3s2",level:2},{value:"Changes since v1.29.0+k3s1:",id:"changes-since-v1290k3s1",level:3},{value:"Release v1.29.0+k3s1",id:"release-v1290k3s1",level:2},{value:"Changes since v1.28.4+k3s2:",id:"changes-since-v1284k3s2",level:3}];function d(e){const s={a:"a",admonition:"admonition",code:"code",h1:"h1",h2:"h2",h3:"h3",hr:"hr",li:"li",p:"p",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,t.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(s.h1,{id:"v129x",children:"v1.29.X"}),"\n",(0,r.jsx)(s.admonition,{title:"Upgrade Notice",type:"warning",children:(0,r.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]})}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Version"}),(0,r.jsx)(s.th,{children:"Release date"}),(0,r.jsx)(s.th,{children:"Kubernetes"}),(0,r.jsx)(s.th,{children:"Kine"}),(0,r.jsx)(s.th,{children:"SQLite"}),(0,r.jsx)(s.th,{children:"Etcd"}),(0,r.jsx)(s.th,{children:"Containerd"}),(0,r.jsx)(s.th,{children:"Runc"}),(0,r.jsx)(s.th,{children:"Flannel"}),(0,r.jsx)(s.th,{children:"Metrics-server"}),(0,r.jsx)(s.th,{children:"Traefik"}),(0,r.jsx)(s.th,{children:"CoreDNS"}),(0,r.jsx)(s.th,{children:"Helm-controller"}),(0,r.jsx)(s.th,{children:"Local-path-provisioner"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.29.X#release-v1297k3s1",children:"v1.29.7+k3s1"})}),(0,r.jsx)(s.td,{children:"Jul 31 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1297",children:"v1.29.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.11",children:"v0.11.11"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1",children:"v1.7.17-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.4",children:"v0.25.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.10",children:"v0.15.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.28",children:"v0.0.28"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.29.X#release-v1296k3s2",children:"v1.29.6+k3s2"})}),(0,r.jsx)(s.td,{children:"Jul 03 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1296",children:"v1.29.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.9",children:"v0.11.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1",children:"v1.7.17-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12-"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.4",children:"v0.25.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.10",children:"v0.15.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.27",children:"v0.0.27"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.29.X#release-v1296k3s1",children:"v1.29.6+k3s1"})}),(0,r.jsx)(s.td,{children:"Jun 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1296",children:"v1.29.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.9",children:"v0.11.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1",children:"v1.7.17-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.2",children:"v0.25.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.10",children:"v0.15.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.27",children:"v0.0.27"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.29.X#release-v1295k3s1",children:"v1.29.5+k3s1"})}),(0,r.jsx)(s.td,{children:"May 22 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1295",children:"v1.29.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.7",children:"v0.11.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.15-k3s1",children:"v1.7.15-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.29.X#release-v1294k3s1",children:"v1.29.4+k3s1"})}),(0,r.jsx)(s.td,{children:"Apr 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1294",children:"v1.29.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.7",children:"v0.11.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.15-k3s1",children:"v1.7.15-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.29.X#release-v1293k3s1",children:"v1.29.3+k3s1"})}),(0,r.jsx)(s.td,{children:"Mar 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1293",children:"v1.29.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.4",children:"v0.11.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2",children:"v1.7.11-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.29.X#release-v1292k3s1",children:"v1.29.2+k3s1"})}),(0,r.jsx)(s.td,{children:"Feb 29 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1292",children:"v1.29.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.4",children:"v0.11.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2",children:"v1.7.11-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.8",children:"v0.15.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.29.X#release-v1291k3s2",children:"v1.29.1+k3s2"})}),(0,r.jsx)(s.td,{children:"Feb 06 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1291",children:"v1.29.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2",children:"v1.7.11-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.0",children:"v0.24.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.8",children:"v0.15.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.29.X#release-v1290k3s1",children:"v1.29.0+k3s1"})}),(0,r.jsx)(s.td,{children:"Dec 22 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1290",children:"v1.29.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2",children:"v1.7.11-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.10",children:"v1.1.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.0",children:"v0.24.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]})]})]}),"\n",(0,r.jsx)("br",{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1297k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.7+k3s1",children:"v1.29.7+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.29.7, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1296",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1296k3s2",children:"Changes since v1.29.6+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-07 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10498",children:"(#10498)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump k3s-root to v0.14.0"}),"\n",(0,r.jsx)(s.li,{children:"Bump github.com/hashicorp/go-retryablehttp from 0.7.4 to 0.7.7"}),"\n",(0,r.jsx)(s.li,{children:"Bump Local Path Provisioner version"}),"\n",(0,r.jsx)(s.li,{children:"Ensure remotedialer kubelet connections use kubelet bind address"}),"\n",(0,r.jsx)(s.li,{children:"Chore: Bump Trivy version"}),"\n",(0,r.jsx)(s.li,{children:"Add etcd s3 config secret implementation"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["July Test Backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10508",children:"(#10508)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.29.7-k3s1 and Go 1.22.5 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10539",children:"(#10539)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issues loading data-dir value from env vars or dropping config files ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10597",children:"(#10597)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1296k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.6+k3s2",children:"v1.29.6+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.29.6, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1296",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1296k3s1",children:"Changes since v1.29.6+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update flannel to v0.25.4 and fixed issue with IPv6 mask ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10427",children:"(#10427)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1296k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.6+k3s1",children:"v1.29.6+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.29.6, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1295",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1295k3s1",children:"Changes since v1.29.5+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix bug when using tailscale config by file ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10142",children:"(#10142)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump flannel version to v0.25.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10220",children:"(#10220)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router version to v2.1.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10181",children:"(#10181)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Improve tailscale test & add extra log in e2e tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10212",children:"(#10212)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-06 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10249",children:"(#10249)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Add WithSkipMissing to not fail import on missing blobs"}),"\n",(0,r.jsx)(s.li,{children:"Use fixed stream server bind address for cri-dockerd"}),"\n",(0,r.jsx)(s.li,{children:"Switch stargz over to cri registry config_path"}),"\n",(0,r.jsx)(s.li,{children:"Bump to containerd v1.7.17, etcd v3.5.13"}),"\n",(0,r.jsx)(s.li,{children:"Bump spegel version"}),"\n",(0,r.jsx)(s.li,{children:"Fix issue with externalTrafficPolicy: Local for single-stack services on dual-stack nodes"}),"\n",(0,r.jsxs)(s.li,{children:["ServiceLB now sets the priorityClassName on svclb pods to ",(0,r.jsx)(s.code,{children:"system-node-critical"})," by default. This can be overridden on a per-service basis via the ",(0,r.jsx)(s.code,{children:"svccontroller.k3s.cattle.io/priorityclassname"})," annotation."]}),"\n",(0,r.jsx)(s.li,{children:"Bump minio-go to v7.0.70"}),"\n",(0,r.jsx)(s.li,{children:"Bump kine to v0.11.9 to fix pagination"}),"\n",(0,r.jsx)(s.li,{children:"Update valid resolv conf"}),"\n",(0,r.jsx)(s.li,{children:"Add missing kernel config check"}),"\n",(0,r.jsx)(s.li,{children:"Symlinked sub-directories are now respected when scanning Auto-Deploying Manifests (AddOns)"}),"\n",(0,r.jsx)(s.li,{children:"Fix bug: allow helm controller set owner reference"}),"\n",(0,r.jsx)(s.li,{children:"Bump klipper-helm image for tls secret support"}),"\n",(0,r.jsx)(s.li,{children:"Fix issue with k3s-etcd informers not starting"}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--Enable-pprof"})," can now be set on agents to enable the debug/pprof endpoints. When set, agents will listen on the supervisor port."]}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--Supervisor-metrics"})," can now be set on servers to enable serving internal metrics on the supervisor endpoint; when set agents will listen on the supervisor port."]}),"\n",(0,r.jsx)(s.li,{children:"Fix netpol crash when node remains tainted uninitialized"}),"\n",(0,r.jsx)(s.li,{children:"The embedded load-balancer will now fall back to trying all servers with health-checks ignored, if all servers have been marked unavailable due to failed health checks."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["More backports for 2024-06 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10288",children:"(#10288)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add snapshot retention etcd-s3-folder fix ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10316",children:"(#10316)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add test for ",(0,r.jsx)(s.code,{children:"isValidResolvConf"})," (#10302) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10329",children:"(#10329)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix race condition panic in loadbalancer.nextServer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10322",children:"(#10322)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix typo, use ",(0,r.jsx)(s.code,{children:"rancher/permissions"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10298",children:"(#10298)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Expand GHA go caching to include newest release branch ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10334",children:"(#10334)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.29.6 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10348",children:"(#10348)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix agent supervisor port using apiserver port instead ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10354",children:"(#10354)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue that allowed multiple simultaneous snapshots to be allowed ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10376",children:"(#10376)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1295k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.5+k3s1",children:"v1.29.5+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.29.5, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1294",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1294k3s1",children:"Changes since v1.29.4+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update stable channel to v1.29.4+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10031",children:"(#10031)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add E2E Split Server to Drone, support parallel testing in Drone ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9940",children:"(#9940)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump E2E opensuse leap to 15.6, fix btrfs test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10057",children:"(#10057)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Replace deprecated ruby function ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10091",children:"(#10091)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Set correct release channel for e2e upgrade test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10106",children:"(#10106)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Windows changes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10115",children:"(#10115)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.29.5-k3s1 and Go 1.21.9 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10108",children:"(#10108)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1294k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.4+k3s1",children:"v1.29.4+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.29.4, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1293",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1293k3s1",children:"Changes since v1.29.3+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Send error response if member list cannot be retrieved ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9722",children:"(#9722)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Respect cloud-provider fields set by kubelet ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9721",children:"(#9721)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The k3s stub cloud provider now respects the kubelet's requested provider-id, instance type, and topology labels"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix error when image has already been pulled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9770",children:"(#9770)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add a new error when kine is with disable apiserver or disable etcd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9766",children:"(#9766)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump k3s-root to v0.13.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9718",children:"(#9718)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use ubuntu latest for better golang caching keys ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9711",children:"(#9711)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9780",children:"(#9780)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Move to ubuntu 23.10 for E2E tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9755",children:"(#9755)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update channel server ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9808",children:"(#9808)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add /etc/passwd and /etc/group to k3s docker image ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9784",children:"(#9784)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix etcd snapshot reconcile for agentless servers ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9809",children:"(#9809)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add health-check support to loadbalancer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9757",children:"(#9757)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add tls for kine ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9572",children:"(#9572)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Kine is now able to use TLS"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Transition from deprecated pointer library to ptr ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9801",children:"(#9801)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove old pinned dependencies ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9806",children:"(#9806)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Several E2E Matrix improvements ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9802",children:"(#9802)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add certificate expiry check, events, and metrics ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9772",children:"(#9772)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add updatecli policy to update k3s-root ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9844",children:"(#9844)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9840",children:"(#9840)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add workaround for containerd hosts.toml bug when passing config for default registry endpoint ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9853",children:"(#9853)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix: agent volume in example docker compose ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9838",children:"(#9838)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump spegel to v0.0.20-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9863",children:"(#9863)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add supervisor cert/key to rotate list ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9832",children:"(#9832)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add quotes to avoid useless updatecli updates ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9877",children:"(#9877)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd and cri-dockerd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9886",children:"(#9886)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded containerd has been bumped to v1.7.15"}),"\n",(0,r.jsx)(s.li,{children:"The embedded cri-dockerd has been bumped to v0.3.12"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Move etcd snapshot management CLI to request/response ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9816",children:"(#9816)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"k3s etcd-snapshot"})," command has been reworked for improved consistency. All snapshots operations are now performed by the server process, with the CLI acting as a client to initiate and report results. As a side effect, the CLI is now less noisy when managing snapshots."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Improve etcd load-balancer startup behavior ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9883",children:"(#9883)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Actually fix agent certificate rotation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9902",children:"(#9902)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump latest to v1.29.3+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9909",children:"(#9909)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update packaged manifests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9920",children:"(#9920)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Traefik has been bumped to v2.10.7."}),"\n",(0,r.jsx)(s.li,{children:"Traefik pod annotations are now set properly in the default chart values."}),"\n",(0,r.jsx)(s.li,{children:"The system-default-registry value now supports RFC2732 IPv6 literals."}),"\n",(0,r.jsxs)(s.li,{children:["The local-path provisioner now defaults to creating ",(0,r.jsx)(s.code,{children:"local"})," volumes, instead of ",(0,r.jsx)(s.code,{children:"hostPath"}),"."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Allow Local path provisioner to read helper logs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9835",children:"(#9835)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router to v2.1.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9926",children:"(#9926)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Match setup-go caching key in GitHub Actions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9890",children:"(#9890)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add startup testlet on preloaded images ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9941",children:"(#9941)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.29.4-k3s1 and Go 1.21.9 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9960",children:"(#9960)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix on-demand snapshots timing out; not honoring folder ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9984",children:"(#9984)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Make ",(0,r.jsx)(s.code,{children:"/db/info"})," available anonymously from localhost ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10001",children:"(#10001)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1293k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.3+k3s1",children:"v1.29.3+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.29.3, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1292",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1292k3s1",children:"Changes since v1.29.2+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Testing ADR ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9562",children:"(#9562)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Unit Testing Matrix and Actions bump ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9479",children:"(#9479)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update install test OS matrix ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9480",children:"(#9480)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update klipper-lb image version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9488",children:"(#9488)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add an integration test for flannel-backend=none ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9582",children:"(#9582)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Better GitHub CI caching strategy for golang ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9495",children:"(#9495)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Correct formatting of GH PR sha256sum artifact ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9472",children:"(#9472)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Rootless mode also bind service nodePort to host for LoadBalancer type ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9512",children:"(#9512)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Rootless mode should also bind service nodePort to host for LoadBalancer type, matching UX of rootful mode."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix coredns NodeHosts on dual-stack clusters ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9584",children:"(#9584)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Tweak netpol node wait logs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9581",children:"(#9581)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue with etcd node name missing hostname ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9522",children:"(#9522)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump helm-controller/klipper-helm versions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9595",children:"(#9595)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update stable channel to v1.28.7+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9615",children:"(#9615)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Reenable Install and Snapshotter Testing ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9601",children:"(#9601)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Move docker tests into tests folder ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9555",children:"(#9555)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix setup-go typo ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9634",children:"(#9634)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix additional corner cases in registries handling ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9556",children:"(#9556)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix snapshot prune ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9502",children:"(#9502)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use and version flannel/cni-plugin properly ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9635",children:"(#9635)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded flannel cni-plugin binary is now built and versioned separate from the rest of the cni plugins and the embedded flannel controller."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump spegel ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9599",children:"(#9599)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump spegel to v0.0.18-k3s3"}),"\n",(0,r.jsx)(s.li,{children:"Adds wildcard registry support"}),"\n",(0,r.jsx)(s.li,{children:"Fixes issue with excessive CPU utilization while waiting for containerd to start"}),"\n",(0,r.jsx)(s.li,{children:"Add env var to allow spegel mirroring of latest tag"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Chore(deps): Remediating CVEs found by trivy; CVE-2023-45142 on otelrestful and CVE-2023-48795 on golang.org/x/crypto ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9513",children:"(#9513)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix: use correct wasm shims names ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9519",children:"(#9519)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix wildcard with embedded registry test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9649",children:"(#9649)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Disable color outputs using ",(0,r.jsx)(s.code,{children:"NO_COLOR"})," env var ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9357",children:"(#9357)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["To enable raw output for the ",(0,r.jsx)(s.code,{children:"check-config"})," subcommand, you may now set NO_COLOR=1"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Improve tailscale e2e test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9586",children:"(#9586)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Adjust first node-ip based on configured clusterCIDR ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9520",children:"(#9520)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9528",children:"(#9528)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Include flannel version in flannel cni plugin version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9648",children:"(#9648)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The flannel controller version is now reported as build metadata on the flannel cni plugin version."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Enable E2E tests on GitHub Actions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9660",children:"(#9660)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump metrics-server to v0.7.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9673",children:"(#9673)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump upload and download actions to v4 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9666",children:"(#9666)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Warn and suppress duplicate registry mirror endpoints ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9697",children:"(#9697)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"K3s will now warn and suppress duplicate entries in the mirror endpoint list for a registry. Containerd does not support listing the same endpoint multiple times as a mirror for a single upstream registry."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Remove repetitive words ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9671",children:"(#9671)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Run Subset of Docker tests in GitHub Actions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9698",children:"(#9698)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix wildcard entry upstream fallback ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9729",children:"(#9729)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.29.3-k3s1 and Go 1.21.8 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9747",children:"(#9747)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1292k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.2+k3s1",children:"v1.29.2+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.29.2, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1291",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1291k3s2",children:"Changes since v1.29.1+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Bump Local Path Provisioner version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8953",children:"(#8953)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add ability to install K3s PR Artifact from GitHub ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9185",children:"(#9185)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Adds ",(0,r.jsx)(s.code,{children:"INSTALL_K3S_PR"})," option to install a build of K3s from any open PR with CI approval"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9237",children:"(#9237)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump codecov/codecov-action from 3 to 4 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9353",children:"(#9353)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update stable channel ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9388",children:"(#9388)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix snapshot reconcile retry ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9318",children:"(#9318)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add check for etcd-snapshot-dir and fix panic in Walk ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9317",children:"(#9317)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump CNI plugins to v1.4.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9249",children:"(#9249)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue with coredns node hosts controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9354",children:"(#9354)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed issue that could cause coredns pods to fail to start when the embedded helm controller is disabled, due to the configmap not being updated with node hosts entries."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix on-demand snapshots on ipv6-only nodes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9247",children:"(#9247)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump flannel version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9395",children:"(#9395)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bumped flannel to v0.24.2"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Build: Align drone base images ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8959",children:"(#8959)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Changed how lastHeartBeatTime works in the etcd condition ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9263",children:"(#9263)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Runtimes refactor using exec.LookPath ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9311",children:"(#9311)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Directories containing runtimes need to be included in the $PATH environment variable for effective runtime detection."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump cri-dockerd to fix compat with Docker Engine 25 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9290",children:"(#9290)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add codcov secret for integration tests on Push ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9422",children:"(#9422)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow executors to define ",(0,r.jsx)(s.code,{children:"containerd"})," and ",(0,r.jsx)(s.code,{children:"cridockerd"})," behavior ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9184",children:"(#9184)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kube-router to v2.0.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9396",children:"(#9396)"})]}),"\n",(0,r.jsxs)(s.li,{children:[": Test_UnitApplyContainerdQoSClassConfigFileIfPresent (Created) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8945",children:"(#8945)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Readd ",(0,r.jsx)(s.code,{children:"k3s secrets-encrypt rotate-keys"})," with correct support for KMSv2 GA ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9340",children:"(#9340)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix iptables check when sbin isn't in user PATH ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9344",children:"(#9344)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Don't create NodePasswordValidationFailed event if agent is disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9312",children:"(#9312)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"NodePasswordValidationFailed"})," Events will no longer be emitted, if the agent is disabled."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Expose rootless state dir under ~/.rancher/k3s/rootless ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9308",children:"(#9308)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["When running k3s in rootless mode, expose rootlesskit's state directory as ",(0,r.jsx)(s.code,{children:"~/.rancher/k3s/rootless"})]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Expose rootless containerd socket directories for external access ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9309",children:"(#9309)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Mount k3s rootless containerd & cri-dockerd socket directories to ",(0,r.jsx)(s.code,{children:"$XDG_RUNTIME_DIR/k3s/containerd"})," and ",(0,r.jsx)(s.code,{children:"$XDG_RUNTIME_DIR/k3s/cri-dockerd"})," respectively."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump kine and set NotifyInterval to what the apiserver expects ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9349",children:"(#9349)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.29.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9493",children:"(#9493)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix drone publish for arm ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9503",children:"(#9503)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove failing Drone step ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9517",children:"(#9517)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Restore original order of agent startup functions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9539",children:"(#9539)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix netpol startup when flannel is disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9571",children:"(#9571)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1291k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.1+k3s2",children:"v1.29.1+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.29.1, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1290",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.p,{children:(0,r.jsx)(s.strong,{children:"Important Notes"})}),"\n",(0,r.jsxs)(s.p,{children:["Addresses the runc CVE: ",(0,r.jsx)(s.a,{href:"https://nvd.nist.gov/vuln/detail/CVE-2024-21626",children:"CVE-2024-21626"})," by updating runc to v1.1.12."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1290k3s1",children:"Changes since v1.29.0+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Bump Sonobuoy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8910",children:"(#8910)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump actions/setup-go from 4 to 5 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9036",children:"(#9036)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Chore: Update Code of Conduct to Redirect to CNCF CoC ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9104",children:"(#9104)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"NONE"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update stable channel to v1.28.5+k3s1 and add v1.29 channel ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9110",children:"(#9110)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added support for env *_PROXY variables for agent loadbalancer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9070",children:"(#9070)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"HTTP_PROXY, HTTPS_PROXY and NO_PROXY environment variables are now taken into account by the agent loadbalancer if K3S_AGENT_HTTP_PROXY_ALLOWED env variable is set to true."}),"\n",(0,r.jsxs)(s.li,{children:["This however doesn't affect local requests as the function used prevents that: ",(0,r.jsx)(s.a,{href:"https://pkg.go.dev/net/http#ProxyFromEnvironment",children:"https://pkg.go.dev/net/http#ProxyFromEnvironment"}),"."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add a retry around updating a secrets-encrypt node annotations ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9039",children:"(#9039)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Silence SELinux warning on INSTALL_K3S_SKIP_SELINUX_RPM ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8703",children:"(#8703)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add ServiceLB support for PodHostIPs FeatureGate ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8917",children:"(#8917)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added support for env *_PROXY variables for agent loadbalancer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9118",children:"(#9118)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Redirect error stream to null when checking nm-cloud systemd unit ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8815",children:"(#8815)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:'Remove confusing "nm-cloud-setup.service: No such file or directory" journalctl log'}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Dockerfile.dapper: set $HOME properly ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9090",children:"(#9090)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add system-agent-installer-k3s step to GA release instructions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9153",children:"(#9153)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix install script checksum ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9159",children:"(#9159)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix the OTHER etcd snapshot s3 log message that prints the wrong variable ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8944",children:"(#8944)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Handle logging flags when parsing kube-proxy args ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8916",children:"(#8916)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix nil map in full snapshot configmap reconcile ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9049",children:"(#9049)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add support for containerd cri registry config_path ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8973",children:"(#8973)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add more paths to crun runtime detection ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9086",children:"(#9086)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add runtime checking of golang version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9054",children:"(#9054)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix OS PRETTY_NAME on tagged releases ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9062",children:"(#9062)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Print error when downloading file error inside install script ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6874",children:"(#6874)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Wait for cloud-provider taint to be gone before starting the netpol controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9076",children:"(#9076)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8812",children:"(#8812)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use ",(0,r.jsx)(s.code,{children:"ipFamilyPolicy: RequireDualStack"})," for dual-stack kube-dns ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8984",children:"(#8984)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Handle etcd status condition when node is not ready and disable etcd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9084",children:"(#9084)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update s3 e2e test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9025",children:"(#9025)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add e2e startup test for rootless k3s ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8383",children:"(#8383)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add spegel distributed registry mirror ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8977",children:"(#8977)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump quic-go for CVE-2023-49295 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9208",children:"(#9208)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Enable network policy controller metrics ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9195",children:"(#9195)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Kube-router network policy controller metrics are now exposed via the default node metrics endpoint"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix nonexistent dependency repositories ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9213",children:"(#9213)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Move proxy dialer out of init() and fix crash when using ",(0,r.jsx)(s.code,{children:"K3S_AGENT_HTTP_PROXY_ALLOWED=true"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9219",children:"(#9219)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Error getting node in setEtcdStatusCondition ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9210",children:"(#9210)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.29.1 and Go 1.21.6 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9259",children:"(#9259)"})]}),"\n",(0,r.jsxs)(s.li,{children:["New stale action ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9278",children:"(#9278)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix handling of bare hostname or IP as endpoint address in registries.yaml ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9323",children:"(#9323)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump runc to v1.1.12 and helm-controller to v0.15.7 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9332",children:"(#9332)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump helm-controller to fix issue with ChartContent ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9345",children:"(#9345)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1290k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.0+k3s1",children:"v1.29.0+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release is K3S's first in the v1.29 line. This release updates Kubernetes to v1.29.0."}),"\n",(0,r.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]}),"\n",(0,r.jsx)(s.admonition,{title:"Important",type:"warning",children:(0,r.jsxs)(s.p,{children:["This release removes the experimental ",(0,r.jsx)(s.code,{children:"rotate-keys"})," subcommand due to changes in Kubernetes upstream for ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/issues/117728",children:"KMSv2"}),", the subcommand should be added back in future releases."]})}),"\n",(0,r.jsx)(s.admonition,{title:"Important",type:"warning",children:(0,r.jsxs)(s.p,{children:["This release also removes the ",(0,r.jsx)(s.code,{children:"multi-cluster-cidr"})," flag, since the support for this alpha feature has been removed completely from ",(0,r.jsx)(s.a,{href:"https://groups.google.com/g/kubernetes-sig-network/c/nts1xEZ--gQ/m/2aTOUNFFAAAJ",children:"Kubernetes upstream"}),", this flag should be removed from the configuration before upgrade."]})}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1284k3s2",children:"Changes since v1.28.4+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix overlapping address range ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8913",children:"(#8913)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Modify CONTRIBUTING.md guide ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8954",children:"(#8954)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Nov 2023 stable channel update ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9022",children:"(#9022)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Default runtime and runtime classes for wasm/nvidia/crun ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8936",children:"(#8936)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Added runtime classes for wasm/nvidia/crun"}),"\n",(0,r.jsx)(s.li,{children:"Added default runtime flag for containerd"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd/runc to v1.7.10-k3s1/v1.1.10 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8962",children:"(#8962)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow setting default-runtime on servers ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9027",children:"(#9027)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd to v1.7.11 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9040",children:"(#9040)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove GA feature-gates ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8970",children:"(#8970)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Only publish to code_cov on merged E2E builds ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9051",children:"(#9051)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.29.0+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9052",children:"(#9052)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update flannel to v0.24.0 and remove multiclustercidr flag ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9075",children:"(#9075)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove rotate-keys subcommand ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9079",children:"(#9079)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{})]})}function a(e={}){const{wrapper:s}={...(0,t.a)(),...e.components};return s?(0,r.jsx)(s,{...e,children:(0,r.jsx)(d,{...e})}):d(e)}},1151:(e,s,i)=>{i.d(s,{Z:()=>h,a:()=>l});var r=i(7294);const t={},n=r.createContext(t);function l(e){const s=r.useContext(n);return r.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function h(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:l(e.components),r.createElement(n.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/0a63d2fd.7f075bc5.js b/kr/assets/js/0a63d2fd.7f075bc5.js new file mode 100644 index 000000000..92d2b9367 --- /dev/null +++ b/kr/assets/js/0a63d2fd.7f075bc5.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[9341],{490:(e,t,a)=>{a.r(t),a.d(t,{assets:()=>i,contentTitle:()=>o,default:()=>h,frontMatter:()=>n,metadata:()=>d,toc:()=>c});var r=a(5893),s=a(1151);const n={title:"Backup and Restore"},o=void 0,d={id:"datastore/backup-restore",title:"Backup and Restore",description:"The way K3s is backed up and restored depends on which type of datastore is used.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/datastore/backup-restore.md",sourceDirName:"datastore",slug:"/datastore/backup-restore",permalink:"/kr/datastore/backup-restore",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/datastore/backup-restore.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Backup and Restore"},sidebar:"mySidebar",previous:{title:"\ud074\ub7ec\uc2a4\ud130 \ub370\uc774\ud130 \uc800\uc7a5\uc18c",permalink:"/kr/datastore/"},next:{title:"High Availability Embedded etcd",permalink:"/kr/datastore/ha-embedded"}},i={},c=[{value:"Backup and Restore with SQLite",id:"backup-and-restore-with-sqlite",level:2},{value:"Backup and Restore with External Datastore",id:"backup-and-restore-with-external-datastore",level:2},{value:"Backup and Restore with Embedded etcd Datastore",id:"backup-and-restore-with-embedded-etcd-datastore",level:2}];function l(e){const t={a:"a",admonition:"admonition",code:"code",h2:"h2",li:"li",p:"p",ul:"ul",...(0,s.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(t.p,{children:"The way K3s is backed up and restored depends on which type of datastore is used."}),"\n",(0,r.jsx)(t.admonition,{type:"warning",children:(0,r.jsxs)(t.p,{children:["In addition to backing up the datastore itself, you must also back up the server token file at ",(0,r.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/token"}),".\nYou must restore this file, or pass its value into the ",(0,r.jsx)(t.code,{children:"--token"})," option, when restoring from backup.\nIf you do not use the same token value when restoring, the snapshot will be unusable, as the token is used to encrypt confidential data within the datastore itself."]})}),"\n",(0,r.jsx)(t.h2,{id:"backup-and-restore-with-sqlite",children:"Backup and Restore with SQLite"}),"\n",(0,r.jsx)(t.p,{children:"No special commands are required to back up or restore the SQLite datastore."}),"\n",(0,r.jsxs)(t.ul,{children:["\n",(0,r.jsxs)(t.li,{children:["To back up the SQLite datastore, take a copy of ",(0,r.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/db/"}),"."]}),"\n",(0,r.jsxs)(t.li,{children:["To restore the SQLite datastore, restore the contents of ",(0,r.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/db"})," (and the token, as discussed above)."]}),"\n"]}),"\n",(0,r.jsx)(t.h2,{id:"backup-and-restore-with-external-datastore",children:"Backup and Restore with External Datastore"}),"\n",(0,r.jsx)(t.p,{children:"When an external datastore is used, backup and restore operations are handled outside of K3s. The database administrator will need to back up the external database, or restore it from a snapshot or dump."}),"\n",(0,r.jsx)(t.p,{children:"We recommend configuring the database to take recurring snapshots."}),"\n",(0,r.jsx)(t.p,{children:"For details on taking database snapshots and restoring your database from them, refer to the official database documentation:"}),"\n",(0,r.jsxs)(t.ul,{children:["\n",(0,r.jsx)(t.li,{children:(0,r.jsx)(t.a,{href:"https://dev.mysql.com/doc/refman/8.0/en/replication-snapshot-method.html",children:"Official MySQL documentation"})}),"\n",(0,r.jsx)(t.li,{children:(0,r.jsx)(t.a,{href:"https://www.postgresql.org/docs/8.3/backup-dump.html",children:"Official PostgreSQL documentation"})}),"\n",(0,r.jsx)(t.li,{children:(0,r.jsx)(t.a,{href:"https://etcd.io/docs/latest/op-guide/recovery/",children:"Official etcd documentation"})}),"\n"]}),"\n",(0,r.jsx)(t.h2,{id:"backup-and-restore-with-embedded-etcd-datastore",children:"Backup and Restore with Embedded etcd Datastore"}),"\n",(0,r.jsxs)(t.p,{children:["See the ",(0,r.jsxs)(t.a,{href:"/kr/cli/etcd-snapshot",children:[(0,r.jsx)(t.code,{children:"k3s etcd-snapshot"})," command documentation"]})," for information on performing backup and restore operations on the embedded etcd datastore."]})]})}function h(e={}){const{wrapper:t}={...(0,s.a)(),...e.components};return t?(0,r.jsx)(t,{...e,children:(0,r.jsx)(l,{...e})}):l(e)}},1151:(e,t,a)=>{a.d(t,{Z:()=>d,a:()=>o});var r=a(7294);const s={},n=r.createContext(s);function o(e){const t=r.useContext(n);return r.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function d(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(s):e.components||s:o(e.components),r.createElement(n.Provider,{value:t},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/0a63d2fd.caee5ba0.js b/kr/assets/js/0a63d2fd.caee5ba0.js deleted file mode 100644 index 5f40bc937..000000000 --- a/kr/assets/js/0a63d2fd.caee5ba0.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[9341],{490:(e,t,a)=>{a.r(t),a.d(t,{assets:()=>i,contentTitle:()=>o,default:()=>h,frontMatter:()=>n,metadata:()=>d,toc:()=>c});var r=a(5893),s=a(1151);const n={title:"Backup and Restore"},o=void 0,d={id:"datastore/backup-restore",title:"Backup and Restore",description:"The way K3s is backed up and restored depends on which type of datastore is used.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/datastore/backup-restore.md",sourceDirName:"datastore",slug:"/datastore/backup-restore",permalink:"/kr/datastore/backup-restore",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/datastore/backup-restore.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Backup and Restore"},sidebar:"mySidebar",previous:{title:"\ud074\ub7ec\uc2a4\ud130 \ub370\uc774\ud130 \uc800\uc7a5\uc18c",permalink:"/kr/datastore/"},next:{title:"High Availability Embedded etcd",permalink:"/kr/datastore/ha-embedded"}},i={},c=[{value:"Backup and Restore with SQLite",id:"backup-and-restore-with-sqlite",level:2},{value:"Backup and Restore with External Datastore",id:"backup-and-restore-with-external-datastore",level:2},{value:"Backup and Restore with Embedded etcd Datastore",id:"backup-and-restore-with-embedded-etcd-datastore",level:2}];function l(e){const t={a:"a",admonition:"admonition",code:"code",h2:"h2",li:"li",p:"p",ul:"ul",...(0,s.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(t.p,{children:"The way K3s is backed up and restored depends on which type of datastore is used."}),"\n",(0,r.jsx)(t.admonition,{type:"warning",children:(0,r.jsxs)(t.p,{children:["In addition to backing up the datastore itself, you must also back up the server token file at ",(0,r.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/token"}),".\nYou must restore this file, or pass its value into the ",(0,r.jsx)(t.code,{children:"--token"})," option, when restoring from backup.\nIf you do not use the same token value when restoring, the snapshot will be unusable, as the token is used to encrypt confidential data within the datastore itself."]})}),"\n",(0,r.jsx)(t.h2,{id:"backup-and-restore-with-sqlite",children:"Backup and Restore with SQLite"}),"\n",(0,r.jsx)(t.p,{children:"No special commands are required to back up or restore the SQLite datastore."}),"\n",(0,r.jsxs)(t.ul,{children:["\n",(0,r.jsxs)(t.li,{children:["To back up the SQLite datastore, take a copy of ",(0,r.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/db/"}),"."]}),"\n",(0,r.jsxs)(t.li,{children:["To restore the SQLite datastore, restore the contents of ",(0,r.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/db"})," (and the token, as discussed above)."]}),"\n"]}),"\n",(0,r.jsx)(t.h2,{id:"backup-and-restore-with-external-datastore",children:"Backup and Restore with External Datastore"}),"\n",(0,r.jsx)(t.p,{children:"When an external datastore is used, backup and restore operations are handled outside of K3s. The database administrator will need to back up the external database, or restore it from a snapshot or dump."}),"\n",(0,r.jsx)(t.p,{children:"We recommend configuring the database to take recurring snapshots."}),"\n",(0,r.jsx)(t.p,{children:"For details on taking database snapshots and restoring your database from them, refer to the official database documentation:"}),"\n",(0,r.jsxs)(t.ul,{children:["\n",(0,r.jsx)(t.li,{children:(0,r.jsx)(t.a,{href:"https://dev.mysql.com/doc/refman/8.0/en/replication-snapshot-method.html",children:"Official MySQL documentation"})}),"\n",(0,r.jsx)(t.li,{children:(0,r.jsx)(t.a,{href:"https://www.postgresql.org/docs/8.3/backup-dump.html",children:"Official PostgreSQL documentation"})}),"\n",(0,r.jsx)(t.li,{children:(0,r.jsx)(t.a,{href:"https://etcd.io/docs/latest/op-guide/recovery/",children:"Official etcd documentation"})}),"\n"]}),"\n",(0,r.jsx)(t.h2,{id:"backup-and-restore-with-embedded-etcd-datastore",children:"Backup and Restore with Embedded etcd Datastore"}),"\n",(0,r.jsxs)(t.p,{children:["See the ",(0,r.jsxs)(t.a,{href:"/kr/cli/etcd-snapshot",children:[(0,r.jsx)(t.code,{children:"k3s etcd-snapshot"})," command documentation"]})," for information on performing backup and restore operations on the embedded etcd datastore."]})]})}function h(e={}){const{wrapper:t}={...(0,s.a)(),...e.components};return t?(0,r.jsx)(t,{...e,children:(0,r.jsx)(l,{...e})}):l(e)}},1151:(e,t,a)=>{a.d(t,{Z:()=>d,a:()=>o});var r=a(7294);const s={},n=r.createContext(s);function o(e){const t=r.useContext(n);return r.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function d(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(s):e.components||s:o(e.components),r.createElement(n.Provider,{value:t},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/0ce5aa86.51903c7f.js b/kr/assets/js/0ce5aa86.51903c7f.js new file mode 100644 index 000000000..36a5eb353 --- /dev/null +++ b/kr/assets/js/0ce5aa86.51903c7f.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[1620],{3012:(e,s,t)=>{t.r(s),t.d(s,{assets:()=>c,contentTitle:()=>l,default:()=>o,frontMatter:()=>n,metadata:()=>h,toc:()=>d});var i=t(5893),r=t(1151);const n={hide_table_of_contents:!0,sidebar_position:5},l="v1.26.X",h={id:"release-notes/v1.26.X",title:"v1.26.X",description:"Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.",source:"@site/docs/release-notes/v1.26.X.md",sourceDirName:"release-notes",slug:"/release-notes/v1.26.X",permalink:"/kr/release-notes/v1.26.X",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/release-notes/v1.26.X.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,sidebarPosition:5,frontMatter:{hide_table_of_contents:!0,sidebar_position:5},sidebar:"mySidebar",previous:{title:"v1.27.X",permalink:"/kr/release-notes/v1.27.X"},next:{title:"v1.25.X",permalink:"/kr/release-notes/v1.25.X"}},c={},d=[{value:"Release v1.26.15+k3s1",id:"release-v12615k3s1",level:2},{value:"Changes since v1.26.14+k3s1:",id:"changes-since-v12614k3s1",level:3},{value:"Release v1.26.14+k3s1",id:"release-v12614k3s1",level:2},{value:"Changes since v1.26.13+k3s2:",id:"changes-since-v12613k3s2",level:3},{value:"Release v1.26.13+k3s2",id:"release-v12613k3s2",level:2},{value:"Changes since v1.26.12+k3s1:",id:"changes-since-v12612k3s1",level:3},{value:"Release v1.26.12+k3s1",id:"release-v12612k3s1",level:2},{value:"Changes since v1.26.11+k3s2:",id:"changes-since-v12611k3s2",level:3},{value:"Release v1.26.11+k3s2",id:"release-v12611k3s2",level:2},{value:"Changes since v1.26.10+k3s2:",id:"changes-since-v12610k3s2",level:3},{value:"Release v1.26.10+k3s2",id:"release-v12610k3s2",level:2},{value:"Changes since v1.26.10+k3s1:",id:"changes-since-v12610k3s1",level:3},{value:"Release v1.26.10+k3s1",id:"release-v12610k3s1",level:2},{value:"Changes since v1.26.9+k3s1:",id:"changes-since-v1269k3s1",level:3},{value:"Release v1.26.9+k3s1",id:"release-v1269k3s1",level:2},{value:"Changes since v1.26.8+k3s1:",id:"changes-since-v1268k3s1",level:3},{value:"Release v1.26.8+k3s1",id:"release-v1268k3s1",level:2},{value:"Changes since v1.26.7+k3s1:",id:"changes-since-v1267k3s1",level:3},{value:"Release v1.26.7+k3s1",id:"release-v1267k3s1",level:2},{value:"Changes since v1.26.6+k3s1:",id:"changes-since-v1266k3s1",level:3},{value:"Release v1.26.6+k3s1",id:"release-v1266k3s1",level:2},{value:"Changes since v1.26.5+k3s1:",id:"changes-since-v1265k3s1",level:3},{value:"Release v1.26.5+k3s1",id:"release-v1265k3s1",level:2},{value:"Changes since v1.26.4+k3s1:",id:"changes-since-v1264k3s1",level:3},{value:"Release v1.26.4+k3s1",id:"release-v1264k3s1",level:2},{value:"Changes since v1.26.3+k3s1:",id:"changes-since-v1263k3s1",level:3},{value:"Release v1.26.3+k3s1",id:"release-v1263k3s1",level:2},{value:"Changes since v1.26.2+k3s1:",id:"changes-since-v1262k3s1",level:3},{value:"Release v1.26.2+k3s1",id:"release-v1262k3s1",level:2},{value:"Changes since v1.26.1+k3s1:",id:"changes-since-v1261k3s1",level:3},{value:"Release v1.26.1+k3s1",id:"release-v1261k3s1",level:2},{value:"Changes since v1.26.0+k3s2:",id:"changes-since-v1260k3s2",level:3},{value:"Release v1.26.0+k3s2",id:"release-v1260k3s2",level:2},{value:"Changes since v1.26.0+k3s1:",id:"changes-since-v1260k3s1",level:3},{value:"Release v1.26.0+k3s1",id:"release-v1260k3s1",level:2},{value:"\u26a0\ufe0f WARNING",id:"\ufe0f-warning",level:2},{value:"Changes since v1.25.5+k3s1:",id:"changes-since-v1255k3s1",level:3}];function a(e){const s={a:"a",admonition:"admonition",blockquote:"blockquote",code:"code",h1:"h1",h2:"h2",h3:"h3",header:"header",hr:"hr",li:"li",p:"p",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,r.a)(),...e.components};return(0,i.jsxs)(i.Fragment,{children:[(0,i.jsx)(s.header,{children:(0,i.jsx)(s.h1,{id:"v126x",children:"v1.26.X"})}),"\n",(0,i.jsx)(s.admonition,{title:"Upgrade Notice",type:"warning",children:(0,i.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]})}),"\n",(0,i.jsxs)(s.table,{children:[(0,i.jsx)(s.thead,{children:(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.th,{children:"Version"}),(0,i.jsx)(s.th,{children:"Release date"}),(0,i.jsx)(s.th,{children:"Kubernetes"}),(0,i.jsx)(s.th,{children:"Kine"}),(0,i.jsx)(s.th,{children:"SQLite"}),(0,i.jsx)(s.th,{children:"Etcd"}),(0,i.jsx)(s.th,{children:"Containerd"}),(0,i.jsx)(s.th,{children:"Runc"}),(0,i.jsx)(s.th,{children:"Flannel"}),(0,i.jsx)(s.th,{children:"Metrics-server"}),(0,i.jsx)(s.th,{children:"Traefik"}),(0,i.jsx)(s.th,{children:"CoreDNS"}),(0,i.jsx)(s.th,{children:"Helm-controller"}),(0,i.jsx)(s.th,{children:"Local-path-provisioner"})]})}),(0,i.jsxs)(s.tbody,{children:[(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/kr/release-notes/v1.26.X#release-v12615k3s1",children:"v1.26.15+k3s1"})}),(0,i.jsx)(s.td,{children:"Mar 25 2024"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v12615",children:"v1.26.15"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.4",children:"v0.11.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2.26",children:"v1.7.11-k3s2.26"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/kr/release-notes/v1.26.X#release-v12614k3s1",children:"v1.26.14+k3s1"})}),(0,i.jsx)(s.td,{children:"Feb 29 2024"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v12614",children:"v1.26.14"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.4",children:"v0.11.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2.26",children:"v1.7.11-k3s2.26"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.8",children:"v0.15.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/kr/release-notes/v1.26.X#release-v12613k3s2",children:"v1.26.13+k3s2"})}),(0,i.jsx)(s.td,{children:"Feb 06 2024"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v12613",children:"v1.26.13"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2.26",children:"v1.7.11-k3s2.26"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.8",children:"v0.15.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/kr/release-notes/v1.26.X#release-v12612k3s1",children:"v1.26.12+k3s1"})}),(0,i.jsx)(s.td,{children:"Dec 27 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v12612",children:"v1.26.12"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2.26",children:"v1.7.11-k3s2.26"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.10",children:"v1.1.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/kr/release-notes/v1.26.X#release-v12611k3s2",children:"v1.26.11+k3s2"})}),(0,i.jsx)(s.td,{children:"Dec 07 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v12611",children:"v1.26.11"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1.26",children:"v1.7.7-k3s1.26"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/kr/release-notes/v1.26.X#release-v12610k3s2",children:"v1.26.10+k3s2"})}),(0,i.jsx)(s.td,{children:"Nov 08 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v12610",children:"v1.26.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1.26",children:"v1.7.7-k3s1.26"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/kr/release-notes/v1.26.X#release-v12610k3s1",children:"v1.26.10+k3s1"})}),(0,i.jsx)(s.td,{children:"Oct 30 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v12610",children:"v1.26.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1.26",children:"v1.7.7-k3s1.26"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/kr/release-notes/v1.26.X#release-v1269k3s1",children:"v1.26.9+k3s1"})}),(0,i.jsx)(s.td,{children:"Sep 20 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1269",children:"v1.26.9"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.6-k3s1.26",children:"v1.7.6-k3s1.26"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/kr/release-notes/v1.26.X#release-v1268k3s1",children:"v1.26.8+k3s1"})}),(0,i.jsx)(s.td,{children:"Sep 05 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1268",children:"v1.26.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.2",children:"v0.10.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.3-k3s1",children:"v1.7.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/kr/release-notes/v1.26.X#release-v1267k3s1",children:"v1.26.7+k3s1"})}),(0,i.jsx)(s.td,{children:"Jul 27 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1267",children:"v1.26.7"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.7-k3s1",children:"v3.5.7-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.0",children:"v0.22.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.2",children:"v0.15.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/kr/release-notes/v1.26.X#release-v1266k3s1",children:"v1.26.6+k3s1"})}),(0,i.jsx)(s.td,{children:"Jun 26 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1266",children:"v1.26.6"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.7-k3s1",children:"v3.5.7-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.0",children:"v0.22.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.0",children:"v0.15.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/kr/release-notes/v1.26.X#release-v1265k3s1",children:"v1.26.5+k3s1"})}),(0,i.jsx)(s.td,{children:"May 26 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1265",children:"v1.26.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.7-k3s1",children:"v3.5.7-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.4",children:"v0.21.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.14.0",children:"v0.14.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/kr/release-notes/v1.26.X#release-v1264k3s1",children:"v1.26.4+k3s1"})}),(0,i.jsx)(s.td,{children:"Apr 20 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1264",children:"v1.26.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.7-k3s1",children:"v3.5.7-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.19-k3s1",children:"v1.6.19-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.5",children:"v1.1.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.4",children:"v0.21.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.3",children:"v0.13.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/kr/release-notes/v1.26.X#release-v1263k3s1",children:"v1.26.3+k3s1"})}),(0,i.jsx)(s.td,{children:"Mar 27 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1263",children:"v1.26.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.5-k3s1",children:"v3.5.5-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.19-k3s1",children:"v1.6.19-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.4",children:"v0.21.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/kr/release-notes/v1.26.X#release-v1262k3s1",children:"v1.26.2+k3s1"})}),(0,i.jsx)(s.td,{children:"Mar 10 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1262",children:"v1.26.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.5-k3s1",children:"v3.5.5-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.15-k3s1",children:"v1.6.15-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.1",children:"v0.21.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/kr/release-notes/v1.26.X#release-v1261k3s1",children:"v1.26.1+k3s1"})}),(0,i.jsx)(s.td,{children:"Jan 26 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1261",children:"v1.26.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.8",children:"v0.9.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.5-k3s1",children:"v3.5.5-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.15-k3s1",children:"v1.6.15-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.2",children:"v0.20.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/kr/release-notes/v1.26.X#release-v1260k3s2",children:"v1.26.0+k3s2"})}),(0,i.jsx)(s.td,{children:"Jan 11 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1260",children:"v1.26.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.8",children:"v0.9.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.5-k3s1",children:"v3.5.5-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.14-k3s1",children:"v1.6.14-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.2",children:"v0.20.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/kr/release-notes/v1.26.X#release-v1260k3s1",children:"v1.26.0+k3s1"})}),(0,i.jsx)(s.td,{children:"Dec 21 2022"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1260",children:"v1.26.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.8",children:"v0.9.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.5-k3s1",children:"v3.5.5-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.12-k3s1",children:"v1.6.12-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.2",children:"v0.20.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]})]})]}),"\n",(0,i.jsx)("br",{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12615k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.15+k3s1",children:"v1.26.15+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.15, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v12614",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12614k3s1",children:"Changes since v1.26.14+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Update klipper-lb image version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9607",children:"(#9607)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Install and Unit test backports ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9645",children:"(#9645)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Adjust first node-ip based on configured clusterCIDR ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9633",children:"(#9633)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add an integration test for flannel-backend=none ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9610",children:"(#9610)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Improve tailscale e2e test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9655",children:"(#9655)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2024-03 release cycle ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9692",children:"(#9692)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fix: use correct wasm shims names"}),"\n",(0,i.jsx)(s.li,{children:"The embedded flannel cni-plugin binary is now built and versioned separate from the rest of the cni plugins and the embedded flannel controller."}),"\n",(0,i.jsx)(s.li,{children:"Bump spegel to v0.0.18-k3s3"}),"\n",(0,i.jsx)(s.li,{children:"Adds wildcard registry support"}),"\n",(0,i.jsx)(s.li,{children:"Fixes issue with excessive CPU utilization while waiting for containerd to start"}),"\n",(0,i.jsx)(s.li,{children:"Add env var to allow spegel mirroring of latest tag"}),"\n",(0,i.jsx)(s.li,{children:"Tweak netpol node wait logs"}),"\n",(0,i.jsx)(s.li,{children:"Fix coredns NodeHosts on dual-stack clusters"}),"\n",(0,i.jsx)(s.li,{children:"Bump helm-controller/klipper-helm versions"}),"\n",(0,i.jsx)(s.li,{children:"Fix snapshot prune"}),"\n",(0,i.jsx)(s.li,{children:"Fix issue with etcd node name missing hostname"}),"\n",(0,i.jsx)(s.li,{children:"Rootless mode should also bind service nodePort to host for LoadBalancer type, matching UX of rootful mode."}),"\n",(0,i.jsxs)(s.li,{children:["To enable raw output for the ",(0,i.jsx)(s.code,{children:"check-config"})," subcommand, you may now set NO_COLOR=1"]}),"\n",(0,i.jsx)(s.li,{children:"Fix additional corner cases in registries handling"}),"\n",(0,i.jsx)(s.li,{children:"Bump metrics-server to v0.7.0"}),"\n",(0,i.jsx)(s.li,{children:"K3s will now warn and suppress duplicate entries in the mirror endpoint list for a registry. Containerd does not support listing the same endpoint multiple times as a mirror for a single upstream registry."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix wildcard entry upstream fallback ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9735",children:"(#9735)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.15-k3s1 and Go 1.21.8 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9740",children:"(#9740)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12614k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.14+k3s1",children:"v1.26.14+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.14, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v12613",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12613k3s2",children:"Changes since v1.26.13+k3s2:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Chore: bump Local Path Provisioner version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9428",children:"(#9428)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump cri-dockerd to fix compat with Docker Engine 25 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9292",children:"(#9292)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Auto Dependency Bump ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9421",children:"(#9421)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Runtimes refactor using exec.LookPath ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9429",children:"(#9429)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Directories containing runtimes need to be included in the $PATH environment variable for effective runtime detection."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Changed how lastHeartBeatTime works in the etcd condition ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9423",children:"(#9423)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Allow executors to define containerd and docker behavior ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9252",children:"(#9252)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update Kube-router to v2.0.1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9406",children:"(#9406)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2024-02 release cycle ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9464",children:"(#9464)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump flannel version + remove multiclustercidr ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9409",children:"(#9409)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Enable longer http timeout requests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9446",children:"(#9446)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Test_UnitApplyContainerdQoSClassConfigFileIfPresent ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9442",children:"(#9442)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Support PR testing installs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9471",children:"(#9471)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update Kubernetes to v1.26.14 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9490",children:"(#9490)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix drone publish for arm ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9510",children:"(#9510)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove failing Drone step ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9514",children:"(#9514)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Restore original order of agent startup functions ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9547",children:"(#9547)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix netpol startup when flannel is disabled ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9580",children:"(#9580)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12613k3s2",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.13+k3s2",children:"v1.26.13+k3s2"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.13, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v12612",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.p,{children:(0,i.jsx)(s.strong,{children:"Important Notes"})}),"\n",(0,i.jsxs)(s.p,{children:["Addresses the runc CVE: ",(0,i.jsx)(s.a,{href:"https://nvd.nist.gov/vuln/detail/CVE-2024-21626",children:"CVE-2024-21626"})," by updating runc to v1.1.12."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12612k3s1",children:"Changes since v1.26.12+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Add a retry around updating a secrets-encrypt node annotations ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9123",children:"(#9123)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Added support for env *_PROXY variables for agent loadbalancer ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9116",children:"(#9116)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Wait for taint to be gone in the node before starting the netpol controller ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9177",children:"(#9177)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Etcd condition ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9183",children:"(#9183)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2024-01 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9212",children:"(#9212)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Move proxy dialer out of init() and fix crash ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9221",children:"(#9221)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Pin opa version for missing dependency chain ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9218",children:"(#9218)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Etcd node is nil ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9230",children:"(#9230)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.13 and Go 1.20.13 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9262",children:"(#9262)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Use ",(0,i.jsx)(s.code,{children:"ipFamilyPolicy: RequireDualStack"})," for dual-stack kube-dns ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9271",children:"(#9271)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2024-01 k3s2 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9338",children:"(#9338)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Bump runc to v1.1.12 and helm-controller to v0.15.7"}),"\n",(0,i.jsx)(s.li,{children:"Fix handling of bare hostname or IP as endpoint address in registries.yaml"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump helm-controller to fix issue with ChartContent ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9348",children:"(#9348)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12612k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.12+k3s1",children:"v1.26.12+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.12, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v12611",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12611k3s2",children:"Changes since v1.26.11+k3s2:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Runtimes backport ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9014",children:"(#9014)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Added runtime classes for wasm/nvidia/crun"}),"\n",(0,i.jsx)(s.li,{children:"Added default runtime flag for containerd"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd/runc to v1.7.10-k3s1/v1.1.10 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8964",children:"(#8964)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix overlapping address range ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9019",children:"(#9019)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Allow setting default-runtime on servers ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9028",children:"(#9028)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd to v1.7.11 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9042",children:"(#9042)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.12-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9077",children:"(#9077)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12611k3s2",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.11+k3s2",children:"v1.26.11+k3s2"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.11, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v12610",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12610k3s2",children:"Changes since v1.26.10+k3s2:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Etcd status condition ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8820",children:"(#8820)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2023-11 release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8879",children:"(#8879)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["New timezone info in Docker image allows the use of ",(0,i.jsx)(s.code,{children:"spec.timeZone"})," in CronJobs"]}),"\n",(0,i.jsx)(s.li,{children:"Bumped kine to v0.11.0 to resolve issues with postgres and NATS, fix performance of watch channels under heavy load, and improve compatibility with the reference implementation."}),"\n",(0,i.jsxs)(s.li,{children:["Containerd may now be configured to use rdt or blockio configuration by defining ",(0,i.jsx)(s.code,{children:"rdt_config.yaml"})," or ",(0,i.jsx)(s.code,{children:"blockio_config.yaml"})," files."]}),"\n",(0,i.jsx)(s.li,{children:"Add agent flag disable-apiserver-lb, agent will not start load balance proxy."}),"\n",(0,i.jsx)(s.li,{children:"Improved ingress IP ordering from ServiceLB"}),"\n",(0,i.jsx)(s.li,{children:"Disable helm CRD installation for disable-helm-controller"}),"\n",(0,i.jsx)(s.li,{children:"Omit snapshot list configmap entries for snapshots without extra metadata"}),"\n",(0,i.jsx)(s.li,{children:"Add jitter to client config retry to avoid hammering servers when they are starting up"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Add warning for removal of multiclustercidr flag ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8760",children:"(#8760)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Handle nil pointer when runtime core is not ready in etcd ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8888",children:"(#8888)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Improve dualStack log ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8829",children:"(#8829)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump dynamiclistener; reduce snapshot controller log spew ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8903",children:"(#8903)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Bumped dynamiclistener to address a race condition that could cause a server to fail to sync its certificates into the Kubernetes secret"}),"\n",(0,i.jsx)(s.li,{children:"Reduced etcd snapshot log spam during initial cluster startup"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix etcd snapshot S3 issues ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8938",children:"(#8938)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Don't apply S3 retention if S3 client failed to initialize"}),"\n",(0,i.jsx)(s.li,{children:"Don't request metadata when listing S3 snapshots"}),"\n",(0,i.jsx)(s.li,{children:"Print key instead of file path in snapshot metadata log message"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.11 and Go to 1.20.11 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8922",children:"(#8922)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove s390x ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9000",children:"(#9000)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12610k3s2",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.10+k3s2",children:"v1.26.10+k3s2"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.10, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v12610",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12610k3s1",children:"Changes since v1.26.10+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Fix SystemdCgroup in templates_linux.go ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8766",children:"(#8766)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fixed an issue with identifying additional container runtimes"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update traefik chart to v25.0.0 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8776",children:"(#8776)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update traefik to fix registry value ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8790",children:"(#8790)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12610k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.10+k3s1",children:"v1.26.10+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.10, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1269",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1269k3s1",children:"Changes since v1.26.9+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Fix error reporting ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8412",children:"(#8412)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add context to flannel errors ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8420",children:"(#8420)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Testing Backports for September ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8300",children:"(#8300)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Include the interface name in the error message ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8436",children:"(#8436)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update kube-router ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8444",children:"(#8444)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add extraArgs to tailscale ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8465",children:"(#8465)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Added error when cluster reset while using server flag ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8456",children:"(#8456)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The user will receive a error when --cluster-reset with the --server flag"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Cluster reset from non bootstrap nodes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8453",children:"(#8453)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix spellcheck problem ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8510",children:"(#8510)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Take IPFamily precedence based on order ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8505",children:"(#8505)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Network defaults are duplicated, remove one ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8552",children:"(#8552)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Advertise address integration test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8517",children:"(#8517)"})]}),"\n",(0,i.jsxs)(s.li,{children:["System agent push tags fix ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8570",children:"(#8570)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fixed tailscale node IP dualstack mode in case of IPv4 only node ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8559",children:"(#8559)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Server Token Rotation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8577",children:"(#8577)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Users can now rotate the server token using ",(0,i.jsx)(s.code,{children:"k3s token rotate -t --new-token "}),". After command succeeds, all server nodes must be restarted with the new token."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Clear remove annotations on cluster reset ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8590",children:"(#8590)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fixed an issue that could cause k3s to attempt to remove members from the etcd cluster immediately following a cluster-reset/restore, if they were queued for removal at the time the snapshot was taken."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Use IPv6 in case is the first configured IP with dualstack ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8598",children:"(#8598)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2023-10 release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8616",children:"(#8616)"})]}),"\n",(0,i.jsxs)(s.li,{children:["E2E Domain Drone Cleanup ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8583",children:"(#8583)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update kube-router package in build script ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8635",children:"(#8635)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add etcd-only/control-plane-only server test and fix control-plane-only server crash ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8643",children:"(#8643)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Use ",(0,i.jsx)(s.code,{children:"version.Program"})," not K3s in token rotate logs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8655",children:"(#8655)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Windows agent support ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8647",children:"(#8647)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add --image-service-endpoint flag (#8279) ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8663",children:"(#8663)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Add ",(0,i.jsx)(s.code,{children:"--image-service-endpoint"})," flag to specify an external image service socket."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Backport etcd fixes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8691",children:"(#8691)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Re-enable etcd endpoint auto-sync"}),"\n",(0,i.jsx)(s.li,{children:"Manually requeue configmap reconcile when no nodes have reconciled snapshots"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.10 and Go to v1.20.10 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8680",children:"(#8680)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix s3 snapshot restore ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8734",children:"(#8734)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1269k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.9+k3s1",children:"v1.26.9+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.9, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1268",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1268k3s1",children:"Changes since v1.26.8+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Bump kine to v0.10.3 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8325",children:"(#8325)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.9 and go to v1.20.8 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8357",children:"(#8357)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Bump embedded containerd to v1.7.6"}),"\n",(0,i.jsx)(s.li,{children:"Bump embedded stargz-snapshotter plugin to latest"}),"\n",(0,i.jsx)(s.li,{children:"Fixed intermittent drone CI failures due to race conditions in test environment setup scripts"}),"\n",(0,i.jsx)(s.li,{children:"Fixed CI failures due to changes to api discovery changes in Kubernetes 1.28"}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1268k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.8+k3s1",children:"v1.26.8+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.8, and fixes a number of issues."}),"\n",(0,i.jsx)(s.admonition,{title:"Important",type:"warning",children:(0,i.jsxs)(s.p,{children:["This release includes support for remediating CVE-2023-32187, a potential Denial of Service attack vector on K3s servers. See ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2",children:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2"})," for more information, including mandatory steps necessary to harden clusters against this vulnerability."]})}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1267",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1267k3s1",children:"Changes since v1.26.7+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Update flannel and plugins ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8075",children:"(#8075)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix tailscale bug with ip modes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8097",children:"(#8097)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Etcd snapshots retention when node name changes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8122",children:"(#8122)"})]}),"\n",(0,i.jsxs)(s.li,{children:["August Test Backports ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8126",children:"(#8126)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2023-08 release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8129",children:"(#8129)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"K3s's external apiserver listener now declines to add to its certificate any subject names not associated with the kubernetes apiserver service, server nodes, or values of the --tls-san option. This prevents the certificate's SAN list from being filled with unwanted entries."}),"\n",(0,i.jsxs)(s.li,{children:["K3s no longer enables the apiserver's ",(0,i.jsx)(s.code,{children:"enable-aggregator-routing"})," flag when the egress proxy is not being used to route connections to in-cluster endpoints."]}),"\n",(0,i.jsx)(s.li,{children:"Updated the embedded containerd to v1.7.3+k3s1"}),"\n",(0,i.jsx)(s.li,{children:"Updated the embedded runc to v1.1.8"}),"\n",(0,i.jsx)(s.li,{children:"Updated the embedded etcd to v3.5.9+k3s1"}),"\n",(0,i.jsxs)(s.li,{children:["User-provided containerd config templates may now use ",(0,i.jsx)(s.code,{children:'{{ template "base" . }}'})," to include the default K3s template content. This makes it easier to maintain user configuration if the only need is to add additional sections to the file."]}),"\n",(0,i.jsx)(s.li,{children:"Bump docker/docker module version to fix issues with cri-dockerd caused by recent releases of golang rejecting invalid host headers sent by the docker client."}),"\n",(0,i.jsx)(s.li,{children:"Updated kine to v0.10.2"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["K3s etcd-snapshot delete fail to delete local file when called with s3 flag ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8144",children:"(#8144)"})]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Fix for cluster-reset backup from s3 when etcd snapshots are disabled ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8170",children:"(#8170)"})]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fixed the etcd retention to delete orphaned snapshots based on the date ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8189",children:"(#8189)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Additional backports for 2023-08 release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8212",children:"(#8212)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The version of ",(0,i.jsx)(s.code,{children:"helm"})," used by the bundled helm controller's job image has been updated to v3.12.3"]}),"\n",(0,i.jsx)(s.li,{children:"Bumped dynamiclistener to address an issue that could cause the apiserver/supervisor listener on 6443 to stop serving requests on etcd-only nodes."}),"\n",(0,i.jsx)(s.li,{children:"The K3s external apiserver/supervisor listener on 6443 now sends a complete certificate chain in the TLS handshake."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Move flannel to 0.22.2 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8222",children:"(#8222)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.8 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8235",children:"(#8235)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add new CLI flag to enable TLS SAN CN filtering ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8258",children:"(#8258)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Added a new ",(0,i.jsx)(s.code,{children:"--tls-san-security"})," option. This flag defaults to false, but can be set to true to disable automatically adding SANs to the server's TLS certificate to satisfy any hostname requested by a client."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Add RWMutex to address controller ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8274",children:"(#8274)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1267k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.7+k3s1",children:"v1.26.7+k3s1"})]}),"\n",(0,i.jsxs)(s.p,{children:["This release updates Kubernetes to v1.26.7, and fixes a number of issues.\r\n\u200b\r\nFor more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1266",children:"Kubernetes release notes"}),".\r\n\u200b"]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1266k3s1",children:"Changes since v1.26.6+k3s1:"}),"\n",(0,i.jsx)(s.p,{children:"\u200b"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Remove file_windows.go ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7855",children:"(#7855)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix code spell check ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7859",children:"(#7859)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Allow k3s to customize apiServerPort on helm-controller ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7874",children:"(#7874)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Check if we are on ipv4, ipv6 or dualStack when doing tailscale ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7882",children:"(#7882)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Support setting control server URL for Tailscale. ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7893",children:"(#7893)"})]}),"\n",(0,i.jsxs)(s.li,{children:["S3 and Startup tests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7885",children:"(#7885)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix rootless node password ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7901",children:"(#7901)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2023-07 release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7908",children:"(#7908)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Resolved an issue that caused agents joined with kubeadm-style bootstrap tokens to fail to rejoin the cluster when their node object is deleted."}),"\n",(0,i.jsxs)(s.li,{children:["The ",(0,i.jsx)(s.code,{children:"k3s certificate rotate-ca"})," command now supports the data-dir flag."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Adding cli to custom klipper helm image ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7914",children:"(#7914)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The default helm-controller job image can now be overridden with the --helm-job-image CLI flag"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Generation of certs and keys for etcd gated if etcd is disabled ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7944",children:"(#7944)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Don't use zgrep in ",(0,i.jsx)(s.code,{children:"check-config"})," if apparmor profile is enforced ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7956",children:"(#7956)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix image_scan.sh script and download trivy version (#7950) ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7968",children:"(#7968)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Adjust default kubeconfig file permissions ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7983",children:"(#7983)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.7 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8022",children:"(#8022)"}),"\r\n\u200b"]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1266k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.6+k3s1",children:"v1.26.6+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.6, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1265",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1265k3s1",children:"Changes since v1.26.5+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Update flannel version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7648",children:"(#7648)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump vagrant libvirt with fix for plugin installs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7658",children:"(#7658)"})]}),"\n",(0,i.jsxs)(s.li,{children:["E2E and Dep Backports - June ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7693",children:"(#7693)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Bump docker go.mod #7681"}),"\n",(0,i.jsx)(s.li,{children:"Shortcircuit commands with version or help flags #7683"}),"\n",(0,i.jsx)(s.li,{children:"Add Rotation certification Check, remove func to restart agents #7097"}),"\n",(0,i.jsx)(s.li,{children:"E2E: Sudo for RunCmdOnNode #7686"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["VPN integration ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7727",children:"(#7727)"})]}),"\n",(0,i.jsxs)(s.li,{children:["E2e: Private registry test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7721",children:"(#7721)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix spelling check ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7751",children:"(#7751)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove unused libvirt config ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7757",children:"(#7757)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backport version bumps and bugfixes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7717",children:"(#7717)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The bundled metrics-server has been bumped to v0.6.3, and now uses only secure TLS ciphers by default."}),"\n",(0,i.jsxs)(s.li,{children:["The ",(0,i.jsx)(s.code,{children:"coredns-custom"})," ConfigMap now allows for ",(0,i.jsx)(s.code,{children:"*.override"})," sections to be included in the ",(0,i.jsx)(s.code,{children:".:53"})," default server block."]}),"\n",(0,i.jsx)(s.li,{children:"The K3s core controllers (supervisor, deploy, and helm) no longer use the admin kubeconfig. This makes it easier to determine from access and audit logs which actions are performed by the system, and which are performed by an administrative user."}),"\n",(0,i.jsx)(s.li,{children:"Bumped klipper-lb image to v0.4.4 to resolve an issue that prevented access to ServiceLB ports from localhost when the Service ExternalTrafficPolicy was set to Local."}),"\n",(0,i.jsx)(s.li,{children:"Make LB image configurable when compiling k3s"}),"\n",(0,i.jsx)(s.li,{children:"K3s now allows nodes to join the cluster even if the node password secret cannot be created at the time the node joins. The secret create will be retried in the background. This resolves a potential deadlock created by fail-closed validating webhooks that block secret creation, where the webhook is unavailable until new nodes join the cluster to run the webhook pod."}),"\n",(0,i.jsx)(s.li,{children:"The bundled containerd's aufs/devmapper/zfs snapshotter plugins have been restored. These were unintentionally omitted when moving containerd back into the k3s multicall binary in the previous release."}),"\n",(0,i.jsx)(s.li,{children:"The embedded helm controller has been bumped to v0.15.0, and now supports creating the chart's target namespace if it does not exist."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Add format command on makefile ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7762",children:"(#7762)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix logging and cleanup in Tailscale ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7782",children:"(#7782)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update Kubernetes to v1.26.6 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7789",children:"(#7789)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1265k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.5+k3s1",children:"v1.26.5+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.5, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1264",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1264k3s1",children:"Changes since v1.26.4+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Ensure that klog verbosity is set to the same level as logrus ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7360",children:"(#7360)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Prepend release branch to dependabot ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7374",children:"(#7374)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add integration tests for etc-snapshot server flags ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7377",children:"(#7377)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump Runc and Containerd ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7399",children:"(#7399)"})]}),"\n",(0,i.jsxs)(s.li,{children:["CLI + Config Enhancement ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7403",children:"(#7403)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:[(0,i.jsx)(s.code,{children:"--Tls-sans"})," now accepts multiple arguments: ",(0,i.jsx)(s.code,{children:'--tls-sans="foo,bar"'})]}),"\n",(0,i.jsxs)(s.li,{children:[(0,i.jsx)(s.code,{children:"Prefer-bundled-bin: true"})," now works properly when set in ",(0,i.jsx)(s.code,{children:"config.yaml.d"})," files"]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Migrate netutil methods into /utils/net.go ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7432",children:"(#7432)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump kube-router version to fix a bug when a port name is used ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7460",children:"(#7460)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Kube flags and longhorn storage tests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7465",children:"(#7465)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Local-storage: Fix permission ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7474",children:"(#7474)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd to v1.7.0 and move back into multicall binary ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7444",children:"(#7444)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The embedded containerd version has been bumped to ",(0,i.jsx)(s.code,{children:"v1.7.0-k3s1"}),", and has been reintegrated into the main k3s binary for a significant savings in release artifact size."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Backport version bumps and bugfixes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7514",children:"(#7514)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:'K3s now retries the cluster join operation when receiving a "too many learners" error from etcd. This most frequently occurred when attempting to add multiple servers at the same time.'}),"\n",(0,i.jsx)(s.li,{children:"K3s once again supports aarch64 nodes with page size > 4k"}),"\n",(0,i.jsx)(s.li,{children:"The packaged Traefik version has been bumped to v2.9.10 / chart 21.2.0"}),"\n",(0,i.jsxs)(s.li,{children:["K3s now prints a more meaningful error when attempting to run from a filesystem mounted ",(0,i.jsx)(s.code,{children:"noexec"}),"."]}),"\n",(0,i.jsxs)(s.li,{children:["K3s now exits with a proper error message when the server token uses a bootstrap token ",(0,i.jsx)(s.code,{children:"id.secret"})," format."]}),"\n",(0,i.jsx)(s.li,{children:"Fixed an issue where Addon, HelmChart, and HelmChartConfig CRDs were created without structural schema, allowing the creation of custom resources of these types with invalid content."}),"\n",(0,i.jsx)(s.li,{children:"Servers started with the (experimental) --disable-agent flag no longer attempt to run the tunnel authorizer agent component."}),"\n",(0,i.jsx)(s.li,{children:"Fixed an regression that prevented the pod and cluster egress-selector modes from working properly."}),"\n",(0,i.jsx)(s.li,{children:"K3s now correctly passes through etcd-args to the temporary etcd that is used to extract cluster bootstrap data when restarting managed etcd nodes."}),"\n",(0,i.jsx)(s.li,{children:"K3s now properly handles errors obtaining the current etcd cluster member list when a new server is joining the managed etcd cluster."}),"\n",(0,i.jsxs)(s.li,{children:["The embedded kine version has been bumped to v0.10.1. This replaces the legacy ",(0,i.jsx)(s.code,{children:"lib/pq"})," postgres driver with ",(0,i.jsx)(s.code,{children:"pgx"}),"."]}),"\n",(0,i.jsx)(s.li,{children:"The bundled CNI plugins have been upgraded to v1.2.0-k3s1. The bandwidth and firewall plugins are now included in the bundle."}),"\n",(0,i.jsx)(s.li,{children:"The embedded Helm controller now supports authenticating to chart repositories via credentials stored in a Secret, as well as passing repo CAs via ConfigMap."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd/runc to v1.7.1-k3s1/v1.1.7 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7534",children:"(#7534)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The bundled containerd and runc versions have been bumped to v1.7.1-k3s1/v1.1.7"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Wrap error stating that it is coming from netpol ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7547",children:"(#7547)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add '-all' flag to apply to inactive units ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7573",children:"(#7573)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.5-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7576",children:"(#7576)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Pin emicklei/go-restful to v3.9.0 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7598",children:"(#7598)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1264k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.4+k3s1",children:"v1.26.4+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.4, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1263",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1263k3s1",children:"Changes since v1.26.3+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Enhance ",(0,i.jsx)(s.code,{children:"k3s check-config"})," ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7091",children:"(#7091)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update stable channel to v1.25.8+k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7161",children:"(#7161)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Drone Pipelines enhancement ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7169",children:"(#7169)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix_get_sha_url ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7187",children:"(#7187)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Improve Updatecli local-path-provisioner pipeline ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7181",children:"(#7181)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Improve workflow ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7142",children:"(#7142)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Improve Trivy configuration ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7154",children:"(#7154)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump Local Path Provisioner version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7167",children:"(#7167)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The bundled local-path-provisioner version has been bumped to v0.0.24"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump etcd to v3.5.7 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7170",children:"(#7170)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded etcd version has been bumped to v3.5.7"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump runc to v1.1.5 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7171",children:"(#7171)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The bundled runc version has been bumped to v1.1.5"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix race condition caused by etcd advertising addresses that it does not listen on ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7147",children:"(#7147)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fixed a race condition during cluster reset that could cause the operation to hang and time out."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump coredns to v1.10.1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7168",children:"(#7168)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The bundled coredns version has been bumped to v1.10.1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Don't apply hardened args to agent ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7089",children:"(#7089)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Upgrade helm-controller to v0.13.3 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7209",children:"(#7209)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Improve Klipper Helm and Helm controller bumps ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7146",children:"(#7146)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix issue with stale connections to removed LB server ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7194",children:"(#7194)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The client load-balancer that maintains connections to active server nodes now closes connections to servers when they are removed from the cluster. This ensures that agent components immediately reconnect to a current cluster member."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump actions/setup-go from 3 to 4 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7111",children:"(#7111)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Lock bootstrap data with empty key to prevent conflicts ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7215",children:"(#7215)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"When using an external datastore, K3s now locks the bootstrap key while creating initial cluster bootstrap data, preventing a race condition when multiple servers attempted to initialize the cluster simultaneously."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Updated kube-router to move the default ACCEPT rule at the end of the chain ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7218",children:"(#7218)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded kube-router controller has been updated to fix a regression that caused traffic from pods to be blocked by any default drop/deny rules present on the host. Users should still confirm that any externally-managed firewall rules explicitly allow traffic to/from pod and service networks, but this returns the old behavior that was relied upon by some users."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Add make commands to terraform automation and fix external dbs related issue ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7159",children:"(#7159)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update klipper lb to v0.4.2 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7210",children:"(#7210)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add coreos and sle micro to selinux support ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6945",children:"(#6945)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix call for k3s-selinux versions in airgapped environments ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7264",children:"(#7264)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update Kube-router ACCEPT rule insertion and install script to clean rules before start ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7274",children:"(#7274)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded kube-router controller has been updated to fix a regression that caused traffic from pods to be blocked by any default drop/deny rules present on the host. Users should still confirm that any externally-managed firewall rules explicitly allow traffic to/from pod and service networks, but this returns the old behavior that was relied upon by some users."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.4-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7282",children:"(#7282)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump golang",":alpine"," image version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7292",children:"(#7292)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump Sonobuoy version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7256",children:"(#7256)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump Trivy version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7257",children:"(#7257)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1263k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.3+k3s1",children:"v1.26.3+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.3, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1262",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1262k3s1",children:"Changes since v1.26.2+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Add E2E to Drone ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6890",children:"(#6890)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add flannel adr ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6973",children:"(#6973)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update flannel and kube-router ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7039",children:"(#7039)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump various dependencies for CVEs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7044",children:"(#7044)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Adds a warning about editing to the containerd config.toml file ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7057",children:"(#7057)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update stable version in channel server ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7066",children:"(#7066)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Wait for kubelet port to be ready before setting ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7041",children:"(#7041)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The agent tunnel authorizer now waits for the kubelet to be ready before reading the kubelet port from the node object."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Improve support for rotating the default self-signed certs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7032",children:"(#7032)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The ",(0,i.jsx)(s.code,{children:"k3s certificate rotate-ca"})," checks now support rotating self-signed certificates without the ",(0,i.jsx)(s.code,{children:"--force"})," option."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Skip all pipelines based on what is in the PR ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6996",children:"(#6996)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add missing kernel config checks ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6946",children:"(#6946)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove deprecated nodeSelector label beta.kubernetes.io/os ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6970",children:"(#6970)"})]}),"\n",(0,i.jsxs)(s.li,{children:["MultiClusterCIDR for v1.26 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6885",children:"(#6885)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"MultiClusterCIDR feature"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Remove Nikolai from MAINTAINERS list ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7088",children:"(#7088)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add automation for Restart command for K3s ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7002",children:"(#7002)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix to Rotate CA e2e test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7101",children:"(#7101)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Drone: Cleanup E2E VMs on test panic ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7104",children:"(#7104)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.3-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7108",children:"(#7108)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Pin golangci-lint version to v1.51.2 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7113",children:"(#7113)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Clean E2E VMs before testing ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7109",children:"(#7109)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update flannel to fix NAT issue with old iptables version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7136",children:"(#7136)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1262k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.2+k3s1",children:"v1.26.2+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.2, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1261",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1261k3s1",children:"Changes since v1.26.1+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Add build tag to disable cri-dockerd ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6760",children:"(#6760)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump cri-dockerd ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6797",children:"(#6797)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded cri-dockerd has been updated to v0.3.1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update stable channel to v1.25.6+k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6828",children:"(#6828)"})]}),"\n",(0,i.jsxs)(s.li,{children:["E2E Rancher and Hardened script improvements ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6778",children:"(#6778)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add Ayedo to Adopters ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6801",children:"(#6801)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Consolidate E2E tests and GH Actions ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6772",children:"(#6772)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Allow ServiceLB to honor ",(0,i.jsx)(s.code,{children:"ExternalTrafficPolicy=Local"})," ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6726",children:"(#6726)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"ServiceLB now honors the Service's ExternalTrafficPolicy. When set to Local, the LoadBalancer will only advertise addresses of Nodes with a Pod for the Service, and will not forward traffic to other cluster members."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix cronjob example ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6707",children:"(#6707)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump vagrant boxes to fedora37 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6832",children:"(#6832)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Ensure flag type consistency ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6852",children:"(#6852)"})]}),"\n",(0,i.jsxs)(s.li,{children:["E2E: Consoldiate docker and prefer bundled tests into new startup test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6851",children:"(#6851)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix reference to documentation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6860",children:"(#6860)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump deps: trivy, sonobuoy, dapper, golangci-lint, gopls ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6807",children:"(#6807)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix check for (open)SUSE version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6791",children:"(#6791)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add support for user-provided CA certificates ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6615",children:"(#6615)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["K3s now functions properly when the cluster CA certificates are signed by an existing root or intermediate CA. You can find a sample script for generating such certificates before K3s starts in the github repo at ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/blob/master/contrib/util/certs.sh",children:"contrib/util/certs.sh"}),"."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Ignore value conflicts when reencrypting secrets ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6850",children:"(#6850)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add ",(0,i.jsx)(s.code,{children:"kubeadm"})," style bootstrap token secret support ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6663",children:"(#6663)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["K3s now supports ",(0,i.jsx)(s.code,{children:"kubeadm"})," style join tokens. ",(0,i.jsx)(s.code,{children:"k3s token create"})," now creates join token secrets, optionally with a limited TTL."]}),"\n",(0,i.jsx)(s.li,{children:"K3s agents joined with an expired or deleted token stay in the cluster using existing client certificates via the NodeAuthorization admission plugin, unless their Node object is deleted from the cluster."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Add NATS to the list of supported data stores ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6876",children:"(#6876)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Use default address family when adding kubernetes service address to SAN list ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6857",children:"(#6857)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The apiserver advertised address and IP SAN entry are now set correctly on clusters that use IPv6 as the default IP family."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix issue with servicelb startup failure when validating webhooks block creation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6911",children:"(#6911)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded cloud controller manager will no longer attempt to unconditionally re-create its namespace and serviceaccount on startup. This resolves an issue that could cause a deadlocked cluster when fail-closed webhooks are in use."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix access to hostNetwork port on NodeIP when egress-selector-mode=agent ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6829",children:"(#6829)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fixed an issue that would cause the apiserver egress proxy to attempt to use the agent tunnel to connect to service endpoints even in agent or disabled mode."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Wait for server to become ready before creating token ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6932",children:"(#6932)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Allow for multiple sets of leader-elected controllers ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6922",children:"(#6922)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fixed an issue where leader-elected controllers for managed etcd did not run on etcd-only nodes"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update Flannel to v0.21.1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6944",children:"(#6944)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix Nightly E2E tests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6950",children:"(#6950)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix etcd and ca-cert rotate issues ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6952",children:"(#6952)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix ServiceLB dual-stack ingress IP listing ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6979",children:"(#6979)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Resolved an issue with ServiceLB that would cause it to advertise node IPv6 addresses, even if the cluster or service was not enabled for dual-stack operation."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump kine to v0.9.9 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6974",children:"(#6974)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The embedded kine version has been bumped to v0.9.9. Compaction log messages are now omitted at ",(0,i.jsx)(s.code,{children:"info"})," level for increased visibility."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.2-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7011",children:"(#7011)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1261k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.1+k3s1",children:"v1.26.1+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.1, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1260",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1260k3s2",children:"Changes since v1.26.0+k3s2:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Add jitter to scheduled snapshots and retry harder on conflicts ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6715",children:"(#6715)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Scheduled etcd snapshots are now offset by a short random delay of up to several seconds. This should prevent multi-server clusters from executing pathological behavior when attempting to simultaneously update the snapshot list ConfigMap. The snapshot controller will also be more persistent in attempting to update the snapshot list."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Adjust e2e test run script and fixes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6718",children:"(#6718)"})]}),"\n",(0,i.jsxs)(s.li,{children:["RIP Codespell ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6701",children:"(#6701)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump alpine from 3.16 to 3.17 in /package ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6688",children:"(#6688)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump alpine from 3.16 to 3.17 in /conformance ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6687",children:"(#6687)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd to v1.6.15-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6722",children:"(#6722)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded containerd version has been bumped to v1.6.15-k3s1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Containerd restart testlet ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6696",children:"(#6696)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump ubuntu from 20.04 to 22.04 in /tests/e2e/scripts ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6686",children:"(#6686)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add explicit read permissions to workflows ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6700",children:"(#6700)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Pass through default tls-cipher-suites ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6725",children:"(#6725)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The K3s default cipher suites are now explicitly passed in to kube-apiserver, ensuring that all listeners use these values."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump golang",":alpine"," image version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6683",children:"(#6683)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bugfix: do not break cert-manager when pprof is enabled ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6635",children:"(#6635)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix CI tests on Alpine 3.17 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6744",children:"(#6744)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update Stable to 1.25.5+k3s2 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6753",children:"(#6753)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump action/download-artifact to v3 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6746",children:"(#6746)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Generate report and upload test results ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6737",children:"(#6737)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Slow dependency CI to weekly ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6764",children:"(#6764)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix Drone plugins/docker tag for 32 bit arm ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6769",children:"(#6769)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.1-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6774",children:"(#6774)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1260k3s2",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.0+k3s2",children:"v1.26.0+k3s2"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates containerd to v1.6.14 to resolve an issue where pods would lose their CNI information when containerd was restarted, as well as a number of other stability and administrative changes."}),"\n",(0,i.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1260k3s1",children:"Changes since v1.26.0+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Current status badges ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6653",children:"(#6653)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add initial Updatecli ADR automation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6583",children:"(#6583)"})]}),"\n",(0,i.jsxs)(s.li,{children:["December 2022 channels update ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6618",children:"(#6618)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Change Updatecli GH action reference branch ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6682",children:"(#6682)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix OpenRC init script error 'openrc-run.sh: source: not found' ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6614",children:"(#6614)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add Dependabot config for security ADR ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6560",children:"(#6560)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd to v1.6.14-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6693",children:"(#6693)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The embedded containerd version has been bumped to v1.6.14-k3s1. This includes a backported fix for ",(0,i.jsx)(s.a,{href:"https://github.com/containerd/containerd/issues/7843",children:"containerd/7843"})," which caused pods to lose their CNI info when containerd was restarted, which in turn caused the kubelet to recreate the pod."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Exclude December r1 releases from channel server ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6706",children:"(#6706)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1260k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.0+k3s1",children:"v1.26.0+k3s1"})]}),"\n",(0,i.jsxs)(s.blockquote,{children:["\n",(0,i.jsx)(s.h2,{id:"\ufe0f-warning",children:"\u26a0\ufe0f WARNING"}),"\n",(0,i.jsxs)(s.p,{children:["This release is affected by ",(0,i.jsx)(s.a,{href:"https://github.com/containerd/containerd/issues/7843",children:"https://github.com/containerd/containerd/issues/7843"}),", which causes the kubelet to restart all pods whenever K3s is restarted. For this reason, we have removed this K3s release from the channel server. Please use ",(0,i.jsx)(s.code,{children:"v1.26.0+k3s2"})," instead."]}),"\n"]}),"\n",(0,i.jsx)(s.p,{children:"This release is K3S's first in the v1.26 line. This release updates Kubernetes to v1.26.0."}),"\n",(0,i.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1255k3s1",children:"Changes since v1.25.5+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Remove deprecated flags in v1.26 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6574",children:"(#6574)"})]}),"\n",(0,i.jsxs)(s.li,{children:['Using "etcd-snapshot" for saving snapshots is now deprecated, use "etcd-snapshot save" instead. ',(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6575",children:"(#6575)"})]}),"\n",(0,i.jsx)(s.li,{children:"Update to v1.26.0-k3s1"}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Update kubernetes to v1.26.0-k3s1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Update cri-tools to v1.26.0-rc.0-k3s1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Update helm controller to v0.13.1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Update etcd to v3.5.5-k3s1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Update cri-dockerd to the latest 1.26.0"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Update cadvisor"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Update containerd to v1.6.12-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6370",children:"(#6370)"})]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Preload iptable_filter/ip6table_filter ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6645",children:"(#6645)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump k3s-root version to v0.12.1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6651",children:"(#6651)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{})]})}function o(e={}){const{wrapper:s}={...(0,r.a)(),...e.components};return s?(0,i.jsx)(s,{...e,children:(0,i.jsx)(a,{...e})}):a(e)}},1151:(e,s,t)=>{t.d(s,{Z:()=>h,a:()=>l});var i=t(7294);const r={},n=i.createContext(r);function l(e){const s=i.useContext(n);return i.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function h(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:l(e.components),i.createElement(n.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/0ce5aa86.9dc7bad8.js b/kr/assets/js/0ce5aa86.9dc7bad8.js deleted file mode 100644 index 9fd652444..000000000 --- a/kr/assets/js/0ce5aa86.9dc7bad8.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[1620],{3012:(e,s,t)=>{t.r(s),t.d(s,{assets:()=>c,contentTitle:()=>l,default:()=>o,frontMatter:()=>n,metadata:()=>h,toc:()=>d});var i=t(5893),r=t(1151);const n={hide_table_of_contents:!0,sidebar_position:5},l="v1.26.X",h={id:"release-notes/v1.26.X",title:"v1.26.X",description:"Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.",source:"@site/docs/release-notes/v1.26.X.md",sourceDirName:"release-notes",slug:"/release-notes/v1.26.X",permalink:"/kr/release-notes/v1.26.X",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/release-notes/v1.26.X.md",tags:[],version:"current",lastUpdatedAt:172365169e4,sidebarPosition:5,frontMatter:{hide_table_of_contents:!0,sidebar_position:5},sidebar:"mySidebar",previous:{title:"v1.27.X",permalink:"/kr/release-notes/v1.27.X"},next:{title:"v1.25.X",permalink:"/kr/release-notes/v1.25.X"}},c={},d=[{value:"Release v1.26.15+k3s1",id:"release-v12615k3s1",level:2},{value:"Changes since v1.26.14+k3s1:",id:"changes-since-v12614k3s1",level:3},{value:"Release v1.26.14+k3s1",id:"release-v12614k3s1",level:2},{value:"Changes since v1.26.13+k3s2:",id:"changes-since-v12613k3s2",level:3},{value:"Release v1.26.13+k3s2",id:"release-v12613k3s2",level:2},{value:"Changes since v1.26.12+k3s1:",id:"changes-since-v12612k3s1",level:3},{value:"Release v1.26.12+k3s1",id:"release-v12612k3s1",level:2},{value:"Changes since v1.26.11+k3s2:",id:"changes-since-v12611k3s2",level:3},{value:"Release v1.26.11+k3s2",id:"release-v12611k3s2",level:2},{value:"Changes since v1.26.10+k3s2:",id:"changes-since-v12610k3s2",level:3},{value:"Release v1.26.10+k3s2",id:"release-v12610k3s2",level:2},{value:"Changes since v1.26.10+k3s1:",id:"changes-since-v12610k3s1",level:3},{value:"Release v1.26.10+k3s1",id:"release-v12610k3s1",level:2},{value:"Changes since v1.26.9+k3s1:",id:"changes-since-v1269k3s1",level:3},{value:"Release v1.26.9+k3s1",id:"release-v1269k3s1",level:2},{value:"Changes since v1.26.8+k3s1:",id:"changes-since-v1268k3s1",level:3},{value:"Release v1.26.8+k3s1",id:"release-v1268k3s1",level:2},{value:"Changes since v1.26.7+k3s1:",id:"changes-since-v1267k3s1",level:3},{value:"Release v1.26.7+k3s1",id:"release-v1267k3s1",level:2},{value:"Changes since v1.26.6+k3s1:",id:"changes-since-v1266k3s1",level:3},{value:"Release v1.26.6+k3s1",id:"release-v1266k3s1",level:2},{value:"Changes since v1.26.5+k3s1:",id:"changes-since-v1265k3s1",level:3},{value:"Release v1.26.5+k3s1",id:"release-v1265k3s1",level:2},{value:"Changes since v1.26.4+k3s1:",id:"changes-since-v1264k3s1",level:3},{value:"Release v1.26.4+k3s1",id:"release-v1264k3s1",level:2},{value:"Changes since v1.26.3+k3s1:",id:"changes-since-v1263k3s1",level:3},{value:"Release v1.26.3+k3s1",id:"release-v1263k3s1",level:2},{value:"Changes since v1.26.2+k3s1:",id:"changes-since-v1262k3s1",level:3},{value:"Release v1.26.2+k3s1",id:"release-v1262k3s1",level:2},{value:"Changes since v1.26.1+k3s1:",id:"changes-since-v1261k3s1",level:3},{value:"Release v1.26.1+k3s1",id:"release-v1261k3s1",level:2},{value:"Changes since v1.26.0+k3s2:",id:"changes-since-v1260k3s2",level:3},{value:"Release v1.26.0+k3s2",id:"release-v1260k3s2",level:2},{value:"Changes since v1.26.0+k3s1:",id:"changes-since-v1260k3s1",level:3},{value:"Release v1.26.0+k3s1",id:"release-v1260k3s1",level:2},{value:"\u26a0\ufe0f WARNING",id:"\ufe0f-warning",level:2},{value:"Changes since v1.25.5+k3s1:",id:"changes-since-v1255k3s1",level:3}];function a(e){const s={a:"a",admonition:"admonition",blockquote:"blockquote",code:"code",h1:"h1",h2:"h2",h3:"h3",hr:"hr",li:"li",p:"p",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,r.a)(),...e.components};return(0,i.jsxs)(i.Fragment,{children:[(0,i.jsx)(s.h1,{id:"v126x",children:"v1.26.X"}),"\n",(0,i.jsx)(s.admonition,{title:"Upgrade Notice",type:"warning",children:(0,i.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]})}),"\n",(0,i.jsxs)(s.table,{children:[(0,i.jsx)(s.thead,{children:(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.th,{children:"Version"}),(0,i.jsx)(s.th,{children:"Release date"}),(0,i.jsx)(s.th,{children:"Kubernetes"}),(0,i.jsx)(s.th,{children:"Kine"}),(0,i.jsx)(s.th,{children:"SQLite"}),(0,i.jsx)(s.th,{children:"Etcd"}),(0,i.jsx)(s.th,{children:"Containerd"}),(0,i.jsx)(s.th,{children:"Runc"}),(0,i.jsx)(s.th,{children:"Flannel"}),(0,i.jsx)(s.th,{children:"Metrics-server"}),(0,i.jsx)(s.th,{children:"Traefik"}),(0,i.jsx)(s.th,{children:"CoreDNS"}),(0,i.jsx)(s.th,{children:"Helm-controller"}),(0,i.jsx)(s.th,{children:"Local-path-provisioner"})]})}),(0,i.jsxs)(s.tbody,{children:[(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/kr/release-notes/v1.26.X#release-v12615k3s1",children:"v1.26.15+k3s1"})}),(0,i.jsx)(s.td,{children:"Mar 25 2024"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v12615",children:"v1.26.15"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.4",children:"v0.11.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2.26",children:"v1.7.11-k3s2.26"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/kr/release-notes/v1.26.X#release-v12614k3s1",children:"v1.26.14+k3s1"})}),(0,i.jsx)(s.td,{children:"Feb 29 2024"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v12614",children:"v1.26.14"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.4",children:"v0.11.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2.26",children:"v1.7.11-k3s2.26"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.8",children:"v0.15.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/kr/release-notes/v1.26.X#release-v12613k3s2",children:"v1.26.13+k3s2"})}),(0,i.jsx)(s.td,{children:"Feb 06 2024"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v12613",children:"v1.26.13"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2.26",children:"v1.7.11-k3s2.26"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.8",children:"v0.15.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/kr/release-notes/v1.26.X#release-v12612k3s1",children:"v1.26.12+k3s1"})}),(0,i.jsx)(s.td,{children:"Dec 27 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v12612",children:"v1.26.12"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2.26",children:"v1.7.11-k3s2.26"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.10",children:"v1.1.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/kr/release-notes/v1.26.X#release-v12611k3s2",children:"v1.26.11+k3s2"})}),(0,i.jsx)(s.td,{children:"Dec 07 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v12611",children:"v1.26.11"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1.26",children:"v1.7.7-k3s1.26"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/kr/release-notes/v1.26.X#release-v12610k3s2",children:"v1.26.10+k3s2"})}),(0,i.jsx)(s.td,{children:"Nov 08 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v12610",children:"v1.26.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1.26",children:"v1.7.7-k3s1.26"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/kr/release-notes/v1.26.X#release-v12610k3s1",children:"v1.26.10+k3s1"})}),(0,i.jsx)(s.td,{children:"Oct 30 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v12610",children:"v1.26.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1.26",children:"v1.7.7-k3s1.26"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/kr/release-notes/v1.26.X#release-v1269k3s1",children:"v1.26.9+k3s1"})}),(0,i.jsx)(s.td,{children:"Sep 20 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1269",children:"v1.26.9"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.6-k3s1.26",children:"v1.7.6-k3s1.26"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/kr/release-notes/v1.26.X#release-v1268k3s1",children:"v1.26.8+k3s1"})}),(0,i.jsx)(s.td,{children:"Sep 05 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1268",children:"v1.26.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.2",children:"v0.10.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.3-k3s1",children:"v1.7.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/kr/release-notes/v1.26.X#release-v1267k3s1",children:"v1.26.7+k3s1"})}),(0,i.jsx)(s.td,{children:"Jul 27 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1267",children:"v1.26.7"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.7-k3s1",children:"v3.5.7-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.0",children:"v0.22.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.2",children:"v0.15.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/kr/release-notes/v1.26.X#release-v1266k3s1",children:"v1.26.6+k3s1"})}),(0,i.jsx)(s.td,{children:"Jun 26 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1266",children:"v1.26.6"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.7-k3s1",children:"v3.5.7-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.0",children:"v0.22.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.0",children:"v0.15.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/kr/release-notes/v1.26.X#release-v1265k3s1",children:"v1.26.5+k3s1"})}),(0,i.jsx)(s.td,{children:"May 26 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1265",children:"v1.26.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.7-k3s1",children:"v3.5.7-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.4",children:"v0.21.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.14.0",children:"v0.14.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/kr/release-notes/v1.26.X#release-v1264k3s1",children:"v1.26.4+k3s1"})}),(0,i.jsx)(s.td,{children:"Apr 20 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1264",children:"v1.26.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.7-k3s1",children:"v3.5.7-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.19-k3s1",children:"v1.6.19-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.5",children:"v1.1.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.4",children:"v0.21.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.3",children:"v0.13.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/kr/release-notes/v1.26.X#release-v1263k3s1",children:"v1.26.3+k3s1"})}),(0,i.jsx)(s.td,{children:"Mar 27 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1263",children:"v1.26.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.5-k3s1",children:"v3.5.5-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.19-k3s1",children:"v1.6.19-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.4",children:"v0.21.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/kr/release-notes/v1.26.X#release-v1262k3s1",children:"v1.26.2+k3s1"})}),(0,i.jsx)(s.td,{children:"Mar 10 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1262",children:"v1.26.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.5-k3s1",children:"v3.5.5-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.15-k3s1",children:"v1.6.15-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.1",children:"v0.21.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/kr/release-notes/v1.26.X#release-v1261k3s1",children:"v1.26.1+k3s1"})}),(0,i.jsx)(s.td,{children:"Jan 26 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1261",children:"v1.26.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.8",children:"v0.9.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.5-k3s1",children:"v3.5.5-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.15-k3s1",children:"v1.6.15-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.2",children:"v0.20.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/kr/release-notes/v1.26.X#release-v1260k3s2",children:"v1.26.0+k3s2"})}),(0,i.jsx)(s.td,{children:"Jan 11 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1260",children:"v1.26.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.8",children:"v0.9.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.5-k3s1",children:"v3.5.5-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.14-k3s1",children:"v1.6.14-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.2",children:"v0.20.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/kr/release-notes/v1.26.X#release-v1260k3s1",children:"v1.26.0+k3s1"})}),(0,i.jsx)(s.td,{children:"Dec 21 2022"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1260",children:"v1.26.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.8",children:"v0.9.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.5-k3s1",children:"v3.5.5-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.12-k3s1",children:"v1.6.12-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.2",children:"v0.20.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]})]})]}),"\n",(0,i.jsx)("br",{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12615k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.15+k3s1",children:"v1.26.15+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.15, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v12614",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12614k3s1",children:"Changes since v1.26.14+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Update klipper-lb image version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9607",children:"(#9607)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Install and Unit test backports ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9645",children:"(#9645)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Adjust first node-ip based on configured clusterCIDR ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9633",children:"(#9633)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add an integration test for flannel-backend=none ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9610",children:"(#9610)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Improve tailscale e2e test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9655",children:"(#9655)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2024-03 release cycle ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9692",children:"(#9692)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fix: use correct wasm shims names"}),"\n",(0,i.jsx)(s.li,{children:"The embedded flannel cni-plugin binary is now built and versioned separate from the rest of the cni plugins and the embedded flannel controller."}),"\n",(0,i.jsx)(s.li,{children:"Bump spegel to v0.0.18-k3s3"}),"\n",(0,i.jsx)(s.li,{children:"Adds wildcard registry support"}),"\n",(0,i.jsx)(s.li,{children:"Fixes issue with excessive CPU utilization while waiting for containerd to start"}),"\n",(0,i.jsx)(s.li,{children:"Add env var to allow spegel mirroring of latest tag"}),"\n",(0,i.jsx)(s.li,{children:"Tweak netpol node wait logs"}),"\n",(0,i.jsx)(s.li,{children:"Fix coredns NodeHosts on dual-stack clusters"}),"\n",(0,i.jsx)(s.li,{children:"Bump helm-controller/klipper-helm versions"}),"\n",(0,i.jsx)(s.li,{children:"Fix snapshot prune"}),"\n",(0,i.jsx)(s.li,{children:"Fix issue with etcd node name missing hostname"}),"\n",(0,i.jsx)(s.li,{children:"Rootless mode should also bind service nodePort to host for LoadBalancer type, matching UX of rootful mode."}),"\n",(0,i.jsxs)(s.li,{children:["To enable raw output for the ",(0,i.jsx)(s.code,{children:"check-config"})," subcommand, you may now set NO_COLOR=1"]}),"\n",(0,i.jsx)(s.li,{children:"Fix additional corner cases in registries handling"}),"\n",(0,i.jsx)(s.li,{children:"Bump metrics-server to v0.7.0"}),"\n",(0,i.jsx)(s.li,{children:"K3s will now warn and suppress duplicate entries in the mirror endpoint list for a registry. Containerd does not support listing the same endpoint multiple times as a mirror for a single upstream registry."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix wildcard entry upstream fallback ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9735",children:"(#9735)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.15-k3s1 and Go 1.21.8 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9740",children:"(#9740)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12614k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.14+k3s1",children:"v1.26.14+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.14, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v12613",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12613k3s2",children:"Changes since v1.26.13+k3s2:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Chore: bump Local Path Provisioner version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9428",children:"(#9428)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump cri-dockerd to fix compat with Docker Engine 25 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9292",children:"(#9292)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Auto Dependency Bump ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9421",children:"(#9421)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Runtimes refactor using exec.LookPath ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9429",children:"(#9429)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Directories containing runtimes need to be included in the $PATH environment variable for effective runtime detection."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Changed how lastHeartBeatTime works in the etcd condition ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9423",children:"(#9423)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Allow executors to define containerd and docker behavior ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9252",children:"(#9252)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update Kube-router to v2.0.1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9406",children:"(#9406)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2024-02 release cycle ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9464",children:"(#9464)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump flannel version + remove multiclustercidr ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9409",children:"(#9409)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Enable longer http timeout requests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9446",children:"(#9446)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Test_UnitApplyContainerdQoSClassConfigFileIfPresent ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9442",children:"(#9442)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Support PR testing installs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9471",children:"(#9471)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update Kubernetes to v1.26.14 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9490",children:"(#9490)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix drone publish for arm ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9510",children:"(#9510)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove failing Drone step ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9514",children:"(#9514)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Restore original order of agent startup functions ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9547",children:"(#9547)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix netpol startup when flannel is disabled ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9580",children:"(#9580)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12613k3s2",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.13+k3s2",children:"v1.26.13+k3s2"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.13, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v12612",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.p,{children:(0,i.jsx)(s.strong,{children:"Important Notes"})}),"\n",(0,i.jsxs)(s.p,{children:["Addresses the runc CVE: ",(0,i.jsx)(s.a,{href:"https://nvd.nist.gov/vuln/detail/CVE-2024-21626",children:"CVE-2024-21626"})," by updating runc to v1.1.12."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12612k3s1",children:"Changes since v1.26.12+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Add a retry around updating a secrets-encrypt node annotations ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9123",children:"(#9123)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Added support for env *_PROXY variables for agent loadbalancer ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9116",children:"(#9116)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Wait for taint to be gone in the node before starting the netpol controller ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9177",children:"(#9177)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Etcd condition ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9183",children:"(#9183)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2024-01 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9212",children:"(#9212)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Move proxy dialer out of init() and fix crash ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9221",children:"(#9221)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Pin opa version for missing dependency chain ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9218",children:"(#9218)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Etcd node is nil ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9230",children:"(#9230)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.13 and Go 1.20.13 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9262",children:"(#9262)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Use ",(0,i.jsx)(s.code,{children:"ipFamilyPolicy: RequireDualStack"})," for dual-stack kube-dns ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9271",children:"(#9271)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2024-01 k3s2 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9338",children:"(#9338)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Bump runc to v1.1.12 and helm-controller to v0.15.7"}),"\n",(0,i.jsx)(s.li,{children:"Fix handling of bare hostname or IP as endpoint address in registries.yaml"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump helm-controller to fix issue with ChartContent ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9348",children:"(#9348)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12612k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.12+k3s1",children:"v1.26.12+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.12, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v12611",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12611k3s2",children:"Changes since v1.26.11+k3s2:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Runtimes backport ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9014",children:"(#9014)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Added runtime classes for wasm/nvidia/crun"}),"\n",(0,i.jsx)(s.li,{children:"Added default runtime flag for containerd"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd/runc to v1.7.10-k3s1/v1.1.10 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8964",children:"(#8964)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix overlapping address range ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9019",children:"(#9019)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Allow setting default-runtime on servers ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9028",children:"(#9028)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd to v1.7.11 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9042",children:"(#9042)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.12-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9077",children:"(#9077)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12611k3s2",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.11+k3s2",children:"v1.26.11+k3s2"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.11, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v12610",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12610k3s2",children:"Changes since v1.26.10+k3s2:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Etcd status condition ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8820",children:"(#8820)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2023-11 release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8879",children:"(#8879)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["New timezone info in Docker image allows the use of ",(0,i.jsx)(s.code,{children:"spec.timeZone"})," in CronJobs"]}),"\n",(0,i.jsx)(s.li,{children:"Bumped kine to v0.11.0 to resolve issues with postgres and NATS, fix performance of watch channels under heavy load, and improve compatibility with the reference implementation."}),"\n",(0,i.jsxs)(s.li,{children:["Containerd may now be configured to use rdt or blockio configuration by defining ",(0,i.jsx)(s.code,{children:"rdt_config.yaml"})," or ",(0,i.jsx)(s.code,{children:"blockio_config.yaml"})," files."]}),"\n",(0,i.jsx)(s.li,{children:"Add agent flag disable-apiserver-lb, agent will not start load balance proxy."}),"\n",(0,i.jsx)(s.li,{children:"Improved ingress IP ordering from ServiceLB"}),"\n",(0,i.jsx)(s.li,{children:"Disable helm CRD installation for disable-helm-controller"}),"\n",(0,i.jsx)(s.li,{children:"Omit snapshot list configmap entries for snapshots without extra metadata"}),"\n",(0,i.jsx)(s.li,{children:"Add jitter to client config retry to avoid hammering servers when they are starting up"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Add warning for removal of multiclustercidr flag ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8760",children:"(#8760)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Handle nil pointer when runtime core is not ready in etcd ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8888",children:"(#8888)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Improve dualStack log ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8829",children:"(#8829)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump dynamiclistener; reduce snapshot controller log spew ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8903",children:"(#8903)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Bumped dynamiclistener to address a race condition that could cause a server to fail to sync its certificates into the Kubernetes secret"}),"\n",(0,i.jsx)(s.li,{children:"Reduced etcd snapshot log spam during initial cluster startup"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix etcd snapshot S3 issues ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8938",children:"(#8938)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Don't apply S3 retention if S3 client failed to initialize"}),"\n",(0,i.jsx)(s.li,{children:"Don't request metadata when listing S3 snapshots"}),"\n",(0,i.jsx)(s.li,{children:"Print key instead of file path in snapshot metadata log message"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.11 and Go to 1.20.11 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8922",children:"(#8922)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove s390x ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9000",children:"(#9000)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12610k3s2",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.10+k3s2",children:"v1.26.10+k3s2"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.10, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v12610",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12610k3s1",children:"Changes since v1.26.10+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Fix SystemdCgroup in templates_linux.go ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8766",children:"(#8766)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fixed an issue with identifying additional container runtimes"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update traefik chart to v25.0.0 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8776",children:"(#8776)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update traefik to fix registry value ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8790",children:"(#8790)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12610k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.10+k3s1",children:"v1.26.10+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.10, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1269",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1269k3s1",children:"Changes since v1.26.9+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Fix error reporting ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8412",children:"(#8412)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add context to flannel errors ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8420",children:"(#8420)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Testing Backports for September ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8300",children:"(#8300)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Include the interface name in the error message ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8436",children:"(#8436)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update kube-router ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8444",children:"(#8444)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add extraArgs to tailscale ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8465",children:"(#8465)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Added error when cluster reset while using server flag ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8456",children:"(#8456)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The user will receive a error when --cluster-reset with the --server flag"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Cluster reset from non bootstrap nodes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8453",children:"(#8453)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix spellcheck problem ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8510",children:"(#8510)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Take IPFamily precedence based on order ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8505",children:"(#8505)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Network defaults are duplicated, remove one ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8552",children:"(#8552)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Advertise address integration test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8517",children:"(#8517)"})]}),"\n",(0,i.jsxs)(s.li,{children:["System agent push tags fix ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8570",children:"(#8570)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fixed tailscale node IP dualstack mode in case of IPv4 only node ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8559",children:"(#8559)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Server Token Rotation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8577",children:"(#8577)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Users can now rotate the server token using ",(0,i.jsx)(s.code,{children:"k3s token rotate -t --new-token "}),". After command succeeds, all server nodes must be restarted with the new token."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Clear remove annotations on cluster reset ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8590",children:"(#8590)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fixed an issue that could cause k3s to attempt to remove members from the etcd cluster immediately following a cluster-reset/restore, if they were queued for removal at the time the snapshot was taken."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Use IPv6 in case is the first configured IP with dualstack ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8598",children:"(#8598)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2023-10 release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8616",children:"(#8616)"})]}),"\n",(0,i.jsxs)(s.li,{children:["E2E Domain Drone Cleanup ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8583",children:"(#8583)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update kube-router package in build script ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8635",children:"(#8635)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add etcd-only/control-plane-only server test and fix control-plane-only server crash ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8643",children:"(#8643)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Use ",(0,i.jsx)(s.code,{children:"version.Program"})," not K3s in token rotate logs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8655",children:"(#8655)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Windows agent support ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8647",children:"(#8647)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add --image-service-endpoint flag (#8279) ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8663",children:"(#8663)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Add ",(0,i.jsx)(s.code,{children:"--image-service-endpoint"})," flag to specify an external image service socket."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Backport etcd fixes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8691",children:"(#8691)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Re-enable etcd endpoint auto-sync"}),"\n",(0,i.jsx)(s.li,{children:"Manually requeue configmap reconcile when no nodes have reconciled snapshots"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.10 and Go to v1.20.10 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8680",children:"(#8680)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix s3 snapshot restore ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8734",children:"(#8734)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1269k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.9+k3s1",children:"v1.26.9+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.9, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1268",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1268k3s1",children:"Changes since v1.26.8+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Bump kine to v0.10.3 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8325",children:"(#8325)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.9 and go to v1.20.8 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8357",children:"(#8357)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Bump embedded containerd to v1.7.6"}),"\n",(0,i.jsx)(s.li,{children:"Bump embedded stargz-snapshotter plugin to latest"}),"\n",(0,i.jsx)(s.li,{children:"Fixed intermittent drone CI failures due to race conditions in test environment setup scripts"}),"\n",(0,i.jsx)(s.li,{children:"Fixed CI failures due to changes to api discovery changes in Kubernetes 1.28"}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1268k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.8+k3s1",children:"v1.26.8+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.8, and fixes a number of issues."}),"\n",(0,i.jsx)(s.admonition,{title:"Important",type:"warning",children:(0,i.jsxs)(s.p,{children:["This release includes support for remediating CVE-2023-32187, a potential Denial of Service attack vector on K3s servers. See ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2",children:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2"})," for more information, including mandatory steps necessary to harden clusters against this vulnerability."]})}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1267",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1267k3s1",children:"Changes since v1.26.7+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Update flannel and plugins ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8075",children:"(#8075)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix tailscale bug with ip modes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8097",children:"(#8097)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Etcd snapshots retention when node name changes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8122",children:"(#8122)"})]}),"\n",(0,i.jsxs)(s.li,{children:["August Test Backports ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8126",children:"(#8126)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2023-08 release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8129",children:"(#8129)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"K3s's external apiserver listener now declines to add to its certificate any subject names not associated with the kubernetes apiserver service, server nodes, or values of the --tls-san option. This prevents the certificate's SAN list from being filled with unwanted entries."}),"\n",(0,i.jsxs)(s.li,{children:["K3s no longer enables the apiserver's ",(0,i.jsx)(s.code,{children:"enable-aggregator-routing"})," flag when the egress proxy is not being used to route connections to in-cluster endpoints."]}),"\n",(0,i.jsx)(s.li,{children:"Updated the embedded containerd to v1.7.3+k3s1"}),"\n",(0,i.jsx)(s.li,{children:"Updated the embedded runc to v1.1.8"}),"\n",(0,i.jsx)(s.li,{children:"Updated the embedded etcd to v3.5.9+k3s1"}),"\n",(0,i.jsxs)(s.li,{children:["User-provided containerd config templates may now use ",(0,i.jsx)(s.code,{children:'{{ template "base" . }}'})," to include the default K3s template content. This makes it easier to maintain user configuration if the only need is to add additional sections to the file."]}),"\n",(0,i.jsx)(s.li,{children:"Bump docker/docker module version to fix issues with cri-dockerd caused by recent releases of golang rejecting invalid host headers sent by the docker client."}),"\n",(0,i.jsx)(s.li,{children:"Updated kine to v0.10.2"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["K3s etcd-snapshot delete fail to delete local file when called with s3 flag ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8144",children:"(#8144)"})]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Fix for cluster-reset backup from s3 when etcd snapshots are disabled ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8170",children:"(#8170)"})]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fixed the etcd retention to delete orphaned snapshots based on the date ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8189",children:"(#8189)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Additional backports for 2023-08 release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8212",children:"(#8212)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The version of ",(0,i.jsx)(s.code,{children:"helm"})," used by the bundled helm controller's job image has been updated to v3.12.3"]}),"\n",(0,i.jsx)(s.li,{children:"Bumped dynamiclistener to address an issue that could cause the apiserver/supervisor listener on 6443 to stop serving requests on etcd-only nodes."}),"\n",(0,i.jsx)(s.li,{children:"The K3s external apiserver/supervisor listener on 6443 now sends a complete certificate chain in the TLS handshake."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Move flannel to 0.22.2 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8222",children:"(#8222)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.8 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8235",children:"(#8235)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add new CLI flag to enable TLS SAN CN filtering ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8258",children:"(#8258)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Added a new ",(0,i.jsx)(s.code,{children:"--tls-san-security"})," option. This flag defaults to false, but can be set to true to disable automatically adding SANs to the server's TLS certificate to satisfy any hostname requested by a client."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Add RWMutex to address controller ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8274",children:"(#8274)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1267k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.7+k3s1",children:"v1.26.7+k3s1"})]}),"\n",(0,i.jsxs)(s.p,{children:["This release updates Kubernetes to v1.26.7, and fixes a number of issues.\r\n\u200b\r\nFor more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1266",children:"Kubernetes release notes"}),".\r\n\u200b"]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1266k3s1",children:"Changes since v1.26.6+k3s1:"}),"\n",(0,i.jsx)(s.p,{children:"\u200b"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Remove file_windows.go ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7855",children:"(#7855)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix code spell check ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7859",children:"(#7859)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Allow k3s to customize apiServerPort on helm-controller ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7874",children:"(#7874)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Check if we are on ipv4, ipv6 or dualStack when doing tailscale ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7882",children:"(#7882)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Support setting control server URL for Tailscale. ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7893",children:"(#7893)"})]}),"\n",(0,i.jsxs)(s.li,{children:["S3 and Startup tests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7885",children:"(#7885)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix rootless node password ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7901",children:"(#7901)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2023-07 release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7908",children:"(#7908)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Resolved an issue that caused agents joined with kubeadm-style bootstrap tokens to fail to rejoin the cluster when their node object is deleted."}),"\n",(0,i.jsxs)(s.li,{children:["The ",(0,i.jsx)(s.code,{children:"k3s certificate rotate-ca"})," command now supports the data-dir flag."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Adding cli to custom klipper helm image ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7914",children:"(#7914)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The default helm-controller job image can now be overridden with the --helm-job-image CLI flag"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Generation of certs and keys for etcd gated if etcd is disabled ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7944",children:"(#7944)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Don't use zgrep in ",(0,i.jsx)(s.code,{children:"check-config"})," if apparmor profile is enforced ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7956",children:"(#7956)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix image_scan.sh script and download trivy version (#7950) ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7968",children:"(#7968)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Adjust default kubeconfig file permissions ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7983",children:"(#7983)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.7 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8022",children:"(#8022)"}),"\r\n\u200b"]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1266k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.6+k3s1",children:"v1.26.6+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.6, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1265",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1265k3s1",children:"Changes since v1.26.5+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Update flannel version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7648",children:"(#7648)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump vagrant libvirt with fix for plugin installs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7658",children:"(#7658)"})]}),"\n",(0,i.jsxs)(s.li,{children:["E2E and Dep Backports - June ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7693",children:"(#7693)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Bump docker go.mod #7681"}),"\n",(0,i.jsx)(s.li,{children:"Shortcircuit commands with version or help flags #7683"}),"\n",(0,i.jsx)(s.li,{children:"Add Rotation certification Check, remove func to restart agents #7097"}),"\n",(0,i.jsx)(s.li,{children:"E2E: Sudo for RunCmdOnNode #7686"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["VPN integration ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7727",children:"(#7727)"})]}),"\n",(0,i.jsxs)(s.li,{children:["E2e: Private registry test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7721",children:"(#7721)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix spelling check ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7751",children:"(#7751)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove unused libvirt config ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7757",children:"(#7757)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backport version bumps and bugfixes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7717",children:"(#7717)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The bundled metrics-server has been bumped to v0.6.3, and now uses only secure TLS ciphers by default."}),"\n",(0,i.jsxs)(s.li,{children:["The ",(0,i.jsx)(s.code,{children:"coredns-custom"})," ConfigMap now allows for ",(0,i.jsx)(s.code,{children:"*.override"})," sections to be included in the ",(0,i.jsx)(s.code,{children:".:53"})," default server block."]}),"\n",(0,i.jsx)(s.li,{children:"The K3s core controllers (supervisor, deploy, and helm) no longer use the admin kubeconfig. This makes it easier to determine from access and audit logs which actions are performed by the system, and which are performed by an administrative user."}),"\n",(0,i.jsx)(s.li,{children:"Bumped klipper-lb image to v0.4.4 to resolve an issue that prevented access to ServiceLB ports from localhost when the Service ExternalTrafficPolicy was set to Local."}),"\n",(0,i.jsx)(s.li,{children:"Make LB image configurable when compiling k3s"}),"\n",(0,i.jsx)(s.li,{children:"K3s now allows nodes to join the cluster even if the node password secret cannot be created at the time the node joins. The secret create will be retried in the background. This resolves a potential deadlock created by fail-closed validating webhooks that block secret creation, where the webhook is unavailable until new nodes join the cluster to run the webhook pod."}),"\n",(0,i.jsx)(s.li,{children:"The bundled containerd's aufs/devmapper/zfs snapshotter plugins have been restored. These were unintentionally omitted when moving containerd back into the k3s multicall binary in the previous release."}),"\n",(0,i.jsx)(s.li,{children:"The embedded helm controller has been bumped to v0.15.0, and now supports creating the chart's target namespace if it does not exist."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Add format command on makefile ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7762",children:"(#7762)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix logging and cleanup in Tailscale ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7782",children:"(#7782)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update Kubernetes to v1.26.6 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7789",children:"(#7789)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1265k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.5+k3s1",children:"v1.26.5+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.5, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1264",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1264k3s1",children:"Changes since v1.26.4+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Ensure that klog verbosity is set to the same level as logrus ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7360",children:"(#7360)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Prepend release branch to dependabot ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7374",children:"(#7374)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add integration tests for etc-snapshot server flags ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7377",children:"(#7377)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump Runc and Containerd ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7399",children:"(#7399)"})]}),"\n",(0,i.jsxs)(s.li,{children:["CLI + Config Enhancement ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7403",children:"(#7403)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:[(0,i.jsx)(s.code,{children:"--Tls-sans"})," now accepts multiple arguments: ",(0,i.jsx)(s.code,{children:'--tls-sans="foo,bar"'})]}),"\n",(0,i.jsxs)(s.li,{children:[(0,i.jsx)(s.code,{children:"Prefer-bundled-bin: true"})," now works properly when set in ",(0,i.jsx)(s.code,{children:"config.yaml.d"})," files"]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Migrate netutil methods into /utils/net.go ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7432",children:"(#7432)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump kube-router version to fix a bug when a port name is used ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7460",children:"(#7460)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Kube flags and longhorn storage tests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7465",children:"(#7465)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Local-storage: Fix permission ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7474",children:"(#7474)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd to v1.7.0 and move back into multicall binary ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7444",children:"(#7444)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The embedded containerd version has been bumped to ",(0,i.jsx)(s.code,{children:"v1.7.0-k3s1"}),", and has been reintegrated into the main k3s binary for a significant savings in release artifact size."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Backport version bumps and bugfixes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7514",children:"(#7514)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:'K3s now retries the cluster join operation when receiving a "too many learners" error from etcd. This most frequently occurred when attempting to add multiple servers at the same time.'}),"\n",(0,i.jsx)(s.li,{children:"K3s once again supports aarch64 nodes with page size > 4k"}),"\n",(0,i.jsx)(s.li,{children:"The packaged Traefik version has been bumped to v2.9.10 / chart 21.2.0"}),"\n",(0,i.jsxs)(s.li,{children:["K3s now prints a more meaningful error when attempting to run from a filesystem mounted ",(0,i.jsx)(s.code,{children:"noexec"}),"."]}),"\n",(0,i.jsxs)(s.li,{children:["K3s now exits with a proper error message when the server token uses a bootstrap token ",(0,i.jsx)(s.code,{children:"id.secret"})," format."]}),"\n",(0,i.jsx)(s.li,{children:"Fixed an issue where Addon, HelmChart, and HelmChartConfig CRDs were created without structural schema, allowing the creation of custom resources of these types with invalid content."}),"\n",(0,i.jsx)(s.li,{children:"Servers started with the (experimental) --disable-agent flag no longer attempt to run the tunnel authorizer agent component."}),"\n",(0,i.jsx)(s.li,{children:"Fixed an regression that prevented the pod and cluster egress-selector modes from working properly."}),"\n",(0,i.jsx)(s.li,{children:"K3s now correctly passes through etcd-args to the temporary etcd that is used to extract cluster bootstrap data when restarting managed etcd nodes."}),"\n",(0,i.jsx)(s.li,{children:"K3s now properly handles errors obtaining the current etcd cluster member list when a new server is joining the managed etcd cluster."}),"\n",(0,i.jsxs)(s.li,{children:["The embedded kine version has been bumped to v0.10.1. This replaces the legacy ",(0,i.jsx)(s.code,{children:"lib/pq"})," postgres driver with ",(0,i.jsx)(s.code,{children:"pgx"}),"."]}),"\n",(0,i.jsx)(s.li,{children:"The bundled CNI plugins have been upgraded to v1.2.0-k3s1. The bandwidth and firewall plugins are now included in the bundle."}),"\n",(0,i.jsx)(s.li,{children:"The embedded Helm controller now supports authenticating to chart repositories via credentials stored in a Secret, as well as passing repo CAs via ConfigMap."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd/runc to v1.7.1-k3s1/v1.1.7 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7534",children:"(#7534)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The bundled containerd and runc versions have been bumped to v1.7.1-k3s1/v1.1.7"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Wrap error stating that it is coming from netpol ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7547",children:"(#7547)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add '-all' flag to apply to inactive units ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7573",children:"(#7573)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.5-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7576",children:"(#7576)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Pin emicklei/go-restful to v3.9.0 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7598",children:"(#7598)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1264k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.4+k3s1",children:"v1.26.4+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.4, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1263",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1263k3s1",children:"Changes since v1.26.3+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Enhance ",(0,i.jsx)(s.code,{children:"k3s check-config"})," ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7091",children:"(#7091)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update stable channel to v1.25.8+k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7161",children:"(#7161)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Drone Pipelines enhancement ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7169",children:"(#7169)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix_get_sha_url ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7187",children:"(#7187)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Improve Updatecli local-path-provisioner pipeline ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7181",children:"(#7181)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Improve workflow ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7142",children:"(#7142)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Improve Trivy configuration ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7154",children:"(#7154)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump Local Path Provisioner version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7167",children:"(#7167)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The bundled local-path-provisioner version has been bumped to v0.0.24"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump etcd to v3.5.7 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7170",children:"(#7170)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded etcd version has been bumped to v3.5.7"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump runc to v1.1.5 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7171",children:"(#7171)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The bundled runc version has been bumped to v1.1.5"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix race condition caused by etcd advertising addresses that it does not listen on ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7147",children:"(#7147)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fixed a race condition during cluster reset that could cause the operation to hang and time out."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump coredns to v1.10.1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7168",children:"(#7168)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The bundled coredns version has been bumped to v1.10.1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Don't apply hardened args to agent ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7089",children:"(#7089)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Upgrade helm-controller to v0.13.3 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7209",children:"(#7209)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Improve Klipper Helm and Helm controller bumps ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7146",children:"(#7146)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix issue with stale connections to removed LB server ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7194",children:"(#7194)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The client load-balancer that maintains connections to active server nodes now closes connections to servers when they are removed from the cluster. This ensures that agent components immediately reconnect to a current cluster member."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump actions/setup-go from 3 to 4 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7111",children:"(#7111)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Lock bootstrap data with empty key to prevent conflicts ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7215",children:"(#7215)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"When using an external datastore, K3s now locks the bootstrap key while creating initial cluster bootstrap data, preventing a race condition when multiple servers attempted to initialize the cluster simultaneously."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Updated kube-router to move the default ACCEPT rule at the end of the chain ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7218",children:"(#7218)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded kube-router controller has been updated to fix a regression that caused traffic from pods to be blocked by any default drop/deny rules present on the host. Users should still confirm that any externally-managed firewall rules explicitly allow traffic to/from pod and service networks, but this returns the old behavior that was relied upon by some users."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Add make commands to terraform automation and fix external dbs related issue ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7159",children:"(#7159)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update klipper lb to v0.4.2 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7210",children:"(#7210)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add coreos and sle micro to selinux support ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6945",children:"(#6945)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix call for k3s-selinux versions in airgapped environments ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7264",children:"(#7264)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update Kube-router ACCEPT rule insertion and install script to clean rules before start ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7274",children:"(#7274)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded kube-router controller has been updated to fix a regression that caused traffic from pods to be blocked by any default drop/deny rules present on the host. Users should still confirm that any externally-managed firewall rules explicitly allow traffic to/from pod and service networks, but this returns the old behavior that was relied upon by some users."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.4-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7282",children:"(#7282)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump golang",":alpine"," image version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7292",children:"(#7292)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump Sonobuoy version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7256",children:"(#7256)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump Trivy version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7257",children:"(#7257)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1263k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.3+k3s1",children:"v1.26.3+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.3, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1262",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1262k3s1",children:"Changes since v1.26.2+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Add E2E to Drone ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6890",children:"(#6890)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add flannel adr ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6973",children:"(#6973)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update flannel and kube-router ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7039",children:"(#7039)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump various dependencies for CVEs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7044",children:"(#7044)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Adds a warning about editing to the containerd config.toml file ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7057",children:"(#7057)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update stable version in channel server ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7066",children:"(#7066)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Wait for kubelet port to be ready before setting ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7041",children:"(#7041)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The agent tunnel authorizer now waits for the kubelet to be ready before reading the kubelet port from the node object."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Improve support for rotating the default self-signed certs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7032",children:"(#7032)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The ",(0,i.jsx)(s.code,{children:"k3s certificate rotate-ca"})," checks now support rotating self-signed certificates without the ",(0,i.jsx)(s.code,{children:"--force"})," option."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Skip all pipelines based on what is in the PR ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6996",children:"(#6996)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add missing kernel config checks ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6946",children:"(#6946)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove deprecated nodeSelector label beta.kubernetes.io/os ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6970",children:"(#6970)"})]}),"\n",(0,i.jsxs)(s.li,{children:["MultiClusterCIDR for v1.26 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6885",children:"(#6885)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"MultiClusterCIDR feature"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Remove Nikolai from MAINTAINERS list ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7088",children:"(#7088)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add automation for Restart command for K3s ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7002",children:"(#7002)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix to Rotate CA e2e test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7101",children:"(#7101)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Drone: Cleanup E2E VMs on test panic ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7104",children:"(#7104)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.3-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7108",children:"(#7108)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Pin golangci-lint version to v1.51.2 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7113",children:"(#7113)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Clean E2E VMs before testing ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7109",children:"(#7109)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update flannel to fix NAT issue with old iptables version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7136",children:"(#7136)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1262k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.2+k3s1",children:"v1.26.2+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.2, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1261",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1261k3s1",children:"Changes since v1.26.1+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Add build tag to disable cri-dockerd ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6760",children:"(#6760)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump cri-dockerd ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6797",children:"(#6797)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded cri-dockerd has been updated to v0.3.1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update stable channel to v1.25.6+k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6828",children:"(#6828)"})]}),"\n",(0,i.jsxs)(s.li,{children:["E2E Rancher and Hardened script improvements ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6778",children:"(#6778)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add Ayedo to Adopters ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6801",children:"(#6801)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Consolidate E2E tests and GH Actions ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6772",children:"(#6772)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Allow ServiceLB to honor ",(0,i.jsx)(s.code,{children:"ExternalTrafficPolicy=Local"})," ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6726",children:"(#6726)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"ServiceLB now honors the Service's ExternalTrafficPolicy. When set to Local, the LoadBalancer will only advertise addresses of Nodes with a Pod for the Service, and will not forward traffic to other cluster members."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix cronjob example ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6707",children:"(#6707)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump vagrant boxes to fedora37 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6832",children:"(#6832)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Ensure flag type consistency ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6852",children:"(#6852)"})]}),"\n",(0,i.jsxs)(s.li,{children:["E2E: Consoldiate docker and prefer bundled tests into new startup test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6851",children:"(#6851)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix reference to documentation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6860",children:"(#6860)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump deps: trivy, sonobuoy, dapper, golangci-lint, gopls ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6807",children:"(#6807)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix check for (open)SUSE version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6791",children:"(#6791)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add support for user-provided CA certificates ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6615",children:"(#6615)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["K3s now functions properly when the cluster CA certificates are signed by an existing root or intermediate CA. You can find a sample script for generating such certificates before K3s starts in the github repo at ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/blob/master/contrib/util/certs.sh",children:"contrib/util/certs.sh"}),"."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Ignore value conflicts when reencrypting secrets ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6850",children:"(#6850)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add ",(0,i.jsx)(s.code,{children:"kubeadm"})," style bootstrap token secret support ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6663",children:"(#6663)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["K3s now supports ",(0,i.jsx)(s.code,{children:"kubeadm"})," style join tokens. ",(0,i.jsx)(s.code,{children:"k3s token create"})," now creates join token secrets, optionally with a limited TTL."]}),"\n",(0,i.jsx)(s.li,{children:"K3s agents joined with an expired or deleted token stay in the cluster using existing client certificates via the NodeAuthorization admission plugin, unless their Node object is deleted from the cluster."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Add NATS to the list of supported data stores ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6876",children:"(#6876)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Use default address family when adding kubernetes service address to SAN list ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6857",children:"(#6857)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The apiserver advertised address and IP SAN entry are now set correctly on clusters that use IPv6 as the default IP family."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix issue with servicelb startup failure when validating webhooks block creation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6911",children:"(#6911)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded cloud controller manager will no longer attempt to unconditionally re-create its namespace and serviceaccount on startup. This resolves an issue that could cause a deadlocked cluster when fail-closed webhooks are in use."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix access to hostNetwork port on NodeIP when egress-selector-mode=agent ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6829",children:"(#6829)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fixed an issue that would cause the apiserver egress proxy to attempt to use the agent tunnel to connect to service endpoints even in agent or disabled mode."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Wait for server to become ready before creating token ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6932",children:"(#6932)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Allow for multiple sets of leader-elected controllers ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6922",children:"(#6922)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fixed an issue where leader-elected controllers for managed etcd did not run on etcd-only nodes"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update Flannel to v0.21.1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6944",children:"(#6944)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix Nightly E2E tests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6950",children:"(#6950)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix etcd and ca-cert rotate issues ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6952",children:"(#6952)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix ServiceLB dual-stack ingress IP listing ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6979",children:"(#6979)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Resolved an issue with ServiceLB that would cause it to advertise node IPv6 addresses, even if the cluster or service was not enabled for dual-stack operation."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump kine to v0.9.9 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6974",children:"(#6974)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The embedded kine version has been bumped to v0.9.9. Compaction log messages are now omitted at ",(0,i.jsx)(s.code,{children:"info"})," level for increased visibility."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.2-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7011",children:"(#7011)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1261k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.1+k3s1",children:"v1.26.1+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.1, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1260",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1260k3s2",children:"Changes since v1.26.0+k3s2:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Add jitter to scheduled snapshots and retry harder on conflicts ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6715",children:"(#6715)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Scheduled etcd snapshots are now offset by a short random delay of up to several seconds. This should prevent multi-server clusters from executing pathological behavior when attempting to simultaneously update the snapshot list ConfigMap. The snapshot controller will also be more persistent in attempting to update the snapshot list."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Adjust e2e test run script and fixes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6718",children:"(#6718)"})]}),"\n",(0,i.jsxs)(s.li,{children:["RIP Codespell ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6701",children:"(#6701)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump alpine from 3.16 to 3.17 in /package ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6688",children:"(#6688)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump alpine from 3.16 to 3.17 in /conformance ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6687",children:"(#6687)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd to v1.6.15-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6722",children:"(#6722)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded containerd version has been bumped to v1.6.15-k3s1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Containerd restart testlet ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6696",children:"(#6696)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump ubuntu from 20.04 to 22.04 in /tests/e2e/scripts ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6686",children:"(#6686)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add explicit read permissions to workflows ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6700",children:"(#6700)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Pass through default tls-cipher-suites ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6725",children:"(#6725)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The K3s default cipher suites are now explicitly passed in to kube-apiserver, ensuring that all listeners use these values."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump golang",":alpine"," image version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6683",children:"(#6683)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bugfix: do not break cert-manager when pprof is enabled ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6635",children:"(#6635)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix CI tests on Alpine 3.17 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6744",children:"(#6744)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update Stable to 1.25.5+k3s2 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6753",children:"(#6753)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump action/download-artifact to v3 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6746",children:"(#6746)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Generate report and upload test results ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6737",children:"(#6737)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Slow dependency CI to weekly ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6764",children:"(#6764)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix Drone plugins/docker tag for 32 bit arm ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6769",children:"(#6769)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.1-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6774",children:"(#6774)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1260k3s2",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.0+k3s2",children:"v1.26.0+k3s2"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates containerd to v1.6.14 to resolve an issue where pods would lose their CNI information when containerd was restarted, as well as a number of other stability and administrative changes."}),"\n",(0,i.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1260k3s1",children:"Changes since v1.26.0+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Current status badges ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6653",children:"(#6653)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add initial Updatecli ADR automation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6583",children:"(#6583)"})]}),"\n",(0,i.jsxs)(s.li,{children:["December 2022 channels update ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6618",children:"(#6618)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Change Updatecli GH action reference branch ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6682",children:"(#6682)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix OpenRC init script error 'openrc-run.sh: source: not found' ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6614",children:"(#6614)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add Dependabot config for security ADR ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6560",children:"(#6560)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd to v1.6.14-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6693",children:"(#6693)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The embedded containerd version has been bumped to v1.6.14-k3s1. This includes a backported fix for ",(0,i.jsx)(s.a,{href:"https://github.com/containerd/containerd/issues/7843",children:"containerd/7843"})," which caused pods to lose their CNI info when containerd was restarted, which in turn caused the kubelet to recreate the pod."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Exclude December r1 releases from channel server ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6706",children:"(#6706)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1260k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.0+k3s1",children:"v1.26.0+k3s1"})]}),"\n",(0,i.jsxs)(s.blockquote,{children:["\n",(0,i.jsx)(s.h2,{id:"\ufe0f-warning",children:"\u26a0\ufe0f WARNING"}),"\n",(0,i.jsxs)(s.p,{children:["This release is affected by ",(0,i.jsx)(s.a,{href:"https://github.com/containerd/containerd/issues/7843",children:"https://github.com/containerd/containerd/issues/7843"}),", which causes the kubelet to restart all pods whenever K3s is restarted. For this reason, we have removed this K3s release from the channel server. Please use ",(0,i.jsx)(s.code,{children:"v1.26.0+k3s2"})," instead."]}),"\n"]}),"\n",(0,i.jsx)(s.p,{children:"This release is K3S's first in the v1.26 line. This release updates Kubernetes to v1.26.0."}),"\n",(0,i.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1255k3s1",children:"Changes since v1.25.5+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Remove deprecated flags in v1.26 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6574",children:"(#6574)"})]}),"\n",(0,i.jsxs)(s.li,{children:['Using "etcd-snapshot" for saving snapshots is now deprecated, use "etcd-snapshot save" instead. ',(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6575",children:"(#6575)"})]}),"\n",(0,i.jsx)(s.li,{children:"Update to v1.26.0-k3s1"}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Update kubernetes to v1.26.0-k3s1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Update cri-tools to v1.26.0-rc.0-k3s1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Update helm controller to v0.13.1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Update etcd to v3.5.5-k3s1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Update cri-dockerd to the latest 1.26.0"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Update cadvisor"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Update containerd to v1.6.12-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6370",children:"(#6370)"})]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Preload iptable_filter/ip6table_filter ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6645",children:"(#6645)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump k3s-root version to v0.12.1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6651",children:"(#6651)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{})]})}function o(e={}){const{wrapper:s}={...(0,r.a)(),...e.components};return s?(0,i.jsx)(s,{...e,children:(0,i.jsx)(a,{...e})}):a(e)}},1151:(e,s,t)=>{t.d(s,{Z:()=>h,a:()=>l});var i=t(7294);const r={},n=i.createContext(r);function l(e){const s=i.useContext(n);return i.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function h(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:l(e.components),i.createElement(n.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/105936f9.c2eec2a9.js b/kr/assets/js/105936f9.c2eec2a9.js new file mode 100644 index 000000000..70e0743aa --- /dev/null +++ b/kr/assets/js/105936f9.c2eec2a9.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[3217],{2262:(e,r,n)=>{n.r(r),n.d(r,{assets:()=>o,contentTitle:()=>l,default:()=>h,frontMatter:()=>i,metadata:()=>d,toc:()=>a});var s=n(5893),t=n(1151);const i={title:"Resource Profiling"},l=void 0,d={id:"reference/resource-profiling",title:"Resource Profiling",description:"This section captures the results of tests to determine minimum resource requirements for K3s.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/reference/resource-profiling.md",sourceDirName:"reference",slug:"/reference/resource-profiling",permalink:"/kr/reference/resource-profiling",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/reference/resource-profiling.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Resource Profiling"},sidebar:"mySidebar",previous:{title:"Flag Deprecation",permalink:"/kr/reference/flag-deprecation"},next:{title:"v1.30.X",permalink:"/kr/release-notes/v1.30.X"}},o={},a=[{value:"Scope of Resource Testing",id:"scope-of-resource-testing",level:2},{value:"Components Included for Baseline Measurements",id:"components-included-for-baseline-measurements",level:2},{value:"Methodology",id:"methodology",level:2},{value:"Environment",id:"environment",level:2},{value:"Baseline Resource Requirements",id:"baseline-resource-requirements",level:2},{value:"K3s Server with a Workload",id:"k3s-server-with-a-workload",level:3},{value:"K3s Cluster with a Single Agent",id:"k3s-cluster-with-a-single-agent",level:3},{value:"K3s Agent",id:"k3s-agent",level:3},{value:"Analysis",id:"analysis",level:2},{value:"Primary Resource Utilization Drivers",id:"primary-resource-utilization-drivers",level:3},{value:"Preventing Agents and Workloads from Interfering with the Cluster Datastore",id:"preventing-agents-and-workloads-from-interfering-with-the-cluster-datastore",level:3}];function c(e){const r={a:"a",code:"code",h2:"h2",h3:"h3",li:"li",p:"p",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,t.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(r.p,{children:"This section captures the results of tests to determine minimum resource requirements for K3s."}),"\n",(0,s.jsx)(r.p,{children:"The results are summarized as follows:"}),"\n",(0,s.jsxs)(r.table,{children:[(0,s.jsx)(r.thead,{children:(0,s.jsxs)(r.tr,{children:[(0,s.jsx)(r.th,{children:"Components"}),(0,s.jsx)(r.th,{children:"Processor"}),(0,s.jsx)(r.th,{children:"Min CPU"}),(0,s.jsx)(r.th,{children:"Min RAM with Kine/SQLite"}),(0,s.jsx)(r.th,{children:"Min RAM with Embedded etcd"})]})}),(0,s.jsxs)(r.tbody,{children:[(0,s.jsxs)(r.tr,{children:[(0,s.jsx)(r.td,{children:"K3s server with a workload"}),(0,s.jsx)(r.td,{children:"Intel(R) Xeon(R) Platinum 8124M CPU, 3.00 GHz"}),(0,s.jsx)(r.td,{children:"10% of a core"}),(0,s.jsx)(r.td,{children:"768 M"}),(0,s.jsx)(r.td,{children:"896 M"})]}),(0,s.jsxs)(r.tr,{children:[(0,s.jsx)(r.td,{children:"K3s cluster with a single agent"}),(0,s.jsx)(r.td,{children:"Intel(R) Xeon(R) Platinum 8124M CPU, 3.00 GHz"}),(0,s.jsx)(r.td,{children:"10% of a core"}),(0,s.jsx)(r.td,{children:"512 M"}),(0,s.jsx)(r.td,{children:"768 M"})]}),(0,s.jsxs)(r.tr,{children:[(0,s.jsx)(r.td,{children:"K3s agent"}),(0,s.jsx)(r.td,{children:"Intel(R) Xeon(R) Platinum 8124M CPU, 3.00 GHz"}),(0,s.jsx)(r.td,{children:"5% of a core"}),(0,s.jsx)(r.td,{children:"256 M"}),(0,s.jsx)(r.td,{children:"256 M"})]}),(0,s.jsxs)(r.tr,{children:[(0,s.jsx)(r.td,{children:"K3s server with a workload"}),(0,s.jsx)(r.td,{children:"Pi4B BCM2711, 1.50 GHz"}),(0,s.jsx)(r.td,{children:"20% of a core"}),(0,s.jsx)(r.td,{children:"768 M"}),(0,s.jsx)(r.td,{children:"896 M"})]}),(0,s.jsxs)(r.tr,{children:[(0,s.jsx)(r.td,{children:"K3s cluster with a single agent"}),(0,s.jsx)(r.td,{children:"Pi4B BCM2711, 1.50 GHz"}),(0,s.jsx)(r.td,{children:"20% of a core"}),(0,s.jsx)(r.td,{children:"512 M"}),(0,s.jsx)(r.td,{children:"768 M"})]}),(0,s.jsxs)(r.tr,{children:[(0,s.jsx)(r.td,{children:"K3s agent"}),(0,s.jsx)(r.td,{children:"Pi4B BCM2711, 1.50 GHz"}),(0,s.jsx)(r.td,{children:"10% of a core"}),(0,s.jsx)(r.td,{children:"256 M"}),(0,s.jsx)(r.td,{children:"256 M"})]})]})]}),"\n",(0,s.jsxs)(r.ul,{children:["\n",(0,s.jsx)(r.li,{children:(0,s.jsx)(r.a,{href:"#scope-of-resource-testing",children:"Scope of Resource Testing"})}),"\n",(0,s.jsx)(r.li,{children:(0,s.jsx)(r.a,{href:"#components-included-for-baseline-measurements",children:"Components Included for Baseline Measurements"})}),"\n",(0,s.jsx)(r.li,{children:(0,s.jsx)(r.a,{href:"#methodology",children:"Methodology"})}),"\n",(0,s.jsx)(r.li,{children:(0,s.jsx)(r.a,{href:"#environment",children:"Environment"})}),"\n",(0,s.jsxs)(r.li,{children:[(0,s.jsx)(r.a,{href:"#baseline-resource-requirements",children:"Baseline Resource Requirements"}),"\n",(0,s.jsxs)(r.ul,{children:["\n",(0,s.jsx)(r.li,{children:(0,s.jsx)(r.a,{href:"#k3s-server-with-a-workload",children:"K3s Server with a Workload"})}),"\n",(0,s.jsx)(r.li,{children:(0,s.jsx)(r.a,{href:"#k3s-cluster-with-a-single-agent",children:"K3s Cluster with a Single Agent"})}),"\n",(0,s.jsx)(r.li,{children:(0,s.jsx)(r.a,{href:"#k3s-agent",children:"K3s Agent"})}),"\n"]}),"\n"]}),"\n",(0,s.jsxs)(r.li,{children:[(0,s.jsx)(r.a,{href:"#analysis",children:"Analysis"}),"\n",(0,s.jsxs)(r.ul,{children:["\n",(0,s.jsx)(r.li,{children:(0,s.jsx)(r.a,{href:"#primary-resource-utilization-drivers",children:"Primary Resource Utilization Drivers"})}),"\n",(0,s.jsx)(r.li,{children:(0,s.jsx)(r.a,{href:"#preventing-agents-and-workloads-from-interfering-with-the-cluster-datastore",children:"Preventing Agents and Workloads from Interfering with the Cluster Datastore"})}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,s.jsx)(r.h2,{id:"scope-of-resource-testing",children:"Scope of Resource Testing"}),"\n",(0,s.jsx)(r.p,{children:"The resource tests were intended to address the following problem statements:"}),"\n",(0,s.jsxs)(r.ul,{children:["\n",(0,s.jsx)(r.li,{children:"On a single-node cluster, determine the legitimate minimum amount of CPU, memory, and IOPs that should be set aside to run the entire K3s stack server stack, assuming that a real workload will be deployed on the cluster."}),"\n",(0,s.jsx)(r.li,{children:"On an agent (worker) node, determine the legitimate minimum amount of CPU, memory, and IOPs that should be set aside for the Kubernetes and K3s control plane components (the kubelet and k3s agent)."}),"\n"]}),"\n",(0,s.jsx)(r.h2,{id:"components-included-for-baseline-measurements",children:"Components Included for Baseline Measurements"}),"\n",(0,s.jsx)(r.p,{children:"The tested components are:"}),"\n",(0,s.jsxs)(r.ul,{children:["\n",(0,s.jsx)(r.li,{children:"K3s 1.19.2 with all packaged components enabled"}),"\n",(0,s.jsx)(r.li,{children:"Prometheus + Grafana monitoring stack"}),"\n",(0,s.jsx)(r.li,{children:"Kubernetes Example PHP Guestbook app"}),"\n"]}),"\n",(0,s.jsx)(r.p,{children:"These are baseline figures for a stable system using only K3s packaged components (Traefik Ingress, Klipper lb, local-path storage) running a standard monitoring stack (Prometheus and Grafana) and the Guestbook example app."}),"\n",(0,s.jsx)(r.p,{children:"Resource figures including IOPS are for the Kubernetes datastore and control plane only, and do not include overhead for system-level management agents or logging, container image management, or any workload-specific requirements."}),"\n",(0,s.jsx)(r.h2,{id:"methodology",children:"Methodology"}),"\n",(0,s.jsxs)(r.p,{children:["A standalone instance of Prometheus v2.21.0 was used to collect host CPU, memory, and disk IO statistics using ",(0,s.jsx)(r.code,{children:"prometheus-node-exporter"})," installed via apt."]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.code,{children:"systemd-cgtop"})," was used to spot-check systemd cgroup-level CPU and memory utilization. ",(0,s.jsx)(r.code,{children:"system.slice/k3s.service"})," tracks resource utilization for both K3s and containerd, while individual pods are under the ",(0,s.jsx)(r.code,{children:"kubepods"})," hierarchy."]}),"\n",(0,s.jsxs)(r.p,{children:["Additional detailed K3s memory utilization data was collected from the ",(0,s.jsx)(r.code,{children:"process_resident_memory_bytes"})," and ",(0,s.jsx)(r.code,{children:"go_memstats_alloc_bytes"})," metrics using the kubelet exporter integrated into the server and agent processes."]}),"\n",(0,s.jsx)(r.p,{children:"Utilization figures were based on 95th percentile readings from steady state operation on nodes running the described workloads."}),"\n",(0,s.jsx)(r.h2,{id:"environment",children:"Environment"}),"\n",(0,s.jsx)(r.p,{children:"OS: Ubuntu 20.04 x86_64, aarch64"}),"\n",(0,s.jsx)(r.p,{children:"Hardware:"}),"\n",(0,s.jsxs)(r.ul,{children:["\n",(0,s.jsx)(r.li,{children:"AWS c5d.xlarge - 4 core, 8 GB RAM, NVME SSD"}),"\n",(0,s.jsx)(r.li,{children:"Raspberry Pi 4 Model B - 4 core, 8 GB RAM, Class 10 SDHC"}),"\n"]}),"\n",(0,s.jsx)(r.h2,{id:"baseline-resource-requirements",children:"Baseline Resource Requirements"}),"\n",(0,s.jsx)(r.p,{children:"This section captures the results of tests to determine minimum resource requirements for the K3s agent, the K3s server with a workload, and the K3s server with one agent."}),"\n",(0,s.jsx)(r.h3,{id:"k3s-server-with-a-workload",children:"K3s Server with a Workload"}),"\n",(0,s.jsx)(r.p,{children:"These are the requirements for a single-node cluster in which the K3s server shares resources with a workload."}),"\n",(0,s.jsx)(r.p,{children:"The CPU requirements are:"}),"\n",(0,s.jsxs)(r.table,{children:[(0,s.jsx)(r.thead,{children:(0,s.jsxs)(r.tr,{children:[(0,s.jsx)(r.th,{children:"Resource Requirement"}),(0,s.jsx)(r.th,{children:"Tested Processor"})]})}),(0,s.jsxs)(r.tbody,{children:[(0,s.jsxs)(r.tr,{children:[(0,s.jsx)(r.td,{children:"10% of a core"}),(0,s.jsx)(r.td,{children:"Intel(R) Xeon(R) Platinum 8124M CPU, 3.00 GHz"})]}),(0,s.jsxs)(r.tr,{children:[(0,s.jsx)(r.td,{children:"20% of a core"}),(0,s.jsx)(r.td,{children:"Low-power processor such as Pi4B BCM2711, 1.50 GHz"})]})]})]}),"\n",(0,s.jsx)(r.p,{children:"The IOPS and memory requirements are:"}),"\n",(0,s.jsxs)(r.table,{children:[(0,s.jsx)(r.thead,{children:(0,s.jsxs)(r.tr,{children:[(0,s.jsx)(r.th,{children:"Tested Datastore"}),(0,s.jsx)(r.th,{children:"IOPS"}),(0,s.jsx)(r.th,{children:"KiB/sec"}),(0,s.jsx)(r.th,{children:"Latency"}),(0,s.jsx)(r.th,{children:"RAM"})]})}),(0,s.jsxs)(r.tbody,{children:[(0,s.jsxs)(r.tr,{children:[(0,s.jsx)(r.td,{children:"Kine/SQLite"}),(0,s.jsx)(r.td,{children:"10"}),(0,s.jsx)(r.td,{children:"500"}),(0,s.jsx)(r.td,{children:"< 10 ms"}),(0,s.jsx)(r.td,{children:"768 M"})]}),(0,s.jsxs)(r.tr,{children:[(0,s.jsx)(r.td,{children:"Embedded etcd"}),(0,s.jsx)(r.td,{children:"50"}),(0,s.jsx)(r.td,{children:"250"}),(0,s.jsx)(r.td,{children:"< 5 ms"}),(0,s.jsx)(r.td,{children:"896 M"})]})]})]}),"\n",(0,s.jsx)(r.h3,{id:"k3s-cluster-with-a-single-agent",children:"K3s Cluster with a Single Agent"}),"\n",(0,s.jsx)(r.p,{children:"These are the baseline requirements for a K3s cluster with a K3s server node and a K3s agent, but no workload."}),"\n",(0,s.jsx)(r.p,{children:"The CPU requirements are:"}),"\n",(0,s.jsxs)(r.table,{children:[(0,s.jsx)(r.thead,{children:(0,s.jsxs)(r.tr,{children:[(0,s.jsx)(r.th,{children:"Resource Requirement"}),(0,s.jsx)(r.th,{children:"Tested Processor"})]})}),(0,s.jsxs)(r.tbody,{children:[(0,s.jsxs)(r.tr,{children:[(0,s.jsx)(r.td,{children:"10% of a core"}),(0,s.jsx)(r.td,{children:"Intel(R) Xeon(R) Platinum 8124M CPU, 3.00 GHz"})]}),(0,s.jsxs)(r.tr,{children:[(0,s.jsx)(r.td,{children:"20% of a core"}),(0,s.jsx)(r.td,{children:"Pi4B BCM2711, 1.50 GHz"})]})]})]}),"\n",(0,s.jsx)(r.p,{children:"The IOPS and memory requirements are:"}),"\n",(0,s.jsxs)(r.table,{children:[(0,s.jsx)(r.thead,{children:(0,s.jsxs)(r.tr,{children:[(0,s.jsx)(r.th,{children:"Datastore"}),(0,s.jsx)(r.th,{children:"IOPS"}),(0,s.jsx)(r.th,{children:"KiB/sec"}),(0,s.jsx)(r.th,{children:"Latency"}),(0,s.jsx)(r.th,{children:"RAM"})]})}),(0,s.jsxs)(r.tbody,{children:[(0,s.jsxs)(r.tr,{children:[(0,s.jsx)(r.td,{children:"Kine/SQLite"}),(0,s.jsx)(r.td,{children:"10"}),(0,s.jsx)(r.td,{children:"500"}),(0,s.jsx)(r.td,{children:"< 10 ms"}),(0,s.jsx)(r.td,{children:"512 M"})]}),(0,s.jsxs)(r.tr,{children:[(0,s.jsx)(r.td,{children:"Embedded etcd"}),(0,s.jsx)(r.td,{children:"50"}),(0,s.jsx)(r.td,{children:"250"}),(0,s.jsx)(r.td,{children:"< 5 ms"}),(0,s.jsx)(r.td,{children:"768 M"})]})]})]}),"\n",(0,s.jsx)(r.h3,{id:"k3s-agent",children:"K3s Agent"}),"\n",(0,s.jsx)(r.p,{children:"The CPU requirements are:"}),"\n",(0,s.jsxs)(r.table,{children:[(0,s.jsx)(r.thead,{children:(0,s.jsxs)(r.tr,{children:[(0,s.jsx)(r.th,{children:"Resource Requirement"}),(0,s.jsx)(r.th,{children:"Tested Processor"})]})}),(0,s.jsxs)(r.tbody,{children:[(0,s.jsxs)(r.tr,{children:[(0,s.jsx)(r.td,{children:"5% of a core"}),(0,s.jsx)(r.td,{children:"Intel(R) Xeon(R) Platinum 8124M CPU, 3.00 GHz"})]}),(0,s.jsxs)(r.tr,{children:[(0,s.jsx)(r.td,{children:"10% of a core"}),(0,s.jsx)(r.td,{children:"Pi4B BCM2711, 1.50 GHz"})]})]})]}),"\n",(0,s.jsx)(r.p,{children:"256 M of RAM is required."}),"\n",(0,s.jsx)(r.h2,{id:"analysis",children:"Analysis"}),"\n",(0,s.jsx)(r.p,{children:"This section captures what has the biggest impact on K3s server and agent utilization, and how the cluster datastore can be protected from interference from agents and workloads."}),"\n",(0,s.jsx)(r.h3,{id:"primary-resource-utilization-drivers",children:"Primary Resource Utilization Drivers"}),"\n",(0,s.jsx)(r.p,{children:"K3s server utilization figures are primarily driven by support of the Kubernetes datastore (kine or etcd), API Server, Controller-Manager, and Scheduler control loops, as well as any management tasks necessary to effect changes to the state of the system. Operations that place additional load on the Kubernetes control plane, such as creating/modifying/deleting resources, will cause temporary spikes in utilization. Using operators or apps that make extensive use of the Kubernetes datastore (such as Rancher or other Operator-type applications) will increase the server's resource requirements. Scaling up the cluster by adding additional nodes or creating many cluster resources will increase the server's resource requirements."}),"\n",(0,s.jsx)(r.p,{children:"K3s agent utilization figures are primarily driven by support of container lifecycle management control loops. Operations that involve managing images, provisioning storage, or creating/destroying containers will cause temporary spikes in utilization. Image pulls in particular are typically highly CPU and IO bound, as they involve decompressing image content to disk. If possible, workload storage (pod ephemeral storage and volumes) should be isolated from the agent components (/var/lib/rancher/k3s/agent) to ensure that there are no resource conflicts."}),"\n",(0,s.jsx)(r.h3,{id:"preventing-agents-and-workloads-from-interfering-with-the-cluster-datastore",children:"Preventing Agents and Workloads from Interfering with the Cluster Datastore"}),"\n",(0,s.jsx)(r.p,{children:"When running in an environment where the server is also hosting workload pods, care should be taken to ensure that agent and workload IOPS do not interfere with the datastore."}),"\n",(0,s.jsx)(r.p,{children:"This can be best accomplished by placing the server components (/var/lib/rancher/k3s/server) on a different storage medium than the agent components (/var/lib/rancher/k3s/agent), which include the containerd image store."}),"\n",(0,s.jsx)(r.p,{children:"Workload storage (pod ephemeral storage and volumes) should also be isolated from the datastore."}),"\n",(0,s.jsx)(r.p,{children:"Failure to meet datastore throughput and latency requirements may result in delayed response from the control plane and/or failure of the control plane to maintain system state."})]})}function h(e={}){const{wrapper:r}={...(0,t.a)(),...e.components};return r?(0,s.jsx)(r,{...e,children:(0,s.jsx)(c,{...e})}):c(e)}},1151:(e,r,n)=>{n.d(r,{Z:()=>d,a:()=>l});var s=n(7294);const t={},i=s.createContext(t);function l(e){const r=s.useContext(i);return s.useMemo((function(){return"function"==typeof e?e(r):{...r,...e}}),[r,e])}function d(e){let r;return r=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:l(e.components),s.createElement(i.Provider,{value:r},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/105936f9.cf1e9242.js b/kr/assets/js/105936f9.cf1e9242.js deleted file mode 100644 index 568fce419..000000000 --- a/kr/assets/js/105936f9.cf1e9242.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[3217],{2262:(e,r,n)=>{n.r(r),n.d(r,{assets:()=>o,contentTitle:()=>l,default:()=>h,frontMatter:()=>i,metadata:()=>d,toc:()=>a});var s=n(5893),t=n(1151);const i={title:"Resource Profiling"},l=void 0,d={id:"reference/resource-profiling",title:"Resource Profiling",description:"This section captures the results of tests to determine minimum resource requirements for K3s.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/reference/resource-profiling.md",sourceDirName:"reference",slug:"/reference/resource-profiling",permalink:"/kr/reference/resource-profiling",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/reference/resource-profiling.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Resource Profiling"},sidebar:"mySidebar",previous:{title:"Flag Deprecation",permalink:"/kr/reference/flag-deprecation"},next:{title:"v1.30.X",permalink:"/kr/release-notes/v1.30.X"}},o={},a=[{value:"Scope of Resource Testing",id:"scope-of-resource-testing",level:2},{value:"Components Included for Baseline Measurements",id:"components-included-for-baseline-measurements",level:2},{value:"Methodology",id:"methodology",level:2},{value:"Environment",id:"environment",level:2},{value:"Baseline Resource Requirements",id:"baseline-resource-requirements",level:2},{value:"K3s Server with a Workload",id:"k3s-server-with-a-workload",level:3},{value:"K3s Cluster with a Single Agent",id:"k3s-cluster-with-a-single-agent",level:3},{value:"K3s Agent",id:"k3s-agent",level:3},{value:"Analysis",id:"analysis",level:2},{value:"Primary Resource Utilization Drivers",id:"primary-resource-utilization-drivers",level:3},{value:"Preventing Agents and Workloads from Interfering with the Cluster Datastore",id:"preventing-agents-and-workloads-from-interfering-with-the-cluster-datastore",level:3}];function c(e){const r={a:"a",code:"code",h2:"h2",h3:"h3",li:"li",p:"p",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,t.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(r.p,{children:"This section captures the results of tests to determine minimum resource requirements for K3s."}),"\n",(0,s.jsx)(r.p,{children:"The results are summarized as follows:"}),"\n",(0,s.jsxs)(r.table,{children:[(0,s.jsx)(r.thead,{children:(0,s.jsxs)(r.tr,{children:[(0,s.jsx)(r.th,{children:"Components"}),(0,s.jsx)(r.th,{children:"Processor"}),(0,s.jsx)(r.th,{children:"Min CPU"}),(0,s.jsx)(r.th,{children:"Min RAM with Kine/SQLite"}),(0,s.jsx)(r.th,{children:"Min RAM with Embedded etcd"})]})}),(0,s.jsxs)(r.tbody,{children:[(0,s.jsxs)(r.tr,{children:[(0,s.jsx)(r.td,{children:"K3s server with a workload"}),(0,s.jsx)(r.td,{children:"Intel(R) Xeon(R) Platinum 8124M CPU, 3.00 GHz"}),(0,s.jsx)(r.td,{children:"10% of a core"}),(0,s.jsx)(r.td,{children:"768 M"}),(0,s.jsx)(r.td,{children:"896 M"})]}),(0,s.jsxs)(r.tr,{children:[(0,s.jsx)(r.td,{children:"K3s cluster with a single agent"}),(0,s.jsx)(r.td,{children:"Intel(R) Xeon(R) Platinum 8124M CPU, 3.00 GHz"}),(0,s.jsx)(r.td,{children:"10% of a core"}),(0,s.jsx)(r.td,{children:"512 M"}),(0,s.jsx)(r.td,{children:"768 M"})]}),(0,s.jsxs)(r.tr,{children:[(0,s.jsx)(r.td,{children:"K3s agent"}),(0,s.jsx)(r.td,{children:"Intel(R) Xeon(R) Platinum 8124M CPU, 3.00 GHz"}),(0,s.jsx)(r.td,{children:"5% of a core"}),(0,s.jsx)(r.td,{children:"256 M"}),(0,s.jsx)(r.td,{children:"256 M"})]}),(0,s.jsxs)(r.tr,{children:[(0,s.jsx)(r.td,{children:"K3s server with a workload"}),(0,s.jsx)(r.td,{children:"Pi4B BCM2711, 1.50 GHz"}),(0,s.jsx)(r.td,{children:"20% of a core"}),(0,s.jsx)(r.td,{children:"768 M"}),(0,s.jsx)(r.td,{children:"896 M"})]}),(0,s.jsxs)(r.tr,{children:[(0,s.jsx)(r.td,{children:"K3s cluster with a single agent"}),(0,s.jsx)(r.td,{children:"Pi4B BCM2711, 1.50 GHz"}),(0,s.jsx)(r.td,{children:"20% of a core"}),(0,s.jsx)(r.td,{children:"512 M"}),(0,s.jsx)(r.td,{children:"768 M"})]}),(0,s.jsxs)(r.tr,{children:[(0,s.jsx)(r.td,{children:"K3s agent"}),(0,s.jsx)(r.td,{children:"Pi4B BCM2711, 1.50 GHz"}),(0,s.jsx)(r.td,{children:"10% of a core"}),(0,s.jsx)(r.td,{children:"256 M"}),(0,s.jsx)(r.td,{children:"256 M"})]})]})]}),"\n",(0,s.jsxs)(r.ul,{children:["\n",(0,s.jsx)(r.li,{children:(0,s.jsx)(r.a,{href:"#scope-of-resource-testing",children:"Scope of Resource Testing"})}),"\n",(0,s.jsx)(r.li,{children:(0,s.jsx)(r.a,{href:"#components-included-for-baseline-measurements",children:"Components Included for Baseline Measurements"})}),"\n",(0,s.jsx)(r.li,{children:(0,s.jsx)(r.a,{href:"#methodology",children:"Methodology"})}),"\n",(0,s.jsx)(r.li,{children:(0,s.jsx)(r.a,{href:"#environment",children:"Environment"})}),"\n",(0,s.jsxs)(r.li,{children:[(0,s.jsx)(r.a,{href:"#baseline-resource-requirements",children:"Baseline Resource Requirements"}),"\n",(0,s.jsxs)(r.ul,{children:["\n",(0,s.jsx)(r.li,{children:(0,s.jsx)(r.a,{href:"#k3s-server-with-a-workload",children:"K3s Server with a Workload"})}),"\n",(0,s.jsx)(r.li,{children:(0,s.jsx)(r.a,{href:"#k3s-cluster-with-a-single-agent",children:"K3s Cluster with a Single Agent"})}),"\n",(0,s.jsx)(r.li,{children:(0,s.jsx)(r.a,{href:"#k3s-agent",children:"K3s Agent"})}),"\n"]}),"\n"]}),"\n",(0,s.jsxs)(r.li,{children:[(0,s.jsx)(r.a,{href:"#analysis",children:"Analysis"}),"\n",(0,s.jsxs)(r.ul,{children:["\n",(0,s.jsx)(r.li,{children:(0,s.jsx)(r.a,{href:"#primary-resource-utilization-drivers",children:"Primary Resource Utilization Drivers"})}),"\n",(0,s.jsx)(r.li,{children:(0,s.jsx)(r.a,{href:"#preventing-agents-and-workloads-from-interfering-with-the-cluster-datastore",children:"Preventing Agents and Workloads from Interfering with the Cluster Datastore"})}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,s.jsx)(r.h2,{id:"scope-of-resource-testing",children:"Scope of Resource Testing"}),"\n",(0,s.jsx)(r.p,{children:"The resource tests were intended to address the following problem statements:"}),"\n",(0,s.jsxs)(r.ul,{children:["\n",(0,s.jsx)(r.li,{children:"On a single-node cluster, determine the legitimate minimum amount of CPU, memory, and IOPs that should be set aside to run the entire K3s stack server stack, assuming that a real workload will be deployed on the cluster."}),"\n",(0,s.jsx)(r.li,{children:"On an agent (worker) node, determine the legitimate minimum amount of CPU, memory, and IOPs that should be set aside for the Kubernetes and K3s control plane components (the kubelet and k3s agent)."}),"\n"]}),"\n",(0,s.jsx)(r.h2,{id:"components-included-for-baseline-measurements",children:"Components Included for Baseline Measurements"}),"\n",(0,s.jsx)(r.p,{children:"The tested components are:"}),"\n",(0,s.jsxs)(r.ul,{children:["\n",(0,s.jsx)(r.li,{children:"K3s 1.19.2 with all packaged components enabled"}),"\n",(0,s.jsx)(r.li,{children:"Prometheus + Grafana monitoring stack"}),"\n",(0,s.jsx)(r.li,{children:"Kubernetes Example PHP Guestbook app"}),"\n"]}),"\n",(0,s.jsx)(r.p,{children:"These are baseline figures for a stable system using only K3s packaged components (Traefik Ingress, Klipper lb, local-path storage) running a standard monitoring stack (Prometheus and Grafana) and the Guestbook example app."}),"\n",(0,s.jsx)(r.p,{children:"Resource figures including IOPS are for the Kubernetes datastore and control plane only, and do not include overhead for system-level management agents or logging, container image management, or any workload-specific requirements."}),"\n",(0,s.jsx)(r.h2,{id:"methodology",children:"Methodology"}),"\n",(0,s.jsxs)(r.p,{children:["A standalone instance of Prometheus v2.21.0 was used to collect host CPU, memory, and disk IO statistics using ",(0,s.jsx)(r.code,{children:"prometheus-node-exporter"})," installed via apt."]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.code,{children:"systemd-cgtop"})," was used to spot-check systemd cgroup-level CPU and memory utilization. ",(0,s.jsx)(r.code,{children:"system.slice/k3s.service"})," tracks resource utilization for both K3s and containerd, while individual pods are under the ",(0,s.jsx)(r.code,{children:"kubepods"})," hierarchy."]}),"\n",(0,s.jsxs)(r.p,{children:["Additional detailed K3s memory utilization data was collected from the ",(0,s.jsx)(r.code,{children:"process_resident_memory_bytes"})," and ",(0,s.jsx)(r.code,{children:"go_memstats_alloc_bytes"})," metrics using the kubelet exporter integrated into the server and agent processes."]}),"\n",(0,s.jsx)(r.p,{children:"Utilization figures were based on 95th percentile readings from steady state operation on nodes running the described workloads."}),"\n",(0,s.jsx)(r.h2,{id:"environment",children:"Environment"}),"\n",(0,s.jsx)(r.p,{children:"OS: Ubuntu 20.04 x86_64, aarch64"}),"\n",(0,s.jsx)(r.p,{children:"Hardware:"}),"\n",(0,s.jsxs)(r.ul,{children:["\n",(0,s.jsx)(r.li,{children:"AWS c5d.xlarge - 4 core, 8 GB RAM, NVME SSD"}),"\n",(0,s.jsx)(r.li,{children:"Raspberry Pi 4 Model B - 4 core, 8 GB RAM, Class 10 SDHC"}),"\n"]}),"\n",(0,s.jsx)(r.h2,{id:"baseline-resource-requirements",children:"Baseline Resource Requirements"}),"\n",(0,s.jsx)(r.p,{children:"This section captures the results of tests to determine minimum resource requirements for the K3s agent, the K3s server with a workload, and the K3s server with one agent."}),"\n",(0,s.jsx)(r.h3,{id:"k3s-server-with-a-workload",children:"K3s Server with a Workload"}),"\n",(0,s.jsx)(r.p,{children:"These are the requirements for a single-node cluster in which the K3s server shares resources with a workload."}),"\n",(0,s.jsx)(r.p,{children:"The CPU requirements are:"}),"\n",(0,s.jsxs)(r.table,{children:[(0,s.jsx)(r.thead,{children:(0,s.jsxs)(r.tr,{children:[(0,s.jsx)(r.th,{children:"Resource Requirement"}),(0,s.jsx)(r.th,{children:"Tested Processor"})]})}),(0,s.jsxs)(r.tbody,{children:[(0,s.jsxs)(r.tr,{children:[(0,s.jsx)(r.td,{children:"10% of a core"}),(0,s.jsx)(r.td,{children:"Intel(R) Xeon(R) Platinum 8124M CPU, 3.00 GHz"})]}),(0,s.jsxs)(r.tr,{children:[(0,s.jsx)(r.td,{children:"20% of a core"}),(0,s.jsx)(r.td,{children:"Low-power processor such as Pi4B BCM2711, 1.50 GHz"})]})]})]}),"\n",(0,s.jsx)(r.p,{children:"The IOPS and memory requirements are:"}),"\n",(0,s.jsxs)(r.table,{children:[(0,s.jsx)(r.thead,{children:(0,s.jsxs)(r.tr,{children:[(0,s.jsx)(r.th,{children:"Tested Datastore"}),(0,s.jsx)(r.th,{children:"IOPS"}),(0,s.jsx)(r.th,{children:"KiB/sec"}),(0,s.jsx)(r.th,{children:"Latency"}),(0,s.jsx)(r.th,{children:"RAM"})]})}),(0,s.jsxs)(r.tbody,{children:[(0,s.jsxs)(r.tr,{children:[(0,s.jsx)(r.td,{children:"Kine/SQLite"}),(0,s.jsx)(r.td,{children:"10"}),(0,s.jsx)(r.td,{children:"500"}),(0,s.jsx)(r.td,{children:"< 10 ms"}),(0,s.jsx)(r.td,{children:"768 M"})]}),(0,s.jsxs)(r.tr,{children:[(0,s.jsx)(r.td,{children:"Embedded etcd"}),(0,s.jsx)(r.td,{children:"50"}),(0,s.jsx)(r.td,{children:"250"}),(0,s.jsx)(r.td,{children:"< 5 ms"}),(0,s.jsx)(r.td,{children:"896 M"})]})]})]}),"\n",(0,s.jsx)(r.h3,{id:"k3s-cluster-with-a-single-agent",children:"K3s Cluster with a Single Agent"}),"\n",(0,s.jsx)(r.p,{children:"These are the baseline requirements for a K3s cluster with a K3s server node and a K3s agent, but no workload."}),"\n",(0,s.jsx)(r.p,{children:"The CPU requirements are:"}),"\n",(0,s.jsxs)(r.table,{children:[(0,s.jsx)(r.thead,{children:(0,s.jsxs)(r.tr,{children:[(0,s.jsx)(r.th,{children:"Resource Requirement"}),(0,s.jsx)(r.th,{children:"Tested Processor"})]})}),(0,s.jsxs)(r.tbody,{children:[(0,s.jsxs)(r.tr,{children:[(0,s.jsx)(r.td,{children:"10% of a core"}),(0,s.jsx)(r.td,{children:"Intel(R) Xeon(R) Platinum 8124M CPU, 3.00 GHz"})]}),(0,s.jsxs)(r.tr,{children:[(0,s.jsx)(r.td,{children:"20% of a core"}),(0,s.jsx)(r.td,{children:"Pi4B BCM2711, 1.50 GHz"})]})]})]}),"\n",(0,s.jsx)(r.p,{children:"The IOPS and memory requirements are:"}),"\n",(0,s.jsxs)(r.table,{children:[(0,s.jsx)(r.thead,{children:(0,s.jsxs)(r.tr,{children:[(0,s.jsx)(r.th,{children:"Datastore"}),(0,s.jsx)(r.th,{children:"IOPS"}),(0,s.jsx)(r.th,{children:"KiB/sec"}),(0,s.jsx)(r.th,{children:"Latency"}),(0,s.jsx)(r.th,{children:"RAM"})]})}),(0,s.jsxs)(r.tbody,{children:[(0,s.jsxs)(r.tr,{children:[(0,s.jsx)(r.td,{children:"Kine/SQLite"}),(0,s.jsx)(r.td,{children:"10"}),(0,s.jsx)(r.td,{children:"500"}),(0,s.jsx)(r.td,{children:"< 10 ms"}),(0,s.jsx)(r.td,{children:"512 M"})]}),(0,s.jsxs)(r.tr,{children:[(0,s.jsx)(r.td,{children:"Embedded etcd"}),(0,s.jsx)(r.td,{children:"50"}),(0,s.jsx)(r.td,{children:"250"}),(0,s.jsx)(r.td,{children:"< 5 ms"}),(0,s.jsx)(r.td,{children:"768 M"})]})]})]}),"\n",(0,s.jsx)(r.h3,{id:"k3s-agent",children:"K3s Agent"}),"\n",(0,s.jsx)(r.p,{children:"The CPU requirements are:"}),"\n",(0,s.jsxs)(r.table,{children:[(0,s.jsx)(r.thead,{children:(0,s.jsxs)(r.tr,{children:[(0,s.jsx)(r.th,{children:"Resource Requirement"}),(0,s.jsx)(r.th,{children:"Tested Processor"})]})}),(0,s.jsxs)(r.tbody,{children:[(0,s.jsxs)(r.tr,{children:[(0,s.jsx)(r.td,{children:"5% of a core"}),(0,s.jsx)(r.td,{children:"Intel(R) Xeon(R) Platinum 8124M CPU, 3.00 GHz"})]}),(0,s.jsxs)(r.tr,{children:[(0,s.jsx)(r.td,{children:"10% of a core"}),(0,s.jsx)(r.td,{children:"Pi4B BCM2711, 1.50 GHz"})]})]})]}),"\n",(0,s.jsx)(r.p,{children:"256 M of RAM is required."}),"\n",(0,s.jsx)(r.h2,{id:"analysis",children:"Analysis"}),"\n",(0,s.jsx)(r.p,{children:"This section captures what has the biggest impact on K3s server and agent utilization, and how the cluster datastore can be protected from interference from agents and workloads."}),"\n",(0,s.jsx)(r.h3,{id:"primary-resource-utilization-drivers",children:"Primary Resource Utilization Drivers"}),"\n",(0,s.jsx)(r.p,{children:"K3s server utilization figures are primarily driven by support of the Kubernetes datastore (kine or etcd), API Server, Controller-Manager, and Scheduler control loops, as well as any management tasks necessary to effect changes to the state of the system. Operations that place additional load on the Kubernetes control plane, such as creating/modifying/deleting resources, will cause temporary spikes in utilization. Using operators or apps that make extensive use of the Kubernetes datastore (such as Rancher or other Operator-type applications) will increase the server's resource requirements. Scaling up the cluster by adding additional nodes or creating many cluster resources will increase the server's resource requirements."}),"\n",(0,s.jsx)(r.p,{children:"K3s agent utilization figures are primarily driven by support of container lifecycle management control loops. Operations that involve managing images, provisioning storage, or creating/destroying containers will cause temporary spikes in utilization. Image pulls in particular are typically highly CPU and IO bound, as they involve decompressing image content to disk. If possible, workload storage (pod ephemeral storage and volumes) should be isolated from the agent components (/var/lib/rancher/k3s/agent) to ensure that there are no resource conflicts."}),"\n",(0,s.jsx)(r.h3,{id:"preventing-agents-and-workloads-from-interfering-with-the-cluster-datastore",children:"Preventing Agents and Workloads from Interfering with the Cluster Datastore"}),"\n",(0,s.jsx)(r.p,{children:"When running in an environment where the server is also hosting workload pods, care should be taken to ensure that agent and workload IOPS do not interfere with the datastore."}),"\n",(0,s.jsx)(r.p,{children:"This can be best accomplished by placing the server components (/var/lib/rancher/k3s/server) on a different storage medium than the agent components (/var/lib/rancher/k3s/agent), which include the containerd image store."}),"\n",(0,s.jsx)(r.p,{children:"Workload storage (pod ephemeral storage and volumes) should also be isolated from the datastore."}),"\n",(0,s.jsx)(r.p,{children:"Failure to meet datastore throughput and latency requirements may result in delayed response from the control plane and/or failure of the control plane to maintain system state."})]})}function h(e={}){const{wrapper:r}={...(0,t.a)(),...e.components};return r?(0,s.jsx)(r,{...e,children:(0,s.jsx)(c,{...e})}):c(e)}},1151:(e,r,n)=>{n.d(r,{Z:()=>d,a:()=>l});var s=n(7294);const t={},i=s.createContext(t);function l(e){const r=s.useContext(i);return s.useMemo((function(){return"function"==typeof e?e(r):{...r,...e}}),[r,e])}function d(e){let r;return r=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:l(e.components),s.createElement(i.Provider,{value:r},e.children)}}}]); \ No newline at end of file diff --git a/zh/assets/js/109.b4b6c92d.js b/kr/assets/js/109.bf60b3bc.js similarity index 99% rename from zh/assets/js/109.b4b6c92d.js rename to kr/assets/js/109.bf60b3bc.js index d50894aa9..8c4ae5d49 100644 --- a/zh/assets/js/109.b4b6c92d.js +++ b/kr/assets/js/109.bf60b3bc.js @@ -1790,7 +1790,7 @@ function preorder(g, vs) { } // EXTERNAL MODULE: ./node_modules/dagre-d3-es/src/graphlib/graph.js + 9 modules -var graph = __webpack_require__(2544); +var graph = __webpack_require__(4404); ;// CONCATENATED MODULE: ./node_modules/dagre-d3-es/src/graphlib/alg/prim.js @@ -4353,7 +4353,7 @@ function canonicalize(attrs) { /***/ }), -/***/ 2544: +/***/ 4404: /***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => { @@ -5166,7 +5166,7 @@ function edgeObjToId(isDirected, edgeObj) { /* harmony export */ k: () => (/* reexport safe */ _graph_js__WEBPACK_IMPORTED_MODULE_0__.k) /* harmony export */ }); /* unused harmony export version */ -/* harmony import */ var _graph_js__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(2544); +/* harmony import */ var _graph_js__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(4404); // Includes only the "core" of graphlib diff --git a/zh/assets/js/1772.61c7be9f.js b/kr/assets/js/1772.edd9b014.js similarity index 95% rename from zh/assets/js/1772.61c7be9f.js rename to kr/assets/js/1772.edd9b014.js index fedff29db..8daf6c973 100644 --- a/zh/assets/js/1772.61c7be9f.js +++ b/kr/assets/js/1772.edd9b014.js @@ -1 +1 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[1772],{5658:(e,t,n)=>{n.d(t,{Z:()=>a});n(7294);var s=n(512),i=n(5999),o=n(2503),r=n(5893);function a(e){let{className:t}=e;return(0,r.jsx)("main",{className:(0,s.Z)("container margin-vert--xl",t),children:(0,r.jsx)("div",{className:"row",children:(0,r.jsxs)("div",{className:"col col--6 col--offset-3",children:[(0,r.jsx)(o.Z,{as:"h1",className:"hero__title",children:(0,r.jsx)(i.Z,{id:"theme.NotFound.title",description:"The title of the 404 page",children:"Page Not Found"})}),(0,r.jsx)("p",{children:(0,r.jsx)(i.Z,{id:"theme.NotFound.p1",description:"The first paragraph of the 404 page",children:"We could not find what you were looking for."})}),(0,r.jsx)("p",{children:(0,r.jsx)(i.Z,{id:"theme.NotFound.p2",description:"The 2nd paragraph of the 404 page",children:"Please contact the owner of the site that linked you to the original URL and let them know their link is broken."})})]})})})}},1772:(e,t,n)=>{n.r(t),n.d(t,{default:()=>d});n(7294);var s=n(5999),i=n(1944),o=n(2315),r=n(5658),a=n(5893);function d(){const e=(0,s.I)({id:"theme.NotFound.title",message:"Page Not Found"});return(0,a.jsxs)(a.Fragment,{children:[(0,a.jsx)(i.d,{title:e}),(0,a.jsx)(o.Z,{children:(0,a.jsx)(r.Z,{})})]})}}}]); \ No newline at end of file +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[1772],{5658:(e,t,n)=>{n.d(t,{Z:()=>a});n(7294);var s=n(512),i=n(5999),o=n(2503),r=n(5893);function a(e){let{className:t}=e;return(0,r.jsx)("main",{className:(0,s.Z)("container margin-vert--xl",t),children:(0,r.jsx)("div",{className:"row",children:(0,r.jsxs)("div",{className:"col col--6 col--offset-3",children:[(0,r.jsx)(o.Z,{as:"h1",className:"hero__title",children:(0,r.jsx)(i.Z,{id:"theme.NotFound.title",description:"The title of the 404 page",children:"Page Not Found"})}),(0,r.jsx)("p",{children:(0,r.jsx)(i.Z,{id:"theme.NotFound.p1",description:"The first paragraph of the 404 page",children:"We could not find what you were looking for."})}),(0,r.jsx)("p",{children:(0,r.jsx)(i.Z,{id:"theme.NotFound.p2",description:"The 2nd paragraph of the 404 page",children:"Please contact the owner of the site that linked you to the original URL and let them know their link is broken."})})]})})})}},1772:(e,t,n)=>{n.r(t),n.d(t,{default:()=>d});n(7294);var s=n(5999),i=n(1944),o=n(8947),r=n(5658),a=n(5893);function d(){const e=(0,s.I)({id:"theme.NotFound.title",message:"Page Not Found"});return(0,a.jsxs)(a.Fragment,{children:[(0,a.jsx)(i.d,{title:e}),(0,a.jsx)(o.Z,{children:(0,a.jsx)(r.Z,{})})]})}}}]); \ No newline at end of file diff --git a/kr/assets/js/18ace21a.bffc2fc9.js b/kr/assets/js/18ace21a.bffc2fc9.js new file mode 100644 index 000000000..3be84e5da --- /dev/null +++ b/kr/assets/js/18ace21a.bffc2fc9.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[9269],{3497:(e,n,s)=>{s.r(n),s.d(n,{assets:()=>l,contentTitle:()=>a,default:()=>u,frontMatter:()=>i,metadata:()=>o,toc:()=>c});var r=s(5893),t=s(1151);const i={title:"CIS Hardening Guide"},a=void 0,o={id:"security/hardening-guide",title:"CIS Hardening Guide",description:"This document provides prescriptive guidance for hardening a production installation of K3s. It outlines the configurations and controls required to address Kubernetes benchmark controls from the Center for Internet Security (CIS).",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/security/hardening-guide.md",sourceDirName:"security",slug:"/security/hardening-guide",permalink:"/kr/security/hardening-guide",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/security/hardening-guide.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"CIS Hardening Guide"},sidebar:"mySidebar",previous:{title:"Secrets Encryption",permalink:"/kr/security/secrets-encryption"},next:{title:"self-assessment-1.8",permalink:"/kr/security/self-assessment-1.8"}},l={},c=[{value:"Host-level Requirements",id:"host-level-requirements",level:2},{value:"Ensure protect-kernel-defaults is set",id:"ensure-protect-kernel-defaults-is-set",level:3},{value:"Set kernel parameters",id:"set-kernel-parameters",level:4},{value:"Kubernetes Runtime Requirements",id:"kubernetes-runtime-requirements",level:2},{value:"Pod Security",id:"pod-security",level:3},{value:"NetworkPolicies",id:"networkpolicies",level:3},{value:"API Server audit configuration",id:"api-server-audit-configuration",level:3},{value:"Configuration for Kubernetes Components",id:"configuration-for-kubernetes-components",level:2},{value:"Control Plane Execution and Arguments",id:"control-plane-execution-and-arguments",level:2},{value:"Known Issues",id:"known-issues",level:2},{value:"Control 1.2.15",id:"control-1215",level:3},{value:"Control 1.2.16",id:"control-1216",level:3},{value:"Control 1.2.22",id:"control-1222",level:3},{value:"Control 1.2.23",id:"control-1223",level:3},{value:"Control 1.2.24",id:"control-1224",level:3},{value:"Control 1.2.25",id:"control-1225",level:3},{value:"Control 1.2.26",id:"control-1226",level:3},{value:"Control 1.2.27",id:"control-1227",level:3},{value:"Control 1.2.33",id:"control-1233",level:3},{value:"Control 1.2.34",id:"control-1234",level:3},{value:"Control 1.3.1",id:"control-131",level:3},{value:"Control 3.2.1",id:"control-321",level:3},{value:"Control 4.2.7",id:"control-427",level:3},{value:"Control 5.1.5",id:"control-515",level:3},{value:"Conclusion",id:"conclusion",level:2}];function d(e){const n={a:"a",admonition:"admonition",blockquote:"blockquote",code:"code",h2:"h2",h3:"h3",h4:"h4",li:"li",ol:"ol",p:"p",pre:"pre",strong:"strong",...(0,t.a)(),...e.components},{Details:s,TabItem:i,Tabs:a}=n;return s||h("Details",!0),i||h("TabItem",!0),a||h("Tabs",!0),(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(n.p,{children:"This document provides prescriptive guidance for hardening a production installation of K3s. It outlines the configurations and controls required to address Kubernetes benchmark controls from the Center for Internet Security (CIS)."}),"\n",(0,r.jsx)(n.p,{children:"K3s has a number of security mitigations applied and turned on by default and will pass a number of the Kubernetes CIS controls without modification. There are some notable exceptions to this that require manual intervention to fully comply with the CIS Benchmark:"}),"\n",(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsx)(n.li,{children:"K3s will not modify the host operating system. Any host-level modifications will need to be done manually."}),"\n",(0,r.jsxs)(n.li,{children:["Certain CIS policy controls for ",(0,r.jsx)(n.code,{children:"NetworkPolicies"})," and ",(0,r.jsx)(n.code,{children:"PodSecurityStandards"})," (",(0,r.jsx)(n.code,{children:"PodSecurityPolicies"})," on v1.24 and older) will restrict the functionality of the cluster. You must opt into having K3s configure these by adding the appropriate options (enabling of admission plugins) to your command-line flags or configuration file as well as manually applying appropriate policies. Further details are presented in the sections below."]}),"\n"]}),"\n",(0,r.jsx)(n.p,{children:"The first section (1.1) of the CIS Benchmark concerns itself primarily with pod manifest permissions and ownership. K3s doesn't utilize these for the core components since everything is packaged into a single binary."}),"\n",(0,r.jsx)(n.h2,{id:"host-level-requirements",children:"Host-level Requirements"}),"\n",(0,r.jsx)(n.p,{children:"There are two areas of host-level requirements: kernel parameters and etcd process/directory configuration. These are outlined in this section."}),"\n",(0,r.jsxs)(n.h3,{id:"ensure-protect-kernel-defaults-is-set",children:["Ensure ",(0,r.jsx)(n.code,{children:"protect-kernel-defaults"})," is set"]}),"\n",(0,r.jsx)(n.p,{children:"This is a kubelet flag that will cause the kubelet to exit if the required kernel parameters are unset or are set to values that are different from the kubelet's defaults."}),"\n",(0,r.jsxs)(n.blockquote,{children:["\n",(0,r.jsxs)(n.p,{children:[(0,r.jsx)(n.strong,{children:"Note:"})," ",(0,r.jsx)(n.code,{children:"protect-kernel-defaults"})," is exposed as a top-level flag for K3s."]}),"\n"]}),"\n",(0,r.jsx)(n.h4,{id:"set-kernel-parameters",children:"Set kernel parameters"}),"\n",(0,r.jsxs)(n.p,{children:["Create a file called ",(0,r.jsx)(n.code,{children:"/etc/sysctl.d/90-kubelet.conf"})," and add the snippet below. Then run ",(0,r.jsx)(n.code,{children:"sysctl -p /etc/sysctl.d/90-kubelet.conf"}),"."]}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"vm.panic_on_oom=0\nvm.overcommit_memory=1\nkernel.panic=10\nkernel.panic_on_oops=1\nkernel.keys.root_maxbytes=25000000\n"})}),"\n",(0,r.jsx)(n.h2,{id:"kubernetes-runtime-requirements",children:"Kubernetes Runtime Requirements"}),"\n",(0,r.jsx)(n.p,{children:"The runtime requirements to comply with the CIS Benchmark are centered around pod security (via PSP or PSA), network policies and API Server auditing logs. These are outlined in this section."}),"\n",(0,r.jsxs)(n.p,{children:["By default, K3s does not include any pod security or network policies. However, K3s ships with a controller that will enforce network policies, if any are created. K3s doesn't enable auditing by default, so audit log configuration and audit policy must be created manually. By default, K3s runs with the both the ",(0,r.jsx)(n.code,{children:"PodSecurity"})," and ",(0,r.jsx)(n.code,{children:"NodeRestriction"})," admission controllers enabled, among others."]}),"\n",(0,r.jsx)(n.h3,{id:"pod-security",children:"Pod Security"}),"\n",(0,r.jsxs)(a,{children:[(0,r.jsxs)(i,{value:"v1.25 and Newer",default:!0,children:[(0,r.jsxs)(n.p,{children:["K3s v1.25 and newer support ",(0,r.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/security/pod-security-admission/",children:"Pod Security Admissions (PSAs)"})," for controlling pod security. PSAs are enabled by passing the following flag to the K3s server:"]}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{children:'--kube-apiserver-arg="admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml"\n'})}),(0,r.jsxs)(n.p,{children:["The policy should be written to a file named ",(0,r.jsx)(n.code,{children:"psa.yaml"})," in ",(0,r.jsx)(n.code,{children:"/var/lib/rancher/k3s/server"})," directory."]}),(0,r.jsx)(n.p,{children:"Here is an example of a compliant PSA:"}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-yaml",children:'apiVersion: apiserver.config.k8s.io/v1\nkind: AdmissionConfiguration\nplugins:\n- name: PodSecurity\n configuration:\n apiVersion: pod-security.admission.config.k8s.io/v1beta1\n kind: PodSecurityConfiguration\n defaults:\n enforce: "restricted"\n enforce-version: "latest"\n audit: "restricted"\n audit-version: "latest"\n warn: "restricted"\n warn-version: "latest"\n exemptions:\n usernames: []\n runtimeClasses: []\n namespaces: [kube-system, cis-operator-system]\n'})})]}),(0,r.jsxs)(i,{value:"v1.24 and Older",default:!0,children:[(0,r.jsxs)(n.p,{children:["K3s v1.24 and older support ",(0,r.jsx)(n.a,{href:"https://v1-24.docs.kubernetes.io/docs/concepts/security/pod-security-policy/",children:"Pod Security Policies (PSPs)"})," for controlling pod security. PSPs are enabled by passing the following flag to the K3s server:"]}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{children:'--kube-apiserver-arg="enable-admission-plugins=NodeRestriction,PodSecurityPolicy"\n'})}),(0,r.jsxs)(n.p,{children:["This will have the effect of maintaining the ",(0,r.jsx)(n.code,{children:"NodeRestriction"})," plugin as well as enabling the ",(0,r.jsx)(n.code,{children:"PodSecurityPolicy"}),"."]}),(0,r.jsx)(n.p,{children:"When PSPs are enabled, a policy can be applied to satisfy the necessary controls described in section 5.2 of the CIS Benchmark."}),(0,r.jsx)(n.p,{children:"Here is an example of a compliant PSP:"}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-yaml",children:"apiVersion: policy/v1beta1\nkind: PodSecurityPolicy\nmetadata:\n name: restricted-psp\nspec:\n privileged: false # CIS - 5.2.1\n allowPrivilegeEscalation: false # CIS - 5.2.5\n requiredDropCapabilities: # CIS - 5.2.7/8/9\n - ALL\n volumes:\n - 'configMap'\n - 'emptyDir'\n - 'projected'\n - 'secret'\n - 'downwardAPI'\n - 'csi'\n - 'persistentVolumeClaim'\n - 'ephemeral'\n hostNetwork: false # CIS - 5.2.4\n hostIPC: false # CIS - 5.2.3\n hostPID: false # CIS - 5.2.2\n runAsUser:\n rule: 'MustRunAsNonRoot' # CIS - 5.2.6\n seLinux:\n rule: 'RunAsAny'\n supplementalGroups:\n rule: 'MustRunAs'\n ranges:\n - min: 1\n max: 65535\n fsGroup:\n rule: 'MustRunAs'\n ranges:\n - min: 1\n max: 65535\n readOnlyRootFilesystem: false\n"})}),(0,r.jsx)(n.p,{children:'For the above PSP to be effective, we need to create a ClusterRole and a ClusterRoleBinding. We also need to include a "system unrestricted policy" which is needed for system-level pods that require additional privileges, and an additional policy that allows sysctls necessary for servicelb to function properly.'}),(0,r.jsxs)(n.p,{children:["Combining the configuration above with the ",(0,r.jsx)(n.a,{href:"#networkpolicies",children:"Network Policy"})," described in the next section, a single file can be placed in the ",(0,r.jsx)(n.code,{children:"/var/lib/rancher/k3s/server/manifests"})," directory. Here is an example of a ",(0,r.jsx)(n.code,{children:"policy.yaml"})," file:"]}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-yaml",children:"apiVersion: policy/v1beta1\nkind: PodSecurityPolicy\nmetadata:\n name: restricted-psp\nspec:\n privileged: false\n allowPrivilegeEscalation: false\n requiredDropCapabilities:\n - ALL\n volumes:\n - 'configMap'\n - 'emptyDir'\n - 'projected'\n - 'secret'\n - 'downwardAPI'\n - 'csi'\n - 'persistentVolumeClaim'\n - 'ephemeral'\n hostNetwork: false\n hostIPC: false\n hostPID: false\n runAsUser:\n rule: 'MustRunAsNonRoot'\n seLinux:\n rule: 'RunAsAny'\n supplementalGroups:\n rule: 'MustRunAs'\n ranges:\n - min: 1\n max: 65535\n fsGroup:\n rule: 'MustRunAs'\n ranges:\n - min: 1\n max: 65535\n readOnlyRootFilesystem: false\n---\napiVersion: policy/v1beta1\nkind: PodSecurityPolicy\nmetadata:\n name: system-unrestricted-psp\n annotations:\n seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'\nspec:\n allowPrivilegeEscalation: true\n allowedCapabilities:\n - '*'\n fsGroup:\n rule: RunAsAny\n hostIPC: true\n hostNetwork: true\n hostPID: true\n hostPorts:\n - max: 65535\n min: 0\n privileged: true\n runAsUser:\n rule: RunAsAny\n seLinux:\n rule: RunAsAny\n supplementalGroups:\n rule: RunAsAny\n volumes:\n - '*'\n---\napiVersion: policy/v1beta1\nkind: PodSecurityPolicy\nmetadata:\n name: svclb-psp\n annotations:\n seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'\nspec:\n allowPrivilegeEscalation: false\n allowedCapabilities:\n - NET_ADMIN\n allowedUnsafeSysctls:\n - net.ipv4.ip_forward\n - net.ipv6.conf.all.forwarding\n fsGroup:\n rule: RunAsAny\n hostPorts:\n - max: 65535\n min: 0\n runAsUser:\n rule: RunAsAny\n seLinux:\n rule: RunAsAny\n supplementalGroups:\n rule: RunAsAny\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n name: psp:restricted-psp\nrules:\n- apiGroups:\n - policy\n resources:\n - podsecuritypolicies\n verbs:\n - use\n resourceNames:\n - restricted-psp\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n name: psp:system-unrestricted-psp\nrules:\n- apiGroups:\n - policy\n resources:\n - podsecuritypolicies\n resourceNames:\n - system-unrestricted-psp\n verbs:\n - use\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n name: psp:svclb-psp\nrules:\n- apiGroups:\n - policy\n resources:\n - podsecuritypolicies\n resourceNames:\n - svclb-psp\n verbs:\n - use\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n name: default:restricted-psp\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: psp:restricted-psp\nsubjects:\n- kind: Group\n name: system:authenticated\n apiGroup: rbac.authorization.k8s.io\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n name: system-unrestricted-node-psp-rolebinding\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: psp:system-unrestricted-psp\nsubjects:\n- apiGroup: rbac.authorization.k8s.io\n kind: Group\n name: system:nodes\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n name: system-unrestricted-svc-acct-psp-rolebinding\n namespace: kube-system\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: psp:system-unrestricted-psp\nsubjects:\n- apiGroup: rbac.authorization.k8s.io\n kind: Group\n name: system:serviceaccounts\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n name: svclb-psp-rolebinding\n namespace: kube-system\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: psp:svclb-psp\nsubjects:\n- kind: ServiceAccount\n name: svclb\n---\nkind: NetworkPolicy\napiVersion: networking.k8s.io/v1\nmetadata:\n name: intra-namespace\n namespace: kube-system\nspec:\n podSelector: {}\n ingress:\n - from:\n - namespaceSelector:\n matchLabels:\n name: kube-system\n---\nkind: NetworkPolicy\napiVersion: networking.k8s.io/v1\nmetadata:\n name: intra-namespace\n namespace: default\nspec:\n podSelector: {}\n ingress:\n - from:\n - namespaceSelector:\n matchLabels:\n name: default\n---\nkind: NetworkPolicy\napiVersion: networking.k8s.io/v1\nmetadata:\n name: intra-namespace\n namespace: kube-public\nspec:\n podSelector: {}\n ingress:\n - from:\n - namespaceSelector:\n matchLabels:\n name: kube-public\n"})})]})]}),"\n",(0,r.jsxs)(n.blockquote,{children:["\n",(0,r.jsxs)(n.p,{children:[(0,r.jsx)(n.strong,{children:"Note:"})," The Kubernetes critical additions such as CNI, DNS, and Ingress are run as pods in the ",(0,r.jsx)(n.code,{children:"kube-system"})," namespace. Therefore, this namespace will have a policy that is less restrictive so that these components can run properly."]}),"\n"]}),"\n",(0,r.jsx)(n.h3,{id:"networkpolicies",children:"NetworkPolicies"}),"\n",(0,r.jsx)(n.p,{children:"CIS requires that all namespaces have a network policy applied that reasonably limits traffic into namespaces and pods."}),"\n",(0,r.jsxs)(n.p,{children:["Network policies should be placed the ",(0,r.jsx)(n.code,{children:"/var/lib/rancher/k3s/server/manifests"})," directory, where they will automatically be deployed on startup."]}),"\n",(0,r.jsx)(n.p,{children:"Here is an example of a compliant network policy."}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-yaml",children:"kind: NetworkPolicy\napiVersion: networking.k8s.io/v1\nmetadata:\n name: intra-namespace\n namespace: kube-system\nspec:\n podSelector: {}\n ingress:\n - from:\n - namespaceSelector:\n matchLabels:\n name: kube-system\n"})}),"\n",(0,r.jsx)(n.p,{children:"With the applied restrictions, DNS will be blocked unless purposely allowed. Below is a network policy that will allow for traffic to exist for DNS."}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-yaml",children:"apiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n name: default-network-dns-policy\n namespace: \nspec:\n ingress:\n - ports:\n - port: 53\n protocol: TCP\n - port: 53\n protocol: UDP\n podSelector:\n matchLabels:\n k8s-app: kube-dns\n policyTypes:\n - Ingress\n"})}),"\n",(0,r.jsx)(n.p,{children:"The metrics-server and Traefik ingress controller will be blocked by default if network policies are not created to allow access. Traefik v1 as packaged in K3s version 1.20 and below uses different labels than Traefik v2. Ensure that you only use the sample yaml below that is associated with the version of Traefik present on your cluster."}),"\n",(0,r.jsxs)(a,{children:[(0,r.jsx)(i,{value:"v1.21 and Newer",default:!0,children:(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-yaml",children:"apiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n name: allow-all-metrics-server\n namespace: kube-system\nspec:\n podSelector:\n matchLabels:\n k8s-app: metrics-server\n ingress:\n - {}\n policyTypes:\n - Ingress\n---\napiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n name: allow-all-svclbtraefik-ingress\n namespace: kube-system\nspec:\n podSelector: \n matchLabels:\n svccontroller.k3s.cattle.io/svcname: traefik\n ingress:\n - {}\n policyTypes:\n - Ingress\n---\napiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n name: allow-all-traefik-v121-ingress\n namespace: kube-system\nspec:\n podSelector:\n matchLabels:\n app.kubernetes.io/name: traefik\n ingress:\n - {}\n policyTypes:\n - Ingress\n---\n\n"})})}),(0,r.jsx)(i,{value:"v1.20 and Older",default:!0,children:(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-yaml",children:"apiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n name: allow-all-metrics-server\n namespace: kube-system\nspec:\n podSelector:\n matchLabels:\n k8s-app: metrics-server\n ingress:\n - {}\n policyTypes:\n - Ingress\n---\napiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n name: allow-all-svclbtraefik-ingress\n namespace: kube-system\nspec:\n podSelector: \n matchLabels:\n svccontroller.k3s.cattle.io/svcname: traefik\n ingress:\n - {}\n policyTypes:\n - Ingress\n---\napiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n name: allow-all-traefik-v120-ingress\n namespace: kube-system\nspec:\n podSelector:\n matchLabels:\n app: traefik\n ingress:\n - {}\n policyTypes:\n - Ingress\n---\n\n"})})})]}),"\n",(0,r.jsx)(n.admonition,{type:"info",children:(0,r.jsx)(n.p,{children:"Operators must manage network policies as normal for additional namespaces that are created."})}),"\n",(0,r.jsx)(n.h3,{id:"api-server-audit-configuration",children:"API Server audit configuration"}),"\n",(0,r.jsx)(n.p,{children:"CIS requirements 1.2.22 to 1.2.25 are related to configuring audit logs for the API Server. K3s doesn't create by default the log directory and audit policy, as auditing requirements are specific to each user's policies and environment."}),"\n",(0,r.jsx)(n.p,{children:"The log directory, ideally, must be created before starting K3s. A restrictive access permission is recommended to avoid leaking potential sensitive information."}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"sudo mkdir -p -m 700 /var/lib/rancher/k3s/server/logs\n"})}),"\n",(0,r.jsxs)(n.p,{children:["A starter audit policy to log request metadata is provided below. The policy should be written to a file named ",(0,r.jsx)(n.code,{children:"audit.yaml"})," in ",(0,r.jsx)(n.code,{children:"/var/lib/rancher/k3s/server"})," directory. Detailed information about policy configuration for the API server can be found in the Kubernetes ",(0,r.jsx)(n.a,{href:"https://kubernetes.io/docs/tasks/debug-application-cluster/audit/",children:"documentation"}),"."]}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-yaml",children:"apiVersion: audit.k8s.io/v1\nkind: Policy\nrules:\n- level: Metadata\n"})}),"\n",(0,r.jsx)(n.p,{children:"Both configurations must be passed as arguments to the API Server as:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"--kube-apiserver-arg='audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log'\n--kube-apiserver-arg='audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml'\n"})}),"\n",(0,r.jsxs)(n.p,{children:["If the configurations are created after K3s is installed, they must be added to K3s' systemd service in ",(0,r.jsx)(n.code,{children:"/etc/systemd/system/k3s.service"}),"."]}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"ExecStart=/usr/local/bin/k3s \\\n server \\\n\t'--kube-apiserver-arg=audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log' \\\n\t'--kube-apiserver-arg=audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml' \\\n"})}),"\n",(0,r.jsx)(n.p,{children:"K3s must be restarted to load the new configuration."}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"sudo systemctl daemon-reload\nsudo systemctl restart k3s.service\n"})}),"\n",(0,r.jsx)(n.h2,{id:"configuration-for-kubernetes-components",children:"Configuration for Kubernetes Components"}),"\n",(0,r.jsxs)(n.p,{children:["The configuration below should be placed in the ",(0,r.jsx)(n.a,{href:"/kr/installation/configuration#configuration-file",children:"configuration file"}),", and contains all the necessary remediations to harden the Kubernetes components."]}),"\n",(0,r.jsxs)(a,{children:[(0,r.jsx)(i,{value:"v1.25 and Newer",default:!0,children:(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-yaml",children:"protect-kernel-defaults: true\nsecrets-encryption: true\nkube-apiserver-arg:\n - 'admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml'\n - 'audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log'\n - 'audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml'\n - 'audit-log-maxage=30'\n - 'audit-log-maxbackup=10'\n - 'audit-log-maxsize=100'\nkube-controller-manager-arg:\n - 'terminated-pod-gc-threshold=10'\n - 'use-service-account-credentials=true'\nkubelet-arg:\n - 'streaming-connection-idle-timeout=5m'\n - 'make-iptables-util-chains=true'\n"})})}),(0,r.jsx)(i,{value:"v1.24 and Older",default:!0,children:(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-yaml",children:"protect-kernel-defaults: true\nsecrets-encryption: true\nkube-apiserver-arg:\n - 'enable-admission-plugins=NodeRestriction,PodSecurityPolicy,NamespaceLifecycle,ServiceAccount'\n - 'audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log'\n - 'audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml'\n - 'audit-log-maxage=30'\n - 'audit-log-maxbackup=10'\n - 'audit-log-maxsize=100'\nkube-controller-manager-arg:\n - 'terminated-pod-gc-threshold=10'\n - 'use-service-account-credentials=true'\nkubelet-arg:\n - 'streaming-connection-idle-timeout=5m'\n - 'make-iptables-util-chains=true'\n"})})})]}),"\n",(0,r.jsx)(n.h2,{id:"control-plane-execution-and-arguments",children:"Control Plane Execution and Arguments"}),"\n",(0,r.jsx)(n.p,{children:"Listed below are the K3s control plane components and the arguments they are given at start, by default. Commented to their right is the CIS 1.6 control that they satisfy."}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"kube-apiserver \n --advertise-port=6443 \n --allow-privileged=true \n --anonymous-auth=false # 1.2.1\n --api-audiences=unknown \n --authorization-mode=Node,RBAC \n --bind-address=127.0.0.1 \n --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs\n --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt # 1.2.31\n --enable-admission-plugins=NodeRestriction,PodSecurityPolicy # 1.2.17\n --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt # 1.2.32\n --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt # 1.2.29\n --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key # 1.2.29\n --etcd-servers=https://127.0.0.1:2379 \n --insecure-port=0 # 1.2.19\n --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt \n --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt \n --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key \n --profiling=false # 1.2.21\n --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt \n --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key \n --requestheader-allowed-names=system:auth-proxy \n --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt \n --requestheader-extra-headers-prefix=X-Remote-Extra- \n --requestheader-group-headers=X-Remote-Group \n --requestheader-username-headers=X-Remote-User \n --secure-port=6444 # 1.2.20\n --service-account-issuer=k3s \n --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key # 1.2.28\n --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key \n --service-cluster-ip-range=10.43.0.0/16 \n --storage-backend=etcd3 \n --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt # 1.2.30\n --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key # 1.2.30\n --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305\n"})}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"kube-controller-manager \n --address=127.0.0.1 \n --allocate-node-cidrs=true \n --bind-address=127.0.0.1 # 1.3.7\n --cluster-cidr=10.42.0.0/16 \n --cluster-signing-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt \n --cluster-signing-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key \n --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig \n --port=10252 \n --profiling=false # 1.3.2\n --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt # 1.3.5\n --secure-port=0 \n --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.key # 1.3.4 \n --use-service-account-credentials=true # 1.3.3\n"})}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"kube-scheduler \n --address=127.0.0.1 \n --bind-address=127.0.0.1 # 1.4.2\n --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig \n --port=10251 \n --profiling=false # 1.4.1\n --secure-port=0\n"})}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"kubelet \n --address=0.0.0.0 \n --anonymous-auth=false # 4.2.1\n --authentication-token-webhook=true \n --authorization-mode=Webhook # 4.2.2\n --cgroup-driver=cgroupfs \n --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt # 4.2.3\n --cloud-provider=external \n --cluster-dns=10.43.0.10 \n --cluster-domain=cluster.local \n --cni-bin-dir=/var/lib/rancher/k3s/data/223e6420f8db0d8828a8f5ed3c44489bb8eb47aa71485404f8af8c462a29bea3/bin \n --cni-conf-dir=/var/lib/rancher/k3s/agent/etc/cni/net.d \n --container-runtime-endpoint=/run/k3s/containerd/containerd.sock \n --container-runtime=remote \n --containerd=/run/k3s/containerd/containerd.sock \n --eviction-hard=imagefs.available<5%,nodefs.available<5% \n --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% \n --fail-swap-on=false \n --healthz-bind-address=127.0.0.1 \n --hostname-override=hostname01 \n --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig \n --kubelet-cgroups=/systemd/system.slice \n --node-labels= \n --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests \n --protect-kernel-defaults=true # 4.2.6\n --read-only-port=0 # 4.2.4\n --resolv-conf=/run/systemd/resolve/resolv.conf \n --runtime-cgroups=/systemd/system.slice \n --serialize-image-pulls=false \n --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt # 4.2.10\n --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key # 4.2.10\n"})}),"\n",(0,r.jsx)(n.p,{children:"Additional information about CIS requirements 1.2.22 to 1.2.25 is presented below."}),"\n",(0,r.jsx)(n.h2,{id:"known-issues",children:"Known Issues"}),"\n",(0,r.jsx)(n.p,{children:"The following are controls that K3s currently does not pass by default. Each gap will be explained, along with a note clarifying whether it can be passed through manual operator intervention, or if it will be addressed in a future release of K3s."}),"\n",(0,r.jsx)(n.h3,{id:"control-1215",children:"Control 1.2.15"}),"\n",(0,r.jsxs)(n.p,{children:["Ensure that the admission control plugin ",(0,r.jsx)(n.code,{children:"NamespaceLifecycle"})," is set."]}),"\n",(0,r.jsxs)(s,{children:[(0,r.jsxs)(n.p,{children:[(0,r.jsx)("summary",{children:"Rationale"}),"\nSetting admission control policy to ",(0,r.jsx)(n.code,{children:"NamespaceLifecycle"})," ensures that objects cannot be created in non-existent namespaces, and that namespaces undergoing termination are not used for creating the new objects. This is recommended to enforce the integrity of the namespace termination process and also for the availability of the newer objects."]}),(0,r.jsxs)(n.p,{children:["This can be remediated by passing this argument as a value to the ",(0,r.jsx)(n.code,{children:"enable-admission-plugins="})," and pass that to ",(0,r.jsx)(n.code,{children:"--kube-apiserver-arg="})," argument to ",(0,r.jsx)(n.code,{children:"k3s server"}),". An example can be found below."]})]}),"\n",(0,r.jsx)(n.h3,{id:"control-1216",children:"Control 1.2.16"}),"\n",(0,r.jsxs)(n.p,{children:["Ensure that the admission control plugin ",(0,r.jsx)(n.code,{children:"PodSecurityPolicy"})," is set."]}),"\n",(0,r.jsxs)(s,{children:[(0,r.jsxs)(n.p,{children:[(0,r.jsx)("summary",{children:"Rationale"}),"\nA Pod Security Policy is a cluster-level resource that controls the actions that a pod can perform and what it has the ability to access. The ",(0,r.jsx)(n.code,{children:"PodSecurityPolicy"})," objects define a set of conditions that a pod must run with in order to be accepted into the system. Pod Security Policies are comprised of settings and strategies that control the security features a pod has access to and hence this must be used to control pod access permissions."]}),(0,r.jsxs)(n.p,{children:["This can be remediated by passing this argument as a value to the ",(0,r.jsx)(n.code,{children:"enable-admission-plugins="})," and pass that to ",(0,r.jsx)(n.code,{children:"--kube-apiserver-arg="})," argument to ",(0,r.jsx)(n.code,{children:"k3s server"}),". An example can be found below."]})]}),"\n",(0,r.jsx)(n.h3,{id:"control-1222",children:"Control 1.2.22"}),"\n",(0,r.jsxs)(n.p,{children:["Ensure that the ",(0,r.jsx)(n.code,{children:"--audit-log-path"})," argument is set."]}),"\n",(0,r.jsxs)(s,{children:[(0,r.jsxs)(n.p,{children:[(0,r.jsx)("summary",{children:"Rationale"}),"\nAuditing the Kubernetes API Server provides a security-relevant chronological set of records documenting the sequence of activities that have affected system by individual users, administrators or other components of the system. Even though currently, Kubernetes provides only basic audit capabilities, it should be enabled. You can enable it by setting an appropriate audit log path."]}),(0,r.jsxs)(n.p,{children:["This can be remediated by passing this argument as a value to the ",(0,r.jsx)(n.code,{children:"--kube-apiserver-arg="})," argument to ",(0,r.jsx)(n.code,{children:"k3s server"}),". An example can be found below."]})]}),"\n",(0,r.jsx)(n.h3,{id:"control-1223",children:"Control 1.2.23"}),"\n",(0,r.jsxs)(n.p,{children:["Ensure that the ",(0,r.jsx)(n.code,{children:"--audit-log-maxage"})," argument is set to 30 or as appropriate."]}),"\n",(0,r.jsxs)(s,{children:[(0,r.jsxs)(n.p,{children:[(0,r.jsx)("summary",{children:"Rationale"}),"\nRetaining logs for at least 30 days ensures that you can go back in time and investigate or correlate any events. Set your audit log retention period to 30 days or as per your business requirements."]}),(0,r.jsxs)(n.p,{children:["This can be remediated by passing this argument as a value to the ",(0,r.jsx)(n.code,{children:"--kube-apiserver-arg="})," argument to ",(0,r.jsx)(n.code,{children:"k3s server"}),". An example can be found below."]})]}),"\n",(0,r.jsx)(n.h3,{id:"control-1224",children:"Control 1.2.24"}),"\n",(0,r.jsxs)(n.p,{children:["Ensure that the ",(0,r.jsx)(n.code,{children:"--audit-log-maxbackup"})," argument is set to 10 or as appropriate."]}),"\n",(0,r.jsxs)(s,{children:[(0,r.jsxs)(n.p,{children:[(0,r.jsx)("summary",{children:"Rationale"}),"\nKubernetes automatically rotates the log files. Retaining old log files ensures that you would have sufficient log data available for carrying out any investigation or correlation. For example, if you have set file size of 100 MB and the number of old log files to keep as 10, you would approximate have 1 GB of log data that you could potentially use for your analysis."]}),(0,r.jsxs)(n.p,{children:["This can be remediated by passing this argument as a value to the ",(0,r.jsx)(n.code,{children:"--kube-apiserver-arg="})," argument to ",(0,r.jsx)(n.code,{children:"k3s server"}),". An example can be found below."]})]}),"\n",(0,r.jsx)(n.h3,{id:"control-1225",children:"Control 1.2.25"}),"\n",(0,r.jsxs)(n.p,{children:["Ensure that the ",(0,r.jsx)(n.code,{children:"--audit-log-maxsize"})," argument is set to 100 or as appropriate."]}),"\n",(0,r.jsxs)(s,{children:[(0,r.jsxs)(n.p,{children:[(0,r.jsx)("summary",{children:"Rationale"}),"\nKubernetes automatically rotates the log files. Retaining old log files ensures that you would have sufficient log data available for carrying out any investigation or correlation. If you have set file size of 100 MB and the number of old log files to keep as 10, you would approximate have 1 GB of log data that you could potentially use for your analysis."]}),(0,r.jsxs)(n.p,{children:["This can be remediated by passing this argument as a value to the ",(0,r.jsx)(n.code,{children:"--kube-apiserver-arg="})," argument to ",(0,r.jsx)(n.code,{children:"k3s server"}),". An example can be found below."]})]}),"\n",(0,r.jsx)(n.h3,{id:"control-1226",children:"Control 1.2.26"}),"\n",(0,r.jsxs)(n.p,{children:["Ensure that the ",(0,r.jsx)(n.code,{children:"--request-timeout"})," argument is set as appropriate."]}),"\n",(0,r.jsxs)(s,{children:[(0,r.jsxs)(n.p,{children:[(0,r.jsx)("summary",{children:"Rationale"}),"\nSetting global request timeout allows extending the API server request timeout limit to a duration appropriate to the user's connection speed. By default, it is set to 60 seconds which might be problematic on slower connections making cluster resources inaccessible once the data volume for requests exceeds what can be transmitted in 60 seconds. But, setting this timeout limit to be too large can exhaust the API server resources making it prone to Denial-of-Service attack. Hence, it is recommended to set this limit as appropriate and change the default limit of 60 seconds only if needed."]}),(0,r.jsxs)(n.p,{children:["This can be remediated by passing this argument as a value to the ",(0,r.jsx)(n.code,{children:"--kube-apiserver-arg="})," argument to ",(0,r.jsx)(n.code,{children:"k3s server"}),". An example can be found below."]})]}),"\n",(0,r.jsx)(n.h3,{id:"control-1227",children:"Control 1.2.27"}),"\n",(0,r.jsxs)(n.p,{children:["Ensure that the ",(0,r.jsx)(n.code,{children:"--service-account-lookup"})," argument is set to true."]}),"\n",(0,r.jsxs)(s,{children:[(0,r.jsxs)(n.p,{children:[(0,r.jsx)("summary",{children:"Rationale"}),"\nIf ",(0,r.jsx)(n.code,{children:"--service-account-lookup"})," is not enabled, the apiserver only verifies that the authentication token is valid, and does not validate that the service account token mentioned in the request is actually present in etcd. This allows using a service account token even after the corresponding service account is deleted. This is an example of time of check to time of use security issue."]}),(0,r.jsxs)(n.p,{children:["This can be remediated by passing this argument as a value to the ",(0,r.jsx)(n.code,{children:"--kube-apiserver-arg="})," argument to ",(0,r.jsx)(n.code,{children:"k3s server"}),". An example can be found below."]})]}),"\n",(0,r.jsx)(n.h3,{id:"control-1233",children:"Control 1.2.33"}),"\n",(0,r.jsxs)(n.p,{children:["Ensure that the ",(0,r.jsx)(n.code,{children:"--encryption-provider-config"})," argument is set as appropriate."]}),"\n",(0,r.jsxs)(s,{children:[(0,r.jsxs)(n.p,{children:[(0,r.jsx)("summary",{children:"Rationale"}),"\n",(0,r.jsx)(n.code,{children:"etcd"})," is a highly available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted at rest to avoid any disclosures."]}),(0,r.jsxs)(n.p,{children:["Detailed steps on how to configure secrets encryption in K3s are available in ",(0,r.jsx)(n.a,{href:"/kr/security/secrets-encryption",children:"Secrets Encryption"}),"."]})]}),"\n",(0,r.jsx)(n.h3,{id:"control-1234",children:"Control 1.2.34"}),"\n",(0,r.jsx)(n.p,{children:"Ensure that encryption providers are appropriately configured."}),"\n",(0,r.jsxs)(s,{children:[(0,r.jsxs)(n.p,{children:[(0,r.jsx)("summary",{children:"Rationale"}),"\nWhere ",(0,r.jsx)(n.code,{children:"etcd"})," encryption is used, it is important to ensure that the appropriate set of encryption providers is used. Currently, the ",(0,r.jsx)(n.code,{children:"aescbc"}),", ",(0,r.jsx)(n.code,{children:"kms"})," and ",(0,r.jsx)(n.code,{children:"secretbox"})," are likely to be appropriate options."]}),(0,r.jsxs)(n.p,{children:["This can be remediated by passing a valid configuration to ",(0,r.jsx)(n.code,{children:"k3s"})," as outlined above. Detailed steps on how to configure secrets encryption in K3s are available in ",(0,r.jsx)(n.a,{href:"/kr/security/secrets-encryption",children:"Secrets Encryption"}),"."]})]}),"\n",(0,r.jsx)(n.h3,{id:"control-131",children:"Control 1.3.1"}),"\n",(0,r.jsxs)(n.p,{children:["Ensure that the ",(0,r.jsx)(n.code,{children:"--terminated-pod-gc-threshold"})," argument is set as appropriate."]}),"\n",(0,r.jsxs)(s,{children:[(0,r.jsxs)(n.p,{children:[(0,r.jsx)("summary",{children:"Rationale"}),"\nGarbage collection is important to ensure sufficient resource availability and avoiding degraded performance and availability. In the worst case, the system might crash or just be unusable for a long period of time. The current setting for garbage collection is 12,500 terminated pods which might be too high for your system to sustain. Based on your system resources and tests, choose an appropriate threshold value to activate garbage collection."]}),(0,r.jsxs)(n.p,{children:["This can be remediated by passing this argument as a value to the ",(0,r.jsx)(n.code,{children:"--kube-apiserver-arg="})," argument to ",(0,r.jsx)(n.code,{children:"k3s server"}),". An example can be found below."]})]}),"\n",(0,r.jsx)(n.h3,{id:"control-321",children:"Control 3.2.1"}),"\n",(0,r.jsx)(n.p,{children:"Ensure that a minimal audit policy is created."}),"\n",(0,r.jsxs)(s,{children:[(0,r.jsxs)(n.p,{children:[(0,r.jsx)("summary",{children:"Rationale"}),"\nLogging is an important detective control for all systems, to detect potential unauthorized access."]}),(0,r.jsx)(n.p,{children:"This can be remediated by passing controls 1.2.22 - 1.2.25 and verifying their efficacy."})]}),"\n",(0,r.jsx)(n.h3,{id:"control-427",children:"Control 4.2.7"}),"\n",(0,r.jsxs)(n.p,{children:["Ensure that the ",(0,r.jsx)(n.code,{children:"--make-iptables-util-chains"})," argument is set to true."]}),"\n",(0,r.jsxs)(s,{children:[(0,r.jsxs)(n.p,{children:[(0,r.jsx)("summary",{children:"Rationale"}),"\nKubelets can automatically manage the required changes to iptables based on how you choose your networking options for the pods. It is recommended to let kubelets manage the changes to iptables. This ensures that the iptables configuration remains in sync with pods networking configuration. Manually configuring iptables with dynamic pod network configuration changes might hamper the communication between pods/containers and to the outside world. You might have iptables rules too restrictive or too open."]}),(0,r.jsxs)(n.p,{children:["This can be remediated by passing this argument as a value to the ",(0,r.jsx)(n.code,{children:"--kube-apiserver-arg="})," argument to ",(0,r.jsx)(n.code,{children:"k3s server"}),". An example can be found below."]})]}),"\n",(0,r.jsx)(n.h3,{id:"control-515",children:"Control 5.1.5"}),"\n",(0,r.jsx)(n.p,{children:"Ensure that default service accounts are not actively used"}),"\n",(0,r.jsxs)(s,{children:[(0,r.jsxs)(n.p,{children:[(0,r.jsx)("summary",{children:"Rationale"}),"\nKubernetes provides a ",(0,r.jsx)(n.code,{children:"default"})," service account which is used by cluster workloads where no specific service account is assigned to the pod."]}),(0,r.jsx)(n.p,{children:"Where access to the Kubernetes API from a pod is required, a specific service account should be created for that pod, and rights granted to that service account."}),(0,r.jsx)(n.p,{children:"The default service account should be configured such that it does not provide a service account token and does not have any explicit rights assignments."}),(0,r.jsxs)(n.p,{children:["This can be remediated by updating the ",(0,r.jsx)(n.code,{children:"automountServiceAccountToken"})," field to ",(0,r.jsx)(n.code,{children:"false"})," for the ",(0,r.jsx)(n.code,{children:"default"})," service account in each namespace."]}),(0,r.jsxs)(n.p,{children:["For ",(0,r.jsx)(n.code,{children:"default"})," service accounts in the built-in namespaces (",(0,r.jsx)(n.code,{children:"kube-system"}),", ",(0,r.jsx)(n.code,{children:"kube-public"}),", ",(0,r.jsx)(n.code,{children:"kube-node-lease"}),", and ",(0,r.jsx)(n.code,{children:"default"}),"), K3s does not automatically do this. You can manually update this field on these service accounts to pass the control."]})]}),"\n",(0,r.jsx)(n.h2,{id:"conclusion",children:"Conclusion"}),"\n",(0,r.jsxs)(n.p,{children:["If you have followed this guide, your K3s cluster will be configured to comply with the CIS Kubernetes Benchmark. You can review the ",(0,r.jsx)(n.a,{href:"/kr/security/self-assessment-1.23",children:"CIS Benchmark Self-Assessment Guide"})," to understand the expectations of each of the benchmark's checks and how you can do the same on your cluster."]})]})}function u(e={}){const{wrapper:n}={...(0,t.a)(),...e.components};return n?(0,r.jsx)(n,{...e,children:(0,r.jsx)(d,{...e})}):d(e)}function h(e,n){throw new Error("Expected "+(n?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,n,s)=>{s.d(n,{Z:()=>o,a:()=>a});var r=s(7294);const t={},i=r.createContext(t);function a(e){const n=r.useContext(i);return r.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function o(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:a(e.components),r.createElement(i.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/18ace21a.ce51c42a.js b/kr/assets/js/18ace21a.ce51c42a.js deleted file mode 100644 index 840ade353..000000000 --- a/kr/assets/js/18ace21a.ce51c42a.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[9269],{3497:(e,n,s)=>{s.r(n),s.d(n,{assets:()=>l,contentTitle:()=>a,default:()=>u,frontMatter:()=>i,metadata:()=>o,toc:()=>c});var r=s(5893),t=s(1151);const i={title:"CIS Hardening Guide"},a=void 0,o={id:"security/hardening-guide",title:"CIS Hardening Guide",description:"This document provides prescriptive guidance for hardening a production installation of K3s. It outlines the configurations and controls required to address Kubernetes benchmark controls from the Center for Internet Security (CIS).",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/security/hardening-guide.md",sourceDirName:"security",slug:"/security/hardening-guide",permalink:"/kr/security/hardening-guide",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/security/hardening-guide.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"CIS Hardening Guide"},sidebar:"mySidebar",previous:{title:"Secrets Encryption",permalink:"/kr/security/secrets-encryption"},next:{title:"self-assessment-1.8",permalink:"/kr/security/self-assessment-1.8"}},l={},c=[{value:"Host-level Requirements",id:"host-level-requirements",level:2},{value:"Ensure protect-kernel-defaults is set",id:"ensure-protect-kernel-defaults-is-set",level:3},{value:"Set kernel parameters",id:"set-kernel-parameters",level:4},{value:"Kubernetes Runtime Requirements",id:"kubernetes-runtime-requirements",level:2},{value:"Pod Security",id:"pod-security",level:3},{value:"NetworkPolicies",id:"networkpolicies",level:3},{value:"API Server audit configuration",id:"api-server-audit-configuration",level:3},{value:"Configuration for Kubernetes Components",id:"configuration-for-kubernetes-components",level:2},{value:"Control Plane Execution and Arguments",id:"control-plane-execution-and-arguments",level:2},{value:"Known Issues",id:"known-issues",level:2},{value:"Control 1.2.15",id:"control-1215",level:3},{value:"Control 1.2.16",id:"control-1216",level:3},{value:"Control 1.2.22",id:"control-1222",level:3},{value:"Control 1.2.23",id:"control-1223",level:3},{value:"Control 1.2.24",id:"control-1224",level:3},{value:"Control 1.2.25",id:"control-1225",level:3},{value:"Control 1.2.26",id:"control-1226",level:3},{value:"Control 1.2.27",id:"control-1227",level:3},{value:"Control 1.2.33",id:"control-1233",level:3},{value:"Control 1.2.34",id:"control-1234",level:3},{value:"Control 1.3.1",id:"control-131",level:3},{value:"Control 3.2.1",id:"control-321",level:3},{value:"Control 4.2.7",id:"control-427",level:3},{value:"Control 5.1.5",id:"control-515",level:3},{value:"Conclusion",id:"conclusion",level:2}];function d(e){const n={a:"a",admonition:"admonition",blockquote:"blockquote",code:"code",h2:"h2",h3:"h3",h4:"h4",li:"li",ol:"ol",p:"p",pre:"pre",strong:"strong",...(0,t.a)(),...e.components},{Details:s,TabItem:i,Tabs:a}=n;return s||h("Details",!0),i||h("TabItem",!0),a||h("Tabs",!0),(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(n.p,{children:"This document provides prescriptive guidance for hardening a production installation of K3s. It outlines the configurations and controls required to address Kubernetes benchmark controls from the Center for Internet Security (CIS)."}),"\n",(0,r.jsx)(n.p,{children:"K3s has a number of security mitigations applied and turned on by default and will pass a number of the Kubernetes CIS controls without modification. There are some notable exceptions to this that require manual intervention to fully comply with the CIS Benchmark:"}),"\n",(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsx)(n.li,{children:"K3s will not modify the host operating system. Any host-level modifications will need to be done manually."}),"\n",(0,r.jsxs)(n.li,{children:["Certain CIS policy controls for ",(0,r.jsx)(n.code,{children:"NetworkPolicies"})," and ",(0,r.jsx)(n.code,{children:"PodSecurityStandards"})," (",(0,r.jsx)(n.code,{children:"PodSecurityPolicies"})," on v1.24 and older) will restrict the functionality of the cluster. You must opt into having K3s configure these by adding the appropriate options (enabling of admission plugins) to your command-line flags or configuration file as well as manually applying appropriate policies. Further details are presented in the sections below."]}),"\n"]}),"\n",(0,r.jsx)(n.p,{children:"The first section (1.1) of the CIS Benchmark concerns itself primarily with pod manifest permissions and ownership. K3s doesn't utilize these for the core components since everything is packaged into a single binary."}),"\n",(0,r.jsx)(n.h2,{id:"host-level-requirements",children:"Host-level Requirements"}),"\n",(0,r.jsx)(n.p,{children:"There are two areas of host-level requirements: kernel parameters and etcd process/directory configuration. These are outlined in this section."}),"\n",(0,r.jsxs)(n.h3,{id:"ensure-protect-kernel-defaults-is-set",children:["Ensure ",(0,r.jsx)(n.code,{children:"protect-kernel-defaults"})," is set"]}),"\n",(0,r.jsx)(n.p,{children:"This is a kubelet flag that will cause the kubelet to exit if the required kernel parameters are unset or are set to values that are different from the kubelet's defaults."}),"\n",(0,r.jsxs)(n.blockquote,{children:["\n",(0,r.jsxs)(n.p,{children:[(0,r.jsx)(n.strong,{children:"Note:"})," ",(0,r.jsx)(n.code,{children:"protect-kernel-defaults"})," is exposed as a top-level flag for K3s."]}),"\n"]}),"\n",(0,r.jsx)(n.h4,{id:"set-kernel-parameters",children:"Set kernel parameters"}),"\n",(0,r.jsxs)(n.p,{children:["Create a file called ",(0,r.jsx)(n.code,{children:"/etc/sysctl.d/90-kubelet.conf"})," and add the snippet below. Then run ",(0,r.jsx)(n.code,{children:"sysctl -p /etc/sysctl.d/90-kubelet.conf"}),"."]}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"vm.panic_on_oom=0\nvm.overcommit_memory=1\nkernel.panic=10\nkernel.panic_on_oops=1\nkernel.keys.root_maxbytes=25000000\n"})}),"\n",(0,r.jsx)(n.h2,{id:"kubernetes-runtime-requirements",children:"Kubernetes Runtime Requirements"}),"\n",(0,r.jsx)(n.p,{children:"The runtime requirements to comply with the CIS Benchmark are centered around pod security (via PSP or PSA), network policies and API Server auditing logs. These are outlined in this section."}),"\n",(0,r.jsxs)(n.p,{children:["By default, K3s does not include any pod security or network policies. However, K3s ships with a controller that will enforce network policies, if any are created. K3s doesn't enable auditing by default, so audit log configuration and audit policy must be created manually. By default, K3s runs with the both the ",(0,r.jsx)(n.code,{children:"PodSecurity"})," and ",(0,r.jsx)(n.code,{children:"NodeRestriction"})," admission controllers enabled, among others."]}),"\n",(0,r.jsx)(n.h3,{id:"pod-security",children:"Pod Security"}),"\n",(0,r.jsxs)(a,{children:[(0,r.jsxs)(i,{value:"v1.25 and Newer",default:!0,children:[(0,r.jsxs)(n.p,{children:["K3s v1.25 and newer support ",(0,r.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/security/pod-security-admission/",children:"Pod Security Admissions (PSAs)"})," for controlling pod security. PSAs are enabled by passing the following flag to the K3s server:"]}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{children:'--kube-apiserver-arg="admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml"\n'})}),(0,r.jsxs)(n.p,{children:["The policy should be written to a file named ",(0,r.jsx)(n.code,{children:"psa.yaml"})," in ",(0,r.jsx)(n.code,{children:"/var/lib/rancher/k3s/server"})," directory."]}),(0,r.jsx)(n.p,{children:"Here is an example of a compliant PSA:"}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-yaml",children:'apiVersion: apiserver.config.k8s.io/v1\nkind: AdmissionConfiguration\nplugins:\n- name: PodSecurity\n configuration:\n apiVersion: pod-security.admission.config.k8s.io/v1beta1\n kind: PodSecurityConfiguration\n defaults:\n enforce: "restricted"\n enforce-version: "latest"\n audit: "restricted"\n audit-version: "latest"\n warn: "restricted"\n warn-version: "latest"\n exemptions:\n usernames: []\n runtimeClasses: []\n namespaces: [kube-system, cis-operator-system]\n'})})]}),(0,r.jsxs)(i,{value:"v1.24 and Older",default:!0,children:[(0,r.jsxs)(n.p,{children:["K3s v1.24 and older support ",(0,r.jsx)(n.a,{href:"https://v1-24.docs.kubernetes.io/docs/concepts/security/pod-security-policy/",children:"Pod Security Policies (PSPs)"})," for controlling pod security. PSPs are enabled by passing the following flag to the K3s server:"]}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{children:'--kube-apiserver-arg="enable-admission-plugins=NodeRestriction,PodSecurityPolicy"\n'})}),(0,r.jsxs)(n.p,{children:["This will have the effect of maintaining the ",(0,r.jsx)(n.code,{children:"NodeRestriction"})," plugin as well as enabling the ",(0,r.jsx)(n.code,{children:"PodSecurityPolicy"}),"."]}),(0,r.jsx)(n.p,{children:"When PSPs are enabled, a policy can be applied to satisfy the necessary controls described in section 5.2 of the CIS Benchmark."}),(0,r.jsx)(n.p,{children:"Here is an example of a compliant PSP:"}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-yaml",children:"apiVersion: policy/v1beta1\nkind: PodSecurityPolicy\nmetadata:\n name: restricted-psp\nspec:\n privileged: false # CIS - 5.2.1\n allowPrivilegeEscalation: false # CIS - 5.2.5\n requiredDropCapabilities: # CIS - 5.2.7/8/9\n - ALL\n volumes:\n - 'configMap'\n - 'emptyDir'\n - 'projected'\n - 'secret'\n - 'downwardAPI'\n - 'csi'\n - 'persistentVolumeClaim'\n - 'ephemeral'\n hostNetwork: false # CIS - 5.2.4\n hostIPC: false # CIS - 5.2.3\n hostPID: false # CIS - 5.2.2\n runAsUser:\n rule: 'MustRunAsNonRoot' # CIS - 5.2.6\n seLinux:\n rule: 'RunAsAny'\n supplementalGroups:\n rule: 'MustRunAs'\n ranges:\n - min: 1\n max: 65535\n fsGroup:\n rule: 'MustRunAs'\n ranges:\n - min: 1\n max: 65535\n readOnlyRootFilesystem: false\n"})}),(0,r.jsx)(n.p,{children:'For the above PSP to be effective, we need to create a ClusterRole and a ClusterRoleBinding. We also need to include a "system unrestricted policy" which is needed for system-level pods that require additional privileges, and an additional policy that allows sysctls necessary for servicelb to function properly.'}),(0,r.jsxs)(n.p,{children:["Combining the configuration above with the ",(0,r.jsx)(n.a,{href:"#networkpolicies",children:"Network Policy"})," described in the next section, a single file can be placed in the ",(0,r.jsx)(n.code,{children:"/var/lib/rancher/k3s/server/manifests"})," directory. Here is an example of a ",(0,r.jsx)(n.code,{children:"policy.yaml"})," file:"]}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-yaml",children:"apiVersion: policy/v1beta1\nkind: PodSecurityPolicy\nmetadata:\n name: restricted-psp\nspec:\n privileged: false\n allowPrivilegeEscalation: false\n requiredDropCapabilities:\n - ALL\n volumes:\n - 'configMap'\n - 'emptyDir'\n - 'projected'\n - 'secret'\n - 'downwardAPI'\n - 'csi'\n - 'persistentVolumeClaim'\n - 'ephemeral'\n hostNetwork: false\n hostIPC: false\n hostPID: false\n runAsUser:\n rule: 'MustRunAsNonRoot'\n seLinux:\n rule: 'RunAsAny'\n supplementalGroups:\n rule: 'MustRunAs'\n ranges:\n - min: 1\n max: 65535\n fsGroup:\n rule: 'MustRunAs'\n ranges:\n - min: 1\n max: 65535\n readOnlyRootFilesystem: false\n---\napiVersion: policy/v1beta1\nkind: PodSecurityPolicy\nmetadata:\n name: system-unrestricted-psp\n annotations:\n seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'\nspec:\n allowPrivilegeEscalation: true\n allowedCapabilities:\n - '*'\n fsGroup:\n rule: RunAsAny\n hostIPC: true\n hostNetwork: true\n hostPID: true\n hostPorts:\n - max: 65535\n min: 0\n privileged: true\n runAsUser:\n rule: RunAsAny\n seLinux:\n rule: RunAsAny\n supplementalGroups:\n rule: RunAsAny\n volumes:\n - '*'\n---\napiVersion: policy/v1beta1\nkind: PodSecurityPolicy\nmetadata:\n name: svclb-psp\n annotations:\n seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'\nspec:\n allowPrivilegeEscalation: false\n allowedCapabilities:\n - NET_ADMIN\n allowedUnsafeSysctls:\n - net.ipv4.ip_forward\n - net.ipv6.conf.all.forwarding\n fsGroup:\n rule: RunAsAny\n hostPorts:\n - max: 65535\n min: 0\n runAsUser:\n rule: RunAsAny\n seLinux:\n rule: RunAsAny\n supplementalGroups:\n rule: RunAsAny\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n name: psp:restricted-psp\nrules:\n- apiGroups:\n - policy\n resources:\n - podsecuritypolicies\n verbs:\n - use\n resourceNames:\n - restricted-psp\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n name: psp:system-unrestricted-psp\nrules:\n- apiGroups:\n - policy\n resources:\n - podsecuritypolicies\n resourceNames:\n - system-unrestricted-psp\n verbs:\n - use\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n name: psp:svclb-psp\nrules:\n- apiGroups:\n - policy\n resources:\n - podsecuritypolicies\n resourceNames:\n - svclb-psp\n verbs:\n - use\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n name: default:restricted-psp\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: psp:restricted-psp\nsubjects:\n- kind: Group\n name: system:authenticated\n apiGroup: rbac.authorization.k8s.io\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n name: system-unrestricted-node-psp-rolebinding\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: psp:system-unrestricted-psp\nsubjects:\n- apiGroup: rbac.authorization.k8s.io\n kind: Group\n name: system:nodes\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n name: system-unrestricted-svc-acct-psp-rolebinding\n namespace: kube-system\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: psp:system-unrestricted-psp\nsubjects:\n- apiGroup: rbac.authorization.k8s.io\n kind: Group\n name: system:serviceaccounts\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n name: svclb-psp-rolebinding\n namespace: kube-system\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: psp:svclb-psp\nsubjects:\n- kind: ServiceAccount\n name: svclb\n---\nkind: NetworkPolicy\napiVersion: networking.k8s.io/v1\nmetadata:\n name: intra-namespace\n namespace: kube-system\nspec:\n podSelector: {}\n ingress:\n - from:\n - namespaceSelector:\n matchLabels:\n name: kube-system\n---\nkind: NetworkPolicy\napiVersion: networking.k8s.io/v1\nmetadata:\n name: intra-namespace\n namespace: default\nspec:\n podSelector: {}\n ingress:\n - from:\n - namespaceSelector:\n matchLabels:\n name: default\n---\nkind: NetworkPolicy\napiVersion: networking.k8s.io/v1\nmetadata:\n name: intra-namespace\n namespace: kube-public\nspec:\n podSelector: {}\n ingress:\n - from:\n - namespaceSelector:\n matchLabels:\n name: kube-public\n"})})]})]}),"\n",(0,r.jsxs)(n.blockquote,{children:["\n",(0,r.jsxs)(n.p,{children:[(0,r.jsx)(n.strong,{children:"Note:"})," The Kubernetes critical additions such as CNI, DNS, and Ingress are run as pods in the ",(0,r.jsx)(n.code,{children:"kube-system"})," namespace. Therefore, this namespace will have a policy that is less restrictive so that these components can run properly."]}),"\n"]}),"\n",(0,r.jsx)(n.h3,{id:"networkpolicies",children:"NetworkPolicies"}),"\n",(0,r.jsx)(n.p,{children:"CIS requires that all namespaces have a network policy applied that reasonably limits traffic into namespaces and pods."}),"\n",(0,r.jsxs)(n.p,{children:["Network policies should be placed the ",(0,r.jsx)(n.code,{children:"/var/lib/rancher/k3s/server/manifests"})," directory, where they will automatically be deployed on startup."]}),"\n",(0,r.jsx)(n.p,{children:"Here is an example of a compliant network policy."}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-yaml",children:"kind: NetworkPolicy\napiVersion: networking.k8s.io/v1\nmetadata:\n name: intra-namespace\n namespace: kube-system\nspec:\n podSelector: {}\n ingress:\n - from:\n - namespaceSelector:\n matchLabels:\n name: kube-system\n"})}),"\n",(0,r.jsx)(n.p,{children:"With the applied restrictions, DNS will be blocked unless purposely allowed. Below is a network policy that will allow for traffic to exist for DNS."}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-yaml",children:"apiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n name: default-network-dns-policy\n namespace: \nspec:\n ingress:\n - ports:\n - port: 53\n protocol: TCP\n - port: 53\n protocol: UDP\n podSelector:\n matchLabels:\n k8s-app: kube-dns\n policyTypes:\n - Ingress\n"})}),"\n",(0,r.jsx)(n.p,{children:"The metrics-server and Traefik ingress controller will be blocked by default if network policies are not created to allow access. Traefik v1 as packaged in K3s version 1.20 and below uses different labels than Traefik v2. Ensure that you only use the sample yaml below that is associated with the version of Traefik present on your cluster."}),"\n",(0,r.jsxs)(a,{children:[(0,r.jsx)(i,{value:"v1.21 and Newer",default:!0,children:(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-yaml",children:"apiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n name: allow-all-metrics-server\n namespace: kube-system\nspec:\n podSelector:\n matchLabels:\n k8s-app: metrics-server\n ingress:\n - {}\n policyTypes:\n - Ingress\n---\napiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n name: allow-all-svclbtraefik-ingress\n namespace: kube-system\nspec:\n podSelector: \n matchLabels:\n svccontroller.k3s.cattle.io/svcname: traefik\n ingress:\n - {}\n policyTypes:\n - Ingress\n---\napiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n name: allow-all-traefik-v121-ingress\n namespace: kube-system\nspec:\n podSelector:\n matchLabels:\n app.kubernetes.io/name: traefik\n ingress:\n - {}\n policyTypes:\n - Ingress\n---\n\n"})})}),(0,r.jsx)(i,{value:"v1.20 and Older",default:!0,children:(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-yaml",children:"apiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n name: allow-all-metrics-server\n namespace: kube-system\nspec:\n podSelector:\n matchLabels:\n k8s-app: metrics-server\n ingress:\n - {}\n policyTypes:\n - Ingress\n---\napiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n name: allow-all-svclbtraefik-ingress\n namespace: kube-system\nspec:\n podSelector: \n matchLabels:\n svccontroller.k3s.cattle.io/svcname: traefik\n ingress:\n - {}\n policyTypes:\n - Ingress\n---\napiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n name: allow-all-traefik-v120-ingress\n namespace: kube-system\nspec:\n podSelector:\n matchLabels:\n app: traefik\n ingress:\n - {}\n policyTypes:\n - Ingress\n---\n\n"})})})]}),"\n",(0,r.jsx)(n.admonition,{type:"info",children:(0,r.jsx)(n.p,{children:"Operators must manage network policies as normal for additional namespaces that are created."})}),"\n",(0,r.jsx)(n.h3,{id:"api-server-audit-configuration",children:"API Server audit configuration"}),"\n",(0,r.jsx)(n.p,{children:"CIS requirements 1.2.22 to 1.2.25 are related to configuring audit logs for the API Server. K3s doesn't create by default the log directory and audit policy, as auditing requirements are specific to each user's policies and environment."}),"\n",(0,r.jsx)(n.p,{children:"The log directory, ideally, must be created before starting K3s. A restrictive access permission is recommended to avoid leaking potential sensitive information."}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"sudo mkdir -p -m 700 /var/lib/rancher/k3s/server/logs\n"})}),"\n",(0,r.jsxs)(n.p,{children:["A starter audit policy to log request metadata is provided below. The policy should be written to a file named ",(0,r.jsx)(n.code,{children:"audit.yaml"})," in ",(0,r.jsx)(n.code,{children:"/var/lib/rancher/k3s/server"})," directory. Detailed information about policy configuration for the API server can be found in the Kubernetes ",(0,r.jsx)(n.a,{href:"https://kubernetes.io/docs/tasks/debug-application-cluster/audit/",children:"documentation"}),"."]}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-yaml",children:"apiVersion: audit.k8s.io/v1\nkind: Policy\nrules:\n- level: Metadata\n"})}),"\n",(0,r.jsx)(n.p,{children:"Both configurations must be passed as arguments to the API Server as:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"--kube-apiserver-arg='audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log'\n--kube-apiserver-arg='audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml'\n"})}),"\n",(0,r.jsxs)(n.p,{children:["If the configurations are created after K3s is installed, they must be added to K3s' systemd service in ",(0,r.jsx)(n.code,{children:"/etc/systemd/system/k3s.service"}),"."]}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"ExecStart=/usr/local/bin/k3s \\\n server \\\n\t'--kube-apiserver-arg=audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log' \\\n\t'--kube-apiserver-arg=audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml' \\\n"})}),"\n",(0,r.jsx)(n.p,{children:"K3s must be restarted to load the new configuration."}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"sudo systemctl daemon-reload\nsudo systemctl restart k3s.service\n"})}),"\n",(0,r.jsx)(n.h2,{id:"configuration-for-kubernetes-components",children:"Configuration for Kubernetes Components"}),"\n",(0,r.jsxs)(n.p,{children:["The configuration below should be placed in the ",(0,r.jsx)(n.a,{href:"/kr/installation/configuration#configuration-file",children:"configuration file"}),", and contains all the necessary remediations to harden the Kubernetes components."]}),"\n",(0,r.jsxs)(a,{children:[(0,r.jsx)(i,{value:"v1.25 and Newer",default:!0,children:(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-yaml",children:"protect-kernel-defaults: true\nsecrets-encryption: true\nkube-apiserver-arg:\n - 'admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml'\n - 'audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log'\n - 'audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml'\n - 'audit-log-maxage=30'\n - 'audit-log-maxbackup=10'\n - 'audit-log-maxsize=100'\nkube-controller-manager-arg:\n - 'terminated-pod-gc-threshold=10'\n - 'use-service-account-credentials=true'\nkubelet-arg:\n - 'streaming-connection-idle-timeout=5m'\n - 'make-iptables-util-chains=true'\n"})})}),(0,r.jsx)(i,{value:"v1.24 and Older",default:!0,children:(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-yaml",children:"protect-kernel-defaults: true\nsecrets-encryption: true\nkube-apiserver-arg:\n - 'enable-admission-plugins=NodeRestriction,PodSecurityPolicy,NamespaceLifecycle,ServiceAccount'\n - 'audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log'\n - 'audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml'\n - 'audit-log-maxage=30'\n - 'audit-log-maxbackup=10'\n - 'audit-log-maxsize=100'\nkube-controller-manager-arg:\n - 'terminated-pod-gc-threshold=10'\n - 'use-service-account-credentials=true'\nkubelet-arg:\n - 'streaming-connection-idle-timeout=5m'\n - 'make-iptables-util-chains=true'\n"})})})]}),"\n",(0,r.jsx)(n.h2,{id:"control-plane-execution-and-arguments",children:"Control Plane Execution and Arguments"}),"\n",(0,r.jsx)(n.p,{children:"Listed below are the K3s control plane components and the arguments they are given at start, by default. Commented to their right is the CIS 1.6 control that they satisfy."}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"kube-apiserver \n --advertise-port=6443 \n --allow-privileged=true \n --anonymous-auth=false # 1.2.1\n --api-audiences=unknown \n --authorization-mode=Node,RBAC \n --bind-address=127.0.0.1 \n --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs\n --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt # 1.2.31\n --enable-admission-plugins=NodeRestriction,PodSecurityPolicy # 1.2.17\n --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt # 1.2.32\n --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt # 1.2.29\n --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key # 1.2.29\n --etcd-servers=https://127.0.0.1:2379 \n --insecure-port=0 # 1.2.19\n --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt \n --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt \n --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key \n --profiling=false # 1.2.21\n --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt \n --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key \n --requestheader-allowed-names=system:auth-proxy \n --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt \n --requestheader-extra-headers-prefix=X-Remote-Extra- \n --requestheader-group-headers=X-Remote-Group \n --requestheader-username-headers=X-Remote-User \n --secure-port=6444 # 1.2.20\n --service-account-issuer=k3s \n --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key # 1.2.28\n --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key \n --service-cluster-ip-range=10.43.0.0/16 \n --storage-backend=etcd3 \n --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt # 1.2.30\n --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key # 1.2.30\n --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305\n"})}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"kube-controller-manager \n --address=127.0.0.1 \n --allocate-node-cidrs=true \n --bind-address=127.0.0.1 # 1.3.7\n --cluster-cidr=10.42.0.0/16 \n --cluster-signing-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt \n --cluster-signing-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key \n --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig \n --port=10252 \n --profiling=false # 1.3.2\n --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt # 1.3.5\n --secure-port=0 \n --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.key # 1.3.4 \n --use-service-account-credentials=true # 1.3.3\n"})}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"kube-scheduler \n --address=127.0.0.1 \n --bind-address=127.0.0.1 # 1.4.2\n --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig \n --port=10251 \n --profiling=false # 1.4.1\n --secure-port=0\n"})}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"kubelet \n --address=0.0.0.0 \n --anonymous-auth=false # 4.2.1\n --authentication-token-webhook=true \n --authorization-mode=Webhook # 4.2.2\n --cgroup-driver=cgroupfs \n --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt # 4.2.3\n --cloud-provider=external \n --cluster-dns=10.43.0.10 \n --cluster-domain=cluster.local \n --cni-bin-dir=/var/lib/rancher/k3s/data/223e6420f8db0d8828a8f5ed3c44489bb8eb47aa71485404f8af8c462a29bea3/bin \n --cni-conf-dir=/var/lib/rancher/k3s/agent/etc/cni/net.d \n --container-runtime-endpoint=/run/k3s/containerd/containerd.sock \n --container-runtime=remote \n --containerd=/run/k3s/containerd/containerd.sock \n --eviction-hard=imagefs.available<5%,nodefs.available<5% \n --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% \n --fail-swap-on=false \n --healthz-bind-address=127.0.0.1 \n --hostname-override=hostname01 \n --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig \n --kubelet-cgroups=/systemd/system.slice \n --node-labels= \n --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests \n --protect-kernel-defaults=true # 4.2.6\n --read-only-port=0 # 4.2.4\n --resolv-conf=/run/systemd/resolve/resolv.conf \n --runtime-cgroups=/systemd/system.slice \n --serialize-image-pulls=false \n --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt # 4.2.10\n --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key # 4.2.10\n"})}),"\n",(0,r.jsx)(n.p,{children:"Additional information about CIS requirements 1.2.22 to 1.2.25 is presented below."}),"\n",(0,r.jsx)(n.h2,{id:"known-issues",children:"Known Issues"}),"\n",(0,r.jsx)(n.p,{children:"The following are controls that K3s currently does not pass by default. Each gap will be explained, along with a note clarifying whether it can be passed through manual operator intervention, or if it will be addressed in a future release of K3s."}),"\n",(0,r.jsx)(n.h3,{id:"control-1215",children:"Control 1.2.15"}),"\n",(0,r.jsxs)(n.p,{children:["Ensure that the admission control plugin ",(0,r.jsx)(n.code,{children:"NamespaceLifecycle"})," is set."]}),"\n",(0,r.jsxs)(s,{children:[(0,r.jsxs)(n.p,{children:[(0,r.jsx)("summary",{children:"Rationale"}),"\nSetting admission control policy to ",(0,r.jsx)(n.code,{children:"NamespaceLifecycle"})," ensures that objects cannot be created in non-existent namespaces, and that namespaces undergoing termination are not used for creating the new objects. This is recommended to enforce the integrity of the namespace termination process and also for the availability of the newer objects."]}),(0,r.jsxs)(n.p,{children:["This can be remediated by passing this argument as a value to the ",(0,r.jsx)(n.code,{children:"enable-admission-plugins="})," and pass that to ",(0,r.jsx)(n.code,{children:"--kube-apiserver-arg="})," argument to ",(0,r.jsx)(n.code,{children:"k3s server"}),". An example can be found below."]})]}),"\n",(0,r.jsx)(n.h3,{id:"control-1216",children:"Control 1.2.16"}),"\n",(0,r.jsxs)(n.p,{children:["Ensure that the admission control plugin ",(0,r.jsx)(n.code,{children:"PodSecurityPolicy"})," is set."]}),"\n",(0,r.jsxs)(s,{children:[(0,r.jsxs)(n.p,{children:[(0,r.jsx)("summary",{children:"Rationale"}),"\nA Pod Security Policy is a cluster-level resource that controls the actions that a pod can perform and what it has the ability to access. The ",(0,r.jsx)(n.code,{children:"PodSecurityPolicy"})," objects define a set of conditions that a pod must run with in order to be accepted into the system. Pod Security Policies are comprised of settings and strategies that control the security features a pod has access to and hence this must be used to control pod access permissions."]}),(0,r.jsxs)(n.p,{children:["This can be remediated by passing this argument as a value to the ",(0,r.jsx)(n.code,{children:"enable-admission-plugins="})," and pass that to ",(0,r.jsx)(n.code,{children:"--kube-apiserver-arg="})," argument to ",(0,r.jsx)(n.code,{children:"k3s server"}),". An example can be found below."]})]}),"\n",(0,r.jsx)(n.h3,{id:"control-1222",children:"Control 1.2.22"}),"\n",(0,r.jsxs)(n.p,{children:["Ensure that the ",(0,r.jsx)(n.code,{children:"--audit-log-path"})," argument is set."]}),"\n",(0,r.jsxs)(s,{children:[(0,r.jsxs)(n.p,{children:[(0,r.jsx)("summary",{children:"Rationale"}),"\nAuditing the Kubernetes API Server provides a security-relevant chronological set of records documenting the sequence of activities that have affected system by individual users, administrators or other components of the system. Even though currently, Kubernetes provides only basic audit capabilities, it should be enabled. You can enable it by setting an appropriate audit log path."]}),(0,r.jsxs)(n.p,{children:["This can be remediated by passing this argument as a value to the ",(0,r.jsx)(n.code,{children:"--kube-apiserver-arg="})," argument to ",(0,r.jsx)(n.code,{children:"k3s server"}),". An example can be found below."]})]}),"\n",(0,r.jsx)(n.h3,{id:"control-1223",children:"Control 1.2.23"}),"\n",(0,r.jsxs)(n.p,{children:["Ensure that the ",(0,r.jsx)(n.code,{children:"--audit-log-maxage"})," argument is set to 30 or as appropriate."]}),"\n",(0,r.jsxs)(s,{children:[(0,r.jsxs)(n.p,{children:[(0,r.jsx)("summary",{children:"Rationale"}),"\nRetaining logs for at least 30 days ensures that you can go back in time and investigate or correlate any events. Set your audit log retention period to 30 days or as per your business requirements."]}),(0,r.jsxs)(n.p,{children:["This can be remediated by passing this argument as a value to the ",(0,r.jsx)(n.code,{children:"--kube-apiserver-arg="})," argument to ",(0,r.jsx)(n.code,{children:"k3s server"}),". An example can be found below."]})]}),"\n",(0,r.jsx)(n.h3,{id:"control-1224",children:"Control 1.2.24"}),"\n",(0,r.jsxs)(n.p,{children:["Ensure that the ",(0,r.jsx)(n.code,{children:"--audit-log-maxbackup"})," argument is set to 10 or as appropriate."]}),"\n",(0,r.jsxs)(s,{children:[(0,r.jsxs)(n.p,{children:[(0,r.jsx)("summary",{children:"Rationale"}),"\nKubernetes automatically rotates the log files. Retaining old log files ensures that you would have sufficient log data available for carrying out any investigation or correlation. For example, if you have set file size of 100 MB and the number of old log files to keep as 10, you would approximate have 1 GB of log data that you could potentially use for your analysis."]}),(0,r.jsxs)(n.p,{children:["This can be remediated by passing this argument as a value to the ",(0,r.jsx)(n.code,{children:"--kube-apiserver-arg="})," argument to ",(0,r.jsx)(n.code,{children:"k3s server"}),". An example can be found below."]})]}),"\n",(0,r.jsx)(n.h3,{id:"control-1225",children:"Control 1.2.25"}),"\n",(0,r.jsxs)(n.p,{children:["Ensure that the ",(0,r.jsx)(n.code,{children:"--audit-log-maxsize"})," argument is set to 100 or as appropriate."]}),"\n",(0,r.jsxs)(s,{children:[(0,r.jsxs)(n.p,{children:[(0,r.jsx)("summary",{children:"Rationale"}),"\nKubernetes automatically rotates the log files. Retaining old log files ensures that you would have sufficient log data available for carrying out any investigation or correlation. If you have set file size of 100 MB and the number of old log files to keep as 10, you would approximate have 1 GB of log data that you could potentially use for your analysis."]}),(0,r.jsxs)(n.p,{children:["This can be remediated by passing this argument as a value to the ",(0,r.jsx)(n.code,{children:"--kube-apiserver-arg="})," argument to ",(0,r.jsx)(n.code,{children:"k3s server"}),". An example can be found below."]})]}),"\n",(0,r.jsx)(n.h3,{id:"control-1226",children:"Control 1.2.26"}),"\n",(0,r.jsxs)(n.p,{children:["Ensure that the ",(0,r.jsx)(n.code,{children:"--request-timeout"})," argument is set as appropriate."]}),"\n",(0,r.jsxs)(s,{children:[(0,r.jsxs)(n.p,{children:[(0,r.jsx)("summary",{children:"Rationale"}),"\nSetting global request timeout allows extending the API server request timeout limit to a duration appropriate to the user's connection speed. By default, it is set to 60 seconds which might be problematic on slower connections making cluster resources inaccessible once the data volume for requests exceeds what can be transmitted in 60 seconds. But, setting this timeout limit to be too large can exhaust the API server resources making it prone to Denial-of-Service attack. Hence, it is recommended to set this limit as appropriate and change the default limit of 60 seconds only if needed."]}),(0,r.jsxs)(n.p,{children:["This can be remediated by passing this argument as a value to the ",(0,r.jsx)(n.code,{children:"--kube-apiserver-arg="})," argument to ",(0,r.jsx)(n.code,{children:"k3s server"}),". An example can be found below."]})]}),"\n",(0,r.jsx)(n.h3,{id:"control-1227",children:"Control 1.2.27"}),"\n",(0,r.jsxs)(n.p,{children:["Ensure that the ",(0,r.jsx)(n.code,{children:"--service-account-lookup"})," argument is set to true."]}),"\n",(0,r.jsxs)(s,{children:[(0,r.jsxs)(n.p,{children:[(0,r.jsx)("summary",{children:"Rationale"}),"\nIf ",(0,r.jsx)(n.code,{children:"--service-account-lookup"})," is not enabled, the apiserver only verifies that the authentication token is valid, and does not validate that the service account token mentioned in the request is actually present in etcd. This allows using a service account token even after the corresponding service account is deleted. This is an example of time of check to time of use security issue."]}),(0,r.jsxs)(n.p,{children:["This can be remediated by passing this argument as a value to the ",(0,r.jsx)(n.code,{children:"--kube-apiserver-arg="})," argument to ",(0,r.jsx)(n.code,{children:"k3s server"}),". An example can be found below."]})]}),"\n",(0,r.jsx)(n.h3,{id:"control-1233",children:"Control 1.2.33"}),"\n",(0,r.jsxs)(n.p,{children:["Ensure that the ",(0,r.jsx)(n.code,{children:"--encryption-provider-config"})," argument is set as appropriate."]}),"\n",(0,r.jsxs)(s,{children:[(0,r.jsxs)(n.p,{children:[(0,r.jsx)("summary",{children:"Rationale"}),"\n",(0,r.jsx)(n.code,{children:"etcd"})," is a highly available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted at rest to avoid any disclosures."]}),(0,r.jsxs)(n.p,{children:["Detailed steps on how to configure secrets encryption in K3s are available in ",(0,r.jsx)(n.a,{href:"/kr/security/secrets-encryption",children:"Secrets Encryption"}),"."]})]}),"\n",(0,r.jsx)(n.h3,{id:"control-1234",children:"Control 1.2.34"}),"\n",(0,r.jsx)(n.p,{children:"Ensure that encryption providers are appropriately configured."}),"\n",(0,r.jsxs)(s,{children:[(0,r.jsxs)(n.p,{children:[(0,r.jsx)("summary",{children:"Rationale"}),"\nWhere ",(0,r.jsx)(n.code,{children:"etcd"})," encryption is used, it is important to ensure that the appropriate set of encryption providers is used. Currently, the ",(0,r.jsx)(n.code,{children:"aescbc"}),", ",(0,r.jsx)(n.code,{children:"kms"})," and ",(0,r.jsx)(n.code,{children:"secretbox"})," are likely to be appropriate options."]}),(0,r.jsxs)(n.p,{children:["This can be remediated by passing a valid configuration to ",(0,r.jsx)(n.code,{children:"k3s"})," as outlined above. Detailed steps on how to configure secrets encryption in K3s are available in ",(0,r.jsx)(n.a,{href:"/kr/security/secrets-encryption",children:"Secrets Encryption"}),"."]})]}),"\n",(0,r.jsx)(n.h3,{id:"control-131",children:"Control 1.3.1"}),"\n",(0,r.jsxs)(n.p,{children:["Ensure that the ",(0,r.jsx)(n.code,{children:"--terminated-pod-gc-threshold"})," argument is set as appropriate."]}),"\n",(0,r.jsxs)(s,{children:[(0,r.jsxs)(n.p,{children:[(0,r.jsx)("summary",{children:"Rationale"}),"\nGarbage collection is important to ensure sufficient resource availability and avoiding degraded performance and availability. In the worst case, the system might crash or just be unusable for a long period of time. The current setting for garbage collection is 12,500 terminated pods which might be too high for your system to sustain. Based on your system resources and tests, choose an appropriate threshold value to activate garbage collection."]}),(0,r.jsxs)(n.p,{children:["This can be remediated by passing this argument as a value to the ",(0,r.jsx)(n.code,{children:"--kube-apiserver-arg="})," argument to ",(0,r.jsx)(n.code,{children:"k3s server"}),". An example can be found below."]})]}),"\n",(0,r.jsx)(n.h3,{id:"control-321",children:"Control 3.2.1"}),"\n",(0,r.jsx)(n.p,{children:"Ensure that a minimal audit policy is created."}),"\n",(0,r.jsxs)(s,{children:[(0,r.jsxs)(n.p,{children:[(0,r.jsx)("summary",{children:"Rationale"}),"\nLogging is an important detective control for all systems, to detect potential unauthorized access."]}),(0,r.jsx)(n.p,{children:"This can be remediated by passing controls 1.2.22 - 1.2.25 and verifying their efficacy."})]}),"\n",(0,r.jsx)(n.h3,{id:"control-427",children:"Control 4.2.7"}),"\n",(0,r.jsxs)(n.p,{children:["Ensure that the ",(0,r.jsx)(n.code,{children:"--make-iptables-util-chains"})," argument is set to true."]}),"\n",(0,r.jsxs)(s,{children:[(0,r.jsxs)(n.p,{children:[(0,r.jsx)("summary",{children:"Rationale"}),"\nKubelets can automatically manage the required changes to iptables based on how you choose your networking options for the pods. It is recommended to let kubelets manage the changes to iptables. This ensures that the iptables configuration remains in sync with pods networking configuration. Manually configuring iptables with dynamic pod network configuration changes might hamper the communication between pods/containers and to the outside world. You might have iptables rules too restrictive or too open."]}),(0,r.jsxs)(n.p,{children:["This can be remediated by passing this argument as a value to the ",(0,r.jsx)(n.code,{children:"--kube-apiserver-arg="})," argument to ",(0,r.jsx)(n.code,{children:"k3s server"}),". An example can be found below."]})]}),"\n",(0,r.jsx)(n.h3,{id:"control-515",children:"Control 5.1.5"}),"\n",(0,r.jsx)(n.p,{children:"Ensure that default service accounts are not actively used"}),"\n",(0,r.jsxs)(s,{children:[(0,r.jsxs)(n.p,{children:[(0,r.jsx)("summary",{children:"Rationale"}),"\nKubernetes provides a ",(0,r.jsx)(n.code,{children:"default"})," service account which is used by cluster workloads where no specific service account is assigned to the pod."]}),(0,r.jsx)(n.p,{children:"Where access to the Kubernetes API from a pod is required, a specific service account should be created for that pod, and rights granted to that service account."}),(0,r.jsx)(n.p,{children:"The default service account should be configured such that it does not provide a service account token and does not have any explicit rights assignments."}),(0,r.jsxs)(n.p,{children:["This can be remediated by updating the ",(0,r.jsx)(n.code,{children:"automountServiceAccountToken"})," field to ",(0,r.jsx)(n.code,{children:"false"})," for the ",(0,r.jsx)(n.code,{children:"default"})," service account in each namespace."]}),(0,r.jsxs)(n.p,{children:["For ",(0,r.jsx)(n.code,{children:"default"})," service accounts in the built-in namespaces (",(0,r.jsx)(n.code,{children:"kube-system"}),", ",(0,r.jsx)(n.code,{children:"kube-public"}),", ",(0,r.jsx)(n.code,{children:"kube-node-lease"}),", and ",(0,r.jsx)(n.code,{children:"default"}),"), K3s does not automatically do this. You can manually update this field on these service accounts to pass the control."]})]}),"\n",(0,r.jsx)(n.h2,{id:"conclusion",children:"Conclusion"}),"\n",(0,r.jsxs)(n.p,{children:["If you have followed this guide, your K3s cluster will be configured to comply with the CIS Kubernetes Benchmark. You can review the ",(0,r.jsx)(n.a,{href:"/kr/security/self-assessment-1.23",children:"CIS Benchmark Self-Assessment Guide"})," to understand the expectations of each of the benchmark's checks and how you can do the same on your cluster."]})]})}function u(e={}){const{wrapper:n}={...(0,t.a)(),...e.components};return n?(0,r.jsx)(n,{...e,children:(0,r.jsx)(d,{...e})}):d(e)}function h(e,n){throw new Error("Expected "+(n?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,n,s)=>{s.d(n,{Z:()=>o,a:()=>a});var r=s(7294);const t={},i=r.createContext(t);function a(e){const n=r.useContext(i);return r.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function o(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:a(e.components),r.createElement(i.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/1a0c5791.a58bbcc5.js b/kr/assets/js/1a0c5791.a58bbcc5.js deleted file mode 100644 index da850333b..000000000 --- a/kr/assets/js/1a0c5791.a58bbcc5.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[482],{5319:(e,s,t)=>{t.r(s),t.d(s,{assets:()=>a,contentTitle:()=>c,default:()=>d,frontMatter:()=>o,metadata:()=>i,toc:()=>u});var n=t(5893),r=t(1151);const o={},c=void 0,i={id:"security/self-assessment-1.7",title:"self-assessment-1.7",description:"\uc774 \ud398\uc774\uc9c0\ub294 \ubc88\uc5ed\ub418\uc9c0 \uc54a\uc558\uc2b5\ub2c8\ub2e4",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/security/self-assessment-1.7.md",sourceDirName:"security",slug:"/security/self-assessment-1.7",permalink:"/kr/security/self-assessment-1.7",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/security/self-assessment-1.7.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{},sidebar:"mySidebar",previous:{title:"self-assessment-1.8",permalink:"/kr/security/self-assessment-1.8"},next:{title:"self-assessment-1.24",permalink:"/kr/security/self-assessment-1.24"}},a={},u=[];function l(e){const s={p:"p",...(0,r.a)(),...e.components};return(0,n.jsx)(s.p,{children:"\uc774 \ud398\uc774\uc9c0\ub294 \ubc88\uc5ed\ub418\uc9c0 \uc54a\uc558\uc2b5\ub2c8\ub2e4"})}function d(e={}){const{wrapper:s}={...(0,r.a)(),...e.components};return s?(0,n.jsx)(s,{...e,children:(0,n.jsx)(l,{...e})}):l(e)}},1151:(e,s,t)=>{t.d(s,{Z:()=>i,a:()=>c});var n=t(7294);const r={},o=n.createContext(r);function c(e){const s=n.useContext(o);return n.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function i(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:c(e.components),n.createElement(o.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/1a0c5791.d6e14a35.js b/kr/assets/js/1a0c5791.d6e14a35.js new file mode 100644 index 000000000..e4ae66528 --- /dev/null +++ b/kr/assets/js/1a0c5791.d6e14a35.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[482],{5319:(e,s,t)=>{t.r(s),t.d(s,{assets:()=>a,contentTitle:()=>c,default:()=>d,frontMatter:()=>o,metadata:()=>i,toc:()=>u});var n=t(5893),r=t(1151);const o={},c=void 0,i={id:"security/self-assessment-1.7",title:"self-assessment-1.7",description:"\uc774 \ud398\uc774\uc9c0\ub294 \ubc88\uc5ed\ub418\uc9c0 \uc54a\uc558\uc2b5\ub2c8\ub2e4",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/security/self-assessment-1.7.md",sourceDirName:"security",slug:"/security/self-assessment-1.7",permalink:"/kr/security/self-assessment-1.7",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/security/self-assessment-1.7.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{},sidebar:"mySidebar",previous:{title:"self-assessment-1.8",permalink:"/kr/security/self-assessment-1.8"},next:{title:"self-assessment-1.24",permalink:"/kr/security/self-assessment-1.24"}},a={},u=[];function l(e){const s={p:"p",...(0,r.a)(),...e.components};return(0,n.jsx)(s.p,{children:"\uc774 \ud398\uc774\uc9c0\ub294 \ubc88\uc5ed\ub418\uc9c0 \uc54a\uc558\uc2b5\ub2c8\ub2e4"})}function d(e={}){const{wrapper:s}={...(0,r.a)(),...e.components};return s?(0,n.jsx)(s,{...e,children:(0,n.jsx)(l,{...e})}):l(e)}},1151:(e,s,t)=>{t.d(s,{Z:()=>i,a:()=>c});var n=t(7294);const r={},o=n.createContext(r);function c(e){const s=n.useContext(o);return n.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function i(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:c(e.components),n.createElement(o.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/1a4e3797.4376c566.js b/kr/assets/js/1a4e3797.7f3d6643.js similarity index 98% rename from assets/js/1a4e3797.4376c566.js rename to kr/assets/js/1a4e3797.7f3d6643.js index 283f18783..880a1133e 100644 --- a/assets/js/1a4e3797.4376c566.js +++ b/kr/assets/js/1a4e3797.7f3d6643.js @@ -1 +1 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7920],{2027:(e,t,r)=>{r.r(t),r.d(t,{default:()=>$});var s=r(7294),a=r(2263),n=r(2315),c=r(5742),l=r(3692),o=r(5999);const u=["zero","one","two","few","many","other"];function h(e){return u.filter((t=>e.includes(t)))}const i={locale:"en",pluralForms:h(["one","other"]),select:e=>1===e?"one":"other"};function m(){const{i18n:{currentLocale:e}}=(0,a.Z)();return(0,s.useMemo)((()=>{try{return function(e){const t=new Intl.PluralRules(e);return{locale:e,pluralForms:h(t.resolvedOptions().pluralCategories),select:e=>t.select(e)}}(e)}catch(t){return console.error(`Failed to use Intl.PluralRules for locale "${e}".\nDocusaurus will fallback to the default (English) implementation.\nError: ${t.message}\n`),i}}),[e])}function d(){const e=m();return{selectMessage:(t,r)=>function(e,t,r){const s=e.split("|");if(1===s.length)return s[0];s.length>r.pluralForms.length&&console.error(`For locale=${r.locale}, a maximum of ${r.pluralForms.length} plural forms are expected (${r.pluralForms.join(",")}), but the message contains ${s.length}: ${e}`);const a=r.select(t),n=r.pluralForms.indexOf(a);return s[Math.min(n,s.length-1)]}(r,t,e)}}var p=r(1728),g=r(6550),x=r(2389),f=r(1029);const y=function(){const e=(0,x.Z)(),t=(0,g.k6)(),r=(0,g.TH)(),{siteConfig:{baseUrl:s}}=(0,a.Z)(),n=e?new URLSearchParams(r.search):null,c=n?.get("q")||"",l=n?.get("ctx")||"",o=n?.get("version")||"",u=e=>{const t=new URLSearchParams(r.search);return e?t.set("q",e):t.delete("q"),t};return{searchValue:c,searchContext:l&&Array.isArray(f.Kc)&&f.Kc.some((e=>"string"==typeof e?e===l:e.path===l))?l:"",searchVersion:o,updateSearchPath:e=>{const r=u(e);t.replace({search:r.toString()})},updateSearchContext:e=>{const s=new URLSearchParams(r.search);s.set("ctx",e),t.replace({search:s.toString()})},generateSearchPageLink:e=>{const t=u(e);return`${s}search?${t.toString()}`}}};var C=r(22),S=r(8202),j=r(3545),I=r(2539),v=r(726),w=r(1073),P=r(311),_=r(3926);const R={searchContextInput:"searchContextInput_mXoe",searchQueryInput:"searchQueryInput_CFBF",searchResultItem:"searchResultItem_U687",searchResultItemPath:"searchResultItemPath_uIbk",searchResultItemSummary:"searchResultItemSummary_oZHr",searchQueryColumn:"searchQueryColumn_q7nx",searchContextColumn:"searchContextColumn_oWAF"};var b=r(51),F=r(5893);function A(){const{siteConfig:{baseUrl:e},i18n:{currentLocale:t}}=(0,a.Z)(),{selectMessage:r}=d(),{searchValue:n,searchContext:l,searchVersion:u,updateSearchPath:h,updateSearchContext:i}=y(),[m,g]=(0,s.useState)(n),[x,j]=(0,s.useState)(),[I,v]=(0,s.useState)(),w=`${e}${u}`,_=(0,s.useMemo)((()=>m?(0,o.I)({id:"theme.SearchPage.existingResultsTitle",message:'Search results for "{query}"',description:"The search page title for non-empty query"},{query:m}):(0,o.I)({id:"theme.SearchPage.emptyResultsTitle",message:"Search the documentation",description:"The search page title for empty query"})),[m]);(0,s.useEffect)((()=>{h(m),x&&(m?x(m,(e=>{v(e)})):v(void 0))}),[m,x]);const A=(0,s.useCallback)((e=>{g(e.target.value)}),[]);return(0,s.useEffect)((()=>{n&&n!==m&&g(n)}),[n]),(0,s.useEffect)((()=>{!async function(){const{wrappedIndexes:e,zhDictionary:t}=!Array.isArray(f.Kc)||l||f.pQ?await(0,C.w)(w,l):{wrappedIndexes:[],zhDictionary:[]};j((()=>(0,S.v)(e,t,100)))}()}),[l,w]),(0,F.jsxs)(s.Fragment,{children:[(0,F.jsxs)(c.Z,{children:[(0,F.jsx)("meta",{property:"robots",content:"noindex, follow"}),(0,F.jsx)("title",{children:_})]}),(0,F.jsxs)("div",{className:"container margin-vert--lg",children:[(0,F.jsx)("h1",{children:_}),(0,F.jsxs)("div",{className:"row",children:[(0,F.jsx)("div",{className:(0,p.Z)("col",{[R.searchQueryColumn]:Array.isArray(f.Kc),"col--9":Array.isArray(f.Kc),"col--12":!Array.isArray(f.Kc)}),children:(0,F.jsx)("input",{type:"search",name:"q",className:R.searchQueryInput,"aria-label":"Search",onChange:A,value:m,autoComplete:"off",autoFocus:!0})}),Array.isArray(f.Kc)?(0,F.jsx)("div",{className:(0,p.Z)("col","col--3","padding-left--none",R.searchContextColumn),children:(0,F.jsxs)("select",{name:"search-context",className:R.searchContextInput,id:"context-selector",value:l,onChange:e=>i(e.target.value),children:[f.pQ&&(0,F.jsx)("option",{value:"",children:(0,o.I)({id:"theme.SearchPage.searchContext.everywhere",message:"Everywhere"})}),f.Kc.map((e=>{const{label:r,path:s}=(0,b._)(e,t);return(0,F.jsx)("option",{value:s,children:r},s)}))]})}):null]}),!x&&m&&(0,F.jsx)("div",{children:(0,F.jsx)(P.Z,{})}),I&&(I.length>0?(0,F.jsx)("p",{children:r(I.length,(0,o.I)({id:"theme.SearchPage.documentsFound.plurals",message:"1 document found|{count} documents found",description:'Pluralized label for "{count} documents found". Use as much plural forms (separated by "|") as your language support (see https://www.unicode.org/cldr/cldr-aux/charts/34/supplemental/language_plural_rules.html)'},{count:I.length}))}):(0,F.jsx)("p",{children:(0,o.I)({id:"theme.SearchPage.noResultsText",message:"No documents were found",description:"The paragraph for empty search result"})})),(0,F.jsx)("section",{children:I&&I.map((e=>(0,F.jsx)(k,{searchResult:e},e.document.i)))})]})]})}function k(e){let{searchResult:{document:t,type:r,page:s,tokens:a,metadata:n}}=e;const c=r===j.P.Title,o=r===j.P.Keywords,u=r===j.P.Description,h=u||o,i=c||h,m=r===j.P.Content,d=(c?t.b:s.b).slice(),p=m||h?t.s:t.t;i||d.push(s.t);let g="";if(f.vc&&a.length>0){const e=new URLSearchParams;for(const t of a)e.append("_highlight",t);g=`?${e.toString()}`}return(0,F.jsxs)("article",{className:R.searchResultItem,children:[(0,F.jsx)("h2",{children:(0,F.jsx)(l.Z,{to:t.u+g+(t.h||""),dangerouslySetInnerHTML:{__html:m||h?(0,I.C)(p,a):(0,v.o)(p,(0,w.m)(n,"t"),a,100)}})}),d.length>0&&(0,F.jsx)("p",{className:R.searchResultItemPath,children:(0,_.e)(d)}),(m||u)&&(0,F.jsx)("p",{className:R.searchResultItemSummary,dangerouslySetInnerHTML:{__html:(0,v.o)(t.t,(0,w.m)(n,"t"),a,100)}})]})}const $=function(){return(0,F.jsx)(n.Z,{children:(0,F.jsx)(A,{})})}}}]); \ No newline at end of file +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7920],{2027:(e,t,r)=>{r.r(t),r.d(t,{default:()=>$});var s=r(7294),a=r(2263),n=r(8947),c=r(5742),l=r(3692),o=r(5999);const u=["zero","one","two","few","many","other"];function h(e){return u.filter((t=>e.includes(t)))}const i={locale:"en",pluralForms:h(["one","other"]),select:e=>1===e?"one":"other"};function m(){const{i18n:{currentLocale:e}}=(0,a.Z)();return(0,s.useMemo)((()=>{try{return function(e){const t=new Intl.PluralRules(e);return{locale:e,pluralForms:h(t.resolvedOptions().pluralCategories),select:e=>t.select(e)}}(e)}catch(t){return console.error(`Failed to use Intl.PluralRules for locale "${e}".\nDocusaurus will fallback to the default (English) implementation.\nError: ${t.message}\n`),i}}),[e])}function d(){const e=m();return{selectMessage:(t,r)=>function(e,t,r){const s=e.split("|");if(1===s.length)return s[0];s.length>r.pluralForms.length&&console.error(`For locale=${r.locale}, a maximum of ${r.pluralForms.length} plural forms are expected (${r.pluralForms.join(",")}), but the message contains ${s.length}: ${e}`);const a=r.select(t),n=r.pluralForms.indexOf(a);return s[Math.min(n,s.length-1)]}(r,t,e)}}var p=r(1728),g=r(6550),x=r(2389),f=r(1029);const y=function(){const e=(0,x.Z)(),t=(0,g.k6)(),r=(0,g.TH)(),{siteConfig:{baseUrl:s}}=(0,a.Z)(),n=e?new URLSearchParams(r.search):null,c=n?.get("q")||"",l=n?.get("ctx")||"",o=n?.get("version")||"",u=e=>{const t=new URLSearchParams(r.search);return e?t.set("q",e):t.delete("q"),t};return{searchValue:c,searchContext:l&&Array.isArray(f.Kc)&&f.Kc.some((e=>"string"==typeof e?e===l:e.path===l))?l:"",searchVersion:o,updateSearchPath:e=>{const r=u(e);t.replace({search:r.toString()})},updateSearchContext:e=>{const s=new URLSearchParams(r.search);s.set("ctx",e),t.replace({search:s.toString()})},generateSearchPageLink:e=>{const t=u(e);return`${s}search?${t.toString()}`}}};var C=r(22),S=r(8202),j=r(3545),I=r(2539),v=r(726),w=r(1073),P=r(311),_=r(3926);const R={searchContextInput:"searchContextInput_mXoe",searchQueryInput:"searchQueryInput_CFBF",searchResultItem:"searchResultItem_U687",searchResultItemPath:"searchResultItemPath_uIbk",searchResultItemSummary:"searchResultItemSummary_oZHr",searchQueryColumn:"searchQueryColumn_q7nx",searchContextColumn:"searchContextColumn_oWAF"};var b=r(51),F=r(5893);function A(){const{siteConfig:{baseUrl:e},i18n:{currentLocale:t}}=(0,a.Z)(),{selectMessage:r}=d(),{searchValue:n,searchContext:l,searchVersion:u,updateSearchPath:h,updateSearchContext:i}=y(),[m,g]=(0,s.useState)(n),[x,j]=(0,s.useState)(),[I,v]=(0,s.useState)(),w=`${e}${u}`,_=(0,s.useMemo)((()=>m?(0,o.I)({id:"theme.SearchPage.existingResultsTitle",message:'Search results for "{query}"',description:"The search page title for non-empty query"},{query:m}):(0,o.I)({id:"theme.SearchPage.emptyResultsTitle",message:"Search the documentation",description:"The search page title for empty query"})),[m]);(0,s.useEffect)((()=>{h(m),x&&(m?x(m,(e=>{v(e)})):v(void 0))}),[m,x]);const A=(0,s.useCallback)((e=>{g(e.target.value)}),[]);return(0,s.useEffect)((()=>{n&&n!==m&&g(n)}),[n]),(0,s.useEffect)((()=>{!async function(){const{wrappedIndexes:e,zhDictionary:t}=!Array.isArray(f.Kc)||l||f.pQ?await(0,C.w)(w,l):{wrappedIndexes:[],zhDictionary:[]};j((()=>(0,S.v)(e,t,100)))}()}),[l,w]),(0,F.jsxs)(s.Fragment,{children:[(0,F.jsxs)(c.Z,{children:[(0,F.jsx)("meta",{property:"robots",content:"noindex, follow"}),(0,F.jsx)("title",{children:_})]}),(0,F.jsxs)("div",{className:"container margin-vert--lg",children:[(0,F.jsx)("h1",{children:_}),(0,F.jsxs)("div",{className:"row",children:[(0,F.jsx)("div",{className:(0,p.Z)("col",{[R.searchQueryColumn]:Array.isArray(f.Kc),"col--9":Array.isArray(f.Kc),"col--12":!Array.isArray(f.Kc)}),children:(0,F.jsx)("input",{type:"search",name:"q",className:R.searchQueryInput,"aria-label":"Search",onChange:A,value:m,autoComplete:"off",autoFocus:!0})}),Array.isArray(f.Kc)?(0,F.jsx)("div",{className:(0,p.Z)("col","col--3","padding-left--none",R.searchContextColumn),children:(0,F.jsxs)("select",{name:"search-context",className:R.searchContextInput,id:"context-selector",value:l,onChange:e=>i(e.target.value),children:[f.pQ&&(0,F.jsx)("option",{value:"",children:(0,o.I)({id:"theme.SearchPage.searchContext.everywhere",message:"Everywhere"})}),f.Kc.map((e=>{const{label:r,path:s}=(0,b._)(e,t);return(0,F.jsx)("option",{value:s,children:r},s)}))]})}):null]}),!x&&m&&(0,F.jsx)("div",{children:(0,F.jsx)(P.Z,{})}),I&&(I.length>0?(0,F.jsx)("p",{children:r(I.length,(0,o.I)({id:"theme.SearchPage.documentsFound.plurals",message:"1 document found|{count} documents found",description:'Pluralized label for "{count} documents found". Use as much plural forms (separated by "|") as your language support (see https://www.unicode.org/cldr/cldr-aux/charts/34/supplemental/language_plural_rules.html)'},{count:I.length}))}):(0,F.jsx)("p",{children:(0,o.I)({id:"theme.SearchPage.noResultsText",message:"No documents were found",description:"The paragraph for empty search result"})})),(0,F.jsx)("section",{children:I&&I.map((e=>(0,F.jsx)(k,{searchResult:e},e.document.i)))})]})]})}function k(e){let{searchResult:{document:t,type:r,page:s,tokens:a,metadata:n}}=e;const c=r===j.P.Title,o=r===j.P.Keywords,u=r===j.P.Description,h=u||o,i=c||h,m=r===j.P.Content,d=(c?t.b:s.b).slice(),p=m||h?t.s:t.t;i||d.push(s.t);let g="";if(f.vc&&a.length>0){const e=new URLSearchParams;for(const t of a)e.append("_highlight",t);g=`?${e.toString()}`}return(0,F.jsxs)("article",{className:R.searchResultItem,children:[(0,F.jsx)("h2",{children:(0,F.jsx)(l.Z,{to:t.u+g+(t.h||""),dangerouslySetInnerHTML:{__html:m||h?(0,I.C)(p,a):(0,v.o)(p,(0,w.m)(n,"t"),a,100)}})}),d.length>0&&(0,F.jsx)("p",{className:R.searchResultItemPath,children:(0,_.e)(d)}),(m||u)&&(0,F.jsx)("p",{className:R.searchResultItemSummary,dangerouslySetInnerHTML:{__html:(0,v.o)(t.t,(0,w.m)(n,"t"),a,100)}})]})}const $=function(){return(0,F.jsx)(n.Z,{children:(0,F.jsx)(A,{})})}}}]); \ No newline at end of file diff --git a/kr/assets/js/1aef17e6.3c429484.js b/kr/assets/js/1aef17e6.3c429484.js new file mode 100644 index 000000000..9687476b3 --- /dev/null +++ b/kr/assets/js/1aef17e6.3c429484.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[9169],{8761:(e,t,n)=>{n.r(t),n.d(t,{assets:()=>u,contentTitle:()=>c,default:()=>l,frontMatter:()=>i,metadata:()=>o,toc:()=>a});var s=n(5893),r=n(1151);const i={title:"\ubcf4\uc548"},c=void 0,o={id:"security/security",title:"\ubcf4\uc548",description:"\uc774 \uc139\uc158\uc5d0\uc11c\ub294 K3s \ud074\ub7ec\uc2a4\ud130\ub97c \ubcf4\ud638\ud558\ub294 \ubc29\ubc95\ub860\uacfc \uc218\ub2e8\uc5d0 \ub300\ud574 \uc124\uba85\ud569\ub2c8\ub2e4. \ub450 \uc139\uc158\uc73c\ub85c \ub098\ub258\uc5b4\uc838 \uc788\uc2b5\ub2c8\ub2e4. \uc774 \uac00\uc774\ub4dc\ub294 K3s\uac00 \uc784\ubca0\ub514\ub4dc etcd\ub85c \uc2e4\ud589\ub418\uace0 \uc788\ub2e4\uace0 \uac00\uc815\ud569\ub2c8\ub2e4.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/security/security.md",sourceDirName:"security",slug:"/security/",permalink:"/kr/security/",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/security/security.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"\ubcf4\uc548"},sidebar:"mySidebar",previous:{title:"Automated Upgrades",permalink:"/kr/upgrades/automated"},next:{title:"Secrets Encryption",permalink:"/kr/security/secrets-encryption"}},u={},a=[];function d(e){const t={a:"a",li:"li",p:"p",ul:"ul",...(0,r.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(t.p,{children:"\uc774 \uc139\uc158\uc5d0\uc11c\ub294 K3s \ud074\ub7ec\uc2a4\ud130\ub97c \ubcf4\ud638\ud558\ub294 \ubc29\ubc95\ub860\uacfc \uc218\ub2e8\uc5d0 \ub300\ud574 \uc124\uba85\ud569\ub2c8\ub2e4. \ub450 \uc139\uc158\uc73c\ub85c \ub098\ub258\uc5b4\uc838 \uc788\uc2b5\ub2c8\ub2e4. \uc774 \uac00\uc774\ub4dc\ub294 K3s\uac00 \uc784\ubca0\ub514\ub4dc etcd\ub85c \uc2e4\ud589\ub418\uace0 \uc788\ub2e4\uace0 \uac00\uc815\ud569\ub2c8\ub2e4."}),"\n",(0,s.jsx)(t.p,{children:"\uc544\ub798 \ubb38\uc11c\ub294 CIS \ucfe0\ubc84\ub124\ud2f0\uc2a4 \ubca4\uce58\ub9c8\ud06c v1.23\uc5d0 \uc801\uc6a9\ub429\ub2c8\ub2e4."}),"\n",(0,s.jsxs)(t.ul,{children:["\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.a,{href:"/kr/security/hardening-guide",children:"\uac15\ud654 \uac00\uc774\ub4dc"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.a,{href:"/kr/security/self-assessment-1.23",children:"CIS \ubca4\uce58\ub9c8\ud06c \uc790\uccb4 \ud3c9\uac00 \uac00\uc774\ub4dc"})}),"\n"]})]})}function l(e={}){const{wrapper:t}={...(0,r.a)(),...e.components};return t?(0,s.jsx)(t,{...e,children:(0,s.jsx)(d,{...e})}):d(e)}},1151:(e,t,n)=>{n.d(t,{Z:()=>o,a:()=>c});var s=n(7294);const r={},i=s.createContext(r);function c(e){const t=s.useContext(i);return s.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function o(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:c(e.components),s.createElement(i.Provider,{value:t},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/1aef17e6.f6995567.js b/kr/assets/js/1aef17e6.f6995567.js deleted file mode 100644 index a78cd6c47..000000000 --- a/kr/assets/js/1aef17e6.f6995567.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[9169],{8761:(e,t,n)=>{n.r(t),n.d(t,{assets:()=>u,contentTitle:()=>c,default:()=>l,frontMatter:()=>i,metadata:()=>o,toc:()=>a});var s=n(5893),r=n(1151);const i={title:"\ubcf4\uc548"},c=void 0,o={id:"security/security",title:"\ubcf4\uc548",description:"\uc774 \uc139\uc158\uc5d0\uc11c\ub294 K3s \ud074\ub7ec\uc2a4\ud130\ub97c \ubcf4\ud638\ud558\ub294 \ubc29\ubc95\ub860\uacfc \uc218\ub2e8\uc5d0 \ub300\ud574 \uc124\uba85\ud569\ub2c8\ub2e4. \ub450 \uc139\uc158\uc73c\ub85c \ub098\ub258\uc5b4\uc838 \uc788\uc2b5\ub2c8\ub2e4. \uc774 \uac00\uc774\ub4dc\ub294 K3s\uac00 \uc784\ubca0\ub514\ub4dc etcd\ub85c \uc2e4\ud589\ub418\uace0 \uc788\ub2e4\uace0 \uac00\uc815\ud569\ub2c8\ub2e4.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/security/security.md",sourceDirName:"security",slug:"/security/",permalink:"/kr/security/",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/security/security.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"\ubcf4\uc548"},sidebar:"mySidebar",previous:{title:"Automated Upgrades",permalink:"/kr/upgrades/automated"},next:{title:"Secrets Encryption",permalink:"/kr/security/secrets-encryption"}},u={},a=[];function d(e){const t={a:"a",li:"li",p:"p",ul:"ul",...(0,r.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(t.p,{children:"\uc774 \uc139\uc158\uc5d0\uc11c\ub294 K3s \ud074\ub7ec\uc2a4\ud130\ub97c \ubcf4\ud638\ud558\ub294 \ubc29\ubc95\ub860\uacfc \uc218\ub2e8\uc5d0 \ub300\ud574 \uc124\uba85\ud569\ub2c8\ub2e4. \ub450 \uc139\uc158\uc73c\ub85c \ub098\ub258\uc5b4\uc838 \uc788\uc2b5\ub2c8\ub2e4. \uc774 \uac00\uc774\ub4dc\ub294 K3s\uac00 \uc784\ubca0\ub514\ub4dc etcd\ub85c \uc2e4\ud589\ub418\uace0 \uc788\ub2e4\uace0 \uac00\uc815\ud569\ub2c8\ub2e4."}),"\n",(0,s.jsx)(t.p,{children:"\uc544\ub798 \ubb38\uc11c\ub294 CIS \ucfe0\ubc84\ub124\ud2f0\uc2a4 \ubca4\uce58\ub9c8\ud06c v1.23\uc5d0 \uc801\uc6a9\ub429\ub2c8\ub2e4."}),"\n",(0,s.jsxs)(t.ul,{children:["\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.a,{href:"/kr/security/hardening-guide",children:"\uac15\ud654 \uac00\uc774\ub4dc"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.a,{href:"/kr/security/self-assessment-1.23",children:"CIS \ubca4\uce58\ub9c8\ud06c \uc790\uccb4 \ud3c9\uac00 \uac00\uc774\ub4dc"})}),"\n"]})]})}function l(e={}){const{wrapper:t}={...(0,r.a)(),...e.components};return t?(0,s.jsx)(t,{...e,children:(0,s.jsx)(d,{...e})}):d(e)}},1151:(e,t,n)=>{n.d(t,{Z:()=>o,a:()=>c});var s=n(7294);const r={},i=s.createContext(r);function c(e){const t=s.useContext(i);return s.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function o(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:c(e.components),s.createElement(i.Provider,{value:t},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/1fbd281a.95cd42bf.js b/kr/assets/js/1fbd281a.95cd42bf.js new file mode 100644 index 000000000..233ce5c2f --- /dev/null +++ b/kr/assets/js/1fbd281a.95cd42bf.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[3229],{8803:(e,n,i)=>{i.r(n),i.d(n,{assets:()=>l,contentTitle:()=>o,default:()=>h,frontMatter:()=>a,metadata:()=>r,toc:()=>c});var s=i(5893),t=i(1151);const a={title:"Configuration Options"},o=void 0,r={id:"installation/configuration",title:"Configuration Options",description:"This page focuses on the options that are commonly used when setting up K3s for the first time. Refer to the documentation on Advanced Options and Configuration and the server and agent command documentation for more in-depth coverage.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/installation/configuration.md",sourceDirName:"installation",slug:"/installation/configuration",permalink:"/kr/installation/configuration",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/configuration.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Configuration Options"},sidebar:"mySidebar",previous:{title:"Requirements",permalink:"/kr/installation/requirements"},next:{title:"Private Registry Configuration",permalink:"/kr/installation/private-registry"}},l={},c=[{value:"Configuration with install script",id:"configuration-with-install-script",level:2},{value:"Configuration with binary",id:"configuration-with-binary",level:2},{value:"Configuration File",id:"configuration-file",level:2},{value:"Multiple Config Files",id:"multiple-config-files",level:3},{value:"Putting it all together",id:"putting-it-all-together",level:2}];function d(e){const n={a:"a",admonition:"admonition",br:"br",code:"code",h2:"h2",h3:"h3",li:"li",p:"p",pre:"pre",ul:"ul",...(0,t.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsxs)(n.p,{children:["This page focuses on the options that are commonly used when setting up K3s for the first time. Refer to the documentation on ",(0,s.jsx)(n.a,{href:"/kr/advanced",children:"Advanced Options and Configuration"})," and the ",(0,s.jsx)(n.a,{href:"/kr/cli/server",children:"server"})," and ",(0,s.jsx)(n.a,{href:"/kr/cli/agent",children:"agent"})," command documentation for more in-depth coverage."]}),"\n",(0,s.jsx)(n.h2,{id:"configuration-with-install-script",children:"Configuration with install script"}),"\n",(0,s.jsxs)(n.p,{children:["As mentioned in the ",(0,s.jsx)(n.a,{href:"/kr/quick-start",children:"Quick-Start Guide"}),", you can use the installation script available at ",(0,s.jsx)(n.a,{href:"https://get.k3s.io",children:"https://get.k3s.io"})," to install K3s as a service on systemd and openrc based systems."]}),"\n",(0,s.jsxs)(n.p,{children:["You can use a combination of ",(0,s.jsx)(n.code,{children:"INSTALL_K3S_EXEC"}),", ",(0,s.jsx)(n.code,{children:"K3S_"})," environment variables, and command flags to pass configuration to the service configuration.\nThe prefixed environment variables, ",(0,s.jsx)(n.code,{children:"INSTALL_K3S_EXEC"})," value, and trailing shell arguments are all persisted into the service configuration.\nAfter installation, configuration may be altered by editing the environment file, editing the service configuration, or simply re-running the installer with new options."]}),"\n",(0,s.jsx)(n.p,{children:"To illustrate this, the following commands all result in the same behavior of registering a server without flannel and with a token:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="server" sh -s - --flannel-backend none --token 12345\ncurl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="server --flannel-backend none" K3S_TOKEN=12345 sh -s -\ncurl -sfL https://get.k3s.io | K3S_TOKEN=12345 sh -s - server --flannel-backend none\n# server is assumed below because there is no K3S_URL\ncurl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="--flannel-backend none --token 12345" sh -s - \ncurl -sfL https://get.k3s.io | sh -s - --flannel-backend none --token 12345\n'})}),"\n",(0,s.jsx)(n.p,{children:"When registering an agent, the following commands all result in the same behavior:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="agent --server https://k3s.example.com --token mypassword" sh -s -\ncurl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="agent" K3S_TOKEN="mypassword" sh -s - --server https://k3s.example.com\ncurl -sfL https://get.k3s.io | K3S_URL=https://k3s.example.com sh -s - agent --token mypassword\ncurl -sfL https://get.k3s.io | K3S_URL=https://k3s.example.com K3S_TOKEN=mypassword sh -s - # agent is assumed because of K3S_URL\n'})}),"\n",(0,s.jsxs)(n.p,{children:["For details on all environment variables, see ",(0,s.jsx)(n.a,{href:"/kr/reference/env-variables",children:"Environment Variables."})]}),"\n",(0,s.jsxs)(n.admonition,{title:"Note",type:"info",children:[(0,s.jsx)(n.p,{children:"If you set configuration when running the install script, but do not set it again when re-running the install script, the original values will be lost."}),(0,s.jsxs)(n.p,{children:["The contents of the ",(0,s.jsx)(n.a,{href:"#configuration-file",children:"configuration file"})," are not managed by the install script.\nIf you want your configuration to be independent from the install script, you should use a configuration file instead of passing environment variables or arguments to the install script."]})]}),"\n",(0,s.jsx)(n.h2,{id:"configuration-with-binary",children:"Configuration with binary"}),"\n",(0,s.jsxs)(n.p,{children:["As stated, the installation script is primarily concerned with configuring K3s to run as a service.",(0,s.jsx)(n.br,{}),"\n","If you choose to not use the script, you can run K3s simply by downloading the binary from our ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases/latest",children:"release page"}),", placing it on your path, and executing it. This is not particularly useful for permanent installations, but may be useful when performing quick tests that do not merit managing K3s as a system service."]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"curl -Lo /usr/local/bin/k3s https://github.com/k3s-io/k3s/releases/download/v1.26.5+k3s1/k3s; chmod a+x /usr/local/bin/k3s\n"})}),"\n",(0,s.jsxs)(n.p,{children:["You can pass configuration by setting ",(0,s.jsx)(n.code,{children:"K3S_"})," environment variables:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'K3S_KUBECONFIG_MODE="644" k3s server\n'})}),"\n",(0,s.jsx)(n.p,{children:"Or command flags:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"k3s server --write-kubeconfig-mode=644\n"})}),"\n",(0,s.jsx)(n.p,{children:"The k3s agent can also be configured this way:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"k3s agent --server https://k3s.example.com --token mypassword\n"})}),"\n",(0,s.jsxs)(n.p,{children:["For details on configuring the K3s server, see the ",(0,s.jsxs)(n.a,{href:"/kr/cli/server",children:[(0,s.jsx)(n.code,{children:"k3s server"})," documentation"]}),".",(0,s.jsx)(n.br,{}),"\n","For details on configuring the K3s agent, see the ",(0,s.jsxs)(n.a,{href:"/kr/cli/agent",children:[(0,s.jsx)(n.code,{children:"k3s agent"})," documentation"]}),".",(0,s.jsx)(n.br,{}),"\n","You can also use the ",(0,s.jsx)(n.code,{children:"--help"})," flag to see a list of all available options, and their corresponding environment variables."]}),"\n",(0,s.jsx)(n.admonition,{title:"Matching Flags",type:"info",children:(0,s.jsxs)(n.p,{children:["It is important to match critical flags on your server nodes. For example, if you use the flag\n",(0,s.jsx)(n.code,{children:"--disable servicelb"})," or ",(0,s.jsx)(n.code,{children:"--cluster-cidr=10.200.0.0/16"})," on your master node, but don't set it on other server nodes, the nodes will fail to join. They will print errors such as:\n",(0,s.jsx)(n.code,{children:"failed to validate server configuration: critical configuration value mismatch."}),"\nSee the Server Configuration documentation (linked above) for more information on which flags must be set identically on server nodes."]})}),"\n",(0,s.jsx)(n.h2,{id:"configuration-file",children:"Configuration File"}),"\n",(0,s.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,s.jsxs)(n.p,{children:["Available as of ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.19.1%2Bk3s1",children:"v1.19.1+k3s1"})]})}),"\n",(0,s.jsx)(n.p,{children:"In addition to configuring K3s with environment variables and CLI arguments, K3s can also use a config file."}),"\n",(0,s.jsxs)(n.p,{children:["By default, values present in a YAML file located at ",(0,s.jsx)(n.code,{children:"/etc/rancher/k3s/config.yaml"})," will be used on install."]}),"\n",(0,s.jsxs)(n.p,{children:["An example of a basic ",(0,s.jsx)(n.code,{children:"server"})," config file is below:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:'write-kubeconfig-mode: "0644"\ntls-san:\n - "foo.local"\nnode-label:\n - "foo=bar"\n - "something=amazing"\ncluster-init: true\n'})}),"\n",(0,s.jsx)(n.p,{children:"This is equivalent to the following CLI arguments:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'k3s server \\\n --write-kubeconfig-mode "0644" \\\n --tls-san "foo.local" \\\n --node-label "foo=bar" \\\n --node-label "something=amazing" \\\n --cluster-init\n'})}),"\n",(0,s.jsxs)(n.p,{children:["In general, CLI arguments map to their respective YAML key, with repeatable CLI arguments being represented as YAML lists. Boolean flags are represented as ",(0,s.jsx)(n.code,{children:"true"})," or ",(0,s.jsx)(n.code,{children:"false"})," in the YAML file."]}),"\n",(0,s.jsxs)(n.p,{children:["It is also possible to use both a configuration file and CLI arguments. In these situations, values will be loaded from both sources, but CLI arguments will take precedence. For repeatable arguments such as ",(0,s.jsx)(n.code,{children:"--node-label"}),", the CLI arguments will overwrite all values in the list."]}),"\n",(0,s.jsxs)(n.p,{children:["Finally, the location of the config file can be changed either through the CLI argument ",(0,s.jsx)(n.code,{children:"--config FILE, -c FILE"}),", or the environment variable ",(0,s.jsx)(n.code,{children:"$K3S_CONFIG_FILE"}),"."]}),"\n",(0,s.jsx)(n.h3,{id:"multiple-config-files",children:"Multiple Config Files"}),"\n",(0,s.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,s.jsxs)(n.p,{children:["Available as of ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.21.0%2Bk3s1",children:"v1.21.0+k3s1"})]})}),"\n",(0,s.jsxs)(n.p,{children:["Multiple configuration files are supported. By default, configuration files are read from ",(0,s.jsx)(n.code,{children:"/etc/rancher/k3s/config.yaml"})," and ",(0,s.jsx)(n.code,{children:"/etc/rancher/k3s/config.yaml.d/*.yaml"})," in alphabetical order."]}),"\n",(0,s.jsxs)(n.p,{children:["By default, the last value found for a given key will be used. A ",(0,s.jsx)(n.code,{children:"+"})," can be appended to the key to append the value to the existing string or slice, instead of replacing it. All occurrences of this key in subsequent files will also require a ",(0,s.jsx)(n.code,{children:"+"})," to prevent overwriting the accumulated value."]}),"\n",(0,s.jsx)(n.p,{children:"An example of multiple config files is below:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:"# config.yaml\ntoken: boop\nnode-label:\n - foo=bar\n - bar=baz\n\n\n# config.yaml.d/test1.yaml\nwrite-kubeconfig-mode: 600\nnode-taint:\n - alice=bob:NoExecute\n\n# config.yaml.d/test2.yaml\nwrite-kubeconfig-mode: 777\nnode-label:\n - other=what\n - foo=three\nnode-taint+:\n - charlie=delta:NoSchedule\n\n"})}),"\n",(0,s.jsx)(n.p,{children:"This results in a final configuration of:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:"write-kubeconfig-mode: 777\ntoken: boop\nnode-label:\n - other=what\n - foo=three\nnode-taint:\n - alice=bob:NoExecute\n - charlie=delta:NoSchedule\n"})}),"\n",(0,s.jsx)(n.h2,{id:"putting-it-all-together",children:"Putting it all together"}),"\n",(0,s.jsx)(n.p,{children:"All of the above options can be combined into a single example."}),"\n",(0,s.jsxs)(n.p,{children:["A ",(0,s.jsx)(n.code,{children:"config.yaml"})," file is created at ",(0,s.jsx)(n.code,{children:"/etc/rancher/k3s/config.yaml"}),":"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:'token: "secret"\ndebug: true\n'})}),"\n",(0,s.jsx)(n.p,{children:"Then the installation script is run with a combination of environment variables and flags:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'curl -sfL https://get.k3s.io | K3S_KUBECONFIG_MODE="644" INSTALL_K3S_EXEC="server" sh -s - --flannel-backend none\n'})}),"\n",(0,s.jsx)(n.p,{children:"Or if you have already installed the K3s Binary:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'K3S_KUBECONFIG_MODE="644" k3s server --flannel-backend none\n'})}),"\n",(0,s.jsx)(n.p,{children:"This results in a server with:"}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsxs)(n.li,{children:["A kubeconfig file with permissions ",(0,s.jsx)(n.code,{children:"644"})]}),"\n",(0,s.jsxs)(n.li,{children:["Flannel backend set to ",(0,s.jsx)(n.code,{children:"none"})]}),"\n",(0,s.jsxs)(n.li,{children:["The token set to ",(0,s.jsx)(n.code,{children:"secret"})]}),"\n",(0,s.jsx)(n.li,{children:"Debug logging enabled"}),"\n"]})]})}function h(e={}){const{wrapper:n}={...(0,t.a)(),...e.components};return n?(0,s.jsx)(n,{...e,children:(0,s.jsx)(d,{...e})}):d(e)}},1151:(e,n,i)=>{i.d(n,{Z:()=>r,a:()=>o});var s=i(7294);const t={},a=s.createContext(t);function o(e){const n=s.useContext(a);return s.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function r(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:o(e.components),s.createElement(a.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/1fbd281a.ad7c8e02.js b/kr/assets/js/1fbd281a.ad7c8e02.js deleted file mode 100644 index 64b2c2a3c..000000000 --- a/kr/assets/js/1fbd281a.ad7c8e02.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[3229],{8803:(e,n,i)=>{i.r(n),i.d(n,{assets:()=>l,contentTitle:()=>o,default:()=>h,frontMatter:()=>a,metadata:()=>r,toc:()=>c});var s=i(5893),t=i(1151);const a={title:"Configuration Options"},o=void 0,r={id:"installation/configuration",title:"Configuration Options",description:"This page focuses on the options that are commonly used when setting up K3s for the first time. Refer to the documentation on Advanced Options and Configuration and the server and agent command documentation for more in-depth coverage.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/installation/configuration.md",sourceDirName:"installation",slug:"/installation/configuration",permalink:"/kr/installation/configuration",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/configuration.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Configuration Options"},sidebar:"mySidebar",previous:{title:"Requirements",permalink:"/kr/installation/requirements"},next:{title:"Private Registry Configuration",permalink:"/kr/installation/private-registry"}},l={},c=[{value:"Configuration with install script",id:"configuration-with-install-script",level:2},{value:"Configuration with binary",id:"configuration-with-binary",level:2},{value:"Configuration File",id:"configuration-file",level:2},{value:"Multiple Config Files",id:"multiple-config-files",level:3},{value:"Putting it all together",id:"putting-it-all-together",level:2}];function d(e){const n={a:"a",admonition:"admonition",br:"br",code:"code",h2:"h2",h3:"h3",li:"li",p:"p",pre:"pre",ul:"ul",...(0,t.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsxs)(n.p,{children:["This page focuses on the options that are commonly used when setting up K3s for the first time. Refer to the documentation on ",(0,s.jsx)(n.a,{href:"/kr/advanced",children:"Advanced Options and Configuration"})," and the ",(0,s.jsx)(n.a,{href:"/kr/cli/server",children:"server"})," and ",(0,s.jsx)(n.a,{href:"/kr/cli/agent",children:"agent"})," command documentation for more in-depth coverage."]}),"\n",(0,s.jsx)(n.h2,{id:"configuration-with-install-script",children:"Configuration with install script"}),"\n",(0,s.jsxs)(n.p,{children:["As mentioned in the ",(0,s.jsx)(n.a,{href:"/kr/quick-start",children:"Quick-Start Guide"}),", you can use the installation script available at ",(0,s.jsx)(n.a,{href:"https://get.k3s.io",children:"https://get.k3s.io"})," to install K3s as a service on systemd and openrc based systems."]}),"\n",(0,s.jsxs)(n.p,{children:["You can use a combination of ",(0,s.jsx)(n.code,{children:"INSTALL_K3S_EXEC"}),", ",(0,s.jsx)(n.code,{children:"K3S_"})," environment variables, and command flags to pass configuration to the service configuration.\nThe prefixed environment variables, ",(0,s.jsx)(n.code,{children:"INSTALL_K3S_EXEC"})," value, and trailing shell arguments are all persisted into the service configuration.\nAfter installation, configuration may be altered by editing the environment file, editing the service configuration, or simply re-running the installer with new options."]}),"\n",(0,s.jsx)(n.p,{children:"To illustrate this, the following commands all result in the same behavior of registering a server without flannel and with a token:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="server" sh -s - --flannel-backend none --token 12345\ncurl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="server --flannel-backend none" K3S_TOKEN=12345 sh -s -\ncurl -sfL https://get.k3s.io | K3S_TOKEN=12345 sh -s - server --flannel-backend none\n# server is assumed below because there is no K3S_URL\ncurl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="--flannel-backend none --token 12345" sh -s - \ncurl -sfL https://get.k3s.io | sh -s - --flannel-backend none --token 12345\n'})}),"\n",(0,s.jsx)(n.p,{children:"When registering an agent, the following commands all result in the same behavior:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="agent --server https://k3s.example.com --token mypassword" sh -s -\ncurl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="agent" K3S_TOKEN="mypassword" sh -s - --server https://k3s.example.com\ncurl -sfL https://get.k3s.io | K3S_URL=https://k3s.example.com sh -s - agent --token mypassword\ncurl -sfL https://get.k3s.io | K3S_URL=https://k3s.example.com K3S_TOKEN=mypassword sh -s - # agent is assumed because of K3S_URL\n'})}),"\n",(0,s.jsxs)(n.p,{children:["For details on all environment variables, see ",(0,s.jsx)(n.a,{href:"/kr/reference/env-variables",children:"Environment Variables."})]}),"\n",(0,s.jsxs)(n.admonition,{title:"Note",type:"info",children:[(0,s.jsx)(n.p,{children:"If you set configuration when running the install script, but do not set it again when re-running the install script, the original values will be lost."}),(0,s.jsxs)(n.p,{children:["The contents of the ",(0,s.jsx)(n.a,{href:"#configuration-file",children:"configuration file"})," are not managed by the install script.\nIf you want your configuration to be independent from the install script, you should use a configuration file instead of passing environment variables or arguments to the install script."]})]}),"\n",(0,s.jsx)(n.h2,{id:"configuration-with-binary",children:"Configuration with binary"}),"\n",(0,s.jsxs)(n.p,{children:["As stated, the installation script is primarily concerned with configuring K3s to run as a service.",(0,s.jsx)(n.br,{}),"\n","If you choose to not use the script, you can run K3s simply by downloading the binary from our ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases/latest",children:"release page"}),", placing it on your path, and executing it. This is not particularly useful for permanent installations, but may be useful when performing quick tests that do not merit managing K3s as a system service."]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"curl -Lo /usr/local/bin/k3s https://github.com/k3s-io/k3s/releases/download/v1.26.5+k3s1/k3s; chmod a+x /usr/local/bin/k3s\n"})}),"\n",(0,s.jsxs)(n.p,{children:["You can pass configuration by setting ",(0,s.jsx)(n.code,{children:"K3S_"})," environment variables:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'K3S_KUBECONFIG_MODE="644" k3s server\n'})}),"\n",(0,s.jsx)(n.p,{children:"Or command flags:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"k3s server --write-kubeconfig-mode=644\n"})}),"\n",(0,s.jsx)(n.p,{children:"The k3s agent can also be configured this way:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"k3s agent --server https://k3s.example.com --token mypassword\n"})}),"\n",(0,s.jsxs)(n.p,{children:["For details on configuring the K3s server, see the ",(0,s.jsxs)(n.a,{href:"/kr/cli/server",children:[(0,s.jsx)(n.code,{children:"k3s server"})," documentation"]}),".",(0,s.jsx)(n.br,{}),"\n","For details on configuring the K3s agent, see the ",(0,s.jsxs)(n.a,{href:"/kr/cli/agent",children:[(0,s.jsx)(n.code,{children:"k3s agent"})," documentation"]}),".",(0,s.jsx)(n.br,{}),"\n","You can also use the ",(0,s.jsx)(n.code,{children:"--help"})," flag to see a list of all available options, and their corresponding environment variables."]}),"\n",(0,s.jsx)(n.admonition,{title:"Matching Flags",type:"info",children:(0,s.jsxs)(n.p,{children:["It is important to match critical flags on your server nodes. For example, if you use the flag\n",(0,s.jsx)(n.code,{children:"--disable servicelb"})," or ",(0,s.jsx)(n.code,{children:"--cluster-cidr=10.200.0.0/16"})," on your master node, but don't set it on other server nodes, the nodes will fail to join. They will print errors such as:\n",(0,s.jsx)(n.code,{children:"failed to validate server configuration: critical configuration value mismatch."}),"\nSee the Server Configuration documentation (linked above) for more information on which flags must be set identically on server nodes."]})}),"\n",(0,s.jsx)(n.h2,{id:"configuration-file",children:"Configuration File"}),"\n",(0,s.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,s.jsxs)(n.p,{children:["Available as of ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.19.1%2Bk3s1",children:"v1.19.1+k3s1"})]})}),"\n",(0,s.jsx)(n.p,{children:"In addition to configuring K3s with environment variables and CLI arguments, K3s can also use a config file."}),"\n",(0,s.jsxs)(n.p,{children:["By default, values present in a YAML file located at ",(0,s.jsx)(n.code,{children:"/etc/rancher/k3s/config.yaml"})," will be used on install."]}),"\n",(0,s.jsxs)(n.p,{children:["An example of a basic ",(0,s.jsx)(n.code,{children:"server"})," config file is below:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:'write-kubeconfig-mode: "0644"\ntls-san:\n - "foo.local"\nnode-label:\n - "foo=bar"\n - "something=amazing"\ncluster-init: true\n'})}),"\n",(0,s.jsx)(n.p,{children:"This is equivalent to the following CLI arguments:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'k3s server \\\n --write-kubeconfig-mode "0644" \\\n --tls-san "foo.local" \\\n --node-label "foo=bar" \\\n --node-label "something=amazing" \\\n --cluster-init\n'})}),"\n",(0,s.jsxs)(n.p,{children:["In general, CLI arguments map to their respective YAML key, with repeatable CLI arguments being represented as YAML lists. Boolean flags are represented as ",(0,s.jsx)(n.code,{children:"true"})," or ",(0,s.jsx)(n.code,{children:"false"})," in the YAML file."]}),"\n",(0,s.jsxs)(n.p,{children:["It is also possible to use both a configuration file and CLI arguments. In these situations, values will be loaded from both sources, but CLI arguments will take precedence. For repeatable arguments such as ",(0,s.jsx)(n.code,{children:"--node-label"}),", the CLI arguments will overwrite all values in the list."]}),"\n",(0,s.jsxs)(n.p,{children:["Finally, the location of the config file can be changed either through the CLI argument ",(0,s.jsx)(n.code,{children:"--config FILE, -c FILE"}),", or the environment variable ",(0,s.jsx)(n.code,{children:"$K3S_CONFIG_FILE"}),"."]}),"\n",(0,s.jsx)(n.h3,{id:"multiple-config-files",children:"Multiple Config Files"}),"\n",(0,s.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,s.jsxs)(n.p,{children:["Available as of ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.21.0%2Bk3s1",children:"v1.21.0+k3s1"})]})}),"\n",(0,s.jsxs)(n.p,{children:["Multiple configuration files are supported. By default, configuration files are read from ",(0,s.jsx)(n.code,{children:"/etc/rancher/k3s/config.yaml"})," and ",(0,s.jsx)(n.code,{children:"/etc/rancher/k3s/config.yaml.d/*.yaml"})," in alphabetical order."]}),"\n",(0,s.jsxs)(n.p,{children:["By default, the last value found for a given key will be used. A ",(0,s.jsx)(n.code,{children:"+"})," can be appended to the key to append the value to the existing string or slice, instead of replacing it. All occurrences of this key in subsequent files will also require a ",(0,s.jsx)(n.code,{children:"+"})," to prevent overwriting the accumulated value."]}),"\n",(0,s.jsx)(n.p,{children:"An example of multiple config files is below:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:"# config.yaml\ntoken: boop\nnode-label:\n - foo=bar\n - bar=baz\n\n\n# config.yaml.d/test1.yaml\nwrite-kubeconfig-mode: 600\nnode-taint:\n - alice=bob:NoExecute\n\n# config.yaml.d/test2.yaml\nwrite-kubeconfig-mode: 777\nnode-label:\n - other=what\n - foo=three\nnode-taint+:\n - charlie=delta:NoSchedule\n\n"})}),"\n",(0,s.jsx)(n.p,{children:"This results in a final configuration of:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:"write-kubeconfig-mode: 777\ntoken: boop\nnode-label:\n - other=what\n - foo=three\nnode-taint:\n - alice=bob:NoExecute\n - charlie=delta:NoSchedule\n"})}),"\n",(0,s.jsx)(n.h2,{id:"putting-it-all-together",children:"Putting it all together"}),"\n",(0,s.jsx)(n.p,{children:"All of the above options can be combined into a single example."}),"\n",(0,s.jsxs)(n.p,{children:["A ",(0,s.jsx)(n.code,{children:"config.yaml"})," file is created at ",(0,s.jsx)(n.code,{children:"/etc/rancher/k3s/config.yaml"}),":"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:'token: "secret"\ndebug: true\n'})}),"\n",(0,s.jsx)(n.p,{children:"Then the installation script is run with a combination of environment variables and flags:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'curl -sfL https://get.k3s.io | K3S_KUBECONFIG_MODE="644" INSTALL_K3S_EXEC="server" sh -s - --flannel-backend none\n'})}),"\n",(0,s.jsx)(n.p,{children:"Or if you have already installed the K3s Binary:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'K3S_KUBECONFIG_MODE="644" k3s server --flannel-backend none\n'})}),"\n",(0,s.jsx)(n.p,{children:"This results in a server with:"}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsxs)(n.li,{children:["A kubeconfig file with permissions ",(0,s.jsx)(n.code,{children:"644"})]}),"\n",(0,s.jsxs)(n.li,{children:["Flannel backend set to ",(0,s.jsx)(n.code,{children:"none"})]}),"\n",(0,s.jsxs)(n.li,{children:["The token set to ",(0,s.jsx)(n.code,{children:"secret"})]}),"\n",(0,s.jsx)(n.li,{children:"Debug logging enabled"}),"\n"]})]})}function h(e={}){const{wrapper:n}={...(0,t.a)(),...e.components};return n?(0,s.jsx)(n,{...e,children:(0,s.jsx)(d,{...e})}):d(e)}},1151:(e,n,i)=>{i.d(n,{Z:()=>r,a:()=>o});var s=i(7294);const t={},a=s.createContext(t);function o(e){const n=s.useContext(a);return s.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function r(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:o(e.components),s.createElement(a.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/20aafa33.3bcbd266.js b/kr/assets/js/20aafa33.3bcbd266.js new file mode 100644 index 000000000..9048ee22a --- /dev/null +++ b/kr/assets/js/20aafa33.3bcbd266.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[6515],{8188:(e,s,n)=>{n.r(s),n.d(s,{assets:()=>c,contentTitle:()=>l,default:()=>h,frontMatter:()=>d,metadata:()=>i,toc:()=>o});var r=n(5893),t=n(1151);const d={title:"server"},l="k3s server",i={id:"cli/server",title:"server",description:"In this section, you'll learn how to configure the K3s server.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/cli/server.md",sourceDirName:"cli",slug:"/cli/server",permalink:"/kr/cli/server",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/cli/server.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"server"},sidebar:"mySidebar",previous:{title:"\uba85\ub839\uc904 \ub3c4\uad6c",permalink:"/kr/cli/"},next:{title:"agent",permalink:"/kr/cli/agent"}},c={},o=[{value:"Critical Configuration Values",id:"critical-configuration-values",level:2},{value:"Commonly Used Options",id:"commonly-used-options",level:2},{value:"Database",id:"database",level:3},{value:"Cluster Options",id:"cluster-options",level:3},{value:"Admin Kubeconfig Options",id:"admin-kubeconfig-options",level:3},{value:"Advanced Options",id:"advanced-options",level:2},{value:"Logging",id:"logging",level:3},{value:"Listeners",id:"listeners",level:3},{value:"Data",id:"data",level:3},{value:"Secrets Encryption",id:"secrets-encryption",level:3},{value:"Networking",id:"networking",level:3},{value:"Storage Class",id:"storage-class",level:3},{value:"Kubernetes Components",id:"kubernetes-components",level:3},{value:"Customized Flags for Kubernetes Processes",id:"customized-flags-for-kubernetes-processes",level:3},{value:"Experimental Options",id:"experimental-options",level:3},{value:"Deprecated Options",id:"deprecated-options",level:3}];function a(e){const s={a:"a",blockquote:"blockquote",code:"code",h1:"h1",h2:"h2",h3:"h3",header:"header",li:"li",p:"p",pre:"pre",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,t.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(s.header,{children:(0,r.jsx)(s.h1,{id:"k3s-server",children:"k3s server"})}),"\n",(0,r.jsx)(s.p,{children:"In this section, you'll learn how to configure the K3s server."}),"\n",(0,r.jsxs)(s.p,{children:["Note that servers also run an agent, so all of the configuration options listed in the ",(0,r.jsxs)(s.a,{href:"/kr/cli/agent",children:[(0,r.jsx)(s.code,{children:"k3s agent"})," documentation"]})," are also supported on servers."]}),"\n",(0,r.jsxs)(s.p,{children:["Options are documented on this page as CLI flags, but can also be passed as configuration file options. See the ",(0,r.jsx)(s.a,{href:"/kr/installation/configuration#configuration-file",children:"Configuration File"})," documentation for more information on using YAML configuration files."]}),"\n",(0,r.jsx)(s.h2,{id:"critical-configuration-values",children:"Critical Configuration Values"}),"\n",(0,r.jsx)(s.p,{children:"The following options must be set to the same value on all servers in the cluster. Failure to do so will cause new servers to fail to join the cluster when using embedded etcd, or incorrect operation of the cluster when using an external datastore."}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--agent-token"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--cluster-cidr"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--cluster-dns"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--cluster-domain"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--disable-cloud-controller"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--disable-helm-controller"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--disable-network-policy"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--disable-servicelb"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--egress-selector-mode"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--flannel-backend"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--flannel-external-ip"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--flannel-ipv6-masq"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--secrets-encryption"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--service-cidr"})}),"\n"]}),"\n",(0,r.jsx)(s.h2,{id:"commonly-used-options",children:"Commonly Used Options"}),"\n",(0,r.jsx)(s.h3,{id:"database",children:"Database"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Environment Variable"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--datastore-endpoint"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_DATASTORE_ENDPOINT"})}),(0,r.jsx)(s.td,{children:"Specify etcd, Mysql, Postgres, or Sqlite (default) data source name"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--datastore-cafile"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_DATASTORE_CAFILE"})}),(0,r.jsx)(s.td,{children:"TLS Certificate Authority file used to secure datastore backend communication"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--datastore-certfile"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_DATASTORE_CERTFILE"})}),(0,r.jsx)(s.td,{children:"TLS certification file used to secure datastore backend communication"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--datastore-keyfile"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_DATASTORE_KEYFILE"})}),(0,r.jsx)(s.td,{children:"TLS key file used to secure datastore backend communication"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--etcd-expose-metrics"})}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:"Expose etcd metrics to client interface (default: false)"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--etcd-disable-snapshots"})}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:"Disable automatic etcd snapshots"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-snapshot-name"})," value"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:'Set the base name of etcd snapshots. Default: etcd-snapshot- (default:"etcd-snapshot")'})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-snapshot-schedule-cron"})," value"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:"Snapshot interval time in cron spec. eg. every 5 hours '0 */5 _ * _' (default: \"0 */12 * * *\")"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-snapshot-retention"})," value"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:"Number of snapshots to retain (default: 5)"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-snapshot-dir"})," value"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:"Directory to save db snapshots (default: ${data-dir}/db/snapshots)"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--etcd-s3"})}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:"Enable backup to S3"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-s3-endpoint"})," value"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:'S3 endpoint url (default: "s3.amazonaws.com")'})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-s3-endpoint-ca"})," value"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:"S3 custom CA cert to connect to S3 endpoint"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--etcd-s3-skip-ssl-verify"})}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:"Disables S3 SSL certificate validation"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-s3-access-key"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"AWS_ACCESS_KEY_ID"})}),(0,r.jsx)(s.td,{children:"S3 access key"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-s3-secret-key"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"AWS_SECRET_ACCESS_KEY"})}),(0,r.jsx)(s.td,{children:"S3 secret key"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-s3-bucket"})," value"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:"S3 bucket name"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-s3-region"})," value"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:'S3 region / bucket location (optional) (default: "us-east-1")'})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-s3-folder"})," value"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:"S3 folder"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--etcd-s3-insecure"})}),(0,r.jsx)(s.td,{children:"Disables S3 over HTTPS"}),(0,r.jsx)(s.td,{})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-s3-timeout"})," value"]}),(0,r.jsx)(s.td,{children:"S3 timeout (default: 5m0s)"}),(0,r.jsx)(s.td,{})]})]})]}),"\n",(0,r.jsx)(s.h3,{id:"cluster-options",children:"Cluster Options"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Environment Variable"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--token"})," value, ",(0,r.jsx)(s.code,{children:"-t"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_TOKEN"})}),(0,r.jsx)(s.td,{children:"Shared secret used to join a server or agent to a cluster"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--token-file"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_TOKEN_FILE"})}),(0,r.jsx)(s.td,{children:"File containing the cluster-secret/token"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--agent-token"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_AGENT_TOKEN"})}),(0,r.jsx)(s.td,{children:"Shared secret used to join agents to the cluster, but not servers"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--agent-token-file"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_AGENT_TOKEN_FILE"})}),(0,r.jsx)(s.td,{children:"File containing the agent secret"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--server"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_URL"})}),(0,r.jsx)(s.td,{children:"Server to connect to, used to join a cluster"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--cluster-init"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_CLUSTER_INIT"})}),(0,r.jsx)(s.td,{children:"Initialize a new cluster using embedded Etcd"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--cluster-reset"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_CLUSTER_RESET"})}),(0,r.jsx)(s.td,{children:"Forget all peers and become sole member of a new cluster"})]})]})]}),"\n",(0,r.jsx)(s.h3,{id:"admin-kubeconfig-options",children:"Admin Kubeconfig Options"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Environment Variable"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--write-kubeconfig value, -o"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_KUBECONFIG_OUTPUT"})}),(0,r.jsx)(s.td,{children:"Write kubeconfig for admin client to this file"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--write-kubeconfig-mode"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_KUBECONFIG_MODE"})}),(0,r.jsxs)(s.td,{children:["Write kubeconfig with this ",(0,r.jsx)(s.a,{href:"https://en.wikipedia.org/wiki/Chmod",children:"mode."})," The kubeconfig file is owned by root, and written with a default mode of 600. Changing the mode to 644 will allow it to be read by other unprivileged users on the host."]})]})]})]}),"\n",(0,r.jsx)(s.h2,{id:"advanced-options",children:"Advanced Options"}),"\n",(0,r.jsx)(s.h3,{id:"logging",children:"Logging"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Default"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--debug"})}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:"Turn on debug logs"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"-v"})," value"]}),(0,r.jsx)(s.td,{children:"0"}),(0,r.jsx)(s.td,{children:"Number for the log level verbosity"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--vmodule"})," value"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:"Comma-separated list of FILE_PATTERN=LOG_LEVEL settings for file-filtered logging"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--log value, -l"})," value"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:"Log to file"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--alsologtostderr"})}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:"Log to standard error as well as file (if set)"})]})]})]}),"\n",(0,r.jsx)(s.h3,{id:"listeners",children:"Listeners"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Default"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--bind-address"})," value"]}),(0,r.jsx)(s.td,{children:"0.0.0.0"}),(0,r.jsx)(s.td,{children:"k3s bind address"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--https-listen-port"})," value"]}),(0,r.jsx)(s.td,{children:"6443"}),(0,r.jsx)(s.td,{children:"HTTPS listen port"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--advertise-address"})," value"]}),(0,r.jsx)(s.td,{children:"node-external-ip/node-ip"}),(0,r.jsx)(s.td,{children:"IPv4 address that apiserver uses to advertise to members of the cluster"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--advertise-port"})," value"]}),(0,r.jsx)(s.td,{children:"listen-port/0"}),(0,r.jsx)(s.td,{children:"Port that apiserver uses to advertise to members of the cluster"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--tls-san"})," value"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:"Add additional hostnames or IPv4/IPv6 addresses as Subject Alternative Names on the TLS cert"})]})]})]}),"\n",(0,r.jsx)(s.h3,{id:"data",children:"Data"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Default"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsx)(s.tbody,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--data-dir value, -d"})," value"]}),(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"/var/lib/rancher/k3s"})," or ",(0,r.jsx)(s.code,{children:"${HOME}/.rancher/k3s"})," if not root"]}),(0,r.jsx)(s.td,{children:"Folder to hold state"})]})})]}),"\n",(0,r.jsx)(s.h3,{id:"secrets-encryption",children:"Secrets Encryption"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Default"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsx)(s.tbody,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--secrets-encryption"})}),(0,r.jsx)(s.td,{children:"false"}),(0,r.jsx)(s.td,{children:"Enable Secret encryption at rest"})]})})]}),"\n",(0,r.jsx)(s.h3,{id:"networking",children:"Networking"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Default"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--cluster-cidr"})," value"]}),(0,r.jsx)(s.td,{children:'"10.42.0.0/16"'}),(0,r.jsx)(s.td,{children:"IPv4/IPv6 network CIDRs to use for pod IPs"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--service-cidr"})," value"]}),(0,r.jsx)(s.td,{children:'"10.43.0.0/16"'}),(0,r.jsx)(s.td,{children:"IPv4/IPv6 network CIDRs to use for service IPs"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--service-node-port-range"})," value"]}),(0,r.jsx)(s.td,{children:'"30000-32767"'}),(0,r.jsx)(s.td,{children:"Port range to reserve for services with NodePort visibility"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--cluster-dns"})," value"]}),(0,r.jsx)(s.td,{children:'"10.43.0.10"'}),(0,r.jsx)(s.td,{children:"IPv4 Cluster IP for coredns service. Should be in your service-cidr range"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--cluster-domain"})," value"]}),(0,r.jsx)(s.td,{children:'"cluster.local"'}),(0,r.jsx)(s.td,{children:"Cluster Domain"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--flannel-backend"})," value"]}),(0,r.jsx)(s.td,{children:'"vxlan"'}),(0,r.jsx)(s.td,{children:"One of 'none', 'vxlan', 'ipsec'(deprecated), 'host-gw', 'wireguard-native', or 'wireguard'(deprecated)"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--flannel-ipv6-masq"})}),(0,r.jsx)(s.td,{children:'"N/A"'}),(0,r.jsx)(s.td,{children:"Enable IPv6 masquerading for pod"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--flannel-external-ip"})}),(0,r.jsx)(s.td,{children:'"N/A"'}),(0,r.jsx)(s.td,{children:"Use node external IP addresses for Flannel traffic"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--servicelb-namespace"})," value"]}),(0,r.jsx)(s.td,{children:'"kube-system"'}),(0,r.jsx)(s.td,{children:"Namespace of the pods for the servicelb component"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--egress-selector-mode"})," value"]}),(0,r.jsx)(s.td,{children:'"agent"'}),(0,r.jsxs)(s.td,{children:["Must be one of the following: ",(0,r.jsxs)("ul",{children:[(0,r.jsx)("li",{children:"disabled: The apiserver does not use agent tunnels to communicate with nodes. Requires that servers run agents, and have direct connectivity to the kubelet on agents, or the apiserver will not be able to function access service endpoints or perform kubectl exec and kubectl logs."}),(0,r.jsx)("li",{children:"agent: The apiserver uses agent tunnels to communicate with nodes. Nodes allow the tunnel connection from loopback addresses. Requires that servers also run agents, or the apiserver will not be able to access service endpoints. The historical default for k3s."}),(0,r.jsx)("li",{children:" pod: The apiserver uses agent tunnels to communicate with nodes and service endpoints, routing endpoint connections to the correct agent by watching Nodes. Nodes allow the tunnel connection from loopback addresses, or a CIDR assigned to their node."}),(0,r.jsx)("li",{children:" cluster: The apiserver uses agent tunnels to communicate with nodes and service endpoints, routing endpoint connections to the correct agent by watching Endpoints. Nodes allow the tunnel connection from loopback addresses, or the configured cluster CIDR range."})]})]})]})]})]}),"\n",(0,r.jsx)(s.h3,{id:"storage-class",children:"Storage Class"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsx)(s.tbody,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--default-local-storage-path"})," value"]}),(0,r.jsx)(s.td,{children:"Default local storage path for local provisioner storage class"})]})})]}),"\n",(0,r.jsx)(s.h3,{id:"kubernetes-components",children:"Kubernetes Components"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--disable"})," value"]}),(0,r.jsxs)(s.td,{children:['See "',(0,r.jsxs)(s.a,{href:"/kr/installation/packaged-components#using-the---disable-flag",children:["Using the ",(0,r.jsx)(s.code,{children:"--disable"})," flag"]}),'"']})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--disable-scheduler"})}),(0,r.jsx)(s.td,{children:"Disable Kubernetes default scheduler"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--disable-cloud-controller"})}),(0,r.jsx)(s.td,{children:"Disable k3s default cloud controller manager"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--disable-kube-proxy"})}),(0,r.jsx)(s.td,{children:"Disable running kube-proxy"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--disable-network-policy"})}),(0,r.jsx)(s.td,{children:"Disable k3s default network policy controller"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--disable-helm-controller"})}),(0,r.jsx)(s.td,{children:"Disable Helm controller"})]})]})]}),"\n",(0,r.jsx)(s.h3,{id:"customized-flags-for-kubernetes-processes",children:"Customized Flags for Kubernetes Processes"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-arg"})," value"]}),(0,r.jsx)(s.td,{children:"Customized flag for etcd process"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--kube-apiserver-arg"})," value"]}),(0,r.jsx)(s.td,{children:"Customized flag for kube-apiserver process"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--kube-scheduler-arg"})," value"]}),(0,r.jsx)(s.td,{children:"Customized flag for kube-scheduler process"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--kube-controller-manager-arg"})," value"]}),(0,r.jsx)(s.td,{children:"Customized flag for kube-controller-manager process"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--kube-cloud-controller-manager-arg"})," value"]}),(0,r.jsx)(s.td,{children:"Customized flag for kube-cloud-controller-manager process"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--kubelet-arg"})," value"]}),(0,r.jsx)(s.td,{children:"Customized flag for kubelet process"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--kube-proxy-arg"})," value"]}),(0,r.jsx)(s.td,{children:"Customized flag for kube-proxy process"})]})]})]}),"\n",(0,r.jsx)(s.h3,{id:"experimental-options",children:"Experimental Options"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--rootless"})}),(0,r.jsx)(s.td,{children:"Run rootless"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--enable-pprof"})}),(0,r.jsx)(s.td,{children:"Enable pprof endpoint on supervisor port"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--docker"})}),(0,r.jsx)(s.td,{children:"Use cri-dockerd instead of containerd"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--prefer-bundled-bin"})}),(0,r.jsx)(s.td,{children:"Prefer bundled userspace binaries over host binaries"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--disable-agent"})}),(0,r.jsxs)(s.td,{children:['See "',(0,r.jsx)(s.a,{href:"/kr/advanced#%EC%97%90%EC%9D%B4%EC%A0%84%ED%8A%B8-%EC%97%86%EB%8A%94-%EC%84%9C%EB%B2%84-%EC%8B%A4%ED%96%89%ED%95%98%EA%B8%B0%EC%8B%A4%ED%97%98%EC%A0%81",children:"Running Agentless Servers (Experimental)"}),'"']})]})]})]}),"\n",(0,r.jsx)(s.h3,{id:"deprecated-options",children:"Deprecated Options"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Environment Variable"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--no-flannel"})}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsxs)(s.td,{children:["Use ",(0,r.jsx)(s.code,{children:"--flannel-backend=none"})]})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--no-deploy"})," value"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsxs)(s.td,{children:["Use ",(0,r.jsx)(s.code,{children:"--disable"})]})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--cluster-secret"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_CLUSTER_SECRET"})}),(0,r.jsxs)(s.td,{children:["Use ",(0,r.jsx)(s.code,{children:"--token"})]})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--flannel-backend"})," wireguard"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsxs)(s.td,{children:["Use ",(0,r.jsx)(s.code,{children:"--flannel-backend=wireguard-native"})]})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--flannel-backend"})," value=option1=value"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsxs)(s.td,{children:["Use ",(0,r.jsx)(s.code,{children:"--flannel-conf"})," to specify the flannel config file with the backend config"]})]})]})]}),"\n",(0,r.jsx)(s.h1,{id:"k3s-server-cli-help",children:"K3s Server CLI Help"}),"\n",(0,r.jsxs)(s.blockquote,{children:["\n",(0,r.jsxs)(s.p,{children:["If an option appears in brackets below, for example ",(0,r.jsx)(s.code,{children:"[$K3S_TOKEN]"}),", it means that the option can be passed in as an environment variable of that name."]}),"\n"]}),"\n",(0,r.jsx)(s.pre,{children:(0,r.jsx)(s.code,{className:"language-bash",children:'NAME:\n k3s server - Run management server\n\nUSAGE:\n k3s server [OPTIONS]\n\nOPTIONS:\n --config FILE, -c FILE (config) Load configuration from FILE (default: "/etc/rancher/k3s/config.yaml") [$K3S_CONFIG_FILE]\n --debug (logging) Turn on debug logs [$K3S_DEBUG]\n -v value (logging) Number for the log level verbosity (default: 0)\n --vmodule value (logging) Comma-separated list of FILE_PATTERN=LOG_LEVEL settings for file-filtered logging\n --log value, -l value (logging) Log to file\n --alsologtostderr (logging) Log to standard error as well as file (if set)\n --bind-address value (listener) k3s bind address (default: 0.0.0.0)\n --https-listen-port value (listener) HTTPS listen port (default: 6443)\n --advertise-address value (listener) IPv4 address that apiserver uses to advertise to members of the cluster (default: node-external-ip/node-ip)\n --advertise-port value (listener) Port that apiserver uses to advertise to members of the cluster (default: listen-port) (default: 0)\n --tls-san value (listener) Add additional hostnames or IPv4/IPv6 addresses as Subject Alternative Names on the server TLS cert\n --data-dir value, -d value (data) Folder to hold state (default: /var/lib/rancher/k3s or $\\{HOME\\}/.rancher/k3s if not root)\n --cluster-cidr value (networking) IPv4/IPv6 network CIDRs to use for pod IPs (default: 10.42.0.0/16)\n --service-cidr value (networking) IPv4/IPv6 network CIDRs to use for service IPs (default: 10.43.0.0/16)\n --service-node-port-range value (networking) Port range to reserve for services with NodePort visibility (default: "30000-32767")\n --cluster-dns value (networking) IPv4 Cluster IP for coredns service. Should be in your service-cidr range (default: 10.43.0.10)\n --cluster-domain value (networking) Cluster Domain (default: "cluster.local")\n --flannel-backend value (networking) backend<=option1=val1,option2=val2> where backend is one of \'none\', \'vxlan\', \'ipsec\' (deprecated), \'host-gw\', \'wireguard-native\', \'wireguard\' (deprecated) (default: "vxlan")\n --flannel-ipv6-masq (networking) Enable IPv6 masquerading for pod\n --flannel-external-ip (networking) Use node external IP addresses for Flannel traffic\n --egress-selector-mode value (networking) One of \'agent\', \'cluster\', \'pod\', \'disabled\' (default: "agent")\n --servicelb-namespace value (networking) Namespace of the pods for the servicelb component (default: "kube-system")\n --write-kubeconfig value, -o value (client) Write kubeconfig for admin client to this file [$K3S_KUBECONFIG_OUTPUT]\n --write-kubeconfig-mode value (client) Write kubeconfig with this mode [$K3S_KUBECONFIG_MODE]\n --token value, -t value (cluster) Shared secret used to join a server or agent to a cluster [$K3S_TOKEN]\n --token-file value (cluster) File containing the token [$K3S_TOKEN_FILE]\n --agent-token value (cluster) Shared secret used to join agents to the cluster, but not servers [$K3S_AGENT_TOKEN]\n --agent-token-file value (cluster) File containing the agent secret [$K3S_AGENT_TOKEN_FILE]\n --server value, -s value (cluster) Server to connect to, used to join a cluster [$K3S_URL]\n --cluster-init (cluster) Initialize a new cluster using embedded Etcd [$K3S_CLUSTER_INIT]\n --cluster-reset (cluster) Forget all peers and become sole member of a new cluster [$K3S_CLUSTER_RESET]\n --cluster-reset-restore-path value (db) Path to snapshot file to be restored\n --kube-apiserver-arg value (flags) Customized flag for kube-apiserver process\n --etcd-arg value (flags) Customized flag for etcd process\n --kube-controller-manager-arg value (flags) Customized flag for kube-controller-manager process\n --kube-scheduler-arg value (flags) Customized flag for kube-scheduler process\n --kube-cloud-controller-manager-arg value (flags) Customized flag for kube-cloud-controller-manager process\n --datastore-endpoint value (db) Specify etcd, Mysql, Postgres, or Sqlite (default) data source name [$K3S_DATASTORE_ENDPOINT]\n --datastore-cafile value (db) TLS Certificate Authority file used to secure datastore backend communication [$K3S_DATASTORE_CAFILE]\n --datastore-certfile value (db) TLS certification file used to secure datastore backend communication [$K3S_DATASTORE_CERTFILE]\n --datastore-keyfile value (db) TLS key file used to secure datastore backend communication [$K3S_DATASTORE_KEYFILE]\n --etcd-expose-metrics (db) Expose etcd metrics to client interface. (default: false)\n --etcd-disable-snapshots (db) Disable automatic etcd snapshots\n --etcd-snapshot-name value (db) Set the base name of etcd snapshots (default: etcd-snapshot-) (default: "etcd-snapshot")\n --etcd-snapshot-schedule-cron value (db) Snapshot interval time in cron spec. eg. every 5 hours \'* */5 * * *\' (default: "0 */12 * * *")\n --etcd-snapshot-retention value (db) Number of snapshots to retain (default: 5)\n --etcd-snapshot-dir value (db) Directory to save db snapshots. (default: $\\{data-dir\\}/db/snapshots)\n --etcd-snapshot-compress (db) Compress etcd snapshot\n --etcd-s3 (db) Enable backup to S3\n --etcd-s3-endpoint value (db) S3 endpoint url (default: "s3.amazonaws.com")\n --etcd-s3-endpoint-ca value (db) S3 custom CA cert to connect to S3 endpoint\n --etcd-s3-skip-ssl-verify (db) Disables S3 SSL certificate validation\n --etcd-s3-access-key value (db) S3 access key [$AWS_ACCESS_KEY_ID]\n --etcd-s3-secret-key value (db) S3 secret key [$AWS_SECRET_ACCESS_KEY]\n --etcd-s3-bucket value (db) S3 bucket name\n --etcd-s3-region value (db) S3 region / bucket location (optional) (default: "us-east-1")\n --etcd-s3-folder value (db) S3 folder\n --etcd-s3-insecure (db) Disables S3 over HTTPS\n --etcd-s3-timeout value (db) S3 timeout (default: 5m0s)\n --default-local-storage-path value (storage) Default local storage path for local provisioner storage class\n --disable value (components) Do not deploy packaged components and delete any deployed components (valid items: coredns, servicelb, traefik, local-storage, metrics-server)\n --disable-scheduler (components) Disable Kubernetes default scheduler\n --disable-cloud-controller (components) Disable k3s default cloud controller manager\n --disable-kube-proxy (components) Disable running kube-proxy\n --disable-network-policy (components) Disable k3s default network policy controller\n --disable-helm-controller (components) Disable Helm controller\n --node-name value (agent/node) Node name [$K3S_NODE_NAME]\n --with-node-id (agent/node) Append id to node name\n --node-label value (agent/node) Registering and starting kubelet with set of labels\n --node-taint value (agent/node) Registering kubelet with set of taints\n --image-credential-provider-bin-dir value (agent/node) The path to the directory where credential provider plugin binaries are located (default: "/var/lib/rancher/credentialprovider/bin")\n --image-credential-provider-config value (agent/node) The path to the credential provider plugin config file (default: "/var/lib/rancher/credentialprovider/config.yaml")\n --docker (agent/runtime) (experimental) Use cri-dockerd instead of containerd\n --container-runtime-endpoint value (agent/runtime) Disable embedded containerd and use the CRI socket at the given path; when used with --docker this sets the docker socket path\n --pause-image value (agent/runtime) Customized pause image for containerd or docker sandbox (default: "rancher/mirrored-pause:3.6")\n --snapshotter value (agent/runtime) Override default containerd snapshotter (default: "overlayfs")\n --private-registry value (agent/runtime) Private registry configuration file (default: "/etc/rancher/k3s/registries.yaml")\n --system-default-registry value (agent/runtime) Private registry to be used for all system images [$K3S_SYSTEM_DEFAULT_REGISTRY]\n --node-ip value, -i value (agent/networking) IPv4/IPv6 addresses to advertise for node\n --node-external-ip value (agent/networking) IPv4/IPv6 external IP addresses to advertise for node\n --resolv-conf value (agent/networking) Kubelet resolv.conf file [$K3S_RESOLV_CONF]\n --flannel-iface value (agent/networking) Override default flannel interface\n --flannel-conf value (agent/networking) Override default flannel config file\n --flannel-cni-conf value (agent/networking) Override default flannel cni config file\n --kubelet-arg value (agent/flags) Customized flag for kubelet process\n --kube-proxy-arg value (agent/flags) Customized flag for kube-proxy process\n --protect-kernel-defaults (agent/node) Kernel tuning behavior. If set, error if kernel tunables are different than kubelet defaults.\n --secrets-encryption Enable secret encryption at rest\n --enable-pprof (experimental) Enable pprof endpoint on supervisor port\n --rootless (experimental) Run rootless\n --prefer-bundled-bin (experimental) Prefer bundled userspace binaries over host binaries\n --selinux (agent/node) Enable SELinux in containerd [$K3S_SELINUX]\n --lb-server-port value (agent/node) Local port for supervisor client load-balancer. If the supervisor and apiserver are not colocated an additional port 1 less than this port will also be used for the apiserver client load-balancer. (default: 6444) [$K3S_LB_SERVER_PORT]\n'})})]})}function h(e={}){const{wrapper:s}={...(0,t.a)(),...e.components};return s?(0,r.jsx)(s,{...e,children:(0,r.jsx)(a,{...e})}):a(e)}},1151:(e,s,n)=>{n.d(s,{Z:()=>i,a:()=>l});var r=n(7294);const t={},d=r.createContext(t);function l(e){const s=r.useContext(d);return r.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function i(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:l(e.components),r.createElement(d.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/20aafa33.ecfa7dc8.js b/kr/assets/js/20aafa33.ecfa7dc8.js deleted file mode 100644 index 4a56ad4c0..000000000 --- a/kr/assets/js/20aafa33.ecfa7dc8.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[6515],{8188:(e,s,n)=>{n.r(s),n.d(s,{assets:()=>c,contentTitle:()=>l,default:()=>h,frontMatter:()=>d,metadata:()=>i,toc:()=>o});var r=n(5893),t=n(1151);const d={title:"server"},l="k3s server",i={id:"cli/server",title:"server",description:"In this section, you'll learn how to configure the K3s server.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/cli/server.md",sourceDirName:"cli",slug:"/cli/server",permalink:"/kr/cli/server",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/cli/server.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"server"},sidebar:"mySidebar",previous:{title:"\uba85\ub839\uc904 \ub3c4\uad6c",permalink:"/kr/cli/"},next:{title:"agent",permalink:"/kr/cli/agent"}},c={},o=[{value:"Critical Configuration Values",id:"critical-configuration-values",level:2},{value:"Commonly Used Options",id:"commonly-used-options",level:2},{value:"Database",id:"database",level:3},{value:"Cluster Options",id:"cluster-options",level:3},{value:"Admin Kubeconfig Options",id:"admin-kubeconfig-options",level:3},{value:"Advanced Options",id:"advanced-options",level:2},{value:"Logging",id:"logging",level:3},{value:"Listeners",id:"listeners",level:3},{value:"Data",id:"data",level:3},{value:"Secrets Encryption",id:"secrets-encryption",level:3},{value:"Networking",id:"networking",level:3},{value:"Storage Class",id:"storage-class",level:3},{value:"Kubernetes Components",id:"kubernetes-components",level:3},{value:"Customized Flags for Kubernetes Processes",id:"customized-flags-for-kubernetes-processes",level:3},{value:"Experimental Options",id:"experimental-options",level:3},{value:"Deprecated Options",id:"deprecated-options",level:3}];function a(e){const s={a:"a",blockquote:"blockquote",code:"code",h1:"h1",h2:"h2",h3:"h3",li:"li",p:"p",pre:"pre",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,t.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(s.h1,{id:"k3s-server",children:"k3s server"}),"\n",(0,r.jsx)(s.p,{children:"In this section, you'll learn how to configure the K3s server."}),"\n",(0,r.jsxs)(s.p,{children:["Note that servers also run an agent, so all of the configuration options listed in the ",(0,r.jsxs)(s.a,{href:"/kr/cli/agent",children:[(0,r.jsx)(s.code,{children:"k3s agent"})," documentation"]})," are also supported on servers."]}),"\n",(0,r.jsxs)(s.p,{children:["Options are documented on this page as CLI flags, but can also be passed as configuration file options. See the ",(0,r.jsx)(s.a,{href:"/kr/installation/configuration#configuration-file",children:"Configuration File"})," documentation for more information on using YAML configuration files."]}),"\n",(0,r.jsx)(s.h2,{id:"critical-configuration-values",children:"Critical Configuration Values"}),"\n",(0,r.jsx)(s.p,{children:"The following options must be set to the same value on all servers in the cluster. Failure to do so will cause new servers to fail to join the cluster when using embedded etcd, or incorrect operation of the cluster when using an external datastore."}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--agent-token"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--cluster-cidr"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--cluster-dns"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--cluster-domain"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--disable-cloud-controller"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--disable-helm-controller"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--disable-network-policy"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--disable-servicelb"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--egress-selector-mode"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--flannel-backend"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--flannel-external-ip"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--flannel-ipv6-masq"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--secrets-encryption"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--service-cidr"})}),"\n"]}),"\n",(0,r.jsx)(s.h2,{id:"commonly-used-options",children:"Commonly Used Options"}),"\n",(0,r.jsx)(s.h3,{id:"database",children:"Database"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Environment Variable"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--datastore-endpoint"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_DATASTORE_ENDPOINT"})}),(0,r.jsx)(s.td,{children:"Specify etcd, Mysql, Postgres, or Sqlite (default) data source name"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--datastore-cafile"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_DATASTORE_CAFILE"})}),(0,r.jsx)(s.td,{children:"TLS Certificate Authority file used to secure datastore backend communication"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--datastore-certfile"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_DATASTORE_CERTFILE"})}),(0,r.jsx)(s.td,{children:"TLS certification file used to secure datastore backend communication"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--datastore-keyfile"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_DATASTORE_KEYFILE"})}),(0,r.jsx)(s.td,{children:"TLS key file used to secure datastore backend communication"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--etcd-expose-metrics"})}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:"Expose etcd metrics to client interface (default: false)"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--etcd-disable-snapshots"})}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:"Disable automatic etcd snapshots"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-snapshot-name"})," value"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:'Set the base name of etcd snapshots. Default: etcd-snapshot- (default:"etcd-snapshot")'})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-snapshot-schedule-cron"})," value"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:"Snapshot interval time in cron spec. eg. every 5 hours '0 */5 _ * _' (default: \"0 */12 * * *\")"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-snapshot-retention"})," value"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:"Number of snapshots to retain (default: 5)"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-snapshot-dir"})," value"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:"Directory to save db snapshots (default: ${data-dir}/db/snapshots)"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--etcd-s3"})}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:"Enable backup to S3"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-s3-endpoint"})," value"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:'S3 endpoint url (default: "s3.amazonaws.com")'})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-s3-endpoint-ca"})," value"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:"S3 custom CA cert to connect to S3 endpoint"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--etcd-s3-skip-ssl-verify"})}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:"Disables S3 SSL certificate validation"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-s3-access-key"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"AWS_ACCESS_KEY_ID"})}),(0,r.jsx)(s.td,{children:"S3 access key"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-s3-secret-key"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"AWS_SECRET_ACCESS_KEY"})}),(0,r.jsx)(s.td,{children:"S3 secret key"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-s3-bucket"})," value"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:"S3 bucket name"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-s3-region"})," value"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:'S3 region / bucket location (optional) (default: "us-east-1")'})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-s3-folder"})," value"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:"S3 folder"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--etcd-s3-insecure"})}),(0,r.jsx)(s.td,{children:"Disables S3 over HTTPS"}),(0,r.jsx)(s.td,{})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-s3-timeout"})," value"]}),(0,r.jsx)(s.td,{children:"S3 timeout (default: 5m0s)"}),(0,r.jsx)(s.td,{})]})]})]}),"\n",(0,r.jsx)(s.h3,{id:"cluster-options",children:"Cluster Options"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Environment Variable"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--token"})," value, ",(0,r.jsx)(s.code,{children:"-t"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_TOKEN"})}),(0,r.jsx)(s.td,{children:"Shared secret used to join a server or agent to a cluster"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--token-file"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_TOKEN_FILE"})}),(0,r.jsx)(s.td,{children:"File containing the cluster-secret/token"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--agent-token"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_AGENT_TOKEN"})}),(0,r.jsx)(s.td,{children:"Shared secret used to join agents to the cluster, but not servers"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--agent-token-file"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_AGENT_TOKEN_FILE"})}),(0,r.jsx)(s.td,{children:"File containing the agent secret"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--server"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_URL"})}),(0,r.jsx)(s.td,{children:"Server to connect to, used to join a cluster"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--cluster-init"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_CLUSTER_INIT"})}),(0,r.jsx)(s.td,{children:"Initialize a new cluster using embedded Etcd"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--cluster-reset"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_CLUSTER_RESET"})}),(0,r.jsx)(s.td,{children:"Forget all peers and become sole member of a new cluster"})]})]})]}),"\n",(0,r.jsx)(s.h3,{id:"admin-kubeconfig-options",children:"Admin Kubeconfig Options"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Environment Variable"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--write-kubeconfig value, -o"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_KUBECONFIG_OUTPUT"})}),(0,r.jsx)(s.td,{children:"Write kubeconfig for admin client to this file"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--write-kubeconfig-mode"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_KUBECONFIG_MODE"})}),(0,r.jsxs)(s.td,{children:["Write kubeconfig with this ",(0,r.jsx)(s.a,{href:"https://en.wikipedia.org/wiki/Chmod",children:"mode."})," The kubeconfig file is owned by root, and written with a default mode of 600. Changing the mode to 644 will allow it to be read by other unprivileged users on the host."]})]})]})]}),"\n",(0,r.jsx)(s.h2,{id:"advanced-options",children:"Advanced Options"}),"\n",(0,r.jsx)(s.h3,{id:"logging",children:"Logging"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Default"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--debug"})}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:"Turn on debug logs"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"-v"})," value"]}),(0,r.jsx)(s.td,{children:"0"}),(0,r.jsx)(s.td,{children:"Number for the log level verbosity"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--vmodule"})," value"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:"Comma-separated list of FILE_PATTERN=LOG_LEVEL settings for file-filtered logging"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--log value, -l"})," value"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:"Log to file"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--alsologtostderr"})}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:"Log to standard error as well as file (if set)"})]})]})]}),"\n",(0,r.jsx)(s.h3,{id:"listeners",children:"Listeners"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Default"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--bind-address"})," value"]}),(0,r.jsx)(s.td,{children:"0.0.0.0"}),(0,r.jsx)(s.td,{children:"k3s bind address"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--https-listen-port"})," value"]}),(0,r.jsx)(s.td,{children:"6443"}),(0,r.jsx)(s.td,{children:"HTTPS listen port"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--advertise-address"})," value"]}),(0,r.jsx)(s.td,{children:"node-external-ip/node-ip"}),(0,r.jsx)(s.td,{children:"IPv4 address that apiserver uses to advertise to members of the cluster"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--advertise-port"})," value"]}),(0,r.jsx)(s.td,{children:"listen-port/0"}),(0,r.jsx)(s.td,{children:"Port that apiserver uses to advertise to members of the cluster"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--tls-san"})," value"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:"Add additional hostnames or IPv4/IPv6 addresses as Subject Alternative Names on the TLS cert"})]})]})]}),"\n",(0,r.jsx)(s.h3,{id:"data",children:"Data"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Default"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsx)(s.tbody,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--data-dir value, -d"})," value"]}),(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"/var/lib/rancher/k3s"})," or ",(0,r.jsx)(s.code,{children:"${HOME}/.rancher/k3s"})," if not root"]}),(0,r.jsx)(s.td,{children:"Folder to hold state"})]})})]}),"\n",(0,r.jsx)(s.h3,{id:"secrets-encryption",children:"Secrets Encryption"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Default"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsx)(s.tbody,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--secrets-encryption"})}),(0,r.jsx)(s.td,{children:"false"}),(0,r.jsx)(s.td,{children:"Enable Secret encryption at rest"})]})})]}),"\n",(0,r.jsx)(s.h3,{id:"networking",children:"Networking"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Default"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--cluster-cidr"})," value"]}),(0,r.jsx)(s.td,{children:'"10.42.0.0/16"'}),(0,r.jsx)(s.td,{children:"IPv4/IPv6 network CIDRs to use for pod IPs"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--service-cidr"})," value"]}),(0,r.jsx)(s.td,{children:'"10.43.0.0/16"'}),(0,r.jsx)(s.td,{children:"IPv4/IPv6 network CIDRs to use for service IPs"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--service-node-port-range"})," value"]}),(0,r.jsx)(s.td,{children:'"30000-32767"'}),(0,r.jsx)(s.td,{children:"Port range to reserve for services with NodePort visibility"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--cluster-dns"})," value"]}),(0,r.jsx)(s.td,{children:'"10.43.0.10"'}),(0,r.jsx)(s.td,{children:"IPv4 Cluster IP for coredns service. Should be in your service-cidr range"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--cluster-domain"})," value"]}),(0,r.jsx)(s.td,{children:'"cluster.local"'}),(0,r.jsx)(s.td,{children:"Cluster Domain"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--flannel-backend"})," value"]}),(0,r.jsx)(s.td,{children:'"vxlan"'}),(0,r.jsx)(s.td,{children:"One of 'none', 'vxlan', 'ipsec'(deprecated), 'host-gw', 'wireguard-native', or 'wireguard'(deprecated)"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--flannel-ipv6-masq"})}),(0,r.jsx)(s.td,{children:'"N/A"'}),(0,r.jsx)(s.td,{children:"Enable IPv6 masquerading for pod"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--flannel-external-ip"})}),(0,r.jsx)(s.td,{children:'"N/A"'}),(0,r.jsx)(s.td,{children:"Use node external IP addresses for Flannel traffic"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--servicelb-namespace"})," value"]}),(0,r.jsx)(s.td,{children:'"kube-system"'}),(0,r.jsx)(s.td,{children:"Namespace of the pods for the servicelb component"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--egress-selector-mode"})," value"]}),(0,r.jsx)(s.td,{children:'"agent"'}),(0,r.jsxs)(s.td,{children:["Must be one of the following: ",(0,r.jsxs)("ul",{children:[(0,r.jsx)("li",{children:"disabled: The apiserver does not use agent tunnels to communicate with nodes. Requires that servers run agents, and have direct connectivity to the kubelet on agents, or the apiserver will not be able to function access service endpoints or perform kubectl exec and kubectl logs."}),(0,r.jsx)("li",{children:"agent: The apiserver uses agent tunnels to communicate with nodes. Nodes allow the tunnel connection from loopback addresses. Requires that servers also run agents, or the apiserver will not be able to access service endpoints. The historical default for k3s."}),(0,r.jsx)("li",{children:" pod: The apiserver uses agent tunnels to communicate with nodes and service endpoints, routing endpoint connections to the correct agent by watching Nodes. Nodes allow the tunnel connection from loopback addresses, or a CIDR assigned to their node."}),(0,r.jsx)("li",{children:" cluster: The apiserver uses agent tunnels to communicate with nodes and service endpoints, routing endpoint connections to the correct agent by watching Endpoints. Nodes allow the tunnel connection from loopback addresses, or the configured cluster CIDR range."})]})]})]})]})]}),"\n",(0,r.jsx)(s.h3,{id:"storage-class",children:"Storage Class"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsx)(s.tbody,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--default-local-storage-path"})," value"]}),(0,r.jsx)(s.td,{children:"Default local storage path for local provisioner storage class"})]})})]}),"\n",(0,r.jsx)(s.h3,{id:"kubernetes-components",children:"Kubernetes Components"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--disable"})," value"]}),(0,r.jsxs)(s.td,{children:['See "',(0,r.jsxs)(s.a,{href:"/kr/installation/packaged-components#using-the---disable-flag",children:["Using the ",(0,r.jsx)(s.code,{children:"--disable"})," flag"]}),'"']})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--disable-scheduler"})}),(0,r.jsx)(s.td,{children:"Disable Kubernetes default scheduler"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--disable-cloud-controller"})}),(0,r.jsx)(s.td,{children:"Disable k3s default cloud controller manager"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--disable-kube-proxy"})}),(0,r.jsx)(s.td,{children:"Disable running kube-proxy"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--disable-network-policy"})}),(0,r.jsx)(s.td,{children:"Disable k3s default network policy controller"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--disable-helm-controller"})}),(0,r.jsx)(s.td,{children:"Disable Helm controller"})]})]})]}),"\n",(0,r.jsx)(s.h3,{id:"customized-flags-for-kubernetes-processes",children:"Customized Flags for Kubernetes Processes"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-arg"})," value"]}),(0,r.jsx)(s.td,{children:"Customized flag for etcd process"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--kube-apiserver-arg"})," value"]}),(0,r.jsx)(s.td,{children:"Customized flag for kube-apiserver process"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--kube-scheduler-arg"})," value"]}),(0,r.jsx)(s.td,{children:"Customized flag for kube-scheduler process"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--kube-controller-manager-arg"})," value"]}),(0,r.jsx)(s.td,{children:"Customized flag for kube-controller-manager process"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--kube-cloud-controller-manager-arg"})," value"]}),(0,r.jsx)(s.td,{children:"Customized flag for kube-cloud-controller-manager process"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--kubelet-arg"})," value"]}),(0,r.jsx)(s.td,{children:"Customized flag for kubelet process"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--kube-proxy-arg"})," value"]}),(0,r.jsx)(s.td,{children:"Customized flag for kube-proxy process"})]})]})]}),"\n",(0,r.jsx)(s.h3,{id:"experimental-options",children:"Experimental Options"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--rootless"})}),(0,r.jsx)(s.td,{children:"Run rootless"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--enable-pprof"})}),(0,r.jsx)(s.td,{children:"Enable pprof endpoint on supervisor port"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--docker"})}),(0,r.jsx)(s.td,{children:"Use cri-dockerd instead of containerd"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--prefer-bundled-bin"})}),(0,r.jsx)(s.td,{children:"Prefer bundled userspace binaries over host binaries"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--disable-agent"})}),(0,r.jsxs)(s.td,{children:['See "',(0,r.jsx)(s.a,{href:"/kr/advanced#%EC%97%90%EC%9D%B4%EC%A0%84%ED%8A%B8-%EC%97%86%EB%8A%94-%EC%84%9C%EB%B2%84-%EC%8B%A4%ED%96%89%ED%95%98%EA%B8%B0%EC%8B%A4%ED%97%98%EC%A0%81",children:"Running Agentless Servers (Experimental)"}),'"']})]})]})]}),"\n",(0,r.jsx)(s.h3,{id:"deprecated-options",children:"Deprecated Options"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Environment Variable"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--no-flannel"})}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsxs)(s.td,{children:["Use ",(0,r.jsx)(s.code,{children:"--flannel-backend=none"})]})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--no-deploy"})," value"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsxs)(s.td,{children:["Use ",(0,r.jsx)(s.code,{children:"--disable"})]})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--cluster-secret"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_CLUSTER_SECRET"})}),(0,r.jsxs)(s.td,{children:["Use ",(0,r.jsx)(s.code,{children:"--token"})]})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--flannel-backend"})," wireguard"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsxs)(s.td,{children:["Use ",(0,r.jsx)(s.code,{children:"--flannel-backend=wireguard-native"})]})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--flannel-backend"})," value=option1=value"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsxs)(s.td,{children:["Use ",(0,r.jsx)(s.code,{children:"--flannel-conf"})," to specify the flannel config file with the backend config"]})]})]})]}),"\n",(0,r.jsx)(s.h1,{id:"k3s-server-cli-help",children:"K3s Server CLI Help"}),"\n",(0,r.jsxs)(s.blockquote,{children:["\n",(0,r.jsxs)(s.p,{children:["If an option appears in brackets below, for example ",(0,r.jsx)(s.code,{children:"[$K3S_TOKEN]"}),", it means that the option can be passed in as an environment variable of that name."]}),"\n"]}),"\n",(0,r.jsx)(s.pre,{children:(0,r.jsx)(s.code,{className:"language-bash",children:'NAME:\n k3s server - Run management server\n\nUSAGE:\n k3s server [OPTIONS]\n\nOPTIONS:\n --config FILE, -c FILE (config) Load configuration from FILE (default: "/etc/rancher/k3s/config.yaml") [$K3S_CONFIG_FILE]\n --debug (logging) Turn on debug logs [$K3S_DEBUG]\n -v value (logging) Number for the log level verbosity (default: 0)\n --vmodule value (logging) Comma-separated list of FILE_PATTERN=LOG_LEVEL settings for file-filtered logging\n --log value, -l value (logging) Log to file\n --alsologtostderr (logging) Log to standard error as well as file (if set)\n --bind-address value (listener) k3s bind address (default: 0.0.0.0)\n --https-listen-port value (listener) HTTPS listen port (default: 6443)\n --advertise-address value (listener) IPv4 address that apiserver uses to advertise to members of the cluster (default: node-external-ip/node-ip)\n --advertise-port value (listener) Port that apiserver uses to advertise to members of the cluster (default: listen-port) (default: 0)\n --tls-san value (listener) Add additional hostnames or IPv4/IPv6 addresses as Subject Alternative Names on the server TLS cert\n --data-dir value, -d value (data) Folder to hold state (default: /var/lib/rancher/k3s or $\\{HOME\\}/.rancher/k3s if not root)\n --cluster-cidr value (networking) IPv4/IPv6 network CIDRs to use for pod IPs (default: 10.42.0.0/16)\n --service-cidr value (networking) IPv4/IPv6 network CIDRs to use for service IPs (default: 10.43.0.0/16)\n --service-node-port-range value (networking) Port range to reserve for services with NodePort visibility (default: "30000-32767")\n --cluster-dns value (networking) IPv4 Cluster IP for coredns service. Should be in your service-cidr range (default: 10.43.0.10)\n --cluster-domain value (networking) Cluster Domain (default: "cluster.local")\n --flannel-backend value (networking) backend<=option1=val1,option2=val2> where backend is one of \'none\', \'vxlan\', \'ipsec\' (deprecated), \'host-gw\', \'wireguard-native\', \'wireguard\' (deprecated) (default: "vxlan")\n --flannel-ipv6-masq (networking) Enable IPv6 masquerading for pod\n --flannel-external-ip (networking) Use node external IP addresses for Flannel traffic\n --egress-selector-mode value (networking) One of \'agent\', \'cluster\', \'pod\', \'disabled\' (default: "agent")\n --servicelb-namespace value (networking) Namespace of the pods for the servicelb component (default: "kube-system")\n --write-kubeconfig value, -o value (client) Write kubeconfig for admin client to this file [$K3S_KUBECONFIG_OUTPUT]\n --write-kubeconfig-mode value (client) Write kubeconfig with this mode [$K3S_KUBECONFIG_MODE]\n --token value, -t value (cluster) Shared secret used to join a server or agent to a cluster [$K3S_TOKEN]\n --token-file value (cluster) File containing the token [$K3S_TOKEN_FILE]\n --agent-token value (cluster) Shared secret used to join agents to the cluster, but not servers [$K3S_AGENT_TOKEN]\n --agent-token-file value (cluster) File containing the agent secret [$K3S_AGENT_TOKEN_FILE]\n --server value, -s value (cluster) Server to connect to, used to join a cluster [$K3S_URL]\n --cluster-init (cluster) Initialize a new cluster using embedded Etcd [$K3S_CLUSTER_INIT]\n --cluster-reset (cluster) Forget all peers and become sole member of a new cluster [$K3S_CLUSTER_RESET]\n --cluster-reset-restore-path value (db) Path to snapshot file to be restored\n --kube-apiserver-arg value (flags) Customized flag for kube-apiserver process\n --etcd-arg value (flags) Customized flag for etcd process\n --kube-controller-manager-arg value (flags) Customized flag for kube-controller-manager process\n --kube-scheduler-arg value (flags) Customized flag for kube-scheduler process\n --kube-cloud-controller-manager-arg value (flags) Customized flag for kube-cloud-controller-manager process\n --datastore-endpoint value (db) Specify etcd, Mysql, Postgres, or Sqlite (default) data source name [$K3S_DATASTORE_ENDPOINT]\n --datastore-cafile value (db) TLS Certificate Authority file used to secure datastore backend communication [$K3S_DATASTORE_CAFILE]\n --datastore-certfile value (db) TLS certification file used to secure datastore backend communication [$K3S_DATASTORE_CERTFILE]\n --datastore-keyfile value (db) TLS key file used to secure datastore backend communication [$K3S_DATASTORE_KEYFILE]\n --etcd-expose-metrics (db) Expose etcd metrics to client interface. (default: false)\n --etcd-disable-snapshots (db) Disable automatic etcd snapshots\n --etcd-snapshot-name value (db) Set the base name of etcd snapshots (default: etcd-snapshot-) (default: "etcd-snapshot")\n --etcd-snapshot-schedule-cron value (db) Snapshot interval time in cron spec. eg. every 5 hours \'* */5 * * *\' (default: "0 */12 * * *")\n --etcd-snapshot-retention value (db) Number of snapshots to retain (default: 5)\n --etcd-snapshot-dir value (db) Directory to save db snapshots. (default: $\\{data-dir\\}/db/snapshots)\n --etcd-snapshot-compress (db) Compress etcd snapshot\n --etcd-s3 (db) Enable backup to S3\n --etcd-s3-endpoint value (db) S3 endpoint url (default: "s3.amazonaws.com")\n --etcd-s3-endpoint-ca value (db) S3 custom CA cert to connect to S3 endpoint\n --etcd-s3-skip-ssl-verify (db) Disables S3 SSL certificate validation\n --etcd-s3-access-key value (db) S3 access key [$AWS_ACCESS_KEY_ID]\n --etcd-s3-secret-key value (db) S3 secret key [$AWS_SECRET_ACCESS_KEY]\n --etcd-s3-bucket value (db) S3 bucket name\n --etcd-s3-region value (db) S3 region / bucket location (optional) (default: "us-east-1")\n --etcd-s3-folder value (db) S3 folder\n --etcd-s3-insecure (db) Disables S3 over HTTPS\n --etcd-s3-timeout value (db) S3 timeout (default: 5m0s)\n --default-local-storage-path value (storage) Default local storage path for local provisioner storage class\n --disable value (components) Do not deploy packaged components and delete any deployed components (valid items: coredns, servicelb, traefik, local-storage, metrics-server)\n --disable-scheduler (components) Disable Kubernetes default scheduler\n --disable-cloud-controller (components) Disable k3s default cloud controller manager\n --disable-kube-proxy (components) Disable running kube-proxy\n --disable-network-policy (components) Disable k3s default network policy controller\n --disable-helm-controller (components) Disable Helm controller\n --node-name value (agent/node) Node name [$K3S_NODE_NAME]\n --with-node-id (agent/node) Append id to node name\n --node-label value (agent/node) Registering and starting kubelet with set of labels\n --node-taint value (agent/node) Registering kubelet with set of taints\n --image-credential-provider-bin-dir value (agent/node) The path to the directory where credential provider plugin binaries are located (default: "/var/lib/rancher/credentialprovider/bin")\n --image-credential-provider-config value (agent/node) The path to the credential provider plugin config file (default: "/var/lib/rancher/credentialprovider/config.yaml")\n --docker (agent/runtime) (experimental) Use cri-dockerd instead of containerd\n --container-runtime-endpoint value (agent/runtime) Disable embedded containerd and use the CRI socket at the given path; when used with --docker this sets the docker socket path\n --pause-image value (agent/runtime) Customized pause image for containerd or docker sandbox (default: "rancher/mirrored-pause:3.6")\n --snapshotter value (agent/runtime) Override default containerd snapshotter (default: "overlayfs")\n --private-registry value (agent/runtime) Private registry configuration file (default: "/etc/rancher/k3s/registries.yaml")\n --system-default-registry value (agent/runtime) Private registry to be used for all system images [$K3S_SYSTEM_DEFAULT_REGISTRY]\n --node-ip value, -i value (agent/networking) IPv4/IPv6 addresses to advertise for node\n --node-external-ip value (agent/networking) IPv4/IPv6 external IP addresses to advertise for node\n --resolv-conf value (agent/networking) Kubelet resolv.conf file [$K3S_RESOLV_CONF]\n --flannel-iface value (agent/networking) Override default flannel interface\n --flannel-conf value (agent/networking) Override default flannel config file\n --flannel-cni-conf value (agent/networking) Override default flannel cni config file\n --kubelet-arg value (agent/flags) Customized flag for kubelet process\n --kube-proxy-arg value (agent/flags) Customized flag for kube-proxy process\n --protect-kernel-defaults (agent/node) Kernel tuning behavior. If set, error if kernel tunables are different than kubelet defaults.\n --secrets-encryption Enable secret encryption at rest\n --enable-pprof (experimental) Enable pprof endpoint on supervisor port\n --rootless (experimental) Run rootless\n --prefer-bundled-bin (experimental) Prefer bundled userspace binaries over host binaries\n --selinux (agent/node) Enable SELinux in containerd [$K3S_SELINUX]\n --lb-server-port value (agent/node) Local port for supervisor client load-balancer. If the supervisor and apiserver are not colocated an additional port 1 less than this port will also be used for the apiserver client load-balancer. (default: 6444) [$K3S_LB_SERVER_PORT]\n'})})]})}function h(e={}){const{wrapper:s}={...(0,t.a)(),...e.components};return s?(0,r.jsx)(s,{...e,children:(0,r.jsx)(a,{...e})}):a(e)}},1151:(e,s,n)=>{n.d(s,{Z:()=>i,a:()=>l});var r=n(7294);const t={},d=r.createContext(t);function l(e){const s=r.useContext(d);return r.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function i(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:l(e.components),r.createElement(d.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/255.92d4592e.js b/kr/assets/js/255.8724ba33.js similarity index 99% rename from kr/assets/js/255.92d4592e.js rename to kr/assets/js/255.8724ba33.js index db2964b89..b303b4f0a 100644 --- a/kr/assets/js/255.92d4592e.js +++ b/kr/assets/js/255.8724ba33.js @@ -1790,7 +1790,7 @@ function preorder(g, vs) { } // EXTERNAL MODULE: ./node_modules/dagre-d3-es/src/graphlib/graph.js + 9 modules -var graph = __webpack_require__(2544); +var graph = __webpack_require__(4404); ;// CONCATENATED MODULE: ./node_modules/dagre-d3-es/src/graphlib/alg/prim.js @@ -4353,7 +4353,7 @@ function canonicalize(attrs) { /***/ }), -/***/ 2544: +/***/ 4404: /***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => { @@ -5166,7 +5166,7 @@ function edgeObjToId(isDirected, edgeObj) { /* harmony export */ k: () => (/* reexport safe */ _graph_js__WEBPACK_IMPORTED_MODULE_0__.k) /* harmony export */ }); /* unused harmony export version */ -/* harmony import */ var _graph_js__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(2544); +/* harmony import */ var _graph_js__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(4404); // Includes only the "core" of graphlib @@ -5234,7 +5234,7 @@ function clone(value) { // EXTERNAL MODULE: ./node_modules/lodash-es/map.js var map = __webpack_require__(3836); // EXTERNAL MODULE: ./node_modules/dagre-d3-es/src/graphlib/graph.js + 9 modules -var graph = __webpack_require__(2544); +var graph = __webpack_require__(4404); ;// CONCATENATED MODULE: ./node_modules/dagre-d3-es/src/graphlib/json.js diff --git a/kr/assets/js/289875c4.58dc5d8c.js b/kr/assets/js/289875c4.58dc5d8c.js deleted file mode 100644 index fe1ef4744..000000000 --- a/kr/assets/js/289875c4.58dc5d8c.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[6687],{9481:(e,r,i)=>{i.r(r),i.d(r,{assets:()=>l,contentTitle:()=>s,default:()=>h,frontMatter:()=>a,metadata:()=>o,toc:()=>d});var t=i(5893),n=i(1151);const a={title:"Embedded Registry Mirror"},s=void 0,o={id:"installation/registry-mirror",title:"Embedded Registry Mirror",description:"The Embedded Registry Mirror is available as an experimental feature as of January 2024 releases: v1.26.13+k3s1, v1.27.10+k3s1, v1.28.6+k3s1, v1.29.1+k3s1",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/installation/registry-mirror.md",sourceDirName:"installation",slug:"/installation/registry-mirror",permalink:"/kr/installation/registry-mirror",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/registry-mirror.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Embedded Registry Mirror"},sidebar:"mySidebar",previous:{title:"Private Registry Configuration",permalink:"/kr/installation/private-registry"},next:{title:"Air-Gap Install",permalink:"/kr/installation/airgap"}},l={},d=[{value:"Enabling The Distributed OCI Registry Mirror",id:"enabling-the-distributed-oci-registry-mirror",level:2},{value:"Requirements",id:"requirements",level:3},{value:"Enabling Registry Mirroring",id:"enabling-registry-mirroring",level:2},{value:"Default Endpoint Fallback",id:"default-endpoint-fallback",level:3},{value:"Security",id:"security",level:2},{value:"Authentication",id:"authentication",level:3},{value:"Potential Concerns",id:"potential-concerns",level:3},{value:"Sharing Air-gap or Manually Loaded Images",id:"sharing-air-gap-or-manually-loaded-images",level:2},{value:"Pushing Images",id:"pushing-images",level:2}];function c(e){const r={a:"a",admonition:"admonition",code:"code",h2:"h2",h3:"h3",p:"p",pre:"pre",...(0,n.a)(),...e.components};return(0,t.jsxs)(t.Fragment,{children:[(0,t.jsx)(r.admonition,{title:"Version Gate",type:"info",children:(0,t.jsx)(r.p,{children:"The Embedded Registry Mirror is available as an experimental feature as of January 2024 releases: v1.26.13+k3s1, v1.27.10+k3s1, v1.28.6+k3s1, v1.29.1+k3s1"})}),"\n",(0,t.jsxs)(r.p,{children:["K3s embeds ",(0,t.jsx)(r.a,{href:"https://github.com/XenitAB/spegel",children:"Spegel"}),", a stateless distributed OCI registry mirror that allows peer-to-peer sharing of container images between nodes in a Kubernetes cluster.\nThe distributed registry mirror is disabled by default."]}),"\n",(0,t.jsx)(r.h2,{id:"enabling-the-distributed-oci-registry-mirror",children:"Enabling The Distributed OCI Registry Mirror"}),"\n",(0,t.jsxs)(r.p,{children:["In order to enable the embedded registry mirror, server nodes must be started with the ",(0,t.jsx)(r.code,{children:"--embedded-registry"})," flag, or with ",(0,t.jsx)(r.code,{children:"embedded-registry: true"})," in the configuration file.\nThis option enables the embedded mirror for use on all nodes in the cluster."]}),"\n",(0,t.jsxs)(r.p,{children:["When enabled at a cluster level, all nodes will host a local OCI registry on port 6443,\nand publish a list of available images via a peer to peer network on port 5001.\nAny image available in the containerd image store on any node, can be pulled by other cluster members without access to an external registry.\nImages imported via ",(0,t.jsx)(r.a,{href:"/kr/installation/airgap#manually-deploy-images-method",children:"air-gap image tar files"})," are pinned in containerd to\nensure that they remain available and are not pruned by Kubelet garbage collection."]}),"\n",(0,t.jsx)(r.h3,{id:"requirements",children:"Requirements"}),"\n",(0,t.jsx)(r.p,{children:"When the embedded registry mirror is enabled, all nodes must be able to reach each other via their internal IP addresses, on TCP ports 5001 and 6443.\nIf nodes cannot reach each other, it may take longer for images to be pulled, as the distributed registry will be tried first by containerd, before it falls back to other endpoints."}),"\n",(0,t.jsx)(r.h2,{id:"enabling-registry-mirroring",children:"Enabling Registry Mirroring"}),"\n",(0,t.jsx)(r.p,{children:"Enabling mirroring for a registry allows a node to both pull images from that registry from other nodes, and share the registry's images with other nodes.\nIf a registry is enabled for mirroring on some nodes, but not on others, only the nodes with the registry enabled will exchange images from that registry."}),"\n",(0,t.jsxs)(r.p,{children:["In order to enable mirroring of images from an upstream container registry, nodes must have an entry in the ",(0,t.jsx)(r.code,{children:"mirrors"})," section of ",(0,t.jsx)(r.code,{children:"registries.yaml"})," for that registry.\nThe registry does not need to have any endpoints listed, it just needs to be present.\nFor example, to enable distributed mirroring of images from ",(0,t.jsx)(r.code,{children:"docker.io"})," and ",(0,t.jsx)(r.code,{children:"registry.k8s.io"}),", configure ",(0,t.jsx)(r.code,{children:"registries.yaml"})," with the following content on all cluster nodes:"]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:"mirrors:\n docker.io:\n registry.k8s.io:\n"})}),"\n",(0,t.jsxs)(r.p,{children:["Endpoints for registry mirrors may also be added as usual.\nIn the following configuration, images pull attempts will first try the embedded mirror, then ",(0,t.jsx)(r.code,{children:"mirror.example.com"}),", then finally ",(0,t.jsx)(r.code,{children:"docker.io"}),":"]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:"mirrors:\n docker.io:\n endpoint:\n - https://mirror.example.com\n"})}),"\n",(0,t.jsx)(r.p,{children:"If you are using a private registry directly, instead of as a mirror for an upstream registry, you may enable distributed mirroring in the same way public\nregistries are enabled - by listing it in the mirrors section:"}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:"mirrors:\n mirror.example.com:\n"})}),"\n",(0,t.jsx)(r.p,{children:"If no registries are enabled for mirroring on a node, that node does not participate in the distributed registry in any capacity."}),"\n",(0,t.jsxs)(r.p,{children:["For more information on the structure of the ",(0,t.jsx)(r.code,{children:"registries.yaml"})," file, see ",(0,t.jsx)(r.a,{href:"/kr/installation/private-registry",children:"Private Registry Configuration"}),"."]}),"\n",(0,t.jsx)(r.h3,{id:"default-endpoint-fallback",children:"Default Endpoint Fallback"}),"\n",(0,t.jsxs)(r.p,{children:["By default, containerd will fall back to the default endpoint when pulling from registries with mirror endpoints configured. If you want to disable this,\nand only pull images from the configured mirrors and/or the embedded mirror, see the ",(0,t.jsx)(r.a,{href:"/kr/installation/private-registry#default-endpoint-fallback",children:"Default Endpoint Fallback"}),"\nsection of the Private Registry Configuration documentation."]}),"\n",(0,t.jsxs)(r.p,{children:["Note that if you are using the ",(0,t.jsx)(r.code,{children:"--disable-default-endpoint"})," option and want to allow pulling directly from a particular registry, while disallowing the rest,\nyou can explicitly provide an endpoint in order to allow the image pull to fall back to the registry itself:"]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:"mirrors:\n docker.io: # no default endpoint, pulls will fail if not available on a node\n registry.k8s.io: # no default endpoint, pulls will fail if not available on a node\n mirror.example.com: # explicit default endpoint, can pull from upstream if not available on a node\n endpoint:\n - https://mirror.example.com\n"})}),"\n",(0,t.jsx)(r.h2,{id:"security",children:"Security"}),"\n",(0,t.jsx)(r.h3,{id:"authentication",children:"Authentication"}),"\n",(0,t.jsx)(r.p,{children:"Access to the embedded mirror's registry API requires a valid client certificate, signed by the cluster's client certificate authority."}),"\n",(0,t.jsx)(r.p,{children:"Access to the distributed hash table's peer-to-peer network requires a preshared key that is controlled by server nodes.\nNodes authenticate each other using both the preshared key, and a certificate signed by the cluster certificate authority."}),"\n",(0,t.jsx)(r.h3,{id:"potential-concerns",children:"Potential Concerns"}),"\n",(0,t.jsx)(r.admonition,{type:"warning",children:(0,t.jsx)(r.p,{children:"The distributed registry is built on peer-to-peer principles, and assumes an equal level of privilege and trust between all cluster members.\nIf this does not match your cluster's security posture, you should not enable the embedded distributed registry."})}),"\n",(0,t.jsxs)(r.p,{children:["The embedded registry may make available images that a node may not otherwise have access to.\nFor example, if some of your images are pulled from a registry, project, or repository that requires authentication via Kubernetes Image Pull Secrets, or credentials in ",(0,t.jsx)(r.code,{children:"registries.yaml"}),",\nthe distributed registry will allow other nodes to share those images without providing any credentials to the upstream registry."]}),"\n",(0,t.jsx)(r.p,{children:"Users with access to push images into the containerd image store on one node may be able to use this to 'poison' the image for other cluster nodes,\nas other nodes will trust the tag advertised by the node, and use it without checking with the upstream registry.\nIf image integrity is important, you should use image digests instead of tags, as the digest cannot be poisoned in this manner."}),"\n",(0,t.jsx)(r.h2,{id:"sharing-air-gap-or-manually-loaded-images",children:"Sharing Air-gap or Manually Loaded Images"}),"\n",(0,t.jsxs)(r.p,{children:["Images sharing is controlled based on the source registry.\nImages loaded directly into containerd via air-gap tarballs, or loaded directly into containerd's image store using the ",(0,t.jsx)(r.code,{children:"ctr"})," command line tool,\nwill be shared between nodes if they are tagged as being from a registry that is enabled for mirroring."]}),"\n",(0,t.jsxs)(r.p,{children:["Note that the upstream registry that the images appear to come from does not actually have to exist or be reachable.\nFor example, you could tag images as being from a fictitious upstream registry, and import those images into containerd's image store.\nYou would then be able to pull those images from all cluster members, as long as that registry is listed in ",(0,t.jsx)(r.code,{children:"registries.yaml"})]}),"\n",(0,t.jsx)(r.h2,{id:"pushing-images",children:"Pushing Images"}),"\n",(0,t.jsxs)(r.p,{children:["The embedded registry is read-only, and cannot be pushed to directly using ",(0,t.jsx)(r.code,{children:"docker push"})," or other common tools that interact with OCI registries."]}),"\n",(0,t.jsxs)(r.p,{children:["Images can be manually made available via the embedded registry by running ",(0,t.jsx)(r.code,{children:"ctr -n k8s.io image pull"})," to pull an image,\nor by loading image archives via the ",(0,t.jsx)(r.code,{children:"ctr -n k8s.io import"})," or ",(0,t.jsx)(r.code,{children:"ctr -n k8s.io load"})," commands.\nNote that the ",(0,t.jsx)(r.code,{children:"k8s.io"})," namespace must be specified when managing images via ",(0,t.jsx)(r.code,{children:"ctr"})," in order for them to be visible to the kubelet."]})]})}function h(e={}){const{wrapper:r}={...(0,n.a)(),...e.components};return r?(0,t.jsx)(r,{...e,children:(0,t.jsx)(c,{...e})}):c(e)}},1151:(e,r,i)=>{i.d(r,{Z:()=>o,a:()=>s});var t=i(7294);const n={},a=t.createContext(n);function s(e){const r=t.useContext(a);return t.useMemo((function(){return"function"==typeof e?e(r):{...r,...e}}),[r,e])}function o(e){let r;return r=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:s(e.components),t.createElement(a.Provider,{value:r},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/289875c4.d86a86f4.js b/kr/assets/js/289875c4.d86a86f4.js new file mode 100644 index 000000000..4e245f2de --- /dev/null +++ b/kr/assets/js/289875c4.d86a86f4.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[6687],{9481:(e,r,i)=>{i.r(r),i.d(r,{assets:()=>l,contentTitle:()=>s,default:()=>h,frontMatter:()=>a,metadata:()=>o,toc:()=>d});var t=i(5893),n=i(1151);const a={title:"Embedded Registry Mirror"},s=void 0,o={id:"installation/registry-mirror",title:"Embedded Registry Mirror",description:"The Embedded Registry Mirror is available as an experimental feature as of January 2024 releases: v1.26.13+k3s1, v1.27.10+k3s1, v1.28.6+k3s1, v1.29.1+k3s1",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/installation/registry-mirror.md",sourceDirName:"installation",slug:"/installation/registry-mirror",permalink:"/kr/installation/registry-mirror",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/registry-mirror.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Embedded Registry Mirror"},sidebar:"mySidebar",previous:{title:"Private Registry Configuration",permalink:"/kr/installation/private-registry"},next:{title:"Air-Gap Install",permalink:"/kr/installation/airgap"}},l={},d=[{value:"Enabling The Distributed OCI Registry Mirror",id:"enabling-the-distributed-oci-registry-mirror",level:2},{value:"Requirements",id:"requirements",level:3},{value:"Enabling Registry Mirroring",id:"enabling-registry-mirroring",level:2},{value:"Default Endpoint Fallback",id:"default-endpoint-fallback",level:3},{value:"Security",id:"security",level:2},{value:"Authentication",id:"authentication",level:3},{value:"Potential Concerns",id:"potential-concerns",level:3},{value:"Sharing Air-gap or Manually Loaded Images",id:"sharing-air-gap-or-manually-loaded-images",level:2},{value:"Pushing Images",id:"pushing-images",level:2}];function c(e){const r={a:"a",admonition:"admonition",code:"code",h2:"h2",h3:"h3",p:"p",pre:"pre",...(0,n.a)(),...e.components};return(0,t.jsxs)(t.Fragment,{children:[(0,t.jsx)(r.admonition,{title:"Version Gate",type:"info",children:(0,t.jsx)(r.p,{children:"The Embedded Registry Mirror is available as an experimental feature as of January 2024 releases: v1.26.13+k3s1, v1.27.10+k3s1, v1.28.6+k3s1, v1.29.1+k3s1"})}),"\n",(0,t.jsxs)(r.p,{children:["K3s embeds ",(0,t.jsx)(r.a,{href:"https://github.com/XenitAB/spegel",children:"Spegel"}),", a stateless distributed OCI registry mirror that allows peer-to-peer sharing of container images between nodes in a Kubernetes cluster.\nThe distributed registry mirror is disabled by default."]}),"\n",(0,t.jsx)(r.h2,{id:"enabling-the-distributed-oci-registry-mirror",children:"Enabling The Distributed OCI Registry Mirror"}),"\n",(0,t.jsxs)(r.p,{children:["In order to enable the embedded registry mirror, server nodes must be started with the ",(0,t.jsx)(r.code,{children:"--embedded-registry"})," flag, or with ",(0,t.jsx)(r.code,{children:"embedded-registry: true"})," in the configuration file.\nThis option enables the embedded mirror for use on all nodes in the cluster."]}),"\n",(0,t.jsxs)(r.p,{children:["When enabled at a cluster level, all nodes will host a local OCI registry on port 6443,\nand publish a list of available images via a peer to peer network on port 5001.\nAny image available in the containerd image store on any node, can be pulled by other cluster members without access to an external registry.\nImages imported via ",(0,t.jsx)(r.a,{href:"/kr/installation/airgap#manually-deploy-images-method",children:"air-gap image tar files"})," are pinned in containerd to\nensure that they remain available and are not pruned by Kubelet garbage collection."]}),"\n",(0,t.jsx)(r.h3,{id:"requirements",children:"Requirements"}),"\n",(0,t.jsx)(r.p,{children:"When the embedded registry mirror is enabled, all nodes must be able to reach each other via their internal IP addresses, on TCP ports 5001 and 6443.\nIf nodes cannot reach each other, it may take longer for images to be pulled, as the distributed registry will be tried first by containerd, before it falls back to other endpoints."}),"\n",(0,t.jsx)(r.h2,{id:"enabling-registry-mirroring",children:"Enabling Registry Mirroring"}),"\n",(0,t.jsx)(r.p,{children:"Enabling mirroring for a registry allows a node to both pull images from that registry from other nodes, and share the registry's images with other nodes.\nIf a registry is enabled for mirroring on some nodes, but not on others, only the nodes with the registry enabled will exchange images from that registry."}),"\n",(0,t.jsxs)(r.p,{children:["In order to enable mirroring of images from an upstream container registry, nodes must have an entry in the ",(0,t.jsx)(r.code,{children:"mirrors"})," section of ",(0,t.jsx)(r.code,{children:"registries.yaml"})," for that registry.\nThe registry does not need to have any endpoints listed, it just needs to be present.\nFor example, to enable distributed mirroring of images from ",(0,t.jsx)(r.code,{children:"docker.io"})," and ",(0,t.jsx)(r.code,{children:"registry.k8s.io"}),", configure ",(0,t.jsx)(r.code,{children:"registries.yaml"})," with the following content on all cluster nodes:"]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:"mirrors:\n docker.io:\n registry.k8s.io:\n"})}),"\n",(0,t.jsxs)(r.p,{children:["Endpoints for registry mirrors may also be added as usual.\nIn the following configuration, images pull attempts will first try the embedded mirror, then ",(0,t.jsx)(r.code,{children:"mirror.example.com"}),", then finally ",(0,t.jsx)(r.code,{children:"docker.io"}),":"]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:"mirrors:\n docker.io:\n endpoint:\n - https://mirror.example.com\n"})}),"\n",(0,t.jsx)(r.p,{children:"If you are using a private registry directly, instead of as a mirror for an upstream registry, you may enable distributed mirroring in the same way public\nregistries are enabled - by listing it in the mirrors section:"}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:"mirrors:\n mirror.example.com:\n"})}),"\n",(0,t.jsx)(r.p,{children:"If no registries are enabled for mirroring on a node, that node does not participate in the distributed registry in any capacity."}),"\n",(0,t.jsxs)(r.p,{children:["For more information on the structure of the ",(0,t.jsx)(r.code,{children:"registries.yaml"})," file, see ",(0,t.jsx)(r.a,{href:"/kr/installation/private-registry",children:"Private Registry Configuration"}),"."]}),"\n",(0,t.jsx)(r.h3,{id:"default-endpoint-fallback",children:"Default Endpoint Fallback"}),"\n",(0,t.jsxs)(r.p,{children:["By default, containerd will fall back to the default endpoint when pulling from registries with mirror endpoints configured. If you want to disable this,\nand only pull images from the configured mirrors and/or the embedded mirror, see the ",(0,t.jsx)(r.a,{href:"/kr/installation/private-registry#default-endpoint-fallback",children:"Default Endpoint Fallback"}),"\nsection of the Private Registry Configuration documentation."]}),"\n",(0,t.jsxs)(r.p,{children:["Note that if you are using the ",(0,t.jsx)(r.code,{children:"--disable-default-endpoint"})," option and want to allow pulling directly from a particular registry, while disallowing the rest,\nyou can explicitly provide an endpoint in order to allow the image pull to fall back to the registry itself:"]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:"mirrors:\n docker.io: # no default endpoint, pulls will fail if not available on a node\n registry.k8s.io: # no default endpoint, pulls will fail if not available on a node\n mirror.example.com: # explicit default endpoint, can pull from upstream if not available on a node\n endpoint:\n - https://mirror.example.com\n"})}),"\n",(0,t.jsx)(r.h2,{id:"security",children:"Security"}),"\n",(0,t.jsx)(r.h3,{id:"authentication",children:"Authentication"}),"\n",(0,t.jsx)(r.p,{children:"Access to the embedded mirror's registry API requires a valid client certificate, signed by the cluster's client certificate authority."}),"\n",(0,t.jsx)(r.p,{children:"Access to the distributed hash table's peer-to-peer network requires a preshared key that is controlled by server nodes.\nNodes authenticate each other using both the preshared key, and a certificate signed by the cluster certificate authority."}),"\n",(0,t.jsx)(r.h3,{id:"potential-concerns",children:"Potential Concerns"}),"\n",(0,t.jsx)(r.admonition,{type:"warning",children:(0,t.jsx)(r.p,{children:"The distributed registry is built on peer-to-peer principles, and assumes an equal level of privilege and trust between all cluster members.\nIf this does not match your cluster's security posture, you should not enable the embedded distributed registry."})}),"\n",(0,t.jsxs)(r.p,{children:["The embedded registry may make available images that a node may not otherwise have access to.\nFor example, if some of your images are pulled from a registry, project, or repository that requires authentication via Kubernetes Image Pull Secrets, or credentials in ",(0,t.jsx)(r.code,{children:"registries.yaml"}),",\nthe distributed registry will allow other nodes to share those images without providing any credentials to the upstream registry."]}),"\n",(0,t.jsx)(r.p,{children:"Users with access to push images into the containerd image store on one node may be able to use this to 'poison' the image for other cluster nodes,\nas other nodes will trust the tag advertised by the node, and use it without checking with the upstream registry.\nIf image integrity is important, you should use image digests instead of tags, as the digest cannot be poisoned in this manner."}),"\n",(0,t.jsx)(r.h2,{id:"sharing-air-gap-or-manually-loaded-images",children:"Sharing Air-gap or Manually Loaded Images"}),"\n",(0,t.jsxs)(r.p,{children:["Images sharing is controlled based on the source registry.\nImages loaded directly into containerd via air-gap tarballs, or loaded directly into containerd's image store using the ",(0,t.jsx)(r.code,{children:"ctr"})," command line tool,\nwill be shared between nodes if they are tagged as being from a registry that is enabled for mirroring."]}),"\n",(0,t.jsxs)(r.p,{children:["Note that the upstream registry that the images appear to come from does not actually have to exist or be reachable.\nFor example, you could tag images as being from a fictitious upstream registry, and import those images into containerd's image store.\nYou would then be able to pull those images from all cluster members, as long as that registry is listed in ",(0,t.jsx)(r.code,{children:"registries.yaml"})]}),"\n",(0,t.jsx)(r.h2,{id:"pushing-images",children:"Pushing Images"}),"\n",(0,t.jsxs)(r.p,{children:["The embedded registry is read-only, and cannot be pushed to directly using ",(0,t.jsx)(r.code,{children:"docker push"})," or other common tools that interact with OCI registries."]}),"\n",(0,t.jsxs)(r.p,{children:["Images can be manually made available via the embedded registry by running ",(0,t.jsx)(r.code,{children:"ctr -n k8s.io image pull"})," to pull an image,\nor by loading image archives via the ",(0,t.jsx)(r.code,{children:"ctr -n k8s.io import"})," or ",(0,t.jsx)(r.code,{children:"ctr -n k8s.io load"})," commands.\nNote that the ",(0,t.jsx)(r.code,{children:"k8s.io"})," namespace must be specified when managing images via ",(0,t.jsx)(r.code,{children:"ctr"})," in order for them to be visible to the kubelet."]})]})}function h(e={}){const{wrapper:r}={...(0,n.a)(),...e.components};return r?(0,t.jsx)(r,{...e,children:(0,t.jsx)(c,{...e})}):c(e)}},1151:(e,r,i)=>{i.d(r,{Z:()=>o,a:()=>s});var t=i(7294);const n={},a=t.createContext(n);function s(e){const r=t.useContext(a);return t.useMemo((function(){return"function"==typeof e?e(r):{...r,...e}}),[r,e])}function o(e){let r;return r=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:s(e.components),t.createElement(a.Provider,{value:r},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/2c7731a3.78ce50e1.js b/kr/assets/js/2c7731a3.78ce50e1.js deleted file mode 100644 index 9f79b93ab..000000000 --- a/kr/assets/js/2c7731a3.78ce50e1.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[3411],{3023:(e,r,t)=>{t.r(r),t.d(r,{assets:()=>l,contentTitle:()=>i,default:()=>h,frontMatter:()=>a,metadata:()=>c,toc:()=>o});var s=t(5893),n=t(1151);const a={title:"CIS Self Assessment Guide"},i=void 0,c={id:"security/self-assessment-1.23",title:"CIS Self Assessment Guide",description:"CIS Kubernetes Benchmark v1.23 - K3s with Kubernetes v1.22 to v1.24",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/security/self-assessment-1.23.md",sourceDirName:"security",slug:"/security/self-assessment-1.23",permalink:"/kr/security/self-assessment-1.23",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/security/self-assessment-1.23.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"CIS Self Assessment Guide"}},l={},o=[{value:"CIS Kubernetes Benchmark v1.23 - K3s with Kubernetes v1.22 to v1.24",id:"cis-kubernetes-benchmark-v123---k3s-with-kubernetes-v122-to-v124",level:3},{value:"Overview",id:"overview",level:4},{value:"Testing controls methodology",id:"testing-controls-methodology",level:4},{value:"Controls",id:"controls",level:3},{value:"1.1 Control Plane Node Configuration Files",id:"11-control-plane-node-configuration-files",level:2},{value:"1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)",id:"111-ensure-that-the-api-server-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"1.1.2 Ensure that the API server pod specification file ownership is set to root (Automated)",id:"112-ensure-that-the-api-server-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Automated)",id:"113-ensure-that-the-controller-manager-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"1.1.4 Ensure that the controller manager pod specification file ownership is set to root (Automated)",id:"114-ensure-that-the-controller-manager-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.5 Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Automated)",id:"115-ensure-that-the-scheduler-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"1.1.6 Ensure that the scheduler pod specification file ownership is set to root (Automated)",id:"116-ensure-that-the-scheduler-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.7 Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated)",id:"117-ensure-that-the-etcd-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"1.1.8 Ensure that the etcd pod specification file ownership is set to root (Automated)",id:"118-ensure-that-the-etcd-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.9 Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual)",id:"119-ensure-that-the-container-network-interface-file-permissions-are-set-to-644-or-more-restrictive-manual",level:3},{value:"1.1.10 Ensure that the Container Network Interface file ownership is set to root (Manual)",id:"1110-ensure-that-the-container-network-interface-file-ownership-is-set-to-root-manual",level:3},{value:"1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)",id:"1111-ensure-that-the-etcd-data-directory-permissions-are-set-to-700-or-more-restrictive-automated",level:3},{value:"1.1.12 Ensure that the etcd data directory ownership is set to etcd (Automated)",id:"1112-ensure-that-the-etcd-data-directory-ownership-is-set-to-etcd-automated",level:3},{value:"1.1.13 Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)",id:"1113-ensure-that-the-adminconf-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.14 Ensure that the admin.conf file ownership is set to root (Automated)",id:"1114-ensure-that-the-adminconf-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.15 Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated)",id:"1115-ensure-that-the-schedulerconf-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"1.1.16 Ensure that the scheduler.conf file ownership is set to root (Automated)",id:"1116-ensure-that-the-schedulerconf-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated)",id:"1117-ensure-that-the-controller-managerconf-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"1.1.18 Ensure that the controller-manager.conf file ownership is set to root (Automated)",id:"1118-ensure-that-the-controller-managerconf-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root (Automated)",id:"1119-ensure-that-the-kubernetes-pki-directory-and-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Manual)",id:"1120-ensure-that-the-kubernetes-pki-certificate-file-permissions-are-set-to-644-or-more-restrictive-manual",level:3},{value:"1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)",id:"1121-ensure-that-the-kubernetes-pki-key-file-permissions-are-set-to-600-manual",level:3},{value:"1.2 API Server",id:"12-api-server",level:2},{value:"1.2.1 Ensure that the --anonymous-auth argument is set to false (Manual)",id:"121-ensure-that-the---anonymous-auth-argument-is-set-to-false-manual",level:3},{value:"1.2.2 Ensure that the --token-auth-file parameter is not set (Automated)",id:"122-ensure-that-the---token-auth-file-parameter-is-not-set-automated",level:3},{value:"1.2.3 Ensure that the --DenyServiceExternalIPs is not set (Automated)",id:"123-ensure-that-the---denyserviceexternalips-is-not-set-automated",level:3},{value:"1.2.4 Ensure that the --kubelet-https argument is set to true (Automated)",id:"124-ensure-that-the---kubelet-https-argument-is-set-to-true-automated",level:3},{value:"1.2.5 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)",id:"125-ensure-that-the---kubelet-client-certificate-and---kubelet-client-key-arguments-are-set-as-appropriate-automated",level:3},{value:"1.2.6 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)",id:"126-ensure-that-the---kubelet-certificate-authority-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.7 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)",id:"127-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",level:3},{value:"1.2.8 Ensure that the --authorization-mode argument includes Node (Automated)",id:"128-ensure-that-the---authorization-mode-argument-includes-node-automated",level:3},{value:"1.2.9 Ensure that the --authorization-mode argument includes RBAC (Automated)",id:"129-ensure-that-the---authorization-mode-argument-includes-rbac-automated",level:3},{value:"1.2.10 Ensure that the admission control plugin EventRateLimit is set (Manual)",id:"1210-ensure-that-the-admission-control-plugin-eventratelimit-is-set-manual",level:3},{value:"1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set (Automated)",id:"1211-ensure-that-the-admission-control-plugin-alwaysadmit-is-not-set-automated",level:3},{value:"1.2.12 Ensure that the admission control plugin AlwaysPullImages is set (Manual)",id:"1212-ensure-that-the-admission-control-plugin-alwayspullimages-is-set-manual",level:3},{value:"1.2.13 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)",id:"1213-ensure-that-the-admission-control-plugin-securitycontextdeny-is-set-if-podsecuritypolicy-is-not-used-manual",level:3},{value:"1.2.14 Ensure that the admission control plugin ServiceAccount is set (Automated)",id:"1214-ensure-that-the-admission-control-plugin-serviceaccount-is-set-automated",level:3},{value:"1.2.15 Ensure that the admission control plugin NamespaceLifecycle is set (Automated)",id:"1215-ensure-that-the-admission-control-plugin-namespacelifecycle-is-set-automated",level:3},{value:"1.2.16 Ensure that the admission control plugin NodeRestriction is set (Automated)",id:"1216-ensure-that-the-admission-control-plugin-noderestriction-is-set-automated",level:3},{value:"1.2.17 Ensure that the --secure-port argument is not set to 0 (Automated)",id:"1217-ensure-that-the---secure-port-argument-is-not-set-to-0-automated",level:3},{value:"1.2.18 Ensure that the --profiling argument is set to false (Automated)",id:"1218-ensure-that-the---profiling-argument-is-set-to-false-automated",level:3},{value:"1.2.19 Ensure that the --audit-log-path argument is set (Automated)",id:"1219-ensure-that-the---audit-log-path-argument-is-set-automated",level:3},{value:"1.2.20 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)",id:"1220-ensure-that-the---audit-log-maxage-argument-is-set-to-30-or-as-appropriate-automated",level:3},{value:"1.2.21 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)",id:"1221-ensure-that-the---audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate-automated",level:3},{value:"1.2.22 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)",id:"1222-ensure-that-the---audit-log-maxsize-argument-is-set-to-100-or-as-appropriate-automated",level:3},{value:"1.2.24 Ensure that the --service-account-lookup argument is set to true (Automated)",id:"1224-ensure-that-the---service-account-lookup-argument-is-set-to-true-automated",level:3},{value:"1.2.25 Ensure that the --request-timeout argument is set as appropriate (Automated)",id:"1225-ensure-that-the---request-timeout-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.26 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)",id:"1226-ensure-that-the---etcd-certfile-and---etcd-keyfile-arguments-are-set-as-appropriate-automated",level:3},{value:"1.2.27 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)",id:"1227-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"1.2.28 Ensure that the --client-ca-file argument is set as appropriate (Automated)",id:"1228-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.29 Ensure that the --etcd-cafile argument is set as appropriate (Automated)",id:"1229-ensure-that-the---etcd-cafile-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.30 Ensure that the --encryption-provider-config argument is set as appropriate (Manual)",id:"1230-ensure-that-the---encryption-provider-config-argument-is-set-as-appropriate-manual",level:3},{value:"1.2.31 Ensure that encryption providers are appropriately configured (Manual)",id:"1231-ensure-that-encryption-providers-are-appropriately-configured-manual",level:3},{value:"1.2.32 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual)",id:"1232-ensure-that-the-api-server-only-makes-use-of-strong-cryptographic-ciphers-manual",level:3},{value:"1.3 Controller Manager",id:"13-controller-manager",level:2},{value:"1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)",id:"131-ensure-that-the---terminated-pod-gc-threshold-argument-is-set-as-appropriate-manual",level:3},{value:"1.3.2 Ensure that the --profiling argument is set to false (Automated)",id:"132-ensure-that-the---profiling-argument-is-set-to-false-automated",level:3},{value:"1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated)",id:"133-ensure-that-the---use-service-account-credentials-argument-is-set-to-true-automated",level:3},{value:"1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)",id:"134-ensure-that-the---service-account-private-key-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated)",id:"135-ensure-that-the---root-ca-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)",id:"136-ensure-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",level:3},{value:"1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)",id:"137-ensure-that-the---bind-address-argument-is-set-to-127001-automated",level:3},{value:"1.4 Scheduler",id:"14-scheduler",level:2},{value:"1.4.1 Ensure that the --profiling argument is set to false (Automated)",id:"141-ensure-that-the---profiling-argument-is-set-to-false-automated",level:3},{value:"1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)",id:"142-ensure-that-the---bind-address-argument-is-set-to-127001-automated",level:3},{value:"2 Etcd Node Configuration",id:"2-etcd-node-configuration",level:2},{value:"2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)",id:"21-ensure-that-the---cert-file-and---key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"2.2 Ensure that the --client-cert-auth argument is set to true (Automated)",id:"22-ensure-that-the---client-cert-auth-argument-is-set-to-true-automated",level:3},{value:"2.3 Ensure that the --auto-tls argument is not set to true (Automated)",id:"23-ensure-that-the---auto-tls-argument-is-not-set-to-true-automated",level:3},{value:"2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)",id:"24-ensure-that-the---peer-cert-file-and---peer-key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"2.5 Ensure that the --peer-client-cert-auth argument is set to true (Automated)",id:"25-ensure-that-the---peer-client-cert-auth-argument-is-set-to-true-automated",level:3},{value:"2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated)",id:"26-ensure-that-the---peer-auto-tls-argument-is-not-set-to-true-automated",level:3},{value:"2.7 Ensure that a unique Certificate Authority is used for etcd (Manual)",id:"27-ensure-that-a-unique-certificate-authority-is-used-for-etcd-manual",level:3},{value:"3.1 Authentication and Authorization",id:"31-authentication-and-authorization",level:2},{value:"3.1.1 Client certificate authentication should not be used for users (Manual)",id:"311-client-certificate-authentication-should-not-be-used-for-users-manual",level:3},{value:"3.2 Logging",id:"32-logging",level:2},{value:"3.2.1 Ensure that a minimal audit policy is created (Manual)",id:"321-ensure-that-a-minimal-audit-policy-is-created-manual",level:3},{value:"3.2.2 Ensure that the audit policy covers key security concerns (Manual)",id:"322-ensure-that-the-audit-policy-covers-key-security-concerns-manual",level:3},{value:"4.1 Worker Node Configuration Files",id:"41-worker-node-configuration-files",level:2},{value:"4.1.1 Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automated)",id:"411-ensure-that-the-kubelet-service-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"4.1.2 Ensure that the kubelet service file ownership is set to root (Automated)",id:"412-ensure-that-the-kubelet-service-file-ownership-is-set-to-root-automated",level:3},{value:"4.1.3 If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive (Manual)",id:"413-if-proxy-kubeconfig-file-exists-ensure-permissions-are-set-to-644-or-more-restrictive-manual",level:3},{value:"4.1.4 If proxy kubeconfig file exists ensure ownership is set to root (Manual)",id:"414-if-proxy-kubeconfig-file-exists-ensure-ownership-is-set-to-root-manual",level:3},{value:"4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive (Automated)",id:"415-ensure-that-the---kubeconfig-kubeletconf-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root (Automated)",id:"416-ensure-that-the---kubeconfig-kubeletconf-file-ownership-is-set-to-root-automated",level:3},{value:"4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual)",id:"417-ensure-that-the-certificate-authorities-file-permissions-are-set-to-644-or-more-restrictive-manual",level:3},{value:"4.1.8 Ensure that the client certificate authorities file ownership is set to root (Manual)",id:"418-ensure-that-the-client-certificate-authorities-file-ownership-is-set-to-root-manual",level:3},{value:"4.1.9 Ensure that the kubelet --config configuration file has permissions set to 644 or more restrictive (Automated)",id:"419-ensure-that-the-kubelet---config-configuration-file-has-permissions-set-to-644-or-more-restrictive-automated",level:3},{value:"4.1.10 Ensure that the kubelet --config configuration file ownership is set to root (Automated)",id:"4110-ensure-that-the-kubelet---config-configuration-file-ownership-is-set-to-root-automated",level:3},{value:"4.2 Kubelet",id:"42-kubelet",level:2},{value:"4.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)",id:"421-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",level:3},{value:"4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)",id:"422-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",level:3},{value:"4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)",id:"423-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",level:3},{value:"4.2.4 Ensure that the --read-only-port argument is set to 0 (Manual)",id:"424-ensure-that-the---read-only-port-argument-is-set-to-0-manual",level:3},{value:"4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)",id:"425-ensure-that-the---streaming-connection-idle-timeout-argument-is-not-set-to-0-manual",level:3},{value:"4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)",id:"426-ensure-that-the---protect-kernel-defaults-argument-is-set-to-true-automated",level:3},{value:"4.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Automated)",id:"427-ensure-that-the---make-iptables-util-chains-argument-is-set-to-true-automated",level:3},{value:"4.2.8 Ensure that the --hostname-override argument is not set (Manual)",id:"428-ensure-that-the---hostname-override-argument-is-not-set-manual",level:3},{value:"4.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Manual)",id:"429-ensure-that-the---event-qps-argument-is-set-to-0-or-a-level-which-ensures-appropriate-event-capture-manual",level:3},{value:"4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)",id:"4210-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-manual",level:3},{value:"4.2.11 Ensure that the --rotate-certificates argument is not set to false (Automated)",id:"4211-ensure-that-the---rotate-certificates-argument-is-not-set-to-false-automated",level:3},{value:"4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true (Manual)",id:"4212-verify-that-the-rotatekubeletservercertificate-argument-is-set-to-true-manual",level:3},{value:"4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)",id:"4213-ensure-that-the-kubelet-only-makes-use-of-strong-cryptographic-ciphers-manual",level:3},{value:"5.1 RBAC and Service Accounts",id:"51-rbac-and-service-accounts",level:2},{value:"5.1.1 Ensure that the cluster-admin role is only used where required (Manual)",id:"511-ensure-that-the-cluster-admin-role-is-only-used-where-required-manual",level:3},{value:"5.1.2 Minimize access to secrets (Manual)",id:"512-minimize-access-to-secrets-manual",level:3},{value:"5.1.3 Minimize wildcard use in Roles and ClusterRoles (Manual)",id:"513-minimize-wildcard-use-in-roles-and-clusterroles-manual",level:3},{value:"5.1.4 Minimize access to create pods (Manual)",id:"514-minimize-access-to-create-pods-manual",level:3},{value:"5.1.5 Ensure that default service accounts are not actively used. (Manual)",id:"515-ensure-that-default-service-accounts-are-not-actively-used-manual",level:3},{value:"5.1.6 Ensure that Service Account Tokens are only mounted where necessary (Manual)",id:"516-ensure-that-service-account-tokens-are-only-mounted-where-necessary-manual",level:3},{value:"5.1.7 Avoid use of system group (Manual)",id:"517-avoid-use-of-system-group-manual",level:3},{value:"5.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)",id:"518-limit-use-of-the-bind-impersonate-and-escalate-permissions-in-the-kubernetes-cluster-manual",level:3},{value:"5.2 Pod Security Standards",id:"52-pod-security-standards",level:2},{value:"5.2.1 Ensure that the cluster has at least one active policy control mechanism in place (Manual)",id:"521-ensure-that-the-cluster-has-at-least-one-active-policy-control-mechanism-in-place-manual",level:3},{value:"5.2.2 Minimize the admission of privileged containers (Automated)",id:"522-minimize-the-admission-of-privileged-containers-automated",level:3},{value:"5.2.3 Minimize the admission of containers wishing to share the host process ID namespace (Automated)",id:"523-minimize-the-admission-of-containers-wishing-to-share-the-host-process-id-namespace-automated",level:3},{value:"5.2.4 Minimize the admission of containers wishing to share the host IPC namespace (Automated)",id:"524-minimize-the-admission-of-containers-wishing-to-share-the-host-ipc-namespace-automated",level:3},{value:"5.2.5 Minimize the admission of containers wishing to share the host network namespace (Automated)",id:"525-minimize-the-admission-of-containers-wishing-to-share-the-host-network-namespace-automated",level:3},{value:"5.2.6 Minimize the admission of containers with allowPrivilegeEscalation (Automated)",id:"526-minimize-the-admission-of-containers-with-allowprivilegeescalation-automated",level:3},{value:"5.2.7 Minimize the admission of root containers (Automated)",id:"527-minimize-the-admission-of-root-containers-automated",level:3},{value:"5.2.8 Minimize the admission of containers with the NET_RAW capability (Automated)",id:"528-minimize-the-admission-of-containers-with-the-net_raw-capability-automated",level:3},{value:"5.2.9 Minimize the admission of containers with added capabilities (Automated)",id:"529-minimize-the-admission-of-containers-with-added-capabilities-automated",level:3},{value:"5.2.10 Minimize the admission of containers with capabilities assigned (Manual)",id:"5210-minimize-the-admission-of-containers-with-capabilities-assigned-manual",level:3},{value:"5.2.11 Minimize the admission of Windows HostProcess containers (Manual)",id:"5211-minimize-the-admission-of-windows-hostprocess-containers-manual",level:3},{value:"5.2.12 Minimize the admission of HostPath volumes (Manual)",id:"5212-minimize-the-admission-of-hostpath-volumes-manual",level:3},{value:"5.2.13 Minimize the admission of containers which use HostPorts (Manual)",id:"5213-minimize-the-admission-of-containers-which-use-hostports-manual",level:3},{value:"5.3 Network Policies and CNI",id:"53-network-policies-and-cni",level:2},{value:"5.3.1 Ensure that the CNI in use supports NetworkPolicies (Manual)",id:"531-ensure-that-the-cni-in-use-supports-networkpolicies-manual",level:3},{value:"5.3.2 Ensure that all Namespaces have NetworkPolicies defined (Manual)",id:"532-ensure-that-all-namespaces-have-networkpolicies-defined-manual",level:3},{value:"5.4 Secrets Management",id:"54-secrets-management",level:2},{value:"5.4.1 Prefer using Secrets as files over Secrets as environment variables (Manual)",id:"541-prefer-using-secrets-as-files-over-secrets-as-environment-variables-manual",level:3},{value:"5.4.2 Consider external secret storage (Manual)",id:"542-consider-external-secret-storage-manual",level:3},{value:"5.5 Extensible Admission Control",id:"55-extensible-admission-control",level:2},{value:"5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)",id:"551-configure-image-provenance-using-imagepolicywebhook-admission-controller-manual",level:3},{value:"5.7 General Policies",id:"57-general-policies",level:2},{value:"5.7.1 Create administrative boundaries between resources using namespaces (Manual)",id:"571-create-administrative-boundaries-between-resources-using-namespaces-manual",level:3},{value:"5.7.2 Ensure that the seccomp profile is set to docker/default in your Pod definitions (Manual)",id:"572-ensure-that-the-seccomp-profile-is-set-to-dockerdefault-in-your-pod-definitions-manual",level:3},{value:"5.7.3 Apply SecurityContext to your Pods and Containers (Manual)",id:"573-apply-securitycontext-to-your-pods-and-containers-manual",level:3},{value:"5.7.4 The default namespace should not be used (Manual)",id:"574-the-default-namespace-should-not-be-used-manual",level:3}];function d(e){const r={a:"a",blockquote:"blockquote",code:"code",h2:"h2",h3:"h3",h4:"h4",hr:"hr",li:"li",p:"p",pre:"pre",strong:"strong",ul:"ul",...(0,n.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(r.h3,{id:"cis-kubernetes-benchmark-v123---k3s-with-kubernetes-v122-to-v124",children:"CIS Kubernetes Benchmark v1.23 - K3s with Kubernetes v1.22 to v1.24"}),"\n",(0,s.jsx)(r.h4,{id:"overview",children:"Overview"}),"\n",(0,s.jsxs)(r.p,{children:["This document is a companion to the ",(0,s.jsx)(r.a,{href:"/kr/security/hardening-guide",children:"K3s security hardening guide"}),". The hardening guide provides prescriptive guidance for hardening a production installation of K3s, and this benchmark guide is meant to help you evaluate the level of security of the hardened cluster against each control in the CIS Kubernetes Benchmark. It is to be used by K3s operators, security teams, auditors, and decision-makers."]}),"\n",(0,s.jsxs)(r.p,{children:["This guide is specific to the ",(0,s.jsx)(r.strong,{children:"v1.22"}),", ",(0,s.jsx)(r.strong,{children:"v1.23"})," and ",(0,s.jsx)(r.strong,{children:"v1.24"})," release line of K3s and the ",(0,s.jsx)(r.strong,{children:"v1.23"})," release of the CIS Kubernetes Benchmark."]}),"\n",(0,s.jsxs)(r.p,{children:["For more information about each control, including detailed descriptions and remediations for failing tests, you can refer to the corresponding section of the CIS Kubernetes Benchmark v1.6. You can download the benchmark, after creating a free account, in ",(0,s.jsx)(r.a,{href:"https://www.cisecurity.org/benchmark/kubernetes/",children:"Center for Internet Security (CIS)"}),"."]}),"\n",(0,s.jsx)(r.h4,{id:"testing-controls-methodology",children:"Testing controls methodology"}),"\n",(0,s.jsx)(r.p,{children:"Each control in the CIS Kubernetes Benchmark was evaluated against a K3s cluster that was configured according to the accompanying hardening guide."}),"\n",(0,s.jsx)(r.p,{children:"Where control audits differ from the original CIS benchmark, the audit commands specific to K3s are provided for testing."}),"\n",(0,s.jsx)(r.p,{children:"These are the possible results for each control:"}),"\n",(0,s.jsxs)(r.ul,{children:["\n",(0,s.jsxs)(r.li,{children:[(0,s.jsx)(r.strong,{children:"Pass"})," - The K3s cluster under test passed the audit outlined in the benchmark."]}),"\n",(0,s.jsxs)(r.li,{children:[(0,s.jsx)(r.strong,{children:"Not Applicable"})," - The control is not applicable to K3s because of how it is designed to operate. The remediation section will explain why this is so."]}),"\n",(0,s.jsxs)(r.li,{children:[(0,s.jsx)(r.strong,{children:"Warn"})," - The control is manual in the CIS benchmark and it depends on the cluster's use case or some other factor that must be determined by the cluster operator. These controls have been evaluated to ensure K3s does not prevent their implementation, but no further configuration or auditing of the cluster under test has been performed."]}),"\n"]}),"\n",(0,s.jsx)(r.p,{children:'This guide makes the assumption that K3s is running as a Systemd unit. Your installation may vary and will require you to adjust the "audit" commands to fit your scenario.'}),"\n",(0,s.jsxs)(r.blockquote,{children:["\n",(0,s.jsxs)(r.p,{children:["NOTE: Only ",(0,s.jsx)(r.code,{children:"automated"})," tests (previously called ",(0,s.jsx)(r.code,{children:"scored"}),") are covered in this guide."]}),"\n"]}),"\n",(0,s.jsx)(r.h3,{id:"controls",children:"Controls"}),"\n",(0,s.jsx)(r.hr,{}),"\n",(0,s.jsx)(r.h2,{id:"11-control-plane-node-configuration-files",children:"1.1 Control Plane Node Configuration Files"}),"\n",(0,s.jsx)(r.h3,{id:"111-ensure-that-the-api-server-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the\ncontrol plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chmod 644 /etc/kubernetes/manifests/kube-apiserver.yaml"})]}),"\n",(0,s.jsxs)(r.h3,{id:"112-ensure-that-the-api-server-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.2 Ensure that the API server pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chown root:root /etc/kubernetes/manifests/kube-apiserver.yaml"})]}),"\n",(0,s.jsx)(r.h3,{id:"113-ensure-that-the-controller-manager-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chmod 644 /etc/kubernetes/manifests/kube-controller-manager.yaml"})]}),"\n",(0,s.jsxs)(r.h3,{id:"114-ensure-that-the-controller-manager-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.4 Ensure that the controller manager pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chown root:root /etc/kubernetes/manifests/kube-controller-manager.yaml"})]}),"\n",(0,s.jsx)(r.h3,{id:"115-ensure-that-the-scheduler-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"1.1.5 Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chmod 644 /etc/kubernetes/manifests/kube-scheduler.yaml"})]}),"\n",(0,s.jsxs)(r.h3,{id:"116-ensure-that-the-scheduler-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.6 Ensure that the scheduler pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chown root:root /etc/kubernetes/manifests/kube-scheduler.yaml"})]}),"\n",(0,s.jsx)(r.h3,{id:"117-ensure-that-the-etcd-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"1.1.7 Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chmod 644 /etc/kubernetes/manifests/etcd.yaml"})]}),"\n",(0,s.jsxs)(r.h3,{id:"118-ensure-that-the-etcd-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.8 Ensure that the etcd pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chown root:root /etc/kubernetes/manifests/etcd.yaml"})]}),"\n",(0,s.jsx)(r.h3,{id:"119-ensure-that-the-container-network-interface-file-permissions-are-set-to-644-or-more-restrictive-manual",children:"1.1.9 Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chmod 644 "})]}),"\n",(0,s.jsxs)(r.h3,{id:"1110-ensure-that-the-container-network-interface-file-ownership-is-set-to-root-manual",children:["1.1.10 Ensure that the Container Network Interface file ownership is set to root",":root"," (Manual)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chown root:root "})]}),"\n",(0,s.jsx)(r.h3,{id:"1111-ensure-that-the-etcd-data-directory-permissions-are-set-to-700-or-more-restrictive-automated",children:"1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nOn the etcd server node, get the etcd data directory, passed as an argument --data-dir,\nfrom the command 'ps -ef | grep etcd'.\nRun the below command (based on the etcd data directory found above). For example,\nchmod 700 /var/lib/etcd"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 1.1.11\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'700' is equal to '700'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"700\n"})}),"\n",(0,s.jsxs)(r.h3,{id:"1112-ensure-that-the-etcd-data-directory-ownership-is-set-to-etcd-automated",children:["1.1.12 Ensure that the etcd data directory ownership is set to etcd",":etcd"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nOn the etcd server node, get the etcd data directory, passed as an argument --data-dir,\nfrom the command 'ps -ef | grep etcd'.\nRun the below command (based on the etcd data directory found above).\nFor example, chown etcd",":etcd"," /var/lib/etcd"]}),"\n",(0,s.jsx)(r.h3,{id:"1113-ensure-that-the-adminconf-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.13 Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, chmod 600 /var/lib/rancher/k3s/server/cred/admin.kubeconfig"]}),"\n",(0,s.jsxs)(r.h3,{id:"1114-ensure-that-the-adminconf-file-ownership-is-set-to-root-automated",children:["1.1.14 Ensure that the admin.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, chown root",":root"," /etc/kubernetes/admin.conf"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/admin.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/server/cred/admin.kubeconfig; fi'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'root:root' is equal to 'root:root'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root\n"})}),"\n",(0,s.jsx)(r.h3,{id:"1115-ensure-that-the-schedulerconf-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"1.1.15 Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example,\nchmod 644 scheduler"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; fi'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions has permissions 644, expected 644 or more restrictive\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions=644\n"})}),"\n",(0,s.jsxs)(r.h3,{id:"1116-ensure-that-the-schedulerconf-file-ownership-is-set-to-root-automated",children:["1.1.16 Ensure that the scheduler.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chown root:root scheduler"})]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; fi'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'root:root' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root\n"})}),"\n",(0,s.jsx)(r.h3,{id:"1117-ensure-that-the-controller-managerconf-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example,\nchmod 644 controllermanager"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/controller.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/controller.kubeconfig; fi'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions has permissions 644, expected 644 or more restrictive\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions=644\n"})}),"\n",(0,s.jsxs)(r.h3,{id:"1118-ensure-that-the-controller-managerconf-file-ownership-is-set-to-root-automated",children:["1.1.18 Ensure that the controller-manager.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example,\nchown root",":root"," controllermanager"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/server/tls\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'root:root' is equal to 'root:root'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root\n"})}),"\n",(0,s.jsxs)(r.h3,{id:"1119-ensure-that-the-kubernetes-pki-directory-and-file-ownership-is-set-to-root-automated",children:["1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example,\nchown -R root",":root"," /etc/kubernetes/pki/"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"find /var/lib/rancher/k3s/server/tls | xargs stat -c %U:%G\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'root:root' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root\n"})}),"\n",(0,s.jsx)(r.h3,{id:"1120-ensure-that-the-kubernetes-pki-certificate-file-permissions-are-set-to-644-or-more-restrictive-manual",children:"1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example,\nchmod -R 644 /etc/kubernetes/pki/*.crt"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %n %a /var/lib/rancher/k3s/server/tls/*.crt\n"})}),"\n",(0,s.jsx)(r.h3,{id:"1121-ensure-that-the-kubernetes-pki-key-file-permissions-are-set-to-600-manual",children:"1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example,\nchmod -R 600 /etc/kubernetes/pki/*.key"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %n %a /var/lib/rancher/k3s/server/tls/*.key\n"})}),"\n",(0,s.jsx)(r.h2,{id:"12-api-server",children:"1.2 API Server"}),"\n",(0,s.jsx)(r.h3,{id:"121-ensure-that-the---anonymous-auth-argument-is-set-to-false-manual",children:"1.2.1 Ensure that the --anonymous-auth argument is set to false (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the below parameter.\n--anonymous-auth=false"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'anonymous-auth'\n"})}),"\n",(0,s.jsx)(r.h3,{id:"122-ensure-that-the---token-auth-file-parameter-is-not-set-automated",children:"1.2.2 Ensure that the --token-auth-file parameter is not set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the documentation and configure alternate mechanisms for authentication. Then,\nedit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and remove the ",(0,s.jsx)(r.code,{children:"--token-auth-file="})," parameter."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/ps -ef | grep containerd | grep -v grep\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--token-auth-file' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root 1616 1600 6 13:26 ? 00:01:28 containerd -c /var/lib/rancher/k3s/agent/etc/containerd/config.toml -a /run/k3s/containerd/containerd.sock --state /run/k3s/containerd --root /var/lib/rancher/k3s/agent/containerd root 2318 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id b41ec3297be4625c2406ad8b7b4f8b91cddd60850c420050c4c3273f809b3e7e -address /run/k3s/containerd/containerd.sock root 2341 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id e7999a65ae0a4e9969f32317ec48ae4f7071b62f92e5236696737973be77c2e1 -address /run/k3s/containerd/containerd.sock root 3199 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 90c4e63d6ee29d40a48c2fdaf2738c2472cba1139dde8a550466c452184f8528 -address /run/k3s/containerd/containerd.sock root 3923 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id be5f4b9bd1ed9239362b7000b47f353acb8bc8ca52a9c9145cba0e902ec1c4b9 -address /run/k3s/containerd/containerd.sock root 4559 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 04cd40ea6b6078797f177c902c89412c70e523ad2a687a62829bf1d16ff0e19c -address /run/k3s/containerd/containerd.sock root 4647 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 48f37a480315b6adce2d2a5c5d67a85412dd0ba7a2e82816434e0deb9fa75de9 -address /run/k3s/containerd/containerd.sock root 6610 1 0 13:47 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 1cf71c22f568468055e517ab363437c0e54e45274c64024d337cc5bcce66341d -address /run/k3s/containerd/containerd.sock\n"})}),"\n",(0,s.jsx)(r.h3,{id:"123-ensure-that-the---denyserviceexternalips-is-not-set-automated",children:"1.2.3 Ensure that the --DenyServiceExternalIPs is not set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and remove the ",(0,s.jsx)(r.code,{children:"DenyServiceExternalIPs"}),"\nfrom enabled admission plugins."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/ps -ef | grep containerd | grep -v grep\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--enable-admission-plugins' is present OR '--enable-admission-plugins' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root 1616 1600 6 13:26 ? 00:01:28 containerd -c /var/lib/rancher/k3s/agent/etc/containerd/config.toml -a /run/k3s/containerd/containerd.sock --state /run/k3s/containerd --root /var/lib/rancher/k3s/agent/containerd root 2318 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id b41ec3297be4625c2406ad8b7b4f8b91cddd60850c420050c4c3273f809b3e7e -address /run/k3s/containerd/containerd.sock root 2341 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id e7999a65ae0a4e9969f32317ec48ae4f7071b62f92e5236696737973be77c2e1 -address /run/k3s/containerd/containerd.sock root 3199 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 90c4e63d6ee29d40a48c2fdaf2738c2472cba1139dde8a550466c452184f8528 -address /run/k3s/containerd/containerd.sock root 3923 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id be5f4b9bd1ed9239362b7000b47f353acb8bc8ca52a9c9145cba0e902ec1c4b9 -address /run/k3s/containerd/containerd.sock root 4559 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 04cd40ea6b6078797f177c902c89412c70e523ad2a687a62829bf1d16ff0e19c -address /run/k3s/containerd/containerd.sock root 4647 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 48f37a480315b6adce2d2a5c5d67a85412dd0ba7a2e82816434e0deb9fa75de9 -address /run/k3s/containerd/containerd.sock root 6610 1 0 13:47 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 1cf71c22f568468055e517ab363437c0e54e45274c64024d337cc5bcce66341d -address /run/k3s/containerd/containerd.sock\n"})}),"\n",(0,s.jsx)(r.h3,{id:"124-ensure-that-the---kubelet-https-argument-is-set-to-true-automated",children:"1.2.4 Ensure that the --kubelet-https argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and remove the --kubelet-https parameter."]}),"\n",(0,s.jsx)(r.h3,{id:"125-ensure-that-the---kubelet-client-certificate-and---kubelet-client-key-arguments-are-set-as-appropriate-automated",children:"1.2.5 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and set up the TLS connection between the\napiserver and kubelets. Then, edit API server pod specification file\n/etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the\nkubelet client certificate and key parameters as below."]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:"--kubelet-client-certificate=\n--kubelet-client-key=\n"})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'kubelet-certificate-authority'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--kubelet-client-certificate' is present AND '--kubelet-client-key' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"126-ensure-that-the---kubelet-certificate-authority-argument-is-set-as-appropriate-automated",children:"1.2.6 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and setup the TLS connection between\nthe apiserver and kubelets. Then, edit the API server pod specification file\n/etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the\n--kubelet-certificate-authority parameter to the path to the cert file for the certificate authority\n",(0,s.jsx)(r.code,{children:"--kubelet-certificate-authority="}),"."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'kubelet-certificate-authority'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--kubelet-certificate-authority' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"127-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",children:"1.2.7 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --authorization-mode parameter to values other than AlwaysAllow.\nOne such example could be as below.\n--authorization-mode=RBAC"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--authorization-mode' does not have 'AlwaysAllow'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"128-ensure-that-the---authorization-mode-argument-includes-node-automated",children:"1.2.8 Ensure that the --authorization-mode argument includes Node (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --authorization-mode parameter to a value that includes Node.\n--authorization-mode=Node,RBAC"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--authorization-mode' has 'Node'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"129-ensure-that-the---authorization-mode-argument-includes-rbac-automated",children:"1.2.9 Ensure that the --authorization-mode argument includes RBAC (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --authorization-mode parameter to a value that includes RBAC,\nfor example ",(0,s.jsx)(r.code,{children:"--authorization-mode=Node,RBAC"}),"."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--authorization-mode' has 'RBAC'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1210-ensure-that-the-admission-control-plugin-eventratelimit-is-set-manual",children:"1.2.10 Ensure that the admission control plugin EventRateLimit is set (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and set the desired limits in a configuration file.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\nand set the below parameters."]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:"--enable-admission-plugins=...,EventRateLimit,...\n--admission-control-config-file=\n"})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--enable-admission-plugins' has 'EventRateLimit'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1211-ensure-that-the-admission-control-plugin-alwaysadmit-is-not-set-automated",children:"1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and either remove the --enable-admission-plugins parameter, or set it to a\nvalue that does not include AlwaysAdmit."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--enable-admission-plugins' does not have 'AlwaysAdmit' OR '--enable-admission-plugins' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1212-ensure-that-the-admission-control-plugin-alwayspullimages-is-set-manual",children:"1.2.12 Ensure that the admission control plugin AlwaysPullImages is set (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --enable-admission-plugins parameter to include\nAlwaysPullImages.\n--enable-admission-plugins=...,AlwaysPullImages,..."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/ps -ef | grep containerd | grep -v grep\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--enable-admission-plugins' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root 1616 1600 6 13:26 ? 00:01:28 containerd -c /var/lib/rancher/k3s/agent/etc/containerd/config.toml -a /run/k3s/containerd/containerd.sock --state /run/k3s/containerd --root /var/lib/rancher/k3s/agent/containerd root 2318 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id b41ec3297be4625c2406ad8b7b4f8b91cddd60850c420050c4c3273f809b3e7e -address /run/k3s/containerd/containerd.sock root 2341 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id e7999a65ae0a4e9969f32317ec48ae4f7071b62f92e5236696737973be77c2e1 -address /run/k3s/containerd/containerd.sock root 3199 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 90c4e63d6ee29d40a48c2fdaf2738c2472cba1139dde8a550466c452184f8528 -address /run/k3s/containerd/containerd.sock root 3923 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id be5f4b9bd1ed9239362b7000b47f353acb8bc8ca52a9c9145cba0e902ec1c4b9 -address /run/k3s/containerd/containerd.sock root 4559 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 04cd40ea6b6078797f177c902c89412c70e523ad2a687a62829bf1d16ff0e19c -address /run/k3s/containerd/containerd.sock root 4647 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 48f37a480315b6adce2d2a5c5d67a85412dd0ba7a2e82816434e0deb9fa75de9 -address /run/k3s/containerd/containerd.sock root 6610 1 0 13:47 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 1cf71c22f568468055e517ab363437c0e54e45274c64024d337cc5bcce66341d -address /run/k3s/containerd/containerd.sock\n"})}),"\n",(0,s.jsx)(r.h3,{id:"1213-ensure-that-the-admission-control-plugin-securitycontextdeny-is-set-if-podsecuritypolicy-is-not-used-manual",children:"1.2.13 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --enable-admission-plugins parameter to include\nSecurityContextDeny, unless PodSecurityPolicy is already in place.\n--enable-admission-plugins=...,SecurityContextDeny,..."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--enable-admission-plugins' has 'SecurityContextDeny' OR '--enable-admission-plugins' has 'PodSecurityPolicy'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1214-ensure-that-the-admission-control-plugin-serviceaccount-is-set-automated",children:"1.2.14 Ensure that the admission control plugin ServiceAccount is set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the documentation and create ServiceAccount objects as per your environment.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and ensure that the --disable-admission-plugins parameter is set to a\nvalue that does not include ServiceAccount."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--disable-admission-plugins' is present OR '--disable-admission-plugins' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1215-ensure-that-the-admission-control-plugin-namespacelifecycle-is-set-automated",children:"1.2.15 Ensure that the admission control plugin NamespaceLifecycle is set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --disable-admission-plugins parameter to\nensure it does not include NamespaceLifecycle."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--disable-admission-plugins' is present OR '--disable-admission-plugins' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1216-ensure-that-the-admission-control-plugin-noderestriction-is-set-automated",children:"1.2.16 Ensure that the admission control plugin NodeRestriction is set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --enable-admission-plugins parameter to a\nvalue that includes NodeRestriction.\n--enable-admission-plugins=...,NodeRestriction,..."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--enable-admission-plugins' has 'NodeRestriction'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1217-ensure-that-the---secure-port-argument-is-not-set-to-0-automated",children:"1.2.17 Ensure that the --secure-port argument is not set to 0 (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and either remove the --secure-port parameter or\nset it to a different (non-zero) desired port."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'secure-port'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--secure-port' is greater than 0 OR '--secure-port' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1218-ensure-that-the---profiling-argument-is-set-to-false-automated",children:"1.2.18 Ensure that the --profiling argument is set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the below parameter.\n--profiling=false"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'profiling'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--profiling' is equal to 'false'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1219-ensure-that-the---audit-log-path-argument-is-set-automated",children:"1.2.19 Ensure that the --audit-log-path argument is set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --audit-log-path parameter to a suitable path and\nfile where you would like audit logs to be written, for example,\n--audit-log-path=/var/log/apiserver/audit.log"]}),"\n",(0,s.jsx)(r.h3,{id:"1220-ensure-that-the---audit-log-maxage-argument-is-set-to-30-or-as-appropriate-automated",children:"1.2.20 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --audit-log-maxage parameter to 30\nor as an appropriate number of days, for example,\n--audit-log-maxage=30"]}),"\n",(0,s.jsx)(r.h3,{id:"1221-ensure-that-the---audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate-automated",children:"1.2.21 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --audit-log-maxbackup parameter to 10 or to an appropriate\nvalue. For example,\n--audit-log-maxbackup=10"]}),"\n",(0,s.jsx)(r.h3,{id:"1222-ensure-that-the---audit-log-maxsize-argument-is-set-to-100-or-as-appropriate-automated",children:"1.2.22 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --audit-log-maxsize parameter to an appropriate size in MB.\nFor example, to set it as 100 MB, --audit-log-maxsize=100"]}),"\n",(0,s.jsx)(r.h3,{id:"1224-ensure-that-the---service-account-lookup-argument-is-set-to-true-automated",children:"1.2.24 Ensure that the --service-account-lookup argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the below parameter.\n--service-account-lookup=true\nAlternatively, you can delete the --service-account-lookup parameter from this file so\nthat the default takes effect."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--service-account-lookup' is not present OR '--service-account-lookup' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1225-ensure-that-the---request-timeout-argument-is-set-as-appropriate-automated",children:"1.2.25 Ensure that the --request-timeout argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nThe request timeout limits the duration of API requests. The default value of 60 seconds is\nsufficiently low already. Only change the default value if necessary. When extending this\nlimit, make sure to keep it low enough. A large value can exhaust API server resources and\nmake it prone for Denial-of-Service attacks."]}),"\n",(0,s.jsxs)(r.p,{children:["Edit the config file /etc/rancher/k3s/config.yaml on the control plane node and remove the\n--request-timeout parameter or set it to an appropriate value if needed. For example,\n",(0,s.jsx)(r.code,{children:"--request-timeout=300s"}),"."]}),"\n",(0,s.jsx)(r.h3,{id:"1226-ensure-that-the---etcd-certfile-and---etcd-keyfile-arguments-are-set-as-appropriate-automated",children:"1.2.26 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the etcd certificate and key file parameters."]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:"--etcd-certfile=\n--etcd-keyfile=\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 1.2.29\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--etcd-certfile' is present AND '--etcd-keyfile' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"--etcd-certfile AND --etcd-keyfile\n"})}),"\n",(0,s.jsx)(r.h3,{id:"1227-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",children:"1.2.27 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and set up the TLS connection on the apiserver.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the TLS certificate and private key file parameters."]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:"--tls-cert-file=\n--tls-private-key-file=\n"})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep -A1 'Running kube-apiserver' | tail -n2\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--tls-cert-file' is present AND '--tls-private-key-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key" Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-scheduler --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1228-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",children:"1.2.28 Ensure that the --client-ca-file argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and set up the TLS connection on the apiserver.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the client certificate authority file.\n",(0,s.jsx)(r.code,{children:"--client-ca-file="})]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'client-ca-file'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--client-ca-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1229-ensure-that-the---etcd-cafile-argument-is-set-as-appropriate-automated",children:"1.2.29 Ensure that the --etcd-cafile argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the etcd certificate authority file parameter.\n",(0,s.jsx)(r.code,{children:"--etcd-cafile="})]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'etcd-cafile'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--etcd-cafile' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1230-ensure-that-the---encryption-provider-config-argument-is-set-as-appropriate-manual",children:"1.2.30 Ensure that the --encryption-provider-config argument is set as appropriate (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and configure a EncryptionConfig file.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --encryption-provider-config parameter to the path of that file.\nFor example, ",(0,s.jsx)(r.code,{children:"--encryption-provider-config="})]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'encryption-provider-config'\n"})}),"\n",(0,s.jsx)(r.h3,{id:"1231-ensure-that-encryption-providers-are-appropriately-configured-manual",children:"1.2.31 Ensure that encryption providers are appropriately configured (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and configure a EncryptionConfig file.\nIn this file, choose aescbc, kms or secretbox as the encryption provider."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"grep aescbc /path/to/encryption-config.json\n"})}),"\n",(0,s.jsx)(r.h3,{id:"1232-ensure-that-the-api-server-only-makes-use-of-strong-cryptographic-ciphers-manual",children:"1.2.32 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the below parameter.\n--tls-cipher-suites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,\nTLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,\nTLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,\nTLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,\nTLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,\nTLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,\nTLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,\nTLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'tls-cipher-suites'\n"})}),"\n",(0,s.jsx)(r.h2,{id:"13-controller-manager",children:"1.3 Controller Manager"}),"\n",(0,s.jsx)(r.h3,{id:"131-ensure-that-the---terminated-pod-gc-threshold-argument-is-set-as-appropriate-manual",children:"1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node and set the --terminated-pod-gc-threshold to an appropriate threshold,\nfor example, --terminated-pod-gc-threshold=10"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'terminated-pod-gc-threshold'\n"})}),"\n",(0,s.jsx)(r.h3,{id:"132-ensure-that-the---profiling-argument-is-set-to-false-automated",children:"1.3.2 Ensure that the --profiling argument is set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node and set the below parameter.\n--profiling=false"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'profiling'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--profiling' is equal to 'false'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-controller-manager --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --use-service-account-credentials=true"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"133-ensure-that-the---use-service-account-credentials-argument-is-set-to-true-automated",children:"1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node to set the below parameter.\n--use-service-account-credentials=true"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'use-service-account-credentials'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--use-service-account-credentials' is not equal to 'false'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-controller-manager --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --use-service-account-credentials=true"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"134-ensure-that-the---service-account-private-key-file-argument-is-set-as-appropriate-automated",children:"1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node and set the --service-account-private-key-file parameter\nto the private key file for service accounts. For example,\n",(0,s.jsx)(r.code,{children:"--service-account-private-key-file="}),"."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'service-account-private-key-file'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--service-account-private-key-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-controller-manager --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --use-service-account-credentials=true"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"135-ensure-that-the---root-ca-file-argument-is-set-as-appropriate-automated",children:"1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node and set the --root-ca-file parameter to the certificate bundle file.\n",(0,s.jsx)(r.code,{children:"--root-ca-file="})]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'root-ca-file'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--root-ca-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-controller-manager --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --use-service-account-credentials=true"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"136-ensure-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",children:"1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true.\n--feature-gates=RotateKubeletServerCertificate=true"]}),"\n",(0,s.jsx)(r.h3,{id:"137-ensure-that-the---bind-address-argument-is-set-to-127001-automated",children:"1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node and ensure the correct value for the --bind-address parameter"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/ps -ef | grep containerd | grep -v grep\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--bind-address' is present OR '--bind-address' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root 1616 1600 6 13:26 ? 00:01:28 containerd -c /var/lib/rancher/k3s/agent/etc/containerd/config.toml -a /run/k3s/containerd/containerd.sock --state /run/k3s/containerd --root /var/lib/rancher/k3s/agent/containerd root 2318 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id b41ec3297be4625c2406ad8b7b4f8b91cddd60850c420050c4c3273f809b3e7e -address /run/k3s/containerd/containerd.sock root 2341 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id e7999a65ae0a4e9969f32317ec48ae4f7071b62f92e5236696737973be77c2e1 -address /run/k3s/containerd/containerd.sock root 3199 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 90c4e63d6ee29d40a48c2fdaf2738c2472cba1139dde8a550466c452184f8528 -address /run/k3s/containerd/containerd.sock root 3923 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id be5f4b9bd1ed9239362b7000b47f353acb8bc8ca52a9c9145cba0e902ec1c4b9 -address /run/k3s/containerd/containerd.sock root 4559 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 04cd40ea6b6078797f177c902c89412c70e523ad2a687a62829bf1d16ff0e19c -address /run/k3s/containerd/containerd.sock root 4647 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 48f37a480315b6adce2d2a5c5d67a85412dd0ba7a2e82816434e0deb9fa75de9 -address /run/k3s/containerd/containerd.sock root 6610 1 0 13:47 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 1cf71c22f568468055e517ab363437c0e54e45274c64024d337cc5bcce66341d -address /run/k3s/containerd/containerd.sock\n"})}),"\n",(0,s.jsx)(r.h2,{id:"14-scheduler",children:"1.4 Scheduler"}),"\n",(0,s.jsx)(r.h3,{id:"141-ensure-that-the---profiling-argument-is-set-to-false-automated",children:"1.4.1 Ensure that the --profiling argument is set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml file\non the control plane node and set the below parameter.\n--profiling=false"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-scheduler' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--profiling' is equal to 'false'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-scheduler --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"142-ensure-that-the---bind-address-argument-is-set-to-127001-automated",children:"1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml\non the control plane node and ensure the correct value for the --bind-address parameter"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-scheduler' | tail -n1 | grep 'bind-address'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--bind-address' is equal to '127.0.0.1' OR '--bind-address' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-scheduler --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"\n'})}),"\n",(0,s.jsx)(r.h2,{id:"2-etcd-node-configuration",children:"2 Etcd Node Configuration"}),"\n",(0,s.jsx)(r.h3,{id:"21-ensure-that-the---cert-file-and---key-file-arguments-are-set-as-appropriate-automated",children:"2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the etcd service documentation and configure TLS encryption.\nThen, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml\non the master node and set the below parameters."]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:"--cert-file=\n--key-file=\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 2.1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'cert-file' is present AND 'key-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"cert-file AND key-file cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key cert-file AND key-file\n"})}),"\n",(0,s.jsx)(r.h3,{id:"22-ensure-that-the---client-cert-auth-argument-is-set-to-true-automated",children:"2.2 Ensure that the --client-cert-auth argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),'\nEdit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master\nnode and set the below parameter.\n--client-cert-auth="true"']}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 2.2\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--client-cert-auth' is present OR 'client-cert-auth' is equal to 'true'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"--client-cert-auth=true client-cert-auth: true --client-cert-auth=true\n"})}),"\n",(0,s.jsx)(r.h3,{id:"23-ensure-that-the---auto-tls-argument-is-not-set-to-true-automated",children:"2.3 Ensure that the --auto-tls argument is not set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master\nnode and either remove the --auto-tls parameter or set it to false.\n--auto-tls=false"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 2.3\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'ETCD_AUTO_TLS' is not present OR 'ETCD_AUTO_TLS' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"error: process ID list syntax error Usage: ps [options] Try 'ps --help ' or 'ps --help ' for additional help text. For more details see ps(1). cat: /proc//environ: No such file or directory error: process ID list syntax error Usage: ps [options] Try 'ps --help ' or 'ps --help ' for additional help text. For more details see ps(1). cat: /proc//environ: No such file or directory error: process ID list syntax error Usage: ps [options] Try 'ps --help ' or 'ps --help ' for additional help text. For more details see ps(1). cat: /proc//environ: No such file or directory\n"})}),"\n",(0,s.jsx)(r.h3,{id:"24-ensure-that-the---peer-cert-file-and---peer-key-file-arguments-are-set-as-appropriate-automated",children:"2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the etcd service documentation and configure peer TLS encryption as appropriate\nfor your etcd cluster.\nThen, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the\nmaster node and set the below parameters."]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:"--peer-client-file=\n--peer-key-file=\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 2.4\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'cert-file' is present AND 'key-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"peer-cert-file AND peer-key-file cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key peer-cert-file AND peer-key-file\n"})}),"\n",(0,s.jsx)(r.h3,{id:"25-ensure-that-the---peer-client-cert-auth-argument-is-set-to-true-automated",children:"2.5 Ensure that the --peer-client-cert-auth argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master\nnode and set the below parameter.\n--peer-client-cert-auth=true"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 2.5\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--client-cert-auth' is present OR 'client-cert-auth' is equal to 'true'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"--client-cert-auth=true client-cert-auth: true --client-cert-auth=true\n"})}),"\n",(0,s.jsx)(r.h3,{id:"26-ensure-that-the---peer-auto-tls-argument-is-not-set-to-true-automated",children:"2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master\nnode and either remove the --peer-auto-tls parameter or set it to false.\n--peer-auto-tls=false"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 2.6\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--peer-auto-tls' is not present OR '--peer-auto-tls' is equal to 'false'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"--peer-auto-tls=false error: process ID list syntax error Usage: ps [options] Try 'ps --help ' or 'ps --help ' for additional help text. For more details see ps(1). cat: /proc//environ: No such file or directory --peer-auto-tls=false\n"})}),"\n",(0,s.jsx)(r.h3,{id:"27-ensure-that-a-unique-certificate-authority-is-used-for-etcd-manual",children:"2.7 Ensure that a unique Certificate Authority is used for etcd (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\n[Manual test]\nFollow the etcd documentation and create a dedicated certificate authority setup for the\netcd service.\nThen, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the\nmaster node and set the below parameter.\n",(0,s.jsx)(r.code,{children:"--trusted-ca-file="})]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 2.7\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'trusted-ca-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"--trusted-ca-file trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt --trusted-ca-file\n"})}),"\n",(0,s.jsx)(r.h2,{id:"31-authentication-and-authorization",children:"3.1 Authentication and Authorization"}),"\n",(0,s.jsx)(r.h3,{id:"311-client-certificate-authentication-should-not-be-used-for-users-manual",children:"3.1.1 Client certificate authentication should not be used for users (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAlternative mechanisms provided by Kubernetes such as the use of OIDC should be\nimplemented in place of client certificates."]}),"\n",(0,s.jsx)(r.h2,{id:"32-logging",children:"3.2 Logging"}),"\n",(0,s.jsx)(r.h3,{id:"321-ensure-that-a-minimal-audit-policy-is-created-manual",children:"3.2.1 Ensure that a minimal audit policy is created (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nCreate an audit policy file for your cluster."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'audit-policy-file'\n"})}),"\n",(0,s.jsx)(r.h3,{id:"322-ensure-that-the-audit-policy-covers-key-security-concerns-manual",children:"3.2.2 Ensure that the audit policy covers key security concerns (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nReview the audit policy provided for the cluster and ensure that it covers\nat least the following areas,"]}),"\n",(0,s.jsxs)(r.ul,{children:["\n",(0,s.jsx)(r.li,{children:"Access to Secrets managed by the cluster. Care should be taken to only\nlog Metadata for requests to Secrets, ConfigMaps, and TokenReviews, in\norder to avoid risk of logging sensitive data."}),"\n",(0,s.jsx)(r.li,{children:"Modification of Pod and Deployment objects."}),"\n",(0,s.jsxs)(r.li,{children:["Use of ",(0,s.jsx)(r.code,{children:"pods/exec"}),", ",(0,s.jsx)(r.code,{children:"pods/portforward"}),", ",(0,s.jsx)(r.code,{children:"pods/proxy"})," and ",(0,s.jsx)(r.code,{children:"services/proxy"}),".\nFor most requests, minimally logging at the Metadata level is recommended\n(the most basic level of logging)."]}),"\n"]}),"\n",(0,s.jsx)(r.h2,{id:"41-worker-node-configuration-files",children:"4.1 Worker Node Configuration Files"}),"\n",(0,s.jsx)(r.h3,{id:"411-ensure-that-the-kubelet-service-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"4.1.1 Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the each worker node.\nFor example, chmod 644 /etc/systemd/system/kubelet.service.d/10-kubeadm.conf"]}),"\n",(0,s.jsxs)(r.h3,{id:"412-ensure-that-the-kubelet-service-file-ownership-is-set-to-root-automated",children:["4.1.2 Ensure that the kubelet service file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the each worker node.\nFor example,\nchown root",":root"," /etc/systemd/system/kubelet.service.d/10-kubeadm.conf"]}),"\n",(0,s.jsx)(r.h3,{id:"413-if-proxy-kubeconfig-file-exists-ensure-permissions-are-set-to-644-or-more-restrictive-manual",children:"4.1.3 If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the each worker node.\nFor example,\nchmod 644 /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %a /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'permissions' is present OR '/var/lib/rancher/k3s/agent/kubeproxy.kubeconfig' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"644 644\n"})}),"\n",(0,s.jsxs)(r.h3,{id:"414-if-proxy-kubeconfig-file-exists-ensure-ownership-is-set-to-root-manual",children:["4.1.4 If proxy kubeconfig file exists ensure ownership is set to root",":root"," (Manual)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the each worker node.\nFor example, chown root",":root"," /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; fi'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'root:root' is present OR '/var/lib/rancher/k3s/agent/kubeproxy.kubeconfig' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root root:root\n"})}),"\n",(0,s.jsx)(r.h3,{id:"415-ensure-that-the---kubeconfig-kubeletconf-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the each worker node.\nFor example,\nchmod 644 /var/lib/rancher/k3s/server/cred/admin.kubeconfig"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %a /var/lib/rancher/k3s/agent/kubelet.kubeconfig\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'644' is equal to '644'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"644 644\n"})}),"\n",(0,s.jsxs)(r.h3,{id:"416-ensure-that-the---kubeconfig-kubeletconf-file-ownership-is-set-to-root-automated",children:["4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the each worker node.\nFor example,\nchown root",":root"," /var/lib/rancher/k3s/server/cred/admin.kubeconfig"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/agent/kubelet.kubeconfig\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'root:root' is equal to 'root:root'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root root:root\n"})}),"\n",(0,s.jsx)(r.h3,{id:"417-ensure-that-the-certificate-authorities-file-permissions-are-set-to-644-or-more-restrictive-manual",children:"4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the following command to modify the file permissions of the\n--client-ca-file: ",(0,s.jsx)(r.code,{children:"chmod 644 "})]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %a /var/lib/rancher/k3s/server/tls/server-ca.crt\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'644' is present OR '640' is present OR '600' is equal to '600' OR '444' is present OR '440' is present OR '400' is present OR '000' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"644 600\n"})}),"\n",(0,s.jsxs)(r.h3,{id:"418-ensure-that-the-client-certificate-authorities-file-ownership-is-set-to-root-manual",children:["4.1.8 Ensure that the client certificate authorities file ownership is set to root",":root"," (Manual)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the following command to modify the ownership of the --client-ca-file:\n",(0,s.jsx)(r.code,{children:"chown root:root "}),"."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/server/tls/client-ca.crt\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'root:root' is equal to 'root:root'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root root:root\n"})}),"\n",(0,s.jsx)(r.h3,{id:"419-ensure-that-the-kubelet---config-configuration-file-has-permissions-set-to-644-or-more-restrictive-automated",children:"4.1.9 Ensure that the kubelet --config configuration file has permissions set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the following command (using the config file location identified in the Audit step)\nchmod 644 /var/lib/kubelet/config.yaml"]}),"\n",(0,s.jsxs)(r.h3,{id:"4110-ensure-that-the-kubelet---config-configuration-file-ownership-is-set-to-root-automated",children:["4.1.10 Ensure that the kubelet --config configuration file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the following command (using the config file location identified in the Audit step)\nchown root",":root"," /var/lib/kubelet/config.yaml"]}),"\n",(0,s.jsx)(r.h2,{id:"42-kubelet",children:"4.2 Kubelet"}),"\n",(0,s.jsx)(r.h3,{id:"421-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",children:"4.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"authentication: anonymous: enabled"})," to\n",(0,s.jsx)(r.code,{children:"false"}),".\nIf using executable arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n",(0,s.jsx)(r.code,{children:"--anonymous-auth=false"}),"\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'/bin/sh -c \'if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "anonymous-auth" | grep -v grep; else echo "--anonymous-auth=false"; fi\'\n'})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--anonymous-auth' is equal to 'false'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'--anonymous-auth=false Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"422-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",children:"4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"authorization.mode"})," to Webhook. If\nusing executable arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_AUTHZ_ARGS variable.\n--authorization-mode=Webhook\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'/bin/sh -c \'if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "authorization-mode" | grep -v grep; else echo "--authorization-mode=Webhook"; fi\'\n'})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--authorization-mode' does not have 'AlwaysAllow'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'--authorization-mode=Webhook Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"423-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",children:"4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"authentication.x509.clientCAFile"})," to\nthe location of the client CA file.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_AUTHZ_ARGS variable.\n",(0,s.jsx)(r.code,{children:"--client-ca-file="}),"\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'/bin/sh -c \'if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "client-ca-file" | grep -v grep; else echo "--client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt"; fi\'\n'})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--client-ca-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'--client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"424-ensure-that-the---read-only-port-argument-is-set-to-0-manual",children:"4.2.4 Ensure that the --read-only-port argument is set to 0 (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"readOnlyPort"})," to 0.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--read-only-port=0\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kubelet' | tail -n1 | grep 'read-only-port'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--read-only-port' is equal to '0' OR '--read-only-port' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:50 k3s-123-cis-pool2-98604672-hr9p5 k3s[1592]: time="2022-09-13T13:26:50Z" level=info msg="Running kubelet --address=0.0.0.0 --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=k3s-123-cis-pool2-98604672-hr9p5 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --node-labels=rke.cattle.io/machine=00c4e7a0-5497-4367-a70c-0b836757eae8 --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key" Sep 13 13:26:44 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:44Z" level=info msg="Running kubelet --address=0.0.0.0 --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=k3s-123-cis-pool3-b403f678-bzdg5 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --node-labels=rke.cattle.io/machine=109d596c-89f5-4c10-8c7f-6b82a38edd8f --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"425-ensure-that-the---streaming-connection-idle-timeout-argument-is-not-set-to-0-manual",children:"4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"streamingConnectionIdleTimeout"})," to a\nvalue other than 0.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--streaming-connection-idle-timeout=5m\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kubelet' | tail -n1 | grep 'streaming-connection-idle-timeout'\n"})}),"\n",(0,s.jsx)(r.h3,{id:"426-ensure-that-the---protect-kernel-defaults-argument-is-set-to-true-automated",children:"4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"protectKernelDefaults"})," to ",(0,s.jsx)(r.code,{children:"true"}),".\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--protect-kernel-defaults=true\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.h3,{id:"427-ensure-that-the---make-iptables-util-chains-argument-is-set-to-true-automated",children:"4.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"makeIPTablesUtilChains"})," to ",(0,s.jsx)(r.code,{children:"true"}),".\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nremove the --make-iptables-util-chains argument from the\nKUBELET_SYSTEM_PODS_ARGS variable.\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.h3,{id:"428-ensure-that-the---hostname-override-argument-is-not-set-manual",children:"4.2.8 Ensure that the --hostname-override argument is not set (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\non each worker node and remove the --hostname-override argument from the\nKUBELET_SYSTEM_PODS_ARGS variable.\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.h3,{id:"429-ensure-that-the---event-qps-argument-is-set-to-0-or-a-level-which-ensures-appropriate-event-capture-manual",children:"4.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"eventRecordQPS"})," to an appropriate level.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/ps -fC containerd\n"})}),"\n",(0,s.jsx)(r.h3,{id:"4210-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-manual",children:"4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"tlsCertFile"})," to the location\nof the certificate file to use to identify this Kubelet, and ",(0,s.jsx)(r.code,{children:"tlsPrivateKeyFile"}),"\nto the location of the corresponding private key file.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameters in KUBELET_CERTIFICATE_ARGS variable."]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:"--tls-cert-file=\n--tls-private-key-file=\n"})}),"\n",(0,s.jsx)(r.p,{children:"Based on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--tls-cert-file' is present AND '--tls-private-key-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:50 k3s-123-cis-pool2-98604672-hr9p5 k3s[1592]: time="2022-09-13T13:26:50Z" level=info msg="Running kubelet --address=0.0.0.0 --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=k3s-123-cis-pool2-98604672-hr9p5 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --node-labels=rke.cattle.io/machine=00c4e7a0-5497-4367-a70c-0b836757eae8 --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key" Sep 13 13:26:44 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:44Z" level=info msg="Running kubelet --address=0.0.0.0 --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=k3s-123-cis-pool3-b403f678-bzdg5 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --node-labels=rke.cattle.io/machine=109d596c-89f5-4c10-8c7f-6b82a38edd8f --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"4211-ensure-that-the---rotate-certificates-argument-is-not-set-to-false-automated",children:"4.2.11 Ensure that the --rotate-certificates argument is not set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to add the line ",(0,s.jsx)(r.code,{children:"rotateCertificates"})," to ",(0,s.jsx)(r.code,{children:"true"})," or\nremove it altogether to use the default value.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nremove --rotate-certificates=false argument from the KUBELET_CERTIFICATE_ARGS\nvariable.\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.h3,{id:"4212-verify-that-the-rotatekubeletservercertificate-argument-is-set-to-true-manual",children:"4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\non each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.\n--feature-gates=RotateKubeletServerCertificate=true\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.h3,{id:"4213-ensure-that-the-kubelet-only-makes-use-of-strong-cryptographic-ciphers-manual",children:"4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"TLSCipherSuites"})," to\nTLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256\nor to a subset of these values.\nIf using executable arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the --tls-cipher-suites parameter as follows, or to a subset of these values.\n--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/ps -fC containerd\n"})}),"\n",(0,s.jsx)(r.h2,{id:"51-rbac-and-service-accounts",children:"5.1 RBAC and Service Accounts"}),"\n",(0,s.jsx)(r.h3,{id:"511-ensure-that-the-cluster-admin-role-is-only-used-where-required-manual",children:"5.1.1 Ensure that the cluster-admin role is only used where required (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIdentify all clusterrolebindings to the cluster-admin role. Check if they are used and\nif they need this role or if they could use a role with fewer privileges.\nWhere possible, first bind users to a lower privileged role and then remove the\nclusterrolebinding to the cluster-admin role :\nkubectl delete clusterrolebinding [name]"]}),"\n",(0,s.jsx)(r.h3,{id:"512-minimize-access-to-secrets-manual",children:"5.1.2 Minimize access to secrets (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove get, list and watch access to Secret objects in the cluster."]}),"\n",(0,s.jsx)(r.h3,{id:"513-minimize-wildcard-use-in-roles-and-clusterroles-manual",children:"5.1.3 Minimize wildcard use in Roles and ClusterRoles (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible replace any use of wildcards in clusterroles and roles with specific\nobjects or actions."]}),"\n",(0,s.jsx)(r.h3,{id:"514-minimize-access-to-create-pods-manual",children:"5.1.4 Minimize access to create pods (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove create access to pod objects in the cluster."]}),"\n",(0,s.jsx)(r.h3,{id:"515-ensure-that-default-service-accounts-are-not-actively-used-manual",children:"5.1.5 Ensure that default service accounts are not actively used. (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nCreate explicit service accounts wherever a Kubernetes workload requires specific access\nto the Kubernetes API server.\nModify the configuration of each default service account to include this value\nautomountServiceAccountToken: false"]}),"\n",(0,s.jsx)(r.h3,{id:"516-ensure-that-service-account-tokens-are-only-mounted-where-necessary-manual",children:"5.1.6 Ensure that Service Account Tokens are only mounted where necessary (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nModify the definition of pods and service accounts which do not need to mount service\naccount tokens to disable it."]}),"\n",(0,s.jsxs)(r.h3,{id:"517-avoid-use-of-system-group-manual",children:["5.1.7 Avoid use of system",":masters"," group (Manual)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRemove the system",":masters"," group from all users in the cluster."]}),"\n",(0,s.jsx)(r.h3,{id:"518-limit-use-of-the-bind-impersonate-and-escalate-permissions-in-the-kubernetes-cluster-manual",children:"5.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove the impersonate, bind and escalate rights from subjects."]}),"\n",(0,s.jsx)(r.h2,{id:"52-pod-security-standards",children:"5.2 Pod Security Standards"}),"\n",(0,s.jsx)(r.h3,{id:"521-ensure-that-the-cluster-has-at-least-one-active-policy-control-mechanism-in-place-manual",children:"5.2.1 Ensure that the cluster has at least one active policy control mechanism in place (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEnsure that either Pod Security Admission or an external policy control system is in place\nfor every namespace which contains user workloads."]}),"\n",(0,s.jsx)(r.h3,{id:"522-minimize-the-admission-of-privileged-containers-automated",children:"5.2.2 Minimize the admission of privileged containers (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of privileged containers."]}),"\n",(0,s.jsx)(r.h3,{id:"523-minimize-the-admission-of-containers-wishing-to-share-the-host-process-id-namespace-automated",children:"5.2.3 Minimize the admission of containers wishing to share the host process ID namespace (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of ",(0,s.jsx)(r.code,{children:"hostPID"})," containers."]}),"\n",(0,s.jsx)(r.h3,{id:"524-minimize-the-admission-of-containers-wishing-to-share-the-host-ipc-namespace-automated",children:"5.2.4 Minimize the admission of containers wishing to share the host IPC namespace (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of ",(0,s.jsx)(r.code,{children:"hostIPC"})," containers."]}),"\n",(0,s.jsx)(r.h3,{id:"525-minimize-the-admission-of-containers-wishing-to-share-the-host-network-namespace-automated",children:"5.2.5 Minimize the admission of containers wishing to share the host network namespace (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of ",(0,s.jsx)(r.code,{children:"hostNetwork"})," containers."]}),"\n",(0,s.jsx)(r.h3,{id:"526-minimize-the-admission-of-containers-with-allowprivilegeescalation-automated",children:"5.2.6 Minimize the admission of containers with allowPrivilegeEscalation (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers with ",(0,s.jsx)(r.code,{children:".spec.allowPrivilegeEscalation"})," set to ",(0,s.jsx)(r.code,{children:"true"}),"."]}),"\n",(0,s.jsx)(r.h3,{id:"527-minimize-the-admission-of-root-containers-automated",children:"5.2.7 Minimize the admission of root containers (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nCreate a policy for each namespace in the cluster, ensuring that either ",(0,s.jsx)(r.code,{children:"MustRunAsNonRoot"}),"\nor ",(0,s.jsx)(r.code,{children:"MustRunAs"})," with the range of UIDs not including 0, is set."]}),"\n",(0,s.jsx)(r.h3,{id:"528-minimize-the-admission-of-containers-with-the-net_raw-capability-automated",children:"5.2.8 Minimize the admission of containers with the NET_RAW capability (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers with the ",(0,s.jsx)(r.code,{children:"NET_RAW"})," capability."]}),"\n",(0,s.jsx)(r.h3,{id:"529-minimize-the-admission-of-containers-with-added-capabilities-automated",children:"5.2.9 Minimize the admission of containers with added capabilities (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEnsure that ",(0,s.jsx)(r.code,{children:"allowedCapabilities"})," is not present in policies for the cluster unless\nit is set to an empty array."]}),"\n",(0,s.jsx)(r.h3,{id:"5210-minimize-the-admission-of-containers-with-capabilities-assigned-manual",children:"5.2.10 Minimize the admission of containers with capabilities assigned (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nReview the use of capabilities in applications running on your cluster. Where a namespace\ncontains applications which do not require any Linux capabilities to operate consider adding\na PSP which forbids the admission of containers which do not drop all capabilities."]}),"\n",(0,s.jsx)(r.h3,{id:"5211-minimize-the-admission-of-windows-hostprocess-containers-manual",children:"5.2.11 Minimize the admission of Windows HostProcess containers (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers that have ",(0,s.jsx)(r.code,{children:".securityContext.windowsOptions.hostProcess"})," set to ",(0,s.jsx)(r.code,{children:"true"}),"."]}),"\n",(0,s.jsx)(r.h3,{id:"5212-minimize-the-admission-of-hostpath-volumes-manual",children:"5.2.12 Minimize the admission of HostPath volumes (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers with ",(0,s.jsx)(r.code,{children:"hostPath"})," volumes."]}),"\n",(0,s.jsx)(r.h3,{id:"5213-minimize-the-admission-of-containers-which-use-hostports-manual",children:"5.2.13 Minimize the admission of containers which use HostPorts (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers which use ",(0,s.jsx)(r.code,{children:"hostPort"})," sections."]}),"\n",(0,s.jsx)(r.h2,{id:"53-network-policies-and-cni",children:"5.3 Network Policies and CNI"}),"\n",(0,s.jsx)(r.h3,{id:"531-ensure-that-the-cni-in-use-supports-networkpolicies-manual",children:"5.3.1 Ensure that the CNI in use supports NetworkPolicies (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf the CNI plugin in use does not support network policies, consideration should be given to\nmaking use of a different plugin, or finding an alternate mechanism for restricting traffic\nin the Kubernetes cluster."]}),"\n",(0,s.jsx)(r.h3,{id:"532-ensure-that-all-namespaces-have-networkpolicies-defined-manual",children:"5.3.2 Ensure that all Namespaces have NetworkPolicies defined (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the documentation and create NetworkPolicy objects as you need them."]}),"\n",(0,s.jsx)(r.h2,{id:"54-secrets-management",children:"5.4 Secrets Management"}),"\n",(0,s.jsx)(r.h3,{id:"541-prefer-using-secrets-as-files-over-secrets-as-environment-variables-manual",children:"5.4.1 Prefer using Secrets as files over Secrets as environment variables (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf possible, rewrite application code to read Secrets from mounted secret files, rather than\nfrom environment variables."]}),"\n",(0,s.jsx)(r.h3,{id:"542-consider-external-secret-storage-manual",children:"5.4.2 Consider external secret storage (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRefer to the Secrets management options offered by your cloud provider or a third-party\nsecrets management solution."]}),"\n",(0,s.jsx)(r.h2,{id:"55-extensible-admission-control",children:"5.5 Extensible Admission Control"}),"\n",(0,s.jsx)(r.h3,{id:"551-configure-image-provenance-using-imagepolicywebhook-admission-controller-manual",children:"5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and setup image provenance."]}),"\n",(0,s.jsx)(r.h2,{id:"57-general-policies",children:"5.7 General Policies"}),"\n",(0,s.jsx)(r.h3,{id:"571-create-administrative-boundaries-between-resources-using-namespaces-manual",children:"5.7.1 Create administrative boundaries between resources using namespaces (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the documentation and create namespaces for objects in your deployment as you need\nthem."]}),"\n",(0,s.jsx)(r.h3,{id:"572-ensure-that-the-seccomp-profile-is-set-to-dockerdefault-in-your-pod-definitions-manual",children:"5.7.2 Ensure that the seccomp profile is set to docker/default in your Pod definitions (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nUse ",(0,s.jsx)(r.code,{children:"securityContext"})," to enable the docker/default seccomp profile in your pod definitions.\nAn example is as below:\nsecurityContext:\nseccompProfile:\ntype: RuntimeDefault"]}),"\n",(0,s.jsx)(r.h3,{id:"573-apply-securitycontext-to-your-pods-and-containers-manual",children:"5.7.3 Apply SecurityContext to your Pods and Containers (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and apply SecurityContexts to your Pods. For a\nsuggested list of SecurityContexts, you may refer to the CIS Security Benchmark for Docker\nContainers."]}),"\n",(0,s.jsx)(r.h3,{id:"574-the-default-namespace-should-not-be-used-manual",children:"5.7.4 The default namespace should not be used (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEnsure that namespaces are created to allow for appropriate segregation of Kubernetes\nresources and that all new resources are created in a specific namespace."]})]})}function h(e={}){const{wrapper:r}={...(0,n.a)(),...e.components};return r?(0,s.jsx)(r,{...e,children:(0,s.jsx)(d,{...e})}):d(e)}},1151:(e,r,t)=>{t.d(r,{Z:()=>c,a:()=>i});var s=t(7294);const n={},a=s.createContext(n);function i(e){const r=s.useContext(a);return s.useMemo((function(){return"function"==typeof e?e(r):{...r,...e}}),[r,e])}function c(e){let r;return r=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:i(e.components),s.createElement(a.Provider,{value:r},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/2c7731a3.ad50e493.js b/kr/assets/js/2c7731a3.ad50e493.js new file mode 100644 index 000000000..b9f326011 --- /dev/null +++ b/kr/assets/js/2c7731a3.ad50e493.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[3411],{3023:(e,r,t)=>{t.r(r),t.d(r,{assets:()=>l,contentTitle:()=>i,default:()=>h,frontMatter:()=>a,metadata:()=>c,toc:()=>o});var s=t(5893),n=t(1151);const a={title:"CIS Self Assessment Guide"},i=void 0,c={id:"security/self-assessment-1.23",title:"CIS Self Assessment Guide",description:"CIS Kubernetes Benchmark v1.23 - K3s with Kubernetes v1.22 to v1.24",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/security/self-assessment-1.23.md",sourceDirName:"security",slug:"/security/self-assessment-1.23",permalink:"/kr/security/self-assessment-1.23",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/security/self-assessment-1.23.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"CIS Self Assessment Guide"}},l={},o=[{value:"CIS Kubernetes Benchmark v1.23 - K3s with Kubernetes v1.22 to v1.24",id:"cis-kubernetes-benchmark-v123---k3s-with-kubernetes-v122-to-v124",level:3},{value:"Overview",id:"overview",level:4},{value:"Testing controls methodology",id:"testing-controls-methodology",level:4},{value:"Controls",id:"controls",level:3},{value:"1.1 Control Plane Node Configuration Files",id:"11-control-plane-node-configuration-files",level:2},{value:"1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)",id:"111-ensure-that-the-api-server-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"1.1.2 Ensure that the API server pod specification file ownership is set to root (Automated)",id:"112-ensure-that-the-api-server-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Automated)",id:"113-ensure-that-the-controller-manager-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"1.1.4 Ensure that the controller manager pod specification file ownership is set to root (Automated)",id:"114-ensure-that-the-controller-manager-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.5 Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Automated)",id:"115-ensure-that-the-scheduler-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"1.1.6 Ensure that the scheduler pod specification file ownership is set to root (Automated)",id:"116-ensure-that-the-scheduler-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.7 Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated)",id:"117-ensure-that-the-etcd-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"1.1.8 Ensure that the etcd pod specification file ownership is set to root (Automated)",id:"118-ensure-that-the-etcd-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.9 Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual)",id:"119-ensure-that-the-container-network-interface-file-permissions-are-set-to-644-or-more-restrictive-manual",level:3},{value:"1.1.10 Ensure that the Container Network Interface file ownership is set to root (Manual)",id:"1110-ensure-that-the-container-network-interface-file-ownership-is-set-to-root-manual",level:3},{value:"1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)",id:"1111-ensure-that-the-etcd-data-directory-permissions-are-set-to-700-or-more-restrictive-automated",level:3},{value:"1.1.12 Ensure that the etcd data directory ownership is set to etcd (Automated)",id:"1112-ensure-that-the-etcd-data-directory-ownership-is-set-to-etcd-automated",level:3},{value:"1.1.13 Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)",id:"1113-ensure-that-the-adminconf-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.14 Ensure that the admin.conf file ownership is set to root (Automated)",id:"1114-ensure-that-the-adminconf-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.15 Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated)",id:"1115-ensure-that-the-schedulerconf-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"1.1.16 Ensure that the scheduler.conf file ownership is set to root (Automated)",id:"1116-ensure-that-the-schedulerconf-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated)",id:"1117-ensure-that-the-controller-managerconf-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"1.1.18 Ensure that the controller-manager.conf file ownership is set to root (Automated)",id:"1118-ensure-that-the-controller-managerconf-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root (Automated)",id:"1119-ensure-that-the-kubernetes-pki-directory-and-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Manual)",id:"1120-ensure-that-the-kubernetes-pki-certificate-file-permissions-are-set-to-644-or-more-restrictive-manual",level:3},{value:"1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)",id:"1121-ensure-that-the-kubernetes-pki-key-file-permissions-are-set-to-600-manual",level:3},{value:"1.2 API Server",id:"12-api-server",level:2},{value:"1.2.1 Ensure that the --anonymous-auth argument is set to false (Manual)",id:"121-ensure-that-the---anonymous-auth-argument-is-set-to-false-manual",level:3},{value:"1.2.2 Ensure that the --token-auth-file parameter is not set (Automated)",id:"122-ensure-that-the---token-auth-file-parameter-is-not-set-automated",level:3},{value:"1.2.3 Ensure that the --DenyServiceExternalIPs is not set (Automated)",id:"123-ensure-that-the---denyserviceexternalips-is-not-set-automated",level:3},{value:"1.2.4 Ensure that the --kubelet-https argument is set to true (Automated)",id:"124-ensure-that-the---kubelet-https-argument-is-set-to-true-automated",level:3},{value:"1.2.5 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)",id:"125-ensure-that-the---kubelet-client-certificate-and---kubelet-client-key-arguments-are-set-as-appropriate-automated",level:3},{value:"1.2.6 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)",id:"126-ensure-that-the---kubelet-certificate-authority-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.7 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)",id:"127-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",level:3},{value:"1.2.8 Ensure that the --authorization-mode argument includes Node (Automated)",id:"128-ensure-that-the---authorization-mode-argument-includes-node-automated",level:3},{value:"1.2.9 Ensure that the --authorization-mode argument includes RBAC (Automated)",id:"129-ensure-that-the---authorization-mode-argument-includes-rbac-automated",level:3},{value:"1.2.10 Ensure that the admission control plugin EventRateLimit is set (Manual)",id:"1210-ensure-that-the-admission-control-plugin-eventratelimit-is-set-manual",level:3},{value:"1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set (Automated)",id:"1211-ensure-that-the-admission-control-plugin-alwaysadmit-is-not-set-automated",level:3},{value:"1.2.12 Ensure that the admission control plugin AlwaysPullImages is set (Manual)",id:"1212-ensure-that-the-admission-control-plugin-alwayspullimages-is-set-manual",level:3},{value:"1.2.13 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)",id:"1213-ensure-that-the-admission-control-plugin-securitycontextdeny-is-set-if-podsecuritypolicy-is-not-used-manual",level:3},{value:"1.2.14 Ensure that the admission control plugin ServiceAccount is set (Automated)",id:"1214-ensure-that-the-admission-control-plugin-serviceaccount-is-set-automated",level:3},{value:"1.2.15 Ensure that the admission control plugin NamespaceLifecycle is set (Automated)",id:"1215-ensure-that-the-admission-control-plugin-namespacelifecycle-is-set-automated",level:3},{value:"1.2.16 Ensure that the admission control plugin NodeRestriction is set (Automated)",id:"1216-ensure-that-the-admission-control-plugin-noderestriction-is-set-automated",level:3},{value:"1.2.17 Ensure that the --secure-port argument is not set to 0 (Automated)",id:"1217-ensure-that-the---secure-port-argument-is-not-set-to-0-automated",level:3},{value:"1.2.18 Ensure that the --profiling argument is set to false (Automated)",id:"1218-ensure-that-the---profiling-argument-is-set-to-false-automated",level:3},{value:"1.2.19 Ensure that the --audit-log-path argument is set (Automated)",id:"1219-ensure-that-the---audit-log-path-argument-is-set-automated",level:3},{value:"1.2.20 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)",id:"1220-ensure-that-the---audit-log-maxage-argument-is-set-to-30-or-as-appropriate-automated",level:3},{value:"1.2.21 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)",id:"1221-ensure-that-the---audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate-automated",level:3},{value:"1.2.22 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)",id:"1222-ensure-that-the---audit-log-maxsize-argument-is-set-to-100-or-as-appropriate-automated",level:3},{value:"1.2.24 Ensure that the --service-account-lookup argument is set to true (Automated)",id:"1224-ensure-that-the---service-account-lookup-argument-is-set-to-true-automated",level:3},{value:"1.2.25 Ensure that the --request-timeout argument is set as appropriate (Automated)",id:"1225-ensure-that-the---request-timeout-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.26 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)",id:"1226-ensure-that-the---etcd-certfile-and---etcd-keyfile-arguments-are-set-as-appropriate-automated",level:3},{value:"1.2.27 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)",id:"1227-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"1.2.28 Ensure that the --client-ca-file argument is set as appropriate (Automated)",id:"1228-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.29 Ensure that the --etcd-cafile argument is set as appropriate (Automated)",id:"1229-ensure-that-the---etcd-cafile-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.30 Ensure that the --encryption-provider-config argument is set as appropriate (Manual)",id:"1230-ensure-that-the---encryption-provider-config-argument-is-set-as-appropriate-manual",level:3},{value:"1.2.31 Ensure that encryption providers are appropriately configured (Manual)",id:"1231-ensure-that-encryption-providers-are-appropriately-configured-manual",level:3},{value:"1.2.32 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual)",id:"1232-ensure-that-the-api-server-only-makes-use-of-strong-cryptographic-ciphers-manual",level:3},{value:"1.3 Controller Manager",id:"13-controller-manager",level:2},{value:"1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)",id:"131-ensure-that-the---terminated-pod-gc-threshold-argument-is-set-as-appropriate-manual",level:3},{value:"1.3.2 Ensure that the --profiling argument is set to false (Automated)",id:"132-ensure-that-the---profiling-argument-is-set-to-false-automated",level:3},{value:"1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated)",id:"133-ensure-that-the---use-service-account-credentials-argument-is-set-to-true-automated",level:3},{value:"1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)",id:"134-ensure-that-the---service-account-private-key-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated)",id:"135-ensure-that-the---root-ca-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)",id:"136-ensure-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",level:3},{value:"1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)",id:"137-ensure-that-the---bind-address-argument-is-set-to-127001-automated",level:3},{value:"1.4 Scheduler",id:"14-scheduler",level:2},{value:"1.4.1 Ensure that the --profiling argument is set to false (Automated)",id:"141-ensure-that-the---profiling-argument-is-set-to-false-automated",level:3},{value:"1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)",id:"142-ensure-that-the---bind-address-argument-is-set-to-127001-automated",level:3},{value:"2 Etcd Node Configuration",id:"2-etcd-node-configuration",level:2},{value:"2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)",id:"21-ensure-that-the---cert-file-and---key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"2.2 Ensure that the --client-cert-auth argument is set to true (Automated)",id:"22-ensure-that-the---client-cert-auth-argument-is-set-to-true-automated",level:3},{value:"2.3 Ensure that the --auto-tls argument is not set to true (Automated)",id:"23-ensure-that-the---auto-tls-argument-is-not-set-to-true-automated",level:3},{value:"2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)",id:"24-ensure-that-the---peer-cert-file-and---peer-key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"2.5 Ensure that the --peer-client-cert-auth argument is set to true (Automated)",id:"25-ensure-that-the---peer-client-cert-auth-argument-is-set-to-true-automated",level:3},{value:"2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated)",id:"26-ensure-that-the---peer-auto-tls-argument-is-not-set-to-true-automated",level:3},{value:"2.7 Ensure that a unique Certificate Authority is used for etcd (Manual)",id:"27-ensure-that-a-unique-certificate-authority-is-used-for-etcd-manual",level:3},{value:"3.1 Authentication and Authorization",id:"31-authentication-and-authorization",level:2},{value:"3.1.1 Client certificate authentication should not be used for users (Manual)",id:"311-client-certificate-authentication-should-not-be-used-for-users-manual",level:3},{value:"3.2 Logging",id:"32-logging",level:2},{value:"3.2.1 Ensure that a minimal audit policy is created (Manual)",id:"321-ensure-that-a-minimal-audit-policy-is-created-manual",level:3},{value:"3.2.2 Ensure that the audit policy covers key security concerns (Manual)",id:"322-ensure-that-the-audit-policy-covers-key-security-concerns-manual",level:3},{value:"4.1 Worker Node Configuration Files",id:"41-worker-node-configuration-files",level:2},{value:"4.1.1 Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automated)",id:"411-ensure-that-the-kubelet-service-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"4.1.2 Ensure that the kubelet service file ownership is set to root (Automated)",id:"412-ensure-that-the-kubelet-service-file-ownership-is-set-to-root-automated",level:3},{value:"4.1.3 If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive (Manual)",id:"413-if-proxy-kubeconfig-file-exists-ensure-permissions-are-set-to-644-or-more-restrictive-manual",level:3},{value:"4.1.4 If proxy kubeconfig file exists ensure ownership is set to root (Manual)",id:"414-if-proxy-kubeconfig-file-exists-ensure-ownership-is-set-to-root-manual",level:3},{value:"4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive (Automated)",id:"415-ensure-that-the---kubeconfig-kubeletconf-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root (Automated)",id:"416-ensure-that-the---kubeconfig-kubeletconf-file-ownership-is-set-to-root-automated",level:3},{value:"4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual)",id:"417-ensure-that-the-certificate-authorities-file-permissions-are-set-to-644-or-more-restrictive-manual",level:3},{value:"4.1.8 Ensure that the client certificate authorities file ownership is set to root (Manual)",id:"418-ensure-that-the-client-certificate-authorities-file-ownership-is-set-to-root-manual",level:3},{value:"4.1.9 Ensure that the kubelet --config configuration file has permissions set to 644 or more restrictive (Automated)",id:"419-ensure-that-the-kubelet---config-configuration-file-has-permissions-set-to-644-or-more-restrictive-automated",level:3},{value:"4.1.10 Ensure that the kubelet --config configuration file ownership is set to root (Automated)",id:"4110-ensure-that-the-kubelet---config-configuration-file-ownership-is-set-to-root-automated",level:3},{value:"4.2 Kubelet",id:"42-kubelet",level:2},{value:"4.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)",id:"421-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",level:3},{value:"4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)",id:"422-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",level:3},{value:"4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)",id:"423-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",level:3},{value:"4.2.4 Ensure that the --read-only-port argument is set to 0 (Manual)",id:"424-ensure-that-the---read-only-port-argument-is-set-to-0-manual",level:3},{value:"4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)",id:"425-ensure-that-the---streaming-connection-idle-timeout-argument-is-not-set-to-0-manual",level:3},{value:"4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)",id:"426-ensure-that-the---protect-kernel-defaults-argument-is-set-to-true-automated",level:3},{value:"4.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Automated)",id:"427-ensure-that-the---make-iptables-util-chains-argument-is-set-to-true-automated",level:3},{value:"4.2.8 Ensure that the --hostname-override argument is not set (Manual)",id:"428-ensure-that-the---hostname-override-argument-is-not-set-manual",level:3},{value:"4.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Manual)",id:"429-ensure-that-the---event-qps-argument-is-set-to-0-or-a-level-which-ensures-appropriate-event-capture-manual",level:3},{value:"4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)",id:"4210-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-manual",level:3},{value:"4.2.11 Ensure that the --rotate-certificates argument is not set to false (Automated)",id:"4211-ensure-that-the---rotate-certificates-argument-is-not-set-to-false-automated",level:3},{value:"4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true (Manual)",id:"4212-verify-that-the-rotatekubeletservercertificate-argument-is-set-to-true-manual",level:3},{value:"4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)",id:"4213-ensure-that-the-kubelet-only-makes-use-of-strong-cryptographic-ciphers-manual",level:3},{value:"5.1 RBAC and Service Accounts",id:"51-rbac-and-service-accounts",level:2},{value:"5.1.1 Ensure that the cluster-admin role is only used where required (Manual)",id:"511-ensure-that-the-cluster-admin-role-is-only-used-where-required-manual",level:3},{value:"5.1.2 Minimize access to secrets (Manual)",id:"512-minimize-access-to-secrets-manual",level:3},{value:"5.1.3 Minimize wildcard use in Roles and ClusterRoles (Manual)",id:"513-minimize-wildcard-use-in-roles-and-clusterroles-manual",level:3},{value:"5.1.4 Minimize access to create pods (Manual)",id:"514-minimize-access-to-create-pods-manual",level:3},{value:"5.1.5 Ensure that default service accounts are not actively used. (Manual)",id:"515-ensure-that-default-service-accounts-are-not-actively-used-manual",level:3},{value:"5.1.6 Ensure that Service Account Tokens are only mounted where necessary (Manual)",id:"516-ensure-that-service-account-tokens-are-only-mounted-where-necessary-manual",level:3},{value:"5.1.7 Avoid use of system group (Manual)",id:"517-avoid-use-of-system-group-manual",level:3},{value:"5.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)",id:"518-limit-use-of-the-bind-impersonate-and-escalate-permissions-in-the-kubernetes-cluster-manual",level:3},{value:"5.2 Pod Security Standards",id:"52-pod-security-standards",level:2},{value:"5.2.1 Ensure that the cluster has at least one active policy control mechanism in place (Manual)",id:"521-ensure-that-the-cluster-has-at-least-one-active-policy-control-mechanism-in-place-manual",level:3},{value:"5.2.2 Minimize the admission of privileged containers (Automated)",id:"522-minimize-the-admission-of-privileged-containers-automated",level:3},{value:"5.2.3 Minimize the admission of containers wishing to share the host process ID namespace (Automated)",id:"523-minimize-the-admission-of-containers-wishing-to-share-the-host-process-id-namespace-automated",level:3},{value:"5.2.4 Minimize the admission of containers wishing to share the host IPC namespace (Automated)",id:"524-minimize-the-admission-of-containers-wishing-to-share-the-host-ipc-namespace-automated",level:3},{value:"5.2.5 Minimize the admission of containers wishing to share the host network namespace (Automated)",id:"525-minimize-the-admission-of-containers-wishing-to-share-the-host-network-namespace-automated",level:3},{value:"5.2.6 Minimize the admission of containers with allowPrivilegeEscalation (Automated)",id:"526-minimize-the-admission-of-containers-with-allowprivilegeescalation-automated",level:3},{value:"5.2.7 Minimize the admission of root containers (Automated)",id:"527-minimize-the-admission-of-root-containers-automated",level:3},{value:"5.2.8 Minimize the admission of containers with the NET_RAW capability (Automated)",id:"528-minimize-the-admission-of-containers-with-the-net_raw-capability-automated",level:3},{value:"5.2.9 Minimize the admission of containers with added capabilities (Automated)",id:"529-minimize-the-admission-of-containers-with-added-capabilities-automated",level:3},{value:"5.2.10 Minimize the admission of containers with capabilities assigned (Manual)",id:"5210-minimize-the-admission-of-containers-with-capabilities-assigned-manual",level:3},{value:"5.2.11 Minimize the admission of Windows HostProcess containers (Manual)",id:"5211-minimize-the-admission-of-windows-hostprocess-containers-manual",level:3},{value:"5.2.12 Minimize the admission of HostPath volumes (Manual)",id:"5212-minimize-the-admission-of-hostpath-volumes-manual",level:3},{value:"5.2.13 Minimize the admission of containers which use HostPorts (Manual)",id:"5213-minimize-the-admission-of-containers-which-use-hostports-manual",level:3},{value:"5.3 Network Policies and CNI",id:"53-network-policies-and-cni",level:2},{value:"5.3.1 Ensure that the CNI in use supports NetworkPolicies (Manual)",id:"531-ensure-that-the-cni-in-use-supports-networkpolicies-manual",level:3},{value:"5.3.2 Ensure that all Namespaces have NetworkPolicies defined (Manual)",id:"532-ensure-that-all-namespaces-have-networkpolicies-defined-manual",level:3},{value:"5.4 Secrets Management",id:"54-secrets-management",level:2},{value:"5.4.1 Prefer using Secrets as files over Secrets as environment variables (Manual)",id:"541-prefer-using-secrets-as-files-over-secrets-as-environment-variables-manual",level:3},{value:"5.4.2 Consider external secret storage (Manual)",id:"542-consider-external-secret-storage-manual",level:3},{value:"5.5 Extensible Admission Control",id:"55-extensible-admission-control",level:2},{value:"5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)",id:"551-configure-image-provenance-using-imagepolicywebhook-admission-controller-manual",level:3},{value:"5.7 General Policies",id:"57-general-policies",level:2},{value:"5.7.1 Create administrative boundaries between resources using namespaces (Manual)",id:"571-create-administrative-boundaries-between-resources-using-namespaces-manual",level:3},{value:"5.7.2 Ensure that the seccomp profile is set to docker/default in your Pod definitions (Manual)",id:"572-ensure-that-the-seccomp-profile-is-set-to-dockerdefault-in-your-pod-definitions-manual",level:3},{value:"5.7.3 Apply SecurityContext to your Pods and Containers (Manual)",id:"573-apply-securitycontext-to-your-pods-and-containers-manual",level:3},{value:"5.7.4 The default namespace should not be used (Manual)",id:"574-the-default-namespace-should-not-be-used-manual",level:3}];function d(e){const r={a:"a",blockquote:"blockquote",code:"code",h2:"h2",h3:"h3",h4:"h4",hr:"hr",li:"li",p:"p",pre:"pre",strong:"strong",ul:"ul",...(0,n.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(r.h3,{id:"cis-kubernetes-benchmark-v123---k3s-with-kubernetes-v122-to-v124",children:"CIS Kubernetes Benchmark v1.23 - K3s with Kubernetes v1.22 to v1.24"}),"\n",(0,s.jsx)(r.h4,{id:"overview",children:"Overview"}),"\n",(0,s.jsxs)(r.p,{children:["This document is a companion to the ",(0,s.jsx)(r.a,{href:"/kr/security/hardening-guide",children:"K3s security hardening guide"}),". The hardening guide provides prescriptive guidance for hardening a production installation of K3s, and this benchmark guide is meant to help you evaluate the level of security of the hardened cluster against each control in the CIS Kubernetes Benchmark. It is to be used by K3s operators, security teams, auditors, and decision-makers."]}),"\n",(0,s.jsxs)(r.p,{children:["This guide is specific to the ",(0,s.jsx)(r.strong,{children:"v1.22"}),", ",(0,s.jsx)(r.strong,{children:"v1.23"})," and ",(0,s.jsx)(r.strong,{children:"v1.24"})," release line of K3s and the ",(0,s.jsx)(r.strong,{children:"v1.23"})," release of the CIS Kubernetes Benchmark."]}),"\n",(0,s.jsxs)(r.p,{children:["For more information about each control, including detailed descriptions and remediations for failing tests, you can refer to the corresponding section of the CIS Kubernetes Benchmark v1.6. You can download the benchmark, after creating a free account, in ",(0,s.jsx)(r.a,{href:"https://www.cisecurity.org/benchmark/kubernetes/",children:"Center for Internet Security (CIS)"}),"."]}),"\n",(0,s.jsx)(r.h4,{id:"testing-controls-methodology",children:"Testing controls methodology"}),"\n",(0,s.jsx)(r.p,{children:"Each control in the CIS Kubernetes Benchmark was evaluated against a K3s cluster that was configured according to the accompanying hardening guide."}),"\n",(0,s.jsx)(r.p,{children:"Where control audits differ from the original CIS benchmark, the audit commands specific to K3s are provided for testing."}),"\n",(0,s.jsx)(r.p,{children:"These are the possible results for each control:"}),"\n",(0,s.jsxs)(r.ul,{children:["\n",(0,s.jsxs)(r.li,{children:[(0,s.jsx)(r.strong,{children:"Pass"})," - The K3s cluster under test passed the audit outlined in the benchmark."]}),"\n",(0,s.jsxs)(r.li,{children:[(0,s.jsx)(r.strong,{children:"Not Applicable"})," - The control is not applicable to K3s because of how it is designed to operate. The remediation section will explain why this is so."]}),"\n",(0,s.jsxs)(r.li,{children:[(0,s.jsx)(r.strong,{children:"Warn"})," - The control is manual in the CIS benchmark and it depends on the cluster's use case or some other factor that must be determined by the cluster operator. These controls have been evaluated to ensure K3s does not prevent their implementation, but no further configuration or auditing of the cluster under test has been performed."]}),"\n"]}),"\n",(0,s.jsx)(r.p,{children:'This guide makes the assumption that K3s is running as a Systemd unit. Your installation may vary and will require you to adjust the "audit" commands to fit your scenario.'}),"\n",(0,s.jsxs)(r.blockquote,{children:["\n",(0,s.jsxs)(r.p,{children:["NOTE: Only ",(0,s.jsx)(r.code,{children:"automated"})," tests (previously called ",(0,s.jsx)(r.code,{children:"scored"}),") are covered in this guide."]}),"\n"]}),"\n",(0,s.jsx)(r.h3,{id:"controls",children:"Controls"}),"\n",(0,s.jsx)(r.hr,{}),"\n",(0,s.jsx)(r.h2,{id:"11-control-plane-node-configuration-files",children:"1.1 Control Plane Node Configuration Files"}),"\n",(0,s.jsx)(r.h3,{id:"111-ensure-that-the-api-server-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the\ncontrol plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chmod 644 /etc/kubernetes/manifests/kube-apiserver.yaml"})]}),"\n",(0,s.jsxs)(r.h3,{id:"112-ensure-that-the-api-server-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.2 Ensure that the API server pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chown root:root /etc/kubernetes/manifests/kube-apiserver.yaml"})]}),"\n",(0,s.jsx)(r.h3,{id:"113-ensure-that-the-controller-manager-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chmod 644 /etc/kubernetes/manifests/kube-controller-manager.yaml"})]}),"\n",(0,s.jsxs)(r.h3,{id:"114-ensure-that-the-controller-manager-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.4 Ensure that the controller manager pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chown root:root /etc/kubernetes/manifests/kube-controller-manager.yaml"})]}),"\n",(0,s.jsx)(r.h3,{id:"115-ensure-that-the-scheduler-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"1.1.5 Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chmod 644 /etc/kubernetes/manifests/kube-scheduler.yaml"})]}),"\n",(0,s.jsxs)(r.h3,{id:"116-ensure-that-the-scheduler-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.6 Ensure that the scheduler pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chown root:root /etc/kubernetes/manifests/kube-scheduler.yaml"})]}),"\n",(0,s.jsx)(r.h3,{id:"117-ensure-that-the-etcd-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"1.1.7 Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chmod 644 /etc/kubernetes/manifests/etcd.yaml"})]}),"\n",(0,s.jsxs)(r.h3,{id:"118-ensure-that-the-etcd-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.8 Ensure that the etcd pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chown root:root /etc/kubernetes/manifests/etcd.yaml"})]}),"\n",(0,s.jsx)(r.h3,{id:"119-ensure-that-the-container-network-interface-file-permissions-are-set-to-644-or-more-restrictive-manual",children:"1.1.9 Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chmod 644 "})]}),"\n",(0,s.jsxs)(r.h3,{id:"1110-ensure-that-the-container-network-interface-file-ownership-is-set-to-root-manual",children:["1.1.10 Ensure that the Container Network Interface file ownership is set to root",":root"," (Manual)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chown root:root "})]}),"\n",(0,s.jsx)(r.h3,{id:"1111-ensure-that-the-etcd-data-directory-permissions-are-set-to-700-or-more-restrictive-automated",children:"1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nOn the etcd server node, get the etcd data directory, passed as an argument --data-dir,\nfrom the command 'ps -ef | grep etcd'.\nRun the below command (based on the etcd data directory found above). For example,\nchmod 700 /var/lib/etcd"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 1.1.11\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'700' is equal to '700'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"700\n"})}),"\n",(0,s.jsxs)(r.h3,{id:"1112-ensure-that-the-etcd-data-directory-ownership-is-set-to-etcd-automated",children:["1.1.12 Ensure that the etcd data directory ownership is set to etcd",":etcd"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nOn the etcd server node, get the etcd data directory, passed as an argument --data-dir,\nfrom the command 'ps -ef | grep etcd'.\nRun the below command (based on the etcd data directory found above).\nFor example, chown etcd",":etcd"," /var/lib/etcd"]}),"\n",(0,s.jsx)(r.h3,{id:"1113-ensure-that-the-adminconf-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.13 Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, chmod 600 /var/lib/rancher/k3s/server/cred/admin.kubeconfig"]}),"\n",(0,s.jsxs)(r.h3,{id:"1114-ensure-that-the-adminconf-file-ownership-is-set-to-root-automated",children:["1.1.14 Ensure that the admin.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, chown root",":root"," /etc/kubernetes/admin.conf"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/admin.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/server/cred/admin.kubeconfig; fi'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'root:root' is equal to 'root:root'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root\n"})}),"\n",(0,s.jsx)(r.h3,{id:"1115-ensure-that-the-schedulerconf-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"1.1.15 Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example,\nchmod 644 scheduler"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; fi'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions has permissions 644, expected 644 or more restrictive\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions=644\n"})}),"\n",(0,s.jsxs)(r.h3,{id:"1116-ensure-that-the-schedulerconf-file-ownership-is-set-to-root-automated",children:["1.1.16 Ensure that the scheduler.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chown root:root scheduler"})]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; fi'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'root:root' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root\n"})}),"\n",(0,s.jsx)(r.h3,{id:"1117-ensure-that-the-controller-managerconf-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example,\nchmod 644 controllermanager"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/controller.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/controller.kubeconfig; fi'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions has permissions 644, expected 644 or more restrictive\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions=644\n"})}),"\n",(0,s.jsxs)(r.h3,{id:"1118-ensure-that-the-controller-managerconf-file-ownership-is-set-to-root-automated",children:["1.1.18 Ensure that the controller-manager.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example,\nchown root",":root"," controllermanager"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/server/tls\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'root:root' is equal to 'root:root'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root\n"})}),"\n",(0,s.jsxs)(r.h3,{id:"1119-ensure-that-the-kubernetes-pki-directory-and-file-ownership-is-set-to-root-automated",children:["1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example,\nchown -R root",":root"," /etc/kubernetes/pki/"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"find /var/lib/rancher/k3s/server/tls | xargs stat -c %U:%G\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'root:root' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root\n"})}),"\n",(0,s.jsx)(r.h3,{id:"1120-ensure-that-the-kubernetes-pki-certificate-file-permissions-are-set-to-644-or-more-restrictive-manual",children:"1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example,\nchmod -R 644 /etc/kubernetes/pki/*.crt"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %n %a /var/lib/rancher/k3s/server/tls/*.crt\n"})}),"\n",(0,s.jsx)(r.h3,{id:"1121-ensure-that-the-kubernetes-pki-key-file-permissions-are-set-to-600-manual",children:"1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example,\nchmod -R 600 /etc/kubernetes/pki/*.key"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %n %a /var/lib/rancher/k3s/server/tls/*.key\n"})}),"\n",(0,s.jsx)(r.h2,{id:"12-api-server",children:"1.2 API Server"}),"\n",(0,s.jsx)(r.h3,{id:"121-ensure-that-the---anonymous-auth-argument-is-set-to-false-manual",children:"1.2.1 Ensure that the --anonymous-auth argument is set to false (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the below parameter.\n--anonymous-auth=false"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'anonymous-auth'\n"})}),"\n",(0,s.jsx)(r.h3,{id:"122-ensure-that-the---token-auth-file-parameter-is-not-set-automated",children:"1.2.2 Ensure that the --token-auth-file parameter is not set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the documentation and configure alternate mechanisms for authentication. Then,\nedit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and remove the ",(0,s.jsx)(r.code,{children:"--token-auth-file="})," parameter."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/ps -ef | grep containerd | grep -v grep\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--token-auth-file' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root 1616 1600 6 13:26 ? 00:01:28 containerd -c /var/lib/rancher/k3s/agent/etc/containerd/config.toml -a /run/k3s/containerd/containerd.sock --state /run/k3s/containerd --root /var/lib/rancher/k3s/agent/containerd root 2318 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id b41ec3297be4625c2406ad8b7b4f8b91cddd60850c420050c4c3273f809b3e7e -address /run/k3s/containerd/containerd.sock root 2341 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id e7999a65ae0a4e9969f32317ec48ae4f7071b62f92e5236696737973be77c2e1 -address /run/k3s/containerd/containerd.sock root 3199 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 90c4e63d6ee29d40a48c2fdaf2738c2472cba1139dde8a550466c452184f8528 -address /run/k3s/containerd/containerd.sock root 3923 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id be5f4b9bd1ed9239362b7000b47f353acb8bc8ca52a9c9145cba0e902ec1c4b9 -address /run/k3s/containerd/containerd.sock root 4559 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 04cd40ea6b6078797f177c902c89412c70e523ad2a687a62829bf1d16ff0e19c -address /run/k3s/containerd/containerd.sock root 4647 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 48f37a480315b6adce2d2a5c5d67a85412dd0ba7a2e82816434e0deb9fa75de9 -address /run/k3s/containerd/containerd.sock root 6610 1 0 13:47 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 1cf71c22f568468055e517ab363437c0e54e45274c64024d337cc5bcce66341d -address /run/k3s/containerd/containerd.sock\n"})}),"\n",(0,s.jsx)(r.h3,{id:"123-ensure-that-the---denyserviceexternalips-is-not-set-automated",children:"1.2.3 Ensure that the --DenyServiceExternalIPs is not set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and remove the ",(0,s.jsx)(r.code,{children:"DenyServiceExternalIPs"}),"\nfrom enabled admission plugins."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/ps -ef | grep containerd | grep -v grep\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--enable-admission-plugins' is present OR '--enable-admission-plugins' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root 1616 1600 6 13:26 ? 00:01:28 containerd -c /var/lib/rancher/k3s/agent/etc/containerd/config.toml -a /run/k3s/containerd/containerd.sock --state /run/k3s/containerd --root /var/lib/rancher/k3s/agent/containerd root 2318 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id b41ec3297be4625c2406ad8b7b4f8b91cddd60850c420050c4c3273f809b3e7e -address /run/k3s/containerd/containerd.sock root 2341 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id e7999a65ae0a4e9969f32317ec48ae4f7071b62f92e5236696737973be77c2e1 -address /run/k3s/containerd/containerd.sock root 3199 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 90c4e63d6ee29d40a48c2fdaf2738c2472cba1139dde8a550466c452184f8528 -address /run/k3s/containerd/containerd.sock root 3923 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id be5f4b9bd1ed9239362b7000b47f353acb8bc8ca52a9c9145cba0e902ec1c4b9 -address /run/k3s/containerd/containerd.sock root 4559 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 04cd40ea6b6078797f177c902c89412c70e523ad2a687a62829bf1d16ff0e19c -address /run/k3s/containerd/containerd.sock root 4647 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 48f37a480315b6adce2d2a5c5d67a85412dd0ba7a2e82816434e0deb9fa75de9 -address /run/k3s/containerd/containerd.sock root 6610 1 0 13:47 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 1cf71c22f568468055e517ab363437c0e54e45274c64024d337cc5bcce66341d -address /run/k3s/containerd/containerd.sock\n"})}),"\n",(0,s.jsx)(r.h3,{id:"124-ensure-that-the---kubelet-https-argument-is-set-to-true-automated",children:"1.2.4 Ensure that the --kubelet-https argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and remove the --kubelet-https parameter."]}),"\n",(0,s.jsx)(r.h3,{id:"125-ensure-that-the---kubelet-client-certificate-and---kubelet-client-key-arguments-are-set-as-appropriate-automated",children:"1.2.5 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and set up the TLS connection between the\napiserver and kubelets. Then, edit API server pod specification file\n/etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the\nkubelet client certificate and key parameters as below."]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:"--kubelet-client-certificate=\n--kubelet-client-key=\n"})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'kubelet-certificate-authority'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--kubelet-client-certificate' is present AND '--kubelet-client-key' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"126-ensure-that-the---kubelet-certificate-authority-argument-is-set-as-appropriate-automated",children:"1.2.6 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and setup the TLS connection between\nthe apiserver and kubelets. Then, edit the API server pod specification file\n/etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the\n--kubelet-certificate-authority parameter to the path to the cert file for the certificate authority\n",(0,s.jsx)(r.code,{children:"--kubelet-certificate-authority="}),"."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'kubelet-certificate-authority'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--kubelet-certificate-authority' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"127-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",children:"1.2.7 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --authorization-mode parameter to values other than AlwaysAllow.\nOne such example could be as below.\n--authorization-mode=RBAC"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--authorization-mode' does not have 'AlwaysAllow'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"128-ensure-that-the---authorization-mode-argument-includes-node-automated",children:"1.2.8 Ensure that the --authorization-mode argument includes Node (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --authorization-mode parameter to a value that includes Node.\n--authorization-mode=Node,RBAC"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--authorization-mode' has 'Node'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"129-ensure-that-the---authorization-mode-argument-includes-rbac-automated",children:"1.2.9 Ensure that the --authorization-mode argument includes RBAC (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --authorization-mode parameter to a value that includes RBAC,\nfor example ",(0,s.jsx)(r.code,{children:"--authorization-mode=Node,RBAC"}),"."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--authorization-mode' has 'RBAC'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1210-ensure-that-the-admission-control-plugin-eventratelimit-is-set-manual",children:"1.2.10 Ensure that the admission control plugin EventRateLimit is set (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and set the desired limits in a configuration file.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\nand set the below parameters."]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:"--enable-admission-plugins=...,EventRateLimit,...\n--admission-control-config-file=\n"})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--enable-admission-plugins' has 'EventRateLimit'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1211-ensure-that-the-admission-control-plugin-alwaysadmit-is-not-set-automated",children:"1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and either remove the --enable-admission-plugins parameter, or set it to a\nvalue that does not include AlwaysAdmit."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--enable-admission-plugins' does not have 'AlwaysAdmit' OR '--enable-admission-plugins' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1212-ensure-that-the-admission-control-plugin-alwayspullimages-is-set-manual",children:"1.2.12 Ensure that the admission control plugin AlwaysPullImages is set (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --enable-admission-plugins parameter to include\nAlwaysPullImages.\n--enable-admission-plugins=...,AlwaysPullImages,..."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/ps -ef | grep containerd | grep -v grep\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--enable-admission-plugins' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root 1616 1600 6 13:26 ? 00:01:28 containerd -c /var/lib/rancher/k3s/agent/etc/containerd/config.toml -a /run/k3s/containerd/containerd.sock --state /run/k3s/containerd --root /var/lib/rancher/k3s/agent/containerd root 2318 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id b41ec3297be4625c2406ad8b7b4f8b91cddd60850c420050c4c3273f809b3e7e -address /run/k3s/containerd/containerd.sock root 2341 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id e7999a65ae0a4e9969f32317ec48ae4f7071b62f92e5236696737973be77c2e1 -address /run/k3s/containerd/containerd.sock root 3199 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 90c4e63d6ee29d40a48c2fdaf2738c2472cba1139dde8a550466c452184f8528 -address /run/k3s/containerd/containerd.sock root 3923 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id be5f4b9bd1ed9239362b7000b47f353acb8bc8ca52a9c9145cba0e902ec1c4b9 -address /run/k3s/containerd/containerd.sock root 4559 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 04cd40ea6b6078797f177c902c89412c70e523ad2a687a62829bf1d16ff0e19c -address /run/k3s/containerd/containerd.sock root 4647 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 48f37a480315b6adce2d2a5c5d67a85412dd0ba7a2e82816434e0deb9fa75de9 -address /run/k3s/containerd/containerd.sock root 6610 1 0 13:47 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 1cf71c22f568468055e517ab363437c0e54e45274c64024d337cc5bcce66341d -address /run/k3s/containerd/containerd.sock\n"})}),"\n",(0,s.jsx)(r.h3,{id:"1213-ensure-that-the-admission-control-plugin-securitycontextdeny-is-set-if-podsecuritypolicy-is-not-used-manual",children:"1.2.13 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --enable-admission-plugins parameter to include\nSecurityContextDeny, unless PodSecurityPolicy is already in place.\n--enable-admission-plugins=...,SecurityContextDeny,..."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--enable-admission-plugins' has 'SecurityContextDeny' OR '--enable-admission-plugins' has 'PodSecurityPolicy'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1214-ensure-that-the-admission-control-plugin-serviceaccount-is-set-automated",children:"1.2.14 Ensure that the admission control plugin ServiceAccount is set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the documentation and create ServiceAccount objects as per your environment.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and ensure that the --disable-admission-plugins parameter is set to a\nvalue that does not include ServiceAccount."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--disable-admission-plugins' is present OR '--disable-admission-plugins' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1215-ensure-that-the-admission-control-plugin-namespacelifecycle-is-set-automated",children:"1.2.15 Ensure that the admission control plugin NamespaceLifecycle is set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --disable-admission-plugins parameter to\nensure it does not include NamespaceLifecycle."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--disable-admission-plugins' is present OR '--disable-admission-plugins' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1216-ensure-that-the-admission-control-plugin-noderestriction-is-set-automated",children:"1.2.16 Ensure that the admission control plugin NodeRestriction is set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --enable-admission-plugins parameter to a\nvalue that includes NodeRestriction.\n--enable-admission-plugins=...,NodeRestriction,..."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--enable-admission-plugins' has 'NodeRestriction'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1217-ensure-that-the---secure-port-argument-is-not-set-to-0-automated",children:"1.2.17 Ensure that the --secure-port argument is not set to 0 (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and either remove the --secure-port parameter or\nset it to a different (non-zero) desired port."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'secure-port'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--secure-port' is greater than 0 OR '--secure-port' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1218-ensure-that-the---profiling-argument-is-set-to-false-automated",children:"1.2.18 Ensure that the --profiling argument is set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the below parameter.\n--profiling=false"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'profiling'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--profiling' is equal to 'false'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1219-ensure-that-the---audit-log-path-argument-is-set-automated",children:"1.2.19 Ensure that the --audit-log-path argument is set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --audit-log-path parameter to a suitable path and\nfile where you would like audit logs to be written, for example,\n--audit-log-path=/var/log/apiserver/audit.log"]}),"\n",(0,s.jsx)(r.h3,{id:"1220-ensure-that-the---audit-log-maxage-argument-is-set-to-30-or-as-appropriate-automated",children:"1.2.20 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --audit-log-maxage parameter to 30\nor as an appropriate number of days, for example,\n--audit-log-maxage=30"]}),"\n",(0,s.jsx)(r.h3,{id:"1221-ensure-that-the---audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate-automated",children:"1.2.21 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --audit-log-maxbackup parameter to 10 or to an appropriate\nvalue. For example,\n--audit-log-maxbackup=10"]}),"\n",(0,s.jsx)(r.h3,{id:"1222-ensure-that-the---audit-log-maxsize-argument-is-set-to-100-or-as-appropriate-automated",children:"1.2.22 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --audit-log-maxsize parameter to an appropriate size in MB.\nFor example, to set it as 100 MB, --audit-log-maxsize=100"]}),"\n",(0,s.jsx)(r.h3,{id:"1224-ensure-that-the---service-account-lookup-argument-is-set-to-true-automated",children:"1.2.24 Ensure that the --service-account-lookup argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the below parameter.\n--service-account-lookup=true\nAlternatively, you can delete the --service-account-lookup parameter from this file so\nthat the default takes effect."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--service-account-lookup' is not present OR '--service-account-lookup' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1225-ensure-that-the---request-timeout-argument-is-set-as-appropriate-automated",children:"1.2.25 Ensure that the --request-timeout argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nThe request timeout limits the duration of API requests. The default value of 60 seconds is\nsufficiently low already. Only change the default value if necessary. When extending this\nlimit, make sure to keep it low enough. A large value can exhaust API server resources and\nmake it prone for Denial-of-Service attacks."]}),"\n",(0,s.jsxs)(r.p,{children:["Edit the config file /etc/rancher/k3s/config.yaml on the control plane node and remove the\n--request-timeout parameter or set it to an appropriate value if needed. For example,\n",(0,s.jsx)(r.code,{children:"--request-timeout=300s"}),"."]}),"\n",(0,s.jsx)(r.h3,{id:"1226-ensure-that-the---etcd-certfile-and---etcd-keyfile-arguments-are-set-as-appropriate-automated",children:"1.2.26 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the etcd certificate and key file parameters."]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:"--etcd-certfile=\n--etcd-keyfile=\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 1.2.29\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--etcd-certfile' is present AND '--etcd-keyfile' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"--etcd-certfile AND --etcd-keyfile\n"})}),"\n",(0,s.jsx)(r.h3,{id:"1227-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",children:"1.2.27 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and set up the TLS connection on the apiserver.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the TLS certificate and private key file parameters."]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:"--tls-cert-file=\n--tls-private-key-file=\n"})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep -A1 'Running kube-apiserver' | tail -n2\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--tls-cert-file' is present AND '--tls-private-key-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key" Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-scheduler --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1228-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",children:"1.2.28 Ensure that the --client-ca-file argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and set up the TLS connection on the apiserver.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the client certificate authority file.\n",(0,s.jsx)(r.code,{children:"--client-ca-file="})]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'client-ca-file'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--client-ca-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1229-ensure-that-the---etcd-cafile-argument-is-set-as-appropriate-automated",children:"1.2.29 Ensure that the --etcd-cafile argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the etcd certificate authority file parameter.\n",(0,s.jsx)(r.code,{children:"--etcd-cafile="})]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'etcd-cafile'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--etcd-cafile' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1230-ensure-that-the---encryption-provider-config-argument-is-set-as-appropriate-manual",children:"1.2.30 Ensure that the --encryption-provider-config argument is set as appropriate (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and configure a EncryptionConfig file.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --encryption-provider-config parameter to the path of that file.\nFor example, ",(0,s.jsx)(r.code,{children:"--encryption-provider-config="})]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'encryption-provider-config'\n"})}),"\n",(0,s.jsx)(r.h3,{id:"1231-ensure-that-encryption-providers-are-appropriately-configured-manual",children:"1.2.31 Ensure that encryption providers are appropriately configured (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and configure a EncryptionConfig file.\nIn this file, choose aescbc, kms or secretbox as the encryption provider."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"grep aescbc /path/to/encryption-config.json\n"})}),"\n",(0,s.jsx)(r.h3,{id:"1232-ensure-that-the-api-server-only-makes-use-of-strong-cryptographic-ciphers-manual",children:"1.2.32 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the below parameter.\n--tls-cipher-suites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,\nTLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,\nTLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,\nTLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,\nTLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,\nTLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,\nTLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,\nTLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'tls-cipher-suites'\n"})}),"\n",(0,s.jsx)(r.h2,{id:"13-controller-manager",children:"1.3 Controller Manager"}),"\n",(0,s.jsx)(r.h3,{id:"131-ensure-that-the---terminated-pod-gc-threshold-argument-is-set-as-appropriate-manual",children:"1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node and set the --terminated-pod-gc-threshold to an appropriate threshold,\nfor example, --terminated-pod-gc-threshold=10"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'terminated-pod-gc-threshold'\n"})}),"\n",(0,s.jsx)(r.h3,{id:"132-ensure-that-the---profiling-argument-is-set-to-false-automated",children:"1.3.2 Ensure that the --profiling argument is set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node and set the below parameter.\n--profiling=false"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'profiling'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--profiling' is equal to 'false'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-controller-manager --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --use-service-account-credentials=true"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"133-ensure-that-the---use-service-account-credentials-argument-is-set-to-true-automated",children:"1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node to set the below parameter.\n--use-service-account-credentials=true"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'use-service-account-credentials'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--use-service-account-credentials' is not equal to 'false'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-controller-manager --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --use-service-account-credentials=true"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"134-ensure-that-the---service-account-private-key-file-argument-is-set-as-appropriate-automated",children:"1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node and set the --service-account-private-key-file parameter\nto the private key file for service accounts. For example,\n",(0,s.jsx)(r.code,{children:"--service-account-private-key-file="}),"."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'service-account-private-key-file'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--service-account-private-key-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-controller-manager --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --use-service-account-credentials=true"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"135-ensure-that-the---root-ca-file-argument-is-set-as-appropriate-automated",children:"1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node and set the --root-ca-file parameter to the certificate bundle file.\n",(0,s.jsx)(r.code,{children:"--root-ca-file="})]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'root-ca-file'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--root-ca-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-controller-manager --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --use-service-account-credentials=true"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"136-ensure-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",children:"1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true.\n--feature-gates=RotateKubeletServerCertificate=true"]}),"\n",(0,s.jsx)(r.h3,{id:"137-ensure-that-the---bind-address-argument-is-set-to-127001-automated",children:"1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node and ensure the correct value for the --bind-address parameter"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/ps -ef | grep containerd | grep -v grep\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--bind-address' is present OR '--bind-address' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root 1616 1600 6 13:26 ? 00:01:28 containerd -c /var/lib/rancher/k3s/agent/etc/containerd/config.toml -a /run/k3s/containerd/containerd.sock --state /run/k3s/containerd --root /var/lib/rancher/k3s/agent/containerd root 2318 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id b41ec3297be4625c2406ad8b7b4f8b91cddd60850c420050c4c3273f809b3e7e -address /run/k3s/containerd/containerd.sock root 2341 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id e7999a65ae0a4e9969f32317ec48ae4f7071b62f92e5236696737973be77c2e1 -address /run/k3s/containerd/containerd.sock root 3199 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 90c4e63d6ee29d40a48c2fdaf2738c2472cba1139dde8a550466c452184f8528 -address /run/k3s/containerd/containerd.sock root 3923 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id be5f4b9bd1ed9239362b7000b47f353acb8bc8ca52a9c9145cba0e902ec1c4b9 -address /run/k3s/containerd/containerd.sock root 4559 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 04cd40ea6b6078797f177c902c89412c70e523ad2a687a62829bf1d16ff0e19c -address /run/k3s/containerd/containerd.sock root 4647 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 48f37a480315b6adce2d2a5c5d67a85412dd0ba7a2e82816434e0deb9fa75de9 -address /run/k3s/containerd/containerd.sock root 6610 1 0 13:47 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 1cf71c22f568468055e517ab363437c0e54e45274c64024d337cc5bcce66341d -address /run/k3s/containerd/containerd.sock\n"})}),"\n",(0,s.jsx)(r.h2,{id:"14-scheduler",children:"1.4 Scheduler"}),"\n",(0,s.jsx)(r.h3,{id:"141-ensure-that-the---profiling-argument-is-set-to-false-automated",children:"1.4.1 Ensure that the --profiling argument is set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml file\non the control plane node and set the below parameter.\n--profiling=false"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-scheduler' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--profiling' is equal to 'false'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-scheduler --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"142-ensure-that-the---bind-address-argument-is-set-to-127001-automated",children:"1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml\non the control plane node and ensure the correct value for the --bind-address parameter"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-scheduler' | tail -n1 | grep 'bind-address'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--bind-address' is equal to '127.0.0.1' OR '--bind-address' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-scheduler --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"\n'})}),"\n",(0,s.jsx)(r.h2,{id:"2-etcd-node-configuration",children:"2 Etcd Node Configuration"}),"\n",(0,s.jsx)(r.h3,{id:"21-ensure-that-the---cert-file-and---key-file-arguments-are-set-as-appropriate-automated",children:"2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the etcd service documentation and configure TLS encryption.\nThen, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml\non the master node and set the below parameters."]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:"--cert-file=\n--key-file=\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 2.1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'cert-file' is present AND 'key-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"cert-file AND key-file cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key cert-file AND key-file\n"})}),"\n",(0,s.jsx)(r.h3,{id:"22-ensure-that-the---client-cert-auth-argument-is-set-to-true-automated",children:"2.2 Ensure that the --client-cert-auth argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),'\nEdit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master\nnode and set the below parameter.\n--client-cert-auth="true"']}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 2.2\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--client-cert-auth' is present OR 'client-cert-auth' is equal to 'true'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"--client-cert-auth=true client-cert-auth: true --client-cert-auth=true\n"})}),"\n",(0,s.jsx)(r.h3,{id:"23-ensure-that-the---auto-tls-argument-is-not-set-to-true-automated",children:"2.3 Ensure that the --auto-tls argument is not set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master\nnode and either remove the --auto-tls parameter or set it to false.\n--auto-tls=false"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 2.3\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'ETCD_AUTO_TLS' is not present OR 'ETCD_AUTO_TLS' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"error: process ID list syntax error Usage: ps [options] Try 'ps --help ' or 'ps --help ' for additional help text. For more details see ps(1). cat: /proc//environ: No such file or directory error: process ID list syntax error Usage: ps [options] Try 'ps --help ' or 'ps --help ' for additional help text. For more details see ps(1). cat: /proc//environ: No such file or directory error: process ID list syntax error Usage: ps [options] Try 'ps --help ' or 'ps --help ' for additional help text. For more details see ps(1). cat: /proc//environ: No such file or directory\n"})}),"\n",(0,s.jsx)(r.h3,{id:"24-ensure-that-the---peer-cert-file-and---peer-key-file-arguments-are-set-as-appropriate-automated",children:"2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the etcd service documentation and configure peer TLS encryption as appropriate\nfor your etcd cluster.\nThen, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the\nmaster node and set the below parameters."]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:"--peer-client-file=\n--peer-key-file=\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 2.4\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'cert-file' is present AND 'key-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"peer-cert-file AND peer-key-file cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key peer-cert-file AND peer-key-file\n"})}),"\n",(0,s.jsx)(r.h3,{id:"25-ensure-that-the---peer-client-cert-auth-argument-is-set-to-true-automated",children:"2.5 Ensure that the --peer-client-cert-auth argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master\nnode and set the below parameter.\n--peer-client-cert-auth=true"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 2.5\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--client-cert-auth' is present OR 'client-cert-auth' is equal to 'true'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"--client-cert-auth=true client-cert-auth: true --client-cert-auth=true\n"})}),"\n",(0,s.jsx)(r.h3,{id:"26-ensure-that-the---peer-auto-tls-argument-is-not-set-to-true-automated",children:"2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master\nnode and either remove the --peer-auto-tls parameter or set it to false.\n--peer-auto-tls=false"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 2.6\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--peer-auto-tls' is not present OR '--peer-auto-tls' is equal to 'false'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"--peer-auto-tls=false error: process ID list syntax error Usage: ps [options] Try 'ps --help ' or 'ps --help ' for additional help text. For more details see ps(1). cat: /proc//environ: No such file or directory --peer-auto-tls=false\n"})}),"\n",(0,s.jsx)(r.h3,{id:"27-ensure-that-a-unique-certificate-authority-is-used-for-etcd-manual",children:"2.7 Ensure that a unique Certificate Authority is used for etcd (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\n[Manual test]\nFollow the etcd documentation and create a dedicated certificate authority setup for the\netcd service.\nThen, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the\nmaster node and set the below parameter.\n",(0,s.jsx)(r.code,{children:"--trusted-ca-file="})]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 2.7\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'trusted-ca-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"--trusted-ca-file trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt --trusted-ca-file\n"})}),"\n",(0,s.jsx)(r.h2,{id:"31-authentication-and-authorization",children:"3.1 Authentication and Authorization"}),"\n",(0,s.jsx)(r.h3,{id:"311-client-certificate-authentication-should-not-be-used-for-users-manual",children:"3.1.1 Client certificate authentication should not be used for users (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAlternative mechanisms provided by Kubernetes such as the use of OIDC should be\nimplemented in place of client certificates."]}),"\n",(0,s.jsx)(r.h2,{id:"32-logging",children:"3.2 Logging"}),"\n",(0,s.jsx)(r.h3,{id:"321-ensure-that-a-minimal-audit-policy-is-created-manual",children:"3.2.1 Ensure that a minimal audit policy is created (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nCreate an audit policy file for your cluster."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'audit-policy-file'\n"})}),"\n",(0,s.jsx)(r.h3,{id:"322-ensure-that-the-audit-policy-covers-key-security-concerns-manual",children:"3.2.2 Ensure that the audit policy covers key security concerns (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nReview the audit policy provided for the cluster and ensure that it covers\nat least the following areas,"]}),"\n",(0,s.jsxs)(r.ul,{children:["\n",(0,s.jsx)(r.li,{children:"Access to Secrets managed by the cluster. Care should be taken to only\nlog Metadata for requests to Secrets, ConfigMaps, and TokenReviews, in\norder to avoid risk of logging sensitive data."}),"\n",(0,s.jsx)(r.li,{children:"Modification of Pod and Deployment objects."}),"\n",(0,s.jsxs)(r.li,{children:["Use of ",(0,s.jsx)(r.code,{children:"pods/exec"}),", ",(0,s.jsx)(r.code,{children:"pods/portforward"}),", ",(0,s.jsx)(r.code,{children:"pods/proxy"})," and ",(0,s.jsx)(r.code,{children:"services/proxy"}),".\nFor most requests, minimally logging at the Metadata level is recommended\n(the most basic level of logging)."]}),"\n"]}),"\n",(0,s.jsx)(r.h2,{id:"41-worker-node-configuration-files",children:"4.1 Worker Node Configuration Files"}),"\n",(0,s.jsx)(r.h3,{id:"411-ensure-that-the-kubelet-service-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"4.1.1 Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the each worker node.\nFor example, chmod 644 /etc/systemd/system/kubelet.service.d/10-kubeadm.conf"]}),"\n",(0,s.jsxs)(r.h3,{id:"412-ensure-that-the-kubelet-service-file-ownership-is-set-to-root-automated",children:["4.1.2 Ensure that the kubelet service file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the each worker node.\nFor example,\nchown root",":root"," /etc/systemd/system/kubelet.service.d/10-kubeadm.conf"]}),"\n",(0,s.jsx)(r.h3,{id:"413-if-proxy-kubeconfig-file-exists-ensure-permissions-are-set-to-644-or-more-restrictive-manual",children:"4.1.3 If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the each worker node.\nFor example,\nchmod 644 /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %a /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'permissions' is present OR '/var/lib/rancher/k3s/agent/kubeproxy.kubeconfig' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"644 644\n"})}),"\n",(0,s.jsxs)(r.h3,{id:"414-if-proxy-kubeconfig-file-exists-ensure-ownership-is-set-to-root-manual",children:["4.1.4 If proxy kubeconfig file exists ensure ownership is set to root",":root"," (Manual)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the each worker node.\nFor example, chown root",":root"," /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; fi'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'root:root' is present OR '/var/lib/rancher/k3s/agent/kubeproxy.kubeconfig' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root root:root\n"})}),"\n",(0,s.jsx)(r.h3,{id:"415-ensure-that-the---kubeconfig-kubeletconf-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the each worker node.\nFor example,\nchmod 644 /var/lib/rancher/k3s/server/cred/admin.kubeconfig"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %a /var/lib/rancher/k3s/agent/kubelet.kubeconfig\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'644' is equal to '644'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"644 644\n"})}),"\n",(0,s.jsxs)(r.h3,{id:"416-ensure-that-the---kubeconfig-kubeletconf-file-ownership-is-set-to-root-automated",children:["4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the each worker node.\nFor example,\nchown root",":root"," /var/lib/rancher/k3s/server/cred/admin.kubeconfig"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/agent/kubelet.kubeconfig\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'root:root' is equal to 'root:root'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root root:root\n"})}),"\n",(0,s.jsx)(r.h3,{id:"417-ensure-that-the-certificate-authorities-file-permissions-are-set-to-644-or-more-restrictive-manual",children:"4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the following command to modify the file permissions of the\n--client-ca-file: ",(0,s.jsx)(r.code,{children:"chmod 644 "})]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %a /var/lib/rancher/k3s/server/tls/server-ca.crt\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'644' is present OR '640' is present OR '600' is equal to '600' OR '444' is present OR '440' is present OR '400' is present OR '000' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"644 600\n"})}),"\n",(0,s.jsxs)(r.h3,{id:"418-ensure-that-the-client-certificate-authorities-file-ownership-is-set-to-root-manual",children:["4.1.8 Ensure that the client certificate authorities file ownership is set to root",":root"," (Manual)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the following command to modify the ownership of the --client-ca-file:\n",(0,s.jsx)(r.code,{children:"chown root:root "}),"."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/server/tls/client-ca.crt\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'root:root' is equal to 'root:root'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root root:root\n"})}),"\n",(0,s.jsx)(r.h3,{id:"419-ensure-that-the-kubelet---config-configuration-file-has-permissions-set-to-644-or-more-restrictive-automated",children:"4.1.9 Ensure that the kubelet --config configuration file has permissions set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the following command (using the config file location identified in the Audit step)\nchmod 644 /var/lib/kubelet/config.yaml"]}),"\n",(0,s.jsxs)(r.h3,{id:"4110-ensure-that-the-kubelet---config-configuration-file-ownership-is-set-to-root-automated",children:["4.1.10 Ensure that the kubelet --config configuration file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the following command (using the config file location identified in the Audit step)\nchown root",":root"," /var/lib/kubelet/config.yaml"]}),"\n",(0,s.jsx)(r.h2,{id:"42-kubelet",children:"4.2 Kubelet"}),"\n",(0,s.jsx)(r.h3,{id:"421-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",children:"4.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"authentication: anonymous: enabled"})," to\n",(0,s.jsx)(r.code,{children:"false"}),".\nIf using executable arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n",(0,s.jsx)(r.code,{children:"--anonymous-auth=false"}),"\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'/bin/sh -c \'if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "anonymous-auth" | grep -v grep; else echo "--anonymous-auth=false"; fi\'\n'})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--anonymous-auth' is equal to 'false'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'--anonymous-auth=false Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"422-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",children:"4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"authorization.mode"})," to Webhook. If\nusing executable arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_AUTHZ_ARGS variable.\n--authorization-mode=Webhook\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'/bin/sh -c \'if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "authorization-mode" | grep -v grep; else echo "--authorization-mode=Webhook"; fi\'\n'})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--authorization-mode' does not have 'AlwaysAllow'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'--authorization-mode=Webhook Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"423-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",children:"4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"authentication.x509.clientCAFile"})," to\nthe location of the client CA file.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_AUTHZ_ARGS variable.\n",(0,s.jsx)(r.code,{children:"--client-ca-file="}),"\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'/bin/sh -c \'if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "client-ca-file" | grep -v grep; else echo "--client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt"; fi\'\n'})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--client-ca-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'--client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"424-ensure-that-the---read-only-port-argument-is-set-to-0-manual",children:"4.2.4 Ensure that the --read-only-port argument is set to 0 (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"readOnlyPort"})," to 0.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--read-only-port=0\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kubelet' | tail -n1 | grep 'read-only-port'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--read-only-port' is equal to '0' OR '--read-only-port' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:50 k3s-123-cis-pool2-98604672-hr9p5 k3s[1592]: time="2022-09-13T13:26:50Z" level=info msg="Running kubelet --address=0.0.0.0 --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=k3s-123-cis-pool2-98604672-hr9p5 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --node-labels=rke.cattle.io/machine=00c4e7a0-5497-4367-a70c-0b836757eae8 --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key" Sep 13 13:26:44 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:44Z" level=info msg="Running kubelet --address=0.0.0.0 --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=k3s-123-cis-pool3-b403f678-bzdg5 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --node-labels=rke.cattle.io/machine=109d596c-89f5-4c10-8c7f-6b82a38edd8f --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"425-ensure-that-the---streaming-connection-idle-timeout-argument-is-not-set-to-0-manual",children:"4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"streamingConnectionIdleTimeout"})," to a\nvalue other than 0.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--streaming-connection-idle-timeout=5m\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kubelet' | tail -n1 | grep 'streaming-connection-idle-timeout'\n"})}),"\n",(0,s.jsx)(r.h3,{id:"426-ensure-that-the---protect-kernel-defaults-argument-is-set-to-true-automated",children:"4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"protectKernelDefaults"})," to ",(0,s.jsx)(r.code,{children:"true"}),".\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--protect-kernel-defaults=true\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.h3,{id:"427-ensure-that-the---make-iptables-util-chains-argument-is-set-to-true-automated",children:"4.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"makeIPTablesUtilChains"})," to ",(0,s.jsx)(r.code,{children:"true"}),".\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nremove the --make-iptables-util-chains argument from the\nKUBELET_SYSTEM_PODS_ARGS variable.\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.h3,{id:"428-ensure-that-the---hostname-override-argument-is-not-set-manual",children:"4.2.8 Ensure that the --hostname-override argument is not set (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\non each worker node and remove the --hostname-override argument from the\nKUBELET_SYSTEM_PODS_ARGS variable.\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.h3,{id:"429-ensure-that-the---event-qps-argument-is-set-to-0-or-a-level-which-ensures-appropriate-event-capture-manual",children:"4.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"eventRecordQPS"})," to an appropriate level.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/ps -fC containerd\n"})}),"\n",(0,s.jsx)(r.h3,{id:"4210-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-manual",children:"4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"tlsCertFile"})," to the location\nof the certificate file to use to identify this Kubelet, and ",(0,s.jsx)(r.code,{children:"tlsPrivateKeyFile"}),"\nto the location of the corresponding private key file.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameters in KUBELET_CERTIFICATE_ARGS variable."]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:"--tls-cert-file=\n--tls-private-key-file=\n"})}),"\n",(0,s.jsx)(r.p,{children:"Based on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--tls-cert-file' is present AND '--tls-private-key-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:50 k3s-123-cis-pool2-98604672-hr9p5 k3s[1592]: time="2022-09-13T13:26:50Z" level=info msg="Running kubelet --address=0.0.0.0 --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=k3s-123-cis-pool2-98604672-hr9p5 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --node-labels=rke.cattle.io/machine=00c4e7a0-5497-4367-a70c-0b836757eae8 --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key" Sep 13 13:26:44 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:44Z" level=info msg="Running kubelet --address=0.0.0.0 --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=k3s-123-cis-pool3-b403f678-bzdg5 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --node-labels=rke.cattle.io/machine=109d596c-89f5-4c10-8c7f-6b82a38edd8f --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"4211-ensure-that-the---rotate-certificates-argument-is-not-set-to-false-automated",children:"4.2.11 Ensure that the --rotate-certificates argument is not set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to add the line ",(0,s.jsx)(r.code,{children:"rotateCertificates"})," to ",(0,s.jsx)(r.code,{children:"true"})," or\nremove it altogether to use the default value.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nremove --rotate-certificates=false argument from the KUBELET_CERTIFICATE_ARGS\nvariable.\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.h3,{id:"4212-verify-that-the-rotatekubeletservercertificate-argument-is-set-to-true-manual",children:"4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\non each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.\n--feature-gates=RotateKubeletServerCertificate=true\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.h3,{id:"4213-ensure-that-the-kubelet-only-makes-use-of-strong-cryptographic-ciphers-manual",children:"4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"TLSCipherSuites"})," to\nTLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256\nor to a subset of these values.\nIf using executable arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the --tls-cipher-suites parameter as follows, or to a subset of these values.\n--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/ps -fC containerd\n"})}),"\n",(0,s.jsx)(r.h2,{id:"51-rbac-and-service-accounts",children:"5.1 RBAC and Service Accounts"}),"\n",(0,s.jsx)(r.h3,{id:"511-ensure-that-the-cluster-admin-role-is-only-used-where-required-manual",children:"5.1.1 Ensure that the cluster-admin role is only used where required (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIdentify all clusterrolebindings to the cluster-admin role. Check if they are used and\nif they need this role or if they could use a role with fewer privileges.\nWhere possible, first bind users to a lower privileged role and then remove the\nclusterrolebinding to the cluster-admin role :\nkubectl delete clusterrolebinding [name]"]}),"\n",(0,s.jsx)(r.h3,{id:"512-minimize-access-to-secrets-manual",children:"5.1.2 Minimize access to secrets (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove get, list and watch access to Secret objects in the cluster."]}),"\n",(0,s.jsx)(r.h3,{id:"513-minimize-wildcard-use-in-roles-and-clusterroles-manual",children:"5.1.3 Minimize wildcard use in Roles and ClusterRoles (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible replace any use of wildcards in clusterroles and roles with specific\nobjects or actions."]}),"\n",(0,s.jsx)(r.h3,{id:"514-minimize-access-to-create-pods-manual",children:"5.1.4 Minimize access to create pods (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove create access to pod objects in the cluster."]}),"\n",(0,s.jsx)(r.h3,{id:"515-ensure-that-default-service-accounts-are-not-actively-used-manual",children:"5.1.5 Ensure that default service accounts are not actively used. (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nCreate explicit service accounts wherever a Kubernetes workload requires specific access\nto the Kubernetes API server.\nModify the configuration of each default service account to include this value\nautomountServiceAccountToken: false"]}),"\n",(0,s.jsx)(r.h3,{id:"516-ensure-that-service-account-tokens-are-only-mounted-where-necessary-manual",children:"5.1.6 Ensure that Service Account Tokens are only mounted where necessary (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nModify the definition of pods and service accounts which do not need to mount service\naccount tokens to disable it."]}),"\n",(0,s.jsxs)(r.h3,{id:"517-avoid-use-of-system-group-manual",children:["5.1.7 Avoid use of system",":masters"," group (Manual)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRemove the system",":masters"," group from all users in the cluster."]}),"\n",(0,s.jsx)(r.h3,{id:"518-limit-use-of-the-bind-impersonate-and-escalate-permissions-in-the-kubernetes-cluster-manual",children:"5.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove the impersonate, bind and escalate rights from subjects."]}),"\n",(0,s.jsx)(r.h2,{id:"52-pod-security-standards",children:"5.2 Pod Security Standards"}),"\n",(0,s.jsx)(r.h3,{id:"521-ensure-that-the-cluster-has-at-least-one-active-policy-control-mechanism-in-place-manual",children:"5.2.1 Ensure that the cluster has at least one active policy control mechanism in place (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEnsure that either Pod Security Admission or an external policy control system is in place\nfor every namespace which contains user workloads."]}),"\n",(0,s.jsx)(r.h3,{id:"522-minimize-the-admission-of-privileged-containers-automated",children:"5.2.2 Minimize the admission of privileged containers (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of privileged containers."]}),"\n",(0,s.jsx)(r.h3,{id:"523-minimize-the-admission-of-containers-wishing-to-share-the-host-process-id-namespace-automated",children:"5.2.3 Minimize the admission of containers wishing to share the host process ID namespace (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of ",(0,s.jsx)(r.code,{children:"hostPID"})," containers."]}),"\n",(0,s.jsx)(r.h3,{id:"524-minimize-the-admission-of-containers-wishing-to-share-the-host-ipc-namespace-automated",children:"5.2.4 Minimize the admission of containers wishing to share the host IPC namespace (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of ",(0,s.jsx)(r.code,{children:"hostIPC"})," containers."]}),"\n",(0,s.jsx)(r.h3,{id:"525-minimize-the-admission-of-containers-wishing-to-share-the-host-network-namespace-automated",children:"5.2.5 Minimize the admission of containers wishing to share the host network namespace (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of ",(0,s.jsx)(r.code,{children:"hostNetwork"})," containers."]}),"\n",(0,s.jsx)(r.h3,{id:"526-minimize-the-admission-of-containers-with-allowprivilegeescalation-automated",children:"5.2.6 Minimize the admission of containers with allowPrivilegeEscalation (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers with ",(0,s.jsx)(r.code,{children:".spec.allowPrivilegeEscalation"})," set to ",(0,s.jsx)(r.code,{children:"true"}),"."]}),"\n",(0,s.jsx)(r.h3,{id:"527-minimize-the-admission-of-root-containers-automated",children:"5.2.7 Minimize the admission of root containers (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nCreate a policy for each namespace in the cluster, ensuring that either ",(0,s.jsx)(r.code,{children:"MustRunAsNonRoot"}),"\nor ",(0,s.jsx)(r.code,{children:"MustRunAs"})," with the range of UIDs not including 0, is set."]}),"\n",(0,s.jsx)(r.h3,{id:"528-minimize-the-admission-of-containers-with-the-net_raw-capability-automated",children:"5.2.8 Minimize the admission of containers with the NET_RAW capability (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers with the ",(0,s.jsx)(r.code,{children:"NET_RAW"})," capability."]}),"\n",(0,s.jsx)(r.h3,{id:"529-minimize-the-admission-of-containers-with-added-capabilities-automated",children:"5.2.9 Minimize the admission of containers with added capabilities (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEnsure that ",(0,s.jsx)(r.code,{children:"allowedCapabilities"})," is not present in policies for the cluster unless\nit is set to an empty array."]}),"\n",(0,s.jsx)(r.h3,{id:"5210-minimize-the-admission-of-containers-with-capabilities-assigned-manual",children:"5.2.10 Minimize the admission of containers with capabilities assigned (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nReview the use of capabilities in applications running on your cluster. Where a namespace\ncontains applications which do not require any Linux capabilities to operate consider adding\na PSP which forbids the admission of containers which do not drop all capabilities."]}),"\n",(0,s.jsx)(r.h3,{id:"5211-minimize-the-admission-of-windows-hostprocess-containers-manual",children:"5.2.11 Minimize the admission of Windows HostProcess containers (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers that have ",(0,s.jsx)(r.code,{children:".securityContext.windowsOptions.hostProcess"})," set to ",(0,s.jsx)(r.code,{children:"true"}),"."]}),"\n",(0,s.jsx)(r.h3,{id:"5212-minimize-the-admission-of-hostpath-volumes-manual",children:"5.2.12 Minimize the admission of HostPath volumes (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers with ",(0,s.jsx)(r.code,{children:"hostPath"})," volumes."]}),"\n",(0,s.jsx)(r.h3,{id:"5213-minimize-the-admission-of-containers-which-use-hostports-manual",children:"5.2.13 Minimize the admission of containers which use HostPorts (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers which use ",(0,s.jsx)(r.code,{children:"hostPort"})," sections."]}),"\n",(0,s.jsx)(r.h2,{id:"53-network-policies-and-cni",children:"5.3 Network Policies and CNI"}),"\n",(0,s.jsx)(r.h3,{id:"531-ensure-that-the-cni-in-use-supports-networkpolicies-manual",children:"5.3.1 Ensure that the CNI in use supports NetworkPolicies (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf the CNI plugin in use does not support network policies, consideration should be given to\nmaking use of a different plugin, or finding an alternate mechanism for restricting traffic\nin the Kubernetes cluster."]}),"\n",(0,s.jsx)(r.h3,{id:"532-ensure-that-all-namespaces-have-networkpolicies-defined-manual",children:"5.3.2 Ensure that all Namespaces have NetworkPolicies defined (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the documentation and create NetworkPolicy objects as you need them."]}),"\n",(0,s.jsx)(r.h2,{id:"54-secrets-management",children:"5.4 Secrets Management"}),"\n",(0,s.jsx)(r.h3,{id:"541-prefer-using-secrets-as-files-over-secrets-as-environment-variables-manual",children:"5.4.1 Prefer using Secrets as files over Secrets as environment variables (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf possible, rewrite application code to read Secrets from mounted secret files, rather than\nfrom environment variables."]}),"\n",(0,s.jsx)(r.h3,{id:"542-consider-external-secret-storage-manual",children:"5.4.2 Consider external secret storage (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRefer to the Secrets management options offered by your cloud provider or a third-party\nsecrets management solution."]}),"\n",(0,s.jsx)(r.h2,{id:"55-extensible-admission-control",children:"5.5 Extensible Admission Control"}),"\n",(0,s.jsx)(r.h3,{id:"551-configure-image-provenance-using-imagepolicywebhook-admission-controller-manual",children:"5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and setup image provenance."]}),"\n",(0,s.jsx)(r.h2,{id:"57-general-policies",children:"5.7 General Policies"}),"\n",(0,s.jsx)(r.h3,{id:"571-create-administrative-boundaries-between-resources-using-namespaces-manual",children:"5.7.1 Create administrative boundaries between resources using namespaces (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the documentation and create namespaces for objects in your deployment as you need\nthem."]}),"\n",(0,s.jsx)(r.h3,{id:"572-ensure-that-the-seccomp-profile-is-set-to-dockerdefault-in-your-pod-definitions-manual",children:"5.7.2 Ensure that the seccomp profile is set to docker/default in your Pod definitions (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nUse ",(0,s.jsx)(r.code,{children:"securityContext"})," to enable the docker/default seccomp profile in your pod definitions.\nAn example is as below:\nsecurityContext:\nseccompProfile:\ntype: RuntimeDefault"]}),"\n",(0,s.jsx)(r.h3,{id:"573-apply-securitycontext-to-your-pods-and-containers-manual",children:"5.7.3 Apply SecurityContext to your Pods and Containers (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and apply SecurityContexts to your Pods. For a\nsuggested list of SecurityContexts, you may refer to the CIS Security Benchmark for Docker\nContainers."]}),"\n",(0,s.jsx)(r.h3,{id:"574-the-default-namespace-should-not-be-used-manual",children:"5.7.4 The default namespace should not be used (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEnsure that namespaces are created to allow for appropriate segregation of Kubernetes\nresources and that all new resources are created in a specific namespace."]})]})}function h(e={}){const{wrapper:r}={...(0,n.a)(),...e.components};return r?(0,s.jsx)(r,{...e,children:(0,s.jsx)(d,{...e})}):d(e)}},1151:(e,r,t)=>{t.d(r,{Z:()=>c,a:()=>i});var s=t(7294);const n={},a=s.createContext(n);function i(e){const r=s.useContext(a);return s.useMemo((function(){return"function"==typeof e?e(r):{...r,...e}}),[r,e])}function c(e){let r;return r=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:i(e.components),s.createElement(a.Provider,{value:r},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/2f797aa4.d5c63ad6.js b/kr/assets/js/2f797aa4.d5c63ad6.js new file mode 100644 index 000000000..d951246a9 --- /dev/null +++ b/kr/assets/js/2f797aa4.d5c63ad6.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[101],{3989:(e,s,i)=>{i.r(s),i.d(s,{assets:()=>c,contentTitle:()=>l,default:()=>o,frontMatter:()=>n,metadata:()=>h,toc:()=>d});var r=i(5893),t=i(1151);const n={hide_table_of_contents:!0,sidebar_position:3},l="v1.28.X",h={id:"release-notes/v1.28.X",title:"v1.28.X",description:"Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.",source:"@site/docs/release-notes/v1.28.X.md",sourceDirName:"release-notes",slug:"/release-notes/v1.28.X",permalink:"/kr/release-notes/v1.28.X",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/release-notes/v1.28.X.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,sidebarPosition:3,frontMatter:{hide_table_of_contents:!0,sidebar_position:3},sidebar:"mySidebar",previous:{title:"v1.29.X",permalink:"/kr/release-notes/v1.29.X"},next:{title:"v1.27.X",permalink:"/kr/release-notes/v1.27.X"}},c={},d=[{value:"Release v1.28.12+k3s1",id:"release-v12812k3s1",level:2},{value:"Changes since v1.28.11+k3s2:",id:"changes-since-v12811k3s2",level:3},{value:"Release v1.28.11+k3s2",id:"release-v12811k3s2",level:2},{value:"Changes since v1.28.11+k3s1:",id:"changes-since-v12811k3s1",level:3},{value:"Release v1.28.11+k3s1",id:"release-v12811k3s1",level:2},{value:"Changes since v1.28.10+k3s1:",id:"changes-since-v12810k3s1",level:3},{value:"Release v1.28.10+k3s1",id:"release-v12810k3s1",level:2},{value:"Changes since v1.28.9+k3s1:",id:"changes-since-v1289k3s1",level:3},{value:"Release v1.28.9+k3s1",id:"release-v1289k3s1",level:2},{value:"Changes since v1.28.8+k3s1:",id:"changes-since-v1288k3s1",level:3},{value:"Release v1.28.8+k3s1",id:"release-v1288k3s1",level:2},{value:"Changes since v1.28.7+k3s1:",id:"changes-since-v1287k3s1",level:3},{value:"Release v1.28.7+k3s1",id:"release-v1287k3s1",level:2},{value:"Changes since v1.28.6+k3s2:",id:"changes-since-v1286k3s2",level:3},{value:"Release v1.28.6+k3s2",id:"release-v1286k3s2",level:2},{value:"Changes since v1.28.5+k3s1:",id:"changes-since-v1285k3s1",level:3},{value:"Release v1.28.5+k3s1",id:"release-v1285k3s1",level:2},{value:"Changes since v1.28.4+k3s1:",id:"changes-since-v1284k3s1",level:3},{value:"Release v1.28.4+k3s2",id:"release-v1284k3s2",level:2},{value:"Changes since v1.28.3+k3s2:",id:"changes-since-v1283k3s2",level:3},{value:"Release v1.28.3+k3s2",id:"release-v1283k3s2",level:2},{value:"Changes since v1.28.3+k3s1:",id:"changes-since-v1283k3s1",level:3},{value:"Release v1.28.3+k3s1",id:"release-v1283k3s1",level:2},{value:"Changes since v1.28.2+k3s1:",id:"changes-since-v1282k3s1",level:3},{value:"Release v1.28.2+k3s1",id:"release-v1282k3s1",level:2},{value:"Changes since v1.28.1+k3s1:",id:"changes-since-v1281k3s1",level:3},{value:"Release v1.28.1+k3s1",id:"release-v1281k3s1",level:2},{value:"Changes since v1.27.5+k3s1:",id:"changes-since-v1275k3s1",level:3}];function a(e){const s={a:"a",admonition:"admonition",code:"code",h1:"h1",h2:"h2",h3:"h3",header:"header",hr:"hr",li:"li",p:"p",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,t.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(s.header,{children:(0,r.jsx)(s.h1,{id:"v128x",children:"v1.28.X"})}),"\n",(0,r.jsx)(s.admonition,{title:"Upgrade Notice",type:"warning",children:(0,r.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]})}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Version"}),(0,r.jsx)(s.th,{children:"Release date"}),(0,r.jsx)(s.th,{children:"Kubernetes"}),(0,r.jsx)(s.th,{children:"Kine"}),(0,r.jsx)(s.th,{children:"SQLite"}),(0,r.jsx)(s.th,{children:"Etcd"}),(0,r.jsx)(s.th,{children:"Containerd"}),(0,r.jsx)(s.th,{children:"Runc"}),(0,r.jsx)(s.th,{children:"Flannel"}),(0,r.jsx)(s.th,{children:"Metrics-server"}),(0,r.jsx)(s.th,{children:"Traefik"}),(0,r.jsx)(s.th,{children:"CoreDNS"}),(0,r.jsx)(s.th,{children:"Helm-controller"}),(0,r.jsx)(s.th,{children:"Local-path-provisioner"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.28.X#release-v12812k3s1",children:"v1.28.12+k3s1"})}),(0,r.jsx)(s.td,{children:"Jul 31 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v12812",children:"v1.28.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.11",children:"v0.11.11"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1.28",children:"v1.7.17-k3s1.28"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.4",children:"v0.25.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.10",children:"v0.15.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.28",children:"v0.0.28"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.28.X#release-v12811k3s2",children:"v1.28.11+k3s2"})}),(0,r.jsx)(s.td,{children:"Jul 03 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v12811",children:"v1.28.11"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.9",children:"v0.11.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1.28",children:"v1.7.17-k3s1.28"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.4",children:"v0.25.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.10",children:"v0.15.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.27",children:"v0.0.27"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.28.X#release-v12811k3s1",children:"v1.28.11+k3s1"})}),(0,r.jsx)(s.td,{children:"Jun 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v12811",children:"v1.28.11"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.9",children:"v0.11.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1.28",children:"v1.7.17-k3s1.28"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.2",children:"v0.25.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.10",children:"v0.15.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.27",children:"v0.0.27"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.28.X#release-v12810k3s1",children:"v1.28.10+k3s1"})}),(0,r.jsx)(s.td,{children:"May 22 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v12810",children:"v1.28.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.7",children:"v0.11.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.15-k3s1",children:"v1.7.15-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.28.X#release-v1289k3s1",children:"v1.28.9+k3s1"})}),(0,r.jsx)(s.td,{children:"Apr 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1289",children:"v1.28.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.7",children:"v0.11.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.15-k3s1",children:"v1.7.15-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.28.X#release-v1288k3s1",children:"v1.28.8+k3s1"})}),(0,r.jsx)(s.td,{children:"Mar 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1288",children:"v1.28.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.4",children:"v0.11.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2",children:"v1.7.11-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.28.X#release-v1287k3s1",children:"v1.28.7+k3s1"})}),(0,r.jsx)(s.td,{children:"Feb 29 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1287",children:"v1.28.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.4",children:"v0.11.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2",children:"v1.7.11-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.8",children:"v0.15.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.28.X#release-v1286k3s2",children:"v1.28.6+k3s2"})}),(0,r.jsx)(s.td,{children:"Feb 06 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1286",children:"v1.28.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2",children:"v1.7.11-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.8",children:"v0.15.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.28.X#release-v1285k3s1",children:"v1.28.5+k3s1"})}),(0,r.jsx)(s.td,{children:"Dec 27 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1285",children:"v1.28.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2",children:"v1.7.11-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.10",children:"v1.1.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.28.X#release-v1284k3s2",children:"v1.28.4+k3s2"})}),(0,r.jsx)(s.td,{children:"Dec 06 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1284",children:"v1.28.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1",children:"v1.7.7-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.28.X#release-v1283k3s2",children:"v1.28.3+k3s2"})}),(0,r.jsx)(s.td,{children:"Nov 08 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1283",children:"v1.28.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1",children:"v1.7.7-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.28.X#release-v1283k3s1",children:"v1.28.3+k3s1"})}),(0,r.jsx)(s.td,{children:"Oct 30 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1283",children:"v1.28.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1",children:"v1.7.7-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.28.X#release-v1282k3s1",children:"v1.28.2+k3s1"})}),(0,r.jsx)(s.td,{children:"Sep 20 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1282",children:"v1.28.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.6-k3s1",children:"v1.7.6-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.28.X#release-v1281k3s1",children:"v1.28.1+k3s1"})}),(0,r.jsx)(s.td,{children:"Sep 08 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1281",children:"v1.28.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.3-k3s2",children:"v1.7.3-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]})]})]}),"\n",(0,r.jsx)("br",{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12812k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.12+k3s1",children:"v1.28.12+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.12, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v12811",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12811k3s2",children:"Changes since v1.28.11+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-07 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10499",children:"(#10499)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump k3s-root to v0.14.0"}),"\n",(0,r.jsx)(s.li,{children:"Bump github.com/hashicorp/go-retryablehttp from 0.7.4 to 0.7.7"}),"\n",(0,r.jsx)(s.li,{children:"Bump Local Path Provisioner version"}),"\n",(0,r.jsx)(s.li,{children:"Ensure remotedialer kubelet connections use kubelet bind address"}),"\n",(0,r.jsx)(s.li,{children:"Chore: Bump Trivy version"}),"\n",(0,r.jsx)(s.li,{children:"Add etcd s3 config secret implementation"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["July Test Backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10509",children:"(#10509)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.12-k3s1 and Go 1.22.5 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10541",children:"(#10541)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issues loading data-dir value from env vars or dropping config files ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10598",children:"(#10598)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12811k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.11+k3s2",children:"v1.28.11+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.11, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v12811",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12811k3s1",children:"Changes since v1.28.11+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update flannel to v0.25.4 and fixed issue with IPv6 mask ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10428",children:"(#10428)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12811k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.11+k3s1",children:"v1.28.11+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.11, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v12810",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12810k3s1",children:"Changes since v1.28.10+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Replace deprecated ruby function ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10090",children:"(#10090)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix bug when using tailscale config by file ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10144",children:"(#10144)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump flannel version to v0.25.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10221",children:"(#10221)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router version to v2.1.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10182",children:"(#10182)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Improve tailscale test & add extra log in e2e tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10213",children:"(#10213)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-06 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10258",children:"(#10258)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Add WithSkipMissing to not fail import on missing blobs"}),"\n",(0,r.jsx)(s.li,{children:"Use fixed stream server bind address for cri-dockerd"}),"\n",(0,r.jsx)(s.li,{children:"Switch stargz over to cri registry config_path"}),"\n",(0,r.jsx)(s.li,{children:"Bump to containerd v1.7.17, etcd v3.5.13"}),"\n",(0,r.jsx)(s.li,{children:"Bump spegel version"}),"\n",(0,r.jsx)(s.li,{children:"Fix issue with externalTrafficPolicy: Local for single-stack services on dual-stack nodes"}),"\n",(0,r.jsxs)(s.li,{children:["ServiceLB now sets the priorityClassName on svclb pods to ",(0,r.jsx)(s.code,{children:"system-node-critical"})," by default. This can be overridden on a per-service basis via the ",(0,r.jsx)(s.code,{children:"svccontroller.k3s.cattle.io/priorityclassname"})," annotation."]}),"\n",(0,r.jsx)(s.li,{children:"Bump minio-go to v7.0.70"}),"\n",(0,r.jsx)(s.li,{children:"Bump kine to v0.11.9 to fix pagination"}),"\n",(0,r.jsx)(s.li,{children:"Update valid resolv conf"}),"\n",(0,r.jsx)(s.li,{children:"Add missing kernel config check"}),"\n",(0,r.jsx)(s.li,{children:"Symlinked sub-directories are now respected when scanning Auto-Deploying Manifests (AddOns)"}),"\n",(0,r.jsx)(s.li,{children:"Fix bug: allow helm controller set owner reference"}),"\n",(0,r.jsx)(s.li,{children:"Bump klipper-helm image for tls secret support"}),"\n",(0,r.jsx)(s.li,{children:"Fix issue with k3s-etcd informers not starting"}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--Enable-pprof"})," can now be set on agents to enable the debug/pprof endpoints. When set, agents will listen on the supervisor port."]}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--Supervisor-metrics"})," can now be set on servers to enable serving internal metrics on the supervisor endpoint; when set agents will listen on the supervisor port."]}),"\n",(0,r.jsx)(s.li,{children:"Fix netpol crash when node remains tainted uninitialized"}),"\n",(0,r.jsx)(s.li,{children:"The embedded load-balancer will now fall back to trying all servers with health-checks ignored, if all servers have been marked unavailable due to failed health checks."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["More backports for 2024-06 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10289",children:"(#10289)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add snapshot retention etcd-s3-folder fix ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10315",children:"(#10315)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add test for ",(0,r.jsx)(s.code,{children:"isValidResolvConf"})," (#10302) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10331",children:"(#10331)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix race condition panic in loadbalancer.nextServer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10323",children:"(#10323)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix typo, use ",(0,r.jsx)(s.code,{children:"rancher/permissions"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10299",children:"(#10299)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.28.11 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10347",children:"(#10347)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix agent supervisor port using apiserver port instead ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10355",children:"(#10355)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue that allowed multiple simultaneous snapshots to be allowed ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10377",children:"(#10377)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12810k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.10+k3s1",children:"v1.28.10+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.10, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1289",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1289k3s1",children:"Changes since v1.28.9+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Bump E2E opensuse leap to 15.6, fix btrfs test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10095",children:"(#10095)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Windows changes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10114",children:"(#10114)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.10-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10098",children:"(#10098)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1289k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.9+k3s1",children:"v1.28.9+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.9, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1288",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1288k3s1",children:"Changes since v1.28.8+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add a new error when kine is with disable apiserver or disable etcd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9804",children:"(#9804)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove old pinned dependencies ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9827",children:"(#9827)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Transition from deprecated pointer library to ptr ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9824",children:"(#9824)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Golang caching and E2E ubuntu 23.10 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9821",children:"(#9821)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add tls for kine ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9849",children:"(#9849)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump spegel to v0.0.20-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9880",children:"(#9880)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-04 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9911",children:"(#9911)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Send error response if member list cannot be retrieved"}),"\n",(0,r.jsx)(s.li,{children:"The k3s stub cloud provider now respects the kubelet's requested provider-id, instance type, and topology labels"}),"\n",(0,r.jsx)(s.li,{children:"Fix error when image has already been pulled"}),"\n",(0,r.jsx)(s.li,{children:"Add /etc/passwd and /etc/group to k3s docker image"}),"\n",(0,r.jsx)(s.li,{children:"Fix etcd snapshot reconcile for agentless servers"}),"\n",(0,r.jsx)(s.li,{children:"Add health-check support to loadbalancer"}),"\n",(0,r.jsx)(s.li,{children:"Add certificate expiry check, events, and metrics"}),"\n",(0,r.jsx)(s.li,{children:"Add workaround for containerd hosts.toml bug when passing config for default registry endpoint"}),"\n",(0,r.jsx)(s.li,{children:"Add supervisor cert/key to rotate list"}),"\n",(0,r.jsx)(s.li,{children:"The embedded containerd has been bumped to v1.7.15"}),"\n",(0,r.jsx)(s.li,{children:"The embedded cri-dockerd has been bumped to v0.3.12"}),"\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"k3s etcd-snapshot"})," command has been reworked for improved consistency. All snapshots operations are now performed by the server process, with the CLI acting as a client to initiate and report results. As a side effect, the CLI is now less noisy when managing snapshots."]}),"\n",(0,r.jsx)(s.li,{children:"Improve etcd load-balancer startup behavior"}),"\n",(0,r.jsx)(s.li,{children:"Actually fix agent certificate rotation"}),"\n",(0,r.jsx)(s.li,{children:"Traefik has been bumped to v2.10.7."}),"\n",(0,r.jsx)(s.li,{children:"Traefik pod annotations are now set properly in the default chart values."}),"\n",(0,r.jsx)(s.li,{children:"The system-default-registry value now supports RFC2732 IPv6 literals."}),"\n",(0,r.jsxs)(s.li,{children:["The local-path provisioner now defaults to creating ",(0,r.jsx)(s.code,{children:"local"})," volumes, instead of ",(0,r.jsx)(s.code,{children:"hostPath"}),"."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Allow LPP to read helper logs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9938",children:"(#9938)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router to v2.1.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9942",children:"(#9942)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.9-k3s1 and Go 1.21.9 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9959",children:"(#9959)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix on-demand snapshots timing out; not honoring folder ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9994",children:"(#9994)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Make /db/info available anonymously from localhost ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10002",children:"(#10002)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1288k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.8+k3s1",children:"v1.28.8+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.8, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1287",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1287k3s1",children:"Changes since v1.28.7+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add an integration test for flannel-backend=none ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9608",children:"(#9608)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Install and Unit test backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9641",children:"(#9641)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update klipper-lb image version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9605",children:"(#9605)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Chore(deps): Remediating CVE-2023-45142 CVE-2023-48795 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9647",children:"(#9647)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Adjust first node-ip based on configured clusterCIDR ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9631",children:"(#9631)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Improve tailscale e2e test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9653",children:"(#9653)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-03 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9669",children:"(#9669)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fix: use correct wasm shims names"}),"\n",(0,r.jsx)(s.li,{children:"The embedded flannel cni-plugin binary is now built and versioned separate from the rest of the cni plugins and the embedded flannel controller."}),"\n",(0,r.jsx)(s.li,{children:"Bump spegel to v0.0.18-k3s3"}),"\n",(0,r.jsx)(s.li,{children:"Adds wildcard registry support"}),"\n",(0,r.jsx)(s.li,{children:"Fixes issue with excessive CPU utilization while waiting for containerd to start"}),"\n",(0,r.jsx)(s.li,{children:"Add env var to allow spegel mirroring of latest tag"}),"\n",(0,r.jsx)(s.li,{children:"Tweak netpol node wait logs"}),"\n",(0,r.jsx)(s.li,{children:"Fix coredns NodeHosts on dual-stack clusters"}),"\n",(0,r.jsx)(s.li,{children:"Bump helm-controller/klipper-helm versions"}),"\n",(0,r.jsx)(s.li,{children:"Fix snapshot prune"}),"\n",(0,r.jsx)(s.li,{children:"Fix issue with etcd node name missing hostname"}),"\n",(0,r.jsx)(s.li,{children:"Rootless mode should also bind service nodePort to host for LoadBalancer type, matching UX of rootful mode."}),"\n",(0,r.jsxs)(s.li,{children:["To enable raw output for the ",(0,r.jsx)(s.code,{children:"check-config"})," subcommand, you may now set NO_COLOR=1"]}),"\n",(0,r.jsx)(s.li,{children:"Fix additional corner cases in registries handling"}),"\n",(0,r.jsx)(s.li,{children:"Bump metrics-server to v0.7.0"}),"\n",(0,r.jsx)(s.li,{children:"K3s will now warn and suppress duplicate entries in the mirror endpoint list for a registry. Containerd does not support listing the same endpoint multiple times as a mirror for a single upstream registry."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Docker and E2E Test Backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9707",children:"(#9707)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix wildcard entry upstream fallback ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9733",children:"(#9733)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.8-k3s1 and Go 1.21.8 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9746",children:"(#9746)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1287k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.7+k3s1",children:"v1.28.7+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.7, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1286",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1286k3s2",children:"Changes since v1.28.6+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Chore: bump Local Path Provisioner version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9426",children:"(#9426)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump cri-dockerd to fix compat with Docker Engine 25 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9293",children:"(#9293)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Auto Dependency Bump ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9419",children:"(#9419)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Runtimes refactor using exec.LookPath ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9431",children:"(#9431)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Directories containing runtimes need to be included in the $PATH environment variable for effective runtime detection."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Changed how lastHeartBeatTime works in the etcd condition ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9424",children:"(#9424)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Flannel v0.24.2 + remove multiclustercidr ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9401",children:"(#9401)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow executors to define containerd and docker behavior ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9254",children:"(#9254)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kube-router to v2.0.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9404",children:"(#9404)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-02 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9462",children:"(#9462)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Enable longer http timeout requests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9444",children:"(#9444)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Test_UnitApplyContainerdQoSClassConfigFileIfPresent ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9440",children:"(#9440)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Support PR testing installs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9469",children:"(#9469)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.28.7 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9492",children:"(#9492)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix drone publish for arm ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9508",children:"(#9508)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove failing Drone step ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9516",children:"(#9516)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Restore original order of agent startup functions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9545",children:"(#9545)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix netpol startup when flannel is disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9578",children:"(#9578)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1286k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.6+k3s2",children:"v1.28.6+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.6, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1285",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.p,{children:(0,r.jsx)(s.strong,{children:"Important Notes"})}),"\n",(0,r.jsxs)(s.p,{children:["Addresses the runc CVE: ",(0,r.jsx)(s.a,{href:"https://nvd.nist.gov/vuln/detail/CVE-2024-21626",children:"CVE-2024-21626"})," by updating runc to v1.1.12."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1285k3s1",children:"Changes since v1.28.5+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add a retry around updating a secrets-encrypt node annotations ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9125",children:"(#9125)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Wait for taint to be gone in the node before starting the netpol controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9175",children:"(#9175)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Etcd condition ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9181",children:"(#9181)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-01 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9203",children:"(#9203)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Pin opa version for missing dependency chain ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9216",children:"(#9216)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added support for env *_PROXY variables for agent loadbalancer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9206",children:"(#9206)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Etcd node is nil ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9228",children:"(#9228)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.6 and Go 1.20.13 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9260",children:"(#9260)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use ",(0,r.jsx)(s.code,{children:"ipFamilyPolicy: RequireDualStack"})," for dual-stack kube-dns ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9269",children:"(#9269)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-01 k3s2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9336",children:"(#9336)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump runc to v1.1.12 and helm-controller to v0.15.7"}),"\n",(0,r.jsx)(s.li,{children:"Fix handling of bare hostname or IP as endpoint address in registries.yaml"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump helm-controller to fix issue with ChartContent ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9346",children:"(#9346)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1285k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.5+k3s1",children:"v1.28.5+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.5, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1284",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1284k3s1",children:"Changes since v1.28.4+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Remove s390x steps temporarily since runners are disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8983",children:"(#8983)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove s390x from manifest ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8998",children:"(#8998)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix overlapping address range ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8913",children:"(#8913)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Modify CONTRIBUTING.md guide ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8954",children:"(#8954)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Nov 2023 stable channel update ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9022",children:"(#9022)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Default runtime and runtime classes for wasm/nvidia/crun ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8936",children:"(#8936)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Added runtime classes for wasm/nvidia/crun"}),"\n",(0,r.jsx)(s.li,{children:"Added default runtime flag for containerd"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd/runc to v1.7.10-k3s1/v1.1.10 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8962",children:"(#8962)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow setting default-runtime on servers ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9027",children:"(#9027)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd to v1.7.11 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9040",children:"(#9040)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.5-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9081",children:"(#9081)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1284k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.4+k3s2",children:"v1.28.4+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.4, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1283",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1283k3s2",children:"Changes since v1.28.3+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update channels latest to v1.27.7+k3s2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8799",children:"(#8799)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add etcd status condition ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8724",children:"(#8724)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Now the user can see the etcd status from each node in a simple way"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["ADR for etcd status ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8355",children:"(#8355)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Wasm shims detection ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8751",children:"(#8751)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Automatic discovery of WebAssembly runtimes"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add warning for removal of multiclustercidr flag ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8758",children:"(#8758)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Improve dualStack log ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8798",children:"(#8798)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Optimize: Simplify and clean up Dockerfile ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8244",children:"(#8244)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add: timezone info in image ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8764",children:"(#8764)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["New timezone info in Docker image allows the use of ",(0,r.jsx)(s.code,{children:"spec.timeZone"})," in CronJobs"]}),"\n"]}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump kine to fix nats, postgres, and watch issues ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8778",children:"(#8778)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bumped kine to v0.11.0 to resolve issues with postgres and NATS, fix performance of watch channels under heavy load, and improve compatibility with the reference implementation."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["QoS-class resource configuration ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8726",children:"(#8726)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Containerd may now be configured to use rdt or blockio configuration by defining ",(0,r.jsx)(s.code,{children:"rdt_config.yaml"})," or ",(0,r.jsx)(s.code,{children:"blockio_config.yaml"})," files."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add agent flag disable-apiserver-lb ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8717",children:"(#8717)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Add agent flag disable-apiserver-lb, agent will not start load balance proxy."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Force umount for NFS mount (like with longhorn) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8521",children:"(#8521)"})]}),"\n",(0,r.jsxs)(s.li,{children:["General updates to README ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8786",children:"(#8786)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix wrong warning from restorecon in install script ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8871",children:"(#8871)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue with snapshot metadata configmap ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8835",children:"(#8835)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Omit snapshot list configmap entries for snapshots without extra metadata"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Skip initial datastore reconcile during cluster-reset ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8861",children:"(#8861)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Tweaked order of ingress IPs in ServiceLB ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8711",children:"(#8711)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Improved ingress IP ordering from ServiceLB"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Disable helm CRD installation for disable-helm-controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8702",children:"(#8702)"})]}),"\n",(0,r.jsxs)(s.li,{children:["More improves for K3s patch release docs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8800",children:"(#8800)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update install.sh sha256sum ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8885",children:"(#8885)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add jitter to client config retry to avoid hammering servers when they are starting up ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8863",children:"(#8863)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Handle nil pointer when runtime core is not ready in etcd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8886",children:"(#8886)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump dynamiclistener; reduce snapshot controller log spew ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8894",children:"(#8894)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bumped dynamiclistener to address a race condition that could cause a server to fail to sync its certificates into the Kubernetes secret"}),"\n",(0,r.jsx)(s.li,{children:"Reduced etcd snapshot log spam during initial cluster startup"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Remove depends_on for e2e step; fix cert rotate e2e ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8906",children:"(#8906)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix etcd snapshot S3 issues ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8926",children:"(#8926)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Don't apply S3 retention if S3 client failed to initialize"}),"\n",(0,r.jsx)(s.li,{children:"Don't request metadata when listing S3 snapshots"}),"\n",(0,r.jsx)(s.li,{children:"Print key instead of file path in snapshot metadata log message"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.4 and Go to v1.20.11 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8920",children:"(#8920)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove s390x steps temporarily since runners are disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8983",children:"(#8983)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove s390x from manifest ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8998",children:"(#8998)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1283k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.3+k3s2",children:"v1.28.3+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.3, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1283",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1283k3s1",children:"Changes since v1.28.3+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Restore selinux context systemd unit file ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8593",children:"(#8593)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update channel to v1.27.7+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8753",children:"(#8753)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Sonobuoy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8710",children:"(#8710)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8739",children:"(#8739)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix: Access outer scope .SystemdCgroup ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8761",children:"(#8761)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed failing to start with nvidia-container-runtime"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Upgrade traefik chart to v25.0.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8771",children:"(#8771)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update traefik to fix registry value ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8792",children:"(#8792)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Don't use iptables-save/iptables-restore if it will corrupt rules ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8795",children:"(#8795)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1283k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.3+k3s1",children:"v1.28.3+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.3, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1282",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1282k3s1",children:"Changes since v1.28.2+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix error reporting ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8250",children:"(#8250)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add context to flannel errors ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8284",children:"(#8284)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update channel, September patch release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8397",children:"(#8397)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add missing link to drone in documentation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8295",children:"(#8295)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Include the interface name in the error message ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8346",children:"(#8346)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add extraArgs to vpn provider ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8354",children:"(#8354)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Allow to pass extra args to the vpn provider"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Disable HTTP on main etcd client port ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8402",children:"(#8402)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Embedded etcd no longer serves http requests on the client port, only grpc. This addresses a performance issue that could cause watch stream starvation under load. For more information, see ",(0,r.jsx)(s.a,{href:"https://github.com/etcd-io/etcd/issues/15402",children:"https://github.com/etcd-io/etcd/issues/15402"})]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Server token rotation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8215",children:"(#8215)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issues with etcd member removal after reset ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8392",children:"(#8392)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed an issue that could cause k3s to attempt to remove members from the etcd cluster immediately following a cluster-reset/restore, if they were queued for removal at the time the snapshot was taken."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix gofmt error ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8439",children:"(#8439)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added advertise address integration test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8344",children:"(#8344)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added cluster reset from non bootstrap nodes on snapshot restore e2e test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8292",children:"(#8292)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix .github regex to skip drone runs on gh action bumps ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8433",children:"(#8433)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added error when cluster reset while using server flag ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8385",children:"(#8385)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The user will receive a error when --cluster-reset with the --server flag"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8423",children:"(#8423)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Update kube-router to v2.0.0-rc7 to fix performance issues"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add SHA256 signatures of the install script ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8312",children:"(#8312)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Add SHA256 signatures of the install script."}),"\n"]}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add --image-service-endpoint flag ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8279",children:"(#8279)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add ",(0,r.jsx)(s.code,{children:"--image-service-endpoint"})," flag to specify an external image service socket."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Don't ignore assets in home dir if system assets exist ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8458",children:"(#8458)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Pass SystemdCgroup setting through to nvidia runtime options ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8470",children:"(#8470)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed issue that would cause pods using nvidia container runtime to be killed after a few seconds, when using newer versions of nvidia-container-toolkit."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Improve release docs - updated ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8414",children:"(#8414)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Take IPFamily precedence based on order ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8460",children:"(#8460)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix spellcheck problem ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8507",children:"(#8507)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Network defaults are duplicated, remove one ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8523",children:"(#8523)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix slemicro check for selinux ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8526",children:"(#8526)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update install.sh.sha256sum ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8566",children:"(#8566)"})]}),"\n",(0,r.jsxs)(s.li,{children:["System agent push tags fix ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8568",children:"(#8568)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fixed tailscale node IP dualstack mode in case of IPv4 only node ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8524",children:"(#8524)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Server Token Rotation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8265",children:"(#8265)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Users can now rotate the server token using ",(0,r.jsx)(s.code,{children:"k3s token rotate -t --new-token "}),". After command succeeds, all server nodes must be restarted with the new token."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["E2E Domain Drone Cleanup ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8579",children:"(#8579)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd to v1.7.7-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8604",children:"(#8604)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump busybox to v1.36.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8602",children:"(#8602)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Migrate to using custom resource to store etcd snapshot metadata ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8064",children:"(#8064)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Switch build target from main.go to a package. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8342",children:"(#8342)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use IPv6 in case is the first configured IP with dualstack ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8581",children:"(#8581)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump traefik, golang.org/x/net, google.golang.org/grpc ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8624",children:"(#8624)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router package in build script ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8630",children:"(#8630)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add etcd-only/control-plane-only server test and fix control-plane-only server crash ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8638",children:"(#8638)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use ",(0,r.jsx)(s.code,{children:"version.Program"})," not K3s in token rotate logs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8653",children:"(#8653)"})]}),"\n",(0,r.jsxs)(s.li,{children:["[Windows Port ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7259",children:"(#7259)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix CloudDualStackNodeIPs feature-gate inconsistency ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8667",children:"(#8667)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Re-enable etcd endpoint auto-sync ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8675",children:"(#8675)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Manually requeue configmap reconcile when no nodes have reconciled snapshots ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8683",children:"(#8683)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.3 and Go to v1.20.10 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8682",children:"(#8682)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix s3 snapshot restore ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8729",children:"(#8729)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1282k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.2+k3s1",children:"v1.28.2+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.2, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1281",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1281k3s1",children:"Changes since v1.28.1+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update channel for version v1.28 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8305",children:"(#8305)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump kine to v0.10.3 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8323",children:"(#8323)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.2 and go v1.20.8 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8364",children:"(#8364)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump embedded containerd to v1.7.6"}),"\n",(0,r.jsx)(s.li,{children:"Bump embedded stargz-snapshotter plugin to latest"}),"\n",(0,r.jsx)(s.li,{children:"Fixed intermittent drone CI failures due to race conditions in test environment setup scripts"}),"\n",(0,r.jsx)(s.li,{children:"Fixed CI failures due to changes to api discovery changes in Kubernetes 1.28"}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1281k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.1+k3s1",children:"v1.28.1+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release is K3S's first in the v1.28 line. This release updates Kubernetes to v1.28.1."}),"\n",(0,r.jsx)(s.admonition,{title:"Important",type:"warning",children:(0,r.jsxs)(s.p,{children:["This release includes remediation for CVE-2023-32187, a potential Denial of Service attack vector on K3s servers. See ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2",children:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2"})," for more information, including documentation on changes in behavior that harden clusters against this vulnerability."]})}),"\n",(0,r.jsx)(s.admonition,{title:"Critical Regression",type:"danger",children:(0,r.jsxs)(s.p,{children:["Kubernetes v1.28 contains a critical regression (",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/issues/120247",children:"kubernetes/kubernetes#120247"}),") that causes init containers to run at the same time as app containers following a restart of the node. This issue will be fixed in v1.28.2. We do not recommend using K3s v1.28 at this time if your application depends on init containers."]})}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1270",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1275k3s1",children:"Changes since v1.27.5+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8239",children:"(#8239)"})]}),"\n",(0,r.jsxs)(s.li,{children:["CLI Removal for v1.28.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8203",children:"(#8203)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Secrets Encryption V3 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8111",children:"(#8111)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add new CLI flag to disable TLS SAN CN filtering ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8252",children:"(#8252)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Added a new ",(0,r.jsx)(s.code,{children:"--tls-san-security"})," option."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add RWMutex to address controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8268",children:"(#8268)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{})]})}function o(e={}){const{wrapper:s}={...(0,t.a)(),...e.components};return s?(0,r.jsx)(s,{...e,children:(0,r.jsx)(a,{...e})}):a(e)}},1151:(e,s,i)=>{i.d(s,{Z:()=>h,a:()=>l});var r=i(7294);const t={},n=r.createContext(t);function l(e){const s=r.useContext(n);return r.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function h(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:l(e.components),r.createElement(n.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/2f797aa4.e34a8141.js b/kr/assets/js/2f797aa4.e34a8141.js deleted file mode 100644 index e559a3b1f..000000000 --- a/kr/assets/js/2f797aa4.e34a8141.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[101],{3989:(e,s,i)=>{i.r(s),i.d(s,{assets:()=>c,contentTitle:()=>l,default:()=>o,frontMatter:()=>n,metadata:()=>h,toc:()=>d});var r=i(5893),t=i(1151);const n={hide_table_of_contents:!0,sidebar_position:3},l="v1.28.X",h={id:"release-notes/v1.28.X",title:"v1.28.X",description:"Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.",source:"@site/docs/release-notes/v1.28.X.md",sourceDirName:"release-notes",slug:"/release-notes/v1.28.X",permalink:"/kr/release-notes/v1.28.X",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/release-notes/v1.28.X.md",tags:[],version:"current",lastUpdatedAt:172365169e4,sidebarPosition:3,frontMatter:{hide_table_of_contents:!0,sidebar_position:3},sidebar:"mySidebar",previous:{title:"v1.29.X",permalink:"/kr/release-notes/v1.29.X"},next:{title:"v1.27.X",permalink:"/kr/release-notes/v1.27.X"}},c={},d=[{value:"Release v1.28.12+k3s1",id:"release-v12812k3s1",level:2},{value:"Changes since v1.28.11+k3s2:",id:"changes-since-v12811k3s2",level:3},{value:"Release v1.28.11+k3s2",id:"release-v12811k3s2",level:2},{value:"Changes since v1.28.11+k3s1:",id:"changes-since-v12811k3s1",level:3},{value:"Release v1.28.11+k3s1",id:"release-v12811k3s1",level:2},{value:"Changes since v1.28.10+k3s1:",id:"changes-since-v12810k3s1",level:3},{value:"Release v1.28.10+k3s1",id:"release-v12810k3s1",level:2},{value:"Changes since v1.28.9+k3s1:",id:"changes-since-v1289k3s1",level:3},{value:"Release v1.28.9+k3s1",id:"release-v1289k3s1",level:2},{value:"Changes since v1.28.8+k3s1:",id:"changes-since-v1288k3s1",level:3},{value:"Release v1.28.8+k3s1",id:"release-v1288k3s1",level:2},{value:"Changes since v1.28.7+k3s1:",id:"changes-since-v1287k3s1",level:3},{value:"Release v1.28.7+k3s1",id:"release-v1287k3s1",level:2},{value:"Changes since v1.28.6+k3s2:",id:"changes-since-v1286k3s2",level:3},{value:"Release v1.28.6+k3s2",id:"release-v1286k3s2",level:2},{value:"Changes since v1.28.5+k3s1:",id:"changes-since-v1285k3s1",level:3},{value:"Release v1.28.5+k3s1",id:"release-v1285k3s1",level:2},{value:"Changes since v1.28.4+k3s1:",id:"changes-since-v1284k3s1",level:3},{value:"Release v1.28.4+k3s2",id:"release-v1284k3s2",level:2},{value:"Changes since v1.28.3+k3s2:",id:"changes-since-v1283k3s2",level:3},{value:"Release v1.28.3+k3s2",id:"release-v1283k3s2",level:2},{value:"Changes since v1.28.3+k3s1:",id:"changes-since-v1283k3s1",level:3},{value:"Release v1.28.3+k3s1",id:"release-v1283k3s1",level:2},{value:"Changes since v1.28.2+k3s1:",id:"changes-since-v1282k3s1",level:3},{value:"Release v1.28.2+k3s1",id:"release-v1282k3s1",level:2},{value:"Changes since v1.28.1+k3s1:",id:"changes-since-v1281k3s1",level:3},{value:"Release v1.28.1+k3s1",id:"release-v1281k3s1",level:2},{value:"Changes since v1.27.5+k3s1:",id:"changes-since-v1275k3s1",level:3}];function a(e){const s={a:"a",admonition:"admonition",code:"code",h1:"h1",h2:"h2",h3:"h3",hr:"hr",li:"li",p:"p",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,t.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(s.h1,{id:"v128x",children:"v1.28.X"}),"\n",(0,r.jsx)(s.admonition,{title:"Upgrade Notice",type:"warning",children:(0,r.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]})}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Version"}),(0,r.jsx)(s.th,{children:"Release date"}),(0,r.jsx)(s.th,{children:"Kubernetes"}),(0,r.jsx)(s.th,{children:"Kine"}),(0,r.jsx)(s.th,{children:"SQLite"}),(0,r.jsx)(s.th,{children:"Etcd"}),(0,r.jsx)(s.th,{children:"Containerd"}),(0,r.jsx)(s.th,{children:"Runc"}),(0,r.jsx)(s.th,{children:"Flannel"}),(0,r.jsx)(s.th,{children:"Metrics-server"}),(0,r.jsx)(s.th,{children:"Traefik"}),(0,r.jsx)(s.th,{children:"CoreDNS"}),(0,r.jsx)(s.th,{children:"Helm-controller"}),(0,r.jsx)(s.th,{children:"Local-path-provisioner"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.28.X#release-v12812k3s1",children:"v1.28.12+k3s1"})}),(0,r.jsx)(s.td,{children:"Jul 31 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v12812",children:"v1.28.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.11",children:"v0.11.11"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1.28",children:"v1.7.17-k3s1.28"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.4",children:"v0.25.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.10",children:"v0.15.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.28",children:"v0.0.28"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.28.X#release-v12811k3s2",children:"v1.28.11+k3s2"})}),(0,r.jsx)(s.td,{children:"Jul 03 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v12811",children:"v1.28.11"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.9",children:"v0.11.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1.28",children:"v1.7.17-k3s1.28"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.4",children:"v0.25.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.10",children:"v0.15.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.27",children:"v0.0.27"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.28.X#release-v12811k3s1",children:"v1.28.11+k3s1"})}),(0,r.jsx)(s.td,{children:"Jun 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v12811",children:"v1.28.11"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.9",children:"v0.11.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1.28",children:"v1.7.17-k3s1.28"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.2",children:"v0.25.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.10",children:"v0.15.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.27",children:"v0.0.27"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.28.X#release-v12810k3s1",children:"v1.28.10+k3s1"})}),(0,r.jsx)(s.td,{children:"May 22 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v12810",children:"v1.28.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.7",children:"v0.11.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.15-k3s1",children:"v1.7.15-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.28.X#release-v1289k3s1",children:"v1.28.9+k3s1"})}),(0,r.jsx)(s.td,{children:"Apr 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1289",children:"v1.28.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.7",children:"v0.11.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.15-k3s1",children:"v1.7.15-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.28.X#release-v1288k3s1",children:"v1.28.8+k3s1"})}),(0,r.jsx)(s.td,{children:"Mar 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1288",children:"v1.28.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.4",children:"v0.11.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2",children:"v1.7.11-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.28.X#release-v1287k3s1",children:"v1.28.7+k3s1"})}),(0,r.jsx)(s.td,{children:"Feb 29 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1287",children:"v1.28.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.4",children:"v0.11.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2",children:"v1.7.11-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.8",children:"v0.15.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.28.X#release-v1286k3s2",children:"v1.28.6+k3s2"})}),(0,r.jsx)(s.td,{children:"Feb 06 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1286",children:"v1.28.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2",children:"v1.7.11-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.8",children:"v0.15.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.28.X#release-v1285k3s1",children:"v1.28.5+k3s1"})}),(0,r.jsx)(s.td,{children:"Dec 27 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1285",children:"v1.28.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2",children:"v1.7.11-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.10",children:"v1.1.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.28.X#release-v1284k3s2",children:"v1.28.4+k3s2"})}),(0,r.jsx)(s.td,{children:"Dec 06 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1284",children:"v1.28.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1",children:"v1.7.7-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.28.X#release-v1283k3s2",children:"v1.28.3+k3s2"})}),(0,r.jsx)(s.td,{children:"Nov 08 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1283",children:"v1.28.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1",children:"v1.7.7-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.28.X#release-v1283k3s1",children:"v1.28.3+k3s1"})}),(0,r.jsx)(s.td,{children:"Oct 30 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1283",children:"v1.28.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1",children:"v1.7.7-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.28.X#release-v1282k3s1",children:"v1.28.2+k3s1"})}),(0,r.jsx)(s.td,{children:"Sep 20 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1282",children:"v1.28.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.6-k3s1",children:"v1.7.6-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.28.X#release-v1281k3s1",children:"v1.28.1+k3s1"})}),(0,r.jsx)(s.td,{children:"Sep 08 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1281",children:"v1.28.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.3-k3s2",children:"v1.7.3-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]})]})]}),"\n",(0,r.jsx)("br",{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12812k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.12+k3s1",children:"v1.28.12+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.12, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v12811",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12811k3s2",children:"Changes since v1.28.11+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-07 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10499",children:"(#10499)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump k3s-root to v0.14.0"}),"\n",(0,r.jsx)(s.li,{children:"Bump github.com/hashicorp/go-retryablehttp from 0.7.4 to 0.7.7"}),"\n",(0,r.jsx)(s.li,{children:"Bump Local Path Provisioner version"}),"\n",(0,r.jsx)(s.li,{children:"Ensure remotedialer kubelet connections use kubelet bind address"}),"\n",(0,r.jsx)(s.li,{children:"Chore: Bump Trivy version"}),"\n",(0,r.jsx)(s.li,{children:"Add etcd s3 config secret implementation"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["July Test Backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10509",children:"(#10509)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.12-k3s1 and Go 1.22.5 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10541",children:"(#10541)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issues loading data-dir value from env vars or dropping config files ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10598",children:"(#10598)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12811k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.11+k3s2",children:"v1.28.11+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.11, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v12811",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12811k3s1",children:"Changes since v1.28.11+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update flannel to v0.25.4 and fixed issue with IPv6 mask ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10428",children:"(#10428)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12811k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.11+k3s1",children:"v1.28.11+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.11, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v12810",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12810k3s1",children:"Changes since v1.28.10+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Replace deprecated ruby function ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10090",children:"(#10090)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix bug when using tailscale config by file ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10144",children:"(#10144)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump flannel version to v0.25.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10221",children:"(#10221)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router version to v2.1.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10182",children:"(#10182)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Improve tailscale test & add extra log in e2e tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10213",children:"(#10213)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-06 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10258",children:"(#10258)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Add WithSkipMissing to not fail import on missing blobs"}),"\n",(0,r.jsx)(s.li,{children:"Use fixed stream server bind address for cri-dockerd"}),"\n",(0,r.jsx)(s.li,{children:"Switch stargz over to cri registry config_path"}),"\n",(0,r.jsx)(s.li,{children:"Bump to containerd v1.7.17, etcd v3.5.13"}),"\n",(0,r.jsx)(s.li,{children:"Bump spegel version"}),"\n",(0,r.jsx)(s.li,{children:"Fix issue with externalTrafficPolicy: Local for single-stack services on dual-stack nodes"}),"\n",(0,r.jsxs)(s.li,{children:["ServiceLB now sets the priorityClassName on svclb pods to ",(0,r.jsx)(s.code,{children:"system-node-critical"})," by default. This can be overridden on a per-service basis via the ",(0,r.jsx)(s.code,{children:"svccontroller.k3s.cattle.io/priorityclassname"})," annotation."]}),"\n",(0,r.jsx)(s.li,{children:"Bump minio-go to v7.0.70"}),"\n",(0,r.jsx)(s.li,{children:"Bump kine to v0.11.9 to fix pagination"}),"\n",(0,r.jsx)(s.li,{children:"Update valid resolv conf"}),"\n",(0,r.jsx)(s.li,{children:"Add missing kernel config check"}),"\n",(0,r.jsx)(s.li,{children:"Symlinked sub-directories are now respected when scanning Auto-Deploying Manifests (AddOns)"}),"\n",(0,r.jsx)(s.li,{children:"Fix bug: allow helm controller set owner reference"}),"\n",(0,r.jsx)(s.li,{children:"Bump klipper-helm image for tls secret support"}),"\n",(0,r.jsx)(s.li,{children:"Fix issue with k3s-etcd informers not starting"}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--Enable-pprof"})," can now be set on agents to enable the debug/pprof endpoints. When set, agents will listen on the supervisor port."]}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--Supervisor-metrics"})," can now be set on servers to enable serving internal metrics on the supervisor endpoint; when set agents will listen on the supervisor port."]}),"\n",(0,r.jsx)(s.li,{children:"Fix netpol crash when node remains tainted uninitialized"}),"\n",(0,r.jsx)(s.li,{children:"The embedded load-balancer will now fall back to trying all servers with health-checks ignored, if all servers have been marked unavailable due to failed health checks."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["More backports for 2024-06 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10289",children:"(#10289)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add snapshot retention etcd-s3-folder fix ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10315",children:"(#10315)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add test for ",(0,r.jsx)(s.code,{children:"isValidResolvConf"})," (#10302) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10331",children:"(#10331)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix race condition panic in loadbalancer.nextServer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10323",children:"(#10323)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix typo, use ",(0,r.jsx)(s.code,{children:"rancher/permissions"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10299",children:"(#10299)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.28.11 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10347",children:"(#10347)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix agent supervisor port using apiserver port instead ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10355",children:"(#10355)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue that allowed multiple simultaneous snapshots to be allowed ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10377",children:"(#10377)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12810k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.10+k3s1",children:"v1.28.10+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.10, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1289",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1289k3s1",children:"Changes since v1.28.9+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Bump E2E opensuse leap to 15.6, fix btrfs test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10095",children:"(#10095)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Windows changes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10114",children:"(#10114)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.10-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10098",children:"(#10098)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1289k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.9+k3s1",children:"v1.28.9+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.9, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1288",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1288k3s1",children:"Changes since v1.28.8+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add a new error when kine is with disable apiserver or disable etcd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9804",children:"(#9804)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove old pinned dependencies ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9827",children:"(#9827)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Transition from deprecated pointer library to ptr ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9824",children:"(#9824)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Golang caching and E2E ubuntu 23.10 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9821",children:"(#9821)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add tls for kine ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9849",children:"(#9849)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump spegel to v0.0.20-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9880",children:"(#9880)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-04 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9911",children:"(#9911)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Send error response if member list cannot be retrieved"}),"\n",(0,r.jsx)(s.li,{children:"The k3s stub cloud provider now respects the kubelet's requested provider-id, instance type, and topology labels"}),"\n",(0,r.jsx)(s.li,{children:"Fix error when image has already been pulled"}),"\n",(0,r.jsx)(s.li,{children:"Add /etc/passwd and /etc/group to k3s docker image"}),"\n",(0,r.jsx)(s.li,{children:"Fix etcd snapshot reconcile for agentless servers"}),"\n",(0,r.jsx)(s.li,{children:"Add health-check support to loadbalancer"}),"\n",(0,r.jsx)(s.li,{children:"Add certificate expiry check, events, and metrics"}),"\n",(0,r.jsx)(s.li,{children:"Add workaround for containerd hosts.toml bug when passing config for default registry endpoint"}),"\n",(0,r.jsx)(s.li,{children:"Add supervisor cert/key to rotate list"}),"\n",(0,r.jsx)(s.li,{children:"The embedded containerd has been bumped to v1.7.15"}),"\n",(0,r.jsx)(s.li,{children:"The embedded cri-dockerd has been bumped to v0.3.12"}),"\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"k3s etcd-snapshot"})," command has been reworked for improved consistency. All snapshots operations are now performed by the server process, with the CLI acting as a client to initiate and report results. As a side effect, the CLI is now less noisy when managing snapshots."]}),"\n",(0,r.jsx)(s.li,{children:"Improve etcd load-balancer startup behavior"}),"\n",(0,r.jsx)(s.li,{children:"Actually fix agent certificate rotation"}),"\n",(0,r.jsx)(s.li,{children:"Traefik has been bumped to v2.10.7."}),"\n",(0,r.jsx)(s.li,{children:"Traefik pod annotations are now set properly in the default chart values."}),"\n",(0,r.jsx)(s.li,{children:"The system-default-registry value now supports RFC2732 IPv6 literals."}),"\n",(0,r.jsxs)(s.li,{children:["The local-path provisioner now defaults to creating ",(0,r.jsx)(s.code,{children:"local"})," volumes, instead of ",(0,r.jsx)(s.code,{children:"hostPath"}),"."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Allow LPP to read helper logs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9938",children:"(#9938)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router to v2.1.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9942",children:"(#9942)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.9-k3s1 and Go 1.21.9 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9959",children:"(#9959)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix on-demand snapshots timing out; not honoring folder ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9994",children:"(#9994)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Make /db/info available anonymously from localhost ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10002",children:"(#10002)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1288k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.8+k3s1",children:"v1.28.8+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.8, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1287",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1287k3s1",children:"Changes since v1.28.7+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add an integration test for flannel-backend=none ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9608",children:"(#9608)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Install and Unit test backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9641",children:"(#9641)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update klipper-lb image version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9605",children:"(#9605)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Chore(deps): Remediating CVE-2023-45142 CVE-2023-48795 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9647",children:"(#9647)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Adjust first node-ip based on configured clusterCIDR ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9631",children:"(#9631)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Improve tailscale e2e test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9653",children:"(#9653)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-03 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9669",children:"(#9669)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fix: use correct wasm shims names"}),"\n",(0,r.jsx)(s.li,{children:"The embedded flannel cni-plugin binary is now built and versioned separate from the rest of the cni plugins and the embedded flannel controller."}),"\n",(0,r.jsx)(s.li,{children:"Bump spegel to v0.0.18-k3s3"}),"\n",(0,r.jsx)(s.li,{children:"Adds wildcard registry support"}),"\n",(0,r.jsx)(s.li,{children:"Fixes issue with excessive CPU utilization while waiting for containerd to start"}),"\n",(0,r.jsx)(s.li,{children:"Add env var to allow spegel mirroring of latest tag"}),"\n",(0,r.jsx)(s.li,{children:"Tweak netpol node wait logs"}),"\n",(0,r.jsx)(s.li,{children:"Fix coredns NodeHosts on dual-stack clusters"}),"\n",(0,r.jsx)(s.li,{children:"Bump helm-controller/klipper-helm versions"}),"\n",(0,r.jsx)(s.li,{children:"Fix snapshot prune"}),"\n",(0,r.jsx)(s.li,{children:"Fix issue with etcd node name missing hostname"}),"\n",(0,r.jsx)(s.li,{children:"Rootless mode should also bind service nodePort to host for LoadBalancer type, matching UX of rootful mode."}),"\n",(0,r.jsxs)(s.li,{children:["To enable raw output for the ",(0,r.jsx)(s.code,{children:"check-config"})," subcommand, you may now set NO_COLOR=1"]}),"\n",(0,r.jsx)(s.li,{children:"Fix additional corner cases in registries handling"}),"\n",(0,r.jsx)(s.li,{children:"Bump metrics-server to v0.7.0"}),"\n",(0,r.jsx)(s.li,{children:"K3s will now warn and suppress duplicate entries in the mirror endpoint list for a registry. Containerd does not support listing the same endpoint multiple times as a mirror for a single upstream registry."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Docker and E2E Test Backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9707",children:"(#9707)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix wildcard entry upstream fallback ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9733",children:"(#9733)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.8-k3s1 and Go 1.21.8 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9746",children:"(#9746)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1287k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.7+k3s1",children:"v1.28.7+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.7, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1286",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1286k3s2",children:"Changes since v1.28.6+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Chore: bump Local Path Provisioner version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9426",children:"(#9426)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump cri-dockerd to fix compat with Docker Engine 25 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9293",children:"(#9293)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Auto Dependency Bump ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9419",children:"(#9419)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Runtimes refactor using exec.LookPath ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9431",children:"(#9431)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Directories containing runtimes need to be included in the $PATH environment variable for effective runtime detection."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Changed how lastHeartBeatTime works in the etcd condition ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9424",children:"(#9424)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Flannel v0.24.2 + remove multiclustercidr ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9401",children:"(#9401)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow executors to define containerd and docker behavior ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9254",children:"(#9254)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kube-router to v2.0.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9404",children:"(#9404)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-02 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9462",children:"(#9462)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Enable longer http timeout requests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9444",children:"(#9444)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Test_UnitApplyContainerdQoSClassConfigFileIfPresent ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9440",children:"(#9440)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Support PR testing installs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9469",children:"(#9469)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.28.7 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9492",children:"(#9492)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix drone publish for arm ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9508",children:"(#9508)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove failing Drone step ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9516",children:"(#9516)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Restore original order of agent startup functions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9545",children:"(#9545)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix netpol startup when flannel is disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9578",children:"(#9578)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1286k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.6+k3s2",children:"v1.28.6+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.6, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1285",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.p,{children:(0,r.jsx)(s.strong,{children:"Important Notes"})}),"\n",(0,r.jsxs)(s.p,{children:["Addresses the runc CVE: ",(0,r.jsx)(s.a,{href:"https://nvd.nist.gov/vuln/detail/CVE-2024-21626",children:"CVE-2024-21626"})," by updating runc to v1.1.12."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1285k3s1",children:"Changes since v1.28.5+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add a retry around updating a secrets-encrypt node annotations ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9125",children:"(#9125)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Wait for taint to be gone in the node before starting the netpol controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9175",children:"(#9175)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Etcd condition ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9181",children:"(#9181)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-01 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9203",children:"(#9203)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Pin opa version for missing dependency chain ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9216",children:"(#9216)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added support for env *_PROXY variables for agent loadbalancer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9206",children:"(#9206)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Etcd node is nil ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9228",children:"(#9228)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.6 and Go 1.20.13 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9260",children:"(#9260)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use ",(0,r.jsx)(s.code,{children:"ipFamilyPolicy: RequireDualStack"})," for dual-stack kube-dns ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9269",children:"(#9269)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-01 k3s2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9336",children:"(#9336)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump runc to v1.1.12 and helm-controller to v0.15.7"}),"\n",(0,r.jsx)(s.li,{children:"Fix handling of bare hostname or IP as endpoint address in registries.yaml"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump helm-controller to fix issue with ChartContent ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9346",children:"(#9346)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1285k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.5+k3s1",children:"v1.28.5+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.5, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1284",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1284k3s1",children:"Changes since v1.28.4+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Remove s390x steps temporarily since runners are disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8983",children:"(#8983)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove s390x from manifest ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8998",children:"(#8998)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix overlapping address range ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8913",children:"(#8913)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Modify CONTRIBUTING.md guide ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8954",children:"(#8954)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Nov 2023 stable channel update ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9022",children:"(#9022)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Default runtime and runtime classes for wasm/nvidia/crun ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8936",children:"(#8936)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Added runtime classes for wasm/nvidia/crun"}),"\n",(0,r.jsx)(s.li,{children:"Added default runtime flag for containerd"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd/runc to v1.7.10-k3s1/v1.1.10 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8962",children:"(#8962)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow setting default-runtime on servers ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9027",children:"(#9027)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd to v1.7.11 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9040",children:"(#9040)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.5-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9081",children:"(#9081)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1284k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.4+k3s2",children:"v1.28.4+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.4, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1283",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1283k3s2",children:"Changes since v1.28.3+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update channels latest to v1.27.7+k3s2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8799",children:"(#8799)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add etcd status condition ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8724",children:"(#8724)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Now the user can see the etcd status from each node in a simple way"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["ADR for etcd status ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8355",children:"(#8355)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Wasm shims detection ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8751",children:"(#8751)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Automatic discovery of WebAssembly runtimes"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add warning for removal of multiclustercidr flag ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8758",children:"(#8758)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Improve dualStack log ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8798",children:"(#8798)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Optimize: Simplify and clean up Dockerfile ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8244",children:"(#8244)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add: timezone info in image ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8764",children:"(#8764)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["New timezone info in Docker image allows the use of ",(0,r.jsx)(s.code,{children:"spec.timeZone"})," in CronJobs"]}),"\n"]}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump kine to fix nats, postgres, and watch issues ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8778",children:"(#8778)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bumped kine to v0.11.0 to resolve issues with postgres and NATS, fix performance of watch channels under heavy load, and improve compatibility with the reference implementation."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["QoS-class resource configuration ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8726",children:"(#8726)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Containerd may now be configured to use rdt or blockio configuration by defining ",(0,r.jsx)(s.code,{children:"rdt_config.yaml"})," or ",(0,r.jsx)(s.code,{children:"blockio_config.yaml"})," files."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add agent flag disable-apiserver-lb ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8717",children:"(#8717)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Add agent flag disable-apiserver-lb, agent will not start load balance proxy."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Force umount for NFS mount (like with longhorn) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8521",children:"(#8521)"})]}),"\n",(0,r.jsxs)(s.li,{children:["General updates to README ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8786",children:"(#8786)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix wrong warning from restorecon in install script ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8871",children:"(#8871)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue with snapshot metadata configmap ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8835",children:"(#8835)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Omit snapshot list configmap entries for snapshots without extra metadata"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Skip initial datastore reconcile during cluster-reset ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8861",children:"(#8861)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Tweaked order of ingress IPs in ServiceLB ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8711",children:"(#8711)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Improved ingress IP ordering from ServiceLB"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Disable helm CRD installation for disable-helm-controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8702",children:"(#8702)"})]}),"\n",(0,r.jsxs)(s.li,{children:["More improves for K3s patch release docs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8800",children:"(#8800)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update install.sh sha256sum ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8885",children:"(#8885)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add jitter to client config retry to avoid hammering servers when they are starting up ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8863",children:"(#8863)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Handle nil pointer when runtime core is not ready in etcd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8886",children:"(#8886)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump dynamiclistener; reduce snapshot controller log spew ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8894",children:"(#8894)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bumped dynamiclistener to address a race condition that could cause a server to fail to sync its certificates into the Kubernetes secret"}),"\n",(0,r.jsx)(s.li,{children:"Reduced etcd snapshot log spam during initial cluster startup"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Remove depends_on for e2e step; fix cert rotate e2e ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8906",children:"(#8906)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix etcd snapshot S3 issues ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8926",children:"(#8926)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Don't apply S3 retention if S3 client failed to initialize"}),"\n",(0,r.jsx)(s.li,{children:"Don't request metadata when listing S3 snapshots"}),"\n",(0,r.jsx)(s.li,{children:"Print key instead of file path in snapshot metadata log message"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.4 and Go to v1.20.11 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8920",children:"(#8920)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove s390x steps temporarily since runners are disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8983",children:"(#8983)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove s390x from manifest ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8998",children:"(#8998)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1283k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.3+k3s2",children:"v1.28.3+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.3, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1283",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1283k3s1",children:"Changes since v1.28.3+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Restore selinux context systemd unit file ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8593",children:"(#8593)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update channel to v1.27.7+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8753",children:"(#8753)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Sonobuoy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8710",children:"(#8710)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8739",children:"(#8739)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix: Access outer scope .SystemdCgroup ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8761",children:"(#8761)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed failing to start with nvidia-container-runtime"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Upgrade traefik chart to v25.0.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8771",children:"(#8771)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update traefik to fix registry value ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8792",children:"(#8792)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Don't use iptables-save/iptables-restore if it will corrupt rules ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8795",children:"(#8795)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1283k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.3+k3s1",children:"v1.28.3+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.3, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1282",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1282k3s1",children:"Changes since v1.28.2+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix error reporting ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8250",children:"(#8250)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add context to flannel errors ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8284",children:"(#8284)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update channel, September patch release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8397",children:"(#8397)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add missing link to drone in documentation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8295",children:"(#8295)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Include the interface name in the error message ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8346",children:"(#8346)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add extraArgs to vpn provider ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8354",children:"(#8354)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Allow to pass extra args to the vpn provider"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Disable HTTP on main etcd client port ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8402",children:"(#8402)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Embedded etcd no longer serves http requests on the client port, only grpc. This addresses a performance issue that could cause watch stream starvation under load. For more information, see ",(0,r.jsx)(s.a,{href:"https://github.com/etcd-io/etcd/issues/15402",children:"https://github.com/etcd-io/etcd/issues/15402"})]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Server token rotation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8215",children:"(#8215)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issues with etcd member removal after reset ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8392",children:"(#8392)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed an issue that could cause k3s to attempt to remove members from the etcd cluster immediately following a cluster-reset/restore, if they were queued for removal at the time the snapshot was taken."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix gofmt error ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8439",children:"(#8439)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added advertise address integration test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8344",children:"(#8344)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added cluster reset from non bootstrap nodes on snapshot restore e2e test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8292",children:"(#8292)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix .github regex to skip drone runs on gh action bumps ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8433",children:"(#8433)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added error when cluster reset while using server flag ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8385",children:"(#8385)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The user will receive a error when --cluster-reset with the --server flag"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8423",children:"(#8423)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Update kube-router to v2.0.0-rc7 to fix performance issues"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add SHA256 signatures of the install script ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8312",children:"(#8312)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Add SHA256 signatures of the install script."}),"\n"]}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add --image-service-endpoint flag ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8279",children:"(#8279)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add ",(0,r.jsx)(s.code,{children:"--image-service-endpoint"})," flag to specify an external image service socket."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Don't ignore assets in home dir if system assets exist ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8458",children:"(#8458)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Pass SystemdCgroup setting through to nvidia runtime options ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8470",children:"(#8470)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed issue that would cause pods using nvidia container runtime to be killed after a few seconds, when using newer versions of nvidia-container-toolkit."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Improve release docs - updated ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8414",children:"(#8414)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Take IPFamily precedence based on order ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8460",children:"(#8460)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix spellcheck problem ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8507",children:"(#8507)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Network defaults are duplicated, remove one ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8523",children:"(#8523)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix slemicro check for selinux ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8526",children:"(#8526)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update install.sh.sha256sum ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8566",children:"(#8566)"})]}),"\n",(0,r.jsxs)(s.li,{children:["System agent push tags fix ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8568",children:"(#8568)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fixed tailscale node IP dualstack mode in case of IPv4 only node ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8524",children:"(#8524)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Server Token Rotation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8265",children:"(#8265)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Users can now rotate the server token using ",(0,r.jsx)(s.code,{children:"k3s token rotate -t --new-token "}),". After command succeeds, all server nodes must be restarted with the new token."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["E2E Domain Drone Cleanup ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8579",children:"(#8579)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd to v1.7.7-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8604",children:"(#8604)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump busybox to v1.36.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8602",children:"(#8602)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Migrate to using custom resource to store etcd snapshot metadata ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8064",children:"(#8064)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Switch build target from main.go to a package. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8342",children:"(#8342)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use IPv6 in case is the first configured IP with dualstack ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8581",children:"(#8581)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump traefik, golang.org/x/net, google.golang.org/grpc ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8624",children:"(#8624)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router package in build script ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8630",children:"(#8630)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add etcd-only/control-plane-only server test and fix control-plane-only server crash ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8638",children:"(#8638)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use ",(0,r.jsx)(s.code,{children:"version.Program"})," not K3s in token rotate logs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8653",children:"(#8653)"})]}),"\n",(0,r.jsxs)(s.li,{children:["[Windows Port ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7259",children:"(#7259)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix CloudDualStackNodeIPs feature-gate inconsistency ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8667",children:"(#8667)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Re-enable etcd endpoint auto-sync ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8675",children:"(#8675)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Manually requeue configmap reconcile when no nodes have reconciled snapshots ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8683",children:"(#8683)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.3 and Go to v1.20.10 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8682",children:"(#8682)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix s3 snapshot restore ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8729",children:"(#8729)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1282k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.2+k3s1",children:"v1.28.2+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.2, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1281",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1281k3s1",children:"Changes since v1.28.1+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update channel for version v1.28 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8305",children:"(#8305)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump kine to v0.10.3 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8323",children:"(#8323)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.2 and go v1.20.8 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8364",children:"(#8364)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump embedded containerd to v1.7.6"}),"\n",(0,r.jsx)(s.li,{children:"Bump embedded stargz-snapshotter plugin to latest"}),"\n",(0,r.jsx)(s.li,{children:"Fixed intermittent drone CI failures due to race conditions in test environment setup scripts"}),"\n",(0,r.jsx)(s.li,{children:"Fixed CI failures due to changes to api discovery changes in Kubernetes 1.28"}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1281k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.1+k3s1",children:"v1.28.1+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release is K3S's first in the v1.28 line. This release updates Kubernetes to v1.28.1."}),"\n",(0,r.jsx)(s.admonition,{title:"Important",type:"warning",children:(0,r.jsxs)(s.p,{children:["This release includes remediation for CVE-2023-32187, a potential Denial of Service attack vector on K3s servers. See ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2",children:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2"})," for more information, including documentation on changes in behavior that harden clusters against this vulnerability."]})}),"\n",(0,r.jsx)(s.admonition,{title:"Critical Regression",type:"danger",children:(0,r.jsxs)(s.p,{children:["Kubernetes v1.28 contains a critical regression (",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/issues/120247",children:"kubernetes/kubernetes#120247"}),") that causes init containers to run at the same time as app containers following a restart of the node. This issue will be fixed in v1.28.2. We do not recommend using K3s v1.28 at this time if your application depends on init containers."]})}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1270",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1275k3s1",children:"Changes since v1.27.5+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8239",children:"(#8239)"})]}),"\n",(0,r.jsxs)(s.li,{children:["CLI Removal for v1.28.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8203",children:"(#8203)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Secrets Encryption V3 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8111",children:"(#8111)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add new CLI flag to disable TLS SAN CN filtering ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8252",children:"(#8252)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Added a new ",(0,r.jsx)(s.code,{children:"--tls-san-security"})," option."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add RWMutex to address controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8268",children:"(#8268)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{})]})}function o(e={}){const{wrapper:s}={...(0,t.a)(),...e.components};return s?(0,r.jsx)(s,{...e,children:(0,r.jsx)(a,{...e})}):a(e)}},1151:(e,s,i)=>{i.d(s,{Z:()=>h,a:()=>l});var r=i(7294);const t={},n=r.createContext(t);function l(e){const s=r.useContext(n);return r.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function h(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:l(e.components),r.createElement(n.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/310030e7.2d105a0b.js b/kr/assets/js/310030e7.2d105a0b.js deleted file mode 100644 index 0c47ed19e..000000000 --- a/kr/assets/js/310030e7.2d105a0b.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[5749],{8235:(e,t,n)=>{n.r(t),n.d(t,{assets:()=>c,contentTitle:()=>o,default:()=>h,frontMatter:()=>i,metadata:()=>d,toc:()=>a});var s=n(5893),r=n(1151);const i={title:"token"},o="k3s token",d={id:"cli/token",title:"token",description:"K3s uses tokens to secure the node join process. Tokens authenticate the cluster to the joining node, and the node to the cluster.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/cli/token.md",sourceDirName:"cli",slug:"/cli/token",permalink:"/kr/cli/token",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/cli/token.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"token"},sidebar:"mySidebar",previous:{title:"secrets-encrypt",permalink:"/kr/cli/secrets-encrypt"},next:{title:"\uc544\ud0a4\ud14d\ucc98",permalink:"/kr/architecture"}},c={},a=[{value:"Token Format",id:"token-format",level:2},{value:"Secure",id:"secure",level:3},{value:"TLS Bootstrapping",id:"tls-bootstrapping",level:4},{value:"Short",id:"short",level:3},{value:"Token Types",id:"token-types",level:2},{value:"Server",id:"server",level:3},{value:"Agent",id:"agent",level:3},{value:"Bootstrap",id:"bootstrap",level:3},{value:"k3s token",id:"k3s-token-1",level:2},{value:"k3s token create [token]",id:"k3s-token-create-token",level:4},{value:"k3s token delete",id:"k3s-token-delete",level:4},{value:"k3s token generate",id:"k3s-token-generate",level:4},{value:"k3s token list",id:"k3s-token-list",level:4}];function l(e){const t={a:"a",admonition:"admonition",br:"br",code:"code",h1:"h1",h2:"h2",h3:"h3",h4:"h4",li:"li",ol:"ol",p:"p",pre:"pre",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,r.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(t.h1,{id:"k3s-token",children:"k3s token"}),"\n",(0,s.jsx)(t.p,{children:"K3s uses tokens to secure the node join process. Tokens authenticate the cluster to the joining node, and the node to the cluster."}),"\n",(0,s.jsx)(t.h2,{id:"token-format",children:"Token Format"}),"\n",(0,s.jsx)(t.p,{children:"K3s tokens can be specified in either secure or short format. The secure format is preferred, as it enables the client to authenticate the identity of the cluster it is joining, before sending credentials."}),"\n",(0,s.jsx)(t.h3,{id:"secure",children:"Secure"}),"\n",(0,s.jsx)(t.p,{children:'The secure token format (occasionally referred to as a "full" token) contains the following parts:'}),"\n",(0,s.jsx)(t.p,{children:(0,s.jsx)(t.code,{children:"::"})}),"\n",(0,s.jsxs)(t.ul,{children:["\n",(0,s.jsxs)(t.li,{children:[(0,s.jsx)(t.code,{children:"prefix"}),": a fixed ",(0,s.jsx)(t.code,{children:"K10"})," prefix that identifies the token format"]}),"\n",(0,s.jsxs)(t.li,{children:[(0,s.jsx)(t.code,{children:"cluster CA hash"}),": The hash of the cluster's server CA certificate, used to authenticate the server to the joining node.","\n",(0,s.jsxs)(t.ul,{children:["\n",(0,s.jsx)(t.li,{children:"For self-signed CA certificates, this is the SHA256 sum of the PEM-formatted certificate, as stored on disk."}),"\n",(0,s.jsx)(t.li,{children:"For custom CA certificates, this is the SHA256 sum of the DER encoding of the root certificate; commonly known as the certificate fingerprint."}),"\n"]}),"\n"]}),"\n",(0,s.jsxs)(t.li,{children:[(0,s.jsx)(t.code,{children:"credentials"}),": The username and password, or bearer token, used to authenticate the joining node to the cluster."]}),"\n"]}),"\n",(0,s.jsx)(t.h4,{id:"tls-bootstrapping",children:"TLS Bootstrapping"}),"\n",(0,s.jsx)(t.p,{children:"When a secure token is specified, the joining node performs the following steps to validate the identity of the server it has connected to, before transmitting credentials:"}),"\n",(0,s.jsxs)(t.ol,{children:["\n",(0,s.jsxs)(t.li,{children:["With TLS verification disabled, download the CA bundle from ",(0,s.jsx)(t.code,{children:"/cacerts"})," on the server it is joining."]}),"\n",(0,s.jsx)(t.li,{children:"Calculate the SHA256 hash of the CA certificate, as described above."}),"\n",(0,s.jsx)(t.li,{children:"Compare the calculated SHA256 hash to the hash from the token."}),"\n",(0,s.jsx)(t.li,{children:"If the hash matches, validate that the certificate presented by the server can be validated by the server's CA bundle."}),"\n",(0,s.jsx)(t.li,{children:"If the server certificate is valid, present credentials to join the cluster using either basic or bearer token authentication, depending on the token type."}),"\n"]}),"\n",(0,s.jsx)(t.h3,{id:"short",children:"Short"}),"\n",(0,s.jsx)(t.p,{children:"The short token format includes only the password or bearer token used to authenticate the joining node to the cluster."}),"\n",(0,s.jsxs)(t.p,{children:["If a short token is used, the joining node implicitly trusts the CA bundle presented by the server; steps 2-4 in the TLS Bootstrapping process are skipped. The initial connection may be vulnerable to ",(0,s.jsx)(t.a,{href:"https://en.wikipedia.org/wiki/Man-in-the-middle_attack",children:"man-in-the-middle"})," attack."]}),"\n",(0,s.jsx)(t.h2,{id:"token-types",children:"Token Types"}),"\n",(0,s.jsx)(t.p,{children:"K3s supports three types of tokens. Only the server token is available by default; additional token types must be configured or created by the administrator."}),"\n",(0,s.jsxs)(t.table,{children:[(0,s.jsx)(t.thead,{children:(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.th,{children:"Type"}),(0,s.jsx)(t.th,{children:"CLI Option"}),(0,s.jsx)(t.th,{children:"Environment Variable"})]})}),(0,s.jsxs)(t.tbody,{children:[(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"Server"}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"--token"})}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"K3S_TOKEN"})})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"Agent"}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"--agent-token"})}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"K3S_AGENT_TOKEN"})})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"Bootstrap"}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"n/a"})}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"n/a"})})]})]})]}),"\n",(0,s.jsx)(t.h3,{id:"server",children:"Server"}),"\n",(0,s.jsxs)(t.p,{children:["If no token is provided when starting the first server in the cluster, one is created with a random password. The server token is always written to ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/token"}),", in secure format."]}),"\n",(0,s.jsx)(t.p,{children:"The server token can be used to join both server and agent nodes to the cluster. It cannot be changed once the cluster has been created, and anyone with access to the server token essentially has full administrator access to the cluster. This token should be guarded carefully."}),"\n",(0,s.jsxs)(t.p,{children:["The server token is also used as the ",(0,s.jsx)(t.a,{href:"https://en.wikipedia.org/wiki/PBKDF2",children:"PBKDF2"})," passphrase for the key used to encrypt confidential information that is persisted to the datastore, such as the secrets-encryption configuration, wireguard keys, and private keys for cluster CA certificates and service-account tokens. For this reason, the token must be backed up alongside the cluster datastore itself."]}),"\n",(0,s.jsx)(t.admonition,{type:"warning",children:(0,s.jsx)(t.p,{children:"Unless custom CA certificates are in use, only the short (password-only) token format can be used when starting the first server in the cluster. This is because the cluster CA hash cannot be known until after the server has generated the self-signed cluster CA certificates."})}),"\n",(0,s.jsxs)(t.p,{children:["For more information on using custom CA certificates, see the ",(0,s.jsxs)(t.a,{href:"/kr/cli/certificate",children:[(0,s.jsx)(t.code,{children:"k3s certificate"})," documentation"]}),".",(0,s.jsx)(t.br,{}),"\n","For more information on backing up your cluster, see the ",(0,s.jsx)(t.a,{href:"/kr/datastore/backup-restore",children:"Backup and Restore"})," documentation."]}),"\n",(0,s.jsx)(t.h3,{id:"agent",children:"Agent"}),"\n",(0,s.jsx)(t.p,{children:"By default, the agent token is the same as the server token. The agent token can be set before or after the cluster has been started, by changing the CLI option or environment variable on all servers in the cluster. The agent token is similar to the server token in that is it statically configured, and does not expire."}),"\n",(0,s.jsxs)(t.p,{children:["The agent token is written to ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/agent-token"}),", in secure format. If no agent token is specified, this file is a link to the server token."]}),"\n",(0,s.jsx)(t.h3,{id:"bootstrap",children:"Bootstrap"}),"\n",(0,s.jsx)(t.admonition,{title:"Version Gate",type:"info",children:(0,s.jsxs)(t.p,{children:["Support for the ",(0,s.jsx)(t.code,{children:"k3s token"})," command and the ability to join nodes with bootstrap tokens is available starting with the 2023-02 releases (v1.26.2+k3s1, v1.25.7+k3s1, v1.24.11+k3s1, v1.23.17+k3s1)."]})}),"\n",(0,s.jsx)(t.p,{children:"K3s supports dynamically generated, automatically expiring agent bootstrap tokens. Bootstrap tokens can only be used to join agents."}),"\n",(0,s.jsx)(t.h2,{id:"k3s-token-1",children:"k3s token"}),"\n",(0,s.jsxs)(t.p,{children:["K3s bootstrap tokens use the same generation and validation code as ",(0,s.jsx)(t.code,{children:"kubeadm token"})," bootstrap tokens, and the ",(0,s.jsx)(t.code,{children:"k3s token"})," CLI is similar."]}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{children:"NAME:\n k3s token - Manage bootstrap tokens\n\nUSAGE:\n k3s token command [command options] [arguments...]\n\nCOMMANDS:\n create Create bootstrap tokens on the server\n delete Delete bootstrap tokens on the server\n generate Generate and print a bootstrap token, but do not create it on the server\n list List bootstrap tokens on the server\n\nOPTIONS:\n --help, -h show help\n"})}),"\n",(0,s.jsx)(t.h4,{id:"k3s-token-create-token",children:(0,s.jsx)(t.code,{children:"k3s token create [token]"})}),"\n",(0,s.jsxs)(t.p,{children:["Create a new token. The ",(0,s.jsx)(t.code,{children:"[token]"})," is the actual token to write, as generated by ",(0,s.jsx)(t.code,{children:"k3s token generate"}),". If no token is given, a random one will be generated."]}),"\n",(0,s.jsx)(t.p,{children:"A token in secure format, including the cluster CA hash, will be written to stdout. The output of this command should be saved, as the secret portion of the token cannot be shown again."}),"\n",(0,s.jsxs)(t.table,{children:[(0,s.jsx)(t.thead,{children:(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.th,{children:"Flag"}),(0,s.jsx)(t.th,{children:"Description"})]})}),(0,s.jsxs)(t.tbody,{children:[(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--data-dir"})," value"]}),(0,s.jsx)(t.td,{children:"(data) Folder to hold state default /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--kubeconfig"})," value"]}),(0,s.jsx)(t.td,{children:"(cluster) Server to connect to [$KUBECONFIG]"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--description"})," value"]}),(0,s.jsx)(t.td,{children:"A human friendly description of how this token is used"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--groups"})," value"]}),(0,s.jsxs)(t.td,{children:['Extra groups that this token will authenticate as when used for authentication. (default: Default: "system:bootstrappers:k3s',":default-node-token",'")']})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--ttl"})," value"]}),(0,s.jsx)(t.td,{children:"The duration before the token is automatically deleted (e.g. 1s, 2m, 3h). If set to '0', the token will never expire (default: 24h0m0s)"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--usages"})," value"]}),(0,s.jsx)(t.td,{children:'Describes the ways in which this token can be used. (default: "signing,authentication")'})]})]})]}),"\n",(0,s.jsx)(t.h4,{id:"k3s-token-delete",children:(0,s.jsx)(t.code,{children:"k3s token delete"})}),"\n",(0,s.jsx)(t.p,{children:"Delete one or more tokens. The full token can be provided, or just the token ID."}),"\n",(0,s.jsxs)(t.table,{children:[(0,s.jsx)(t.thead,{children:(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.th,{children:"Flag"}),(0,s.jsx)(t.th,{children:"Description"})]})}),(0,s.jsxs)(t.tbody,{children:[(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--data-dir"})," value"]}),(0,s.jsx)(t.td,{children:"(data) Folder to hold state default /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--kubeconfig"})," value"]}),(0,s.jsx)(t.td,{children:"(cluster) Server to connect to [$KUBECONFIG]"})]})]})]}),"\n",(0,s.jsx)(t.h4,{id:"k3s-token-generate",children:(0,s.jsx)(t.code,{children:"k3s token generate"})}),"\n",(0,s.jsx)(t.p,{children:"Generate a randomly-generated bootstrap token."}),"\n",(0,s.jsxs)(t.p,{children:["You don't have to use this command in order to generate a token. You can do so yourself as long as it is in the format \"[a-z0-9]",6,".[a-z0-9]",16,'", where the first portion is the token ID, and the second portion is the secret.']}),"\n",(0,s.jsxs)(t.table,{children:[(0,s.jsx)(t.thead,{children:(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.th,{children:"Flag"}),(0,s.jsx)(t.th,{children:"Description"})]})}),(0,s.jsxs)(t.tbody,{children:[(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--data-dir"})," value"]}),(0,s.jsx)(t.td,{children:"(data) Folder to hold state default /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--kubeconfig"})," value"]}),(0,s.jsx)(t.td,{children:"(cluster) Server to connect to [$KUBECONFIG]"})]})]})]}),"\n",(0,s.jsx)(t.h4,{id:"k3s-token-list",children:(0,s.jsx)(t.code,{children:"k3s token list"})}),"\n",(0,s.jsx)(t.p,{children:"List bootstrap tokens, showing their ID, description, and remaining time-to-live."}),"\n",(0,s.jsxs)(t.table,{children:[(0,s.jsx)(t.thead,{children:(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.th,{children:"Flag"}),(0,s.jsx)(t.th,{children:"Description"})]})}),(0,s.jsxs)(t.tbody,{children:[(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--data-dir"})," value"]}),(0,s.jsx)(t.td,{children:"(data) Folder to hold state default /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--kubeconfig"})," value"]}),(0,s.jsx)(t.td,{children:"(cluster) Server to connect to [$KUBECONFIG]"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--output"})," value"]}),(0,s.jsx)(t.td,{children:'Output format. Valid options: text, json (default: "text")'})]})]})]})]})}function h(e={}){const{wrapper:t}={...(0,r.a)(),...e.components};return t?(0,s.jsx)(t,{...e,children:(0,s.jsx)(l,{...e})}):l(e)}},1151:(e,t,n)=>{n.d(t,{Z:()=>d,a:()=>o});var s=n(7294);const r={},i=s.createContext(r);function o(e){const t=s.useContext(i);return s.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function d(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:o(e.components),s.createElement(i.Provider,{value:t},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/310030e7.d99bd5f3.js b/kr/assets/js/310030e7.d99bd5f3.js new file mode 100644 index 000000000..3982e5c55 --- /dev/null +++ b/kr/assets/js/310030e7.d99bd5f3.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[5749],{8235:(e,t,n)=>{n.r(t),n.d(t,{assets:()=>c,contentTitle:()=>o,default:()=>h,frontMatter:()=>i,metadata:()=>d,toc:()=>a});var s=n(5893),r=n(1151);const i={title:"token"},o="k3s token",d={id:"cli/token",title:"token",description:"K3s uses tokens to secure the node join process. Tokens authenticate the cluster to the joining node, and the node to the cluster.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/cli/token.md",sourceDirName:"cli",slug:"/cli/token",permalink:"/kr/cli/token",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/cli/token.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"token"},sidebar:"mySidebar",previous:{title:"secrets-encrypt",permalink:"/kr/cli/secrets-encrypt"},next:{title:"\uc544\ud0a4\ud14d\ucc98",permalink:"/kr/architecture"}},c={},a=[{value:"Token Format",id:"token-format",level:2},{value:"Secure",id:"secure",level:3},{value:"TLS Bootstrapping",id:"tls-bootstrapping",level:4},{value:"Short",id:"short",level:3},{value:"Token Types",id:"token-types",level:2},{value:"Server",id:"server",level:3},{value:"Agent",id:"agent",level:3},{value:"Bootstrap",id:"bootstrap",level:3},{value:"k3s token",id:"k3s-token-1",level:2},{value:"k3s token create [token]",id:"k3s-token-create-token",level:4},{value:"k3s token delete",id:"k3s-token-delete",level:4},{value:"k3s token generate",id:"k3s-token-generate",level:4},{value:"k3s token list",id:"k3s-token-list",level:4}];function l(e){const t={a:"a",admonition:"admonition",br:"br",code:"code",h1:"h1",h2:"h2",h3:"h3",h4:"h4",header:"header",li:"li",ol:"ol",p:"p",pre:"pre",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,r.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(t.header,{children:(0,s.jsx)(t.h1,{id:"k3s-token",children:"k3s token"})}),"\n",(0,s.jsx)(t.p,{children:"K3s uses tokens to secure the node join process. Tokens authenticate the cluster to the joining node, and the node to the cluster."}),"\n",(0,s.jsx)(t.h2,{id:"token-format",children:"Token Format"}),"\n",(0,s.jsx)(t.p,{children:"K3s tokens can be specified in either secure or short format. The secure format is preferred, as it enables the client to authenticate the identity of the cluster it is joining, before sending credentials."}),"\n",(0,s.jsx)(t.h3,{id:"secure",children:"Secure"}),"\n",(0,s.jsx)(t.p,{children:'The secure token format (occasionally referred to as a "full" token) contains the following parts:'}),"\n",(0,s.jsx)(t.p,{children:(0,s.jsx)(t.code,{children:"::"})}),"\n",(0,s.jsxs)(t.ul,{children:["\n",(0,s.jsxs)(t.li,{children:[(0,s.jsx)(t.code,{children:"prefix"}),": a fixed ",(0,s.jsx)(t.code,{children:"K10"})," prefix that identifies the token format"]}),"\n",(0,s.jsxs)(t.li,{children:[(0,s.jsx)(t.code,{children:"cluster CA hash"}),": The hash of the cluster's server CA certificate, used to authenticate the server to the joining node.","\n",(0,s.jsxs)(t.ul,{children:["\n",(0,s.jsx)(t.li,{children:"For self-signed CA certificates, this is the SHA256 sum of the PEM-formatted certificate, as stored on disk."}),"\n",(0,s.jsx)(t.li,{children:"For custom CA certificates, this is the SHA256 sum of the DER encoding of the root certificate; commonly known as the certificate fingerprint."}),"\n"]}),"\n"]}),"\n",(0,s.jsxs)(t.li,{children:[(0,s.jsx)(t.code,{children:"credentials"}),": The username and password, or bearer token, used to authenticate the joining node to the cluster."]}),"\n"]}),"\n",(0,s.jsx)(t.h4,{id:"tls-bootstrapping",children:"TLS Bootstrapping"}),"\n",(0,s.jsx)(t.p,{children:"When a secure token is specified, the joining node performs the following steps to validate the identity of the server it has connected to, before transmitting credentials:"}),"\n",(0,s.jsxs)(t.ol,{children:["\n",(0,s.jsxs)(t.li,{children:["With TLS verification disabled, download the CA bundle from ",(0,s.jsx)(t.code,{children:"/cacerts"})," on the server it is joining."]}),"\n",(0,s.jsx)(t.li,{children:"Calculate the SHA256 hash of the CA certificate, as described above."}),"\n",(0,s.jsx)(t.li,{children:"Compare the calculated SHA256 hash to the hash from the token."}),"\n",(0,s.jsx)(t.li,{children:"If the hash matches, validate that the certificate presented by the server can be validated by the server's CA bundle."}),"\n",(0,s.jsx)(t.li,{children:"If the server certificate is valid, present credentials to join the cluster using either basic or bearer token authentication, depending on the token type."}),"\n"]}),"\n",(0,s.jsx)(t.h3,{id:"short",children:"Short"}),"\n",(0,s.jsx)(t.p,{children:"The short token format includes only the password or bearer token used to authenticate the joining node to the cluster."}),"\n",(0,s.jsxs)(t.p,{children:["If a short token is used, the joining node implicitly trusts the CA bundle presented by the server; steps 2-4 in the TLS Bootstrapping process are skipped. The initial connection may be vulnerable to ",(0,s.jsx)(t.a,{href:"https://en.wikipedia.org/wiki/Man-in-the-middle_attack",children:"man-in-the-middle"})," attack."]}),"\n",(0,s.jsx)(t.h2,{id:"token-types",children:"Token Types"}),"\n",(0,s.jsx)(t.p,{children:"K3s supports three types of tokens. Only the server token is available by default; additional token types must be configured or created by the administrator."}),"\n",(0,s.jsxs)(t.table,{children:[(0,s.jsx)(t.thead,{children:(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.th,{children:"Type"}),(0,s.jsx)(t.th,{children:"CLI Option"}),(0,s.jsx)(t.th,{children:"Environment Variable"})]})}),(0,s.jsxs)(t.tbody,{children:[(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"Server"}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"--token"})}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"K3S_TOKEN"})})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"Agent"}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"--agent-token"})}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"K3S_AGENT_TOKEN"})})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"Bootstrap"}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"n/a"})}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"n/a"})})]})]})]}),"\n",(0,s.jsx)(t.h3,{id:"server",children:"Server"}),"\n",(0,s.jsxs)(t.p,{children:["If no token is provided when starting the first server in the cluster, one is created with a random password. The server token is always written to ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/token"}),", in secure format."]}),"\n",(0,s.jsx)(t.p,{children:"The server token can be used to join both server and agent nodes to the cluster. It cannot be changed once the cluster has been created, and anyone with access to the server token essentially has full administrator access to the cluster. This token should be guarded carefully."}),"\n",(0,s.jsxs)(t.p,{children:["The server token is also used as the ",(0,s.jsx)(t.a,{href:"https://en.wikipedia.org/wiki/PBKDF2",children:"PBKDF2"})," passphrase for the key used to encrypt confidential information that is persisted to the datastore, such as the secrets-encryption configuration, wireguard keys, and private keys for cluster CA certificates and service-account tokens. For this reason, the token must be backed up alongside the cluster datastore itself."]}),"\n",(0,s.jsx)(t.admonition,{type:"warning",children:(0,s.jsx)(t.p,{children:"Unless custom CA certificates are in use, only the short (password-only) token format can be used when starting the first server in the cluster. This is because the cluster CA hash cannot be known until after the server has generated the self-signed cluster CA certificates."})}),"\n",(0,s.jsxs)(t.p,{children:["For more information on using custom CA certificates, see the ",(0,s.jsxs)(t.a,{href:"/kr/cli/certificate",children:[(0,s.jsx)(t.code,{children:"k3s certificate"})," documentation"]}),".",(0,s.jsx)(t.br,{}),"\n","For more information on backing up your cluster, see the ",(0,s.jsx)(t.a,{href:"/kr/datastore/backup-restore",children:"Backup and Restore"})," documentation."]}),"\n",(0,s.jsx)(t.h3,{id:"agent",children:"Agent"}),"\n",(0,s.jsx)(t.p,{children:"By default, the agent token is the same as the server token. The agent token can be set before or after the cluster has been started, by changing the CLI option or environment variable on all servers in the cluster. The agent token is similar to the server token in that is it statically configured, and does not expire."}),"\n",(0,s.jsxs)(t.p,{children:["The agent token is written to ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/agent-token"}),", in secure format. If no agent token is specified, this file is a link to the server token."]}),"\n",(0,s.jsx)(t.h3,{id:"bootstrap",children:"Bootstrap"}),"\n",(0,s.jsx)(t.admonition,{title:"Version Gate",type:"info",children:(0,s.jsxs)(t.p,{children:["Support for the ",(0,s.jsx)(t.code,{children:"k3s token"})," command and the ability to join nodes with bootstrap tokens is available starting with the 2023-02 releases (v1.26.2+k3s1, v1.25.7+k3s1, v1.24.11+k3s1, v1.23.17+k3s1)."]})}),"\n",(0,s.jsx)(t.p,{children:"K3s supports dynamically generated, automatically expiring agent bootstrap tokens. Bootstrap tokens can only be used to join agents."}),"\n",(0,s.jsx)(t.h2,{id:"k3s-token-1",children:"k3s token"}),"\n",(0,s.jsxs)(t.p,{children:["K3s bootstrap tokens use the same generation and validation code as ",(0,s.jsx)(t.code,{children:"kubeadm token"})," bootstrap tokens, and the ",(0,s.jsx)(t.code,{children:"k3s token"})," CLI is similar."]}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{children:"NAME:\n k3s token - Manage bootstrap tokens\n\nUSAGE:\n k3s token command [command options] [arguments...]\n\nCOMMANDS:\n create Create bootstrap tokens on the server\n delete Delete bootstrap tokens on the server\n generate Generate and print a bootstrap token, but do not create it on the server\n list List bootstrap tokens on the server\n\nOPTIONS:\n --help, -h show help\n"})}),"\n",(0,s.jsx)(t.h4,{id:"k3s-token-create-token",children:(0,s.jsx)(t.code,{children:"k3s token create [token]"})}),"\n",(0,s.jsxs)(t.p,{children:["Create a new token. The ",(0,s.jsx)(t.code,{children:"[token]"})," is the actual token to write, as generated by ",(0,s.jsx)(t.code,{children:"k3s token generate"}),". If no token is given, a random one will be generated."]}),"\n",(0,s.jsx)(t.p,{children:"A token in secure format, including the cluster CA hash, will be written to stdout. The output of this command should be saved, as the secret portion of the token cannot be shown again."}),"\n",(0,s.jsxs)(t.table,{children:[(0,s.jsx)(t.thead,{children:(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.th,{children:"Flag"}),(0,s.jsx)(t.th,{children:"Description"})]})}),(0,s.jsxs)(t.tbody,{children:[(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--data-dir"})," value"]}),(0,s.jsx)(t.td,{children:"(data) Folder to hold state default /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--kubeconfig"})," value"]}),(0,s.jsx)(t.td,{children:"(cluster) Server to connect to [$KUBECONFIG]"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--description"})," value"]}),(0,s.jsx)(t.td,{children:"A human friendly description of how this token is used"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--groups"})," value"]}),(0,s.jsxs)(t.td,{children:['Extra groups that this token will authenticate as when used for authentication. (default: Default: "system:bootstrappers:k3s',":default-node-token",'")']})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--ttl"})," value"]}),(0,s.jsx)(t.td,{children:"The duration before the token is automatically deleted (e.g. 1s, 2m, 3h). If set to '0', the token will never expire (default: 24h0m0s)"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--usages"})," value"]}),(0,s.jsx)(t.td,{children:'Describes the ways in which this token can be used. (default: "signing,authentication")'})]})]})]}),"\n",(0,s.jsx)(t.h4,{id:"k3s-token-delete",children:(0,s.jsx)(t.code,{children:"k3s token delete"})}),"\n",(0,s.jsx)(t.p,{children:"Delete one or more tokens. The full token can be provided, or just the token ID."}),"\n",(0,s.jsxs)(t.table,{children:[(0,s.jsx)(t.thead,{children:(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.th,{children:"Flag"}),(0,s.jsx)(t.th,{children:"Description"})]})}),(0,s.jsxs)(t.tbody,{children:[(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--data-dir"})," value"]}),(0,s.jsx)(t.td,{children:"(data) Folder to hold state default /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--kubeconfig"})," value"]}),(0,s.jsx)(t.td,{children:"(cluster) Server to connect to [$KUBECONFIG]"})]})]})]}),"\n",(0,s.jsx)(t.h4,{id:"k3s-token-generate",children:(0,s.jsx)(t.code,{children:"k3s token generate"})}),"\n",(0,s.jsx)(t.p,{children:"Generate a randomly-generated bootstrap token."}),"\n",(0,s.jsxs)(t.p,{children:["You don't have to use this command in order to generate a token. You can do so yourself as long as it is in the format \"[a-z0-9]",6,".[a-z0-9]",16,'", where the first portion is the token ID, and the second portion is the secret.']}),"\n",(0,s.jsxs)(t.table,{children:[(0,s.jsx)(t.thead,{children:(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.th,{children:"Flag"}),(0,s.jsx)(t.th,{children:"Description"})]})}),(0,s.jsxs)(t.tbody,{children:[(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--data-dir"})," value"]}),(0,s.jsx)(t.td,{children:"(data) Folder to hold state default /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--kubeconfig"})," value"]}),(0,s.jsx)(t.td,{children:"(cluster) Server to connect to [$KUBECONFIG]"})]})]})]}),"\n",(0,s.jsx)(t.h4,{id:"k3s-token-list",children:(0,s.jsx)(t.code,{children:"k3s token list"})}),"\n",(0,s.jsx)(t.p,{children:"List bootstrap tokens, showing their ID, description, and remaining time-to-live."}),"\n",(0,s.jsxs)(t.table,{children:[(0,s.jsx)(t.thead,{children:(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.th,{children:"Flag"}),(0,s.jsx)(t.th,{children:"Description"})]})}),(0,s.jsxs)(t.tbody,{children:[(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--data-dir"})," value"]}),(0,s.jsx)(t.td,{children:"(data) Folder to hold state default /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--kubeconfig"})," value"]}),(0,s.jsx)(t.td,{children:"(cluster) Server to connect to [$KUBECONFIG]"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--output"})," value"]}),(0,s.jsx)(t.td,{children:'Output format. Valid options: text, json (default: "text")'})]})]})]})]})}function h(e={}){const{wrapper:t}={...(0,r.a)(),...e.components};return t?(0,s.jsx)(t,{...e,children:(0,s.jsx)(l,{...e})}):l(e)}},1151:(e,t,n)=>{n.d(t,{Z:()=>d,a:()=>o});var s=n(7294);const r={},i=s.createContext(r);function o(e){const t=s.useContext(i);return s.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function d(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:o(e.components),s.createElement(i.Provider,{value:t},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/37e09f03.53592bcd.js b/kr/assets/js/37e09f03.53592bcd.js new file mode 100644 index 000000000..12d6d2c15 --- /dev/null +++ b/kr/assets/js/37e09f03.53592bcd.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[6328],{5288:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>o,contentTitle:()=>l,default:()=>p,frontMatter:()=>i,metadata:()=>a,toc:()=>c});var s=t(5893),r=t(1151);const i={title:"Stopping K3s"},l=void 0,a={id:"upgrades/killall",title:"Stopping K3s",description:"To allow high availability during upgrades, the K3s containers continue running when the K3s service is stopped.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/upgrades/killall.md",sourceDirName:"upgrades",slug:"/upgrades/killall",permalink:"/kr/upgrades/killall",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/upgrades/killall.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Stopping K3s"},sidebar:"mySidebar",previous:{title:"\uc5c5\uadf8\ub808\uc774\ub4dc",permalink:"/kr/upgrades/"},next:{title:"Manual Upgrades",permalink:"/kr/upgrades/manual"}},o={},c=[];function d(e){const n={code:"code",p:"p",pre:"pre",...(0,r.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(n.p,{children:"To allow high availability during upgrades, the K3s containers continue running when the K3s service is stopped."}),"\n",(0,s.jsxs)(n.p,{children:["To stop all of the K3s containers and reset the containerd state, the ",(0,s.jsx)(n.code,{children:"k3s-killall.sh"})," script can be used."]}),"\n",(0,s.jsx)(n.p,{children:"The killall script cleans up containers, K3s directories, and networking components while also removing the iptables chain with all the associated rules. The cluster data will not be deleted."}),"\n",(0,s.jsx)(n.p,{children:"To run the killall script from a server node, run:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"/usr/local/bin/k3s-killall.sh\n"})})]})}function p(e={}){const{wrapper:n}={...(0,r.a)(),...e.components};return n?(0,s.jsx)(n,{...e,children:(0,s.jsx)(d,{...e})}):d(e)}},1151:(e,n,t)=>{t.d(n,{Z:()=>a,a:()=>l});var s=t(7294);const r={},i=s.createContext(r);function l(e){const n=s.useContext(i);return s.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function a(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:l(e.components),s.createElement(i.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/37e09f03.d3c38896.js b/kr/assets/js/37e09f03.d3c38896.js deleted file mode 100644 index 1843598a7..000000000 --- a/kr/assets/js/37e09f03.d3c38896.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[6328],{5288:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>o,contentTitle:()=>l,default:()=>p,frontMatter:()=>i,metadata:()=>a,toc:()=>c});var s=t(5893),r=t(1151);const i={title:"Stopping K3s"},l=void 0,a={id:"upgrades/killall",title:"Stopping K3s",description:"To allow high availability during upgrades, the K3s containers continue running when the K3s service is stopped.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/upgrades/killall.md",sourceDirName:"upgrades",slug:"/upgrades/killall",permalink:"/kr/upgrades/killall",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/upgrades/killall.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Stopping K3s"},sidebar:"mySidebar",previous:{title:"\uc5c5\uadf8\ub808\uc774\ub4dc",permalink:"/kr/upgrades/"},next:{title:"Manual Upgrades",permalink:"/kr/upgrades/manual"}},o={},c=[];function d(e){const n={code:"code",p:"p",pre:"pre",...(0,r.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(n.p,{children:"To allow high availability during upgrades, the K3s containers continue running when the K3s service is stopped."}),"\n",(0,s.jsxs)(n.p,{children:["To stop all of the K3s containers and reset the containerd state, the ",(0,s.jsx)(n.code,{children:"k3s-killall.sh"})," script can be used."]}),"\n",(0,s.jsx)(n.p,{children:"The killall script cleans up containers, K3s directories, and networking components while also removing the iptables chain with all the associated rules. The cluster data will not be deleted."}),"\n",(0,s.jsx)(n.p,{children:"To run the killall script from a server node, run:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"/usr/local/bin/k3s-killall.sh\n"})})]})}function p(e={}){const{wrapper:n}={...(0,r.a)(),...e.components};return n?(0,s.jsx)(n,{...e,children:(0,s.jsx)(d,{...e})}):d(e)}},1151:(e,n,t)=>{t.d(n,{Z:()=>a,a:()=>l});var s=t(7294);const r={},i=s.createContext(r);function l(e){const n=s.useContext(i);return s.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function a(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:l(e.components),s.createElement(i.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/3f659917.9a56c135.js b/kr/assets/js/3f659917.9a56c135.js new file mode 100644 index 000000000..c8e086c29 --- /dev/null +++ b/kr/assets/js/3f659917.9a56c135.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[6278],{3595:(e,r,s)=>{s.r(r),s.d(r,{assets:()=>c,contentTitle:()=>a,default:()=>u,frontMatter:()=>i,metadata:()=>l,toc:()=>d});var n=s(5893),t=s(1151);const i={title:"\uc5c5\uadf8\ub808\uc774\ub4dc"},a=void 0,l={id:"upgrades/upgrades",title:"\uc5c5\uadf8\ub808\uc774\ub4dc",description:"K3s \ud074\ub7ec\uc2a4\ud130 \uc5c5\uadf8\ub808\uc774\ub4dc\ud558\uae30",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/upgrades/upgrades.md",sourceDirName:"upgrades",slug:"/upgrades/",permalink:"/kr/upgrades/",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/upgrades/upgrades.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"\uc5c5\uadf8\ub808\uc774\ub4dc"},sidebar:"mySidebar",previous:{title:"Cluster Load Balancer",permalink:"/kr/datastore/cluster-loadbalancer"},next:{title:"Stopping K3s",permalink:"/kr/upgrades/killall"}},c={},d=[{value:"K3s \ud074\ub7ec\uc2a4\ud130 \uc5c5\uadf8\ub808\uc774\ub4dc\ud558\uae30",id:"k3s-\ud074\ub7ec\uc2a4\ud130-\uc5c5\uadf8\ub808\uc774\ub4dc\ud558\uae30",level:3},{value:"\ubc84\uc804\ubcc4 \uc8fc\uc758\uc0ac\ud56d",id:"\ubc84\uc804\ubcc4-\uc8fc\uc758\uc0ac\ud56d",level:3}];function o(e){const r={a:"a",code:"code",h3:"h3",li:"li",p:"p",pre:"pre",strong:"strong",ul:"ul",...(0,t.a)(),...e.components};return(0,n.jsxs)(n.Fragment,{children:[(0,n.jsx)(r.h3,{id:"k3s-\ud074\ub7ec\uc2a4\ud130-\uc5c5\uadf8\ub808\uc774\ub4dc\ud558\uae30",children:"K3s \ud074\ub7ec\uc2a4\ud130 \uc5c5\uadf8\ub808\uc774\ub4dc\ud558\uae30"}),"\n",(0,n.jsxs)(r.p,{children:[(0,n.jsx)(r.a,{href:"/kr/upgrades/manual",children:"\uc218\ub3d9 \uc5c5\uadf8\ub808\uc774\ub4dc"}),"\uc5d0\uc11c\ub294 \ud074\ub7ec\uc2a4\ud130\ub97c \uc218\ub3d9\uc73c\ub85c \uc5c5\uadf8\ub808\uc774\ub4dc\ud558\ub294 \uba87 \uac00\uc9c0 \uae30\uc220\uc744 \uc124\uba85\ud569\ub2c8\ub2e4. \ub610\ud55c ",(0,n.jsx)(r.a,{href:"https://www.terraform.io/",children:"Terraform"}),"\uacfc \uac19\uc740 \ud0c0\uc0ac \ucf54\ub4dc\ud615 \uc778\ud504\ub77c \ub3c4\uad6c(Infrastructure-as-Code)\ub97c \ud1b5\ud55c \uc5c5\uadf8\ub808\uc774\ub4dc\uc758 \uae30\ucd08\ub85c \uc0ac\uc6a9\ud560 \uc218\ub3c4 \uc788\uc2b5\ub2c8\ub2e4."]}),"\n",(0,n.jsxs)(r.p,{children:[(0,n.jsx)(r.a,{href:"/kr/upgrades/automated",children:"\uc790\ub3d9 \uc5c5\uadf8\ub808\uc774\ub4dc"}),"\ub294 Rancher\uc758 ",(0,n.jsx)(r.a,{href:"https://github.com/rancher/system-upgrade-controller",children:"\uc2dc\uc2a4\ud15c-\uc5c5\uadf8\ub808\uc774\ub4dc-\ucee8\ud2b8\ub864\ub7ec(system-upgrade-controller)"}),"\ub97c \uc0ac\uc6a9\ud558\uc5ec \ucfe0\ubc84\ub124\ud2f0\uc2a4 \ub124\uc774\ud2f0\ube0c \uc790\ub3d9 \uc5c5\uadf8\ub808\uc774\ub4dc\ub97c \uc218\ud589\ud558\ub294 \ubc29\ubc95\uc744 \uc124\uba85\ud569\ub2c8\ub2e4."]}),"\n",(0,n.jsx)(r.h3,{id:"\ubc84\uc804\ubcc4-\uc8fc\uc758\uc0ac\ud56d",children:"\ubc84\uc804\ubcc4 \uc8fc\uc758\uc0ac\ud56d"}),"\n",(0,n.jsxs)(r.ul,{children:["\n",(0,n.jsxs)(r.li,{children:["\n",(0,n.jsxs)(r.p,{children:[(0,n.jsx)(r.strong,{children:"Traefik:"})," Traefik\uc774 \ube44\ud65c\uc131\ud654\ub418\uc9c0 \uc54a\uc740 \uacbd\uc6b0, K3s \ubc84\uc804 1.20 \uc774\ud558\uc5d0\uc11c\ub294 Traefik v1\uc774 \uc124\uce58\ub418\uace0, K3s \ubc84\uc804 1.21 \uc774\uc0c1\uc5d0\uc11c\ub294 v1\uc774 \uc5c6\ub294 \uacbd\uc6b0 Traefik v2\uac00 \uc124\uce58\ub429\ub2c8\ub2e4. \uad6c\ud615 Traefik v1\uc5d0\uc11c Traefik v2\ub85c \uc5c5\uadf8\ub808\uc774\ub4dc\ud558\ub824\uba74 ",(0,n.jsx)(r.a,{href:"https://doc.traefik.io/traefik/migration/v1-to-v2/",children:"Traefik \ubb38\uc11c"}),"\ub97c \ucc38\uc870\ud558\uc2dc\uace0 ",(0,n.jsx)(r.a,{href:"https://github.com/traefik/traefik-migration-tool",children:"\ub9c8\uc774\uadf8\ub808\uc774\uc158 \ub3c4\uad6c"}),"\ub97c \uc0ac\uc6a9\ud558\uc138\uc694."]}),"\n"]}),"\n",(0,n.jsxs)(r.li,{children:["\n",(0,n.jsxs)(r.p,{children:[(0,n.jsx)(r.strong,{children:"K3s \ubd80\ud2b8\uc2a4\ud2b8\ub7a9 \ub370\uc774\ud130:"})," \uc678\ubd80 SQL \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4\uac00 \uc788\ub294 HA \uad6c\uc131\uc5d0\uc11c K3s\ub97c \uc0ac\uc6a9 \uc911\uc774\uace0 \uc11c\ubc84(\ucee8\ud2b8\ub864 \ud50c\ub808\uc778) \ub178\ub4dc\uac00 ",(0,n.jsx)(r.code,{children:"--token"})," CLI \ud50c\ub798\uadf8\ub85c \uc2dc\uc791\ub418\uc9c0 \uc54a\uc740 \uacbd\uc6b0, \ud1a0\ud070\uc744 \uc9c0\uc815\ud558\uc9c0 \uc54a\uace0\ub294 \ub354 \uc774\uc0c1 \ud074\ub7ec\uc2a4\ud130\uc5d0 K3s \uc11c\ubc84\ub97c \ucd94\uac00\ud560 \uc218 \uc5c6\uac8c \ub429\ub2c8\ub2e4. \ubc31\uc5c5\uc5d0\uc11c \ubcf5\uc6d0\ud560 \ub54c \ud544\uc694\ud558\ubbc0\ub85c \uc774 \ud1a0\ud070\uc758 \uc0ac\ubcf8\uc744 \ubcf4\uad00\ud574\uc57c \ud569\ub2c8\ub2e4. \uc774\uc804\uc5d0\ub294 K3s\uc5d0\uc11c \uc678\ubd80 SQL \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4\ub97c \uc0ac\uc6a9\ud560 \ub54c \ud1a0\ud070\uc744 \uc0ac\uc6a9\ud558\ub3c4\ub85d \uac15\uc81c\ud558\uc9c0 \uc54a\uc558\uc2b5\ub2c8\ub2e4."]}),"\n",(0,n.jsxs)(r.ul,{children:["\n",(0,n.jsxs)(r.li,{children:["\n",(0,n.jsx)(r.p,{children:"\uc601\ud5a5\uc744 \ubc1b\ub294 \ubc84\uc804\uc740 <= v1.19.12+k3s1, v1.20.8+k3s1, v1.21.2+k3s1; \uc774\uba70, \ud328\uce58\ub41c \ubc84\uc804\uc740 v1.19.13+k3s1, v1.20.9+k3s1, v1.21.3+k3s1 \uc785\ub2c8\ub2e4."}),"\n"]}),"\n",(0,n.jsxs)(r.li,{children:["\n",(0,n.jsx)(r.p,{children:"\ub2e4\uc74c\uacfc \uac19\uc774 \ud074\ub7ec\uc2a4\ud130\uc5d0 \uc774\ubbf8 \uac00\uc785\ub41c \uc11c\ubc84\uc5d0\uc11c \ud1a0\ud070 \uac12\uc744 \ucc3e\uc744 \uc218 \uc788\uc2b5\ub2c8\ub2e4:"}),"\n"]}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,n.jsx)(r.pre,{children:(0,n.jsx)(r.code,{className:"language-bash",children:"cat /var/lib/rancher/k3s/server/token\n"})}),"\n",(0,n.jsxs)(r.ul,{children:["\n",(0,n.jsxs)(r.li,{children:[(0,n.jsx)(r.strong,{children:"\uc2e4\ud5d8\uc6a9 Dqlite:"})," \uc2e4\ud5d8\uc6a9 \ub0b4\uc7a5 Dqlite \ub370\uc774\ud130 \uc800\uc7a5\uc18c\ub294 K3s v1.19.1\uc5d0\uc11c \ub354 \uc774\uc0c1 \uc0ac\uc6a9\ub418\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4. \uc2e4\ud5d8\uc6a9 Dqlite\uc5d0\uc11c \uc2e4\ud5d8\uc6a9 \ub0b4\uc7a5 etcd \uc5c5\uadf8\ub808\uc774\ub4dc\ub294 \uc9c0\uc6d0\ub418\uc9c0 \uc54a\ub294\ub2e4\ub294 \uc810\uc5d0 \uc720\uc758\ud558\uc138\uc694. \uc5c5\uadf8\ub808\uc774\ub4dc\ub97c \uc2dc\ub3c4\ud558\uba74 \uc131\uacf5\ud558\uc9c0 \ubabb\ud558\uace0 \ub370\uc774\ud130\uac00 \uc190\uc2e4\ub429\ub2c8\ub2e4."]}),"\n"]})]})}function u(e={}){const{wrapper:r}={...(0,t.a)(),...e.components};return r?(0,n.jsx)(r,{...e,children:(0,n.jsx)(o,{...e})}):o(e)}},1151:(e,r,s)=>{s.d(r,{Z:()=>l,a:()=>a});var n=s(7294);const t={},i=n.createContext(t);function a(e){const r=n.useContext(i);return n.useMemo((function(){return"function"==typeof e?e(r):{...r,...e}}),[r,e])}function l(e){let r;return r=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:a(e.components),n.createElement(i.Provider,{value:r},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/3f659917.da165abb.js b/kr/assets/js/3f659917.da165abb.js deleted file mode 100644 index 546523c18..000000000 --- a/kr/assets/js/3f659917.da165abb.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[6278],{3595:(e,r,s)=>{s.r(r),s.d(r,{assets:()=>c,contentTitle:()=>a,default:()=>u,frontMatter:()=>i,metadata:()=>l,toc:()=>d});var n=s(5893),t=s(1151);const i={title:"\uc5c5\uadf8\ub808\uc774\ub4dc"},a=void 0,l={id:"upgrades/upgrades",title:"\uc5c5\uadf8\ub808\uc774\ub4dc",description:"K3s \ud074\ub7ec\uc2a4\ud130 \uc5c5\uadf8\ub808\uc774\ub4dc\ud558\uae30",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/upgrades/upgrades.md",sourceDirName:"upgrades",slug:"/upgrades/",permalink:"/kr/upgrades/",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/upgrades/upgrades.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"\uc5c5\uadf8\ub808\uc774\ub4dc"},sidebar:"mySidebar",previous:{title:"Cluster Load Balancer",permalink:"/kr/datastore/cluster-loadbalancer"},next:{title:"Stopping K3s",permalink:"/kr/upgrades/killall"}},c={},d=[{value:"K3s \ud074\ub7ec\uc2a4\ud130 \uc5c5\uadf8\ub808\uc774\ub4dc\ud558\uae30",id:"k3s-\ud074\ub7ec\uc2a4\ud130-\uc5c5\uadf8\ub808\uc774\ub4dc\ud558\uae30",level:3},{value:"\ubc84\uc804\ubcc4 \uc8fc\uc758\uc0ac\ud56d",id:"\ubc84\uc804\ubcc4-\uc8fc\uc758\uc0ac\ud56d",level:3}];function o(e){const r={a:"a",code:"code",h3:"h3",li:"li",p:"p",pre:"pre",strong:"strong",ul:"ul",...(0,t.a)(),...e.components};return(0,n.jsxs)(n.Fragment,{children:[(0,n.jsx)(r.h3,{id:"k3s-\ud074\ub7ec\uc2a4\ud130-\uc5c5\uadf8\ub808\uc774\ub4dc\ud558\uae30",children:"K3s \ud074\ub7ec\uc2a4\ud130 \uc5c5\uadf8\ub808\uc774\ub4dc\ud558\uae30"}),"\n",(0,n.jsxs)(r.p,{children:[(0,n.jsx)(r.a,{href:"/kr/upgrades/manual",children:"\uc218\ub3d9 \uc5c5\uadf8\ub808\uc774\ub4dc"}),"\uc5d0\uc11c\ub294 \ud074\ub7ec\uc2a4\ud130\ub97c \uc218\ub3d9\uc73c\ub85c \uc5c5\uadf8\ub808\uc774\ub4dc\ud558\ub294 \uba87 \uac00\uc9c0 \uae30\uc220\uc744 \uc124\uba85\ud569\ub2c8\ub2e4. \ub610\ud55c ",(0,n.jsx)(r.a,{href:"https://www.terraform.io/",children:"Terraform"}),"\uacfc \uac19\uc740 \ud0c0\uc0ac \ucf54\ub4dc\ud615 \uc778\ud504\ub77c \ub3c4\uad6c(Infrastructure-as-Code)\ub97c \ud1b5\ud55c \uc5c5\uadf8\ub808\uc774\ub4dc\uc758 \uae30\ucd08\ub85c \uc0ac\uc6a9\ud560 \uc218\ub3c4 \uc788\uc2b5\ub2c8\ub2e4."]}),"\n",(0,n.jsxs)(r.p,{children:[(0,n.jsx)(r.a,{href:"/kr/upgrades/automated",children:"\uc790\ub3d9 \uc5c5\uadf8\ub808\uc774\ub4dc"}),"\ub294 Rancher\uc758 ",(0,n.jsx)(r.a,{href:"https://github.com/rancher/system-upgrade-controller",children:"\uc2dc\uc2a4\ud15c-\uc5c5\uadf8\ub808\uc774\ub4dc-\ucee8\ud2b8\ub864\ub7ec(system-upgrade-controller)"}),"\ub97c \uc0ac\uc6a9\ud558\uc5ec \ucfe0\ubc84\ub124\ud2f0\uc2a4 \ub124\uc774\ud2f0\ube0c \uc790\ub3d9 \uc5c5\uadf8\ub808\uc774\ub4dc\ub97c \uc218\ud589\ud558\ub294 \ubc29\ubc95\uc744 \uc124\uba85\ud569\ub2c8\ub2e4."]}),"\n",(0,n.jsx)(r.h3,{id:"\ubc84\uc804\ubcc4-\uc8fc\uc758\uc0ac\ud56d",children:"\ubc84\uc804\ubcc4 \uc8fc\uc758\uc0ac\ud56d"}),"\n",(0,n.jsxs)(r.ul,{children:["\n",(0,n.jsxs)(r.li,{children:["\n",(0,n.jsxs)(r.p,{children:[(0,n.jsx)(r.strong,{children:"Traefik:"})," Traefik\uc774 \ube44\ud65c\uc131\ud654\ub418\uc9c0 \uc54a\uc740 \uacbd\uc6b0, K3s \ubc84\uc804 1.20 \uc774\ud558\uc5d0\uc11c\ub294 Traefik v1\uc774 \uc124\uce58\ub418\uace0, K3s \ubc84\uc804 1.21 \uc774\uc0c1\uc5d0\uc11c\ub294 v1\uc774 \uc5c6\ub294 \uacbd\uc6b0 Traefik v2\uac00 \uc124\uce58\ub429\ub2c8\ub2e4. \uad6c\ud615 Traefik v1\uc5d0\uc11c Traefik v2\ub85c \uc5c5\uadf8\ub808\uc774\ub4dc\ud558\ub824\uba74 ",(0,n.jsx)(r.a,{href:"https://doc.traefik.io/traefik/migration/v1-to-v2/",children:"Traefik \ubb38\uc11c"}),"\ub97c \ucc38\uc870\ud558\uc2dc\uace0 ",(0,n.jsx)(r.a,{href:"https://github.com/traefik/traefik-migration-tool",children:"\ub9c8\uc774\uadf8\ub808\uc774\uc158 \ub3c4\uad6c"}),"\ub97c \uc0ac\uc6a9\ud558\uc138\uc694."]}),"\n"]}),"\n",(0,n.jsxs)(r.li,{children:["\n",(0,n.jsxs)(r.p,{children:[(0,n.jsx)(r.strong,{children:"K3s \ubd80\ud2b8\uc2a4\ud2b8\ub7a9 \ub370\uc774\ud130:"})," \uc678\ubd80 SQL \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4\uac00 \uc788\ub294 HA \uad6c\uc131\uc5d0\uc11c K3s\ub97c \uc0ac\uc6a9 \uc911\uc774\uace0 \uc11c\ubc84(\ucee8\ud2b8\ub864 \ud50c\ub808\uc778) \ub178\ub4dc\uac00 ",(0,n.jsx)(r.code,{children:"--token"})," CLI \ud50c\ub798\uadf8\ub85c \uc2dc\uc791\ub418\uc9c0 \uc54a\uc740 \uacbd\uc6b0, \ud1a0\ud070\uc744 \uc9c0\uc815\ud558\uc9c0 \uc54a\uace0\ub294 \ub354 \uc774\uc0c1 \ud074\ub7ec\uc2a4\ud130\uc5d0 K3s \uc11c\ubc84\ub97c \ucd94\uac00\ud560 \uc218 \uc5c6\uac8c \ub429\ub2c8\ub2e4. \ubc31\uc5c5\uc5d0\uc11c \ubcf5\uc6d0\ud560 \ub54c \ud544\uc694\ud558\ubbc0\ub85c \uc774 \ud1a0\ud070\uc758 \uc0ac\ubcf8\uc744 \ubcf4\uad00\ud574\uc57c \ud569\ub2c8\ub2e4. \uc774\uc804\uc5d0\ub294 K3s\uc5d0\uc11c \uc678\ubd80 SQL \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4\ub97c \uc0ac\uc6a9\ud560 \ub54c \ud1a0\ud070\uc744 \uc0ac\uc6a9\ud558\ub3c4\ub85d \uac15\uc81c\ud558\uc9c0 \uc54a\uc558\uc2b5\ub2c8\ub2e4."]}),"\n",(0,n.jsxs)(r.ul,{children:["\n",(0,n.jsxs)(r.li,{children:["\n",(0,n.jsx)(r.p,{children:"\uc601\ud5a5\uc744 \ubc1b\ub294 \ubc84\uc804\uc740 <= v1.19.12+k3s1, v1.20.8+k3s1, v1.21.2+k3s1; \uc774\uba70, \ud328\uce58\ub41c \ubc84\uc804\uc740 v1.19.13+k3s1, v1.20.9+k3s1, v1.21.3+k3s1 \uc785\ub2c8\ub2e4."}),"\n"]}),"\n",(0,n.jsxs)(r.li,{children:["\n",(0,n.jsx)(r.p,{children:"\ub2e4\uc74c\uacfc \uac19\uc774 \ud074\ub7ec\uc2a4\ud130\uc5d0 \uc774\ubbf8 \uac00\uc785\ub41c \uc11c\ubc84\uc5d0\uc11c \ud1a0\ud070 \uac12\uc744 \ucc3e\uc744 \uc218 \uc788\uc2b5\ub2c8\ub2e4:"}),"\n"]}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,n.jsx)(r.pre,{children:(0,n.jsx)(r.code,{className:"language-bash",children:"cat /var/lib/rancher/k3s/server/token\n"})}),"\n",(0,n.jsxs)(r.ul,{children:["\n",(0,n.jsxs)(r.li,{children:[(0,n.jsx)(r.strong,{children:"\uc2e4\ud5d8\uc6a9 Dqlite:"})," \uc2e4\ud5d8\uc6a9 \ub0b4\uc7a5 Dqlite \ub370\uc774\ud130 \uc800\uc7a5\uc18c\ub294 K3s v1.19.1\uc5d0\uc11c \ub354 \uc774\uc0c1 \uc0ac\uc6a9\ub418\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4. \uc2e4\ud5d8\uc6a9 Dqlite\uc5d0\uc11c \uc2e4\ud5d8\uc6a9 \ub0b4\uc7a5 etcd \uc5c5\uadf8\ub808\uc774\ub4dc\ub294 \uc9c0\uc6d0\ub418\uc9c0 \uc54a\ub294\ub2e4\ub294 \uc810\uc5d0 \uc720\uc758\ud558\uc138\uc694. \uc5c5\uadf8\ub808\uc774\ub4dc\ub97c \uc2dc\ub3c4\ud558\uba74 \uc131\uacf5\ud558\uc9c0 \ubabb\ud558\uace0 \ub370\uc774\ud130\uac00 \uc190\uc2e4\ub429\ub2c8\ub2e4."]}),"\n"]})]})}function u(e={}){const{wrapper:r}={...(0,t.a)(),...e.components};return r?(0,n.jsx)(r,{...e,children:(0,n.jsx)(o,{...e})}):o(e)}},1151:(e,r,s)=>{s.d(r,{Z:()=>l,a:()=>a});var n=s(7294);const t={},i=n.createContext(t);function a(e){const r=n.useContext(i);return n.useMemo((function(){return"function"==typeof e?e(r):{...r,...e}}),[r,e])}function l(e){let r;return r=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:a(e.components),n.createElement(i.Provider,{value:r},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/412d1b91.83360818.js b/kr/assets/js/412d1b91.83360818.js new file mode 100644 index 000000000..0011a4076 --- /dev/null +++ b/kr/assets/js/412d1b91.83360818.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[651],{5142:(e,n,s)=>{s.r(n),s.d(n,{assets:()=>c,contentTitle:()=>t,default:()=>h,frontMatter:()=>r,metadata:()=>o,toc:()=>i});var l=s(5893),a=s(1151);const r={title:"\ubcfc\ub968\uacfc \uc800\uc7a5\uc18c"},t=void 0,o={id:"storage",title:"\ubcfc\ub968\uacfc \uc800\uc7a5\uc18c",description:"\ub370\uc774\ud130\ub97c \uc720\uc9c0\ud574\uc57c \ud558\ub294 \uc560\ud50c\ub9ac\ucf00\uc774\uc158\uc744 \ubc30\ud3ec\ud560 \ub54c\ub294 \ud37c\uc2dc\uc2a4\ud134\ud2b8 \uc2a4\ud1a0\ub9ac\uc9c0\ub97c \ub9cc\ub4e4\uc5b4\uc57c \ud569\ub2c8\ub2e4. \ud37c\uc2dc\uc2a4\ud134\ud2b8 \uc2a4\ud1a0\ub9ac\uc9c0\ub97c \uc0ac\uc6a9\ud558\uba74 \uc560\ud50c\ub9ac\ucf00\uc774\uc158\uc744 \uc2e4\ud589\ud558\ub294 \ud30c\ub4dc \uc678\ubd80\uc5d0 \uc560\ud50c\ub9ac\ucf00\uc774\uc158 \ub370\uc774\ud130\ub97c \uc800\uc7a5\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \uc774 \uc2a4\ud1a0\ub9ac\uc9c0 \ubc29\uc2dd\uc744 \uc0ac\uc6a9\ud558\uba74 \uc560\ud50c\ub9ac\ucf00\uc774\uc158\uc758 \ud30c\ub4dc\uc5d0 \uc7a5\uc560\uac00 \ubc1c\uc0dd\ud558\ub354\ub77c\ub3c4 \uc560\ud50c\ub9ac\ucf00\uc774\uc158 \ub370\uc774\ud130\ub97c \uc720\uc9c0\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/storage.md",sourceDirName:".",slug:"/storage",permalink:"/kr/storage",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/storage.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"\ubcfc\ub968\uacfc \uc800\uc7a5\uc18c"},sidebar:"mySidebar",previous:{title:"\ud074\ub7ec\uc2a4\ud130 \uc811\uadfc",permalink:"/kr/cluster-access"},next:{title:"Networking",permalink:"/kr/networking/"}},c={},i=[{value:"K3s \uc2a4\ud1a0\ub9ac\uc9c0\uc758 \ucc28\uc774\uc810\uc740 \ubb34\uc5c7\uc778\uac00\uc694?",id:"k3s-\uc2a4\ud1a0\ub9ac\uc9c0\uc758-\ucc28\uc774\uc810\uc740-\ubb34\uc5c7\uc778\uac00\uc694",level:2},{value:"\ub85c\uceec \uc2a4\ud1a0\ub9ac\uc9c0 \uacf5\uae09\uc790 \uc124\uc815\ud558\uae30",id:"\ub85c\uceec-\uc2a4\ud1a0\ub9ac\uc9c0-\uacf5\uae09\uc790-\uc124\uc815\ud558\uae30",level:2},{value:"pvc.yaml",id:"pvcyaml",level:3},{value:"pod.yaml",id:"podyaml",level:3},{value:"Longhorn \uad6c\uc131\ud558\uae30",id:"longhorn-\uad6c\uc131\ud558\uae30",level:2},{value:"pvc.yaml",id:"pvcyaml-1",level:3},{value:"pod.yaml",id:"podyaml-1",level:3}];function d(e){const n={a:"a",admonition:"admonition",code:"code",h2:"h2",h3:"h3",li:"li",p:"p",pre:"pre",ul:"ul",...(0,a.a)(),...e.components};return(0,l.jsxs)(l.Fragment,{children:[(0,l.jsx)(n.p,{children:"\ub370\uc774\ud130\ub97c \uc720\uc9c0\ud574\uc57c \ud558\ub294 \uc560\ud50c\ub9ac\ucf00\uc774\uc158\uc744 \ubc30\ud3ec\ud560 \ub54c\ub294 \ud37c\uc2dc\uc2a4\ud134\ud2b8 \uc2a4\ud1a0\ub9ac\uc9c0\ub97c \ub9cc\ub4e4\uc5b4\uc57c \ud569\ub2c8\ub2e4. \ud37c\uc2dc\uc2a4\ud134\ud2b8 \uc2a4\ud1a0\ub9ac\uc9c0\ub97c \uc0ac\uc6a9\ud558\uba74 \uc560\ud50c\ub9ac\ucf00\uc774\uc158\uc744 \uc2e4\ud589\ud558\ub294 \ud30c\ub4dc \uc678\ubd80\uc5d0 \uc560\ud50c\ub9ac\ucf00\uc774\uc158 \ub370\uc774\ud130\ub97c \uc800\uc7a5\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \uc774 \uc2a4\ud1a0\ub9ac\uc9c0 \ubc29\uc2dd\uc744 \uc0ac\uc6a9\ud558\uba74 \uc560\ud50c\ub9ac\ucf00\uc774\uc158\uc758 \ud30c\ub4dc\uc5d0 \uc7a5\uc560\uac00 \ubc1c\uc0dd\ud558\ub354\ub77c\ub3c4 \uc560\ud50c\ub9ac\ucf00\uc774\uc158 \ub370\uc774\ud130\ub97c \uc720\uc9c0\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."}),"\n",(0,l.jsxs)(n.p,{children:["\ud37c\uc2dc\uc2a4\ud134\ud2b8 \ubcfc\ub968(PV: persistent volume)\uc740 \ucfe0\ubc84\ub124\ud2f0\uc2a4 \ud074\ub7ec\uc2a4\ud130\uc758 \uc2a4\ud1a0\ub9ac\uc9c0 \uc870\uac01\uc774\uba70, \ud37c\uc2dc\uc2a4\ud134\ud2b8 \ubcfc\ub968 \ud074\ub808\uc784(PVC: persistent volume claim)\uc740 \uc2a4\ud1a0\ub9ac\uc9c0\uc5d0 \ub300\ud55c \uc694\uccad\uc785\ub2c8\ub2e4. PV\uc640 PVC\uc758 \uc791\ub3d9 \ubc29\uc2dd\uc5d0 \ub300\ud55c \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,l.jsx)(n.a,{href:"https://kubernetes.io/ko/docs/concepts/storage/volumes/",children:"\uc2a4\ud1a0\ub9ac\uc9c0"})," \uacf5\uc2dd \ucfe0\ubc84\ub124\ud2f0\uc2a4 \ubb38\uc11c\ub97c \ucc38\uc870\ud558\uc138\uc694."]}),"\n",(0,l.jsx)(n.p,{children:"\uc774 \ud398\uc774\uc9c0\ub294 \ub85c\uceec \uc2a4\ud1a0\ub9ac\uc9c0 \uc81c\uacf5\uc790 \ub610\ub294 [\ub871\ud63c(#setting-up-longhorn)]\uc744 \uc0ac\uc6a9\ud558\uc5ec \ud37c\uc2dc\uc2a4\ud134\ud2b8 \uc2a4\ud1a0\ub9ac\uc9c0\ub97c \uc124\uc815\ud558\ub294 \ubc29\ubc95\uc744 \uc124\uba85\ud569\ub2c8\ub2e4."}),"\n",(0,l.jsx)(n.h2,{id:"k3s-\uc2a4\ud1a0\ub9ac\uc9c0\uc758-\ucc28\uc774\uc810\uc740-\ubb34\uc5c7\uc778\uac00\uc694",children:"K3s \uc2a4\ud1a0\ub9ac\uc9c0\uc758 \ucc28\uc774\uc810\uc740 \ubb34\uc5c7\uc778\uac00\uc694?"}),"\n",(0,l.jsx)(n.p,{children:'K3s\ub294 \uba87 \uac00\uc9c0 \uc120\ud0dd\uc801 \ubcfc\ub968 \ud50c\ub7ec\uadf8\uc778\uacfc \ubaa8\ub4e0 \ub0b4\uc7a5("in-tree"\ub77c\uace0\ub3c4 \ud568) \ud074\ub77c\uc6b0\ub4dc \uc81c\uacf5\uc5c5\uccb4\ub97c \uc81c\uac70\ud569\ub2c8\ub2e4. \uc774\ub294 \ub354 \uc791\uc740 \ubc14\uc774\ub108\ub9ac \ud06c\uae30\ub97c \ub2ec\uc131\ud558\uace0 \ub9ce\uc740 K3s \uc0ac\uc6a9 \uc0ac\ub840\uc5d0\uc11c \uc0ac\uc6a9\ud560 \uc218 \uc5c6\ub294 \ud0c0\uc0ac \ud074\ub77c\uc6b0\ub4dc \ub610\ub294 \ub370\uc774\ud130\uc13c\ud130 \uae30\uc220 \ubc0f \uc11c\ube44\uc2a4\uc5d0 \ub300\ud55c \uc758\uc874\uc744 \ud53c\ud558\uae30 \uc704\ud55c \uac83\uc785\ub2c8\ub2e4. \uc774\ub7ec\ud55c \ud50c\ub7ec\uadf8\uc778\uc744 \uc81c\uac70\ud574\ub3c4 \ud575\uc2ec Kubernetes \uae30\ub2a5\uc774\ub098 \uc801\ud569\uc131\uc5d0\ub294 \uc601\ud5a5\uc744 \ubbf8\uce58\uc9c0 \uc54a\uae30 \ub54c\ubb38\uc5d0 \uc774\ub807\uac8c \ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4.'}),"\n",(0,l.jsx)(n.p,{children:"\ub2e4\uc74c \ubcfc\ub968 \ud50c\ub7ec\uadf8\uc778\uc740 K3s\uc5d0\uc11c \uc81c\uac70\ub418\uc5c8\uc2b5\ub2c8\ub2e4:"}),"\n",(0,l.jsxs)(n.ul,{children:["\n",(0,l.jsx)(n.li,{children:"cephfs"}),"\n",(0,l.jsx)(n.li,{children:"fc"}),"\n",(0,l.jsx)(n.li,{children:"flocker"}),"\n",(0,l.jsx)(n.li,{children:"git_repo"}),"\n",(0,l.jsx)(n.li,{children:"glusterfs"}),"\n",(0,l.jsx)(n.li,{children:"portworx"}),"\n",(0,l.jsx)(n.li,{children:"quobyte"}),"\n",(0,l.jsx)(n.li,{children:"rbd"}),"\n",(0,l.jsx)(n.li,{children:"storageos"}),"\n"]}),"\n",(0,l.jsxs)(n.p,{children:["K3s\uc640 \ud568\uaed8 \uc0ac\uc6a9\ud560 \uc218 \uc788\ub294 \ud2b8\ub9ac \uc678 \ub300\uc548\uc778 \ub450 \uad6c\uc131 \uc694\uc18c\uac00 \uc788\uc2b5\ub2c8\ub2e4:\n\ucfe0\ubc84\ub124\ud2f0\uc2a4 ",(0,l.jsx)(n.a,{href:"https://github.com/container-storage-interface/spec/blob/master/spec.md",children:"\ucee8\ud14c\uc774\ub108 \uc2a4\ud1a0\ub9ac\uc9c0 \uc778\ud130\ud398\uc774\uc2a4(CSI)"})," \ubc0f ",(0,l.jsx)(n.a,{href:"https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/",children:"\ud074\ub77c\uc6b0\ub4dc \ud504\ub85c\ubc14\uc774\ub354 \uc778\ud130\ud398\uc774\uc2a4(CPI)"}),"\uc785\ub2c8\ub2e4."]}),"\n",(0,l.jsxs)(n.p,{children:["\ucfe0\ubc84\ub124\ud2f0\uc2a4 \uc720\uc9c0 \uad00\ub9ac\uc790\ub294 \uc778-\ud2b8\ub9ac \ubcfc\ub968 \ud50c\ub7ec\uadf8\uc778\uc744 CSI \ub4dc\ub77c\uc774\ubc84\ub85c \uc801\uadf9\uc801\uc73c\ub85c \ub9c8\uc774\uadf8\ub808\uc774\uc158\ud558\uace0 \uc788\uc2b5\ub2c8\ub2e4. \uc774 \ub9c8\uc774\uadf8\ub808\uc774\uc158\uc5d0 \ub300\ud55c \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,l.jsx)(n.a,{href:"https://kubernetes.io/blog/2021/12/10/storage-in-tree-to-csi-migration-status-update/",children:"\uc5ec\uae30"}),"\ub97c \ucc38\uace0\ud558\uc138\uc694."]}),"\n",(0,l.jsx)(n.h2,{id:"\ub85c\uceec-\uc2a4\ud1a0\ub9ac\uc9c0-\uacf5\uae09\uc790-\uc124\uc815\ud558\uae30",children:"\ub85c\uceec \uc2a4\ud1a0\ub9ac\uc9c0 \uacf5\uae09\uc790 \uc124\uc815\ud558\uae30"}),"\n",(0,l.jsxs)(n.p,{children:["K3s\ub294 \ub79c\ucc98\uc758 \ub85c\uceec \uacbd\ub85c \ud504\ub85c\ube44\uc800\ub108\uc640 \ud568\uaed8 \uc81c\uacf5\ub418\uba70, \uc774\ub97c \ud1b5\ud574 \uac01 \ub178\ub4dc\uc758 \ub85c\uceec \uc2a4\ud1a0\ub9ac\uc9c0\ub97c \uc0ac\uc6a9\ud558\uc5ec \uc601\uad6c \ubcfc\ub968 \ud074\ub808\uc784(persistent volume claims)\uc744 \uc989\uc2dc \uc0dd\uc131\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \uc544\ub798\uc5d0\uc11c\ub294 \uac04\ub2e8\ud55c \uc608\uc81c\ub97c \ub2e4\ub8e8\uaca0\uc2b5\ub2c8\ub2e4. \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 \uacf5\uc2dd \ubb38\uc11c ",(0,l.jsx)(n.a,{href:"https://github.com/rancher/local-path-provisioner/blob/master/README.md#usage",children:"\uc5ec\uae30"}),"\ub97c \ucc38\uc870\ud558\uc138\uc694."]}),"\n",(0,l.jsx)(n.p,{children:"\ud638\uc2a4\ud2b8 \uacbd\ub85c \uc9c0\uc6d0 \ud37c\uc2dc\uc2a4\ud134\ud2b8 \ubcfc\ub968 \ud074\ub808\uc784\uacfc \uc774\ub97c \ud65c\uc6a9\ud560 \ud30c\ub4dc\ub97c \uc0dd\uc131\ud569\ub2c8\ub2e4:"}),"\n",(0,l.jsx)(n.h3,{id:"pvcyaml",children:"pvc.yaml"}),"\n",(0,l.jsx)(n.pre,{children:(0,l.jsx)(n.code,{className:"language-yaml",children:"apiVersion: v1\nkind: PersistentVolumeClaim\nmetadata:\n name: local-path-pvc\n namespace: default\nspec:\n accessModes:\n - ReadWriteOnce\n storageClassName: local-path\n resources:\n requests:\n storage: 2Gi\n"})}),"\n",(0,l.jsx)(n.h3,{id:"podyaml",children:"pod.yaml"}),"\n",(0,l.jsx)(n.pre,{children:(0,l.jsx)(n.code,{className:"language-yaml",children:"apiVersion: v1\nkind: Pod\nmetadata:\n name: volume-test\n namespace: default\nspec:\n containers:\n - name: volume-test\n image: nginx:stable-alpine\n imagePullPolicy: IfNotPresent\n volumeMounts:\n - name: volv\n mountPath: /data\n ports:\n - containerPort: 80\n volumes:\n - name: volv\n persistentVolumeClaim:\n claimName: local-path-pvc\n"})}),"\n",(0,l.jsx)(n.p,{children:"yaml\uc744 \uc801\uc6a9\ud569\ub2c8\ub2e4:"}),"\n",(0,l.jsx)(n.pre,{children:(0,l.jsx)(n.code,{className:"language-bash",children:"kubectl create -f pvc.yaml\nkubectl create -f pod.yaml\n"})}),"\n",(0,l.jsx)(n.p,{children:"PV \ubc0f PVC\uac00 \uc0dd\uc131\ub418\uc5c8\ub294\uc9c0 \ud655\uc778\ud569\ub2c8\ub2e4:"}),"\n",(0,l.jsx)(n.pre,{children:(0,l.jsx)(n.code,{className:"language-bash",children:"kubectl get pv\nkubectl get pvc\n"})}),"\n",(0,l.jsxs)(n.p,{children:["\uc0c1\ud0dc\ub294 \uac01\uac01 ",(0,l.jsx)(n.code,{children:"Bound"}),"\uc5ec\uc57c \ud569\ub2c8\ub2e4."]}),"\n",(0,l.jsx)(n.h2,{id:"longhorn-\uad6c\uc131\ud558\uae30",children:"Longhorn \uad6c\uc131\ud558\uae30"}),"\n",(0,l.jsx)(n.admonition,{type:"warning",children:(0,l.jsx)(n.p,{children:"Longhorn\uc740 ARM32\ub97c \uc9c0\uc6d0\ud558\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4."})}),"\n",(0,l.jsxs)(n.p,{children:["K3s\ub294 \ucfe0\ubc84\ub124\ud2f0\uc2a4\uc6a9 \uc624\ud508\uc18c\uc2a4 \ubd84\uc0b0\ud615 \ube14\ub85d \uc2a4\ud1a0\ub9ac\uc9c0 \uc2dc\uc2a4\ud15c\uc778 ",(0,l.jsx)(n.a,{href:"https://github.com/longhorn/longhorn",children:"Longhorn"}),"\uc744 \uc9c0\uc6d0\ud569\ub2c8\ub2e4."]}),"\n",(0,l.jsxs)(n.p,{children:["\uc544\ub798\ub294 \uac04\ub2e8\ud55c \uc608\uc81c\uc785\ub2c8\ub2e4. \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,l.jsx)(n.a,{href:"https://longhorn.io/docs/latest/",children:"\uacf5\uc2dd \ubb38\uc11c"}),"\ub97c \ucc38\uace0\ud558\uc2dc\uae30 \ubc14\ub78d\ub2c8\ub2e4."]}),"\n",(0,l.jsx)(n.p,{children:"longhorn.yaml\uc744 \uc801\uc6a9\ud558\uc5ec Longhorn\uc744 \uc124\uce58\ud569\ub2c8\ub2e4:"}),"\n",(0,l.jsx)(n.pre,{children:(0,l.jsx)(n.code,{className:"language-bash",children:"kubectl apply -f https://raw.githubusercontent.com/longhorn/longhorn/v1.5.1/deploy/longhorn.yaml\n"})}),"\n",(0,l.jsxs)(n.p,{children:["Longhorn\uc740 \ub124\uc784\uc2a4\ud398\uc774\uc2a4 ",(0,l.jsx)(n.code,{children:"longhorn-system"}),"\uc5d0 \uc124\uce58\ub429\ub2c8\ub2e4."]}),"\n",(0,l.jsx)(n.p,{children:"yaml\uc744 \uc801\uc6a9\ud558\uc5ec PVC\uc640 \ud30c\ub4dc\ub97c \uc0dd\uc131\ud569\ub2c8\ub2e4:"}),"\n",(0,l.jsx)(n.pre,{children:(0,l.jsx)(n.code,{className:"language-bash",children:"kubectl create -f pvc.yaml\nkubectl create -f pod.yaml\n"})}),"\n",(0,l.jsx)(n.h3,{id:"pvcyaml-1",children:"pvc.yaml"}),"\n",(0,l.jsx)(n.pre,{children:(0,l.jsx)(n.code,{className:"language-yaml",children:"apiVersion: v1\nkind: PersistentVolumeClaim\nmetadata:\n name: longhorn-volv-pvc\nspec:\n accessModes:\n - ReadWriteOnce\n storageClassName: longhorn\n resources:\n requests:\n storage: 2Gi\n"})}),"\n",(0,l.jsx)(n.h3,{id:"podyaml-1",children:"pod.yaml"}),"\n",(0,l.jsx)(n.pre,{children:(0,l.jsx)(n.code,{className:"language-yaml",children:"apiVersion: v1\nkind: Pod\nmetadata:\n name: volume-test\n namespace: default\nspec:\n containers:\n - name: volume-test\n image: nginx:stable-alpine\n imagePullPolicy: IfNotPresent\n volumeMounts:\n - name: volv\n mountPath: /data\n ports:\n - containerPort: 80\n volumes:\n - name: volv\n persistentVolumeClaim:\n claimName: longhorn-volv-pvc\n"})}),"\n",(0,l.jsx)(n.p,{children:"PV \ubc0f PVC\uac00 \uc0dd\uc131\ub418\uc5c8\ub294\uc9c0 \ud655\uc778\ud569\ub2c8\ub2e4:"}),"\n",(0,l.jsx)(n.pre,{children:(0,l.jsx)(n.code,{className:"language-bash",children:"kubectl get pv\nkubectl get pvc\n"})}),"\n",(0,l.jsxs)(n.p,{children:["\uc0c1\ud0dc\ub294 \uac01\uac01 ",(0,l.jsx)(n.code,{children:"Bound"}),"\uc5ec\uc57c \ud569\ub2c8\ub2e4."]})]})}function h(e={}){const{wrapper:n}={...(0,a.a)(),...e.components};return n?(0,l.jsx)(n,{...e,children:(0,l.jsx)(d,{...e})}):d(e)}},1151:(e,n,s)=>{s.d(n,{Z:()=>o,a:()=>t});var l=s(7294);const a={},r=l.createContext(a);function t(e){const n=l.useContext(r);return l.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function o(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(a):e.components||a:t(e.components),l.createElement(r.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/412d1b91.9f8f881e.js b/kr/assets/js/412d1b91.9f8f881e.js deleted file mode 100644 index d644f0676..000000000 --- a/kr/assets/js/412d1b91.9f8f881e.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[651],{5142:(e,n,s)=>{s.r(n),s.d(n,{assets:()=>c,contentTitle:()=>t,default:()=>h,frontMatter:()=>r,metadata:()=>o,toc:()=>i});var l=s(5893),a=s(1151);const r={title:"\ubcfc\ub968\uacfc \uc800\uc7a5\uc18c"},t=void 0,o={id:"storage",title:"\ubcfc\ub968\uacfc \uc800\uc7a5\uc18c",description:"\ub370\uc774\ud130\ub97c \uc720\uc9c0\ud574\uc57c \ud558\ub294 \uc560\ud50c\ub9ac\ucf00\uc774\uc158\uc744 \ubc30\ud3ec\ud560 \ub54c\ub294 \ud37c\uc2dc\uc2a4\ud134\ud2b8 \uc2a4\ud1a0\ub9ac\uc9c0\ub97c \ub9cc\ub4e4\uc5b4\uc57c \ud569\ub2c8\ub2e4. \ud37c\uc2dc\uc2a4\ud134\ud2b8 \uc2a4\ud1a0\ub9ac\uc9c0\ub97c \uc0ac\uc6a9\ud558\uba74 \uc560\ud50c\ub9ac\ucf00\uc774\uc158\uc744 \uc2e4\ud589\ud558\ub294 \ud30c\ub4dc \uc678\ubd80\uc5d0 \uc560\ud50c\ub9ac\ucf00\uc774\uc158 \ub370\uc774\ud130\ub97c \uc800\uc7a5\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \uc774 \uc2a4\ud1a0\ub9ac\uc9c0 \ubc29\uc2dd\uc744 \uc0ac\uc6a9\ud558\uba74 \uc560\ud50c\ub9ac\ucf00\uc774\uc158\uc758 \ud30c\ub4dc\uc5d0 \uc7a5\uc560\uac00 \ubc1c\uc0dd\ud558\ub354\ub77c\ub3c4 \uc560\ud50c\ub9ac\ucf00\uc774\uc158 \ub370\uc774\ud130\ub97c \uc720\uc9c0\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/storage.md",sourceDirName:".",slug:"/storage",permalink:"/kr/storage",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/storage.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"\ubcfc\ub968\uacfc \uc800\uc7a5\uc18c"},sidebar:"mySidebar",previous:{title:"\ud074\ub7ec\uc2a4\ud130 \uc811\uadfc",permalink:"/kr/cluster-access"},next:{title:"Networking",permalink:"/kr/networking/"}},c={},i=[{value:"K3s \uc2a4\ud1a0\ub9ac\uc9c0\uc758 \ucc28\uc774\uc810\uc740 \ubb34\uc5c7\uc778\uac00\uc694?",id:"k3s-\uc2a4\ud1a0\ub9ac\uc9c0\uc758-\ucc28\uc774\uc810\uc740-\ubb34\uc5c7\uc778\uac00\uc694",level:2},{value:"\ub85c\uceec \uc2a4\ud1a0\ub9ac\uc9c0 \uacf5\uae09\uc790 \uc124\uc815\ud558\uae30",id:"\ub85c\uceec-\uc2a4\ud1a0\ub9ac\uc9c0-\uacf5\uae09\uc790-\uc124\uc815\ud558\uae30",level:2},{value:"pvc.yaml",id:"pvcyaml",level:3},{value:"pod.yaml",id:"podyaml",level:3},{value:"Longhorn \uad6c\uc131\ud558\uae30",id:"longhorn-\uad6c\uc131\ud558\uae30",level:2},{value:"pvc.yaml",id:"pvcyaml-1",level:3},{value:"pod.yaml",id:"podyaml-1",level:3}];function d(e){const n={a:"a",admonition:"admonition",code:"code",h2:"h2",h3:"h3",li:"li",p:"p",pre:"pre",ul:"ul",...(0,a.a)(),...e.components};return(0,l.jsxs)(l.Fragment,{children:[(0,l.jsx)(n.p,{children:"\ub370\uc774\ud130\ub97c \uc720\uc9c0\ud574\uc57c \ud558\ub294 \uc560\ud50c\ub9ac\ucf00\uc774\uc158\uc744 \ubc30\ud3ec\ud560 \ub54c\ub294 \ud37c\uc2dc\uc2a4\ud134\ud2b8 \uc2a4\ud1a0\ub9ac\uc9c0\ub97c \ub9cc\ub4e4\uc5b4\uc57c \ud569\ub2c8\ub2e4. \ud37c\uc2dc\uc2a4\ud134\ud2b8 \uc2a4\ud1a0\ub9ac\uc9c0\ub97c \uc0ac\uc6a9\ud558\uba74 \uc560\ud50c\ub9ac\ucf00\uc774\uc158\uc744 \uc2e4\ud589\ud558\ub294 \ud30c\ub4dc \uc678\ubd80\uc5d0 \uc560\ud50c\ub9ac\ucf00\uc774\uc158 \ub370\uc774\ud130\ub97c \uc800\uc7a5\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \uc774 \uc2a4\ud1a0\ub9ac\uc9c0 \ubc29\uc2dd\uc744 \uc0ac\uc6a9\ud558\uba74 \uc560\ud50c\ub9ac\ucf00\uc774\uc158\uc758 \ud30c\ub4dc\uc5d0 \uc7a5\uc560\uac00 \ubc1c\uc0dd\ud558\ub354\ub77c\ub3c4 \uc560\ud50c\ub9ac\ucf00\uc774\uc158 \ub370\uc774\ud130\ub97c \uc720\uc9c0\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."}),"\n",(0,l.jsxs)(n.p,{children:["\ud37c\uc2dc\uc2a4\ud134\ud2b8 \ubcfc\ub968(PV: persistent volume)\uc740 \ucfe0\ubc84\ub124\ud2f0\uc2a4 \ud074\ub7ec\uc2a4\ud130\uc758 \uc2a4\ud1a0\ub9ac\uc9c0 \uc870\uac01\uc774\uba70, \ud37c\uc2dc\uc2a4\ud134\ud2b8 \ubcfc\ub968 \ud074\ub808\uc784(PVC: persistent volume claim)\uc740 \uc2a4\ud1a0\ub9ac\uc9c0\uc5d0 \ub300\ud55c \uc694\uccad\uc785\ub2c8\ub2e4. PV\uc640 PVC\uc758 \uc791\ub3d9 \ubc29\uc2dd\uc5d0 \ub300\ud55c \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,l.jsx)(n.a,{href:"https://kubernetes.io/ko/docs/concepts/storage/volumes/",children:"\uc2a4\ud1a0\ub9ac\uc9c0"})," \uacf5\uc2dd \ucfe0\ubc84\ub124\ud2f0\uc2a4 \ubb38\uc11c\ub97c \ucc38\uc870\ud558\uc138\uc694."]}),"\n",(0,l.jsx)(n.p,{children:"\uc774 \ud398\uc774\uc9c0\ub294 \ub85c\uceec \uc2a4\ud1a0\ub9ac\uc9c0 \uc81c\uacf5\uc790 \ub610\ub294 [\ub871\ud63c(#setting-up-longhorn)]\uc744 \uc0ac\uc6a9\ud558\uc5ec \ud37c\uc2dc\uc2a4\ud134\ud2b8 \uc2a4\ud1a0\ub9ac\uc9c0\ub97c \uc124\uc815\ud558\ub294 \ubc29\ubc95\uc744 \uc124\uba85\ud569\ub2c8\ub2e4."}),"\n",(0,l.jsx)(n.h2,{id:"k3s-\uc2a4\ud1a0\ub9ac\uc9c0\uc758-\ucc28\uc774\uc810\uc740-\ubb34\uc5c7\uc778\uac00\uc694",children:"K3s \uc2a4\ud1a0\ub9ac\uc9c0\uc758 \ucc28\uc774\uc810\uc740 \ubb34\uc5c7\uc778\uac00\uc694?"}),"\n",(0,l.jsx)(n.p,{children:'K3s\ub294 \uba87 \uac00\uc9c0 \uc120\ud0dd\uc801 \ubcfc\ub968 \ud50c\ub7ec\uadf8\uc778\uacfc \ubaa8\ub4e0 \ub0b4\uc7a5("in-tree"\ub77c\uace0\ub3c4 \ud568) \ud074\ub77c\uc6b0\ub4dc \uc81c\uacf5\uc5c5\uccb4\ub97c \uc81c\uac70\ud569\ub2c8\ub2e4. \uc774\ub294 \ub354 \uc791\uc740 \ubc14\uc774\ub108\ub9ac \ud06c\uae30\ub97c \ub2ec\uc131\ud558\uace0 \ub9ce\uc740 K3s \uc0ac\uc6a9 \uc0ac\ub840\uc5d0\uc11c \uc0ac\uc6a9\ud560 \uc218 \uc5c6\ub294 \ud0c0\uc0ac \ud074\ub77c\uc6b0\ub4dc \ub610\ub294 \ub370\uc774\ud130\uc13c\ud130 \uae30\uc220 \ubc0f \uc11c\ube44\uc2a4\uc5d0 \ub300\ud55c \uc758\uc874\uc744 \ud53c\ud558\uae30 \uc704\ud55c \uac83\uc785\ub2c8\ub2e4. \uc774\ub7ec\ud55c \ud50c\ub7ec\uadf8\uc778\uc744 \uc81c\uac70\ud574\ub3c4 \ud575\uc2ec Kubernetes \uae30\ub2a5\uc774\ub098 \uc801\ud569\uc131\uc5d0\ub294 \uc601\ud5a5\uc744 \ubbf8\uce58\uc9c0 \uc54a\uae30 \ub54c\ubb38\uc5d0 \uc774\ub807\uac8c \ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4.'}),"\n",(0,l.jsx)(n.p,{children:"\ub2e4\uc74c \ubcfc\ub968 \ud50c\ub7ec\uadf8\uc778\uc740 K3s\uc5d0\uc11c \uc81c\uac70\ub418\uc5c8\uc2b5\ub2c8\ub2e4:"}),"\n",(0,l.jsxs)(n.ul,{children:["\n",(0,l.jsx)(n.li,{children:"cephfs"}),"\n",(0,l.jsx)(n.li,{children:"fc"}),"\n",(0,l.jsx)(n.li,{children:"flocker"}),"\n",(0,l.jsx)(n.li,{children:"git_repo"}),"\n",(0,l.jsx)(n.li,{children:"glusterfs"}),"\n",(0,l.jsx)(n.li,{children:"portworx"}),"\n",(0,l.jsx)(n.li,{children:"quobyte"}),"\n",(0,l.jsx)(n.li,{children:"rbd"}),"\n",(0,l.jsx)(n.li,{children:"storageos"}),"\n"]}),"\n",(0,l.jsxs)(n.p,{children:["K3s\uc640 \ud568\uaed8 \uc0ac\uc6a9\ud560 \uc218 \uc788\ub294 \ud2b8\ub9ac \uc678 \ub300\uc548\uc778 \ub450 \uad6c\uc131 \uc694\uc18c\uac00 \uc788\uc2b5\ub2c8\ub2e4:\n\ucfe0\ubc84\ub124\ud2f0\uc2a4 ",(0,l.jsx)(n.a,{href:"https://github.com/container-storage-interface/spec/blob/master/spec.md",children:"\ucee8\ud14c\uc774\ub108 \uc2a4\ud1a0\ub9ac\uc9c0 \uc778\ud130\ud398\uc774\uc2a4(CSI)"})," \ubc0f ",(0,l.jsx)(n.a,{href:"https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/",children:"\ud074\ub77c\uc6b0\ub4dc \ud504\ub85c\ubc14\uc774\ub354 \uc778\ud130\ud398\uc774\uc2a4(CPI)"}),"\uc785\ub2c8\ub2e4."]}),"\n",(0,l.jsxs)(n.p,{children:["\ucfe0\ubc84\ub124\ud2f0\uc2a4 \uc720\uc9c0 \uad00\ub9ac\uc790\ub294 \uc778-\ud2b8\ub9ac \ubcfc\ub968 \ud50c\ub7ec\uadf8\uc778\uc744 CSI \ub4dc\ub77c\uc774\ubc84\ub85c \uc801\uadf9\uc801\uc73c\ub85c \ub9c8\uc774\uadf8\ub808\uc774\uc158\ud558\uace0 \uc788\uc2b5\ub2c8\ub2e4. \uc774 \ub9c8\uc774\uadf8\ub808\uc774\uc158\uc5d0 \ub300\ud55c \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,l.jsx)(n.a,{href:"https://kubernetes.io/blog/2021/12/10/storage-in-tree-to-csi-migration-status-update/",children:"\uc5ec\uae30"}),"\ub97c \ucc38\uace0\ud558\uc138\uc694."]}),"\n",(0,l.jsx)(n.h2,{id:"\ub85c\uceec-\uc2a4\ud1a0\ub9ac\uc9c0-\uacf5\uae09\uc790-\uc124\uc815\ud558\uae30",children:"\ub85c\uceec \uc2a4\ud1a0\ub9ac\uc9c0 \uacf5\uae09\uc790 \uc124\uc815\ud558\uae30"}),"\n",(0,l.jsxs)(n.p,{children:["K3s\ub294 \ub79c\ucc98\uc758 \ub85c\uceec \uacbd\ub85c \ud504\ub85c\ube44\uc800\ub108\uc640 \ud568\uaed8 \uc81c\uacf5\ub418\uba70, \uc774\ub97c \ud1b5\ud574 \uac01 \ub178\ub4dc\uc758 \ub85c\uceec \uc2a4\ud1a0\ub9ac\uc9c0\ub97c \uc0ac\uc6a9\ud558\uc5ec \uc601\uad6c \ubcfc\ub968 \ud074\ub808\uc784(persistent volume claims)\uc744 \uc989\uc2dc \uc0dd\uc131\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \uc544\ub798\uc5d0\uc11c\ub294 \uac04\ub2e8\ud55c \uc608\uc81c\ub97c \ub2e4\ub8e8\uaca0\uc2b5\ub2c8\ub2e4. \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 \uacf5\uc2dd \ubb38\uc11c ",(0,l.jsx)(n.a,{href:"https://github.com/rancher/local-path-provisioner/blob/master/README.md#usage",children:"\uc5ec\uae30"}),"\ub97c \ucc38\uc870\ud558\uc138\uc694."]}),"\n",(0,l.jsx)(n.p,{children:"\ud638\uc2a4\ud2b8 \uacbd\ub85c \uc9c0\uc6d0 \ud37c\uc2dc\uc2a4\ud134\ud2b8 \ubcfc\ub968 \ud074\ub808\uc784\uacfc \uc774\ub97c \ud65c\uc6a9\ud560 \ud30c\ub4dc\ub97c \uc0dd\uc131\ud569\ub2c8\ub2e4:"}),"\n",(0,l.jsx)(n.h3,{id:"pvcyaml",children:"pvc.yaml"}),"\n",(0,l.jsx)(n.pre,{children:(0,l.jsx)(n.code,{className:"language-yaml",children:"apiVersion: v1\nkind: PersistentVolumeClaim\nmetadata:\n name: local-path-pvc\n namespace: default\nspec:\n accessModes:\n - ReadWriteOnce\n storageClassName: local-path\n resources:\n requests:\n storage: 2Gi\n"})}),"\n",(0,l.jsx)(n.h3,{id:"podyaml",children:"pod.yaml"}),"\n",(0,l.jsx)(n.pre,{children:(0,l.jsx)(n.code,{className:"language-yaml",children:"apiVersion: v1\nkind: Pod\nmetadata:\n name: volume-test\n namespace: default\nspec:\n containers:\n - name: volume-test\n image: nginx:stable-alpine\n imagePullPolicy: IfNotPresent\n volumeMounts:\n - name: volv\n mountPath: /data\n ports:\n - containerPort: 80\n volumes:\n - name: volv\n persistentVolumeClaim:\n claimName: local-path-pvc\n"})}),"\n",(0,l.jsx)(n.p,{children:"yaml\uc744 \uc801\uc6a9\ud569\ub2c8\ub2e4:"}),"\n",(0,l.jsx)(n.pre,{children:(0,l.jsx)(n.code,{className:"language-bash",children:"kubectl create -f pvc.yaml\nkubectl create -f pod.yaml\n"})}),"\n",(0,l.jsx)(n.p,{children:"PV \ubc0f PVC\uac00 \uc0dd\uc131\ub418\uc5c8\ub294\uc9c0 \ud655\uc778\ud569\ub2c8\ub2e4:"}),"\n",(0,l.jsx)(n.pre,{children:(0,l.jsx)(n.code,{className:"language-bash",children:"kubectl get pv\nkubectl get pvc\n"})}),"\n",(0,l.jsxs)(n.p,{children:["\uc0c1\ud0dc\ub294 \uac01\uac01 ",(0,l.jsx)(n.code,{children:"Bound"}),"\uc5ec\uc57c \ud569\ub2c8\ub2e4."]}),"\n",(0,l.jsx)(n.h2,{id:"longhorn-\uad6c\uc131\ud558\uae30",children:"Longhorn \uad6c\uc131\ud558\uae30"}),"\n",(0,l.jsx)(n.admonition,{type:"warning",children:(0,l.jsx)(n.p,{children:"Longhorn\uc740 ARM32\ub97c \uc9c0\uc6d0\ud558\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4."})}),"\n",(0,l.jsxs)(n.p,{children:["K3s\ub294 \ucfe0\ubc84\ub124\ud2f0\uc2a4\uc6a9 \uc624\ud508\uc18c\uc2a4 \ubd84\uc0b0\ud615 \ube14\ub85d \uc2a4\ud1a0\ub9ac\uc9c0 \uc2dc\uc2a4\ud15c\uc778 ",(0,l.jsx)(n.a,{href:"https://github.com/longhorn/longhorn",children:"Longhorn"}),"\uc744 \uc9c0\uc6d0\ud569\ub2c8\ub2e4."]}),"\n",(0,l.jsxs)(n.p,{children:["\uc544\ub798\ub294 \uac04\ub2e8\ud55c \uc608\uc81c\uc785\ub2c8\ub2e4. \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,l.jsx)(n.a,{href:"https://longhorn.io/docs/latest/",children:"\uacf5\uc2dd \ubb38\uc11c"}),"\ub97c \ucc38\uace0\ud558\uc2dc\uae30 \ubc14\ub78d\ub2c8\ub2e4."]}),"\n",(0,l.jsx)(n.p,{children:"longhorn.yaml\uc744 \uc801\uc6a9\ud558\uc5ec Longhorn\uc744 \uc124\uce58\ud569\ub2c8\ub2e4:"}),"\n",(0,l.jsx)(n.pre,{children:(0,l.jsx)(n.code,{className:"language-bash",children:"kubectl apply -f https://raw.githubusercontent.com/longhorn/longhorn/v1.5.1/deploy/longhorn.yaml\n"})}),"\n",(0,l.jsxs)(n.p,{children:["Longhorn\uc740 \ub124\uc784\uc2a4\ud398\uc774\uc2a4 ",(0,l.jsx)(n.code,{children:"longhorn-system"}),"\uc5d0 \uc124\uce58\ub429\ub2c8\ub2e4."]}),"\n",(0,l.jsx)(n.p,{children:"yaml\uc744 \uc801\uc6a9\ud558\uc5ec PVC\uc640 \ud30c\ub4dc\ub97c \uc0dd\uc131\ud569\ub2c8\ub2e4:"}),"\n",(0,l.jsx)(n.pre,{children:(0,l.jsx)(n.code,{className:"language-bash",children:"kubectl create -f pvc.yaml\nkubectl create -f pod.yaml\n"})}),"\n",(0,l.jsx)(n.h3,{id:"pvcyaml-1",children:"pvc.yaml"}),"\n",(0,l.jsx)(n.pre,{children:(0,l.jsx)(n.code,{className:"language-yaml",children:"apiVersion: v1\nkind: PersistentVolumeClaim\nmetadata:\n name: longhorn-volv-pvc\nspec:\n accessModes:\n - ReadWriteOnce\n storageClassName: longhorn\n resources:\n requests:\n storage: 2Gi\n"})}),"\n",(0,l.jsx)(n.h3,{id:"podyaml-1",children:"pod.yaml"}),"\n",(0,l.jsx)(n.pre,{children:(0,l.jsx)(n.code,{className:"language-yaml",children:"apiVersion: v1\nkind: Pod\nmetadata:\n name: volume-test\n namespace: default\nspec:\n containers:\n - name: volume-test\n image: nginx:stable-alpine\n imagePullPolicy: IfNotPresent\n volumeMounts:\n - name: volv\n mountPath: /data\n ports:\n - containerPort: 80\n volumes:\n - name: volv\n persistentVolumeClaim:\n claimName: longhorn-volv-pvc\n"})}),"\n",(0,l.jsx)(n.p,{children:"PV \ubc0f PVC\uac00 \uc0dd\uc131\ub418\uc5c8\ub294\uc9c0 \ud655\uc778\ud569\ub2c8\ub2e4:"}),"\n",(0,l.jsx)(n.pre,{children:(0,l.jsx)(n.code,{className:"language-bash",children:"kubectl get pv\nkubectl get pvc\n"})}),"\n",(0,l.jsxs)(n.p,{children:["\uc0c1\ud0dc\ub294 \uac01\uac01 ",(0,l.jsx)(n.code,{children:"Bound"}),"\uc5ec\uc57c \ud569\ub2c8\ub2e4."]})]})}function h(e={}){const{wrapper:n}={...(0,a.a)(),...e.components};return n?(0,l.jsx)(n,{...e,children:(0,l.jsx)(d,{...e})}):d(e)}},1151:(e,n,s)=>{s.d(n,{Z:()=>o,a:()=>t});var l=s(7294);const a={},r=l.createContext(a);function t(e){const n=l.useContext(r);return l.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function o(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(a):e.components||a:t(e.components),l.createElement(r.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/zh/assets/js/7d5aab5d.d0a92439.js b/kr/assets/js/42e456bb.20337826.js similarity index 67% rename from zh/assets/js/7d5aab5d.d0a92439.js rename to kr/assets/js/42e456bb.20337826.js index 1b597bf41..eaae7661c 100644 --- a/zh/assets/js/7d5aab5d.d0a92439.js +++ b/kr/assets/js/42e456bb.20337826.js @@ -1 +1 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[3219],{6381:(e,r,n)=>{n.r(r),n.d(r,{assets:()=>o,contentTitle:()=>t,default:()=>c,frontMatter:()=>s,metadata:()=>l,toc:()=>d});var a=n(5893),i=n(1151);const s={title:"Air-Gap Install"},t=void 0,l={id:"installation/airgap",title:"Air-Gap Install",description:"You can install K3s in an air-gapped environment using two different methods. An air-gapped environment is any environment that is not directly connected to the Internet. You can either deploy a private registry and mirror docker.io, or you can manually deploy images such as for small clusters.",source:"@site/i18n/zh/docusaurus-plugin-content-docs/current/installation/airgap.md",sourceDirName:"installation",slug:"/installation/airgap",permalink:"/zh/installation/airgap",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/airgap.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Air-Gap Install"},sidebar:"mySidebar",previous:{title:"Embedded Registry Mirror",permalink:"/zh/installation/registry-mirror"},next:{title:"Managing Server Roles",permalink:"/zh/installation/server-roles"}},o={},d=[{value:"Load Images",id:"load-images",level:2},{value:"Private Registry Method",id:"private-registry-method",level:3},{value:"Create the Registry YAML and Push Images",id:"create-the-registry-yaml-and-push-images",level:4},{value:"Manually Deploy Images Method",id:"manually-deploy-images-method",level:3},{value:"Prepare the Images Directory and Airgap Image Tarball",id:"prepare-the-images-directory-and-airgap-image-tarball",level:4},{value:"Embedded Registry Mirror",id:"embedded-registry-mirror",level:3},{value:"Install K3s",id:"install-k3s",level:2},{value:"Prerequisites",id:"prerequisites",level:3},{value:"Binaries",id:"binaries",level:4},{value:"Default Network Route",id:"default-network-route",level:4},{value:"SELinux RPM",id:"selinux-rpm",level:4},{value:"Installing K3s in an Air-Gapped Environment",id:"installing-k3s-in-an-air-gapped-environment",level:3},{value:"Upgrading",id:"upgrading",level:2},{value:"Install Script Method",id:"install-script-method",level:3},{value:"Automated Upgrades Method",id:"automated-upgrades-method",level:3}];function h(e){const r={a:"a",admonition:"admonition",code:"code",h2:"h2",h3:"h3",h4:"h4",li:"li",ol:"ol",p:"p",pre:"pre",ul:"ul",...(0,i.a)(),...e.components},{TabItem:n,Tabs:s}=r;return n||u("TabItem",!0),s||u("Tabs",!0),(0,a.jsxs)(a.Fragment,{children:[(0,a.jsx)(r.p,{children:"You can install K3s in an air-gapped environment using two different methods. An air-gapped environment is any environment that is not directly connected to the Internet. You can either deploy a private registry and mirror docker.io, or you can manually deploy images such as for small clusters."}),"\n",(0,a.jsx)(r.h2,{id:"load-images",children:"Load Images"}),"\n",(0,a.jsx)(r.h3,{id:"private-registry-method",children:"Private Registry Method"}),"\n",(0,a.jsx)(r.p,{children:"These steps assume you have already created nodes in your air-gap environment,\nare using the bundled containerd as the container runtime,\nand have a OCI-compliant private registry available in your environment."}),"\n",(0,a.jsxs)(r.p,{children:["If you have not yet set up a private Docker registry, refer to the ",(0,a.jsx)(r.a,{href:"https://docs.docker.com/registry/deploying/#run-an-externally-accessible-registry",children:"official Registry documentation"}),"."]}),"\n",(0,a.jsx)(r.h4,{id:"create-the-registry-yaml-and-push-images",children:"Create the Registry YAML and Push Images"}),"\n",(0,a.jsxs)(r.ol,{children:["\n",(0,a.jsxs)(r.li,{children:["Obtain the images archive for your architecture from the ",(0,a.jsx)(r.a,{href:"https://github.com/k3s-io/k3s/releases",children:"releases"})," page for the version of K3s you will be running."]}),"\n",(0,a.jsxs)(r.li,{children:["Use ",(0,a.jsx)(r.code,{children:"docker image load k3s-airgap-images-amd64.tar.zst"})," to import images from the tar file into docker."]}),"\n",(0,a.jsxs)(r.li,{children:["Use ",(0,a.jsx)(r.code,{children:"docker tag"})," and ",(0,a.jsx)(r.code,{children:"docker push"})," to retag and push the loaded images to your private registry."]}),"\n",(0,a.jsxs)(r.li,{children:["Follow the ",(0,a.jsx)(r.a,{href:"/zh/installation/private-registry",children:"Private Registry Configuration"})," guide to create and configure the ",(0,a.jsx)(r.code,{children:"registries.yaml"})," file."]}),"\n",(0,a.jsxs)(r.li,{children:["Proceed to the ",(0,a.jsx)(r.a,{href:"#install-k3s",children:"Install K3s"})," section below."]}),"\n"]}),"\n",(0,a.jsx)(r.h3,{id:"manually-deploy-images-method",children:"Manually Deploy Images Method"}),"\n",(0,a.jsx)(r.p,{children:"These steps assume you have already created nodes in your air-gap environment,\nare using the bundled containerd as the container runtime,\nand cannot or do not want to use a private registry."}),"\n",(0,a.jsx)(r.p,{children:"This method requires you to manually deploy the necessary images to each node, and is appropriate for edge deployments where running a private registry is not practical."}),"\n",(0,a.jsx)(r.h4,{id:"prepare-the-images-directory-and-airgap-image-tarball",children:"Prepare the Images Directory and Airgap Image Tarball"}),"\n",(0,a.jsxs)(r.ol,{children:["\n",(0,a.jsxs)(r.li,{children:["Obtain the images archive for your architecture from the ",(0,a.jsx)(r.a,{href:"https://github.com/k3s-io/k3s/releases",children:"releases"})," page for the version of K3s you will be running."]}),"\n",(0,a.jsx)(r.li,{children:"Download the imagess archive to the agent's images directory, for example:"}),"\n"]}),"\n",(0,a.jsx)(r.pre,{children:(0,a.jsx)(r.code,{className:"language-bash",children:"sudo mkdir -p /var/lib/rancher/k3s/agent/images/\nsudo curl -L -O /var/lib/rancher/k3s/agent/images/k3s-airgap-images-amd64.tar.zst https://github.com/k3s-io/k3s/releases/download/v1.29.1-rc2%2Bk3s1/k3s-airgap-images-amd64.tar.zst\n"})}),"\n",(0,a.jsxs)(r.ol,{start:"3",children:["\n",(0,a.jsxs)(r.li,{children:["Proceed to the ",(0,a.jsx)(r.a,{href:"#install-k3s",children:"Install K3s"})," section below."]}),"\n"]}),"\n",(0,a.jsx)(r.h3,{id:"embedded-registry-mirror",children:"Embedded Registry Mirror"}),"\n",(0,a.jsx)(r.admonition,{title:"Version Gate",type:"info",children:(0,a.jsx)(r.p,{children:"The Embedded Registry Mirror is available as an experimental feature as of January 2024 releases: v1.26.13+k3s1, v1.27.10+k3s1, v1.28.6+k3s1, v1.29.1+k3s1"})}),"\n",(0,a.jsx)(r.p,{children:"K3s includes an embedded distributed OCI-compliant registry mirror.\nWhen enabled and properly configured, images available in the containerd image store on any node\ncan be pulled by other cluster members without access to an external image registry."}),"\n",(0,a.jsxs)(r.p,{children:["The mirrored images may be sourced from an upstream registry, registry mirror, or airgap image tarball.\nFor more information on enabling the embedded distributed registry mirror, see the ",(0,a.jsx)(r.a,{href:"/zh/installation/registry-mirror",children:"Embedded Registry Mirror"})," documentation."]}),"\n",(0,a.jsx)(r.h2,{id:"install-k3s",children:"Install K3s"}),"\n",(0,a.jsx)(r.h3,{id:"prerequisites",children:"Prerequisites"}),"\n",(0,a.jsxs)(r.p,{children:["Before installing K3s, complete the ",(0,a.jsx)(r.a,{href:"#private-registry-method",children:"Private Registry Method"})," or the ",(0,a.jsx)(r.a,{href:"#manually-deploy-images-method",children:"Manually Deploy Images Method"})," above to prepopulate the images that K3s needs to install."]}),"\n",(0,a.jsx)(r.h4,{id:"binaries",children:"Binaries"}),"\n",(0,a.jsxs)(r.ul,{children:["\n",(0,a.jsxs)(r.li,{children:["Download the K3s binary from the ",(0,a.jsx)(r.a,{href:"https://github.com/k3s-io/k3s/releases",children:"releases"})," page, matching the same version used to get the airgap images. Place the binary in ",(0,a.jsx)(r.code,{children:"/usr/local/bin"})," on each air-gapped node and ensure it is executable."]}),"\n",(0,a.jsxs)(r.li,{children:["Download the K3s install script at ",(0,a.jsx)(r.a,{href:"https://get.k3s.io",children:"get.k3s.io"}),". Place the install script anywhere on each air-gapped node, and name it ",(0,a.jsx)(r.code,{children:"install.sh"}),"."]}),"\n"]}),"\n",(0,a.jsx)(r.h4,{id:"default-network-route",children:"Default Network Route"}),"\n",(0,a.jsx)(r.p,{children:"If your nodes do not have an interface with a default route, a default route must be configured; even a black-hole route via a dummy interface will suffice. K3s requires a default route in order to auto-detect the node's primary IP, and for kube-proxy ClusterIP routing to function properly. To add a dummy route, do the following:"}),"\n",(0,a.jsx)(r.pre,{children:(0,a.jsx)(r.code,{children:"ip link add dummy0 type dummy\nip link set dummy0 up\nip addr add 203.0.113.254/31 dev dummy0\nip route add default via 203.0.113.255 dev dummy0 metric 1000\n"})}),"\n",(0,a.jsxs)(r.p,{children:["When running the K3s script with the ",(0,a.jsx)(r.code,{children:"INSTALL_K3S_SKIP_DOWNLOAD"})," environment variable, K3s will use the local version of the script and binary."]}),"\n",(0,a.jsx)(r.h4,{id:"selinux-rpm",children:"SELinux RPM"}),"\n",(0,a.jsxs)(r.p,{children:["If you intend to deploy K3s with SELinux enabled, you will need also install the appropriate k3s-selinux RPM on all nodes. The latest version of the RPM can be found ",(0,a.jsx)(r.a,{href:"https://github.com/k3s-io/k3s-selinux/releases/latest",children:"here"}),". For example, on CentOS 8:"]}),"\n",(0,a.jsx)(r.pre,{children:(0,a.jsx)(r.code,{className:"language-bash",children:"On internet accessible machine:\ncurl -LO https://github.com/k3s-io/k3s-selinux/releases/download/v1.4.stable.1/k3s-selinux-1.4-1.el8.noarch.rpm\n\n# Transfer RPM to air-gapped machine\nOn air-gapped machine:\nsudo yum install ./k3s-selinux-1.4-1.el8.noarch.rpm\n"})}),"\n",(0,a.jsxs)(r.p,{children:["See the ",(0,a.jsx)(r.a,{href:"/zh/advanced#selinux-support",children:"SELinux"})," section for more information."]}),"\n",(0,a.jsx)(r.h3,{id:"installing-k3s-in-an-air-gapped-environment",children:"Installing K3s in an Air-Gapped Environment"}),"\n",(0,a.jsx)(r.p,{children:"You can install K3s on one or more servers as described below."}),"\n",(0,a.jsxs)(s,{children:[(0,a.jsxs)(n,{value:"Single Server Configuration",default:!0,children:[(0,a.jsx)(r.p,{children:"To install K3s on a single server, simply do the following on the server node:"}),(0,a.jsx)(r.pre,{children:(0,a.jsx)(r.code,{className:"language-bash",children:"INSTALL_K3S_SKIP_DOWNLOAD=true ./install.sh\n"})}),(0,a.jsx)(r.p,{children:"To add additional agents, do the following on each agent node:"}),(0,a.jsx)(r.pre,{children:(0,a.jsx)(r.code,{className:"language-bash",children:"INSTALL_K3S_SKIP_DOWNLOAD=true K3S_URL=https://:6443 K3S_TOKEN= ./install.sh\n"})}),(0,a.jsx)(r.admonition,{type:"note",children:(0,a.jsxs)(r.p,{children:["The token from the server is typically found at ",(0,a.jsx)(r.code,{children:"/var/lib/rancher/k3s/server/token"}),"."]})})]}),(0,a.jsxs)(n,{value:"High Availability Configuration",default:!0,children:[(0,a.jsxs)(r.p,{children:["Reference the ",(0,a.jsx)(r.a,{href:"/zh/datastore/ha",children:"High Availability with an External DB"})," or ",(0,a.jsx)(r.a,{href:"/zh/datastore/ha-embedded",children:"High Availability with Embedded DB"})," guides. You will be tweaking install commands so you specify ",(0,a.jsx)(r.code,{children:"INSTALL_K3S_SKIP_DOWNLOAD=true"})," and run your install script locally instead of via curl. You will also utilize ",(0,a.jsx)(r.code,{children:"INSTALL_K3S_EXEC='args'"})," to supply any arguments to k3s."]}),(0,a.jsx)(r.p,{children:"For example, step two of the High Availability with an External DB guide mentions the following:"}),(0,a.jsx)(r.pre,{children:(0,a.jsx)(r.code,{className:"language-bash",children:'curl -sfL https://get.k3s.io | sh -s - server \\\n --token=SECRET \\\n --datastore-endpoint="mysql://username:password@tcp(hostname:3306)/database-name"\n'})}),(0,a.jsx)(r.p,{children:"Instead, you would modify such examples like below:"}),(0,a.jsx)(r.pre,{children:(0,a.jsx)(r.code,{className:"language-bash",children:"INSTALL_K3S_SKIP_DOWNLOAD=true INSTALL_K3S_EXEC='server --token=SECRET' \\\nK3S_DATASTORE_ENDPOINT='mysql://username:password@tcp(hostname:3306)/database-name' \\\n./install.sh\n"})})]})]}),"\n",(0,a.jsx)(r.admonition,{type:"note",children:(0,a.jsxs)(r.p,{children:["K3s's ",(0,a.jsx)(r.code,{children:"--resolv-conf"})," flag is passed through to the kubelet, which may help with configuring pod DNS resolution in air-gap networks where the host does not have upstream nameservers configured."]})}),"\n",(0,a.jsx)(r.h2,{id:"upgrading",children:"Upgrading"}),"\n",(0,a.jsx)(r.h3,{id:"install-script-method",children:"Install Script Method"}),"\n",(0,a.jsx)(r.p,{children:"Upgrading an air-gap environment can be accomplished in the following manner:"}),"\n",(0,a.jsxs)(r.ol,{children:["\n",(0,a.jsxs)(r.li,{children:["Download the new air-gap images (tar file) from the ",(0,a.jsx)(r.a,{href:"https://github.com/k3s-io/k3s/releases",children:"releases"})," page for the version of K3s you will be upgrading to. Place the tar in the ",(0,a.jsx)(r.code,{children:"/var/lib/rancher/k3s/agent/images/"})," directory on each\nnode. Delete the old tar file."]}),"\n",(0,a.jsxs)(r.li,{children:["Copy and replace the old K3s binary in ",(0,a.jsx)(r.code,{children:"/usr/local/bin"})," on each node. Copy over the install script at ",(0,a.jsx)(r.a,{href:"https://get.k3s.io",children:"https://get.k3s.io"})," (as it is possible it has changed since the last release). Run the script again just as you had done in the past\nwith the same environment variables."]}),"\n",(0,a.jsx)(r.li,{children:"Restart the K3s service (if not restarted automatically by installer)."}),"\n"]}),"\n",(0,a.jsx)(r.h3,{id:"automated-upgrades-method",children:"Automated Upgrades Method"}),"\n",(0,a.jsxs)(r.p,{children:["K3s supports ",(0,a.jsx)(r.a,{href:"/zh/upgrades/automated",children:"automated upgrades"}),". To enable this in air-gapped environments, you must ensure the required images are available in your private registry."]}),"\n",(0,a.jsxs)(r.p,{children:["You will need the version of rancher/k3s-upgrade that corresponds to the version of K3s you intend to upgrade to. Note, the image tag replaces the ",(0,a.jsx)(r.code,{children:"+"})," in the K3s release with a ",(0,a.jsx)(r.code,{children:"-"})," because Docker images do not support ",(0,a.jsx)(r.code,{children:"+"}),"."]}),"\n",(0,a.jsxs)(r.p,{children:["You will also need the versions of system-upgrade-controller and kubectl that are specified in the system-upgrade-controller manifest YAML that you will deploy. Check for the latest release of the system-upgrade-controller ",(0,a.jsx)(r.a,{href:"https://github.com/rancher/system-upgrade-controller/releases/latest",children:"here"})," and download the system-upgrade-controller.yaml to determine the versions you need to push to your private registry. For example, in release v0.4.0 of the system-upgrade-controller, these images are specified in the manifest YAML:"]}),"\n",(0,a.jsx)(r.pre,{children:(0,a.jsx)(r.code,{children:"rancher/system-upgrade-controller:v0.4.0\nrancher/kubectl:v0.17.0\n"})}),"\n",(0,a.jsxs)(r.p,{children:["Once you have added the necessary rancher/k3s-upgrade, rancher/system-upgrade-controller, and rancher/kubectl images to your private registry, follow the ",(0,a.jsx)(r.a,{href:"/zh/upgrades/automated",children:"automated upgrades"})," guide."]})]})}function c(e={}){const{wrapper:r}={...(0,i.a)(),...e.components};return r?(0,a.jsx)(r,{...e,children:(0,a.jsx)(h,{...e})}):h(e)}function u(e,r){throw new Error("Expected "+(r?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,r,n)=>{n.d(r,{Z:()=>l,a:()=>t});var a=n(7294);const i={},s=a.createContext(i);function t(e){const r=a.useContext(s);return a.useMemo((function(){return"function"==typeof e?e(r):{...r,...e}}),[r,e])}function l(e){let r;return r=e.disableParentContext?"function"==typeof e.components?e.components(i):e.components||i:t(e.components),a.createElement(s.Provider,{value:r},e.children)}}}]); \ No newline at end of file +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[9654],{5706:(e,r,n)=>{n.r(r),n.d(r,{assets:()=>o,contentTitle:()=>t,default:()=>c,frontMatter:()=>s,metadata:()=>l,toc:()=>d});var a=n(5893),i=n(1151);const s={title:"Air-Gap Install"},t=void 0,l={id:"installation/airgap",title:"Air-Gap Install",description:"You can install K3s in an air-gapped environment using two different methods. An air-gapped environment is any environment that is not directly connected to the Internet. You can either deploy a private registry and mirror docker.io, or you can manually deploy images such as for small clusters.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/installation/airgap.md",sourceDirName:"installation",slug:"/installation/airgap",permalink:"/kr/installation/airgap",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/airgap.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Air-Gap Install"},sidebar:"mySidebar",previous:{title:"Embedded Registry Mirror",permalink:"/kr/installation/registry-mirror"},next:{title:"Managing Server Roles",permalink:"/kr/installation/server-roles"}},o={},d=[{value:"Load Images",id:"load-images",level:2},{value:"Private Registry Method",id:"private-registry-method",level:3},{value:"Create the Registry YAML and Push Images",id:"create-the-registry-yaml-and-push-images",level:4},{value:"Manually Deploy Images Method",id:"manually-deploy-images-method",level:3},{value:"Prepare the Images Directory and Airgap Image Tarball",id:"prepare-the-images-directory-and-airgap-image-tarball",level:4},{value:"Embedded Registry Mirror",id:"embedded-registry-mirror",level:3},{value:"Install K3s",id:"install-k3s",level:2},{value:"Prerequisites",id:"prerequisites",level:3},{value:"Binaries",id:"binaries",level:4},{value:"Default Network Route",id:"default-network-route",level:4},{value:"SELinux RPM",id:"selinux-rpm",level:4},{value:"Installing K3s in an Air-Gapped Environment",id:"installing-k3s-in-an-air-gapped-environment",level:3},{value:"Upgrading",id:"upgrading",level:2},{value:"Install Script Method",id:"install-script-method",level:3},{value:"Automated Upgrades Method",id:"automated-upgrades-method",level:3}];function h(e){const r={a:"a",admonition:"admonition",code:"code",h2:"h2",h3:"h3",h4:"h4",li:"li",ol:"ol",p:"p",pre:"pre",ul:"ul",...(0,i.a)(),...e.components},{TabItem:n,Tabs:s}=r;return n||u("TabItem",!0),s||u("Tabs",!0),(0,a.jsxs)(a.Fragment,{children:[(0,a.jsx)(r.p,{children:"You can install K3s in an air-gapped environment using two different methods. An air-gapped environment is any environment that is not directly connected to the Internet. You can either deploy a private registry and mirror docker.io, or you can manually deploy images such as for small clusters."}),"\n",(0,a.jsx)(r.h2,{id:"load-images",children:"Load Images"}),"\n",(0,a.jsx)(r.h3,{id:"private-registry-method",children:"Private Registry Method"}),"\n",(0,a.jsx)(r.p,{children:"These steps assume you have already created nodes in your air-gap environment,\nare using the bundled containerd as the container runtime,\nand have a OCI-compliant private registry available in your environment."}),"\n",(0,a.jsxs)(r.p,{children:["If you have not yet set up a private Docker registry, refer to the ",(0,a.jsx)(r.a,{href:"https://docs.docker.com/registry/deploying/#run-an-externally-accessible-registry",children:"official Registry documentation"}),"."]}),"\n",(0,a.jsx)(r.h4,{id:"create-the-registry-yaml-and-push-images",children:"Create the Registry YAML and Push Images"}),"\n",(0,a.jsxs)(r.ol,{children:["\n",(0,a.jsxs)(r.li,{children:["Obtain the images archive for your architecture from the ",(0,a.jsx)(r.a,{href:"https://github.com/k3s-io/k3s/releases",children:"releases"})," page for the version of K3s you will be running."]}),"\n",(0,a.jsxs)(r.li,{children:["Use ",(0,a.jsx)(r.code,{children:"docker image load k3s-airgap-images-amd64.tar.zst"})," to import images from the tar file into docker."]}),"\n",(0,a.jsxs)(r.li,{children:["Use ",(0,a.jsx)(r.code,{children:"docker tag"})," and ",(0,a.jsx)(r.code,{children:"docker push"})," to retag and push the loaded images to your private registry."]}),"\n",(0,a.jsxs)(r.li,{children:["Follow the ",(0,a.jsx)(r.a,{href:"/kr/installation/private-registry",children:"Private Registry Configuration"})," guide to create and configure the ",(0,a.jsx)(r.code,{children:"registries.yaml"})," file."]}),"\n",(0,a.jsxs)(r.li,{children:["Proceed to the ",(0,a.jsx)(r.a,{href:"#install-k3s",children:"Install K3s"})," section below."]}),"\n"]}),"\n",(0,a.jsx)(r.h3,{id:"manually-deploy-images-method",children:"Manually Deploy Images Method"}),"\n",(0,a.jsx)(r.p,{children:"These steps assume you have already created nodes in your air-gap environment,\nare using the bundled containerd as the container runtime,\nand cannot or do not want to use a private registry."}),"\n",(0,a.jsx)(r.p,{children:"This method requires you to manually deploy the necessary images to each node, and is appropriate for edge deployments where running a private registry is not practical."}),"\n",(0,a.jsx)(r.h4,{id:"prepare-the-images-directory-and-airgap-image-tarball",children:"Prepare the Images Directory and Airgap Image Tarball"}),"\n",(0,a.jsxs)(r.ol,{children:["\n",(0,a.jsxs)(r.li,{children:["Obtain the images archive for your architecture from the ",(0,a.jsx)(r.a,{href:"https://github.com/k3s-io/k3s/releases",children:"releases"})," page for the version of K3s you will be running."]}),"\n",(0,a.jsx)(r.li,{children:"Download the images archive to the agent's images directory, for example:"}),"\n"]}),"\n",(0,a.jsx)(r.pre,{children:(0,a.jsx)(r.code,{className:"language-bash",children:"sudo mkdir -p /var/lib/rancher/k3s/agent/images/\nsudo curl -L -O /var/lib/rancher/k3s/agent/images/k3s-airgap-images-amd64.tar.zst https://github.com/k3s-io/k3s/releases/download/v1.29.1-rc2%2Bk3s1/k3s-airgap-images-amd64.tar.zst\n"})}),"\n",(0,a.jsxs)(r.ol,{start:"3",children:["\n",(0,a.jsxs)(r.li,{children:["Proceed to the ",(0,a.jsx)(r.a,{href:"#install-k3s",children:"Install K3s"})," section below."]}),"\n"]}),"\n",(0,a.jsx)(r.h3,{id:"embedded-registry-mirror",children:"Embedded Registry Mirror"}),"\n",(0,a.jsx)(r.admonition,{title:"Version Gate",type:"info",children:(0,a.jsx)(r.p,{children:"The Embedded Registry Mirror is available as an experimental feature as of January 2024 releases: v1.26.13+k3s1, v1.27.10+k3s1, v1.28.6+k3s1, v1.29.1+k3s1"})}),"\n",(0,a.jsx)(r.p,{children:"K3s includes an embedded distributed OCI-compliant registry mirror.\nWhen enabled and properly configured, images available in the containerd image store on any node\ncan be pulled by other cluster members without access to an external image registry."}),"\n",(0,a.jsxs)(r.p,{children:["The mirrored images may be sourced from an upstream registry, registry mirror, or airgap image tarball.\nFor more information on enabling the embedded distributed registry mirror, see the ",(0,a.jsx)(r.a,{href:"/kr/installation/registry-mirror",children:"Embedded Registry Mirror"})," documentation."]}),"\n",(0,a.jsx)(r.h2,{id:"install-k3s",children:"Install K3s"}),"\n",(0,a.jsx)(r.h3,{id:"prerequisites",children:"Prerequisites"}),"\n",(0,a.jsxs)(r.p,{children:["Before installing K3s, complete the ",(0,a.jsx)(r.a,{href:"#private-registry-method",children:"Private Registry Method"})," or the ",(0,a.jsx)(r.a,{href:"#manually-deploy-images-method",children:"Manually Deploy Images Method"})," above to prepopulate the images that K3s needs to install."]}),"\n",(0,a.jsx)(r.h4,{id:"binaries",children:"Binaries"}),"\n",(0,a.jsxs)(r.ul,{children:["\n",(0,a.jsxs)(r.li,{children:["Download the K3s binary from the ",(0,a.jsx)(r.a,{href:"https://github.com/k3s-io/k3s/releases",children:"releases"})," page, matching the same version used to get the airgap images. Place the binary in ",(0,a.jsx)(r.code,{children:"/usr/local/bin"})," on each air-gapped node and ensure it is executable."]}),"\n",(0,a.jsxs)(r.li,{children:["Download the K3s install script at ",(0,a.jsx)(r.a,{href:"https://get.k3s.io",children:"get.k3s.io"}),". Place the install script anywhere on each air-gapped node, and name it ",(0,a.jsx)(r.code,{children:"install.sh"}),"."]}),"\n"]}),"\n",(0,a.jsx)(r.h4,{id:"default-network-route",children:"Default Network Route"}),"\n",(0,a.jsx)(r.p,{children:"If your nodes do not have an interface with a default route, a default route must be configured; even a black-hole route via a dummy interface will suffice. K3s requires a default route in order to auto-detect the node's primary IP, and for kube-proxy ClusterIP routing to function properly. To add a dummy route, do the following:"}),"\n",(0,a.jsx)(r.pre,{children:(0,a.jsx)(r.code,{children:"ip link add dummy0 type dummy\nip link set dummy0 up\nip addr add 203.0.113.254/31 dev dummy0\nip route add default via 203.0.113.255 dev dummy0 metric 1000\n"})}),"\n",(0,a.jsxs)(r.p,{children:["When running the K3s script with the ",(0,a.jsx)(r.code,{children:"INSTALL_K3S_SKIP_DOWNLOAD"})," environment variable, K3s will use the local version of the script and binary."]}),"\n",(0,a.jsx)(r.h4,{id:"selinux-rpm",children:"SELinux RPM"}),"\n",(0,a.jsxs)(r.p,{children:["If you intend to deploy K3s with SELinux enabled, you will need also install the appropriate k3s-selinux RPM on all nodes. The latest version of the RPM can be found ",(0,a.jsx)(r.a,{href:"https://github.com/k3s-io/k3s-selinux/releases/latest",children:"here"}),". For example, on CentOS 8:"]}),"\n",(0,a.jsx)(r.pre,{children:(0,a.jsx)(r.code,{className:"language-bash",children:"On internet accessible machine:\ncurl -LO https://github.com/k3s-io/k3s-selinux/releases/download/v1.4.stable.1/k3s-selinux-1.4-1.el8.noarch.rpm\n\n# Transfer RPM to air-gapped machine\nOn air-gapped machine:\nsudo yum install ./k3s-selinux-1.4-1.el8.noarch.rpm\n"})}),"\n",(0,a.jsxs)(r.p,{children:["See the ",(0,a.jsx)(r.a,{href:"/kr/advanced#selinux-support",children:"SELinux"})," section for more information."]}),"\n",(0,a.jsx)(r.h3,{id:"installing-k3s-in-an-air-gapped-environment",children:"Installing K3s in an Air-Gapped Environment"}),"\n",(0,a.jsx)(r.p,{children:"You can install K3s on one or more servers as described below."}),"\n",(0,a.jsxs)(s,{children:[(0,a.jsxs)(n,{value:"Single Server Configuration",default:!0,children:[(0,a.jsx)(r.p,{children:"To install K3s on a single server, simply do the following on the server node:"}),(0,a.jsx)(r.pre,{children:(0,a.jsx)(r.code,{className:"language-bash",children:"INSTALL_K3S_SKIP_DOWNLOAD=true ./install.sh\n"})}),(0,a.jsx)(r.p,{children:"To add additional agents, do the following on each agent node:"}),(0,a.jsx)(r.pre,{children:(0,a.jsx)(r.code,{className:"language-bash",children:"INSTALL_K3S_SKIP_DOWNLOAD=true K3S_URL=https://:6443 K3S_TOKEN= ./install.sh\n"})}),(0,a.jsx)(r.admonition,{type:"note",children:(0,a.jsxs)(r.p,{children:["The token from the server is typically found at ",(0,a.jsx)(r.code,{children:"/var/lib/rancher/k3s/server/token"}),"."]})})]}),(0,a.jsxs)(n,{value:"High Availability Configuration",default:!0,children:[(0,a.jsxs)(r.p,{children:["Reference the ",(0,a.jsx)(r.a,{href:"/kr/datastore/ha",children:"High Availability with an External DB"})," or ",(0,a.jsx)(r.a,{href:"/kr/datastore/ha-embedded",children:"High Availability with Embedded DB"})," guides. You will be tweaking install commands so you specify ",(0,a.jsx)(r.code,{children:"INSTALL_K3S_SKIP_DOWNLOAD=true"})," and run your install script locally instead of via curl. You will also utilize ",(0,a.jsx)(r.code,{children:"INSTALL_K3S_EXEC='args'"})," to supply any arguments to k3s."]}),(0,a.jsx)(r.p,{children:"For example, step two of the High Availability with an External DB guide mentions the following:"}),(0,a.jsx)(r.pre,{children:(0,a.jsx)(r.code,{className:"language-bash",children:'curl -sfL https://get.k3s.io | sh -s - server \\\n --token=SECRET \\\n --datastore-endpoint="mysql://username:password@tcp(hostname:3306)/database-name"\n'})}),(0,a.jsx)(r.p,{children:"Instead, you would modify such examples like below:"}),(0,a.jsx)(r.pre,{children:(0,a.jsx)(r.code,{className:"language-bash",children:"INSTALL_K3S_SKIP_DOWNLOAD=true INSTALL_K3S_EXEC='server --token=SECRET' \\\nK3S_DATASTORE_ENDPOINT='mysql://username:password@tcp(hostname:3306)/database-name' \\\n./install.sh\n"})})]})]}),"\n",(0,a.jsx)(r.admonition,{type:"note",children:(0,a.jsxs)(r.p,{children:["K3s's ",(0,a.jsx)(r.code,{children:"--resolv-conf"})," flag is passed through to the kubelet, which may help with configuring pod DNS resolution in air-gap networks where the host does not have upstream nameservers configured."]})}),"\n",(0,a.jsx)(r.h2,{id:"upgrading",children:"Upgrading"}),"\n",(0,a.jsx)(r.h3,{id:"install-script-method",children:"Install Script Method"}),"\n",(0,a.jsx)(r.p,{children:"Upgrading an air-gap environment can be accomplished in the following manner:"}),"\n",(0,a.jsxs)(r.ol,{children:["\n",(0,a.jsxs)(r.li,{children:["Download the new air-gap images (tar file) from the ",(0,a.jsx)(r.a,{href:"https://github.com/k3s-io/k3s/releases",children:"releases"})," page for the version of K3s you will be upgrading to. Place the tar in the ",(0,a.jsx)(r.code,{children:"/var/lib/rancher/k3s/agent/images/"})," directory on each\nnode. Delete the old tar file."]}),"\n",(0,a.jsxs)(r.li,{children:["Copy and replace the old K3s binary in ",(0,a.jsx)(r.code,{children:"/usr/local/bin"})," on each node. Copy over the install script at ",(0,a.jsx)(r.a,{href:"https://get.k3s.io",children:"https://get.k3s.io"})," (as it is possible it has changed since the last release). Run the script again just as you had done in the past\nwith the same environment variables."]}),"\n",(0,a.jsx)(r.li,{children:"Restart the K3s service (if not restarted automatically by installer)."}),"\n"]}),"\n",(0,a.jsx)(r.h3,{id:"automated-upgrades-method",children:"Automated Upgrades Method"}),"\n",(0,a.jsxs)(r.p,{children:["K3s supports ",(0,a.jsx)(r.a,{href:"/kr/upgrades/automated",children:"automated upgrades"}),". To enable this in air-gapped environments, you must ensure the required images are available in your private registry."]}),"\n",(0,a.jsxs)(r.p,{children:["You will need the version of rancher/k3s-upgrade that corresponds to the version of K3s you intend to upgrade to. Note, the image tag replaces the ",(0,a.jsx)(r.code,{children:"+"})," in the K3s release with a ",(0,a.jsx)(r.code,{children:"-"})," because Docker images do not support ",(0,a.jsx)(r.code,{children:"+"}),"."]}),"\n",(0,a.jsxs)(r.p,{children:["You will also need the versions of system-upgrade-controller and kubectl that are specified in the system-upgrade-controller manifest YAML that you will deploy. Check for the latest release of the system-upgrade-controller ",(0,a.jsx)(r.a,{href:"https://github.com/rancher/system-upgrade-controller/releases/latest",children:"here"})," and download the system-upgrade-controller.yaml to determine the versions you need to push to your private registry. For example, in release v0.4.0 of the system-upgrade-controller, these images are specified in the manifest YAML:"]}),"\n",(0,a.jsx)(r.pre,{children:(0,a.jsx)(r.code,{children:"rancher/system-upgrade-controller:v0.4.0\nrancher/kubectl:v0.17.0\n"})}),"\n",(0,a.jsxs)(r.p,{children:["Once you have added the necessary rancher/k3s-upgrade, rancher/system-upgrade-controller, and rancher/kubectl images to your private registry, follow the ",(0,a.jsx)(r.a,{href:"/kr/upgrades/automated",children:"automated upgrades"})," guide."]})]})}function c(e={}){const{wrapper:r}={...(0,i.a)(),...e.components};return r?(0,a.jsx)(r,{...e,children:(0,a.jsx)(h,{...e})}):h(e)}function u(e,r){throw new Error("Expected "+(r?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,r,n)=>{n.d(r,{Z:()=>l,a:()=>t});var a=n(7294);const i={},s=a.createContext(i);function t(e){const r=a.useContext(s);return a.useMemo((function(){return"function"==typeof e?e(r):{...r,...e}}),[r,e])}function l(e){let r;return r=e.disableParentContext?"function"==typeof e.components?e.components(i):e.components||i:t(e.components),a.createElement(s.Provider,{value:r},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/42e456bb.71d7aebb.js b/kr/assets/js/42e456bb.71d7aebb.js deleted file mode 100644 index 299fe83fc..000000000 --- a/kr/assets/js/42e456bb.71d7aebb.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[9654],{5706:(e,r,n)=>{n.r(r),n.d(r,{assets:()=>o,contentTitle:()=>t,default:()=>c,frontMatter:()=>s,metadata:()=>l,toc:()=>d});var a=n(5893),i=n(1151);const s={title:"Air-Gap Install"},t=void 0,l={id:"installation/airgap",title:"Air-Gap Install",description:"You can install K3s in an air-gapped environment using two different methods. An air-gapped environment is any environment that is not directly connected to the Internet. You can either deploy a private registry and mirror docker.io, or you can manually deploy images such as for small clusters.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/installation/airgap.md",sourceDirName:"installation",slug:"/installation/airgap",permalink:"/kr/installation/airgap",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/airgap.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Air-Gap Install"},sidebar:"mySidebar",previous:{title:"Embedded Registry Mirror",permalink:"/kr/installation/registry-mirror"},next:{title:"Managing Server Roles",permalink:"/kr/installation/server-roles"}},o={},d=[{value:"Load Images",id:"load-images",level:2},{value:"Private Registry Method",id:"private-registry-method",level:3},{value:"Create the Registry YAML and Push Images",id:"create-the-registry-yaml-and-push-images",level:4},{value:"Manually Deploy Images Method",id:"manually-deploy-images-method",level:3},{value:"Prepare the Images Directory and Airgap Image Tarball",id:"prepare-the-images-directory-and-airgap-image-tarball",level:4},{value:"Embedded Registry Mirror",id:"embedded-registry-mirror",level:3},{value:"Install K3s",id:"install-k3s",level:2},{value:"Prerequisites",id:"prerequisites",level:3},{value:"Binaries",id:"binaries",level:4},{value:"Default Network Route",id:"default-network-route",level:4},{value:"SELinux RPM",id:"selinux-rpm",level:4},{value:"Installing K3s in an Air-Gapped Environment",id:"installing-k3s-in-an-air-gapped-environment",level:3},{value:"Upgrading",id:"upgrading",level:2},{value:"Install Script Method",id:"install-script-method",level:3},{value:"Automated Upgrades Method",id:"automated-upgrades-method",level:3}];function h(e){const r={a:"a",admonition:"admonition",code:"code",h2:"h2",h3:"h3",h4:"h4",li:"li",ol:"ol",p:"p",pre:"pre",ul:"ul",...(0,i.a)(),...e.components},{TabItem:n,Tabs:s}=r;return n||u("TabItem",!0),s||u("Tabs",!0),(0,a.jsxs)(a.Fragment,{children:[(0,a.jsx)(r.p,{children:"You can install K3s in an air-gapped environment using two different methods. An air-gapped environment is any environment that is not directly connected to the Internet. You can either deploy a private registry and mirror docker.io, or you can manually deploy images such as for small clusters."}),"\n",(0,a.jsx)(r.h2,{id:"load-images",children:"Load Images"}),"\n",(0,a.jsx)(r.h3,{id:"private-registry-method",children:"Private Registry Method"}),"\n",(0,a.jsx)(r.p,{children:"These steps assume you have already created nodes in your air-gap environment,\nare using the bundled containerd as the container runtime,\nand have a OCI-compliant private registry available in your environment."}),"\n",(0,a.jsxs)(r.p,{children:["If you have not yet set up a private Docker registry, refer to the ",(0,a.jsx)(r.a,{href:"https://docs.docker.com/registry/deploying/#run-an-externally-accessible-registry",children:"official Registry documentation"}),"."]}),"\n",(0,a.jsx)(r.h4,{id:"create-the-registry-yaml-and-push-images",children:"Create the Registry YAML and Push Images"}),"\n",(0,a.jsxs)(r.ol,{children:["\n",(0,a.jsxs)(r.li,{children:["Obtain the images archive for your architecture from the ",(0,a.jsx)(r.a,{href:"https://github.com/k3s-io/k3s/releases",children:"releases"})," page for the version of K3s you will be running."]}),"\n",(0,a.jsxs)(r.li,{children:["Use ",(0,a.jsx)(r.code,{children:"docker image load k3s-airgap-images-amd64.tar.zst"})," to import images from the tar file into docker."]}),"\n",(0,a.jsxs)(r.li,{children:["Use ",(0,a.jsx)(r.code,{children:"docker tag"})," and ",(0,a.jsx)(r.code,{children:"docker push"})," to retag and push the loaded images to your private registry."]}),"\n",(0,a.jsxs)(r.li,{children:["Follow the ",(0,a.jsx)(r.a,{href:"/kr/installation/private-registry",children:"Private Registry Configuration"})," guide to create and configure the ",(0,a.jsx)(r.code,{children:"registries.yaml"})," file."]}),"\n",(0,a.jsxs)(r.li,{children:["Proceed to the ",(0,a.jsx)(r.a,{href:"#install-k3s",children:"Install K3s"})," section below."]}),"\n"]}),"\n",(0,a.jsx)(r.h3,{id:"manually-deploy-images-method",children:"Manually Deploy Images Method"}),"\n",(0,a.jsx)(r.p,{children:"These steps assume you have already created nodes in your air-gap environment,\nare using the bundled containerd as the container runtime,\nand cannot or do not want to use a private registry."}),"\n",(0,a.jsx)(r.p,{children:"This method requires you to manually deploy the necessary images to each node, and is appropriate for edge deployments where running a private registry is not practical."}),"\n",(0,a.jsx)(r.h4,{id:"prepare-the-images-directory-and-airgap-image-tarball",children:"Prepare the Images Directory and Airgap Image Tarball"}),"\n",(0,a.jsxs)(r.ol,{children:["\n",(0,a.jsxs)(r.li,{children:["Obtain the images archive for your architecture from the ",(0,a.jsx)(r.a,{href:"https://github.com/k3s-io/k3s/releases",children:"releases"})," page for the version of K3s you will be running."]}),"\n",(0,a.jsx)(r.li,{children:"Download the images archive to the agent's images directory, for example:"}),"\n"]}),"\n",(0,a.jsx)(r.pre,{children:(0,a.jsx)(r.code,{className:"language-bash",children:"sudo mkdir -p /var/lib/rancher/k3s/agent/images/\nsudo curl -L -O /var/lib/rancher/k3s/agent/images/k3s-airgap-images-amd64.tar.zst https://github.com/k3s-io/k3s/releases/download/v1.29.1-rc2%2Bk3s1/k3s-airgap-images-amd64.tar.zst\n"})}),"\n",(0,a.jsxs)(r.ol,{start:"3",children:["\n",(0,a.jsxs)(r.li,{children:["Proceed to the ",(0,a.jsx)(r.a,{href:"#install-k3s",children:"Install K3s"})," section below."]}),"\n"]}),"\n",(0,a.jsx)(r.h3,{id:"embedded-registry-mirror",children:"Embedded Registry Mirror"}),"\n",(0,a.jsx)(r.admonition,{title:"Version Gate",type:"info",children:(0,a.jsx)(r.p,{children:"The Embedded Registry Mirror is available as an experimental feature as of January 2024 releases: v1.26.13+k3s1, v1.27.10+k3s1, v1.28.6+k3s1, v1.29.1+k3s1"})}),"\n",(0,a.jsx)(r.p,{children:"K3s includes an embedded distributed OCI-compliant registry mirror.\nWhen enabled and properly configured, images available in the containerd image store on any node\ncan be pulled by other cluster members without access to an external image registry."}),"\n",(0,a.jsxs)(r.p,{children:["The mirrored images may be sourced from an upstream registry, registry mirror, or airgap image tarball.\nFor more information on enabling the embedded distributed registry mirror, see the ",(0,a.jsx)(r.a,{href:"/kr/installation/registry-mirror",children:"Embedded Registry Mirror"})," documentation."]}),"\n",(0,a.jsx)(r.h2,{id:"install-k3s",children:"Install K3s"}),"\n",(0,a.jsx)(r.h3,{id:"prerequisites",children:"Prerequisites"}),"\n",(0,a.jsxs)(r.p,{children:["Before installing K3s, complete the ",(0,a.jsx)(r.a,{href:"#private-registry-method",children:"Private Registry Method"})," or the ",(0,a.jsx)(r.a,{href:"#manually-deploy-images-method",children:"Manually Deploy Images Method"})," above to prepopulate the images that K3s needs to install."]}),"\n",(0,a.jsx)(r.h4,{id:"binaries",children:"Binaries"}),"\n",(0,a.jsxs)(r.ul,{children:["\n",(0,a.jsxs)(r.li,{children:["Download the K3s binary from the ",(0,a.jsx)(r.a,{href:"https://github.com/k3s-io/k3s/releases",children:"releases"})," page, matching the same version used to get the airgap images. Place the binary in ",(0,a.jsx)(r.code,{children:"/usr/local/bin"})," on each air-gapped node and ensure it is executable."]}),"\n",(0,a.jsxs)(r.li,{children:["Download the K3s install script at ",(0,a.jsx)(r.a,{href:"https://get.k3s.io",children:"get.k3s.io"}),". Place the install script anywhere on each air-gapped node, and name it ",(0,a.jsx)(r.code,{children:"install.sh"}),"."]}),"\n"]}),"\n",(0,a.jsx)(r.h4,{id:"default-network-route",children:"Default Network Route"}),"\n",(0,a.jsx)(r.p,{children:"If your nodes do not have an interface with a default route, a default route must be configured; even a black-hole route via a dummy interface will suffice. K3s requires a default route in order to auto-detect the node's primary IP, and for kube-proxy ClusterIP routing to function properly. To add a dummy route, do the following:"}),"\n",(0,a.jsx)(r.pre,{children:(0,a.jsx)(r.code,{children:"ip link add dummy0 type dummy\nip link set dummy0 up\nip addr add 203.0.113.254/31 dev dummy0\nip route add default via 203.0.113.255 dev dummy0 metric 1000\n"})}),"\n",(0,a.jsxs)(r.p,{children:["When running the K3s script with the ",(0,a.jsx)(r.code,{children:"INSTALL_K3S_SKIP_DOWNLOAD"})," environment variable, K3s will use the local version of the script and binary."]}),"\n",(0,a.jsx)(r.h4,{id:"selinux-rpm",children:"SELinux RPM"}),"\n",(0,a.jsxs)(r.p,{children:["If you intend to deploy K3s with SELinux enabled, you will need also install the appropriate k3s-selinux RPM on all nodes. The latest version of the RPM can be found ",(0,a.jsx)(r.a,{href:"https://github.com/k3s-io/k3s-selinux/releases/latest",children:"here"}),". For example, on CentOS 8:"]}),"\n",(0,a.jsx)(r.pre,{children:(0,a.jsx)(r.code,{className:"language-bash",children:"On internet accessible machine:\ncurl -LO https://github.com/k3s-io/k3s-selinux/releases/download/v1.4.stable.1/k3s-selinux-1.4-1.el8.noarch.rpm\n\n# Transfer RPM to air-gapped machine\nOn air-gapped machine:\nsudo yum install ./k3s-selinux-1.4-1.el8.noarch.rpm\n"})}),"\n",(0,a.jsxs)(r.p,{children:["See the ",(0,a.jsx)(r.a,{href:"/kr/advanced#selinux-support",children:"SELinux"})," section for more information."]}),"\n",(0,a.jsx)(r.h3,{id:"installing-k3s-in-an-air-gapped-environment",children:"Installing K3s in an Air-Gapped Environment"}),"\n",(0,a.jsx)(r.p,{children:"You can install K3s on one or more servers as described below."}),"\n",(0,a.jsxs)(s,{children:[(0,a.jsxs)(n,{value:"Single Server Configuration",default:!0,children:[(0,a.jsx)(r.p,{children:"To install K3s on a single server, simply do the following on the server node:"}),(0,a.jsx)(r.pre,{children:(0,a.jsx)(r.code,{className:"language-bash",children:"INSTALL_K3S_SKIP_DOWNLOAD=true ./install.sh\n"})}),(0,a.jsx)(r.p,{children:"To add additional agents, do the following on each agent node:"}),(0,a.jsx)(r.pre,{children:(0,a.jsx)(r.code,{className:"language-bash",children:"INSTALL_K3S_SKIP_DOWNLOAD=true K3S_URL=https://:6443 K3S_TOKEN= ./install.sh\n"})}),(0,a.jsx)(r.admonition,{type:"note",children:(0,a.jsxs)(r.p,{children:["The token from the server is typically found at ",(0,a.jsx)(r.code,{children:"/var/lib/rancher/k3s/server/token"}),"."]})})]}),(0,a.jsxs)(n,{value:"High Availability Configuration",default:!0,children:[(0,a.jsxs)(r.p,{children:["Reference the ",(0,a.jsx)(r.a,{href:"/kr/datastore/ha",children:"High Availability with an External DB"})," or ",(0,a.jsx)(r.a,{href:"/kr/datastore/ha-embedded",children:"High Availability with Embedded DB"})," guides. You will be tweaking install commands so you specify ",(0,a.jsx)(r.code,{children:"INSTALL_K3S_SKIP_DOWNLOAD=true"})," and run your install script locally instead of via curl. You will also utilize ",(0,a.jsx)(r.code,{children:"INSTALL_K3S_EXEC='args'"})," to supply any arguments to k3s."]}),(0,a.jsx)(r.p,{children:"For example, step two of the High Availability with an External DB guide mentions the following:"}),(0,a.jsx)(r.pre,{children:(0,a.jsx)(r.code,{className:"language-bash",children:'curl -sfL https://get.k3s.io | sh -s - server \\\n --token=SECRET \\\n --datastore-endpoint="mysql://username:password@tcp(hostname:3306)/database-name"\n'})}),(0,a.jsx)(r.p,{children:"Instead, you would modify such examples like below:"}),(0,a.jsx)(r.pre,{children:(0,a.jsx)(r.code,{className:"language-bash",children:"INSTALL_K3S_SKIP_DOWNLOAD=true INSTALL_K3S_EXEC='server --token=SECRET' \\\nK3S_DATASTORE_ENDPOINT='mysql://username:password@tcp(hostname:3306)/database-name' \\\n./install.sh\n"})})]})]}),"\n",(0,a.jsx)(r.admonition,{type:"note",children:(0,a.jsxs)(r.p,{children:["K3s's ",(0,a.jsx)(r.code,{children:"--resolv-conf"})," flag is passed through to the kubelet, which may help with configuring pod DNS resolution in air-gap networks where the host does not have upstream nameservers configured."]})}),"\n",(0,a.jsx)(r.h2,{id:"upgrading",children:"Upgrading"}),"\n",(0,a.jsx)(r.h3,{id:"install-script-method",children:"Install Script Method"}),"\n",(0,a.jsx)(r.p,{children:"Upgrading an air-gap environment can be accomplished in the following manner:"}),"\n",(0,a.jsxs)(r.ol,{children:["\n",(0,a.jsxs)(r.li,{children:["Download the new air-gap images (tar file) from the ",(0,a.jsx)(r.a,{href:"https://github.com/k3s-io/k3s/releases",children:"releases"})," page for the version of K3s you will be upgrading to. Place the tar in the ",(0,a.jsx)(r.code,{children:"/var/lib/rancher/k3s/agent/images/"})," directory on each\nnode. Delete the old tar file."]}),"\n",(0,a.jsxs)(r.li,{children:["Copy and replace the old K3s binary in ",(0,a.jsx)(r.code,{children:"/usr/local/bin"})," on each node. Copy over the install script at ",(0,a.jsx)(r.a,{href:"https://get.k3s.io",children:"https://get.k3s.io"})," (as it is possible it has changed since the last release). Run the script again just as you had done in the past\nwith the same environment variables."]}),"\n",(0,a.jsx)(r.li,{children:"Restart the K3s service (if not restarted automatically by installer)."}),"\n"]}),"\n",(0,a.jsx)(r.h3,{id:"automated-upgrades-method",children:"Automated Upgrades Method"}),"\n",(0,a.jsxs)(r.p,{children:["K3s supports ",(0,a.jsx)(r.a,{href:"/kr/upgrades/automated",children:"automated upgrades"}),". To enable this in air-gapped environments, you must ensure the required images are available in your private registry."]}),"\n",(0,a.jsxs)(r.p,{children:["You will need the version of rancher/k3s-upgrade that corresponds to the version of K3s you intend to upgrade to. Note, the image tag replaces the ",(0,a.jsx)(r.code,{children:"+"})," in the K3s release with a ",(0,a.jsx)(r.code,{children:"-"})," because Docker images do not support ",(0,a.jsx)(r.code,{children:"+"}),"."]}),"\n",(0,a.jsxs)(r.p,{children:["You will also need the versions of system-upgrade-controller and kubectl that are specified in the system-upgrade-controller manifest YAML that you will deploy. Check for the latest release of the system-upgrade-controller ",(0,a.jsx)(r.a,{href:"https://github.com/rancher/system-upgrade-controller/releases/latest",children:"here"})," and download the system-upgrade-controller.yaml to determine the versions you need to push to your private registry. For example, in release v0.4.0 of the system-upgrade-controller, these images are specified in the manifest YAML:"]}),"\n",(0,a.jsx)(r.pre,{children:(0,a.jsx)(r.code,{children:"rancher/system-upgrade-controller:v0.4.0\nrancher/kubectl:v0.17.0\n"})}),"\n",(0,a.jsxs)(r.p,{children:["Once you have added the necessary rancher/k3s-upgrade, rancher/system-upgrade-controller, and rancher/kubectl images to your private registry, follow the ",(0,a.jsx)(r.a,{href:"/kr/upgrades/automated",children:"automated upgrades"})," guide."]})]})}function c(e={}){const{wrapper:r}={...(0,i.a)(),...e.components};return r?(0,a.jsx)(r,{...e,children:(0,a.jsx)(h,{...e})}):h(e)}function u(e,r){throw new Error("Expected "+(r?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,r,n)=>{n.d(r,{Z:()=>l,a:()=>t});var a=n(7294);const i={},s=a.createContext(i);function t(e){const r=a.useContext(s);return a.useMemo((function(){return"function"==typeof e?e(r):{...r,...e}}),[r,e])}function l(e){let r;return r=e.disableParentContext?"function"==typeof e.components?e.components(i):e.components||i:t(e.components),a.createElement(s.Provider,{value:r},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/43a3241e.464912cc.js b/kr/assets/js/43a3241e.464912cc.js deleted file mode 100644 index 923360368..000000000 --- a/kr/assets/js/43a3241e.464912cc.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[3892],{1465:(e,s,n)=>{n.r(s),n.d(s,{assets:()=>t,contentTitle:()=>l,default:()=>a,frontMatter:()=>d,metadata:()=>c,toc:()=>o});var i=n(5893),r=n(1151);const d={title:"\uc790\uc8fc \ubb3b\ub294 \uc9c8\ubb38"},l=void 0,c={id:"faq",title:"\uc790\uc8fc \ubb3b\ub294 \uc9c8\ubb38",description:"\uc790\uc8fc \ubb3b\ub294 \uc9c8\ubb38\uc740 \uc8fc\uae30\uc801\uc73c\ub85c \uc5c5\ub370\uc774\ud2b8\ub418\uba70, \uc0ac\uc6a9\uc790\uac00 K3s\uc5d0 \ub300\ud574 \uac00\uc7a5 \uc790\uc8fc \ubb3b\ub294 \uc9c8\ubb38\uc5d0 \ub300\ud55c \ub2f5\ubcc0\uc73c\ub85c \uad6c\uc131\ub418\uc5b4 \uc788\uc2b5\ub2c8\ub2e4.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/faq.md",sourceDirName:".",slug:"/faq",permalink:"/kr/faq",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/faq.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"\uc790\uc8fc \ubb3b\ub294 \uc9c8\ubb38"},sidebar:"mySidebar",previous:{title:"\uc54c\ub824\uc9c4 \uc774\uc288",permalink:"/kr/known-issues"}},t={},o=[{value:"K3s\uac00 Kubernetes\ub97c \ub300\uccb4\ud558\uae30\uc5d0 \uc801\ud569\ud55c\uac00\uc694?",id:"k3s\uac00-kubernetes\ub97c-\ub300\uccb4\ud558\uae30\uc5d0-\uc801\ud569\ud55c\uac00\uc694",level:3},{value:"Traefik \ub300\uc2e0 \uc790\uccb4 Ingress\ub97c \uc0ac\uc6a9\ud558\ub824\uba74 \uc5b4\ub5bb\uac8c \ud574\uc57c \ud558\ub098\uc694?",id:"traefik-\ub300\uc2e0-\uc790\uccb4-ingress\ub97c-\uc0ac\uc6a9\ud558\ub824\uba74-\uc5b4\ub5bb\uac8c-\ud574\uc57c-\ud558\ub098\uc694",level:3},{value:"K3s\ub294 Windows\ub97c \uc9c0\uc6d0\ud558\ub098\uc694?",id:"k3s\ub294-windows\ub97c-\uc9c0\uc6d0\ud558\ub098\uc694",level:3},{value:"\uc18c\uc2a4\ub85c\ubd80\ud130 \ube4c\ub4dc\ud558\ub824\uba74 \uc5b4\ub5bb\uac8c \ud574\uc57c \ud558\ub098\uc694?",id:"\uc18c\uc2a4\ub85c\ubd80\ud130-\ube4c\ub4dc\ud558\ub824\uba74-\uc5b4\ub5bb\uac8c-\ud574\uc57c-\ud558\ub098\uc694",level:3},{value:"K3s \ub85c\uadf8\ub294 \uc5b4\ub514\uc5d0 \uc788\ub098\uc694?",id:"k3s-\ub85c\uadf8\ub294-\uc5b4\ub514\uc5d0-\uc788\ub098\uc694",level:3},{value:"Docker\uc5d0\uc11c K3s\ub97c \uc2e4\ud589\ud560 \uc218 \uc788\ub098\uc694?",id:"docker\uc5d0\uc11c-k3s\ub97c-\uc2e4\ud589\ud560-\uc218-\uc788\ub098\uc694",level:3},{value:"K3s \uc11c\ubc84\uc640 \uc5d0\uc774\uc804\ud2b8 \ud1a0\ud070\uc758 \ucc28\uc774\uc810\uc740 \ubb34\uc5c7\uc778\uac00\uc694?",id:"k3s-\uc11c\ubc84\uc640-\uc5d0\uc774\uc804\ud2b8-\ud1a0\ud070\uc758-\ucc28\uc774\uc810\uc740-\ubb34\uc5c7\uc778\uac00\uc694",level:3},{value:"K3s\uc758 \ub2e4\ub978 \ubc84\uc804\ub4e4\uc740 \uc5bc\ub9c8\ub098 \ud638\ud658\ub418\ub098\uc694?",id:"k3s\uc758-\ub2e4\ub978-\ubc84\uc804\ub4e4\uc740-\uc5bc\ub9c8\ub098-\ud638\ud658\ub418\ub098\uc694",level:3},{value:"\ubb38\uc81c\uac00 \ubc1c\uc0dd\ud588\ub294\ub370 \uc5b4\ub514\uc11c \ub3c4\uc6c0\uc744 \ubc1b\uc744 \uc218 \uc788\ub098\uc694?",id:"\ubb38\uc81c\uac00-\ubc1c\uc0dd\ud588\ub294\ub370-\uc5b4\ub514\uc11c-\ub3c4\uc6c0\uc744-\ubc1b\uc744-\uc218-\uc788\ub098\uc694",level:3}];function h(e){const s={a:"a",code:"code",h3:"h3",li:"li",ol:"ol",p:"p",ul:"ul",...(0,r.a)(),...e.components};return(0,i.jsxs)(i.Fragment,{children:[(0,i.jsx)(s.p,{children:"\uc790\uc8fc \ubb3b\ub294 \uc9c8\ubb38\uc740 \uc8fc\uae30\uc801\uc73c\ub85c \uc5c5\ub370\uc774\ud2b8\ub418\uba70, \uc0ac\uc6a9\uc790\uac00 K3s\uc5d0 \ub300\ud574 \uac00\uc7a5 \uc790\uc8fc \ubb3b\ub294 \uc9c8\ubb38\uc5d0 \ub300\ud55c \ub2f5\ubcc0\uc73c\ub85c \uad6c\uc131\ub418\uc5b4 \uc788\uc2b5\ub2c8\ub2e4."}),"\n",(0,i.jsx)(s.h3,{id:"k3s\uac00-kubernetes\ub97c-\ub300\uccb4\ud558\uae30\uc5d0-\uc801\ud569\ud55c\uac00\uc694",children:"K3s\uac00 Kubernetes\ub97c \ub300\uccb4\ud558\uae30\uc5d0 \uc801\ud569\ud55c\uac00\uc694?"}),"\n",(0,i.jsxs)(s.p,{children:["K3s\ub294 CNCF \uc778\uc99d\uc744 \ubc1b\uc740 Kubernetes \ubc30\ud3ec\ud310\uc73c\ub85c, \ud45c\uc900 Kubernetes \ud074\ub7ec\uc2a4\ud130\uc5d0 \ud544\uc694\ud55c \ubaa8\ub4e0 \uc791\uc5c5\uc744 \uc218\ud589\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \ub2e8\uc9c0 \ub354 \uac00\ubcbc\uc6b4 \ubc84\uc804\uc77c \ubfd0\uc785\ub2c8\ub2e4. \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,i.jsx)(s.a,{href:"/kr/",children:"main"})," \ubb38\uc11c \ud398\uc774\uc9c0\ub97c \ucc38\uc870\ud558\uc138\uc694."]}),"\n",(0,i.jsx)(s.h3,{id:"traefik-\ub300\uc2e0-\uc790\uccb4-ingress\ub97c-\uc0ac\uc6a9\ud558\ub824\uba74-\uc5b4\ub5bb\uac8c-\ud574\uc57c-\ud558\ub098\uc694",children:"Traefik \ub300\uc2e0 \uc790\uccb4 Ingress\ub97c \uc0ac\uc6a9\ud558\ub824\uba74 \uc5b4\ub5bb\uac8c \ud574\uc57c \ud558\ub098\uc694?"}),"\n",(0,i.jsxs)(s.p,{children:[(0,i.jsx)(s.code,{children:"--disable=traefik"}),"\uc73c\ub85c K3s \uc11c\ubc84\ub97c \uc2dc\uc791\ud558\uace0 \uc778\uadf8\ub808\uc2a4\ub97c \ubc30\ud3ec\ud558\uae30\ub9cc \ud558\uba74 \ub429\ub2c8\ub2e4."]}),"\n",(0,i.jsx)(s.h3,{id:"k3s\ub294-windows\ub97c-\uc9c0\uc6d0\ud558\ub098\uc694",children:"K3s\ub294 Windows\ub97c \uc9c0\uc6d0\ud558\ub098\uc694?"}),"\n",(0,i.jsx)(s.p,{children:"\ud604\uc7ac K3s\ub294 \uae30\ubcf8\uc801\uc73c\ub85c Windows\ub97c \uc9c0\uc6d0\ud558\uc9c0 \uc54a\uc9c0\ub9cc, \ucd94\ud6c4\uc5d0 \uc9c0\uc6d0\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."}),"\n",(0,i.jsx)(s.h3,{id:"\uc18c\uc2a4\ub85c\ubd80\ud130-\ube4c\ub4dc\ud558\ub824\uba74-\uc5b4\ub5bb\uac8c-\ud574\uc57c-\ud558\ub098\uc694",children:"\uc18c\uc2a4\ub85c\ubd80\ud130 \ube4c\ub4dc\ud558\ub824\uba74 \uc5b4\ub5bb\uac8c \ud574\uc57c \ud558\ub098\uc694?"}),"\n",(0,i.jsxs)(s.p,{children:["K3s ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/blob/master/BUILDING.md",children:"BUILDING.md"}),"\uc5d0\uc11c \uc9c0\uce68\uc744 \ucc38\uc870\ud558\uc2dc\uae30 \ubc14\ub78d\ub2c8\ub2e4."]}),"\n",(0,i.jsx)(s.h3,{id:"k3s-\ub85c\uadf8\ub294-\uc5b4\ub514\uc5d0-\uc788\ub098\uc694",children:"K3s \ub85c\uadf8\ub294 \uc5b4\ub514\uc5d0 \uc788\ub098\uc694?"}),"\n",(0,i.jsx)(s.p,{children:"K3s \ub85c\uadf8\uc758 \uc704\uce58\ub294 K3s\ub97c \uc2e4\ud589\ud558\ub294 \ubc29\ubc95\uacfc \ub178\ub4dc\uc758 OS\uc5d0 \ub530\ub77c \ub2ec\ub77c\uc9d1\ub2c8\ub2e4."}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"\uba85\ub839\uc904\uc5d0\uc11c \uc2e4\ud589\ud560 \uacbd\uc6b0, \ub85c\uadf8\ub294 stdout\uacfc stderr\ub85c \uc804\uc1a1\ub429\ub2c8\ub2e4."}),"\n",(0,i.jsxs)(s.li,{children:["openrc\uc5d0\uc11c \uc2e4\ud589\ud558\uba74 ",(0,i.jsx)(s.code,{children:"/var/log/k3s.log"}),"\uc5d0 \ub85c\uadf8\uac00 \uc0dd\uc131\ub429\ub2c8\ub2e4."]}),"\n",(0,i.jsxs)(s.li,{children:["Systemd\uc5d0\uc11c \uc2e4\ud589\ud558\ub294 \uacbd\uc6b0, \ub85c\uadf8\ub294 \uc800\ub110\ub110\ub85c \uc804\uc1a1\ub418\uba70 ",(0,i.jsx)(s.code,{children:"journalctl -u k3s"}),"\ub97c \uc0ac\uc6a9\ud558\uc5ec \ubcfc \uc218 \uc788\uc2b5\ub2c8\ub2e4."]}),"\n",(0,i.jsxs)(s.li,{children:["\ud30c\ub4dc \ub85c\uadf8\ub294 ",(0,i.jsx)(s.code,{children:"/var/log/pods"}),"\uc5d0\uc11c \ud655\uc778\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."]}),"\n",(0,i.jsxs)(s.li,{children:["\ucee8\ud14c\uc774\ub108 \ub85c\uadf8\ub294 ",(0,i.jsx)(s.code,{children:"/var/lib/rancher/k3s/agent/containerd/containerd.log"}),"\uc5d0\uc11c \ud655\uc778\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."]}),"\n"]}),"\n",(0,i.jsxs)(s.p,{children:["K3s\ub97c \uc2dc\uc791\ud560 \ub54c ",(0,i.jsx)(s.code,{children:"--debug"})," \ud50c\ub798\uadf8(\ub610\ub294 \ud658\uacbd\uc124\uc815 \ud30c\uc77c\uc5d0\uc11c ",(0,i.jsx)(s.code,{children:"debug: true"}),")\ub97c \uc0ac\uc6a9\ud558\uba74 \ub354 \uc790\uc138\ud55c \ub85c\uadf8\ub97c \uc0dd\uc131\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."]}),"\n",(0,i.jsxs)(s.p,{children:["\ucfe0\ubc84\ub124\ud2f0\uc2a4\ub294 \ud504\ub85c\uc138\uc2a4 \ub0b4\uc758 \ubaa8\ub4e0 \ucef4\ud3ec\ub10c\ud2b8\uc5d0 \ub300\ud574 \ub2e8\uc77c \ub85c\uae45 \uad6c\uc131\uc744 \uc0ac\uc6a9\ud558\ub294 ",(0,i.jsx)(s.code,{children:"klog"}),"\ub77c\ub294 \ub85c\uae45 \ud504\ub808\uc784\uc6cc\ud06c\ub97c \uc0ac\uc6a9\ud569\ub2c8\ub2e4.\nK3s\ub294 \ub2e8\uc77c \ud504\ub85c\uc138\uc2a4 \ub0b4\uc5d0\uc11c \ubaa8\ub4e0 \ucfe0\ubc84\ub124\ud2f0\uc2a4 \ucef4\ud3ec\ub10c\ud2b8\ub97c \uc2e4\ud589\ud558\uae30 \ub54c\ubb38\uc5d0, \uac1c\ubcc4 \ucfe0\ubc84\ub124\ud2f0\uc2a4 \ucef4\ud3ec\ub10c\ud2b8\uc5d0 \ub300\ud574 \ub2e4\ub978 \ub85c\uadf8 \ub808\ubca8\uc774\ub098 \ub300\uc0c1\uc744 \uad6c\uc131\ud560 \uc218 \uc5c6\uc2b5\ub2c8\ub2e4.\n",(0,i.jsx)(s.code,{children:"-v="}),"\ub610\ub294",(0,i.jsx)(s.code,{children:"--vmodule=="})," \ucef4\ud3ec\ub10c\ud2b8 \uc778\uc218\ub97c \uc0ac\uc6a9\ud558\uba74 \uc6d0\ud558\ub294 \ud6a8\uacfc\ub97c \uc5bb\uc9c0 \ubabb\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."]}),"\n",(0,i.jsxs)(s.p,{children:["\ub354 \ub9ce\uc740 \ub85c\uadf8 \uc635\uc158\uc740 ",(0,i.jsx)(s.a,{href:"/kr/advanced#additional-logging-sources",children:"\ucd94\uac00 \ub85c\uae45 \uc18c\uc2a4"}),"\ub97c \ucc38\uc870\ud558\uc138\uc694."]}),"\n",(0,i.jsx)(s.h3,{id:"docker\uc5d0\uc11c-k3s\ub97c-\uc2e4\ud589\ud560-\uc218-\uc788\ub098\uc694",children:"Docker\uc5d0\uc11c K3s\ub97c \uc2e4\ud589\ud560 \uc218 \uc788\ub098\uc694?"}),"\n",(0,i.jsxs)(s.p,{children:["\uc608, Docker\uc5d0\uc11c K3s\ub97c \uc2e4\ud589\ud558\ub294 \ubc29\ubc95\uc740 \uc5ec\ub7ec \uac00\uc9c0\uac00 \uc788\uc2b5\ub2c8\ub2e4. \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,i.jsx)(s.a,{href:"/kr/advanced#running-k3s-in-docker",children:"\uace0\uae09 \uc635\uc158"}),"\uc744 \ucc38\uc870\ud558\uc138\uc694."]}),"\n",(0,i.jsx)(s.h3,{id:"k3s-\uc11c\ubc84\uc640-\uc5d0\uc774\uc804\ud2b8-\ud1a0\ud070\uc758-\ucc28\uc774\uc810\uc740-\ubb34\uc5c7\uc778\uac00\uc694",children:"K3s \uc11c\ubc84\uc640 \uc5d0\uc774\uc804\ud2b8 \ud1a0\ud070\uc758 \ucc28\uc774\uc810\uc740 \ubb34\uc5c7\uc778\uac00\uc694?"}),"\n",(0,i.jsxs)(s.p,{children:["K3s \uc870\uc778 \ud1a0\ud070 \uad00\ub9ac\uc5d0 \ub300\ud55c \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,i.jsxs)(s.a,{href:"/kr/cli/token",children:[(0,i.jsx)(s.code,{children:"k3s token"})," \uba85\ub839\uc5b4 \uc124\uba85\uc11c"]}),"\ub97c \ucc38\uc870\ud558\uc138\uc694."]}),"\n",(0,i.jsx)(s.h3,{id:"k3s\uc758-\ub2e4\ub978-\ubc84\uc804\ub4e4\uc740-\uc5bc\ub9c8\ub098-\ud638\ud658\ub418\ub098\uc694",children:"K3s\uc758 \ub2e4\ub978 \ubc84\uc804\ub4e4\uc740 \uc5bc\ub9c8\ub098 \ud638\ud658\ub418\ub098\uc694?"}),"\n",(0,i.jsxs)(s.p,{children:["\uc77c\ubc18\uc801\uc73c\ub85c ",(0,i.jsx)(s.a,{href:"https://kubernetes.io/ko/releases/version-skew-policy/",children:"\ucfe0\ubc84\ub124\ud2f0\uc2a4 \ubc84\uc804 skew \uc815\ucc45"}),"\uc774 \uc801\uc6a9\ub429\ub2c8\ub2e4."]}),"\n",(0,i.jsx)(s.p,{children:"\uc989, \uc11c\ubc84\uac00 \uc5d0\uc774\uc804\ud2b8\ubcf4\ub2e4 \ucd5c\uc2e0 \ubc84\uc804\uc77c \uc218\ub294 \uc788\uc9c0\ub9cc \uc5d0\uc774\uc804\ud2b8\uac00 \uc11c\ubc84\ubcf4\ub2e4 \ucd5c\uc2e0 \ubc84\uc804\uc77c \uc218\ub294 \uc5c6\uc2b5\ub2c8\ub2e4."}),"\n",(0,i.jsx)(s.h3,{id:"\ubb38\uc81c\uac00-\ubc1c\uc0dd\ud588\ub294\ub370-\uc5b4\ub514\uc11c-\ub3c4\uc6c0\uc744-\ubc1b\uc744-\uc218-\uc788\ub098\uc694",children:"\ubb38\uc81c\uac00 \ubc1c\uc0dd\ud588\ub294\ub370 \uc5b4\ub514\uc11c \ub3c4\uc6c0\uc744 \ubc1b\uc744 \uc218 \uc788\ub098\uc694?"}),"\n",(0,i.jsx)(s.p,{children:"K3s\ub97c \ubc30\ud3ec\ud558\ub294 \ub370 \ubb38\uc81c\uac00 \uc788\ub294 \uacbd\uc6b0 \ub2e4\uc74c\uacfc \uac19\uc774 \ud558\uc138\uc694:"}),"\n",(0,i.jsxs)(s.ol,{children:["\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.p,{children:[(0,i.jsx)(s.a,{href:"/kr/known-issues",children:"\uc54c\ub824\uc9c4 \ubb38\uc81c"})," \ud398\uc774\uc9c0\ub97c \ud655\uc778\ud558\uc138\uc694."]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.p,{children:[(0,i.jsx)(s.a,{href:"/kr/advanced#%EC%B6%94%EA%B0%80-os-%EC%A4%80%EB%B9%84-%EC%82%AC%ED%95%AD",children:"\ucd94\uac00 OS \uc900\ube44\uc0ac\ud56d"}),"\uc744 \ubaa8\ub450 \ud574\uacb0\ud588\ub294\uc9c0 \ud655\uc778\ud569\ub2c8\ub2e4. ",(0,i.jsx)(s.code,{children:"k3s check-config"}),"\ub97c \uc2e4\ud589\ud558\uace0 \ud1b5\uacfc\ud588\ub294\uc9c0 \ud655\uc778\ud569\ub2c8\ub2e4."]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.p,{children:["K3s ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/issues",children:"\uc774\uc288"})," \ubc0f ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/discussions",children:"\ud1a0\ub860"}),"\uc5d0\uc11c \ubb38\uc81c\uc640 \uc77c\uce58\ud558\ub294 \ud56d\ubaa9\uc744 \uac80\uc0c9\ud569\ub2c8\ub2e4."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.ol,{start:"4",children:["\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.p,{children:[(0,i.jsx)(s.a,{href:"https://slack.rancher.io/",children:"Rancher \uc2ac\ub799"})," K3s \ucc44\ub110\uc5d0 \uac00\uc785\ud558\uc5ec \ub3c4\uc6c0\uc744 \ubc1b\uc2b5\ub2c8\ub2e4."]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.p,{children:["K3s \uae43\ud5c8\ube0c\uc5d0 \uc124\uc815\uacfc \ubc1c\uc0dd\ud55c \ubb38\uc81c\ub97c \uc124\uba85\ud558\ub294 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/issues/new/choose",children:"\uc0c8 \uc774\uc288"}),"\ub97c \uc81c\ucd9c\ud569\ub2c8\ub2e4."]}),"\n"]}),"\n"]})]})}function a(e={}){const{wrapper:s}={...(0,r.a)(),...e.components};return s?(0,i.jsx)(s,{...e,children:(0,i.jsx)(h,{...e})}):h(e)}},1151:(e,s,n)=>{n.d(s,{Z:()=>c,a:()=>l});var i=n(7294);const r={},d=i.createContext(r);function l(e){const s=i.useContext(d);return i.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function c(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:l(e.components),i.createElement(d.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/43a3241e.b53b6c5a.js b/kr/assets/js/43a3241e.b53b6c5a.js new file mode 100644 index 000000000..e4a31d921 --- /dev/null +++ b/kr/assets/js/43a3241e.b53b6c5a.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[3892],{1465:(e,s,n)=>{n.r(s),n.d(s,{assets:()=>t,contentTitle:()=>l,default:()=>a,frontMatter:()=>d,metadata:()=>c,toc:()=>o});var i=n(5893),r=n(1151);const d={title:"\uc790\uc8fc \ubb3b\ub294 \uc9c8\ubb38"},l=void 0,c={id:"faq",title:"\uc790\uc8fc \ubb3b\ub294 \uc9c8\ubb38",description:"\uc790\uc8fc \ubb3b\ub294 \uc9c8\ubb38\uc740 \uc8fc\uae30\uc801\uc73c\ub85c \uc5c5\ub370\uc774\ud2b8\ub418\uba70, \uc0ac\uc6a9\uc790\uac00 K3s\uc5d0 \ub300\ud574 \uac00\uc7a5 \uc790\uc8fc \ubb3b\ub294 \uc9c8\ubb38\uc5d0 \ub300\ud55c \ub2f5\ubcc0\uc73c\ub85c \uad6c\uc131\ub418\uc5b4 \uc788\uc2b5\ub2c8\ub2e4.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/faq.md",sourceDirName:".",slug:"/faq",permalink:"/kr/faq",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/faq.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"\uc790\uc8fc \ubb3b\ub294 \uc9c8\ubb38"},sidebar:"mySidebar",previous:{title:"\uc54c\ub824\uc9c4 \uc774\uc288",permalink:"/kr/known-issues"}},t={},o=[{value:"K3s\uac00 Kubernetes\ub97c \ub300\uccb4\ud558\uae30\uc5d0 \uc801\ud569\ud55c\uac00\uc694?",id:"k3s\uac00-kubernetes\ub97c-\ub300\uccb4\ud558\uae30\uc5d0-\uc801\ud569\ud55c\uac00\uc694",level:3},{value:"Traefik \ub300\uc2e0 \uc790\uccb4 Ingress\ub97c \uc0ac\uc6a9\ud558\ub824\uba74 \uc5b4\ub5bb\uac8c \ud574\uc57c \ud558\ub098\uc694?",id:"traefik-\ub300\uc2e0-\uc790\uccb4-ingress\ub97c-\uc0ac\uc6a9\ud558\ub824\uba74-\uc5b4\ub5bb\uac8c-\ud574\uc57c-\ud558\ub098\uc694",level:3},{value:"K3s\ub294 Windows\ub97c \uc9c0\uc6d0\ud558\ub098\uc694?",id:"k3s\ub294-windows\ub97c-\uc9c0\uc6d0\ud558\ub098\uc694",level:3},{value:"\uc18c\uc2a4\ub85c\ubd80\ud130 \ube4c\ub4dc\ud558\ub824\uba74 \uc5b4\ub5bb\uac8c \ud574\uc57c \ud558\ub098\uc694?",id:"\uc18c\uc2a4\ub85c\ubd80\ud130-\ube4c\ub4dc\ud558\ub824\uba74-\uc5b4\ub5bb\uac8c-\ud574\uc57c-\ud558\ub098\uc694",level:3},{value:"K3s \ub85c\uadf8\ub294 \uc5b4\ub514\uc5d0 \uc788\ub098\uc694?",id:"k3s-\ub85c\uadf8\ub294-\uc5b4\ub514\uc5d0-\uc788\ub098\uc694",level:3},{value:"Docker\uc5d0\uc11c K3s\ub97c \uc2e4\ud589\ud560 \uc218 \uc788\ub098\uc694?",id:"docker\uc5d0\uc11c-k3s\ub97c-\uc2e4\ud589\ud560-\uc218-\uc788\ub098\uc694",level:3},{value:"K3s \uc11c\ubc84\uc640 \uc5d0\uc774\uc804\ud2b8 \ud1a0\ud070\uc758 \ucc28\uc774\uc810\uc740 \ubb34\uc5c7\uc778\uac00\uc694?",id:"k3s-\uc11c\ubc84\uc640-\uc5d0\uc774\uc804\ud2b8-\ud1a0\ud070\uc758-\ucc28\uc774\uc810\uc740-\ubb34\uc5c7\uc778\uac00\uc694",level:3},{value:"K3s\uc758 \ub2e4\ub978 \ubc84\uc804\ub4e4\uc740 \uc5bc\ub9c8\ub098 \ud638\ud658\ub418\ub098\uc694?",id:"k3s\uc758-\ub2e4\ub978-\ubc84\uc804\ub4e4\uc740-\uc5bc\ub9c8\ub098-\ud638\ud658\ub418\ub098\uc694",level:3},{value:"\ubb38\uc81c\uac00 \ubc1c\uc0dd\ud588\ub294\ub370 \uc5b4\ub514\uc11c \ub3c4\uc6c0\uc744 \ubc1b\uc744 \uc218 \uc788\ub098\uc694?",id:"\ubb38\uc81c\uac00-\ubc1c\uc0dd\ud588\ub294\ub370-\uc5b4\ub514\uc11c-\ub3c4\uc6c0\uc744-\ubc1b\uc744-\uc218-\uc788\ub098\uc694",level:3}];function h(e){const s={a:"a",code:"code",h3:"h3",li:"li",ol:"ol",p:"p",ul:"ul",...(0,r.a)(),...e.components};return(0,i.jsxs)(i.Fragment,{children:[(0,i.jsx)(s.p,{children:"\uc790\uc8fc \ubb3b\ub294 \uc9c8\ubb38\uc740 \uc8fc\uae30\uc801\uc73c\ub85c \uc5c5\ub370\uc774\ud2b8\ub418\uba70, \uc0ac\uc6a9\uc790\uac00 K3s\uc5d0 \ub300\ud574 \uac00\uc7a5 \uc790\uc8fc \ubb3b\ub294 \uc9c8\ubb38\uc5d0 \ub300\ud55c \ub2f5\ubcc0\uc73c\ub85c \uad6c\uc131\ub418\uc5b4 \uc788\uc2b5\ub2c8\ub2e4."}),"\n",(0,i.jsx)(s.h3,{id:"k3s\uac00-kubernetes\ub97c-\ub300\uccb4\ud558\uae30\uc5d0-\uc801\ud569\ud55c\uac00\uc694",children:"K3s\uac00 Kubernetes\ub97c \ub300\uccb4\ud558\uae30\uc5d0 \uc801\ud569\ud55c\uac00\uc694?"}),"\n",(0,i.jsxs)(s.p,{children:["K3s\ub294 CNCF \uc778\uc99d\uc744 \ubc1b\uc740 Kubernetes \ubc30\ud3ec\ud310\uc73c\ub85c, \ud45c\uc900 Kubernetes \ud074\ub7ec\uc2a4\ud130\uc5d0 \ud544\uc694\ud55c \ubaa8\ub4e0 \uc791\uc5c5\uc744 \uc218\ud589\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \ub2e8\uc9c0 \ub354 \uac00\ubcbc\uc6b4 \ubc84\uc804\uc77c \ubfd0\uc785\ub2c8\ub2e4. \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,i.jsx)(s.a,{href:"/kr/",children:"main"})," \ubb38\uc11c \ud398\uc774\uc9c0\ub97c \ucc38\uc870\ud558\uc138\uc694."]}),"\n",(0,i.jsx)(s.h3,{id:"traefik-\ub300\uc2e0-\uc790\uccb4-ingress\ub97c-\uc0ac\uc6a9\ud558\ub824\uba74-\uc5b4\ub5bb\uac8c-\ud574\uc57c-\ud558\ub098\uc694",children:"Traefik \ub300\uc2e0 \uc790\uccb4 Ingress\ub97c \uc0ac\uc6a9\ud558\ub824\uba74 \uc5b4\ub5bb\uac8c \ud574\uc57c \ud558\ub098\uc694?"}),"\n",(0,i.jsxs)(s.p,{children:[(0,i.jsx)(s.code,{children:"--disable=traefik"}),"\uc73c\ub85c K3s \uc11c\ubc84\ub97c \uc2dc\uc791\ud558\uace0 \uc778\uadf8\ub808\uc2a4\ub97c \ubc30\ud3ec\ud558\uae30\ub9cc \ud558\uba74 \ub429\ub2c8\ub2e4."]}),"\n",(0,i.jsx)(s.h3,{id:"k3s\ub294-windows\ub97c-\uc9c0\uc6d0\ud558\ub098\uc694",children:"K3s\ub294 Windows\ub97c \uc9c0\uc6d0\ud558\ub098\uc694?"}),"\n",(0,i.jsx)(s.p,{children:"\ud604\uc7ac K3s\ub294 \uae30\ubcf8\uc801\uc73c\ub85c Windows\ub97c \uc9c0\uc6d0\ud558\uc9c0 \uc54a\uc9c0\ub9cc, \ucd94\ud6c4\uc5d0 \uc9c0\uc6d0\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."}),"\n",(0,i.jsx)(s.h3,{id:"\uc18c\uc2a4\ub85c\ubd80\ud130-\ube4c\ub4dc\ud558\ub824\uba74-\uc5b4\ub5bb\uac8c-\ud574\uc57c-\ud558\ub098\uc694",children:"\uc18c\uc2a4\ub85c\ubd80\ud130 \ube4c\ub4dc\ud558\ub824\uba74 \uc5b4\ub5bb\uac8c \ud574\uc57c \ud558\ub098\uc694?"}),"\n",(0,i.jsxs)(s.p,{children:["K3s ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/blob/master/BUILDING.md",children:"BUILDING.md"}),"\uc5d0\uc11c \uc9c0\uce68\uc744 \ucc38\uc870\ud558\uc2dc\uae30 \ubc14\ub78d\ub2c8\ub2e4."]}),"\n",(0,i.jsx)(s.h3,{id:"k3s-\ub85c\uadf8\ub294-\uc5b4\ub514\uc5d0-\uc788\ub098\uc694",children:"K3s \ub85c\uadf8\ub294 \uc5b4\ub514\uc5d0 \uc788\ub098\uc694?"}),"\n",(0,i.jsx)(s.p,{children:"K3s \ub85c\uadf8\uc758 \uc704\uce58\ub294 K3s\ub97c \uc2e4\ud589\ud558\ub294 \ubc29\ubc95\uacfc \ub178\ub4dc\uc758 OS\uc5d0 \ub530\ub77c \ub2ec\ub77c\uc9d1\ub2c8\ub2e4."}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"\uba85\ub839\uc904\uc5d0\uc11c \uc2e4\ud589\ud560 \uacbd\uc6b0, \ub85c\uadf8\ub294 stdout\uacfc stderr\ub85c \uc804\uc1a1\ub429\ub2c8\ub2e4."}),"\n",(0,i.jsxs)(s.li,{children:["openrc\uc5d0\uc11c \uc2e4\ud589\ud558\uba74 ",(0,i.jsx)(s.code,{children:"/var/log/k3s.log"}),"\uc5d0 \ub85c\uadf8\uac00 \uc0dd\uc131\ub429\ub2c8\ub2e4."]}),"\n",(0,i.jsxs)(s.li,{children:["Systemd\uc5d0\uc11c \uc2e4\ud589\ud558\ub294 \uacbd\uc6b0, \ub85c\uadf8\ub294 \uc800\ub110\ub110\ub85c \uc804\uc1a1\ub418\uba70 ",(0,i.jsx)(s.code,{children:"journalctl -u k3s"}),"\ub97c \uc0ac\uc6a9\ud558\uc5ec \ubcfc \uc218 \uc788\uc2b5\ub2c8\ub2e4."]}),"\n",(0,i.jsxs)(s.li,{children:["\ud30c\ub4dc \ub85c\uadf8\ub294 ",(0,i.jsx)(s.code,{children:"/var/log/pods"}),"\uc5d0\uc11c \ud655\uc778\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."]}),"\n",(0,i.jsxs)(s.li,{children:["\ucee8\ud14c\uc774\ub108 \ub85c\uadf8\ub294 ",(0,i.jsx)(s.code,{children:"/var/lib/rancher/k3s/agent/containerd/containerd.log"}),"\uc5d0\uc11c \ud655\uc778\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."]}),"\n"]}),"\n",(0,i.jsxs)(s.p,{children:["K3s\ub97c \uc2dc\uc791\ud560 \ub54c ",(0,i.jsx)(s.code,{children:"--debug"})," \ud50c\ub798\uadf8(\ub610\ub294 \ud658\uacbd\uc124\uc815 \ud30c\uc77c\uc5d0\uc11c ",(0,i.jsx)(s.code,{children:"debug: true"}),")\ub97c \uc0ac\uc6a9\ud558\uba74 \ub354 \uc790\uc138\ud55c \ub85c\uadf8\ub97c \uc0dd\uc131\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."]}),"\n",(0,i.jsxs)(s.p,{children:["\ucfe0\ubc84\ub124\ud2f0\uc2a4\ub294 \ud504\ub85c\uc138\uc2a4 \ub0b4\uc758 \ubaa8\ub4e0 \ucef4\ud3ec\ub10c\ud2b8\uc5d0 \ub300\ud574 \ub2e8\uc77c \ub85c\uae45 \uad6c\uc131\uc744 \uc0ac\uc6a9\ud558\ub294 ",(0,i.jsx)(s.code,{children:"klog"}),"\ub77c\ub294 \ub85c\uae45 \ud504\ub808\uc784\uc6cc\ud06c\ub97c \uc0ac\uc6a9\ud569\ub2c8\ub2e4.\nK3s\ub294 \ub2e8\uc77c \ud504\ub85c\uc138\uc2a4 \ub0b4\uc5d0\uc11c \ubaa8\ub4e0 \ucfe0\ubc84\ub124\ud2f0\uc2a4 \ucef4\ud3ec\ub10c\ud2b8\ub97c \uc2e4\ud589\ud558\uae30 \ub54c\ubb38\uc5d0, \uac1c\ubcc4 \ucfe0\ubc84\ub124\ud2f0\uc2a4 \ucef4\ud3ec\ub10c\ud2b8\uc5d0 \ub300\ud574 \ub2e4\ub978 \ub85c\uadf8 \ub808\ubca8\uc774\ub098 \ub300\uc0c1\uc744 \uad6c\uc131\ud560 \uc218 \uc5c6\uc2b5\ub2c8\ub2e4.\n",(0,i.jsx)(s.code,{children:"-v="}),"\ub610\ub294",(0,i.jsx)(s.code,{children:"--vmodule=="})," \ucef4\ud3ec\ub10c\ud2b8 \uc778\uc218\ub97c \uc0ac\uc6a9\ud558\uba74 \uc6d0\ud558\ub294 \ud6a8\uacfc\ub97c \uc5bb\uc9c0 \ubabb\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."]}),"\n",(0,i.jsxs)(s.p,{children:["\ub354 \ub9ce\uc740 \ub85c\uadf8 \uc635\uc158\uc740 ",(0,i.jsx)(s.a,{href:"/kr/advanced#additional-logging-sources",children:"\ucd94\uac00 \ub85c\uae45 \uc18c\uc2a4"}),"\ub97c \ucc38\uc870\ud558\uc138\uc694."]}),"\n",(0,i.jsx)(s.h3,{id:"docker\uc5d0\uc11c-k3s\ub97c-\uc2e4\ud589\ud560-\uc218-\uc788\ub098\uc694",children:"Docker\uc5d0\uc11c K3s\ub97c \uc2e4\ud589\ud560 \uc218 \uc788\ub098\uc694?"}),"\n",(0,i.jsxs)(s.p,{children:["\uc608, Docker\uc5d0\uc11c K3s\ub97c \uc2e4\ud589\ud558\ub294 \ubc29\ubc95\uc740 \uc5ec\ub7ec \uac00\uc9c0\uac00 \uc788\uc2b5\ub2c8\ub2e4. \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,i.jsx)(s.a,{href:"/kr/advanced#running-k3s-in-docker",children:"\uace0\uae09 \uc635\uc158"}),"\uc744 \ucc38\uc870\ud558\uc138\uc694."]}),"\n",(0,i.jsx)(s.h3,{id:"k3s-\uc11c\ubc84\uc640-\uc5d0\uc774\uc804\ud2b8-\ud1a0\ud070\uc758-\ucc28\uc774\uc810\uc740-\ubb34\uc5c7\uc778\uac00\uc694",children:"K3s \uc11c\ubc84\uc640 \uc5d0\uc774\uc804\ud2b8 \ud1a0\ud070\uc758 \ucc28\uc774\uc810\uc740 \ubb34\uc5c7\uc778\uac00\uc694?"}),"\n",(0,i.jsxs)(s.p,{children:["K3s \uc870\uc778 \ud1a0\ud070 \uad00\ub9ac\uc5d0 \ub300\ud55c \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,i.jsxs)(s.a,{href:"/kr/cli/token",children:[(0,i.jsx)(s.code,{children:"k3s token"})," \uba85\ub839\uc5b4 \uc124\uba85\uc11c"]}),"\ub97c \ucc38\uc870\ud558\uc138\uc694."]}),"\n",(0,i.jsx)(s.h3,{id:"k3s\uc758-\ub2e4\ub978-\ubc84\uc804\ub4e4\uc740-\uc5bc\ub9c8\ub098-\ud638\ud658\ub418\ub098\uc694",children:"K3s\uc758 \ub2e4\ub978 \ubc84\uc804\ub4e4\uc740 \uc5bc\ub9c8\ub098 \ud638\ud658\ub418\ub098\uc694?"}),"\n",(0,i.jsxs)(s.p,{children:["\uc77c\ubc18\uc801\uc73c\ub85c ",(0,i.jsx)(s.a,{href:"https://kubernetes.io/ko/releases/version-skew-policy/",children:"\ucfe0\ubc84\ub124\ud2f0\uc2a4 \ubc84\uc804 skew \uc815\ucc45"}),"\uc774 \uc801\uc6a9\ub429\ub2c8\ub2e4."]}),"\n",(0,i.jsx)(s.p,{children:"\uc989, \uc11c\ubc84\uac00 \uc5d0\uc774\uc804\ud2b8\ubcf4\ub2e4 \ucd5c\uc2e0 \ubc84\uc804\uc77c \uc218\ub294 \uc788\uc9c0\ub9cc \uc5d0\uc774\uc804\ud2b8\uac00 \uc11c\ubc84\ubcf4\ub2e4 \ucd5c\uc2e0 \ubc84\uc804\uc77c \uc218\ub294 \uc5c6\uc2b5\ub2c8\ub2e4."}),"\n",(0,i.jsx)(s.h3,{id:"\ubb38\uc81c\uac00-\ubc1c\uc0dd\ud588\ub294\ub370-\uc5b4\ub514\uc11c-\ub3c4\uc6c0\uc744-\ubc1b\uc744-\uc218-\uc788\ub098\uc694",children:"\ubb38\uc81c\uac00 \ubc1c\uc0dd\ud588\ub294\ub370 \uc5b4\ub514\uc11c \ub3c4\uc6c0\uc744 \ubc1b\uc744 \uc218 \uc788\ub098\uc694?"}),"\n",(0,i.jsx)(s.p,{children:"K3s\ub97c \ubc30\ud3ec\ud558\ub294 \ub370 \ubb38\uc81c\uac00 \uc788\ub294 \uacbd\uc6b0 \ub2e4\uc74c\uacfc \uac19\uc774 \ud558\uc138\uc694:"}),"\n",(0,i.jsxs)(s.ol,{children:["\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.p,{children:[(0,i.jsx)(s.a,{href:"/kr/known-issues",children:"\uc54c\ub824\uc9c4 \ubb38\uc81c"})," \ud398\uc774\uc9c0\ub97c \ud655\uc778\ud558\uc138\uc694."]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.p,{children:[(0,i.jsx)(s.a,{href:"/kr/advanced#%EC%B6%94%EA%B0%80-os-%EC%A4%80%EB%B9%84-%EC%82%AC%ED%95%AD",children:"\ucd94\uac00 OS \uc900\ube44\uc0ac\ud56d"}),"\uc744 \ubaa8\ub450 \ud574\uacb0\ud588\ub294\uc9c0 \ud655\uc778\ud569\ub2c8\ub2e4. ",(0,i.jsx)(s.code,{children:"k3s check-config"}),"\ub97c \uc2e4\ud589\ud558\uace0 \ud1b5\uacfc\ud588\ub294\uc9c0 \ud655\uc778\ud569\ub2c8\ub2e4."]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.p,{children:["K3s ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/issues",children:"\uc774\uc288"})," \ubc0f ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/discussions",children:"\ud1a0\ub860"}),"\uc5d0\uc11c \ubb38\uc81c\uc640 \uc77c\uce58\ud558\ub294 \ud56d\ubaa9\uc744 \uac80\uc0c9\ud569\ub2c8\ub2e4."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.ol,{start:"4",children:["\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.p,{children:[(0,i.jsx)(s.a,{href:"https://slack.rancher.io/",children:"Rancher \uc2ac\ub799"})," K3s \ucc44\ub110\uc5d0 \uac00\uc785\ud558\uc5ec \ub3c4\uc6c0\uc744 \ubc1b\uc2b5\ub2c8\ub2e4."]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.p,{children:["K3s \uae43\ud5c8\ube0c\uc5d0 \uc124\uc815\uacfc \ubc1c\uc0dd\ud55c \ubb38\uc81c\ub97c \uc124\uba85\ud558\ub294 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/issues/new/choose",children:"\uc0c8 \uc774\uc288"}),"\ub97c \uc81c\ucd9c\ud569\ub2c8\ub2e4."]}),"\n"]}),"\n"]})]})}function a(e={}){const{wrapper:s}={...(0,r.a)(),...e.components};return s?(0,i.jsx)(s,{...e,children:(0,i.jsx)(h,{...e})}):h(e)}},1151:(e,s,n)=>{n.d(s,{Z:()=>c,a:()=>l});var i=n(7294);const r={},d=i.createContext(r);function l(e){const s=i.useContext(d);return i.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function c(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:l(e.components),i.createElement(d.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/49689b7d.cbd6fedd.js b/kr/assets/js/49689b7d.cbd6fedd.js deleted file mode 100644 index b7d8ed58c..000000000 --- a/kr/assets/js/49689b7d.cbd6fedd.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[1184],{9275:(e,r,n)=>{n.r(r),n.d(r,{assets:()=>a,contentTitle:()=>t,default:()=>h,frontMatter:()=>l,metadata:()=>s,toc:()=>d});var o=n(5893),i=n(1151);const l={title:"Networking Services"},t=void 0,s={id:"networking/networking-services",title:"Networking Services",description:"This page explains how CoreDNS, Traefik Ingress controller, Network Policy controller, and ServiceLB load balancer controller work within K3s.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/networking/networking-services.md",sourceDirName:"networking",slug:"/networking/networking-services",permalink:"/kr/networking/networking-services",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/networking/networking-services.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Networking Services"},sidebar:"mySidebar",previous:{title:"Multus and IPAM plugins",permalink:"/kr/networking/multus-ipams"},next:{title:"\ud5ec\ub984(Helm)",permalink:"/kr/helm"}},a={},d=[{value:"CoreDNS",id:"coredns",level:2},{value:"Traefik Ingress Controller",id:"traefik-ingress-controller",level:2},{value:"Network Policy Controller",id:"network-policy-controller",level:2},{value:"Service Load Balancer",id:"service-load-balancer",level:2},{value:"How ServiceLB Works",id:"how-servicelb-works",level:3},{value:"Usage",id:"usage",level:3},{value:"Controlling ServiceLB Node Selection",id:"controlling-servicelb-node-selection",level:3},{value:"Creating ServiceLB Node Pools",id:"creating-servicelb-node-pools",level:3},{value:"Disabling ServiceLB",id:"disabling-servicelb",level:3},{value:"Deploying an External Cloud Controller Manager",id:"deploying-an-external-cloud-controller-manager",level:2}];function c(e){const r={a:"a",admonition:"admonition",code:"code",h2:"h2",h3:"h3",li:"li",ol:"ol",p:"p",pre:"pre",ul:"ul",...(0,i.a)(),...e.components};return(0,o.jsxs)(o.Fragment,{children:[(0,o.jsx)(r.p,{children:"This page explains how CoreDNS, Traefik Ingress controller, Network Policy controller, and ServiceLB load balancer controller work within K3s."}),"\n",(0,o.jsxs)(r.p,{children:["Refer to the ",(0,o.jsx)(r.a,{href:"/kr/networking/basic-network-options",children:"Installation Network Options"})," page for details on Flannel configuration options and backend selection, or how to set up your own CNI."]}),"\n",(0,o.jsxs)(r.p,{children:["For information on which ports need to be opened for K3s, refer to the ",(0,o.jsx)(r.a,{href:"/kr/installation/requirements#networking",children:"Networking Requirements"}),"."]}),"\n",(0,o.jsx)(r.h2,{id:"coredns",children:"CoreDNS"}),"\n",(0,o.jsxs)(r.p,{children:["CoreDNS is deployed automatically on server startup. To disable it, configure all servers in the cluster with the ",(0,o.jsx)(r.code,{children:"--disable=coredns"})," option."]}),"\n",(0,o.jsx)(r.p,{children:"If you don't install CoreDNS, you will need to install a cluster DNS provider yourself."}),"\n",(0,o.jsx)(r.h2,{id:"traefik-ingress-controller",children:"Traefik Ingress Controller"}),"\n",(0,o.jsxs)(r.p,{children:[(0,o.jsx)(r.a,{href:"https://traefik.io/",children:"Traefik"})," is a modern HTTP reverse proxy and load balancer made to deploy microservices with ease. It simplifies networking complexity while designing, deploying, and running applications."]}),"\n",(0,o.jsx)(r.p,{children:"The Traefik ingress controller deploys a LoadBalancer Service that uses ports 80 and 443. By default, ServiceLB will expose these ports on all cluster members, meaning these ports will not be usable for other HostPort or NodePort pods."}),"\n",(0,o.jsxs)(r.p,{children:["Traefik is deployed by default when starting the server. For more information see ",(0,o.jsx)(r.a,{href:"/kr/installation/packaged-components",children:"Managing Packaged Components"}),". The default config file is found in ",(0,o.jsx)(r.code,{children:"/var/lib/rancher/k3s/server/manifests/traefik.yaml"}),"."]}),"\n",(0,o.jsxs)(r.p,{children:["The ",(0,o.jsx)(r.code,{children:"traefik.yaml"})," file should not be edited manually, as K3s will replace the file with defaults at startup. Instead, you should customize Traefik by creating an additional ",(0,o.jsx)(r.code,{children:"HelmChartConfig"})," manifest in ",(0,o.jsx)(r.code,{children:"/var/lib/rancher/k3s/server/manifests"}),". For more details and an example see ",(0,o.jsx)(r.a,{href:"/kr/helm#customizing-packaged-components-with-helmchartconfig",children:"Customizing Packaged Components with HelmChartConfig"}),". For more information on the possible configuration values, refer to the official ",(0,o.jsx)(r.a,{href:"https://github.com/traefik/traefik-helm-chart/tree/master/traefik",children:"Traefik Helm Configuration Parameters."}),"."]}),"\n",(0,o.jsxs)(r.p,{children:["To remove Traefik from your cluster, start all servers with the ",(0,o.jsx)(r.code,{children:"--disable=traefik"})," flag."]}),"\n",(0,o.jsx)(r.p,{children:"K3s versions 1.20 and earlier include Traefik v1. K3s versions 1.21 and later install Traefik v2, unless an existing installation of Traefik v1 is found, in which case Traefik is not upgraded to v2. For more information on the specific version of Traefik included with K3s, consult the Release Notes for your version."}),"\n",(0,o.jsxs)(r.p,{children:["To migrate from an older Traefik v1 instance please refer to the ",(0,o.jsx)(r.a,{href:"https://doc.traefik.io/traefik/migration/v1-to-v2/",children:"Traefik documentation"})," and ",(0,o.jsx)(r.a,{href:"https://github.com/traefik/traefik-migration-tool",children:"migration tool"}),"."]}),"\n",(0,o.jsx)(r.h2,{id:"network-policy-controller",children:"Network Policy Controller"}),"\n",(0,o.jsxs)(r.p,{children:["K3s includes an embedded network policy controller. The underlying implementation is ",(0,o.jsx)(r.a,{href:"https://github.com/cloudnativelabs/kube-router",children:"kube-router's"})," netpol controller library (no other kube-router functionality is present) and can be found ",(0,o.jsx)(r.a,{href:"https://github.com/k3s-io/k3s/tree/master/pkg/agent/netpol",children:"here"}),"."]}),"\n",(0,o.jsxs)(r.p,{children:["To disable it, start each server with the ",(0,o.jsx)(r.code,{children:"--disable-network-policy"})," flag."]}),"\n",(0,o.jsxs)(r.admonition,{type:"note",children:[(0,o.jsxs)(r.p,{children:["Network policy iptables rules are not removed if the K3s configuration is changed to disable the network policy controller. To clean up the configured kube-router network policy rules after disabling the network policy controller, use the ",(0,o.jsx)(r.code,{children:"k3s-killall.sh"})," script, or clean them using ",(0,o.jsx)(r.code,{children:"iptables-save"})," and ",(0,o.jsx)(r.code,{children:"iptables-restore"}),". These steps must be run manually on all nodes in the cluster."]}),(0,o.jsx)(r.pre,{children:(0,o.jsx)(r.code,{children:"iptables-save | grep -v KUBE-ROUTER | iptables-restore\nip6tables-save | grep -v KUBE-ROUTER | ip6tables-restore\n"})})]}),"\n",(0,o.jsx)(r.h2,{id:"service-load-balancer",children:"Service Load Balancer"}),"\n",(0,o.jsxs)(r.p,{children:["Any LoadBalancer controller can be deployed to your K3s cluster. By default, K3s provides a load balancer known as ",(0,o.jsx)(r.a,{href:"https://github.com/k3s-io/klipper-lb",children:"ServiceLB"})," (formerly Klipper LoadBalancer) that uses available host ports."]}),"\n",(0,o.jsxs)(r.p,{children:["Upstream Kubernetes allows Services of type LoadBalancer to be created, but doesn't include a default load balancer implementation, so these services will remain ",(0,o.jsx)(r.code,{children:"pending"})," until one is installed. Many hosted services require a cloud provider such as Amazon EC2 or Microsoft Azure to offer an external load balancer implementation. By contrast, the K3s ServiceLB makes it possible to use LoadBalancer Services without a cloud provider or any additional configuration."]}),"\n",(0,o.jsx)(r.h3,{id:"how-servicelb-works",children:"How ServiceLB Works"}),"\n",(0,o.jsxs)(r.p,{children:["The ServiceLB controller watches Kubernetes ",(0,o.jsx)(r.a,{href:"https://kubernetes.io/docs/concepts/services-networking/service/",children:"Services"})," with the ",(0,o.jsx)(r.code,{children:"spec.type"})," field set to ",(0,o.jsx)(r.code,{children:"LoadBalancer"}),"."]}),"\n",(0,o.jsxs)(r.p,{children:["For each LoadBalancer Service, a ",(0,o.jsx)(r.a,{href:"https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/",children:"DaemonSet"})," is created in the ",(0,o.jsx)(r.code,{children:"kube-system"})," namespace. This DaemonSet in turn creates Pods with a ",(0,o.jsx)(r.code,{children:"svc-"})," prefix, on each node. These Pods use iptables to forward traffic from the Pod's NodePort, to the Service's ClusterIP address and port."]}),"\n",(0,o.jsxs)(r.p,{children:["If the ServiceLB Pod runs on a node that has an external IP configured, the node's external IP is populated into the Service's ",(0,o.jsx)(r.code,{children:"status.loadBalancer.ingress"})," address list. Otherwise, the node's internal IP is used."]}),"\n",(0,o.jsx)(r.p,{children:"If multiple LoadBalancer Services are created, a separate DaemonSet is created for each Service."}),"\n",(0,o.jsx)(r.p,{children:"It is possible to expose multiple Services on the same node, as long as they use different ports."}),"\n",(0,o.jsx)(r.p,{children:"If you try to create a LoadBalancer Service that listens on port 80, the ServiceLB will try to find a free host in the cluster for port 80. If no host with that port is available, the LB will remain Pending."}),"\n",(0,o.jsx)(r.h3,{id:"usage",children:"Usage"}),"\n",(0,o.jsxs)(r.p,{children:["Create a ",(0,o.jsx)(r.a,{href:"https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer",children:"Service of type LoadBalancer"})," in K3s."]}),"\n",(0,o.jsx)(r.h3,{id:"controlling-servicelb-node-selection",children:"Controlling ServiceLB Node Selection"}),"\n",(0,o.jsxs)(r.p,{children:["Adding the ",(0,o.jsx)(r.code,{children:"svccontroller.k3s.cattle.io/enablelb=true"})," label to one or more nodes switches the ServiceLB controller into allow-list mode, where only nodes with the label are eligible to host LoadBalancer pods. Nodes that remain unlabeled will be excluded from use by ServiceLB."]}),"\n",(0,o.jsx)(r.admonition,{type:"note",children:(0,o.jsx)(r.p,{children:"By default, nodes are not labeled. As long as all nodes remain unlabeled, all nodes with ports available will be used by ServiceLB."})}),"\n",(0,o.jsx)(r.h3,{id:"creating-servicelb-node-pools",children:"Creating ServiceLB Node Pools"}),"\n",(0,o.jsxs)(r.p,{children:["To select a particular subset of nodes to host pods for a LoadBalancer, add the ",(0,o.jsx)(r.code,{children:"enablelb"})," label to the desired nodes, and set matching ",(0,o.jsx)(r.code,{children:"lbpool"})," label values on the Nodes and Services. For example:"]}),"\n",(0,o.jsxs)(r.ol,{children:["\n",(0,o.jsxs)(r.li,{children:["Label Node A and Node B with ",(0,o.jsx)(r.code,{children:"svccontroller.k3s.cattle.io/lbpool=pool1"})," and ",(0,o.jsx)(r.code,{children:"svccontroller.k3s.cattle.io/enablelb=true"})]}),"\n",(0,o.jsxs)(r.li,{children:["Label Node C and Node D with ",(0,o.jsx)(r.code,{children:"svccontroller.k3s.cattle.io/lbpool=pool2"})," and ",(0,o.jsx)(r.code,{children:"svccontroller.k3s.cattle.io/enablelb=true"})]}),"\n",(0,o.jsxs)(r.li,{children:["Create one LoadBalancer Service on port 443 with label ",(0,o.jsx)(r.code,{children:"svccontroller.k3s.cattle.io/lbpool=pool1"}),". The DaemonSet for this service only deploy Pods to Node A and Node B."]}),"\n",(0,o.jsxs)(r.li,{children:["Create another LoadBalancer Service on port 443 with label ",(0,o.jsx)(r.code,{children:"svccontroller.k3s.cattle.io/lbpool=pool2"}),". The DaemonSet will only deploy Pods to Node C and Node D."]}),"\n"]}),"\n",(0,o.jsx)(r.h3,{id:"disabling-servicelb",children:"Disabling ServiceLB"}),"\n",(0,o.jsxs)(r.p,{children:["To disable ServiceLB, configure all servers in the cluster with the ",(0,o.jsx)(r.code,{children:"--disable=servicelb"})," flag."]}),"\n",(0,o.jsx)(r.p,{children:"This is necessary if you wish to run a different LB, such as MetalLB."}),"\n",(0,o.jsx)(r.h2,{id:"deploying-an-external-cloud-controller-manager",children:"Deploying an External Cloud Controller Manager"}),"\n",(0,o.jsx)(r.p,{children:'In order to reduce binary size, K3s removes all "in-tree" (built-in) cloud providers. Instead, K3s provides an embedded Cloud Controller Manager (CCM) stub that does the following:'}),"\n",(0,o.jsxs)(r.ul,{children:["\n",(0,o.jsxs)(r.li,{children:["Sets node InternalIP and ExternalIP address fields based on the ",(0,o.jsx)(r.code,{children:"--node-ip"})," and ",(0,o.jsx)(r.code,{children:"--node-external-ip"})," flags."]}),"\n",(0,o.jsx)(r.li,{children:"Hosts the ServiceLB LoadBalancer controller."}),"\n",(0,o.jsxs)(r.li,{children:["Clears the ",(0,o.jsx)(r.code,{children:"node.cloudprovider.kubernetes.io/uninitialized"})," taint that is present when the cloud-provider is set to ",(0,o.jsx)(r.code,{children:"external"})]}),"\n"]}),"\n",(0,o.jsxs)(r.p,{children:["Before deploying an external CCM, you must start all K3s servers with the ",(0,o.jsx)(r.code,{children:"--disable-cloud-controller"})," flag to disable to embedded CCM."]}),"\n",(0,o.jsx)(r.admonition,{type:"note",children:(0,o.jsx)(r.p,{children:"If you disable the built-in CCM and do not deploy and properly configure an external substitute, nodes will remain tainted and unschedulable."})})]})}function h(e={}){const{wrapper:r}={...(0,i.a)(),...e.components};return r?(0,o.jsx)(r,{...e,children:(0,o.jsx)(c,{...e})}):c(e)}},1151:(e,r,n)=>{n.d(r,{Z:()=>s,a:()=>t});var o=n(7294);const i={},l=o.createContext(i);function t(e){const r=o.useContext(l);return o.useMemo((function(){return"function"==typeof e?e(r):{...r,...e}}),[r,e])}function s(e){let r;return r=e.disableParentContext?"function"==typeof e.components?e.components(i):e.components||i:t(e.components),o.createElement(l.Provider,{value:r},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/49689b7d.da5127a9.js b/kr/assets/js/49689b7d.da5127a9.js new file mode 100644 index 000000000..a38a9df3e --- /dev/null +++ b/kr/assets/js/49689b7d.da5127a9.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[1184],{9275:(e,r,n)=>{n.r(r),n.d(r,{assets:()=>a,contentTitle:()=>t,default:()=>h,frontMatter:()=>l,metadata:()=>s,toc:()=>d});var o=n(5893),i=n(1151);const l={title:"Networking Services"},t=void 0,s={id:"networking/networking-services",title:"Networking Services",description:"This page explains how CoreDNS, Traefik Ingress controller, Network Policy controller, and ServiceLB load balancer controller work within K3s.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/networking/networking-services.md",sourceDirName:"networking",slug:"/networking/networking-services",permalink:"/kr/networking/networking-services",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/networking/networking-services.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Networking Services"},sidebar:"mySidebar",previous:{title:"Multus and IPAM plugins",permalink:"/kr/networking/multus-ipams"},next:{title:"\ud5ec\ub984(Helm)",permalink:"/kr/helm"}},a={},d=[{value:"CoreDNS",id:"coredns",level:2},{value:"Traefik Ingress Controller",id:"traefik-ingress-controller",level:2},{value:"Network Policy Controller",id:"network-policy-controller",level:2},{value:"Service Load Balancer",id:"service-load-balancer",level:2},{value:"How ServiceLB Works",id:"how-servicelb-works",level:3},{value:"Usage",id:"usage",level:3},{value:"Controlling ServiceLB Node Selection",id:"controlling-servicelb-node-selection",level:3},{value:"Creating ServiceLB Node Pools",id:"creating-servicelb-node-pools",level:3},{value:"Disabling ServiceLB",id:"disabling-servicelb",level:3},{value:"Deploying an External Cloud Controller Manager",id:"deploying-an-external-cloud-controller-manager",level:2}];function c(e){const r={a:"a",admonition:"admonition",code:"code",h2:"h2",h3:"h3",li:"li",ol:"ol",p:"p",pre:"pre",ul:"ul",...(0,i.a)(),...e.components};return(0,o.jsxs)(o.Fragment,{children:[(0,o.jsx)(r.p,{children:"This page explains how CoreDNS, Traefik Ingress controller, Network Policy controller, and ServiceLB load balancer controller work within K3s."}),"\n",(0,o.jsxs)(r.p,{children:["Refer to the ",(0,o.jsx)(r.a,{href:"/kr/networking/basic-network-options",children:"Installation Network Options"})," page for details on Flannel configuration options and backend selection, or how to set up your own CNI."]}),"\n",(0,o.jsxs)(r.p,{children:["For information on which ports need to be opened for K3s, refer to the ",(0,o.jsx)(r.a,{href:"/kr/installation/requirements#networking",children:"Networking Requirements"}),"."]}),"\n",(0,o.jsx)(r.h2,{id:"coredns",children:"CoreDNS"}),"\n",(0,o.jsxs)(r.p,{children:["CoreDNS is deployed automatically on server startup. To disable it, configure all servers in the cluster with the ",(0,o.jsx)(r.code,{children:"--disable=coredns"})," option."]}),"\n",(0,o.jsx)(r.p,{children:"If you don't install CoreDNS, you will need to install a cluster DNS provider yourself."}),"\n",(0,o.jsx)(r.h2,{id:"traefik-ingress-controller",children:"Traefik Ingress Controller"}),"\n",(0,o.jsxs)(r.p,{children:[(0,o.jsx)(r.a,{href:"https://traefik.io/",children:"Traefik"})," is a modern HTTP reverse proxy and load balancer made to deploy microservices with ease. It simplifies networking complexity while designing, deploying, and running applications."]}),"\n",(0,o.jsx)(r.p,{children:"The Traefik ingress controller deploys a LoadBalancer Service that uses ports 80 and 443. By default, ServiceLB will expose these ports on all cluster members, meaning these ports will not be usable for other HostPort or NodePort pods."}),"\n",(0,o.jsxs)(r.p,{children:["Traefik is deployed by default when starting the server. For more information see ",(0,o.jsx)(r.a,{href:"/kr/installation/packaged-components",children:"Managing Packaged Components"}),". The default config file is found in ",(0,o.jsx)(r.code,{children:"/var/lib/rancher/k3s/server/manifests/traefik.yaml"}),"."]}),"\n",(0,o.jsxs)(r.p,{children:["The ",(0,o.jsx)(r.code,{children:"traefik.yaml"})," file should not be edited manually, as K3s will replace the file with defaults at startup. Instead, you should customize Traefik by creating an additional ",(0,o.jsx)(r.code,{children:"HelmChartConfig"})," manifest in ",(0,o.jsx)(r.code,{children:"/var/lib/rancher/k3s/server/manifests"}),". For more details and an example see ",(0,o.jsx)(r.a,{href:"/kr/helm#customizing-packaged-components-with-helmchartconfig",children:"Customizing Packaged Components with HelmChartConfig"}),". For more information on the possible configuration values, refer to the official ",(0,o.jsx)(r.a,{href:"https://github.com/traefik/traefik-helm-chart/tree/master/traefik",children:"Traefik Helm Configuration Parameters."}),"."]}),"\n",(0,o.jsxs)(r.p,{children:["To remove Traefik from your cluster, start all servers with the ",(0,o.jsx)(r.code,{children:"--disable=traefik"})," flag."]}),"\n",(0,o.jsx)(r.p,{children:"K3s versions 1.20 and earlier include Traefik v1. K3s versions 1.21 and later install Traefik v2, unless an existing installation of Traefik v1 is found, in which case Traefik is not upgraded to v2. For more information on the specific version of Traefik included with K3s, consult the Release Notes for your version."}),"\n",(0,o.jsxs)(r.p,{children:["To migrate from an older Traefik v1 instance please refer to the ",(0,o.jsx)(r.a,{href:"https://doc.traefik.io/traefik/migration/v1-to-v2/",children:"Traefik documentation"})," and ",(0,o.jsx)(r.a,{href:"https://github.com/traefik/traefik-migration-tool",children:"migration tool"}),"."]}),"\n",(0,o.jsx)(r.h2,{id:"network-policy-controller",children:"Network Policy Controller"}),"\n",(0,o.jsxs)(r.p,{children:["K3s includes an embedded network policy controller. The underlying implementation is ",(0,o.jsx)(r.a,{href:"https://github.com/cloudnativelabs/kube-router",children:"kube-router's"})," netpol controller library (no other kube-router functionality is present) and can be found ",(0,o.jsx)(r.a,{href:"https://github.com/k3s-io/k3s/tree/master/pkg/agent/netpol",children:"here"}),"."]}),"\n",(0,o.jsxs)(r.p,{children:["To disable it, start each server with the ",(0,o.jsx)(r.code,{children:"--disable-network-policy"})," flag."]}),"\n",(0,o.jsxs)(r.admonition,{type:"note",children:[(0,o.jsxs)(r.p,{children:["Network policy iptables rules are not removed if the K3s configuration is changed to disable the network policy controller. To clean up the configured kube-router network policy rules after disabling the network policy controller, use the ",(0,o.jsx)(r.code,{children:"k3s-killall.sh"})," script, or clean them using ",(0,o.jsx)(r.code,{children:"iptables-save"})," and ",(0,o.jsx)(r.code,{children:"iptables-restore"}),". These steps must be run manually on all nodes in the cluster."]}),(0,o.jsx)(r.pre,{children:(0,o.jsx)(r.code,{children:"iptables-save | grep -v KUBE-ROUTER | iptables-restore\nip6tables-save | grep -v KUBE-ROUTER | ip6tables-restore\n"})})]}),"\n",(0,o.jsx)(r.h2,{id:"service-load-balancer",children:"Service Load Balancer"}),"\n",(0,o.jsxs)(r.p,{children:["Any LoadBalancer controller can be deployed to your K3s cluster. By default, K3s provides a load balancer known as ",(0,o.jsx)(r.a,{href:"https://github.com/k3s-io/klipper-lb",children:"ServiceLB"})," (formerly Klipper LoadBalancer) that uses available host ports."]}),"\n",(0,o.jsxs)(r.p,{children:["Upstream Kubernetes allows Services of type LoadBalancer to be created, but doesn't include a default load balancer implementation, so these services will remain ",(0,o.jsx)(r.code,{children:"pending"})," until one is installed. Many hosted services require a cloud provider such as Amazon EC2 or Microsoft Azure to offer an external load balancer implementation. By contrast, the K3s ServiceLB makes it possible to use LoadBalancer Services without a cloud provider or any additional configuration."]}),"\n",(0,o.jsx)(r.h3,{id:"how-servicelb-works",children:"How ServiceLB Works"}),"\n",(0,o.jsxs)(r.p,{children:["The ServiceLB controller watches Kubernetes ",(0,o.jsx)(r.a,{href:"https://kubernetes.io/docs/concepts/services-networking/service/",children:"Services"})," with the ",(0,o.jsx)(r.code,{children:"spec.type"})," field set to ",(0,o.jsx)(r.code,{children:"LoadBalancer"}),"."]}),"\n",(0,o.jsxs)(r.p,{children:["For each LoadBalancer Service, a ",(0,o.jsx)(r.a,{href:"https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/",children:"DaemonSet"})," is created in the ",(0,o.jsx)(r.code,{children:"kube-system"})," namespace. This DaemonSet in turn creates Pods with a ",(0,o.jsx)(r.code,{children:"svc-"})," prefix, on each node. These Pods use iptables to forward traffic from the Pod's NodePort, to the Service's ClusterIP address and port."]}),"\n",(0,o.jsxs)(r.p,{children:["If the ServiceLB Pod runs on a node that has an external IP configured, the node's external IP is populated into the Service's ",(0,o.jsx)(r.code,{children:"status.loadBalancer.ingress"})," address list. Otherwise, the node's internal IP is used."]}),"\n",(0,o.jsx)(r.p,{children:"If multiple LoadBalancer Services are created, a separate DaemonSet is created for each Service."}),"\n",(0,o.jsx)(r.p,{children:"It is possible to expose multiple Services on the same node, as long as they use different ports."}),"\n",(0,o.jsx)(r.p,{children:"If you try to create a LoadBalancer Service that listens on port 80, the ServiceLB will try to find a free host in the cluster for port 80. If no host with that port is available, the LB will remain Pending."}),"\n",(0,o.jsx)(r.h3,{id:"usage",children:"Usage"}),"\n",(0,o.jsxs)(r.p,{children:["Create a ",(0,o.jsx)(r.a,{href:"https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer",children:"Service of type LoadBalancer"})," in K3s."]}),"\n",(0,o.jsx)(r.h3,{id:"controlling-servicelb-node-selection",children:"Controlling ServiceLB Node Selection"}),"\n",(0,o.jsxs)(r.p,{children:["Adding the ",(0,o.jsx)(r.code,{children:"svccontroller.k3s.cattle.io/enablelb=true"})," label to one or more nodes switches the ServiceLB controller into allow-list mode, where only nodes with the label are eligible to host LoadBalancer pods. Nodes that remain unlabeled will be excluded from use by ServiceLB."]}),"\n",(0,o.jsx)(r.admonition,{type:"note",children:(0,o.jsx)(r.p,{children:"By default, nodes are not labeled. As long as all nodes remain unlabeled, all nodes with ports available will be used by ServiceLB."})}),"\n",(0,o.jsx)(r.h3,{id:"creating-servicelb-node-pools",children:"Creating ServiceLB Node Pools"}),"\n",(0,o.jsxs)(r.p,{children:["To select a particular subset of nodes to host pods for a LoadBalancer, add the ",(0,o.jsx)(r.code,{children:"enablelb"})," label to the desired nodes, and set matching ",(0,o.jsx)(r.code,{children:"lbpool"})," label values on the Nodes and Services. For example:"]}),"\n",(0,o.jsxs)(r.ol,{children:["\n",(0,o.jsxs)(r.li,{children:["Label Node A and Node B with ",(0,o.jsx)(r.code,{children:"svccontroller.k3s.cattle.io/lbpool=pool1"})," and ",(0,o.jsx)(r.code,{children:"svccontroller.k3s.cattle.io/enablelb=true"})]}),"\n",(0,o.jsxs)(r.li,{children:["Label Node C and Node D with ",(0,o.jsx)(r.code,{children:"svccontroller.k3s.cattle.io/lbpool=pool2"})," and ",(0,o.jsx)(r.code,{children:"svccontroller.k3s.cattle.io/enablelb=true"})]}),"\n",(0,o.jsxs)(r.li,{children:["Create one LoadBalancer Service on port 443 with label ",(0,o.jsx)(r.code,{children:"svccontroller.k3s.cattle.io/lbpool=pool1"}),". The DaemonSet for this service only deploy Pods to Node A and Node B."]}),"\n",(0,o.jsxs)(r.li,{children:["Create another LoadBalancer Service on port 443 with label ",(0,o.jsx)(r.code,{children:"svccontroller.k3s.cattle.io/lbpool=pool2"}),". The DaemonSet will only deploy Pods to Node C and Node D."]}),"\n"]}),"\n",(0,o.jsx)(r.h3,{id:"disabling-servicelb",children:"Disabling ServiceLB"}),"\n",(0,o.jsxs)(r.p,{children:["To disable ServiceLB, configure all servers in the cluster with the ",(0,o.jsx)(r.code,{children:"--disable=servicelb"})," flag."]}),"\n",(0,o.jsx)(r.p,{children:"This is necessary if you wish to run a different LB, such as MetalLB."}),"\n",(0,o.jsx)(r.h2,{id:"deploying-an-external-cloud-controller-manager",children:"Deploying an External Cloud Controller Manager"}),"\n",(0,o.jsx)(r.p,{children:'In order to reduce binary size, K3s removes all "in-tree" (built-in) cloud providers. Instead, K3s provides an embedded Cloud Controller Manager (CCM) stub that does the following:'}),"\n",(0,o.jsxs)(r.ul,{children:["\n",(0,o.jsxs)(r.li,{children:["Sets node InternalIP and ExternalIP address fields based on the ",(0,o.jsx)(r.code,{children:"--node-ip"})," and ",(0,o.jsx)(r.code,{children:"--node-external-ip"})," flags."]}),"\n",(0,o.jsx)(r.li,{children:"Hosts the ServiceLB LoadBalancer controller."}),"\n",(0,o.jsxs)(r.li,{children:["Clears the ",(0,o.jsx)(r.code,{children:"node.cloudprovider.kubernetes.io/uninitialized"})," taint that is present when the cloud-provider is set to ",(0,o.jsx)(r.code,{children:"external"})]}),"\n"]}),"\n",(0,o.jsxs)(r.p,{children:["Before deploying an external CCM, you must start all K3s servers with the ",(0,o.jsx)(r.code,{children:"--disable-cloud-controller"})," flag to disable to embedded CCM."]}),"\n",(0,o.jsx)(r.admonition,{type:"note",children:(0,o.jsx)(r.p,{children:"If you disable the built-in CCM and do not deploy and properly configure an external substitute, nodes will remain tainted and unschedulable."})})]})}function h(e={}){const{wrapper:r}={...(0,i.a)(),...e.components};return r?(0,o.jsx)(r,{...e,children:(0,o.jsx)(c,{...e})}):c(e)}},1151:(e,r,n)=>{n.d(r,{Z:()=>s,a:()=>t});var o=n(7294);const i={},l=o.createContext(i);function t(e){const r=o.useContext(l);return o.useMemo((function(){return"function"==typeof e?e(r):{...r,...e}}),[r,e])}function s(e){let r;return r=e.disableParentContext?"function"==typeof e.components?e.components(i):e.components||i:t(e.components),o.createElement(l.Provider,{value:r},e.children)}}}]); \ No newline at end of file diff --git a/zh/assets/js/dcd62276.b1623ddb.js b/kr/assets/js/5133fc91.07233669.js similarity index 90% rename from zh/assets/js/dcd62276.b1623ddb.js rename to kr/assets/js/5133fc91.07233669.js index ea5496f1e..06143291a 100644 --- a/zh/assets/js/dcd62276.b1623ddb.js +++ b/kr/assets/js/5133fc91.07233669.js @@ -1 +1 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[8855],{6237:(e,n,s)=>{s.r(n),s.d(n,{assets:()=>d,contentTitle:()=>o,default:()=>h,frontMatter:()=>a,metadata:()=>r,toc:()=>l});var i=s(5893),t=s(1151);const a={title:"Managing Packaged Components"},o=void 0,r={id:"installation/packaged-components",title:"Managing Packaged Components",description:"Auto-Deploying Manifests (AddOns)",source:"@site/i18n/zh/docusaurus-plugin-content-docs/current/installation/packaged-components.md",sourceDirName:"installation",slug:"/installation/packaged-components",permalink:"/zh/installation/packaged-components",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/packaged-components.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Managing Packaged Components"},sidebar:"mySidebar",previous:{title:"Managing Server Roles",permalink:"/zh/installation/server-roles"},next:{title:"Uninstalling K3s",permalink:"/zh/installation/uninstall"}},d={},l=[{value:"Auto-Deploying Manifests (AddOns)",id:"auto-deploying-manifests-addons",level:2},{value:"Packaged Components",id:"packaged-components",level:3},{value:"User AddOns",id:"user-addons",level:3},{value:"File Naming Requirements",id:"file-naming-requirements",level:4},{value:"Disabling Manifests",id:"disabling-manifests",level:2},{value:"Using the --disable flag",id:"using-the---disable-flag",level:3},{value:"Using .skip files",id:"using-skip-files",level:3},{value:"Helm AddOns",id:"helm-addons",level:2}];function c(e){const n={a:"a",admonition:"admonition",blockquote:"blockquote",code:"code",h2:"h2",h3:"h3",h4:"h4",p:"p",pre:"pre",...(0,t.a)(),...e.components};return(0,i.jsxs)(i.Fragment,{children:[(0,i.jsx)(n.h2,{id:"auto-deploying-manifests-addons",children:"Auto-Deploying Manifests (AddOns)"}),"\n",(0,i.jsxs)(n.p,{children:["On server nodes, any file found in ",(0,i.jsx)(n.code,{children:"/var/lib/rancher/k3s/server/manifests"})," will automatically be deployed to Kubernetes in a manner similar to ",(0,i.jsx)(n.code,{children:"kubectl apply"}),", both on startup and when the file is changed on disk. Deleting files out of this directory will not delete the corresponding resources from the cluster."]}),"\n",(0,i.jsxs)(n.p,{children:["Manifests are tracked as ",(0,i.jsx)(n.code,{children:"AddOn"})," custom resources in the ",(0,i.jsx)(n.code,{children:"kube-system"})," namespace. Any errors or warnings encountered when applying the manifest file may seen by using ",(0,i.jsx)(n.code,{children:"kubectl describe"})," on the corresponding ",(0,i.jsx)(n.code,{children:"AddOn"}),", or by using ",(0,i.jsx)(n.code,{children:"kubectl get event -n kube-system"})," to view all events for that namespace, including those from the deploy controller."]}),"\n",(0,i.jsx)(n.h3,{id:"packaged-components",children:"Packaged Components"}),"\n",(0,i.jsxs)(n.p,{children:["K3s comes with a number of packaged components that are deployed as AddOns via the manifests directory: ",(0,i.jsx)(n.code,{children:"coredns"}),", ",(0,i.jsx)(n.code,{children:"traefik"}),", ",(0,i.jsx)(n.code,{children:"local-storage"}),", and ",(0,i.jsx)(n.code,{children:"metrics-server"}),". The embedded ",(0,i.jsx)(n.code,{children:"servicelb"})," LoadBalancer controller does not have a manifest file, but can be disabled as if it were an ",(0,i.jsx)(n.code,{children:"AddOn"})," for historical reasons."]}),"\n",(0,i.jsx)(n.p,{children:"Manifests for packaged components are managed by K3s, and should not be altered. The files are re-written to disk whenever K3s is started, in order to ensure their integrity."}),"\n",(0,i.jsx)(n.h3,{id:"user-addons",children:"User AddOns"}),"\n",(0,i.jsxs)(n.p,{children:["You may place additional files in the manifests directory for deployment as an ",(0,i.jsx)(n.code,{children:"AddOn"}),". Each file may contain multiple Kubernetes resources, delmited by the ",(0,i.jsx)(n.code,{children:"---"})," YAML document separator. For more information on organizing resources in manifests, see the ",(0,i.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/cluster-administration/manage-deployment/",children:"Managing Resources"})," section of the Kubernetes documentation."]}),"\n",(0,i.jsx)(n.h4,{id:"file-naming-requirements",children:"File Naming Requirements"}),"\n",(0,i.jsxs)(n.p,{children:["The ",(0,i.jsx)(n.code,{children:"AddOn"})," name for each file in the manifest directory is derived from the file basename.\nEnsure that all files within the manifests directory (or within any subdirectories) have names that are unique, and adhere to Kubernetes ",(0,i.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/overview/working-with-objects/names/",children:"object naming restrictions"}),".\nCare should also be taken not to conflict with names in use by the default K3s packaged components, even if those components are disabled."]}),"\n",(0,i.jsx)(n.p,{children:"Here is en example of an error that would be reported if the file name contains underscores:"}),"\n",(0,i.jsxs)(n.blockquote,{children:["\n",(0,i.jsx)(n.p,{children:(0,i.jsx)(n.code,{children:"Failed to process config: failed to process /var/lib/rancher/k3s/server/manifests/example_manifest.yaml: Addon.k3s.cattle.io \"example_manifest\" is invalid: metadata.name: Invalid value: \"example_manifest\": a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')"})}),"\n"]}),"\n",(0,i.jsx)(n.admonition,{type:"danger",children:(0,i.jsx)(n.p,{children:"If you have multiple server nodes, and place additional AddOn manifests on more than one server, it is your responsibility to ensure that files stay in sync across those nodes. K3s does not sync AddOn content between nodes, and cannot guarantee correct behavior if different servers attempt to deploy conflicting manifests."})}),"\n",(0,i.jsx)(n.h2,{id:"disabling-manifests",children:"Disabling Manifests"}),"\n",(0,i.jsx)(n.p,{children:"There are two ways to disable deployment of specific content from the manifests directory."}),"\n",(0,i.jsxs)(n.h3,{id:"using-the---disable-flag",children:["Using the ",(0,i.jsx)(n.code,{children:"--disable"})," flag"]}),"\n",(0,i.jsxs)(n.p,{children:["The AddOns for packaged components listed above, in addition to AddOns for any additional manifests placed in the ",(0,i.jsx)(n.code,{children:"manifests"})," directory, can be disabled with the ",(0,i.jsx)(n.code,{children:"--disable"})," flag. Disabled AddOns are actively uninstalled from the cluster, and the source files deleted from the ",(0,i.jsx)(n.code,{children:"manifests"})," directory."]}),"\n",(0,i.jsxs)(n.p,{children:["For example, to disable traefik from being installed on a new cluster, or to uninstall it and remove the manifest from an existing cluster, you can start K3s with ",(0,i.jsx)(n.code,{children:"--disable=traefik"}),". Multiple items can be disabled by separating their names with commas, or by repeating the flag."]}),"\n",(0,i.jsx)(n.h3,{id:"using-skip-files",children:"Using .skip files"}),"\n",(0,i.jsxs)(n.p,{children:["For any file under ",(0,i.jsx)(n.code,{children:"/var/lib/rancher/k3s/server/manifests"}),", you can create a ",(0,i.jsx)(n.code,{children:".skip"})," file which will cause K3s to ignore the corresponding manifest. The contents of the ",(0,i.jsx)(n.code,{children:".skip"})," file do not matter, only its existence is checked. Note that creating a ",(0,i.jsx)(n.code,{children:".skip"})," file after an AddOn has already been created will not remove or otherwise modify it or the resources it created; the file is simply treated as if it did not exist."]}),"\n",(0,i.jsxs)(n.p,{children:["For example, creating an empty ",(0,i.jsx)(n.code,{children:"traefik.yaml.skip"})," file in the manifests directory before K3s is started the first time, will cause K3s to skip deploying ",(0,i.jsx)(n.code,{children:"traefik.yaml"}),":"]}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-bash",children:"$ ls /var/lib/rancher/k3s/server/manifests\nccm.yaml local-storage.yaml rolebindings.yaml traefik.yaml.skip\ncoredns.yaml traefik.yaml\n\n$ kubectl get pods -A\nNAMESPACE NAME READY STATUS RESTARTS AGE\nkube-system local-path-provisioner-64ffb68fd-xx98j 1/1 Running 0 74s\nkube-system metrics-server-5489f84d5d-7zwkt 1/1 Running 0 74s\nkube-system coredns-85cb69466-vcq7j 1/1 Running 0 74s\n"})}),"\n",(0,i.jsxs)(n.p,{children:["If Traefik had already been deployed prior to creating the ",(0,i.jsx)(n.code,{children:"traefik.skip"})," file, Traefik would stay as-is, and would not be affected by future updates when K3s is upgraded."]}),"\n",(0,i.jsx)(n.h2,{id:"helm-addons",children:"Helm AddOns"}),"\n",(0,i.jsxs)(n.p,{children:["For information about managing Helm charts via auto-deploying manifests, refer to the section about ",(0,i.jsx)(n.a,{href:"/zh/helm",children:"Helm."})]})]})}function h(e={}){const{wrapper:n}={...(0,t.a)(),...e.components};return n?(0,i.jsx)(n,{...e,children:(0,i.jsx)(c,{...e})}):c(e)}},1151:(e,n,s)=>{s.d(n,{Z:()=>r,a:()=>o});var i=s(7294);const t={},a=i.createContext(t);function o(e){const n=i.useContext(a);return i.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function r(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:o(e.components),i.createElement(a.Provider,{value:n},e.children)}}}]); \ No newline at end of file +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7355],{506:(e,n,s)=>{s.r(n),s.d(n,{assets:()=>d,contentTitle:()=>o,default:()=>h,frontMatter:()=>a,metadata:()=>r,toc:()=>l});var i=s(5893),t=s(1151);const a={title:"Managing Packaged Components"},o=void 0,r={id:"installation/packaged-components",title:"Managing Packaged Components",description:"Auto-Deploying Manifests (AddOns)",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/installation/packaged-components.md",sourceDirName:"installation",slug:"/installation/packaged-components",permalink:"/kr/installation/packaged-components",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/packaged-components.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Managing Packaged Components"},sidebar:"mySidebar",previous:{title:"Managing Server Roles",permalink:"/kr/installation/server-roles"},next:{title:"Uninstalling K3s",permalink:"/kr/installation/uninstall"}},d={},l=[{value:"Auto-Deploying Manifests (AddOns)",id:"auto-deploying-manifests-addons",level:2},{value:"Packaged Components",id:"packaged-components",level:3},{value:"User AddOns",id:"user-addons",level:3},{value:"File Naming Requirements",id:"file-naming-requirements",level:4},{value:"Disabling Manifests",id:"disabling-manifests",level:2},{value:"Using the --disable flag",id:"using-the---disable-flag",level:3},{value:"Using .skip files",id:"using-skip-files",level:3},{value:"Helm AddOns",id:"helm-addons",level:2}];function c(e){const n={a:"a",admonition:"admonition",blockquote:"blockquote",code:"code",h2:"h2",h3:"h3",h4:"h4",p:"p",pre:"pre",...(0,t.a)(),...e.components};return(0,i.jsxs)(i.Fragment,{children:[(0,i.jsx)(n.h2,{id:"auto-deploying-manifests-addons",children:"Auto-Deploying Manifests (AddOns)"}),"\n",(0,i.jsxs)(n.p,{children:["On server nodes, any file found in ",(0,i.jsx)(n.code,{children:"/var/lib/rancher/k3s/server/manifests"})," will automatically be deployed to Kubernetes in a manner similar to ",(0,i.jsx)(n.code,{children:"kubectl apply"}),", both on startup and when the file is changed on disk. Deleting files out of this directory will not delete the corresponding resources from the cluster."]}),"\n",(0,i.jsxs)(n.p,{children:["Manifests are tracked as ",(0,i.jsx)(n.code,{children:"AddOn"})," custom resources in the ",(0,i.jsx)(n.code,{children:"kube-system"})," namespace. Any errors or warnings encountered when applying the manifest file may seen by using ",(0,i.jsx)(n.code,{children:"kubectl describe"})," on the corresponding ",(0,i.jsx)(n.code,{children:"AddOn"}),", or by using ",(0,i.jsx)(n.code,{children:"kubectl get event -n kube-system"})," to view all events for that namespace, including those from the deploy controller."]}),"\n",(0,i.jsx)(n.h3,{id:"packaged-components",children:"Packaged Components"}),"\n",(0,i.jsxs)(n.p,{children:["K3s comes with a number of packaged components that are deployed as AddOns via the manifests directory: ",(0,i.jsx)(n.code,{children:"coredns"}),", ",(0,i.jsx)(n.code,{children:"traefik"}),", ",(0,i.jsx)(n.code,{children:"local-storage"}),", and ",(0,i.jsx)(n.code,{children:"metrics-server"}),". The embedded ",(0,i.jsx)(n.code,{children:"servicelb"})," LoadBalancer controller does not have a manifest file, but can be disabled as if it were an ",(0,i.jsx)(n.code,{children:"AddOn"})," for historical reasons."]}),"\n",(0,i.jsx)(n.p,{children:"Manifests for packaged components are managed by K3s, and should not be altered. The files are re-written to disk whenever K3s is started, in order to ensure their integrity."}),"\n",(0,i.jsx)(n.h3,{id:"user-addons",children:"User AddOns"}),"\n",(0,i.jsxs)(n.p,{children:["You may place additional files in the manifests directory for deployment as an ",(0,i.jsx)(n.code,{children:"AddOn"}),". Each file may contain multiple Kubernetes resources, delmited by the ",(0,i.jsx)(n.code,{children:"---"})," YAML document separator. For more information on organizing resources in manifests, see the ",(0,i.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/cluster-administration/manage-deployment/",children:"Managing Resources"})," section of the Kubernetes documentation."]}),"\n",(0,i.jsx)(n.h4,{id:"file-naming-requirements",children:"File Naming Requirements"}),"\n",(0,i.jsxs)(n.p,{children:["The ",(0,i.jsx)(n.code,{children:"AddOn"})," name for each file in the manifest directory is derived from the file basename.\nEnsure that all files within the manifests directory (or within any subdirectories) have names that are unique, and adhere to Kubernetes ",(0,i.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/overview/working-with-objects/names/",children:"object naming restrictions"}),".\nCare should also be taken not to conflict with names in use by the default K3s packaged components, even if those components are disabled."]}),"\n",(0,i.jsx)(n.p,{children:"Here is en example of an error that would be reported if the file name contains underscores:"}),"\n",(0,i.jsxs)(n.blockquote,{children:["\n",(0,i.jsx)(n.p,{children:(0,i.jsx)(n.code,{children:"Failed to process config: failed to process /var/lib/rancher/k3s/server/manifests/example_manifest.yaml: Addon.k3s.cattle.io \"example_manifest\" is invalid: metadata.name: Invalid value: \"example_manifest\": a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')"})}),"\n"]}),"\n",(0,i.jsx)(n.admonition,{type:"danger",children:(0,i.jsx)(n.p,{children:"If you have multiple server nodes, and place additional AddOn manifests on more than one server, it is your responsibility to ensure that files stay in sync across those nodes. K3s does not sync AddOn content between nodes, and cannot guarantee correct behavior if different servers attempt to deploy conflicting manifests."})}),"\n",(0,i.jsx)(n.h2,{id:"disabling-manifests",children:"Disabling Manifests"}),"\n",(0,i.jsx)(n.p,{children:"There are two ways to disable deployment of specific content from the manifests directory."}),"\n",(0,i.jsxs)(n.h3,{id:"using-the---disable-flag",children:["Using the ",(0,i.jsx)(n.code,{children:"--disable"})," flag"]}),"\n",(0,i.jsxs)(n.p,{children:["The AddOns for packaged components listed above, in addition to AddOns for any additional manifests placed in the ",(0,i.jsx)(n.code,{children:"manifests"})," directory, can be disabled with the ",(0,i.jsx)(n.code,{children:"--disable"})," flag. Disabled AddOns are actively uninstalled from the cluster, and the source files deleted from the ",(0,i.jsx)(n.code,{children:"manifests"})," directory."]}),"\n",(0,i.jsxs)(n.p,{children:["For example, to disable traefik from being installed on a new cluster, or to uninstall it and remove the manifest from an existing cluster, you can start K3s with ",(0,i.jsx)(n.code,{children:"--disable=traefik"}),". Multiple items can be disabled by separating their names with commas, or by repeating the flag."]}),"\n",(0,i.jsx)(n.h3,{id:"using-skip-files",children:"Using .skip files"}),"\n",(0,i.jsxs)(n.p,{children:["For any file under ",(0,i.jsx)(n.code,{children:"/var/lib/rancher/k3s/server/manifests"}),", you can create a ",(0,i.jsx)(n.code,{children:".skip"})," file which will cause K3s to ignore the corresponding manifest. The contents of the ",(0,i.jsx)(n.code,{children:".skip"})," file do not matter, only its existence is checked. Note that creating a ",(0,i.jsx)(n.code,{children:".skip"})," file after an AddOn has already been created will not remove or otherwise modify it or the resources it created; the file is simply treated as if it did not exist."]}),"\n",(0,i.jsxs)(n.p,{children:["For example, creating an empty ",(0,i.jsx)(n.code,{children:"traefik.yaml.skip"})," file in the manifests directory before K3s is started the first time, will cause K3s to skip deploying ",(0,i.jsx)(n.code,{children:"traefik.yaml"}),":"]}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-bash",children:"$ ls /var/lib/rancher/k3s/server/manifests\nccm.yaml local-storage.yaml rolebindings.yaml traefik.yaml.skip\ncoredns.yaml traefik.yaml\n\n$ kubectl get pods -A\nNAMESPACE NAME READY STATUS RESTARTS AGE\nkube-system local-path-provisioner-64ffb68fd-xx98j 1/1 Running 0 74s\nkube-system metrics-server-5489f84d5d-7zwkt 1/1 Running 0 74s\nkube-system coredns-85cb69466-vcq7j 1/1 Running 0 74s\n"})}),"\n",(0,i.jsxs)(n.p,{children:["If Traefik had already been deployed prior to creating the ",(0,i.jsx)(n.code,{children:"traefik.skip"})," file, Traefik would stay as-is, and would not be affected by future updates when K3s is upgraded."]}),"\n",(0,i.jsx)(n.h2,{id:"helm-addons",children:"Helm AddOns"}),"\n",(0,i.jsxs)(n.p,{children:["For information about managing Helm charts via auto-deploying manifests, refer to the section about ",(0,i.jsx)(n.a,{href:"/kr/helm",children:"Helm."})]})]})}function h(e={}){const{wrapper:n}={...(0,t.a)(),...e.components};return n?(0,i.jsx)(n,{...e,children:(0,i.jsx)(c,{...e})}):c(e)}},1151:(e,n,s)=>{s.d(n,{Z:()=>r,a:()=>o});var i=s(7294);const t={},a=i.createContext(t);function o(e){const n=i.useContext(a);return i.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function r(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:o(e.components),i.createElement(a.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/5133fc91.27f5d387.js b/kr/assets/js/5133fc91.27f5d387.js deleted file mode 100644 index b73809d8e..000000000 --- a/kr/assets/js/5133fc91.27f5d387.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7355],{506:(e,n,s)=>{s.r(n),s.d(n,{assets:()=>d,contentTitle:()=>o,default:()=>h,frontMatter:()=>a,metadata:()=>r,toc:()=>l});var i=s(5893),t=s(1151);const a={title:"Managing Packaged Components"},o=void 0,r={id:"installation/packaged-components",title:"Managing Packaged Components",description:"Auto-Deploying Manifests (AddOns)",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/installation/packaged-components.md",sourceDirName:"installation",slug:"/installation/packaged-components",permalink:"/kr/installation/packaged-components",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/packaged-components.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Managing Packaged Components"},sidebar:"mySidebar",previous:{title:"Managing Server Roles",permalink:"/kr/installation/server-roles"},next:{title:"Uninstalling K3s",permalink:"/kr/installation/uninstall"}},d={},l=[{value:"Auto-Deploying Manifests (AddOns)",id:"auto-deploying-manifests-addons",level:2},{value:"Packaged Components",id:"packaged-components",level:3},{value:"User AddOns",id:"user-addons",level:3},{value:"File Naming Requirements",id:"file-naming-requirements",level:4},{value:"Disabling Manifests",id:"disabling-manifests",level:2},{value:"Using the --disable flag",id:"using-the---disable-flag",level:3},{value:"Using .skip files",id:"using-skip-files",level:3},{value:"Helm AddOns",id:"helm-addons",level:2}];function c(e){const n={a:"a",admonition:"admonition",blockquote:"blockquote",code:"code",h2:"h2",h3:"h3",h4:"h4",p:"p",pre:"pre",...(0,t.a)(),...e.components};return(0,i.jsxs)(i.Fragment,{children:[(0,i.jsx)(n.h2,{id:"auto-deploying-manifests-addons",children:"Auto-Deploying Manifests (AddOns)"}),"\n",(0,i.jsxs)(n.p,{children:["On server nodes, any file found in ",(0,i.jsx)(n.code,{children:"/var/lib/rancher/k3s/server/manifests"})," will automatically be deployed to Kubernetes in a manner similar to ",(0,i.jsx)(n.code,{children:"kubectl apply"}),", both on startup and when the file is changed on disk. Deleting files out of this directory will not delete the corresponding resources from the cluster."]}),"\n",(0,i.jsxs)(n.p,{children:["Manifests are tracked as ",(0,i.jsx)(n.code,{children:"AddOn"})," custom resources in the ",(0,i.jsx)(n.code,{children:"kube-system"})," namespace. Any errors or warnings encountered when applying the manifest file may seen by using ",(0,i.jsx)(n.code,{children:"kubectl describe"})," on the corresponding ",(0,i.jsx)(n.code,{children:"AddOn"}),", or by using ",(0,i.jsx)(n.code,{children:"kubectl get event -n kube-system"})," to view all events for that namespace, including those from the deploy controller."]}),"\n",(0,i.jsx)(n.h3,{id:"packaged-components",children:"Packaged Components"}),"\n",(0,i.jsxs)(n.p,{children:["K3s comes with a number of packaged components that are deployed as AddOns via the manifests directory: ",(0,i.jsx)(n.code,{children:"coredns"}),", ",(0,i.jsx)(n.code,{children:"traefik"}),", ",(0,i.jsx)(n.code,{children:"local-storage"}),", and ",(0,i.jsx)(n.code,{children:"metrics-server"}),". The embedded ",(0,i.jsx)(n.code,{children:"servicelb"})," LoadBalancer controller does not have a manifest file, but can be disabled as if it were an ",(0,i.jsx)(n.code,{children:"AddOn"})," for historical reasons."]}),"\n",(0,i.jsx)(n.p,{children:"Manifests for packaged components are managed by K3s, and should not be altered. The files are re-written to disk whenever K3s is started, in order to ensure their integrity."}),"\n",(0,i.jsx)(n.h3,{id:"user-addons",children:"User AddOns"}),"\n",(0,i.jsxs)(n.p,{children:["You may place additional files in the manifests directory for deployment as an ",(0,i.jsx)(n.code,{children:"AddOn"}),". Each file may contain multiple Kubernetes resources, delmited by the ",(0,i.jsx)(n.code,{children:"---"})," YAML document separator. For more information on organizing resources in manifests, see the ",(0,i.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/cluster-administration/manage-deployment/",children:"Managing Resources"})," section of the Kubernetes documentation."]}),"\n",(0,i.jsx)(n.h4,{id:"file-naming-requirements",children:"File Naming Requirements"}),"\n",(0,i.jsxs)(n.p,{children:["The ",(0,i.jsx)(n.code,{children:"AddOn"})," name for each file in the manifest directory is derived from the file basename.\nEnsure that all files within the manifests directory (or within any subdirectories) have names that are unique, and adhere to Kubernetes ",(0,i.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/overview/working-with-objects/names/",children:"object naming restrictions"}),".\nCare should also be taken not to conflict with names in use by the default K3s packaged components, even if those components are disabled."]}),"\n",(0,i.jsx)(n.p,{children:"Here is en example of an error that would be reported if the file name contains underscores:"}),"\n",(0,i.jsxs)(n.blockquote,{children:["\n",(0,i.jsx)(n.p,{children:(0,i.jsx)(n.code,{children:"Failed to process config: failed to process /var/lib/rancher/k3s/server/manifests/example_manifest.yaml: Addon.k3s.cattle.io \"example_manifest\" is invalid: metadata.name: Invalid value: \"example_manifest\": a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')"})}),"\n"]}),"\n",(0,i.jsx)(n.admonition,{type:"danger",children:(0,i.jsx)(n.p,{children:"If you have multiple server nodes, and place additional AddOn manifests on more than one server, it is your responsibility to ensure that files stay in sync across those nodes. K3s does not sync AddOn content between nodes, and cannot guarantee correct behavior if different servers attempt to deploy conflicting manifests."})}),"\n",(0,i.jsx)(n.h2,{id:"disabling-manifests",children:"Disabling Manifests"}),"\n",(0,i.jsx)(n.p,{children:"There are two ways to disable deployment of specific content from the manifests directory."}),"\n",(0,i.jsxs)(n.h3,{id:"using-the---disable-flag",children:["Using the ",(0,i.jsx)(n.code,{children:"--disable"})," flag"]}),"\n",(0,i.jsxs)(n.p,{children:["The AddOns for packaged components listed above, in addition to AddOns for any additional manifests placed in the ",(0,i.jsx)(n.code,{children:"manifests"})," directory, can be disabled with the ",(0,i.jsx)(n.code,{children:"--disable"})," flag. Disabled AddOns are actively uninstalled from the cluster, and the source files deleted from the ",(0,i.jsx)(n.code,{children:"manifests"})," directory."]}),"\n",(0,i.jsxs)(n.p,{children:["For example, to disable traefik from being installed on a new cluster, or to uninstall it and remove the manifest from an existing cluster, you can start K3s with ",(0,i.jsx)(n.code,{children:"--disable=traefik"}),". Multiple items can be disabled by separating their names with commas, or by repeating the flag."]}),"\n",(0,i.jsx)(n.h3,{id:"using-skip-files",children:"Using .skip files"}),"\n",(0,i.jsxs)(n.p,{children:["For any file under ",(0,i.jsx)(n.code,{children:"/var/lib/rancher/k3s/server/manifests"}),", you can create a ",(0,i.jsx)(n.code,{children:".skip"})," file which will cause K3s to ignore the corresponding manifest. The contents of the ",(0,i.jsx)(n.code,{children:".skip"})," file do not matter, only its existence is checked. Note that creating a ",(0,i.jsx)(n.code,{children:".skip"})," file after an AddOn has already been created will not remove or otherwise modify it or the resources it created; the file is simply treated as if it did not exist."]}),"\n",(0,i.jsxs)(n.p,{children:["For example, creating an empty ",(0,i.jsx)(n.code,{children:"traefik.yaml.skip"})," file in the manifests directory before K3s is started the first time, will cause K3s to skip deploying ",(0,i.jsx)(n.code,{children:"traefik.yaml"}),":"]}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-bash",children:"$ ls /var/lib/rancher/k3s/server/manifests\nccm.yaml local-storage.yaml rolebindings.yaml traefik.yaml.skip\ncoredns.yaml traefik.yaml\n\n$ kubectl get pods -A\nNAMESPACE NAME READY STATUS RESTARTS AGE\nkube-system local-path-provisioner-64ffb68fd-xx98j 1/1 Running 0 74s\nkube-system metrics-server-5489f84d5d-7zwkt 1/1 Running 0 74s\nkube-system coredns-85cb69466-vcq7j 1/1 Running 0 74s\n"})}),"\n",(0,i.jsxs)(n.p,{children:["If Traefik had already been deployed prior to creating the ",(0,i.jsx)(n.code,{children:"traefik.skip"})," file, Traefik would stay as-is, and would not be affected by future updates when K3s is upgraded."]}),"\n",(0,i.jsx)(n.h2,{id:"helm-addons",children:"Helm AddOns"}),"\n",(0,i.jsxs)(n.p,{children:["For information about managing Helm charts via auto-deploying manifests, refer to the section about ",(0,i.jsx)(n.a,{href:"/kr/helm",children:"Helm."})]})]})}function h(e={}){const{wrapper:n}={...(0,t.a)(),...e.components};return n?(0,i.jsx)(n,{...e,children:(0,i.jsx)(c,{...e})}):c(e)}},1151:(e,n,s)=>{s.d(n,{Z:()=>r,a:()=>o});var i=s(7294);const t={},a=i.createContext(t);function o(e){const n=i.useContext(a);return i.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function r(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:o(e.components),i.createElement(a.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/5e95c892.34e77302.js b/kr/assets/js/5e95c892.06469c98.js similarity index 63% rename from kr/assets/js/5e95c892.34e77302.js rename to kr/assets/js/5e95c892.06469c98.js index 95c3dcfbe..d698b1a49 100644 --- a/kr/assets/js/5e95c892.34e77302.js +++ b/kr/assets/js/5e95c892.06469c98.js @@ -1 +1 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[9661],{1892:(s,e,r)=>{r.r(e),r.d(e,{default:()=>t});r(7294);var c=r(512),u=r(1944),a=r(5281),d=r(8790),k=r(2315),n=r(5893);function t(s){return(0,n.jsx)(u.FG,{className:(0,c.Z)(a.k.wrapper.docsPages),children:(0,n.jsx)(k.Z,{children:(0,d.H)(s.route.routes)})})}}}]); \ No newline at end of file +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[9661],{1892:(s,e,r)=>{r.r(e),r.d(e,{default:()=>t});r(7294);var c=r(512),u=r(1944),a=r(5281),d=r(8790),k=r(8947),n=r(5893);function t(s){return(0,n.jsx)(u.FG,{className:(0,c.Z)(a.k.wrapper.docsPages),children:(0,n.jsx)(k.Z,{children:(0,d.H)(s.route.routes)})})}}}]); \ No newline at end of file diff --git a/kr/assets/js/609981e6.2001baf2.js b/kr/assets/js/609981e6.2001baf2.js deleted file mode 100644 index 3ad4ab325..000000000 --- a/kr/assets/js/609981e6.2001baf2.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[2466],{509:(e,r,i)=>{i.r(r),i.d(r,{assets:()=>l,contentTitle:()=>o,default:()=>h,frontMatter:()=>s,metadata:()=>a,toc:()=>d});var t=i(5893),n=i(1151);const s={title:"Private Registry Configuration"},o=void 0,a={id:"installation/private-registry",title:"Private Registry Configuration",description:"Containerd can be configured to connect to private registries and use them to pull images as needed by the kubelet.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/installation/private-registry.md",sourceDirName:"installation",slug:"/installation/private-registry",permalink:"/kr/installation/private-registry",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/private-registry.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Private Registry Configuration"},sidebar:"mySidebar",previous:{title:"Configuration Options",permalink:"/kr/installation/configuration"},next:{title:"Embedded Registry Mirror",permalink:"/kr/installation/registry-mirror"}},l={},d=[{value:"Default Endpoint Fallback",id:"default-endpoint-fallback",level:2},{value:"Registries Configuration File",id:"registries-configuration-file",level:2},{value:"Mirrors",id:"mirrors",level:3},{value:"Redirects",id:"redirects",level:4},{value:"Rewrites",id:"rewrites",level:4},{value:"Configs",id:"configs",level:3},{value:"With TLS",id:"with-tls",level:3},{value:"Without TLS",id:"without-tls",level:3},{value:"Troubleshooting Image Pulls",id:"troubleshooting-image-pulls",level:2},{value:"Adding Images to the Private Registry",id:"adding-images-to-the-private-registry",level:2}];function c(e){const r={a:"a",admonition:"admonition",blockquote:"blockquote",br:"br",code:"code",em:"em",h2:"h2",h3:"h3",h4:"h4",li:"li",ol:"ol",p:"p",pre:"pre",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,n.a)(),...e.components},{TabItem:i,Tabs:s}=r;return i||u("TabItem",!0),s||u("Tabs",!0),(0,t.jsxs)(t.Fragment,{children:[(0,t.jsx)(r.p,{children:"Containerd can be configured to connect to private registries and use them to pull images as needed by the kubelet."}),"\n",(0,t.jsxs)(r.p,{children:["Upon startup, K3s will check to see if ",(0,t.jsx)(r.code,{children:"/etc/rancher/k3s/registries.yaml"})," exists. If so, the registry configuration contained in this file is used when generating the containerd configuration."]}),"\n",(0,t.jsxs)(r.ul,{children:["\n",(0,t.jsxs)(r.li,{children:["If you want to use a private registry as a mirror for a public registry such as docker.io, then you will need to configure ",(0,t.jsx)(r.code,{children:"registries.yaml"})," on each node that you want to use the mirror."]}),"\n",(0,t.jsxs)(r.li,{children:["If your private registry requires authentication, uses custom TLS certificates, or does not use TLS, you will need to configure ",(0,t.jsx)(r.code,{children:"registries.yaml"})," on each node that will pull images from your registry."]}),"\n"]}),"\n",(0,t.jsxs)(r.p,{children:["Note that server nodes are schedulable by default. If you have not tainted the server nodes and will be running workloads on them,\nplease ensure you also create the ",(0,t.jsx)(r.code,{children:"registries.yaml"})," file on each server as well."]}),"\n",(0,t.jsx)(r.h2,{id:"default-endpoint-fallback",children:"Default Endpoint Fallback"}),"\n",(0,t.jsxs)(r.p,{children:['Containerd has an implicit "default endpoint" for all registries.\nThe default endpoint is always tried as a last resort, even if there are other endpoints listed for that registry in ',(0,t.jsx)(r.code,{children:"registries.yaml"}),".\nFor example, when pulling ",(0,t.jsx)(r.code,{children:"registry.example.com:5000/rancher/mirrored-pause:3.6"}),", containerd will use a default endpoint of ",(0,t.jsx)(r.code,{children:"https://registry.example.com:5000/v2"}),"."]}),"\n",(0,t.jsxs)(r.ul,{children:["\n",(0,t.jsxs)(r.li,{children:["The default endpoint for ",(0,t.jsx)(r.code,{children:"docker.io"})," is ",(0,t.jsx)(r.code,{children:"https://index.docker.io/v2"}),"."]}),"\n",(0,t.jsxs)(r.li,{children:["The default endpoint for all other registries is ",(0,t.jsx)(r.code,{children:"https:///v2"}),", where ",(0,t.jsx)(r.code,{children:""})," is the registry hostname and optional port."]}),"\n"]}),"\n",(0,t.jsxs)(r.p,{children:["In order to be recognized as a registry, the first component of the image name must contain at least one period or colon.\nFor historical reasons, images without a registry specified in their name are implicitly identified as being from ",(0,t.jsx)(r.code,{children:"docker.io"}),"."]}),"\n",(0,t.jsx)(r.admonition,{title:"Version Gate",type:"info",children:(0,t.jsxs)(r.p,{children:["The ",(0,t.jsx)(r.code,{children:"--disable-default-registry-endpoint"})," option is available as an experimental feature as of January 2024 releases: v1.26.13+k3s1, v1.27.10+k3s1, v1.28.6+k3s1, v1.29.1+k3s1"]})}),"\n",(0,t.jsxs)(r.p,{children:["Nodes may be started with the ",(0,t.jsx)(r.code,{children:"--disable-default-registry-endpoint"})," option.\nWhen this is set, containerd will not fall back to the default registry endpoint, and will only pull from configured mirror endpoints,\nalong with the distributed registry if it is enabled."]}),"\n",(0,t.jsx)(r.p,{children:"This may be desired if your cluster is in a true air-gapped environment where the upstream registry is not available,\nor if you wish to have only some nodes pull from the upstream registry."}),"\n",(0,t.jsxs)(r.p,{children:["Disabling the default registry endpoint applies only to registries configured via ",(0,t.jsx)(r.code,{children:"registries.yaml"}),".\nIf the registry is not explicitly configured via mirror entry in ",(0,t.jsx)(r.code,{children:"registries.yaml"}),", the default fallback behavior will still be used."]}),"\n",(0,t.jsx)(r.h2,{id:"registries-configuration-file",children:"Registries Configuration File"}),"\n",(0,t.jsx)(r.p,{children:"The file consists of two top-level keys, with subkeys for each registry:"}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:"mirrors:\n :\n endpoint:\n - https:///v2\nconfigs:\n :\n auth:\n username: \n password: \n token: \n tls:\n ca_file: \n cert_file: \n key_file: \n insecure_skip_verify: \n"})}),"\n",(0,t.jsx)(r.h3,{id:"mirrors",children:"Mirrors"}),"\n",(0,t.jsx)(r.p,{children:"The mirrors section defines the names and endpoints of registries, for example:"}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'mirrors:\n registry.example.com:\n endpoint:\n - "https://registry.example.com:5000"\n'})}),"\n",(0,t.jsx)(r.p,{children:"Each mirror must have a name and set of endpoints. When pulling an image from a registry, containerd will try these endpoint URLs, plus the default endpoint, and use the first working one."}),"\n",(0,t.jsx)(r.h4,{id:"redirects",children:"Redirects"}),"\n",(0,t.jsxs)(r.p,{children:["If the private registry is used as a mirror for another registry, such as when configuring a ",(0,t.jsx)(r.a,{href:"https://docs.docker.com/registry/recipes/mirror/",children:"pull through cache"}),",\nimages pulls are transparently redirected to the listed endpoints. The original registry name is passed to the mirror endpoint via the ",(0,t.jsx)(r.code,{children:"ns"})," query parameter."]}),"\n",(0,t.jsxs)(r.p,{children:["For example, if you have a mirror configured for ",(0,t.jsx)(r.code,{children:"docker.io"}),":"]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:'mirrors:\n docker.io:\n endpoint:\n - "https://registry.example.com:5000"\n'})}),"\n",(0,t.jsxs)(r.p,{children:["Then pulling ",(0,t.jsx)(r.code,{children:"docker.io/rancher/mirrored-pause:3.6"})," will transparently pull the image as ",(0,t.jsx)(r.code,{children:"registry.example.com:5000/rancher/mirrored-pause:3.6"}),"."]}),"\n",(0,t.jsx)(r.h4,{id:"rewrites",children:"Rewrites"}),"\n",(0,t.jsx)(r.p,{children:"Each mirror can have a set of rewrites. Rewrites can change the name of an image based on regular expressions.\nThis is useful if the organization/project structure in the private registry is different than the registry it is mirroring."}),"\n",(0,t.jsxs)(r.p,{children:["For example, the following configuration would transparently pull the image ",(0,t.jsx)(r.code,{children:"docker.io/rancher/mirrored-pause:3.6"})," as ",(0,t.jsx)(r.code,{children:"registry.example.com:5000/mirrorproject/rancher-images/mirrored-pause:3.6"}),":"]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'mirrors:\n docker.io:\n endpoint:\n - "https://registry.example.com:5000"\n rewrite:\n "^rancher/(.*)": "mirrorproject/rancher-images/$1"\n'})}),"\n",(0,t.jsxs)(r.p,{children:["When using redirects and rewrites, images will still be stored under the original name.\nFor example, ",(0,t.jsx)(r.code,{children:"crictl image ls"})," will show ",(0,t.jsx)(r.code,{children:"docker.io/rancher/mirrored-pause:3.6"})," as available on the node, even though the image was pulled from the mirrored registry with a different name."]}),"\n",(0,t.jsx)(r.h3,{id:"configs",children:"Configs"}),"\n",(0,t.jsxs)(r.p,{children:["The ",(0,t.jsx)(r.code,{children:"configs"})," section defines the TLS and credential configuration for each mirror. For each mirror you can define ",(0,t.jsx)(r.code,{children:"auth"})," and/or ",(0,t.jsx)(r.code,{children:"tls"}),"."]}),"\n",(0,t.jsxs)(r.p,{children:["The ",(0,t.jsx)(r.code,{children:"tls"})," part consists of:"]}),"\n",(0,t.jsxs)(r.table,{children:[(0,t.jsx)(r.thead,{children:(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.th,{children:"Directive"}),(0,t.jsx)(r.th,{children:"Description"})]})}),(0,t.jsxs)(r.tbody,{children:[(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.td,{children:(0,t.jsx)(r.code,{children:"cert_file"})}),(0,t.jsx)(r.td,{children:"The client certificate path that will be used to authenticate with the registry"})]}),(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.td,{children:(0,t.jsx)(r.code,{children:"key_file"})}),(0,t.jsx)(r.td,{children:"The client key path that will be used to authenticate with the registry"})]}),(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.td,{children:(0,t.jsx)(r.code,{children:"ca_file"})}),(0,t.jsx)(r.td,{children:"Defines the CA certificate path to be used to verify the registry's server cert file"})]}),(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.td,{children:(0,t.jsx)(r.code,{children:"insecure_skip_verify"})}),(0,t.jsx)(r.td,{children:"Boolean that defines if TLS verification should be skipped for the registry"})]})]})]}),"\n",(0,t.jsxs)(r.p,{children:["The ",(0,t.jsx)(r.code,{children:"auth"})," part consists of either username/password or authentication token:"]}),"\n",(0,t.jsxs)(r.table,{children:[(0,t.jsx)(r.thead,{children:(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.th,{children:"Directive"}),(0,t.jsx)(r.th,{children:"Description"})]})}),(0,t.jsxs)(r.tbody,{children:[(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.td,{children:(0,t.jsx)(r.code,{children:"username"})}),(0,t.jsx)(r.td,{children:"user name of the private registry basic auth"})]}),(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.td,{children:(0,t.jsx)(r.code,{children:"password"})}),(0,t.jsx)(r.td,{children:"user password of the private registry basic auth"})]}),(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.td,{children:(0,t.jsx)(r.code,{children:"auth"})}),(0,t.jsx)(r.td,{children:"authentication token of the private registry basic auth"})]})]})]}),"\n",(0,t.jsx)(r.p,{children:"Below are basic examples of using private registries in different modes:"}),"\n",(0,t.jsx)(r.h3,{id:"with-tls",children:"With TLS"}),"\n",(0,t.jsxs)(r.p,{children:["Below are examples showing how you may configure ",(0,t.jsx)(r.code,{children:"/etc/rancher/k3s/registries.yaml"})," on each node when using TLS."]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)(i,{value:"With Authentication",children:(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:'mirrors:\n docker.io:\n endpoint:\n - "https://registry.example.com:5000"\nconfigs:\n "registry.example.com:5000":\n auth:\n username: xxxxxx # this is the registry username\n password: xxxxxx # this is the registry password\n tls:\n cert_file: # path to the cert file used in the registry\n key_file: # path to the key file used in the registry\n ca_file: # path to the ca file used in the registry\n'})})}),(0,t.jsx)(i,{value:"Without Authentication",children:(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:'mirrors:\n docker.io:\n endpoint:\n - "https://registry.example.com:5000"\nconfigs:\n "registry.example.com:5000":\n tls:\n cert_file: # path to the cert file used in the registry\n key_file: # path to the key file used in the registry\n ca_file: # path to the ca file used in the registry\n'})})})]}),"\n",(0,t.jsx)(r.h3,{id:"without-tls",children:"Without TLS"}),"\n",(0,t.jsxs)(r.p,{children:["Below are examples showing how you may configure ",(0,t.jsx)(r.code,{children:"/etc/rancher/k3s/registries.yaml"})," on each node when ",(0,t.jsx)(r.em,{children:"not"})," using TLS."]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)(i,{value:"With Authentication",children:(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:'mirrors:\n docker.io:\n endpoint:\n - "http://registry.example.com:5000"\nconfigs:\n "registry.example.com:5000":\n auth:\n username: xxxxxx # this is the registry username\n password: xxxxxx # this is the registry password\n'})})}),(0,t.jsx)(i,{value:"Without Authentication",children:(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:'mirrors:\n docker.io:\n endpoint:\n - "http://registry.example.com:5000"\n'})})})]}),"\n",(0,t.jsxs)(r.blockquote,{children:["\n",(0,t.jsxs)(r.p,{children:["In case of no TLS communication, you need to specify ",(0,t.jsx)(r.code,{children:"http://"})," for the endpoints, otherwise it will default to https."]}),"\n"]}),"\n",(0,t.jsx)(r.p,{children:"In order for the registry changes to take effect, you need to restart K3s on each node."}),"\n",(0,t.jsx)(r.h2,{id:"troubleshooting-image-pulls",children:"Troubleshooting Image Pulls"}),"\n",(0,t.jsx)(r.p,{children:"When Kubernetes experiences problems pulling an image, the error displayed by the kubelet may only reflect the terminal error returned\nby the pull attempt made against the default endpoint, making it appear that the configured endpoints are not being used."}),"\n",(0,t.jsxs)(r.p,{children:["Check the containerd log on the node at ",(0,t.jsx)(r.code,{children:"/var/lib/rancher/k3s/agent/containerd/containerd.log"})," for detailed information on the root cause of the failure."]}),"\n",(0,t.jsx)(r.h2,{id:"adding-images-to-the-private-registry",children:"Adding Images to the Private Registry"}),"\n",(0,t.jsxs)(r.p,{children:["Mirroring images to a private registry requires a host with Docker or other 3rd party tooling that is capable of pulling and pushing images.",(0,t.jsx)(r.br,{}),"\n","The steps below assume you have a host with dockerd and the docker CLI tools, and access to both docker.io and your private registry."]}),"\n",(0,t.jsxs)(r.ol,{children:["\n",(0,t.jsxs)(r.li,{children:["Obtain the ",(0,t.jsx)(r.code,{children:"k3s-images.txt"})," file from GitHub for the release you are working with."]}),"\n",(0,t.jsxs)(r.li,{children:["Pull each of the K3s images listed on the k3s-images.txt file from docker.io.",(0,t.jsx)(r.br,{}),"\n","Example: ",(0,t.jsx)(r.code,{children:"docker pull docker.io/rancher/mirrored-pause:3.6"})]}),"\n",(0,t.jsxs)(r.li,{children:["Retag the images to the private registry.",(0,t.jsx)(r.br,{}),"\n","Example: ",(0,t.jsx)(r.code,{children:"docker tag docker.io/rancher/mirrored-pause:3.6 registry.example.com:5000/rancher/mirrored-pause:3.6"})]}),"\n",(0,t.jsxs)(r.li,{children:["Push the images to the private registry.",(0,t.jsx)(r.br,{}),"\n","Example: ",(0,t.jsx)(r.code,{children:"docker push registry.example.com:5000/rancher/mirrored-pause:3.6"})]}),"\n"]})]})}function h(e={}){const{wrapper:r}={...(0,n.a)(),...e.components};return r?(0,t.jsx)(r,{...e,children:(0,t.jsx)(c,{...e})}):c(e)}function u(e,r){throw new Error("Expected "+(r?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,r,i)=>{i.d(r,{Z:()=>a,a:()=>o});var t=i(7294);const n={},s=t.createContext(n);function o(e){const r=t.useContext(s);return t.useMemo((function(){return"function"==typeof e?e(r):{...r,...e}}),[r,e])}function a(e){let r;return r=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:o(e.components),t.createElement(s.Provider,{value:r},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/609981e6.8c1da051.js b/kr/assets/js/609981e6.8c1da051.js new file mode 100644 index 000000000..98f5f2f59 --- /dev/null +++ b/kr/assets/js/609981e6.8c1da051.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[2466],{509:(e,r,i)=>{i.r(r),i.d(r,{assets:()=>l,contentTitle:()=>o,default:()=>h,frontMatter:()=>s,metadata:()=>a,toc:()=>d});var t=i(5893),n=i(1151);const s={title:"Private Registry Configuration"},o=void 0,a={id:"installation/private-registry",title:"Private Registry Configuration",description:"Containerd can be configured to connect to private registries and use them to pull images as needed by the kubelet.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/installation/private-registry.md",sourceDirName:"installation",slug:"/installation/private-registry",permalink:"/kr/installation/private-registry",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/private-registry.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Private Registry Configuration"},sidebar:"mySidebar",previous:{title:"Configuration Options",permalink:"/kr/installation/configuration"},next:{title:"Embedded Registry Mirror",permalink:"/kr/installation/registry-mirror"}},l={},d=[{value:"Default Endpoint Fallback",id:"default-endpoint-fallback",level:2},{value:"Registries Configuration File",id:"registries-configuration-file",level:2},{value:"Mirrors",id:"mirrors",level:3},{value:"Redirects",id:"redirects",level:4},{value:"Rewrites",id:"rewrites",level:4},{value:"Configs",id:"configs",level:3},{value:"With TLS",id:"with-tls",level:3},{value:"Without TLS",id:"without-tls",level:3},{value:"Troubleshooting Image Pulls",id:"troubleshooting-image-pulls",level:2},{value:"Adding Images to the Private Registry",id:"adding-images-to-the-private-registry",level:2}];function c(e){const r={a:"a",admonition:"admonition",blockquote:"blockquote",br:"br",code:"code",em:"em",h2:"h2",h3:"h3",h4:"h4",li:"li",ol:"ol",p:"p",pre:"pre",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,n.a)(),...e.components},{TabItem:i,Tabs:s}=r;return i||u("TabItem",!0),s||u("Tabs",!0),(0,t.jsxs)(t.Fragment,{children:[(0,t.jsx)(r.p,{children:"Containerd can be configured to connect to private registries and use them to pull images as needed by the kubelet."}),"\n",(0,t.jsxs)(r.p,{children:["Upon startup, K3s will check to see if ",(0,t.jsx)(r.code,{children:"/etc/rancher/k3s/registries.yaml"})," exists. If so, the registry configuration contained in this file is used when generating the containerd configuration."]}),"\n",(0,t.jsxs)(r.ul,{children:["\n",(0,t.jsxs)(r.li,{children:["If you want to use a private registry as a mirror for a public registry such as docker.io, then you will need to configure ",(0,t.jsx)(r.code,{children:"registries.yaml"})," on each node that you want to use the mirror."]}),"\n",(0,t.jsxs)(r.li,{children:["If your private registry requires authentication, uses custom TLS certificates, or does not use TLS, you will need to configure ",(0,t.jsx)(r.code,{children:"registries.yaml"})," on each node that will pull images from your registry."]}),"\n"]}),"\n",(0,t.jsxs)(r.p,{children:["Note that server nodes are schedulable by default. If you have not tainted the server nodes and will be running workloads on them,\nplease ensure you also create the ",(0,t.jsx)(r.code,{children:"registries.yaml"})," file on each server as well."]}),"\n",(0,t.jsx)(r.h2,{id:"default-endpoint-fallback",children:"Default Endpoint Fallback"}),"\n",(0,t.jsxs)(r.p,{children:['Containerd has an implicit "default endpoint" for all registries.\nThe default endpoint is always tried as a last resort, even if there are other endpoints listed for that registry in ',(0,t.jsx)(r.code,{children:"registries.yaml"}),".\nFor example, when pulling ",(0,t.jsx)(r.code,{children:"registry.example.com:5000/rancher/mirrored-pause:3.6"}),", containerd will use a default endpoint of ",(0,t.jsx)(r.code,{children:"https://registry.example.com:5000/v2"}),"."]}),"\n",(0,t.jsxs)(r.ul,{children:["\n",(0,t.jsxs)(r.li,{children:["The default endpoint for ",(0,t.jsx)(r.code,{children:"docker.io"})," is ",(0,t.jsx)(r.code,{children:"https://index.docker.io/v2"}),"."]}),"\n",(0,t.jsxs)(r.li,{children:["The default endpoint for all other registries is ",(0,t.jsx)(r.code,{children:"https:///v2"}),", where ",(0,t.jsx)(r.code,{children:""})," is the registry hostname and optional port."]}),"\n"]}),"\n",(0,t.jsxs)(r.p,{children:["In order to be recognized as a registry, the first component of the image name must contain at least one period or colon.\nFor historical reasons, images without a registry specified in their name are implicitly identified as being from ",(0,t.jsx)(r.code,{children:"docker.io"}),"."]}),"\n",(0,t.jsx)(r.admonition,{title:"Version Gate",type:"info",children:(0,t.jsxs)(r.p,{children:["The ",(0,t.jsx)(r.code,{children:"--disable-default-registry-endpoint"})," option is available as an experimental feature as of January 2024 releases: v1.26.13+k3s1, v1.27.10+k3s1, v1.28.6+k3s1, v1.29.1+k3s1"]})}),"\n",(0,t.jsxs)(r.p,{children:["Nodes may be started with the ",(0,t.jsx)(r.code,{children:"--disable-default-registry-endpoint"})," option.\nWhen this is set, containerd will not fall back to the default registry endpoint, and will only pull from configured mirror endpoints,\nalong with the distributed registry if it is enabled."]}),"\n",(0,t.jsx)(r.p,{children:"This may be desired if your cluster is in a true air-gapped environment where the upstream registry is not available,\nor if you wish to have only some nodes pull from the upstream registry."}),"\n",(0,t.jsxs)(r.p,{children:["Disabling the default registry endpoint applies only to registries configured via ",(0,t.jsx)(r.code,{children:"registries.yaml"}),".\nIf the registry is not explicitly configured via mirror entry in ",(0,t.jsx)(r.code,{children:"registries.yaml"}),", the default fallback behavior will still be used."]}),"\n",(0,t.jsx)(r.h2,{id:"registries-configuration-file",children:"Registries Configuration File"}),"\n",(0,t.jsx)(r.p,{children:"The file consists of two top-level keys, with subkeys for each registry:"}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:"mirrors:\n :\n endpoint:\n - https:///v2\nconfigs:\n :\n auth:\n username: \n password: \n token: \n tls:\n ca_file: \n cert_file: \n key_file: \n insecure_skip_verify: \n"})}),"\n",(0,t.jsx)(r.h3,{id:"mirrors",children:"Mirrors"}),"\n",(0,t.jsx)(r.p,{children:"The mirrors section defines the names and endpoints of registries, for example:"}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'mirrors:\n registry.example.com:\n endpoint:\n - "https://registry.example.com:5000"\n'})}),"\n",(0,t.jsx)(r.p,{children:"Each mirror must have a name and set of endpoints. When pulling an image from a registry, containerd will try these endpoint URLs, plus the default endpoint, and use the first working one."}),"\n",(0,t.jsx)(r.h4,{id:"redirects",children:"Redirects"}),"\n",(0,t.jsxs)(r.p,{children:["If the private registry is used as a mirror for another registry, such as when configuring a ",(0,t.jsx)(r.a,{href:"https://docs.docker.com/registry/recipes/mirror/",children:"pull through cache"}),",\nimages pulls are transparently redirected to the listed endpoints. The original registry name is passed to the mirror endpoint via the ",(0,t.jsx)(r.code,{children:"ns"})," query parameter."]}),"\n",(0,t.jsxs)(r.p,{children:["For example, if you have a mirror configured for ",(0,t.jsx)(r.code,{children:"docker.io"}),":"]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:'mirrors:\n docker.io:\n endpoint:\n - "https://registry.example.com:5000"\n'})}),"\n",(0,t.jsxs)(r.p,{children:["Then pulling ",(0,t.jsx)(r.code,{children:"docker.io/rancher/mirrored-pause:3.6"})," will transparently pull the image as ",(0,t.jsx)(r.code,{children:"registry.example.com:5000/rancher/mirrored-pause:3.6"}),"."]}),"\n",(0,t.jsx)(r.h4,{id:"rewrites",children:"Rewrites"}),"\n",(0,t.jsx)(r.p,{children:"Each mirror can have a set of rewrites. Rewrites can change the name of an image based on regular expressions.\nThis is useful if the organization/project structure in the private registry is different than the registry it is mirroring."}),"\n",(0,t.jsxs)(r.p,{children:["For example, the following configuration would transparently pull the image ",(0,t.jsx)(r.code,{children:"docker.io/rancher/mirrored-pause:3.6"})," as ",(0,t.jsx)(r.code,{children:"registry.example.com:5000/mirrorproject/rancher-images/mirrored-pause:3.6"}),":"]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'mirrors:\n docker.io:\n endpoint:\n - "https://registry.example.com:5000"\n rewrite:\n "^rancher/(.*)": "mirrorproject/rancher-images/$1"\n'})}),"\n",(0,t.jsxs)(r.p,{children:["When using redirects and rewrites, images will still be stored under the original name.\nFor example, ",(0,t.jsx)(r.code,{children:"crictl image ls"})," will show ",(0,t.jsx)(r.code,{children:"docker.io/rancher/mirrored-pause:3.6"})," as available on the node, even though the image was pulled from the mirrored registry with a different name."]}),"\n",(0,t.jsx)(r.h3,{id:"configs",children:"Configs"}),"\n",(0,t.jsxs)(r.p,{children:["The ",(0,t.jsx)(r.code,{children:"configs"})," section defines the TLS and credential configuration for each mirror. For each mirror you can define ",(0,t.jsx)(r.code,{children:"auth"})," and/or ",(0,t.jsx)(r.code,{children:"tls"}),"."]}),"\n",(0,t.jsxs)(r.p,{children:["The ",(0,t.jsx)(r.code,{children:"tls"})," part consists of:"]}),"\n",(0,t.jsxs)(r.table,{children:[(0,t.jsx)(r.thead,{children:(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.th,{children:"Directive"}),(0,t.jsx)(r.th,{children:"Description"})]})}),(0,t.jsxs)(r.tbody,{children:[(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.td,{children:(0,t.jsx)(r.code,{children:"cert_file"})}),(0,t.jsx)(r.td,{children:"The client certificate path that will be used to authenticate with the registry"})]}),(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.td,{children:(0,t.jsx)(r.code,{children:"key_file"})}),(0,t.jsx)(r.td,{children:"The client key path that will be used to authenticate with the registry"})]}),(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.td,{children:(0,t.jsx)(r.code,{children:"ca_file"})}),(0,t.jsx)(r.td,{children:"Defines the CA certificate path to be used to verify the registry's server cert file"})]}),(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.td,{children:(0,t.jsx)(r.code,{children:"insecure_skip_verify"})}),(0,t.jsx)(r.td,{children:"Boolean that defines if TLS verification should be skipped for the registry"})]})]})]}),"\n",(0,t.jsxs)(r.p,{children:["The ",(0,t.jsx)(r.code,{children:"auth"})," part consists of either username/password or authentication token:"]}),"\n",(0,t.jsxs)(r.table,{children:[(0,t.jsx)(r.thead,{children:(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.th,{children:"Directive"}),(0,t.jsx)(r.th,{children:"Description"})]})}),(0,t.jsxs)(r.tbody,{children:[(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.td,{children:(0,t.jsx)(r.code,{children:"username"})}),(0,t.jsx)(r.td,{children:"user name of the private registry basic auth"})]}),(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.td,{children:(0,t.jsx)(r.code,{children:"password"})}),(0,t.jsx)(r.td,{children:"user password of the private registry basic auth"})]}),(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.td,{children:(0,t.jsx)(r.code,{children:"auth"})}),(0,t.jsx)(r.td,{children:"authentication token of the private registry basic auth"})]})]})]}),"\n",(0,t.jsx)(r.p,{children:"Below are basic examples of using private registries in different modes:"}),"\n",(0,t.jsx)(r.h3,{id:"with-tls",children:"With TLS"}),"\n",(0,t.jsxs)(r.p,{children:["Below are examples showing how you may configure ",(0,t.jsx)(r.code,{children:"/etc/rancher/k3s/registries.yaml"})," on each node when using TLS."]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)(i,{value:"With Authentication",children:(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:'mirrors:\n docker.io:\n endpoint:\n - "https://registry.example.com:5000"\nconfigs:\n "registry.example.com:5000":\n auth:\n username: xxxxxx # this is the registry username\n password: xxxxxx # this is the registry password\n tls:\n cert_file: # path to the cert file used in the registry\n key_file: # path to the key file used in the registry\n ca_file: # path to the ca file used in the registry\n'})})}),(0,t.jsx)(i,{value:"Without Authentication",children:(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:'mirrors:\n docker.io:\n endpoint:\n - "https://registry.example.com:5000"\nconfigs:\n "registry.example.com:5000":\n tls:\n cert_file: # path to the cert file used in the registry\n key_file: # path to the key file used in the registry\n ca_file: # path to the ca file used in the registry\n'})})})]}),"\n",(0,t.jsx)(r.h3,{id:"without-tls",children:"Without TLS"}),"\n",(0,t.jsxs)(r.p,{children:["Below are examples showing how you may configure ",(0,t.jsx)(r.code,{children:"/etc/rancher/k3s/registries.yaml"})," on each node when ",(0,t.jsx)(r.em,{children:"not"})," using TLS."]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)(i,{value:"With Authentication",children:(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:'mirrors:\n docker.io:\n endpoint:\n - "http://registry.example.com:5000"\nconfigs:\n "registry.example.com:5000":\n auth:\n username: xxxxxx # this is the registry username\n password: xxxxxx # this is the registry password\n'})})}),(0,t.jsx)(i,{value:"Without Authentication",children:(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:'mirrors:\n docker.io:\n endpoint:\n - "http://registry.example.com:5000"\n'})})})]}),"\n",(0,t.jsxs)(r.blockquote,{children:["\n",(0,t.jsxs)(r.p,{children:["In case of no TLS communication, you need to specify ",(0,t.jsx)(r.code,{children:"http://"})," for the endpoints, otherwise it will default to https."]}),"\n"]}),"\n",(0,t.jsx)(r.p,{children:"In order for the registry changes to take effect, you need to restart K3s on each node."}),"\n",(0,t.jsx)(r.h2,{id:"troubleshooting-image-pulls",children:"Troubleshooting Image Pulls"}),"\n",(0,t.jsx)(r.p,{children:"When Kubernetes experiences problems pulling an image, the error displayed by the kubelet may only reflect the terminal error returned\nby the pull attempt made against the default endpoint, making it appear that the configured endpoints are not being used."}),"\n",(0,t.jsxs)(r.p,{children:["Check the containerd log on the node at ",(0,t.jsx)(r.code,{children:"/var/lib/rancher/k3s/agent/containerd/containerd.log"})," for detailed information on the root cause of the failure."]}),"\n",(0,t.jsx)(r.h2,{id:"adding-images-to-the-private-registry",children:"Adding Images to the Private Registry"}),"\n",(0,t.jsxs)(r.p,{children:["Mirroring images to a private registry requires a host with Docker or other 3rd party tooling that is capable of pulling and pushing images.",(0,t.jsx)(r.br,{}),"\n","The steps below assume you have a host with dockerd and the docker CLI tools, and access to both docker.io and your private registry."]}),"\n",(0,t.jsxs)(r.ol,{children:["\n",(0,t.jsxs)(r.li,{children:["Obtain the ",(0,t.jsx)(r.code,{children:"k3s-images.txt"})," file from GitHub for the release you are working with."]}),"\n",(0,t.jsxs)(r.li,{children:["Pull each of the K3s images listed on the k3s-images.txt file from docker.io.",(0,t.jsx)(r.br,{}),"\n","Example: ",(0,t.jsx)(r.code,{children:"docker pull docker.io/rancher/mirrored-pause:3.6"})]}),"\n",(0,t.jsxs)(r.li,{children:["Retag the images to the private registry.",(0,t.jsx)(r.br,{}),"\n","Example: ",(0,t.jsx)(r.code,{children:"docker tag docker.io/rancher/mirrored-pause:3.6 registry.example.com:5000/rancher/mirrored-pause:3.6"})]}),"\n",(0,t.jsxs)(r.li,{children:["Push the images to the private registry.",(0,t.jsx)(r.br,{}),"\n","Example: ",(0,t.jsx)(r.code,{children:"docker push registry.example.com:5000/rancher/mirrored-pause:3.6"})]}),"\n"]})]})}function h(e={}){const{wrapper:r}={...(0,n.a)(),...e.components};return r?(0,t.jsx)(r,{...e,children:(0,t.jsx)(c,{...e})}):c(e)}function u(e,r){throw new Error("Expected "+(r?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,r,i)=>{i.d(r,{Z:()=>a,a:()=>o});var t=i(7294);const n={},s=t.createContext(n);function o(e){const r=t.useContext(s);return t.useMemo((function(){return"function"==typeof e?e(r):{...r,...e}}),[r,e])}function a(e){let r;return r=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:o(e.components),t.createElement(s.Provider,{value:r},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/65309f9a.72799433.js b/kr/assets/js/65309f9a.72799433.js new file mode 100644 index 000000000..8c839bbca --- /dev/null +++ b/kr/assets/js/65309f9a.72799433.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[6005],{4417:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>l,contentTitle:()=>c,default:()=>p,frontMatter:()=>s,metadata:()=>o,toc:()=>a});var i=t(5893),r=t(1151);const s={title:"Secrets Encryption"},c="Secrets Encryption Config",o={id:"security/secrets-encryption",title:"Secrets Encryption",description:"K3s supports enabling secrets encryption at rest. When first starting the server, passing the flag --secrets-encryption will do the following automatically:",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/security/secrets-encryption.md",sourceDirName:"security",slug:"/security/secrets-encryption",permalink:"/kr/security/secrets-encryption",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/security/secrets-encryption.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Secrets Encryption"},sidebar:"mySidebar",previous:{title:"\ubcf4\uc548",permalink:"/kr/security/"},next:{title:"CIS Hardening Guide",permalink:"/kr/security/hardening-guide"}},l={},a=[{value:"Secrets Encryption Tool",id:"secrets-encryption-tool",level:2}];function d(e){const n={a:"a",admonition:"admonition",br:"br",code:"code",h1:"h1",h2:"h2",header:"header",li:"li",mdxAdmonitionTitle:"mdxAdmonitionTitle",p:"p",pre:"pre",ul:"ul",...(0,r.a)(),...e.components};return(0,i.jsxs)(i.Fragment,{children:[(0,i.jsx)(n.header,{children:(0,i.jsx)(n.h1,{id:"secrets-encryption-config",children:"Secrets Encryption Config"})}),"\n",(0,i.jsxs)(n.p,{children:["K3s supports enabling secrets encryption at rest. When first starting the server, passing the flag ",(0,i.jsx)(n.code,{children:"--secrets-encryption"})," will do the following automatically:"]}),"\n",(0,i.jsxs)(n.ul,{children:["\n",(0,i.jsx)(n.li,{children:"Generate an AES-CBC key"}),"\n",(0,i.jsx)(n.li,{children:"Generate an encryption config file with the generated key"}),"\n",(0,i.jsx)(n.li,{children:"Pass the config to the KubeAPI as encryption-provider-config"}),"\n"]}),"\n",(0,i.jsxs)(n.admonition,{type:"tip",children:[(0,i.jsx)(n.mdxAdmonitionTitle,{}),(0,i.jsxs)(n.p,{children:["Secrets-encryption cannot be enabled on an existing server without restarting it.",(0,i.jsx)(n.br,{}),"\n","Use ",(0,i.jsx)(n.code,{children:"curl -sfL https://get.k3s.io | sh -s - server --secrets-encryption"})," if installing from script, or other methods described in ",(0,i.jsx)(n.a,{href:"/kr/installation/configuration#configuration-with-install-script",children:"Configuration Options"}),"."]})]}),"\n",(0,i.jsx)(n.p,{children:"Example of the encryption config file:"}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-json",children:'{\n "kind": "EncryptionConfiguration",\n "apiVersion": "apiserver.config.k8s.io/v1",\n "resources": [\n {\n "resources": [\n "secrets"\n ],\n "providers": [\n {\n "aescbc": {\n "keys": [\n {\n "name": "aescbckey",\n "secret": "xxxxxxxxxxxxxxxxxxx"\n }\n ]\n }\n },\n {\n "identity": {}\n }\n ]\n }\n ]\n}\n'})}),"\n",(0,i.jsx)(n.h2,{id:"secrets-encryption-tool",children:"Secrets Encryption Tool"}),"\n",(0,i.jsxs)(n.p,{children:["K3s contains a utility tool ",(0,i.jsx)(n.code,{children:"secrets-encrypt"}),", which enables automatic control over the following:"]}),"\n",(0,i.jsxs)(n.ul,{children:["\n",(0,i.jsx)(n.li,{children:"Disabling/Enabling secrets encryption"}),"\n",(0,i.jsx)(n.li,{children:"Adding new encryption keys"}),"\n",(0,i.jsx)(n.li,{children:"Rotating and deleting encryption keys"}),"\n",(0,i.jsx)(n.li,{children:"Reencrypting secrets"}),"\n"]}),"\n",(0,i.jsxs)(n.p,{children:["For more information, see the ",(0,i.jsxs)(n.a,{href:"/kr/cli/secrets-encrypt",children:[(0,i.jsx)(n.code,{children:"k3s secrets-encrypt"})," command documentation"]}),"."]})]})}function p(e={}){const{wrapper:n}={...(0,r.a)(),...e.components};return n?(0,i.jsx)(n,{...e,children:(0,i.jsx)(d,{...e})}):d(e)}},1151:(e,n,t)=>{t.d(n,{Z:()=>o,a:()=>c});var i=t(7294);const r={},s=i.createContext(r);function c(e){const n=i.useContext(s);return i.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function o(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:c(e.components),i.createElement(s.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/65309f9a.9f97a04a.js b/kr/assets/js/65309f9a.9f97a04a.js deleted file mode 100644 index c729242cb..000000000 --- a/kr/assets/js/65309f9a.9f97a04a.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[6005],{4417:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>l,contentTitle:()=>c,default:()=>p,frontMatter:()=>s,metadata:()=>o,toc:()=>a});var i=t(5893),r=t(1151);const s={title:"Secrets Encryption"},c="Secrets Encryption Config",o={id:"security/secrets-encryption",title:"Secrets Encryption",description:"K3s supports enabling secrets encryption at rest. When first starting the server, passing the flag --secrets-encryption will do the following automatically:",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/security/secrets-encryption.md",sourceDirName:"security",slug:"/security/secrets-encryption",permalink:"/kr/security/secrets-encryption",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/security/secrets-encryption.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Secrets Encryption"},sidebar:"mySidebar",previous:{title:"\ubcf4\uc548",permalink:"/kr/security/"},next:{title:"CIS Hardening Guide",permalink:"/kr/security/hardening-guide"}},l={},a=[{value:"Secrets Encryption Tool",id:"secrets-encryption-tool",level:2}];function d(e){const n={a:"a",admonition:"admonition",br:"br",code:"code",h1:"h1",h2:"h2",li:"li",mdxAdmonitionTitle:"mdxAdmonitionTitle",p:"p",pre:"pre",ul:"ul",...(0,r.a)(),...e.components};return(0,i.jsxs)(i.Fragment,{children:[(0,i.jsx)(n.h1,{id:"secrets-encryption-config",children:"Secrets Encryption Config"}),"\n",(0,i.jsxs)(n.p,{children:["K3s supports enabling secrets encryption at rest. When first starting the server, passing the flag ",(0,i.jsx)(n.code,{children:"--secrets-encryption"})," will do the following automatically:"]}),"\n",(0,i.jsxs)(n.ul,{children:["\n",(0,i.jsx)(n.li,{children:"Generate an AES-CBC key"}),"\n",(0,i.jsx)(n.li,{children:"Generate an encryption config file with the generated key"}),"\n",(0,i.jsx)(n.li,{children:"Pass the config to the KubeAPI as encryption-provider-config"}),"\n"]}),"\n",(0,i.jsxs)(n.admonition,{type:"tip",children:[(0,i.jsx)(n.mdxAdmonitionTitle,{}),(0,i.jsxs)(n.p,{children:["Secrets-encryption cannot be enabled on an existing server without restarting it.",(0,i.jsx)(n.br,{}),"\n","Use ",(0,i.jsx)(n.code,{children:"curl -sfL https://get.k3s.io | sh -s - server --secrets-encryption"})," if installing from script, or other methods described in ",(0,i.jsx)(n.a,{href:"/kr/installation/configuration#configuration-with-install-script",children:"Configuration Options"}),"."]})]}),"\n",(0,i.jsx)(n.p,{children:"Example of the encryption config file:"}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-json",children:'{\n "kind": "EncryptionConfiguration",\n "apiVersion": "apiserver.config.k8s.io/v1",\n "resources": [\n {\n "resources": [\n "secrets"\n ],\n "providers": [\n {\n "aescbc": {\n "keys": [\n {\n "name": "aescbckey",\n "secret": "xxxxxxxxxxxxxxxxxxx"\n }\n ]\n }\n },\n {\n "identity": {}\n }\n ]\n }\n ]\n}\n'})}),"\n",(0,i.jsx)(n.h2,{id:"secrets-encryption-tool",children:"Secrets Encryption Tool"}),"\n",(0,i.jsxs)(n.p,{children:["K3s contains a utility tool ",(0,i.jsx)(n.code,{children:"secrets-encrypt"}),", which enables automatic control over the following:"]}),"\n",(0,i.jsxs)(n.ul,{children:["\n",(0,i.jsx)(n.li,{children:"Disabling/Enabling secrets encryption"}),"\n",(0,i.jsx)(n.li,{children:"Adding new encryption keys"}),"\n",(0,i.jsx)(n.li,{children:"Rotating and deleting encryption keys"}),"\n",(0,i.jsx)(n.li,{children:"Reencrypting secrets"}),"\n"]}),"\n",(0,i.jsxs)(n.p,{children:["For more information, see the ",(0,i.jsxs)(n.a,{href:"/kr/cli/secrets-encrypt",children:[(0,i.jsx)(n.code,{children:"k3s secrets-encrypt"})," command documentation"]}),"."]})]})}function p(e={}){const{wrapper:n}={...(0,r.a)(),...e.components};return n?(0,i.jsx)(n,{...e,children:(0,i.jsx)(d,{...e})}):d(e)}},1151:(e,n,t)=>{t.d(n,{Z:()=>o,a:()=>c});var i=t(7294);const r={},s=i.createContext(r);function c(e){const n=i.useContext(s);return i.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function o(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:c(e.components),i.createElement(s.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/696.b4659b1c.js b/kr/assets/js/696.57f80179.js similarity index 99% rename from kr/assets/js/696.b4659b1c.js rename to kr/assets/js/696.57f80179.js index b2b5af2c6..33c71b7df 100644 --- a/kr/assets/js/696.b4659b1c.js +++ b/kr/assets/js/696.57f80179.js @@ -1790,7 +1790,7 @@ function preorder(g, vs) { } // EXTERNAL MODULE: ./node_modules/dagre-d3-es/src/graphlib/graph.js + 9 modules -var graph = __webpack_require__(2544); +var graph = __webpack_require__(4404); ;// CONCATENATED MODULE: ./node_modules/dagre-d3-es/src/graphlib/alg/prim.js @@ -4353,7 +4353,7 @@ function canonicalize(attrs) { /***/ }), -/***/ 2544: +/***/ 4404: /***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => { @@ -5166,7 +5166,7 @@ function edgeObjToId(isDirected, edgeObj) { /* harmony export */ k: () => (/* reexport safe */ _graph_js__WEBPACK_IMPORTED_MODULE_0__.k) /* harmony export */ }); /* unused harmony export version */ -/* harmony import */ var _graph_js__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(2544); +/* harmony import */ var _graph_js__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(4404); // Includes only the "core" of graphlib diff --git a/kr/assets/js/6a7149bd.6a1c6b4a.js b/kr/assets/js/6a7149bd.6a1c6b4a.js deleted file mode 100644 index 40a1056af..000000000 --- a/kr/assets/js/6a7149bd.6a1c6b4a.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[1894],{9280:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>d,contentTitle:()=>a,default:()=>h,frontMatter:()=>o,metadata:()=>i,toc:()=>l});var s=t(5893),r=t(1151);const o={title:"High Availability External DB"},a=void 0,i={id:"datastore/ha",title:"High Availability External DB",description:"Note: Official support for installing Rancher on a Kubernetes cluster was introduced in our v1.0.0 release.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/datastore/ha.md",sourceDirName:"datastore",slug:"/datastore/ha",permalink:"/kr/datastore/ha",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/datastore/ha.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"High Availability External DB"},sidebar:"mySidebar",previous:{title:"High Availability Embedded etcd",permalink:"/kr/datastore/ha-embedded"},next:{title:"Cluster Load Balancer",permalink:"/kr/datastore/cluster-loadbalancer"}},d={},l=[{value:"Installation Outline",id:"installation-outline",level:2},{value:"1. Create an External Datastore",id:"1-create-an-external-datastore",level:3},{value:"2. Launch Server Nodes",id:"2-launch-server-nodes",level:3},{value:"3. Configure the Fixed Registration Address",id:"3-configure-the-fixed-registration-address",level:3},{value:"4. Optional: Join Additional Server Nodes",id:"4-optional-join-additional-server-nodes",level:3},{value:"5. Optional: Join Agent Nodes",id:"5-optional-join-agent-nodes",level:3}];function c(e){const n={a:"a",admonition:"admonition",blockquote:"blockquote",code:"code",h2:"h2",h3:"h3",li:"li",p:"p",pre:"pre",strong:"strong",ul:"ul",...(0,r.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsxs)(n.blockquote,{children:["\n",(0,s.jsxs)(n.p,{children:[(0,s.jsx)(n.strong,{children:"Note:"})," Official support for installing Rancher on a Kubernetes cluster was introduced in our v1.0.0 release."]}),"\n"]}),"\n",(0,s.jsx)(n.p,{children:"This section describes how to install a high-availability K3s cluster with an external database."}),"\n",(0,s.jsx)(n.p,{children:"Single server clusters can meet a variety of use cases, but for environments where uptime of the Kubernetes control plane is critical, you can run K3s in an HA configuration. An HA K3s cluster is comprised of:"}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsxs)(n.li,{children:["Two or more ",(0,s.jsx)(n.strong,{children:"server nodes"})," that will serve the Kubernetes API and run other control plane services"]}),"\n",(0,s.jsxs)(n.li,{children:["Zero or more ",(0,s.jsx)(n.strong,{children:"agent nodes"})," that are designated to run your apps and services"]}),"\n",(0,s.jsxs)(n.li,{children:["An ",(0,s.jsx)(n.strong,{children:"external datastore"})," (as opposed to the embedded SQLite datastore used in single-server setups)"]}),"\n",(0,s.jsxs)(n.li,{children:["A ",(0,s.jsx)(n.strong,{children:"fixed registration address"})," that is placed in front of the server nodes to allow agent nodes to register with the cluster"]}),"\n"]}),"\n",(0,s.jsxs)(n.p,{children:["For more details on how these components work together, refer to the ",(0,s.jsx)(n.a,{href:"/kr/architecture#high-availability-k3s-server-with-an-external-db",children:"architecture section."})]}),"\n",(0,s.jsxs)(n.p,{children:["Agents register through the fixed registration address, but after registration they establish a connection directly to one of the server nodes. This is a websocket connection initiated by the ",(0,s.jsx)(n.code,{children:"k3s agent"})," process, it is maintained by a client-side load balancer running as part of the agent process."]}),"\n",(0,s.jsx)(n.h2,{id:"installation-outline",children:"Installation Outline"}),"\n",(0,s.jsx)(n.p,{children:"Setting up an HA cluster requires the following steps:"}),"\n",(0,s.jsx)(n.h3,{id:"1-create-an-external-datastore",children:"1. Create an External Datastore"}),"\n",(0,s.jsxs)(n.p,{children:["You will first need to create an external datastore for the cluster. See the ",(0,s.jsx)(n.a,{href:"/kr/datastore/",children:"Cluster Datastore Options"})," documentation for more details."]}),"\n",(0,s.jsx)(n.h3,{id:"2-launch-server-nodes",children:"2. Launch Server Nodes"}),"\n",(0,s.jsxs)(n.p,{children:["K3s requires two or more server nodes for this HA configuration. See the ",(0,s.jsx)(n.a,{href:"/kr/installation/requirements",children:"Requirements"})," guide for minimum machine requirements."]}),"\n",(0,s.jsxs)(n.p,{children:["When running the ",(0,s.jsx)(n.code,{children:"k3s server"})," command on these nodes, you must set the ",(0,s.jsx)(n.code,{children:"datastore-endpoint"})," parameter so that K3s knows how to connect to the external datastore. The ",(0,s.jsx)(n.code,{children:"token"})," parameter can also be used to set a deterministic token when adding nodes. When empty, this token will be generated automatically for further use."]}),"\n",(0,s.jsxs)(n.p,{children:["For example, a command like the following could be used to install the K3s server with a MySQL database as the external datastore and ",(0,s.jsx)(n.a,{href:"/kr/cli/server#cluster-options",children:"set a token"}),":"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'curl -sfL https://get.k3s.io | sh -s - server \\\n --token=SECRET \\\n --datastore-endpoint="mysql://username:password@tcp(hostname:3306)/database-name"\n'})}),"\n",(0,s.jsxs)(n.p,{children:["The datastore endpoint format differs based on the database type. For details, refer to the section on ",(0,s.jsx)(n.a,{href:"/kr/datastore/#datastore-endpoint-format-and-functionality",children:"datastore endpoint formats."})]}),"\n",(0,s.jsxs)(n.p,{children:["To configure TLS certificates when launching server nodes, refer to the ",(0,s.jsx)(n.a,{href:"/kr/datastore/#external-datastore-configuration-parameters",children:"datastore configuration guide."})]}),"\n",(0,s.jsx)(n.admonition,{type:"note",children:(0,s.jsxs)(n.p,{children:["The same installation options available to single-server installs are also available for high-availability installs. For more details, see the ",(0,s.jsx)(n.a,{href:"/kr/installation/configuration",children:"Configuration Options"})," documentation."]})}),"\n",(0,s.jsxs)(n.p,{children:["By default, server nodes will be schedulable and thus your workloads can get launched on them. If you wish to have a dedicated control plane where no user workloads will run, you can use taints. The ",(0,s.jsx)(n.code,{children:"node-taint"})," parameter will allow you to configure nodes with taints, for example ",(0,s.jsx)(n.code,{children:"--node-taint CriticalAddonsOnly=true:NoExecute"}),"."]}),"\n",(0,s.jsxs)(n.p,{children:["Once you've launched the ",(0,s.jsx)(n.code,{children:"k3s server"})," process on all server nodes, ensure that the cluster has come up properly with ",(0,s.jsx)(n.code,{children:"k3s kubectl get nodes"}),". You should see your server nodes in the Ready state."]}),"\n",(0,s.jsx)(n.h3,{id:"3-configure-the-fixed-registration-address",children:"3. Configure the Fixed Registration Address"}),"\n",(0,s.jsx)(n.p,{children:"Agent nodes need a URL to register against. This can be the IP or hostname of any of the server nodes, but in many cases those may change over time. For example, if you are running your cluster in a cloud that supports scaling groups, you may scale the server node group up and down over time, causing nodes to be created and destroyed and thus having different IPs from the initial set of server nodes. Therefore, you should have a stable endpoint in front of the server nodes that will not change over time. This endpoint can be set up using any number approaches, such as:"}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsx)(n.li,{children:"A layer-4 (TCP) load balancer"}),"\n",(0,s.jsx)(n.li,{children:"Round-robin DNS"}),"\n",(0,s.jsx)(n.li,{children:"Virtual or elastic IP addresses"}),"\n"]}),"\n",(0,s.jsxs)(n.p,{children:["This endpoint can also be used for accessing the Kubernetes API. So you can, for example, modify your ",(0,s.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/",children:"kubeconfig"})," file to point to it instead of a specific node. To avoid certificate errors in such a configuration, you should install the server with the ",(0,s.jsx)(n.code,{children:"--tls-san YOUR_IP_OR_HOSTNAME_HERE"})," option. This option adds an additional hostname or IP as a Subject Alternative Name in the TLS cert, and it can be specified multiple times if you would like to access via both the IP and the hostname."]}),"\n",(0,s.jsx)(n.h3,{id:"4-optional-join-additional-server-nodes",children:"4. Optional: Join Additional Server Nodes"}),"\n",(0,s.jsx)(n.p,{children:"The same example command in Step 2 can be used to join additional server nodes, where the token from the first node needs to be used."}),"\n",(0,s.jsxs)(n.p,{children:["If the first server node was started without the ",(0,s.jsx)(n.code,{children:"--token"})," CLI flag or ",(0,s.jsx)(n.code,{children:"K3S_TOKEN"})," variable, the token value can be retrieved from any server already joined to the cluster:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"cat /var/lib/rancher/k3s/server/token\n"})}),"\n",(0,s.jsxs)(n.p,{children:["Additional server nodes can then be added ",(0,s.jsx)(n.a,{href:"/kr/cli/server#cluster-options",children:"using the token"}),":"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'curl -sfL https://get.k3s.io | sh -s - server \\\n --token=SECRET \\\n --datastore-endpoint="mysql://username:password@tcp(hostname:3306)/database-name"\n'})}),"\n",(0,s.jsx)(n.p,{children:"There are a few config flags that must be the same in all server nodes:"}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsxs)(n.li,{children:["Network related flags: ",(0,s.jsx)(n.code,{children:"--cluster-dns"}),", ",(0,s.jsx)(n.code,{children:"--cluster-domain"}),", ",(0,s.jsx)(n.code,{children:"--cluster-cidr"}),", ",(0,s.jsx)(n.code,{children:"--service-cidr"})]}),"\n",(0,s.jsxs)(n.li,{children:["Flags controlling the deployment of certain components: ",(0,s.jsx)(n.code,{children:"--disable-helm-controller"}),", ",(0,s.jsx)(n.code,{children:"--disable-kube-proxy"}),", ",(0,s.jsx)(n.code,{children:"--disable-network-policy"})," and any component passed to ",(0,s.jsx)(n.code,{children:"--disable"})]}),"\n",(0,s.jsxs)(n.li,{children:["Feature related flags: ",(0,s.jsx)(n.code,{children:"--secrets-encryption"})]}),"\n"]}),"\n",(0,s.jsx)(n.admonition,{type:"note",children:(0,s.jsx)(n.p,{children:"Ensure that you retain a copy of this token as it is required when restoring from backup and adding nodes. Previously, K3s did not enforce the use of a token when using external SQL datastores."})}),"\n",(0,s.jsx)(n.h3,{id:"5-optional-join-agent-nodes",children:"5. Optional: Join Agent Nodes"}),"\n",(0,s.jsx)(n.p,{children:"Because K3s server nodes are schedulable by default, the minimum number of nodes for an HA K3s server cluster is two server nodes and zero agent nodes. To add nodes designated to run your apps and services, join agent nodes to your cluster."}),"\n",(0,s.jsx)(n.p,{children:"Joining agent nodes in an HA cluster is the same as joining agent nodes in a single server cluster. You just need to specify the URL the agent should register to and the token it should use."}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"K3S_TOKEN=SECRET k3s agent --server https://fixed-registration-address:6443\n"})})]})}function h(e={}){const{wrapper:n}={...(0,r.a)(),...e.components};return n?(0,s.jsx)(n,{...e,children:(0,s.jsx)(c,{...e})}):c(e)}},1151:(e,n,t)=>{t.d(n,{Z:()=>i,a:()=>a});var s=t(7294);const r={},o=s.createContext(r);function a(e){const n=s.useContext(o);return s.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function i(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:a(e.components),s.createElement(o.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/6a7149bd.ac31f11d.js b/kr/assets/js/6a7149bd.ac31f11d.js new file mode 100644 index 000000000..a731ebced --- /dev/null +++ b/kr/assets/js/6a7149bd.ac31f11d.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[1894],{9280:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>d,contentTitle:()=>a,default:()=>h,frontMatter:()=>o,metadata:()=>i,toc:()=>l});var s=t(5893),r=t(1151);const o={title:"High Availability External DB"},a=void 0,i={id:"datastore/ha",title:"High Availability External DB",description:"Note: Official support for installing Rancher on a Kubernetes cluster was introduced in our v1.0.0 release.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/datastore/ha.md",sourceDirName:"datastore",slug:"/datastore/ha",permalink:"/kr/datastore/ha",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/datastore/ha.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"High Availability External DB"},sidebar:"mySidebar",previous:{title:"High Availability Embedded etcd",permalink:"/kr/datastore/ha-embedded"},next:{title:"Cluster Load Balancer",permalink:"/kr/datastore/cluster-loadbalancer"}},d={},l=[{value:"Installation Outline",id:"installation-outline",level:2},{value:"1. Create an External Datastore",id:"1-create-an-external-datastore",level:3},{value:"2. Launch Server Nodes",id:"2-launch-server-nodes",level:3},{value:"3. Configure the Fixed Registration Address",id:"3-configure-the-fixed-registration-address",level:3},{value:"4. Optional: Join Additional Server Nodes",id:"4-optional-join-additional-server-nodes",level:3},{value:"5. Optional: Join Agent Nodes",id:"5-optional-join-agent-nodes",level:3}];function c(e){const n={a:"a",admonition:"admonition",blockquote:"blockquote",code:"code",h2:"h2",h3:"h3",li:"li",p:"p",pre:"pre",strong:"strong",ul:"ul",...(0,r.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsxs)(n.blockquote,{children:["\n",(0,s.jsxs)(n.p,{children:[(0,s.jsx)(n.strong,{children:"Note:"})," Official support for installing Rancher on a Kubernetes cluster was introduced in our v1.0.0 release."]}),"\n"]}),"\n",(0,s.jsx)(n.p,{children:"This section describes how to install a high-availability K3s cluster with an external database."}),"\n",(0,s.jsx)(n.p,{children:"Single server clusters can meet a variety of use cases, but for environments where uptime of the Kubernetes control plane is critical, you can run K3s in an HA configuration. An HA K3s cluster is comprised of:"}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsxs)(n.li,{children:["Two or more ",(0,s.jsx)(n.strong,{children:"server nodes"})," that will serve the Kubernetes API and run other control plane services"]}),"\n",(0,s.jsxs)(n.li,{children:["Zero or more ",(0,s.jsx)(n.strong,{children:"agent nodes"})," that are designated to run your apps and services"]}),"\n",(0,s.jsxs)(n.li,{children:["An ",(0,s.jsx)(n.strong,{children:"external datastore"})," (as opposed to the embedded SQLite datastore used in single-server setups)"]}),"\n",(0,s.jsxs)(n.li,{children:["A ",(0,s.jsx)(n.strong,{children:"fixed registration address"})," that is placed in front of the server nodes to allow agent nodes to register with the cluster"]}),"\n"]}),"\n",(0,s.jsxs)(n.p,{children:["For more details on how these components work together, refer to the ",(0,s.jsx)(n.a,{href:"/kr/architecture#high-availability-k3s-server-with-an-external-db",children:"architecture section."})]}),"\n",(0,s.jsxs)(n.p,{children:["Agents register through the fixed registration address, but after registration they establish a connection directly to one of the server nodes. This is a websocket connection initiated by the ",(0,s.jsx)(n.code,{children:"k3s agent"})," process, it is maintained by a client-side load balancer running as part of the agent process."]}),"\n",(0,s.jsx)(n.h2,{id:"installation-outline",children:"Installation Outline"}),"\n",(0,s.jsx)(n.p,{children:"Setting up an HA cluster requires the following steps:"}),"\n",(0,s.jsx)(n.h3,{id:"1-create-an-external-datastore",children:"1. Create an External Datastore"}),"\n",(0,s.jsxs)(n.p,{children:["You will first need to create an external datastore for the cluster. See the ",(0,s.jsx)(n.a,{href:"/kr/datastore/",children:"Cluster Datastore Options"})," documentation for more details."]}),"\n",(0,s.jsx)(n.h3,{id:"2-launch-server-nodes",children:"2. Launch Server Nodes"}),"\n",(0,s.jsxs)(n.p,{children:["K3s requires two or more server nodes for this HA configuration. See the ",(0,s.jsx)(n.a,{href:"/kr/installation/requirements",children:"Requirements"})," guide for minimum machine requirements."]}),"\n",(0,s.jsxs)(n.p,{children:["When running the ",(0,s.jsx)(n.code,{children:"k3s server"})," command on these nodes, you must set the ",(0,s.jsx)(n.code,{children:"datastore-endpoint"})," parameter so that K3s knows how to connect to the external datastore. The ",(0,s.jsx)(n.code,{children:"token"})," parameter can also be used to set a deterministic token when adding nodes. When empty, this token will be generated automatically for further use."]}),"\n",(0,s.jsxs)(n.p,{children:["For example, a command like the following could be used to install the K3s server with a MySQL database as the external datastore and ",(0,s.jsx)(n.a,{href:"/kr/cli/server#cluster-options",children:"set a token"}),":"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'curl -sfL https://get.k3s.io | sh -s - server \\\n --token=SECRET \\\n --datastore-endpoint="mysql://username:password@tcp(hostname:3306)/database-name"\n'})}),"\n",(0,s.jsxs)(n.p,{children:["The datastore endpoint format differs based on the database type. For details, refer to the section on ",(0,s.jsx)(n.a,{href:"/kr/datastore/#datastore-endpoint-format-and-functionality",children:"datastore endpoint formats."})]}),"\n",(0,s.jsxs)(n.p,{children:["To configure TLS certificates when launching server nodes, refer to the ",(0,s.jsx)(n.a,{href:"/kr/datastore/#external-datastore-configuration-parameters",children:"datastore configuration guide."})]}),"\n",(0,s.jsx)(n.admonition,{type:"note",children:(0,s.jsxs)(n.p,{children:["The same installation options available to single-server installs are also available for high-availability installs. For more details, see the ",(0,s.jsx)(n.a,{href:"/kr/installation/configuration",children:"Configuration Options"})," documentation."]})}),"\n",(0,s.jsxs)(n.p,{children:["By default, server nodes will be schedulable and thus your workloads can get launched on them. If you wish to have a dedicated control plane where no user workloads will run, you can use taints. The ",(0,s.jsx)(n.code,{children:"node-taint"})," parameter will allow you to configure nodes with taints, for example ",(0,s.jsx)(n.code,{children:"--node-taint CriticalAddonsOnly=true:NoExecute"}),"."]}),"\n",(0,s.jsxs)(n.p,{children:["Once you've launched the ",(0,s.jsx)(n.code,{children:"k3s server"})," process on all server nodes, ensure that the cluster has come up properly with ",(0,s.jsx)(n.code,{children:"k3s kubectl get nodes"}),". You should see your server nodes in the Ready state."]}),"\n",(0,s.jsx)(n.h3,{id:"3-configure-the-fixed-registration-address",children:"3. Configure the Fixed Registration Address"}),"\n",(0,s.jsx)(n.p,{children:"Agent nodes need a URL to register against. This can be the IP or hostname of any of the server nodes, but in many cases those may change over time. For example, if you are running your cluster in a cloud that supports scaling groups, you may scale the server node group up and down over time, causing nodes to be created and destroyed and thus having different IPs from the initial set of server nodes. Therefore, you should have a stable endpoint in front of the server nodes that will not change over time. This endpoint can be set up using any number approaches, such as:"}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsx)(n.li,{children:"A layer-4 (TCP) load balancer"}),"\n",(0,s.jsx)(n.li,{children:"Round-robin DNS"}),"\n",(0,s.jsx)(n.li,{children:"Virtual or elastic IP addresses"}),"\n"]}),"\n",(0,s.jsxs)(n.p,{children:["This endpoint can also be used for accessing the Kubernetes API. So you can, for example, modify your ",(0,s.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/",children:"kubeconfig"})," file to point to it instead of a specific node. To avoid certificate errors in such a configuration, you should install the server with the ",(0,s.jsx)(n.code,{children:"--tls-san YOUR_IP_OR_HOSTNAME_HERE"})," option. This option adds an additional hostname or IP as a Subject Alternative Name in the TLS cert, and it can be specified multiple times if you would like to access via both the IP and the hostname."]}),"\n",(0,s.jsx)(n.h3,{id:"4-optional-join-additional-server-nodes",children:"4. Optional: Join Additional Server Nodes"}),"\n",(0,s.jsx)(n.p,{children:"The same example command in Step 2 can be used to join additional server nodes, where the token from the first node needs to be used."}),"\n",(0,s.jsxs)(n.p,{children:["If the first server node was started without the ",(0,s.jsx)(n.code,{children:"--token"})," CLI flag or ",(0,s.jsx)(n.code,{children:"K3S_TOKEN"})," variable, the token value can be retrieved from any server already joined to the cluster:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"cat /var/lib/rancher/k3s/server/token\n"})}),"\n",(0,s.jsxs)(n.p,{children:["Additional server nodes can then be added ",(0,s.jsx)(n.a,{href:"/kr/cli/server#cluster-options",children:"using the token"}),":"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'curl -sfL https://get.k3s.io | sh -s - server \\\n --token=SECRET \\\n --datastore-endpoint="mysql://username:password@tcp(hostname:3306)/database-name"\n'})}),"\n",(0,s.jsx)(n.p,{children:"There are a few config flags that must be the same in all server nodes:"}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsxs)(n.li,{children:["Network related flags: ",(0,s.jsx)(n.code,{children:"--cluster-dns"}),", ",(0,s.jsx)(n.code,{children:"--cluster-domain"}),", ",(0,s.jsx)(n.code,{children:"--cluster-cidr"}),", ",(0,s.jsx)(n.code,{children:"--service-cidr"})]}),"\n",(0,s.jsxs)(n.li,{children:["Flags controlling the deployment of certain components: ",(0,s.jsx)(n.code,{children:"--disable-helm-controller"}),", ",(0,s.jsx)(n.code,{children:"--disable-kube-proxy"}),", ",(0,s.jsx)(n.code,{children:"--disable-network-policy"})," and any component passed to ",(0,s.jsx)(n.code,{children:"--disable"})]}),"\n",(0,s.jsxs)(n.li,{children:["Feature related flags: ",(0,s.jsx)(n.code,{children:"--secrets-encryption"})]}),"\n"]}),"\n",(0,s.jsx)(n.admonition,{type:"note",children:(0,s.jsx)(n.p,{children:"Ensure that you retain a copy of this token as it is required when restoring from backup and adding nodes. Previously, K3s did not enforce the use of a token when using external SQL datastores."})}),"\n",(0,s.jsx)(n.h3,{id:"5-optional-join-agent-nodes",children:"5. Optional: Join Agent Nodes"}),"\n",(0,s.jsx)(n.p,{children:"Because K3s server nodes are schedulable by default, the minimum number of nodes for an HA K3s server cluster is two server nodes and zero agent nodes. To add nodes designated to run your apps and services, join agent nodes to your cluster."}),"\n",(0,s.jsx)(n.p,{children:"Joining agent nodes in an HA cluster is the same as joining agent nodes in a single server cluster. You just need to specify the URL the agent should register to and the token it should use."}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"K3S_TOKEN=SECRET k3s agent --server https://fixed-registration-address:6443\n"})})]})}function h(e={}){const{wrapper:n}={...(0,r.a)(),...e.components};return n?(0,s.jsx)(n,{...e,children:(0,s.jsx)(c,{...e})}):c(e)}},1151:(e,n,t)=>{t.d(n,{Z:()=>i,a:()=>a});var s=t(7294);const r={},o=s.createContext(r);function a(e){const n=s.useContext(o);return s.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function i(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:a(e.components),s.createElement(o.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/zh/assets/js/5d1c93cb.a101bad9.js b/kr/assets/js/6eb212a2.3ba9f0bd.js similarity index 56% rename from zh/assets/js/5d1c93cb.a101bad9.js rename to kr/assets/js/6eb212a2.3ba9f0bd.js index 86abaeb64..54e2bd388 100644 --- a/zh/assets/js/5d1c93cb.a101bad9.js +++ b/kr/assets/js/6eb212a2.3ba9f0bd.js @@ -1 +1 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[1515],{3097:(e,n,i)=>{i.r(n),i.d(n,{assets:()=>l,contentTitle:()=>o,default:()=>h,frontMatter:()=>r,metadata:()=>a,toc:()=>d});var s=i(5893),t=i(1151);const r={title:"Basic Network Options"},o=void 0,a={id:"networking/basic-network-options",title:"Basic Network Options",description:"This page describes K3s network configuration options, including configuration or replacement of Flannel, and configuring IPv6 or dualStack.",source:"@site/i18n/zh/docusaurus-plugin-content-docs/current/networking/basic-network-options.md",sourceDirName:"networking",slug:"/networking/basic-network-options",permalink:"/zh/networking/basic-network-options",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/networking/basic-network-options.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Basic Network Options"},sidebar:"mySidebar",previous:{title:"Networking",permalink:"/zh/networking/"},next:{title:"Distributed hybrid or multicloud cluster",permalink:"/zh/networking/distributed-multicloud"}},l={},d=[{value:"Flannel Options",id:"flannel-options",level:2},{value:"Migrating from wireguard or ipsec to wireguard-native",id:"migrating-from-wireguard-or-ipsec-to-wireguard-native",level:3},{value:"Custom CNI",id:"custom-cni",level:2},{value:"Control-Plane Egress Selector configuration",id:"control-plane-egress-selector-configuration",level:2},{value:"Dual-stack (IPv4 + IPv6) Networking",id:"dual-stack-ipv4--ipv6-networking",level:2},{value:"Single-stack IPv6 Networking",id:"single-stack-ipv6-networking",level:2},{value:"Nodes Without a Hostname",id:"nodes-without-a-hostname",level:2}];function c(e){const n={a:"a",admonition:"admonition",br:"br",code:"code",h2:"h2",h3:"h3",li:"li",ol:"ol",p:"p",pre:"pre",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,t.a)(),...e.components},{TabItem:i,Tabs:r}=n;return i||u("TabItem",!0),r||u("Tabs",!0),(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(n.p,{children:"This page describes K3s network configuration options, including configuration or replacement of Flannel, and configuring IPv6 or dualStack."}),"\n",(0,s.jsx)(n.h2,{id:"flannel-options",children:"Flannel Options"}),"\n",(0,s.jsxs)(n.p,{children:[(0,s.jsx)(n.a,{href:"https://github.com/flannel-io/flannel/blob/master/README.md",children:"Flannel"})," is a lightweight provider of layer 3 network fabric that implements the Kubernetes Container Network Interface (CNI). It is what is commonly referred to as a CNI Plugin."]}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsx)(n.li,{children:"Flannel options can only be set on server nodes, and must be identical on all servers in the cluster."}),"\n",(0,s.jsxs)(n.li,{children:["The default backend for Flannel is ",(0,s.jsx)(n.code,{children:"vxlan"}),". To enable encryption, use the ",(0,s.jsx)(n.code,{children:"wireguard-native"})," backend."]}),"\n",(0,s.jsxs)(n.li,{children:["Using ",(0,s.jsx)(n.code,{children:"vxlan"})," on Rasperry Pi with recent versions of Ubuntu requires ",(0,s.jsx)(n.a,{href:"/zh/installation/requirements?os=pi#operating-systems",children:"additional preparation"}),"."]}),"\n",(0,s.jsxs)(n.li,{children:["Using ",(0,s.jsx)(n.code,{children:"wireguard-native"})," as the Flannel backend may require additional modules on some Linux distributions. Please see the ",(0,s.jsx)(n.a,{href:"https://www.wireguard.com/install/",children:"WireGuard Install Guide"})," for details.\nThe WireGuard install steps will ensure the appropriate kernel modules are installed for your operating system.\nYou must ensure that WireGuard kernel modules are available on every node, both servers and agents, before attempting to use the WireGuard Flannel backend."]}),"\n"]}),"\n",(0,s.jsxs)(n.table,{children:[(0,s.jsx)(n.thead,{children:(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.th,{children:"CLI Flag and Value"}),(0,s.jsx)(n.th,{children:"Description"})]})}),(0,s.jsxs)(n.tbody,{children:[(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"--flannel-ipv6-masq"})}),(0,s.jsxs)(n.td,{children:["Apply masquerading rules to IPv6 traffic (default for IPv4). Only applies on dual-stack or IPv6-only clusters. Compatible with any Flannel backend other than ",(0,s.jsx)(n.code,{children:"none"}),"."]})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"--flannel-external-ip"})}),(0,s.jsx)(n.td,{children:"Use node external IP addresses as the destination for Flannel traffic, instead of internal IPs. Only applies when --node-external-ip is set on a node."})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"--flannel-backend=vxlan"})}),(0,s.jsx)(n.td,{children:"Use VXLAN to encapsulate the packets. May require additional kernel modules on Raspberry Pi."})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"--flannel-backend=host-gw"})}),(0,s.jsx)(n.td,{children:"Use IP routes to pod subnets via node IPs. Requires direct layer 2 connectivity between all nodes in the cluster."})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"--flannel-backend=wireguard-native"})}),(0,s.jsx)(n.td,{children:"Use WireGuard to encapsulate and encrypt network traffic. May require additional kernel modules."})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"--flannel-backend=ipsec"})}),(0,s.jsxs)(n.td,{children:["Use strongSwan IPSec via the ",(0,s.jsx)(n.code,{children:"swanctl"})," binary to encrypt network traffic. (Deprecated; will be removed in v1.27.0)"]})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"--flannel-backend=none"})}),(0,s.jsx)(n.td,{children:"Disable Flannel entirely."})]})]})]}),"\n",(0,s.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,s.jsxs)(n.p,{children:["K3s no longer includes strongSwan ",(0,s.jsx)(n.code,{children:"swanctl"})," and ",(0,s.jsx)(n.code,{children:"charon"})," binaries starting with the 2022-12 releases (v1.26.0+k3s1, v1.25.5+k3s1, v1.24.9+k3s1, v1.23.15+k3s1). Please install the correct packages on your node before upgrading to or installing these releases if you want to use the ",(0,s.jsx)(n.code,{children:"ipsec"})," backend."]})}),"\n",(0,s.jsxs)(n.h3,{id:"migrating-from-wireguard-or-ipsec-to-wireguard-native",children:["Migrating from ",(0,s.jsx)(n.code,{children:"wireguard"})," or ",(0,s.jsx)(n.code,{children:"ipsec"})," to ",(0,s.jsx)(n.code,{children:"wireguard-native"})]}),"\n",(0,s.jsxs)(n.p,{children:["The legacy ",(0,s.jsx)(n.code,{children:"wireguard"})," backend requires installation of the ",(0,s.jsx)(n.code,{children:"wg"})," tool on the host. This backend is not available in K3s v1.26 and higher, in favor of ",(0,s.jsx)(n.code,{children:"wireguard-native"})," backend, which directly interfaces with the kernel."]}),"\n",(0,s.jsxs)(n.p,{children:["The legacy ",(0,s.jsx)(n.code,{children:"ipsec"})," backend requires installation of the ",(0,s.jsx)(n.code,{children:"swanctl"})," and ",(0,s.jsx)(n.code,{children:"charon"})," binaries on the host. This backend is not available in K3s v1.27 and higher, in favor of the ",(0,s.jsx)(n.code,{children:"wireguard-native"})," backend."]}),"\n",(0,s.jsx)(n.p,{children:"We recommend that users migrate to the new backend as soon as possible. The migration requires a short period of downtime while nodes come up with the new configuration. You should follow these two steps:"}),"\n",(0,s.jsxs)(n.ol,{children:["\n",(0,s.jsxs)(n.li,{children:["Update the K3s config on all server nodes. If using config files, the ",(0,s.jsx)(n.code,{children:"/etc/rancher/k3s/config.yaml"})," should include ",(0,s.jsx)(n.code,{children:"flannel-backend: wireguard-native"})," instead of ",(0,s.jsx)(n.code,{children:"flannel-backend: wireguard"})," or ",(0,s.jsx)(n.code,{children:"flannel-backend: ipsec"}),". If you are configuring K3s via CLI flags in the systemd unit, the equivalent flags should be changed."]}),"\n",(0,s.jsx)(n.li,{children:"Reboot all nodes, starting with the servers."}),"\n"]}),"\n",(0,s.jsx)(n.h2,{id:"custom-cni",children:"Custom CNI"}),"\n",(0,s.jsxs)(n.p,{children:["Start K3s with ",(0,s.jsx)(n.code,{children:"--flannel-backend=none"})," and install your CNI of choice. Most CNI plugins come with their own network policy engine, so it is recommended to set ",(0,s.jsx)(n.code,{children:"--disable-network-policy"})," as well to avoid conflicts. Some important information to take into consideration:"]}),"\n",(0,s.jsxs)(r,{children:[(0,s.jsxs)(i,{value:"Canal",default:!0,children:[(0,s.jsxs)(n.p,{children:["Visit the ",(0,s.jsx)(n.a,{href:"https://docs.tigera.io/calico/latest/getting-started/kubernetes/flannel/install-for-flannel#installing-calico-for-policy-and-flannel-aka-canal-for-networking",children:"Canal Docs"})," website. Follow the steps to install Canal. Modify the Canal YAML so that IP forwarding is allowed in the ",(0,s.jsx)(n.code,{children:"container_settings"})," section, for example:"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:'"container_settings": {\n "allow_ip_forwarding": true\n}\n'})}),(0,s.jsx)(n.p,{children:"Apply the Canal YAML."}),(0,s.jsx)(n.p,{children:"Ensure the settings were applied by running the following command on the host:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"cat /etc/cni/net.d/10-canal.conflist\n"})}),(0,s.jsx)(n.p,{children:"You should see that IP forwarding is set to true."})]}),(0,s.jsxs)(i,{value:"Calico",default:!0,children:[(0,s.jsxs)(n.p,{children:["Follow the ",(0,s.jsx)(n.a,{href:"https://docs.tigera.io/calico/latest/reference/configure-cni-plugins",children:"Calico CNI Plugins Guide"}),". Modify the Calico YAML so that IP forwarding is allowed in the ",(0,s.jsx)(n.code,{children:"container_settings"})," section, for example:"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:'"container_settings": {\n "allow_ip_forwarding": true\n}\n'})}),(0,s.jsx)(n.p,{children:"Apply the Calico YAML."}),(0,s.jsx)(n.p,{children:"Ensure the settings were applied by running the following command on the host:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"cat /etc/cni/net.d/10-calico.conflist\n"})}),(0,s.jsx)(n.p,{children:"You should see that IP forwarding is set to true."})]}),(0,s.jsxs)(i,{value:"Cilium",default:!0,children:[(0,s.jsxs)(n.p,{children:["Before running ",(0,s.jsx)(n.code,{children:"k3s-killall.sh"})," or ",(0,s.jsx)(n.code,{children:"k3s-uninstall.sh"}),", you must manually remove ",(0,s.jsx)(n.code,{children:"cilium_host"}),", ",(0,s.jsx)(n.code,{children:"cilium_net"})," and ",(0,s.jsx)(n.code,{children:"cilium_vxlan"})," interfaces. If you fail to do this, you may lose network connectivity to the host when K3s is stopped"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"ip link delete cilium_host\nip link delete cilium_net\nip link delete cilium_vxlan\n"})}),(0,s.jsx)(n.p,{children:"Additionally, iptables rules for cilium should be removed:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"iptables-save | grep -iv cilium | iptables-restore\nip6tables-save | grep -iv cilium | ip6tables-restore\n"})})]})]}),"\n",(0,s.jsx)(n.h2,{id:"control-plane-egress-selector-configuration",children:"Control-Plane Egress Selector configuration"}),"\n",(0,s.jsxs)(n.p,{children:["K3s agents and servers maintain websocket tunnels between nodes that are used to encapsulate bidirectional communication between the control-plane (apiserver) and agent (kubelet and containerd) components.\nThis allows agents to operate without exposing the kubelet and container runtime streaming ports to incoming connections, and for the control-plane to connect to cluster services when operating with the agent disabled.\nThis functionality is equivalent to the ",(0,s.jsx)(n.a,{href:"https://kubernetes.io/docs/tasks/extend-kubernetes/setup-konnectivity/",children:"Konnectivity"})," service commonly used on other Kubernetes distributions, and is managed via the apiserver's egress selector configuration."]}),"\n",(0,s.jsxs)(n.p,{children:["The default mode is ",(0,s.jsx)(n.code,{children:"agent"}),". ",(0,s.jsx)(n.code,{children:"pod"})," or ",(0,s.jsx)(n.code,{children:"cluster"})," modes are recommended when running ",(0,s.jsx)(n.a,{href:"/zh/advanced#%E8%BF%90%E8%A1%8C%E6%97%A0-agent-%E7%9A%84-server%E5%AE%9E%E9%AA%8C%E6%80%A7",children:"agentless servers"}),", in order to provide the apiserver with access to cluster service endpoints in the absence of flannel and kube-proxy."]}),"\n",(0,s.jsxs)(n.p,{children:["The egress selector mode may be configured on servers via the ",(0,s.jsx)(n.code,{children:"--egress-selector-mode"})," flag, and offers four modes:"]}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsxs)(n.li,{children:[(0,s.jsx)(n.code,{children:"disabled"}),": The apiserver does not use agent tunnels to communicate with kubelets or cluster endpoints.\nThis mode requires that servers run the kubelet, CNI, and kube-proxy, and have direct connectivity to agents, or the apiserver will not be able to access service endpoints or perform ",(0,s.jsx)(n.code,{children:"kubectl exec"})," and ",(0,s.jsx)(n.code,{children:"kubectl logs"}),"."]}),"\n",(0,s.jsxs)(n.li,{children:[(0,s.jsx)(n.code,{children:"agent"})," (default): The apiserver uses agent tunnels to communicate with kubelets.\nThis mode requires that the servers also run the kubelet, CNI, and kube-proxy, or the apiserver will not be able to access service endpoints."]}),"\n",(0,s.jsxs)(n.li,{children:[(0,s.jsx)(n.code,{children:"pod"}),": The apiserver uses agent tunnels to communicate with kubelets and service endpoints, routing endpoint connections to the correct agent by watching Nodes and Endpoints.",(0,s.jsx)(n.br,{}),"\n",(0,s.jsx)(n.strong,{children:"NOTE"}),": This mode will not work when using a CNI that uses its own IPAM and does not respect the node's PodCIDR allocation. ",(0,s.jsx)(n.code,{children:"cluster"})," or ",(0,s.jsx)(n.code,{children:"agent"})," mode should be used with these CNIs instead."]}),"\n",(0,s.jsxs)(n.li,{children:[(0,s.jsx)(n.code,{children:"cluster"}),": The apiserver uses agent tunnels to communicate with kubelets and service endpoints, routing endpoint connections to the correct agent by watching Pods and Endpoints. This mode has the highest portability across different cluster configurations, at the cost of increased overhead."]}),"\n"]}),"\n",(0,s.jsx)(n.h2,{id:"dual-stack-ipv4--ipv6-networking",children:"Dual-stack (IPv4 + IPv6) Networking"}),"\n",(0,s.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,s.jsxs)(n.p,{children:["Experimental support is available as of ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.21.0%2Bk3s1",children:"v1.21.0+k3s1"}),".",(0,s.jsx)(n.br,{}),"\n","Stable support is available as of ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.23.7%2Bk3s1",children:"v1.23.7+k3s1"}),"."]})}),"\n",(0,s.jsxs)(n.admonition,{title:"Known Issue",type:"warning",children:[(0,s.jsxs)(n.p,{children:["Before 1.27, Kubernetes ",(0,s.jsx)(n.a,{href:"https://github.com/kubernetes/kubernetes/issues/111695",children:"Issue #111695"})," causes the Kubelet to ignore the node IPv6 addresses if you have a dual-stack environment and you are not using the primary network interface for cluster traffic. To avoid this bug, use 1.27 or newer or add the following flag to both K3s servers and agents:"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:'--kubelet-arg="node-ip=0.0.0.0" # To proritize IPv4 traffic\n#OR\n--kubelet-arg="node-ip=::" # To proritize IPv6 traffic\n'})})]}),"\n",(0,s.jsx)(n.p,{children:"Dual-stack networking must be configured when the cluster is first created. It cannot be enabled on an existing cluster once it has been started as IPv4-only."}),"\n",(0,s.jsxs)(n.p,{children:["To enable dual-stack in K3s, you must provide valid dual-stack ",(0,s.jsx)(n.code,{children:"cluster-cidr"})," and ",(0,s.jsx)(n.code,{children:"service-cidr"})," on all server nodes. This is an example of a valid configuration:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"--cluster-cidr=10.42.0.0/16,2001:cafe:42::/56 --service-cidr=10.43.0.0/16,2001:cafe:43::/112\n"})}),"\n",(0,s.jsxs)(n.p,{children:["Note that you may configure any valid ",(0,s.jsx)(n.code,{children:"cluster-cidr"})," and ",(0,s.jsx)(n.code,{children:"service-cidr"})," values, but the above masks are recommended. If you change the ",(0,s.jsx)(n.code,{children:"cluster-cidr"})," mask, you should also change the ",(0,s.jsx)(n.code,{children:"node-cidr-mask-size-ipv4"})," and ",(0,s.jsx)(n.code,{children:"node-cidr-mask-size-ipv6"})," values to match the planned pods per node and total node count. The largest supported ",(0,s.jsx)(n.code,{children:"service-cidr"})," mask is /12 for IPv4, and /112 for IPv6. Remember to allow ipv6 traffic if you are deploying in a public cloud."]}),"\n",(0,s.jsx)(n.p,{children:"If you are using a custom CNI plugin, i.e. a CNI plugin other than Flannel, the additional configuration may be required. Please consult your plugin's dual-stack documentation and verify if network policies can be enabled."}),"\n",(0,s.jsx)(n.admonition,{title:"Known Issue",type:"warning",children:(0,s.jsx)(n.p,{children:"When defining cluster-cidr and service-cidr with IPv6 as the primary family, the node-ip of all cluster members should be explicitly set, placing node's desired IPv6 address as the first address. By default, the kubelet always uses IPv4 as the primary address family."})}),"\n",(0,s.jsx)(n.h2,{id:"single-stack-ipv6-networking",children:"Single-stack IPv6 Networking"}),"\n",(0,s.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,s.jsxs)(n.p,{children:["Available as of ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.22.9%2Bk3s1",children:"v1.22.9+k3s1"})]})}),"\n",(0,s.jsx)(n.admonition,{title:"Known Issue",type:"warning",children:(0,s.jsxs)(n.p,{children:["If your IPv6 default route is set by a router advertisement (RA), you will need to set the sysctl ",(0,s.jsx)(n.code,{children:"net.ipv6.conf.all.accept_ra=2"}),"; otherwise, the node will drop the default route once it expires. Be aware that accepting RAs could increase the risk of ",(0,s.jsx)(n.a,{href:"https://github.com/kubernetes/kubernetes/issues/91507",children:"man-in-the-middle attacks"}),"."]})}),"\n",(0,s.jsxs)(n.p,{children:["Single-stack IPv6 clusters (clusters without IPv4) are supported on K3s using the ",(0,s.jsx)(n.code,{children:"--cluster-cidr"})," and ",(0,s.jsx)(n.code,{children:"--service-cidr"})," flags. This is an example of a valid configuration:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"--cluster-cidr=2001:cafe:42::/56 --service-cidr=2001:cafe:43::/112\n"})}),"\n",(0,s.jsx)(n.h2,{id:"nodes-without-a-hostname",children:"Nodes Without a Hostname"}),"\n",(0,s.jsxs)(n.p,{children:['Some cloud providers, such as Linode, will create machines with "localhost" as the hostname and others may not have a hostname set at all. This can cause problems with domain name resolution. You can run K3s with the ',(0,s.jsx)(n.code,{children:"--node-name"})," flag or ",(0,s.jsx)(n.code,{children:"K3S_NODE_NAME"})," environment variable and this will pass the node name to resolve this issue."]})]})}function h(e={}){const{wrapper:n}={...(0,t.a)(),...e.components};return n?(0,s.jsx)(n,{...e,children:(0,s.jsx)(c,{...e})}):c(e)}function u(e,n){throw new Error("Expected "+(n?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,n,i)=>{i.d(n,{Z:()=>a,a:()=>o});var s=i(7294);const t={},r=s.createContext(t);function o(e){const n=s.useContext(r);return s.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function a(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:o(e.components),s.createElement(r.Provider,{value:n},e.children)}}}]); \ No newline at end of file +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[5579],{711:(e,n,i)=>{i.r(n),i.d(n,{assets:()=>l,contentTitle:()=>o,default:()=>h,frontMatter:()=>r,metadata:()=>a,toc:()=>d});var s=i(5893),t=i(1151);const r={title:"Basic Network Options"},o=void 0,a={id:"networking/basic-network-options",title:"Basic Network Options",description:"This page describes K3s network configuration options, including configuration or replacement of Flannel, and configuring IPv6 or dualStack.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/networking/basic-network-options.md",sourceDirName:"networking",slug:"/networking/basic-network-options",permalink:"/kr/networking/basic-network-options",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/networking/basic-network-options.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Basic Network Options"},sidebar:"mySidebar",previous:{title:"Networking",permalink:"/kr/networking/"},next:{title:"Distributed hybrid or multicloud cluster",permalink:"/kr/networking/distributed-multicloud"}},l={},d=[{value:"Flannel Options",id:"flannel-options",level:2},{value:"Migrating from wireguard or ipsec to wireguard-native",id:"migrating-from-wireguard-or-ipsec-to-wireguard-native",level:3},{value:"Custom CNI",id:"custom-cni",level:2},{value:"Control-Plane Egress Selector configuration",id:"control-plane-egress-selector-configuration",level:2},{value:"Dual-stack (IPv4 + IPv6) Networking",id:"dual-stack-ipv4--ipv6-networking",level:2},{value:"Single-stack IPv6 Networking",id:"single-stack-ipv6-networking",level:2},{value:"Nodes Without a Hostname",id:"nodes-without-a-hostname",level:2}];function c(e){const n={a:"a",admonition:"admonition",br:"br",code:"code",h2:"h2",h3:"h3",li:"li",ol:"ol",p:"p",pre:"pre",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,t.a)(),...e.components},{TabItem:i,Tabs:r}=n;return i||u("TabItem",!0),r||u("Tabs",!0),(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(n.p,{children:"This page describes K3s network configuration options, including configuration or replacement of Flannel, and configuring IPv6 or dualStack."}),"\n",(0,s.jsx)(n.h2,{id:"flannel-options",children:"Flannel Options"}),"\n",(0,s.jsxs)(n.p,{children:[(0,s.jsx)(n.a,{href:"https://github.com/flannel-io/flannel/blob/master/README.md",children:"Flannel"})," is a lightweight provider of layer 3 network fabric that implements the Kubernetes Container Network Interface (CNI). It is what is commonly referred to as a CNI Plugin."]}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsx)(n.li,{children:"Flannel options can only be set on server nodes, and must be identical on all servers in the cluster."}),"\n",(0,s.jsxs)(n.li,{children:["The default backend for Flannel is ",(0,s.jsx)(n.code,{children:"vxlan"}),". To enable encryption, use the ",(0,s.jsx)(n.code,{children:"wireguard-native"})," backend."]}),"\n",(0,s.jsxs)(n.li,{children:["Using ",(0,s.jsx)(n.code,{children:"vxlan"})," on Rasperry Pi with recent versions of Ubuntu requires ",(0,s.jsx)(n.a,{href:"/kr/installation/requirements?os=pi#operating-systems",children:"additional preparation"}),"."]}),"\n",(0,s.jsxs)(n.li,{children:["Using ",(0,s.jsx)(n.code,{children:"wireguard-native"})," as the Flannel backend may require additional modules on some Linux distributions. Please see the ",(0,s.jsx)(n.a,{href:"https://www.wireguard.com/install/",children:"WireGuard Install Guide"})," for details.\nThe WireGuard install steps will ensure the appropriate kernel modules are installed for your operating system.\nYou must ensure that WireGuard kernel modules are available on every node, both servers and agents, before attempting to use the WireGuard Flannel backend."]}),"\n"]}),"\n",(0,s.jsxs)(n.table,{children:[(0,s.jsx)(n.thead,{children:(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.th,{children:"CLI Flag and Value"}),(0,s.jsx)(n.th,{children:"Description"})]})}),(0,s.jsxs)(n.tbody,{children:[(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"--flannel-ipv6-masq"})}),(0,s.jsxs)(n.td,{children:["Apply masquerading rules to IPv6 traffic (default for IPv4). Only applies on dual-stack or IPv6-only clusters. Compatible with any Flannel backend other than ",(0,s.jsx)(n.code,{children:"none"}),"."]})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"--flannel-external-ip"})}),(0,s.jsx)(n.td,{children:"Use node external IP addresses as the destination for Flannel traffic, instead of internal IPs. Only applies when --node-external-ip is set on a node."})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"--flannel-backend=vxlan"})}),(0,s.jsx)(n.td,{children:"Use VXLAN to encapsulate the packets. May require additional kernel modules on Raspberry Pi."})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"--flannel-backend=host-gw"})}),(0,s.jsx)(n.td,{children:"Use IP routes to pod subnets via node IPs. Requires direct layer 2 connectivity between all nodes in the cluster."})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"--flannel-backend=wireguard-native"})}),(0,s.jsx)(n.td,{children:"Use WireGuard to encapsulate and encrypt network traffic. May require additional kernel modules."})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"--flannel-backend=ipsec"})}),(0,s.jsxs)(n.td,{children:["Use strongSwan IPSec via the ",(0,s.jsx)(n.code,{children:"swanctl"})," binary to encrypt network traffic. (Deprecated; will be removed in v1.27.0)"]})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"--flannel-backend=none"})}),(0,s.jsx)(n.td,{children:"Disable Flannel entirely."})]})]})]}),"\n",(0,s.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,s.jsxs)(n.p,{children:["K3s no longer includes strongSwan ",(0,s.jsx)(n.code,{children:"swanctl"})," and ",(0,s.jsx)(n.code,{children:"charon"})," binaries starting with the 2022-12 releases (v1.26.0+k3s1, v1.25.5+k3s1, v1.24.9+k3s1, v1.23.15+k3s1). Please install the correct packages on your node before upgrading to or installing these releases if you want to use the ",(0,s.jsx)(n.code,{children:"ipsec"})," backend."]})}),"\n",(0,s.jsxs)(n.h3,{id:"migrating-from-wireguard-or-ipsec-to-wireguard-native",children:["Migrating from ",(0,s.jsx)(n.code,{children:"wireguard"})," or ",(0,s.jsx)(n.code,{children:"ipsec"})," to ",(0,s.jsx)(n.code,{children:"wireguard-native"})]}),"\n",(0,s.jsxs)(n.p,{children:["The legacy ",(0,s.jsx)(n.code,{children:"wireguard"})," backend requires installation of the ",(0,s.jsx)(n.code,{children:"wg"})," tool on the host. This backend is not available in K3s v1.26 and higher, in favor of ",(0,s.jsx)(n.code,{children:"wireguard-native"})," backend, which directly interfaces with the kernel."]}),"\n",(0,s.jsxs)(n.p,{children:["The legacy ",(0,s.jsx)(n.code,{children:"ipsec"})," backend requires installation of the ",(0,s.jsx)(n.code,{children:"swanctl"})," and ",(0,s.jsx)(n.code,{children:"charon"})," binaries on the host. This backend is not available in K3s v1.27 and higher, in favor of the ",(0,s.jsx)(n.code,{children:"wireguard-native"})," backend."]}),"\n",(0,s.jsx)(n.p,{children:"We recommend that users migrate to the new backend as soon as possible. The migration requires a short period of downtime while nodes come up with the new configuration. You should follow these two steps:"}),"\n",(0,s.jsxs)(n.ol,{children:["\n",(0,s.jsxs)(n.li,{children:["Update the K3s config on all server nodes. If using config files, the ",(0,s.jsx)(n.code,{children:"/etc/rancher/k3s/config.yaml"})," should include ",(0,s.jsx)(n.code,{children:"flannel-backend: wireguard-native"})," instead of ",(0,s.jsx)(n.code,{children:"flannel-backend: wireguard"})," or ",(0,s.jsx)(n.code,{children:"flannel-backend: ipsec"}),". If you are configuring K3s via CLI flags in the systemd unit, the equivalent flags should be changed."]}),"\n",(0,s.jsx)(n.li,{children:"Reboot all nodes, starting with the servers."}),"\n"]}),"\n",(0,s.jsx)(n.h2,{id:"custom-cni",children:"Custom CNI"}),"\n",(0,s.jsxs)(n.p,{children:["Start K3s with ",(0,s.jsx)(n.code,{children:"--flannel-backend=none"})," and install your CNI of choice. Most CNI plugins come with their own network policy engine, so it is recommended to set ",(0,s.jsx)(n.code,{children:"--disable-network-policy"})," as well to avoid conflicts. Some important information to take into consideration:"]}),"\n",(0,s.jsxs)(r,{children:[(0,s.jsxs)(i,{value:"Canal",default:!0,children:[(0,s.jsxs)(n.p,{children:["Visit the ",(0,s.jsx)(n.a,{href:"https://docs.tigera.io/calico/latest/getting-started/kubernetes/flannel/install-for-flannel#installing-calico-for-policy-and-flannel-aka-canal-for-networking",children:"Canal Docs"})," website. Follow the steps to install Canal. Modify the Canal YAML so that IP forwarding is allowed in the ",(0,s.jsx)(n.code,{children:"container_settings"})," section, for example:"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:'"container_settings": {\n "allow_ip_forwarding": true\n}\n'})}),(0,s.jsx)(n.p,{children:"Apply the Canal YAML."}),(0,s.jsx)(n.p,{children:"Ensure the settings were applied by running the following command on the host:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"cat /etc/cni/net.d/10-canal.conflist\n"})}),(0,s.jsx)(n.p,{children:"You should see that IP forwarding is set to true."})]}),(0,s.jsxs)(i,{value:"Calico",default:!0,children:[(0,s.jsxs)(n.p,{children:["Follow the ",(0,s.jsx)(n.a,{href:"https://docs.tigera.io/calico/latest/reference/configure-cni-plugins",children:"Calico CNI Plugins Guide"}),". Modify the Calico YAML so that IP forwarding is allowed in the ",(0,s.jsx)(n.code,{children:"container_settings"})," section, for example:"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:'"container_settings": {\n "allow_ip_forwarding": true\n}\n'})}),(0,s.jsx)(n.p,{children:"Apply the Calico YAML."}),(0,s.jsx)(n.p,{children:"Ensure the settings were applied by running the following command on the host:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"cat /etc/cni/net.d/10-calico.conflist\n"})}),(0,s.jsx)(n.p,{children:"You should see that IP forwarding is set to true."})]}),(0,s.jsxs)(i,{value:"Cilium",default:!0,children:[(0,s.jsxs)(n.p,{children:["Before running ",(0,s.jsx)(n.code,{children:"k3s-killall.sh"})," or ",(0,s.jsx)(n.code,{children:"k3s-uninstall.sh"}),", you must manually remove ",(0,s.jsx)(n.code,{children:"cilium_host"}),", ",(0,s.jsx)(n.code,{children:"cilium_net"})," and ",(0,s.jsx)(n.code,{children:"cilium_vxlan"})," interfaces. If you fail to do this, you may lose network connectivity to the host when K3s is stopped"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"ip link delete cilium_host\nip link delete cilium_net\nip link delete cilium_vxlan\n"})}),(0,s.jsx)(n.p,{children:"Additionally, iptables rules for cilium should be removed:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"iptables-save | grep -iv cilium | iptables-restore\nip6tables-save | grep -iv cilium | ip6tables-restore\n"})})]})]}),"\n",(0,s.jsx)(n.h2,{id:"control-plane-egress-selector-configuration",children:"Control-Plane Egress Selector configuration"}),"\n",(0,s.jsxs)(n.p,{children:["K3s agents and servers maintain websocket tunnels between nodes that are used to encapsulate bidirectional communication between the control-plane (apiserver) and agent (kubelet and containerd) components.\nThis allows agents to operate without exposing the kubelet and container runtime streaming ports to incoming connections, and for the control-plane to connect to cluster services when operating with the agent disabled.\nThis functionality is equivalent to the ",(0,s.jsx)(n.a,{href:"https://kubernetes.io/docs/tasks/extend-kubernetes/setup-konnectivity/",children:"Konnectivity"})," service commonly used on other Kubernetes distributions, and is managed via the apiserver's egress selector configuration."]}),"\n",(0,s.jsxs)(n.p,{children:["The default mode is ",(0,s.jsx)(n.code,{children:"agent"}),". ",(0,s.jsx)(n.code,{children:"pod"})," or ",(0,s.jsx)(n.code,{children:"cluster"})," modes are recommended when running ",(0,s.jsx)(n.a,{href:"/kr/advanced#%EC%97%90%EC%9D%B4%EC%A0%84%ED%8A%B8-%EC%97%86%EB%8A%94-%EC%84%9C%EB%B2%84-%EC%8B%A4%ED%96%89%ED%95%98%EA%B8%B0%EC%8B%A4%ED%97%98%EC%A0%81",children:"agentless servers"}),", in order to provide the apiserver with access to cluster service endpoints in the absence of flannel and kube-proxy."]}),"\n",(0,s.jsxs)(n.p,{children:["The egress selector mode may be configured on servers via the ",(0,s.jsx)(n.code,{children:"--egress-selector-mode"})," flag, and offers four modes:"]}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsxs)(n.li,{children:[(0,s.jsx)(n.code,{children:"disabled"}),": The apiserver does not use agent tunnels to communicate with kubelets or cluster endpoints.\nThis mode requires that servers run the kubelet, CNI, and kube-proxy, and have direct connectivity to agents, or the apiserver will not be able to access service endpoints or perform ",(0,s.jsx)(n.code,{children:"kubectl exec"})," and ",(0,s.jsx)(n.code,{children:"kubectl logs"}),"."]}),"\n",(0,s.jsxs)(n.li,{children:[(0,s.jsx)(n.code,{children:"agent"})," (default): The apiserver uses agent tunnels to communicate with kubelets.\nThis mode requires that the servers also run the kubelet, CNI, and kube-proxy, or the apiserver will not be able to access service endpoints."]}),"\n",(0,s.jsxs)(n.li,{children:[(0,s.jsx)(n.code,{children:"pod"}),": The apiserver uses agent tunnels to communicate with kubelets and service endpoints, routing endpoint connections to the correct agent by watching Nodes and Endpoints.",(0,s.jsx)(n.br,{}),"\n",(0,s.jsx)(n.strong,{children:"NOTE"}),": This mode will not work when using a CNI that uses its own IPAM and does not respect the node's PodCIDR allocation. ",(0,s.jsx)(n.code,{children:"cluster"})," or ",(0,s.jsx)(n.code,{children:"agent"})," mode should be used with these CNIs instead."]}),"\n",(0,s.jsxs)(n.li,{children:[(0,s.jsx)(n.code,{children:"cluster"}),": The apiserver uses agent tunnels to communicate with kubelets and service endpoints, routing endpoint connections to the correct agent by watching Pods and Endpoints. This mode has the highest portability across different cluster configurations, at the cost of increased overhead."]}),"\n"]}),"\n",(0,s.jsx)(n.h2,{id:"dual-stack-ipv4--ipv6-networking",children:"Dual-stack (IPv4 + IPv6) Networking"}),"\n",(0,s.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,s.jsxs)(n.p,{children:["Experimental support is available as of ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.21.0%2Bk3s1",children:"v1.21.0+k3s1"}),".",(0,s.jsx)(n.br,{}),"\n","Stable support is available as of ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.23.7%2Bk3s1",children:"v1.23.7+k3s1"}),"."]})}),"\n",(0,s.jsxs)(n.admonition,{title:"Known Issue",type:"warning",children:[(0,s.jsxs)(n.p,{children:["Before 1.27, Kubernetes ",(0,s.jsx)(n.a,{href:"https://github.com/kubernetes/kubernetes/issues/111695",children:"Issue #111695"})," causes the Kubelet to ignore the node IPv6 addresses if you have a dual-stack environment and you are not using the primary network interface for cluster traffic. To avoid this bug, use 1.27 or newer or add the following flag to both K3s servers and agents:"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:'--kubelet-arg="node-ip=0.0.0.0" # To proritize IPv4 traffic\n#OR\n--kubelet-arg="node-ip=::" # To proritize IPv6 traffic\n'})})]}),"\n",(0,s.jsx)(n.p,{children:"Dual-stack networking must be configured when the cluster is first created. It cannot be enabled on an existing cluster once it has been started as IPv4-only."}),"\n",(0,s.jsxs)(n.p,{children:["To enable dual-stack in K3s, you must provide valid dual-stack ",(0,s.jsx)(n.code,{children:"cluster-cidr"})," and ",(0,s.jsx)(n.code,{children:"service-cidr"})," on all server nodes. This is an example of a valid configuration:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"--cluster-cidr=10.42.0.0/16,2001:cafe:42::/56 --service-cidr=10.43.0.0/16,2001:cafe:43::/112\n"})}),"\n",(0,s.jsxs)(n.p,{children:["Note that you may configure any valid ",(0,s.jsx)(n.code,{children:"cluster-cidr"})," and ",(0,s.jsx)(n.code,{children:"service-cidr"})," values, but the above masks are recommended. If you change the ",(0,s.jsx)(n.code,{children:"cluster-cidr"})," mask, you should also change the ",(0,s.jsx)(n.code,{children:"node-cidr-mask-size-ipv4"})," and ",(0,s.jsx)(n.code,{children:"node-cidr-mask-size-ipv6"})," values to match the planned pods per node and total node count. The largest supported ",(0,s.jsx)(n.code,{children:"service-cidr"})," mask is /12 for IPv4, and /112 for IPv6. Remember to allow ipv6 traffic if you are deploying in a public cloud."]}),"\n",(0,s.jsx)(n.p,{children:"If you are using a custom CNI plugin, i.e. a CNI plugin other than Flannel, the additional configuration may be required. Please consult your plugin's dual-stack documentation and verify if network policies can be enabled."}),"\n",(0,s.jsx)(n.admonition,{title:"Known Issue",type:"warning",children:(0,s.jsx)(n.p,{children:"When defining cluster-cidr and service-cidr with IPv6 as the primary family, the node-ip of all cluster members should be explicitly set, placing node's desired IPv6 address as the first address. By default, the kubelet always uses IPv4 as the primary address family."})}),"\n",(0,s.jsx)(n.h2,{id:"single-stack-ipv6-networking",children:"Single-stack IPv6 Networking"}),"\n",(0,s.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,s.jsxs)(n.p,{children:["Available as of ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.22.9%2Bk3s1",children:"v1.22.9+k3s1"})]})}),"\n",(0,s.jsx)(n.admonition,{title:"Known Issue",type:"warning",children:(0,s.jsxs)(n.p,{children:["If your IPv6 default route is set by a router advertisement (RA), you will need to set the sysctl ",(0,s.jsx)(n.code,{children:"net.ipv6.conf.all.accept_ra=2"}),"; otherwise, the node will drop the default route once it expires. Be aware that accepting RAs could increase the risk of ",(0,s.jsx)(n.a,{href:"https://github.com/kubernetes/kubernetes/issues/91507",children:"man-in-the-middle attacks"}),"."]})}),"\n",(0,s.jsxs)(n.p,{children:["Single-stack IPv6 clusters (clusters without IPv4) are supported on K3s using the ",(0,s.jsx)(n.code,{children:"--cluster-cidr"})," and ",(0,s.jsx)(n.code,{children:"--service-cidr"})," flags. This is an example of a valid configuration:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"--cluster-cidr=2001:cafe:42::/56 --service-cidr=2001:cafe:43::/112\n"})}),"\n",(0,s.jsx)(n.h2,{id:"nodes-without-a-hostname",children:"Nodes Without a Hostname"}),"\n",(0,s.jsxs)(n.p,{children:['Some cloud providers, such as Linode, will create machines with "localhost" as the hostname and others may not have a hostname set at all. This can cause problems with domain name resolution. You can run K3s with the ',(0,s.jsx)(n.code,{children:"--node-name"})," flag or ",(0,s.jsx)(n.code,{children:"K3S_NODE_NAME"})," environment variable and this will pass the node name to resolve this issue."]})]})}function h(e={}){const{wrapper:n}={...(0,t.a)(),...e.components};return n?(0,s.jsx)(n,{...e,children:(0,s.jsx)(c,{...e})}):c(e)}function u(e,n){throw new Error("Expected "+(n?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,n,i)=>{i.d(n,{Z:()=>a,a:()=>o});var s=i(7294);const t={},r=s.createContext(t);function o(e){const n=s.useContext(r);return s.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function a(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:o(e.components),s.createElement(r.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/6eb212a2.d763d6d7.js b/kr/assets/js/6eb212a2.d763d6d7.js deleted file mode 100644 index eaeb3d6a5..000000000 --- a/kr/assets/js/6eb212a2.d763d6d7.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[5579],{711:(e,n,i)=>{i.r(n),i.d(n,{assets:()=>l,contentTitle:()=>o,default:()=>h,frontMatter:()=>r,metadata:()=>a,toc:()=>d});var s=i(5893),t=i(1151);const r={title:"Basic Network Options"},o=void 0,a={id:"networking/basic-network-options",title:"Basic Network Options",description:"This page describes K3s network configuration options, including configuration or replacement of Flannel, and configuring IPv6 or dualStack.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/networking/basic-network-options.md",sourceDirName:"networking",slug:"/networking/basic-network-options",permalink:"/kr/networking/basic-network-options",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/networking/basic-network-options.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Basic Network Options"},sidebar:"mySidebar",previous:{title:"Networking",permalink:"/kr/networking/"},next:{title:"Distributed hybrid or multicloud cluster",permalink:"/kr/networking/distributed-multicloud"}},l={},d=[{value:"Flannel Options",id:"flannel-options",level:2},{value:"Migrating from wireguard or ipsec to wireguard-native",id:"migrating-from-wireguard-or-ipsec-to-wireguard-native",level:3},{value:"Custom CNI",id:"custom-cni",level:2},{value:"Control-Plane Egress Selector configuration",id:"control-plane-egress-selector-configuration",level:2},{value:"Dual-stack (IPv4 + IPv6) Networking",id:"dual-stack-ipv4--ipv6-networking",level:2},{value:"Single-stack IPv6 Networking",id:"single-stack-ipv6-networking",level:2},{value:"Nodes Without a Hostname",id:"nodes-without-a-hostname",level:2}];function c(e){const n={a:"a",admonition:"admonition",br:"br",code:"code",h2:"h2",h3:"h3",li:"li",ol:"ol",p:"p",pre:"pre",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,t.a)(),...e.components},{TabItem:i,Tabs:r}=n;return i||u("TabItem",!0),r||u("Tabs",!0),(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(n.p,{children:"This page describes K3s network configuration options, including configuration or replacement of Flannel, and configuring IPv6 or dualStack."}),"\n",(0,s.jsx)(n.h2,{id:"flannel-options",children:"Flannel Options"}),"\n",(0,s.jsxs)(n.p,{children:[(0,s.jsx)(n.a,{href:"https://github.com/flannel-io/flannel/blob/master/README.md",children:"Flannel"})," is a lightweight provider of layer 3 network fabric that implements the Kubernetes Container Network Interface (CNI). It is what is commonly referred to as a CNI Plugin."]}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsx)(n.li,{children:"Flannel options can only be set on server nodes, and must be identical on all servers in the cluster."}),"\n",(0,s.jsxs)(n.li,{children:["The default backend for Flannel is ",(0,s.jsx)(n.code,{children:"vxlan"}),". To enable encryption, use the ",(0,s.jsx)(n.code,{children:"wireguard-native"})," backend."]}),"\n",(0,s.jsxs)(n.li,{children:["Using ",(0,s.jsx)(n.code,{children:"vxlan"})," on Rasperry Pi with recent versions of Ubuntu requires ",(0,s.jsx)(n.a,{href:"/kr/installation/requirements?os=pi#operating-systems",children:"additional preparation"}),"."]}),"\n",(0,s.jsxs)(n.li,{children:["Using ",(0,s.jsx)(n.code,{children:"wireguard-native"})," as the Flannel backend may require additional modules on some Linux distributions. Please see the ",(0,s.jsx)(n.a,{href:"https://www.wireguard.com/install/",children:"WireGuard Install Guide"})," for details.\nThe WireGuard install steps will ensure the appropriate kernel modules are installed for your operating system.\nYou must ensure that WireGuard kernel modules are available on every node, both servers and agents, before attempting to use the WireGuard Flannel backend."]}),"\n"]}),"\n",(0,s.jsxs)(n.table,{children:[(0,s.jsx)(n.thead,{children:(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.th,{children:"CLI Flag and Value"}),(0,s.jsx)(n.th,{children:"Description"})]})}),(0,s.jsxs)(n.tbody,{children:[(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"--flannel-ipv6-masq"})}),(0,s.jsxs)(n.td,{children:["Apply masquerading rules to IPv6 traffic (default for IPv4). Only applies on dual-stack or IPv6-only clusters. Compatible with any Flannel backend other than ",(0,s.jsx)(n.code,{children:"none"}),"."]})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"--flannel-external-ip"})}),(0,s.jsx)(n.td,{children:"Use node external IP addresses as the destination for Flannel traffic, instead of internal IPs. Only applies when --node-external-ip is set on a node."})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"--flannel-backend=vxlan"})}),(0,s.jsx)(n.td,{children:"Use VXLAN to encapsulate the packets. May require additional kernel modules on Raspberry Pi."})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"--flannel-backend=host-gw"})}),(0,s.jsx)(n.td,{children:"Use IP routes to pod subnets via node IPs. Requires direct layer 2 connectivity between all nodes in the cluster."})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"--flannel-backend=wireguard-native"})}),(0,s.jsx)(n.td,{children:"Use WireGuard to encapsulate and encrypt network traffic. May require additional kernel modules."})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"--flannel-backend=ipsec"})}),(0,s.jsxs)(n.td,{children:["Use strongSwan IPSec via the ",(0,s.jsx)(n.code,{children:"swanctl"})," binary to encrypt network traffic. (Deprecated; will be removed in v1.27.0)"]})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"--flannel-backend=none"})}),(0,s.jsx)(n.td,{children:"Disable Flannel entirely."})]})]})]}),"\n",(0,s.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,s.jsxs)(n.p,{children:["K3s no longer includes strongSwan ",(0,s.jsx)(n.code,{children:"swanctl"})," and ",(0,s.jsx)(n.code,{children:"charon"})," binaries starting with the 2022-12 releases (v1.26.0+k3s1, v1.25.5+k3s1, v1.24.9+k3s1, v1.23.15+k3s1). Please install the correct packages on your node before upgrading to or installing these releases if you want to use the ",(0,s.jsx)(n.code,{children:"ipsec"})," backend."]})}),"\n",(0,s.jsxs)(n.h3,{id:"migrating-from-wireguard-or-ipsec-to-wireguard-native",children:["Migrating from ",(0,s.jsx)(n.code,{children:"wireguard"})," or ",(0,s.jsx)(n.code,{children:"ipsec"})," to ",(0,s.jsx)(n.code,{children:"wireguard-native"})]}),"\n",(0,s.jsxs)(n.p,{children:["The legacy ",(0,s.jsx)(n.code,{children:"wireguard"})," backend requires installation of the ",(0,s.jsx)(n.code,{children:"wg"})," tool on the host. This backend is not available in K3s v1.26 and higher, in favor of ",(0,s.jsx)(n.code,{children:"wireguard-native"})," backend, which directly interfaces with the kernel."]}),"\n",(0,s.jsxs)(n.p,{children:["The legacy ",(0,s.jsx)(n.code,{children:"ipsec"})," backend requires installation of the ",(0,s.jsx)(n.code,{children:"swanctl"})," and ",(0,s.jsx)(n.code,{children:"charon"})," binaries on the host. This backend is not available in K3s v1.27 and higher, in favor of the ",(0,s.jsx)(n.code,{children:"wireguard-native"})," backend."]}),"\n",(0,s.jsx)(n.p,{children:"We recommend that users migrate to the new backend as soon as possible. The migration requires a short period of downtime while nodes come up with the new configuration. You should follow these two steps:"}),"\n",(0,s.jsxs)(n.ol,{children:["\n",(0,s.jsxs)(n.li,{children:["Update the K3s config on all server nodes. If using config files, the ",(0,s.jsx)(n.code,{children:"/etc/rancher/k3s/config.yaml"})," should include ",(0,s.jsx)(n.code,{children:"flannel-backend: wireguard-native"})," instead of ",(0,s.jsx)(n.code,{children:"flannel-backend: wireguard"})," or ",(0,s.jsx)(n.code,{children:"flannel-backend: ipsec"}),". If you are configuring K3s via CLI flags in the systemd unit, the equivalent flags should be changed."]}),"\n",(0,s.jsx)(n.li,{children:"Reboot all nodes, starting with the servers."}),"\n"]}),"\n",(0,s.jsx)(n.h2,{id:"custom-cni",children:"Custom CNI"}),"\n",(0,s.jsxs)(n.p,{children:["Start K3s with ",(0,s.jsx)(n.code,{children:"--flannel-backend=none"})," and install your CNI of choice. Most CNI plugins come with their own network policy engine, so it is recommended to set ",(0,s.jsx)(n.code,{children:"--disable-network-policy"})," as well to avoid conflicts. Some important information to take into consideration:"]}),"\n",(0,s.jsxs)(r,{children:[(0,s.jsxs)(i,{value:"Canal",default:!0,children:[(0,s.jsxs)(n.p,{children:["Visit the ",(0,s.jsx)(n.a,{href:"https://docs.tigera.io/calico/latest/getting-started/kubernetes/flannel/install-for-flannel#installing-calico-for-policy-and-flannel-aka-canal-for-networking",children:"Canal Docs"})," website. Follow the steps to install Canal. Modify the Canal YAML so that IP forwarding is allowed in the ",(0,s.jsx)(n.code,{children:"container_settings"})," section, for example:"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:'"container_settings": {\n "allow_ip_forwarding": true\n}\n'})}),(0,s.jsx)(n.p,{children:"Apply the Canal YAML."}),(0,s.jsx)(n.p,{children:"Ensure the settings were applied by running the following command on the host:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"cat /etc/cni/net.d/10-canal.conflist\n"})}),(0,s.jsx)(n.p,{children:"You should see that IP forwarding is set to true."})]}),(0,s.jsxs)(i,{value:"Calico",default:!0,children:[(0,s.jsxs)(n.p,{children:["Follow the ",(0,s.jsx)(n.a,{href:"https://docs.tigera.io/calico/latest/reference/configure-cni-plugins",children:"Calico CNI Plugins Guide"}),". Modify the Calico YAML so that IP forwarding is allowed in the ",(0,s.jsx)(n.code,{children:"container_settings"})," section, for example:"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:'"container_settings": {\n "allow_ip_forwarding": true\n}\n'})}),(0,s.jsx)(n.p,{children:"Apply the Calico YAML."}),(0,s.jsx)(n.p,{children:"Ensure the settings were applied by running the following command on the host:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"cat /etc/cni/net.d/10-calico.conflist\n"})}),(0,s.jsx)(n.p,{children:"You should see that IP forwarding is set to true."})]}),(0,s.jsxs)(i,{value:"Cilium",default:!0,children:[(0,s.jsxs)(n.p,{children:["Before running ",(0,s.jsx)(n.code,{children:"k3s-killall.sh"})," or ",(0,s.jsx)(n.code,{children:"k3s-uninstall.sh"}),", you must manually remove ",(0,s.jsx)(n.code,{children:"cilium_host"}),", ",(0,s.jsx)(n.code,{children:"cilium_net"})," and ",(0,s.jsx)(n.code,{children:"cilium_vxlan"})," interfaces. If you fail to do this, you may lose network connectivity to the host when K3s is stopped"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"ip link delete cilium_host\nip link delete cilium_net\nip link delete cilium_vxlan\n"})}),(0,s.jsx)(n.p,{children:"Additionally, iptables rules for cilium should be removed:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"iptables-save | grep -iv cilium | iptables-restore\nip6tables-save | grep -iv cilium | ip6tables-restore\n"})})]})]}),"\n",(0,s.jsx)(n.h2,{id:"control-plane-egress-selector-configuration",children:"Control-Plane Egress Selector configuration"}),"\n",(0,s.jsxs)(n.p,{children:["K3s agents and servers maintain websocket tunnels between nodes that are used to encapsulate bidirectional communication between the control-plane (apiserver) and agent (kubelet and containerd) components.\nThis allows agents to operate without exposing the kubelet and container runtime streaming ports to incoming connections, and for the control-plane to connect to cluster services when operating with the agent disabled.\nThis functionality is equivalent to the ",(0,s.jsx)(n.a,{href:"https://kubernetes.io/docs/tasks/extend-kubernetes/setup-konnectivity/",children:"Konnectivity"})," service commonly used on other Kubernetes distributions, and is managed via the apiserver's egress selector configuration."]}),"\n",(0,s.jsxs)(n.p,{children:["The default mode is ",(0,s.jsx)(n.code,{children:"agent"}),". ",(0,s.jsx)(n.code,{children:"pod"})," or ",(0,s.jsx)(n.code,{children:"cluster"})," modes are recommended when running ",(0,s.jsx)(n.a,{href:"/kr/advanced#%EC%97%90%EC%9D%B4%EC%A0%84%ED%8A%B8-%EC%97%86%EB%8A%94-%EC%84%9C%EB%B2%84-%EC%8B%A4%ED%96%89%ED%95%98%EA%B8%B0%EC%8B%A4%ED%97%98%EC%A0%81",children:"agentless servers"}),", in order to provide the apiserver with access to cluster service endpoints in the absence of flannel and kube-proxy."]}),"\n",(0,s.jsxs)(n.p,{children:["The egress selector mode may be configured on servers via the ",(0,s.jsx)(n.code,{children:"--egress-selector-mode"})," flag, and offers four modes:"]}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsxs)(n.li,{children:[(0,s.jsx)(n.code,{children:"disabled"}),": The apiserver does not use agent tunnels to communicate with kubelets or cluster endpoints.\nThis mode requires that servers run the kubelet, CNI, and kube-proxy, and have direct connectivity to agents, or the apiserver will not be able to access service endpoints or perform ",(0,s.jsx)(n.code,{children:"kubectl exec"})," and ",(0,s.jsx)(n.code,{children:"kubectl logs"}),"."]}),"\n",(0,s.jsxs)(n.li,{children:[(0,s.jsx)(n.code,{children:"agent"})," (default): The apiserver uses agent tunnels to communicate with kubelets.\nThis mode requires that the servers also run the kubelet, CNI, and kube-proxy, or the apiserver will not be able to access service endpoints."]}),"\n",(0,s.jsxs)(n.li,{children:[(0,s.jsx)(n.code,{children:"pod"}),": The apiserver uses agent tunnels to communicate with kubelets and service endpoints, routing endpoint connections to the correct agent by watching Nodes and Endpoints.",(0,s.jsx)(n.br,{}),"\n",(0,s.jsx)(n.strong,{children:"NOTE"}),": This mode will not work when using a CNI that uses its own IPAM and does not respect the node's PodCIDR allocation. ",(0,s.jsx)(n.code,{children:"cluster"})," or ",(0,s.jsx)(n.code,{children:"agent"})," mode should be used with these CNIs instead."]}),"\n",(0,s.jsxs)(n.li,{children:[(0,s.jsx)(n.code,{children:"cluster"}),": The apiserver uses agent tunnels to communicate with kubelets and service endpoints, routing endpoint connections to the correct agent by watching Pods and Endpoints. This mode has the highest portability across different cluster configurations, at the cost of increased overhead."]}),"\n"]}),"\n",(0,s.jsx)(n.h2,{id:"dual-stack-ipv4--ipv6-networking",children:"Dual-stack (IPv4 + IPv6) Networking"}),"\n",(0,s.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,s.jsxs)(n.p,{children:["Experimental support is available as of ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.21.0%2Bk3s1",children:"v1.21.0+k3s1"}),".",(0,s.jsx)(n.br,{}),"\n","Stable support is available as of ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.23.7%2Bk3s1",children:"v1.23.7+k3s1"}),"."]})}),"\n",(0,s.jsxs)(n.admonition,{title:"Known Issue",type:"warning",children:[(0,s.jsxs)(n.p,{children:["Before 1.27, Kubernetes ",(0,s.jsx)(n.a,{href:"https://github.com/kubernetes/kubernetes/issues/111695",children:"Issue #111695"})," causes the Kubelet to ignore the node IPv6 addresses if you have a dual-stack environment and you are not using the primary network interface for cluster traffic. To avoid this bug, use 1.27 or newer or add the following flag to both K3s servers and agents:"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:'--kubelet-arg="node-ip=0.0.0.0" # To proritize IPv4 traffic\n#OR\n--kubelet-arg="node-ip=::" # To proritize IPv6 traffic\n'})})]}),"\n",(0,s.jsx)(n.p,{children:"Dual-stack networking must be configured when the cluster is first created. It cannot be enabled on an existing cluster once it has been started as IPv4-only."}),"\n",(0,s.jsxs)(n.p,{children:["To enable dual-stack in K3s, you must provide valid dual-stack ",(0,s.jsx)(n.code,{children:"cluster-cidr"})," and ",(0,s.jsx)(n.code,{children:"service-cidr"})," on all server nodes. This is an example of a valid configuration:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"--cluster-cidr=10.42.0.0/16,2001:cafe:42::/56 --service-cidr=10.43.0.0/16,2001:cafe:43::/112\n"})}),"\n",(0,s.jsxs)(n.p,{children:["Note that you may configure any valid ",(0,s.jsx)(n.code,{children:"cluster-cidr"})," and ",(0,s.jsx)(n.code,{children:"service-cidr"})," values, but the above masks are recommended. If you change the ",(0,s.jsx)(n.code,{children:"cluster-cidr"})," mask, you should also change the ",(0,s.jsx)(n.code,{children:"node-cidr-mask-size-ipv4"})," and ",(0,s.jsx)(n.code,{children:"node-cidr-mask-size-ipv6"})," values to match the planned pods per node and total node count. The largest supported ",(0,s.jsx)(n.code,{children:"service-cidr"})," mask is /12 for IPv4, and /112 for IPv6. Remember to allow ipv6 traffic if you are deploying in a public cloud."]}),"\n",(0,s.jsx)(n.p,{children:"If you are using a custom CNI plugin, i.e. a CNI plugin other than Flannel, the additional configuration may be required. Please consult your plugin's dual-stack documentation and verify if network policies can be enabled."}),"\n",(0,s.jsx)(n.admonition,{title:"Known Issue",type:"warning",children:(0,s.jsx)(n.p,{children:"When defining cluster-cidr and service-cidr with IPv6 as the primary family, the node-ip of all cluster members should be explicitly set, placing node's desired IPv6 address as the first address. By default, the kubelet always uses IPv4 as the primary address family."})}),"\n",(0,s.jsx)(n.h2,{id:"single-stack-ipv6-networking",children:"Single-stack IPv6 Networking"}),"\n",(0,s.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,s.jsxs)(n.p,{children:["Available as of ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.22.9%2Bk3s1",children:"v1.22.9+k3s1"})]})}),"\n",(0,s.jsx)(n.admonition,{title:"Known Issue",type:"warning",children:(0,s.jsxs)(n.p,{children:["If your IPv6 default route is set by a router advertisement (RA), you will need to set the sysctl ",(0,s.jsx)(n.code,{children:"net.ipv6.conf.all.accept_ra=2"}),"; otherwise, the node will drop the default route once it expires. Be aware that accepting RAs could increase the risk of ",(0,s.jsx)(n.a,{href:"https://github.com/kubernetes/kubernetes/issues/91507",children:"man-in-the-middle attacks"}),"."]})}),"\n",(0,s.jsxs)(n.p,{children:["Single-stack IPv6 clusters (clusters without IPv4) are supported on K3s using the ",(0,s.jsx)(n.code,{children:"--cluster-cidr"})," and ",(0,s.jsx)(n.code,{children:"--service-cidr"})," flags. This is an example of a valid configuration:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"--cluster-cidr=2001:cafe:42::/56 --service-cidr=2001:cafe:43::/112\n"})}),"\n",(0,s.jsx)(n.h2,{id:"nodes-without-a-hostname",children:"Nodes Without a Hostname"}),"\n",(0,s.jsxs)(n.p,{children:['Some cloud providers, such as Linode, will create machines with "localhost" as the hostname and others may not have a hostname set at all. This can cause problems with domain name resolution. You can run K3s with the ',(0,s.jsx)(n.code,{children:"--node-name"})," flag or ",(0,s.jsx)(n.code,{children:"K3S_NODE_NAME"})," environment variable and this will pass the node name to resolve this issue."]})]})}function h(e={}){const{wrapper:n}={...(0,t.a)(),...e.components};return n?(0,s.jsx)(n,{...e,children:(0,s.jsx)(c,{...e})}):c(e)}function u(e,n){throw new Error("Expected "+(n?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,n,i)=>{i.d(n,{Z:()=>a,a:()=>o});var s=i(7294);const t={},r=s.createContext(t);function o(e){const n=s.useContext(r);return s.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function a(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:o(e.components),s.createElement(r.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/zh/assets/js/7.749c7d0b.js b/kr/assets/js/7.750475ca.js similarity index 99% rename from zh/assets/js/7.749c7d0b.js rename to kr/assets/js/7.750475ca.js index 31e3b9cbe..23cf53e10 100644 --- a/zh/assets/js/7.749c7d0b.js +++ b/kr/assets/js/7.750475ca.js @@ -1790,7 +1790,7 @@ function preorder(g, vs) { } // EXTERNAL MODULE: ./node_modules/dagre-d3-es/src/graphlib/graph.js + 9 modules -var graph = __webpack_require__(2544); +var graph = __webpack_require__(4404); ;// CONCATENATED MODULE: ./node_modules/dagre-d3-es/src/graphlib/alg/prim.js @@ -4353,7 +4353,7 @@ function canonicalize(attrs) { /***/ }), -/***/ 2544: +/***/ 4404: /***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => { @@ -5166,7 +5166,7 @@ function edgeObjToId(isDirected, edgeObj) { /* harmony export */ k: () => (/* reexport safe */ _graph_js__WEBPACK_IMPORTED_MODULE_0__.k) /* harmony export */ }); /* unused harmony export version */ -/* harmony import */ var _graph_js__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(2544); +/* harmony import */ var _graph_js__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(4404); // Includes only the "core" of graphlib diff --git a/kr/assets/js/7236.db30f9fd.js b/kr/assets/js/7236.db30f9fd.js new file mode 100644 index 000000000..3d108ac67 --- /dev/null +++ b/kr/assets/js/7236.db30f9fd.js @@ -0,0 +1,2 @@ +/*! For license information please see 7236.db30f9fd.js.LICENSE.txt */ +(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7236],{7967:(t,e)=>{"use strict";e.Nm=e.Rq=void 0;var i=/^([^\w]*)(javascript|data|vbscript)/im,r=/&#(\w+)(^\w|;)?/g,n=/&(newline|tab);/gi,o=/[\u0000-\u001F\u007F-\u009F\u2000-\u200D\uFEFF]/gim,a=/^.+(:|:)/gim,s=[".","/"];e.Rq="about:blank",e.Nm=function(t){if(!t)return e.Rq;var l,c=(l=t,l.replace(o,"").replace(r,(function(t,e){return String.fromCharCode(e)}))).replace(n,"").replace(o,"").trim();if(!c)return e.Rq;if(function(t){return s.indexOf(t[0])>-1}(c))return c;var h=c.match(a);if(!h)return c;var u=h[0];return i.test(u)?e.Rq:c}},9047:(t,e,i)=>{"use strict";i.d(e,{Z:()=>L});var r=i(7294),n=i(5893);function o(t){const{mdxAdmonitionTitle:e,rest:i}=function(t){const e=r.Children.toArray(t),i=e.find((t=>r.isValidElement(t)&&"mdxAdmonitionTitle"===t.type)),o=e.filter((t=>t!==i)),a=i?.props.children;return{mdxAdmonitionTitle:a,rest:o.length>0?(0,n.jsx)(n.Fragment,{children:o}):null}}(t.children),o=t.title??e;return{...t,...o&&{title:o},children:i}}var a=i(512),s=i(5999),l=i(5281);const c={admonition:"admonition_xJq3",admonitionHeading:"admonitionHeading_Gvgb",admonitionIcon:"admonitionIcon_Rf37",admonitionContent:"admonitionContent_BuS1"};function h(t){let{type:e,className:i,children:r}=t;return(0,n.jsx)("div",{className:(0,a.Z)(l.k.common.admonition,l.k.common.admonitionType(e),c.admonition,i),children:r})}function u(t){let{icon:e,title:i}=t;return(0,n.jsxs)("div",{className:c.admonitionHeading,children:[(0,n.jsx)("span",{className:c.admonitionIcon,children:e}),i]})}function d(t){let{children:e}=t;return e?(0,n.jsx)("div",{className:c.admonitionContent,children:e}):null}function f(t){const{type:e,icon:i,title:r,children:o,className:a}=t;return(0,n.jsxs)(h,{type:e,className:a,children:[r||i?(0,n.jsx)(u,{title:r,icon:i}):null,(0,n.jsx)(d,{children:o})]})}function p(t){return(0,n.jsx)("svg",{viewBox:"0 0 14 16",...t,children:(0,n.jsx)("path",{fillRule:"evenodd",d:"M6.3 5.69a.942.942 0 0 1-.28-.7c0-.28.09-.52.28-.7.19-.18.42-.28.7-.28.28 0 .52.09.7.28.18.19.28.42.28.7 0 .28-.09.52-.28.7a1 1 0 0 1-.7.3c-.28 0-.52-.11-.7-.3zM8 7.99c-.02-.25-.11-.48-.31-.69-.2-.19-.42-.3-.69-.31H6c-.27.02-.48.13-.69.31-.2.2-.3.44-.31.69h1v3c.02.27.11.5.31.69.2.2.42.31.69.31h1c.27 0 .48-.11.69-.31.2-.19.3-.42.31-.69H8V7.98v.01zM7 2.3c-3.14 0-5.7 2.54-5.7 5.68 0 3.14 2.56 5.7 5.7 5.7s5.7-2.55 5.7-5.7c0-3.15-2.56-5.69-5.7-5.69v.01zM7 .98c3.86 0 7 3.14 7 7s-3.14 7-7 7-7-3.12-7-7 3.14-7 7-7z"})})}const g={icon:(0,n.jsx)(p,{}),title:(0,n.jsx)(s.Z,{id:"theme.admonition.note",description:"The default label used for the Note admonition (:::note)",children:"note"})};function m(t){return(0,n.jsx)(f,{...g,...t,className:(0,a.Z)("alert alert--secondary",t.className),children:t.children})}function y(t){return(0,n.jsx)("svg",{viewBox:"0 0 12 16",...t,children:(0,n.jsx)("path",{fillRule:"evenodd",d:"M6.5 0C3.48 0 1 2.19 1 5c0 .92.55 2.25 1 3 1.34 2.25 1.78 2.78 2 4v1h5v-1c.22-1.22.66-1.75 2-4 .45-.75 1-2.08 1-3 0-2.81-2.48-5-5.5-5zm3.64 7.48c-.25.44-.47.8-.67 1.11-.86 1.41-1.25 2.06-1.45 3.23-.02.05-.02.11-.02.17H5c0-.06 0-.13-.02-.17-.2-1.17-.59-1.83-1.45-3.23-.2-.31-.42-.67-.67-1.11C2.44 6.78 2 5.65 2 5c0-2.2 2.02-4 4.5-4 1.22 0 2.36.42 3.22 1.19C10.55 2.94 11 3.94 11 5c0 .66-.44 1.78-.86 2.48zM4 14h5c-.23 1.14-1.3 2-2.5 2s-2.27-.86-2.5-2z"})})}const x={icon:(0,n.jsx)(y,{}),title:(0,n.jsx)(s.Z,{id:"theme.admonition.tip",description:"The default label used for the Tip admonition (:::tip)",children:"tip"})};function b(t){return(0,n.jsx)(f,{...x,...t,className:(0,a.Z)("alert alert--success",t.className),children:t.children})}function C(t){return(0,n.jsx)("svg",{viewBox:"0 0 14 16",...t,children:(0,n.jsx)("path",{fillRule:"evenodd",d:"M7 2.3c3.14 0 5.7 2.56 5.7 5.7s-2.56 5.7-5.7 5.7A5.71 5.71 0 0 1 1.3 8c0-3.14 2.56-5.7 5.7-5.7zM7 1C3.14 1 0 4.14 0 8s3.14 7 7 7 7-3.14 7-7-3.14-7-7-7zm1 3H6v5h2V4zm0 6H6v2h2v-2z"})})}const _={icon:(0,n.jsx)(C,{}),title:(0,n.jsx)(s.Z,{id:"theme.admonition.info",description:"The default label used for the Info admonition (:::info)",children:"info"})};function v(t){return(0,n.jsx)(f,{..._,...t,className:(0,a.Z)("alert alert--info",t.className),children:t.children})}function k(t){return(0,n.jsx)("svg",{viewBox:"0 0 16 16",...t,children:(0,n.jsx)("path",{fillRule:"evenodd",d:"M8.893 1.5c-.183-.31-.52-.5-.887-.5s-.703.19-.886.5L.138 13.499a.98.98 0 0 0 0 1.001c.193.31.53.501.886.501h13.964c.367 0 .704-.19.877-.5a1.03 1.03 0 0 0 .01-1.002L8.893 1.5zm.133 11.497H6.987v-2.003h2.039v2.003zm0-3.004H6.987V5.987h2.039v4.006z"})})}const T={icon:(0,n.jsx)(k,{}),title:(0,n.jsx)(s.Z,{id:"theme.admonition.warning",description:"The default label used for the Warning admonition (:::warning)",children:"warning"})};function w(t){return(0,n.jsx)("svg",{viewBox:"0 0 12 16",...t,children:(0,n.jsx)("path",{fillRule:"evenodd",d:"M5.05.31c.81 2.17.41 3.38-.52 4.31C3.55 5.67 1.98 6.45.9 7.98c-1.45 2.05-1.7 6.53 3.53 7.7-2.2-1.16-2.67-4.52-.3-6.61-.61 2.03.53 3.33 1.94 2.86 1.39-.47 2.3.53 2.27 1.67-.02.78-.31 1.44-1.13 1.81 3.42-.59 4.78-3.42 4.78-5.56 0-2.84-2.53-3.22-1.25-5.61-1.52.13-2.03 1.13-1.89 2.75.09 1.08-1.02 1.8-1.86 1.33-.67-.41-.66-1.19-.06-1.78C8.18 5.31 8.68 2.45 5.05.32L5.03.3l.02.01z"})})}const S={icon:(0,n.jsx)(w,{}),title:(0,n.jsx)(s.Z,{id:"theme.admonition.danger",description:"The default label used for the Danger admonition (:::danger)",children:"danger"})};const B={icon:(0,n.jsx)(k,{}),title:(0,n.jsx)(s.Z,{id:"theme.admonition.caution",description:"The default label used for the Caution admonition (:::caution)",children:"caution"})};const F={...{note:m,tip:b,info:v,warning:function(t){return(0,n.jsx)(f,{...T,...t,className:(0,a.Z)("alert alert--warning",t.className),children:t.children})},danger:function(t){return(0,n.jsx)(f,{...S,...t,className:(0,a.Z)("alert alert--danger",t.className),children:t.children})}},...{secondary:t=>(0,n.jsx)(m,{title:"secondary",...t}),important:t=>(0,n.jsx)(v,{title:"important",...t}),success:t=>(0,n.jsx)(b,{title:"success",...t}),caution:function(t){return(0,n.jsx)(f,{...B,...t,className:(0,a.Z)("alert alert--warning",t.className),children:t.children})}}};function L(t){const e=o(t),i=(r=e.type,F[r]||(console.warn(`No admonition component found for admonition type "${r}". Using Info as fallback.`),F.info));var r;return(0,n.jsx)(i,{...e})}},3354:(t,e,i)=>{"use strict";i.r(e),i.d(e,{default:()=>qt});var r=i(7294),n=i(1944),o=i(902),a=i(5893);const s=r.createContext(null);function l(t){let{children:e,content:i}=t;const n=function(t){return(0,r.useMemo)((()=>({metadata:t.metadata,frontMatter:t.frontMatter,assets:t.assets,contentTitle:t.contentTitle,toc:t.toc})),[t])}(i);return(0,a.jsx)(s.Provider,{value:n,children:e})}function c(){const t=(0,r.useContext)(s);if(null===t)throw new o.i6("DocProvider");return t}function h(){const{metadata:t,frontMatter:e,assets:i}=c();return(0,a.jsx)(n.d,{title:t.title,description:t.description,keywords:e.keywords,image:i.image??e.image})}var u=i(512),d=i(7524),f=i(5999),p=i(3692);function g(t){const{permalink:e,title:i,subLabel:r,isNext:n}=t;return(0,a.jsxs)(p.Z,{className:(0,u.Z)("pagination-nav__link",n?"pagination-nav__link--next":"pagination-nav__link--prev"),to:e,children:[r&&(0,a.jsx)("div",{className:"pagination-nav__sublabel",children:r}),(0,a.jsx)("div",{className:"pagination-nav__label",children:i})]})}function m(t){const{previous:e,next:i}=t;return(0,a.jsxs)("nav",{className:"pagination-nav docusaurus-mt-lg","aria-label":(0,f.I)({id:"theme.docs.paginator.navAriaLabel",message:"Docs pages",description:"The ARIA label for the docs pagination"}),children:[e&&(0,a.jsx)(g,{...e,subLabel:(0,a.jsx)(f.Z,{id:"theme.docs.paginator.previous",description:"The label used to navigate to the previous doc",children:"Previous"})}),i&&(0,a.jsx)(g,{...i,subLabel:(0,a.jsx)(f.Z,{id:"theme.docs.paginator.next",description:"The label used to navigate to the next doc",children:"Next"}),isNext:!0})]})}function y(){const{metadata:t}=c();return(0,a.jsx)(m,{previous:t.previous,next:t.next})}var x=i(2263),b=i(143),C=i(5281),_=i(298),v=i(3797);const k={unreleased:function(t){let{siteTitle:e,versionMetadata:i}=t;return(0,a.jsx)(f.Z,{id:"theme.docs.versions.unreleasedVersionLabel",description:"The label used to tell the user that he's browsing an unreleased doc version",values:{siteTitle:e,versionLabel:(0,a.jsx)("b",{children:i.label})},children:"This is unreleased documentation for {siteTitle} {versionLabel} version."})},unmaintained:function(t){let{siteTitle:e,versionMetadata:i}=t;return(0,a.jsx)(f.Z,{id:"theme.docs.versions.unmaintainedVersionLabel",description:"The label used to tell the user that he's browsing an unmaintained doc version",values:{siteTitle:e,versionLabel:(0,a.jsx)("b",{children:i.label})},children:"This is documentation for {siteTitle} {versionLabel}, which is no longer actively maintained."})}};function T(t){const e=k[t.versionMetadata.banner];return(0,a.jsx)(e,{...t})}function w(t){let{versionLabel:e,to:i,onClick:r}=t;return(0,a.jsx)(f.Z,{id:"theme.docs.versions.latestVersionSuggestionLabel",description:"The label used to tell the user to check the latest version",values:{versionLabel:e,latestVersionLink:(0,a.jsx)("b",{children:(0,a.jsx)(p.Z,{to:i,onClick:r,children:(0,a.jsx)(f.Z,{id:"theme.docs.versions.latestVersionLinkLabel",description:"The label used for the latest version suggestion link label",children:"latest version"})})})},children:"For up-to-date documentation, see the {latestVersionLink} ({versionLabel})."})}function S(t){let{className:e,versionMetadata:i}=t;const{siteConfig:{title:r}}=(0,x.Z)(),{pluginId:n}=(0,b.gA)({failfast:!0}),{savePreferredVersionName:o}=(0,_.J)(n),{latestDocSuggestion:s,latestVersionSuggestion:l}=(0,b.Jo)(n),c=s??(h=l).docs.find((t=>t.id===h.mainDocId));var h;return(0,a.jsxs)("div",{className:(0,u.Z)(e,C.k.docs.docVersionBanner,"alert alert--warning margin-bottom--md"),role:"alert",children:[(0,a.jsx)("div",{children:(0,a.jsx)(T,{siteTitle:r,versionMetadata:i})}),(0,a.jsx)("div",{className:"margin-top--md",children:(0,a.jsx)(w,{versionLabel:l.label,to:c.path,onClick:()=>o(l.name)})})]})}function B(t){let{className:e}=t;const i=(0,v.E)();return i.banner?(0,a.jsx)(S,{className:e,versionMetadata:i}):null}function F(t){let{className:e}=t;const i=(0,v.E)();return i.badge?(0,a.jsx)("span",{className:(0,u.Z)(e,C.k.docs.docVersionBadge,"badge badge--secondary"),children:(0,a.jsx)(f.Z,{id:"theme.docs.versionBadge.label",values:{versionLabel:i.label},children:"Version: {versionLabel}"})}):null}const L={tag:"tag_zVej",tagRegular:"tagRegular_sFm0",tagWithCount:"tagWithCount_h2kH"};function A(t){let{permalink:e,label:i,count:r,description:n}=t;return(0,a.jsxs)(p.Z,{href:e,title:n,className:(0,u.Z)(L.tag,r?L.tagWithCount:L.tagRegular),children:[i,r&&(0,a.jsx)("span",{children:r})]})}const M={tags:"tags_jXut",tag:"tag_QGVx"};function E(t){let{tags:e}=t;return(0,a.jsxs)(a.Fragment,{children:[(0,a.jsx)("b",{children:(0,a.jsx)(f.Z,{id:"theme.tags.tagsListLabel",description:"The label alongside a tag list",children:"Tags:"})}),(0,a.jsx)("ul",{className:(0,u.Z)(M.tags,"padding--none","margin-left--sm"),children:e.map((t=>(0,a.jsx)("li",{className:M.tag,children:(0,a.jsx)(A,{...t})},t.permalink)))})]})}const N={iconEdit:"iconEdit_Z9Sw"};function j(t){let{className:e,...i}=t;return(0,a.jsx)("svg",{fill:"currentColor",height:"20",width:"20",viewBox:"0 0 40 40",className:(0,u.Z)(N.iconEdit,e),"aria-hidden":"true",...i,children:(0,a.jsx)("g",{children:(0,a.jsx)("path",{d:"m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"})})})}function Z(t){let{editUrl:e}=t;return(0,a.jsxs)(p.Z,{to:e,className:C.k.common.editThisPage,children:[(0,a.jsx)(j,{}),(0,a.jsx)(f.Z,{id:"theme.common.editThisPage",description:"The link label to edit the current page",children:"Edit this page"})]})}function I(t){void 0===t&&(t={});const{i18n:{currentLocale:e}}=(0,x.Z)(),i=function(){const{i18n:{currentLocale:t,localeConfigs:e}}=(0,x.Z)();return e[t].calendar}();return new Intl.DateTimeFormat(e,{calendar:i,...t})}function O(t){let{lastUpdatedAt:e}=t;const i=new Date(e),r=I({day:"numeric",month:"short",year:"numeric",timeZone:"UTC"}).format(i);return(0,a.jsx)(f.Z,{id:"theme.lastUpdated.atDate",description:"The words used to describe on which date a page has been last updated",values:{date:(0,a.jsx)("b",{children:(0,a.jsx)("time",{dateTime:i.toISOString(),itemProp:"dateModified",children:r})})},children:" on {date}"})}function D(t){let{lastUpdatedBy:e}=t;return(0,a.jsx)(f.Z,{id:"theme.lastUpdated.byUser",description:"The words used to describe by who the page has been last updated",values:{user:(0,a.jsx)("b",{children:e})},children:" by {user}"})}function q(t){let{lastUpdatedAt:e,lastUpdatedBy:i}=t;return(0,a.jsxs)("span",{className:C.k.common.lastUpdated,children:[(0,a.jsx)(f.Z,{id:"theme.lastUpdated.lastUpdatedAtBy",description:"The sentence used to display when a page has been last updated, and by who",values:{atDate:e?(0,a.jsx)(O,{lastUpdatedAt:e}):"",byUser:i?(0,a.jsx)(D,{lastUpdatedBy:i}):""},children:"Last updated{atDate}{byUser}"}),!1]})}const $={lastUpdated:"lastUpdated_JAkA"};function z(t){let{className:e,editUrl:i,lastUpdatedAt:r,lastUpdatedBy:n}=t;return(0,a.jsxs)("div",{className:(0,u.Z)("row",e),children:[(0,a.jsx)("div",{className:"col",children:i&&(0,a.jsx)(Z,{editUrl:i})}),(0,a.jsx)("div",{className:(0,u.Z)("col",$.lastUpdated),children:(r||n)&&(0,a.jsx)(q,{lastUpdatedAt:r,lastUpdatedBy:n})})]})}function P(){const{metadata:t}=c(),{editUrl:e,lastUpdatedAt:i,lastUpdatedBy:r,tags:n}=t,o=n.length>0,s=!!(e||i||r);return o||s?(0,a.jsxs)("footer",{className:(0,u.Z)(C.k.docs.docFooter,"docusaurus-mt-lg"),children:[o&&(0,a.jsx)("div",{className:(0,u.Z)("row margin-top--sm",C.k.docs.docFooterTagsRow),children:(0,a.jsx)("div",{className:"col",children:(0,a.jsx)(E,{tags:n})})}),s&&(0,a.jsx)(z,{className:(0,u.Z)("margin-top--sm",C.k.docs.docFooterEditMetaRow),editUrl:e,lastUpdatedAt:i,lastUpdatedBy:r})]}):null}var R=i(6043),H=i(6668);function W(t){const e=t.map((t=>({...t,parentIndex:-1,children:[]}))),i=Array(7).fill(-1);e.forEach(((t,e)=>{const r=i.slice(2,t.level);t.parentIndex=Math.max(...r),i[t.level]=e}));const r=[];return e.forEach((t=>{const{parentIndex:i,...n}=t;i>=0?e[i].children.push(n):r.push(n)})),r}function U(t){let{toc:e,minHeadingLevel:i,maxHeadingLevel:r}=t;return e.flatMap((t=>{const e=U({toc:t.children,minHeadingLevel:i,maxHeadingLevel:r});return function(t){return t.level>=i&&t.level<=r}(t)?[{...t,children:e}]:e}))}function Y(t){const e=t.getBoundingClientRect();return e.top===e.bottom?Y(t.parentNode):e}function V(t,e){let{anchorTopOffset:i}=e;const r=t.find((t=>Y(t).top>=i));if(r){return function(t){return t.top>0&&t.bottom{t.current=e?0:document.querySelector(".navbar").clientHeight}),[e]),t}function X(t){const e=(0,r.useRef)(void 0),i=G();(0,r.useEffect)((()=>{if(!t)return()=>{};const{linkClassName:r,linkActiveClassName:n,minHeadingLevel:o,maxHeadingLevel:a}=t;function s(){const t=function(t){return Array.from(document.getElementsByClassName(t))}(r),s=function(t){let{minHeadingLevel:e,maxHeadingLevel:i}=t;const r=[];for(let n=e;n<=i;n+=1)r.push(`h${n}.anchor`);return Array.from(document.querySelectorAll(r.join()))}({minHeadingLevel:o,maxHeadingLevel:a}),l=V(s,{anchorTopOffset:i.current}),c=t.find((t=>l&&l.id===function(t){return decodeURIComponent(t.href.substring(t.href.indexOf("#")+1))}(t)));t.forEach((t=>{!function(t,i){i?(e.current&&e.current!==t&&e.current.classList.remove(n),t.classList.add(n),e.current=t):t.classList.remove(n)}(t,t===c)}))}return document.addEventListener("scroll",s),document.addEventListener("resize",s),s(),()=>{document.removeEventListener("scroll",s),document.removeEventListener("resize",s)}}),[t,i])}function J(t){let{toc:e,className:i,linkClassName:r,isChild:n}=t;return e.length?(0,a.jsx)("ul",{className:n?void 0:i,children:e.map((t=>(0,a.jsxs)("li",{children:[(0,a.jsx)(p.Z,{to:`#${t.id}`,className:r??void 0,dangerouslySetInnerHTML:{__html:t.value}}),(0,a.jsx)(J,{isChild:!0,toc:t.children,className:i,linkClassName:r})]},t.id)))}):null}const Q=r.memo(J);function K(t){let{toc:e,className:i="table-of-contents table-of-contents__left-border",linkClassName:n="table-of-contents__link",linkActiveClassName:o,minHeadingLevel:s,maxHeadingLevel:l,...c}=t;const h=(0,H.L)(),u=s??h.tableOfContents.minHeadingLevel,d=l??h.tableOfContents.maxHeadingLevel,f=function(t){let{toc:e,minHeadingLevel:i,maxHeadingLevel:n}=t;return(0,r.useMemo)((()=>U({toc:W(e),minHeadingLevel:i,maxHeadingLevel:n})),[e,i,n])}({toc:e,minHeadingLevel:u,maxHeadingLevel:d});return X((0,r.useMemo)((()=>{if(n&&o)return{linkClassName:n,linkActiveClassName:o,minHeadingLevel:u,maxHeadingLevel:d}}),[n,o,u,d])),(0,a.jsx)(Q,{toc:f,className:i,linkClassName:n,...c})}const tt={tocCollapsibleButton:"tocCollapsibleButton_TO0P",tocCollapsibleButtonExpanded:"tocCollapsibleButtonExpanded_MG3E"};function et(t){let{collapsed:e,...i}=t;return(0,a.jsx)("button",{type:"button",...i,className:(0,u.Z)("clean-btn",tt.tocCollapsibleButton,!e&&tt.tocCollapsibleButtonExpanded,i.className),children:(0,a.jsx)(f.Z,{id:"theme.TOCCollapsible.toggleButtonLabel",description:"The label used by the button on the collapsible TOC component",children:"On this page"})})}const it={tocCollapsible:"tocCollapsible_ETCw",tocCollapsibleContent:"tocCollapsibleContent_vkbj",tocCollapsibleExpanded:"tocCollapsibleExpanded_sAul"};function rt(t){let{toc:e,className:i,minHeadingLevel:r,maxHeadingLevel:n}=t;const{collapsed:o,toggleCollapsed:s}=(0,R.u)({initialState:!0});return(0,a.jsxs)("div",{className:(0,u.Z)(it.tocCollapsible,!o&&it.tocCollapsibleExpanded,i),children:[(0,a.jsx)(et,{collapsed:o,onClick:s}),(0,a.jsx)(R.z,{lazy:!0,className:it.tocCollapsibleContent,collapsed:o,children:(0,a.jsx)(K,{toc:e,minHeadingLevel:r,maxHeadingLevel:n})})]})}const nt={tocMobile:"tocMobile_ITEo"};function ot(){const{toc:t,frontMatter:e}=c();return(0,a.jsx)(rt,{toc:t,minHeadingLevel:e.toc_min_heading_level,maxHeadingLevel:e.toc_max_heading_level,className:(0,u.Z)(C.k.docs.docTocMobile,nt.tocMobile)})}const at={tableOfContents:"tableOfContents_bqdL",docItemContainer:"docItemContainer_F8PC"},st="table-of-contents__link toc-highlight",lt="table-of-contents__link--active";function ct(t){let{className:e,...i}=t;return(0,a.jsx)("div",{className:(0,u.Z)(at.tableOfContents,"thin-scrollbar",e),children:(0,a.jsx)(K,{...i,linkClassName:st,linkActiveClassName:lt})})}function ht(){const{toc:t,frontMatter:e}=c();return(0,a.jsx)(ct,{toc:t,minHeadingLevel:e.toc_min_heading_level,maxHeadingLevel:e.toc_max_heading_level,className:C.k.docs.docTocDesktop})}var ut=i(2503),dt=i(1151),ft=i(1769);function pt(t){let{children:e}=t;return(0,a.jsx)(dt.Z,{components:ft.Z,children:e})}function gt(t){let{children:e}=t;const i=function(){const{metadata:t,frontMatter:e,contentTitle:i}=c();return e.hide_title||void 0!==i?null:t.title}();return(0,a.jsxs)("div",{className:(0,u.Z)(C.k.docs.docMarkdown,"markdown"),children:[i&&(0,a.jsx)("header",{children:(0,a.jsx)(ut.Z,{as:"h1",children:i})}),(0,a.jsx)(pt,{children:e})]})}var mt=i(9690),yt=i(8596),xt=i(4996);function bt(t){return(0,a.jsx)("svg",{viewBox:"0 0 24 24",...t,children:(0,a.jsx)("path",{d:"M10 19v-5h4v5c0 .55.45 1 1 1h3c.55 0 1-.45 1-1v-7h1.7c.46 0 .68-.57.33-.87L12.67 3.6c-.38-.34-.96-.34-1.34 0l-8.36 7.53c-.34.3-.13.87.33.87H5v7c0 .55.45 1 1 1h3c.55 0 1-.45 1-1z",fill:"currentColor"})})}const Ct={breadcrumbHomeIcon:"breadcrumbHomeIcon_YNFT"};function _t(){const t=(0,xt.ZP)("/");return(0,a.jsx)("li",{className:"breadcrumbs__item",children:(0,a.jsx)(p.Z,{"aria-label":(0,f.I)({id:"theme.docs.breadcrumbs.home",message:"Home page",description:"The ARIA label for the home page in the breadcrumbs"}),className:"breadcrumbs__link",href:t,children:(0,a.jsx)(bt,{className:Ct.breadcrumbHomeIcon})})})}const vt={breadcrumbsContainer:"breadcrumbsContainer_Z_bl"};function kt(t){let{children:e,href:i,isLast:r}=t;const n="breadcrumbs__link";return r?(0,a.jsx)("span",{className:n,itemProp:"name",children:e}):i?(0,a.jsx)(p.Z,{className:n,href:i,itemProp:"item",children:(0,a.jsx)("span",{itemProp:"name",children:e})}):(0,a.jsx)("span",{className:n,children:e})}function Tt(t){let{children:e,active:i,index:r,addMicrodata:n}=t;return(0,a.jsxs)("li",{...n&&{itemScope:!0,itemProp:"itemListElement",itemType:"https://schema.org/ListItem"},className:(0,u.Z)("breadcrumbs__item",{"breadcrumbs__item--active":i}),children:[e,(0,a.jsx)("meta",{itemProp:"position",content:String(r+1)})]})}function wt(){const t=(0,mt.s1)(),e=(0,yt.Ns)();return t?(0,a.jsx)("nav",{className:(0,u.Z)(C.k.docs.docBreadcrumbs,vt.breadcrumbsContainer),"aria-label":(0,f.I)({id:"theme.docs.breadcrumbs.navAriaLabel",message:"Breadcrumbs",description:"The ARIA label for the breadcrumbs"}),children:(0,a.jsxs)("ul",{className:"breadcrumbs",itemScope:!0,itemType:"https://schema.org/BreadcrumbList",children:[e&&(0,a.jsx)(_t,{}),t.map(((e,i)=>{const r=i===t.length-1,n="category"===e.type&&e.linkUnlisted?void 0:e.href;return(0,a.jsx)(Tt,{active:r,index:i,addMicrodata:!!n,children:(0,a.jsx)(kt,{href:n,isLast:r,children:e.label})},i)}))]})}):null}var St=i(5742);function Bt(){return(0,a.jsx)(f.Z,{id:"theme.contentVisibility.unlistedBanner.title",description:"The unlisted content banner title",children:"Unlisted page"})}function Ft(){return(0,a.jsx)(f.Z,{id:"theme.contentVisibility.unlistedBanner.message",description:"The unlisted content banner message",children:"This page is unlisted. Search engines will not index it, and only users having a direct link can access it."})}function Lt(){return(0,a.jsx)(St.Z,{children:(0,a.jsx)("meta",{name:"robots",content:"noindex, nofollow"})})}function At(){return(0,a.jsx)(f.Z,{id:"theme.contentVisibility.draftBanner.title",description:"The draft content banner title",children:"Draft page"})}function Mt(){return(0,a.jsx)(f.Z,{id:"theme.contentVisibility.draftBanner.message",description:"The draft content banner message",children:"This page is a draft. It will only be visible in dev and be excluded from the production build."})}var Et=i(9047);function Nt(t){let{className:e}=t;return(0,a.jsx)(Et.Z,{type:"caution",title:(0,a.jsx)(At,{}),className:(0,u.Z)(e,C.k.common.draftBanner),children:(0,a.jsx)(Mt,{})})}function jt(t){let{className:e}=t;return(0,a.jsx)(Et.Z,{type:"caution",title:(0,a.jsx)(Bt,{}),className:(0,u.Z)(e,C.k.common.unlistedBanner),children:(0,a.jsx)(Ft,{})})}function Zt(t){return(0,a.jsxs)(a.Fragment,{children:[(0,a.jsx)(Lt,{}),(0,a.jsx)(jt,{...t})]})}function It(t){let{metadata:e}=t;const{unlisted:i,frontMatter:r}=e;return(0,a.jsxs)(a.Fragment,{children:[(i||r.unlisted)&&(0,a.jsx)(Zt,{}),r.draft&&(0,a.jsx)(Nt,{})]})}const Ot={docItemContainer:"docItemContainer_Djhp",docItemCol:"docItemCol_VOVn"};function Dt(t){let{children:e}=t;const i=function(){const{frontMatter:t,toc:e}=c(),i=(0,d.i)(),r=t.hide_table_of_contents,n=!r&&e.length>0;return{hidden:r,mobile:n?(0,a.jsx)(ot,{}):void 0,desktop:!n||"desktop"!==i&&"ssr"!==i?void 0:(0,a.jsx)(ht,{})}}(),{metadata:r}=c();return(0,a.jsxs)("div",{className:"row",children:[(0,a.jsxs)("div",{className:(0,u.Z)("col",!i.hidden&&Ot.docItemCol),children:[(0,a.jsx)(It,{metadata:r}),(0,a.jsx)(B,{}),(0,a.jsxs)("div",{className:Ot.docItemContainer,children:[(0,a.jsxs)("article",{children:[(0,a.jsx)(wt,{}),(0,a.jsx)(F,{}),i.mobile,(0,a.jsx)(gt,{children:e}),(0,a.jsx)(P,{})]}),(0,a.jsx)(y,{})]})]}),i.desktop&&(0,a.jsx)("div",{className:"col col--3",children:i.desktop})]})}function qt(t){const e=`docs-doc-id-${t.content.metadata.id}`,i=t.content;return(0,a.jsx)(l,{content:t.content,children:(0,a.jsxs)(n.FG,{className:e,children:[(0,a.jsx)(h,{}),(0,a.jsx)(Dt,{children:(0,a.jsx)(i,{})})]})})}},4694:(t,e,i)=>{"use strict";i.d(e,{Z:()=>pt});var r=i(7294),n=i(5742),o=i(2389),a=i(512),s=i(2949),l=i(6668);function c(){const{prism:t}=(0,l.L)(),{colorMode:e}=(0,s.I)(),i=t.theme,r=t.darkTheme||i;return"dark"===e?r:i}var h=i(5281),u=i(7594),d=i.n(u);const f=/title=(?["'])(?.*?)\1/,p=/\{(?<range>[\d,-]+)\}/,g={js:{start:"\\/\\/",end:""},jsBlock:{start:"\\/\\*",end:"\\*\\/"},jsx:{start:"\\{\\s*\\/\\*",end:"\\*\\/\\s*\\}"},bash:{start:"#",end:""},html:{start:"\x3c!--",end:"--\x3e"}},m={...g,lua:{start:"--",end:""},wasm:{start:"\\;\\;",end:""},tex:{start:"%",end:""},vb:{start:"['\u2018\u2019]",end:""},vbnet:{start:"(?:_\\s*)?['\u2018\u2019]",end:""},rem:{start:"[Rr][Ee][Mm]\\b",end:""},f90:{start:"!",end:""},ml:{start:"\\(\\*",end:"\\*\\)"},cobol:{start:"\\*>",end:""}},y=Object.keys(g);function x(t,e){const i=t.map((t=>{const{start:i,end:r}=m[t];return`(?:${i}\\s*(${e.flatMap((t=>[t.line,t.block?.start,t.block?.end].filter(Boolean))).join("|")})\\s*${r})`})).join("|");return new RegExp(`^\\s*(?:${i})\\s*$`)}function b(t,e){let i=t.replace(/\n$/,"");const{language:r,magicComments:n,metastring:o}=e;if(o&&p.test(o)){const t=o.match(p).groups.range;if(0===n.length)throw new Error(`A highlight range has been given in code block's metastring (\`\`\` ${o}), but no magic comment config is available. Docusaurus applies the first magic comment entry's className for metastring ranges.`);const e=n[0].className,r=d()(t).filter((t=>t>0)).map((t=>[t-1,[e]]));return{lineClassNames:Object.fromEntries(r),code:i}}if(void 0===r)return{lineClassNames:{},code:i};const a=function(t,e){switch(t){case"js":case"javascript":case"ts":case"typescript":return x(["js","jsBlock"],e);case"jsx":case"tsx":return x(["js","jsBlock","jsx"],e);case"html":return x(["js","jsBlock","html"],e);case"python":case"py":case"bash":return x(["bash"],e);case"markdown":case"md":return x(["html","jsx","bash"],e);case"tex":case"latex":case"matlab":return x(["tex"],e);case"lua":case"haskell":case"sql":return x(["lua"],e);case"wasm":return x(["wasm"],e);case"vb":case"vba":case"visual-basic":return x(["vb","rem"],e);case"vbnet":return x(["vbnet","rem"],e);case"batch":return x(["rem"],e);case"basic":return x(["rem","f90"],e);case"fsharp":return x(["js","ml"],e);case"ocaml":case"sml":return x(["ml"],e);case"fortran":return x(["f90"],e);case"cobol":return x(["cobol"],e);default:return x(y,e)}}(r,n),s=i.split("\n"),l=Object.fromEntries(n.map((t=>[t.className,{start:0,range:""}]))),c=Object.fromEntries(n.filter((t=>t.line)).map((t=>{let{className:e,line:i}=t;return[i,e]}))),h=Object.fromEntries(n.filter((t=>t.block)).map((t=>{let{className:e,block:i}=t;return[i.start,e]}))),u=Object.fromEntries(n.filter((t=>t.block)).map((t=>{let{className:e,block:i}=t;return[i.end,e]})));for(let d=0;d<s.length;){const t=s[d].match(a);if(!t){d+=1;continue}const e=t.slice(1).find((t=>void 0!==t));c[e]?l[c[e]].range+=`${d},`:h[e]?l[h[e]].start=d:u[e]&&(l[u[e]].range+=`${l[u[e]].start}-${d-1},`),s.splice(d,1)}i=s.join("\n");const f={};return Object.entries(l).forEach((t=>{let[e,{range:i}]=t;d()(i).forEach((t=>{f[t]??=[],f[t].push(e)}))})),{lineClassNames:f,code:i}}const C={codeBlockContainer:"codeBlockContainer_Ckt0"};var _=i(5893);function v(t){let{as:e,...i}=t;const r=function(t){const e={color:"--prism-color",backgroundColor:"--prism-background-color"},i={};return Object.entries(t.plain).forEach((t=>{let[r,n]=t;const o=e[r];o&&"string"==typeof n&&(i[o]=n)})),i}(c());return(0,_.jsx)(e,{...i,style:r,className:(0,a.Z)(i.className,C.codeBlockContainer,h.k.common.codeBlock)})}const k={codeBlockContent:"codeBlockContent_biex",codeBlockTitle:"codeBlockTitle_Ktv7",codeBlock:"codeBlock_bY9V",codeBlockStandalone:"codeBlockStandalone_MEMb",codeBlockLines:"codeBlockLines_e6Vv",codeBlockLinesWithNumbering:"codeBlockLinesWithNumbering_o6Pm",buttonGroup:"buttonGroup__atx"};function T(t){let{children:e,className:i}=t;return(0,_.jsx)(v,{as:"pre",tabIndex:0,className:(0,a.Z)(k.codeBlockStandalone,"thin-scrollbar",i),children:(0,_.jsx)("code",{className:k.codeBlockLines,children:e})})}var w=i(902);const S={attributes:!0,characterData:!0,childList:!0,subtree:!0};function B(t,e){const[i,n]=(0,r.useState)(),o=(0,r.useCallback)((()=>{n(t.current?.closest("[role=tabpanel][hidden]"))}),[t,n]);(0,r.useEffect)((()=>{o()}),[o]),function(t,e,i){void 0===i&&(i=S);const n=(0,w.zX)(e),o=(0,w.Ql)(i);(0,r.useEffect)((()=>{const e=new MutationObserver(n);return t&&e.observe(t,o),()=>e.disconnect()}),[t,n,o])}(i,(t=>{t.forEach((t=>{"attributes"===t.type&&"hidden"===t.attributeName&&(e(),o())}))}),{attributes:!0,characterData:!1,childList:!1,subtree:!1})}var F=i(2573);const L={codeLine:"codeLine_lJS_",codeLineNumber:"codeLineNumber_Tfdd",codeLineContent:"codeLineContent_feaV"};function A(t){let{line:e,classNames:i,showLineNumbers:r,getLineProps:n,getTokenProps:o}=t;1===e.length&&"\n"===e[0].content&&(e[0].content="");const s=n({line:e,className:(0,a.Z)(i,r&&L.codeLine)}),l=e.map(((t,e)=>(0,_.jsx)("span",{...o({token:t})},e)));return(0,_.jsxs)("span",{...s,children:[r?(0,_.jsxs)(_.Fragment,{children:[(0,_.jsx)("span",{className:L.codeLineNumber}),(0,_.jsx)("span",{className:L.codeLineContent,children:l})]}):l,(0,_.jsx)("br",{})]})}var M=i(5999);function E(t){return(0,_.jsx)("svg",{viewBox:"0 0 24 24",...t,children:(0,_.jsx)("path",{fill:"currentColor",d:"M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"})})}function N(t){return(0,_.jsx)("svg",{viewBox:"0 0 24 24",...t,children:(0,_.jsx)("path",{fill:"currentColor",d:"M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"})})}const j={copyButtonCopied:"copyButtonCopied_obH4",copyButtonIcons:"copyButtonIcons_eSgA",copyButtonIcon:"copyButtonIcon_y97N",copyButtonSuccessIcon:"copyButtonSuccessIcon_LjdS"};function Z(t){let{code:e,className:i}=t;const[n,o]=(0,r.useState)(!1),s=(0,r.useRef)(void 0),l=(0,r.useCallback)((()=>{!function(t,e){let{target:i=document.body}=void 0===e?{}:e;if("string"!=typeof t)throw new TypeError(`Expected parameter \`text\` to be a \`string\`, got \`${typeof t}\`.`);const r=document.createElement("textarea"),n=document.activeElement;r.value=t,r.setAttribute("readonly",""),r.style.contain="strict",r.style.position="absolute",r.style.left="-9999px",r.style.fontSize="12pt";const o=document.getSelection(),a=o.rangeCount>0&&o.getRangeAt(0);i.append(r),r.select(),r.selectionStart=0,r.selectionEnd=t.length;let s=!1;try{s=document.execCommand("copy")}catch{}r.remove(),a&&(o.removeAllRanges(),o.addRange(a)),n&&n.focus()}(e),o(!0),s.current=window.setTimeout((()=>{o(!1)}),1e3)}),[e]);return(0,r.useEffect)((()=>()=>window.clearTimeout(s.current)),[]),(0,_.jsx)("button",{type:"button","aria-label":n?(0,M.I)({id:"theme.CodeBlock.copied",message:"Copied",description:"The copied button label on code blocks"}):(0,M.I)({id:"theme.CodeBlock.copyButtonAriaLabel",message:"Copy code to clipboard",description:"The ARIA label for copy code blocks button"}),title:(0,M.I)({id:"theme.CodeBlock.copy",message:"Copy",description:"The copy button label on code blocks"}),className:(0,a.Z)("clean-btn",i,j.copyButton,n&&j.copyButtonCopied),onClick:l,children:(0,_.jsxs)("span",{className:j.copyButtonIcons,"aria-hidden":"true",children:[(0,_.jsx)(E,{className:j.copyButtonIcon}),(0,_.jsx)(N,{className:j.copyButtonSuccessIcon})]})})}function I(t){return(0,_.jsx)("svg",{viewBox:"0 0 24 24",...t,children:(0,_.jsx)("path",{fill:"currentColor",d:"M4 19h6v-2H4v2zM20 5H4v2h16V5zm-3 6H4v2h13.25c1.1 0 2 .9 2 2s-.9 2-2 2H15v-2l-3 3l3 3v-2h2c2.21 0 4-1.79 4-4s-1.79-4-4-4z"})})}const O={wordWrapButtonIcon:"wordWrapButtonIcon_Bwma",wordWrapButtonEnabled:"wordWrapButtonEnabled_EoeP"};function D(t){let{className:e,onClick:i,isEnabled:r}=t;const n=(0,M.I)({id:"theme.CodeBlock.wordWrapToggle",message:"Toggle word wrap",description:"The title attribute for toggle word wrapping button of code block lines"});return(0,_.jsx)("button",{type:"button",onClick:i,className:(0,a.Z)("clean-btn",e,r&&O.wordWrapButtonEnabled),"aria-label":n,title:n,children:(0,_.jsx)(I,{className:O.wordWrapButtonIcon,"aria-hidden":"true"})})}function q(t){let{children:e,className:i="",metastring:n,title:o,showLineNumbers:s,language:h}=t;const{prism:{defaultLanguage:u,magicComments:d}}=(0,l.L)(),p=function(t){return t?.toLowerCase()}(h??function(t){const e=t.split(" ").find((t=>t.startsWith("language-")));return e?.replace(/language-/,"")}(i)??u),g=c(),m=function(){const[t,e]=(0,r.useState)(!1),[i,n]=(0,r.useState)(!1),o=(0,r.useRef)(null),a=(0,r.useCallback)((()=>{const i=o.current.querySelector("code");t?i.removeAttribute("style"):(i.style.whiteSpace="pre-wrap",i.style.overflowWrap="anywhere"),e((t=>!t))}),[o,t]),s=(0,r.useCallback)((()=>{const{scrollWidth:t,clientWidth:e}=o.current,i=t>e||o.current.querySelector("code").hasAttribute("style");n(i)}),[o]);return B(o,s),(0,r.useEffect)((()=>{s()}),[t,s]),(0,r.useEffect)((()=>(window.addEventListener("resize",s,{passive:!0}),()=>{window.removeEventListener("resize",s)})),[s]),{codeBlockRef:o,isEnabled:t,isCodeScrollable:i,toggle:a}}(),y=function(t){return t?.match(f)?.groups.title??""}(n)||o,{lineClassNames:x,code:C}=b(e,{metastring:n,language:p,magicComments:d}),T=s??function(t){return Boolean(t?.includes("showLineNumbers"))}(n);return(0,_.jsxs)(v,{as:"div",className:(0,a.Z)(i,p&&!i.includes(`language-${p}`)&&`language-${p}`),children:[y&&(0,_.jsx)("div",{className:k.codeBlockTitle,children:y}),(0,_.jsxs)("div",{className:k.codeBlockContent,children:[(0,_.jsx)(F.y$,{theme:g,code:C,language:p??"text",children:t=>{let{className:e,style:i,tokens:r,getLineProps:n,getTokenProps:o}=t;return(0,_.jsx)("pre",{tabIndex:0,ref:m.codeBlockRef,className:(0,a.Z)(e,k.codeBlock,"thin-scrollbar"),style:i,children:(0,_.jsx)("code",{className:(0,a.Z)(k.codeBlockLines,T&&k.codeBlockLinesWithNumbering),children:r.map(((t,e)=>(0,_.jsx)(A,{line:t,getLineProps:n,getTokenProps:o,classNames:x[e],showLineNumbers:T},e)))})})}}),(0,_.jsxs)("div",{className:k.buttonGroup,children:[(m.isEnabled||m.isCodeScrollable)&&(0,_.jsx)(D,{className:k.codeButton,onClick:()=>m.toggle(),isEnabled:m.isEnabled}),(0,_.jsx)(Z,{className:k.codeButton,code:C})]})]})]})}function $(t){let{children:e,...i}=t;const n=(0,o.Z)(),a=function(t){return r.Children.toArray(t).some((t=>(0,r.isValidElement)(t)))?t:Array.isArray(t)?t.join(""):t}(e),s="string"==typeof a?q:T;return(0,_.jsx)(s,{...i,children:a},String(n))}function z(t){return(0,_.jsx)("code",{...t})}var P=i(3692);var R=i(8138),H=i(6043);const W={details:"details_lb9f",isBrowser:"isBrowser_bmU9",collapsibleContent:"collapsibleContent_i85q"};function U(t){return!!t&&("SUMMARY"===t.tagName||U(t.parentElement))}function Y(t,e){return!!t&&(t===e||Y(t.parentElement,e))}function V(t){let{summary:e,children:i,...n}=t;(0,R.Z)().collectAnchor(n.id);const s=(0,o.Z)(),l=(0,r.useRef)(null),{collapsed:c,setCollapsed:h}=(0,H.u)({initialState:!n.open}),[u,d]=(0,r.useState)(n.open),f=r.isValidElement(e)?e:(0,_.jsx)("summary",{children:e??"Details"});return(0,_.jsxs)("details",{...n,ref:l,open:u,"data-collapsed":c,className:(0,a.Z)(W.details,s&&W.isBrowser,n.className),onMouseDown:t=>{U(t.target)&&t.detail>1&&t.preventDefault()},onClick:t=>{t.stopPropagation();const e=t.target;U(e)&&Y(e,l.current)&&(t.preventDefault(),c?(h(!1),d(!0)):h(!0))},children:[f,(0,_.jsx)(H.z,{lazy:!1,collapsed:c,disableSSRStyle:!0,onCollapseTransitionEnd:t=>{h(t),d(!t)},children:(0,_.jsx)("div",{className:W.collapsibleContent,children:i})})]})}const G={details:"details_b_Ee"},X="alert alert--info";function J(t){let{...e}=t;return(0,_.jsx)(V,{...e,className:(0,a.Z)(X,G.details,e.className)})}function Q(t){const e=r.Children.toArray(t.children),i=e.find((t=>r.isValidElement(t)&&"summary"===t.type)),n=(0,_.jsx)(_.Fragment,{children:e.filter((t=>t!==i))});return(0,_.jsx)(J,{...t,summary:i,children:n})}var K=i(2503);function tt(t){return(0,_.jsx)(K.Z,{...t})}const et={containsTaskList:"containsTaskList_mC6p"};function it(t){if(void 0!==t)return(0,a.Z)(t,t?.includes("contains-task-list")&&et.containsTaskList)}const rt={img:"img_ev3q"};var nt=i(9047),ot=i(4763),at=i(3087),st=i(5322);const lt="docusaurus-mermaid-container";function ct(){const{colorMode:t}=(0,s.I)(),e=(0,l.L)().mermaid,i=e.theme[t],{options:n}=e;return(0,r.useMemo)((()=>({startOnLoad:!1,...n,theme:i})),[i,n])}function ht(t){let{text:e,config:i}=t;const[n,o]=(0,r.useState)(null),a=(0,r.useRef)(`mermaid-svg-${Math.round(1e7*Math.random())}`).current,s=ct(),l=i??s;return(0,r.useEffect)((()=>{(async function(t){let{id:e,text:i,config:r}=t;st.L.mermaidAPI.initialize(r);try{return await st.L.render(e,i)}catch(n){throw document.querySelector(`#d${e}`)?.remove(),n}})({id:a,text:e,config:l}).then(o).catch((t=>{o((()=>{throw t}))}))}),[a,e,l]),n}const ut={container:"container_lyt7"};function dt(t){let{renderResult:e}=t;const i=(0,r.useRef)(null);return(0,r.useEffect)((()=>{const t=i.current;e.bindFunctions?.(t)}),[e]),(0,_.jsx)("div",{ref:i,className:`${lt} ${ut.container}`,dangerouslySetInnerHTML:{__html:e.svg}})}function ft(t){let{value:e}=t;const i=ht({text:e});return null===i?null:(0,_.jsx)(dt,{renderResult:i})}const pt={Head:n.Z,details:Q,Details:Q,code:function(t){return function(t){return void 0!==t.children&&r.Children.toArray(t.children).every((t=>"string"==typeof t&&!t.includes("\n")))}(t)?(0,_.jsx)(z,{...t}):(0,_.jsx)($,{...t})},a:function(t){return(0,_.jsx)(P.Z,{...t})},pre:function(t){return(0,_.jsx)(_.Fragment,{children:t.children})},ul:function(t){return(0,_.jsx)("ul",{...t,className:it(t.className)})},li:function(t){return(0,R.Z)().collectAnchor(t.id),(0,_.jsx)("li",{...t})},img:function(t){return(0,_.jsx)("img",{decoding:"async",loading:"lazy",...t,className:(e=t.className,(0,a.Z)(e,rt.img))});var e},h1:t=>(0,_.jsx)(tt,{as:"h1",...t}),h2:t=>(0,_.jsx)(tt,{as:"h2",...t}),h3:t=>(0,_.jsx)(tt,{as:"h3",...t}),h4:t=>(0,_.jsx)(tt,{as:"h4",...t}),h5:t=>(0,_.jsx)(tt,{as:"h5",...t}),h6:t=>(0,_.jsx)(tt,{as:"h6",...t}),admonition:nt.Z,mermaid:function(t){return(0,_.jsx)(ot.Z,{fallback:t=>(0,_.jsx)(at.Ac,{...t}),children:(0,_.jsx)(ft,{...t})})}}},5162:(t,e,i)=>{"use strict";i.d(e,{Z:()=>a});i(7294);var r=i(512);const n={tabItem:"tabItem_Ymn6"};var o=i(5893);function a(t){let{children:e,hidden:i,className:a}=t;return(0,o.jsx)("div",{role:"tabpanel",className:(0,r.Z)(n.tabItem,a),hidden:i,children:e})}},4866:(t,e,i)=>{"use strict";i.d(e,{Z:()=>v});var r=i(7294),n=i(512),o=i(2466),a=i(6550),s=i(469),l=i(1980),c=i(7392),h=i(812);function u(t){return r.Children.toArray(t).filter((t=>"\n"!==t)).map((t=>{if(!t||(0,r.isValidElement)(t)&&function(t){const{props:e}=t;return!!e&&"object"==typeof e&&"value"in e}(t))return t;throw new Error(`Docusaurus error: Bad <Tabs> child <${"string"==typeof t.type?t.type:t.type.name}>: all children of the <Tabs> component should be <TabItem>, and every <TabItem> should have a unique "value" prop.`)}))?.filter(Boolean)??[]}function d(t){const{values:e,children:i}=t;return(0,r.useMemo)((()=>{const t=e??function(t){return u(t).map((t=>{let{props:{value:e,label:i,attributes:r,default:n}}=t;return{value:e,label:i,attributes:r,default:n}}))}(i);return function(t){const e=(0,c.lx)(t,((t,e)=>t.value===e.value));if(e.length>0)throw new Error(`Docusaurus error: Duplicate values "${e.map((t=>t.value)).join(", ")}" found in <Tabs>. Every value needs to be unique.`)}(t),t}),[e,i])}function f(t){let{value:e,tabValues:i}=t;return i.some((t=>t.value===e))}function p(t){let{queryString:e=!1,groupId:i}=t;const n=(0,a.k6)(),o=function(t){let{queryString:e=!1,groupId:i}=t;if("string"==typeof e)return e;if(!1===e)return null;if(!0===e&&!i)throw new Error('Docusaurus error: The <Tabs> component groupId prop is required if queryString=true, because this value is used as the search param name. You can also provide an explicit value such as queryString="my-search-param".');return i??null}({queryString:e,groupId:i});return[(0,l._X)(o),(0,r.useCallback)((t=>{if(!o)return;const e=new URLSearchParams(n.location.search);e.set(o,t),n.replace({...n.location,search:e.toString()})}),[o,n])]}function g(t){const{defaultValue:e,queryString:i=!1,groupId:n}=t,o=d(t),[a,l]=(0,r.useState)((()=>function(t){let{defaultValue:e,tabValues:i}=t;if(0===i.length)throw new Error("Docusaurus error: the <Tabs> component requires at least one <TabItem> children component");if(e){if(!f({value:e,tabValues:i}))throw new Error(`Docusaurus error: The <Tabs> has a defaultValue "${e}" but none of its children has the corresponding value. Available values are: ${i.map((t=>t.value)).join(", ")}. If you intend to show no default tab, use defaultValue={null} instead.`);return e}const r=i.find((t=>t.default))??i[0];if(!r)throw new Error("Unexpected error: 0 tabValues");return r.value}({defaultValue:e,tabValues:o}))),[c,u]=p({queryString:i,groupId:n}),[g,m]=function(t){let{groupId:e}=t;const i=function(t){return t?`docusaurus.tab.${t}`:null}(e),[n,o]=(0,h.Nk)(i);return[n,(0,r.useCallback)((t=>{i&&o.set(t)}),[i,o])]}({groupId:n}),y=(()=>{const t=c??g;return f({value:t,tabValues:o})?t:null})();(0,s.Z)((()=>{y&&l(y)}),[y]);return{selectedValue:a,selectValue:(0,r.useCallback)((t=>{if(!f({value:t,tabValues:o}))throw new Error(`Can't select invalid tab value=${t}`);l(t),u(t),m(t)}),[u,m,o]),tabValues:o}}var m=i(2389);const y={tabList:"tabList__CuJ",tabItem:"tabItem_LNqP"};var x=i(5893);function b(t){let{className:e,block:i,selectedValue:r,selectValue:a,tabValues:s}=t;const l=[],{blockElementScrollPositionUntilNextRender:c}=(0,o.o5)(),h=t=>{const e=t.currentTarget,i=l.indexOf(e),n=s[i].value;n!==r&&(c(e),a(n))},u=t=>{let e=null;switch(t.key){case"Enter":h(t);break;case"ArrowRight":{const i=l.indexOf(t.currentTarget)+1;e=l[i]??l[0];break}case"ArrowLeft":{const i=l.indexOf(t.currentTarget)-1;e=l[i]??l[l.length-1];break}}e?.focus()};return(0,x.jsx)("ul",{role:"tablist","aria-orientation":"horizontal",className:(0,n.Z)("tabs",{"tabs--block":i},e),children:s.map((t=>{let{value:e,label:i,attributes:o}=t;return(0,x.jsx)("li",{role:"tab",tabIndex:r===e?0:-1,"aria-selected":r===e,ref:t=>l.push(t),onKeyDown:u,onClick:h,...o,className:(0,n.Z)("tabs__item",y.tabItem,o?.className,{"tabs__item--active":r===e}),children:i??e},e)}))})}function C(t){let{lazy:e,children:i,selectedValue:o}=t;const a=(Array.isArray(i)?i:[i]).filter(Boolean);if(e){const t=a.find((t=>t.props.value===o));return t?(0,r.cloneElement)(t,{className:(0,n.Z)("margin-top--md",t.props.className)}):null}return(0,x.jsx)("div",{className:"margin-top--md",children:a.map(((t,e)=>(0,r.cloneElement)(t,{key:e,hidden:t.props.value!==o})))})}function _(t){const e=g(t);return(0,x.jsxs)("div",{className:(0,n.Z)("tabs-container",y.tabList),children:[(0,x.jsx)(b,{...e,...t}),(0,x.jsx)(C,{...e,...t})]})}function v(t){const e=(0,m.Z)();return(0,x.jsx)(_,{...t,children:u(t.children)},String(e))}},7484:function(t){t.exports=function(){"use strict";var t=1e3,e=6e4,i=36e5,r="millisecond",n="second",o="minute",a="hour",s="day",l="week",c="month",h="quarter",u="year",d="date",f="Invalid Date",p=/^(\d{4})[-/]?(\d{1,2})?[-/]?(\d{0,2})[Tt\s]*(\d{1,2})?:?(\d{1,2})?:?(\d{1,2})?[.:]?(\d+)?$/,g=/\[([^\]]+)]|Y{1,4}|M{1,4}|D{1,2}|d{1,4}|H{1,2}|h{1,2}|a|A|m{1,2}|s{1,2}|Z{1,2}|SSS/g,m={name:"en",weekdays:"Sunday_Monday_Tuesday_Wednesday_Thursday_Friday_Saturday".split("_"),months:"January_February_March_April_May_June_July_August_September_October_November_December".split("_"),ordinal:function(t){var e=["th","st","nd","rd"],i=t%100;return"["+t+(e[(i-20)%10]||e[i]||e[0])+"]"}},y=function(t,e,i){var r=String(t);return!r||r.length>=e?t:""+Array(e+1-r.length).join(i)+t},x={s:y,z:function(t){var e=-t.utcOffset(),i=Math.abs(e),r=Math.floor(i/60),n=i%60;return(e<=0?"+":"-")+y(r,2,"0")+":"+y(n,2,"0")},m:function t(e,i){if(e.date()<i.date())return-t(i,e);var r=12*(i.year()-e.year())+(i.month()-e.month()),n=e.clone().add(r,c),o=i-n<0,a=e.clone().add(r+(o?-1:1),c);return+(-(r+(i-n)/(o?n-a:a-n))||0)},a:function(t){return t<0?Math.ceil(t)||0:Math.floor(t)},p:function(t){return{M:c,y:u,w:l,d:s,D:d,h:a,m:o,s:n,ms:r,Q:h}[t]||String(t||"").toLowerCase().replace(/s$/,"")},u:function(t){return void 0===t}},b="en",C={};C[b]=m;var _="$isDayjsObject",v=function(t){return t instanceof S||!(!t||!t[_])},k=function t(e,i,r){var n;if(!e)return b;if("string"==typeof e){var o=e.toLowerCase();C[o]&&(n=o),i&&(C[o]=i,n=o);var a=e.split("-");if(!n&&a.length>1)return t(a[0])}else{var s=e.name;C[s]=e,n=s}return!r&&n&&(b=n),n||!r&&b},T=function(t,e){if(v(t))return t.clone();var i="object"==typeof e?e:{};return i.date=t,i.args=arguments,new S(i)},w=x;w.l=k,w.i=v,w.w=function(t,e){return T(t,{locale:e.$L,utc:e.$u,x:e.$x,$offset:e.$offset})};var S=function(){function m(t){this.$L=k(t.locale,null,!0),this.parse(t),this.$x=this.$x||t.x||{},this[_]=!0}var y=m.prototype;return y.parse=function(t){this.$d=function(t){var e=t.date,i=t.utc;if(null===e)return new Date(NaN);if(w.u(e))return new Date;if(e instanceof Date)return new Date(e);if("string"==typeof e&&!/Z$/i.test(e)){var r=e.match(p);if(r){var n=r[2]-1||0,o=(r[7]||"0").substring(0,3);return i?new Date(Date.UTC(r[1],n,r[3]||1,r[4]||0,r[5]||0,r[6]||0,o)):new Date(r[1],n,r[3]||1,r[4]||0,r[5]||0,r[6]||0,o)}}return new Date(e)}(t),this.init()},y.init=function(){var t=this.$d;this.$y=t.getFullYear(),this.$M=t.getMonth(),this.$D=t.getDate(),this.$W=t.getDay(),this.$H=t.getHours(),this.$m=t.getMinutes(),this.$s=t.getSeconds(),this.$ms=t.getMilliseconds()},y.$utils=function(){return w},y.isValid=function(){return!(this.$d.toString()===f)},y.isSame=function(t,e){var i=T(t);return this.startOf(e)<=i&&i<=this.endOf(e)},y.isAfter=function(t,e){return T(t)<this.startOf(e)},y.isBefore=function(t,e){return this.endOf(e)<T(t)},y.$g=function(t,e,i){return w.u(t)?this[e]:this.set(i,t)},y.unix=function(){return Math.floor(this.valueOf()/1e3)},y.valueOf=function(){return this.$d.getTime()},y.startOf=function(t,e){var i=this,r=!!w.u(e)||e,h=w.p(t),f=function(t,e){var n=w.w(i.$u?Date.UTC(i.$y,e,t):new Date(i.$y,e,t),i);return r?n:n.endOf(s)},p=function(t,e){return w.w(i.toDate()[t].apply(i.toDate("s"),(r?[0,0,0,0]:[23,59,59,999]).slice(e)),i)},g=this.$W,m=this.$M,y=this.$D,x="set"+(this.$u?"UTC":"");switch(h){case u:return r?f(1,0):f(31,11);case c:return r?f(1,m):f(0,m+1);case l:var b=this.$locale().weekStart||0,C=(g<b?g+7:g)-b;return f(r?y-C:y+(6-C),m);case s:case d:return p(x+"Hours",0);case a:return p(x+"Minutes",1);case o:return p(x+"Seconds",2);case n:return p(x+"Milliseconds",3);default:return this.clone()}},y.endOf=function(t){return this.startOf(t,!1)},y.$set=function(t,e){var i,l=w.p(t),h="set"+(this.$u?"UTC":""),f=(i={},i[s]=h+"Date",i[d]=h+"Date",i[c]=h+"Month",i[u]=h+"FullYear",i[a]=h+"Hours",i[o]=h+"Minutes",i[n]=h+"Seconds",i[r]=h+"Milliseconds",i)[l],p=l===s?this.$D+(e-this.$W):e;if(l===c||l===u){var g=this.clone().set(d,1);g.$d[f](p),g.init(),this.$d=g.set(d,Math.min(this.$D,g.daysInMonth())).$d}else f&&this.$d[f](p);return this.init(),this},y.set=function(t,e){return this.clone().$set(t,e)},y.get=function(t){return this[w.p(t)]()},y.add=function(r,h){var d,f=this;r=Number(r);var p=w.p(h),g=function(t){var e=T(f);return w.w(e.date(e.date()+Math.round(t*r)),f)};if(p===c)return this.set(c,this.$M+r);if(p===u)return this.set(u,this.$y+r);if(p===s)return g(1);if(p===l)return g(7);var m=(d={},d[o]=e,d[a]=i,d[n]=t,d)[p]||1,y=this.$d.getTime()+r*m;return w.w(y,this)},y.subtract=function(t,e){return this.add(-1*t,e)},y.format=function(t){var e=this,i=this.$locale();if(!this.isValid())return i.invalidDate||f;var r=t||"YYYY-MM-DDTHH:mm:ssZ",n=w.z(this),o=this.$H,a=this.$m,s=this.$M,l=i.weekdays,c=i.months,h=i.meridiem,u=function(t,i,n,o){return t&&(t[i]||t(e,r))||n[i].slice(0,o)},d=function(t){return w.s(o%12||12,t,"0")},p=h||function(t,e,i){var r=t<12?"AM":"PM";return i?r.toLowerCase():r};return r.replace(g,(function(t,r){return r||function(t){switch(t){case"YY":return String(e.$y).slice(-2);case"YYYY":return w.s(e.$y,4,"0");case"M":return s+1;case"MM":return w.s(s+1,2,"0");case"MMM":return u(i.monthsShort,s,c,3);case"MMMM":return u(c,s);case"D":return e.$D;case"DD":return w.s(e.$D,2,"0");case"d":return String(e.$W);case"dd":return u(i.weekdaysMin,e.$W,l,2);case"ddd":return u(i.weekdaysShort,e.$W,l,3);case"dddd":return l[e.$W];case"H":return String(o);case"HH":return w.s(o,2,"0");case"h":return d(1);case"hh":return d(2);case"a":return p(o,a,!0);case"A":return p(o,a,!1);case"m":return String(a);case"mm":return w.s(a,2,"0");case"s":return String(e.$s);case"ss":return w.s(e.$s,2,"0");case"SSS":return w.s(e.$ms,3,"0");case"Z":return n}return null}(t)||n.replace(":","")}))},y.utcOffset=function(){return 15*-Math.round(this.$d.getTimezoneOffset()/15)},y.diff=function(r,d,f){var p,g=this,m=w.p(d),y=T(r),x=(y.utcOffset()-this.utcOffset())*e,b=this-y,C=function(){return w.m(g,y)};switch(m){case u:p=C()/12;break;case c:p=C();break;case h:p=C()/3;break;case l:p=(b-x)/6048e5;break;case s:p=(b-x)/864e5;break;case a:p=b/i;break;case o:p=b/e;break;case n:p=b/t;break;default:p=b}return f?p:w.a(p)},y.daysInMonth=function(){return this.endOf(c).$D},y.$locale=function(){return C[this.$L]},y.locale=function(t,e){if(!t)return this.$L;var i=this.clone(),r=k(t,e,!0);return r&&(i.$L=r),i},y.clone=function(){return w.w(this.$d,this)},y.toDate=function(){return new Date(this.valueOf())},y.toJSON=function(){return this.isValid()?this.toISOString():null},y.toISOString=function(){return this.$d.toISOString()},y.toString=function(){return this.$d.toUTCString()},m}(),B=S.prototype;return T.prototype=B,[["$ms",r],["$s",n],["$m",o],["$H",a],["$W",s],["$M",c],["$y",u],["$D",d]].forEach((function(t){B[t[1]]=function(e){return this.$g(e,t[0],t[1])}})),T.extend=function(t,e){return t.$i||(t(e,S,T),t.$i=!0),T},T.locale=k,T.isDayjs=v,T.unix=function(t){return T(1e3*t)},T.en=C[b],T.Ls=C,T.p={},T}()},7856:function(t){t.exports=function(){"use strict";const{entries:t,setPrototypeOf:e,isFrozen:i,getPrototypeOf:r,getOwnPropertyDescriptor:n}=Object;let{freeze:o,seal:a,create:s}=Object,{apply:l,construct:c}="undefined"!=typeof Reflect&&Reflect;o||(o=function(t){return t}),a||(a=function(t){return t}),l||(l=function(t,e,i){return t.apply(e,i)}),c||(c=function(t,e){return new t(...e)});const h=_(Array.prototype.forEach),u=_(Array.prototype.pop),d=_(Array.prototype.push),f=_(String.prototype.toLowerCase),p=_(String.prototype.toString),g=_(String.prototype.match),m=_(String.prototype.replace),y=_(String.prototype.indexOf),x=_(String.prototype.trim),b=_(RegExp.prototype.test),C=v(TypeError);function _(t){return function(e){for(var i=arguments.length,r=new Array(i>1?i-1:0),n=1;n<i;n++)r[n-1]=arguments[n];return l(t,e,r)}}function v(t){return function(){for(var e=arguments.length,i=new Array(e),r=0;r<e;r++)i[r]=arguments[r];return c(t,i)}}function k(t,r){let n=arguments.length>2&&void 0!==arguments[2]?arguments[2]:f;e&&e(t,null);let o=r.length;for(;o--;){let e=r[o];if("string"==typeof e){const t=n(e);t!==e&&(i(r)||(r[o]=t),e=t)}t[e]=!0}return t}function T(e){const i=s(null);for(const[r,o]of t(e))void 0!==n(e,r)&&(i[r]=o);return i}function w(t,e){for(;null!==t;){const i=n(t,e);if(i){if(i.get)return _(i.get);if("function"==typeof i.value)return _(i.value)}t=r(t)}function i(t){return console.warn("fallback value for",t),null}return i}const S=o(["a","abbr","acronym","address","area","article","aside","audio","b","bdi","bdo","big","blink","blockquote","body","br","button","canvas","caption","center","cite","code","col","colgroup","content","data","datalist","dd","decorator","del","details","dfn","dialog","dir","div","dl","dt","element","em","fieldset","figcaption","figure","font","footer","form","h1","h2","h3","h4","h5","h6","head","header","hgroup","hr","html","i","img","input","ins","kbd","label","legend","li","main","map","mark","marquee","menu","menuitem","meter","nav","nobr","ol","optgroup","option","output","p","picture","pre","progress","q","rp","rt","ruby","s","samp","section","select","shadow","small","source","spacer","span","strike","strong","style","sub","summary","sup","table","tbody","td","template","textarea","tfoot","th","thead","time","tr","track","tt","u","ul","var","video","wbr"]),B=o(["svg","a","altglyph","altglyphdef","altglyphitem","animatecolor","animatemotion","animatetransform","circle","clippath","defs","desc","ellipse","filter","font","g","glyph","glyphref","hkern","image","line","lineargradient","marker","mask","metadata","mpath","path","pattern","polygon","polyline","radialgradient","rect","stop","style","switch","symbol","text","textpath","title","tref","tspan","view","vkern"]),F=o(["feBlend","feColorMatrix","feComponentTransfer","feComposite","feConvolveMatrix","feDiffuseLighting","feDisplacementMap","feDistantLight","feDropShadow","feFlood","feFuncA","feFuncB","feFuncG","feFuncR","feGaussianBlur","feImage","feMerge","feMergeNode","feMorphology","feOffset","fePointLight","feSpecularLighting","feSpotLight","feTile","feTurbulence"]),L=o(["animate","color-profile","cursor","discard","font-face","font-face-format","font-face-name","font-face-src","font-face-uri","foreignobject","hatch","hatchpath","mesh","meshgradient","meshpatch","meshrow","missing-glyph","script","set","solidcolor","unknown","use"]),A=o(["math","menclose","merror","mfenced","mfrac","mglyph","mi","mlabeledtr","mmultiscripts","mn","mo","mover","mpadded","mphantom","mroot","mrow","ms","mspace","msqrt","mstyle","msub","msup","msubsup","mtable","mtd","mtext","mtr","munder","munderover","mprescripts"]),M=o(["maction","maligngroup","malignmark","mlongdiv","mscarries","mscarry","msgroup","mstack","msline","msrow","semantics","annotation","annotation-xml","mprescripts","none"]),E=o(["#text"]),N=o(["accept","action","align","alt","autocapitalize","autocomplete","autopictureinpicture","autoplay","background","bgcolor","border","capture","cellpadding","cellspacing","checked","cite","class","clear","color","cols","colspan","controls","controlslist","coords","crossorigin","datetime","decoding","default","dir","disabled","disablepictureinpicture","disableremoteplayback","download","draggable","enctype","enterkeyhint","face","for","headers","height","hidden","high","href","hreflang","id","inputmode","integrity","ismap","kind","label","lang","list","loading","loop","low","max","maxlength","media","method","min","minlength","multiple","muted","name","nonce","noshade","novalidate","nowrap","open","optimum","pattern","placeholder","playsinline","poster","preload","pubdate","radiogroup","readonly","rel","required","rev","reversed","role","rows","rowspan","spellcheck","scope","selected","shape","size","sizes","span","srclang","start","src","srcset","step","style","summary","tabindex","title","translate","type","usemap","valign","value","width","xmlns","slot"]),j=o(["accent-height","accumulate","additive","alignment-baseline","ascent","attributename","attributetype","azimuth","basefrequency","baseline-shift","begin","bias","by","class","clip","clippathunits","clip-path","clip-rule","color","color-interpolation","color-interpolation-filters","color-profile","color-rendering","cx","cy","d","dx","dy","diffuseconstant","direction","display","divisor","dur","edgemode","elevation","end","fill","fill-opacity","fill-rule","filter","filterunits","flood-color","flood-opacity","font-family","font-size","font-size-adjust","font-stretch","font-style","font-variant","font-weight","fx","fy","g1","g2","glyph-name","glyphref","gradientunits","gradienttransform","height","href","id","image-rendering","in","in2","k","k1","k2","k3","k4","kerning","keypoints","keysplines","keytimes","lang","lengthadjust","letter-spacing","kernelmatrix","kernelunitlength","lighting-color","local","marker-end","marker-mid","marker-start","markerheight","markerunits","markerwidth","maskcontentunits","maskunits","max","mask","media","method","mode","min","name","numoctaves","offset","operator","opacity","order","orient","orientation","origin","overflow","paint-order","path","pathlength","patterncontentunits","patterntransform","patternunits","points","preservealpha","preserveaspectratio","primitiveunits","r","rx","ry","radius","refx","refy","repeatcount","repeatdur","restart","result","rotate","scale","seed","shape-rendering","specularconstant","specularexponent","spreadmethod","startoffset","stddeviation","stitchtiles","stop-color","stop-opacity","stroke-dasharray","stroke-dashoffset","stroke-linecap","stroke-linejoin","stroke-miterlimit","stroke-opacity","stroke","stroke-width","style","surfacescale","systemlanguage","tabindex","targetx","targety","transform","transform-origin","text-anchor","text-decoration","text-rendering","textlength","type","u1","u2","unicode","values","viewbox","visibility","version","vert-adv-y","vert-origin-x","vert-origin-y","width","word-spacing","wrap","writing-mode","xchannelselector","ychannelselector","x","x1","x2","xmlns","y","y1","y2","z","zoomandpan"]),Z=o(["accent","accentunder","align","bevelled","close","columnsalign","columnlines","columnspan","denomalign","depth","dir","display","displaystyle","encoding","fence","frame","height","href","id","largeop","length","linethickness","lspace","lquote","mathbackground","mathcolor","mathsize","mathvariant","maxsize","minsize","movablelimits","notation","numalign","open","rowalign","rowlines","rowspacing","rowspan","rspace","rquote","scriptlevel","scriptminsize","scriptsizemultiplier","selection","separator","separators","stretchy","subscriptshift","supscriptshift","symmetric","voffset","width","xmlns"]),I=o(["xlink:href","xml:id","xlink:title","xml:space","xmlns:xlink"]),O=a(/\{\{[\w\W]*|[\w\W]*\}\}/gm),D=a(/<%[\w\W]*|[\w\W]*%>/gm),q=a(/\${[\w\W]*}/gm),$=a(/^data-[\-\w.\u00B7-\uFFFF]/),z=a(/^aria-[\-\w]+$/),P=a(/^(?:(?:(?:f|ht)tps?|mailto|tel|callto|sms|cid|xmpp):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i),R=a(/^(?:\w+script|data):/i),H=a(/[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205F\u3000]/g),W=a(/^html$/i);var U=Object.freeze({__proto__:null,MUSTACHE_EXPR:O,ERB_EXPR:D,TMPLIT_EXPR:q,DATA_ATTR:$,ARIA_ATTR:z,IS_ALLOWED_URI:P,IS_SCRIPT_OR_DATA:R,ATTR_WHITESPACE:H,DOCTYPE_NAME:W});const Y=function(){return"undefined"==typeof window?null:window},V=function(t,e){if("object"!=typeof t||"function"!=typeof t.createPolicy)return null;let i=null;const r="data-tt-policy-suffix";e&&e.hasAttribute(r)&&(i=e.getAttribute(r));const n="dompurify"+(i?"#"+i:"");try{return t.createPolicy(n,{createHTML:t=>t,createScriptURL:t=>t})}catch(o){return console.warn("TrustedTypes policy "+n+" could not be created."),null}};function G(){let e=arguments.length>0&&void 0!==arguments[0]?arguments[0]:Y();const i=t=>G(t);if(i.version="3.0.6",i.removed=[],!e||!e.document||9!==e.document.nodeType)return i.isSupported=!1,i;let{document:r}=e;const n=r,a=n.currentScript,{DocumentFragment:l,HTMLTemplateElement:c,Node:_,Element:v,NodeFilter:O,NamedNodeMap:D=e.NamedNodeMap||e.MozNamedAttrMap,HTMLFormElement:q,DOMParser:$,trustedTypes:z}=e,R=v.prototype,H=w(R,"cloneNode"),X=w(R,"nextSibling"),J=w(R,"childNodes"),Q=w(R,"parentNode");if("function"==typeof c){const t=r.createElement("template");t.content&&t.content.ownerDocument&&(r=t.content.ownerDocument)}let K,tt="";const{implementation:et,createNodeIterator:it,createDocumentFragment:rt,getElementsByTagName:nt}=r,{importNode:ot}=n;let at={};i.isSupported="function"==typeof t&&"function"==typeof Q&&et&&void 0!==et.createHTMLDocument;const{MUSTACHE_EXPR:st,ERB_EXPR:lt,TMPLIT_EXPR:ct,DATA_ATTR:ht,ARIA_ATTR:ut,IS_SCRIPT_OR_DATA:dt,ATTR_WHITESPACE:ft}=U;let{IS_ALLOWED_URI:pt}=U,gt=null;const mt=k({},[...S,...B,...F,...A,...E]);let yt=null;const xt=k({},[...N,...j,...Z,...I]);let bt=Object.seal(s(null,{tagNameCheck:{writable:!0,configurable:!1,enumerable:!0,value:null},attributeNameCheck:{writable:!0,configurable:!1,enumerable:!0,value:null},allowCustomizedBuiltInElements:{writable:!0,configurable:!1,enumerable:!0,value:!1}})),Ct=null,_t=null,vt=!0,kt=!0,Tt=!1,wt=!0,St=!1,Bt=!1,Ft=!1,Lt=!1,At=!1,Mt=!1,Et=!1,Nt=!0,jt=!1;const Zt="user-content-";let It=!0,Ot=!1,Dt={},qt=null;const $t=k({},["annotation-xml","audio","colgroup","desc","foreignobject","head","iframe","math","mi","mn","mo","ms","mtext","noembed","noframes","noscript","plaintext","script","style","svg","template","thead","title","video","xmp"]);let zt=null;const Pt=k({},["audio","video","img","source","image","track"]);let Rt=null;const Ht=k({},["alt","class","for","id","label","name","pattern","placeholder","role","summary","title","value","style","xmlns"]),Wt="http://www.w3.org/1998/Math/MathML",Ut="http://www.w3.org/2000/svg",Yt="http://www.w3.org/1999/xhtml";let Vt=Yt,Gt=!1,Xt=null;const Jt=k({},[Wt,Ut,Yt],p);let Qt=null;const Kt=["application/xhtml+xml","text/html"],te="text/html";let ee=null,ie=null;const re=r.createElement("form"),ne=function(t){return t instanceof RegExp||t instanceof Function},oe=function(){let t=arguments.length>0&&void 0!==arguments[0]?arguments[0]:{};if(!ie||ie!==t){if(t&&"object"==typeof t||(t={}),t=T(t),Qt=Qt=-1===Kt.indexOf(t.PARSER_MEDIA_TYPE)?te:t.PARSER_MEDIA_TYPE,ee="application/xhtml+xml"===Qt?p:f,gt="ALLOWED_TAGS"in t?k({},t.ALLOWED_TAGS,ee):mt,yt="ALLOWED_ATTR"in t?k({},t.ALLOWED_ATTR,ee):xt,Xt="ALLOWED_NAMESPACES"in t?k({},t.ALLOWED_NAMESPACES,p):Jt,Rt="ADD_URI_SAFE_ATTR"in t?k(T(Ht),t.ADD_URI_SAFE_ATTR,ee):Ht,zt="ADD_DATA_URI_TAGS"in t?k(T(Pt),t.ADD_DATA_URI_TAGS,ee):Pt,qt="FORBID_CONTENTS"in t?k({},t.FORBID_CONTENTS,ee):$t,Ct="FORBID_TAGS"in t?k({},t.FORBID_TAGS,ee):{},_t="FORBID_ATTR"in t?k({},t.FORBID_ATTR,ee):{},Dt="USE_PROFILES"in t&&t.USE_PROFILES,vt=!1!==t.ALLOW_ARIA_ATTR,kt=!1!==t.ALLOW_DATA_ATTR,Tt=t.ALLOW_UNKNOWN_PROTOCOLS||!1,wt=!1!==t.ALLOW_SELF_CLOSE_IN_ATTR,St=t.SAFE_FOR_TEMPLATES||!1,Bt=t.WHOLE_DOCUMENT||!1,At=t.RETURN_DOM||!1,Mt=t.RETURN_DOM_FRAGMENT||!1,Et=t.RETURN_TRUSTED_TYPE||!1,Lt=t.FORCE_BODY||!1,Nt=!1!==t.SANITIZE_DOM,jt=t.SANITIZE_NAMED_PROPS||!1,It=!1!==t.KEEP_CONTENT,Ot=t.IN_PLACE||!1,pt=t.ALLOWED_URI_REGEXP||P,Vt=t.NAMESPACE||Yt,bt=t.CUSTOM_ELEMENT_HANDLING||{},t.CUSTOM_ELEMENT_HANDLING&&ne(t.CUSTOM_ELEMENT_HANDLING.tagNameCheck)&&(bt.tagNameCheck=t.CUSTOM_ELEMENT_HANDLING.tagNameCheck),t.CUSTOM_ELEMENT_HANDLING&&ne(t.CUSTOM_ELEMENT_HANDLING.attributeNameCheck)&&(bt.attributeNameCheck=t.CUSTOM_ELEMENT_HANDLING.attributeNameCheck),t.CUSTOM_ELEMENT_HANDLING&&"boolean"==typeof t.CUSTOM_ELEMENT_HANDLING.allowCustomizedBuiltInElements&&(bt.allowCustomizedBuiltInElements=t.CUSTOM_ELEMENT_HANDLING.allowCustomizedBuiltInElements),St&&(kt=!1),Mt&&(At=!0),Dt&&(gt=k({},[...E]),yt=[],!0===Dt.html&&(k(gt,S),k(yt,N)),!0===Dt.svg&&(k(gt,B),k(yt,j),k(yt,I)),!0===Dt.svgFilters&&(k(gt,F),k(yt,j),k(yt,I)),!0===Dt.mathMl&&(k(gt,A),k(yt,Z),k(yt,I))),t.ADD_TAGS&&(gt===mt&&(gt=T(gt)),k(gt,t.ADD_TAGS,ee)),t.ADD_ATTR&&(yt===xt&&(yt=T(yt)),k(yt,t.ADD_ATTR,ee)),t.ADD_URI_SAFE_ATTR&&k(Rt,t.ADD_URI_SAFE_ATTR,ee),t.FORBID_CONTENTS&&(qt===$t&&(qt=T(qt)),k(qt,t.FORBID_CONTENTS,ee)),It&&(gt["#text"]=!0),Bt&&k(gt,["html","head","body"]),gt.table&&(k(gt,["tbody"]),delete Ct.tbody),t.TRUSTED_TYPES_POLICY){if("function"!=typeof t.TRUSTED_TYPES_POLICY.createHTML)throw C('TRUSTED_TYPES_POLICY configuration option must provide a "createHTML" hook.');if("function"!=typeof t.TRUSTED_TYPES_POLICY.createScriptURL)throw C('TRUSTED_TYPES_POLICY configuration option must provide a "createScriptURL" hook.');K=t.TRUSTED_TYPES_POLICY,tt=K.createHTML("")}else void 0===K&&(K=V(z,a)),null!==K&&"string"==typeof tt&&(tt=K.createHTML(""));o&&o(t),ie=t}},ae=k({},["mi","mo","mn","ms","mtext"]),se=k({},["foreignobject","desc","title","annotation-xml"]),le=k({},["title","style","font","a","script"]),ce=k({},B);k(ce,F),k(ce,L);const he=k({},A);k(he,M);const ue=function(t){let e=Q(t);e&&e.tagName||(e={namespaceURI:Vt,tagName:"template"});const i=f(t.tagName),r=f(e.tagName);return!!Xt[t.namespaceURI]&&(t.namespaceURI===Ut?e.namespaceURI===Yt?"svg"===i:e.namespaceURI===Wt?"svg"===i&&("annotation-xml"===r||ae[r]):Boolean(ce[i]):t.namespaceURI===Wt?e.namespaceURI===Yt?"math"===i:e.namespaceURI===Ut?"math"===i&&se[r]:Boolean(he[i]):t.namespaceURI===Yt?!(e.namespaceURI===Ut&&!se[r])&&!(e.namespaceURI===Wt&&!ae[r])&&!he[i]&&(le[i]||!ce[i]):!("application/xhtml+xml"!==Qt||!Xt[t.namespaceURI]))},de=function(t){d(i.removed,{element:t});try{t.parentNode.removeChild(t)}catch(e){t.remove()}},fe=function(t,e){try{d(i.removed,{attribute:e.getAttributeNode(t),from:e})}catch(r){d(i.removed,{attribute:null,from:e})}if(e.removeAttribute(t),"is"===t&&!yt[t])if(At||Mt)try{de(e)}catch(r){}else try{e.setAttribute(t,"")}catch(r){}},pe=function(t){let e=null,i=null;if(Lt)t="<remove></remove>"+t;else{const e=g(t,/^[\r\n\t ]+/);i=e&&e[0]}"application/xhtml+xml"===Qt&&Vt===Yt&&(t='<html xmlns="http://www.w3.org/1999/xhtml"><head></head><body>'+t+"</body></html>");const n=K?K.createHTML(t):t;if(Vt===Yt)try{e=(new $).parseFromString(n,Qt)}catch(a){}if(!e||!e.documentElement){e=et.createDocument(Vt,"template",null);try{e.documentElement.innerHTML=Gt?tt:n}catch(a){}}const o=e.body||e.documentElement;return t&&i&&o.insertBefore(r.createTextNode(i),o.childNodes[0]||null),Vt===Yt?nt.call(e,Bt?"html":"body")[0]:Bt?e.documentElement:o},ge=function(t){return it.call(t.ownerDocument||t,t,O.SHOW_ELEMENT|O.SHOW_COMMENT|O.SHOW_TEXT,null)},me=function(t){return t instanceof q&&("string"!=typeof t.nodeName||"string"!=typeof t.textContent||"function"!=typeof t.removeChild||!(t.attributes instanceof D)||"function"!=typeof t.removeAttribute||"function"!=typeof t.setAttribute||"string"!=typeof t.namespaceURI||"function"!=typeof t.insertBefore||"function"!=typeof t.hasChildNodes)},ye=function(t){return"function"==typeof _&&t instanceof _},xe=function(t,e,r){at[t]&&h(at[t],(t=>{t.call(i,e,r,ie)}))},be=function(t){let e=null;if(xe("beforeSanitizeElements",t,null),me(t))return de(t),!0;const r=ee(t.nodeName);if(xe("uponSanitizeElement",t,{tagName:r,allowedTags:gt}),t.hasChildNodes()&&!ye(t.firstElementChild)&&b(/<[/\w]/g,t.innerHTML)&&b(/<[/\w]/g,t.textContent))return de(t),!0;if(!gt[r]||Ct[r]){if(!Ct[r]&&_e(r)){if(bt.tagNameCheck instanceof RegExp&&b(bt.tagNameCheck,r))return!1;if(bt.tagNameCheck instanceof Function&&bt.tagNameCheck(r))return!1}if(It&&!qt[r]){const e=Q(t)||t.parentNode,i=J(t)||t.childNodes;if(i&&e)for(let r=i.length-1;r>=0;--r)e.insertBefore(H(i[r],!0),X(t))}return de(t),!0}return t instanceof v&&!ue(t)?(de(t),!0):"noscript"!==r&&"noembed"!==r&&"noframes"!==r||!b(/<\/no(script|embed|frames)/i,t.innerHTML)?(St&&3===t.nodeType&&(e=t.textContent,h([st,lt,ct],(t=>{e=m(e,t," ")})),t.textContent!==e&&(d(i.removed,{element:t.cloneNode()}),t.textContent=e)),xe("afterSanitizeElements",t,null),!1):(de(t),!0)},Ce=function(t,e,i){if(Nt&&("id"===e||"name"===e)&&(i in r||i in re))return!1;if(kt&&!_t[e]&&b(ht,e));else if(vt&&b(ut,e));else if(!yt[e]||_t[e]){if(!(_e(t)&&(bt.tagNameCheck instanceof RegExp&&b(bt.tagNameCheck,t)||bt.tagNameCheck instanceof Function&&bt.tagNameCheck(t))&&(bt.attributeNameCheck instanceof RegExp&&b(bt.attributeNameCheck,e)||bt.attributeNameCheck instanceof Function&&bt.attributeNameCheck(e))||"is"===e&&bt.allowCustomizedBuiltInElements&&(bt.tagNameCheck instanceof RegExp&&b(bt.tagNameCheck,i)||bt.tagNameCheck instanceof Function&&bt.tagNameCheck(i))))return!1}else if(Rt[e]);else if(b(pt,m(i,ft,"")));else if("src"!==e&&"xlink:href"!==e&&"href"!==e||"script"===t||0!==y(i,"data:")||!zt[t])if(Tt&&!b(dt,m(i,ft,"")));else if(i)return!1;return!0},_e=function(t){return t.indexOf("-")>0},ve=function(t){xe("beforeSanitizeAttributes",t,null);const{attributes:e}=t;if(!e)return;const r={attrName:"",attrValue:"",keepAttr:!0,allowedAttributes:yt};let n=e.length;for(;n--;){const a=e[n],{name:s,namespaceURI:l,value:c}=a,d=ee(s);let f="value"===s?c:x(c);if(r.attrName=d,r.attrValue=f,r.keepAttr=!0,r.forceKeepAttr=void 0,xe("uponSanitizeAttribute",t,r),f=r.attrValue,r.forceKeepAttr)continue;if(fe(s,t),!r.keepAttr)continue;if(!wt&&b(/\/>/i,f)){fe(s,t);continue}St&&h([st,lt,ct],(t=>{f=m(f,t," ")}));const p=ee(t.nodeName);if(Ce(p,d,f)){if(!jt||"id"!==d&&"name"!==d||(fe(s,t),f=Zt+f),K&&"object"==typeof z&&"function"==typeof z.getAttributeType)if(l);else switch(z.getAttributeType(p,d)){case"TrustedHTML":f=K.createHTML(f);break;case"TrustedScriptURL":f=K.createScriptURL(f)}try{l?t.setAttributeNS(l,s,f):t.setAttribute(s,f),u(i.removed)}catch(o){}}}xe("afterSanitizeAttributes",t,null)},ke=function t(e){let i=null;const r=ge(e);for(xe("beforeSanitizeShadowDOM",e,null);i=r.nextNode();)xe("uponSanitizeShadowNode",i,null),be(i)||(i.content instanceof l&&t(i.content),ve(i));xe("afterSanitizeShadowDOM",e,null)};return i.sanitize=function(t){let e=arguments.length>1&&void 0!==arguments[1]?arguments[1]:{},r=null,o=null,a=null,s=null;if(Gt=!t,Gt&&(t="\x3c!--\x3e"),"string"!=typeof t&&!ye(t)){if("function"!=typeof t.toString)throw C("toString is not a function");if("string"!=typeof(t=t.toString()))throw C("dirty is not a string, aborting")}if(!i.isSupported)return t;if(Ft||oe(e),i.removed=[],"string"==typeof t&&(Ot=!1),Ot){if(t.nodeName){const e=ee(t.nodeName);if(!gt[e]||Ct[e])throw C("root node is forbidden and cannot be sanitized in-place")}}else if(t instanceof _)r=pe("\x3c!----\x3e"),o=r.ownerDocument.importNode(t,!0),1===o.nodeType&&"BODY"===o.nodeName||"HTML"===o.nodeName?r=o:r.appendChild(o);else{if(!At&&!St&&!Bt&&-1===t.indexOf("<"))return K&&Et?K.createHTML(t):t;if(r=pe(t),!r)return At?null:Et?tt:""}r&&Lt&&de(r.firstChild);const c=ge(Ot?t:r);for(;a=c.nextNode();)be(a)||(a.content instanceof l&&ke(a.content),ve(a));if(Ot)return t;if(At){if(Mt)for(s=rt.call(r.ownerDocument);r.firstChild;)s.appendChild(r.firstChild);else s=r;return(yt.shadowroot||yt.shadowrootmode)&&(s=ot.call(n,s,!0)),s}let u=Bt?r.outerHTML:r.innerHTML;return Bt&>["!doctype"]&&r.ownerDocument&&r.ownerDocument.doctype&&r.ownerDocument.doctype.name&&b(W,r.ownerDocument.doctype.name)&&(u="<!DOCTYPE "+r.ownerDocument.doctype.name+">\n"+u),St&&h([st,lt,ct],(t=>{u=m(u,t," ")})),K&&Et?K.createHTML(u):u},i.setConfig=function(){oe(arguments.length>0&&void 0!==arguments[0]?arguments[0]:{}),Ft=!0},i.clearConfig=function(){ie=null,Ft=!1},i.isValidAttribute=function(t,e,i){ie||oe({});const r=ee(t),n=ee(e);return Ce(r,n,i)},i.addHook=function(t,e){"function"==typeof e&&(at[t]=at[t]||[],d(at[t],e))},i.removeHook=function(t){if(at[t])return u(at[t])},i.removeHooks=function(t){at[t]&&(at[t]=[])},i.removeAllHooks=function(){at={}},i}return G()}()},7594:(t,e)=>{function i(t){let e,i=[];for(let r of t.split(",").map((t=>t.trim())))if(/^-?\d+$/.test(r))i.push(parseInt(r,10));else if(e=r.match(/^(-?\d+)(-|\.\.\.?|\u2025|\u2026|\u22EF)(-?\d+)$/)){let[t,r,n,o]=e;if(r&&o){r=parseInt(r),o=parseInt(o);const t=r<o?1:-1;"-"!==n&&".."!==n&&"\u2025"!==n||(o+=t);for(let e=r;e!==o;e+=t)i.push(e)}}return i}e.default=i,t.exports=i},8464:(t,e,i)=>{"use strict";function r(t){for(var e=[],i=1;i<arguments.length;i++)e[i-1]=arguments[i];var r=Array.from("string"==typeof t?[t]:t);r[r.length-1]=r[r.length-1].replace(/\r?\n([\t ]*)$/,"");var n=r.reduce((function(t,e){var i=e.match(/\n([\t ]+|(?!\s).)/g);return i?t.concat(i.map((function(t){var e,i;return null!==(i=null===(e=t.match(/[\t ]/g))||void 0===e?void 0:e.length)&&void 0!==i?i:0}))):t}),[]);if(n.length){var o=new RegExp("\n[\t ]{"+Math.min.apply(Math,n)+"}","g");r=r.map((function(t){return t.replace(o,"\n")}))}r[0]=r[0].replace(/^\r?\n/,"");var a=r[0];return e.forEach((function(t,e){var i=a.match(/(?:^|\n)( *)$/),n=i?i[1]:"",o=t;"string"==typeof t&&t.includes("\n")&&(o=String(t).split("\n").map((function(t,e){return 0===e?t:""+n+t})).join("\n")),a+=o+r[e+1]})),a}i.d(e,{Z:()=>r})},1151:(t,e,i)=>{"use strict";i.d(e,{Z:()=>s,a:()=>a});var r=i(7294);const n={},o=r.createContext(n);function a(t){const e=r.useContext(o);return r.useMemo((function(){return"function"==typeof t?t(e):{...e,...t}}),[e,t])}function s(t){let e;return e=t.disableParentContext?"function"==typeof t.components?t.components(n):t.components||n:a(t.components),r.createElement(o.Provider,{value:e},t.children)}},4218:(t,e,i)=>{"use strict";function r(t,e){let i;if(void 0===e)for(const r of t)null!=r&&(i<r||void 0===i&&r>=r)&&(i=r);else{let r=-1;for(let n of t)null!=(n=e(n,++r,t))&&(i<n||void 0===i&&n>=n)&&(i=n)}return i}function n(t,e){let i;if(void 0===e)for(const r of t)null!=r&&(i>r||void 0===i&&r>=r)&&(i=r);else{let r=-1;for(let n of t)null!=(n=e(n,++r,t))&&(i>n||void 0===i&&n>=n)&&(i=n)}return i}function o(t){return t}i.d(e,{Nb1:()=>cs,LLu:()=>x,F5q:()=>y,$0Z:()=>vs,Dts:()=>Ts,WQY:()=>Ss,qpX:()=>Fs,u93:()=>Ls,tFB:()=>Ms,YY7:()=>js,OvA:()=>Is,dCK:()=>Ds,zgE:()=>zs,fGX:()=>Rs,$m7:()=>Ws,c_6:()=>ds,fxm:()=>Ys,FdL:()=>el,ak_:()=>il,SxZ:()=>ol,eA_:()=>sl,jsv:()=>cl,iJ:()=>ll,JHv:()=>pr,jvg:()=>gs,Fp7:()=>r,VV$:()=>n,ve8:()=>xs,tiA:()=>kr,BYU:()=>mn,PKp:()=>vr,Xf:()=>Na,K2I:()=>ja,Ys:()=>Za,td_:()=>Ia,YPS:()=>Yi,rr1:()=>Nn,i$Z:()=>uo,y2j:()=>Pn,WQD:()=>Mn,U8T:()=>Bn,Z_i:()=>Ln,Ox9:()=>Dn,F0B:()=>Qn,LqH:()=>Rn,S1K:()=>Fn,Zyz:()=>On,Igq:()=>zn,YDX:()=>qn,EFj:()=>$n});var a=1,s=2,l=3,c=4,h=1e-6;function u(t){return"translate("+t+",0)"}function d(t){return"translate(0,"+t+")"}function f(t){return e=>+t(e)}function p(t,e){return e=Math.max(0,t.bandwidth()-2*e)/2,t.round()&&(e=Math.round(e)),i=>+t(i)+e}function g(){return!this.__axis}function m(t,e){var i=[],r=null,n=null,m=6,y=6,x=3,b="undefined"!=typeof window&&window.devicePixelRatio>1?0:.5,C=t===a||t===c?-1:1,_=t===c||t===s?"x":"y",v=t===a||t===l?u:d;function k(u){var d=null==r?e.ticks?e.ticks.apply(e,i):e.domain():r,k=null==n?e.tickFormat?e.tickFormat.apply(e,i):o:n,T=Math.max(m,0)+x,w=e.range(),S=+w[0]+b,B=+w[w.length-1]+b,F=(e.bandwidth?p:f)(e.copy(),b),L=u.selection?u.selection():u,A=L.selectAll(".domain").data([null]),M=L.selectAll(".tick").data(d,e).order(),E=M.exit(),N=M.enter().append("g").attr("class","tick"),j=M.select("line"),Z=M.select("text");A=A.merge(A.enter().insert("path",".tick").attr("class","domain").attr("stroke","currentColor")),M=M.merge(N),j=j.merge(N.append("line").attr("stroke","currentColor").attr(_+"2",C*m)),Z=Z.merge(N.append("text").attr("fill","currentColor").attr(_,C*T).attr("dy",t===a?"0em":t===l?"0.71em":"0.32em")),u!==L&&(A=A.transition(u),M=M.transition(u),j=j.transition(u),Z=Z.transition(u),E=E.transition(u).attr("opacity",h).attr("transform",(function(t){return isFinite(t=F(t))?v(t+b):this.getAttribute("transform")})),N.attr("opacity",h).attr("transform",(function(t){var e=this.parentNode.__axis;return v((e&&isFinite(e=e(t))?e:F(t))+b)}))),E.remove(),A.attr("d",t===c||t===s?y?"M"+C*y+","+S+"H"+b+"V"+B+"H"+C*y:"M"+b+","+S+"V"+B:y?"M"+S+","+C*y+"V"+b+"H"+B+"V"+C*y:"M"+S+","+b+"H"+B),M.attr("opacity",1).attr("transform",(function(t){return v(F(t)+b)})),j.attr(_+"2",C*m),Z.attr(_,C*T).text(k),L.filter(g).attr("fill","none").attr("font-size",10).attr("font-family","sans-serif").attr("text-anchor",t===s?"start":t===c?"end":"middle"),L.each((function(){this.__axis=F}))}return k.scale=function(t){return arguments.length?(e=t,k):e},k.ticks=function(){return i=Array.from(arguments),k},k.tickArguments=function(t){return arguments.length?(i=null==t?[]:Array.from(t),k):i.slice()},k.tickValues=function(t){return arguments.length?(r=null==t?null:Array.from(t),k):r&&r.slice()},k.tickFormat=function(t){return arguments.length?(n=t,k):n},k.tickSize=function(t){return arguments.length?(m=y=+t,k):m},k.tickSizeInner=function(t){return arguments.length?(m=+t,k):m},k.tickSizeOuter=function(t){return arguments.length?(y=+t,k):y},k.tickPadding=function(t){return arguments.length?(x=+t,k):x},k.offset=function(t){return arguments.length?(b=+t,k):b},k}function y(t){return m(a,t)}function x(t){return m(l,t)}function b(){}function C(t){return null==t?b:function(){return this.querySelector(t)}}function _(t){return null==t?[]:Array.isArray(t)?t:Array.from(t)}function v(){return[]}function k(t){return null==t?v:function(){return this.querySelectorAll(t)}}function T(t){return function(){return this.matches(t)}}function w(t){return function(e){return e.matches(t)}}var S=Array.prototype.find;function B(){return this.firstElementChild}var F=Array.prototype.filter;function L(){return Array.from(this.children)}function A(t){return new Array(t.length)}function M(t,e){this.ownerDocument=t.ownerDocument,this.namespaceURI=t.namespaceURI,this._next=null,this._parent=t,this.__data__=e}function E(t,e,i,r,n,o){for(var a,s=0,l=e.length,c=o.length;s<c;++s)(a=e[s])?(a.__data__=o[s],r[s]=a):i[s]=new M(t,o[s]);for(;s<l;++s)(a=e[s])&&(n[s]=a)}function N(t,e,i,r,n,o,a){var s,l,c,h=new Map,u=e.length,d=o.length,f=new Array(u);for(s=0;s<u;++s)(l=e[s])&&(f[s]=c=a.call(l,l.__data__,s,e)+"",h.has(c)?n[s]=l:h.set(c,l));for(s=0;s<d;++s)c=a.call(t,o[s],s,o)+"",(l=h.get(c))?(r[s]=l,l.__data__=o[s],h.delete(c)):i[s]=new M(t,o[s]);for(s=0;s<u;++s)(l=e[s])&&h.get(f[s])===l&&(n[s]=l)}function j(t){return t.__data__}function Z(t){return"object"==typeof t&&"length"in t?t:Array.from(t)}function I(t,e){return t<e?-1:t>e?1:t>=e?0:NaN}M.prototype={constructor:M,appendChild:function(t){return this._parent.insertBefore(t,this._next)},insertBefore:function(t,e){return this._parent.insertBefore(t,e)},querySelector:function(t){return this._parent.querySelector(t)},querySelectorAll:function(t){return this._parent.querySelectorAll(t)}};var O="http://www.w3.org/1999/xhtml";const D={svg:"http://www.w3.org/2000/svg",xhtml:O,xlink:"http://www.w3.org/1999/xlink",xml:"http://www.w3.org/XML/1998/namespace",xmlns:"http://www.w3.org/2000/xmlns/"};function q(t){var e=t+="",i=e.indexOf(":");return i>=0&&"xmlns"!==(e=t.slice(0,i))&&(t=t.slice(i+1)),D.hasOwnProperty(e)?{space:D[e],local:t}:t}function $(t){return function(){this.removeAttribute(t)}}function z(t){return function(){this.removeAttributeNS(t.space,t.local)}}function P(t,e){return function(){this.setAttribute(t,e)}}function R(t,e){return function(){this.setAttributeNS(t.space,t.local,e)}}function H(t,e){return function(){var i=e.apply(this,arguments);null==i?this.removeAttribute(t):this.setAttribute(t,i)}}function W(t,e){return function(){var i=e.apply(this,arguments);null==i?this.removeAttributeNS(t.space,t.local):this.setAttributeNS(t.space,t.local,i)}}function U(t){return t.ownerDocument&&t.ownerDocument.defaultView||t.document&&t||t.defaultView}function Y(t){return function(){this.style.removeProperty(t)}}function V(t,e,i){return function(){this.style.setProperty(t,e,i)}}function G(t,e,i){return function(){var r=e.apply(this,arguments);null==r?this.style.removeProperty(t):this.style.setProperty(t,r,i)}}function X(t,e){return t.style.getPropertyValue(e)||U(t).getComputedStyle(t,null).getPropertyValue(e)}function J(t){return function(){delete this[t]}}function Q(t,e){return function(){this[t]=e}}function K(t,e){return function(){var i=e.apply(this,arguments);null==i?delete this[t]:this[t]=i}}function tt(t){return t.trim().split(/^|\s+/)}function et(t){return t.classList||new it(t)}function it(t){this._node=t,this._names=tt(t.getAttribute("class")||"")}function rt(t,e){for(var i=et(t),r=-1,n=e.length;++r<n;)i.add(e[r])}function nt(t,e){for(var i=et(t),r=-1,n=e.length;++r<n;)i.remove(e[r])}function ot(t){return function(){rt(this,t)}}function at(t){return function(){nt(this,t)}}function st(t,e){return function(){(e.apply(this,arguments)?rt:nt)(this,t)}}function lt(){this.textContent=""}function ct(t){return function(){this.textContent=t}}function ht(t){return function(){var e=t.apply(this,arguments);this.textContent=null==e?"":e}}function ut(){this.innerHTML=""}function dt(t){return function(){this.innerHTML=t}}function ft(t){return function(){var e=t.apply(this,arguments);this.innerHTML=null==e?"":e}}function pt(){this.nextSibling&&this.parentNode.appendChild(this)}function gt(){this.previousSibling&&this.parentNode.insertBefore(this,this.parentNode.firstChild)}function mt(t){return function(){var e=this.ownerDocument,i=this.namespaceURI;return i===O&&e.documentElement.namespaceURI===O?e.createElement(t):e.createElementNS(i,t)}}function yt(t){return function(){return this.ownerDocument.createElementNS(t.space,t.local)}}function xt(t){var e=q(t);return(e.local?yt:mt)(e)}function bt(){return null}function Ct(){var t=this.parentNode;t&&t.removeChild(this)}function _t(){var t=this.cloneNode(!1),e=this.parentNode;return e?e.insertBefore(t,this.nextSibling):t}function vt(){var t=this.cloneNode(!0),e=this.parentNode;return e?e.insertBefore(t,this.nextSibling):t}function kt(t){return function(){var e=this.__on;if(e){for(var i,r=0,n=-1,o=e.length;r<o;++r)i=e[r],t.type&&i.type!==t.type||i.name!==t.name?e[++n]=i:this.removeEventListener(i.type,i.listener,i.options);++n?e.length=n:delete this.__on}}}function Tt(t,e,i){return function(){var r,n=this.__on,o=function(t){return function(e){t.call(this,e,this.__data__)}}(e);if(n)for(var a=0,s=n.length;a<s;++a)if((r=n[a]).type===t.type&&r.name===t.name)return this.removeEventListener(r.type,r.listener,r.options),this.addEventListener(r.type,r.listener=o,r.options=i),void(r.value=e);this.addEventListener(t.type,o,i),r={type:t.type,name:t.name,value:e,listener:o,options:i},n?n.push(r):this.__on=[r]}}function wt(t,e,i){var r=U(t),n=r.CustomEvent;"function"==typeof n?n=new n(e,i):(n=r.document.createEvent("Event"),i?(n.initEvent(e,i.bubbles,i.cancelable),n.detail=i.detail):n.initEvent(e,!1,!1)),t.dispatchEvent(n)}function St(t,e){return function(){return wt(this,t,e)}}function Bt(t,e){return function(){return wt(this,t,e.apply(this,arguments))}}it.prototype={add:function(t){this._names.indexOf(t)<0&&(this._names.push(t),this._node.setAttribute("class",this._names.join(" ")))},remove:function(t){var e=this._names.indexOf(t);e>=0&&(this._names.splice(e,1),this._node.setAttribute("class",this._names.join(" ")))},contains:function(t){return this._names.indexOf(t)>=0}};var Ft=[null];function Lt(t,e){this._groups=t,this._parents=e}function At(){return new Lt([[document.documentElement]],Ft)}Lt.prototype=At.prototype={constructor:Lt,select:function(t){"function"!=typeof t&&(t=C(t));for(var e=this._groups,i=e.length,r=new Array(i),n=0;n<i;++n)for(var o,a,s=e[n],l=s.length,c=r[n]=new Array(l),h=0;h<l;++h)(o=s[h])&&(a=t.call(o,o.__data__,h,s))&&("__data__"in o&&(a.__data__=o.__data__),c[h]=a);return new Lt(r,this._parents)},selectAll:function(t){t="function"==typeof t?function(t){return function(){return _(t.apply(this,arguments))}}(t):k(t);for(var e=this._groups,i=e.length,r=[],n=[],o=0;o<i;++o)for(var a,s=e[o],l=s.length,c=0;c<l;++c)(a=s[c])&&(r.push(t.call(a,a.__data__,c,s)),n.push(a));return new Lt(r,n)},selectChild:function(t){return this.select(null==t?B:function(t){return function(){return S.call(this.children,t)}}("function"==typeof t?t:w(t)))},selectChildren:function(t){return this.selectAll(null==t?L:function(t){return function(){return F.call(this.children,t)}}("function"==typeof t?t:w(t)))},filter:function(t){"function"!=typeof t&&(t=T(t));for(var e=this._groups,i=e.length,r=new Array(i),n=0;n<i;++n)for(var o,a=e[n],s=a.length,l=r[n]=[],c=0;c<s;++c)(o=a[c])&&t.call(o,o.__data__,c,a)&&l.push(o);return new Lt(r,this._parents)},data:function(t,e){if(!arguments.length)return Array.from(this,j);var i,r=e?N:E,n=this._parents,o=this._groups;"function"!=typeof t&&(i=t,t=function(){return i});for(var a=o.length,s=new Array(a),l=new Array(a),c=new Array(a),h=0;h<a;++h){var u=n[h],d=o[h],f=d.length,p=Z(t.call(u,u&&u.__data__,h,n)),g=p.length,m=l[h]=new Array(g),y=s[h]=new Array(g);r(u,d,m,y,c[h]=new Array(f),p,e);for(var x,b,C=0,_=0;C<g;++C)if(x=m[C]){for(C>=_&&(_=C+1);!(b=y[_])&&++_<g;);x._next=b||null}}return(s=new Lt(s,n))._enter=l,s._exit=c,s},enter:function(){return new Lt(this._enter||this._groups.map(A),this._parents)},exit:function(){return new Lt(this._exit||this._groups.map(A),this._parents)},join:function(t,e,i){var r=this.enter(),n=this,o=this.exit();return"function"==typeof t?(r=t(r))&&(r=r.selection()):r=r.append(t+""),null!=e&&(n=e(n))&&(n=n.selection()),null==i?o.remove():i(o),r&&n?r.merge(n).order():n},merge:function(t){for(var e=t.selection?t.selection():t,i=this._groups,r=e._groups,n=i.length,o=r.length,a=Math.min(n,o),s=new Array(n),l=0;l<a;++l)for(var c,h=i[l],u=r[l],d=h.length,f=s[l]=new Array(d),p=0;p<d;++p)(c=h[p]||u[p])&&(f[p]=c);for(;l<n;++l)s[l]=i[l];return new Lt(s,this._parents)},selection:function(){return this},order:function(){for(var t=this._groups,e=-1,i=t.length;++e<i;)for(var r,n=t[e],o=n.length-1,a=n[o];--o>=0;)(r=n[o])&&(a&&4^r.compareDocumentPosition(a)&&a.parentNode.insertBefore(r,a),a=r);return this},sort:function(t){function e(e,i){return e&&i?t(e.__data__,i.__data__):!e-!i}t||(t=I);for(var i=this._groups,r=i.length,n=new Array(r),o=0;o<r;++o){for(var a,s=i[o],l=s.length,c=n[o]=new Array(l),h=0;h<l;++h)(a=s[h])&&(c[h]=a);c.sort(e)}return new Lt(n,this._parents).order()},call:function(){var t=arguments[0];return arguments[0]=this,t.apply(null,arguments),this},nodes:function(){return Array.from(this)},node:function(){for(var t=this._groups,e=0,i=t.length;e<i;++e)for(var r=t[e],n=0,o=r.length;n<o;++n){var a=r[n];if(a)return a}return null},size:function(){let t=0;for(const e of this)++t;return t},empty:function(){return!this.node()},each:function(t){for(var e=this._groups,i=0,r=e.length;i<r;++i)for(var n,o=e[i],a=0,s=o.length;a<s;++a)(n=o[a])&&t.call(n,n.__data__,a,o);return this},attr:function(t,e){var i=q(t);if(arguments.length<2){var r=this.node();return i.local?r.getAttributeNS(i.space,i.local):r.getAttribute(i)}return this.each((null==e?i.local?z:$:"function"==typeof e?i.local?W:H:i.local?R:P)(i,e))},style:function(t,e,i){return arguments.length>1?this.each((null==e?Y:"function"==typeof e?G:V)(t,e,null==i?"":i)):X(this.node(),t)},property:function(t,e){return arguments.length>1?this.each((null==e?J:"function"==typeof e?K:Q)(t,e)):this.node()[t]},classed:function(t,e){var i=tt(t+"");if(arguments.length<2){for(var r=et(this.node()),n=-1,o=i.length;++n<o;)if(!r.contains(i[n]))return!1;return!0}return this.each(("function"==typeof e?st:e?ot:at)(i,e))},text:function(t){return arguments.length?this.each(null==t?lt:("function"==typeof t?ht:ct)(t)):this.node().textContent},html:function(t){return arguments.length?this.each(null==t?ut:("function"==typeof t?ft:dt)(t)):this.node().innerHTML},raise:function(){return this.each(pt)},lower:function(){return this.each(gt)},append:function(t){var e="function"==typeof t?t:xt(t);return this.select((function(){return this.appendChild(e.apply(this,arguments))}))},insert:function(t,e){var i="function"==typeof t?t:xt(t),r=null==e?bt:"function"==typeof e?e:C(e);return this.select((function(){return this.insertBefore(i.apply(this,arguments),r.apply(this,arguments)||null)}))},remove:function(){return this.each(Ct)},clone:function(t){return this.select(t?vt:_t)},datum:function(t){return arguments.length?this.property("__data__",t):this.node().__data__},on:function(t,e,i){var r,n,o=function(t){return t.trim().split(/^|\s+/).map((function(t){var e="",i=t.indexOf(".");return i>=0&&(e=t.slice(i+1),t=t.slice(0,i)),{type:t,name:e}}))}(t+""),a=o.length;if(!(arguments.length<2)){for(s=e?Tt:kt,r=0;r<a;++r)this.each(s(o[r],e,i));return this}var s=this.node().__on;if(s)for(var l,c=0,h=s.length;c<h;++c)for(r=0,l=s[c];r<a;++r)if((n=o[r]).type===l.type&&n.name===l.name)return l.value},dispatch:function(t,e){return this.each(("function"==typeof e?Bt:St)(t,e))},[Symbol.iterator]:function*(){for(var t=this._groups,e=0,i=t.length;e<i;++e)for(var r,n=t[e],o=0,a=n.length;o<a;++o)(r=n[o])&&(yield r)}};const Mt=At;var Et={value:()=>{}};function Nt(){for(var t,e=0,i=arguments.length,r={};e<i;++e){if(!(t=arguments[e]+"")||t in r||/[\s.]/.test(t))throw new Error("illegal type: "+t);r[t]=[]}return new jt(r)}function jt(t){this._=t}function Zt(t,e){for(var i,r=0,n=t.length;r<n;++r)if((i=t[r]).name===e)return i.value}function It(t,e,i){for(var r=0,n=t.length;r<n;++r)if(t[r].name===e){t[r]=Et,t=t.slice(0,r).concat(t.slice(r+1));break}return null!=i&&t.push({name:e,value:i}),t}jt.prototype=Nt.prototype={constructor:jt,on:function(t,e){var i,r,n=this._,o=(r=n,(t+"").trim().split(/^|\s+/).map((function(t){var e="",i=t.indexOf(".");if(i>=0&&(e=t.slice(i+1),t=t.slice(0,i)),t&&!r.hasOwnProperty(t))throw new Error("unknown type: "+t);return{type:t,name:e}}))),a=-1,s=o.length;if(!(arguments.length<2)){if(null!=e&&"function"!=typeof e)throw new Error("invalid callback: "+e);for(;++a<s;)if(i=(t=o[a]).type)n[i]=It(n[i],t.name,e);else if(null==e)for(i in n)n[i]=It(n[i],t.name,null);return this}for(;++a<s;)if((i=(t=o[a]).type)&&(i=Zt(n[i],t.name)))return i},copy:function(){var t={},e=this._;for(var i in e)t[i]=e[i].slice();return new jt(t)},call:function(t,e){if((i=arguments.length-2)>0)for(var i,r,n=new Array(i),o=0;o<i;++o)n[o]=arguments[o+2];if(!this._.hasOwnProperty(t))throw new Error("unknown type: "+t);for(o=0,i=(r=this._[t]).length;o<i;++o)r[o].value.apply(e,n)},apply:function(t,e,i){if(!this._.hasOwnProperty(t))throw new Error("unknown type: "+t);for(var r=this._[t],n=0,o=r.length;n<o;++n)r[n].value.apply(e,i)}};const Ot=Nt;var Dt,qt,$t=0,zt=0,Pt=0,Rt=1e3,Ht=0,Wt=0,Ut=0,Yt="object"==typeof performance&&performance.now?performance:Date,Vt="object"==typeof window&&window.requestAnimationFrame?window.requestAnimationFrame.bind(window):function(t){setTimeout(t,17)};function Gt(){return Wt||(Vt(Xt),Wt=Yt.now()+Ut)}function Xt(){Wt=0}function Jt(){this._call=this._time=this._next=null}function Qt(t,e,i){var r=new Jt;return r.restart(t,e,i),r}function Kt(){Wt=(Ht=Yt.now())+Ut,$t=zt=0;try{!function(){Gt(),++$t;for(var t,e=Dt;e;)(t=Wt-e._time)>=0&&e._call.call(void 0,t),e=e._next;--$t}()}finally{$t=0,function(){var t,e,i=Dt,r=1/0;for(;i;)i._call?(r>i._time&&(r=i._time),t=i,i=i._next):(e=i._next,i._next=null,i=t?t._next=e:Dt=e);qt=t,ee(r)}(),Wt=0}}function te(){var t=Yt.now(),e=t-Ht;e>Rt&&(Ut-=e,Ht=t)}function ee(t){$t||(zt&&(zt=clearTimeout(zt)),t-Wt>24?(t<1/0&&(zt=setTimeout(Kt,t-Yt.now()-Ut)),Pt&&(Pt=clearInterval(Pt))):(Pt||(Ht=Yt.now(),Pt=setInterval(te,Rt)),$t=1,Vt(Kt)))}function ie(t,e,i){var r=new Jt;return e=null==e?0:+e,r.restart((i=>{r.stop(),t(i+e)}),e,i),r}Jt.prototype=Qt.prototype={constructor:Jt,restart:function(t,e,i){if("function"!=typeof t)throw new TypeError("callback is not a function");i=(null==i?Gt():+i)+(null==e?0:+e),this._next||qt===this||(qt?qt._next=this:Dt=this,qt=this),this._call=t,this._time=i,ee()},stop:function(){this._call&&(this._call=null,this._time=1/0,ee())}};var re=Ot("start","end","cancel","interrupt"),ne=[],oe=0,ae=1,se=2,le=3,ce=4,he=5,ue=6;function de(t,e,i,r,n,o){var a=t.__transition;if(a){if(i in a)return}else t.__transition={};!function(t,e,i){var r,n=t.__transition;function o(t){i.state=ae,i.timer.restart(a,i.delay,i.time),i.delay<=t&&a(t-i.delay)}function a(o){var c,h,u,d;if(i.state!==ae)return l();for(c in n)if((d=n[c]).name===i.name){if(d.state===le)return ie(a);d.state===ce?(d.state=ue,d.timer.stop(),d.on.call("interrupt",t,t.__data__,d.index,d.group),delete n[c]):+c<e&&(d.state=ue,d.timer.stop(),d.on.call("cancel",t,t.__data__,d.index,d.group),delete n[c])}if(ie((function(){i.state===le&&(i.state=ce,i.timer.restart(s,i.delay,i.time),s(o))})),i.state=se,i.on.call("start",t,t.__data__,i.index,i.group),i.state===se){for(i.state=le,r=new Array(u=i.tween.length),c=0,h=-1;c<u;++c)(d=i.tween[c].value.call(t,t.__data__,i.index,i.group))&&(r[++h]=d);r.length=h+1}}function s(e){for(var n=e<i.duration?i.ease.call(null,e/i.duration):(i.timer.restart(l),i.state=he,1),o=-1,a=r.length;++o<a;)r[o].call(t,n);i.state===he&&(i.on.call("end",t,t.__data__,i.index,i.group),l())}function l(){for(var r in i.state=ue,i.timer.stop(),delete n[e],n)return;delete t.__transition}n[e]=i,i.timer=Qt(o,0,i.time)}(t,i,{name:e,index:r,group:n,on:re,tween:ne,time:o.time,delay:o.delay,duration:o.duration,ease:o.ease,timer:null,state:oe})}function fe(t,e){var i=ge(t,e);if(i.state>oe)throw new Error("too late; already scheduled");return i}function pe(t,e){var i=ge(t,e);if(i.state>le)throw new Error("too late; already running");return i}function ge(t,e){var i=t.__transition;if(!i||!(i=i[e]))throw new Error("transition not found");return i}function me(t,e){return t=+t,e=+e,function(i){return t*(1-i)+e*i}}var ye,xe=180/Math.PI,be={translateX:0,translateY:0,rotate:0,skewX:0,scaleX:1,scaleY:1};function Ce(t,e,i,r,n,o){var a,s,l;return(a=Math.sqrt(t*t+e*e))&&(t/=a,e/=a),(l=t*i+e*r)&&(i-=t*l,r-=e*l),(s=Math.sqrt(i*i+r*r))&&(i/=s,r/=s,l/=s),t*r<e*i&&(t=-t,e=-e,l=-l,a=-a),{translateX:n,translateY:o,rotate:Math.atan2(e,t)*xe,skewX:Math.atan(l)*xe,scaleX:a,scaleY:s}}function _e(t,e,i,r){function n(t){return t.length?t.pop()+" ":""}return function(o,a){var s=[],l=[];return o=t(o),a=t(a),function(t,r,n,o,a,s){if(t!==n||r!==o){var l=a.push("translate(",null,e,null,i);s.push({i:l-4,x:me(t,n)},{i:l-2,x:me(r,o)})}else(n||o)&&a.push("translate("+n+e+o+i)}(o.translateX,o.translateY,a.translateX,a.translateY,s,l),function(t,e,i,o){t!==e?(t-e>180?e+=360:e-t>180&&(t+=360),o.push({i:i.push(n(i)+"rotate(",null,r)-2,x:me(t,e)})):e&&i.push(n(i)+"rotate("+e+r)}(o.rotate,a.rotate,s,l),function(t,e,i,o){t!==e?o.push({i:i.push(n(i)+"skewX(",null,r)-2,x:me(t,e)}):e&&i.push(n(i)+"skewX("+e+r)}(o.skewX,a.skewX,s,l),function(t,e,i,r,o,a){if(t!==i||e!==r){var s=o.push(n(o)+"scale(",null,",",null,")");a.push({i:s-4,x:me(t,i)},{i:s-2,x:me(e,r)})}else 1===i&&1===r||o.push(n(o)+"scale("+i+","+r+")")}(o.scaleX,o.scaleY,a.scaleX,a.scaleY,s,l),o=a=null,function(t){for(var e,i=-1,r=l.length;++i<r;)s[(e=l[i]).i]=e.x(t);return s.join("")}}}var ve=_e((function(t){const e=new("function"==typeof DOMMatrix?DOMMatrix:WebKitCSSMatrix)(t+"");return e.isIdentity?be:Ce(e.a,e.b,e.c,e.d,e.e,e.f)}),"px, ","px)","deg)"),ke=_e((function(t){return null==t?be:(ye||(ye=document.createElementNS("http://www.w3.org/2000/svg","g")),ye.setAttribute("transform",t),(t=ye.transform.baseVal.consolidate())?Ce((t=t.matrix).a,t.b,t.c,t.d,t.e,t.f):be)}),", ",")",")");function Te(t,e){var i,r;return function(){var n=pe(this,t),o=n.tween;if(o!==i)for(var a=0,s=(r=i=o).length;a<s;++a)if(r[a].name===e){(r=r.slice()).splice(a,1);break}n.tween=r}}function we(t,e,i){var r,n;if("function"!=typeof i)throw new Error;return function(){var o=pe(this,t),a=o.tween;if(a!==r){n=(r=a).slice();for(var s={name:e,value:i},l=0,c=n.length;l<c;++l)if(n[l].name===e){n[l]=s;break}l===c&&n.push(s)}o.tween=n}}function Se(t,e,i){var r=t._id;return t.each((function(){var t=pe(this,r);(t.value||(t.value={}))[e]=i.apply(this,arguments)})),function(t){return ge(t,r).value[e]}}function Be(t,e,i){t.prototype=e.prototype=i,i.constructor=t}function Fe(t,e){var i=Object.create(t.prototype);for(var r in e)i[r]=e[r];return i}function Le(){}var Ae=.7,Me=1/Ae,Ee="\\s*([+-]?\\d+)\\s*",Ne="\\s*([+-]?(?:\\d*\\.)?\\d+(?:[eE][+-]?\\d+)?)\\s*",je="\\s*([+-]?(?:\\d*\\.)?\\d+(?:[eE][+-]?\\d+)?)%\\s*",Ze=/^#([0-9a-f]{3,8})$/,Ie=new RegExp(`^rgb\\(${Ee},${Ee},${Ee}\\)$`),Oe=new RegExp(`^rgb\\(${je},${je},${je}\\)$`),De=new RegExp(`^rgba\\(${Ee},${Ee},${Ee},${Ne}\\)$`),qe=new RegExp(`^rgba\\(${je},${je},${je},${Ne}\\)$`),$e=new RegExp(`^hsl\\(${Ne},${je},${je}\\)$`),ze=new RegExp(`^hsla\\(${Ne},${je},${je},${Ne}\\)$`),Pe={aliceblue:15792383,antiquewhite:16444375,aqua:65535,aquamarine:8388564,azure:15794175,beige:16119260,bisque:16770244,black:0,blanchedalmond:16772045,blue:255,blueviolet:9055202,brown:10824234,burlywood:14596231,cadetblue:6266528,chartreuse:8388352,chocolate:13789470,coral:16744272,cornflowerblue:6591981,cornsilk:16775388,crimson:14423100,cyan:65535,darkblue:139,darkcyan:35723,darkgoldenrod:12092939,darkgray:11119017,darkgreen:25600,darkgrey:11119017,darkkhaki:12433259,darkmagenta:9109643,darkolivegreen:5597999,darkorange:16747520,darkorchid:10040012,darkred:9109504,darksalmon:15308410,darkseagreen:9419919,darkslateblue:4734347,darkslategray:3100495,darkslategrey:3100495,darkturquoise:52945,darkviolet:9699539,deeppink:16716947,deepskyblue:49151,dimgray:6908265,dimgrey:6908265,dodgerblue:2003199,firebrick:11674146,floralwhite:16775920,forestgreen:2263842,fuchsia:16711935,gainsboro:14474460,ghostwhite:16316671,gold:16766720,goldenrod:14329120,gray:8421504,green:32768,greenyellow:11403055,grey:8421504,honeydew:15794160,hotpink:16738740,indianred:13458524,indigo:4915330,ivory:16777200,khaki:15787660,lavender:15132410,lavenderblush:16773365,lawngreen:8190976,lemonchiffon:16775885,lightblue:11393254,lightcoral:15761536,lightcyan:14745599,lightgoldenrodyellow:16448210,lightgray:13882323,lightgreen:9498256,lightgrey:13882323,lightpink:16758465,lightsalmon:16752762,lightseagreen:2142890,lightskyblue:8900346,lightslategray:7833753,lightslategrey:7833753,lightsteelblue:11584734,lightyellow:16777184,lime:65280,limegreen:3329330,linen:16445670,magenta:16711935,maroon:8388608,mediumaquamarine:6737322,mediumblue:205,mediumorchid:12211667,mediumpurple:9662683,mediumseagreen:3978097,mediumslateblue:8087790,mediumspringgreen:64154,mediumturquoise:4772300,mediumvioletred:13047173,midnightblue:1644912,mintcream:16121850,mistyrose:16770273,moccasin:16770229,navajowhite:16768685,navy:128,oldlace:16643558,olive:8421376,olivedrab:7048739,orange:16753920,orangered:16729344,orchid:14315734,palegoldenrod:15657130,palegreen:10025880,paleturquoise:11529966,palevioletred:14381203,papayawhip:16773077,peachpuff:16767673,peru:13468991,pink:16761035,plum:14524637,powderblue:11591910,purple:8388736,rebeccapurple:6697881,red:16711680,rosybrown:12357519,royalblue:4286945,saddlebrown:9127187,salmon:16416882,sandybrown:16032864,seagreen:3050327,seashell:16774638,sienna:10506797,silver:12632256,skyblue:8900331,slateblue:6970061,slategray:7372944,slategrey:7372944,snow:16775930,springgreen:65407,steelblue:4620980,tan:13808780,teal:32896,thistle:14204888,tomato:16737095,turquoise:4251856,violet:15631086,wheat:16113331,white:16777215,whitesmoke:16119285,yellow:16776960,yellowgreen:10145074};function Re(){return this.rgb().formatHex()}function He(){return this.rgb().formatRgb()}function We(t){var e,i;return t=(t+"").trim().toLowerCase(),(e=Ze.exec(t))?(i=e[1].length,e=parseInt(e[1],16),6===i?Ue(e):3===i?new Xe(e>>8&15|e>>4&240,e>>4&15|240&e,(15&e)<<4|15&e,1):8===i?Ye(e>>24&255,e>>16&255,e>>8&255,(255&e)/255):4===i?Ye(e>>12&15|e>>8&240,e>>8&15|e>>4&240,e>>4&15|240&e,((15&e)<<4|15&e)/255):null):(e=Ie.exec(t))?new Xe(e[1],e[2],e[3],1):(e=Oe.exec(t))?new Xe(255*e[1]/100,255*e[2]/100,255*e[3]/100,1):(e=De.exec(t))?Ye(e[1],e[2],e[3],e[4]):(e=qe.exec(t))?Ye(255*e[1]/100,255*e[2]/100,255*e[3]/100,e[4]):(e=$e.exec(t))?ii(e[1],e[2]/100,e[3]/100,1):(e=ze.exec(t))?ii(e[1],e[2]/100,e[3]/100,e[4]):Pe.hasOwnProperty(t)?Ue(Pe[t]):"transparent"===t?new Xe(NaN,NaN,NaN,0):null}function Ue(t){return new Xe(t>>16&255,t>>8&255,255&t,1)}function Ye(t,e,i,r){return r<=0&&(t=e=i=NaN),new Xe(t,e,i,r)}function Ve(t){return t instanceof Le||(t=We(t)),t?new Xe((t=t.rgb()).r,t.g,t.b,t.opacity):new Xe}function Ge(t,e,i,r){return 1===arguments.length?Ve(t):new Xe(t,e,i,null==r?1:r)}function Xe(t,e,i,r){this.r=+t,this.g=+e,this.b=+i,this.opacity=+r}function Je(){return`#${ei(this.r)}${ei(this.g)}${ei(this.b)}`}function Qe(){const t=Ke(this.opacity);return`${1===t?"rgb(":"rgba("}${ti(this.r)}, ${ti(this.g)}, ${ti(this.b)}${1===t?")":`, ${t})`}`}function Ke(t){return isNaN(t)?1:Math.max(0,Math.min(1,t))}function ti(t){return Math.max(0,Math.min(255,Math.round(t)||0))}function ei(t){return((t=ti(t))<16?"0":"")+t.toString(16)}function ii(t,e,i,r){return r<=0?t=e=i=NaN:i<=0||i>=1?t=e=NaN:e<=0&&(t=NaN),new ni(t,e,i,r)}function ri(t){if(t instanceof ni)return new ni(t.h,t.s,t.l,t.opacity);if(t instanceof Le||(t=We(t)),!t)return new ni;if(t instanceof ni)return t;var e=(t=t.rgb()).r/255,i=t.g/255,r=t.b/255,n=Math.min(e,i,r),o=Math.max(e,i,r),a=NaN,s=o-n,l=(o+n)/2;return s?(a=e===o?(i-r)/s+6*(i<r):i===o?(r-e)/s+2:(e-i)/s+4,s/=l<.5?o+n:2-o-n,a*=60):s=l>0&&l<1?0:a,new ni(a,s,l,t.opacity)}function ni(t,e,i,r){this.h=+t,this.s=+e,this.l=+i,this.opacity=+r}function oi(t){return(t=(t||0)%360)<0?t+360:t}function ai(t){return Math.max(0,Math.min(1,t||0))}function si(t,e,i){return 255*(t<60?e+(i-e)*t/60:t<180?i:t<240?e+(i-e)*(240-t)/60:e)}function li(t,e,i,r,n){var o=t*t,a=o*t;return((1-3*t+3*o-a)*e+(4-6*o+3*a)*i+(1+3*t+3*o-3*a)*r+a*n)/6}Be(Le,We,{copy(t){return Object.assign(new this.constructor,this,t)},displayable(){return this.rgb().displayable()},hex:Re,formatHex:Re,formatHex8:function(){return this.rgb().formatHex8()},formatHsl:function(){return ri(this).formatHsl()},formatRgb:He,toString:He}),Be(Xe,Ge,Fe(Le,{brighter(t){return t=null==t?Me:Math.pow(Me,t),new Xe(this.r*t,this.g*t,this.b*t,this.opacity)},darker(t){return t=null==t?Ae:Math.pow(Ae,t),new Xe(this.r*t,this.g*t,this.b*t,this.opacity)},rgb(){return this},clamp(){return new Xe(ti(this.r),ti(this.g),ti(this.b),Ke(this.opacity))},displayable(){return-.5<=this.r&&this.r<255.5&&-.5<=this.g&&this.g<255.5&&-.5<=this.b&&this.b<255.5&&0<=this.opacity&&this.opacity<=1},hex:Je,formatHex:Je,formatHex8:function(){return`#${ei(this.r)}${ei(this.g)}${ei(this.b)}${ei(255*(isNaN(this.opacity)?1:this.opacity))}`},formatRgb:Qe,toString:Qe})),Be(ni,(function(t,e,i,r){return 1===arguments.length?ri(t):new ni(t,e,i,null==r?1:r)}),Fe(Le,{brighter(t){return t=null==t?Me:Math.pow(Me,t),new ni(this.h,this.s,this.l*t,this.opacity)},darker(t){return t=null==t?Ae:Math.pow(Ae,t),new ni(this.h,this.s,this.l*t,this.opacity)},rgb(){var t=this.h%360+360*(this.h<0),e=isNaN(t)||isNaN(this.s)?0:this.s,i=this.l,r=i+(i<.5?i:1-i)*e,n=2*i-r;return new Xe(si(t>=240?t-240:t+120,n,r),si(t,n,r),si(t<120?t+240:t-120,n,r),this.opacity)},clamp(){return new ni(oi(this.h),ai(this.s),ai(this.l),Ke(this.opacity))},displayable(){return(0<=this.s&&this.s<=1||isNaN(this.s))&&0<=this.l&&this.l<=1&&0<=this.opacity&&this.opacity<=1},formatHsl(){const t=Ke(this.opacity);return`${1===t?"hsl(":"hsla("}${oi(this.h)}, ${100*ai(this.s)}%, ${100*ai(this.l)}%${1===t?")":`, ${t})`}`}}));const ci=t=>()=>t;function hi(t,e){return function(i){return t+i*e}}function ui(t){return 1==(t=+t)?di:function(e,i){return i-e?function(t,e,i){return t=Math.pow(t,i),e=Math.pow(e,i)-t,i=1/i,function(r){return Math.pow(t+r*e,i)}}(e,i,t):ci(isNaN(e)?i:e)}}function di(t,e){var i=e-t;return i?hi(t,i):ci(isNaN(t)?e:t)}const fi=function t(e){var i=ui(e);function r(t,e){var r=i((t=Ge(t)).r,(e=Ge(e)).r),n=i(t.g,e.g),o=i(t.b,e.b),a=di(t.opacity,e.opacity);return function(e){return t.r=r(e),t.g=n(e),t.b=o(e),t.opacity=a(e),t+""}}return r.gamma=t,r}(1);function pi(t){return function(e){var i,r,n=e.length,o=new Array(n),a=new Array(n),s=new Array(n);for(i=0;i<n;++i)r=Ge(e[i]),o[i]=r.r||0,a[i]=r.g||0,s[i]=r.b||0;return o=t(o),a=t(a),s=t(s),r.opacity=1,function(t){return r.r=o(t),r.g=a(t),r.b=s(t),r+""}}}pi((function(t){var e=t.length-1;return function(i){var r=i<=0?i=0:i>=1?(i=1,e-1):Math.floor(i*e),n=t[r],o=t[r+1],a=r>0?t[r-1]:2*n-o,s=r<e-1?t[r+2]:2*o-n;return li((i-r/e)*e,a,n,o,s)}})),pi((function(t){var e=t.length;return function(i){var r=Math.floor(((i%=1)<0?++i:i)*e),n=t[(r+e-1)%e],o=t[r%e],a=t[(r+1)%e],s=t[(r+2)%e];return li((i-r/e)*e,n,o,a,s)}}));var gi=/[-+]?(?:\d+\.?\d*|\.?\d+)(?:[eE][-+]?\d+)?/g,mi=new RegExp(gi.source,"g");function yi(t,e){var i,r,n,o=gi.lastIndex=mi.lastIndex=0,a=-1,s=[],l=[];for(t+="",e+="";(i=gi.exec(t))&&(r=mi.exec(e));)(n=r.index)>o&&(n=e.slice(o,n),s[a]?s[a]+=n:s[++a]=n),(i=i[0])===(r=r[0])?s[a]?s[a]+=r:s[++a]=r:(s[++a]=null,l.push({i:a,x:me(i,r)})),o=mi.lastIndex;return o<e.length&&(n=e.slice(o),s[a]?s[a]+=n:s[++a]=n),s.length<2?l[0]?function(t){return function(e){return t(e)+""}}(l[0].x):function(t){return function(){return t}}(e):(e=l.length,function(t){for(var i,r=0;r<e;++r)s[(i=l[r]).i]=i.x(t);return s.join("")})}function xi(t,e){var i;return("number"==typeof e?me:e instanceof We?fi:(i=We(e))?(e=i,fi):yi)(t,e)}function bi(t){return function(){this.removeAttribute(t)}}function Ci(t){return function(){this.removeAttributeNS(t.space,t.local)}}function _i(t,e,i){var r,n,o=i+"";return function(){var a=this.getAttribute(t);return a===o?null:a===r?n:n=e(r=a,i)}}function vi(t,e,i){var r,n,o=i+"";return function(){var a=this.getAttributeNS(t.space,t.local);return a===o?null:a===r?n:n=e(r=a,i)}}function ki(t,e,i){var r,n,o;return function(){var a,s,l=i(this);if(null!=l)return(a=this.getAttribute(t))===(s=l+"")?null:a===r&&s===n?o:(n=s,o=e(r=a,l));this.removeAttribute(t)}}function Ti(t,e,i){var r,n,o;return function(){var a,s,l=i(this);if(null!=l)return(a=this.getAttributeNS(t.space,t.local))===(s=l+"")?null:a===r&&s===n?o:(n=s,o=e(r=a,l));this.removeAttributeNS(t.space,t.local)}}function wi(t,e){var i,r;function n(){var n=e.apply(this,arguments);return n!==r&&(i=(r=n)&&function(t,e){return function(i){this.setAttributeNS(t.space,t.local,e.call(this,i))}}(t,n)),i}return n._value=e,n}function Si(t,e){var i,r;function n(){var n=e.apply(this,arguments);return n!==r&&(i=(r=n)&&function(t,e){return function(i){this.setAttribute(t,e.call(this,i))}}(t,n)),i}return n._value=e,n}function Bi(t,e){return function(){fe(this,t).delay=+e.apply(this,arguments)}}function Fi(t,e){return e=+e,function(){fe(this,t).delay=e}}function Li(t,e){return function(){pe(this,t).duration=+e.apply(this,arguments)}}function Ai(t,e){return e=+e,function(){pe(this,t).duration=e}}var Mi=Mt.prototype.constructor;function Ei(t){return function(){this.style.removeProperty(t)}}var Ni=0;function ji(t,e,i,r){this._groups=t,this._parents=e,this._name=i,this._id=r}function Zi(){return++Ni}var Ii=Mt.prototype;ji.prototype=function(t){return Mt().transition(t)}.prototype={constructor:ji,select:function(t){var e=this._name,i=this._id;"function"!=typeof t&&(t=C(t));for(var r=this._groups,n=r.length,o=new Array(n),a=0;a<n;++a)for(var s,l,c=r[a],h=c.length,u=o[a]=new Array(h),d=0;d<h;++d)(s=c[d])&&(l=t.call(s,s.__data__,d,c))&&("__data__"in s&&(l.__data__=s.__data__),u[d]=l,de(u[d],e,i,d,u,ge(s,i)));return new ji(o,this._parents,e,i)},selectAll:function(t){var e=this._name,i=this._id;"function"!=typeof t&&(t=k(t));for(var r=this._groups,n=r.length,o=[],a=[],s=0;s<n;++s)for(var l,c=r[s],h=c.length,u=0;u<h;++u)if(l=c[u]){for(var d,f=t.call(l,l.__data__,u,c),p=ge(l,i),g=0,m=f.length;g<m;++g)(d=f[g])&&de(d,e,i,g,f,p);o.push(f),a.push(l)}return new ji(o,a,e,i)},selectChild:Ii.selectChild,selectChildren:Ii.selectChildren,filter:function(t){"function"!=typeof t&&(t=T(t));for(var e=this._groups,i=e.length,r=new Array(i),n=0;n<i;++n)for(var o,a=e[n],s=a.length,l=r[n]=[],c=0;c<s;++c)(o=a[c])&&t.call(o,o.__data__,c,a)&&l.push(o);return new ji(r,this._parents,this._name,this._id)},merge:function(t){if(t._id!==this._id)throw new Error;for(var e=this._groups,i=t._groups,r=e.length,n=i.length,o=Math.min(r,n),a=new Array(r),s=0;s<o;++s)for(var l,c=e[s],h=i[s],u=c.length,d=a[s]=new Array(u),f=0;f<u;++f)(l=c[f]||h[f])&&(d[f]=l);for(;s<r;++s)a[s]=e[s];return new ji(a,this._parents,this._name,this._id)},selection:function(){return new Mi(this._groups,this._parents)},transition:function(){for(var t=this._name,e=this._id,i=Zi(),r=this._groups,n=r.length,o=0;o<n;++o)for(var a,s=r[o],l=s.length,c=0;c<l;++c)if(a=s[c]){var h=ge(a,e);de(a,t,i,c,s,{time:h.time+h.delay+h.duration,delay:0,duration:h.duration,ease:h.ease})}return new ji(r,this._parents,t,i)},call:Ii.call,nodes:Ii.nodes,node:Ii.node,size:Ii.size,empty:Ii.empty,each:Ii.each,on:function(t,e){var i=this._id;return arguments.length<2?ge(this.node(),i).on.on(t):this.each(function(t,e,i){var r,n,o=function(t){return(t+"").trim().split(/^|\s+/).every((function(t){var e=t.indexOf(".");return e>=0&&(t=t.slice(0,e)),!t||"start"===t}))}(e)?fe:pe;return function(){var a=o(this,t),s=a.on;s!==r&&(n=(r=s).copy()).on(e,i),a.on=n}}(i,t,e))},attr:function(t,e){var i=q(t),r="transform"===i?ke:xi;return this.attrTween(t,"function"==typeof e?(i.local?Ti:ki)(i,r,Se(this,"attr."+t,e)):null==e?(i.local?Ci:bi)(i):(i.local?vi:_i)(i,r,e))},attrTween:function(t,e){var i="attr."+t;if(arguments.length<2)return(i=this.tween(i))&&i._value;if(null==e)return this.tween(i,null);if("function"!=typeof e)throw new Error;var r=q(t);return this.tween(i,(r.local?wi:Si)(r,e))},style:function(t,e,i){var r="transform"==(t+="")?ve:xi;return null==e?this.styleTween(t,function(t,e){var i,r,n;return function(){var o=X(this,t),a=(this.style.removeProperty(t),X(this,t));return o===a?null:o===i&&a===r?n:n=e(i=o,r=a)}}(t,r)).on("end.style."+t,Ei(t)):"function"==typeof e?this.styleTween(t,function(t,e,i){var r,n,o;return function(){var a=X(this,t),s=i(this),l=s+"";return null==s&&(this.style.removeProperty(t),l=s=X(this,t)),a===l?null:a===r&&l===n?o:(n=l,o=e(r=a,s))}}(t,r,Se(this,"style."+t,e))).each(function(t,e){var i,r,n,o,a="style."+e,s="end."+a;return function(){var l=pe(this,t),c=l.on,h=null==l.value[a]?o||(o=Ei(e)):void 0;c===i&&n===h||(r=(i=c).copy()).on(s,n=h),l.on=r}}(this._id,t)):this.styleTween(t,function(t,e,i){var r,n,o=i+"";return function(){var a=X(this,t);return a===o?null:a===r?n:n=e(r=a,i)}}(t,r,e),i).on("end.style."+t,null)},styleTween:function(t,e,i){var r="style."+(t+="");if(arguments.length<2)return(r=this.tween(r))&&r._value;if(null==e)return this.tween(r,null);if("function"!=typeof e)throw new Error;return this.tween(r,function(t,e,i){var r,n;function o(){var o=e.apply(this,arguments);return o!==n&&(r=(n=o)&&function(t,e,i){return function(r){this.style.setProperty(t,e.call(this,r),i)}}(t,o,i)),r}return o._value=e,o}(t,e,null==i?"":i))},text:function(t){return this.tween("text","function"==typeof t?function(t){return function(){var e=t(this);this.textContent=null==e?"":e}}(Se(this,"text",t)):function(t){return function(){this.textContent=t}}(null==t?"":t+""))},textTween:function(t){var e="text";if(arguments.length<1)return(e=this.tween(e))&&e._value;if(null==t)return this.tween(e,null);if("function"!=typeof t)throw new Error;return this.tween(e,function(t){var e,i;function r(){var r=t.apply(this,arguments);return r!==i&&(e=(i=r)&&function(t){return function(e){this.textContent=t.call(this,e)}}(r)),e}return r._value=t,r}(t))},remove:function(){return this.on("end.remove",function(t){return function(){var e=this.parentNode;for(var i in this.__transition)if(+i!==t)return;e&&e.removeChild(this)}}(this._id))},tween:function(t,e){var i=this._id;if(t+="",arguments.length<2){for(var r,n=ge(this.node(),i).tween,o=0,a=n.length;o<a;++o)if((r=n[o]).name===t)return r.value;return null}return this.each((null==e?Te:we)(i,t,e))},delay:function(t){var e=this._id;return arguments.length?this.each(("function"==typeof t?Bi:Fi)(e,t)):ge(this.node(),e).delay},duration:function(t){var e=this._id;return arguments.length?this.each(("function"==typeof t?Li:Ai)(e,t)):ge(this.node(),e).duration},ease:function(t){var e=this._id;return arguments.length?this.each(function(t,e){if("function"!=typeof e)throw new Error;return function(){pe(this,t).ease=e}}(e,t)):ge(this.node(),e).ease},easeVarying:function(t){if("function"!=typeof t)throw new Error;return this.each(function(t,e){return function(){var i=e.apply(this,arguments);if("function"!=typeof i)throw new Error;pe(this,t).ease=i}}(this._id,t))},end:function(){var t,e,i=this,r=i._id,n=i.size();return new Promise((function(o,a){var s={value:a},l={value:function(){0==--n&&o()}};i.each((function(){var i=pe(this,r),n=i.on;n!==t&&((e=(t=n).copy())._.cancel.push(s),e._.interrupt.push(s),e._.end.push(l)),i.on=e})),0===n&&o()}))},[Symbol.iterator]:Ii[Symbol.iterator]};var Oi={time:null,delay:0,duration:250,ease:function(t){return((t*=2)<=1?t*t*t:(t-=2)*t*t+2)/2}};function Di(t,e){for(var i;!(i=t.__transition)||!(i=i[e]);)if(!(t=t.parentNode))throw new Error(`transition ${e} not found`);return i}Mt.prototype.interrupt=function(t){return this.each((function(){!function(t,e){var i,r,n,o=t.__transition,a=!0;if(o){for(n in e=null==e?null:e+"",o)(i=o[n]).name===e?(r=i.state>se&&i.state<he,i.state=ue,i.timer.stop(),i.on.call(r?"interrupt":"cancel",t,t.__data__,i.index,i.group),delete o[n]):a=!1;a&&delete t.__transition}}(this,t)}))},Mt.prototype.transition=function(t){var e,i;t instanceof ji?(e=t._id,t=t._name):(e=Zi(),(i=Oi).time=Gt(),t=null==t?null:t+"");for(var r=this._groups,n=r.length,o=0;o<n;++o)for(var a,s=r[o],l=s.length,c=0;c<l;++c)(a=s[c])&&de(a,t,e,c,s,i||Di(a,e));return new ji(r,this._parents,t,e)};const{abs:qi,max:$i,min:zi}=Math;function Pi(t){return[+t[0],+t[1]]}function Ri(t){return[Pi(t[0]),Pi(t[1])]}["w","e"].map(Hi),["n","s"].map(Hi),["n","w","e","s","nw","ne","sw","se"].map(Hi);function Hi(t){return{type:t}}function Wi(t){if(!t.ok)throw new Error(t.status+" "+t.statusText);return t.text()}function Ui(t){return(e,i)=>function(t,e){return fetch(t,e).then(Wi)}(e,i).then((e=>(new DOMParser).parseFromString(e,t)))}Ui("application/xml");Ui("text/html");var Yi=Ui("image/svg+xml");const Vi=Math.PI/180,Gi=180/Math.PI,Xi=.96422,Ji=1,Qi=.82521,Ki=4/29,tr=6/29,er=3*tr*tr,ir=tr*tr*tr;function rr(t){if(t instanceof nr)return new nr(t.l,t.a,t.b,t.opacity);if(t instanceof ur)return dr(t);t instanceof Xe||(t=Ve(t));var e,i,r=lr(t.r),n=lr(t.g),o=lr(t.b),a=or((.2225045*r+.7168786*n+.0606169*o)/Ji);return r===n&&n===o?e=i=a:(e=or((.4360747*r+.3850649*n+.1430804*o)/Xi),i=or((.0139322*r+.0971045*n+.7141733*o)/Qi)),new nr(116*a-16,500*(e-a),200*(a-i),t.opacity)}function nr(t,e,i,r){this.l=+t,this.a=+e,this.b=+i,this.opacity=+r}function or(t){return t>ir?Math.pow(t,1/3):t/er+Ki}function ar(t){return t>tr?t*t*t:er*(t-Ki)}function sr(t){return 255*(t<=.0031308?12.92*t:1.055*Math.pow(t,1/2.4)-.055)}function lr(t){return(t/=255)<=.04045?t/12.92:Math.pow((t+.055)/1.055,2.4)}function cr(t){if(t instanceof ur)return new ur(t.h,t.c,t.l,t.opacity);if(t instanceof nr||(t=rr(t)),0===t.a&&0===t.b)return new ur(NaN,0<t.l&&t.l<100?0:NaN,t.l,t.opacity);var e=Math.atan2(t.b,t.a)*Gi;return new ur(e<0?e+360:e,Math.sqrt(t.a*t.a+t.b*t.b),t.l,t.opacity)}function hr(t,e,i,r){return 1===arguments.length?cr(t):new ur(t,e,i,null==r?1:r)}function ur(t,e,i,r){this.h=+t,this.c=+e,this.l=+i,this.opacity=+r}function dr(t){if(isNaN(t.h))return new nr(t.l,0,0,t.opacity);var e=t.h*Vi;return new nr(t.l,Math.cos(e)*t.c,Math.sin(e)*t.c,t.opacity)}function fr(t){return function(e,i){var r=t((e=hr(e)).h,(i=hr(i)).h),n=di(e.c,i.c),o=di(e.l,i.l),a=di(e.opacity,i.opacity);return function(t){return e.h=r(t),e.c=n(t),e.l=o(t),e.opacity=a(t),e+""}}}Be(nr,(function(t,e,i,r){return 1===arguments.length?rr(t):new nr(t,e,i,null==r?1:r)}),Fe(Le,{brighter(t){return new nr(this.l+18*(null==t?1:t),this.a,this.b,this.opacity)},darker(t){return new nr(this.l-18*(null==t?1:t),this.a,this.b,this.opacity)},rgb(){var t=(this.l+16)/116,e=isNaN(this.a)?t:t+this.a/500,i=isNaN(this.b)?t:t-this.b/200;return new Xe(sr(3.1338561*(e=Xi*ar(e))-1.6168667*(t=Ji*ar(t))-.4906146*(i=Qi*ar(i))),sr(-.9787684*e+1.9161415*t+.033454*i),sr(.0719453*e-.2289914*t+1.4052427*i),this.opacity)}})),Be(ur,hr,Fe(Le,{brighter(t){return new ur(this.h,this.c,this.l+18*(null==t?1:t),this.opacity)},darker(t){return new ur(this.h,this.c,this.l-18*(null==t?1:t),this.opacity)},rgb(){return dr(this).rgb()}}));const pr=fr((function(t,e){var i=e-t;return i?hi(t,i>180||i<-180?i-360*Math.round(i/360):i):ci(isNaN(t)?e:t)}));fr(di);function gr(t,e){switch(arguments.length){case 0:break;case 1:this.range(t);break;default:this.range(e).domain(t)}return this}class mr extends Map{constructor(t,e=Cr){if(super(),Object.defineProperties(this,{_intern:{value:new Map},_key:{value:e}}),null!=t)for(const[i,r]of t)this.set(i,r)}get(t){return super.get(yr(this,t))}has(t){return super.has(yr(this,t))}set(t,e){return super.set(xr(this,t),e)}delete(t){return super.delete(br(this,t))}}function yr({_intern:t,_key:e},i){const r=e(i);return t.has(r)?t.get(r):i}function xr({_intern:t,_key:e},i){const r=e(i);return t.has(r)?t.get(r):(t.set(r,i),i)}function br({_intern:t,_key:e},i){const r=e(i);return t.has(r)&&(i=t.get(r),t.delete(r)),i}function Cr(t){return null!==t&&"object"==typeof t?t.valueOf():t}const _r=Symbol("implicit");function vr(){var t=new mr,e=[],i=[],r=_r;function n(n){let o=t.get(n);if(void 0===o){if(r!==_r)return r;t.set(n,o=e.push(n)-1)}return i[o%i.length]}return n.domain=function(i){if(!arguments.length)return e.slice();e=[],t=new mr;for(const r of i)t.has(r)||t.set(r,e.push(r)-1);return n},n.range=function(t){return arguments.length?(i=Array.from(t),n):i.slice()},n.unknown=function(t){return arguments.length?(r=t,n):r},n.copy=function(){return vr(e,i).unknown(r)},gr.apply(n,arguments),n}function kr(){var t,e,i=vr().unknown(void 0),r=i.domain,n=i.range,o=0,a=1,s=!1,l=0,c=0,h=.5;function u(){var i=r().length,u=a<o,d=u?a:o,f=u?o:a;t=(f-d)/Math.max(1,i-l+2*c),s&&(t=Math.floor(t)),d+=(f-d-t*(i-l))*h,e=t*(1-l),s&&(d=Math.round(d),e=Math.round(e));var p=function(t,e,i){t=+t,e=+e,i=(n=arguments.length)<2?(e=t,t=0,1):n<3?1:+i;for(var r=-1,n=0|Math.max(0,Math.ceil((e-t)/i)),o=new Array(n);++r<n;)o[r]=t+r*i;return o}(i).map((function(e){return d+t*e}));return n(u?p.reverse():p)}return delete i.unknown,i.domain=function(t){return arguments.length?(r(t),u()):r()},i.range=function(t){return arguments.length?([o,a]=t,o=+o,a=+a,u()):[o,a]},i.rangeRound=function(t){return[o,a]=t,o=+o,a=+a,s=!0,u()},i.bandwidth=function(){return e},i.step=function(){return t},i.round=function(t){return arguments.length?(s=!!t,u()):s},i.padding=function(t){return arguments.length?(l=Math.min(1,c=+t),u()):l},i.paddingInner=function(t){return arguments.length?(l=Math.min(1,t),u()):l},i.paddingOuter=function(t){return arguments.length?(c=+t,u()):c},i.align=function(t){return arguments.length?(h=Math.max(0,Math.min(1,t)),u()):h},i.copy=function(){return kr(r(),[o,a]).round(s).paddingInner(l).paddingOuter(c).align(h)},gr.apply(u(),arguments)}const Tr=Math.sqrt(50),wr=Math.sqrt(10),Sr=Math.sqrt(2);function Br(t,e,i){const r=(e-t)/Math.max(0,i),n=Math.floor(Math.log10(r)),o=r/Math.pow(10,n),a=o>=Tr?10:o>=wr?5:o>=Sr?2:1;let s,l,c;return n<0?(c=Math.pow(10,-n)/a,s=Math.round(t*c),l=Math.round(e*c),s/c<t&&++s,l/c>e&&--l,c=-c):(c=Math.pow(10,n)*a,s=Math.round(t/c),l=Math.round(e/c),s*c<t&&++s,l*c>e&&--l),l<s&&.5<=i&&i<2?Br(t,e,2*i):[s,l,c]}function Fr(t,e,i){return Br(t=+t,e=+e,i=+i)[2]}function Lr(t,e,i){i=+i;const r=(e=+e)<(t=+t),n=r?Fr(e,t,i):Fr(t,e,i);return(r?-1:1)*(n<0?1/-n:n)}function Ar(t,e){return null==t||null==e?NaN:t<e?-1:t>e?1:t>=e?0:NaN}function Mr(t,e){return null==t||null==e?NaN:e<t?-1:e>t?1:e>=t?0:NaN}function Er(t){let e,i,r;function n(t,r,n=0,o=t.length){if(n<o){if(0!==e(r,r))return o;do{const e=n+o>>>1;i(t[e],r)<0?n=e+1:o=e}while(n<o)}return n}return 2!==t.length?(e=Ar,i=(e,i)=>Ar(t(e),i),r=(e,i)=>t(e)-i):(e=t===Ar||t===Mr?t:Nr,i=t,r=t),{left:n,center:function(t,e,i=0,o=t.length){const a=n(t,e,i,o-1);return a>i&&r(t[a-1],e)>-r(t[a],e)?a-1:a},right:function(t,r,n=0,o=t.length){if(n<o){if(0!==e(r,r))return o;do{const e=n+o>>>1;i(t[e],r)<=0?n=e+1:o=e}while(n<o)}return n}}}function Nr(){return 0}const jr=Er(Ar),Zr=jr.right,Ir=(jr.left,Er((function(t){return null===t?NaN:+t})).center,Zr);function Or(t,e){var i,r=e?e.length:0,n=t?Math.min(r,t.length):0,o=new Array(n),a=new Array(r);for(i=0;i<n;++i)o[i]=zr(t[i],e[i]);for(;i<r;++i)a[i]=e[i];return function(t){for(i=0;i<n;++i)a[i]=o[i](t);return a}}function Dr(t,e){var i=new Date;return t=+t,e=+e,function(r){return i.setTime(t*(1-r)+e*r),i}}function qr(t,e){var i,r={},n={};for(i in null!==t&&"object"==typeof t||(t={}),null!==e&&"object"==typeof e||(e={}),e)i in t?r[i]=zr(t[i],e[i]):n[i]=e[i];return function(t){for(i in r)n[i]=r[i](t);return n}}function $r(t,e){e||(e=[]);var i,r=t?Math.min(e.length,t.length):0,n=e.slice();return function(o){for(i=0;i<r;++i)n[i]=t[i]*(1-o)+e[i]*o;return n}}function zr(t,e){var i,r,n=typeof e;return null==e||"boolean"===n?ci(e):("number"===n?me:"string"===n?(i=We(e))?(e=i,fi):yi:e instanceof We?fi:e instanceof Date?Dr:(r=e,!ArrayBuffer.isView(r)||r instanceof DataView?Array.isArray(e)?Or:"function"!=typeof e.valueOf&&"function"!=typeof e.toString||isNaN(e)?qr:me:$r))(t,e)}function Pr(t,e){return t=+t,e=+e,function(i){return Math.round(t*(1-i)+e*i)}}function Rr(t){return+t}var Hr=[0,1];function Wr(t){return t}function Ur(t,e){return(e-=t=+t)?function(i){return(i-t)/e}:(i=isNaN(e)?NaN:.5,function(){return i});var i}function Yr(t,e,i){var r=t[0],n=t[1],o=e[0],a=e[1];return n<r?(r=Ur(n,r),o=i(a,o)):(r=Ur(r,n),o=i(o,a)),function(t){return o(r(t))}}function Vr(t,e,i){var r=Math.min(t.length,e.length)-1,n=new Array(r),o=new Array(r),a=-1;for(t[r]<t[0]&&(t=t.slice().reverse(),e=e.slice().reverse());++a<r;)n[a]=Ur(t[a],t[a+1]),o[a]=i(e[a],e[a+1]);return function(e){var i=Ir(t,e,1,r)-1;return o[i](n[i](e))}}function Gr(t,e){return e.domain(t.domain()).range(t.range()).interpolate(t.interpolate()).clamp(t.clamp()).unknown(t.unknown())}function Xr(){var t,e,i,r,n,o,a=Hr,s=Hr,l=zr,c=Wr;function h(){var t,e,i,l=Math.min(a.length,s.length);return c!==Wr&&(t=a[0],e=a[l-1],t>e&&(i=t,t=e,e=i),c=function(i){return Math.max(t,Math.min(e,i))}),r=l>2?Vr:Yr,n=o=null,u}function u(e){return null==e||isNaN(e=+e)?i:(n||(n=r(a.map(t),s,l)))(t(c(e)))}return u.invert=function(i){return c(e((o||(o=r(s,a.map(t),me)))(i)))},u.domain=function(t){return arguments.length?(a=Array.from(t,Rr),h()):a.slice()},u.range=function(t){return arguments.length?(s=Array.from(t),h()):s.slice()},u.rangeRound=function(t){return s=Array.from(t),l=Pr,h()},u.clamp=function(t){return arguments.length?(c=!!t||Wr,h()):c!==Wr},u.interpolate=function(t){return arguments.length?(l=t,h()):l},u.unknown=function(t){return arguments.length?(i=t,u):i},function(i,r){return t=i,e=r,h()}}function Jr(){return Xr()(Wr,Wr)}var Qr,Kr=/^(?:(.)?([<>=^]))?([+\-( ])?([$#])?(0)?(\d+)?(,)?(\.\d+)?(~)?([a-z%])?$/i;function tn(t){if(!(e=Kr.exec(t)))throw new Error("invalid format: "+t);var e;return new en({fill:e[1],align:e[2],sign:e[3],symbol:e[4],zero:e[5],width:e[6],comma:e[7],precision:e[8]&&e[8].slice(1),trim:e[9],type:e[10]})}function en(t){this.fill=void 0===t.fill?" ":t.fill+"",this.align=void 0===t.align?">":t.align+"",this.sign=void 0===t.sign?"-":t.sign+"",this.symbol=void 0===t.symbol?"":t.symbol+"",this.zero=!!t.zero,this.width=void 0===t.width?void 0:+t.width,this.comma=!!t.comma,this.precision=void 0===t.precision?void 0:+t.precision,this.trim=!!t.trim,this.type=void 0===t.type?"":t.type+""}function rn(t,e){if((i=(t=e?t.toExponential(e-1):t.toExponential()).indexOf("e"))<0)return null;var i,r=t.slice(0,i);return[r.length>1?r[0]+r.slice(2):r,+t.slice(i+1)]}function nn(t){return(t=rn(Math.abs(t)))?t[1]:NaN}function on(t,e){var i=rn(t,e);if(!i)return t+"";var r=i[0],n=i[1];return n<0?"0."+new Array(-n).join("0")+r:r.length>n+1?r.slice(0,n+1)+"."+r.slice(n+1):r+new Array(n-r.length+2).join("0")}tn.prototype=en.prototype,en.prototype.toString=function(){return this.fill+this.align+this.sign+this.symbol+(this.zero?"0":"")+(void 0===this.width?"":Math.max(1,0|this.width))+(this.comma?",":"")+(void 0===this.precision?"":"."+Math.max(0,0|this.precision))+(this.trim?"~":"")+this.type};const an={"%":(t,e)=>(100*t).toFixed(e),b:t=>Math.round(t).toString(2),c:t=>t+"",d:function(t){return Math.abs(t=Math.round(t))>=1e21?t.toLocaleString("en").replace(/,/g,""):t.toString(10)},e:(t,e)=>t.toExponential(e),f:(t,e)=>t.toFixed(e),g:(t,e)=>t.toPrecision(e),o:t=>Math.round(t).toString(8),p:(t,e)=>on(100*t,e),r:on,s:function(t,e){var i=rn(t,e);if(!i)return t+"";var r=i[0],n=i[1],o=n-(Qr=3*Math.max(-8,Math.min(8,Math.floor(n/3))))+1,a=r.length;return o===a?r:o>a?r+new Array(o-a+1).join("0"):o>0?r.slice(0,o)+"."+r.slice(o):"0."+new Array(1-o).join("0")+rn(t,Math.max(0,e+o-1))[0]},X:t=>Math.round(t).toString(16).toUpperCase(),x:t=>Math.round(t).toString(16)};function sn(t){return t}var ln,cn,hn,un=Array.prototype.map,dn=["y","z","a","f","p","n","\xb5","m","","k","M","G","T","P","E","Z","Y"];function fn(t){var e,i,r=void 0===t.grouping||void 0===t.thousands?sn:(e=un.call(t.grouping,Number),i=t.thousands+"",function(t,r){for(var n=t.length,o=[],a=0,s=e[0],l=0;n>0&&s>0&&(l+s+1>r&&(s=Math.max(1,r-l)),o.push(t.substring(n-=s,n+s)),!((l+=s+1)>r));)s=e[a=(a+1)%e.length];return o.reverse().join(i)}),n=void 0===t.currency?"":t.currency[0]+"",o=void 0===t.currency?"":t.currency[1]+"",a=void 0===t.decimal?".":t.decimal+"",s=void 0===t.numerals?sn:function(t){return function(e){return e.replace(/[0-9]/g,(function(e){return t[+e]}))}}(un.call(t.numerals,String)),l=void 0===t.percent?"%":t.percent+"",c=void 0===t.minus?"\u2212":t.minus+"",h=void 0===t.nan?"NaN":t.nan+"";function u(t){var e=(t=tn(t)).fill,i=t.align,u=t.sign,d=t.symbol,f=t.zero,p=t.width,g=t.comma,m=t.precision,y=t.trim,x=t.type;"n"===x?(g=!0,x="g"):an[x]||(void 0===m&&(m=12),y=!0,x="g"),(f||"0"===e&&"="===i)&&(f=!0,e="0",i="=");var b="$"===d?n:"#"===d&&/[boxX]/.test(x)?"0"+x.toLowerCase():"",C="$"===d?o:/[%p]/.test(x)?l:"",_=an[x],v=/[defgprs%]/.test(x);function k(t){var n,o,l,d=b,k=C;if("c"===x)k=_(t)+k,t="";else{var T=(t=+t)<0||1/t<0;if(t=isNaN(t)?h:_(Math.abs(t),m),y&&(t=function(t){t:for(var e,i=t.length,r=1,n=-1;r<i;++r)switch(t[r]){case".":n=e=r;break;case"0":0===n&&(n=r),e=r;break;default:if(!+t[r])break t;n>0&&(n=0)}return n>0?t.slice(0,n)+t.slice(e+1):t}(t)),T&&0==+t&&"+"!==u&&(T=!1),d=(T?"("===u?u:c:"-"===u||"("===u?"":u)+d,k=("s"===x?dn[8+Qr/3]:"")+k+(T&&"("===u?")":""),v)for(n=-1,o=t.length;++n<o;)if(48>(l=t.charCodeAt(n))||l>57){k=(46===l?a+t.slice(n+1):t.slice(n))+k,t=t.slice(0,n);break}}g&&!f&&(t=r(t,1/0));var w=d.length+t.length+k.length,S=w<p?new Array(p-w+1).join(e):"";switch(g&&f&&(t=r(S+t,S.length?p-k.length:1/0),S=""),i){case"<":t=d+t+k+S;break;case"=":t=d+S+t+k;break;case"^":t=S.slice(0,w=S.length>>1)+d+t+k+S.slice(w);break;default:t=S+d+t+k}return s(t)}return m=void 0===m?6:/[gprs]/.test(x)?Math.max(1,Math.min(21,m)):Math.max(0,Math.min(20,m)),k.toString=function(){return t+""},k}return{format:u,formatPrefix:function(t,e){var i=u(((t=tn(t)).type="f",t)),r=3*Math.max(-8,Math.min(8,Math.floor(nn(e)/3))),n=Math.pow(10,-r),o=dn[8+r/3];return function(t){return i(n*t)+o}}}}function pn(t,e,i,r){var n,o=Lr(t,e,i);switch((r=tn(null==r?",f":r)).type){case"s":var a=Math.max(Math.abs(t),Math.abs(e));return null!=r.precision||isNaN(n=function(t,e){return Math.max(0,3*Math.max(-8,Math.min(8,Math.floor(nn(e)/3)))-nn(Math.abs(t)))}(o,a))||(r.precision=n),hn(r,a);case"":case"e":case"g":case"p":case"r":null!=r.precision||isNaN(n=function(t,e){return t=Math.abs(t),e=Math.abs(e)-t,Math.max(0,nn(e)-nn(t))+1}(o,Math.max(Math.abs(t),Math.abs(e))))||(r.precision=n-("e"===r.type));break;case"f":case"%":null!=r.precision||isNaN(n=function(t){return Math.max(0,-nn(Math.abs(t)))}(o))||(r.precision=n-2*("%"===r.type))}return cn(r)}function gn(t){var e=t.domain;return t.ticks=function(t){var i=e();return function(t,e,i){if(!((i=+i)>0))return[];if((t=+t)==(e=+e))return[t];const r=e<t,[n,o,a]=r?Br(e,t,i):Br(t,e,i);if(!(o>=n))return[];const s=o-n+1,l=new Array(s);if(r)if(a<0)for(let c=0;c<s;++c)l[c]=(o-c)/-a;else for(let c=0;c<s;++c)l[c]=(o-c)*a;else if(a<0)for(let c=0;c<s;++c)l[c]=(n+c)/-a;else for(let c=0;c<s;++c)l[c]=(n+c)*a;return l}(i[0],i[i.length-1],null==t?10:t)},t.tickFormat=function(t,i){var r=e();return pn(r[0],r[r.length-1],null==t?10:t,i)},t.nice=function(i){null==i&&(i=10);var r,n,o=e(),a=0,s=o.length-1,l=o[a],c=o[s],h=10;for(c<l&&(n=l,l=c,c=n,n=a,a=s,s=n);h-- >0;){if((n=Fr(l,c,i))===r)return o[a]=l,o[s]=c,e(o);if(n>0)l=Math.floor(l/n)*n,c=Math.ceil(c/n)*n;else{if(!(n<0))break;l=Math.ceil(l*n)/n,c=Math.floor(c*n)/n}r=n}return t},t}function mn(){var t=Jr();return t.copy=function(){return Gr(t,mn())},gr.apply(t,arguments),gn(t)}ln=fn({thousands:",",grouping:[3],currency:["$",""]}),cn=ln.format,hn=ln.formatPrefix;const yn=1e3,xn=6e4,bn=36e5,Cn=864e5,_n=6048e5,vn=2592e6,kn=31536e6,Tn=new Date,wn=new Date;function Sn(t,e,i,r){function n(e){return t(e=0===arguments.length?new Date:new Date(+e)),e}return n.floor=e=>(t(e=new Date(+e)),e),n.ceil=i=>(t(i=new Date(i-1)),e(i,1),t(i),i),n.round=t=>{const e=n(t),i=n.ceil(t);return t-e<i-t?e:i},n.offset=(t,i)=>(e(t=new Date(+t),null==i?1:Math.floor(i)),t),n.range=(i,r,o)=>{const a=[];if(i=n.ceil(i),o=null==o?1:Math.floor(o),!(i<r&&o>0))return a;let s;do{a.push(s=new Date(+i)),e(i,o),t(i)}while(s<i&&i<r);return a},n.filter=i=>Sn((e=>{if(e>=e)for(;t(e),!i(e);)e.setTime(e-1)}),((t,r)=>{if(t>=t)if(r<0)for(;++r<=0;)for(;e(t,-1),!i(t););else for(;--r>=0;)for(;e(t,1),!i(t););})),i&&(n.count=(e,r)=>(Tn.setTime(+e),wn.setTime(+r),t(Tn),t(wn),Math.floor(i(Tn,wn))),n.every=t=>(t=Math.floor(t),isFinite(t)&&t>0?t>1?n.filter(r?e=>r(e)%t==0:e=>n.count(0,e)%t==0):n:null)),n}const Bn=Sn((()=>{}),((t,e)=>{t.setTime(+t+e)}),((t,e)=>e-t));Bn.every=t=>(t=Math.floor(t),isFinite(t)&&t>0?t>1?Sn((e=>{e.setTime(Math.floor(e/t)*t)}),((e,i)=>{e.setTime(+e+i*t)}),((e,i)=>(i-e)/t)):Bn:null);Bn.range;const Fn=Sn((t=>{t.setTime(t-t.getMilliseconds())}),((t,e)=>{t.setTime(+t+e*yn)}),((t,e)=>(e-t)/yn),(t=>t.getUTCSeconds())),Ln=(Fn.range,Sn((t=>{t.setTime(t-t.getMilliseconds()-t.getSeconds()*yn)}),((t,e)=>{t.setTime(+t+e*xn)}),((t,e)=>(e-t)/xn),(t=>t.getMinutes()))),An=(Ln.range,Sn((t=>{t.setUTCSeconds(0,0)}),((t,e)=>{t.setTime(+t+e*xn)}),((t,e)=>(e-t)/xn),(t=>t.getUTCMinutes()))),Mn=(An.range,Sn((t=>{t.setTime(t-t.getMilliseconds()-t.getSeconds()*yn-t.getMinutes()*xn)}),((t,e)=>{t.setTime(+t+e*bn)}),((t,e)=>(e-t)/bn),(t=>t.getHours()))),En=(Mn.range,Sn((t=>{t.setUTCMinutes(0,0,0)}),((t,e)=>{t.setTime(+t+e*bn)}),((t,e)=>(e-t)/bn),(t=>t.getUTCHours()))),Nn=(En.range,Sn((t=>t.setHours(0,0,0,0)),((t,e)=>t.setDate(t.getDate()+e)),((t,e)=>(e-t-(e.getTimezoneOffset()-t.getTimezoneOffset())*xn)/Cn),(t=>t.getDate()-1))),jn=(Nn.range,Sn((t=>{t.setUTCHours(0,0,0,0)}),((t,e)=>{t.setUTCDate(t.getUTCDate()+e)}),((t,e)=>(e-t)/Cn),(t=>t.getUTCDate()-1))),Zn=(jn.range,Sn((t=>{t.setUTCHours(0,0,0,0)}),((t,e)=>{t.setUTCDate(t.getUTCDate()+e)}),((t,e)=>(e-t)/Cn),(t=>Math.floor(t/Cn))));Zn.range;function In(t){return Sn((e=>{e.setDate(e.getDate()-(e.getDay()+7-t)%7),e.setHours(0,0,0,0)}),((t,e)=>{t.setDate(t.getDate()+7*e)}),((t,e)=>(e-t-(e.getTimezoneOffset()-t.getTimezoneOffset())*xn)/_n))}const On=In(0),Dn=In(1),qn=In(2),$n=In(3),zn=In(4),Pn=In(5),Rn=In(6);On.range,Dn.range,qn.range,$n.range,zn.range,Pn.range,Rn.range;function Hn(t){return Sn((e=>{e.setUTCDate(e.getUTCDate()-(e.getUTCDay()+7-t)%7),e.setUTCHours(0,0,0,0)}),((t,e)=>{t.setUTCDate(t.getUTCDate()+7*e)}),((t,e)=>(e-t)/_n))}const Wn=Hn(0),Un=Hn(1),Yn=Hn(2),Vn=Hn(3),Gn=Hn(4),Xn=Hn(5),Jn=Hn(6),Qn=(Wn.range,Un.range,Yn.range,Vn.range,Gn.range,Xn.range,Jn.range,Sn((t=>{t.setDate(1),t.setHours(0,0,0,0)}),((t,e)=>{t.setMonth(t.getMonth()+e)}),((t,e)=>e.getMonth()-t.getMonth()+12*(e.getFullYear()-t.getFullYear())),(t=>t.getMonth()))),Kn=(Qn.range,Sn((t=>{t.setUTCDate(1),t.setUTCHours(0,0,0,0)}),((t,e)=>{t.setUTCMonth(t.getUTCMonth()+e)}),((t,e)=>e.getUTCMonth()-t.getUTCMonth()+12*(e.getUTCFullYear()-t.getUTCFullYear())),(t=>t.getUTCMonth()))),to=(Kn.range,Sn((t=>{t.setMonth(0,1),t.setHours(0,0,0,0)}),((t,e)=>{t.setFullYear(t.getFullYear()+e)}),((t,e)=>e.getFullYear()-t.getFullYear()),(t=>t.getFullYear())));to.every=t=>isFinite(t=Math.floor(t))&&t>0?Sn((e=>{e.setFullYear(Math.floor(e.getFullYear()/t)*t),e.setMonth(0,1),e.setHours(0,0,0,0)}),((e,i)=>{e.setFullYear(e.getFullYear()+i*t)})):null;to.range;const eo=Sn((t=>{t.setUTCMonth(0,1),t.setUTCHours(0,0,0,0)}),((t,e)=>{t.setUTCFullYear(t.getUTCFullYear()+e)}),((t,e)=>e.getUTCFullYear()-t.getUTCFullYear()),(t=>t.getUTCFullYear()));eo.every=t=>isFinite(t=Math.floor(t))&&t>0?Sn((e=>{e.setUTCFullYear(Math.floor(e.getUTCFullYear()/t)*t),e.setUTCMonth(0,1),e.setUTCHours(0,0,0,0)}),((e,i)=>{e.setUTCFullYear(e.getUTCFullYear()+i*t)})):null;eo.range;function io(t,e,i,r,n,o){const a=[[Fn,1,yn],[Fn,5,5e3],[Fn,15,15e3],[Fn,30,3e4],[o,1,xn],[o,5,3e5],[o,15,9e5],[o,30,18e5],[n,1,bn],[n,3,108e5],[n,6,216e5],[n,12,432e5],[r,1,Cn],[r,2,1728e5],[i,1,_n],[e,1,vn],[e,3,7776e6],[t,1,kn]];function s(e,i,r){const n=Math.abs(i-e)/r,o=Er((([,,t])=>t)).right(a,n);if(o===a.length)return t.every(Lr(e/kn,i/kn,r));if(0===o)return Bn.every(Math.max(Lr(e,i,r),1));const[s,l]=a[n/a[o-1][2]<a[o][2]/n?o-1:o];return s.every(l)}return[function(t,e,i){const r=e<t;r&&([t,e]=[e,t]);const n=i&&"function"==typeof i.range?i:s(t,e,i),o=n?n.range(t,+e+1):[];return r?o.reverse():o},s]}const[ro,no]=io(eo,Kn,Wn,Zn,En,An),[oo,ao]=io(to,Qn,On,Nn,Mn,Ln);function so(t){if(0<=t.y&&t.y<100){var e=new Date(-1,t.m,t.d,t.H,t.M,t.S,t.L);return e.setFullYear(t.y),e}return new Date(t.y,t.m,t.d,t.H,t.M,t.S,t.L)}function lo(t){if(0<=t.y&&t.y<100){var e=new Date(Date.UTC(-1,t.m,t.d,t.H,t.M,t.S,t.L));return e.setUTCFullYear(t.y),e}return new Date(Date.UTC(t.y,t.m,t.d,t.H,t.M,t.S,t.L))}function co(t,e,i){return{y:t,m:e,d:i,H:0,M:0,S:0,L:0}}var ho,uo,fo={"-":"",_:" ",0:"0"},po=/^\s*\d+/,go=/^%/,mo=/[\\^$*+?|[\]().{}]/g;function yo(t,e,i){var r=t<0?"-":"",n=(r?-t:t)+"",o=n.length;return r+(o<i?new Array(i-o+1).join(e)+n:n)}function xo(t){return t.replace(mo,"\\$&")}function bo(t){return new RegExp("^(?:"+t.map(xo).join("|")+")","i")}function Co(t){return new Map(t.map(((t,e)=>[t.toLowerCase(),e])))}function _o(t,e,i){var r=po.exec(e.slice(i,i+1));return r?(t.w=+r[0],i+r[0].length):-1}function vo(t,e,i){var r=po.exec(e.slice(i,i+1));return r?(t.u=+r[0],i+r[0].length):-1}function ko(t,e,i){var r=po.exec(e.slice(i,i+2));return r?(t.U=+r[0],i+r[0].length):-1}function To(t,e,i){var r=po.exec(e.slice(i,i+2));return r?(t.V=+r[0],i+r[0].length):-1}function wo(t,e,i){var r=po.exec(e.slice(i,i+2));return r?(t.W=+r[0],i+r[0].length):-1}function So(t,e,i){var r=po.exec(e.slice(i,i+4));return r?(t.y=+r[0],i+r[0].length):-1}function Bo(t,e,i){var r=po.exec(e.slice(i,i+2));return r?(t.y=+r[0]+(+r[0]>68?1900:2e3),i+r[0].length):-1}function Fo(t,e,i){var r=/^(Z)|([+-]\d\d)(?::?(\d\d))?/.exec(e.slice(i,i+6));return r?(t.Z=r[1]?0:-(r[2]+(r[3]||"00")),i+r[0].length):-1}function Lo(t,e,i){var r=po.exec(e.slice(i,i+1));return r?(t.q=3*r[0]-3,i+r[0].length):-1}function Ao(t,e,i){var r=po.exec(e.slice(i,i+2));return r?(t.m=r[0]-1,i+r[0].length):-1}function Mo(t,e,i){var r=po.exec(e.slice(i,i+2));return r?(t.d=+r[0],i+r[0].length):-1}function Eo(t,e,i){var r=po.exec(e.slice(i,i+3));return r?(t.m=0,t.d=+r[0],i+r[0].length):-1}function No(t,e,i){var r=po.exec(e.slice(i,i+2));return r?(t.H=+r[0],i+r[0].length):-1}function jo(t,e,i){var r=po.exec(e.slice(i,i+2));return r?(t.M=+r[0],i+r[0].length):-1}function Zo(t,e,i){var r=po.exec(e.slice(i,i+2));return r?(t.S=+r[0],i+r[0].length):-1}function Io(t,e,i){var r=po.exec(e.slice(i,i+3));return r?(t.L=+r[0],i+r[0].length):-1}function Oo(t,e,i){var r=po.exec(e.slice(i,i+6));return r?(t.L=Math.floor(r[0]/1e3),i+r[0].length):-1}function Do(t,e,i){var r=go.exec(e.slice(i,i+1));return r?i+r[0].length:-1}function qo(t,e,i){var r=po.exec(e.slice(i));return r?(t.Q=+r[0],i+r[0].length):-1}function $o(t,e,i){var r=po.exec(e.slice(i));return r?(t.s=+r[0],i+r[0].length):-1}function zo(t,e){return yo(t.getDate(),e,2)}function Po(t,e){return yo(t.getHours(),e,2)}function Ro(t,e){return yo(t.getHours()%12||12,e,2)}function Ho(t,e){return yo(1+Nn.count(to(t),t),e,3)}function Wo(t,e){return yo(t.getMilliseconds(),e,3)}function Uo(t,e){return Wo(t,e)+"000"}function Yo(t,e){return yo(t.getMonth()+1,e,2)}function Vo(t,e){return yo(t.getMinutes(),e,2)}function Go(t,e){return yo(t.getSeconds(),e,2)}function Xo(t){var e=t.getDay();return 0===e?7:e}function Jo(t,e){return yo(On.count(to(t)-1,t),e,2)}function Qo(t){var e=t.getDay();return e>=4||0===e?zn(t):zn.ceil(t)}function Ko(t,e){return t=Qo(t),yo(zn.count(to(t),t)+(4===to(t).getDay()),e,2)}function ta(t){return t.getDay()}function ea(t,e){return yo(Dn.count(to(t)-1,t),e,2)}function ia(t,e){return yo(t.getFullYear()%100,e,2)}function ra(t,e){return yo((t=Qo(t)).getFullYear()%100,e,2)}function na(t,e){return yo(t.getFullYear()%1e4,e,4)}function oa(t,e){var i=t.getDay();return yo((t=i>=4||0===i?zn(t):zn.ceil(t)).getFullYear()%1e4,e,4)}function aa(t){var e=t.getTimezoneOffset();return(e>0?"-":(e*=-1,"+"))+yo(e/60|0,"0",2)+yo(e%60,"0",2)}function sa(t,e){return yo(t.getUTCDate(),e,2)}function la(t,e){return yo(t.getUTCHours(),e,2)}function ca(t,e){return yo(t.getUTCHours()%12||12,e,2)}function ha(t,e){return yo(1+jn.count(eo(t),t),e,3)}function ua(t,e){return yo(t.getUTCMilliseconds(),e,3)}function da(t,e){return ua(t,e)+"000"}function fa(t,e){return yo(t.getUTCMonth()+1,e,2)}function pa(t,e){return yo(t.getUTCMinutes(),e,2)}function ga(t,e){return yo(t.getUTCSeconds(),e,2)}function ma(t){var e=t.getUTCDay();return 0===e?7:e}function ya(t,e){return yo(Wn.count(eo(t)-1,t),e,2)}function xa(t){var e=t.getUTCDay();return e>=4||0===e?Gn(t):Gn.ceil(t)}function ba(t,e){return t=xa(t),yo(Gn.count(eo(t),t)+(4===eo(t).getUTCDay()),e,2)}function Ca(t){return t.getUTCDay()}function _a(t,e){return yo(Un.count(eo(t)-1,t),e,2)}function va(t,e){return yo(t.getUTCFullYear()%100,e,2)}function ka(t,e){return yo((t=xa(t)).getUTCFullYear()%100,e,2)}function Ta(t,e){return yo(t.getUTCFullYear()%1e4,e,4)}function wa(t,e){var i=t.getUTCDay();return yo((t=i>=4||0===i?Gn(t):Gn.ceil(t)).getUTCFullYear()%1e4,e,4)}function Sa(){return"+0000"}function Ba(){return"%"}function Fa(t){return+t}function La(t){return Math.floor(+t/1e3)}function Aa(t){return new Date(t)}function Ma(t){return t instanceof Date?+t:+new Date(+t)}function Ea(t,e,i,r,n,o,a,s,l,c){var h=Jr(),u=h.invert,d=h.domain,f=c(".%L"),p=c(":%S"),g=c("%I:%M"),m=c("%I %p"),y=c("%a %d"),x=c("%b %d"),b=c("%B"),C=c("%Y");function _(t){return(l(t)<t?f:s(t)<t?p:a(t)<t?g:o(t)<t?m:r(t)<t?n(t)<t?y:x:i(t)<t?b:C)(t)}return h.invert=function(t){return new Date(u(t))},h.domain=function(t){return arguments.length?d(Array.from(t,Ma)):d().map(Aa)},h.ticks=function(e){var i=d();return t(i[0],i[i.length-1],null==e?10:e)},h.tickFormat=function(t,e){return null==e?_:c(e)},h.nice=function(t){var i=d();return t&&"function"==typeof t.range||(t=e(i[0],i[i.length-1],null==t?10:t)),t?d(function(t,e){var i,r=0,n=(t=t.slice()).length-1,o=t[r],a=t[n];return a<o&&(i=r,r=n,n=i,i=o,o=a,a=i),t[r]=e.floor(o),t[n]=e.ceil(a),t}(i,t)):h},h.copy=function(){return Gr(h,Ea(t,e,i,r,n,o,a,s,l,c))},h}function Na(){return gr.apply(Ea(oo,ao,to,Qn,On,Nn,Mn,Ln,Fn,uo).domain([new Date(2e3,0,1),new Date(2e3,0,2)]),arguments)}!function(t){ho=function(t){var e=t.dateTime,i=t.date,r=t.time,n=t.periods,o=t.days,a=t.shortDays,s=t.months,l=t.shortMonths,c=bo(n),h=Co(n),u=bo(o),d=Co(o),f=bo(a),p=Co(a),g=bo(s),m=Co(s),y=bo(l),x=Co(l),b={a:function(t){return a[t.getDay()]},A:function(t){return o[t.getDay()]},b:function(t){return l[t.getMonth()]},B:function(t){return s[t.getMonth()]},c:null,d:zo,e:zo,f:Uo,g:ra,G:oa,H:Po,I:Ro,j:Ho,L:Wo,m:Yo,M:Vo,p:function(t){return n[+(t.getHours()>=12)]},q:function(t){return 1+~~(t.getMonth()/3)},Q:Fa,s:La,S:Go,u:Xo,U:Jo,V:Ko,w:ta,W:ea,x:null,X:null,y:ia,Y:na,Z:aa,"%":Ba},C={a:function(t){return a[t.getUTCDay()]},A:function(t){return o[t.getUTCDay()]},b:function(t){return l[t.getUTCMonth()]},B:function(t){return s[t.getUTCMonth()]},c:null,d:sa,e:sa,f:da,g:ka,G:wa,H:la,I:ca,j:ha,L:ua,m:fa,M:pa,p:function(t){return n[+(t.getUTCHours()>=12)]},q:function(t){return 1+~~(t.getUTCMonth()/3)},Q:Fa,s:La,S:ga,u:ma,U:ya,V:ba,w:Ca,W:_a,x:null,X:null,y:va,Y:Ta,Z:Sa,"%":Ba},_={a:function(t,e,i){var r=f.exec(e.slice(i));return r?(t.w=p.get(r[0].toLowerCase()),i+r[0].length):-1},A:function(t,e,i){var r=u.exec(e.slice(i));return r?(t.w=d.get(r[0].toLowerCase()),i+r[0].length):-1},b:function(t,e,i){var r=y.exec(e.slice(i));return r?(t.m=x.get(r[0].toLowerCase()),i+r[0].length):-1},B:function(t,e,i){var r=g.exec(e.slice(i));return r?(t.m=m.get(r[0].toLowerCase()),i+r[0].length):-1},c:function(t,i,r){return T(t,e,i,r)},d:Mo,e:Mo,f:Oo,g:Bo,G:So,H:No,I:No,j:Eo,L:Io,m:Ao,M:jo,p:function(t,e,i){var r=c.exec(e.slice(i));return r?(t.p=h.get(r[0].toLowerCase()),i+r[0].length):-1},q:Lo,Q:qo,s:$o,S:Zo,u:vo,U:ko,V:To,w:_o,W:wo,x:function(t,e,r){return T(t,i,e,r)},X:function(t,e,i){return T(t,r,e,i)},y:Bo,Y:So,Z:Fo,"%":Do};function v(t,e){return function(i){var r,n,o,a=[],s=-1,l=0,c=t.length;for(i instanceof Date||(i=new Date(+i));++s<c;)37===t.charCodeAt(s)&&(a.push(t.slice(l,s)),null!=(n=fo[r=t.charAt(++s)])?r=t.charAt(++s):n="e"===r?" ":"0",(o=e[r])&&(r=o(i,n)),a.push(r),l=s+1);return a.push(t.slice(l,s)),a.join("")}}function k(t,e){return function(i){var r,n,o=co(1900,void 0,1);if(T(o,t,i+="",0)!=i.length)return null;if("Q"in o)return new Date(o.Q);if("s"in o)return new Date(1e3*o.s+("L"in o?o.L:0));if(e&&!("Z"in o)&&(o.Z=0),"p"in o&&(o.H=o.H%12+12*o.p),void 0===o.m&&(o.m="q"in o?o.q:0),"V"in o){if(o.V<1||o.V>53)return null;"w"in o||(o.w=1),"Z"in o?(n=(r=lo(co(o.y,0,1))).getUTCDay(),r=n>4||0===n?Un.ceil(r):Un(r),r=jn.offset(r,7*(o.V-1)),o.y=r.getUTCFullYear(),o.m=r.getUTCMonth(),o.d=r.getUTCDate()+(o.w+6)%7):(n=(r=so(co(o.y,0,1))).getDay(),r=n>4||0===n?Dn.ceil(r):Dn(r),r=Nn.offset(r,7*(o.V-1)),o.y=r.getFullYear(),o.m=r.getMonth(),o.d=r.getDate()+(o.w+6)%7)}else("W"in o||"U"in o)&&("w"in o||(o.w="u"in o?o.u%7:"W"in o?1:0),n="Z"in o?lo(co(o.y,0,1)).getUTCDay():so(co(o.y,0,1)).getDay(),o.m=0,o.d="W"in o?(o.w+6)%7+7*o.W-(n+5)%7:o.w+7*o.U-(n+6)%7);return"Z"in o?(o.H+=o.Z/100|0,o.M+=o.Z%100,lo(o)):so(o)}}function T(t,e,i,r){for(var n,o,a=0,s=e.length,l=i.length;a<s;){if(r>=l)return-1;if(37===(n=e.charCodeAt(a++))){if(n=e.charAt(a++),!(o=_[n in fo?e.charAt(a++):n])||(r=o(t,i,r))<0)return-1}else if(n!=i.charCodeAt(r++))return-1}return r}return b.x=v(i,b),b.X=v(r,b),b.c=v(e,b),C.x=v(i,C),C.X=v(r,C),C.c=v(e,C),{format:function(t){var e=v(t+="",b);return e.toString=function(){return t},e},parse:function(t){var e=k(t+="",!1);return e.toString=function(){return t},e},utcFormat:function(t){var e=v(t+="",C);return e.toString=function(){return t},e},utcParse:function(t){var e=k(t+="",!0);return e.toString=function(){return t},e}}}(t),uo=ho.format,ho.parse,ho.utcFormat,ho.utcParse}({dateTime:"%x, %X",date:"%-m/%-d/%Y",time:"%-I:%M:%S %p",periods:["AM","PM"],days:["Sunday","Monday","Tuesday","Wednesday","Thursday","Friday","Saturday"],shortDays:["Sun","Mon","Tue","Wed","Thu","Fri","Sat"],months:["January","February","March","April","May","June","July","August","September","October","November","December"],shortMonths:["Jan","Feb","Mar","Apr","May","Jun","Jul","Aug","Sep","Oct","Nov","Dec"]});const ja=function(t){for(var e=t.length/6|0,i=new Array(e),r=0;r<e;)i[r]="#"+t.slice(6*r,6*++r);return i}("4e79a7f28e2ce1575976b7b259a14fedc949af7aa1ff9da79c755fbab0ab");function Za(t){return"string"==typeof t?new Lt([[document.querySelector(t)]],[document.documentElement]):new Lt([[t]],Ft)}function Ia(t){return"string"==typeof t?new Lt([document.querySelectorAll(t)],[document.documentElement]):new Lt([_(t)],Ft)}function Oa(t){return function(){return t}}const Da=Math.abs,qa=Math.atan2,$a=Math.cos,za=Math.max,Pa=Math.min,Ra=Math.sin,Ha=Math.sqrt,Wa=1e-12,Ua=Math.PI,Ya=Ua/2,Va=2*Ua;function Ga(t){return t>=1?Ya:t<=-1?-Ya:Math.asin(t)}const Xa=Math.PI,Ja=2*Xa,Qa=1e-6,Ka=Ja-Qa;function ts(t){this._+=t[0];for(let e=1,i=t.length;e<i;++e)this._+=arguments[e]+t[e]}class es{constructor(t){this._x0=this._y0=this._x1=this._y1=null,this._="",this._append=null==t?ts:function(t){let e=Math.floor(t);if(!(e>=0))throw new Error(`invalid digits: ${t}`);if(e>15)return ts;const i=10**e;return function(t){this._+=t[0];for(let e=1,r=t.length;e<r;++e)this._+=Math.round(arguments[e]*i)/i+t[e]}}(t)}moveTo(t,e){this._append`M${this._x0=this._x1=+t},${this._y0=this._y1=+e}`}closePath(){null!==this._x1&&(this._x1=this._x0,this._y1=this._y0,this._append`Z`)}lineTo(t,e){this._append`L${this._x1=+t},${this._y1=+e}`}quadraticCurveTo(t,e,i,r){this._append`Q${+t},${+e},${this._x1=+i},${this._y1=+r}`}bezierCurveTo(t,e,i,r,n,o){this._append`C${+t},${+e},${+i},${+r},${this._x1=+n},${this._y1=+o}`}arcTo(t,e,i,r,n){if(t=+t,e=+e,i=+i,r=+r,(n=+n)<0)throw new Error(`negative radius: ${n}`);let o=this._x1,a=this._y1,s=i-t,l=r-e,c=o-t,h=a-e,u=c*c+h*h;if(null===this._x1)this._append`M${this._x1=t},${this._y1=e}`;else if(u>Qa)if(Math.abs(h*s-l*c)>Qa&&n){let d=i-o,f=r-a,p=s*s+l*l,g=d*d+f*f,m=Math.sqrt(p),y=Math.sqrt(u),x=n*Math.tan((Xa-Math.acos((p+u-g)/(2*m*y)))/2),b=x/y,C=x/m;Math.abs(b-1)>Qa&&this._append`L${t+b*c},${e+b*h}`,this._append`A${n},${n},0,0,${+(h*d>c*f)},${this._x1=t+C*s},${this._y1=e+C*l}`}else this._append`L${this._x1=t},${this._y1=e}`;else;}arc(t,e,i,r,n,o){if(t=+t,e=+e,o=!!o,(i=+i)<0)throw new Error(`negative radius: ${i}`);let a=i*Math.cos(r),s=i*Math.sin(r),l=t+a,c=e+s,h=1^o,u=o?r-n:n-r;null===this._x1?this._append`M${l},${c}`:(Math.abs(this._x1-l)>Qa||Math.abs(this._y1-c)>Qa)&&this._append`L${l},${c}`,i&&(u<0&&(u=u%Ja+Ja),u>Ka?this._append`A${i},${i},0,1,${h},${t-a},${e-s}A${i},${i},0,1,${h},${this._x1=l},${this._y1=c}`:u>Qa&&this._append`A${i},${i},0,${+(u>=Xa)},${h},${this._x1=t+i*Math.cos(n)},${this._y1=e+i*Math.sin(n)}`)}rect(t,e,i,r){this._append`M${this._x0=this._x1=+t},${this._y0=this._y1=+e}h${i=+i}v${+r}h${-i}Z`}toString(){return this._}}function is(t){let e=3;return t.digits=function(i){if(!arguments.length)return e;if(null==i)e=null;else{const t=Math.floor(i);if(!(t>=0))throw new RangeError(`invalid digits: ${i}`);e=t}return t},()=>new es(e)}function rs(t){return t.innerRadius}function ns(t){return t.outerRadius}function os(t){return t.startAngle}function as(t){return t.endAngle}function ss(t){return t&&t.padAngle}function ls(t,e,i,r,n,o,a){var s=t-i,l=e-r,c=(a?o:-o)/Ha(s*s+l*l),h=c*l,u=-c*s,d=t+h,f=e+u,p=i+h,g=r+u,m=(d+p)/2,y=(f+g)/2,x=p-d,b=g-f,C=x*x+b*b,_=n-o,v=d*g-p*f,k=(b<0?-1:1)*Ha(za(0,_*_*C-v*v)),T=(v*b-x*k)/C,w=(-v*x-b*k)/C,S=(v*b+x*k)/C,B=(-v*x+b*k)/C,F=T-m,L=w-y,A=S-m,M=B-y;return F*F+L*L>A*A+M*M&&(T=S,w=B),{cx:T,cy:w,x01:-h,y01:-u,x11:T*(n/_-1),y11:w*(n/_-1)}}function cs(){var t=rs,e=ns,i=Oa(0),r=null,n=os,o=as,a=ss,s=null,l=is(c);function c(){var c,h,u,d=+t.apply(this,arguments),f=+e.apply(this,arguments),p=n.apply(this,arguments)-Ya,g=o.apply(this,arguments)-Ya,m=Da(g-p),y=g>p;if(s||(s=c=l()),f<d&&(h=f,f=d,d=h),f>Wa)if(m>Va-Wa)s.moveTo(f*$a(p),f*Ra(p)),s.arc(0,0,f,p,g,!y),d>Wa&&(s.moveTo(d*$a(g),d*Ra(g)),s.arc(0,0,d,g,p,y));else{var x,b,C=p,_=g,v=p,k=g,T=m,w=m,S=a.apply(this,arguments)/2,B=S>Wa&&(r?+r.apply(this,arguments):Ha(d*d+f*f)),F=Pa(Da(f-d)/2,+i.apply(this,arguments)),L=F,A=F;if(B>Wa){var M=Ga(B/d*Ra(S)),E=Ga(B/f*Ra(S));(T-=2*M)>Wa?(v+=M*=y?1:-1,k-=M):(T=0,v=k=(p+g)/2),(w-=2*E)>Wa?(C+=E*=y?1:-1,_-=E):(w=0,C=_=(p+g)/2)}var N=f*$a(C),j=f*Ra(C),Z=d*$a(k),I=d*Ra(k);if(F>Wa){var O,D=f*$a(_),q=f*Ra(_),$=d*$a(v),z=d*Ra(v);if(m<Ua)if(O=function(t,e,i,r,n,o,a,s){var l=i-t,c=r-e,h=a-n,u=s-o,d=u*l-h*c;if(!(d*d<Wa))return[t+(d=(h*(e-o)-u*(t-n))/d)*l,e+d*c]}(N,j,$,z,D,q,Z,I)){var P=N-O[0],R=j-O[1],H=D-O[0],W=q-O[1],U=1/Ra(((u=(P*H+R*W)/(Ha(P*P+R*R)*Ha(H*H+W*W)))>1?0:u<-1?Ua:Math.acos(u))/2),Y=Ha(O[0]*O[0]+O[1]*O[1]);L=Pa(F,(d-Y)/(U-1)),A=Pa(F,(f-Y)/(U+1))}else L=A=0}w>Wa?A>Wa?(x=ls($,z,N,j,f,A,y),b=ls(D,q,Z,I,f,A,y),s.moveTo(x.cx+x.x01,x.cy+x.y01),A<F?s.arc(x.cx,x.cy,A,qa(x.y01,x.x01),qa(b.y01,b.x01),!y):(s.arc(x.cx,x.cy,A,qa(x.y01,x.x01),qa(x.y11,x.x11),!y),s.arc(0,0,f,qa(x.cy+x.y11,x.cx+x.x11),qa(b.cy+b.y11,b.cx+b.x11),!y),s.arc(b.cx,b.cy,A,qa(b.y11,b.x11),qa(b.y01,b.x01),!y))):(s.moveTo(N,j),s.arc(0,0,f,C,_,!y)):s.moveTo(N,j),d>Wa&&T>Wa?L>Wa?(x=ls(Z,I,D,q,d,-L,y),b=ls(N,j,$,z,d,-L,y),s.lineTo(x.cx+x.x01,x.cy+x.y01),L<F?s.arc(x.cx,x.cy,L,qa(x.y01,x.x01),qa(b.y01,b.x01),!y):(s.arc(x.cx,x.cy,L,qa(x.y01,x.x01),qa(x.y11,x.x11),!y),s.arc(0,0,d,qa(x.cy+x.y11,x.cx+x.x11),qa(b.cy+b.y11,b.cx+b.x11),y),s.arc(b.cx,b.cy,L,qa(b.y11,b.x11),qa(b.y01,b.x01),!y))):s.arc(0,0,d,k,v,y):s.lineTo(Z,I)}else s.moveTo(0,0);if(s.closePath(),c)return s=null,c+""||null}return c.centroid=function(){var i=(+t.apply(this,arguments)+ +e.apply(this,arguments))/2,r=(+n.apply(this,arguments)+ +o.apply(this,arguments))/2-Ua/2;return[$a(r)*i,Ra(r)*i]},c.innerRadius=function(e){return arguments.length?(t="function"==typeof e?e:Oa(+e),c):t},c.outerRadius=function(t){return arguments.length?(e="function"==typeof t?t:Oa(+t),c):e},c.cornerRadius=function(t){return arguments.length?(i="function"==typeof t?t:Oa(+t),c):i},c.padRadius=function(t){return arguments.length?(r=null==t?null:"function"==typeof t?t:Oa(+t),c):r},c.startAngle=function(t){return arguments.length?(n="function"==typeof t?t:Oa(+t),c):n},c.endAngle=function(t){return arguments.length?(o="function"==typeof t?t:Oa(+t),c):o},c.padAngle=function(t){return arguments.length?(a="function"==typeof t?t:Oa(+t),c):a},c.context=function(t){return arguments.length?(s=null==t?null:t,c):s},c}es.prototype;Array.prototype.slice;function hs(t){return"object"==typeof t&&"length"in t?t:Array.from(t)}function us(t){this._context=t}function ds(t){return new us(t)}function fs(t){return t[0]}function ps(t){return t[1]}function gs(t,e){var i=Oa(!0),r=null,n=ds,o=null,a=is(s);function s(s){var l,c,h,u=(s=hs(s)).length,d=!1;for(null==r&&(o=n(h=a())),l=0;l<=u;++l)!(l<u&&i(c=s[l],l,s))===d&&((d=!d)?o.lineStart():o.lineEnd()),d&&o.point(+t(c,l,s),+e(c,l,s));if(h)return o=null,h+""||null}return t="function"==typeof t?t:void 0===t?fs:Oa(t),e="function"==typeof e?e:void 0===e?ps:Oa(e),s.x=function(e){return arguments.length?(t="function"==typeof e?e:Oa(+e),s):t},s.y=function(t){return arguments.length?(e="function"==typeof t?t:Oa(+t),s):e},s.defined=function(t){return arguments.length?(i="function"==typeof t?t:Oa(!!t),s):i},s.curve=function(t){return arguments.length?(n=t,null!=r&&(o=n(r)),s):n},s.context=function(t){return arguments.length?(null==t?r=o=null:o=n(r=t),s):r},s}function ms(t,e){return e<t?-1:e>t?1:e>=t?0:NaN}function ys(t){return t}function xs(){var t=ys,e=ms,i=null,r=Oa(0),n=Oa(Va),o=Oa(0);function a(a){var s,l,c,h,u,d=(a=hs(a)).length,f=0,p=new Array(d),g=new Array(d),m=+r.apply(this,arguments),y=Math.min(Va,Math.max(-Va,n.apply(this,arguments)-m)),x=Math.min(Math.abs(y)/d,o.apply(this,arguments)),b=x*(y<0?-1:1);for(s=0;s<d;++s)(u=g[p[s]=s]=+t(a[s],s,a))>0&&(f+=u);for(null!=e?p.sort((function(t,i){return e(g[t],g[i])})):null!=i&&p.sort((function(t,e){return i(a[t],a[e])})),s=0,c=f?(y-d*b)/f:0;s<d;++s,m=h)l=p[s],h=m+((u=g[l])>0?u*c:0)+b,g[l]={data:a[l],index:s,value:u,startAngle:m,endAngle:h,padAngle:x};return g}return a.value=function(e){return arguments.length?(t="function"==typeof e?e:Oa(+e),a):t},a.sortValues=function(t){return arguments.length?(e=t,i=null,a):e},a.sort=function(t){return arguments.length?(i=t,e=null,a):i},a.startAngle=function(t){return arguments.length?(r="function"==typeof t?t:Oa(+t),a):r},a.endAngle=function(t){return arguments.length?(n="function"==typeof t?t:Oa(+t),a):n},a.padAngle=function(t){return arguments.length?(o="function"==typeof t?t:Oa(+t),a):o},a}function bs(){}function Cs(t,e,i){t._context.bezierCurveTo((2*t._x0+t._x1)/3,(2*t._y0+t._y1)/3,(t._x0+2*t._x1)/3,(t._y0+2*t._y1)/3,(t._x0+4*t._x1+e)/6,(t._y0+4*t._y1+i)/6)}function _s(t){this._context=t}function vs(t){return new _s(t)}function ks(t){this._context=t}function Ts(t){return new ks(t)}function ws(t){this._context=t}function Ss(t){return new ws(t)}us.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._point=0},lineEnd:function(){(this._line||0!==this._line&&1===this._point)&&this._context.closePath(),this._line=1-this._line},point:function(t,e){switch(t=+t,e=+e,this._point){case 0:this._point=1,this._line?this._context.lineTo(t,e):this._context.moveTo(t,e);break;case 1:this._point=2;default:this._context.lineTo(t,e)}}},_s.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._x0=this._x1=this._y0=this._y1=NaN,this._point=0},lineEnd:function(){switch(this._point){case 3:Cs(this,this._x1,this._y1);case 2:this._context.lineTo(this._x1,this._y1)}(this._line||0!==this._line&&1===this._point)&&this._context.closePath(),this._line=1-this._line},point:function(t,e){switch(t=+t,e=+e,this._point){case 0:this._point=1,this._line?this._context.lineTo(t,e):this._context.moveTo(t,e);break;case 1:this._point=2;break;case 2:this._point=3,this._context.lineTo((5*this._x0+this._x1)/6,(5*this._y0+this._y1)/6);default:Cs(this,t,e)}this._x0=this._x1,this._x1=t,this._y0=this._y1,this._y1=e}},ks.prototype={areaStart:bs,areaEnd:bs,lineStart:function(){this._x0=this._x1=this._x2=this._x3=this._x4=this._y0=this._y1=this._y2=this._y3=this._y4=NaN,this._point=0},lineEnd:function(){switch(this._point){case 1:this._context.moveTo(this._x2,this._y2),this._context.closePath();break;case 2:this._context.moveTo((this._x2+2*this._x3)/3,(this._y2+2*this._y3)/3),this._context.lineTo((this._x3+2*this._x2)/3,(this._y3+2*this._y2)/3),this._context.closePath();break;case 3:this.point(this._x2,this._y2),this.point(this._x3,this._y3),this.point(this._x4,this._y4)}},point:function(t,e){switch(t=+t,e=+e,this._point){case 0:this._point=1,this._x2=t,this._y2=e;break;case 1:this._point=2,this._x3=t,this._y3=e;break;case 2:this._point=3,this._x4=t,this._y4=e,this._context.moveTo((this._x0+4*this._x1+t)/6,(this._y0+4*this._y1+e)/6);break;default:Cs(this,t,e)}this._x0=this._x1,this._x1=t,this._y0=this._y1,this._y1=e}},ws.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._x0=this._x1=this._y0=this._y1=NaN,this._point=0},lineEnd:function(){(this._line||0!==this._line&&3===this._point)&&this._context.closePath(),this._line=1-this._line},point:function(t,e){switch(t=+t,e=+e,this._point){case 0:this._point=1;break;case 1:this._point=2;break;case 2:this._point=3;var i=(this._x0+4*this._x1+t)/6,r=(this._y0+4*this._y1+e)/6;this._line?this._context.lineTo(i,r):this._context.moveTo(i,r);break;case 3:this._point=4;default:Cs(this,t,e)}this._x0=this._x1,this._x1=t,this._y0=this._y1,this._y1=e}};class Bs{constructor(t,e){this._context=t,this._x=e}areaStart(){this._line=0}areaEnd(){this._line=NaN}lineStart(){this._point=0}lineEnd(){(this._line||0!==this._line&&1===this._point)&&this._context.closePath(),this._line=1-this._line}point(t,e){switch(t=+t,e=+e,this._point){case 0:this._point=1,this._line?this._context.lineTo(t,e):this._context.moveTo(t,e);break;case 1:this._point=2;default:this._x?this._context.bezierCurveTo(this._x0=(this._x0+t)/2,this._y0,this._x0,e,t,e):this._context.bezierCurveTo(this._x0,this._y0=(this._y0+e)/2,t,this._y0,t,e)}this._x0=t,this._y0=e}}function Fs(t){return new Bs(t,!0)}function Ls(t){return new Bs(t,!1)}function As(t,e){this._basis=new _s(t),this._beta=e}As.prototype={lineStart:function(){this._x=[],this._y=[],this._basis.lineStart()},lineEnd:function(){var t=this._x,e=this._y,i=t.length-1;if(i>0)for(var r,n=t[0],o=e[0],a=t[i]-n,s=e[i]-o,l=-1;++l<=i;)r=l/i,this._basis.point(this._beta*t[l]+(1-this._beta)*(n+r*a),this._beta*e[l]+(1-this._beta)*(o+r*s));this._x=this._y=null,this._basis.lineEnd()},point:function(t,e){this._x.push(+t),this._y.push(+e)}};const Ms=function t(e){function i(t){return 1===e?new _s(t):new As(t,e)}return i.beta=function(e){return t(+e)},i}(.85);function Es(t,e,i){t._context.bezierCurveTo(t._x1+t._k*(t._x2-t._x0),t._y1+t._k*(t._y2-t._y0),t._x2+t._k*(t._x1-e),t._y2+t._k*(t._y1-i),t._x2,t._y2)}function Ns(t,e){this._context=t,this._k=(1-e)/6}Ns.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._x0=this._x1=this._x2=this._y0=this._y1=this._y2=NaN,this._point=0},lineEnd:function(){switch(this._point){case 2:this._context.lineTo(this._x2,this._y2);break;case 3:Es(this,this._x1,this._y1)}(this._line||0!==this._line&&1===this._point)&&this._context.closePath(),this._line=1-this._line},point:function(t,e){switch(t=+t,e=+e,this._point){case 0:this._point=1,this._line?this._context.lineTo(t,e):this._context.moveTo(t,e);break;case 1:this._point=2,this._x1=t,this._y1=e;break;case 2:this._point=3;default:Es(this,t,e)}this._x0=this._x1,this._x1=this._x2,this._x2=t,this._y0=this._y1,this._y1=this._y2,this._y2=e}};const js=function t(e){function i(t){return new Ns(t,e)}return i.tension=function(e){return t(+e)},i}(0);function Zs(t,e){this._context=t,this._k=(1-e)/6}Zs.prototype={areaStart:bs,areaEnd:bs,lineStart:function(){this._x0=this._x1=this._x2=this._x3=this._x4=this._x5=this._y0=this._y1=this._y2=this._y3=this._y4=this._y5=NaN,this._point=0},lineEnd:function(){switch(this._point){case 1:this._context.moveTo(this._x3,this._y3),this._context.closePath();break;case 2:this._context.lineTo(this._x3,this._y3),this._context.closePath();break;case 3:this.point(this._x3,this._y3),this.point(this._x4,this._y4),this.point(this._x5,this._y5)}},point:function(t,e){switch(t=+t,e=+e,this._point){case 0:this._point=1,this._x3=t,this._y3=e;break;case 1:this._point=2,this._context.moveTo(this._x4=t,this._y4=e);break;case 2:this._point=3,this._x5=t,this._y5=e;break;default:Es(this,t,e)}this._x0=this._x1,this._x1=this._x2,this._x2=t,this._y0=this._y1,this._y1=this._y2,this._y2=e}};const Is=function t(e){function i(t){return new Zs(t,e)}return i.tension=function(e){return t(+e)},i}(0);function Os(t,e){this._context=t,this._k=(1-e)/6}Os.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._x0=this._x1=this._x2=this._y0=this._y1=this._y2=NaN,this._point=0},lineEnd:function(){(this._line||0!==this._line&&3===this._point)&&this._context.closePath(),this._line=1-this._line},point:function(t,e){switch(t=+t,e=+e,this._point){case 0:this._point=1;break;case 1:this._point=2;break;case 2:this._point=3,this._line?this._context.lineTo(this._x2,this._y2):this._context.moveTo(this._x2,this._y2);break;case 3:this._point=4;default:Es(this,t,e)}this._x0=this._x1,this._x1=this._x2,this._x2=t,this._y0=this._y1,this._y1=this._y2,this._y2=e}};const Ds=function t(e){function i(t){return new Os(t,e)}return i.tension=function(e){return t(+e)},i}(0);function qs(t,e,i){var r=t._x1,n=t._y1,o=t._x2,a=t._y2;if(t._l01_a>Wa){var s=2*t._l01_2a+3*t._l01_a*t._l12_a+t._l12_2a,l=3*t._l01_a*(t._l01_a+t._l12_a);r=(r*s-t._x0*t._l12_2a+t._x2*t._l01_2a)/l,n=(n*s-t._y0*t._l12_2a+t._y2*t._l01_2a)/l}if(t._l23_a>Wa){var c=2*t._l23_2a+3*t._l23_a*t._l12_a+t._l12_2a,h=3*t._l23_a*(t._l23_a+t._l12_a);o=(o*c+t._x1*t._l23_2a-e*t._l12_2a)/h,a=(a*c+t._y1*t._l23_2a-i*t._l12_2a)/h}t._context.bezierCurveTo(r,n,o,a,t._x2,t._y2)}function $s(t,e){this._context=t,this._alpha=e}$s.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._x0=this._x1=this._x2=this._y0=this._y1=this._y2=NaN,this._l01_a=this._l12_a=this._l23_a=this._l01_2a=this._l12_2a=this._l23_2a=this._point=0},lineEnd:function(){switch(this._point){case 2:this._context.lineTo(this._x2,this._y2);break;case 3:this.point(this._x2,this._y2)}(this._line||0!==this._line&&1===this._point)&&this._context.closePath(),this._line=1-this._line},point:function(t,e){if(t=+t,e=+e,this._point){var i=this._x2-t,r=this._y2-e;this._l23_a=Math.sqrt(this._l23_2a=Math.pow(i*i+r*r,this._alpha))}switch(this._point){case 0:this._point=1,this._line?this._context.lineTo(t,e):this._context.moveTo(t,e);break;case 1:this._point=2;break;case 2:this._point=3;default:qs(this,t,e)}this._l01_a=this._l12_a,this._l12_a=this._l23_a,this._l01_2a=this._l12_2a,this._l12_2a=this._l23_2a,this._x0=this._x1,this._x1=this._x2,this._x2=t,this._y0=this._y1,this._y1=this._y2,this._y2=e}};const zs=function t(e){function i(t){return e?new $s(t,e):new Ns(t,0)}return i.alpha=function(e){return t(+e)},i}(.5);function Ps(t,e){this._context=t,this._alpha=e}Ps.prototype={areaStart:bs,areaEnd:bs,lineStart:function(){this._x0=this._x1=this._x2=this._x3=this._x4=this._x5=this._y0=this._y1=this._y2=this._y3=this._y4=this._y5=NaN,this._l01_a=this._l12_a=this._l23_a=this._l01_2a=this._l12_2a=this._l23_2a=this._point=0},lineEnd:function(){switch(this._point){case 1:this._context.moveTo(this._x3,this._y3),this._context.closePath();break;case 2:this._context.lineTo(this._x3,this._y3),this._context.closePath();break;case 3:this.point(this._x3,this._y3),this.point(this._x4,this._y4),this.point(this._x5,this._y5)}},point:function(t,e){if(t=+t,e=+e,this._point){var i=this._x2-t,r=this._y2-e;this._l23_a=Math.sqrt(this._l23_2a=Math.pow(i*i+r*r,this._alpha))}switch(this._point){case 0:this._point=1,this._x3=t,this._y3=e;break;case 1:this._point=2,this._context.moveTo(this._x4=t,this._y4=e);break;case 2:this._point=3,this._x5=t,this._y5=e;break;default:qs(this,t,e)}this._l01_a=this._l12_a,this._l12_a=this._l23_a,this._l01_2a=this._l12_2a,this._l12_2a=this._l23_2a,this._x0=this._x1,this._x1=this._x2,this._x2=t,this._y0=this._y1,this._y1=this._y2,this._y2=e}};const Rs=function t(e){function i(t){return e?new Ps(t,e):new Zs(t,0)}return i.alpha=function(e){return t(+e)},i}(.5);function Hs(t,e){this._context=t,this._alpha=e}Hs.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._x0=this._x1=this._x2=this._y0=this._y1=this._y2=NaN,this._l01_a=this._l12_a=this._l23_a=this._l01_2a=this._l12_2a=this._l23_2a=this._point=0},lineEnd:function(){(this._line||0!==this._line&&3===this._point)&&this._context.closePath(),this._line=1-this._line},point:function(t,e){if(t=+t,e=+e,this._point){var i=this._x2-t,r=this._y2-e;this._l23_a=Math.sqrt(this._l23_2a=Math.pow(i*i+r*r,this._alpha))}switch(this._point){case 0:this._point=1;break;case 1:this._point=2;break;case 2:this._point=3,this._line?this._context.lineTo(this._x2,this._y2):this._context.moveTo(this._x2,this._y2);break;case 3:this._point=4;default:qs(this,t,e)}this._l01_a=this._l12_a,this._l12_a=this._l23_a,this._l01_2a=this._l12_2a,this._l12_2a=this._l23_2a,this._x0=this._x1,this._x1=this._x2,this._x2=t,this._y0=this._y1,this._y1=this._y2,this._y2=e}};const Ws=function t(e){function i(t){return e?new Hs(t,e):new Os(t,0)}return i.alpha=function(e){return t(+e)},i}(.5);function Us(t){this._context=t}function Ys(t){return new Us(t)}function Vs(t){return t<0?-1:1}function Gs(t,e,i){var r=t._x1-t._x0,n=e-t._x1,o=(t._y1-t._y0)/(r||n<0&&-0),a=(i-t._y1)/(n||r<0&&-0),s=(o*n+a*r)/(r+n);return(Vs(o)+Vs(a))*Math.min(Math.abs(o),Math.abs(a),.5*Math.abs(s))||0}function Xs(t,e){var i=t._x1-t._x0;return i?(3*(t._y1-t._y0)/i-e)/2:e}function Js(t,e,i){var r=t._x0,n=t._y0,o=t._x1,a=t._y1,s=(o-r)/3;t._context.bezierCurveTo(r+s,n+s*e,o-s,a-s*i,o,a)}function Qs(t){this._context=t}function Ks(t){this._context=new tl(t)}function tl(t){this._context=t}function el(t){return new Qs(t)}function il(t){return new Ks(t)}function rl(t){this._context=t}function nl(t){var e,i,r=t.length-1,n=new Array(r),o=new Array(r),a=new Array(r);for(n[0]=0,o[0]=2,a[0]=t[0]+2*t[1],e=1;e<r-1;++e)n[e]=1,o[e]=4,a[e]=4*t[e]+2*t[e+1];for(n[r-1]=2,o[r-1]=7,a[r-1]=8*t[r-1]+t[r],e=1;e<r;++e)i=n[e]/o[e-1],o[e]-=i,a[e]-=i*a[e-1];for(n[r-1]=a[r-1]/o[r-1],e=r-2;e>=0;--e)n[e]=(a[e]-n[e+1])/o[e];for(o[r-1]=(t[r]+n[r-1])/2,e=0;e<r-1;++e)o[e]=2*t[e+1]-n[e+1];return[n,o]}function ol(t){return new rl(t)}function al(t,e){this._context=t,this._t=e}function sl(t){return new al(t,.5)}function ll(t){return new al(t,0)}function cl(t){return new al(t,1)}function hl(t,e,i){this.k=t,this.x=e,this.y=i}Us.prototype={areaStart:bs,areaEnd:bs,lineStart:function(){this._point=0},lineEnd:function(){this._point&&this._context.closePath()},point:function(t,e){t=+t,e=+e,this._point?this._context.lineTo(t,e):(this._point=1,this._context.moveTo(t,e))}},Qs.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._x0=this._x1=this._y0=this._y1=this._t0=NaN,this._point=0},lineEnd:function(){switch(this._point){case 2:this._context.lineTo(this._x1,this._y1);break;case 3:Js(this,this._t0,Xs(this,this._t0))}(this._line||0!==this._line&&1===this._point)&&this._context.closePath(),this._line=1-this._line},point:function(t,e){var i=NaN;if(e=+e,(t=+t)!==this._x1||e!==this._y1){switch(this._point){case 0:this._point=1,this._line?this._context.lineTo(t,e):this._context.moveTo(t,e);break;case 1:this._point=2;break;case 2:this._point=3,Js(this,Xs(this,i=Gs(this,t,e)),i);break;default:Js(this,this._t0,i=Gs(this,t,e))}this._x0=this._x1,this._x1=t,this._y0=this._y1,this._y1=e,this._t0=i}}},(Ks.prototype=Object.create(Qs.prototype)).point=function(t,e){Qs.prototype.point.call(this,e,t)},tl.prototype={moveTo:function(t,e){this._context.moveTo(e,t)},closePath:function(){this._context.closePath()},lineTo:function(t,e){this._context.lineTo(e,t)},bezierCurveTo:function(t,e,i,r,n,o){this._context.bezierCurveTo(e,t,r,i,o,n)}},rl.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._x=[],this._y=[]},lineEnd:function(){var t=this._x,e=this._y,i=t.length;if(i)if(this._line?this._context.lineTo(t[0],e[0]):this._context.moveTo(t[0],e[0]),2===i)this._context.lineTo(t[1],e[1]);else for(var r=nl(t),n=nl(e),o=0,a=1;a<i;++o,++a)this._context.bezierCurveTo(r[0][o],n[0][o],r[1][o],n[1][o],t[a],e[a]);(this._line||0!==this._line&&1===i)&&this._context.closePath(),this._line=1-this._line,this._x=this._y=null},point:function(t,e){this._x.push(+t),this._y.push(+e)}},al.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._x=this._y=NaN,this._point=0},lineEnd:function(){0<this._t&&this._t<1&&2===this._point&&this._context.lineTo(this._x,this._y),(this._line||0!==this._line&&1===this._point)&&this._context.closePath(),this._line>=0&&(this._t=1-this._t,this._line=1-this._line)},point:function(t,e){switch(t=+t,e=+e,this._point){case 0:this._point=1,this._line?this._context.lineTo(t,e):this._context.moveTo(t,e);break;case 1:this._point=2;default:if(this._t<=0)this._context.lineTo(this._x,e),this._context.lineTo(t,e);else{var i=this._x*(1-this._t)+t*this._t;this._context.lineTo(i,this._y),this._context.lineTo(i,e)}}this._x=t,this._y=e}},hl.prototype={constructor:hl,scale:function(t){return 1===t?this:new hl(this.k*t,this.x,this.y)},translate:function(t,e){return 0===t&0===e?this:new hl(this.k,this.x+this.k*t,this.y+this.k*e)},apply:function(t){return[t[0]*this.k+this.x,t[1]*this.k+this.y]},applyX:function(t){return t*this.k+this.x},applyY:function(t){return t*this.k+this.y},invert:function(t){return[(t[0]-this.x)/this.k,(t[1]-this.y)/this.k]},invertX:function(t){return(t-this.x)/this.k},invertY:function(t){return(t-this.y)/this.k},rescaleX:function(t){return t.copy().domain(t.range().map(this.invertX,this).map(t.invert,t))},rescaleY:function(t){return t.copy().domain(t.range().map(this.invertY,this).map(t.invert,t))},toString:function(){return"translate("+this.x+","+this.y+") scale("+this.k+")"}};new hl(1,0,0);hl.prototype},1883:(t,e,i)=>{"use strict";i.d(e,{Z:()=>a});var r=i(1691),n=i(2142);const o=class{constructor(){this.type=n.w.ALL}get(){return this.type}set(t){if(this.type&&this.type!==t)throw new Error("Cannot change both RGB and HSL channels at the same time");this.type=t}reset(){this.type=n.w.ALL}is(t){return this.type===t}};const a=new class{constructor(t,e){this.color=e,this.changed=!1,this.data=t,this.type=new o}set(t,e){return this.color=e,this.changed=!1,this.data=t,this.type.type=n.w.ALL,this}_ensureHSL(){const t=this.data,{h:e,s:i,l:n}=t;void 0===e&&(t.h=r.Z.channel.rgb2hsl(t,"h")),void 0===i&&(t.s=r.Z.channel.rgb2hsl(t,"s")),void 0===n&&(t.l=r.Z.channel.rgb2hsl(t,"l"))}_ensureRGB(){const t=this.data,{r:e,g:i,b:n}=t;void 0===e&&(t.r=r.Z.channel.hsl2rgb(t,"r")),void 0===i&&(t.g=r.Z.channel.hsl2rgb(t,"g")),void 0===n&&(t.b=r.Z.channel.hsl2rgb(t,"b"))}get r(){const t=this.data,e=t.r;return this.type.is(n.w.HSL)||void 0===e?(this._ensureHSL(),r.Z.channel.hsl2rgb(t,"r")):e}get g(){const t=this.data,e=t.g;return this.type.is(n.w.HSL)||void 0===e?(this._ensureHSL(),r.Z.channel.hsl2rgb(t,"g")):e}get b(){const t=this.data,e=t.b;return this.type.is(n.w.HSL)||void 0===e?(this._ensureHSL(),r.Z.channel.hsl2rgb(t,"b")):e}get h(){const t=this.data,e=t.h;return this.type.is(n.w.RGB)||void 0===e?(this._ensureRGB(),r.Z.channel.rgb2hsl(t,"h")):e}get s(){const t=this.data,e=t.s;return this.type.is(n.w.RGB)||void 0===e?(this._ensureRGB(),r.Z.channel.rgb2hsl(t,"s")):e}get l(){const t=this.data,e=t.l;return this.type.is(n.w.RGB)||void 0===e?(this._ensureRGB(),r.Z.channel.rgb2hsl(t,"l")):e}get a(){return this.data.a}set r(t){this.type.set(n.w.RGB),this.changed=!0,this.data.r=t}set g(t){this.type.set(n.w.RGB),this.changed=!0,this.data.g=t}set b(t){this.type.set(n.w.RGB),this.changed=!0,this.data.b=t}set h(t){this.type.set(n.w.HSL),this.changed=!0,this.data.h=t}set s(t){this.type.set(n.w.HSL),this.changed=!0,this.data.s=t}set l(t){this.type.set(n.w.HSL),this.changed=!0,this.data.l=t}set a(t){this.changed=!0,this.data.a=t}}({r:0,g:0,b:0,a:0},"transparent")},1610:(t,e,i)=>{"use strict";i.d(e,{Z:()=>g});var r=i(1883),n=i(2142);const o={re:/^#((?:[a-f0-9]{2}){2,4}|[a-f0-9]{3})$/i,parse:t=>{if(35!==t.charCodeAt(0))return;const e=t.match(o.re);if(!e)return;const i=e[1],n=parseInt(i,16),a=i.length,s=a%4==0,l=a>4,c=l?1:17,h=l?8:4,u=s?0:-1,d=l?255:15;return r.Z.set({r:(n>>h*(u+3)&d)*c,g:(n>>h*(u+2)&d)*c,b:(n>>h*(u+1)&d)*c,a:s?(n&d)*c/255:1},t)},stringify:t=>{const{r:e,g:i,b:r,a:o}=t;return o<1?`#${n.Q[Math.round(e)]}${n.Q[Math.round(i)]}${n.Q[Math.round(r)]}${n.Q[Math.round(255*o)]}`:`#${n.Q[Math.round(e)]}${n.Q[Math.round(i)]}${n.Q[Math.round(r)]}`}},a=o;var s=i(1691);const l={re:/^hsla?\(\s*?(-?(?:\d+(?:\.\d+)?|(?:\.\d+))(?:e-?\d+)?(?:deg|grad|rad|turn)?)\s*?(?:,|\s)\s*?(-?(?:\d+(?:\.\d+)?|(?:\.\d+))(?:e-?\d+)?%)\s*?(?:,|\s)\s*?(-?(?:\d+(?:\.\d+)?|(?:\.\d+))(?:e-?\d+)?%)(?:\s*?(?:,|\/)\s*?\+?(-?(?:\d+(?:\.\d+)?|(?:\.\d+))(?:e-?\d+)?(%)?))?\s*?\)$/i,hueRe:/^(.+?)(deg|grad|rad|turn)$/i,_hue2deg:t=>{const e=t.match(l.hueRe);if(e){const[,t,i]=e;switch(i){case"grad":return s.Z.channel.clamp.h(.9*parseFloat(t));case"rad":return s.Z.channel.clamp.h(180*parseFloat(t)/Math.PI);case"turn":return s.Z.channel.clamp.h(360*parseFloat(t))}}return s.Z.channel.clamp.h(parseFloat(t))},parse:t=>{const e=t.charCodeAt(0);if(104!==e&&72!==e)return;const i=t.match(l.re);if(!i)return;const[,n,o,a,c,h]=i;return r.Z.set({h:l._hue2deg(n),s:s.Z.channel.clamp.s(parseFloat(o)),l:s.Z.channel.clamp.l(parseFloat(a)),a:c?s.Z.channel.clamp.a(h?parseFloat(c)/100:parseFloat(c)):1},t)},stringify:t=>{const{h:e,s:i,l:r,a:n}=t;return n<1?`hsla(${s.Z.lang.round(e)}, ${s.Z.lang.round(i)}%, ${s.Z.lang.round(r)}%, ${n})`:`hsl(${s.Z.lang.round(e)}, ${s.Z.lang.round(i)}%, ${s.Z.lang.round(r)}%)`}},c=l,h={colors:{aliceblue:"#f0f8ff",antiquewhite:"#faebd7",aqua:"#00ffff",aquamarine:"#7fffd4",azure:"#f0ffff",beige:"#f5f5dc",bisque:"#ffe4c4",black:"#000000",blanchedalmond:"#ffebcd",blue:"#0000ff",blueviolet:"#8a2be2",brown:"#a52a2a",burlywood:"#deb887",cadetblue:"#5f9ea0",chartreuse:"#7fff00",chocolate:"#d2691e",coral:"#ff7f50",cornflowerblue:"#6495ed",cornsilk:"#fff8dc",crimson:"#dc143c",cyanaqua:"#00ffff",darkblue:"#00008b",darkcyan:"#008b8b",darkgoldenrod:"#b8860b",darkgray:"#a9a9a9",darkgreen:"#006400",darkgrey:"#a9a9a9",darkkhaki:"#bdb76b",darkmagenta:"#8b008b",darkolivegreen:"#556b2f",darkorange:"#ff8c00",darkorchid:"#9932cc",darkred:"#8b0000",darksalmon:"#e9967a",darkseagreen:"#8fbc8f",darkslateblue:"#483d8b",darkslategray:"#2f4f4f",darkslategrey:"#2f4f4f",darkturquoise:"#00ced1",darkviolet:"#9400d3",deeppink:"#ff1493",deepskyblue:"#00bfff",dimgray:"#696969",dimgrey:"#696969",dodgerblue:"#1e90ff",firebrick:"#b22222",floralwhite:"#fffaf0",forestgreen:"#228b22",fuchsia:"#ff00ff",gainsboro:"#dcdcdc",ghostwhite:"#f8f8ff",gold:"#ffd700",goldenrod:"#daa520",gray:"#808080",green:"#008000",greenyellow:"#adff2f",grey:"#808080",honeydew:"#f0fff0",hotpink:"#ff69b4",indianred:"#cd5c5c",indigo:"#4b0082",ivory:"#fffff0",khaki:"#f0e68c",lavender:"#e6e6fa",lavenderblush:"#fff0f5",lawngreen:"#7cfc00",lemonchiffon:"#fffacd",lightblue:"#add8e6",lightcoral:"#f08080",lightcyan:"#e0ffff",lightgoldenrodyellow:"#fafad2",lightgray:"#d3d3d3",lightgreen:"#90ee90",lightgrey:"#d3d3d3",lightpink:"#ffb6c1",lightsalmon:"#ffa07a",lightseagreen:"#20b2aa",lightskyblue:"#87cefa",lightslategray:"#778899",lightslategrey:"#778899",lightsteelblue:"#b0c4de",lightyellow:"#ffffe0",lime:"#00ff00",limegreen:"#32cd32",linen:"#faf0e6",magenta:"#ff00ff",maroon:"#800000",mediumaquamarine:"#66cdaa",mediumblue:"#0000cd",mediumorchid:"#ba55d3",mediumpurple:"#9370db",mediumseagreen:"#3cb371",mediumslateblue:"#7b68ee",mediumspringgreen:"#00fa9a",mediumturquoise:"#48d1cc",mediumvioletred:"#c71585",midnightblue:"#191970",mintcream:"#f5fffa",mistyrose:"#ffe4e1",moccasin:"#ffe4b5",navajowhite:"#ffdead",navy:"#000080",oldlace:"#fdf5e6",olive:"#808000",olivedrab:"#6b8e23",orange:"#ffa500",orangered:"#ff4500",orchid:"#da70d6",palegoldenrod:"#eee8aa",palegreen:"#98fb98",paleturquoise:"#afeeee",palevioletred:"#db7093",papayawhip:"#ffefd5",peachpuff:"#ffdab9",peru:"#cd853f",pink:"#ffc0cb",plum:"#dda0dd",powderblue:"#b0e0e6",purple:"#800080",rebeccapurple:"#663399",red:"#ff0000",rosybrown:"#bc8f8f",royalblue:"#4169e1",saddlebrown:"#8b4513",salmon:"#fa8072",sandybrown:"#f4a460",seagreen:"#2e8b57",seashell:"#fff5ee",sienna:"#a0522d",silver:"#c0c0c0",skyblue:"#87ceeb",slateblue:"#6a5acd",slategray:"#708090",slategrey:"#708090",snow:"#fffafa",springgreen:"#00ff7f",tan:"#d2b48c",teal:"#008080",thistle:"#d8bfd8",transparent:"#00000000",turquoise:"#40e0d0",violet:"#ee82ee",wheat:"#f5deb3",white:"#ffffff",whitesmoke:"#f5f5f5",yellow:"#ffff00",yellowgreen:"#9acd32"},parse:t=>{t=t.toLowerCase();const e=h.colors[t];if(e)return a.parse(e)},stringify:t=>{const e=a.stringify(t);for(const i in h.colors)if(h.colors[i]===e)return i}},u=h,d={re:/^rgba?\(\s*?(-?(?:\d+(?:\.\d+)?|(?:\.\d+))(?:e\d+)?(%?))\s*?(?:,|\s)\s*?(-?(?:\d+(?:\.\d+)?|(?:\.\d+))(?:e\d+)?(%?))\s*?(?:,|\s)\s*?(-?(?:\d+(?:\.\d+)?|(?:\.\d+))(?:e\d+)?(%?))(?:\s*?(?:,|\/)\s*?\+?(-?(?:\d+(?:\.\d+)?|(?:\.\d+))(?:e\d+)?(%?)))?\s*?\)$/i,parse:t=>{const e=t.charCodeAt(0);if(114!==e&&82!==e)return;const i=t.match(d.re);if(!i)return;const[,n,o,a,l,c,h,u,f]=i;return r.Z.set({r:s.Z.channel.clamp.r(o?2.55*parseFloat(n):parseFloat(n)),g:s.Z.channel.clamp.g(l?2.55*parseFloat(a):parseFloat(a)),b:s.Z.channel.clamp.b(h?2.55*parseFloat(c):parseFloat(c)),a:u?s.Z.channel.clamp.a(f?parseFloat(u)/100:parseFloat(u)):1},t)},stringify:t=>{const{r:e,g:i,b:r,a:n}=t;return n<1?`rgba(${s.Z.lang.round(e)}, ${s.Z.lang.round(i)}, ${s.Z.lang.round(r)}, ${s.Z.lang.round(n)})`:`rgb(${s.Z.lang.round(e)}, ${s.Z.lang.round(i)}, ${s.Z.lang.round(r)})`}},f=d,p={format:{keyword:h,hex:a,rgb:d,rgba:d,hsl:l,hsla:l},parse:t=>{if("string"!=typeof t)return t;const e=a.parse(t)||f.parse(t)||c.parse(t)||u.parse(t);if(e)return e;throw new Error(`Unsupported color format: "${t}"`)},stringify:t=>!t.changed&&t.color?t.color:t.type.is(n.w.HSL)||void 0===t.data.r?c.stringify(t):t.a<1||!Number.isInteger(t.r)||!Number.isInteger(t.g)||!Number.isInteger(t.b)?f.stringify(t):a.stringify(t)},g=p},2142:(t,e,i)=>{"use strict";i.d(e,{Q:()=>n,w:()=>o});var r=i(1691);const n={};for(let a=0;a<=255;a++)n[a]=r.Z.unit.dec2hex(a);const o={ALL:0,RGB:1,HSL:2}},6174:(t,e,i)=>{"use strict";i.d(e,{Z:()=>o});var r=i(1691),n=i(1610);const o=(t,e,i)=>{const o=n.Z.parse(t),a=o[e],s=r.Z.channel.clamp[e](a+i);return a!==s&&(o[e]=s),n.Z.stringify(o)}},3438:(t,e,i)=>{"use strict";i.d(e,{Z:()=>o});var r=i(1691),n=i(1610);const o=(t,e)=>{const i=n.Z.parse(t);for(const n in e)i[n]=r.Z.channel.clamp[n](e[n]);return n.Z.stringify(i)}},7201:(t,e,i)=>{"use strict";i.d(e,{Z:()=>n});var r=i(6174);const n=(t,e)=>(0,r.Z)(t,"l",-e)},1619:(t,e,i)=>{"use strict";i.d(e,{Z:()=>s});var r=i(1691),n=i(1610);const o=t=>{const{r:e,g:i,b:o}=n.Z.parse(t),a=.2126*r.Z.channel.toLinear(e)+.7152*r.Z.channel.toLinear(i)+.0722*r.Z.channel.toLinear(o);return r.Z.lang.round(a)},a=t=>o(t)>=.5,s=t=>!a(t)},2281:(t,e,i)=>{"use strict";i.d(e,{Z:()=>n});var r=i(6174);const n=(t,e)=>(0,r.Z)(t,"l",e)},1117:(t,e,i)=>{"use strict";i.d(e,{Z:()=>s});var r=i(1691),n=i(1883),o=i(1610),a=i(3438);const s=(t,e,i=0,s=1)=>{if("number"!=typeof t)return(0,a.Z)(t,{a:e});const l=n.Z.set({r:r.Z.channel.clamp.r(t),g:r.Z.channel.clamp.g(e),b:r.Z.channel.clamp.b(i),a:r.Z.channel.clamp.a(s)});return o.Z.stringify(l)}},1691:(t,e,i)=>{"use strict";i.d(e,{Z:()=>n});const r={min:{r:0,g:0,b:0,s:0,l:0,a:0},max:{r:255,g:255,b:255,h:360,s:100,l:100,a:1},clamp:{r:t=>t>=255?255:t<0?0:t,g:t=>t>=255?255:t<0?0:t,b:t=>t>=255?255:t<0?0:t,h:t=>t%360,s:t=>t>=100?100:t<0?0:t,l:t=>t>=100?100:t<0?0:t,a:t=>t>=1?1:t<0?0:t},toLinear:t=>{const e=t/255;return t>.03928?Math.pow((e+.055)/1.055,2.4):e/12.92},hue2rgb:(t,e,i)=>(i<0&&(i+=1),i>1&&(i-=1),i<1/6?t+6*(e-t)*i:i<.5?e:i<2/3?t+(e-t)*(2/3-i)*6:t),hsl2rgb:({h:t,s:e,l:i},n)=>{if(!e)return 2.55*i;t/=360,e/=100;const o=(i/=100)<.5?i*(1+e):i+e-i*e,a=2*i-o;switch(n){case"r":return 255*r.hue2rgb(a,o,t+1/3);case"g":return 255*r.hue2rgb(a,o,t);case"b":return 255*r.hue2rgb(a,o,t-1/3)}},rgb2hsl:({r:t,g:e,b:i},r)=>{t/=255,e/=255,i/=255;const n=Math.max(t,e,i),o=Math.min(t,e,i),a=(n+o)/2;if("l"===r)return 100*a;if(n===o)return 0;const s=n-o;if("s"===r)return 100*(a>.5?s/(2-n-o):s/(n+o));switch(n){case t:return 60*((e-i)/s+(e<i?6:0));case e:return 60*((i-t)/s+2);case i:return 60*((t-e)/s+4);default:return-1}}},n={channel:r,lang:{clamp:(t,e,i)=>e>i?Math.min(e,Math.max(i,t)):Math.min(i,Math.max(e,t)),round:t=>Math.round(1e10*t)/1e10},unit:{dec2hex:t=>{const e=Math.round(t).toString(16);return e.length>1?e:`0${e}`}}}},7308:(t,e,i)=>{"use strict";i.d(e,{Z:()=>d});const r=function(){this.__data__=[],this.size=0};var n=i(9651);const o=function(t,e){for(var i=t.length;i--;)if((0,n.Z)(t[i][0],e))return i;return-1};var a=Array.prototype.splice;const s=function(t){var e=this.__data__,i=o(e,t);return!(i<0)&&(i==e.length-1?e.pop():a.call(e,i,1),--this.size,!0)};const l=function(t){var e=this.__data__,i=o(e,t);return i<0?void 0:e[i][1]};const c=function(t){return o(this.__data__,t)>-1};const h=function(t,e){var i=this.__data__,r=o(i,t);return r<0?(++this.size,i.push([t,e])):i[r][1]=e,this};function u(t){var e=-1,i=null==t?0:t.length;for(this.clear();++e<i;){var r=t[e];this.set(r[0],r[1])}}u.prototype.clear=r,u.prototype.delete=s,u.prototype.get=l,u.prototype.has=c,u.prototype.set=h;const d=u},6183:(t,e,i)=>{"use strict";i.d(e,{Z:()=>o});var r=i(2508),n=i(6092);const o=(0,r.Z)(n.Z,"Map")},7834:(t,e,i)=>{"use strict";i.d(e,{Z:()=>k});const r=(0,i(2508).Z)(Object,"create");const n=function(){this.__data__=r?r(null):{},this.size=0};const o=function(t){var e=this.has(t)&&delete this.__data__[t];return this.size-=e?1:0,e};var a=Object.prototype.hasOwnProperty;const s=function(t){var e=this.__data__;if(r){var i=e[t];return"__lodash_hash_undefined__"===i?void 0:i}return a.call(e,t)?e[t]:void 0};var l=Object.prototype.hasOwnProperty;const c=function(t){var e=this.__data__;return r?void 0!==e[t]:l.call(e,t)};const h=function(t,e){var i=this.__data__;return this.size+=this.has(t)?0:1,i[t]=r&&void 0===e?"__lodash_hash_undefined__":e,this};function u(t){var e=-1,i=null==t?0:t.length;for(this.clear();++e<i;){var r=t[e];this.set(r[0],r[1])}}u.prototype.clear=n,u.prototype.delete=o,u.prototype.get=s,u.prototype.has=c,u.prototype.set=h;const d=u;var f=i(7308),p=i(6183);const g=function(){this.size=0,this.__data__={hash:new d,map:new(p.Z||f.Z),string:new d}};const m=function(t){var e=typeof t;return"string"==e||"number"==e||"symbol"==e||"boolean"==e?"__proto__"!==t:null===t};const y=function(t,e){var i=t.__data__;return m(e)?i["string"==typeof e?"string":"hash"]:i.map};const x=function(t){var e=y(this,t).delete(t);return this.size-=e?1:0,e};const b=function(t){return y(this,t).get(t)};const C=function(t){return y(this,t).has(t)};const _=function(t,e){var i=y(this,t),r=i.size;return i.set(t,e),this.size+=i.size==r?0:1,this};function v(t){var e=-1,i=null==t?0:t.length;for(this.clear();++e<i;){var r=t[e];this.set(r[0],r[1])}}v.prototype.clear=g,v.prototype.delete=x,v.prototype.get=b,v.prototype.has=C,v.prototype.set=_;const k=v},3203:(t,e,i)=>{"use strict";i.d(e,{Z:()=>o});var r=i(2508),n=i(6092);const o=(0,r.Z)(n.Z,"Set")},1667:(t,e,i)=>{"use strict";i.d(e,{Z:()=>d});var r=i(7308);const n=function(){this.__data__=new r.Z,this.size=0};const o=function(t){var e=this.__data__,i=e.delete(t);return this.size=e.size,i};const a=function(t){return this.__data__.get(t)};const s=function(t){return this.__data__.has(t)};var l=i(6183),c=i(7834);const h=function(t,e){var i=this.__data__;if(i instanceof r.Z){var n=i.__data__;if(!l.Z||n.length<199)return n.push([t,e]),this.size=++i.size,this;i=this.__data__=new c.Z(n)}return i.set(t,e),this.size=i.size,this};function u(t){var e=this.__data__=new r.Z(t);this.size=e.size}u.prototype.clear=n,u.prototype.delete=o,u.prototype.get=a,u.prototype.has=s,u.prototype.set=h;const d=u},7685:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=i(6092).Z.Symbol},4073:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=i(6092).Z.Uint8Array},7668:(t,e,i)=>{"use strict";i.d(e,{Z:()=>h});const r=function(t,e){for(var i=-1,r=Array(t);++i<t;)r[i]=e(i);return r};var n=i(9169),o=i(7771),a=i(7008),s=i(6009),l=i(8843),c=Object.prototype.hasOwnProperty;const h=function(t,e){var i=(0,o.Z)(t),h=!i&&(0,n.Z)(t),u=!i&&!h&&(0,a.Z)(t),d=!i&&!h&&!u&&(0,l.Z)(t),f=i||h||u||d,p=f?r(t.length,String):[],g=p.length;for(var m in t)!e&&!c.call(t,m)||f&&("length"==m||u&&("offset"==m||"parent"==m)||d&&("buffer"==m||"byteLength"==m||"byteOffset"==m)||(0,s.Z)(m,g))||p.push(m);return p}},2954:(t,e,i)=>{"use strict";i.d(e,{Z:()=>a});var r=i(4752),n=i(9651),o=Object.prototype.hasOwnProperty;const a=function(t,e,i){var a=t[e];o.call(t,e)&&(0,n.Z)(a,i)&&(void 0!==i||e in t)||(0,r.Z)(t,e,i)}},4752:(t,e,i)=>{"use strict";i.d(e,{Z:()=>n});var r=i(7904);const n=function(t,e,i){"__proto__"==e&&r.Z?(0,r.Z)(t,e,{configurable:!0,enumerable:!0,value:i,writable:!0}):t[e]=i}},1395:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=function(t){return function(e,i,r){for(var n=-1,o=Object(e),a=r(e),s=a.length;s--;){var l=a[t?s:++n];if(!1===i(o[l],l,o))break}return e}}()},3589:(t,e,i)=>{"use strict";i.d(e,{Z:()=>d});var r=i(7685),n=Object.prototype,o=n.hasOwnProperty,a=n.toString,s=r.Z?r.Z.toStringTag:void 0;const l=function(t){var e=o.call(t,s),i=t[s];try{t[s]=void 0;var r=!0}catch(l){}var n=a.call(t);return r&&(e?t[s]=i:delete t[s]),n};var c=Object.prototype.toString;const h=function(t){return c.call(t)};var u=r.Z?r.Z.toStringTag:void 0;const d=function(t){return null==t?void 0===t?"[object Undefined]":"[object Null]":u&&u in Object(t)?l(t):h(t)}},9473:(t,e,i)=>{"use strict";i.d(e,{Z:()=>a});var r=i(2764);const n=(0,i(1851).Z)(Object.keys,Object);var o=Object.prototype.hasOwnProperty;const a=function(t){if(!(0,r.Z)(t))return n(t);var e=[];for(var i in Object(t))o.call(t,i)&&"constructor"!=i&&e.push(i);return e}},9581:(t,e,i)=>{"use strict";i.d(e,{Z:()=>a});var r=i(9203),n=i(1211),o=i(7227);const a=function(t,e){return(0,o.Z)((0,n.Z)(t,e,r.Z),t+"")}},1162:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=function(t){return function(e){return t(e)}}},1884:(t,e,i)=>{"use strict";i.d(e,{Z:()=>n});var r=i(4073);const n=function(t){var e=new t.constructor(t.byteLength);return new r.Z(e).set(new r.Z(t)),e}},1050:(t,e,i)=>{"use strict";i.d(e,{Z:()=>l});var r=i(6092),n="object"==typeof exports&&exports&&!exports.nodeType&&exports,o=n&&"object"==typeof module&&module&&!module.nodeType&&module,a=o&&o.exports===n?r.Z.Buffer:void 0,s=a?a.allocUnsafe:void 0;const l=function(t,e){if(e)return t.slice();var i=t.length,r=s?s(i):new t.constructor(i);return t.copy(r),r}},2701:(t,e,i)=>{"use strict";i.d(e,{Z:()=>n});var r=i(1884);const n=function(t,e){var i=e?(0,r.Z)(t.buffer):t.buffer;return new t.constructor(i,t.byteOffset,t.length)}},7215:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=function(t,e){var i=-1,r=t.length;for(e||(e=Array(r));++i<r;)e[i]=t[i];return e}},1899:(t,e,i)=>{"use strict";i.d(e,{Z:()=>o});var r=i(2954),n=i(4752);const o=function(t,e,i,o){var a=!i;i||(i={});for(var s=-1,l=e.length;++s<l;){var c=e[s],h=o?o(i[c],t[c],c,i,t):void 0;void 0===h&&(h=t[c]),a?(0,n.Z)(i,c,h):(0,r.Z)(i,c,h)}return i}},7904:(t,e,i)=>{"use strict";i.d(e,{Z:()=>n});var r=i(2508);const n=function(){try{var t=(0,r.Z)(Object,"defineProperty");return t({},"",{}),t}catch(e){}}()},3413:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r="object"==typeof global&&global&&global.Object===Object&&global},2508:(t,e,i)=>{"use strict";i.d(e,{Z:()=>x});var r=i(3234);const n=i(6092).Z["__core-js_shared__"];var o,a=(o=/[^.]+$/.exec(n&&n.keys&&n.keys.IE_PROTO||""))?"Symbol(src)_1."+o:"";const s=function(t){return!!a&&a in t};var l=i(7226),c=i(19),h=/^\[object .+?Constructor\]$/,u=Function.prototype,d=Object.prototype,f=u.toString,p=d.hasOwnProperty,g=RegExp("^"+f.call(p).replace(/[\\^$.*+?()[\]{}|]/g,"\\$&").replace(/hasOwnProperty|(function).*?(?=\\\()| for .+?(?=\\\])/g,"$1.*?")+"$");const m=function(t){return!(!(0,l.Z)(t)||s(t))&&((0,r.Z)(t)?g:h).test((0,c.Z)(t))};const y=function(t,e){return null==t?void 0:t[e]};const x=function(t,e){var i=y(t,e);return m(i)?i:void 0}},2513:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=(0,i(1851).Z)(Object.getPrototypeOf,Object)},3970:(t,e,i)=>{"use strict";i.d(e,{Z:()=>k});var r=i(2508),n=i(6092);const o=(0,r.Z)(n.Z,"DataView");var a=i(6183);const s=(0,r.Z)(n.Z,"Promise");var l=i(3203);const c=(0,r.Z)(n.Z,"WeakMap");var h=i(3589),u=i(19),d="[object Map]",f="[object Promise]",p="[object Set]",g="[object WeakMap]",m="[object DataView]",y=(0,u.Z)(o),x=(0,u.Z)(a.Z),b=(0,u.Z)(s),C=(0,u.Z)(l.Z),_=(0,u.Z)(c),v=h.Z;(o&&v(new o(new ArrayBuffer(1)))!=m||a.Z&&v(new a.Z)!=d||s&&v(s.resolve())!=f||l.Z&&v(new l.Z)!=p||c&&v(new c)!=g)&&(v=function(t){var e=(0,h.Z)(t),i="[object Object]"==e?t.constructor:void 0,r=i?(0,u.Z)(i):"";if(r)switch(r){case y:return m;case x:return d;case b:return f;case C:return p;case _:return g}return e});const k=v},3658:(t,e,i)=>{"use strict";i.d(e,{Z:()=>l});var r=i(7226),n=Object.create;const o=function(){function t(){}return function(e){if(!(0,r.Z)(e))return{};if(n)return n(e);t.prototype=e;var i=new t;return t.prototype=void 0,i}}();var a=i(2513),s=i(2764);const l=function(t){return"function"!=typeof t.constructor||(0,s.Z)(t)?{}:o((0,a.Z)(t))}},6009:(t,e,i)=>{"use strict";i.d(e,{Z:()=>n});var r=/^(?:0|[1-9]\d*)$/;const n=function(t,e){var i=typeof t;return!!(e=null==e?9007199254740991:e)&&("number"==i||"symbol"!=i&&r.test(t))&&t>-1&&t%1==0&&t<e}},439:(t,e,i)=>{"use strict";i.d(e,{Z:()=>s});var r=i(9651),n=i(585),o=i(6009),a=i(7226);const s=function(t,e,i){if(!(0,a.Z)(i))return!1;var s=typeof e;return!!("number"==s?(0,n.Z)(i)&&(0,o.Z)(e,i.length):"string"==s&&e in i)&&(0,r.Z)(i[e],t)}},2764:(t,e,i)=>{"use strict";i.d(e,{Z:()=>n});var r=Object.prototype;const n=function(t){var e=t&&t.constructor;return t===("function"==typeof e&&e.prototype||r)}},8351:(t,e,i)=>{"use strict";i.d(e,{Z:()=>s});var r=i(3413),n="object"==typeof exports&&exports&&!exports.nodeType&&exports,o=n&&"object"==typeof module&&module&&!module.nodeType&&module,a=o&&o.exports===n&&r.Z.process;const s=function(){try{var t=o&&o.require&&o.require("util").types;return t||a&&a.binding&&a.binding("util")}catch(e){}}()},1851:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=function(t,e){return function(i){return t(e(i))}}},1211:(t,e,i)=>{"use strict";i.d(e,{Z:()=>o});const r=function(t,e,i){switch(i.length){case 0:return t.call(e);case 1:return t.call(e,i[0]);case 2:return t.call(e,i[0],i[1]);case 3:return t.call(e,i[0],i[1],i[2])}return t.apply(e,i)};var n=Math.max;const o=function(t,e,i){return e=n(void 0===e?t.length-1:e,0),function(){for(var o=arguments,a=-1,s=n(o.length-e,0),l=Array(s);++a<s;)l[a]=o[e+a];a=-1;for(var c=Array(e+1);++a<e;)c[a]=o[a];return c[e]=i(l),r(t,this,c)}}},6092:(t,e,i)=>{"use strict";i.d(e,{Z:()=>o});var r=i(3413),n="object"==typeof self&&self&&self.Object===Object&&self;const o=r.Z||n||Function("return this")()},7227:(t,e,i)=>{"use strict";i.d(e,{Z:()=>l});var r=i(2002),n=i(7904),o=i(9203);const a=n.Z?function(t,e){return(0,n.Z)(t,"toString",{configurable:!0,enumerable:!1,value:(0,r.Z)(e),writable:!0})}:o.Z;var s=Date.now;const l=function(t){var e=0,i=0;return function(){var r=s(),n=16-(r-i);if(i=r,n>0){if(++e>=800)return arguments[0]}else e=0;return t.apply(void 0,arguments)}}(a)},19:(t,e,i)=>{"use strict";i.d(e,{Z:()=>n});var r=Function.prototype.toString;const n=function(t){if(null!=t){try{return r.call(t)}catch(e){}try{return t+""}catch(e){}}return""}},2002:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=function(t){return function(){return t}}},9651:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=function(t,e){return t===e||t!=t&&e!=e}},9203:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=function(t){return t}},9169:(t,e,i)=>{"use strict";i.d(e,{Z:()=>c});var r=i(3589),n=i(8533);const o=function(t){return(0,n.Z)(t)&&"[object Arguments]"==(0,r.Z)(t)};var a=Object.prototype,s=a.hasOwnProperty,l=a.propertyIsEnumerable;const c=o(function(){return arguments}())?o:function(t){return(0,n.Z)(t)&&s.call(t,"callee")&&!l.call(t,"callee")}},7771:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=Array.isArray},585:(t,e,i)=>{"use strict";i.d(e,{Z:()=>o});var r=i(3234),n=i(1656);const o=function(t){return null!=t&&(0,n.Z)(t.length)&&!(0,r.Z)(t)}},836:(t,e,i)=>{"use strict";i.d(e,{Z:()=>o});var r=i(585),n=i(8533);const o=function(t){return(0,n.Z)(t)&&(0,r.Z)(t)}},7008:(t,e,i)=>{"use strict";i.d(e,{Z:()=>l});var r=i(6092);const n=function(){return!1};var o="object"==typeof exports&&exports&&!exports.nodeType&&exports,a=o&&"object"==typeof module&&module&&!module.nodeType&&module,s=a&&a.exports===o?r.Z.Buffer:void 0;const l=(s?s.isBuffer:void 0)||n},9697:(t,e,i)=>{"use strict";i.d(e,{Z:()=>d});var r=i(9473),n=i(3970),o=i(9169),a=i(7771),s=i(585),l=i(7008),c=i(2764),h=i(8843),u=Object.prototype.hasOwnProperty;const d=function(t){if(null==t)return!0;if((0,s.Z)(t)&&((0,a.Z)(t)||"string"==typeof t||"function"==typeof t.splice||(0,l.Z)(t)||(0,h.Z)(t)||(0,o.Z)(t)))return!t.length;var e=(0,n.Z)(t);if("[object Map]"==e||"[object Set]"==e)return!t.size;if((0,c.Z)(t))return!(0,r.Z)(t).length;for(var i in t)if(u.call(t,i))return!1;return!0}},3234:(t,e,i)=>{"use strict";i.d(e,{Z:()=>o});var r=i(3589),n=i(7226);const o=function(t){if(!(0,n.Z)(t))return!1;var e=(0,r.Z)(t);return"[object Function]"==e||"[object GeneratorFunction]"==e||"[object AsyncFunction]"==e||"[object Proxy]"==e}},1656:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=function(t){return"number"==typeof t&&t>-1&&t%1==0&&t<=9007199254740991}},7226:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=function(t){var e=typeof t;return null!=t&&("object"==e||"function"==e)}},8533:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=function(t){return null!=t&&"object"==typeof t}},7514:(t,e,i)=>{"use strict";i.d(e,{Z:()=>u});var r=i(3589),n=i(2513),o=i(8533),a=Function.prototype,s=Object.prototype,l=a.toString,c=s.hasOwnProperty,h=l.call(Object);const u=function(t){if(!(0,o.Z)(t)||"[object Object]"!=(0,r.Z)(t))return!1;var e=(0,n.Z)(t);if(null===e)return!0;var i=c.call(e,"constructor")&&e.constructor;return"function"==typeof i&&i instanceof i&&l.call(i)==h}},8843:(t,e,i)=>{"use strict";i.d(e,{Z:()=>u});var r=i(3589),n=i(1656),o=i(8533),a={};a["[object Float32Array]"]=a["[object Float64Array]"]=a["[object Int8Array]"]=a["[object Int16Array]"]=a["[object Int32Array]"]=a["[object Uint8Array]"]=a["[object Uint8ClampedArray]"]=a["[object Uint16Array]"]=a["[object Uint32Array]"]=!0,a["[object Arguments]"]=a["[object Array]"]=a["[object ArrayBuffer]"]=a["[object Boolean]"]=a["[object DataView]"]=a["[object Date]"]=a["[object Error]"]=a["[object Function]"]=a["[object Map]"]=a["[object Number]"]=a["[object Object]"]=a["[object RegExp]"]=a["[object Set]"]=a["[object String]"]=a["[object WeakMap]"]=!1;const s=function(t){return(0,o.Z)(t)&&(0,n.Z)(t.length)&&!!a[(0,r.Z)(t)]};var l=i(1162),c=i(8351),h=c.Z&&c.Z.isTypedArray;const u=h?(0,l.Z)(h):s},2957:(t,e,i)=>{"use strict";i.d(e,{Z:()=>h});var r=i(7668),n=i(7226),o=i(2764);const a=function(t){var e=[];if(null!=t)for(var i in Object(t))e.push(i);return e};var s=Object.prototype.hasOwnProperty;const l=function(t){if(!(0,n.Z)(t))return a(t);var e=(0,o.Z)(t),i=[];for(var r in t)("constructor"!=r||!e&&s.call(t,r))&&i.push(r);return i};var c=i(585);const h=function(t){return(0,c.Z)(t)?(0,r.Z)(t,!0):l(t)}},2454:(t,e,i)=>{"use strict";i.d(e,{Z:()=>o});var r=i(7834);function n(t,e){if("function"!=typeof t||null!=e&&"function"!=typeof e)throw new TypeError("Expected a function");var i=function(){var r=arguments,n=e?e.apply(this,r):r[0],o=i.cache;if(o.has(n))return o.get(n);var a=t.apply(this,r);return i.cache=o.set(n,a)||o,a};return i.cache=new(n.Cache||r.Z),i}n.Cache=r.Z;const o=n},9236:(t,e,i)=>{"use strict";i.d(e,{Z:()=>F});var r=i(1667),n=i(4752),o=i(9651);const a=function(t,e,i){(void 0!==i&&!(0,o.Z)(t[e],i)||void 0===i&&!(e in t))&&(0,n.Z)(t,e,i)};var s=i(1395),l=i(1050),c=i(2701),h=i(7215),u=i(3658),d=i(9169),f=i(7771),p=i(836),g=i(7008),m=i(3234),y=i(7226),x=i(7514),b=i(8843);const C=function(t,e){if(("constructor"!==e||"function"!=typeof t[e])&&"__proto__"!=e)return t[e]};var _=i(1899),v=i(2957);const k=function(t){return(0,_.Z)(t,(0,v.Z)(t))};const T=function(t,e,i,r,n,o,s){var _=C(t,i),v=C(e,i),T=s.get(v);if(T)a(t,i,T);else{var w=o?o(_,v,i+"",t,e,s):void 0,S=void 0===w;if(S){var B=(0,f.Z)(v),F=!B&&(0,g.Z)(v),L=!B&&!F&&(0,b.Z)(v);w=v,B||F||L?(0,f.Z)(_)?w=_:(0,p.Z)(_)?w=(0,h.Z)(_):F?(S=!1,w=(0,l.Z)(v,!0)):L?(S=!1,w=(0,c.Z)(v,!0)):w=[]:(0,x.Z)(v)||(0,d.Z)(v)?(w=_,(0,d.Z)(_)?w=k(_):(0,y.Z)(_)&&!(0,m.Z)(_)||(w=(0,u.Z)(v))):S=!1}S&&(s.set(v,w),n(w,v,r,o,s),s.delete(v)),a(t,i,w)}};const w=function t(e,i,n,o,l){e!==i&&(0,s.Z)(i,(function(s,c){if(l||(l=new r.Z),(0,y.Z)(s))T(e,i,c,n,t,o,l);else{var h=o?o(C(e,c),s,c+"",e,i,l):void 0;void 0===h&&(h=s),a(e,c,h)}}),v.Z)};var S=i(9581),B=i(439);const F=function(t){return(0,S.Z)((function(e,i){var r=-1,n=i.length,o=n>1?i[n-1]:void 0,a=n>2?i[2]:void 0;for(o=t.length>3&&"function"==typeof o?(n--,o):void 0,a&&(0,B.Z)(i[0],i[1],a)&&(o=n<3?void 0:o,n=1),e=Object(e);++r<n;){var s=i[r];s&&t(e,s,r,o)}return e}))}((function(t,e,i){w(t,e,i)}))},5322:(t,e,i)=>{"use strict";i.d(e,{A:()=>It,B:()=>me,C:()=>ge,D:()=>Ft,E:()=>Be,F:()=>er,G:()=>oe,H:()=>ht,I:()=>Mi,J:()=>qn,K:()=>Si,L:()=>to,Z:()=>Gt,a:()=>ki,b:()=>vi,c:()=>Li,d:()=>ft,e:()=>_t,f:()=>Vt,g:()=>_i,h:()=>ue,i:()=>ui,j:()=>he,k:()=>re,l:()=>st,m:()=>mt,n:()=>Kt,o:()=>di,p:()=>Ai,q:()=>Ti,r:()=>wi,s:()=>Ci,t:()=>bi,u:()=>ye,v:()=>yt,w:()=>le,x:()=>ae,y:()=>Ni,z:()=>Di});var r=i(8464),n=i(7484),o=i(7967),a=i(4218),s=i(7856),l=i(1610),c=i(3438);const h=(t,e)=>{const i=l.Z.parse(t),r={};for(const n in e)e[n]&&(r[n]=i[n]+e[n]);return(0,c.Z)(t,r)};var u=i(1117);const d=(t,e,i=50)=>{const{r:r,g:n,b:o,a:a}=l.Z.parse(t),{r:s,g:c,b:h,a:d}=l.Z.parse(e),f=i/100,p=2*f-1,g=a-d,m=((p*g==-1?p:(p+g)/(1+p*g))+1)/2,y=1-m,x=r*m+s*y,b=n*m+c*y,C=o*m+h*y,_=a*f+d*(1-f);return(0,u.Z)(x,b,C,_)},f=(t,e=100)=>{const i=l.Z.parse(t);return i.r=255-i.r,i.g=255-i.g,i.b=255-i.b,d(i,t,e)};var p=i(7201),g=i(2281),m=i(1619),y=i(2454),x=i(9236),b="comm",C="rule",_="decl",v=Math.abs,k=String.fromCharCode;Object.assign;function T(t){return t.trim()}function w(t,e,i){return t.replace(e,i)}function S(t,e){return t.indexOf(e)}function B(t,e){return 0|t.charCodeAt(e)}function F(t,e,i){return t.slice(e,i)}function L(t){return t.length}function A(t,e){return e.push(t),t}function M(t,e){for(var i="",r=0;r<t.length;r++)i+=e(t[r],r,t,e)||"";return i}function E(t,e,i,r){switch(t.type){case"@layer":if(t.children.length)break;case"@import":case _:return t.return=t.return||t.value;case b:return"";case"@keyframes":return t.return=t.value+"{"+M(t.children,r)+"}";case C:if(!L(t.value=t.props.join(",")))return""}return L(i=M(t.children,r))?t.return=t.value+"{"+i+"}":""}var N=1,j=1,Z=0,I=0,O=0,D="";function q(t,e,i,r,n,o,a,s){return{value:t,root:e,parent:i,type:r,props:n,children:o,line:N,column:j,length:a,return:"",siblings:s}}function $(){return O=I>0?B(D,--I):0,j--,10===O&&(j=1,N--),O}function z(){return O=I<Z?B(D,I++):0,j++,10===O&&(j=1,N++),O}function P(){return B(D,I)}function R(){return I}function H(t,e){return F(D,t,e)}function W(t){switch(t){case 0:case 9:case 10:case 13:case 32:return 5;case 33:case 43:case 44:case 47:case 62:case 64:case 126:case 59:case 123:case 125:return 4;case 58:return 3;case 34:case 39:case 40:case 91:return 2;case 41:case 93:return 1}return 0}function U(t){return N=j=1,Z=L(D=t),I=0,[]}function Y(t){return D="",t}function V(t){return T(H(I-1,J(91===t?t+2:40===t?t+1:t)))}function G(t){for(;(O=P())&&O<33;)z();return W(t)>2||W(O)>3?"":" "}function X(t,e){for(;--e&&z()&&!(O<48||O>102||O>57&&O<65||O>70&&O<97););return H(t,R()+(e<6&&32==P()&&32==z()))}function J(t){for(;z();)switch(O){case t:return I;case 34:case 39:34!==t&&39!==t&&J(O);break;case 40:41===t&&J(t);break;case 92:z()}return I}function Q(t,e){for(;z()&&t+O!==57&&(t+O!==84||47!==P()););return"/*"+H(e,I-1)+"*"+k(47===t?t:z())}function K(t){for(;!W(P());)z();return H(t,I)}function tt(t){return Y(et("",null,null,null,[""],t=U(t),0,[0],t))}function et(t,e,i,r,n,o,a,s,l){for(var c=0,h=0,u=a,d=0,f=0,p=0,g=1,m=1,y=1,x=0,b="",C=n,_=o,v=r,T=b;m;)switch(p=x,x=z()){case 40:if(108!=p&&58==B(T,u-1)){-1!=S(T+=w(V(x),"&","&\f"),"&\f")&&(y=-1);break}case 34:case 39:case 91:T+=V(x);break;case 9:case 10:case 13:case 32:T+=G(p);break;case 92:T+=X(R()-1,7);continue;case 47:switch(P()){case 42:case 47:A(rt(Q(z(),R()),e,i,l),l);break;default:T+="/"}break;case 123*g:s[c++]=L(T)*y;case 125*g:case 59:case 0:switch(x){case 0:case 125:m=0;case 59+h:-1==y&&(T=w(T,/\f/g,"")),f>0&&L(T)-u&&A(f>32?nt(T+";",r,i,u-1,l):nt(w(T," ","")+";",r,i,u-2,l),l);break;case 59:T+=";";default:if(A(v=it(T,e,i,c,h,n,s,b,C=[],_=[],u,o),o),123===x)if(0===h)et(T,e,v,v,C,o,u,s,_);else switch(99===d&&110===B(T,3)?100:d){case 100:case 108:case 109:case 115:et(t,v,v,r&&A(it(t,v,v,0,0,n,s,b,n,C=[],u,_),_),n,_,u,s,r?C:_);break;default:et(T,v,v,v,[""],_,0,s,_)}}c=h=f=0,g=y=1,b=T="",u=a;break;case 58:u=1+L(T),f=p;default:if(g<1)if(123==x)--g;else if(125==x&&0==g++&&125==$())continue;switch(T+=k(x),x*g){case 38:y=h>0?1:(T+="\f",-1);break;case 44:s[c++]=(L(T)-1)*y,y=1;break;case 64:45===P()&&(T+=V(z())),d=P(),h=u=L(b=T+=K(R())),x++;break;case 45:45===p&&2==L(T)&&(g=0)}}return o}function it(t,e,i,r,n,o,a,s,l,c,h,u){for(var d=n-1,f=0===n?o:[""],p=function(t){return t.length}(f),g=0,m=0,y=0;g<r;++g)for(var x=0,b=F(t,d+1,d=v(m=a[g])),_=t;x<p;++x)(_=T(m>0?f[x]+" "+b:w(b,/&\f/g,f[x])))&&(l[y++]=_);return q(t,e,i,0===n?C:s,l,c,h,u)}function rt(t,e,i,r){return q(t,e,i,b,k(O),F(t,2,-2),0,r)}function nt(t,e,i,r,n){return q(t,e,i,_,F(t,0,r),F(t,r+1,-1),r,n)}var ot=i(9697);const at={trace:0,debug:1,info:2,warn:3,error:4,fatal:5},st={trace:(...t)=>{},debug:(...t)=>{},info:(...t)=>{},warn:(...t)=>{},error:(...t)=>{},fatal:(...t)=>{}},lt=function(t="fatal"){let e=at.fatal;"string"==typeof t?(t=t.toLowerCase())in at&&(e=at[t]):"number"==typeof t&&(e=t),st.trace=()=>{},st.debug=()=>{},st.info=()=>{},st.warn=()=>{},st.error=()=>{},st.fatal=()=>{},e<=at.fatal&&(st.fatal=console.error?console.error.bind(console,ct("FATAL"),"color: orange"):console.log.bind(console,"\x1b[35m",ct("FATAL"))),e<=at.error&&(st.error=console.error?console.error.bind(console,ct("ERROR"),"color: orange"):console.log.bind(console,"\x1b[31m",ct("ERROR"))),e<=at.warn&&(st.warn=console.warn?console.warn.bind(console,ct("WARN"),"color: orange"):console.log.bind(console,"\x1b[33m",ct("WARN"))),e<=at.info&&(st.info=console.info?console.info.bind(console,ct("INFO"),"color: lightblue"):console.log.bind(console,"\x1b[34m",ct("INFO"))),e<=at.debug&&(st.debug=console.debug?console.debug.bind(console,ct("DEBUG"),"color: lightgreen"):console.log.bind(console,"\x1b[32m",ct("DEBUG"))),e<=at.trace&&(st.trace=console.debug?console.debug.bind(console,ct("TRACE"),"color: lightgreen"):console.log.bind(console,"\x1b[32m",ct("TRACE")))},ct=t=>`%c${n().format("ss.SSS")} : ${t} : `,ht=/<br\s*\/?>/gi,ut=t=>s.sanitize(t),dt=(t,e)=>{var i;if(!1!==(null==(i=e.flowchart)?void 0:i.htmlLabels)){const i=e.securityLevel;"antiscript"===i||"strict"===i?t=ut(t):"loose"!==i&&(t=(t=(t=gt(t)).replace(/</g,"<").replace(/>/g,">")).replace(/=/g,"="),t=pt(t))}return t},ft=(t,e)=>t?t=e.dompurifyConfig?s.sanitize(dt(t,e),e.dompurifyConfig).toString():s.sanitize(dt(t,e),{FORBID_TAGS:["style"]}).toString():t,pt=t=>t.replace(/#br#/g,"<br/>"),gt=t=>t.replace(ht,"#br#"),mt=t=>!1!==t&&!["false","null","0"].includes(String(t).trim().toLowerCase()),yt=function(t){const e=t.split(/(,)/),i=[];for(let r=0;r<e.length;r++){let t=e[r];if(","===t&&r>0&&r+1<e.length){const n=e[r-1],o=e[r+1];bt(n,o)&&(t=n+","+o,r++,i.pop())}i.push(Ct(t))}return i.join("")},xt=(t,e)=>Math.max(0,t.split(e).length-1),bt=(t,e)=>{const i=xt(t,"~"),r=xt(e,"~");return 1===i&&1===r},Ct=t=>{const e=xt(t,"~");let i=!1;if(e<=1)return t;e%2!=0&&t.startsWith("~")&&(t=t.substring(1),i=!0);const r=[...t];let n=r.indexOf("~"),o=r.lastIndexOf("~");for(;-1!==n&&-1!==o&&n!==o;)r[n]="<",r[o]=">",n=r.indexOf("~"),o=r.lastIndexOf("~");return i&&r.unshift("~"),r.join("")},_t={getRows:t=>{if(!t)return[""];return gt(t).replace(/\\n/g,"#br#").split("#br#")},sanitizeText:ft,sanitizeTextOrArray:(t,e)=>"string"==typeof t?ft(t,e):t.flat().map((t=>ft(t,e))),hasBreaks:t=>ht.test(t),splitBreaks:t=>t.split(ht),lineBreakRegex:ht,removeScript:ut,getUrl:t=>{let e="";return t&&(e=window.location.protocol+"//"+window.location.host+window.location.pathname+window.location.search,e=e.replaceAll(/\(/g,"\\("),e=e.replaceAll(/\)/g,"\\)")),e},evaluate:mt,getMax:function(...t){const e=t.filter((t=>!isNaN(t)));return Math.max(...e)},getMin:function(...t){const e=t.filter((t=>!isNaN(t)));return Math.min(...e)}},vt=(t,e)=>h(t,e?{s:-40,l:10}:{s:-40,l:-10}),kt="#ffffff",Tt="#f2f2f2";let wt=class{constructor(){this.background="#f4f4f4",this.primaryColor="#fff4dd",this.noteBkgColor="#fff5ad",this.noteTextColor="#333",this.THEME_COLOR_LIMIT=12,this.fontFamily='"trebuchet ms", verdana, arial, sans-serif',this.fontSize="16px"}updateColors(){var t,e,i,r,n,o,a,s,l,c,u;if(this.primaryTextColor=this.primaryTextColor||(this.darkMode?"#eee":"#333"),this.secondaryColor=this.secondaryColor||h(this.primaryColor,{h:-120}),this.tertiaryColor=this.tertiaryColor||h(this.primaryColor,{h:180,l:5}),this.primaryBorderColor=this.primaryBorderColor||vt(this.primaryColor,this.darkMode),this.secondaryBorderColor=this.secondaryBorderColor||vt(this.secondaryColor,this.darkMode),this.tertiaryBorderColor=this.tertiaryBorderColor||vt(this.tertiaryColor,this.darkMode),this.noteBorderColor=this.noteBorderColor||vt(this.noteBkgColor,this.darkMode),this.noteBkgColor=this.noteBkgColor||"#fff5ad",this.noteTextColor=this.noteTextColor||"#333",this.secondaryTextColor=this.secondaryTextColor||f(this.secondaryColor),this.tertiaryTextColor=this.tertiaryTextColor||f(this.tertiaryColor),this.lineColor=this.lineColor||f(this.background),this.arrowheadColor=this.arrowheadColor||f(this.background),this.textColor=this.textColor||this.primaryTextColor,this.border2=this.border2||this.tertiaryBorderColor,this.nodeBkg=this.nodeBkg||this.primaryColor,this.mainBkg=this.mainBkg||this.primaryColor,this.nodeBorder=this.nodeBorder||this.primaryBorderColor,this.clusterBkg=this.clusterBkg||this.tertiaryColor,this.clusterBorder=this.clusterBorder||this.tertiaryBorderColor,this.defaultLinkColor=this.defaultLinkColor||this.lineColor,this.titleColor=this.titleColor||this.tertiaryTextColor,this.edgeLabelBackground=this.edgeLabelBackground||(this.darkMode?(0,p.Z)(this.secondaryColor,30):this.secondaryColor),this.nodeTextColor=this.nodeTextColor||this.primaryTextColor,this.actorBorder=this.actorBorder||this.primaryBorderColor,this.actorBkg=this.actorBkg||this.mainBkg,this.actorTextColor=this.actorTextColor||this.primaryTextColor,this.actorLineColor=this.actorLineColor||"grey",this.labelBoxBkgColor=this.labelBoxBkgColor||this.actorBkg,this.signalColor=this.signalColor||this.textColor,this.signalTextColor=this.signalTextColor||this.textColor,this.labelBoxBorderColor=this.labelBoxBorderColor||this.actorBorder,this.labelTextColor=this.labelTextColor||this.actorTextColor,this.loopTextColor=this.loopTextColor||this.actorTextColor,this.activationBorderColor=this.activationBorderColor||(0,p.Z)(this.secondaryColor,10),this.activationBkgColor=this.activationBkgColor||this.secondaryColor,this.sequenceNumberColor=this.sequenceNumberColor||f(this.lineColor),this.sectionBkgColor=this.sectionBkgColor||this.tertiaryColor,this.altSectionBkgColor=this.altSectionBkgColor||"white",this.sectionBkgColor=this.sectionBkgColor||this.secondaryColor,this.sectionBkgColor2=this.sectionBkgColor2||this.primaryColor,this.excludeBkgColor=this.excludeBkgColor||"#eeeeee",this.taskBorderColor=this.taskBorderColor||this.primaryBorderColor,this.taskBkgColor=this.taskBkgColor||this.primaryColor,this.activeTaskBorderColor=this.activeTaskBorderColor||this.primaryColor,this.activeTaskBkgColor=this.activeTaskBkgColor||(0,g.Z)(this.primaryColor,23),this.gridColor=this.gridColor||"lightgrey",this.doneTaskBkgColor=this.doneTaskBkgColor||"lightgrey",this.doneTaskBorderColor=this.doneTaskBorderColor||"grey",this.critBorderColor=this.critBorderColor||"#ff8888",this.critBkgColor=this.critBkgColor||"red",this.todayLineColor=this.todayLineColor||"red",this.taskTextColor=this.taskTextColor||this.textColor,this.taskTextOutsideColor=this.taskTextOutsideColor||this.textColor,this.taskTextLightColor=this.taskTextLightColor||this.textColor,this.taskTextColor=this.taskTextColor||this.primaryTextColor,this.taskTextDarkColor=this.taskTextDarkColor||this.textColor,this.taskTextClickableColor=this.taskTextClickableColor||"#003163",this.personBorder=this.personBorder||this.primaryBorderColor,this.personBkg=this.personBkg||this.mainBkg,this.transitionColor=this.transitionColor||this.lineColor,this.transitionLabelColor=this.transitionLabelColor||this.textColor,this.stateLabelColor=this.stateLabelColor||this.stateBkg||this.primaryTextColor,this.stateBkg=this.stateBkg||this.mainBkg,this.labelBackgroundColor=this.labelBackgroundColor||this.stateBkg,this.compositeBackground=this.compositeBackground||this.background||this.tertiaryColor,this.altBackground=this.altBackground||this.tertiaryColor,this.compositeTitleBackground=this.compositeTitleBackground||this.mainBkg,this.compositeBorder=this.compositeBorder||this.nodeBorder,this.innerEndBackground=this.nodeBorder,this.errorBkgColor=this.errorBkgColor||this.tertiaryColor,this.errorTextColor=this.errorTextColor||this.tertiaryTextColor,this.transitionColor=this.transitionColor||this.lineColor,this.specialStateColor=this.lineColor,this.cScale0=this.cScale0||this.primaryColor,this.cScale1=this.cScale1||this.secondaryColor,this.cScale2=this.cScale2||this.tertiaryColor,this.cScale3=this.cScale3||h(this.primaryColor,{h:30}),this.cScale4=this.cScale4||h(this.primaryColor,{h:60}),this.cScale5=this.cScale5||h(this.primaryColor,{h:90}),this.cScale6=this.cScale6||h(this.primaryColor,{h:120}),this.cScale7=this.cScale7||h(this.primaryColor,{h:150}),this.cScale8=this.cScale8||h(this.primaryColor,{h:210,l:150}),this.cScale9=this.cScale9||h(this.primaryColor,{h:270}),this.cScale10=this.cScale10||h(this.primaryColor,{h:300}),this.cScale11=this.cScale11||h(this.primaryColor,{h:330}),this.darkMode)for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["cScale"+h]=(0,p.Z)(this["cScale"+h],75);else for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["cScale"+h]=(0,p.Z)(this["cScale"+h],25);for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["cScaleInv"+h]=this["cScaleInv"+h]||f(this["cScale"+h]);for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this.darkMode?this["cScalePeer"+h]=this["cScalePeer"+h]||(0,g.Z)(this["cScale"+h],10):this["cScalePeer"+h]=this["cScalePeer"+h]||(0,p.Z)(this["cScale"+h],10);this.scaleLabelColor=this.scaleLabelColor||this.labelTextColor;for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["cScaleLabel"+h]=this["cScaleLabel"+h]||this.scaleLabelColor;const d=this.darkMode?-4:-1;for(let f=0;f<5;f++)this["surface"+f]=this["surface"+f]||h(this.mainBkg,{h:180,s:-15,l:d*(5+3*f)}),this["surfacePeer"+f]=this["surfacePeer"+f]||h(this.mainBkg,{h:180,s:-15,l:d*(8+3*f)});this.classText=this.classText||this.textColor,this.fillType0=this.fillType0||this.primaryColor,this.fillType1=this.fillType1||this.secondaryColor,this.fillType2=this.fillType2||h(this.primaryColor,{h:64}),this.fillType3=this.fillType3||h(this.secondaryColor,{h:64}),this.fillType4=this.fillType4||h(this.primaryColor,{h:-64}),this.fillType5=this.fillType5||h(this.secondaryColor,{h:-64}),this.fillType6=this.fillType6||h(this.primaryColor,{h:128}),this.fillType7=this.fillType7||h(this.secondaryColor,{h:128}),this.pie1=this.pie1||this.primaryColor,this.pie2=this.pie2||this.secondaryColor,this.pie3=this.pie3||this.tertiaryColor,this.pie4=this.pie4||h(this.primaryColor,{l:-10}),this.pie5=this.pie5||h(this.secondaryColor,{l:-10}),this.pie6=this.pie6||h(this.tertiaryColor,{l:-10}),this.pie7=this.pie7||h(this.primaryColor,{h:60,l:-10}),this.pie8=this.pie8||h(this.primaryColor,{h:-60,l:-10}),this.pie9=this.pie9||h(this.primaryColor,{h:120,l:0}),this.pie10=this.pie10||h(this.primaryColor,{h:60,l:-20}),this.pie11=this.pie11||h(this.primaryColor,{h:-60,l:-20}),this.pie12=this.pie12||h(this.primaryColor,{h:120,l:-10}),this.pieTitleTextSize=this.pieTitleTextSize||"25px",this.pieTitleTextColor=this.pieTitleTextColor||this.taskTextDarkColor,this.pieSectionTextSize=this.pieSectionTextSize||"17px",this.pieSectionTextColor=this.pieSectionTextColor||this.textColor,this.pieLegendTextSize=this.pieLegendTextSize||"17px",this.pieLegendTextColor=this.pieLegendTextColor||this.taskTextDarkColor,this.pieStrokeColor=this.pieStrokeColor||"black",this.pieStrokeWidth=this.pieStrokeWidth||"2px",this.pieOuterStrokeWidth=this.pieOuterStrokeWidth||"2px",this.pieOuterStrokeColor=this.pieOuterStrokeColor||"black",this.pieOpacity=this.pieOpacity||"0.7",this.quadrant1Fill=this.quadrant1Fill||this.primaryColor,this.quadrant2Fill=this.quadrant2Fill||h(this.primaryColor,{r:5,g:5,b:5}),this.quadrant3Fill=this.quadrant3Fill||h(this.primaryColor,{r:10,g:10,b:10}),this.quadrant4Fill=this.quadrant4Fill||h(this.primaryColor,{r:15,g:15,b:15}),this.quadrant1TextFill=this.quadrant1TextFill||this.primaryTextColor,this.quadrant2TextFill=this.quadrant2TextFill||h(this.primaryTextColor,{r:-5,g:-5,b:-5}),this.quadrant3TextFill=this.quadrant3TextFill||h(this.primaryTextColor,{r:-10,g:-10,b:-10}),this.quadrant4TextFill=this.quadrant4TextFill||h(this.primaryTextColor,{r:-15,g:-15,b:-15}),this.quadrantPointFill=this.quadrantPointFill||(0,m.Z)(this.quadrant1Fill)?(0,g.Z)(this.quadrant1Fill):(0,p.Z)(this.quadrant1Fill),this.quadrantPointTextFill=this.quadrantPointTextFill||this.primaryTextColor,this.quadrantXAxisTextFill=this.quadrantXAxisTextFill||this.primaryTextColor,this.quadrantYAxisTextFill=this.quadrantYAxisTextFill||this.primaryTextColor,this.quadrantInternalBorderStrokeFill=this.quadrantInternalBorderStrokeFill||this.primaryBorderColor,this.quadrantExternalBorderStrokeFill=this.quadrantExternalBorderStrokeFill||this.primaryBorderColor,this.quadrantTitleFill=this.quadrantTitleFill||this.primaryTextColor,this.xyChart={backgroundColor:(null==(t=this.xyChart)?void 0:t.backgroundColor)||this.background,titleColor:(null==(e=this.xyChart)?void 0:e.titleColor)||this.primaryTextColor,xAxisTitleColor:(null==(i=this.xyChart)?void 0:i.xAxisTitleColor)||this.primaryTextColor,xAxisLabelColor:(null==(r=this.xyChart)?void 0:r.xAxisLabelColor)||this.primaryTextColor,xAxisTickColor:(null==(n=this.xyChart)?void 0:n.xAxisTickColor)||this.primaryTextColor,xAxisLineColor:(null==(o=this.xyChart)?void 0:o.xAxisLineColor)||this.primaryTextColor,yAxisTitleColor:(null==(a=this.xyChart)?void 0:a.yAxisTitleColor)||this.primaryTextColor,yAxisLabelColor:(null==(s=this.xyChart)?void 0:s.yAxisLabelColor)||this.primaryTextColor,yAxisTickColor:(null==(l=this.xyChart)?void 0:l.yAxisTickColor)||this.primaryTextColor,yAxisLineColor:(null==(c=this.xyChart)?void 0:c.yAxisLineColor)||this.primaryTextColor,plotColorPalette:(null==(u=this.xyChart)?void 0:u.plotColorPalette)||"#FFF4DD,#FFD8B1,#FFA07A,#ECEFF1,#D6DBDF,#C3E0A8,#FFB6A4,#FFD74D,#738FA7,#FFFFF0"},this.requirementBackground=this.requirementBackground||this.primaryColor,this.requirementBorderColor=this.requirementBorderColor||this.primaryBorderColor,this.requirementBorderSize=this.requirementBorderSize||"1",this.requirementTextColor=this.requirementTextColor||this.primaryTextColor,this.relationColor=this.relationColor||this.lineColor,this.relationLabelBackground=this.relationLabelBackground||(this.darkMode?(0,p.Z)(this.secondaryColor,30):this.secondaryColor),this.relationLabelColor=this.relationLabelColor||this.actorTextColor,this.git0=this.git0||this.primaryColor,this.git1=this.git1||this.secondaryColor,this.git2=this.git2||this.tertiaryColor,this.git3=this.git3||h(this.primaryColor,{h:-30}),this.git4=this.git4||h(this.primaryColor,{h:-60}),this.git5=this.git5||h(this.primaryColor,{h:-90}),this.git6=this.git6||h(this.primaryColor,{h:60}),this.git7=this.git7||h(this.primaryColor,{h:120}),this.darkMode?(this.git0=(0,g.Z)(this.git0,25),this.git1=(0,g.Z)(this.git1,25),this.git2=(0,g.Z)(this.git2,25),this.git3=(0,g.Z)(this.git3,25),this.git4=(0,g.Z)(this.git4,25),this.git5=(0,g.Z)(this.git5,25),this.git6=(0,g.Z)(this.git6,25),this.git7=(0,g.Z)(this.git7,25)):(this.git0=(0,p.Z)(this.git0,25),this.git1=(0,p.Z)(this.git1,25),this.git2=(0,p.Z)(this.git2,25),this.git3=(0,p.Z)(this.git3,25),this.git4=(0,p.Z)(this.git4,25),this.git5=(0,p.Z)(this.git5,25),this.git6=(0,p.Z)(this.git6,25),this.git7=(0,p.Z)(this.git7,25)),this.gitInv0=this.gitInv0||f(this.git0),this.gitInv1=this.gitInv1||f(this.git1),this.gitInv2=this.gitInv2||f(this.git2),this.gitInv3=this.gitInv3||f(this.git3),this.gitInv4=this.gitInv4||f(this.git4),this.gitInv5=this.gitInv5||f(this.git5),this.gitInv6=this.gitInv6||f(this.git6),this.gitInv7=this.gitInv7||f(this.git7),this.branchLabelColor=this.branchLabelColor||(this.darkMode?"black":this.labelTextColor),this.gitBranchLabel0=this.gitBranchLabel0||this.branchLabelColor,this.gitBranchLabel1=this.gitBranchLabel1||this.branchLabelColor,this.gitBranchLabel2=this.gitBranchLabel2||this.branchLabelColor,this.gitBranchLabel3=this.gitBranchLabel3||this.branchLabelColor,this.gitBranchLabel4=this.gitBranchLabel4||this.branchLabelColor,this.gitBranchLabel5=this.gitBranchLabel5||this.branchLabelColor,this.gitBranchLabel6=this.gitBranchLabel6||this.branchLabelColor,this.gitBranchLabel7=this.gitBranchLabel7||this.branchLabelColor,this.tagLabelColor=this.tagLabelColor||this.primaryTextColor,this.tagLabelBackground=this.tagLabelBackground||this.primaryColor,this.tagLabelBorder=this.tagBorder||this.primaryBorderColor,this.tagLabelFontSize=this.tagLabelFontSize||"10px",this.commitLabelColor=this.commitLabelColor||this.secondaryTextColor,this.commitLabelBackground=this.commitLabelBackground||this.secondaryColor,this.commitLabelFontSize=this.commitLabelFontSize||"10px",this.attributeBackgroundColorOdd=this.attributeBackgroundColorOdd||kt,this.attributeBackgroundColorEven=this.attributeBackgroundColorEven||Tt}calculate(t){if("object"!=typeof t)return void this.updateColors();const e=Object.keys(t);e.forEach((e=>{this[e]=t[e]})),this.updateColors(),e.forEach((e=>{this[e]=t[e]}))}};let St=class{constructor(){this.background="#333",this.primaryColor="#1f2020",this.secondaryColor=(0,g.Z)(this.primaryColor,16),this.tertiaryColor=h(this.primaryColor,{h:-160}),this.primaryBorderColor=f(this.background),this.secondaryBorderColor=vt(this.secondaryColor,this.darkMode),this.tertiaryBorderColor=vt(this.tertiaryColor,this.darkMode),this.primaryTextColor=f(this.primaryColor),this.secondaryTextColor=f(this.secondaryColor),this.tertiaryTextColor=f(this.tertiaryColor),this.lineColor=f(this.background),this.textColor=f(this.background),this.mainBkg="#1f2020",this.secondBkg="calculated",this.mainContrastColor="lightgrey",this.darkTextColor=(0,g.Z)(f("#323D47"),10),this.lineColor="calculated",this.border1="#81B1DB",this.border2=(0,u.Z)(255,255,255,.25),this.arrowheadColor="calculated",this.fontFamily='"trebuchet ms", verdana, arial, sans-serif',this.fontSize="16px",this.labelBackground="#181818",this.textColor="#ccc",this.THEME_COLOR_LIMIT=12,this.nodeBkg="calculated",this.nodeBorder="calculated",this.clusterBkg="calculated",this.clusterBorder="calculated",this.defaultLinkColor="calculated",this.titleColor="#F9FFFE",this.edgeLabelBackground="calculated",this.actorBorder="calculated",this.actorBkg="calculated",this.actorTextColor="calculated",this.actorLineColor="calculated",this.signalColor="calculated",this.signalTextColor="calculated",this.labelBoxBkgColor="calculated",this.labelBoxBorderColor="calculated",this.labelTextColor="calculated",this.loopTextColor="calculated",this.noteBorderColor="calculated",this.noteBkgColor="#fff5ad",this.noteTextColor="calculated",this.activationBorderColor="calculated",this.activationBkgColor="calculated",this.sequenceNumberColor="black",this.sectionBkgColor=(0,p.Z)("#EAE8D9",30),this.altSectionBkgColor="calculated",this.sectionBkgColor2="#EAE8D9",this.excludeBkgColor=(0,p.Z)(this.sectionBkgColor,10),this.taskBorderColor=(0,u.Z)(255,255,255,70),this.taskBkgColor="calculated",this.taskTextColor="calculated",this.taskTextLightColor="calculated",this.taskTextOutsideColor="calculated",this.taskTextClickableColor="#003163",this.activeTaskBorderColor=(0,u.Z)(255,255,255,50),this.activeTaskBkgColor="#81B1DB",this.gridColor="calculated",this.doneTaskBkgColor="calculated",this.doneTaskBorderColor="grey",this.critBorderColor="#E83737",this.critBkgColor="#E83737",this.taskTextDarkColor="calculated",this.todayLineColor="#DB5757",this.personBorder=this.primaryBorderColor,this.personBkg=this.mainBkg,this.labelColor="calculated",this.errorBkgColor="#a44141",this.errorTextColor="#ddd"}updateColors(){var t,e,i,r,n,o,a,s,l,c,u;this.secondBkg=(0,g.Z)(this.mainBkg,16),this.lineColor=this.mainContrastColor,this.arrowheadColor=this.mainContrastColor,this.nodeBkg=this.mainBkg,this.nodeBorder=this.border1,this.clusterBkg=this.secondBkg,this.clusterBorder=this.border2,this.defaultLinkColor=this.lineColor,this.edgeLabelBackground=(0,g.Z)(this.labelBackground,25),this.actorBorder=this.border1,this.actorBkg=this.mainBkg,this.actorTextColor=this.mainContrastColor,this.actorLineColor=this.mainContrastColor,this.signalColor=this.mainContrastColor,this.signalTextColor=this.mainContrastColor,this.labelBoxBkgColor=this.actorBkg,this.labelBoxBorderColor=this.actorBorder,this.labelTextColor=this.mainContrastColor,this.loopTextColor=this.mainContrastColor,this.noteBorderColor=this.secondaryBorderColor,this.noteBkgColor=this.secondBkg,this.noteTextColor=this.secondaryTextColor,this.activationBorderColor=this.border1,this.activationBkgColor=this.secondBkg,this.altSectionBkgColor=this.background,this.taskBkgColor=(0,g.Z)(this.mainBkg,23),this.taskTextColor=this.darkTextColor,this.taskTextLightColor=this.mainContrastColor,this.taskTextOutsideColor=this.taskTextLightColor,this.gridColor=this.mainContrastColor,this.doneTaskBkgColor=this.mainContrastColor,this.taskTextDarkColor=this.darkTextColor,this.transitionColor=this.transitionColor||this.lineColor,this.transitionLabelColor=this.transitionLabelColor||this.textColor,this.stateLabelColor=this.stateLabelColor||this.stateBkg||this.primaryTextColor,this.stateBkg=this.stateBkg||this.mainBkg,this.labelBackgroundColor=this.labelBackgroundColor||this.stateBkg,this.compositeBackground=this.compositeBackground||this.background||this.tertiaryColor,this.altBackground=this.altBackground||"#555",this.compositeTitleBackground=this.compositeTitleBackground||this.mainBkg,this.compositeBorder=this.compositeBorder||this.nodeBorder,this.innerEndBackground=this.primaryBorderColor,this.specialStateColor="#f4f4f4",this.errorBkgColor=this.errorBkgColor||this.tertiaryColor,this.errorTextColor=this.errorTextColor||this.tertiaryTextColor,this.fillType0=this.primaryColor,this.fillType1=this.secondaryColor,this.fillType2=h(this.primaryColor,{h:64}),this.fillType3=h(this.secondaryColor,{h:64}),this.fillType4=h(this.primaryColor,{h:-64}),this.fillType5=h(this.secondaryColor,{h:-64}),this.fillType6=h(this.primaryColor,{h:128}),this.fillType7=h(this.secondaryColor,{h:128}),this.cScale1=this.cScale1||"#0b0000",this.cScale2=this.cScale2||"#4d1037",this.cScale3=this.cScale3||"#3f5258",this.cScale4=this.cScale4||"#4f2f1b",this.cScale5=this.cScale5||"#6e0a0a",this.cScale6=this.cScale6||"#3b0048",this.cScale7=this.cScale7||"#995a01",this.cScale8=this.cScale8||"#154706",this.cScale9=this.cScale9||"#161722",this.cScale10=this.cScale10||"#00296f",this.cScale11=this.cScale11||"#01629c",this.cScale12=this.cScale12||"#010029",this.cScale0=this.cScale0||this.primaryColor,this.cScale1=this.cScale1||this.secondaryColor,this.cScale2=this.cScale2||this.tertiaryColor,this.cScale3=this.cScale3||h(this.primaryColor,{h:30}),this.cScale4=this.cScale4||h(this.primaryColor,{h:60}),this.cScale5=this.cScale5||h(this.primaryColor,{h:90}),this.cScale6=this.cScale6||h(this.primaryColor,{h:120}),this.cScale7=this.cScale7||h(this.primaryColor,{h:150}),this.cScale8=this.cScale8||h(this.primaryColor,{h:210}),this.cScale9=this.cScale9||h(this.primaryColor,{h:270}),this.cScale10=this.cScale10||h(this.primaryColor,{h:300}),this.cScale11=this.cScale11||h(this.primaryColor,{h:330});for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["cScaleInv"+h]=this["cScaleInv"+h]||f(this["cScale"+h]);for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["cScalePeer"+h]=this["cScalePeer"+h]||(0,g.Z)(this["cScale"+h],10);for(let d=0;d<5;d++)this["surface"+d]=this["surface"+d]||h(this.mainBkg,{h:30,s:-30,l:-(4*d-10)}),this["surfacePeer"+d]=this["surfacePeer"+d]||h(this.mainBkg,{h:30,s:-30,l:-(4*d-7)});this.scaleLabelColor=this.scaleLabelColor||(this.darkMode?"black":this.labelTextColor);for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["cScaleLabel"+h]=this["cScaleLabel"+h]||this.scaleLabelColor;for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["pie"+h]=this["cScale"+h];this.pieTitleTextSize=this.pieTitleTextSize||"25px",this.pieTitleTextColor=this.pieTitleTextColor||this.taskTextDarkColor,this.pieSectionTextSize=this.pieSectionTextSize||"17px",this.pieSectionTextColor=this.pieSectionTextColor||this.textColor,this.pieLegendTextSize=this.pieLegendTextSize||"17px",this.pieLegendTextColor=this.pieLegendTextColor||this.taskTextDarkColor,this.pieStrokeColor=this.pieStrokeColor||"black",this.pieStrokeWidth=this.pieStrokeWidth||"2px",this.pieOuterStrokeWidth=this.pieOuterStrokeWidth||"2px",this.pieOuterStrokeColor=this.pieOuterStrokeColor||"black",this.pieOpacity=this.pieOpacity||"0.7",this.quadrant1Fill=this.quadrant1Fill||this.primaryColor,this.quadrant2Fill=this.quadrant2Fill||h(this.primaryColor,{r:5,g:5,b:5}),this.quadrant3Fill=this.quadrant3Fill||h(this.primaryColor,{r:10,g:10,b:10}),this.quadrant4Fill=this.quadrant4Fill||h(this.primaryColor,{r:15,g:15,b:15}),this.quadrant1TextFill=this.quadrant1TextFill||this.primaryTextColor,this.quadrant2TextFill=this.quadrant2TextFill||h(this.primaryTextColor,{r:-5,g:-5,b:-5}),this.quadrant3TextFill=this.quadrant3TextFill||h(this.primaryTextColor,{r:-10,g:-10,b:-10}),this.quadrant4TextFill=this.quadrant4TextFill||h(this.primaryTextColor,{r:-15,g:-15,b:-15}),this.quadrantPointFill=this.quadrantPointFill||(0,m.Z)(this.quadrant1Fill)?(0,g.Z)(this.quadrant1Fill):(0,p.Z)(this.quadrant1Fill),this.quadrantPointTextFill=this.quadrantPointTextFill||this.primaryTextColor,this.quadrantXAxisTextFill=this.quadrantXAxisTextFill||this.primaryTextColor,this.quadrantYAxisTextFill=this.quadrantYAxisTextFill||this.primaryTextColor,this.quadrantInternalBorderStrokeFill=this.quadrantInternalBorderStrokeFill||this.primaryBorderColor,this.quadrantExternalBorderStrokeFill=this.quadrantExternalBorderStrokeFill||this.primaryBorderColor,this.quadrantTitleFill=this.quadrantTitleFill||this.primaryTextColor,this.xyChart={backgroundColor:(null==(t=this.xyChart)?void 0:t.backgroundColor)||this.background,titleColor:(null==(e=this.xyChart)?void 0:e.titleColor)||this.primaryTextColor,xAxisTitleColor:(null==(i=this.xyChart)?void 0:i.xAxisTitleColor)||this.primaryTextColor,xAxisLabelColor:(null==(r=this.xyChart)?void 0:r.xAxisLabelColor)||this.primaryTextColor,xAxisTickColor:(null==(n=this.xyChart)?void 0:n.xAxisTickColor)||this.primaryTextColor,xAxisLineColor:(null==(o=this.xyChart)?void 0:o.xAxisLineColor)||this.primaryTextColor,yAxisTitleColor:(null==(a=this.xyChart)?void 0:a.yAxisTitleColor)||this.primaryTextColor,yAxisLabelColor:(null==(s=this.xyChart)?void 0:s.yAxisLabelColor)||this.primaryTextColor,yAxisTickColor:(null==(l=this.xyChart)?void 0:l.yAxisTickColor)||this.primaryTextColor,yAxisLineColor:(null==(c=this.xyChart)?void 0:c.yAxisLineColor)||this.primaryTextColor,plotColorPalette:(null==(u=this.xyChart)?void 0:u.plotColorPalette)||"#3498db,#2ecc71,#e74c3c,#f1c40f,#bdc3c7,#ffffff,#34495e,#9b59b6,#1abc9c,#e67e22"},this.classText=this.primaryTextColor,this.requirementBackground=this.requirementBackground||this.primaryColor,this.requirementBorderColor=this.requirementBorderColor||this.primaryBorderColor,this.requirementBorderSize=this.requirementBorderSize||"1",this.requirementTextColor=this.requirementTextColor||this.primaryTextColor,this.relationColor=this.relationColor||this.lineColor,this.relationLabelBackground=this.relationLabelBackground||(this.darkMode?(0,p.Z)(this.secondaryColor,30):this.secondaryColor),this.relationLabelColor=this.relationLabelColor||this.actorTextColor,this.git0=(0,g.Z)(this.secondaryColor,20),this.git1=(0,g.Z)(this.pie2||this.secondaryColor,20),this.git2=(0,g.Z)(this.pie3||this.tertiaryColor,20),this.git3=(0,g.Z)(this.pie4||h(this.primaryColor,{h:-30}),20),this.git4=(0,g.Z)(this.pie5||h(this.primaryColor,{h:-60}),20),this.git5=(0,g.Z)(this.pie6||h(this.primaryColor,{h:-90}),10),this.git6=(0,g.Z)(this.pie7||h(this.primaryColor,{h:60}),10),this.git7=(0,g.Z)(this.pie8||h(this.primaryColor,{h:120}),20),this.gitInv0=this.gitInv0||f(this.git0),this.gitInv1=this.gitInv1||f(this.git1),this.gitInv2=this.gitInv2||f(this.git2),this.gitInv3=this.gitInv3||f(this.git3),this.gitInv4=this.gitInv4||f(this.git4),this.gitInv5=this.gitInv5||f(this.git5),this.gitInv6=this.gitInv6||f(this.git6),this.gitInv7=this.gitInv7||f(this.git7),this.gitBranchLabel0=this.gitBranchLabel0||f(this.labelTextColor),this.gitBranchLabel1=this.gitBranchLabel1||this.labelTextColor,this.gitBranchLabel2=this.gitBranchLabel2||this.labelTextColor,this.gitBranchLabel3=this.gitBranchLabel3||f(this.labelTextColor),this.gitBranchLabel4=this.gitBranchLabel4||this.labelTextColor,this.gitBranchLabel5=this.gitBranchLabel5||this.labelTextColor,this.gitBranchLabel6=this.gitBranchLabel6||this.labelTextColor,this.gitBranchLabel7=this.gitBranchLabel7||this.labelTextColor,this.tagLabelColor=this.tagLabelColor||this.primaryTextColor,this.tagLabelBackground=this.tagLabelBackground||this.primaryColor,this.tagLabelBorder=this.tagBorder||this.primaryBorderColor,this.tagLabelFontSize=this.tagLabelFontSize||"10px",this.commitLabelColor=this.commitLabelColor||this.secondaryTextColor,this.commitLabelBackground=this.commitLabelBackground||this.secondaryColor,this.commitLabelFontSize=this.commitLabelFontSize||"10px",this.attributeBackgroundColorOdd=this.attributeBackgroundColorOdd||(0,g.Z)(this.background,12),this.attributeBackgroundColorEven=this.attributeBackgroundColorEven||(0,g.Z)(this.background,2)}calculate(t){if("object"!=typeof t)return void this.updateColors();const e=Object.keys(t);e.forEach((e=>{this[e]=t[e]})),this.updateColors(),e.forEach((e=>{this[e]=t[e]}))}};let Bt=class{constructor(){this.background="#f4f4f4",this.primaryColor="#ECECFF",this.secondaryColor=h(this.primaryColor,{h:120}),this.secondaryColor="#ffffde",this.tertiaryColor=h(this.primaryColor,{h:-160}),this.primaryBorderColor=vt(this.primaryColor,this.darkMode),this.secondaryBorderColor=vt(this.secondaryColor,this.darkMode),this.tertiaryBorderColor=vt(this.tertiaryColor,this.darkMode),this.primaryTextColor=f(this.primaryColor),this.secondaryTextColor=f(this.secondaryColor),this.tertiaryTextColor=f(this.tertiaryColor),this.lineColor=f(this.background),this.textColor=f(this.background),this.background="white",this.mainBkg="#ECECFF",this.secondBkg="#ffffde",this.lineColor="#333333",this.border1="#9370DB",this.border2="#aaaa33",this.arrowheadColor="#333333",this.fontFamily='"trebuchet ms", verdana, arial, sans-serif',this.fontSize="16px",this.labelBackground="#e8e8e8",this.textColor="#333",this.THEME_COLOR_LIMIT=12,this.nodeBkg="calculated",this.nodeBorder="calculated",this.clusterBkg="calculated",this.clusterBorder="calculated",this.defaultLinkColor="calculated",this.titleColor="calculated",this.edgeLabelBackground="calculated",this.actorBorder="calculated",this.actorBkg="calculated",this.actorTextColor="black",this.actorLineColor="grey",this.signalColor="calculated",this.signalTextColor="calculated",this.labelBoxBkgColor="calculated",this.labelBoxBorderColor="calculated",this.labelTextColor="calculated",this.loopTextColor="calculated",this.noteBorderColor="calculated",this.noteBkgColor="#fff5ad",this.noteTextColor="calculated",this.activationBorderColor="#666",this.activationBkgColor="#f4f4f4",this.sequenceNumberColor="white",this.sectionBkgColor="calculated",this.altSectionBkgColor="calculated",this.sectionBkgColor2="calculated",this.excludeBkgColor="#eeeeee",this.taskBorderColor="calculated",this.taskBkgColor="calculated",this.taskTextLightColor="calculated",this.taskTextColor=this.taskTextLightColor,this.taskTextDarkColor="calculated",this.taskTextOutsideColor=this.taskTextDarkColor,this.taskTextClickableColor="calculated",this.activeTaskBorderColor="calculated",this.activeTaskBkgColor="calculated",this.gridColor="calculated",this.doneTaskBkgColor="calculated",this.doneTaskBorderColor="calculated",this.critBorderColor="calculated",this.critBkgColor="calculated",this.todayLineColor="calculated",this.sectionBkgColor=(0,u.Z)(102,102,255,.49),this.altSectionBkgColor="white",this.sectionBkgColor2="#fff400",this.taskBorderColor="#534fbc",this.taskBkgColor="#8a90dd",this.taskTextLightColor="white",this.taskTextColor="calculated",this.taskTextDarkColor="black",this.taskTextOutsideColor="calculated",this.taskTextClickableColor="#003163",this.activeTaskBorderColor="#534fbc",this.activeTaskBkgColor="#bfc7ff",this.gridColor="lightgrey",this.doneTaskBkgColor="lightgrey",this.doneTaskBorderColor="grey",this.critBorderColor="#ff8888",this.critBkgColor="red",this.todayLineColor="red",this.personBorder=this.primaryBorderColor,this.personBkg=this.mainBkg,this.labelColor="black",this.errorBkgColor="#552222",this.errorTextColor="#552222",this.updateColors()}updateColors(){var t,e,i,r,n,o,a,s,l,c,u;this.cScale0=this.cScale0||this.primaryColor,this.cScale1=this.cScale1||this.secondaryColor,this.cScale2=this.cScale2||this.tertiaryColor,this.cScale3=this.cScale3||h(this.primaryColor,{h:30}),this.cScale4=this.cScale4||h(this.primaryColor,{h:60}),this.cScale5=this.cScale5||h(this.primaryColor,{h:90}),this.cScale6=this.cScale6||h(this.primaryColor,{h:120}),this.cScale7=this.cScale7||h(this.primaryColor,{h:150}),this.cScale8=this.cScale8||h(this.primaryColor,{h:210}),this.cScale9=this.cScale9||h(this.primaryColor,{h:270}),this.cScale10=this.cScale10||h(this.primaryColor,{h:300}),this.cScale11=this.cScale11||h(this.primaryColor,{h:330}),this.cScalePeer1=this.cScalePeer1||(0,p.Z)(this.secondaryColor,45),this.cScalePeer2=this.cScalePeer2||(0,p.Z)(this.tertiaryColor,40);for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["cScale"+h]=(0,p.Z)(this["cScale"+h],10),this["cScalePeer"+h]=this["cScalePeer"+h]||(0,p.Z)(this["cScale"+h],25);for(let d=0;d<this.THEME_COLOR_LIMIT;d++)this["cScaleInv"+d]=this["cScaleInv"+d]||h(this["cScale"+d],{h:180});for(let d=0;d<5;d++)this["surface"+d]=this["surface"+d]||h(this.mainBkg,{h:30,l:-(5+5*d)}),this["surfacePeer"+d]=this["surfacePeer"+d]||h(this.mainBkg,{h:30,l:-(7+5*d)});if(this.scaleLabelColor="calculated"!==this.scaleLabelColor&&this.scaleLabelColor?this.scaleLabelColor:this.labelTextColor,"calculated"!==this.labelTextColor){this.cScaleLabel0=this.cScaleLabel0||f(this.labelTextColor),this.cScaleLabel3=this.cScaleLabel3||f(this.labelTextColor);for(let t=0;t<this.THEME_COLOR_LIMIT;t++)this["cScaleLabel"+t]=this["cScaleLabel"+t]||this.labelTextColor}this.nodeBkg=this.mainBkg,this.nodeBorder=this.border1,this.clusterBkg=this.secondBkg,this.clusterBorder=this.border2,this.defaultLinkColor=this.lineColor,this.titleColor=this.textColor,this.edgeLabelBackground=this.labelBackground,this.actorBorder=(0,g.Z)(this.border1,23),this.actorBkg=this.mainBkg,this.labelBoxBkgColor=this.actorBkg,this.signalColor=this.textColor,this.signalTextColor=this.textColor,this.labelBoxBorderColor=this.actorBorder,this.labelTextColor=this.actorTextColor,this.loopTextColor=this.actorTextColor,this.noteBorderColor=this.border2,this.noteTextColor=this.actorTextColor,this.taskTextColor=this.taskTextLightColor,this.taskTextOutsideColor=this.taskTextDarkColor,this.transitionColor=this.transitionColor||this.lineColor,this.transitionLabelColor=this.transitionLabelColor||this.textColor,this.stateLabelColor=this.stateLabelColor||this.stateBkg||this.primaryTextColor,this.stateBkg=this.stateBkg||this.mainBkg,this.labelBackgroundColor=this.labelBackgroundColor||this.stateBkg,this.compositeBackground=this.compositeBackground||this.background||this.tertiaryColor,this.altBackground=this.altBackground||"#f0f0f0",this.compositeTitleBackground=this.compositeTitleBackground||this.mainBkg,this.compositeBorder=this.compositeBorder||this.nodeBorder,this.innerEndBackground=this.nodeBorder,this.specialStateColor=this.lineColor,this.errorBkgColor=this.errorBkgColor||this.tertiaryColor,this.errorTextColor=this.errorTextColor||this.tertiaryTextColor,this.transitionColor=this.transitionColor||this.lineColor,this.classText=this.primaryTextColor,this.fillType0=this.primaryColor,this.fillType1=this.secondaryColor,this.fillType2=h(this.primaryColor,{h:64}),this.fillType3=h(this.secondaryColor,{h:64}),this.fillType4=h(this.primaryColor,{h:-64}),this.fillType5=h(this.secondaryColor,{h:-64}),this.fillType6=h(this.primaryColor,{h:128}),this.fillType7=h(this.secondaryColor,{h:128}),this.pie1=this.pie1||this.primaryColor,this.pie2=this.pie2||this.secondaryColor,this.pie3=this.pie3||h(this.tertiaryColor,{l:-40}),this.pie4=this.pie4||h(this.primaryColor,{l:-10}),this.pie5=this.pie5||h(this.secondaryColor,{l:-30}),this.pie6=this.pie6||h(this.tertiaryColor,{l:-20}),this.pie7=this.pie7||h(this.primaryColor,{h:60,l:-20}),this.pie8=this.pie8||h(this.primaryColor,{h:-60,l:-40}),this.pie9=this.pie9||h(this.primaryColor,{h:120,l:-40}),this.pie10=this.pie10||h(this.primaryColor,{h:60,l:-40}),this.pie11=this.pie11||h(this.primaryColor,{h:-90,l:-40}),this.pie12=this.pie12||h(this.primaryColor,{h:120,l:-30}),this.pieTitleTextSize=this.pieTitleTextSize||"25px",this.pieTitleTextColor=this.pieTitleTextColor||this.taskTextDarkColor,this.pieSectionTextSize=this.pieSectionTextSize||"17px",this.pieSectionTextColor=this.pieSectionTextColor||this.textColor,this.pieLegendTextSize=this.pieLegendTextSize||"17px",this.pieLegendTextColor=this.pieLegendTextColor||this.taskTextDarkColor,this.pieStrokeColor=this.pieStrokeColor||"black",this.pieStrokeWidth=this.pieStrokeWidth||"2px",this.pieOuterStrokeWidth=this.pieOuterStrokeWidth||"2px",this.pieOuterStrokeColor=this.pieOuterStrokeColor||"black",this.pieOpacity=this.pieOpacity||"0.7",this.quadrant1Fill=this.quadrant1Fill||this.primaryColor,this.quadrant2Fill=this.quadrant2Fill||h(this.primaryColor,{r:5,g:5,b:5}),this.quadrant3Fill=this.quadrant3Fill||h(this.primaryColor,{r:10,g:10,b:10}),this.quadrant4Fill=this.quadrant4Fill||h(this.primaryColor,{r:15,g:15,b:15}),this.quadrant1TextFill=this.quadrant1TextFill||this.primaryTextColor,this.quadrant2TextFill=this.quadrant2TextFill||h(this.primaryTextColor,{r:-5,g:-5,b:-5}),this.quadrant3TextFill=this.quadrant3TextFill||h(this.primaryTextColor,{r:-10,g:-10,b:-10}),this.quadrant4TextFill=this.quadrant4TextFill||h(this.primaryTextColor,{r:-15,g:-15,b:-15}),this.quadrantPointFill=this.quadrantPointFill||(0,m.Z)(this.quadrant1Fill)?(0,g.Z)(this.quadrant1Fill):(0,p.Z)(this.quadrant1Fill),this.quadrantPointTextFill=this.quadrantPointTextFill||this.primaryTextColor,this.quadrantXAxisTextFill=this.quadrantXAxisTextFill||this.primaryTextColor,this.quadrantYAxisTextFill=this.quadrantYAxisTextFill||this.primaryTextColor,this.quadrantInternalBorderStrokeFill=this.quadrantInternalBorderStrokeFill||this.primaryBorderColor,this.quadrantExternalBorderStrokeFill=this.quadrantExternalBorderStrokeFill||this.primaryBorderColor,this.quadrantTitleFill=this.quadrantTitleFill||this.primaryTextColor,this.xyChart={backgroundColor:(null==(t=this.xyChart)?void 0:t.backgroundColor)||this.background,titleColor:(null==(e=this.xyChart)?void 0:e.titleColor)||this.primaryTextColor,xAxisTitleColor:(null==(i=this.xyChart)?void 0:i.xAxisTitleColor)||this.primaryTextColor,xAxisLabelColor:(null==(r=this.xyChart)?void 0:r.xAxisLabelColor)||this.primaryTextColor,xAxisTickColor:(null==(n=this.xyChart)?void 0:n.xAxisTickColor)||this.primaryTextColor,xAxisLineColor:(null==(o=this.xyChart)?void 0:o.xAxisLineColor)||this.primaryTextColor,yAxisTitleColor:(null==(a=this.xyChart)?void 0:a.yAxisTitleColor)||this.primaryTextColor,yAxisLabelColor:(null==(s=this.xyChart)?void 0:s.yAxisLabelColor)||this.primaryTextColor,yAxisTickColor:(null==(l=this.xyChart)?void 0:l.yAxisTickColor)||this.primaryTextColor,yAxisLineColor:(null==(c=this.xyChart)?void 0:c.yAxisLineColor)||this.primaryTextColor,plotColorPalette:(null==(u=this.xyChart)?void 0:u.plotColorPalette)||"#ECECFF,#8493A6,#FFC3A0,#DCDDE1,#B8E994,#D1A36F,#C3CDE6,#FFB6C1,#496078,#F8F3E3"},this.requirementBackground=this.requirementBackground||this.primaryColor,this.requirementBorderColor=this.requirementBorderColor||this.primaryBorderColor,this.requirementBorderSize=this.requirementBorderSize||"1",this.requirementTextColor=this.requirementTextColor||this.primaryTextColor,this.relationColor=this.relationColor||this.lineColor,this.relationLabelBackground=this.relationLabelBackground||this.labelBackground,this.relationLabelColor=this.relationLabelColor||this.actorTextColor,this.git0=this.git0||this.primaryColor,this.git1=this.git1||this.secondaryColor,this.git2=this.git2||this.tertiaryColor,this.git3=this.git3||h(this.primaryColor,{h:-30}),this.git4=this.git4||h(this.primaryColor,{h:-60}),this.git5=this.git5||h(this.primaryColor,{h:-90}),this.git6=this.git6||h(this.primaryColor,{h:60}),this.git7=this.git7||h(this.primaryColor,{h:120}),this.darkMode?(this.git0=(0,g.Z)(this.git0,25),this.git1=(0,g.Z)(this.git1,25),this.git2=(0,g.Z)(this.git2,25),this.git3=(0,g.Z)(this.git3,25),this.git4=(0,g.Z)(this.git4,25),this.git5=(0,g.Z)(this.git5,25),this.git6=(0,g.Z)(this.git6,25),this.git7=(0,g.Z)(this.git7,25)):(this.git0=(0,p.Z)(this.git0,25),this.git1=(0,p.Z)(this.git1,25),this.git2=(0,p.Z)(this.git2,25),this.git3=(0,p.Z)(this.git3,25),this.git4=(0,p.Z)(this.git4,25),this.git5=(0,p.Z)(this.git5,25),this.git6=(0,p.Z)(this.git6,25),this.git7=(0,p.Z)(this.git7,25)),this.gitInv0=this.gitInv0||(0,p.Z)(f(this.git0),25),this.gitInv1=this.gitInv1||f(this.git1),this.gitInv2=this.gitInv2||f(this.git2),this.gitInv3=this.gitInv3||f(this.git3),this.gitInv4=this.gitInv4||f(this.git4),this.gitInv5=this.gitInv5||f(this.git5),this.gitInv6=this.gitInv6||f(this.git6),this.gitInv7=this.gitInv7||f(this.git7),this.gitBranchLabel0=this.gitBranchLabel0||f(this.labelTextColor),this.gitBranchLabel1=this.gitBranchLabel1||this.labelTextColor,this.gitBranchLabel2=this.gitBranchLabel2||this.labelTextColor,this.gitBranchLabel3=this.gitBranchLabel3||f(this.labelTextColor),this.gitBranchLabel4=this.gitBranchLabel4||this.labelTextColor,this.gitBranchLabel5=this.gitBranchLabel5||this.labelTextColor,this.gitBranchLabel6=this.gitBranchLabel6||this.labelTextColor,this.gitBranchLabel7=this.gitBranchLabel7||this.labelTextColor,this.tagLabelColor=this.tagLabelColor||this.primaryTextColor,this.tagLabelBackground=this.tagLabelBackground||this.primaryColor,this.tagLabelBorder=this.tagBorder||this.primaryBorderColor,this.tagLabelFontSize=this.tagLabelFontSize||"10px",this.commitLabelColor=this.commitLabelColor||this.secondaryTextColor,this.commitLabelBackground=this.commitLabelBackground||this.secondaryColor,this.commitLabelFontSize=this.commitLabelFontSize||"10px",this.attributeBackgroundColorOdd=this.attributeBackgroundColorOdd||kt,this.attributeBackgroundColorEven=this.attributeBackgroundColorEven||Tt}calculate(t){if("object"!=typeof t)return void this.updateColors();const e=Object.keys(t);e.forEach((e=>{this[e]=t[e]})),this.updateColors(),e.forEach((e=>{this[e]=t[e]}))}};const Ft=t=>{const e=new Bt;return e.calculate(t),e};let Lt=class{constructor(){this.background="#f4f4f4",this.primaryColor="#cde498",this.secondaryColor="#cdffb2",this.background="white",this.mainBkg="#cde498",this.secondBkg="#cdffb2",this.lineColor="green",this.border1="#13540c",this.border2="#6eaa49",this.arrowheadColor="green",this.fontFamily='"trebuchet ms", verdana, arial, sans-serif',this.fontSize="16px",this.tertiaryColor=(0,g.Z)("#cde498",10),this.primaryBorderColor=vt(this.primaryColor,this.darkMode),this.secondaryBorderColor=vt(this.secondaryColor,this.darkMode),this.tertiaryBorderColor=vt(this.tertiaryColor,this.darkMode),this.primaryTextColor=f(this.primaryColor),this.secondaryTextColor=f(this.secondaryColor),this.tertiaryTextColor=f(this.primaryColor),this.lineColor=f(this.background),this.textColor=f(this.background),this.THEME_COLOR_LIMIT=12,this.nodeBkg="calculated",this.nodeBorder="calculated",this.clusterBkg="calculated",this.clusterBorder="calculated",this.defaultLinkColor="calculated",this.titleColor="#333",this.edgeLabelBackground="#e8e8e8",this.actorBorder="calculated",this.actorBkg="calculated",this.actorTextColor="black",this.actorLineColor="grey",this.signalColor="#333",this.signalTextColor="#333",this.labelBoxBkgColor="calculated",this.labelBoxBorderColor="#326932",this.labelTextColor="calculated",this.loopTextColor="calculated",this.noteBorderColor="calculated",this.noteBkgColor="#fff5ad",this.noteTextColor="calculated",this.activationBorderColor="#666",this.activationBkgColor="#f4f4f4",this.sequenceNumberColor="white",this.sectionBkgColor="#6eaa49",this.altSectionBkgColor="white",this.sectionBkgColor2="#6eaa49",this.excludeBkgColor="#eeeeee",this.taskBorderColor="calculated",this.taskBkgColor="#487e3a",this.taskTextLightColor="white",this.taskTextColor="calculated",this.taskTextDarkColor="black",this.taskTextOutsideColor="calculated",this.taskTextClickableColor="#003163",this.activeTaskBorderColor="calculated",this.activeTaskBkgColor="calculated",this.gridColor="lightgrey",this.doneTaskBkgColor="lightgrey",this.doneTaskBorderColor="grey",this.critBorderColor="#ff8888",this.critBkgColor="red",this.todayLineColor="red",this.personBorder=this.primaryBorderColor,this.personBkg=this.mainBkg,this.labelColor="black",this.errorBkgColor="#552222",this.errorTextColor="#552222"}updateColors(){var t,e,i,r,n,o,a,s,l,c,u;this.actorBorder=(0,p.Z)(this.mainBkg,20),this.actorBkg=this.mainBkg,this.labelBoxBkgColor=this.actorBkg,this.labelTextColor=this.actorTextColor,this.loopTextColor=this.actorTextColor,this.noteBorderColor=this.border2,this.noteTextColor=this.actorTextColor,this.cScale0=this.cScale0||this.primaryColor,this.cScale1=this.cScale1||this.secondaryColor,this.cScale2=this.cScale2||this.tertiaryColor,this.cScale3=this.cScale3||h(this.primaryColor,{h:30}),this.cScale4=this.cScale4||h(this.primaryColor,{h:60}),this.cScale5=this.cScale5||h(this.primaryColor,{h:90}),this.cScale6=this.cScale6||h(this.primaryColor,{h:120}),this.cScale7=this.cScale7||h(this.primaryColor,{h:150}),this.cScale8=this.cScale8||h(this.primaryColor,{h:210}),this.cScale9=this.cScale9||h(this.primaryColor,{h:270}),this.cScale10=this.cScale10||h(this.primaryColor,{h:300}),this.cScale11=this.cScale11||h(this.primaryColor,{h:330}),this.cScalePeer1=this.cScalePeer1||(0,p.Z)(this.secondaryColor,45),this.cScalePeer2=this.cScalePeer2||(0,p.Z)(this.tertiaryColor,40);for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["cScale"+h]=(0,p.Z)(this["cScale"+h],10),this["cScalePeer"+h]=this["cScalePeer"+h]||(0,p.Z)(this["cScale"+h],25);for(let d=0;d<this.THEME_COLOR_LIMIT;d++)this["cScaleInv"+d]=this["cScaleInv"+d]||h(this["cScale"+d],{h:180});this.scaleLabelColor="calculated"!==this.scaleLabelColor&&this.scaleLabelColor?this.scaleLabelColor:this.labelTextColor;for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["cScaleLabel"+h]=this["cScaleLabel"+h]||this.scaleLabelColor;for(let d=0;d<5;d++)this["surface"+d]=this["surface"+d]||h(this.mainBkg,{h:30,s:-30,l:-(5+5*d)}),this["surfacePeer"+d]=this["surfacePeer"+d]||h(this.mainBkg,{h:30,s:-30,l:-(8+5*d)});this.nodeBkg=this.mainBkg,this.nodeBorder=this.border1,this.clusterBkg=this.secondBkg,this.clusterBorder=this.border2,this.defaultLinkColor=this.lineColor,this.taskBorderColor=this.border1,this.taskTextColor=this.taskTextLightColor,this.taskTextOutsideColor=this.taskTextDarkColor,this.activeTaskBorderColor=this.taskBorderColor,this.activeTaskBkgColor=this.mainBkg,this.transitionColor=this.transitionColor||this.lineColor,this.transitionLabelColor=this.transitionLabelColor||this.textColor,this.stateLabelColor=this.stateLabelColor||this.stateBkg||this.primaryTextColor,this.stateBkg=this.stateBkg||this.mainBkg,this.labelBackgroundColor=this.labelBackgroundColor||this.stateBkg,this.compositeBackground=this.compositeBackground||this.background||this.tertiaryColor,this.altBackground=this.altBackground||"#f0f0f0",this.compositeTitleBackground=this.compositeTitleBackground||this.mainBkg,this.compositeBorder=this.compositeBorder||this.nodeBorder,this.innerEndBackground=this.primaryBorderColor,this.specialStateColor=this.lineColor,this.errorBkgColor=this.errorBkgColor||this.tertiaryColor,this.errorTextColor=this.errorTextColor||this.tertiaryTextColor,this.transitionColor=this.transitionColor||this.lineColor,this.classText=this.primaryTextColor,this.fillType0=this.primaryColor,this.fillType1=this.secondaryColor,this.fillType2=h(this.primaryColor,{h:64}),this.fillType3=h(this.secondaryColor,{h:64}),this.fillType4=h(this.primaryColor,{h:-64}),this.fillType5=h(this.secondaryColor,{h:-64}),this.fillType6=h(this.primaryColor,{h:128}),this.fillType7=h(this.secondaryColor,{h:128}),this.pie1=this.pie1||this.primaryColor,this.pie2=this.pie2||this.secondaryColor,this.pie3=this.pie3||this.tertiaryColor,this.pie4=this.pie4||h(this.primaryColor,{l:-30}),this.pie5=this.pie5||h(this.secondaryColor,{l:-30}),this.pie6=this.pie6||h(this.tertiaryColor,{h:40,l:-40}),this.pie7=this.pie7||h(this.primaryColor,{h:60,l:-10}),this.pie8=this.pie8||h(this.primaryColor,{h:-60,l:-10}),this.pie9=this.pie9||h(this.primaryColor,{h:120,l:0}),this.pie10=this.pie10||h(this.primaryColor,{h:60,l:-50}),this.pie11=this.pie11||h(this.primaryColor,{h:-60,l:-50}),this.pie12=this.pie12||h(this.primaryColor,{h:120,l:-50}),this.pieTitleTextSize=this.pieTitleTextSize||"25px",this.pieTitleTextColor=this.pieTitleTextColor||this.taskTextDarkColor,this.pieSectionTextSize=this.pieSectionTextSize||"17px",this.pieSectionTextColor=this.pieSectionTextColor||this.textColor,this.pieLegendTextSize=this.pieLegendTextSize||"17px",this.pieLegendTextColor=this.pieLegendTextColor||this.taskTextDarkColor,this.pieStrokeColor=this.pieStrokeColor||"black",this.pieStrokeWidth=this.pieStrokeWidth||"2px",this.pieOuterStrokeWidth=this.pieOuterStrokeWidth||"2px",this.pieOuterStrokeColor=this.pieOuterStrokeColor||"black",this.pieOpacity=this.pieOpacity||"0.7",this.quadrant1Fill=this.quadrant1Fill||this.primaryColor,this.quadrant2Fill=this.quadrant2Fill||h(this.primaryColor,{r:5,g:5,b:5}),this.quadrant3Fill=this.quadrant3Fill||h(this.primaryColor,{r:10,g:10,b:10}),this.quadrant4Fill=this.quadrant4Fill||h(this.primaryColor,{r:15,g:15,b:15}),this.quadrant1TextFill=this.quadrant1TextFill||this.primaryTextColor,this.quadrant2TextFill=this.quadrant2TextFill||h(this.primaryTextColor,{r:-5,g:-5,b:-5}),this.quadrant3TextFill=this.quadrant3TextFill||h(this.primaryTextColor,{r:-10,g:-10,b:-10}),this.quadrant4TextFill=this.quadrant4TextFill||h(this.primaryTextColor,{r:-15,g:-15,b:-15}),this.quadrantPointFill=this.quadrantPointFill||(0,m.Z)(this.quadrant1Fill)?(0,g.Z)(this.quadrant1Fill):(0,p.Z)(this.quadrant1Fill),this.quadrantPointTextFill=this.quadrantPointTextFill||this.primaryTextColor,this.quadrantXAxisTextFill=this.quadrantXAxisTextFill||this.primaryTextColor,this.quadrantYAxisTextFill=this.quadrantYAxisTextFill||this.primaryTextColor,this.quadrantInternalBorderStrokeFill=this.quadrantInternalBorderStrokeFill||this.primaryBorderColor,this.quadrantExternalBorderStrokeFill=this.quadrantExternalBorderStrokeFill||this.primaryBorderColor,this.quadrantTitleFill=this.quadrantTitleFill||this.primaryTextColor,this.xyChart={backgroundColor:(null==(t=this.xyChart)?void 0:t.backgroundColor)||this.background,titleColor:(null==(e=this.xyChart)?void 0:e.titleColor)||this.primaryTextColor,xAxisTitleColor:(null==(i=this.xyChart)?void 0:i.xAxisTitleColor)||this.primaryTextColor,xAxisLabelColor:(null==(r=this.xyChart)?void 0:r.xAxisLabelColor)||this.primaryTextColor,xAxisTickColor:(null==(n=this.xyChart)?void 0:n.xAxisTickColor)||this.primaryTextColor,xAxisLineColor:(null==(o=this.xyChart)?void 0:o.xAxisLineColor)||this.primaryTextColor,yAxisTitleColor:(null==(a=this.xyChart)?void 0:a.yAxisTitleColor)||this.primaryTextColor,yAxisLabelColor:(null==(s=this.xyChart)?void 0:s.yAxisLabelColor)||this.primaryTextColor,yAxisTickColor:(null==(l=this.xyChart)?void 0:l.yAxisTickColor)||this.primaryTextColor,yAxisLineColor:(null==(c=this.xyChart)?void 0:c.yAxisLineColor)||this.primaryTextColor,plotColorPalette:(null==(u=this.xyChart)?void 0:u.plotColorPalette)||"#CDE498,#FF6B6B,#A0D2DB,#D7BDE2,#F0F0F0,#FFC3A0,#7FD8BE,#FF9A8B,#FAF3E0,#FFF176"},this.requirementBackground=this.requirementBackground||this.primaryColor,this.requirementBorderColor=this.requirementBorderColor||this.primaryBorderColor,this.requirementBorderSize=this.requirementBorderSize||"1",this.requirementTextColor=this.requirementTextColor||this.primaryTextColor,this.relationColor=this.relationColor||this.lineColor,this.relationLabelBackground=this.relationLabelBackground||this.edgeLabelBackground,this.relationLabelColor=this.relationLabelColor||this.actorTextColor,this.git0=this.git0||this.primaryColor,this.git1=this.git1||this.secondaryColor,this.git2=this.git2||this.tertiaryColor,this.git3=this.git3||h(this.primaryColor,{h:-30}),this.git4=this.git4||h(this.primaryColor,{h:-60}),this.git5=this.git5||h(this.primaryColor,{h:-90}),this.git6=this.git6||h(this.primaryColor,{h:60}),this.git7=this.git7||h(this.primaryColor,{h:120}),this.darkMode?(this.git0=(0,g.Z)(this.git0,25),this.git1=(0,g.Z)(this.git1,25),this.git2=(0,g.Z)(this.git2,25),this.git3=(0,g.Z)(this.git3,25),this.git4=(0,g.Z)(this.git4,25),this.git5=(0,g.Z)(this.git5,25),this.git6=(0,g.Z)(this.git6,25),this.git7=(0,g.Z)(this.git7,25)):(this.git0=(0,p.Z)(this.git0,25),this.git1=(0,p.Z)(this.git1,25),this.git2=(0,p.Z)(this.git2,25),this.git3=(0,p.Z)(this.git3,25),this.git4=(0,p.Z)(this.git4,25),this.git5=(0,p.Z)(this.git5,25),this.git6=(0,p.Z)(this.git6,25),this.git7=(0,p.Z)(this.git7,25)),this.gitInv0=this.gitInv0||f(this.git0),this.gitInv1=this.gitInv1||f(this.git1),this.gitInv2=this.gitInv2||f(this.git2),this.gitInv3=this.gitInv3||f(this.git3),this.gitInv4=this.gitInv4||f(this.git4),this.gitInv5=this.gitInv5||f(this.git5),this.gitInv6=this.gitInv6||f(this.git6),this.gitInv7=this.gitInv7||f(this.git7),this.gitBranchLabel0=this.gitBranchLabel0||f(this.labelTextColor),this.gitBranchLabel1=this.gitBranchLabel1||this.labelTextColor,this.gitBranchLabel2=this.gitBranchLabel2||this.labelTextColor,this.gitBranchLabel3=this.gitBranchLabel3||f(this.labelTextColor),this.gitBranchLabel4=this.gitBranchLabel4||this.labelTextColor,this.gitBranchLabel5=this.gitBranchLabel5||this.labelTextColor,this.gitBranchLabel6=this.gitBranchLabel6||this.labelTextColor,this.gitBranchLabel7=this.gitBranchLabel7||this.labelTextColor,this.tagLabelColor=this.tagLabelColor||this.primaryTextColor,this.tagLabelBackground=this.tagLabelBackground||this.primaryColor,this.tagLabelBorder=this.tagBorder||this.primaryBorderColor,this.tagLabelFontSize=this.tagLabelFontSize||"10px",this.commitLabelColor=this.commitLabelColor||this.secondaryTextColor,this.commitLabelBackground=this.commitLabelBackground||this.secondaryColor,this.commitLabelFontSize=this.commitLabelFontSize||"10px",this.attributeBackgroundColorOdd=this.attributeBackgroundColorOdd||kt,this.attributeBackgroundColorEven=this.attributeBackgroundColorEven||Tt}calculate(t){if("object"!=typeof t)return void this.updateColors();const e=Object.keys(t);e.forEach((e=>{this[e]=t[e]})),this.updateColors(),e.forEach((e=>{this[e]=t[e]}))}};class At{constructor(){this.primaryColor="#eee",this.contrast="#707070",this.secondaryColor=(0,g.Z)(this.contrast,55),this.background="#ffffff",this.tertiaryColor=h(this.primaryColor,{h:-160}),this.primaryBorderColor=vt(this.primaryColor,this.darkMode),this.secondaryBorderColor=vt(this.secondaryColor,this.darkMode),this.tertiaryBorderColor=vt(this.tertiaryColor,this.darkMode),this.primaryTextColor=f(this.primaryColor),this.secondaryTextColor=f(this.secondaryColor),this.tertiaryTextColor=f(this.tertiaryColor),this.lineColor=f(this.background),this.textColor=f(this.background),this.mainBkg="#eee",this.secondBkg="calculated",this.lineColor="#666",this.border1="#999",this.border2="calculated",this.note="#ffa",this.text="#333",this.critical="#d42",this.done="#bbb",this.arrowheadColor="#333333",this.fontFamily='"trebuchet ms", verdana, arial, sans-serif',this.fontSize="16px",this.THEME_COLOR_LIMIT=12,this.nodeBkg="calculated",this.nodeBorder="calculated",this.clusterBkg="calculated",this.clusterBorder="calculated",this.defaultLinkColor="calculated",this.titleColor="calculated",this.edgeLabelBackground="white",this.actorBorder="calculated",this.actorBkg="calculated",this.actorTextColor="calculated",this.actorLineColor="calculated",this.signalColor="calculated",this.signalTextColor="calculated",this.labelBoxBkgColor="calculated",this.labelBoxBorderColor="calculated",this.labelTextColor="calculated",this.loopTextColor="calculated",this.noteBorderColor="calculated",this.noteBkgColor="calculated",this.noteTextColor="calculated",this.activationBorderColor="#666",this.activationBkgColor="#f4f4f4",this.sequenceNumberColor="white",this.sectionBkgColor="calculated",this.altSectionBkgColor="white",this.sectionBkgColor2="calculated",this.excludeBkgColor="#eeeeee",this.taskBorderColor="calculated",this.taskBkgColor="calculated",this.taskTextLightColor="white",this.taskTextColor="calculated",this.taskTextDarkColor="calculated",this.taskTextOutsideColor="calculated",this.taskTextClickableColor="#003163",this.activeTaskBorderColor="calculated",this.activeTaskBkgColor="calculated",this.gridColor="calculated",this.doneTaskBkgColor="calculated",this.doneTaskBorderColor="calculated",this.critBkgColor="calculated",this.critBorderColor="calculated",this.todayLineColor="calculated",this.personBorder=this.primaryBorderColor,this.personBkg=this.mainBkg,this.labelColor="black",this.errorBkgColor="#552222",this.errorTextColor="#552222"}updateColors(){var t,e,i,r,n,o,a,s,l,c,u;this.secondBkg=(0,g.Z)(this.contrast,55),this.border2=this.contrast,this.actorBorder=(0,g.Z)(this.border1,23),this.actorBkg=this.mainBkg,this.actorTextColor=this.text,this.actorLineColor=this.lineColor,this.signalColor=this.text,this.signalTextColor=this.text,this.labelBoxBkgColor=this.actorBkg,this.labelBoxBorderColor=this.actorBorder,this.labelTextColor=this.text,this.loopTextColor=this.text,this.noteBorderColor="#999",this.noteBkgColor="#666",this.noteTextColor="#fff",this.cScale0=this.cScale0||"#555",this.cScale1=this.cScale1||"#F4F4F4",this.cScale2=this.cScale2||"#555",this.cScale3=this.cScale3||"#BBB",this.cScale4=this.cScale4||"#777",this.cScale5=this.cScale5||"#999",this.cScale6=this.cScale6||"#DDD",this.cScale7=this.cScale7||"#FFF",this.cScale8=this.cScale8||"#DDD",this.cScale9=this.cScale9||"#BBB",this.cScale10=this.cScale10||"#999",this.cScale11=this.cScale11||"#777";for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["cScaleInv"+h]=this["cScaleInv"+h]||f(this["cScale"+h]);for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this.darkMode?this["cScalePeer"+h]=this["cScalePeer"+h]||(0,g.Z)(this["cScale"+h],10):this["cScalePeer"+h]=this["cScalePeer"+h]||(0,p.Z)(this["cScale"+h],10);this.scaleLabelColor=this.scaleLabelColor||(this.darkMode?"black":this.labelTextColor),this.cScaleLabel0=this.cScaleLabel0||this.cScale1,this.cScaleLabel2=this.cScaleLabel2||this.cScale1;for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["cScaleLabel"+h]=this["cScaleLabel"+h]||this.scaleLabelColor;for(let d=0;d<5;d++)this["surface"+d]=this["surface"+d]||h(this.mainBkg,{l:-(5+5*d)}),this["surfacePeer"+d]=this["surfacePeer"+d]||h(this.mainBkg,{l:-(8+5*d)});this.nodeBkg=this.mainBkg,this.nodeBorder=this.border1,this.clusterBkg=this.secondBkg,this.clusterBorder=this.border2,this.defaultLinkColor=this.lineColor,this.titleColor=this.text,this.sectionBkgColor=(0,g.Z)(this.contrast,30),this.sectionBkgColor2=(0,g.Z)(this.contrast,30),this.taskBorderColor=(0,p.Z)(this.contrast,10),this.taskBkgColor=this.contrast,this.taskTextColor=this.taskTextLightColor,this.taskTextDarkColor=this.text,this.taskTextOutsideColor=this.taskTextDarkColor,this.activeTaskBorderColor=this.taskBorderColor,this.activeTaskBkgColor=this.mainBkg,this.gridColor=(0,g.Z)(this.border1,30),this.doneTaskBkgColor=this.done,this.doneTaskBorderColor=this.lineColor,this.critBkgColor=this.critical,this.critBorderColor=(0,p.Z)(this.critBkgColor,10),this.todayLineColor=this.critBkgColor,this.transitionColor=this.transitionColor||"#000",this.transitionLabelColor=this.transitionLabelColor||this.textColor,this.stateLabelColor=this.stateLabelColor||this.stateBkg||this.primaryTextColor,this.stateBkg=this.stateBkg||this.mainBkg,this.labelBackgroundColor=this.labelBackgroundColor||this.stateBkg,this.compositeBackground=this.compositeBackground||this.background||this.tertiaryColor,this.altBackground=this.altBackground||"#f4f4f4",this.compositeTitleBackground=this.compositeTitleBackground||this.mainBkg,this.stateBorder=this.stateBorder||"#000",this.innerEndBackground=this.primaryBorderColor,this.specialStateColor="#222",this.errorBkgColor=this.errorBkgColor||this.tertiaryColor,this.errorTextColor=this.errorTextColor||this.tertiaryTextColor,this.classText=this.primaryTextColor,this.fillType0=this.primaryColor,this.fillType1=this.secondaryColor,this.fillType2=h(this.primaryColor,{h:64}),this.fillType3=h(this.secondaryColor,{h:64}),this.fillType4=h(this.primaryColor,{h:-64}),this.fillType5=h(this.secondaryColor,{h:-64}),this.fillType6=h(this.primaryColor,{h:128}),this.fillType7=h(this.secondaryColor,{h:128});for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["pie"+h]=this["cScale"+h];this.pie12=this.pie0,this.pieTitleTextSize=this.pieTitleTextSize||"25px",this.pieTitleTextColor=this.pieTitleTextColor||this.taskTextDarkColor,this.pieSectionTextSize=this.pieSectionTextSize||"17px",this.pieSectionTextColor=this.pieSectionTextColor||this.textColor,this.pieLegendTextSize=this.pieLegendTextSize||"17px",this.pieLegendTextColor=this.pieLegendTextColor||this.taskTextDarkColor,this.pieStrokeColor=this.pieStrokeColor||"black",this.pieStrokeWidth=this.pieStrokeWidth||"2px",this.pieOuterStrokeWidth=this.pieOuterStrokeWidth||"2px",this.pieOuterStrokeColor=this.pieOuterStrokeColor||"black",this.pieOpacity=this.pieOpacity||"0.7",this.quadrant1Fill=this.quadrant1Fill||this.primaryColor,this.quadrant2Fill=this.quadrant2Fill||h(this.primaryColor,{r:5,g:5,b:5}),this.quadrant3Fill=this.quadrant3Fill||h(this.primaryColor,{r:10,g:10,b:10}),this.quadrant4Fill=this.quadrant4Fill||h(this.primaryColor,{r:15,g:15,b:15}),this.quadrant1TextFill=this.quadrant1TextFill||this.primaryTextColor,this.quadrant2TextFill=this.quadrant2TextFill||h(this.primaryTextColor,{r:-5,g:-5,b:-5}),this.quadrant3TextFill=this.quadrant3TextFill||h(this.primaryTextColor,{r:-10,g:-10,b:-10}),this.quadrant4TextFill=this.quadrant4TextFill||h(this.primaryTextColor,{r:-15,g:-15,b:-15}),this.quadrantPointFill=this.quadrantPointFill||(0,m.Z)(this.quadrant1Fill)?(0,g.Z)(this.quadrant1Fill):(0,p.Z)(this.quadrant1Fill),this.quadrantPointTextFill=this.quadrantPointTextFill||this.primaryTextColor,this.quadrantXAxisTextFill=this.quadrantXAxisTextFill||this.primaryTextColor,this.quadrantYAxisTextFill=this.quadrantYAxisTextFill||this.primaryTextColor,this.quadrantInternalBorderStrokeFill=this.quadrantInternalBorderStrokeFill||this.primaryBorderColor,this.quadrantExternalBorderStrokeFill=this.quadrantExternalBorderStrokeFill||this.primaryBorderColor,this.quadrantTitleFill=this.quadrantTitleFill||this.primaryTextColor,this.xyChart={backgroundColor:(null==(t=this.xyChart)?void 0:t.backgroundColor)||this.background,titleColor:(null==(e=this.xyChart)?void 0:e.titleColor)||this.primaryTextColor,xAxisTitleColor:(null==(i=this.xyChart)?void 0:i.xAxisTitleColor)||this.primaryTextColor,xAxisLabelColor:(null==(r=this.xyChart)?void 0:r.xAxisLabelColor)||this.primaryTextColor,xAxisTickColor:(null==(n=this.xyChart)?void 0:n.xAxisTickColor)||this.primaryTextColor,xAxisLineColor:(null==(o=this.xyChart)?void 0:o.xAxisLineColor)||this.primaryTextColor,yAxisTitleColor:(null==(a=this.xyChart)?void 0:a.yAxisTitleColor)||this.primaryTextColor,yAxisLabelColor:(null==(s=this.xyChart)?void 0:s.yAxisLabelColor)||this.primaryTextColor,yAxisTickColor:(null==(l=this.xyChart)?void 0:l.yAxisTickColor)||this.primaryTextColor,yAxisLineColor:(null==(c=this.xyChart)?void 0:c.yAxisLineColor)||this.primaryTextColor,plotColorPalette:(null==(u=this.xyChart)?void 0:u.plotColorPalette)||"#EEE,#6BB8E4,#8ACB88,#C7ACD6,#E8DCC2,#FFB2A8,#FFF380,#7E8D91,#FFD8B1,#FAF3E0"},this.requirementBackground=this.requirementBackground||this.primaryColor,this.requirementBorderColor=this.requirementBorderColor||this.primaryBorderColor,this.requirementBorderSize=this.requirementBorderSize||"1",this.requirementTextColor=this.requirementTextColor||this.primaryTextColor,this.relationColor=this.relationColor||this.lineColor,this.relationLabelBackground=this.relationLabelBackground||this.edgeLabelBackground,this.relationLabelColor=this.relationLabelColor||this.actorTextColor,this.git0=(0,p.Z)(this.pie1,25)||this.primaryColor,this.git1=this.pie2||this.secondaryColor,this.git2=this.pie3||this.tertiaryColor,this.git3=this.pie4||h(this.primaryColor,{h:-30}),this.git4=this.pie5||h(this.primaryColor,{h:-60}),this.git5=this.pie6||h(this.primaryColor,{h:-90}),this.git6=this.pie7||h(this.primaryColor,{h:60}),this.git7=this.pie8||h(this.primaryColor,{h:120}),this.gitInv0=this.gitInv0||f(this.git0),this.gitInv1=this.gitInv1||f(this.git1),this.gitInv2=this.gitInv2||f(this.git2),this.gitInv3=this.gitInv3||f(this.git3),this.gitInv4=this.gitInv4||f(this.git4),this.gitInv5=this.gitInv5||f(this.git5),this.gitInv6=this.gitInv6||f(this.git6),this.gitInv7=this.gitInv7||f(this.git7),this.branchLabelColor=this.branchLabelColor||this.labelTextColor,this.gitBranchLabel0=this.branchLabelColor,this.gitBranchLabel1="white",this.gitBranchLabel2=this.branchLabelColor,this.gitBranchLabel3="white",this.gitBranchLabel4=this.branchLabelColor,this.gitBranchLabel5=this.branchLabelColor,this.gitBranchLabel6=this.branchLabelColor,this.gitBranchLabel7=this.branchLabelColor,this.tagLabelColor=this.tagLabelColor||this.primaryTextColor,this.tagLabelBackground=this.tagLabelBackground||this.primaryColor,this.tagLabelBorder=this.tagBorder||this.primaryBorderColor,this.tagLabelFontSize=this.tagLabelFontSize||"10px",this.commitLabelColor=this.commitLabelColor||this.secondaryTextColor,this.commitLabelBackground=this.commitLabelBackground||this.secondaryColor,this.commitLabelFontSize=this.commitLabelFontSize||"10px",this.attributeBackgroundColorOdd=this.attributeBackgroundColorOdd||kt,this.attributeBackgroundColorEven=this.attributeBackgroundColorEven||Tt}calculate(t){if("object"!=typeof t)return void this.updateColors();const e=Object.keys(t);e.forEach((e=>{this[e]=t[e]})),this.updateColors(),e.forEach((e=>{this[e]=t[e]}))}}const Mt={base:{getThemeVariables:t=>{const e=new wt;return e.calculate(t),e}},dark:{getThemeVariables:t=>{const e=new St;return e.calculate(t),e}},default:{getThemeVariables:Ft},forest:{getThemeVariables:t=>{const e=new Lt;return e.calculate(t),e}},neutral:{getThemeVariables:t=>{const e=new At;return e.calculate(t),e}}},Et={flowchart:{useMaxWidth:!0,titleTopMargin:25,diagramPadding:8,htmlLabels:!0,nodeSpacing:50,rankSpacing:50,curve:"basis",padding:15,defaultRenderer:"dagre-wrapper",wrappingWidth:200},sequence:{useMaxWidth:!0,hideUnusedParticipants:!1,activationWidth:10,diagramMarginX:50,diagramMarginY:10,actorMargin:50,width:150,height:65,boxMargin:10,boxTextMargin:5,noteMargin:10,messageMargin:35,messageAlign:"center",mirrorActors:!0,forceMenus:!1,bottomMarginAdj:1,rightAngles:!1,showSequenceNumbers:!1,actorFontSize:14,actorFontFamily:'"Open Sans", sans-serif',actorFontWeight:400,noteFontSize:14,noteFontFamily:'"trebuchet ms", verdana, arial, sans-serif',noteFontWeight:400,noteAlign:"center",messageFontSize:16,messageFontFamily:'"trebuchet ms", verdana, arial, sans-serif',messageFontWeight:400,wrap:!1,wrapPadding:10,labelBoxWidth:50,labelBoxHeight:20},gantt:{useMaxWidth:!0,titleTopMargin:25,barHeight:20,barGap:4,topPadding:50,rightPadding:75,leftPadding:75,gridLineStartPadding:35,fontSize:11,sectionFontSize:11,numberSectionStyles:4,axisFormat:"%Y-%m-%d",topAxis:!1,displayMode:"",weekday:"sunday"},journey:{useMaxWidth:!0,diagramMarginX:50,diagramMarginY:10,leftMargin:150,width:150,height:50,boxMargin:10,boxTextMargin:5,noteMargin:10,messageMargin:35,messageAlign:"center",bottomMarginAdj:1,rightAngles:!1,taskFontSize:14,taskFontFamily:'"Open Sans", sans-serif',taskMargin:50,activationWidth:10,textPlacement:"fo",actorColours:["#8FBC8F","#7CFC00","#00FFFF","#20B2AA","#B0E0E6","#FFFFE0"],sectionFills:["#191970","#8B008B","#4B0082","#2F4F4F","#800000","#8B4513","#00008B"],sectionColours:["#fff"]},class:{useMaxWidth:!0,titleTopMargin:25,arrowMarkerAbsolute:!1,dividerMargin:10,padding:5,textHeight:10,defaultRenderer:"dagre-wrapper",htmlLabels:!1},state:{useMaxWidth:!0,titleTopMargin:25,dividerMargin:10,sizeUnit:5,padding:8,textHeight:10,titleShift:-15,noteMargin:10,forkWidth:70,forkHeight:7,miniPadding:2,fontSizeFactor:5.02,fontSize:24,labelHeight:16,edgeLengthFactor:"20",compositTitleSize:35,radius:5,defaultRenderer:"dagre-wrapper"},er:{useMaxWidth:!0,titleTopMargin:25,diagramPadding:20,layoutDirection:"TB",minEntityWidth:100,minEntityHeight:75,entityPadding:15,stroke:"gray",fill:"honeydew",fontSize:12},pie:{useMaxWidth:!0,textPosition:.75},quadrantChart:{useMaxWidth:!0,chartWidth:500,chartHeight:500,titleFontSize:20,titlePadding:10,quadrantPadding:5,xAxisLabelPadding:5,yAxisLabelPadding:5,xAxisLabelFontSize:16,yAxisLabelFontSize:16,quadrantLabelFontSize:16,quadrantTextTopPadding:5,pointTextPadding:5,pointLabelFontSize:12,pointRadius:5,xAxisPosition:"top",yAxisPosition:"left",quadrantInternalBorderStrokeWidth:1,quadrantExternalBorderStrokeWidth:2},xyChart:{useMaxWidth:!0,width:700,height:500,titleFontSize:20,titlePadding:10,showTitle:!0,xAxis:{$ref:"#/$defs/XYChartAxisConfig",showLabel:!0,labelFontSize:14,labelPadding:5,showTitle:!0,titleFontSize:16,titlePadding:5,showTick:!0,tickLength:5,tickWidth:2,showAxisLine:!0,axisLineWidth:2},yAxis:{$ref:"#/$defs/XYChartAxisConfig",showLabel:!0,labelFontSize:14,labelPadding:5,showTitle:!0,titleFontSize:16,titlePadding:5,showTick:!0,tickLength:5,tickWidth:2,showAxisLine:!0,axisLineWidth:2},chartOrientation:"vertical",plotReservedSpacePercent:50},requirement:{useMaxWidth:!0,rect_fill:"#f9f9f9",text_color:"#333",rect_border_size:"0.5px",rect_border_color:"#bbb",rect_min_width:200,rect_min_height:200,fontSize:14,rect_padding:10,line_height:20},mindmap:{useMaxWidth:!0,padding:10,maxNodeWidth:200},timeline:{useMaxWidth:!0,diagramMarginX:50,diagramMarginY:10,leftMargin:150,width:150,height:50,boxMargin:10,boxTextMargin:5,noteMargin:10,messageMargin:35,messageAlign:"center",bottomMarginAdj:1,rightAngles:!1,taskFontSize:14,taskFontFamily:'"Open Sans", sans-serif',taskMargin:50,activationWidth:10,textPlacement:"fo",actorColours:["#8FBC8F","#7CFC00","#00FFFF","#20B2AA","#B0E0E6","#FFFFE0"],sectionFills:["#191970","#8B008B","#4B0082","#2F4F4F","#800000","#8B4513","#00008B"],sectionColours:["#fff"],disableMulticolor:!1},gitGraph:{useMaxWidth:!0,titleTopMargin:25,diagramPadding:8,nodeLabel:{width:75,height:100,x:-25,y:0},mainBranchName:"main",mainBranchOrder:0,showCommitLabel:!0,showBranches:!0,rotateCommitLabel:!0,arrowMarkerAbsolute:!1},c4:{useMaxWidth:!0,diagramMarginX:50,diagramMarginY:10,c4ShapeMargin:50,c4ShapePadding:20,width:216,height:60,boxMargin:10,c4ShapeInRow:4,nextLinePaddingX:0,c4BoundaryInRow:2,personFontSize:14,personFontFamily:'"Open Sans", sans-serif',personFontWeight:"normal",external_personFontSize:14,external_personFontFamily:'"Open Sans", sans-serif',external_personFontWeight:"normal",systemFontSize:14,systemFontFamily:'"Open Sans", sans-serif',systemFontWeight:"normal",external_systemFontSize:14,external_systemFontFamily:'"Open Sans", sans-serif',external_systemFontWeight:"normal",system_dbFontSize:14,system_dbFontFamily:'"Open Sans", sans-serif',system_dbFontWeight:"normal",external_system_dbFontSize:14,external_system_dbFontFamily:'"Open Sans", sans-serif',external_system_dbFontWeight:"normal",system_queueFontSize:14,system_queueFontFamily:'"Open Sans", sans-serif',system_queueFontWeight:"normal",external_system_queueFontSize:14,external_system_queueFontFamily:'"Open Sans", sans-serif',external_system_queueFontWeight:"normal",boundaryFontSize:14,boundaryFontFamily:'"Open Sans", sans-serif',boundaryFontWeight:"normal",messageFontSize:12,messageFontFamily:'"Open Sans", sans-serif',messageFontWeight:"normal",containerFontSize:14,containerFontFamily:'"Open Sans", sans-serif',containerFontWeight:"normal",external_containerFontSize:14,external_containerFontFamily:'"Open Sans", sans-serif',external_containerFontWeight:"normal",container_dbFontSize:14,container_dbFontFamily:'"Open Sans", sans-serif',container_dbFontWeight:"normal",external_container_dbFontSize:14,external_container_dbFontFamily:'"Open Sans", sans-serif',external_container_dbFontWeight:"normal",container_queueFontSize:14,container_queueFontFamily:'"Open Sans", sans-serif',container_queueFontWeight:"normal",external_container_queueFontSize:14,external_container_queueFontFamily:'"Open Sans", sans-serif',external_container_queueFontWeight:"normal",componentFontSize:14,componentFontFamily:'"Open Sans", sans-serif',componentFontWeight:"normal",external_componentFontSize:14,external_componentFontFamily:'"Open Sans", sans-serif',external_componentFontWeight:"normal",component_dbFontSize:14,component_dbFontFamily:'"Open Sans", sans-serif',component_dbFontWeight:"normal",external_component_dbFontSize:14,external_component_dbFontFamily:'"Open Sans", sans-serif',external_component_dbFontWeight:"normal",component_queueFontSize:14,component_queueFontFamily:'"Open Sans", sans-serif',component_queueFontWeight:"normal",external_component_queueFontSize:14,external_component_queueFontFamily:'"Open Sans", sans-serif',external_component_queueFontWeight:"normal",wrap:!0,wrapPadding:10,person_bg_color:"#08427B",person_border_color:"#073B6F",external_person_bg_color:"#686868",external_person_border_color:"#8A8A8A",system_bg_color:"#1168BD",system_border_color:"#3C7FC0",system_db_bg_color:"#1168BD",system_db_border_color:"#3C7FC0",system_queue_bg_color:"#1168BD",system_queue_border_color:"#3C7FC0",external_system_bg_color:"#999999",external_system_border_color:"#8A8A8A",external_system_db_bg_color:"#999999",external_system_db_border_color:"#8A8A8A",external_system_queue_bg_color:"#999999",external_system_queue_border_color:"#8A8A8A",container_bg_color:"#438DD5",container_border_color:"#3C7FC0",container_db_bg_color:"#438DD5",container_db_border_color:"#3C7FC0",container_queue_bg_color:"#438DD5",container_queue_border_color:"#3C7FC0",external_container_bg_color:"#B3B3B3",external_container_border_color:"#A6A6A6",external_container_db_bg_color:"#B3B3B3",external_container_db_border_color:"#A6A6A6",external_container_queue_bg_color:"#B3B3B3",external_container_queue_border_color:"#A6A6A6",component_bg_color:"#85BBF0",component_border_color:"#78A8D8",component_db_bg_color:"#85BBF0",component_db_border_color:"#78A8D8",component_queue_bg_color:"#85BBF0",component_queue_border_color:"#78A8D8",external_component_bg_color:"#CCCCCC",external_component_border_color:"#BFBFBF",external_component_db_bg_color:"#CCCCCC",external_component_db_border_color:"#BFBFBF",external_component_queue_bg_color:"#CCCCCC",external_component_queue_border_color:"#BFBFBF"},sankey:{useMaxWidth:!0,width:600,height:400,linkColor:"gradient",nodeAlignment:"justify",showValues:!0,prefix:"",suffix:""},theme:"default",maxTextSize:5e4,darkMode:!1,fontFamily:'"trebuchet ms", verdana, arial, sans-serif;',logLevel:5,securityLevel:"strict",startOnLoad:!0,arrowMarkerAbsolute:!1,secure:["secure","securityLevel","startOnLoad","maxTextSize"],deterministicIds:!1,fontSize:16},Nt={...Et,deterministicIDSeed:void 0,themeCSS:void 0,themeVariables:Mt.default.getThemeVariables(),sequence:{...Et.sequence,messageFont:function(){return{fontFamily:this.messageFontFamily,fontSize:this.messageFontSize,fontWeight:this.messageFontWeight}},noteFont:function(){return{fontFamily:this.noteFontFamily,fontSize:this.noteFontSize,fontWeight:this.noteFontWeight}},actorFont:function(){return{fontFamily:this.actorFontFamily,fontSize:this.actorFontSize,fontWeight:this.actorFontWeight}}},gantt:{...Et.gantt,tickInterval:void 0,useWidth:void 0},c4:{...Et.c4,useWidth:void 0,personFont:function(){return{fontFamily:this.personFontFamily,fontSize:this.personFontSize,fontWeight:this.personFontWeight}},external_personFont:function(){return{fontFamily:this.external_personFontFamily,fontSize:this.external_personFontSize,fontWeight:this.external_personFontWeight}},systemFont:function(){return{fontFamily:this.systemFontFamily,fontSize:this.systemFontSize,fontWeight:this.systemFontWeight}},external_systemFont:function(){return{fontFamily:this.external_systemFontFamily,fontSize:this.external_systemFontSize,fontWeight:this.external_systemFontWeight}},system_dbFont:function(){return{fontFamily:this.system_dbFontFamily,fontSize:this.system_dbFontSize,fontWeight:this.system_dbFontWeight}},external_system_dbFont:function(){return{fontFamily:this.external_system_dbFontFamily,fontSize:this.external_system_dbFontSize,fontWeight:this.external_system_dbFontWeight}},system_queueFont:function(){return{fontFamily:this.system_queueFontFamily,fontSize:this.system_queueFontSize,fontWeight:this.system_queueFontWeight}},external_system_queueFont:function(){return{fontFamily:this.external_system_queueFontFamily,fontSize:this.external_system_queueFontSize,fontWeight:this.external_system_queueFontWeight}},containerFont:function(){return{fontFamily:this.containerFontFamily,fontSize:this.containerFontSize,fontWeight:this.containerFontWeight}},external_containerFont:function(){return{fontFamily:this.external_containerFontFamily,fontSize:this.external_containerFontSize,fontWeight:this.external_containerFontWeight}},container_dbFont:function(){return{fontFamily:this.container_dbFontFamily,fontSize:this.container_dbFontSize,fontWeight:this.container_dbFontWeight}},external_container_dbFont:function(){return{fontFamily:this.external_container_dbFontFamily,fontSize:this.external_container_dbFontSize,fontWeight:this.external_container_dbFontWeight}},container_queueFont:function(){return{fontFamily:this.container_queueFontFamily,fontSize:this.container_queueFontSize,fontWeight:this.container_queueFontWeight}},external_container_queueFont:function(){return{fontFamily:this.external_container_queueFontFamily,fontSize:this.external_container_queueFontSize,fontWeight:this.external_container_queueFontWeight}},componentFont:function(){return{fontFamily:this.componentFontFamily,fontSize:this.componentFontSize,fontWeight:this.componentFontWeight}},external_componentFont:function(){return{fontFamily:this.external_componentFontFamily,fontSize:this.external_componentFontSize,fontWeight:this.external_componentFontWeight}},component_dbFont:function(){return{fontFamily:this.component_dbFontFamily,fontSize:this.component_dbFontSize,fontWeight:this.component_dbFontWeight}},external_component_dbFont:function(){return{fontFamily:this.external_component_dbFontFamily,fontSize:this.external_component_dbFontSize,fontWeight:this.external_component_dbFontWeight}},component_queueFont:function(){return{fontFamily:this.component_queueFontFamily,fontSize:this.component_queueFontSize,fontWeight:this.component_queueFontWeight}},external_component_queueFont:function(){return{fontFamily:this.external_component_queueFontFamily,fontSize:this.external_component_queueFontSize,fontWeight:this.external_component_queueFontWeight}},boundaryFont:function(){return{fontFamily:this.boundaryFontFamily,fontSize:this.boundaryFontSize,fontWeight:this.boundaryFontWeight}},messageFont:function(){return{fontFamily:this.messageFontFamily,fontSize:this.messageFontSize,fontWeight:this.messageFontWeight}}},pie:{...Et.pie,useWidth:984},xyChart:{...Et.xyChart,useWidth:void 0},requirement:{...Et.requirement,useWidth:void 0},gitGraph:{...Et.gitGraph,useMaxWidth:!1},sankey:{...Et.sankey,useMaxWidth:!1}},jt=(t,e="")=>Object.keys(t).reduce(((i,r)=>Array.isArray(t[r])?i:"object"==typeof t[r]&&null!==t[r]?[...i,e+r,...jt(t[r],"")]:[...i,e+r]),[]),Zt=new Set(jt(Nt,"")),It=Nt,Ot=t=>{if(st.debug("sanitizeDirective called with",t),"object"==typeof t&&null!=t)if(Array.isArray(t))t.forEach((t=>Ot(t)));else{for(const e of Object.keys(t)){if(st.debug("Checking key",e),e.startsWith("__")||e.includes("proto")||e.includes("constr")||!Zt.has(e)||null==t[e]){st.debug("sanitize deleting key: ",e),delete t[e];continue}if("object"==typeof t[e]){st.debug("sanitizing object",e),Ot(t[e]);continue}const i=["themeCSS","fontFamily","altFontFamily"];for(const r of i)e.includes(r)&&(st.debug("sanitizing css option",e),t[e]=Dt(t[e]))}if(t.themeVariables)for(const e of Object.keys(t.themeVariables)){const i=t.themeVariables[e];(null==i?void 0:i.match)&&!i.match(/^[\d "#%(),.;A-Za-z]+$/)&&(t.themeVariables[e]="")}st.debug("After sanitization",t)}},Dt=t=>{let e=0,i=0;for(const r of t){if(e<i)return"{ /* ERROR: Unbalanced CSS */ }";"{"===r?e++:"}"===r&&i++}return e!==i?"{ /* ERROR: Unbalanced CSS */ }":t},qt=/^-{3}\s*[\n\r](.*?)[\n\r]-{3}\s*[\n\r]+/s,$t=/%{2}{\s*(?:(\w+)\s*:|(\w+))\s*(?:(\w+)|((?:(?!}%{2}).|\r?\n)*))?\s*(?:}%{2})?/gi,zt=/\s*%%.*\n/gm;class Pt extends Error{constructor(t){super(t),this.name="UnknownDiagramError"}}const Rt={},Ht=function(t,e){t=t.replace(qt,"").replace($t,"").replace(zt,"\n");for(const[i,{detector:r}]of Object.entries(Rt)){if(r(t,e))return i}throw new Pt(`No diagram type detected matching given configuration for text: ${t}`)},Wt=(...t)=>{for(const{id:e,detector:i,loader:r}of t)Ut(e,i,r)},Ut=(t,e,i)=>{Rt[t]?st.error(`Detector with key ${t} already exists`):Rt[t]={detector:e,loader:i},st.debug(`Detector with key ${t} added${i?" with loader":""}`)},Yt=(t,e,{depth:i=2,clobber:r=!1}={})=>{const n={depth:i,clobber:r};return Array.isArray(e)&&!Array.isArray(t)?(e.forEach((e=>Yt(t,e,n))),t):Array.isArray(e)&&Array.isArray(t)?(e.forEach((e=>{t.includes(e)||t.push(e)})),t):void 0===t||i<=0?null!=t&&"object"==typeof t&&"object"==typeof e?Object.assign(t,e):e:(void 0!==e&&"object"==typeof t&&"object"==typeof e&&Object.keys(e).forEach((n=>{"object"!=typeof e[n]||void 0!==t[n]&&"object"!=typeof t[n]?(r||"object"!=typeof t[n]&&"object"!=typeof e[n])&&(t[n]=e[n]):(void 0===t[n]&&(t[n]=Array.isArray(e[n])?[]:{}),t[n]=Yt(t[n],e[n],{depth:i-1,clobber:r}))})),t)},Vt=Yt,Gt="\u200b",Xt={curveBasis:a.$0Z,curveBasisClosed:a.Dts,curveBasisOpen:a.WQY,curveBumpX:a.qpX,curveBumpY:a.u93,curveBundle:a.tFB,curveCardinalClosed:a.OvA,curveCardinalOpen:a.dCK,curveCardinal:a.YY7,curveCatmullRomClosed:a.fGX,curveCatmullRomOpen:a.$m7,curveCatmullRom:a.zgE,curveLinear:a.c_6,curveLinearClosed:a.fxm,curveMonotoneX:a.FdL,curveMonotoneY:a.ak_,curveNatural:a.SxZ,curveStep:a.eA_,curveStepAfter:a.jsv,curveStepBefore:a.iJ},Jt=/\s*(?:(\w+)(?=:):|(\w+))\s*(?:(\w+)|((?:(?!}%{2}).|\r?\n)*))?\s*(?:}%{2})?/gi,Qt=function(t,e=null){try{const i=new RegExp(`[%]{2}(?![{]${Jt.source})(?=[}][%]{2}).*\n`,"ig");let r;t=t.trim().replace(i,"").replace(/'/gm,'"'),st.debug(`Detecting diagram directive${null!==e?" type:"+e:""} based on the text:${t}`);const n=[];for(;null!==(r=$t.exec(t));)if(r.index===$t.lastIndex&&$t.lastIndex++,r&&!e||e&&r[1]&&r[1].match(e)||e&&r[2]&&r[2].match(e)){const t=r[1]?r[1]:r[2],e=r[3]?r[3].trim():r[4]?JSON.parse(r[4].trim()):null;n.push({type:t,args:e})}return 0===n.length?{type:t,args:null}:1===n.length?n[0]:n}catch(i){return st.error(`ERROR: ${i.message} - Unable to parse directive type: '${e}' based on the text: '${t}'`),{type:void 0,args:null}}};function Kt(t,e){if(!t)return e;const i=`curve${t.charAt(0).toUpperCase()+t.slice(1)}`;return Xt[i]??e}function te(t,e){return t&&e?Math.sqrt(Math.pow(e.x-t.x,2)+Math.pow(e.y-t.y,2)):0}const ee=(t,e=2)=>{const i=Math.pow(10,e);return Math.round(t*i)/i},ie=(t,e)=>{let i,r=e;for(const n of t){if(i){const t=te(n,i);if(t<r)r-=t;else{const e=r/t;if(e<=0)return i;if(e>=1)return{x:n.x,y:n.y};if(e>0&&e<1)return{x:ee((1-e)*i.x+e*n.x,5),y:ee((1-e)*i.y+e*n.y,5)}}}i=n}throw new Error("Could not find a suitable point for the given distance")};function re(t){let e="",i="";for(const r of t)void 0!==r&&(r.startsWith("color:")||r.startsWith("text-align:")?i=i+r+";":e=e+r+";");return{style:e,labelStyle:i}}let ne=0;const oe=()=>(ne++,"id-"+Math.random().toString(36).substr(2,12)+"-"+ne);const ae=t=>function(t){let e="";const i="0123456789abcdef";for(let r=0;r<t;r++)e+=i.charAt(Math.floor(16*Math.random()));return e}(t.length),se=function(t,e){const i=e.text.replace(_t.lineBreakRegex," "),[,r]=ge(e.fontSize),n=t.append("text");n.attr("x",e.x),n.attr("y",e.y),n.style("text-anchor",e.anchor),n.style("font-family",e.fontFamily),n.style("font-size",r),n.style("font-weight",e.fontWeight),n.attr("fill",e.fill),void 0!==e.class&&n.attr("class",e.class);const o=n.append("tspan");return o.attr("x",e.x+2*e.textMargin),o.attr("fill",e.fill),o.text(i),n},le=(0,y.Z)(((t,e,i)=>{if(!t)return t;if(i=Object.assign({fontSize:12,fontWeight:400,fontFamily:"Arial",joinWith:"<br/>"},i),_t.lineBreakRegex.test(t))return t;const r=t.split(" "),n=[];let o="";return r.forEach(((t,a)=>{const s=ue(`${t} `,i),l=ue(o,i);if(s>e){const{hyphenatedStrings:r,remainingWord:a}=ce(t,e,"-",i);n.push(o,...r),o=a}else l+s>=e?(n.push(o),o=t):o=[o,t].filter(Boolean).join(" ");a+1===r.length&&n.push(o)})),n.filter((t=>""!==t)).join(i.joinWith)}),((t,e,i)=>`${t}${e}${i.fontSize}${i.fontWeight}${i.fontFamily}${i.joinWith}`)),ce=(0,y.Z)(((t,e,i="-",r)=>{r=Object.assign({fontSize:12,fontWeight:400,fontFamily:"Arial",margin:0},r);const n=[...t],o=[];let a="";return n.forEach(((t,s)=>{const l=`${a}${t}`;if(ue(l,r)>=e){const t=s+1,e=n.length===t,r=`${l}${i}`;o.push(e?l:r),a=""}else a=l})),{hyphenatedStrings:o,remainingWord:a}}),((t,e,i="-",r)=>`${t}${e}${i}${r.fontSize}${r.fontWeight}${r.fontFamily}`));function he(t,e){return de(t,e).height}function ue(t,e){return de(t,e).width}const de=(0,y.Z)(((t,e)=>{const{fontSize:i=12,fontFamily:r="Arial",fontWeight:n=400}=e;if(!t)return{width:0,height:0};const[,o]=ge(i),s=["sans-serif",r],l=t.split(_t.lineBreakRegex),c=[],h=(0,a.Ys)("body");if(!h.remove)return{width:0,height:0,lineHeight:0};const u=h.append("svg");for(const a of s){let t=0;const e={width:0,height:0,lineHeight:0};for(const i of l){const r={x:0,y:0,fill:void 0,anchor:"start",style:"#666",width:100,height:100,textMargin:0,rx:0,ry:0,valign:void 0,text:""};r.text=i||Gt;const s=se(u,r).style("font-size",o).style("font-weight",n).style("font-family",a),l=(s._groups||s)[0][0].getBBox();if(0===l.width&&0===l.height)throw new Error("svg element not in render tree");e.width=Math.round(Math.max(e.width,l.width)),t=Math.round(l.height),e.height+=t,e.lineHeight=Math.round(Math.max(e.lineHeight,t))}c.push(e)}u.remove();return c[isNaN(c[1].height)||isNaN(c[1].width)||isNaN(c[1].lineHeight)||c[0].height>c[1].height&&c[0].width>c[1].width&&c[0].lineHeight>c[1].lineHeight?0:1]}),((t,e)=>`${t}${e.fontSize}${e.fontWeight}${e.fontFamily}`));let fe;function pe(t){return"str"in t}const ge=t=>{if("number"==typeof t)return[t,t+"px"];const e=parseInt(t??"",10);return Number.isNaN(e)?[void 0,void 0]:t===String(e)?[e,t+"px"]:[e,t]};function me(t,e){return(0,x.Z)({},t,e)}const ye={assignWithDepth:Vt,wrapLabel:le,calculateTextHeight:he,calculateTextWidth:ue,calculateTextDimensions:de,cleanAndMerge:me,detectInit:function(t,e){const i=Qt(t,/(?:init\b)|(?:initialize\b)/);let r={};if(Array.isArray(i)){const t=i.map((t=>t.args));Ot(t),r=Vt(r,[...t])}else r=i.args;if(!r)return;let n=Ht(t,e);const o="config";return void 0!==r[o]&&("flowchart-v2"===n&&(n="flowchart"),r[n]=r[o],delete r[o]),r},detectDirective:Qt,isSubstringInArray:function(t,e){for(const[i,r]of e.entries())if(r.match(t))return i;return-1},interpolateToCurve:Kt,calcLabelPosition:function(t){return 1===t.length?t[0]:function(t){let e,i=0;return t.forEach((t=>{i+=te(t,e),e=t})),ie(t,i/2)}(t)},calcCardinalityPosition:(t,e,i)=>{st.info(`our points ${JSON.stringify(e)}`),e[0]!==i&&(e=e.reverse());const r=ie(e,25),n=t?10:5,o=Math.atan2(e[0].y-r.y,e[0].x-r.x),a={x:0,y:0};return a.x=Math.sin(o)*n+(e[0].x+r.x)/2,a.y=-Math.cos(o)*n+(e[0].y+r.y)/2,a},calcTerminalLabelPosition:function(t,e,i){const r=structuredClone(i);st.info("our points",r),"start_left"!==e&&"start_right"!==e&&r.reverse();const n=ie(r,25+t),o=10+.5*t,a=Math.atan2(r[0].y-n.y,r[0].x-n.x),s={x:0,y:0};return"start_left"===e?(s.x=Math.sin(a+Math.PI)*o+(r[0].x+n.x)/2,s.y=-Math.cos(a+Math.PI)*o+(r[0].y+n.y)/2):"end_right"===e?(s.x=Math.sin(a-Math.PI)*o+(r[0].x+n.x)/2-5,s.y=-Math.cos(a-Math.PI)*o+(r[0].y+n.y)/2-5):"end_left"===e?(s.x=Math.sin(a)*o+(r[0].x+n.x)/2-5,s.y=-Math.cos(a)*o+(r[0].y+n.y)/2-5):(s.x=Math.sin(a)*o+(r[0].x+n.x)/2,s.y=-Math.cos(a)*o+(r[0].y+n.y)/2),s},formatUrl:function(t,e){const i=t.trim();if(i)return"loose"!==e.securityLevel?(0,o.Nm)(i):i},getStylesFromArray:re,generateId:oe,random:ae,runFunc:(t,...e)=>{const i=t.split("."),r=i.length-1,n=i[r];let o=window;for(let a=0;a<r;a++)if(o=o[i[a]],!o)return void st.error(`Function name: ${t} not found in window`);o[n](...e)},entityDecode:function(t){return fe=fe||document.createElement("div"),t=escape(t).replace(/%26/g,"&").replace(/%23/g,"#").replace(/%3B/g,";"),fe.innerHTML=t,unescape(fe.textContent)},insertTitle:(t,e,i,r)=>{var n;if(!r)return;const o=null==(n=t.node())?void 0:n.getBBox();o&&t.append("text").text(r).attr("x",o.x+o.width/2).attr("y",-i).attr("class",e)},parseFontSize:ge,InitIDGenerator:class{constructor(t=!1,e){this.count=0,this.count=e?e.length:0,this.next=t?()=>this.count++:()=>Date.now()}}},xe="10.6.1",be=Object.freeze(It);let Ce,_e=Vt({},be),ve=[],ke=Vt({},be);const Te=(t,e)=>{let i=Vt({},t),r={};for(const n of e)Fe(n),r=Vt(r,n);if(i=Vt(i,r),r.theme&&r.theme in Mt){const t=Vt({},Ce),e=Vt(t.themeVariables||{},r.themeVariables);i.theme&&i.theme in Mt&&(i.themeVariables=Mt[i.theme].getThemeVariables(e))}return ke=i,Ne(ke),ke},we=()=>Vt({},_e),Se=t=>(Ne(t),Vt(ke,t),Be()),Be=()=>Vt({},ke),Fe=t=>{t&&(["secure",..._e.secure??[]].forEach((e=>{Object.hasOwn(t,e)&&(st.debug(`Denied attempt to modify a secure key ${e}`,t[e]),delete t[e])})),Object.keys(t).forEach((e=>{e.startsWith("__")&&delete t[e]})),Object.keys(t).forEach((e=>{"string"==typeof t[e]&&(t[e].includes("<")||t[e].includes(">")||t[e].includes("url(data:"))&&delete t[e],"object"==typeof t[e]&&Fe(t[e])})))},Le=t=>{Ot(t),!t.fontFamily||t.themeVariables&&t.themeVariables.fontFamily||(t.themeVariables={fontFamily:t.fontFamily}),ve.push(t),Te(_e,ve)},Ae=(t=_e)=>{ve=[],Te(t,ve)},Me={LAZY_LOAD_DEPRECATED:"The configuration options lazyLoadedDiagrams and loadExternalDiagramsAtStartup are deprecated. Please use registerExternalDiagrams instead."},Ee={},Ne=t=>{var e;t&&((t.lazyLoadedDiagrams||t.loadExternalDiagramsAtStartup)&&(Ee[e="LAZY_LOAD_DEPRECATED"]||(st.warn(Me[e]),Ee[e]=!0)))},je={id:"c4",detector:t=>/^\s*C4Context|C4Container|C4Component|C4Dynamic|C4Deployment/.test(t),loader:async()=>{const{diagram:t}=await i.e(132).then(i.bind(i,132));return{id:"c4",diagram:t}}},Ze="flowchart",Ie={id:Ze,detector:(t,e)=>{var i,r;return"dagre-wrapper"!==(null==(i=null==e?void 0:e.flowchart)?void 0:i.defaultRenderer)&&"elk"!==(null==(r=null==e?void 0:e.flowchart)?void 0:r.defaultRenderer)&&/^\s*graph/.test(t)},loader:async()=>{const{diagram:t}=await Promise.all([i.e(1644),i.e(3076),i.e(5269),i.e(7936),i.e(8955),i.e(1763)]).then(i.bind(i,1763));return{id:Ze,diagram:t}}},Oe="flowchart-v2",De={id:Oe,detector:(t,e)=>{var i,r,n;return"dagre-d3"!==(null==(i=null==e?void 0:e.flowchart)?void 0:i.defaultRenderer)&&"elk"!==(null==(r=null==e?void 0:e.flowchart)?void 0:r.defaultRenderer)&&(!(!/^\s*graph/.test(t)||"dagre-wrapper"!==(null==(n=null==e?void 0:e.flowchart)?void 0:n.defaultRenderer))||/^\s*flowchart/.test(t))},loader:async()=>{const{diagram:t}=await Promise.all([i.e(1644),i.e(3076),i.e(5269),i.e(7936),i.e(8955),i.e(9893)]).then(i.bind(i,9893));return{id:Oe,diagram:t}}},qe={id:"er",detector:t=>/^\s*erDiagram/.test(t),loader:async()=>{const{diagram:t}=await Promise.all([i.e(1644),i.e(3343)]).then(i.bind(i,3343));return{id:"er",diagram:t}}},$e="gitGraph",ze={id:$e,detector:t=>/^\s*gitGraph/.test(t),loader:async()=>{const{diagram:t}=await i.e(3619).then(i.bind(i,3619));return{id:$e,diagram:t}}},Pe="gantt",Re={id:Pe,detector:t=>/^\s*gantt/.test(t),loader:async()=>{const{diagram:t}=await i.e(8016).then(i.bind(i,8016));return{id:Pe,diagram:t}}},He="info",We={id:He,detector:t=>/^\s*info/.test(t),loader:async()=>{const{diagram:t}=await i.e(5326).then(i.bind(i,5326));return{id:He,diagram:t}}},Ue={id:"pie",detector:t=>/^\s*pie/.test(t),loader:async()=>{const{diagram:t}=await i.e(2661).then(i.bind(i,2661));return{id:"pie",diagram:t}}},Ye="quadrantChart",Ve={id:Ye,detector:t=>/^\s*quadrantChart/.test(t),loader:async()=>{const{diagram:t}=await i.e(6648).then(i.bind(i,6648));return{id:Ye,diagram:t}}},Ge="xychart",Xe={id:Ge,detector:t=>/^\s*xychart-beta/.test(t),loader:async()=>{const{diagram:t}=await Promise.all([i.e(3076),i.e(2693)]).then(i.bind(i,8088));return{id:Ge,diagram:t}}},Je="requirement",Qe={id:Je,detector:t=>/^\s*requirement(Diagram)?/.test(t),loader:async()=>{const{diagram:t}=await Promise.all([i.e(1644),i.e(6985)]).then(i.bind(i,6985));return{id:Je,diagram:t}}},Ke="sequence",ti={id:Ke,detector:t=>/^\s*sequenceDiagram/.test(t),loader:async()=>{const{diagram:t}=await i.e(5790).then(i.bind(i,5790));return{id:Ke,diagram:t}}},ei="class",ii={id:ei,detector:(t,e)=>{var i;return"dagre-wrapper"!==(null==(i=null==e?void 0:e.class)?void 0:i.defaultRenderer)&&/^\s*classDiagram/.test(t)},loader:async()=>{const{diagram:t}=await Promise.all([i.e(1644),i.e(4706),i.e(109)]).then(i.bind(i,109));return{id:ei,diagram:t}}},ri="classDiagram",ni={id:ri,detector:(t,e)=>{var i;return!(!/^\s*classDiagram/.test(t)||"dagre-wrapper"!==(null==(i=null==e?void 0:e.class)?void 0:i.defaultRenderer))||/^\s*classDiagram-v2/.test(t)},loader:async()=>{const{diagram:t}=await Promise.all([i.e(1644),i.e(3076),i.e(5269),i.e(7936),i.e(4706),i.e(6255)]).then(i.bind(i,6255));return{id:ri,diagram:t}}},oi="state",ai={id:oi,detector:(t,e)=>{var i;return"dagre-wrapper"!==(null==(i=null==e?void 0:e.state)?void 0:i.defaultRenderer)&&/^\s*stateDiagram/.test(t)},loader:async()=>{const{diagram:t}=await Promise.all([i.e(1644),i.e(1504),i.e(2696)]).then(i.bind(i,2696));return{id:oi,diagram:t}}},si="stateDiagram",li={id:si,detector:(t,e)=>{var i;return!!/^\s*stateDiagram-v2/.test(t)||!(!/^\s*stateDiagram/.test(t)||"dagre-wrapper"!==(null==(i=null==e?void 0:e.state)?void 0:i.defaultRenderer))},loader:async()=>{const{diagram:t}=await Promise.all([i.e(1644),i.e(3076),i.e(5269),i.e(7936),i.e(1504),i.e(5943)]).then(i.bind(i,5943));return{id:si,diagram:t}}},ci="journey",hi={id:ci,detector:t=>/^\s*journey/.test(t),loader:async()=>{const{diagram:t}=await i.e(2183).then(i.bind(i,2183));return{id:ci,diagram:t}}},ui=function(t,e,i,r){const n=function(t,e,i){let r=new Map;return i?(r.set("width","100%"),r.set("style",`max-width: ${e}px;`)):(r.set("height",t),r.set("width",e)),r}(e,i,r);!function(t,e){for(let i of e)t.attr(i[0],i[1])}(t,n)},di=function(t,e,i,r){const n=e.node().getBBox(),o=n.width,a=n.height;st.info(`SVG bounds: ${o}x${a}`,n);let s=0,l=0;st.info(`Graph bounds: ${s}x${l}`,t),s=o+2*i,l=a+2*i,st.info(`Calculated bounds: ${s}x${l}`),ui(e,l,s,r);const c=`${n.x-i} ${n.y-i} ${n.width+2*i} ${n.height+2*i}`;e.attr("viewBox",c)},fi={},pi=(t,e,i)=>{let r="";return t in fi&&fi[t]?r=fi[t](i):st.warn(`No theme found for ${t}`),` & {\n font-family: ${i.fontFamily};\n font-size: ${i.fontSize};\n fill: ${i.textColor}\n }\n\n /* Classes common for multiple diagrams */\n\n & .error-icon {\n fill: ${i.errorBkgColor};\n }\n & .error-text {\n fill: ${i.errorTextColor};\n stroke: ${i.errorTextColor};\n }\n\n & .edge-thickness-normal {\n stroke-width: 2px;\n }\n & .edge-thickness-thick {\n stroke-width: 3.5px\n }\n & .edge-pattern-solid {\n stroke-dasharray: 0;\n }\n\n & .edge-pattern-dashed{\n stroke-dasharray: 3;\n }\n .edge-pattern-dotted {\n stroke-dasharray: 2;\n }\n\n & .marker {\n fill: ${i.lineColor};\n stroke: ${i.lineColor};\n }\n & .marker.cross {\n stroke: ${i.lineColor};\n }\n\n & svg {\n font-family: ${i.fontFamily};\n font-size: ${i.fontSize};\n }\n\n ${r}\n\n ${e}\n`};let gi="",mi="",yi="";const xi=t=>ft(t,Be()),bi=()=>{gi="",yi="",mi=""},Ci=t=>{gi=xi(t).replace(/^\s+/g,"")},_i=()=>gi,vi=t=>{yi=xi(t).replace(/\n\s+/g,"\n")},ki=()=>yi,Ti=t=>{mi=xi(t)},wi=()=>mi,Si=Object.freeze(Object.defineProperty({__proto__:null,clear:bi,getAccDescription:ki,getAccTitle:_i,getDiagramTitle:wi,setAccDescription:vi,setAccTitle:Ci,setDiagramTitle:Ti},Symbol.toStringTag,{value:"Module"})),Bi=st,Fi=lt,Li=Be,Ai=Se,Mi=be,Ei=t=>ft(t,Li()),Ni=di,ji={},Zi=(t,e,i)=>{var r,n,o;if(ji[t])throw new Error(`Diagram ${t} already registered.`);ji[t]=e,i&&Ut(t,i),n=t,void 0!==(o=e.styles)&&(fi[n]=o),null==(r=e.injectUtils)||r.call(e,Bi,Fi,Li,Ei,Ni,Si,(()=>{}))},Ii=t=>{if(t in ji)return ji[t];throw new Oi(t)};class Oi extends Error{constructor(t){super(`Diagram ${t} not found.`)}}const Di=t=>{var e;const{securityLevel:i}=Li();let r=(0,a.Ys)("body");if("sandbox"===i){const i=(null==(e=(0,a.Ys)(`#i${t}`).node())?void 0:e.contentDocument)??document;r=(0,a.Ys)(i.body)}return r.select(`#${t}`)},qi={draw:(t,e,i)=>{st.debug("renering svg for syntax error\n");const r=Di(e);r.attr("viewBox","0 0 2412 512"),ui(r,100,512,!0);const n=r.append("g");n.append("path").attr("class","error-icon").attr("d","m411.313,123.313c6.25-6.25 6.25-16.375 0-22.625s-16.375-6.25-22.625,0l-32,32-9.375,9.375-20.688-20.688c-12.484-12.5-32.766-12.5-45.25,0l-16,16c-1.261,1.261-2.304,2.648-3.31,4.051-21.739-8.561-45.324-13.426-70.065-13.426-105.867,0-192,86.133-192,192s86.133,192 192,192 192-86.133 192-192c0-24.741-4.864-48.327-13.426-70.065 1.402-1.007 2.79-2.049 4.051-3.31l16-16c12.5-12.492 12.5-32.758 0-45.25l-20.688-20.688 9.375-9.375 32.001-31.999zm-219.313,100.687c-52.938,0-96,43.063-96,96 0,8.836-7.164,16-16,16s-16-7.164-16-16c0-70.578 57.422-128 128-128 8.836,0 16,7.164 16,16s-7.164,16-16,16z"),n.append("path").attr("class","error-icon").attr("d","m459.02,148.98c-6.25-6.25-16.375-6.25-22.625,0s-6.25,16.375 0,22.625l16,16c3.125,3.125 7.219,4.688 11.313,4.688 4.094,0 8.188-1.563 11.313-4.688 6.25-6.25 6.25-16.375 0-22.625l-16.001-16z"),n.append("path").attr("class","error-icon").attr("d","m340.395,75.605c3.125,3.125 7.219,4.688 11.313,4.688 4.094,0 8.188-1.563 11.313-4.688 6.25-6.25 6.25-16.375 0-22.625l-16-16c-6.25-6.25-16.375-6.25-22.625,0s-6.25,16.375 0,22.625l15.999,16z"),n.append("path").attr("class","error-icon").attr("d","m400,64c8.844,0 16-7.164 16-16v-32c0-8.836-7.156-16-16-16-8.844,0-16,7.164-16,16v32c0,8.836 7.156,16 16,16z"),n.append("path").attr("class","error-icon").attr("d","m496,96.586h-32c-8.844,0-16,7.164-16,16 0,8.836 7.156,16 16,16h32c8.844,0 16-7.164 16-16 0-8.836-7.156-16-16-16z"),n.append("path").attr("class","error-icon").attr("d","m436.98,75.605c3.125,3.125 7.219,4.688 11.313,4.688 4.094,0 8.188-1.563 11.313-4.688l32-32c6.25-6.25 6.25-16.375 0-22.625s-16.375-6.25-22.625,0l-32,32c-6.251,6.25-6.251,16.375-0.001,22.625z"),n.append("text").attr("class","error-text").attr("x",1440).attr("y",250).attr("font-size","150px").style("text-anchor","middle").text("Syntax error in text"),n.append("text").attr("class","error-text").attr("x",1250).attr("y",400).attr("font-size","100px").style("text-anchor","middle").text(`mermaid version ${i}`)}},$i=qi,zi={db:{},renderer:qi,parser:{parser:{yy:{}},parse:()=>{}}},Pi="flowchart-elk",Ri={id:Pi,detector:(t,e)=>{var i;return!!(/^\s*flowchart-elk/.test(t)||/^\s*flowchart|graph/.test(t)&&"elk"===(null==(i=null==e?void 0:e.flowchart)?void 0:i.defaultRenderer))},loader:async()=>{const{diagram:t}=await Promise.all([i.e(3076),i.e(5269),i.e(8955),i.e(4238)]).then(i.bind(i,4238));return{id:Pi,diagram:t}}},Hi="timeline",Wi={id:Hi,detector:t=>/^\s*timeline/.test(t),loader:async()=>{const{diagram:t}=await i.e(2700).then(i.bind(i,2700));return{id:Hi,diagram:t}}},Ui="mindmap",Yi={id:Ui,detector:t=>/^\s*mindmap/.test(t),loader:async()=>{const{diagram:t}=await Promise.all([i.e(3076),i.e(9138)]).then(i.bind(i,9138));return{id:Ui,diagram:t}}},Vi="sankey",Gi={id:Vi,detector:t=>/^\s*sankey-beta/.test(t),loader:async()=>{const{diagram:t}=await i.e(6591).then(i.bind(i,240));return{id:Vi,diagram:t}}};let Xi=!1;const Ji=()=>{Xi||(Xi=!0,Zi("error",zi,(t=>"error"===t.toLowerCase().trim())),Zi("---",{db:{clear:()=>{}},styles:{},renderer:{draw:()=>{}},parser:{parser:{yy:{}},parse:()=>{throw new Error("Diagrams beginning with --- are not valid. If you were trying to use a YAML front-matter, please ensure that you've correctly opened and closed the YAML front-matter with un-indented `---` blocks")}},init:()=>null},(t=>t.toLowerCase().trimStart().startsWith("---"))),Wt(je,ni,ii,qe,Re,We,Ue,Qe,ti,Ri,De,Ie,Yi,Wi,ze,li,ai,hi,Ve,Gi,Xe))};class Qi{constructor(t,e={}){this.text=t,this.metadata=e,this.type="graph",this.text+="\n";const i=Be();try{this.type=Ht(t,i)}catch(n){this.type="error",this.detectError=n}const r=Ii(this.type);st.debug("Type "+this.type),this.db=r.db,this.renderer=r.renderer,this.parser=r.parser,this.parser.parser.yy=this.db,this.init=r.init,this.parse()}parse(){var t,e,i,r,n;if(this.detectError)throw this.detectError;null==(e=(t=this.db).clear)||e.call(t);const o=Be();null==(i=this.init)||i.call(this,o),this.metadata.title&&(null==(n=(r=this.db).setDiagramTitle)||n.call(r,this.metadata.title)),this.parser.parse(this.text)}async render(t,e){await this.renderer.draw(this.text,t,e,this)}getParser(){return this.parser}getType(){return this.type}}const Ki=async(t,e={})=>{const i=Ht(t,Be());try{Ii(i)}catch(r){const t=Rt[i].loader;if(!t)throw new Pt(`Diagram ${i} not found.`);const{id:e,diagram:n}=await t();Zi(e,n)}return new Qi(t,e)};let tr=[];const er=t=>{tr.push(t)},ir="graphics-document document";const rr=t=>t.replace(/^\s*%%(?!{)[^\n]+\n?/gm,"").trimStart();function nr(t){return null==t}var or={isNothing:nr,isObject:function(t){return"object"==typeof t&&null!==t},toArray:function(t){return Array.isArray(t)?t:nr(t)?[]:[t]},repeat:function(t,e){var i,r="";for(i=0;i<e;i+=1)r+=t;return r},isNegativeZero:function(t){return 0===t&&Number.NEGATIVE_INFINITY===1/t},extend:function(t,e){var i,r,n,o;if(e)for(i=0,r=(o=Object.keys(e)).length;i<r;i+=1)t[n=o[i]]=e[n];return t}};function ar(t,e){var i="",r=t.reason||"(unknown reason)";return t.mark?(t.mark.name&&(i+='in "'+t.mark.name+'" '),i+="("+(t.mark.line+1)+":"+(t.mark.column+1)+")",!e&&t.mark.snippet&&(i+="\n\n"+t.mark.snippet),r+" "+i):r}function sr(t,e){Error.call(this),this.name="YAMLException",this.reason=t,this.mark=e,this.message=ar(this,!1),Error.captureStackTrace?Error.captureStackTrace(this,this.constructor):this.stack=(new Error).stack||""}sr.prototype=Object.create(Error.prototype),sr.prototype.constructor=sr,sr.prototype.toString=function(t){return this.name+": "+ar(this,t)};var lr=sr;function cr(t,e,i,r,n){var o="",a="",s=Math.floor(n/2)-1;return r-e>s&&(e=r-s+(o=" ... ").length),i-r>s&&(i=r+s-(a=" ...").length),{str:o+t.slice(e,i).replace(/\t/g,"\u2192")+a,pos:r-e+o.length}}function hr(t,e){return or.repeat(" ",e-t.length)+t}var ur=function(t,e){if(e=Object.create(e||null),!t.buffer)return null;e.maxLength||(e.maxLength=79),"number"!=typeof e.indent&&(e.indent=1),"number"!=typeof e.linesBefore&&(e.linesBefore=3),"number"!=typeof e.linesAfter&&(e.linesAfter=2);for(var i,r=/\r?\n|\r|\0/g,n=[0],o=[],a=-1;i=r.exec(t.buffer);)o.push(i.index),n.push(i.index+i[0].length),t.position<=i.index&&a<0&&(a=n.length-2);a<0&&(a=n.length-1);var s,l,c="",h=Math.min(t.line+e.linesAfter,o.length).toString().length,u=e.maxLength-(e.indent+h+3);for(s=1;s<=e.linesBefore&&!(a-s<0);s++)l=cr(t.buffer,n[a-s],o[a-s],t.position-(n[a]-n[a-s]),u),c=or.repeat(" ",e.indent)+hr((t.line-s+1).toString(),h)+" | "+l.str+"\n"+c;for(l=cr(t.buffer,n[a],o[a],t.position,u),c+=or.repeat(" ",e.indent)+hr((t.line+1).toString(),h)+" | "+l.str+"\n",c+=or.repeat("-",e.indent+h+3+l.pos)+"^\n",s=1;s<=e.linesAfter&&!(a+s>=o.length);s++)l=cr(t.buffer,n[a+s],o[a+s],t.position-(n[a]-n[a+s]),u),c+=or.repeat(" ",e.indent)+hr((t.line+s+1).toString(),h)+" | "+l.str+"\n";return c.replace(/\n$/,"")},dr=["kind","multi","resolve","construct","instanceOf","predicate","represent","representName","defaultStyle","styleAliases"],fr=["scalar","sequence","mapping"];var pr=function(t,e){var i,r;if(e=e||{},Object.keys(e).forEach((function(e){if(-1===dr.indexOf(e))throw new lr('Unknown option "'+e+'" is met in definition of "'+t+'" YAML type.')})),this.options=e,this.tag=t,this.kind=e.kind||null,this.resolve=e.resolve||function(){return!0},this.construct=e.construct||function(t){return t},this.instanceOf=e.instanceOf||null,this.predicate=e.predicate||null,this.represent=e.represent||null,this.representName=e.representName||null,this.defaultStyle=e.defaultStyle||null,this.multi=e.multi||!1,this.styleAliases=(i=e.styleAliases||null,r={},null!==i&&Object.keys(i).forEach((function(t){i[t].forEach((function(e){r[String(e)]=t}))})),r),-1===fr.indexOf(this.kind))throw new lr('Unknown kind "'+this.kind+'" is specified for "'+t+'" YAML type.')};function gr(t,e){var i=[];return t[e].forEach((function(t){var e=i.length;i.forEach((function(i,r){i.tag===t.tag&&i.kind===t.kind&&i.multi===t.multi&&(e=r)})),i[e]=t})),i}function mr(t){return this.extend(t)}mr.prototype.extend=function(t){var e=[],i=[];if(t instanceof pr)i.push(t);else if(Array.isArray(t))i=i.concat(t);else{if(!t||!Array.isArray(t.implicit)&&!Array.isArray(t.explicit))throw new lr("Schema.extend argument should be a Type, [ Type ], or a schema definition ({ implicit: [...], explicit: [...] })");t.implicit&&(e=e.concat(t.implicit)),t.explicit&&(i=i.concat(t.explicit))}e.forEach((function(t){if(!(t instanceof pr))throw new lr("Specified list of YAML types (or a single Type object) contains a non-Type object.");if(t.loadKind&&"scalar"!==t.loadKind)throw new lr("There is a non-scalar type in the implicit list of a schema. Implicit resolving of such types is not supported.");if(t.multi)throw new lr("There is a multi type in the implicit list of a schema. Multi tags can only be listed as explicit.")})),i.forEach((function(t){if(!(t instanceof pr))throw new lr("Specified list of YAML types (or a single Type object) contains a non-Type object.")}));var r=Object.create(mr.prototype);return r.implicit=(this.implicit||[]).concat(e),r.explicit=(this.explicit||[]).concat(i),r.compiledImplicit=gr(r,"implicit"),r.compiledExplicit=gr(r,"explicit"),r.compiledTypeMap=function(){var t,e,i={scalar:{},sequence:{},mapping:{},fallback:{},multi:{scalar:[],sequence:[],mapping:[],fallback:[]}};function r(t){t.multi?(i.multi[t.kind].push(t),i.multi.fallback.push(t)):i[t.kind][t.tag]=i.fallback[t.tag]=t}for(t=0,e=arguments.length;t<e;t+=1)arguments[t].forEach(r);return i}(r.compiledImplicit,r.compiledExplicit),r};var yr=new mr({explicit:[new pr("tag:yaml.org,2002:str",{kind:"scalar",construct:function(t){return null!==t?t:""}}),new pr("tag:yaml.org,2002:seq",{kind:"sequence",construct:function(t){return null!==t?t:[]}}),new pr("tag:yaml.org,2002:map",{kind:"mapping",construct:function(t){return null!==t?t:{}}})]});var xr=new pr("tag:yaml.org,2002:null",{kind:"scalar",resolve:function(t){if(null===t)return!0;var e=t.length;return 1===e&&"~"===t||4===e&&("null"===t||"Null"===t||"NULL"===t)},construct:function(){return null},predicate:function(t){return null===t},represent:{canonical:function(){return"~"},lowercase:function(){return"null"},uppercase:function(){return"NULL"},camelcase:function(){return"Null"},empty:function(){return""}},defaultStyle:"lowercase"});var br=new pr("tag:yaml.org,2002:bool",{kind:"scalar",resolve:function(t){if(null===t)return!1;var e=t.length;return 4===e&&("true"===t||"True"===t||"TRUE"===t)||5===e&&("false"===t||"False"===t||"FALSE"===t)},construct:function(t){return"true"===t||"True"===t||"TRUE"===t},predicate:function(t){return"[object Boolean]"===Object.prototype.toString.call(t)},represent:{lowercase:function(t){return t?"true":"false"},uppercase:function(t){return t?"TRUE":"FALSE"},camelcase:function(t){return t?"True":"False"}},defaultStyle:"lowercase"});function Cr(t){return 48<=t&&t<=55}function _r(t){return 48<=t&&t<=57}var vr=new pr("tag:yaml.org,2002:int",{kind:"scalar",resolve:function(t){if(null===t)return!1;var e,i,r=t.length,n=0,o=!1;if(!r)return!1;if("-"!==(e=t[n])&&"+"!==e||(e=t[++n]),"0"===e){if(n+1===r)return!0;if("b"===(e=t[++n])){for(n++;n<r;n++)if("_"!==(e=t[n])){if("0"!==e&&"1"!==e)return!1;o=!0}return o&&"_"!==e}if("x"===e){for(n++;n<r;n++)if("_"!==(e=t[n])){if(!(48<=(i=t.charCodeAt(n))&&i<=57||65<=i&&i<=70||97<=i&&i<=102))return!1;o=!0}return o&&"_"!==e}if("o"===e){for(n++;n<r;n++)if("_"!==(e=t[n])){if(!Cr(t.charCodeAt(n)))return!1;o=!0}return o&&"_"!==e}}if("_"===e)return!1;for(;n<r;n++)if("_"!==(e=t[n])){if(!_r(t.charCodeAt(n)))return!1;o=!0}return!(!o||"_"===e)},construct:function(t){var e,i=t,r=1;if(-1!==i.indexOf("_")&&(i=i.replace(/_/g,"")),"-"!==(e=i[0])&&"+"!==e||("-"===e&&(r=-1),e=(i=i.slice(1))[0]),"0"===i)return 0;if("0"===e){if("b"===i[1])return r*parseInt(i.slice(2),2);if("x"===i[1])return r*parseInt(i.slice(2),16);if("o"===i[1])return r*parseInt(i.slice(2),8)}return r*parseInt(i,10)},predicate:function(t){return"[object Number]"===Object.prototype.toString.call(t)&&t%1==0&&!or.isNegativeZero(t)},represent:{binary:function(t){return t>=0?"0b"+t.toString(2):"-0b"+t.toString(2).slice(1)},octal:function(t){return t>=0?"0o"+t.toString(8):"-0o"+t.toString(8).slice(1)},decimal:function(t){return t.toString(10)},hexadecimal:function(t){return t>=0?"0x"+t.toString(16).toUpperCase():"-0x"+t.toString(16).toUpperCase().slice(1)}},defaultStyle:"decimal",styleAliases:{binary:[2,"bin"],octal:[8,"oct"],decimal:[10,"dec"],hexadecimal:[16,"hex"]}}),kr=new RegExp("^(?:[-+]?(?:[0-9][0-9_]*)(?:\\.[0-9_]*)?(?:[eE][-+]?[0-9]+)?|\\.[0-9_]+(?:[eE][-+]?[0-9]+)?|[-+]?\\.(?:inf|Inf|INF)|\\.(?:nan|NaN|NAN))$");var Tr=/^[-+]?[0-9]+e/;var wr=new pr("tag:yaml.org,2002:float",{kind:"scalar",resolve:function(t){return null!==t&&!(!kr.test(t)||"_"===t[t.length-1])},construct:function(t){var e,i;return i="-"===(e=t.replace(/_/g,"").toLowerCase())[0]?-1:1,"+-".indexOf(e[0])>=0&&(e=e.slice(1)),".inf"===e?1===i?Number.POSITIVE_INFINITY:Number.NEGATIVE_INFINITY:".nan"===e?NaN:i*parseFloat(e,10)},predicate:function(t){return"[object Number]"===Object.prototype.toString.call(t)&&(t%1!=0||or.isNegativeZero(t))},represent:function(t,e){var i;if(isNaN(t))switch(e){case"lowercase":return".nan";case"uppercase":return".NAN";case"camelcase":return".NaN"}else if(Number.POSITIVE_INFINITY===t)switch(e){case"lowercase":return".inf";case"uppercase":return".INF";case"camelcase":return".Inf"}else if(Number.NEGATIVE_INFINITY===t)switch(e){case"lowercase":return"-.inf";case"uppercase":return"-.INF";case"camelcase":return"-.Inf"}else if(or.isNegativeZero(t))return"-0.0";return i=t.toString(10),Tr.test(i)?i.replace("e",".e"):i},defaultStyle:"lowercase"}),Sr=yr.extend({implicit:[xr,br,vr,wr]}),Br=Sr,Fr=new RegExp("^([0-9][0-9][0-9][0-9])-([0-9][0-9])-([0-9][0-9])$"),Lr=new RegExp("^([0-9][0-9][0-9][0-9])-([0-9][0-9]?)-([0-9][0-9]?)(?:[Tt]|[ \\t]+)([0-9][0-9]?):([0-9][0-9]):([0-9][0-9])(?:\\.([0-9]*))?(?:[ \\t]*(Z|([-+])([0-9][0-9]?)(?::([0-9][0-9]))?))?$");var Ar=new pr("tag:yaml.org,2002:timestamp",{kind:"scalar",resolve:function(t){return null!==t&&(null!==Fr.exec(t)||null!==Lr.exec(t))},construct:function(t){var e,i,r,n,o,a,s,l,c=0,h=null;if(null===(e=Fr.exec(t))&&(e=Lr.exec(t)),null===e)throw new Error("Date resolve error");if(i=+e[1],r=+e[2]-1,n=+e[3],!e[4])return new Date(Date.UTC(i,r,n));if(o=+e[4],a=+e[5],s=+e[6],e[7]){for(c=e[7].slice(0,3);c.length<3;)c+="0";c=+c}return e[9]&&(h=6e4*(60*+e[10]+ +(e[11]||0)),"-"===e[9]&&(h=-h)),l=new Date(Date.UTC(i,r,n,o,a,s,c)),h&&l.setTime(l.getTime()-h),l},instanceOf:Date,represent:function(t){return t.toISOString()}});var Mr=new pr("tag:yaml.org,2002:merge",{kind:"scalar",resolve:function(t){return"<<"===t||null===t}}),Er="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=\n\r";var Nr=new pr("tag:yaml.org,2002:binary",{kind:"scalar",resolve:function(t){if(null===t)return!1;var e,i,r=0,n=t.length,o=Er;for(i=0;i<n;i++)if(!((e=o.indexOf(t.charAt(i)))>64)){if(e<0)return!1;r+=6}return r%8==0},construct:function(t){var e,i,r=t.replace(/[\r\n=]/g,""),n=r.length,o=Er,a=0,s=[];for(e=0;e<n;e++)e%4==0&&e&&(s.push(a>>16&255),s.push(a>>8&255),s.push(255&a)),a=a<<6|o.indexOf(r.charAt(e));return 0===(i=n%4*6)?(s.push(a>>16&255),s.push(a>>8&255),s.push(255&a)):18===i?(s.push(a>>10&255),s.push(a>>2&255)):12===i&&s.push(a>>4&255),new Uint8Array(s)},predicate:function(t){return"[object Uint8Array]"===Object.prototype.toString.call(t)},represent:function(t){var e,i,r="",n=0,o=t.length,a=Er;for(e=0;e<o;e++)e%3==0&&e&&(r+=a[n>>18&63],r+=a[n>>12&63],r+=a[n>>6&63],r+=a[63&n]),n=(n<<8)+t[e];return 0===(i=o%3)?(r+=a[n>>18&63],r+=a[n>>12&63],r+=a[n>>6&63],r+=a[63&n]):2===i?(r+=a[n>>10&63],r+=a[n>>4&63],r+=a[n<<2&63],r+=a[64]):1===i&&(r+=a[n>>2&63],r+=a[n<<4&63],r+=a[64],r+=a[64]),r}}),jr=Object.prototype.hasOwnProperty,Zr=Object.prototype.toString;var Ir=new pr("tag:yaml.org,2002:omap",{kind:"sequence",resolve:function(t){if(null===t)return!0;var e,i,r,n,o,a=[],s=t;for(e=0,i=s.length;e<i;e+=1){if(r=s[e],o=!1,"[object Object]"!==Zr.call(r))return!1;for(n in r)if(jr.call(r,n)){if(o)return!1;o=!0}if(!o)return!1;if(-1!==a.indexOf(n))return!1;a.push(n)}return!0},construct:function(t){return null!==t?t:[]}}),Or=Object.prototype.toString;var Dr=new pr("tag:yaml.org,2002:pairs",{kind:"sequence",resolve:function(t){if(null===t)return!0;var e,i,r,n,o,a=t;for(o=new Array(a.length),e=0,i=a.length;e<i;e+=1){if(r=a[e],"[object Object]"!==Or.call(r))return!1;if(1!==(n=Object.keys(r)).length)return!1;o[e]=[n[0],r[n[0]]]}return!0},construct:function(t){if(null===t)return[];var e,i,r,n,o,a=t;for(o=new Array(a.length),e=0,i=a.length;e<i;e+=1)r=a[e],n=Object.keys(r),o[e]=[n[0],r[n[0]]];return o}}),qr=Object.prototype.hasOwnProperty;var $r=new pr("tag:yaml.org,2002:set",{kind:"mapping",resolve:function(t){if(null===t)return!0;var e,i=t;for(e in i)if(qr.call(i,e)&&null!==i[e])return!1;return!0},construct:function(t){return null!==t?t:{}}}),zr=Br.extend({implicit:[Ar,Mr],explicit:[Nr,Ir,Dr,$r]}),Pr=Object.prototype.hasOwnProperty,Rr=1,Hr=2,Wr=3,Ur=4,Yr=1,Vr=2,Gr=3,Xr=/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F-\x84\x86-\x9F\uFFFE\uFFFF]|[\uD800-\uDBFF](?![\uDC00-\uDFFF])|(?:[^\uD800-\uDBFF]|^)[\uDC00-\uDFFF]/,Jr=/[\x85\u2028\u2029]/,Qr=/[,\[\]\{\}]/,Kr=/^(?:!|!!|![a-z\-]+!)$/i,tn=/^(?:!|[^,\[\]\{\}])(?:%[0-9a-f]{2}|[0-9a-z\-#;\/\?:@&=\+\$,_\.!~\*'\(\)\[\]])*$/i;function en(t){return Object.prototype.toString.call(t)}function rn(t){return 10===t||13===t}function nn(t){return 9===t||32===t}function on(t){return 9===t||32===t||10===t||13===t}function an(t){return 44===t||91===t||93===t||123===t||125===t}function sn(t){var e;return 48<=t&&t<=57?t-48:97<=(e=32|t)&&e<=102?e-97+10:-1}function ln(t){return 48===t?"\0":97===t?"\x07":98===t?"\b":116===t||9===t?"\t":110===t?"\n":118===t?"\v":102===t?"\f":114===t?"\r":101===t?"\x1b":32===t?" ":34===t?'"':47===t?"/":92===t?"\\":78===t?"\x85":95===t?"\xa0":76===t?"\u2028":80===t?"\u2029":""}function cn(t){return t<=65535?String.fromCharCode(t):String.fromCharCode(55296+(t-65536>>10),56320+(t-65536&1023))}for(var hn=new Array(256),un=new Array(256),dn=0;dn<256;dn++)hn[dn]=ln(dn)?1:0,un[dn]=ln(dn);function fn(t,e){this.input=t,this.filename=e.filename||null,this.schema=e.schema||zr,this.onWarning=e.onWarning||null,this.legacy=e.legacy||!1,this.json=e.json||!1,this.listener=e.listener||null,this.implicitTypes=this.schema.compiledImplicit,this.typeMap=this.schema.compiledTypeMap,this.length=t.length,this.position=0,this.line=0,this.lineStart=0,this.lineIndent=0,this.firstTabInLine=-1,this.documents=[]}function pn(t,e){var i={name:t.filename,buffer:t.input.slice(0,-1),position:t.position,line:t.line,column:t.position-t.lineStart};return i.snippet=ur(i),new lr(e,i)}function gn(t,e){throw pn(t,e)}function mn(t,e){t.onWarning&&t.onWarning.call(null,pn(t,e))}var yn={YAML:function(t,e,i){var r,n,o;null!==t.version&&gn(t,"duplication of %YAML directive"),1!==i.length&&gn(t,"YAML directive accepts exactly one argument"),null===(r=/^([0-9]+)\.([0-9]+)$/.exec(i[0]))&&gn(t,"ill-formed argument of the YAML directive"),n=parseInt(r[1],10),o=parseInt(r[2],10),1!==n&&gn(t,"unacceptable YAML version of the document"),t.version=i[0],t.checkLineBreaks=o<2,1!==o&&2!==o&&mn(t,"unsupported YAML version of the document")},TAG:function(t,e,i){var r,n;2!==i.length&&gn(t,"TAG directive accepts exactly two arguments"),r=i[0],n=i[1],Kr.test(r)||gn(t,"ill-formed tag handle (first argument) of the TAG directive"),Pr.call(t.tagMap,r)&&gn(t,'there is a previously declared suffix for "'+r+'" tag handle'),tn.test(n)||gn(t,"ill-formed tag prefix (second argument) of the TAG directive");try{n=decodeURIComponent(n)}catch(o){gn(t,"tag prefix is malformed: "+n)}t.tagMap[r]=n}};function xn(t,e,i,r){var n,o,a,s;if(e<i){if(s=t.input.slice(e,i),r)for(n=0,o=s.length;n<o;n+=1)9===(a=s.charCodeAt(n))||32<=a&&a<=1114111||gn(t,"expected valid JSON character");else Xr.test(s)&&gn(t,"the stream contains non-printable characters");t.result+=s}}function bn(t,e,i,r){var n,o,a,s;for(or.isObject(i)||gn(t,"cannot merge mappings; the provided source object is unacceptable"),a=0,s=(n=Object.keys(i)).length;a<s;a+=1)o=n[a],Pr.call(e,o)||(e[o]=i[o],r[o]=!0)}function Cn(t,e,i,r,n,o,a,s,l){var c,h;if(Array.isArray(n))for(c=0,h=(n=Array.prototype.slice.call(n)).length;c<h;c+=1)Array.isArray(n[c])&&gn(t,"nested arrays are not supported inside keys"),"object"==typeof n&&"[object Object]"===en(n[c])&&(n[c]="[object Object]");if("object"==typeof n&&"[object Object]"===en(n)&&(n="[object Object]"),n=String(n),null===e&&(e={}),"tag:yaml.org,2002:merge"===r)if(Array.isArray(o))for(c=0,h=o.length;c<h;c+=1)bn(t,e,o[c],i);else bn(t,e,o,i);else t.json||Pr.call(i,n)||!Pr.call(e,n)||(t.line=a||t.line,t.lineStart=s||t.lineStart,t.position=l||t.position,gn(t,"duplicated mapping key")),"__proto__"===n?Object.defineProperty(e,n,{configurable:!0,enumerable:!0,writable:!0,value:o}):e[n]=o,delete i[n];return e}function _n(t){var e;10===(e=t.input.charCodeAt(t.position))?t.position++:13===e?(t.position++,10===t.input.charCodeAt(t.position)&&t.position++):gn(t,"a line break is expected"),t.line+=1,t.lineStart=t.position,t.firstTabInLine=-1}function vn(t,e,i){for(var r=0,n=t.input.charCodeAt(t.position);0!==n;){for(;nn(n);)9===n&&-1===t.firstTabInLine&&(t.firstTabInLine=t.position),n=t.input.charCodeAt(++t.position);if(e&&35===n)do{n=t.input.charCodeAt(++t.position)}while(10!==n&&13!==n&&0!==n);if(!rn(n))break;for(_n(t),n=t.input.charCodeAt(t.position),r++,t.lineIndent=0;32===n;)t.lineIndent++,n=t.input.charCodeAt(++t.position)}return-1!==i&&0!==r&&t.lineIndent<i&&mn(t,"deficient indentation"),r}function kn(t){var e,i=t.position;return!(45!==(e=t.input.charCodeAt(i))&&46!==e||e!==t.input.charCodeAt(i+1)||e!==t.input.charCodeAt(i+2)||(i+=3,0!==(e=t.input.charCodeAt(i))&&!on(e)))}function Tn(t,e){1===e?t.result+=" ":e>1&&(t.result+=or.repeat("\n",e-1))}function wn(t,e){var i,r,n=t.tag,o=t.anchor,a=[],s=!1;if(-1!==t.firstTabInLine)return!1;for(null!==t.anchor&&(t.anchorMap[t.anchor]=a),r=t.input.charCodeAt(t.position);0!==r&&(-1!==t.firstTabInLine&&(t.position=t.firstTabInLine,gn(t,"tab characters must not be used in indentation")),45===r)&&on(t.input.charCodeAt(t.position+1));)if(s=!0,t.position++,vn(t,!0,-1)&&t.lineIndent<=e)a.push(null),r=t.input.charCodeAt(t.position);else if(i=t.line,Fn(t,e,Wr,!1,!0),a.push(t.result),vn(t,!0,-1),r=t.input.charCodeAt(t.position),(t.line===i||t.lineIndent>e)&&0!==r)gn(t,"bad indentation of a sequence entry");else if(t.lineIndent<e)break;return!!s&&(t.tag=n,t.anchor=o,t.kind="sequence",t.result=a,!0)}function Sn(t){var e,i,r,n,o=!1,a=!1;if(33!==(n=t.input.charCodeAt(t.position)))return!1;if(null!==t.tag&&gn(t,"duplication of a tag property"),60===(n=t.input.charCodeAt(++t.position))?(o=!0,n=t.input.charCodeAt(++t.position)):33===n?(a=!0,i="!!",n=t.input.charCodeAt(++t.position)):i="!",e=t.position,o){do{n=t.input.charCodeAt(++t.position)}while(0!==n&&62!==n);t.position<t.length?(r=t.input.slice(e,t.position),n=t.input.charCodeAt(++t.position)):gn(t,"unexpected end of the stream within a verbatim tag")}else{for(;0!==n&&!on(n);)33===n&&(a?gn(t,"tag suffix cannot contain exclamation marks"):(i=t.input.slice(e-1,t.position+1),Kr.test(i)||gn(t,"named tag handle cannot contain such characters"),a=!0,e=t.position+1)),n=t.input.charCodeAt(++t.position);r=t.input.slice(e,t.position),Qr.test(r)&&gn(t,"tag suffix cannot contain flow indicator characters")}r&&!tn.test(r)&&gn(t,"tag name cannot contain such characters: "+r);try{r=decodeURIComponent(r)}catch(s){gn(t,"tag name is malformed: "+r)}return o?t.tag=r:Pr.call(t.tagMap,i)?t.tag=t.tagMap[i]+r:"!"===i?t.tag="!"+r:"!!"===i?t.tag="tag:yaml.org,2002:"+r:gn(t,'undeclared tag handle "'+i+'"'),!0}function Bn(t){var e,i;if(38!==(i=t.input.charCodeAt(t.position)))return!1;for(null!==t.anchor&&gn(t,"duplication of an anchor property"),i=t.input.charCodeAt(++t.position),e=t.position;0!==i&&!on(i)&&!an(i);)i=t.input.charCodeAt(++t.position);return t.position===e&&gn(t,"name of an anchor node must contain at least one character"),t.anchor=t.input.slice(e,t.position),!0}function Fn(t,e,i,r,n){var o,a,s,l,c,h,u,d,f,p=1,g=!1,m=!1;if(null!==t.listener&&t.listener("open",t),t.tag=null,t.anchor=null,t.kind=null,t.result=null,o=a=s=Ur===i||Wr===i,r&&vn(t,!0,-1)&&(g=!0,t.lineIndent>e?p=1:t.lineIndent===e?p=0:t.lineIndent<e&&(p=-1)),1===p)for(;Sn(t)||Bn(t);)vn(t,!0,-1)?(g=!0,s=o,t.lineIndent>e?p=1:t.lineIndent===e?p=0:t.lineIndent<e&&(p=-1)):s=!1;if(s&&(s=g||n),1!==p&&Ur!==i||(d=Rr===i||Hr===i?e:e+1,f=t.position-t.lineStart,1===p?s&&(wn(t,f)||function(t,e,i){var r,n,o,a,s,l,c,h=t.tag,u=t.anchor,d={},f=Object.create(null),p=null,g=null,m=null,y=!1,x=!1;if(-1!==t.firstTabInLine)return!1;for(null!==t.anchor&&(t.anchorMap[t.anchor]=d),c=t.input.charCodeAt(t.position);0!==c;){if(y||-1===t.firstTabInLine||(t.position=t.firstTabInLine,gn(t,"tab characters must not be used in indentation")),r=t.input.charCodeAt(t.position+1),o=t.line,63!==c&&58!==c||!on(r)){if(a=t.line,s=t.lineStart,l=t.position,!Fn(t,i,Hr,!1,!0))break;if(t.line===o){for(c=t.input.charCodeAt(t.position);nn(c);)c=t.input.charCodeAt(++t.position);if(58===c)on(c=t.input.charCodeAt(++t.position))||gn(t,"a whitespace character is expected after the key-value separator within a block mapping"),y&&(Cn(t,d,f,p,g,null,a,s,l),p=g=m=null),x=!0,y=!1,n=!1,p=t.tag,g=t.result;else{if(!x)return t.tag=h,t.anchor=u,!0;gn(t,"can not read an implicit mapping pair; a colon is missed")}}else{if(!x)return t.tag=h,t.anchor=u,!0;gn(t,"can not read a block mapping entry; a multiline key may not be an implicit key")}}else 63===c?(y&&(Cn(t,d,f,p,g,null,a,s,l),p=g=m=null),x=!0,y=!0,n=!0):y?(y=!1,n=!0):gn(t,"incomplete explicit mapping pair; a key node is missed; or followed by a non-tabulated empty line"),t.position+=1,c=r;if((t.line===o||t.lineIndent>e)&&(y&&(a=t.line,s=t.lineStart,l=t.position),Fn(t,e,Ur,!0,n)&&(y?g=t.result:m=t.result),y||(Cn(t,d,f,p,g,m,a,s,l),p=g=m=null),vn(t,!0,-1),c=t.input.charCodeAt(t.position)),(t.line===o||t.lineIndent>e)&&0!==c)gn(t,"bad indentation of a mapping entry");else if(t.lineIndent<e)break}return y&&Cn(t,d,f,p,g,null,a,s,l),x&&(t.tag=h,t.anchor=u,t.kind="mapping",t.result=d),x}(t,f,d))||function(t,e){var i,r,n,o,a,s,l,c,h,u,d,f,p=!0,g=t.tag,m=t.anchor,y=Object.create(null);if(91===(f=t.input.charCodeAt(t.position)))a=93,c=!1,o=[];else{if(123!==f)return!1;a=125,c=!0,o={}}for(null!==t.anchor&&(t.anchorMap[t.anchor]=o),f=t.input.charCodeAt(++t.position);0!==f;){if(vn(t,!0,e),(f=t.input.charCodeAt(t.position))===a)return t.position++,t.tag=g,t.anchor=m,t.kind=c?"mapping":"sequence",t.result=o,!0;p?44===f&&gn(t,"expected the node content, but found ','"):gn(t,"missed comma between flow collection entries"),d=null,s=l=!1,63===f&&on(t.input.charCodeAt(t.position+1))&&(s=l=!0,t.position++,vn(t,!0,e)),i=t.line,r=t.lineStart,n=t.position,Fn(t,e,Rr,!1,!0),u=t.tag,h=t.result,vn(t,!0,e),f=t.input.charCodeAt(t.position),!l&&t.line!==i||58!==f||(s=!0,f=t.input.charCodeAt(++t.position),vn(t,!0,e),Fn(t,e,Rr,!1,!0),d=t.result),c?Cn(t,o,y,u,h,d,i,r,n):s?o.push(Cn(t,null,y,u,h,d,i,r,n)):o.push(h),vn(t,!0,e),44===(f=t.input.charCodeAt(t.position))?(p=!0,f=t.input.charCodeAt(++t.position)):p=!1}gn(t,"unexpected end of the stream within a flow collection")}(t,d)?m=!0:(a&&function(t,e){var i,r,n,o,a,s=Yr,l=!1,c=!1,h=e,u=0,d=!1;if(124===(o=t.input.charCodeAt(t.position)))r=!1;else{if(62!==o)return!1;r=!0}for(t.kind="scalar",t.result="";0!==o;)if(43===(o=t.input.charCodeAt(++t.position))||45===o)Yr===s?s=43===o?Gr:Vr:gn(t,"repeat of a chomping mode identifier");else{if(!((n=48<=(a=o)&&a<=57?a-48:-1)>=0))break;0===n?gn(t,"bad explicit indentation width of a block scalar; it cannot be less than one"):c?gn(t,"repeat of an indentation width identifier"):(h=e+n-1,c=!0)}if(nn(o)){do{o=t.input.charCodeAt(++t.position)}while(nn(o));if(35===o)do{o=t.input.charCodeAt(++t.position)}while(!rn(o)&&0!==o)}for(;0!==o;){for(_n(t),t.lineIndent=0,o=t.input.charCodeAt(t.position);(!c||t.lineIndent<h)&&32===o;)t.lineIndent++,o=t.input.charCodeAt(++t.position);if(!c&&t.lineIndent>h&&(h=t.lineIndent),rn(o))u++;else{if(t.lineIndent<h){s===Gr?t.result+=or.repeat("\n",l?1+u:u):s===Yr&&l&&(t.result+="\n");break}for(r?nn(o)?(d=!0,t.result+=or.repeat("\n",l?1+u:u)):d?(d=!1,t.result+=or.repeat("\n",u+1)):0===u?l&&(t.result+=" "):t.result+=or.repeat("\n",u):t.result+=or.repeat("\n",l?1+u:u),l=!0,c=!0,u=0,i=t.position;!rn(o)&&0!==o;)o=t.input.charCodeAt(++t.position);xn(t,i,t.position,!1)}}return!0}(t,d)||function(t,e){var i,r,n;if(39!==(i=t.input.charCodeAt(t.position)))return!1;for(t.kind="scalar",t.result="",t.position++,r=n=t.position;0!==(i=t.input.charCodeAt(t.position));)if(39===i){if(xn(t,r,t.position,!0),39!==(i=t.input.charCodeAt(++t.position)))return!0;r=t.position,t.position++,n=t.position}else rn(i)?(xn(t,r,n,!0),Tn(t,vn(t,!1,e)),r=n=t.position):t.position===t.lineStart&&kn(t)?gn(t,"unexpected end of the document within a single quoted scalar"):(t.position++,n=t.position);gn(t,"unexpected end of the stream within a single quoted scalar")}(t,d)||function(t,e){var i,r,n,o,a,s,l;if(34!==(s=t.input.charCodeAt(t.position)))return!1;for(t.kind="scalar",t.result="",t.position++,i=r=t.position;0!==(s=t.input.charCodeAt(t.position));){if(34===s)return xn(t,i,t.position,!0),t.position++,!0;if(92===s){if(xn(t,i,t.position,!0),rn(s=t.input.charCodeAt(++t.position)))vn(t,!1,e);else if(s<256&&hn[s])t.result+=un[s],t.position++;else if((a=120===(l=s)?2:117===l?4:85===l?8:0)>0){for(n=a,o=0;n>0;n--)(a=sn(s=t.input.charCodeAt(++t.position)))>=0?o=(o<<4)+a:gn(t,"expected hexadecimal character");t.result+=cn(o),t.position++}else gn(t,"unknown escape sequence");i=r=t.position}else rn(s)?(xn(t,i,r,!0),Tn(t,vn(t,!1,e)),i=r=t.position):t.position===t.lineStart&&kn(t)?gn(t,"unexpected end of the document within a double quoted scalar"):(t.position++,r=t.position)}gn(t,"unexpected end of the stream within a double quoted scalar")}(t,d)?m=!0:!function(t){var e,i,r;if(42!==(r=t.input.charCodeAt(t.position)))return!1;for(r=t.input.charCodeAt(++t.position),e=t.position;0!==r&&!on(r)&&!an(r);)r=t.input.charCodeAt(++t.position);return t.position===e&&gn(t,"name of an alias node must contain at least one character"),i=t.input.slice(e,t.position),Pr.call(t.anchorMap,i)||gn(t,'unidentified alias "'+i+'"'),t.result=t.anchorMap[i],vn(t,!0,-1),!0}(t)?function(t,e,i){var r,n,o,a,s,l,c,h,u=t.kind,d=t.result;if(on(h=t.input.charCodeAt(t.position))||an(h)||35===h||38===h||42===h||33===h||124===h||62===h||39===h||34===h||37===h||64===h||96===h)return!1;if((63===h||45===h)&&(on(r=t.input.charCodeAt(t.position+1))||i&&an(r)))return!1;for(t.kind="scalar",t.result="",n=o=t.position,a=!1;0!==h;){if(58===h){if(on(r=t.input.charCodeAt(t.position+1))||i&&an(r))break}else if(35===h){if(on(t.input.charCodeAt(t.position-1)))break}else{if(t.position===t.lineStart&&kn(t)||i&&an(h))break;if(rn(h)){if(s=t.line,l=t.lineStart,c=t.lineIndent,vn(t,!1,-1),t.lineIndent>=e){a=!0,h=t.input.charCodeAt(t.position);continue}t.position=o,t.line=s,t.lineStart=l,t.lineIndent=c;break}}a&&(xn(t,n,o,!1),Tn(t,t.line-s),n=o=t.position,a=!1),nn(h)||(o=t.position+1),h=t.input.charCodeAt(++t.position)}return xn(t,n,o,!1),!!t.result||(t.kind=u,t.result=d,!1)}(t,d,Rr===i)&&(m=!0,null===t.tag&&(t.tag="?")):(m=!0,null===t.tag&&null===t.anchor||gn(t,"alias node should not have any properties")),null!==t.anchor&&(t.anchorMap[t.anchor]=t.result)):0===p&&(m=s&&wn(t,f))),null===t.tag)null!==t.anchor&&(t.anchorMap[t.anchor]=t.result);else if("?"===t.tag){for(null!==t.result&&"scalar"!==t.kind&&gn(t,'unacceptable node kind for !<?> tag; it should be "scalar", not "'+t.kind+'"'),l=0,c=t.implicitTypes.length;l<c;l+=1)if((u=t.implicitTypes[l]).resolve(t.result)){t.result=u.construct(t.result),t.tag=u.tag,null!==t.anchor&&(t.anchorMap[t.anchor]=t.result);break}}else if("!"!==t.tag){if(Pr.call(t.typeMap[t.kind||"fallback"],t.tag))u=t.typeMap[t.kind||"fallback"][t.tag];else for(u=null,l=0,c=(h=t.typeMap.multi[t.kind||"fallback"]).length;l<c;l+=1)if(t.tag.slice(0,h[l].tag.length)===h[l].tag){u=h[l];break}u||gn(t,"unknown tag !<"+t.tag+">"),null!==t.result&&u.kind!==t.kind&&gn(t,"unacceptable node kind for !<"+t.tag+'> tag; it should be "'+u.kind+'", not "'+t.kind+'"'),u.resolve(t.result,t.tag)?(t.result=u.construct(t.result,t.tag),null!==t.anchor&&(t.anchorMap[t.anchor]=t.result)):gn(t,"cannot resolve a node with !<"+t.tag+"> explicit tag")}return null!==t.listener&&t.listener("close",t),null!==t.tag||null!==t.anchor||m}function Ln(t){var e,i,r,n,o=t.position,a=!1;for(t.version=null,t.checkLineBreaks=t.legacy,t.tagMap=Object.create(null),t.anchorMap=Object.create(null);0!==(n=t.input.charCodeAt(t.position))&&(vn(t,!0,-1),n=t.input.charCodeAt(t.position),!(t.lineIndent>0||37!==n));){for(a=!0,n=t.input.charCodeAt(++t.position),e=t.position;0!==n&&!on(n);)n=t.input.charCodeAt(++t.position);for(r=[],(i=t.input.slice(e,t.position)).length<1&&gn(t,"directive name must not be less than one character in length");0!==n;){for(;nn(n);)n=t.input.charCodeAt(++t.position);if(35===n){do{n=t.input.charCodeAt(++t.position)}while(0!==n&&!rn(n));break}if(rn(n))break;for(e=t.position;0!==n&&!on(n);)n=t.input.charCodeAt(++t.position);r.push(t.input.slice(e,t.position))}0!==n&&_n(t),Pr.call(yn,i)?yn[i](t,i,r):mn(t,'unknown document directive "'+i+'"')}vn(t,!0,-1),0===t.lineIndent&&45===t.input.charCodeAt(t.position)&&45===t.input.charCodeAt(t.position+1)&&45===t.input.charCodeAt(t.position+2)?(t.position+=3,vn(t,!0,-1)):a&&gn(t,"directives end mark is expected"),Fn(t,t.lineIndent-1,Ur,!1,!0),vn(t,!0,-1),t.checkLineBreaks&&Jr.test(t.input.slice(o,t.position))&&mn(t,"non-ASCII line breaks are interpreted as content"),t.documents.push(t.result),t.position===t.lineStart&&kn(t)?46===t.input.charCodeAt(t.position)&&(t.position+=3,vn(t,!0,-1)):t.position<t.length-1&&gn(t,"end of the stream or a document separator is expected")}function An(t,e){e=e||{},0!==(t=String(t)).length&&(10!==t.charCodeAt(t.length-1)&&13!==t.charCodeAt(t.length-1)&&(t+="\n"),65279===t.charCodeAt(0)&&(t=t.slice(1)));var i=new fn(t,e),r=t.indexOf("\0");for(-1!==r&&(i.position=r,gn(i,"null byte is not allowed in input")),i.input+="\0";32===i.input.charCodeAt(i.position);)i.lineIndent+=1,i.position+=1;for(;i.position<i.length-1;)Ln(i);return i.documents}var Mn=Sr,En={loadAll:function(t,e,i){null!==e&&"object"==typeof e&&void 0===i&&(i=e,e=null);var r=An(t,i);if("function"!=typeof e)return r;for(var n=0,o=r.length;n<o;n+=1)e(r[n])},load:function(t,e){var i=An(t,e);if(0!==i.length){if(1===i.length)return i[0];throw new lr("expected a single document in the stream, but found more")}}}.load;const Nn=t=>t.replace(/\r\n?/g,"\n").replace(/<(\w+)([^>]*)>/g,((t,e,i)=>"<"+e+i.replace(/="([^"]*)"/g,"='$1'")+">")),jn=t=>{const{text:e,metadata:i}=function(t){const e=t.match(qt);if(!e)return{text:t,metadata:{}};let i=En(e[1],{schema:Mn})??{};i="object"!=typeof i||Array.isArray(i)?{}:i;const r={};return i.displayMode&&(r.displayMode=i.displayMode.toString()),i.title&&(r.title=i.title.toString()),i.config&&(r.config=i.config),{text:t.slice(e[0].length),metadata:r}}(t),{displayMode:r,title:n,config:o={}}=i;return r&&(o.gantt||(o.gantt={}),o.gantt.displayMode=r),{title:n,config:o,text:e}},Zn=t=>{const e=ye.detectInit(t)??{},i=ye.detectDirective(t,"wrap");return Array.isArray(i)?e.wrap=i.some((({type:t})=>{})):"wrap"===(null==i?void 0:i.type)&&(e.wrap=!0),{text:(r=t,r.replace($t,"")),directive:e};var r};const In=["foreignobject"],On=["dominant-baseline"];function Dn(t){const e=function(t){const e=Nn(t),i=jn(e),r=Zn(i.text),n=me(i.config,r.directive);return{code:t=rr(r.text),title:i.title,config:n}}(t);return Ae(),Le(e.config??{}),e}const qn=function(t){return t.replace(/\ufb02\xb0\xb0/g,"&#").replace(/\ufb02\xb0/g,"&").replace(/\xb6\xdf/g,";")},$n=(t,e,i=[])=>`\n.${t} ${e} { ${i.join(" !important; ")} !important; }`,zn=(t,e,i,r)=>{const n=((t,e={})=>{var i;let r="";if(void 0!==t.themeCSS&&(r+=`\n${t.themeCSS}`),void 0!==t.fontFamily&&(r+=`\n:root { --mermaid-font-family: ${t.fontFamily}}`),void 0!==t.altFontFamily&&(r+=`\n:root { --mermaid-alt-font-family: ${t.altFontFamily}}`),!(0,ot.Z)(e)){const n=t.htmlLabels||(null==(i=t.flowchart)?void 0:i.htmlLabels)?["> *","span"]:["rect","polygon","ellipse","circle","path"];for(const t in e){const i=e[t];(0,ot.Z)(i.styles)||n.forEach((t=>{r+=$n(i.id,t,i.styles)})),(0,ot.Z)(i.textStyles)||(r+=$n(i.id,"tspan",i.textStyles))}}return r})(t,i);return M(tt(`${r}{${pi(e,n,t.themeVariables)}}`),E)},Pn=(t,e,i,r,n)=>{const o=t.append("div");o.attr("id",i),r&&o.attr("style",r);const a=o.append("svg").attr("id",e).attr("width","100%").attr("xmlns","http://www.w3.org/2000/svg");return n&&a.attr("xmlns:xlink",n),a.append("g"),t};function Rn(t,e){return t.append("iframe").attr("id",e).attr("style","width: 100%; height: 100%;").attr("sandbox","")}const Hn=Object.freeze({render:async function(t,e,i){var r,n,o,l,c,h;Ji();const u=Dn(e);e=u.code;const d=Be();st.debug(d),e.length>((null==d?void 0:d.maxTextSize)??5e4)&&(e="graph TB;a[Maximum text size in diagram exceeded];style a fill:#faa");const f="#"+t,p="i"+t,g="#"+p,m="d"+t,y="#"+m;let x=(0,a.Ys)("body");const b="sandbox"===d.securityLevel,C="loose"===d.securityLevel,_=d.fontFamily;if(void 0!==i){if(i&&(i.innerHTML=""),b){const t=Rn((0,a.Ys)(i),p);x=(0,a.Ys)(t.nodes()[0].contentDocument.body),x.node().style.margin=0}else x=(0,a.Ys)(i);Pn(x,t,m,`font-family: ${_}`,"http://www.w3.org/1999/xlink")}else{if(((t,e,i,r)=>{var n,o,a;null==(n=t.getElementById(e))||n.remove(),null==(o=t.getElementById(i))||o.remove(),null==(a=t.getElementById(r))||a.remove()})(document,t,m,p),b){const t=Rn((0,a.Ys)("body"),p);x=(0,a.Ys)(t.nodes()[0].contentDocument.body),x.node().style.margin=0}else x=(0,a.Ys)("body");Pn(x,t,m)}let v,k;e=function(t){let e=t;return e=e.replace(/style.*:\S*#.*;/g,(function(t){return t.substring(0,t.length-1)})),e=e.replace(/classDef.*:\S*#.*;/g,(function(t){return t.substring(0,t.length-1)})),e=e.replace(/#\w+;/g,(function(t){const e=t.substring(1,t.length-1);return/^\+?\d+$/.test(e)?"\ufb02\xb0\xb0"+e+"\xb6\xdf":"\ufb02\xb0"+e+"\xb6\xdf"})),e}(e);try{v=await Ki(e,{title:u.title})}catch(j){v=new Qi("error"),k=j}const T=x.select(y).node(),w=v.type,S=T.firstChild,B=S.firstChild,F=null==(n=(r=v.renderer).getClasses)?void 0:n.call(r,e,v),L=zn(d,w,F,f),A=document.createElement("style");A.innerHTML=L,S.insertBefore(A,B);try{await v.renderer.draw(e,t,xe,v)}catch(Z){throw $i.draw(e,t,xe),Z}!function(t,e,i,r){(function(t,e){t.attr("role",ir),""!==e&&t.attr("aria-roledescription",e)})(e,t),function(t,e,i,r){if(void 0!==t.insert){if(i){const e=`chart-desc-${r}`;t.attr("aria-describedby",e),t.insert("desc",":first-child").attr("id",e).text(i)}if(e){const i=`chart-title-${r}`;t.attr("aria-labelledby",i),t.insert("title",":first-child").attr("id",i).text(e)}}}(e,i,r,e.attr("id"))}(w,x.select(`${y} svg`),null==(l=(o=v.db).getAccTitle)?void 0:l.call(o),null==(h=(c=v.db).getAccDescription)?void 0:h.call(c)),x.select(`[id="${t}"]`).selectAll("foreignobject > *").attr("xmlns","http://www.w3.org/1999/xhtml");let M=x.select(y).node().innerHTML;if(st.debug("config.arrowMarkerAbsolute",d.arrowMarkerAbsolute),M=((t="",e,i)=>{let r=t;return i||e||(r=r.replace(/marker-end="url\([\d+./:=?A-Za-z-]*?#/g,'marker-end="url(#')),r=qn(r),r=r.replace(/<br>/g,"<br/>"),r})(M,b,mt(d.arrowMarkerAbsolute)),b){M=((t="",e)=>{var i,r;return`<iframe style="width:100%;height:${(null==(r=null==(i=null==e?void 0:e.viewBox)?void 0:i.baseVal)?void 0:r.height)?e.viewBox.baseVal.height+"px":"100%"};border:0;margin:0;" src="data:text/html;base64,${btoa('<body style="margin:0">'+t+"</body>")}" sandbox="allow-top-navigation-by-user-activation allow-popups">\n The "iframe" tag is not supported by your browser.\n</iframe>`})(M,x.select(y+" svg").node())}else C||(M=s.sanitize(M,{ADD_TAGS:In,ADD_ATTR:On}));if(tr.forEach((t=>{t()})),tr=[],k)throw k;const E=b?g:y,N=(0,a.Ys)(E).node();return N&&"remove"in N&&N.remove(),{svg:M,bindFunctions:v.db.bindFunctions}},parse:async function(t,e){Ji(),t=Dn(t).code;try{await Ki(t)}catch(i){if(null==e?void 0:e.suppressErrors)return!1;throw i}return!0},getDiagramFromText:Ki,initialize:function(t={}){var e;(null==t?void 0:t.fontFamily)&&!(null==(e=t.themeVariables)?void 0:e.fontFamily)&&(t.themeVariables||(t.themeVariables={}),t.themeVariables.fontFamily=t.fontFamily),Ce=Vt({},t),(null==t?void 0:t.theme)&&t.theme in Mt?t.themeVariables=Mt[t.theme].getThemeVariables(t.themeVariables):t&&(t.themeVariables=Mt.default.getThemeVariables(t.themeVariables));const i="object"==typeof t?(t=>(_e=Vt({},be),_e=Vt(_e,t),t.theme&&Mt[t.theme]&&(_e.themeVariables=Mt[t.theme].getThemeVariables(t.themeVariables)),Te(_e,ve),_e))(t):we();lt(i.logLevel),Ji()},getConfig:Be,setConfig:Se,getSiteConfig:we,updateSiteConfig:t=>(_e=Vt(_e,t),Te(_e,ve),_e),reset:()=>{Ae()},globalReset:()=>{Ae(be)},defaultConfig:be});lt(Be().logLevel),Ae(Be());const Wn=(t,e,i)=>{st.warn(t),pe(t)?(i&&i(t.str,t.hash),e.push({...t,message:t.str,error:t})):(i&&i(t),t instanceof Error&&e.push({str:t.message,message:t.message,hash:t.name,error:t}))},Un=async function(t={querySelector:".mermaid"}){try{await Yn(t)}catch(e){if(pe(e)&&st.error(e.str),to.parseError&&to.parseError(e),!t.suppressErrors)throw st.error("Use the suppressErrors option to suppress these errors"),e}},Yn=async function({postRenderCallback:t,querySelector:e,nodes:i}={querySelector:".mermaid"}){const n=Hn.getConfig();let o;if(st.debug((t?"":"No ")+"Callback function found"),i)o=i;else{if(!e)throw new Error("Nodes and querySelector are both undefined");o=document.querySelectorAll(e)}st.debug(`Found ${o.length} diagrams`),void 0!==(null==n?void 0:n.startOnLoad)&&(st.debug("Start On Load: "+(null==n?void 0:n.startOnLoad)),Hn.updateSiteConfig({startOnLoad:null==n?void 0:n.startOnLoad}));const a=new ye.InitIDGenerator(n.deterministicIds,n.deterministicIDSeed);let s;const l=[];for(const h of Array.from(o)){if(st.info("Rendering diagram: "+h.id),h.getAttribute("data-processed"))continue;h.setAttribute("data-processed","true");const e=`mermaid-${a.next()}`;s=h.innerHTML,s=(0,r.Z)(ye.entityDecode(s)).trim().replace(/<br\s*\/?>/gi,"<br/>");const i=ye.detectInit(s);i&&st.debug("Detected early reinit: ",i);try{const{svg:i,bindFunctions:r}=await Kn(e,s,h);h.innerHTML=i,t&&await t(e),r&&r(h)}catch(c){Wn(c,l,to.parseError)}}if(l.length>0)throw l[0]},Vn=function(t){Hn.initialize(t)},Gn=function(){if(to.startOnLoad){const{startOnLoad:t}=Hn.getConfig();t&&to.run().catch((t=>st.error("Mermaid failed to initialize",t)))}};"undefined"!=typeof document&&window.addEventListener("load",Gn,!1);const Xn=[];let Jn=!1;const Qn=async()=>{if(!Jn){for(Jn=!0;Xn.length>0;){const e=Xn.shift();if(e)try{await e()}catch(t){st.error("Error executing queue",t)}}Jn=!1}},Kn=(t,e,i)=>new Promise(((r,n)=>{Xn.push((()=>new Promise(((o,a)=>{Hn.render(t,e,i).then((t=>{o(t),r(t)}),(t=>{var e;st.error("Error parsing",t),null==(e=to.parseError)||e.call(to,t),a(t),n(t)}))})))),Qn().catch(n)})),to={startOnLoad:!0,mermaidAPI:Hn,parse:async(t,e)=>new Promise(((i,r)=>{Xn.push((()=>new Promise(((n,o)=>{Hn.parse(t,e).then((t=>{n(t),i(t)}),(t=>{var e;st.error("Error parsing",t),null==(e=to.parseError)||e.call(to,t),o(t),r(t)}))})))),Qn().catch(r)})),render:Kn,init:async function(t,e,i){st.warn("mermaid.init is deprecated. Please use run instead."),t&&Vn(t);const r={postRenderCallback:i,querySelector:".mermaid"};"string"==typeof e?r.querySelector=e:e&&(e instanceof HTMLElement?r.nodes=[e]:r.nodes=e),await Un(r)},run:Un,registerExternalDiagrams:async(t,{lazyLoad:e=!0}={})=>{Wt(...t),!1===e&&await(async()=>{st.debug("Loading registered diagrams");const t=(await Promise.allSettled(Object.entries(Rt).map((async([t,{detector:e,loader:i}])=>{if(i)try{Ii(t)}catch(r){try{const{diagram:t,id:r}=await i();Zi(r,t,e)}catch(n){throw st.error(`Failed to load external diagram with key ${t}. Removing from detectors.`),delete Rt[t],n}}})))).filter((t=>"rejected"===t.status));if(t.length>0){st.error(`Failed to load ${t.length} external diagrams`);for(const e of t)st.error(e);throw new Error(`Failed to load ${t.length} external diagrams`)}})()},initialize:Vn,parseError:void 0,contentLoaded:Gn,setParseErrorHandler:function(t){to.parseError=t},detectType:Ht}}}]); \ No newline at end of file diff --git a/kr/assets/js/7837.55715d2b.js.LICENSE.txt b/kr/assets/js/7236.db30f9fd.js.LICENSE.txt similarity index 100% rename from kr/assets/js/7837.55715d2b.js.LICENSE.txt rename to kr/assets/js/7236.db30f9fd.js.LICENSE.txt diff --git a/assets/js/763.f91b6550.js b/kr/assets/js/763.ca021dac.js similarity index 99% rename from assets/js/763.f91b6550.js rename to kr/assets/js/763.ca021dac.js index 5e0ecc115..aa5eef673 100644 --- a/assets/js/763.f91b6550.js +++ b/kr/assets/js/763.ca021dac.js @@ -1898,7 +1898,7 @@ function preorder(g, vs) { } // EXTERNAL MODULE: ./node_modules/dagre-d3-es/src/graphlib/graph.js + 9 modules -var graph = __webpack_require__(2544); +var graph = __webpack_require__(4404); ;// CONCATENATED MODULE: ./node_modules/dagre-d3-es/src/graphlib/alg/prim.js @@ -4461,7 +4461,7 @@ function canonicalize(attrs) { /***/ }), -/***/ 2544: +/***/ 4404: /***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => { @@ -5274,7 +5274,7 @@ function edgeObjToId(isDirected, edgeObj) { /* harmony export */ k: () => (/* reexport safe */ _graph_js__WEBPACK_IMPORTED_MODULE_0__.k) /* harmony export */ }); /* unused harmony export version */ -/* harmony import */ var _graph_js__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(2544); +/* harmony import */ var _graph_js__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(4404); // Includes only the "core" of graphlib @@ -5342,7 +5342,7 @@ function clone(value) { // EXTERNAL MODULE: ./node_modules/lodash-es/map.js var map = __webpack_require__(3836); // EXTERNAL MODULE: ./node_modules/dagre-d3-es/src/graphlib/graph.js + 9 modules -var graph = __webpack_require__(2544); +var graph = __webpack_require__(4404); ;// CONCATENATED MODULE: ./node_modules/dagre-d3-es/src/graphlib/json.js diff --git a/kr/assets/js/7837.55715d2b.js b/kr/assets/js/7837.55715d2b.js deleted file mode 100644 index 3fad918cf..000000000 --- a/kr/assets/js/7837.55715d2b.js +++ /dev/null @@ -1,2 +0,0 @@ -/*! For license information please see 7837.55715d2b.js.LICENSE.txt */ -(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7837],{7967:(t,e)=>{"use strict";e.Nm=e.Rq=void 0;var i=/^([^\w]*)(javascript|data|vbscript)/im,r=/&#(\w+)(^\w|;)?/g,n=/&(newline|tab);/gi,o=/[\u0000-\u001F\u007F-\u009F\u2000-\u200D\uFEFF]/gim,a=/^.+(:|:)/gim,s=[".","/"];e.Rq="about:blank",e.Nm=function(t){if(!t)return e.Rq;var l,c=(l=t,l.replace(o,"").replace(r,(function(t,e){return String.fromCharCode(e)}))).replace(n,"").replace(o,"").trim();if(!c)return e.Rq;if(function(t){return s.indexOf(t[0])>-1}(c))return c;var h=c.match(a);if(!h)return c;var u=h[0];return i.test(u)?e.Rq:c}},9047:(t,e,i)=>{"use strict";i.d(e,{Z:()=>L});var r=i(7294),n=i(5893);function o(t){const{mdxAdmonitionTitle:e,rest:i}=function(t){const e=r.Children.toArray(t),i=e.find((t=>r.isValidElement(t)&&"mdxAdmonitionTitle"===t.type)),o=e.filter((t=>t!==i)),a=i?.props.children;return{mdxAdmonitionTitle:a,rest:o.length>0?(0,n.jsx)(n.Fragment,{children:o}):null}}(t.children),o=t.title??e;return{...t,...o&&{title:o},children:i}}var a=i(512),s=i(5999),l=i(5281);const c={admonition:"admonition_xJq3",admonitionHeading:"admonitionHeading_Gvgb",admonitionIcon:"admonitionIcon_Rf37",admonitionContent:"admonitionContent_BuS1"};function h(t){let{type:e,className:i,children:r}=t;return(0,n.jsx)("div",{className:(0,a.Z)(l.k.common.admonition,l.k.common.admonitionType(e),c.admonition,i),children:r})}function u(t){let{icon:e,title:i}=t;return(0,n.jsxs)("div",{className:c.admonitionHeading,children:[(0,n.jsx)("span",{className:c.admonitionIcon,children:e}),i]})}function d(t){let{children:e}=t;return e?(0,n.jsx)("div",{className:c.admonitionContent,children:e}):null}function f(t){const{type:e,icon:i,title:r,children:o,className:a}=t;return(0,n.jsxs)(h,{type:e,className:a,children:[r||i?(0,n.jsx)(u,{title:r,icon:i}):null,(0,n.jsx)(d,{children:o})]})}function p(t){return(0,n.jsx)("svg",{viewBox:"0 0 14 16",...t,children:(0,n.jsx)("path",{fillRule:"evenodd",d:"M6.3 5.69a.942.942 0 0 1-.28-.7c0-.28.09-.52.28-.7.19-.18.42-.28.7-.28.28 0 .52.09.7.28.18.19.28.42.28.7 0 .28-.09.52-.28.7a1 1 0 0 1-.7.3c-.28 0-.52-.11-.7-.3zM8 7.99c-.02-.25-.11-.48-.31-.69-.2-.19-.42-.3-.69-.31H6c-.27.02-.48.13-.69.31-.2.2-.3.44-.31.69h1v3c.02.27.11.5.31.69.2.2.42.31.69.31h1c.27 0 .48-.11.69-.31.2-.19.3-.42.31-.69H8V7.98v.01zM7 2.3c-3.14 0-5.7 2.54-5.7 5.68 0 3.14 2.56 5.7 5.7 5.7s5.7-2.55 5.7-5.7c0-3.15-2.56-5.69-5.7-5.69v.01zM7 .98c3.86 0 7 3.14 7 7s-3.14 7-7 7-7-3.12-7-7 3.14-7 7-7z"})})}const g={icon:(0,n.jsx)(p,{}),title:(0,n.jsx)(s.Z,{id:"theme.admonition.note",description:"The default label used for the Note admonition (:::note)",children:"note"})};function m(t){return(0,n.jsx)(f,{...g,...t,className:(0,a.Z)("alert alert--secondary",t.className),children:t.children})}function y(t){return(0,n.jsx)("svg",{viewBox:"0 0 12 16",...t,children:(0,n.jsx)("path",{fillRule:"evenodd",d:"M6.5 0C3.48 0 1 2.19 1 5c0 .92.55 2.25 1 3 1.34 2.25 1.78 2.78 2 4v1h5v-1c.22-1.22.66-1.75 2-4 .45-.75 1-2.08 1-3 0-2.81-2.48-5-5.5-5zm3.64 7.48c-.25.44-.47.8-.67 1.11-.86 1.41-1.25 2.06-1.45 3.23-.02.05-.02.11-.02.17H5c0-.06 0-.13-.02-.17-.2-1.17-.59-1.83-1.45-3.23-.2-.31-.42-.67-.67-1.11C2.44 6.78 2 5.65 2 5c0-2.2 2.02-4 4.5-4 1.22 0 2.36.42 3.22 1.19C10.55 2.94 11 3.94 11 5c0 .66-.44 1.78-.86 2.48zM4 14h5c-.23 1.14-1.3 2-2.5 2s-2.27-.86-2.5-2z"})})}const x={icon:(0,n.jsx)(y,{}),title:(0,n.jsx)(s.Z,{id:"theme.admonition.tip",description:"The default label used for the Tip admonition (:::tip)",children:"tip"})};function b(t){return(0,n.jsx)(f,{...x,...t,className:(0,a.Z)("alert alert--success",t.className),children:t.children})}function C(t){return(0,n.jsx)("svg",{viewBox:"0 0 14 16",...t,children:(0,n.jsx)("path",{fillRule:"evenodd",d:"M7 2.3c3.14 0 5.7 2.56 5.7 5.7s-2.56 5.7-5.7 5.7A5.71 5.71 0 0 1 1.3 8c0-3.14 2.56-5.7 5.7-5.7zM7 1C3.14 1 0 4.14 0 8s3.14 7 7 7 7-3.14 7-7-3.14-7-7-7zm1 3H6v5h2V4zm0 6H6v2h2v-2z"})})}const _={icon:(0,n.jsx)(C,{}),title:(0,n.jsx)(s.Z,{id:"theme.admonition.info",description:"The default label used for the Info admonition (:::info)",children:"info"})};function v(t){return(0,n.jsx)(f,{..._,...t,className:(0,a.Z)("alert alert--info",t.className),children:t.children})}function k(t){return(0,n.jsx)("svg",{viewBox:"0 0 16 16",...t,children:(0,n.jsx)("path",{fillRule:"evenodd",d:"M8.893 1.5c-.183-.31-.52-.5-.887-.5s-.703.19-.886.5L.138 13.499a.98.98 0 0 0 0 1.001c.193.31.53.501.886.501h13.964c.367 0 .704-.19.877-.5a1.03 1.03 0 0 0 .01-1.002L8.893 1.5zm.133 11.497H6.987v-2.003h2.039v2.003zm0-3.004H6.987V5.987h2.039v4.006z"})})}const T={icon:(0,n.jsx)(k,{}),title:(0,n.jsx)(s.Z,{id:"theme.admonition.warning",description:"The default label used for the Warning admonition (:::warning)",children:"warning"})};function w(t){return(0,n.jsx)("svg",{viewBox:"0 0 12 16",...t,children:(0,n.jsx)("path",{fillRule:"evenodd",d:"M5.05.31c.81 2.17.41 3.38-.52 4.31C3.55 5.67 1.98 6.45.9 7.98c-1.45 2.05-1.7 6.53 3.53 7.7-2.2-1.16-2.67-4.52-.3-6.61-.61 2.03.53 3.33 1.94 2.86 1.39-.47 2.3.53 2.27 1.67-.02.78-.31 1.44-1.13 1.81 3.42-.59 4.78-3.42 4.78-5.56 0-2.84-2.53-3.22-1.25-5.61-1.52.13-2.03 1.13-1.89 2.75.09 1.08-1.02 1.8-1.86 1.33-.67-.41-.66-1.19-.06-1.78C8.18 5.31 8.68 2.45 5.05.32L5.03.3l.02.01z"})})}const S={icon:(0,n.jsx)(w,{}),title:(0,n.jsx)(s.Z,{id:"theme.admonition.danger",description:"The default label used for the Danger admonition (:::danger)",children:"danger"})};const B={icon:(0,n.jsx)(k,{}),title:(0,n.jsx)(s.Z,{id:"theme.admonition.caution",description:"The default label used for the Caution admonition (:::caution)",children:"caution"})};const F={...{note:m,tip:b,info:v,warning:function(t){return(0,n.jsx)(f,{...T,...t,className:(0,a.Z)("alert alert--warning",t.className),children:t.children})},danger:function(t){return(0,n.jsx)(f,{...S,...t,className:(0,a.Z)("alert alert--danger",t.className),children:t.children})}},...{secondary:t=>(0,n.jsx)(m,{title:"secondary",...t}),important:t=>(0,n.jsx)(v,{title:"important",...t}),success:t=>(0,n.jsx)(b,{title:"success",...t}),caution:function(t){return(0,n.jsx)(f,{...B,...t,className:(0,a.Z)("alert alert--warning",t.className),children:t.children})}}};function L(t){const e=o(t),i=(r=e.type,F[r]||(console.warn(`No admonition component found for admonition type "${r}". Using Info as fallback.`),F.info));var r;return(0,n.jsx)(i,{...e})}},9666:(t,e,i)=>{"use strict";i.r(e),i.d(e,{default:()=>jt});var r=i(7294),n=i(1944),o=i(902),a=i(5893);const s=r.createContext(null);function l(t){let{children:e,content:i}=t;const n=function(t){return(0,r.useMemo)((()=>({metadata:t.metadata,frontMatter:t.frontMatter,assets:t.assets,contentTitle:t.contentTitle,toc:t.toc})),[t])}(i);return(0,a.jsx)(s.Provider,{value:n,children:e})}function c(){const t=(0,r.useContext)(s);if(null===t)throw new o.i6("DocProvider");return t}function h(){const{metadata:t,frontMatter:e,assets:i}=c();return(0,a.jsx)(n.d,{title:t.title,description:t.description,keywords:e.keywords,image:i.image??e.image})}var u=i(512),d=i(7524),f=i(5999),p=i(3692);function g(t){const{permalink:e,title:i,subLabel:r,isNext:n}=t;return(0,a.jsxs)(p.Z,{className:(0,u.Z)("pagination-nav__link",n?"pagination-nav__link--next":"pagination-nav__link--prev"),to:e,children:[r&&(0,a.jsx)("div",{className:"pagination-nav__sublabel",children:r}),(0,a.jsx)("div",{className:"pagination-nav__label",children:i})]})}function m(t){const{previous:e,next:i}=t;return(0,a.jsxs)("nav",{className:"pagination-nav docusaurus-mt-lg","aria-label":(0,f.I)({id:"theme.docs.paginator.navAriaLabel",message:"Docs pages",description:"The ARIA label for the docs pagination"}),children:[e&&(0,a.jsx)(g,{...e,subLabel:(0,a.jsx)(f.Z,{id:"theme.docs.paginator.previous",description:"The label used to navigate to the previous doc",children:"Previous"})}),i&&(0,a.jsx)(g,{...i,subLabel:(0,a.jsx)(f.Z,{id:"theme.docs.paginator.next",description:"The label used to navigate to the next doc",children:"Next"}),isNext:!0})]})}function y(){const{metadata:t}=c();return(0,a.jsx)(m,{previous:t.previous,next:t.next})}var x=i(2263),b=i(143),C=i(5281),_=i(373),v=i(4477);const k={unreleased:function(t){let{siteTitle:e,versionMetadata:i}=t;return(0,a.jsx)(f.Z,{id:"theme.docs.versions.unreleasedVersionLabel",description:"The label used to tell the user that he's browsing an unreleased doc version",values:{siteTitle:e,versionLabel:(0,a.jsx)("b",{children:i.label})},children:"This is unreleased documentation for {siteTitle} {versionLabel} version."})},unmaintained:function(t){let{siteTitle:e,versionMetadata:i}=t;return(0,a.jsx)(f.Z,{id:"theme.docs.versions.unmaintainedVersionLabel",description:"The label used to tell the user that he's browsing an unmaintained doc version",values:{siteTitle:e,versionLabel:(0,a.jsx)("b",{children:i.label})},children:"This is documentation for {siteTitle} {versionLabel}, which is no longer actively maintained."})}};function T(t){const e=k[t.versionMetadata.banner];return(0,a.jsx)(e,{...t})}function w(t){let{versionLabel:e,to:i,onClick:r}=t;return(0,a.jsx)(f.Z,{id:"theme.docs.versions.latestVersionSuggestionLabel",description:"The label used to tell the user to check the latest version",values:{versionLabel:e,latestVersionLink:(0,a.jsx)("b",{children:(0,a.jsx)(p.Z,{to:i,onClick:r,children:(0,a.jsx)(f.Z,{id:"theme.docs.versions.latestVersionLinkLabel",description:"The label used for the latest version suggestion link label",children:"latest version"})})})},children:"For up-to-date documentation, see the {latestVersionLink} ({versionLabel})."})}function S(t){let{className:e,versionMetadata:i}=t;const{siteConfig:{title:r}}=(0,x.Z)(),{pluginId:n}=(0,b.gA)({failfast:!0}),{savePreferredVersionName:o}=(0,_.J)(n),{latestDocSuggestion:s,latestVersionSuggestion:l}=(0,b.Jo)(n),c=s??(h=l).docs.find((t=>t.id===h.mainDocId));var h;return(0,a.jsxs)("div",{className:(0,u.Z)(e,C.k.docs.docVersionBanner,"alert alert--warning margin-bottom--md"),role:"alert",children:[(0,a.jsx)("div",{children:(0,a.jsx)(T,{siteTitle:r,versionMetadata:i})}),(0,a.jsx)("div",{className:"margin-top--md",children:(0,a.jsx)(w,{versionLabel:l.label,to:c.path,onClick:()=>o(l.name)})})]})}function B(t){let{className:e}=t;const i=(0,v.E)();return i.banner?(0,a.jsx)(S,{className:e,versionMetadata:i}):null}function F(t){let{className:e}=t;const i=(0,v.E)();return i.badge?(0,a.jsx)("span",{className:(0,u.Z)(e,C.k.docs.docVersionBadge,"badge badge--secondary"),children:(0,a.jsx)(f.Z,{id:"theme.docs.versionBadge.label",values:{versionLabel:i.label},children:"Version: {versionLabel}"})}):null}const L={tag:"tag_zVej",tagRegular:"tagRegular_sFm0",tagWithCount:"tagWithCount_h2kH"};function A(t){let{permalink:e,label:i,count:r,description:n}=t;return(0,a.jsxs)(p.Z,{href:e,title:n,className:(0,u.Z)(L.tag,r?L.tagWithCount:L.tagRegular),children:[i,r&&(0,a.jsx)("span",{children:r})]})}const M={tags:"tags_jXut",tag:"tag_QGVx"};function E(t){let{tags:e}=t;return(0,a.jsxs)(a.Fragment,{children:[(0,a.jsx)("b",{children:(0,a.jsx)(f.Z,{id:"theme.tags.tagsListLabel",description:"The label alongside a tag list",children:"Tags:"})}),(0,a.jsx)("ul",{className:(0,u.Z)(M.tags,"padding--none","margin-left--sm"),children:e.map((t=>(0,a.jsx)("li",{className:M.tag,children:(0,a.jsx)(A,{...t})},t.permalink)))})]})}const N={iconEdit:"iconEdit_Z9Sw"};function Z(t){let{className:e,...i}=t;return(0,a.jsx)("svg",{fill:"currentColor",height:"20",width:"20",viewBox:"0 0 40 40",className:(0,u.Z)(N.iconEdit,e),"aria-hidden":"true",...i,children:(0,a.jsx)("g",{children:(0,a.jsx)("path",{d:"m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"})})})}function j(t){let{editUrl:e}=t;return(0,a.jsxs)(p.Z,{to:e,className:C.k.common.editThisPage,children:[(0,a.jsx)(Z,{}),(0,a.jsx)(f.Z,{id:"theme.common.editThisPage",description:"The link label to edit the current page",children:"Edit this page"})]})}function I(t){void 0===t&&(t={});const{i18n:{currentLocale:e}}=(0,x.Z)(),i=function(){const{i18n:{currentLocale:t,localeConfigs:e}}=(0,x.Z)();return e[t].calendar}();return new Intl.DateTimeFormat(e,{calendar:i,...t})}function O(t){let{lastUpdatedAt:e}=t;const i=new Date(e),r=I({day:"numeric",month:"short",year:"numeric",timeZone:"UTC"}).format(i);return(0,a.jsx)(f.Z,{id:"theme.lastUpdated.atDate",description:"The words used to describe on which date a page has been last updated",values:{date:(0,a.jsx)("b",{children:(0,a.jsx)("time",{dateTime:i.toISOString(),itemProp:"dateModified",children:r})})},children:" on {date}"})}function D(t){let{lastUpdatedBy:e}=t;return(0,a.jsx)(f.Z,{id:"theme.lastUpdated.byUser",description:"The words used to describe by who the page has been last updated",values:{user:(0,a.jsx)("b",{children:e})},children:" by {user}"})}function q(t){let{lastUpdatedAt:e,lastUpdatedBy:i}=t;return(0,a.jsxs)("span",{className:C.k.common.lastUpdated,children:[(0,a.jsx)(f.Z,{id:"theme.lastUpdated.lastUpdatedAtBy",description:"The sentence used to display when a page has been last updated, and by who",values:{atDate:e?(0,a.jsx)(O,{lastUpdatedAt:e}):"",byUser:i?(0,a.jsx)(D,{lastUpdatedBy:i}):""},children:"Last updated{atDate}{byUser}"}),!1]})}const $={lastUpdated:"lastUpdated_JAkA"};function z(t){let{className:e,editUrl:i,lastUpdatedAt:r,lastUpdatedBy:n}=t;return(0,a.jsxs)("div",{className:(0,u.Z)("row",e),children:[(0,a.jsx)("div",{className:"col",children:i&&(0,a.jsx)(j,{editUrl:i})}),(0,a.jsx)("div",{className:(0,u.Z)("col",$.lastUpdated),children:(r||n)&&(0,a.jsx)(q,{lastUpdatedAt:r,lastUpdatedBy:n})})]})}function P(){const{metadata:t}=c(),{editUrl:e,lastUpdatedAt:i,lastUpdatedBy:r,tags:n}=t,o=n.length>0,s=!!(e||i||r);return o||s?(0,a.jsxs)("footer",{className:(0,u.Z)(C.k.docs.docFooter,"docusaurus-mt-lg"),children:[o&&(0,a.jsx)("div",{className:(0,u.Z)("row margin-top--sm",C.k.docs.docFooterTagsRow),children:(0,a.jsx)("div",{className:"col",children:(0,a.jsx)(E,{tags:n})})}),s&&(0,a.jsx)(z,{className:(0,u.Z)("margin-top--sm",C.k.docs.docFooterEditMetaRow),editUrl:e,lastUpdatedAt:i,lastUpdatedBy:r})]}):null}var R=i(6043),H=i(6668);function W(t){const e=t.map((t=>({...t,parentIndex:-1,children:[]}))),i=Array(7).fill(-1);e.forEach(((t,e)=>{const r=i.slice(2,t.level);t.parentIndex=Math.max(...r),i[t.level]=e}));const r=[];return e.forEach((t=>{const{parentIndex:i,...n}=t;i>=0?e[i].children.push(n):r.push(n)})),r}function U(t){let{toc:e,minHeadingLevel:i,maxHeadingLevel:r}=t;return e.flatMap((t=>{const e=U({toc:t.children,minHeadingLevel:i,maxHeadingLevel:r});return function(t){return t.level>=i&&t.level<=r}(t)?[{...t,children:e}]:e}))}function Y(t){const e=t.getBoundingClientRect();return e.top===e.bottom?Y(t.parentNode):e}function V(t,e){let{anchorTopOffset:i}=e;const r=t.find((t=>Y(t).top>=i));if(r){return function(t){return t.top>0&&t.bottom<window.innerHeight/2}(Y(r))?r:t[t.indexOf(r)-1]??null}return t[t.length-1]??null}function G(){const t=(0,r.useRef)(0),{navbar:{hideOnScroll:e}}=(0,H.L)();return(0,r.useEffect)((()=>{t.current=e?0:document.querySelector(".navbar").clientHeight}),[e]),t}function X(t){const e=(0,r.useRef)(void 0),i=G();(0,r.useEffect)((()=>{if(!t)return()=>{};const{linkClassName:r,linkActiveClassName:n,minHeadingLevel:o,maxHeadingLevel:a}=t;function s(){const t=function(t){return Array.from(document.getElementsByClassName(t))}(r),s=function(t){let{minHeadingLevel:e,maxHeadingLevel:i}=t;const r=[];for(let n=e;n<=i;n+=1)r.push(`h${n}.anchor`);return Array.from(document.querySelectorAll(r.join()))}({minHeadingLevel:o,maxHeadingLevel:a}),l=V(s,{anchorTopOffset:i.current}),c=t.find((t=>l&&l.id===function(t){return decodeURIComponent(t.href.substring(t.href.indexOf("#")+1))}(t)));t.forEach((t=>{!function(t,i){i?(e.current&&e.current!==t&&e.current.classList.remove(n),t.classList.add(n),e.current=t):t.classList.remove(n)}(t,t===c)}))}return document.addEventListener("scroll",s),document.addEventListener("resize",s),s(),()=>{document.removeEventListener("scroll",s),document.removeEventListener("resize",s)}}),[t,i])}function J(t){let{toc:e,className:i,linkClassName:r,isChild:n}=t;return e.length?(0,a.jsx)("ul",{className:n?void 0:i,children:e.map((t=>(0,a.jsxs)("li",{children:[(0,a.jsx)(p.Z,{to:`#${t.id}`,className:r??void 0,dangerouslySetInnerHTML:{__html:t.value}}),(0,a.jsx)(J,{isChild:!0,toc:t.children,className:i,linkClassName:r})]},t.id)))}):null}const Q=r.memo(J);function K(t){let{toc:e,className:i="table-of-contents table-of-contents__left-border",linkClassName:n="table-of-contents__link",linkActiveClassName:o,minHeadingLevel:s,maxHeadingLevel:l,...c}=t;const h=(0,H.L)(),u=s??h.tableOfContents.minHeadingLevel,d=l??h.tableOfContents.maxHeadingLevel,f=function(t){let{toc:e,minHeadingLevel:i,maxHeadingLevel:n}=t;return(0,r.useMemo)((()=>U({toc:W(e),minHeadingLevel:i,maxHeadingLevel:n})),[e,i,n])}({toc:e,minHeadingLevel:u,maxHeadingLevel:d});return X((0,r.useMemo)((()=>{if(n&&o)return{linkClassName:n,linkActiveClassName:o,minHeadingLevel:u,maxHeadingLevel:d}}),[n,o,u,d])),(0,a.jsx)(Q,{toc:f,className:i,linkClassName:n,...c})}const tt={tocCollapsibleButton:"tocCollapsibleButton_TO0P",tocCollapsibleButtonExpanded:"tocCollapsibleButtonExpanded_MG3E"};function et(t){let{collapsed:e,...i}=t;return(0,a.jsx)("button",{type:"button",...i,className:(0,u.Z)("clean-btn",tt.tocCollapsibleButton,!e&&tt.tocCollapsibleButtonExpanded,i.className),children:(0,a.jsx)(f.Z,{id:"theme.TOCCollapsible.toggleButtonLabel",description:"The label used by the button on the collapsible TOC component",children:"On this page"})})}const it={tocCollapsible:"tocCollapsible_ETCw",tocCollapsibleContent:"tocCollapsibleContent_vkbj",tocCollapsibleExpanded:"tocCollapsibleExpanded_sAul"};function rt(t){let{toc:e,className:i,minHeadingLevel:r,maxHeadingLevel:n}=t;const{collapsed:o,toggleCollapsed:s}=(0,R.u)({initialState:!0});return(0,a.jsxs)("div",{className:(0,u.Z)(it.tocCollapsible,!o&&it.tocCollapsibleExpanded,i),children:[(0,a.jsx)(et,{collapsed:o,onClick:s}),(0,a.jsx)(R.z,{lazy:!0,className:it.tocCollapsibleContent,collapsed:o,children:(0,a.jsx)(K,{toc:e,minHeadingLevel:r,maxHeadingLevel:n})})]})}const nt={tocMobile:"tocMobile_ITEo"};function ot(){const{toc:t,frontMatter:e}=c();return(0,a.jsx)(rt,{toc:t,minHeadingLevel:e.toc_min_heading_level,maxHeadingLevel:e.toc_max_heading_level,className:(0,u.Z)(C.k.docs.docTocMobile,nt.tocMobile)})}const at={tableOfContents:"tableOfContents_bqdL",docItemContainer:"docItemContainer_F8PC"},st="table-of-contents__link toc-highlight",lt="table-of-contents__link--active";function ct(t){let{className:e,...i}=t;return(0,a.jsx)("div",{className:(0,u.Z)(at.tableOfContents,"thin-scrollbar",e),children:(0,a.jsx)(K,{...i,linkClassName:st,linkActiveClassName:lt})})}function ht(){const{toc:t,frontMatter:e}=c();return(0,a.jsx)(ct,{toc:t,minHeadingLevel:e.toc_min_heading_level,maxHeadingLevel:e.toc_max_heading_level,className:C.k.docs.docTocDesktop})}var ut=i(2503),dt=i(1151),ft=i(1769);function pt(t){let{children:e}=t;return(0,a.jsx)(dt.Z,{components:ft.Z,children:e})}function gt(t){let{children:e}=t;const i=function(){const{metadata:t,frontMatter:e,contentTitle:i}=c();return e.hide_title||void 0!==i?null:t.title}();return(0,a.jsxs)("div",{className:(0,u.Z)(C.k.docs.docMarkdown,"markdown"),children:[i&&(0,a.jsx)("header",{children:(0,a.jsx)(ut.Z,{as:"h1",children:i})}),(0,a.jsx)(pt,{children:e})]})}var mt=i(3438),yt=i(8596),xt=i(4996);function bt(t){return(0,a.jsx)("svg",{viewBox:"0 0 24 24",...t,children:(0,a.jsx)("path",{d:"M10 19v-5h4v5c0 .55.45 1 1 1h3c.55 0 1-.45 1-1v-7h1.7c.46 0 .68-.57.33-.87L12.67 3.6c-.38-.34-.96-.34-1.34 0l-8.36 7.53c-.34.3-.13.87.33.87H5v7c0 .55.45 1 1 1h3c.55 0 1-.45 1-1z",fill:"currentColor"})})}const Ct={breadcrumbHomeIcon:"breadcrumbHomeIcon_YNFT"};function _t(){const t=(0,xt.ZP)("/");return(0,a.jsx)("li",{className:"breadcrumbs__item",children:(0,a.jsx)(p.Z,{"aria-label":(0,f.I)({id:"theme.docs.breadcrumbs.home",message:"Home page",description:"The ARIA label for the home page in the breadcrumbs"}),className:"breadcrumbs__link",href:t,children:(0,a.jsx)(bt,{className:Ct.breadcrumbHomeIcon})})})}const vt={breadcrumbsContainer:"breadcrumbsContainer_Z_bl"};function kt(t){let{children:e,href:i,isLast:r}=t;const n="breadcrumbs__link";return r?(0,a.jsx)("span",{className:n,itemProp:"name",children:e}):i?(0,a.jsx)(p.Z,{className:n,href:i,itemProp:"item",children:(0,a.jsx)("span",{itemProp:"name",children:e})}):(0,a.jsx)("span",{className:n,children:e})}function Tt(t){let{children:e,active:i,index:r,addMicrodata:n}=t;return(0,a.jsxs)("li",{...n&&{itemScope:!0,itemProp:"itemListElement",itemType:"https://schema.org/ListItem"},className:(0,u.Z)("breadcrumbs__item",{"breadcrumbs__item--active":i}),children:[e,(0,a.jsx)("meta",{itemProp:"position",content:String(r+1)})]})}function wt(){const t=(0,mt.s1)(),e=(0,yt.Ns)();return t?(0,a.jsx)("nav",{className:(0,u.Z)(C.k.docs.docBreadcrumbs,vt.breadcrumbsContainer),"aria-label":(0,f.I)({id:"theme.docs.breadcrumbs.navAriaLabel",message:"Breadcrumbs",description:"The ARIA label for the breadcrumbs"}),children:(0,a.jsxs)("ul",{className:"breadcrumbs",itemScope:!0,itemType:"https://schema.org/BreadcrumbList",children:[e&&(0,a.jsx)(_t,{}),t.map(((e,i)=>{const r=i===t.length-1,n="category"===e.type&&e.linkUnlisted?void 0:e.href;return(0,a.jsx)(Tt,{active:r,index:i,addMicrodata:!!n,children:(0,a.jsx)(kt,{href:n,isLast:r,children:e.label})},i)}))]})}):null}var St=i(5742);function Bt(){return(0,a.jsx)(f.Z,{id:"theme.unlistedContent.title",description:"The unlisted content banner title",children:"Unlisted page"})}function Ft(){return(0,a.jsx)(f.Z,{id:"theme.unlistedContent.message",description:"The unlisted content banner message",children:"This page is unlisted. Search engines will not index it, and only users having a direct link can access it."})}function Lt(){return(0,a.jsx)(St.Z,{children:(0,a.jsx)("meta",{name:"robots",content:"noindex, nofollow"})})}var At=i(9047);function Mt(t){let{className:e}=t;return(0,a.jsx)(At.Z,{type:"caution",title:(0,a.jsx)(Bt,{}),className:(0,u.Z)(e,C.k.common.unlistedBanner),children:(0,a.jsx)(Ft,{})})}function Et(t){return(0,a.jsxs)(a.Fragment,{children:[(0,a.jsx)(Lt,{}),(0,a.jsx)(Mt,{...t})]})}const Nt={docItemContainer:"docItemContainer_Djhp",docItemCol:"docItemCol_VOVn"};function Zt(t){let{children:e}=t;const i=function(){const{frontMatter:t,toc:e}=c(),i=(0,d.i)(),r=t.hide_table_of_contents,n=!r&&e.length>0;return{hidden:r,mobile:n?(0,a.jsx)(ot,{}):void 0,desktop:!n||"desktop"!==i&&"ssr"!==i?void 0:(0,a.jsx)(ht,{})}}(),{metadata:{unlisted:r}}=c();return(0,a.jsxs)("div",{className:"row",children:[(0,a.jsxs)("div",{className:(0,u.Z)("col",!i.hidden&&Nt.docItemCol),children:[r&&(0,a.jsx)(Et,{}),(0,a.jsx)(B,{}),(0,a.jsxs)("div",{className:Nt.docItemContainer,children:[(0,a.jsxs)("article",{children:[(0,a.jsx)(wt,{}),(0,a.jsx)(F,{}),i.mobile,(0,a.jsx)(gt,{children:e}),(0,a.jsx)(P,{})]}),(0,a.jsx)(y,{})]})]}),i.desktop&&(0,a.jsx)("div",{className:"col col--3",children:i.desktop})]})}function jt(t){const e=`docs-doc-id-${t.content.metadata.id}`,i=t.content;return(0,a.jsx)(l,{content:t.content,children:(0,a.jsxs)(n.FG,{className:e,children:[(0,a.jsx)(h,{}),(0,a.jsx)(Zt,{children:(0,a.jsx)(i,{})})]})})}},4694:(t,e,i)=>{"use strict";i.d(e,{Z:()=>pt});var r=i(7294),n=i(5742),o=i(2389),a=i(512),s=i(2949),l=i(6668);function c(){const{prism:t}=(0,l.L)(),{colorMode:e}=(0,s.I)(),i=t.theme,r=t.darkTheme||i;return"dark"===e?r:i}var h=i(5281),u=i(7594),d=i.n(u);const f=/title=(?<quote>["'])(?<title>.*?)\1/,p=/\{(?<range>[\d,-]+)\}/,g={js:{start:"\\/\\/",end:""},jsBlock:{start:"\\/\\*",end:"\\*\\/"},jsx:{start:"\\{\\s*\\/\\*",end:"\\*\\/\\s*\\}"},bash:{start:"#",end:""},html:{start:"\x3c!--",end:"--\x3e"}},m={...g,lua:{start:"--",end:""},wasm:{start:"\\;\\;",end:""},tex:{start:"%",end:""},vb:{start:"['\u2018\u2019]",end:""},vbnet:{start:"(?:_\\s*)?['\u2018\u2019]",end:""},rem:{start:"[Rr][Ee][Mm]\\b",end:""},f90:{start:"!",end:""},ml:{start:"\\(\\*",end:"\\*\\)"},cobol:{start:"\\*>",end:""}},y=Object.keys(g);function x(t,e){const i=t.map((t=>{const{start:i,end:r}=m[t];return`(?:${i}\\s*(${e.flatMap((t=>[t.line,t.block?.start,t.block?.end].filter(Boolean))).join("|")})\\s*${r})`})).join("|");return new RegExp(`^\\s*(?:${i})\\s*$`)}function b(t,e){let i=t.replace(/\n$/,"");const{language:r,magicComments:n,metastring:o}=e;if(o&&p.test(o)){const t=o.match(p).groups.range;if(0===n.length)throw new Error(`A highlight range has been given in code block's metastring (\`\`\` ${o}), but no magic comment config is available. Docusaurus applies the first magic comment entry's className for metastring ranges.`);const e=n[0].className,r=d()(t).filter((t=>t>0)).map((t=>[t-1,[e]]));return{lineClassNames:Object.fromEntries(r),code:i}}if(void 0===r)return{lineClassNames:{},code:i};const a=function(t,e){switch(t){case"js":case"javascript":case"ts":case"typescript":return x(["js","jsBlock"],e);case"jsx":case"tsx":return x(["js","jsBlock","jsx"],e);case"html":return x(["js","jsBlock","html"],e);case"python":case"py":case"bash":return x(["bash"],e);case"markdown":case"md":return x(["html","jsx","bash"],e);case"tex":case"latex":case"matlab":return x(["tex"],e);case"lua":case"haskell":case"sql":return x(["lua"],e);case"wasm":return x(["wasm"],e);case"vb":case"vba":case"visual-basic":return x(["vb","rem"],e);case"vbnet":return x(["vbnet","rem"],e);case"batch":return x(["rem"],e);case"basic":return x(["rem","f90"],e);case"fsharp":return x(["js","ml"],e);case"ocaml":case"sml":return x(["ml"],e);case"fortran":return x(["f90"],e);case"cobol":return x(["cobol"],e);default:return x(y,e)}}(r,n),s=i.split("\n"),l=Object.fromEntries(n.map((t=>[t.className,{start:0,range:""}]))),c=Object.fromEntries(n.filter((t=>t.line)).map((t=>{let{className:e,line:i}=t;return[i,e]}))),h=Object.fromEntries(n.filter((t=>t.block)).map((t=>{let{className:e,block:i}=t;return[i.start,e]}))),u=Object.fromEntries(n.filter((t=>t.block)).map((t=>{let{className:e,block:i}=t;return[i.end,e]})));for(let d=0;d<s.length;){const t=s[d].match(a);if(!t){d+=1;continue}const e=t.slice(1).find((t=>void 0!==t));c[e]?l[c[e]].range+=`${d},`:h[e]?l[h[e]].start=d:u[e]&&(l[u[e]].range+=`${l[u[e]].start}-${d-1},`),s.splice(d,1)}i=s.join("\n");const f={};return Object.entries(l).forEach((t=>{let[e,{range:i}]=t;d()(i).forEach((t=>{f[t]??=[],f[t].push(e)}))})),{lineClassNames:f,code:i}}const C={codeBlockContainer:"codeBlockContainer_Ckt0"};var _=i(5893);function v(t){let{as:e,...i}=t;const r=function(t){const e={color:"--prism-color",backgroundColor:"--prism-background-color"},i={};return Object.entries(t.plain).forEach((t=>{let[r,n]=t;const o=e[r];o&&"string"==typeof n&&(i[o]=n)})),i}(c());return(0,_.jsx)(e,{...i,style:r,className:(0,a.Z)(i.className,C.codeBlockContainer,h.k.common.codeBlock)})}const k={codeBlockContent:"codeBlockContent_biex",codeBlockTitle:"codeBlockTitle_Ktv7",codeBlock:"codeBlock_bY9V",codeBlockStandalone:"codeBlockStandalone_MEMb",codeBlockLines:"codeBlockLines_e6Vv",codeBlockLinesWithNumbering:"codeBlockLinesWithNumbering_o6Pm",buttonGroup:"buttonGroup__atx"};function T(t){let{children:e,className:i}=t;return(0,_.jsx)(v,{as:"pre",tabIndex:0,className:(0,a.Z)(k.codeBlockStandalone,"thin-scrollbar",i),children:(0,_.jsx)("code",{className:k.codeBlockLines,children:e})})}var w=i(902);const S={attributes:!0,characterData:!0,childList:!0,subtree:!0};function B(t,e){const[i,n]=(0,r.useState)(),o=(0,r.useCallback)((()=>{n(t.current?.closest("[role=tabpanel][hidden]"))}),[t,n]);(0,r.useEffect)((()=>{o()}),[o]),function(t,e,i){void 0===i&&(i=S);const n=(0,w.zX)(e),o=(0,w.Ql)(i);(0,r.useEffect)((()=>{const e=new MutationObserver(n);return t&&e.observe(t,o),()=>e.disconnect()}),[t,n,o])}(i,(t=>{t.forEach((t=>{"attributes"===t.type&&"hidden"===t.attributeName&&(e(),o())}))}),{attributes:!0,characterData:!1,childList:!1,subtree:!1})}var F=i(2573);const L={codeLine:"codeLine_lJS_",codeLineNumber:"codeLineNumber_Tfdd",codeLineContent:"codeLineContent_feaV"};function A(t){let{line:e,classNames:i,showLineNumbers:r,getLineProps:n,getTokenProps:o}=t;1===e.length&&"\n"===e[0].content&&(e[0].content="");const s=n({line:e,className:(0,a.Z)(i,r&&L.codeLine)}),l=e.map(((t,e)=>(0,_.jsx)("span",{...o({token:t})},e)));return(0,_.jsxs)("span",{...s,children:[r?(0,_.jsxs)(_.Fragment,{children:[(0,_.jsx)("span",{className:L.codeLineNumber}),(0,_.jsx)("span",{className:L.codeLineContent,children:l})]}):l,(0,_.jsx)("br",{})]})}var M=i(5999);function E(t){return(0,_.jsx)("svg",{viewBox:"0 0 24 24",...t,children:(0,_.jsx)("path",{fill:"currentColor",d:"M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"})})}function N(t){return(0,_.jsx)("svg",{viewBox:"0 0 24 24",...t,children:(0,_.jsx)("path",{fill:"currentColor",d:"M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"})})}const Z={copyButtonCopied:"copyButtonCopied_obH4",copyButtonIcons:"copyButtonIcons_eSgA",copyButtonIcon:"copyButtonIcon_y97N",copyButtonSuccessIcon:"copyButtonSuccessIcon_LjdS"};function j(t){let{code:e,className:i}=t;const[n,o]=(0,r.useState)(!1),s=(0,r.useRef)(void 0),l=(0,r.useCallback)((()=>{!function(t,e){let{target:i=document.body}=void 0===e?{}:e;if("string"!=typeof t)throw new TypeError(`Expected parameter \`text\` to be a \`string\`, got \`${typeof t}\`.`);const r=document.createElement("textarea"),n=document.activeElement;r.value=t,r.setAttribute("readonly",""),r.style.contain="strict",r.style.position="absolute",r.style.left="-9999px",r.style.fontSize="12pt";const o=document.getSelection(),a=o.rangeCount>0&&o.getRangeAt(0);i.append(r),r.select(),r.selectionStart=0,r.selectionEnd=t.length;let s=!1;try{s=document.execCommand("copy")}catch{}r.remove(),a&&(o.removeAllRanges(),o.addRange(a)),n&&n.focus()}(e),o(!0),s.current=window.setTimeout((()=>{o(!1)}),1e3)}),[e]);return(0,r.useEffect)((()=>()=>window.clearTimeout(s.current)),[]),(0,_.jsx)("button",{type:"button","aria-label":n?(0,M.I)({id:"theme.CodeBlock.copied",message:"Copied",description:"The copied button label on code blocks"}):(0,M.I)({id:"theme.CodeBlock.copyButtonAriaLabel",message:"Copy code to clipboard",description:"The ARIA label for copy code blocks button"}),title:(0,M.I)({id:"theme.CodeBlock.copy",message:"Copy",description:"The copy button label on code blocks"}),className:(0,a.Z)("clean-btn",i,Z.copyButton,n&&Z.copyButtonCopied),onClick:l,children:(0,_.jsxs)("span",{className:Z.copyButtonIcons,"aria-hidden":"true",children:[(0,_.jsx)(E,{className:Z.copyButtonIcon}),(0,_.jsx)(N,{className:Z.copyButtonSuccessIcon})]})})}function I(t){return(0,_.jsx)("svg",{viewBox:"0 0 24 24",...t,children:(0,_.jsx)("path",{fill:"currentColor",d:"M4 19h6v-2H4v2zM20 5H4v2h16V5zm-3 6H4v2h13.25c1.1 0 2 .9 2 2s-.9 2-2 2H15v-2l-3 3l3 3v-2h2c2.21 0 4-1.79 4-4s-1.79-4-4-4z"})})}const O={wordWrapButtonIcon:"wordWrapButtonIcon_Bwma",wordWrapButtonEnabled:"wordWrapButtonEnabled_EoeP"};function D(t){let{className:e,onClick:i,isEnabled:r}=t;const n=(0,M.I)({id:"theme.CodeBlock.wordWrapToggle",message:"Toggle word wrap",description:"The title attribute for toggle word wrapping button of code block lines"});return(0,_.jsx)("button",{type:"button",onClick:i,className:(0,a.Z)("clean-btn",e,r&&O.wordWrapButtonEnabled),"aria-label":n,title:n,children:(0,_.jsx)(I,{className:O.wordWrapButtonIcon,"aria-hidden":"true"})})}function q(t){let{children:e,className:i="",metastring:n,title:o,showLineNumbers:s,language:h}=t;const{prism:{defaultLanguage:u,magicComments:d}}=(0,l.L)(),p=function(t){return t?.toLowerCase()}(h??function(t){const e=t.split(" ").find((t=>t.startsWith("language-")));return e?.replace(/language-/,"")}(i)??u),g=c(),m=function(){const[t,e]=(0,r.useState)(!1),[i,n]=(0,r.useState)(!1),o=(0,r.useRef)(null),a=(0,r.useCallback)((()=>{const i=o.current.querySelector("code");t?i.removeAttribute("style"):(i.style.whiteSpace="pre-wrap",i.style.overflowWrap="anywhere"),e((t=>!t))}),[o,t]),s=(0,r.useCallback)((()=>{const{scrollWidth:t,clientWidth:e}=o.current,i=t>e||o.current.querySelector("code").hasAttribute("style");n(i)}),[o]);return B(o,s),(0,r.useEffect)((()=>{s()}),[t,s]),(0,r.useEffect)((()=>(window.addEventListener("resize",s,{passive:!0}),()=>{window.removeEventListener("resize",s)})),[s]),{codeBlockRef:o,isEnabled:t,isCodeScrollable:i,toggle:a}}(),y=function(t){return t?.match(f)?.groups.title??""}(n)||o,{lineClassNames:x,code:C}=b(e,{metastring:n,language:p,magicComments:d}),T=s??function(t){return Boolean(t?.includes("showLineNumbers"))}(n);return(0,_.jsxs)(v,{as:"div",className:(0,a.Z)(i,p&&!i.includes(`language-${p}`)&&`language-${p}`),children:[y&&(0,_.jsx)("div",{className:k.codeBlockTitle,children:y}),(0,_.jsxs)("div",{className:k.codeBlockContent,children:[(0,_.jsx)(F.y$,{theme:g,code:C,language:p??"text",children:t=>{let{className:e,style:i,tokens:r,getLineProps:n,getTokenProps:o}=t;return(0,_.jsx)("pre",{tabIndex:0,ref:m.codeBlockRef,className:(0,a.Z)(e,k.codeBlock,"thin-scrollbar"),style:i,children:(0,_.jsx)("code",{className:(0,a.Z)(k.codeBlockLines,T&&k.codeBlockLinesWithNumbering),children:r.map(((t,e)=>(0,_.jsx)(A,{line:t,getLineProps:n,getTokenProps:o,classNames:x[e],showLineNumbers:T},e)))})})}}),(0,_.jsxs)("div",{className:k.buttonGroup,children:[(m.isEnabled||m.isCodeScrollable)&&(0,_.jsx)(D,{className:k.codeButton,onClick:()=>m.toggle(),isEnabled:m.isEnabled}),(0,_.jsx)(j,{className:k.codeButton,code:C})]})]})]})}function $(t){let{children:e,...i}=t;const n=(0,o.Z)(),a=function(t){return r.Children.toArray(t).some((t=>(0,r.isValidElement)(t)))?t:Array.isArray(t)?t.join(""):t}(e),s="string"==typeof a?q:T;return(0,_.jsx)(s,{...i,children:a},String(n))}function z(t){return(0,_.jsx)("code",{...t})}var P=i(3692);var R=i(8138),H=i(6043);const W={details:"details_lb9f",isBrowser:"isBrowser_bmU9",collapsibleContent:"collapsibleContent_i85q"};function U(t){return!!t&&("SUMMARY"===t.tagName||U(t.parentElement))}function Y(t,e){return!!t&&(t===e||Y(t.parentElement,e))}function V(t){let{summary:e,children:i,...n}=t;(0,R.Z)().collectAnchor(n.id);const s=(0,o.Z)(),l=(0,r.useRef)(null),{collapsed:c,setCollapsed:h}=(0,H.u)({initialState:!n.open}),[u,d]=(0,r.useState)(n.open),f=r.isValidElement(e)?e:(0,_.jsx)("summary",{children:e??"Details"});return(0,_.jsxs)("details",{...n,ref:l,open:u,"data-collapsed":c,className:(0,a.Z)(W.details,s&&W.isBrowser,n.className),onMouseDown:t=>{U(t.target)&&t.detail>1&&t.preventDefault()},onClick:t=>{t.stopPropagation();const e=t.target;U(e)&&Y(e,l.current)&&(t.preventDefault(),c?(h(!1),d(!0)):h(!0))},children:[f,(0,_.jsx)(H.z,{lazy:!1,collapsed:c,disableSSRStyle:!0,onCollapseTransitionEnd:t=>{h(t),d(!t)},children:(0,_.jsx)("div",{className:W.collapsibleContent,children:i})})]})}const G={details:"details_b_Ee"},X="alert alert--info";function J(t){let{...e}=t;return(0,_.jsx)(V,{...e,className:(0,a.Z)(X,G.details,e.className)})}function Q(t){const e=r.Children.toArray(t.children),i=e.find((t=>r.isValidElement(t)&&"summary"===t.type)),n=(0,_.jsx)(_.Fragment,{children:e.filter((t=>t!==i))});return(0,_.jsx)(J,{...t,summary:i,children:n})}var K=i(2503);function tt(t){return(0,_.jsx)(K.Z,{...t})}const et={containsTaskList:"containsTaskList_mC6p"};function it(t){if(void 0!==t)return(0,a.Z)(t,t?.includes("contains-task-list")&&et.containsTaskList)}const rt={img:"img_ev3q"};var nt=i(9047),ot=i(4763),at=i(9690),st=i(5322);const lt="docusaurus-mermaid-container";function ct(){const{colorMode:t}=(0,s.I)(),e=(0,l.L)().mermaid,i=e.theme[t],{options:n}=e;return(0,r.useMemo)((()=>({startOnLoad:!1,...n,theme:i})),[i,n])}function ht(t){let{text:e,config:i}=t;const[n,o]=(0,r.useState)(null),a=(0,r.useRef)(`mermaid-svg-${Math.round(1e7*Math.random())}`).current,s=ct(),l=i??s;return(0,r.useEffect)((()=>{(async function(t){let{id:e,text:i,config:r}=t;st.L.mermaidAPI.initialize(r);try{return await st.L.render(e,i)}catch(n){throw document.querySelector(`#d${e}`)?.remove(),n}})({id:a,text:e,config:l}).then(o).catch((t=>{o((()=>{throw t}))}))}),[a,e,l]),n}const ut={container:"container_lyt7"};function dt(t){let{renderResult:e}=t;const i=(0,r.useRef)(null);return(0,r.useEffect)((()=>{const t=i.current;e.bindFunctions?.(t)}),[e]),(0,_.jsx)("div",{ref:i,className:`${lt} ${ut.container}`,dangerouslySetInnerHTML:{__html:e.svg}})}function ft(t){let{value:e}=t;const i=ht({text:e});return null===i?null:(0,_.jsx)(dt,{renderResult:i})}const pt={Head:n.Z,details:Q,Details:Q,code:function(t){return function(t){return void 0!==t.children&&r.Children.toArray(t.children).every((t=>"string"==typeof t&&!t.includes("\n")))}(t)?(0,_.jsx)(z,{...t}):(0,_.jsx)($,{...t})},a:function(t){return(0,_.jsx)(P.Z,{...t})},pre:function(t){return(0,_.jsx)(_.Fragment,{children:t.children})},ul:function(t){return(0,_.jsx)("ul",{...t,className:it(t.className)})},li:function(t){return(0,R.Z)().collectAnchor(t.id),(0,_.jsx)("li",{...t})},img:function(t){return(0,_.jsx)("img",{decoding:"async",loading:"lazy",...t,className:(e=t.className,(0,a.Z)(e,rt.img))});var e},h1:t=>(0,_.jsx)(tt,{as:"h1",...t}),h2:t=>(0,_.jsx)(tt,{as:"h2",...t}),h3:t=>(0,_.jsx)(tt,{as:"h3",...t}),h4:t=>(0,_.jsx)(tt,{as:"h4",...t}),h5:t=>(0,_.jsx)(tt,{as:"h5",...t}),h6:t=>(0,_.jsx)(tt,{as:"h6",...t}),admonition:nt.Z,mermaid:function(t){return(0,_.jsx)(ot.Z,{fallback:t=>(0,_.jsx)(at.Ac,{...t}),children:(0,_.jsx)(ft,{...t})})}}},5162:(t,e,i)=>{"use strict";i.d(e,{Z:()=>a});i(7294);var r=i(512);const n={tabItem:"tabItem_Ymn6"};var o=i(5893);function a(t){let{children:e,hidden:i,className:a}=t;return(0,o.jsx)("div",{role:"tabpanel",className:(0,r.Z)(n.tabItem,a),hidden:i,children:e})}},4866:(t,e,i)=>{"use strict";i.d(e,{Z:()=>v});var r=i(7294),n=i(512),o=i(2466),a=i(6550),s=i(469),l=i(1980),c=i(7392),h=i(812);function u(t){return r.Children.toArray(t).filter((t=>"\n"!==t)).map((t=>{if(!t||(0,r.isValidElement)(t)&&function(t){const{props:e}=t;return!!e&&"object"==typeof e&&"value"in e}(t))return t;throw new Error(`Docusaurus error: Bad <Tabs> child <${"string"==typeof t.type?t.type:t.type.name}>: all children of the <Tabs> component should be <TabItem>, and every <TabItem> should have a unique "value" prop.`)}))?.filter(Boolean)??[]}function d(t){const{values:e,children:i}=t;return(0,r.useMemo)((()=>{const t=e??function(t){return u(t).map((t=>{let{props:{value:e,label:i,attributes:r,default:n}}=t;return{value:e,label:i,attributes:r,default:n}}))}(i);return function(t){const e=(0,c.l)(t,((t,e)=>t.value===e.value));if(e.length>0)throw new Error(`Docusaurus error: Duplicate values "${e.map((t=>t.value)).join(", ")}" found in <Tabs>. Every value needs to be unique.`)}(t),t}),[e,i])}function f(t){let{value:e,tabValues:i}=t;return i.some((t=>t.value===e))}function p(t){let{queryString:e=!1,groupId:i}=t;const n=(0,a.k6)(),o=function(t){let{queryString:e=!1,groupId:i}=t;if("string"==typeof e)return e;if(!1===e)return null;if(!0===e&&!i)throw new Error('Docusaurus error: The <Tabs> component groupId prop is required if queryString=true, because this value is used as the search param name. You can also provide an explicit value such as queryString="my-search-param".');return i??null}({queryString:e,groupId:i});return[(0,l._X)(o),(0,r.useCallback)((t=>{if(!o)return;const e=new URLSearchParams(n.location.search);e.set(o,t),n.replace({...n.location,search:e.toString()})}),[o,n])]}function g(t){const{defaultValue:e,queryString:i=!1,groupId:n}=t,o=d(t),[a,l]=(0,r.useState)((()=>function(t){let{defaultValue:e,tabValues:i}=t;if(0===i.length)throw new Error("Docusaurus error: the <Tabs> component requires at least one <TabItem> children component");if(e){if(!f({value:e,tabValues:i}))throw new Error(`Docusaurus error: The <Tabs> has a defaultValue "${e}" but none of its children has the corresponding value. Available values are: ${i.map((t=>t.value)).join(", ")}. If you intend to show no default tab, use defaultValue={null} instead.`);return e}const r=i.find((t=>t.default))??i[0];if(!r)throw new Error("Unexpected error: 0 tabValues");return r.value}({defaultValue:e,tabValues:o}))),[c,u]=p({queryString:i,groupId:n}),[g,m]=function(t){let{groupId:e}=t;const i=function(t){return t?`docusaurus.tab.${t}`:null}(e),[n,o]=(0,h.Nk)(i);return[n,(0,r.useCallback)((t=>{i&&o.set(t)}),[i,o])]}({groupId:n}),y=(()=>{const t=c??g;return f({value:t,tabValues:o})?t:null})();(0,s.Z)((()=>{y&&l(y)}),[y]);return{selectedValue:a,selectValue:(0,r.useCallback)((t=>{if(!f({value:t,tabValues:o}))throw new Error(`Can't select invalid tab value=${t}`);l(t),u(t),m(t)}),[u,m,o]),tabValues:o}}var m=i(2389);const y={tabList:"tabList__CuJ",tabItem:"tabItem_LNqP"};var x=i(5893);function b(t){let{className:e,block:i,selectedValue:r,selectValue:a,tabValues:s}=t;const l=[],{blockElementScrollPositionUntilNextRender:c}=(0,o.o5)(),h=t=>{const e=t.currentTarget,i=l.indexOf(e),n=s[i].value;n!==r&&(c(e),a(n))},u=t=>{let e=null;switch(t.key){case"Enter":h(t);break;case"ArrowRight":{const i=l.indexOf(t.currentTarget)+1;e=l[i]??l[0];break}case"ArrowLeft":{const i=l.indexOf(t.currentTarget)-1;e=l[i]??l[l.length-1];break}}e?.focus()};return(0,x.jsx)("ul",{role:"tablist","aria-orientation":"horizontal",className:(0,n.Z)("tabs",{"tabs--block":i},e),children:s.map((t=>{let{value:e,label:i,attributes:o}=t;return(0,x.jsx)("li",{role:"tab",tabIndex:r===e?0:-1,"aria-selected":r===e,ref:t=>l.push(t),onKeyDown:u,onClick:h,...o,className:(0,n.Z)("tabs__item",y.tabItem,o?.className,{"tabs__item--active":r===e}),children:i??e},e)}))})}function C(t){let{lazy:e,children:i,selectedValue:n}=t;const o=(Array.isArray(i)?i:[i]).filter(Boolean);if(e){const t=o.find((t=>t.props.value===n));return t?(0,r.cloneElement)(t,{className:"margin-top--md"}):null}return(0,x.jsx)("div",{className:"margin-top--md",children:o.map(((t,e)=>(0,r.cloneElement)(t,{key:e,hidden:t.props.value!==n})))})}function _(t){const e=g(t);return(0,x.jsxs)("div",{className:(0,n.Z)("tabs-container",y.tabList),children:[(0,x.jsx)(b,{...e,...t}),(0,x.jsx)(C,{...e,...t})]})}function v(t){const e=(0,m.Z)();return(0,x.jsx)(_,{...t,children:u(t.children)},String(e))}},7484:function(t){t.exports=function(){"use strict";var t=1e3,e=6e4,i=36e5,r="millisecond",n="second",o="minute",a="hour",s="day",l="week",c="month",h="quarter",u="year",d="date",f="Invalid Date",p=/^(\d{4})[-/]?(\d{1,2})?[-/]?(\d{0,2})[Tt\s]*(\d{1,2})?:?(\d{1,2})?:?(\d{1,2})?[.:]?(\d+)?$/,g=/\[([^\]]+)]|Y{1,4}|M{1,4}|D{1,2}|d{1,4}|H{1,2}|h{1,2}|a|A|m{1,2}|s{1,2}|Z{1,2}|SSS/g,m={name:"en",weekdays:"Sunday_Monday_Tuesday_Wednesday_Thursday_Friday_Saturday".split("_"),months:"January_February_March_April_May_June_July_August_September_October_November_December".split("_"),ordinal:function(t){var e=["th","st","nd","rd"],i=t%100;return"["+t+(e[(i-20)%10]||e[i]||e[0])+"]"}},y=function(t,e,i){var r=String(t);return!r||r.length>=e?t:""+Array(e+1-r.length).join(i)+t},x={s:y,z:function(t){var e=-t.utcOffset(),i=Math.abs(e),r=Math.floor(i/60),n=i%60;return(e<=0?"+":"-")+y(r,2,"0")+":"+y(n,2,"0")},m:function t(e,i){if(e.date()<i.date())return-t(i,e);var r=12*(i.year()-e.year())+(i.month()-e.month()),n=e.clone().add(r,c),o=i-n<0,a=e.clone().add(r+(o?-1:1),c);return+(-(r+(i-n)/(o?n-a:a-n))||0)},a:function(t){return t<0?Math.ceil(t)||0:Math.floor(t)},p:function(t){return{M:c,y:u,w:l,d:s,D:d,h:a,m:o,s:n,ms:r,Q:h}[t]||String(t||"").toLowerCase().replace(/s$/,"")},u:function(t){return void 0===t}},b="en",C={};C[b]=m;var _="$isDayjsObject",v=function(t){return t instanceof S||!(!t||!t[_])},k=function t(e,i,r){var n;if(!e)return b;if("string"==typeof e){var o=e.toLowerCase();C[o]&&(n=o),i&&(C[o]=i,n=o);var a=e.split("-");if(!n&&a.length>1)return t(a[0])}else{var s=e.name;C[s]=e,n=s}return!r&&n&&(b=n),n||!r&&b},T=function(t,e){if(v(t))return t.clone();var i="object"==typeof e?e:{};return i.date=t,i.args=arguments,new S(i)},w=x;w.l=k,w.i=v,w.w=function(t,e){return T(t,{locale:e.$L,utc:e.$u,x:e.$x,$offset:e.$offset})};var S=function(){function m(t){this.$L=k(t.locale,null,!0),this.parse(t),this.$x=this.$x||t.x||{},this[_]=!0}var y=m.prototype;return y.parse=function(t){this.$d=function(t){var e=t.date,i=t.utc;if(null===e)return new Date(NaN);if(w.u(e))return new Date;if(e instanceof Date)return new Date(e);if("string"==typeof e&&!/Z$/i.test(e)){var r=e.match(p);if(r){var n=r[2]-1||0,o=(r[7]||"0").substring(0,3);return i?new Date(Date.UTC(r[1],n,r[3]||1,r[4]||0,r[5]||0,r[6]||0,o)):new Date(r[1],n,r[3]||1,r[4]||0,r[5]||0,r[6]||0,o)}}return new Date(e)}(t),this.init()},y.init=function(){var t=this.$d;this.$y=t.getFullYear(),this.$M=t.getMonth(),this.$D=t.getDate(),this.$W=t.getDay(),this.$H=t.getHours(),this.$m=t.getMinutes(),this.$s=t.getSeconds(),this.$ms=t.getMilliseconds()},y.$utils=function(){return w},y.isValid=function(){return!(this.$d.toString()===f)},y.isSame=function(t,e){var i=T(t);return this.startOf(e)<=i&&i<=this.endOf(e)},y.isAfter=function(t,e){return T(t)<this.startOf(e)},y.isBefore=function(t,e){return this.endOf(e)<T(t)},y.$g=function(t,e,i){return w.u(t)?this[e]:this.set(i,t)},y.unix=function(){return Math.floor(this.valueOf()/1e3)},y.valueOf=function(){return this.$d.getTime()},y.startOf=function(t,e){var i=this,r=!!w.u(e)||e,h=w.p(t),f=function(t,e){var n=w.w(i.$u?Date.UTC(i.$y,e,t):new Date(i.$y,e,t),i);return r?n:n.endOf(s)},p=function(t,e){return w.w(i.toDate()[t].apply(i.toDate("s"),(r?[0,0,0,0]:[23,59,59,999]).slice(e)),i)},g=this.$W,m=this.$M,y=this.$D,x="set"+(this.$u?"UTC":"");switch(h){case u:return r?f(1,0):f(31,11);case c:return r?f(1,m):f(0,m+1);case l:var b=this.$locale().weekStart||0,C=(g<b?g+7:g)-b;return f(r?y-C:y+(6-C),m);case s:case d:return p(x+"Hours",0);case a:return p(x+"Minutes",1);case o:return p(x+"Seconds",2);case n:return p(x+"Milliseconds",3);default:return this.clone()}},y.endOf=function(t){return this.startOf(t,!1)},y.$set=function(t,e){var i,l=w.p(t),h="set"+(this.$u?"UTC":""),f=(i={},i[s]=h+"Date",i[d]=h+"Date",i[c]=h+"Month",i[u]=h+"FullYear",i[a]=h+"Hours",i[o]=h+"Minutes",i[n]=h+"Seconds",i[r]=h+"Milliseconds",i)[l],p=l===s?this.$D+(e-this.$W):e;if(l===c||l===u){var g=this.clone().set(d,1);g.$d[f](p),g.init(),this.$d=g.set(d,Math.min(this.$D,g.daysInMonth())).$d}else f&&this.$d[f](p);return this.init(),this},y.set=function(t,e){return this.clone().$set(t,e)},y.get=function(t){return this[w.p(t)]()},y.add=function(r,h){var d,f=this;r=Number(r);var p=w.p(h),g=function(t){var e=T(f);return w.w(e.date(e.date()+Math.round(t*r)),f)};if(p===c)return this.set(c,this.$M+r);if(p===u)return this.set(u,this.$y+r);if(p===s)return g(1);if(p===l)return g(7);var m=(d={},d[o]=e,d[a]=i,d[n]=t,d)[p]||1,y=this.$d.getTime()+r*m;return w.w(y,this)},y.subtract=function(t,e){return this.add(-1*t,e)},y.format=function(t){var e=this,i=this.$locale();if(!this.isValid())return i.invalidDate||f;var r=t||"YYYY-MM-DDTHH:mm:ssZ",n=w.z(this),o=this.$H,a=this.$m,s=this.$M,l=i.weekdays,c=i.months,h=i.meridiem,u=function(t,i,n,o){return t&&(t[i]||t(e,r))||n[i].slice(0,o)},d=function(t){return w.s(o%12||12,t,"0")},p=h||function(t,e,i){var r=t<12?"AM":"PM";return i?r.toLowerCase():r};return r.replace(g,(function(t,r){return r||function(t){switch(t){case"YY":return String(e.$y).slice(-2);case"YYYY":return w.s(e.$y,4,"0");case"M":return s+1;case"MM":return w.s(s+1,2,"0");case"MMM":return u(i.monthsShort,s,c,3);case"MMMM":return u(c,s);case"D":return e.$D;case"DD":return w.s(e.$D,2,"0");case"d":return String(e.$W);case"dd":return u(i.weekdaysMin,e.$W,l,2);case"ddd":return u(i.weekdaysShort,e.$W,l,3);case"dddd":return l[e.$W];case"H":return String(o);case"HH":return w.s(o,2,"0");case"h":return d(1);case"hh":return d(2);case"a":return p(o,a,!0);case"A":return p(o,a,!1);case"m":return String(a);case"mm":return w.s(a,2,"0");case"s":return String(e.$s);case"ss":return w.s(e.$s,2,"0");case"SSS":return w.s(e.$ms,3,"0");case"Z":return n}return null}(t)||n.replace(":","")}))},y.utcOffset=function(){return 15*-Math.round(this.$d.getTimezoneOffset()/15)},y.diff=function(r,d,f){var p,g=this,m=w.p(d),y=T(r),x=(y.utcOffset()-this.utcOffset())*e,b=this-y,C=function(){return w.m(g,y)};switch(m){case u:p=C()/12;break;case c:p=C();break;case h:p=C()/3;break;case l:p=(b-x)/6048e5;break;case s:p=(b-x)/864e5;break;case a:p=b/i;break;case o:p=b/e;break;case n:p=b/t;break;default:p=b}return f?p:w.a(p)},y.daysInMonth=function(){return this.endOf(c).$D},y.$locale=function(){return C[this.$L]},y.locale=function(t,e){if(!t)return this.$L;var i=this.clone(),r=k(t,e,!0);return r&&(i.$L=r),i},y.clone=function(){return w.w(this.$d,this)},y.toDate=function(){return new Date(this.valueOf())},y.toJSON=function(){return this.isValid()?this.toISOString():null},y.toISOString=function(){return this.$d.toISOString()},y.toString=function(){return this.$d.toUTCString()},m}(),B=S.prototype;return T.prototype=B,[["$ms",r],["$s",n],["$m",o],["$H",a],["$W",s],["$M",c],["$y",u],["$D",d]].forEach((function(t){B[t[1]]=function(e){return this.$g(e,t[0],t[1])}})),T.extend=function(t,e){return t.$i||(t(e,S,T),t.$i=!0),T},T.locale=k,T.isDayjs=v,T.unix=function(t){return T(1e3*t)},T.en=C[b],T.Ls=C,T.p={},T}()},7856:function(t){t.exports=function(){"use strict";const{entries:t,setPrototypeOf:e,isFrozen:i,getPrototypeOf:r,getOwnPropertyDescriptor:n}=Object;let{freeze:o,seal:a,create:s}=Object,{apply:l,construct:c}="undefined"!=typeof Reflect&&Reflect;o||(o=function(t){return t}),a||(a=function(t){return t}),l||(l=function(t,e,i){return t.apply(e,i)}),c||(c=function(t,e){return new t(...e)});const h=_(Array.prototype.forEach),u=_(Array.prototype.pop),d=_(Array.prototype.push),f=_(String.prototype.toLowerCase),p=_(String.prototype.toString),g=_(String.prototype.match),m=_(String.prototype.replace),y=_(String.prototype.indexOf),x=_(String.prototype.trim),b=_(RegExp.prototype.test),C=v(TypeError);function _(t){return function(e){for(var i=arguments.length,r=new Array(i>1?i-1:0),n=1;n<i;n++)r[n-1]=arguments[n];return l(t,e,r)}}function v(t){return function(){for(var e=arguments.length,i=new Array(e),r=0;r<e;r++)i[r]=arguments[r];return c(t,i)}}function k(t,r){let n=arguments.length>2&&void 0!==arguments[2]?arguments[2]:f;e&&e(t,null);let o=r.length;for(;o--;){let e=r[o];if("string"==typeof e){const t=n(e);t!==e&&(i(r)||(r[o]=t),e=t)}t[e]=!0}return t}function T(e){const i=s(null);for(const[r,o]of t(e))void 0!==n(e,r)&&(i[r]=o);return i}function w(t,e){for(;null!==t;){const i=n(t,e);if(i){if(i.get)return _(i.get);if("function"==typeof i.value)return _(i.value)}t=r(t)}function i(t){return console.warn("fallback value for",t),null}return i}const S=o(["a","abbr","acronym","address","area","article","aside","audio","b","bdi","bdo","big","blink","blockquote","body","br","button","canvas","caption","center","cite","code","col","colgroup","content","data","datalist","dd","decorator","del","details","dfn","dialog","dir","div","dl","dt","element","em","fieldset","figcaption","figure","font","footer","form","h1","h2","h3","h4","h5","h6","head","header","hgroup","hr","html","i","img","input","ins","kbd","label","legend","li","main","map","mark","marquee","menu","menuitem","meter","nav","nobr","ol","optgroup","option","output","p","picture","pre","progress","q","rp","rt","ruby","s","samp","section","select","shadow","small","source","spacer","span","strike","strong","style","sub","summary","sup","table","tbody","td","template","textarea","tfoot","th","thead","time","tr","track","tt","u","ul","var","video","wbr"]),B=o(["svg","a","altglyph","altglyphdef","altglyphitem","animatecolor","animatemotion","animatetransform","circle","clippath","defs","desc","ellipse","filter","font","g","glyph","glyphref","hkern","image","line","lineargradient","marker","mask","metadata","mpath","path","pattern","polygon","polyline","radialgradient","rect","stop","style","switch","symbol","text","textpath","title","tref","tspan","view","vkern"]),F=o(["feBlend","feColorMatrix","feComponentTransfer","feComposite","feConvolveMatrix","feDiffuseLighting","feDisplacementMap","feDistantLight","feDropShadow","feFlood","feFuncA","feFuncB","feFuncG","feFuncR","feGaussianBlur","feImage","feMerge","feMergeNode","feMorphology","feOffset","fePointLight","feSpecularLighting","feSpotLight","feTile","feTurbulence"]),L=o(["animate","color-profile","cursor","discard","font-face","font-face-format","font-face-name","font-face-src","font-face-uri","foreignobject","hatch","hatchpath","mesh","meshgradient","meshpatch","meshrow","missing-glyph","script","set","solidcolor","unknown","use"]),A=o(["math","menclose","merror","mfenced","mfrac","mglyph","mi","mlabeledtr","mmultiscripts","mn","mo","mover","mpadded","mphantom","mroot","mrow","ms","mspace","msqrt","mstyle","msub","msup","msubsup","mtable","mtd","mtext","mtr","munder","munderover","mprescripts"]),M=o(["maction","maligngroup","malignmark","mlongdiv","mscarries","mscarry","msgroup","mstack","msline","msrow","semantics","annotation","annotation-xml","mprescripts","none"]),E=o(["#text"]),N=o(["accept","action","align","alt","autocapitalize","autocomplete","autopictureinpicture","autoplay","background","bgcolor","border","capture","cellpadding","cellspacing","checked","cite","class","clear","color","cols","colspan","controls","controlslist","coords","crossorigin","datetime","decoding","default","dir","disabled","disablepictureinpicture","disableremoteplayback","download","draggable","enctype","enterkeyhint","face","for","headers","height","hidden","high","href","hreflang","id","inputmode","integrity","ismap","kind","label","lang","list","loading","loop","low","max","maxlength","media","method","min","minlength","multiple","muted","name","nonce","noshade","novalidate","nowrap","open","optimum","pattern","placeholder","playsinline","poster","preload","pubdate","radiogroup","readonly","rel","required","rev","reversed","role","rows","rowspan","spellcheck","scope","selected","shape","size","sizes","span","srclang","start","src","srcset","step","style","summary","tabindex","title","translate","type","usemap","valign","value","width","xmlns","slot"]),Z=o(["accent-height","accumulate","additive","alignment-baseline","ascent","attributename","attributetype","azimuth","basefrequency","baseline-shift","begin","bias","by","class","clip","clippathunits","clip-path","clip-rule","color","color-interpolation","color-interpolation-filters","color-profile","color-rendering","cx","cy","d","dx","dy","diffuseconstant","direction","display","divisor","dur","edgemode","elevation","end","fill","fill-opacity","fill-rule","filter","filterunits","flood-color","flood-opacity","font-family","font-size","font-size-adjust","font-stretch","font-style","font-variant","font-weight","fx","fy","g1","g2","glyph-name","glyphref","gradientunits","gradienttransform","height","href","id","image-rendering","in","in2","k","k1","k2","k3","k4","kerning","keypoints","keysplines","keytimes","lang","lengthadjust","letter-spacing","kernelmatrix","kernelunitlength","lighting-color","local","marker-end","marker-mid","marker-start","markerheight","markerunits","markerwidth","maskcontentunits","maskunits","max","mask","media","method","mode","min","name","numoctaves","offset","operator","opacity","order","orient","orientation","origin","overflow","paint-order","path","pathlength","patterncontentunits","patterntransform","patternunits","points","preservealpha","preserveaspectratio","primitiveunits","r","rx","ry","radius","refx","refy","repeatcount","repeatdur","restart","result","rotate","scale","seed","shape-rendering","specularconstant","specularexponent","spreadmethod","startoffset","stddeviation","stitchtiles","stop-color","stop-opacity","stroke-dasharray","stroke-dashoffset","stroke-linecap","stroke-linejoin","stroke-miterlimit","stroke-opacity","stroke","stroke-width","style","surfacescale","systemlanguage","tabindex","targetx","targety","transform","transform-origin","text-anchor","text-decoration","text-rendering","textlength","type","u1","u2","unicode","values","viewbox","visibility","version","vert-adv-y","vert-origin-x","vert-origin-y","width","word-spacing","wrap","writing-mode","xchannelselector","ychannelselector","x","x1","x2","xmlns","y","y1","y2","z","zoomandpan"]),j=o(["accent","accentunder","align","bevelled","close","columnsalign","columnlines","columnspan","denomalign","depth","dir","display","displaystyle","encoding","fence","frame","height","href","id","largeop","length","linethickness","lspace","lquote","mathbackground","mathcolor","mathsize","mathvariant","maxsize","minsize","movablelimits","notation","numalign","open","rowalign","rowlines","rowspacing","rowspan","rspace","rquote","scriptlevel","scriptminsize","scriptsizemultiplier","selection","separator","separators","stretchy","subscriptshift","supscriptshift","symmetric","voffset","width","xmlns"]),I=o(["xlink:href","xml:id","xlink:title","xml:space","xmlns:xlink"]),O=a(/\{\{[\w\W]*|[\w\W]*\}\}/gm),D=a(/<%[\w\W]*|[\w\W]*%>/gm),q=a(/\${[\w\W]*}/gm),$=a(/^data-[\-\w.\u00B7-\uFFFF]/),z=a(/^aria-[\-\w]+$/),P=a(/^(?:(?:(?:f|ht)tps?|mailto|tel|callto|sms|cid|xmpp):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i),R=a(/^(?:\w+script|data):/i),H=a(/[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205F\u3000]/g),W=a(/^html$/i);var U=Object.freeze({__proto__:null,MUSTACHE_EXPR:O,ERB_EXPR:D,TMPLIT_EXPR:q,DATA_ATTR:$,ARIA_ATTR:z,IS_ALLOWED_URI:P,IS_SCRIPT_OR_DATA:R,ATTR_WHITESPACE:H,DOCTYPE_NAME:W});const Y=function(){return"undefined"==typeof window?null:window},V=function(t,e){if("object"!=typeof t||"function"!=typeof t.createPolicy)return null;let i=null;const r="data-tt-policy-suffix";e&&e.hasAttribute(r)&&(i=e.getAttribute(r));const n="dompurify"+(i?"#"+i:"");try{return t.createPolicy(n,{createHTML:t=>t,createScriptURL:t=>t})}catch(o){return console.warn("TrustedTypes policy "+n+" could not be created."),null}};function G(){let e=arguments.length>0&&void 0!==arguments[0]?arguments[0]:Y();const i=t=>G(t);if(i.version="3.0.6",i.removed=[],!e||!e.document||9!==e.document.nodeType)return i.isSupported=!1,i;let{document:r}=e;const n=r,a=n.currentScript,{DocumentFragment:l,HTMLTemplateElement:c,Node:_,Element:v,NodeFilter:O,NamedNodeMap:D=e.NamedNodeMap||e.MozNamedAttrMap,HTMLFormElement:q,DOMParser:$,trustedTypes:z}=e,R=v.prototype,H=w(R,"cloneNode"),X=w(R,"nextSibling"),J=w(R,"childNodes"),Q=w(R,"parentNode");if("function"==typeof c){const t=r.createElement("template");t.content&&t.content.ownerDocument&&(r=t.content.ownerDocument)}let K,tt="";const{implementation:et,createNodeIterator:it,createDocumentFragment:rt,getElementsByTagName:nt}=r,{importNode:ot}=n;let at={};i.isSupported="function"==typeof t&&"function"==typeof Q&&et&&void 0!==et.createHTMLDocument;const{MUSTACHE_EXPR:st,ERB_EXPR:lt,TMPLIT_EXPR:ct,DATA_ATTR:ht,ARIA_ATTR:ut,IS_SCRIPT_OR_DATA:dt,ATTR_WHITESPACE:ft}=U;let{IS_ALLOWED_URI:pt}=U,gt=null;const mt=k({},[...S,...B,...F,...A,...E]);let yt=null;const xt=k({},[...N,...Z,...j,...I]);let bt=Object.seal(s(null,{tagNameCheck:{writable:!0,configurable:!1,enumerable:!0,value:null},attributeNameCheck:{writable:!0,configurable:!1,enumerable:!0,value:null},allowCustomizedBuiltInElements:{writable:!0,configurable:!1,enumerable:!0,value:!1}})),Ct=null,_t=null,vt=!0,kt=!0,Tt=!1,wt=!0,St=!1,Bt=!1,Ft=!1,Lt=!1,At=!1,Mt=!1,Et=!1,Nt=!0,Zt=!1;const jt="user-content-";let It=!0,Ot=!1,Dt={},qt=null;const $t=k({},["annotation-xml","audio","colgroup","desc","foreignobject","head","iframe","math","mi","mn","mo","ms","mtext","noembed","noframes","noscript","plaintext","script","style","svg","template","thead","title","video","xmp"]);let zt=null;const Pt=k({},["audio","video","img","source","image","track"]);let Rt=null;const Ht=k({},["alt","class","for","id","label","name","pattern","placeholder","role","summary","title","value","style","xmlns"]),Wt="http://www.w3.org/1998/Math/MathML",Ut="http://www.w3.org/2000/svg",Yt="http://www.w3.org/1999/xhtml";let Vt=Yt,Gt=!1,Xt=null;const Jt=k({},[Wt,Ut,Yt],p);let Qt=null;const Kt=["application/xhtml+xml","text/html"],te="text/html";let ee=null,ie=null;const re=r.createElement("form"),ne=function(t){return t instanceof RegExp||t instanceof Function},oe=function(){let t=arguments.length>0&&void 0!==arguments[0]?arguments[0]:{};if(!ie||ie!==t){if(t&&"object"==typeof t||(t={}),t=T(t),Qt=Qt=-1===Kt.indexOf(t.PARSER_MEDIA_TYPE)?te:t.PARSER_MEDIA_TYPE,ee="application/xhtml+xml"===Qt?p:f,gt="ALLOWED_TAGS"in t?k({},t.ALLOWED_TAGS,ee):mt,yt="ALLOWED_ATTR"in t?k({},t.ALLOWED_ATTR,ee):xt,Xt="ALLOWED_NAMESPACES"in t?k({},t.ALLOWED_NAMESPACES,p):Jt,Rt="ADD_URI_SAFE_ATTR"in t?k(T(Ht),t.ADD_URI_SAFE_ATTR,ee):Ht,zt="ADD_DATA_URI_TAGS"in t?k(T(Pt),t.ADD_DATA_URI_TAGS,ee):Pt,qt="FORBID_CONTENTS"in t?k({},t.FORBID_CONTENTS,ee):$t,Ct="FORBID_TAGS"in t?k({},t.FORBID_TAGS,ee):{},_t="FORBID_ATTR"in t?k({},t.FORBID_ATTR,ee):{},Dt="USE_PROFILES"in t&&t.USE_PROFILES,vt=!1!==t.ALLOW_ARIA_ATTR,kt=!1!==t.ALLOW_DATA_ATTR,Tt=t.ALLOW_UNKNOWN_PROTOCOLS||!1,wt=!1!==t.ALLOW_SELF_CLOSE_IN_ATTR,St=t.SAFE_FOR_TEMPLATES||!1,Bt=t.WHOLE_DOCUMENT||!1,At=t.RETURN_DOM||!1,Mt=t.RETURN_DOM_FRAGMENT||!1,Et=t.RETURN_TRUSTED_TYPE||!1,Lt=t.FORCE_BODY||!1,Nt=!1!==t.SANITIZE_DOM,Zt=t.SANITIZE_NAMED_PROPS||!1,It=!1!==t.KEEP_CONTENT,Ot=t.IN_PLACE||!1,pt=t.ALLOWED_URI_REGEXP||P,Vt=t.NAMESPACE||Yt,bt=t.CUSTOM_ELEMENT_HANDLING||{},t.CUSTOM_ELEMENT_HANDLING&&ne(t.CUSTOM_ELEMENT_HANDLING.tagNameCheck)&&(bt.tagNameCheck=t.CUSTOM_ELEMENT_HANDLING.tagNameCheck),t.CUSTOM_ELEMENT_HANDLING&&ne(t.CUSTOM_ELEMENT_HANDLING.attributeNameCheck)&&(bt.attributeNameCheck=t.CUSTOM_ELEMENT_HANDLING.attributeNameCheck),t.CUSTOM_ELEMENT_HANDLING&&"boolean"==typeof t.CUSTOM_ELEMENT_HANDLING.allowCustomizedBuiltInElements&&(bt.allowCustomizedBuiltInElements=t.CUSTOM_ELEMENT_HANDLING.allowCustomizedBuiltInElements),St&&(kt=!1),Mt&&(At=!0),Dt&&(gt=k({},[...E]),yt=[],!0===Dt.html&&(k(gt,S),k(yt,N)),!0===Dt.svg&&(k(gt,B),k(yt,Z),k(yt,I)),!0===Dt.svgFilters&&(k(gt,F),k(yt,Z),k(yt,I)),!0===Dt.mathMl&&(k(gt,A),k(yt,j),k(yt,I))),t.ADD_TAGS&&(gt===mt&&(gt=T(gt)),k(gt,t.ADD_TAGS,ee)),t.ADD_ATTR&&(yt===xt&&(yt=T(yt)),k(yt,t.ADD_ATTR,ee)),t.ADD_URI_SAFE_ATTR&&k(Rt,t.ADD_URI_SAFE_ATTR,ee),t.FORBID_CONTENTS&&(qt===$t&&(qt=T(qt)),k(qt,t.FORBID_CONTENTS,ee)),It&&(gt["#text"]=!0),Bt&&k(gt,["html","head","body"]),gt.table&&(k(gt,["tbody"]),delete Ct.tbody),t.TRUSTED_TYPES_POLICY){if("function"!=typeof t.TRUSTED_TYPES_POLICY.createHTML)throw C('TRUSTED_TYPES_POLICY configuration option must provide a "createHTML" hook.');if("function"!=typeof t.TRUSTED_TYPES_POLICY.createScriptURL)throw C('TRUSTED_TYPES_POLICY configuration option must provide a "createScriptURL" hook.');K=t.TRUSTED_TYPES_POLICY,tt=K.createHTML("")}else void 0===K&&(K=V(z,a)),null!==K&&"string"==typeof tt&&(tt=K.createHTML(""));o&&o(t),ie=t}},ae=k({},["mi","mo","mn","ms","mtext"]),se=k({},["foreignobject","desc","title","annotation-xml"]),le=k({},["title","style","font","a","script"]),ce=k({},B);k(ce,F),k(ce,L);const he=k({},A);k(he,M);const ue=function(t){let e=Q(t);e&&e.tagName||(e={namespaceURI:Vt,tagName:"template"});const i=f(t.tagName),r=f(e.tagName);return!!Xt[t.namespaceURI]&&(t.namespaceURI===Ut?e.namespaceURI===Yt?"svg"===i:e.namespaceURI===Wt?"svg"===i&&("annotation-xml"===r||ae[r]):Boolean(ce[i]):t.namespaceURI===Wt?e.namespaceURI===Yt?"math"===i:e.namespaceURI===Ut?"math"===i&&se[r]:Boolean(he[i]):t.namespaceURI===Yt?!(e.namespaceURI===Ut&&!se[r])&&!(e.namespaceURI===Wt&&!ae[r])&&!he[i]&&(le[i]||!ce[i]):!("application/xhtml+xml"!==Qt||!Xt[t.namespaceURI]))},de=function(t){d(i.removed,{element:t});try{t.parentNode.removeChild(t)}catch(e){t.remove()}},fe=function(t,e){try{d(i.removed,{attribute:e.getAttributeNode(t),from:e})}catch(r){d(i.removed,{attribute:null,from:e})}if(e.removeAttribute(t),"is"===t&&!yt[t])if(At||Mt)try{de(e)}catch(r){}else try{e.setAttribute(t,"")}catch(r){}},pe=function(t){let e=null,i=null;if(Lt)t="<remove></remove>"+t;else{const e=g(t,/^[\r\n\t ]+/);i=e&&e[0]}"application/xhtml+xml"===Qt&&Vt===Yt&&(t='<html xmlns="http://www.w3.org/1999/xhtml"><head></head><body>'+t+"</body></html>");const n=K?K.createHTML(t):t;if(Vt===Yt)try{e=(new $).parseFromString(n,Qt)}catch(a){}if(!e||!e.documentElement){e=et.createDocument(Vt,"template",null);try{e.documentElement.innerHTML=Gt?tt:n}catch(a){}}const o=e.body||e.documentElement;return t&&i&&o.insertBefore(r.createTextNode(i),o.childNodes[0]||null),Vt===Yt?nt.call(e,Bt?"html":"body")[0]:Bt?e.documentElement:o},ge=function(t){return it.call(t.ownerDocument||t,t,O.SHOW_ELEMENT|O.SHOW_COMMENT|O.SHOW_TEXT,null)},me=function(t){return t instanceof q&&("string"!=typeof t.nodeName||"string"!=typeof t.textContent||"function"!=typeof t.removeChild||!(t.attributes instanceof D)||"function"!=typeof t.removeAttribute||"function"!=typeof t.setAttribute||"string"!=typeof t.namespaceURI||"function"!=typeof t.insertBefore||"function"!=typeof t.hasChildNodes)},ye=function(t){return"function"==typeof _&&t instanceof _},xe=function(t,e,r){at[t]&&h(at[t],(t=>{t.call(i,e,r,ie)}))},be=function(t){let e=null;if(xe("beforeSanitizeElements",t,null),me(t))return de(t),!0;const r=ee(t.nodeName);if(xe("uponSanitizeElement",t,{tagName:r,allowedTags:gt}),t.hasChildNodes()&&!ye(t.firstElementChild)&&b(/<[/\w]/g,t.innerHTML)&&b(/<[/\w]/g,t.textContent))return de(t),!0;if(!gt[r]||Ct[r]){if(!Ct[r]&&_e(r)){if(bt.tagNameCheck instanceof RegExp&&b(bt.tagNameCheck,r))return!1;if(bt.tagNameCheck instanceof Function&&bt.tagNameCheck(r))return!1}if(It&&!qt[r]){const e=Q(t)||t.parentNode,i=J(t)||t.childNodes;if(i&&e)for(let r=i.length-1;r>=0;--r)e.insertBefore(H(i[r],!0),X(t))}return de(t),!0}return t instanceof v&&!ue(t)?(de(t),!0):"noscript"!==r&&"noembed"!==r&&"noframes"!==r||!b(/<\/no(script|embed|frames)/i,t.innerHTML)?(St&&3===t.nodeType&&(e=t.textContent,h([st,lt,ct],(t=>{e=m(e,t," ")})),t.textContent!==e&&(d(i.removed,{element:t.cloneNode()}),t.textContent=e)),xe("afterSanitizeElements",t,null),!1):(de(t),!0)},Ce=function(t,e,i){if(Nt&&("id"===e||"name"===e)&&(i in r||i in re))return!1;if(kt&&!_t[e]&&b(ht,e));else if(vt&&b(ut,e));else if(!yt[e]||_t[e]){if(!(_e(t)&&(bt.tagNameCheck instanceof RegExp&&b(bt.tagNameCheck,t)||bt.tagNameCheck instanceof Function&&bt.tagNameCheck(t))&&(bt.attributeNameCheck instanceof RegExp&&b(bt.attributeNameCheck,e)||bt.attributeNameCheck instanceof Function&&bt.attributeNameCheck(e))||"is"===e&&bt.allowCustomizedBuiltInElements&&(bt.tagNameCheck instanceof RegExp&&b(bt.tagNameCheck,i)||bt.tagNameCheck instanceof Function&&bt.tagNameCheck(i))))return!1}else if(Rt[e]);else if(b(pt,m(i,ft,"")));else if("src"!==e&&"xlink:href"!==e&&"href"!==e||"script"===t||0!==y(i,"data:")||!zt[t])if(Tt&&!b(dt,m(i,ft,"")));else if(i)return!1;return!0},_e=function(t){return t.indexOf("-")>0},ve=function(t){xe("beforeSanitizeAttributes",t,null);const{attributes:e}=t;if(!e)return;const r={attrName:"",attrValue:"",keepAttr:!0,allowedAttributes:yt};let n=e.length;for(;n--;){const a=e[n],{name:s,namespaceURI:l,value:c}=a,d=ee(s);let f="value"===s?c:x(c);if(r.attrName=d,r.attrValue=f,r.keepAttr=!0,r.forceKeepAttr=void 0,xe("uponSanitizeAttribute",t,r),f=r.attrValue,r.forceKeepAttr)continue;if(fe(s,t),!r.keepAttr)continue;if(!wt&&b(/\/>/i,f)){fe(s,t);continue}St&&h([st,lt,ct],(t=>{f=m(f,t," ")}));const p=ee(t.nodeName);if(Ce(p,d,f)){if(!Zt||"id"!==d&&"name"!==d||(fe(s,t),f=jt+f),K&&"object"==typeof z&&"function"==typeof z.getAttributeType)if(l);else switch(z.getAttributeType(p,d)){case"TrustedHTML":f=K.createHTML(f);break;case"TrustedScriptURL":f=K.createScriptURL(f)}try{l?t.setAttributeNS(l,s,f):t.setAttribute(s,f),u(i.removed)}catch(o){}}}xe("afterSanitizeAttributes",t,null)},ke=function t(e){let i=null;const r=ge(e);for(xe("beforeSanitizeShadowDOM",e,null);i=r.nextNode();)xe("uponSanitizeShadowNode",i,null),be(i)||(i.content instanceof l&&t(i.content),ve(i));xe("afterSanitizeShadowDOM",e,null)};return i.sanitize=function(t){let e=arguments.length>1&&void 0!==arguments[1]?arguments[1]:{},r=null,o=null,a=null,s=null;if(Gt=!t,Gt&&(t="\x3c!--\x3e"),"string"!=typeof t&&!ye(t)){if("function"!=typeof t.toString)throw C("toString is not a function");if("string"!=typeof(t=t.toString()))throw C("dirty is not a string, aborting")}if(!i.isSupported)return t;if(Ft||oe(e),i.removed=[],"string"==typeof t&&(Ot=!1),Ot){if(t.nodeName){const e=ee(t.nodeName);if(!gt[e]||Ct[e])throw C("root node is forbidden and cannot be sanitized in-place")}}else if(t instanceof _)r=pe("\x3c!----\x3e"),o=r.ownerDocument.importNode(t,!0),1===o.nodeType&&"BODY"===o.nodeName||"HTML"===o.nodeName?r=o:r.appendChild(o);else{if(!At&&!St&&!Bt&&-1===t.indexOf("<"))return K&&Et?K.createHTML(t):t;if(r=pe(t),!r)return At?null:Et?tt:""}r&&Lt&&de(r.firstChild);const c=ge(Ot?t:r);for(;a=c.nextNode();)be(a)||(a.content instanceof l&&ke(a.content),ve(a));if(Ot)return t;if(At){if(Mt)for(s=rt.call(r.ownerDocument);r.firstChild;)s.appendChild(r.firstChild);else s=r;return(yt.shadowroot||yt.shadowrootmode)&&(s=ot.call(n,s,!0)),s}let u=Bt?r.outerHTML:r.innerHTML;return Bt&>["!doctype"]&&r.ownerDocument&&r.ownerDocument.doctype&&r.ownerDocument.doctype.name&&b(W,r.ownerDocument.doctype.name)&&(u="<!DOCTYPE "+r.ownerDocument.doctype.name+">\n"+u),St&&h([st,lt,ct],(t=>{u=m(u,t," ")})),K&&Et?K.createHTML(u):u},i.setConfig=function(){oe(arguments.length>0&&void 0!==arguments[0]?arguments[0]:{}),Ft=!0},i.clearConfig=function(){ie=null,Ft=!1},i.isValidAttribute=function(t,e,i){ie||oe({});const r=ee(t),n=ee(e);return Ce(r,n,i)},i.addHook=function(t,e){"function"==typeof e&&(at[t]=at[t]||[],d(at[t],e))},i.removeHook=function(t){if(at[t])return u(at[t])},i.removeHooks=function(t){at[t]&&(at[t]=[])},i.removeAllHooks=function(){at={}},i}return G()}()},7594:(t,e)=>{function i(t){let e,i=[];for(let r of t.split(",").map((t=>t.trim())))if(/^-?\d+$/.test(r))i.push(parseInt(r,10));else if(e=r.match(/^(-?\d+)(-|\.\.\.?|\u2025|\u2026|\u22EF)(-?\d+)$/)){let[t,r,n,o]=e;if(r&&o){r=parseInt(r),o=parseInt(o);const t=r<o?1:-1;"-"!==n&&".."!==n&&"\u2025"!==n||(o+=t);for(let e=r;e!==o;e+=t)i.push(e)}}return i}e.default=i,t.exports=i},8464:(t,e,i)=>{"use strict";function r(t){for(var e=[],i=1;i<arguments.length;i++)e[i-1]=arguments[i];var r=Array.from("string"==typeof t?[t]:t);r[r.length-1]=r[r.length-1].replace(/\r?\n([\t ]*)$/,"");var n=r.reduce((function(t,e){var i=e.match(/\n([\t ]+|(?!\s).)/g);return i?t.concat(i.map((function(t){var e,i;return null!==(i=null===(e=t.match(/[\t ]/g))||void 0===e?void 0:e.length)&&void 0!==i?i:0}))):t}),[]);if(n.length){var o=new RegExp("\n[\t ]{"+Math.min.apply(Math,n)+"}","g");r=r.map((function(t){return t.replace(o,"\n")}))}r[0]=r[0].replace(/^\r?\n/,"");var a=r[0];return e.forEach((function(t,e){var i=a.match(/(?:^|\n)( *)$/),n=i?i[1]:"",o=t;"string"==typeof t&&t.includes("\n")&&(o=String(t).split("\n").map((function(t,e){return 0===e?t:""+n+t})).join("\n")),a+=o+r[e+1]})),a}i.d(e,{Z:()=>r})},1151:(t,e,i)=>{"use strict";i.d(e,{Z:()=>s,a:()=>a});var r=i(7294);const n={},o=r.createContext(n);function a(t){const e=r.useContext(o);return r.useMemo((function(){return"function"==typeof t?t(e):{...e,...t}}),[e,t])}function s(t){let e;return e=t.disableParentContext?"function"==typeof t.components?t.components(n):t.components||n:a(t.components),r.createElement(o.Provider,{value:e},t.children)}},4218:(t,e,i)=>{"use strict";function r(t,e){let i;if(void 0===e)for(const r of t)null!=r&&(i<r||void 0===i&&r>=r)&&(i=r);else{let r=-1;for(let n of t)null!=(n=e(n,++r,t))&&(i<n||void 0===i&&n>=n)&&(i=n)}return i}function n(t,e){let i;if(void 0===e)for(const r of t)null!=r&&(i>r||void 0===i&&r>=r)&&(i=r);else{let r=-1;for(let n of t)null!=(n=e(n,++r,t))&&(i>n||void 0===i&&n>=n)&&(i=n)}return i}function o(t){return t}i.d(e,{Nb1:()=>cs,LLu:()=>x,F5q:()=>y,$0Z:()=>vs,Dts:()=>Ts,WQY:()=>Ss,qpX:()=>Fs,u93:()=>Ls,tFB:()=>Ms,YY7:()=>Zs,OvA:()=>Is,dCK:()=>Ds,zgE:()=>zs,fGX:()=>Rs,$m7:()=>Ws,c_6:()=>ds,fxm:()=>Ys,FdL:()=>el,ak_:()=>il,SxZ:()=>ol,eA_:()=>sl,jsv:()=>cl,iJ:()=>ll,JHv:()=>pr,jvg:()=>gs,Fp7:()=>r,VV$:()=>n,ve8:()=>xs,tiA:()=>kr,BYU:()=>mn,PKp:()=>vr,Xf:()=>Na,K2I:()=>Za,Ys:()=>ja,td_:()=>Ia,YPS:()=>Yi,rr1:()=>Nn,i$Z:()=>uo,y2j:()=>Pn,WQD:()=>Mn,U8T:()=>Bn,Z_i:()=>Ln,Ox9:()=>Dn,F0B:()=>Qn,LqH:()=>Rn,S1K:()=>Fn,Zyz:()=>On,Igq:()=>zn,YDX:()=>qn,EFj:()=>$n});var a=1,s=2,l=3,c=4,h=1e-6;function u(t){return"translate("+t+",0)"}function d(t){return"translate(0,"+t+")"}function f(t){return e=>+t(e)}function p(t,e){return e=Math.max(0,t.bandwidth()-2*e)/2,t.round()&&(e=Math.round(e)),i=>+t(i)+e}function g(){return!this.__axis}function m(t,e){var i=[],r=null,n=null,m=6,y=6,x=3,b="undefined"!=typeof window&&window.devicePixelRatio>1?0:.5,C=t===a||t===c?-1:1,_=t===c||t===s?"x":"y",v=t===a||t===l?u:d;function k(u){var d=null==r?e.ticks?e.ticks.apply(e,i):e.domain():r,k=null==n?e.tickFormat?e.tickFormat.apply(e,i):o:n,T=Math.max(m,0)+x,w=e.range(),S=+w[0]+b,B=+w[w.length-1]+b,F=(e.bandwidth?p:f)(e.copy(),b),L=u.selection?u.selection():u,A=L.selectAll(".domain").data([null]),M=L.selectAll(".tick").data(d,e).order(),E=M.exit(),N=M.enter().append("g").attr("class","tick"),Z=M.select("line"),j=M.select("text");A=A.merge(A.enter().insert("path",".tick").attr("class","domain").attr("stroke","currentColor")),M=M.merge(N),Z=Z.merge(N.append("line").attr("stroke","currentColor").attr(_+"2",C*m)),j=j.merge(N.append("text").attr("fill","currentColor").attr(_,C*T).attr("dy",t===a?"0em":t===l?"0.71em":"0.32em")),u!==L&&(A=A.transition(u),M=M.transition(u),Z=Z.transition(u),j=j.transition(u),E=E.transition(u).attr("opacity",h).attr("transform",(function(t){return isFinite(t=F(t))?v(t+b):this.getAttribute("transform")})),N.attr("opacity",h).attr("transform",(function(t){var e=this.parentNode.__axis;return v((e&&isFinite(e=e(t))?e:F(t))+b)}))),E.remove(),A.attr("d",t===c||t===s?y?"M"+C*y+","+S+"H"+b+"V"+B+"H"+C*y:"M"+b+","+S+"V"+B:y?"M"+S+","+C*y+"V"+b+"H"+B+"V"+C*y:"M"+S+","+b+"H"+B),M.attr("opacity",1).attr("transform",(function(t){return v(F(t)+b)})),Z.attr(_+"2",C*m),j.attr(_,C*T).text(k),L.filter(g).attr("fill","none").attr("font-size",10).attr("font-family","sans-serif").attr("text-anchor",t===s?"start":t===c?"end":"middle"),L.each((function(){this.__axis=F}))}return k.scale=function(t){return arguments.length?(e=t,k):e},k.ticks=function(){return i=Array.from(arguments),k},k.tickArguments=function(t){return arguments.length?(i=null==t?[]:Array.from(t),k):i.slice()},k.tickValues=function(t){return arguments.length?(r=null==t?null:Array.from(t),k):r&&r.slice()},k.tickFormat=function(t){return arguments.length?(n=t,k):n},k.tickSize=function(t){return arguments.length?(m=y=+t,k):m},k.tickSizeInner=function(t){return arguments.length?(m=+t,k):m},k.tickSizeOuter=function(t){return arguments.length?(y=+t,k):y},k.tickPadding=function(t){return arguments.length?(x=+t,k):x},k.offset=function(t){return arguments.length?(b=+t,k):b},k}function y(t){return m(a,t)}function x(t){return m(l,t)}function b(){}function C(t){return null==t?b:function(){return this.querySelector(t)}}function _(t){return null==t?[]:Array.isArray(t)?t:Array.from(t)}function v(){return[]}function k(t){return null==t?v:function(){return this.querySelectorAll(t)}}function T(t){return function(){return this.matches(t)}}function w(t){return function(e){return e.matches(t)}}var S=Array.prototype.find;function B(){return this.firstElementChild}var F=Array.prototype.filter;function L(){return Array.from(this.children)}function A(t){return new Array(t.length)}function M(t,e){this.ownerDocument=t.ownerDocument,this.namespaceURI=t.namespaceURI,this._next=null,this._parent=t,this.__data__=e}function E(t,e,i,r,n,o){for(var a,s=0,l=e.length,c=o.length;s<c;++s)(a=e[s])?(a.__data__=o[s],r[s]=a):i[s]=new M(t,o[s]);for(;s<l;++s)(a=e[s])&&(n[s]=a)}function N(t,e,i,r,n,o,a){var s,l,c,h=new Map,u=e.length,d=o.length,f=new Array(u);for(s=0;s<u;++s)(l=e[s])&&(f[s]=c=a.call(l,l.__data__,s,e)+"",h.has(c)?n[s]=l:h.set(c,l));for(s=0;s<d;++s)c=a.call(t,o[s],s,o)+"",(l=h.get(c))?(r[s]=l,l.__data__=o[s],h.delete(c)):i[s]=new M(t,o[s]);for(s=0;s<u;++s)(l=e[s])&&h.get(f[s])===l&&(n[s]=l)}function Z(t){return t.__data__}function j(t){return"object"==typeof t&&"length"in t?t:Array.from(t)}function I(t,e){return t<e?-1:t>e?1:t>=e?0:NaN}M.prototype={constructor:M,appendChild:function(t){return this._parent.insertBefore(t,this._next)},insertBefore:function(t,e){return this._parent.insertBefore(t,e)},querySelector:function(t){return this._parent.querySelector(t)},querySelectorAll:function(t){return this._parent.querySelectorAll(t)}};var O="http://www.w3.org/1999/xhtml";const D={svg:"http://www.w3.org/2000/svg",xhtml:O,xlink:"http://www.w3.org/1999/xlink",xml:"http://www.w3.org/XML/1998/namespace",xmlns:"http://www.w3.org/2000/xmlns/"};function q(t){var e=t+="",i=e.indexOf(":");return i>=0&&"xmlns"!==(e=t.slice(0,i))&&(t=t.slice(i+1)),D.hasOwnProperty(e)?{space:D[e],local:t}:t}function $(t){return function(){this.removeAttribute(t)}}function z(t){return function(){this.removeAttributeNS(t.space,t.local)}}function P(t,e){return function(){this.setAttribute(t,e)}}function R(t,e){return function(){this.setAttributeNS(t.space,t.local,e)}}function H(t,e){return function(){var i=e.apply(this,arguments);null==i?this.removeAttribute(t):this.setAttribute(t,i)}}function W(t,e){return function(){var i=e.apply(this,arguments);null==i?this.removeAttributeNS(t.space,t.local):this.setAttributeNS(t.space,t.local,i)}}function U(t){return t.ownerDocument&&t.ownerDocument.defaultView||t.document&&t||t.defaultView}function Y(t){return function(){this.style.removeProperty(t)}}function V(t,e,i){return function(){this.style.setProperty(t,e,i)}}function G(t,e,i){return function(){var r=e.apply(this,arguments);null==r?this.style.removeProperty(t):this.style.setProperty(t,r,i)}}function X(t,e){return t.style.getPropertyValue(e)||U(t).getComputedStyle(t,null).getPropertyValue(e)}function J(t){return function(){delete this[t]}}function Q(t,e){return function(){this[t]=e}}function K(t,e){return function(){var i=e.apply(this,arguments);null==i?delete this[t]:this[t]=i}}function tt(t){return t.trim().split(/^|\s+/)}function et(t){return t.classList||new it(t)}function it(t){this._node=t,this._names=tt(t.getAttribute("class")||"")}function rt(t,e){for(var i=et(t),r=-1,n=e.length;++r<n;)i.add(e[r])}function nt(t,e){for(var i=et(t),r=-1,n=e.length;++r<n;)i.remove(e[r])}function ot(t){return function(){rt(this,t)}}function at(t){return function(){nt(this,t)}}function st(t,e){return function(){(e.apply(this,arguments)?rt:nt)(this,t)}}function lt(){this.textContent=""}function ct(t){return function(){this.textContent=t}}function ht(t){return function(){var e=t.apply(this,arguments);this.textContent=null==e?"":e}}function ut(){this.innerHTML=""}function dt(t){return function(){this.innerHTML=t}}function ft(t){return function(){var e=t.apply(this,arguments);this.innerHTML=null==e?"":e}}function pt(){this.nextSibling&&this.parentNode.appendChild(this)}function gt(){this.previousSibling&&this.parentNode.insertBefore(this,this.parentNode.firstChild)}function mt(t){return function(){var e=this.ownerDocument,i=this.namespaceURI;return i===O&&e.documentElement.namespaceURI===O?e.createElement(t):e.createElementNS(i,t)}}function yt(t){return function(){return this.ownerDocument.createElementNS(t.space,t.local)}}function xt(t){var e=q(t);return(e.local?yt:mt)(e)}function bt(){return null}function Ct(){var t=this.parentNode;t&&t.removeChild(this)}function _t(){var t=this.cloneNode(!1),e=this.parentNode;return e?e.insertBefore(t,this.nextSibling):t}function vt(){var t=this.cloneNode(!0),e=this.parentNode;return e?e.insertBefore(t,this.nextSibling):t}function kt(t){return function(){var e=this.__on;if(e){for(var i,r=0,n=-1,o=e.length;r<o;++r)i=e[r],t.type&&i.type!==t.type||i.name!==t.name?e[++n]=i:this.removeEventListener(i.type,i.listener,i.options);++n?e.length=n:delete this.__on}}}function Tt(t,e,i){return function(){var r,n=this.__on,o=function(t){return function(e){t.call(this,e,this.__data__)}}(e);if(n)for(var a=0,s=n.length;a<s;++a)if((r=n[a]).type===t.type&&r.name===t.name)return this.removeEventListener(r.type,r.listener,r.options),this.addEventListener(r.type,r.listener=o,r.options=i),void(r.value=e);this.addEventListener(t.type,o,i),r={type:t.type,name:t.name,value:e,listener:o,options:i},n?n.push(r):this.__on=[r]}}function wt(t,e,i){var r=U(t),n=r.CustomEvent;"function"==typeof n?n=new n(e,i):(n=r.document.createEvent("Event"),i?(n.initEvent(e,i.bubbles,i.cancelable),n.detail=i.detail):n.initEvent(e,!1,!1)),t.dispatchEvent(n)}function St(t,e){return function(){return wt(this,t,e)}}function Bt(t,e){return function(){return wt(this,t,e.apply(this,arguments))}}it.prototype={add:function(t){this._names.indexOf(t)<0&&(this._names.push(t),this._node.setAttribute("class",this._names.join(" ")))},remove:function(t){var e=this._names.indexOf(t);e>=0&&(this._names.splice(e,1),this._node.setAttribute("class",this._names.join(" ")))},contains:function(t){return this._names.indexOf(t)>=0}};var Ft=[null];function Lt(t,e){this._groups=t,this._parents=e}function At(){return new Lt([[document.documentElement]],Ft)}Lt.prototype=At.prototype={constructor:Lt,select:function(t){"function"!=typeof t&&(t=C(t));for(var e=this._groups,i=e.length,r=new Array(i),n=0;n<i;++n)for(var o,a,s=e[n],l=s.length,c=r[n]=new Array(l),h=0;h<l;++h)(o=s[h])&&(a=t.call(o,o.__data__,h,s))&&("__data__"in o&&(a.__data__=o.__data__),c[h]=a);return new Lt(r,this._parents)},selectAll:function(t){t="function"==typeof t?function(t){return function(){return _(t.apply(this,arguments))}}(t):k(t);for(var e=this._groups,i=e.length,r=[],n=[],o=0;o<i;++o)for(var a,s=e[o],l=s.length,c=0;c<l;++c)(a=s[c])&&(r.push(t.call(a,a.__data__,c,s)),n.push(a));return new Lt(r,n)},selectChild:function(t){return this.select(null==t?B:function(t){return function(){return S.call(this.children,t)}}("function"==typeof t?t:w(t)))},selectChildren:function(t){return this.selectAll(null==t?L:function(t){return function(){return F.call(this.children,t)}}("function"==typeof t?t:w(t)))},filter:function(t){"function"!=typeof t&&(t=T(t));for(var e=this._groups,i=e.length,r=new Array(i),n=0;n<i;++n)for(var o,a=e[n],s=a.length,l=r[n]=[],c=0;c<s;++c)(o=a[c])&&t.call(o,o.__data__,c,a)&&l.push(o);return new Lt(r,this._parents)},data:function(t,e){if(!arguments.length)return Array.from(this,Z);var i,r=e?N:E,n=this._parents,o=this._groups;"function"!=typeof t&&(i=t,t=function(){return i});for(var a=o.length,s=new Array(a),l=new Array(a),c=new Array(a),h=0;h<a;++h){var u=n[h],d=o[h],f=d.length,p=j(t.call(u,u&&u.__data__,h,n)),g=p.length,m=l[h]=new Array(g),y=s[h]=new Array(g);r(u,d,m,y,c[h]=new Array(f),p,e);for(var x,b,C=0,_=0;C<g;++C)if(x=m[C]){for(C>=_&&(_=C+1);!(b=y[_])&&++_<g;);x._next=b||null}}return(s=new Lt(s,n))._enter=l,s._exit=c,s},enter:function(){return new Lt(this._enter||this._groups.map(A),this._parents)},exit:function(){return new Lt(this._exit||this._groups.map(A),this._parents)},join:function(t,e,i){var r=this.enter(),n=this,o=this.exit();return"function"==typeof t?(r=t(r))&&(r=r.selection()):r=r.append(t+""),null!=e&&(n=e(n))&&(n=n.selection()),null==i?o.remove():i(o),r&&n?r.merge(n).order():n},merge:function(t){for(var e=t.selection?t.selection():t,i=this._groups,r=e._groups,n=i.length,o=r.length,a=Math.min(n,o),s=new Array(n),l=0;l<a;++l)for(var c,h=i[l],u=r[l],d=h.length,f=s[l]=new Array(d),p=0;p<d;++p)(c=h[p]||u[p])&&(f[p]=c);for(;l<n;++l)s[l]=i[l];return new Lt(s,this._parents)},selection:function(){return this},order:function(){for(var t=this._groups,e=-1,i=t.length;++e<i;)for(var r,n=t[e],o=n.length-1,a=n[o];--o>=0;)(r=n[o])&&(a&&4^r.compareDocumentPosition(a)&&a.parentNode.insertBefore(r,a),a=r);return this},sort:function(t){function e(e,i){return e&&i?t(e.__data__,i.__data__):!e-!i}t||(t=I);for(var i=this._groups,r=i.length,n=new Array(r),o=0;o<r;++o){for(var a,s=i[o],l=s.length,c=n[o]=new Array(l),h=0;h<l;++h)(a=s[h])&&(c[h]=a);c.sort(e)}return new Lt(n,this._parents).order()},call:function(){var t=arguments[0];return arguments[0]=this,t.apply(null,arguments),this},nodes:function(){return Array.from(this)},node:function(){for(var t=this._groups,e=0,i=t.length;e<i;++e)for(var r=t[e],n=0,o=r.length;n<o;++n){var a=r[n];if(a)return a}return null},size:function(){let t=0;for(const e of this)++t;return t},empty:function(){return!this.node()},each:function(t){for(var e=this._groups,i=0,r=e.length;i<r;++i)for(var n,o=e[i],a=0,s=o.length;a<s;++a)(n=o[a])&&t.call(n,n.__data__,a,o);return this},attr:function(t,e){var i=q(t);if(arguments.length<2){var r=this.node();return i.local?r.getAttributeNS(i.space,i.local):r.getAttribute(i)}return this.each((null==e?i.local?z:$:"function"==typeof e?i.local?W:H:i.local?R:P)(i,e))},style:function(t,e,i){return arguments.length>1?this.each((null==e?Y:"function"==typeof e?G:V)(t,e,null==i?"":i)):X(this.node(),t)},property:function(t,e){return arguments.length>1?this.each((null==e?J:"function"==typeof e?K:Q)(t,e)):this.node()[t]},classed:function(t,e){var i=tt(t+"");if(arguments.length<2){for(var r=et(this.node()),n=-1,o=i.length;++n<o;)if(!r.contains(i[n]))return!1;return!0}return this.each(("function"==typeof e?st:e?ot:at)(i,e))},text:function(t){return arguments.length?this.each(null==t?lt:("function"==typeof t?ht:ct)(t)):this.node().textContent},html:function(t){return arguments.length?this.each(null==t?ut:("function"==typeof t?ft:dt)(t)):this.node().innerHTML},raise:function(){return this.each(pt)},lower:function(){return this.each(gt)},append:function(t){var e="function"==typeof t?t:xt(t);return this.select((function(){return this.appendChild(e.apply(this,arguments))}))},insert:function(t,e){var i="function"==typeof t?t:xt(t),r=null==e?bt:"function"==typeof e?e:C(e);return this.select((function(){return this.insertBefore(i.apply(this,arguments),r.apply(this,arguments)||null)}))},remove:function(){return this.each(Ct)},clone:function(t){return this.select(t?vt:_t)},datum:function(t){return arguments.length?this.property("__data__",t):this.node().__data__},on:function(t,e,i){var r,n,o=function(t){return t.trim().split(/^|\s+/).map((function(t){var e="",i=t.indexOf(".");return i>=0&&(e=t.slice(i+1),t=t.slice(0,i)),{type:t,name:e}}))}(t+""),a=o.length;if(!(arguments.length<2)){for(s=e?Tt:kt,r=0;r<a;++r)this.each(s(o[r],e,i));return this}var s=this.node().__on;if(s)for(var l,c=0,h=s.length;c<h;++c)for(r=0,l=s[c];r<a;++r)if((n=o[r]).type===l.type&&n.name===l.name)return l.value},dispatch:function(t,e){return this.each(("function"==typeof e?Bt:St)(t,e))},[Symbol.iterator]:function*(){for(var t=this._groups,e=0,i=t.length;e<i;++e)for(var r,n=t[e],o=0,a=n.length;o<a;++o)(r=n[o])&&(yield r)}};const Mt=At;var Et={value:()=>{}};function Nt(){for(var t,e=0,i=arguments.length,r={};e<i;++e){if(!(t=arguments[e]+"")||t in r||/[\s.]/.test(t))throw new Error("illegal type: "+t);r[t]=[]}return new Zt(r)}function Zt(t){this._=t}function jt(t,e){for(var i,r=0,n=t.length;r<n;++r)if((i=t[r]).name===e)return i.value}function It(t,e,i){for(var r=0,n=t.length;r<n;++r)if(t[r].name===e){t[r]=Et,t=t.slice(0,r).concat(t.slice(r+1));break}return null!=i&&t.push({name:e,value:i}),t}Zt.prototype=Nt.prototype={constructor:Zt,on:function(t,e){var i,r,n=this._,o=(r=n,(t+"").trim().split(/^|\s+/).map((function(t){var e="",i=t.indexOf(".");if(i>=0&&(e=t.slice(i+1),t=t.slice(0,i)),t&&!r.hasOwnProperty(t))throw new Error("unknown type: "+t);return{type:t,name:e}}))),a=-1,s=o.length;if(!(arguments.length<2)){if(null!=e&&"function"!=typeof e)throw new Error("invalid callback: "+e);for(;++a<s;)if(i=(t=o[a]).type)n[i]=It(n[i],t.name,e);else if(null==e)for(i in n)n[i]=It(n[i],t.name,null);return this}for(;++a<s;)if((i=(t=o[a]).type)&&(i=jt(n[i],t.name)))return i},copy:function(){var t={},e=this._;for(var i in e)t[i]=e[i].slice();return new Zt(t)},call:function(t,e){if((i=arguments.length-2)>0)for(var i,r,n=new Array(i),o=0;o<i;++o)n[o]=arguments[o+2];if(!this._.hasOwnProperty(t))throw new Error("unknown type: "+t);for(o=0,i=(r=this._[t]).length;o<i;++o)r[o].value.apply(e,n)},apply:function(t,e,i){if(!this._.hasOwnProperty(t))throw new Error("unknown type: "+t);for(var r=this._[t],n=0,o=r.length;n<o;++n)r[n].value.apply(e,i)}};const Ot=Nt;var Dt,qt,$t=0,zt=0,Pt=0,Rt=1e3,Ht=0,Wt=0,Ut=0,Yt="object"==typeof performance&&performance.now?performance:Date,Vt="object"==typeof window&&window.requestAnimationFrame?window.requestAnimationFrame.bind(window):function(t){setTimeout(t,17)};function Gt(){return Wt||(Vt(Xt),Wt=Yt.now()+Ut)}function Xt(){Wt=0}function Jt(){this._call=this._time=this._next=null}function Qt(t,e,i){var r=new Jt;return r.restart(t,e,i),r}function Kt(){Wt=(Ht=Yt.now())+Ut,$t=zt=0;try{!function(){Gt(),++$t;for(var t,e=Dt;e;)(t=Wt-e._time)>=0&&e._call.call(void 0,t),e=e._next;--$t}()}finally{$t=0,function(){var t,e,i=Dt,r=1/0;for(;i;)i._call?(r>i._time&&(r=i._time),t=i,i=i._next):(e=i._next,i._next=null,i=t?t._next=e:Dt=e);qt=t,ee(r)}(),Wt=0}}function te(){var t=Yt.now(),e=t-Ht;e>Rt&&(Ut-=e,Ht=t)}function ee(t){$t||(zt&&(zt=clearTimeout(zt)),t-Wt>24?(t<1/0&&(zt=setTimeout(Kt,t-Yt.now()-Ut)),Pt&&(Pt=clearInterval(Pt))):(Pt||(Ht=Yt.now(),Pt=setInterval(te,Rt)),$t=1,Vt(Kt)))}function ie(t,e,i){var r=new Jt;return e=null==e?0:+e,r.restart((i=>{r.stop(),t(i+e)}),e,i),r}Jt.prototype=Qt.prototype={constructor:Jt,restart:function(t,e,i){if("function"!=typeof t)throw new TypeError("callback is not a function");i=(null==i?Gt():+i)+(null==e?0:+e),this._next||qt===this||(qt?qt._next=this:Dt=this,qt=this),this._call=t,this._time=i,ee()},stop:function(){this._call&&(this._call=null,this._time=1/0,ee())}};var re=Ot("start","end","cancel","interrupt"),ne=[],oe=0,ae=1,se=2,le=3,ce=4,he=5,ue=6;function de(t,e,i,r,n,o){var a=t.__transition;if(a){if(i in a)return}else t.__transition={};!function(t,e,i){var r,n=t.__transition;function o(t){i.state=ae,i.timer.restart(a,i.delay,i.time),i.delay<=t&&a(t-i.delay)}function a(o){var c,h,u,d;if(i.state!==ae)return l();for(c in n)if((d=n[c]).name===i.name){if(d.state===le)return ie(a);d.state===ce?(d.state=ue,d.timer.stop(),d.on.call("interrupt",t,t.__data__,d.index,d.group),delete n[c]):+c<e&&(d.state=ue,d.timer.stop(),d.on.call("cancel",t,t.__data__,d.index,d.group),delete n[c])}if(ie((function(){i.state===le&&(i.state=ce,i.timer.restart(s,i.delay,i.time),s(o))})),i.state=se,i.on.call("start",t,t.__data__,i.index,i.group),i.state===se){for(i.state=le,r=new Array(u=i.tween.length),c=0,h=-1;c<u;++c)(d=i.tween[c].value.call(t,t.__data__,i.index,i.group))&&(r[++h]=d);r.length=h+1}}function s(e){for(var n=e<i.duration?i.ease.call(null,e/i.duration):(i.timer.restart(l),i.state=he,1),o=-1,a=r.length;++o<a;)r[o].call(t,n);i.state===he&&(i.on.call("end",t,t.__data__,i.index,i.group),l())}function l(){for(var r in i.state=ue,i.timer.stop(),delete n[e],n)return;delete t.__transition}n[e]=i,i.timer=Qt(o,0,i.time)}(t,i,{name:e,index:r,group:n,on:re,tween:ne,time:o.time,delay:o.delay,duration:o.duration,ease:o.ease,timer:null,state:oe})}function fe(t,e){var i=ge(t,e);if(i.state>oe)throw new Error("too late; already scheduled");return i}function pe(t,e){var i=ge(t,e);if(i.state>le)throw new Error("too late; already running");return i}function ge(t,e){var i=t.__transition;if(!i||!(i=i[e]))throw new Error("transition not found");return i}function me(t,e){return t=+t,e=+e,function(i){return t*(1-i)+e*i}}var ye,xe=180/Math.PI,be={translateX:0,translateY:0,rotate:0,skewX:0,scaleX:1,scaleY:1};function Ce(t,e,i,r,n,o){var a,s,l;return(a=Math.sqrt(t*t+e*e))&&(t/=a,e/=a),(l=t*i+e*r)&&(i-=t*l,r-=e*l),(s=Math.sqrt(i*i+r*r))&&(i/=s,r/=s,l/=s),t*r<e*i&&(t=-t,e=-e,l=-l,a=-a),{translateX:n,translateY:o,rotate:Math.atan2(e,t)*xe,skewX:Math.atan(l)*xe,scaleX:a,scaleY:s}}function _e(t,e,i,r){function n(t){return t.length?t.pop()+" ":""}return function(o,a){var s=[],l=[];return o=t(o),a=t(a),function(t,r,n,o,a,s){if(t!==n||r!==o){var l=a.push("translate(",null,e,null,i);s.push({i:l-4,x:me(t,n)},{i:l-2,x:me(r,o)})}else(n||o)&&a.push("translate("+n+e+o+i)}(o.translateX,o.translateY,a.translateX,a.translateY,s,l),function(t,e,i,o){t!==e?(t-e>180?e+=360:e-t>180&&(t+=360),o.push({i:i.push(n(i)+"rotate(",null,r)-2,x:me(t,e)})):e&&i.push(n(i)+"rotate("+e+r)}(o.rotate,a.rotate,s,l),function(t,e,i,o){t!==e?o.push({i:i.push(n(i)+"skewX(",null,r)-2,x:me(t,e)}):e&&i.push(n(i)+"skewX("+e+r)}(o.skewX,a.skewX,s,l),function(t,e,i,r,o,a){if(t!==i||e!==r){var s=o.push(n(o)+"scale(",null,",",null,")");a.push({i:s-4,x:me(t,i)},{i:s-2,x:me(e,r)})}else 1===i&&1===r||o.push(n(o)+"scale("+i+","+r+")")}(o.scaleX,o.scaleY,a.scaleX,a.scaleY,s,l),o=a=null,function(t){for(var e,i=-1,r=l.length;++i<r;)s[(e=l[i]).i]=e.x(t);return s.join("")}}}var ve=_e((function(t){const e=new("function"==typeof DOMMatrix?DOMMatrix:WebKitCSSMatrix)(t+"");return e.isIdentity?be:Ce(e.a,e.b,e.c,e.d,e.e,e.f)}),"px, ","px)","deg)"),ke=_e((function(t){return null==t?be:(ye||(ye=document.createElementNS("http://www.w3.org/2000/svg","g")),ye.setAttribute("transform",t),(t=ye.transform.baseVal.consolidate())?Ce((t=t.matrix).a,t.b,t.c,t.d,t.e,t.f):be)}),", ",")",")");function Te(t,e){var i,r;return function(){var n=pe(this,t),o=n.tween;if(o!==i)for(var a=0,s=(r=i=o).length;a<s;++a)if(r[a].name===e){(r=r.slice()).splice(a,1);break}n.tween=r}}function we(t,e,i){var r,n;if("function"!=typeof i)throw new Error;return function(){var o=pe(this,t),a=o.tween;if(a!==r){n=(r=a).slice();for(var s={name:e,value:i},l=0,c=n.length;l<c;++l)if(n[l].name===e){n[l]=s;break}l===c&&n.push(s)}o.tween=n}}function Se(t,e,i){var r=t._id;return t.each((function(){var t=pe(this,r);(t.value||(t.value={}))[e]=i.apply(this,arguments)})),function(t){return ge(t,r).value[e]}}function Be(t,e,i){t.prototype=e.prototype=i,i.constructor=t}function Fe(t,e){var i=Object.create(t.prototype);for(var r in e)i[r]=e[r];return i}function Le(){}var Ae=.7,Me=1/Ae,Ee="\\s*([+-]?\\d+)\\s*",Ne="\\s*([+-]?(?:\\d*\\.)?\\d+(?:[eE][+-]?\\d+)?)\\s*",Ze="\\s*([+-]?(?:\\d*\\.)?\\d+(?:[eE][+-]?\\d+)?)%\\s*",je=/^#([0-9a-f]{3,8})$/,Ie=new RegExp(`^rgb\\(${Ee},${Ee},${Ee}\\)$`),Oe=new RegExp(`^rgb\\(${Ze},${Ze},${Ze}\\)$`),De=new RegExp(`^rgba\\(${Ee},${Ee},${Ee},${Ne}\\)$`),qe=new RegExp(`^rgba\\(${Ze},${Ze},${Ze},${Ne}\\)$`),$e=new RegExp(`^hsl\\(${Ne},${Ze},${Ze}\\)$`),ze=new RegExp(`^hsla\\(${Ne},${Ze},${Ze},${Ne}\\)$`),Pe={aliceblue:15792383,antiquewhite:16444375,aqua:65535,aquamarine:8388564,azure:15794175,beige:16119260,bisque:16770244,black:0,blanchedalmond:16772045,blue:255,blueviolet:9055202,brown:10824234,burlywood:14596231,cadetblue:6266528,chartreuse:8388352,chocolate:13789470,coral:16744272,cornflowerblue:6591981,cornsilk:16775388,crimson:14423100,cyan:65535,darkblue:139,darkcyan:35723,darkgoldenrod:12092939,darkgray:11119017,darkgreen:25600,darkgrey:11119017,darkkhaki:12433259,darkmagenta:9109643,darkolivegreen:5597999,darkorange:16747520,darkorchid:10040012,darkred:9109504,darksalmon:15308410,darkseagreen:9419919,darkslateblue:4734347,darkslategray:3100495,darkslategrey:3100495,darkturquoise:52945,darkviolet:9699539,deeppink:16716947,deepskyblue:49151,dimgray:6908265,dimgrey:6908265,dodgerblue:2003199,firebrick:11674146,floralwhite:16775920,forestgreen:2263842,fuchsia:16711935,gainsboro:14474460,ghostwhite:16316671,gold:16766720,goldenrod:14329120,gray:8421504,green:32768,greenyellow:11403055,grey:8421504,honeydew:15794160,hotpink:16738740,indianred:13458524,indigo:4915330,ivory:16777200,khaki:15787660,lavender:15132410,lavenderblush:16773365,lawngreen:8190976,lemonchiffon:16775885,lightblue:11393254,lightcoral:15761536,lightcyan:14745599,lightgoldenrodyellow:16448210,lightgray:13882323,lightgreen:9498256,lightgrey:13882323,lightpink:16758465,lightsalmon:16752762,lightseagreen:2142890,lightskyblue:8900346,lightslategray:7833753,lightslategrey:7833753,lightsteelblue:11584734,lightyellow:16777184,lime:65280,limegreen:3329330,linen:16445670,magenta:16711935,maroon:8388608,mediumaquamarine:6737322,mediumblue:205,mediumorchid:12211667,mediumpurple:9662683,mediumseagreen:3978097,mediumslateblue:8087790,mediumspringgreen:64154,mediumturquoise:4772300,mediumvioletred:13047173,midnightblue:1644912,mintcream:16121850,mistyrose:16770273,moccasin:16770229,navajowhite:16768685,navy:128,oldlace:16643558,olive:8421376,olivedrab:7048739,orange:16753920,orangered:16729344,orchid:14315734,palegoldenrod:15657130,palegreen:10025880,paleturquoise:11529966,palevioletred:14381203,papayawhip:16773077,peachpuff:16767673,peru:13468991,pink:16761035,plum:14524637,powderblue:11591910,purple:8388736,rebeccapurple:6697881,red:16711680,rosybrown:12357519,royalblue:4286945,saddlebrown:9127187,salmon:16416882,sandybrown:16032864,seagreen:3050327,seashell:16774638,sienna:10506797,silver:12632256,skyblue:8900331,slateblue:6970061,slategray:7372944,slategrey:7372944,snow:16775930,springgreen:65407,steelblue:4620980,tan:13808780,teal:32896,thistle:14204888,tomato:16737095,turquoise:4251856,violet:15631086,wheat:16113331,white:16777215,whitesmoke:16119285,yellow:16776960,yellowgreen:10145074};function Re(){return this.rgb().formatHex()}function He(){return this.rgb().formatRgb()}function We(t){var e,i;return t=(t+"").trim().toLowerCase(),(e=je.exec(t))?(i=e[1].length,e=parseInt(e[1],16),6===i?Ue(e):3===i?new Xe(e>>8&15|e>>4&240,e>>4&15|240&e,(15&e)<<4|15&e,1):8===i?Ye(e>>24&255,e>>16&255,e>>8&255,(255&e)/255):4===i?Ye(e>>12&15|e>>8&240,e>>8&15|e>>4&240,e>>4&15|240&e,((15&e)<<4|15&e)/255):null):(e=Ie.exec(t))?new Xe(e[1],e[2],e[3],1):(e=Oe.exec(t))?new Xe(255*e[1]/100,255*e[2]/100,255*e[3]/100,1):(e=De.exec(t))?Ye(e[1],e[2],e[3],e[4]):(e=qe.exec(t))?Ye(255*e[1]/100,255*e[2]/100,255*e[3]/100,e[4]):(e=$e.exec(t))?ii(e[1],e[2]/100,e[3]/100,1):(e=ze.exec(t))?ii(e[1],e[2]/100,e[3]/100,e[4]):Pe.hasOwnProperty(t)?Ue(Pe[t]):"transparent"===t?new Xe(NaN,NaN,NaN,0):null}function Ue(t){return new Xe(t>>16&255,t>>8&255,255&t,1)}function Ye(t,e,i,r){return r<=0&&(t=e=i=NaN),new Xe(t,e,i,r)}function Ve(t){return t instanceof Le||(t=We(t)),t?new Xe((t=t.rgb()).r,t.g,t.b,t.opacity):new Xe}function Ge(t,e,i,r){return 1===arguments.length?Ve(t):new Xe(t,e,i,null==r?1:r)}function Xe(t,e,i,r){this.r=+t,this.g=+e,this.b=+i,this.opacity=+r}function Je(){return`#${ei(this.r)}${ei(this.g)}${ei(this.b)}`}function Qe(){const t=Ke(this.opacity);return`${1===t?"rgb(":"rgba("}${ti(this.r)}, ${ti(this.g)}, ${ti(this.b)}${1===t?")":`, ${t})`}`}function Ke(t){return isNaN(t)?1:Math.max(0,Math.min(1,t))}function ti(t){return Math.max(0,Math.min(255,Math.round(t)||0))}function ei(t){return((t=ti(t))<16?"0":"")+t.toString(16)}function ii(t,e,i,r){return r<=0?t=e=i=NaN:i<=0||i>=1?t=e=NaN:e<=0&&(t=NaN),new ni(t,e,i,r)}function ri(t){if(t instanceof ni)return new ni(t.h,t.s,t.l,t.opacity);if(t instanceof Le||(t=We(t)),!t)return new ni;if(t instanceof ni)return t;var e=(t=t.rgb()).r/255,i=t.g/255,r=t.b/255,n=Math.min(e,i,r),o=Math.max(e,i,r),a=NaN,s=o-n,l=(o+n)/2;return s?(a=e===o?(i-r)/s+6*(i<r):i===o?(r-e)/s+2:(e-i)/s+4,s/=l<.5?o+n:2-o-n,a*=60):s=l>0&&l<1?0:a,new ni(a,s,l,t.opacity)}function ni(t,e,i,r){this.h=+t,this.s=+e,this.l=+i,this.opacity=+r}function oi(t){return(t=(t||0)%360)<0?t+360:t}function ai(t){return Math.max(0,Math.min(1,t||0))}function si(t,e,i){return 255*(t<60?e+(i-e)*t/60:t<180?i:t<240?e+(i-e)*(240-t)/60:e)}function li(t,e,i,r,n){var o=t*t,a=o*t;return((1-3*t+3*o-a)*e+(4-6*o+3*a)*i+(1+3*t+3*o-3*a)*r+a*n)/6}Be(Le,We,{copy(t){return Object.assign(new this.constructor,this,t)},displayable(){return this.rgb().displayable()},hex:Re,formatHex:Re,formatHex8:function(){return this.rgb().formatHex8()},formatHsl:function(){return ri(this).formatHsl()},formatRgb:He,toString:He}),Be(Xe,Ge,Fe(Le,{brighter(t){return t=null==t?Me:Math.pow(Me,t),new Xe(this.r*t,this.g*t,this.b*t,this.opacity)},darker(t){return t=null==t?Ae:Math.pow(Ae,t),new Xe(this.r*t,this.g*t,this.b*t,this.opacity)},rgb(){return this},clamp(){return new Xe(ti(this.r),ti(this.g),ti(this.b),Ke(this.opacity))},displayable(){return-.5<=this.r&&this.r<255.5&&-.5<=this.g&&this.g<255.5&&-.5<=this.b&&this.b<255.5&&0<=this.opacity&&this.opacity<=1},hex:Je,formatHex:Je,formatHex8:function(){return`#${ei(this.r)}${ei(this.g)}${ei(this.b)}${ei(255*(isNaN(this.opacity)?1:this.opacity))}`},formatRgb:Qe,toString:Qe})),Be(ni,(function(t,e,i,r){return 1===arguments.length?ri(t):new ni(t,e,i,null==r?1:r)}),Fe(Le,{brighter(t){return t=null==t?Me:Math.pow(Me,t),new ni(this.h,this.s,this.l*t,this.opacity)},darker(t){return t=null==t?Ae:Math.pow(Ae,t),new ni(this.h,this.s,this.l*t,this.opacity)},rgb(){var t=this.h%360+360*(this.h<0),e=isNaN(t)||isNaN(this.s)?0:this.s,i=this.l,r=i+(i<.5?i:1-i)*e,n=2*i-r;return new Xe(si(t>=240?t-240:t+120,n,r),si(t,n,r),si(t<120?t+240:t-120,n,r),this.opacity)},clamp(){return new ni(oi(this.h),ai(this.s),ai(this.l),Ke(this.opacity))},displayable(){return(0<=this.s&&this.s<=1||isNaN(this.s))&&0<=this.l&&this.l<=1&&0<=this.opacity&&this.opacity<=1},formatHsl(){const t=Ke(this.opacity);return`${1===t?"hsl(":"hsla("}${oi(this.h)}, ${100*ai(this.s)}%, ${100*ai(this.l)}%${1===t?")":`, ${t})`}`}}));const ci=t=>()=>t;function hi(t,e){return function(i){return t+i*e}}function ui(t){return 1==(t=+t)?di:function(e,i){return i-e?function(t,e,i){return t=Math.pow(t,i),e=Math.pow(e,i)-t,i=1/i,function(r){return Math.pow(t+r*e,i)}}(e,i,t):ci(isNaN(e)?i:e)}}function di(t,e){var i=e-t;return i?hi(t,i):ci(isNaN(t)?e:t)}const fi=function t(e){var i=ui(e);function r(t,e){var r=i((t=Ge(t)).r,(e=Ge(e)).r),n=i(t.g,e.g),o=i(t.b,e.b),a=di(t.opacity,e.opacity);return function(e){return t.r=r(e),t.g=n(e),t.b=o(e),t.opacity=a(e),t+""}}return r.gamma=t,r}(1);function pi(t){return function(e){var i,r,n=e.length,o=new Array(n),a=new Array(n),s=new Array(n);for(i=0;i<n;++i)r=Ge(e[i]),o[i]=r.r||0,a[i]=r.g||0,s[i]=r.b||0;return o=t(o),a=t(a),s=t(s),r.opacity=1,function(t){return r.r=o(t),r.g=a(t),r.b=s(t),r+""}}}pi((function(t){var e=t.length-1;return function(i){var r=i<=0?i=0:i>=1?(i=1,e-1):Math.floor(i*e),n=t[r],o=t[r+1],a=r>0?t[r-1]:2*n-o,s=r<e-1?t[r+2]:2*o-n;return li((i-r/e)*e,a,n,o,s)}})),pi((function(t){var e=t.length;return function(i){var r=Math.floor(((i%=1)<0?++i:i)*e),n=t[(r+e-1)%e],o=t[r%e],a=t[(r+1)%e],s=t[(r+2)%e];return li((i-r/e)*e,n,o,a,s)}}));var gi=/[-+]?(?:\d+\.?\d*|\.?\d+)(?:[eE][-+]?\d+)?/g,mi=new RegExp(gi.source,"g");function yi(t,e){var i,r,n,o=gi.lastIndex=mi.lastIndex=0,a=-1,s=[],l=[];for(t+="",e+="";(i=gi.exec(t))&&(r=mi.exec(e));)(n=r.index)>o&&(n=e.slice(o,n),s[a]?s[a]+=n:s[++a]=n),(i=i[0])===(r=r[0])?s[a]?s[a]+=r:s[++a]=r:(s[++a]=null,l.push({i:a,x:me(i,r)})),o=mi.lastIndex;return o<e.length&&(n=e.slice(o),s[a]?s[a]+=n:s[++a]=n),s.length<2?l[0]?function(t){return function(e){return t(e)+""}}(l[0].x):function(t){return function(){return t}}(e):(e=l.length,function(t){for(var i,r=0;r<e;++r)s[(i=l[r]).i]=i.x(t);return s.join("")})}function xi(t,e){var i;return("number"==typeof e?me:e instanceof We?fi:(i=We(e))?(e=i,fi):yi)(t,e)}function bi(t){return function(){this.removeAttribute(t)}}function Ci(t){return function(){this.removeAttributeNS(t.space,t.local)}}function _i(t,e,i){var r,n,o=i+"";return function(){var a=this.getAttribute(t);return a===o?null:a===r?n:n=e(r=a,i)}}function vi(t,e,i){var r,n,o=i+"";return function(){var a=this.getAttributeNS(t.space,t.local);return a===o?null:a===r?n:n=e(r=a,i)}}function ki(t,e,i){var r,n,o;return function(){var a,s,l=i(this);if(null!=l)return(a=this.getAttribute(t))===(s=l+"")?null:a===r&&s===n?o:(n=s,o=e(r=a,l));this.removeAttribute(t)}}function Ti(t,e,i){var r,n,o;return function(){var a,s,l=i(this);if(null!=l)return(a=this.getAttributeNS(t.space,t.local))===(s=l+"")?null:a===r&&s===n?o:(n=s,o=e(r=a,l));this.removeAttributeNS(t.space,t.local)}}function wi(t,e){var i,r;function n(){var n=e.apply(this,arguments);return n!==r&&(i=(r=n)&&function(t,e){return function(i){this.setAttributeNS(t.space,t.local,e.call(this,i))}}(t,n)),i}return n._value=e,n}function Si(t,e){var i,r;function n(){var n=e.apply(this,arguments);return n!==r&&(i=(r=n)&&function(t,e){return function(i){this.setAttribute(t,e.call(this,i))}}(t,n)),i}return n._value=e,n}function Bi(t,e){return function(){fe(this,t).delay=+e.apply(this,arguments)}}function Fi(t,e){return e=+e,function(){fe(this,t).delay=e}}function Li(t,e){return function(){pe(this,t).duration=+e.apply(this,arguments)}}function Ai(t,e){return e=+e,function(){pe(this,t).duration=e}}var Mi=Mt.prototype.constructor;function Ei(t){return function(){this.style.removeProperty(t)}}var Ni=0;function Zi(t,e,i,r){this._groups=t,this._parents=e,this._name=i,this._id=r}function ji(){return++Ni}var Ii=Mt.prototype;Zi.prototype=function(t){return Mt().transition(t)}.prototype={constructor:Zi,select:function(t){var e=this._name,i=this._id;"function"!=typeof t&&(t=C(t));for(var r=this._groups,n=r.length,o=new Array(n),a=0;a<n;++a)for(var s,l,c=r[a],h=c.length,u=o[a]=new Array(h),d=0;d<h;++d)(s=c[d])&&(l=t.call(s,s.__data__,d,c))&&("__data__"in s&&(l.__data__=s.__data__),u[d]=l,de(u[d],e,i,d,u,ge(s,i)));return new Zi(o,this._parents,e,i)},selectAll:function(t){var e=this._name,i=this._id;"function"!=typeof t&&(t=k(t));for(var r=this._groups,n=r.length,o=[],a=[],s=0;s<n;++s)for(var l,c=r[s],h=c.length,u=0;u<h;++u)if(l=c[u]){for(var d,f=t.call(l,l.__data__,u,c),p=ge(l,i),g=0,m=f.length;g<m;++g)(d=f[g])&&de(d,e,i,g,f,p);o.push(f),a.push(l)}return new Zi(o,a,e,i)},selectChild:Ii.selectChild,selectChildren:Ii.selectChildren,filter:function(t){"function"!=typeof t&&(t=T(t));for(var e=this._groups,i=e.length,r=new Array(i),n=0;n<i;++n)for(var o,a=e[n],s=a.length,l=r[n]=[],c=0;c<s;++c)(o=a[c])&&t.call(o,o.__data__,c,a)&&l.push(o);return new Zi(r,this._parents,this._name,this._id)},merge:function(t){if(t._id!==this._id)throw new Error;for(var e=this._groups,i=t._groups,r=e.length,n=i.length,o=Math.min(r,n),a=new Array(r),s=0;s<o;++s)for(var l,c=e[s],h=i[s],u=c.length,d=a[s]=new Array(u),f=0;f<u;++f)(l=c[f]||h[f])&&(d[f]=l);for(;s<r;++s)a[s]=e[s];return new Zi(a,this._parents,this._name,this._id)},selection:function(){return new Mi(this._groups,this._parents)},transition:function(){for(var t=this._name,e=this._id,i=ji(),r=this._groups,n=r.length,o=0;o<n;++o)for(var a,s=r[o],l=s.length,c=0;c<l;++c)if(a=s[c]){var h=ge(a,e);de(a,t,i,c,s,{time:h.time+h.delay+h.duration,delay:0,duration:h.duration,ease:h.ease})}return new Zi(r,this._parents,t,i)},call:Ii.call,nodes:Ii.nodes,node:Ii.node,size:Ii.size,empty:Ii.empty,each:Ii.each,on:function(t,e){var i=this._id;return arguments.length<2?ge(this.node(),i).on.on(t):this.each(function(t,e,i){var r,n,o=function(t){return(t+"").trim().split(/^|\s+/).every((function(t){var e=t.indexOf(".");return e>=0&&(t=t.slice(0,e)),!t||"start"===t}))}(e)?fe:pe;return function(){var a=o(this,t),s=a.on;s!==r&&(n=(r=s).copy()).on(e,i),a.on=n}}(i,t,e))},attr:function(t,e){var i=q(t),r="transform"===i?ke:xi;return this.attrTween(t,"function"==typeof e?(i.local?Ti:ki)(i,r,Se(this,"attr."+t,e)):null==e?(i.local?Ci:bi)(i):(i.local?vi:_i)(i,r,e))},attrTween:function(t,e){var i="attr."+t;if(arguments.length<2)return(i=this.tween(i))&&i._value;if(null==e)return this.tween(i,null);if("function"!=typeof e)throw new Error;var r=q(t);return this.tween(i,(r.local?wi:Si)(r,e))},style:function(t,e,i){var r="transform"==(t+="")?ve:xi;return null==e?this.styleTween(t,function(t,e){var i,r,n;return function(){var o=X(this,t),a=(this.style.removeProperty(t),X(this,t));return o===a?null:o===i&&a===r?n:n=e(i=o,r=a)}}(t,r)).on("end.style."+t,Ei(t)):"function"==typeof e?this.styleTween(t,function(t,e,i){var r,n,o;return function(){var a=X(this,t),s=i(this),l=s+"";return null==s&&(this.style.removeProperty(t),l=s=X(this,t)),a===l?null:a===r&&l===n?o:(n=l,o=e(r=a,s))}}(t,r,Se(this,"style."+t,e))).each(function(t,e){var i,r,n,o,a="style."+e,s="end."+a;return function(){var l=pe(this,t),c=l.on,h=null==l.value[a]?o||(o=Ei(e)):void 0;c===i&&n===h||(r=(i=c).copy()).on(s,n=h),l.on=r}}(this._id,t)):this.styleTween(t,function(t,e,i){var r,n,o=i+"";return function(){var a=X(this,t);return a===o?null:a===r?n:n=e(r=a,i)}}(t,r,e),i).on("end.style."+t,null)},styleTween:function(t,e,i){var r="style."+(t+="");if(arguments.length<2)return(r=this.tween(r))&&r._value;if(null==e)return this.tween(r,null);if("function"!=typeof e)throw new Error;return this.tween(r,function(t,e,i){var r,n;function o(){var o=e.apply(this,arguments);return o!==n&&(r=(n=o)&&function(t,e,i){return function(r){this.style.setProperty(t,e.call(this,r),i)}}(t,o,i)),r}return o._value=e,o}(t,e,null==i?"":i))},text:function(t){return this.tween("text","function"==typeof t?function(t){return function(){var e=t(this);this.textContent=null==e?"":e}}(Se(this,"text",t)):function(t){return function(){this.textContent=t}}(null==t?"":t+""))},textTween:function(t){var e="text";if(arguments.length<1)return(e=this.tween(e))&&e._value;if(null==t)return this.tween(e,null);if("function"!=typeof t)throw new Error;return this.tween(e,function(t){var e,i;function r(){var r=t.apply(this,arguments);return r!==i&&(e=(i=r)&&function(t){return function(e){this.textContent=t.call(this,e)}}(r)),e}return r._value=t,r}(t))},remove:function(){return this.on("end.remove",function(t){return function(){var e=this.parentNode;for(var i in this.__transition)if(+i!==t)return;e&&e.removeChild(this)}}(this._id))},tween:function(t,e){var i=this._id;if(t+="",arguments.length<2){for(var r,n=ge(this.node(),i).tween,o=0,a=n.length;o<a;++o)if((r=n[o]).name===t)return r.value;return null}return this.each((null==e?Te:we)(i,t,e))},delay:function(t){var e=this._id;return arguments.length?this.each(("function"==typeof t?Bi:Fi)(e,t)):ge(this.node(),e).delay},duration:function(t){var e=this._id;return arguments.length?this.each(("function"==typeof t?Li:Ai)(e,t)):ge(this.node(),e).duration},ease:function(t){var e=this._id;return arguments.length?this.each(function(t,e){if("function"!=typeof e)throw new Error;return function(){pe(this,t).ease=e}}(e,t)):ge(this.node(),e).ease},easeVarying:function(t){if("function"!=typeof t)throw new Error;return this.each(function(t,e){return function(){var i=e.apply(this,arguments);if("function"!=typeof i)throw new Error;pe(this,t).ease=i}}(this._id,t))},end:function(){var t,e,i=this,r=i._id,n=i.size();return new Promise((function(o,a){var s={value:a},l={value:function(){0==--n&&o()}};i.each((function(){var i=pe(this,r),n=i.on;n!==t&&((e=(t=n).copy())._.cancel.push(s),e._.interrupt.push(s),e._.end.push(l)),i.on=e})),0===n&&o()}))},[Symbol.iterator]:Ii[Symbol.iterator]};var Oi={time:null,delay:0,duration:250,ease:function(t){return((t*=2)<=1?t*t*t:(t-=2)*t*t+2)/2}};function Di(t,e){for(var i;!(i=t.__transition)||!(i=i[e]);)if(!(t=t.parentNode))throw new Error(`transition ${e} not found`);return i}Mt.prototype.interrupt=function(t){return this.each((function(){!function(t,e){var i,r,n,o=t.__transition,a=!0;if(o){for(n in e=null==e?null:e+"",o)(i=o[n]).name===e?(r=i.state>se&&i.state<he,i.state=ue,i.timer.stop(),i.on.call(r?"interrupt":"cancel",t,t.__data__,i.index,i.group),delete o[n]):a=!1;a&&delete t.__transition}}(this,t)}))},Mt.prototype.transition=function(t){var e,i;t instanceof Zi?(e=t._id,t=t._name):(e=ji(),(i=Oi).time=Gt(),t=null==t?null:t+"");for(var r=this._groups,n=r.length,o=0;o<n;++o)for(var a,s=r[o],l=s.length,c=0;c<l;++c)(a=s[c])&&de(a,t,e,c,s,i||Di(a,e));return new Zi(r,this._parents,t,e)};const{abs:qi,max:$i,min:zi}=Math;function Pi(t){return[+t[0],+t[1]]}function Ri(t){return[Pi(t[0]),Pi(t[1])]}["w","e"].map(Hi),["n","s"].map(Hi),["n","w","e","s","nw","ne","sw","se"].map(Hi);function Hi(t){return{type:t}}function Wi(t){if(!t.ok)throw new Error(t.status+" "+t.statusText);return t.text()}function Ui(t){return(e,i)=>function(t,e){return fetch(t,e).then(Wi)}(e,i).then((e=>(new DOMParser).parseFromString(e,t)))}Ui("application/xml");Ui("text/html");var Yi=Ui("image/svg+xml");const Vi=Math.PI/180,Gi=180/Math.PI,Xi=.96422,Ji=1,Qi=.82521,Ki=4/29,tr=6/29,er=3*tr*tr,ir=tr*tr*tr;function rr(t){if(t instanceof nr)return new nr(t.l,t.a,t.b,t.opacity);if(t instanceof ur)return dr(t);t instanceof Xe||(t=Ve(t));var e,i,r=lr(t.r),n=lr(t.g),o=lr(t.b),a=or((.2225045*r+.7168786*n+.0606169*o)/Ji);return r===n&&n===o?e=i=a:(e=or((.4360747*r+.3850649*n+.1430804*o)/Xi),i=or((.0139322*r+.0971045*n+.7141733*o)/Qi)),new nr(116*a-16,500*(e-a),200*(a-i),t.opacity)}function nr(t,e,i,r){this.l=+t,this.a=+e,this.b=+i,this.opacity=+r}function or(t){return t>ir?Math.pow(t,1/3):t/er+Ki}function ar(t){return t>tr?t*t*t:er*(t-Ki)}function sr(t){return 255*(t<=.0031308?12.92*t:1.055*Math.pow(t,1/2.4)-.055)}function lr(t){return(t/=255)<=.04045?t/12.92:Math.pow((t+.055)/1.055,2.4)}function cr(t){if(t instanceof ur)return new ur(t.h,t.c,t.l,t.opacity);if(t instanceof nr||(t=rr(t)),0===t.a&&0===t.b)return new ur(NaN,0<t.l&&t.l<100?0:NaN,t.l,t.opacity);var e=Math.atan2(t.b,t.a)*Gi;return new ur(e<0?e+360:e,Math.sqrt(t.a*t.a+t.b*t.b),t.l,t.opacity)}function hr(t,e,i,r){return 1===arguments.length?cr(t):new ur(t,e,i,null==r?1:r)}function ur(t,e,i,r){this.h=+t,this.c=+e,this.l=+i,this.opacity=+r}function dr(t){if(isNaN(t.h))return new nr(t.l,0,0,t.opacity);var e=t.h*Vi;return new nr(t.l,Math.cos(e)*t.c,Math.sin(e)*t.c,t.opacity)}function fr(t){return function(e,i){var r=t((e=hr(e)).h,(i=hr(i)).h),n=di(e.c,i.c),o=di(e.l,i.l),a=di(e.opacity,i.opacity);return function(t){return e.h=r(t),e.c=n(t),e.l=o(t),e.opacity=a(t),e+""}}}Be(nr,(function(t,e,i,r){return 1===arguments.length?rr(t):new nr(t,e,i,null==r?1:r)}),Fe(Le,{brighter(t){return new nr(this.l+18*(null==t?1:t),this.a,this.b,this.opacity)},darker(t){return new nr(this.l-18*(null==t?1:t),this.a,this.b,this.opacity)},rgb(){var t=(this.l+16)/116,e=isNaN(this.a)?t:t+this.a/500,i=isNaN(this.b)?t:t-this.b/200;return new Xe(sr(3.1338561*(e=Xi*ar(e))-1.6168667*(t=Ji*ar(t))-.4906146*(i=Qi*ar(i))),sr(-.9787684*e+1.9161415*t+.033454*i),sr(.0719453*e-.2289914*t+1.4052427*i),this.opacity)}})),Be(ur,hr,Fe(Le,{brighter(t){return new ur(this.h,this.c,this.l+18*(null==t?1:t),this.opacity)},darker(t){return new ur(this.h,this.c,this.l-18*(null==t?1:t),this.opacity)},rgb(){return dr(this).rgb()}}));const pr=fr((function(t,e){var i=e-t;return i?hi(t,i>180||i<-180?i-360*Math.round(i/360):i):ci(isNaN(t)?e:t)}));fr(di);function gr(t,e){switch(arguments.length){case 0:break;case 1:this.range(t);break;default:this.range(e).domain(t)}return this}class mr extends Map{constructor(t,e=Cr){if(super(),Object.defineProperties(this,{_intern:{value:new Map},_key:{value:e}}),null!=t)for(const[i,r]of t)this.set(i,r)}get(t){return super.get(yr(this,t))}has(t){return super.has(yr(this,t))}set(t,e){return super.set(xr(this,t),e)}delete(t){return super.delete(br(this,t))}}function yr({_intern:t,_key:e},i){const r=e(i);return t.has(r)?t.get(r):i}function xr({_intern:t,_key:e},i){const r=e(i);return t.has(r)?t.get(r):(t.set(r,i),i)}function br({_intern:t,_key:e},i){const r=e(i);return t.has(r)&&(i=t.get(r),t.delete(r)),i}function Cr(t){return null!==t&&"object"==typeof t?t.valueOf():t}const _r=Symbol("implicit");function vr(){var t=new mr,e=[],i=[],r=_r;function n(n){let o=t.get(n);if(void 0===o){if(r!==_r)return r;t.set(n,o=e.push(n)-1)}return i[o%i.length]}return n.domain=function(i){if(!arguments.length)return e.slice();e=[],t=new mr;for(const r of i)t.has(r)||t.set(r,e.push(r)-1);return n},n.range=function(t){return arguments.length?(i=Array.from(t),n):i.slice()},n.unknown=function(t){return arguments.length?(r=t,n):r},n.copy=function(){return vr(e,i).unknown(r)},gr.apply(n,arguments),n}function kr(){var t,e,i=vr().unknown(void 0),r=i.domain,n=i.range,o=0,a=1,s=!1,l=0,c=0,h=.5;function u(){var i=r().length,u=a<o,d=u?a:o,f=u?o:a;t=(f-d)/Math.max(1,i-l+2*c),s&&(t=Math.floor(t)),d+=(f-d-t*(i-l))*h,e=t*(1-l),s&&(d=Math.round(d),e=Math.round(e));var p=function(t,e,i){t=+t,e=+e,i=(n=arguments.length)<2?(e=t,t=0,1):n<3?1:+i;for(var r=-1,n=0|Math.max(0,Math.ceil((e-t)/i)),o=new Array(n);++r<n;)o[r]=t+r*i;return o}(i).map((function(e){return d+t*e}));return n(u?p.reverse():p)}return delete i.unknown,i.domain=function(t){return arguments.length?(r(t),u()):r()},i.range=function(t){return arguments.length?([o,a]=t,o=+o,a=+a,u()):[o,a]},i.rangeRound=function(t){return[o,a]=t,o=+o,a=+a,s=!0,u()},i.bandwidth=function(){return e},i.step=function(){return t},i.round=function(t){return arguments.length?(s=!!t,u()):s},i.padding=function(t){return arguments.length?(l=Math.min(1,c=+t),u()):l},i.paddingInner=function(t){return arguments.length?(l=Math.min(1,t),u()):l},i.paddingOuter=function(t){return arguments.length?(c=+t,u()):c},i.align=function(t){return arguments.length?(h=Math.max(0,Math.min(1,t)),u()):h},i.copy=function(){return kr(r(),[o,a]).round(s).paddingInner(l).paddingOuter(c).align(h)},gr.apply(u(),arguments)}const Tr=Math.sqrt(50),wr=Math.sqrt(10),Sr=Math.sqrt(2);function Br(t,e,i){const r=(e-t)/Math.max(0,i),n=Math.floor(Math.log10(r)),o=r/Math.pow(10,n),a=o>=Tr?10:o>=wr?5:o>=Sr?2:1;let s,l,c;return n<0?(c=Math.pow(10,-n)/a,s=Math.round(t*c),l=Math.round(e*c),s/c<t&&++s,l/c>e&&--l,c=-c):(c=Math.pow(10,n)*a,s=Math.round(t/c),l=Math.round(e/c),s*c<t&&++s,l*c>e&&--l),l<s&&.5<=i&&i<2?Br(t,e,2*i):[s,l,c]}function Fr(t,e,i){return Br(t=+t,e=+e,i=+i)[2]}function Lr(t,e,i){i=+i;const r=(e=+e)<(t=+t),n=r?Fr(e,t,i):Fr(t,e,i);return(r?-1:1)*(n<0?1/-n:n)}function Ar(t,e){return null==t||null==e?NaN:t<e?-1:t>e?1:t>=e?0:NaN}function Mr(t,e){return null==t||null==e?NaN:e<t?-1:e>t?1:e>=t?0:NaN}function Er(t){let e,i,r;function n(t,r,n=0,o=t.length){if(n<o){if(0!==e(r,r))return o;do{const e=n+o>>>1;i(t[e],r)<0?n=e+1:o=e}while(n<o)}return n}return 2!==t.length?(e=Ar,i=(e,i)=>Ar(t(e),i),r=(e,i)=>t(e)-i):(e=t===Ar||t===Mr?t:Nr,i=t,r=t),{left:n,center:function(t,e,i=0,o=t.length){const a=n(t,e,i,o-1);return a>i&&r(t[a-1],e)>-r(t[a],e)?a-1:a},right:function(t,r,n=0,o=t.length){if(n<o){if(0!==e(r,r))return o;do{const e=n+o>>>1;i(t[e],r)<=0?n=e+1:o=e}while(n<o)}return n}}}function Nr(){return 0}const Zr=Er(Ar),jr=Zr.right,Ir=(Zr.left,Er((function(t){return null===t?NaN:+t})).center,jr);function Or(t,e){var i,r=e?e.length:0,n=t?Math.min(r,t.length):0,o=new Array(n),a=new Array(r);for(i=0;i<n;++i)o[i]=zr(t[i],e[i]);for(;i<r;++i)a[i]=e[i];return function(t){for(i=0;i<n;++i)a[i]=o[i](t);return a}}function Dr(t,e){var i=new Date;return t=+t,e=+e,function(r){return i.setTime(t*(1-r)+e*r),i}}function qr(t,e){var i,r={},n={};for(i in null!==t&&"object"==typeof t||(t={}),null!==e&&"object"==typeof e||(e={}),e)i in t?r[i]=zr(t[i],e[i]):n[i]=e[i];return function(t){for(i in r)n[i]=r[i](t);return n}}function $r(t,e){e||(e=[]);var i,r=t?Math.min(e.length,t.length):0,n=e.slice();return function(o){for(i=0;i<r;++i)n[i]=t[i]*(1-o)+e[i]*o;return n}}function zr(t,e){var i,r,n=typeof e;return null==e||"boolean"===n?ci(e):("number"===n?me:"string"===n?(i=We(e))?(e=i,fi):yi:e instanceof We?fi:e instanceof Date?Dr:(r=e,!ArrayBuffer.isView(r)||r instanceof DataView?Array.isArray(e)?Or:"function"!=typeof e.valueOf&&"function"!=typeof e.toString||isNaN(e)?qr:me:$r))(t,e)}function Pr(t,e){return t=+t,e=+e,function(i){return Math.round(t*(1-i)+e*i)}}function Rr(t){return+t}var Hr=[0,1];function Wr(t){return t}function Ur(t,e){return(e-=t=+t)?function(i){return(i-t)/e}:(i=isNaN(e)?NaN:.5,function(){return i});var i}function Yr(t,e,i){var r=t[0],n=t[1],o=e[0],a=e[1];return n<r?(r=Ur(n,r),o=i(a,o)):(r=Ur(r,n),o=i(o,a)),function(t){return o(r(t))}}function Vr(t,e,i){var r=Math.min(t.length,e.length)-1,n=new Array(r),o=new Array(r),a=-1;for(t[r]<t[0]&&(t=t.slice().reverse(),e=e.slice().reverse());++a<r;)n[a]=Ur(t[a],t[a+1]),o[a]=i(e[a],e[a+1]);return function(e){var i=Ir(t,e,1,r)-1;return o[i](n[i](e))}}function Gr(t,e){return e.domain(t.domain()).range(t.range()).interpolate(t.interpolate()).clamp(t.clamp()).unknown(t.unknown())}function Xr(){var t,e,i,r,n,o,a=Hr,s=Hr,l=zr,c=Wr;function h(){var t,e,i,l=Math.min(a.length,s.length);return c!==Wr&&(t=a[0],e=a[l-1],t>e&&(i=t,t=e,e=i),c=function(i){return Math.max(t,Math.min(e,i))}),r=l>2?Vr:Yr,n=o=null,u}function u(e){return null==e||isNaN(e=+e)?i:(n||(n=r(a.map(t),s,l)))(t(c(e)))}return u.invert=function(i){return c(e((o||(o=r(s,a.map(t),me)))(i)))},u.domain=function(t){return arguments.length?(a=Array.from(t,Rr),h()):a.slice()},u.range=function(t){return arguments.length?(s=Array.from(t),h()):s.slice()},u.rangeRound=function(t){return s=Array.from(t),l=Pr,h()},u.clamp=function(t){return arguments.length?(c=!!t||Wr,h()):c!==Wr},u.interpolate=function(t){return arguments.length?(l=t,h()):l},u.unknown=function(t){return arguments.length?(i=t,u):i},function(i,r){return t=i,e=r,h()}}function Jr(){return Xr()(Wr,Wr)}var Qr,Kr=/^(?:(.)?([<>=^]))?([+\-( ])?([$#])?(0)?(\d+)?(,)?(\.\d+)?(~)?([a-z%])?$/i;function tn(t){if(!(e=Kr.exec(t)))throw new Error("invalid format: "+t);var e;return new en({fill:e[1],align:e[2],sign:e[3],symbol:e[4],zero:e[5],width:e[6],comma:e[7],precision:e[8]&&e[8].slice(1),trim:e[9],type:e[10]})}function en(t){this.fill=void 0===t.fill?" ":t.fill+"",this.align=void 0===t.align?">":t.align+"",this.sign=void 0===t.sign?"-":t.sign+"",this.symbol=void 0===t.symbol?"":t.symbol+"",this.zero=!!t.zero,this.width=void 0===t.width?void 0:+t.width,this.comma=!!t.comma,this.precision=void 0===t.precision?void 0:+t.precision,this.trim=!!t.trim,this.type=void 0===t.type?"":t.type+""}function rn(t,e){if((i=(t=e?t.toExponential(e-1):t.toExponential()).indexOf("e"))<0)return null;var i,r=t.slice(0,i);return[r.length>1?r[0]+r.slice(2):r,+t.slice(i+1)]}function nn(t){return(t=rn(Math.abs(t)))?t[1]:NaN}function on(t,e){var i=rn(t,e);if(!i)return t+"";var r=i[0],n=i[1];return n<0?"0."+new Array(-n).join("0")+r:r.length>n+1?r.slice(0,n+1)+"."+r.slice(n+1):r+new Array(n-r.length+2).join("0")}tn.prototype=en.prototype,en.prototype.toString=function(){return this.fill+this.align+this.sign+this.symbol+(this.zero?"0":"")+(void 0===this.width?"":Math.max(1,0|this.width))+(this.comma?",":"")+(void 0===this.precision?"":"."+Math.max(0,0|this.precision))+(this.trim?"~":"")+this.type};const an={"%":(t,e)=>(100*t).toFixed(e),b:t=>Math.round(t).toString(2),c:t=>t+"",d:function(t){return Math.abs(t=Math.round(t))>=1e21?t.toLocaleString("en").replace(/,/g,""):t.toString(10)},e:(t,e)=>t.toExponential(e),f:(t,e)=>t.toFixed(e),g:(t,e)=>t.toPrecision(e),o:t=>Math.round(t).toString(8),p:(t,e)=>on(100*t,e),r:on,s:function(t,e){var i=rn(t,e);if(!i)return t+"";var r=i[0],n=i[1],o=n-(Qr=3*Math.max(-8,Math.min(8,Math.floor(n/3))))+1,a=r.length;return o===a?r:o>a?r+new Array(o-a+1).join("0"):o>0?r.slice(0,o)+"."+r.slice(o):"0."+new Array(1-o).join("0")+rn(t,Math.max(0,e+o-1))[0]},X:t=>Math.round(t).toString(16).toUpperCase(),x:t=>Math.round(t).toString(16)};function sn(t){return t}var ln,cn,hn,un=Array.prototype.map,dn=["y","z","a","f","p","n","\xb5","m","","k","M","G","T","P","E","Z","Y"];function fn(t){var e,i,r=void 0===t.grouping||void 0===t.thousands?sn:(e=un.call(t.grouping,Number),i=t.thousands+"",function(t,r){for(var n=t.length,o=[],a=0,s=e[0],l=0;n>0&&s>0&&(l+s+1>r&&(s=Math.max(1,r-l)),o.push(t.substring(n-=s,n+s)),!((l+=s+1)>r));)s=e[a=(a+1)%e.length];return o.reverse().join(i)}),n=void 0===t.currency?"":t.currency[0]+"",o=void 0===t.currency?"":t.currency[1]+"",a=void 0===t.decimal?".":t.decimal+"",s=void 0===t.numerals?sn:function(t){return function(e){return e.replace(/[0-9]/g,(function(e){return t[+e]}))}}(un.call(t.numerals,String)),l=void 0===t.percent?"%":t.percent+"",c=void 0===t.minus?"\u2212":t.minus+"",h=void 0===t.nan?"NaN":t.nan+"";function u(t){var e=(t=tn(t)).fill,i=t.align,u=t.sign,d=t.symbol,f=t.zero,p=t.width,g=t.comma,m=t.precision,y=t.trim,x=t.type;"n"===x?(g=!0,x="g"):an[x]||(void 0===m&&(m=12),y=!0,x="g"),(f||"0"===e&&"="===i)&&(f=!0,e="0",i="=");var b="$"===d?n:"#"===d&&/[boxX]/.test(x)?"0"+x.toLowerCase():"",C="$"===d?o:/[%p]/.test(x)?l:"",_=an[x],v=/[defgprs%]/.test(x);function k(t){var n,o,l,d=b,k=C;if("c"===x)k=_(t)+k,t="";else{var T=(t=+t)<0||1/t<0;if(t=isNaN(t)?h:_(Math.abs(t),m),y&&(t=function(t){t:for(var e,i=t.length,r=1,n=-1;r<i;++r)switch(t[r]){case".":n=e=r;break;case"0":0===n&&(n=r),e=r;break;default:if(!+t[r])break t;n>0&&(n=0)}return n>0?t.slice(0,n)+t.slice(e+1):t}(t)),T&&0==+t&&"+"!==u&&(T=!1),d=(T?"("===u?u:c:"-"===u||"("===u?"":u)+d,k=("s"===x?dn[8+Qr/3]:"")+k+(T&&"("===u?")":""),v)for(n=-1,o=t.length;++n<o;)if(48>(l=t.charCodeAt(n))||l>57){k=(46===l?a+t.slice(n+1):t.slice(n))+k,t=t.slice(0,n);break}}g&&!f&&(t=r(t,1/0));var w=d.length+t.length+k.length,S=w<p?new Array(p-w+1).join(e):"";switch(g&&f&&(t=r(S+t,S.length?p-k.length:1/0),S=""),i){case"<":t=d+t+k+S;break;case"=":t=d+S+t+k;break;case"^":t=S.slice(0,w=S.length>>1)+d+t+k+S.slice(w);break;default:t=S+d+t+k}return s(t)}return m=void 0===m?6:/[gprs]/.test(x)?Math.max(1,Math.min(21,m)):Math.max(0,Math.min(20,m)),k.toString=function(){return t+""},k}return{format:u,formatPrefix:function(t,e){var i=u(((t=tn(t)).type="f",t)),r=3*Math.max(-8,Math.min(8,Math.floor(nn(e)/3))),n=Math.pow(10,-r),o=dn[8+r/3];return function(t){return i(n*t)+o}}}}function pn(t,e,i,r){var n,o=Lr(t,e,i);switch((r=tn(null==r?",f":r)).type){case"s":var a=Math.max(Math.abs(t),Math.abs(e));return null!=r.precision||isNaN(n=function(t,e){return Math.max(0,3*Math.max(-8,Math.min(8,Math.floor(nn(e)/3)))-nn(Math.abs(t)))}(o,a))||(r.precision=n),hn(r,a);case"":case"e":case"g":case"p":case"r":null!=r.precision||isNaN(n=function(t,e){return t=Math.abs(t),e=Math.abs(e)-t,Math.max(0,nn(e)-nn(t))+1}(o,Math.max(Math.abs(t),Math.abs(e))))||(r.precision=n-("e"===r.type));break;case"f":case"%":null!=r.precision||isNaN(n=function(t){return Math.max(0,-nn(Math.abs(t)))}(o))||(r.precision=n-2*("%"===r.type))}return cn(r)}function gn(t){var e=t.domain;return t.ticks=function(t){var i=e();return function(t,e,i){if(!((i=+i)>0))return[];if((t=+t)==(e=+e))return[t];const r=e<t,[n,o,a]=r?Br(e,t,i):Br(t,e,i);if(!(o>=n))return[];const s=o-n+1,l=new Array(s);if(r)if(a<0)for(let c=0;c<s;++c)l[c]=(o-c)/-a;else for(let c=0;c<s;++c)l[c]=(o-c)*a;else if(a<0)for(let c=0;c<s;++c)l[c]=(n+c)/-a;else for(let c=0;c<s;++c)l[c]=(n+c)*a;return l}(i[0],i[i.length-1],null==t?10:t)},t.tickFormat=function(t,i){var r=e();return pn(r[0],r[r.length-1],null==t?10:t,i)},t.nice=function(i){null==i&&(i=10);var r,n,o=e(),a=0,s=o.length-1,l=o[a],c=o[s],h=10;for(c<l&&(n=l,l=c,c=n,n=a,a=s,s=n);h-- >0;){if((n=Fr(l,c,i))===r)return o[a]=l,o[s]=c,e(o);if(n>0)l=Math.floor(l/n)*n,c=Math.ceil(c/n)*n;else{if(!(n<0))break;l=Math.ceil(l*n)/n,c=Math.floor(c*n)/n}r=n}return t},t}function mn(){var t=Jr();return t.copy=function(){return Gr(t,mn())},gr.apply(t,arguments),gn(t)}ln=fn({thousands:",",grouping:[3],currency:["$",""]}),cn=ln.format,hn=ln.formatPrefix;const yn=1e3,xn=6e4,bn=36e5,Cn=864e5,_n=6048e5,vn=2592e6,kn=31536e6,Tn=new Date,wn=new Date;function Sn(t,e,i,r){function n(e){return t(e=0===arguments.length?new Date:new Date(+e)),e}return n.floor=e=>(t(e=new Date(+e)),e),n.ceil=i=>(t(i=new Date(i-1)),e(i,1),t(i),i),n.round=t=>{const e=n(t),i=n.ceil(t);return t-e<i-t?e:i},n.offset=(t,i)=>(e(t=new Date(+t),null==i?1:Math.floor(i)),t),n.range=(i,r,o)=>{const a=[];if(i=n.ceil(i),o=null==o?1:Math.floor(o),!(i<r&&o>0))return a;let s;do{a.push(s=new Date(+i)),e(i,o),t(i)}while(s<i&&i<r);return a},n.filter=i=>Sn((e=>{if(e>=e)for(;t(e),!i(e);)e.setTime(e-1)}),((t,r)=>{if(t>=t)if(r<0)for(;++r<=0;)for(;e(t,-1),!i(t););else for(;--r>=0;)for(;e(t,1),!i(t););})),i&&(n.count=(e,r)=>(Tn.setTime(+e),wn.setTime(+r),t(Tn),t(wn),Math.floor(i(Tn,wn))),n.every=t=>(t=Math.floor(t),isFinite(t)&&t>0?t>1?n.filter(r?e=>r(e)%t==0:e=>n.count(0,e)%t==0):n:null)),n}const Bn=Sn((()=>{}),((t,e)=>{t.setTime(+t+e)}),((t,e)=>e-t));Bn.every=t=>(t=Math.floor(t),isFinite(t)&&t>0?t>1?Sn((e=>{e.setTime(Math.floor(e/t)*t)}),((e,i)=>{e.setTime(+e+i*t)}),((e,i)=>(i-e)/t)):Bn:null);Bn.range;const Fn=Sn((t=>{t.setTime(t-t.getMilliseconds())}),((t,e)=>{t.setTime(+t+e*yn)}),((t,e)=>(e-t)/yn),(t=>t.getUTCSeconds())),Ln=(Fn.range,Sn((t=>{t.setTime(t-t.getMilliseconds()-t.getSeconds()*yn)}),((t,e)=>{t.setTime(+t+e*xn)}),((t,e)=>(e-t)/xn),(t=>t.getMinutes()))),An=(Ln.range,Sn((t=>{t.setUTCSeconds(0,0)}),((t,e)=>{t.setTime(+t+e*xn)}),((t,e)=>(e-t)/xn),(t=>t.getUTCMinutes()))),Mn=(An.range,Sn((t=>{t.setTime(t-t.getMilliseconds()-t.getSeconds()*yn-t.getMinutes()*xn)}),((t,e)=>{t.setTime(+t+e*bn)}),((t,e)=>(e-t)/bn),(t=>t.getHours()))),En=(Mn.range,Sn((t=>{t.setUTCMinutes(0,0,0)}),((t,e)=>{t.setTime(+t+e*bn)}),((t,e)=>(e-t)/bn),(t=>t.getUTCHours()))),Nn=(En.range,Sn((t=>t.setHours(0,0,0,0)),((t,e)=>t.setDate(t.getDate()+e)),((t,e)=>(e-t-(e.getTimezoneOffset()-t.getTimezoneOffset())*xn)/Cn),(t=>t.getDate()-1))),Zn=(Nn.range,Sn((t=>{t.setUTCHours(0,0,0,0)}),((t,e)=>{t.setUTCDate(t.getUTCDate()+e)}),((t,e)=>(e-t)/Cn),(t=>t.getUTCDate()-1))),jn=(Zn.range,Sn((t=>{t.setUTCHours(0,0,0,0)}),((t,e)=>{t.setUTCDate(t.getUTCDate()+e)}),((t,e)=>(e-t)/Cn),(t=>Math.floor(t/Cn))));jn.range;function In(t){return Sn((e=>{e.setDate(e.getDate()-(e.getDay()+7-t)%7),e.setHours(0,0,0,0)}),((t,e)=>{t.setDate(t.getDate()+7*e)}),((t,e)=>(e-t-(e.getTimezoneOffset()-t.getTimezoneOffset())*xn)/_n))}const On=In(0),Dn=In(1),qn=In(2),$n=In(3),zn=In(4),Pn=In(5),Rn=In(6);On.range,Dn.range,qn.range,$n.range,zn.range,Pn.range,Rn.range;function Hn(t){return Sn((e=>{e.setUTCDate(e.getUTCDate()-(e.getUTCDay()+7-t)%7),e.setUTCHours(0,0,0,0)}),((t,e)=>{t.setUTCDate(t.getUTCDate()+7*e)}),((t,e)=>(e-t)/_n))}const Wn=Hn(0),Un=Hn(1),Yn=Hn(2),Vn=Hn(3),Gn=Hn(4),Xn=Hn(5),Jn=Hn(6),Qn=(Wn.range,Un.range,Yn.range,Vn.range,Gn.range,Xn.range,Jn.range,Sn((t=>{t.setDate(1),t.setHours(0,0,0,0)}),((t,e)=>{t.setMonth(t.getMonth()+e)}),((t,e)=>e.getMonth()-t.getMonth()+12*(e.getFullYear()-t.getFullYear())),(t=>t.getMonth()))),Kn=(Qn.range,Sn((t=>{t.setUTCDate(1),t.setUTCHours(0,0,0,0)}),((t,e)=>{t.setUTCMonth(t.getUTCMonth()+e)}),((t,e)=>e.getUTCMonth()-t.getUTCMonth()+12*(e.getUTCFullYear()-t.getUTCFullYear())),(t=>t.getUTCMonth()))),to=(Kn.range,Sn((t=>{t.setMonth(0,1),t.setHours(0,0,0,0)}),((t,e)=>{t.setFullYear(t.getFullYear()+e)}),((t,e)=>e.getFullYear()-t.getFullYear()),(t=>t.getFullYear())));to.every=t=>isFinite(t=Math.floor(t))&&t>0?Sn((e=>{e.setFullYear(Math.floor(e.getFullYear()/t)*t),e.setMonth(0,1),e.setHours(0,0,0,0)}),((e,i)=>{e.setFullYear(e.getFullYear()+i*t)})):null;to.range;const eo=Sn((t=>{t.setUTCMonth(0,1),t.setUTCHours(0,0,0,0)}),((t,e)=>{t.setUTCFullYear(t.getUTCFullYear()+e)}),((t,e)=>e.getUTCFullYear()-t.getUTCFullYear()),(t=>t.getUTCFullYear()));eo.every=t=>isFinite(t=Math.floor(t))&&t>0?Sn((e=>{e.setUTCFullYear(Math.floor(e.getUTCFullYear()/t)*t),e.setUTCMonth(0,1),e.setUTCHours(0,0,0,0)}),((e,i)=>{e.setUTCFullYear(e.getUTCFullYear()+i*t)})):null;eo.range;function io(t,e,i,r,n,o){const a=[[Fn,1,yn],[Fn,5,5e3],[Fn,15,15e3],[Fn,30,3e4],[o,1,xn],[o,5,3e5],[o,15,9e5],[o,30,18e5],[n,1,bn],[n,3,108e5],[n,6,216e5],[n,12,432e5],[r,1,Cn],[r,2,1728e5],[i,1,_n],[e,1,vn],[e,3,7776e6],[t,1,kn]];function s(e,i,r){const n=Math.abs(i-e)/r,o=Er((([,,t])=>t)).right(a,n);if(o===a.length)return t.every(Lr(e/kn,i/kn,r));if(0===o)return Bn.every(Math.max(Lr(e,i,r),1));const[s,l]=a[n/a[o-1][2]<a[o][2]/n?o-1:o];return s.every(l)}return[function(t,e,i){const r=e<t;r&&([t,e]=[e,t]);const n=i&&"function"==typeof i.range?i:s(t,e,i),o=n?n.range(t,+e+1):[];return r?o.reverse():o},s]}const[ro,no]=io(eo,Kn,Wn,jn,En,An),[oo,ao]=io(to,Qn,On,Nn,Mn,Ln);function so(t){if(0<=t.y&&t.y<100){var e=new Date(-1,t.m,t.d,t.H,t.M,t.S,t.L);return e.setFullYear(t.y),e}return new Date(t.y,t.m,t.d,t.H,t.M,t.S,t.L)}function lo(t){if(0<=t.y&&t.y<100){var e=new Date(Date.UTC(-1,t.m,t.d,t.H,t.M,t.S,t.L));return e.setUTCFullYear(t.y),e}return new Date(Date.UTC(t.y,t.m,t.d,t.H,t.M,t.S,t.L))}function co(t,e,i){return{y:t,m:e,d:i,H:0,M:0,S:0,L:0}}var ho,uo,fo={"-":"",_:" ",0:"0"},po=/^\s*\d+/,go=/^%/,mo=/[\\^$*+?|[\]().{}]/g;function yo(t,e,i){var r=t<0?"-":"",n=(r?-t:t)+"",o=n.length;return r+(o<i?new Array(i-o+1).join(e)+n:n)}function xo(t){return t.replace(mo,"\\$&")}function bo(t){return new RegExp("^(?:"+t.map(xo).join("|")+")","i")}function Co(t){return new Map(t.map(((t,e)=>[t.toLowerCase(),e])))}function _o(t,e,i){var r=po.exec(e.slice(i,i+1));return r?(t.w=+r[0],i+r[0].length):-1}function vo(t,e,i){var r=po.exec(e.slice(i,i+1));return r?(t.u=+r[0],i+r[0].length):-1}function ko(t,e,i){var r=po.exec(e.slice(i,i+2));return r?(t.U=+r[0],i+r[0].length):-1}function To(t,e,i){var r=po.exec(e.slice(i,i+2));return r?(t.V=+r[0],i+r[0].length):-1}function wo(t,e,i){var r=po.exec(e.slice(i,i+2));return r?(t.W=+r[0],i+r[0].length):-1}function So(t,e,i){var r=po.exec(e.slice(i,i+4));return r?(t.y=+r[0],i+r[0].length):-1}function Bo(t,e,i){var r=po.exec(e.slice(i,i+2));return r?(t.y=+r[0]+(+r[0]>68?1900:2e3),i+r[0].length):-1}function Fo(t,e,i){var r=/^(Z)|([+-]\d\d)(?::?(\d\d))?/.exec(e.slice(i,i+6));return r?(t.Z=r[1]?0:-(r[2]+(r[3]||"00")),i+r[0].length):-1}function Lo(t,e,i){var r=po.exec(e.slice(i,i+1));return r?(t.q=3*r[0]-3,i+r[0].length):-1}function Ao(t,e,i){var r=po.exec(e.slice(i,i+2));return r?(t.m=r[0]-1,i+r[0].length):-1}function Mo(t,e,i){var r=po.exec(e.slice(i,i+2));return r?(t.d=+r[0],i+r[0].length):-1}function Eo(t,e,i){var r=po.exec(e.slice(i,i+3));return r?(t.m=0,t.d=+r[0],i+r[0].length):-1}function No(t,e,i){var r=po.exec(e.slice(i,i+2));return r?(t.H=+r[0],i+r[0].length):-1}function Zo(t,e,i){var r=po.exec(e.slice(i,i+2));return r?(t.M=+r[0],i+r[0].length):-1}function jo(t,e,i){var r=po.exec(e.slice(i,i+2));return r?(t.S=+r[0],i+r[0].length):-1}function Io(t,e,i){var r=po.exec(e.slice(i,i+3));return r?(t.L=+r[0],i+r[0].length):-1}function Oo(t,e,i){var r=po.exec(e.slice(i,i+6));return r?(t.L=Math.floor(r[0]/1e3),i+r[0].length):-1}function Do(t,e,i){var r=go.exec(e.slice(i,i+1));return r?i+r[0].length:-1}function qo(t,e,i){var r=po.exec(e.slice(i));return r?(t.Q=+r[0],i+r[0].length):-1}function $o(t,e,i){var r=po.exec(e.slice(i));return r?(t.s=+r[0],i+r[0].length):-1}function zo(t,e){return yo(t.getDate(),e,2)}function Po(t,e){return yo(t.getHours(),e,2)}function Ro(t,e){return yo(t.getHours()%12||12,e,2)}function Ho(t,e){return yo(1+Nn.count(to(t),t),e,3)}function Wo(t,e){return yo(t.getMilliseconds(),e,3)}function Uo(t,e){return Wo(t,e)+"000"}function Yo(t,e){return yo(t.getMonth()+1,e,2)}function Vo(t,e){return yo(t.getMinutes(),e,2)}function Go(t,e){return yo(t.getSeconds(),e,2)}function Xo(t){var e=t.getDay();return 0===e?7:e}function Jo(t,e){return yo(On.count(to(t)-1,t),e,2)}function Qo(t){var e=t.getDay();return e>=4||0===e?zn(t):zn.ceil(t)}function Ko(t,e){return t=Qo(t),yo(zn.count(to(t),t)+(4===to(t).getDay()),e,2)}function ta(t){return t.getDay()}function ea(t,e){return yo(Dn.count(to(t)-1,t),e,2)}function ia(t,e){return yo(t.getFullYear()%100,e,2)}function ra(t,e){return yo((t=Qo(t)).getFullYear()%100,e,2)}function na(t,e){return yo(t.getFullYear()%1e4,e,4)}function oa(t,e){var i=t.getDay();return yo((t=i>=4||0===i?zn(t):zn.ceil(t)).getFullYear()%1e4,e,4)}function aa(t){var e=t.getTimezoneOffset();return(e>0?"-":(e*=-1,"+"))+yo(e/60|0,"0",2)+yo(e%60,"0",2)}function sa(t,e){return yo(t.getUTCDate(),e,2)}function la(t,e){return yo(t.getUTCHours(),e,2)}function ca(t,e){return yo(t.getUTCHours()%12||12,e,2)}function ha(t,e){return yo(1+Zn.count(eo(t),t),e,3)}function ua(t,e){return yo(t.getUTCMilliseconds(),e,3)}function da(t,e){return ua(t,e)+"000"}function fa(t,e){return yo(t.getUTCMonth()+1,e,2)}function pa(t,e){return yo(t.getUTCMinutes(),e,2)}function ga(t,e){return yo(t.getUTCSeconds(),e,2)}function ma(t){var e=t.getUTCDay();return 0===e?7:e}function ya(t,e){return yo(Wn.count(eo(t)-1,t),e,2)}function xa(t){var e=t.getUTCDay();return e>=4||0===e?Gn(t):Gn.ceil(t)}function ba(t,e){return t=xa(t),yo(Gn.count(eo(t),t)+(4===eo(t).getUTCDay()),e,2)}function Ca(t){return t.getUTCDay()}function _a(t,e){return yo(Un.count(eo(t)-1,t),e,2)}function va(t,e){return yo(t.getUTCFullYear()%100,e,2)}function ka(t,e){return yo((t=xa(t)).getUTCFullYear()%100,e,2)}function Ta(t,e){return yo(t.getUTCFullYear()%1e4,e,4)}function wa(t,e){var i=t.getUTCDay();return yo((t=i>=4||0===i?Gn(t):Gn.ceil(t)).getUTCFullYear()%1e4,e,4)}function Sa(){return"+0000"}function Ba(){return"%"}function Fa(t){return+t}function La(t){return Math.floor(+t/1e3)}function Aa(t){return new Date(t)}function Ma(t){return t instanceof Date?+t:+new Date(+t)}function Ea(t,e,i,r,n,o,a,s,l,c){var h=Jr(),u=h.invert,d=h.domain,f=c(".%L"),p=c(":%S"),g=c("%I:%M"),m=c("%I %p"),y=c("%a %d"),x=c("%b %d"),b=c("%B"),C=c("%Y");function _(t){return(l(t)<t?f:s(t)<t?p:a(t)<t?g:o(t)<t?m:r(t)<t?n(t)<t?y:x:i(t)<t?b:C)(t)}return h.invert=function(t){return new Date(u(t))},h.domain=function(t){return arguments.length?d(Array.from(t,Ma)):d().map(Aa)},h.ticks=function(e){var i=d();return t(i[0],i[i.length-1],null==e?10:e)},h.tickFormat=function(t,e){return null==e?_:c(e)},h.nice=function(t){var i=d();return t&&"function"==typeof t.range||(t=e(i[0],i[i.length-1],null==t?10:t)),t?d(function(t,e){var i,r=0,n=(t=t.slice()).length-1,o=t[r],a=t[n];return a<o&&(i=r,r=n,n=i,i=o,o=a,a=i),t[r]=e.floor(o),t[n]=e.ceil(a),t}(i,t)):h},h.copy=function(){return Gr(h,Ea(t,e,i,r,n,o,a,s,l,c))},h}function Na(){return gr.apply(Ea(oo,ao,to,Qn,On,Nn,Mn,Ln,Fn,uo).domain([new Date(2e3,0,1),new Date(2e3,0,2)]),arguments)}!function(t){ho=function(t){var e=t.dateTime,i=t.date,r=t.time,n=t.periods,o=t.days,a=t.shortDays,s=t.months,l=t.shortMonths,c=bo(n),h=Co(n),u=bo(o),d=Co(o),f=bo(a),p=Co(a),g=bo(s),m=Co(s),y=bo(l),x=Co(l),b={a:function(t){return a[t.getDay()]},A:function(t){return o[t.getDay()]},b:function(t){return l[t.getMonth()]},B:function(t){return s[t.getMonth()]},c:null,d:zo,e:zo,f:Uo,g:ra,G:oa,H:Po,I:Ro,j:Ho,L:Wo,m:Yo,M:Vo,p:function(t){return n[+(t.getHours()>=12)]},q:function(t){return 1+~~(t.getMonth()/3)},Q:Fa,s:La,S:Go,u:Xo,U:Jo,V:Ko,w:ta,W:ea,x:null,X:null,y:ia,Y:na,Z:aa,"%":Ba},C={a:function(t){return a[t.getUTCDay()]},A:function(t){return o[t.getUTCDay()]},b:function(t){return l[t.getUTCMonth()]},B:function(t){return s[t.getUTCMonth()]},c:null,d:sa,e:sa,f:da,g:ka,G:wa,H:la,I:ca,j:ha,L:ua,m:fa,M:pa,p:function(t){return n[+(t.getUTCHours()>=12)]},q:function(t){return 1+~~(t.getUTCMonth()/3)},Q:Fa,s:La,S:ga,u:ma,U:ya,V:ba,w:Ca,W:_a,x:null,X:null,y:va,Y:Ta,Z:Sa,"%":Ba},_={a:function(t,e,i){var r=f.exec(e.slice(i));return r?(t.w=p.get(r[0].toLowerCase()),i+r[0].length):-1},A:function(t,e,i){var r=u.exec(e.slice(i));return r?(t.w=d.get(r[0].toLowerCase()),i+r[0].length):-1},b:function(t,e,i){var r=y.exec(e.slice(i));return r?(t.m=x.get(r[0].toLowerCase()),i+r[0].length):-1},B:function(t,e,i){var r=g.exec(e.slice(i));return r?(t.m=m.get(r[0].toLowerCase()),i+r[0].length):-1},c:function(t,i,r){return T(t,e,i,r)},d:Mo,e:Mo,f:Oo,g:Bo,G:So,H:No,I:No,j:Eo,L:Io,m:Ao,M:Zo,p:function(t,e,i){var r=c.exec(e.slice(i));return r?(t.p=h.get(r[0].toLowerCase()),i+r[0].length):-1},q:Lo,Q:qo,s:$o,S:jo,u:vo,U:ko,V:To,w:_o,W:wo,x:function(t,e,r){return T(t,i,e,r)},X:function(t,e,i){return T(t,r,e,i)},y:Bo,Y:So,Z:Fo,"%":Do};function v(t,e){return function(i){var r,n,o,a=[],s=-1,l=0,c=t.length;for(i instanceof Date||(i=new Date(+i));++s<c;)37===t.charCodeAt(s)&&(a.push(t.slice(l,s)),null!=(n=fo[r=t.charAt(++s)])?r=t.charAt(++s):n="e"===r?" ":"0",(o=e[r])&&(r=o(i,n)),a.push(r),l=s+1);return a.push(t.slice(l,s)),a.join("")}}function k(t,e){return function(i){var r,n,o=co(1900,void 0,1);if(T(o,t,i+="",0)!=i.length)return null;if("Q"in o)return new Date(o.Q);if("s"in o)return new Date(1e3*o.s+("L"in o?o.L:0));if(e&&!("Z"in o)&&(o.Z=0),"p"in o&&(o.H=o.H%12+12*o.p),void 0===o.m&&(o.m="q"in o?o.q:0),"V"in o){if(o.V<1||o.V>53)return null;"w"in o||(o.w=1),"Z"in o?(n=(r=lo(co(o.y,0,1))).getUTCDay(),r=n>4||0===n?Un.ceil(r):Un(r),r=Zn.offset(r,7*(o.V-1)),o.y=r.getUTCFullYear(),o.m=r.getUTCMonth(),o.d=r.getUTCDate()+(o.w+6)%7):(n=(r=so(co(o.y,0,1))).getDay(),r=n>4||0===n?Dn.ceil(r):Dn(r),r=Nn.offset(r,7*(o.V-1)),o.y=r.getFullYear(),o.m=r.getMonth(),o.d=r.getDate()+(o.w+6)%7)}else("W"in o||"U"in o)&&("w"in o||(o.w="u"in o?o.u%7:"W"in o?1:0),n="Z"in o?lo(co(o.y,0,1)).getUTCDay():so(co(o.y,0,1)).getDay(),o.m=0,o.d="W"in o?(o.w+6)%7+7*o.W-(n+5)%7:o.w+7*o.U-(n+6)%7);return"Z"in o?(o.H+=o.Z/100|0,o.M+=o.Z%100,lo(o)):so(o)}}function T(t,e,i,r){for(var n,o,a=0,s=e.length,l=i.length;a<s;){if(r>=l)return-1;if(37===(n=e.charCodeAt(a++))){if(n=e.charAt(a++),!(o=_[n in fo?e.charAt(a++):n])||(r=o(t,i,r))<0)return-1}else if(n!=i.charCodeAt(r++))return-1}return r}return b.x=v(i,b),b.X=v(r,b),b.c=v(e,b),C.x=v(i,C),C.X=v(r,C),C.c=v(e,C),{format:function(t){var e=v(t+="",b);return e.toString=function(){return t},e},parse:function(t){var e=k(t+="",!1);return e.toString=function(){return t},e},utcFormat:function(t){var e=v(t+="",C);return e.toString=function(){return t},e},utcParse:function(t){var e=k(t+="",!0);return e.toString=function(){return t},e}}}(t),uo=ho.format,ho.parse,ho.utcFormat,ho.utcParse}({dateTime:"%x, %X",date:"%-m/%-d/%Y",time:"%-I:%M:%S %p",periods:["AM","PM"],days:["Sunday","Monday","Tuesday","Wednesday","Thursday","Friday","Saturday"],shortDays:["Sun","Mon","Tue","Wed","Thu","Fri","Sat"],months:["January","February","March","April","May","June","July","August","September","October","November","December"],shortMonths:["Jan","Feb","Mar","Apr","May","Jun","Jul","Aug","Sep","Oct","Nov","Dec"]});const Za=function(t){for(var e=t.length/6|0,i=new Array(e),r=0;r<e;)i[r]="#"+t.slice(6*r,6*++r);return i}("4e79a7f28e2ce1575976b7b259a14fedc949af7aa1ff9da79c755fbab0ab");function ja(t){return"string"==typeof t?new Lt([[document.querySelector(t)]],[document.documentElement]):new Lt([[t]],Ft)}function Ia(t){return"string"==typeof t?new Lt([document.querySelectorAll(t)],[document.documentElement]):new Lt([_(t)],Ft)}function Oa(t){return function(){return t}}const Da=Math.abs,qa=Math.atan2,$a=Math.cos,za=Math.max,Pa=Math.min,Ra=Math.sin,Ha=Math.sqrt,Wa=1e-12,Ua=Math.PI,Ya=Ua/2,Va=2*Ua;function Ga(t){return t>=1?Ya:t<=-1?-Ya:Math.asin(t)}const Xa=Math.PI,Ja=2*Xa,Qa=1e-6,Ka=Ja-Qa;function ts(t){this._+=t[0];for(let e=1,i=t.length;e<i;++e)this._+=arguments[e]+t[e]}class es{constructor(t){this._x0=this._y0=this._x1=this._y1=null,this._="",this._append=null==t?ts:function(t){let e=Math.floor(t);if(!(e>=0))throw new Error(`invalid digits: ${t}`);if(e>15)return ts;const i=10**e;return function(t){this._+=t[0];for(let e=1,r=t.length;e<r;++e)this._+=Math.round(arguments[e]*i)/i+t[e]}}(t)}moveTo(t,e){this._append`M${this._x0=this._x1=+t},${this._y0=this._y1=+e}`}closePath(){null!==this._x1&&(this._x1=this._x0,this._y1=this._y0,this._append`Z`)}lineTo(t,e){this._append`L${this._x1=+t},${this._y1=+e}`}quadraticCurveTo(t,e,i,r){this._append`Q${+t},${+e},${this._x1=+i},${this._y1=+r}`}bezierCurveTo(t,e,i,r,n,o){this._append`C${+t},${+e},${+i},${+r},${this._x1=+n},${this._y1=+o}`}arcTo(t,e,i,r,n){if(t=+t,e=+e,i=+i,r=+r,(n=+n)<0)throw new Error(`negative radius: ${n}`);let o=this._x1,a=this._y1,s=i-t,l=r-e,c=o-t,h=a-e,u=c*c+h*h;if(null===this._x1)this._append`M${this._x1=t},${this._y1=e}`;else if(u>Qa)if(Math.abs(h*s-l*c)>Qa&&n){let d=i-o,f=r-a,p=s*s+l*l,g=d*d+f*f,m=Math.sqrt(p),y=Math.sqrt(u),x=n*Math.tan((Xa-Math.acos((p+u-g)/(2*m*y)))/2),b=x/y,C=x/m;Math.abs(b-1)>Qa&&this._append`L${t+b*c},${e+b*h}`,this._append`A${n},${n},0,0,${+(h*d>c*f)},${this._x1=t+C*s},${this._y1=e+C*l}`}else this._append`L${this._x1=t},${this._y1=e}`;else;}arc(t,e,i,r,n,o){if(t=+t,e=+e,o=!!o,(i=+i)<0)throw new Error(`negative radius: ${i}`);let a=i*Math.cos(r),s=i*Math.sin(r),l=t+a,c=e+s,h=1^o,u=o?r-n:n-r;null===this._x1?this._append`M${l},${c}`:(Math.abs(this._x1-l)>Qa||Math.abs(this._y1-c)>Qa)&&this._append`L${l},${c}`,i&&(u<0&&(u=u%Ja+Ja),u>Ka?this._append`A${i},${i},0,1,${h},${t-a},${e-s}A${i},${i},0,1,${h},${this._x1=l},${this._y1=c}`:u>Qa&&this._append`A${i},${i},0,${+(u>=Xa)},${h},${this._x1=t+i*Math.cos(n)},${this._y1=e+i*Math.sin(n)}`)}rect(t,e,i,r){this._append`M${this._x0=this._x1=+t},${this._y0=this._y1=+e}h${i=+i}v${+r}h${-i}Z`}toString(){return this._}}function is(t){let e=3;return t.digits=function(i){if(!arguments.length)return e;if(null==i)e=null;else{const t=Math.floor(i);if(!(t>=0))throw new RangeError(`invalid digits: ${i}`);e=t}return t},()=>new es(e)}function rs(t){return t.innerRadius}function ns(t){return t.outerRadius}function os(t){return t.startAngle}function as(t){return t.endAngle}function ss(t){return t&&t.padAngle}function ls(t,e,i,r,n,o,a){var s=t-i,l=e-r,c=(a?o:-o)/Ha(s*s+l*l),h=c*l,u=-c*s,d=t+h,f=e+u,p=i+h,g=r+u,m=(d+p)/2,y=(f+g)/2,x=p-d,b=g-f,C=x*x+b*b,_=n-o,v=d*g-p*f,k=(b<0?-1:1)*Ha(za(0,_*_*C-v*v)),T=(v*b-x*k)/C,w=(-v*x-b*k)/C,S=(v*b+x*k)/C,B=(-v*x+b*k)/C,F=T-m,L=w-y,A=S-m,M=B-y;return F*F+L*L>A*A+M*M&&(T=S,w=B),{cx:T,cy:w,x01:-h,y01:-u,x11:T*(n/_-1),y11:w*(n/_-1)}}function cs(){var t=rs,e=ns,i=Oa(0),r=null,n=os,o=as,a=ss,s=null,l=is(c);function c(){var c,h,u,d=+t.apply(this,arguments),f=+e.apply(this,arguments),p=n.apply(this,arguments)-Ya,g=o.apply(this,arguments)-Ya,m=Da(g-p),y=g>p;if(s||(s=c=l()),f<d&&(h=f,f=d,d=h),f>Wa)if(m>Va-Wa)s.moveTo(f*$a(p),f*Ra(p)),s.arc(0,0,f,p,g,!y),d>Wa&&(s.moveTo(d*$a(g),d*Ra(g)),s.arc(0,0,d,g,p,y));else{var x,b,C=p,_=g,v=p,k=g,T=m,w=m,S=a.apply(this,arguments)/2,B=S>Wa&&(r?+r.apply(this,arguments):Ha(d*d+f*f)),F=Pa(Da(f-d)/2,+i.apply(this,arguments)),L=F,A=F;if(B>Wa){var M=Ga(B/d*Ra(S)),E=Ga(B/f*Ra(S));(T-=2*M)>Wa?(v+=M*=y?1:-1,k-=M):(T=0,v=k=(p+g)/2),(w-=2*E)>Wa?(C+=E*=y?1:-1,_-=E):(w=0,C=_=(p+g)/2)}var N=f*$a(C),Z=f*Ra(C),j=d*$a(k),I=d*Ra(k);if(F>Wa){var O,D=f*$a(_),q=f*Ra(_),$=d*$a(v),z=d*Ra(v);if(m<Ua)if(O=function(t,e,i,r,n,o,a,s){var l=i-t,c=r-e,h=a-n,u=s-o,d=u*l-h*c;if(!(d*d<Wa))return[t+(d=(h*(e-o)-u*(t-n))/d)*l,e+d*c]}(N,Z,$,z,D,q,j,I)){var P=N-O[0],R=Z-O[1],H=D-O[0],W=q-O[1],U=1/Ra(((u=(P*H+R*W)/(Ha(P*P+R*R)*Ha(H*H+W*W)))>1?0:u<-1?Ua:Math.acos(u))/2),Y=Ha(O[0]*O[0]+O[1]*O[1]);L=Pa(F,(d-Y)/(U-1)),A=Pa(F,(f-Y)/(U+1))}else L=A=0}w>Wa?A>Wa?(x=ls($,z,N,Z,f,A,y),b=ls(D,q,j,I,f,A,y),s.moveTo(x.cx+x.x01,x.cy+x.y01),A<F?s.arc(x.cx,x.cy,A,qa(x.y01,x.x01),qa(b.y01,b.x01),!y):(s.arc(x.cx,x.cy,A,qa(x.y01,x.x01),qa(x.y11,x.x11),!y),s.arc(0,0,f,qa(x.cy+x.y11,x.cx+x.x11),qa(b.cy+b.y11,b.cx+b.x11),!y),s.arc(b.cx,b.cy,A,qa(b.y11,b.x11),qa(b.y01,b.x01),!y))):(s.moveTo(N,Z),s.arc(0,0,f,C,_,!y)):s.moveTo(N,Z),d>Wa&&T>Wa?L>Wa?(x=ls(j,I,D,q,d,-L,y),b=ls(N,Z,$,z,d,-L,y),s.lineTo(x.cx+x.x01,x.cy+x.y01),L<F?s.arc(x.cx,x.cy,L,qa(x.y01,x.x01),qa(b.y01,b.x01),!y):(s.arc(x.cx,x.cy,L,qa(x.y01,x.x01),qa(x.y11,x.x11),!y),s.arc(0,0,d,qa(x.cy+x.y11,x.cx+x.x11),qa(b.cy+b.y11,b.cx+b.x11),y),s.arc(b.cx,b.cy,L,qa(b.y11,b.x11),qa(b.y01,b.x01),!y))):s.arc(0,0,d,k,v,y):s.lineTo(j,I)}else s.moveTo(0,0);if(s.closePath(),c)return s=null,c+""||null}return c.centroid=function(){var i=(+t.apply(this,arguments)+ +e.apply(this,arguments))/2,r=(+n.apply(this,arguments)+ +o.apply(this,arguments))/2-Ua/2;return[$a(r)*i,Ra(r)*i]},c.innerRadius=function(e){return arguments.length?(t="function"==typeof e?e:Oa(+e),c):t},c.outerRadius=function(t){return arguments.length?(e="function"==typeof t?t:Oa(+t),c):e},c.cornerRadius=function(t){return arguments.length?(i="function"==typeof t?t:Oa(+t),c):i},c.padRadius=function(t){return arguments.length?(r=null==t?null:"function"==typeof t?t:Oa(+t),c):r},c.startAngle=function(t){return arguments.length?(n="function"==typeof t?t:Oa(+t),c):n},c.endAngle=function(t){return arguments.length?(o="function"==typeof t?t:Oa(+t),c):o},c.padAngle=function(t){return arguments.length?(a="function"==typeof t?t:Oa(+t),c):a},c.context=function(t){return arguments.length?(s=null==t?null:t,c):s},c}es.prototype;Array.prototype.slice;function hs(t){return"object"==typeof t&&"length"in t?t:Array.from(t)}function us(t){this._context=t}function ds(t){return new us(t)}function fs(t){return t[0]}function ps(t){return t[1]}function gs(t,e){var i=Oa(!0),r=null,n=ds,o=null,a=is(s);function s(s){var l,c,h,u=(s=hs(s)).length,d=!1;for(null==r&&(o=n(h=a())),l=0;l<=u;++l)!(l<u&&i(c=s[l],l,s))===d&&((d=!d)?o.lineStart():o.lineEnd()),d&&o.point(+t(c,l,s),+e(c,l,s));if(h)return o=null,h+""||null}return t="function"==typeof t?t:void 0===t?fs:Oa(t),e="function"==typeof e?e:void 0===e?ps:Oa(e),s.x=function(e){return arguments.length?(t="function"==typeof e?e:Oa(+e),s):t},s.y=function(t){return arguments.length?(e="function"==typeof t?t:Oa(+t),s):e},s.defined=function(t){return arguments.length?(i="function"==typeof t?t:Oa(!!t),s):i},s.curve=function(t){return arguments.length?(n=t,null!=r&&(o=n(r)),s):n},s.context=function(t){return arguments.length?(null==t?r=o=null:o=n(r=t),s):r},s}function ms(t,e){return e<t?-1:e>t?1:e>=t?0:NaN}function ys(t){return t}function xs(){var t=ys,e=ms,i=null,r=Oa(0),n=Oa(Va),o=Oa(0);function a(a){var s,l,c,h,u,d=(a=hs(a)).length,f=0,p=new Array(d),g=new Array(d),m=+r.apply(this,arguments),y=Math.min(Va,Math.max(-Va,n.apply(this,arguments)-m)),x=Math.min(Math.abs(y)/d,o.apply(this,arguments)),b=x*(y<0?-1:1);for(s=0;s<d;++s)(u=g[p[s]=s]=+t(a[s],s,a))>0&&(f+=u);for(null!=e?p.sort((function(t,i){return e(g[t],g[i])})):null!=i&&p.sort((function(t,e){return i(a[t],a[e])})),s=0,c=f?(y-d*b)/f:0;s<d;++s,m=h)l=p[s],h=m+((u=g[l])>0?u*c:0)+b,g[l]={data:a[l],index:s,value:u,startAngle:m,endAngle:h,padAngle:x};return g}return a.value=function(e){return arguments.length?(t="function"==typeof e?e:Oa(+e),a):t},a.sortValues=function(t){return arguments.length?(e=t,i=null,a):e},a.sort=function(t){return arguments.length?(i=t,e=null,a):i},a.startAngle=function(t){return arguments.length?(r="function"==typeof t?t:Oa(+t),a):r},a.endAngle=function(t){return arguments.length?(n="function"==typeof t?t:Oa(+t),a):n},a.padAngle=function(t){return arguments.length?(o="function"==typeof t?t:Oa(+t),a):o},a}function bs(){}function Cs(t,e,i){t._context.bezierCurveTo((2*t._x0+t._x1)/3,(2*t._y0+t._y1)/3,(t._x0+2*t._x1)/3,(t._y0+2*t._y1)/3,(t._x0+4*t._x1+e)/6,(t._y0+4*t._y1+i)/6)}function _s(t){this._context=t}function vs(t){return new _s(t)}function ks(t){this._context=t}function Ts(t){return new ks(t)}function ws(t){this._context=t}function Ss(t){return new ws(t)}us.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._point=0},lineEnd:function(){(this._line||0!==this._line&&1===this._point)&&this._context.closePath(),this._line=1-this._line},point:function(t,e){switch(t=+t,e=+e,this._point){case 0:this._point=1,this._line?this._context.lineTo(t,e):this._context.moveTo(t,e);break;case 1:this._point=2;default:this._context.lineTo(t,e)}}},_s.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._x0=this._x1=this._y0=this._y1=NaN,this._point=0},lineEnd:function(){switch(this._point){case 3:Cs(this,this._x1,this._y1);case 2:this._context.lineTo(this._x1,this._y1)}(this._line||0!==this._line&&1===this._point)&&this._context.closePath(),this._line=1-this._line},point:function(t,e){switch(t=+t,e=+e,this._point){case 0:this._point=1,this._line?this._context.lineTo(t,e):this._context.moveTo(t,e);break;case 1:this._point=2;break;case 2:this._point=3,this._context.lineTo((5*this._x0+this._x1)/6,(5*this._y0+this._y1)/6);default:Cs(this,t,e)}this._x0=this._x1,this._x1=t,this._y0=this._y1,this._y1=e}},ks.prototype={areaStart:bs,areaEnd:bs,lineStart:function(){this._x0=this._x1=this._x2=this._x3=this._x4=this._y0=this._y1=this._y2=this._y3=this._y4=NaN,this._point=0},lineEnd:function(){switch(this._point){case 1:this._context.moveTo(this._x2,this._y2),this._context.closePath();break;case 2:this._context.moveTo((this._x2+2*this._x3)/3,(this._y2+2*this._y3)/3),this._context.lineTo((this._x3+2*this._x2)/3,(this._y3+2*this._y2)/3),this._context.closePath();break;case 3:this.point(this._x2,this._y2),this.point(this._x3,this._y3),this.point(this._x4,this._y4)}},point:function(t,e){switch(t=+t,e=+e,this._point){case 0:this._point=1,this._x2=t,this._y2=e;break;case 1:this._point=2,this._x3=t,this._y3=e;break;case 2:this._point=3,this._x4=t,this._y4=e,this._context.moveTo((this._x0+4*this._x1+t)/6,(this._y0+4*this._y1+e)/6);break;default:Cs(this,t,e)}this._x0=this._x1,this._x1=t,this._y0=this._y1,this._y1=e}},ws.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._x0=this._x1=this._y0=this._y1=NaN,this._point=0},lineEnd:function(){(this._line||0!==this._line&&3===this._point)&&this._context.closePath(),this._line=1-this._line},point:function(t,e){switch(t=+t,e=+e,this._point){case 0:this._point=1;break;case 1:this._point=2;break;case 2:this._point=3;var i=(this._x0+4*this._x1+t)/6,r=(this._y0+4*this._y1+e)/6;this._line?this._context.lineTo(i,r):this._context.moveTo(i,r);break;case 3:this._point=4;default:Cs(this,t,e)}this._x0=this._x1,this._x1=t,this._y0=this._y1,this._y1=e}};class Bs{constructor(t,e){this._context=t,this._x=e}areaStart(){this._line=0}areaEnd(){this._line=NaN}lineStart(){this._point=0}lineEnd(){(this._line||0!==this._line&&1===this._point)&&this._context.closePath(),this._line=1-this._line}point(t,e){switch(t=+t,e=+e,this._point){case 0:this._point=1,this._line?this._context.lineTo(t,e):this._context.moveTo(t,e);break;case 1:this._point=2;default:this._x?this._context.bezierCurveTo(this._x0=(this._x0+t)/2,this._y0,this._x0,e,t,e):this._context.bezierCurveTo(this._x0,this._y0=(this._y0+e)/2,t,this._y0,t,e)}this._x0=t,this._y0=e}}function Fs(t){return new Bs(t,!0)}function Ls(t){return new Bs(t,!1)}function As(t,e){this._basis=new _s(t),this._beta=e}As.prototype={lineStart:function(){this._x=[],this._y=[],this._basis.lineStart()},lineEnd:function(){var t=this._x,e=this._y,i=t.length-1;if(i>0)for(var r,n=t[0],o=e[0],a=t[i]-n,s=e[i]-o,l=-1;++l<=i;)r=l/i,this._basis.point(this._beta*t[l]+(1-this._beta)*(n+r*a),this._beta*e[l]+(1-this._beta)*(o+r*s));this._x=this._y=null,this._basis.lineEnd()},point:function(t,e){this._x.push(+t),this._y.push(+e)}};const Ms=function t(e){function i(t){return 1===e?new _s(t):new As(t,e)}return i.beta=function(e){return t(+e)},i}(.85);function Es(t,e,i){t._context.bezierCurveTo(t._x1+t._k*(t._x2-t._x0),t._y1+t._k*(t._y2-t._y0),t._x2+t._k*(t._x1-e),t._y2+t._k*(t._y1-i),t._x2,t._y2)}function Ns(t,e){this._context=t,this._k=(1-e)/6}Ns.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._x0=this._x1=this._x2=this._y0=this._y1=this._y2=NaN,this._point=0},lineEnd:function(){switch(this._point){case 2:this._context.lineTo(this._x2,this._y2);break;case 3:Es(this,this._x1,this._y1)}(this._line||0!==this._line&&1===this._point)&&this._context.closePath(),this._line=1-this._line},point:function(t,e){switch(t=+t,e=+e,this._point){case 0:this._point=1,this._line?this._context.lineTo(t,e):this._context.moveTo(t,e);break;case 1:this._point=2,this._x1=t,this._y1=e;break;case 2:this._point=3;default:Es(this,t,e)}this._x0=this._x1,this._x1=this._x2,this._x2=t,this._y0=this._y1,this._y1=this._y2,this._y2=e}};const Zs=function t(e){function i(t){return new Ns(t,e)}return i.tension=function(e){return t(+e)},i}(0);function js(t,e){this._context=t,this._k=(1-e)/6}js.prototype={areaStart:bs,areaEnd:bs,lineStart:function(){this._x0=this._x1=this._x2=this._x3=this._x4=this._x5=this._y0=this._y1=this._y2=this._y3=this._y4=this._y5=NaN,this._point=0},lineEnd:function(){switch(this._point){case 1:this._context.moveTo(this._x3,this._y3),this._context.closePath();break;case 2:this._context.lineTo(this._x3,this._y3),this._context.closePath();break;case 3:this.point(this._x3,this._y3),this.point(this._x4,this._y4),this.point(this._x5,this._y5)}},point:function(t,e){switch(t=+t,e=+e,this._point){case 0:this._point=1,this._x3=t,this._y3=e;break;case 1:this._point=2,this._context.moveTo(this._x4=t,this._y4=e);break;case 2:this._point=3,this._x5=t,this._y5=e;break;default:Es(this,t,e)}this._x0=this._x1,this._x1=this._x2,this._x2=t,this._y0=this._y1,this._y1=this._y2,this._y2=e}};const Is=function t(e){function i(t){return new js(t,e)}return i.tension=function(e){return t(+e)},i}(0);function Os(t,e){this._context=t,this._k=(1-e)/6}Os.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._x0=this._x1=this._x2=this._y0=this._y1=this._y2=NaN,this._point=0},lineEnd:function(){(this._line||0!==this._line&&3===this._point)&&this._context.closePath(),this._line=1-this._line},point:function(t,e){switch(t=+t,e=+e,this._point){case 0:this._point=1;break;case 1:this._point=2;break;case 2:this._point=3,this._line?this._context.lineTo(this._x2,this._y2):this._context.moveTo(this._x2,this._y2);break;case 3:this._point=4;default:Es(this,t,e)}this._x0=this._x1,this._x1=this._x2,this._x2=t,this._y0=this._y1,this._y1=this._y2,this._y2=e}};const Ds=function t(e){function i(t){return new Os(t,e)}return i.tension=function(e){return t(+e)},i}(0);function qs(t,e,i){var r=t._x1,n=t._y1,o=t._x2,a=t._y2;if(t._l01_a>Wa){var s=2*t._l01_2a+3*t._l01_a*t._l12_a+t._l12_2a,l=3*t._l01_a*(t._l01_a+t._l12_a);r=(r*s-t._x0*t._l12_2a+t._x2*t._l01_2a)/l,n=(n*s-t._y0*t._l12_2a+t._y2*t._l01_2a)/l}if(t._l23_a>Wa){var c=2*t._l23_2a+3*t._l23_a*t._l12_a+t._l12_2a,h=3*t._l23_a*(t._l23_a+t._l12_a);o=(o*c+t._x1*t._l23_2a-e*t._l12_2a)/h,a=(a*c+t._y1*t._l23_2a-i*t._l12_2a)/h}t._context.bezierCurveTo(r,n,o,a,t._x2,t._y2)}function $s(t,e){this._context=t,this._alpha=e}$s.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._x0=this._x1=this._x2=this._y0=this._y1=this._y2=NaN,this._l01_a=this._l12_a=this._l23_a=this._l01_2a=this._l12_2a=this._l23_2a=this._point=0},lineEnd:function(){switch(this._point){case 2:this._context.lineTo(this._x2,this._y2);break;case 3:this.point(this._x2,this._y2)}(this._line||0!==this._line&&1===this._point)&&this._context.closePath(),this._line=1-this._line},point:function(t,e){if(t=+t,e=+e,this._point){var i=this._x2-t,r=this._y2-e;this._l23_a=Math.sqrt(this._l23_2a=Math.pow(i*i+r*r,this._alpha))}switch(this._point){case 0:this._point=1,this._line?this._context.lineTo(t,e):this._context.moveTo(t,e);break;case 1:this._point=2;break;case 2:this._point=3;default:qs(this,t,e)}this._l01_a=this._l12_a,this._l12_a=this._l23_a,this._l01_2a=this._l12_2a,this._l12_2a=this._l23_2a,this._x0=this._x1,this._x1=this._x2,this._x2=t,this._y0=this._y1,this._y1=this._y2,this._y2=e}};const zs=function t(e){function i(t){return e?new $s(t,e):new Ns(t,0)}return i.alpha=function(e){return t(+e)},i}(.5);function Ps(t,e){this._context=t,this._alpha=e}Ps.prototype={areaStart:bs,areaEnd:bs,lineStart:function(){this._x0=this._x1=this._x2=this._x3=this._x4=this._x5=this._y0=this._y1=this._y2=this._y3=this._y4=this._y5=NaN,this._l01_a=this._l12_a=this._l23_a=this._l01_2a=this._l12_2a=this._l23_2a=this._point=0},lineEnd:function(){switch(this._point){case 1:this._context.moveTo(this._x3,this._y3),this._context.closePath();break;case 2:this._context.lineTo(this._x3,this._y3),this._context.closePath();break;case 3:this.point(this._x3,this._y3),this.point(this._x4,this._y4),this.point(this._x5,this._y5)}},point:function(t,e){if(t=+t,e=+e,this._point){var i=this._x2-t,r=this._y2-e;this._l23_a=Math.sqrt(this._l23_2a=Math.pow(i*i+r*r,this._alpha))}switch(this._point){case 0:this._point=1,this._x3=t,this._y3=e;break;case 1:this._point=2,this._context.moveTo(this._x4=t,this._y4=e);break;case 2:this._point=3,this._x5=t,this._y5=e;break;default:qs(this,t,e)}this._l01_a=this._l12_a,this._l12_a=this._l23_a,this._l01_2a=this._l12_2a,this._l12_2a=this._l23_2a,this._x0=this._x1,this._x1=this._x2,this._x2=t,this._y0=this._y1,this._y1=this._y2,this._y2=e}};const Rs=function t(e){function i(t){return e?new Ps(t,e):new js(t,0)}return i.alpha=function(e){return t(+e)},i}(.5);function Hs(t,e){this._context=t,this._alpha=e}Hs.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._x0=this._x1=this._x2=this._y0=this._y1=this._y2=NaN,this._l01_a=this._l12_a=this._l23_a=this._l01_2a=this._l12_2a=this._l23_2a=this._point=0},lineEnd:function(){(this._line||0!==this._line&&3===this._point)&&this._context.closePath(),this._line=1-this._line},point:function(t,e){if(t=+t,e=+e,this._point){var i=this._x2-t,r=this._y2-e;this._l23_a=Math.sqrt(this._l23_2a=Math.pow(i*i+r*r,this._alpha))}switch(this._point){case 0:this._point=1;break;case 1:this._point=2;break;case 2:this._point=3,this._line?this._context.lineTo(this._x2,this._y2):this._context.moveTo(this._x2,this._y2);break;case 3:this._point=4;default:qs(this,t,e)}this._l01_a=this._l12_a,this._l12_a=this._l23_a,this._l01_2a=this._l12_2a,this._l12_2a=this._l23_2a,this._x0=this._x1,this._x1=this._x2,this._x2=t,this._y0=this._y1,this._y1=this._y2,this._y2=e}};const Ws=function t(e){function i(t){return e?new Hs(t,e):new Os(t,0)}return i.alpha=function(e){return t(+e)},i}(.5);function Us(t){this._context=t}function Ys(t){return new Us(t)}function Vs(t){return t<0?-1:1}function Gs(t,e,i){var r=t._x1-t._x0,n=e-t._x1,o=(t._y1-t._y0)/(r||n<0&&-0),a=(i-t._y1)/(n||r<0&&-0),s=(o*n+a*r)/(r+n);return(Vs(o)+Vs(a))*Math.min(Math.abs(o),Math.abs(a),.5*Math.abs(s))||0}function Xs(t,e){var i=t._x1-t._x0;return i?(3*(t._y1-t._y0)/i-e)/2:e}function Js(t,e,i){var r=t._x0,n=t._y0,o=t._x1,a=t._y1,s=(o-r)/3;t._context.bezierCurveTo(r+s,n+s*e,o-s,a-s*i,o,a)}function Qs(t){this._context=t}function Ks(t){this._context=new tl(t)}function tl(t){this._context=t}function el(t){return new Qs(t)}function il(t){return new Ks(t)}function rl(t){this._context=t}function nl(t){var e,i,r=t.length-1,n=new Array(r),o=new Array(r),a=new Array(r);for(n[0]=0,o[0]=2,a[0]=t[0]+2*t[1],e=1;e<r-1;++e)n[e]=1,o[e]=4,a[e]=4*t[e]+2*t[e+1];for(n[r-1]=2,o[r-1]=7,a[r-1]=8*t[r-1]+t[r],e=1;e<r;++e)i=n[e]/o[e-1],o[e]-=i,a[e]-=i*a[e-1];for(n[r-1]=a[r-1]/o[r-1],e=r-2;e>=0;--e)n[e]=(a[e]-n[e+1])/o[e];for(o[r-1]=(t[r]+n[r-1])/2,e=0;e<r-1;++e)o[e]=2*t[e+1]-n[e+1];return[n,o]}function ol(t){return new rl(t)}function al(t,e){this._context=t,this._t=e}function sl(t){return new al(t,.5)}function ll(t){return new al(t,0)}function cl(t){return new al(t,1)}function hl(t,e,i){this.k=t,this.x=e,this.y=i}Us.prototype={areaStart:bs,areaEnd:bs,lineStart:function(){this._point=0},lineEnd:function(){this._point&&this._context.closePath()},point:function(t,e){t=+t,e=+e,this._point?this._context.lineTo(t,e):(this._point=1,this._context.moveTo(t,e))}},Qs.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._x0=this._x1=this._y0=this._y1=this._t0=NaN,this._point=0},lineEnd:function(){switch(this._point){case 2:this._context.lineTo(this._x1,this._y1);break;case 3:Js(this,this._t0,Xs(this,this._t0))}(this._line||0!==this._line&&1===this._point)&&this._context.closePath(),this._line=1-this._line},point:function(t,e){var i=NaN;if(e=+e,(t=+t)!==this._x1||e!==this._y1){switch(this._point){case 0:this._point=1,this._line?this._context.lineTo(t,e):this._context.moveTo(t,e);break;case 1:this._point=2;break;case 2:this._point=3,Js(this,Xs(this,i=Gs(this,t,e)),i);break;default:Js(this,this._t0,i=Gs(this,t,e))}this._x0=this._x1,this._x1=t,this._y0=this._y1,this._y1=e,this._t0=i}}},(Ks.prototype=Object.create(Qs.prototype)).point=function(t,e){Qs.prototype.point.call(this,e,t)},tl.prototype={moveTo:function(t,e){this._context.moveTo(e,t)},closePath:function(){this._context.closePath()},lineTo:function(t,e){this._context.lineTo(e,t)},bezierCurveTo:function(t,e,i,r,n,o){this._context.bezierCurveTo(e,t,r,i,o,n)}},rl.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._x=[],this._y=[]},lineEnd:function(){var t=this._x,e=this._y,i=t.length;if(i)if(this._line?this._context.lineTo(t[0],e[0]):this._context.moveTo(t[0],e[0]),2===i)this._context.lineTo(t[1],e[1]);else for(var r=nl(t),n=nl(e),o=0,a=1;a<i;++o,++a)this._context.bezierCurveTo(r[0][o],n[0][o],r[1][o],n[1][o],t[a],e[a]);(this._line||0!==this._line&&1===i)&&this._context.closePath(),this._line=1-this._line,this._x=this._y=null},point:function(t,e){this._x.push(+t),this._y.push(+e)}},al.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._x=this._y=NaN,this._point=0},lineEnd:function(){0<this._t&&this._t<1&&2===this._point&&this._context.lineTo(this._x,this._y),(this._line||0!==this._line&&1===this._point)&&this._context.closePath(),this._line>=0&&(this._t=1-this._t,this._line=1-this._line)},point:function(t,e){switch(t=+t,e=+e,this._point){case 0:this._point=1,this._line?this._context.lineTo(t,e):this._context.moveTo(t,e);break;case 1:this._point=2;default:if(this._t<=0)this._context.lineTo(this._x,e),this._context.lineTo(t,e);else{var i=this._x*(1-this._t)+t*this._t;this._context.lineTo(i,this._y),this._context.lineTo(i,e)}}this._x=t,this._y=e}},hl.prototype={constructor:hl,scale:function(t){return 1===t?this:new hl(this.k*t,this.x,this.y)},translate:function(t,e){return 0===t&0===e?this:new hl(this.k,this.x+this.k*t,this.y+this.k*e)},apply:function(t){return[t[0]*this.k+this.x,t[1]*this.k+this.y]},applyX:function(t){return t*this.k+this.x},applyY:function(t){return t*this.k+this.y},invert:function(t){return[(t[0]-this.x)/this.k,(t[1]-this.y)/this.k]},invertX:function(t){return(t-this.x)/this.k},invertY:function(t){return(t-this.y)/this.k},rescaleX:function(t){return t.copy().domain(t.range().map(this.invertX,this).map(t.invert,t))},rescaleY:function(t){return t.copy().domain(t.range().map(this.invertY,this).map(t.invert,t))},toString:function(){return"translate("+this.x+","+this.y+") scale("+this.k+")"}};new hl(1,0,0);hl.prototype},1883:(t,e,i)=>{"use strict";i.d(e,{Z:()=>a});var r=i(1691),n=i(2142);const o=class{constructor(){this.type=n.w.ALL}get(){return this.type}set(t){if(this.type&&this.type!==t)throw new Error("Cannot change both RGB and HSL channels at the same time");this.type=t}reset(){this.type=n.w.ALL}is(t){return this.type===t}};const a=new class{constructor(t,e){this.color=e,this.changed=!1,this.data=t,this.type=new o}set(t,e){return this.color=e,this.changed=!1,this.data=t,this.type.type=n.w.ALL,this}_ensureHSL(){const t=this.data,{h:e,s:i,l:n}=t;void 0===e&&(t.h=r.Z.channel.rgb2hsl(t,"h")),void 0===i&&(t.s=r.Z.channel.rgb2hsl(t,"s")),void 0===n&&(t.l=r.Z.channel.rgb2hsl(t,"l"))}_ensureRGB(){const t=this.data,{r:e,g:i,b:n}=t;void 0===e&&(t.r=r.Z.channel.hsl2rgb(t,"r")),void 0===i&&(t.g=r.Z.channel.hsl2rgb(t,"g")),void 0===n&&(t.b=r.Z.channel.hsl2rgb(t,"b"))}get r(){const t=this.data,e=t.r;return this.type.is(n.w.HSL)||void 0===e?(this._ensureHSL(),r.Z.channel.hsl2rgb(t,"r")):e}get g(){const t=this.data,e=t.g;return this.type.is(n.w.HSL)||void 0===e?(this._ensureHSL(),r.Z.channel.hsl2rgb(t,"g")):e}get b(){const t=this.data,e=t.b;return this.type.is(n.w.HSL)||void 0===e?(this._ensureHSL(),r.Z.channel.hsl2rgb(t,"b")):e}get h(){const t=this.data,e=t.h;return this.type.is(n.w.RGB)||void 0===e?(this._ensureRGB(),r.Z.channel.rgb2hsl(t,"h")):e}get s(){const t=this.data,e=t.s;return this.type.is(n.w.RGB)||void 0===e?(this._ensureRGB(),r.Z.channel.rgb2hsl(t,"s")):e}get l(){const t=this.data,e=t.l;return this.type.is(n.w.RGB)||void 0===e?(this._ensureRGB(),r.Z.channel.rgb2hsl(t,"l")):e}get a(){return this.data.a}set r(t){this.type.set(n.w.RGB),this.changed=!0,this.data.r=t}set g(t){this.type.set(n.w.RGB),this.changed=!0,this.data.g=t}set b(t){this.type.set(n.w.RGB),this.changed=!0,this.data.b=t}set h(t){this.type.set(n.w.HSL),this.changed=!0,this.data.h=t}set s(t){this.type.set(n.w.HSL),this.changed=!0,this.data.s=t}set l(t){this.type.set(n.w.HSL),this.changed=!0,this.data.l=t}set a(t){this.changed=!0,this.data.a=t}}({r:0,g:0,b:0,a:0},"transparent")},1610:(t,e,i)=>{"use strict";i.d(e,{Z:()=>g});var r=i(1883),n=i(2142);const o={re:/^#((?:[a-f0-9]{2}){2,4}|[a-f0-9]{3})$/i,parse:t=>{if(35!==t.charCodeAt(0))return;const e=t.match(o.re);if(!e)return;const i=e[1],n=parseInt(i,16),a=i.length,s=a%4==0,l=a>4,c=l?1:17,h=l?8:4,u=s?0:-1,d=l?255:15;return r.Z.set({r:(n>>h*(u+3)&d)*c,g:(n>>h*(u+2)&d)*c,b:(n>>h*(u+1)&d)*c,a:s?(n&d)*c/255:1},t)},stringify:t=>{const{r:e,g:i,b:r,a:o}=t;return o<1?`#${n.Q[Math.round(e)]}${n.Q[Math.round(i)]}${n.Q[Math.round(r)]}${n.Q[Math.round(255*o)]}`:`#${n.Q[Math.round(e)]}${n.Q[Math.round(i)]}${n.Q[Math.round(r)]}`}},a=o;var s=i(1691);const l={re:/^hsla?\(\s*?(-?(?:\d+(?:\.\d+)?|(?:\.\d+))(?:e-?\d+)?(?:deg|grad|rad|turn)?)\s*?(?:,|\s)\s*?(-?(?:\d+(?:\.\d+)?|(?:\.\d+))(?:e-?\d+)?%)\s*?(?:,|\s)\s*?(-?(?:\d+(?:\.\d+)?|(?:\.\d+))(?:e-?\d+)?%)(?:\s*?(?:,|\/)\s*?\+?(-?(?:\d+(?:\.\d+)?|(?:\.\d+))(?:e-?\d+)?(%)?))?\s*?\)$/i,hueRe:/^(.+?)(deg|grad|rad|turn)$/i,_hue2deg:t=>{const e=t.match(l.hueRe);if(e){const[,t,i]=e;switch(i){case"grad":return s.Z.channel.clamp.h(.9*parseFloat(t));case"rad":return s.Z.channel.clamp.h(180*parseFloat(t)/Math.PI);case"turn":return s.Z.channel.clamp.h(360*parseFloat(t))}}return s.Z.channel.clamp.h(parseFloat(t))},parse:t=>{const e=t.charCodeAt(0);if(104!==e&&72!==e)return;const i=t.match(l.re);if(!i)return;const[,n,o,a,c,h]=i;return r.Z.set({h:l._hue2deg(n),s:s.Z.channel.clamp.s(parseFloat(o)),l:s.Z.channel.clamp.l(parseFloat(a)),a:c?s.Z.channel.clamp.a(h?parseFloat(c)/100:parseFloat(c)):1},t)},stringify:t=>{const{h:e,s:i,l:r,a:n}=t;return n<1?`hsla(${s.Z.lang.round(e)}, ${s.Z.lang.round(i)}%, ${s.Z.lang.round(r)}%, ${n})`:`hsl(${s.Z.lang.round(e)}, ${s.Z.lang.round(i)}%, ${s.Z.lang.round(r)}%)`}},c=l,h={colors:{aliceblue:"#f0f8ff",antiquewhite:"#faebd7",aqua:"#00ffff",aquamarine:"#7fffd4",azure:"#f0ffff",beige:"#f5f5dc",bisque:"#ffe4c4",black:"#000000",blanchedalmond:"#ffebcd",blue:"#0000ff",blueviolet:"#8a2be2",brown:"#a52a2a",burlywood:"#deb887",cadetblue:"#5f9ea0",chartreuse:"#7fff00",chocolate:"#d2691e",coral:"#ff7f50",cornflowerblue:"#6495ed",cornsilk:"#fff8dc",crimson:"#dc143c",cyanaqua:"#00ffff",darkblue:"#00008b",darkcyan:"#008b8b",darkgoldenrod:"#b8860b",darkgray:"#a9a9a9",darkgreen:"#006400",darkgrey:"#a9a9a9",darkkhaki:"#bdb76b",darkmagenta:"#8b008b",darkolivegreen:"#556b2f",darkorange:"#ff8c00",darkorchid:"#9932cc",darkred:"#8b0000",darksalmon:"#e9967a",darkseagreen:"#8fbc8f",darkslateblue:"#483d8b",darkslategray:"#2f4f4f",darkslategrey:"#2f4f4f",darkturquoise:"#00ced1",darkviolet:"#9400d3",deeppink:"#ff1493",deepskyblue:"#00bfff",dimgray:"#696969",dimgrey:"#696969",dodgerblue:"#1e90ff",firebrick:"#b22222",floralwhite:"#fffaf0",forestgreen:"#228b22",fuchsia:"#ff00ff",gainsboro:"#dcdcdc",ghostwhite:"#f8f8ff",gold:"#ffd700",goldenrod:"#daa520",gray:"#808080",green:"#008000",greenyellow:"#adff2f",grey:"#808080",honeydew:"#f0fff0",hotpink:"#ff69b4",indianred:"#cd5c5c",indigo:"#4b0082",ivory:"#fffff0",khaki:"#f0e68c",lavender:"#e6e6fa",lavenderblush:"#fff0f5",lawngreen:"#7cfc00",lemonchiffon:"#fffacd",lightblue:"#add8e6",lightcoral:"#f08080",lightcyan:"#e0ffff",lightgoldenrodyellow:"#fafad2",lightgray:"#d3d3d3",lightgreen:"#90ee90",lightgrey:"#d3d3d3",lightpink:"#ffb6c1",lightsalmon:"#ffa07a",lightseagreen:"#20b2aa",lightskyblue:"#87cefa",lightslategray:"#778899",lightslategrey:"#778899",lightsteelblue:"#b0c4de",lightyellow:"#ffffe0",lime:"#00ff00",limegreen:"#32cd32",linen:"#faf0e6",magenta:"#ff00ff",maroon:"#800000",mediumaquamarine:"#66cdaa",mediumblue:"#0000cd",mediumorchid:"#ba55d3",mediumpurple:"#9370db",mediumseagreen:"#3cb371",mediumslateblue:"#7b68ee",mediumspringgreen:"#00fa9a",mediumturquoise:"#48d1cc",mediumvioletred:"#c71585",midnightblue:"#191970",mintcream:"#f5fffa",mistyrose:"#ffe4e1",moccasin:"#ffe4b5",navajowhite:"#ffdead",navy:"#000080",oldlace:"#fdf5e6",olive:"#808000",olivedrab:"#6b8e23",orange:"#ffa500",orangered:"#ff4500",orchid:"#da70d6",palegoldenrod:"#eee8aa",palegreen:"#98fb98",paleturquoise:"#afeeee",palevioletred:"#db7093",papayawhip:"#ffefd5",peachpuff:"#ffdab9",peru:"#cd853f",pink:"#ffc0cb",plum:"#dda0dd",powderblue:"#b0e0e6",purple:"#800080",rebeccapurple:"#663399",red:"#ff0000",rosybrown:"#bc8f8f",royalblue:"#4169e1",saddlebrown:"#8b4513",salmon:"#fa8072",sandybrown:"#f4a460",seagreen:"#2e8b57",seashell:"#fff5ee",sienna:"#a0522d",silver:"#c0c0c0",skyblue:"#87ceeb",slateblue:"#6a5acd",slategray:"#708090",slategrey:"#708090",snow:"#fffafa",springgreen:"#00ff7f",tan:"#d2b48c",teal:"#008080",thistle:"#d8bfd8",transparent:"#00000000",turquoise:"#40e0d0",violet:"#ee82ee",wheat:"#f5deb3",white:"#ffffff",whitesmoke:"#f5f5f5",yellow:"#ffff00",yellowgreen:"#9acd32"},parse:t=>{t=t.toLowerCase();const e=h.colors[t];if(e)return a.parse(e)},stringify:t=>{const e=a.stringify(t);for(const i in h.colors)if(h.colors[i]===e)return i}},u=h,d={re:/^rgba?\(\s*?(-?(?:\d+(?:\.\d+)?|(?:\.\d+))(?:e\d+)?(%?))\s*?(?:,|\s)\s*?(-?(?:\d+(?:\.\d+)?|(?:\.\d+))(?:e\d+)?(%?))\s*?(?:,|\s)\s*?(-?(?:\d+(?:\.\d+)?|(?:\.\d+))(?:e\d+)?(%?))(?:\s*?(?:,|\/)\s*?\+?(-?(?:\d+(?:\.\d+)?|(?:\.\d+))(?:e\d+)?(%?)))?\s*?\)$/i,parse:t=>{const e=t.charCodeAt(0);if(114!==e&&82!==e)return;const i=t.match(d.re);if(!i)return;const[,n,o,a,l,c,h,u,f]=i;return r.Z.set({r:s.Z.channel.clamp.r(o?2.55*parseFloat(n):parseFloat(n)),g:s.Z.channel.clamp.g(l?2.55*parseFloat(a):parseFloat(a)),b:s.Z.channel.clamp.b(h?2.55*parseFloat(c):parseFloat(c)),a:u?s.Z.channel.clamp.a(f?parseFloat(u)/100:parseFloat(u)):1},t)},stringify:t=>{const{r:e,g:i,b:r,a:n}=t;return n<1?`rgba(${s.Z.lang.round(e)}, ${s.Z.lang.round(i)}, ${s.Z.lang.round(r)}, ${s.Z.lang.round(n)})`:`rgb(${s.Z.lang.round(e)}, ${s.Z.lang.round(i)}, ${s.Z.lang.round(r)})`}},f=d,p={format:{keyword:h,hex:a,rgb:d,rgba:d,hsl:l,hsla:l},parse:t=>{if("string"!=typeof t)return t;const e=a.parse(t)||f.parse(t)||c.parse(t)||u.parse(t);if(e)return e;throw new Error(`Unsupported color format: "${t}"`)},stringify:t=>!t.changed&&t.color?t.color:t.type.is(n.w.HSL)||void 0===t.data.r?c.stringify(t):t.a<1||!Number.isInteger(t.r)||!Number.isInteger(t.g)||!Number.isInteger(t.b)?f.stringify(t):a.stringify(t)},g=p},2142:(t,e,i)=>{"use strict";i.d(e,{Q:()=>n,w:()=>o});var r=i(1691);const n={};for(let a=0;a<=255;a++)n[a]=r.Z.unit.dec2hex(a);const o={ALL:0,RGB:1,HSL:2}},6174:(t,e,i)=>{"use strict";i.d(e,{Z:()=>o});var r=i(1691),n=i(1610);const o=(t,e,i)=>{const o=n.Z.parse(t),a=o[e],s=r.Z.channel.clamp[e](a+i);return a!==s&&(o[e]=s),n.Z.stringify(o)}},9807:(t,e,i)=>{"use strict";i.d(e,{Z:()=>o});var r=i(1691),n=i(1610);const o=(t,e)=>{const i=n.Z.parse(t);for(const n in e)i[n]=r.Z.channel.clamp[n](e[n]);return n.Z.stringify(i)}},7201:(t,e,i)=>{"use strict";i.d(e,{Z:()=>n});var r=i(6174);const n=(t,e)=>(0,r.Z)(t,"l",-e)},1619:(t,e,i)=>{"use strict";i.d(e,{Z:()=>s});var r=i(1691),n=i(1610);const o=t=>{const{r:e,g:i,b:o}=n.Z.parse(t),a=.2126*r.Z.channel.toLinear(e)+.7152*r.Z.channel.toLinear(i)+.0722*r.Z.channel.toLinear(o);return r.Z.lang.round(a)},a=t=>o(t)>=.5,s=t=>!a(t)},2281:(t,e,i)=>{"use strict";i.d(e,{Z:()=>n});var r=i(6174);const n=(t,e)=>(0,r.Z)(t,"l",e)},1117:(t,e,i)=>{"use strict";i.d(e,{Z:()=>s});var r=i(1691),n=i(1883),o=i(1610),a=i(9807);const s=(t,e,i=0,s=1)=>{if("number"!=typeof t)return(0,a.Z)(t,{a:e});const l=n.Z.set({r:r.Z.channel.clamp.r(t),g:r.Z.channel.clamp.g(e),b:r.Z.channel.clamp.b(i),a:r.Z.channel.clamp.a(s)});return o.Z.stringify(l)}},1691:(t,e,i)=>{"use strict";i.d(e,{Z:()=>n});const r={min:{r:0,g:0,b:0,s:0,l:0,a:0},max:{r:255,g:255,b:255,h:360,s:100,l:100,a:1},clamp:{r:t=>t>=255?255:t<0?0:t,g:t=>t>=255?255:t<0?0:t,b:t=>t>=255?255:t<0?0:t,h:t=>t%360,s:t=>t>=100?100:t<0?0:t,l:t=>t>=100?100:t<0?0:t,a:t=>t>=1?1:t<0?0:t},toLinear:t=>{const e=t/255;return t>.03928?Math.pow((e+.055)/1.055,2.4):e/12.92},hue2rgb:(t,e,i)=>(i<0&&(i+=1),i>1&&(i-=1),i<1/6?t+6*(e-t)*i:i<.5?e:i<2/3?t+(e-t)*(2/3-i)*6:t),hsl2rgb:({h:t,s:e,l:i},n)=>{if(!e)return 2.55*i;t/=360,e/=100;const o=(i/=100)<.5?i*(1+e):i+e-i*e,a=2*i-o;switch(n){case"r":return 255*r.hue2rgb(a,o,t+1/3);case"g":return 255*r.hue2rgb(a,o,t);case"b":return 255*r.hue2rgb(a,o,t-1/3)}},rgb2hsl:({r:t,g:e,b:i},r)=>{t/=255,e/=255,i/=255;const n=Math.max(t,e,i),o=Math.min(t,e,i),a=(n+o)/2;if("l"===r)return 100*a;if(n===o)return 0;const s=n-o;if("s"===r)return 100*(a>.5?s/(2-n-o):s/(n+o));switch(n){case t:return 60*((e-i)/s+(e<i?6:0));case e:return 60*((i-t)/s+2);case i:return 60*((t-e)/s+4);default:return-1}}},n={channel:r,lang:{clamp:(t,e,i)=>e>i?Math.min(e,Math.max(i,t)):Math.min(i,Math.max(e,t)),round:t=>Math.round(1e10*t)/1e10},unit:{dec2hex:t=>{const e=Math.round(t).toString(16);return e.length>1?e:`0${e}`}}}},7308:(t,e,i)=>{"use strict";i.d(e,{Z:()=>d});const r=function(){this.__data__=[],this.size=0};var n=i(9651);const o=function(t,e){for(var i=t.length;i--;)if((0,n.Z)(t[i][0],e))return i;return-1};var a=Array.prototype.splice;const s=function(t){var e=this.__data__,i=o(e,t);return!(i<0)&&(i==e.length-1?e.pop():a.call(e,i,1),--this.size,!0)};const l=function(t){var e=this.__data__,i=o(e,t);return i<0?void 0:e[i][1]};const c=function(t){return o(this.__data__,t)>-1};const h=function(t,e){var i=this.__data__,r=o(i,t);return r<0?(++this.size,i.push([t,e])):i[r][1]=e,this};function u(t){var e=-1,i=null==t?0:t.length;for(this.clear();++e<i;){var r=t[e];this.set(r[0],r[1])}}u.prototype.clear=r,u.prototype.delete=s,u.prototype.get=l,u.prototype.has=c,u.prototype.set=h;const d=u},6183:(t,e,i)=>{"use strict";i.d(e,{Z:()=>o});var r=i(2508),n=i(6092);const o=(0,r.Z)(n.Z,"Map")},7834:(t,e,i)=>{"use strict";i.d(e,{Z:()=>k});const r=(0,i(2508).Z)(Object,"create");const n=function(){this.__data__=r?r(null):{},this.size=0};const o=function(t){var e=this.has(t)&&delete this.__data__[t];return this.size-=e?1:0,e};var a=Object.prototype.hasOwnProperty;const s=function(t){var e=this.__data__;if(r){var i=e[t];return"__lodash_hash_undefined__"===i?void 0:i}return a.call(e,t)?e[t]:void 0};var l=Object.prototype.hasOwnProperty;const c=function(t){var e=this.__data__;return r?void 0!==e[t]:l.call(e,t)};const h=function(t,e){var i=this.__data__;return this.size+=this.has(t)?0:1,i[t]=r&&void 0===e?"__lodash_hash_undefined__":e,this};function u(t){var e=-1,i=null==t?0:t.length;for(this.clear();++e<i;){var r=t[e];this.set(r[0],r[1])}}u.prototype.clear=n,u.prototype.delete=o,u.prototype.get=s,u.prototype.has=c,u.prototype.set=h;const d=u;var f=i(7308),p=i(6183);const g=function(){this.size=0,this.__data__={hash:new d,map:new(p.Z||f.Z),string:new d}};const m=function(t){var e=typeof t;return"string"==e||"number"==e||"symbol"==e||"boolean"==e?"__proto__"!==t:null===t};const y=function(t,e){var i=t.__data__;return m(e)?i["string"==typeof e?"string":"hash"]:i.map};const x=function(t){var e=y(this,t).delete(t);return this.size-=e?1:0,e};const b=function(t){return y(this,t).get(t)};const C=function(t){return y(this,t).has(t)};const _=function(t,e){var i=y(this,t),r=i.size;return i.set(t,e),this.size+=i.size==r?0:1,this};function v(t){var e=-1,i=null==t?0:t.length;for(this.clear();++e<i;){var r=t[e];this.set(r[0],r[1])}}v.prototype.clear=g,v.prototype.delete=x,v.prototype.get=b,v.prototype.has=C,v.prototype.set=_;const k=v},3203:(t,e,i)=>{"use strict";i.d(e,{Z:()=>o});var r=i(2508),n=i(6092);const o=(0,r.Z)(n.Z,"Set")},1667:(t,e,i)=>{"use strict";i.d(e,{Z:()=>d});var r=i(7308);const n=function(){this.__data__=new r.Z,this.size=0};const o=function(t){var e=this.__data__,i=e.delete(t);return this.size=e.size,i};const a=function(t){return this.__data__.get(t)};const s=function(t){return this.__data__.has(t)};var l=i(6183),c=i(7834);const h=function(t,e){var i=this.__data__;if(i instanceof r.Z){var n=i.__data__;if(!l.Z||n.length<199)return n.push([t,e]),this.size=++i.size,this;i=this.__data__=new c.Z(n)}return i.set(t,e),this.size=i.size,this};function u(t){var e=this.__data__=new r.Z(t);this.size=e.size}u.prototype.clear=n,u.prototype.delete=o,u.prototype.get=a,u.prototype.has=s,u.prototype.set=h;const d=u},7685:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=i(6092).Z.Symbol},4073:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=i(6092).Z.Uint8Array},7668:(t,e,i)=>{"use strict";i.d(e,{Z:()=>h});const r=function(t,e){for(var i=-1,r=Array(t);++i<t;)r[i]=e(i);return r};var n=i(9169),o=i(7771),a=i(7008),s=i(6009),l=i(8843),c=Object.prototype.hasOwnProperty;const h=function(t,e){var i=(0,o.Z)(t),h=!i&&(0,n.Z)(t),u=!i&&!h&&(0,a.Z)(t),d=!i&&!h&&!u&&(0,l.Z)(t),f=i||h||u||d,p=f?r(t.length,String):[],g=p.length;for(var m in t)!e&&!c.call(t,m)||f&&("length"==m||u&&("offset"==m||"parent"==m)||d&&("buffer"==m||"byteLength"==m||"byteOffset"==m)||(0,s.Z)(m,g))||p.push(m);return p}},2954:(t,e,i)=>{"use strict";i.d(e,{Z:()=>a});var r=i(4752),n=i(9651),o=Object.prototype.hasOwnProperty;const a=function(t,e,i){var a=t[e];o.call(t,e)&&(0,n.Z)(a,i)&&(void 0!==i||e in t)||(0,r.Z)(t,e,i)}},4752:(t,e,i)=>{"use strict";i.d(e,{Z:()=>n});var r=i(7904);const n=function(t,e,i){"__proto__"==e&&r.Z?(0,r.Z)(t,e,{configurable:!0,enumerable:!0,value:i,writable:!0}):t[e]=i}},1395:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=function(t){return function(e,i,r){for(var n=-1,o=Object(e),a=r(e),s=a.length;s--;){var l=a[t?s:++n];if(!1===i(o[l],l,o))break}return e}}()},3589:(t,e,i)=>{"use strict";i.d(e,{Z:()=>d});var r=i(7685),n=Object.prototype,o=n.hasOwnProperty,a=n.toString,s=r.Z?r.Z.toStringTag:void 0;const l=function(t){var e=o.call(t,s),i=t[s];try{t[s]=void 0;var r=!0}catch(l){}var n=a.call(t);return r&&(e?t[s]=i:delete t[s]),n};var c=Object.prototype.toString;const h=function(t){return c.call(t)};var u=r.Z?r.Z.toStringTag:void 0;const d=function(t){return null==t?void 0===t?"[object Undefined]":"[object Null]":u&&u in Object(t)?l(t):h(t)}},9473:(t,e,i)=>{"use strict";i.d(e,{Z:()=>a});var r=i(2764);const n=(0,i(1851).Z)(Object.keys,Object);var o=Object.prototype.hasOwnProperty;const a=function(t){if(!(0,r.Z)(t))return n(t);var e=[];for(var i in Object(t))o.call(t,i)&&"constructor"!=i&&e.push(i);return e}},9581:(t,e,i)=>{"use strict";i.d(e,{Z:()=>a});var r=i(9203),n=i(1211),o=i(7227);const a=function(t,e){return(0,o.Z)((0,n.Z)(t,e,r.Z),t+"")}},1162:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=function(t){return function(e){return t(e)}}},1884:(t,e,i)=>{"use strict";i.d(e,{Z:()=>n});var r=i(4073);const n=function(t){var e=new t.constructor(t.byteLength);return new r.Z(e).set(new r.Z(t)),e}},1050:(t,e,i)=>{"use strict";i.d(e,{Z:()=>l});var r=i(6092),n="object"==typeof exports&&exports&&!exports.nodeType&&exports,o=n&&"object"==typeof module&&module&&!module.nodeType&&module,a=o&&o.exports===n?r.Z.Buffer:void 0,s=a?a.allocUnsafe:void 0;const l=function(t,e){if(e)return t.slice();var i=t.length,r=s?s(i):new t.constructor(i);return t.copy(r),r}},2701:(t,e,i)=>{"use strict";i.d(e,{Z:()=>n});var r=i(1884);const n=function(t,e){var i=e?(0,r.Z)(t.buffer):t.buffer;return new t.constructor(i,t.byteOffset,t.length)}},7215:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=function(t,e){var i=-1,r=t.length;for(e||(e=Array(r));++i<r;)e[i]=t[i];return e}},1899:(t,e,i)=>{"use strict";i.d(e,{Z:()=>o});var r=i(2954),n=i(4752);const o=function(t,e,i,o){var a=!i;i||(i={});for(var s=-1,l=e.length;++s<l;){var c=e[s],h=o?o(i[c],t[c],c,i,t):void 0;void 0===h&&(h=t[c]),a?(0,n.Z)(i,c,h):(0,r.Z)(i,c,h)}return i}},7904:(t,e,i)=>{"use strict";i.d(e,{Z:()=>n});var r=i(2508);const n=function(){try{var t=(0,r.Z)(Object,"defineProperty");return t({},"",{}),t}catch(e){}}()},3413:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r="object"==typeof global&&global&&global.Object===Object&&global},2508:(t,e,i)=>{"use strict";i.d(e,{Z:()=>x});var r=i(3234);const n=i(6092).Z["__core-js_shared__"];var o,a=(o=/[^.]+$/.exec(n&&n.keys&&n.keys.IE_PROTO||""))?"Symbol(src)_1."+o:"";const s=function(t){return!!a&&a in t};var l=i(7226),c=i(19),h=/^\[object .+?Constructor\]$/,u=Function.prototype,d=Object.prototype,f=u.toString,p=d.hasOwnProperty,g=RegExp("^"+f.call(p).replace(/[\\^$.*+?()[\]{}|]/g,"\\$&").replace(/hasOwnProperty|(function).*?(?=\\\()| for .+?(?=\\\])/g,"$1.*?")+"$");const m=function(t){return!(!(0,l.Z)(t)||s(t))&&((0,r.Z)(t)?g:h).test((0,c.Z)(t))};const y=function(t,e){return null==t?void 0:t[e]};const x=function(t,e){var i=y(t,e);return m(i)?i:void 0}},2513:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=(0,i(1851).Z)(Object.getPrototypeOf,Object)},3970:(t,e,i)=>{"use strict";i.d(e,{Z:()=>k});var r=i(2508),n=i(6092);const o=(0,r.Z)(n.Z,"DataView");var a=i(6183);const s=(0,r.Z)(n.Z,"Promise");var l=i(3203);const c=(0,r.Z)(n.Z,"WeakMap");var h=i(3589),u=i(19),d="[object Map]",f="[object Promise]",p="[object Set]",g="[object WeakMap]",m="[object DataView]",y=(0,u.Z)(o),x=(0,u.Z)(a.Z),b=(0,u.Z)(s),C=(0,u.Z)(l.Z),_=(0,u.Z)(c),v=h.Z;(o&&v(new o(new ArrayBuffer(1)))!=m||a.Z&&v(new a.Z)!=d||s&&v(s.resolve())!=f||l.Z&&v(new l.Z)!=p||c&&v(new c)!=g)&&(v=function(t){var e=(0,h.Z)(t),i="[object Object]"==e?t.constructor:void 0,r=i?(0,u.Z)(i):"";if(r)switch(r){case y:return m;case x:return d;case b:return f;case C:return p;case _:return g}return e});const k=v},3658:(t,e,i)=>{"use strict";i.d(e,{Z:()=>l});var r=i(7226),n=Object.create;const o=function(){function t(){}return function(e){if(!(0,r.Z)(e))return{};if(n)return n(e);t.prototype=e;var i=new t;return t.prototype=void 0,i}}();var a=i(2513),s=i(2764);const l=function(t){return"function"!=typeof t.constructor||(0,s.Z)(t)?{}:o((0,a.Z)(t))}},6009:(t,e,i)=>{"use strict";i.d(e,{Z:()=>n});var r=/^(?:0|[1-9]\d*)$/;const n=function(t,e){var i=typeof t;return!!(e=null==e?9007199254740991:e)&&("number"==i||"symbol"!=i&&r.test(t))&&t>-1&&t%1==0&&t<e}},439:(t,e,i)=>{"use strict";i.d(e,{Z:()=>s});var r=i(9651),n=i(585),o=i(6009),a=i(7226);const s=function(t,e,i){if(!(0,a.Z)(i))return!1;var s=typeof e;return!!("number"==s?(0,n.Z)(i)&&(0,o.Z)(e,i.length):"string"==s&&e in i)&&(0,r.Z)(i[e],t)}},2764:(t,e,i)=>{"use strict";i.d(e,{Z:()=>n});var r=Object.prototype;const n=function(t){var e=t&&t.constructor;return t===("function"==typeof e&&e.prototype||r)}},8351:(t,e,i)=>{"use strict";i.d(e,{Z:()=>s});var r=i(3413),n="object"==typeof exports&&exports&&!exports.nodeType&&exports,o=n&&"object"==typeof module&&module&&!module.nodeType&&module,a=o&&o.exports===n&&r.Z.process;const s=function(){try{var t=o&&o.require&&o.require("util").types;return t||a&&a.binding&&a.binding("util")}catch(e){}}()},1851:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=function(t,e){return function(i){return t(e(i))}}},1211:(t,e,i)=>{"use strict";i.d(e,{Z:()=>o});const r=function(t,e,i){switch(i.length){case 0:return t.call(e);case 1:return t.call(e,i[0]);case 2:return t.call(e,i[0],i[1]);case 3:return t.call(e,i[0],i[1],i[2])}return t.apply(e,i)};var n=Math.max;const o=function(t,e,i){return e=n(void 0===e?t.length-1:e,0),function(){for(var o=arguments,a=-1,s=n(o.length-e,0),l=Array(s);++a<s;)l[a]=o[e+a];a=-1;for(var c=Array(e+1);++a<e;)c[a]=o[a];return c[e]=i(l),r(t,this,c)}}},6092:(t,e,i)=>{"use strict";i.d(e,{Z:()=>o});var r=i(3413),n="object"==typeof self&&self&&self.Object===Object&&self;const o=r.Z||n||Function("return this")()},7227:(t,e,i)=>{"use strict";i.d(e,{Z:()=>l});var r=i(2002),n=i(7904),o=i(9203);const a=n.Z?function(t,e){return(0,n.Z)(t,"toString",{configurable:!0,enumerable:!1,value:(0,r.Z)(e),writable:!0})}:o.Z;var s=Date.now;const l=function(t){var e=0,i=0;return function(){var r=s(),n=16-(r-i);if(i=r,n>0){if(++e>=800)return arguments[0]}else e=0;return t.apply(void 0,arguments)}}(a)},19:(t,e,i)=>{"use strict";i.d(e,{Z:()=>n});var r=Function.prototype.toString;const n=function(t){if(null!=t){try{return r.call(t)}catch(e){}try{return t+""}catch(e){}}return""}},2002:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=function(t){return function(){return t}}},9651:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=function(t,e){return t===e||t!=t&&e!=e}},9203:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=function(t){return t}},9169:(t,e,i)=>{"use strict";i.d(e,{Z:()=>c});var r=i(3589),n=i(8533);const o=function(t){return(0,n.Z)(t)&&"[object Arguments]"==(0,r.Z)(t)};var a=Object.prototype,s=a.hasOwnProperty,l=a.propertyIsEnumerable;const c=o(function(){return arguments}())?o:function(t){return(0,n.Z)(t)&&s.call(t,"callee")&&!l.call(t,"callee")}},7771:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=Array.isArray},585:(t,e,i)=>{"use strict";i.d(e,{Z:()=>o});var r=i(3234),n=i(1656);const o=function(t){return null!=t&&(0,n.Z)(t.length)&&!(0,r.Z)(t)}},836:(t,e,i)=>{"use strict";i.d(e,{Z:()=>o});var r=i(585),n=i(8533);const o=function(t){return(0,n.Z)(t)&&(0,r.Z)(t)}},7008:(t,e,i)=>{"use strict";i.d(e,{Z:()=>l});var r=i(6092);const n=function(){return!1};var o="object"==typeof exports&&exports&&!exports.nodeType&&exports,a=o&&"object"==typeof module&&module&&!module.nodeType&&module,s=a&&a.exports===o?r.Z.Buffer:void 0;const l=(s?s.isBuffer:void 0)||n},9697:(t,e,i)=>{"use strict";i.d(e,{Z:()=>d});var r=i(9473),n=i(3970),o=i(9169),a=i(7771),s=i(585),l=i(7008),c=i(2764),h=i(8843),u=Object.prototype.hasOwnProperty;const d=function(t){if(null==t)return!0;if((0,s.Z)(t)&&((0,a.Z)(t)||"string"==typeof t||"function"==typeof t.splice||(0,l.Z)(t)||(0,h.Z)(t)||(0,o.Z)(t)))return!t.length;var e=(0,n.Z)(t);if("[object Map]"==e||"[object Set]"==e)return!t.size;if((0,c.Z)(t))return!(0,r.Z)(t).length;for(var i in t)if(u.call(t,i))return!1;return!0}},3234:(t,e,i)=>{"use strict";i.d(e,{Z:()=>o});var r=i(3589),n=i(7226);const o=function(t){if(!(0,n.Z)(t))return!1;var e=(0,r.Z)(t);return"[object Function]"==e||"[object GeneratorFunction]"==e||"[object AsyncFunction]"==e||"[object Proxy]"==e}},1656:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=function(t){return"number"==typeof t&&t>-1&&t%1==0&&t<=9007199254740991}},7226:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=function(t){var e=typeof t;return null!=t&&("object"==e||"function"==e)}},8533:(t,e,i)=>{"use strict";i.d(e,{Z:()=>r});const r=function(t){return null!=t&&"object"==typeof t}},7514:(t,e,i)=>{"use strict";i.d(e,{Z:()=>u});var r=i(3589),n=i(2513),o=i(8533),a=Function.prototype,s=Object.prototype,l=a.toString,c=s.hasOwnProperty,h=l.call(Object);const u=function(t){if(!(0,o.Z)(t)||"[object Object]"!=(0,r.Z)(t))return!1;var e=(0,n.Z)(t);if(null===e)return!0;var i=c.call(e,"constructor")&&e.constructor;return"function"==typeof i&&i instanceof i&&l.call(i)==h}},8843:(t,e,i)=>{"use strict";i.d(e,{Z:()=>u});var r=i(3589),n=i(1656),o=i(8533),a={};a["[object Float32Array]"]=a["[object Float64Array]"]=a["[object Int8Array]"]=a["[object Int16Array]"]=a["[object Int32Array]"]=a["[object Uint8Array]"]=a["[object Uint8ClampedArray]"]=a["[object Uint16Array]"]=a["[object Uint32Array]"]=!0,a["[object Arguments]"]=a["[object Array]"]=a["[object ArrayBuffer]"]=a["[object Boolean]"]=a["[object DataView]"]=a["[object Date]"]=a["[object Error]"]=a["[object Function]"]=a["[object Map]"]=a["[object Number]"]=a["[object Object]"]=a["[object RegExp]"]=a["[object Set]"]=a["[object String]"]=a["[object WeakMap]"]=!1;const s=function(t){return(0,o.Z)(t)&&(0,n.Z)(t.length)&&!!a[(0,r.Z)(t)]};var l=i(1162),c=i(8351),h=c.Z&&c.Z.isTypedArray;const u=h?(0,l.Z)(h):s},2957:(t,e,i)=>{"use strict";i.d(e,{Z:()=>h});var r=i(7668),n=i(7226),o=i(2764);const a=function(t){var e=[];if(null!=t)for(var i in Object(t))e.push(i);return e};var s=Object.prototype.hasOwnProperty;const l=function(t){if(!(0,n.Z)(t))return a(t);var e=(0,o.Z)(t),i=[];for(var r in t)("constructor"!=r||!e&&s.call(t,r))&&i.push(r);return i};var c=i(585);const h=function(t){return(0,c.Z)(t)?(0,r.Z)(t,!0):l(t)}},2454:(t,e,i)=>{"use strict";i.d(e,{Z:()=>o});var r=i(7834);function n(t,e){if("function"!=typeof t||null!=e&&"function"!=typeof e)throw new TypeError("Expected a function");var i=function(){var r=arguments,n=e?e.apply(this,r):r[0],o=i.cache;if(o.has(n))return o.get(n);var a=t.apply(this,r);return i.cache=o.set(n,a)||o,a};return i.cache=new(n.Cache||r.Z),i}n.Cache=r.Z;const o=n},9236:(t,e,i)=>{"use strict";i.d(e,{Z:()=>F});var r=i(1667),n=i(4752),o=i(9651);const a=function(t,e,i){(void 0!==i&&!(0,o.Z)(t[e],i)||void 0===i&&!(e in t))&&(0,n.Z)(t,e,i)};var s=i(1395),l=i(1050),c=i(2701),h=i(7215),u=i(3658),d=i(9169),f=i(7771),p=i(836),g=i(7008),m=i(3234),y=i(7226),x=i(7514),b=i(8843);const C=function(t,e){if(("constructor"!==e||"function"!=typeof t[e])&&"__proto__"!=e)return t[e]};var _=i(1899),v=i(2957);const k=function(t){return(0,_.Z)(t,(0,v.Z)(t))};const T=function(t,e,i,r,n,o,s){var _=C(t,i),v=C(e,i),T=s.get(v);if(T)a(t,i,T);else{var w=o?o(_,v,i+"",t,e,s):void 0,S=void 0===w;if(S){var B=(0,f.Z)(v),F=!B&&(0,g.Z)(v),L=!B&&!F&&(0,b.Z)(v);w=v,B||F||L?(0,f.Z)(_)?w=_:(0,p.Z)(_)?w=(0,h.Z)(_):F?(S=!1,w=(0,l.Z)(v,!0)):L?(S=!1,w=(0,c.Z)(v,!0)):w=[]:(0,x.Z)(v)||(0,d.Z)(v)?(w=_,(0,d.Z)(_)?w=k(_):(0,y.Z)(_)&&!(0,m.Z)(_)||(w=(0,u.Z)(v))):S=!1}S&&(s.set(v,w),n(w,v,r,o,s),s.delete(v)),a(t,i,w)}};const w=function t(e,i,n,o,l){e!==i&&(0,s.Z)(i,(function(s,c){if(l||(l=new r.Z),(0,y.Z)(s))T(e,i,c,n,t,o,l);else{var h=o?o(C(e,c),s,c+"",e,i,l):void 0;void 0===h&&(h=s),a(e,c,h)}}),v.Z)};var S=i(9581),B=i(439);const F=function(t){return(0,S.Z)((function(e,i){var r=-1,n=i.length,o=n>1?i[n-1]:void 0,a=n>2?i[2]:void 0;for(o=t.length>3&&"function"==typeof o?(n--,o):void 0,a&&(0,B.Z)(i[0],i[1],a)&&(o=n<3?void 0:o,n=1),e=Object(e);++r<n;){var s=i[r];s&&t(e,s,r,o)}return e}))}((function(t,e,i){w(t,e,i)}))},5322:(t,e,i)=>{"use strict";i.d(e,{A:()=>It,B:()=>me,C:()=>ge,D:()=>Ft,E:()=>Be,F:()=>er,G:()=>oe,H:()=>ht,I:()=>Mi,J:()=>qn,K:()=>Si,L:()=>to,Z:()=>Gt,a:()=>ki,b:()=>vi,c:()=>Li,d:()=>ft,e:()=>_t,f:()=>Vt,g:()=>_i,h:()=>ue,i:()=>ui,j:()=>he,k:()=>re,l:()=>st,m:()=>mt,n:()=>Kt,o:()=>di,p:()=>Ai,q:()=>Ti,r:()=>wi,s:()=>Ci,t:()=>bi,u:()=>ye,v:()=>yt,w:()=>le,x:()=>ae,y:()=>Ni,z:()=>Di});var r=i(8464),n=i(7484),o=i(7967),a=i(4218),s=i(7856),l=i(1610),c=i(9807);const h=(t,e)=>{const i=l.Z.parse(t),r={};for(const n in e)e[n]&&(r[n]=i[n]+e[n]);return(0,c.Z)(t,r)};var u=i(1117);const d=(t,e,i=50)=>{const{r:r,g:n,b:o,a:a}=l.Z.parse(t),{r:s,g:c,b:h,a:d}=l.Z.parse(e),f=i/100,p=2*f-1,g=a-d,m=((p*g==-1?p:(p+g)/(1+p*g))+1)/2,y=1-m,x=r*m+s*y,b=n*m+c*y,C=o*m+h*y,_=a*f+d*(1-f);return(0,u.Z)(x,b,C,_)},f=(t,e=100)=>{const i=l.Z.parse(t);return i.r=255-i.r,i.g=255-i.g,i.b=255-i.b,d(i,t,e)};var p=i(7201),g=i(2281),m=i(1619),y=i(2454),x=i(9236),b="comm",C="rule",_="decl",v=Math.abs,k=String.fromCharCode;Object.assign;function T(t){return t.trim()}function w(t,e,i){return t.replace(e,i)}function S(t,e){return t.indexOf(e)}function B(t,e){return 0|t.charCodeAt(e)}function F(t,e,i){return t.slice(e,i)}function L(t){return t.length}function A(t,e){return e.push(t),t}function M(t,e){for(var i="",r=0;r<t.length;r++)i+=e(t[r],r,t,e)||"";return i}function E(t,e,i,r){switch(t.type){case"@layer":if(t.children.length)break;case"@import":case _:return t.return=t.return||t.value;case b:return"";case"@keyframes":return t.return=t.value+"{"+M(t.children,r)+"}";case C:if(!L(t.value=t.props.join(",")))return""}return L(i=M(t.children,r))?t.return=t.value+"{"+i+"}":""}var N=1,Z=1,j=0,I=0,O=0,D="";function q(t,e,i,r,n,o,a,s){return{value:t,root:e,parent:i,type:r,props:n,children:o,line:N,column:Z,length:a,return:"",siblings:s}}function $(){return O=I>0?B(D,--I):0,Z--,10===O&&(Z=1,N--),O}function z(){return O=I<j?B(D,I++):0,Z++,10===O&&(Z=1,N++),O}function P(){return B(D,I)}function R(){return I}function H(t,e){return F(D,t,e)}function W(t){switch(t){case 0:case 9:case 10:case 13:case 32:return 5;case 33:case 43:case 44:case 47:case 62:case 64:case 126:case 59:case 123:case 125:return 4;case 58:return 3;case 34:case 39:case 40:case 91:return 2;case 41:case 93:return 1}return 0}function U(t){return N=Z=1,j=L(D=t),I=0,[]}function Y(t){return D="",t}function V(t){return T(H(I-1,J(91===t?t+2:40===t?t+1:t)))}function G(t){for(;(O=P())&&O<33;)z();return W(t)>2||W(O)>3?"":" "}function X(t,e){for(;--e&&z()&&!(O<48||O>102||O>57&&O<65||O>70&&O<97););return H(t,R()+(e<6&&32==P()&&32==z()))}function J(t){for(;z();)switch(O){case t:return I;case 34:case 39:34!==t&&39!==t&&J(O);break;case 40:41===t&&J(t);break;case 92:z()}return I}function Q(t,e){for(;z()&&t+O!==57&&(t+O!==84||47!==P()););return"/*"+H(e,I-1)+"*"+k(47===t?t:z())}function K(t){for(;!W(P());)z();return H(t,I)}function tt(t){return Y(et("",null,null,null,[""],t=U(t),0,[0],t))}function et(t,e,i,r,n,o,a,s,l){for(var c=0,h=0,u=a,d=0,f=0,p=0,g=1,m=1,y=1,x=0,b="",C=n,_=o,v=r,T=b;m;)switch(p=x,x=z()){case 40:if(108!=p&&58==B(T,u-1)){-1!=S(T+=w(V(x),"&","&\f"),"&\f")&&(y=-1);break}case 34:case 39:case 91:T+=V(x);break;case 9:case 10:case 13:case 32:T+=G(p);break;case 92:T+=X(R()-1,7);continue;case 47:switch(P()){case 42:case 47:A(rt(Q(z(),R()),e,i,l),l);break;default:T+="/"}break;case 123*g:s[c++]=L(T)*y;case 125*g:case 59:case 0:switch(x){case 0:case 125:m=0;case 59+h:-1==y&&(T=w(T,/\f/g,"")),f>0&&L(T)-u&&A(f>32?nt(T+";",r,i,u-1,l):nt(w(T," ","")+";",r,i,u-2,l),l);break;case 59:T+=";";default:if(A(v=it(T,e,i,c,h,n,s,b,C=[],_=[],u,o),o),123===x)if(0===h)et(T,e,v,v,C,o,u,s,_);else switch(99===d&&110===B(T,3)?100:d){case 100:case 108:case 109:case 115:et(t,v,v,r&&A(it(t,v,v,0,0,n,s,b,n,C=[],u,_),_),n,_,u,s,r?C:_);break;default:et(T,v,v,v,[""],_,0,s,_)}}c=h=f=0,g=y=1,b=T="",u=a;break;case 58:u=1+L(T),f=p;default:if(g<1)if(123==x)--g;else if(125==x&&0==g++&&125==$())continue;switch(T+=k(x),x*g){case 38:y=h>0?1:(T+="\f",-1);break;case 44:s[c++]=(L(T)-1)*y,y=1;break;case 64:45===P()&&(T+=V(z())),d=P(),h=u=L(b=T+=K(R())),x++;break;case 45:45===p&&2==L(T)&&(g=0)}}return o}function it(t,e,i,r,n,o,a,s,l,c,h,u){for(var d=n-1,f=0===n?o:[""],p=function(t){return t.length}(f),g=0,m=0,y=0;g<r;++g)for(var x=0,b=F(t,d+1,d=v(m=a[g])),_=t;x<p;++x)(_=T(m>0?f[x]+" "+b:w(b,/&\f/g,f[x])))&&(l[y++]=_);return q(t,e,i,0===n?C:s,l,c,h,u)}function rt(t,e,i,r){return q(t,e,i,b,k(O),F(t,2,-2),0,r)}function nt(t,e,i,r,n){return q(t,e,i,_,F(t,0,r),F(t,r+1,-1),r,n)}var ot=i(9697);const at={trace:0,debug:1,info:2,warn:3,error:4,fatal:5},st={trace:(...t)=>{},debug:(...t)=>{},info:(...t)=>{},warn:(...t)=>{},error:(...t)=>{},fatal:(...t)=>{}},lt=function(t="fatal"){let e=at.fatal;"string"==typeof t?(t=t.toLowerCase())in at&&(e=at[t]):"number"==typeof t&&(e=t),st.trace=()=>{},st.debug=()=>{},st.info=()=>{},st.warn=()=>{},st.error=()=>{},st.fatal=()=>{},e<=at.fatal&&(st.fatal=console.error?console.error.bind(console,ct("FATAL"),"color: orange"):console.log.bind(console,"\x1b[35m",ct("FATAL"))),e<=at.error&&(st.error=console.error?console.error.bind(console,ct("ERROR"),"color: orange"):console.log.bind(console,"\x1b[31m",ct("ERROR"))),e<=at.warn&&(st.warn=console.warn?console.warn.bind(console,ct("WARN"),"color: orange"):console.log.bind(console,"\x1b[33m",ct("WARN"))),e<=at.info&&(st.info=console.info?console.info.bind(console,ct("INFO"),"color: lightblue"):console.log.bind(console,"\x1b[34m",ct("INFO"))),e<=at.debug&&(st.debug=console.debug?console.debug.bind(console,ct("DEBUG"),"color: lightgreen"):console.log.bind(console,"\x1b[32m",ct("DEBUG"))),e<=at.trace&&(st.trace=console.debug?console.debug.bind(console,ct("TRACE"),"color: lightgreen"):console.log.bind(console,"\x1b[32m",ct("TRACE")))},ct=t=>`%c${n().format("ss.SSS")} : ${t} : `,ht=/<br\s*\/?>/gi,ut=t=>s.sanitize(t),dt=(t,e)=>{var i;if(!1!==(null==(i=e.flowchart)?void 0:i.htmlLabels)){const i=e.securityLevel;"antiscript"===i||"strict"===i?t=ut(t):"loose"!==i&&(t=(t=(t=gt(t)).replace(/</g,"<").replace(/>/g,">")).replace(/=/g,"="),t=pt(t))}return t},ft=(t,e)=>t?t=e.dompurifyConfig?s.sanitize(dt(t,e),e.dompurifyConfig).toString():s.sanitize(dt(t,e),{FORBID_TAGS:["style"]}).toString():t,pt=t=>t.replace(/#br#/g,"<br/>"),gt=t=>t.replace(ht,"#br#"),mt=t=>!1!==t&&!["false","null","0"].includes(String(t).trim().toLowerCase()),yt=function(t){const e=t.split(/(,)/),i=[];for(let r=0;r<e.length;r++){let t=e[r];if(","===t&&r>0&&r+1<e.length){const n=e[r-1],o=e[r+1];bt(n,o)&&(t=n+","+o,r++,i.pop())}i.push(Ct(t))}return i.join("")},xt=(t,e)=>Math.max(0,t.split(e).length-1),bt=(t,e)=>{const i=xt(t,"~"),r=xt(e,"~");return 1===i&&1===r},Ct=t=>{const e=xt(t,"~");let i=!1;if(e<=1)return t;e%2!=0&&t.startsWith("~")&&(t=t.substring(1),i=!0);const r=[...t];let n=r.indexOf("~"),o=r.lastIndexOf("~");for(;-1!==n&&-1!==o&&n!==o;)r[n]="<",r[o]=">",n=r.indexOf("~"),o=r.lastIndexOf("~");return i&&r.unshift("~"),r.join("")},_t={getRows:t=>{if(!t)return[""];return gt(t).replace(/\\n/g,"#br#").split("#br#")},sanitizeText:ft,sanitizeTextOrArray:(t,e)=>"string"==typeof t?ft(t,e):t.flat().map((t=>ft(t,e))),hasBreaks:t=>ht.test(t),splitBreaks:t=>t.split(ht),lineBreakRegex:ht,removeScript:ut,getUrl:t=>{let e="";return t&&(e=window.location.protocol+"//"+window.location.host+window.location.pathname+window.location.search,e=e.replaceAll(/\(/g,"\\("),e=e.replaceAll(/\)/g,"\\)")),e},evaluate:mt,getMax:function(...t){const e=t.filter((t=>!isNaN(t)));return Math.max(...e)},getMin:function(...t){const e=t.filter((t=>!isNaN(t)));return Math.min(...e)}},vt=(t,e)=>h(t,e?{s:-40,l:10}:{s:-40,l:-10}),kt="#ffffff",Tt="#f2f2f2";let wt=class{constructor(){this.background="#f4f4f4",this.primaryColor="#fff4dd",this.noteBkgColor="#fff5ad",this.noteTextColor="#333",this.THEME_COLOR_LIMIT=12,this.fontFamily='"trebuchet ms", verdana, arial, sans-serif',this.fontSize="16px"}updateColors(){var t,e,i,r,n,o,a,s,l,c,u;if(this.primaryTextColor=this.primaryTextColor||(this.darkMode?"#eee":"#333"),this.secondaryColor=this.secondaryColor||h(this.primaryColor,{h:-120}),this.tertiaryColor=this.tertiaryColor||h(this.primaryColor,{h:180,l:5}),this.primaryBorderColor=this.primaryBorderColor||vt(this.primaryColor,this.darkMode),this.secondaryBorderColor=this.secondaryBorderColor||vt(this.secondaryColor,this.darkMode),this.tertiaryBorderColor=this.tertiaryBorderColor||vt(this.tertiaryColor,this.darkMode),this.noteBorderColor=this.noteBorderColor||vt(this.noteBkgColor,this.darkMode),this.noteBkgColor=this.noteBkgColor||"#fff5ad",this.noteTextColor=this.noteTextColor||"#333",this.secondaryTextColor=this.secondaryTextColor||f(this.secondaryColor),this.tertiaryTextColor=this.tertiaryTextColor||f(this.tertiaryColor),this.lineColor=this.lineColor||f(this.background),this.arrowheadColor=this.arrowheadColor||f(this.background),this.textColor=this.textColor||this.primaryTextColor,this.border2=this.border2||this.tertiaryBorderColor,this.nodeBkg=this.nodeBkg||this.primaryColor,this.mainBkg=this.mainBkg||this.primaryColor,this.nodeBorder=this.nodeBorder||this.primaryBorderColor,this.clusterBkg=this.clusterBkg||this.tertiaryColor,this.clusterBorder=this.clusterBorder||this.tertiaryBorderColor,this.defaultLinkColor=this.defaultLinkColor||this.lineColor,this.titleColor=this.titleColor||this.tertiaryTextColor,this.edgeLabelBackground=this.edgeLabelBackground||(this.darkMode?(0,p.Z)(this.secondaryColor,30):this.secondaryColor),this.nodeTextColor=this.nodeTextColor||this.primaryTextColor,this.actorBorder=this.actorBorder||this.primaryBorderColor,this.actorBkg=this.actorBkg||this.mainBkg,this.actorTextColor=this.actorTextColor||this.primaryTextColor,this.actorLineColor=this.actorLineColor||"grey",this.labelBoxBkgColor=this.labelBoxBkgColor||this.actorBkg,this.signalColor=this.signalColor||this.textColor,this.signalTextColor=this.signalTextColor||this.textColor,this.labelBoxBorderColor=this.labelBoxBorderColor||this.actorBorder,this.labelTextColor=this.labelTextColor||this.actorTextColor,this.loopTextColor=this.loopTextColor||this.actorTextColor,this.activationBorderColor=this.activationBorderColor||(0,p.Z)(this.secondaryColor,10),this.activationBkgColor=this.activationBkgColor||this.secondaryColor,this.sequenceNumberColor=this.sequenceNumberColor||f(this.lineColor),this.sectionBkgColor=this.sectionBkgColor||this.tertiaryColor,this.altSectionBkgColor=this.altSectionBkgColor||"white",this.sectionBkgColor=this.sectionBkgColor||this.secondaryColor,this.sectionBkgColor2=this.sectionBkgColor2||this.primaryColor,this.excludeBkgColor=this.excludeBkgColor||"#eeeeee",this.taskBorderColor=this.taskBorderColor||this.primaryBorderColor,this.taskBkgColor=this.taskBkgColor||this.primaryColor,this.activeTaskBorderColor=this.activeTaskBorderColor||this.primaryColor,this.activeTaskBkgColor=this.activeTaskBkgColor||(0,g.Z)(this.primaryColor,23),this.gridColor=this.gridColor||"lightgrey",this.doneTaskBkgColor=this.doneTaskBkgColor||"lightgrey",this.doneTaskBorderColor=this.doneTaskBorderColor||"grey",this.critBorderColor=this.critBorderColor||"#ff8888",this.critBkgColor=this.critBkgColor||"red",this.todayLineColor=this.todayLineColor||"red",this.taskTextColor=this.taskTextColor||this.textColor,this.taskTextOutsideColor=this.taskTextOutsideColor||this.textColor,this.taskTextLightColor=this.taskTextLightColor||this.textColor,this.taskTextColor=this.taskTextColor||this.primaryTextColor,this.taskTextDarkColor=this.taskTextDarkColor||this.textColor,this.taskTextClickableColor=this.taskTextClickableColor||"#003163",this.personBorder=this.personBorder||this.primaryBorderColor,this.personBkg=this.personBkg||this.mainBkg,this.transitionColor=this.transitionColor||this.lineColor,this.transitionLabelColor=this.transitionLabelColor||this.textColor,this.stateLabelColor=this.stateLabelColor||this.stateBkg||this.primaryTextColor,this.stateBkg=this.stateBkg||this.mainBkg,this.labelBackgroundColor=this.labelBackgroundColor||this.stateBkg,this.compositeBackground=this.compositeBackground||this.background||this.tertiaryColor,this.altBackground=this.altBackground||this.tertiaryColor,this.compositeTitleBackground=this.compositeTitleBackground||this.mainBkg,this.compositeBorder=this.compositeBorder||this.nodeBorder,this.innerEndBackground=this.nodeBorder,this.errorBkgColor=this.errorBkgColor||this.tertiaryColor,this.errorTextColor=this.errorTextColor||this.tertiaryTextColor,this.transitionColor=this.transitionColor||this.lineColor,this.specialStateColor=this.lineColor,this.cScale0=this.cScale0||this.primaryColor,this.cScale1=this.cScale1||this.secondaryColor,this.cScale2=this.cScale2||this.tertiaryColor,this.cScale3=this.cScale3||h(this.primaryColor,{h:30}),this.cScale4=this.cScale4||h(this.primaryColor,{h:60}),this.cScale5=this.cScale5||h(this.primaryColor,{h:90}),this.cScale6=this.cScale6||h(this.primaryColor,{h:120}),this.cScale7=this.cScale7||h(this.primaryColor,{h:150}),this.cScale8=this.cScale8||h(this.primaryColor,{h:210,l:150}),this.cScale9=this.cScale9||h(this.primaryColor,{h:270}),this.cScale10=this.cScale10||h(this.primaryColor,{h:300}),this.cScale11=this.cScale11||h(this.primaryColor,{h:330}),this.darkMode)for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["cScale"+h]=(0,p.Z)(this["cScale"+h],75);else for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["cScale"+h]=(0,p.Z)(this["cScale"+h],25);for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["cScaleInv"+h]=this["cScaleInv"+h]||f(this["cScale"+h]);for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this.darkMode?this["cScalePeer"+h]=this["cScalePeer"+h]||(0,g.Z)(this["cScale"+h],10):this["cScalePeer"+h]=this["cScalePeer"+h]||(0,p.Z)(this["cScale"+h],10);this.scaleLabelColor=this.scaleLabelColor||this.labelTextColor;for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["cScaleLabel"+h]=this["cScaleLabel"+h]||this.scaleLabelColor;const d=this.darkMode?-4:-1;for(let f=0;f<5;f++)this["surface"+f]=this["surface"+f]||h(this.mainBkg,{h:180,s:-15,l:d*(5+3*f)}),this["surfacePeer"+f]=this["surfacePeer"+f]||h(this.mainBkg,{h:180,s:-15,l:d*(8+3*f)});this.classText=this.classText||this.textColor,this.fillType0=this.fillType0||this.primaryColor,this.fillType1=this.fillType1||this.secondaryColor,this.fillType2=this.fillType2||h(this.primaryColor,{h:64}),this.fillType3=this.fillType3||h(this.secondaryColor,{h:64}),this.fillType4=this.fillType4||h(this.primaryColor,{h:-64}),this.fillType5=this.fillType5||h(this.secondaryColor,{h:-64}),this.fillType6=this.fillType6||h(this.primaryColor,{h:128}),this.fillType7=this.fillType7||h(this.secondaryColor,{h:128}),this.pie1=this.pie1||this.primaryColor,this.pie2=this.pie2||this.secondaryColor,this.pie3=this.pie3||this.tertiaryColor,this.pie4=this.pie4||h(this.primaryColor,{l:-10}),this.pie5=this.pie5||h(this.secondaryColor,{l:-10}),this.pie6=this.pie6||h(this.tertiaryColor,{l:-10}),this.pie7=this.pie7||h(this.primaryColor,{h:60,l:-10}),this.pie8=this.pie8||h(this.primaryColor,{h:-60,l:-10}),this.pie9=this.pie9||h(this.primaryColor,{h:120,l:0}),this.pie10=this.pie10||h(this.primaryColor,{h:60,l:-20}),this.pie11=this.pie11||h(this.primaryColor,{h:-60,l:-20}),this.pie12=this.pie12||h(this.primaryColor,{h:120,l:-10}),this.pieTitleTextSize=this.pieTitleTextSize||"25px",this.pieTitleTextColor=this.pieTitleTextColor||this.taskTextDarkColor,this.pieSectionTextSize=this.pieSectionTextSize||"17px",this.pieSectionTextColor=this.pieSectionTextColor||this.textColor,this.pieLegendTextSize=this.pieLegendTextSize||"17px",this.pieLegendTextColor=this.pieLegendTextColor||this.taskTextDarkColor,this.pieStrokeColor=this.pieStrokeColor||"black",this.pieStrokeWidth=this.pieStrokeWidth||"2px",this.pieOuterStrokeWidth=this.pieOuterStrokeWidth||"2px",this.pieOuterStrokeColor=this.pieOuterStrokeColor||"black",this.pieOpacity=this.pieOpacity||"0.7",this.quadrant1Fill=this.quadrant1Fill||this.primaryColor,this.quadrant2Fill=this.quadrant2Fill||h(this.primaryColor,{r:5,g:5,b:5}),this.quadrant3Fill=this.quadrant3Fill||h(this.primaryColor,{r:10,g:10,b:10}),this.quadrant4Fill=this.quadrant4Fill||h(this.primaryColor,{r:15,g:15,b:15}),this.quadrant1TextFill=this.quadrant1TextFill||this.primaryTextColor,this.quadrant2TextFill=this.quadrant2TextFill||h(this.primaryTextColor,{r:-5,g:-5,b:-5}),this.quadrant3TextFill=this.quadrant3TextFill||h(this.primaryTextColor,{r:-10,g:-10,b:-10}),this.quadrant4TextFill=this.quadrant4TextFill||h(this.primaryTextColor,{r:-15,g:-15,b:-15}),this.quadrantPointFill=this.quadrantPointFill||(0,m.Z)(this.quadrant1Fill)?(0,g.Z)(this.quadrant1Fill):(0,p.Z)(this.quadrant1Fill),this.quadrantPointTextFill=this.quadrantPointTextFill||this.primaryTextColor,this.quadrantXAxisTextFill=this.quadrantXAxisTextFill||this.primaryTextColor,this.quadrantYAxisTextFill=this.quadrantYAxisTextFill||this.primaryTextColor,this.quadrantInternalBorderStrokeFill=this.quadrantInternalBorderStrokeFill||this.primaryBorderColor,this.quadrantExternalBorderStrokeFill=this.quadrantExternalBorderStrokeFill||this.primaryBorderColor,this.quadrantTitleFill=this.quadrantTitleFill||this.primaryTextColor,this.xyChart={backgroundColor:(null==(t=this.xyChart)?void 0:t.backgroundColor)||this.background,titleColor:(null==(e=this.xyChart)?void 0:e.titleColor)||this.primaryTextColor,xAxisTitleColor:(null==(i=this.xyChart)?void 0:i.xAxisTitleColor)||this.primaryTextColor,xAxisLabelColor:(null==(r=this.xyChart)?void 0:r.xAxisLabelColor)||this.primaryTextColor,xAxisTickColor:(null==(n=this.xyChart)?void 0:n.xAxisTickColor)||this.primaryTextColor,xAxisLineColor:(null==(o=this.xyChart)?void 0:o.xAxisLineColor)||this.primaryTextColor,yAxisTitleColor:(null==(a=this.xyChart)?void 0:a.yAxisTitleColor)||this.primaryTextColor,yAxisLabelColor:(null==(s=this.xyChart)?void 0:s.yAxisLabelColor)||this.primaryTextColor,yAxisTickColor:(null==(l=this.xyChart)?void 0:l.yAxisTickColor)||this.primaryTextColor,yAxisLineColor:(null==(c=this.xyChart)?void 0:c.yAxisLineColor)||this.primaryTextColor,plotColorPalette:(null==(u=this.xyChart)?void 0:u.plotColorPalette)||"#FFF4DD,#FFD8B1,#FFA07A,#ECEFF1,#D6DBDF,#C3E0A8,#FFB6A4,#FFD74D,#738FA7,#FFFFF0"},this.requirementBackground=this.requirementBackground||this.primaryColor,this.requirementBorderColor=this.requirementBorderColor||this.primaryBorderColor,this.requirementBorderSize=this.requirementBorderSize||"1",this.requirementTextColor=this.requirementTextColor||this.primaryTextColor,this.relationColor=this.relationColor||this.lineColor,this.relationLabelBackground=this.relationLabelBackground||(this.darkMode?(0,p.Z)(this.secondaryColor,30):this.secondaryColor),this.relationLabelColor=this.relationLabelColor||this.actorTextColor,this.git0=this.git0||this.primaryColor,this.git1=this.git1||this.secondaryColor,this.git2=this.git2||this.tertiaryColor,this.git3=this.git3||h(this.primaryColor,{h:-30}),this.git4=this.git4||h(this.primaryColor,{h:-60}),this.git5=this.git5||h(this.primaryColor,{h:-90}),this.git6=this.git6||h(this.primaryColor,{h:60}),this.git7=this.git7||h(this.primaryColor,{h:120}),this.darkMode?(this.git0=(0,g.Z)(this.git0,25),this.git1=(0,g.Z)(this.git1,25),this.git2=(0,g.Z)(this.git2,25),this.git3=(0,g.Z)(this.git3,25),this.git4=(0,g.Z)(this.git4,25),this.git5=(0,g.Z)(this.git5,25),this.git6=(0,g.Z)(this.git6,25),this.git7=(0,g.Z)(this.git7,25)):(this.git0=(0,p.Z)(this.git0,25),this.git1=(0,p.Z)(this.git1,25),this.git2=(0,p.Z)(this.git2,25),this.git3=(0,p.Z)(this.git3,25),this.git4=(0,p.Z)(this.git4,25),this.git5=(0,p.Z)(this.git5,25),this.git6=(0,p.Z)(this.git6,25),this.git7=(0,p.Z)(this.git7,25)),this.gitInv0=this.gitInv0||f(this.git0),this.gitInv1=this.gitInv1||f(this.git1),this.gitInv2=this.gitInv2||f(this.git2),this.gitInv3=this.gitInv3||f(this.git3),this.gitInv4=this.gitInv4||f(this.git4),this.gitInv5=this.gitInv5||f(this.git5),this.gitInv6=this.gitInv6||f(this.git6),this.gitInv7=this.gitInv7||f(this.git7),this.branchLabelColor=this.branchLabelColor||(this.darkMode?"black":this.labelTextColor),this.gitBranchLabel0=this.gitBranchLabel0||this.branchLabelColor,this.gitBranchLabel1=this.gitBranchLabel1||this.branchLabelColor,this.gitBranchLabel2=this.gitBranchLabel2||this.branchLabelColor,this.gitBranchLabel3=this.gitBranchLabel3||this.branchLabelColor,this.gitBranchLabel4=this.gitBranchLabel4||this.branchLabelColor,this.gitBranchLabel5=this.gitBranchLabel5||this.branchLabelColor,this.gitBranchLabel6=this.gitBranchLabel6||this.branchLabelColor,this.gitBranchLabel7=this.gitBranchLabel7||this.branchLabelColor,this.tagLabelColor=this.tagLabelColor||this.primaryTextColor,this.tagLabelBackground=this.tagLabelBackground||this.primaryColor,this.tagLabelBorder=this.tagBorder||this.primaryBorderColor,this.tagLabelFontSize=this.tagLabelFontSize||"10px",this.commitLabelColor=this.commitLabelColor||this.secondaryTextColor,this.commitLabelBackground=this.commitLabelBackground||this.secondaryColor,this.commitLabelFontSize=this.commitLabelFontSize||"10px",this.attributeBackgroundColorOdd=this.attributeBackgroundColorOdd||kt,this.attributeBackgroundColorEven=this.attributeBackgroundColorEven||Tt}calculate(t){if("object"!=typeof t)return void this.updateColors();const e=Object.keys(t);e.forEach((e=>{this[e]=t[e]})),this.updateColors(),e.forEach((e=>{this[e]=t[e]}))}};let St=class{constructor(){this.background="#333",this.primaryColor="#1f2020",this.secondaryColor=(0,g.Z)(this.primaryColor,16),this.tertiaryColor=h(this.primaryColor,{h:-160}),this.primaryBorderColor=f(this.background),this.secondaryBorderColor=vt(this.secondaryColor,this.darkMode),this.tertiaryBorderColor=vt(this.tertiaryColor,this.darkMode),this.primaryTextColor=f(this.primaryColor),this.secondaryTextColor=f(this.secondaryColor),this.tertiaryTextColor=f(this.tertiaryColor),this.lineColor=f(this.background),this.textColor=f(this.background),this.mainBkg="#1f2020",this.secondBkg="calculated",this.mainContrastColor="lightgrey",this.darkTextColor=(0,g.Z)(f("#323D47"),10),this.lineColor="calculated",this.border1="#81B1DB",this.border2=(0,u.Z)(255,255,255,.25),this.arrowheadColor="calculated",this.fontFamily='"trebuchet ms", verdana, arial, sans-serif',this.fontSize="16px",this.labelBackground="#181818",this.textColor="#ccc",this.THEME_COLOR_LIMIT=12,this.nodeBkg="calculated",this.nodeBorder="calculated",this.clusterBkg="calculated",this.clusterBorder="calculated",this.defaultLinkColor="calculated",this.titleColor="#F9FFFE",this.edgeLabelBackground="calculated",this.actorBorder="calculated",this.actorBkg="calculated",this.actorTextColor="calculated",this.actorLineColor="calculated",this.signalColor="calculated",this.signalTextColor="calculated",this.labelBoxBkgColor="calculated",this.labelBoxBorderColor="calculated",this.labelTextColor="calculated",this.loopTextColor="calculated",this.noteBorderColor="calculated",this.noteBkgColor="#fff5ad",this.noteTextColor="calculated",this.activationBorderColor="calculated",this.activationBkgColor="calculated",this.sequenceNumberColor="black",this.sectionBkgColor=(0,p.Z)("#EAE8D9",30),this.altSectionBkgColor="calculated",this.sectionBkgColor2="#EAE8D9",this.excludeBkgColor=(0,p.Z)(this.sectionBkgColor,10),this.taskBorderColor=(0,u.Z)(255,255,255,70),this.taskBkgColor="calculated",this.taskTextColor="calculated",this.taskTextLightColor="calculated",this.taskTextOutsideColor="calculated",this.taskTextClickableColor="#003163",this.activeTaskBorderColor=(0,u.Z)(255,255,255,50),this.activeTaskBkgColor="#81B1DB",this.gridColor="calculated",this.doneTaskBkgColor="calculated",this.doneTaskBorderColor="grey",this.critBorderColor="#E83737",this.critBkgColor="#E83737",this.taskTextDarkColor="calculated",this.todayLineColor="#DB5757",this.personBorder=this.primaryBorderColor,this.personBkg=this.mainBkg,this.labelColor="calculated",this.errorBkgColor="#a44141",this.errorTextColor="#ddd"}updateColors(){var t,e,i,r,n,o,a,s,l,c,u;this.secondBkg=(0,g.Z)(this.mainBkg,16),this.lineColor=this.mainContrastColor,this.arrowheadColor=this.mainContrastColor,this.nodeBkg=this.mainBkg,this.nodeBorder=this.border1,this.clusterBkg=this.secondBkg,this.clusterBorder=this.border2,this.defaultLinkColor=this.lineColor,this.edgeLabelBackground=(0,g.Z)(this.labelBackground,25),this.actorBorder=this.border1,this.actorBkg=this.mainBkg,this.actorTextColor=this.mainContrastColor,this.actorLineColor=this.mainContrastColor,this.signalColor=this.mainContrastColor,this.signalTextColor=this.mainContrastColor,this.labelBoxBkgColor=this.actorBkg,this.labelBoxBorderColor=this.actorBorder,this.labelTextColor=this.mainContrastColor,this.loopTextColor=this.mainContrastColor,this.noteBorderColor=this.secondaryBorderColor,this.noteBkgColor=this.secondBkg,this.noteTextColor=this.secondaryTextColor,this.activationBorderColor=this.border1,this.activationBkgColor=this.secondBkg,this.altSectionBkgColor=this.background,this.taskBkgColor=(0,g.Z)(this.mainBkg,23),this.taskTextColor=this.darkTextColor,this.taskTextLightColor=this.mainContrastColor,this.taskTextOutsideColor=this.taskTextLightColor,this.gridColor=this.mainContrastColor,this.doneTaskBkgColor=this.mainContrastColor,this.taskTextDarkColor=this.darkTextColor,this.transitionColor=this.transitionColor||this.lineColor,this.transitionLabelColor=this.transitionLabelColor||this.textColor,this.stateLabelColor=this.stateLabelColor||this.stateBkg||this.primaryTextColor,this.stateBkg=this.stateBkg||this.mainBkg,this.labelBackgroundColor=this.labelBackgroundColor||this.stateBkg,this.compositeBackground=this.compositeBackground||this.background||this.tertiaryColor,this.altBackground=this.altBackground||"#555",this.compositeTitleBackground=this.compositeTitleBackground||this.mainBkg,this.compositeBorder=this.compositeBorder||this.nodeBorder,this.innerEndBackground=this.primaryBorderColor,this.specialStateColor="#f4f4f4",this.errorBkgColor=this.errorBkgColor||this.tertiaryColor,this.errorTextColor=this.errorTextColor||this.tertiaryTextColor,this.fillType0=this.primaryColor,this.fillType1=this.secondaryColor,this.fillType2=h(this.primaryColor,{h:64}),this.fillType3=h(this.secondaryColor,{h:64}),this.fillType4=h(this.primaryColor,{h:-64}),this.fillType5=h(this.secondaryColor,{h:-64}),this.fillType6=h(this.primaryColor,{h:128}),this.fillType7=h(this.secondaryColor,{h:128}),this.cScale1=this.cScale1||"#0b0000",this.cScale2=this.cScale2||"#4d1037",this.cScale3=this.cScale3||"#3f5258",this.cScale4=this.cScale4||"#4f2f1b",this.cScale5=this.cScale5||"#6e0a0a",this.cScale6=this.cScale6||"#3b0048",this.cScale7=this.cScale7||"#995a01",this.cScale8=this.cScale8||"#154706",this.cScale9=this.cScale9||"#161722",this.cScale10=this.cScale10||"#00296f",this.cScale11=this.cScale11||"#01629c",this.cScale12=this.cScale12||"#010029",this.cScale0=this.cScale0||this.primaryColor,this.cScale1=this.cScale1||this.secondaryColor,this.cScale2=this.cScale2||this.tertiaryColor,this.cScale3=this.cScale3||h(this.primaryColor,{h:30}),this.cScale4=this.cScale4||h(this.primaryColor,{h:60}),this.cScale5=this.cScale5||h(this.primaryColor,{h:90}),this.cScale6=this.cScale6||h(this.primaryColor,{h:120}),this.cScale7=this.cScale7||h(this.primaryColor,{h:150}),this.cScale8=this.cScale8||h(this.primaryColor,{h:210}),this.cScale9=this.cScale9||h(this.primaryColor,{h:270}),this.cScale10=this.cScale10||h(this.primaryColor,{h:300}),this.cScale11=this.cScale11||h(this.primaryColor,{h:330});for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["cScaleInv"+h]=this["cScaleInv"+h]||f(this["cScale"+h]);for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["cScalePeer"+h]=this["cScalePeer"+h]||(0,g.Z)(this["cScale"+h],10);for(let d=0;d<5;d++)this["surface"+d]=this["surface"+d]||h(this.mainBkg,{h:30,s:-30,l:-(4*d-10)}),this["surfacePeer"+d]=this["surfacePeer"+d]||h(this.mainBkg,{h:30,s:-30,l:-(4*d-7)});this.scaleLabelColor=this.scaleLabelColor||(this.darkMode?"black":this.labelTextColor);for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["cScaleLabel"+h]=this["cScaleLabel"+h]||this.scaleLabelColor;for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["pie"+h]=this["cScale"+h];this.pieTitleTextSize=this.pieTitleTextSize||"25px",this.pieTitleTextColor=this.pieTitleTextColor||this.taskTextDarkColor,this.pieSectionTextSize=this.pieSectionTextSize||"17px",this.pieSectionTextColor=this.pieSectionTextColor||this.textColor,this.pieLegendTextSize=this.pieLegendTextSize||"17px",this.pieLegendTextColor=this.pieLegendTextColor||this.taskTextDarkColor,this.pieStrokeColor=this.pieStrokeColor||"black",this.pieStrokeWidth=this.pieStrokeWidth||"2px",this.pieOuterStrokeWidth=this.pieOuterStrokeWidth||"2px",this.pieOuterStrokeColor=this.pieOuterStrokeColor||"black",this.pieOpacity=this.pieOpacity||"0.7",this.quadrant1Fill=this.quadrant1Fill||this.primaryColor,this.quadrant2Fill=this.quadrant2Fill||h(this.primaryColor,{r:5,g:5,b:5}),this.quadrant3Fill=this.quadrant3Fill||h(this.primaryColor,{r:10,g:10,b:10}),this.quadrant4Fill=this.quadrant4Fill||h(this.primaryColor,{r:15,g:15,b:15}),this.quadrant1TextFill=this.quadrant1TextFill||this.primaryTextColor,this.quadrant2TextFill=this.quadrant2TextFill||h(this.primaryTextColor,{r:-5,g:-5,b:-5}),this.quadrant3TextFill=this.quadrant3TextFill||h(this.primaryTextColor,{r:-10,g:-10,b:-10}),this.quadrant4TextFill=this.quadrant4TextFill||h(this.primaryTextColor,{r:-15,g:-15,b:-15}),this.quadrantPointFill=this.quadrantPointFill||(0,m.Z)(this.quadrant1Fill)?(0,g.Z)(this.quadrant1Fill):(0,p.Z)(this.quadrant1Fill),this.quadrantPointTextFill=this.quadrantPointTextFill||this.primaryTextColor,this.quadrantXAxisTextFill=this.quadrantXAxisTextFill||this.primaryTextColor,this.quadrantYAxisTextFill=this.quadrantYAxisTextFill||this.primaryTextColor,this.quadrantInternalBorderStrokeFill=this.quadrantInternalBorderStrokeFill||this.primaryBorderColor,this.quadrantExternalBorderStrokeFill=this.quadrantExternalBorderStrokeFill||this.primaryBorderColor,this.quadrantTitleFill=this.quadrantTitleFill||this.primaryTextColor,this.xyChart={backgroundColor:(null==(t=this.xyChart)?void 0:t.backgroundColor)||this.background,titleColor:(null==(e=this.xyChart)?void 0:e.titleColor)||this.primaryTextColor,xAxisTitleColor:(null==(i=this.xyChart)?void 0:i.xAxisTitleColor)||this.primaryTextColor,xAxisLabelColor:(null==(r=this.xyChart)?void 0:r.xAxisLabelColor)||this.primaryTextColor,xAxisTickColor:(null==(n=this.xyChart)?void 0:n.xAxisTickColor)||this.primaryTextColor,xAxisLineColor:(null==(o=this.xyChart)?void 0:o.xAxisLineColor)||this.primaryTextColor,yAxisTitleColor:(null==(a=this.xyChart)?void 0:a.yAxisTitleColor)||this.primaryTextColor,yAxisLabelColor:(null==(s=this.xyChart)?void 0:s.yAxisLabelColor)||this.primaryTextColor,yAxisTickColor:(null==(l=this.xyChart)?void 0:l.yAxisTickColor)||this.primaryTextColor,yAxisLineColor:(null==(c=this.xyChart)?void 0:c.yAxisLineColor)||this.primaryTextColor,plotColorPalette:(null==(u=this.xyChart)?void 0:u.plotColorPalette)||"#3498db,#2ecc71,#e74c3c,#f1c40f,#bdc3c7,#ffffff,#34495e,#9b59b6,#1abc9c,#e67e22"},this.classText=this.primaryTextColor,this.requirementBackground=this.requirementBackground||this.primaryColor,this.requirementBorderColor=this.requirementBorderColor||this.primaryBorderColor,this.requirementBorderSize=this.requirementBorderSize||"1",this.requirementTextColor=this.requirementTextColor||this.primaryTextColor,this.relationColor=this.relationColor||this.lineColor,this.relationLabelBackground=this.relationLabelBackground||(this.darkMode?(0,p.Z)(this.secondaryColor,30):this.secondaryColor),this.relationLabelColor=this.relationLabelColor||this.actorTextColor,this.git0=(0,g.Z)(this.secondaryColor,20),this.git1=(0,g.Z)(this.pie2||this.secondaryColor,20),this.git2=(0,g.Z)(this.pie3||this.tertiaryColor,20),this.git3=(0,g.Z)(this.pie4||h(this.primaryColor,{h:-30}),20),this.git4=(0,g.Z)(this.pie5||h(this.primaryColor,{h:-60}),20),this.git5=(0,g.Z)(this.pie6||h(this.primaryColor,{h:-90}),10),this.git6=(0,g.Z)(this.pie7||h(this.primaryColor,{h:60}),10),this.git7=(0,g.Z)(this.pie8||h(this.primaryColor,{h:120}),20),this.gitInv0=this.gitInv0||f(this.git0),this.gitInv1=this.gitInv1||f(this.git1),this.gitInv2=this.gitInv2||f(this.git2),this.gitInv3=this.gitInv3||f(this.git3),this.gitInv4=this.gitInv4||f(this.git4),this.gitInv5=this.gitInv5||f(this.git5),this.gitInv6=this.gitInv6||f(this.git6),this.gitInv7=this.gitInv7||f(this.git7),this.gitBranchLabel0=this.gitBranchLabel0||f(this.labelTextColor),this.gitBranchLabel1=this.gitBranchLabel1||this.labelTextColor,this.gitBranchLabel2=this.gitBranchLabel2||this.labelTextColor,this.gitBranchLabel3=this.gitBranchLabel3||f(this.labelTextColor),this.gitBranchLabel4=this.gitBranchLabel4||this.labelTextColor,this.gitBranchLabel5=this.gitBranchLabel5||this.labelTextColor,this.gitBranchLabel6=this.gitBranchLabel6||this.labelTextColor,this.gitBranchLabel7=this.gitBranchLabel7||this.labelTextColor,this.tagLabelColor=this.tagLabelColor||this.primaryTextColor,this.tagLabelBackground=this.tagLabelBackground||this.primaryColor,this.tagLabelBorder=this.tagBorder||this.primaryBorderColor,this.tagLabelFontSize=this.tagLabelFontSize||"10px",this.commitLabelColor=this.commitLabelColor||this.secondaryTextColor,this.commitLabelBackground=this.commitLabelBackground||this.secondaryColor,this.commitLabelFontSize=this.commitLabelFontSize||"10px",this.attributeBackgroundColorOdd=this.attributeBackgroundColorOdd||(0,g.Z)(this.background,12),this.attributeBackgroundColorEven=this.attributeBackgroundColorEven||(0,g.Z)(this.background,2)}calculate(t){if("object"!=typeof t)return void this.updateColors();const e=Object.keys(t);e.forEach((e=>{this[e]=t[e]})),this.updateColors(),e.forEach((e=>{this[e]=t[e]}))}};let Bt=class{constructor(){this.background="#f4f4f4",this.primaryColor="#ECECFF",this.secondaryColor=h(this.primaryColor,{h:120}),this.secondaryColor="#ffffde",this.tertiaryColor=h(this.primaryColor,{h:-160}),this.primaryBorderColor=vt(this.primaryColor,this.darkMode),this.secondaryBorderColor=vt(this.secondaryColor,this.darkMode),this.tertiaryBorderColor=vt(this.tertiaryColor,this.darkMode),this.primaryTextColor=f(this.primaryColor),this.secondaryTextColor=f(this.secondaryColor),this.tertiaryTextColor=f(this.tertiaryColor),this.lineColor=f(this.background),this.textColor=f(this.background),this.background="white",this.mainBkg="#ECECFF",this.secondBkg="#ffffde",this.lineColor="#333333",this.border1="#9370DB",this.border2="#aaaa33",this.arrowheadColor="#333333",this.fontFamily='"trebuchet ms", verdana, arial, sans-serif',this.fontSize="16px",this.labelBackground="#e8e8e8",this.textColor="#333",this.THEME_COLOR_LIMIT=12,this.nodeBkg="calculated",this.nodeBorder="calculated",this.clusterBkg="calculated",this.clusterBorder="calculated",this.defaultLinkColor="calculated",this.titleColor="calculated",this.edgeLabelBackground="calculated",this.actorBorder="calculated",this.actorBkg="calculated",this.actorTextColor="black",this.actorLineColor="grey",this.signalColor="calculated",this.signalTextColor="calculated",this.labelBoxBkgColor="calculated",this.labelBoxBorderColor="calculated",this.labelTextColor="calculated",this.loopTextColor="calculated",this.noteBorderColor="calculated",this.noteBkgColor="#fff5ad",this.noteTextColor="calculated",this.activationBorderColor="#666",this.activationBkgColor="#f4f4f4",this.sequenceNumberColor="white",this.sectionBkgColor="calculated",this.altSectionBkgColor="calculated",this.sectionBkgColor2="calculated",this.excludeBkgColor="#eeeeee",this.taskBorderColor="calculated",this.taskBkgColor="calculated",this.taskTextLightColor="calculated",this.taskTextColor=this.taskTextLightColor,this.taskTextDarkColor="calculated",this.taskTextOutsideColor=this.taskTextDarkColor,this.taskTextClickableColor="calculated",this.activeTaskBorderColor="calculated",this.activeTaskBkgColor="calculated",this.gridColor="calculated",this.doneTaskBkgColor="calculated",this.doneTaskBorderColor="calculated",this.critBorderColor="calculated",this.critBkgColor="calculated",this.todayLineColor="calculated",this.sectionBkgColor=(0,u.Z)(102,102,255,.49),this.altSectionBkgColor="white",this.sectionBkgColor2="#fff400",this.taskBorderColor="#534fbc",this.taskBkgColor="#8a90dd",this.taskTextLightColor="white",this.taskTextColor="calculated",this.taskTextDarkColor="black",this.taskTextOutsideColor="calculated",this.taskTextClickableColor="#003163",this.activeTaskBorderColor="#534fbc",this.activeTaskBkgColor="#bfc7ff",this.gridColor="lightgrey",this.doneTaskBkgColor="lightgrey",this.doneTaskBorderColor="grey",this.critBorderColor="#ff8888",this.critBkgColor="red",this.todayLineColor="red",this.personBorder=this.primaryBorderColor,this.personBkg=this.mainBkg,this.labelColor="black",this.errorBkgColor="#552222",this.errorTextColor="#552222",this.updateColors()}updateColors(){var t,e,i,r,n,o,a,s,l,c,u;this.cScale0=this.cScale0||this.primaryColor,this.cScale1=this.cScale1||this.secondaryColor,this.cScale2=this.cScale2||this.tertiaryColor,this.cScale3=this.cScale3||h(this.primaryColor,{h:30}),this.cScale4=this.cScale4||h(this.primaryColor,{h:60}),this.cScale5=this.cScale5||h(this.primaryColor,{h:90}),this.cScale6=this.cScale6||h(this.primaryColor,{h:120}),this.cScale7=this.cScale7||h(this.primaryColor,{h:150}),this.cScale8=this.cScale8||h(this.primaryColor,{h:210}),this.cScale9=this.cScale9||h(this.primaryColor,{h:270}),this.cScale10=this.cScale10||h(this.primaryColor,{h:300}),this.cScale11=this.cScale11||h(this.primaryColor,{h:330}),this.cScalePeer1=this.cScalePeer1||(0,p.Z)(this.secondaryColor,45),this.cScalePeer2=this.cScalePeer2||(0,p.Z)(this.tertiaryColor,40);for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["cScale"+h]=(0,p.Z)(this["cScale"+h],10),this["cScalePeer"+h]=this["cScalePeer"+h]||(0,p.Z)(this["cScale"+h],25);for(let d=0;d<this.THEME_COLOR_LIMIT;d++)this["cScaleInv"+d]=this["cScaleInv"+d]||h(this["cScale"+d],{h:180});for(let d=0;d<5;d++)this["surface"+d]=this["surface"+d]||h(this.mainBkg,{h:30,l:-(5+5*d)}),this["surfacePeer"+d]=this["surfacePeer"+d]||h(this.mainBkg,{h:30,l:-(7+5*d)});if(this.scaleLabelColor="calculated"!==this.scaleLabelColor&&this.scaleLabelColor?this.scaleLabelColor:this.labelTextColor,"calculated"!==this.labelTextColor){this.cScaleLabel0=this.cScaleLabel0||f(this.labelTextColor),this.cScaleLabel3=this.cScaleLabel3||f(this.labelTextColor);for(let t=0;t<this.THEME_COLOR_LIMIT;t++)this["cScaleLabel"+t]=this["cScaleLabel"+t]||this.labelTextColor}this.nodeBkg=this.mainBkg,this.nodeBorder=this.border1,this.clusterBkg=this.secondBkg,this.clusterBorder=this.border2,this.defaultLinkColor=this.lineColor,this.titleColor=this.textColor,this.edgeLabelBackground=this.labelBackground,this.actorBorder=(0,g.Z)(this.border1,23),this.actorBkg=this.mainBkg,this.labelBoxBkgColor=this.actorBkg,this.signalColor=this.textColor,this.signalTextColor=this.textColor,this.labelBoxBorderColor=this.actorBorder,this.labelTextColor=this.actorTextColor,this.loopTextColor=this.actorTextColor,this.noteBorderColor=this.border2,this.noteTextColor=this.actorTextColor,this.taskTextColor=this.taskTextLightColor,this.taskTextOutsideColor=this.taskTextDarkColor,this.transitionColor=this.transitionColor||this.lineColor,this.transitionLabelColor=this.transitionLabelColor||this.textColor,this.stateLabelColor=this.stateLabelColor||this.stateBkg||this.primaryTextColor,this.stateBkg=this.stateBkg||this.mainBkg,this.labelBackgroundColor=this.labelBackgroundColor||this.stateBkg,this.compositeBackground=this.compositeBackground||this.background||this.tertiaryColor,this.altBackground=this.altBackground||"#f0f0f0",this.compositeTitleBackground=this.compositeTitleBackground||this.mainBkg,this.compositeBorder=this.compositeBorder||this.nodeBorder,this.innerEndBackground=this.nodeBorder,this.specialStateColor=this.lineColor,this.errorBkgColor=this.errorBkgColor||this.tertiaryColor,this.errorTextColor=this.errorTextColor||this.tertiaryTextColor,this.transitionColor=this.transitionColor||this.lineColor,this.classText=this.primaryTextColor,this.fillType0=this.primaryColor,this.fillType1=this.secondaryColor,this.fillType2=h(this.primaryColor,{h:64}),this.fillType3=h(this.secondaryColor,{h:64}),this.fillType4=h(this.primaryColor,{h:-64}),this.fillType5=h(this.secondaryColor,{h:-64}),this.fillType6=h(this.primaryColor,{h:128}),this.fillType7=h(this.secondaryColor,{h:128}),this.pie1=this.pie1||this.primaryColor,this.pie2=this.pie2||this.secondaryColor,this.pie3=this.pie3||h(this.tertiaryColor,{l:-40}),this.pie4=this.pie4||h(this.primaryColor,{l:-10}),this.pie5=this.pie5||h(this.secondaryColor,{l:-30}),this.pie6=this.pie6||h(this.tertiaryColor,{l:-20}),this.pie7=this.pie7||h(this.primaryColor,{h:60,l:-20}),this.pie8=this.pie8||h(this.primaryColor,{h:-60,l:-40}),this.pie9=this.pie9||h(this.primaryColor,{h:120,l:-40}),this.pie10=this.pie10||h(this.primaryColor,{h:60,l:-40}),this.pie11=this.pie11||h(this.primaryColor,{h:-90,l:-40}),this.pie12=this.pie12||h(this.primaryColor,{h:120,l:-30}),this.pieTitleTextSize=this.pieTitleTextSize||"25px",this.pieTitleTextColor=this.pieTitleTextColor||this.taskTextDarkColor,this.pieSectionTextSize=this.pieSectionTextSize||"17px",this.pieSectionTextColor=this.pieSectionTextColor||this.textColor,this.pieLegendTextSize=this.pieLegendTextSize||"17px",this.pieLegendTextColor=this.pieLegendTextColor||this.taskTextDarkColor,this.pieStrokeColor=this.pieStrokeColor||"black",this.pieStrokeWidth=this.pieStrokeWidth||"2px",this.pieOuterStrokeWidth=this.pieOuterStrokeWidth||"2px",this.pieOuterStrokeColor=this.pieOuterStrokeColor||"black",this.pieOpacity=this.pieOpacity||"0.7",this.quadrant1Fill=this.quadrant1Fill||this.primaryColor,this.quadrant2Fill=this.quadrant2Fill||h(this.primaryColor,{r:5,g:5,b:5}),this.quadrant3Fill=this.quadrant3Fill||h(this.primaryColor,{r:10,g:10,b:10}),this.quadrant4Fill=this.quadrant4Fill||h(this.primaryColor,{r:15,g:15,b:15}),this.quadrant1TextFill=this.quadrant1TextFill||this.primaryTextColor,this.quadrant2TextFill=this.quadrant2TextFill||h(this.primaryTextColor,{r:-5,g:-5,b:-5}),this.quadrant3TextFill=this.quadrant3TextFill||h(this.primaryTextColor,{r:-10,g:-10,b:-10}),this.quadrant4TextFill=this.quadrant4TextFill||h(this.primaryTextColor,{r:-15,g:-15,b:-15}),this.quadrantPointFill=this.quadrantPointFill||(0,m.Z)(this.quadrant1Fill)?(0,g.Z)(this.quadrant1Fill):(0,p.Z)(this.quadrant1Fill),this.quadrantPointTextFill=this.quadrantPointTextFill||this.primaryTextColor,this.quadrantXAxisTextFill=this.quadrantXAxisTextFill||this.primaryTextColor,this.quadrantYAxisTextFill=this.quadrantYAxisTextFill||this.primaryTextColor,this.quadrantInternalBorderStrokeFill=this.quadrantInternalBorderStrokeFill||this.primaryBorderColor,this.quadrantExternalBorderStrokeFill=this.quadrantExternalBorderStrokeFill||this.primaryBorderColor,this.quadrantTitleFill=this.quadrantTitleFill||this.primaryTextColor,this.xyChart={backgroundColor:(null==(t=this.xyChart)?void 0:t.backgroundColor)||this.background,titleColor:(null==(e=this.xyChart)?void 0:e.titleColor)||this.primaryTextColor,xAxisTitleColor:(null==(i=this.xyChart)?void 0:i.xAxisTitleColor)||this.primaryTextColor,xAxisLabelColor:(null==(r=this.xyChart)?void 0:r.xAxisLabelColor)||this.primaryTextColor,xAxisTickColor:(null==(n=this.xyChart)?void 0:n.xAxisTickColor)||this.primaryTextColor,xAxisLineColor:(null==(o=this.xyChart)?void 0:o.xAxisLineColor)||this.primaryTextColor,yAxisTitleColor:(null==(a=this.xyChart)?void 0:a.yAxisTitleColor)||this.primaryTextColor,yAxisLabelColor:(null==(s=this.xyChart)?void 0:s.yAxisLabelColor)||this.primaryTextColor,yAxisTickColor:(null==(l=this.xyChart)?void 0:l.yAxisTickColor)||this.primaryTextColor,yAxisLineColor:(null==(c=this.xyChart)?void 0:c.yAxisLineColor)||this.primaryTextColor,plotColorPalette:(null==(u=this.xyChart)?void 0:u.plotColorPalette)||"#ECECFF,#8493A6,#FFC3A0,#DCDDE1,#B8E994,#D1A36F,#C3CDE6,#FFB6C1,#496078,#F8F3E3"},this.requirementBackground=this.requirementBackground||this.primaryColor,this.requirementBorderColor=this.requirementBorderColor||this.primaryBorderColor,this.requirementBorderSize=this.requirementBorderSize||"1",this.requirementTextColor=this.requirementTextColor||this.primaryTextColor,this.relationColor=this.relationColor||this.lineColor,this.relationLabelBackground=this.relationLabelBackground||this.labelBackground,this.relationLabelColor=this.relationLabelColor||this.actorTextColor,this.git0=this.git0||this.primaryColor,this.git1=this.git1||this.secondaryColor,this.git2=this.git2||this.tertiaryColor,this.git3=this.git3||h(this.primaryColor,{h:-30}),this.git4=this.git4||h(this.primaryColor,{h:-60}),this.git5=this.git5||h(this.primaryColor,{h:-90}),this.git6=this.git6||h(this.primaryColor,{h:60}),this.git7=this.git7||h(this.primaryColor,{h:120}),this.darkMode?(this.git0=(0,g.Z)(this.git0,25),this.git1=(0,g.Z)(this.git1,25),this.git2=(0,g.Z)(this.git2,25),this.git3=(0,g.Z)(this.git3,25),this.git4=(0,g.Z)(this.git4,25),this.git5=(0,g.Z)(this.git5,25),this.git6=(0,g.Z)(this.git6,25),this.git7=(0,g.Z)(this.git7,25)):(this.git0=(0,p.Z)(this.git0,25),this.git1=(0,p.Z)(this.git1,25),this.git2=(0,p.Z)(this.git2,25),this.git3=(0,p.Z)(this.git3,25),this.git4=(0,p.Z)(this.git4,25),this.git5=(0,p.Z)(this.git5,25),this.git6=(0,p.Z)(this.git6,25),this.git7=(0,p.Z)(this.git7,25)),this.gitInv0=this.gitInv0||(0,p.Z)(f(this.git0),25),this.gitInv1=this.gitInv1||f(this.git1),this.gitInv2=this.gitInv2||f(this.git2),this.gitInv3=this.gitInv3||f(this.git3),this.gitInv4=this.gitInv4||f(this.git4),this.gitInv5=this.gitInv5||f(this.git5),this.gitInv6=this.gitInv6||f(this.git6),this.gitInv7=this.gitInv7||f(this.git7),this.gitBranchLabel0=this.gitBranchLabel0||f(this.labelTextColor),this.gitBranchLabel1=this.gitBranchLabel1||this.labelTextColor,this.gitBranchLabel2=this.gitBranchLabel2||this.labelTextColor,this.gitBranchLabel3=this.gitBranchLabel3||f(this.labelTextColor),this.gitBranchLabel4=this.gitBranchLabel4||this.labelTextColor,this.gitBranchLabel5=this.gitBranchLabel5||this.labelTextColor,this.gitBranchLabel6=this.gitBranchLabel6||this.labelTextColor,this.gitBranchLabel7=this.gitBranchLabel7||this.labelTextColor,this.tagLabelColor=this.tagLabelColor||this.primaryTextColor,this.tagLabelBackground=this.tagLabelBackground||this.primaryColor,this.tagLabelBorder=this.tagBorder||this.primaryBorderColor,this.tagLabelFontSize=this.tagLabelFontSize||"10px",this.commitLabelColor=this.commitLabelColor||this.secondaryTextColor,this.commitLabelBackground=this.commitLabelBackground||this.secondaryColor,this.commitLabelFontSize=this.commitLabelFontSize||"10px",this.attributeBackgroundColorOdd=this.attributeBackgroundColorOdd||kt,this.attributeBackgroundColorEven=this.attributeBackgroundColorEven||Tt}calculate(t){if("object"!=typeof t)return void this.updateColors();const e=Object.keys(t);e.forEach((e=>{this[e]=t[e]})),this.updateColors(),e.forEach((e=>{this[e]=t[e]}))}};const Ft=t=>{const e=new Bt;return e.calculate(t),e};let Lt=class{constructor(){this.background="#f4f4f4",this.primaryColor="#cde498",this.secondaryColor="#cdffb2",this.background="white",this.mainBkg="#cde498",this.secondBkg="#cdffb2",this.lineColor="green",this.border1="#13540c",this.border2="#6eaa49",this.arrowheadColor="green",this.fontFamily='"trebuchet ms", verdana, arial, sans-serif',this.fontSize="16px",this.tertiaryColor=(0,g.Z)("#cde498",10),this.primaryBorderColor=vt(this.primaryColor,this.darkMode),this.secondaryBorderColor=vt(this.secondaryColor,this.darkMode),this.tertiaryBorderColor=vt(this.tertiaryColor,this.darkMode),this.primaryTextColor=f(this.primaryColor),this.secondaryTextColor=f(this.secondaryColor),this.tertiaryTextColor=f(this.primaryColor),this.lineColor=f(this.background),this.textColor=f(this.background),this.THEME_COLOR_LIMIT=12,this.nodeBkg="calculated",this.nodeBorder="calculated",this.clusterBkg="calculated",this.clusterBorder="calculated",this.defaultLinkColor="calculated",this.titleColor="#333",this.edgeLabelBackground="#e8e8e8",this.actorBorder="calculated",this.actorBkg="calculated",this.actorTextColor="black",this.actorLineColor="grey",this.signalColor="#333",this.signalTextColor="#333",this.labelBoxBkgColor="calculated",this.labelBoxBorderColor="#326932",this.labelTextColor="calculated",this.loopTextColor="calculated",this.noteBorderColor="calculated",this.noteBkgColor="#fff5ad",this.noteTextColor="calculated",this.activationBorderColor="#666",this.activationBkgColor="#f4f4f4",this.sequenceNumberColor="white",this.sectionBkgColor="#6eaa49",this.altSectionBkgColor="white",this.sectionBkgColor2="#6eaa49",this.excludeBkgColor="#eeeeee",this.taskBorderColor="calculated",this.taskBkgColor="#487e3a",this.taskTextLightColor="white",this.taskTextColor="calculated",this.taskTextDarkColor="black",this.taskTextOutsideColor="calculated",this.taskTextClickableColor="#003163",this.activeTaskBorderColor="calculated",this.activeTaskBkgColor="calculated",this.gridColor="lightgrey",this.doneTaskBkgColor="lightgrey",this.doneTaskBorderColor="grey",this.critBorderColor="#ff8888",this.critBkgColor="red",this.todayLineColor="red",this.personBorder=this.primaryBorderColor,this.personBkg=this.mainBkg,this.labelColor="black",this.errorBkgColor="#552222",this.errorTextColor="#552222"}updateColors(){var t,e,i,r,n,o,a,s,l,c,u;this.actorBorder=(0,p.Z)(this.mainBkg,20),this.actorBkg=this.mainBkg,this.labelBoxBkgColor=this.actorBkg,this.labelTextColor=this.actorTextColor,this.loopTextColor=this.actorTextColor,this.noteBorderColor=this.border2,this.noteTextColor=this.actorTextColor,this.cScale0=this.cScale0||this.primaryColor,this.cScale1=this.cScale1||this.secondaryColor,this.cScale2=this.cScale2||this.tertiaryColor,this.cScale3=this.cScale3||h(this.primaryColor,{h:30}),this.cScale4=this.cScale4||h(this.primaryColor,{h:60}),this.cScale5=this.cScale5||h(this.primaryColor,{h:90}),this.cScale6=this.cScale6||h(this.primaryColor,{h:120}),this.cScale7=this.cScale7||h(this.primaryColor,{h:150}),this.cScale8=this.cScale8||h(this.primaryColor,{h:210}),this.cScale9=this.cScale9||h(this.primaryColor,{h:270}),this.cScale10=this.cScale10||h(this.primaryColor,{h:300}),this.cScale11=this.cScale11||h(this.primaryColor,{h:330}),this.cScalePeer1=this.cScalePeer1||(0,p.Z)(this.secondaryColor,45),this.cScalePeer2=this.cScalePeer2||(0,p.Z)(this.tertiaryColor,40);for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["cScale"+h]=(0,p.Z)(this["cScale"+h],10),this["cScalePeer"+h]=this["cScalePeer"+h]||(0,p.Z)(this["cScale"+h],25);for(let d=0;d<this.THEME_COLOR_LIMIT;d++)this["cScaleInv"+d]=this["cScaleInv"+d]||h(this["cScale"+d],{h:180});this.scaleLabelColor="calculated"!==this.scaleLabelColor&&this.scaleLabelColor?this.scaleLabelColor:this.labelTextColor;for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["cScaleLabel"+h]=this["cScaleLabel"+h]||this.scaleLabelColor;for(let d=0;d<5;d++)this["surface"+d]=this["surface"+d]||h(this.mainBkg,{h:30,s:-30,l:-(5+5*d)}),this["surfacePeer"+d]=this["surfacePeer"+d]||h(this.mainBkg,{h:30,s:-30,l:-(8+5*d)});this.nodeBkg=this.mainBkg,this.nodeBorder=this.border1,this.clusterBkg=this.secondBkg,this.clusterBorder=this.border2,this.defaultLinkColor=this.lineColor,this.taskBorderColor=this.border1,this.taskTextColor=this.taskTextLightColor,this.taskTextOutsideColor=this.taskTextDarkColor,this.activeTaskBorderColor=this.taskBorderColor,this.activeTaskBkgColor=this.mainBkg,this.transitionColor=this.transitionColor||this.lineColor,this.transitionLabelColor=this.transitionLabelColor||this.textColor,this.stateLabelColor=this.stateLabelColor||this.stateBkg||this.primaryTextColor,this.stateBkg=this.stateBkg||this.mainBkg,this.labelBackgroundColor=this.labelBackgroundColor||this.stateBkg,this.compositeBackground=this.compositeBackground||this.background||this.tertiaryColor,this.altBackground=this.altBackground||"#f0f0f0",this.compositeTitleBackground=this.compositeTitleBackground||this.mainBkg,this.compositeBorder=this.compositeBorder||this.nodeBorder,this.innerEndBackground=this.primaryBorderColor,this.specialStateColor=this.lineColor,this.errorBkgColor=this.errorBkgColor||this.tertiaryColor,this.errorTextColor=this.errorTextColor||this.tertiaryTextColor,this.transitionColor=this.transitionColor||this.lineColor,this.classText=this.primaryTextColor,this.fillType0=this.primaryColor,this.fillType1=this.secondaryColor,this.fillType2=h(this.primaryColor,{h:64}),this.fillType3=h(this.secondaryColor,{h:64}),this.fillType4=h(this.primaryColor,{h:-64}),this.fillType5=h(this.secondaryColor,{h:-64}),this.fillType6=h(this.primaryColor,{h:128}),this.fillType7=h(this.secondaryColor,{h:128}),this.pie1=this.pie1||this.primaryColor,this.pie2=this.pie2||this.secondaryColor,this.pie3=this.pie3||this.tertiaryColor,this.pie4=this.pie4||h(this.primaryColor,{l:-30}),this.pie5=this.pie5||h(this.secondaryColor,{l:-30}),this.pie6=this.pie6||h(this.tertiaryColor,{h:40,l:-40}),this.pie7=this.pie7||h(this.primaryColor,{h:60,l:-10}),this.pie8=this.pie8||h(this.primaryColor,{h:-60,l:-10}),this.pie9=this.pie9||h(this.primaryColor,{h:120,l:0}),this.pie10=this.pie10||h(this.primaryColor,{h:60,l:-50}),this.pie11=this.pie11||h(this.primaryColor,{h:-60,l:-50}),this.pie12=this.pie12||h(this.primaryColor,{h:120,l:-50}),this.pieTitleTextSize=this.pieTitleTextSize||"25px",this.pieTitleTextColor=this.pieTitleTextColor||this.taskTextDarkColor,this.pieSectionTextSize=this.pieSectionTextSize||"17px",this.pieSectionTextColor=this.pieSectionTextColor||this.textColor,this.pieLegendTextSize=this.pieLegendTextSize||"17px",this.pieLegendTextColor=this.pieLegendTextColor||this.taskTextDarkColor,this.pieStrokeColor=this.pieStrokeColor||"black",this.pieStrokeWidth=this.pieStrokeWidth||"2px",this.pieOuterStrokeWidth=this.pieOuterStrokeWidth||"2px",this.pieOuterStrokeColor=this.pieOuterStrokeColor||"black",this.pieOpacity=this.pieOpacity||"0.7",this.quadrant1Fill=this.quadrant1Fill||this.primaryColor,this.quadrant2Fill=this.quadrant2Fill||h(this.primaryColor,{r:5,g:5,b:5}),this.quadrant3Fill=this.quadrant3Fill||h(this.primaryColor,{r:10,g:10,b:10}),this.quadrant4Fill=this.quadrant4Fill||h(this.primaryColor,{r:15,g:15,b:15}),this.quadrant1TextFill=this.quadrant1TextFill||this.primaryTextColor,this.quadrant2TextFill=this.quadrant2TextFill||h(this.primaryTextColor,{r:-5,g:-5,b:-5}),this.quadrant3TextFill=this.quadrant3TextFill||h(this.primaryTextColor,{r:-10,g:-10,b:-10}),this.quadrant4TextFill=this.quadrant4TextFill||h(this.primaryTextColor,{r:-15,g:-15,b:-15}),this.quadrantPointFill=this.quadrantPointFill||(0,m.Z)(this.quadrant1Fill)?(0,g.Z)(this.quadrant1Fill):(0,p.Z)(this.quadrant1Fill),this.quadrantPointTextFill=this.quadrantPointTextFill||this.primaryTextColor,this.quadrantXAxisTextFill=this.quadrantXAxisTextFill||this.primaryTextColor,this.quadrantYAxisTextFill=this.quadrantYAxisTextFill||this.primaryTextColor,this.quadrantInternalBorderStrokeFill=this.quadrantInternalBorderStrokeFill||this.primaryBorderColor,this.quadrantExternalBorderStrokeFill=this.quadrantExternalBorderStrokeFill||this.primaryBorderColor,this.quadrantTitleFill=this.quadrantTitleFill||this.primaryTextColor,this.xyChart={backgroundColor:(null==(t=this.xyChart)?void 0:t.backgroundColor)||this.background,titleColor:(null==(e=this.xyChart)?void 0:e.titleColor)||this.primaryTextColor,xAxisTitleColor:(null==(i=this.xyChart)?void 0:i.xAxisTitleColor)||this.primaryTextColor,xAxisLabelColor:(null==(r=this.xyChart)?void 0:r.xAxisLabelColor)||this.primaryTextColor,xAxisTickColor:(null==(n=this.xyChart)?void 0:n.xAxisTickColor)||this.primaryTextColor,xAxisLineColor:(null==(o=this.xyChart)?void 0:o.xAxisLineColor)||this.primaryTextColor,yAxisTitleColor:(null==(a=this.xyChart)?void 0:a.yAxisTitleColor)||this.primaryTextColor,yAxisLabelColor:(null==(s=this.xyChart)?void 0:s.yAxisLabelColor)||this.primaryTextColor,yAxisTickColor:(null==(l=this.xyChart)?void 0:l.yAxisTickColor)||this.primaryTextColor,yAxisLineColor:(null==(c=this.xyChart)?void 0:c.yAxisLineColor)||this.primaryTextColor,plotColorPalette:(null==(u=this.xyChart)?void 0:u.plotColorPalette)||"#CDE498,#FF6B6B,#A0D2DB,#D7BDE2,#F0F0F0,#FFC3A0,#7FD8BE,#FF9A8B,#FAF3E0,#FFF176"},this.requirementBackground=this.requirementBackground||this.primaryColor,this.requirementBorderColor=this.requirementBorderColor||this.primaryBorderColor,this.requirementBorderSize=this.requirementBorderSize||"1",this.requirementTextColor=this.requirementTextColor||this.primaryTextColor,this.relationColor=this.relationColor||this.lineColor,this.relationLabelBackground=this.relationLabelBackground||this.edgeLabelBackground,this.relationLabelColor=this.relationLabelColor||this.actorTextColor,this.git0=this.git0||this.primaryColor,this.git1=this.git1||this.secondaryColor,this.git2=this.git2||this.tertiaryColor,this.git3=this.git3||h(this.primaryColor,{h:-30}),this.git4=this.git4||h(this.primaryColor,{h:-60}),this.git5=this.git5||h(this.primaryColor,{h:-90}),this.git6=this.git6||h(this.primaryColor,{h:60}),this.git7=this.git7||h(this.primaryColor,{h:120}),this.darkMode?(this.git0=(0,g.Z)(this.git0,25),this.git1=(0,g.Z)(this.git1,25),this.git2=(0,g.Z)(this.git2,25),this.git3=(0,g.Z)(this.git3,25),this.git4=(0,g.Z)(this.git4,25),this.git5=(0,g.Z)(this.git5,25),this.git6=(0,g.Z)(this.git6,25),this.git7=(0,g.Z)(this.git7,25)):(this.git0=(0,p.Z)(this.git0,25),this.git1=(0,p.Z)(this.git1,25),this.git2=(0,p.Z)(this.git2,25),this.git3=(0,p.Z)(this.git3,25),this.git4=(0,p.Z)(this.git4,25),this.git5=(0,p.Z)(this.git5,25),this.git6=(0,p.Z)(this.git6,25),this.git7=(0,p.Z)(this.git7,25)),this.gitInv0=this.gitInv0||f(this.git0),this.gitInv1=this.gitInv1||f(this.git1),this.gitInv2=this.gitInv2||f(this.git2),this.gitInv3=this.gitInv3||f(this.git3),this.gitInv4=this.gitInv4||f(this.git4),this.gitInv5=this.gitInv5||f(this.git5),this.gitInv6=this.gitInv6||f(this.git6),this.gitInv7=this.gitInv7||f(this.git7),this.gitBranchLabel0=this.gitBranchLabel0||f(this.labelTextColor),this.gitBranchLabel1=this.gitBranchLabel1||this.labelTextColor,this.gitBranchLabel2=this.gitBranchLabel2||this.labelTextColor,this.gitBranchLabel3=this.gitBranchLabel3||f(this.labelTextColor),this.gitBranchLabel4=this.gitBranchLabel4||this.labelTextColor,this.gitBranchLabel5=this.gitBranchLabel5||this.labelTextColor,this.gitBranchLabel6=this.gitBranchLabel6||this.labelTextColor,this.gitBranchLabel7=this.gitBranchLabel7||this.labelTextColor,this.tagLabelColor=this.tagLabelColor||this.primaryTextColor,this.tagLabelBackground=this.tagLabelBackground||this.primaryColor,this.tagLabelBorder=this.tagBorder||this.primaryBorderColor,this.tagLabelFontSize=this.tagLabelFontSize||"10px",this.commitLabelColor=this.commitLabelColor||this.secondaryTextColor,this.commitLabelBackground=this.commitLabelBackground||this.secondaryColor,this.commitLabelFontSize=this.commitLabelFontSize||"10px",this.attributeBackgroundColorOdd=this.attributeBackgroundColorOdd||kt,this.attributeBackgroundColorEven=this.attributeBackgroundColorEven||Tt}calculate(t){if("object"!=typeof t)return void this.updateColors();const e=Object.keys(t);e.forEach((e=>{this[e]=t[e]})),this.updateColors(),e.forEach((e=>{this[e]=t[e]}))}};class At{constructor(){this.primaryColor="#eee",this.contrast="#707070",this.secondaryColor=(0,g.Z)(this.contrast,55),this.background="#ffffff",this.tertiaryColor=h(this.primaryColor,{h:-160}),this.primaryBorderColor=vt(this.primaryColor,this.darkMode),this.secondaryBorderColor=vt(this.secondaryColor,this.darkMode),this.tertiaryBorderColor=vt(this.tertiaryColor,this.darkMode),this.primaryTextColor=f(this.primaryColor),this.secondaryTextColor=f(this.secondaryColor),this.tertiaryTextColor=f(this.tertiaryColor),this.lineColor=f(this.background),this.textColor=f(this.background),this.mainBkg="#eee",this.secondBkg="calculated",this.lineColor="#666",this.border1="#999",this.border2="calculated",this.note="#ffa",this.text="#333",this.critical="#d42",this.done="#bbb",this.arrowheadColor="#333333",this.fontFamily='"trebuchet ms", verdana, arial, sans-serif',this.fontSize="16px",this.THEME_COLOR_LIMIT=12,this.nodeBkg="calculated",this.nodeBorder="calculated",this.clusterBkg="calculated",this.clusterBorder="calculated",this.defaultLinkColor="calculated",this.titleColor="calculated",this.edgeLabelBackground="white",this.actorBorder="calculated",this.actorBkg="calculated",this.actorTextColor="calculated",this.actorLineColor="calculated",this.signalColor="calculated",this.signalTextColor="calculated",this.labelBoxBkgColor="calculated",this.labelBoxBorderColor="calculated",this.labelTextColor="calculated",this.loopTextColor="calculated",this.noteBorderColor="calculated",this.noteBkgColor="calculated",this.noteTextColor="calculated",this.activationBorderColor="#666",this.activationBkgColor="#f4f4f4",this.sequenceNumberColor="white",this.sectionBkgColor="calculated",this.altSectionBkgColor="white",this.sectionBkgColor2="calculated",this.excludeBkgColor="#eeeeee",this.taskBorderColor="calculated",this.taskBkgColor="calculated",this.taskTextLightColor="white",this.taskTextColor="calculated",this.taskTextDarkColor="calculated",this.taskTextOutsideColor="calculated",this.taskTextClickableColor="#003163",this.activeTaskBorderColor="calculated",this.activeTaskBkgColor="calculated",this.gridColor="calculated",this.doneTaskBkgColor="calculated",this.doneTaskBorderColor="calculated",this.critBkgColor="calculated",this.critBorderColor="calculated",this.todayLineColor="calculated",this.personBorder=this.primaryBorderColor,this.personBkg=this.mainBkg,this.labelColor="black",this.errorBkgColor="#552222",this.errorTextColor="#552222"}updateColors(){var t,e,i,r,n,o,a,s,l,c,u;this.secondBkg=(0,g.Z)(this.contrast,55),this.border2=this.contrast,this.actorBorder=(0,g.Z)(this.border1,23),this.actorBkg=this.mainBkg,this.actorTextColor=this.text,this.actorLineColor=this.lineColor,this.signalColor=this.text,this.signalTextColor=this.text,this.labelBoxBkgColor=this.actorBkg,this.labelBoxBorderColor=this.actorBorder,this.labelTextColor=this.text,this.loopTextColor=this.text,this.noteBorderColor="#999",this.noteBkgColor="#666",this.noteTextColor="#fff",this.cScale0=this.cScale0||"#555",this.cScale1=this.cScale1||"#F4F4F4",this.cScale2=this.cScale2||"#555",this.cScale3=this.cScale3||"#BBB",this.cScale4=this.cScale4||"#777",this.cScale5=this.cScale5||"#999",this.cScale6=this.cScale6||"#DDD",this.cScale7=this.cScale7||"#FFF",this.cScale8=this.cScale8||"#DDD",this.cScale9=this.cScale9||"#BBB",this.cScale10=this.cScale10||"#999",this.cScale11=this.cScale11||"#777";for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["cScaleInv"+h]=this["cScaleInv"+h]||f(this["cScale"+h]);for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this.darkMode?this["cScalePeer"+h]=this["cScalePeer"+h]||(0,g.Z)(this["cScale"+h],10):this["cScalePeer"+h]=this["cScalePeer"+h]||(0,p.Z)(this["cScale"+h],10);this.scaleLabelColor=this.scaleLabelColor||(this.darkMode?"black":this.labelTextColor),this.cScaleLabel0=this.cScaleLabel0||this.cScale1,this.cScaleLabel2=this.cScaleLabel2||this.cScale1;for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["cScaleLabel"+h]=this["cScaleLabel"+h]||this.scaleLabelColor;for(let d=0;d<5;d++)this["surface"+d]=this["surface"+d]||h(this.mainBkg,{l:-(5+5*d)}),this["surfacePeer"+d]=this["surfacePeer"+d]||h(this.mainBkg,{l:-(8+5*d)});this.nodeBkg=this.mainBkg,this.nodeBorder=this.border1,this.clusterBkg=this.secondBkg,this.clusterBorder=this.border2,this.defaultLinkColor=this.lineColor,this.titleColor=this.text,this.sectionBkgColor=(0,g.Z)(this.contrast,30),this.sectionBkgColor2=(0,g.Z)(this.contrast,30),this.taskBorderColor=(0,p.Z)(this.contrast,10),this.taskBkgColor=this.contrast,this.taskTextColor=this.taskTextLightColor,this.taskTextDarkColor=this.text,this.taskTextOutsideColor=this.taskTextDarkColor,this.activeTaskBorderColor=this.taskBorderColor,this.activeTaskBkgColor=this.mainBkg,this.gridColor=(0,g.Z)(this.border1,30),this.doneTaskBkgColor=this.done,this.doneTaskBorderColor=this.lineColor,this.critBkgColor=this.critical,this.critBorderColor=(0,p.Z)(this.critBkgColor,10),this.todayLineColor=this.critBkgColor,this.transitionColor=this.transitionColor||"#000",this.transitionLabelColor=this.transitionLabelColor||this.textColor,this.stateLabelColor=this.stateLabelColor||this.stateBkg||this.primaryTextColor,this.stateBkg=this.stateBkg||this.mainBkg,this.labelBackgroundColor=this.labelBackgroundColor||this.stateBkg,this.compositeBackground=this.compositeBackground||this.background||this.tertiaryColor,this.altBackground=this.altBackground||"#f4f4f4",this.compositeTitleBackground=this.compositeTitleBackground||this.mainBkg,this.stateBorder=this.stateBorder||"#000",this.innerEndBackground=this.primaryBorderColor,this.specialStateColor="#222",this.errorBkgColor=this.errorBkgColor||this.tertiaryColor,this.errorTextColor=this.errorTextColor||this.tertiaryTextColor,this.classText=this.primaryTextColor,this.fillType0=this.primaryColor,this.fillType1=this.secondaryColor,this.fillType2=h(this.primaryColor,{h:64}),this.fillType3=h(this.secondaryColor,{h:64}),this.fillType4=h(this.primaryColor,{h:-64}),this.fillType5=h(this.secondaryColor,{h:-64}),this.fillType6=h(this.primaryColor,{h:128}),this.fillType7=h(this.secondaryColor,{h:128});for(let h=0;h<this.THEME_COLOR_LIMIT;h++)this["pie"+h]=this["cScale"+h];this.pie12=this.pie0,this.pieTitleTextSize=this.pieTitleTextSize||"25px",this.pieTitleTextColor=this.pieTitleTextColor||this.taskTextDarkColor,this.pieSectionTextSize=this.pieSectionTextSize||"17px",this.pieSectionTextColor=this.pieSectionTextColor||this.textColor,this.pieLegendTextSize=this.pieLegendTextSize||"17px",this.pieLegendTextColor=this.pieLegendTextColor||this.taskTextDarkColor,this.pieStrokeColor=this.pieStrokeColor||"black",this.pieStrokeWidth=this.pieStrokeWidth||"2px",this.pieOuterStrokeWidth=this.pieOuterStrokeWidth||"2px",this.pieOuterStrokeColor=this.pieOuterStrokeColor||"black",this.pieOpacity=this.pieOpacity||"0.7",this.quadrant1Fill=this.quadrant1Fill||this.primaryColor,this.quadrant2Fill=this.quadrant2Fill||h(this.primaryColor,{r:5,g:5,b:5}),this.quadrant3Fill=this.quadrant3Fill||h(this.primaryColor,{r:10,g:10,b:10}),this.quadrant4Fill=this.quadrant4Fill||h(this.primaryColor,{r:15,g:15,b:15}),this.quadrant1TextFill=this.quadrant1TextFill||this.primaryTextColor,this.quadrant2TextFill=this.quadrant2TextFill||h(this.primaryTextColor,{r:-5,g:-5,b:-5}),this.quadrant3TextFill=this.quadrant3TextFill||h(this.primaryTextColor,{r:-10,g:-10,b:-10}),this.quadrant4TextFill=this.quadrant4TextFill||h(this.primaryTextColor,{r:-15,g:-15,b:-15}),this.quadrantPointFill=this.quadrantPointFill||(0,m.Z)(this.quadrant1Fill)?(0,g.Z)(this.quadrant1Fill):(0,p.Z)(this.quadrant1Fill),this.quadrantPointTextFill=this.quadrantPointTextFill||this.primaryTextColor,this.quadrantXAxisTextFill=this.quadrantXAxisTextFill||this.primaryTextColor,this.quadrantYAxisTextFill=this.quadrantYAxisTextFill||this.primaryTextColor,this.quadrantInternalBorderStrokeFill=this.quadrantInternalBorderStrokeFill||this.primaryBorderColor,this.quadrantExternalBorderStrokeFill=this.quadrantExternalBorderStrokeFill||this.primaryBorderColor,this.quadrantTitleFill=this.quadrantTitleFill||this.primaryTextColor,this.xyChart={backgroundColor:(null==(t=this.xyChart)?void 0:t.backgroundColor)||this.background,titleColor:(null==(e=this.xyChart)?void 0:e.titleColor)||this.primaryTextColor,xAxisTitleColor:(null==(i=this.xyChart)?void 0:i.xAxisTitleColor)||this.primaryTextColor,xAxisLabelColor:(null==(r=this.xyChart)?void 0:r.xAxisLabelColor)||this.primaryTextColor,xAxisTickColor:(null==(n=this.xyChart)?void 0:n.xAxisTickColor)||this.primaryTextColor,xAxisLineColor:(null==(o=this.xyChart)?void 0:o.xAxisLineColor)||this.primaryTextColor,yAxisTitleColor:(null==(a=this.xyChart)?void 0:a.yAxisTitleColor)||this.primaryTextColor,yAxisLabelColor:(null==(s=this.xyChart)?void 0:s.yAxisLabelColor)||this.primaryTextColor,yAxisTickColor:(null==(l=this.xyChart)?void 0:l.yAxisTickColor)||this.primaryTextColor,yAxisLineColor:(null==(c=this.xyChart)?void 0:c.yAxisLineColor)||this.primaryTextColor,plotColorPalette:(null==(u=this.xyChart)?void 0:u.plotColorPalette)||"#EEE,#6BB8E4,#8ACB88,#C7ACD6,#E8DCC2,#FFB2A8,#FFF380,#7E8D91,#FFD8B1,#FAF3E0"},this.requirementBackground=this.requirementBackground||this.primaryColor,this.requirementBorderColor=this.requirementBorderColor||this.primaryBorderColor,this.requirementBorderSize=this.requirementBorderSize||"1",this.requirementTextColor=this.requirementTextColor||this.primaryTextColor,this.relationColor=this.relationColor||this.lineColor,this.relationLabelBackground=this.relationLabelBackground||this.edgeLabelBackground,this.relationLabelColor=this.relationLabelColor||this.actorTextColor,this.git0=(0,p.Z)(this.pie1,25)||this.primaryColor,this.git1=this.pie2||this.secondaryColor,this.git2=this.pie3||this.tertiaryColor,this.git3=this.pie4||h(this.primaryColor,{h:-30}),this.git4=this.pie5||h(this.primaryColor,{h:-60}),this.git5=this.pie6||h(this.primaryColor,{h:-90}),this.git6=this.pie7||h(this.primaryColor,{h:60}),this.git7=this.pie8||h(this.primaryColor,{h:120}),this.gitInv0=this.gitInv0||f(this.git0),this.gitInv1=this.gitInv1||f(this.git1),this.gitInv2=this.gitInv2||f(this.git2),this.gitInv3=this.gitInv3||f(this.git3),this.gitInv4=this.gitInv4||f(this.git4),this.gitInv5=this.gitInv5||f(this.git5),this.gitInv6=this.gitInv6||f(this.git6),this.gitInv7=this.gitInv7||f(this.git7),this.branchLabelColor=this.branchLabelColor||this.labelTextColor,this.gitBranchLabel0=this.branchLabelColor,this.gitBranchLabel1="white",this.gitBranchLabel2=this.branchLabelColor,this.gitBranchLabel3="white",this.gitBranchLabel4=this.branchLabelColor,this.gitBranchLabel5=this.branchLabelColor,this.gitBranchLabel6=this.branchLabelColor,this.gitBranchLabel7=this.branchLabelColor,this.tagLabelColor=this.tagLabelColor||this.primaryTextColor,this.tagLabelBackground=this.tagLabelBackground||this.primaryColor,this.tagLabelBorder=this.tagBorder||this.primaryBorderColor,this.tagLabelFontSize=this.tagLabelFontSize||"10px",this.commitLabelColor=this.commitLabelColor||this.secondaryTextColor,this.commitLabelBackground=this.commitLabelBackground||this.secondaryColor,this.commitLabelFontSize=this.commitLabelFontSize||"10px",this.attributeBackgroundColorOdd=this.attributeBackgroundColorOdd||kt,this.attributeBackgroundColorEven=this.attributeBackgroundColorEven||Tt}calculate(t){if("object"!=typeof t)return void this.updateColors();const e=Object.keys(t);e.forEach((e=>{this[e]=t[e]})),this.updateColors(),e.forEach((e=>{this[e]=t[e]}))}}const Mt={base:{getThemeVariables:t=>{const e=new wt;return e.calculate(t),e}},dark:{getThemeVariables:t=>{const e=new St;return e.calculate(t),e}},default:{getThemeVariables:Ft},forest:{getThemeVariables:t=>{const e=new Lt;return e.calculate(t),e}},neutral:{getThemeVariables:t=>{const e=new At;return e.calculate(t),e}}},Et={flowchart:{useMaxWidth:!0,titleTopMargin:25,diagramPadding:8,htmlLabels:!0,nodeSpacing:50,rankSpacing:50,curve:"basis",padding:15,defaultRenderer:"dagre-wrapper",wrappingWidth:200},sequence:{useMaxWidth:!0,hideUnusedParticipants:!1,activationWidth:10,diagramMarginX:50,diagramMarginY:10,actorMargin:50,width:150,height:65,boxMargin:10,boxTextMargin:5,noteMargin:10,messageMargin:35,messageAlign:"center",mirrorActors:!0,forceMenus:!1,bottomMarginAdj:1,rightAngles:!1,showSequenceNumbers:!1,actorFontSize:14,actorFontFamily:'"Open Sans", sans-serif',actorFontWeight:400,noteFontSize:14,noteFontFamily:'"trebuchet ms", verdana, arial, sans-serif',noteFontWeight:400,noteAlign:"center",messageFontSize:16,messageFontFamily:'"trebuchet ms", verdana, arial, sans-serif',messageFontWeight:400,wrap:!1,wrapPadding:10,labelBoxWidth:50,labelBoxHeight:20},gantt:{useMaxWidth:!0,titleTopMargin:25,barHeight:20,barGap:4,topPadding:50,rightPadding:75,leftPadding:75,gridLineStartPadding:35,fontSize:11,sectionFontSize:11,numberSectionStyles:4,axisFormat:"%Y-%m-%d",topAxis:!1,displayMode:"",weekday:"sunday"},journey:{useMaxWidth:!0,diagramMarginX:50,diagramMarginY:10,leftMargin:150,width:150,height:50,boxMargin:10,boxTextMargin:5,noteMargin:10,messageMargin:35,messageAlign:"center",bottomMarginAdj:1,rightAngles:!1,taskFontSize:14,taskFontFamily:'"Open Sans", sans-serif',taskMargin:50,activationWidth:10,textPlacement:"fo",actorColours:["#8FBC8F","#7CFC00","#00FFFF","#20B2AA","#B0E0E6","#FFFFE0"],sectionFills:["#191970","#8B008B","#4B0082","#2F4F4F","#800000","#8B4513","#00008B"],sectionColours:["#fff"]},class:{useMaxWidth:!0,titleTopMargin:25,arrowMarkerAbsolute:!1,dividerMargin:10,padding:5,textHeight:10,defaultRenderer:"dagre-wrapper",htmlLabels:!1},state:{useMaxWidth:!0,titleTopMargin:25,dividerMargin:10,sizeUnit:5,padding:8,textHeight:10,titleShift:-15,noteMargin:10,forkWidth:70,forkHeight:7,miniPadding:2,fontSizeFactor:5.02,fontSize:24,labelHeight:16,edgeLengthFactor:"20",compositTitleSize:35,radius:5,defaultRenderer:"dagre-wrapper"},er:{useMaxWidth:!0,titleTopMargin:25,diagramPadding:20,layoutDirection:"TB",minEntityWidth:100,minEntityHeight:75,entityPadding:15,stroke:"gray",fill:"honeydew",fontSize:12},pie:{useMaxWidth:!0,textPosition:.75},quadrantChart:{useMaxWidth:!0,chartWidth:500,chartHeight:500,titleFontSize:20,titlePadding:10,quadrantPadding:5,xAxisLabelPadding:5,yAxisLabelPadding:5,xAxisLabelFontSize:16,yAxisLabelFontSize:16,quadrantLabelFontSize:16,quadrantTextTopPadding:5,pointTextPadding:5,pointLabelFontSize:12,pointRadius:5,xAxisPosition:"top",yAxisPosition:"left",quadrantInternalBorderStrokeWidth:1,quadrantExternalBorderStrokeWidth:2},xyChart:{useMaxWidth:!0,width:700,height:500,titleFontSize:20,titlePadding:10,showTitle:!0,xAxis:{$ref:"#/$defs/XYChartAxisConfig",showLabel:!0,labelFontSize:14,labelPadding:5,showTitle:!0,titleFontSize:16,titlePadding:5,showTick:!0,tickLength:5,tickWidth:2,showAxisLine:!0,axisLineWidth:2},yAxis:{$ref:"#/$defs/XYChartAxisConfig",showLabel:!0,labelFontSize:14,labelPadding:5,showTitle:!0,titleFontSize:16,titlePadding:5,showTick:!0,tickLength:5,tickWidth:2,showAxisLine:!0,axisLineWidth:2},chartOrientation:"vertical",plotReservedSpacePercent:50},requirement:{useMaxWidth:!0,rect_fill:"#f9f9f9",text_color:"#333",rect_border_size:"0.5px",rect_border_color:"#bbb",rect_min_width:200,rect_min_height:200,fontSize:14,rect_padding:10,line_height:20},mindmap:{useMaxWidth:!0,padding:10,maxNodeWidth:200},timeline:{useMaxWidth:!0,diagramMarginX:50,diagramMarginY:10,leftMargin:150,width:150,height:50,boxMargin:10,boxTextMargin:5,noteMargin:10,messageMargin:35,messageAlign:"center",bottomMarginAdj:1,rightAngles:!1,taskFontSize:14,taskFontFamily:'"Open Sans", sans-serif',taskMargin:50,activationWidth:10,textPlacement:"fo",actorColours:["#8FBC8F","#7CFC00","#00FFFF","#20B2AA","#B0E0E6","#FFFFE0"],sectionFills:["#191970","#8B008B","#4B0082","#2F4F4F","#800000","#8B4513","#00008B"],sectionColours:["#fff"],disableMulticolor:!1},gitGraph:{useMaxWidth:!0,titleTopMargin:25,diagramPadding:8,nodeLabel:{width:75,height:100,x:-25,y:0},mainBranchName:"main",mainBranchOrder:0,showCommitLabel:!0,showBranches:!0,rotateCommitLabel:!0,arrowMarkerAbsolute:!1},c4:{useMaxWidth:!0,diagramMarginX:50,diagramMarginY:10,c4ShapeMargin:50,c4ShapePadding:20,width:216,height:60,boxMargin:10,c4ShapeInRow:4,nextLinePaddingX:0,c4BoundaryInRow:2,personFontSize:14,personFontFamily:'"Open Sans", sans-serif',personFontWeight:"normal",external_personFontSize:14,external_personFontFamily:'"Open Sans", sans-serif',external_personFontWeight:"normal",systemFontSize:14,systemFontFamily:'"Open Sans", sans-serif',systemFontWeight:"normal",external_systemFontSize:14,external_systemFontFamily:'"Open Sans", sans-serif',external_systemFontWeight:"normal",system_dbFontSize:14,system_dbFontFamily:'"Open Sans", sans-serif',system_dbFontWeight:"normal",external_system_dbFontSize:14,external_system_dbFontFamily:'"Open Sans", sans-serif',external_system_dbFontWeight:"normal",system_queueFontSize:14,system_queueFontFamily:'"Open Sans", sans-serif',system_queueFontWeight:"normal",external_system_queueFontSize:14,external_system_queueFontFamily:'"Open Sans", sans-serif',external_system_queueFontWeight:"normal",boundaryFontSize:14,boundaryFontFamily:'"Open Sans", sans-serif',boundaryFontWeight:"normal",messageFontSize:12,messageFontFamily:'"Open Sans", sans-serif',messageFontWeight:"normal",containerFontSize:14,containerFontFamily:'"Open Sans", sans-serif',containerFontWeight:"normal",external_containerFontSize:14,external_containerFontFamily:'"Open Sans", sans-serif',external_containerFontWeight:"normal",container_dbFontSize:14,container_dbFontFamily:'"Open Sans", sans-serif',container_dbFontWeight:"normal",external_container_dbFontSize:14,external_container_dbFontFamily:'"Open Sans", sans-serif',external_container_dbFontWeight:"normal",container_queueFontSize:14,container_queueFontFamily:'"Open Sans", sans-serif',container_queueFontWeight:"normal",external_container_queueFontSize:14,external_container_queueFontFamily:'"Open Sans", sans-serif',external_container_queueFontWeight:"normal",componentFontSize:14,componentFontFamily:'"Open Sans", sans-serif',componentFontWeight:"normal",external_componentFontSize:14,external_componentFontFamily:'"Open Sans", sans-serif',external_componentFontWeight:"normal",component_dbFontSize:14,component_dbFontFamily:'"Open Sans", sans-serif',component_dbFontWeight:"normal",external_component_dbFontSize:14,external_component_dbFontFamily:'"Open Sans", sans-serif',external_component_dbFontWeight:"normal",component_queueFontSize:14,component_queueFontFamily:'"Open Sans", sans-serif',component_queueFontWeight:"normal",external_component_queueFontSize:14,external_component_queueFontFamily:'"Open Sans", sans-serif',external_component_queueFontWeight:"normal",wrap:!0,wrapPadding:10,person_bg_color:"#08427B",person_border_color:"#073B6F",external_person_bg_color:"#686868",external_person_border_color:"#8A8A8A",system_bg_color:"#1168BD",system_border_color:"#3C7FC0",system_db_bg_color:"#1168BD",system_db_border_color:"#3C7FC0",system_queue_bg_color:"#1168BD",system_queue_border_color:"#3C7FC0",external_system_bg_color:"#999999",external_system_border_color:"#8A8A8A",external_system_db_bg_color:"#999999",external_system_db_border_color:"#8A8A8A",external_system_queue_bg_color:"#999999",external_system_queue_border_color:"#8A8A8A",container_bg_color:"#438DD5",container_border_color:"#3C7FC0",container_db_bg_color:"#438DD5",container_db_border_color:"#3C7FC0",container_queue_bg_color:"#438DD5",container_queue_border_color:"#3C7FC0",external_container_bg_color:"#B3B3B3",external_container_border_color:"#A6A6A6",external_container_db_bg_color:"#B3B3B3",external_container_db_border_color:"#A6A6A6",external_container_queue_bg_color:"#B3B3B3",external_container_queue_border_color:"#A6A6A6",component_bg_color:"#85BBF0",component_border_color:"#78A8D8",component_db_bg_color:"#85BBF0",component_db_border_color:"#78A8D8",component_queue_bg_color:"#85BBF0",component_queue_border_color:"#78A8D8",external_component_bg_color:"#CCCCCC",external_component_border_color:"#BFBFBF",external_component_db_bg_color:"#CCCCCC",external_component_db_border_color:"#BFBFBF",external_component_queue_bg_color:"#CCCCCC",external_component_queue_border_color:"#BFBFBF"},sankey:{useMaxWidth:!0,width:600,height:400,linkColor:"gradient",nodeAlignment:"justify",showValues:!0,prefix:"",suffix:""},theme:"default",maxTextSize:5e4,darkMode:!1,fontFamily:'"trebuchet ms", verdana, arial, sans-serif;',logLevel:5,securityLevel:"strict",startOnLoad:!0,arrowMarkerAbsolute:!1,secure:["secure","securityLevel","startOnLoad","maxTextSize"],deterministicIds:!1,fontSize:16},Nt={...Et,deterministicIDSeed:void 0,themeCSS:void 0,themeVariables:Mt.default.getThemeVariables(),sequence:{...Et.sequence,messageFont:function(){return{fontFamily:this.messageFontFamily,fontSize:this.messageFontSize,fontWeight:this.messageFontWeight}},noteFont:function(){return{fontFamily:this.noteFontFamily,fontSize:this.noteFontSize,fontWeight:this.noteFontWeight}},actorFont:function(){return{fontFamily:this.actorFontFamily,fontSize:this.actorFontSize,fontWeight:this.actorFontWeight}}},gantt:{...Et.gantt,tickInterval:void 0,useWidth:void 0},c4:{...Et.c4,useWidth:void 0,personFont:function(){return{fontFamily:this.personFontFamily,fontSize:this.personFontSize,fontWeight:this.personFontWeight}},external_personFont:function(){return{fontFamily:this.external_personFontFamily,fontSize:this.external_personFontSize,fontWeight:this.external_personFontWeight}},systemFont:function(){return{fontFamily:this.systemFontFamily,fontSize:this.systemFontSize,fontWeight:this.systemFontWeight}},external_systemFont:function(){return{fontFamily:this.external_systemFontFamily,fontSize:this.external_systemFontSize,fontWeight:this.external_systemFontWeight}},system_dbFont:function(){return{fontFamily:this.system_dbFontFamily,fontSize:this.system_dbFontSize,fontWeight:this.system_dbFontWeight}},external_system_dbFont:function(){return{fontFamily:this.external_system_dbFontFamily,fontSize:this.external_system_dbFontSize,fontWeight:this.external_system_dbFontWeight}},system_queueFont:function(){return{fontFamily:this.system_queueFontFamily,fontSize:this.system_queueFontSize,fontWeight:this.system_queueFontWeight}},external_system_queueFont:function(){return{fontFamily:this.external_system_queueFontFamily,fontSize:this.external_system_queueFontSize,fontWeight:this.external_system_queueFontWeight}},containerFont:function(){return{fontFamily:this.containerFontFamily,fontSize:this.containerFontSize,fontWeight:this.containerFontWeight}},external_containerFont:function(){return{fontFamily:this.external_containerFontFamily,fontSize:this.external_containerFontSize,fontWeight:this.external_containerFontWeight}},container_dbFont:function(){return{fontFamily:this.container_dbFontFamily,fontSize:this.container_dbFontSize,fontWeight:this.container_dbFontWeight}},external_container_dbFont:function(){return{fontFamily:this.external_container_dbFontFamily,fontSize:this.external_container_dbFontSize,fontWeight:this.external_container_dbFontWeight}},container_queueFont:function(){return{fontFamily:this.container_queueFontFamily,fontSize:this.container_queueFontSize,fontWeight:this.container_queueFontWeight}},external_container_queueFont:function(){return{fontFamily:this.external_container_queueFontFamily,fontSize:this.external_container_queueFontSize,fontWeight:this.external_container_queueFontWeight}},componentFont:function(){return{fontFamily:this.componentFontFamily,fontSize:this.componentFontSize,fontWeight:this.componentFontWeight}},external_componentFont:function(){return{fontFamily:this.external_componentFontFamily,fontSize:this.external_componentFontSize,fontWeight:this.external_componentFontWeight}},component_dbFont:function(){return{fontFamily:this.component_dbFontFamily,fontSize:this.component_dbFontSize,fontWeight:this.component_dbFontWeight}},external_component_dbFont:function(){return{fontFamily:this.external_component_dbFontFamily,fontSize:this.external_component_dbFontSize,fontWeight:this.external_component_dbFontWeight}},component_queueFont:function(){return{fontFamily:this.component_queueFontFamily,fontSize:this.component_queueFontSize,fontWeight:this.component_queueFontWeight}},external_component_queueFont:function(){return{fontFamily:this.external_component_queueFontFamily,fontSize:this.external_component_queueFontSize,fontWeight:this.external_component_queueFontWeight}},boundaryFont:function(){return{fontFamily:this.boundaryFontFamily,fontSize:this.boundaryFontSize,fontWeight:this.boundaryFontWeight}},messageFont:function(){return{fontFamily:this.messageFontFamily,fontSize:this.messageFontSize,fontWeight:this.messageFontWeight}}},pie:{...Et.pie,useWidth:984},xyChart:{...Et.xyChart,useWidth:void 0},requirement:{...Et.requirement,useWidth:void 0},gitGraph:{...Et.gitGraph,useMaxWidth:!1},sankey:{...Et.sankey,useMaxWidth:!1}},Zt=(t,e="")=>Object.keys(t).reduce(((i,r)=>Array.isArray(t[r])?i:"object"==typeof t[r]&&null!==t[r]?[...i,e+r,...Zt(t[r],"")]:[...i,e+r]),[]),jt=new Set(Zt(Nt,"")),It=Nt,Ot=t=>{if(st.debug("sanitizeDirective called with",t),"object"==typeof t&&null!=t)if(Array.isArray(t))t.forEach((t=>Ot(t)));else{for(const e of Object.keys(t)){if(st.debug("Checking key",e),e.startsWith("__")||e.includes("proto")||e.includes("constr")||!jt.has(e)||null==t[e]){st.debug("sanitize deleting key: ",e),delete t[e];continue}if("object"==typeof t[e]){st.debug("sanitizing object",e),Ot(t[e]);continue}const i=["themeCSS","fontFamily","altFontFamily"];for(const r of i)e.includes(r)&&(st.debug("sanitizing css option",e),t[e]=Dt(t[e]))}if(t.themeVariables)for(const e of Object.keys(t.themeVariables)){const i=t.themeVariables[e];(null==i?void 0:i.match)&&!i.match(/^[\d "#%(),.;A-Za-z]+$/)&&(t.themeVariables[e]="")}st.debug("After sanitization",t)}},Dt=t=>{let e=0,i=0;for(const r of t){if(e<i)return"{ /* ERROR: Unbalanced CSS */ }";"{"===r?e++:"}"===r&&i++}return e!==i?"{ /* ERROR: Unbalanced CSS */ }":t},qt=/^-{3}\s*[\n\r](.*?)[\n\r]-{3}\s*[\n\r]+/s,$t=/%{2}{\s*(?:(\w+)\s*:|(\w+))\s*(?:(\w+)|((?:(?!}%{2}).|\r?\n)*))?\s*(?:}%{2})?/gi,zt=/\s*%%.*\n/gm;class Pt extends Error{constructor(t){super(t),this.name="UnknownDiagramError"}}const Rt={},Ht=function(t,e){t=t.replace(qt,"").replace($t,"").replace(zt,"\n");for(const[i,{detector:r}]of Object.entries(Rt)){if(r(t,e))return i}throw new Pt(`No diagram type detected matching given configuration for text: ${t}`)},Wt=(...t)=>{for(const{id:e,detector:i,loader:r}of t)Ut(e,i,r)},Ut=(t,e,i)=>{Rt[t]?st.error(`Detector with key ${t} already exists`):Rt[t]={detector:e,loader:i},st.debug(`Detector with key ${t} added${i?" with loader":""}`)},Yt=(t,e,{depth:i=2,clobber:r=!1}={})=>{const n={depth:i,clobber:r};return Array.isArray(e)&&!Array.isArray(t)?(e.forEach((e=>Yt(t,e,n))),t):Array.isArray(e)&&Array.isArray(t)?(e.forEach((e=>{t.includes(e)||t.push(e)})),t):void 0===t||i<=0?null!=t&&"object"==typeof t&&"object"==typeof e?Object.assign(t,e):e:(void 0!==e&&"object"==typeof t&&"object"==typeof e&&Object.keys(e).forEach((n=>{"object"!=typeof e[n]||void 0!==t[n]&&"object"!=typeof t[n]?(r||"object"!=typeof t[n]&&"object"!=typeof e[n])&&(t[n]=e[n]):(void 0===t[n]&&(t[n]=Array.isArray(e[n])?[]:{}),t[n]=Yt(t[n],e[n],{depth:i-1,clobber:r}))})),t)},Vt=Yt,Gt="\u200b",Xt={curveBasis:a.$0Z,curveBasisClosed:a.Dts,curveBasisOpen:a.WQY,curveBumpX:a.qpX,curveBumpY:a.u93,curveBundle:a.tFB,curveCardinalClosed:a.OvA,curveCardinalOpen:a.dCK,curveCardinal:a.YY7,curveCatmullRomClosed:a.fGX,curveCatmullRomOpen:a.$m7,curveCatmullRom:a.zgE,curveLinear:a.c_6,curveLinearClosed:a.fxm,curveMonotoneX:a.FdL,curveMonotoneY:a.ak_,curveNatural:a.SxZ,curveStep:a.eA_,curveStepAfter:a.jsv,curveStepBefore:a.iJ},Jt=/\s*(?:(\w+)(?=:):|(\w+))\s*(?:(\w+)|((?:(?!}%{2}).|\r?\n)*))?\s*(?:}%{2})?/gi,Qt=function(t,e=null){try{const i=new RegExp(`[%]{2}(?![{]${Jt.source})(?=[}][%]{2}).*\n`,"ig");let r;t=t.trim().replace(i,"").replace(/'/gm,'"'),st.debug(`Detecting diagram directive${null!==e?" type:"+e:""} based on the text:${t}`);const n=[];for(;null!==(r=$t.exec(t));)if(r.index===$t.lastIndex&&$t.lastIndex++,r&&!e||e&&r[1]&&r[1].match(e)||e&&r[2]&&r[2].match(e)){const t=r[1]?r[1]:r[2],e=r[3]?r[3].trim():r[4]?JSON.parse(r[4].trim()):null;n.push({type:t,args:e})}return 0===n.length?{type:t,args:null}:1===n.length?n[0]:n}catch(i){return st.error(`ERROR: ${i.message} - Unable to parse directive type: '${e}' based on the text: '${t}'`),{type:void 0,args:null}}};function Kt(t,e){if(!t)return e;const i=`curve${t.charAt(0).toUpperCase()+t.slice(1)}`;return Xt[i]??e}function te(t,e){return t&&e?Math.sqrt(Math.pow(e.x-t.x,2)+Math.pow(e.y-t.y,2)):0}const ee=(t,e=2)=>{const i=Math.pow(10,e);return Math.round(t*i)/i},ie=(t,e)=>{let i,r=e;for(const n of t){if(i){const t=te(n,i);if(t<r)r-=t;else{const e=r/t;if(e<=0)return i;if(e>=1)return{x:n.x,y:n.y};if(e>0&&e<1)return{x:ee((1-e)*i.x+e*n.x,5),y:ee((1-e)*i.y+e*n.y,5)}}}i=n}throw new Error("Could not find a suitable point for the given distance")};function re(t){let e="",i="";for(const r of t)void 0!==r&&(r.startsWith("color:")||r.startsWith("text-align:")?i=i+r+";":e=e+r+";");return{style:e,labelStyle:i}}let ne=0;const oe=()=>(ne++,"id-"+Math.random().toString(36).substr(2,12)+"-"+ne);const ae=t=>function(t){let e="";const i="0123456789abcdef";for(let r=0;r<t;r++)e+=i.charAt(Math.floor(16*Math.random()));return e}(t.length),se=function(t,e){const i=e.text.replace(_t.lineBreakRegex," "),[,r]=ge(e.fontSize),n=t.append("text");n.attr("x",e.x),n.attr("y",e.y),n.style("text-anchor",e.anchor),n.style("font-family",e.fontFamily),n.style("font-size",r),n.style("font-weight",e.fontWeight),n.attr("fill",e.fill),void 0!==e.class&&n.attr("class",e.class);const o=n.append("tspan");return o.attr("x",e.x+2*e.textMargin),o.attr("fill",e.fill),o.text(i),n},le=(0,y.Z)(((t,e,i)=>{if(!t)return t;if(i=Object.assign({fontSize:12,fontWeight:400,fontFamily:"Arial",joinWith:"<br/>"},i),_t.lineBreakRegex.test(t))return t;const r=t.split(" "),n=[];let o="";return r.forEach(((t,a)=>{const s=ue(`${t} `,i),l=ue(o,i);if(s>e){const{hyphenatedStrings:r,remainingWord:a}=ce(t,e,"-",i);n.push(o,...r),o=a}else l+s>=e?(n.push(o),o=t):o=[o,t].filter(Boolean).join(" ");a+1===r.length&&n.push(o)})),n.filter((t=>""!==t)).join(i.joinWith)}),((t,e,i)=>`${t}${e}${i.fontSize}${i.fontWeight}${i.fontFamily}${i.joinWith}`)),ce=(0,y.Z)(((t,e,i="-",r)=>{r=Object.assign({fontSize:12,fontWeight:400,fontFamily:"Arial",margin:0},r);const n=[...t],o=[];let a="";return n.forEach(((t,s)=>{const l=`${a}${t}`;if(ue(l,r)>=e){const t=s+1,e=n.length===t,r=`${l}${i}`;o.push(e?l:r),a=""}else a=l})),{hyphenatedStrings:o,remainingWord:a}}),((t,e,i="-",r)=>`${t}${e}${i}${r.fontSize}${r.fontWeight}${r.fontFamily}`));function he(t,e){return de(t,e).height}function ue(t,e){return de(t,e).width}const de=(0,y.Z)(((t,e)=>{const{fontSize:i=12,fontFamily:r="Arial",fontWeight:n=400}=e;if(!t)return{width:0,height:0};const[,o]=ge(i),s=["sans-serif",r],l=t.split(_t.lineBreakRegex),c=[],h=(0,a.Ys)("body");if(!h.remove)return{width:0,height:0,lineHeight:0};const u=h.append("svg");for(const a of s){let t=0;const e={width:0,height:0,lineHeight:0};for(const i of l){const r={x:0,y:0,fill:void 0,anchor:"start",style:"#666",width:100,height:100,textMargin:0,rx:0,ry:0,valign:void 0,text:""};r.text=i||Gt;const s=se(u,r).style("font-size",o).style("font-weight",n).style("font-family",a),l=(s._groups||s)[0][0].getBBox();if(0===l.width&&0===l.height)throw new Error("svg element not in render tree");e.width=Math.round(Math.max(e.width,l.width)),t=Math.round(l.height),e.height+=t,e.lineHeight=Math.round(Math.max(e.lineHeight,t))}c.push(e)}u.remove();return c[isNaN(c[1].height)||isNaN(c[1].width)||isNaN(c[1].lineHeight)||c[0].height>c[1].height&&c[0].width>c[1].width&&c[0].lineHeight>c[1].lineHeight?0:1]}),((t,e)=>`${t}${e.fontSize}${e.fontWeight}${e.fontFamily}`));let fe;function pe(t){return"str"in t}const ge=t=>{if("number"==typeof t)return[t,t+"px"];const e=parseInt(t??"",10);return Number.isNaN(e)?[void 0,void 0]:t===String(e)?[e,t+"px"]:[e,t]};function me(t,e){return(0,x.Z)({},t,e)}const ye={assignWithDepth:Vt,wrapLabel:le,calculateTextHeight:he,calculateTextWidth:ue,calculateTextDimensions:de,cleanAndMerge:me,detectInit:function(t,e){const i=Qt(t,/(?:init\b)|(?:initialize\b)/);let r={};if(Array.isArray(i)){const t=i.map((t=>t.args));Ot(t),r=Vt(r,[...t])}else r=i.args;if(!r)return;let n=Ht(t,e);const o="config";return void 0!==r[o]&&("flowchart-v2"===n&&(n="flowchart"),r[n]=r[o],delete r[o]),r},detectDirective:Qt,isSubstringInArray:function(t,e){for(const[i,r]of e.entries())if(r.match(t))return i;return-1},interpolateToCurve:Kt,calcLabelPosition:function(t){return 1===t.length?t[0]:function(t){let e,i=0;return t.forEach((t=>{i+=te(t,e),e=t})),ie(t,i/2)}(t)},calcCardinalityPosition:(t,e,i)=>{st.info(`our points ${JSON.stringify(e)}`),e[0]!==i&&(e=e.reverse());const r=ie(e,25),n=t?10:5,o=Math.atan2(e[0].y-r.y,e[0].x-r.x),a={x:0,y:0};return a.x=Math.sin(o)*n+(e[0].x+r.x)/2,a.y=-Math.cos(o)*n+(e[0].y+r.y)/2,a},calcTerminalLabelPosition:function(t,e,i){const r=structuredClone(i);st.info("our points",r),"start_left"!==e&&"start_right"!==e&&r.reverse();const n=ie(r,25+t),o=10+.5*t,a=Math.atan2(r[0].y-n.y,r[0].x-n.x),s={x:0,y:0};return"start_left"===e?(s.x=Math.sin(a+Math.PI)*o+(r[0].x+n.x)/2,s.y=-Math.cos(a+Math.PI)*o+(r[0].y+n.y)/2):"end_right"===e?(s.x=Math.sin(a-Math.PI)*o+(r[0].x+n.x)/2-5,s.y=-Math.cos(a-Math.PI)*o+(r[0].y+n.y)/2-5):"end_left"===e?(s.x=Math.sin(a)*o+(r[0].x+n.x)/2-5,s.y=-Math.cos(a)*o+(r[0].y+n.y)/2-5):(s.x=Math.sin(a)*o+(r[0].x+n.x)/2,s.y=-Math.cos(a)*o+(r[0].y+n.y)/2),s},formatUrl:function(t,e){const i=t.trim();if(i)return"loose"!==e.securityLevel?(0,o.Nm)(i):i},getStylesFromArray:re,generateId:oe,random:ae,runFunc:(t,...e)=>{const i=t.split("."),r=i.length-1,n=i[r];let o=window;for(let a=0;a<r;a++)if(o=o[i[a]],!o)return void st.error(`Function name: ${t} not found in window`);o[n](...e)},entityDecode:function(t){return fe=fe||document.createElement("div"),t=escape(t).replace(/%26/g,"&").replace(/%23/g,"#").replace(/%3B/g,";"),fe.innerHTML=t,unescape(fe.textContent)},insertTitle:(t,e,i,r)=>{var n;if(!r)return;const o=null==(n=t.node())?void 0:n.getBBox();o&&t.append("text").text(r).attr("x",o.x+o.width/2).attr("y",-i).attr("class",e)},parseFontSize:ge,InitIDGenerator:class{constructor(t=!1,e){this.count=0,this.count=e?e.length:0,this.next=t?()=>this.count++:()=>Date.now()}}},xe="10.6.1",be=Object.freeze(It);let Ce,_e=Vt({},be),ve=[],ke=Vt({},be);const Te=(t,e)=>{let i=Vt({},t),r={};for(const n of e)Fe(n),r=Vt(r,n);if(i=Vt(i,r),r.theme&&r.theme in Mt){const t=Vt({},Ce),e=Vt(t.themeVariables||{},r.themeVariables);i.theme&&i.theme in Mt&&(i.themeVariables=Mt[i.theme].getThemeVariables(e))}return ke=i,Ne(ke),ke},we=()=>Vt({},_e),Se=t=>(Ne(t),Vt(ke,t),Be()),Be=()=>Vt({},ke),Fe=t=>{t&&(["secure",..._e.secure??[]].forEach((e=>{Object.hasOwn(t,e)&&(st.debug(`Denied attempt to modify a secure key ${e}`,t[e]),delete t[e])})),Object.keys(t).forEach((e=>{e.startsWith("__")&&delete t[e]})),Object.keys(t).forEach((e=>{"string"==typeof t[e]&&(t[e].includes("<")||t[e].includes(">")||t[e].includes("url(data:"))&&delete t[e],"object"==typeof t[e]&&Fe(t[e])})))},Le=t=>{Ot(t),!t.fontFamily||t.themeVariables&&t.themeVariables.fontFamily||(t.themeVariables={fontFamily:t.fontFamily}),ve.push(t),Te(_e,ve)},Ae=(t=_e)=>{ve=[],Te(t,ve)},Me={LAZY_LOAD_DEPRECATED:"The configuration options lazyLoadedDiagrams and loadExternalDiagramsAtStartup are deprecated. Please use registerExternalDiagrams instead."},Ee={},Ne=t=>{var e;t&&((t.lazyLoadedDiagrams||t.loadExternalDiagramsAtStartup)&&(Ee[e="LAZY_LOAD_DEPRECATED"]||(st.warn(Me[e]),Ee[e]=!0)))},Ze={id:"c4",detector:t=>/^\s*C4Context|C4Container|C4Component|C4Dynamic|C4Deployment/.test(t),loader:async()=>{const{diagram:t}=await i.e(132).then(i.bind(i,132));return{id:"c4",diagram:t}}},je="flowchart",Ie={id:je,detector:(t,e)=>{var i,r;return"dagre-wrapper"!==(null==(i=null==e?void 0:e.flowchart)?void 0:i.defaultRenderer)&&"elk"!==(null==(r=null==e?void 0:e.flowchart)?void 0:r.defaultRenderer)&&/^\s*graph/.test(t)},loader:async()=>{const{diagram:t}=await Promise.all([i.e(1644),i.e(3076),i.e(5269),i.e(7936),i.e(8955),i.e(1763)]).then(i.bind(i,1763));return{id:je,diagram:t}}},Oe="flowchart-v2",De={id:Oe,detector:(t,e)=>{var i,r,n;return"dagre-d3"!==(null==(i=null==e?void 0:e.flowchart)?void 0:i.defaultRenderer)&&"elk"!==(null==(r=null==e?void 0:e.flowchart)?void 0:r.defaultRenderer)&&(!(!/^\s*graph/.test(t)||"dagre-wrapper"!==(null==(n=null==e?void 0:e.flowchart)?void 0:n.defaultRenderer))||/^\s*flowchart/.test(t))},loader:async()=>{const{diagram:t}=await Promise.all([i.e(1644),i.e(3076),i.e(5269),i.e(7936),i.e(8955),i.e(9893)]).then(i.bind(i,9893));return{id:Oe,diagram:t}}},qe={id:"er",detector:t=>/^\s*erDiagram/.test(t),loader:async()=>{const{diagram:t}=await Promise.all([i.e(1644),i.e(3343)]).then(i.bind(i,3343));return{id:"er",diagram:t}}},$e="gitGraph",ze={id:$e,detector:t=>/^\s*gitGraph/.test(t),loader:async()=>{const{diagram:t}=await i.e(3619).then(i.bind(i,3619));return{id:$e,diagram:t}}},Pe="gantt",Re={id:Pe,detector:t=>/^\s*gantt/.test(t),loader:async()=>{const{diagram:t}=await i.e(8016).then(i.bind(i,8016));return{id:Pe,diagram:t}}},He="info",We={id:He,detector:t=>/^\s*info/.test(t),loader:async()=>{const{diagram:t}=await i.e(5326).then(i.bind(i,5326));return{id:He,diagram:t}}},Ue={id:"pie",detector:t=>/^\s*pie/.test(t),loader:async()=>{const{diagram:t}=await i.e(2661).then(i.bind(i,2661));return{id:"pie",diagram:t}}},Ye="quadrantChart",Ve={id:Ye,detector:t=>/^\s*quadrantChart/.test(t),loader:async()=>{const{diagram:t}=await i.e(6648).then(i.bind(i,6648));return{id:Ye,diagram:t}}},Ge="xychart",Xe={id:Ge,detector:t=>/^\s*xychart-beta/.test(t),loader:async()=>{const{diagram:t}=await Promise.all([i.e(3076),i.e(2693)]).then(i.bind(i,8088));return{id:Ge,diagram:t}}},Je="requirement",Qe={id:Je,detector:t=>/^\s*requirement(Diagram)?/.test(t),loader:async()=>{const{diagram:t}=await Promise.all([i.e(1644),i.e(6985)]).then(i.bind(i,6985));return{id:Je,diagram:t}}},Ke="sequence",ti={id:Ke,detector:t=>/^\s*sequenceDiagram/.test(t),loader:async()=>{const{diagram:t}=await i.e(5790).then(i.bind(i,5790));return{id:Ke,diagram:t}}},ei="class",ii={id:ei,detector:(t,e)=>{var i;return"dagre-wrapper"!==(null==(i=null==e?void 0:e.class)?void 0:i.defaultRenderer)&&/^\s*classDiagram/.test(t)},loader:async()=>{const{diagram:t}=await Promise.all([i.e(1644),i.e(4706),i.e(109)]).then(i.bind(i,109));return{id:ei,diagram:t}}},ri="classDiagram",ni={id:ri,detector:(t,e)=>{var i;return!(!/^\s*classDiagram/.test(t)||"dagre-wrapper"!==(null==(i=null==e?void 0:e.class)?void 0:i.defaultRenderer))||/^\s*classDiagram-v2/.test(t)},loader:async()=>{const{diagram:t}=await Promise.all([i.e(1644),i.e(3076),i.e(5269),i.e(7936),i.e(4706),i.e(6255)]).then(i.bind(i,6255));return{id:ri,diagram:t}}},oi="state",ai={id:oi,detector:(t,e)=>{var i;return"dagre-wrapper"!==(null==(i=null==e?void 0:e.state)?void 0:i.defaultRenderer)&&/^\s*stateDiagram/.test(t)},loader:async()=>{const{diagram:t}=await Promise.all([i.e(1644),i.e(1504),i.e(2696)]).then(i.bind(i,2696));return{id:oi,diagram:t}}},si="stateDiagram",li={id:si,detector:(t,e)=>{var i;return!!/^\s*stateDiagram-v2/.test(t)||!(!/^\s*stateDiagram/.test(t)||"dagre-wrapper"!==(null==(i=null==e?void 0:e.state)?void 0:i.defaultRenderer))},loader:async()=>{const{diagram:t}=await Promise.all([i.e(1644),i.e(3076),i.e(5269),i.e(7936),i.e(1504),i.e(5943)]).then(i.bind(i,5943));return{id:si,diagram:t}}},ci="journey",hi={id:ci,detector:t=>/^\s*journey/.test(t),loader:async()=>{const{diagram:t}=await i.e(2183).then(i.bind(i,2183));return{id:ci,diagram:t}}},ui=function(t,e,i,r){const n=function(t,e,i){let r=new Map;return i?(r.set("width","100%"),r.set("style",`max-width: ${e}px;`)):(r.set("height",t),r.set("width",e)),r}(e,i,r);!function(t,e){for(let i of e)t.attr(i[0],i[1])}(t,n)},di=function(t,e,i,r){const n=e.node().getBBox(),o=n.width,a=n.height;st.info(`SVG bounds: ${o}x${a}`,n);let s=0,l=0;st.info(`Graph bounds: ${s}x${l}`,t),s=o+2*i,l=a+2*i,st.info(`Calculated bounds: ${s}x${l}`),ui(e,l,s,r);const c=`${n.x-i} ${n.y-i} ${n.width+2*i} ${n.height+2*i}`;e.attr("viewBox",c)},fi={},pi=(t,e,i)=>{let r="";return t in fi&&fi[t]?r=fi[t](i):st.warn(`No theme found for ${t}`),` & {\n font-family: ${i.fontFamily};\n font-size: ${i.fontSize};\n fill: ${i.textColor}\n }\n\n /* Classes common for multiple diagrams */\n\n & .error-icon {\n fill: ${i.errorBkgColor};\n }\n & .error-text {\n fill: ${i.errorTextColor};\n stroke: ${i.errorTextColor};\n }\n\n & .edge-thickness-normal {\n stroke-width: 2px;\n }\n & .edge-thickness-thick {\n stroke-width: 3.5px\n }\n & .edge-pattern-solid {\n stroke-dasharray: 0;\n }\n\n & .edge-pattern-dashed{\n stroke-dasharray: 3;\n }\n .edge-pattern-dotted {\n stroke-dasharray: 2;\n }\n\n & .marker {\n fill: ${i.lineColor};\n stroke: ${i.lineColor};\n }\n & .marker.cross {\n stroke: ${i.lineColor};\n }\n\n & svg {\n font-family: ${i.fontFamily};\n font-size: ${i.fontSize};\n }\n\n ${r}\n\n ${e}\n`};let gi="",mi="",yi="";const xi=t=>ft(t,Be()),bi=()=>{gi="",yi="",mi=""},Ci=t=>{gi=xi(t).replace(/^\s+/g,"")},_i=()=>gi,vi=t=>{yi=xi(t).replace(/\n\s+/g,"\n")},ki=()=>yi,Ti=t=>{mi=xi(t)},wi=()=>mi,Si=Object.freeze(Object.defineProperty({__proto__:null,clear:bi,getAccDescription:ki,getAccTitle:_i,getDiagramTitle:wi,setAccDescription:vi,setAccTitle:Ci,setDiagramTitle:Ti},Symbol.toStringTag,{value:"Module"})),Bi=st,Fi=lt,Li=Be,Ai=Se,Mi=be,Ei=t=>ft(t,Li()),Ni=di,Zi={},ji=(t,e,i)=>{var r,n,o;if(Zi[t])throw new Error(`Diagram ${t} already registered.`);Zi[t]=e,i&&Ut(t,i),n=t,void 0!==(o=e.styles)&&(fi[n]=o),null==(r=e.injectUtils)||r.call(e,Bi,Fi,Li,Ei,Ni,Si,(()=>{}))},Ii=t=>{if(t in Zi)return Zi[t];throw new Oi(t)};class Oi extends Error{constructor(t){super(`Diagram ${t} not found.`)}}const Di=t=>{var e;const{securityLevel:i}=Li();let r=(0,a.Ys)("body");if("sandbox"===i){const i=(null==(e=(0,a.Ys)(`#i${t}`).node())?void 0:e.contentDocument)??document;r=(0,a.Ys)(i.body)}return r.select(`#${t}`)},qi={draw:(t,e,i)=>{st.debug("renering svg for syntax error\n");const r=Di(e);r.attr("viewBox","0 0 2412 512"),ui(r,100,512,!0);const n=r.append("g");n.append("path").attr("class","error-icon").attr("d","m411.313,123.313c6.25-6.25 6.25-16.375 0-22.625s-16.375-6.25-22.625,0l-32,32-9.375,9.375-20.688-20.688c-12.484-12.5-32.766-12.5-45.25,0l-16,16c-1.261,1.261-2.304,2.648-3.31,4.051-21.739-8.561-45.324-13.426-70.065-13.426-105.867,0-192,86.133-192,192s86.133,192 192,192 192-86.133 192-192c0-24.741-4.864-48.327-13.426-70.065 1.402-1.007 2.79-2.049 4.051-3.31l16-16c12.5-12.492 12.5-32.758 0-45.25l-20.688-20.688 9.375-9.375 32.001-31.999zm-219.313,100.687c-52.938,0-96,43.063-96,96 0,8.836-7.164,16-16,16s-16-7.164-16-16c0-70.578 57.422-128 128-128 8.836,0 16,7.164 16,16s-7.164,16-16,16z"),n.append("path").attr("class","error-icon").attr("d","m459.02,148.98c-6.25-6.25-16.375-6.25-22.625,0s-6.25,16.375 0,22.625l16,16c3.125,3.125 7.219,4.688 11.313,4.688 4.094,0 8.188-1.563 11.313-4.688 6.25-6.25 6.25-16.375 0-22.625l-16.001-16z"),n.append("path").attr("class","error-icon").attr("d","m340.395,75.605c3.125,3.125 7.219,4.688 11.313,4.688 4.094,0 8.188-1.563 11.313-4.688 6.25-6.25 6.25-16.375 0-22.625l-16-16c-6.25-6.25-16.375-6.25-22.625,0s-6.25,16.375 0,22.625l15.999,16z"),n.append("path").attr("class","error-icon").attr("d","m400,64c8.844,0 16-7.164 16-16v-32c0-8.836-7.156-16-16-16-8.844,0-16,7.164-16,16v32c0,8.836 7.156,16 16,16z"),n.append("path").attr("class","error-icon").attr("d","m496,96.586h-32c-8.844,0-16,7.164-16,16 0,8.836 7.156,16 16,16h32c8.844,0 16-7.164 16-16 0-8.836-7.156-16-16-16z"),n.append("path").attr("class","error-icon").attr("d","m436.98,75.605c3.125,3.125 7.219,4.688 11.313,4.688 4.094,0 8.188-1.563 11.313-4.688l32-32c6.25-6.25 6.25-16.375 0-22.625s-16.375-6.25-22.625,0l-32,32c-6.251,6.25-6.251,16.375-0.001,22.625z"),n.append("text").attr("class","error-text").attr("x",1440).attr("y",250).attr("font-size","150px").style("text-anchor","middle").text("Syntax error in text"),n.append("text").attr("class","error-text").attr("x",1250).attr("y",400).attr("font-size","100px").style("text-anchor","middle").text(`mermaid version ${i}`)}},$i=qi,zi={db:{},renderer:qi,parser:{parser:{yy:{}},parse:()=>{}}},Pi="flowchart-elk",Ri={id:Pi,detector:(t,e)=>{var i;return!!(/^\s*flowchart-elk/.test(t)||/^\s*flowchart|graph/.test(t)&&"elk"===(null==(i=null==e?void 0:e.flowchart)?void 0:i.defaultRenderer))},loader:async()=>{const{diagram:t}=await Promise.all([i.e(3076),i.e(5269),i.e(8955),i.e(4238)]).then(i.bind(i,4238));return{id:Pi,diagram:t}}},Hi="timeline",Wi={id:Hi,detector:t=>/^\s*timeline/.test(t),loader:async()=>{const{diagram:t}=await i.e(2700).then(i.bind(i,2700));return{id:Hi,diagram:t}}},Ui="mindmap",Yi={id:Ui,detector:t=>/^\s*mindmap/.test(t),loader:async()=>{const{diagram:t}=await Promise.all([i.e(3076),i.e(9138)]).then(i.bind(i,9138));return{id:Ui,diagram:t}}},Vi="sankey",Gi={id:Vi,detector:t=>/^\s*sankey-beta/.test(t),loader:async()=>{const{diagram:t}=await i.e(6591).then(i.bind(i,240));return{id:Vi,diagram:t}}};let Xi=!1;const Ji=()=>{Xi||(Xi=!0,ji("error",zi,(t=>"error"===t.toLowerCase().trim())),ji("---",{db:{clear:()=>{}},styles:{},renderer:{draw:()=>{}},parser:{parser:{yy:{}},parse:()=>{throw new Error("Diagrams beginning with --- are not valid. If you were trying to use a YAML front-matter, please ensure that you've correctly opened and closed the YAML front-matter with un-indented `---` blocks")}},init:()=>null},(t=>t.toLowerCase().trimStart().startsWith("---"))),Wt(Ze,ni,ii,qe,Re,We,Ue,Qe,ti,Ri,De,Ie,Yi,Wi,ze,li,ai,hi,Ve,Gi,Xe))};class Qi{constructor(t,e={}){this.text=t,this.metadata=e,this.type="graph",this.text+="\n";const i=Be();try{this.type=Ht(t,i)}catch(n){this.type="error",this.detectError=n}const r=Ii(this.type);st.debug("Type "+this.type),this.db=r.db,this.renderer=r.renderer,this.parser=r.parser,this.parser.parser.yy=this.db,this.init=r.init,this.parse()}parse(){var t,e,i,r,n;if(this.detectError)throw this.detectError;null==(e=(t=this.db).clear)||e.call(t);const o=Be();null==(i=this.init)||i.call(this,o),this.metadata.title&&(null==(n=(r=this.db).setDiagramTitle)||n.call(r,this.metadata.title)),this.parser.parse(this.text)}async render(t,e){await this.renderer.draw(this.text,t,e,this)}getParser(){return this.parser}getType(){return this.type}}const Ki=async(t,e={})=>{const i=Ht(t,Be());try{Ii(i)}catch(r){const t=Rt[i].loader;if(!t)throw new Pt(`Diagram ${i} not found.`);const{id:e,diagram:n}=await t();ji(e,n)}return new Qi(t,e)};let tr=[];const er=t=>{tr.push(t)},ir="graphics-document document";const rr=t=>t.replace(/^\s*%%(?!{)[^\n]+\n?/gm,"").trimStart();function nr(t){return null==t}var or={isNothing:nr,isObject:function(t){return"object"==typeof t&&null!==t},toArray:function(t){return Array.isArray(t)?t:nr(t)?[]:[t]},repeat:function(t,e){var i,r="";for(i=0;i<e;i+=1)r+=t;return r},isNegativeZero:function(t){return 0===t&&Number.NEGATIVE_INFINITY===1/t},extend:function(t,e){var i,r,n,o;if(e)for(i=0,r=(o=Object.keys(e)).length;i<r;i+=1)t[n=o[i]]=e[n];return t}};function ar(t,e){var i="",r=t.reason||"(unknown reason)";return t.mark?(t.mark.name&&(i+='in "'+t.mark.name+'" '),i+="("+(t.mark.line+1)+":"+(t.mark.column+1)+")",!e&&t.mark.snippet&&(i+="\n\n"+t.mark.snippet),r+" "+i):r}function sr(t,e){Error.call(this),this.name="YAMLException",this.reason=t,this.mark=e,this.message=ar(this,!1),Error.captureStackTrace?Error.captureStackTrace(this,this.constructor):this.stack=(new Error).stack||""}sr.prototype=Object.create(Error.prototype),sr.prototype.constructor=sr,sr.prototype.toString=function(t){return this.name+": "+ar(this,t)};var lr=sr;function cr(t,e,i,r,n){var o="",a="",s=Math.floor(n/2)-1;return r-e>s&&(e=r-s+(o=" ... ").length),i-r>s&&(i=r+s-(a=" ...").length),{str:o+t.slice(e,i).replace(/\t/g,"\u2192")+a,pos:r-e+o.length}}function hr(t,e){return or.repeat(" ",e-t.length)+t}var ur=function(t,e){if(e=Object.create(e||null),!t.buffer)return null;e.maxLength||(e.maxLength=79),"number"!=typeof e.indent&&(e.indent=1),"number"!=typeof e.linesBefore&&(e.linesBefore=3),"number"!=typeof e.linesAfter&&(e.linesAfter=2);for(var i,r=/\r?\n|\r|\0/g,n=[0],o=[],a=-1;i=r.exec(t.buffer);)o.push(i.index),n.push(i.index+i[0].length),t.position<=i.index&&a<0&&(a=n.length-2);a<0&&(a=n.length-1);var s,l,c="",h=Math.min(t.line+e.linesAfter,o.length).toString().length,u=e.maxLength-(e.indent+h+3);for(s=1;s<=e.linesBefore&&!(a-s<0);s++)l=cr(t.buffer,n[a-s],o[a-s],t.position-(n[a]-n[a-s]),u),c=or.repeat(" ",e.indent)+hr((t.line-s+1).toString(),h)+" | "+l.str+"\n"+c;for(l=cr(t.buffer,n[a],o[a],t.position,u),c+=or.repeat(" ",e.indent)+hr((t.line+1).toString(),h)+" | "+l.str+"\n",c+=or.repeat("-",e.indent+h+3+l.pos)+"^\n",s=1;s<=e.linesAfter&&!(a+s>=o.length);s++)l=cr(t.buffer,n[a+s],o[a+s],t.position-(n[a]-n[a+s]),u),c+=or.repeat(" ",e.indent)+hr((t.line+s+1).toString(),h)+" | "+l.str+"\n";return c.replace(/\n$/,"")},dr=["kind","multi","resolve","construct","instanceOf","predicate","represent","representName","defaultStyle","styleAliases"],fr=["scalar","sequence","mapping"];var pr=function(t,e){var i,r;if(e=e||{},Object.keys(e).forEach((function(e){if(-1===dr.indexOf(e))throw new lr('Unknown option "'+e+'" is met in definition of "'+t+'" YAML type.')})),this.options=e,this.tag=t,this.kind=e.kind||null,this.resolve=e.resolve||function(){return!0},this.construct=e.construct||function(t){return t},this.instanceOf=e.instanceOf||null,this.predicate=e.predicate||null,this.represent=e.represent||null,this.representName=e.representName||null,this.defaultStyle=e.defaultStyle||null,this.multi=e.multi||!1,this.styleAliases=(i=e.styleAliases||null,r={},null!==i&&Object.keys(i).forEach((function(t){i[t].forEach((function(e){r[String(e)]=t}))})),r),-1===fr.indexOf(this.kind))throw new lr('Unknown kind "'+this.kind+'" is specified for "'+t+'" YAML type.')};function gr(t,e){var i=[];return t[e].forEach((function(t){var e=i.length;i.forEach((function(i,r){i.tag===t.tag&&i.kind===t.kind&&i.multi===t.multi&&(e=r)})),i[e]=t})),i}function mr(t){return this.extend(t)}mr.prototype.extend=function(t){var e=[],i=[];if(t instanceof pr)i.push(t);else if(Array.isArray(t))i=i.concat(t);else{if(!t||!Array.isArray(t.implicit)&&!Array.isArray(t.explicit))throw new lr("Schema.extend argument should be a Type, [ Type ], or a schema definition ({ implicit: [...], explicit: [...] })");t.implicit&&(e=e.concat(t.implicit)),t.explicit&&(i=i.concat(t.explicit))}e.forEach((function(t){if(!(t instanceof pr))throw new lr("Specified list of YAML types (or a single Type object) contains a non-Type object.");if(t.loadKind&&"scalar"!==t.loadKind)throw new lr("There is a non-scalar type in the implicit list of a schema. Implicit resolving of such types is not supported.");if(t.multi)throw new lr("There is a multi type in the implicit list of a schema. Multi tags can only be listed as explicit.")})),i.forEach((function(t){if(!(t instanceof pr))throw new lr("Specified list of YAML types (or a single Type object) contains a non-Type object.")}));var r=Object.create(mr.prototype);return r.implicit=(this.implicit||[]).concat(e),r.explicit=(this.explicit||[]).concat(i),r.compiledImplicit=gr(r,"implicit"),r.compiledExplicit=gr(r,"explicit"),r.compiledTypeMap=function(){var t,e,i={scalar:{},sequence:{},mapping:{},fallback:{},multi:{scalar:[],sequence:[],mapping:[],fallback:[]}};function r(t){t.multi?(i.multi[t.kind].push(t),i.multi.fallback.push(t)):i[t.kind][t.tag]=i.fallback[t.tag]=t}for(t=0,e=arguments.length;t<e;t+=1)arguments[t].forEach(r);return i}(r.compiledImplicit,r.compiledExplicit),r};var yr=new mr({explicit:[new pr("tag:yaml.org,2002:str",{kind:"scalar",construct:function(t){return null!==t?t:""}}),new pr("tag:yaml.org,2002:seq",{kind:"sequence",construct:function(t){return null!==t?t:[]}}),new pr("tag:yaml.org,2002:map",{kind:"mapping",construct:function(t){return null!==t?t:{}}})]});var xr=new pr("tag:yaml.org,2002:null",{kind:"scalar",resolve:function(t){if(null===t)return!0;var e=t.length;return 1===e&&"~"===t||4===e&&("null"===t||"Null"===t||"NULL"===t)},construct:function(){return null},predicate:function(t){return null===t},represent:{canonical:function(){return"~"},lowercase:function(){return"null"},uppercase:function(){return"NULL"},camelcase:function(){return"Null"},empty:function(){return""}},defaultStyle:"lowercase"});var br=new pr("tag:yaml.org,2002:bool",{kind:"scalar",resolve:function(t){if(null===t)return!1;var e=t.length;return 4===e&&("true"===t||"True"===t||"TRUE"===t)||5===e&&("false"===t||"False"===t||"FALSE"===t)},construct:function(t){return"true"===t||"True"===t||"TRUE"===t},predicate:function(t){return"[object Boolean]"===Object.prototype.toString.call(t)},represent:{lowercase:function(t){return t?"true":"false"},uppercase:function(t){return t?"TRUE":"FALSE"},camelcase:function(t){return t?"True":"False"}},defaultStyle:"lowercase"});function Cr(t){return 48<=t&&t<=55}function _r(t){return 48<=t&&t<=57}var vr=new pr("tag:yaml.org,2002:int",{kind:"scalar",resolve:function(t){if(null===t)return!1;var e,i,r=t.length,n=0,o=!1;if(!r)return!1;if("-"!==(e=t[n])&&"+"!==e||(e=t[++n]),"0"===e){if(n+1===r)return!0;if("b"===(e=t[++n])){for(n++;n<r;n++)if("_"!==(e=t[n])){if("0"!==e&&"1"!==e)return!1;o=!0}return o&&"_"!==e}if("x"===e){for(n++;n<r;n++)if("_"!==(e=t[n])){if(!(48<=(i=t.charCodeAt(n))&&i<=57||65<=i&&i<=70||97<=i&&i<=102))return!1;o=!0}return o&&"_"!==e}if("o"===e){for(n++;n<r;n++)if("_"!==(e=t[n])){if(!Cr(t.charCodeAt(n)))return!1;o=!0}return o&&"_"!==e}}if("_"===e)return!1;for(;n<r;n++)if("_"!==(e=t[n])){if(!_r(t.charCodeAt(n)))return!1;o=!0}return!(!o||"_"===e)},construct:function(t){var e,i=t,r=1;if(-1!==i.indexOf("_")&&(i=i.replace(/_/g,"")),"-"!==(e=i[0])&&"+"!==e||("-"===e&&(r=-1),e=(i=i.slice(1))[0]),"0"===i)return 0;if("0"===e){if("b"===i[1])return r*parseInt(i.slice(2),2);if("x"===i[1])return r*parseInt(i.slice(2),16);if("o"===i[1])return r*parseInt(i.slice(2),8)}return r*parseInt(i,10)},predicate:function(t){return"[object Number]"===Object.prototype.toString.call(t)&&t%1==0&&!or.isNegativeZero(t)},represent:{binary:function(t){return t>=0?"0b"+t.toString(2):"-0b"+t.toString(2).slice(1)},octal:function(t){return t>=0?"0o"+t.toString(8):"-0o"+t.toString(8).slice(1)},decimal:function(t){return t.toString(10)},hexadecimal:function(t){return t>=0?"0x"+t.toString(16).toUpperCase():"-0x"+t.toString(16).toUpperCase().slice(1)}},defaultStyle:"decimal",styleAliases:{binary:[2,"bin"],octal:[8,"oct"],decimal:[10,"dec"],hexadecimal:[16,"hex"]}}),kr=new RegExp("^(?:[-+]?(?:[0-9][0-9_]*)(?:\\.[0-9_]*)?(?:[eE][-+]?[0-9]+)?|\\.[0-9_]+(?:[eE][-+]?[0-9]+)?|[-+]?\\.(?:inf|Inf|INF)|\\.(?:nan|NaN|NAN))$");var Tr=/^[-+]?[0-9]+e/;var wr=new pr("tag:yaml.org,2002:float",{kind:"scalar",resolve:function(t){return null!==t&&!(!kr.test(t)||"_"===t[t.length-1])},construct:function(t){var e,i;return i="-"===(e=t.replace(/_/g,"").toLowerCase())[0]?-1:1,"+-".indexOf(e[0])>=0&&(e=e.slice(1)),".inf"===e?1===i?Number.POSITIVE_INFINITY:Number.NEGATIVE_INFINITY:".nan"===e?NaN:i*parseFloat(e,10)},predicate:function(t){return"[object Number]"===Object.prototype.toString.call(t)&&(t%1!=0||or.isNegativeZero(t))},represent:function(t,e){var i;if(isNaN(t))switch(e){case"lowercase":return".nan";case"uppercase":return".NAN";case"camelcase":return".NaN"}else if(Number.POSITIVE_INFINITY===t)switch(e){case"lowercase":return".inf";case"uppercase":return".INF";case"camelcase":return".Inf"}else if(Number.NEGATIVE_INFINITY===t)switch(e){case"lowercase":return"-.inf";case"uppercase":return"-.INF";case"camelcase":return"-.Inf"}else if(or.isNegativeZero(t))return"-0.0";return i=t.toString(10),Tr.test(i)?i.replace("e",".e"):i},defaultStyle:"lowercase"}),Sr=yr.extend({implicit:[xr,br,vr,wr]}),Br=Sr,Fr=new RegExp("^([0-9][0-9][0-9][0-9])-([0-9][0-9])-([0-9][0-9])$"),Lr=new RegExp("^([0-9][0-9][0-9][0-9])-([0-9][0-9]?)-([0-9][0-9]?)(?:[Tt]|[ \\t]+)([0-9][0-9]?):([0-9][0-9]):([0-9][0-9])(?:\\.([0-9]*))?(?:[ \\t]*(Z|([-+])([0-9][0-9]?)(?::([0-9][0-9]))?))?$");var Ar=new pr("tag:yaml.org,2002:timestamp",{kind:"scalar",resolve:function(t){return null!==t&&(null!==Fr.exec(t)||null!==Lr.exec(t))},construct:function(t){var e,i,r,n,o,a,s,l,c=0,h=null;if(null===(e=Fr.exec(t))&&(e=Lr.exec(t)),null===e)throw new Error("Date resolve error");if(i=+e[1],r=+e[2]-1,n=+e[3],!e[4])return new Date(Date.UTC(i,r,n));if(o=+e[4],a=+e[5],s=+e[6],e[7]){for(c=e[7].slice(0,3);c.length<3;)c+="0";c=+c}return e[9]&&(h=6e4*(60*+e[10]+ +(e[11]||0)),"-"===e[9]&&(h=-h)),l=new Date(Date.UTC(i,r,n,o,a,s,c)),h&&l.setTime(l.getTime()-h),l},instanceOf:Date,represent:function(t){return t.toISOString()}});var Mr=new pr("tag:yaml.org,2002:merge",{kind:"scalar",resolve:function(t){return"<<"===t||null===t}}),Er="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=\n\r";var Nr=new pr("tag:yaml.org,2002:binary",{kind:"scalar",resolve:function(t){if(null===t)return!1;var e,i,r=0,n=t.length,o=Er;for(i=0;i<n;i++)if(!((e=o.indexOf(t.charAt(i)))>64)){if(e<0)return!1;r+=6}return r%8==0},construct:function(t){var e,i,r=t.replace(/[\r\n=]/g,""),n=r.length,o=Er,a=0,s=[];for(e=0;e<n;e++)e%4==0&&e&&(s.push(a>>16&255),s.push(a>>8&255),s.push(255&a)),a=a<<6|o.indexOf(r.charAt(e));return 0===(i=n%4*6)?(s.push(a>>16&255),s.push(a>>8&255),s.push(255&a)):18===i?(s.push(a>>10&255),s.push(a>>2&255)):12===i&&s.push(a>>4&255),new Uint8Array(s)},predicate:function(t){return"[object Uint8Array]"===Object.prototype.toString.call(t)},represent:function(t){var e,i,r="",n=0,o=t.length,a=Er;for(e=0;e<o;e++)e%3==0&&e&&(r+=a[n>>18&63],r+=a[n>>12&63],r+=a[n>>6&63],r+=a[63&n]),n=(n<<8)+t[e];return 0===(i=o%3)?(r+=a[n>>18&63],r+=a[n>>12&63],r+=a[n>>6&63],r+=a[63&n]):2===i?(r+=a[n>>10&63],r+=a[n>>4&63],r+=a[n<<2&63],r+=a[64]):1===i&&(r+=a[n>>2&63],r+=a[n<<4&63],r+=a[64],r+=a[64]),r}}),Zr=Object.prototype.hasOwnProperty,jr=Object.prototype.toString;var Ir=new pr("tag:yaml.org,2002:omap",{kind:"sequence",resolve:function(t){if(null===t)return!0;var e,i,r,n,o,a=[],s=t;for(e=0,i=s.length;e<i;e+=1){if(r=s[e],o=!1,"[object Object]"!==jr.call(r))return!1;for(n in r)if(Zr.call(r,n)){if(o)return!1;o=!0}if(!o)return!1;if(-1!==a.indexOf(n))return!1;a.push(n)}return!0},construct:function(t){return null!==t?t:[]}}),Or=Object.prototype.toString;var Dr=new pr("tag:yaml.org,2002:pairs",{kind:"sequence",resolve:function(t){if(null===t)return!0;var e,i,r,n,o,a=t;for(o=new Array(a.length),e=0,i=a.length;e<i;e+=1){if(r=a[e],"[object Object]"!==Or.call(r))return!1;if(1!==(n=Object.keys(r)).length)return!1;o[e]=[n[0],r[n[0]]]}return!0},construct:function(t){if(null===t)return[];var e,i,r,n,o,a=t;for(o=new Array(a.length),e=0,i=a.length;e<i;e+=1)r=a[e],n=Object.keys(r),o[e]=[n[0],r[n[0]]];return o}}),qr=Object.prototype.hasOwnProperty;var $r=new pr("tag:yaml.org,2002:set",{kind:"mapping",resolve:function(t){if(null===t)return!0;var e,i=t;for(e in i)if(qr.call(i,e)&&null!==i[e])return!1;return!0},construct:function(t){return null!==t?t:{}}}),zr=Br.extend({implicit:[Ar,Mr],explicit:[Nr,Ir,Dr,$r]}),Pr=Object.prototype.hasOwnProperty,Rr=1,Hr=2,Wr=3,Ur=4,Yr=1,Vr=2,Gr=3,Xr=/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F-\x84\x86-\x9F\uFFFE\uFFFF]|[\uD800-\uDBFF](?![\uDC00-\uDFFF])|(?:[^\uD800-\uDBFF]|^)[\uDC00-\uDFFF]/,Jr=/[\x85\u2028\u2029]/,Qr=/[,\[\]\{\}]/,Kr=/^(?:!|!!|![a-z\-]+!)$/i,tn=/^(?:!|[^,\[\]\{\}])(?:%[0-9a-f]{2}|[0-9a-z\-#;\/\?:@&=\+\$,_\.!~\*'\(\)\[\]])*$/i;function en(t){return Object.prototype.toString.call(t)}function rn(t){return 10===t||13===t}function nn(t){return 9===t||32===t}function on(t){return 9===t||32===t||10===t||13===t}function an(t){return 44===t||91===t||93===t||123===t||125===t}function sn(t){var e;return 48<=t&&t<=57?t-48:97<=(e=32|t)&&e<=102?e-97+10:-1}function ln(t){return 48===t?"\0":97===t?"\x07":98===t?"\b":116===t||9===t?"\t":110===t?"\n":118===t?"\v":102===t?"\f":114===t?"\r":101===t?"\x1b":32===t?" ":34===t?'"':47===t?"/":92===t?"\\":78===t?"\x85":95===t?"\xa0":76===t?"\u2028":80===t?"\u2029":""}function cn(t){return t<=65535?String.fromCharCode(t):String.fromCharCode(55296+(t-65536>>10),56320+(t-65536&1023))}for(var hn=new Array(256),un=new Array(256),dn=0;dn<256;dn++)hn[dn]=ln(dn)?1:0,un[dn]=ln(dn);function fn(t,e){this.input=t,this.filename=e.filename||null,this.schema=e.schema||zr,this.onWarning=e.onWarning||null,this.legacy=e.legacy||!1,this.json=e.json||!1,this.listener=e.listener||null,this.implicitTypes=this.schema.compiledImplicit,this.typeMap=this.schema.compiledTypeMap,this.length=t.length,this.position=0,this.line=0,this.lineStart=0,this.lineIndent=0,this.firstTabInLine=-1,this.documents=[]}function pn(t,e){var i={name:t.filename,buffer:t.input.slice(0,-1),position:t.position,line:t.line,column:t.position-t.lineStart};return i.snippet=ur(i),new lr(e,i)}function gn(t,e){throw pn(t,e)}function mn(t,e){t.onWarning&&t.onWarning.call(null,pn(t,e))}var yn={YAML:function(t,e,i){var r,n,o;null!==t.version&&gn(t,"duplication of %YAML directive"),1!==i.length&&gn(t,"YAML directive accepts exactly one argument"),null===(r=/^([0-9]+)\.([0-9]+)$/.exec(i[0]))&&gn(t,"ill-formed argument of the YAML directive"),n=parseInt(r[1],10),o=parseInt(r[2],10),1!==n&&gn(t,"unacceptable YAML version of the document"),t.version=i[0],t.checkLineBreaks=o<2,1!==o&&2!==o&&mn(t,"unsupported YAML version of the document")},TAG:function(t,e,i){var r,n;2!==i.length&&gn(t,"TAG directive accepts exactly two arguments"),r=i[0],n=i[1],Kr.test(r)||gn(t,"ill-formed tag handle (first argument) of the TAG directive"),Pr.call(t.tagMap,r)&&gn(t,'there is a previously declared suffix for "'+r+'" tag handle'),tn.test(n)||gn(t,"ill-formed tag prefix (second argument) of the TAG directive");try{n=decodeURIComponent(n)}catch(o){gn(t,"tag prefix is malformed: "+n)}t.tagMap[r]=n}};function xn(t,e,i,r){var n,o,a,s;if(e<i){if(s=t.input.slice(e,i),r)for(n=0,o=s.length;n<o;n+=1)9===(a=s.charCodeAt(n))||32<=a&&a<=1114111||gn(t,"expected valid JSON character");else Xr.test(s)&&gn(t,"the stream contains non-printable characters");t.result+=s}}function bn(t,e,i,r){var n,o,a,s;for(or.isObject(i)||gn(t,"cannot merge mappings; the provided source object is unacceptable"),a=0,s=(n=Object.keys(i)).length;a<s;a+=1)o=n[a],Pr.call(e,o)||(e[o]=i[o],r[o]=!0)}function Cn(t,e,i,r,n,o,a,s,l){var c,h;if(Array.isArray(n))for(c=0,h=(n=Array.prototype.slice.call(n)).length;c<h;c+=1)Array.isArray(n[c])&&gn(t,"nested arrays are not supported inside keys"),"object"==typeof n&&"[object Object]"===en(n[c])&&(n[c]="[object Object]");if("object"==typeof n&&"[object Object]"===en(n)&&(n="[object Object]"),n=String(n),null===e&&(e={}),"tag:yaml.org,2002:merge"===r)if(Array.isArray(o))for(c=0,h=o.length;c<h;c+=1)bn(t,e,o[c],i);else bn(t,e,o,i);else t.json||Pr.call(i,n)||!Pr.call(e,n)||(t.line=a||t.line,t.lineStart=s||t.lineStart,t.position=l||t.position,gn(t,"duplicated mapping key")),"__proto__"===n?Object.defineProperty(e,n,{configurable:!0,enumerable:!0,writable:!0,value:o}):e[n]=o,delete i[n];return e}function _n(t){var e;10===(e=t.input.charCodeAt(t.position))?t.position++:13===e?(t.position++,10===t.input.charCodeAt(t.position)&&t.position++):gn(t,"a line break is expected"),t.line+=1,t.lineStart=t.position,t.firstTabInLine=-1}function vn(t,e,i){for(var r=0,n=t.input.charCodeAt(t.position);0!==n;){for(;nn(n);)9===n&&-1===t.firstTabInLine&&(t.firstTabInLine=t.position),n=t.input.charCodeAt(++t.position);if(e&&35===n)do{n=t.input.charCodeAt(++t.position)}while(10!==n&&13!==n&&0!==n);if(!rn(n))break;for(_n(t),n=t.input.charCodeAt(t.position),r++,t.lineIndent=0;32===n;)t.lineIndent++,n=t.input.charCodeAt(++t.position)}return-1!==i&&0!==r&&t.lineIndent<i&&mn(t,"deficient indentation"),r}function kn(t){var e,i=t.position;return!(45!==(e=t.input.charCodeAt(i))&&46!==e||e!==t.input.charCodeAt(i+1)||e!==t.input.charCodeAt(i+2)||(i+=3,0!==(e=t.input.charCodeAt(i))&&!on(e)))}function Tn(t,e){1===e?t.result+=" ":e>1&&(t.result+=or.repeat("\n",e-1))}function wn(t,e){var i,r,n=t.tag,o=t.anchor,a=[],s=!1;if(-1!==t.firstTabInLine)return!1;for(null!==t.anchor&&(t.anchorMap[t.anchor]=a),r=t.input.charCodeAt(t.position);0!==r&&(-1!==t.firstTabInLine&&(t.position=t.firstTabInLine,gn(t,"tab characters must not be used in indentation")),45===r)&&on(t.input.charCodeAt(t.position+1));)if(s=!0,t.position++,vn(t,!0,-1)&&t.lineIndent<=e)a.push(null),r=t.input.charCodeAt(t.position);else if(i=t.line,Fn(t,e,Wr,!1,!0),a.push(t.result),vn(t,!0,-1),r=t.input.charCodeAt(t.position),(t.line===i||t.lineIndent>e)&&0!==r)gn(t,"bad indentation of a sequence entry");else if(t.lineIndent<e)break;return!!s&&(t.tag=n,t.anchor=o,t.kind="sequence",t.result=a,!0)}function Sn(t){var e,i,r,n,o=!1,a=!1;if(33!==(n=t.input.charCodeAt(t.position)))return!1;if(null!==t.tag&&gn(t,"duplication of a tag property"),60===(n=t.input.charCodeAt(++t.position))?(o=!0,n=t.input.charCodeAt(++t.position)):33===n?(a=!0,i="!!",n=t.input.charCodeAt(++t.position)):i="!",e=t.position,o){do{n=t.input.charCodeAt(++t.position)}while(0!==n&&62!==n);t.position<t.length?(r=t.input.slice(e,t.position),n=t.input.charCodeAt(++t.position)):gn(t,"unexpected end of the stream within a verbatim tag")}else{for(;0!==n&&!on(n);)33===n&&(a?gn(t,"tag suffix cannot contain exclamation marks"):(i=t.input.slice(e-1,t.position+1),Kr.test(i)||gn(t,"named tag handle cannot contain such characters"),a=!0,e=t.position+1)),n=t.input.charCodeAt(++t.position);r=t.input.slice(e,t.position),Qr.test(r)&&gn(t,"tag suffix cannot contain flow indicator characters")}r&&!tn.test(r)&&gn(t,"tag name cannot contain such characters: "+r);try{r=decodeURIComponent(r)}catch(s){gn(t,"tag name is malformed: "+r)}return o?t.tag=r:Pr.call(t.tagMap,i)?t.tag=t.tagMap[i]+r:"!"===i?t.tag="!"+r:"!!"===i?t.tag="tag:yaml.org,2002:"+r:gn(t,'undeclared tag handle "'+i+'"'),!0}function Bn(t){var e,i;if(38!==(i=t.input.charCodeAt(t.position)))return!1;for(null!==t.anchor&&gn(t,"duplication of an anchor property"),i=t.input.charCodeAt(++t.position),e=t.position;0!==i&&!on(i)&&!an(i);)i=t.input.charCodeAt(++t.position);return t.position===e&&gn(t,"name of an anchor node must contain at least one character"),t.anchor=t.input.slice(e,t.position),!0}function Fn(t,e,i,r,n){var o,a,s,l,c,h,u,d,f,p=1,g=!1,m=!1;if(null!==t.listener&&t.listener("open",t),t.tag=null,t.anchor=null,t.kind=null,t.result=null,o=a=s=Ur===i||Wr===i,r&&vn(t,!0,-1)&&(g=!0,t.lineIndent>e?p=1:t.lineIndent===e?p=0:t.lineIndent<e&&(p=-1)),1===p)for(;Sn(t)||Bn(t);)vn(t,!0,-1)?(g=!0,s=o,t.lineIndent>e?p=1:t.lineIndent===e?p=0:t.lineIndent<e&&(p=-1)):s=!1;if(s&&(s=g||n),1!==p&&Ur!==i||(d=Rr===i||Hr===i?e:e+1,f=t.position-t.lineStart,1===p?s&&(wn(t,f)||function(t,e,i){var r,n,o,a,s,l,c,h=t.tag,u=t.anchor,d={},f=Object.create(null),p=null,g=null,m=null,y=!1,x=!1;if(-1!==t.firstTabInLine)return!1;for(null!==t.anchor&&(t.anchorMap[t.anchor]=d),c=t.input.charCodeAt(t.position);0!==c;){if(y||-1===t.firstTabInLine||(t.position=t.firstTabInLine,gn(t,"tab characters must not be used in indentation")),r=t.input.charCodeAt(t.position+1),o=t.line,63!==c&&58!==c||!on(r)){if(a=t.line,s=t.lineStart,l=t.position,!Fn(t,i,Hr,!1,!0))break;if(t.line===o){for(c=t.input.charCodeAt(t.position);nn(c);)c=t.input.charCodeAt(++t.position);if(58===c)on(c=t.input.charCodeAt(++t.position))||gn(t,"a whitespace character is expected after the key-value separator within a block mapping"),y&&(Cn(t,d,f,p,g,null,a,s,l),p=g=m=null),x=!0,y=!1,n=!1,p=t.tag,g=t.result;else{if(!x)return t.tag=h,t.anchor=u,!0;gn(t,"can not read an implicit mapping pair; a colon is missed")}}else{if(!x)return t.tag=h,t.anchor=u,!0;gn(t,"can not read a block mapping entry; a multiline key may not be an implicit key")}}else 63===c?(y&&(Cn(t,d,f,p,g,null,a,s,l),p=g=m=null),x=!0,y=!0,n=!0):y?(y=!1,n=!0):gn(t,"incomplete explicit mapping pair; a key node is missed; or followed by a non-tabulated empty line"),t.position+=1,c=r;if((t.line===o||t.lineIndent>e)&&(y&&(a=t.line,s=t.lineStart,l=t.position),Fn(t,e,Ur,!0,n)&&(y?g=t.result:m=t.result),y||(Cn(t,d,f,p,g,m,a,s,l),p=g=m=null),vn(t,!0,-1),c=t.input.charCodeAt(t.position)),(t.line===o||t.lineIndent>e)&&0!==c)gn(t,"bad indentation of a mapping entry");else if(t.lineIndent<e)break}return y&&Cn(t,d,f,p,g,null,a,s,l),x&&(t.tag=h,t.anchor=u,t.kind="mapping",t.result=d),x}(t,f,d))||function(t,e){var i,r,n,o,a,s,l,c,h,u,d,f,p=!0,g=t.tag,m=t.anchor,y=Object.create(null);if(91===(f=t.input.charCodeAt(t.position)))a=93,c=!1,o=[];else{if(123!==f)return!1;a=125,c=!0,o={}}for(null!==t.anchor&&(t.anchorMap[t.anchor]=o),f=t.input.charCodeAt(++t.position);0!==f;){if(vn(t,!0,e),(f=t.input.charCodeAt(t.position))===a)return t.position++,t.tag=g,t.anchor=m,t.kind=c?"mapping":"sequence",t.result=o,!0;p?44===f&&gn(t,"expected the node content, but found ','"):gn(t,"missed comma between flow collection entries"),d=null,s=l=!1,63===f&&on(t.input.charCodeAt(t.position+1))&&(s=l=!0,t.position++,vn(t,!0,e)),i=t.line,r=t.lineStart,n=t.position,Fn(t,e,Rr,!1,!0),u=t.tag,h=t.result,vn(t,!0,e),f=t.input.charCodeAt(t.position),!l&&t.line!==i||58!==f||(s=!0,f=t.input.charCodeAt(++t.position),vn(t,!0,e),Fn(t,e,Rr,!1,!0),d=t.result),c?Cn(t,o,y,u,h,d,i,r,n):s?o.push(Cn(t,null,y,u,h,d,i,r,n)):o.push(h),vn(t,!0,e),44===(f=t.input.charCodeAt(t.position))?(p=!0,f=t.input.charCodeAt(++t.position)):p=!1}gn(t,"unexpected end of the stream within a flow collection")}(t,d)?m=!0:(a&&function(t,e){var i,r,n,o,a,s=Yr,l=!1,c=!1,h=e,u=0,d=!1;if(124===(o=t.input.charCodeAt(t.position)))r=!1;else{if(62!==o)return!1;r=!0}for(t.kind="scalar",t.result="";0!==o;)if(43===(o=t.input.charCodeAt(++t.position))||45===o)Yr===s?s=43===o?Gr:Vr:gn(t,"repeat of a chomping mode identifier");else{if(!((n=48<=(a=o)&&a<=57?a-48:-1)>=0))break;0===n?gn(t,"bad explicit indentation width of a block scalar; it cannot be less than one"):c?gn(t,"repeat of an indentation width identifier"):(h=e+n-1,c=!0)}if(nn(o)){do{o=t.input.charCodeAt(++t.position)}while(nn(o));if(35===o)do{o=t.input.charCodeAt(++t.position)}while(!rn(o)&&0!==o)}for(;0!==o;){for(_n(t),t.lineIndent=0,o=t.input.charCodeAt(t.position);(!c||t.lineIndent<h)&&32===o;)t.lineIndent++,o=t.input.charCodeAt(++t.position);if(!c&&t.lineIndent>h&&(h=t.lineIndent),rn(o))u++;else{if(t.lineIndent<h){s===Gr?t.result+=or.repeat("\n",l?1+u:u):s===Yr&&l&&(t.result+="\n");break}for(r?nn(o)?(d=!0,t.result+=or.repeat("\n",l?1+u:u)):d?(d=!1,t.result+=or.repeat("\n",u+1)):0===u?l&&(t.result+=" "):t.result+=or.repeat("\n",u):t.result+=or.repeat("\n",l?1+u:u),l=!0,c=!0,u=0,i=t.position;!rn(o)&&0!==o;)o=t.input.charCodeAt(++t.position);xn(t,i,t.position,!1)}}return!0}(t,d)||function(t,e){var i,r,n;if(39!==(i=t.input.charCodeAt(t.position)))return!1;for(t.kind="scalar",t.result="",t.position++,r=n=t.position;0!==(i=t.input.charCodeAt(t.position));)if(39===i){if(xn(t,r,t.position,!0),39!==(i=t.input.charCodeAt(++t.position)))return!0;r=t.position,t.position++,n=t.position}else rn(i)?(xn(t,r,n,!0),Tn(t,vn(t,!1,e)),r=n=t.position):t.position===t.lineStart&&kn(t)?gn(t,"unexpected end of the document within a single quoted scalar"):(t.position++,n=t.position);gn(t,"unexpected end of the stream within a single quoted scalar")}(t,d)||function(t,e){var i,r,n,o,a,s,l;if(34!==(s=t.input.charCodeAt(t.position)))return!1;for(t.kind="scalar",t.result="",t.position++,i=r=t.position;0!==(s=t.input.charCodeAt(t.position));){if(34===s)return xn(t,i,t.position,!0),t.position++,!0;if(92===s){if(xn(t,i,t.position,!0),rn(s=t.input.charCodeAt(++t.position)))vn(t,!1,e);else if(s<256&&hn[s])t.result+=un[s],t.position++;else if((a=120===(l=s)?2:117===l?4:85===l?8:0)>0){for(n=a,o=0;n>0;n--)(a=sn(s=t.input.charCodeAt(++t.position)))>=0?o=(o<<4)+a:gn(t,"expected hexadecimal character");t.result+=cn(o),t.position++}else gn(t,"unknown escape sequence");i=r=t.position}else rn(s)?(xn(t,i,r,!0),Tn(t,vn(t,!1,e)),i=r=t.position):t.position===t.lineStart&&kn(t)?gn(t,"unexpected end of the document within a double quoted scalar"):(t.position++,r=t.position)}gn(t,"unexpected end of the stream within a double quoted scalar")}(t,d)?m=!0:!function(t){var e,i,r;if(42!==(r=t.input.charCodeAt(t.position)))return!1;for(r=t.input.charCodeAt(++t.position),e=t.position;0!==r&&!on(r)&&!an(r);)r=t.input.charCodeAt(++t.position);return t.position===e&&gn(t,"name of an alias node must contain at least one character"),i=t.input.slice(e,t.position),Pr.call(t.anchorMap,i)||gn(t,'unidentified alias "'+i+'"'),t.result=t.anchorMap[i],vn(t,!0,-1),!0}(t)?function(t,e,i){var r,n,o,a,s,l,c,h,u=t.kind,d=t.result;if(on(h=t.input.charCodeAt(t.position))||an(h)||35===h||38===h||42===h||33===h||124===h||62===h||39===h||34===h||37===h||64===h||96===h)return!1;if((63===h||45===h)&&(on(r=t.input.charCodeAt(t.position+1))||i&&an(r)))return!1;for(t.kind="scalar",t.result="",n=o=t.position,a=!1;0!==h;){if(58===h){if(on(r=t.input.charCodeAt(t.position+1))||i&&an(r))break}else if(35===h){if(on(t.input.charCodeAt(t.position-1)))break}else{if(t.position===t.lineStart&&kn(t)||i&&an(h))break;if(rn(h)){if(s=t.line,l=t.lineStart,c=t.lineIndent,vn(t,!1,-1),t.lineIndent>=e){a=!0,h=t.input.charCodeAt(t.position);continue}t.position=o,t.line=s,t.lineStart=l,t.lineIndent=c;break}}a&&(xn(t,n,o,!1),Tn(t,t.line-s),n=o=t.position,a=!1),nn(h)||(o=t.position+1),h=t.input.charCodeAt(++t.position)}return xn(t,n,o,!1),!!t.result||(t.kind=u,t.result=d,!1)}(t,d,Rr===i)&&(m=!0,null===t.tag&&(t.tag="?")):(m=!0,null===t.tag&&null===t.anchor||gn(t,"alias node should not have any properties")),null!==t.anchor&&(t.anchorMap[t.anchor]=t.result)):0===p&&(m=s&&wn(t,f))),null===t.tag)null!==t.anchor&&(t.anchorMap[t.anchor]=t.result);else if("?"===t.tag){for(null!==t.result&&"scalar"!==t.kind&&gn(t,'unacceptable node kind for !<?> tag; it should be "scalar", not "'+t.kind+'"'),l=0,c=t.implicitTypes.length;l<c;l+=1)if((u=t.implicitTypes[l]).resolve(t.result)){t.result=u.construct(t.result),t.tag=u.tag,null!==t.anchor&&(t.anchorMap[t.anchor]=t.result);break}}else if("!"!==t.tag){if(Pr.call(t.typeMap[t.kind||"fallback"],t.tag))u=t.typeMap[t.kind||"fallback"][t.tag];else for(u=null,l=0,c=(h=t.typeMap.multi[t.kind||"fallback"]).length;l<c;l+=1)if(t.tag.slice(0,h[l].tag.length)===h[l].tag){u=h[l];break}u||gn(t,"unknown tag !<"+t.tag+">"),null!==t.result&&u.kind!==t.kind&&gn(t,"unacceptable node kind for !<"+t.tag+'> tag; it should be "'+u.kind+'", not "'+t.kind+'"'),u.resolve(t.result,t.tag)?(t.result=u.construct(t.result,t.tag),null!==t.anchor&&(t.anchorMap[t.anchor]=t.result)):gn(t,"cannot resolve a node with !<"+t.tag+"> explicit tag")}return null!==t.listener&&t.listener("close",t),null!==t.tag||null!==t.anchor||m}function Ln(t){var e,i,r,n,o=t.position,a=!1;for(t.version=null,t.checkLineBreaks=t.legacy,t.tagMap=Object.create(null),t.anchorMap=Object.create(null);0!==(n=t.input.charCodeAt(t.position))&&(vn(t,!0,-1),n=t.input.charCodeAt(t.position),!(t.lineIndent>0||37!==n));){for(a=!0,n=t.input.charCodeAt(++t.position),e=t.position;0!==n&&!on(n);)n=t.input.charCodeAt(++t.position);for(r=[],(i=t.input.slice(e,t.position)).length<1&&gn(t,"directive name must not be less than one character in length");0!==n;){for(;nn(n);)n=t.input.charCodeAt(++t.position);if(35===n){do{n=t.input.charCodeAt(++t.position)}while(0!==n&&!rn(n));break}if(rn(n))break;for(e=t.position;0!==n&&!on(n);)n=t.input.charCodeAt(++t.position);r.push(t.input.slice(e,t.position))}0!==n&&_n(t),Pr.call(yn,i)?yn[i](t,i,r):mn(t,'unknown document directive "'+i+'"')}vn(t,!0,-1),0===t.lineIndent&&45===t.input.charCodeAt(t.position)&&45===t.input.charCodeAt(t.position+1)&&45===t.input.charCodeAt(t.position+2)?(t.position+=3,vn(t,!0,-1)):a&&gn(t,"directives end mark is expected"),Fn(t,t.lineIndent-1,Ur,!1,!0),vn(t,!0,-1),t.checkLineBreaks&&Jr.test(t.input.slice(o,t.position))&&mn(t,"non-ASCII line breaks are interpreted as content"),t.documents.push(t.result),t.position===t.lineStart&&kn(t)?46===t.input.charCodeAt(t.position)&&(t.position+=3,vn(t,!0,-1)):t.position<t.length-1&&gn(t,"end of the stream or a document separator is expected")}function An(t,e){e=e||{},0!==(t=String(t)).length&&(10!==t.charCodeAt(t.length-1)&&13!==t.charCodeAt(t.length-1)&&(t+="\n"),65279===t.charCodeAt(0)&&(t=t.slice(1)));var i=new fn(t,e),r=t.indexOf("\0");for(-1!==r&&(i.position=r,gn(i,"null byte is not allowed in input")),i.input+="\0";32===i.input.charCodeAt(i.position);)i.lineIndent+=1,i.position+=1;for(;i.position<i.length-1;)Ln(i);return i.documents}var Mn=Sr,En={loadAll:function(t,e,i){null!==e&&"object"==typeof e&&void 0===i&&(i=e,e=null);var r=An(t,i);if("function"!=typeof e)return r;for(var n=0,o=r.length;n<o;n+=1)e(r[n])},load:function(t,e){var i=An(t,e);if(0!==i.length){if(1===i.length)return i[0];throw new lr("expected a single document in the stream, but found more")}}}.load;const Nn=t=>t.replace(/\r\n?/g,"\n").replace(/<(\w+)([^>]*)>/g,((t,e,i)=>"<"+e+i.replace(/="([^"]*)"/g,"='$1'")+">")),Zn=t=>{const{text:e,metadata:i}=function(t){const e=t.match(qt);if(!e)return{text:t,metadata:{}};let i=En(e[1],{schema:Mn})??{};i="object"!=typeof i||Array.isArray(i)?{}:i;const r={};return i.displayMode&&(r.displayMode=i.displayMode.toString()),i.title&&(r.title=i.title.toString()),i.config&&(r.config=i.config),{text:t.slice(e[0].length),metadata:r}}(t),{displayMode:r,title:n,config:o={}}=i;return r&&(o.gantt||(o.gantt={}),o.gantt.displayMode=r),{title:n,config:o,text:e}},jn=t=>{const e=ye.detectInit(t)??{},i=ye.detectDirective(t,"wrap");return Array.isArray(i)?e.wrap=i.some((({type:t})=>{})):"wrap"===(null==i?void 0:i.type)&&(e.wrap=!0),{text:(r=t,r.replace($t,"")),directive:e};var r};const In=["foreignobject"],On=["dominant-baseline"];function Dn(t){const e=function(t){const e=Nn(t),i=Zn(e),r=jn(i.text),n=me(i.config,r.directive);return{code:t=rr(r.text),title:i.title,config:n}}(t);return Ae(),Le(e.config??{}),e}const qn=function(t){return t.replace(/\ufb02\xb0\xb0/g,"&#").replace(/\ufb02\xb0/g,"&").replace(/\xb6\xdf/g,";")},$n=(t,e,i=[])=>`\n.${t} ${e} { ${i.join(" !important; ")} !important; }`,zn=(t,e,i,r)=>{const n=((t,e={})=>{var i;let r="";if(void 0!==t.themeCSS&&(r+=`\n${t.themeCSS}`),void 0!==t.fontFamily&&(r+=`\n:root { --mermaid-font-family: ${t.fontFamily}}`),void 0!==t.altFontFamily&&(r+=`\n:root { --mermaid-alt-font-family: ${t.altFontFamily}}`),!(0,ot.Z)(e)){const n=t.htmlLabels||(null==(i=t.flowchart)?void 0:i.htmlLabels)?["> *","span"]:["rect","polygon","ellipse","circle","path"];for(const t in e){const i=e[t];(0,ot.Z)(i.styles)||n.forEach((t=>{r+=$n(i.id,t,i.styles)})),(0,ot.Z)(i.textStyles)||(r+=$n(i.id,"tspan",i.textStyles))}}return r})(t,i);return M(tt(`${r}{${pi(e,n,t.themeVariables)}}`),E)},Pn=(t,e,i,r,n)=>{const o=t.append("div");o.attr("id",i),r&&o.attr("style",r);const a=o.append("svg").attr("id",e).attr("width","100%").attr("xmlns","http://www.w3.org/2000/svg");return n&&a.attr("xmlns:xlink",n),a.append("g"),t};function Rn(t,e){return t.append("iframe").attr("id",e).attr("style","width: 100%; height: 100%;").attr("sandbox","")}const Hn=Object.freeze({render:async function(t,e,i){var r,n,o,l,c,h;Ji();const u=Dn(e);e=u.code;const d=Be();st.debug(d),e.length>((null==d?void 0:d.maxTextSize)??5e4)&&(e="graph TB;a[Maximum text size in diagram exceeded];style a fill:#faa");const f="#"+t,p="i"+t,g="#"+p,m="d"+t,y="#"+m;let x=(0,a.Ys)("body");const b="sandbox"===d.securityLevel,C="loose"===d.securityLevel,_=d.fontFamily;if(void 0!==i){if(i&&(i.innerHTML=""),b){const t=Rn((0,a.Ys)(i),p);x=(0,a.Ys)(t.nodes()[0].contentDocument.body),x.node().style.margin=0}else x=(0,a.Ys)(i);Pn(x,t,m,`font-family: ${_}`,"http://www.w3.org/1999/xlink")}else{if(((t,e,i,r)=>{var n,o,a;null==(n=t.getElementById(e))||n.remove(),null==(o=t.getElementById(i))||o.remove(),null==(a=t.getElementById(r))||a.remove()})(document,t,m,p),b){const t=Rn((0,a.Ys)("body"),p);x=(0,a.Ys)(t.nodes()[0].contentDocument.body),x.node().style.margin=0}else x=(0,a.Ys)("body");Pn(x,t,m)}let v,k;e=function(t){let e=t;return e=e.replace(/style.*:\S*#.*;/g,(function(t){return t.substring(0,t.length-1)})),e=e.replace(/classDef.*:\S*#.*;/g,(function(t){return t.substring(0,t.length-1)})),e=e.replace(/#\w+;/g,(function(t){const e=t.substring(1,t.length-1);return/^\+?\d+$/.test(e)?"\ufb02\xb0\xb0"+e+"\xb6\xdf":"\ufb02\xb0"+e+"\xb6\xdf"})),e}(e);try{v=await Ki(e,{title:u.title})}catch(Z){v=new Qi("error"),k=Z}const T=x.select(y).node(),w=v.type,S=T.firstChild,B=S.firstChild,F=null==(n=(r=v.renderer).getClasses)?void 0:n.call(r,e,v),L=zn(d,w,F,f),A=document.createElement("style");A.innerHTML=L,S.insertBefore(A,B);try{await v.renderer.draw(e,t,xe,v)}catch(j){throw $i.draw(e,t,xe),j}!function(t,e,i,r){(function(t,e){t.attr("role",ir),""!==e&&t.attr("aria-roledescription",e)})(e,t),function(t,e,i,r){if(void 0!==t.insert){if(i){const e=`chart-desc-${r}`;t.attr("aria-describedby",e),t.insert("desc",":first-child").attr("id",e).text(i)}if(e){const i=`chart-title-${r}`;t.attr("aria-labelledby",i),t.insert("title",":first-child").attr("id",i).text(e)}}}(e,i,r,e.attr("id"))}(w,x.select(`${y} svg`),null==(l=(o=v.db).getAccTitle)?void 0:l.call(o),null==(h=(c=v.db).getAccDescription)?void 0:h.call(c)),x.select(`[id="${t}"]`).selectAll("foreignobject > *").attr("xmlns","http://www.w3.org/1999/xhtml");let M=x.select(y).node().innerHTML;if(st.debug("config.arrowMarkerAbsolute",d.arrowMarkerAbsolute),M=((t="",e,i)=>{let r=t;return i||e||(r=r.replace(/marker-end="url\([\d+./:=?A-Za-z-]*?#/g,'marker-end="url(#')),r=qn(r),r=r.replace(/<br>/g,"<br/>"),r})(M,b,mt(d.arrowMarkerAbsolute)),b){M=((t="",e)=>{var i,r;return`<iframe style="width:100%;height:${(null==(r=null==(i=null==e?void 0:e.viewBox)?void 0:i.baseVal)?void 0:r.height)?e.viewBox.baseVal.height+"px":"100%"};border:0;margin:0;" src="data:text/html;base64,${btoa('<body style="margin:0">'+t+"</body>")}" sandbox="allow-top-navigation-by-user-activation allow-popups">\n The "iframe" tag is not supported by your browser.\n</iframe>`})(M,x.select(y+" svg").node())}else C||(M=s.sanitize(M,{ADD_TAGS:In,ADD_ATTR:On}));if(tr.forEach((t=>{t()})),tr=[],k)throw k;const E=b?g:y,N=(0,a.Ys)(E).node();return N&&"remove"in N&&N.remove(),{svg:M,bindFunctions:v.db.bindFunctions}},parse:async function(t,e){Ji(),t=Dn(t).code;try{await Ki(t)}catch(i){if(null==e?void 0:e.suppressErrors)return!1;throw i}return!0},getDiagramFromText:Ki,initialize:function(t={}){var e;(null==t?void 0:t.fontFamily)&&!(null==(e=t.themeVariables)?void 0:e.fontFamily)&&(t.themeVariables||(t.themeVariables={}),t.themeVariables.fontFamily=t.fontFamily),Ce=Vt({},t),(null==t?void 0:t.theme)&&t.theme in Mt?t.themeVariables=Mt[t.theme].getThemeVariables(t.themeVariables):t&&(t.themeVariables=Mt.default.getThemeVariables(t.themeVariables));const i="object"==typeof t?(t=>(_e=Vt({},be),_e=Vt(_e,t),t.theme&&Mt[t.theme]&&(_e.themeVariables=Mt[t.theme].getThemeVariables(t.themeVariables)),Te(_e,ve),_e))(t):we();lt(i.logLevel),Ji()},getConfig:Be,setConfig:Se,getSiteConfig:we,updateSiteConfig:t=>(_e=Vt(_e,t),Te(_e,ve),_e),reset:()=>{Ae()},globalReset:()=>{Ae(be)},defaultConfig:be});lt(Be().logLevel),Ae(Be());const Wn=(t,e,i)=>{st.warn(t),pe(t)?(i&&i(t.str,t.hash),e.push({...t,message:t.str,error:t})):(i&&i(t),t instanceof Error&&e.push({str:t.message,message:t.message,hash:t.name,error:t}))},Un=async function(t={querySelector:".mermaid"}){try{await Yn(t)}catch(e){if(pe(e)&&st.error(e.str),to.parseError&&to.parseError(e),!t.suppressErrors)throw st.error("Use the suppressErrors option to suppress these errors"),e}},Yn=async function({postRenderCallback:t,querySelector:e,nodes:i}={querySelector:".mermaid"}){const n=Hn.getConfig();let o;if(st.debug((t?"":"No ")+"Callback function found"),i)o=i;else{if(!e)throw new Error("Nodes and querySelector are both undefined");o=document.querySelectorAll(e)}st.debug(`Found ${o.length} diagrams`),void 0!==(null==n?void 0:n.startOnLoad)&&(st.debug("Start On Load: "+(null==n?void 0:n.startOnLoad)),Hn.updateSiteConfig({startOnLoad:null==n?void 0:n.startOnLoad}));const a=new ye.InitIDGenerator(n.deterministicIds,n.deterministicIDSeed);let s;const l=[];for(const h of Array.from(o)){if(st.info("Rendering diagram: "+h.id),h.getAttribute("data-processed"))continue;h.setAttribute("data-processed","true");const e=`mermaid-${a.next()}`;s=h.innerHTML,s=(0,r.Z)(ye.entityDecode(s)).trim().replace(/<br\s*\/?>/gi,"<br/>");const i=ye.detectInit(s);i&&st.debug("Detected early reinit: ",i);try{const{svg:i,bindFunctions:r}=await Kn(e,s,h);h.innerHTML=i,t&&await t(e),r&&r(h)}catch(c){Wn(c,l,to.parseError)}}if(l.length>0)throw l[0]},Vn=function(t){Hn.initialize(t)},Gn=function(){if(to.startOnLoad){const{startOnLoad:t}=Hn.getConfig();t&&to.run().catch((t=>st.error("Mermaid failed to initialize",t)))}};"undefined"!=typeof document&&window.addEventListener("load",Gn,!1);const Xn=[];let Jn=!1;const Qn=async()=>{if(!Jn){for(Jn=!0;Xn.length>0;){const e=Xn.shift();if(e)try{await e()}catch(t){st.error("Error executing queue",t)}}Jn=!1}},Kn=(t,e,i)=>new Promise(((r,n)=>{Xn.push((()=>new Promise(((o,a)=>{Hn.render(t,e,i).then((t=>{o(t),r(t)}),(t=>{var e;st.error("Error parsing",t),null==(e=to.parseError)||e.call(to,t),a(t),n(t)}))})))),Qn().catch(n)})),to={startOnLoad:!0,mermaidAPI:Hn,parse:async(t,e)=>new Promise(((i,r)=>{Xn.push((()=>new Promise(((n,o)=>{Hn.parse(t,e).then((t=>{n(t),i(t)}),(t=>{var e;st.error("Error parsing",t),null==(e=to.parseError)||e.call(to,t),o(t),r(t)}))})))),Qn().catch(r)})),render:Kn,init:async function(t,e,i){st.warn("mermaid.init is deprecated. Please use run instead."),t&&Vn(t);const r={postRenderCallback:i,querySelector:".mermaid"};"string"==typeof e?r.querySelector=e:e&&(e instanceof HTMLElement?r.nodes=[e]:r.nodes=e),await Un(r)},run:Un,registerExternalDiagrams:async(t,{lazyLoad:e=!0}={})=>{Wt(...t),!1===e&&await(async()=>{st.debug("Loading registered diagrams");const t=(await Promise.allSettled(Object.entries(Rt).map((async([t,{detector:e,loader:i}])=>{if(i)try{Ii(t)}catch(r){try{const{diagram:t,id:r}=await i();ji(r,t,e)}catch(n){throw st.error(`Failed to load external diagram with key ${t}. Removing from detectors.`),delete Rt[t],n}}})))).filter((t=>"rejected"===t.status));if(t.length>0){st.error(`Failed to load ${t.length} external diagrams`);for(const e of t)st.error(e);throw new Error(`Failed to load ${t.length} external diagrams`)}})()},initialize:Vn,parseError:void 0,contentLoaded:Gn,setParseErrorHandler:function(t){to.parseError=t},detectType:Ht}}}]); \ No newline at end of file diff --git a/kr/assets/js/81cffba8.5273758c.js b/kr/assets/js/81cffba8.5273758c.js deleted file mode 100644 index 0ce3c8c27..000000000 --- a/kr/assets/js/81cffba8.5273758c.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[804],{8247:(n,e,i)=>{i.r(e),i.d(e,{assets:()=>d,contentTitle:()=>t,default:()=>u,frontMatter:()=>l,metadata:()=>c,toc:()=>o});var s=i(5893),r=i(1151);const l={slug:"/",title:"K3s - Lightweight Kubernetes"},t="k3s\ub780 \ubb34\uc5c7\uc785\ub2c8\uae4c?",c={id:"introduction",title:"K3s - Lightweight Kubernetes",description:"\uacbd\ub7c9\uc758 \ucfe0\ubc84\ub124\ud2f0\uc2a4. \uac04\ud3b8\ud55c \uc124\uce58\uc640 \uc808\ubc18\uc758 \uba54\ubaa8\ub9ac, \ubaa8\ub4e0\uac78 100MB \ubbf8\ub9cc\uc758 \ubc14\uc774\ub108\ub9ac\ub85c \uc81c\uacf5\ud569\ub2c8\ub2e4.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/introduction.md",sourceDirName:".",slug:"/",permalink:"/kr/",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/introduction.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{slug:"/",title:"K3s - Lightweight Kubernetes"},sidebar:"mySidebar",next:{title:"\ube60\ub978 \uc2dc\uc791 \uac00\uc774\ub4dc",permalink:"/kr/quick-start"}},d={},o=[];function h(n){const e={h1:"h1",li:"li",p:"p",ul:"ul",...(0,r.a)(),...n.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(e.p,{children:"\uacbd\ub7c9\uc758 \ucfe0\ubc84\ub124\ud2f0\uc2a4. \uac04\ud3b8\ud55c \uc124\uce58\uc640 \uc808\ubc18\uc758 \uba54\ubaa8\ub9ac, \ubaa8\ub4e0\uac78 100MB \ubbf8\ub9cc\uc758 \ubc14\uc774\ub108\ub9ac\ub85c \uc81c\uacf5\ud569\ub2c8\ub2e4."}),"\n",(0,s.jsx)(e.p,{children:"\uc801\ud569\ud55c \ud658\uacbd:"}),"\n",(0,s.jsxs)(e.ul,{children:["\n",(0,s.jsx)(e.li,{children:"\uc5e3\uc9c0(Edge)"}),"\n",(0,s.jsx)(e.li,{children:"\uc0ac\ubb3c\uc778\ud130\ub137(IoT)"}),"\n",(0,s.jsx)(e.li,{children:"\uc9c0\uc18d\uc801\uc778 \ud1b5\ud569(CI)"}),"\n",(0,s.jsx)(e.li,{children:"\uac1c\ubc1c"}),"\n",(0,s.jsx)(e.li,{children:"ARM"}),"\n",(0,s.jsx)(e.li,{children:"\uc784\ubca0\ub529 K8s"}),"\n",(0,s.jsx)(e.li,{children:"k8s \ud074\ub7ec\uc2a4\ud130 \ubd84\uc57c\uc758 \ubc15\uc0ac \ud559\uc704\ub97c \ucde8\ub4dd\ud558\uae30 \uc5b4\ub824\uc6b4 \uc0c1\ud669"}),"\n"]}),"\n",(0,s.jsx)(e.h1,{id:"k3s\ub780-\ubb34\uc5c7\uc785\ub2c8\uae4c",children:"k3s\ub780 \ubb34\uc5c7\uc785\ub2c8\uae4c?"}),"\n",(0,s.jsx)(e.p,{children:"K3s\ub294 \ucfe0\ubc84\ub124\ud2f0\uc2a4\uc640 \uc644\uc804\ud788 \ud638\ud658\ub418\uba70 \ub2e4\uc74c\uacfc \uac19\uc740 \ud5a5\uc0c1\ub41c \uae30\ub2a5\uc744 \uac16\ucd98 \ubc30\ud3ec\ud310\uc785\ub2c8\ub2e4:"}),"\n",(0,s.jsxs)(e.ul,{children:["\n",(0,s.jsx)(e.li,{children:"\ub2e8\uc77c \ubc14\uc774\ub108\ub9ac\ub85c \ud328\ud0a4\uc9c0\ud654."}),"\n",(0,s.jsx)(e.li,{children:"\uae30\ubcf8 \uc2a4\ud1a0\ub9ac\uc9c0 \uba54\ucee4\ub2c8\uc998\uc73c\ub85c sqlite3\ub97c \uae30\ubc18\uc73c\ub85c \ud558\ub294 \uacbd\ub7c9 \uc2a4\ud1a0\ub9ac\uc9c0 \ubc31\uc5d4\ub4dc. etcd3, MySQL, Postgres\ub3c4 \uc0ac\uc6a9 \uac00\ub2a5."}),"\n",(0,s.jsx)(e.li,{children:"\ubcf5\uc7a1\ud55c TLS \ubc0f \uc635\uc158\uc744 \ucc98\ub9ac\ud558\ub294 \uac04\ub2e8\ud55c \ub7f0\ucc98\uc5d0 \ud3ec\ud568."}),"\n",(0,s.jsx)(e.li,{children:"\uacbd\ub7c9 \ud658\uacbd\uc744 \uc704\ud55c \ud569\ub9ac\uc801\uc778 \uae30\ubcf8\uac12\uc73c\ub85c \uae30\ubcf8\uc801\uc73c\ub85c \ubcf4\uc548\uc744 \uc720\uc9c0\ud568."}),"\n",(0,s.jsxs)(e.li,{children:["\ub2e4\uc74c\uacfc \uac19\uc774 \uac04\ub2e8\ud558\uc9c0\ub9cc \uac15\ub825\ud55c 'batteries-included' \uae30\ub2a5 \ucd94\uac00. \uc608\ub97c \ub4e4\uc5b4:","\n",(0,s.jsxs)(e.ul,{children:["\n",(0,s.jsx)(e.li,{children:"local storage provider"}),"\n",(0,s.jsx)(e.li,{children:"service load balancer"}),"\n",(0,s.jsx)(e.li,{children:"Helm controller"}),"\n",(0,s.jsx)(e.li,{children:"Traefik ingress controller"}),"\n"]}),"\n"]}),"\n",(0,s.jsx)(e.li,{children:"\ubaa8\ub4e0 \ucfe0\ubc84\ub124\ud2f0\uc2a4 \ucee8\ud2b8\ub864 \ud50c\ub808\uc778 \uad6c\uc131 \uc694\uc18c\uc758 \uc791\ub3d9\uc740 \ub2e8\uc77c \ubc14\uc774\ub108\ub9ac \ubc0f \ud504\ub85c\uc138\uc2a4\ub85c \ucea1\uc290\ud654. \uc774\ub97c \ud1b5\ud574 K3s\ub294 \uc778\uc99d\uc11c \ubc30\ud3ec\uc640 \uac19\uc740 \ubcf5\uc7a1\ud55c \ud074\ub7ec\uc2a4\ud130 \uc791\uc5c5\uc744 \uc790\ub3d9\ud654\ud558\uace0 \uad00\ub9ac."}),"\n",(0,s.jsx)(e.li,{children:"\uc678\ubd80 \uc885\uc18d\uc131 \ucd5c\uc18c\ud654(\ucd5c\uc2e0 \ucee4\ub110\uacfc cgroup \ub9c8\uc6b4\ud2b8\ub9cc \ud544\uc694)"}),"\n"]}),"\n",(0,s.jsx)(e.p,{children:"K3s\ub294 \ub2e4\uc74c\uacfc \uac19\uc740 \ud544\uc218 \uc885\uc18d\uc131\uc744 \ud328\ud0a4\uc9c0\ub85c \uc81c\uacf5\ud569\ub2c8\ub2e4:"}),"\n",(0,s.jsxs)(e.ul,{children:["\n",(0,s.jsx)(e.li,{children:"Containerd"}),"\n",(0,s.jsx)(e.li,{children:"Flannel (CNI)"}),"\n",(0,s.jsx)(e.li,{children:"CoreDNS"}),"\n",(0,s.jsx)(e.li,{children:"Traefik (\uc778\uadf8\ub808\uc2a4)"}),"\n",(0,s.jsx)(e.li,{children:"Klipper-lb (\uc11c\ube44\uc2a4 \ub85c\ub4dc\ubc38\ub7f0\uc11c)"}),"\n",(0,s.jsx)(e.li,{children:"\uc784\ubca0\ub514\ub4dc \ub124\ud2b8\uc6cc\ud06c \uc815\ucc45 \ucee8\ud2b8\ub864\ub7ec"}),"\n",(0,s.jsx)(e.li,{children:"\uc784\ubca0\ub514\ub4dc \ub85c\uceec \uacbd\ub85c \ud504\ub85c\ube44\uc800\ub108"}),"\n",(0,s.jsx)(e.li,{children:"\ud638\uc2a4\ud2b8 \uc720\ud2f8\ub9ac\ud2f0(iptables, socat \ub4f1)"}),"\n"]}),"\n",(0,s.jsx)(e.h1,{id:"\uc774\ub984\uc5d0\ub294-\ubb34\uc2a8-\ub73b\uc774-\uc788\ub098\uc694",children:"\uc774\ub984\uc5d0\ub294 \ubb34\uc2a8 \ub73b\uc774 \uc788\ub098\uc694?"}),"\n",(0,s.jsx)(e.p,{children:"\uc6b0\ub9ac\ub294 \uba54\ubaa8\ub9ac \ud48b\ud504\ub9b0\ud2b8 \uce21\uba74\uc5d0\uc11c \uc808\ubc18 \ud06c\uae30\uc758 Kubernetes\ub97c \uc124\uce58\ud558\uae30\ub97c \uc6d0\ud588\uc2b5\ub2c8\ub2e4. Kubernetes\ub294 K8s\ub85c \ud45c\uae30\ub418\ub294 10\uae00\uc790 \ub2e8\uc5b4\uc785\ub2c8\ub2e4. \ub530\ub77c\uc11c \ucfe0\ubc84\ub124\ud2f0\uc2a4\uc758 \uc808\ubc18 \ud06c\uae30\ub77c\uba74 K3s\ub85c \ud45c\uae30\ub41c 5\uae00\uc790 \ub2e8\uc5b4\uac00 \ub420 \uac83\uc785\ub2c8\ub2e4. K3s\uc758 \uae34 \ud615\ud0dc\ub294 \uc5c6\uc73c\uba70 \uacf5\uc2dd\uc801\uc778 \ubc1c\uc74c\ub3c4 \uc5c6\uc2b5\ub2c8\ub2e4."})]})}function u(n={}){const{wrapper:e}={...(0,r.a)(),...n.components};return e?(0,s.jsx)(e,{...n,children:(0,s.jsx)(h,{...n})}):h(n)}},1151:(n,e,i)=>{i.d(e,{Z:()=>c,a:()=>t});var s=i(7294);const r={},l=s.createContext(r);function t(n){const e=s.useContext(l);return s.useMemo((function(){return"function"==typeof n?n(e):{...e,...n}}),[e,n])}function c(n){let e;return e=n.disableParentContext?"function"==typeof n.components?n.components(r):n.components||r:t(n.components),s.createElement(l.Provider,{value:e},n.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/81cffba8.564bbbe3.js b/kr/assets/js/81cffba8.564bbbe3.js new file mode 100644 index 000000000..677d26754 --- /dev/null +++ b/kr/assets/js/81cffba8.564bbbe3.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[804],{8247:(n,e,i)=>{i.r(e),i.d(e,{assets:()=>d,contentTitle:()=>t,default:()=>u,frontMatter:()=>l,metadata:()=>c,toc:()=>o});var s=i(5893),r=i(1151);const l={slug:"/",title:"K3s - Lightweight Kubernetes"},t="k3s\ub780 \ubb34\uc5c7\uc785\ub2c8\uae4c?",c={id:"introduction",title:"K3s - Lightweight Kubernetes",description:"\uacbd\ub7c9\uc758 \ucfe0\ubc84\ub124\ud2f0\uc2a4. \uac04\ud3b8\ud55c \uc124\uce58\uc640 \uc808\ubc18\uc758 \uba54\ubaa8\ub9ac, \ubaa8\ub4e0\uac78 100MB \ubbf8\ub9cc\uc758 \ubc14\uc774\ub108\ub9ac\ub85c \uc81c\uacf5\ud569\ub2c8\ub2e4.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/introduction.md",sourceDirName:".",slug:"/",permalink:"/kr/",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/introduction.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{slug:"/",title:"K3s - Lightweight Kubernetes"},sidebar:"mySidebar",next:{title:"\ube60\ub978 \uc2dc\uc791 \uac00\uc774\ub4dc",permalink:"/kr/quick-start"}},d={},o=[];function h(n){const e={h1:"h1",header:"header",li:"li",p:"p",ul:"ul",...(0,r.a)(),...n.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(e.p,{children:"\uacbd\ub7c9\uc758 \ucfe0\ubc84\ub124\ud2f0\uc2a4. \uac04\ud3b8\ud55c \uc124\uce58\uc640 \uc808\ubc18\uc758 \uba54\ubaa8\ub9ac, \ubaa8\ub4e0\uac78 100MB \ubbf8\ub9cc\uc758 \ubc14\uc774\ub108\ub9ac\ub85c \uc81c\uacf5\ud569\ub2c8\ub2e4."}),"\n",(0,s.jsx)(e.p,{children:"\uc801\ud569\ud55c \ud658\uacbd:"}),"\n",(0,s.jsxs)(e.ul,{children:["\n",(0,s.jsx)(e.li,{children:"\uc5e3\uc9c0(Edge)"}),"\n",(0,s.jsx)(e.li,{children:"\uc0ac\ubb3c\uc778\ud130\ub137(IoT)"}),"\n",(0,s.jsx)(e.li,{children:"\uc9c0\uc18d\uc801\uc778 \ud1b5\ud569(CI)"}),"\n",(0,s.jsx)(e.li,{children:"\uac1c\ubc1c"}),"\n",(0,s.jsx)(e.li,{children:"ARM"}),"\n",(0,s.jsx)(e.li,{children:"\uc784\ubca0\ub529 K8s"}),"\n",(0,s.jsx)(e.li,{children:"k8s \ud074\ub7ec\uc2a4\ud130 \ubd84\uc57c\uc758 \ubc15\uc0ac \ud559\uc704\ub97c \ucde8\ub4dd\ud558\uae30 \uc5b4\ub824\uc6b4 \uc0c1\ud669"}),"\n"]}),"\n",(0,s.jsx)(e.header,{children:(0,s.jsx)(e.h1,{id:"k3s\ub780-\ubb34\uc5c7\uc785\ub2c8\uae4c",children:"k3s\ub780 \ubb34\uc5c7\uc785\ub2c8\uae4c?"})}),"\n",(0,s.jsx)(e.p,{children:"K3s\ub294 \ucfe0\ubc84\ub124\ud2f0\uc2a4\uc640 \uc644\uc804\ud788 \ud638\ud658\ub418\uba70 \ub2e4\uc74c\uacfc \uac19\uc740 \ud5a5\uc0c1\ub41c \uae30\ub2a5\uc744 \uac16\ucd98 \ubc30\ud3ec\ud310\uc785\ub2c8\ub2e4:"}),"\n",(0,s.jsxs)(e.ul,{children:["\n",(0,s.jsx)(e.li,{children:"\ub2e8\uc77c \ubc14\uc774\ub108\ub9ac\ub85c \ud328\ud0a4\uc9c0\ud654."}),"\n",(0,s.jsx)(e.li,{children:"\uae30\ubcf8 \uc2a4\ud1a0\ub9ac\uc9c0 \uba54\ucee4\ub2c8\uc998\uc73c\ub85c sqlite3\ub97c \uae30\ubc18\uc73c\ub85c \ud558\ub294 \uacbd\ub7c9 \uc2a4\ud1a0\ub9ac\uc9c0 \ubc31\uc5d4\ub4dc. etcd3, MySQL, Postgres\ub3c4 \uc0ac\uc6a9 \uac00\ub2a5."}),"\n",(0,s.jsx)(e.li,{children:"\ubcf5\uc7a1\ud55c TLS \ubc0f \uc635\uc158\uc744 \ucc98\ub9ac\ud558\ub294 \uac04\ub2e8\ud55c \ub7f0\ucc98\uc5d0 \ud3ec\ud568."}),"\n",(0,s.jsx)(e.li,{children:"\uacbd\ub7c9 \ud658\uacbd\uc744 \uc704\ud55c \ud569\ub9ac\uc801\uc778 \uae30\ubcf8\uac12\uc73c\ub85c \uae30\ubcf8\uc801\uc73c\ub85c \ubcf4\uc548\uc744 \uc720\uc9c0\ud568."}),"\n",(0,s.jsxs)(e.li,{children:["\ub2e4\uc74c\uacfc \uac19\uc774 \uac04\ub2e8\ud558\uc9c0\ub9cc \uac15\ub825\ud55c 'batteries-included' \uae30\ub2a5 \ucd94\uac00. \uc608\ub97c \ub4e4\uc5b4:","\n",(0,s.jsxs)(e.ul,{children:["\n",(0,s.jsx)(e.li,{children:"local storage provider"}),"\n",(0,s.jsx)(e.li,{children:"service load balancer"}),"\n",(0,s.jsx)(e.li,{children:"Helm controller"}),"\n",(0,s.jsx)(e.li,{children:"Traefik ingress controller"}),"\n"]}),"\n"]}),"\n",(0,s.jsx)(e.li,{children:"\ubaa8\ub4e0 \ucfe0\ubc84\ub124\ud2f0\uc2a4 \ucee8\ud2b8\ub864 \ud50c\ub808\uc778 \uad6c\uc131 \uc694\uc18c\uc758 \uc791\ub3d9\uc740 \ub2e8\uc77c \ubc14\uc774\ub108\ub9ac \ubc0f \ud504\ub85c\uc138\uc2a4\ub85c \ucea1\uc290\ud654. \uc774\ub97c \ud1b5\ud574 K3s\ub294 \uc778\uc99d\uc11c \ubc30\ud3ec\uc640 \uac19\uc740 \ubcf5\uc7a1\ud55c \ud074\ub7ec\uc2a4\ud130 \uc791\uc5c5\uc744 \uc790\ub3d9\ud654\ud558\uace0 \uad00\ub9ac."}),"\n",(0,s.jsx)(e.li,{children:"\uc678\ubd80 \uc885\uc18d\uc131 \ucd5c\uc18c\ud654(\ucd5c\uc2e0 \ucee4\ub110\uacfc cgroup \ub9c8\uc6b4\ud2b8\ub9cc \ud544\uc694)"}),"\n"]}),"\n",(0,s.jsx)(e.p,{children:"K3s\ub294 \ub2e4\uc74c\uacfc \uac19\uc740 \ud544\uc218 \uc885\uc18d\uc131\uc744 \ud328\ud0a4\uc9c0\ub85c \uc81c\uacf5\ud569\ub2c8\ub2e4:"}),"\n",(0,s.jsxs)(e.ul,{children:["\n",(0,s.jsx)(e.li,{children:"Containerd"}),"\n",(0,s.jsx)(e.li,{children:"Flannel (CNI)"}),"\n",(0,s.jsx)(e.li,{children:"CoreDNS"}),"\n",(0,s.jsx)(e.li,{children:"Traefik (\uc778\uadf8\ub808\uc2a4)"}),"\n",(0,s.jsx)(e.li,{children:"Klipper-lb (\uc11c\ube44\uc2a4 \ub85c\ub4dc\ubc38\ub7f0\uc11c)"}),"\n",(0,s.jsx)(e.li,{children:"\uc784\ubca0\ub514\ub4dc \ub124\ud2b8\uc6cc\ud06c \uc815\ucc45 \ucee8\ud2b8\ub864\ub7ec"}),"\n",(0,s.jsx)(e.li,{children:"\uc784\ubca0\ub514\ub4dc \ub85c\uceec \uacbd\ub85c \ud504\ub85c\ube44\uc800\ub108"}),"\n",(0,s.jsx)(e.li,{children:"\ud638\uc2a4\ud2b8 \uc720\ud2f8\ub9ac\ud2f0(iptables, socat \ub4f1)"}),"\n"]}),"\n",(0,s.jsx)(e.h1,{id:"\uc774\ub984\uc5d0\ub294-\ubb34\uc2a8-\ub73b\uc774-\uc788\ub098\uc694",children:"\uc774\ub984\uc5d0\ub294 \ubb34\uc2a8 \ub73b\uc774 \uc788\ub098\uc694?"}),"\n",(0,s.jsx)(e.p,{children:"\uc6b0\ub9ac\ub294 \uba54\ubaa8\ub9ac \ud48b\ud504\ub9b0\ud2b8 \uce21\uba74\uc5d0\uc11c \uc808\ubc18 \ud06c\uae30\uc758 Kubernetes\ub97c \uc124\uce58\ud558\uae30\ub97c \uc6d0\ud588\uc2b5\ub2c8\ub2e4. Kubernetes\ub294 K8s\ub85c \ud45c\uae30\ub418\ub294 10\uae00\uc790 \ub2e8\uc5b4\uc785\ub2c8\ub2e4. \ub530\ub77c\uc11c \ucfe0\ubc84\ub124\ud2f0\uc2a4\uc758 \uc808\ubc18 \ud06c\uae30\ub77c\uba74 K3s\ub85c \ud45c\uae30\ub41c 5\uae00\uc790 \ub2e8\uc5b4\uac00 \ub420 \uac83\uc785\ub2c8\ub2e4. K3s\uc758 \uae34 \ud615\ud0dc\ub294 \uc5c6\uc73c\uba70 \uacf5\uc2dd\uc801\uc778 \ubc1c\uc74c\ub3c4 \uc5c6\uc2b5\ub2c8\ub2e4."})]})}function u(n={}){const{wrapper:e}={...(0,r.a)(),...n.components};return e?(0,s.jsx)(e,{...n,children:(0,s.jsx)(h,{...n})}):h(n)}},1151:(n,e,i)=>{i.d(e,{Z:()=>c,a:()=>t});var s=i(7294);const r={},l=s.createContext(r);function t(n){const e=s.useContext(l);return s.useMemo((function(){return"function"==typeof n?n(e):{...e,...n}}),[e,n])}function c(n){let e;return e=n.disableParentContext?"function"==typeof n.components?n.components(r):n.components||r:t(n.components),s.createElement(l.Provider,{value:e},n.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/832e9842.75e1e2e4.js b/kr/assets/js/832e9842.75e1e2e4.js new file mode 100644 index 000000000..82612070f --- /dev/null +++ b/kr/assets/js/832e9842.75e1e2e4.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[9184],{9266:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>a,contentTitle:()=>i,default:()=>h,frontMatter:()=>l,metadata:()=>s,toc:()=>o});var r=t(5893),d=t(1151);const l={title:"agent"},i="k3s agent",s={id:"cli/agent",title:"agent",description:"In this section, you'll learn how to configure the K3s agent.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/cli/agent.md",sourceDirName:"cli",slug:"/cli/agent",permalink:"/kr/cli/agent",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/cli/agent.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"agent"},sidebar:"mySidebar",previous:{title:"server",permalink:"/kr/cli/server"},next:{title:"certificate",permalink:"/kr/cli/certificate"}},a={},o=[{value:"Logging",id:"logging",level:3},{value:"Cluster Options",id:"cluster-options",level:3},{value:"Data",id:"data",level:3},{value:"Node",id:"node",level:3},{value:"Runtime",id:"runtime",level:3},{value:"Networking",id:"networking",level:3},{value:"Customized Flags",id:"customized-flags",level:3},{value:"Experimental",id:"experimental",level:3},{value:"Deprecated",id:"deprecated",level:3},{value:"Node Labels and Taints for Agents",id:"node-labels-and-taints-for-agents",level:3},{value:"K3s Agent CLI Help",id:"k3s-agent-cli-help",level:3}];function c(e){const n={a:"a",blockquote:"blockquote",code:"code",h1:"h1",h3:"h3",header:"header",p:"p",pre:"pre",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",...(0,d.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(n.header,{children:(0,r.jsx)(n.h1,{id:"k3s-agent",children:"k3s agent"})}),"\n",(0,r.jsx)(n.p,{children:"In this section, you'll learn how to configure the K3s agent."}),"\n",(0,r.jsx)(n.p,{children:"Note that servers also run an agent, so all flags listed on this page are also valid for use on servers."}),"\n",(0,r.jsxs)(n.p,{children:["Options are documented on this page as CLI flags, but can also be passed as configuration file options. See the ",(0,r.jsx)(n.a,{href:"/kr/installation/configuration#configuration-file",children:"Configuration File"})," documentation for more information on using YAML configuration files."]}),"\n",(0,r.jsx)(n.h3,{id:"logging",children:"Logging"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Default"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsxs)(n.tbody,{children:[(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"-v"})," value"]}),(0,r.jsx)(n.td,{children:"0"}),(0,r.jsx)(n.td,{children:"Number for the log level verbosity"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--vmodule"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Comma-separated list of FILE_PATTERN=LOG_LEVEL settings for file-filtered logging"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--log value, -l"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Log to file"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--alsologtostderr"})}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Log to standard error as well as file (if set)"})]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"cluster-options",children:"Cluster Options"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Environment Variable"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsxs)(n.tbody,{children:[(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--token value, -t"})," value"]}),(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_TOKEN"})}),(0,r.jsx)(n.td,{children:"Token to use for authentication"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--token-file"})," value"]}),(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_TOKEN_FILE"})}),(0,r.jsx)(n.td,{children:"Token file to use for authentication"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--server value, -s"})," value"]}),(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_URL"})}),(0,r.jsx)(n.td,{children:"Server to connect to"})]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"data",children:"Data"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Default"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsx)(n.tbody,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--data-dir value, -d"})," value"]}),(0,r.jsx)(n.td,{children:'"/var/lib/rancher/k3s"'}),(0,r.jsx)(n.td,{children:"Folder to hold state"})]})})]}),"\n",(0,r.jsx)(n.h3,{id:"node",children:"Node"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Environment Variable"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsxs)(n.tbody,{children:[(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--node-name"})," value"]}),(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_NODE_NAME"})}),(0,r.jsx)(n.td,{children:"Node name"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--with-node-id"})}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Append id to node name"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--node-label"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Registering and starting kubelet with set of labels"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--node-taint"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Registering kubelet with set of taints"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--protect-kernel-defaults"})}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Kernel tuning behavior. If set, error if kernel tunables are different from kubelet defaults."})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--selinux"})}),(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_SELINUX"})}),(0,r.jsx)(n.td,{children:"Enable SELinux in containerd"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--lb-server-port"})," value"]}),(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_LB_SERVER_PORT"})}),(0,r.jsx)(n.td,{children:"Local port for supervisor client load-balancer. If the supervisor and apiserver are not colocated an additional port 1 less than this port will also be used for the apiserver client load-balancer. (default: 6444)"})]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"runtime",children:"Runtime"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Default"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsxs)(n.tbody,{children:[(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--container-runtime-endpoint"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Disable embedded containerd and use the CRI socket at the given path; when used with --docker this sets the cri-docker socket path"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--pause-image"})," value"]}),(0,r.jsx)(n.td,{children:'"docker.io/rancher/pause:3.1"'}),(0,r.jsx)(n.td,{children:"Customized pause image for containerd or docker sandbox"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--private-registry"})," value"]}),(0,r.jsx)(n.td,{children:'"/etc/rancher/k3s/registries.yaml"'}),(0,r.jsx)(n.td,{children:"Private registry configuration file"})]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"networking",children:"Networking"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Environment Variable"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsxs)(n.tbody,{children:[(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--node-ip value, -i"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"IP address to advertise for node"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--node-external-ip"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"External IP address to advertise for node"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--resolv-conf"})," value"]}),(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_RESOLV_CONF"})}),(0,r.jsx)(n.td,{children:"Kubelet resolv.conf file"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--flannel-iface"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Override default flannel interface"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--flannel-conf"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Override default flannel config file"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--flannel-cni-conf"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Override default flannel cni config file"})]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"customized-flags",children:"Customized Flags"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsxs)(n.tbody,{children:[(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--kubelet-arg"})," value"]}),(0,r.jsx)(n.td,{children:"Customized flag for kubelet process"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--kube-proxy-arg"})," value"]}),(0,r.jsx)(n.td,{children:"Customized flag for kube-proxy process"})]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"experimental",children:"Experimental"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsxs)(n.tbody,{children:[(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--rootless"})}),(0,r.jsx)(n.td,{children:"Run rootless"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--docker"})}),(0,r.jsx)(n.td,{children:"Use cri-dockerd instead of containerd"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--prefer-bundled-bin"})}),(0,r.jsx)(n.td,{children:"Prefer bundled userspace binaries over host binaries"})]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"deprecated",children:"Deprecated"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Environment Variable"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsxs)(n.tbody,{children:[(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--no-flannel"})}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsxs)(n.td,{children:["Use ",(0,r.jsx)(n.code,{children:"--flannel-backend=none"})]})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--cluster-secret"})," value"]}),(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_CLUSTER_SECRET"})}),(0,r.jsxs)(n.td,{children:["Use ",(0,r.jsx)(n.code,{children:"--token"})]})]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"node-labels-and-taints-for-agents",children:"Node Labels and Taints for Agents"}),"\n",(0,r.jsxs)(n.p,{children:["K3s agents can be configured with the options ",(0,r.jsx)(n.code,{children:"--node-label"})," and ",(0,r.jsx)(n.code,{children:"--node-taint"})," which adds a label and taint to the kubelet. The two options only add labels and/or taints at registration time, so they can only be added once and not changed after that again by running K3s commands."]}),"\n",(0,r.jsx)(n.p,{children:"Below is an example showing how to add labels and a taint:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:" --node-label foo=bar \\\n --node-label hello=world \\\n --node-taint key1=value1:NoExecute\n"})}),"\n",(0,r.jsxs)(n.p,{children:["If you want to change node labels and taints after node registration you should use ",(0,r.jsx)(n.code,{children:"kubectl"}),". Refer to the official Kubernetes documentation for details on how to add ",(0,r.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/",children:"taints"})," and ",(0,r.jsx)(n.a,{href:"https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/#add-a-label-to-a-node",children:"node labels."})]}),"\n",(0,r.jsx)(n.h3,{id:"k3s-agent-cli-help",children:"K3s Agent CLI Help"}),"\n",(0,r.jsxs)(n.blockquote,{children:["\n",(0,r.jsxs)(n.p,{children:["If an option appears in brackets below, for example ",(0,r.jsx)(n.code,{children:"[$K3S_URL]"}),", it means that the option can be passed in as an environment variable of that name."]}),"\n"]}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:'NAME:\n k3s agent - Run node agent\n\nUSAGE:\n k3s agent [OPTIONS]\n\nOPTIONS:\n --config FILE, -c FILE (config) Load configuration from FILE (default: "/etc/rancher/k3s/config.yaml") [$K3S_CONFIG_FILE]\n --debug (logging) Turn on debug logs [$K3S_DEBUG]\n -v value (logging) Number for the log level verbosity (default: 0)\n --vmodule value (logging) Comma-separated list of FILE_PATTERN=LOG_LEVEL settings for file-filtered logging\n --log value, -l value (logging) Log to file\n --alsologtostderr (logging) Log to standard error as well as file (if set)\n --token value, -t value (cluster) Token to use for authentication [$K3S_TOKEN]\n --token-file value (cluster) Token file to use for authentication [$K3S_TOKEN_FILE]\n --server value, -s value (cluster) Server to connect to [$K3S_URL]\n --data-dir value, -d value (agent/data) Folder to hold state (default: "/var/lib/rancher/k3s")\n --node-name value (agent/node) Node name [$K3S_NODE_NAME]\n --with-node-id (agent/node) Append id to node name\n --node-label value (agent/node) Registering and starting kubelet with set of labels\n --node-taint value (agent/node) Registering kubelet with set of taints\n --image-credential-provider-bin-dir value (agent/node) The path to the directory where credential provider plugin binaries are located (default: "/var/lib/rancher/credentialprovider/bin")\n --image-credential-provider-config value (agent/node) The path to the credential provider plugin config file (default: "/var/lib/rancher/credentialprovider/config.yaml")\n --selinux (agent/node) Enable SELinux in containerd [$K3S_SELINUX]\n --lb-server-port value (agent/node) Local port for supervisor client load-balancer. If the supervisor and apiserver are not colocated an additional port 1 less than this port will also be used for the apiserver client load-balancer. (default: 6444) [$K3S_LB_SERVER_PORT]\n --protect-kernel-defaults (agent/node) Kernel tuning behavior. If set, error if kernel tunables are different than kubelet defaults.\n --container-runtime-endpoint value (agent/runtime) Disable embedded containerd and use the CRI socket at the given path; when used with --docker this sets the docker socket path\n --pause-image value (agent/runtime) Customized pause image for containerd or docker sandbox (default: "rancher/mirrored-pause:3.6")\n --snapshotter value (agent/runtime) Override default containerd snapshotter (default: "overlayfs")\n --private-registry value (agent/runtime) Private registry configuration file (default: "/etc/rancher/k3s/registries.yaml")\n --node-ip value, -i value (agent/networking) IPv4/IPv6 addresses to advertise for node\n --node-external-ip value (agent/networking) IPv4/IPv6 external IP addresses to advertise for node\n --resolv-conf value (agent/networking) Kubelet resolv.conf file [$K3S_RESOLV_CONF]\n --flannel-iface value (agent/networking) Override default flannel interface\n --flannel-conf value (agent/networking) Override default flannel config file\n --flannel-cni-conf value (agent/networking) Override default flannel cni config file\n --kubelet-arg value (agent/flags) Customized flag for kubelet process\n --kube-proxy-arg value (agent/flags) Customized flag for kube-proxy process\n --rootless (experimental) Run rootless\n --prefer-bundled-bin (experimental) Prefer bundled userspace binaries over host binaries\n --docker (agent/runtime) (experimental) Use cri-dockerd instead of containerd\n'})})]})}function h(e={}){const{wrapper:n}={...(0,d.a)(),...e.components};return n?(0,r.jsx)(n,{...e,children:(0,r.jsx)(c,{...e})}):c(e)}},1151:(e,n,t)=>{t.d(n,{Z:()=>s,a:()=>i});var r=t(7294);const d={},l=r.createContext(d);function i(e){const n=r.useContext(l);return r.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function s(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(d):e.components||d:i(e.components),r.createElement(l.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/832e9842.c6b3dec0.js b/kr/assets/js/832e9842.c6b3dec0.js deleted file mode 100644 index dc28a41fe..000000000 --- a/kr/assets/js/832e9842.c6b3dec0.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[9184],{9266:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>a,contentTitle:()=>i,default:()=>h,frontMatter:()=>l,metadata:()=>s,toc:()=>o});var r=t(5893),d=t(1151);const l={title:"agent"},i="k3s agent",s={id:"cli/agent",title:"agent",description:"In this section, you'll learn how to configure the K3s agent.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/cli/agent.md",sourceDirName:"cli",slug:"/cli/agent",permalink:"/kr/cli/agent",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/cli/agent.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"agent"},sidebar:"mySidebar",previous:{title:"server",permalink:"/kr/cli/server"},next:{title:"certificate",permalink:"/kr/cli/certificate"}},a={},o=[{value:"Logging",id:"logging",level:3},{value:"Cluster Options",id:"cluster-options",level:3},{value:"Data",id:"data",level:3},{value:"Node",id:"node",level:3},{value:"Runtime",id:"runtime",level:3},{value:"Networking",id:"networking",level:3},{value:"Customized Flags",id:"customized-flags",level:3},{value:"Experimental",id:"experimental",level:3},{value:"Deprecated",id:"deprecated",level:3},{value:"Node Labels and Taints for Agents",id:"node-labels-and-taints-for-agents",level:3},{value:"K3s Agent CLI Help",id:"k3s-agent-cli-help",level:3}];function c(e){const n={a:"a",blockquote:"blockquote",code:"code",h1:"h1",h3:"h3",p:"p",pre:"pre",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",...(0,d.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(n.h1,{id:"k3s-agent",children:"k3s agent"}),"\n",(0,r.jsx)(n.p,{children:"In this section, you'll learn how to configure the K3s agent."}),"\n",(0,r.jsx)(n.p,{children:"Note that servers also run an agent, so all flags listed on this page are also valid for use on servers."}),"\n",(0,r.jsxs)(n.p,{children:["Options are documented on this page as CLI flags, but can also be passed as configuration file options. See the ",(0,r.jsx)(n.a,{href:"/kr/installation/configuration#configuration-file",children:"Configuration File"})," documentation for more information on using YAML configuration files."]}),"\n",(0,r.jsx)(n.h3,{id:"logging",children:"Logging"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Default"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsxs)(n.tbody,{children:[(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"-v"})," value"]}),(0,r.jsx)(n.td,{children:"0"}),(0,r.jsx)(n.td,{children:"Number for the log level verbosity"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--vmodule"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Comma-separated list of FILE_PATTERN=LOG_LEVEL settings for file-filtered logging"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--log value, -l"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Log to file"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--alsologtostderr"})}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Log to standard error as well as file (if set)"})]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"cluster-options",children:"Cluster Options"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Environment Variable"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsxs)(n.tbody,{children:[(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--token value, -t"})," value"]}),(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_TOKEN"})}),(0,r.jsx)(n.td,{children:"Token to use for authentication"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--token-file"})," value"]}),(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_TOKEN_FILE"})}),(0,r.jsx)(n.td,{children:"Token file to use for authentication"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--server value, -s"})," value"]}),(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_URL"})}),(0,r.jsx)(n.td,{children:"Server to connect to"})]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"data",children:"Data"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Default"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsx)(n.tbody,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--data-dir value, -d"})," value"]}),(0,r.jsx)(n.td,{children:'"/var/lib/rancher/k3s"'}),(0,r.jsx)(n.td,{children:"Folder to hold state"})]})})]}),"\n",(0,r.jsx)(n.h3,{id:"node",children:"Node"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Environment Variable"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsxs)(n.tbody,{children:[(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--node-name"})," value"]}),(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_NODE_NAME"})}),(0,r.jsx)(n.td,{children:"Node name"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--with-node-id"})}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Append id to node name"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--node-label"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Registering and starting kubelet with set of labels"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--node-taint"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Registering kubelet with set of taints"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--protect-kernel-defaults"})}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Kernel tuning behavior. If set, error if kernel tunables are different from kubelet defaults."})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--selinux"})}),(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_SELINUX"})}),(0,r.jsx)(n.td,{children:"Enable SELinux in containerd"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--lb-server-port"})," value"]}),(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_LB_SERVER_PORT"})}),(0,r.jsx)(n.td,{children:"Local port for supervisor client load-balancer. If the supervisor and apiserver are not colocated an additional port 1 less than this port will also be used for the apiserver client load-balancer. (default: 6444)"})]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"runtime",children:"Runtime"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Default"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsxs)(n.tbody,{children:[(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--container-runtime-endpoint"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Disable embedded containerd and use the CRI socket at the given path; when used with --docker this sets the cri-docker socket path"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--pause-image"})," value"]}),(0,r.jsx)(n.td,{children:'"docker.io/rancher/pause:3.1"'}),(0,r.jsx)(n.td,{children:"Customized pause image for containerd or docker sandbox"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--private-registry"})," value"]}),(0,r.jsx)(n.td,{children:'"/etc/rancher/k3s/registries.yaml"'}),(0,r.jsx)(n.td,{children:"Private registry configuration file"})]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"networking",children:"Networking"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Environment Variable"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsxs)(n.tbody,{children:[(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--node-ip value, -i"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"IP address to advertise for node"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--node-external-ip"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"External IP address to advertise for node"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--resolv-conf"})," value"]}),(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_RESOLV_CONF"})}),(0,r.jsx)(n.td,{children:"Kubelet resolv.conf file"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--flannel-iface"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Override default flannel interface"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--flannel-conf"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Override default flannel config file"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--flannel-cni-conf"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Override default flannel cni config file"})]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"customized-flags",children:"Customized Flags"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsxs)(n.tbody,{children:[(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--kubelet-arg"})," value"]}),(0,r.jsx)(n.td,{children:"Customized flag for kubelet process"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--kube-proxy-arg"})," value"]}),(0,r.jsx)(n.td,{children:"Customized flag for kube-proxy process"})]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"experimental",children:"Experimental"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsxs)(n.tbody,{children:[(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--rootless"})}),(0,r.jsx)(n.td,{children:"Run rootless"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--docker"})}),(0,r.jsx)(n.td,{children:"Use cri-dockerd instead of containerd"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--prefer-bundled-bin"})}),(0,r.jsx)(n.td,{children:"Prefer bundled userspace binaries over host binaries"})]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"deprecated",children:"Deprecated"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Environment Variable"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsxs)(n.tbody,{children:[(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--no-flannel"})}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsxs)(n.td,{children:["Use ",(0,r.jsx)(n.code,{children:"--flannel-backend=none"})]})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--cluster-secret"})," value"]}),(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_CLUSTER_SECRET"})}),(0,r.jsxs)(n.td,{children:["Use ",(0,r.jsx)(n.code,{children:"--token"})]})]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"node-labels-and-taints-for-agents",children:"Node Labels and Taints for Agents"}),"\n",(0,r.jsxs)(n.p,{children:["K3s agents can be configured with the options ",(0,r.jsx)(n.code,{children:"--node-label"})," and ",(0,r.jsx)(n.code,{children:"--node-taint"})," which adds a label and taint to the kubelet. The two options only add labels and/or taints at registration time, so they can only be added once and not changed after that again by running K3s commands."]}),"\n",(0,r.jsx)(n.p,{children:"Below is an example showing how to add labels and a taint:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:" --node-label foo=bar \\\n --node-label hello=world \\\n --node-taint key1=value1:NoExecute\n"})}),"\n",(0,r.jsxs)(n.p,{children:["If you want to change node labels and taints after node registration you should use ",(0,r.jsx)(n.code,{children:"kubectl"}),". Refer to the official Kubernetes documentation for details on how to add ",(0,r.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/",children:"taints"})," and ",(0,r.jsx)(n.a,{href:"https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/#add-a-label-to-a-node",children:"node labels."})]}),"\n",(0,r.jsx)(n.h3,{id:"k3s-agent-cli-help",children:"K3s Agent CLI Help"}),"\n",(0,r.jsxs)(n.blockquote,{children:["\n",(0,r.jsxs)(n.p,{children:["If an option appears in brackets below, for example ",(0,r.jsx)(n.code,{children:"[$K3S_URL]"}),", it means that the option can be passed in as an environment variable of that name."]}),"\n"]}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:'NAME:\n k3s agent - Run node agent\n\nUSAGE:\n k3s agent [OPTIONS]\n\nOPTIONS:\n --config FILE, -c FILE (config) Load configuration from FILE (default: "/etc/rancher/k3s/config.yaml") [$K3S_CONFIG_FILE]\n --debug (logging) Turn on debug logs [$K3S_DEBUG]\n -v value (logging) Number for the log level verbosity (default: 0)\n --vmodule value (logging) Comma-separated list of FILE_PATTERN=LOG_LEVEL settings for file-filtered logging\n --log value, -l value (logging) Log to file\n --alsologtostderr (logging) Log to standard error as well as file (if set)\n --token value, -t value (cluster) Token to use for authentication [$K3S_TOKEN]\n --token-file value (cluster) Token file to use for authentication [$K3S_TOKEN_FILE]\n --server value, -s value (cluster) Server to connect to [$K3S_URL]\n --data-dir value, -d value (agent/data) Folder to hold state (default: "/var/lib/rancher/k3s")\n --node-name value (agent/node) Node name [$K3S_NODE_NAME]\n --with-node-id (agent/node) Append id to node name\n --node-label value (agent/node) Registering and starting kubelet with set of labels\n --node-taint value (agent/node) Registering kubelet with set of taints\n --image-credential-provider-bin-dir value (agent/node) The path to the directory where credential provider plugin binaries are located (default: "/var/lib/rancher/credentialprovider/bin")\n --image-credential-provider-config value (agent/node) The path to the credential provider plugin config file (default: "/var/lib/rancher/credentialprovider/config.yaml")\n --selinux (agent/node) Enable SELinux in containerd [$K3S_SELINUX]\n --lb-server-port value (agent/node) Local port for supervisor client load-balancer. If the supervisor and apiserver are not colocated an additional port 1 less than this port will also be used for the apiserver client load-balancer. (default: 6444) [$K3S_LB_SERVER_PORT]\n --protect-kernel-defaults (agent/node) Kernel tuning behavior. If set, error if kernel tunables are different than kubelet defaults.\n --container-runtime-endpoint value (agent/runtime) Disable embedded containerd and use the CRI socket at the given path; when used with --docker this sets the docker socket path\n --pause-image value (agent/runtime) Customized pause image for containerd or docker sandbox (default: "rancher/mirrored-pause:3.6")\n --snapshotter value (agent/runtime) Override default containerd snapshotter (default: "overlayfs")\n --private-registry value (agent/runtime) Private registry configuration file (default: "/etc/rancher/k3s/registries.yaml")\n --node-ip value, -i value (agent/networking) IPv4/IPv6 addresses to advertise for node\n --node-external-ip value (agent/networking) IPv4/IPv6 external IP addresses to advertise for node\n --resolv-conf value (agent/networking) Kubelet resolv.conf file [$K3S_RESOLV_CONF]\n --flannel-iface value (agent/networking) Override default flannel interface\n --flannel-conf value (agent/networking) Override default flannel config file\n --flannel-cni-conf value (agent/networking) Override default flannel cni config file\n --kubelet-arg value (agent/flags) Customized flag for kubelet process\n --kube-proxy-arg value (agent/flags) Customized flag for kube-proxy process\n --rootless (experimental) Run rootless\n --prefer-bundled-bin (experimental) Prefer bundled userspace binaries over host binaries\n --docker (agent/runtime) (experimental) Use cri-dockerd instead of containerd\n'})})]})}function h(e={}){const{wrapper:n}={...(0,d.a)(),...e.components};return n?(0,r.jsx)(n,{...e,children:(0,r.jsx)(c,{...e})}):c(e)}},1151:(e,n,t)=>{t.d(n,{Z:()=>s,a:()=>i});var r=t(7294);const d={},l=r.createContext(d);function i(e){const n=r.useContext(l);return r.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function s(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(d):e.components||d:i(e.components),r.createElement(l.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/8443.26559c8c.js b/kr/assets/js/8443.a5d9c459.js similarity index 99% rename from assets/js/8443.26559c8c.js rename to kr/assets/js/8443.a5d9c459.js index 0cfcd5948..d07fabef4 100644 --- a/assets/js/8443.26559c8c.js +++ b/kr/assets/js/8443.a5d9c459.js @@ -1,2 +1,2 @@ -/*! For license information please see 8443.26559c8c.js.LICENSE.txt */ -(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[8443],{8443:(t,e,n)=>{"use strict";t.exports=n(295)},1228:(t,e,n)=>{"use strict";var i=n(2856),s={wrapper:{position:"relative",display:"inline-block"},hint:{position:"absolute",top:"0",left:"0",borderColor:"transparent",boxShadow:"none",opacity:"1"},input:{position:"relative",verticalAlign:"top",backgroundColor:"transparent"},inputWithNoHint:{position:"relative",verticalAlign:"top"},dropdown:{position:"absolute",top:"100%",left:"0",zIndex:"100",display:"none"},suggestions:{display:"block"},suggestion:{whiteSpace:"nowrap",cursor:"pointer"},suggestionChild:{whiteSpace:"normal"},ltr:{left:"0",right:"auto"},rtl:{left:"auto",right:"0"},defaultClasses:{root:"algolia-autocomplete",prefix:"aa",noPrefix:!1,dropdownMenu:"dropdown-menu",input:"input",hint:"hint",suggestions:"suggestions",suggestion:"suggestion",cursor:"cursor",dataset:"dataset",empty:"empty"},appendTo:{wrapper:{position:"absolute",zIndex:"100",display:"none"},input:{},inputWithNoHint:{},dropdown:{display:"block"}}};i.isMsie()&&i.mixin(s.input,{backgroundImage:"url(data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)"}),i.isMsie()&&i.isMsie()<=7&&i.mixin(s.input,{marginTop:"-1px"}),t.exports=s},9050:(t,e,n)=>{"use strict";var i="aaDataset",s="aaValue",r="aaDatum",o=n(2856),a=n(4910),u=n(3561),c=n(1228),l=n(3109);function h(t){var e;(t=t||{}).templates=t.templates||{},t.source||o.error("missing source"),t.name&&(e=t.name,!/^[_a-zA-Z0-9-]+$/.test(e))&&o.error("invalid dataset name: "+t.name),this.query=null,this._isEmpty=!0,this.highlight=!!t.highlight,this.name=void 0===t.name||null===t.name?o.getUniqueId():t.name,this.source=t.source,this.displayFn=function(t){return t=t||"value",o.isFunction(t)?t:e;function e(e){return e[t]}}(t.display||t.displayKey),this.debounce=t.debounce,this.cache=!1!==t.cache,this.templates=function(t,e){return{empty:t.empty&&o.templatify(t.empty),header:t.header&&o.templatify(t.header),footer:t.footer&&o.templatify(t.footer),suggestion:t.suggestion||n};function n(t){return"<p>"+e(t)+"</p>"}}(t.templates,this.displayFn),this.css=o.mixin({},c,t.appendTo?c.appendTo:{}),this.cssClasses=t.cssClasses=o.mixin({},c.defaultClasses,t.cssClasses||{}),this.cssClasses.prefix=t.cssClasses.formattedPrefix||o.formatPrefix(this.cssClasses.prefix,this.cssClasses.noPrefix);var n=o.className(this.cssClasses.prefix,this.cssClasses.dataset);this.$el=t.$menu&&t.$menu.find(n+"-"+this.name).length>0?a.element(t.$menu.find(n+"-"+this.name)[0]):a.element(u.dataset.replace("%CLASS%",this.name).replace("%PREFIX%",this.cssClasses.prefix).replace("%DATASET%",this.cssClasses.dataset)),this.$menu=t.$menu,this.clearCachedSuggestions()}h.extractDatasetName=function(t){return a.element(t).data(i)},h.extractValue=function(t){return a.element(t).data(s)},h.extractDatum=function(t){var e=a.element(t).data(r);return"string"==typeof e&&(e=JSON.parse(e)),e},o.mixin(h.prototype,l,{_render:function(t,e){if(this.$el){var n,c=this,l=[].slice.call(arguments,2);if(this.$el.empty(),n=e&&e.length,this._isEmpty=!n,!n&&this.templates.empty)this.$el.html(function(){var e=[].slice.call(arguments,0);return e=[{query:t,isEmpty:!0}].concat(e),c.templates.empty.apply(this,e)}.apply(this,l)).prepend(c.templates.header?h.apply(this,l):null).append(c.templates.footer?p.apply(this,l):null);else if(n)this.$el.html(function(){var t,n,l=[].slice.call(arguments,0),h=this,p=u.suggestions.replace("%PREFIX%",this.cssClasses.prefix).replace("%SUGGESTIONS%",this.cssClasses.suggestions);return t=a.element(p).css(this.css.suggestions),n=o.map(e,f),t.append.apply(t,n),t;function f(t){var e,n=u.suggestion.replace("%PREFIX%",h.cssClasses.prefix).replace("%SUGGESTION%",h.cssClasses.suggestion);return(e=a.element(n).attr({role:"option",id:["option",Math.floor(1e8*Math.random())].join("-")}).append(c.templates.suggestion.apply(this,[t].concat(l)))).data(i,c.name),e.data(s,c.displayFn(t)||void 0),e.data(r,JSON.stringify(t)),e.children().each((function(){a.element(this).css(h.css.suggestionChild)})),e}}.apply(this,l)).prepend(c.templates.header?h.apply(this,l):null).append(c.templates.footer?p.apply(this,l):null);else if(e&&!Array.isArray(e))throw new TypeError("suggestions must be an array");this.$menu&&this.$menu.addClass(this.cssClasses.prefix+(n?"with":"without")+"-"+this.name).removeClass(this.cssClasses.prefix+(n?"without":"with")+"-"+this.name),this.trigger("rendered",t)}function h(){var e=[].slice.call(arguments,0);return e=[{query:t,isEmpty:!n}].concat(e),c.templates.header.apply(this,e)}function p(){var e=[].slice.call(arguments,0);return e=[{query:t,isEmpty:!n}].concat(e),c.templates.footer.apply(this,e)}},getRoot:function(){return this.$el},update:function(t){function e(e){if(!this.canceled&&t===this.query){var n=[].slice.call(arguments,1);this.cacheSuggestions(t,e,n),this._render.apply(this,[t,e].concat(n))}}if(this.query=t,this.canceled=!1,this.shouldFetchFromCache(t))e.apply(this,[this.cachedSuggestions].concat(this.cachedRenderExtraArgs));else{var n=this,i=function(){n.canceled||n.source(t,e.bind(n))};if(this.debounce){clearTimeout(this.debounceTimeout),this.debounceTimeout=setTimeout((function(){n.debounceTimeout=null,i()}),this.debounce)}else i()}},cacheSuggestions:function(t,e,n){this.cachedQuery=t,this.cachedSuggestions=e,this.cachedRenderExtraArgs=n},shouldFetchFromCache:function(t){return this.cache&&this.cachedQuery===t&&this.cachedSuggestions&&this.cachedSuggestions.length},clearCachedSuggestions:function(){delete this.cachedQuery,delete this.cachedSuggestions,delete this.cachedRenderExtraArgs},cancel:function(){this.canceled=!0},clear:function(){this.$el&&(this.cancel(),this.$el.empty(),this.trigger("rendered",""))},isEmpty:function(){return this._isEmpty},destroy:function(){this.clearCachedSuggestions(),this.$el=null}}),t.exports=h},3354:(t,e,n)=>{"use strict";var i=n(2856),s=n(4910),r=n(3109),o=n(9050),a=n(1228);function u(t){var e,n,r,o=this;(t=t||{}).menu||i.error("menu is required"),i.isArray(t.datasets)||i.isObject(t.datasets)||i.error("1 or more datasets required"),t.datasets||i.error("datasets is required"),this.isOpen=!1,this.isEmpty=!0,this.minLength=t.minLength||0,this.templates={},this.appendTo=t.appendTo||!1,this.css=i.mixin({},a,t.appendTo?a.appendTo:{}),this.cssClasses=t.cssClasses=i.mixin({},a.defaultClasses,t.cssClasses||{}),this.cssClasses.prefix=t.cssClasses.formattedPrefix||i.formatPrefix(this.cssClasses.prefix,this.cssClasses.noPrefix),e=i.bind(this._onSuggestionClick,this),n=i.bind(this._onSuggestionMouseEnter,this),r=i.bind(this._onSuggestionMouseLeave,this);var c=i.className(this.cssClasses.prefix,this.cssClasses.suggestion);this.$menu=s.element(t.menu).on("mouseenter.aa",c,n).on("mouseleave.aa",c,r).on("click.aa",c,e),this.$container=t.appendTo?t.wrapper:this.$menu,t.templates&&t.templates.header&&(this.templates.header=i.templatify(t.templates.header),this.$menu.prepend(this.templates.header())),t.templates&&t.templates.empty&&(this.templates.empty=i.templatify(t.templates.empty),this.$empty=s.element('<div class="'+i.className(this.cssClasses.prefix,this.cssClasses.empty,!0)+'"></div>'),this.$menu.append(this.$empty),this.$empty.hide()),this.datasets=i.map(t.datasets,(function(e){return function(t,e,n){return new u.Dataset(i.mixin({$menu:t,cssClasses:n},e))}(o.$menu,e,t.cssClasses)})),i.each(this.datasets,(function(t){var e=t.getRoot();e&&0===e.parent().length&&o.$menu.append(e),t.onSync("rendered",o._onRendered,o)})),t.templates&&t.templates.footer&&(this.templates.footer=i.templatify(t.templates.footer),this.$menu.append(this.templates.footer()));var l=this;s.element(window).resize((function(){l._redraw()}))}i.mixin(u.prototype,r,{_onSuggestionClick:function(t){this.trigger("suggestionClicked",s.element(t.currentTarget))},_onSuggestionMouseEnter:function(t){var e=s.element(t.currentTarget);if(!e.hasClass(i.className(this.cssClasses.prefix,this.cssClasses.cursor,!0))){this._removeCursor();var n=this;setTimeout((function(){n._setCursor(e,!1)}),0)}},_onSuggestionMouseLeave:function(t){if(t.relatedTarget&&s.element(t.relatedTarget).closest("."+i.className(this.cssClasses.prefix,this.cssClasses.cursor,!0)).length>0)return;this._removeCursor(),this.trigger("cursorRemoved")},_onRendered:function(t,e){if(this.isEmpty=i.every(this.datasets,(function(t){return t.isEmpty()})),this.isEmpty)if(e.length>=this.minLength&&this.trigger("empty"),this.$empty)if(e.length<this.minLength)this._hide();else{var n=this.templates.empty({query:this.datasets[0]&&this.datasets[0].query});this.$empty.html(n),this.$empty.show(),this._show()}else i.any(this.datasets,(function(t){return t.templates&&t.templates.empty}))?e.length<this.minLength?this._hide():this._show():this._hide();else this.isOpen&&(this.$empty&&(this.$empty.empty(),this.$empty.hide()),e.length>=this.minLength?this._show():this._hide());this.trigger("datasetRendered")},_hide:function(){this.$container.hide()},_show:function(){this.$container.css("display","block"),this._redraw(),this.trigger("shown")},_redraw:function(){this.isOpen&&this.appendTo&&this.trigger("redrawn")},_getSuggestions:function(){return this.$menu.find(i.className(this.cssClasses.prefix,this.cssClasses.suggestion))},_getCursor:function(){return this.$menu.find(i.className(this.cssClasses.prefix,this.cssClasses.cursor)).first()},_setCursor:function(t,e){t.first().addClass(i.className(this.cssClasses.prefix,this.cssClasses.cursor,!0)).attr("aria-selected","true"),this.trigger("cursorMoved",e)},_removeCursor:function(){this._getCursor().removeClass(i.className(this.cssClasses.prefix,this.cssClasses.cursor,!0)).removeAttr("aria-selected")},_moveCursor:function(t){var e,n,i,s;this.isOpen&&(n=this._getCursor(),e=this._getSuggestions(),this._removeCursor(),-1!==(i=((i=e.index(n)+t)+1)%(e.length+1)-1)?(i<-1&&(i=e.length-1),this._setCursor(s=e.eq(i),!0),this._ensureVisible(s)):this.trigger("cursorRemoved"))},_ensureVisible:function(t){var e,n,i,s;n=(e=t.position().top)+t.height()+parseInt(t.css("margin-top"),10)+parseInt(t.css("margin-bottom"),10),i=this.$menu.scrollTop(),s=this.$menu.height()+parseInt(this.$menu.css("padding-top"),10)+parseInt(this.$menu.css("padding-bottom"),10),e<0?this.$menu.scrollTop(i+e):s<n&&this.$menu.scrollTop(i+(n-s))},close:function(){this.isOpen&&(this.isOpen=!1,this._removeCursor(),this._hide(),this.trigger("closed"))},open:function(){this.isOpen||(this.isOpen=!0,this.isEmpty||this._show(),this.trigger("opened"))},setLanguageDirection:function(t){this.$menu.css("ltr"===t?this.css.ltr:this.css.rtl)},moveCursorUp:function(){this._moveCursor(-1)},moveCursorDown:function(){this._moveCursor(1)},getDatumForSuggestion:function(t){var e=null;return t.length&&(e={raw:o.extractDatum(t),value:o.extractValue(t),datasetName:o.extractDatasetName(t)}),e},getCurrentCursor:function(){return this._getCursor().first()},getDatumForCursor:function(){return this.getDatumForSuggestion(this._getCursor().first())},getDatumForTopSuggestion:function(){return this.getDatumForSuggestion(this._getSuggestions().first())},cursorTopSuggestion:function(){this._setCursor(this._getSuggestions().first(),!1)},update:function(t){i.each(this.datasets,(function(e){e.update(t)}))},empty:function(){i.each(this.datasets,(function(t){t.clear()})),this.isEmpty=!0},isVisible:function(){return this.isOpen&&!this.isEmpty},destroy:function(){this.$menu.off(".aa"),this.$menu=null,i.each(this.datasets,(function(t){t.destroy()}))}}),u.Dataset=o,t.exports=u},50:(t,e,n)=>{"use strict";var i=n(2856),s=n(4910);function r(t){t&&t.el||i.error("EventBus initialized without el"),this.$el=s.element(t.el)}i.mixin(r.prototype,{trigger:function(t,e,n,s){var r=i.Event("autocomplete:"+t);return this.$el.trigger(r,[e,n,s]),r}}),t.exports=r},3109:(t,e,n)=>{"use strict";var i=n(624),s=/\s+/;function r(t,e,n,i){var r;if(!n)return this;for(e=e.split(s),n=i?function(t,e){return t.bind?t.bind(e):function(){t.apply(e,[].slice.call(arguments,0))}}(n,i):n,this._callbacks=this._callbacks||{};r=e.shift();)this._callbacks[r]=this._callbacks[r]||{sync:[],async:[]},this._callbacks[r][t].push(n);return this}function o(t,e,n){return function(){for(var i,s=0,r=t.length;!i&&s<r;s+=1)i=!1===t[s].apply(e,n);return!i}}t.exports={onSync:function(t,e,n){return r.call(this,"sync",t,e,n)},onAsync:function(t,e,n){return r.call(this,"async",t,e,n)},off:function(t){var e;if(!this._callbacks)return this;t=t.split(s);for(;e=t.shift();)delete this._callbacks[e];return this},trigger:function(t){var e,n,r,a,u;if(!this._callbacks)return this;t=t.split(s),r=[].slice.call(arguments,1);for(;(e=t.shift())&&(n=this._callbacks[e]);)a=o(n.sync,this,[e].concat(r)),u=o(n.async,this,[e].concat(r)),a()&&i(u);return this}}},3561:t=>{"use strict";t.exports={wrapper:'<span class="%ROOT%"></span>',dropdown:'<span class="%PREFIX%%DROPDOWN_MENU%"></span>',dataset:'<div class="%PREFIX%%DATASET%-%CLASS%"></div>',suggestions:'<span class="%PREFIX%%SUGGESTIONS%"></span>',suggestion:'<div class="%PREFIX%%SUGGESTION%"></div>'}},2534:(t,e,n)=>{"use strict";var i;i={9:"tab",27:"esc",37:"left",39:"right",13:"enter",38:"up",40:"down"};var s=n(2856),r=n(4910),o=n(3109);function a(t){var e,n,o,a,u,c=this;(t=t||{}).input||s.error("input is missing"),e=s.bind(this._onBlur,this),n=s.bind(this._onFocus,this),o=s.bind(this._onKeydown,this),a=s.bind(this._onInput,this),this.$hint=r.element(t.hint),this.$input=r.element(t.input).on("blur.aa",e).on("focus.aa",n).on("keydown.aa",o),0===this.$hint.length&&(this.setHint=this.getHint=this.clearHint=this.clearHintIfInvalid=s.noop),s.isMsie()?this.$input.on("keydown.aa keypress.aa cut.aa paste.aa",(function(t){i[t.which||t.keyCode]||s.defer(s.bind(c._onInput,c,t))})):this.$input.on("input.aa",a),this.query=this.$input.val(),this.$overflowHelper=(u=this.$input,r.element('<pre aria-hidden="true"></pre>').css({position:"absolute",visibility:"hidden",whiteSpace:"pre",fontFamily:u.css("font-family"),fontSize:u.css("font-size"),fontStyle:u.css("font-style"),fontVariant:u.css("font-variant"),fontWeight:u.css("font-weight"),wordSpacing:u.css("word-spacing"),letterSpacing:u.css("letter-spacing"),textIndent:u.css("text-indent"),textRendering:u.css("text-rendering"),textTransform:u.css("text-transform")}).insertAfter(u))}function u(t){return t.altKey||t.ctrlKey||t.metaKey||t.shiftKey}a.normalizeQuery=function(t){return(t||"").replace(/^\s*/g,"").replace(/\s{2,}/g," ")},s.mixin(a.prototype,o,{_onBlur:function(){this.resetInputValue(),this.$input.removeAttr("aria-activedescendant"),this.trigger("blurred")},_onFocus:function(){this.trigger("focused")},_onKeydown:function(t){var e=i[t.which||t.keyCode];this._managePreventDefault(e,t),e&&this._shouldTrigger(e,t)&&this.trigger(e+"Keyed",t)},_onInput:function(){this._checkInputValue()},_managePreventDefault:function(t,e){var n,i,s;switch(t){case"tab":i=this.getHint(),s=this.getInputValue(),n=i&&i!==s&&!u(e);break;case"up":case"down":n=!u(e);break;default:n=!1}n&&e.preventDefault()},_shouldTrigger:function(t,e){var n;if("tab"===t)n=!u(e);else n=!0;return n},_checkInputValue:function(){var t,e,n,i,s;t=this.getInputValue(),i=t,s=this.query,n=!(!(e=a.normalizeQuery(i)===a.normalizeQuery(s))||!this.query)&&this.query.length!==t.length,this.query=t,e?n&&this.trigger("whitespaceChanged",this.query):this.trigger("queryChanged",this.query)},focus:function(){this.$input.focus()},blur:function(){this.$input.blur()},getQuery:function(){return this.query},setQuery:function(t){this.query=t},getInputValue:function(){return this.$input.val()},setInputValue:function(t,e){void 0===t&&(t=this.query),this.$input.val(t),e?this.clearHint():this._checkInputValue()},expand:function(){this.$input.attr("aria-expanded","true")},collapse:function(){this.$input.attr("aria-expanded","false")},setActiveDescendant:function(t){this.$input.attr("aria-activedescendant",t)},removeActiveDescendant:function(){this.$input.removeAttr("aria-activedescendant")},resetInputValue:function(){this.setInputValue(this.query,!0)},getHint:function(){return this.$hint.val()},setHint:function(t){this.$hint.val(t)},clearHint:function(){this.setHint("")},clearHintIfInvalid:function(){var t,e,n;n=(t=this.getInputValue())!==(e=this.getHint())&&0===e.indexOf(t),""!==t&&n&&!this.hasOverflow()||this.clearHint()},getLanguageDirection:function(){return(this.$input.css("direction")||"ltr").toLowerCase()},hasOverflow:function(){var t=this.$input.width()-2;return this.$overflowHelper.text(this.getInputValue()),this.$overflowHelper.width()>=t},isCursorAtEnd:function(){var t,e,n;return t=this.$input.val().length,e=this.$input[0].selectionStart,s.isNumber(e)?e===t:!document.selection||((n=document.selection.createRange()).moveStart("character",-t),t===n.text.length)},destroy:function(){this.$hint.off(".aa"),this.$input.off(".aa"),this.$hint=this.$input=this.$overflowHelper=null}}),t.exports=a},6549:(t,e,n)=>{"use strict";var i="aaAttrs",s=n(2856),r=n(4910),o=n(50),a=n(2534),u=n(3354),c=n(3561),l=n(1228);function h(t){var e,n;if((t=t||{}).input||s.error("missing input"),this.isActivated=!1,this.debug=!!t.debug,this.autoselect=!!t.autoselect,this.autoselectOnBlur=!!t.autoselectOnBlur,this.openOnFocus=!!t.openOnFocus,this.minLength=s.isNumber(t.minLength)?t.minLength:1,this.autoWidth=void 0===t.autoWidth||!!t.autoWidth,this.clearOnSelected=!!t.clearOnSelected,this.tabAutocomplete=void 0===t.tabAutocomplete||!!t.tabAutocomplete,t.hint=!!t.hint,t.hint&&t.appendTo)throw new Error("[autocomplete.js] hint and appendTo options can't be used at the same time");this.css=t.css=s.mixin({},l,t.appendTo?l.appendTo:{}),this.cssClasses=t.cssClasses=s.mixin({},l.defaultClasses,t.cssClasses||{}),this.cssClasses.prefix=t.cssClasses.formattedPrefix=s.formatPrefix(this.cssClasses.prefix,this.cssClasses.noPrefix),this.listboxId=t.listboxId=[this.cssClasses.root,"listbox",s.getUniqueId()].join("-");var a=function(t){var e,n,o,a;e=r.element(t.input),n=r.element(c.wrapper.replace("%ROOT%",t.cssClasses.root)).css(t.css.wrapper),t.appendTo||"block"!==e.css("display")||"table"!==e.parent().css("display")||n.css("display","table-cell");var u=c.dropdown.replace("%PREFIX%",t.cssClasses.prefix).replace("%DROPDOWN_MENU%",t.cssClasses.dropdownMenu);o=r.element(u).css(t.css.dropdown).attr({role:"listbox",id:t.listboxId}),t.templates&&t.templates.dropdownMenu&&o.html(s.templatify(t.templates.dropdownMenu)());a=e.clone().css(t.css.hint).css(function(t){return{backgroundAttachment:t.css("background-attachment"),backgroundClip:t.css("background-clip"),backgroundColor:t.css("background-color"),backgroundImage:t.css("background-image"),backgroundOrigin:t.css("background-origin"),backgroundPosition:t.css("background-position"),backgroundRepeat:t.css("background-repeat"),backgroundSize:t.css("background-size")}}(e)),a.val("").addClass(s.className(t.cssClasses.prefix,t.cssClasses.hint,!0)).removeAttr("id name placeholder required").prop("readonly",!0).attr({"aria-hidden":"true",autocomplete:"off",spellcheck:"false",tabindex:-1}),a.removeData&&a.removeData();e.data(i,{"aria-autocomplete":e.attr("aria-autocomplete"),"aria-expanded":e.attr("aria-expanded"),"aria-owns":e.attr("aria-owns"),autocomplete:e.attr("autocomplete"),dir:e.attr("dir"),role:e.attr("role"),spellcheck:e.attr("spellcheck"),style:e.attr("style"),type:e.attr("type")}),e.addClass(s.className(t.cssClasses.prefix,t.cssClasses.input,!0)).attr({autocomplete:"off",spellcheck:!1,role:"combobox","aria-autocomplete":t.datasets&&t.datasets[0]&&t.datasets[0].displayKey?"both":"list","aria-expanded":"false","aria-label":t.ariaLabel,"aria-owns":t.listboxId}).css(t.hint?t.css.input:t.css.inputWithNoHint);try{e.attr("dir")||e.attr("dir","auto")}catch(l){}return n=t.appendTo?n.appendTo(r.element(t.appendTo).eq(0)).eq(0):e.wrap(n).parent(),n.prepend(t.hint?a:null).append(o),{wrapper:n,input:e,hint:a,menu:o}}(t);this.$node=a.wrapper;var u=this.$input=a.input;e=a.menu,n=a.hint,t.dropdownMenuContainer&&r.element(t.dropdownMenuContainer).css("position","relative").append(e.css("top","0")),u.on("blur.aa",(function(t){var n=document.activeElement;s.isMsie()&&(e[0]===n||e[0].contains(n))&&(t.preventDefault(),t.stopImmediatePropagation(),s.defer((function(){u.focus()})))})),e.on("mousedown.aa",(function(t){t.preventDefault()})),this.eventBus=t.eventBus||new o({el:u}),this.dropdown=new h.Dropdown({appendTo:t.appendTo,wrapper:this.$node,menu:e,datasets:t.datasets,templates:t.templates,cssClasses:t.cssClasses,minLength:this.minLength}).onSync("suggestionClicked",this._onSuggestionClicked,this).onSync("cursorMoved",this._onCursorMoved,this).onSync("cursorRemoved",this._onCursorRemoved,this).onSync("opened",this._onOpened,this).onSync("closed",this._onClosed,this).onSync("shown",this._onShown,this).onSync("empty",this._onEmpty,this).onSync("redrawn",this._onRedrawn,this).onAsync("datasetRendered",this._onDatasetRendered,this),this.input=new h.Input({input:u,hint:n}).onSync("focused",this._onFocused,this).onSync("blurred",this._onBlurred,this).onSync("enterKeyed",this._onEnterKeyed,this).onSync("tabKeyed",this._onTabKeyed,this).onSync("escKeyed",this._onEscKeyed,this).onSync("upKeyed",this._onUpKeyed,this).onSync("downKeyed",this._onDownKeyed,this).onSync("leftKeyed",this._onLeftKeyed,this).onSync("rightKeyed",this._onRightKeyed,this).onSync("queryChanged",this._onQueryChanged,this).onSync("whitespaceChanged",this._onWhitespaceChanged,this),this._bindKeyboardShortcuts(t),this._setLanguageDirection()}s.mixin(h.prototype,{_bindKeyboardShortcuts:function(t){if(t.keyboardShortcuts){var e=this.$input,n=[];s.each(t.keyboardShortcuts,(function(t){"string"==typeof t&&(t=t.toUpperCase().charCodeAt(0)),n.push(t)})),r.element(document).keydown((function(t){var i=t.target||t.srcElement,s=i.tagName;if(!i.isContentEditable&&"INPUT"!==s&&"SELECT"!==s&&"TEXTAREA"!==s){var r=t.which||t.keyCode;-1!==n.indexOf(r)&&(e.focus(),t.stopPropagation(),t.preventDefault())}}))}},_onSuggestionClicked:function(t,e){var n;(n=this.dropdown.getDatumForSuggestion(e))&&this._select(n,{selectionMethod:"click"})},_onCursorMoved:function(t,e){var n=this.dropdown.getDatumForCursor(),i=this.dropdown.getCurrentCursor().attr("id");this.input.setActiveDescendant(i),n&&(e&&this.input.setInputValue(n.value,!0),this.eventBus.trigger("cursorchanged",n.raw,n.datasetName))},_onCursorRemoved:function(){this.input.resetInputValue(),this._updateHint(),this.eventBus.trigger("cursorremoved")},_onDatasetRendered:function(){this._updateHint(),this.eventBus.trigger("updated")},_onOpened:function(){this._updateHint(),this.input.expand(),this.eventBus.trigger("opened")},_onEmpty:function(){this.eventBus.trigger("empty")},_onRedrawn:function(){this.$node.css("top","0px"),this.$node.css("left","0px");var t=this.$input[0].getBoundingClientRect();this.autoWidth&&this.$node.css("width",t.width+"px");var e=this.$node[0].getBoundingClientRect(),n=t.bottom-e.top;this.$node.css("top",n+"px");var i=t.left-e.left;this.$node.css("left",i+"px"),this.eventBus.trigger("redrawn")},_onShown:function(){this.eventBus.trigger("shown"),this.autoselect&&this.dropdown.cursorTopSuggestion()},_onClosed:function(){this.input.clearHint(),this.input.removeActiveDescendant(),this.input.collapse(),this.eventBus.trigger("closed")},_onFocused:function(){if(this.isActivated=!0,this.openOnFocus){var t=this.input.getQuery();t.length>=this.minLength?this.dropdown.update(t):this.dropdown.empty(),this.dropdown.open()}},_onBlurred:function(){var t,e;t=this.dropdown.getDatumForCursor(),e=this.dropdown.getDatumForTopSuggestion();var n={selectionMethod:"blur"};this.debug||(this.autoselectOnBlur&&t?this._select(t,n):this.autoselectOnBlur&&e?this._select(e,n):(this.isActivated=!1,this.dropdown.empty(),this.dropdown.close()))},_onEnterKeyed:function(t,e){var n,i;n=this.dropdown.getDatumForCursor(),i=this.dropdown.getDatumForTopSuggestion();var s={selectionMethod:"enterKey"};n?(this._select(n,s),e.preventDefault()):this.autoselect&&i&&(this._select(i,s),e.preventDefault())},_onTabKeyed:function(t,e){if(this.tabAutocomplete){var n;(n=this.dropdown.getDatumForCursor())?(this._select(n,{selectionMethod:"tabKey"}),e.preventDefault()):this._autocomplete(!0)}else this.dropdown.close()},_onEscKeyed:function(){this.dropdown.close(),this.input.resetInputValue()},_onUpKeyed:function(){var t=this.input.getQuery();this.dropdown.isEmpty&&t.length>=this.minLength?this.dropdown.update(t):this.dropdown.moveCursorUp(),this.dropdown.open()},_onDownKeyed:function(){var t=this.input.getQuery();this.dropdown.isEmpty&&t.length>=this.minLength?this.dropdown.update(t):this.dropdown.moveCursorDown(),this.dropdown.open()},_onLeftKeyed:function(){"rtl"===this.dir&&this._autocomplete()},_onRightKeyed:function(){"ltr"===this.dir&&this._autocomplete()},_onQueryChanged:function(t,e){this.input.clearHintIfInvalid(),e.length>=this.minLength?this.dropdown.update(e):this.dropdown.empty(),this.dropdown.open(),this._setLanguageDirection()},_onWhitespaceChanged:function(){this._updateHint(),this.dropdown.open()},_setLanguageDirection:function(){var t=this.input.getLanguageDirection();this.dir!==t&&(this.dir=t,this.$node.css("direction",t),this.dropdown.setLanguageDirection(t))},_updateHint:function(){var t,e,n,i,r;(t=this.dropdown.getDatumForTopSuggestion())&&this.dropdown.isVisible()&&!this.input.hasOverflow()?(e=this.input.getInputValue(),n=a.normalizeQuery(e),i=s.escapeRegExChars(n),(r=new RegExp("^(?:"+i+")(.+$)","i").exec(t.value))?this.input.setHint(e+r[1]):this.input.clearHint()):this.input.clearHint()},_autocomplete:function(t){var e,n,i,s;e=this.input.getHint(),n=this.input.getQuery(),i=t||this.input.isCursorAtEnd(),e&&n!==e&&i&&((s=this.dropdown.getDatumForTopSuggestion())&&this.input.setInputValue(s.value),this.eventBus.trigger("autocompleted",s.raw,s.datasetName))},_select:function(t,e){void 0!==t.value&&this.input.setQuery(t.value),this.clearOnSelected?this.setVal(""):this.input.setInputValue(t.value,!0),this._setLanguageDirection(),!1===this.eventBus.trigger("selected",t.raw,t.datasetName,e).isDefaultPrevented()&&(this.dropdown.close(),s.defer(s.bind(this.dropdown.empty,this.dropdown)))},open:function(){if(!this.isActivated){var t=this.input.getInputValue();t.length>=this.minLength?this.dropdown.update(t):this.dropdown.empty()}this.dropdown.open()},close:function(){this.dropdown.close()},setVal:function(t){t=s.toStr(t),this.isActivated?this.input.setInputValue(t):(this.input.setQuery(t),this.input.setInputValue(t,!0)),this._setLanguageDirection()},getVal:function(){return this.input.getQuery()},destroy:function(){this.input.destroy(),this.dropdown.destroy(),function(t,e){var n=t.find(s.className(e.prefix,e.input));s.each(n.data(i),(function(t,e){void 0===t?n.removeAttr(e):n.attr(e,t)})),n.detach().removeClass(s.className(e.prefix,e.input,!0)).insertAfter(t),n.removeData&&n.removeData(i);t.remove()}(this.$node,this.cssClasses),this.$node=null},getWrapper:function(){return this.dropdown.$container[0]}}),h.Dropdown=u,h.Input=a,h.sources=n(8840),t.exports=h},4910:t=>{"use strict";t.exports={element:null}},6177:t=>{"use strict";t.exports=function(t){var e=t.match(/Algolia for JavaScript \((\d+\.)(\d+\.)(\d+)\)/)||t.match(/Algolia for vanilla JavaScript (\d+\.)(\d+\.)(\d+)/);if(e)return[e[1],e[2],e[3]]}},2856:(t,e,n)=>{"use strict";var i,s=n(8820),r=n(4910);function o(t){return t.replace(/[\-\[\]\/\{\}\(\)\*\+\?\.\\\^\$\|]/g,"\\$&")}t.exports={isArray:null,isFunction:null,isObject:null,bind:null,each:null,map:null,mixin:null,isMsie:function(t){if(void 0===t&&(t=navigator.userAgent),/(msie|trident)/i.test(t)){var e=t.match(/(msie |rv:)(\d+(.\d+)?)/i);if(e)return e[2]}return!1},escapeRegExChars:function(t){return t.replace(/[\-\[\]\/\{\}\(\)\*\+\?\.\\\^\$\|]/g,"\\$&")},isNumber:function(t){return"number"==typeof t},toStr:function(t){return null==t?"":t+""},cloneDeep:function(t){var e=this.mixin({},t),n=this;return this.each(e,(function(t,i){t&&(n.isArray(t)?e[i]=[].concat(t):n.isObject(t)&&(e[i]=n.cloneDeep(t)))})),e},error:function(t){throw new Error(t)},every:function(t,e){var n=!0;return t?(this.each(t,(function(i,s){n&&(n=e.call(null,i,s,t)&&n)})),!!n):n},any:function(t,e){var n=!1;return t?(this.each(t,(function(i,s){if(e.call(null,i,s,t))return n=!0,!1})),n):n},getUniqueId:(i=0,function(){return i++}),templatify:function(t){if(this.isFunction(t))return t;var e=r.element(t);return"SCRIPT"===e.prop("tagName")?function(){return e.text()}:function(){return String(t)}},defer:function(t){setTimeout(t,0)},noop:function(){},formatPrefix:function(t,e){return e?"":t+"-"},className:function(t,e,n){return n?t+e:"."+s(t+e,{isIdentifier:!0})},escapeHighlightedString:function(t,e,n){e=e||"<em>";var i=document.createElement("div");i.appendChild(document.createTextNode(e)),n=n||"</em>";var s=document.createElement("div");s.appendChild(document.createTextNode(n));var r=document.createElement("div");return r.appendChild(document.createTextNode(t)),r.innerHTML.replace(RegExp(o(i.innerHTML),"g"),e).replace(RegExp(o(s.innerHTML),"g"),n)}}},9983:(t,e,n)=>{"use strict";var i=n(2856),s=n(533),r=n(6177);var o,a,u=(o=[],a=window.Promise.resolve(),function(t,e){return function(n,s){(function(t,e){return window.Promise.resolve().then((function(){return o.length&&(a=t.search(o),o=[]),a})).then((function(t){if(t)return t.results[e]}))})(t.as,o.push({indexName:t.indexName,query:n,params:e})-1).then((function(t){t&&s(t.hits,t)})).catch((function(t){i.error(t.message)}))}});t.exports=function(t,e){var n=r(t.as._ua);if(n&&n[0]>=3&&n[1]>20){var i="autocomplete.js "+s;-1===t.as._ua.indexOf(i)&&(t.as._ua+="; "+i)}return u(t,e)}},8840:(t,e,n)=>{"use strict";t.exports={hits:n(9983),popularIn:n(4445)}},4445:(t,e,n)=>{"use strict";var i=n(2856),s=n(533),r=n(6177);t.exports=function(t,e,n,o){var a=r(t.as._ua);if(a&&a[0]>=3&&a[1]>20&&((e=e||{}).additionalUA="autocomplete.js "+s),!n.source)return i.error("Missing 'source' key");var u=i.isFunction(n.source)?n.source:function(t){return t[n.source]};if(!n.index)return i.error("Missing 'index' key");var c=n.index;return o=o||{},function(a,l){t.search(a,e,(function(t,a){if(t)i.error(t.message);else{if(a.hits.length>0){var h=a.hits[0],p=i.mixin({hitsPerPage:0},n);delete p.source,delete p.index;var f=r(c.as._ua);return f&&f[0]>=3&&f[1]>20&&(e.additionalUA="autocomplete.js "+s),void c.search(u(h),p,(function(t,e){if(t)i.error(t.message);else{var n=[];if(o.includeAll){var s=o.allTitle||"All departments";n.push(i.mixin({facet:{value:s,count:e.nbHits}},i.cloneDeep(h)))}i.each(e.facets,(function(t,e){i.each(t,(function(t,s){n.push(i.mixin({facet:{facet:e,value:s,count:t}},i.cloneDeep(h)))}))}));for(var r=1;r<a.hits.length;++r)n.push(a.hits[r]);l(n,a)}}))}l([])}}))}}},295:(t,e,n)=>{"use strict";var i=n(6990);n(4910).element=i;var s=n(2856);s.isArray=i.isArray,s.isFunction=i.isFunction,s.isObject=i.isPlainObject,s.bind=i.proxy,s.each=function(t,e){i.each(t,(function(t,n){return e(n,t)}))},s.map=i.map,s.mixin=i.extend,s.Event=i.Event;var r="aaAutocomplete",o=n(6549),a=n(50);function u(t,e,n,u){n=s.isArray(n)?n:[].slice.call(arguments,2);var c=i(t).each((function(t,s){var c=i(s),l=new a({el:c}),h=u||new o({input:c,eventBus:l,dropdownMenuContainer:e.dropdownMenuContainer,hint:void 0===e.hint||!!e.hint,minLength:e.minLength,autoselect:e.autoselect,autoselectOnBlur:e.autoselectOnBlur,tabAutocomplete:e.tabAutocomplete,openOnFocus:e.openOnFocus,templates:e.templates,debug:e.debug,clearOnSelected:e.clearOnSelected,cssClasses:e.cssClasses,datasets:n,keyboardShortcuts:e.keyboardShortcuts,appendTo:e.appendTo,autoWidth:e.autoWidth,ariaLabel:e.ariaLabel||s.getAttribute("aria-label")});c.data(r,h)}));return c.autocomplete={},s.each(["open","close","getVal","setVal","destroy","getWrapper"],(function(t){c.autocomplete[t]=function(){var e,n=arguments;return c.each((function(s,o){var a=i(o).data(r);e=a[t].apply(a,n)})),e}})),c}u.sources=o.sources,u.escapeHighlightedString=s.escapeHighlightedString;var c="autocomplete"in window,l=window.autocomplete;u.noConflict=function(){return c?window.autocomplete=l:delete window.autocomplete,u},t.exports=u},533:t=>{t.exports="0.38.1"},6990:t=>{var e;e=window,t.exports=function(t){var e,n,i=function(){var e,n,i,s,r,o,a=[],u=a.concat,c=a.filter,l=a.slice,h=t.document,p={},f={},d={"column-count":1,columns:1,"font-weight":1,"line-height":1,opacity:1,"z-index":1,zoom:1},g=/^\s*<(\w+|!)[^>]*>/,m=/^<(\w+)\s*\/?>(?:<\/\1>|)$/,v=/<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:]+)[^>]*)\/>/gi,y=/^(?:body|html)$/i,w=/([A-Z])/g,b=["val","css","html","text","data","width","height","offset"],C=["after","prepend","before","append"],x=h.createElement("table"),_=h.createElement("tr"),S={tr:h.createElement("tbody"),tbody:x,thead:x,tfoot:x,td:_,th:_,"*":h.createElement("div")},E=/complete|loaded|interactive/,A=/^[\w-]*$/,$={},T=$.toString,O={},D=h.createElement("div"),N={tabindex:"tabIndex",readonly:"readOnly",for:"htmlFor",class:"className",maxlength:"maxLength",cellspacing:"cellSpacing",cellpadding:"cellPadding",rowspan:"rowSpan",colspan:"colSpan",usemap:"useMap",frameborder:"frameBorder",contenteditable:"contentEditable"},k=Array.isArray||function(t){return t instanceof Array};function I(t){return null==t?String(t):$[T.call(t)]||"object"}function P(t){return"function"==I(t)}function L(t){return null!=t&&t==t.window}function M(t){return null!=t&&t.nodeType==t.DOCUMENT_NODE}function F(t){return"object"==I(t)}function R(t){return F(t)&&!L(t)&&Object.getPrototypeOf(t)==Object.prototype}function q(t){var e=!!t&&"length"in t&&t.length,n=i.type(t);return"function"!=n&&!L(t)&&("array"==n||0===e||"number"==typeof e&&e>0&&e-1 in t)}function V(t){return c.call(t,(function(t){return null!=t}))}function H(t){return t.length>0?i.fn.concat.apply([],t):t}function B(t){return t.replace(/::/g,"/").replace(/([A-Z]+)([A-Z][a-z])/g,"$1_$2").replace(/([a-z\d])([A-Z])/g,"$1_$2").replace(/_/g,"-").toLowerCase()}function K(t){return t in f?f[t]:f[t]=new RegExp("(^|\\s)"+t+"(\\s|$)")}function j(t,e){return"number"!=typeof e||d[B(t)]?e:e+"px"}function z(t){var e,n;return p[t]||(e=h.createElement(t),h.body.appendChild(e),n=getComputedStyle(e,"").getPropertyValue("display"),e.parentNode.removeChild(e),"none"==n&&(n="block"),p[t]=n),p[t]}function U(t){return"children"in t?l.call(t.children):i.map(t.childNodes,(function(t){if(1==t.nodeType)return t}))}function Q(t,e){var n,i=t?t.length:0;for(n=0;n<i;n++)this[n]=t[n];this.length=i,this.selector=e||""}function W(t,i,s){for(n in i)s&&(R(i[n])||k(i[n]))?(R(i[n])&&!R(t[n])&&(t[n]={}),k(i[n])&&!k(t[n])&&(t[n]=[]),W(t[n],i[n],s)):i[n]!==e&&(t[n]=i[n])}function Z(t,e){return null==e?i(t):i(t).filter(e)}function X(t,e,n,i){return P(e)?e.call(t,n,i):e}function G(t,e,n){null==n?t.removeAttribute(e):t.setAttribute(e,n)}function J(t,n){var i=t.className||"",s=i&&i.baseVal!==e;if(n===e)return s?i.baseVal:i;s?i.baseVal=n:t.className=n}function Y(t){try{return t?"true"==t||"false"!=t&&("null"==t?null:+t+""==t?+t:/^[\[\{]/.test(t)?i.parseJSON(t):t):t}catch(e){return t}}function tt(t,e){e(t);for(var n=0,i=t.childNodes.length;n<i;n++)tt(t.childNodes[n],e)}return O.matches=function(t,e){if(!e||!t||1!==t.nodeType)return!1;var n=t.matches||t.webkitMatchesSelector||t.mozMatchesSelector||t.oMatchesSelector||t.matchesSelector;if(n)return n.call(t,e);var i,s=t.parentNode,r=!s;return r&&(s=D).appendChild(t),i=~O.qsa(s,e).indexOf(t),r&&D.removeChild(t),i},r=function(t){return t.replace(/-+(.)?/g,(function(t,e){return e?e.toUpperCase():""}))},o=function(t){return c.call(t,(function(e,n){return t.indexOf(e)==n}))},O.fragment=function(t,n,s){var r,o,a;return m.test(t)&&(r=i(h.createElement(RegExp.$1))),r||(t.replace&&(t=t.replace(v,"<$1></$2>")),n===e&&(n=g.test(t)&&RegExp.$1),n in S||(n="*"),(a=S[n]).innerHTML=""+t,r=i.each(l.call(a.childNodes),(function(){a.removeChild(this)}))),R(s)&&(o=i(r),i.each(s,(function(t,e){b.indexOf(t)>-1?o[t](e):o.attr(t,e)}))),r},O.Z=function(t,e){return new Q(t,e)},O.isZ=function(t){return t instanceof O.Z},O.init=function(t,n){var s;if(!t)return O.Z();if("string"==typeof t)if("<"==(t=t.trim())[0]&&g.test(t))s=O.fragment(t,RegExp.$1,n),t=null;else{if(n!==e)return i(n).find(t);s=O.qsa(h,t)}else{if(P(t))return i(h).ready(t);if(O.isZ(t))return t;if(k(t))s=V(t);else if(F(t))s=[t],t=null;else if(g.test(t))s=O.fragment(t.trim(),RegExp.$1,n),t=null;else{if(n!==e)return i(n).find(t);s=O.qsa(h,t)}}return O.Z(s,t)},(i=function(t,e){return O.init(t,e)}).extend=function(t){var e,n=l.call(arguments,1);return"boolean"==typeof t&&(e=t,t=n.shift()),n.forEach((function(n){W(t,n,e)})),t},O.qsa=function(t,e){var n,i="#"==e[0],s=!i&&"."==e[0],r=i||s?e.slice(1):e,o=A.test(r);return t.getElementById&&o&&i?(n=t.getElementById(r))?[n]:[]:1!==t.nodeType&&9!==t.nodeType&&11!==t.nodeType?[]:l.call(o&&!i&&t.getElementsByClassName?s?t.getElementsByClassName(r):t.getElementsByTagName(e):t.querySelectorAll(e))},i.contains=h.documentElement.contains?function(t,e){return t!==e&&t.contains(e)}:function(t,e){for(;e&&(e=e.parentNode);)if(e===t)return!0;return!1},i.type=I,i.isFunction=P,i.isWindow=L,i.isArray=k,i.isPlainObject=R,i.isEmptyObject=function(t){var e;for(e in t)return!1;return!0},i.isNumeric=function(t){var e=Number(t),n=typeof t;return null!=t&&"boolean"!=n&&("string"!=n||t.length)&&!isNaN(e)&&isFinite(e)||!1},i.inArray=function(t,e,n){return a.indexOf.call(e,t,n)},i.camelCase=r,i.trim=function(t){return null==t?"":String.prototype.trim.call(t)},i.uuid=0,i.support={},i.expr={},i.noop=function(){},i.map=function(t,e){var n,i,s,r=[];if(q(t))for(i=0;i<t.length;i++)null!=(n=e(t[i],i))&&r.push(n);else for(s in t)null!=(n=e(t[s],s))&&r.push(n);return H(r)},i.each=function(t,e){var n,i;if(q(t)){for(n=0;n<t.length;n++)if(!1===e.call(t[n],n,t[n]))return t}else for(i in t)if(!1===e.call(t[i],i,t[i]))return t;return t},i.grep=function(t,e){return c.call(t,e)},t.JSON&&(i.parseJSON=JSON.parse),i.each("Boolean Number String Function Array Date RegExp Object Error".split(" "),(function(t,e){$["[object "+e+"]"]=e.toLowerCase()})),i.fn={constructor:O.Z,length:0,forEach:a.forEach,reduce:a.reduce,push:a.push,sort:a.sort,splice:a.splice,indexOf:a.indexOf,concat:function(){var t,e,n=[];for(t=0;t<arguments.length;t++)e=arguments[t],n[t]=O.isZ(e)?e.toArray():e;return u.apply(O.isZ(this)?this.toArray():this,n)},map:function(t){return i(i.map(this,(function(e,n){return t.call(e,n,e)})))},slice:function(){return i(l.apply(this,arguments))},ready:function(t){return E.test(h.readyState)&&h.body?t(i):h.addEventListener("DOMContentLoaded",(function(){t(i)}),!1),this},get:function(t){return t===e?l.call(this):this[t>=0?t:t+this.length]},toArray:function(){return this.get()},size:function(){return this.length},remove:function(){return this.each((function(){null!=this.parentNode&&this.parentNode.removeChild(this)}))},each:function(t){return a.every.call(this,(function(e,n){return!1!==t.call(e,n,e)})),this},filter:function(t){return P(t)?this.not(this.not(t)):i(c.call(this,(function(e){return O.matches(e,t)})))},add:function(t,e){return i(o(this.concat(i(t,e))))},is:function(t){return this.length>0&&O.matches(this[0],t)},not:function(t){var n=[];if(P(t)&&t.call!==e)this.each((function(e){t.call(this,e)||n.push(this)}));else{var s="string"==typeof t?this.filter(t):q(t)&&P(t.item)?l.call(t):i(t);this.forEach((function(t){s.indexOf(t)<0&&n.push(t)}))}return i(n)},has:function(t){return this.filter((function(){return F(t)?i.contains(this,t):i(this).find(t).size()}))},eq:function(t){return-1===t?this.slice(t):this.slice(t,+t+1)},first:function(){var t=this[0];return t&&!F(t)?t:i(t)},last:function(){var t=this[this.length-1];return t&&!F(t)?t:i(t)},find:function(t){var e=this;return t?"object"==typeof t?i(t).filter((function(){var t=this;return a.some.call(e,(function(e){return i.contains(e,t)}))})):1==this.length?i(O.qsa(this[0],t)):this.map((function(){return O.qsa(this,t)})):i()},closest:function(t,e){var n=[],s="object"==typeof t&&i(t);return this.each((function(i,r){for(;r&&!(s?s.indexOf(r)>=0:O.matches(r,t));)r=r!==e&&!M(r)&&r.parentNode;r&&n.indexOf(r)<0&&n.push(r)})),i(n)},parents:function(t){for(var e=[],n=this;n.length>0;)n=i.map(n,(function(t){if((t=t.parentNode)&&!M(t)&&e.indexOf(t)<0)return e.push(t),t}));return Z(e,t)},parent:function(t){return Z(o(this.pluck("parentNode")),t)},children:function(t){return Z(this.map((function(){return U(this)})),t)},contents:function(){return this.map((function(){return this.contentDocument||l.call(this.childNodes)}))},siblings:function(t){return Z(this.map((function(t,e){return c.call(U(e.parentNode),(function(t){return t!==e}))})),t)},empty:function(){return this.each((function(){this.innerHTML=""}))},pluck:function(t){return i.map(this,(function(e){return e[t]}))},show:function(){return this.each((function(){"none"==this.style.display&&(this.style.display=""),"none"==getComputedStyle(this,"").getPropertyValue("display")&&(this.style.display=z(this.nodeName))}))},replaceWith:function(t){return this.before(t).remove()},wrap:function(t){var e=P(t);if(this[0]&&!e)var n=i(t).get(0),s=n.parentNode||this.length>1;return this.each((function(r){i(this).wrapAll(e?t.call(this,r):s?n.cloneNode(!0):n)}))},wrapAll:function(t){if(this[0]){var e;for(i(this[0]).before(t=i(t));(e=t.children()).length;)t=e.first();i(t).append(this)}return this},wrapInner:function(t){var e=P(t);return this.each((function(n){var s=i(this),r=s.contents(),o=e?t.call(this,n):t;r.length?r.wrapAll(o):s.append(o)}))},unwrap:function(){return this.parent().each((function(){i(this).replaceWith(i(this).children())})),this},clone:function(){return this.map((function(){return this.cloneNode(!0)}))},hide:function(){return this.css("display","none")},toggle:function(t){return this.each((function(){var n=i(this);(t===e?"none"==n.css("display"):t)?n.show():n.hide()}))},prev:function(t){return i(this.pluck("previousElementSibling")).filter(t||"*")},next:function(t){return i(this.pluck("nextElementSibling")).filter(t||"*")},html:function(t){return 0 in arguments?this.each((function(e){var n=this.innerHTML;i(this).empty().append(X(this,t,e,n))})):0 in this?this[0].innerHTML:null},text:function(t){return 0 in arguments?this.each((function(e){var n=X(this,t,e,this.textContent);this.textContent=null==n?"":""+n})):0 in this?this.pluck("textContent").join(""):null},attr:function(t,i){var s;return"string"!=typeof t||1 in arguments?this.each((function(e){if(1===this.nodeType)if(F(t))for(n in t)G(this,n,t[n]);else G(this,t,X(this,i,e,this.getAttribute(t)))})):0 in this&&1==this[0].nodeType&&null!=(s=this[0].getAttribute(t))?s:e},removeAttr:function(t){return this.each((function(){1===this.nodeType&&t.split(" ").forEach((function(t){G(this,t)}),this)}))},prop:function(t,e){return t=N[t]||t,1 in arguments?this.each((function(n){this[t]=X(this,e,n,this[t])})):this[0]&&this[0][t]},removeProp:function(t){return t=N[t]||t,this.each((function(){delete this[t]}))},data:function(t,n){var i="data-"+t.replace(w,"-$1").toLowerCase(),s=1 in arguments?this.attr(i,n):this.attr(i);return null!==s?Y(s):e},val:function(t){return 0 in arguments?(null==t&&(t=""),this.each((function(e){this.value=X(this,t,e,this.value)}))):this[0]&&(this[0].multiple?i(this[0]).find("option").filter((function(){return this.selected})).pluck("value"):this[0].value)},offset:function(e){if(e)return this.each((function(t){var n=i(this),s=X(this,e,t,n.offset()),r=n.offsetParent().offset(),o={top:s.top-r.top,left:s.left-r.left};"static"==n.css("position")&&(o.position="relative"),n.css(o)}));if(!this.length)return null;if(h.documentElement!==this[0]&&!i.contains(h.documentElement,this[0]))return{top:0,left:0};var n=this[0].getBoundingClientRect();return{left:n.left+t.pageXOffset,top:n.top+t.pageYOffset,width:Math.round(n.width),height:Math.round(n.height)}},css:function(t,e){if(arguments.length<2){var s=this[0];if("string"==typeof t){if(!s)return;return s.style[r(t)]||getComputedStyle(s,"").getPropertyValue(t)}if(k(t)){if(!s)return;var o={},a=getComputedStyle(s,"");return i.each(t,(function(t,e){o[e]=s.style[r(e)]||a.getPropertyValue(e)})),o}}var u="";if("string"==I(t))e||0===e?u=B(t)+":"+j(t,e):this.each((function(){this.style.removeProperty(B(t))}));else for(n in t)t[n]||0===t[n]?u+=B(n)+":"+j(n,t[n])+";":this.each((function(){this.style.removeProperty(B(n))}));return this.each((function(){this.style.cssText+=";"+u}))},index:function(t){return t?this.indexOf(i(t)[0]):this.parent().children().indexOf(this[0])},hasClass:function(t){return!!t&&a.some.call(this,(function(t){return this.test(J(t))}),K(t))},addClass:function(t){return t?this.each((function(e){if("className"in this){s=[];var n=J(this);X(this,t,e,n).split(/\s+/g).forEach((function(t){i(this).hasClass(t)||s.push(t)}),this),s.length&&J(this,n+(n?" ":"")+s.join(" "))}})):this},removeClass:function(t){return this.each((function(n){if("className"in this){if(t===e)return J(this,"");s=J(this),X(this,t,n,s).split(/\s+/g).forEach((function(t){s=s.replace(K(t)," ")})),J(this,s.trim())}}))},toggleClass:function(t,n){return t?this.each((function(s){var r=i(this);X(this,t,s,J(this)).split(/\s+/g).forEach((function(t){(n===e?!r.hasClass(t):n)?r.addClass(t):r.removeClass(t)}))})):this},scrollTop:function(t){if(this.length){var n="scrollTop"in this[0];return t===e?n?this[0].scrollTop:this[0].pageYOffset:this.each(n?function(){this.scrollTop=t}:function(){this.scrollTo(this.scrollX,t)})}},scrollLeft:function(t){if(this.length){var n="scrollLeft"in this[0];return t===e?n?this[0].scrollLeft:this[0].pageXOffset:this.each(n?function(){this.scrollLeft=t}:function(){this.scrollTo(t,this.scrollY)})}},position:function(){if(this.length){var t=this[0],e=this.offsetParent(),n=this.offset(),s=y.test(e[0].nodeName)?{top:0,left:0}:e.offset();return n.top-=parseFloat(i(t).css("margin-top"))||0,n.left-=parseFloat(i(t).css("margin-left"))||0,s.top+=parseFloat(i(e[0]).css("border-top-width"))||0,s.left+=parseFloat(i(e[0]).css("border-left-width"))||0,{top:n.top-s.top,left:n.left-s.left}}},offsetParent:function(){return this.map((function(){for(var t=this.offsetParent||h.body;t&&!y.test(t.nodeName)&&"static"==i(t).css("position");)t=t.offsetParent;return t}))}},i.fn.detach=i.fn.remove,["width","height"].forEach((function(t){var n=t.replace(/./,(function(t){return t[0].toUpperCase()}));i.fn[t]=function(s){var r,o=this[0];return s===e?L(o)?o["inner"+n]:M(o)?o.documentElement["scroll"+n]:(r=this.offset())&&r[t]:this.each((function(e){(o=i(this)).css(t,X(this,s,e,o[t]()))}))}})),C.forEach((function(n,s){var r=s%2;i.fn[n]=function(){var n,o,a=i.map(arguments,(function(t){var s=[];return"array"==(n=I(t))?(t.forEach((function(t){return t.nodeType!==e?s.push(t):i.zepto.isZ(t)?s=s.concat(t.get()):void(s=s.concat(O.fragment(t)))})),s):"object"==n||null==t?t:O.fragment(t)})),u=this.length>1;return a.length<1?this:this.each((function(e,n){o=r?n:n.parentNode,n=0==s?n.nextSibling:1==s?n.firstChild:2==s?n:null;var c=i.contains(h.documentElement,o);a.forEach((function(e){if(u)e=e.cloneNode(!0);else if(!o)return i(e).remove();o.insertBefore(e,n),c&&tt(e,(function(e){if(!(null==e.nodeName||"SCRIPT"!==e.nodeName.toUpperCase()||e.type&&"text/javascript"!==e.type||e.src)){var n=e.ownerDocument?e.ownerDocument.defaultView:t;n.eval.call(n,e.innerHTML)}}))}))}))},i.fn[r?n+"To":"insert"+(s?"Before":"After")]=function(t){return i(t)[n](this),this}})),O.Z.prototype=Q.prototype=i.fn,O.uniq=o,O.deserializeValue=Y,i.zepto=O,i}();return function(e){var n,i=1,s=Array.prototype.slice,r=e.isFunction,o=function(t){return"string"==typeof t},a={},u={},c="onfocusin"in t,l={focus:"focusin",blur:"focusout"},h={mouseenter:"mouseover",mouseleave:"mouseout"};function p(t){return t._zid||(t._zid=i++)}function f(t,e,n,i){if((e=d(e)).ns)var s=g(e.ns);return(a[p(t)]||[]).filter((function(t){return t&&(!e.e||t.e==e.e)&&(!e.ns||s.test(t.ns))&&(!n||p(t.fn)===p(n))&&(!i||t.sel==i)}))}function d(t){var e=(""+t).split(".");return{e:e[0],ns:e.slice(1).sort().join(" ")}}function g(t){return new RegExp("(?:^| )"+t.replace(" "," .* ?")+"(?: |$)")}function m(t,e){return t.del&&!c&&t.e in l||!!e}function v(t){return h[t]||c&&l[t]||t}function y(t,i,s,r,o,u,c){var l=p(t),f=a[l]||(a[l]=[]);i.split(/\s/).forEach((function(i){if("ready"==i)return e(document).ready(s);var a=d(i);a.fn=s,a.sel=o,a.e in h&&(s=function(t){var n=t.relatedTarget;if(!n||n!==this&&!e.contains(this,n))return a.fn.apply(this,arguments)}),a.del=u;var l=u||s;a.proxy=function(e){if(!(e=S(e)).isImmediatePropagationStopped()){try{var i=Object.getOwnPropertyDescriptor(e,"data");i&&!i.writable||(e.data=r)}catch(e){}var s=l.apply(t,e._args==n?[e]:[e].concat(e._args));return!1===s&&(e.preventDefault(),e.stopPropagation()),s}},a.i=f.length,f.push(a),"addEventListener"in t&&t.addEventListener(v(a.e),a.proxy,m(a,c))}))}function w(t,e,n,i,s){var r=p(t);(e||"").split(/\s/).forEach((function(e){f(t,e,n,i).forEach((function(e){delete a[r][e.i],"removeEventListener"in t&&t.removeEventListener(v(e.e),e.proxy,m(e,s))}))}))}u.click=u.mousedown=u.mouseup=u.mousemove="MouseEvents",e.event={add:y,remove:w},e.proxy=function(t,n){var i=2 in arguments&&s.call(arguments,2);if(r(t)){var a=function(){return t.apply(n,i?i.concat(s.call(arguments)):arguments)};return a._zid=p(t),a}if(o(n))return i?(i.unshift(t[n],t),e.proxy.apply(null,i)):e.proxy(t[n],t);throw new TypeError("expected function")},e.fn.bind=function(t,e,n){return this.on(t,e,n)},e.fn.unbind=function(t,e){return this.off(t,e)},e.fn.one=function(t,e,n,i){return this.on(t,e,n,i,1)};var b=function(){return!0},C=function(){return!1},x=/^([A-Z]|returnValue$|layer[XY]$|webkitMovement[XY]$)/,_={preventDefault:"isDefaultPrevented",stopImmediatePropagation:"isImmediatePropagationStopped",stopPropagation:"isPropagationStopped"};function S(t,i){if(i||!t.isDefaultPrevented){i||(i=t),e.each(_,(function(e,n){var s=i[e];t[e]=function(){return this[n]=b,s&&s.apply(i,arguments)},t[n]=C}));try{t.timeStamp||(t.timeStamp=Date.now())}catch(s){}(i.defaultPrevented!==n?i.defaultPrevented:"returnValue"in i?!1===i.returnValue:i.getPreventDefault&&i.getPreventDefault())&&(t.isDefaultPrevented=b)}return t}function E(t){var e,i={originalEvent:t};for(e in t)x.test(e)||t[e]===n||(i[e]=t[e]);return S(i,t)}e.fn.delegate=function(t,e,n){return this.on(e,t,n)},e.fn.undelegate=function(t,e,n){return this.off(e,t,n)},e.fn.live=function(t,n){return e(document.body).delegate(this.selector,t,n),this},e.fn.die=function(t,n){return e(document.body).undelegate(this.selector,t,n),this},e.fn.on=function(t,i,a,u,c){var l,h,p=this;return t&&!o(t)?(e.each(t,(function(t,e){p.on(t,i,a,e,c)})),p):(o(i)||r(u)||!1===u||(u=a,a=i,i=n),u!==n&&!1!==a||(u=a,a=n),!1===u&&(u=C),p.each((function(n,r){c&&(l=function(t){return w(r,t.type,u),u.apply(this,arguments)}),i&&(h=function(t){var n,o=e(t.target).closest(i,r).get(0);if(o&&o!==r)return n=e.extend(E(t),{currentTarget:o,liveFired:r}),(l||u).apply(o,[n].concat(s.call(arguments,1)))}),y(r,t,u,a,i,h||l)})))},e.fn.off=function(t,i,s){var a=this;return t&&!o(t)?(e.each(t,(function(t,e){a.off(t,i,e)})),a):(o(i)||r(s)||!1===s||(s=i,i=n),!1===s&&(s=C),a.each((function(){w(this,t,s,i)})))},e.fn.trigger=function(t,n){return(t=o(t)||e.isPlainObject(t)?e.Event(t):S(t))._args=n,this.each((function(){t.type in l&&"function"==typeof this[t.type]?this[t.type]():"dispatchEvent"in this?this.dispatchEvent(t):e(this).triggerHandler(t,n)}))},e.fn.triggerHandler=function(t,n){var i,s;return this.each((function(r,a){(i=E(o(t)?e.Event(t):t))._args=n,i.target=a,e.each(f(a,t.type||t),(function(t,e){if(s=e.proxy(i),i.isImmediatePropagationStopped())return!1}))})),s},"focusin focusout focus blur load resize scroll unload click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select keydown keypress keyup error".split(" ").forEach((function(t){e.fn[t]=function(e){return 0 in arguments?this.bind(t,e):this.trigger(t)}})),e.Event=function(t,e){o(t)||(t=(e=t).type);var n=document.createEvent(u[t]||"Events"),i=!0;if(e)for(var s in e)"bubbles"==s?i=!!e[s]:n[s]=e[s];return n.initEvent(t,i,!0),S(n)}}(i),n=[],i.fn.remove=function(){return this.each((function(){this.parentNode&&("IMG"===this.tagName&&(n.push(this),this.src="data:image/gif;base64,R0lGODlhAQABAAD/ACwAAAAAAQABAAACADs=",e&&clearTimeout(e),e=setTimeout((function(){n=[]}),6e4)),this.parentNode.removeChild(this))}))},function(t){var e={},n=t.fn.data,i=t.camelCase,s=t.expando="Zepto"+ +new Date,r=[];function o(r,o){var u=r[s],c=u&&e[u];if(void 0===o)return c||a(r);if(c){if(o in c)return c[o];var l=i(o);if(l in c)return c[l]}return n.call(t(r),o)}function a(n,r,o){var a=n[s]||(n[s]=++t.uuid),c=e[a]||(e[a]=u(n));return void 0!==r&&(c[i(r)]=o),c}function u(e){var n={};return t.each(e.attributes||r,(function(e,s){0==s.name.indexOf("data-")&&(n[i(s.name.replace("data-",""))]=t.zepto.deserializeValue(s.value))})),n}t.fn.data=function(e,n){return void 0===n?t.isPlainObject(e)?this.each((function(n,i){t.each(e,(function(t,e){a(i,t,e)}))})):0 in this?o(this[0],e):void 0:this.each((function(){a(this,e,n)}))},t.data=function(e,n,i){return t(e).data(n,i)},t.hasData=function(n){var i=n[s],r=i&&e[i];return!!r&&!t.isEmptyObject(r)},t.fn.removeData=function(n){return"string"==typeof n&&(n=n.split(/\s+/)),this.each((function(){var r=this[s],o=r&&e[r];o&&t.each(n||o,(function(t){delete o[n?i(this):t]}))}))},["remove","empty"].forEach((function(e){var n=t.fn[e];t.fn[e]=function(){var t=this.find("*");return"remove"===e&&(t=t.add(this)),t.removeData(),n.call(this)}}))}(i),i}(e)},8820:t=>{"use strict";var e={}.hasOwnProperty,n=/[ -,\.\/:-@\[-\^`\{-~]/,i=/[ -,\.\/:-@\[\]\^`\{-~]/,s=/(^|\\+)?(\\[A-F0-9]{1,6})\x20(?![a-fA-F0-9\x20])/g,r=function t(r,o){"single"!=(o=function(t,n){if(!t)return n;var i={};for(var s in n)i[s]=e.call(t,s)?t[s]:n[s];return i}(o,t.options)).quotes&&"double"!=o.quotes&&(o.quotes="single");for(var a="double"==o.quotes?'"':"'",u=o.isIdentifier,c=r.charAt(0),l="",h=0,p=r.length;h<p;){var f=r.charAt(h++),d=f.charCodeAt(),g=void 0;if(d<32||d>126){if(d>=55296&&d<=56319&&h<p){var m=r.charCodeAt(h++);56320==(64512&m)?d=((1023&d)<<10)+(1023&m)+65536:h--}g="\\"+d.toString(16).toUpperCase()+" "}else g=o.escapeEverything?n.test(f)?"\\"+f:"\\"+d.toString(16).toUpperCase()+" ":/[\t\n\f\r\x0B]/.test(f)?"\\"+d.toString(16).toUpperCase()+" ":"\\"==f||!u&&('"'==f&&a==f||"'"==f&&a==f)||u&&i.test(f)?"\\"+f:f;l+=g}return u&&(/^-[-\d]/.test(l)?l="\\-"+l.slice(1):/\d/.test(c)&&(l="\\3"+c+" "+l.slice(1))),l=l.replace(s,(function(t,e,n){return e&&e.length%2?t:(e||"")+n})),!u&&o.wrap?a+l+a:l};r.options={escapeEverything:!1,isIdentifier:!1,quotes:"single",wrap:!1},r.version="3.0.0",t.exports=r},624:(t,e,n)=>{"use strict";var i,s,r,o=[n(5525),n(4785),n(8291),n(2709),n(2506),n(9176)],a=-1,u=[],c=!1;function l(){i&&s&&(i=!1,s.length?u=s.concat(u):a=-1,u.length&&h())}function h(){if(!i){c=!1,i=!0;for(var t=u.length,e=setTimeout(l);t;){for(s=u,u=[];s&&++a<t;)s[a].run();a=-1,t=u.length}s=null,a=-1,i=!1,clearTimeout(e)}}for(var p=-1,f=o.length;++p<f;)if(o[p]&&o[p].test&&o[p].test()){r=o[p].install(h);break}function d(t,e){this.fun=t,this.array=e}d.prototype.run=function(){var t=this.fun,e=this.array;switch(e.length){case 0:return t();case 1:return t(e[0]);case 2:return t(e[0],e[1]);case 3:return t(e[0],e[1],e[2]);default:return t.apply(null,e)}},t.exports=function(t){var e=new Array(arguments.length-1);if(arguments.length>1)for(var n=1;n<arguments.length;n++)e[n-1]=arguments[n];u.push(new d(t,e)),c||i||(c=!0,r())}},2709:(t,e,n)=>{"use strict";e.test=function(){return!n.g.setImmediate&&void 0!==n.g.MessageChannel},e.install=function(t){var e=new n.g.MessageChannel;return e.port1.onmessage=t,function(){e.port2.postMessage(0)}}},8291:(t,e,n)=>{"use strict";var i=n.g.MutationObserver||n.g.WebKitMutationObserver;e.test=function(){return i},e.install=function(t){var e=0,s=new i(t),r=n.g.document.createTextNode("");return s.observe(r,{characterData:!0}),function(){r.data=e=++e%2}}},4785:(t,e,n)=>{"use strict";e.test=function(){return"function"==typeof n.g.queueMicrotask},e.install=function(t){return function(){n.g.queueMicrotask(t)}}},2506:(t,e,n)=>{"use strict";e.test=function(){return"document"in n.g&&"onreadystatechange"in n.g.document.createElement("script")},e.install=function(t){return function(){var e=n.g.document.createElement("script");return e.onreadystatechange=function(){t(),e.onreadystatechange=null,e.parentNode.removeChild(e),e=null},n.g.document.documentElement.appendChild(e),t}}},9176:(t,e)=>{"use strict";e.test=function(){return!0},e.install=function(t){return function(){setTimeout(t,0)}}}}]); \ No newline at end of file +/*! For license information please see 8443.a5d9c459.js.LICENSE.txt */ +(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[8443],{8443:(t,e,n)=>{"use strict";t.exports=n(295)},1228:(t,e,n)=>{"use strict";var i=n(2856),s={wrapper:{position:"relative",display:"inline-block"},hint:{position:"absolute",top:"0",left:"0",borderColor:"transparent",boxShadow:"none",opacity:"1"},input:{position:"relative",verticalAlign:"top",backgroundColor:"transparent"},inputWithNoHint:{position:"relative",verticalAlign:"top"},dropdown:{position:"absolute",top:"100%",left:"0",zIndex:"100",display:"none"},suggestions:{display:"block"},suggestion:{whiteSpace:"nowrap",cursor:"pointer"},suggestionChild:{whiteSpace:"normal"},ltr:{left:"0",right:"auto"},rtl:{left:"auto",right:"0"},defaultClasses:{root:"algolia-autocomplete",prefix:"aa",noPrefix:!1,dropdownMenu:"dropdown-menu",input:"input",hint:"hint",suggestions:"suggestions",suggestion:"suggestion",cursor:"cursor",dataset:"dataset",empty:"empty"},appendTo:{wrapper:{position:"absolute",zIndex:"100",display:"none"},input:{},inputWithNoHint:{},dropdown:{display:"block"}}};i.isMsie()&&i.mixin(s.input,{backgroundImage:"url(data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)"}),i.isMsie()&&i.isMsie()<=7&&i.mixin(s.input,{marginTop:"-1px"}),t.exports=s},9050:(t,e,n)=>{"use strict";var i="aaDataset",s="aaValue",r="aaDatum",o=n(2856),a=n(4910),u=n(3561),c=n(1228),l=n(3109);function h(t){var e;(t=t||{}).templates=t.templates||{},t.source||o.error("missing source"),t.name&&(e=t.name,!/^[_a-zA-Z0-9-]+$/.test(e))&&o.error("invalid dataset name: "+t.name),this.query=null,this._isEmpty=!0,this.highlight=!!t.highlight,this.name=void 0===t.name||null===t.name?o.getUniqueId():t.name,this.source=t.source,this.displayFn=function(t){return t=t||"value",o.isFunction(t)?t:e;function e(e){return e[t]}}(t.display||t.displayKey),this.debounce=t.debounce,this.cache=!1!==t.cache,this.templates=function(t,e){return{empty:t.empty&&o.templatify(t.empty),header:t.header&&o.templatify(t.header),footer:t.footer&&o.templatify(t.footer),suggestion:t.suggestion||n};function n(t){return"<p>"+e(t)+"</p>"}}(t.templates,this.displayFn),this.css=o.mixin({},c,t.appendTo?c.appendTo:{}),this.cssClasses=t.cssClasses=o.mixin({},c.defaultClasses,t.cssClasses||{}),this.cssClasses.prefix=t.cssClasses.formattedPrefix||o.formatPrefix(this.cssClasses.prefix,this.cssClasses.noPrefix);var n=o.className(this.cssClasses.prefix,this.cssClasses.dataset);this.$el=t.$menu&&t.$menu.find(n+"-"+this.name).length>0?a.element(t.$menu.find(n+"-"+this.name)[0]):a.element(u.dataset.replace("%CLASS%",this.name).replace("%PREFIX%",this.cssClasses.prefix).replace("%DATASET%",this.cssClasses.dataset)),this.$menu=t.$menu,this.clearCachedSuggestions()}h.extractDatasetName=function(t){return a.element(t).data(i)},h.extractValue=function(t){return a.element(t).data(s)},h.extractDatum=function(t){var e=a.element(t).data(r);return"string"==typeof e&&(e=JSON.parse(e)),e},o.mixin(h.prototype,l,{_render:function(t,e){if(this.$el){var n,c=this,l=[].slice.call(arguments,2);if(this.$el.empty(),n=e&&e.length,this._isEmpty=!n,!n&&this.templates.empty)this.$el.html(function(){var e=[].slice.call(arguments,0);return e=[{query:t,isEmpty:!0}].concat(e),c.templates.empty.apply(this,e)}.apply(this,l)).prepend(c.templates.header?h.apply(this,l):null).append(c.templates.footer?p.apply(this,l):null);else if(n)this.$el.html(function(){var t,n,l=[].slice.call(arguments,0),h=this,p=u.suggestions.replace("%PREFIX%",this.cssClasses.prefix).replace("%SUGGESTIONS%",this.cssClasses.suggestions);return t=a.element(p).css(this.css.suggestions),n=o.map(e,f),t.append.apply(t,n),t;function f(t){var e,n=u.suggestion.replace("%PREFIX%",h.cssClasses.prefix).replace("%SUGGESTION%",h.cssClasses.suggestion);return(e=a.element(n).attr({role:"option",id:["option",Math.floor(1e8*Math.random())].join("-")}).append(c.templates.suggestion.apply(this,[t].concat(l)))).data(i,c.name),e.data(s,c.displayFn(t)||void 0),e.data(r,JSON.stringify(t)),e.children().each((function(){a.element(this).css(h.css.suggestionChild)})),e}}.apply(this,l)).prepend(c.templates.header?h.apply(this,l):null).append(c.templates.footer?p.apply(this,l):null);else if(e&&!Array.isArray(e))throw new TypeError("suggestions must be an array");this.$menu&&this.$menu.addClass(this.cssClasses.prefix+(n?"with":"without")+"-"+this.name).removeClass(this.cssClasses.prefix+(n?"without":"with")+"-"+this.name),this.trigger("rendered",t)}function h(){var e=[].slice.call(arguments,0);return e=[{query:t,isEmpty:!n}].concat(e),c.templates.header.apply(this,e)}function p(){var e=[].slice.call(arguments,0);return e=[{query:t,isEmpty:!n}].concat(e),c.templates.footer.apply(this,e)}},getRoot:function(){return this.$el},update:function(t){function e(e){if(!this.canceled&&t===this.query){var n=[].slice.call(arguments,1);this.cacheSuggestions(t,e,n),this._render.apply(this,[t,e].concat(n))}}if(this.query=t,this.canceled=!1,this.shouldFetchFromCache(t))e.apply(this,[this.cachedSuggestions].concat(this.cachedRenderExtraArgs));else{var n=this,i=function(){n.canceled||n.source(t,e.bind(n))};if(this.debounce){clearTimeout(this.debounceTimeout),this.debounceTimeout=setTimeout((function(){n.debounceTimeout=null,i()}),this.debounce)}else i()}},cacheSuggestions:function(t,e,n){this.cachedQuery=t,this.cachedSuggestions=e,this.cachedRenderExtraArgs=n},shouldFetchFromCache:function(t){return this.cache&&this.cachedQuery===t&&this.cachedSuggestions&&this.cachedSuggestions.length},clearCachedSuggestions:function(){delete this.cachedQuery,delete this.cachedSuggestions,delete this.cachedRenderExtraArgs},cancel:function(){this.canceled=!0},clear:function(){this.$el&&(this.cancel(),this.$el.empty(),this.trigger("rendered",""))},isEmpty:function(){return this._isEmpty},destroy:function(){this.clearCachedSuggestions(),this.$el=null}}),t.exports=h},2407:(t,e,n)=>{"use strict";var i=n(2856),s=n(4910),r=n(3109),o=n(9050),a=n(1228);function u(t){var e,n,r,o=this;(t=t||{}).menu||i.error("menu is required"),i.isArray(t.datasets)||i.isObject(t.datasets)||i.error("1 or more datasets required"),t.datasets||i.error("datasets is required"),this.isOpen=!1,this.isEmpty=!0,this.minLength=t.minLength||0,this.templates={},this.appendTo=t.appendTo||!1,this.css=i.mixin({},a,t.appendTo?a.appendTo:{}),this.cssClasses=t.cssClasses=i.mixin({},a.defaultClasses,t.cssClasses||{}),this.cssClasses.prefix=t.cssClasses.formattedPrefix||i.formatPrefix(this.cssClasses.prefix,this.cssClasses.noPrefix),e=i.bind(this._onSuggestionClick,this),n=i.bind(this._onSuggestionMouseEnter,this),r=i.bind(this._onSuggestionMouseLeave,this);var c=i.className(this.cssClasses.prefix,this.cssClasses.suggestion);this.$menu=s.element(t.menu).on("mouseenter.aa",c,n).on("mouseleave.aa",c,r).on("click.aa",c,e),this.$container=t.appendTo?t.wrapper:this.$menu,t.templates&&t.templates.header&&(this.templates.header=i.templatify(t.templates.header),this.$menu.prepend(this.templates.header())),t.templates&&t.templates.empty&&(this.templates.empty=i.templatify(t.templates.empty),this.$empty=s.element('<div class="'+i.className(this.cssClasses.prefix,this.cssClasses.empty,!0)+'"></div>'),this.$menu.append(this.$empty),this.$empty.hide()),this.datasets=i.map(t.datasets,(function(e){return function(t,e,n){return new u.Dataset(i.mixin({$menu:t,cssClasses:n},e))}(o.$menu,e,t.cssClasses)})),i.each(this.datasets,(function(t){var e=t.getRoot();e&&0===e.parent().length&&o.$menu.append(e),t.onSync("rendered",o._onRendered,o)})),t.templates&&t.templates.footer&&(this.templates.footer=i.templatify(t.templates.footer),this.$menu.append(this.templates.footer()));var l=this;s.element(window).resize((function(){l._redraw()}))}i.mixin(u.prototype,r,{_onSuggestionClick:function(t){this.trigger("suggestionClicked",s.element(t.currentTarget))},_onSuggestionMouseEnter:function(t){var e=s.element(t.currentTarget);if(!e.hasClass(i.className(this.cssClasses.prefix,this.cssClasses.cursor,!0))){this._removeCursor();var n=this;setTimeout((function(){n._setCursor(e,!1)}),0)}},_onSuggestionMouseLeave:function(t){if(t.relatedTarget&&s.element(t.relatedTarget).closest("."+i.className(this.cssClasses.prefix,this.cssClasses.cursor,!0)).length>0)return;this._removeCursor(),this.trigger("cursorRemoved")},_onRendered:function(t,e){if(this.isEmpty=i.every(this.datasets,(function(t){return t.isEmpty()})),this.isEmpty)if(e.length>=this.minLength&&this.trigger("empty"),this.$empty)if(e.length<this.minLength)this._hide();else{var n=this.templates.empty({query:this.datasets[0]&&this.datasets[0].query});this.$empty.html(n),this.$empty.show(),this._show()}else i.any(this.datasets,(function(t){return t.templates&&t.templates.empty}))?e.length<this.minLength?this._hide():this._show():this._hide();else this.isOpen&&(this.$empty&&(this.$empty.empty(),this.$empty.hide()),e.length>=this.minLength?this._show():this._hide());this.trigger("datasetRendered")},_hide:function(){this.$container.hide()},_show:function(){this.$container.css("display","block"),this._redraw(),this.trigger("shown")},_redraw:function(){this.isOpen&&this.appendTo&&this.trigger("redrawn")},_getSuggestions:function(){return this.$menu.find(i.className(this.cssClasses.prefix,this.cssClasses.suggestion))},_getCursor:function(){return this.$menu.find(i.className(this.cssClasses.prefix,this.cssClasses.cursor)).first()},_setCursor:function(t,e){t.first().addClass(i.className(this.cssClasses.prefix,this.cssClasses.cursor,!0)).attr("aria-selected","true"),this.trigger("cursorMoved",e)},_removeCursor:function(){this._getCursor().removeClass(i.className(this.cssClasses.prefix,this.cssClasses.cursor,!0)).removeAttr("aria-selected")},_moveCursor:function(t){var e,n,i,s;this.isOpen&&(n=this._getCursor(),e=this._getSuggestions(),this._removeCursor(),-1!==(i=((i=e.index(n)+t)+1)%(e.length+1)-1)?(i<-1&&(i=e.length-1),this._setCursor(s=e.eq(i),!0),this._ensureVisible(s)):this.trigger("cursorRemoved"))},_ensureVisible:function(t){var e,n,i,s;n=(e=t.position().top)+t.height()+parseInt(t.css("margin-top"),10)+parseInt(t.css("margin-bottom"),10),i=this.$menu.scrollTop(),s=this.$menu.height()+parseInt(this.$menu.css("padding-top"),10)+parseInt(this.$menu.css("padding-bottom"),10),e<0?this.$menu.scrollTop(i+e):s<n&&this.$menu.scrollTop(i+(n-s))},close:function(){this.isOpen&&(this.isOpen=!1,this._removeCursor(),this._hide(),this.trigger("closed"))},open:function(){this.isOpen||(this.isOpen=!0,this.isEmpty||this._show(),this.trigger("opened"))},setLanguageDirection:function(t){this.$menu.css("ltr"===t?this.css.ltr:this.css.rtl)},moveCursorUp:function(){this._moveCursor(-1)},moveCursorDown:function(){this._moveCursor(1)},getDatumForSuggestion:function(t){var e=null;return t.length&&(e={raw:o.extractDatum(t),value:o.extractValue(t),datasetName:o.extractDatasetName(t)}),e},getCurrentCursor:function(){return this._getCursor().first()},getDatumForCursor:function(){return this.getDatumForSuggestion(this._getCursor().first())},getDatumForTopSuggestion:function(){return this.getDatumForSuggestion(this._getSuggestions().first())},cursorTopSuggestion:function(){this._setCursor(this._getSuggestions().first(),!1)},update:function(t){i.each(this.datasets,(function(e){e.update(t)}))},empty:function(){i.each(this.datasets,(function(t){t.clear()})),this.isEmpty=!0},isVisible:function(){return this.isOpen&&!this.isEmpty},destroy:function(){this.$menu.off(".aa"),this.$menu=null,i.each(this.datasets,(function(t){t.destroy()}))}}),u.Dataset=o,t.exports=u},50:(t,e,n)=>{"use strict";var i=n(2856),s=n(4910);function r(t){t&&t.el||i.error("EventBus initialized without el"),this.$el=s.element(t.el)}i.mixin(r.prototype,{trigger:function(t,e,n,s){var r=i.Event("autocomplete:"+t);return this.$el.trigger(r,[e,n,s]),r}}),t.exports=r},3109:(t,e,n)=>{"use strict";var i=n(624),s=/\s+/;function r(t,e,n,i){var r;if(!n)return this;for(e=e.split(s),n=i?function(t,e){return t.bind?t.bind(e):function(){t.apply(e,[].slice.call(arguments,0))}}(n,i):n,this._callbacks=this._callbacks||{};r=e.shift();)this._callbacks[r]=this._callbacks[r]||{sync:[],async:[]},this._callbacks[r][t].push(n);return this}function o(t,e,n){return function(){for(var i,s=0,r=t.length;!i&&s<r;s+=1)i=!1===t[s].apply(e,n);return!i}}t.exports={onSync:function(t,e,n){return r.call(this,"sync",t,e,n)},onAsync:function(t,e,n){return r.call(this,"async",t,e,n)},off:function(t){var e;if(!this._callbacks)return this;t=t.split(s);for(;e=t.shift();)delete this._callbacks[e];return this},trigger:function(t){var e,n,r,a,u;if(!this._callbacks)return this;t=t.split(s),r=[].slice.call(arguments,1);for(;(e=t.shift())&&(n=this._callbacks[e]);)a=o(n.sync,this,[e].concat(r)),u=o(n.async,this,[e].concat(r)),a()&&i(u);return this}}},3561:t=>{"use strict";t.exports={wrapper:'<span class="%ROOT%"></span>',dropdown:'<span class="%PREFIX%%DROPDOWN_MENU%"></span>',dataset:'<div class="%PREFIX%%DATASET%-%CLASS%"></div>',suggestions:'<span class="%PREFIX%%SUGGESTIONS%"></span>',suggestion:'<div class="%PREFIX%%SUGGESTION%"></div>'}},2534:(t,e,n)=>{"use strict";var i;i={9:"tab",27:"esc",37:"left",39:"right",13:"enter",38:"up",40:"down"};var s=n(2856),r=n(4910),o=n(3109);function a(t){var e,n,o,a,u,c=this;(t=t||{}).input||s.error("input is missing"),e=s.bind(this._onBlur,this),n=s.bind(this._onFocus,this),o=s.bind(this._onKeydown,this),a=s.bind(this._onInput,this),this.$hint=r.element(t.hint),this.$input=r.element(t.input).on("blur.aa",e).on("focus.aa",n).on("keydown.aa",o),0===this.$hint.length&&(this.setHint=this.getHint=this.clearHint=this.clearHintIfInvalid=s.noop),s.isMsie()?this.$input.on("keydown.aa keypress.aa cut.aa paste.aa",(function(t){i[t.which||t.keyCode]||s.defer(s.bind(c._onInput,c,t))})):this.$input.on("input.aa",a),this.query=this.$input.val(),this.$overflowHelper=(u=this.$input,r.element('<pre aria-hidden="true"></pre>').css({position:"absolute",visibility:"hidden",whiteSpace:"pre",fontFamily:u.css("font-family"),fontSize:u.css("font-size"),fontStyle:u.css("font-style"),fontVariant:u.css("font-variant"),fontWeight:u.css("font-weight"),wordSpacing:u.css("word-spacing"),letterSpacing:u.css("letter-spacing"),textIndent:u.css("text-indent"),textRendering:u.css("text-rendering"),textTransform:u.css("text-transform")}).insertAfter(u))}function u(t){return t.altKey||t.ctrlKey||t.metaKey||t.shiftKey}a.normalizeQuery=function(t){return(t||"").replace(/^\s*/g,"").replace(/\s{2,}/g," ")},s.mixin(a.prototype,o,{_onBlur:function(){this.resetInputValue(),this.$input.removeAttr("aria-activedescendant"),this.trigger("blurred")},_onFocus:function(){this.trigger("focused")},_onKeydown:function(t){var e=i[t.which||t.keyCode];this._managePreventDefault(e,t),e&&this._shouldTrigger(e,t)&&this.trigger(e+"Keyed",t)},_onInput:function(){this._checkInputValue()},_managePreventDefault:function(t,e){var n,i,s;switch(t){case"tab":i=this.getHint(),s=this.getInputValue(),n=i&&i!==s&&!u(e);break;case"up":case"down":n=!u(e);break;default:n=!1}n&&e.preventDefault()},_shouldTrigger:function(t,e){var n;if("tab"===t)n=!u(e);else n=!0;return n},_checkInputValue:function(){var t,e,n,i,s;t=this.getInputValue(),i=t,s=this.query,n=!(!(e=a.normalizeQuery(i)===a.normalizeQuery(s))||!this.query)&&this.query.length!==t.length,this.query=t,e?n&&this.trigger("whitespaceChanged",this.query):this.trigger("queryChanged",this.query)},focus:function(){this.$input.focus()},blur:function(){this.$input.blur()},getQuery:function(){return this.query},setQuery:function(t){this.query=t},getInputValue:function(){return this.$input.val()},setInputValue:function(t,e){void 0===t&&(t=this.query),this.$input.val(t),e?this.clearHint():this._checkInputValue()},expand:function(){this.$input.attr("aria-expanded","true")},collapse:function(){this.$input.attr("aria-expanded","false")},setActiveDescendant:function(t){this.$input.attr("aria-activedescendant",t)},removeActiveDescendant:function(){this.$input.removeAttr("aria-activedescendant")},resetInputValue:function(){this.setInputValue(this.query,!0)},getHint:function(){return this.$hint.val()},setHint:function(t){this.$hint.val(t)},clearHint:function(){this.setHint("")},clearHintIfInvalid:function(){var t,e,n;n=(t=this.getInputValue())!==(e=this.getHint())&&0===e.indexOf(t),""!==t&&n&&!this.hasOverflow()||this.clearHint()},getLanguageDirection:function(){return(this.$input.css("direction")||"ltr").toLowerCase()},hasOverflow:function(){var t=this.$input.width()-2;return this.$overflowHelper.text(this.getInputValue()),this.$overflowHelper.width()>=t},isCursorAtEnd:function(){var t,e,n;return t=this.$input.val().length,e=this.$input[0].selectionStart,s.isNumber(e)?e===t:!document.selection||((n=document.selection.createRange()).moveStart("character",-t),t===n.text.length)},destroy:function(){this.$hint.off(".aa"),this.$input.off(".aa"),this.$hint=this.$input=this.$overflowHelper=null}}),t.exports=a},6549:(t,e,n)=>{"use strict";var i="aaAttrs",s=n(2856),r=n(4910),o=n(50),a=n(2534),u=n(2407),c=n(3561),l=n(1228);function h(t){var e,n;if((t=t||{}).input||s.error("missing input"),this.isActivated=!1,this.debug=!!t.debug,this.autoselect=!!t.autoselect,this.autoselectOnBlur=!!t.autoselectOnBlur,this.openOnFocus=!!t.openOnFocus,this.minLength=s.isNumber(t.minLength)?t.minLength:1,this.autoWidth=void 0===t.autoWidth||!!t.autoWidth,this.clearOnSelected=!!t.clearOnSelected,this.tabAutocomplete=void 0===t.tabAutocomplete||!!t.tabAutocomplete,t.hint=!!t.hint,t.hint&&t.appendTo)throw new Error("[autocomplete.js] hint and appendTo options can't be used at the same time");this.css=t.css=s.mixin({},l,t.appendTo?l.appendTo:{}),this.cssClasses=t.cssClasses=s.mixin({},l.defaultClasses,t.cssClasses||{}),this.cssClasses.prefix=t.cssClasses.formattedPrefix=s.formatPrefix(this.cssClasses.prefix,this.cssClasses.noPrefix),this.listboxId=t.listboxId=[this.cssClasses.root,"listbox",s.getUniqueId()].join("-");var a=function(t){var e,n,o,a;e=r.element(t.input),n=r.element(c.wrapper.replace("%ROOT%",t.cssClasses.root)).css(t.css.wrapper),t.appendTo||"block"!==e.css("display")||"table"!==e.parent().css("display")||n.css("display","table-cell");var u=c.dropdown.replace("%PREFIX%",t.cssClasses.prefix).replace("%DROPDOWN_MENU%",t.cssClasses.dropdownMenu);o=r.element(u).css(t.css.dropdown).attr({role:"listbox",id:t.listboxId}),t.templates&&t.templates.dropdownMenu&&o.html(s.templatify(t.templates.dropdownMenu)());a=e.clone().css(t.css.hint).css(function(t){return{backgroundAttachment:t.css("background-attachment"),backgroundClip:t.css("background-clip"),backgroundColor:t.css("background-color"),backgroundImage:t.css("background-image"),backgroundOrigin:t.css("background-origin"),backgroundPosition:t.css("background-position"),backgroundRepeat:t.css("background-repeat"),backgroundSize:t.css("background-size")}}(e)),a.val("").addClass(s.className(t.cssClasses.prefix,t.cssClasses.hint,!0)).removeAttr("id name placeholder required").prop("readonly",!0).attr({"aria-hidden":"true",autocomplete:"off",spellcheck:"false",tabindex:-1}),a.removeData&&a.removeData();e.data(i,{"aria-autocomplete":e.attr("aria-autocomplete"),"aria-expanded":e.attr("aria-expanded"),"aria-owns":e.attr("aria-owns"),autocomplete:e.attr("autocomplete"),dir:e.attr("dir"),role:e.attr("role"),spellcheck:e.attr("spellcheck"),style:e.attr("style"),type:e.attr("type")}),e.addClass(s.className(t.cssClasses.prefix,t.cssClasses.input,!0)).attr({autocomplete:"off",spellcheck:!1,role:"combobox","aria-autocomplete":t.datasets&&t.datasets[0]&&t.datasets[0].displayKey?"both":"list","aria-expanded":"false","aria-label":t.ariaLabel,"aria-owns":t.listboxId}).css(t.hint?t.css.input:t.css.inputWithNoHint);try{e.attr("dir")||e.attr("dir","auto")}catch(l){}return n=t.appendTo?n.appendTo(r.element(t.appendTo).eq(0)).eq(0):e.wrap(n).parent(),n.prepend(t.hint?a:null).append(o),{wrapper:n,input:e,hint:a,menu:o}}(t);this.$node=a.wrapper;var u=this.$input=a.input;e=a.menu,n=a.hint,t.dropdownMenuContainer&&r.element(t.dropdownMenuContainer).css("position","relative").append(e.css("top","0")),u.on("blur.aa",(function(t){var n=document.activeElement;s.isMsie()&&(e[0]===n||e[0].contains(n))&&(t.preventDefault(),t.stopImmediatePropagation(),s.defer((function(){u.focus()})))})),e.on("mousedown.aa",(function(t){t.preventDefault()})),this.eventBus=t.eventBus||new o({el:u}),this.dropdown=new h.Dropdown({appendTo:t.appendTo,wrapper:this.$node,menu:e,datasets:t.datasets,templates:t.templates,cssClasses:t.cssClasses,minLength:this.minLength}).onSync("suggestionClicked",this._onSuggestionClicked,this).onSync("cursorMoved",this._onCursorMoved,this).onSync("cursorRemoved",this._onCursorRemoved,this).onSync("opened",this._onOpened,this).onSync("closed",this._onClosed,this).onSync("shown",this._onShown,this).onSync("empty",this._onEmpty,this).onSync("redrawn",this._onRedrawn,this).onAsync("datasetRendered",this._onDatasetRendered,this),this.input=new h.Input({input:u,hint:n}).onSync("focused",this._onFocused,this).onSync("blurred",this._onBlurred,this).onSync("enterKeyed",this._onEnterKeyed,this).onSync("tabKeyed",this._onTabKeyed,this).onSync("escKeyed",this._onEscKeyed,this).onSync("upKeyed",this._onUpKeyed,this).onSync("downKeyed",this._onDownKeyed,this).onSync("leftKeyed",this._onLeftKeyed,this).onSync("rightKeyed",this._onRightKeyed,this).onSync("queryChanged",this._onQueryChanged,this).onSync("whitespaceChanged",this._onWhitespaceChanged,this),this._bindKeyboardShortcuts(t),this._setLanguageDirection()}s.mixin(h.prototype,{_bindKeyboardShortcuts:function(t){if(t.keyboardShortcuts){var e=this.$input,n=[];s.each(t.keyboardShortcuts,(function(t){"string"==typeof t&&(t=t.toUpperCase().charCodeAt(0)),n.push(t)})),r.element(document).keydown((function(t){var i=t.target||t.srcElement,s=i.tagName;if(!i.isContentEditable&&"INPUT"!==s&&"SELECT"!==s&&"TEXTAREA"!==s){var r=t.which||t.keyCode;-1!==n.indexOf(r)&&(e.focus(),t.stopPropagation(),t.preventDefault())}}))}},_onSuggestionClicked:function(t,e){var n;(n=this.dropdown.getDatumForSuggestion(e))&&this._select(n,{selectionMethod:"click"})},_onCursorMoved:function(t,e){var n=this.dropdown.getDatumForCursor(),i=this.dropdown.getCurrentCursor().attr("id");this.input.setActiveDescendant(i),n&&(e&&this.input.setInputValue(n.value,!0),this.eventBus.trigger("cursorchanged",n.raw,n.datasetName))},_onCursorRemoved:function(){this.input.resetInputValue(),this._updateHint(),this.eventBus.trigger("cursorremoved")},_onDatasetRendered:function(){this._updateHint(),this.eventBus.trigger("updated")},_onOpened:function(){this._updateHint(),this.input.expand(),this.eventBus.trigger("opened")},_onEmpty:function(){this.eventBus.trigger("empty")},_onRedrawn:function(){this.$node.css("top","0px"),this.$node.css("left","0px");var t=this.$input[0].getBoundingClientRect();this.autoWidth&&this.$node.css("width",t.width+"px");var e=this.$node[0].getBoundingClientRect(),n=t.bottom-e.top;this.$node.css("top",n+"px");var i=t.left-e.left;this.$node.css("left",i+"px"),this.eventBus.trigger("redrawn")},_onShown:function(){this.eventBus.trigger("shown"),this.autoselect&&this.dropdown.cursorTopSuggestion()},_onClosed:function(){this.input.clearHint(),this.input.removeActiveDescendant(),this.input.collapse(),this.eventBus.trigger("closed")},_onFocused:function(){if(this.isActivated=!0,this.openOnFocus){var t=this.input.getQuery();t.length>=this.minLength?this.dropdown.update(t):this.dropdown.empty(),this.dropdown.open()}},_onBlurred:function(){var t,e;t=this.dropdown.getDatumForCursor(),e=this.dropdown.getDatumForTopSuggestion();var n={selectionMethod:"blur"};this.debug||(this.autoselectOnBlur&&t?this._select(t,n):this.autoselectOnBlur&&e?this._select(e,n):(this.isActivated=!1,this.dropdown.empty(),this.dropdown.close()))},_onEnterKeyed:function(t,e){var n,i;n=this.dropdown.getDatumForCursor(),i=this.dropdown.getDatumForTopSuggestion();var s={selectionMethod:"enterKey"};n?(this._select(n,s),e.preventDefault()):this.autoselect&&i&&(this._select(i,s),e.preventDefault())},_onTabKeyed:function(t,e){if(this.tabAutocomplete){var n;(n=this.dropdown.getDatumForCursor())?(this._select(n,{selectionMethod:"tabKey"}),e.preventDefault()):this._autocomplete(!0)}else this.dropdown.close()},_onEscKeyed:function(){this.dropdown.close(),this.input.resetInputValue()},_onUpKeyed:function(){var t=this.input.getQuery();this.dropdown.isEmpty&&t.length>=this.minLength?this.dropdown.update(t):this.dropdown.moveCursorUp(),this.dropdown.open()},_onDownKeyed:function(){var t=this.input.getQuery();this.dropdown.isEmpty&&t.length>=this.minLength?this.dropdown.update(t):this.dropdown.moveCursorDown(),this.dropdown.open()},_onLeftKeyed:function(){"rtl"===this.dir&&this._autocomplete()},_onRightKeyed:function(){"ltr"===this.dir&&this._autocomplete()},_onQueryChanged:function(t,e){this.input.clearHintIfInvalid(),e.length>=this.minLength?this.dropdown.update(e):this.dropdown.empty(),this.dropdown.open(),this._setLanguageDirection()},_onWhitespaceChanged:function(){this._updateHint(),this.dropdown.open()},_setLanguageDirection:function(){var t=this.input.getLanguageDirection();this.dir!==t&&(this.dir=t,this.$node.css("direction",t),this.dropdown.setLanguageDirection(t))},_updateHint:function(){var t,e,n,i,r;(t=this.dropdown.getDatumForTopSuggestion())&&this.dropdown.isVisible()&&!this.input.hasOverflow()?(e=this.input.getInputValue(),n=a.normalizeQuery(e),i=s.escapeRegExChars(n),(r=new RegExp("^(?:"+i+")(.+$)","i").exec(t.value))?this.input.setHint(e+r[1]):this.input.clearHint()):this.input.clearHint()},_autocomplete:function(t){var e,n,i,s;e=this.input.getHint(),n=this.input.getQuery(),i=t||this.input.isCursorAtEnd(),e&&n!==e&&i&&((s=this.dropdown.getDatumForTopSuggestion())&&this.input.setInputValue(s.value),this.eventBus.trigger("autocompleted",s.raw,s.datasetName))},_select:function(t,e){void 0!==t.value&&this.input.setQuery(t.value),this.clearOnSelected?this.setVal(""):this.input.setInputValue(t.value,!0),this._setLanguageDirection(),!1===this.eventBus.trigger("selected",t.raw,t.datasetName,e).isDefaultPrevented()&&(this.dropdown.close(),s.defer(s.bind(this.dropdown.empty,this.dropdown)))},open:function(){if(!this.isActivated){var t=this.input.getInputValue();t.length>=this.minLength?this.dropdown.update(t):this.dropdown.empty()}this.dropdown.open()},close:function(){this.dropdown.close()},setVal:function(t){t=s.toStr(t),this.isActivated?this.input.setInputValue(t):(this.input.setQuery(t),this.input.setInputValue(t,!0)),this._setLanguageDirection()},getVal:function(){return this.input.getQuery()},destroy:function(){this.input.destroy(),this.dropdown.destroy(),function(t,e){var n=t.find(s.className(e.prefix,e.input));s.each(n.data(i),(function(t,e){void 0===t?n.removeAttr(e):n.attr(e,t)})),n.detach().removeClass(s.className(e.prefix,e.input,!0)).insertAfter(t),n.removeData&&n.removeData(i);t.remove()}(this.$node,this.cssClasses),this.$node=null},getWrapper:function(){return this.dropdown.$container[0]}}),h.Dropdown=u,h.Input=a,h.sources=n(8840),t.exports=h},4910:t=>{"use strict";t.exports={element:null}},6177:t=>{"use strict";t.exports=function(t){var e=t.match(/Algolia for JavaScript \((\d+\.)(\d+\.)(\d+)\)/)||t.match(/Algolia for vanilla JavaScript (\d+\.)(\d+\.)(\d+)/);if(e)return[e[1],e[2],e[3]]}},2856:(t,e,n)=>{"use strict";var i,s=n(8820),r=n(4910);function o(t){return t.replace(/[\-\[\]\/\{\}\(\)\*\+\?\.\\\^\$\|]/g,"\\$&")}t.exports={isArray:null,isFunction:null,isObject:null,bind:null,each:null,map:null,mixin:null,isMsie:function(t){if(void 0===t&&(t=navigator.userAgent),/(msie|trident)/i.test(t)){var e=t.match(/(msie |rv:)(\d+(.\d+)?)/i);if(e)return e[2]}return!1},escapeRegExChars:function(t){return t.replace(/[\-\[\]\/\{\}\(\)\*\+\?\.\\\^\$\|]/g,"\\$&")},isNumber:function(t){return"number"==typeof t},toStr:function(t){return null==t?"":t+""},cloneDeep:function(t){var e=this.mixin({},t),n=this;return this.each(e,(function(t,i){t&&(n.isArray(t)?e[i]=[].concat(t):n.isObject(t)&&(e[i]=n.cloneDeep(t)))})),e},error:function(t){throw new Error(t)},every:function(t,e){var n=!0;return t?(this.each(t,(function(i,s){n&&(n=e.call(null,i,s,t)&&n)})),!!n):n},any:function(t,e){var n=!1;return t?(this.each(t,(function(i,s){if(e.call(null,i,s,t))return n=!0,!1})),n):n},getUniqueId:(i=0,function(){return i++}),templatify:function(t){if(this.isFunction(t))return t;var e=r.element(t);return"SCRIPT"===e.prop("tagName")?function(){return e.text()}:function(){return String(t)}},defer:function(t){setTimeout(t,0)},noop:function(){},formatPrefix:function(t,e){return e?"":t+"-"},className:function(t,e,n){return n?t+e:"."+s(t+e,{isIdentifier:!0})},escapeHighlightedString:function(t,e,n){e=e||"<em>";var i=document.createElement("div");i.appendChild(document.createTextNode(e)),n=n||"</em>";var s=document.createElement("div");s.appendChild(document.createTextNode(n));var r=document.createElement("div");return r.appendChild(document.createTextNode(t)),r.innerHTML.replace(RegExp(o(i.innerHTML),"g"),e).replace(RegExp(o(s.innerHTML),"g"),n)}}},9983:(t,e,n)=>{"use strict";var i=n(2856),s=n(533),r=n(6177);var o,a,u=(o=[],a=window.Promise.resolve(),function(t,e){return function(n,s){(function(t,e){return window.Promise.resolve().then((function(){return o.length&&(a=t.search(o),o=[]),a})).then((function(t){if(t)return t.results[e]}))})(t.as,o.push({indexName:t.indexName,query:n,params:e})-1).then((function(t){t&&s(t.hits,t)})).catch((function(t){i.error(t.message)}))}});t.exports=function(t,e){var n=r(t.as._ua);if(n&&n[0]>=3&&n[1]>20){var i="autocomplete.js "+s;-1===t.as._ua.indexOf(i)&&(t.as._ua+="; "+i)}return u(t,e)}},8840:(t,e,n)=>{"use strict";t.exports={hits:n(9983),popularIn:n(4445)}},4445:(t,e,n)=>{"use strict";var i=n(2856),s=n(533),r=n(6177);t.exports=function(t,e,n,o){var a=r(t.as._ua);if(a&&a[0]>=3&&a[1]>20&&((e=e||{}).additionalUA="autocomplete.js "+s),!n.source)return i.error("Missing 'source' key");var u=i.isFunction(n.source)?n.source:function(t){return t[n.source]};if(!n.index)return i.error("Missing 'index' key");var c=n.index;return o=o||{},function(a,l){t.search(a,e,(function(t,a){if(t)i.error(t.message);else{if(a.hits.length>0){var h=a.hits[0],p=i.mixin({hitsPerPage:0},n);delete p.source,delete p.index;var f=r(c.as._ua);return f&&f[0]>=3&&f[1]>20&&(e.additionalUA="autocomplete.js "+s),void c.search(u(h),p,(function(t,e){if(t)i.error(t.message);else{var n=[];if(o.includeAll){var s=o.allTitle||"All departments";n.push(i.mixin({facet:{value:s,count:e.nbHits}},i.cloneDeep(h)))}i.each(e.facets,(function(t,e){i.each(t,(function(t,s){n.push(i.mixin({facet:{facet:e,value:s,count:t}},i.cloneDeep(h)))}))}));for(var r=1;r<a.hits.length;++r)n.push(a.hits[r]);l(n,a)}}))}l([])}}))}}},295:(t,e,n)=>{"use strict";var i=n(6990);n(4910).element=i;var s=n(2856);s.isArray=i.isArray,s.isFunction=i.isFunction,s.isObject=i.isPlainObject,s.bind=i.proxy,s.each=function(t,e){i.each(t,(function(t,n){return e(n,t)}))},s.map=i.map,s.mixin=i.extend,s.Event=i.Event;var r="aaAutocomplete",o=n(6549),a=n(50);function u(t,e,n,u){n=s.isArray(n)?n:[].slice.call(arguments,2);var c=i(t).each((function(t,s){var c=i(s),l=new a({el:c}),h=u||new o({input:c,eventBus:l,dropdownMenuContainer:e.dropdownMenuContainer,hint:void 0===e.hint||!!e.hint,minLength:e.minLength,autoselect:e.autoselect,autoselectOnBlur:e.autoselectOnBlur,tabAutocomplete:e.tabAutocomplete,openOnFocus:e.openOnFocus,templates:e.templates,debug:e.debug,clearOnSelected:e.clearOnSelected,cssClasses:e.cssClasses,datasets:n,keyboardShortcuts:e.keyboardShortcuts,appendTo:e.appendTo,autoWidth:e.autoWidth,ariaLabel:e.ariaLabel||s.getAttribute("aria-label")});c.data(r,h)}));return c.autocomplete={},s.each(["open","close","getVal","setVal","destroy","getWrapper"],(function(t){c.autocomplete[t]=function(){var e,n=arguments;return c.each((function(s,o){var a=i(o).data(r);e=a[t].apply(a,n)})),e}})),c}u.sources=o.sources,u.escapeHighlightedString=s.escapeHighlightedString;var c="autocomplete"in window,l=window.autocomplete;u.noConflict=function(){return c?window.autocomplete=l:delete window.autocomplete,u},t.exports=u},533:t=>{t.exports="0.38.1"},6990:t=>{var e;e=window,t.exports=function(t){var e,n,i=function(){var e,n,i,s,r,o,a=[],u=a.concat,c=a.filter,l=a.slice,h=t.document,p={},f={},d={"column-count":1,columns:1,"font-weight":1,"line-height":1,opacity:1,"z-index":1,zoom:1},g=/^\s*<(\w+|!)[^>]*>/,m=/^<(\w+)\s*\/?>(?:<\/\1>|)$/,v=/<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:]+)[^>]*)\/>/gi,y=/^(?:body|html)$/i,w=/([A-Z])/g,b=["val","css","html","text","data","width","height","offset"],C=["after","prepend","before","append"],x=h.createElement("table"),_=h.createElement("tr"),S={tr:h.createElement("tbody"),tbody:x,thead:x,tfoot:x,td:_,th:_,"*":h.createElement("div")},E=/complete|loaded|interactive/,A=/^[\w-]*$/,$={},T=$.toString,O={},D=h.createElement("div"),N={tabindex:"tabIndex",readonly:"readOnly",for:"htmlFor",class:"className",maxlength:"maxLength",cellspacing:"cellSpacing",cellpadding:"cellPadding",rowspan:"rowSpan",colspan:"colSpan",usemap:"useMap",frameborder:"frameBorder",contenteditable:"contentEditable"},k=Array.isArray||function(t){return t instanceof Array};function I(t){return null==t?String(t):$[T.call(t)]||"object"}function P(t){return"function"==I(t)}function L(t){return null!=t&&t==t.window}function M(t){return null!=t&&t.nodeType==t.DOCUMENT_NODE}function F(t){return"object"==I(t)}function R(t){return F(t)&&!L(t)&&Object.getPrototypeOf(t)==Object.prototype}function q(t){var e=!!t&&"length"in t&&t.length,n=i.type(t);return"function"!=n&&!L(t)&&("array"==n||0===e||"number"==typeof e&&e>0&&e-1 in t)}function V(t){return c.call(t,(function(t){return null!=t}))}function H(t){return t.length>0?i.fn.concat.apply([],t):t}function B(t){return t.replace(/::/g,"/").replace(/([A-Z]+)([A-Z][a-z])/g,"$1_$2").replace(/([a-z\d])([A-Z])/g,"$1_$2").replace(/_/g,"-").toLowerCase()}function K(t){return t in f?f[t]:f[t]=new RegExp("(^|\\s)"+t+"(\\s|$)")}function j(t,e){return"number"!=typeof e||d[B(t)]?e:e+"px"}function z(t){var e,n;return p[t]||(e=h.createElement(t),h.body.appendChild(e),n=getComputedStyle(e,"").getPropertyValue("display"),e.parentNode.removeChild(e),"none"==n&&(n="block"),p[t]=n),p[t]}function U(t){return"children"in t?l.call(t.children):i.map(t.childNodes,(function(t){if(1==t.nodeType)return t}))}function Q(t,e){var n,i=t?t.length:0;for(n=0;n<i;n++)this[n]=t[n];this.length=i,this.selector=e||""}function W(t,i,s){for(n in i)s&&(R(i[n])||k(i[n]))?(R(i[n])&&!R(t[n])&&(t[n]={}),k(i[n])&&!k(t[n])&&(t[n]=[]),W(t[n],i[n],s)):i[n]!==e&&(t[n]=i[n])}function Z(t,e){return null==e?i(t):i(t).filter(e)}function X(t,e,n,i){return P(e)?e.call(t,n,i):e}function G(t,e,n){null==n?t.removeAttribute(e):t.setAttribute(e,n)}function J(t,n){var i=t.className||"",s=i&&i.baseVal!==e;if(n===e)return s?i.baseVal:i;s?i.baseVal=n:t.className=n}function Y(t){try{return t?"true"==t||"false"!=t&&("null"==t?null:+t+""==t?+t:/^[\[\{]/.test(t)?i.parseJSON(t):t):t}catch(e){return t}}function tt(t,e){e(t);for(var n=0,i=t.childNodes.length;n<i;n++)tt(t.childNodes[n],e)}return O.matches=function(t,e){if(!e||!t||1!==t.nodeType)return!1;var n=t.matches||t.webkitMatchesSelector||t.mozMatchesSelector||t.oMatchesSelector||t.matchesSelector;if(n)return n.call(t,e);var i,s=t.parentNode,r=!s;return r&&(s=D).appendChild(t),i=~O.qsa(s,e).indexOf(t),r&&D.removeChild(t),i},r=function(t){return t.replace(/-+(.)?/g,(function(t,e){return e?e.toUpperCase():""}))},o=function(t){return c.call(t,(function(e,n){return t.indexOf(e)==n}))},O.fragment=function(t,n,s){var r,o,a;return m.test(t)&&(r=i(h.createElement(RegExp.$1))),r||(t.replace&&(t=t.replace(v,"<$1></$2>")),n===e&&(n=g.test(t)&&RegExp.$1),n in S||(n="*"),(a=S[n]).innerHTML=""+t,r=i.each(l.call(a.childNodes),(function(){a.removeChild(this)}))),R(s)&&(o=i(r),i.each(s,(function(t,e){b.indexOf(t)>-1?o[t](e):o.attr(t,e)}))),r},O.Z=function(t,e){return new Q(t,e)},O.isZ=function(t){return t instanceof O.Z},O.init=function(t,n){var s;if(!t)return O.Z();if("string"==typeof t)if("<"==(t=t.trim())[0]&&g.test(t))s=O.fragment(t,RegExp.$1,n),t=null;else{if(n!==e)return i(n).find(t);s=O.qsa(h,t)}else{if(P(t))return i(h).ready(t);if(O.isZ(t))return t;if(k(t))s=V(t);else if(F(t))s=[t],t=null;else if(g.test(t))s=O.fragment(t.trim(),RegExp.$1,n),t=null;else{if(n!==e)return i(n).find(t);s=O.qsa(h,t)}}return O.Z(s,t)},(i=function(t,e){return O.init(t,e)}).extend=function(t){var e,n=l.call(arguments,1);return"boolean"==typeof t&&(e=t,t=n.shift()),n.forEach((function(n){W(t,n,e)})),t},O.qsa=function(t,e){var n,i="#"==e[0],s=!i&&"."==e[0],r=i||s?e.slice(1):e,o=A.test(r);return t.getElementById&&o&&i?(n=t.getElementById(r))?[n]:[]:1!==t.nodeType&&9!==t.nodeType&&11!==t.nodeType?[]:l.call(o&&!i&&t.getElementsByClassName?s?t.getElementsByClassName(r):t.getElementsByTagName(e):t.querySelectorAll(e))},i.contains=h.documentElement.contains?function(t,e){return t!==e&&t.contains(e)}:function(t,e){for(;e&&(e=e.parentNode);)if(e===t)return!0;return!1},i.type=I,i.isFunction=P,i.isWindow=L,i.isArray=k,i.isPlainObject=R,i.isEmptyObject=function(t){var e;for(e in t)return!1;return!0},i.isNumeric=function(t){var e=Number(t),n=typeof t;return null!=t&&"boolean"!=n&&("string"!=n||t.length)&&!isNaN(e)&&isFinite(e)||!1},i.inArray=function(t,e,n){return a.indexOf.call(e,t,n)},i.camelCase=r,i.trim=function(t){return null==t?"":String.prototype.trim.call(t)},i.uuid=0,i.support={},i.expr={},i.noop=function(){},i.map=function(t,e){var n,i,s,r=[];if(q(t))for(i=0;i<t.length;i++)null!=(n=e(t[i],i))&&r.push(n);else for(s in t)null!=(n=e(t[s],s))&&r.push(n);return H(r)},i.each=function(t,e){var n,i;if(q(t)){for(n=0;n<t.length;n++)if(!1===e.call(t[n],n,t[n]))return t}else for(i in t)if(!1===e.call(t[i],i,t[i]))return t;return t},i.grep=function(t,e){return c.call(t,e)},t.JSON&&(i.parseJSON=JSON.parse),i.each("Boolean Number String Function Array Date RegExp Object Error".split(" "),(function(t,e){$["[object "+e+"]"]=e.toLowerCase()})),i.fn={constructor:O.Z,length:0,forEach:a.forEach,reduce:a.reduce,push:a.push,sort:a.sort,splice:a.splice,indexOf:a.indexOf,concat:function(){var t,e,n=[];for(t=0;t<arguments.length;t++)e=arguments[t],n[t]=O.isZ(e)?e.toArray():e;return u.apply(O.isZ(this)?this.toArray():this,n)},map:function(t){return i(i.map(this,(function(e,n){return t.call(e,n,e)})))},slice:function(){return i(l.apply(this,arguments))},ready:function(t){return E.test(h.readyState)&&h.body?t(i):h.addEventListener("DOMContentLoaded",(function(){t(i)}),!1),this},get:function(t){return t===e?l.call(this):this[t>=0?t:t+this.length]},toArray:function(){return this.get()},size:function(){return this.length},remove:function(){return this.each((function(){null!=this.parentNode&&this.parentNode.removeChild(this)}))},each:function(t){return a.every.call(this,(function(e,n){return!1!==t.call(e,n,e)})),this},filter:function(t){return P(t)?this.not(this.not(t)):i(c.call(this,(function(e){return O.matches(e,t)})))},add:function(t,e){return i(o(this.concat(i(t,e))))},is:function(t){return this.length>0&&O.matches(this[0],t)},not:function(t){var n=[];if(P(t)&&t.call!==e)this.each((function(e){t.call(this,e)||n.push(this)}));else{var s="string"==typeof t?this.filter(t):q(t)&&P(t.item)?l.call(t):i(t);this.forEach((function(t){s.indexOf(t)<0&&n.push(t)}))}return i(n)},has:function(t){return this.filter((function(){return F(t)?i.contains(this,t):i(this).find(t).size()}))},eq:function(t){return-1===t?this.slice(t):this.slice(t,+t+1)},first:function(){var t=this[0];return t&&!F(t)?t:i(t)},last:function(){var t=this[this.length-1];return t&&!F(t)?t:i(t)},find:function(t){var e=this;return t?"object"==typeof t?i(t).filter((function(){var t=this;return a.some.call(e,(function(e){return i.contains(e,t)}))})):1==this.length?i(O.qsa(this[0],t)):this.map((function(){return O.qsa(this,t)})):i()},closest:function(t,e){var n=[],s="object"==typeof t&&i(t);return this.each((function(i,r){for(;r&&!(s?s.indexOf(r)>=0:O.matches(r,t));)r=r!==e&&!M(r)&&r.parentNode;r&&n.indexOf(r)<0&&n.push(r)})),i(n)},parents:function(t){for(var e=[],n=this;n.length>0;)n=i.map(n,(function(t){if((t=t.parentNode)&&!M(t)&&e.indexOf(t)<0)return e.push(t),t}));return Z(e,t)},parent:function(t){return Z(o(this.pluck("parentNode")),t)},children:function(t){return Z(this.map((function(){return U(this)})),t)},contents:function(){return this.map((function(){return this.contentDocument||l.call(this.childNodes)}))},siblings:function(t){return Z(this.map((function(t,e){return c.call(U(e.parentNode),(function(t){return t!==e}))})),t)},empty:function(){return this.each((function(){this.innerHTML=""}))},pluck:function(t){return i.map(this,(function(e){return e[t]}))},show:function(){return this.each((function(){"none"==this.style.display&&(this.style.display=""),"none"==getComputedStyle(this,"").getPropertyValue("display")&&(this.style.display=z(this.nodeName))}))},replaceWith:function(t){return this.before(t).remove()},wrap:function(t){var e=P(t);if(this[0]&&!e)var n=i(t).get(0),s=n.parentNode||this.length>1;return this.each((function(r){i(this).wrapAll(e?t.call(this,r):s?n.cloneNode(!0):n)}))},wrapAll:function(t){if(this[0]){var e;for(i(this[0]).before(t=i(t));(e=t.children()).length;)t=e.first();i(t).append(this)}return this},wrapInner:function(t){var e=P(t);return this.each((function(n){var s=i(this),r=s.contents(),o=e?t.call(this,n):t;r.length?r.wrapAll(o):s.append(o)}))},unwrap:function(){return this.parent().each((function(){i(this).replaceWith(i(this).children())})),this},clone:function(){return this.map((function(){return this.cloneNode(!0)}))},hide:function(){return this.css("display","none")},toggle:function(t){return this.each((function(){var n=i(this);(t===e?"none"==n.css("display"):t)?n.show():n.hide()}))},prev:function(t){return i(this.pluck("previousElementSibling")).filter(t||"*")},next:function(t){return i(this.pluck("nextElementSibling")).filter(t||"*")},html:function(t){return 0 in arguments?this.each((function(e){var n=this.innerHTML;i(this).empty().append(X(this,t,e,n))})):0 in this?this[0].innerHTML:null},text:function(t){return 0 in arguments?this.each((function(e){var n=X(this,t,e,this.textContent);this.textContent=null==n?"":""+n})):0 in this?this.pluck("textContent").join(""):null},attr:function(t,i){var s;return"string"!=typeof t||1 in arguments?this.each((function(e){if(1===this.nodeType)if(F(t))for(n in t)G(this,n,t[n]);else G(this,t,X(this,i,e,this.getAttribute(t)))})):0 in this&&1==this[0].nodeType&&null!=(s=this[0].getAttribute(t))?s:e},removeAttr:function(t){return this.each((function(){1===this.nodeType&&t.split(" ").forEach((function(t){G(this,t)}),this)}))},prop:function(t,e){return t=N[t]||t,1 in arguments?this.each((function(n){this[t]=X(this,e,n,this[t])})):this[0]&&this[0][t]},removeProp:function(t){return t=N[t]||t,this.each((function(){delete this[t]}))},data:function(t,n){var i="data-"+t.replace(w,"-$1").toLowerCase(),s=1 in arguments?this.attr(i,n):this.attr(i);return null!==s?Y(s):e},val:function(t){return 0 in arguments?(null==t&&(t=""),this.each((function(e){this.value=X(this,t,e,this.value)}))):this[0]&&(this[0].multiple?i(this[0]).find("option").filter((function(){return this.selected})).pluck("value"):this[0].value)},offset:function(e){if(e)return this.each((function(t){var n=i(this),s=X(this,e,t,n.offset()),r=n.offsetParent().offset(),o={top:s.top-r.top,left:s.left-r.left};"static"==n.css("position")&&(o.position="relative"),n.css(o)}));if(!this.length)return null;if(h.documentElement!==this[0]&&!i.contains(h.documentElement,this[0]))return{top:0,left:0};var n=this[0].getBoundingClientRect();return{left:n.left+t.pageXOffset,top:n.top+t.pageYOffset,width:Math.round(n.width),height:Math.round(n.height)}},css:function(t,e){if(arguments.length<2){var s=this[0];if("string"==typeof t){if(!s)return;return s.style[r(t)]||getComputedStyle(s,"").getPropertyValue(t)}if(k(t)){if(!s)return;var o={},a=getComputedStyle(s,"");return i.each(t,(function(t,e){o[e]=s.style[r(e)]||a.getPropertyValue(e)})),o}}var u="";if("string"==I(t))e||0===e?u=B(t)+":"+j(t,e):this.each((function(){this.style.removeProperty(B(t))}));else for(n in t)t[n]||0===t[n]?u+=B(n)+":"+j(n,t[n])+";":this.each((function(){this.style.removeProperty(B(n))}));return this.each((function(){this.style.cssText+=";"+u}))},index:function(t){return t?this.indexOf(i(t)[0]):this.parent().children().indexOf(this[0])},hasClass:function(t){return!!t&&a.some.call(this,(function(t){return this.test(J(t))}),K(t))},addClass:function(t){return t?this.each((function(e){if("className"in this){s=[];var n=J(this);X(this,t,e,n).split(/\s+/g).forEach((function(t){i(this).hasClass(t)||s.push(t)}),this),s.length&&J(this,n+(n?" ":"")+s.join(" "))}})):this},removeClass:function(t){return this.each((function(n){if("className"in this){if(t===e)return J(this,"");s=J(this),X(this,t,n,s).split(/\s+/g).forEach((function(t){s=s.replace(K(t)," ")})),J(this,s.trim())}}))},toggleClass:function(t,n){return t?this.each((function(s){var r=i(this);X(this,t,s,J(this)).split(/\s+/g).forEach((function(t){(n===e?!r.hasClass(t):n)?r.addClass(t):r.removeClass(t)}))})):this},scrollTop:function(t){if(this.length){var n="scrollTop"in this[0];return t===e?n?this[0].scrollTop:this[0].pageYOffset:this.each(n?function(){this.scrollTop=t}:function(){this.scrollTo(this.scrollX,t)})}},scrollLeft:function(t){if(this.length){var n="scrollLeft"in this[0];return t===e?n?this[0].scrollLeft:this[0].pageXOffset:this.each(n?function(){this.scrollLeft=t}:function(){this.scrollTo(t,this.scrollY)})}},position:function(){if(this.length){var t=this[0],e=this.offsetParent(),n=this.offset(),s=y.test(e[0].nodeName)?{top:0,left:0}:e.offset();return n.top-=parseFloat(i(t).css("margin-top"))||0,n.left-=parseFloat(i(t).css("margin-left"))||0,s.top+=parseFloat(i(e[0]).css("border-top-width"))||0,s.left+=parseFloat(i(e[0]).css("border-left-width"))||0,{top:n.top-s.top,left:n.left-s.left}}},offsetParent:function(){return this.map((function(){for(var t=this.offsetParent||h.body;t&&!y.test(t.nodeName)&&"static"==i(t).css("position");)t=t.offsetParent;return t}))}},i.fn.detach=i.fn.remove,["width","height"].forEach((function(t){var n=t.replace(/./,(function(t){return t[0].toUpperCase()}));i.fn[t]=function(s){var r,o=this[0];return s===e?L(o)?o["inner"+n]:M(o)?o.documentElement["scroll"+n]:(r=this.offset())&&r[t]:this.each((function(e){(o=i(this)).css(t,X(this,s,e,o[t]()))}))}})),C.forEach((function(n,s){var r=s%2;i.fn[n]=function(){var n,o,a=i.map(arguments,(function(t){var s=[];return"array"==(n=I(t))?(t.forEach((function(t){return t.nodeType!==e?s.push(t):i.zepto.isZ(t)?s=s.concat(t.get()):void(s=s.concat(O.fragment(t)))})),s):"object"==n||null==t?t:O.fragment(t)})),u=this.length>1;return a.length<1?this:this.each((function(e,n){o=r?n:n.parentNode,n=0==s?n.nextSibling:1==s?n.firstChild:2==s?n:null;var c=i.contains(h.documentElement,o);a.forEach((function(e){if(u)e=e.cloneNode(!0);else if(!o)return i(e).remove();o.insertBefore(e,n),c&&tt(e,(function(e){if(!(null==e.nodeName||"SCRIPT"!==e.nodeName.toUpperCase()||e.type&&"text/javascript"!==e.type||e.src)){var n=e.ownerDocument?e.ownerDocument.defaultView:t;n.eval.call(n,e.innerHTML)}}))}))}))},i.fn[r?n+"To":"insert"+(s?"Before":"After")]=function(t){return i(t)[n](this),this}})),O.Z.prototype=Q.prototype=i.fn,O.uniq=o,O.deserializeValue=Y,i.zepto=O,i}();return function(e){var n,i=1,s=Array.prototype.slice,r=e.isFunction,o=function(t){return"string"==typeof t},a={},u={},c="onfocusin"in t,l={focus:"focusin",blur:"focusout"},h={mouseenter:"mouseover",mouseleave:"mouseout"};function p(t){return t._zid||(t._zid=i++)}function f(t,e,n,i){if((e=d(e)).ns)var s=g(e.ns);return(a[p(t)]||[]).filter((function(t){return t&&(!e.e||t.e==e.e)&&(!e.ns||s.test(t.ns))&&(!n||p(t.fn)===p(n))&&(!i||t.sel==i)}))}function d(t){var e=(""+t).split(".");return{e:e[0],ns:e.slice(1).sort().join(" ")}}function g(t){return new RegExp("(?:^| )"+t.replace(" "," .* ?")+"(?: |$)")}function m(t,e){return t.del&&!c&&t.e in l||!!e}function v(t){return h[t]||c&&l[t]||t}function y(t,i,s,r,o,u,c){var l=p(t),f=a[l]||(a[l]=[]);i.split(/\s/).forEach((function(i){if("ready"==i)return e(document).ready(s);var a=d(i);a.fn=s,a.sel=o,a.e in h&&(s=function(t){var n=t.relatedTarget;if(!n||n!==this&&!e.contains(this,n))return a.fn.apply(this,arguments)}),a.del=u;var l=u||s;a.proxy=function(e){if(!(e=S(e)).isImmediatePropagationStopped()){try{var i=Object.getOwnPropertyDescriptor(e,"data");i&&!i.writable||(e.data=r)}catch(e){}var s=l.apply(t,e._args==n?[e]:[e].concat(e._args));return!1===s&&(e.preventDefault(),e.stopPropagation()),s}},a.i=f.length,f.push(a),"addEventListener"in t&&t.addEventListener(v(a.e),a.proxy,m(a,c))}))}function w(t,e,n,i,s){var r=p(t);(e||"").split(/\s/).forEach((function(e){f(t,e,n,i).forEach((function(e){delete a[r][e.i],"removeEventListener"in t&&t.removeEventListener(v(e.e),e.proxy,m(e,s))}))}))}u.click=u.mousedown=u.mouseup=u.mousemove="MouseEvents",e.event={add:y,remove:w},e.proxy=function(t,n){var i=2 in arguments&&s.call(arguments,2);if(r(t)){var a=function(){return t.apply(n,i?i.concat(s.call(arguments)):arguments)};return a._zid=p(t),a}if(o(n))return i?(i.unshift(t[n],t),e.proxy.apply(null,i)):e.proxy(t[n],t);throw new TypeError("expected function")},e.fn.bind=function(t,e,n){return this.on(t,e,n)},e.fn.unbind=function(t,e){return this.off(t,e)},e.fn.one=function(t,e,n,i){return this.on(t,e,n,i,1)};var b=function(){return!0},C=function(){return!1},x=/^([A-Z]|returnValue$|layer[XY]$|webkitMovement[XY]$)/,_={preventDefault:"isDefaultPrevented",stopImmediatePropagation:"isImmediatePropagationStopped",stopPropagation:"isPropagationStopped"};function S(t,i){if(i||!t.isDefaultPrevented){i||(i=t),e.each(_,(function(e,n){var s=i[e];t[e]=function(){return this[n]=b,s&&s.apply(i,arguments)},t[n]=C}));try{t.timeStamp||(t.timeStamp=Date.now())}catch(s){}(i.defaultPrevented!==n?i.defaultPrevented:"returnValue"in i?!1===i.returnValue:i.getPreventDefault&&i.getPreventDefault())&&(t.isDefaultPrevented=b)}return t}function E(t){var e,i={originalEvent:t};for(e in t)x.test(e)||t[e]===n||(i[e]=t[e]);return S(i,t)}e.fn.delegate=function(t,e,n){return this.on(e,t,n)},e.fn.undelegate=function(t,e,n){return this.off(e,t,n)},e.fn.live=function(t,n){return e(document.body).delegate(this.selector,t,n),this},e.fn.die=function(t,n){return e(document.body).undelegate(this.selector,t,n),this},e.fn.on=function(t,i,a,u,c){var l,h,p=this;return t&&!o(t)?(e.each(t,(function(t,e){p.on(t,i,a,e,c)})),p):(o(i)||r(u)||!1===u||(u=a,a=i,i=n),u!==n&&!1!==a||(u=a,a=n),!1===u&&(u=C),p.each((function(n,r){c&&(l=function(t){return w(r,t.type,u),u.apply(this,arguments)}),i&&(h=function(t){var n,o=e(t.target).closest(i,r).get(0);if(o&&o!==r)return n=e.extend(E(t),{currentTarget:o,liveFired:r}),(l||u).apply(o,[n].concat(s.call(arguments,1)))}),y(r,t,u,a,i,h||l)})))},e.fn.off=function(t,i,s){var a=this;return t&&!o(t)?(e.each(t,(function(t,e){a.off(t,i,e)})),a):(o(i)||r(s)||!1===s||(s=i,i=n),!1===s&&(s=C),a.each((function(){w(this,t,s,i)})))},e.fn.trigger=function(t,n){return(t=o(t)||e.isPlainObject(t)?e.Event(t):S(t))._args=n,this.each((function(){t.type in l&&"function"==typeof this[t.type]?this[t.type]():"dispatchEvent"in this?this.dispatchEvent(t):e(this).triggerHandler(t,n)}))},e.fn.triggerHandler=function(t,n){var i,s;return this.each((function(r,a){(i=E(o(t)?e.Event(t):t))._args=n,i.target=a,e.each(f(a,t.type||t),(function(t,e){if(s=e.proxy(i),i.isImmediatePropagationStopped())return!1}))})),s},"focusin focusout focus blur load resize scroll unload click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select keydown keypress keyup error".split(" ").forEach((function(t){e.fn[t]=function(e){return 0 in arguments?this.bind(t,e):this.trigger(t)}})),e.Event=function(t,e){o(t)||(t=(e=t).type);var n=document.createEvent(u[t]||"Events"),i=!0;if(e)for(var s in e)"bubbles"==s?i=!!e[s]:n[s]=e[s];return n.initEvent(t,i,!0),S(n)}}(i),n=[],i.fn.remove=function(){return this.each((function(){this.parentNode&&("IMG"===this.tagName&&(n.push(this),this.src="data:image/gif;base64,R0lGODlhAQABAAD/ACwAAAAAAQABAAACADs=",e&&clearTimeout(e),e=setTimeout((function(){n=[]}),6e4)),this.parentNode.removeChild(this))}))},function(t){var e={},n=t.fn.data,i=t.camelCase,s=t.expando="Zepto"+ +new Date,r=[];function o(r,o){var u=r[s],c=u&&e[u];if(void 0===o)return c||a(r);if(c){if(o in c)return c[o];var l=i(o);if(l in c)return c[l]}return n.call(t(r),o)}function a(n,r,o){var a=n[s]||(n[s]=++t.uuid),c=e[a]||(e[a]=u(n));return void 0!==r&&(c[i(r)]=o),c}function u(e){var n={};return t.each(e.attributes||r,(function(e,s){0==s.name.indexOf("data-")&&(n[i(s.name.replace("data-",""))]=t.zepto.deserializeValue(s.value))})),n}t.fn.data=function(e,n){return void 0===n?t.isPlainObject(e)?this.each((function(n,i){t.each(e,(function(t,e){a(i,t,e)}))})):0 in this?o(this[0],e):void 0:this.each((function(){a(this,e,n)}))},t.data=function(e,n,i){return t(e).data(n,i)},t.hasData=function(n){var i=n[s],r=i&&e[i];return!!r&&!t.isEmptyObject(r)},t.fn.removeData=function(n){return"string"==typeof n&&(n=n.split(/\s+/)),this.each((function(){var r=this[s],o=r&&e[r];o&&t.each(n||o,(function(t){delete o[n?i(this):t]}))}))},["remove","empty"].forEach((function(e){var n=t.fn[e];t.fn[e]=function(){var t=this.find("*");return"remove"===e&&(t=t.add(this)),t.removeData(),n.call(this)}}))}(i),i}(e)},8820:t=>{"use strict";var e={}.hasOwnProperty,n=/[ -,\.\/:-@\[-\^`\{-~]/,i=/[ -,\.\/:-@\[\]\^`\{-~]/,s=/(^|\\+)?(\\[A-F0-9]{1,6})\x20(?![a-fA-F0-9\x20])/g,r=function t(r,o){"single"!=(o=function(t,n){if(!t)return n;var i={};for(var s in n)i[s]=e.call(t,s)?t[s]:n[s];return i}(o,t.options)).quotes&&"double"!=o.quotes&&(o.quotes="single");for(var a="double"==o.quotes?'"':"'",u=o.isIdentifier,c=r.charAt(0),l="",h=0,p=r.length;h<p;){var f=r.charAt(h++),d=f.charCodeAt(),g=void 0;if(d<32||d>126){if(d>=55296&&d<=56319&&h<p){var m=r.charCodeAt(h++);56320==(64512&m)?d=((1023&d)<<10)+(1023&m)+65536:h--}g="\\"+d.toString(16).toUpperCase()+" "}else g=o.escapeEverything?n.test(f)?"\\"+f:"\\"+d.toString(16).toUpperCase()+" ":/[\t\n\f\r\x0B]/.test(f)?"\\"+d.toString(16).toUpperCase()+" ":"\\"==f||!u&&('"'==f&&a==f||"'"==f&&a==f)||u&&i.test(f)?"\\"+f:f;l+=g}return u&&(/^-[-\d]/.test(l)?l="\\-"+l.slice(1):/\d/.test(c)&&(l="\\3"+c+" "+l.slice(1))),l=l.replace(s,(function(t,e,n){return e&&e.length%2?t:(e||"")+n})),!u&&o.wrap?a+l+a:l};r.options={escapeEverything:!1,isIdentifier:!1,quotes:"single",wrap:!1},r.version="3.0.0",t.exports=r},624:(t,e,n)=>{"use strict";var i,s,r,o=[n(5525),n(4785),n(8291),n(2709),n(2506),n(9176)],a=-1,u=[],c=!1;function l(){i&&s&&(i=!1,s.length?u=s.concat(u):a=-1,u.length&&h())}function h(){if(!i){c=!1,i=!0;for(var t=u.length,e=setTimeout(l);t;){for(s=u,u=[];s&&++a<t;)s[a].run();a=-1,t=u.length}s=null,a=-1,i=!1,clearTimeout(e)}}for(var p=-1,f=o.length;++p<f;)if(o[p]&&o[p].test&&o[p].test()){r=o[p].install(h);break}function d(t,e){this.fun=t,this.array=e}d.prototype.run=function(){var t=this.fun,e=this.array;switch(e.length){case 0:return t();case 1:return t(e[0]);case 2:return t(e[0],e[1]);case 3:return t(e[0],e[1],e[2]);default:return t.apply(null,e)}},t.exports=function(t){var e=new Array(arguments.length-1);if(arguments.length>1)for(var n=1;n<arguments.length;n++)e[n-1]=arguments[n];u.push(new d(t,e)),c||i||(c=!0,r())}},2709:(t,e,n)=>{"use strict";e.test=function(){return!n.g.setImmediate&&void 0!==n.g.MessageChannel},e.install=function(t){var e=new n.g.MessageChannel;return e.port1.onmessage=t,function(){e.port2.postMessage(0)}}},8291:(t,e,n)=>{"use strict";var i=n.g.MutationObserver||n.g.WebKitMutationObserver;e.test=function(){return i},e.install=function(t){var e=0,s=new i(t),r=n.g.document.createTextNode("");return s.observe(r,{characterData:!0}),function(){r.data=e=++e%2}}},4785:(t,e,n)=>{"use strict";e.test=function(){return"function"==typeof n.g.queueMicrotask},e.install=function(t){return function(){n.g.queueMicrotask(t)}}},2506:(t,e,n)=>{"use strict";e.test=function(){return"document"in n.g&&"onreadystatechange"in n.g.document.createElement("script")},e.install=function(t){return function(){var e=n.g.document.createElement("script");return e.onreadystatechange=function(){t(),e.onreadystatechange=null,e.parentNode.removeChild(e),e=null},n.g.document.documentElement.appendChild(e),t}}},9176:(t,e)=>{"use strict";e.test=function(){return!0},e.install=function(t){return function(){setTimeout(t,0)}}}}]); \ No newline at end of file diff --git a/kr/assets/js/8443.26559c8c.js.LICENSE.txt b/kr/assets/js/8443.a5d9c459.js.LICENSE.txt similarity index 100% rename from kr/assets/js/8443.26559c8c.js.LICENSE.txt rename to kr/assets/js/8443.a5d9c459.js.LICENSE.txt diff --git a/assets/js/893.bef64808.js b/kr/assets/js/893.c93e490f.js similarity index 99% rename from assets/js/893.bef64808.js rename to kr/assets/js/893.c93e490f.js index 80ba702b6..fd939b687 100644 --- a/assets/js/893.bef64808.js +++ b/kr/assets/js/893.c93e490f.js @@ -1898,7 +1898,7 @@ function preorder(g, vs) { } // EXTERNAL MODULE: ./node_modules/dagre-d3-es/src/graphlib/graph.js + 9 modules -var graph = __webpack_require__(2544); +var graph = __webpack_require__(4404); ;// CONCATENATED MODULE: ./node_modules/dagre-d3-es/src/graphlib/alg/prim.js @@ -4461,7 +4461,7 @@ function canonicalize(attrs) { /***/ }), -/***/ 2544: +/***/ 4404: /***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => { @@ -5274,7 +5274,7 @@ function edgeObjToId(isDirected, edgeObj) { /* harmony export */ k: () => (/* reexport safe */ _graph_js__WEBPACK_IMPORTED_MODULE_0__.k) /* harmony export */ }); /* unused harmony export version */ -/* harmony import */ var _graph_js__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(2544); +/* harmony import */ var _graph_js__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(4404); // Includes only the "core" of graphlib @@ -5342,7 +5342,7 @@ function clone(value) { // EXTERNAL MODULE: ./node_modules/lodash-es/map.js var map = __webpack_require__(3836); // EXTERNAL MODULE: ./node_modules/dagre-d3-es/src/graphlib/graph.js + 9 modules -var graph = __webpack_require__(2544); +var graph = __webpack_require__(4404); ;// CONCATENATED MODULE: ./node_modules/dagre-d3-es/src/graphlib/json.js diff --git a/kr/assets/js/914a16f4.1f47a5fa.js b/kr/assets/js/914a16f4.1f47a5fa.js deleted file mode 100644 index f6be76232..000000000 --- a/kr/assets/js/914a16f4.1f47a5fa.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7626],{6050:(e,n,o)=>{o.r(n),o.d(n,{assets:()=>l,contentTitle:()=>s,default:()=>p,frontMatter:()=>i,metadata:()=>a,toc:()=>c});var r=o(5893),t=o(1151);const i={title:"Flag Deprecation"},s=void 0,a={id:"reference/flag-deprecation",title:"Flag Deprecation",description:"K3s is a fast-moving project, and as such, we need a way to deprecate flags and configuration options. This page outlines the process for deprecating flags and configuration options. In order to ensure that users are not surprised by the removal of flags, the process is similar to the Kubernetes Deprecation Policy.",source:"@site/docs/reference/flag-deprecation.md",sourceDirName:"reference",slug:"/reference/flag-deprecation",permalink:"/kr/reference/flag-deprecation",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/reference/flag-deprecation.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Flag Deprecation"},sidebar:"mySidebar",previous:{title:"Environment Variables",permalink:"/kr/reference/env-variables"},next:{title:"Resource Profiling",permalink:"/kr/reference/resource-profiling"}},l={},c=[{value:"Process",id:"process",level:2},{value:"Example",id:"example",level:2}];function d(e){const n={a:"a",code:"code",h2:"h2",li:"li",ol:"ol",p:"p",pre:"pre",ul:"ul",...(0,t.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsxs)(n.p,{children:["K3s is a fast-moving project, and as such, we need a way to deprecate flags and configuration options. This page outlines the process for deprecating flags and configuration options. In order to ensure that users are not surprised by the removal of flags, the process is similar to the ",(0,r.jsx)(n.a,{href:"https://kubernetes.io/docs/reference/using-api/deprecation-policy/",children:"Kubernetes Deprecation Policy"}),"."]}),"\n",(0,r.jsx)(n.h2,{id:"process",children:"Process"}),"\n",(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsx)(n.li,{children:'Flags can be declared as "To Be Deprecated" at any time.'}),"\n",(0,r.jsx)(n.li,{children:'Flags that are "To Be Deprecated" must be labeled as such on the next patch of all currently supported releases. Additionally, the flag will begin to warn users that it is going to be deprecated in the next minor release.'}),"\n",(0,r.jsx)(n.li,{children:"On the next minor release, a flag will be marked as deprecated in the documentation and converted to a hidden flag in code. The flag will continue to operate and give warnings to users."}),"\n",(0,r.jsx)(n.li,{children:'In the following minor release branch, deprecated flags will become "nonoperational", causing a fatal error if used. This error must explain to the user any new flags or configuration that replace this flag.'}),"\n",(0,r.jsx)(n.li,{children:"In the next minor release, the nonoperational flags will be removed from documentation and code."}),"\n"]}),"\n",(0,r.jsx)(n.h2,{id:"example",children:"Example"}),"\n",(0,r.jsx)(n.p,{children:"An example of the process:"}),"\n",(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.code,{children:"--foo"})," exists in v1.22.14, v1.23.10, and v1.24.2."]}),"\n",(0,r.jsxs)(n.li,{children:["After the v1.24.2 release, it is decided to deprecate ",(0,r.jsx)(n.code,{children:"--foo"})," in favor of ",(0,r.jsx)(n.code,{children:"--new-foo"}),"."]}),"\n",(0,r.jsxs)(n.li,{children:["In v1.22.15, v1.23.11, and v1.24.3, ",(0,r.jsx)(n.code,{children:"--foo"})," continues to exist, but will warn users:","\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{children:"[Warning] --foo will be deprecated in v1.25.0, use `--new-foo` instead\n"})}),"\n",(0,r.jsx)(n.code,{children:"--foo"})," will continue to exist as an operational flag for the life of v1.22, v1.23 and v1.24."]}),"\n",(0,r.jsxs)(n.li,{children:["In v1.25.0, ",(0,r.jsx)(n.code,{children:"--foo"})," is marked as deprecated in documentation and will be hidden in code. It will continue to work and warn users to move to ",(0,r.jsx)(n.code,{children:"--new-foo"}),"."]}),"\n",(0,r.jsxs)(n.li,{children:["In v1.26.0, ",(0,r.jsx)(n.code,{children:"--foo"})," will cause a fatal error if used. The error message will say:","\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{children:"[Fatal] exit 1: --foo is no longer supported, use --new-foo instead\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["In v1.27.0, ",(0,r.jsx)(n.code,{children:"--foo"})," will be removed completely from all code and documentation."]}),"\n"]})]})}function p(e={}){const{wrapper:n}={...(0,t.a)(),...e.components};return n?(0,r.jsx)(n,{...e,children:(0,r.jsx)(d,{...e})}):d(e)}},1151:(e,n,o)=>{o.d(n,{Z:()=>a,a:()=>s});var r=o(7294);const t={},i=r.createContext(t);function s(e){const n=r.useContext(i);return r.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function a(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:s(e.components),r.createElement(i.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/914a16f4.ce008661.js b/kr/assets/js/914a16f4.ce008661.js new file mode 100644 index 000000000..542e6c8df --- /dev/null +++ b/kr/assets/js/914a16f4.ce008661.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7626],{6050:(e,n,o)=>{o.r(n),o.d(n,{assets:()=>l,contentTitle:()=>s,default:()=>p,frontMatter:()=>i,metadata:()=>a,toc:()=>c});var r=o(5893),t=o(1151);const i={title:"Flag Deprecation"},s=void 0,a={id:"reference/flag-deprecation",title:"Flag Deprecation",description:"K3s is a fast-moving project, and as such, we need a way to deprecate flags and configuration options. This page outlines the process for deprecating flags and configuration options. In order to ensure that users are not surprised by the removal of flags, the process is similar to the Kubernetes Deprecation Policy.",source:"@site/docs/reference/flag-deprecation.md",sourceDirName:"reference",slug:"/reference/flag-deprecation",permalink:"/kr/reference/flag-deprecation",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/reference/flag-deprecation.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Flag Deprecation"},sidebar:"mySidebar",previous:{title:"Environment Variables",permalink:"/kr/reference/env-variables"},next:{title:"Resource Profiling",permalink:"/kr/reference/resource-profiling"}},l={},c=[{value:"Process",id:"process",level:2},{value:"Example",id:"example",level:2}];function d(e){const n={a:"a",code:"code",h2:"h2",li:"li",ol:"ol",p:"p",pre:"pre",ul:"ul",...(0,t.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsxs)(n.p,{children:["K3s is a fast-moving project, and as such, we need a way to deprecate flags and configuration options. This page outlines the process for deprecating flags and configuration options. In order to ensure that users are not surprised by the removal of flags, the process is similar to the ",(0,r.jsx)(n.a,{href:"https://kubernetes.io/docs/reference/using-api/deprecation-policy/",children:"Kubernetes Deprecation Policy"}),"."]}),"\n",(0,r.jsx)(n.h2,{id:"process",children:"Process"}),"\n",(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsx)(n.li,{children:'Flags can be declared as "To Be Deprecated" at any time.'}),"\n",(0,r.jsx)(n.li,{children:'Flags that are "To Be Deprecated" must be labeled as such on the next patch of all currently supported releases. Additionally, the flag will begin to warn users that it is going to be deprecated in the next minor release.'}),"\n",(0,r.jsx)(n.li,{children:"On the next minor release, a flag will be marked as deprecated in the documentation and converted to a hidden flag in code. The flag will continue to operate and give warnings to users."}),"\n",(0,r.jsx)(n.li,{children:'In the following minor release branch, deprecated flags will become "nonoperational", causing a fatal error if used. This error must explain to the user any new flags or configuration that replace this flag.'}),"\n",(0,r.jsx)(n.li,{children:"In the next minor release, the nonoperational flags will be removed from documentation and code."}),"\n"]}),"\n",(0,r.jsx)(n.h2,{id:"example",children:"Example"}),"\n",(0,r.jsx)(n.p,{children:"An example of the process:"}),"\n",(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.code,{children:"--foo"})," exists in v1.22.14, v1.23.10, and v1.24.2."]}),"\n",(0,r.jsxs)(n.li,{children:["After the v1.24.2 release, it is decided to deprecate ",(0,r.jsx)(n.code,{children:"--foo"})," in favor of ",(0,r.jsx)(n.code,{children:"--new-foo"}),"."]}),"\n",(0,r.jsxs)(n.li,{children:["In v1.22.15, v1.23.11, and v1.24.3, ",(0,r.jsx)(n.code,{children:"--foo"})," continues to exist, but will warn users:","\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{children:"[Warning] --foo will be deprecated in v1.25.0, use `--new-foo` instead\n"})}),"\n",(0,r.jsx)(n.code,{children:"--foo"})," will continue to exist as an operational flag for the life of v1.22, v1.23 and v1.24."]}),"\n",(0,r.jsxs)(n.li,{children:["In v1.25.0, ",(0,r.jsx)(n.code,{children:"--foo"})," is marked as deprecated in documentation and will be hidden in code. It will continue to work and warn users to move to ",(0,r.jsx)(n.code,{children:"--new-foo"}),"."]}),"\n",(0,r.jsxs)(n.li,{children:["In v1.26.0, ",(0,r.jsx)(n.code,{children:"--foo"})," will cause a fatal error if used. The error message will say:","\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{children:"[Fatal] exit 1: --foo is no longer supported, use --new-foo instead\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["In v1.27.0, ",(0,r.jsx)(n.code,{children:"--foo"})," will be removed completely from all code and documentation."]}),"\n"]})]})}function p(e={}){const{wrapper:n}={...(0,t.a)(),...e.components};return n?(0,r.jsx)(n,{...e,children:(0,r.jsx)(d,{...e})}):d(e)}},1151:(e,n,o)=>{o.d(n,{Z:()=>a,a:()=>s});var r=o(7294);const t={},i=r.createContext(t);function s(e){const n=r.useContext(i);return r.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function a(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:s(e.components),r.createElement(i.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/943.288d0bb4.js b/kr/assets/js/943.3c7831dd.js similarity index 99% rename from kr/assets/js/943.288d0bb4.js rename to kr/assets/js/943.3c7831dd.js index 1a8c22ec7..9bb7c0cb0 100644 --- a/kr/assets/js/943.288d0bb4.js +++ b/kr/assets/js/943.3c7831dd.js @@ -1790,7 +1790,7 @@ function preorder(g, vs) { } // EXTERNAL MODULE: ./node_modules/dagre-d3-es/src/graphlib/graph.js + 9 modules -var graph = __webpack_require__(2544); +var graph = __webpack_require__(4404); ;// CONCATENATED MODULE: ./node_modules/dagre-d3-es/src/graphlib/alg/prim.js @@ -4353,7 +4353,7 @@ function canonicalize(attrs) { /***/ }), -/***/ 2544: +/***/ 4404: /***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => { @@ -5166,7 +5166,7 @@ function edgeObjToId(isDirected, edgeObj) { /* harmony export */ k: () => (/* reexport safe */ _graph_js__WEBPACK_IMPORTED_MODULE_0__.k) /* harmony export */ }); /* unused harmony export version */ -/* harmony import */ var _graph_js__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(2544); +/* harmony import */ var _graph_js__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(4404); // Includes only the "core" of graphlib @@ -5234,7 +5234,7 @@ function clone(value) { // EXTERNAL MODULE: ./node_modules/lodash-es/map.js var map = __webpack_require__(3836); // EXTERNAL MODULE: ./node_modules/dagre-d3-es/src/graphlib/graph.js + 9 modules -var graph = __webpack_require__(2544); +var graph = __webpack_require__(4404); ;// CONCATENATED MODULE: ./node_modules/dagre-d3-es/src/graphlib/json.js diff --git a/kr/assets/js/944a1646.0f1c836e.js b/kr/assets/js/944a1646.0f1c836e.js deleted file mode 100644 index c8ce023ee..000000000 --- a/kr/assets/js/944a1646.0f1c836e.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[2399],{4273:(e,s,t)=>{t.r(s),t.d(s,{assets:()=>o,contentTitle:()=>i,default:()=>h,frontMatter:()=>d,metadata:()=>a,toc:()=>c});var r=t(5893),n=t(1151);const d={title:"High Availability Embedded etcd"},i=void 0,a={id:"datastore/ha-embedded",title:"High Availability Embedded etcd",description:"Embedded etcd (HA) may have performance issues on slower disks such as Raspberry Pis running with SD cards.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/datastore/ha-embedded.md",sourceDirName:"datastore",slug:"/datastore/ha-embedded",permalink:"/kr/datastore/ha-embedded",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/datastore/ha-embedded.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"High Availability Embedded etcd"},sidebar:"mySidebar",previous:{title:"Backup and Restore",permalink:"/kr/datastore/backup-restore"},next:{title:"High Availability External DB",permalink:"/kr/datastore/ha"}},o={},c=[{value:"New cluster",id:"new-cluster",level:2},{value:"Existing clusters",id:"existing-clusters",level:2}];function l(e){const s={admonition:"admonition",blockquote:"blockquote",code:"code",h2:"h2",li:"li",p:"p",pre:"pre",strong:"strong",ul:"ul",...(0,n.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(s.admonition,{type:"warning",children:(0,r.jsx)(s.p,{children:"Embedded etcd (HA) may have performance issues on slower disks such as Raspberry Pis running with SD cards."})}),"\n",(0,r.jsx)(s.h2,{id:"new-cluster",children:"New cluster"}),"\n",(0,r.jsx)(s.p,{children:"To run K3s in this mode, you must have an odd number of server nodes. We recommend starting with three nodes."}),"\n",(0,r.jsxs)(s.p,{children:["To get started, first launch a server node with the ",(0,r.jsx)(s.code,{children:"cluster-init"})," flag to enable clustering and a token that will be used as a shared secret to join additional servers to the cluster."]}),"\n",(0,r.jsx)(s.pre,{children:(0,r.jsx)(s.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | K3S_TOKEN=SECRET sh -s - server --cluster-init\n"})}),"\n",(0,r.jsx)(s.p,{children:"After launching the first server, join the second and third servers to the cluster using the shared secret:"}),"\n",(0,r.jsx)(s.pre,{children:(0,r.jsx)(s.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | K3S_TOKEN=SECRET sh -s - server --server https://<ip or hostname of server1>:6443\n"})}),"\n",(0,r.jsx)(s.p,{children:"Check to see that the second and third servers are now part of the cluster:"}),"\n",(0,r.jsx)(s.pre,{children:(0,r.jsx)(s.code,{className:"language-bash",children:"$ kubectl get nodes\nNAME STATUS ROLES AGE VERSION\nserver1 Ready control-plane,etcd,master 28m vX.Y.Z\nserver2 Ready control-plane,etcd,master 13m vX.Y.Z\n"})}),"\n",(0,r.jsxs)(s.p,{children:["Now you have a highly available control plane. Any successfully clustered servers can be used in the ",(0,r.jsx)(s.code,{children:"--server"})," argument to join additional server and worker nodes. Joining additional worker nodes to the cluster follows the same procedure as a single server cluster."]}),"\n",(0,r.jsx)(s.p,{children:"There are a few config flags that must be the same in all server nodes:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Network related flags: ",(0,r.jsx)(s.code,{children:"--cluster-dns"}),", ",(0,r.jsx)(s.code,{children:"--cluster-domain"}),", ",(0,r.jsx)(s.code,{children:"--cluster-cidr"}),", ",(0,r.jsx)(s.code,{children:"--service-cidr"})]}),"\n",(0,r.jsxs)(s.li,{children:["Flags controlling the deployment of certain components: ",(0,r.jsx)(s.code,{children:"--disable-helm-controller"}),", ",(0,r.jsx)(s.code,{children:"--disable-kube-proxy"}),", ",(0,r.jsx)(s.code,{children:"--disable-network-policy"})," and any component passed to ",(0,r.jsx)(s.code,{children:"--disable"})]}),"\n",(0,r.jsxs)(s.li,{children:["Feature related flags: ",(0,r.jsx)(s.code,{children:"--secrets-encryption"})]}),"\n"]}),"\n",(0,r.jsx)(s.h2,{id:"existing-clusters",children:"Existing clusters"}),"\n",(0,r.jsxs)(s.p,{children:["If you have an existing cluster using the default embedded SQLite database, you can convert it to etcd by simply restarting your K3s server with the ",(0,r.jsx)(s.code,{children:"--cluster-init"})," flag. Once you've done that, you'll be able to add additional instances as described above."]}),"\n",(0,r.jsxs)(s.p,{children:["If an etcd datastore is found on disk either because that node has either initialized or joined a cluster already, the datastore arguments (",(0,r.jsx)(s.code,{children:"--cluster-init"}),", ",(0,r.jsx)(s.code,{children:"--server"}),", ",(0,r.jsx)(s.code,{children:"--datastore-endpoint"}),", etc) are ignored."]}),"\n",(0,r.jsxs)(s.blockquote,{children:["\n",(0,r.jsxs)(s.p,{children:[(0,r.jsx)(s.strong,{children:"Important:"})," K3s v1.22.2 and newer support migration from SQLite to etcd. Older versions will create a new empty datastore if you add ",(0,r.jsx)(s.code,{children:"--cluster-init"})," to an existing server."]}),"\n"]})]})}function h(e={}){const{wrapper:s}={...(0,n.a)(),...e.components};return s?(0,r.jsx)(s,{...e,children:(0,r.jsx)(l,{...e})}):l(e)}},1151:(e,s,t)=>{t.d(s,{Z:()=>a,a:()=>i});var r=t(7294);const n={},d=r.createContext(n);function i(e){const s=r.useContext(d);return r.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function a(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:i(e.components),r.createElement(d.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/944a1646.37a7041d.js b/kr/assets/js/944a1646.37a7041d.js new file mode 100644 index 000000000..95ff22086 --- /dev/null +++ b/kr/assets/js/944a1646.37a7041d.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[2399],{4273:(e,s,t)=>{t.r(s),t.d(s,{assets:()=>o,contentTitle:()=>i,default:()=>h,frontMatter:()=>d,metadata:()=>a,toc:()=>c});var r=t(5893),n=t(1151);const d={title:"High Availability Embedded etcd"},i=void 0,a={id:"datastore/ha-embedded",title:"High Availability Embedded etcd",description:"Embedded etcd (HA) may have performance issues on slower disks such as Raspberry Pis running with SD cards.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/datastore/ha-embedded.md",sourceDirName:"datastore",slug:"/datastore/ha-embedded",permalink:"/kr/datastore/ha-embedded",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/datastore/ha-embedded.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"High Availability Embedded etcd"},sidebar:"mySidebar",previous:{title:"Backup and Restore",permalink:"/kr/datastore/backup-restore"},next:{title:"High Availability External DB",permalink:"/kr/datastore/ha"}},o={},c=[{value:"New cluster",id:"new-cluster",level:2},{value:"Existing clusters",id:"existing-clusters",level:2}];function l(e){const s={admonition:"admonition",blockquote:"blockquote",code:"code",h2:"h2",li:"li",p:"p",pre:"pre",strong:"strong",ul:"ul",...(0,n.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(s.admonition,{type:"warning",children:(0,r.jsx)(s.p,{children:"Embedded etcd (HA) may have performance issues on slower disks such as Raspberry Pis running with SD cards."})}),"\n",(0,r.jsx)(s.h2,{id:"new-cluster",children:"New cluster"}),"\n",(0,r.jsx)(s.p,{children:"To run K3s in this mode, you must have an odd number of server nodes. We recommend starting with three nodes."}),"\n",(0,r.jsxs)(s.p,{children:["To get started, first launch a server node with the ",(0,r.jsx)(s.code,{children:"cluster-init"})," flag to enable clustering and a token that will be used as a shared secret to join additional servers to the cluster."]}),"\n",(0,r.jsx)(s.pre,{children:(0,r.jsx)(s.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | K3S_TOKEN=SECRET sh -s - server --cluster-init\n"})}),"\n",(0,r.jsx)(s.p,{children:"After launching the first server, join the second and third servers to the cluster using the shared secret:"}),"\n",(0,r.jsx)(s.pre,{children:(0,r.jsx)(s.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | K3S_TOKEN=SECRET sh -s - server --server https://<ip or hostname of server1>:6443\n"})}),"\n",(0,r.jsx)(s.p,{children:"Check to see that the second and third servers are now part of the cluster:"}),"\n",(0,r.jsx)(s.pre,{children:(0,r.jsx)(s.code,{className:"language-bash",children:"$ kubectl get nodes\nNAME STATUS ROLES AGE VERSION\nserver1 Ready control-plane,etcd,master 28m vX.Y.Z\nserver2 Ready control-plane,etcd,master 13m vX.Y.Z\n"})}),"\n",(0,r.jsxs)(s.p,{children:["Now you have a highly available control plane. Any successfully clustered servers can be used in the ",(0,r.jsx)(s.code,{children:"--server"})," argument to join additional server and worker nodes. Joining additional worker nodes to the cluster follows the same procedure as a single server cluster."]}),"\n",(0,r.jsx)(s.p,{children:"There are a few config flags that must be the same in all server nodes:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Network related flags: ",(0,r.jsx)(s.code,{children:"--cluster-dns"}),", ",(0,r.jsx)(s.code,{children:"--cluster-domain"}),", ",(0,r.jsx)(s.code,{children:"--cluster-cidr"}),", ",(0,r.jsx)(s.code,{children:"--service-cidr"})]}),"\n",(0,r.jsxs)(s.li,{children:["Flags controlling the deployment of certain components: ",(0,r.jsx)(s.code,{children:"--disable-helm-controller"}),", ",(0,r.jsx)(s.code,{children:"--disable-kube-proxy"}),", ",(0,r.jsx)(s.code,{children:"--disable-network-policy"})," and any component passed to ",(0,r.jsx)(s.code,{children:"--disable"})]}),"\n",(0,r.jsxs)(s.li,{children:["Feature related flags: ",(0,r.jsx)(s.code,{children:"--secrets-encryption"})]}),"\n"]}),"\n",(0,r.jsx)(s.h2,{id:"existing-clusters",children:"Existing clusters"}),"\n",(0,r.jsxs)(s.p,{children:["If you have an existing cluster using the default embedded SQLite database, you can convert it to etcd by simply restarting your K3s server with the ",(0,r.jsx)(s.code,{children:"--cluster-init"})," flag. Once you've done that, you'll be able to add additional instances as described above."]}),"\n",(0,r.jsxs)(s.p,{children:["If an etcd datastore is found on disk either because that node has either initialized or joined a cluster already, the datastore arguments (",(0,r.jsx)(s.code,{children:"--cluster-init"}),", ",(0,r.jsx)(s.code,{children:"--server"}),", ",(0,r.jsx)(s.code,{children:"--datastore-endpoint"}),", etc) are ignored."]}),"\n",(0,r.jsxs)(s.blockquote,{children:["\n",(0,r.jsxs)(s.p,{children:[(0,r.jsx)(s.strong,{children:"Important:"})," K3s v1.22.2 and newer support migration from SQLite to etcd. Older versions will create a new empty datastore if you add ",(0,r.jsx)(s.code,{children:"--cluster-init"})," to an existing server."]}),"\n"]})]})}function h(e={}){const{wrapper:s}={...(0,n.a)(),...e.components};return s?(0,r.jsx)(s,{...e,children:(0,r.jsx)(l,{...e})}):l(e)}},1151:(e,s,t)=>{t.d(s,{Z:()=>a,a:()=>i});var r=t(7294);const n={},d=r.createContext(n);function i(e){const s=r.useContext(d);return r.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function a(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:i(e.components),r.createElement(d.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/985.59c3c4c4.js b/kr/assets/js/985.fc87dcc9.js similarity index 99% rename from assets/js/985.59c3c4c4.js rename to kr/assets/js/985.fc87dcc9.js index fa6dc05fd..70bed5b1a 100644 --- a/assets/js/985.59c3c4c4.js +++ b/kr/assets/js/985.fc87dcc9.js @@ -1790,7 +1790,7 @@ function preorder(g, vs) { } // EXTERNAL MODULE: ./node_modules/dagre-d3-es/src/graphlib/graph.js + 9 modules -var graph = __webpack_require__(2544); +var graph = __webpack_require__(4404); ;// CONCATENATED MODULE: ./node_modules/dagre-d3-es/src/graphlib/alg/prim.js @@ -4353,7 +4353,7 @@ function canonicalize(attrs) { /***/ }), -/***/ 2544: +/***/ 4404: /***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => { @@ -5166,7 +5166,7 @@ function edgeObjToId(isDirected, edgeObj) { /* harmony export */ k: () => (/* reexport safe */ _graph_js__WEBPACK_IMPORTED_MODULE_0__.k) /* harmony export */ }); /* unused harmony export version */ -/* harmony import */ var _graph_js__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(2544); +/* harmony import */ var _graph_js__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(4404); // Includes only the "core" of graphlib diff --git a/kr/assets/js/9a11c291.7fb475ca.js b/kr/assets/js/9a11c291.7fb475ca.js new file mode 100644 index 000000000..f40d54c6c --- /dev/null +++ b/kr/assets/js/9a11c291.7fb475ca.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7162],{9636:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>o,contentTitle:()=>a,default:()=>d,frontMatter:()=>i,metadata:()=>l,toc:()=>c});var s=t(5893),r=t(1151);const i={title:"Multus and IPAM plugins"},a=void 0,l={id:"networking/multus-ipams",title:"Multus and IPAM plugins",description:"Multus CNI is a CNI plugin that enables attaching multiple network interfaces to pods. Multus does not replace CNI plugins, instead it acts as a CNI plugin multiplexer. Multus is useful in certain use cases, especially when pods are network intensive and require extra network interfaces that support dataplane acceleration techniques such as SR-IOV.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/networking/multus-ipams.md",sourceDirName:"networking",slug:"/networking/multus-ipams",permalink:"/kr/networking/multus-ipams",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/networking/multus-ipams.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Multus and IPAM plugins"},sidebar:"mySidebar",previous:{title:"Distributed hybrid or multicloud cluster",permalink:"/kr/networking/distributed-multicloud"},next:{title:"Networking Services",permalink:"/kr/networking/networking-services"}},o={},c=[];function u(e){const n={a:"a",code:"code",p:"p",pre:"pre",...(0,r.a)(),...e.components},{TabItem:t,Tabs:i}=n;return t||h("TabItem",!0),i||h("Tabs",!0),(0,s.jsxs)(s.Fragment,{children:[(0,s.jsxs)(n.p,{children:[(0,s.jsx)(n.a,{href:"https://github.com/k8snetworkplumbingwg/multus-cni",children:"Multus CNI"})," is a CNI plugin that enables attaching multiple network interfaces to pods. Multus does not replace CNI plugins, instead it acts as a CNI plugin multiplexer. Multus is useful in certain use cases, especially when pods are network intensive and require extra network interfaces that support dataplane acceleration techniques such as SR-IOV."]}),"\n",(0,s.jsx)(n.p,{children:"Multus can not be deployed standalone. It always requires at least one conventional CNI plugin that fulfills the Kubernetes cluster network requirements. That CNI plugin becomes the default for Multus, and will be used to provide the primary interface for all pods. When deploying K3s with default options, that CNI plugin is Flannel."}),"\n",(0,s.jsx)(n.p,{children:"To deploy Multus, we recommend using the following helm repo:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"helm repo add rke2-charts https://rke2-charts.rancher.io\nhelm repo update\n"})}),"\n",(0,s.jsx)(n.p,{children:"Then, to set the necessary configuration for it to work, a correct config file must be created. The configuration will depend on the IPAM plugin to be used, i.e. how your pods using Multus extra interfaces will configure the IPs for those extra interfaces. There are three options: host-local, DHCP Daemon and whereabouts:"}),"\n",(0,s.jsxs)(i,{groupId:"MultusIPAMplugins",children:[(0,s.jsxs)(t,{value:"host-local",default:!0,children:[(0,s.jsxs)(n.p,{children:["The host-local IPAM plugin allocates ip addresses out of a set of address ranges. It stores the state locally on the host filesystem, hence ensuring uniqueness of IP addresses on a single host. Therefore, we don't recommend it for multi-node clusters. This IPAM plugin does not require any extra deployment. For more information: ",(0,s.jsx)(n.a,{href:"https://www.cni.dev/plugins/current/ipam/host-local/",children:"https://www.cni.dev/plugins/current/ipam/host-local/"}),"."]}),(0,s.jsxs)(n.p,{children:["To use the host-local plugin, please create a file called ",(0,s.jsx)(n.code,{children:"multus-values.yaml"})," with the following content:"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"config:\n cni_conf:\n confDir: /var/lib/rancher/k3s/agent/etc/cni/net.d\n binDir: /var/lib/rancher/k3s/data/current/bin/\n kubeconfig: /var/lib/rancher/k3s/agent/etc/cni/net.d/multus.d/multus.kubeconfig\n"})})]}),(0,s.jsxs)(t,{value:"Whereabouts",default:!0,children:[(0,s.jsxs)(n.p,{children:[(0,s.jsx)(n.a,{href:"https://github.com/k8snetworkplumbingwg/whereabouts",children:"Whereabouts"})," is an IP Address Management (IPAM) CNI plugin that assigns IP addresses cluster-wide."]}),(0,s.jsx)(n.p,{children:"To use the Whereabouts IPAM plugin, please create a file called multus-values.yaml with the following content:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"config:\n cni_conf:\n confDir: /var/lib/rancher/k3s/agent/etc/cni/net.d\n binDir: /var/lib/rancher/k3s/data/current/bin/\n kubeconfig: /var/lib/rancher/k3s/agent/etc/cni/net.d/multus.d/multus.kubeconfig\nrke2-whereabouts:\n fullnameOverride: whereabouts\n enabled: true\n cniConf:\n confDir: /var/lib/rancher/k3s/agent/etc/cni/net.d\n binDir: /var/lib/rancher/k3s/data/current/bin/\n"})})]}),(0,s.jsxs)(t,{value:"Multus DHCP daemon",default:!0,children:[(0,s.jsxs)(n.p,{children:["The dhcp IPAM plugin can be deployed when there is already a DHCP server running on the network. This daemonset takes care of periodically renewing the DHCP lease. For more information please check the official docs of ",(0,s.jsx)(n.a,{href:"https://www.cni.dev/plugins/current/ipam/dhcp/",children:"DHCP IPAM plugin"}),"."]}),(0,s.jsx)(n.p,{children:"To use this DHCP plugin, please create a file called multus-values.yaml with the following content:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"config:\n cni_conf:\n confDir: /var/lib/rancher/k3s/agent/etc/cni/net.d\n binDir: /var/lib/rancher/k3s/data/current/bin/\n kubeconfig: /var/lib/rancher/k3s/agent/etc/cni/net.d/multus.d/multus.kubeconfig\nmanifests:\n dhcpDaemonSet: true\n"})})]})]}),"\n",(0,s.jsxs)(n.p,{children:["After creating the ",(0,s.jsx)(n.code,{children:"multus-values.yaml"})," file, everything is ready to install Multus:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"helm install multus rke2-charts/rke2-multus -n kube-system --kubeconfig /etc/rancher/k3s/k3s.yaml --values multus-values.yaml\n"})}),"\n",(0,s.jsx)(n.p,{children:"That will create a daemonset called multus which will deploy multus and all regular cni binaries in /var/lib/rancher/k3s/data/current/ (e.g. macvlan) and the correct Multus config in /var/lib/rancher/k3s/agent/etc/cni/net.d"}),"\n",(0,s.jsxs)(n.p,{children:["For more information about Multus, refer to the ",(0,s.jsx)(n.a,{href:"https://github.com/k8snetworkplumbingwg/multus-cni/tree/master/docs",children:"multus-cni"})," documentation."]})]})}function d(e={}){const{wrapper:n}={...(0,r.a)(),...e.components};return n?(0,s.jsx)(n,{...e,children:(0,s.jsx)(u,{...e})}):u(e)}function h(e,n){throw new Error("Expected "+(n?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,n,t)=>{t.d(n,{Z:()=>l,a:()=>a});var s=t(7294);const r={},i=s.createContext(r);function a(e){const n=s.useContext(i);return s.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function l(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:a(e.components),s.createElement(i.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/9a11c291.eb38d005.js b/kr/assets/js/9a11c291.eb38d005.js deleted file mode 100644 index c7afa7ca9..000000000 --- a/kr/assets/js/9a11c291.eb38d005.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7162],{9636:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>o,contentTitle:()=>a,default:()=>d,frontMatter:()=>i,metadata:()=>l,toc:()=>c});var s=t(5893),r=t(1151);const i={title:"Multus and IPAM plugins"},a=void 0,l={id:"networking/multus-ipams",title:"Multus and IPAM plugins",description:"Multus CNI is a CNI plugin that enables attaching multiple network interfaces to pods. Multus does not replace CNI plugins, instead it acts as a CNI plugin multiplexer. Multus is useful in certain use cases, especially when pods are network intensive and require extra network interfaces that support dataplane acceleration techniques such as SR-IOV.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/networking/multus-ipams.md",sourceDirName:"networking",slug:"/networking/multus-ipams",permalink:"/kr/networking/multus-ipams",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/networking/multus-ipams.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Multus and IPAM plugins"},sidebar:"mySidebar",previous:{title:"Distributed hybrid or multicloud cluster",permalink:"/kr/networking/distributed-multicloud"},next:{title:"Networking Services",permalink:"/kr/networking/networking-services"}},o={},c=[];function u(e){const n={a:"a",code:"code",p:"p",pre:"pre",...(0,r.a)(),...e.components},{TabItem:t,Tabs:i}=n;return t||h("TabItem",!0),i||h("Tabs",!0),(0,s.jsxs)(s.Fragment,{children:[(0,s.jsxs)(n.p,{children:[(0,s.jsx)(n.a,{href:"https://github.com/k8snetworkplumbingwg/multus-cni",children:"Multus CNI"})," is a CNI plugin that enables attaching multiple network interfaces to pods. Multus does not replace CNI plugins, instead it acts as a CNI plugin multiplexer. Multus is useful in certain use cases, especially when pods are network intensive and require extra network interfaces that support dataplane acceleration techniques such as SR-IOV."]}),"\n",(0,s.jsx)(n.p,{children:"Multus can not be deployed standalone. It always requires at least one conventional CNI plugin that fulfills the Kubernetes cluster network requirements. That CNI plugin becomes the default for Multus, and will be used to provide the primary interface for all pods. When deploying K3s with default options, that CNI plugin is Flannel."}),"\n",(0,s.jsx)(n.p,{children:"To deploy Multus, we recommend using the following helm repo:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"helm repo add rke2-charts https://rke2-charts.rancher.io\nhelm repo update\n"})}),"\n",(0,s.jsx)(n.p,{children:"Then, to set the necessary configuration for it to work, a correct config file must be created. The configuration will depend on the IPAM plugin to be used, i.e. how your pods using Multus extra interfaces will configure the IPs for those extra interfaces. There are three options: host-local, DHCP Daemon and whereabouts:"}),"\n",(0,s.jsxs)(i,{groupId:"MultusIPAMplugins",children:[(0,s.jsxs)(t,{value:"host-local",default:!0,children:[(0,s.jsxs)(n.p,{children:["The host-local IPAM plugin allocates ip addresses out of a set of address ranges. It stores the state locally on the host filesystem, hence ensuring uniqueness of IP addresses on a single host. Therefore, we don't recommend it for multi-node clusters. This IPAM plugin does not require any extra deployment. For more information: ",(0,s.jsx)(n.a,{href:"https://www.cni.dev/plugins/current/ipam/host-local/",children:"https://www.cni.dev/plugins/current/ipam/host-local/"}),"."]}),(0,s.jsxs)(n.p,{children:["To use the host-local plugin, please create a file called ",(0,s.jsx)(n.code,{children:"multus-values.yaml"})," with the following content:"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"config:\n cni_conf:\n confDir: /var/lib/rancher/k3s/agent/etc/cni/net.d\n binDir: /var/lib/rancher/k3s/data/current/bin/\n kubeconfig: /var/lib/rancher/k3s/agent/etc/cni/net.d/multus.d/multus.kubeconfig\n"})})]}),(0,s.jsxs)(t,{value:"Whereabouts",default:!0,children:[(0,s.jsxs)(n.p,{children:[(0,s.jsx)(n.a,{href:"https://github.com/k8snetworkplumbingwg/whereabouts",children:"Whereabouts"})," is an IP Address Management (IPAM) CNI plugin that assigns IP addresses cluster-wide."]}),(0,s.jsx)(n.p,{children:"To use the Whereabouts IPAM plugin, please create a file called multus-values.yaml with the following content:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"config:\n cni_conf:\n confDir: /var/lib/rancher/k3s/agent/etc/cni/net.d\n binDir: /var/lib/rancher/k3s/data/current/bin/\n kubeconfig: /var/lib/rancher/k3s/agent/etc/cni/net.d/multus.d/multus.kubeconfig\nrke2-whereabouts:\n fullnameOverride: whereabouts\n enabled: true\n cniConf:\n confDir: /var/lib/rancher/k3s/agent/etc/cni/net.d\n binDir: /var/lib/rancher/k3s/data/current/bin/\n"})})]}),(0,s.jsxs)(t,{value:"Multus DHCP daemon",default:!0,children:[(0,s.jsxs)(n.p,{children:["The dhcp IPAM plugin can be deployed when there is already a DHCP server running on the network. This daemonset takes care of periodically renewing the DHCP lease. For more information please check the official docs of ",(0,s.jsx)(n.a,{href:"https://www.cni.dev/plugins/current/ipam/dhcp/",children:"DHCP IPAM plugin"}),"."]}),(0,s.jsx)(n.p,{children:"To use this DHCP plugin, please create a file called multus-values.yaml with the following content:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"config:\n cni_conf:\n confDir: /var/lib/rancher/k3s/agent/etc/cni/net.d\n binDir: /var/lib/rancher/k3s/data/current/bin/\n kubeconfig: /var/lib/rancher/k3s/agent/etc/cni/net.d/multus.d/multus.kubeconfig\nmanifests:\n dhcpDaemonSet: true\n"})})]})]}),"\n",(0,s.jsxs)(n.p,{children:["After creating the ",(0,s.jsx)(n.code,{children:"multus-values.yaml"})," file, everything is ready to install Multus:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"helm install multus rke2-charts/rke2-multus -n kube-system --kubeconfig /etc/rancher/k3s/k3s.yaml --values multus-values.yaml\n"})}),"\n",(0,s.jsx)(n.p,{children:"That will create a daemonset called multus which will deploy multus and all regular cni binaries in /var/lib/rancher/k3s/data/current/ (e.g. macvlan) and the correct Multus config in /var/lib/rancher/k3s/agent/etc/cni/net.d"}),"\n",(0,s.jsxs)(n.p,{children:["For more information about Multus, refer to the ",(0,s.jsx)(n.a,{href:"https://github.com/k8snetworkplumbingwg/multus-cni/tree/master/docs",children:"multus-cni"})," documentation."]})]})}function d(e={}){const{wrapper:n}={...(0,r.a)(),...e.components};return n?(0,s.jsx)(n,{...e,children:(0,s.jsx)(u,{...e})}):u(e)}function h(e,n){throw new Error("Expected "+(n?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,n,t)=>{t.d(n,{Z:()=>l,a:()=>a});var s=t(7294);const r={},i=s.createContext(r);function a(e){const n=s.useContext(i);return s.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function l(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:a(e.components),s.createElement(i.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/9c4d4f7f.1d881b09.js b/kr/assets/js/9c4d4f7f.1d881b09.js new file mode 100644 index 000000000..b1e8209a9 --- /dev/null +++ b/kr/assets/js/9c4d4f7f.1d881b09.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[6094],{932:(e,s,n)=>{n.r(s),n.d(s,{assets:()=>l,contentTitle:()=>i,default:()=>h,frontMatter:()=>c,metadata:()=>o,toc:()=>d});var t=n(5893),r=n(1151);const c={title:"\ube60\ub978 \uc2dc\uc791 \uac00\uc774\ub4dc"},i=void 0,o={id:"quick-start",title:"\ube60\ub978 \uc2dc\uc791 \uac00\uc774\ub4dc",description:"\uc774 \uac00\uc774\ub4dc\ub294 \uae30\ubcf8 \uc635\uc158\uc73c\ub85c \ud074\ub7ec\uc2a4\ud130\ub97c \ube60\ub974\uac8c \uc2dc\uc791\ud558\ub294 \ub370 \ub3c4\uc6c0\uc774 \ub429\ub2c8\ub2e4. \uc124\uce58 \uc139\uc158\uc5d0\uc11c\ub294 K3s\ub97c \uc124\uc815\ud558\ub294 \ubc29\ubc95\uc5d0 \ub300\ud574 \uc790\uc138\ud788 \uc124\uba85\ud569\ub2c8\ub2e4.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/quick-start.md",sourceDirName:".",slug:"/quick-start",permalink:"/kr/quick-start",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/quick-start.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"\ube60\ub978 \uc2dc\uc791 \uac00\uc774\ub4dc"},sidebar:"mySidebar",previous:{title:"K3s - Lightweight Kubernetes",permalink:"/kr/"},next:{title:"Installation",permalink:"/kr/installation/"}},l={},d=[{value:"\uc124\uce58 \uc2a4\ud06c\ub9bd\ud2b8",id:"\uc124\uce58-\uc2a4\ud06c\ub9bd\ud2b8",level:2}];function a(e){const s={a:"a",admonition:"admonition",code:"code",h2:"h2",li:"li",p:"p",pre:"pre",ul:"ul",...(0,r.a)(),...e.components};return(0,t.jsxs)(t.Fragment,{children:[(0,t.jsxs)(s.p,{children:["\uc774 \uac00\uc774\ub4dc\ub294 \uae30\ubcf8 \uc635\uc158\uc73c\ub85c \ud074\ub7ec\uc2a4\ud130\ub97c \ube60\ub974\uac8c \uc2dc\uc791\ud558\ub294 \ub370 \ub3c4\uc6c0\uc774 \ub429\ub2c8\ub2e4. ",(0,t.jsx)(s.a,{href:"/kr/installation/",children:"\uc124\uce58 \uc139\uc158"}),"\uc5d0\uc11c\ub294 K3s\ub97c \uc124\uc815\ud558\ub294 \ubc29\ubc95\uc5d0 \ub300\ud574 \uc790\uc138\ud788 \uc124\uba85\ud569\ub2c8\ub2e4."]}),"\n",(0,t.jsxs)(s.p,{children:["K3s \uad6c\uc131 \uc694\uc18c\ub4e4\uc774 \uc791\ub3d9\ud558\ub294 \ubc29\uc2dd\uc5d0 \ub300\ud55c \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,t.jsx)(s.a,{href:"/kr/architecture",children:"\uc544\ud0a4\ud14d\ucc98 \uc139\uc158"}),"\uc744 \ucc38\uc870\ud558\uc138\uc694."]}),"\n",(0,t.jsx)(s.admonition,{type:"info",children:(0,t.jsxs)(s.p,{children:["Kubernetes\ub97c \ucc98\uc74c \uc0ac\uc6a9\ud558\uc2dc\ub098\uc694?\n\uacf5\uc2dd \ucfe0\ubc84\ub124\ud2f0\uc2a4 \ubb38\uc11c\uc5d0\ub294 \uc774\ubbf8 \uae30\ubcf8 \uc0ac\ud56d\uc744 \uc124\uba85\ud558\ub294 \ud6cc\ub96d\ud55c \ud29c\ud1a0\ub9ac\uc5bc\uc774 ",(0,t.jsx)(s.a,{href:"https://kubernetes.io/ko/docs/tutorials/kubernetes-basics/",children:"\uc5ec\uae30"})," \uc788\uc2b5\ub2c8\ub2e4."]})}),"\n",(0,t.jsx)(s.h2,{id:"\uc124\uce58-\uc2a4\ud06c\ub9bd\ud2b8",children:"\uc124\uce58 \uc2a4\ud06c\ub9bd\ud2b8"}),"\n",(0,t.jsxs)(s.p,{children:["K3s\ub294 systemd \ub610\ub294 openrc \uae30\ubc18 \uc2dc\uc2a4\ud15c\uc5d0 \uc11c\ube44\uc2a4\ub85c \uc124\uce58\ud558\ub294 \ud3b8\ub9ac\ud55c \ubc29\ubc95\uc73c\ub85c \uc124\uce58 \uc2a4\ud06c\ub9bd\ud2b8\ub97c \uc81c\uacf5\ud569\ub2c8\ub2e4. \uc774 \uc2a4\ud06c\ub9bd\ud2b8\ub294 ",(0,t.jsx)(s.a,{href:"https://get.k3s.io",children:"https://get.k3s.io"})," \uc5d0\uc11c \ud655\uc778\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \uc774 \ubc29\ubc95\uc73c\ub85c K3s\ub97c \uc124\uce58\ud558\ub824\uba74, \uac04\ub2e8\ud558\uac8c \ub2e4\uc74c\uc744 \uc2e4\ud589\ud558\uc138\uc694:"]}),"\n",(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | sh -\n"})}),"\n",(0,t.jsx)(s.p,{children:"\uc774 \uc124\uce58\ub97c \uc2e4\ud589\ud55c \ud6c4:"}),"\n",(0,t.jsxs)(s.ul,{children:["\n",(0,t.jsx)(s.li,{children:"\ub178\ub4dc\uac00 \uc7ac\ubd80\ud305\ub418\uac70\ub098 \ud504\ub85c\uc138\uc2a4\uac00 \ucda9\ub3cc \ub610\ub294 \uc885\ub8cc\ub41c \uacbd\uc6b0 \uc790\ub3d9\uc73c\ub85c \uc7ac\uc2dc\uc791\ub418\ub3c4\ub85d K3s \uc11c\ube44\uc2a4\uac00 \uad6c\uc131\ub429\ub2c8\ub2e4."}),"\n",(0,t.jsxs)(s.li,{children:[(0,t.jsx)(s.code,{children:"kubectl"}),", ",(0,t.jsx)(s.code,{children:"crictl"}),", ",(0,t.jsx)(s.code,{children:"ctr"}),", ",(0,t.jsx)(s.code,{children:"k3s-killall.sh"})," \ubc0f ",(0,t.jsx)(s.code,{children:"k3s-uninstall.sh"}),"\ub97c \ud3ec\ud568\ud55c \ucd94\uac00 \uc720\ud2f8\ub9ac\ud2f0\uac00 \uc124\uce58\ub429\ub2c8\ub2e4."]}),"\n",(0,t.jsxs)(s.li,{children:[(0,t.jsx)(s.code,{children:"/etc/rancher/k3s/k3s.yaml"}),"\uc5d0 ",(0,t.jsx)(s.a,{href:"https://kubernetes.io/ko/docs/concepts/configuration/organize-cluster-access-kubeconfig/",children:"kubeconfig"})," \ud30c\uc77c\uc744 \uc791\uc131\ud558\uace0, K3s\uac00 \uc124\uce58\ud55c kubectl\uc774 \uc790\ub3d9\uc73c\ub85c \uc774\ub97c \uc0ac\uc6a9\ud558\uac8c \ub429\ub2c8\ub2e4."]}),"\n"]}),"\n",(0,t.jsx)(s.p,{children:"\ub2e8\uc77c \ub178\ub4dc \uc11c\ubc84 \uc124\uce58\ub294 \uc6cc\ud06c\ub85c\ub4dc \ud30c\ub4dc\ub97c \ud638\uc2a4\ud305\ud558\ub294 \ub370 \ud544\uc694\ud55c \ubaa8\ub4e0 \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4, \ucee8\ud2b8\ub864 \ud50c\ub808\uc778, kubelet \ubc0f \ucee8\ud14c\uc774\ub108 \ub7f0\ud0c0\uc784 \uad6c\uc131 \uc694\uc18c\ub97c \ud3ec\ud568\ud558\uc5ec \ubaa8\ub4e0 \uae30\ub2a5\uc744 \uac16\ucd98 Kubernetes \ud074\ub7ec\uc2a4\ud130\uc785\ub2c8\ub2e4. \uc11c\ubc84 \ub610\ub294 \uc5d0\uc774\uc804\ud2b8 \ub178\ub4dc\ub97c \ucd94\uac00\ud560 \ud544\uc694\ub294 \uc5c6\uc9c0\ub9cc, \ud074\ub7ec\uc2a4\ud130\uc5d0 \ucd94\uac00 \uc6a9\ub7c9 \ub610\ub294 \uc911\ubcf5\uc131\uc744 \ucd94\uac00\ud558\uae30 \uc704\ud574 \ucd94\uac00\ud558\ub294 \uac83\uc774 \uc88b\uc2b5\ub2c8\ub2e4."}),"\n",(0,t.jsxs)(s.p,{children:["\uc5d0\uc774\uc804\ud2b8 \ub178\ub4dc\ub97c \ucd94\uac00\ub85c \uc124\uce58\ud558\uc5ec \ud074\ub7ec\uc2a4\ud130\uc5d0 \ucd94\uac00\ud558\ub824\uba74, ",(0,t.jsx)(s.code,{children:"K3S_URL"})," \ubc0f ",(0,t.jsx)(s.code,{children:"K3S_TOKEN"})," \ud658\uacbd \ubcc0\uc218\ub97c \uc0ac\uc6a9\ud558\uc5ec \uc124\uce58 \uc2a4\ud06c\ub9bd\ud2b8\ub97c \uc2e4\ud589\ud569\ub2c8\ub2e4. \ub2e4\uc74c\uc740 \uc5d0\uc774\uc804\ud2b8 \uac00\uc785 \ubc29\ubc95\uc744 \ubcf4\uc5ec\uc8fc\ub294 \uc608\uc81c\uc785\ub2c8\ub2e4:"]}),"\n",(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | K3S_URL=https://myserver:6443 K3S_TOKEN=mynodetoken sh -\n"})}),"\n",(0,t.jsxs)(s.p,{children:[(0,t.jsx)(s.code,{children:"K3S_URL"})," \ud30c\ub77c\ubbf8\ud130\ub97c \uc124\uc815\ud558\uba74 \uc778\uc2a4\ud1a8\ub7ec\uac00 K3s\ub97c \uc11c\ubc84\uac00 \uc544\ub2cc \uc5d0\uc774\uc804\ud2b8\ub85c \uad6c\uc131\ud569\ub2c8\ub2e4. K3s \uc5d0\uc774\uc804\ud2b8\ub294 \uc81c\uacf5\ub41c URL\uc5d0\uc11c \uc218\uc2e0 \ub300\uae30 \uc911\uc778 K3s \uc11c\ubc84\uc5d0 \ub4f1\ub85d\ub429\ub2c8\ub2e4. ",(0,t.jsx)(s.code,{children:"K3S_TOKEN"}),"\uc5d0 \uc0ac\uc6a9\ud560 \uac12\uc740 \uc11c\ubc84 \ub178\ub4dc\uc758 ",(0,t.jsx)(s.code,{children:"/var/lib/rancher/k3s/server/node-token"}),"\uc5d0 \uc800\uc7a5\ub429\ub2c8\ub2e4."]}),"\n",(0,t.jsx)(s.admonition,{type:"note",children:(0,t.jsxs)(s.p,{children:["\uac01 \uba38\uc2e0\uc740 \uace0\uc720\ud55c \ud638\uc2a4\ud2b8 \uc774\ub984\uc744 \uac00\uc838\uc57c \ud569\ub2c8\ub2e4. \uba38\uc2e0\uc5d0 \uace0\uc720 \ud638\uc2a4\ud2b8\uba85\uc774 \uc5c6\ub294 \uacbd\uc6b0, ",(0,t.jsx)(s.code,{children:"K3S_NODE_NAME"})," \ud658\uacbd \ubcc0\uc218\ub97c \uc804\ub2ec\ud558\uace0 \uac01 \ub178\ub4dc\uc5d0 \ub300\ud574 \uc720\ud6a8\ud55c \uace0\uc720 \ud638\uc2a4\ud2b8\uba85\uc774 \uc788\ub294 \uac12\uc744 \uc81c\uacf5\ud558\uc138\uc694."]})})]})}function h(e={}){const{wrapper:s}={...(0,r.a)(),...e.components};return s?(0,t.jsx)(s,{...e,children:(0,t.jsx)(a,{...e})}):a(e)}},1151:(e,s,n)=>{n.d(s,{Z:()=>o,a:()=>i});var t=n(7294);const r={},c=t.createContext(r);function i(e){const s=t.useContext(c);return t.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function o(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:i(e.components),t.createElement(c.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/9c4d4f7f.9da27a87.js b/kr/assets/js/9c4d4f7f.9da27a87.js deleted file mode 100644 index faa337de3..000000000 --- a/kr/assets/js/9c4d4f7f.9da27a87.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[6094],{932:(e,s,n)=>{n.r(s),n.d(s,{assets:()=>l,contentTitle:()=>i,default:()=>h,frontMatter:()=>c,metadata:()=>o,toc:()=>d});var t=n(5893),r=n(1151);const c={title:"\ube60\ub978 \uc2dc\uc791 \uac00\uc774\ub4dc"},i=void 0,o={id:"quick-start",title:"\ube60\ub978 \uc2dc\uc791 \uac00\uc774\ub4dc",description:"\uc774 \uac00\uc774\ub4dc\ub294 \uae30\ubcf8 \uc635\uc158\uc73c\ub85c \ud074\ub7ec\uc2a4\ud130\ub97c \ube60\ub974\uac8c \uc2dc\uc791\ud558\ub294 \ub370 \ub3c4\uc6c0\uc774 \ub429\ub2c8\ub2e4. \uc124\uce58 \uc139\uc158\uc5d0\uc11c\ub294 K3s\ub97c \uc124\uc815\ud558\ub294 \ubc29\ubc95\uc5d0 \ub300\ud574 \uc790\uc138\ud788 \uc124\uba85\ud569\ub2c8\ub2e4.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/quick-start.md",sourceDirName:".",slug:"/quick-start",permalink:"/kr/quick-start",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/quick-start.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"\ube60\ub978 \uc2dc\uc791 \uac00\uc774\ub4dc"},sidebar:"mySidebar",previous:{title:"K3s - Lightweight Kubernetes",permalink:"/kr/"},next:{title:"Installation",permalink:"/kr/installation/"}},l={},d=[{value:"\uc124\uce58 \uc2a4\ud06c\ub9bd\ud2b8",id:"\uc124\uce58-\uc2a4\ud06c\ub9bd\ud2b8",level:2}];function a(e){const s={a:"a",admonition:"admonition",code:"code",h2:"h2",li:"li",p:"p",pre:"pre",ul:"ul",...(0,r.a)(),...e.components};return(0,t.jsxs)(t.Fragment,{children:[(0,t.jsxs)(s.p,{children:["\uc774 \uac00\uc774\ub4dc\ub294 \uae30\ubcf8 \uc635\uc158\uc73c\ub85c \ud074\ub7ec\uc2a4\ud130\ub97c \ube60\ub974\uac8c \uc2dc\uc791\ud558\ub294 \ub370 \ub3c4\uc6c0\uc774 \ub429\ub2c8\ub2e4. ",(0,t.jsx)(s.a,{href:"/kr/installation/",children:"\uc124\uce58 \uc139\uc158"}),"\uc5d0\uc11c\ub294 K3s\ub97c \uc124\uc815\ud558\ub294 \ubc29\ubc95\uc5d0 \ub300\ud574 \uc790\uc138\ud788 \uc124\uba85\ud569\ub2c8\ub2e4."]}),"\n",(0,t.jsxs)(s.p,{children:["K3s \uad6c\uc131 \uc694\uc18c\ub4e4\uc774 \uc791\ub3d9\ud558\ub294 \ubc29\uc2dd\uc5d0 \ub300\ud55c \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,t.jsx)(s.a,{href:"/kr/architecture",children:"\uc544\ud0a4\ud14d\ucc98 \uc139\uc158"}),"\uc744 \ucc38\uc870\ud558\uc138\uc694."]}),"\n",(0,t.jsx)(s.admonition,{type:"info",children:(0,t.jsxs)(s.p,{children:["Kubernetes\ub97c \ucc98\uc74c \uc0ac\uc6a9\ud558\uc2dc\ub098\uc694?\n\uacf5\uc2dd \ucfe0\ubc84\ub124\ud2f0\uc2a4 \ubb38\uc11c\uc5d0\ub294 \uc774\ubbf8 \uae30\ubcf8 \uc0ac\ud56d\uc744 \uc124\uba85\ud558\ub294 \ud6cc\ub96d\ud55c \ud29c\ud1a0\ub9ac\uc5bc\uc774 ",(0,t.jsx)(s.a,{href:"https://kubernetes.io/ko/docs/tutorials/kubernetes-basics/",children:"\uc5ec\uae30"})," \uc788\uc2b5\ub2c8\ub2e4."]})}),"\n",(0,t.jsx)(s.h2,{id:"\uc124\uce58-\uc2a4\ud06c\ub9bd\ud2b8",children:"\uc124\uce58 \uc2a4\ud06c\ub9bd\ud2b8"}),"\n",(0,t.jsxs)(s.p,{children:["K3s\ub294 systemd \ub610\ub294 openrc \uae30\ubc18 \uc2dc\uc2a4\ud15c\uc5d0 \uc11c\ube44\uc2a4\ub85c \uc124\uce58\ud558\ub294 \ud3b8\ub9ac\ud55c \ubc29\ubc95\uc73c\ub85c \uc124\uce58 \uc2a4\ud06c\ub9bd\ud2b8\ub97c \uc81c\uacf5\ud569\ub2c8\ub2e4. \uc774 \uc2a4\ud06c\ub9bd\ud2b8\ub294 ",(0,t.jsx)(s.a,{href:"https://get.k3s.io",children:"https://get.k3s.io"})," \uc5d0\uc11c \ud655\uc778\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \uc774 \ubc29\ubc95\uc73c\ub85c K3s\ub97c \uc124\uce58\ud558\ub824\uba74, \uac04\ub2e8\ud558\uac8c \ub2e4\uc74c\uc744 \uc2e4\ud589\ud558\uc138\uc694:"]}),"\n",(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | sh -\n"})}),"\n",(0,t.jsx)(s.p,{children:"\uc774 \uc124\uce58\ub97c \uc2e4\ud589\ud55c \ud6c4:"}),"\n",(0,t.jsxs)(s.ul,{children:["\n",(0,t.jsx)(s.li,{children:"\ub178\ub4dc\uac00 \uc7ac\ubd80\ud305\ub418\uac70\ub098 \ud504\ub85c\uc138\uc2a4\uac00 \ucda9\ub3cc \ub610\ub294 \uc885\ub8cc\ub41c \uacbd\uc6b0 \uc790\ub3d9\uc73c\ub85c \uc7ac\uc2dc\uc791\ub418\ub3c4\ub85d K3s \uc11c\ube44\uc2a4\uac00 \uad6c\uc131\ub429\ub2c8\ub2e4."}),"\n",(0,t.jsxs)(s.li,{children:[(0,t.jsx)(s.code,{children:"kubectl"}),", ",(0,t.jsx)(s.code,{children:"crictl"}),", ",(0,t.jsx)(s.code,{children:"ctr"}),", ",(0,t.jsx)(s.code,{children:"k3s-killall.sh"})," \ubc0f ",(0,t.jsx)(s.code,{children:"k3s-uninstall.sh"}),"\ub97c \ud3ec\ud568\ud55c \ucd94\uac00 \uc720\ud2f8\ub9ac\ud2f0\uac00 \uc124\uce58\ub429\ub2c8\ub2e4."]}),"\n",(0,t.jsxs)(s.li,{children:[(0,t.jsx)(s.code,{children:"/etc/rancher/k3s/k3s.yaml"}),"\uc5d0 ",(0,t.jsx)(s.a,{href:"https://kubernetes.io/ko/docs/concepts/configuration/organize-cluster-access-kubeconfig/",children:"kubeconfig"})," \ud30c\uc77c\uc744 \uc791\uc131\ud558\uace0, K3s\uac00 \uc124\uce58\ud55c kubectl\uc774 \uc790\ub3d9\uc73c\ub85c \uc774\ub97c \uc0ac\uc6a9\ud558\uac8c \ub429\ub2c8\ub2e4."]}),"\n"]}),"\n",(0,t.jsx)(s.p,{children:"\ub2e8\uc77c \ub178\ub4dc \uc11c\ubc84 \uc124\uce58\ub294 \uc6cc\ud06c\ub85c\ub4dc \ud30c\ub4dc\ub97c \ud638\uc2a4\ud305\ud558\ub294 \ub370 \ud544\uc694\ud55c \ubaa8\ub4e0 \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4, \ucee8\ud2b8\ub864 \ud50c\ub808\uc778, kubelet \ubc0f \ucee8\ud14c\uc774\ub108 \ub7f0\ud0c0\uc784 \uad6c\uc131 \uc694\uc18c\ub97c \ud3ec\ud568\ud558\uc5ec \ubaa8\ub4e0 \uae30\ub2a5\uc744 \uac16\ucd98 Kubernetes \ud074\ub7ec\uc2a4\ud130\uc785\ub2c8\ub2e4. \uc11c\ubc84 \ub610\ub294 \uc5d0\uc774\uc804\ud2b8 \ub178\ub4dc\ub97c \ucd94\uac00\ud560 \ud544\uc694\ub294 \uc5c6\uc9c0\ub9cc, \ud074\ub7ec\uc2a4\ud130\uc5d0 \ucd94\uac00 \uc6a9\ub7c9 \ub610\ub294 \uc911\ubcf5\uc131\uc744 \ucd94\uac00\ud558\uae30 \uc704\ud574 \ucd94\uac00\ud558\ub294 \uac83\uc774 \uc88b\uc2b5\ub2c8\ub2e4."}),"\n",(0,t.jsxs)(s.p,{children:["\uc5d0\uc774\uc804\ud2b8 \ub178\ub4dc\ub97c \ucd94\uac00\ub85c \uc124\uce58\ud558\uc5ec \ud074\ub7ec\uc2a4\ud130\uc5d0 \ucd94\uac00\ud558\ub824\uba74, ",(0,t.jsx)(s.code,{children:"K3S_URL"})," \ubc0f ",(0,t.jsx)(s.code,{children:"K3S_TOKEN"})," \ud658\uacbd \ubcc0\uc218\ub97c \uc0ac\uc6a9\ud558\uc5ec \uc124\uce58 \uc2a4\ud06c\ub9bd\ud2b8\ub97c \uc2e4\ud589\ud569\ub2c8\ub2e4. \ub2e4\uc74c\uc740 \uc5d0\uc774\uc804\ud2b8 \uac00\uc785 \ubc29\ubc95\uc744 \ubcf4\uc5ec\uc8fc\ub294 \uc608\uc81c\uc785\ub2c8\ub2e4:"]}),"\n",(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | K3S_URL=https://myserver:6443 K3S_TOKEN=mynodetoken sh -\n"})}),"\n",(0,t.jsxs)(s.p,{children:[(0,t.jsx)(s.code,{children:"K3S_URL"})," \ud30c\ub77c\ubbf8\ud130\ub97c \uc124\uc815\ud558\uba74 \uc778\uc2a4\ud1a8\ub7ec\uac00 K3s\ub97c \uc11c\ubc84\uac00 \uc544\ub2cc \uc5d0\uc774\uc804\ud2b8\ub85c \uad6c\uc131\ud569\ub2c8\ub2e4. K3s \uc5d0\uc774\uc804\ud2b8\ub294 \uc81c\uacf5\ub41c URL\uc5d0\uc11c \uc218\uc2e0 \ub300\uae30 \uc911\uc778 K3s \uc11c\ubc84\uc5d0 \ub4f1\ub85d\ub429\ub2c8\ub2e4. ",(0,t.jsx)(s.code,{children:"K3S_TOKEN"}),"\uc5d0 \uc0ac\uc6a9\ud560 \uac12\uc740 \uc11c\ubc84 \ub178\ub4dc\uc758 ",(0,t.jsx)(s.code,{children:"/var/lib/rancher/k3s/server/node-token"}),"\uc5d0 \uc800\uc7a5\ub429\ub2c8\ub2e4."]}),"\n",(0,t.jsx)(s.admonition,{type:"note",children:(0,t.jsxs)(s.p,{children:["\uac01 \uba38\uc2e0\uc740 \uace0\uc720\ud55c \ud638\uc2a4\ud2b8 \uc774\ub984\uc744 \uac00\uc838\uc57c \ud569\ub2c8\ub2e4. \uba38\uc2e0\uc5d0 \uace0\uc720 \ud638\uc2a4\ud2b8\uba85\uc774 \uc5c6\ub294 \uacbd\uc6b0, ",(0,t.jsx)(s.code,{children:"K3S_NODE_NAME"})," \ud658\uacbd \ubcc0\uc218\ub97c \uc804\ub2ec\ud558\uace0 \uac01 \ub178\ub4dc\uc5d0 \ub300\ud574 \uc720\ud6a8\ud55c \uace0\uc720 \ud638\uc2a4\ud2b8\uba85\uc774 \uc788\ub294 \uac12\uc744 \uc81c\uacf5\ud558\uc138\uc694."]})})]})}function h(e={}){const{wrapper:s}={...(0,r.a)(),...e.components};return s?(0,t.jsx)(s,{...e,children:(0,t.jsx)(a,{...e})}):a(e)}},1151:(e,s,n)=>{n.d(s,{Z:()=>o,a:()=>i});var t=n(7294);const r={},c=t.createContext(r);function i(e){const s=t.useContext(c);return t.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function o(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:i(e.components),t.createElement(c.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/9e7a009d.0d33ad0c.js b/kr/assets/js/9e7a009d.0d33ad0c.js deleted file mode 100644 index 65ada52ef..000000000 --- a/kr/assets/js/9e7a009d.0d33ad0c.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7251],{6253:(e,s,t)=>{t.r(s),t.d(s,{assets:()=>c,contentTitle:()=>l,default:()=>o,frontMatter:()=>n,metadata:()=>h,toc:()=>d});var r=t(5893),i=t(1151);const n={hide_table_of_contents:!0,sidebar_position:6},l="v1.25.X",h={id:"release-notes/v1.25.X",title:"v1.25.X",description:"Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.",source:"@site/docs/release-notes/v1.25.X.md",sourceDirName:"release-notes",slug:"/release-notes/v1.25.X",permalink:"/kr/release-notes/v1.25.X",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/release-notes/v1.25.X.md",tags:[],version:"current",lastUpdatedAt:172365169e4,sidebarPosition:6,frontMatter:{hide_table_of_contents:!0,sidebar_position:6},sidebar:"mySidebar",previous:{title:"v1.26.X",permalink:"/kr/release-notes/v1.26.X"},next:{title:"v1.24.X",permalink:"/kr/release-notes/v1.24.X"}},c={},d=[{value:"Release v1.25.16+k3s4",id:"release-v12516k3s4",level:2},{value:"Changes since v1.25.15+k3s2:",id:"changes-since-v12515k3s2",level:3},{value:"Release v1.25.15+k3s2",id:"release-v12515k3s2",level:2},{value:"Changes since v1.25.15+k3s1:",id:"changes-since-v12515k3s1",level:3},{value:"Release v1.25.15+k3s1",id:"release-v12515k3s1",level:2},{value:"Changes since v1.25.14+k3s1:",id:"changes-since-v12514k3s1",level:3},{value:"Release v1.25.14+k3s1",id:"release-v12514k3s1",level:2},{value:"Changes since v1.25.13+k3s1:",id:"changes-since-v12513k3s1",level:3},{value:"Release v1.25.13+k3s1",id:"release-v12513k3s1",level:2},{value:"Changes since v1.25.12+k3s1:",id:"changes-since-v12512k3s1",level:3},{value:"Release v1.25.12+k3s1",id:"release-v12512k3s1",level:2},{value:"Changes since v1.25.11+k3s1:",id:"changes-since-v12511k3s1",level:3},{value:"Release v1.25.11+k3s1",id:"release-v12511k3s1",level:2},{value:"Changes since v1.25.10+k3s1:",id:"changes-since-v12510k3s1",level:3},{value:"Release v1.25.10+k3s1",id:"release-v12510k3s1",level:2},{value:"Changes since v1.25.9+k3s1:",id:"changes-since-v1259k3s1",level:3},{value:"Release v1.25.9+k3s1",id:"release-v1259k3s1",level:2},{value:"Changes since v1.25.8+k3s1:",id:"changes-since-v1258k3s1",level:3},{value:"Release v1.25.8+k3s1",id:"release-v1258k3s1",level:2},{value:"Changes since v1.25.7+k3s1:",id:"changes-since-v1257k3s1",level:3},{value:"Release v1.25.7+k3s1",id:"release-v1257k3s1",level:2},{value:"Changes since v1.25.6+k3s1:",id:"changes-since-v1256k3s1",level:3},{value:"Release v1.25.6+k3s1",id:"release-v1256k3s1",level:2},{value:"Changes since v1.25.5+k3s2:",id:"changes-since-v1255k3s2",level:3},{value:"Release v1.25.5+k3s2",id:"release-v1255k3s2",level:2},{value:"Changes since v1.25.5+k3s1:",id:"changes-since-v1255k3s1",level:3},{value:"Release v1.25.5+k3s1",id:"release-v1255k3s1",level:2},{value:"\u26a0\ufe0f WARNING",id:"\ufe0f-warning",level:2},{value:"Changes since v1.25.4+k3s1:",id:"changes-since-v1254k3s1",level:3},{value:"Release v1.25.4+k3s1",id:"release-v1254k3s1",level:2},{value:"Changes since v1.25.3+k3s1:",id:"changes-since-v1253k3s1",level:3},{value:"Release v1.25.3+k3s1",id:"release-v1253k3s1",level:2},{value:"Changes since v1.25.2+k3s1:",id:"changes-since-v1252k3s1",level:3},{value:"Release v1.25.2+k3s1",id:"release-v1252k3s1",level:2},{value:"Changes since v1.25.0+k3s1:",id:"changes-since-v1250k3s1",level:3},{value:"Release v1.25.0+k3s1",id:"release-v1250k3s1",level:2},{value:"Changes since v1.24.4+k3s1:",id:"changes-since-v1244k3s1",level:3}];function a(e){const s={a:"a",admonition:"admonition",blockquote:"blockquote",br:"br",code:"code",h1:"h1",h2:"h2",h3:"h3",hr:"hr",li:"li",p:"p",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,i.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(s.h1,{id:"v125x",children:"v1.25.X"}),"\n",(0,r.jsx)(s.admonition,{title:"Upgrade Notice",type:"warning",children:(0,r.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]})}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Version"}),(0,r.jsx)(s.th,{children:"Release date"}),(0,r.jsx)(s.th,{children:"Kubernetes"}),(0,r.jsx)(s.th,{children:"Kine"}),(0,r.jsx)(s.th,{children:"SQLite"}),(0,r.jsx)(s.th,{children:"Etcd"}),(0,r.jsx)(s.th,{children:"Containerd"}),(0,r.jsx)(s.th,{children:"Runc"}),(0,r.jsx)(s.th,{children:"Flannel"}),(0,r.jsx)(s.th,{children:"Metrics-server"}),(0,r.jsx)(s.th,{children:"Traefik"}),(0,r.jsx)(s.th,{children:"CoreDNS"}),(0,r.jsx)(s.th,{children:"Helm-controller"}),(0,r.jsx)(s.th,{children:"Local-path-provisioner"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.25.X#release-v12516k3s4",children:"v1.25.16+k3s4"})}),(0,r.jsx)(s.td,{children:"Dec 07 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v12516",children:"v1.25.16"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1",children:"v1.7.7-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.25.X#release-v12515k3s2",children:"v1.25.15+k3s2"})}),(0,r.jsx)(s.td,{children:"Nov 08 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v12515",children:"v1.25.15"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1",children:"v1.7.7-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.25.X#release-v12515k3s1",children:"v1.25.15+k3s1"})}),(0,r.jsx)(s.td,{children:"Oct 30 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v12515",children:"v1.25.15"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1",children:"v1.7.7-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.25.X#release-v12514k3s1",children:"v1.25.14+k3s1"})}),(0,r.jsx)(s.td,{children:"Sep 20 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v12514",children:"v1.25.14"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.6-k3s1",children:"v1.7.6-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.25.X#release-v12513k3s1",children:"v1.25.13+k3s1"})}),(0,r.jsx)(s.td,{children:"Sep 05 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v12513",children:"v1.25.13"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.2",children:"v0.10.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.3-k3s1",children:"v1.7.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.25.X#release-v12512k3s1",children:"v1.25.12+k3s1"})}),(0,r.jsx)(s.td,{children:"Jul 27 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v12512",children:"v1.25.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.0",children:"v0.22.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.2",children:"v0.15.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.25.X#release-v12511k3s1",children:"v1.25.11+k3s1"})}),(0,r.jsx)(s.td,{children:"Jun 26 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v12511",children:"v1.25.11"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.0",children:"v0.22.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.0",children:"v0.15.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.25.X#release-v12510k3s1",children:"v1.25.10+k3s1"})}),(0,r.jsx)(s.td,{children:"May 26 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v12510",children:"v1.25.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.4",children:"v0.21.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.14.0",children:"v0.14.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.25.X#release-v1259k3s1",children:"v1.25.9+k3s1"})}),(0,r.jsx)(s.td,{children:"Apr 20 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1259",children:"v1.25.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.19-k3s1",children:"v1.6.19-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.5",children:"v1.1.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.4",children:"v0.21.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.3",children:"v0.13.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.25.X#release-v1258k3s1",children:"v1.25.8+k3s1"})}),(0,r.jsx)(s.td,{children:"Mar 27 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1258",children:"v1.25.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.19-k3s1",children:"v1.6.19-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.4",children:"v0.21.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.25.X#release-v1257k3s1",children:"v1.25.7+k3s1"})}),(0,r.jsx)(s.td,{children:"Mar 10 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1257",children:"v1.25.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.15-k3s1",children:"v1.6.15-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.1",children:"v0.21.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.25.X#release-v1256k3s1",children:"v1.25.6+k3s1"})}),(0,r.jsx)(s.td,{children:"Jan 26 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1256",children:"v1.25.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.6",children:"v0.9.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.15-k3s1",children:"v1.6.15-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.2",children:"v0.20.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.25.X#release-v1255k3s2",children:"v1.25.5+k3s2"})}),(0,r.jsx)(s.td,{children:"Jan 11 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1255",children:"v1.25.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.6",children:"v0.9.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.14-k3s1",children:"v1.6.14-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.2",children:"v0.20.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.25.X#release-v1255k3s1",children:"v1.25.5+k3s1"})}),(0,r.jsx)(s.td,{children:"Dec 20 2022"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1255",children:"v1.25.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.6",children:"v0.9.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.12-k3s1",children:"v1.6.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.2",children:"v0.20.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.25.X#release-v1254k3s1",children:"v1.25.4+k3s1"})}),(0,r.jsx)(s.td,{children:"Nov 18 2022"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1254",children:"v1.25.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.6",children:"v0.9.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.8-k3s1",children:"v1.6.8-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.1",children:"v0.20.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.1",children:"v0.6.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.0",children:"v0.13.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.25.X#release-v1253k3s1",children:"v1.25.3+k3s1"})}),(0,r.jsx)(s.td,{children:"Oct 25 2022"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1253",children:"v1.25.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.3",children:"v0.9.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_36_0.html",children:"3.36.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.8-k3s1",children:"v1.6.8-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.19.2",children:"v0.19.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.1",children:"v0.6.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.1",children:"v2.9.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.1",children:"v1.9.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.12.3",children:"v0.12.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.21",children:"v0.0.21"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.25.X#release-v1252k3s1",children:"v1.25.2+k3s1"})}),(0,r.jsx)(s.td,{children:"Sep 28 2022"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1252",children:"v1.25.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.3",children:"v0.9.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_36_0.html",children:"3.36.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.8-k3s1",children:"v1.6.8-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.19.2",children:"v0.19.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.5.2",children:"v0.5.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.6.2",children:"v2.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.1",children:"v1.9.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.12.3",children:"v0.12.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.21",children:"v0.0.21"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.25.X#release-v1250k3s1",children:"v1.25.0+k3s1"})}),(0,r.jsx)(s.td,{children:"Sep 12 2022"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1250",children:"v1.25.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.3",children:"v0.9.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_36_0.html",children:"3.36.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.5.13-k3s2",children:"v1.5.13-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.3",children:"v1.1.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.19.1",children:"v0.19.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.5.2",children:"v0.5.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.6.2",children:"v2.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.1",children:"v1.9.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.12.3",children:"v0.12.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.21",children:"v0.0.21"})})]})]})]}),"\n",(0,r.jsx)("br",{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12516k3s4",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.16+k3s4",children:"v1.25.16+k3s4"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.16, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v12515",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12515k3s2",children:"Changes since v1.25.15+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Etcd status condition ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8819",children:"(#8819)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2023-11 release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8880",children:"(#8880)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["New timezone info in Docker image allows the use of ",(0,r.jsx)(s.code,{children:"spec.timeZone"})," in CronJobs"]}),"\n",(0,r.jsx)(s.li,{children:"Bumped kine to v0.11.0 to resolve issues with postgres and NATS, fix performance of watch channels under heavy load, and improve compatibility with the reference implementation."}),"\n",(0,r.jsxs)(s.li,{children:["Containerd may now be configured to use rdt or blockio configuration by defining ",(0,r.jsx)(s.code,{children:"rdt_config.yaml"})," or ",(0,r.jsx)(s.code,{children:"blockio_config.yaml"})," files."]}),"\n",(0,r.jsx)(s.li,{children:"Add agent flag disable-apiserver-lb, agent will not start load balance proxy."}),"\n",(0,r.jsx)(s.li,{children:"Improved ingress IP ordering from ServiceLB"}),"\n",(0,r.jsx)(s.li,{children:"Disable helm CRD installation for disable-helm-controller"}),"\n",(0,r.jsx)(s.li,{children:"Omit snapshot list configmap entries for snapshots without extra metadata"}),"\n",(0,r.jsx)(s.li,{children:"Add jitter to client config retry to avoid hammering servers when they are starting up"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Handle nil pointer when runtime core is not ready in etcd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8889",children:"(#8889)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Improve dualStack log ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8867",children:"(#8867)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump dynamiclistener; reduce snapshot controller log spew ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8904",children:"(#8904)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bumped dynamiclistener to address a race condition that could cause a server to fail to sync its certificates into the Kubernetes secret"}),"\n",(0,r.jsx)(s.li,{children:"Reduced etcd snapshot log spam during initial cluster startup"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix etcd snapshot S3 issues ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8939",children:"(#8939)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Don't apply S3 retention if S3 client failed to initialize"}),"\n",(0,r.jsx)(s.li,{children:"Don't request metadata when listing S3 snapshots"}),"\n",(0,r.jsx)(s.li,{children:"Print key instead of file path in snapshot metadata log message"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.25.16 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8923",children:"(#8923)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove s390x steps temporarily since runners are disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8993",children:"(#8993)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove s390x from manifest script ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8994",children:"(#8994)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12515k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.15+k3s2",children:"v1.25.15+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.15, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v12515",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12515k3s1",children:"Changes since v1.25.15+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["E2E Domain Drone Cleanup ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8584",children:"(#8584)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix SystemdCgroup in templates_linux.go ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8767",children:"(#8767)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed an issue with identifying additional container runtimes"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update traefik chart to v25.0.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8777",children:"(#8777)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update traefik to fix registry value ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8791",children:"(#8791)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12515k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.15+k3s1",children:"v1.25.15+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.15, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v12514",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12514k3s1",children:"Changes since v1.25.14+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix error reporting ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8413",children:"(#8413)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add context to flannel errors ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8421",children:"(#8421)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Testing Backports for September ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8301",children:"(#8301)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Include the interface name in the error message ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8437",children:"(#8437)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add extraArgs to tailscale ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8466",children:"(#8466)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8445",children:"(#8445)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added error when cluster reset while using server flag ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8457",children:"(#8457)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The user will receive a error when --cluster-reset with the --server flag"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Cluster reset from non bootstrap nodes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8454",children:"(#8454)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix spellcheck problem ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8511",children:"(#8511)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Take IPFamily precedence based on order ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8506",children:"(#8506)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Network defaults are duplicated, remove one ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8553",children:"(#8553)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Advertise address integration test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8518",children:"(#8518)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fixed tailscale node IP dualstack mode in case of IPv4 only node ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8560",children:"(#8560)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Server Token Rotation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8578",children:"(#8578)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Users can now rotate the server token using ",(0,r.jsx)(s.code,{children:"k3s token rotate -t <OLD_TOKEN> --new-token <NEW_TOKEN>"}),". After command succeeds, all server nodes must be restarted with the new token."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Clear remove annotations on cluster reset ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8589",children:"(#8589)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed an issue that could cause k3s to attempt to remove members from the etcd cluster immediately following a cluster-reset/restore, if they were queued for removal at the time the snapshot was taken."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Use IPv6 in case is the first configured IP with dualstack ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8599",children:"(#8599)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2023-10 release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8617",children:"(#8617)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router package in build script ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8636",children:"(#8636)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add etcd-only/control-plane-only server test and fix control-plane-only server crash ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8644",children:"(#8644)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Windows agent support ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8646",children:"(#8646)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use ",(0,r.jsx)(s.code,{children:"version.Program"})," not K3s in token rotate logs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8654",children:"(#8654)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add --image-service-endpoint flag (#8279) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8664",children:"(#8664)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add ",(0,r.jsx)(s.code,{children:"--image-service-endpoint"})," flag to specify an external image service socket."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Backport etcd fixes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8692",children:"(#8692)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Re-enable etcd endpoint auto-sync"}),"\n",(0,r.jsx)(s.li,{children:"Manually requeue configmap reconcile when no nodes have reconciled snapshots"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.25.15 and Go to v1.20.10 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8679",children:"(#8679)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix s3 snapshot restore ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8735",children:"(#8735)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12514k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.14+k3s1",children:"v1.25.14+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.14, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v12513",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12513k3s1",children:"Changes since v1.25.13+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Bump kine to v0.10.3 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8326",children:"(#8326)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.25.14 and go to 1.20.8 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8350",children:"(#8350)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backport containerd bump and and test fixes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8384",children:"(#8384)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump embedded containerd to v1.7.6"}),"\n",(0,r.jsx)(s.li,{children:"Bump embedded stargz-snapshotter plugin to latest"}),"\n",(0,r.jsx)(s.li,{children:"Fixed intermittent drone CI failures due to race conditions in test environment setup scripts"}),"\n",(0,r.jsx)(s.li,{children:"Fixed CI failures due to changes to api discovery changes in Kubernetes 1.28"}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12513k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.13+k3s1",children:"v1.25.13+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.13, and fixes a number of issues."}),"\n",(0,r.jsx)(s.admonition,{title:"Important",type:"warning",children:(0,r.jsxs)(s.p,{children:["This release includes support for remediating CVE-2023-32187, a potential Denial of Service attack vector on K3s servers. See ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2",children:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2"})," for more information, including mandatory steps necessary to harden clusters against this vulnerability."]})}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v12512",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12512k3s1",children:"Changes since v1.25.12+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update flannel and plugins ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8076",children:"(#8076)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix tailscale bug with ip modes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8098",children:"(#8098)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Etcd snapshots retention when node name changes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8123",children:"(#8123)"})]}),"\n",(0,r.jsxs)(s.li,{children:["August Test Backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8127",children:"(#8127)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2023-08 release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8132",children:"(#8132)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"K3s's external apiserver listener now declines to add to its certificate any subject names not associated with the kubernetes apiserver service, server nodes, or values of the --tls-san option. This prevents the certificate's SAN list from being filled with unwanted entries."}),"\n",(0,r.jsxs)(s.li,{children:["K3s no longer enables the apiserver's ",(0,r.jsx)(s.code,{children:"enable-aggregator-routing"})," flag when the egress proxy is not being used to route connections to in-cluster endpoints."]}),"\n",(0,r.jsx)(s.li,{children:"Updated the embedded containerd to v1.7.3+k3s1"}),"\n",(0,r.jsx)(s.li,{children:"Updated the embedded runc to v1.1.8"}),"\n",(0,r.jsxs)(s.li,{children:["User-provided containerd config templates may now use ",(0,r.jsx)(s.code,{children:'{{ template "base" . }}'})," to include the default K3s template content. This makes it easier to maintain user configuration if the only need is to add additional sections to the file."]}),"\n",(0,r.jsx)(s.li,{children:"Bump docker/docker module version to fix issues with cri-dockerd caused by recent releases of golang rejecting invalid host headers sent by the docker client."}),"\n",(0,r.jsx)(s.li,{children:"Updated kine to v0.10.2"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["K3s etcd-snapshot delete fail to delete local file when called with s3 flag ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8145",children:"(#8145)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix for cluster-reset backup from s3 when etcd snapshots are disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8169",children:"(#8169)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fixed the etcd retention to delete orphaned snapshots based on the date ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8190",children:"(#8190)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Additional backports for 2023-08 release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8213",children:"(#8213)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The version of ",(0,r.jsx)(s.code,{children:"helm"})," used by the bundled helm controller's job image has been updated to v3.12.3"]}),"\n",(0,r.jsx)(s.li,{children:"Bumped dynamiclistener to address an issue that could cause the apiserver/supervisor listener on 6443 to stop serving requests on etcd-only nodes."}),"\n",(0,r.jsx)(s.li,{children:"The K3s external apiserver/supervisor listener on 6443 now sends a complete certificate chain in the TLS handshake."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Move flannel to 0.22.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8223",children:"(#8223)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.25.13 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8241",children:"(#8241)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix runc version bump ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8246",children:"(#8246)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add new CLI flag to enable TLS SAN CN filtering ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8259",children:"(#8259)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Added a new ",(0,r.jsx)(s.code,{children:"--tls-san-security"})," option. This flag defaults to false, but can be set to true to disable automatically adding SANs to the server's TLS certificate to satisfy any hostname requested by a client."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add RWMutex to address controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8275",children:"(#8275)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12512k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.12+k3s1",children:"v1.25.12+k3s1"})]}),"\n",(0,r.jsxs)(s.p,{children:["This release updates Kubernetes to v1.25.12, and fixes a number of issues.",(0,r.jsx)(s.br,{}),"\n","\u200b\r\nFor more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v12511",children:"Kubernetes release notes"}),".\r\n\u200b"]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12511k3s1",children:"Changes since v1.25.11+k3s1:"}),"\n",(0,r.jsx)(s.p,{children:"\u200b"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Remove file_windows.go ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7856",children:"(#7856)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix code spell check ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7860",children:"(#7860)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow k3s to customize apiServerPort on helm-controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7873",children:"(#7873)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Check if we are on ipv4, ipv6 or dualStack when doing tailscale ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7883",children:"(#7883)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Support setting control server URL for Tailscale. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7894",children:"(#7894)"})]}),"\n",(0,r.jsxs)(s.li,{children:["S3 and Startup tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7886",children:"(#7886)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix rootless node password ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7900",children:"(#7900)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2023-07 release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7909",children:"(#7909)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Resolved an issue that caused agents joined with kubeadm-style bootstrap tokens to fail to rejoin the cluster when their node object is deleted."}),"\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"k3s certificate rotate-ca"})," command now supports the data-dir flag."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Adding cli to custom klipper helm image ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7915",children:"(#7915)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The default helm-controller job image can now be overridden with the --helm-job-image CLI flag"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Generation of certs and keys for etcd gated if etcd is disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7945",children:"(#7945)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Don't use zgrep in ",(0,r.jsx)(s.code,{children:"check-config"})," if apparmor profile is enforced ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7954",children:"(#7954)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix image_scan.sh script and download trivy version (#7950) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7969",children:"(#7969)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Adjust default kubeconfig file permissions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7984",children:"(#7984)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.25.12 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8021",children:"(#8021)"}),"\r\n\u200b"]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12511k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.11+k3s1",children:"v1.25.11+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.11, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v12510",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12510k3s1",children:"Changes since v1.25.10+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update flannel version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7649",children:"(#7649)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump vagrant libvirt with fix for plugin installs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7659",children:"(#7659)"})]}),"\n",(0,r.jsxs)(s.li,{children:["E2E Backports - June ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7705",children:"(#7705)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Shortcircuit commands with version or help flags #7683"}),"\n",(0,r.jsx)(s.li,{children:"Add Rotation certification Check, remove func to restart agents #7097"}),"\n",(0,r.jsx)(s.li,{children:"E2E: Sudo for RunCmdOnNode #7686"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add private registry e2e test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7722",children:"(#7722)"})]}),"\n",(0,r.jsxs)(s.li,{children:["VPN integration ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7728",children:"(#7728)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix spelling test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7752",children:"(#7752)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove unused libvirt config ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7758",children:"(#7758)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backport version bumps and bugfixes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7718",children:"(#7718)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The bundled metrics-server has been bumped to v0.6.3, and now uses only secure TLS ciphers by default."}),"\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"coredns-custom"})," ConfigMap now allows for ",(0,r.jsx)(s.code,{children:"*.override"})," sections to be included in the ",(0,r.jsx)(s.code,{children:".:53"})," default server block."]}),"\n",(0,r.jsx)(s.li,{children:"The K3s core controllers (supervisor, deploy, and helm) no longer use the admin kubeconfig. This makes it easier to determine from access and audit logs which actions are performed by the system, and which are performed by an administrative user."}),"\n",(0,r.jsx)(s.li,{children:"Bumped klipper-lb image to v0.4.4 to resolve an issue that prevented access to ServiceLB ports from localhost when the Service ExternalTrafficPolicy was set to Local."}),"\n",(0,r.jsx)(s.li,{children:"Make LB image configurable when compiling k3s"}),"\n",(0,r.jsx)(s.li,{children:"K3s now allows nodes to join the cluster even if the node password secret cannot be created at the time the node joins. The secret create will be retried in the background. This resolves a potential deadlock created by fail-closed validating webhooks that block secret creation, where the webhook is unavailable until new nodes join the cluster to run the webhook pod."}),"\n",(0,r.jsx)(s.li,{children:"The bundled containerd's aufs/devmapper/zfs snapshotter plugins have been restored. These were unintentionally omitted when moving containerd back into the k3s multicall binary in the previous release."}),"\n",(0,r.jsx)(s.li,{children:"The embedded helm controller has been bumped to v0.15.0, and now supports creating the chart's target namespace if it does not exist."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add format command on Makefile ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7763",children:"(#7763)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix logging and cleanup in Tailscale ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7784",children:"(#7784)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.25.11 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7788",children:"(#7788)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Path normalization affecting kubectl proxy conformance test for /api endpoint ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7818",children:"(#7818)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12510k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.10+k3s1",children:"v1.25.10+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.10, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1259",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1259k3s1",children:"Changes since v1.25.9+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Ensure that klog verbosity is set to the same level as logrus ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7361",children:"(#7361)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add E2E testing in Drone ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7375",children:"(#7375)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add integration tests for etc-snapshot server flags #7377 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7378",children:"(#7378)"})]}),"\n",(0,r.jsxs)(s.li,{children:["CLI + Config Enhancement ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7404",children:"(#7404)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--Tls-sans"})," now accepts multiple arguments: ",(0,r.jsx)(s.code,{children:'--tls-sans="foo,bar"'})]}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"Prefer-bundled-bin: true"})," now works properly when set in ",(0,r.jsx)(s.code,{children:"config.yaml.d"})," files"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Migrate netutil methods into /utils/net.go ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7433",children:"(#7433)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Runc + Containerd + Docker for CVE fixes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7452",children:"(#7452)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump kube-router version to fix a bug when a port name is used ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7461",children:"(#7461)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Kube flags and longhorn storage tests 1.25 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7466",children:"(#7466)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Local-storage: Fix permission ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7473",children:"(#7473)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backport version bumps and bugfixes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7515",children:"(#7515)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:'K3s now retries the cluster join operation when receiving a "too many learners" error from etcd. This most frequently occurred when attempting to add multiple servers at the same time.'}),"\n",(0,r.jsx)(s.li,{children:"K3s once again supports aarch64 nodes with page size > 4k"}),"\n",(0,r.jsx)(s.li,{children:"The packaged Traefik version has been bumped to v2.9.10 / chart 21.2.0"}),"\n",(0,r.jsxs)(s.li,{children:["K3s now prints a more meaningful error when attempting to run from a filesystem mounted ",(0,r.jsx)(s.code,{children:"noexec"}),"."]}),"\n",(0,r.jsxs)(s.li,{children:["K3s now exits with a proper error message when the server token uses a bootstrap token ",(0,r.jsx)(s.code,{children:"id.secret"})," format."]}),"\n",(0,r.jsx)(s.li,{children:"Fixed an issue where Addon, HelmChart, and HelmChartConfig CRDs were created without structural schema, allowing the creation of custom resources of these types with invalid content."}),"\n",(0,r.jsx)(s.li,{children:"Servers started with the (experimental) --disable-agent flag no longer attempt to run the tunnel authorizer agent component."}),"\n",(0,r.jsx)(s.li,{children:"Fixed an regression that prevented the pod and cluster egress-selector modes from working properly."}),"\n",(0,r.jsx)(s.li,{children:"K3s now correctly passes through etcd-args to the temporary etcd that is used to extract cluster bootstrap data when restarting managed etcd nodes."}),"\n",(0,r.jsx)(s.li,{children:"K3s now properly handles errors obtaining the current etcd cluster member list when a new server is joining the managed etcd cluster."}),"\n",(0,r.jsxs)(s.li,{children:["The embedded kine version has been bumped to v0.10.1. This replaces the legacy ",(0,r.jsx)(s.code,{children:"lib/pq"})," postgres driver with ",(0,r.jsx)(s.code,{children:"pgx"}),"."]}),"\n",(0,r.jsx)(s.li,{children:"The bundled CNI plugins have been upgraded to v1.2.0-k3s1. The bandwidth and firewall plugins are now included in the bundle."}),"\n",(0,r.jsx)(s.li,{children:"The embedded Helm controller now supports authenticating to chart repositories via credentials stored in a Secret, as well as passing repo CAs via ConfigMap."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd/runc to v1.7.1-k3s1/v1.1.7 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7535",children:"(#7535)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The bundled containerd and runc versions have been bumped to v1.7.1-k3s1/v1.1.7"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Wrap error stating that it is coming from netpol ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7548",children:"(#7548)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add '-all' flag to apply to inactive units ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7574",children:"(#7574)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.25.10-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7582",children:"(#7582)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1259k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.9+k3s1",children:"v1.25.9+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.9, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1258",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1258k3s1",children:"Changes since v1.25.8+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Enhance ",(0,r.jsx)(s.code,{children:"check-config"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7164",children:"(#7164)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove deprecated nodeSelector label beta.kubernetes.io/os (#6970) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7121",children:"(#7121)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backport version bumps and bugfixes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7228",children:"(#7228)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The bundled local-path-provisioner version has been bumped to v0.0.24"}),"\n",(0,r.jsx)(s.li,{children:"The bundled runc version has been bumped to v1.1.5"}),"\n",(0,r.jsx)(s.li,{children:"The bundled coredns version has been bumped to v1.10.1"}),"\n",(0,r.jsx)(s.li,{children:"When using an external datastore, K3s now locks the bootstrap key while creating initial cluster bootstrap data, preventing a race condition when multiple servers attempted to initialize the cluster simultaneously."}),"\n",(0,r.jsx)(s.li,{children:"The client load-balancer that maintains connections to active server nodes now closes connections to servers when they are removed from the cluster. This ensures that agent components immediately reconnect to a current cluster member."}),"\n",(0,r.jsx)(s.li,{children:"Fixed a race condition during cluster reset that could cause the operation to hang and time out."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Updated kube-router to move the default ACCEPT rule at the end of the chain ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7221",children:"(#7221)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded kube-router controller has been updated to fix a regression that caused traffic from pods to be blocked by any default drop/deny rules present on the host. Users should still confirm that any externally-managed firewall rules explicitly allow traffic to/from pod and service networks, but this returns the old behavior that was relied upon by some users."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update klipper lb and helm-controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7240",children:"(#7240)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kube-router ACCEPT rule insertion and install script to clean rules before start ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7276",children:"(#7276)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded kube-router controller has been updated to fix a regression that caused traffic from pods to be blocked by any default drop/deny rules present on the host. Users should still confirm that any externally-managed firewall rules explicitly allow traffic to/from pod and service networks, but this returns the old behavior that was relied upon by some users."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.25.9-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7283",children:"(#7283)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1258k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.8+k3s1",children:"v1.25.8+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.8, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1257",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1257k3s1",children:"Changes since v1.25.7+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update flannel and kube-router ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7061",children:"(#7061)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump various dependencies for CVEs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7043",children:"(#7043)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Enable dependabot ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7045",children:"(#7045)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Wait for kubelet port to be ready before setting ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7064",children:"(#7064)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The agent tunnel authorizer now waits for the kubelet to be ready before reading the kubelet port from the node object."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Adds a warning about editing to the containerd config.toml file ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7075",children:"(#7075)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Improve support for rotating the default self-signed certs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7079",children:"(#7079)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"k3s certificate rotate-ca"})," checks now support rotating self-signed certificates without the ",(0,r.jsx)(s.code,{children:"--force"})," option."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.25.8-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7106",children:"(#7106)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update flannel to fix NAT issue with old iptables version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7138",children:"(#7138)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1257k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.7+k3s1",children:"v1.25.7+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.7, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1256",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1256k3s1",children:"Changes since v1.25.6+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add jitter to scheduled snapshots and retry harder on conflicts ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6782",children:"(#6782)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Scheduled etcd snapshots are now offset by a short random delay of up to several seconds. This should prevent multi-server clusters from executing pathological behavior when attempting to simultaneously update the snapshot list ConfigMap. The snapshot controller will also be more persistent in attempting to update the snapshot list."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump cri-dockerd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6798",children:"(#6798)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded cri-dockerd has been updated to v0.3.1"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bugfix: do not break cert-manager when pprof is enabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6837",children:"(#6837)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Wait for cri-dockerd socket ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6853",children:"(#6853)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump vagrant boxes to fedora37 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6858",children:"(#6858)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix cronjob example ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6864",children:"(#6864)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Ensure flag type consistency ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6867",children:"(#6867)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Consolidate E2E tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6887",children:"(#6887)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Ignore value conflicts when reencrypting secrets ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6919",children:"(#6919)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use default address family when adding kubernetes service address to SAN list ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6904",children:"(#6904)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The apiserver advertised address and IP SAN entry are now set correctly on clusters that use IPv6 as the default IP family."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Allow ServiceLB to honor ",(0,r.jsx)(s.code,{children:"ExternalTrafficPolicy=Local"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6907",children:"(#6907)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"ServiceLB now honors the Service's ExternalTrafficPolicy. When set to Local, the LoadBalancer will only advertise addresses of Nodes with a Pod for the Service, and will not forward traffic to other cluster members."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue with servicelb startup failure when validating webhooks block creation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6916",children:"(#6916)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded cloud controller manager will no longer attempt to unconditionally re-create its namespace and serviceaccount on startup. This resolves an issue that could cause a deadlocked cluster when fail-closed webhooks are in use."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Backport user-provided CA cert and ",(0,r.jsx)(s.code,{children:"kubeadm"})," bootstrap token support ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6929",children:"(#6929)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["K3s now functions properly when the cluster CA certificates are signed by an existing root or intermediate CA. You can find a sample script for generating such certificates before K3s starts in the github repo at ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/blob/master/contrib/util/certs.sh",children:"contrib/util/certs.sh"}),"."]}),"\n",(0,r.jsxs)(s.li,{children:["K3s now supports ",(0,r.jsx)(s.code,{children:"kubeadm"})," style join tokens. ",(0,r.jsx)(s.code,{children:"k3s token create"})," now creates join token secrets, optionally with a limited TTL."]}),"\n",(0,r.jsx)(s.li,{children:"K3s agents joined with an expired or deleted token stay in the cluster using existing client certificates via the NodeAuthorization admission plugin, unless their Node object is deleted from the cluster."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix access to hostNetwork port on NodeIP when egress-selector-mode=agent ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6936",children:"(#6936)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed an issue that would cause the apiserver egress proxy to attempt to use the agent tunnel to connect to service endpoints even in agent or disabled mode."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Updated flannel version to v0.21.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6915",children:"(#6915)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow for multiple sets of leader-elected controllers ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6941",children:"(#6941)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed an issue where leader-elected controllers for managed etcd did not run on etcd-only nodes"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix etcd and ca-cert rotate issues ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6954",children:"(#6954)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix ServiceLB dual-stack ingress IP listing ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6987",children:"(#6987)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Resolved an issue with ServiceLB that would cause it to advertise node IPv6 addresses, even if the cluster or service was not enabled for dual-stack operation."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump kine to v0.9.9 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6975",children:"(#6975)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The embedded kine version has been bumped to v0.9.9. Compaction log messages are now omitted at ",(0,r.jsx)(s.code,{children:"info"})," level for increased visibility."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.25.7-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7010",children:"(#7010)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1256k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.6+k3s1",children:"v1.25.6+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.6, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1255",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1255k3s2",children:"Changes since v1.25.5+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Pass through default tls-cipher-suites ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6730",children:"(#6730)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The K3s default cipher suites are now explicitly passed in to kube-apiserver, ensuring that all listeners use these values."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd to v1.6.15-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6735",children:"(#6735)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded containerd version has been bumped to v1.6.15-k3s1"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump action/download-artifact to v3 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6747",children:"(#6747)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backport dependabot/updatecli updates ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6761",children:"(#6761)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix Drone plugins/docker tag for 32 bit arm ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6768",children:"(#6768)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.25.6+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6775",children:"(#6775)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1255k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.5+k3s2",children:"v1.25.5+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates containerd to v1.6.14 to resolve an issue where pods would lose their CNI information when containerd was restarted."}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1255k3s1",children:"Changes since v1.25.5+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Bump containerd to v1.6.14-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6694",children:"(#6694)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The embedded containerd version has been bumped to v1.6.14-k3s1. This includes a backported fix for ",(0,r.jsx)(s.a,{href:"https://github.com/containerd/containerd/issues/7843",children:"containerd/7843"})," which caused pods to lose their CNI info when containerd was restarted, which in turn caused the kubelet to recreate the pod."]}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1255k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.5+k3s1",children:"v1.25.5+k3s1"})]}),"\n",(0,r.jsxs)(s.blockquote,{children:["\n",(0,r.jsx)(s.h2,{id:"\ufe0f-warning",children:"\u26a0\ufe0f WARNING"}),"\n",(0,r.jsxs)(s.p,{children:["This release is affected by ",(0,r.jsx)(s.a,{href:"https://github.com/containerd/containerd/issues/7843",children:"https://github.com/containerd/containerd/issues/7843"}),", which causes the kubelet to restart all pods whenever K3s is restarted. For this reason, we have removed this K3s release from the channel server. Please use ",(0,r.jsx)(s.code,{children:"v1.25.5+k3s2"})," instead."]}),"\n"]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.5, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:[(0,r.jsx)(s.strong,{children:"Breaking Change:"})," K3s no longer includes ",(0,r.jsx)(s.code,{children:"swanctl"})," and ",(0,r.jsx)(s.code,{children:"charon"})," binaries. If you are using the ipsec flannel backend, please ensure that the strongswan ",(0,r.jsx)(s.code,{children:"swanctl"})," and ",(0,r.jsx)(s.code,{children:"charon"})," packages are installed on your node before upgrading K3s to this release."]}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1254",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1254k3s1",children:"Changes since v1.25.4+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix log for flannelExternalIP use case ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6531",children:"(#6531)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix Carolines github id ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6464",children:"(#6464)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Github CI Updates ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6522",children:"(#6522)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add new ",(0,r.jsx)(s.code,{children:"prefer-bundled-bin"})," experimental flag ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6420",children:"(#6420)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Added new prefer-bundled-bin flag which force K3s to use its bundle binaries over that of the host tools"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd to v1.6.10 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6512",children:"(#6512)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded containerd version has been updated to v1.6.10-k3s1"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Stage the Traefik charts through k3s-charts ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6519",children:"(#6519)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Make rootless settings configurable ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6498",children:"(#6498)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The rootless ",(0,r.jsx)(s.code,{children:"port-driver"}),", ",(0,r.jsx)(s.code,{children:"cidr"}),", ",(0,r.jsx)(s.code,{children:"mtu"}),", ",(0,r.jsx)(s.code,{children:"enable-ipv6"}),", and ",(0,r.jsx)(s.code,{children:"disable-host-loopback"})," settings can now be configured via environment variables."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Remove stuff which belongs in the windows executor implementation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6517",children:"(#6517)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Mark v1.25.4+k3s1 as stable ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6534",children:"(#6534)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add ",(0,r.jsx)(s.code,{children:"prefer-bundled-bin"})," as an agent flag ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6545",children:"(#6545)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump klipper-helm and klipper-lb versions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6549",children:"(#6549)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The embedded Load-Balancer controller image has been bumped to klipper-lb",":v0",".4.0, which includes support for the ",(0,r.jsx)(s.a,{href:"https://kubernetes.io/docs/reference/kubernetes-api/service-resources/service-v1/#:~:text=loadBalancerSourceRanges",children:"LoadBalancerSourceRanges"})," field."]}),"\n",(0,r.jsxs)(s.li,{children:["The embedded Helm controller image has been bumped to klipper-helm",":v0",".7.4-build20221121"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Switch from Google Buckets to AWS S3 Buckets ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6497",children:"(#6497)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix passing AWS creds through Dapper ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6567",children:"(#6567)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix artifact upload with ",(0,r.jsx)(s.code,{children:"aws s3 cp"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6568",children:"(#6568)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Disable CCM metrics port when legacy CCM functionality is disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6572",children:"(#6572)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The embedded cloud-controller-manager's metrics listener on port 10258 is now disabled when the ",(0,r.jsx)(s.code,{children:"--disable-cloud-controller"})," flag is set."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Sync packaged component Deployment config ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6552",children:"(#6552)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Deployments for K3s packaged components now have consistent upgrade strategy and revisionHistoryLimit settings, and will not override scaling decisions by hardcoding the replica count."}),"\n",(0,r.jsx)(s.li,{children:"The packaged metrics-server has been bumped to v0.6.2"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Mark secrets-encryption flag as GA ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6582",children:"(#6582)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump k3s root to v0.12.0 and remove strongswan binaries ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6400",children:"(#6400)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded k3s-root version has been bumped to v0.12.0, based on buildroot 2022.08.1."}),"\n",(0,r.jsxs)(s.li,{children:["The embedded swanctl and charon binaries have been removed. If you are using the ipsec flannel backend, please ensure that the strongswan ",(0,r.jsx)(s.code,{children:"swanctl"})," and ",(0,r.jsx)(s.code,{children:"charon"})," packages are installed on your node before upgrading k3s."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update flannel to v0.20.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6588",children:"(#6588)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add ADR for security bumps automation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6559",children:"(#6559)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update node12->node16 based GH actions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6593",children:"(#6593)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Updating rel docs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6237",children:"(#6237)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update install.sh to recommend current version of k3s-selinux ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6453",children:"(#6453)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.25.5-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6622",children:"(#6622)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd to v1.6.12-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6631",children:"(#6631)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded containerd version has been bumped to v1.6.12"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Preload iptable_filter/ip6table_filter ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6646",children:"(#6646)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1254k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.4+k3s1",children:"v1.25.4+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.4, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1253",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1253k3s1",children:"Changes since v1.25.3+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add the gateway parameter in netplan ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6292",children:"(#6292)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bumped dynamiclistener library to v0.3.5 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6300",children:"(#6300)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router to v1.5.1 with extra logging ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6345",children:"(#6345)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update maintainers ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6298",children:"(#6298)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump testing to opensuse Leap 15.4 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6337",children:"(#6337)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update E2E docs with more info on ubuntu 22.04 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6316",children:"(#6316)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Netpol test for podSelector & ingress ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6247",children:"(#6247)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump all alpine images to 3.16 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6334",children:"(#6334)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump kine to v0.9.6 / sqlite3 v3.39.2 (",(0,r.jsx)(s.a,{href:"https://nvd.nist.gov/vuln/detail/CVE-2022-35737",children:"CVE-2022-35737"}),") ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6317",children:"(#6317)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add hardened cluster and upgrade tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6320",children:"(#6320)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The bundled Traefik helm chart has been updated to v18.0.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6353",children:"(#6353)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Mark v1.25.3+k3s1 as stable ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6338",children:"(#6338)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The embedded helm controller has been bumped to v0.13.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6294",children:"(#6294)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fixed an issue that would prevent the deploy controller from handling manifests that include resource types that are no longer supported by the apiserver. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6295",children:"(#6295)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Replace fedora-coreos with fedora 36 for install tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6315",children:"(#6315)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Convert containerd config.toml.tmpl Linux template to v2 syntax ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6267",children:"(#6267)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add test for node-external-ip config parameter ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6359",children:"(#6359)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use debugger-friendly compile settings if DEBUG is set ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6147",children:"(#6147)"})]}),"\n",(0,r.jsxs)(s.li,{children:["update e2e tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6354",children:"(#6354)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove unused vagrant development scripts ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6395",children:"(#6395)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The bundled Traefik has been updated to v2.9.4 / helm chart v18.3.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6397",children:"(#6397)"})]}),"\n",(0,r.jsxs)(s.li,{children:["None ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6371",children:"(#6371)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix incorrect defer usage ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6296",children:"(#6296)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add snapshot restore e2e test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6396",children:"(#6396)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix sonobouy tests on v1.25 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6399",children:"(#6399)"})]}),"\n",(0,r.jsx)(s.li,{children:"Bump packaged component versions"}),"\n",(0,r.jsx)(s.li,{children:"The packaged traefik helm chart has been bumped to v19.0.0, enabling ingressClass support by default."}),"\n",(0,r.jsx)(s.li,{children:"The packaged local-path-provisioner has been bumped to v0.0.23"}),"\n",(0,r.jsxs)(s.li,{children:["The packaged coredns has been bumped to v1.9.4 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6408",children:"(#6408)"})]}),"\n",(0,r.jsxs)(s.li,{children:["log kube-router version when starting netpol controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6405",children:"(#6405)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add Kairos to ADOPTERS ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6417",children:"(#6417)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Flannel to 0.20.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6388",children:"(#6388)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Avoid wrong config for ",(0,r.jsx)(s.code,{children:"flannel-external-ip"})," and add warning if unencrypted backend ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6403",children:"(#6403)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix test-mods to allow for pinning version from k8s.io ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6413",children:"(#6413)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix for metrics-server in the multi-cloud cluster env ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6386",children:"(#6386)"})]}),"\n",(0,r.jsxs)(s.li,{children:["K3s now indicates specifically which cluster-level configuration flags are out of sync when critical configuration differs between server nodes. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6409",children:"(#6409)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Convert test output to JSON format ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6410",children:"(#6410)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Pull traefik helm chart directly from GH ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6468",children:"(#6468)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Nightly test fix ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6475",children:"(#6475)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.25.4 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6477",children:"(#6477)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove stuff which belongs in the windows executor implementation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6492",children:"(#6492)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The packaged traefik helm chart has been bumped to 19.0.4 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6494",children:"(#6494)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Move traefik chart repo again ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6508",children:"(#6508)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1253k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.3+k3s1",children:"v1.25.3+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.3, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1252",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1252k3s1",children:"Changes since v1.25.2+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["E2E: Groundwork for PR runs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6131",children:"(#6131)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix flannel for deployments of nodes which do not belong to the same network and connect using their public IP ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6180",children:"(#6180)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Mark v1.24.6+k3s1 as stable ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6193",children:"(#6193)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add cluster reset test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6161",children:"(#6161)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The embedded metrics-server version has been bumped to v0.6.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6151",children:"(#6151)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The ServiceLB (klipper-lb) service controller is now integrated into the K3s stub cloud controller manager. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6181",children:"(#6181)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Events recorded to the cluster by embedded controllers are now properly formatted in the service logs. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6203",children:"(#6203)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix ",(0,r.jsx)(s.code,{children:"error dialing backend"})," errors in apiserver network proxy ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6216",children:"(#6216)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fixed an issue with the apiserver network proxy that caused ",(0,r.jsx)(s.code,{children:"kubectl exec"})," to occasionally fail with ",(0,r.jsx)(s.code,{children:"error dialing backend: EOF"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fixed an issue with the apiserver network proxy that caused ",(0,r.jsx)(s.code,{children:"kubectl exec"})," and ",(0,r.jsx)(s.code,{children:"kubectl logs"})," to fail when a custom kubelet port was used, and the custom port was blocked by firewall or security group rules."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix the typo in the test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6183",children:"(#6183)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use setup-go action to cache dependencies ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6220",children:"(#6220)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add journalctl logs to E2E tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6224",children:"(#6224)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The embedded Traefik version has been bumped to v2.9.1 / chart 12.0.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6223",children:"(#6223)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix flakey etcd test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6232",children:"(#6232)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Replace deprecated ioutil package ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6230",children:"(#6230)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix dualStack test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6245",children:"(#6245)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add ServiceAccount for svclb pods ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6253",children:"(#6253)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.25.3-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6269",children:"(#6269)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Return ProviderID in URI format ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6284",children:"(#6284)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Corrected CCM RBAC to allow for removal of legacy service finalizer during upgrades. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6306",children:"(#6306)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added a new --flannel-external-ip flag. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6321",children:"(#6321)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"When enabled, Flannel traffic will now use the nodes external IPs, instead of internal."}),"\n",(0,r.jsx)(s.li,{children:"This is meant for use with distributed clusters that are not all on the same local network."}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1252k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.2+k3s1",children:"v1.25.2+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.2, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1250",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1250k3s1",children:"Changes since v1.25.0+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add k3s v1.25 to the release channel ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6129",children:"(#6129)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Restore original INSTALL_K3S_SKIP_DOWNLOAD behavior ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6130",children:"(#6130)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add K3S Release Documentation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6135",children:"(#6135)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.25.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6140",children:"(#6140)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.25.2-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6168",children:"(#6168)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1250k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.0+k3s1",children:"v1.25.0+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release is K3S's first in the v1.25 line. This release updates Kubernetes to v1.25.0."}),"\n",(0,r.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]}),"\n",(0,r.jsxs)(s.p,{children:[(0,r.jsx)(s.strong,{children:"Important Note:"})," Kubernetes v1.25 removes the beta ",(0,r.jsx)(s.code,{children:"PodSecurityPolicy"})," admission plugin. Please follow the ",(0,r.jsx)(s.a,{href:"https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/",children:"upstream documentation"})," to migrate from PSP if using the built-in PodSecurity Admission Plugin, prior to upgrading to v1.25.0+k3s1."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1244k3s1",children:"Changes since v1.24.4+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.25.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6040",children:"(#6040)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove ",(0,r.jsx)(s.code,{children:"--containerd"})," flag from windows kubelet args ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6028",children:"(#6028)"})]}),"\n",(0,r.jsxs)(s.li,{children:["E2E: Add support for CentOS 7 and Rocky 8 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6015",children:"(#6015)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Convert install tests to run PR build of k3s ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6003",children:"(#6003)"})]}),"\n",(0,r.jsxs)(s.li,{children:["CI: update Fedora 34 -> 35 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5996",children:"(#5996)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix dualStack test and change ipv6 network prefix ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6023",children:"(#6023)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix e2e tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6018",children:"(#6018)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update README.md ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6048",children:"(#6048)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove wireguard interfaces when deleting the cluster ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6055",children:"(#6055)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add validation check to confirm correct golang version for Kubernetes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6050",children:"(#6050)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Expand startup integration test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6030",children:"(#6030)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update go.mod version to 1.19 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6049",children:"(#6049)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Usage of ",(0,r.jsx)(s.code,{children:"--cluster-secret"}),", ",(0,r.jsx)(s.code,{children:"--no-deploy"}),", and ",(0,r.jsx)(s.code,{children:"--no-flannel"})," is no longer supported. Attempts to use these flags will cause fatal errors. See ",(0,r.jsx)(s.a,{href:"https://k3s-io.github.io/docs/reference/server-config#deprecated-options",children:"the docs"})," for their replacement. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6069",children:"(#6069)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Flannel version to fix older iptables version issue. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6090",children:"(#6090)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The bundled version of runc has been bumped to v1.1.4 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6071",children:"(#6071)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The embedded containerd version has been bumped to v1.6.8-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6078",children:"(#6078)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix deprecation message ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6112",children:"(#6112)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added warning message for flannel backend additional options deprecation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6111",children:"(#6111)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{})]})}function o(e={}){const{wrapper:s}={...(0,i.a)(),...e.components};return s?(0,r.jsx)(s,{...e,children:(0,r.jsx)(a,{...e})}):a(e)}},1151:(e,s,t)=>{t.d(s,{Z:()=>h,a:()=>l});var r=t(7294);const i={},n=r.createContext(i);function l(e){const s=r.useContext(n);return r.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function h(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(i):e.components||i:l(e.components),r.createElement(n.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/9e7a009d.204a0230.js b/kr/assets/js/9e7a009d.204a0230.js new file mode 100644 index 000000000..3be951244 --- /dev/null +++ b/kr/assets/js/9e7a009d.204a0230.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7251],{6253:(e,s,t)=>{t.r(s),t.d(s,{assets:()=>c,contentTitle:()=>l,default:()=>o,frontMatter:()=>n,metadata:()=>h,toc:()=>d});var r=t(5893),i=t(1151);const n={hide_table_of_contents:!0,sidebar_position:6},l="v1.25.X",h={id:"release-notes/v1.25.X",title:"v1.25.X",description:"Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.",source:"@site/docs/release-notes/v1.25.X.md",sourceDirName:"release-notes",slug:"/release-notes/v1.25.X",permalink:"/kr/release-notes/v1.25.X",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/release-notes/v1.25.X.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,sidebarPosition:6,frontMatter:{hide_table_of_contents:!0,sidebar_position:6},sidebar:"mySidebar",previous:{title:"v1.26.X",permalink:"/kr/release-notes/v1.26.X"},next:{title:"v1.24.X",permalink:"/kr/release-notes/v1.24.X"}},c={},d=[{value:"Release v1.25.16+k3s4",id:"release-v12516k3s4",level:2},{value:"Changes since v1.25.15+k3s2:",id:"changes-since-v12515k3s2",level:3},{value:"Release v1.25.15+k3s2",id:"release-v12515k3s2",level:2},{value:"Changes since v1.25.15+k3s1:",id:"changes-since-v12515k3s1",level:3},{value:"Release v1.25.15+k3s1",id:"release-v12515k3s1",level:2},{value:"Changes since v1.25.14+k3s1:",id:"changes-since-v12514k3s1",level:3},{value:"Release v1.25.14+k3s1",id:"release-v12514k3s1",level:2},{value:"Changes since v1.25.13+k3s1:",id:"changes-since-v12513k3s1",level:3},{value:"Release v1.25.13+k3s1",id:"release-v12513k3s1",level:2},{value:"Changes since v1.25.12+k3s1:",id:"changes-since-v12512k3s1",level:3},{value:"Release v1.25.12+k3s1",id:"release-v12512k3s1",level:2},{value:"Changes since v1.25.11+k3s1:",id:"changes-since-v12511k3s1",level:3},{value:"Release v1.25.11+k3s1",id:"release-v12511k3s1",level:2},{value:"Changes since v1.25.10+k3s1:",id:"changes-since-v12510k3s1",level:3},{value:"Release v1.25.10+k3s1",id:"release-v12510k3s1",level:2},{value:"Changes since v1.25.9+k3s1:",id:"changes-since-v1259k3s1",level:3},{value:"Release v1.25.9+k3s1",id:"release-v1259k3s1",level:2},{value:"Changes since v1.25.8+k3s1:",id:"changes-since-v1258k3s1",level:3},{value:"Release v1.25.8+k3s1",id:"release-v1258k3s1",level:2},{value:"Changes since v1.25.7+k3s1:",id:"changes-since-v1257k3s1",level:3},{value:"Release v1.25.7+k3s1",id:"release-v1257k3s1",level:2},{value:"Changes since v1.25.6+k3s1:",id:"changes-since-v1256k3s1",level:3},{value:"Release v1.25.6+k3s1",id:"release-v1256k3s1",level:2},{value:"Changes since v1.25.5+k3s2:",id:"changes-since-v1255k3s2",level:3},{value:"Release v1.25.5+k3s2",id:"release-v1255k3s2",level:2},{value:"Changes since v1.25.5+k3s1:",id:"changes-since-v1255k3s1",level:3},{value:"Release v1.25.5+k3s1",id:"release-v1255k3s1",level:2},{value:"\u26a0\ufe0f WARNING",id:"\ufe0f-warning",level:2},{value:"Changes since v1.25.4+k3s1:",id:"changes-since-v1254k3s1",level:3},{value:"Release v1.25.4+k3s1",id:"release-v1254k3s1",level:2},{value:"Changes since v1.25.3+k3s1:",id:"changes-since-v1253k3s1",level:3},{value:"Release v1.25.3+k3s1",id:"release-v1253k3s1",level:2},{value:"Changes since v1.25.2+k3s1:",id:"changes-since-v1252k3s1",level:3},{value:"Release v1.25.2+k3s1",id:"release-v1252k3s1",level:2},{value:"Changes since v1.25.0+k3s1:",id:"changes-since-v1250k3s1",level:3},{value:"Release v1.25.0+k3s1",id:"release-v1250k3s1",level:2},{value:"Changes since v1.24.4+k3s1:",id:"changes-since-v1244k3s1",level:3}];function a(e){const s={a:"a",admonition:"admonition",blockquote:"blockquote",br:"br",code:"code",h1:"h1",h2:"h2",h3:"h3",header:"header",hr:"hr",li:"li",p:"p",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,i.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(s.header,{children:(0,r.jsx)(s.h1,{id:"v125x",children:"v1.25.X"})}),"\n",(0,r.jsx)(s.admonition,{title:"Upgrade Notice",type:"warning",children:(0,r.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]})}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Version"}),(0,r.jsx)(s.th,{children:"Release date"}),(0,r.jsx)(s.th,{children:"Kubernetes"}),(0,r.jsx)(s.th,{children:"Kine"}),(0,r.jsx)(s.th,{children:"SQLite"}),(0,r.jsx)(s.th,{children:"Etcd"}),(0,r.jsx)(s.th,{children:"Containerd"}),(0,r.jsx)(s.th,{children:"Runc"}),(0,r.jsx)(s.th,{children:"Flannel"}),(0,r.jsx)(s.th,{children:"Metrics-server"}),(0,r.jsx)(s.th,{children:"Traefik"}),(0,r.jsx)(s.th,{children:"CoreDNS"}),(0,r.jsx)(s.th,{children:"Helm-controller"}),(0,r.jsx)(s.th,{children:"Local-path-provisioner"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.25.X#release-v12516k3s4",children:"v1.25.16+k3s4"})}),(0,r.jsx)(s.td,{children:"Dec 07 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v12516",children:"v1.25.16"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1",children:"v1.7.7-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.25.X#release-v12515k3s2",children:"v1.25.15+k3s2"})}),(0,r.jsx)(s.td,{children:"Nov 08 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v12515",children:"v1.25.15"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1",children:"v1.7.7-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.25.X#release-v12515k3s1",children:"v1.25.15+k3s1"})}),(0,r.jsx)(s.td,{children:"Oct 30 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v12515",children:"v1.25.15"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1",children:"v1.7.7-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.25.X#release-v12514k3s1",children:"v1.25.14+k3s1"})}),(0,r.jsx)(s.td,{children:"Sep 20 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v12514",children:"v1.25.14"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.6-k3s1",children:"v1.7.6-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.25.X#release-v12513k3s1",children:"v1.25.13+k3s1"})}),(0,r.jsx)(s.td,{children:"Sep 05 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v12513",children:"v1.25.13"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.2",children:"v0.10.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.3-k3s1",children:"v1.7.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.25.X#release-v12512k3s1",children:"v1.25.12+k3s1"})}),(0,r.jsx)(s.td,{children:"Jul 27 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v12512",children:"v1.25.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.0",children:"v0.22.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.2",children:"v0.15.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.25.X#release-v12511k3s1",children:"v1.25.11+k3s1"})}),(0,r.jsx)(s.td,{children:"Jun 26 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v12511",children:"v1.25.11"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.0",children:"v0.22.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.0",children:"v0.15.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.25.X#release-v12510k3s1",children:"v1.25.10+k3s1"})}),(0,r.jsx)(s.td,{children:"May 26 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v12510",children:"v1.25.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.4",children:"v0.21.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.14.0",children:"v0.14.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.25.X#release-v1259k3s1",children:"v1.25.9+k3s1"})}),(0,r.jsx)(s.td,{children:"Apr 20 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1259",children:"v1.25.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.19-k3s1",children:"v1.6.19-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.5",children:"v1.1.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.4",children:"v0.21.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.3",children:"v0.13.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.25.X#release-v1258k3s1",children:"v1.25.8+k3s1"})}),(0,r.jsx)(s.td,{children:"Mar 27 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1258",children:"v1.25.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.19-k3s1",children:"v1.6.19-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.4",children:"v0.21.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.25.X#release-v1257k3s1",children:"v1.25.7+k3s1"})}),(0,r.jsx)(s.td,{children:"Mar 10 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1257",children:"v1.25.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.15-k3s1",children:"v1.6.15-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.1",children:"v0.21.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.25.X#release-v1256k3s1",children:"v1.25.6+k3s1"})}),(0,r.jsx)(s.td,{children:"Jan 26 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1256",children:"v1.25.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.6",children:"v0.9.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.15-k3s1",children:"v1.6.15-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.2",children:"v0.20.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.25.X#release-v1255k3s2",children:"v1.25.5+k3s2"})}),(0,r.jsx)(s.td,{children:"Jan 11 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1255",children:"v1.25.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.6",children:"v0.9.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.14-k3s1",children:"v1.6.14-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.2",children:"v0.20.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.25.X#release-v1255k3s1",children:"v1.25.5+k3s1"})}),(0,r.jsx)(s.td,{children:"Dec 20 2022"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1255",children:"v1.25.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.6",children:"v0.9.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.12-k3s1",children:"v1.6.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.2",children:"v0.20.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.25.X#release-v1254k3s1",children:"v1.25.4+k3s1"})}),(0,r.jsx)(s.td,{children:"Nov 18 2022"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1254",children:"v1.25.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.6",children:"v0.9.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.8-k3s1",children:"v1.6.8-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.1",children:"v0.20.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.1",children:"v0.6.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.0",children:"v0.13.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.25.X#release-v1253k3s1",children:"v1.25.3+k3s1"})}),(0,r.jsx)(s.td,{children:"Oct 25 2022"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1253",children:"v1.25.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.3",children:"v0.9.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_36_0.html",children:"3.36.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.8-k3s1",children:"v1.6.8-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.19.2",children:"v0.19.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.1",children:"v0.6.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.1",children:"v2.9.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.1",children:"v1.9.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.12.3",children:"v0.12.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.21",children:"v0.0.21"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.25.X#release-v1252k3s1",children:"v1.25.2+k3s1"})}),(0,r.jsx)(s.td,{children:"Sep 28 2022"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1252",children:"v1.25.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.3",children:"v0.9.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_36_0.html",children:"3.36.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.8-k3s1",children:"v1.6.8-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.19.2",children:"v0.19.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.5.2",children:"v0.5.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.6.2",children:"v2.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.1",children:"v1.9.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.12.3",children:"v0.12.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.21",children:"v0.0.21"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.25.X#release-v1250k3s1",children:"v1.25.0+k3s1"})}),(0,r.jsx)(s.td,{children:"Sep 12 2022"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1250",children:"v1.25.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.3",children:"v0.9.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_36_0.html",children:"3.36.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.5.13-k3s2",children:"v1.5.13-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.3",children:"v1.1.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.19.1",children:"v0.19.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.5.2",children:"v0.5.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.6.2",children:"v2.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.1",children:"v1.9.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.12.3",children:"v0.12.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.21",children:"v0.0.21"})})]})]})]}),"\n",(0,r.jsx)("br",{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12516k3s4",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.16+k3s4",children:"v1.25.16+k3s4"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.16, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v12515",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12515k3s2",children:"Changes since v1.25.15+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Etcd status condition ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8819",children:"(#8819)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2023-11 release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8880",children:"(#8880)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["New timezone info in Docker image allows the use of ",(0,r.jsx)(s.code,{children:"spec.timeZone"})," in CronJobs"]}),"\n",(0,r.jsx)(s.li,{children:"Bumped kine to v0.11.0 to resolve issues with postgres and NATS, fix performance of watch channels under heavy load, and improve compatibility with the reference implementation."}),"\n",(0,r.jsxs)(s.li,{children:["Containerd may now be configured to use rdt or blockio configuration by defining ",(0,r.jsx)(s.code,{children:"rdt_config.yaml"})," or ",(0,r.jsx)(s.code,{children:"blockio_config.yaml"})," files."]}),"\n",(0,r.jsx)(s.li,{children:"Add agent flag disable-apiserver-lb, agent will not start load balance proxy."}),"\n",(0,r.jsx)(s.li,{children:"Improved ingress IP ordering from ServiceLB"}),"\n",(0,r.jsx)(s.li,{children:"Disable helm CRD installation for disable-helm-controller"}),"\n",(0,r.jsx)(s.li,{children:"Omit snapshot list configmap entries for snapshots without extra metadata"}),"\n",(0,r.jsx)(s.li,{children:"Add jitter to client config retry to avoid hammering servers when they are starting up"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Handle nil pointer when runtime core is not ready in etcd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8889",children:"(#8889)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Improve dualStack log ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8867",children:"(#8867)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump dynamiclistener; reduce snapshot controller log spew ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8904",children:"(#8904)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bumped dynamiclistener to address a race condition that could cause a server to fail to sync its certificates into the Kubernetes secret"}),"\n",(0,r.jsx)(s.li,{children:"Reduced etcd snapshot log spam during initial cluster startup"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix etcd snapshot S3 issues ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8939",children:"(#8939)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Don't apply S3 retention if S3 client failed to initialize"}),"\n",(0,r.jsx)(s.li,{children:"Don't request metadata when listing S3 snapshots"}),"\n",(0,r.jsx)(s.li,{children:"Print key instead of file path in snapshot metadata log message"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.25.16 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8923",children:"(#8923)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove s390x steps temporarily since runners are disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8993",children:"(#8993)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove s390x from manifest script ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8994",children:"(#8994)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12515k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.15+k3s2",children:"v1.25.15+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.15, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v12515",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12515k3s1",children:"Changes since v1.25.15+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["E2E Domain Drone Cleanup ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8584",children:"(#8584)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix SystemdCgroup in templates_linux.go ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8767",children:"(#8767)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed an issue with identifying additional container runtimes"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update traefik chart to v25.0.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8777",children:"(#8777)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update traefik to fix registry value ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8791",children:"(#8791)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12515k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.15+k3s1",children:"v1.25.15+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.15, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v12514",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12514k3s1",children:"Changes since v1.25.14+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix error reporting ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8413",children:"(#8413)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add context to flannel errors ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8421",children:"(#8421)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Testing Backports for September ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8301",children:"(#8301)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Include the interface name in the error message ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8437",children:"(#8437)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add extraArgs to tailscale ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8466",children:"(#8466)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8445",children:"(#8445)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added error when cluster reset while using server flag ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8457",children:"(#8457)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The user will receive a error when --cluster-reset with the --server flag"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Cluster reset from non bootstrap nodes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8454",children:"(#8454)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix spellcheck problem ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8511",children:"(#8511)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Take IPFamily precedence based on order ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8506",children:"(#8506)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Network defaults are duplicated, remove one ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8553",children:"(#8553)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Advertise address integration test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8518",children:"(#8518)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fixed tailscale node IP dualstack mode in case of IPv4 only node ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8560",children:"(#8560)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Server Token Rotation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8578",children:"(#8578)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Users can now rotate the server token using ",(0,r.jsx)(s.code,{children:"k3s token rotate -t <OLD_TOKEN> --new-token <NEW_TOKEN>"}),". After command succeeds, all server nodes must be restarted with the new token."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Clear remove annotations on cluster reset ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8589",children:"(#8589)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed an issue that could cause k3s to attempt to remove members from the etcd cluster immediately following a cluster-reset/restore, if they were queued for removal at the time the snapshot was taken."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Use IPv6 in case is the first configured IP with dualstack ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8599",children:"(#8599)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2023-10 release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8617",children:"(#8617)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router package in build script ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8636",children:"(#8636)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add etcd-only/control-plane-only server test and fix control-plane-only server crash ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8644",children:"(#8644)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Windows agent support ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8646",children:"(#8646)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use ",(0,r.jsx)(s.code,{children:"version.Program"})," not K3s in token rotate logs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8654",children:"(#8654)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add --image-service-endpoint flag (#8279) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8664",children:"(#8664)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add ",(0,r.jsx)(s.code,{children:"--image-service-endpoint"})," flag to specify an external image service socket."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Backport etcd fixes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8692",children:"(#8692)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Re-enable etcd endpoint auto-sync"}),"\n",(0,r.jsx)(s.li,{children:"Manually requeue configmap reconcile when no nodes have reconciled snapshots"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.25.15 and Go to v1.20.10 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8679",children:"(#8679)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix s3 snapshot restore ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8735",children:"(#8735)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12514k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.14+k3s1",children:"v1.25.14+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.14, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v12513",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12513k3s1",children:"Changes since v1.25.13+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Bump kine to v0.10.3 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8326",children:"(#8326)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.25.14 and go to 1.20.8 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8350",children:"(#8350)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backport containerd bump and and test fixes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8384",children:"(#8384)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump embedded containerd to v1.7.6"}),"\n",(0,r.jsx)(s.li,{children:"Bump embedded stargz-snapshotter plugin to latest"}),"\n",(0,r.jsx)(s.li,{children:"Fixed intermittent drone CI failures due to race conditions in test environment setup scripts"}),"\n",(0,r.jsx)(s.li,{children:"Fixed CI failures due to changes to api discovery changes in Kubernetes 1.28"}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12513k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.13+k3s1",children:"v1.25.13+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.13, and fixes a number of issues."}),"\n",(0,r.jsx)(s.admonition,{title:"Important",type:"warning",children:(0,r.jsxs)(s.p,{children:["This release includes support for remediating CVE-2023-32187, a potential Denial of Service attack vector on K3s servers. See ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2",children:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2"})," for more information, including mandatory steps necessary to harden clusters against this vulnerability."]})}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v12512",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12512k3s1",children:"Changes since v1.25.12+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update flannel and plugins ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8076",children:"(#8076)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix tailscale bug with ip modes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8098",children:"(#8098)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Etcd snapshots retention when node name changes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8123",children:"(#8123)"})]}),"\n",(0,r.jsxs)(s.li,{children:["August Test Backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8127",children:"(#8127)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2023-08 release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8132",children:"(#8132)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"K3s's external apiserver listener now declines to add to its certificate any subject names not associated with the kubernetes apiserver service, server nodes, or values of the --tls-san option. This prevents the certificate's SAN list from being filled with unwanted entries."}),"\n",(0,r.jsxs)(s.li,{children:["K3s no longer enables the apiserver's ",(0,r.jsx)(s.code,{children:"enable-aggregator-routing"})," flag when the egress proxy is not being used to route connections to in-cluster endpoints."]}),"\n",(0,r.jsx)(s.li,{children:"Updated the embedded containerd to v1.7.3+k3s1"}),"\n",(0,r.jsx)(s.li,{children:"Updated the embedded runc to v1.1.8"}),"\n",(0,r.jsxs)(s.li,{children:["User-provided containerd config templates may now use ",(0,r.jsx)(s.code,{children:'{{ template "base" . }}'})," to include the default K3s template content. This makes it easier to maintain user configuration if the only need is to add additional sections to the file."]}),"\n",(0,r.jsx)(s.li,{children:"Bump docker/docker module version to fix issues with cri-dockerd caused by recent releases of golang rejecting invalid host headers sent by the docker client."}),"\n",(0,r.jsx)(s.li,{children:"Updated kine to v0.10.2"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["K3s etcd-snapshot delete fail to delete local file when called with s3 flag ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8145",children:"(#8145)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix for cluster-reset backup from s3 when etcd snapshots are disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8169",children:"(#8169)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fixed the etcd retention to delete orphaned snapshots based on the date ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8190",children:"(#8190)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Additional backports for 2023-08 release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8213",children:"(#8213)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The version of ",(0,r.jsx)(s.code,{children:"helm"})," used by the bundled helm controller's job image has been updated to v3.12.3"]}),"\n",(0,r.jsx)(s.li,{children:"Bumped dynamiclistener to address an issue that could cause the apiserver/supervisor listener on 6443 to stop serving requests on etcd-only nodes."}),"\n",(0,r.jsx)(s.li,{children:"The K3s external apiserver/supervisor listener on 6443 now sends a complete certificate chain in the TLS handshake."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Move flannel to 0.22.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8223",children:"(#8223)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.25.13 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8241",children:"(#8241)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix runc version bump ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8246",children:"(#8246)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add new CLI flag to enable TLS SAN CN filtering ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8259",children:"(#8259)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Added a new ",(0,r.jsx)(s.code,{children:"--tls-san-security"})," option. This flag defaults to false, but can be set to true to disable automatically adding SANs to the server's TLS certificate to satisfy any hostname requested by a client."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add RWMutex to address controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8275",children:"(#8275)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12512k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.12+k3s1",children:"v1.25.12+k3s1"})]}),"\n",(0,r.jsxs)(s.p,{children:["This release updates Kubernetes to v1.25.12, and fixes a number of issues.",(0,r.jsx)(s.br,{}),"\n","\u200b\r\nFor more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v12511",children:"Kubernetes release notes"}),".\r\n\u200b"]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12511k3s1",children:"Changes since v1.25.11+k3s1:"}),"\n",(0,r.jsx)(s.p,{children:"\u200b"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Remove file_windows.go ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7856",children:"(#7856)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix code spell check ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7860",children:"(#7860)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow k3s to customize apiServerPort on helm-controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7873",children:"(#7873)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Check if we are on ipv4, ipv6 or dualStack when doing tailscale ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7883",children:"(#7883)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Support setting control server URL for Tailscale. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7894",children:"(#7894)"})]}),"\n",(0,r.jsxs)(s.li,{children:["S3 and Startup tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7886",children:"(#7886)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix rootless node password ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7900",children:"(#7900)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2023-07 release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7909",children:"(#7909)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Resolved an issue that caused agents joined with kubeadm-style bootstrap tokens to fail to rejoin the cluster when their node object is deleted."}),"\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"k3s certificate rotate-ca"})," command now supports the data-dir flag."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Adding cli to custom klipper helm image ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7915",children:"(#7915)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The default helm-controller job image can now be overridden with the --helm-job-image CLI flag"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Generation of certs and keys for etcd gated if etcd is disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7945",children:"(#7945)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Don't use zgrep in ",(0,r.jsx)(s.code,{children:"check-config"})," if apparmor profile is enforced ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7954",children:"(#7954)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix image_scan.sh script and download trivy version (#7950) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7969",children:"(#7969)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Adjust default kubeconfig file permissions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7984",children:"(#7984)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.25.12 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8021",children:"(#8021)"}),"\r\n\u200b"]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12511k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.11+k3s1",children:"v1.25.11+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.11, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v12510",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12510k3s1",children:"Changes since v1.25.10+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update flannel version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7649",children:"(#7649)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump vagrant libvirt with fix for plugin installs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7659",children:"(#7659)"})]}),"\n",(0,r.jsxs)(s.li,{children:["E2E Backports - June ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7705",children:"(#7705)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Shortcircuit commands with version or help flags #7683"}),"\n",(0,r.jsx)(s.li,{children:"Add Rotation certification Check, remove func to restart agents #7097"}),"\n",(0,r.jsx)(s.li,{children:"E2E: Sudo for RunCmdOnNode #7686"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add private registry e2e test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7722",children:"(#7722)"})]}),"\n",(0,r.jsxs)(s.li,{children:["VPN integration ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7728",children:"(#7728)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix spelling test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7752",children:"(#7752)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove unused libvirt config ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7758",children:"(#7758)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backport version bumps and bugfixes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7718",children:"(#7718)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The bundled metrics-server has been bumped to v0.6.3, and now uses only secure TLS ciphers by default."}),"\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"coredns-custom"})," ConfigMap now allows for ",(0,r.jsx)(s.code,{children:"*.override"})," sections to be included in the ",(0,r.jsx)(s.code,{children:".:53"})," default server block."]}),"\n",(0,r.jsx)(s.li,{children:"The K3s core controllers (supervisor, deploy, and helm) no longer use the admin kubeconfig. This makes it easier to determine from access and audit logs which actions are performed by the system, and which are performed by an administrative user."}),"\n",(0,r.jsx)(s.li,{children:"Bumped klipper-lb image to v0.4.4 to resolve an issue that prevented access to ServiceLB ports from localhost when the Service ExternalTrafficPolicy was set to Local."}),"\n",(0,r.jsx)(s.li,{children:"Make LB image configurable when compiling k3s"}),"\n",(0,r.jsx)(s.li,{children:"K3s now allows nodes to join the cluster even if the node password secret cannot be created at the time the node joins. The secret create will be retried in the background. This resolves a potential deadlock created by fail-closed validating webhooks that block secret creation, where the webhook is unavailable until new nodes join the cluster to run the webhook pod."}),"\n",(0,r.jsx)(s.li,{children:"The bundled containerd's aufs/devmapper/zfs snapshotter plugins have been restored. These were unintentionally omitted when moving containerd back into the k3s multicall binary in the previous release."}),"\n",(0,r.jsx)(s.li,{children:"The embedded helm controller has been bumped to v0.15.0, and now supports creating the chart's target namespace if it does not exist."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add format command on Makefile ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7763",children:"(#7763)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix logging and cleanup in Tailscale ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7784",children:"(#7784)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.25.11 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7788",children:"(#7788)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Path normalization affecting kubectl proxy conformance test for /api endpoint ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7818",children:"(#7818)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12510k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.10+k3s1",children:"v1.25.10+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.10, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1259",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1259k3s1",children:"Changes since v1.25.9+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Ensure that klog verbosity is set to the same level as logrus ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7361",children:"(#7361)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add E2E testing in Drone ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7375",children:"(#7375)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add integration tests for etc-snapshot server flags #7377 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7378",children:"(#7378)"})]}),"\n",(0,r.jsxs)(s.li,{children:["CLI + Config Enhancement ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7404",children:"(#7404)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--Tls-sans"})," now accepts multiple arguments: ",(0,r.jsx)(s.code,{children:'--tls-sans="foo,bar"'})]}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"Prefer-bundled-bin: true"})," now works properly when set in ",(0,r.jsx)(s.code,{children:"config.yaml.d"})," files"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Migrate netutil methods into /utils/net.go ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7433",children:"(#7433)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Runc + Containerd + Docker for CVE fixes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7452",children:"(#7452)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump kube-router version to fix a bug when a port name is used ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7461",children:"(#7461)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Kube flags and longhorn storage tests 1.25 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7466",children:"(#7466)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Local-storage: Fix permission ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7473",children:"(#7473)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backport version bumps and bugfixes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7515",children:"(#7515)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:'K3s now retries the cluster join operation when receiving a "too many learners" error from etcd. This most frequently occurred when attempting to add multiple servers at the same time.'}),"\n",(0,r.jsx)(s.li,{children:"K3s once again supports aarch64 nodes with page size > 4k"}),"\n",(0,r.jsx)(s.li,{children:"The packaged Traefik version has been bumped to v2.9.10 / chart 21.2.0"}),"\n",(0,r.jsxs)(s.li,{children:["K3s now prints a more meaningful error when attempting to run from a filesystem mounted ",(0,r.jsx)(s.code,{children:"noexec"}),"."]}),"\n",(0,r.jsxs)(s.li,{children:["K3s now exits with a proper error message when the server token uses a bootstrap token ",(0,r.jsx)(s.code,{children:"id.secret"})," format."]}),"\n",(0,r.jsx)(s.li,{children:"Fixed an issue where Addon, HelmChart, and HelmChartConfig CRDs were created without structural schema, allowing the creation of custom resources of these types with invalid content."}),"\n",(0,r.jsx)(s.li,{children:"Servers started with the (experimental) --disable-agent flag no longer attempt to run the tunnel authorizer agent component."}),"\n",(0,r.jsx)(s.li,{children:"Fixed an regression that prevented the pod and cluster egress-selector modes from working properly."}),"\n",(0,r.jsx)(s.li,{children:"K3s now correctly passes through etcd-args to the temporary etcd that is used to extract cluster bootstrap data when restarting managed etcd nodes."}),"\n",(0,r.jsx)(s.li,{children:"K3s now properly handles errors obtaining the current etcd cluster member list when a new server is joining the managed etcd cluster."}),"\n",(0,r.jsxs)(s.li,{children:["The embedded kine version has been bumped to v0.10.1. This replaces the legacy ",(0,r.jsx)(s.code,{children:"lib/pq"})," postgres driver with ",(0,r.jsx)(s.code,{children:"pgx"}),"."]}),"\n",(0,r.jsx)(s.li,{children:"The bundled CNI plugins have been upgraded to v1.2.0-k3s1. The bandwidth and firewall plugins are now included in the bundle."}),"\n",(0,r.jsx)(s.li,{children:"The embedded Helm controller now supports authenticating to chart repositories via credentials stored in a Secret, as well as passing repo CAs via ConfigMap."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd/runc to v1.7.1-k3s1/v1.1.7 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7535",children:"(#7535)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The bundled containerd and runc versions have been bumped to v1.7.1-k3s1/v1.1.7"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Wrap error stating that it is coming from netpol ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7548",children:"(#7548)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add '-all' flag to apply to inactive units ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7574",children:"(#7574)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.25.10-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7582",children:"(#7582)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1259k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.9+k3s1",children:"v1.25.9+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.9, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1258",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1258k3s1",children:"Changes since v1.25.8+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Enhance ",(0,r.jsx)(s.code,{children:"check-config"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7164",children:"(#7164)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove deprecated nodeSelector label beta.kubernetes.io/os (#6970) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7121",children:"(#7121)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backport version bumps and bugfixes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7228",children:"(#7228)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The bundled local-path-provisioner version has been bumped to v0.0.24"}),"\n",(0,r.jsx)(s.li,{children:"The bundled runc version has been bumped to v1.1.5"}),"\n",(0,r.jsx)(s.li,{children:"The bundled coredns version has been bumped to v1.10.1"}),"\n",(0,r.jsx)(s.li,{children:"When using an external datastore, K3s now locks the bootstrap key while creating initial cluster bootstrap data, preventing a race condition when multiple servers attempted to initialize the cluster simultaneously."}),"\n",(0,r.jsx)(s.li,{children:"The client load-balancer that maintains connections to active server nodes now closes connections to servers when they are removed from the cluster. This ensures that agent components immediately reconnect to a current cluster member."}),"\n",(0,r.jsx)(s.li,{children:"Fixed a race condition during cluster reset that could cause the operation to hang and time out."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Updated kube-router to move the default ACCEPT rule at the end of the chain ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7221",children:"(#7221)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded kube-router controller has been updated to fix a regression that caused traffic from pods to be blocked by any default drop/deny rules present on the host. Users should still confirm that any externally-managed firewall rules explicitly allow traffic to/from pod and service networks, but this returns the old behavior that was relied upon by some users."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update klipper lb and helm-controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7240",children:"(#7240)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kube-router ACCEPT rule insertion and install script to clean rules before start ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7276",children:"(#7276)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded kube-router controller has been updated to fix a regression that caused traffic from pods to be blocked by any default drop/deny rules present on the host. Users should still confirm that any externally-managed firewall rules explicitly allow traffic to/from pod and service networks, but this returns the old behavior that was relied upon by some users."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.25.9-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7283",children:"(#7283)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1258k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.8+k3s1",children:"v1.25.8+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.8, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1257",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1257k3s1",children:"Changes since v1.25.7+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update flannel and kube-router ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7061",children:"(#7061)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump various dependencies for CVEs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7043",children:"(#7043)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Enable dependabot ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7045",children:"(#7045)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Wait for kubelet port to be ready before setting ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7064",children:"(#7064)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The agent tunnel authorizer now waits for the kubelet to be ready before reading the kubelet port from the node object."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Adds a warning about editing to the containerd config.toml file ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7075",children:"(#7075)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Improve support for rotating the default self-signed certs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7079",children:"(#7079)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"k3s certificate rotate-ca"})," checks now support rotating self-signed certificates without the ",(0,r.jsx)(s.code,{children:"--force"})," option."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.25.8-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7106",children:"(#7106)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update flannel to fix NAT issue with old iptables version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7138",children:"(#7138)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1257k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.7+k3s1",children:"v1.25.7+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.7, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1256",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1256k3s1",children:"Changes since v1.25.6+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add jitter to scheduled snapshots and retry harder on conflicts ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6782",children:"(#6782)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Scheduled etcd snapshots are now offset by a short random delay of up to several seconds. This should prevent multi-server clusters from executing pathological behavior when attempting to simultaneously update the snapshot list ConfigMap. The snapshot controller will also be more persistent in attempting to update the snapshot list."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump cri-dockerd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6798",children:"(#6798)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded cri-dockerd has been updated to v0.3.1"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bugfix: do not break cert-manager when pprof is enabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6837",children:"(#6837)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Wait for cri-dockerd socket ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6853",children:"(#6853)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump vagrant boxes to fedora37 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6858",children:"(#6858)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix cronjob example ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6864",children:"(#6864)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Ensure flag type consistency ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6867",children:"(#6867)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Consolidate E2E tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6887",children:"(#6887)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Ignore value conflicts when reencrypting secrets ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6919",children:"(#6919)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use default address family when adding kubernetes service address to SAN list ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6904",children:"(#6904)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The apiserver advertised address and IP SAN entry are now set correctly on clusters that use IPv6 as the default IP family."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Allow ServiceLB to honor ",(0,r.jsx)(s.code,{children:"ExternalTrafficPolicy=Local"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6907",children:"(#6907)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"ServiceLB now honors the Service's ExternalTrafficPolicy. When set to Local, the LoadBalancer will only advertise addresses of Nodes with a Pod for the Service, and will not forward traffic to other cluster members."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue with servicelb startup failure when validating webhooks block creation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6916",children:"(#6916)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded cloud controller manager will no longer attempt to unconditionally re-create its namespace and serviceaccount on startup. This resolves an issue that could cause a deadlocked cluster when fail-closed webhooks are in use."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Backport user-provided CA cert and ",(0,r.jsx)(s.code,{children:"kubeadm"})," bootstrap token support ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6929",children:"(#6929)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["K3s now functions properly when the cluster CA certificates are signed by an existing root or intermediate CA. You can find a sample script for generating such certificates before K3s starts in the github repo at ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/blob/master/contrib/util/certs.sh",children:"contrib/util/certs.sh"}),"."]}),"\n",(0,r.jsxs)(s.li,{children:["K3s now supports ",(0,r.jsx)(s.code,{children:"kubeadm"})," style join tokens. ",(0,r.jsx)(s.code,{children:"k3s token create"})," now creates join token secrets, optionally with a limited TTL."]}),"\n",(0,r.jsx)(s.li,{children:"K3s agents joined with an expired or deleted token stay in the cluster using existing client certificates via the NodeAuthorization admission plugin, unless their Node object is deleted from the cluster."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix access to hostNetwork port on NodeIP when egress-selector-mode=agent ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6936",children:"(#6936)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed an issue that would cause the apiserver egress proxy to attempt to use the agent tunnel to connect to service endpoints even in agent or disabled mode."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Updated flannel version to v0.21.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6915",children:"(#6915)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow for multiple sets of leader-elected controllers ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6941",children:"(#6941)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed an issue where leader-elected controllers for managed etcd did not run on etcd-only nodes"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix etcd and ca-cert rotate issues ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6954",children:"(#6954)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix ServiceLB dual-stack ingress IP listing ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6987",children:"(#6987)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Resolved an issue with ServiceLB that would cause it to advertise node IPv6 addresses, even if the cluster or service was not enabled for dual-stack operation."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump kine to v0.9.9 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6975",children:"(#6975)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The embedded kine version has been bumped to v0.9.9. Compaction log messages are now omitted at ",(0,r.jsx)(s.code,{children:"info"})," level for increased visibility."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.25.7-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7010",children:"(#7010)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1256k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.6+k3s1",children:"v1.25.6+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.6, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1255",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1255k3s2",children:"Changes since v1.25.5+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Pass through default tls-cipher-suites ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6730",children:"(#6730)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The K3s default cipher suites are now explicitly passed in to kube-apiserver, ensuring that all listeners use these values."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd to v1.6.15-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6735",children:"(#6735)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded containerd version has been bumped to v1.6.15-k3s1"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump action/download-artifact to v3 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6747",children:"(#6747)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backport dependabot/updatecli updates ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6761",children:"(#6761)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix Drone plugins/docker tag for 32 bit arm ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6768",children:"(#6768)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.25.6+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6775",children:"(#6775)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1255k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.5+k3s2",children:"v1.25.5+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates containerd to v1.6.14 to resolve an issue where pods would lose their CNI information when containerd was restarted."}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1255k3s1",children:"Changes since v1.25.5+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Bump containerd to v1.6.14-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6694",children:"(#6694)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The embedded containerd version has been bumped to v1.6.14-k3s1. This includes a backported fix for ",(0,r.jsx)(s.a,{href:"https://github.com/containerd/containerd/issues/7843",children:"containerd/7843"})," which caused pods to lose their CNI info when containerd was restarted, which in turn caused the kubelet to recreate the pod."]}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1255k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.5+k3s1",children:"v1.25.5+k3s1"})]}),"\n",(0,r.jsxs)(s.blockquote,{children:["\n",(0,r.jsx)(s.h2,{id:"\ufe0f-warning",children:"\u26a0\ufe0f WARNING"}),"\n",(0,r.jsxs)(s.p,{children:["This release is affected by ",(0,r.jsx)(s.a,{href:"https://github.com/containerd/containerd/issues/7843",children:"https://github.com/containerd/containerd/issues/7843"}),", which causes the kubelet to restart all pods whenever K3s is restarted. For this reason, we have removed this K3s release from the channel server. Please use ",(0,r.jsx)(s.code,{children:"v1.25.5+k3s2"})," instead."]}),"\n"]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.5, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:[(0,r.jsx)(s.strong,{children:"Breaking Change:"})," K3s no longer includes ",(0,r.jsx)(s.code,{children:"swanctl"})," and ",(0,r.jsx)(s.code,{children:"charon"})," binaries. If you are using the ipsec flannel backend, please ensure that the strongswan ",(0,r.jsx)(s.code,{children:"swanctl"})," and ",(0,r.jsx)(s.code,{children:"charon"})," packages are installed on your node before upgrading K3s to this release."]}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1254",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1254k3s1",children:"Changes since v1.25.4+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix log for flannelExternalIP use case ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6531",children:"(#6531)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix Carolines github id ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6464",children:"(#6464)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Github CI Updates ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6522",children:"(#6522)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add new ",(0,r.jsx)(s.code,{children:"prefer-bundled-bin"})," experimental flag ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6420",children:"(#6420)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Added new prefer-bundled-bin flag which force K3s to use its bundle binaries over that of the host tools"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd to v1.6.10 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6512",children:"(#6512)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded containerd version has been updated to v1.6.10-k3s1"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Stage the Traefik charts through k3s-charts ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6519",children:"(#6519)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Make rootless settings configurable ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6498",children:"(#6498)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The rootless ",(0,r.jsx)(s.code,{children:"port-driver"}),", ",(0,r.jsx)(s.code,{children:"cidr"}),", ",(0,r.jsx)(s.code,{children:"mtu"}),", ",(0,r.jsx)(s.code,{children:"enable-ipv6"}),", and ",(0,r.jsx)(s.code,{children:"disable-host-loopback"})," settings can now be configured via environment variables."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Remove stuff which belongs in the windows executor implementation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6517",children:"(#6517)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Mark v1.25.4+k3s1 as stable ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6534",children:"(#6534)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add ",(0,r.jsx)(s.code,{children:"prefer-bundled-bin"})," as an agent flag ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6545",children:"(#6545)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump klipper-helm and klipper-lb versions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6549",children:"(#6549)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The embedded Load-Balancer controller image has been bumped to klipper-lb",":v0",".4.0, which includes support for the ",(0,r.jsx)(s.a,{href:"https://kubernetes.io/docs/reference/kubernetes-api/service-resources/service-v1/#:~:text=loadBalancerSourceRanges",children:"LoadBalancerSourceRanges"})," field."]}),"\n",(0,r.jsxs)(s.li,{children:["The embedded Helm controller image has been bumped to klipper-helm",":v0",".7.4-build20221121"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Switch from Google Buckets to AWS S3 Buckets ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6497",children:"(#6497)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix passing AWS creds through Dapper ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6567",children:"(#6567)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix artifact upload with ",(0,r.jsx)(s.code,{children:"aws s3 cp"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6568",children:"(#6568)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Disable CCM metrics port when legacy CCM functionality is disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6572",children:"(#6572)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The embedded cloud-controller-manager's metrics listener on port 10258 is now disabled when the ",(0,r.jsx)(s.code,{children:"--disable-cloud-controller"})," flag is set."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Sync packaged component Deployment config ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6552",children:"(#6552)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Deployments for K3s packaged components now have consistent upgrade strategy and revisionHistoryLimit settings, and will not override scaling decisions by hardcoding the replica count."}),"\n",(0,r.jsx)(s.li,{children:"The packaged metrics-server has been bumped to v0.6.2"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Mark secrets-encryption flag as GA ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6582",children:"(#6582)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump k3s root to v0.12.0 and remove strongswan binaries ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6400",children:"(#6400)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded k3s-root version has been bumped to v0.12.0, based on buildroot 2022.08.1."}),"\n",(0,r.jsxs)(s.li,{children:["The embedded swanctl and charon binaries have been removed. If you are using the ipsec flannel backend, please ensure that the strongswan ",(0,r.jsx)(s.code,{children:"swanctl"})," and ",(0,r.jsx)(s.code,{children:"charon"})," packages are installed on your node before upgrading k3s."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update flannel to v0.20.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6588",children:"(#6588)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add ADR for security bumps automation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6559",children:"(#6559)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update node12->node16 based GH actions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6593",children:"(#6593)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Updating rel docs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6237",children:"(#6237)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update install.sh to recommend current version of k3s-selinux ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6453",children:"(#6453)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.25.5-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6622",children:"(#6622)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd to v1.6.12-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6631",children:"(#6631)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded containerd version has been bumped to v1.6.12"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Preload iptable_filter/ip6table_filter ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6646",children:"(#6646)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1254k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.4+k3s1",children:"v1.25.4+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.4, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1253",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1253k3s1",children:"Changes since v1.25.3+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add the gateway parameter in netplan ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6292",children:"(#6292)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bumped dynamiclistener library to v0.3.5 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6300",children:"(#6300)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router to v1.5.1 with extra logging ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6345",children:"(#6345)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update maintainers ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6298",children:"(#6298)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump testing to opensuse Leap 15.4 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6337",children:"(#6337)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update E2E docs with more info on ubuntu 22.04 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6316",children:"(#6316)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Netpol test for podSelector & ingress ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6247",children:"(#6247)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump all alpine images to 3.16 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6334",children:"(#6334)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump kine to v0.9.6 / sqlite3 v3.39.2 (",(0,r.jsx)(s.a,{href:"https://nvd.nist.gov/vuln/detail/CVE-2022-35737",children:"CVE-2022-35737"}),") ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6317",children:"(#6317)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add hardened cluster and upgrade tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6320",children:"(#6320)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The bundled Traefik helm chart has been updated to v18.0.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6353",children:"(#6353)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Mark v1.25.3+k3s1 as stable ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6338",children:"(#6338)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The embedded helm controller has been bumped to v0.13.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6294",children:"(#6294)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fixed an issue that would prevent the deploy controller from handling manifests that include resource types that are no longer supported by the apiserver. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6295",children:"(#6295)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Replace fedora-coreos with fedora 36 for install tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6315",children:"(#6315)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Convert containerd config.toml.tmpl Linux template to v2 syntax ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6267",children:"(#6267)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add test for node-external-ip config parameter ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6359",children:"(#6359)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use debugger-friendly compile settings if DEBUG is set ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6147",children:"(#6147)"})]}),"\n",(0,r.jsxs)(s.li,{children:["update e2e tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6354",children:"(#6354)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove unused vagrant development scripts ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6395",children:"(#6395)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The bundled Traefik has been updated to v2.9.4 / helm chart v18.3.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6397",children:"(#6397)"})]}),"\n",(0,r.jsxs)(s.li,{children:["None ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6371",children:"(#6371)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix incorrect defer usage ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6296",children:"(#6296)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add snapshot restore e2e test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6396",children:"(#6396)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix sonobouy tests on v1.25 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6399",children:"(#6399)"})]}),"\n",(0,r.jsx)(s.li,{children:"Bump packaged component versions"}),"\n",(0,r.jsx)(s.li,{children:"The packaged traefik helm chart has been bumped to v19.0.0, enabling ingressClass support by default."}),"\n",(0,r.jsx)(s.li,{children:"The packaged local-path-provisioner has been bumped to v0.0.23"}),"\n",(0,r.jsxs)(s.li,{children:["The packaged coredns has been bumped to v1.9.4 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6408",children:"(#6408)"})]}),"\n",(0,r.jsxs)(s.li,{children:["log kube-router version when starting netpol controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6405",children:"(#6405)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add Kairos to ADOPTERS ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6417",children:"(#6417)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Flannel to 0.20.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6388",children:"(#6388)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Avoid wrong config for ",(0,r.jsx)(s.code,{children:"flannel-external-ip"})," and add warning if unencrypted backend ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6403",children:"(#6403)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix test-mods to allow for pinning version from k8s.io ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6413",children:"(#6413)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix for metrics-server in the multi-cloud cluster env ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6386",children:"(#6386)"})]}),"\n",(0,r.jsxs)(s.li,{children:["K3s now indicates specifically which cluster-level configuration flags are out of sync when critical configuration differs between server nodes. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6409",children:"(#6409)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Convert test output to JSON format ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6410",children:"(#6410)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Pull traefik helm chart directly from GH ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6468",children:"(#6468)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Nightly test fix ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6475",children:"(#6475)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.25.4 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6477",children:"(#6477)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove stuff which belongs in the windows executor implementation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6492",children:"(#6492)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The packaged traefik helm chart has been bumped to 19.0.4 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6494",children:"(#6494)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Move traefik chart repo again ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6508",children:"(#6508)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1253k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.3+k3s1",children:"v1.25.3+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.3, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1252",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1252k3s1",children:"Changes since v1.25.2+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["E2E: Groundwork for PR runs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6131",children:"(#6131)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix flannel for deployments of nodes which do not belong to the same network and connect using their public IP ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6180",children:"(#6180)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Mark v1.24.6+k3s1 as stable ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6193",children:"(#6193)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add cluster reset test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6161",children:"(#6161)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The embedded metrics-server version has been bumped to v0.6.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6151",children:"(#6151)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The ServiceLB (klipper-lb) service controller is now integrated into the K3s stub cloud controller manager. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6181",children:"(#6181)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Events recorded to the cluster by embedded controllers are now properly formatted in the service logs. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6203",children:"(#6203)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix ",(0,r.jsx)(s.code,{children:"error dialing backend"})," errors in apiserver network proxy ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6216",children:"(#6216)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fixed an issue with the apiserver network proxy that caused ",(0,r.jsx)(s.code,{children:"kubectl exec"})," to occasionally fail with ",(0,r.jsx)(s.code,{children:"error dialing backend: EOF"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fixed an issue with the apiserver network proxy that caused ",(0,r.jsx)(s.code,{children:"kubectl exec"})," and ",(0,r.jsx)(s.code,{children:"kubectl logs"})," to fail when a custom kubelet port was used, and the custom port was blocked by firewall or security group rules."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix the typo in the test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6183",children:"(#6183)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use setup-go action to cache dependencies ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6220",children:"(#6220)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add journalctl logs to E2E tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6224",children:"(#6224)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The embedded Traefik version has been bumped to v2.9.1 / chart 12.0.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6223",children:"(#6223)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix flakey etcd test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6232",children:"(#6232)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Replace deprecated ioutil package ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6230",children:"(#6230)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix dualStack test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6245",children:"(#6245)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add ServiceAccount for svclb pods ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6253",children:"(#6253)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.25.3-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6269",children:"(#6269)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Return ProviderID in URI format ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6284",children:"(#6284)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Corrected CCM RBAC to allow for removal of legacy service finalizer during upgrades. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6306",children:"(#6306)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added a new --flannel-external-ip flag. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6321",children:"(#6321)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"When enabled, Flannel traffic will now use the nodes external IPs, instead of internal."}),"\n",(0,r.jsx)(s.li,{children:"This is meant for use with distributed clusters that are not all on the same local network."}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1252k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.2+k3s1",children:"v1.25.2+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.2, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1250",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1250k3s1",children:"Changes since v1.25.0+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add k3s v1.25 to the release channel ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6129",children:"(#6129)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Restore original INSTALL_K3S_SKIP_DOWNLOAD behavior ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6130",children:"(#6130)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add K3S Release Documentation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6135",children:"(#6135)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.25.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6140",children:"(#6140)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.25.2-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6168",children:"(#6168)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1250k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.0+k3s1",children:"v1.25.0+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release is K3S's first in the v1.25 line. This release updates Kubernetes to v1.25.0."}),"\n",(0,r.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]}),"\n",(0,r.jsxs)(s.p,{children:[(0,r.jsx)(s.strong,{children:"Important Note:"})," Kubernetes v1.25 removes the beta ",(0,r.jsx)(s.code,{children:"PodSecurityPolicy"})," admission plugin. Please follow the ",(0,r.jsx)(s.a,{href:"https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/",children:"upstream documentation"})," to migrate from PSP if using the built-in PodSecurity Admission Plugin, prior to upgrading to v1.25.0+k3s1."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1244k3s1",children:"Changes since v1.24.4+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.25.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6040",children:"(#6040)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove ",(0,r.jsx)(s.code,{children:"--containerd"})," flag from windows kubelet args ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6028",children:"(#6028)"})]}),"\n",(0,r.jsxs)(s.li,{children:["E2E: Add support for CentOS 7 and Rocky 8 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6015",children:"(#6015)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Convert install tests to run PR build of k3s ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6003",children:"(#6003)"})]}),"\n",(0,r.jsxs)(s.li,{children:["CI: update Fedora 34 -> 35 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5996",children:"(#5996)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix dualStack test and change ipv6 network prefix ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6023",children:"(#6023)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix e2e tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6018",children:"(#6018)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update README.md ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6048",children:"(#6048)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove wireguard interfaces when deleting the cluster ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6055",children:"(#6055)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add validation check to confirm correct golang version for Kubernetes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6050",children:"(#6050)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Expand startup integration test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6030",children:"(#6030)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update go.mod version to 1.19 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6049",children:"(#6049)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Usage of ",(0,r.jsx)(s.code,{children:"--cluster-secret"}),", ",(0,r.jsx)(s.code,{children:"--no-deploy"}),", and ",(0,r.jsx)(s.code,{children:"--no-flannel"})," is no longer supported. Attempts to use these flags will cause fatal errors. See ",(0,r.jsx)(s.a,{href:"https://k3s-io.github.io/docs/reference/server-config#deprecated-options",children:"the docs"})," for their replacement. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6069",children:"(#6069)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Flannel version to fix older iptables version issue. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6090",children:"(#6090)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The bundled version of runc has been bumped to v1.1.4 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6071",children:"(#6071)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The embedded containerd version has been bumped to v1.6.8-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6078",children:"(#6078)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix deprecation message ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6112",children:"(#6112)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added warning message for flannel backend additional options deprecation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6111",children:"(#6111)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{})]})}function o(e={}){const{wrapper:s}={...(0,i.a)(),...e.components};return s?(0,r.jsx)(s,{...e,children:(0,r.jsx)(a,{...e})}):a(e)}},1151:(e,s,t)=>{t.d(s,{Z:()=>h,a:()=>l});var r=t(7294);const i={},n=r.createContext(i);function l(e){const s=r.useContext(n);return r.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function h(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(i):e.components||i:l(e.components),r.createElement(n.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/a0c5848d.894c4224.js b/kr/assets/js/a0c5848d.894c4224.js deleted file mode 100644 index a5a4c48d8..000000000 --- a/kr/assets/js/a0c5848d.894c4224.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[9059],{5626:(n,e,t)=>{t.r(e),t.d(e,{assets:()=>l,contentTitle:()=>o,default:()=>u,frontMatter:()=>r,metadata:()=>a,toc:()=>c});var i=t(5893),s=t(1151);const r={title:"Installation"},o=void 0,a={id:"installation/installation",title:"Installation",description:"This section contains instructions for installing K3s in various environments. Please ensure you have met the Requirements before you begin installing K3s.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/installation/installation.md",sourceDirName:"installation",slug:"/installation/",permalink:"/kr/installation/",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/installation.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Installation"},sidebar:"mySidebar",previous:{title:"\ube60\ub978 \uc2dc\uc791 \uac00\uc774\ub4dc",permalink:"/kr/quick-start"},next:{title:"Requirements",permalink:"/kr/installation/requirements"}},l={},c=[];function d(n){const e={a:"a",code:"code",p:"p",...(0,s.a)(),...n.components};return(0,i.jsxs)(i.Fragment,{children:[(0,i.jsxs)(e.p,{children:["This section contains instructions for installing K3s in various environments. Please ensure you have met the ",(0,i.jsx)(e.a,{href:"/kr/installation/requirements",children:"Requirements"})," before you begin installing K3s."]}),"\n",(0,i.jsxs)(e.p,{children:[(0,i.jsx)(e.a,{href:"/kr/installation/configuration",children:"Configuration Options"})," provides guidance on the options available to you when installing K3s."]}),"\n",(0,i.jsxs)(e.p,{children:[(0,i.jsx)(e.a,{href:"/kr/installation/private-registry",children:"Private Registry Configuration"})," covers use of ",(0,i.jsx)(e.code,{children:"registries.yaml"})," to configure container image registry mirrors."]}),"\n",(0,i.jsxs)(e.p,{children:[(0,i.jsx)(e.a,{href:"/kr/installation/registry-mirror",children:"Embedded Mirror"})," shows how to enable the embedded distributed image registry mirror."]}),"\n",(0,i.jsxs)(e.p,{children:[(0,i.jsx)(e.a,{href:"/kr/installation/airgap",children:"Air-Gap Install"})," details how to set up K3s in environments that do not have direct access to the Internet."]}),"\n",(0,i.jsxs)(e.p,{children:[(0,i.jsx)(e.a,{href:"/kr/installation/server-roles",children:"Managing Server Roles"})," details how to set up K3s with dedicated ",(0,i.jsx)(e.code,{children:"control-plane"})," or ",(0,i.jsx)(e.code,{children:"etcd"})," servers."]}),"\n",(0,i.jsxs)(e.p,{children:[(0,i.jsx)(e.a,{href:"/kr/installation/packaged-components",children:"Managing Packaged Components"})," details how to disable packaged components, or install your own using auto-deploying manifests."]}),"\n",(0,i.jsxs)(e.p,{children:[(0,i.jsx)(e.a,{href:"/kr/installation/uninstall",children:"Uninstalling K3s"})," details how to remove K3s from a host."]})]})}function u(n={}){const{wrapper:e}={...(0,s.a)(),...n.components};return e?(0,i.jsx)(e,{...n,children:(0,i.jsx)(d,{...n})}):d(n)}},1151:(n,e,t)=>{t.d(e,{Z:()=>a,a:()=>o});var i=t(7294);const s={},r=i.createContext(s);function o(n){const e=i.useContext(r);return i.useMemo((function(){return"function"==typeof n?n(e):{...e,...n}}),[e,n])}function a(n){let e;return e=n.disableParentContext?"function"==typeof n.components?n.components(s):n.components||s:o(n.components),i.createElement(r.Provider,{value:e},n.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/a0c5848d.a7bb9059.js b/kr/assets/js/a0c5848d.a7bb9059.js new file mode 100644 index 000000000..7bc9845bb --- /dev/null +++ b/kr/assets/js/a0c5848d.a7bb9059.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[9059],{5626:(n,e,t)=>{t.r(e),t.d(e,{assets:()=>l,contentTitle:()=>o,default:()=>u,frontMatter:()=>r,metadata:()=>a,toc:()=>c});var i=t(5893),s=t(1151);const r={title:"Installation"},o=void 0,a={id:"installation/installation",title:"Installation",description:"This section contains instructions for installing K3s in various environments. Please ensure you have met the Requirements before you begin installing K3s.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/installation/installation.md",sourceDirName:"installation",slug:"/installation/",permalink:"/kr/installation/",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/installation.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Installation"},sidebar:"mySidebar",previous:{title:"\ube60\ub978 \uc2dc\uc791 \uac00\uc774\ub4dc",permalink:"/kr/quick-start"},next:{title:"Requirements",permalink:"/kr/installation/requirements"}},l={},c=[];function d(n){const e={a:"a",code:"code",p:"p",...(0,s.a)(),...n.components};return(0,i.jsxs)(i.Fragment,{children:[(0,i.jsxs)(e.p,{children:["This section contains instructions for installing K3s in various environments. Please ensure you have met the ",(0,i.jsx)(e.a,{href:"/kr/installation/requirements",children:"Requirements"})," before you begin installing K3s."]}),"\n",(0,i.jsxs)(e.p,{children:[(0,i.jsx)(e.a,{href:"/kr/installation/configuration",children:"Configuration Options"})," provides guidance on the options available to you when installing K3s."]}),"\n",(0,i.jsxs)(e.p,{children:[(0,i.jsx)(e.a,{href:"/kr/installation/private-registry",children:"Private Registry Configuration"})," covers use of ",(0,i.jsx)(e.code,{children:"registries.yaml"})," to configure container image registry mirrors."]}),"\n",(0,i.jsxs)(e.p,{children:[(0,i.jsx)(e.a,{href:"/kr/installation/registry-mirror",children:"Embedded Mirror"})," shows how to enable the embedded distributed image registry mirror."]}),"\n",(0,i.jsxs)(e.p,{children:[(0,i.jsx)(e.a,{href:"/kr/installation/airgap",children:"Air-Gap Install"})," details how to set up K3s in environments that do not have direct access to the Internet."]}),"\n",(0,i.jsxs)(e.p,{children:[(0,i.jsx)(e.a,{href:"/kr/installation/server-roles",children:"Managing Server Roles"})," details how to set up K3s with dedicated ",(0,i.jsx)(e.code,{children:"control-plane"})," or ",(0,i.jsx)(e.code,{children:"etcd"})," servers."]}),"\n",(0,i.jsxs)(e.p,{children:[(0,i.jsx)(e.a,{href:"/kr/installation/packaged-components",children:"Managing Packaged Components"})," details how to disable packaged components, or install your own using auto-deploying manifests."]}),"\n",(0,i.jsxs)(e.p,{children:[(0,i.jsx)(e.a,{href:"/kr/installation/uninstall",children:"Uninstalling K3s"})," details how to remove K3s from a host."]})]})}function u(n={}){const{wrapper:e}={...(0,s.a)(),...n.components};return e?(0,i.jsx)(e,{...n,children:(0,i.jsx)(d,{...n})}):d(n)}},1151:(n,e,t)=>{t.d(e,{Z:()=>a,a:()=>o});var i=t(7294);const s={},r=i.createContext(s);function o(n){const e=i.useContext(r);return i.useMemo((function(){return"function"==typeof n?n(e):{...e,...n}}),[e,n])}function a(n){let e;return e=n.disableParentContext?"function"==typeof n.components?n.components(s):n.components||s:o(n.components),i.createElement(r.Provider,{value:e},n.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/a101d863.a48e323f.js b/kr/assets/js/a101d863.a48e323f.js deleted file mode 100644 index 7964a92c7..000000000 --- a/kr/assets/js/a101d863.a48e323f.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[9166],{2683:(n,e,t)=>{t.r(e),t.d(e,{assets:()=>a,contentTitle:()=>s,default:()=>d,frontMatter:()=>o,metadata:()=>c,toc:()=>l});var r=t(5893),i=t(1151);const o={title:"Networking"},s=void 0,c={id:"networking/networking",title:"Networking",description:"This section contains instructions for configuring networking in K3s.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/networking/networking.md",sourceDirName:"networking",slug:"/networking/",permalink:"/kr/networking/",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/networking/networking.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Networking"},sidebar:"mySidebar",previous:{title:"\ubcfc\ub968\uacfc \uc800\uc7a5\uc18c",permalink:"/kr/storage"},next:{title:"Basic Network Options",permalink:"/kr/networking/basic-network-options"}},a={},l=[];function u(n){const e={a:"a",p:"p",...(0,i.a)(),...n.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(e.p,{children:"This section contains instructions for configuring networking in K3s."}),"\n",(0,r.jsxs)(e.p,{children:[(0,r.jsx)(e.a,{href:"/kr/networking/basic-network-options",children:"Basic Network Options"})," covers the basic networking configuration of the cluster such as flannel and single/dual stack configurations"]}),"\n",(0,r.jsxs)(e.p,{children:[(0,r.jsx)(e.a,{href:"/kr/networking/distributed-multicloud",children:"Hybrid/Multicloud cluster"})," provides guidance on the options available to span the k3s cluster over remote or hybrid nodes"]}),"\n",(0,r.jsxs)(e.p,{children:[(0,r.jsx)(e.a,{href:"/kr/networking/multus-ipams",children:"Multus and IPAM plugins"})," provides guidance to leverage Multus in K3s in order to have multiple interfaces per pod"]}),"\n",(0,r.jsxs)(e.p,{children:[(0,r.jsx)(e.a,{href:"/kr/networking/networking-services",children:"Networking services: dns, ingress, etc"})," explains how CoreDNS, Traefik, Network Policy controller and ServiceLB controller work within k3s"]})]})}function d(n={}){const{wrapper:e}={...(0,i.a)(),...n.components};return e?(0,r.jsx)(e,{...n,children:(0,r.jsx)(u,{...n})}):u(n)}},1151:(n,e,t)=>{t.d(e,{Z:()=>c,a:()=>s});var r=t(7294);const i={},o=r.createContext(i);function s(n){const e=r.useContext(o);return r.useMemo((function(){return"function"==typeof n?n(e):{...e,...n}}),[e,n])}function c(n){let e;return e=n.disableParentContext?"function"==typeof n.components?n.components(i):n.components||i:s(n.components),r.createElement(o.Provider,{value:e},n.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/a101d863.d286647e.js b/kr/assets/js/a101d863.d286647e.js new file mode 100644 index 000000000..38f65c100 --- /dev/null +++ b/kr/assets/js/a101d863.d286647e.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[9166],{2683:(n,e,t)=>{t.r(e),t.d(e,{assets:()=>a,contentTitle:()=>s,default:()=>d,frontMatter:()=>o,metadata:()=>c,toc:()=>l});var r=t(5893),i=t(1151);const o={title:"Networking"},s=void 0,c={id:"networking/networking",title:"Networking",description:"This section contains instructions for configuring networking in K3s.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/networking/networking.md",sourceDirName:"networking",slug:"/networking/",permalink:"/kr/networking/",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/networking/networking.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Networking"},sidebar:"mySidebar",previous:{title:"\ubcfc\ub968\uacfc \uc800\uc7a5\uc18c",permalink:"/kr/storage"},next:{title:"Basic Network Options",permalink:"/kr/networking/basic-network-options"}},a={},l=[];function u(n){const e={a:"a",p:"p",...(0,i.a)(),...n.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(e.p,{children:"This section contains instructions for configuring networking in K3s."}),"\n",(0,r.jsxs)(e.p,{children:[(0,r.jsx)(e.a,{href:"/kr/networking/basic-network-options",children:"Basic Network Options"})," covers the basic networking configuration of the cluster such as flannel and single/dual stack configurations"]}),"\n",(0,r.jsxs)(e.p,{children:[(0,r.jsx)(e.a,{href:"/kr/networking/distributed-multicloud",children:"Hybrid/Multicloud cluster"})," provides guidance on the options available to span the k3s cluster over remote or hybrid nodes"]}),"\n",(0,r.jsxs)(e.p,{children:[(0,r.jsx)(e.a,{href:"/kr/networking/multus-ipams",children:"Multus and IPAM plugins"})," provides guidance to leverage Multus in K3s in order to have multiple interfaces per pod"]}),"\n",(0,r.jsxs)(e.p,{children:[(0,r.jsx)(e.a,{href:"/kr/networking/networking-services",children:"Networking services: dns, ingress, etc"})," explains how CoreDNS, Traefik, Network Policy controller and ServiceLB controller work within k3s"]})]})}function d(n={}){const{wrapper:e}={...(0,i.a)(),...n.components};return e?(0,r.jsx)(e,{...n,children:(0,r.jsx)(u,{...n})}):u(n)}},1151:(n,e,t)=>{t.d(e,{Z:()=>c,a:()=>s});var r=t(7294);const i={},o=r.createContext(i);function s(n){const e=r.useContext(o);return r.useMemo((function(){return"function"==typeof n?n(e):{...e,...n}}),[e,n])}function c(n){let e;return e=n.disableParentContext?"function"==typeof n.components?n.components(i):n.components||i:s(n.components),r.createElement(o.Provider,{value:e},n.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/a1ce2930.30638b81.js b/kr/assets/js/a1ce2930.30638b81.js new file mode 100644 index 000000000..79476b43d --- /dev/null +++ b/kr/assets/js/a1ce2930.30638b81.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[2257],{4229:(e,n,s)=>{s.r(n),s.d(n,{assets:()=>a,contentTitle:()=>c,default:()=>h,frontMatter:()=>i,metadata:()=>l,toc:()=>d});var r=s(5893),t=s(1151);const i={title:"secrets-encrypt"},c="k3s secrets-encrypt",l={id:"cli/secrets-encrypt",title:"secrets-encrypt",description:"K3s supports enabling secrets encryption at rest. For more information, see Secrets Encryption.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/cli/secrets-encrypt.md",sourceDirName:"cli",slug:"/cli/secrets-encrypt",permalink:"/kr/cli/secrets-encrypt",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/cli/secrets-encrypt.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"secrets-encrypt"},sidebar:"mySidebar",previous:{title:"etcd-snapshot",permalink:"/kr/cli/etcd-snapshot"},next:{title:"token",permalink:"/kr/cli/token"}},a={},d=[{value:"Secrets Encryption Tool",id:"secrets-encryption-tool",level:2},{value:"Encryption Key Rotation",id:"encryption-key-rotation",level:3},{value:"Secrets Encryption Disable/Enable",id:"secrets-encryption-disableenable",level:3},{value:"Secrets Encryption Status",id:"secrets-encryption-status",level:3}];function o(e){const n={a:"a",admonition:"admonition",br:"br",code:"code",em:"em",h1:"h1",h2:"h2",h3:"h3",header:"header",li:"li",mdxAdmonitionTitle:"mdxAdmonitionTitle",ol:"ol",p:"p",pre:"pre",strong:"strong",ul:"ul",...(0,t.a)(),...e.components},{TabItem:s,Tabs:i}=n;return s||p("TabItem",!0),i||p("Tabs",!0),(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(n.header,{children:(0,r.jsx)(n.h1,{id:"k3s-secrets-encrypt",children:"k3s secrets-encrypt"})}),"\n",(0,r.jsxs)(n.p,{children:["K3s supports enabling secrets encryption at rest. For more information, see ",(0,r.jsx)(n.a,{href:"/kr/security/secrets-encryption",children:"Secrets Encryption"}),"."]}),"\n",(0,r.jsx)(n.h2,{id:"secrets-encryption-tool",children:"Secrets Encryption Tool"}),"\n",(0,r.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,r.jsxs)(n.p,{children:["Available as of ",(0,r.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.21.8%2Bk3s1",children:"v1.21.8+k3s1"})]})}),"\n",(0,r.jsxs)(n.p,{children:["K3s contains a CLI tool ",(0,r.jsx)(n.code,{children:"secrets-encrypt"}),", which enables automatic control over the following:"]}),"\n",(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsx)(n.li,{children:"Disabling/Enabling secrets encryption"}),"\n",(0,r.jsx)(n.li,{children:"Adding new encryption keys"}),"\n",(0,r.jsx)(n.li,{children:"Rotating and deleting encryption keys"}),"\n",(0,r.jsx)(n.li,{children:"Reencrypting secrets"}),"\n"]}),"\n",(0,r.jsx)(n.admonition,{type:"warning",children:(0,r.jsx)(n.p,{children:"Failure to follow proper procedure for rotating encryption keys can leave your cluster permanently corrupted. Proceed with caution."})}),"\n",(0,r.jsx)(n.h3,{id:"encryption-key-rotation",children:"Encryption Key Rotation"}),"\n",(0,r.jsxs)(i,{children:[(0,r.jsxs)(s,{value:"Single-Server",default:!0,children:[(0,r.jsx)(n.p,{children:"To rotate secrets encryption keys on a single-server cluster:"}),(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsxs)(n.li,{children:["Start the K3s server with the flag ",(0,r.jsx)(n.code,{children:"--secrets-encryption"})]}),"\n"]}),(0,r.jsxs)(n.admonition,{type:"note",children:[(0,r.jsx)(n.mdxAdmonitionTitle,{}),(0,r.jsxs)(n.p,{children:["Starting K3s without encryption and enabling it at a later time is currently ",(0,r.jsx)(n.em,{children:"not"})," supported."]})]}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Prepare"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt prepare\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart the K3s server with same arguments. If running K3s as a service:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"# If using systemd\nsystemctl restart k3s\n# If using openrc\nrc-service k3s restart\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Rotate"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt rotate\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart the K3s server with same arguments"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Reencrypt"}),"\n",(0,r.jsx)(n.admonition,{type:"info",children:(0,r.jsxs)(n.p,{children:["K3s will reencrypt ~5 secrets per second.",(0,r.jsx)(n.br,{}),"\n","Clusters with large # of secrets can take several minutes to reencrypt."]})}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt reencrypt\n"})}),"\n"]}),"\n"]})]}),(0,r.jsxs)(s,{value:"High-Availability",default:!0,children:[(0,r.jsx)(n.p,{children:"The steps are the same for both embedded DB and external DB clusters."}),(0,r.jsx)(n.p,{children:"To rotate secrets encryption keys on HA setups:"}),(0,r.jsx)(n.admonition,{title:"Notes",type:"note",children:(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsxs)(n.li,{children:["Starting K3s without encryption and enabling it at a later time is currently ",(0,r.jsx)(n.em,{children:"not"})," supported."]}),"\n",(0,r.jsxs)(n.li,{children:["While not required, it is recommended that you pick one server node from which to run the ",(0,r.jsx)(n.code,{children:"secrets-encrypt"})," commands."]}),"\n"]})}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsxs)(n.p,{children:["Start up all three K3s servers with the ",(0,r.jsx)(n.code,{children:"--secrets-encryption"})," flag. For brevity, the servers will be referred to as S1, S2, S3."]}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Prepare on S1"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt prepare\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart S1 with same arguments. If running K3s as a service:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"# If using systemd\nsystemctl restart k3s\n# If using openrc\nrc-service k3s restart\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Once S1 is up, kill and restart the S2 and S3"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Rotate on S1"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt rotate\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart S1 with same arguments"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Once S1 is up, kill and restart the S2 and S3"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Reencrypt on S1"}),"\n",(0,r.jsx)(n.admonition,{type:"info",children:(0,r.jsxs)(n.p,{children:["K3s will reencrypt ~5 secrets per second.",(0,r.jsx)(n.br,{}),"\n","Clusters with large # of secrets can take several minutes to reencrypt."]})}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt reencrypt\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart S1 with same arguments"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Once S1 is up, kill and restart the S2 and S3"}),"\n"]}),"\n"]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"secrets-encryption-disableenable",children:"Secrets Encryption Disable/Enable"}),"\n",(0,r.jsxs)(i,{children:[(0,r.jsxs)(s,{value:"Single-Server",default:!0,children:[(0,r.jsxs)(n.p,{children:["After launching a server with ",(0,r.jsx)(n.code,{children:"--secrets-encryption"})," flag, secrets encryption can be disabled."]}),(0,r.jsx)(n.p,{children:"To disable secrets encryption on a single-node cluster:"}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Disable"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt disable\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart the K3s server with same arguments. If running K3s as a service:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"# If using systemd\nsystemctl restart k3s\n# If using openrc\nrc-service k3s restart\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Reencrypt with flags"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt reencrypt --force --skip\n"})}),"\n"]}),"\n"]}),(0,r.jsx)(n.p,{children:"To re-enable secrets encryption on a single node cluster:"}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Enable"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt enable\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart the K3s server with same arguments"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Reencrypt with flags"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt reencrypt --force --skip\n"})}),"\n"]}),"\n"]})]}),(0,r.jsxs)(s,{value:"High-Availability",default:!0,children:[(0,r.jsxs)(n.p,{children:["After launching a HA cluster with ",(0,r.jsx)(n.code,{children:"--secrets-encryption"})," flags, secrets encryption can be disabled."]}),(0,r.jsx)(n.admonition,{type:"note",children:(0,r.jsxs)(n.p,{children:["While not required, it is recommended that you pick one server node from which to run the ",(0,r.jsx)(n.code,{children:"secrets-encrypt"})," commands."]})}),(0,r.jsx)(n.p,{children:"For brevity, the three servers used in this guide will be referred to as S1, S2, S3."}),(0,r.jsx)(n.p,{children:"To disable secrets encryption on a HA cluster:"}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Disable on S1"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt disable\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart S1 with same arguments. If running K3s as a service:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"# If using systemd\nsystemctl restart k3s\n# If using openrc\nrc-service k3s restart\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Once S1 is up, kill and restart the S2 and S3"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Reencrypt with flags on S1"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt reencrypt --force --skip\n"})}),"\n"]}),"\n"]}),(0,r.jsx)(n.p,{children:"To re-enable secrets encryption on a HA cluster:"}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Enable on S1"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt enable\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart S1 with same arguments"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Once S1 is up, kill and restart the S2 and S3"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Reencrypt with flags on S1"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt reencrypt --force --skip\n"})}),"\n"]}),"\n"]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"secrets-encryption-status",children:"Secrets Encryption Status"}),"\n",(0,r.jsxs)(n.p,{children:["The secrets-encrypt tool includes a ",(0,r.jsx)(n.code,{children:"status"})," command that displays information about the current status of secrets encryption on the node."]}),"\n",(0,r.jsx)(n.p,{children:"An example of the command on a single-server node:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"$ k3s secrets-encrypt status\nEncryption Status: Enabled\nCurrent Rotation Stage: start\nServer Encryption Hashes: All hashes match\n\nActive Key Type Name\n------ -------- ----\n * AES-CBC aescbckey\n\n"})}),"\n",(0,r.jsx)(n.p,{children:"Another example on HA cluster, after rotating the keys, but before restarting the servers:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"$ k3s secrets-encrypt status\nEncryption Status: Enabled\nCurrent Rotation Stage: rotate\nServer Encryption Hashes: hash does not match between node-1 and node-2\n\nActive Key Type Name\n------ -------- ----\n * AES-CBC aescbckey-2021-12-10T22:54:38Z\n AES-CBC aescbckey\n\n"})}),"\n",(0,r.jsx)(n.p,{children:"Details on each section are as follows:"}),"\n",(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.strong,{children:"Encryption Status"}),": Displayed whether secrets encryption is disabled or enabled on the node"]}),"\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.strong,{children:"Current Rotation Stage"}),": Indicates the current rotation stage on the node.",(0,r.jsx)(n.br,{}),"\n","Stages are: ",(0,r.jsx)(n.code,{children:"start"}),", ",(0,r.jsx)(n.code,{children:"prepare"}),", ",(0,r.jsx)(n.code,{children:"rotate"}),", ",(0,r.jsx)(n.code,{children:"reencrypt_request"}),", ",(0,r.jsx)(n.code,{children:"reencrypt_active"}),", ",(0,r.jsx)(n.code,{children:"reencrypt_finished"})]}),"\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.strong,{children:"Server Encryption Hashes"}),": Useful for HA clusters, this indicates whether all servers are on the same stage with their local files. This can be used to identify whether a restart of servers is required before proceeding to the next stage. In the HA example above, node-1 and node-2 have different hashes, indicating that they currently do not have the same encryption configuration. Restarting the servers will sync up their configuration."]}),"\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.strong,{children:"Key Table"}),": Summarizes information about the secrets encryption keys found on the node.","\n",(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.strong,{children:"Active"}),': The "*" indicates which, if any, of the keys are currently used for secrets encryption. An active key is used by Kubernetes to encrypt any new secrets.']}),"\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.strong,{children:"Key Type"}),": All keys using this tool are ",(0,r.jsx)(n.code,{children:"AES-CBC"})," type. See more info ",(0,r.jsx)(n.a,{href:"https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/#providers",children:"here."})]}),"\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.strong,{children:"Name"}),": Name of the encryption key."]}),"\n"]}),"\n"]}),"\n"]})]})}function h(e={}){const{wrapper:n}={...(0,t.a)(),...e.components};return n?(0,r.jsx)(n,{...e,children:(0,r.jsx)(o,{...e})}):o(e)}function p(e,n){throw new Error("Expected "+(n?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,n,s)=>{s.d(n,{Z:()=>l,a:()=>c});var r=s(7294);const t={},i=r.createContext(t);function c(e){const n=r.useContext(i);return r.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function l(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:c(e.components),r.createElement(i.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/a1ce2930.7d48a7ad.js b/kr/assets/js/a1ce2930.7d48a7ad.js deleted file mode 100644 index dcf50535b..000000000 --- a/kr/assets/js/a1ce2930.7d48a7ad.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[2257],{4229:(e,n,s)=>{s.r(n),s.d(n,{assets:()=>a,contentTitle:()=>c,default:()=>h,frontMatter:()=>i,metadata:()=>l,toc:()=>o});var r=s(5893),t=s(1151);const i={title:"secrets-encrypt"},c="k3s secrets-encrypt",l={id:"cli/secrets-encrypt",title:"secrets-encrypt",description:"K3s supports enabling secrets encryption at rest. For more information, see Secrets Encryption.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/cli/secrets-encrypt.md",sourceDirName:"cli",slug:"/cli/secrets-encrypt",permalink:"/kr/cli/secrets-encrypt",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/cli/secrets-encrypt.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"secrets-encrypt"},sidebar:"mySidebar",previous:{title:"etcd-snapshot",permalink:"/kr/cli/etcd-snapshot"},next:{title:"token",permalink:"/kr/cli/token"}},a={},o=[{value:"Secrets Encryption Tool",id:"secrets-encryption-tool",level:2},{value:"Encryption Key Rotation",id:"encryption-key-rotation",level:3},{value:"Secrets Encryption Disable/Enable",id:"secrets-encryption-disableenable",level:3},{value:"Secrets Encryption Status",id:"secrets-encryption-status",level:3}];function d(e){const n={a:"a",admonition:"admonition",br:"br",code:"code",em:"em",h1:"h1",h2:"h2",h3:"h3",li:"li",mdxAdmonitionTitle:"mdxAdmonitionTitle",ol:"ol",p:"p",pre:"pre",strong:"strong",ul:"ul",...(0,t.a)(),...e.components},{TabItem:s,Tabs:i}=n;return s||p("TabItem",!0),i||p("Tabs",!0),(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(n.h1,{id:"k3s-secrets-encrypt",children:"k3s secrets-encrypt"}),"\n",(0,r.jsxs)(n.p,{children:["K3s supports enabling secrets encryption at rest. For more information, see ",(0,r.jsx)(n.a,{href:"/kr/security/secrets-encryption",children:"Secrets Encryption"}),"."]}),"\n",(0,r.jsx)(n.h2,{id:"secrets-encryption-tool",children:"Secrets Encryption Tool"}),"\n",(0,r.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,r.jsxs)(n.p,{children:["Available as of ",(0,r.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.21.8%2Bk3s1",children:"v1.21.8+k3s1"})]})}),"\n",(0,r.jsxs)(n.p,{children:["K3s contains a CLI tool ",(0,r.jsx)(n.code,{children:"secrets-encrypt"}),", which enables automatic control over the following:"]}),"\n",(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsx)(n.li,{children:"Disabling/Enabling secrets encryption"}),"\n",(0,r.jsx)(n.li,{children:"Adding new encryption keys"}),"\n",(0,r.jsx)(n.li,{children:"Rotating and deleting encryption keys"}),"\n",(0,r.jsx)(n.li,{children:"Reencrypting secrets"}),"\n"]}),"\n",(0,r.jsx)(n.admonition,{type:"warning",children:(0,r.jsx)(n.p,{children:"Failure to follow proper procedure for rotating encryption keys can leave your cluster permanently corrupted. Proceed with caution."})}),"\n",(0,r.jsx)(n.h3,{id:"encryption-key-rotation",children:"Encryption Key Rotation"}),"\n",(0,r.jsxs)(i,{children:[(0,r.jsxs)(s,{value:"Single-Server",default:!0,children:[(0,r.jsx)(n.p,{children:"To rotate secrets encryption keys on a single-server cluster:"}),(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsxs)(n.li,{children:["Start the K3s server with the flag ",(0,r.jsx)(n.code,{children:"--secrets-encryption"})]}),"\n"]}),(0,r.jsxs)(n.admonition,{type:"note",children:[(0,r.jsx)(n.mdxAdmonitionTitle,{}),(0,r.jsxs)(n.p,{children:["Starting K3s without encryption and enabling it at a later time is currently ",(0,r.jsx)(n.em,{children:"not"})," supported."]})]}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Prepare"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt prepare\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart the K3s server with same arguments. If running K3s as a service:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"# If using systemd\nsystemctl restart k3s\n# If using openrc\nrc-service k3s restart\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Rotate"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt rotate\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart the K3s server with same arguments"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Reencrypt"}),"\n",(0,r.jsx)(n.admonition,{type:"info",children:(0,r.jsxs)(n.p,{children:["K3s will reencrypt ~5 secrets per second.",(0,r.jsx)(n.br,{}),"\n","Clusters with large # of secrets can take several minutes to reencrypt."]})}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt reencrypt\n"})}),"\n"]}),"\n"]})]}),(0,r.jsxs)(s,{value:"High-Availability",default:!0,children:[(0,r.jsx)(n.p,{children:"The steps are the same for both embedded DB and external DB clusters."}),(0,r.jsx)(n.p,{children:"To rotate secrets encryption keys on HA setups:"}),(0,r.jsx)(n.admonition,{title:"Notes",type:"note",children:(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsxs)(n.li,{children:["Starting K3s without encryption and enabling it at a later time is currently ",(0,r.jsx)(n.em,{children:"not"})," supported."]}),"\n",(0,r.jsxs)(n.li,{children:["While not required, it is recommended that you pick one server node from which to run the ",(0,r.jsx)(n.code,{children:"secrets-encrypt"})," commands."]}),"\n"]})}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsxs)(n.p,{children:["Start up all three K3s servers with the ",(0,r.jsx)(n.code,{children:"--secrets-encryption"})," flag. For brevity, the servers will be referred to as S1, S2, S3."]}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Prepare on S1"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt prepare\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart S1 with same arguments. If running K3s as a service:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"# If using systemd\nsystemctl restart k3s\n# If using openrc\nrc-service k3s restart\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Once S1 is up, kill and restart the S2 and S3"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Rotate on S1"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt rotate\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart S1 with same arguments"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Once S1 is up, kill and restart the S2 and S3"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Reencrypt on S1"}),"\n",(0,r.jsx)(n.admonition,{type:"info",children:(0,r.jsxs)(n.p,{children:["K3s will reencrypt ~5 secrets per second.",(0,r.jsx)(n.br,{}),"\n","Clusters with large # of secrets can take several minutes to reencrypt."]})}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt reencrypt\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart S1 with same arguments"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Once S1 is up, kill and restart the S2 and S3"}),"\n"]}),"\n"]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"secrets-encryption-disableenable",children:"Secrets Encryption Disable/Enable"}),"\n",(0,r.jsxs)(i,{children:[(0,r.jsxs)(s,{value:"Single-Server",default:!0,children:[(0,r.jsxs)(n.p,{children:["After launching a server with ",(0,r.jsx)(n.code,{children:"--secrets-encryption"})," flag, secrets encryption can be disabled."]}),(0,r.jsx)(n.p,{children:"To disable secrets encryption on a single-node cluster:"}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Disable"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt disable\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart the K3s server with same arguments. If running K3s as a service:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"# If using systemd\nsystemctl restart k3s\n# If using openrc\nrc-service k3s restart\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Reencrypt with flags"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt reencrypt --force --skip\n"})}),"\n"]}),"\n"]}),(0,r.jsx)(n.p,{children:"To re-enable secrets encryption on a single node cluster:"}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Enable"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt enable\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart the K3s server with same arguments"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Reencrypt with flags"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt reencrypt --force --skip\n"})}),"\n"]}),"\n"]})]}),(0,r.jsxs)(s,{value:"High-Availability",default:!0,children:[(0,r.jsxs)(n.p,{children:["After launching a HA cluster with ",(0,r.jsx)(n.code,{children:"--secrets-encryption"})," flags, secrets encryption can be disabled."]}),(0,r.jsx)(n.admonition,{type:"note",children:(0,r.jsxs)(n.p,{children:["While not required, it is recommended that you pick one server node from which to run the ",(0,r.jsx)(n.code,{children:"secrets-encrypt"})," commands."]})}),(0,r.jsx)(n.p,{children:"For brevity, the three servers used in this guide will be referred to as S1, S2, S3."}),(0,r.jsx)(n.p,{children:"To disable secrets encryption on a HA cluster:"}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Disable on S1"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt disable\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart S1 with same arguments. If running K3s as a service:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"# If using systemd\nsystemctl restart k3s\n# If using openrc\nrc-service k3s restart\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Once S1 is up, kill and restart the S2 and S3"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Reencrypt with flags on S1"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt reencrypt --force --skip\n"})}),"\n"]}),"\n"]}),(0,r.jsx)(n.p,{children:"To re-enable secrets encryption on a HA cluster:"}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Enable on S1"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt enable\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart S1 with same arguments"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Once S1 is up, kill and restart the S2 and S3"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Reencrypt with flags on S1"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt reencrypt --force --skip\n"})}),"\n"]}),"\n"]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"secrets-encryption-status",children:"Secrets Encryption Status"}),"\n",(0,r.jsxs)(n.p,{children:["The secrets-encrypt tool includes a ",(0,r.jsx)(n.code,{children:"status"})," command that displays information about the current status of secrets encryption on the node."]}),"\n",(0,r.jsx)(n.p,{children:"An example of the command on a single-server node:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"$ k3s secrets-encrypt status\nEncryption Status: Enabled\nCurrent Rotation Stage: start\nServer Encryption Hashes: All hashes match\n\nActive Key Type Name\n------ -------- ----\n * AES-CBC aescbckey\n\n"})}),"\n",(0,r.jsx)(n.p,{children:"Another example on HA cluster, after rotating the keys, but before restarting the servers:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"$ k3s secrets-encrypt status\nEncryption Status: Enabled\nCurrent Rotation Stage: rotate\nServer Encryption Hashes: hash does not match between node-1 and node-2\n\nActive Key Type Name\n------ -------- ----\n * AES-CBC aescbckey-2021-12-10T22:54:38Z\n AES-CBC aescbckey\n\n"})}),"\n",(0,r.jsx)(n.p,{children:"Details on each section are as follows:"}),"\n",(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.strong,{children:"Encryption Status"}),": Displayed whether secrets encryption is disabled or enabled on the node"]}),"\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.strong,{children:"Current Rotation Stage"}),": Indicates the current rotation stage on the node.",(0,r.jsx)(n.br,{}),"\n","Stages are: ",(0,r.jsx)(n.code,{children:"start"}),", ",(0,r.jsx)(n.code,{children:"prepare"}),", ",(0,r.jsx)(n.code,{children:"rotate"}),", ",(0,r.jsx)(n.code,{children:"reencrypt_request"}),", ",(0,r.jsx)(n.code,{children:"reencrypt_active"}),", ",(0,r.jsx)(n.code,{children:"reencrypt_finished"})]}),"\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.strong,{children:"Server Encryption Hashes"}),": Useful for HA clusters, this indicates whether all servers are on the same stage with their local files. This can be used to identify whether a restart of servers is required before proceeding to the next stage. In the HA example above, node-1 and node-2 have different hashes, indicating that they currently do not have the same encryption configuration. Restarting the servers will sync up their configuration."]}),"\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.strong,{children:"Key Table"}),": Summarizes information about the secrets encryption keys found on the node.","\n",(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.strong,{children:"Active"}),': The "*" indicates which, if any, of the keys are currently used for secrets encryption. An active key is used by Kubernetes to encrypt any new secrets.']}),"\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.strong,{children:"Key Type"}),": All keys using this tool are ",(0,r.jsx)(n.code,{children:"AES-CBC"})," type. See more info ",(0,r.jsx)(n.a,{href:"https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/#providers",children:"here."})]}),"\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.strong,{children:"Name"}),": Name of the encryption key."]}),"\n"]}),"\n"]}),"\n"]})]})}function h(e={}){const{wrapper:n}={...(0,t.a)(),...e.components};return n?(0,r.jsx)(n,{...e,children:(0,r.jsx)(d,{...e})}):d(e)}function p(e,n){throw new Error("Expected "+(n?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,n,s)=>{s.d(n,{Z:()=>l,a:()=>c});var r=s(7294);const t={},i=r.createContext(t);function c(e){const n=r.useContext(i);return r.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function l(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:c(e.components),r.createElement(i.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/a43d9b4f.928d733e.js b/kr/assets/js/a43d9b4f.928d733e.js new file mode 100644 index 000000000..84643935f --- /dev/null +++ b/kr/assets/js/a43d9b4f.928d733e.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[3667],{1080:(e,s,n)=>{n.r(s),n.d(s,{assets:()=>a,contentTitle:()=>l,default:()=>x,frontMatter:()=>d,metadata:()=>o,toc:()=>h});var r=n(5893),t=n(1151),i=n(9965),c=n(4996);const d={title:"\uc544\ud0a4\ud14d\ucc98"},l=void 0,o={id:"architecture",title:"\uc544\ud0a4\ud14d\ucc98",description:"\uc774 \ud398\uc774\uc9c0\uc5d0\uc11c\ub294 \uace0\uac00\uc6a9\uc131 K3s \uc11c\ubc84 \ud074\ub7ec\uc2a4\ud130\uc758 \uc544\ud0a4\ud14d\ucc98\uc640 \ub2e8\uc77c \ub178\ub4dc \uc11c\ubc84 \ud074\ub7ec\uc2a4\ud130\uc640\uc758 \ucc28\uc774\uc810\uc5d0 \ub300\ud574 \uc124\uba85\ud569\ub2c8\ub2e4.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/architecture.md",sourceDirName:".",slug:"/architecture",permalink:"/kr/architecture",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/architecture.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"\uc544\ud0a4\ud14d\ucc98"},sidebar:"mySidebar",previous:{title:"token",permalink:"/kr/cli/token"},next:{title:"\ud074\ub7ec\uc2a4\ud130 \uc811\uadfc",permalink:"/kr/cluster-access"}},a={},h=[{value:"\uc784\ubca0\ub514\ub4dc DB\uac00 \uc788\ub294 \ub2e8\uc77c \uc11c\ubc84 \uc124\uc815",id:"\uc784\ubca0\ub514\ub4dc-db\uac00-\uc788\ub294-\ub2e8\uc77c-\uc11c\ubc84-\uc124\uc815",level:3},{value:"\uc678\ubd80 DB\uac00 \uc788\ub294 \uace0\uac00\uc6a9\uc131 K3s \uc11c\ubc84",id:"\uc678\ubd80-db\uac00-\uc788\ub294-\uace0\uac00\uc6a9\uc131-k3s-\uc11c\ubc84",level:3},{value:"\uc5d0\uc774\uc804\ud2b8 \ub178\ub4dc\ub97c \uc704\ud55c \uace0\uc815 \ub4f1\ub85d \uc8fc\uc18c",id:"\uc5d0\uc774\uc804\ud2b8-\ub178\ub4dc\ub97c-\uc704\ud55c-\uace0\uc815-\ub4f1\ub85d-\uc8fc\uc18c",level:3},{value:"\uc5d0\uc774\uc804\ud2b8 \ub178\ub4dc \ub4f1\ub85d \uc791\ub3d9 \ubc29\uc2dd",id:"\uc5d0\uc774\uc804\ud2b8-\ub178\ub4dc-\ub4f1\ub85d-\uc791\ub3d9-\ubc29\uc2dd",level:3}];function u(e){const s={a:"a",admonition:"admonition",code:"code",h3:"h3",img:"img",li:"li",p:"p",strong:"strong",ul:"ul",...(0,t.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(s.p,{children:"\uc774 \ud398\uc774\uc9c0\uc5d0\uc11c\ub294 \uace0\uac00\uc6a9\uc131 K3s \uc11c\ubc84 \ud074\ub7ec\uc2a4\ud130\uc758 \uc544\ud0a4\ud14d\ucc98\uc640 \ub2e8\uc77c \ub178\ub4dc \uc11c\ubc84 \ud074\ub7ec\uc2a4\ud130\uc640\uc758 \ucc28\uc774\uc810\uc5d0 \ub300\ud574 \uc124\uba85\ud569\ub2c8\ub2e4."}),"\n",(0,r.jsx)(s.p,{children:"\ub610\ud55c \uc5d0\uc774\uc804\ud2b8 \ub178\ub4dc\uac00 K3s \uc11c\ubc84\uc5d0 \ub4f1\ub85d\ub418\ub294 \ubc29\ubc95\ub3c4 \uc124\uba85\ud569\ub2c8\ub2e4."}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["\uc11c\ubc84 \ub178\ub4dc\ub294 ",(0,r.jsx)(s.code,{children:"k3s server"})," \uba85\ub839\uc744 \uc2e4\ud589\ud558\ub294 \ud638\uc2a4\ud2b8\ub85c \uc815\uc758\ub418\uba70, \ucee8\ud2b8\ub864 \ud50c\ub808\uc778 \ubc0f \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4 \uad6c\uc131 \uc694\uc18c\ub294 K3s\uc5d0\uc11c \uad00\ub9ac\ud569\ub2c8\ub2e4."]}),"\n",(0,r.jsxs)(s.li,{children:["\uc5d0\uc774\uc804\ud2b8 \ub178\ub4dc\ub294 \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4 \ub610\ub294 \ucee8\ud2b8\ub864 \ud50c\ub808\uc778 \uad6c\uc131 \uc694\uc18c \uc5c6\uc774 ",(0,r.jsx)(s.code,{children:"k3s agent"})," \uba85\ub839\uc744 \uc2e4\ud589\ud558\ub294 \ud638\uc2a4\ud2b8\ub85c \uc815\uc758\ub429\ub2c8\ub2e4."]}),"\n",(0,r.jsxs)(s.li,{children:["\uc11c\ubc84\uc640 \uc5d0\uc774\uc804\ud2b8 \ubaa8\ub450 kubelet, \ucee8\ud14c\uc774\ub108 \ub7f0\ud0c0\uc784 \ubc0f CNI\ub97c \uc2e4\ud589\ud569\ub2c8\ub2e4. \uc5d0\uc774\uc804\ud2b8 \uc5c6\ub294 \uc11c\ubc84 \uc2e4\ud589\uc5d0 \ub300\ud55c \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,r.jsx)(s.a,{href:"/kr/advanced#%EC%97%90%EC%9D%B4%EC%A0%84%ED%8A%B8-%EC%97%86%EB%8A%94-%EC%84%9C%EB%B2%84-%EC%8B%A4%ED%96%89%ED%95%98%EA%B8%B0%EC%8B%A4%ED%97%98%EC%A0%81",children:"\uace0\uae09 \uc635\uc158"})," \uc124\uba85\uc11c\ub97c \ucc38\uc870\ud558\uc138\uc694."]}),"\n"]}),"\n",(0,r.jsx)(s.p,{children:(0,r.jsx)(s.img,{src:n(4530).Z+"",width:"1562",height:"898"})}),"\n",(0,r.jsx)(s.h3,{id:"\uc784\ubca0\ub514\ub4dc-db\uac00-\uc788\ub294-\ub2e8\uc77c-\uc11c\ubc84-\uc124\uc815",children:"\uc784\ubca0\ub514\ub4dc DB\uac00 \uc788\ub294 \ub2e8\uc77c \uc11c\ubc84 \uc124\uc815"}),"\n",(0,r.jsx)(s.p,{children:"\ub2e4\uc74c \ub2e4\uc774\uc5b4\uadf8\ub7a8\uc740 \uc784\ubca0\ub514\ub4dc SQLite \ub370\uc774\ud130\ubca0\uc774\uc2a4\uac00 \uc788\ub294 \ub2e8\uc77c \ub178\ub4dc K3s \uc11c\ubc84\uac00 \uc788\ub294 \ud074\ub7ec\uc2a4\ud130\uc758 \uc608\ub97c \ubcf4\uc5ec\uc90d\ub2c8\ub2e4."}),"\n",(0,r.jsx)(s.p,{children:"\uc774 \uad6c\uc131\uc5d0\uc11c \uac01 \uc5d0\uc774\uc804\ud2b8 \ub178\ub4dc\ub294 \ub3d9\uc77c\ud55c \uc11c\ubc84 \ub178\ub4dc\uc5d0 \ub4f1\ub85d\ub429\ub2c8\ub2e4. K3s \uc0ac\uc6a9\uc790\ub294 \uc11c\ubc84 \ub178\ub4dc\uc5d0\uc11c K3s API\ub97c \ud638\ucd9c\ud558\uc5ec \ucfe0\ubc84\ub124\ud2f0\uc2a4 \ub9ac\uc18c\uc2a4\ub97c \uc870\uc791\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."}),"\n",(0,r.jsx)(i.Z,{alt:"K3s Architecture with a Single Server",sources:{light:(0,c.ZP)("/img/k3s-architecture-single-server.svg"),dark:(0,c.ZP)("/img/k3s-architecture-single-server-dark.svg")}}),"\n",(0,r.jsx)(s.h3,{id:"\uc678\ubd80-db\uac00-\uc788\ub294-\uace0\uac00\uc6a9\uc131-k3s-\uc11c\ubc84",children:"\uc678\ubd80 DB\uac00 \uc788\ub294 \uace0\uac00\uc6a9\uc131 K3s \uc11c\ubc84"}),"\n",(0,r.jsx)(s.p,{children:"\ub2e8\uc77c \uc11c\ubc84 \ud074\ub7ec\uc2a4\ud130\ub294 \ub2e4\uc591\ud55c \uc0ac\uc6a9 \uc0ac\ub840\ub97c \ucda9\uc871\ud560 \uc218 \uc788\uc9c0\ub9cc, Kubernetes \ucee8\ud2b8\ub864 \ud50c\ub808\uc778\uc758 \uac00\ub3d9 \uc2dc\uac04\uc774 \uc911\uc694\ud55c \ud658\uacbd\uc758 \uacbd\uc6b0, HA \uad6c\uc131\uc73c\ub85c K3s\ub97c \uc2e4\ud589\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. HA K3s \ud074\ub7ec\uc2a4\ud130\ub294 \ub2e4\uc74c\uacfc \uac19\uc774 \uad6c\uc131\ub429\ub2c8\ub2e4:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["\ub450 \uac1c \uc774\uc0c1\uc758 ",(0,r.jsx)(s.strong,{children:"\uc11c\ubc84 \ub178\ub4dc"}),"\uac00 Kubernetes API\ub97c \uc81c\uacf5\ud558\uace0 \ub2e4\ub978 \ucee8\ud2b8\ub864 \ud50c\ub808\uc778 \uc11c\ube44\uc2a4\ub97c \uc2e4\ud589\ud569\ub2c8\ub2e4."]}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.strong,{children:"\uc678\ubd80 \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4"}),"(\ub2e8\uc77c \uc11c\ubc84 \uc124\uc815\uc5d0 \uc0ac\uc6a9\ub418\ub294 \uc784\ubca0\ub514\ub4dc SQLite \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4\uc640 \ubc18\ub300)"]}),"\n"]}),"\n",(0,r.jsx)(i.Z,{alt:"K3s Architecture with High-availability Servers",sources:{light:(0,c.ZP)("/img/k3s-architecture-ha-server.svg"),dark:(0,c.ZP)("/img/k3s-architecture-ha-server-dark.svg")}}),"\n",(0,r.jsx)(s.h3,{id:"\uc5d0\uc774\uc804\ud2b8-\ub178\ub4dc\ub97c-\uc704\ud55c-\uace0\uc815-\ub4f1\ub85d-\uc8fc\uc18c",children:"\uc5d0\uc774\uc804\ud2b8 \ub178\ub4dc\ub97c \uc704\ud55c \uace0\uc815 \ub4f1\ub85d \uc8fc\uc18c"}),"\n",(0,r.jsx)(s.p,{children:"\uace0\uac00\uc6a9\uc131 \uc11c\ubc84 \uad6c\uc131\uc5d0\uc11c \uac01 \ub178\ub4dc\ub294 \uc544\ub798 \ub2e4\uc774\uc5b4\uadf8\ub7a8\uacfc \uac19\uc774 \uace0\uc815 \ub4f1\ub85d \uc8fc\uc18c\ub97c \uc0ac\uc6a9\ud558\uc5ec Kubernetes API\uc5d0 \ub4f1\ub85d\ud574\uc57c \ud569\ub2c8\ub2e4."}),"\n",(0,r.jsx)(s.p,{children:"\ub4f1\ub85d \ud6c4 \uc5d0\uc774\uc804\ud2b8 \ub178\ub4dc\ub294 \uc11c\ubc84 \ub178\ub4dc \uc911 \ud558\ub098\uc5d0 \uc9c1\uc811 \uc5f0\uacb0\uc744 \uc124\uc815\ud569\ub2c8\ub2e4."}),"\n",(0,r.jsx)(i.Z,{alt:"Agent Registration HA",sources:{light:(0,c.ZP)("/img/k3s-production-setup.svg"),dark:(0,c.ZP)("/img/k3s-production-setup-dark.svg")}}),"\n",(0,r.jsx)(s.h3,{id:"\uc5d0\uc774\uc804\ud2b8-\ub178\ub4dc-\ub4f1\ub85d-\uc791\ub3d9-\ubc29\uc2dd",children:"\uc5d0\uc774\uc804\ud2b8 \ub178\ub4dc \ub4f1\ub85d \uc791\ub3d9 \ubc29\uc2dd"}),"\n",(0,r.jsxs)(s.p,{children:["\uc5d0\uc774\uc804\ud2b8 \ub178\ub4dc\ub294 ",(0,r.jsx)(s.code,{children:"k3s agent"})," \ud504\ub85c\uc138\uc2a4\uc5d0 \uc758\ud574 \uc2dc\uc791\ub41c \uc6f9\uc18c\ucf13 \uc5f0\uacb0\ub85c \ub4f1\ub85d\ub418\uba70, \uc5d0\uc774\uc804\ud2b8 \ud504\ub85c\uc138\uc2a4\uc758 \uc77c\ubd80\ub85c \uc2e4\ud589\ub418\ub294 \ud074\ub77c\uc774\uc5b8\ud2b8 \uce21 \ub85c\ub4dc\ubc38\ub7f0\uc11c\uc5d0 \uc758\ud574 \uc5f0\uacb0\uc774 \uc720\uc9c0\ub429\ub2c8\ub2e4. \uc774 \ub85c\ub4dc \ubc38\ub7f0\uc11c\ub294 \ud074\ub7ec\uc2a4\ud130\uc758 \ubaa8\ub4e0 \uc11c\ubc84\uc5d0 \ub300\ud55c \uc548\uc815\uc801\uc778 \uc5f0\uacb0\uc744 \uc720\uc9c0\ud558\uc5ec \uac1c\ubcc4 \uc11c\ubc84\uc758 \uc911\ub2e8\uc744 \ud5c8\uc6a9\ud558\ub294 \uc5d0\uc774\uc804\uc2dc \uc11c\ubc84\uc5d0 \ub300\ud55c \uc5f0\uacb0\uc744 \uc81c\uacf5\ud569\ub2c8\ub2e4."]}),"\n",(0,r.jsxs)(s.p,{children:["\uc5d0\uc774\uc804\ud2b8\ub294 \ub178\ub4dc \ud074\ub7ec\uc2a4\ud130 \uc2dc\ud06c\ub9bf\uacfc \ub178\ub4dc\uc5d0 \ub300\ud574 \ubb34\uc791\uc704\ub85c \uc0dd\uc131\ub41c \ube44\ubc00\ubc88\ud638\ub97c \uc0ac\uc6a9\ud558\uc5ec \uc11c\ubc84\uc5d0 \ub4f1\ub85d\ud558\uba70, \uc774 \ube44\ubc00\ubc88\ud638\ub294 ",(0,r.jsx)(s.code,{children:"/etc/rancher/node/password"}),"\uc5d0 \uc800\uc7a5\ub429\ub2c8\ub2e4. \uc11c\ubc84\ub294 \uac1c\ubcc4 \ub178\ub4dc\uc758 \ube44\ubc00\ubc88\ud638\ub97c \ucfe0\ubc84\ub124\ud2f0\uc2a4 \uc2dc\ud06c\ub9bf\uc73c\ub85c \uc800\uc7a5\ud558\uba70, \uc774\ud6c4 \ubaa8\ub4e0 \uc2dc\ub3c4\ub294 \ub3d9\uc77c\ud55c \ube44\ubc00\ubc88\ud638\ub97c \uc0ac\uc6a9\ud574\uc57c \ud569\ub2c8\ub2e4. \ub178\ub4dc \ud328\uc2a4\uc6cc\ub4dc \uc2dc\ud06c\ub9bf\uc740 ",(0,r.jsx)(s.code,{children:"<host>.node-password.k3s"})," \ud15c\ud50c\ub9bf\uc744 \uc0ac\uc6a9\ud558\ub294 \uc774\ub984\uc73c\ub85c ",(0,r.jsx)(s.code,{children:"kube-system"})," \ub124\uc784\uc2a4\ud398\uc774\uc2a4\uc5d0 \uc800\uc7a5\ub429\ub2c8\ub2e4. \uc774\ub294 \ub178\ub4dc ID\uc758 \ubb34\uacb0\uc131\uc744 \ubcf4\ud638\ud558\uae30 \uc704\ud574 \uc218\ud589\ub429\ub2c8\ub2e4."]}),"\n",(0,r.jsxs)(s.p,{children:["\uc5d0\uc774\uc804\ud2b8\uc758 ",(0,r.jsx)(s.code,{children:"/etc/rancher/node"})," \ub514\ub809\ud130\ub9ac\uac00 \uc81c\uac70\ub418\uac70\ub098 \uae30\uc874 \uc774\ub984\uc744 \uc0ac\uc6a9\ud558\uc5ec \ub178\ub4dc\uc5d0 \ub2e4\uc2dc \uac00\uc785\ud558\ub824\ub294 \uacbd\uc6b0, \ud074\ub7ec\uc2a4\ud130\uc5d0\uc11c \ub178\ub4dc\ub97c \uc0ad\uc81c\ud574\uc57c \ud569\ub2c8\ub2e4. \uc774\ub807\uac8c \ud558\uba74 \uc774\uc804 \ub178\ub4dc \ud56d\ubaa9\uacfc \ub178\ub4dc \ube44\ubc00\ubc88\ud638 \uc2dc\ud06c\ub9bf\uc774 \ubaa8\ub450 \uc815\ub9ac\ub418\uace0 \ub178\ub4dc\uac00 \ud074\ub7ec\uc2a4\ud130\uc5d0 (\uc7ac)\uc870\uc778\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."]}),"\n",(0,r.jsx)(s.admonition,{type:"note",children:(0,r.jsxs)(s.p,{children:["K3s v1.20.2 \uc774\uc804 \uc11c\ubc84\ub294 ",(0,r.jsx)(s.code,{children:"/var/lib/rancher/k3s/server/cred/node-passwd"}),"\uc5d0 \ub514\uc2a4\ud06c\uc5d0 \ube44\ubc00\ubc88\ud638\ub97c \uc800\uc7a5\ud569\ub2c8\ub2e4."]})}),"\n",(0,r.jsxs)(s.p,{children:["\ud638\uc2a4\ud2b8 \uc774\ub984\uc744 \uc790\uc8fc \uc7ac\uc0ac\uc6a9\ud558\uc9c0\ub9cc \ub178\ub4dc \uc554\ud638 \uc2dc\ud06c\ub9bf\uc744 \uc81c\uac70\ud560 \uc218 \uc5c6\ub294 \uacbd\uc6b0, ",(0,r.jsx)(s.code,{children:"--with-node-id"})," \ud50c\ub798\uadf8\ub97c \uc0ac\uc6a9\ud558\uc5ec K3s \uc11c\ubc84 \ub610\ub294 \uc5d0\uc774\uc804\ud2b8\ub97c \uc2dc\uc791\ud558\uba74 \ud638\uc2a4\ud2b8 \uc774\ub984\uc5d0 \uace0\uc720 \ub178\ub4dc ID\ub97c \uc790\ub3d9\uc73c\ub85c \ucd94\uac00\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \ud65c\uc131\ud654\ud558\uba74 \ub178\ub4dc ID\ub294 ",(0,r.jsx)(s.code,{children:"/etc/rancher/node/"}),"\uc5d0\ub3c4 \uc800\uc7a5\ub429\ub2c8\ub2e4."]})]})}function x(e={}){const{wrapper:s}={...(0,t.a)(),...e.components};return s?(0,r.jsx)(s,{...e,children:(0,r.jsx)(u,{...e})}):u(e)}},4530:(e,s,n)=>{n.d(s,{Z:()=>r});const r=n.p+"assets/images/how-it-works-k3s-revised-9c025ef482404bca2e53a89a0ba7a3c5.svg"},1151:(e,s,n)=>{n.d(s,{Z:()=>d,a:()=>c});var r=n(7294);const t={},i=r.createContext(t);function c(e){const s=r.useContext(i);return r.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function d(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:c(e.components),r.createElement(i.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/a43d9b4f.b2ed37e7.js b/kr/assets/js/a43d9b4f.b2ed37e7.js deleted file mode 100644 index ad65d8705..000000000 --- a/kr/assets/js/a43d9b4f.b2ed37e7.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[3667],{1080:(e,s,n)=>{n.r(s),n.d(s,{assets:()=>a,contentTitle:()=>l,default:()=>x,frontMatter:()=>d,metadata:()=>o,toc:()=>h});var r=n(5893),t=n(1151),i=n(9965),c=n(4996);const d={title:"\uc544\ud0a4\ud14d\ucc98"},l=void 0,o={id:"architecture",title:"\uc544\ud0a4\ud14d\ucc98",description:"\uc774 \ud398\uc774\uc9c0\uc5d0\uc11c\ub294 \uace0\uac00\uc6a9\uc131 K3s \uc11c\ubc84 \ud074\ub7ec\uc2a4\ud130\uc758 \uc544\ud0a4\ud14d\ucc98\uc640 \ub2e8\uc77c \ub178\ub4dc \uc11c\ubc84 \ud074\ub7ec\uc2a4\ud130\uc640\uc758 \ucc28\uc774\uc810\uc5d0 \ub300\ud574 \uc124\uba85\ud569\ub2c8\ub2e4.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/architecture.md",sourceDirName:".",slug:"/architecture",permalink:"/kr/architecture",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/architecture.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"\uc544\ud0a4\ud14d\ucc98"},sidebar:"mySidebar",previous:{title:"token",permalink:"/kr/cli/token"},next:{title:"\ud074\ub7ec\uc2a4\ud130 \uc811\uadfc",permalink:"/kr/cluster-access"}},a={},h=[{value:"\uc784\ubca0\ub514\ub4dc DB\uac00 \uc788\ub294 \ub2e8\uc77c \uc11c\ubc84 \uc124\uc815",id:"\uc784\ubca0\ub514\ub4dc-db\uac00-\uc788\ub294-\ub2e8\uc77c-\uc11c\ubc84-\uc124\uc815",level:3},{value:"\uc678\ubd80 DB\uac00 \uc788\ub294 \uace0\uac00\uc6a9\uc131 K3s \uc11c\ubc84",id:"\uc678\ubd80-db\uac00-\uc788\ub294-\uace0\uac00\uc6a9\uc131-k3s-\uc11c\ubc84",level:3},{value:"\uc5d0\uc774\uc804\ud2b8 \ub178\ub4dc\ub97c \uc704\ud55c \uace0\uc815 \ub4f1\ub85d \uc8fc\uc18c",id:"\uc5d0\uc774\uc804\ud2b8-\ub178\ub4dc\ub97c-\uc704\ud55c-\uace0\uc815-\ub4f1\ub85d-\uc8fc\uc18c",level:3},{value:"\uc5d0\uc774\uc804\ud2b8 \ub178\ub4dc \ub4f1\ub85d \uc791\ub3d9 \ubc29\uc2dd",id:"\uc5d0\uc774\uc804\ud2b8-\ub178\ub4dc-\ub4f1\ub85d-\uc791\ub3d9-\ubc29\uc2dd",level:3}];function u(e){const s={a:"a",admonition:"admonition",code:"code",h3:"h3",img:"img",li:"li",p:"p",strong:"strong",ul:"ul",...(0,t.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(s.p,{children:"\uc774 \ud398\uc774\uc9c0\uc5d0\uc11c\ub294 \uace0\uac00\uc6a9\uc131 K3s \uc11c\ubc84 \ud074\ub7ec\uc2a4\ud130\uc758 \uc544\ud0a4\ud14d\ucc98\uc640 \ub2e8\uc77c \ub178\ub4dc \uc11c\ubc84 \ud074\ub7ec\uc2a4\ud130\uc640\uc758 \ucc28\uc774\uc810\uc5d0 \ub300\ud574 \uc124\uba85\ud569\ub2c8\ub2e4."}),"\n",(0,r.jsx)(s.p,{children:"\ub610\ud55c \uc5d0\uc774\uc804\ud2b8 \ub178\ub4dc\uac00 K3s \uc11c\ubc84\uc5d0 \ub4f1\ub85d\ub418\ub294 \ubc29\ubc95\ub3c4 \uc124\uba85\ud569\ub2c8\ub2e4."}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["\uc11c\ubc84 \ub178\ub4dc\ub294 ",(0,r.jsx)(s.code,{children:"k3s server"})," \uba85\ub839\uc744 \uc2e4\ud589\ud558\ub294 \ud638\uc2a4\ud2b8\ub85c \uc815\uc758\ub418\uba70, \ucee8\ud2b8\ub864 \ud50c\ub808\uc778 \ubc0f \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4 \uad6c\uc131 \uc694\uc18c\ub294 K3s\uc5d0\uc11c \uad00\ub9ac\ud569\ub2c8\ub2e4."]}),"\n",(0,r.jsxs)(s.li,{children:["\uc5d0\uc774\uc804\ud2b8 \ub178\ub4dc\ub294 \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4 \ub610\ub294 \ucee8\ud2b8\ub864 \ud50c\ub808\uc778 \uad6c\uc131 \uc694\uc18c \uc5c6\uc774 ",(0,r.jsx)(s.code,{children:"k3s agent"})," \uba85\ub839\uc744 \uc2e4\ud589\ud558\ub294 \ud638\uc2a4\ud2b8\ub85c \uc815\uc758\ub429\ub2c8\ub2e4."]}),"\n",(0,r.jsxs)(s.li,{children:["\uc11c\ubc84\uc640 \uc5d0\uc774\uc804\ud2b8 \ubaa8\ub450 kubelet, \ucee8\ud14c\uc774\ub108 \ub7f0\ud0c0\uc784 \ubc0f CNI\ub97c \uc2e4\ud589\ud569\ub2c8\ub2e4. \uc5d0\uc774\uc804\ud2b8 \uc5c6\ub294 \uc11c\ubc84 \uc2e4\ud589\uc5d0 \ub300\ud55c \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,r.jsx)(s.a,{href:"/kr/advanced#%EC%97%90%EC%9D%B4%EC%A0%84%ED%8A%B8-%EC%97%86%EB%8A%94-%EC%84%9C%EB%B2%84-%EC%8B%A4%ED%96%89%ED%95%98%EA%B8%B0%EC%8B%A4%ED%97%98%EC%A0%81",children:"\uace0\uae09 \uc635\uc158"})," \uc124\uba85\uc11c\ub97c \ucc38\uc870\ud558\uc138\uc694."]}),"\n"]}),"\n",(0,r.jsx)(s.p,{children:(0,r.jsx)(s.img,{src:n(4530).Z+"",width:"1562",height:"898"})}),"\n",(0,r.jsx)(s.h3,{id:"\uc784\ubca0\ub514\ub4dc-db\uac00-\uc788\ub294-\ub2e8\uc77c-\uc11c\ubc84-\uc124\uc815",children:"\uc784\ubca0\ub514\ub4dc DB\uac00 \uc788\ub294 \ub2e8\uc77c \uc11c\ubc84 \uc124\uc815"}),"\n",(0,r.jsx)(s.p,{children:"\ub2e4\uc74c \ub2e4\uc774\uc5b4\uadf8\ub7a8\uc740 \uc784\ubca0\ub514\ub4dc SQLite \ub370\uc774\ud130\ubca0\uc774\uc2a4\uac00 \uc788\ub294 \ub2e8\uc77c \ub178\ub4dc K3s \uc11c\ubc84\uac00 \uc788\ub294 \ud074\ub7ec\uc2a4\ud130\uc758 \uc608\ub97c \ubcf4\uc5ec\uc90d\ub2c8\ub2e4."}),"\n",(0,r.jsx)(s.p,{children:"\uc774 \uad6c\uc131\uc5d0\uc11c \uac01 \uc5d0\uc774\uc804\ud2b8 \ub178\ub4dc\ub294 \ub3d9\uc77c\ud55c \uc11c\ubc84 \ub178\ub4dc\uc5d0 \ub4f1\ub85d\ub429\ub2c8\ub2e4. K3s \uc0ac\uc6a9\uc790\ub294 \uc11c\ubc84 \ub178\ub4dc\uc5d0\uc11c K3s API\ub97c \ud638\ucd9c\ud558\uc5ec \ucfe0\ubc84\ub124\ud2f0\uc2a4 \ub9ac\uc18c\uc2a4\ub97c \uc870\uc791\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."}),"\n",(0,r.jsx)(i.Z,{alt:"K3s Architecture with a Single Server",sources:{light:(0,c.ZP)("/img/k3s-architecture-single-server.svg"),dark:(0,c.ZP)("/img/k3s-architecture-single-server-dark.svg")}}),"\n",(0,r.jsx)(s.h3,{id:"\uc678\ubd80-db\uac00-\uc788\ub294-\uace0\uac00\uc6a9\uc131-k3s-\uc11c\ubc84",children:"\uc678\ubd80 DB\uac00 \uc788\ub294 \uace0\uac00\uc6a9\uc131 K3s \uc11c\ubc84"}),"\n",(0,r.jsx)(s.p,{children:"\ub2e8\uc77c \uc11c\ubc84 \ud074\ub7ec\uc2a4\ud130\ub294 \ub2e4\uc591\ud55c \uc0ac\uc6a9 \uc0ac\ub840\ub97c \ucda9\uc871\ud560 \uc218 \uc788\uc9c0\ub9cc, Kubernetes \ucee8\ud2b8\ub864 \ud50c\ub808\uc778\uc758 \uac00\ub3d9 \uc2dc\uac04\uc774 \uc911\uc694\ud55c \ud658\uacbd\uc758 \uacbd\uc6b0, HA \uad6c\uc131\uc73c\ub85c K3s\ub97c \uc2e4\ud589\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. HA K3s \ud074\ub7ec\uc2a4\ud130\ub294 \ub2e4\uc74c\uacfc \uac19\uc774 \uad6c\uc131\ub429\ub2c8\ub2e4:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["\ub450 \uac1c \uc774\uc0c1\uc758 ",(0,r.jsx)(s.strong,{children:"\uc11c\ubc84 \ub178\ub4dc"}),"\uac00 Kubernetes API\ub97c \uc81c\uacf5\ud558\uace0 \ub2e4\ub978 \ucee8\ud2b8\ub864 \ud50c\ub808\uc778 \uc11c\ube44\uc2a4\ub97c \uc2e4\ud589\ud569\ub2c8\ub2e4."]}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.strong,{children:"\uc678\ubd80 \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4"}),"(\ub2e8\uc77c \uc11c\ubc84 \uc124\uc815\uc5d0 \uc0ac\uc6a9\ub418\ub294 \uc784\ubca0\ub514\ub4dc SQLite \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4\uc640 \ubc18\ub300)"]}),"\n"]}),"\n",(0,r.jsx)(i.Z,{alt:"K3s Architecture with High-availability Servers",sources:{light:(0,c.ZP)("/img/k3s-architecture-ha-server.svg"),dark:(0,c.ZP)("/img/k3s-architecture-ha-server-dark.svg")}}),"\n",(0,r.jsx)(s.h3,{id:"\uc5d0\uc774\uc804\ud2b8-\ub178\ub4dc\ub97c-\uc704\ud55c-\uace0\uc815-\ub4f1\ub85d-\uc8fc\uc18c",children:"\uc5d0\uc774\uc804\ud2b8 \ub178\ub4dc\ub97c \uc704\ud55c \uace0\uc815 \ub4f1\ub85d \uc8fc\uc18c"}),"\n",(0,r.jsx)(s.p,{children:"\uace0\uac00\uc6a9\uc131 \uc11c\ubc84 \uad6c\uc131\uc5d0\uc11c \uac01 \ub178\ub4dc\ub294 \uc544\ub798 \ub2e4\uc774\uc5b4\uadf8\ub7a8\uacfc \uac19\uc774 \uace0\uc815 \ub4f1\ub85d \uc8fc\uc18c\ub97c \uc0ac\uc6a9\ud558\uc5ec Kubernetes API\uc5d0 \ub4f1\ub85d\ud574\uc57c \ud569\ub2c8\ub2e4."}),"\n",(0,r.jsx)(s.p,{children:"\ub4f1\ub85d \ud6c4 \uc5d0\uc774\uc804\ud2b8 \ub178\ub4dc\ub294 \uc11c\ubc84 \ub178\ub4dc \uc911 \ud558\ub098\uc5d0 \uc9c1\uc811 \uc5f0\uacb0\uc744 \uc124\uc815\ud569\ub2c8\ub2e4."}),"\n",(0,r.jsx)(i.Z,{alt:"Agent Registration HA",sources:{light:(0,c.ZP)("/img/k3s-production-setup.svg"),dark:(0,c.ZP)("/img/k3s-production-setup-dark.svg")}}),"\n",(0,r.jsx)(s.h3,{id:"\uc5d0\uc774\uc804\ud2b8-\ub178\ub4dc-\ub4f1\ub85d-\uc791\ub3d9-\ubc29\uc2dd",children:"\uc5d0\uc774\uc804\ud2b8 \ub178\ub4dc \ub4f1\ub85d \uc791\ub3d9 \ubc29\uc2dd"}),"\n",(0,r.jsxs)(s.p,{children:["\uc5d0\uc774\uc804\ud2b8 \ub178\ub4dc\ub294 ",(0,r.jsx)(s.code,{children:"k3s agent"})," \ud504\ub85c\uc138\uc2a4\uc5d0 \uc758\ud574 \uc2dc\uc791\ub41c \uc6f9\uc18c\ucf13 \uc5f0\uacb0\ub85c \ub4f1\ub85d\ub418\uba70, \uc5d0\uc774\uc804\ud2b8 \ud504\ub85c\uc138\uc2a4\uc758 \uc77c\ubd80\ub85c \uc2e4\ud589\ub418\ub294 \ud074\ub77c\uc774\uc5b8\ud2b8 \uce21 \ub85c\ub4dc\ubc38\ub7f0\uc11c\uc5d0 \uc758\ud574 \uc5f0\uacb0\uc774 \uc720\uc9c0\ub429\ub2c8\ub2e4. \uc774 \ub85c\ub4dc \ubc38\ub7f0\uc11c\ub294 \ud074\ub7ec\uc2a4\ud130\uc758 \ubaa8\ub4e0 \uc11c\ubc84\uc5d0 \ub300\ud55c \uc548\uc815\uc801\uc778 \uc5f0\uacb0\uc744 \uc720\uc9c0\ud558\uc5ec \uac1c\ubcc4 \uc11c\ubc84\uc758 \uc911\ub2e8\uc744 \ud5c8\uc6a9\ud558\ub294 \uc5d0\uc774\uc804\uc2dc \uc11c\ubc84\uc5d0 \ub300\ud55c \uc5f0\uacb0\uc744 \uc81c\uacf5\ud569\ub2c8\ub2e4."]}),"\n",(0,r.jsxs)(s.p,{children:["\uc5d0\uc774\uc804\ud2b8\ub294 \ub178\ub4dc \ud074\ub7ec\uc2a4\ud130 \uc2dc\ud06c\ub9bf\uacfc \ub178\ub4dc\uc5d0 \ub300\ud574 \ubb34\uc791\uc704\ub85c \uc0dd\uc131\ub41c \ube44\ubc00\ubc88\ud638\ub97c \uc0ac\uc6a9\ud558\uc5ec \uc11c\ubc84\uc5d0 \ub4f1\ub85d\ud558\uba70, \uc774 \ube44\ubc00\ubc88\ud638\ub294 ",(0,r.jsx)(s.code,{children:"/etc/rancher/node/password"}),"\uc5d0 \uc800\uc7a5\ub429\ub2c8\ub2e4. \uc11c\ubc84\ub294 \uac1c\ubcc4 \ub178\ub4dc\uc758 \ube44\ubc00\ubc88\ud638\ub97c \ucfe0\ubc84\ub124\ud2f0\uc2a4 \uc2dc\ud06c\ub9bf\uc73c\ub85c \uc800\uc7a5\ud558\uba70, \uc774\ud6c4 \ubaa8\ub4e0 \uc2dc\ub3c4\ub294 \ub3d9\uc77c\ud55c \ube44\ubc00\ubc88\ud638\ub97c \uc0ac\uc6a9\ud574\uc57c \ud569\ub2c8\ub2e4. \ub178\ub4dc \ud328\uc2a4\uc6cc\ub4dc \uc2dc\ud06c\ub9bf\uc740 ",(0,r.jsx)(s.code,{children:"<host>.node-password.k3s"})," \ud15c\ud50c\ub9bf\uc744 \uc0ac\uc6a9\ud558\ub294 \uc774\ub984\uc73c\ub85c ",(0,r.jsx)(s.code,{children:"kube-system"})," \ub124\uc784\uc2a4\ud398\uc774\uc2a4\uc5d0 \uc800\uc7a5\ub429\ub2c8\ub2e4. \uc774\ub294 \ub178\ub4dc ID\uc758 \ubb34\uacb0\uc131\uc744 \ubcf4\ud638\ud558\uae30 \uc704\ud574 \uc218\ud589\ub429\ub2c8\ub2e4."]}),"\n",(0,r.jsxs)(s.p,{children:["\uc5d0\uc774\uc804\ud2b8\uc758 ",(0,r.jsx)(s.code,{children:"/etc/rancher/node"})," \ub514\ub809\ud130\ub9ac\uac00 \uc81c\uac70\ub418\uac70\ub098 \uae30\uc874 \uc774\ub984\uc744 \uc0ac\uc6a9\ud558\uc5ec \ub178\ub4dc\uc5d0 \ub2e4\uc2dc \uac00\uc785\ud558\ub824\ub294 \uacbd\uc6b0, \ud074\ub7ec\uc2a4\ud130\uc5d0\uc11c \ub178\ub4dc\ub97c \uc0ad\uc81c\ud574\uc57c \ud569\ub2c8\ub2e4. \uc774\ub807\uac8c \ud558\uba74 \uc774\uc804 \ub178\ub4dc \ud56d\ubaa9\uacfc \ub178\ub4dc \ube44\ubc00\ubc88\ud638 \uc2dc\ud06c\ub9bf\uc774 \ubaa8\ub450 \uc815\ub9ac\ub418\uace0 \ub178\ub4dc\uac00 \ud074\ub7ec\uc2a4\ud130\uc5d0 (\uc7ac)\uc870\uc778\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."]}),"\n",(0,r.jsx)(s.admonition,{type:"note",children:(0,r.jsxs)(s.p,{children:["K3s v1.20.2 \uc774\uc804 \uc11c\ubc84\ub294 ",(0,r.jsx)(s.code,{children:"/var/lib/rancher/k3s/server/cred/node-passwd"}),"\uc5d0 \ub514\uc2a4\ud06c\uc5d0 \ube44\ubc00\ubc88\ud638\ub97c \uc800\uc7a5\ud569\ub2c8\ub2e4."]})}),"\n",(0,r.jsxs)(s.p,{children:["\ud638\uc2a4\ud2b8 \uc774\ub984\uc744 \uc790\uc8fc \uc7ac\uc0ac\uc6a9\ud558\uc9c0\ub9cc \ub178\ub4dc \uc554\ud638 \uc2dc\ud06c\ub9bf\uc744 \uc81c\uac70\ud560 \uc218 \uc5c6\ub294 \uacbd\uc6b0, ",(0,r.jsx)(s.code,{children:"--with-node-id"})," \ud50c\ub798\uadf8\ub97c \uc0ac\uc6a9\ud558\uc5ec K3s \uc11c\ubc84 \ub610\ub294 \uc5d0\uc774\uc804\ud2b8\ub97c \uc2dc\uc791\ud558\uba74 \ud638\uc2a4\ud2b8 \uc774\ub984\uc5d0 \uace0\uc720 \ub178\ub4dc ID\ub97c \uc790\ub3d9\uc73c\ub85c \ucd94\uac00\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \ud65c\uc131\ud654\ud558\uba74 \ub178\ub4dc ID\ub294 ",(0,r.jsx)(s.code,{children:"/etc/rancher/node/"}),"\uc5d0\ub3c4 \uc800\uc7a5\ub429\ub2c8\ub2e4."]})]})}function x(e={}){const{wrapper:s}={...(0,t.a)(),...e.components};return s?(0,r.jsx)(s,{...e,children:(0,r.jsx)(u,{...e})}):u(e)}},4530:(e,s,n)=>{n.d(s,{Z:()=>r});const r=n.p+"assets/images/how-it-works-k3s-revised-9c025ef482404bca2e53a89a0ba7a3c5.svg"},1151:(e,s,n)=>{n.d(s,{Z:()=>d,a:()=>c});var r=n(7294);const t={},i=r.createContext(t);function c(e){const s=r.useContext(i);return r.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function d(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:c(e.components),r.createElement(i.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/a7bd4aaa.d2fc12fe.js b/kr/assets/js/a7bd4aaa.d2fc12fe.js new file mode 100644 index 000000000..f05c6aff2 --- /dev/null +++ b/kr/assets/js/a7bd4aaa.d2fc12fe.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[8518],{4974:(n,s,e)=>{e.r(s),e.d(s,{default:()=>l});e(7294);var r=e(1944);function o(n,s){return`docs-${n}-${s}`}var t=e(3797),c=e(8790),i=e(197),u=e(5893);function a(n){const{version:s}=n;return(0,u.jsxs)(u.Fragment,{children:[(0,u.jsx)(i.Z,{version:s.version,tag:o(s.pluginId,s.version)}),(0,u.jsx)(r.d,{children:s.noIndex&&(0,u.jsx)("meta",{name:"robots",content:"noindex, nofollow"})})]})}function d(n){const{version:s,route:e}=n;return(0,u.jsx)(r.FG,{className:s.className,children:(0,u.jsx)(t.q,{version:s,children:(0,c.H)(e.routes)})})}function l(n){return(0,u.jsxs)(u.Fragment,{children:[(0,u.jsx)(a,{...n}),(0,u.jsx)(d,{...n})]})}}}]); \ No newline at end of file diff --git a/kr/assets/js/a7bd4aaa.f175b6d3.js b/kr/assets/js/a7bd4aaa.f175b6d3.js deleted file mode 100644 index 3717fcd8d..000000000 --- a/kr/assets/js/a7bd4aaa.f175b6d3.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[8518],{8564:(n,s,e)=>{e.r(s),e.d(s,{default:()=>l});e(7294);var r=e(1944),o=e(3320),t=e(4477),c=e(8790),i=e(197),u=e(5893);function a(n){const{version:s}=n;return(0,u.jsxs)(u.Fragment,{children:[(0,u.jsx)(i.Z,{version:s.version,tag:(0,o.os)(s.pluginId,s.version)}),(0,u.jsx)(r.d,{children:s.noIndex&&(0,u.jsx)("meta",{name:"robots",content:"noindex, nofollow"})})]})}function d(n){const{version:s,route:e}=n;return(0,u.jsx)(r.FG,{className:s.className,children:(0,u.jsx)(t.q,{version:s,children:(0,c.H)(e.routes)})})}function l(n){return(0,u.jsxs)(u.Fragment,{children:[(0,u.jsx)(a,{...n}),(0,u.jsx)(d,{...n})]})}}}]); \ No newline at end of file diff --git a/zh/assets/js/a94703ab.1e5da719.js b/kr/assets/js/a94703ab.c2f69992.js similarity index 98% rename from zh/assets/js/a94703ab.1e5da719.js rename to kr/assets/js/a94703ab.c2f69992.js index a49e954da..6268237ca 100644 --- a/zh/assets/js/a94703ab.1e5da719.js +++ b/kr/assets/js/a94703ab.c2f69992.js @@ -1 +1 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[4368],{2674:(e,t,n)=>{n.r(t),n.d(t,{default:()=>be});var a=n(7294),o=n(512),i=n(1944),s=n(5281),l=n(3438),r=n(1116),c=n(5999),d=n(2466),u=n(5936);const m={backToTopButton:"backToTopButton_sjWU",backToTopButtonShow:"backToTopButtonShow_xfvO"};var b=n(5893);function h(){const{shown:e,scrollToTop:t}=function(e){let{threshold:t}=e;const[n,o]=(0,a.useState)(!1),i=(0,a.useRef)(!1),{startScroll:s,cancelScroll:l}=(0,d.Ct)();return(0,d.RF)(((e,n)=>{let{scrollY:a}=e;const s=n?.scrollY;s&&(i.current?i.current=!1:a>=s?(l(),o(!1)):a<t?o(!1):a+window.innerHeight<document.documentElement.scrollHeight&&o(!0))})),(0,u.S)((e=>{e.location.hash&&(i.current=!0,o(!1))})),{shown:n,scrollToTop:()=>s(0)}}({threshold:300});return(0,b.jsx)("button",{"aria-label":(0,c.I)({id:"theme.BackToTopButton.buttonAriaLabel",message:"Scroll back to top",description:"The ARIA label for the back to top button"}),className:(0,o.Z)("clean-btn",s.k.common.backToTopButton,m.backToTopButton,e&&m.backToTopButtonShow),type:"button",onClick:t})}var p=n(1442),x=n(6550),f=n(7524),j=n(6668),k=n(1327);function _(e){return(0,b.jsx)("svg",{width:"20",height:"20","aria-hidden":"true",...e,children:(0,b.jsxs)("g",{fill:"#7a7a7a",children:[(0,b.jsx)("path",{d:"M9.992 10.023c0 .2-.062.399-.172.547l-4.996 7.492a.982.982 0 01-.828.454H1c-.55 0-1-.453-1-1 0-.2.059-.403.168-.551l4.629-6.942L.168 3.078A.939.939 0 010 2.528c0-.548.45-.997 1-.997h2.996c.352 0 .649.18.828.45L9.82 9.472c.11.148.172.347.172.55zm0 0"}),(0,b.jsx)("path",{d:"M19.98 10.023c0 .2-.058.399-.168.547l-4.996 7.492a.987.987 0 01-.828.454h-3c-.547 0-.996-.453-.996-1 0-.2.059-.403.168-.551l4.625-6.942-4.625-6.945a.939.939 0 01-.168-.55 1 1 0 01.996-.997h3c.348 0 .649.18.828.45l4.996 7.492c.11.148.168.347.168.55zm0 0"})]})})}const v={collapseSidebarButton:"collapseSidebarButton_PEFL",collapseSidebarButtonIcon:"collapseSidebarButtonIcon_kv0_"};function g(e){let{onClick:t}=e;return(0,b.jsx)("button",{type:"button",title:(0,c.I)({id:"theme.docs.sidebar.collapseButtonTitle",message:"Collapse sidebar",description:"The title attribute for collapse button of doc sidebar"}),"aria-label":(0,c.I)({id:"theme.docs.sidebar.collapseButtonAriaLabel",message:"Collapse sidebar",description:"The title attribute for collapse button of doc sidebar"}),className:(0,o.Z)("button button--secondary button--outline",v.collapseSidebarButton),onClick:t,children:(0,b.jsx)(_,{className:v.collapseSidebarButtonIcon})})}var C=n(9689),S=n(902);const I=Symbol("EmptyContext"),N=a.createContext(I);function T(e){let{children:t}=e;const[n,o]=(0,a.useState)(null),i=(0,a.useMemo)((()=>({expandedItem:n,setExpandedItem:o})),[n]);return(0,b.jsx)(N.Provider,{value:i,children:t})}var B=n(6043),Z=n(8596),A=n(3692),L=n(2389);function y(e){let{collapsed:t,categoryLabel:n,onClick:a}=e;return(0,b.jsx)("button",{"aria-label":t?(0,c.I)({id:"theme.DocSidebarItem.expandCategoryAriaLabel",message:"Expand sidebar category '{label}'",description:"The ARIA label to expand the sidebar category"},{label:n}):(0,c.I)({id:"theme.DocSidebarItem.collapseCategoryAriaLabel",message:"Collapse sidebar category '{label}'",description:"The ARIA label to collapse the sidebar category"},{label:n}),"aria-expanded":!t,type:"button",className:"clean-btn menu__caret",onClick:a})}function w(e){let{item:t,onItemClick:n,activePath:i,level:r,index:c,...d}=e;const{items:u,label:m,collapsible:h,className:p,href:x}=t,{docs:{sidebar:{autoCollapseCategories:f}}}=(0,j.L)(),k=function(e){const t=(0,L.Z)();return(0,a.useMemo)((()=>e.href&&!e.linkUnlisted?e.href:!t&&e.collapsible?(0,l.LM)(e):void 0),[e,t])}(t),_=(0,l._F)(t,i),v=(0,Z.Mg)(x,i),{collapsed:g,setCollapsed:C}=(0,B.u)({initialState:()=>!!h&&(!_&&t.collapsed)}),{expandedItem:T,setExpandedItem:w}=function(){const e=(0,a.useContext)(N);if(e===I)throw new S.i6("DocSidebarItemsExpandedStateProvider");return e}(),E=function(e){void 0===e&&(e=!g),w(e?null:c),C(e)};return function(e){let{isActive:t,collapsed:n,updateCollapsed:o}=e;const i=(0,S.D9)(t);(0,a.useEffect)((()=>{t&&!i&&n&&o(!1)}),[t,i,n,o])}({isActive:_,collapsed:g,updateCollapsed:E}),(0,a.useEffect)((()=>{h&&null!=T&&T!==c&&f&&C(!0)}),[h,T,c,C,f]),(0,b.jsxs)("li",{className:(0,o.Z)(s.k.docs.docSidebarItemCategory,s.k.docs.docSidebarItemCategoryLevel(r),"menu__list-item",{"menu__list-item--collapsed":g},p),children:[(0,b.jsxs)("div",{className:(0,o.Z)("menu__list-item-collapsible",{"menu__list-item-collapsible--active":v}),children:[(0,b.jsx)(A.Z,{className:(0,o.Z)("menu__link",{"menu__link--sublist":h,"menu__link--sublist-caret":!x&&h,"menu__link--active":_}),onClick:h?e=>{n?.(t),x?E(!1):(e.preventDefault(),E())}:()=>{n?.(t)},"aria-current":v?"page":void 0,role:h&&!x?"button":void 0,"aria-expanded":h&&!x?!g:void 0,href:h?k??"#":k,...d,children:m}),x&&h&&(0,b.jsx)(y,{collapsed:g,categoryLabel:m,onClick:e=>{e.preventDefault(),E()}})]}),(0,b.jsx)(B.z,{lazy:!0,as:"ul",className:"menu__list",collapsed:g,children:(0,b.jsx)(V,{items:u,tabIndex:g?-1:0,onItemClick:n,activePath:i,level:r+1})})]})}var E=n(3919),H=n(9471);const M={menuExternalLink:"menuExternalLink_NmtK"};function R(e){let{item:t,onItemClick:n,activePath:a,level:i,index:r,...c}=e;const{href:d,label:u,className:m,autoAddBaseUrl:h}=t,p=(0,l._F)(t,a),x=(0,E.Z)(d);return(0,b.jsx)("li",{className:(0,o.Z)(s.k.docs.docSidebarItemLink,s.k.docs.docSidebarItemLinkLevel(i),"menu__list-item",m),children:(0,b.jsxs)(A.Z,{className:(0,o.Z)("menu__link",!x&&M.menuExternalLink,{"menu__link--active":p}),autoAddBaseUrl:h,"aria-current":p?"page":void 0,to:d,...x&&{onClick:n?()=>n(t):void 0},...c,children:[u,!x&&(0,b.jsx)(H.Z,{})]})},u)}const W={menuHtmlItem:"menuHtmlItem_M9Kj"};function F(e){let{item:t,level:n,index:a}=e;const{value:i,defaultStyle:l,className:r}=t;return(0,b.jsx)("li",{className:(0,o.Z)(s.k.docs.docSidebarItemLink,s.k.docs.docSidebarItemLinkLevel(n),l&&[W.menuHtmlItem,"menu__list-item"],r),dangerouslySetInnerHTML:{__html:i}},a)}function P(e){let{item:t,...n}=e;switch(t.type){case"category":return(0,b.jsx)(w,{item:t,...n});case"html":return(0,b.jsx)(F,{item:t,...n});default:return(0,b.jsx)(R,{item:t,...n})}}function D(e){let{items:t,...n}=e;const a=(0,l.f)(t,n.activePath);return(0,b.jsx)(T,{children:a.map(((e,t)=>(0,b.jsx)(P,{item:e,index:t,...n},t)))})}const V=(0,a.memo)(D),U={menu:"menu_SIkG",menuWithAnnouncementBar:"menuWithAnnouncementBar_GW3s"};function K(e){let{path:t,sidebar:n,className:i}=e;const l=function(){const{isActive:e}=(0,C.n)(),[t,n]=(0,a.useState)(e);return(0,d.RF)((t=>{let{scrollY:a}=t;e&&n(0===a)}),[e]),e&&t}();return(0,b.jsx)("nav",{"aria-label":(0,c.I)({id:"theme.docs.sidebar.navAriaLabel",message:"Docs sidebar",description:"The ARIA label for the sidebar navigation"}),className:(0,o.Z)("menu thin-scrollbar",U.menu,l&&U.menuWithAnnouncementBar,i),children:(0,b.jsx)("ul",{className:(0,o.Z)(s.k.docs.docSidebarMenu,"menu__list"),children:(0,b.jsx)(V,{items:n,activePath:t,level:1})})})}const Y="sidebar_njMd",z="sidebarWithHideableNavbar_wUlq",G="sidebarHidden_VK0M",O="sidebarLogo_isFc";function q(e){let{path:t,sidebar:n,onCollapse:a,isHidden:i}=e;const{navbar:{hideOnScroll:s},docs:{sidebar:{hideable:l}}}=(0,j.L)();return(0,b.jsxs)("div",{className:(0,o.Z)(Y,s&&z,i&&G),children:[s&&(0,b.jsx)(k.Z,{tabIndex:-1,className:O}),(0,b.jsx)(K,{path:t,sidebar:n}),l&&(0,b.jsx)(g,{onClick:a})]})}const J=a.memo(q);var Q=n(3102),X=n(3163);const $=e=>{let{sidebar:t,path:n}=e;const a=(0,X.e)();return(0,b.jsx)("ul",{className:(0,o.Z)(s.k.docs.docSidebarMenu,"menu__list"),children:(0,b.jsx)(V,{items:t,activePath:n,onItemClick:e=>{"category"===e.type&&e.href&&a.toggle(),"link"===e.type&&a.toggle()},level:1})})};function ee(e){return(0,b.jsx)(Q.Zo,{component:$,props:e})}const te=a.memo(ee);function ne(e){const t=(0,f.i)(),n="desktop"===t||"ssr"===t,a="mobile"===t;return(0,b.jsxs)(b.Fragment,{children:[n&&(0,b.jsx)(J,{...e}),a&&(0,b.jsx)(te,{...e})]})}const ae={expandButton:"expandButton_TmdG",expandButtonIcon:"expandButtonIcon_i1dp"};function oe(e){let{toggleSidebar:t}=e;return(0,b.jsx)("div",{className:ae.expandButton,title:(0,c.I)({id:"theme.docs.sidebar.expandButtonTitle",message:"Expand sidebar",description:"The ARIA label and title attribute for expand button of doc sidebar"}),"aria-label":(0,c.I)({id:"theme.docs.sidebar.expandButtonAriaLabel",message:"Expand sidebar",description:"The ARIA label and title attribute for expand button of doc sidebar"}),tabIndex:0,role:"button",onKeyDown:t,onClick:t,children:(0,b.jsx)(_,{className:ae.expandButtonIcon})})}const ie={docSidebarContainer:"docSidebarContainer_YfHR",docSidebarContainerHidden:"docSidebarContainerHidden_DPk8",sidebarViewport:"sidebarViewport_aRkj"};function se(e){let{children:t}=e;const n=(0,r.V)();return(0,b.jsx)(a.Fragment,{children:t},n?.name??"noSidebar")}function le(e){let{sidebar:t,hiddenSidebarContainer:n,setHiddenSidebarContainer:i}=e;const{pathname:l}=(0,x.TH)(),[r,c]=(0,a.useState)(!1),d=(0,a.useCallback)((()=>{r&&c(!1),!r&&(0,p.n)()&&c(!0),i((e=>!e))}),[i,r]);return(0,b.jsx)("aside",{className:(0,o.Z)(s.k.docs.docSidebarContainer,ie.docSidebarContainer,n&&ie.docSidebarContainerHidden),onTransitionEnd:e=>{e.currentTarget.classList.contains(ie.docSidebarContainer)&&n&&c(!0)},children:(0,b.jsx)(se,{children:(0,b.jsxs)("div",{className:(0,o.Z)(ie.sidebarViewport,r&&ie.sidebarViewportHidden),children:[(0,b.jsx)(ne,{sidebar:t,path:l,onCollapse:d,isHidden:r}),r&&(0,b.jsx)(oe,{toggleSidebar:d})]})})})}const re={docMainContainer:"docMainContainer_TBSr",docMainContainerEnhanced:"docMainContainerEnhanced_lQrH",docItemWrapperEnhanced:"docItemWrapperEnhanced_JWYK"};function ce(e){let{hiddenSidebarContainer:t,children:n}=e;const a=(0,r.V)();return(0,b.jsx)("main",{className:(0,o.Z)(re.docMainContainer,(t||!a)&&re.docMainContainerEnhanced),children:(0,b.jsx)("div",{className:(0,o.Z)("container padding-top--md padding-bottom--lg",re.docItemWrapper,t&&re.docItemWrapperEnhanced),children:n})})}const de={docRoot:"docRoot_UBD9",docsWrapper:"docsWrapper_hBAB"};function ue(e){let{children:t}=e;const n=(0,r.V)(),[o,i]=(0,a.useState)(!1);return(0,b.jsxs)("div",{className:de.docsWrapper,children:[(0,b.jsx)(h,{}),(0,b.jsxs)("div",{className:de.docRoot,children:[n&&(0,b.jsx)(le,{sidebar:n.items,hiddenSidebarContainer:o,setHiddenSidebarContainer:i}),(0,b.jsx)(ce,{hiddenSidebarContainer:o,children:t})]})]})}var me=n(5658);function be(e){const t=(0,l.SN)(e);if(!t)return(0,b.jsx)(me.Z,{});const{docElement:n,sidebarName:a,sidebarItems:c}=t;return(0,b.jsx)(i.FG,{className:(0,o.Z)(s.k.page.docsDocPage),children:(0,b.jsx)(r.b,{name:a,items:c,children:(0,b.jsx)(ue,{children:n})})})}},5658:(e,t,n)=>{n.d(t,{Z:()=>l});n(7294);var a=n(512),o=n(5999),i=n(2503),s=n(5893);function l(e){let{className:t}=e;return(0,s.jsx)("main",{className:(0,a.Z)("container margin-vert--xl",t),children:(0,s.jsx)("div",{className:"row",children:(0,s.jsxs)("div",{className:"col col--6 col--offset-3",children:[(0,s.jsx)(i.Z,{as:"h1",className:"hero__title",children:(0,s.jsx)(o.Z,{id:"theme.NotFound.title",description:"The title of the 404 page",children:"Page Not Found"})}),(0,s.jsx)("p",{children:(0,s.jsx)(o.Z,{id:"theme.NotFound.p1",description:"The first paragraph of the 404 page",children:"We could not find what you were looking for."})}),(0,s.jsx)("p",{children:(0,s.jsx)(o.Z,{id:"theme.NotFound.p2",description:"The 2nd paragraph of the 404 page",children:"Please contact the owner of the site that linked you to the original URL and let them know their link is broken."})})]})})})}}}]); \ No newline at end of file +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[4368],{4547:(e,t,n)=>{n.r(t),n.d(t,{default:()=>be});var a=n(7294),o=n(512),i=n(1944),s=n(5281),l=n(9690),r=n(4731),c=n(5999),d=n(2466),u=n(5936);const m={backToTopButton:"backToTopButton_sjWU",backToTopButtonShow:"backToTopButtonShow_xfvO"};var b=n(5893);function h(){const{shown:e,scrollToTop:t}=function(e){let{threshold:t}=e;const[n,o]=(0,a.useState)(!1),i=(0,a.useRef)(!1),{startScroll:s,cancelScroll:l}=(0,d.Ct)();return(0,d.RF)(((e,n)=>{let{scrollY:a}=e;const s=n?.scrollY;s&&(i.current?i.current=!1:a>=s?(l(),o(!1)):a<t?o(!1):a+window.innerHeight<document.documentElement.scrollHeight&&o(!0))})),(0,u.S)((e=>{e.location.hash&&(i.current=!0,o(!1))})),{shown:n,scrollToTop:()=>s(0)}}({threshold:300});return(0,b.jsx)("button",{"aria-label":(0,c.I)({id:"theme.BackToTopButton.buttonAriaLabel",message:"Scroll back to top",description:"The ARIA label for the back to top button"}),className:(0,o.Z)("clean-btn",s.k.common.backToTopButton,m.backToTopButton,e&&m.backToTopButtonShow),type:"button",onClick:t})}var p=n(1442),x=n(6550),f=n(7524),j=n(6668),k=n(1327);function _(e){return(0,b.jsx)("svg",{width:"20",height:"20","aria-hidden":"true",...e,children:(0,b.jsxs)("g",{fill:"#7a7a7a",children:[(0,b.jsx)("path",{d:"M9.992 10.023c0 .2-.062.399-.172.547l-4.996 7.492a.982.982 0 01-.828.454H1c-.55 0-1-.453-1-1 0-.2.059-.403.168-.551l4.629-6.942L.168 3.078A.939.939 0 010 2.528c0-.548.45-.997 1-.997h2.996c.352 0 .649.18.828.45L9.82 9.472c.11.148.172.347.172.55zm0 0"}),(0,b.jsx)("path",{d:"M19.98 10.023c0 .2-.058.399-.168.547l-4.996 7.492a.987.987 0 01-.828.454h-3c-.547 0-.996-.453-.996-1 0-.2.059-.403.168-.551l4.625-6.942-4.625-6.945a.939.939 0 01-.168-.55 1 1 0 01.996-.997h3c.348 0 .649.18.828.45l4.996 7.492c.11.148.168.347.168.55zm0 0"})]})})}const v={collapseSidebarButton:"collapseSidebarButton_PEFL",collapseSidebarButtonIcon:"collapseSidebarButtonIcon_kv0_"};function g(e){let{onClick:t}=e;return(0,b.jsx)("button",{type:"button",title:(0,c.I)({id:"theme.docs.sidebar.collapseButtonTitle",message:"Collapse sidebar",description:"The title attribute for collapse button of doc sidebar"}),"aria-label":(0,c.I)({id:"theme.docs.sidebar.collapseButtonAriaLabel",message:"Collapse sidebar",description:"The title attribute for collapse button of doc sidebar"}),className:(0,o.Z)("button button--secondary button--outline",v.collapseSidebarButton),onClick:t,children:(0,b.jsx)(_,{className:v.collapseSidebarButtonIcon})})}var C=n(9689),S=n(902);const I=Symbol("EmptyContext"),N=a.createContext(I);function T(e){let{children:t}=e;const[n,o]=(0,a.useState)(null),i=(0,a.useMemo)((()=>({expandedItem:n,setExpandedItem:o})),[n]);return(0,b.jsx)(N.Provider,{value:i,children:t})}var B=n(6043),Z=n(8596),A=n(3692),L=n(2389);function y(e){let{collapsed:t,categoryLabel:n,onClick:a}=e;return(0,b.jsx)("button",{"aria-label":t?(0,c.I)({id:"theme.DocSidebarItem.expandCategoryAriaLabel",message:"Expand sidebar category '{label}'",description:"The ARIA label to expand the sidebar category"},{label:n}):(0,c.I)({id:"theme.DocSidebarItem.collapseCategoryAriaLabel",message:"Collapse sidebar category '{label}'",description:"The ARIA label to collapse the sidebar category"},{label:n}),"aria-expanded":!t,type:"button",className:"clean-btn menu__caret",onClick:a})}function w(e){let{item:t,onItemClick:n,activePath:i,level:r,index:c,...d}=e;const{items:u,label:m,collapsible:h,className:p,href:x}=t,{docs:{sidebar:{autoCollapseCategories:f}}}=(0,j.L)(),k=function(e){const t=(0,L.Z)();return(0,a.useMemo)((()=>e.href&&!e.linkUnlisted?e.href:!t&&e.collapsible?(0,l.LM)(e):void 0),[e,t])}(t),_=(0,l._F)(t,i),v=(0,Z.Mg)(x,i),{collapsed:g,setCollapsed:C}=(0,B.u)({initialState:()=>!!h&&(!_&&t.collapsed)}),{expandedItem:T,setExpandedItem:w}=function(){const e=(0,a.useContext)(N);if(e===I)throw new S.i6("DocSidebarItemsExpandedStateProvider");return e}(),E=function(e){void 0===e&&(e=!g),w(e?null:c),C(e)};return function(e){let{isActive:t,collapsed:n,updateCollapsed:o}=e;const i=(0,S.D9)(t);(0,a.useEffect)((()=>{t&&!i&&n&&o(!1)}),[t,i,n,o])}({isActive:_,collapsed:g,updateCollapsed:E}),(0,a.useEffect)((()=>{h&&null!=T&&T!==c&&f&&C(!0)}),[h,T,c,C,f]),(0,b.jsxs)("li",{className:(0,o.Z)(s.k.docs.docSidebarItemCategory,s.k.docs.docSidebarItemCategoryLevel(r),"menu__list-item",{"menu__list-item--collapsed":g},p),children:[(0,b.jsxs)("div",{className:(0,o.Z)("menu__list-item-collapsible",{"menu__list-item-collapsible--active":v}),children:[(0,b.jsx)(A.Z,{className:(0,o.Z)("menu__link",{"menu__link--sublist":h,"menu__link--sublist-caret":!x&&h,"menu__link--active":_}),onClick:h?e=>{n?.(t),x?E(!1):(e.preventDefault(),E())}:()=>{n?.(t)},"aria-current":v?"page":void 0,role:h&&!x?"button":void 0,"aria-expanded":h&&!x?!g:void 0,href:h?k??"#":k,...d,children:m}),x&&h&&(0,b.jsx)(y,{collapsed:g,categoryLabel:m,onClick:e=>{e.preventDefault(),E()}})]}),(0,b.jsx)(B.z,{lazy:!0,as:"ul",className:"menu__list",collapsed:g,children:(0,b.jsx)(V,{items:u,tabIndex:g?-1:0,onItemClick:n,activePath:i,level:r+1})})]})}var E=n(3919),H=n(9471);const M={menuExternalLink:"menuExternalLink_NmtK"};function R(e){let{item:t,onItemClick:n,activePath:a,level:i,index:r,...c}=e;const{href:d,label:u,className:m,autoAddBaseUrl:h}=t,p=(0,l._F)(t,a),x=(0,E.Z)(d);return(0,b.jsx)("li",{className:(0,o.Z)(s.k.docs.docSidebarItemLink,s.k.docs.docSidebarItemLinkLevel(i),"menu__list-item",m),children:(0,b.jsxs)(A.Z,{className:(0,o.Z)("menu__link",!x&&M.menuExternalLink,{"menu__link--active":p}),autoAddBaseUrl:h,"aria-current":p?"page":void 0,to:d,...x&&{onClick:n?()=>n(t):void 0},...c,children:[u,!x&&(0,b.jsx)(H.Z,{})]})},u)}const W={menuHtmlItem:"menuHtmlItem_M9Kj"};function F(e){let{item:t,level:n,index:a}=e;const{value:i,defaultStyle:l,className:r}=t;return(0,b.jsx)("li",{className:(0,o.Z)(s.k.docs.docSidebarItemLink,s.k.docs.docSidebarItemLinkLevel(n),l&&[W.menuHtmlItem,"menu__list-item"],r),dangerouslySetInnerHTML:{__html:i}},a)}function P(e){let{item:t,...n}=e;switch(t.type){case"category":return(0,b.jsx)(w,{item:t,...n});case"html":return(0,b.jsx)(F,{item:t,...n});default:return(0,b.jsx)(R,{item:t,...n})}}function D(e){let{items:t,...n}=e;const a=(0,l.f)(t,n.activePath);return(0,b.jsx)(T,{children:a.map(((e,t)=>(0,b.jsx)(P,{item:e,index:t,...n},t)))})}const V=(0,a.memo)(D),U={menu:"menu_SIkG",menuWithAnnouncementBar:"menuWithAnnouncementBar_GW3s"};function K(e){let{path:t,sidebar:n,className:i}=e;const l=function(){const{isActive:e}=(0,C.n)(),[t,n]=(0,a.useState)(e);return(0,d.RF)((t=>{let{scrollY:a}=t;e&&n(0===a)}),[e]),e&&t}();return(0,b.jsx)("nav",{"aria-label":(0,c.I)({id:"theme.docs.sidebar.navAriaLabel",message:"Docs sidebar",description:"The ARIA label for the sidebar navigation"}),className:(0,o.Z)("menu thin-scrollbar",U.menu,l&&U.menuWithAnnouncementBar,i),children:(0,b.jsx)("ul",{className:(0,o.Z)(s.k.docs.docSidebarMenu,"menu__list"),children:(0,b.jsx)(V,{items:n,activePath:t,level:1})})})}const Y="sidebar_njMd",z="sidebarWithHideableNavbar_wUlq",G="sidebarHidden_VK0M",O="sidebarLogo_isFc";function q(e){let{path:t,sidebar:n,onCollapse:a,isHidden:i}=e;const{navbar:{hideOnScroll:s},docs:{sidebar:{hideable:l}}}=(0,j.L)();return(0,b.jsxs)("div",{className:(0,o.Z)(Y,s&&z,i&&G),children:[s&&(0,b.jsx)(k.Z,{tabIndex:-1,className:O}),(0,b.jsx)(K,{path:t,sidebar:n}),l&&(0,b.jsx)(g,{onClick:a})]})}const J=a.memo(q);var Q=n(3102),X=n(3163);const $=e=>{let{sidebar:t,path:n}=e;const a=(0,X.e)();return(0,b.jsx)("ul",{className:(0,o.Z)(s.k.docs.docSidebarMenu,"menu__list"),children:(0,b.jsx)(V,{items:t,activePath:n,onItemClick:e=>{"category"===e.type&&e.href&&a.toggle(),"link"===e.type&&a.toggle()},level:1})})};function ee(e){return(0,b.jsx)(Q.Zo,{component:$,props:e})}const te=a.memo(ee);function ne(e){const t=(0,f.i)(),n="desktop"===t||"ssr"===t,a="mobile"===t;return(0,b.jsxs)(b.Fragment,{children:[n&&(0,b.jsx)(J,{...e}),a&&(0,b.jsx)(te,{...e})]})}const ae={expandButton:"expandButton_TmdG",expandButtonIcon:"expandButtonIcon_i1dp"};function oe(e){let{toggleSidebar:t}=e;return(0,b.jsx)("div",{className:ae.expandButton,title:(0,c.I)({id:"theme.docs.sidebar.expandButtonTitle",message:"Expand sidebar",description:"The ARIA label and title attribute for expand button of doc sidebar"}),"aria-label":(0,c.I)({id:"theme.docs.sidebar.expandButtonAriaLabel",message:"Expand sidebar",description:"The ARIA label and title attribute for expand button of doc sidebar"}),tabIndex:0,role:"button",onKeyDown:t,onClick:t,children:(0,b.jsx)(_,{className:ae.expandButtonIcon})})}const ie={docSidebarContainer:"docSidebarContainer_YfHR",docSidebarContainerHidden:"docSidebarContainerHidden_DPk8",sidebarViewport:"sidebarViewport_aRkj"};function se(e){let{children:t}=e;const n=(0,r.V)();return(0,b.jsx)(a.Fragment,{children:t},n?.name??"noSidebar")}function le(e){let{sidebar:t,hiddenSidebarContainer:n,setHiddenSidebarContainer:i}=e;const{pathname:l}=(0,x.TH)(),[r,c]=(0,a.useState)(!1),d=(0,a.useCallback)((()=>{r&&c(!1),!r&&(0,p.n)()&&c(!0),i((e=>!e))}),[i,r]);return(0,b.jsx)("aside",{className:(0,o.Z)(s.k.docs.docSidebarContainer,ie.docSidebarContainer,n&&ie.docSidebarContainerHidden),onTransitionEnd:e=>{e.currentTarget.classList.contains(ie.docSidebarContainer)&&n&&c(!0)},children:(0,b.jsx)(se,{children:(0,b.jsxs)("div",{className:(0,o.Z)(ie.sidebarViewport,r&&ie.sidebarViewportHidden),children:[(0,b.jsx)(ne,{sidebar:t,path:l,onCollapse:d,isHidden:r}),r&&(0,b.jsx)(oe,{toggleSidebar:d})]})})})}const re={docMainContainer:"docMainContainer_TBSr",docMainContainerEnhanced:"docMainContainerEnhanced_lQrH",docItemWrapperEnhanced:"docItemWrapperEnhanced_JWYK"};function ce(e){let{hiddenSidebarContainer:t,children:n}=e;const a=(0,r.V)();return(0,b.jsx)("main",{className:(0,o.Z)(re.docMainContainer,(t||!a)&&re.docMainContainerEnhanced),children:(0,b.jsx)("div",{className:(0,o.Z)("container padding-top--md padding-bottom--lg",re.docItemWrapper,t&&re.docItemWrapperEnhanced),children:n})})}const de={docRoot:"docRoot_UBD9",docsWrapper:"docsWrapper_hBAB"};function ue(e){let{children:t}=e;const n=(0,r.V)(),[o,i]=(0,a.useState)(!1);return(0,b.jsxs)("div",{className:de.docsWrapper,children:[(0,b.jsx)(h,{}),(0,b.jsxs)("div",{className:de.docRoot,children:[n&&(0,b.jsx)(le,{sidebar:n.items,hiddenSidebarContainer:o,setHiddenSidebarContainer:i}),(0,b.jsx)(ce,{hiddenSidebarContainer:o,children:t})]})]})}var me=n(5658);function be(e){const t=(0,l.SN)(e);if(!t)return(0,b.jsx)(me.Z,{});const{docElement:n,sidebarName:a,sidebarItems:c}=t;return(0,b.jsx)(i.FG,{className:(0,o.Z)(s.k.page.docsDocPage),children:(0,b.jsx)(r.b,{name:a,items:c,children:(0,b.jsx)(ue,{children:n})})})}},5658:(e,t,n)=>{n.d(t,{Z:()=>l});n(7294);var a=n(512),o=n(5999),i=n(2503),s=n(5893);function l(e){let{className:t}=e;return(0,s.jsx)("main",{className:(0,a.Z)("container margin-vert--xl",t),children:(0,s.jsx)("div",{className:"row",children:(0,s.jsxs)("div",{className:"col col--6 col--offset-3",children:[(0,s.jsx)(i.Z,{as:"h1",className:"hero__title",children:(0,s.jsx)(o.Z,{id:"theme.NotFound.title",description:"The title of the 404 page",children:"Page Not Found"})}),(0,s.jsx)("p",{children:(0,s.jsx)(o.Z,{id:"theme.NotFound.p1",description:"The first paragraph of the 404 page",children:"We could not find what you were looking for."})}),(0,s.jsx)("p",{children:(0,s.jsx)(o.Z,{id:"theme.NotFound.p2",description:"The 2nd paragraph of the 404 page",children:"Please contact the owner of the site that linked you to the original URL and let them know their link is broken."})})]})})})}}}]); \ No newline at end of file diff --git a/kr/assets/js/b1445c4f.ccb42167.js b/kr/assets/js/b1445c4f.ccb42167.js deleted file mode 100644 index 94ccda79c..000000000 --- a/kr/assets/js/b1445c4f.ccb42167.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[547],{5832:(e,s,t)=>{t.r(s),t.d(s,{assets:()=>o,contentTitle:()=>c,default:()=>h,frontMatter:()=>d,metadata:()=>i,toc:()=>a});var n=t(5893),r=t(1151);const d={title:"etcd-snapshot"},c="k3s etcd-snapshot",i={id:"cli/etcd-snapshot",title:"etcd-snapshot",description:"Available as of v1.19.1+k3s1",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/cli/etcd-snapshot.md",sourceDirName:"cli",slug:"/cli/etcd-snapshot",permalink:"/kr/cli/etcd-snapshot",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/cli/etcd-snapshot.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"etcd-snapshot"},sidebar:"mySidebar",previous:{title:"certificate",permalink:"/kr/cli/certificate"},next:{title:"secrets-encrypt",permalink:"/kr/cli/secrets-encrypt"}},o={},a=[{value:"Creating Snapshots",id:"creating-snapshots",level:4},{value:"Restoring a Cluster from a Snapshot",id:"restoring-a-cluster-from-a-snapshot",level:4},{value:"Options",id:"options",level:4},{value:"S3 Compatible API Support",id:"s3-compatible-api-support",level:4},{value:"Etcd Snapshot and Restore Subcommands",id:"etcd-snapshot-and-restore-subcommands",level:4}];function l(e){const s={a:"a",admonition:"admonition",code:"code",h1:"h1",h4:"h4",li:"li",ol:"ol",p:"p",pre:"pre",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",...(0,r.a)(),...e.components},{TabItem:t,Tabs:d}=s;return t||p("TabItem",!0),d||p("Tabs",!0),(0,n.jsxs)(n.Fragment,{children:[(0,n.jsx)(s.h1,{id:"k3s-etcd-snapshot",children:"k3s etcd-snapshot"}),"\n",(0,n.jsx)(s.admonition,{title:"Version Gate",type:"info",children:(0,n.jsxs)(s.p,{children:["Available as of ",(0,n.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.19.1%2Bk3s1",children:"v1.19.1+k3s1"})]})}),"\n",(0,n.jsx)(s.p,{children:"In this section, you'll learn how to create backups of the K3s embedded etcd datastore, and to restore the cluster from backup."}),"\n",(0,n.jsx)(s.h4,{id:"creating-snapshots",children:"Creating Snapshots"}),"\n",(0,n.jsxs)(s.p,{children:["Snapshots are enabled by default, at 00:00 and 12:00 system time, with 5 snapshots retained. To configure the snapshot interval or the number of retained snapshots, refer to the ",(0,n.jsx)(s.a,{href:"#options",children:"options"}),"."]}),"\n",(0,n.jsxs)(s.p,{children:["The snapshot directory defaults to ",(0,n.jsx)(s.code,{children:"${data-dir}/server/db/snapshots"}),". The data-dir value defaults to ",(0,n.jsx)(s.code,{children:"/var/lib/rancher/k3s"})," and can be changed by setting the ",(0,n.jsx)(s.code,{children:"--data-dir"})," flag."]}),"\n",(0,n.jsx)(s.h4,{id:"restoring-a-cluster-from-a-snapshot",children:"Restoring a Cluster from a Snapshot"}),"\n",(0,n.jsxs)(s.p,{children:["When K3s is restored from backup, the old data directory will be moved to ",(0,n.jsx)(s.code,{children:"${data-dir}/server/db/etcd-old/"}),". Then K3s will attempt to restore the snapshot by creating a new data directory, then starting etcd with a new K3s cluster with one etcd member."]}),"\n",(0,n.jsx)(s.p,{children:"To restore the cluster from backup:"}),"\n",(0,n.jsxs)(d,{children:[(0,n.jsxs)(t,{value:"Single Server",children:[(0,n.jsxs)(s.p,{children:["Run K3s with the ",(0,n.jsx)(s.code,{children:"--cluster-reset"})," option, with the ",(0,n.jsx)(s.code,{children:"--cluster-reset-restore-path"})," also given:"]}),(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"k3s server \\\n --cluster-reset \\\n --cluster-reset-restore-path=<PATH-TO-SNAPSHOT>\n"})}),(0,n.jsxs)(s.p,{children:[(0,n.jsx)(s.strong,{children:"Result:"})," A message in the logs says that K3s can be restarted without the flags. Start k3s again and should run successfully and be restored from the specified snapshot."]})]}),(0,n.jsxs)(t,{value:"High Availability",children:[(0,n.jsxs)(s.p,{children:["In this example there are 3 servers, ",(0,n.jsx)(s.code,{children:"S1"}),", ",(0,n.jsx)(s.code,{children:"S2"}),", and ",(0,n.jsx)(s.code,{children:"S3"}),". The snapshot is located on ",(0,n.jsx)(s.code,{children:"S1"}),"."]}),(0,n.jsxs)(s.ol,{children:["\n",(0,n.jsxs)(s.li,{children:["\n",(0,n.jsxs)(s.p,{children:["On S1, start K3s with the ",(0,n.jsx)(s.code,{children:"--cluster-reset"})," option, with the ",(0,n.jsx)(s.code,{children:"--cluster-reset-restore-path"})," also given:"]}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"k3s server \\\n --cluster-reset \\\n --cluster-reset-restore-path=<PATH-TO-SNAPSHOT>\n"})}),"\n",(0,n.jsxs)(s.p,{children:[(0,n.jsx)(s.strong,{children:"Result:"})," A message in the logs says that K3s can be restarted without the flags."]}),"\n"]}),"\n",(0,n.jsxs)(s.li,{children:["\n",(0,n.jsxs)(s.p,{children:["On S2 and S3, stop K3s. Then delete the data directory, ",(0,n.jsx)(s.code,{children:"/var/lib/rancher/k3s/server/db/"}),":"]}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"systemctl stop k3s\nrm -rf /var/lib/rancher/k3s/server/db/\n"})}),"\n"]}),"\n",(0,n.jsxs)(s.li,{children:["\n",(0,n.jsx)(s.p,{children:"On S1, start K3s again:"}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"systemctl start k3s\n"})}),"\n"]}),"\n",(0,n.jsxs)(s.li,{children:["\n",(0,n.jsx)(s.p,{children:"On S2 and S3, start K3s again to join the restored cluster:"}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"systemctl start k3s\n"})}),"\n"]}),"\n"]})]})]}),"\n",(0,n.jsx)(s.h4,{id:"options",children:"Options"}),"\n",(0,n.jsxs)(s.p,{children:["These options can be passed in with the command line, or in the ",(0,n.jsx)(s.a,{href:"/kr/installation/configuration#configuration-file",children:"configuration file,"})," which may be easier to use."]}),"\n",(0,n.jsxs)(s.table,{children:[(0,n.jsx)(s.thead,{children:(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.th,{children:"Options"}),(0,n.jsx)(s.th,{children:"Description"})]})}),(0,n.jsxs)(s.tbody,{children:[(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-disable-snapshots"})}),(0,n.jsx)(s.td,{children:"Disable automatic etcd snapshots"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsxs)(s.td,{children:[(0,n.jsx)(s.code,{children:"--etcd-snapshot-schedule-cron"})," value"]}),(0,n.jsxs)(s.td,{children:["Snapshot interval time in cron spec. eg. every 5 hours ",(0,n.jsx)(s.code,{children:"0 */5 * * *"}),"(default: ",(0,n.jsx)(s.code,{children:"0 */12 * * *"}),")"]})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsxs)(s.td,{children:[(0,n.jsx)(s.code,{children:"--etcd-snapshot-retention"})," value"]}),(0,n.jsx)(s.td,{children:"Number of snapshots to retain (default: 5)"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsxs)(s.td,{children:[(0,n.jsx)(s.code,{children:"--etcd-snapshot-dir"})," value"]}),(0,n.jsxs)(s.td,{children:["Directory to save db snapshots. (Default location: ",(0,n.jsx)(s.code,{children:"${data-dir}/db/snapshots"}),")"]})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--cluster-reset"})}),(0,n.jsxs)(s.td,{children:["Forget all peers and become sole member of a new cluster. This can also be set with the environment variable ",(0,n.jsx)(s.code,{children:"[$K3S_CLUSTER_RESET]"}),"."]})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsxs)(s.td,{children:[(0,n.jsx)(s.code,{children:"--cluster-reset-restore-path"})," value"]}),(0,n.jsx)(s.td,{children:"Path to snapshot file to be restored"})]})]})]}),"\n",(0,n.jsx)(s.h4,{id:"s3-compatible-api-support",children:"S3 Compatible API Support"}),"\n",(0,n.jsx)(s.p,{children:"K3s supports writing etcd snapshots to and restoring etcd snapshots from systems with S3-compatible APIs. S3 support is available for both on-demand and scheduled snapshots."}),"\n",(0,n.jsxs)(s.p,{children:["The arguments below have been added to the ",(0,n.jsx)(s.code,{children:"server"})," subcommand. These flags exist for the ",(0,n.jsx)(s.code,{children:"etcd-snapshot"})," subcommand as well however the ",(0,n.jsx)(s.code,{children:"--etcd-s3"})," portion is removed to avoid redundancy."]}),"\n",(0,n.jsxs)(s.table,{children:[(0,n.jsx)(s.thead,{children:(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.th,{children:"Options"}),(0,n.jsx)(s.th,{children:"Description"})]})}),(0,n.jsxs)(s.tbody,{children:[(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3"})}),(0,n.jsx)(s.td,{children:"Enable backup to S3"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3-endpoint"})}),(0,n.jsx)(s.td,{children:"S3 endpoint url"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3-endpoint-ca"})}),(0,n.jsx)(s.td,{children:"S3 custom CA cert to connect to S3 endpoint"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3-skip-ssl-verify"})}),(0,n.jsx)(s.td,{children:"Disables S3 SSL certificate validation"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3-access-key"})}),(0,n.jsx)(s.td,{children:"S3 access key"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3-secret-key"})}),(0,n.jsx)(s.td,{children:"S3 secret key"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3-bucket"})}),(0,n.jsx)(s.td,{children:"S3 bucket name"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3-region"})}),(0,n.jsx)(s.td,{children:"S3 region / bucket location (optional). defaults to us-east-1"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3-folder"})}),(0,n.jsx)(s.td,{children:"S3 folder"})]})]})]}),"\n",(0,n.jsx)(s.p,{children:"To perform an on-demand etcd snapshot and save it to S3:"}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"k3s etcd-snapshot \\\n --s3 \\\n --s3-bucket=<S3-BUCKET-NAME> \\\n --s3-access-key=<S3-ACCESS-KEY> \\\n --s3-secret-key=<S3-SECRET-KEY>\n"})}),"\n",(0,n.jsx)(s.p,{children:"To perform an on-demand etcd snapshot restore from S3, first make sure that K3s isn't running. Then run the following commands:"}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"k3s server \\\n --cluster-init \\\n --cluster-reset \\\n --etcd-s3 \\\n --cluster-reset-restore-path=<SNAPSHOT-NAME> \\\n --etcd-s3-bucket=<S3-BUCKET-NAME> \\\n --etcd-s3-access-key=<S3-ACCESS-KEY> \\\n --etcd-s3-secret-key=<S3-SECRET-KEY>\n"})}),"\n",(0,n.jsx)(s.h4,{id:"etcd-snapshot-and-restore-subcommands",children:"Etcd Snapshot and Restore Subcommands"}),"\n",(0,n.jsx)(s.p,{children:"k3s supports a set of subcommands for working with your etcd snapshots."}),"\n",(0,n.jsxs)(s.table,{children:[(0,n.jsx)(s.thead,{children:(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.th,{children:"Subcommand"}),(0,n.jsx)(s.th,{children:"Description"})]})}),(0,n.jsxs)(s.tbody,{children:[(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:"delete"}),(0,n.jsx)(s.td,{children:"Delete given snapshot(s)"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:"ls, list, l"}),(0,n.jsx)(s.td,{children:"List snapshots"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:"prune"}),(0,n.jsx)(s.td,{children:"Remove snapshots that exceed the configured retention count"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:"save"}),(0,n.jsx)(s.td,{children:"Trigger an immediate etcd snapshot"})]})]})]}),"\n",(0,n.jsx)(s.admonition,{type:"note",children:(0,n.jsxs)(s.p,{children:["The ",(0,n.jsx)(s.code,{children:"save"})," subcommand is the same as ",(0,n.jsx)(s.code,{children:"k3s etcd-snapshot"}),". The latter will eventually be deprecated in favor of the former."]})}),"\n",(0,n.jsx)(s.p,{children:"These commands will perform as expected whether the etcd snapshots are stored locally or in an S3 compatible object store."}),"\n",(0,n.jsxs)(s.p,{children:["For additional information on the etcd snapshot subcommands, run ",(0,n.jsx)(s.code,{children:"k3s etcd-snapshot"}),"."]}),"\n",(0,n.jsx)(s.p,{children:"Delete a snapshot from S3."}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"k3s etcd-snapshot delete \\\n --s3 \\\n --s3-bucket=<S3-BUCKET-NAME> \\\n --s3-access-key=<S3-ACCESS-KEY> \\\n --s3-secret-key=<S3-SECRET-KEY> \\\n <SNAPSHOT-NAME>\n"})}),"\n",(0,n.jsxs)(s.p,{children:["Prune local snapshots with the default retention policy (5). The ",(0,n.jsx)(s.code,{children:"prune"})," subcommand takes an additional flag ",(0,n.jsx)(s.code,{children:"--snapshot-retention"})," that allows for overriding the default retention policy."]}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"k3s etcd-snapshot prune\n"})}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"k3s etcd-snapshot prune --snapshot-retention 10\n"})})]})}function h(e={}){const{wrapper:s}={...(0,r.a)(),...e.components};return s?(0,n.jsx)(s,{...e,children:(0,n.jsx)(l,{...e})}):l(e)}function p(e,s){throw new Error("Expected "+(s?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,s,t)=>{t.d(s,{Z:()=>i,a:()=>c});var n=t(7294);const r={},d=n.createContext(r);function c(e){const s=n.useContext(d);return n.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function i(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:c(e.components),n.createElement(d.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/b1445c4f.edd374f3.js b/kr/assets/js/b1445c4f.edd374f3.js new file mode 100644 index 000000000..e624b74ed --- /dev/null +++ b/kr/assets/js/b1445c4f.edd374f3.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[547],{5832:(e,s,t)=>{t.r(s),t.d(s,{assets:()=>o,contentTitle:()=>c,default:()=>h,frontMatter:()=>d,metadata:()=>i,toc:()=>a});var n=t(5893),r=t(1151);const d={title:"etcd-snapshot"},c="k3s etcd-snapshot",i={id:"cli/etcd-snapshot",title:"etcd-snapshot",description:"Available as of v1.19.1+k3s1",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/cli/etcd-snapshot.md",sourceDirName:"cli",slug:"/cli/etcd-snapshot",permalink:"/kr/cli/etcd-snapshot",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/cli/etcd-snapshot.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"etcd-snapshot"},sidebar:"mySidebar",previous:{title:"certificate",permalink:"/kr/cli/certificate"},next:{title:"secrets-encrypt",permalink:"/kr/cli/secrets-encrypt"}},o={},a=[{value:"Creating Snapshots",id:"creating-snapshots",level:4},{value:"Restoring a Cluster from a Snapshot",id:"restoring-a-cluster-from-a-snapshot",level:4},{value:"Options",id:"options",level:4},{value:"S3 Compatible API Support",id:"s3-compatible-api-support",level:4},{value:"Etcd Snapshot and Restore Subcommands",id:"etcd-snapshot-and-restore-subcommands",level:4}];function l(e){const s={a:"a",admonition:"admonition",code:"code",h1:"h1",h4:"h4",header:"header",li:"li",ol:"ol",p:"p",pre:"pre",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",...(0,r.a)(),...e.components},{TabItem:t,Tabs:d}=s;return t||p("TabItem",!0),d||p("Tabs",!0),(0,n.jsxs)(n.Fragment,{children:[(0,n.jsx)(s.header,{children:(0,n.jsx)(s.h1,{id:"k3s-etcd-snapshot",children:"k3s etcd-snapshot"})}),"\n",(0,n.jsx)(s.admonition,{title:"Version Gate",type:"info",children:(0,n.jsxs)(s.p,{children:["Available as of ",(0,n.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.19.1%2Bk3s1",children:"v1.19.1+k3s1"})]})}),"\n",(0,n.jsx)(s.p,{children:"In this section, you'll learn how to create backups of the K3s embedded etcd datastore, and to restore the cluster from backup."}),"\n",(0,n.jsx)(s.h4,{id:"creating-snapshots",children:"Creating Snapshots"}),"\n",(0,n.jsxs)(s.p,{children:["Snapshots are enabled by default, at 00:00 and 12:00 system time, with 5 snapshots retained. To configure the snapshot interval or the number of retained snapshots, refer to the ",(0,n.jsx)(s.a,{href:"#options",children:"options"}),"."]}),"\n",(0,n.jsxs)(s.p,{children:["The snapshot directory defaults to ",(0,n.jsx)(s.code,{children:"${data-dir}/server/db/snapshots"}),". The data-dir value defaults to ",(0,n.jsx)(s.code,{children:"/var/lib/rancher/k3s"})," and can be changed by setting the ",(0,n.jsx)(s.code,{children:"--data-dir"})," flag."]}),"\n",(0,n.jsx)(s.h4,{id:"restoring-a-cluster-from-a-snapshot",children:"Restoring a Cluster from a Snapshot"}),"\n",(0,n.jsxs)(s.p,{children:["When K3s is restored from backup, the old data directory will be moved to ",(0,n.jsx)(s.code,{children:"${data-dir}/server/db/etcd-old/"}),". Then K3s will attempt to restore the snapshot by creating a new data directory, then starting etcd with a new K3s cluster with one etcd member."]}),"\n",(0,n.jsx)(s.p,{children:"To restore the cluster from backup:"}),"\n",(0,n.jsxs)(d,{children:[(0,n.jsxs)(t,{value:"Single Server",children:[(0,n.jsxs)(s.p,{children:["Run K3s with the ",(0,n.jsx)(s.code,{children:"--cluster-reset"})," option, with the ",(0,n.jsx)(s.code,{children:"--cluster-reset-restore-path"})," also given:"]}),(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"k3s server \\\n --cluster-reset \\\n --cluster-reset-restore-path=<PATH-TO-SNAPSHOT>\n"})}),(0,n.jsxs)(s.p,{children:[(0,n.jsx)(s.strong,{children:"Result:"})," A message in the logs says that K3s can be restarted without the flags. Start k3s again and should run successfully and be restored from the specified snapshot."]})]}),(0,n.jsxs)(t,{value:"High Availability",children:[(0,n.jsxs)(s.p,{children:["In this example there are 3 servers, ",(0,n.jsx)(s.code,{children:"S1"}),", ",(0,n.jsx)(s.code,{children:"S2"}),", and ",(0,n.jsx)(s.code,{children:"S3"}),". The snapshot is located on ",(0,n.jsx)(s.code,{children:"S1"}),"."]}),(0,n.jsxs)(s.ol,{children:["\n",(0,n.jsxs)(s.li,{children:["\n",(0,n.jsxs)(s.p,{children:["On S1, start K3s with the ",(0,n.jsx)(s.code,{children:"--cluster-reset"})," option, with the ",(0,n.jsx)(s.code,{children:"--cluster-reset-restore-path"})," also given:"]}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"k3s server \\\n --cluster-reset \\\n --cluster-reset-restore-path=<PATH-TO-SNAPSHOT>\n"})}),"\n",(0,n.jsxs)(s.p,{children:[(0,n.jsx)(s.strong,{children:"Result:"})," A message in the logs says that K3s can be restarted without the flags."]}),"\n"]}),"\n",(0,n.jsxs)(s.li,{children:["\n",(0,n.jsxs)(s.p,{children:["On S2 and S3, stop K3s. Then delete the data directory, ",(0,n.jsx)(s.code,{children:"/var/lib/rancher/k3s/server/db/"}),":"]}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"systemctl stop k3s\nrm -rf /var/lib/rancher/k3s/server/db/\n"})}),"\n"]}),"\n",(0,n.jsxs)(s.li,{children:["\n",(0,n.jsx)(s.p,{children:"On S1, start K3s again:"}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"systemctl start k3s\n"})}),"\n"]}),"\n",(0,n.jsxs)(s.li,{children:["\n",(0,n.jsx)(s.p,{children:"On S2 and S3, start K3s again to join the restored cluster:"}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"systemctl start k3s\n"})}),"\n"]}),"\n"]})]})]}),"\n",(0,n.jsx)(s.h4,{id:"options",children:"Options"}),"\n",(0,n.jsxs)(s.p,{children:["These options can be passed in with the command line, or in the ",(0,n.jsx)(s.a,{href:"/kr/installation/configuration#configuration-file",children:"configuration file,"})," which may be easier to use."]}),"\n",(0,n.jsxs)(s.table,{children:[(0,n.jsx)(s.thead,{children:(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.th,{children:"Options"}),(0,n.jsx)(s.th,{children:"Description"})]})}),(0,n.jsxs)(s.tbody,{children:[(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-disable-snapshots"})}),(0,n.jsx)(s.td,{children:"Disable automatic etcd snapshots"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsxs)(s.td,{children:[(0,n.jsx)(s.code,{children:"--etcd-snapshot-schedule-cron"})," value"]}),(0,n.jsxs)(s.td,{children:["Snapshot interval time in cron spec. eg. every 5 hours ",(0,n.jsx)(s.code,{children:"0 */5 * * *"}),"(default: ",(0,n.jsx)(s.code,{children:"0 */12 * * *"}),")"]})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsxs)(s.td,{children:[(0,n.jsx)(s.code,{children:"--etcd-snapshot-retention"})," value"]}),(0,n.jsx)(s.td,{children:"Number of snapshots to retain (default: 5)"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsxs)(s.td,{children:[(0,n.jsx)(s.code,{children:"--etcd-snapshot-dir"})," value"]}),(0,n.jsxs)(s.td,{children:["Directory to save db snapshots. (Default location: ",(0,n.jsx)(s.code,{children:"${data-dir}/db/snapshots"}),")"]})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--cluster-reset"})}),(0,n.jsxs)(s.td,{children:["Forget all peers and become sole member of a new cluster. This can also be set with the environment variable ",(0,n.jsx)(s.code,{children:"[$K3S_CLUSTER_RESET]"}),"."]})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsxs)(s.td,{children:[(0,n.jsx)(s.code,{children:"--cluster-reset-restore-path"})," value"]}),(0,n.jsx)(s.td,{children:"Path to snapshot file to be restored"})]})]})]}),"\n",(0,n.jsx)(s.h4,{id:"s3-compatible-api-support",children:"S3 Compatible API Support"}),"\n",(0,n.jsx)(s.p,{children:"K3s supports writing etcd snapshots to and restoring etcd snapshots from systems with S3-compatible APIs. S3 support is available for both on-demand and scheduled snapshots."}),"\n",(0,n.jsxs)(s.p,{children:["The arguments below have been added to the ",(0,n.jsx)(s.code,{children:"server"})," subcommand. These flags exist for the ",(0,n.jsx)(s.code,{children:"etcd-snapshot"})," subcommand as well however the ",(0,n.jsx)(s.code,{children:"--etcd-s3"})," portion is removed to avoid redundancy."]}),"\n",(0,n.jsxs)(s.table,{children:[(0,n.jsx)(s.thead,{children:(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.th,{children:"Options"}),(0,n.jsx)(s.th,{children:"Description"})]})}),(0,n.jsxs)(s.tbody,{children:[(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3"})}),(0,n.jsx)(s.td,{children:"Enable backup to S3"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3-endpoint"})}),(0,n.jsx)(s.td,{children:"S3 endpoint url"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3-endpoint-ca"})}),(0,n.jsx)(s.td,{children:"S3 custom CA cert to connect to S3 endpoint"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3-skip-ssl-verify"})}),(0,n.jsx)(s.td,{children:"Disables S3 SSL certificate validation"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3-access-key"})}),(0,n.jsx)(s.td,{children:"S3 access key"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3-secret-key"})}),(0,n.jsx)(s.td,{children:"S3 secret key"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3-bucket"})}),(0,n.jsx)(s.td,{children:"S3 bucket name"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3-region"})}),(0,n.jsx)(s.td,{children:"S3 region / bucket location (optional). defaults to us-east-1"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3-folder"})}),(0,n.jsx)(s.td,{children:"S3 folder"})]})]})]}),"\n",(0,n.jsx)(s.p,{children:"To perform an on-demand etcd snapshot and save it to S3:"}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"k3s etcd-snapshot \\\n --s3 \\\n --s3-bucket=<S3-BUCKET-NAME> \\\n --s3-access-key=<S3-ACCESS-KEY> \\\n --s3-secret-key=<S3-SECRET-KEY>\n"})}),"\n",(0,n.jsx)(s.p,{children:"To perform an on-demand etcd snapshot restore from S3, first make sure that K3s isn't running. Then run the following commands:"}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"k3s server \\\n --cluster-init \\\n --cluster-reset \\\n --etcd-s3 \\\n --cluster-reset-restore-path=<SNAPSHOT-NAME> \\\n --etcd-s3-bucket=<S3-BUCKET-NAME> \\\n --etcd-s3-access-key=<S3-ACCESS-KEY> \\\n --etcd-s3-secret-key=<S3-SECRET-KEY>\n"})}),"\n",(0,n.jsx)(s.h4,{id:"etcd-snapshot-and-restore-subcommands",children:"Etcd Snapshot and Restore Subcommands"}),"\n",(0,n.jsx)(s.p,{children:"k3s supports a set of subcommands for working with your etcd snapshots."}),"\n",(0,n.jsxs)(s.table,{children:[(0,n.jsx)(s.thead,{children:(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.th,{children:"Subcommand"}),(0,n.jsx)(s.th,{children:"Description"})]})}),(0,n.jsxs)(s.tbody,{children:[(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:"delete"}),(0,n.jsx)(s.td,{children:"Delete given snapshot(s)"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:"ls, list, l"}),(0,n.jsx)(s.td,{children:"List snapshots"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:"prune"}),(0,n.jsx)(s.td,{children:"Remove snapshots that exceed the configured retention count"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:"save"}),(0,n.jsx)(s.td,{children:"Trigger an immediate etcd snapshot"})]})]})]}),"\n",(0,n.jsx)(s.admonition,{type:"note",children:(0,n.jsxs)(s.p,{children:["The ",(0,n.jsx)(s.code,{children:"save"})," subcommand is the same as ",(0,n.jsx)(s.code,{children:"k3s etcd-snapshot"}),". The latter will eventually be deprecated in favor of the former."]})}),"\n",(0,n.jsx)(s.p,{children:"These commands will perform as expected whether the etcd snapshots are stored locally or in an S3 compatible object store."}),"\n",(0,n.jsxs)(s.p,{children:["For additional information on the etcd snapshot subcommands, run ",(0,n.jsx)(s.code,{children:"k3s etcd-snapshot"}),"."]}),"\n",(0,n.jsx)(s.p,{children:"Delete a snapshot from S3."}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"k3s etcd-snapshot delete \\\n --s3 \\\n --s3-bucket=<S3-BUCKET-NAME> \\\n --s3-access-key=<S3-ACCESS-KEY> \\\n --s3-secret-key=<S3-SECRET-KEY> \\\n <SNAPSHOT-NAME>\n"})}),"\n",(0,n.jsxs)(s.p,{children:["Prune local snapshots with the default retention policy (5). The ",(0,n.jsx)(s.code,{children:"prune"})," subcommand takes an additional flag ",(0,n.jsx)(s.code,{children:"--snapshot-retention"})," that allows for overriding the default retention policy."]}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"k3s etcd-snapshot prune\n"})}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"k3s etcd-snapshot prune --snapshot-retention 10\n"})})]})}function h(e={}){const{wrapper:s}={...(0,r.a)(),...e.components};return s?(0,n.jsx)(s,{...e,children:(0,n.jsx)(l,{...e})}):l(e)}function p(e,s){throw new Error("Expected "+(s?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,s,t)=>{t.d(s,{Z:()=>i,a:()=>c});var n=t(7294);const r={},d=n.createContext(r);function c(e){const s=n.useContext(d);return n.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function i(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:c(e.components),n.createElement(d.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/b44e7719.1e65b95e.js b/kr/assets/js/b44e7719.1e65b95e.js new file mode 100644 index 000000000..af60e7ab8 --- /dev/null +++ b/kr/assets/js/b44e7719.1e65b95e.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7565],{6245:(e,s,n)=>{n.r(s),n.d(s,{assets:()=>c,contentTitle:()=>o,default:()=>u,frontMatter:()=>t,metadata:()=>a,toc:()=>l});var r=n(5893),i=n(1151);const t={title:"\uc54c\ub824\uc9c4 \uc774\uc288"},o=void 0,a={id:"known-issues",title:"\uc54c\ub824\uc9c4 \uc774\uc288",description:"\uc54c\ub824\uc9c4 \uc774\uc288\ub294 \uc8fc\uae30\uc801\uc73c\ub85c \uc5c5\ub370\uc774\ud2b8\ub418\uba70, \ub2e4\uc74c \ub9b4\ub9ac\uc2a4\uc5d0\uc11c \uc989\uc2dc \ud574\uacb0\ub418\uc9c0 \uc54a\uc744 \uc218 \uc788\ub294 \ubb38\uc81c\uc5d0 \ub300\ud574 \uc54c\ub824\ub4dc\ub9ac\uae30 \uc704\ud574 \uace0\uc548\ub418\uc5c8\uc2b5\ub2c8\ub2e4.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/known-issues.md",sourceDirName:".",slug:"/known-issues",permalink:"/kr/known-issues",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/known-issues.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"\uc54c\ub824\uc9c4 \uc774\uc288"},sidebar:"mySidebar",previous:{title:"Related Projects",permalink:"/kr/related-projects"},next:{title:"\uc790\uc8fc \ubb3b\ub294 \uc9c8\ubb38",permalink:"/kr/faq"}},c={},l=[{value:"\uc2a4\ub0c5(Snap) \ub3c4\ucee4",id:"\uc2a4\ub0c5snap-\ub3c4\ucee4",level:3},{value:"Iptables",id:"iptables",level:3},{value:"Rootless Mode",id:"rootless-mode",level:3}];function d(e){const s={a:"a",code:"code",h1:"h1",h3:"h3",li:"li",ol:"ol",p:"p",pre:"pre",...(0,i.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(s.p,{children:"\uc54c\ub824\uc9c4 \uc774\uc288\ub294 \uc8fc\uae30\uc801\uc73c\ub85c \uc5c5\ub370\uc774\ud2b8\ub418\uba70, \ub2e4\uc74c \ub9b4\ub9ac\uc2a4\uc5d0\uc11c \uc989\uc2dc \ud574\uacb0\ub418\uc9c0 \uc54a\uc744 \uc218 \uc788\ub294 \ubb38\uc81c\uc5d0 \ub300\ud574 \uc54c\ub824\ub4dc\ub9ac\uae30 \uc704\ud574 \uace0\uc548\ub418\uc5c8\uc2b5\ub2c8\ub2e4."}),"\n",(0,r.jsx)(s.h3,{id:"\uc2a4\ub0c5snap-\ub3c4\ucee4",children:"\uc2a4\ub0c5(Snap) \ub3c4\ucee4"}),"\n",(0,r.jsx)(s.p,{children:"\uc2a4\ub0c5(Snap) \ud328\ud0a4\uc9c0\ub97c \ud1b5\ud574 \uc124\uce58\ub41c \ub3c4\ucee4\ub294 K3s\ub97c \uc2e4\ud589\ud558\ub294 \ub370 \ubb38\uc81c\ub97c \uc77c\uc73c\ud0a4\ub294 \uac83\uc73c\ub85c \uc54c\ub824\uc838 \uc788\uc73c\ubbc0\ub85c K3s\uc640 \ud568\uaed8 \uc0ac\uc6a9\ud558\ub824\ub294 \uacbd\uc6b0 \uad8c\uc7a5\ud558\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4."}),"\n",(0,r.jsx)(s.h3,{id:"iptables",children:"Iptables"}),"\n",(0,r.jsx)(s.p,{children:"\ub808\uac70\uc2dc \ub300\uc2e0 nftables \ubaa8\ub4dc\uc5d0\uc11c iptables\ub97c \uc2e4\ud589\ud558\ub294 \uacbd\uc6b0 \ubb38\uc81c\uac00 \ubc1c\uc0dd\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \ubb38\uc81c\ub97c \ubc29\uc9c0\ud558\ub824\uba74 \ucd5c\uc2e0 \ubc84\uc804(\uc608: 1.6.1+)\uc758 iptables\ub97c \uc0ac\uc6a9\ud558\ub294 \uac83\uc774 \uc88b\uc2b5\ub2c8\ub2e4."}),"\n",(0,r.jsxs)(s.p,{children:["\ub610\ud55c 1.8.0-1.8.4 \ubc84\uc804\uc5d0\ub294 K3s\uac00 \uc2e4\ud328\ud560 \uc218 \uc788\ub294 \uc54c\ub824\uc9c4 \ubb38\uc81c\uac00 \uc788\uc2b5\ub2c8\ub2e4. \ud574\uacb0 \ubc29\ubc95\uc740 ",(0,r.jsx)(s.a,{href:"/kr/advanced#%EC%9D%B4%EC%A0%84-iptables-%EB%B2%84%EC%A0%84",children:"\ucd94\uac00 OS \uc900\ube44"}),"\ub97c \ucc38\uc870\ud558\uc138\uc694."]}),"\n",(0,r.jsx)(s.h3,{id:"rootless-mode",children:"Rootless Mode"}),"\n",(0,r.jsxs)(s.p,{children:["\ub8e8\ud2b8\ub9ac\uc2a4 \ubaa8\ub4dc\ub85c K3s\ub97c \uc2e4\ud589\ud558\ub294 \uac83\uc740 \uc2e4\ud5d8 \uc911\uc774\uba70 \uba87 \uac00\uc9c0 ",(0,r.jsx)(s.a,{href:"/kr/advanced#known-issues-with-rootless-mode",children:"\uc54c\ub824\uc9c4 \uc774\uc288"}),"\uac00 \uc788\uc2b5\ub2c8\ub2e4."]}),"\n",(0,r.jsx)(s.h1,{id:"\uac15\ud654\ub41chardened-\ud074\ub7ec\uc2a4\ud130\ub97c-v124x\uc5d0\uc11c-v125x\ub85c-\uc5c5\uadf8\ub808\uc774\ub4dc\ud558\uae30",children:"\uac15\ud654\ub41c(Hardened) \ud074\ub7ec\uc2a4\ud130\ub97c v1.24.x\uc5d0\uc11c v1.25.x\ub85c \uc5c5\uadf8\ub808\uc774\ub4dc\ud558\uae30"}),"\n",(0,r.jsxs)(s.p,{children:["\ucfe0\ubc84\ub124\ud2f0\uc2a4\ub294 \ud30c\ub4dc \ubcf4\uc548 \ud45c\uc900(PSS, Pod Security Standards)\uc744 \uc704\ud574 v1.25\uc5d0\uc11c PodSecurityPolicy\ub97c \uc81c\uac70\ud588\uc2b5\ub2c8\ub2e4. PSS\uc5d0 \ub300\ud55c \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,r.jsx)(s.a,{href:"https://kubernetes.io/ko/docs/concepts/security/pod-security-standards/",children:"\uc5c5\uc2a4\ud2b8\ub9bc \ubb38\uc11c"}),"\uc5d0\uc11c \ud655\uc778\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. K3S\uc758 \uacbd\uc6b0, \ub178\ub4dc\uc5d0 'PodSecurityPolicy'\uac00 \uad6c\uc131\ub41c \uacbd\uc6b0 \uc218\ud589\ud574\uc57c \ud558\ub294 \uba87 \uac00\uc9c0 \uc218\ub3d9 \ub2e8\uacc4\uac00 \uc788\uc2b5\ub2c8\ub2e4."]}),"\n",(0,r.jsxs)(s.ol,{children:["\n",(0,r.jsxs)(s.li,{children:["\ubaa8\ub4e0 \ub178\ub4dc\uc5d0\uc11c ",(0,r.jsx)(s.code,{children:"kube-apiserver-arg"})," \uac12\uc744 \uc5c5\ub370\uc774\ud2b8\ud558\uc5ec ",(0,r.jsx)(s.code,{children:"PodSecurityPolicy"})," \uc5b4\ub4dc\ubbf8\uc158 \ud50c\ub7ec\uadf8\uc778\uc744 \uc81c\uac70\ud569\ub2c8\ub2e4. \ub300\uc2e0 \ub2e4\uc74c arg \uac12\uc744 \ucd94\uac00\ud569\ub2c8\ub2e4: ",(0,r.jsx)(s.code,{children:"'admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml'"})," \uc774\uc9c0\ub9cc, \uc544\uc9c1 K3S\ub97c \uc7ac\uc2dc\uc791\ud558\uac70\ub098 \uc5c5\uadf8\ub808\uc774\ub4dc\ud558\uc9c0 \ub9c8\uc2ed\uc2dc\uc624. \uc544\ub798\ub294 \ub178\ub4dc\ub97c \uac15\ud654\ud55c \ud6c4 \uad6c\uc131 \ud30c\uc77c\uc758 \uc608\uc2dc\uc785\ub2c8\ub2e4."]}),"\n"]}),"\n",(0,r.jsx)(s.pre,{children:(0,r.jsx)(s.code,{className:"language-yaml",children:'protect-kernel-defaults: true\nsecrets-encryption: true\nkube-apiserver-arg:\n - "admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml"\n - "audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log"\n - "audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml"\n - "audit-log-maxage=30"\n - "audit-log-maxbackup=10"\n - "audit-log-maxsize=100"\nkube-controller-manager-arg:\n - "terminated-pod-gc-threshold=10"\n - "use-service-account-credentials=true"\nkubelet-arg:\n - "streaming-connection-idle-timeout=5m"\n - "make-iptables-util-chains=true"\n'})}),"\n",(0,r.jsxs)(s.ol,{start:"2",children:["\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"/var/lib/rancher/k3s/server/psa.yaml"})," \ud30c\uc77c\uc744 \ub2e4\uc74c \ub0b4\uc6a9\uc73c\ub85c \uc791\uc131\ud569\ub2c8\ub2e4. \ub354 \ub9ce\uc740 \ub124\uc784\uc2a4\ud398\uc774\uc2a4\ub97c \uc81c\uc678\ud560 \uc218\ub3c4 \uc788\uc2b5\ub2c8\ub2e4. \uc544\ub798 \uc608\uc2dc\ub294 ",(0,r.jsx)(s.code,{children:"kube-system"}),"(\ud544\uc218), ",(0,r.jsx)(s.code,{children:"cis-operator-system"}),"(\uc120\ud0dd\uc801\uc774\uc9c0\ub9cc Rancher\ub97c \ud1b5\ud574 \ubcf4\uc548 \uc2a4\uce94\uc744 \uc2e4\ud589\ud560 \ub54c \uc720\uc6a9), ",(0,r.jsx)(s.code,{children:"system-upgrade"}),"(\uc790\ub3d9 \uc5c5\uadf8\ub808\uc774\ub4dc\ub97c \uc218\ud589\ud558\ub294 \uacbd\uc6b0 \ud544\uc218)\uc744 \uc81c\uc678\ud569\ub2c8\ub2e4."]}),"\n"]}),"\n",(0,r.jsx)(s.pre,{children:(0,r.jsx)(s.code,{className:"language-yaml",children:'apiVersion: apiserver.config.k8s.io/v1\nkind: AdmissionConfiguration\nplugins:\n - name: PodSecurity\n configuration:\n apiVersion: pod-security.admission.config.k8s.io/v1beta1\n kind: PodSecurityConfiguration\n defaults:\n enforce: "restricted"\n enforce-version: "latest"\n audit: "restricted"\n audit-version: "latest"\n warn: "restricted"\n warn-version: "latest"\n exemptions:\n usernames: []\n runtimeClasses: []\n namespaces: [kube-system, cis-operator-system, system-upgrade]\n'})}),"\n",(0,r.jsxs)(s.ol,{start:"3",children:["\n",(0,r.jsxs)(s.li,{children:["\uc77c\ubc18\uc801\uc73c\ub85c \uc5c5\uadf8\ub808\uc774\ub4dc\ub97c \uc218\ud589\ud569\ub2c8\ub2e4. ",(0,r.jsx)(s.a,{href:"/kr/upgrades/automated",children:"\uc790\ub3d9 \uc5c5\uadf8\ub808\uc774\ub4dc"}),"\ub97c \uc218\ud589\ud558\ub294 \uacbd\uc6b0 ",(0,r.jsx)(s.code,{children:"system-upgrade-controller"}),"\uac00 \uc2e4\ud589\ub418\ub294 \ub124\uc784\uc2a4\ud398\uc774\uc2a4\uac00 ",(0,r.jsx)(s.a,{href:"https://kubernetes.io/docs/concepts/security/pod-security-admission/#pod-security-levels",children:"\ud30c\ub4dc \ubcf4\uc548 \uc218\uc900"}),"\uc5d0 \ub530\ub77c \uad8c\ud55c\uc774 \ubd80\uc5ec\ub41c \uac83\uc73c\ub85c \uc124\uc815\ub418\uc5c8\ub294\uc9c0 \ud655\uc778\ud569\ub2c8\ub2e4."]}),"\n"]}),"\n",(0,r.jsx)(s.pre,{children:(0,r.jsx)(s.code,{className:"language-yaml",children:"apiVersion: v1\nkind: Namespace\nmetadata:\n name: system-upgrade\n labels:\n # This value must be privileged for the controller to run successfully.\n pod-security.kubernetes.io/enforce: privileged\n pod-security.kubernetes.io/enforce-version: v1.25\n # We are setting these to our _desired_ `enforce` level, but note that these below values can be any of the available options.\n pod-security.kubernetes.io/audit: privileged\n pod-security.kubernetes.io/audit-version: v1.25\n pod-security.kubernetes.io/warn: privileged\n pod-security.kubernetes.io/warn-version: v1.25\n"})}),"\n",(0,r.jsxs)(s.ol,{start:"4",children:["\n",(0,r.jsxs)(s.li,{children:["\uc5c5\uadf8\ub808\uc774\ub4dc\uac00 \uc644\ub8cc\ub41c \ud6c4, \ud074\ub7ec\uc2a4\ud130\uc5d0\uc11c \ub0a8\uc544\uc788\ub294 \ubaa8\ub4e0 PSP \ub9ac\uc18c\uc2a4\ub97c \uc81c\uac70\ud569\ub2c8\ub2e4. \ub300\ubd80\ubd84\uc758 \uacbd\uc6b0, ",(0,r.jsx)(s.code,{children:"/var/lib/rancher/k3s/server/manifests/"})," \ub0b4\ubd80\uc5d0\uc11c \uac15\ud654\ub97c \uc704\ud574 \uc0ac\uc6a9\ub41c \uc0ac\uc6a9\uc790 \uc815\uc758 \ud30c\uc77c\uc5d0\ub294 PodSecurityPolicies \ubc0f \uad00\ub828 RBAC \ub9ac\uc18c\uc2a4\uac00 \uc788\uc744 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \uc774\ub7ec\ud55c \ub9ac\uc18c\uc2a4\ub97c \uc81c\uac70\ud558\uba74 k3s\uac00 \uc790\ub3d9\uc73c\ub85c \uc5c5\ub370\uc774\ud2b8\ub429\ub2c8\ub2e4. \ub54c\ub54c\ub85c \uc2dc\uac04\uc774 \uc9c0\ub09c \ud6c4\uc5d0 \uc774\ub7ec\ud55c \ub9ac\uc18c\uc2a4\uac00 \ud074\ub7ec\uc2a4\ud130\uc5d0 \ub0a8\uc544\uc788\uc744 \uc218 \uc788\uc73c\ubbc0\ub85c \uc218\ub3d9\uc73c\ub85c \uc0ad\uc81c\ud574\uc57c \ud569\ub2c8\ub2e4. \uc774\uc804\uc5d0 ",(0,r.jsx)(s.a,{href:"/kr/security/hardening-guide",children:"\uac15\ud654 \uac00\uc774\ub4dc"}),"\ub97c \ub530\ub974\uba74 \ub2e4\uc74c\uacfc \uac19\uc774 \uc0ad\uc81c\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4:"]}),"\n"]}),"\n",(0,r.jsx)(s.pre,{children:(0,r.jsx)(s.code,{className:"language-sh",children:"# Get the resources associated with PSPs\n$ kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A | grep -i psp\n\n# Delete those resources:\n$ kubectl delete clusterrole.rbac.authorization.k8s.io/psp:restricted-psp clusterrole.rbac.authorization.k8s.io/psp:svclb-psp clusterrole.rbac.authorization.k8s.io/psp:system-unrestricted-psp clusterrolebinding.rbac.authorization.k8s.io/default:restricted-psp clusterrolebinding.rbac.authorization.k8s.io/system-unrestricted-node-psp-rolebinding && kubectl delete -n kube-system rolebinding.rbac.authorization.k8s.io/svclb-psp-rolebinding rolebinding.rbac.authorization.k8s.io/system-unrestricted-svc-acct-psp-rolebinding\n"})})]})}function u(e={}){const{wrapper:s}={...(0,i.a)(),...e.components};return s?(0,r.jsx)(s,{...e,children:(0,r.jsx)(d,{...e})}):d(e)}},1151:(e,s,n)=>{n.d(s,{Z:()=>a,a:()=>o});var r=n(7294);const i={},t=r.createContext(i);function o(e){const s=r.useContext(t);return r.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function a(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(i):e.components||i:o(e.components),r.createElement(t.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/b44e7719.c35ed88b.js b/kr/assets/js/b44e7719.c35ed88b.js deleted file mode 100644 index 6e2af8fc1..000000000 --- a/kr/assets/js/b44e7719.c35ed88b.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7565],{6245:(e,s,n)=>{n.r(s),n.d(s,{assets:()=>c,contentTitle:()=>o,default:()=>u,frontMatter:()=>t,metadata:()=>a,toc:()=>l});var r=n(5893),i=n(1151);const t={title:"\uc54c\ub824\uc9c4 \uc774\uc288"},o=void 0,a={id:"known-issues",title:"\uc54c\ub824\uc9c4 \uc774\uc288",description:"\uc54c\ub824\uc9c4 \uc774\uc288\ub294 \uc8fc\uae30\uc801\uc73c\ub85c \uc5c5\ub370\uc774\ud2b8\ub418\uba70, \ub2e4\uc74c \ub9b4\ub9ac\uc2a4\uc5d0\uc11c \uc989\uc2dc \ud574\uacb0\ub418\uc9c0 \uc54a\uc744 \uc218 \uc788\ub294 \ubb38\uc81c\uc5d0 \ub300\ud574 \uc54c\ub824\ub4dc\ub9ac\uae30 \uc704\ud574 \uace0\uc548\ub418\uc5c8\uc2b5\ub2c8\ub2e4.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/known-issues.md",sourceDirName:".",slug:"/known-issues",permalink:"/kr/known-issues",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/known-issues.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"\uc54c\ub824\uc9c4 \uc774\uc288"},sidebar:"mySidebar",previous:{title:"Related Projects",permalink:"/kr/related-projects"},next:{title:"\uc790\uc8fc \ubb3b\ub294 \uc9c8\ubb38",permalink:"/kr/faq"}},c={},l=[{value:"\uc2a4\ub0c5(Snap) \ub3c4\ucee4",id:"\uc2a4\ub0c5snap-\ub3c4\ucee4",level:3},{value:"Iptables",id:"iptables",level:3},{value:"Rootless Mode",id:"rootless-mode",level:3}];function d(e){const s={a:"a",code:"code",h1:"h1",h3:"h3",li:"li",ol:"ol",p:"p",pre:"pre",...(0,i.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(s.p,{children:"\uc54c\ub824\uc9c4 \uc774\uc288\ub294 \uc8fc\uae30\uc801\uc73c\ub85c \uc5c5\ub370\uc774\ud2b8\ub418\uba70, \ub2e4\uc74c \ub9b4\ub9ac\uc2a4\uc5d0\uc11c \uc989\uc2dc \ud574\uacb0\ub418\uc9c0 \uc54a\uc744 \uc218 \uc788\ub294 \ubb38\uc81c\uc5d0 \ub300\ud574 \uc54c\ub824\ub4dc\ub9ac\uae30 \uc704\ud574 \uace0\uc548\ub418\uc5c8\uc2b5\ub2c8\ub2e4."}),"\n",(0,r.jsx)(s.h3,{id:"\uc2a4\ub0c5snap-\ub3c4\ucee4",children:"\uc2a4\ub0c5(Snap) \ub3c4\ucee4"}),"\n",(0,r.jsx)(s.p,{children:"\uc2a4\ub0c5(Snap) \ud328\ud0a4\uc9c0\ub97c \ud1b5\ud574 \uc124\uce58\ub41c \ub3c4\ucee4\ub294 K3s\ub97c \uc2e4\ud589\ud558\ub294 \ub370 \ubb38\uc81c\ub97c \uc77c\uc73c\ud0a4\ub294 \uac83\uc73c\ub85c \uc54c\ub824\uc838 \uc788\uc73c\ubbc0\ub85c K3s\uc640 \ud568\uaed8 \uc0ac\uc6a9\ud558\ub824\ub294 \uacbd\uc6b0 \uad8c\uc7a5\ud558\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4."}),"\n",(0,r.jsx)(s.h3,{id:"iptables",children:"Iptables"}),"\n",(0,r.jsx)(s.p,{children:"\ub808\uac70\uc2dc \ub300\uc2e0 nftables \ubaa8\ub4dc\uc5d0\uc11c iptables\ub97c \uc2e4\ud589\ud558\ub294 \uacbd\uc6b0 \ubb38\uc81c\uac00 \ubc1c\uc0dd\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \ubb38\uc81c\ub97c \ubc29\uc9c0\ud558\ub824\uba74 \ucd5c\uc2e0 \ubc84\uc804(\uc608: 1.6.1+)\uc758 iptables\ub97c \uc0ac\uc6a9\ud558\ub294 \uac83\uc774 \uc88b\uc2b5\ub2c8\ub2e4."}),"\n",(0,r.jsxs)(s.p,{children:["\ub610\ud55c 1.8.0-1.8.4 \ubc84\uc804\uc5d0\ub294 K3s\uac00 \uc2e4\ud328\ud560 \uc218 \uc788\ub294 \uc54c\ub824\uc9c4 \ubb38\uc81c\uac00 \uc788\uc2b5\ub2c8\ub2e4. \ud574\uacb0 \ubc29\ubc95\uc740 ",(0,r.jsx)(s.a,{href:"/kr/advanced#%EC%9D%B4%EC%A0%84-iptables-%EB%B2%84%EC%A0%84",children:"\ucd94\uac00 OS \uc900\ube44"}),"\ub97c \ucc38\uc870\ud558\uc138\uc694."]}),"\n",(0,r.jsx)(s.h3,{id:"rootless-mode",children:"Rootless Mode"}),"\n",(0,r.jsxs)(s.p,{children:["\ub8e8\ud2b8\ub9ac\uc2a4 \ubaa8\ub4dc\ub85c K3s\ub97c \uc2e4\ud589\ud558\ub294 \uac83\uc740 \uc2e4\ud5d8 \uc911\uc774\uba70 \uba87 \uac00\uc9c0 ",(0,r.jsx)(s.a,{href:"/kr/advanced#known-issues-with-rootless-mode",children:"\uc54c\ub824\uc9c4 \uc774\uc288"}),"\uac00 \uc788\uc2b5\ub2c8\ub2e4."]}),"\n",(0,r.jsx)(s.h1,{id:"\uac15\ud654\ub41chardened-\ud074\ub7ec\uc2a4\ud130\ub97c-v124x\uc5d0\uc11c-v125x\ub85c-\uc5c5\uadf8\ub808\uc774\ub4dc\ud558\uae30",children:"\uac15\ud654\ub41c(Hardened) \ud074\ub7ec\uc2a4\ud130\ub97c v1.24.x\uc5d0\uc11c v1.25.x\ub85c \uc5c5\uadf8\ub808\uc774\ub4dc\ud558\uae30"}),"\n",(0,r.jsxs)(s.p,{children:["\ucfe0\ubc84\ub124\ud2f0\uc2a4\ub294 \ud30c\ub4dc \ubcf4\uc548 \ud45c\uc900(PSS, Pod Security Standards)\uc744 \uc704\ud574 v1.25\uc5d0\uc11c PodSecurityPolicy\ub97c \uc81c\uac70\ud588\uc2b5\ub2c8\ub2e4. PSS\uc5d0 \ub300\ud55c \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,r.jsx)(s.a,{href:"https://kubernetes.io/ko/docs/concepts/security/pod-security-standards/",children:"\uc5c5\uc2a4\ud2b8\ub9bc \ubb38\uc11c"}),"\uc5d0\uc11c \ud655\uc778\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. K3S\uc758 \uacbd\uc6b0, \ub178\ub4dc\uc5d0 'PodSecurityPolicy'\uac00 \uad6c\uc131\ub41c \uacbd\uc6b0 \uc218\ud589\ud574\uc57c \ud558\ub294 \uba87 \uac00\uc9c0 \uc218\ub3d9 \ub2e8\uacc4\uac00 \uc788\uc2b5\ub2c8\ub2e4."]}),"\n",(0,r.jsxs)(s.ol,{children:["\n",(0,r.jsxs)(s.li,{children:["\ubaa8\ub4e0 \ub178\ub4dc\uc5d0\uc11c ",(0,r.jsx)(s.code,{children:"kube-apiserver-arg"})," \uac12\uc744 \uc5c5\ub370\uc774\ud2b8\ud558\uc5ec ",(0,r.jsx)(s.code,{children:"PodSecurityPolicy"})," \uc5b4\ub4dc\ubbf8\uc158 \ud50c\ub7ec\uadf8\uc778\uc744 \uc81c\uac70\ud569\ub2c8\ub2e4. \ub300\uc2e0 \ub2e4\uc74c arg \uac12\uc744 \ucd94\uac00\ud569\ub2c8\ub2e4: ",(0,r.jsx)(s.code,{children:"'admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml'"})," \uc774\uc9c0\ub9cc, \uc544\uc9c1 K3S\ub97c \uc7ac\uc2dc\uc791\ud558\uac70\ub098 \uc5c5\uadf8\ub808\uc774\ub4dc\ud558\uc9c0 \ub9c8\uc2ed\uc2dc\uc624. \uc544\ub798\ub294 \ub178\ub4dc\ub97c \uac15\ud654\ud55c \ud6c4 \uad6c\uc131 \ud30c\uc77c\uc758 \uc608\uc2dc\uc785\ub2c8\ub2e4."]}),"\n"]}),"\n",(0,r.jsx)(s.pre,{children:(0,r.jsx)(s.code,{className:"language-yaml",children:'protect-kernel-defaults: true\nsecrets-encryption: true\nkube-apiserver-arg:\n - "admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml"\n - "audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log"\n - "audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml"\n - "audit-log-maxage=30"\n - "audit-log-maxbackup=10"\n - "audit-log-maxsize=100"\nkube-controller-manager-arg:\n - "terminated-pod-gc-threshold=10"\n - "use-service-account-credentials=true"\nkubelet-arg:\n - "streaming-connection-idle-timeout=5m"\n - "make-iptables-util-chains=true"\n'})}),"\n",(0,r.jsxs)(s.ol,{start:"2",children:["\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"/var/lib/rancher/k3s/server/psa.yaml"})," \ud30c\uc77c\uc744 \ub2e4\uc74c \ub0b4\uc6a9\uc73c\ub85c \uc791\uc131\ud569\ub2c8\ub2e4. \ub354 \ub9ce\uc740 \ub124\uc784\uc2a4\ud398\uc774\uc2a4\ub97c \uc81c\uc678\ud560 \uc218\ub3c4 \uc788\uc2b5\ub2c8\ub2e4. \uc544\ub798 \uc608\uc2dc\ub294 ",(0,r.jsx)(s.code,{children:"kube-system"}),"(\ud544\uc218), ",(0,r.jsx)(s.code,{children:"cis-operator-system"}),"(\uc120\ud0dd\uc801\uc774\uc9c0\ub9cc Rancher\ub97c \ud1b5\ud574 \ubcf4\uc548 \uc2a4\uce94\uc744 \uc2e4\ud589\ud560 \ub54c \uc720\uc6a9), ",(0,r.jsx)(s.code,{children:"system-upgrade"}),"(\uc790\ub3d9 \uc5c5\uadf8\ub808\uc774\ub4dc\ub97c \uc218\ud589\ud558\ub294 \uacbd\uc6b0 \ud544\uc218)\uc744 \uc81c\uc678\ud569\ub2c8\ub2e4."]}),"\n"]}),"\n",(0,r.jsx)(s.pre,{children:(0,r.jsx)(s.code,{className:"language-yaml",children:'apiVersion: apiserver.config.k8s.io/v1\nkind: AdmissionConfiguration\nplugins:\n - name: PodSecurity\n configuration:\n apiVersion: pod-security.admission.config.k8s.io/v1beta1\n kind: PodSecurityConfiguration\n defaults:\n enforce: "restricted"\n enforce-version: "latest"\n audit: "restricted"\n audit-version: "latest"\n warn: "restricted"\n warn-version: "latest"\n exemptions:\n usernames: []\n runtimeClasses: []\n namespaces: [kube-system, cis-operator-system, system-upgrade]\n'})}),"\n",(0,r.jsxs)(s.ol,{start:"3",children:["\n",(0,r.jsxs)(s.li,{children:["\uc77c\ubc18\uc801\uc73c\ub85c \uc5c5\uadf8\ub808\uc774\ub4dc\ub97c \uc218\ud589\ud569\ub2c8\ub2e4. ",(0,r.jsx)(s.a,{href:"/kr/upgrades/automated",children:"\uc790\ub3d9 \uc5c5\uadf8\ub808\uc774\ub4dc"}),"\ub97c \uc218\ud589\ud558\ub294 \uacbd\uc6b0 ",(0,r.jsx)(s.code,{children:"system-upgrade-controller"}),"\uac00 \uc2e4\ud589\ub418\ub294 \ub124\uc784\uc2a4\ud398\uc774\uc2a4\uac00 ",(0,r.jsx)(s.a,{href:"https://kubernetes.io/docs/concepts/security/pod-security-admission/#pod-security-levels",children:"\ud30c\ub4dc \ubcf4\uc548 \uc218\uc900"}),"\uc5d0 \ub530\ub77c \uad8c\ud55c\uc774 \ubd80\uc5ec\ub41c \uac83\uc73c\ub85c \uc124\uc815\ub418\uc5c8\ub294\uc9c0 \ud655\uc778\ud569\ub2c8\ub2e4."]}),"\n"]}),"\n",(0,r.jsx)(s.pre,{children:(0,r.jsx)(s.code,{className:"language-yaml",children:"apiVersion: v1\nkind: Namespace\nmetadata:\n name: system-upgrade\n labels:\n # This value must be privileged for the controller to run successfully.\n pod-security.kubernetes.io/enforce: privileged\n pod-security.kubernetes.io/enforce-version: v1.25\n # We are setting these to our _desired_ `enforce` level, but note that these below values can be any of the available options.\n pod-security.kubernetes.io/audit: privileged\n pod-security.kubernetes.io/audit-version: v1.25\n pod-security.kubernetes.io/warn: privileged\n pod-security.kubernetes.io/warn-version: v1.25\n"})}),"\n",(0,r.jsxs)(s.ol,{start:"4",children:["\n",(0,r.jsxs)(s.li,{children:["\uc5c5\uadf8\ub808\uc774\ub4dc\uac00 \uc644\ub8cc\ub41c \ud6c4, \ud074\ub7ec\uc2a4\ud130\uc5d0\uc11c \ub0a8\uc544\uc788\ub294 \ubaa8\ub4e0 PSP \ub9ac\uc18c\uc2a4\ub97c \uc81c\uac70\ud569\ub2c8\ub2e4. \ub300\ubd80\ubd84\uc758 \uacbd\uc6b0, ",(0,r.jsx)(s.code,{children:"/var/lib/rancher/k3s/server/manifests/"})," \ub0b4\ubd80\uc5d0\uc11c \uac15\ud654\ub97c \uc704\ud574 \uc0ac\uc6a9\ub41c \uc0ac\uc6a9\uc790 \uc815\uc758 \ud30c\uc77c\uc5d0\ub294 PodSecurityPolicies \ubc0f \uad00\ub828 RBAC \ub9ac\uc18c\uc2a4\uac00 \uc788\uc744 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \uc774\ub7ec\ud55c \ub9ac\uc18c\uc2a4\ub97c \uc81c\uac70\ud558\uba74 k3s\uac00 \uc790\ub3d9\uc73c\ub85c \uc5c5\ub370\uc774\ud2b8\ub429\ub2c8\ub2e4. \ub54c\ub54c\ub85c \uc2dc\uac04\uc774 \uc9c0\ub09c \ud6c4\uc5d0 \uc774\ub7ec\ud55c \ub9ac\uc18c\uc2a4\uac00 \ud074\ub7ec\uc2a4\ud130\uc5d0 \ub0a8\uc544\uc788\uc744 \uc218 \uc788\uc73c\ubbc0\ub85c \uc218\ub3d9\uc73c\ub85c \uc0ad\uc81c\ud574\uc57c \ud569\ub2c8\ub2e4. \uc774\uc804\uc5d0 ",(0,r.jsx)(s.a,{href:"/kr/security/hardening-guide",children:"\uac15\ud654 \uac00\uc774\ub4dc"}),"\ub97c \ub530\ub974\uba74 \ub2e4\uc74c\uacfc \uac19\uc774 \uc0ad\uc81c\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4:"]}),"\n"]}),"\n",(0,r.jsx)(s.pre,{children:(0,r.jsx)(s.code,{className:"language-sh",children:"# Get the resources associated with PSPs\n$ kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A | grep -i psp\n\n# Delete those resources:\n$ kubectl delete clusterrole.rbac.authorization.k8s.io/psp:restricted-psp clusterrole.rbac.authorization.k8s.io/psp:svclb-psp clusterrole.rbac.authorization.k8s.io/psp:system-unrestricted-psp clusterrolebinding.rbac.authorization.k8s.io/default:restricted-psp clusterrolebinding.rbac.authorization.k8s.io/system-unrestricted-node-psp-rolebinding && kubectl delete -n kube-system rolebinding.rbac.authorization.k8s.io/svclb-psp-rolebinding rolebinding.rbac.authorization.k8s.io/system-unrestricted-svc-acct-psp-rolebinding\n"})})]})}function u(e={}){const{wrapper:s}={...(0,i.a)(),...e.components};return s?(0,r.jsx)(s,{...e,children:(0,r.jsx)(d,{...e})}):d(e)}},1151:(e,s,n)=>{n.d(s,{Z:()=>a,a:()=>o});var r=n(7294);const i={},t=r.createContext(i);function o(e){const s=r.useContext(t);return r.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function a(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(i):e.components||i:o(e.components),r.createElement(t.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/b8002741.213dd26e.js b/kr/assets/js/b8002741.213dd26e.js new file mode 100644 index 000000000..89cebe04e --- /dev/null +++ b/kr/assets/js/b8002741.213dd26e.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[2573],{3338:(e,s,i)=>{i.r(s),i.d(s,{assets:()=>c,contentTitle:()=>l,default:()=>o,frontMatter:()=>n,metadata:()=>h,toc:()=>d});var r=i(5893),t=i(1151);const n={hide_table_of_contents:!0,sidebar_position:1},l="v1.30.X",h={id:"release-notes/v1.30.X",title:"v1.30.X",description:"Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.",source:"@site/docs/release-notes/v1.30.X.md",sourceDirName:"release-notes",slug:"/release-notes/v1.30.X",permalink:"/kr/release-notes/v1.30.X",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/release-notes/v1.30.X.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,sidebarPosition:1,frontMatter:{hide_table_of_contents:!0,sidebar_position:1},sidebar:"mySidebar",previous:{title:"Resource Profiling",permalink:"/kr/reference/resource-profiling"},next:{title:"v1.29.X",permalink:"/kr/release-notes/v1.29.X"}},c={},d=[{value:"Release v1.30.3+k3s1",id:"release-v1303k3s1",level:2},{value:"Changes since v1.30.2+k3s2:",id:"changes-since-v1302k3s2",level:3},{value:"Release v1.30.2+k3s2",id:"release-v1302k3s2",level:2},{value:"Changes since v1.30.2+k3s1:",id:"changes-since-v1302k3s1",level:3},{value:"Release v1.30.2+k3s1",id:"release-v1302k3s1",level:2},{value:"Changes since v1.30.1+k3s1:",id:"changes-since-v1301k3s1",level:3},{value:"Release v1.30.1+k3s1",id:"release-v1301k3s1",level:2},{value:"Changes since v1.30.0+k3s1:",id:"changes-since-v1300k3s1",level:3},{value:"Release v1.30.0+k3s1",id:"release-v1300k3s1",level:2},{value:"Changes since v1.29.4+k3s1:",id:"changes-since-v1294k3s1",level:3}];function a(e){const s={a:"a",admonition:"admonition",code:"code",h1:"h1",h2:"h2",h3:"h3",header:"header",hr:"hr",li:"li",p:"p",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,t.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(s.header,{children:(0,r.jsx)(s.h1,{id:"v130x",children:"v1.30.X"})}),"\n",(0,r.jsx)(s.admonition,{title:"Upgrade Notice",type:"warning",children:(0,r.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]})}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Version"}),(0,r.jsx)(s.th,{children:"Release date"}),(0,r.jsx)(s.th,{children:"Kubernetes"}),(0,r.jsx)(s.th,{children:"Kine"}),(0,r.jsx)(s.th,{children:"SQLite"}),(0,r.jsx)(s.th,{children:"Etcd"}),(0,r.jsx)(s.th,{children:"Containerd"}),(0,r.jsx)(s.th,{children:"Runc"}),(0,r.jsx)(s.th,{children:"Flannel"}),(0,r.jsx)(s.th,{children:"Metrics-server"}),(0,r.jsx)(s.th,{children:"Traefik"}),(0,r.jsx)(s.th,{children:"CoreDNS"}),(0,r.jsx)(s.th,{children:"Helm-controller"}),(0,r.jsx)(s.th,{children:"Local-path-provisioner"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.30.X#release-v1303k3s1",children:"v1.30.3+k3s1"})}),(0,r.jsx)(s.td,{children:"Jul 31 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#v1303",children:"v1.30.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.11",children:"v0.11.11"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1",children:"v1.7.17-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.4",children:"v0.25.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.16.1",children:"v0.16.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.28",children:"v0.0.28"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.30.X#release-v1302k3s2",children:"v1.30.2+k3s2"})}),(0,r.jsx)(s.td,{children:"Jul 03 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#v1302",children:"v1.30.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.9",children:"v0.11.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1",children:"v1.7.17-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.4",children:"v0.25.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.16.1",children:"v0.16.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.27",children:"v0.0.27"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.30.X#release-v1302k3s1",children:"v1.30.2+k3s1"})}),(0,r.jsx)(s.td,{children:"Jun 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#v1302",children:"v1.30.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.9",children:"v0.11.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1",children:"v1.7.17-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.2",children:"v0.25.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.16.1",children:"v0.16.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.27",children:"v0.0.27"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.30.X#release-v1301k3s1",children:"v1.30.1+k3s1"})}),(0,r.jsx)(s.td,{children:"May 22 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#v1301",children:"v1.30.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.8-0.20240430184817-f9ce6f8da97b",children:"v0.11.8-0.20240430184817-f9ce6f8da97b"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.15-k3s1",children:"v1.7.15-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.16.1-0.20240502205943-2f32059d43e6",children:"v0.16.1-0.20240502205943-2f32059d43e6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.30.X#release-v1300k3s1",children:"v1.30.0+k3s1"})}),(0,r.jsx)(s.td,{children:"May 10 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#v1300",children:"v1.30.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.7",children:"v0.11.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.15-k3s1",children:"v1.7.15-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.16.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]})]})]}),"\n",(0,r.jsx)("br",{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1303k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.30.3+k3s1",children:"v1.30.3+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.30.3, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#changelog-since-v1302",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1302k3s2",children:"Changes since v1.30.2+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update channel server for k3s2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10446",children:"(#10446)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Set correct release channel for e2e upgrade test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10460",children:"(#10460)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-07 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10497",children:"(#10497)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump k3s-root to v0.14.0"}),"\n",(0,r.jsx)(s.li,{children:"Bump github.com/hashicorp/go-retryablehttp from 0.7.4 to 0.7.7"}),"\n",(0,r.jsx)(s.li,{children:"Bump Local Path Provisioner version"}),"\n",(0,r.jsx)(s.li,{children:"Ensure remotedialer kubelet connections use kubelet bind address"}),"\n",(0,r.jsx)(s.li,{children:"Chore: Bump Trivy version"}),"\n",(0,r.jsx)(s.li,{children:"Add etcd s3 config secret implementation"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["July Test Backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10507",children:"(#10507)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.30.3-k3s1 and Go 1.22.5 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10536",children:"(#10536)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issues loading data-dir value from env vars or dropping config files ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10596",children:"(#10596)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1302k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.30.2+k3s2",children:"v1.30.2+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.30.2, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#changelog-since-v1302",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1302k3s1",children:"Changes since v1.30.2+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update stable channel to v1.29.6+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10417",children:"(#10417)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update flannel to v0.25.4 and fixed issue with IPv6 mask ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10422",children:"(#10422)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1302k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.30.2+k3s1",children:"v1.30.2+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.30.2, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#changelog-since-v1301",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1301k3s1",children:"Changes since v1.30.1+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix bug when using tailscale config by file ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10074",children:"(#10074)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix bug when using ",(0,r.jsx)(s.code,{children:"vpn-auth-file"})," in the agent"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add WithSkipMissing to not fail import on missing blobs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10136",children:"(#10136)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use fixed stream server bind address for cri-dockerd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9975",children:"(#9975)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Switch stargz over to cri registry config_path ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9977",children:"(#9977)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump to containerd v1.7.17, etcd v3.5.13 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10123",children:"(#10123)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump spegel version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10118",children:"(#10118)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue installing artifacts from PR builds with multiple runs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10122",children:"(#10122)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue with ",(0,r.jsx)(s.code,{children:"externalTrafficPolicy: Local"})," for single-stack services on dual-stack nodes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9963",children:"(#9963)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update local-path-provisioner helper script ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9964",children:"(#9964)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add support for svclb pod PriorityClassName ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10045",children:"(#10045)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["ServiceLB now sets the priorityClassName on svclb pods to ",(0,r.jsx)(s.code,{children:"system-node-critical"})," by default. This can be overridden on a per-service basis via the ",(0,r.jsx)(s.code,{children:"svccontroller.k3s.cattle.io/priorityclassname"})," annotation."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Drop check for legacy traefik v1 chart ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9593",children:"(#9593)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"K3s no longer automatically skips deploying traefik v2 if traefik v1 is present. All clusters should have been upgraded to v2 at some point over the last three years."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router version to v2.1.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10177",children:"(#10177)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Create ADR for branching strategy ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10147",children:"(#10147)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump minio-go to v7.0.70 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10081",children:"(#10081)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump kine to v0.11.9 to fix pagination ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10082",children:"(#10082)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update valid resolv conf ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9948",children:"(#9948)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add missing kernel config check ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10100",children:"(#10100)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Git workflow file name correction ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10131",children:"(#10131)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"None"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Follow directory symlinks in auto deploying manifests (#9288) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10049",children:"(#10049)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Symlinked sub-directories are now respected when scanning Auto-Deploying Manifests (AddOns)"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix bug: allow helm controller set owner reference ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10048",children:"(#10048)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix go.mod ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10192",children:"(#10192)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump flannel version to v0.25.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10146",children:"(#10146)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Test: add agent with auth file ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10119",children:"(#10119)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix bug when using ",(0,r.jsx)(s.code,{children:"vpn-auth-file"})," in the agent"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add extra log in e2e tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10145",children:"(#10145)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update channel server for may 2024 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10137",children:"(#10137)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump klipper-helm image for tls secret support ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10187",children:"(#10187)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Updating the script binary_size_check to complete the command name by\u2026 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9992",children:"(#9992)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue with k3s-etcd informers not starting ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10047",children:"(#10047)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Enable serving supervisor metrics ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10019",children:"(#10019)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--Enable-pprof"})," can now be set on agents to enable the debug/pprof endpoints. When set, agents will listen on the supervisor port."]}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--Supervisor-metrics"})," can now be set on servers to enable serving internal metrics on the supervisor endpoint; when set agents will listen on the supervisor port."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump alpine from 3.18 to 3.20 in /conformance ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10210",children:"(#10210)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump alpine from 3.18 to 3.20 in /package ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10211",children:"(#10211)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump ubuntu from 22.04 to 24.04 in /tests/e2e/scripts ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10040",children:"(#10040)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10039",children:"(#10039)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix netpol crash when node remains tainted uninitialized ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10073",children:"(#10073)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue caused by sole server marked as failed under load ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10241",children:"(#10241)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded load-balancer will now fall back to trying all servers with health-checks ignored, if all servers have been marked unavailable due to failed health checks."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add write-kubeconfig-group flag to server ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9233",children:"(#9233)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"New flag in k3s server: --write-kubeconfig-group"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix embedded mirror blocked by SAR RBAC and re-enable test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10257",children:"(#10257)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Local Path Provisioner version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10268",children:"(#10268)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix: Use actual warningPeriod in certmonitor ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10271",children:"(#10271)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix bug that caused agents to bypass local loadbalancer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10280",children:"(#10280)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add ADR for support for etcd s3 config secret ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9364",children:"(#9364)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add test for ",(0,r.jsx)(s.code,{children:"isValidResolvConf"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10302",children:"(#10302)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add snapshot retention etcd-s3-folder fix ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10293",children:"(#10293)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Expand GHA golang caching to include newest release branch ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10307",children:"(#10307)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix race condition panic in loadbalancer.nextServer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10318",children:"(#10318)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix typo, use ",(0,r.jsx)(s.code,{children:"rancher/permissions"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10296",children:"(#10296)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.30.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10349",children:"(#10349)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix agent supervisor port using apiserver port instead ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10352",children:"(#10352)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue that allowed multiple simultaneous snapshots to be allowed ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10372",children:"(#10372)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1301k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.30.1+k3s1",children:"v1.30.1+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.30.1, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#changelog-since-v1300",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1300k3s1",children:"Changes since v1.30.0+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Replace deprecated ruby function in e2e tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10084",children:"(#10084)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update channels with 1.30 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10097",children:"(#10097)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Address 461 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10112",children:"(#10112)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.30.1-k3s1 and Go 1.22.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10105",children:"(#10105)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1300k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.30.0+k3s1",children:"v1.30.0+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release is K3S's first in the v1.30 line. This release updates Kubernetes to v1.30.0."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#changelog-since-v1290",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1294k3s1",children:"Changes since v1.29.4+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Kubernetes V1.30.0-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10063",children:"(#10063)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update stable channel to v1.29.4+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10031",children:"(#10031)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add E2E Split Server to Drone, support parallel testing in Drone ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9940",children:"(#9940)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump E2E opensuse leap to 15.6, fix btrfs test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10057",children:"(#10057)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove deprecated ",(0,r.jsx)(s.code,{children:"pod-infra-container-image"})," kubelet flag ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7409",children:"(#7409)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix e2e tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10061",children:"(#10061)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{})]})}function o(e={}){const{wrapper:s}={...(0,t.a)(),...e.components};return s?(0,r.jsx)(s,{...e,children:(0,r.jsx)(a,{...e})}):a(e)}},1151:(e,s,i)=>{i.d(s,{Z:()=>h,a:()=>l});var r=i(7294);const t={},n=r.createContext(t);function l(e){const s=r.useContext(n);return r.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function h(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:l(e.components),r.createElement(n.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/b8002741.fd36fa70.js b/kr/assets/js/b8002741.fd36fa70.js deleted file mode 100644 index 51b3f1b36..000000000 --- a/kr/assets/js/b8002741.fd36fa70.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[2573],{3338:(e,s,i)=>{i.r(s),i.d(s,{assets:()=>c,contentTitle:()=>l,default:()=>o,frontMatter:()=>n,metadata:()=>h,toc:()=>d});var r=i(5893),t=i(1151);const n={hide_table_of_contents:!0,sidebar_position:1},l="v1.30.X",h={id:"release-notes/v1.30.X",title:"v1.30.X",description:"Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.",source:"@site/docs/release-notes/v1.30.X.md",sourceDirName:"release-notes",slug:"/release-notes/v1.30.X",permalink:"/kr/release-notes/v1.30.X",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/release-notes/v1.30.X.md",tags:[],version:"current",lastUpdatedAt:172365169e4,sidebarPosition:1,frontMatter:{hide_table_of_contents:!0,sidebar_position:1},sidebar:"mySidebar",previous:{title:"Resource Profiling",permalink:"/kr/reference/resource-profiling"},next:{title:"v1.29.X",permalink:"/kr/release-notes/v1.29.X"}},c={},d=[{value:"Release v1.30.3+k3s1",id:"release-v1303k3s1",level:2},{value:"Changes since v1.30.2+k3s2:",id:"changes-since-v1302k3s2",level:3},{value:"Release v1.30.2+k3s2",id:"release-v1302k3s2",level:2},{value:"Changes since v1.30.2+k3s1:",id:"changes-since-v1302k3s1",level:3},{value:"Release v1.30.2+k3s1",id:"release-v1302k3s1",level:2},{value:"Changes since v1.30.1+k3s1:",id:"changes-since-v1301k3s1",level:3},{value:"Release v1.30.1+k3s1",id:"release-v1301k3s1",level:2},{value:"Changes since v1.30.0+k3s1:",id:"changes-since-v1300k3s1",level:3},{value:"Release v1.30.0+k3s1",id:"release-v1300k3s1",level:2},{value:"Changes since v1.29.4+k3s1:",id:"changes-since-v1294k3s1",level:3}];function a(e){const s={a:"a",admonition:"admonition",code:"code",h1:"h1",h2:"h2",h3:"h3",hr:"hr",li:"li",p:"p",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,t.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(s.h1,{id:"v130x",children:"v1.30.X"}),"\n",(0,r.jsx)(s.admonition,{title:"Upgrade Notice",type:"warning",children:(0,r.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]})}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Version"}),(0,r.jsx)(s.th,{children:"Release date"}),(0,r.jsx)(s.th,{children:"Kubernetes"}),(0,r.jsx)(s.th,{children:"Kine"}),(0,r.jsx)(s.th,{children:"SQLite"}),(0,r.jsx)(s.th,{children:"Etcd"}),(0,r.jsx)(s.th,{children:"Containerd"}),(0,r.jsx)(s.th,{children:"Runc"}),(0,r.jsx)(s.th,{children:"Flannel"}),(0,r.jsx)(s.th,{children:"Metrics-server"}),(0,r.jsx)(s.th,{children:"Traefik"}),(0,r.jsx)(s.th,{children:"CoreDNS"}),(0,r.jsx)(s.th,{children:"Helm-controller"}),(0,r.jsx)(s.th,{children:"Local-path-provisioner"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.30.X#release-v1303k3s1",children:"v1.30.3+k3s1"})}),(0,r.jsx)(s.td,{children:"Jul 31 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#v1303",children:"v1.30.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.11",children:"v0.11.11"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1",children:"v1.7.17-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.4",children:"v0.25.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.16.1",children:"v0.16.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.28",children:"v0.0.28"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.30.X#release-v1302k3s2",children:"v1.30.2+k3s2"})}),(0,r.jsx)(s.td,{children:"Jul 03 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#v1302",children:"v1.30.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.9",children:"v0.11.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1",children:"v1.7.17-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.4",children:"v0.25.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.16.1",children:"v0.16.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.27",children:"v0.0.27"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.30.X#release-v1302k3s1",children:"v1.30.2+k3s1"})}),(0,r.jsx)(s.td,{children:"Jun 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#v1302",children:"v1.30.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.9",children:"v0.11.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1",children:"v1.7.17-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.2",children:"v0.25.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.16.1",children:"v0.16.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.27",children:"v0.0.27"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.30.X#release-v1301k3s1",children:"v1.30.1+k3s1"})}),(0,r.jsx)(s.td,{children:"May 22 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#v1301",children:"v1.30.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.8-0.20240430184817-f9ce6f8da97b",children:"v0.11.8-0.20240430184817-f9ce6f8da97b"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.15-k3s1",children:"v1.7.15-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.16.1-0.20240502205943-2f32059d43e6",children:"v0.16.1-0.20240502205943-2f32059d43e6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.30.X#release-v1300k3s1",children:"v1.30.0+k3s1"})}),(0,r.jsx)(s.td,{children:"May 10 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#v1300",children:"v1.30.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.7",children:"v0.11.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.15-k3s1",children:"v1.7.15-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.16.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]})]})]}),"\n",(0,r.jsx)("br",{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1303k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.30.3+k3s1",children:"v1.30.3+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.30.3, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#changelog-since-v1302",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1302k3s2",children:"Changes since v1.30.2+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update channel server for k3s2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10446",children:"(#10446)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Set correct release channel for e2e upgrade test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10460",children:"(#10460)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-07 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10497",children:"(#10497)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump k3s-root to v0.14.0"}),"\n",(0,r.jsx)(s.li,{children:"Bump github.com/hashicorp/go-retryablehttp from 0.7.4 to 0.7.7"}),"\n",(0,r.jsx)(s.li,{children:"Bump Local Path Provisioner version"}),"\n",(0,r.jsx)(s.li,{children:"Ensure remotedialer kubelet connections use kubelet bind address"}),"\n",(0,r.jsx)(s.li,{children:"Chore: Bump Trivy version"}),"\n",(0,r.jsx)(s.li,{children:"Add etcd s3 config secret implementation"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["July Test Backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10507",children:"(#10507)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.30.3-k3s1 and Go 1.22.5 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10536",children:"(#10536)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issues loading data-dir value from env vars or dropping config files ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10596",children:"(#10596)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1302k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.30.2+k3s2",children:"v1.30.2+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.30.2, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#changelog-since-v1302",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1302k3s1",children:"Changes since v1.30.2+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update stable channel to v1.29.6+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10417",children:"(#10417)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update flannel to v0.25.4 and fixed issue with IPv6 mask ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10422",children:"(#10422)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1302k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.30.2+k3s1",children:"v1.30.2+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.30.2, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#changelog-since-v1301",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1301k3s1",children:"Changes since v1.30.1+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix bug when using tailscale config by file ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10074",children:"(#10074)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix bug when using ",(0,r.jsx)(s.code,{children:"vpn-auth-file"})," in the agent"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add WithSkipMissing to not fail import on missing blobs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10136",children:"(#10136)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use fixed stream server bind address for cri-dockerd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9975",children:"(#9975)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Switch stargz over to cri registry config_path ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9977",children:"(#9977)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump to containerd v1.7.17, etcd v3.5.13 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10123",children:"(#10123)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump spegel version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10118",children:"(#10118)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue installing artifacts from PR builds with multiple runs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10122",children:"(#10122)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue with ",(0,r.jsx)(s.code,{children:"externalTrafficPolicy: Local"})," for single-stack services on dual-stack nodes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9963",children:"(#9963)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update local-path-provisioner helper script ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9964",children:"(#9964)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add support for svclb pod PriorityClassName ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10045",children:"(#10045)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["ServiceLB now sets the priorityClassName on svclb pods to ",(0,r.jsx)(s.code,{children:"system-node-critical"})," by default. This can be overridden on a per-service basis via the ",(0,r.jsx)(s.code,{children:"svccontroller.k3s.cattle.io/priorityclassname"})," annotation."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Drop check for legacy traefik v1 chart ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9593",children:"(#9593)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"K3s no longer automatically skips deploying traefik v2 if traefik v1 is present. All clusters should have been upgraded to v2 at some point over the last three years."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router version to v2.1.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10177",children:"(#10177)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Create ADR for branching strategy ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10147",children:"(#10147)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump minio-go to v7.0.70 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10081",children:"(#10081)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump kine to v0.11.9 to fix pagination ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10082",children:"(#10082)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update valid resolv conf ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9948",children:"(#9948)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add missing kernel config check ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10100",children:"(#10100)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Git workflow file name correction ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10131",children:"(#10131)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"None"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Follow directory symlinks in auto deploying manifests (#9288) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10049",children:"(#10049)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Symlinked sub-directories are now respected when scanning Auto-Deploying Manifests (AddOns)"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix bug: allow helm controller set owner reference ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10048",children:"(#10048)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix go.mod ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10192",children:"(#10192)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump flannel version to v0.25.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10146",children:"(#10146)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Test: add agent with auth file ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10119",children:"(#10119)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix bug when using ",(0,r.jsx)(s.code,{children:"vpn-auth-file"})," in the agent"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add extra log in e2e tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10145",children:"(#10145)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update channel server for may 2024 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10137",children:"(#10137)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump klipper-helm image for tls secret support ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10187",children:"(#10187)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Updating the script binary_size_check to complete the command name by\u2026 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9992",children:"(#9992)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue with k3s-etcd informers not starting ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10047",children:"(#10047)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Enable serving supervisor metrics ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10019",children:"(#10019)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--Enable-pprof"})," can now be set on agents to enable the debug/pprof endpoints. When set, agents will listen on the supervisor port."]}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--Supervisor-metrics"})," can now be set on servers to enable serving internal metrics on the supervisor endpoint; when set agents will listen on the supervisor port."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump alpine from 3.18 to 3.20 in /conformance ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10210",children:"(#10210)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump alpine from 3.18 to 3.20 in /package ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10211",children:"(#10211)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump ubuntu from 22.04 to 24.04 in /tests/e2e/scripts ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10040",children:"(#10040)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10039",children:"(#10039)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix netpol crash when node remains tainted uninitialized ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10073",children:"(#10073)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue caused by sole server marked as failed under load ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10241",children:"(#10241)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded load-balancer will now fall back to trying all servers with health-checks ignored, if all servers have been marked unavailable due to failed health checks."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add write-kubeconfig-group flag to server ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9233",children:"(#9233)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"New flag in k3s server: --write-kubeconfig-group"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix embedded mirror blocked by SAR RBAC and re-enable test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10257",children:"(#10257)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Local Path Provisioner version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10268",children:"(#10268)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix: Use actual warningPeriod in certmonitor ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10271",children:"(#10271)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix bug that caused agents to bypass local loadbalancer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10280",children:"(#10280)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add ADR for support for etcd s3 config secret ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9364",children:"(#9364)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add test for ",(0,r.jsx)(s.code,{children:"isValidResolvConf"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10302",children:"(#10302)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add snapshot retention etcd-s3-folder fix ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10293",children:"(#10293)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Expand GHA golang caching to include newest release branch ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10307",children:"(#10307)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix race condition panic in loadbalancer.nextServer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10318",children:"(#10318)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix typo, use ",(0,r.jsx)(s.code,{children:"rancher/permissions"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10296",children:"(#10296)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.30.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10349",children:"(#10349)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix agent supervisor port using apiserver port instead ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10352",children:"(#10352)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue that allowed multiple simultaneous snapshots to be allowed ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10372",children:"(#10372)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1301k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.30.1+k3s1",children:"v1.30.1+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.30.1, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#changelog-since-v1300",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1300k3s1",children:"Changes since v1.30.0+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Replace deprecated ruby function in e2e tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10084",children:"(#10084)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update channels with 1.30 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10097",children:"(#10097)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Address 461 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10112",children:"(#10112)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.30.1-k3s1 and Go 1.22.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10105",children:"(#10105)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1300k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.30.0+k3s1",children:"v1.30.0+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release is K3S's first in the v1.30 line. This release updates Kubernetes to v1.30.0."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#changelog-since-v1290",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1294k3s1",children:"Changes since v1.29.4+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Kubernetes V1.30.0-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10063",children:"(#10063)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update stable channel to v1.29.4+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10031",children:"(#10031)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add E2E Split Server to Drone, support parallel testing in Drone ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9940",children:"(#9940)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump E2E opensuse leap to 15.6, fix btrfs test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10057",children:"(#10057)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove deprecated ",(0,r.jsx)(s.code,{children:"pod-infra-container-image"})," kubelet flag ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7409",children:"(#7409)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix e2e tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10061",children:"(#10061)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{})]})}function o(e={}){const{wrapper:s}={...(0,t.a)(),...e.components};return s?(0,r.jsx)(s,{...e,children:(0,r.jsx)(a,{...e})}):a(e)}},1151:(e,s,i)=>{i.d(s,{Z:()=>h,a:()=>l});var r=i(7294);const t={},n=r.createContext(t);function l(e){const s=r.useContext(n);return r.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function h(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:l(e.components),r.createElement(n.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/b87d0734.0d2ae43b.js b/kr/assets/js/b87d0734.0d2ae43b.js deleted file mode 100644 index 604803ade..000000000 --- a/kr/assets/js/b87d0734.0d2ae43b.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[660],{8147:(e,t,s)=>{s.r(t),s.d(t,{assets:()=>c,contentTitle:()=>l,default:()=>h,frontMatter:()=>r,metadata:()=>d,toc:()=>o});var n=s(5893),i=s(1151);const r={title:"Environment Variables"},l=void 0,d={id:"reference/env-variables",title:"Environment Variables",description:"As mentioned in the Quick-Start Guide, you can use the installation script available at https://get.k3s.io to install K3s as a service on systemd and openrc based systems.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/reference/env-variables.md",sourceDirName:"reference",slug:"/reference/env-variables",permalink:"/kr/reference/env-variables",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/reference/env-variables.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Environment Variables"},sidebar:"mySidebar",previous:{title:"\uace0\uae09 \uc635\uc158 / \uc124\uc815",permalink:"/kr/advanced"},next:{title:"Flag Deprecation",permalink:"/kr/reference/flag-deprecation"}},c={},o=[];function a(e){const t={a:"a",code:"code",p:"p",pre:"pre",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",...(0,i.a)(),...e.components};return(0,n.jsxs)(n.Fragment,{children:[(0,n.jsxs)(t.p,{children:["As mentioned in the ",(0,n.jsx)(t.a,{href:"/kr/quick-start",children:"Quick-Start Guide"}),", you can use the installation script available at ",(0,n.jsx)(t.a,{href:"https://get.k3s.io",children:"https://get.k3s.io"})," to install K3s as a service on systemd and openrc based systems."]}),"\n",(0,n.jsx)(t.p,{children:"The simplest form of this command is as follows:"}),"\n",(0,n.jsx)(t.pre,{children:(0,n.jsx)(t.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | sh -\n"})}),"\n",(0,n.jsx)(t.p,{children:"When using this method to install K3s, the following environment variables can be used to configure the installation:"}),"\n",(0,n.jsxs)(t.table,{children:[(0,n.jsx)(t.thead,{children:(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.th,{children:"Environment Variable"}),(0,n.jsx)(t.th,{children:"Description"})]})}),(0,n.jsxs)(t.tbody,{children:[(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_SKIP_DOWNLOAD"})}),(0,n.jsx)(t.td,{children:"If set to true will not download K3s hash or binary."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_SYMLINK"})}),(0,n.jsx)(t.td,{children:"By default will create symlinks for the kubectl, crictl, and ctr binaries if the commands do not already exist in path. If set to 'skip' will not create symlinks and 'force' will overwrite."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_SKIP_ENABLE"})}),(0,n.jsx)(t.td,{children:"If set to true will not enable or start K3s service."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_SKIP_START"})}),(0,n.jsx)(t.td,{children:"If set to true will not start K3s service."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_VERSION"})}),(0,n.jsx)(t.td,{children:"Version of K3s to download from Github. Will attempt to download from the stable channel if not specified."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_BIN_DIR"})}),(0,n.jsxs)(t.td,{children:["Directory to install K3s binary, links, and uninstall script to, or use ",(0,n.jsx)(t.code,{children:"/usr/local/bin"})," as the default."]})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_BIN_DIR_READ_ONLY"})}),(0,n.jsxs)(t.td,{children:["If set to true will not write files to ",(0,n.jsx)(t.code,{children:"INSTALL_K3S_BIN_DIR"}),", forces setting ",(0,n.jsx)(t.code,{children:"INSTALL_K3S_SKIP_DOWNLOAD=true"}),"."]})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_SYSTEMD_DIR"})}),(0,n.jsxs)(t.td,{children:["Directory to install systemd service and environment files to, or use ",(0,n.jsx)(t.code,{children:"/etc/systemd/system"})," as the default."]})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_EXEC"})}),(0,n.jsxs)(t.td,{children:["Command with flags to use for launching K3s in the service. If the command is not specified, and the ",(0,n.jsx)(t.code,{children:"K3S_URL"}),' is set, it will default to "agent." If ',(0,n.jsx)(t.code,{children:"K3S_URL"}),' not set, it will default to "server." For help, refer to ',(0,n.jsx)(t.a,{href:"/kr/installation/configuration#configuration-with-install-script",children:"this example."})]})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_NAME"})}),(0,n.jsx)(t.td,{children:"Name of systemd service to create, will default to 'k3s' if running k3s as a server and 'k3s-agent' if running k3s as an agent. If specified the name will be prefixed with 'k3s-'."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_TYPE"})}),(0,n.jsx)(t.td,{children:"Type of systemd service to create, will default from the K3s exec command if not specified."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_SELINUX_WARN"})}),(0,n.jsx)(t.td,{children:"If set to true will continue if k3s-selinux policy is not found."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_SKIP_SELINUX_RPM"})}),(0,n.jsx)(t.td,{children:"If set to true will skip automatic installation of the k3s RPM."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_CHANNEL_URL"})}),(0,n.jsxs)(t.td,{children:["Channel URL for fetching K3s download URL. Defaults to ",(0,n.jsx)(t.a,{href:"https://update.k3s.io/v1-release/channels",children:"https://update.k3s.io/v1-release/channels"}),"."]})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_CHANNEL"})}),(0,n.jsxs)(t.td,{children:['Channel to use for fetching K3s download URL. Defaults to "stable". Options include: ',(0,n.jsx)(t.code,{children:"stable"}),", ",(0,n.jsx)(t.code,{children:"latest"}),", ",(0,n.jsx)(t.code,{children:"testing"}),"."]})]})]})]}),"\n",(0,n.jsx)(t.p,{children:"This example shows where to place aforementioned environment variables as options (after the pipe):"}),"\n",(0,n.jsx)(t.pre,{children:(0,n.jsx)(t.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | INSTALL_K3S_CHANNEL=latest sh -\n"})}),"\n",(0,n.jsxs)(t.p,{children:["Environment variables which begin with ",(0,n.jsx)(t.code,{children:"K3S_"})," will be preserved for the systemd and openrc services to use."]}),"\n",(0,n.jsxs)(t.p,{children:["Setting ",(0,n.jsx)(t.code,{children:"K3S_URL"}),' without explicitly setting an exec command will default the command to "agent".']}),"\n",(0,n.jsxs)(t.p,{children:["When running the agent, ",(0,n.jsx)(t.code,{children:"K3S_TOKEN"})," must also be set."]})]})}function h(e={}){const{wrapper:t}={...(0,i.a)(),...e.components};return t?(0,n.jsx)(t,{...e,children:(0,n.jsx)(a,{...e})}):a(e)}},1151:(e,t,s)=>{s.d(t,{Z:()=>d,a:()=>l});var n=s(7294);const i={},r=n.createContext(i);function l(e){const t=n.useContext(r);return n.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function d(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(i):e.components||i:l(e.components),n.createElement(r.Provider,{value:t},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/b87d0734.309f13dc.js b/kr/assets/js/b87d0734.309f13dc.js new file mode 100644 index 000000000..7f608c64a --- /dev/null +++ b/kr/assets/js/b87d0734.309f13dc.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[660],{8147:(e,t,s)=>{s.r(t),s.d(t,{assets:()=>c,contentTitle:()=>l,default:()=>h,frontMatter:()=>r,metadata:()=>d,toc:()=>o});var n=s(5893),i=s(1151);const r={title:"Environment Variables"},l=void 0,d={id:"reference/env-variables",title:"Environment Variables",description:"As mentioned in the Quick-Start Guide, you can use the installation script available at https://get.k3s.io to install K3s as a service on systemd and openrc based systems.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/reference/env-variables.md",sourceDirName:"reference",slug:"/reference/env-variables",permalink:"/kr/reference/env-variables",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/reference/env-variables.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Environment Variables"},sidebar:"mySidebar",previous:{title:"\uace0\uae09 \uc635\uc158 / \uc124\uc815",permalink:"/kr/advanced"},next:{title:"Flag Deprecation",permalink:"/kr/reference/flag-deprecation"}},c={},o=[];function a(e){const t={a:"a",code:"code",p:"p",pre:"pre",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",...(0,i.a)(),...e.components};return(0,n.jsxs)(n.Fragment,{children:[(0,n.jsxs)(t.p,{children:["As mentioned in the ",(0,n.jsx)(t.a,{href:"/kr/quick-start",children:"Quick-Start Guide"}),", you can use the installation script available at ",(0,n.jsx)(t.a,{href:"https://get.k3s.io",children:"https://get.k3s.io"})," to install K3s as a service on systemd and openrc based systems."]}),"\n",(0,n.jsx)(t.p,{children:"The simplest form of this command is as follows:"}),"\n",(0,n.jsx)(t.pre,{children:(0,n.jsx)(t.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | sh -\n"})}),"\n",(0,n.jsx)(t.p,{children:"When using this method to install K3s, the following environment variables can be used to configure the installation:"}),"\n",(0,n.jsxs)(t.table,{children:[(0,n.jsx)(t.thead,{children:(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.th,{children:"Environment Variable"}),(0,n.jsx)(t.th,{children:"Description"})]})}),(0,n.jsxs)(t.tbody,{children:[(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_SKIP_DOWNLOAD"})}),(0,n.jsx)(t.td,{children:"If set to true will not download K3s hash or binary."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_SYMLINK"})}),(0,n.jsx)(t.td,{children:"By default will create symlinks for the kubectl, crictl, and ctr binaries if the commands do not already exist in path. If set to 'skip' will not create symlinks and 'force' will overwrite."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_SKIP_ENABLE"})}),(0,n.jsx)(t.td,{children:"If set to true will not enable or start K3s service."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_SKIP_START"})}),(0,n.jsx)(t.td,{children:"If set to true will not start K3s service."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_VERSION"})}),(0,n.jsx)(t.td,{children:"Version of K3s to download from Github. Will attempt to download from the stable channel if not specified."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_BIN_DIR"})}),(0,n.jsxs)(t.td,{children:["Directory to install K3s binary, links, and uninstall script to, or use ",(0,n.jsx)(t.code,{children:"/usr/local/bin"})," as the default."]})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_BIN_DIR_READ_ONLY"})}),(0,n.jsxs)(t.td,{children:["If set to true will not write files to ",(0,n.jsx)(t.code,{children:"INSTALL_K3S_BIN_DIR"}),", forces setting ",(0,n.jsx)(t.code,{children:"INSTALL_K3S_SKIP_DOWNLOAD=true"}),"."]})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_SYSTEMD_DIR"})}),(0,n.jsxs)(t.td,{children:["Directory to install systemd service and environment files to, or use ",(0,n.jsx)(t.code,{children:"/etc/systemd/system"})," as the default."]})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_EXEC"})}),(0,n.jsxs)(t.td,{children:["Command with flags to use for launching K3s in the service. If the command is not specified, and the ",(0,n.jsx)(t.code,{children:"K3S_URL"}),' is set, it will default to "agent." If ',(0,n.jsx)(t.code,{children:"K3S_URL"}),' not set, it will default to "server." For help, refer to ',(0,n.jsx)(t.a,{href:"/kr/installation/configuration#configuration-with-install-script",children:"this example."})]})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_NAME"})}),(0,n.jsx)(t.td,{children:"Name of systemd service to create, will default to 'k3s' if running k3s as a server and 'k3s-agent' if running k3s as an agent. If specified the name will be prefixed with 'k3s-'."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_TYPE"})}),(0,n.jsx)(t.td,{children:"Type of systemd service to create, will default from the K3s exec command if not specified."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_SELINUX_WARN"})}),(0,n.jsx)(t.td,{children:"If set to true will continue if k3s-selinux policy is not found."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_SKIP_SELINUX_RPM"})}),(0,n.jsx)(t.td,{children:"If set to true will skip automatic installation of the k3s RPM."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_CHANNEL_URL"})}),(0,n.jsxs)(t.td,{children:["Channel URL for fetching K3s download URL. Defaults to ",(0,n.jsx)(t.a,{href:"https://update.k3s.io/v1-release/channels",children:"https://update.k3s.io/v1-release/channels"}),"."]})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_CHANNEL"})}),(0,n.jsxs)(t.td,{children:['Channel to use for fetching K3s download URL. Defaults to "stable". Options include: ',(0,n.jsx)(t.code,{children:"stable"}),", ",(0,n.jsx)(t.code,{children:"latest"}),", ",(0,n.jsx)(t.code,{children:"testing"}),"."]})]})]})]}),"\n",(0,n.jsx)(t.p,{children:"This example shows where to place aforementioned environment variables as options (after the pipe):"}),"\n",(0,n.jsx)(t.pre,{children:(0,n.jsx)(t.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | INSTALL_K3S_CHANNEL=latest sh -\n"})}),"\n",(0,n.jsxs)(t.p,{children:["Environment variables which begin with ",(0,n.jsx)(t.code,{children:"K3S_"})," will be preserved for the systemd and openrc services to use."]}),"\n",(0,n.jsxs)(t.p,{children:["Setting ",(0,n.jsx)(t.code,{children:"K3S_URL"}),' without explicitly setting an exec command will default the command to "agent".']}),"\n",(0,n.jsxs)(t.p,{children:["When running the agent, ",(0,n.jsx)(t.code,{children:"K3S_TOKEN"})," must also be set."]})]})}function h(e={}){const{wrapper:t}={...(0,i.a)(),...e.components};return t?(0,n.jsx)(t,{...e,children:(0,n.jsx)(a,{...e})}):a(e)}},1151:(e,t,s)=>{s.d(t,{Z:()=>d,a:()=>l});var n=s(7294);const i={},r=n.createContext(i);function l(e){const t=n.useContext(r);return n.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function d(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(i):e.components||i:l(e.components),n.createElement(r.Provider,{value:t},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/b97d3598.fa076b01.js b/kr/assets/js/b97d3598.fa076b01.js new file mode 100644 index 000000000..202ba9ace --- /dev/null +++ b/kr/assets/js/b97d3598.fa076b01.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7563],{8984:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>o,contentTitle:()=>d,default:()=>h,frontMatter:()=>i,metadata:()=>l,toc:()=>c});var s=t(5893),r=t(1151);const i={title:"Requirements"},d=void 0,l={id:"installation/requirements",title:"Requirements",description:"K3s is very lightweight, but has some minimum requirements as outlined below.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/installation/requirements.md",sourceDirName:"installation",slug:"/installation/requirements",permalink:"/kr/installation/requirements",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/requirements.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Requirements"},sidebar:"mySidebar",previous:{title:"Installation",permalink:"/kr/installation/"},next:{title:"Configuration Options",permalink:"/kr/installation/configuration"}},o={},c=[{value:"Prerequisites",id:"prerequisites",level:2},{value:"Architecture",id:"architecture",level:2},{value:"Operating Systems",id:"operating-systems",level:2},{value:"Hardware",id:"hardware",level:2},{value:"Disks",id:"disks",level:4},{value:"Networking",id:"networking",level:2},{value:"Inbound Rules for K3s Nodes",id:"inbound-rules-for-k3s-nodes",level:3},{value:"Large Clusters",id:"large-clusters",level:2},{value:"CPU and Memory",id:"cpu-and-memory",level:3},{value:"Disks",id:"disks-1",level:3},{value:"Network",id:"network",level:3},{value:"Database",id:"database",level:3}];function a(e){const n={a:"a",admonition:"admonition",code:"code",h2:"h2",h3:"h3",h4:"h4",li:"li",p:"p",pre:"pre",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,r.a)(),...e.components},{TabItem:t,Tabs:i}=n;return t||u("TabItem",!0),i||u("Tabs",!0),(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(n.p,{children:"K3s is very lightweight, but has some minimum requirements as outlined below."}),"\n",(0,s.jsx)(n.p,{children:"Whether you're configuring K3s to run in a container or as a native Linux service, each node running K3s should meet the following minimum requirements. These requirements are baseline for K3s and its packaged components, and do not include resources consumed by the workload itself."}),"\n",(0,s.jsx)(n.h2,{id:"prerequisites",children:"Prerequisites"}),"\n",(0,s.jsx)(n.p,{children:"Two nodes cannot have the same hostname."}),"\n",(0,s.jsxs)(n.p,{children:["If multiple nodes will have the same hostname, or if hostnames may be reused by an automated provisioning system, use the ",(0,s.jsx)(n.code,{children:"--with-node-id"})," option to append a random suffix for each node, or devise a unique name to pass with ",(0,s.jsx)(n.code,{children:"--node-name"})," or ",(0,s.jsx)(n.code,{children:"$K3S_NODE_NAME"})," for each node you add to the cluster."]}),"\n",(0,s.jsx)(n.h2,{id:"architecture",children:"Architecture"}),"\n",(0,s.jsx)(n.p,{children:"K3s is available for the following architectures:"}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsx)(n.li,{children:"x86_64"}),"\n",(0,s.jsx)(n.li,{children:"armhf"}),"\n",(0,s.jsx)(n.li,{children:"arm64/aarch64"}),"\n",(0,s.jsx)(n.li,{children:"s390x"}),"\n"]}),"\n",(0,s.jsx)(n.admonition,{title:"ARM64 Page Size",type:"warning",children:(0,s.jsxs)(n.p,{children:["Prior to May 2023 releases (v1.24.14+k3s1, v1.25.10+k3s1, v1.26.5+k3s1, v1.27.2+k3s1), on ",(0,s.jsx)(n.code,{children:"aarch64/arm64"})," systems, the kernel must use 4k pages. ",(0,s.jsx)(n.strong,{children:"RHEL9"}),", ",(0,s.jsx)(n.strong,{children:"Ubuntu"}),", ",(0,s.jsx)(n.strong,{children:"Raspberry PI OS"}),", and ",(0,s.jsx)(n.strong,{children:"SLES"})," all meet this requirement."]})}),"\n",(0,s.jsx)(n.h2,{id:"operating-systems",children:"Operating Systems"}),"\n",(0,s.jsx)(n.p,{children:"K3s is expected to work on most modern Linux systems."}),"\n",(0,s.jsx)(n.p,{children:"Some OSs have additional setup requirements:"}),"\n",(0,s.jsxs)(i,{queryString:"os",children:[(0,s.jsxs)(t,{value:"rhel",label:"Red Hat Enterprise Linux / CentOS / Fedora",children:[(0,s.jsx)(n.p,{children:"It is recommended to turn off firewalld:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"systemctl disable firewalld --now\n"})}),(0,s.jsx)(n.p,{children:"If you wish to keep firewalld enabled, by default, the following rules are required:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"firewall-cmd --permanent --add-port=6443/tcp #apiserver\nfirewall-cmd --permanent --zone=trusted --add-source=10.42.0.0/16 #pods\nfirewall-cmd --permanent --zone=trusted --add-source=10.43.0.0/16 #services\nfirewall-cmd --reload\n"})}),(0,s.jsxs)(n.p,{children:["Additional ports may need to be opened depending on your setup. See ",(0,s.jsx)(n.a,{href:"#inbound-rules-for-k3s-nodes",children:"Inbound Rules"})," for more information. If you change the default CIDR for pods or services, you will need to update the firewall rules accordingly."]}),(0,s.jsx)(n.p,{children:"If enabled, it is required to disable nm-cloud-setup and reboot the node:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"systemctl disable nm-cloud-setup.service nm-cloud-setup.timer\nreboot\n"})})]}),(0,s.jsxs)(t,{value:"debian",label:"Ubuntu / Debian",children:[(0,s.jsxs)(n.p,{children:["Older Debian release may suffer from a known iptables bug. See ",(0,s.jsx)(n.a,{href:"/kr/known-issues#iptables",children:"Known Issues"}),"."]}),(0,s.jsx)(n.p,{children:"It is recommended to turn off ufw (uncomplicated firewall):"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"ufw disable\n"})}),(0,s.jsx)(n.p,{children:"If you wish to keep ufw enabled, by default, the following rules are required:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"ufw allow 6443/tcp #apiserver\nufw allow from 10.42.0.0/16 to any #pods\nufw allow from 10.43.0.0/16 to any #services\n"})}),(0,s.jsxs)(n.p,{children:["Additional ports may need to be opened depending on your setup. See ",(0,s.jsx)(n.a,{href:"#inbound-rules-for-k3s-nodes",children:"Inbound Rules"})," for more information. If you change the default CIDR for pods or services, you will need to update the firewall rules accordingly."]})]}),(0,s.jsxs)(t,{value:"pi",label:"Raspberry Pi",children:[(0,s.jsxs)(n.p,{children:["Raspberry Pi OS is Debian based, and may suffer from a known iptables bug. See ",(0,s.jsx)(n.a,{href:"/kr/known-issues#iptables",children:"Known Issues"}),"."]}),(0,s.jsxs)(n.p,{children:["Standard Raspberry Pi OS installations do not start with ",(0,s.jsx)(n.code,{children:"cgroups"})," enabled. ",(0,s.jsx)(n.strong,{children:"K3S"})," needs ",(0,s.jsx)(n.code,{children:"cgroups"})," to start the systemd service. ",(0,s.jsx)(n.code,{children:"cgroups"}),"can be enabled by appending ",(0,s.jsx)(n.code,{children:"cgroup_memory=1 cgroup_enable=memory"})," to ",(0,s.jsx)(n.code,{children:"/boot/cmdline.txt"}),"."]}),(0,s.jsx)(n.p,{children:"Example cmdline.txt:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"console=serial0,115200 console=tty1 root=PARTUUID=58b06195-02 rootfstype=ext4 elevator=deadline fsck.repair=yes rootwait cgroup_memory=1 cgroup_enable=memory\n"})}),(0,s.jsx)(n.p,{children:"Starting with Ubuntu 21.10, vxlan support on Raspberry Pi has been moved into a separate kernel module."}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"sudo apt install linux-modules-extra-raspi\n"})})]})]}),"\n",(0,s.jsxs)(n.p,{children:["For more information on which OSs were tested with Rancher managed K3s clusters, refer to the ",(0,s.jsx)(n.a,{href:"https://rancher.com/support-maintenance-terms/",children:"Rancher support and maintenance terms."})]}),"\n",(0,s.jsx)(n.h2,{id:"hardware",children:"Hardware"}),"\n",(0,s.jsx)(n.p,{children:"Hardware requirements scale based on the size of your deployments. Minimum recommendations are outlined here."}),"\n",(0,s.jsxs)(n.table,{children:[(0,s.jsx)(n.thead,{children:(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.th,{children:"Spec"}),(0,s.jsx)(n.th,{children:"Minimum"}),(0,s.jsx)(n.th,{children:"Recommended"})]})}),(0,s.jsxs)(n.tbody,{children:[(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"CPU"}),(0,s.jsx)(n.td,{children:"1 core"}),(0,s.jsx)(n.td,{children:"2 cores"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"RAM"}),(0,s.jsx)(n.td,{children:"512 MB"}),(0,s.jsx)(n.td,{children:"1 GB"})]})]})]}),"\n",(0,s.jsxs)(n.p,{children:[(0,s.jsx)(n.a,{href:"/kr/reference/resource-profiling",children:"Resource Profiling"})," captures the results of tests to determine minimum resource requirements for the K3s agent, the K3s server with a workload, and the K3s server with one agent. It also contains analysis about what has the biggest impact on K3s server and agent utilization, and how the cluster datastore can be protected from interference from agents and workloads."]}),"\n",(0,s.jsx)(n.admonition,{title:"Raspberry Pi and embedded etcd",type:"info",children:(0,s.jsx)(n.p,{children:"If deploying K3s with embedded etcd on a Raspberry Pi, it is recommended that you use an external SSD. etcd is write intensive, and SD cards cannot handle the IO load."})}),"\n",(0,s.jsx)(n.h4,{id:"disks",children:"Disks"}),"\n",(0,s.jsx)(n.p,{children:"K3s performance depends on the performance of the database. To ensure optimal speed, we recommend using an SSD when possible. Disk performance will vary on ARM devices utilizing an SD card or eMMC."}),"\n",(0,s.jsx)(n.h2,{id:"networking",children:"Networking"}),"\n",(0,s.jsx)(n.p,{children:"The K3s server needs port 6443 to be accessible by all nodes."}),"\n",(0,s.jsx)(n.p,{children:"The nodes need to be able to reach other nodes over UDP port 8472 when using the Flannel VXLAN backend, or over UDP port 51820 (and 51821 if IPv6 is used) when using the Flannel WireGuard backend. The node should not listen on any other port. K3s uses reverse tunneling such that the nodes make outbound connections to the server and all kubelet traffic runs through that tunnel. However, if you do not use Flannel and provide your own custom CNI, then the ports needed by Flannel are not needed by K3s."}),"\n",(0,s.jsx)(n.p,{children:"If you wish to utilize the metrics server, all nodes must be accessible to each other on port 10250."}),"\n",(0,s.jsx)(n.p,{children:"If you plan on achieving high availability with embedded etcd, server nodes must be accessible to each other on ports 2379 and 2380."}),"\n",(0,s.jsx)(n.admonition,{title:"Important",type:"tip",children:(0,s.jsx)(n.p,{children:"The VXLAN port on nodes should not be exposed to the world as it opens up your cluster network to be accessed by anyone. Run your nodes behind a firewall/security group that disables access to port 8472."})}),"\n",(0,s.jsx)(n.admonition,{type:"danger",children:(0,s.jsxs)(n.p,{children:["Flannel relies on the ",(0,s.jsx)(n.a,{href:"https://www.cni.dev/plugins/current/main/bridge/",children:"Bridge CNI plugin"})," to create a L2 network that switches traffic. Rogue pods with ",(0,s.jsx)(n.code,{children:"NET_RAW"})," capabilities can abuse that L2 network to launch attacks such as ",(0,s.jsx)(n.a,{href:"https://static.sched.com/hosted_files/kccncna19/72/ARP%20DNS%20spoof.pdf",children:"ARP spoofing"}),". Therefore, as documented in the ",(0,s.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/security/pod-security-standards/",children:"Kubernetes docs"}),", please set a restricted profile that disables ",(0,s.jsx)(n.code,{children:"NET_RAW"})," on non-trustable pods."]})}),"\n",(0,s.jsx)(n.h3,{id:"inbound-rules-for-k3s-nodes",children:"Inbound Rules for K3s Nodes"}),"\n",(0,s.jsxs)(n.table,{children:[(0,s.jsx)(n.thead,{children:(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.th,{children:"Protocol"}),(0,s.jsx)(n.th,{children:"Port"}),(0,s.jsx)(n.th,{children:"Source"}),(0,s.jsx)(n.th,{children:"Destination"}),(0,s.jsx)(n.th,{children:"Description"})]})}),(0,s.jsxs)(n.tbody,{children:[(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"TCP"}),(0,s.jsx)(n.td,{children:"2379-2380"}),(0,s.jsx)(n.td,{children:"Servers"}),(0,s.jsx)(n.td,{children:"Servers"}),(0,s.jsx)(n.td,{children:"Required only for HA with embedded etcd"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"TCP"}),(0,s.jsx)(n.td,{children:"6443"}),(0,s.jsx)(n.td,{children:"Agents"}),(0,s.jsx)(n.td,{children:"Servers"}),(0,s.jsx)(n.td,{children:"K3s supervisor and Kubernetes API Server"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"UDP"}),(0,s.jsx)(n.td,{children:"8472"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"Required only for Flannel VXLAN"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"TCP"}),(0,s.jsx)(n.td,{children:"10250"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"Kubelet metrics"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"UDP"}),(0,s.jsx)(n.td,{children:"51820"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"Required only for Flannel Wireguard with IPv4"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"UDP"}),(0,s.jsx)(n.td,{children:"51821"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"Required only for Flannel Wireguard with IPv6"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"TCP"}),(0,s.jsx)(n.td,{children:"5001"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"Required only for embedded distributed registry (Spegel)"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"TCP"}),(0,s.jsx)(n.td,{children:"6443"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"Required only for embedded distributed registry (Spegel)"})]})]})]}),"\n",(0,s.jsx)(n.p,{children:"Typically, all outbound traffic is allowed."}),"\n",(0,s.jsx)(n.p,{children:"Additional changes to the firewall may be required depending on the OS used."}),"\n",(0,s.jsx)(n.h2,{id:"large-clusters",children:"Large Clusters"}),"\n",(0,s.jsx)(n.p,{children:"Hardware requirements are based on the size of your K3s cluster. For production and large clusters, we recommend using a high-availability setup with an external database. The following options are recommended for the external database in production:"}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsx)(n.li,{children:"MySQL"}),"\n",(0,s.jsx)(n.li,{children:"PostgreSQL"}),"\n",(0,s.jsx)(n.li,{children:"etcd"}),"\n"]}),"\n",(0,s.jsx)(n.h3,{id:"cpu-and-memory",children:"CPU and Memory"}),"\n",(0,s.jsx)(n.p,{children:"The following are the minimum CPU and memory requirements for nodes in a high-availability K3s server:"}),"\n",(0,s.jsxs)(n.table,{children:[(0,s.jsx)(n.thead,{children:(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.th,{style:{textAlign:"center"},children:"Deployment Size"}),(0,s.jsx)(n.th,{style:{textAlign:"center"},children:"Nodes"}),(0,s.jsx)(n.th,{style:{textAlign:"center"},children:"VCPUS"}),(0,s.jsx)(n.th,{style:{textAlign:"center"},children:"RAM"})]})}),(0,s.jsxs)(n.tbody,{children:[(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Small"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Up to 10"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"2"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"4 GB"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Medium"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Up to 100"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"4"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"8 GB"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Large"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Up to 250"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"8"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"16 GB"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"X-Large"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Up to 500"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"16"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"32 GB"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"XX-Large"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"500+"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"32"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"64 GB"})]})]})]}),"\n",(0,s.jsx)(n.h3,{id:"disks-1",children:"Disks"}),"\n",(0,s.jsx)(n.p,{children:"The cluster performance depends on database performance. To ensure optimal speed, we recommend always using SSD disks to back your K3s cluster. On cloud providers, you will also want to use the minimum size that allows the maximum IOPS."}),"\n",(0,s.jsx)(n.h3,{id:"network",children:"Network"}),"\n",(0,s.jsxs)(n.p,{children:["You should consider increasing the subnet size for the cluster CIDR so that you don't run out of IPs for the pods. You can do that by passing the ",(0,s.jsx)(n.code,{children:"--cluster-cidr"})," option to K3s server upon starting."]}),"\n",(0,s.jsx)(n.h3,{id:"database",children:"Database"}),"\n",(0,s.jsxs)(n.p,{children:["K3s supports different databases including MySQL, PostgreSQL, MariaDB, and etcd. See ",(0,s.jsx)(n.a,{href:"/kr/datastore/",children:"Cluster Datastore"})," for more info."]}),"\n",(0,s.jsx)(n.p,{children:"The following is a sizing guide for the database resources you need to run large clusters:"}),"\n",(0,s.jsxs)(n.table,{children:[(0,s.jsx)(n.thead,{children:(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.th,{style:{textAlign:"center"},children:"Deployment Size"}),(0,s.jsx)(n.th,{style:{textAlign:"center"},children:"Nodes"}),(0,s.jsx)(n.th,{style:{textAlign:"center"},children:"VCPUS"}),(0,s.jsx)(n.th,{style:{textAlign:"center"},children:"RAM"})]})}),(0,s.jsxs)(n.tbody,{children:[(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Small"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Up to 10"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"1"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"2 GB"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Medium"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Up to 100"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"2"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"8 GB"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Large"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Up to 250"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"4"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"16 GB"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"X-Large"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Up to 500"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"8"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"32 GB"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"XX-Large"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"500+"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"16"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"64 GB"})]})]})]})]})}function h(e={}){const{wrapper:n}={...(0,r.a)(),...e.components};return n?(0,s.jsx)(n,{...e,children:(0,s.jsx)(a,{...e})}):a(e)}function u(e,n){throw new Error("Expected "+(n?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,n,t)=>{t.d(n,{Z:()=>l,a:()=>d});var s=t(7294);const r={},i=s.createContext(r);function d(e){const n=s.useContext(i);return s.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function l(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:d(e.components),s.createElement(i.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/b97d3598.fcc9795e.js b/kr/assets/js/b97d3598.fcc9795e.js deleted file mode 100644 index 97d916c7d..000000000 --- a/kr/assets/js/b97d3598.fcc9795e.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7563],{8984:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>o,contentTitle:()=>d,default:()=>h,frontMatter:()=>i,metadata:()=>l,toc:()=>c});var s=t(5893),r=t(1151);const i={title:"Requirements"},d=void 0,l={id:"installation/requirements",title:"Requirements",description:"K3s is very lightweight, but has some minimum requirements as outlined below.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/installation/requirements.md",sourceDirName:"installation",slug:"/installation/requirements",permalink:"/kr/installation/requirements",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/requirements.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Requirements"},sidebar:"mySidebar",previous:{title:"Installation",permalink:"/kr/installation/"},next:{title:"Configuration Options",permalink:"/kr/installation/configuration"}},o={},c=[{value:"Prerequisites",id:"prerequisites",level:2},{value:"Architecture",id:"architecture",level:2},{value:"Operating Systems",id:"operating-systems",level:2},{value:"Hardware",id:"hardware",level:2},{value:"Disks",id:"disks",level:4},{value:"Networking",id:"networking",level:2},{value:"Inbound Rules for K3s Nodes",id:"inbound-rules-for-k3s-nodes",level:3},{value:"Large Clusters",id:"large-clusters",level:2},{value:"CPU and Memory",id:"cpu-and-memory",level:3},{value:"Disks",id:"disks-1",level:3},{value:"Network",id:"network",level:3},{value:"Database",id:"database",level:3}];function a(e){const n={a:"a",admonition:"admonition",code:"code",h2:"h2",h3:"h3",h4:"h4",li:"li",p:"p",pre:"pre",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,r.a)(),...e.components},{TabItem:t,Tabs:i}=n;return t||u("TabItem",!0),i||u("Tabs",!0),(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(n.p,{children:"K3s is very lightweight, but has some minimum requirements as outlined below."}),"\n",(0,s.jsx)(n.p,{children:"Whether you're configuring K3s to run in a container or as a native Linux service, each node running K3s should meet the following minimum requirements. These requirements are baseline for K3s and its packaged components, and do not include resources consumed by the workload itself."}),"\n",(0,s.jsx)(n.h2,{id:"prerequisites",children:"Prerequisites"}),"\n",(0,s.jsx)(n.p,{children:"Two nodes cannot have the same hostname."}),"\n",(0,s.jsxs)(n.p,{children:["If multiple nodes will have the same hostname, or if hostnames may be reused by an automated provisioning system, use the ",(0,s.jsx)(n.code,{children:"--with-node-id"})," option to append a random suffix for each node, or devise a unique name to pass with ",(0,s.jsx)(n.code,{children:"--node-name"})," or ",(0,s.jsx)(n.code,{children:"$K3S_NODE_NAME"})," for each node you add to the cluster."]}),"\n",(0,s.jsx)(n.h2,{id:"architecture",children:"Architecture"}),"\n",(0,s.jsx)(n.p,{children:"K3s is available for the following architectures:"}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsx)(n.li,{children:"x86_64"}),"\n",(0,s.jsx)(n.li,{children:"armhf"}),"\n",(0,s.jsx)(n.li,{children:"arm64/aarch64"}),"\n",(0,s.jsx)(n.li,{children:"s390x"}),"\n"]}),"\n",(0,s.jsx)(n.admonition,{title:"ARM64 Page Size",type:"warning",children:(0,s.jsxs)(n.p,{children:["Prior to May 2023 releases (v1.24.14+k3s1, v1.25.10+k3s1, v1.26.5+k3s1, v1.27.2+k3s1), on ",(0,s.jsx)(n.code,{children:"aarch64/arm64"})," systems, the kernel must use 4k pages. ",(0,s.jsx)(n.strong,{children:"RHEL9"}),", ",(0,s.jsx)(n.strong,{children:"Ubuntu"}),", ",(0,s.jsx)(n.strong,{children:"Raspberry PI OS"}),", and ",(0,s.jsx)(n.strong,{children:"SLES"})," all meet this requirement."]})}),"\n",(0,s.jsx)(n.h2,{id:"operating-systems",children:"Operating Systems"}),"\n",(0,s.jsx)(n.p,{children:"K3s is expected to work on most modern Linux systems."}),"\n",(0,s.jsx)(n.p,{children:"Some OSs have additional setup requirements:"}),"\n",(0,s.jsxs)(i,{queryString:"os",children:[(0,s.jsxs)(t,{value:"rhel",label:"Red Hat Enterprise Linux / CentOS / Fedora",children:[(0,s.jsx)(n.p,{children:"It is recommended to turn off firewalld:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"systemctl disable firewalld --now\n"})}),(0,s.jsx)(n.p,{children:"If you wish to keep firewalld enabled, by default, the following rules are required:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"firewall-cmd --permanent --add-port=6443/tcp #apiserver\nfirewall-cmd --permanent --zone=trusted --add-source=10.42.0.0/16 #pods\nfirewall-cmd --permanent --zone=trusted --add-source=10.43.0.0/16 #services\nfirewall-cmd --reload\n"})}),(0,s.jsxs)(n.p,{children:["Additional ports may need to be opened depending on your setup. See ",(0,s.jsx)(n.a,{href:"#inbound-rules-for-k3s-nodes",children:"Inbound Rules"})," for more information. If you change the default CIDR for pods or services, you will need to update the firewall rules accordingly."]}),(0,s.jsx)(n.p,{children:"If enabled, it is required to disable nm-cloud-setup and reboot the node:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"systemctl disable nm-cloud-setup.service nm-cloud-setup.timer\nreboot\n"})})]}),(0,s.jsxs)(t,{value:"debian",label:"Ubuntu / Debian",children:[(0,s.jsxs)(n.p,{children:["Older Debian release may suffer from a known iptables bug. See ",(0,s.jsx)(n.a,{href:"/kr/known-issues#iptables",children:"Known Issues"}),"."]}),(0,s.jsx)(n.p,{children:"It is recommended to turn off ufw (uncomplicated firewall):"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"ufw disable\n"})}),(0,s.jsx)(n.p,{children:"If you wish to keep ufw enabled, by default, the following rules are required:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"ufw allow 6443/tcp #apiserver\nufw allow from 10.42.0.0/16 to any #pods\nufw allow from 10.43.0.0/16 to any #services\n"})}),(0,s.jsxs)(n.p,{children:["Additional ports may need to be opened depending on your setup. See ",(0,s.jsx)(n.a,{href:"#inbound-rules-for-k3s-nodes",children:"Inbound Rules"})," for more information. If you change the default CIDR for pods or services, you will need to update the firewall rules accordingly."]})]}),(0,s.jsxs)(t,{value:"pi",label:"Raspberry Pi",children:[(0,s.jsxs)(n.p,{children:["Raspberry Pi OS is Debian based, and may suffer from a known iptables bug. See ",(0,s.jsx)(n.a,{href:"/kr/known-issues#iptables",children:"Known Issues"}),"."]}),(0,s.jsxs)(n.p,{children:["Standard Raspberry Pi OS installations do not start with ",(0,s.jsx)(n.code,{children:"cgroups"})," enabled. ",(0,s.jsx)(n.strong,{children:"K3S"})," needs ",(0,s.jsx)(n.code,{children:"cgroups"})," to start the systemd service. ",(0,s.jsx)(n.code,{children:"cgroups"}),"can be enabled by appending ",(0,s.jsx)(n.code,{children:"cgroup_memory=1 cgroup_enable=memory"})," to ",(0,s.jsx)(n.code,{children:"/boot/cmdline.txt"}),"."]}),(0,s.jsx)(n.p,{children:"Example cmdline.txt:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"console=serial0,115200 console=tty1 root=PARTUUID=58b06195-02 rootfstype=ext4 elevator=deadline fsck.repair=yes rootwait cgroup_memory=1 cgroup_enable=memory\n"})}),(0,s.jsx)(n.p,{children:"Starting with Ubuntu 21.10, vxlan support on Raspberry Pi has been moved into a separate kernel module."}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"sudo apt install linux-modules-extra-raspi\n"})})]})]}),"\n",(0,s.jsxs)(n.p,{children:["For more information on which OSs were tested with Rancher managed K3s clusters, refer to the ",(0,s.jsx)(n.a,{href:"https://rancher.com/support-maintenance-terms/",children:"Rancher support and maintenance terms."})]}),"\n",(0,s.jsx)(n.h2,{id:"hardware",children:"Hardware"}),"\n",(0,s.jsx)(n.p,{children:"Hardware requirements scale based on the size of your deployments. Minimum recommendations are outlined here."}),"\n",(0,s.jsxs)(n.table,{children:[(0,s.jsx)(n.thead,{children:(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.th,{children:"Spec"}),(0,s.jsx)(n.th,{children:"Minimum"}),(0,s.jsx)(n.th,{children:"Recommended"})]})}),(0,s.jsxs)(n.tbody,{children:[(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"CPU"}),(0,s.jsx)(n.td,{children:"1 core"}),(0,s.jsx)(n.td,{children:"2 cores"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"RAM"}),(0,s.jsx)(n.td,{children:"512 MB"}),(0,s.jsx)(n.td,{children:"1 GB"})]})]})]}),"\n",(0,s.jsxs)(n.p,{children:[(0,s.jsx)(n.a,{href:"/kr/reference/resource-profiling",children:"Resource Profiling"})," captures the results of tests to determine minimum resource requirements for the K3s agent, the K3s server with a workload, and the K3s server with one agent. It also contains analysis about what has the biggest impact on K3s server and agent utilization, and how the cluster datastore can be protected from interference from agents and workloads."]}),"\n",(0,s.jsx)(n.admonition,{title:"Raspberry Pi and embedded etcd",type:"info",children:(0,s.jsx)(n.p,{children:"If deploying K3s with embedded etcd on a Raspberry Pi, it is recommended that you use an external SSD. etcd is write intensive, and SD cards cannot handle the IO load."})}),"\n",(0,s.jsx)(n.h4,{id:"disks",children:"Disks"}),"\n",(0,s.jsx)(n.p,{children:"K3s performance depends on the performance of the database. To ensure optimal speed, we recommend using an SSD when possible. Disk performance will vary on ARM devices utilizing an SD card or eMMC."}),"\n",(0,s.jsx)(n.h2,{id:"networking",children:"Networking"}),"\n",(0,s.jsx)(n.p,{children:"The K3s server needs port 6443 to be accessible by all nodes."}),"\n",(0,s.jsx)(n.p,{children:"The nodes need to be able to reach other nodes over UDP port 8472 when using the Flannel VXLAN backend, or over UDP port 51820 (and 51821 if IPv6 is used) when using the Flannel WireGuard backend. The node should not listen on any other port. K3s uses reverse tunneling such that the nodes make outbound connections to the server and all kubelet traffic runs through that tunnel. However, if you do not use Flannel and provide your own custom CNI, then the ports needed by Flannel are not needed by K3s."}),"\n",(0,s.jsx)(n.p,{children:"If you wish to utilize the metrics server, all nodes must be accessible to each other on port 10250."}),"\n",(0,s.jsx)(n.p,{children:"If you plan on achieving high availability with embedded etcd, server nodes must be accessible to each other on ports 2379 and 2380."}),"\n",(0,s.jsx)(n.admonition,{title:"Important",type:"tip",children:(0,s.jsx)(n.p,{children:"The VXLAN port on nodes should not be exposed to the world as it opens up your cluster network to be accessed by anyone. Run your nodes behind a firewall/security group that disables access to port 8472."})}),"\n",(0,s.jsx)(n.admonition,{type:"danger",children:(0,s.jsxs)(n.p,{children:["Flannel relies on the ",(0,s.jsx)(n.a,{href:"https://www.cni.dev/plugins/current/main/bridge/",children:"Bridge CNI plugin"})," to create a L2 network that switches traffic. Rogue pods with ",(0,s.jsx)(n.code,{children:"NET_RAW"})," capabilities can abuse that L2 network to launch attacks such as ",(0,s.jsx)(n.a,{href:"https://static.sched.com/hosted_files/kccncna19/72/ARP%20DNS%20spoof.pdf",children:"ARP spoofing"}),". Therefore, as documented in the ",(0,s.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/security/pod-security-standards/",children:"Kubernetes docs"}),", please set a restricted profile that disables ",(0,s.jsx)(n.code,{children:"NET_RAW"})," on non-trustable pods."]})}),"\n",(0,s.jsx)(n.h3,{id:"inbound-rules-for-k3s-nodes",children:"Inbound Rules for K3s Nodes"}),"\n",(0,s.jsxs)(n.table,{children:[(0,s.jsx)(n.thead,{children:(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.th,{children:"Protocol"}),(0,s.jsx)(n.th,{children:"Port"}),(0,s.jsx)(n.th,{children:"Source"}),(0,s.jsx)(n.th,{children:"Destination"}),(0,s.jsx)(n.th,{children:"Description"})]})}),(0,s.jsxs)(n.tbody,{children:[(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"TCP"}),(0,s.jsx)(n.td,{children:"2379-2380"}),(0,s.jsx)(n.td,{children:"Servers"}),(0,s.jsx)(n.td,{children:"Servers"}),(0,s.jsx)(n.td,{children:"Required only for HA with embedded etcd"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"TCP"}),(0,s.jsx)(n.td,{children:"6443"}),(0,s.jsx)(n.td,{children:"Agents"}),(0,s.jsx)(n.td,{children:"Servers"}),(0,s.jsx)(n.td,{children:"K3s supervisor and Kubernetes API Server"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"UDP"}),(0,s.jsx)(n.td,{children:"8472"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"Required only for Flannel VXLAN"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"TCP"}),(0,s.jsx)(n.td,{children:"10250"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"Kubelet metrics"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"UDP"}),(0,s.jsx)(n.td,{children:"51820"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"Required only for Flannel Wireguard with IPv4"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"UDP"}),(0,s.jsx)(n.td,{children:"51821"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"Required only for Flannel Wireguard with IPv6"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"TCP"}),(0,s.jsx)(n.td,{children:"5001"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"Required only for embedded distributed registry (Spegel)"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"TCP"}),(0,s.jsx)(n.td,{children:"6443"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"Required only for embedded distributed registry (Spegel)"})]})]})]}),"\n",(0,s.jsx)(n.p,{children:"Typically, all outbound traffic is allowed."}),"\n",(0,s.jsx)(n.p,{children:"Additional changes to the firewall may be required depending on the OS used."}),"\n",(0,s.jsx)(n.h2,{id:"large-clusters",children:"Large Clusters"}),"\n",(0,s.jsx)(n.p,{children:"Hardware requirements are based on the size of your K3s cluster. For production and large clusters, we recommend using a high-availability setup with an external database. The following options are recommended for the external database in production:"}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsx)(n.li,{children:"MySQL"}),"\n",(0,s.jsx)(n.li,{children:"PostgreSQL"}),"\n",(0,s.jsx)(n.li,{children:"etcd"}),"\n"]}),"\n",(0,s.jsx)(n.h3,{id:"cpu-and-memory",children:"CPU and Memory"}),"\n",(0,s.jsx)(n.p,{children:"The following are the minimum CPU and memory requirements for nodes in a high-availability K3s server:"}),"\n",(0,s.jsxs)(n.table,{children:[(0,s.jsx)(n.thead,{children:(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.th,{style:{textAlign:"center"},children:"Deployment Size"}),(0,s.jsx)(n.th,{style:{textAlign:"center"},children:"Nodes"}),(0,s.jsx)(n.th,{style:{textAlign:"center"},children:"VCPUS"}),(0,s.jsx)(n.th,{style:{textAlign:"center"},children:"RAM"})]})}),(0,s.jsxs)(n.tbody,{children:[(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Small"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Up to 10"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"2"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"4 GB"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Medium"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Up to 100"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"4"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"8 GB"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Large"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Up to 250"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"8"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"16 GB"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"X-Large"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Up to 500"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"16"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"32 GB"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"XX-Large"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"500+"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"32"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"64 GB"})]})]})]}),"\n",(0,s.jsx)(n.h3,{id:"disks-1",children:"Disks"}),"\n",(0,s.jsx)(n.p,{children:"The cluster performance depends on database performance. To ensure optimal speed, we recommend always using SSD disks to back your K3s cluster. On cloud providers, you will also want to use the minimum size that allows the maximum IOPS."}),"\n",(0,s.jsx)(n.h3,{id:"network",children:"Network"}),"\n",(0,s.jsxs)(n.p,{children:["You should consider increasing the subnet size for the cluster CIDR so that you don't run out of IPs for the pods. You can do that by passing the ",(0,s.jsx)(n.code,{children:"--cluster-cidr"})," option to K3s server upon starting."]}),"\n",(0,s.jsx)(n.h3,{id:"database",children:"Database"}),"\n",(0,s.jsxs)(n.p,{children:["K3s supports different databases including MySQL, PostgreSQL, MariaDB, and etcd. See ",(0,s.jsx)(n.a,{href:"/kr/datastore/",children:"Cluster Datastore"})," for more info."]}),"\n",(0,s.jsx)(n.p,{children:"The following is a sizing guide for the database resources you need to run large clusters:"}),"\n",(0,s.jsxs)(n.table,{children:[(0,s.jsx)(n.thead,{children:(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.th,{style:{textAlign:"center"},children:"Deployment Size"}),(0,s.jsx)(n.th,{style:{textAlign:"center"},children:"Nodes"}),(0,s.jsx)(n.th,{style:{textAlign:"center"},children:"VCPUS"}),(0,s.jsx)(n.th,{style:{textAlign:"center"},children:"RAM"})]})}),(0,s.jsxs)(n.tbody,{children:[(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Small"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Up to 10"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"1"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"2 GB"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Medium"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Up to 100"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"2"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"8 GB"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Large"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Up to 250"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"4"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"16 GB"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"X-Large"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Up to 500"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"8"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"32 GB"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"XX-Large"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"500+"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"16"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"64 GB"})]})]})]})]})}function h(e={}){const{wrapper:n}={...(0,r.a)(),...e.components};return n?(0,s.jsx)(n,{...e,children:(0,s.jsx)(a,{...e})}):a(e)}function u(e,n){throw new Error("Expected "+(n?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,n,t)=>{t.d(n,{Z:()=>l,a:()=>d});var s=t(7294);const r={},i=s.createContext(r);function d(e){const n=s.useContext(i);return s.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function l(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:d(e.components),s.createElement(i.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/zh/assets/js/97691ddb.3c80872d.js b/kr/assets/js/bccfb1cb.4240bdfb.js similarity index 77% rename from zh/assets/js/97691ddb.3c80872d.js rename to kr/assets/js/bccfb1cb.4240bdfb.js index e8261a476..5b0efee42 100644 --- a/zh/assets/js/97691ddb.3c80872d.js +++ b/kr/assets/js/bccfb1cb.4240bdfb.js @@ -1 +1 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[6499],{5916:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>d,contentTitle:()=>r,default:()=>h,frontMatter:()=>i,metadata:()=>l,toc:()=>a});var s=t(5893),o=t(1151);const i={title:"Managing Server Roles"},r=void 0,l={id:"installation/server-roles",title:"Managing Server Roles",description:"Starting the K3s server with --cluster-init will run all control-plane components, including the apiserver, controller-manager, scheduler, and etcd. It is possible to disable specific components in order to split the control-plane and etcd roles on to separate nodes.",source:"@site/i18n/zh/docusaurus-plugin-content-docs/current/installation/server-roles.md",sourceDirName:"installation",slug:"/installation/server-roles",permalink:"/zh/installation/server-roles",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/server-roles.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Managing Server Roles"},sidebar:"mySidebar",previous:{title:"Air-Gap Install",permalink:"/zh/installation/airgap"},next:{title:"Managing Packaged Components",permalink:"/zh/installation/packaged-components"}},d={},a=[{value:"Dedicated <code>etcd</code> Nodes",id:"dedicated-etcd-nodes",level:2},{value:"Dedicated <code>control-plane</code> Nodes",id:"dedicated-control-plane-nodes",level:2},{value:"Adding Roles To Existing Servers",id:"adding-roles-to-existing-servers",level:2},{value:"Configuration File Syntax",id:"configuration-file-syntax",level:2}];function c(e){const n={a:"a",admonition:"admonition",code:"code",h2:"h2",p:"p",pre:"pre",...(0,o.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsxs)(n.p,{children:["Starting the K3s server with ",(0,s.jsx)(n.code,{children:"--cluster-init"})," will run all control-plane components, including the apiserver, controller-manager, scheduler, and etcd. It is possible to disable specific components in order to split the control-plane and etcd roles on to separate nodes."]}),"\n",(0,s.jsx)(n.admonition,{type:"info",children:(0,s.jsx)(n.p,{children:"This document is only relevant when using embedded etcd. When not using embedded etcd, all servers will have the control-plane role and run control-plane components."})}),"\n",(0,s.jsxs)(n.h2,{id:"dedicated-etcd-nodes",children:["Dedicated ",(0,s.jsx)(n.code,{children:"etcd"})," Nodes"]}),"\n",(0,s.jsxs)(n.p,{children:["To create a server with only the ",(0,s.jsx)(n.code,{children:"etcd"})," role, start K3s with all the control-plane components disabled:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"curl -fL https://get.k3s.io | sh -s - server --cluster-init --disable-apiserver --disable-controller-manager --disable-scheduler\n"})}),"\n",(0,s.jsxs)(n.p,{children:["This first node will start etcd, and wait for additional ",(0,s.jsx)(n.code,{children:"etcd"})," and/or ",(0,s.jsx)(n.code,{children:"control-plane"})," nodes to join. The cluster will not be usable until you join an additional server with the ",(0,s.jsx)(n.code,{children:"control-plane"})," components enabled."]}),"\n",(0,s.jsxs)(n.h2,{id:"dedicated-control-plane-nodes",children:["Dedicated ",(0,s.jsx)(n.code,{children:"control-plane"})," Nodes"]}),"\n",(0,s.jsx)(n.admonition,{type:"note",children:(0,s.jsxs)(n.p,{children:["A dedicated ",(0,s.jsx)(n.code,{children:"control-plane"})," node cannot be the first server in the cluster; there must be an existing node with the ",(0,s.jsx)(n.code,{children:"etcd"})," role before joining dedicated ",(0,s.jsx)(n.code,{children:"control-plane"})," nodes."]})}),"\n",(0,s.jsxs)(n.p,{children:["To create a server with only the ",(0,s.jsx)(n.code,{children:"control-plane"})," role, start k3s with etcd disabled:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"curl -fL https://get.k3s.io | sh -s - server --token <token> --disable-etcd --server https://<etcd-only-node>:6443 \n"})}),"\n",(0,s.jsxs)(n.p,{children:["After creating dedicated server nodes, the selected roles will be visible in ",(0,s.jsx)(n.code,{children:"kubectl get node"}),":"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"$ kubectl get nodes\nNAME STATUS ROLES AGE VERSION\nk3s-server-1 Ready etcd 5h39m v1.20.4+k3s1\nk3s-server-2 Ready control-plane,master 5h39m v1.20.4+k3s1\n"})}),"\n",(0,s.jsx)(n.h2,{id:"adding-roles-to-existing-servers",children:"Adding Roles To Existing Servers"}),"\n",(0,s.jsxs)(n.p,{children:["Roles can be added to existing dedicated nodes by restarting K3s with the disable flags removed. For example ,if you want to add the ",(0,s.jsx)(n.code,{children:"control-plane"})," role to a dedicated ",(0,s.jsx)(n.code,{children:"etcd"})," node, you can remove the ",(0,s.jsx)(n.code,{children:"--disable-apiserver --disable-controller-manager --disable-scheduler"})," flags from the systemd unit or config file, and restart the service."]}),"\n",(0,s.jsx)(n.h2,{id:"configuration-file-syntax",children:"Configuration File Syntax"}),"\n",(0,s.jsxs)(n.p,{children:["As with all other CLI flags, you can use the ",(0,s.jsx)(n.a,{href:"/zh/installation/configuration#configuration-file",children:"Configuration File"})," to disable components, instead of passing the options as CLI flags. For example, to create a dedicated ",(0,s.jsx)(n.code,{children:"etcd"})," node, you can place the following values in ",(0,s.jsx)(n.code,{children:"/etc/rancher/k3s/config.yaml"}),":"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:"cluster-init: true\ndisable-apiserver: true\ndisable-controller-manager: true\ndisable-scheduler: true\n"})})]})}function h(e={}){const{wrapper:n}={...(0,o.a)(),...e.components};return n?(0,s.jsx)(n,{...e,children:(0,s.jsx)(c,{...e})}):c(e)}},1151:(e,n,t)=>{t.d(n,{Z:()=>l,a:()=>r});var s=t(7294);const o={},i=s.createContext(o);function r(e){const n=s.useContext(i);return s.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function l(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(o):e.components||o:r(e.components),s.createElement(i.Provider,{value:n},e.children)}}}]); \ No newline at end of file +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[910],{5009:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>d,contentTitle:()=>i,default:()=>h,frontMatter:()=>r,metadata:()=>l,toc:()=>a});var s=t(5893),o=t(1151);const r={title:"Managing Server Roles"},i=void 0,l={id:"installation/server-roles",title:"Managing Server Roles",description:"Starting the K3s server with --cluster-init will run all control-plane components, including the apiserver, controller-manager, scheduler, and etcd. It is possible to disable specific components in order to split the control-plane and etcd roles on to separate nodes.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/installation/server-roles.md",sourceDirName:"installation",slug:"/installation/server-roles",permalink:"/kr/installation/server-roles",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/server-roles.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Managing Server Roles"},sidebar:"mySidebar",previous:{title:"Air-Gap Install",permalink:"/kr/installation/airgap"},next:{title:"Managing Packaged Components",permalink:"/kr/installation/packaged-components"}},d={},a=[{value:"Dedicated <code>etcd</code> Nodes",id:"dedicated-etcd-nodes",level:2},{value:"Dedicated <code>control-plane</code> Nodes",id:"dedicated-control-plane-nodes",level:2},{value:"Adding Roles To Existing Servers",id:"adding-roles-to-existing-servers",level:2},{value:"Configuration File Syntax",id:"configuration-file-syntax",level:2}];function c(e){const n={a:"a",admonition:"admonition",code:"code",h2:"h2",p:"p",pre:"pre",...(0,o.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsxs)(n.p,{children:["Starting the K3s server with ",(0,s.jsx)(n.code,{children:"--cluster-init"})," will run all control-plane components, including the apiserver, controller-manager, scheduler, and etcd. It is possible to disable specific components in order to split the control-plane and etcd roles on to separate nodes."]}),"\n",(0,s.jsx)(n.admonition,{type:"info",children:(0,s.jsx)(n.p,{children:"This document is only relevant when using embedded etcd. When not using embedded etcd, all servers will have the control-plane role and run control-plane components."})}),"\n",(0,s.jsxs)(n.h2,{id:"dedicated-etcd-nodes",children:["Dedicated ",(0,s.jsx)(n.code,{children:"etcd"})," Nodes"]}),"\n",(0,s.jsxs)(n.p,{children:["To create a server with only the ",(0,s.jsx)(n.code,{children:"etcd"})," role, start K3s with all the control-plane components disabled:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"curl -fL https://get.k3s.io | sh -s - server --cluster-init --disable-apiserver --disable-controller-manager --disable-scheduler\n"})}),"\n",(0,s.jsxs)(n.p,{children:["This first node will start etcd, and wait for additional ",(0,s.jsx)(n.code,{children:"etcd"})," and/or ",(0,s.jsx)(n.code,{children:"control-plane"})," nodes to join. The cluster will not be usable until you join an additional server with the ",(0,s.jsx)(n.code,{children:"control-plane"})," components enabled."]}),"\n",(0,s.jsxs)(n.h2,{id:"dedicated-control-plane-nodes",children:["Dedicated ",(0,s.jsx)(n.code,{children:"control-plane"})," Nodes"]}),"\n",(0,s.jsx)(n.admonition,{type:"note",children:(0,s.jsxs)(n.p,{children:["A dedicated ",(0,s.jsx)(n.code,{children:"control-plane"})," node cannot be the first server in the cluster; there must be an existing node with the ",(0,s.jsx)(n.code,{children:"etcd"})," role before joining dedicated ",(0,s.jsx)(n.code,{children:"control-plane"})," nodes."]})}),"\n",(0,s.jsxs)(n.p,{children:["To create a server with only the ",(0,s.jsx)(n.code,{children:"control-plane"})," role, start k3s with etcd disabled:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"curl -fL https://get.k3s.io | sh -s - server --token <token> --disable-etcd --server https://<etcd-only-node>:6443 \n"})}),"\n",(0,s.jsxs)(n.p,{children:["After creating dedicated server nodes, the selected roles will be visible in ",(0,s.jsx)(n.code,{children:"kubectl get node"}),":"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"$ kubectl get nodes\nNAME STATUS ROLES AGE VERSION\nk3s-server-1 Ready etcd 5h39m v1.20.4+k3s1\nk3s-server-2 Ready control-plane,master 5h39m v1.20.4+k3s1\n"})}),"\n",(0,s.jsx)(n.h2,{id:"adding-roles-to-existing-servers",children:"Adding Roles To Existing Servers"}),"\n",(0,s.jsxs)(n.p,{children:["Roles can be added to existing dedicated nodes by restarting K3s with the disable flags removed. For example ,if you want to add the ",(0,s.jsx)(n.code,{children:"control-plane"})," role to a dedicated ",(0,s.jsx)(n.code,{children:"etcd"})," node, you can remove the ",(0,s.jsx)(n.code,{children:"--disable-apiserver --disable-controller-manager --disable-scheduler"})," flags from the systemd unit or config file, and restart the service."]}),"\n",(0,s.jsx)(n.h2,{id:"configuration-file-syntax",children:"Configuration File Syntax"}),"\n",(0,s.jsxs)(n.p,{children:["As with all other CLI flags, you can use the ",(0,s.jsx)(n.a,{href:"/kr/installation/configuration#configuration-file",children:"Configuration File"})," to disable components, instead of passing the options as CLI flags. For example, to create a dedicated ",(0,s.jsx)(n.code,{children:"etcd"})," node, you can place the following values in ",(0,s.jsx)(n.code,{children:"/etc/rancher/k3s/config.yaml"}),":"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:"cluster-init: true\ndisable-apiserver: true\ndisable-controller-manager: true\ndisable-scheduler: true\n"})})]})}function h(e={}){const{wrapper:n}={...(0,o.a)(),...e.components};return n?(0,s.jsx)(n,{...e,children:(0,s.jsx)(c,{...e})}):c(e)}},1151:(e,n,t)=>{t.d(n,{Z:()=>l,a:()=>i});var s=t(7294);const o={},r=s.createContext(o);function i(e){const n=s.useContext(r);return s.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function l(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(o):e.components||o:i(e.components),s.createElement(r.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/bccfb1cb.d1ce3eb3.js b/kr/assets/js/bccfb1cb.d1ce3eb3.js deleted file mode 100644 index a2918af09..000000000 --- a/kr/assets/js/bccfb1cb.d1ce3eb3.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[910],{5009:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>d,contentTitle:()=>i,default:()=>h,frontMatter:()=>r,metadata:()=>l,toc:()=>a});var s=t(5893),o=t(1151);const r={title:"Managing Server Roles"},i=void 0,l={id:"installation/server-roles",title:"Managing Server Roles",description:"Starting the K3s server with --cluster-init will run all control-plane components, including the apiserver, controller-manager, scheduler, and etcd. It is possible to disable specific components in order to split the control-plane and etcd roles on to separate nodes.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/installation/server-roles.md",sourceDirName:"installation",slug:"/installation/server-roles",permalink:"/kr/installation/server-roles",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/server-roles.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Managing Server Roles"},sidebar:"mySidebar",previous:{title:"Air-Gap Install",permalink:"/kr/installation/airgap"},next:{title:"Managing Packaged Components",permalink:"/kr/installation/packaged-components"}},d={},a=[{value:"Dedicated <code>etcd</code> Nodes",id:"dedicated-etcd-nodes",level:2},{value:"Dedicated <code>control-plane</code> Nodes",id:"dedicated-control-plane-nodes",level:2},{value:"Adding Roles To Existing Servers",id:"adding-roles-to-existing-servers",level:2},{value:"Configuration File Syntax",id:"configuration-file-syntax",level:2}];function c(e){const n={a:"a",admonition:"admonition",code:"code",h2:"h2",p:"p",pre:"pre",...(0,o.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsxs)(n.p,{children:["Starting the K3s server with ",(0,s.jsx)(n.code,{children:"--cluster-init"})," will run all control-plane components, including the apiserver, controller-manager, scheduler, and etcd. It is possible to disable specific components in order to split the control-plane and etcd roles on to separate nodes."]}),"\n",(0,s.jsx)(n.admonition,{type:"info",children:(0,s.jsx)(n.p,{children:"This document is only relevant when using embedded etcd. When not using embedded etcd, all servers will have the control-plane role and run control-plane components."})}),"\n",(0,s.jsxs)(n.h2,{id:"dedicated-etcd-nodes",children:["Dedicated ",(0,s.jsx)(n.code,{children:"etcd"})," Nodes"]}),"\n",(0,s.jsxs)(n.p,{children:["To create a server with only the ",(0,s.jsx)(n.code,{children:"etcd"})," role, start K3s with all the control-plane components disabled:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"curl -fL https://get.k3s.io | sh -s - server --cluster-init --disable-apiserver --disable-controller-manager --disable-scheduler\n"})}),"\n",(0,s.jsxs)(n.p,{children:["This first node will start etcd, and wait for additional ",(0,s.jsx)(n.code,{children:"etcd"})," and/or ",(0,s.jsx)(n.code,{children:"control-plane"})," nodes to join. The cluster will not be usable until you join an additional server with the ",(0,s.jsx)(n.code,{children:"control-plane"})," components enabled."]}),"\n",(0,s.jsxs)(n.h2,{id:"dedicated-control-plane-nodes",children:["Dedicated ",(0,s.jsx)(n.code,{children:"control-plane"})," Nodes"]}),"\n",(0,s.jsx)(n.admonition,{type:"note",children:(0,s.jsxs)(n.p,{children:["A dedicated ",(0,s.jsx)(n.code,{children:"control-plane"})," node cannot be the first server in the cluster; there must be an existing node with the ",(0,s.jsx)(n.code,{children:"etcd"})," role before joining dedicated ",(0,s.jsx)(n.code,{children:"control-plane"})," nodes."]})}),"\n",(0,s.jsxs)(n.p,{children:["To create a server with only the ",(0,s.jsx)(n.code,{children:"control-plane"})," role, start k3s with etcd disabled:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"curl -fL https://get.k3s.io | sh -s - server --token <token> --disable-etcd --server https://<etcd-only-node>:6443 \n"})}),"\n",(0,s.jsxs)(n.p,{children:["After creating dedicated server nodes, the selected roles will be visible in ",(0,s.jsx)(n.code,{children:"kubectl get node"}),":"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"$ kubectl get nodes\nNAME STATUS ROLES AGE VERSION\nk3s-server-1 Ready etcd 5h39m v1.20.4+k3s1\nk3s-server-2 Ready control-plane,master 5h39m v1.20.4+k3s1\n"})}),"\n",(0,s.jsx)(n.h2,{id:"adding-roles-to-existing-servers",children:"Adding Roles To Existing Servers"}),"\n",(0,s.jsxs)(n.p,{children:["Roles can be added to existing dedicated nodes by restarting K3s with the disable flags removed. For example ,if you want to add the ",(0,s.jsx)(n.code,{children:"control-plane"})," role to a dedicated ",(0,s.jsx)(n.code,{children:"etcd"})," node, you can remove the ",(0,s.jsx)(n.code,{children:"--disable-apiserver --disable-controller-manager --disable-scheduler"})," flags from the systemd unit or config file, and restart the service."]}),"\n",(0,s.jsx)(n.h2,{id:"configuration-file-syntax",children:"Configuration File Syntax"}),"\n",(0,s.jsxs)(n.p,{children:["As with all other CLI flags, you can use the ",(0,s.jsx)(n.a,{href:"/kr/installation/configuration#configuration-file",children:"Configuration File"})," to disable components, instead of passing the options as CLI flags. For example, to create a dedicated ",(0,s.jsx)(n.code,{children:"etcd"})," node, you can place the following values in ",(0,s.jsx)(n.code,{children:"/etc/rancher/k3s/config.yaml"}),":"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:"cluster-init: true\ndisable-apiserver: true\ndisable-controller-manager: true\ndisable-scheduler: true\n"})})]})}function h(e={}){const{wrapper:n}={...(0,o.a)(),...e.components};return n?(0,s.jsx)(n,{...e,children:(0,s.jsx)(c,{...e})}):c(e)}},1151:(e,n,t)=>{t.d(n,{Z:()=>l,a:()=>i});var s=t(7294);const o={},r=s.createContext(o);function i(e){const n=s.useContext(r);return s.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function l(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(o):e.components||o:i(e.components),s.createElement(r.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/c5022e3f.6d9082f4.js b/kr/assets/js/c5022e3f.6d9082f4.js deleted file mode 100644 index c672c9a03..000000000 --- a/kr/assets/js/c5022e3f.6d9082f4.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[107],{2531:(e,c,n)=>{n.r(c),n.d(c,{assets:()=>a,contentTitle:()=>l,default:()=>d,frontMatter:()=>r,metadata:()=>o,toc:()=>i});var s=n(5893),t=n(1151);const r={title:"\ud074\ub7ec\uc2a4\ud130 \uc811\uadfc"},l=void 0,o={id:"cluster-access",title:"\ud074\ub7ec\uc2a4\ud130 \uc811\uadfc",description:"/etc/rancher/k3s/k3s.yaml\uc5d0 \uc800\uc7a5\ub41c kubeconfig \ud30c\uc77c\uc740 \ucfe0\ubc84\ub124\ud2f0\uc2a4 \ud074\ub7ec\uc2a4\ud130\uc5d0 \ub300\ud55c \uc561\uc138\uc2a4\ub97c \uad6c\uc131\ud558\ub294 \ub370 \uc0ac\uc6a9\ub429\ub2c8\ub2e4. kubectl \ub610\ub294 helm\uacfc \uac19\uc740 \uc5c5\uc2a4\ud2b8\ub9bc Kubernetes \uba85\ub839\uc904 \ub3c4\uad6c\ub97c \uc124\uce58\ud55c \uacbd\uc6b0 \uc62c\ubc14\ub978 kubeconfig \uacbd\ub85c\ub85c \uad6c\uc131\ud574\uc57c \ud569\ub2c8\ub2e4. \uc774 \uc791\uc5c5\uc740 kubeconfig \ud658\uacbd \ubcc0\uc218\ub97c \ub0b4\ubcf4\ub0b4\uac70\ub098 --kubeconfig \uba85\ub839\uc904 \ud50c\ub798\uadf8\ub97c \ud638\ucd9c\ud558\uc5ec \uc218\ud589\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 \uc544\ub798 \uc608\uc2dc\ub97c \ucc38\uace0\ud558\uc138\uc694.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/cluster-access.md",sourceDirName:".",slug:"/cluster-access",permalink:"/kr/cluster-access",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/cluster-access.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"\ud074\ub7ec\uc2a4\ud130 \uc811\uadfc"},sidebar:"mySidebar",previous:{title:"\uc544\ud0a4\ud14d\ucc98",permalink:"/kr/architecture"},next:{title:"\ubcfc\ub968\uacfc \uc800\uc7a5\uc18c",permalink:"/kr/storage"}},a={},i=[{value:"\uc678\ubd80\uc5d0\uc11c kubectl\ub85c \ud074\ub7ec\uc2a4\ud130\uc5d0 \uc811\uadfc\ud558\uae30",id:"\uc678\ubd80\uc5d0\uc11c-kubectl\ub85c-\ud074\ub7ec\uc2a4\ud130\uc5d0-\uc811\uadfc\ud558\uae30",level:3}];function u(e){const c={code:"code",h3:"h3",p:"p",pre:"pre",...(0,t.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsxs)(c.p,{children:[(0,s.jsx)(c.code,{children:"/etc/rancher/k3s/k3s.yaml"}),"\uc5d0 \uc800\uc7a5\ub41c kubeconfig \ud30c\uc77c\uc740 \ucfe0\ubc84\ub124\ud2f0\uc2a4 \ud074\ub7ec\uc2a4\ud130\uc5d0 \ub300\ud55c \uc561\uc138\uc2a4\ub97c \uad6c\uc131\ud558\ub294 \ub370 \uc0ac\uc6a9\ub429\ub2c8\ub2e4. kubectl \ub610\ub294 helm\uacfc \uac19\uc740 \uc5c5\uc2a4\ud2b8\ub9bc Kubernetes \uba85\ub839\uc904 \ub3c4\uad6c\ub97c \uc124\uce58\ud55c \uacbd\uc6b0 \uc62c\ubc14\ub978 kubeconfig \uacbd\ub85c\ub85c \uad6c\uc131\ud574\uc57c \ud569\ub2c8\ub2e4. \uc774 \uc791\uc5c5\uc740 ",(0,s.jsx)(c.code,{children:"kubeconfig"})," \ud658\uacbd \ubcc0\uc218\ub97c \ub0b4\ubcf4\ub0b4\uac70\ub098 ",(0,s.jsx)(c.code,{children:"--kubeconfig"})," \uba85\ub839\uc904 \ud50c\ub798\uadf8\ub97c \ud638\ucd9c\ud558\uc5ec \uc218\ud589\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 \uc544\ub798 \uc608\uc2dc\ub97c \ucc38\uace0\ud558\uc138\uc694."]}),"\n",(0,s.jsx)(c.p,{children:"KUBECONFIG \ud658\uacbd \ubcc0\uc218\ub97c \ud65c\uc6a9\ud569\ub2c8\ub2e4:"}),"\n",(0,s.jsx)(c.pre,{children:(0,s.jsx)(c.code,{className:"language-bash",children:"export KUBECONFIG=/etc/rancher/k3s/k3s.yaml\nkubectl get pods --all-namespaces\nhelm ls --all-namespaces\n"})}),"\n",(0,s.jsx)(c.p,{children:"\ub610\ub294 \uba85\ub839\uc5d0 kubeconfig \ud30c\uc77c\uc758 \uc704\uce58\ub97c \uc9c0\uc815\ud569\ub2c8\ub2e4:"}),"\n",(0,s.jsx)(c.pre,{children:(0,s.jsx)(c.code,{className:"language-bash",children:"kubectl --kubeconfig /etc/rancher/k3s/k3s.yaml get pods --all-namespaces\nhelm --kubeconfig /etc/rancher/k3s/k3s.yaml ls --all-namespaces\n"})}),"\n",(0,s.jsx)(c.h3,{id:"\uc678\ubd80\uc5d0\uc11c-kubectl\ub85c-\ud074\ub7ec\uc2a4\ud130\uc5d0-\uc811\uadfc\ud558\uae30",children:"\uc678\ubd80\uc5d0\uc11c kubectl\ub85c \ud074\ub7ec\uc2a4\ud130\uc5d0 \uc811\uadfc\ud558\uae30"}),"\n",(0,s.jsxs)(c.p,{children:[(0,s.jsx)(c.code,{children:"/etc/rancher/k3s/k3s.yaml"}),"\ud30c\uc77c\uc744 \ud074\ub7ec\uc2a4\ud130 \uc678\ubd80\uc5d0 \uc704\uce58\ud55c \uba38\uc2e0\uc758 ",(0,s.jsx)(c.code,{children:"~/.kube/config"}),"\ub85c \ubcf5\uc0ac\ud569\ub2c8\ub2e4. \uadf8\ub7f0 \ub2e4\uc74c ",(0,s.jsx)(c.code,{children:"server"})," \ud544\ub4dc\uc758 \uac12\uc744 K3s \uc11c\ubc84\uc758 IP \ub610\ub294 \uc774\ub984\uc73c\ub85c \ubc14\uafc9\ub2c8\ub2e4. \uc774\uc81c ",(0,s.jsx)(c.code,{children:"kubectl"}),"\uc774 K3s \ud074\ub7ec\uc2a4\ud130\ub97c \uad00\ub9ac\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."]})]})}function d(e={}){const{wrapper:c}={...(0,t.a)(),...e.components};return c?(0,s.jsx)(c,{...e,children:(0,s.jsx)(u,{...e})}):u(e)}},1151:(e,c,n)=>{n.d(c,{Z:()=>o,a:()=>l});var s=n(7294);const t={},r=s.createContext(t);function l(e){const c=s.useContext(r);return s.useMemo((function(){return"function"==typeof e?e(c):{...c,...e}}),[c,e])}function o(e){let c;return c=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:l(e.components),s.createElement(r.Provider,{value:c},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/c5022e3f.b4406196.js b/kr/assets/js/c5022e3f.b4406196.js new file mode 100644 index 000000000..ec4000738 --- /dev/null +++ b/kr/assets/js/c5022e3f.b4406196.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[107],{2531:(e,c,n)=>{n.r(c),n.d(c,{assets:()=>a,contentTitle:()=>l,default:()=>d,frontMatter:()=>r,metadata:()=>o,toc:()=>i});var s=n(5893),t=n(1151);const r={title:"\ud074\ub7ec\uc2a4\ud130 \uc811\uadfc"},l=void 0,o={id:"cluster-access",title:"\ud074\ub7ec\uc2a4\ud130 \uc811\uadfc",description:"/etc/rancher/k3s/k3s.yaml\uc5d0 \uc800\uc7a5\ub41c kubeconfig \ud30c\uc77c\uc740 \ucfe0\ubc84\ub124\ud2f0\uc2a4 \ud074\ub7ec\uc2a4\ud130\uc5d0 \ub300\ud55c \uc561\uc138\uc2a4\ub97c \uad6c\uc131\ud558\ub294 \ub370 \uc0ac\uc6a9\ub429\ub2c8\ub2e4. kubectl \ub610\ub294 helm\uacfc \uac19\uc740 \uc5c5\uc2a4\ud2b8\ub9bc Kubernetes \uba85\ub839\uc904 \ub3c4\uad6c\ub97c \uc124\uce58\ud55c \uacbd\uc6b0 \uc62c\ubc14\ub978 kubeconfig \uacbd\ub85c\ub85c \uad6c\uc131\ud574\uc57c \ud569\ub2c8\ub2e4. \uc774 \uc791\uc5c5\uc740 kubeconfig \ud658\uacbd \ubcc0\uc218\ub97c \ub0b4\ubcf4\ub0b4\uac70\ub098 --kubeconfig \uba85\ub839\uc904 \ud50c\ub798\uadf8\ub97c \ud638\ucd9c\ud558\uc5ec \uc218\ud589\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 \uc544\ub798 \uc608\uc2dc\ub97c \ucc38\uace0\ud558\uc138\uc694.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/cluster-access.md",sourceDirName:".",slug:"/cluster-access",permalink:"/kr/cluster-access",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/cluster-access.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"\ud074\ub7ec\uc2a4\ud130 \uc811\uadfc"},sidebar:"mySidebar",previous:{title:"\uc544\ud0a4\ud14d\ucc98",permalink:"/kr/architecture"},next:{title:"\ubcfc\ub968\uacfc \uc800\uc7a5\uc18c",permalink:"/kr/storage"}},a={},i=[{value:"\uc678\ubd80\uc5d0\uc11c kubectl\ub85c \ud074\ub7ec\uc2a4\ud130\uc5d0 \uc811\uadfc\ud558\uae30",id:"\uc678\ubd80\uc5d0\uc11c-kubectl\ub85c-\ud074\ub7ec\uc2a4\ud130\uc5d0-\uc811\uadfc\ud558\uae30",level:3}];function u(e){const c={code:"code",h3:"h3",p:"p",pre:"pre",...(0,t.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsxs)(c.p,{children:[(0,s.jsx)(c.code,{children:"/etc/rancher/k3s/k3s.yaml"}),"\uc5d0 \uc800\uc7a5\ub41c kubeconfig \ud30c\uc77c\uc740 \ucfe0\ubc84\ub124\ud2f0\uc2a4 \ud074\ub7ec\uc2a4\ud130\uc5d0 \ub300\ud55c \uc561\uc138\uc2a4\ub97c \uad6c\uc131\ud558\ub294 \ub370 \uc0ac\uc6a9\ub429\ub2c8\ub2e4. kubectl \ub610\ub294 helm\uacfc \uac19\uc740 \uc5c5\uc2a4\ud2b8\ub9bc Kubernetes \uba85\ub839\uc904 \ub3c4\uad6c\ub97c \uc124\uce58\ud55c \uacbd\uc6b0 \uc62c\ubc14\ub978 kubeconfig \uacbd\ub85c\ub85c \uad6c\uc131\ud574\uc57c \ud569\ub2c8\ub2e4. \uc774 \uc791\uc5c5\uc740 ",(0,s.jsx)(c.code,{children:"kubeconfig"})," \ud658\uacbd \ubcc0\uc218\ub97c \ub0b4\ubcf4\ub0b4\uac70\ub098 ",(0,s.jsx)(c.code,{children:"--kubeconfig"})," \uba85\ub839\uc904 \ud50c\ub798\uadf8\ub97c \ud638\ucd9c\ud558\uc5ec \uc218\ud589\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 \uc544\ub798 \uc608\uc2dc\ub97c \ucc38\uace0\ud558\uc138\uc694."]}),"\n",(0,s.jsx)(c.p,{children:"KUBECONFIG \ud658\uacbd \ubcc0\uc218\ub97c \ud65c\uc6a9\ud569\ub2c8\ub2e4:"}),"\n",(0,s.jsx)(c.pre,{children:(0,s.jsx)(c.code,{className:"language-bash",children:"export KUBECONFIG=/etc/rancher/k3s/k3s.yaml\nkubectl get pods --all-namespaces\nhelm ls --all-namespaces\n"})}),"\n",(0,s.jsx)(c.p,{children:"\ub610\ub294 \uba85\ub839\uc5d0 kubeconfig \ud30c\uc77c\uc758 \uc704\uce58\ub97c \uc9c0\uc815\ud569\ub2c8\ub2e4:"}),"\n",(0,s.jsx)(c.pre,{children:(0,s.jsx)(c.code,{className:"language-bash",children:"kubectl --kubeconfig /etc/rancher/k3s/k3s.yaml get pods --all-namespaces\nhelm --kubeconfig /etc/rancher/k3s/k3s.yaml ls --all-namespaces\n"})}),"\n",(0,s.jsx)(c.h3,{id:"\uc678\ubd80\uc5d0\uc11c-kubectl\ub85c-\ud074\ub7ec\uc2a4\ud130\uc5d0-\uc811\uadfc\ud558\uae30",children:"\uc678\ubd80\uc5d0\uc11c kubectl\ub85c \ud074\ub7ec\uc2a4\ud130\uc5d0 \uc811\uadfc\ud558\uae30"}),"\n",(0,s.jsxs)(c.p,{children:[(0,s.jsx)(c.code,{children:"/etc/rancher/k3s/k3s.yaml"}),"\ud30c\uc77c\uc744 \ud074\ub7ec\uc2a4\ud130 \uc678\ubd80\uc5d0 \uc704\uce58\ud55c \uba38\uc2e0\uc758 ",(0,s.jsx)(c.code,{children:"~/.kube/config"}),"\ub85c \ubcf5\uc0ac\ud569\ub2c8\ub2e4. \uadf8\ub7f0 \ub2e4\uc74c ",(0,s.jsx)(c.code,{children:"server"})," \ud544\ub4dc\uc758 \uac12\uc744 K3s \uc11c\ubc84\uc758 IP \ub610\ub294 \uc774\ub984\uc73c\ub85c \ubc14\uafc9\ub2c8\ub2e4. \uc774\uc81c ",(0,s.jsx)(c.code,{children:"kubectl"}),"\uc774 K3s \ud074\ub7ec\uc2a4\ud130\ub97c \uad00\ub9ac\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."]})]})}function d(e={}){const{wrapper:c}={...(0,t.a)(),...e.components};return c?(0,s.jsx)(c,{...e,children:(0,s.jsx)(u,{...e})}):u(e)}},1151:(e,c,n)=>{n.d(c,{Z:()=>o,a:()=>l});var s=n(7294);const t={},r=s.createContext(t);function l(e){const c=s.useContext(r);return s.useMemo((function(){return"function"==typeof e?e(c):{...c,...e}}),[c,e])}function o(e){let c;return c=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:l(e.components),s.createElement(r.Provider,{value:c},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/c7700003.3cbaaec1.js b/kr/assets/js/c7700003.3cbaaec1.js new file mode 100644 index 000000000..a602f4eb0 --- /dev/null +++ b/kr/assets/js/c7700003.3cbaaec1.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[240],{1083:(e,n,s)=>{s.r(n),s.d(n,{assets:()=>i,contentTitle:()=>o,default:()=>h,frontMatter:()=>a,metadata:()=>l,toc:()=>c});var t=s(5893),r=s(1151);const a={title:"Automated Upgrades"},o=void 0,l={id:"upgrades/automated",title:"Automated Upgrades",description:"Overview",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/upgrades/automated.md",sourceDirName:"upgrades",slug:"/upgrades/automated",permalink:"/kr/upgrades/automated",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/upgrades/automated.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Automated Upgrades"},sidebar:"mySidebar",previous:{title:"Manual Upgrades",permalink:"/kr/upgrades/manual"},next:{title:"\ubcf4\uc548",permalink:"/kr/security/"}},i={},c=[{value:"Overview",id:"overview",level:3},{value:"Install the system-upgrade-controller",id:"install-the-system-upgrade-controller",level:3},{value:"Configure plans",id:"configure-plans",level:3}];function d(e){const n={a:"a",admonition:"admonition",code:"code",em:"em",h3:"h3",li:"li",mdxAdmonitionTitle:"mdxAdmonitionTitle",ol:"ol",p:"p",pre:"pre",ul:"ul",...(0,r.a)(),...e.components};return(0,t.jsxs)(t.Fragment,{children:[(0,t.jsx)(n.h3,{id:"overview",children:"Overview"}),"\n",(0,t.jsxs)(n.p,{children:["You can manage K3s cluster upgrades using Rancher's system-upgrade-controller. This is a Kubernetes-native approach to cluster upgrades. It leverages a ",(0,t.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/#custom-resources",children:"custom resource definition (CRD)"}),", a ",(0,t.jsx)(n.code,{children:"plan"}),", and a ",(0,t.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/architecture/controller/",children:"controller"}),"."]}),"\n",(0,t.jsxs)(n.p,{children:["The plan defines upgrade policies and requirements. It also defines which nodes should be upgraded through a ",(0,t.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/",children:"label selector"}),". See below for plans with defaults appropriate for upgrading a K3s cluster. For more advanced plan configuration options, please review the ",(0,t.jsx)(n.a,{href:"https://github.com/rancher/system-upgrade-controller/blob/master/pkg/apis/upgrade.cattle.io/v1/types.go",children:"CRD"}),"."]}),"\n",(0,t.jsxs)(n.p,{children:["The controller schedules upgrades by monitoring plans and selecting nodes to run upgrade ",(0,t.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/",children:"jobs"})," on. When a job has run to completion successfully, the controller will label the node on which it ran accordingly."]}),"\n",(0,t.jsxs)(n.admonition,{type:"note",children:[(0,t.jsx)(n.mdxAdmonitionTitle,{}),(0,t.jsx)(n.p,{children:"The upgrade job that is launched must be highly privileged. It is configured with the following:"}),(0,t.jsxs)(n.ul,{children:["\n",(0,t.jsxs)(n.li,{children:["Host ",(0,t.jsx)(n.code,{children:"IPC"}),", ",(0,t.jsx)(n.code,{children:"NET"}),", and ",(0,t.jsx)(n.code,{children:"PID"})," namespaces"]}),"\n",(0,t.jsxs)(n.li,{children:["The ",(0,t.jsx)(n.code,{children:"CAP_SYS_BOOT"})," capability"]}),"\n",(0,t.jsxs)(n.li,{children:["Host root mounted at ",(0,t.jsx)(n.code,{children:"/host"})," with read and write permissions"]}),"\n"]})]}),"\n",(0,t.jsx)(n.p,{children:"To automate upgrades in this manner, you must do the following:"}),"\n",(0,t.jsxs)(n.ol,{children:["\n",(0,t.jsx)(n.li,{children:"Install the system-upgrade-controller into your cluster"}),"\n",(0,t.jsx)(n.li,{children:"Configure plans"}),"\n"]}),"\n",(0,t.jsxs)(n.admonition,{type:"warning",children:[(0,t.jsx)(n.p,{children:"If the K3s cluster is managed by Rancher, you should use the Rancher UI to manage upgrades."}),(0,t.jsxs)(n.ul,{children:["\n",(0,t.jsx)(n.li,{children:"If the K3s cluster was imported into Rancher, Rancher will manage the system-upgrade-controller deployment and plans. Do not follow the steps on this page."}),"\n",(0,t.jsx)(n.li,{children:"If the K3s cluster was provisioned by Rancher, Rancher will use system agent to manage version upgrades. Do not follow the steps on this page."}),"\n",(0,t.jsxs)(n.li,{children:["If the K3s cluster is ",(0,t.jsx)(n.em,{children:"not"})," managed Rancher, you may follow the steps below."]}),"\n"]})]}),"\n",(0,t.jsx)(n.p,{children:"For more details on the design and architecture of the system-upgrade-controller or its integration with K3s, see the following Git repositories:"}),"\n",(0,t.jsxs)(n.ul,{children:["\n",(0,t.jsx)(n.li,{children:(0,t.jsx)(n.a,{href:"https://github.com/rancher/system-upgrade-controller",children:"system-upgrade-controller"})}),"\n",(0,t.jsx)(n.li,{children:(0,t.jsx)(n.a,{href:"https://github.com/k3s-io/k3s-upgrade",children:"k3s-upgrade"})}),"\n"]}),"\n",(0,t.jsx)(n.admonition,{type:"tip",children:(0,t.jsxs)(n.p,{children:["When attempting to upgrade to a new version of K3s, the ",(0,t.jsx)(n.a,{href:"https://kubernetes.io/docs/setup/release/version-skew-policy/",children:"Kubernetes version skew policy"})," applies. Ensure that your plan does not skip intermediate minor versions when upgrading. The system-upgrade-controller itself will not protect against unsupported changes to the Kubernetes version."]})}),"\n",(0,t.jsx)(n.h3,{id:"install-the-system-upgrade-controller",children:"Install the system-upgrade-controller"}),"\n",(0,t.jsx)(n.p,{children:"The system-upgrade-controller can be installed as a deployment into your cluster. The deployment requires a service-account, clusterRoleBinding, and a configmap. To install these components, run the following command:"}),"\n",(0,t.jsx)(n.pre,{children:(0,t.jsx)(n.code,{className:"language-bash",children:"kubectl apply -f https://github.com/rancher/system-upgrade-controller/releases/latest/download/system-upgrade-controller.yaml\n"})}),"\n",(0,t.jsx)(n.p,{children:"The controller can be configured and customized via the previously mentioned configmap, but the controller must be redeployed for the changes to be applied."}),"\n",(0,t.jsx)(n.h3,{id:"configure-plans",children:"Configure plans"}),"\n",(0,t.jsx)(n.p,{children:"It is recommended you create at least two plans: a plan for upgrading server (control-plane) nodes and a plan for upgrading agent nodes. You can create additional plans as needed to control the rollout of the upgrade across nodes. Once the plans are created, the controller will pick them up and begin to upgrade your cluster."}),"\n",(0,t.jsx)(n.p,{children:"The following two example plans will upgrade your cluster to K3s v1.24.6+k3s1:"}),"\n",(0,t.jsx)(n.pre,{children:(0,t.jsx)(n.code,{className:"language-yaml",children:'# Server plan\napiVersion: upgrade.cattle.io/v1\nkind: Plan\nmetadata:\n name: server-plan\n namespace: system-upgrade\nspec:\n concurrency: 1\n cordon: true\n nodeSelector:\n matchExpressions:\n - key: node-role.kubernetes.io/control-plane\n operator: In\n values:\n - "true"\n serviceAccountName: system-upgrade\n upgrade:\n image: rancher/k3s-upgrade\n version: v1.24.6+k3s1\n---\n# Agent plan\napiVersion: upgrade.cattle.io/v1\nkind: Plan\nmetadata:\n name: agent-plan\n namespace: system-upgrade\nspec:\n concurrency: 1\n cordon: true\n nodeSelector:\n matchExpressions:\n - key: node-role.kubernetes.io/control-plane\n operator: DoesNotExist\n prepare:\n args:\n - prepare\n - server-plan\n image: rancher/k3s-upgrade\n serviceAccountName: system-upgrade\n upgrade:\n image: rancher/k3s-upgrade\n version: v1.24.6+k3s1\n'})}),"\n",(0,t.jsx)(n.p,{children:"There are a few important things to call out regarding these plans:"}),"\n",(0,t.jsxs)(n.ol,{children:["\n",(0,t.jsxs)(n.li,{children:["\n",(0,t.jsx)(n.p,{children:"The plans must be created in the same namespace where the controller was deployed."}),"\n"]}),"\n",(0,t.jsxs)(n.li,{children:["\n",(0,t.jsxs)(n.p,{children:["The ",(0,t.jsx)(n.code,{children:"concurrency"})," field indicates how many nodes can be upgraded at the same time."]}),"\n"]}),"\n",(0,t.jsxs)(n.li,{children:["\n",(0,t.jsxs)(n.p,{children:["The server-plan targets server nodes by specifying a label selector that selects nodes with the ",(0,t.jsx)(n.code,{children:"node-role.kubernetes.io/control-plane"})," label. The agent-plan targets agent nodes by specifying a label selector that select nodes without that label."]}),"\n"]}),"\n",(0,t.jsxs)(n.li,{children:["\n",(0,t.jsxs)(n.p,{children:["The ",(0,t.jsx)(n.code,{children:"prepare"})," step in the agent-plan will cause upgrade jobs for that plan to wait for the server-plan to complete before they execute."]}),"\n"]}),"\n",(0,t.jsxs)(n.li,{children:["\n",(0,t.jsxs)(n.p,{children:["Both plans have the ",(0,t.jsx)(n.code,{children:"version"})," field set to v1.24.6+k3s1. Alternatively, you can omit the ",(0,t.jsx)(n.code,{children:"version"})," field and set the ",(0,t.jsx)(n.code,{children:"channel"})," field to a URL that resolves to a release of K3s. This will cause the controller to monitor that URL and upgrade the cluster any time it resolves to a new release. This works well with the ",(0,t.jsx)(n.a,{href:"/kr/upgrades/manual#release-channels",children:"release channels"}),". Thus, you can configure your plans with the following channel to ensure your cluster is always automatically upgraded to the newest stable release of K3s:"]}),"\n"]}),"\n"]}),"\n",(0,t.jsx)(n.pre,{children:(0,t.jsx)(n.code,{className:"language-yaml",children:"apiVersion: upgrade.cattle.io/v1\nkind: Plan\n...\nspec:\n ...\n channel: https://update.k3s.io/v1-release/channels/stable\n\n"})}),"\n",(0,t.jsx)(n.p,{children:"As stated, the upgrade will begin as soon as the controller detects that a plan was created. Updating a plan will cause the controller to re-evaluate the plan and determine if another upgrade is needed."}),"\n",(0,t.jsx)(n.p,{children:"You can monitor the progress of an upgrade by viewing the plan and jobs via kubectl:"}),"\n",(0,t.jsx)(n.pre,{children:(0,t.jsx)(n.code,{className:"language-bash",children:"kubectl -n system-upgrade get plans -o yaml\nkubectl -n system-upgrade get jobs -o yaml\n"})})]})}function h(e={}){const{wrapper:n}={...(0,r.a)(),...e.components};return n?(0,t.jsx)(n,{...e,children:(0,t.jsx)(d,{...e})}):d(e)}},1151:(e,n,s)=>{s.d(n,{Z:()=>l,a:()=>o});var t=s(7294);const r={},a=t.createContext(r);function o(e){const n=t.useContext(a);return t.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function l(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:o(e.components),t.createElement(a.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/c7700003.cdcda1c1.js b/kr/assets/js/c7700003.cdcda1c1.js deleted file mode 100644 index 3523e8b7c..000000000 --- a/kr/assets/js/c7700003.cdcda1c1.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[240],{1083:(e,n,s)=>{s.r(n),s.d(n,{assets:()=>i,contentTitle:()=>o,default:()=>h,frontMatter:()=>a,metadata:()=>l,toc:()=>c});var t=s(5893),r=s(1151);const a={title:"Automated Upgrades"},o=void 0,l={id:"upgrades/automated",title:"Automated Upgrades",description:"Overview",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/upgrades/automated.md",sourceDirName:"upgrades",slug:"/upgrades/automated",permalink:"/kr/upgrades/automated",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/upgrades/automated.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Automated Upgrades"},sidebar:"mySidebar",previous:{title:"Manual Upgrades",permalink:"/kr/upgrades/manual"},next:{title:"\ubcf4\uc548",permalink:"/kr/security/"}},i={},c=[{value:"Overview",id:"overview",level:3},{value:"Install the system-upgrade-controller",id:"install-the-system-upgrade-controller",level:3},{value:"Configure plans",id:"configure-plans",level:3}];function d(e){const n={a:"a",admonition:"admonition",code:"code",em:"em",h3:"h3",li:"li",mdxAdmonitionTitle:"mdxAdmonitionTitle",ol:"ol",p:"p",pre:"pre",ul:"ul",...(0,r.a)(),...e.components};return(0,t.jsxs)(t.Fragment,{children:[(0,t.jsx)(n.h3,{id:"overview",children:"Overview"}),"\n",(0,t.jsxs)(n.p,{children:["You can manage K3s cluster upgrades using Rancher's system-upgrade-controller. This is a Kubernetes-native approach to cluster upgrades. It leverages a ",(0,t.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/#custom-resources",children:"custom resource definition (CRD)"}),", a ",(0,t.jsx)(n.code,{children:"plan"}),", and a ",(0,t.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/architecture/controller/",children:"controller"}),"."]}),"\n",(0,t.jsxs)(n.p,{children:["The plan defines upgrade policies and requirements. It also defines which nodes should be upgraded through a ",(0,t.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/",children:"label selector"}),". See below for plans with defaults appropriate for upgrading a K3s cluster. For more advanced plan configuration options, please review the ",(0,t.jsx)(n.a,{href:"https://github.com/rancher/system-upgrade-controller/blob/master/pkg/apis/upgrade.cattle.io/v1/types.go",children:"CRD"}),"."]}),"\n",(0,t.jsxs)(n.p,{children:["The controller schedules upgrades by monitoring plans and selecting nodes to run upgrade ",(0,t.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/",children:"jobs"})," on. When a job has run to completion successfully, the controller will label the node on which it ran accordingly."]}),"\n",(0,t.jsxs)(n.admonition,{type:"note",children:[(0,t.jsx)(n.mdxAdmonitionTitle,{}),(0,t.jsx)(n.p,{children:"The upgrade job that is launched must be highly privileged. It is configured with the following:"}),(0,t.jsxs)(n.ul,{children:["\n",(0,t.jsxs)(n.li,{children:["Host ",(0,t.jsx)(n.code,{children:"IPC"}),", ",(0,t.jsx)(n.code,{children:"NET"}),", and ",(0,t.jsx)(n.code,{children:"PID"})," namespaces"]}),"\n",(0,t.jsxs)(n.li,{children:["The ",(0,t.jsx)(n.code,{children:"CAP_SYS_BOOT"})," capability"]}),"\n",(0,t.jsxs)(n.li,{children:["Host root mounted at ",(0,t.jsx)(n.code,{children:"/host"})," with read and write permissions"]}),"\n"]})]}),"\n",(0,t.jsx)(n.p,{children:"To automate upgrades in this manner, you must do the following:"}),"\n",(0,t.jsxs)(n.ol,{children:["\n",(0,t.jsx)(n.li,{children:"Install the system-upgrade-controller into your cluster"}),"\n",(0,t.jsx)(n.li,{children:"Configure plans"}),"\n"]}),"\n",(0,t.jsxs)(n.admonition,{type:"warning",children:[(0,t.jsx)(n.p,{children:"If the K3s cluster is managed by Rancher, you should use the Rancher UI to manage upgrades."}),(0,t.jsxs)(n.ul,{children:["\n",(0,t.jsx)(n.li,{children:"If the K3s cluster was imported into Rancher, Rancher will manage the system-upgrade-controller deployment and plans. Do not follow the steps on this page."}),"\n",(0,t.jsx)(n.li,{children:"If the K3s cluster was provisioned by Rancher, Rancher will use system agent to manage version upgrades. Do not follow the steps on this page."}),"\n",(0,t.jsxs)(n.li,{children:["If the K3s cluster is ",(0,t.jsx)(n.em,{children:"not"})," managed Rancher, you may follow the steps below."]}),"\n"]})]}),"\n",(0,t.jsx)(n.p,{children:"For more details on the design and architecture of the system-upgrade-controller or its integration with K3s, see the following Git repositories:"}),"\n",(0,t.jsxs)(n.ul,{children:["\n",(0,t.jsx)(n.li,{children:(0,t.jsx)(n.a,{href:"https://github.com/rancher/system-upgrade-controller",children:"system-upgrade-controller"})}),"\n",(0,t.jsx)(n.li,{children:(0,t.jsx)(n.a,{href:"https://github.com/k3s-io/k3s-upgrade",children:"k3s-upgrade"})}),"\n"]}),"\n",(0,t.jsx)(n.admonition,{type:"tip",children:(0,t.jsxs)(n.p,{children:["When attempting to upgrade to a new version of K3s, the ",(0,t.jsx)(n.a,{href:"https://kubernetes.io/docs/setup/release/version-skew-policy/",children:"Kubernetes version skew policy"})," applies. Ensure that your plan does not skip intermediate minor versions when upgrading. The system-upgrade-controller itself will not protect against unsupported changes to the Kubernetes version."]})}),"\n",(0,t.jsx)(n.h3,{id:"install-the-system-upgrade-controller",children:"Install the system-upgrade-controller"}),"\n",(0,t.jsx)(n.p,{children:"The system-upgrade-controller can be installed as a deployment into your cluster. The deployment requires a service-account, clusterRoleBinding, and a configmap. To install these components, run the following command:"}),"\n",(0,t.jsx)(n.pre,{children:(0,t.jsx)(n.code,{className:"language-bash",children:"kubectl apply -f https://github.com/rancher/system-upgrade-controller/releases/latest/download/system-upgrade-controller.yaml\n"})}),"\n",(0,t.jsx)(n.p,{children:"The controller can be configured and customized via the previously mentioned configmap, but the controller must be redeployed for the changes to be applied."}),"\n",(0,t.jsx)(n.h3,{id:"configure-plans",children:"Configure plans"}),"\n",(0,t.jsx)(n.p,{children:"It is recommended you create at least two plans: a plan for upgrading server (control-plane) nodes and a plan for upgrading agent nodes. You can create additional plans as needed to control the rollout of the upgrade across nodes. Once the plans are created, the controller will pick them up and begin to upgrade your cluster."}),"\n",(0,t.jsx)(n.p,{children:"The following two example plans will upgrade your cluster to K3s v1.24.6+k3s1:"}),"\n",(0,t.jsx)(n.pre,{children:(0,t.jsx)(n.code,{className:"language-yaml",children:'# Server plan\napiVersion: upgrade.cattle.io/v1\nkind: Plan\nmetadata:\n name: server-plan\n namespace: system-upgrade\nspec:\n concurrency: 1\n cordon: true\n nodeSelector:\n matchExpressions:\n - key: node-role.kubernetes.io/control-plane\n operator: In\n values:\n - "true"\n serviceAccountName: system-upgrade\n upgrade:\n image: rancher/k3s-upgrade\n version: v1.24.6+k3s1\n---\n# Agent plan\napiVersion: upgrade.cattle.io/v1\nkind: Plan\nmetadata:\n name: agent-plan\n namespace: system-upgrade\nspec:\n concurrency: 1\n cordon: true\n nodeSelector:\n matchExpressions:\n - key: node-role.kubernetes.io/control-plane\n operator: DoesNotExist\n prepare:\n args:\n - prepare\n - server-plan\n image: rancher/k3s-upgrade\n serviceAccountName: system-upgrade\n upgrade:\n image: rancher/k3s-upgrade\n version: v1.24.6+k3s1\n'})}),"\n",(0,t.jsx)(n.p,{children:"There are a few important things to call out regarding these plans:"}),"\n",(0,t.jsxs)(n.ol,{children:["\n",(0,t.jsxs)(n.li,{children:["\n",(0,t.jsx)(n.p,{children:"The plans must be created in the same namespace where the controller was deployed."}),"\n"]}),"\n",(0,t.jsxs)(n.li,{children:["\n",(0,t.jsxs)(n.p,{children:["The ",(0,t.jsx)(n.code,{children:"concurrency"})," field indicates how many nodes can be upgraded at the same time."]}),"\n"]}),"\n",(0,t.jsxs)(n.li,{children:["\n",(0,t.jsxs)(n.p,{children:["The server-plan targets server nodes by specifying a label selector that selects nodes with the ",(0,t.jsx)(n.code,{children:"node-role.kubernetes.io/control-plane"})," label. The agent-plan targets agent nodes by specifying a label selector that select nodes without that label."]}),"\n"]}),"\n",(0,t.jsxs)(n.li,{children:["\n",(0,t.jsxs)(n.p,{children:["The ",(0,t.jsx)(n.code,{children:"prepare"})," step in the agent-plan will cause upgrade jobs for that plan to wait for the server-plan to complete before they execute."]}),"\n"]}),"\n",(0,t.jsxs)(n.li,{children:["\n",(0,t.jsxs)(n.p,{children:["Both plans have the ",(0,t.jsx)(n.code,{children:"version"})," field set to v1.24.6+k3s1. Alternatively, you can omit the ",(0,t.jsx)(n.code,{children:"version"})," field and set the ",(0,t.jsx)(n.code,{children:"channel"})," field to a URL that resolves to a release of K3s. This will cause the controller to monitor that URL and upgrade the cluster any time it resolves to a new release. This works well with the ",(0,t.jsx)(n.a,{href:"/kr/upgrades/manual#release-channels",children:"release channels"}),". Thus, you can configure your plans with the following channel to ensure your cluster is always automatically upgraded to the newest stable release of K3s:"]}),"\n"]}),"\n"]}),"\n",(0,t.jsx)(n.pre,{children:(0,t.jsx)(n.code,{className:"language-yaml",children:"apiVersion: upgrade.cattle.io/v1\nkind: Plan\n...\nspec:\n ...\n channel: https://update.k3s.io/v1-release/channels/stable\n\n"})}),"\n",(0,t.jsx)(n.p,{children:"As stated, the upgrade will begin as soon as the controller detects that a plan was created. Updating a plan will cause the controller to re-evaluate the plan and determine if another upgrade is needed."}),"\n",(0,t.jsx)(n.p,{children:"You can monitor the progress of an upgrade by viewing the plan and jobs via kubectl:"}),"\n",(0,t.jsx)(n.pre,{children:(0,t.jsx)(n.code,{className:"language-bash",children:"kubectl -n system-upgrade get plans -o yaml\nkubectl -n system-upgrade get jobs -o yaml\n"})})]})}function h(e={}){const{wrapper:n}={...(0,r.a)(),...e.components};return n?(0,t.jsx)(n,{...e,children:(0,t.jsx)(d,{...e})}):d(e)}},1151:(e,n,s)=>{s.d(n,{Z:()=>l,a:()=>o});var t=s(7294);const r={},a=t.createContext(r);function o(e){const n=t.useContext(a);return t.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function l(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:o(e.components),t.createElement(a.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/cfa0e807.798b7325.js b/kr/assets/js/cfa0e807.798b7325.js deleted file mode 100644 index f44c6a255..000000000 --- a/kr/assets/js/cfa0e807.798b7325.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[1385],{3934:(e,s,n)=>{n.r(s),n.d(s,{assets:()=>l,contentTitle:()=>c,default:()=>o,frontMatter:()=>d,metadata:()=>i,toc:()=>h});var t=n(5893),r=n(1151);const d={title:"\ud5ec\ub984(Helm)"},c=void 0,i={id:"helm",title:"\ud5ec\ub984(Helm)",description:"\ud5ec\ub984(Helm)\uc740 \ucfe0\ubc84\ub124\ud2f0\uc2a4\ub97c \uc704\ud55c \ud328\ud0a4\uc9c0 \uad00\ub9ac \ub3c4\uad6c\uc785\ub2c8\ub2e4. \ud5ec\ub984 \ucc28\ud2b8\ub294 \ucfe0\ubc84\ub124\ud2f0\uc2a4 YAML \ub9e4\ub2c8\ud398\uc2a4\ud2b8 \ubb38\uc11c\ub97c \uc704\ud55c \ud15c\ud50c\ub9bf \uad6c\ubb38\uc744 \uc81c\uacf5\ud569\ub2c8\ub2e4. \uac1c\ubc1c\uc790 \ub610\ub294 \ud074\ub7ec\uc2a4\ud130 \uad00\ub9ac\uc790\ub294 \ud5ec\ub984\uc744 \uc0ac\uc6a9\ud558\uc5ec \uc815\uc801 \ub9e4\ub2c8\ud398\uc2a4\ud2b8\ub9cc \uc0ac\uc6a9\ud558\ub294 \ub300\uc2e0 \ucc28\ud2b8\ub77c\ub294 \uad6c\uc131 \uac00\ub2a5\ud55c \ud15c\ud50c\ub9bf\uc744 \ub9cc\ub4e4 \uc218 \uc788\ub2e4. \uc790\uc2e0\ub9cc\uc758 \ucc28\ud2b8 \uce74\ud0c8\ub85c\uadf8 \uc0dd\uc131\uc5d0 \ub300\ud55c \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 https://helm.sh/docs/intro/quickstart/\uc5d0\uc11c \ubb38\uc11c\ub97c \ud655\uc778\ud558\uc138\uc694.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/helm.md",sourceDirName:".",slug:"/helm",permalink:"/kr/helm",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/helm.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"\ud5ec\ub984(Helm)"},sidebar:"mySidebar",previous:{title:"Networking Services",permalink:"/kr/networking/networking-services"},next:{title:"\uace0\uae09 \uc635\uc158 / \uc124\uc815",permalink:"/kr/advanced"}},l={},h=[{value:"\ud5ec\ub984 \ucee8\ud2b8\ub864\ub7ec \uc0ac\uc6a9\ud558\uae30",id:"\ud5ec\ub984-\ucee8\ud2b8\ub864\ub7ec-\uc0ac\uc6a9\ud558\uae30",level:3},{value:"HelmChart \ud544\ub4dc \uc815\uc758",id:"helmchart-\ud544\ub4dc-\uc815\uc758",level:4},{value:"HelmChartConfig\ub85c \ud328\ud0a4\uc9c0 \ucef4\ud3ec\ub10c\ud2b8 \ucee4\uc2a4\ud130\ub9c8\uc774\uc9d5\ud558\uae30",id:"helmchartconfig\ub85c-\ud328\ud0a4\uc9c0-\ucef4\ud3ec\ub10c\ud2b8-\ucee4\uc2a4\ud130\ub9c8\uc774\uc9d5\ud558\uae30",level:3},{value:"\ud5ec\ub984 \ubc84\uc804 2\uc5d0\uc11c \ub9c8\uc774\uadf8\ub808\uc774\uc158\ud558\uae30",id:"\ud5ec\ub984-\ubc84\uc804-2\uc5d0\uc11c-\ub9c8\uc774\uadf8\ub808\uc774\uc158\ud558\uae30",level:3}];function a(e){const s={a:"a",admonition:"admonition",code:"code",h3:"h3",h4:"h4",p:"p",pre:"pre",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",...(0,r.a)(),...e.components};return(0,t.jsxs)(t.Fragment,{children:[(0,t.jsxs)(s.p,{children:["\ud5ec\ub984(Helm)\uc740 \ucfe0\ubc84\ub124\ud2f0\uc2a4\ub97c \uc704\ud55c \ud328\ud0a4\uc9c0 \uad00\ub9ac \ub3c4\uad6c\uc785\ub2c8\ub2e4. \ud5ec\ub984 \ucc28\ud2b8\ub294 \ucfe0\ubc84\ub124\ud2f0\uc2a4 YAML \ub9e4\ub2c8\ud398\uc2a4\ud2b8 \ubb38\uc11c\ub97c \uc704\ud55c \ud15c\ud50c\ub9bf \uad6c\ubb38\uc744 \uc81c\uacf5\ud569\ub2c8\ub2e4. \uac1c\ubc1c\uc790 \ub610\ub294 \ud074\ub7ec\uc2a4\ud130 \uad00\ub9ac\uc790\ub294 \ud5ec\ub984\uc744 \uc0ac\uc6a9\ud558\uc5ec \uc815\uc801 \ub9e4\ub2c8\ud398\uc2a4\ud2b8\ub9cc \uc0ac\uc6a9\ud558\ub294 \ub300\uc2e0 \ucc28\ud2b8\ub77c\ub294 \uad6c\uc131 \uac00\ub2a5\ud55c \ud15c\ud50c\ub9bf\uc744 \ub9cc\ub4e4 \uc218 \uc788\ub2e4. \uc790\uc2e0\ub9cc\uc758 \ucc28\ud2b8 \uce74\ud0c8\ub85c\uadf8 \uc0dd\uc131\uc5d0 \ub300\ud55c \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,t.jsx)(s.a,{href:"https://helm.sh/docs/intro/quickstart/",children:"https://helm.sh/docs/intro/quickstart/"}),"\uc5d0\uc11c \ubb38\uc11c\ub97c \ud655\uc778\ud558\uc138\uc694."]}),"\n",(0,t.jsxs)(s.p,{children:["K3s\ub294 \ud5ec\ub984\uc744 \uc9c0\uc6d0\ud558\uae30 \uc704\ud55c \ubcc4\ub3c4\uc758 \uad6c\uc131\uc774 \ud544\uc694\ud558\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4. \ub2e4\ub9cc, ",(0,t.jsx)(s.a,{href:"/kr/cluster-access",children:"\ud074\ub7ec\uc2a4\ud130 \uc561\uc138\uc2a4"})," \ubb38\uc11c\uc5d0 \ub530\ub77c kubeconfig \uacbd\ub85c\ub97c \uc62c\ubc14\ub974\uac8c \uc124\uc815\ud588\ub294\uc9c0 \ud655\uc778\ud558\uba74 \ub429\ub2c8\ub2e4."]}),"\n",(0,t.jsxs)(s.p,{children:["K3s\uc5d0\ub294 \ud5ec\ub984 \ucc28\ud2b8\uc758 \uc124\uce58, \uc5c5\uadf8\ub808\uc774\ub4dc/\uc7ac\uad6c\uc131 \ubc0f \uc81c\uac70\ub97c \uad00\ub9ac\ud558\ub294 ",(0,t.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/",children:"Helm Controller"}),"\uac00 \ud3ec\ud568\ub418\uc5b4 \uc788\uc73c\uba70, \ud5ec\ub984 \ucc28\ud2b8 \ucee4\uc2a4\ud140 \ub9ac\uc18c\uc2a4 \uc815\uc758(CRD)\ub97c \uc0ac\uc6a9\ud558\uc5ec \ud5ec\ub984 \ucc28\ud2b8\ub97c \uc124\uce58, \uc5c5\uadf8\ub808\uc774\ub4dc/\uc7ac\uad6c\uc131 \ubc0f \uc81c\uac70\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \uc560\ub4dc\uc628 \ub9e4\ub2c8\ud398\uc2a4\ud2b8 \uc790\ub3d9 \ubc30\ud3ec](./installation/packaged-components.md)\uc640 \ud568\uaed8 \uc0ac\uc6a9\ud558\uba74 \ub514\uc2a4\ud06c\uc5d0 \ub2e8\uc77c \ud30c\uc77c\uc744 \uc0dd\uc131\ud558\uc5ec \ud074\ub7ec\uc2a4\ud130\uc5d0 \ud5ec\ub984 \ucc28\ud2b8\ub97c \uc124\uce58\ud558\ub294 \uac83\uc744 \uc790\ub3d9\ud654\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."]}),"\n",(0,t.jsx)(s.h3,{id:"\ud5ec\ub984-\ucee8\ud2b8\ub864\ub7ec-\uc0ac\uc6a9\ud558\uae30",children:"\ud5ec\ub984 \ucee8\ud2b8\ub864\ub7ec \uc0ac\uc6a9\ud558\uae30"}),"\n",(0,t.jsxs)(s.p,{children:[(0,t.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller#helm-controller",children:"\ud5ec\ub984 \ucc28\ud2b8 \ucee4\uc2a4\ud140 \ub9ac\uc18c\uc2a4"}),"\ub294 \uc77c\ubc18\uc801\uc73c\ub85c ",(0,t.jsx)(s.code,{children:"helm"})," \uba85\ub839\uc904 \ub3c4\uad6c\uc5d0 \uc804\ub2ec\ud560 \ub300\ubd80\ubd84\uc758 \uc635\uc158\uc744 \ub2f4\uace0 \uc788\uc2b5\ub2c8\ub2e4. \ub2e4\uc74c\uc740 Bitnami \ucc28\ud2b8 \uc800\uc7a5\uc18c\uc5d0\uc11c \uc544\ud30c\uce58\ub97c \ubc30\ud3ec\ud558\uc5ec \uae30\ubcf8 \ucc28\ud2b8 \uac12 \uc911 \uc77c\ubd80\ub97c \uc7ac\uc815\uc758\ud558\ub294 \ubc29\ubc95\uc5d0 \ub300\ud55c \uc608\uc81c\uc785\ub2c8\ub2e4. HelmChart \ub9ac\uc18c\uc2a4 \uc790\uccb4\ub294 ",(0,t.jsx)(s.code,{children:"kube-system"})," \ub124\uc784\uc2a4\ud398\uc774\uc2a4\uc5d0 \uc788\uc9c0\ub9cc, \ucc28\ud2b8\uc758 \ub9ac\uc18c\uc2a4\ub294 \ub3d9\uc77c\ud55c \ub9e4\ub2c8\ud398\uc2a4\ud2b8\uc5d0 \uc0dd\uc131\ub418\ub294 ",(0,t.jsx)(s.code,{children:"web"})," \ub124\uc784\uc2a4\ud398\uc774\uc2a4\uc5d0 \ubc30\ud3ec\ub41c\ub2e4\ub294 \uc810\uc5d0 \uc720\uc758\ud558\uc138\uc694. \uc774\ub294 HelmChart \ub9ac\uc18c\uc2a4\ub97c \ubc30\ud3ec\ud558\ub294 \ub9ac\uc18c\uc2a4\uc640 \ubd84\ub9ac\ud558\uc5ec \uc720\uc9c0\ud558\ub824\ub294 \uacbd\uc6b0\uc5d0 \uc720\uc6a9\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."]}),"\n",(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-yaml",children:"apiVersion: v1\nkind: Namespace\nmetadata:\n name: web\n---\napiVersion: helm.cattle.io/v1\nkind: HelmChart\nmetadata:\n name: apache\n namespace: kube-system\nspec:\n repo: https://charts.bitnami.com/bitnami\n chart: apache\n targetNamespace: web\n valuesContent: |-\n service:\n type: ClusterIP\n ingress:\n enabled: true\n hostname: www.example.com\n metrics:\n enabled: true\n"})}),"\n",(0,t.jsx)(s.h4,{id:"helmchart-\ud544\ub4dc-\uc815\uc758",children:"HelmChart \ud544\ub4dc \uc815\uc758"}),"\n",(0,t.jsxs)(s.table,{children:[(0,t.jsx)(s.thead,{children:(0,t.jsxs)(s.tr,{children:[(0,t.jsx)(s.th,{children:"\ud544\ub4dc"}),(0,t.jsx)(s.th,{children:"\uae30\ubcf8\uac12"}),(0,t.jsx)(s.th,{children:"\uc124\uba85"}),(0,t.jsx)(s.th,{children:"\ud5ec\ub984 \uc778\uc218 / \ud50c\ub798\uadf8 \uc0c1\uc751\uac12"})]})}),(0,t.jsxs)(s.tbody,{children:[(0,t.jsxs)(s.tr,{children:[(0,t.jsx)(s.td,{children:"metadata.name"}),(0,t.jsx)(s.td,{}),(0,t.jsx)(s.td,{children:"\ud5ec\ub984 \ucc28\ud2b8 \uc774\ub984"}),(0,t.jsx)(s.td,{children:"NAME"})]}),(0,t.jsxs)(s.tr,{children:[(0,t.jsx)(s.td,{children:"spec.chart"}),(0,t.jsx)(s.td,{}),(0,t.jsx)(s.td,{children:"\ub9ac\ud3ec\uc9c0\ud1a0\ub9ac\uc5d0 \uc788\ub294 \ud5ec\ub984 \ucc28\ud2b8 \uc774\ub984 \ub610\ub294 \ucc28\ud2b8 \uc544\uce74\uc774\ube0c(.tgz)\uc5d0 \ub300\ud55c \uc804\uccb4 HTTPS URL"}),(0,t.jsx)(s.td,{children:"CHART"})]}),(0,t.jsxs)(s.tr,{children:[(0,t.jsx)(s.td,{children:"spec.targetNamespace"}),(0,t.jsx)(s.td,{children:"default"}),(0,t.jsx)(s.td,{children:"\ud5ec\ub984 \ucc28\ud2b8 \ub300\uc0c1 \ub124\uc784\uc2a4\ud398\uc774\uc2a4"}),(0,t.jsx)(s.td,{children:(0,t.jsx)(s.code,{children:"--namespace"})})]}),(0,t.jsxs)(s.tr,{children:[(0,t.jsx)(s.td,{children:"spec.version"}),(0,t.jsx)(s.td,{}),(0,t.jsx)(s.td,{children:"\ud5ec\ub984 \ucc28\ud2b8 \ubc84\uc804(\ub9ac\ud3ec\uc9c0\ud1a0\ub9ac\uc5d0\uc11c \uc124\uce58\ud558\ub294 \uacbd\uc6b0)"}),(0,t.jsx)(s.td,{children:(0,t.jsx)(s.code,{children:"--version"})})]}),(0,t.jsxs)(s.tr,{children:[(0,t.jsx)(s.td,{children:"spec.repo"}),(0,t.jsx)(s.td,{}),(0,t.jsx)(s.td,{children:"\ud5ec\ub984 \ucc28\ud2b8 \ub9ac\ud3ec\uc9c0\ud1a0\ub9ac URL"}),(0,t.jsx)(s.td,{children:(0,t.jsx)(s.code,{children:"--repo"})})]}),(0,t.jsxs)(s.tr,{children:[(0,t.jsx)(s.td,{children:"spec.repoCA"}),(0,t.jsx)(s.td,{}),(0,t.jsx)(s.td,{children:"HTTPS \uc0ac\uc6a9 \uc11c\ubc84\uc758 \uc778\uc99d\uc11c\ub97c \uc9c0\uc815"}),(0,t.jsx)(s.td,{children:(0,t.jsx)(s.code,{children:"--ca-file"})})]}),(0,t.jsxs)(s.tr,{children:[(0,t.jsx)(s.td,{children:"spec.helmVersion"}),(0,t.jsx)(s.td,{children:"v3"}),(0,t.jsxs)(s.td,{children:["\uc0ac\uc6a9\ud560 \ud5ec\ub984 \ubc84\uc804 (",(0,t.jsx)(s.code,{children:"v2"})," \ud639\uc740 ",(0,t.jsx)(s.code,{children:"v3"}),")"]}),(0,t.jsx)(s.td,{})]}),(0,t.jsxs)(s.tr,{children:[(0,t.jsx)(s.td,{children:"spec.bootstrap"}),(0,t.jsx)(s.td,{children:"False"}),(0,t.jsx)(s.td,{children:"\ud074\ub7ec\uc2a4\ud130(\ud074\ub77c\uc6b0\ub4dc \ucee8\ud2b8\ub864\ub7ec \uad00\ub9ac\uc790 \ub4f1)\ub97c \ubd80\ud2b8\uc2a4\ud2b8\ub7a9\ud558\ub294 \ub370 \uc774 \ucc28\ud2b8\uac00 \ud544\uc694\ud55c \uacbd\uc6b0 True\ub85c \uc124\uc815\ud569\ub2c8\ub2e4."}),(0,t.jsx)(s.td,{})]}),(0,t.jsxs)(s.tr,{children:[(0,t.jsx)(s.td,{children:"spec.set"}),(0,t.jsx)(s.td,{}),(0,t.jsx)(s.td,{children:"\uac04\ub2e8\ud55c \uae30\ubcf8 \ucc28\ud2b8 \uac12\uc744 \uc7ac\uc815\uc758\ud569\ub2c8\ub2e4. \uac12\uc744 \ud1b5\ud574 \uc124\uc815\ub41c \uc635\uc158\ubcf4\ub2e4 \uc6b0\uc120\ud569\ub2c8\ub2e4."}),(0,t.jsxs)(s.td,{children:[(0,t.jsx)(s.code,{children:"--set"})," / ",(0,t.jsx)(s.code,{children:"--set-string"})]})]}),(0,t.jsxs)(s.tr,{children:[(0,t.jsx)(s.td,{children:"spec.jobImage"}),(0,t.jsx)(s.td,{}),(0,t.jsxs)(s.td,{children:["\ud5ec\ub984 \ucc28\ud2b8\ub97c \uc124\uce58\ud560 \ub54c \uc0ac\uc6a9\ud560 \uc774\ubbf8\uc9c0\ub97c \uc9c0\uc815\ud569\ub2c8\ub2e4. \uc608\uc2dc. rancher/klipper-helm",":v0",".3.0 ."]}),(0,t.jsx)(s.td,{})]}),(0,t.jsxs)(s.tr,{children:[(0,t.jsx)(s.td,{children:"spec.timeout"}),(0,t.jsx)(s.td,{children:"300"}),(0,t.jsx)(s.td,{children:"\ud5ec\ub984 \uc791\uc5c5 \uc2dc\uac04 \ucd08\uacfc(\ucd08)"}),(0,t.jsx)(s.td,{children:(0,t.jsx)(s.code,{children:"--timeout"})})]}),(0,t.jsxs)(s.tr,{children:[(0,t.jsx)(s.td,{children:"spec.failurePolicy"}),(0,t.jsx)(s.td,{children:"reinstall"}),(0,t.jsxs)(s.td,{children:[(0,t.jsx)(s.code,{children:"abort"}),"\ub85c \uc124\uc815\ud558\uba74 \ud5ec\ub984 \uc791\uc5c5\uc774 \uc911\ub2e8\ub418\uace0 \uc6b4\uc601\uc790\uc758 \uc218\ub3d9 \uac1c\uc785\uc774 \uc788\uc744 \ub54c\uae4c\uc9c0 \uc911\ub2e8\ub41c\ub2e4."]}),(0,t.jsx)(s.td,{})]}),(0,t.jsxs)(s.tr,{children:[(0,t.jsx)(s.td,{children:"spec.valuesContent"}),(0,t.jsx)(s.td,{}),(0,t.jsx)(s.td,{children:"YAML \ud30c\uc77c \ucf58\ud150\uce20\ub97c \ud1b5\ud574 \ubcf5\uc7a1\ud55c \uae30\ubcf8 \ucc28\ud2b8 \uac12 \uc7ac\uc815\uc758"}),(0,t.jsx)(s.td,{children:(0,t.jsx)(s.code,{children:"--values"})})]}),(0,t.jsxs)(s.tr,{children:[(0,t.jsx)(s.td,{children:"spec.chartContent"}),(0,t.jsx)(s.td,{}),(0,t.jsx)(s.td,{children:"Base64\ub85c \uc778\ucf54\ub529\ub41c \ucc28\ud2b8 \uc544\uce74\uc774\ube0c .tgz - spec.chart\ub97c \uc7ac\uc815\uc758\ud569\ub2c8\ub2e4."}),(0,t.jsx)(s.td,{children:"CHART"})]})]})]}),"\n",(0,t.jsxs)(s.p,{children:[(0,t.jsx)(s.code,{children:"/var/lib/rancher/k3s/server/static/"}),"\uc5d0 \uc704\uce58\ud55c \ucf58\ud150\uce20\ub294 \ud074\ub7ec\uc2a4\ud130 \ub0b4\uc5d0\uc11c \ucfe0\ubc84\ub124\ud2f0\uc2a4 APIServer\ub97c \ud1b5\ud574 \uc775\uba85\uc73c\ub85c \uc561\uc138\uc2a4\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \uc774 URL\uc740 ",(0,t.jsx)(s.code,{children:"spec.chart"})," \ud544\ub4dc\uc5d0 \uc788\ub294 \ud2b9\uc218 \ubcc0\uc218 ",(0,t.jsx)(s.code,{children:"%{KUBERNETES_API}%"}),"\ub97c \uc0ac\uc6a9\ud558\uc5ec \ud15c\ud50c\ub9bf\ud654\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \uc608\ub97c \ub4e4\uc5b4, \ud328\ud0a4\uc9c0\ud654\ub41c Traefik \ucef4\ud3ec\ub10c\ud2b8\ub294 ",(0,t.jsx)(s.code,{children:"https://%{KUBERNETES_API}%/static/charts/traefik-12.0.000.tgz"}),"\uc5d0\uc11c \ud574\ub2f9 \ucc28\ud2b8\ub97c \ub85c\ub4dc\ud569\ub2c8\ub2e4."]}),"\n",(0,t.jsx)(s.admonition,{type:"note",children:(0,t.jsxs)(s.p,{children:[(0,t.jsx)(s.code,{children:"name"})," \ud544\ub4dc\ub294 \ud5ec\ub984 \ucc28\ud2b8 \uba85\uba85 \uaddc\uce59\uc744 \ub530\ub77c\uc57c \ud569\ub2c8\ub2e4. \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,t.jsx)(s.a,{href:"https://helm.sh/docs/chart_best_practices/conventions/#chart-names",children:"\ud5ec\ub984 \ubca0\uc2a4\ud2b8 \ud504\ub799\ud2f0\uc2a4 \ubb38\uc11c"}),"\ub97c \ucc38\uace0\ud558\uc138\uc694."]})}),"\n",(0,t.jsx)(s.h3,{id:"helmchartconfig\ub85c-\ud328\ud0a4\uc9c0-\ucef4\ud3ec\ub10c\ud2b8-\ucee4\uc2a4\ud130\ub9c8\uc774\uc9d5\ud558\uae30",children:"HelmChartConfig\ub85c \ud328\ud0a4\uc9c0 \ucef4\ud3ec\ub10c\ud2b8 \ucee4\uc2a4\ud130\ub9c8\uc774\uc9d5\ud558\uae30"}),"\n",(0,t.jsx)(s.admonition,{title:"Version Gate",type:"info",children:(0,t.jsxs)(s.p,{children:[(0,t.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.19.1%2Bk3s1",children:"v1.19.1+k3s1"})," \ubd80\ud130 \uc0ac\uc6a9 \uac00\ub2a5"]})}),"\n",(0,t.jsxs)(s.p,{children:["HelmChart\ub85c \ubc30\ud3ec\ub418\ub294 \ud328\ud0a4\uc9c0 \ucef4\ud3ec\ub10c\ud2b8(\uc608\ub85c Traefik)\uc758 \uac12\uc744 \uc7ac\uc815\uc758\ud560 \uc218 \uc788\ub3c4\ub85d, K3s\ub294 HelmChartConfig \ub9ac\uc18c\uc2a4\ub97c \ud1b5\ud574 \ubc30\ud3ec\ub97c \uc0ac\uc6a9\uc790 \uc815\uc758\ud560 \uc218 \uc788\ub3c4\ub85d \uc9c0\uc6d0\ud569\ub2c8\ub2e4. HelmChartConfig \ub9ac\uc18c\uc2a4\ub294 \ud574\ub2f9 HelmChart\uc758 \uc774\ub984\uacfc \ub124\uc784\uc2a4\ud398\uc774\uc2a4\uc640 \uc77c\uce58\ud574\uc57c \ud558\uba70, \ucd94\uac00 \uac12 \ud30c\uc77c\ub85c ",(0,t.jsx)(s.code,{children:"helm"})," \uba85\ub839\uc5d0 \uc804\ub2ec\ub418\ub294 ",(0,t.jsx)(s.code,{children:"valuesContent"}),"\ub97c \ucd94\uac00\ub85c \uc81c\uacf5\ud560 \uc218 \uc788\ub3c4\ub85d \uc9c0\uc6d0\ud569\ub2c8\ub2e4."]}),"\n",(0,t.jsx)(s.admonition,{type:"note",children:(0,t.jsxs)(s.p,{children:["HelmChart ",(0,t.jsx)(s.code,{children:"spec.set"})," \uac12\uc740 HelmChart \ubc0f HelmChartConfig ",(0,t.jsx)(s.code,{children:"spec.valuesContent"})," \uc124\uc815\uc744 \uc7ac\uc815\uc758\ud569\ub2c8\ub2e4."]})}),"\n",(0,t.jsxs)(s.p,{children:["\uc608\ub97c \ub4e4\uc5b4, \ud328\ud0a4\uc9d5\ub41c \ud2b8\ub798\ud53d \uc778\uadf8\ub808\uc2a4 \uad6c\uc131\uc744 \uc0ac\uc6a9\uc790 \uc815\uc758\ud558\ub824\uba74 ",(0,t.jsx)(s.code,{children:"/var/lib/rancher/k3s/server/manifests/traefik-config.yaml"}),"\uc774\ub77c\ub294 \ud30c\uc77c\uc744 \uc0dd\uc131\ud558\uace0 \ub2e4\uc74c \ub0b4\uc6a9\uc73c\ub85c \ucc44\uc6b0\uba74 \ub429\ub2c8\ub2e4:"]}),"\n",(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-yaml",children:"apiVersion: helm.cattle.io/v1\nkind: HelmChartConfig\nmetadata:\n name: traefik\n namespace: kube-system\nspec:\n valuesContent: |-\n image:\n name: traefik\n tag: v2.8.5\n forwardedHeaders:\n enabled: true\n trustedIPs:\n - 10.0.0.0/8\n ssl:\n enabled: true\n permanentRedirect: false\n"})}),"\n",(0,t.jsx)(s.h3,{id:"\ud5ec\ub984-\ubc84\uc804-2\uc5d0\uc11c-\ub9c8\uc774\uadf8\ub808\uc774\uc158\ud558\uae30",children:"\ud5ec\ub984 \ubc84\uc804 2\uc5d0\uc11c \ub9c8\uc774\uadf8\ub808\uc774\uc158\ud558\uae30"}),"\n",(0,t.jsx)(s.admonition,{title:"Version Gate",type:"info",children:(0,t.jsxs)(s.p,{children:["v1.17.",(0,t.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.17.0%2Bk3s.1",children:"v1.17.0+k3s.1"}),"\ubd80\ud130 \ud5ec\ub984 v3\uac00 \uae30\ubcf8\uc801\uc73c\ub85c \uc9c0\uc6d0 \ubc0f \uc0ac\uc6a9\ub429\ub2c8\ub2e4."]})}),"\n",(0,t.jsxs)(s.p,{children:["K3s\ub294 \ud5ec\ub984 v2 \ub610\ub294 \ud5ec\ub984 v3\ub97c \ucc98\ub9ac\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \ud5ec\ub984 v3\ub85c \ub9c8\uc774\uadf8\ub808\uc774\uc158\ud558\ub824\ub294 \uacbd\uc6b0, ",(0,t.jsx)(s.a,{href:"https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/",children:"\uc774"})," \ud5ec\ub984 \ube14\ub85c\uadf8 \uac8c\uc2dc\ubb3c\uc5d0\uc11c \ud50c\ub7ec\uadf8\uc778\uc744 \uc0ac\uc6a9\ud558\uc5ec \uc131\uacf5\uc801\uc73c\ub85c \ub9c8\uc774\uadf8\ub808\uc774\uc158\ud558\ub294 \ubc29\ubc95\uc744 \uc124\uba85\ud569\ub2c8\ub2e4. \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 \ud5ec\ub984 3 \uacf5\uc2dd \ubb38\uc11c ",(0,t.jsx)(s.a,{href:"https://helm.sh/docs/",children:"\uc5ec\uae30"}),"\ub97c \ucc38\uace0\ud558\uc138\uc694. ",(0,t.jsx)(s.a,{href:"/kr/cluster-access",children:"\ud074\ub7ec\uc2a4\ud130 \uc811\uadfc"}),"\uc5d0 \ub300\ud55c \uc139\uc158\uc5d0 \ub530\ub77c kubeconfig\ub97c \uc62c\ubc14\ub974\uac8c \uc124\uc815\ud588\ub294\uc9c0 \ud655\uc778\ud558\uc138\uc694."]}),"\n",(0,t.jsx)(s.admonition,{type:"note",children:(0,t.jsxs)(s.p,{children:["\ud5ec\ub984 3\uc5d0\uc11c\ub294 \ub354 \uc774\uc0c1 Tiller\uc640 ",(0,t.jsx)(s.code,{children:"helm init"})," \uba85\ub839\uc774 \ud544\uc694\ud558\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4. \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 \uacf5\uc2dd \ubb38\uc11c\ub97c \ucc38\uace0\ud558\uc138\uc694."]})})]})}function o(e={}){const{wrapper:s}={...(0,r.a)(),...e.components};return s?(0,t.jsx)(s,{...e,children:(0,t.jsx)(a,{...e})}):a(e)}},1151:(e,s,n)=>{n.d(s,{Z:()=>i,a:()=>c});var t=n(7294);const r={},d=t.createContext(r);function c(e){const s=t.useContext(d);return t.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function i(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:c(e.components),t.createElement(d.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/cfa0e807.be961597.js b/kr/assets/js/cfa0e807.be961597.js new file mode 100644 index 000000000..55ea776f8 --- /dev/null +++ b/kr/assets/js/cfa0e807.be961597.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[1385],{3934:(e,s,n)=>{n.r(s),n.d(s,{assets:()=>l,contentTitle:()=>c,default:()=>o,frontMatter:()=>d,metadata:()=>i,toc:()=>h});var t=n(5893),r=n(1151);const d={title:"\ud5ec\ub984(Helm)"},c=void 0,i={id:"helm",title:"\ud5ec\ub984(Helm)",description:"\ud5ec\ub984(Helm)\uc740 \ucfe0\ubc84\ub124\ud2f0\uc2a4\ub97c \uc704\ud55c \ud328\ud0a4\uc9c0 \uad00\ub9ac \ub3c4\uad6c\uc785\ub2c8\ub2e4. \ud5ec\ub984 \ucc28\ud2b8\ub294 \ucfe0\ubc84\ub124\ud2f0\uc2a4 YAML \ub9e4\ub2c8\ud398\uc2a4\ud2b8 \ubb38\uc11c\ub97c \uc704\ud55c \ud15c\ud50c\ub9bf \uad6c\ubb38\uc744 \uc81c\uacf5\ud569\ub2c8\ub2e4. \uac1c\ubc1c\uc790 \ub610\ub294 \ud074\ub7ec\uc2a4\ud130 \uad00\ub9ac\uc790\ub294 \ud5ec\ub984\uc744 \uc0ac\uc6a9\ud558\uc5ec \uc815\uc801 \ub9e4\ub2c8\ud398\uc2a4\ud2b8\ub9cc \uc0ac\uc6a9\ud558\ub294 \ub300\uc2e0 \ucc28\ud2b8\ub77c\ub294 \uad6c\uc131 \uac00\ub2a5\ud55c \ud15c\ud50c\ub9bf\uc744 \ub9cc\ub4e4 \uc218 \uc788\ub2e4. \uc790\uc2e0\ub9cc\uc758 \ucc28\ud2b8 \uce74\ud0c8\ub85c\uadf8 \uc0dd\uc131\uc5d0 \ub300\ud55c \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 https://helm.sh/docs/intro/quickstart/\uc5d0\uc11c \ubb38\uc11c\ub97c \ud655\uc778\ud558\uc138\uc694.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/helm.md",sourceDirName:".",slug:"/helm",permalink:"/kr/helm",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/helm.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"\ud5ec\ub984(Helm)"},sidebar:"mySidebar",previous:{title:"Networking Services",permalink:"/kr/networking/networking-services"},next:{title:"\uace0\uae09 \uc635\uc158 / \uc124\uc815",permalink:"/kr/advanced"}},l={},h=[{value:"\ud5ec\ub984 \ucee8\ud2b8\ub864\ub7ec \uc0ac\uc6a9\ud558\uae30",id:"\ud5ec\ub984-\ucee8\ud2b8\ub864\ub7ec-\uc0ac\uc6a9\ud558\uae30",level:3},{value:"HelmChart \ud544\ub4dc \uc815\uc758",id:"helmchart-\ud544\ub4dc-\uc815\uc758",level:4},{value:"HelmChartConfig\ub85c \ud328\ud0a4\uc9c0 \ucef4\ud3ec\ub10c\ud2b8 \ucee4\uc2a4\ud130\ub9c8\uc774\uc9d5\ud558\uae30",id:"helmchartconfig\ub85c-\ud328\ud0a4\uc9c0-\ucef4\ud3ec\ub10c\ud2b8-\ucee4\uc2a4\ud130\ub9c8\uc774\uc9d5\ud558\uae30",level:3},{value:"\ud5ec\ub984 \ubc84\uc804 2\uc5d0\uc11c \ub9c8\uc774\uadf8\ub808\uc774\uc158\ud558\uae30",id:"\ud5ec\ub984-\ubc84\uc804-2\uc5d0\uc11c-\ub9c8\uc774\uadf8\ub808\uc774\uc158\ud558\uae30",level:3}];function a(e){const s={a:"a",admonition:"admonition",code:"code",h3:"h3",h4:"h4",p:"p",pre:"pre",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",...(0,r.a)(),...e.components};return(0,t.jsxs)(t.Fragment,{children:[(0,t.jsxs)(s.p,{children:["\ud5ec\ub984(Helm)\uc740 \ucfe0\ubc84\ub124\ud2f0\uc2a4\ub97c \uc704\ud55c \ud328\ud0a4\uc9c0 \uad00\ub9ac \ub3c4\uad6c\uc785\ub2c8\ub2e4. \ud5ec\ub984 \ucc28\ud2b8\ub294 \ucfe0\ubc84\ub124\ud2f0\uc2a4 YAML \ub9e4\ub2c8\ud398\uc2a4\ud2b8 \ubb38\uc11c\ub97c \uc704\ud55c \ud15c\ud50c\ub9bf \uad6c\ubb38\uc744 \uc81c\uacf5\ud569\ub2c8\ub2e4. \uac1c\ubc1c\uc790 \ub610\ub294 \ud074\ub7ec\uc2a4\ud130 \uad00\ub9ac\uc790\ub294 \ud5ec\ub984\uc744 \uc0ac\uc6a9\ud558\uc5ec \uc815\uc801 \ub9e4\ub2c8\ud398\uc2a4\ud2b8\ub9cc \uc0ac\uc6a9\ud558\ub294 \ub300\uc2e0 \ucc28\ud2b8\ub77c\ub294 \uad6c\uc131 \uac00\ub2a5\ud55c \ud15c\ud50c\ub9bf\uc744 \ub9cc\ub4e4 \uc218 \uc788\ub2e4. \uc790\uc2e0\ub9cc\uc758 \ucc28\ud2b8 \uce74\ud0c8\ub85c\uadf8 \uc0dd\uc131\uc5d0 \ub300\ud55c \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,t.jsx)(s.a,{href:"https://helm.sh/docs/intro/quickstart/",children:"https://helm.sh/docs/intro/quickstart/"}),"\uc5d0\uc11c \ubb38\uc11c\ub97c \ud655\uc778\ud558\uc138\uc694."]}),"\n",(0,t.jsxs)(s.p,{children:["K3s\ub294 \ud5ec\ub984\uc744 \uc9c0\uc6d0\ud558\uae30 \uc704\ud55c \ubcc4\ub3c4\uc758 \uad6c\uc131\uc774 \ud544\uc694\ud558\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4. \ub2e4\ub9cc, ",(0,t.jsx)(s.a,{href:"/kr/cluster-access",children:"\ud074\ub7ec\uc2a4\ud130 \uc561\uc138\uc2a4"})," \ubb38\uc11c\uc5d0 \ub530\ub77c kubeconfig \uacbd\ub85c\ub97c \uc62c\ubc14\ub974\uac8c \uc124\uc815\ud588\ub294\uc9c0 \ud655\uc778\ud558\uba74 \ub429\ub2c8\ub2e4."]}),"\n",(0,t.jsxs)(s.p,{children:["K3s\uc5d0\ub294 \ud5ec\ub984 \ucc28\ud2b8\uc758 \uc124\uce58, \uc5c5\uadf8\ub808\uc774\ub4dc/\uc7ac\uad6c\uc131 \ubc0f \uc81c\uac70\ub97c \uad00\ub9ac\ud558\ub294 ",(0,t.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/",children:"Helm Controller"}),"\uac00 \ud3ec\ud568\ub418\uc5b4 \uc788\uc73c\uba70, \ud5ec\ub984 \ucc28\ud2b8 \ucee4\uc2a4\ud140 \ub9ac\uc18c\uc2a4 \uc815\uc758(CRD)\ub97c \uc0ac\uc6a9\ud558\uc5ec \ud5ec\ub984 \ucc28\ud2b8\ub97c \uc124\uce58, \uc5c5\uadf8\ub808\uc774\ub4dc/\uc7ac\uad6c\uc131 \ubc0f \uc81c\uac70\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \uc560\ub4dc\uc628 \ub9e4\ub2c8\ud398\uc2a4\ud2b8 \uc790\ub3d9 \ubc30\ud3ec](./installation/packaged-components.md)\uc640 \ud568\uaed8 \uc0ac\uc6a9\ud558\uba74 \ub514\uc2a4\ud06c\uc5d0 \ub2e8\uc77c \ud30c\uc77c\uc744 \uc0dd\uc131\ud558\uc5ec \ud074\ub7ec\uc2a4\ud130\uc5d0 \ud5ec\ub984 \ucc28\ud2b8\ub97c \uc124\uce58\ud558\ub294 \uac83\uc744 \uc790\ub3d9\ud654\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."]}),"\n",(0,t.jsx)(s.h3,{id:"\ud5ec\ub984-\ucee8\ud2b8\ub864\ub7ec-\uc0ac\uc6a9\ud558\uae30",children:"\ud5ec\ub984 \ucee8\ud2b8\ub864\ub7ec \uc0ac\uc6a9\ud558\uae30"}),"\n",(0,t.jsxs)(s.p,{children:[(0,t.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller#helm-controller",children:"\ud5ec\ub984 \ucc28\ud2b8 \ucee4\uc2a4\ud140 \ub9ac\uc18c\uc2a4"}),"\ub294 \uc77c\ubc18\uc801\uc73c\ub85c ",(0,t.jsx)(s.code,{children:"helm"})," \uba85\ub839\uc904 \ub3c4\uad6c\uc5d0 \uc804\ub2ec\ud560 \ub300\ubd80\ubd84\uc758 \uc635\uc158\uc744 \ub2f4\uace0 \uc788\uc2b5\ub2c8\ub2e4. \ub2e4\uc74c\uc740 Bitnami \ucc28\ud2b8 \uc800\uc7a5\uc18c\uc5d0\uc11c \uc544\ud30c\uce58\ub97c \ubc30\ud3ec\ud558\uc5ec \uae30\ubcf8 \ucc28\ud2b8 \uac12 \uc911 \uc77c\ubd80\ub97c \uc7ac\uc815\uc758\ud558\ub294 \ubc29\ubc95\uc5d0 \ub300\ud55c \uc608\uc81c\uc785\ub2c8\ub2e4. HelmChart \ub9ac\uc18c\uc2a4 \uc790\uccb4\ub294 ",(0,t.jsx)(s.code,{children:"kube-system"})," \ub124\uc784\uc2a4\ud398\uc774\uc2a4\uc5d0 \uc788\uc9c0\ub9cc, \ucc28\ud2b8\uc758 \ub9ac\uc18c\uc2a4\ub294 \ub3d9\uc77c\ud55c \ub9e4\ub2c8\ud398\uc2a4\ud2b8\uc5d0 \uc0dd\uc131\ub418\ub294 ",(0,t.jsx)(s.code,{children:"web"})," \ub124\uc784\uc2a4\ud398\uc774\uc2a4\uc5d0 \ubc30\ud3ec\ub41c\ub2e4\ub294 \uc810\uc5d0 \uc720\uc758\ud558\uc138\uc694. \uc774\ub294 HelmChart \ub9ac\uc18c\uc2a4\ub97c \ubc30\ud3ec\ud558\ub294 \ub9ac\uc18c\uc2a4\uc640 \ubd84\ub9ac\ud558\uc5ec \uc720\uc9c0\ud558\ub824\ub294 \uacbd\uc6b0\uc5d0 \uc720\uc6a9\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."]}),"\n",(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-yaml",children:"apiVersion: v1\nkind: Namespace\nmetadata:\n name: web\n---\napiVersion: helm.cattle.io/v1\nkind: HelmChart\nmetadata:\n name: apache\n namespace: kube-system\nspec:\n repo: https://charts.bitnami.com/bitnami\n chart: apache\n targetNamespace: web\n valuesContent: |-\n service:\n type: ClusterIP\n ingress:\n enabled: true\n hostname: www.example.com\n metrics:\n enabled: true\n"})}),"\n",(0,t.jsx)(s.h4,{id:"helmchart-\ud544\ub4dc-\uc815\uc758",children:"HelmChart \ud544\ub4dc \uc815\uc758"}),"\n",(0,t.jsxs)(s.table,{children:[(0,t.jsx)(s.thead,{children:(0,t.jsxs)(s.tr,{children:[(0,t.jsx)(s.th,{children:"\ud544\ub4dc"}),(0,t.jsx)(s.th,{children:"\uae30\ubcf8\uac12"}),(0,t.jsx)(s.th,{children:"\uc124\uba85"}),(0,t.jsx)(s.th,{children:"\ud5ec\ub984 \uc778\uc218 / \ud50c\ub798\uadf8 \uc0c1\uc751\uac12"})]})}),(0,t.jsxs)(s.tbody,{children:[(0,t.jsxs)(s.tr,{children:[(0,t.jsx)(s.td,{children:"metadata.name"}),(0,t.jsx)(s.td,{}),(0,t.jsx)(s.td,{children:"\ud5ec\ub984 \ucc28\ud2b8 \uc774\ub984"}),(0,t.jsx)(s.td,{children:"NAME"})]}),(0,t.jsxs)(s.tr,{children:[(0,t.jsx)(s.td,{children:"spec.chart"}),(0,t.jsx)(s.td,{}),(0,t.jsx)(s.td,{children:"\ub9ac\ud3ec\uc9c0\ud1a0\ub9ac\uc5d0 \uc788\ub294 \ud5ec\ub984 \ucc28\ud2b8 \uc774\ub984 \ub610\ub294 \ucc28\ud2b8 \uc544\uce74\uc774\ube0c(.tgz)\uc5d0 \ub300\ud55c \uc804\uccb4 HTTPS URL"}),(0,t.jsx)(s.td,{children:"CHART"})]}),(0,t.jsxs)(s.tr,{children:[(0,t.jsx)(s.td,{children:"spec.targetNamespace"}),(0,t.jsx)(s.td,{children:"default"}),(0,t.jsx)(s.td,{children:"\ud5ec\ub984 \ucc28\ud2b8 \ub300\uc0c1 \ub124\uc784\uc2a4\ud398\uc774\uc2a4"}),(0,t.jsx)(s.td,{children:(0,t.jsx)(s.code,{children:"--namespace"})})]}),(0,t.jsxs)(s.tr,{children:[(0,t.jsx)(s.td,{children:"spec.version"}),(0,t.jsx)(s.td,{}),(0,t.jsx)(s.td,{children:"\ud5ec\ub984 \ucc28\ud2b8 \ubc84\uc804(\ub9ac\ud3ec\uc9c0\ud1a0\ub9ac\uc5d0\uc11c \uc124\uce58\ud558\ub294 \uacbd\uc6b0)"}),(0,t.jsx)(s.td,{children:(0,t.jsx)(s.code,{children:"--version"})})]}),(0,t.jsxs)(s.tr,{children:[(0,t.jsx)(s.td,{children:"spec.repo"}),(0,t.jsx)(s.td,{}),(0,t.jsx)(s.td,{children:"\ud5ec\ub984 \ucc28\ud2b8 \ub9ac\ud3ec\uc9c0\ud1a0\ub9ac URL"}),(0,t.jsx)(s.td,{children:(0,t.jsx)(s.code,{children:"--repo"})})]}),(0,t.jsxs)(s.tr,{children:[(0,t.jsx)(s.td,{children:"spec.repoCA"}),(0,t.jsx)(s.td,{}),(0,t.jsx)(s.td,{children:"HTTPS \uc0ac\uc6a9 \uc11c\ubc84\uc758 \uc778\uc99d\uc11c\ub97c \uc9c0\uc815"}),(0,t.jsx)(s.td,{children:(0,t.jsx)(s.code,{children:"--ca-file"})})]}),(0,t.jsxs)(s.tr,{children:[(0,t.jsx)(s.td,{children:"spec.helmVersion"}),(0,t.jsx)(s.td,{children:"v3"}),(0,t.jsxs)(s.td,{children:["\uc0ac\uc6a9\ud560 \ud5ec\ub984 \ubc84\uc804 (",(0,t.jsx)(s.code,{children:"v2"})," \ud639\uc740 ",(0,t.jsx)(s.code,{children:"v3"}),")"]}),(0,t.jsx)(s.td,{})]}),(0,t.jsxs)(s.tr,{children:[(0,t.jsx)(s.td,{children:"spec.bootstrap"}),(0,t.jsx)(s.td,{children:"False"}),(0,t.jsx)(s.td,{children:"\ud074\ub7ec\uc2a4\ud130(\ud074\ub77c\uc6b0\ub4dc \ucee8\ud2b8\ub864\ub7ec \uad00\ub9ac\uc790 \ub4f1)\ub97c \ubd80\ud2b8\uc2a4\ud2b8\ub7a9\ud558\ub294 \ub370 \uc774 \ucc28\ud2b8\uac00 \ud544\uc694\ud55c \uacbd\uc6b0 True\ub85c \uc124\uc815\ud569\ub2c8\ub2e4."}),(0,t.jsx)(s.td,{})]}),(0,t.jsxs)(s.tr,{children:[(0,t.jsx)(s.td,{children:"spec.set"}),(0,t.jsx)(s.td,{}),(0,t.jsx)(s.td,{children:"\uac04\ub2e8\ud55c \uae30\ubcf8 \ucc28\ud2b8 \uac12\uc744 \uc7ac\uc815\uc758\ud569\ub2c8\ub2e4. \uac12\uc744 \ud1b5\ud574 \uc124\uc815\ub41c \uc635\uc158\ubcf4\ub2e4 \uc6b0\uc120\ud569\ub2c8\ub2e4."}),(0,t.jsxs)(s.td,{children:[(0,t.jsx)(s.code,{children:"--set"})," / ",(0,t.jsx)(s.code,{children:"--set-string"})]})]}),(0,t.jsxs)(s.tr,{children:[(0,t.jsx)(s.td,{children:"spec.jobImage"}),(0,t.jsx)(s.td,{}),(0,t.jsxs)(s.td,{children:["\ud5ec\ub984 \ucc28\ud2b8\ub97c \uc124\uce58\ud560 \ub54c \uc0ac\uc6a9\ud560 \uc774\ubbf8\uc9c0\ub97c \uc9c0\uc815\ud569\ub2c8\ub2e4. \uc608\uc2dc. rancher/klipper-helm",":v0",".3.0 ."]}),(0,t.jsx)(s.td,{})]}),(0,t.jsxs)(s.tr,{children:[(0,t.jsx)(s.td,{children:"spec.timeout"}),(0,t.jsx)(s.td,{children:"300"}),(0,t.jsx)(s.td,{children:"\ud5ec\ub984 \uc791\uc5c5 \uc2dc\uac04 \ucd08\uacfc(\ucd08)"}),(0,t.jsx)(s.td,{children:(0,t.jsx)(s.code,{children:"--timeout"})})]}),(0,t.jsxs)(s.tr,{children:[(0,t.jsx)(s.td,{children:"spec.failurePolicy"}),(0,t.jsx)(s.td,{children:"reinstall"}),(0,t.jsxs)(s.td,{children:[(0,t.jsx)(s.code,{children:"abort"}),"\ub85c \uc124\uc815\ud558\uba74 \ud5ec\ub984 \uc791\uc5c5\uc774 \uc911\ub2e8\ub418\uace0 \uc6b4\uc601\uc790\uc758 \uc218\ub3d9 \uac1c\uc785\uc774 \uc788\uc744 \ub54c\uae4c\uc9c0 \uc911\ub2e8\ub41c\ub2e4."]}),(0,t.jsx)(s.td,{})]}),(0,t.jsxs)(s.tr,{children:[(0,t.jsx)(s.td,{children:"spec.valuesContent"}),(0,t.jsx)(s.td,{}),(0,t.jsx)(s.td,{children:"YAML \ud30c\uc77c \ucf58\ud150\uce20\ub97c \ud1b5\ud574 \ubcf5\uc7a1\ud55c \uae30\ubcf8 \ucc28\ud2b8 \uac12 \uc7ac\uc815\uc758"}),(0,t.jsx)(s.td,{children:(0,t.jsx)(s.code,{children:"--values"})})]}),(0,t.jsxs)(s.tr,{children:[(0,t.jsx)(s.td,{children:"spec.chartContent"}),(0,t.jsx)(s.td,{}),(0,t.jsx)(s.td,{children:"Base64\ub85c \uc778\ucf54\ub529\ub41c \ucc28\ud2b8 \uc544\uce74\uc774\ube0c .tgz - spec.chart\ub97c \uc7ac\uc815\uc758\ud569\ub2c8\ub2e4."}),(0,t.jsx)(s.td,{children:"CHART"})]})]})]}),"\n",(0,t.jsxs)(s.p,{children:[(0,t.jsx)(s.code,{children:"/var/lib/rancher/k3s/server/static/"}),"\uc5d0 \uc704\uce58\ud55c \ucf58\ud150\uce20\ub294 \ud074\ub7ec\uc2a4\ud130 \ub0b4\uc5d0\uc11c \ucfe0\ubc84\ub124\ud2f0\uc2a4 APIServer\ub97c \ud1b5\ud574 \uc775\uba85\uc73c\ub85c \uc561\uc138\uc2a4\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \uc774 URL\uc740 ",(0,t.jsx)(s.code,{children:"spec.chart"})," \ud544\ub4dc\uc5d0 \uc788\ub294 \ud2b9\uc218 \ubcc0\uc218 ",(0,t.jsx)(s.code,{children:"%{KUBERNETES_API}%"}),"\ub97c \uc0ac\uc6a9\ud558\uc5ec \ud15c\ud50c\ub9bf\ud654\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \uc608\ub97c \ub4e4\uc5b4, \ud328\ud0a4\uc9c0\ud654\ub41c Traefik \ucef4\ud3ec\ub10c\ud2b8\ub294 ",(0,t.jsx)(s.code,{children:"https://%{KUBERNETES_API}%/static/charts/traefik-12.0.000.tgz"}),"\uc5d0\uc11c \ud574\ub2f9 \ucc28\ud2b8\ub97c \ub85c\ub4dc\ud569\ub2c8\ub2e4."]}),"\n",(0,t.jsx)(s.admonition,{type:"note",children:(0,t.jsxs)(s.p,{children:[(0,t.jsx)(s.code,{children:"name"})," \ud544\ub4dc\ub294 \ud5ec\ub984 \ucc28\ud2b8 \uba85\uba85 \uaddc\uce59\uc744 \ub530\ub77c\uc57c \ud569\ub2c8\ub2e4. \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,t.jsx)(s.a,{href:"https://helm.sh/docs/chart_best_practices/conventions/#chart-names",children:"\ud5ec\ub984 \ubca0\uc2a4\ud2b8 \ud504\ub799\ud2f0\uc2a4 \ubb38\uc11c"}),"\ub97c \ucc38\uace0\ud558\uc138\uc694."]})}),"\n",(0,t.jsx)(s.h3,{id:"helmchartconfig\ub85c-\ud328\ud0a4\uc9c0-\ucef4\ud3ec\ub10c\ud2b8-\ucee4\uc2a4\ud130\ub9c8\uc774\uc9d5\ud558\uae30",children:"HelmChartConfig\ub85c \ud328\ud0a4\uc9c0 \ucef4\ud3ec\ub10c\ud2b8 \ucee4\uc2a4\ud130\ub9c8\uc774\uc9d5\ud558\uae30"}),"\n",(0,t.jsx)(s.admonition,{title:"Version Gate",type:"info",children:(0,t.jsxs)(s.p,{children:[(0,t.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.19.1%2Bk3s1",children:"v1.19.1+k3s1"})," \ubd80\ud130 \uc0ac\uc6a9 \uac00\ub2a5"]})}),"\n",(0,t.jsxs)(s.p,{children:["HelmChart\ub85c \ubc30\ud3ec\ub418\ub294 \ud328\ud0a4\uc9c0 \ucef4\ud3ec\ub10c\ud2b8(\uc608\ub85c Traefik)\uc758 \uac12\uc744 \uc7ac\uc815\uc758\ud560 \uc218 \uc788\ub3c4\ub85d, K3s\ub294 HelmChartConfig \ub9ac\uc18c\uc2a4\ub97c \ud1b5\ud574 \ubc30\ud3ec\ub97c \uc0ac\uc6a9\uc790 \uc815\uc758\ud560 \uc218 \uc788\ub3c4\ub85d \uc9c0\uc6d0\ud569\ub2c8\ub2e4. HelmChartConfig \ub9ac\uc18c\uc2a4\ub294 \ud574\ub2f9 HelmChart\uc758 \uc774\ub984\uacfc \ub124\uc784\uc2a4\ud398\uc774\uc2a4\uc640 \uc77c\uce58\ud574\uc57c \ud558\uba70, \ucd94\uac00 \uac12 \ud30c\uc77c\ub85c ",(0,t.jsx)(s.code,{children:"helm"})," \uba85\ub839\uc5d0 \uc804\ub2ec\ub418\ub294 ",(0,t.jsx)(s.code,{children:"valuesContent"}),"\ub97c \ucd94\uac00\ub85c \uc81c\uacf5\ud560 \uc218 \uc788\ub3c4\ub85d \uc9c0\uc6d0\ud569\ub2c8\ub2e4."]}),"\n",(0,t.jsx)(s.admonition,{type:"note",children:(0,t.jsxs)(s.p,{children:["HelmChart ",(0,t.jsx)(s.code,{children:"spec.set"})," \uac12\uc740 HelmChart \ubc0f HelmChartConfig ",(0,t.jsx)(s.code,{children:"spec.valuesContent"})," \uc124\uc815\uc744 \uc7ac\uc815\uc758\ud569\ub2c8\ub2e4."]})}),"\n",(0,t.jsxs)(s.p,{children:["\uc608\ub97c \ub4e4\uc5b4, \ud328\ud0a4\uc9d5\ub41c \ud2b8\ub798\ud53d \uc778\uadf8\ub808\uc2a4 \uad6c\uc131\uc744 \uc0ac\uc6a9\uc790 \uc815\uc758\ud558\ub824\uba74 ",(0,t.jsx)(s.code,{children:"/var/lib/rancher/k3s/server/manifests/traefik-config.yaml"}),"\uc774\ub77c\ub294 \ud30c\uc77c\uc744 \uc0dd\uc131\ud558\uace0 \ub2e4\uc74c \ub0b4\uc6a9\uc73c\ub85c \ucc44\uc6b0\uba74 \ub429\ub2c8\ub2e4:"]}),"\n",(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-yaml",children:"apiVersion: helm.cattle.io/v1\nkind: HelmChartConfig\nmetadata:\n name: traefik\n namespace: kube-system\nspec:\n valuesContent: |-\n image:\n name: traefik\n tag: v2.8.5\n forwardedHeaders:\n enabled: true\n trustedIPs:\n - 10.0.0.0/8\n ssl:\n enabled: true\n permanentRedirect: false\n"})}),"\n",(0,t.jsx)(s.h3,{id:"\ud5ec\ub984-\ubc84\uc804-2\uc5d0\uc11c-\ub9c8\uc774\uadf8\ub808\uc774\uc158\ud558\uae30",children:"\ud5ec\ub984 \ubc84\uc804 2\uc5d0\uc11c \ub9c8\uc774\uadf8\ub808\uc774\uc158\ud558\uae30"}),"\n",(0,t.jsx)(s.admonition,{title:"Version Gate",type:"info",children:(0,t.jsxs)(s.p,{children:["v1.17.",(0,t.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.17.0%2Bk3s.1",children:"v1.17.0+k3s.1"}),"\ubd80\ud130 \ud5ec\ub984 v3\uac00 \uae30\ubcf8\uc801\uc73c\ub85c \uc9c0\uc6d0 \ubc0f \uc0ac\uc6a9\ub429\ub2c8\ub2e4."]})}),"\n",(0,t.jsxs)(s.p,{children:["K3s\ub294 \ud5ec\ub984 v2 \ub610\ub294 \ud5ec\ub984 v3\ub97c \ucc98\ub9ac\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \ud5ec\ub984 v3\ub85c \ub9c8\uc774\uadf8\ub808\uc774\uc158\ud558\ub824\ub294 \uacbd\uc6b0, ",(0,t.jsx)(s.a,{href:"https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/",children:"\uc774"})," \ud5ec\ub984 \ube14\ub85c\uadf8 \uac8c\uc2dc\ubb3c\uc5d0\uc11c \ud50c\ub7ec\uadf8\uc778\uc744 \uc0ac\uc6a9\ud558\uc5ec \uc131\uacf5\uc801\uc73c\ub85c \ub9c8\uc774\uadf8\ub808\uc774\uc158\ud558\ub294 \ubc29\ubc95\uc744 \uc124\uba85\ud569\ub2c8\ub2e4. \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 \ud5ec\ub984 3 \uacf5\uc2dd \ubb38\uc11c ",(0,t.jsx)(s.a,{href:"https://helm.sh/docs/",children:"\uc5ec\uae30"}),"\ub97c \ucc38\uace0\ud558\uc138\uc694. ",(0,t.jsx)(s.a,{href:"/kr/cluster-access",children:"\ud074\ub7ec\uc2a4\ud130 \uc811\uadfc"}),"\uc5d0 \ub300\ud55c \uc139\uc158\uc5d0 \ub530\ub77c kubeconfig\ub97c \uc62c\ubc14\ub974\uac8c \uc124\uc815\ud588\ub294\uc9c0 \ud655\uc778\ud558\uc138\uc694."]}),"\n",(0,t.jsx)(s.admonition,{type:"note",children:(0,t.jsxs)(s.p,{children:["\ud5ec\ub984 3\uc5d0\uc11c\ub294 \ub354 \uc774\uc0c1 Tiller\uc640 ",(0,t.jsx)(s.code,{children:"helm init"})," \uba85\ub839\uc774 \ud544\uc694\ud558\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4. \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 \uacf5\uc2dd \ubb38\uc11c\ub97c \ucc38\uace0\ud558\uc138\uc694."]})})]})}function o(e={}){const{wrapper:s}={...(0,r.a)(),...e.components};return s?(0,t.jsx)(s,{...e,children:(0,t.jsx)(a,{...e})}):a(e)}},1151:(e,s,n)=>{n.d(s,{Z:()=>i,a:()=>c});var t=n(7294);const r={},d=t.createContext(r);function c(e){const s=t.useContext(d);return t.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function i(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:c(e.components),t.createElement(d.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/d123a91e.18f3a6fd.js b/kr/assets/js/d123a91e.18f3a6fd.js new file mode 100644 index 000000000..514ac3e73 --- /dev/null +++ b/kr/assets/js/d123a91e.18f3a6fd.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[855],{5418:(e,s,t)=>{t.r(s),t.d(s,{assets:()=>c,contentTitle:()=>l,default:()=>o,frontMatter:()=>i,metadata:()=>h,toc:()=>d});var r=t(5893),n=t(1151);const i={hide_table_of_contents:!0,sidebar_position:7},l="v1.24.X",h={id:"release-notes/v1.24.X",title:"v1.24.X",description:"Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.",source:"@site/docs/release-notes/v1.24.X.md",sourceDirName:"release-notes",slug:"/release-notes/v1.24.X",permalink:"/kr/release-notes/v1.24.X",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/release-notes/v1.24.X.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,sidebarPosition:7,frontMatter:{hide_table_of_contents:!0,sidebar_position:7},sidebar:"mySidebar",previous:{title:"v1.25.X",permalink:"/kr/release-notes/v1.25.X"},next:{title:"Related Projects",permalink:"/kr/related-projects"}},c={},d=[{value:"Release v1.24.17+k3s1",id:"release-v12417k3s1",level:2},{value:"Changes since v1.24.16+k3s1:",id:"changes-since-v12416k3s1",level:3},{value:"Release v1.24.16+k3s1",id:"release-v12416k3s1",level:2},{value:"Changes since v1.24.14+k3s1:",id:"changes-since-v12414k3s1",level:3},{value:"Release v1.24.15+k3s1",id:"release-v12415k3s1",level:2},{value:"Changes since v1.24.14+k3s1:",id:"changes-since-v12414k3s1-1",level:3},{value:"Release v1.24.14+k3s1",id:"release-v12414k3s1",level:2},{value:"Changes since v1.24.13+k3s1:",id:"changes-since-v12413k3s1",level:3},{value:"Release v1.24.13+k3s1",id:"release-v12413k3s1",level:2},{value:"Changes since v1.24.12+k3s1:",id:"changes-since-v12412k3s1",level:3},{value:"Release v1.24.12+k3s1",id:"release-v12412k3s1",level:2},{value:"Changes since v1.24.11+k3s1:",id:"changes-since-v12411k3s1",level:3},{value:"Release v1.24.11+k3s1",id:"release-v12411k3s1",level:2},{value:"Changes since v1.24.10+k3s1:",id:"changes-since-v12410k3s1",level:3},{value:"Release v1.24.10+k3s1",id:"release-v12410k3s1",level:2},{value:"Changes since v1.24.9+k3s2:",id:"changes-since-v1249k3s2",level:3},{value:"Release v1.24.9+k3s2",id:"release-v1249k3s2",level:2},{value:"Changes since v1.24.9+k3s1:",id:"changes-since-v1249k3s1",level:3},{value:"Release v1.24.9+k3s1",id:"release-v1249k3s1",level:2},{value:"\u26a0\ufe0f WARNING",id:"\ufe0f-warning",level:2},{value:"Changes since v1.24.8+k3s1:",id:"changes-since-v1248k3s1",level:3},{value:"Release v1.24.8+k3s1",id:"release-v1248k3s1",level:2},{value:"Changes since v1.24.7+k3s1:",id:"changes-since-v1247k3s1",level:3},{value:"Release v1.24.7+k3s1",id:"release-v1247k3s1",level:2},{value:"Changes since v1.24.6+k3s1:",id:"changes-since-v1246k3s1",level:3},{value:"Release v1.24.6+k3s1",id:"release-v1246k3s1",level:2},{value:"Changes since v1.24.4+k3s1:",id:"changes-since-v1244k3s1",level:3},{value:"Release v1.24.4+k3s1",id:"release-v1244k3s1",level:2},{value:"Changes since v1.24.3+k3s1:",id:"changes-since-v1243k3s1",level:3},{value:"Release v1.24.3+k3s1",id:"release-v1243k3s1",level:2},{value:"Changes since v1.24.2+k3s2:",id:"changes-since-v1242k3s2",level:3},{value:"Release v1.24.2+k3s2",id:"release-v1242k3s2",level:2},{value:"Changes since v1.24.2+k3s1:",id:"changes-since-v1242k3s1",level:3},{value:"Release v1.24.2+k3s1",id:"release-v1242k3s1",level:2},{value:"Changes since v1.24.1+k3s1:",id:"changes-since-v1241k3s1",level:3},{value:"Release v1.24.1+k3s1",id:"release-v1241k3s1",level:2},{value:"Changes since v1.24.0+k3s1:",id:"changes-since-v1240k3s1",level:3}];function a(e){const s={a:"a",admonition:"admonition",blockquote:"blockquote",code:"code",h1:"h1",h2:"h2",h3:"h3",header:"header",hr:"hr",li:"li",p:"p",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,n.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(s.header,{children:(0,r.jsx)(s.h1,{id:"v124x",children:"v1.24.X"})}),"\n",(0,r.jsx)(s.admonition,{title:"Upgrade Notice",type:"warning",children:(0,r.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]})}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Version"}),(0,r.jsx)(s.th,{children:"Release date"}),(0,r.jsx)(s.th,{children:"Kubernetes"}),(0,r.jsx)(s.th,{children:"Kine"}),(0,r.jsx)(s.th,{children:"SQLite"}),(0,r.jsx)(s.th,{children:"Etcd"}),(0,r.jsx)(s.th,{children:"Containerd"}),(0,r.jsx)(s.th,{children:"Runc"}),(0,r.jsx)(s.th,{children:"Flannel"}),(0,r.jsx)(s.th,{children:"Metrics-server"}),(0,r.jsx)(s.th,{children:"Traefik"}),(0,r.jsx)(s.th,{children:"CoreDNS"}),(0,r.jsx)(s.th,{children:"Helm-controller"}),(0,r.jsx)(s.th,{children:"Local-path-provisioner"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.24.X#release-v12417k3s1",children:"v1.24.17+k3s1"})}),(0,r.jsx)(s.td,{children:"Sep 05 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v12417",children:"v1.24.17"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.2",children:"v0.10.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.3-k3s1",children:"v1.7.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.3-k3s1.23",children:"v0.21.3-k3s1.23"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.24.X#release-v12416k3s1",children:"v1.24.16+k3s1"})}),(0,r.jsx)(s.td,{children:"Jul 27 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v12416",children:"v1.24.16"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.3-k3s1.23",children:"v0.21.3-k3s1.23"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.2",children:"v0.15.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.24.X#release-v12415k3s1",children:"v1.24.15+k3s1"})}),(0,r.jsx)(s.td,{children:"Jun 26 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v12415",children:"v1.24.15"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.3-k3s1.23",children:"v0.21.3-k3s1.23"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.0",children:"v0.15.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.24.X#release-v12414k3s1",children:"v1.24.14+k3s1"})}),(0,r.jsx)(s.td,{children:"May 26 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v12414",children:"v1.24.14"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.3-k3s1.23",children:"v0.21.3-k3s1.23"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.14.0",children:"v0.14.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.24.X#release-v12413k3s1",children:"v1.24.13+k3s1"})}),(0,r.jsx)(s.td,{children:"Apr 20 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v12413",children:"v1.24.13"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.19-k3s1",children:"v1.6.19-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.5",children:"v1.1.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.3-k3s1.23",children:"v0.21.3-k3s1.23"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.3",children:"v0.13.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.24.X#release-v12412k3s1",children:"v1.24.12+k3s1"})}),(0,r.jsx)(s.td,{children:"Mar 27 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v12412",children:"v1.24.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.19-k3s1",children:"v1.6.19-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.3-k3s1.23",children:"v0.21.3-k3s1.23"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.24.X#release-v12411k3s1",children:"v1.24.11+k3s1"})}),(0,r.jsx)(s.td,{children:"Mar 10 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v12411",children:"v1.24.11"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.15-k3s1",children:"v1.6.15-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.1-k3s1.23",children:"v0.21.1-k3s1.23"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.24.X#release-v12410k3s1",children:"v1.24.10+k3s1"})}),(0,r.jsx)(s.td,{children:"Jan 26 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v12410",children:"v1.24.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.6",children:"v0.9.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.15-k3s1",children:"v1.6.15-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.2-k3s1.23",children:"v0.20.2-k3s1.23"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.24.X#release-v1249k3s2",children:"v1.24.9+k3s2"})}),(0,r.jsx)(s.td,{children:"Jan 11 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v1249",children:"v1.24.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.6",children:"v0.9.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.14-k3s1",children:"v1.6.14-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.2-k3s1.23",children:"v0.20.2-k3s1.23"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.24.X#release-v1249k3s1",children:"v1.24.9+k3s1"})}),(0,r.jsx)(s.td,{children:"Dec 20 2022"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v1249",children:"v1.24.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.6",children:"v0.9.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.12-k3s1",children:"v1.6.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.2-k3s1.23",children:"v0.20.2-k3s1.23"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.24.X#release-v1248k3s1",children:"v1.24.8+k3s1"})}),(0,r.jsx)(s.td,{children:"Nov 18 2022"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v1248",children:"v1.24.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.6",children:"v0.9.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.8-k3s1",children:"v1.6.8-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.1-k3s1.23",children:"v0.20.1-k3s1.23"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.1",children:"v0.6.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.0",children:"v0.13.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.24.X#release-v1247k3s1",children:"v1.24.7+k3s1"})}),(0,r.jsx)(s.td,{children:"Oct 25 2022"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v1247",children:"v1.24.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.3",children:"v0.9.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_36_0.html",children:"3.36.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.8-k3s1",children:"v1.6.8-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.19.2",children:"v0.19.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.1",children:"v0.6.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.1",children:"v2.9.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.1",children:"v1.9.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.12.3",children:"v0.12.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.21",children:"v0.0.21"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.24.X#release-v1246k3s1",children:"v1.24.6+k3s1"})}),(0,r.jsx)(s.td,{children:"Sep 28 2022"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v1246",children:"v1.24.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.3",children:"v0.9.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_36_0.html",children:"3.36.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.8-k3s1",children:"v1.6.8-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.19.2",children:"v0.19.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.5.2",children:"v0.5.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.6.2",children:"v2.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.1",children:"v1.9.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.12.3",children:"v0.12.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.21",children:"v0.0.21"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.24.X#release-v1244k3s1",children:"v1.24.4+k3s1"})}),(0,r.jsx)(s.td,{children:"Aug 25 2022"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v1244",children:"v1.24.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.3",children:"v0.9.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_36_0.html",children:"3.36.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.5.13-k3s1",children:"v1.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.3",children:"v1.1.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.19.1",children:"v0.19.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.5.2",children:"v0.5.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.6.2",children:"v2.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.1",children:"v1.9.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.12.3",children:"v0.12.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.21",children:"v0.0.21"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.24.X#release-v1243k3s1",children:"v1.24.3+k3s1"})}),(0,r.jsx)(s.td,{children:"Jul 19 2022"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v1243",children:"v1.24.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.3",children:"v0.9.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_36_0.html",children:"3.36.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.5.13-k3s1",children:"v1.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.3",children:"v1.1.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.18.1",children:"v0.18.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.5.2",children:"v0.5.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.6.2",children:"v2.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.1",children:"v1.9.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.12.3",children:"v0.12.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.21",children:"v0.0.21"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.24.X#release-v1242k3s2",children:"v1.24.2+k3s2"})}),(0,r.jsx)(s.td,{children:"Jul 06 2022"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v1242",children:"v1.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.3",children:"v0.9.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_36_0.html",children:"3.36.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.5.13-k3s1",children:"v1.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.2",children:"v1.1.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.18.1",children:"v0.18.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.5.2",children:"v0.5.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.6.2",children:"v2.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.1",children:"v1.9.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.12.3",children:"v0.12.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.21",children:"v0.0.21"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.24.X#release-v1242k3s1",children:"v1.24.2+k3s1"})}),(0,r.jsx)(s.td,{children:"Jun 27 2022"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v1242",children:"v1.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.1",children:"v0.9.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_36_0.html",children:"3.36.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.6-k3s1",children:"v1.6.6-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.2",children:"v1.1.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.18.1",children:"v0.18.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.5.2",children:"v0.5.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.6.2",children:"v2.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.1",children:"v1.9.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.12.3",children:"v0.12.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.21",children:"v0.0.21"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.24.X#release-v1241k3s1",children:"v1.24.1+k3s1"})}),(0,r.jsx)(s.td,{children:"Jun 11 2022"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v1241",children:"v1.24.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.1",children:"v0.9.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_36_0.html",children:"3.36.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.5.11-k3s1",children:"v1.5.11-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.1",children:"v1.1.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.17.0",children:"v0.17.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.5.2",children:"v0.5.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.6.2",children:"v2.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.1",children:"v1.9.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.12.1",children:"v0.12.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.21",children:"v0.0.21"})})]})]})]}),"\n",(0,r.jsx)("br",{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12417k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.17+k3s1",children:"v1.24.17+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.17, and fixes a number of issues."}),"\n",(0,r.jsx)(s.admonition,{title:"IMPORTANT",type:"warning",children:(0,r.jsxs)(s.p,{children:["This release includes support for remediating CVE-2023-32187, a potential Denial of Service attack vector on K3s servers. See ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2",children:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2"})," for more information, including mandatory steps necessary to harden clusters against this vulnerability."]})}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v12416",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12416k3s1",children:"Changes since v1.24.16+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update cni plugins version to v1.3.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8087",children:"(#8087)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Etcd snapshots retention when node name changes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8124",children:"(#8124)"})]}),"\n",(0,r.jsxs)(s.li,{children:["August Test Backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8128",children:"(#8128)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2023-08 release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8135",children:"(#8135)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"K3s's external apiserver listener now declines to add to its certificate any subject names not associated with the kubernetes apiserver service, server nodes, or values of the --tls-san option. This prevents the certificate's SAN list from being filled with unwanted entries."}),"\n",(0,r.jsxs)(s.li,{children:["K3s no longer enables the apiserver's ",(0,r.jsx)(s.code,{children:"enable-aggregator-routing"})," flag when the egress proxy is not being used to route connections to in-cluster endpoints."]}),"\n",(0,r.jsx)(s.li,{children:"Updated the embedded containerd to v1.7.3+k3s1"}),"\n",(0,r.jsx)(s.li,{children:"Updated the embedded runc to v1.1.8"}),"\n",(0,r.jsxs)(s.li,{children:["User-provided containerd config templates may now use ",(0,r.jsx)(s.code,{children:'{{ template "base" . }}'})," to include the default K3s template content. This makes it easier to maintain user configuration if the only need is to add additional sections to the file."]}),"\n",(0,r.jsx)(s.li,{children:"Bump docker/docker module version to fix issues with cri-dockerd caused by recent releases of golang rejecting invalid host headers sent by the docker client."}),"\n",(0,r.jsx)(s.li,{children:"Updated kine to v0.10.2"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["K3s etcd-snapshot delete fail to delete local file when called with s3 flag ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8146",children:"(#8146)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix for cluster-reset backup from s3 when etcd snapshots are disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8168",children:"(#8168)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fixed the etcd retention to delete orphaned snapshots based on the date ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8191",children:"(#8191)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Additional backports for 2023-08 release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8214",children:"(#8214)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The version of ",(0,r.jsx)(s.code,{children:"helm"})," used by the bundled helm controller's job image has been updated to v3.12.3"]}),"\n",(0,r.jsx)(s.li,{children:"Bumped dynamiclistener to address an issue that could cause the apiserver/supervisor listener on 6443 to stop serving requests on etcd-only nodes."}),"\n",(0,r.jsx)(s.li,{children:"The K3s external apiserver/supervisor listener on 6443 now sends a complete certificate chain in the TLS handshake."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix runc version bump ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8243",children:"(#8243)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.17 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8240",children:"(#8240)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add new CLI flag to enable TLS SAN CN filtering ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8260",children:"(#8260)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Added a new ",(0,r.jsx)(s.code,{children:"--tls-san-security"})," option. This flag defaults to false, but can be set to true to disable automatically adding SANs to the server's TLS certificate to satisfy any hostname requested by a client."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add RWMutex to address controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8276",children:"(#8276)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12416k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.16+k3s1",children:"v1.24.16+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.16, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v12415",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12414k3s1",children:"Changes since v1.24.14+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix code spell check ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7861",children:"(#7861)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove file_windows.go ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7857",children:"(#7857)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow k3s to customize apiServerPort on helm-controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7872",children:"(#7872)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix rootless node password ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7899",children:"(#7899)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2023-07 release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7910",children:"(#7910)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Resolved an issue that caused agents joined with kubeadm-style bootstrap tokens to fail to rejoin the cluster when their node object is deleted."}),"\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"k3s certificate rotate-ca"})," command now supports the data-dir flag."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Adding cli to custom klipper helm image ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7916",children:"(#7916)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The default helm-controller job image can now be overridden with the --helm-job-image CLI flag"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Generation of certs and keys for etcd gated if etcd is disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7946",children:"(#7946)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Don't use zgrep in ",(0,r.jsx)(s.code,{children:"check-config"})," if apparmor profile is enforced ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7955",children:"(#7955)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix image_scan.sh script and download trivy version (#7950) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7970",children:"(#7970)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Adjust default kubeconfig file permissions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7985",children:"(#7985)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.16 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8023",children:"(#8023)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12415k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.15+k3s1",children:"v1.24.15+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.15, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v12414",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12414k3s1-1",children:"Changes since v1.24.14+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["E2E Backports - June ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7726",children:"(#7726)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Shortcircuit commands with version or help flags #7683"}),"\n",(0,r.jsx)(s.li,{children:"Add Rotation certification Check, remove func to restart agents #7097"}),"\n",(0,r.jsx)(s.li,{children:"E2E: Sudo for RunCmdOnNode #7686"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix spelling check ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7753",children:"(#7753)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backport version bumps and bugfixes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7719",children:"(#7719)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The bundled metrics-server has been bumped to v0.6.3, and now uses only secure TLS ciphers by default."}),"\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"coredns-custom"})," ConfigMap now allows for ",(0,r.jsx)(s.code,{children:"*.override"})," sections to be included in the ",(0,r.jsx)(s.code,{children:".:53"})," default server block."]}),"\n",(0,r.jsx)(s.li,{children:"The K3s core controllers (supervisor, deploy, and helm) no longer use the admin kubeconfig. This makes it easier to determine from access and audit logs which actions are performed by the system, and which are performed by an administrative user."}),"\n",(0,r.jsx)(s.li,{children:"Bumped klipper-lb image to v0.4.4 to resolve an issue that prevented access to ServiceLB ports from localhost when the Service ExternalTrafficPolicy was set to Local."}),"\n",(0,r.jsx)(s.li,{children:"Make LB image configurable when compiling k3s"}),"\n",(0,r.jsx)(s.li,{children:"K3s now allows nodes to join the cluster even if the node password secret cannot be created at the time the node joins. The secret create will be retried in the background. This resolves a potential deadlock created by fail-closed validating webhooks that block secret creation, where the webhook is unavailable until new nodes join the cluster to run the webhook pod."}),"\n",(0,r.jsx)(s.li,{children:"The bundled containerd's aufs/devmapper/zfs snapshotter plugins have been restored. These were unintentionally omitted when moving containerd back into the k3s multicall binary in the previous release."}),"\n",(0,r.jsx)(s.li,{children:"The embedded helm controller has been bumped to v0.15.0, and now supports creating the chart's target namespace if it does not exist."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Remove unused libvirt config ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7759",children:"(#7759)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add format command on Makefile ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7764",children:"(#7764)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.24.15 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7785",children:"(#7785)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12414k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.14+k3s1",children:"v1.24.14+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.14, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v12413",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12413k3s1",children:"Changes since v1.24.13+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add E2E testing in Drone ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7376",children:"(#7376)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add integration tests for etc-snapshot server flags ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7379",children:"(#7379)"})]}),"\n",(0,r.jsxs)(s.li,{children:["CLI + Config Enhancement ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7407",children:"(#7407)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--Tls-sans"})," now accepts multiple arguments: ",(0,r.jsx)(s.code,{children:'--tls-sans="foo,bar"'})]}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"Prefer-bundled-bin: true"})," now works properly when set in ",(0,r.jsx)(s.code,{children:"config.yaml.d"})," files"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Migrate netutil methods into /utils/net.go ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7435",children:"(#7435)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Runc + Containerd + Docker for CVE fixes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7453",children:"(#7453)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump kube-router version to fix a bug when a port name is used ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7462",children:"(#7462)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Kube flags and longhorn tests 1.24 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7467",children:"(#7467)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Local-storage: Fix permission ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7472",children:"(#7472)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backport version bumps and bugfixes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7516",children:"(#7516)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:'K3s now retries the cluster join operation when receiving a "too many learners" error from etcd. This most frequently occurred when attempting to add multiple servers at the same time.'}),"\n",(0,r.jsx)(s.li,{children:"K3s once again supports aarch64 nodes with page size > 4k"}),"\n",(0,r.jsx)(s.li,{children:"The packaged Traefik version has been bumped to v2.9.10 / chart 21.2.0"}),"\n",(0,r.jsxs)(s.li,{children:["K3s now prints a more meaningful error when attempting to run from a filesystem mounted ",(0,r.jsx)(s.code,{children:"noexec"}),"."]}),"\n",(0,r.jsxs)(s.li,{children:["K3s now exits with a proper error message when the server token uses a bootstrap token ",(0,r.jsx)(s.code,{children:"id.secret"})," format."]}),"\n",(0,r.jsx)(s.li,{children:"Fixed an issue where Addon, HelmChart, and HelmChartConfig CRDs were created without structural schema, allowing the creation of custom resources of these types with invalid content."}),"\n",(0,r.jsx)(s.li,{children:"Servers started with the (experimental) --disable-agent flag no longer attempt to run the tunnel authorizer agent component."}),"\n",(0,r.jsx)(s.li,{children:"Fixed an regression that prevented the pod and cluster egress-selector modes from working properly."}),"\n",(0,r.jsx)(s.li,{children:"K3s now correctly passes through etcd-args to the temporary etcd that is used to extract cluster bootstrap data when restarting managed etcd nodes."}),"\n",(0,r.jsx)(s.li,{children:"K3s now properly handles errors obtaining the current etcd cluster member list when a new server is joining the managed etcd cluster."}),"\n",(0,r.jsxs)(s.li,{children:["The embedded kine version has been bumped to v0.10.1. This replaces the legacy ",(0,r.jsx)(s.code,{children:"lib/pq"})," postgres driver with ",(0,r.jsx)(s.code,{children:"pgx"}),"."]}),"\n",(0,r.jsx)(s.li,{children:"The bundled CNI plugins have been upgraded to v1.2.0-k3s1. The bandwidth and firewall plugins are now included in the bundle."}),"\n",(0,r.jsx)(s.li,{children:"The embedded Helm controller now supports authenticating to chart repositories via credentials stored in a Secret, as well as passing repo CAs via ConfigMap."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd/runc to v1.7.1-k3s1/v1.1.7 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7536",children:"(#7536)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The bundled containerd and runc versions have been bumped to v1.7.1-k3s1/v1.1.7"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Wrap error stating that it is coming from netpol ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7549",children:"(#7549)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.14-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7577",children:"(#7577)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12413k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.13+k3s1",children:"v1.24.13+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.13, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v12412",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12412k3s1",children:"Changes since v1.24.12+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Enhance ",(0,r.jsx)(s.code,{children:"check-config"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7165",children:"(#7165)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove deprecated nodeSelector label beta.kubernetes.io/os (#6970) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7122",children:"(#7122)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backport version bumps and bugfixes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7229",children:"(#7229)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The bundled local-path-provisioner version has been bumped to v0.0.24"}),"\n",(0,r.jsx)(s.li,{children:"The bundled runc version has been bumped to v1.1.5"}),"\n",(0,r.jsx)(s.li,{children:"The bundled coredns version has been bumped to v1.10.1"}),"\n",(0,r.jsx)(s.li,{children:"When using an external datastore, K3s now locks the bootstrap key while creating initial cluster bootstrap data, preventing a race condition when multiple servers attempted to initialize the cluster simultaneously."}),"\n",(0,r.jsx)(s.li,{children:"The client load-balancer that maintains connections to active server nodes now closes connections to servers when they are removed from the cluster. This ensures that agent components immediately reconnect to a current cluster member."}),"\n",(0,r.jsx)(s.li,{children:"Fixed a race condition during cluster reset that could cause the operation to hang and time out."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Updated kube-router to move the default ACCEPT rule at the end of the chain ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7222",children:"(#7222)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded kube-router controller has been updated to fix a regression that caused traffic from pods to be blocked by any default drop/deny rules present on the host. Users should still confirm that any externally-managed firewall rules explicitly allow traffic to/from pod and service networks, but this returns the old behavior that was relied upon by some users."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update klipper lb and helm-controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7241",children:"(#7241)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kube-router ACCEPT rule insertion and install script to clean rules before start ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7277",children:"(#7277)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded kube-router controller has been updated to fix a regression that caused traffic from pods to be blocked by any default drop/deny rules present on the host. Users should still confirm that any externally-managed firewall rules explicitly allow traffic to/from pod and service networks, but this returns the old behavior that was relied upon by some users."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.13-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7284",children:"(#7284)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12412k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.12+k3s1",children:"v1.24.12+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.12, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v12411",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12411k3s1",children:"Changes since v1.24.11+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update flannel and kube-router ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7063",children:"(#7063)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump various dependencies for CVEs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7042",children:"(#7042)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Enable dependabot ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7046",children:"(#7046)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Wait for kubelet port to be ready before setting ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7065",children:"(#7065)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The agent tunnel authorizer now waits for the kubelet to be ready before reading the kubelet port from the node object."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Improve support for rotating the default self-signed certs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7080",children:"(#7080)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"k3s certificate rotate-ca"})," checks now support rotating self-signed certificates without the ",(0,r.jsx)(s.code,{children:"--force"})," option."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Adds a warning about editing to the containerd config.toml file ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7076",children:"(#7076)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.12-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7105",children:"(#7105)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12411k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.11+k3s1",children:"v1.24.11+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.11, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v12410",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12410k3s1",children:"Changes since v1.24.10+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add jitter to scheduled snapshots and retry harder on conflicts ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6783",children:"(#6783)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Scheduled etcd snapshots are now offset by a short random delay of up to several seconds. This should prevent multi-server clusters from executing pathological behavior when attempting to simultaneously update the snapshot list ConfigMap. The snapshot controller will also be more persistent in attempting to update the snapshot list."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump cri-dockerd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6799",children:"(#6799)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded cri-dockerd has been updated to v0.3.1"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bugfix: do not break cert-manager when pprof is enabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6838",children:"(#6838)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump vagrant boxes to fedora37 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6859",children:"(#6859)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix cronjob example ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6865",children:"(#6865)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Ensure flag type consistency ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6868",children:"(#6868)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Wait for cri-dockerd socket ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6854",children:"(#6854)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Consolidate E2E tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6888",children:"(#6888)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Ignore value conflicts when reencrypting secrets ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6918",children:"(#6918)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow ServiceLB to honor ",(0,r.jsx)(s.code,{children:"ExternalTrafficPolicy=Local"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6908",children:"(#6908)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"ServiceLB now honors the Service's ExternalTrafficPolicy. When set to Local, the LoadBalancer will only advertise addresses of Nodes with a Pod for the Service, and will not forward traffic to other cluster members."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Use default address family when adding kubernetes service address to SAN list ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6905",children:"(#6905)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The apiserver advertised address and IP SAN entry are now set correctly on clusters that use IPv6 as the default IP family."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue with servicelb startup failure when validating webhooks block creation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6920",children:"(#6920)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded cloud controller manager will no longer attempt to unconditionally re-create its namespace and serviceaccount on startup. This resolves an issue that could cause a deadlocked cluster when fail-closed webhooks are in use."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Backport user-provided CA cert and ",(0,r.jsx)(s.code,{children:"kubeadm"})," bootstrap token support ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6930",children:"(#6930)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["K3s now functions properly when the cluster CA certificates are signed by an existing root or intermediate CA. You can find a sample script for generating such certificates before K3s starts in the github repo at ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/blob/master/contrib/util/certs.sh",children:"contrib/util/certs.sh"}),"."]}),"\n",(0,r.jsxs)(s.li,{children:["K3s now supports ",(0,r.jsx)(s.code,{children:"kubeadm"})," style join tokens. ",(0,r.jsx)(s.code,{children:"k3s token create"})," now creates join token secrets, optionally with a limited TTL."]}),"\n",(0,r.jsx)(s.li,{children:"K3s agents joined with an expired or deleted token stay in the cluster using existing client certificates via the NodeAuthorization admission plugin, unless their Node object is deleted from the cluster."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix access to hostNetwork port on NodeIP when egress-selector-mode=agent ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6937",children:"(#6937)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed an issue that would cause the apiserver egress proxy to attempt to use the agent tunnel to connect to service endpoints even in agent or disabled mode."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update flannel to v0.21.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6925",children:"(#6925)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow for multiple sets of leader-elected controllers ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6942",children:"(#6942)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed an issue where leader-elected controllers for managed etcd did not run on etcd-only nodes"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix etcd and ca-cert rotate issues ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6955",children:"(#6955)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix ServiceLB dual-stack ingress IP listing ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6988",children:"(#6988)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Resolved an issue with ServiceLB that would cause it to advertise node IPv6 addresses, even if the cluster or service was not enabled for dual-stack operation."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump kine to v0.9.9 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6976",children:"(#6976)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The embedded kine version has been bumped to v0.9.9. Compaction log messages are now omitted at ",(0,r.jsx)(s.code,{children:"info"})," level for increased visibility."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.11-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7009",children:"(#7009)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12410k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.10+k3s1",children:"v1.24.10+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.10+k3s1, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v1249",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1249k3s2",children:"Changes since v1.24.9+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Pass through default tls-cipher-suites ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6731",children:"(#6731)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The K3s default cipher suites are now explicitly passed in to kube-apiserver, ensuring that all listeners use these values."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd to v1.6.15-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6736",children:"(#6736)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded containerd version has been bumped to v1.6.15-k3s1"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump action/download-artifact to v3 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6748",children:"(#6748)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1249k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.9+k3s2",children:"v1.24.9+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates containerd to v1.6.14 to resolve an issue where pods would lose their CNI information when containerd was restarted."}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1249k3s1",children:"Changes since v1.24.9+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Backport missing E2E test commits ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6616",children:"(#6616)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd to v1.6.14-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6695",children:"(#6695)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The embedded containerd version has been bumped to v1.6.14-k3s1. This includes a backported fix for ",(0,r.jsx)(s.a,{href:"https://github.com/containerd/containerd/issues/7843",children:"containerd/7843"})," which caused pods to lose their CNI info when containerd was restarted, which in turn caused the kubelet to recreate the pod."]}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1249k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.9+k3s1",children:"v1.24.9+k3s1"})]}),"\n",(0,r.jsxs)(s.blockquote,{children:["\n",(0,r.jsx)(s.h2,{id:"\ufe0f-warning",children:"\u26a0\ufe0f WARNING"}),"\n",(0,r.jsxs)(s.p,{children:["This release is affected by ",(0,r.jsx)(s.a,{href:"https://github.com/containerd/containerd/issues/7843",children:"https://github.com/containerd/containerd/issues/7843"}),", which causes the kubelet to restart all pods whenever K3s is restarted. For this reason, we have removed this K3s release from the channel server. Please use ",(0,r.jsx)(s.code,{children:"v1.24.9+k3s2"})," instead."]}),"\n"]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.9, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:[(0,r.jsx)(s.strong,{children:"Breaking Change:"})," K3s no longer includes ",(0,r.jsx)(s.code,{children:"swanctl"})," and ",(0,r.jsx)(s.code,{children:"charon"})," binaries. If you are using the ipsec flannel backend, please ensure that the strongswan ",(0,r.jsx)(s.code,{children:"swanctl"})," and ",(0,r.jsx)(s.code,{children:"charon"})," packages are installed on your node before upgrading K3s to this release."]}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v1248",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1248k3s1",children:"Changes since v1.24.8+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Remove stuff which belongs in the windows executor implementation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6502",children:"(#6502)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Github CI Updates ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6535",children:"(#6535)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix log for flannelExternalIP use case ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6540",children:"(#6540)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Switch from Google Buckets to AWS S3 Buckets ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6570",children:"(#6570)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Change secrets-encryption flag to GA ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6591",children:"(#6591)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update flannel to v0.20.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6589",children:"(#6589)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2022-12 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6599",children:"(#6599)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Added new prefer-bundled-bin flag which force K3s to use its bundle binaries over that of the host tools"}),"\n",(0,r.jsx)(s.li,{children:"The embedded containerd version has been updated to v1.6.10-k3s1"}),"\n",(0,r.jsxs)(s.li,{children:["The rootless ",(0,r.jsx)(s.code,{children:"port-driver"}),", ",(0,r.jsx)(s.code,{children:"cidr"}),", ",(0,r.jsx)(s.code,{children:"mtu"}),", ",(0,r.jsx)(s.code,{children:"enable-ipv6"}),", and ",(0,r.jsx)(s.code,{children:"disable-host-loopback"})," settings can now be configured via environment variables."]}),"\n",(0,r.jsxs)(s.li,{children:["The embedded Load-Balancer controller image has been bumped to klipper-lb",":v0",".4.0, which includes support for the ",(0,r.jsx)(s.a,{href:"https://kubernetes.io/docs/reference/kubernetes-api/service-resources/service-v1/#:~:text=loadBalancerSourceRanges",children:"LoadBalancerSourceRanges"})," field."]}),"\n",(0,r.jsxs)(s.li,{children:["The embedded Helm controller image has been bumped to klipper-helm",":v0",".7.4-build20221121"]}),"\n",(0,r.jsxs)(s.li,{children:["The embedded cloud-controller-manager's metrics listener on port 10258 is now disabled when the ",(0,r.jsx)(s.code,{children:"--disable-cloud-controller"})," flag is set."]}),"\n",(0,r.jsx)(s.li,{children:"Deployments for K3s packaged components now have consistent upgrade strategy and revisionHistoryLimit settings, and will not override scaling decisions by hardcoding the replica count."}),"\n",(0,r.jsx)(s.li,{children:"The packaged metrics-server has been bumped to v0.6.2"}),"\n",(0,r.jsx)(s.li,{children:"The embedded k3s-root version has been bumped to v0.12.0, based on buildroot 2022.08.1."}),"\n",(0,r.jsxs)(s.li,{children:["The embedded swanctl and charon binaries have been removed. If you are using the ipsec flannel backend, please ensure that the strongswan ",(0,r.jsx)(s.code,{children:"swanctl"})," and ",(0,r.jsx)(s.code,{children:"charon"})," packages are installed on your node before upgrading k3s."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update node12->node16 based GH actions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6595",children:"(#6595)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.9-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6623",children:"(#6623)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd to v1.6.12-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6630",children:"(#6630)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded containerd version has been bumped to v1.6.12"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Preload iptable_filter/ip6table_filter ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6647",children:"(#6647)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1248k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.8+k3s1",children:"v1.24.8+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.8, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v1247",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1247k3s1",children:"Changes since v1.24.7+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add the gateway parameter in netplan ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6341",children:"(#6341)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add a netpol test for podSelector & ingress type ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6348",children:"(#6348)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Upgrade kube-router to v1.5.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6356",children:"(#6356)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump install tests OS images ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6379",children:"(#6379)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add test for node-external-ip config parameter ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6363",children:"(#6363)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Flannel to v0.20.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6418",children:"(#6418)"})]}),"\n",(0,r.jsx)(s.li,{children:"Backports for 2022-11"}),"\n",(0,r.jsx)(s.li,{children:"The packaged traefik helm chart has been bumped to v19.0.0, enabling ingressclass support by default."}),"\n",(0,r.jsx)(s.li,{children:"The packaged local-path-provisioner has been bumped to v0.0.23"}),"\n",(0,r.jsx)(s.li,{children:"The packaged coredns has been bumped to v1.9.4"}),"\n",(0,r.jsx)(s.li,{children:"Fix incorrect defer usage"}),"\n",(0,r.jsx)(s.li,{children:"The bundled traefik has been updated to v2.9.4 / helm chart v18.3.0"}),"\n",(0,r.jsx)(s.li,{children:"Use debugger-friendly compile settings if debug is set"}),"\n",(0,r.jsx)(s.li,{children:"Add test for node-external-ip config parameter"}),"\n",(0,r.jsx)(s.li,{children:"Convert containerd config.toml.tmpl linux template to v2 syntax"}),"\n",(0,r.jsx)(s.li,{children:"Replace fedora-coreos with fedora 36 for install tests"}),"\n",(0,r.jsx)(s.li,{children:"Fixed an issue that would prevent the deploy controller from handling manifests that include resource types that are no longer supported by the apiserver."}),"\n",(0,r.jsx)(s.li,{children:"The embedded helm controller has been bumped to v0.13.0"}),"\n",(0,r.jsx)(s.li,{children:"The bundled traefik helm chart has been updated to v18.0.0"}),"\n",(0,r.jsx)(s.li,{children:"Add hardened cluster and upgrade tests"}),"\n",(0,r.jsxs)(s.li,{children:["Bump kine to v0.9.6 / sqlite3 v3.39.2 (",(0,r.jsx)(s.a,{href:"https://nvd.nist.gov/vuln/detail/cve-2022-35737",children:"cve-2022-35737"}),")"]}),"\n",(0,r.jsxs)(s.li,{children:["Bumped dynamiclistener library to v0.3.5 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6411",children:"(#6411)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add some helping logs to avoid wrong configs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6432",children:"(#6432)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Change the priority of address types depending on flannel-external-ip ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6434",children:"(#6434)"})]}),"\n",(0,r.jsxs)(s.li,{children:["log kube-router version when starting netpol controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6439",children:"(#6439)"})]}),"\n",(0,r.jsxs)(s.li,{children:["K3s now indicates specifically which cluster-level configuration flags are out of sync when critical configuration differs between server nodes. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6446",children:"(#6446)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Pull traefik helm chart directly from GH ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6469",children:"(#6469)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.8 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6479",children:"(#6479)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The packaged traefik helm chart has been bumped to 19.0.4 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6495",children:"(#6495)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Move traefik chart repo again ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6509",children:"(#6509)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1247k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.7+k3s1",children:"v1.24.7+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.7, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["The K3s ",(0,r.jsx)(s.a,{href:"https://docs.k3s.io/security/hardening-guide",children:"CIS Hardening Guide"})," has been updated to include configuration changes required to support embedding ServiceLB in the cloud controller manager. If you have followed the hardening guide, please update your policies and RBAC in accordingly."]}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v1246",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1246k3s1",children:"Changes since v1.24.6+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add flannel-external-ip when there is a k3s node-external-ip ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6189",children:"(#6189)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2022-10 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6227",children:"(#6227)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded metrics-server version has been bumped to v0.6.1"}),"\n",(0,r.jsx)(s.li,{children:"The ServiceLB (klipper-lb) service controller is now integrated into the K3s stub cloud controller manager."}),"\n",(0,r.jsx)(s.li,{children:"Events recorded to the cluster by embedded controllers are now properly formatted in the service logs."}),"\n",(0,r.jsxs)(s.li,{children:["Fixed an issue with the apiserver network proxy that caused ",(0,r.jsx)(s.code,{children:"kubectl exec"})," to occasionally fail with ",(0,r.jsx)(s.code,{children:"error dialing backend: EOF"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fixed an issue with the apiserver network proxy that caused ",(0,r.jsx)(s.code,{children:"kubectl exec"})," and ",(0,r.jsx)(s.code,{children:"kubectl logs"})," to fail when a custom kubelet port was used, and the custom port was blocked by firewall or security group rules."]}),"\n",(0,r.jsx)(s.li,{children:"The embedded Traefik version has been bumped to v2.9.1 / chart 12.0.0"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Replace deprecated ioutil package ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6235",children:"(#6235)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix dualStack test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6250",children:"(#6250)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.7-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6270",children:"(#6270)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add ServiceAccount for svclb pods ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6276",children:"(#6276)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Return ProviderID in URI format ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6287",children:"(#6287)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Corrected CCM RBAC to allow for removal of legacy service finalizer during upgrades. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6307",children:"(#6307)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added a new --flannel-external-ip flag. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6322",children:"(#6322)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"When enabled, Flannel traffic will now use the nodes external IPs, instead of internal."}),"\n",(0,r.jsx)(s.li,{children:"This is meant for use with distributed clusters that are not all on the same local network."}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1246k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.6+k3s1",children:"v1.24.6+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.6, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v1244",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1244k3s1",children:"Changes since v1.24.4+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Remove ",(0,r.jsx)(s.code,{children:"--containerd"})," flag from windows kubelet args ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6028",children:"(#6028)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Mark v1.24.4+k3s1 as stable ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6036",children:"(#6036)"})]}),"\n",(0,r.jsxs)(s.li,{children:["E2E: Add support for CentOS 7 and Rocky 8 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6015",children:"(#6015)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Convert install tests to run PR build of k3s ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6003",children:"(#6003)"})]}),"\n",(0,r.jsxs)(s.li,{children:["CI: update Fedora 34 -> 35 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5996",children:"(#5996)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix dualStack test and change ipv6 network prefix ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6023",children:"(#6023)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix e2e tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6018",children:"(#6018)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Flannel version to fix older iptables version issue. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6088",children:"(#6088)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The bundled version of runc has been bumped to v1.1.4 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6072",children:"(#6072)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The embedded containerd version has been bumped to v1.6.8-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6079",children:"(#6079)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bulk Backport of Testing Changes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6085",children:"(#6085)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add validation check to confirm correct golang version for Kubernetes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6113",children:"(#6113)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.5 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6143",children:"(#6143)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.6-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6164",children:"(#6164)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1244k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.4+k3s1",children:"v1.24.4+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.4, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["This release restores use of the ",(0,r.jsx)(s.code,{children:"--docker"})," flag to the v1.24 branch. See ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/blob/master/docs/adrs/cri-dockerd.md",children:"docs/adrs/cri-dockerd.md"})," for more information."]}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v1243",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1243k3s1",children:"Changes since v1.24.3+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Put the terraform tests into their own packages and cleanup the test runs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5861",children:"(#5861)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bumped rootlesskit to v1.0.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5773",children:"(#5773)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The initial health-check time for the etcd datastore has been raised from 10 to 30 seconds. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5882",children:"(#5882)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fixed a regression that caused systemd cgroup driver autoconfiguration to fail on server nodes. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5851",children:"(#5851)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The embedded network policy controller has been updated to kube-router v1.5.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5789",children:"(#5789)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The configured service CIDR is now passed to the Kubernetes controller-manager via the ",(0,r.jsx)(s.code,{children:"--service-cluster-ip-range"})," flag. Previously this value was only passed to the apiserver. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5894",children:"(#5894)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Updated dynamiclistener to fix a regression that prevented certificate renewal from working properly. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5896",children:"(#5896)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Promote v1.24.3+k3s1 to stable ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5889",children:"(#5889)"})]}),"\n",(0,r.jsxs)(s.li,{children:["ADR: Depreciating and Removing Old Flags ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5890",children:"(#5890)"})]}),"\n",(0,r.jsxs)(s.li,{children:["K3s no longer sets containerd's ",(0,r.jsx)(s.code,{children:"enable_unprivileged_icmp"})," and ",(0,r.jsx)(s.code,{children:"enable_unprivileged_ports"})," options on kernels that do not support them. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5913",children:"(#5913)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The etcd error on incorrect peer urls now correctly includes the expected https and 2380 port. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5909",children:"(#5909)"})]}),"\n",(0,r.jsxs)(s.li,{children:["When set, the agent-token value is now written to ",(0,r.jsx)(s.code,{children:"$datadir/server/agent-token"}),", in the same manner as the default (server) token is written to ",(0,r.jsx)(s.code,{children:"$datadir/server/token"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5906",children:"(#5906)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Deprecated flags now warn of their v1.25 removal ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5937",children:"(#5937)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix secrets reencryption for clusters with 8K+ secrets ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5936",children:"(#5936)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bumped minio-go to v7.0.33. This adds support for IMDSv2 credentials. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5928",children:"(#5928)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Upgrade GH Actions macos-10.15 to macos-12 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5953",children:"(#5953)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added dualstack IP auto detection ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5920",children:"(#5920)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"--docker"})," flag has been restored to k3s, as a shortcut to enabling embedded cri-dockerd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5916",children:"(#5916)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update MAINTAINERS with new folks and departures ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5948",children:"(#5948)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Removing checkbox indicating backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5947",children:"(#5947)"})]}),"\n",(0,r.jsxs)(s.li,{children:["fix checkError in terraform/testutils ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5893",children:"(#5893)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add scripts to run e2e test using ansible ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5134",children:"(#5134)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Updated flannel to v0.19.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5962",children:"(#5962)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update run scripts ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5979",children:"(#5979)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Convert install/cgroup tests to yaml based config ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5992",children:"(#5992)"})]}),"\n",(0,r.jsxs)(s.li,{children:["E2E: Local cluster testing ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5977",children:"(#5977)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add nightly install github action ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5998",children:"(#5998)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Convert codespell from Drone to GH actions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6004",children:"(#6004)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.4 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6014",children:"(#6014)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1243k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.3+k3s1",children:"v1.24.3+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.3, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v1242",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1242k3s2",children:"Changes since v1.24.2+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Updated rancher/remotedialer to address a potential memory leak. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5784",children:"(#5784)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The embedded runc binary has been bumped to v1.1.3 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5783",children:"(#5783)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fixed a regression that caused some containerd labels to be empty in cadvisor pod metrics ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5812",children:"(#5812)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Replace dapper testing with regular docker ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5805",children:"(#5805)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Promote v1.23.8+k3s2 to stable ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5814",children:"(#5814)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fixed an issue that would cause etcd restore to fail when restoring a snapshot made with secrets encryption enabled if the --secrets-encryption command was not included in the config file or restore command. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5817",children:"(#5817)"})]}),"\n",(0,r.jsx)(s.li,{children:"Fix deletion of svclb DaemonSet when Service is deleted"}),"\n",(0,r.jsxs)(s.li,{children:["Fixed a regression that caused ServiceLB DaemonSets to remain present after their corresponding Services were deleted.\r\nManual cleanup of orphaned ",(0,r.jsx)(s.code,{children:"svclb-*"})," DaemonSets from the ",(0,r.jsx)(s.code,{children:"kube-system"})," namespace may be necessary if any LoadBalancer Services were deleted while running an affected release. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5824",children:"(#5824)"})]}),"\n",(0,r.jsx)(s.li,{children:"Address issues with etcd snapshots"}),"\n",(0,r.jsx)(s.li,{children:"Scheduled etcd snapshots are now compressed when snapshot compression is enabled."}),"\n",(0,r.jsx)(s.li,{children:"The default etcd snapshot timeout has been raised to 5 minutes.\r\nOnly one scheduled etcd snapshot will run at a time. If another snapshot would occur while the previous snapshot is still in progress, an error will be logged and the second scheduled snapshot will be skipped."}),"\n",(0,r.jsxs)(s.li,{children:["S3 objects for etcd snapshots are now labeled with the correct content-type when compression is not enabled. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5833",children:"(#5833)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.3 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5870",children:"(#5870)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1242k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.2+k3s2",children:"v1.24.2+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This fixes several issues in the v1.24.2+k3s1 and prior releases."}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1242k3s1",children:"Changes since v1.24.2+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Bumped kine to fix an issue where namespaced lists that included a field-selector on metadata.name would fail to return results when using a sql storage backend. (",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5795",children:"#5795"}),")"]}),"\n",(0,r.jsxs)(s.li,{children:["K3s will no longer log panics after upgrading directly from much older kubernetes releases, or when deploying services with ",(0,r.jsx)(s.code,{children:"type: externalname"}),". (",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5771",children:"#5771"}),")"]}),"\n",(0,r.jsxs)(s.li,{children:["Fixed an issue that prevented ",(0,r.jsx)(s.code,{children:"kubectl logs"})," and other functionality that requires a connection to the agent from working correctly when the server's ",(0,r.jsx)(s.code,{children:"--bind-address"})," flag was used, or when k3s is used behind a http proxy. (",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5780",children:"#5780"}),")"]}),"\n",(0,r.jsxs)(s.li,{children:["Fixed an issue that prevented newer versions of k3s from joining clusters that do not have egress-selector-mode support. (",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5785",children:"#5785"}),")"]}),"\n",(0,r.jsxs)(s.li,{children:["Remove go-powershell dead dependency (",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5777",children:"#5777"}),")"]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1242k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.2+k3s1",children:"v1.24.2+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.2, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v1241",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1241k3s1",children:"Changes since v1.24.1+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Remove kube-ipvs0 interface when cleaning up ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5644",children:"(#5644)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"--flannel-wireguard-mode"})," switch was added to the k3s cli to configure the wireguard tunnel mode with the wireguard native backend ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5552",children:"(#5552)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Introduce the flannelcniconf flag to set the desired flannel cni configuration ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5656",children:"(#5656)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Integration Test: Startup ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5630",children:"(#5630)"})]}),"\n",(0,r.jsxs)(s.li,{children:["E2E Improvements and groundwork for test-pad tool ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5593",children:"(#5593)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update SECURITY.md ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5607",children:"(#5607)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Introduce --enable-pprof flag to optionally run pprof server ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5527",children:"(#5527)"})]}),"\n",(0,r.jsxs)(s.li,{children:["E2E: Dualstack test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5617",children:"(#5617)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Pods created by ServiceLB are now all placed in the ",(0,r.jsx)(s.code,{children:"kube-system"})," namespace, instead of in the same namespace as the Service. This allows for ",(0,r.jsx)(s.a,{href:"https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-namespace-labels/",children:"enforcing Pod Security Standards"})," in user namespaces without breaking ServiceLB. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5657",children:"(#5657)"})]}),"\n",(0,r.jsxs)(s.li,{children:["E2E: testpad prep, add alternate scripts location ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5692",children:"(#5692)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add arm tests and upgrade tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5526",children:"(#5526)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Delay service readiness until after startuphooks have finished ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5649",children:"(#5649)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Disable urfave markdown/man docs generation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5566",children:"(#5566)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The embedded etcd snapshot controller will no longer fail to process snapshot files containing characters that are invalid for use in ConfigMap keys. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5702",children:"(#5702)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Environment variables prefixed with ",(0,r.jsx)(s.code,{children:"CONTAINERD_"})," now take priority over other existing variables, when passed through to containerd. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5706",children:"(#5706)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The embedded etcd instance no longer accepts connections from other nodes while resetting or restoring. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5542",children:"(#5542)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Enable compatibility tests for k3s s390x ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5658",children:"(#5658)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Containerd: Enable enable_unprivileged_ports and enable_unprivileged_\u2026 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5538",children:"(#5538)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The embedded Helm controller now properly updates Chart deployments when HelmChartConfig resources are updated or deleted. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5731",children:"(#5731)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5749",children:"(#5749)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1241k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.1+k3s1",children:"v1.24.1+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.1, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v1240",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1240k3s1",children:"Changes since v1.24.0+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Objects will be removed from Kubernetes when they are removed from manifest files. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5560",children:"(#5560)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove errant unversioned etcd go.mod entry ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5548",children:"(#5548)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Pass the node-ip values to kubelet ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5579",children:"(#5579)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The integrated apiserver network proxy's operational mode can now be set with ",(0,r.jsx)(s.code,{children:"--egress-selector-mode"}),". ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5577",children:"(#5577)"})]}),"\n",(0,r.jsxs)(s.li,{children:["remove dweomer from maintainers ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5582",children:"(#5582)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump dynamiclistener to v0.3.3 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5554",children:"(#5554)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.1-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5616",children:"(#5616)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Re-add ",(0,r.jsx)(s.code,{children:"--cloud-provider=external"})," kubelet arg ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5628",children:"(#5628)"})]}),"\n",(0,r.jsxs)(s.li,{children:['Revert "Give kubelet the node-ip value (#5579)" ',(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5636",children:"(#5636)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{})]})}function o(e={}){const{wrapper:s}={...(0,n.a)(),...e.components};return s?(0,r.jsx)(s,{...e,children:(0,r.jsx)(a,{...e})}):a(e)}},1151:(e,s,t)=>{t.d(s,{Z:()=>h,a:()=>l});var r=t(7294);const n={},i=r.createContext(n);function l(e){const s=r.useContext(i);return r.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function h(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:l(e.components),r.createElement(i.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/d123a91e.325b80fb.js b/kr/assets/js/d123a91e.325b80fb.js deleted file mode 100644 index 676dccead..000000000 --- a/kr/assets/js/d123a91e.325b80fb.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[855],{5418:(e,s,t)=>{t.r(s),t.d(s,{assets:()=>c,contentTitle:()=>l,default:()=>o,frontMatter:()=>i,metadata:()=>h,toc:()=>d});var r=t(5893),n=t(1151);const i={hide_table_of_contents:!0,sidebar_position:7},l="v1.24.X",h={id:"release-notes/v1.24.X",title:"v1.24.X",description:"Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.",source:"@site/docs/release-notes/v1.24.X.md",sourceDirName:"release-notes",slug:"/release-notes/v1.24.X",permalink:"/kr/release-notes/v1.24.X",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/release-notes/v1.24.X.md",tags:[],version:"current",lastUpdatedAt:172365169e4,sidebarPosition:7,frontMatter:{hide_table_of_contents:!0,sidebar_position:7},sidebar:"mySidebar",previous:{title:"v1.25.X",permalink:"/kr/release-notes/v1.25.X"},next:{title:"Related Projects",permalink:"/kr/related-projects"}},c={},d=[{value:"Release v1.24.17+k3s1",id:"release-v12417k3s1",level:2},{value:"Changes since v1.24.16+k3s1:",id:"changes-since-v12416k3s1",level:3},{value:"Release v1.24.16+k3s1",id:"release-v12416k3s1",level:2},{value:"Changes since v1.24.14+k3s1:",id:"changes-since-v12414k3s1",level:3},{value:"Release v1.24.15+k3s1",id:"release-v12415k3s1",level:2},{value:"Changes since v1.24.14+k3s1:",id:"changes-since-v12414k3s1-1",level:3},{value:"Release v1.24.14+k3s1",id:"release-v12414k3s1",level:2},{value:"Changes since v1.24.13+k3s1:",id:"changes-since-v12413k3s1",level:3},{value:"Release v1.24.13+k3s1",id:"release-v12413k3s1",level:2},{value:"Changes since v1.24.12+k3s1:",id:"changes-since-v12412k3s1",level:3},{value:"Release v1.24.12+k3s1",id:"release-v12412k3s1",level:2},{value:"Changes since v1.24.11+k3s1:",id:"changes-since-v12411k3s1",level:3},{value:"Release v1.24.11+k3s1",id:"release-v12411k3s1",level:2},{value:"Changes since v1.24.10+k3s1:",id:"changes-since-v12410k3s1",level:3},{value:"Release v1.24.10+k3s1",id:"release-v12410k3s1",level:2},{value:"Changes since v1.24.9+k3s2:",id:"changes-since-v1249k3s2",level:3},{value:"Release v1.24.9+k3s2",id:"release-v1249k3s2",level:2},{value:"Changes since v1.24.9+k3s1:",id:"changes-since-v1249k3s1",level:3},{value:"Release v1.24.9+k3s1",id:"release-v1249k3s1",level:2},{value:"\u26a0\ufe0f WARNING",id:"\ufe0f-warning",level:2},{value:"Changes since v1.24.8+k3s1:",id:"changes-since-v1248k3s1",level:3},{value:"Release v1.24.8+k3s1",id:"release-v1248k3s1",level:2},{value:"Changes since v1.24.7+k3s1:",id:"changes-since-v1247k3s1",level:3},{value:"Release v1.24.7+k3s1",id:"release-v1247k3s1",level:2},{value:"Changes since v1.24.6+k3s1:",id:"changes-since-v1246k3s1",level:3},{value:"Release v1.24.6+k3s1",id:"release-v1246k3s1",level:2},{value:"Changes since v1.24.4+k3s1:",id:"changes-since-v1244k3s1",level:3},{value:"Release v1.24.4+k3s1",id:"release-v1244k3s1",level:2},{value:"Changes since v1.24.3+k3s1:",id:"changes-since-v1243k3s1",level:3},{value:"Release v1.24.3+k3s1",id:"release-v1243k3s1",level:2},{value:"Changes since v1.24.2+k3s2:",id:"changes-since-v1242k3s2",level:3},{value:"Release v1.24.2+k3s2",id:"release-v1242k3s2",level:2},{value:"Changes since v1.24.2+k3s1:",id:"changes-since-v1242k3s1",level:3},{value:"Release v1.24.2+k3s1",id:"release-v1242k3s1",level:2},{value:"Changes since v1.24.1+k3s1:",id:"changes-since-v1241k3s1",level:3},{value:"Release v1.24.1+k3s1",id:"release-v1241k3s1",level:2},{value:"Changes since v1.24.0+k3s1:",id:"changes-since-v1240k3s1",level:3}];function a(e){const s={a:"a",admonition:"admonition",blockquote:"blockquote",code:"code",h1:"h1",h2:"h2",h3:"h3",hr:"hr",li:"li",p:"p",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,n.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(s.h1,{id:"v124x",children:"v1.24.X"}),"\n",(0,r.jsx)(s.admonition,{title:"Upgrade Notice",type:"warning",children:(0,r.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]})}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Version"}),(0,r.jsx)(s.th,{children:"Release date"}),(0,r.jsx)(s.th,{children:"Kubernetes"}),(0,r.jsx)(s.th,{children:"Kine"}),(0,r.jsx)(s.th,{children:"SQLite"}),(0,r.jsx)(s.th,{children:"Etcd"}),(0,r.jsx)(s.th,{children:"Containerd"}),(0,r.jsx)(s.th,{children:"Runc"}),(0,r.jsx)(s.th,{children:"Flannel"}),(0,r.jsx)(s.th,{children:"Metrics-server"}),(0,r.jsx)(s.th,{children:"Traefik"}),(0,r.jsx)(s.th,{children:"CoreDNS"}),(0,r.jsx)(s.th,{children:"Helm-controller"}),(0,r.jsx)(s.th,{children:"Local-path-provisioner"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.24.X#release-v12417k3s1",children:"v1.24.17+k3s1"})}),(0,r.jsx)(s.td,{children:"Sep 05 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v12417",children:"v1.24.17"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.2",children:"v0.10.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.3-k3s1",children:"v1.7.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.3-k3s1.23",children:"v0.21.3-k3s1.23"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.24.X#release-v12416k3s1",children:"v1.24.16+k3s1"})}),(0,r.jsx)(s.td,{children:"Jul 27 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v12416",children:"v1.24.16"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.3-k3s1.23",children:"v0.21.3-k3s1.23"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.2",children:"v0.15.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.24.X#release-v12415k3s1",children:"v1.24.15+k3s1"})}),(0,r.jsx)(s.td,{children:"Jun 26 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v12415",children:"v1.24.15"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.3-k3s1.23",children:"v0.21.3-k3s1.23"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.0",children:"v0.15.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.24.X#release-v12414k3s1",children:"v1.24.14+k3s1"})}),(0,r.jsx)(s.td,{children:"May 26 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v12414",children:"v1.24.14"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.3-k3s1.23",children:"v0.21.3-k3s1.23"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.14.0",children:"v0.14.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.24.X#release-v12413k3s1",children:"v1.24.13+k3s1"})}),(0,r.jsx)(s.td,{children:"Apr 20 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v12413",children:"v1.24.13"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.19-k3s1",children:"v1.6.19-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.5",children:"v1.1.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.3-k3s1.23",children:"v0.21.3-k3s1.23"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.3",children:"v0.13.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.24.X#release-v12412k3s1",children:"v1.24.12+k3s1"})}),(0,r.jsx)(s.td,{children:"Mar 27 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v12412",children:"v1.24.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.19-k3s1",children:"v1.6.19-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.3-k3s1.23",children:"v0.21.3-k3s1.23"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.24.X#release-v12411k3s1",children:"v1.24.11+k3s1"})}),(0,r.jsx)(s.td,{children:"Mar 10 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v12411",children:"v1.24.11"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.15-k3s1",children:"v1.6.15-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.1-k3s1.23",children:"v0.21.1-k3s1.23"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.24.X#release-v12410k3s1",children:"v1.24.10+k3s1"})}),(0,r.jsx)(s.td,{children:"Jan 26 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v12410",children:"v1.24.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.6",children:"v0.9.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.15-k3s1",children:"v1.6.15-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.2-k3s1.23",children:"v0.20.2-k3s1.23"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.24.X#release-v1249k3s2",children:"v1.24.9+k3s2"})}),(0,r.jsx)(s.td,{children:"Jan 11 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v1249",children:"v1.24.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.6",children:"v0.9.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.14-k3s1",children:"v1.6.14-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.2-k3s1.23",children:"v0.20.2-k3s1.23"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.24.X#release-v1249k3s1",children:"v1.24.9+k3s1"})}),(0,r.jsx)(s.td,{children:"Dec 20 2022"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v1249",children:"v1.24.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.6",children:"v0.9.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.12-k3s1",children:"v1.6.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.2-k3s1.23",children:"v0.20.2-k3s1.23"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.24.X#release-v1248k3s1",children:"v1.24.8+k3s1"})}),(0,r.jsx)(s.td,{children:"Nov 18 2022"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v1248",children:"v1.24.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.6",children:"v0.9.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.8-k3s1",children:"v1.6.8-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.1-k3s1.23",children:"v0.20.1-k3s1.23"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.1",children:"v0.6.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.0",children:"v0.13.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.24.X#release-v1247k3s1",children:"v1.24.7+k3s1"})}),(0,r.jsx)(s.td,{children:"Oct 25 2022"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v1247",children:"v1.24.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.3",children:"v0.9.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_36_0.html",children:"3.36.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.8-k3s1",children:"v1.6.8-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.19.2",children:"v0.19.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.1",children:"v0.6.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.1",children:"v2.9.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.1",children:"v1.9.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.12.3",children:"v0.12.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.21",children:"v0.0.21"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.24.X#release-v1246k3s1",children:"v1.24.6+k3s1"})}),(0,r.jsx)(s.td,{children:"Sep 28 2022"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v1246",children:"v1.24.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.3",children:"v0.9.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_36_0.html",children:"3.36.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.8-k3s1",children:"v1.6.8-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.19.2",children:"v0.19.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.5.2",children:"v0.5.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.6.2",children:"v2.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.1",children:"v1.9.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.12.3",children:"v0.12.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.21",children:"v0.0.21"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.24.X#release-v1244k3s1",children:"v1.24.4+k3s1"})}),(0,r.jsx)(s.td,{children:"Aug 25 2022"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v1244",children:"v1.24.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.3",children:"v0.9.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_36_0.html",children:"3.36.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.5.13-k3s1",children:"v1.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.3",children:"v1.1.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.19.1",children:"v0.19.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.5.2",children:"v0.5.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.6.2",children:"v2.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.1",children:"v1.9.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.12.3",children:"v0.12.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.21",children:"v0.0.21"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.24.X#release-v1243k3s1",children:"v1.24.3+k3s1"})}),(0,r.jsx)(s.td,{children:"Jul 19 2022"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v1243",children:"v1.24.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.3",children:"v0.9.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_36_0.html",children:"3.36.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.5.13-k3s1",children:"v1.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.3",children:"v1.1.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.18.1",children:"v0.18.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.5.2",children:"v0.5.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.6.2",children:"v2.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.1",children:"v1.9.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.12.3",children:"v0.12.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.21",children:"v0.0.21"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.24.X#release-v1242k3s2",children:"v1.24.2+k3s2"})}),(0,r.jsx)(s.td,{children:"Jul 06 2022"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v1242",children:"v1.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.3",children:"v0.9.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_36_0.html",children:"3.36.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.5.13-k3s1",children:"v1.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.2",children:"v1.1.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.18.1",children:"v0.18.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.5.2",children:"v0.5.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.6.2",children:"v2.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.1",children:"v1.9.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.12.3",children:"v0.12.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.21",children:"v0.0.21"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.24.X#release-v1242k3s1",children:"v1.24.2+k3s1"})}),(0,r.jsx)(s.td,{children:"Jun 27 2022"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v1242",children:"v1.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.1",children:"v0.9.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_36_0.html",children:"3.36.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.6-k3s1",children:"v1.6.6-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.2",children:"v1.1.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.18.1",children:"v0.18.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.5.2",children:"v0.5.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.6.2",children:"v2.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.1",children:"v1.9.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.12.3",children:"v0.12.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.21",children:"v0.0.21"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.24.X#release-v1241k3s1",children:"v1.24.1+k3s1"})}),(0,r.jsx)(s.td,{children:"Jun 11 2022"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#v1241",children:"v1.24.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.1",children:"v0.9.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_36_0.html",children:"3.36.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.5.11-k3s1",children:"v1.5.11-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.1",children:"v1.1.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.17.0",children:"v0.17.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.5.2",children:"v0.5.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.6.2",children:"v2.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.1",children:"v1.9.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.12.1",children:"v0.12.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.21",children:"v0.0.21"})})]})]})]}),"\n",(0,r.jsx)("br",{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12417k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.17+k3s1",children:"v1.24.17+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.17, and fixes a number of issues."}),"\n",(0,r.jsx)(s.admonition,{title:"IMPORTANT",type:"warning",children:(0,r.jsxs)(s.p,{children:["This release includes support for remediating CVE-2023-32187, a potential Denial of Service attack vector on K3s servers. See ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2",children:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2"})," for more information, including mandatory steps necessary to harden clusters against this vulnerability."]})}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v12416",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12416k3s1",children:"Changes since v1.24.16+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update cni plugins version to v1.3.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8087",children:"(#8087)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Etcd snapshots retention when node name changes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8124",children:"(#8124)"})]}),"\n",(0,r.jsxs)(s.li,{children:["August Test Backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8128",children:"(#8128)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2023-08 release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8135",children:"(#8135)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"K3s's external apiserver listener now declines to add to its certificate any subject names not associated with the kubernetes apiserver service, server nodes, or values of the --tls-san option. This prevents the certificate's SAN list from being filled with unwanted entries."}),"\n",(0,r.jsxs)(s.li,{children:["K3s no longer enables the apiserver's ",(0,r.jsx)(s.code,{children:"enable-aggregator-routing"})," flag when the egress proxy is not being used to route connections to in-cluster endpoints."]}),"\n",(0,r.jsx)(s.li,{children:"Updated the embedded containerd to v1.7.3+k3s1"}),"\n",(0,r.jsx)(s.li,{children:"Updated the embedded runc to v1.1.8"}),"\n",(0,r.jsxs)(s.li,{children:["User-provided containerd config templates may now use ",(0,r.jsx)(s.code,{children:'{{ template "base" . }}'})," to include the default K3s template content. This makes it easier to maintain user configuration if the only need is to add additional sections to the file."]}),"\n",(0,r.jsx)(s.li,{children:"Bump docker/docker module version to fix issues with cri-dockerd caused by recent releases of golang rejecting invalid host headers sent by the docker client."}),"\n",(0,r.jsx)(s.li,{children:"Updated kine to v0.10.2"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["K3s etcd-snapshot delete fail to delete local file when called with s3 flag ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8146",children:"(#8146)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix for cluster-reset backup from s3 when etcd snapshots are disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8168",children:"(#8168)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fixed the etcd retention to delete orphaned snapshots based on the date ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8191",children:"(#8191)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Additional backports for 2023-08 release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8214",children:"(#8214)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The version of ",(0,r.jsx)(s.code,{children:"helm"})," used by the bundled helm controller's job image has been updated to v3.12.3"]}),"\n",(0,r.jsx)(s.li,{children:"Bumped dynamiclistener to address an issue that could cause the apiserver/supervisor listener on 6443 to stop serving requests on etcd-only nodes."}),"\n",(0,r.jsx)(s.li,{children:"The K3s external apiserver/supervisor listener on 6443 now sends a complete certificate chain in the TLS handshake."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix runc version bump ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8243",children:"(#8243)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.17 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8240",children:"(#8240)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add new CLI flag to enable TLS SAN CN filtering ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8260",children:"(#8260)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Added a new ",(0,r.jsx)(s.code,{children:"--tls-san-security"})," option. This flag defaults to false, but can be set to true to disable automatically adding SANs to the server's TLS certificate to satisfy any hostname requested by a client."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add RWMutex to address controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8276",children:"(#8276)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12416k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.16+k3s1",children:"v1.24.16+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.16, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v12415",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12414k3s1",children:"Changes since v1.24.14+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix code spell check ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7861",children:"(#7861)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove file_windows.go ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7857",children:"(#7857)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow k3s to customize apiServerPort on helm-controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7872",children:"(#7872)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix rootless node password ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7899",children:"(#7899)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2023-07 release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7910",children:"(#7910)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Resolved an issue that caused agents joined with kubeadm-style bootstrap tokens to fail to rejoin the cluster when their node object is deleted."}),"\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"k3s certificate rotate-ca"})," command now supports the data-dir flag."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Adding cli to custom klipper helm image ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7916",children:"(#7916)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The default helm-controller job image can now be overridden with the --helm-job-image CLI flag"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Generation of certs and keys for etcd gated if etcd is disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7946",children:"(#7946)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Don't use zgrep in ",(0,r.jsx)(s.code,{children:"check-config"})," if apparmor profile is enforced ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7955",children:"(#7955)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix image_scan.sh script and download trivy version (#7950) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7970",children:"(#7970)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Adjust default kubeconfig file permissions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7985",children:"(#7985)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.16 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8023",children:"(#8023)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12415k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.15+k3s1",children:"v1.24.15+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.15, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v12414",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12414k3s1-1",children:"Changes since v1.24.14+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["E2E Backports - June ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7726",children:"(#7726)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Shortcircuit commands with version or help flags #7683"}),"\n",(0,r.jsx)(s.li,{children:"Add Rotation certification Check, remove func to restart agents #7097"}),"\n",(0,r.jsx)(s.li,{children:"E2E: Sudo for RunCmdOnNode #7686"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix spelling check ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7753",children:"(#7753)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backport version bumps and bugfixes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7719",children:"(#7719)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The bundled metrics-server has been bumped to v0.6.3, and now uses only secure TLS ciphers by default."}),"\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"coredns-custom"})," ConfigMap now allows for ",(0,r.jsx)(s.code,{children:"*.override"})," sections to be included in the ",(0,r.jsx)(s.code,{children:".:53"})," default server block."]}),"\n",(0,r.jsx)(s.li,{children:"The K3s core controllers (supervisor, deploy, and helm) no longer use the admin kubeconfig. This makes it easier to determine from access and audit logs which actions are performed by the system, and which are performed by an administrative user."}),"\n",(0,r.jsx)(s.li,{children:"Bumped klipper-lb image to v0.4.4 to resolve an issue that prevented access to ServiceLB ports from localhost when the Service ExternalTrafficPolicy was set to Local."}),"\n",(0,r.jsx)(s.li,{children:"Make LB image configurable when compiling k3s"}),"\n",(0,r.jsx)(s.li,{children:"K3s now allows nodes to join the cluster even if the node password secret cannot be created at the time the node joins. The secret create will be retried in the background. This resolves a potential deadlock created by fail-closed validating webhooks that block secret creation, where the webhook is unavailable until new nodes join the cluster to run the webhook pod."}),"\n",(0,r.jsx)(s.li,{children:"The bundled containerd's aufs/devmapper/zfs snapshotter plugins have been restored. These were unintentionally omitted when moving containerd back into the k3s multicall binary in the previous release."}),"\n",(0,r.jsx)(s.li,{children:"The embedded helm controller has been bumped to v0.15.0, and now supports creating the chart's target namespace if it does not exist."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Remove unused libvirt config ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7759",children:"(#7759)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add format command on Makefile ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7764",children:"(#7764)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.24.15 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7785",children:"(#7785)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12414k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.14+k3s1",children:"v1.24.14+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.14, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v12413",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12413k3s1",children:"Changes since v1.24.13+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add E2E testing in Drone ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7376",children:"(#7376)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add integration tests for etc-snapshot server flags ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7379",children:"(#7379)"})]}),"\n",(0,r.jsxs)(s.li,{children:["CLI + Config Enhancement ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7407",children:"(#7407)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--Tls-sans"})," now accepts multiple arguments: ",(0,r.jsx)(s.code,{children:'--tls-sans="foo,bar"'})]}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"Prefer-bundled-bin: true"})," now works properly when set in ",(0,r.jsx)(s.code,{children:"config.yaml.d"})," files"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Migrate netutil methods into /utils/net.go ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7435",children:"(#7435)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Runc + Containerd + Docker for CVE fixes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7453",children:"(#7453)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump kube-router version to fix a bug when a port name is used ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7462",children:"(#7462)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Kube flags and longhorn tests 1.24 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7467",children:"(#7467)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Local-storage: Fix permission ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7472",children:"(#7472)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backport version bumps and bugfixes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7516",children:"(#7516)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:'K3s now retries the cluster join operation when receiving a "too many learners" error from etcd. This most frequently occurred when attempting to add multiple servers at the same time.'}),"\n",(0,r.jsx)(s.li,{children:"K3s once again supports aarch64 nodes with page size > 4k"}),"\n",(0,r.jsx)(s.li,{children:"The packaged Traefik version has been bumped to v2.9.10 / chart 21.2.0"}),"\n",(0,r.jsxs)(s.li,{children:["K3s now prints a more meaningful error when attempting to run from a filesystem mounted ",(0,r.jsx)(s.code,{children:"noexec"}),"."]}),"\n",(0,r.jsxs)(s.li,{children:["K3s now exits with a proper error message when the server token uses a bootstrap token ",(0,r.jsx)(s.code,{children:"id.secret"})," format."]}),"\n",(0,r.jsx)(s.li,{children:"Fixed an issue where Addon, HelmChart, and HelmChartConfig CRDs were created without structural schema, allowing the creation of custom resources of these types with invalid content."}),"\n",(0,r.jsx)(s.li,{children:"Servers started with the (experimental) --disable-agent flag no longer attempt to run the tunnel authorizer agent component."}),"\n",(0,r.jsx)(s.li,{children:"Fixed an regression that prevented the pod and cluster egress-selector modes from working properly."}),"\n",(0,r.jsx)(s.li,{children:"K3s now correctly passes through etcd-args to the temporary etcd that is used to extract cluster bootstrap data when restarting managed etcd nodes."}),"\n",(0,r.jsx)(s.li,{children:"K3s now properly handles errors obtaining the current etcd cluster member list when a new server is joining the managed etcd cluster."}),"\n",(0,r.jsxs)(s.li,{children:["The embedded kine version has been bumped to v0.10.1. This replaces the legacy ",(0,r.jsx)(s.code,{children:"lib/pq"})," postgres driver with ",(0,r.jsx)(s.code,{children:"pgx"}),"."]}),"\n",(0,r.jsx)(s.li,{children:"The bundled CNI plugins have been upgraded to v1.2.0-k3s1. The bandwidth and firewall plugins are now included in the bundle."}),"\n",(0,r.jsx)(s.li,{children:"The embedded Helm controller now supports authenticating to chart repositories via credentials stored in a Secret, as well as passing repo CAs via ConfigMap."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd/runc to v1.7.1-k3s1/v1.1.7 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7536",children:"(#7536)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The bundled containerd and runc versions have been bumped to v1.7.1-k3s1/v1.1.7"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Wrap error stating that it is coming from netpol ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7549",children:"(#7549)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.14-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7577",children:"(#7577)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12413k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.13+k3s1",children:"v1.24.13+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.13, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v12412",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12412k3s1",children:"Changes since v1.24.12+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Enhance ",(0,r.jsx)(s.code,{children:"check-config"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7165",children:"(#7165)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove deprecated nodeSelector label beta.kubernetes.io/os (#6970) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7122",children:"(#7122)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backport version bumps and bugfixes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7229",children:"(#7229)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The bundled local-path-provisioner version has been bumped to v0.0.24"}),"\n",(0,r.jsx)(s.li,{children:"The bundled runc version has been bumped to v1.1.5"}),"\n",(0,r.jsx)(s.li,{children:"The bundled coredns version has been bumped to v1.10.1"}),"\n",(0,r.jsx)(s.li,{children:"When using an external datastore, K3s now locks the bootstrap key while creating initial cluster bootstrap data, preventing a race condition when multiple servers attempted to initialize the cluster simultaneously."}),"\n",(0,r.jsx)(s.li,{children:"The client load-balancer that maintains connections to active server nodes now closes connections to servers when they are removed from the cluster. This ensures that agent components immediately reconnect to a current cluster member."}),"\n",(0,r.jsx)(s.li,{children:"Fixed a race condition during cluster reset that could cause the operation to hang and time out."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Updated kube-router to move the default ACCEPT rule at the end of the chain ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7222",children:"(#7222)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded kube-router controller has been updated to fix a regression that caused traffic from pods to be blocked by any default drop/deny rules present on the host. Users should still confirm that any externally-managed firewall rules explicitly allow traffic to/from pod and service networks, but this returns the old behavior that was relied upon by some users."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update klipper lb and helm-controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7241",children:"(#7241)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kube-router ACCEPT rule insertion and install script to clean rules before start ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7277",children:"(#7277)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded kube-router controller has been updated to fix a regression that caused traffic from pods to be blocked by any default drop/deny rules present on the host. Users should still confirm that any externally-managed firewall rules explicitly allow traffic to/from pod and service networks, but this returns the old behavior that was relied upon by some users."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.13-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7284",children:"(#7284)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12412k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.12+k3s1",children:"v1.24.12+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.12, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v12411",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12411k3s1",children:"Changes since v1.24.11+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update flannel and kube-router ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7063",children:"(#7063)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump various dependencies for CVEs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7042",children:"(#7042)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Enable dependabot ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7046",children:"(#7046)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Wait for kubelet port to be ready before setting ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7065",children:"(#7065)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The agent tunnel authorizer now waits for the kubelet to be ready before reading the kubelet port from the node object."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Improve support for rotating the default self-signed certs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7080",children:"(#7080)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"k3s certificate rotate-ca"})," checks now support rotating self-signed certificates without the ",(0,r.jsx)(s.code,{children:"--force"})," option."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Adds a warning about editing to the containerd config.toml file ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7076",children:"(#7076)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.12-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7105",children:"(#7105)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12411k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.11+k3s1",children:"v1.24.11+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.11, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v12410",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12410k3s1",children:"Changes since v1.24.10+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add jitter to scheduled snapshots and retry harder on conflicts ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6783",children:"(#6783)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Scheduled etcd snapshots are now offset by a short random delay of up to several seconds. This should prevent multi-server clusters from executing pathological behavior when attempting to simultaneously update the snapshot list ConfigMap. The snapshot controller will also be more persistent in attempting to update the snapshot list."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump cri-dockerd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6799",children:"(#6799)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded cri-dockerd has been updated to v0.3.1"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bugfix: do not break cert-manager when pprof is enabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6838",children:"(#6838)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump vagrant boxes to fedora37 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6859",children:"(#6859)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix cronjob example ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6865",children:"(#6865)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Ensure flag type consistency ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6868",children:"(#6868)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Wait for cri-dockerd socket ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6854",children:"(#6854)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Consolidate E2E tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6888",children:"(#6888)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Ignore value conflicts when reencrypting secrets ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6918",children:"(#6918)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow ServiceLB to honor ",(0,r.jsx)(s.code,{children:"ExternalTrafficPolicy=Local"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6908",children:"(#6908)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"ServiceLB now honors the Service's ExternalTrafficPolicy. When set to Local, the LoadBalancer will only advertise addresses of Nodes with a Pod for the Service, and will not forward traffic to other cluster members."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Use default address family when adding kubernetes service address to SAN list ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6905",children:"(#6905)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The apiserver advertised address and IP SAN entry are now set correctly on clusters that use IPv6 as the default IP family."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue with servicelb startup failure when validating webhooks block creation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6920",children:"(#6920)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded cloud controller manager will no longer attempt to unconditionally re-create its namespace and serviceaccount on startup. This resolves an issue that could cause a deadlocked cluster when fail-closed webhooks are in use."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Backport user-provided CA cert and ",(0,r.jsx)(s.code,{children:"kubeadm"})," bootstrap token support ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6930",children:"(#6930)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["K3s now functions properly when the cluster CA certificates are signed by an existing root or intermediate CA. You can find a sample script for generating such certificates before K3s starts in the github repo at ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/blob/master/contrib/util/certs.sh",children:"contrib/util/certs.sh"}),"."]}),"\n",(0,r.jsxs)(s.li,{children:["K3s now supports ",(0,r.jsx)(s.code,{children:"kubeadm"})," style join tokens. ",(0,r.jsx)(s.code,{children:"k3s token create"})," now creates join token secrets, optionally with a limited TTL."]}),"\n",(0,r.jsx)(s.li,{children:"K3s agents joined with an expired or deleted token stay in the cluster using existing client certificates via the NodeAuthorization admission plugin, unless their Node object is deleted from the cluster."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix access to hostNetwork port on NodeIP when egress-selector-mode=agent ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6937",children:"(#6937)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed an issue that would cause the apiserver egress proxy to attempt to use the agent tunnel to connect to service endpoints even in agent or disabled mode."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update flannel to v0.21.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6925",children:"(#6925)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow for multiple sets of leader-elected controllers ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6942",children:"(#6942)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed an issue where leader-elected controllers for managed etcd did not run on etcd-only nodes"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix etcd and ca-cert rotate issues ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6955",children:"(#6955)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix ServiceLB dual-stack ingress IP listing ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6988",children:"(#6988)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Resolved an issue with ServiceLB that would cause it to advertise node IPv6 addresses, even if the cluster or service was not enabled for dual-stack operation."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump kine to v0.9.9 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6976",children:"(#6976)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The embedded kine version has been bumped to v0.9.9. Compaction log messages are now omitted at ",(0,r.jsx)(s.code,{children:"info"})," level for increased visibility."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.11-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7009",children:"(#7009)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12410k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.10+k3s1",children:"v1.24.10+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.10+k3s1, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v1249",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1249k3s2",children:"Changes since v1.24.9+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Pass through default tls-cipher-suites ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6731",children:"(#6731)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The K3s default cipher suites are now explicitly passed in to kube-apiserver, ensuring that all listeners use these values."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd to v1.6.15-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6736",children:"(#6736)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded containerd version has been bumped to v1.6.15-k3s1"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump action/download-artifact to v3 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6748",children:"(#6748)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1249k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.9+k3s2",children:"v1.24.9+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates containerd to v1.6.14 to resolve an issue where pods would lose their CNI information when containerd was restarted."}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1249k3s1",children:"Changes since v1.24.9+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Backport missing E2E test commits ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6616",children:"(#6616)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd to v1.6.14-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6695",children:"(#6695)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The embedded containerd version has been bumped to v1.6.14-k3s1. This includes a backported fix for ",(0,r.jsx)(s.a,{href:"https://github.com/containerd/containerd/issues/7843",children:"containerd/7843"})," which caused pods to lose their CNI info when containerd was restarted, which in turn caused the kubelet to recreate the pod."]}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1249k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.9+k3s1",children:"v1.24.9+k3s1"})]}),"\n",(0,r.jsxs)(s.blockquote,{children:["\n",(0,r.jsx)(s.h2,{id:"\ufe0f-warning",children:"\u26a0\ufe0f WARNING"}),"\n",(0,r.jsxs)(s.p,{children:["This release is affected by ",(0,r.jsx)(s.a,{href:"https://github.com/containerd/containerd/issues/7843",children:"https://github.com/containerd/containerd/issues/7843"}),", which causes the kubelet to restart all pods whenever K3s is restarted. For this reason, we have removed this K3s release from the channel server. Please use ",(0,r.jsx)(s.code,{children:"v1.24.9+k3s2"})," instead."]}),"\n"]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.9, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:[(0,r.jsx)(s.strong,{children:"Breaking Change:"})," K3s no longer includes ",(0,r.jsx)(s.code,{children:"swanctl"})," and ",(0,r.jsx)(s.code,{children:"charon"})," binaries. If you are using the ipsec flannel backend, please ensure that the strongswan ",(0,r.jsx)(s.code,{children:"swanctl"})," and ",(0,r.jsx)(s.code,{children:"charon"})," packages are installed on your node before upgrading K3s to this release."]}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v1248",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1248k3s1",children:"Changes since v1.24.8+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Remove stuff which belongs in the windows executor implementation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6502",children:"(#6502)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Github CI Updates ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6535",children:"(#6535)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix log for flannelExternalIP use case ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6540",children:"(#6540)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Switch from Google Buckets to AWS S3 Buckets ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6570",children:"(#6570)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Change secrets-encryption flag to GA ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6591",children:"(#6591)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update flannel to v0.20.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6589",children:"(#6589)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2022-12 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6599",children:"(#6599)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Added new prefer-bundled-bin flag which force K3s to use its bundle binaries over that of the host tools"}),"\n",(0,r.jsx)(s.li,{children:"The embedded containerd version has been updated to v1.6.10-k3s1"}),"\n",(0,r.jsxs)(s.li,{children:["The rootless ",(0,r.jsx)(s.code,{children:"port-driver"}),", ",(0,r.jsx)(s.code,{children:"cidr"}),", ",(0,r.jsx)(s.code,{children:"mtu"}),", ",(0,r.jsx)(s.code,{children:"enable-ipv6"}),", and ",(0,r.jsx)(s.code,{children:"disable-host-loopback"})," settings can now be configured via environment variables."]}),"\n",(0,r.jsxs)(s.li,{children:["The embedded Load-Balancer controller image has been bumped to klipper-lb",":v0",".4.0, which includes support for the ",(0,r.jsx)(s.a,{href:"https://kubernetes.io/docs/reference/kubernetes-api/service-resources/service-v1/#:~:text=loadBalancerSourceRanges",children:"LoadBalancerSourceRanges"})," field."]}),"\n",(0,r.jsxs)(s.li,{children:["The embedded Helm controller image has been bumped to klipper-helm",":v0",".7.4-build20221121"]}),"\n",(0,r.jsxs)(s.li,{children:["The embedded cloud-controller-manager's metrics listener on port 10258 is now disabled when the ",(0,r.jsx)(s.code,{children:"--disable-cloud-controller"})," flag is set."]}),"\n",(0,r.jsx)(s.li,{children:"Deployments for K3s packaged components now have consistent upgrade strategy and revisionHistoryLimit settings, and will not override scaling decisions by hardcoding the replica count."}),"\n",(0,r.jsx)(s.li,{children:"The packaged metrics-server has been bumped to v0.6.2"}),"\n",(0,r.jsx)(s.li,{children:"The embedded k3s-root version has been bumped to v0.12.0, based on buildroot 2022.08.1."}),"\n",(0,r.jsxs)(s.li,{children:["The embedded swanctl and charon binaries have been removed. If you are using the ipsec flannel backend, please ensure that the strongswan ",(0,r.jsx)(s.code,{children:"swanctl"})," and ",(0,r.jsx)(s.code,{children:"charon"})," packages are installed on your node before upgrading k3s."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update node12->node16 based GH actions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6595",children:"(#6595)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.9-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6623",children:"(#6623)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd to v1.6.12-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6630",children:"(#6630)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded containerd version has been bumped to v1.6.12"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Preload iptable_filter/ip6table_filter ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6647",children:"(#6647)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1248k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.8+k3s1",children:"v1.24.8+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.8, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v1247",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1247k3s1",children:"Changes since v1.24.7+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add the gateway parameter in netplan ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6341",children:"(#6341)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add a netpol test for podSelector & ingress type ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6348",children:"(#6348)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Upgrade kube-router to v1.5.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6356",children:"(#6356)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump install tests OS images ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6379",children:"(#6379)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add test for node-external-ip config parameter ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6363",children:"(#6363)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Flannel to v0.20.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6418",children:"(#6418)"})]}),"\n",(0,r.jsx)(s.li,{children:"Backports for 2022-11"}),"\n",(0,r.jsx)(s.li,{children:"The packaged traefik helm chart has been bumped to v19.0.0, enabling ingressclass support by default."}),"\n",(0,r.jsx)(s.li,{children:"The packaged local-path-provisioner has been bumped to v0.0.23"}),"\n",(0,r.jsx)(s.li,{children:"The packaged coredns has been bumped to v1.9.4"}),"\n",(0,r.jsx)(s.li,{children:"Fix incorrect defer usage"}),"\n",(0,r.jsx)(s.li,{children:"The bundled traefik has been updated to v2.9.4 / helm chart v18.3.0"}),"\n",(0,r.jsx)(s.li,{children:"Use debugger-friendly compile settings if debug is set"}),"\n",(0,r.jsx)(s.li,{children:"Add test for node-external-ip config parameter"}),"\n",(0,r.jsx)(s.li,{children:"Convert containerd config.toml.tmpl linux template to v2 syntax"}),"\n",(0,r.jsx)(s.li,{children:"Replace fedora-coreos with fedora 36 for install tests"}),"\n",(0,r.jsx)(s.li,{children:"Fixed an issue that would prevent the deploy controller from handling manifests that include resource types that are no longer supported by the apiserver."}),"\n",(0,r.jsx)(s.li,{children:"The embedded helm controller has been bumped to v0.13.0"}),"\n",(0,r.jsx)(s.li,{children:"The bundled traefik helm chart has been updated to v18.0.0"}),"\n",(0,r.jsx)(s.li,{children:"Add hardened cluster and upgrade tests"}),"\n",(0,r.jsxs)(s.li,{children:["Bump kine to v0.9.6 / sqlite3 v3.39.2 (",(0,r.jsx)(s.a,{href:"https://nvd.nist.gov/vuln/detail/cve-2022-35737",children:"cve-2022-35737"}),")"]}),"\n",(0,r.jsxs)(s.li,{children:["Bumped dynamiclistener library to v0.3.5 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6411",children:"(#6411)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add some helping logs to avoid wrong configs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6432",children:"(#6432)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Change the priority of address types depending on flannel-external-ip ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6434",children:"(#6434)"})]}),"\n",(0,r.jsxs)(s.li,{children:["log kube-router version when starting netpol controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6439",children:"(#6439)"})]}),"\n",(0,r.jsxs)(s.li,{children:["K3s now indicates specifically which cluster-level configuration flags are out of sync when critical configuration differs between server nodes. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6446",children:"(#6446)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Pull traefik helm chart directly from GH ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6469",children:"(#6469)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.8 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6479",children:"(#6479)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The packaged traefik helm chart has been bumped to 19.0.4 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6495",children:"(#6495)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Move traefik chart repo again ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6509",children:"(#6509)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1247k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.7+k3s1",children:"v1.24.7+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.7, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["The K3s ",(0,r.jsx)(s.a,{href:"https://docs.k3s.io/security/hardening-guide",children:"CIS Hardening Guide"})," has been updated to include configuration changes required to support embedding ServiceLB in the cloud controller manager. If you have followed the hardening guide, please update your policies and RBAC in accordingly."]}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v1246",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1246k3s1",children:"Changes since v1.24.6+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add flannel-external-ip when there is a k3s node-external-ip ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6189",children:"(#6189)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2022-10 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6227",children:"(#6227)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded metrics-server version has been bumped to v0.6.1"}),"\n",(0,r.jsx)(s.li,{children:"The ServiceLB (klipper-lb) service controller is now integrated into the K3s stub cloud controller manager."}),"\n",(0,r.jsx)(s.li,{children:"Events recorded to the cluster by embedded controllers are now properly formatted in the service logs."}),"\n",(0,r.jsxs)(s.li,{children:["Fixed an issue with the apiserver network proxy that caused ",(0,r.jsx)(s.code,{children:"kubectl exec"})," to occasionally fail with ",(0,r.jsx)(s.code,{children:"error dialing backend: EOF"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fixed an issue with the apiserver network proxy that caused ",(0,r.jsx)(s.code,{children:"kubectl exec"})," and ",(0,r.jsx)(s.code,{children:"kubectl logs"})," to fail when a custom kubelet port was used, and the custom port was blocked by firewall or security group rules."]}),"\n",(0,r.jsx)(s.li,{children:"The embedded Traefik version has been bumped to v2.9.1 / chart 12.0.0"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Replace deprecated ioutil package ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6235",children:"(#6235)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix dualStack test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6250",children:"(#6250)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.7-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6270",children:"(#6270)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add ServiceAccount for svclb pods ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6276",children:"(#6276)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Return ProviderID in URI format ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6287",children:"(#6287)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Corrected CCM RBAC to allow for removal of legacy service finalizer during upgrades. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6307",children:"(#6307)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added a new --flannel-external-ip flag. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6322",children:"(#6322)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"When enabled, Flannel traffic will now use the nodes external IPs, instead of internal."}),"\n",(0,r.jsx)(s.li,{children:"This is meant for use with distributed clusters that are not all on the same local network."}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1246k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.6+k3s1",children:"v1.24.6+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.6, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v1244",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1244k3s1",children:"Changes since v1.24.4+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Remove ",(0,r.jsx)(s.code,{children:"--containerd"})," flag from windows kubelet args ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6028",children:"(#6028)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Mark v1.24.4+k3s1 as stable ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6036",children:"(#6036)"})]}),"\n",(0,r.jsxs)(s.li,{children:["E2E: Add support for CentOS 7 and Rocky 8 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6015",children:"(#6015)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Convert install tests to run PR build of k3s ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6003",children:"(#6003)"})]}),"\n",(0,r.jsxs)(s.li,{children:["CI: update Fedora 34 -> 35 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5996",children:"(#5996)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix dualStack test and change ipv6 network prefix ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6023",children:"(#6023)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix e2e tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6018",children:"(#6018)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Flannel version to fix older iptables version issue. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6088",children:"(#6088)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The bundled version of runc has been bumped to v1.1.4 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6072",children:"(#6072)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The embedded containerd version has been bumped to v1.6.8-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6079",children:"(#6079)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bulk Backport of Testing Changes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6085",children:"(#6085)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add validation check to confirm correct golang version for Kubernetes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6113",children:"(#6113)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.5 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6143",children:"(#6143)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.6-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6164",children:"(#6164)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1244k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.4+k3s1",children:"v1.24.4+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.4, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["This release restores use of the ",(0,r.jsx)(s.code,{children:"--docker"})," flag to the v1.24 branch. See ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/blob/master/docs/adrs/cri-dockerd.md",children:"docs/adrs/cri-dockerd.md"})," for more information."]}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v1243",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1243k3s1",children:"Changes since v1.24.3+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Put the terraform tests into their own packages and cleanup the test runs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5861",children:"(#5861)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bumped rootlesskit to v1.0.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5773",children:"(#5773)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The initial health-check time for the etcd datastore has been raised from 10 to 30 seconds. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5882",children:"(#5882)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fixed a regression that caused systemd cgroup driver autoconfiguration to fail on server nodes. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5851",children:"(#5851)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The embedded network policy controller has been updated to kube-router v1.5.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5789",children:"(#5789)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The configured service CIDR is now passed to the Kubernetes controller-manager via the ",(0,r.jsx)(s.code,{children:"--service-cluster-ip-range"})," flag. Previously this value was only passed to the apiserver. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5894",children:"(#5894)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Updated dynamiclistener to fix a regression that prevented certificate renewal from working properly. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5896",children:"(#5896)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Promote v1.24.3+k3s1 to stable ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5889",children:"(#5889)"})]}),"\n",(0,r.jsxs)(s.li,{children:["ADR: Depreciating and Removing Old Flags ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5890",children:"(#5890)"})]}),"\n",(0,r.jsxs)(s.li,{children:["K3s no longer sets containerd's ",(0,r.jsx)(s.code,{children:"enable_unprivileged_icmp"})," and ",(0,r.jsx)(s.code,{children:"enable_unprivileged_ports"})," options on kernels that do not support them. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5913",children:"(#5913)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The etcd error on incorrect peer urls now correctly includes the expected https and 2380 port. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5909",children:"(#5909)"})]}),"\n",(0,r.jsxs)(s.li,{children:["When set, the agent-token value is now written to ",(0,r.jsx)(s.code,{children:"$datadir/server/agent-token"}),", in the same manner as the default (server) token is written to ",(0,r.jsx)(s.code,{children:"$datadir/server/token"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5906",children:"(#5906)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Deprecated flags now warn of their v1.25 removal ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5937",children:"(#5937)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix secrets reencryption for clusters with 8K+ secrets ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5936",children:"(#5936)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bumped minio-go to v7.0.33. This adds support for IMDSv2 credentials. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5928",children:"(#5928)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Upgrade GH Actions macos-10.15 to macos-12 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5953",children:"(#5953)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added dualstack IP auto detection ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5920",children:"(#5920)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"--docker"})," flag has been restored to k3s, as a shortcut to enabling embedded cri-dockerd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5916",children:"(#5916)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update MAINTAINERS with new folks and departures ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5948",children:"(#5948)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Removing checkbox indicating backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5947",children:"(#5947)"})]}),"\n",(0,r.jsxs)(s.li,{children:["fix checkError in terraform/testutils ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5893",children:"(#5893)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add scripts to run e2e test using ansible ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5134",children:"(#5134)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Updated flannel to v0.19.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5962",children:"(#5962)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update run scripts ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5979",children:"(#5979)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Convert install/cgroup tests to yaml based config ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5992",children:"(#5992)"})]}),"\n",(0,r.jsxs)(s.li,{children:["E2E: Local cluster testing ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5977",children:"(#5977)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add nightly install github action ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5998",children:"(#5998)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Convert codespell from Drone to GH actions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6004",children:"(#6004)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.4 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6014",children:"(#6014)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1243k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.3+k3s1",children:"v1.24.3+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.3, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v1242",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1242k3s2",children:"Changes since v1.24.2+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Updated rancher/remotedialer to address a potential memory leak. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5784",children:"(#5784)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The embedded runc binary has been bumped to v1.1.3 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5783",children:"(#5783)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fixed a regression that caused some containerd labels to be empty in cadvisor pod metrics ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5812",children:"(#5812)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Replace dapper testing with regular docker ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5805",children:"(#5805)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Promote v1.23.8+k3s2 to stable ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5814",children:"(#5814)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fixed an issue that would cause etcd restore to fail when restoring a snapshot made with secrets encryption enabled if the --secrets-encryption command was not included in the config file or restore command. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5817",children:"(#5817)"})]}),"\n",(0,r.jsx)(s.li,{children:"Fix deletion of svclb DaemonSet when Service is deleted"}),"\n",(0,r.jsxs)(s.li,{children:["Fixed a regression that caused ServiceLB DaemonSets to remain present after their corresponding Services were deleted.\r\nManual cleanup of orphaned ",(0,r.jsx)(s.code,{children:"svclb-*"})," DaemonSets from the ",(0,r.jsx)(s.code,{children:"kube-system"})," namespace may be necessary if any LoadBalancer Services were deleted while running an affected release. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5824",children:"(#5824)"})]}),"\n",(0,r.jsx)(s.li,{children:"Address issues with etcd snapshots"}),"\n",(0,r.jsx)(s.li,{children:"Scheduled etcd snapshots are now compressed when snapshot compression is enabled."}),"\n",(0,r.jsx)(s.li,{children:"The default etcd snapshot timeout has been raised to 5 minutes.\r\nOnly one scheduled etcd snapshot will run at a time. If another snapshot would occur while the previous snapshot is still in progress, an error will be logged and the second scheduled snapshot will be skipped."}),"\n",(0,r.jsxs)(s.li,{children:["S3 objects for etcd snapshots are now labeled with the correct content-type when compression is not enabled. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5833",children:"(#5833)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.3 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5870",children:"(#5870)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1242k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.2+k3s2",children:"v1.24.2+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This fixes several issues in the v1.24.2+k3s1 and prior releases."}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1242k3s1",children:"Changes since v1.24.2+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Bumped kine to fix an issue where namespaced lists that included a field-selector on metadata.name would fail to return results when using a sql storage backend. (",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5795",children:"#5795"}),")"]}),"\n",(0,r.jsxs)(s.li,{children:["K3s will no longer log panics after upgrading directly from much older kubernetes releases, or when deploying services with ",(0,r.jsx)(s.code,{children:"type: externalname"}),". (",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5771",children:"#5771"}),")"]}),"\n",(0,r.jsxs)(s.li,{children:["Fixed an issue that prevented ",(0,r.jsx)(s.code,{children:"kubectl logs"})," and other functionality that requires a connection to the agent from working correctly when the server's ",(0,r.jsx)(s.code,{children:"--bind-address"})," flag was used, or when k3s is used behind a http proxy. (",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5780",children:"#5780"}),")"]}),"\n",(0,r.jsxs)(s.li,{children:["Fixed an issue that prevented newer versions of k3s from joining clusters that do not have egress-selector-mode support. (",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5785",children:"#5785"}),")"]}),"\n",(0,r.jsxs)(s.li,{children:["Remove go-powershell dead dependency (",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5777",children:"#5777"}),")"]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1242k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.2+k3s1",children:"v1.24.2+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.2, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v1241",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1241k3s1",children:"Changes since v1.24.1+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Remove kube-ipvs0 interface when cleaning up ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5644",children:"(#5644)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"--flannel-wireguard-mode"})," switch was added to the k3s cli to configure the wireguard tunnel mode with the wireguard native backend ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5552",children:"(#5552)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Introduce the flannelcniconf flag to set the desired flannel cni configuration ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5656",children:"(#5656)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Integration Test: Startup ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5630",children:"(#5630)"})]}),"\n",(0,r.jsxs)(s.li,{children:["E2E Improvements and groundwork for test-pad tool ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5593",children:"(#5593)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update SECURITY.md ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5607",children:"(#5607)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Introduce --enable-pprof flag to optionally run pprof server ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5527",children:"(#5527)"})]}),"\n",(0,r.jsxs)(s.li,{children:["E2E: Dualstack test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5617",children:"(#5617)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Pods created by ServiceLB are now all placed in the ",(0,r.jsx)(s.code,{children:"kube-system"})," namespace, instead of in the same namespace as the Service. This allows for ",(0,r.jsx)(s.a,{href:"https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-namespace-labels/",children:"enforcing Pod Security Standards"})," in user namespaces without breaking ServiceLB. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5657",children:"(#5657)"})]}),"\n",(0,r.jsxs)(s.li,{children:["E2E: testpad prep, add alternate scripts location ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5692",children:"(#5692)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add arm tests and upgrade tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5526",children:"(#5526)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Delay service readiness until after startuphooks have finished ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5649",children:"(#5649)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Disable urfave markdown/man docs generation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5566",children:"(#5566)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The embedded etcd snapshot controller will no longer fail to process snapshot files containing characters that are invalid for use in ConfigMap keys. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5702",children:"(#5702)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Environment variables prefixed with ",(0,r.jsx)(s.code,{children:"CONTAINERD_"})," now take priority over other existing variables, when passed through to containerd. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5706",children:"(#5706)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The embedded etcd instance no longer accepts connections from other nodes while resetting or restoring. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5542",children:"(#5542)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Enable compatibility tests for k3s s390x ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5658",children:"(#5658)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Containerd: Enable enable_unprivileged_ports and enable_unprivileged_\u2026 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5538",children:"(#5538)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The embedded Helm controller now properly updates Chart deployments when HelmChartConfig resources are updated or deleted. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5731",children:"(#5731)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5749",children:"(#5749)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1241k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.24.1+k3s1",children:"v1.24.1+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.24.1, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v1240",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1240k3s1",children:"Changes since v1.24.0+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Objects will be removed from Kubernetes when they are removed from manifest files. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5560",children:"(#5560)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove errant unversioned etcd go.mod entry ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5548",children:"(#5548)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Pass the node-ip values to kubelet ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5579",children:"(#5579)"})]}),"\n",(0,r.jsxs)(s.li,{children:["The integrated apiserver network proxy's operational mode can now be set with ",(0,r.jsx)(s.code,{children:"--egress-selector-mode"}),". ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5577",children:"(#5577)"})]}),"\n",(0,r.jsxs)(s.li,{children:["remove dweomer from maintainers ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5582",children:"(#5582)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump dynamiclistener to v0.3.3 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5554",children:"(#5554)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.24.1-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5616",children:"(#5616)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Re-add ",(0,r.jsx)(s.code,{children:"--cloud-provider=external"})," kubelet arg ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5628",children:"(#5628)"})]}),"\n",(0,r.jsxs)(s.li,{children:['Revert "Give kubelet the node-ip value (#5579)" ',(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5636",children:"(#5636)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{})]})}function o(e={}){const{wrapper:s}={...(0,n.a)(),...e.components};return s?(0,r.jsx)(s,{...e,children:(0,r.jsx)(a,{...e})}):a(e)}},1151:(e,s,t)=>{t.d(s,{Z:()=>h,a:()=>l});var r=t(7294);const n={},i=r.createContext(n);function l(e){const s=r.useContext(i);return r.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function h(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:l(e.components),r.createElement(i.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/d1c3e381.dff08217.js b/kr/assets/js/d1c3e381.dff08217.js new file mode 100644 index 000000000..a23492219 --- /dev/null +++ b/kr/assets/js/d1c3e381.dff08217.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7213],{676:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>a,contentTitle:()=>o,default:()=>h,frontMatter:()=>r,metadata:()=>l,toc:()=>c});var i=t(5893),s=t(1151);const r={title:"Distributed hybrid or multicloud cluster"},o=void 0,l={id:"networking/distributed-multicloud",title:"Distributed hybrid or multicloud cluster",description:"A K3s cluster can still be deployed on nodes which do not share a common private network and are not directly connected (e.g. nodes in different public clouds). There are two options to achieve this: the embedded k3s multicloud solution and the integration with the tailscale VPN provider.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/networking/distributed-multicloud.md",sourceDirName:"networking",slug:"/networking/distributed-multicloud",permalink:"/kr/networking/distributed-multicloud",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/networking/distributed-multicloud.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Distributed hybrid or multicloud cluster"},sidebar:"mySidebar",previous:{title:"Basic Network Options",permalink:"/kr/networking/basic-network-options"},next:{title:"Multus and IPAM plugins",permalink:"/kr/networking/multus-ipams"}},a={},c=[{value:"Embedded k3s multicloud solution",id:"embedded-k3s-multicloud-solution",level:3},{value:"Integration with the Tailscale VPN provider (experimental)",id:"integration-with-the-tailscale-vpn-provider-experimental",level:3}];function d(e){const n={a:"a",admonition:"admonition",code:"code",h3:"h3",li:"li",ol:"ol",p:"p",pre:"pre",...(0,s.a)(),...e.components};return(0,i.jsxs)(i.Fragment,{children:[(0,i.jsxs)(n.p,{children:["A K3s cluster can still be deployed on nodes which do not share a common private network and are not directly connected (e.g. nodes in different public clouds). There are two options to achieve this: the embedded k3s multicloud solution and the integration with the ",(0,i.jsx)(n.code,{children:"tailscale"})," VPN provider."]}),"\n",(0,i.jsx)(n.admonition,{type:"warning",children:(0,i.jsx)(n.p,{children:"The latency between nodes will increase as external connectivity requires more hops. This will reduce the network performance and could also impact the health of the cluster if latency is too high."})}),"\n",(0,i.jsx)(n.admonition,{type:"warning",children:(0,i.jsx)(n.p,{children:"Embedded etcd is not supported in this type of deployment. If using embedded etcd, all server nodes must be reachable to each other via their private IPs. Agents may be distributed over multiple networks, but all servers should be in the same location."})}),"\n",(0,i.jsx)(n.h3,{id:"embedded-k3s-multicloud-solution",children:"Embedded k3s multicloud solution"}),"\n",(0,i.jsx)(n.p,{children:"K3s uses wireguard to establish a VPN mesh for cluster traffic. Nodes must each have a unique IP through which they can be reached (usually a public IP). K3s supervisor traffic will use a websocket tunnel, and cluster (CNI) traffic will use a wireguard tunnel."}),"\n",(0,i.jsx)(n.p,{children:"To enable this type of deployment, you must add the following parameters on servers:"}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-bash",children:"--node-external-ip=<SERVER_EXTERNAL_IP> --flannel-backend=wireguard-native --flannel-external-ip\n"})}),"\n",(0,i.jsx)(n.p,{children:"and on agents:"}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-bash",children:"--node-external-ip=<AGENT_EXTERNAL_IP>\n"})}),"\n",(0,i.jsxs)(n.p,{children:["where ",(0,i.jsx)(n.code,{children:"SERVER_EXTERNAL_IP"})," is the IP through which we can reach the server node and ",(0,i.jsx)(n.code,{children:"AGENT_EXTERNAL_IP"})," is the IP through which we can reach the agent node. Note that the ",(0,i.jsx)(n.code,{children:"K3S_URL"})," config parameter in the agent should use the ",(0,i.jsx)(n.code,{children:"SERVER_EXTERNAL_IP"})," to be able to connect to it. Remember to check the ",(0,i.jsx)(n.a,{href:"/kr/installation/requirements#networking",children:"Networking Requirements"})," and allow access to the listed ports on both internal and external addresses."]}),"\n",(0,i.jsxs)(n.p,{children:["Both ",(0,i.jsx)(n.code,{children:"SERVER_EXTERNAL_IP"})," and ",(0,i.jsx)(n.code,{children:"AGENT_EXTERNAL_IP"})," must have connectivity between them and are normally public IPs."]}),"\n",(0,i.jsxs)(n.admonition,{title:"Dynamic IPs",type:"info",children:[(0,i.jsxs)(n.p,{children:["If nodes are assigned dynamic IPs and the IP changes (e.g. in AWS), you must modify the ",(0,i.jsx)(n.code,{children:"--node-external-ip"})," parameter to reflect the new IP. If running K3s as a service, you must modify ",(0,i.jsx)(n.code,{children:"/etc/systemd/system/k3s.service"})," then run:"]}),(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-bash",children:"systemctl daemon-reload\nsystemctl restart k3s\n"})})]}),"\n",(0,i.jsx)(n.h3,{id:"integration-with-the-tailscale-vpn-provider-experimental",children:"Integration with the Tailscale VPN provider (experimental)"}),"\n",(0,i.jsx)(n.p,{children:"Available in v1.27.3, v1.26.6, v1.25.11 and newer."}),"\n",(0,i.jsxs)(n.p,{children:["K3s can integrate with ",(0,i.jsx)(n.a,{href:"https://tailscale.com/",children:"Tailscale"})," so that nodes use the Tailscale VPN service to build a mesh between nodes."]}),"\n",(0,i.jsx)(n.p,{children:"There are four steps to be done with Tailscale before deploying K3s:"}),"\n",(0,i.jsxs)(n.ol,{children:["\n",(0,i.jsxs)(n.li,{children:["\n",(0,i.jsx)(n.p,{children:"Log in to your Tailscale account"}),"\n"]}),"\n",(0,i.jsxs)(n.li,{children:["\n",(0,i.jsxs)(n.p,{children:["In ",(0,i.jsx)(n.code,{children:"Settings > Keys"}),", generate an auth key ($AUTH-KEY), which may be reusable for all nodes in your cluster"]}),"\n"]}),"\n",(0,i.jsxs)(n.li,{children:["\n",(0,i.jsxs)(n.p,{children:["Decide on the podCIDR the cluster will use (by default ",(0,i.jsx)(n.code,{children:"10.42.0.0/16"}),"). Append the CIDR (or CIDRs for dual-stack) in Access controls with the stanza:"]}),"\n"]}),"\n"]}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:'"autoApprovers": {\n "routes": {\n "10.42.0.0/16": ["your_account@xyz.com"],\n "2001:cafe:42::/56": ["your_account@xyz.com"],\n },\n },\n'})}),"\n",(0,i.jsxs)(n.ol,{start:"4",children:["\n",(0,i.jsx)(n.li,{children:"Install Tailscale in your nodes:"}),"\n"]}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-bash",children:"curl -fsSL https://tailscale.com/install.sh | sh\n"})}),"\n",(0,i.jsx)(n.p,{children:"To deploy K3s with Tailscale integration enabled, you must add the following parameter on each of your nodes:"}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-bash",children:'--vpn-auth="name=tailscale,joinKey=$AUTH-KEY\n'})}),"\n",(0,i.jsx)(n.p,{children:"or provide that information in a file and use the parameter:"}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-bash",children:"--vpn-auth-file=$PATH_TO_FILE\n"})}),"\n",(0,i.jsxs)(n.p,{children:["Optionally, if you have your own Tailscale server (e.g. headscale), you can connect to it by appending ",(0,i.jsx)(n.code,{children:",controlServerURL=$URL"})," to the vpn-auth parameters"]}),"\n",(0,i.jsx)(n.admonition,{type:"warning",children:(0,i.jsxs)(n.p,{children:["If you plan on running several K3s clusters using the same tailscale network, please create appropriate ",(0,i.jsx)(n.a,{href:"https://tailscale.com/kb/1018/acls/",children:"ACLs"})," to avoid IP conflicts or use different podCIDR subnets for each cluster."]})})]})}function h(e={}){const{wrapper:n}={...(0,s.a)(),...e.components};return n?(0,i.jsx)(n,{...e,children:(0,i.jsx)(d,{...e})}):d(e)}},1151:(e,n,t)=>{t.d(n,{Z:()=>l,a:()=>o});var i=t(7294);const s={},r=i.createContext(s);function o(e){const n=i.useContext(r);return i.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function l(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(s):e.components||s:o(e.components),i.createElement(r.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/d428bf88.52d60868.js b/kr/assets/js/d428bf88.52d60868.js deleted file mode 100644 index f3d3e359c..000000000 --- a/kr/assets/js/d428bf88.52d60868.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[3083],{5538:(e,n,r)=>{r.r(n),r.d(n,{assets:()=>i,contentTitle:()=>t,default:()=>h,frontMatter:()=>l,metadata:()=>o,toc:()=>d});var s=r(5893),a=r(1151);const l={title:"Cluster Load Balancer"},t=void 0,o={id:"datastore/cluster-loadbalancer",title:"Cluster Load Balancer",description:"This section describes how to install an external load balancer in front of a High Availability (HA) K3s cluster's server nodes. Two examples are provided: Nginx and HAProxy.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/datastore/cluster-loadbalancer.md",sourceDirName:"datastore",slug:"/datastore/cluster-loadbalancer",permalink:"/kr/datastore/cluster-loadbalancer",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/datastore/cluster-loadbalancer.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Cluster Load Balancer"},sidebar:"mySidebar",previous:{title:"High Availability External DB",permalink:"/kr/datastore/ha"},next:{title:"\uc5c5\uadf8\ub808\uc774\ub4dc",permalink:"/kr/upgrades/"}},i={},d=[{value:"Prerequisites",id:"prerequisites",level:2},{value:"Setup Load Balancer",id:"setup-load-balancer",level:2},{value:"Nginx Load Balancer",id:"nginx-load-balancer",level:2}];function c(e){const n={a:"a",admonition:"admonition",code:"code",h2:"h2",li:"li",ol:"ol",p:"p",pre:"pre",ul:"ul",...(0,a.a)(),...e.components},{TabItem:r,Tabs:l}=n;return r||x("TabItem",!0),l||x("Tabs",!0),(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(n.p,{children:"This section describes how to install an external load balancer in front of a High Availability (HA) K3s cluster's server nodes. Two examples are provided: Nginx and HAProxy."}),"\n",(0,s.jsxs)(n.admonition,{type:"tip",children:[(0,s.jsxs)(n.p,{children:["External load-balancers should not be confused with the embedded ServiceLB, which is an embedded controller that allows for use of Kubernetes LoadBalancer Services without deploying a third-party load-balancer controller. For more details, see ",(0,s.jsx)(n.a,{href:"/kr/networking/networking-services#service-load-balancer",children:"Service Load Balancer"}),"."]}),(0,s.jsx)(n.p,{children:"External load-balancers can be used to provide a fixed registration address for registering nodes, or for external access to the Kubernetes API Server. For exposing LoadBalancer Services, external load-balancers can be used alongside or instead of ServiceLB, but in most cases, replacement load-balancer controllers such as MetalLB or Kube-VIP are a better choice."})]}),"\n",(0,s.jsx)(n.h2,{id:"prerequisites",children:"Prerequisites"}),"\n",(0,s.jsx)(n.p,{children:"All nodes in this example are running Ubuntu 20.04."}),"\n",(0,s.jsxs)(n.p,{children:["For both examples, assume that a ",(0,s.jsx)(n.a,{href:"/kr/datastore/ha-embedded",children:"HA K3s cluster with embedded etcd"})," has been installed on 3 nodes."]}),"\n",(0,s.jsx)(n.p,{children:"Each k3s server is configured with:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:"# /etc/rancher/k3s/config.yaml\ntoken: lb-cluster-gd\ntls-san: 10.10.10.100\n"})}),"\n",(0,s.jsx)(n.p,{children:"The nodes have hostnames and IPs of:"}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsxs)(n.li,{children:["server-1: ",(0,s.jsx)(n.code,{children:"10.10.10.50"})]}),"\n",(0,s.jsxs)(n.li,{children:["server-2: ",(0,s.jsx)(n.code,{children:"10.10.10.51"})]}),"\n",(0,s.jsxs)(n.li,{children:["server-3: ",(0,s.jsx)(n.code,{children:"10.10.10.52"})]}),"\n"]}),"\n",(0,s.jsx)(n.p,{children:"Two additional nodes for load balancing are configured with hostnames and IPs of:"}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsxs)(n.li,{children:["lb-1: ",(0,s.jsx)(n.code,{children:"10.10.10.98"})]}),"\n",(0,s.jsxs)(n.li,{children:["lb-2: ",(0,s.jsx)(n.code,{children:"10.10.10.99"})]}),"\n"]}),"\n",(0,s.jsx)(n.p,{children:"Three additional nodes exist with hostnames and IPs of:"}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsxs)(n.li,{children:["agent-1: ",(0,s.jsx)(n.code,{children:"10.10.10.101"})]}),"\n",(0,s.jsxs)(n.li,{children:["agent-2: ",(0,s.jsx)(n.code,{children:"10.10.10.102"})]}),"\n",(0,s.jsxs)(n.li,{children:["agent-3: ",(0,s.jsx)(n.code,{children:"10.10.10.103"})]}),"\n"]}),"\n",(0,s.jsx)(n.h2,{id:"setup-load-balancer",children:"Setup Load Balancer"}),"\n",(0,s.jsxs)(l,{children:[(0,s.jsxs)(r,{value:"HAProxy",default:!0,children:[(0,s.jsxs)(n.p,{children:[(0,s.jsx)(n.a,{href:"http://www.haproxy.org/",children:"HAProxy"})," is an open source option that provides a TCP load balancer. It also supports HA for the load balancer itself, ensuring redundancy at all levels. See ",(0,s.jsx)(n.a,{href:"http://docs.haproxy.org/2.8/intro.html",children:"HAProxy Documentation"})," for more info."]}),(0,s.jsxs)(n.p,{children:["Additionally, we will use KeepAlived to generate a virtual IP (VIP) that will be used to access the cluster. See ",(0,s.jsx)(n.a,{href:"https://www.keepalived.org/manpage.html",children:"KeepAlived Documentation"})," for more info."]}),(0,s.jsxs)(n.ol,{children:["\n",(0,s.jsx)(n.li,{children:"Install HAProxy and KeepAlived:"}),"\n"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"sudo apt-get install haproxy keepalived\n"})}),(0,s.jsxs)(n.ol,{start:"2",children:["\n",(0,s.jsxs)(n.li,{children:["Add the following to ",(0,s.jsx)(n.code,{children:"/etc/haproxy/haproxy.cfg"})," on lb-1 and lb-2:"]}),"\n"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"frontend k3s-frontend\n bind *:6443\n mode tcp\n option tcplog\n default_backend k3s-backend\n\nbackend k3s-backend\n mode tcp\n option tcp-check\n balance roundrobin\n default-server inter 10s downinter 5s\n server server-1 10.10.10.50:6443 check\n server server-2 10.10.10.51:6443 check\n server server-3 10.10.10.52:6443 check\n"})}),(0,s.jsxs)(n.ol,{start:"3",children:["\n",(0,s.jsxs)(n.li,{children:["Add the following to ",(0,s.jsx)(n.code,{children:"/etc/keepalived/keepalived.conf"})," on lb-1 and lb-2:"]}),"\n"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"vrrp_script chk_haproxy {\n script 'killall -0 haproxy' # faster than pidof\n interval 2\n}\n\nvrrp_instance haproxy-vip {\n interface eth1\n state <STATE> # MASTER on lb-1, BACKUP on lb-2\n priority <PRIORITY> # 200 on lb-1, 100 on lb-2\n\n virtual_router_id 51\n\n virtual_ipaddress {\n 10.10.10.100/24\n }\n\n track_script {\n chk_haproxy\n }\n}\n"})}),(0,s.jsxs)(n.ol,{start:"6",children:["\n",(0,s.jsx)(n.li,{children:"Restart HAProxy and KeepAlived on lb-1 and lb-2:"}),"\n"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"systemctl restart haproxy\nsystemctl restart keepalived\n"})}),(0,s.jsxs)(n.ol,{start:"5",children:["\n",(0,s.jsx)(n.li,{children:"On agent-1, agent-2, and agent-3, run the following command to install k3s and join the cluster:"}),"\n"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | K3S_TOKEN=lb-cluster-gd sh -s - agent --server https://10.10.10.100:6443\n"})}),(0,s.jsxs)(n.p,{children:["You can now use ",(0,s.jsx)(n.code,{children:"kubectl"})," from server node to interact with the cluster."]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"root@server-1 $ k3s kubectl get nodes -A\nNAME STATUS ROLES AGE VERSION\nagent-1 Ready <none> 32s v1.27.3+k3s1\nagent-2 Ready <none> 20s v1.27.3+k3s1\nagent-3 Ready <none> 9s v1.27.3+k3s1\nserver-1 Ready control-plane,etcd,master 4m22s v1.27.3+k3s1\nserver-2 Ready control-plane,etcd,master 3m58s v1.27.3+k3s1\nserver-3 Ready control-plane,etcd,master 3m12s v1.27.3+k3s1\n"})})]}),(0,s.jsxs)(r,{value:"Nginx",children:[(0,s.jsx)(n.h2,{id:"nginx-load-balancer",children:"Nginx Load Balancer"}),(0,s.jsx)(n.admonition,{type:"danger",children:(0,s.jsx)(n.p,{children:"Nginx does not natively support a High Availability (HA) configuration. If setting up an HA cluster, having a single load balancer in front of K3s will reintroduce a single point of failure."})}),(0,s.jsxs)(n.p,{children:[(0,s.jsx)(n.a,{href:"http://nginx.org/",children:"Nginx Open Source"})," provides a TCP load balancer. See ",(0,s.jsx)(n.a,{href:"https://nginx.org/en/docs/http/load_balancing.html",children:"Using nginx as HTTP load balancer"})," for more info."]}),(0,s.jsxs)(n.ol,{children:["\n",(0,s.jsxs)(n.li,{children:["Create a ",(0,s.jsx)(n.code,{children:"nginx.conf"})," file on lb-1 with the following contents:"]}),"\n"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"events {}\n\nstream {\n upstream k3s_servers {\n server 10.10.10.50:6443;\n server 10.10.10.51:6443;\n server 10.10.10.52:6443;\n }\n\n server {\n listen 6443;\n proxy_pass k3s_servers;\n }\n}\n"})}),(0,s.jsxs)(n.ol,{start:"2",children:["\n",(0,s.jsx)(n.li,{children:"Run the Nginx load balancer on lb-1:"}),"\n"]}),(0,s.jsx)(n.p,{children:"Using docker:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"docker run -d --restart unless-stopped \\\n -v ${PWD}/nginx.conf:/etc/nginx/nginx.conf \\\n -p 6443:6443 \\\n nginx:stable\n"})}),(0,s.jsxs)(n.p,{children:["Or ",(0,s.jsx)(n.a,{href:"https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-open-source/",children:"install nginx"})," and then run:"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"cp nginx.conf /etc/nginx/nginx.conf\nsystemctl start nginx\n"})}),(0,s.jsxs)(n.ol,{start:"3",children:["\n",(0,s.jsx)(n.li,{children:"On agent-1, agent-2, and agent-3, run the following command to install k3s and join the cluster:"}),"\n"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | K3S_TOKEN=lb-cluster-gd sh -s - agent --server https://10.10.10.99:6443\n"})}),(0,s.jsxs)(n.p,{children:["You can now use ",(0,s.jsx)(n.code,{children:"kubectl"})," from server node to interact with the cluster."]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"root@server1 $ k3s kubectl get nodes -A\nNAME STATUS ROLES AGE VERSION\nagent-1 Ready <none> 30s v1.27.3+k3s1\nagent-2 Ready <none> 22s v1.27.3+k3s1\nagent-3 Ready <none> 13s v1.27.3+k3s1\nserver-1 Ready control-plane,etcd,master 4m49s v1.27.3+k3s1\nserver-2 Ready control-plane,etcd,master 3m58s v1.27.3+k3s1\nserver-3 Ready control-plane,etcd,master 3m16s v1.27.3+k3s1\n"})})]})]})]})}function h(e={}){const{wrapper:n}={...(0,a.a)(),...e.components};return n?(0,s.jsx)(n,{...e,children:(0,s.jsx)(c,{...e})}):c(e)}function x(e,n){throw new Error("Expected "+(n?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,n,r)=>{r.d(n,{Z:()=>o,a:()=>t});var s=r(7294);const a={},l=s.createContext(a);function t(e){const n=s.useContext(l);return s.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function o(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(a):e.components||a:t(e.components),s.createElement(l.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/d428bf88.92f76c8d.js b/kr/assets/js/d428bf88.92f76c8d.js new file mode 100644 index 000000000..78d74a731 --- /dev/null +++ b/kr/assets/js/d428bf88.92f76c8d.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[3083],{5538:(e,n,r)=>{r.r(n),r.d(n,{assets:()=>i,contentTitle:()=>t,default:()=>h,frontMatter:()=>l,metadata:()=>o,toc:()=>d});var s=r(5893),a=r(1151);const l={title:"Cluster Load Balancer"},t=void 0,o={id:"datastore/cluster-loadbalancer",title:"Cluster Load Balancer",description:"This section describes how to install an external load balancer in front of a High Availability (HA) K3s cluster's server nodes. Two examples are provided: Nginx and HAProxy.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/datastore/cluster-loadbalancer.md",sourceDirName:"datastore",slug:"/datastore/cluster-loadbalancer",permalink:"/kr/datastore/cluster-loadbalancer",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/datastore/cluster-loadbalancer.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Cluster Load Balancer"},sidebar:"mySidebar",previous:{title:"High Availability External DB",permalink:"/kr/datastore/ha"},next:{title:"\uc5c5\uadf8\ub808\uc774\ub4dc",permalink:"/kr/upgrades/"}},i={},d=[{value:"Prerequisites",id:"prerequisites",level:2},{value:"Setup Load Balancer",id:"setup-load-balancer",level:2},{value:"Nginx Load Balancer",id:"nginx-load-balancer",level:2}];function c(e){const n={a:"a",admonition:"admonition",code:"code",h2:"h2",li:"li",ol:"ol",p:"p",pre:"pre",ul:"ul",...(0,a.a)(),...e.components},{TabItem:r,Tabs:l}=n;return r||x("TabItem",!0),l||x("Tabs",!0),(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(n.p,{children:"This section describes how to install an external load balancer in front of a High Availability (HA) K3s cluster's server nodes. Two examples are provided: Nginx and HAProxy."}),"\n",(0,s.jsxs)(n.admonition,{type:"tip",children:[(0,s.jsxs)(n.p,{children:["External load-balancers should not be confused with the embedded ServiceLB, which is an embedded controller that allows for use of Kubernetes LoadBalancer Services without deploying a third-party load-balancer controller. For more details, see ",(0,s.jsx)(n.a,{href:"/kr/networking/networking-services#service-load-balancer",children:"Service Load Balancer"}),"."]}),(0,s.jsx)(n.p,{children:"External load-balancers can be used to provide a fixed registration address for registering nodes, or for external access to the Kubernetes API Server. For exposing LoadBalancer Services, external load-balancers can be used alongside or instead of ServiceLB, but in most cases, replacement load-balancer controllers such as MetalLB or Kube-VIP are a better choice."})]}),"\n",(0,s.jsx)(n.h2,{id:"prerequisites",children:"Prerequisites"}),"\n",(0,s.jsx)(n.p,{children:"All nodes in this example are running Ubuntu 20.04."}),"\n",(0,s.jsxs)(n.p,{children:["For both examples, assume that a ",(0,s.jsx)(n.a,{href:"/kr/datastore/ha-embedded",children:"HA K3s cluster with embedded etcd"})," has been installed on 3 nodes."]}),"\n",(0,s.jsx)(n.p,{children:"Each k3s server is configured with:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:"# /etc/rancher/k3s/config.yaml\ntoken: lb-cluster-gd\ntls-san: 10.10.10.100\n"})}),"\n",(0,s.jsx)(n.p,{children:"The nodes have hostnames and IPs of:"}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsxs)(n.li,{children:["server-1: ",(0,s.jsx)(n.code,{children:"10.10.10.50"})]}),"\n",(0,s.jsxs)(n.li,{children:["server-2: ",(0,s.jsx)(n.code,{children:"10.10.10.51"})]}),"\n",(0,s.jsxs)(n.li,{children:["server-3: ",(0,s.jsx)(n.code,{children:"10.10.10.52"})]}),"\n"]}),"\n",(0,s.jsx)(n.p,{children:"Two additional nodes for load balancing are configured with hostnames and IPs of:"}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsxs)(n.li,{children:["lb-1: ",(0,s.jsx)(n.code,{children:"10.10.10.98"})]}),"\n",(0,s.jsxs)(n.li,{children:["lb-2: ",(0,s.jsx)(n.code,{children:"10.10.10.99"})]}),"\n"]}),"\n",(0,s.jsx)(n.p,{children:"Three additional nodes exist with hostnames and IPs of:"}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsxs)(n.li,{children:["agent-1: ",(0,s.jsx)(n.code,{children:"10.10.10.101"})]}),"\n",(0,s.jsxs)(n.li,{children:["agent-2: ",(0,s.jsx)(n.code,{children:"10.10.10.102"})]}),"\n",(0,s.jsxs)(n.li,{children:["agent-3: ",(0,s.jsx)(n.code,{children:"10.10.10.103"})]}),"\n"]}),"\n",(0,s.jsx)(n.h2,{id:"setup-load-balancer",children:"Setup Load Balancer"}),"\n",(0,s.jsxs)(l,{children:[(0,s.jsxs)(r,{value:"HAProxy",default:!0,children:[(0,s.jsxs)(n.p,{children:[(0,s.jsx)(n.a,{href:"http://www.haproxy.org/",children:"HAProxy"})," is an open source option that provides a TCP load balancer. It also supports HA for the load balancer itself, ensuring redundancy at all levels. See ",(0,s.jsx)(n.a,{href:"http://docs.haproxy.org/2.8/intro.html",children:"HAProxy Documentation"})," for more info."]}),(0,s.jsxs)(n.p,{children:["Additionally, we will use KeepAlived to generate a virtual IP (VIP) that will be used to access the cluster. See ",(0,s.jsx)(n.a,{href:"https://www.keepalived.org/manpage.html",children:"KeepAlived Documentation"})," for more info."]}),(0,s.jsxs)(n.ol,{children:["\n",(0,s.jsx)(n.li,{children:"Install HAProxy and KeepAlived:"}),"\n"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"sudo apt-get install haproxy keepalived\n"})}),(0,s.jsxs)(n.ol,{start:"2",children:["\n",(0,s.jsxs)(n.li,{children:["Add the following to ",(0,s.jsx)(n.code,{children:"/etc/haproxy/haproxy.cfg"})," on lb-1 and lb-2:"]}),"\n"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"frontend k3s-frontend\n bind *:6443\n mode tcp\n option tcplog\n default_backend k3s-backend\n\nbackend k3s-backend\n mode tcp\n option tcp-check\n balance roundrobin\n default-server inter 10s downinter 5s\n server server-1 10.10.10.50:6443 check\n server server-2 10.10.10.51:6443 check\n server server-3 10.10.10.52:6443 check\n"})}),(0,s.jsxs)(n.ol,{start:"3",children:["\n",(0,s.jsxs)(n.li,{children:["Add the following to ",(0,s.jsx)(n.code,{children:"/etc/keepalived/keepalived.conf"})," on lb-1 and lb-2:"]}),"\n"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"vrrp_script chk_haproxy {\n script 'killall -0 haproxy' # faster than pidof\n interval 2\n}\n\nvrrp_instance haproxy-vip {\n interface eth1\n state <STATE> # MASTER on lb-1, BACKUP on lb-2\n priority <PRIORITY> # 200 on lb-1, 100 on lb-2\n\n virtual_router_id 51\n\n virtual_ipaddress {\n 10.10.10.100/24\n }\n\n track_script {\n chk_haproxy\n }\n}\n"})}),(0,s.jsxs)(n.ol,{start:"6",children:["\n",(0,s.jsx)(n.li,{children:"Restart HAProxy and KeepAlived on lb-1 and lb-2:"}),"\n"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"systemctl restart haproxy\nsystemctl restart keepalived\n"})}),(0,s.jsxs)(n.ol,{start:"5",children:["\n",(0,s.jsx)(n.li,{children:"On agent-1, agent-2, and agent-3, run the following command to install k3s and join the cluster:"}),"\n"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | K3S_TOKEN=lb-cluster-gd sh -s - agent --server https://10.10.10.100:6443\n"})}),(0,s.jsxs)(n.p,{children:["You can now use ",(0,s.jsx)(n.code,{children:"kubectl"})," from server node to interact with the cluster."]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"root@server-1 $ k3s kubectl get nodes -A\nNAME STATUS ROLES AGE VERSION\nagent-1 Ready <none> 32s v1.27.3+k3s1\nagent-2 Ready <none> 20s v1.27.3+k3s1\nagent-3 Ready <none> 9s v1.27.3+k3s1\nserver-1 Ready control-plane,etcd,master 4m22s v1.27.3+k3s1\nserver-2 Ready control-plane,etcd,master 3m58s v1.27.3+k3s1\nserver-3 Ready control-plane,etcd,master 3m12s v1.27.3+k3s1\n"})})]}),(0,s.jsxs)(r,{value:"Nginx",children:[(0,s.jsx)(n.h2,{id:"nginx-load-balancer",children:"Nginx Load Balancer"}),(0,s.jsx)(n.admonition,{type:"danger",children:(0,s.jsx)(n.p,{children:"Nginx does not natively support a High Availability (HA) configuration. If setting up an HA cluster, having a single load balancer in front of K3s will reintroduce a single point of failure."})}),(0,s.jsxs)(n.p,{children:[(0,s.jsx)(n.a,{href:"http://nginx.org/",children:"Nginx Open Source"})," provides a TCP load balancer. See ",(0,s.jsx)(n.a,{href:"https://nginx.org/en/docs/http/load_balancing.html",children:"Using nginx as HTTP load balancer"})," for more info."]}),(0,s.jsxs)(n.ol,{children:["\n",(0,s.jsxs)(n.li,{children:["Create a ",(0,s.jsx)(n.code,{children:"nginx.conf"})," file on lb-1 with the following contents:"]}),"\n"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"events {}\n\nstream {\n upstream k3s_servers {\n server 10.10.10.50:6443;\n server 10.10.10.51:6443;\n server 10.10.10.52:6443;\n }\n\n server {\n listen 6443;\n proxy_pass k3s_servers;\n }\n}\n"})}),(0,s.jsxs)(n.ol,{start:"2",children:["\n",(0,s.jsx)(n.li,{children:"Run the Nginx load balancer on lb-1:"}),"\n"]}),(0,s.jsx)(n.p,{children:"Using docker:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"docker run -d --restart unless-stopped \\\n -v ${PWD}/nginx.conf:/etc/nginx/nginx.conf \\\n -p 6443:6443 \\\n nginx:stable\n"})}),(0,s.jsxs)(n.p,{children:["Or ",(0,s.jsx)(n.a,{href:"https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-open-source/",children:"install nginx"})," and then run:"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"cp nginx.conf /etc/nginx/nginx.conf\nsystemctl start nginx\n"})}),(0,s.jsxs)(n.ol,{start:"3",children:["\n",(0,s.jsx)(n.li,{children:"On agent-1, agent-2, and agent-3, run the following command to install k3s and join the cluster:"}),"\n"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | K3S_TOKEN=lb-cluster-gd sh -s - agent --server https://10.10.10.99:6443\n"})}),(0,s.jsxs)(n.p,{children:["You can now use ",(0,s.jsx)(n.code,{children:"kubectl"})," from server node to interact with the cluster."]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"root@server1 $ k3s kubectl get nodes -A\nNAME STATUS ROLES AGE VERSION\nagent-1 Ready <none> 30s v1.27.3+k3s1\nagent-2 Ready <none> 22s v1.27.3+k3s1\nagent-3 Ready <none> 13s v1.27.3+k3s1\nserver-1 Ready control-plane,etcd,master 4m49s v1.27.3+k3s1\nserver-2 Ready control-plane,etcd,master 3m58s v1.27.3+k3s1\nserver-3 Ready control-plane,etcd,master 3m16s v1.27.3+k3s1\n"})})]})]})]})}function h(e={}){const{wrapper:n}={...(0,a.a)(),...e.components};return n?(0,s.jsx)(n,{...e,children:(0,s.jsx)(c,{...e})}):c(e)}function x(e,n){throw new Error("Expected "+(n?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,n,r)=>{r.d(n,{Z:()=>o,a:()=>t});var s=r(7294);const a={},l=s.createContext(a);function t(e){const n=s.useContext(l);return s.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function o(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(a):e.components||a:t(e.components),s.createElement(l.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/dd0fba39.a599df5d.js b/kr/assets/js/dd0fba39.a599df5d.js deleted file mode 100644 index 5c4f1fa3f..000000000 --- a/kr/assets/js/dd0fba39.a599df5d.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7713],{6964:(e,s,t)=>{t.r(s),t.d(s,{assets:()=>l,contentTitle:()=>c,default:()=>a,frontMatter:()=>n,metadata:()=>i,toc:()=>o});var r=t(5893),d=t(1151);const n={title:"\ud074\ub7ec\uc2a4\ud130 \ub370\uc774\ud130 \uc800\uc7a5\uc18c"},c=void 0,i={id:"datastore/datastore",title:"\ud074\ub7ec\uc2a4\ud130 \ub370\uc774\ud130 \uc800\uc7a5\uc18c",description:"etcd\uac00 \uc544\ub2cc \ub2e4\ub978 \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4\ub97c \uc0ac\uc6a9\ud558\uc5ec \ucfe0\ubc84\ub124\ud2f0\uc2a4\ub97c \uc2e4\ud589\ud560 \uc218 \uc788\ub294 \uae30\ub2a5\uc740 K3s\ub97c \ub2e4\ub978 \ucfe0\ubc84\ub124\ud2f0\uc2a4 \ubc30\ud3ec\ud310\uacfc \ucc28\ubcc4\ud654\ud569\ub2c8\ub2e4. \uc774 \uae30\ub2a5\uc740 \ucfe0\ubc84\ub124\ud2f0\uc2a4 \uc6b4\uc601\uc790\uc5d0\uac8c \uc720\uc5f0\uc131\uc744 \uc81c\uacf5\ud569\ub2c8\ub2e4. \uc0ac\uc6a9 \uac00\ub2a5\ud55c \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4 \uc635\uc158\uc744 \ud1b5\ud574 \uc0ac\uc6a9 \uc0ac\ub840\uc5d0 \uac00\uc7a5 \uc801\ud569\ud55c \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4\ub97c \uc120\ud0dd\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \uc608\ub97c \ub4e4\uc5b4:",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/datastore/datastore.md",sourceDirName:"datastore",slug:"/datastore/",permalink:"/kr/datastore/",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/datastore/datastore.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"\ud074\ub7ec\uc2a4\ud130 \ub370\uc774\ud130 \uc800\uc7a5\uc18c"},sidebar:"mySidebar",previous:{title:"Uninstalling K3s",permalink:"/kr/installation/uninstall"},next:{title:"Backup and Restore",permalink:"/kr/datastore/backup-restore"}},l={},o=[{value:"\uc678\ubd80 \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4 \uad6c\uc131 \ud30c\ub77c\ubbf8\ud130",id:"\uc678\ubd80-\ub370\uc774\ud130\uc2a4\ud1a0\uc5b4-\uad6c\uc131-\ud30c\ub77c\ubbf8\ud130",level:3},{value:"\ub370\uc774\ud130\uc2a4\ud1a0\uc5b4 \uc5d4\ub4dc\ud3ec\uc778\ud2b8 \ud615\uc2dd \ubc0f \uae30\ub2a5",id:"\ub370\uc774\ud130\uc2a4\ud1a0\uc5b4-\uc5d4\ub4dc\ud3ec\uc778\ud2b8-\ud615\uc2dd-\ubc0f-\uae30\ub2a5",level:3}];function h(e){const s={a:"a",br:"br",code:"code",h3:"h3",li:"li",p:"p",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,d.a)(),...e.components},{TabItem:t,Tabs:n}=s;return t||x("TabItem",!0),n||x("Tabs",!0),(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(s.p,{children:"etcd\uac00 \uc544\ub2cc \ub2e4\ub978 \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4\ub97c \uc0ac\uc6a9\ud558\uc5ec \ucfe0\ubc84\ub124\ud2f0\uc2a4\ub97c \uc2e4\ud589\ud560 \uc218 \uc788\ub294 \uae30\ub2a5\uc740 K3s\ub97c \ub2e4\ub978 \ucfe0\ubc84\ub124\ud2f0\uc2a4 \ubc30\ud3ec\ud310\uacfc \ucc28\ubcc4\ud654\ud569\ub2c8\ub2e4. \uc774 \uae30\ub2a5\uc740 \ucfe0\ubc84\ub124\ud2f0\uc2a4 \uc6b4\uc601\uc790\uc5d0\uac8c \uc720\uc5f0\uc131\uc744 \uc81c\uacf5\ud569\ub2c8\ub2e4. \uc0ac\uc6a9 \uac00\ub2a5\ud55c \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4 \uc635\uc158\uc744 \ud1b5\ud574 \uc0ac\uc6a9 \uc0ac\ub840\uc5d0 \uac00\uc7a5 \uc801\ud569\ud55c \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4\ub97c \uc120\ud0dd\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \uc608\ub97c \ub4e4\uc5b4:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"\ud300\uc5d0 etcd \uc6b4\uc601\uc5d0 \ub300\ud55c \uc804\ubb38 \uc9c0\uc2dd\uc774 \uc5c6\ub294 \uacbd\uc6b0, MySQL \ub610\ub294 PostgreSQL\uacfc \uac19\uc740 \uc5d4\ud130\ud504\ub77c\uc774\uc988\uae09 SQL \ub370\uc774\ud130\ubca0\uc774\uc2a4\ub97c \uc120\ud0dd\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."}),"\n",(0,r.jsx)(s.li,{children:"CI/CD \ud658\uacbd\uc5d0\uc11c \ub2e8\uc21c\ud558\uace0 \uc218\uba85\uc774 \uc9e7\uc740 \ud074\ub7ec\uc2a4\ud130\ub97c \uc2e4\ud589\ud574\uc57c \ud558\ub294 \uacbd\uc6b0, \uc784\ubca0\ub514\ub4dc SQLite \ub370\uc774\ud130\ubca0\uc774\uc2a4\ub97c \uc0ac\uc6a9\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."}),"\n",(0,r.jsx)(s.li,{children:"\uc5e3\uc9c0\uc5d0 Kubernetes\ub97c \ubc30\ud3ec\ud558\uace0 \uace0\uac00\uc6a9\uc131 \uc194\ub8e8\uc158\uc774 \ud544\uc694\ud558\uc9c0\ub9cc \uc5e3\uc9c0\uc5d0\uc11c \ub370\uc774\ud130\ubca0\uc774\uc2a4\ub97c \uad00\ub9ac\ud558\ub294 \ub370 \ub530\ub978 \uc6b4\uc601 \uc624\ubc84\ud5e4\ub4dc\ub97c \uac10\ub2f9\ud560 \uc218 \uc5c6\ub294 \uacbd\uc6b0, \uc784\ubca0\ub514\ub4dc etcd\ub97c \uae30\ubc18\uc73c\ub85c \uad6c\ucd95\ub41c K3s\uc758 \uc784\ubca0\ub514\ub4dc HA \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4\ub97c \uc0ac\uc6a9\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."}),"\n"]}),"\n",(0,r.jsx)(s.p,{children:"K3s\ub294 \ub2e4\uc74c\uacfc \uac19\uc740 \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4 \uc635\uc158\uc744 \uc9c0\uc6d0\ud569\ub2c8\ub2e4:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:[(0,r.jsxs)(s.strong,{children:["\uc784\ubca0\ub514\ub4dc ",(0,r.jsx)(s.a,{href:"https://www.sqlite.org/index.html",children:"SQLite"})]}),(0,r.jsx)(s.br,{}),"\n","SQLite\ub294 \uc5ec\ub7ec \uc11c\ubc84\uac00 \uc788\ub294 \ud074\ub7ec\uc2a4\ud130\uc5d0\uc11c\ub294 \uc0ac\uc6a9\ud560 \uc218 \uc5c6\uc2b5\ub2c8\ub2e4.",(0,r.jsx)(s.br,{}),"\n","SQLite\ub294 \uae30\ubcf8 \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4\uc774\uba70, \ub2e4\ub978 \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4 \uad6c\uc131\uc774 \uc5c6\uace0 \ub514\uc2a4\ud06c\uc5d0 \uc784\ubca0\ub514\ub4dc etcd \ub370\uc774\ud130\ubca0\uc774\uc2a4 \ud30c\uc77c\uc774 \uc5c6\ub294 \uacbd\uc6b0 \uc0ac\uc6a9\ub429\ub2c8\ub2e4."]}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.strong,{children:"\uc784\ubca0\ub514\ub4dc etcd"}),(0,r.jsx)(s.br,{}),"\n","\uc5ec\ub7ec \uc11c\ubc84\uc5d0\uc11c \uc784\ubca0\ub514\ub4dc etcd\ub97c \uc0ac\uc6a9\ud558\ub294 \ubc29\ubc95\uc5d0 \ub300\ud55c \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,r.jsx)(s.a,{href:"/kr/datastore/ha-embedded",children:"\uace0\uac00\uc6a9\uc131 \uc784\ubca0\ub514\ub4dc etcd"})," \uc124\uba85\uc11c\ub97c \ucc38\uc870\ud558\uc138\uc694.\nK3s\uac00 \uc0c8 etcd \ud074\ub7ec\uc2a4\ud130\ub97c \ucd08\uae30\ud654\ud558\uac70\ub098 \uae30\uc874 etcd \ud074\ub7ec\uc2a4\ud130\uc5d0 \uac00\uc785\ud558\ub3c4\ub85d \uad6c\uc131\ub418\uc5c8\uac70\ub098 \uc2dc\uc791 \uc2dc \ub514\uc2a4\ud06c\uc5d0 etcd \ub370\uc774\ud130\ubca0\uc774\uc2a4 \ud30c\uc77c\uc774 \uc788\ub294 \uacbd\uc6b0 \uc784\ubca0\ub514\ub4dc etcd\uac00 \uc790\ub3d9\uc73c\ub85c \uc120\ud0dd\ub429\ub2c8\ub2e4."]}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.strong,{children:"\uc678\ubd80 \ub370\uc774\ud130\ubca0\uc774\uc2a4"}),(0,r.jsx)(s.br,{}),"\n","\uc5ec\ub7ec \uc11c\ubc84\uc5d0\uc11c \uc678\ubd80 \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4\ub97c \uc0ac\uc6a9\ud558\ub294 \ubc29\ubc95\uc5d0 \ub300\ud55c \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,r.jsx)(s.a,{href:"/kr/datastore/ha",children:"\uace0\uac00\uc6a9\uc131 \uc678\ubd80 DB"})," \uc124\uba85\uc11c\ub97c \ucc38\uc870\ud558\uc138\uc694.",(0,r.jsx)(s.br,{}),"\n","\uc9c0\uc6d0\ub418\ub294 \uc678\ubd80 \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4\ub294 \ub2e4\uc74c\uacfc \uac19\uc2b5\ub2c8\ub2e4:","\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.a,{href:"https://etcd.io/",children:"etcd"})," (3.5.4 \ubc84\uc804\uc5d0 \ub300\ud574 \uac80\uc99d\ub428)"]}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.a,{href:"https://www.mysql.com/",children:"MySQL"})," (5.7 and 8.0 \ubc84\uc804\uc5d0 \ub300\ud574 \uac80\uc99d\ub428)"]}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.a,{href:"https://mariadb.org/",children:"MariaDB"})," (10.6.8 \ubc84\uc804\uc5d0 \ub300\ud574 \uac80\uc99d\ub428)"]}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.a,{href:"https://www.postgresql.org/",children:"PostgreSQL"})," (10.7, 11.5, and 14.2 \ubc84\uc804\uc5d0 \ub300\ud574 \uac80\uc99d\ub428)"]}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,r.jsx)(s.h3,{id:"\uc678\ubd80-\ub370\uc774\ud130\uc2a4\ud1a0\uc5b4-\uad6c\uc131-\ud30c\ub77c\ubbf8\ud130",children:"\uc678\ubd80 \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4 \uad6c\uc131 \ud30c\ub77c\ubbf8\ud130"}),"\n",(0,r.jsxs)(s.p,{children:["PostgreSQL, MySQL, etcd\uc640 \uac19\uc740 \uc678\ubd80 \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4\ub97c \uc0ac\uc6a9\ud558\ub824\uba74 K3s\uac00 \uc5f0\uacb0 \ubc29\ubc95\uc744 \uc54c \uc218 \uc788\ub3c4\ub85d ",(0,r.jsx)(s.code,{children:"datastore-endpoint"})," \ud30c\ub77c\ubbf8\ud130\ub97c \uc124\uc815\ud574\uc57c \ud569\ub2c8\ub2e4. \ub610\ud55c \uc5f0\uacb0\uc758 \uc778\uc99d \ubc0f \uc554\ud638\ud654\ub97c \uad6c\uc131\ud558\ub294 \ud30c\ub77c\ubbf8\ud130\ub97c \uc9c0\uc815\ud560 \uc218\ub3c4 \uc788\uc2b5\ub2c8\ub2e4. \uc544\ub798 \ud45c\uc5d0\ub294 \uc774\ub7ec\ud55c \ub9e4\uac1c\ubcc0\uc218\uac00 \uc694\uc57d\ub418\uc5b4 \uc788\uc73c\uba70, CLI \ud50c\ub798\uadf8 \ub610\ub294 \ud658\uacbd \ubcc0\uc218\ub85c \uc804\ub2ec\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."]}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"CLI Flag"}),(0,r.jsx)(s.th,{children:"Environment Variable"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--datastore-endpoint"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_DATASTORE_ENDPOINT"})}),(0,r.jsx)(s.td,{children:"PostgreSQL, MySQL \ub610\ub294 etcd \uc5f0\uacb0 \ubb38\uc790\uc5f4\uc744 \uc9c0\uc815\ud569\ub2c8\ub2e4. \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4\uc5d0 \ub300\ud55c \uc5f0\uacb0\uc744 \uc124\uba85\ud558\ub294 \ub370 \uc0ac\uc6a9\ub418\ub294 \ubb38\uc790\uc5f4\uc785\ub2c8\ub2e4. \uc774 \ubb38\uc790\uc5f4\uc758 \uad6c\uc870\ub294 \uac01 \ubc31\uc5d4\ub4dc\uc5d0 \ub530\ub77c \ub2e4\ub974\uba70 \uc544\ub798\uc5d0 \uc790\uc138\ud788 \uc124\uba85\ub418\uc5b4 \uc788\uc2b5\ub2c8\ub2e4."})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--datastore-cafile"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_DATASTORE_CAFILE"})}),(0,r.jsx)(s.td,{children:"\ub370\uc774\ud130\uc2a4\ud1a0\uc5b4\uc640\uc758 \ud1b5\uc2e0\uc744 \ubcf4\ud638\ud558\ub294 \ub370 \uc0ac\uc6a9\ub418\ub294 TLS \uc778\uc99d \uae30\uad00(CA: Certificate Authority) \ud30c\uc77c\uc785\ub2c8\ub2e4. \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4\uc5d0\uc11c \uc0ac\uc6a9\uc790 \uc9c0\uc815 \uc778\uc99d \uae30\uad00\uc5d0\uc11c \uc11c\uba85\ud55c \uc778\uc99d\uc11c\ub97c \uc0ac\uc6a9\ud558\uc5ec TLS\ub97c \ud1b5\ud574 \uc694\uccad\uc744 \uc81c\uacf5\ud558\ub294 \uacbd\uc6b0, \uc774 \ub9e4\uac1c\ubcc0\uc218\ub97c \uc0ac\uc6a9\ud558\uc5ec \ud574\ub2f9 CA\ub97c \uc9c0\uc815\ud558\uba74 K3s \ud074\ub77c\uc774\uc5b8\ud2b8\uac00 \uc778\uc99d\uc11c\ub97c \uc62c\ubc14\ub974\uac8c \ud655\uc778\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--datastore-certfile"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_DATASTORE_CERTFILE"})}),(0,r.jsxs)(s.td,{children:["\ub370\uc774\ud130\uc2a4\ud1a0\uc5b4\uc5d0 \ub300\ud55c \ud074\ub77c\uc774\uc5b8\ud2b8 \uc778\uc99d\uc11c \uae30\ubc18 \uc778\uc99d\uc5d0 \uc0ac\uc6a9\ub418\ub294 TLS \uc778\uc99d\uc11c \ud30c\uc77c\uc785\ub2c8\ub2e4. \uc774 \uae30\ub2a5\uc744 \uc0ac\uc6a9\ud558\ub824\uba74 \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4\uac00 \ud074\ub77c\uc774\uc5b8\ud2b8 \uc778\uc99d\uc11c \uae30\ubc18 \uc778\uc99d\uc744 \uc9c0\uc6d0\ud558\ub3c4\ub85d \uad6c\uc131\ub418\uc5b4 \uc788\uc5b4\uc57c \ud569\ub2c8\ub2e4. \uc774 \ud30c\ub77c\ubbf8\ud130\ub97c \uc9c0\uc815\ud558\ub294 \uacbd\uc6b0 ",(0,r.jsx)(s.code,{children:"datastore-keyfile"})," \ud30c\ub77c\ubbf8\ud130\ub3c4 \uc9c0\uc815\ud574\uc57c \ud569\ub2c8\ub2e4."]})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--datastore-keyfile"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_DATASTORE_KEYFILE"})}),(0,r.jsxs)(s.td,{children:["\ub370\uc774\ud130\uc2a4\ud1a0\uc5b4\uc5d0 \ub300\ud55c \ud074\ub77c\uc774\uc5b8\ud2b8 \uc778\uc99d\uc11c \uae30\ubc18 \uc778\uc99d\uc5d0 \uc0ac\uc6a9\ub418\ub294 TLS \ud0a4 \ud30c\uc77c\uc785\ub2c8\ub2e4. \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 \uc774\uc804 ",(0,r.jsx)(s.code,{children:"datastore-certfile"})," \ub9e4\uac1c\ubcc0\uc218\ub97c \ucc38\uc870\ud558\uc138\uc694."]})]})]})]}),"\n",(0,r.jsx)(s.p,{children:"\ub370\uc774\ud130\ubca0\uc774\uc2a4 \uc790\uaca9 \uc99d\uba85\uc774\ub098 \uae30\ud0c0 \ubbfc\uac10\ud55c \uc815\ubcf4\uac00 \ud504\ub85c\uc138\uc2a4 \uc815\ubcf4\uc758 \uc77c\ubd80\ub85c \ub178\ucd9c\ub418\uc9c0 \uc54a\ub3c4\ub85d \uc774\ub7ec\ud55c \ub9e4\uac1c \ubcc0\uc218\ub97c \uba85\ub839\uc904 \uc778\uc218\uac00 \uc544\ub2cc \ud658\uacbd \ubcc0\uc218\ub85c \uc124\uc815\ud558\ub294 \uac83\uc774 \uc88b\uc2b5\ub2c8\ub2e4."}),"\n",(0,r.jsx)(s.h3,{id:"\ub370\uc774\ud130\uc2a4\ud1a0\uc5b4-\uc5d4\ub4dc\ud3ec\uc778\ud2b8-\ud615\uc2dd-\ubc0f-\uae30\ub2a5",children:"\ub370\uc774\ud130\uc2a4\ud1a0\uc5b4 \uc5d4\ub4dc\ud3ec\uc778\ud2b8 \ud615\uc2dd \ubc0f \uae30\ub2a5"}),"\n",(0,r.jsxs)(s.p,{children:["\uc55e\uc11c \uc5b8\uae09\ud588\ub4ef\uc774, ",(0,r.jsx)(s.code,{children:"datastore-endpoint"})," \ub9e4\uac1c\ubcc0\uc218\uc5d0 \uc804\ub2ec\ub418\ub294 \uac12\uc758 \ud615\uc2dd\uc740 \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4 \ubc31\uc5d4\ub4dc\uc5d0 \ub530\ub77c \ub2ec\ub77c\uc9d1\ub2c8\ub2e4. \ub2e4\uc74c\uc740 \uc9c0\uc6d0\ub418\ub294 \uac01 \uc678\ubd80 \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4\uc5d0 \ub300\ud55c \uc774 \ud615\uc2dd\uacfc \uae30\ub2a5\uc5d0 \ub300\ud574 \uc790\uc138\ud788 \uc124\uba85\ud569\ub2c8\ub2e4."]}),"\n",(0,r.jsxs)(n,{children:[(0,r.jsxs)(t,{value:"PostgreSQL",children:[(0,r.jsx)(s.p,{children:"\uac00\uc7a5 \uc77c\ubc18\uc801\uc778 \ud615\uc2dd\uc758 PostgreSQL\uc6a9 \ub370\uc774\ud130 \uc800\uc7a5\uc18c \uc5d4\ub4dc\ud3ec\uc778\ud2b8 \ub9e4\uac1c \ubcc0\uc218\ub294 \ub2e4\uc74c\uacfc \uac19\uc740 \ud615\uc2dd\uc744 \uac16\uc2b5\ub2c8\ub2e4:"}),(0,r.jsx)(s.p,{children:(0,r.jsx)(s.code,{children:"postgres://username:password@hostname:port/database-name"})}),(0,r.jsxs)(s.p,{children:["\ub354 \uace0\uae09 \uad6c\uc131 \ub9e4\uac1c\ubcc0\uc218\ub97c \uc0ac\uc6a9\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \uc774\uc5d0 \ub300\ud55c \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,r.jsx)(s.a,{href:"https://godoc.org/github.com/lib/pq",children:"https://godoc.org/github.com/lib/pq"})," \uc744 \ucc38\uc870\ud558\uc138\uc694."]}),(0,r.jsx)(s.p,{children:"\ub370\uc774\ud130\ubca0\uc774\uc2a4 \uc774\ub984\uc744 \uc9c0\uc815\ud588\ub294\ub370 \ud574\ub2f9 \ub370\uc774\ud130\ubca0\uc774\uc2a4\uac00 \uc874\uc7ac\ud558\uc9c0 \uc54a\uc73c\uba74 \uc11c\ubc84\uc5d0\uc11c \ub370\uc774\ud130\ubca0\uc774\uc2a4 \uc0dd\uc131\uc744 \uc2dc\ub3c4\ud569\ub2c8\ub2e4."}),(0,r.jsxs)(s.p,{children:["\uc5d4\ub4dc\ud3ec\uc778\ud2b8\ub85c ",(0,r.jsx)(s.code,{children:"postgres://"}),"\ub9cc \uc81c\uacf5\ud558\ub294 \uacbd\uc6b0, K3s\ub294 \ub2e4\uc74c\uc744 \uc2dc\ub3c4\ud569\ub2c8\ub2e4:"]}),(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["\uc0ac\uc6a9\uc790 \uc774\ub984\uacfc \ube44\ubc00\ubc88\ud638\ub85c ",(0,r.jsx)(s.code,{children:"postgres"}),"\ub97c \uc0ac\uc6a9\ud558\uc5ec localhost\uc5d0 \uc5f0\uacb0\ud569\ub2c8\ub2e4."]}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"kubernetes"}),"\ub77c\ub294 \uc774\ub984\uc758 \ub370\uc774\ud130\ubca0\uc774\uc2a4\ub97c \uc0dd\uc131\ud569\ub2c8\ub2e4."]}),"\n"]})]}),(0,r.jsxs)(t,{value:"MySQL / MariaDB",children:[(0,r.jsxs)(s.p,{children:["\uac00\uc7a5 \uc77c\ubc18\uc801\uc778 \ud615\ud0dc\uc778 MySQL\uacfc MariaDB\uc758 ",(0,r.jsx)(s.code,{children:"datastore-endpoint"})," \ud30c\ub77c\ubbf8\ud130\ub294 \ub2e4\uc74c\uacfc \uac19\uc740 \ud615\uc2dd\uc744 \uac16\uc2b5\ub2c8\ub2e4:"]}),(0,r.jsx)(s.p,{children:(0,r.jsx)(s.code,{children:"mysql://username:password@tcp(hostname:3306)/database-name"})}),(0,r.jsxs)(s.p,{children:["\ub354 \uace0\uae09 \uad6c\uc131 \ub9e4\uac1c\ubcc0\uc218\ub97c \uc0ac\uc6a9\ud560 \uc218\ub3c4 \uc788\uc2b5\ub2c8\ub2e4. \uc774\uc5d0 \ub300\ud55c \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,r.jsx)(s.a,{href:"https://github.com/go-sql-driver/mysql#dsn-data-source-name",children:"https://github.com/go-sql-driver/mysql#dsn-data-source-name"})," \uc744 \ucc38\uc870\ud558\uc138\uc694."]}),(0,r.jsxs)(s.p,{children:["K3s\uc758 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/issues/1093",children:"\uc54c\ub824\uc9c4 \uc774\uc288"}),"\ub85c \uc778\ud574 ",(0,r.jsx)(s.code,{children:"tls"}),' \ud30c\ub77c\ubbf8\ud130\ub97c \uc124\uc815\ud560 \uc218 \uc5c6\uc2b5\ub2c8\ub2e4. TLS \ud1b5\uc2e0\uc740 \uc9c0\uc6d0\ub418\uc9c0\ub9cc \uc608\ub97c \ub4e4\uc5b4 \uc774 \ub9e4\uac1c\ubcc0\uc218\ub97c "skip-verify"\ub85c \uc124\uc815\ud558\uc5ec K3s\uac00 \uc778\uc99d\uc11c \ud655\uc778\uc744 \uac74\ub108\ub6f0\ub3c4\ub85d \ud560 \uc218\ub294 \uc5c6\uc2b5\ub2c8\ub2e4.']}),(0,r.jsx)(s.p,{children:"\ub370\uc774\ud130\ubca0\uc774\uc2a4 \uc774\ub984\uc744 \uc9c0\uc815\ud588\ub294\ub370 \ub370\uc774\ud130\ubca0\uc774\uc2a4\uac00 \uc874\uc7ac\ud558\uc9c0 \uc54a\uc73c\uba74 \uc11c\ubc84\uc5d0\uc11c \ub9cc\ub4e4\ub824\uace0 \uc2dc\ub3c4\ud569\ub2c8\ub2e4."}),(0,r.jsxs)(s.p,{children:["\uc5d4\ub4dc\ud3ec\uc778\ud2b8\ub85c ",(0,r.jsx)(s.code,{children:"mysql://"}),"\ub9cc \uc81c\uacf5\ud558\ub294 \uacbd\uc6b0, K3s\ub294 \ub2e4\uc74c\uc744 \uc2dc\ub3c4\ud569\ub2c8\ub2e4:"]}),(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"root"})," \uc0ac\uc6a9\uc790\uc640 \ube44\ubc00\ubc88\ud638\ub97c \uc0ac\uc6a9\ud558\uc9c0 \uc54a\uace0 ",(0,r.jsx)(s.code,{children:"/var/run/mysqld/mysqld.sock"}),"\uc5d0\uc11c MySQL \uc18c\ucf13\uc5d0 \uc5f0\uacb0\ud569\ub2c8\ub2e4."]}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"kubernetes"}),"\ub77c\ub294 \uc774\ub984\uc758 \ub370\uc774\ud130\ubca0\uc774\uc2a4\ub97c \uc0dd\uc131\ud569\ub2c8\ub2e4."]}),"\n"]})]}),(0,r.jsxs)(t,{value:"etcd",children:[(0,r.jsxs)(s.p,{children:["\uac00\uc7a5 \uc77c\ubc18\uc801\uc778 \ud615\ud0dc\uc778 etcd\uc758 ",(0,r.jsx)(s.code,{children:"datastore-endpoint"})," \ud30c\ub77c\ubbf8\ud130\uc758 \ud615\uc2dd\uc740 \ub2e4\uc74c\uacfc \uac19\uc2b5\ub2c8\ub2e4:"]}),(0,r.jsx)(s.p,{children:(0,r.jsx)(s.code,{children:"https://etcd-host-1:2379,https://etcd-host-2:2379,https://etcd-host-3:2379"})}),(0,r.jsx)(s.p,{children:"\uc704\ub294 \uc77c\ubc18\uc801\uc778 \uc138 \uac1c\uc758 \ub178\ub4dc\uc778 etcd \ud074\ub7ec\uc2a4\ud130\ub97c \uac00\uc815\ud569\ub2c8\ub2e4. \uc774 \ub9e4\uac1c\ubcc0\uc218\ub294 \uc27c\ud45c\ub85c \uad6c\ubd84\ub41c \ud558\ub098 \uc774\uc0c1\uc758 etcd URL\uc744 \uc0ac\uc6a9\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."})]})]})]})}function a(e={}){const{wrapper:s}={...(0,d.a)(),...e.components};return s?(0,r.jsx)(s,{...e,children:(0,r.jsx)(h,{...e})}):h(e)}function x(e,s){throw new Error("Expected "+(s?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,s,t)=>{t.d(s,{Z:()=>i,a:()=>c});var r=t(7294);const d={},n=r.createContext(d);function c(e){const s=r.useContext(n);return r.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function i(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(d):e.components||d:c(e.components),r.createElement(n.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/dd0fba39.e82585e9.js b/kr/assets/js/dd0fba39.e82585e9.js new file mode 100644 index 000000000..533448008 --- /dev/null +++ b/kr/assets/js/dd0fba39.e82585e9.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7713],{6964:(e,s,t)=>{t.r(s),t.d(s,{assets:()=>l,contentTitle:()=>c,default:()=>a,frontMatter:()=>n,metadata:()=>i,toc:()=>o});var r=t(5893),d=t(1151);const n={title:"\ud074\ub7ec\uc2a4\ud130 \ub370\uc774\ud130 \uc800\uc7a5\uc18c"},c=void 0,i={id:"datastore/datastore",title:"\ud074\ub7ec\uc2a4\ud130 \ub370\uc774\ud130 \uc800\uc7a5\uc18c",description:"etcd\uac00 \uc544\ub2cc \ub2e4\ub978 \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4\ub97c \uc0ac\uc6a9\ud558\uc5ec \ucfe0\ubc84\ub124\ud2f0\uc2a4\ub97c \uc2e4\ud589\ud560 \uc218 \uc788\ub294 \uae30\ub2a5\uc740 K3s\ub97c \ub2e4\ub978 \ucfe0\ubc84\ub124\ud2f0\uc2a4 \ubc30\ud3ec\ud310\uacfc \ucc28\ubcc4\ud654\ud569\ub2c8\ub2e4. \uc774 \uae30\ub2a5\uc740 \ucfe0\ubc84\ub124\ud2f0\uc2a4 \uc6b4\uc601\uc790\uc5d0\uac8c \uc720\uc5f0\uc131\uc744 \uc81c\uacf5\ud569\ub2c8\ub2e4. \uc0ac\uc6a9 \uac00\ub2a5\ud55c \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4 \uc635\uc158\uc744 \ud1b5\ud574 \uc0ac\uc6a9 \uc0ac\ub840\uc5d0 \uac00\uc7a5 \uc801\ud569\ud55c \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4\ub97c \uc120\ud0dd\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \uc608\ub97c \ub4e4\uc5b4:",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/datastore/datastore.md",sourceDirName:"datastore",slug:"/datastore/",permalink:"/kr/datastore/",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/datastore/datastore.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"\ud074\ub7ec\uc2a4\ud130 \ub370\uc774\ud130 \uc800\uc7a5\uc18c"},sidebar:"mySidebar",previous:{title:"Uninstalling K3s",permalink:"/kr/installation/uninstall"},next:{title:"Backup and Restore",permalink:"/kr/datastore/backup-restore"}},l={},o=[{value:"\uc678\ubd80 \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4 \uad6c\uc131 \ud30c\ub77c\ubbf8\ud130",id:"\uc678\ubd80-\ub370\uc774\ud130\uc2a4\ud1a0\uc5b4-\uad6c\uc131-\ud30c\ub77c\ubbf8\ud130",level:3},{value:"\ub370\uc774\ud130\uc2a4\ud1a0\uc5b4 \uc5d4\ub4dc\ud3ec\uc778\ud2b8 \ud615\uc2dd \ubc0f \uae30\ub2a5",id:"\ub370\uc774\ud130\uc2a4\ud1a0\uc5b4-\uc5d4\ub4dc\ud3ec\uc778\ud2b8-\ud615\uc2dd-\ubc0f-\uae30\ub2a5",level:3}];function h(e){const s={a:"a",br:"br",code:"code",h3:"h3",li:"li",p:"p",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,d.a)(),...e.components},{TabItem:t,Tabs:n}=s;return t||x("TabItem",!0),n||x("Tabs",!0),(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(s.p,{children:"etcd\uac00 \uc544\ub2cc \ub2e4\ub978 \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4\ub97c \uc0ac\uc6a9\ud558\uc5ec \ucfe0\ubc84\ub124\ud2f0\uc2a4\ub97c \uc2e4\ud589\ud560 \uc218 \uc788\ub294 \uae30\ub2a5\uc740 K3s\ub97c \ub2e4\ub978 \ucfe0\ubc84\ub124\ud2f0\uc2a4 \ubc30\ud3ec\ud310\uacfc \ucc28\ubcc4\ud654\ud569\ub2c8\ub2e4. \uc774 \uae30\ub2a5\uc740 \ucfe0\ubc84\ub124\ud2f0\uc2a4 \uc6b4\uc601\uc790\uc5d0\uac8c \uc720\uc5f0\uc131\uc744 \uc81c\uacf5\ud569\ub2c8\ub2e4. \uc0ac\uc6a9 \uac00\ub2a5\ud55c \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4 \uc635\uc158\uc744 \ud1b5\ud574 \uc0ac\uc6a9 \uc0ac\ub840\uc5d0 \uac00\uc7a5 \uc801\ud569\ud55c \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4\ub97c \uc120\ud0dd\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \uc608\ub97c \ub4e4\uc5b4:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"\ud300\uc5d0 etcd \uc6b4\uc601\uc5d0 \ub300\ud55c \uc804\ubb38 \uc9c0\uc2dd\uc774 \uc5c6\ub294 \uacbd\uc6b0, MySQL \ub610\ub294 PostgreSQL\uacfc \uac19\uc740 \uc5d4\ud130\ud504\ub77c\uc774\uc988\uae09 SQL \ub370\uc774\ud130\ubca0\uc774\uc2a4\ub97c \uc120\ud0dd\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."}),"\n",(0,r.jsx)(s.li,{children:"CI/CD \ud658\uacbd\uc5d0\uc11c \ub2e8\uc21c\ud558\uace0 \uc218\uba85\uc774 \uc9e7\uc740 \ud074\ub7ec\uc2a4\ud130\ub97c \uc2e4\ud589\ud574\uc57c \ud558\ub294 \uacbd\uc6b0, \uc784\ubca0\ub514\ub4dc SQLite \ub370\uc774\ud130\ubca0\uc774\uc2a4\ub97c \uc0ac\uc6a9\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."}),"\n",(0,r.jsx)(s.li,{children:"\uc5e3\uc9c0\uc5d0 Kubernetes\ub97c \ubc30\ud3ec\ud558\uace0 \uace0\uac00\uc6a9\uc131 \uc194\ub8e8\uc158\uc774 \ud544\uc694\ud558\uc9c0\ub9cc \uc5e3\uc9c0\uc5d0\uc11c \ub370\uc774\ud130\ubca0\uc774\uc2a4\ub97c \uad00\ub9ac\ud558\ub294 \ub370 \ub530\ub978 \uc6b4\uc601 \uc624\ubc84\ud5e4\ub4dc\ub97c \uac10\ub2f9\ud560 \uc218 \uc5c6\ub294 \uacbd\uc6b0, \uc784\ubca0\ub514\ub4dc etcd\ub97c \uae30\ubc18\uc73c\ub85c \uad6c\ucd95\ub41c K3s\uc758 \uc784\ubca0\ub514\ub4dc HA \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4\ub97c \uc0ac\uc6a9\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."}),"\n"]}),"\n",(0,r.jsx)(s.p,{children:"K3s\ub294 \ub2e4\uc74c\uacfc \uac19\uc740 \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4 \uc635\uc158\uc744 \uc9c0\uc6d0\ud569\ub2c8\ub2e4:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:[(0,r.jsxs)(s.strong,{children:["\uc784\ubca0\ub514\ub4dc ",(0,r.jsx)(s.a,{href:"https://www.sqlite.org/index.html",children:"SQLite"})]}),(0,r.jsx)(s.br,{}),"\n","SQLite\ub294 \uc5ec\ub7ec \uc11c\ubc84\uac00 \uc788\ub294 \ud074\ub7ec\uc2a4\ud130\uc5d0\uc11c\ub294 \uc0ac\uc6a9\ud560 \uc218 \uc5c6\uc2b5\ub2c8\ub2e4.",(0,r.jsx)(s.br,{}),"\n","SQLite\ub294 \uae30\ubcf8 \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4\uc774\uba70, \ub2e4\ub978 \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4 \uad6c\uc131\uc774 \uc5c6\uace0 \ub514\uc2a4\ud06c\uc5d0 \uc784\ubca0\ub514\ub4dc etcd \ub370\uc774\ud130\ubca0\uc774\uc2a4 \ud30c\uc77c\uc774 \uc5c6\ub294 \uacbd\uc6b0 \uc0ac\uc6a9\ub429\ub2c8\ub2e4."]}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.strong,{children:"\uc784\ubca0\ub514\ub4dc etcd"}),(0,r.jsx)(s.br,{}),"\n","\uc5ec\ub7ec \uc11c\ubc84\uc5d0\uc11c \uc784\ubca0\ub514\ub4dc etcd\ub97c \uc0ac\uc6a9\ud558\ub294 \ubc29\ubc95\uc5d0 \ub300\ud55c \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,r.jsx)(s.a,{href:"/kr/datastore/ha-embedded",children:"\uace0\uac00\uc6a9\uc131 \uc784\ubca0\ub514\ub4dc etcd"})," \uc124\uba85\uc11c\ub97c \ucc38\uc870\ud558\uc138\uc694.\nK3s\uac00 \uc0c8 etcd \ud074\ub7ec\uc2a4\ud130\ub97c \ucd08\uae30\ud654\ud558\uac70\ub098 \uae30\uc874 etcd \ud074\ub7ec\uc2a4\ud130\uc5d0 \uac00\uc785\ud558\ub3c4\ub85d \uad6c\uc131\ub418\uc5c8\uac70\ub098 \uc2dc\uc791 \uc2dc \ub514\uc2a4\ud06c\uc5d0 etcd \ub370\uc774\ud130\ubca0\uc774\uc2a4 \ud30c\uc77c\uc774 \uc788\ub294 \uacbd\uc6b0 \uc784\ubca0\ub514\ub4dc etcd\uac00 \uc790\ub3d9\uc73c\ub85c \uc120\ud0dd\ub429\ub2c8\ub2e4."]}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.strong,{children:"\uc678\ubd80 \ub370\uc774\ud130\ubca0\uc774\uc2a4"}),(0,r.jsx)(s.br,{}),"\n","\uc5ec\ub7ec \uc11c\ubc84\uc5d0\uc11c \uc678\ubd80 \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4\ub97c \uc0ac\uc6a9\ud558\ub294 \ubc29\ubc95\uc5d0 \ub300\ud55c \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,r.jsx)(s.a,{href:"/kr/datastore/ha",children:"\uace0\uac00\uc6a9\uc131 \uc678\ubd80 DB"})," \uc124\uba85\uc11c\ub97c \ucc38\uc870\ud558\uc138\uc694.",(0,r.jsx)(s.br,{}),"\n","\uc9c0\uc6d0\ub418\ub294 \uc678\ubd80 \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4\ub294 \ub2e4\uc74c\uacfc \uac19\uc2b5\ub2c8\ub2e4:","\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.a,{href:"https://etcd.io/",children:"etcd"})," (3.5.4 \ubc84\uc804\uc5d0 \ub300\ud574 \uac80\uc99d\ub428)"]}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.a,{href:"https://www.mysql.com/",children:"MySQL"})," (5.7 and 8.0 \ubc84\uc804\uc5d0 \ub300\ud574 \uac80\uc99d\ub428)"]}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.a,{href:"https://mariadb.org/",children:"MariaDB"})," (10.6.8 \ubc84\uc804\uc5d0 \ub300\ud574 \uac80\uc99d\ub428)"]}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.a,{href:"https://www.postgresql.org/",children:"PostgreSQL"})," (10.7, 11.5, and 14.2 \ubc84\uc804\uc5d0 \ub300\ud574 \uac80\uc99d\ub428)"]}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,r.jsx)(s.h3,{id:"\uc678\ubd80-\ub370\uc774\ud130\uc2a4\ud1a0\uc5b4-\uad6c\uc131-\ud30c\ub77c\ubbf8\ud130",children:"\uc678\ubd80 \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4 \uad6c\uc131 \ud30c\ub77c\ubbf8\ud130"}),"\n",(0,r.jsxs)(s.p,{children:["PostgreSQL, MySQL, etcd\uc640 \uac19\uc740 \uc678\ubd80 \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4\ub97c \uc0ac\uc6a9\ud558\ub824\uba74 K3s\uac00 \uc5f0\uacb0 \ubc29\ubc95\uc744 \uc54c \uc218 \uc788\ub3c4\ub85d ",(0,r.jsx)(s.code,{children:"datastore-endpoint"})," \ud30c\ub77c\ubbf8\ud130\ub97c \uc124\uc815\ud574\uc57c \ud569\ub2c8\ub2e4. \ub610\ud55c \uc5f0\uacb0\uc758 \uc778\uc99d \ubc0f \uc554\ud638\ud654\ub97c \uad6c\uc131\ud558\ub294 \ud30c\ub77c\ubbf8\ud130\ub97c \uc9c0\uc815\ud560 \uc218\ub3c4 \uc788\uc2b5\ub2c8\ub2e4. \uc544\ub798 \ud45c\uc5d0\ub294 \uc774\ub7ec\ud55c \ub9e4\uac1c\ubcc0\uc218\uac00 \uc694\uc57d\ub418\uc5b4 \uc788\uc73c\uba70, CLI \ud50c\ub798\uadf8 \ub610\ub294 \ud658\uacbd \ubcc0\uc218\ub85c \uc804\ub2ec\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."]}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"CLI Flag"}),(0,r.jsx)(s.th,{children:"Environment Variable"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--datastore-endpoint"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_DATASTORE_ENDPOINT"})}),(0,r.jsx)(s.td,{children:"PostgreSQL, MySQL \ub610\ub294 etcd \uc5f0\uacb0 \ubb38\uc790\uc5f4\uc744 \uc9c0\uc815\ud569\ub2c8\ub2e4. \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4\uc5d0 \ub300\ud55c \uc5f0\uacb0\uc744 \uc124\uba85\ud558\ub294 \ub370 \uc0ac\uc6a9\ub418\ub294 \ubb38\uc790\uc5f4\uc785\ub2c8\ub2e4. \uc774 \ubb38\uc790\uc5f4\uc758 \uad6c\uc870\ub294 \uac01 \ubc31\uc5d4\ub4dc\uc5d0 \ub530\ub77c \ub2e4\ub974\uba70 \uc544\ub798\uc5d0 \uc790\uc138\ud788 \uc124\uba85\ub418\uc5b4 \uc788\uc2b5\ub2c8\ub2e4."})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--datastore-cafile"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_DATASTORE_CAFILE"})}),(0,r.jsx)(s.td,{children:"\ub370\uc774\ud130\uc2a4\ud1a0\uc5b4\uc640\uc758 \ud1b5\uc2e0\uc744 \ubcf4\ud638\ud558\ub294 \ub370 \uc0ac\uc6a9\ub418\ub294 TLS \uc778\uc99d \uae30\uad00(CA: Certificate Authority) \ud30c\uc77c\uc785\ub2c8\ub2e4. \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4\uc5d0\uc11c \uc0ac\uc6a9\uc790 \uc9c0\uc815 \uc778\uc99d \uae30\uad00\uc5d0\uc11c \uc11c\uba85\ud55c \uc778\uc99d\uc11c\ub97c \uc0ac\uc6a9\ud558\uc5ec TLS\ub97c \ud1b5\ud574 \uc694\uccad\uc744 \uc81c\uacf5\ud558\ub294 \uacbd\uc6b0, \uc774 \ub9e4\uac1c\ubcc0\uc218\ub97c \uc0ac\uc6a9\ud558\uc5ec \ud574\ub2f9 CA\ub97c \uc9c0\uc815\ud558\uba74 K3s \ud074\ub77c\uc774\uc5b8\ud2b8\uac00 \uc778\uc99d\uc11c\ub97c \uc62c\ubc14\ub974\uac8c \ud655\uc778\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--datastore-certfile"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_DATASTORE_CERTFILE"})}),(0,r.jsxs)(s.td,{children:["\ub370\uc774\ud130\uc2a4\ud1a0\uc5b4\uc5d0 \ub300\ud55c \ud074\ub77c\uc774\uc5b8\ud2b8 \uc778\uc99d\uc11c \uae30\ubc18 \uc778\uc99d\uc5d0 \uc0ac\uc6a9\ub418\ub294 TLS \uc778\uc99d\uc11c \ud30c\uc77c\uc785\ub2c8\ub2e4. \uc774 \uae30\ub2a5\uc744 \uc0ac\uc6a9\ud558\ub824\uba74 \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4\uac00 \ud074\ub77c\uc774\uc5b8\ud2b8 \uc778\uc99d\uc11c \uae30\ubc18 \uc778\uc99d\uc744 \uc9c0\uc6d0\ud558\ub3c4\ub85d \uad6c\uc131\ub418\uc5b4 \uc788\uc5b4\uc57c \ud569\ub2c8\ub2e4. \uc774 \ud30c\ub77c\ubbf8\ud130\ub97c \uc9c0\uc815\ud558\ub294 \uacbd\uc6b0 ",(0,r.jsx)(s.code,{children:"datastore-keyfile"})," \ud30c\ub77c\ubbf8\ud130\ub3c4 \uc9c0\uc815\ud574\uc57c \ud569\ub2c8\ub2e4."]})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--datastore-keyfile"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_DATASTORE_KEYFILE"})}),(0,r.jsxs)(s.td,{children:["\ub370\uc774\ud130\uc2a4\ud1a0\uc5b4\uc5d0 \ub300\ud55c \ud074\ub77c\uc774\uc5b8\ud2b8 \uc778\uc99d\uc11c \uae30\ubc18 \uc778\uc99d\uc5d0 \uc0ac\uc6a9\ub418\ub294 TLS \ud0a4 \ud30c\uc77c\uc785\ub2c8\ub2e4. \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 \uc774\uc804 ",(0,r.jsx)(s.code,{children:"datastore-certfile"})," \ub9e4\uac1c\ubcc0\uc218\ub97c \ucc38\uc870\ud558\uc138\uc694."]})]})]})]}),"\n",(0,r.jsx)(s.p,{children:"\ub370\uc774\ud130\ubca0\uc774\uc2a4 \uc790\uaca9 \uc99d\uba85\uc774\ub098 \uae30\ud0c0 \ubbfc\uac10\ud55c \uc815\ubcf4\uac00 \ud504\ub85c\uc138\uc2a4 \uc815\ubcf4\uc758 \uc77c\ubd80\ub85c \ub178\ucd9c\ub418\uc9c0 \uc54a\ub3c4\ub85d \uc774\ub7ec\ud55c \ub9e4\uac1c \ubcc0\uc218\ub97c \uba85\ub839\uc904 \uc778\uc218\uac00 \uc544\ub2cc \ud658\uacbd \ubcc0\uc218\ub85c \uc124\uc815\ud558\ub294 \uac83\uc774 \uc88b\uc2b5\ub2c8\ub2e4."}),"\n",(0,r.jsx)(s.h3,{id:"\ub370\uc774\ud130\uc2a4\ud1a0\uc5b4-\uc5d4\ub4dc\ud3ec\uc778\ud2b8-\ud615\uc2dd-\ubc0f-\uae30\ub2a5",children:"\ub370\uc774\ud130\uc2a4\ud1a0\uc5b4 \uc5d4\ub4dc\ud3ec\uc778\ud2b8 \ud615\uc2dd \ubc0f \uae30\ub2a5"}),"\n",(0,r.jsxs)(s.p,{children:["\uc55e\uc11c \uc5b8\uae09\ud588\ub4ef\uc774, ",(0,r.jsx)(s.code,{children:"datastore-endpoint"})," \ub9e4\uac1c\ubcc0\uc218\uc5d0 \uc804\ub2ec\ub418\ub294 \uac12\uc758 \ud615\uc2dd\uc740 \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4 \ubc31\uc5d4\ub4dc\uc5d0 \ub530\ub77c \ub2ec\ub77c\uc9d1\ub2c8\ub2e4. \ub2e4\uc74c\uc740 \uc9c0\uc6d0\ub418\ub294 \uac01 \uc678\ubd80 \ub370\uc774\ud130\uc2a4\ud1a0\uc5b4\uc5d0 \ub300\ud55c \uc774 \ud615\uc2dd\uacfc \uae30\ub2a5\uc5d0 \ub300\ud574 \uc790\uc138\ud788 \uc124\uba85\ud569\ub2c8\ub2e4."]}),"\n",(0,r.jsxs)(n,{children:[(0,r.jsxs)(t,{value:"PostgreSQL",children:[(0,r.jsx)(s.p,{children:"\uac00\uc7a5 \uc77c\ubc18\uc801\uc778 \ud615\uc2dd\uc758 PostgreSQL\uc6a9 \ub370\uc774\ud130 \uc800\uc7a5\uc18c \uc5d4\ub4dc\ud3ec\uc778\ud2b8 \ub9e4\uac1c \ubcc0\uc218\ub294 \ub2e4\uc74c\uacfc \uac19\uc740 \ud615\uc2dd\uc744 \uac16\uc2b5\ub2c8\ub2e4:"}),(0,r.jsx)(s.p,{children:(0,r.jsx)(s.code,{children:"postgres://username:password@hostname:port/database-name"})}),(0,r.jsxs)(s.p,{children:["\ub354 \uace0\uae09 \uad6c\uc131 \ub9e4\uac1c\ubcc0\uc218\ub97c \uc0ac\uc6a9\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \uc774\uc5d0 \ub300\ud55c \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,r.jsx)(s.a,{href:"https://godoc.org/github.com/lib/pq",children:"https://godoc.org/github.com/lib/pq"})," \uc744 \ucc38\uc870\ud558\uc138\uc694."]}),(0,r.jsx)(s.p,{children:"\ub370\uc774\ud130\ubca0\uc774\uc2a4 \uc774\ub984\uc744 \uc9c0\uc815\ud588\ub294\ub370 \ud574\ub2f9 \ub370\uc774\ud130\ubca0\uc774\uc2a4\uac00 \uc874\uc7ac\ud558\uc9c0 \uc54a\uc73c\uba74 \uc11c\ubc84\uc5d0\uc11c \ub370\uc774\ud130\ubca0\uc774\uc2a4 \uc0dd\uc131\uc744 \uc2dc\ub3c4\ud569\ub2c8\ub2e4."}),(0,r.jsxs)(s.p,{children:["\uc5d4\ub4dc\ud3ec\uc778\ud2b8\ub85c ",(0,r.jsx)(s.code,{children:"postgres://"}),"\ub9cc \uc81c\uacf5\ud558\ub294 \uacbd\uc6b0, K3s\ub294 \ub2e4\uc74c\uc744 \uc2dc\ub3c4\ud569\ub2c8\ub2e4:"]}),(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["\uc0ac\uc6a9\uc790 \uc774\ub984\uacfc \ube44\ubc00\ubc88\ud638\ub85c ",(0,r.jsx)(s.code,{children:"postgres"}),"\ub97c \uc0ac\uc6a9\ud558\uc5ec localhost\uc5d0 \uc5f0\uacb0\ud569\ub2c8\ub2e4."]}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"kubernetes"}),"\ub77c\ub294 \uc774\ub984\uc758 \ub370\uc774\ud130\ubca0\uc774\uc2a4\ub97c \uc0dd\uc131\ud569\ub2c8\ub2e4."]}),"\n"]})]}),(0,r.jsxs)(t,{value:"MySQL / MariaDB",children:[(0,r.jsxs)(s.p,{children:["\uac00\uc7a5 \uc77c\ubc18\uc801\uc778 \ud615\ud0dc\uc778 MySQL\uacfc MariaDB\uc758 ",(0,r.jsx)(s.code,{children:"datastore-endpoint"})," \ud30c\ub77c\ubbf8\ud130\ub294 \ub2e4\uc74c\uacfc \uac19\uc740 \ud615\uc2dd\uc744 \uac16\uc2b5\ub2c8\ub2e4:"]}),(0,r.jsx)(s.p,{children:(0,r.jsx)(s.code,{children:"mysql://username:password@tcp(hostname:3306)/database-name"})}),(0,r.jsxs)(s.p,{children:["\ub354 \uace0\uae09 \uad6c\uc131 \ub9e4\uac1c\ubcc0\uc218\ub97c \uc0ac\uc6a9\ud560 \uc218\ub3c4 \uc788\uc2b5\ub2c8\ub2e4. \uc774\uc5d0 \ub300\ud55c \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,r.jsx)(s.a,{href:"https://github.com/go-sql-driver/mysql#dsn-data-source-name",children:"https://github.com/go-sql-driver/mysql#dsn-data-source-name"})," \uc744 \ucc38\uc870\ud558\uc138\uc694."]}),(0,r.jsxs)(s.p,{children:["K3s\uc758 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/issues/1093",children:"\uc54c\ub824\uc9c4 \uc774\uc288"}),"\ub85c \uc778\ud574 ",(0,r.jsx)(s.code,{children:"tls"}),' \ud30c\ub77c\ubbf8\ud130\ub97c \uc124\uc815\ud560 \uc218 \uc5c6\uc2b5\ub2c8\ub2e4. TLS \ud1b5\uc2e0\uc740 \uc9c0\uc6d0\ub418\uc9c0\ub9cc \uc608\ub97c \ub4e4\uc5b4 \uc774 \ub9e4\uac1c\ubcc0\uc218\ub97c "skip-verify"\ub85c \uc124\uc815\ud558\uc5ec K3s\uac00 \uc778\uc99d\uc11c \ud655\uc778\uc744 \uac74\ub108\ub6f0\ub3c4\ub85d \ud560 \uc218\ub294 \uc5c6\uc2b5\ub2c8\ub2e4.']}),(0,r.jsx)(s.p,{children:"\ub370\uc774\ud130\ubca0\uc774\uc2a4 \uc774\ub984\uc744 \uc9c0\uc815\ud588\ub294\ub370 \ub370\uc774\ud130\ubca0\uc774\uc2a4\uac00 \uc874\uc7ac\ud558\uc9c0 \uc54a\uc73c\uba74 \uc11c\ubc84\uc5d0\uc11c \ub9cc\ub4e4\ub824\uace0 \uc2dc\ub3c4\ud569\ub2c8\ub2e4."}),(0,r.jsxs)(s.p,{children:["\uc5d4\ub4dc\ud3ec\uc778\ud2b8\ub85c ",(0,r.jsx)(s.code,{children:"mysql://"}),"\ub9cc \uc81c\uacf5\ud558\ub294 \uacbd\uc6b0, K3s\ub294 \ub2e4\uc74c\uc744 \uc2dc\ub3c4\ud569\ub2c8\ub2e4:"]}),(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"root"})," \uc0ac\uc6a9\uc790\uc640 \ube44\ubc00\ubc88\ud638\ub97c \uc0ac\uc6a9\ud558\uc9c0 \uc54a\uace0 ",(0,r.jsx)(s.code,{children:"/var/run/mysqld/mysqld.sock"}),"\uc5d0\uc11c MySQL \uc18c\ucf13\uc5d0 \uc5f0\uacb0\ud569\ub2c8\ub2e4."]}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"kubernetes"}),"\ub77c\ub294 \uc774\ub984\uc758 \ub370\uc774\ud130\ubca0\uc774\uc2a4\ub97c \uc0dd\uc131\ud569\ub2c8\ub2e4."]}),"\n"]})]}),(0,r.jsxs)(t,{value:"etcd",children:[(0,r.jsxs)(s.p,{children:["\uac00\uc7a5 \uc77c\ubc18\uc801\uc778 \ud615\ud0dc\uc778 etcd\uc758 ",(0,r.jsx)(s.code,{children:"datastore-endpoint"})," \ud30c\ub77c\ubbf8\ud130\uc758 \ud615\uc2dd\uc740 \ub2e4\uc74c\uacfc \uac19\uc2b5\ub2c8\ub2e4:"]}),(0,r.jsx)(s.p,{children:(0,r.jsx)(s.code,{children:"https://etcd-host-1:2379,https://etcd-host-2:2379,https://etcd-host-3:2379"})}),(0,r.jsx)(s.p,{children:"\uc704\ub294 \uc77c\ubc18\uc801\uc778 \uc138 \uac1c\uc758 \ub178\ub4dc\uc778 etcd \ud074\ub7ec\uc2a4\ud130\ub97c \uac00\uc815\ud569\ub2c8\ub2e4. \uc774 \ub9e4\uac1c\ubcc0\uc218\ub294 \uc27c\ud45c\ub85c \uad6c\ubd84\ub41c \ud558\ub098 \uc774\uc0c1\uc758 etcd URL\uc744 \uc0ac\uc6a9\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."})]})]})]})}function a(e={}){const{wrapper:s}={...(0,d.a)(),...e.components};return s?(0,r.jsx)(s,{...e,children:(0,r.jsx)(h,{...e})}):h(e)}function x(e,s){throw new Error("Expected "+(s?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,s,t)=>{t.d(s,{Z:()=>i,a:()=>c});var r=t(7294);const d={},n=r.createContext(d);function c(e){const s=r.useContext(n);return r.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function i(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(d):e.components||d:c(e.components),r.createElement(n.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/dd22e55f.7f767527.js b/kr/assets/js/dd22e55f.7f767527.js new file mode 100644 index 000000000..c23e8c60a --- /dev/null +++ b/kr/assets/js/dd22e55f.7f767527.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[5668],{4840:(e,s,i)=>{i.r(s),i.d(s,{assets:()=>c,contentTitle:()=>l,default:()=>o,frontMatter:()=>t,metadata:()=>h,toc:()=>d});var r=i(5893),n=i(1151);const t={hide_table_of_contents:!0,sidebar_position:4},l="v1.27.X",h={id:"release-notes/v1.27.X",title:"v1.27.X",description:"Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.",source:"@site/docs/release-notes/v1.27.X.md",sourceDirName:"release-notes",slug:"/release-notes/v1.27.X",permalink:"/kr/release-notes/v1.27.X",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/release-notes/v1.27.X.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,sidebarPosition:4,frontMatter:{hide_table_of_contents:!0,sidebar_position:4},sidebar:"mySidebar",previous:{title:"v1.28.X",permalink:"/kr/release-notes/v1.28.X"},next:{title:"v1.26.X",permalink:"/kr/release-notes/v1.26.X"}},c={},d=[{value:"Release v1.27.16+k3s1",id:"release-v12716k3s1",level:2},{value:"Changes since v1.27.15+k3s2:",id:"changes-since-v12715k3s2",level:3},{value:"Release v1.27.15+k3s2",id:"release-v12715k3s2",level:2},{value:"Changes since v1.27.15+k3s1:",id:"changes-since-v12715k3s1",level:3},{value:"Release v1.27.15+k3s1",id:"release-v12715k3s1",level:2},{value:"Changes since v1.27.14+k3s1:",id:"changes-since-v12714k3s1",level:3},{value:"Release v1.27.14+k3s1",id:"release-v12714k3s1",level:2},{value:"Changes since v1.27.13+k3s1:",id:"changes-since-v12713k3s1",level:3},{value:"Release v1.27.13+k3s1",id:"release-v12713k3s1",level:2},{value:"Changes since v1.27.12+k3s1:",id:"changes-since-v12712k3s1",level:3},{value:"Release v1.27.12+k3s1",id:"release-v12712k3s1",level:2},{value:"Changes since v1.27.11+k3s1:",id:"changes-since-v12711k3s1",level:3},{value:"Release v1.27.11+k3s1",id:"release-v12711k3s1",level:2},{value:"Changes since v1.27.10+k3s2:",id:"changes-since-v12710k3s2",level:3},{value:"Release v1.27.10+k3s2",id:"release-v12710k3s2",level:2},{value:"Changes since v1.27.9+k3s1:",id:"changes-since-v1279k3s1",level:3},{value:"Release v1.27.9+k3s1",id:"release-v1279k3s1",level:2},{value:"Changes since v1.27.8+k3s2:",id:"changes-since-v1278k3s2",level:3},{value:"Release v1.27.8+k3s2",id:"release-v1278k3s2",level:2},{value:"Changes since v1.27.7+k3s2:",id:"changes-since-v1277k3s2",level:3},{value:"Release v1.27.7+k3s2",id:"release-v1277k3s2",level:2},{value:"Changes since v1.27.7+k3s1:",id:"changes-since-v1277k3s1",level:3},{value:"Release v1.27.7+k3s1",id:"release-v1277k3s1",level:2},{value:"Changes since v1.27.6+k3s1:",id:"changes-since-v1276k3s1",level:3},{value:"Release v1.27.6+k3s1",id:"release-v1276k3s1",level:2},{value:"Changes since v1.27.5+k3s1:",id:"changes-since-v1275k3s1",level:3},{value:"Release v1.27.5+k3s1",id:"release-v1275k3s1",level:2},{value:"Changes since v1.27.4+k3s1:",id:"changes-since-v1274k3s1",level:3},{value:"Release v1.27.4+k3s1",id:"release-v1274k3s1",level:2},{value:"Changes since v1.27.3+k3s1:",id:"changes-since-v1273k3s1",level:3},{value:"Release v1.27.3+k3s1",id:"release-v1273k3s1",level:2},{value:"Changes since v1.27.2+k3s1:",id:"changes-since-v1272k3s1",level:3},{value:"Release v1.27.2+k3s1",id:"release-v1272k3s1",level:2},{value:"Changes since v1.27.1+k3s1:",id:"changes-since-v1271k3s1",level:3},{value:"Release v1.27.1+k3s1",id:"release-v1271k3s1",level:2},{value:"Changes since v1.26.4+k3s1:",id:"changes-since-v1264k3s1",level:3}];function a(e){const s={a:"a",admonition:"admonition",br:"br",code:"code",h1:"h1",h2:"h2",h3:"h3",header:"header",hr:"hr",li:"li",p:"p",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,n.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(s.header,{children:(0,r.jsx)(s.h1,{id:"v127x",children:"v1.27.X"})}),"\n",(0,r.jsx)(s.admonition,{title:"Upgrade Notice",type:"warning",children:(0,r.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]})}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Version"}),(0,r.jsx)(s.th,{children:"Release date"}),(0,r.jsx)(s.th,{children:"Kubernetes"}),(0,r.jsx)(s.th,{children:"Kine"}),(0,r.jsx)(s.th,{children:"SQLite"}),(0,r.jsx)(s.th,{children:"Etcd"}),(0,r.jsx)(s.th,{children:"Containerd"}),(0,r.jsx)(s.th,{children:"Runc"}),(0,r.jsx)(s.th,{children:"Flannel"}),(0,r.jsx)(s.th,{children:"Metrics-server"}),(0,r.jsx)(s.th,{children:"Traefik"}),(0,r.jsx)(s.th,{children:"CoreDNS"}),(0,r.jsx)(s.th,{children:"Helm-controller"}),(0,r.jsx)(s.th,{children:"Local-path-provisioner"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.27.X#release-v12716k3s1",children:"v1.27.16+k3s1"})}),(0,r.jsx)(s.td,{children:"Jul 31 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v12716",children:"v1.27.16"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.11",children:"v0.11.11"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s2.27",children:"v1.7.17-k3s2.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.4",children:"v0.25.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.10",children:"v0.15.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.28",children:"v0.0.28"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.27.X#release-v12715k3s2",children:"v1.27.15+k3s2"})}),(0,r.jsx)(s.td,{children:"Jul 03 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v12715",children:"v1.27.15"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.9",children:"v0.11.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s2.27",children:"v1.7.17-k3s2.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.4",children:"v0.25.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.10",children:"v0.15.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.27",children:"v0.0.27"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.27.X#release-v12715k3s1",children:"v1.27.15+k3s1"})}),(0,r.jsx)(s.td,{children:"Jun 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v12715",children:"v1.27.15"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.9",children:"v0.11.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s2.27",children:"v1.7.17-k3s2.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.2",children:"v0.25.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.10",children:"v0.15.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.27",children:"v0.0.27"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.27.X#release-v12714k3s1",children:"v1.27.14+k3s1"})}),(0,r.jsx)(s.td,{children:"May 22 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v12714",children:"v1.27.14"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.7",children:"v0.11.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.15-k3s1.27",children:"v1.7.15-k3s1.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.27.X#release-v12713k3s1",children:"v1.27.13+k3s1"})}),(0,r.jsx)(s.td,{children:"Apr 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v12713",children:"v1.27.13"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.7",children:"v0.11.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.15-k3s1.27",children:"v1.7.15-k3s1.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.27.X#release-v12712k3s1",children:"v1.27.12+k3s1"})}),(0,r.jsx)(s.td,{children:"Mar 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v12712",children:"v1.27.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.4",children:"v0.11.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2.27",children:"v1.7.11-k3s2.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.27.X#release-v12711k3s1",children:"v1.27.11+k3s1"})}),(0,r.jsx)(s.td,{children:"Feb 29 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v12711",children:"v1.27.11"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.4",children:"v0.11.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2.27",children:"v1.7.11-k3s2.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.8",children:"v0.15.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.27.X#release-v12710k3s2",children:"v1.27.10+k3s2"})}),(0,r.jsx)(s.td,{children:"Feb 06 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v12710",children:"v1.27.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2.27",children:"v1.7.11-k3s2.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.8",children:"v0.15.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.27.X#release-v1279k3s1",children:"v1.27.9+k3s1"})}),(0,r.jsx)(s.td,{children:"Dec 27 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v1279",children:"v1.27.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2.27",children:"v1.7.11-k3s2.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.10",children:"v1.1.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.27.X#release-v1278k3s2",children:"v1.27.8+k3s2"})}),(0,r.jsx)(s.td,{children:"Dec 07 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v1278",children:"v1.27.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1.27",children:"v1.7.7-k3s1.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.27.X#release-v1277k3s2",children:"v1.27.7+k3s2"})}),(0,r.jsx)(s.td,{children:"Nov 08 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v1277",children:"v1.27.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1.27",children:"v1.7.7-k3s1.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.27.X#release-v1277k3s1",children:"v1.27.7+k3s1"})}),(0,r.jsx)(s.td,{children:"Oct 30 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v1277",children:"v1.27.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1.27",children:"v1.7.7-k3s1.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.27.X#release-v1276k3s1",children:"v1.27.6+k3s1"})}),(0,r.jsx)(s.td,{children:"Sep 20 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v1276",children:"v1.27.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.6-k3s1.27",children:"v1.7.6-k3s1.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.27.X#release-v1275k3s1",children:"v1.27.5+k3s1"})}),(0,r.jsx)(s.td,{children:"Sep 05 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v1275",children:"v1.27.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.2",children:"v0.10.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.3-k3s1",children:"v1.7.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.27.X#release-v1274k3s1",children:"v1.27.4+k3s1"})}),(0,r.jsx)(s.td,{children:"Jul 27 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v1274",children:"v1.27.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.7-k3s1",children:"v3.5.7-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.0",children:"v0.22.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.2",children:"v0.15.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.27.X#release-v1273k3s1",children:"v1.27.3+k3s1"})}),(0,r.jsx)(s.td,{children:"Jun 26 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v1273",children:"v1.27.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.7-k3s1",children:"v3.5.7-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.0",children:"v0.22.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.0",children:"v0.15.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.27.X#release-v1272k3s1",children:"v1.27.2+k3s1"})}),(0,r.jsx)(s.td,{children:"May 26 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v1272",children:"v1.27.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.7-k3s1",children:"v3.5.7-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.4",children:"v0.21.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.14.0",children:"v0.14.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.27.X#release-v1271k3s1",children:"v1.27.1+k3s1"})}),(0,r.jsx)(s.td,{children:"Apr 27 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v1271",children:"v1.27.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.7-k3s1",children:"v3.5.7-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.19-k3s1",children:"v1.6.19-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.5",children:"v1.1.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.4",children:"v0.21.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.3",children:"v0.13.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]})]})]}),"\n",(0,r.jsx)("br",{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12716k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.16+k3s1",children:"v1.27.16+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.16, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v12715",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12715k3s2",children:"Changes since v1.27.15+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-07 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10500",children:"(#10500)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump k3s-root to v0.14.0"}),"\n",(0,r.jsx)(s.li,{children:"Bump github.com/hashicorp/go-retryablehttp from 0.7.4 to 0.7.7"}),"\n",(0,r.jsx)(s.li,{children:"Bump Local Path Provisioner version"}),"\n",(0,r.jsx)(s.li,{children:"Ensure remotedialer kubelet connections use kubelet bind address"}),"\n",(0,r.jsx)(s.li,{children:"Chore: Bump Trivy version"}),"\n",(0,r.jsx)(s.li,{children:"Add etcd s3 config secret implementation"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["July Test Backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10510",children:"(#10510)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.27.16-k3s1 and Go 1.22.5 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10542",children:"(#10542)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issues loading data-dir value from env vars or dropping config files ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10599",children:"(#10599)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12715k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.15+k3s2",children:"v1.27.15+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.15, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v12715",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12715k3s1",children:"Changes since v1.27.15+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update flannel to v0.25.4 and fixed issue with IPv6 mask ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10429",children:"(#10429)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12715k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.15+k3s1",children:"v1.27.15+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.15, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v12714",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12714k3s1",children:"Changes since v1.27.14+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Replace deprecated ruby function ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10089",children:"(#10089)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix bug when using tailscale config by file ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10143",children:"(#10143)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump flannel version to v0.25.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10222",children:"(#10222)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router version to v2.1.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10183",children:"(#10183)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Improve tailscale test & add extra log in e2e tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10214",children:"(#10214)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-06 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10259",children:"(#10259)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Add WithSkipMissing to not fail import on missing blobs"}),"\n",(0,r.jsx)(s.li,{children:"Use fixed stream server bind address for cri-dockerd"}),"\n",(0,r.jsx)(s.li,{children:"Switch stargz over to cri registry config_path"}),"\n",(0,r.jsx)(s.li,{children:"Bump to containerd v1.7.17, etcd v3.5.13"}),"\n",(0,r.jsx)(s.li,{children:"Bump spegel version"}),"\n",(0,r.jsx)(s.li,{children:"Fix issue with externalTrafficPolicy: Local for single-stack services on dual-stack nodes"}),"\n",(0,r.jsxs)(s.li,{children:["ServiceLB now sets the priorityClassName on svclb pods to ",(0,r.jsx)(s.code,{children:"system-node-critical"})," by default. This can be overridden on a per-service basis via the ",(0,r.jsx)(s.code,{children:"svccontroller.k3s.cattle.io/priorityclassname"})," annotation."]}),"\n",(0,r.jsx)(s.li,{children:"Bump minio-go to v7.0.70"}),"\n",(0,r.jsx)(s.li,{children:"Bump kine to v0.11.9 to fix pagination"}),"\n",(0,r.jsx)(s.li,{children:"Update valid resolv conf"}),"\n",(0,r.jsx)(s.li,{children:"Add missing kernel config check"}),"\n",(0,r.jsx)(s.li,{children:"Symlinked sub-directories are now respected when scanning Auto-Deploying Manifests (AddOns)"}),"\n",(0,r.jsx)(s.li,{children:"Fix bug: allow helm controller set owner reference"}),"\n",(0,r.jsx)(s.li,{children:"Bump klipper-helm image for tls secret support"}),"\n",(0,r.jsx)(s.li,{children:"Fix issue with k3s-etcd informers not starting"}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--Enable-pprof"})," can now be set on agents to enable the debug/pprof endpoints. When set, agents will listen on the supervisor port."]}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--Supervisor-metrics"})," can now be set on servers to enable serving internal metrics on the supervisor endpoint; when set agents will listen on the supervisor port."]}),"\n",(0,r.jsx)(s.li,{children:"Fix netpol crash when node remains tainted uninitialized"}),"\n",(0,r.jsx)(s.li,{children:"The embedded load-balancer will now fall back to trying all servers with health-checks ignored, if all servers have been marked unavailable due to failed health checks."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["More backports for 2024-06 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10290",children:"(#10290)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add snapshot retention etcd-s3-folder fix ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10314",children:"(#10314)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add test for ",(0,r.jsx)(s.code,{children:"isValidResolvConf"})," (#10302) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10332",children:"(#10332)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix race condition panic in loadbalancer.nextServer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10324",children:"(#10324)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix typo, use ",(0,r.jsx)(s.code,{children:"rancher/permissions"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10297",children:"(#10297)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.27.15 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10346",children:"(#10346)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Update Kubernetes to v1.27.15"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix agent supervisor port using apiserver port instead ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10356",children:"(#10356)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue that allowed multiple simultaneous snapshots to be allowed ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10378",children:"(#10378)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12714k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.14+k3s1",children:"v1.27.14+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.14, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v12713",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12713k3s1",children:"Changes since v1.27.13+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Bump E2E opensuse leap to 15.6, fix btrfs test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10096",children:"(#10096)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Windows changes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10113",children:"(#10113)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.27.14-k3s1 and Go 1.21.9 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10103",children:"(#10103)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12713k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.13+k3s1",children:"v1.27.13+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.13, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v12712",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12712k3s1",children:"Changes since v1.27.12+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add a new error when kine is with disable apiserver or disable etcd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9803",children:"(#9803)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove old pinned dependencies ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9828",children:"(#9828)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Transition from deprecated pointer library to ptr ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9825",children:"(#9825)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Golang caching and E2E ubuntu 23.10 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9822",children:"(#9822)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add tls for kine ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9850",children:"(#9850)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump spegel to v0.0.20-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9881",children:"(#9881)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-04 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9912",children:"(#9912)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Send error response if member list cannot be retrieved"}),"\n",(0,r.jsx)(s.li,{children:"The k3s stub cloud provider now respects the kubelet's requested provider-id, instance type, and topology labels"}),"\n",(0,r.jsx)(s.li,{children:"Fix error when image has already been pulled"}),"\n",(0,r.jsx)(s.li,{children:"Add /etc/passwd and /etc/group to k3s docker image"}),"\n",(0,r.jsx)(s.li,{children:"Fix etcd snapshot reconcile for agentless servers"}),"\n",(0,r.jsx)(s.li,{children:"Add health-check support to loadbalancer"}),"\n",(0,r.jsx)(s.li,{children:"Add certificate expiry check, events, and metrics"}),"\n",(0,r.jsx)(s.li,{children:"Add workaround for containerd hosts.toml bug when passing config for default registry endpoint"}),"\n",(0,r.jsx)(s.li,{children:"Add supervisor cert/key to rotate list"}),"\n",(0,r.jsx)(s.li,{children:"The embedded containerd has been bumped to v1.7.15"}),"\n",(0,r.jsx)(s.li,{children:"The embedded cri-dockerd has been bumped to v0.3.12"}),"\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"k3s etcd-snapshot"})," command has been reworked for improved consistency. All snapshots operations are now performed by the server process, with the CLI acting as a client to initiate and report results. As a side effect, the CLI is now less noisy when managing snapshots."]}),"\n",(0,r.jsx)(s.li,{children:"Improve etcd load-balancer startup behavior"}),"\n",(0,r.jsx)(s.li,{children:"Actually fix agent certificate rotation"}),"\n",(0,r.jsx)(s.li,{children:"Traefik has been bumped to v2.10.7."}),"\n",(0,r.jsx)(s.li,{children:"Traefik pod annotations are now set properly in the default chart values."}),"\n",(0,r.jsx)(s.li,{children:"The system-default-registry value now supports RFC2732 IPv6 literals."}),"\n",(0,r.jsxs)(s.li,{children:["The local-path provisioner now defaults to creating ",(0,r.jsx)(s.code,{children:"local"})," volumes, instead of ",(0,r.jsx)(s.code,{children:"hostPath"}),"."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Allow LPP to read helper logs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9939",children:"(#9939)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router to v2.1.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9943",children:"(#9943)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.27.13-k3s1 and Go 1.21.9 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9958",children:"(#9958)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix on-demand snapshots timing out; not honoring folder ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9995",children:"(#9995)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Make /db/info available anonymously from localhost ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10003",children:"(#10003)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12712k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.12+k3s1",children:"v1.27.12+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.12, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v12711",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12711k3s1",children:"Changes since v1.27.11+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add an integration test for flannel-backend=none ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9609",children:"(#9609)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Install and Unit test backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9642",children:"(#9642)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update klipper-lb image version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9606",children:"(#9606)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Adjust first node-ip based on configured clusterCIDR ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9632",children:"(#9632)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Improve tailscale e2e test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9654",children:"(#9654)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-03 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9670",children:"(#9670)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fix: use correct wasm shims names"}),"\n",(0,r.jsx)(s.li,{children:"The embedded flannel cni-plugin binary is now built and versioned separate from the rest of the cni plugins and the embedded flannel controller."}),"\n",(0,r.jsx)(s.li,{children:"Bump spegel to v0.0.18-k3s3"}),"\n",(0,r.jsx)(s.li,{children:"Adds wildcard registry support"}),"\n",(0,r.jsx)(s.li,{children:"Fixes issue with excessive CPU utilization while waiting for containerd to start"}),"\n",(0,r.jsx)(s.li,{children:"Add env var to allow spegel mirroring of latest tag"}),"\n",(0,r.jsx)(s.li,{children:"Tweak netpol node wait logs"}),"\n",(0,r.jsx)(s.li,{children:"Fix coredns NodeHosts on dual-stack clusters"}),"\n",(0,r.jsx)(s.li,{children:"Bump helm-controller/klipper-helm versions"}),"\n",(0,r.jsx)(s.li,{children:"Fix snapshot prune"}),"\n",(0,r.jsx)(s.li,{children:"Fix issue with etcd node name missing hostname"}),"\n",(0,r.jsx)(s.li,{children:"Rootless mode should also bind service nodePort to host for LoadBalancer type, matching UX of rootful mode."}),"\n",(0,r.jsxs)(s.li,{children:["To enable raw output for the ",(0,r.jsx)(s.code,{children:"check-config"})," subcommand, you may now set NO_COLOR=1"]}),"\n",(0,r.jsx)(s.li,{children:"Fix additional corner cases in registries handling"}),"\n",(0,r.jsx)(s.li,{children:"Bump metrics-server to v0.7.0"}),"\n",(0,r.jsx)(s.li,{children:"K3s will now warn and suppress duplicate entries in the mirror endpoint list for a registry. Containerd does not support listing the same endpoint multiple times as a mirror for a single upstream registry."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Docker and E2E Test Backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9708",children:"(#9708)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix wildcard entry upstream fallback ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9734",children:"(#9734)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.27.12-k3s1 and Go 1.21.8 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9745",children:"(#9745)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12711k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.11+k3s1",children:"v1.27.11+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.11, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v12710",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12710k3s2",children:"Changes since v1.27.10+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Chore: bump Local Path Provisioner version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9427",children:"(#9427)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump cri-dockerd to fix compat with Docker Engine 25 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9291",children:"(#9291)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Auto Dependency Bump ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9420",children:"(#9420)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Runtimes refactor using exec.LookPath ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9430",children:"(#9430)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Directories containing runtimes need to be included in the $PATH environment variable for effective runtime detection."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Changed how lastHeartBeatTime works in the etcd condition ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9425",children:"(#9425)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow executors to define containerd and docker behavior ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9253",children:"(#9253)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kube-router to v2.0.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9405",children:"(#9405)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-02 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9463",children:"(#9463)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump flannel version + remove multiclustercidr ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9407",children:"(#9407)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Enable longer http timeout requests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9445",children:"(#9445)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Test_UnitApplyContainerdQoSClassConfigFileIfPresent ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9441",children:"(#9441)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Support PR testing installs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9470",children:"(#9470)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.27.11 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9491",children:"(#9491)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix drone publish for arm ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9509",children:"(#9509)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove failing Drone step ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9515",children:"(#9515)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Restore original order of agent startup functions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9546",children:"(#9546)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix netpol startup when flannel is disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9579",children:"(#9579)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12710k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.10+k3s2",children:"v1.27.10+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.10, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v1279",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.p,{children:(0,r.jsx)(s.strong,{children:"Important Notes"})}),"\n",(0,r.jsxs)(s.p,{children:["Addresses the runc CVE: ",(0,r.jsx)(s.a,{href:"https://nvd.nist.gov/vuln/detail/CVE-2024-21626",children:"CVE-2024-21626"})," by updating runc to v1.1.12."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1279k3s1",children:"Changes since v1.27.9+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add a retry around updating a secrets-encrypt node annotations ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9124",children:"(#9124)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added support for env *_PROXY variables for agent loadbalancer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9117",children:"(#9117)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Wait for taint to be gone in the node before starting the netpol controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9176",children:"(#9176)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Etcd condition ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9182",children:"(#9182)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-01 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9211",children:"(#9211)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Move proxy dialer out of init() and fix crash ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9220",children:"(#9220)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Pin opa version for missing dependency chain ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9217",children:"(#9217)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Etcd node is nil ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9229",children:"(#9229)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.27.10 and Go 1.20.13 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9261",children:"(#9261)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use ",(0,r.jsx)(s.code,{children:"ipFamilyPolicy: RequireDualStack"})," for dual-stack kube-dns ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9270",children:"(#9270)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-01 k3s2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9337",children:"(#9337)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump runc to v1.1.12 and helm-controller to v0.15.7"}),"\n",(0,r.jsx)(s.li,{children:"Fix handling of bare hostname or IP as endpoint address in registries.yaml"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump helm-controller to fix issue with ChartContent ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9347",children:"(#9347)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1279k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.9+k3s1",children:"v1.27.9+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.9, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v1278",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1278k3s2",children:"Changes since v1.27.8+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Bump containerd/runc to v1.7.10-k3s1/v1.1.10 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8963",children:"(#8963)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix overlapping address range ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9018",children:"(#9018)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Runtimes backport ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9013",children:"(#9013)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Added runtime classes for wasm/nvidia/crun"}),"\n",(0,r.jsx)(s.li,{children:"Added default runtime flag for containerd"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd to v1.7.11 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9041",children:"(#9041)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.27.9-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9078",children:"(#9078)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1278k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.8+k3s2",children:"v1.27.8+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.8, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v1277",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1277k3s2",children:"Changes since v1.27.7+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Etcd status condition ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8821",children:"(#8821)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add warning for removal of multiclustercidr flag ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8759",children:"(#8759)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2023-11 release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8878",children:"(#8878)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["New timezone info in Docker image allows the use of ",(0,r.jsx)(s.code,{children:"spec.timeZone"})," in CronJobs"]}),"\n",(0,r.jsx)(s.li,{children:"Bumped kine to v0.11.0 to resolve issues with postgres and NATS, fix performance of watch channels under heavy load, and improve compatibility with the reference implementation."}),"\n",(0,r.jsxs)(s.li,{children:["Containerd may now be configured to use rdt or blockio configuration by defining ",(0,r.jsx)(s.code,{children:"rdt_config.yaml"})," or ",(0,r.jsx)(s.code,{children:"blockio_config.yaml"})," files."]}),"\n",(0,r.jsx)(s.li,{children:"Add agent flag disable-apiserver-lb, agent will not start load balance proxy."}),"\n",(0,r.jsx)(s.li,{children:"Improved ingress IP ordering from ServiceLB"}),"\n",(0,r.jsx)(s.li,{children:"Disable helm CRD installation for disable-helm-controller"}),"\n",(0,r.jsx)(s.li,{children:"Omit snapshot list configmap entries for snapshots without extra metadata"}),"\n",(0,r.jsx)(s.li,{children:"Add jitter to client config retry to avoid hammering servers when they are starting up"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Handle nil pointer when runtime core is not ready in etcd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8887",children:"(#8887)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Improve dualStack log ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8828",children:"(#8828)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump dynamiclistener; reduce snapshot controller log spew ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8902",children:"(#8902)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bumped dynamiclistener to address a race condition that could cause a server to fail to sync its certificates into the Kubernetes secret"}),"\n",(0,r.jsx)(s.li,{children:"Reduced etcd snapshot log spam during initial cluster startup"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Remove depends_on for e2e step; fix cert rotate e2e ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8907",children:"(#8907)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix etcd snapshot S3 issues ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8937",children:"(#8937)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Don't apply S3 retention if S3 client failed to initialize"}),"\n",(0,r.jsx)(s.li,{children:"Don't request metadata when listing S3 snapshots"}),"\n",(0,r.jsx)(s.li,{children:"Print key instead of file path in snapshot metadata log message"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.27.8 and Go to 1.20.11 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8921",children:"(#8921)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove s390x ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8999",children:"(#8999)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1277k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.7+k3s2",children:"v1.27.7+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.7, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v1277",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1277k3s1",children:"Changes since v1.27.7+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix SystemdCgroup in templates_linux.go ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8765",children:"(#8765)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed an issue with identifying additional container runtimes"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update traefik chart to v25.0.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8775",children:"(#8775)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update traefik to fix registry value ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8789",children:"(#8789)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1277k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.7+k3s1",children:"v1.27.7+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.7, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v1276",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1276k3s1",children:"Changes since v1.27.6+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix error reporting ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8411",children:"(#8411)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add context to flannel errors ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8419",children:"(#8419)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Include the interface name in the error message ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8435",children:"(#8435)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8443",children:"(#8443)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add extraArgs to tailscale ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8464",children:"(#8464)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added error when cluster reset while using server flag ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8455",children:"(#8455)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The user will receive a error when --cluster-reset with the --server flag"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Cluster reset from non bootstrap nodes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8451",children:"(#8451)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Take IPFamily precedence based on order ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8504",children:"(#8504)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix spellcheck problem ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8509",children:"(#8509)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Network defaults are duplicated, remove one ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8551",children:"(#8551)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Advertise address integration test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8516",children:"(#8516)"})]}),"\n",(0,r.jsxs)(s.li,{children:["System agent push tags fix ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8569",children:"(#8569)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fixed tailscale node IP dualstack mode in case of IPv4 only node ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8558",children:"(#8558)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Server Token Rotation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8576",children:"(#8576)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Users can now rotate the server token using ",(0,r.jsx)(s.code,{children:"k3s token rotate -t <OLD_TOKEN> --new-token <NEW_TOKEN>"}),". After command succeeds, all server nodes must be restarted with the new token."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["E2E Domain Drone Cleanup ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8582",children:"(#8582)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Clear remove annotations on cluster reset ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8587",children:"(#8587)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed an issue that could cause k3s to attempt to remove members from the etcd cluster immediately following a cluster-reset/restore, if they were queued for removal at the time the snapshot was taken."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Use IPv6 in case is the first configured IP with dualstack ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8597",children:"(#8597)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2023-10 release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8615",children:"(#8615)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router package in build script ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8634",children:"(#8634)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add etcd-only/control-plane-only server test and fix control-plane-only server crash ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8642",children:"(#8642)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use ",(0,r.jsx)(s.code,{children:"version.Program"})," not K3s in token rotate logs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8656",children:"(#8656)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Windows agent support ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8650",children:"(#8650)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix CloudDualStackNodeIPs feature-gate inconsistency ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8669",children:"(#8669)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add --image-service-endpoint flag (#8279) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8662",children:"(#8662)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add ",(0,r.jsx)(s.code,{children:"--image-service-endpoint"})," flag to specify an external image service socket."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Backport etcd fixes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8690",children:"(#8690)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Re-enable etcd endpoint auto-sync"}),"\n",(0,r.jsx)(s.li,{children:"Manually requeue configmap reconcile when no nodes have reconciled snapshots"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.27.7 and Go to v1.20.10 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8681",children:"(#8681)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix s3 snapshot restore ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8733",children:"(#8733)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1276k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.6+k3s1",children:"v1.27.6+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.6, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v1275",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1275k3s1",children:"Changes since v1.27.5+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Bump kine to v0.10.3 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8324",children:"(#8324)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.27.6 and Go to 1.20.8 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8356",children:"(#8356)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump embedded containerd to v1.7.6"}),"\n",(0,r.jsx)(s.li,{children:"Bump embedded stargz-snapshotter plugin to latest"}),"\n",(0,r.jsx)(s.li,{children:"Fixed intermittent drone CI failures due to race conditions in test environment setup scripts"}),"\n",(0,r.jsx)(s.li,{children:"Fixed CI failures due to changes to api discovery changes in Kubernetes 1.28"}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1275k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.5+k3s1",children:"v1.27.5+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.5, and fixes a number of issues."}),"\n",(0,r.jsx)(s.admonition,{title:"Important",type:"warning",children:(0,r.jsxs)(s.p,{children:["This release includes support for remediating CVE-2023-32187, a potential Denial of Service attack vector on K3s servers. See ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2",children:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2"})," for more information, including mandatory steps necessary to harden clusters against this vulnerability."]})}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v1274",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1274k3s1",children:"Changes since v1.27.4+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update cni plugins version to v1.3.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8056",children:"(#8056)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Upgraded cni-plugins to v1.3.0"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update flannel to v0.22.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8057",children:"(#8057)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Update flannel to v0.22.1"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["ADR on secrets encryption v3 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7938",children:"(#7938)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Unit test for MustFindString ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8013",children:"(#8013)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add support for using base template in etc/containerd/config.toml.tmpl ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7991",children:"(#7991)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["User-provided containerd config templates may now use ",(0,r.jsx)(s.code,{children:'{{ template "base" . }}'})," to include the default K3s template content. This makes it easier to maintain user configuration if the only need is to add additional sections to the file."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Make apiserver egress args conditional on egress-selector-mode ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7972",children:"(#7972)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["K3s no longer enables the apiserver's ",(0,r.jsx)(s.code,{children:"enable-aggregator-routing"})," flag when the egress proxy is not being used to route connections to in-cluster endpoints."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Security bump to ",(0,r.jsx)(s.code,{children:"docker/distribution"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8047",children:"(#8047)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix coreos multiple installs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8083",children:"(#8083)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update stable channel to v1.27.4+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8067",children:"(#8067)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix tailscale bug with ip modes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8077",children:"(#8077)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Consolidate CopyFile functions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8079",children:"(#8079)"})]}),"\n",(0,r.jsxs)(s.li,{children:["E2E: Support GOCOVER for more tests + fixes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8080",children:"(#8080)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix typo in terraform/README.md ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8090",children:"(#8090)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add FilterCN function to prevent SAN Stuffing ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8085",children:"(#8085)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"K3s's external apiserver listener now declines to add to its certificate any subject names not associated with the kubernetes apiserver service, server nodes, or values of the --tls-san option. This prevents the certificate's SAN list from being filled with unwanted entries."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump docker/docker to master commit; cri-dockerd to 0.3.4 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8092",children:"(#8092)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump docker/docker module version to fix issues with cri-dockerd caused by recent releases of golang rejecting invalid host headers sent by the docker client."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump versions for etcd, containerd, runc ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8109",children:"(#8109)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Updated the embedded containerd to v1.7.3+k3s1"}),"\n",(0,r.jsx)(s.li,{children:"Updated the embedded runc to v1.1.8"}),"\n",(0,r.jsx)(s.li,{children:"Updated the embedded etcd to v3.5.9+k3s1"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Etcd snapshots retention when node name changes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8099",children:"(#8099)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump kine to v0.10.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8125",children:"(#8125)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Updated kine to v0.10.2"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Remove terraform package ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8136",children:"(#8136)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix etcd-snapshot delete when etcd-s3 is true ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8110",children:"(#8110)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add --disable-cloud-controller and --disable-kube-proxy test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8018",children:"(#8018)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use ",(0,r.jsx)(s.code,{children:"go list -m"})," instead of grep to look up versions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8138",children:"(#8138)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use VERSION_K8S in tests instead of grep go.mod ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8147",children:"(#8147)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix for Kubeflag Integration test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8154",children:"(#8154)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix for cluster-reset backup from s3 when etcd snapshots are disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8155",children:"(#8155)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Run integration test CI in parallel ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8156",children:"(#8156)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8150",children:"(#8150)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8178",children:"(#8178)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fixed the etcd retention to delete orphaned snapshots based on the date ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8177",children:"(#8177)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump dynamiclistener ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8193",children:"(#8193)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bumped dynamiclistener to address an issue that could cause the apiserver/supervisor listener on 6443 to stop serving requests on etcd-only nodes."}),"\n",(0,r.jsx)(s.li,{children:"The K3s external apiserver/supervisor listener on 6443 now sends a complete certificate chain in the TLS handshake."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump helm-controller/klipper-helm versions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8204",children:"(#8204)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The version of ",(0,r.jsx)(s.code,{children:"helm"})," used by the bundled helm controller's job image has been updated to v3.12.3"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["E2E: Add test for ",(0,r.jsx)(s.code,{children:"k3s token"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8184",children:"(#8184)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Move flannel to 0.22.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8219",children:"(#8219)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Move flannel to v0.22.2"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.27.5 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8236",children:"(#8236)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add new CLI flag to enable TLS SAN CN filtering ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8257",children:"(#8257)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Added a new ",(0,r.jsx)(s.code,{children:"--tls-san-security"})," option. This flag defaults to false, but can be set to true to disable automatically adding SANs to the server's TLS certificate to satisfy any hostname requested by a client."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add RWMutex to address controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8273",children:"(#8273)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1274k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.4+k3s1",children:"v1.27.4+k3s1"})]}),"\n",(0,r.jsxs)(s.p,{children:["This release updates Kubernetes to v1.27.4, and fixes a number of issues.",(0,r.jsx)(s.br,{}),"\n","\u200b\r\nFor more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v1273",children:"Kubernetes release notes"}),".\r\n\u200b"]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1273k3s1",children:"Changes since v1.27.3+k3s1:"}),"\n",(0,r.jsx)(s.p,{children:"\u200b"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Pkg imported more than once ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7803",children:"(#7803)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Faster K3s Binary Build Option ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7805",children:"(#7805)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update stable channel to v1.27.3+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7827",children:"(#7827)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Adding cli to custom klipper helm image ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7682",children:"(#7682)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The default helm-controller job image can now be overridden with the --helm-job-image CLI flag"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Check if we are on ipv4, ipv6 or dualStack when doing tailscale ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7838",children:"(#7838)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove file_windows.go ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7845",children:"(#7845)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add a k3s data directory location specified by the cli ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7791",children:"(#7791)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix e2e startup flaky test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7839",children:"(#7839)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow k3s to customize apiServerPort on helm-controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7834",children:"(#7834)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fall back to basic/bearer auth when node identity auth is rejected ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7836",children:"(#7836)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Resolved an issue that caused agents joined with kubeadm-style bootstrap tokens to fail to rejoin the cluster when their node object is deleted."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix code spell check ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7858",children:"(#7858)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add e2e s3 test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7833",children:"(#7833)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Warn that v1.28 will deprecate reencrypt/prepare ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7848",children:"(#7848)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Support setting control server URL for Tailscale ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7807",children:"(#7807)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Support connecting tailscale to a separate server (e.g. headscale)"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Improve for K3s release Docs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7864",children:"(#7864)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix rootless node password location ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7887",children:"(#7887)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump google.golang.org/grpc from 1.51.0 to 1.53.0 in /tests/terraform ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7879",children:"(#7879)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add retry for clone step ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7862",children:"(#7862)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Generation of certificates and keys for etcd gated if etcd is disabled. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6998",children:"(#6998)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Don't use zgrep in ",(0,r.jsx)(s.code,{children:"check-config"})," if apparmor profile is enforced ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7939",children:"(#7939)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix image_scan.sh script and download trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7950",children:"(#7950)"})]}),"\n",(0,r.jsxs)(s.li,{children:['Revert "Warn that v1.28 will deprecate reencrypt/prepare" ',(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7977",children:"(#7977)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Adjust default kubeconfig file permissions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7978",children:"(#7978)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix update go version command on release documentation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8028",children:"(#8028)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.27.4 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8014",children:"(#8014)"}),"\r\n\u200b"]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1273k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.3+k3s1",children:"v1.27.3+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.3, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v1272",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1272k3s1",children:"Changes since v1.27.2+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update flannel version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7628",children:"(#7628)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Update flannel to v0.22.0"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add el9 selinux rpm ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7635",children:"(#7635)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update channels ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7634",children:"(#7634)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow coredns override extensions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7583",children:"(#7583)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"coredns-custom"})," ConfigMap now allows for ",(0,r.jsx)(s.code,{children:"*.override"})," sections to be included in the ",(0,r.jsx)(s.code,{children:".:53"})," default server block."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump klipper-lb to v0.4.4 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7617",children:"(#7617)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bumped klipper-lb image to v0.4.4 to resolve an issue that prevented access to ServiceLB ports from localhost when the Service ExternalTrafficPolicy was set to Local."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump metrics-server to v0.6.3 and update tls-cipher-suites ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7564",children:"(#7564)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The bundled metrics-server has been bumped to v0.6.3, and now uses only secure TLS ciphers by default."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Do not use the admin kubeconfig for the supervisor and core controllers ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7616",children:"(#7616)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The K3s core controllers (supervisor, deploy, and helm) no longer use the admin kubeconfig. This makes it easier to determine from access and audit logs which actions are performed by the system, and which are performed by an administrative user."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump golang",":alpine"," image version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7619",children:"(#7619)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Make LB image configurable when compiling k3s ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7626",children:"(#7626)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump vagrant libvirt with fix for plugin installs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7605",children:"(#7605)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add format command on Makefile ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7437",children:"(#7437)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use el8 rpm for fedora 38 and 39 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7664",children:"(#7664)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Check variant before version to decide rpm target and packager closes #7666 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7667",children:"(#7667)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Test Coverage Reports for E2E tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7526",children:"(#7526)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Soft-fail on node password verification if the secret cannot be created ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7655",children:"(#7655)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"K3s now allows nodes to join the cluster even if the node password secret cannot be created at the time the node joins. The secret create will be retried in the background. This resolves a potential deadlock created by fail-closed validating webhooks that block secret creation, where the webhook is unavailable until new nodes join the cluster to run the webhook pod."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Enable containerd aufs/devmapper/zfs snapshotter plugins ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7661",children:"(#7661)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The bundled containerd's aufs/devmapper/zfs snapshotter plugins have been restored. These were unintentionally omitted when moving containerd back into the k3s multicall binary in the previous release."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump docker go.mod ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7681",children:"(#7681)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Shortcircuit commands with version or help flags ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7683",children:"(#7683)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Non root users can now call ",(0,r.jsx)(s.code,{children:"k3s --help"})," and ",(0,r.jsx)(s.code,{children:"k3s --version"})," commands without running into permission errors over the default config file."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7672",children:"(#7672)"})]}),"\n",(0,r.jsxs)(s.li,{children:["E2E: Capture coverage of K3s subcommands ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7686",children:"(#7686)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Integrate tailscale into k3s ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7352",children:"(#7352)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Integration of tailscale VPN into k3s"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add private registry e2e test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7653",children:"(#7653)"})]}),"\n",(0,r.jsxs)(s.li,{children:["E2E: Remove unnecessary daemonset addition/deletion ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7696",children:"(#7696)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add issue template for OS validation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7695",children:"(#7695)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix spelling check ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7740",children:"(#7740)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove useless libvirt config ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7745",children:"(#7745)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump helm-controller to v0.15.0 for create-namespace support ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7716",children:"(#7716)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded helm controller has been bumped to v0.15.0, and now supports creating the chart's target namespace if it does not exist."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix error logging in tailscale ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7776",children:"(#7776)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add commands to remove advertised routes of tailscale in k3s-killall.sh ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7777",children:"(#7777)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.27.3 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7790",children:"(#7790)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1272k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.2+k3s1",children:"v1.27.2+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.2, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v1271",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1271k3s1",children:"Changes since v1.27.1+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Ensure that klog verbosity is set to the same level as logrus ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7303",children:"(#7303)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Create CRDs with schema ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7308",children:"(#7308)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed an issue where Addon, HelmChart, and HelmChartConfig CRDs were created without structural schema, allowing the creation of custom resources of these types with invalid content."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump k3s-root for aarch64 page size fix ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7364",children:"(#7364)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"K3s once again supports aarch64 nodes with page size > 4k"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Runc and Containerd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7339",children:"(#7339)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add integration tests for etc-snapshot server flags and refactor /tests/integration/integration.go/K3sStartServer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7300",children:"(#7300)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump traefik to v2.9.10 / chart 21.2.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7324",children:"(#7324)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The packaged Traefik version has been bumped to v2.9.10 / chart 21.2.0"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add longhorn storage test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6445",children:"(#6445)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Improve error message when CLI wrapper Exec fails ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7373",children:"(#7373)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["K3s now prints a more meaningful error when attempting to run from a filesystem mounted ",(0,r.jsx)(s.code,{children:"noexec"}),"."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issues with ",(0,r.jsx)(s.code,{children:"--disable-agent"})," and ",(0,r.jsx)(s.code,{children:"--egress-selector-mode=pod|cluster"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7331",children:"(#7331)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Servers started with the (experimental) --disable-agent flag no longer attempt to run the tunnel authorizer agent component."}),"\n",(0,r.jsx)(s.li,{children:"Fixed an regression that prevented the pod and cluster egress-selector modes from working properly."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:['Retry cluster join on "too many learners" error ',(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7351",children:"(#7351)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:'K3s now retries the cluster join operation when receiving a "too many learners" error from etcd. This most frequently occurred when attempting to add multiple servers at the same time.'}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix MemberList error handling and incorrect etcd-arg passthrough ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7371",children:"(#7371)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"K3s now correctly passes through etcd-args to the temporary etcd that is used to extract cluster bootstrap data when restarting managed etcd nodes."}),"\n",(0,r.jsx)(s.li,{children:"K3s now properly handles errors obtaining the current etcd cluster member list when a new server is joining the managed etcd cluster."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7383",children:"(#7383)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Handle multiple arguments with StringSlice flags ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7380",children:"(#7380)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add v1.27 channel ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7387",children:"(#7387)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Enable FindString to search dotD config files ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7323",children:"(#7323)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Migrate netutil methods into /util/net.go ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7422",children:"(#7422)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Local-storage: Fix permission ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7217",children:"(#7217)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump cni plugins to v1.2.0-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7425",children:"(#7425)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The bundled CNI plugins have been upgraded to v1.2.0-k3s1. The bandwidth and firewall plugins are now included in the bundle."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add dependabot label and reviewer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7423",children:"(#7423)"})]}),"\n",(0,r.jsxs)(s.li,{children:["E2E: Startup test cleanup + RunCommand Enhancement ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7388",children:"(#7388)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fail to validate server tokens that use bootstrap id/secret format ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7389",children:"(#7389)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["K3s now exits with a proper error message when the server token uses a bootstrap token ",(0,r.jsx)(s.code,{children:"id.secret"})," format."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix token startup test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7442",children:"(#7442)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump kine to v0.10.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7414",children:"(#7414)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The embedded kine version has been bumped to v0.10.1. This replaces the legacy ",(0,r.jsx)(s.code,{children:"lib/pq"})," postgres driver with ",(0,r.jsx)(s.code,{children:"pgx"}),"."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add kube-* server flags integration tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7416",children:"(#7416)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add support for ",(0,r.jsx)(s.code,{children:"-cover"})," + integration test code coverage ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7415",children:"(#7415)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump kube-router version to fix a bug when a port name is used ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7454",children:"(#7454)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Consistently use constant-time comparison of password hashes instead of bare password strings ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7455",children:"(#7455)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd to v1.7.0 and move back into multicall binary ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7418",children:"(#7418)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The embedded containerd version has been bumped to ",(0,r.jsx)(s.code,{children:"v1.7.0-k3s1"}),", and has been reintegrated into the main k3s binary for a significant savings in release artifact size."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Adding PITS and Getdeck Beiboot as adopters thanks to Schille and Miw\u2026 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7524",children:"(#7524)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump helm-controller version for repo auth/ca support ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7525",children:"(#7525)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded Helm controller now supports authenticating to chart repositories via credentials stored in a Secret, as well as passing repo CAs via ConfigMap."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd/runc to v1.7.1-k3s1/v1.1.7 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7533",children:"(#7533)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The bundled containerd and runc versions have been bumped to v1.7.1-k3s1/v1.1.7"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Wrap error stating that it is coming from netpol ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7539",children:"(#7539)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add Rotation certification Check, remove func to restart agents ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7097",children:"(#7097)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump alpine from 3.17 to 3.18 in /package ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7550",children:"(#7550)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump alpine from 3.17 to 3.18 in /conformance ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7551",children:"(#7551)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add '-all' flag to apply to inactive systemd units ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7567",children:"(#7567)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.27.2-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7575",children:"(#7575)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix iptables rules clean during upgrade ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7591",children:"(#7591)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Pin emicklei/go-restful to v3.9.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7597",children:"(#7597)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add el9 selinux rpm ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7443",children:"(#7443)"})]}),"\n",(0,r.jsxs)(s.li,{children:['Revert "Add el9 selinux rpm (#7443)" ',(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7608",children:"(#7608)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1271k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.1+k3s1",children:"v1.27.1+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release is K3S's first in the v1.27 line. This release updates Kubernetes to v1.27.1."}),"\n",(0,r.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1264k3s1",children:"Changes since v1.26.4+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Kubernetes 1.27.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7271",children:"(#7271)"})]}),"\n",(0,r.jsxs)(s.li,{children:["V1.27.1 CLI Deprecation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7311",children:"(#7311)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--flannel-backed=wireguard"})," has been completely replaced with ",(0,r.jsx)(s.code,{children:"--flannel-backend=wireguard-native"})]}),"\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"k3s etcd-snapshot"})," command will now print a help message, to save a snapshot use: ",(0,r.jsx)(s.code,{children:"k3s etcd-snapshot save"})]}),"\n",(0,r.jsxs)(s.li,{children:["The following flags will now cause fatal errors (with full removal coming in v1.28.0):","\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--flannel-backed=ipsec"}),": replaced with ",(0,r.jsx)(s.code,{children:"--flannel-backend=wireguard-native"})," ",(0,r.jsx)(s.a,{href:"https://docs.k3s.io/installation/network-options#migrating-from-wireguard-or-ipsec-to-wireguard-native",children:"see docs for more info."})]}),"\n",(0,r.jsxs)(s.li,{children:["Supplying multiple ",(0,r.jsx)(s.code,{children:"--flannel-backend"})," values is no longer valid. Use ",(0,r.jsx)(s.code,{children:"--flannel-conf"})," instead."]}),"\n"]}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Changed command -v redirection for iptables bin check ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7315",children:"(#7315)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update channel server for april 2023 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7327",children:"(#7327)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump cri-dockerd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7347",children:"(#7347)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Cleanup help messages ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7369",children:"(#7369)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{})]})}function o(e={}){const{wrapper:s}={...(0,n.a)(),...e.components};return s?(0,r.jsx)(s,{...e,children:(0,r.jsx)(a,{...e})}):a(e)}},1151:(e,s,i)=>{i.d(s,{Z:()=>h,a:()=>l});var r=i(7294);const n={},t=r.createContext(n);function l(e){const s=r.useContext(t);return r.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function h(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:l(e.components),r.createElement(t.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/dd22e55f.83da3868.js b/kr/assets/js/dd22e55f.83da3868.js deleted file mode 100644 index 61974fa92..000000000 --- a/kr/assets/js/dd22e55f.83da3868.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[5668],{4840:(e,s,i)=>{i.r(s),i.d(s,{assets:()=>c,contentTitle:()=>l,default:()=>o,frontMatter:()=>t,metadata:()=>h,toc:()=>d});var r=i(5893),n=i(1151);const t={hide_table_of_contents:!0,sidebar_position:4},l="v1.27.X",h={id:"release-notes/v1.27.X",title:"v1.27.X",description:"Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.",source:"@site/docs/release-notes/v1.27.X.md",sourceDirName:"release-notes",slug:"/release-notes/v1.27.X",permalink:"/kr/release-notes/v1.27.X",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/release-notes/v1.27.X.md",tags:[],version:"current",lastUpdatedAt:172365169e4,sidebarPosition:4,frontMatter:{hide_table_of_contents:!0,sidebar_position:4},sidebar:"mySidebar",previous:{title:"v1.28.X",permalink:"/kr/release-notes/v1.28.X"},next:{title:"v1.26.X",permalink:"/kr/release-notes/v1.26.X"}},c={},d=[{value:"Release v1.27.16+k3s1",id:"release-v12716k3s1",level:2},{value:"Changes since v1.27.15+k3s2:",id:"changes-since-v12715k3s2",level:3},{value:"Release v1.27.15+k3s2",id:"release-v12715k3s2",level:2},{value:"Changes since v1.27.15+k3s1:",id:"changes-since-v12715k3s1",level:3},{value:"Release v1.27.15+k3s1",id:"release-v12715k3s1",level:2},{value:"Changes since v1.27.14+k3s1:",id:"changes-since-v12714k3s1",level:3},{value:"Release v1.27.14+k3s1",id:"release-v12714k3s1",level:2},{value:"Changes since v1.27.13+k3s1:",id:"changes-since-v12713k3s1",level:3},{value:"Release v1.27.13+k3s1",id:"release-v12713k3s1",level:2},{value:"Changes since v1.27.12+k3s1:",id:"changes-since-v12712k3s1",level:3},{value:"Release v1.27.12+k3s1",id:"release-v12712k3s1",level:2},{value:"Changes since v1.27.11+k3s1:",id:"changes-since-v12711k3s1",level:3},{value:"Release v1.27.11+k3s1",id:"release-v12711k3s1",level:2},{value:"Changes since v1.27.10+k3s2:",id:"changes-since-v12710k3s2",level:3},{value:"Release v1.27.10+k3s2",id:"release-v12710k3s2",level:2},{value:"Changes since v1.27.9+k3s1:",id:"changes-since-v1279k3s1",level:3},{value:"Release v1.27.9+k3s1",id:"release-v1279k3s1",level:2},{value:"Changes since v1.27.8+k3s2:",id:"changes-since-v1278k3s2",level:3},{value:"Release v1.27.8+k3s2",id:"release-v1278k3s2",level:2},{value:"Changes since v1.27.7+k3s2:",id:"changes-since-v1277k3s2",level:3},{value:"Release v1.27.7+k3s2",id:"release-v1277k3s2",level:2},{value:"Changes since v1.27.7+k3s1:",id:"changes-since-v1277k3s1",level:3},{value:"Release v1.27.7+k3s1",id:"release-v1277k3s1",level:2},{value:"Changes since v1.27.6+k3s1:",id:"changes-since-v1276k3s1",level:3},{value:"Release v1.27.6+k3s1",id:"release-v1276k3s1",level:2},{value:"Changes since v1.27.5+k3s1:",id:"changes-since-v1275k3s1",level:3},{value:"Release v1.27.5+k3s1",id:"release-v1275k3s1",level:2},{value:"Changes since v1.27.4+k3s1:",id:"changes-since-v1274k3s1",level:3},{value:"Release v1.27.4+k3s1",id:"release-v1274k3s1",level:2},{value:"Changes since v1.27.3+k3s1:",id:"changes-since-v1273k3s1",level:3},{value:"Release v1.27.3+k3s1",id:"release-v1273k3s1",level:2},{value:"Changes since v1.27.2+k3s1:",id:"changes-since-v1272k3s1",level:3},{value:"Release v1.27.2+k3s1",id:"release-v1272k3s1",level:2},{value:"Changes since v1.27.1+k3s1:",id:"changes-since-v1271k3s1",level:3},{value:"Release v1.27.1+k3s1",id:"release-v1271k3s1",level:2},{value:"Changes since v1.26.4+k3s1:",id:"changes-since-v1264k3s1",level:3}];function a(e){const s={a:"a",admonition:"admonition",br:"br",code:"code",h1:"h1",h2:"h2",h3:"h3",hr:"hr",li:"li",p:"p",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,n.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(s.h1,{id:"v127x",children:"v1.27.X"}),"\n",(0,r.jsx)(s.admonition,{title:"Upgrade Notice",type:"warning",children:(0,r.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]})}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Version"}),(0,r.jsx)(s.th,{children:"Release date"}),(0,r.jsx)(s.th,{children:"Kubernetes"}),(0,r.jsx)(s.th,{children:"Kine"}),(0,r.jsx)(s.th,{children:"SQLite"}),(0,r.jsx)(s.th,{children:"Etcd"}),(0,r.jsx)(s.th,{children:"Containerd"}),(0,r.jsx)(s.th,{children:"Runc"}),(0,r.jsx)(s.th,{children:"Flannel"}),(0,r.jsx)(s.th,{children:"Metrics-server"}),(0,r.jsx)(s.th,{children:"Traefik"}),(0,r.jsx)(s.th,{children:"CoreDNS"}),(0,r.jsx)(s.th,{children:"Helm-controller"}),(0,r.jsx)(s.th,{children:"Local-path-provisioner"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.27.X#release-v12716k3s1",children:"v1.27.16+k3s1"})}),(0,r.jsx)(s.td,{children:"Jul 31 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v12716",children:"v1.27.16"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.11",children:"v0.11.11"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s2.27",children:"v1.7.17-k3s2.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.4",children:"v0.25.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.10",children:"v0.15.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.28",children:"v0.0.28"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.27.X#release-v12715k3s2",children:"v1.27.15+k3s2"})}),(0,r.jsx)(s.td,{children:"Jul 03 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v12715",children:"v1.27.15"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.9",children:"v0.11.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s2.27",children:"v1.7.17-k3s2.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.4",children:"v0.25.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.10",children:"v0.15.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.27",children:"v0.0.27"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.27.X#release-v12715k3s1",children:"v1.27.15+k3s1"})}),(0,r.jsx)(s.td,{children:"Jun 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v12715",children:"v1.27.15"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.9",children:"v0.11.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s2.27",children:"v1.7.17-k3s2.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.2",children:"v0.25.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.10",children:"v0.15.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.27",children:"v0.0.27"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.27.X#release-v12714k3s1",children:"v1.27.14+k3s1"})}),(0,r.jsx)(s.td,{children:"May 22 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v12714",children:"v1.27.14"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.7",children:"v0.11.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.15-k3s1.27",children:"v1.7.15-k3s1.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.27.X#release-v12713k3s1",children:"v1.27.13+k3s1"})}),(0,r.jsx)(s.td,{children:"Apr 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v12713",children:"v1.27.13"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.7",children:"v0.11.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.15-k3s1.27",children:"v1.7.15-k3s1.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.27.X#release-v12712k3s1",children:"v1.27.12+k3s1"})}),(0,r.jsx)(s.td,{children:"Mar 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v12712",children:"v1.27.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.4",children:"v0.11.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2.27",children:"v1.7.11-k3s2.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.27.X#release-v12711k3s1",children:"v1.27.11+k3s1"})}),(0,r.jsx)(s.td,{children:"Feb 29 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v12711",children:"v1.27.11"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.4",children:"v0.11.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2.27",children:"v1.7.11-k3s2.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.8",children:"v0.15.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.27.X#release-v12710k3s2",children:"v1.27.10+k3s2"})}),(0,r.jsx)(s.td,{children:"Feb 06 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v12710",children:"v1.27.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2.27",children:"v1.7.11-k3s2.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.8",children:"v0.15.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.27.X#release-v1279k3s1",children:"v1.27.9+k3s1"})}),(0,r.jsx)(s.td,{children:"Dec 27 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v1279",children:"v1.27.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2.27",children:"v1.7.11-k3s2.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.10",children:"v1.1.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.27.X#release-v1278k3s2",children:"v1.27.8+k3s2"})}),(0,r.jsx)(s.td,{children:"Dec 07 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v1278",children:"v1.27.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1.27",children:"v1.7.7-k3s1.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.27.X#release-v1277k3s2",children:"v1.27.7+k3s2"})}),(0,r.jsx)(s.td,{children:"Nov 08 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v1277",children:"v1.27.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1.27",children:"v1.7.7-k3s1.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.27.X#release-v1277k3s1",children:"v1.27.7+k3s1"})}),(0,r.jsx)(s.td,{children:"Oct 30 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v1277",children:"v1.27.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1.27",children:"v1.7.7-k3s1.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.27.X#release-v1276k3s1",children:"v1.27.6+k3s1"})}),(0,r.jsx)(s.td,{children:"Sep 20 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v1276",children:"v1.27.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.6-k3s1.27",children:"v1.7.6-k3s1.27"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.27.X#release-v1275k3s1",children:"v1.27.5+k3s1"})}),(0,r.jsx)(s.td,{children:"Sep 05 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v1275",children:"v1.27.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.2",children:"v0.10.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.3-k3s1",children:"v1.7.3-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.27.X#release-v1274k3s1",children:"v1.27.4+k3s1"})}),(0,r.jsx)(s.td,{children:"Jul 27 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v1274",children:"v1.27.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.7-k3s1",children:"v3.5.7-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.0",children:"v0.22.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.2",children:"v0.15.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.27.X#release-v1273k3s1",children:"v1.27.3+k3s1"})}),(0,r.jsx)(s.td,{children:"Jun 26 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v1273",children:"v1.27.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.7-k3s1",children:"v3.5.7-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.0",children:"v0.22.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.0",children:"v0.15.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.27.X#release-v1272k3s1",children:"v1.27.2+k3s1"})}),(0,r.jsx)(s.td,{children:"May 26 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v1272",children:"v1.27.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.7-k3s1",children:"v3.5.7-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.4",children:"v0.21.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.14.0",children:"v0.14.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/kr/release-notes/v1.27.X#release-v1271k3s1",children:"v1.27.1+k3s1"})}),(0,r.jsx)(s.td,{children:"Apr 27 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v1271",children:"v1.27.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.7-k3s1",children:"v3.5.7-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.19-k3s1",children:"v1.6.19-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.5",children:"v1.1.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.4",children:"v0.21.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.3",children:"v0.13.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]})]})]}),"\n",(0,r.jsx)("br",{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12716k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.16+k3s1",children:"v1.27.16+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.16, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v12715",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12715k3s2",children:"Changes since v1.27.15+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-07 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10500",children:"(#10500)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump k3s-root to v0.14.0"}),"\n",(0,r.jsx)(s.li,{children:"Bump github.com/hashicorp/go-retryablehttp from 0.7.4 to 0.7.7"}),"\n",(0,r.jsx)(s.li,{children:"Bump Local Path Provisioner version"}),"\n",(0,r.jsx)(s.li,{children:"Ensure remotedialer kubelet connections use kubelet bind address"}),"\n",(0,r.jsx)(s.li,{children:"Chore: Bump Trivy version"}),"\n",(0,r.jsx)(s.li,{children:"Add etcd s3 config secret implementation"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["July Test Backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10510",children:"(#10510)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.27.16-k3s1 and Go 1.22.5 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10542",children:"(#10542)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issues loading data-dir value from env vars or dropping config files ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10599",children:"(#10599)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12715k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.15+k3s2",children:"v1.27.15+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.15, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v12715",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12715k3s1",children:"Changes since v1.27.15+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update flannel to v0.25.4 and fixed issue with IPv6 mask ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10429",children:"(#10429)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12715k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.15+k3s1",children:"v1.27.15+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.15, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v12714",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12714k3s1",children:"Changes since v1.27.14+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Replace deprecated ruby function ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10089",children:"(#10089)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix bug when using tailscale config by file ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10143",children:"(#10143)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump flannel version to v0.25.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10222",children:"(#10222)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router version to v2.1.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10183",children:"(#10183)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Improve tailscale test & add extra log in e2e tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10214",children:"(#10214)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-06 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10259",children:"(#10259)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Add WithSkipMissing to not fail import on missing blobs"}),"\n",(0,r.jsx)(s.li,{children:"Use fixed stream server bind address for cri-dockerd"}),"\n",(0,r.jsx)(s.li,{children:"Switch stargz over to cri registry config_path"}),"\n",(0,r.jsx)(s.li,{children:"Bump to containerd v1.7.17, etcd v3.5.13"}),"\n",(0,r.jsx)(s.li,{children:"Bump spegel version"}),"\n",(0,r.jsx)(s.li,{children:"Fix issue with externalTrafficPolicy: Local for single-stack services on dual-stack nodes"}),"\n",(0,r.jsxs)(s.li,{children:["ServiceLB now sets the priorityClassName on svclb pods to ",(0,r.jsx)(s.code,{children:"system-node-critical"})," by default. This can be overridden on a per-service basis via the ",(0,r.jsx)(s.code,{children:"svccontroller.k3s.cattle.io/priorityclassname"})," annotation."]}),"\n",(0,r.jsx)(s.li,{children:"Bump minio-go to v7.0.70"}),"\n",(0,r.jsx)(s.li,{children:"Bump kine to v0.11.9 to fix pagination"}),"\n",(0,r.jsx)(s.li,{children:"Update valid resolv conf"}),"\n",(0,r.jsx)(s.li,{children:"Add missing kernel config check"}),"\n",(0,r.jsx)(s.li,{children:"Symlinked sub-directories are now respected when scanning Auto-Deploying Manifests (AddOns)"}),"\n",(0,r.jsx)(s.li,{children:"Fix bug: allow helm controller set owner reference"}),"\n",(0,r.jsx)(s.li,{children:"Bump klipper-helm image for tls secret support"}),"\n",(0,r.jsx)(s.li,{children:"Fix issue with k3s-etcd informers not starting"}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--Enable-pprof"})," can now be set on agents to enable the debug/pprof endpoints. When set, agents will listen on the supervisor port."]}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--Supervisor-metrics"})," can now be set on servers to enable serving internal metrics on the supervisor endpoint; when set agents will listen on the supervisor port."]}),"\n",(0,r.jsx)(s.li,{children:"Fix netpol crash when node remains tainted uninitialized"}),"\n",(0,r.jsx)(s.li,{children:"The embedded load-balancer will now fall back to trying all servers with health-checks ignored, if all servers have been marked unavailable due to failed health checks."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["More backports for 2024-06 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10290",children:"(#10290)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add snapshot retention etcd-s3-folder fix ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10314",children:"(#10314)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add test for ",(0,r.jsx)(s.code,{children:"isValidResolvConf"})," (#10302) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10332",children:"(#10332)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix race condition panic in loadbalancer.nextServer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10324",children:"(#10324)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix typo, use ",(0,r.jsx)(s.code,{children:"rancher/permissions"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10297",children:"(#10297)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.27.15 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10346",children:"(#10346)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Update Kubernetes to v1.27.15"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix agent supervisor port using apiserver port instead ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10356",children:"(#10356)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue that allowed multiple simultaneous snapshots to be allowed ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10378",children:"(#10378)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12714k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.14+k3s1",children:"v1.27.14+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.14, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v12713",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12713k3s1",children:"Changes since v1.27.13+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Bump E2E opensuse leap to 15.6, fix btrfs test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10096",children:"(#10096)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Windows changes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10113",children:"(#10113)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.27.14-k3s1 and Go 1.21.9 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10103",children:"(#10103)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12713k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.13+k3s1",children:"v1.27.13+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.13, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v12712",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12712k3s1",children:"Changes since v1.27.12+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add a new error when kine is with disable apiserver or disable etcd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9803",children:"(#9803)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove old pinned dependencies ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9828",children:"(#9828)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Transition from deprecated pointer library to ptr ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9825",children:"(#9825)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Golang caching and E2E ubuntu 23.10 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9822",children:"(#9822)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add tls for kine ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9850",children:"(#9850)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump spegel to v0.0.20-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9881",children:"(#9881)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-04 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9912",children:"(#9912)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Send error response if member list cannot be retrieved"}),"\n",(0,r.jsx)(s.li,{children:"The k3s stub cloud provider now respects the kubelet's requested provider-id, instance type, and topology labels"}),"\n",(0,r.jsx)(s.li,{children:"Fix error when image has already been pulled"}),"\n",(0,r.jsx)(s.li,{children:"Add /etc/passwd and /etc/group to k3s docker image"}),"\n",(0,r.jsx)(s.li,{children:"Fix etcd snapshot reconcile for agentless servers"}),"\n",(0,r.jsx)(s.li,{children:"Add health-check support to loadbalancer"}),"\n",(0,r.jsx)(s.li,{children:"Add certificate expiry check, events, and metrics"}),"\n",(0,r.jsx)(s.li,{children:"Add workaround for containerd hosts.toml bug when passing config for default registry endpoint"}),"\n",(0,r.jsx)(s.li,{children:"Add supervisor cert/key to rotate list"}),"\n",(0,r.jsx)(s.li,{children:"The embedded containerd has been bumped to v1.7.15"}),"\n",(0,r.jsx)(s.li,{children:"The embedded cri-dockerd has been bumped to v0.3.12"}),"\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"k3s etcd-snapshot"})," command has been reworked for improved consistency. All snapshots operations are now performed by the server process, with the CLI acting as a client to initiate and report results. As a side effect, the CLI is now less noisy when managing snapshots."]}),"\n",(0,r.jsx)(s.li,{children:"Improve etcd load-balancer startup behavior"}),"\n",(0,r.jsx)(s.li,{children:"Actually fix agent certificate rotation"}),"\n",(0,r.jsx)(s.li,{children:"Traefik has been bumped to v2.10.7."}),"\n",(0,r.jsx)(s.li,{children:"Traefik pod annotations are now set properly in the default chart values."}),"\n",(0,r.jsx)(s.li,{children:"The system-default-registry value now supports RFC2732 IPv6 literals."}),"\n",(0,r.jsxs)(s.li,{children:["The local-path provisioner now defaults to creating ",(0,r.jsx)(s.code,{children:"local"})," volumes, instead of ",(0,r.jsx)(s.code,{children:"hostPath"}),"."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Allow LPP to read helper logs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9939",children:"(#9939)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router to v2.1.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9943",children:"(#9943)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.27.13-k3s1 and Go 1.21.9 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9958",children:"(#9958)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix on-demand snapshots timing out; not honoring folder ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9995",children:"(#9995)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Make /db/info available anonymously from localhost ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10003",children:"(#10003)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12712k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.12+k3s1",children:"v1.27.12+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.12, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v12711",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12711k3s1",children:"Changes since v1.27.11+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add an integration test for flannel-backend=none ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9609",children:"(#9609)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Install and Unit test backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9642",children:"(#9642)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update klipper-lb image version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9606",children:"(#9606)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Adjust first node-ip based on configured clusterCIDR ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9632",children:"(#9632)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Improve tailscale e2e test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9654",children:"(#9654)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-03 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9670",children:"(#9670)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fix: use correct wasm shims names"}),"\n",(0,r.jsx)(s.li,{children:"The embedded flannel cni-plugin binary is now built and versioned separate from the rest of the cni plugins and the embedded flannel controller."}),"\n",(0,r.jsx)(s.li,{children:"Bump spegel to v0.0.18-k3s3"}),"\n",(0,r.jsx)(s.li,{children:"Adds wildcard registry support"}),"\n",(0,r.jsx)(s.li,{children:"Fixes issue with excessive CPU utilization while waiting for containerd to start"}),"\n",(0,r.jsx)(s.li,{children:"Add env var to allow spegel mirroring of latest tag"}),"\n",(0,r.jsx)(s.li,{children:"Tweak netpol node wait logs"}),"\n",(0,r.jsx)(s.li,{children:"Fix coredns NodeHosts on dual-stack clusters"}),"\n",(0,r.jsx)(s.li,{children:"Bump helm-controller/klipper-helm versions"}),"\n",(0,r.jsx)(s.li,{children:"Fix snapshot prune"}),"\n",(0,r.jsx)(s.li,{children:"Fix issue with etcd node name missing hostname"}),"\n",(0,r.jsx)(s.li,{children:"Rootless mode should also bind service nodePort to host for LoadBalancer type, matching UX of rootful mode."}),"\n",(0,r.jsxs)(s.li,{children:["To enable raw output for the ",(0,r.jsx)(s.code,{children:"check-config"})," subcommand, you may now set NO_COLOR=1"]}),"\n",(0,r.jsx)(s.li,{children:"Fix additional corner cases in registries handling"}),"\n",(0,r.jsx)(s.li,{children:"Bump metrics-server to v0.7.0"}),"\n",(0,r.jsx)(s.li,{children:"K3s will now warn and suppress duplicate entries in the mirror endpoint list for a registry. Containerd does not support listing the same endpoint multiple times as a mirror for a single upstream registry."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Docker and E2E Test Backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9708",children:"(#9708)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix wildcard entry upstream fallback ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9734",children:"(#9734)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.27.12-k3s1 and Go 1.21.8 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9745",children:"(#9745)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12711k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.11+k3s1",children:"v1.27.11+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.11, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v12710",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12710k3s2",children:"Changes since v1.27.10+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Chore: bump Local Path Provisioner version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9427",children:"(#9427)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump cri-dockerd to fix compat with Docker Engine 25 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9291",children:"(#9291)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Auto Dependency Bump ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9420",children:"(#9420)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Runtimes refactor using exec.LookPath ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9430",children:"(#9430)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Directories containing runtimes need to be included in the $PATH environment variable for effective runtime detection."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Changed how lastHeartBeatTime works in the etcd condition ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9425",children:"(#9425)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow executors to define containerd and docker behavior ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9253",children:"(#9253)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kube-router to v2.0.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9405",children:"(#9405)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-02 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9463",children:"(#9463)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump flannel version + remove multiclustercidr ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9407",children:"(#9407)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Enable longer http timeout requests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9445",children:"(#9445)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Test_UnitApplyContainerdQoSClassConfigFileIfPresent ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9441",children:"(#9441)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Support PR testing installs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9470",children:"(#9470)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.27.11 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9491",children:"(#9491)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix drone publish for arm ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9509",children:"(#9509)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove failing Drone step ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9515",children:"(#9515)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Restore original order of agent startup functions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9546",children:"(#9546)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix netpol startup when flannel is disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9579",children:"(#9579)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12710k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.10+k3s2",children:"v1.27.10+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.10, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v1279",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.p,{children:(0,r.jsx)(s.strong,{children:"Important Notes"})}),"\n",(0,r.jsxs)(s.p,{children:["Addresses the runc CVE: ",(0,r.jsx)(s.a,{href:"https://nvd.nist.gov/vuln/detail/CVE-2024-21626",children:"CVE-2024-21626"})," by updating runc to v1.1.12."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1279k3s1",children:"Changes since v1.27.9+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add a retry around updating a secrets-encrypt node annotations ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9124",children:"(#9124)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added support for env *_PROXY variables for agent loadbalancer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9117",children:"(#9117)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Wait for taint to be gone in the node before starting the netpol controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9176",children:"(#9176)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Etcd condition ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9182",children:"(#9182)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-01 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9211",children:"(#9211)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Move proxy dialer out of init() and fix crash ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9220",children:"(#9220)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Pin opa version for missing dependency chain ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9217",children:"(#9217)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Etcd node is nil ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9229",children:"(#9229)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.27.10 and Go 1.20.13 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9261",children:"(#9261)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use ",(0,r.jsx)(s.code,{children:"ipFamilyPolicy: RequireDualStack"})," for dual-stack kube-dns ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9270",children:"(#9270)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-01 k3s2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9337",children:"(#9337)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump runc to v1.1.12 and helm-controller to v0.15.7"}),"\n",(0,r.jsx)(s.li,{children:"Fix handling of bare hostname or IP as endpoint address in registries.yaml"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump helm-controller to fix issue with ChartContent ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9347",children:"(#9347)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1279k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.9+k3s1",children:"v1.27.9+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.9, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v1278",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1278k3s2",children:"Changes since v1.27.8+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Bump containerd/runc to v1.7.10-k3s1/v1.1.10 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8963",children:"(#8963)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix overlapping address range ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9018",children:"(#9018)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Runtimes backport ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9013",children:"(#9013)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Added runtime classes for wasm/nvidia/crun"}),"\n",(0,r.jsx)(s.li,{children:"Added default runtime flag for containerd"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd to v1.7.11 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9041",children:"(#9041)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.27.9-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9078",children:"(#9078)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1278k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.8+k3s2",children:"v1.27.8+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.8, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v1277",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1277k3s2",children:"Changes since v1.27.7+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Etcd status condition ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8821",children:"(#8821)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add warning for removal of multiclustercidr flag ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8759",children:"(#8759)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2023-11 release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8878",children:"(#8878)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["New timezone info in Docker image allows the use of ",(0,r.jsx)(s.code,{children:"spec.timeZone"})," in CronJobs"]}),"\n",(0,r.jsx)(s.li,{children:"Bumped kine to v0.11.0 to resolve issues with postgres and NATS, fix performance of watch channels under heavy load, and improve compatibility with the reference implementation."}),"\n",(0,r.jsxs)(s.li,{children:["Containerd may now be configured to use rdt or blockio configuration by defining ",(0,r.jsx)(s.code,{children:"rdt_config.yaml"})," or ",(0,r.jsx)(s.code,{children:"blockio_config.yaml"})," files."]}),"\n",(0,r.jsx)(s.li,{children:"Add agent flag disable-apiserver-lb, agent will not start load balance proxy."}),"\n",(0,r.jsx)(s.li,{children:"Improved ingress IP ordering from ServiceLB"}),"\n",(0,r.jsx)(s.li,{children:"Disable helm CRD installation for disable-helm-controller"}),"\n",(0,r.jsx)(s.li,{children:"Omit snapshot list configmap entries for snapshots without extra metadata"}),"\n",(0,r.jsx)(s.li,{children:"Add jitter to client config retry to avoid hammering servers when they are starting up"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Handle nil pointer when runtime core is not ready in etcd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8887",children:"(#8887)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Improve dualStack log ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8828",children:"(#8828)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump dynamiclistener; reduce snapshot controller log spew ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8902",children:"(#8902)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bumped dynamiclistener to address a race condition that could cause a server to fail to sync its certificates into the Kubernetes secret"}),"\n",(0,r.jsx)(s.li,{children:"Reduced etcd snapshot log spam during initial cluster startup"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Remove depends_on for e2e step; fix cert rotate e2e ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8907",children:"(#8907)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix etcd snapshot S3 issues ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8937",children:"(#8937)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Don't apply S3 retention if S3 client failed to initialize"}),"\n",(0,r.jsx)(s.li,{children:"Don't request metadata when listing S3 snapshots"}),"\n",(0,r.jsx)(s.li,{children:"Print key instead of file path in snapshot metadata log message"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.27.8 and Go to 1.20.11 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8921",children:"(#8921)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove s390x ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8999",children:"(#8999)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1277k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.7+k3s2",children:"v1.27.7+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.7, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v1277",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1277k3s1",children:"Changes since v1.27.7+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix SystemdCgroup in templates_linux.go ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8765",children:"(#8765)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed an issue with identifying additional container runtimes"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update traefik chart to v25.0.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8775",children:"(#8775)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update traefik to fix registry value ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8789",children:"(#8789)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1277k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.7+k3s1",children:"v1.27.7+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.7, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v1276",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1276k3s1",children:"Changes since v1.27.6+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix error reporting ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8411",children:"(#8411)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add context to flannel errors ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8419",children:"(#8419)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Include the interface name in the error message ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8435",children:"(#8435)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8443",children:"(#8443)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add extraArgs to tailscale ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8464",children:"(#8464)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added error when cluster reset while using server flag ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8455",children:"(#8455)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The user will receive a error when --cluster-reset with the --server flag"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Cluster reset from non bootstrap nodes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8451",children:"(#8451)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Take IPFamily precedence based on order ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8504",children:"(#8504)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix spellcheck problem ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8509",children:"(#8509)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Network defaults are duplicated, remove one ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8551",children:"(#8551)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Advertise address integration test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8516",children:"(#8516)"})]}),"\n",(0,r.jsxs)(s.li,{children:["System agent push tags fix ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8569",children:"(#8569)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fixed tailscale node IP dualstack mode in case of IPv4 only node ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8558",children:"(#8558)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Server Token Rotation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8576",children:"(#8576)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Users can now rotate the server token using ",(0,r.jsx)(s.code,{children:"k3s token rotate -t <OLD_TOKEN> --new-token <NEW_TOKEN>"}),". After command succeeds, all server nodes must be restarted with the new token."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["E2E Domain Drone Cleanup ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8582",children:"(#8582)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Clear remove annotations on cluster reset ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8587",children:"(#8587)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed an issue that could cause k3s to attempt to remove members from the etcd cluster immediately following a cluster-reset/restore, if they were queued for removal at the time the snapshot was taken."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Use IPv6 in case is the first configured IP with dualstack ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8597",children:"(#8597)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2023-10 release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8615",children:"(#8615)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router package in build script ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8634",children:"(#8634)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add etcd-only/control-plane-only server test and fix control-plane-only server crash ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8642",children:"(#8642)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use ",(0,r.jsx)(s.code,{children:"version.Program"})," not K3s in token rotate logs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8656",children:"(#8656)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Windows agent support ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8650",children:"(#8650)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix CloudDualStackNodeIPs feature-gate inconsistency ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8669",children:"(#8669)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add --image-service-endpoint flag (#8279) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8662",children:"(#8662)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add ",(0,r.jsx)(s.code,{children:"--image-service-endpoint"})," flag to specify an external image service socket."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Backport etcd fixes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8690",children:"(#8690)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Re-enable etcd endpoint auto-sync"}),"\n",(0,r.jsx)(s.li,{children:"Manually requeue configmap reconcile when no nodes have reconciled snapshots"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.27.7 and Go to v1.20.10 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8681",children:"(#8681)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix s3 snapshot restore ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8733",children:"(#8733)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1276k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.6+k3s1",children:"v1.27.6+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.6, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v1275",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1275k3s1",children:"Changes since v1.27.5+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Bump kine to v0.10.3 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8324",children:"(#8324)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.27.6 and Go to 1.20.8 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8356",children:"(#8356)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump embedded containerd to v1.7.6"}),"\n",(0,r.jsx)(s.li,{children:"Bump embedded stargz-snapshotter plugin to latest"}),"\n",(0,r.jsx)(s.li,{children:"Fixed intermittent drone CI failures due to race conditions in test environment setup scripts"}),"\n",(0,r.jsx)(s.li,{children:"Fixed CI failures due to changes to api discovery changes in Kubernetes 1.28"}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1275k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.5+k3s1",children:"v1.27.5+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.5, and fixes a number of issues."}),"\n",(0,r.jsx)(s.admonition,{title:"Important",type:"warning",children:(0,r.jsxs)(s.p,{children:["This release includes support for remediating CVE-2023-32187, a potential Denial of Service attack vector on K3s servers. See ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2",children:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2"})," for more information, including mandatory steps necessary to harden clusters against this vulnerability."]})}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v1274",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1274k3s1",children:"Changes since v1.27.4+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update cni plugins version to v1.3.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8056",children:"(#8056)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Upgraded cni-plugins to v1.3.0"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update flannel to v0.22.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8057",children:"(#8057)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Update flannel to v0.22.1"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["ADR on secrets encryption v3 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7938",children:"(#7938)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Unit test for MustFindString ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8013",children:"(#8013)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add support for using base template in etc/containerd/config.toml.tmpl ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7991",children:"(#7991)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["User-provided containerd config templates may now use ",(0,r.jsx)(s.code,{children:'{{ template "base" . }}'})," to include the default K3s template content. This makes it easier to maintain user configuration if the only need is to add additional sections to the file."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Make apiserver egress args conditional on egress-selector-mode ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7972",children:"(#7972)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["K3s no longer enables the apiserver's ",(0,r.jsx)(s.code,{children:"enable-aggregator-routing"})," flag when the egress proxy is not being used to route connections to in-cluster endpoints."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Security bump to ",(0,r.jsx)(s.code,{children:"docker/distribution"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8047",children:"(#8047)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix coreos multiple installs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8083",children:"(#8083)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update stable channel to v1.27.4+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8067",children:"(#8067)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix tailscale bug with ip modes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8077",children:"(#8077)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Consolidate CopyFile functions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8079",children:"(#8079)"})]}),"\n",(0,r.jsxs)(s.li,{children:["E2E: Support GOCOVER for more tests + fixes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8080",children:"(#8080)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix typo in terraform/README.md ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8090",children:"(#8090)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add FilterCN function to prevent SAN Stuffing ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8085",children:"(#8085)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"K3s's external apiserver listener now declines to add to its certificate any subject names not associated with the kubernetes apiserver service, server nodes, or values of the --tls-san option. This prevents the certificate's SAN list from being filled with unwanted entries."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump docker/docker to master commit; cri-dockerd to 0.3.4 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8092",children:"(#8092)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump docker/docker module version to fix issues with cri-dockerd caused by recent releases of golang rejecting invalid host headers sent by the docker client."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump versions for etcd, containerd, runc ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8109",children:"(#8109)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Updated the embedded containerd to v1.7.3+k3s1"}),"\n",(0,r.jsx)(s.li,{children:"Updated the embedded runc to v1.1.8"}),"\n",(0,r.jsx)(s.li,{children:"Updated the embedded etcd to v3.5.9+k3s1"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Etcd snapshots retention when node name changes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8099",children:"(#8099)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump kine to v0.10.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8125",children:"(#8125)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Updated kine to v0.10.2"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Remove terraform package ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8136",children:"(#8136)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix etcd-snapshot delete when etcd-s3 is true ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8110",children:"(#8110)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add --disable-cloud-controller and --disable-kube-proxy test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8018",children:"(#8018)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use ",(0,r.jsx)(s.code,{children:"go list -m"})," instead of grep to look up versions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8138",children:"(#8138)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use VERSION_K8S in tests instead of grep go.mod ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8147",children:"(#8147)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix for Kubeflag Integration test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8154",children:"(#8154)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix for cluster-reset backup from s3 when etcd snapshots are disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8155",children:"(#8155)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Run integration test CI in parallel ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8156",children:"(#8156)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8150",children:"(#8150)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8178",children:"(#8178)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fixed the etcd retention to delete orphaned snapshots based on the date ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8177",children:"(#8177)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump dynamiclistener ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8193",children:"(#8193)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bumped dynamiclistener to address an issue that could cause the apiserver/supervisor listener on 6443 to stop serving requests on etcd-only nodes."}),"\n",(0,r.jsx)(s.li,{children:"The K3s external apiserver/supervisor listener on 6443 now sends a complete certificate chain in the TLS handshake."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump helm-controller/klipper-helm versions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8204",children:"(#8204)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The version of ",(0,r.jsx)(s.code,{children:"helm"})," used by the bundled helm controller's job image has been updated to v3.12.3"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["E2E: Add test for ",(0,r.jsx)(s.code,{children:"k3s token"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8184",children:"(#8184)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Move flannel to 0.22.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8219",children:"(#8219)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Move flannel to v0.22.2"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.27.5 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8236",children:"(#8236)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add new CLI flag to enable TLS SAN CN filtering ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8257",children:"(#8257)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Added a new ",(0,r.jsx)(s.code,{children:"--tls-san-security"})," option. This flag defaults to false, but can be set to true to disable automatically adding SANs to the server's TLS certificate to satisfy any hostname requested by a client."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add RWMutex to address controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8273",children:"(#8273)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1274k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.4+k3s1",children:"v1.27.4+k3s1"})]}),"\n",(0,r.jsxs)(s.p,{children:["This release updates Kubernetes to v1.27.4, and fixes a number of issues.",(0,r.jsx)(s.br,{}),"\n","\u200b\r\nFor more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v1273",children:"Kubernetes release notes"}),".\r\n\u200b"]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1273k3s1",children:"Changes since v1.27.3+k3s1:"}),"\n",(0,r.jsx)(s.p,{children:"\u200b"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Pkg imported more than once ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7803",children:"(#7803)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Faster K3s Binary Build Option ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7805",children:"(#7805)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update stable channel to v1.27.3+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7827",children:"(#7827)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Adding cli to custom klipper helm image ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7682",children:"(#7682)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The default helm-controller job image can now be overridden with the --helm-job-image CLI flag"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Check if we are on ipv4, ipv6 or dualStack when doing tailscale ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7838",children:"(#7838)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove file_windows.go ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7845",children:"(#7845)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add a k3s data directory location specified by the cli ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7791",children:"(#7791)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix e2e startup flaky test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7839",children:"(#7839)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow k3s to customize apiServerPort on helm-controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7834",children:"(#7834)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fall back to basic/bearer auth when node identity auth is rejected ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7836",children:"(#7836)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Resolved an issue that caused agents joined with kubeadm-style bootstrap tokens to fail to rejoin the cluster when their node object is deleted."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix code spell check ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7858",children:"(#7858)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add e2e s3 test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7833",children:"(#7833)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Warn that v1.28 will deprecate reencrypt/prepare ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7848",children:"(#7848)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Support setting control server URL for Tailscale ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7807",children:"(#7807)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Support connecting tailscale to a separate server (e.g. headscale)"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Improve for K3s release Docs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7864",children:"(#7864)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix rootless node password location ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7887",children:"(#7887)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump google.golang.org/grpc from 1.51.0 to 1.53.0 in /tests/terraform ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7879",children:"(#7879)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add retry for clone step ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7862",children:"(#7862)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Generation of certificates and keys for etcd gated if etcd is disabled. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6998",children:"(#6998)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Don't use zgrep in ",(0,r.jsx)(s.code,{children:"check-config"})," if apparmor profile is enforced ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7939",children:"(#7939)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix image_scan.sh script and download trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7950",children:"(#7950)"})]}),"\n",(0,r.jsxs)(s.li,{children:['Revert "Warn that v1.28 will deprecate reencrypt/prepare" ',(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7977",children:"(#7977)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Adjust default kubeconfig file permissions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7978",children:"(#7978)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix update go version command on release documentation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8028",children:"(#8028)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.27.4 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8014",children:"(#8014)"}),"\r\n\u200b"]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1273k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.3+k3s1",children:"v1.27.3+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.3, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v1272",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1272k3s1",children:"Changes since v1.27.2+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update flannel version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7628",children:"(#7628)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Update flannel to v0.22.0"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add el9 selinux rpm ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7635",children:"(#7635)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update channels ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7634",children:"(#7634)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow coredns override extensions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7583",children:"(#7583)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"coredns-custom"})," ConfigMap now allows for ",(0,r.jsx)(s.code,{children:"*.override"})," sections to be included in the ",(0,r.jsx)(s.code,{children:".:53"})," default server block."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump klipper-lb to v0.4.4 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7617",children:"(#7617)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bumped klipper-lb image to v0.4.4 to resolve an issue that prevented access to ServiceLB ports from localhost when the Service ExternalTrafficPolicy was set to Local."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump metrics-server to v0.6.3 and update tls-cipher-suites ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7564",children:"(#7564)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The bundled metrics-server has been bumped to v0.6.3, and now uses only secure TLS ciphers by default."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Do not use the admin kubeconfig for the supervisor and core controllers ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7616",children:"(#7616)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The K3s core controllers (supervisor, deploy, and helm) no longer use the admin kubeconfig. This makes it easier to determine from access and audit logs which actions are performed by the system, and which are performed by an administrative user."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump golang",":alpine"," image version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7619",children:"(#7619)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Make LB image configurable when compiling k3s ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7626",children:"(#7626)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump vagrant libvirt with fix for plugin installs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7605",children:"(#7605)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add format command on Makefile ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7437",children:"(#7437)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use el8 rpm for fedora 38 and 39 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7664",children:"(#7664)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Check variant before version to decide rpm target and packager closes #7666 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7667",children:"(#7667)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Test Coverage Reports for E2E tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7526",children:"(#7526)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Soft-fail on node password verification if the secret cannot be created ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7655",children:"(#7655)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"K3s now allows nodes to join the cluster even if the node password secret cannot be created at the time the node joins. The secret create will be retried in the background. This resolves a potential deadlock created by fail-closed validating webhooks that block secret creation, where the webhook is unavailable until new nodes join the cluster to run the webhook pod."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Enable containerd aufs/devmapper/zfs snapshotter plugins ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7661",children:"(#7661)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The bundled containerd's aufs/devmapper/zfs snapshotter plugins have been restored. These were unintentionally omitted when moving containerd back into the k3s multicall binary in the previous release."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump docker go.mod ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7681",children:"(#7681)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Shortcircuit commands with version or help flags ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7683",children:"(#7683)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Non root users can now call ",(0,r.jsx)(s.code,{children:"k3s --help"})," and ",(0,r.jsx)(s.code,{children:"k3s --version"})," commands without running into permission errors over the default config file."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7672",children:"(#7672)"})]}),"\n",(0,r.jsxs)(s.li,{children:["E2E: Capture coverage of K3s subcommands ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7686",children:"(#7686)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Integrate tailscale into k3s ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7352",children:"(#7352)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Integration of tailscale VPN into k3s"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add private registry e2e test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7653",children:"(#7653)"})]}),"\n",(0,r.jsxs)(s.li,{children:["E2E: Remove unnecessary daemonset addition/deletion ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7696",children:"(#7696)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add issue template for OS validation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7695",children:"(#7695)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix spelling check ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7740",children:"(#7740)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove useless libvirt config ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7745",children:"(#7745)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump helm-controller to v0.15.0 for create-namespace support ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7716",children:"(#7716)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded helm controller has been bumped to v0.15.0, and now supports creating the chart's target namespace if it does not exist."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix error logging in tailscale ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7776",children:"(#7776)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add commands to remove advertised routes of tailscale in k3s-killall.sh ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7777",children:"(#7777)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.27.3 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7790",children:"(#7790)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1272k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.2+k3s1",children:"v1.27.2+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.27.2, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v1271",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1271k3s1",children:"Changes since v1.27.1+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Ensure that klog verbosity is set to the same level as logrus ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7303",children:"(#7303)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Create CRDs with schema ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7308",children:"(#7308)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed an issue where Addon, HelmChart, and HelmChartConfig CRDs were created without structural schema, allowing the creation of custom resources of these types with invalid content."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump k3s-root for aarch64 page size fix ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7364",children:"(#7364)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"K3s once again supports aarch64 nodes with page size > 4k"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Runc and Containerd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7339",children:"(#7339)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add integration tests for etc-snapshot server flags and refactor /tests/integration/integration.go/K3sStartServer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7300",children:"(#7300)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump traefik to v2.9.10 / chart 21.2.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7324",children:"(#7324)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The packaged Traefik version has been bumped to v2.9.10 / chart 21.2.0"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add longhorn storage test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6445",children:"(#6445)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Improve error message when CLI wrapper Exec fails ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7373",children:"(#7373)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["K3s now prints a more meaningful error when attempting to run from a filesystem mounted ",(0,r.jsx)(s.code,{children:"noexec"}),"."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issues with ",(0,r.jsx)(s.code,{children:"--disable-agent"})," and ",(0,r.jsx)(s.code,{children:"--egress-selector-mode=pod|cluster"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7331",children:"(#7331)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Servers started with the (experimental) --disable-agent flag no longer attempt to run the tunnel authorizer agent component."}),"\n",(0,r.jsx)(s.li,{children:"Fixed an regression that prevented the pod and cluster egress-selector modes from working properly."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:['Retry cluster join on "too many learners" error ',(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7351",children:"(#7351)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:'K3s now retries the cluster join operation when receiving a "too many learners" error from etcd. This most frequently occurred when attempting to add multiple servers at the same time.'}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix MemberList error handling and incorrect etcd-arg passthrough ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7371",children:"(#7371)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"K3s now correctly passes through etcd-args to the temporary etcd that is used to extract cluster bootstrap data when restarting managed etcd nodes."}),"\n",(0,r.jsx)(s.li,{children:"K3s now properly handles errors obtaining the current etcd cluster member list when a new server is joining the managed etcd cluster."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7383",children:"(#7383)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Handle multiple arguments with StringSlice flags ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7380",children:"(#7380)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add v1.27 channel ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7387",children:"(#7387)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Enable FindString to search dotD config files ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7323",children:"(#7323)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Migrate netutil methods into /util/net.go ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7422",children:"(#7422)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Local-storage: Fix permission ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7217",children:"(#7217)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump cni plugins to v1.2.0-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7425",children:"(#7425)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The bundled CNI plugins have been upgraded to v1.2.0-k3s1. The bandwidth and firewall plugins are now included in the bundle."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add dependabot label and reviewer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7423",children:"(#7423)"})]}),"\n",(0,r.jsxs)(s.li,{children:["E2E: Startup test cleanup + RunCommand Enhancement ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7388",children:"(#7388)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fail to validate server tokens that use bootstrap id/secret format ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7389",children:"(#7389)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["K3s now exits with a proper error message when the server token uses a bootstrap token ",(0,r.jsx)(s.code,{children:"id.secret"})," format."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix token startup test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7442",children:"(#7442)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump kine to v0.10.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7414",children:"(#7414)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The embedded kine version has been bumped to v0.10.1. This replaces the legacy ",(0,r.jsx)(s.code,{children:"lib/pq"})," postgres driver with ",(0,r.jsx)(s.code,{children:"pgx"}),"."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add kube-* server flags integration tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7416",children:"(#7416)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add support for ",(0,r.jsx)(s.code,{children:"-cover"})," + integration test code coverage ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7415",children:"(#7415)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump kube-router version to fix a bug when a port name is used ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7454",children:"(#7454)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Consistently use constant-time comparison of password hashes instead of bare password strings ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7455",children:"(#7455)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd to v1.7.0 and move back into multicall binary ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7418",children:"(#7418)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The embedded containerd version has been bumped to ",(0,r.jsx)(s.code,{children:"v1.7.0-k3s1"}),", and has been reintegrated into the main k3s binary for a significant savings in release artifact size."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Adding PITS and Getdeck Beiboot as adopters thanks to Schille and Miw\u2026 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7524",children:"(#7524)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump helm-controller version for repo auth/ca support ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7525",children:"(#7525)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded Helm controller now supports authenticating to chart repositories via credentials stored in a Secret, as well as passing repo CAs via ConfigMap."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd/runc to v1.7.1-k3s1/v1.1.7 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7533",children:"(#7533)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The bundled containerd and runc versions have been bumped to v1.7.1-k3s1/v1.1.7"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Wrap error stating that it is coming from netpol ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7539",children:"(#7539)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add Rotation certification Check, remove func to restart agents ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7097",children:"(#7097)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump alpine from 3.17 to 3.18 in /package ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7550",children:"(#7550)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump alpine from 3.17 to 3.18 in /conformance ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7551",children:"(#7551)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add '-all' flag to apply to inactive systemd units ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7567",children:"(#7567)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.27.2-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7575",children:"(#7575)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix iptables rules clean during upgrade ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7591",children:"(#7591)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Pin emicklei/go-restful to v3.9.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7597",children:"(#7597)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add el9 selinux rpm ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7443",children:"(#7443)"})]}),"\n",(0,r.jsxs)(s.li,{children:['Revert "Add el9 selinux rpm (#7443)" ',(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7608",children:"(#7608)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1271k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.27.1+k3s1",children:"v1.27.1+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release is K3S's first in the v1.27 line. This release updates Kubernetes to v1.27.1."}),"\n",(0,r.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1264k3s1",children:"Changes since v1.26.4+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Kubernetes 1.27.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7271",children:"(#7271)"})]}),"\n",(0,r.jsxs)(s.li,{children:["V1.27.1 CLI Deprecation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7311",children:"(#7311)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--flannel-backed=wireguard"})," has been completely replaced with ",(0,r.jsx)(s.code,{children:"--flannel-backend=wireguard-native"})]}),"\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"k3s etcd-snapshot"})," command will now print a help message, to save a snapshot use: ",(0,r.jsx)(s.code,{children:"k3s etcd-snapshot save"})]}),"\n",(0,r.jsxs)(s.li,{children:["The following flags will now cause fatal errors (with full removal coming in v1.28.0):","\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--flannel-backed=ipsec"}),": replaced with ",(0,r.jsx)(s.code,{children:"--flannel-backend=wireguard-native"})," ",(0,r.jsx)(s.a,{href:"https://docs.k3s.io/installation/network-options#migrating-from-wireguard-or-ipsec-to-wireguard-native",children:"see docs for more info."})]}),"\n",(0,r.jsxs)(s.li,{children:["Supplying multiple ",(0,r.jsx)(s.code,{children:"--flannel-backend"})," values is no longer valid. Use ",(0,r.jsx)(s.code,{children:"--flannel-conf"})," instead."]}),"\n"]}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Changed command -v redirection for iptables bin check ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7315",children:"(#7315)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update channel server for april 2023 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7327",children:"(#7327)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump cri-dockerd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7347",children:"(#7347)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Cleanup help messages ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7369",children:"(#7369)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{})]})}function o(e={}){const{wrapper:s}={...(0,n.a)(),...e.components};return s?(0,r.jsx)(s,{...e,children:(0,r.jsx)(a,{...e})}):a(e)}},1151:(e,s,i)=>{i.d(s,{Z:()=>h,a:()=>l});var r=i(7294);const n={},t=r.createContext(n);function l(e){const s=r.useContext(t);return r.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function h(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:l(e.components),r.createElement(t.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/df1a3a69.0e3431df.js b/kr/assets/js/df1a3a69.0e3431df.js new file mode 100644 index 000000000..5600a2a52 --- /dev/null +++ b/kr/assets/js/df1a3a69.0e3431df.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[6153],{8246:(e,n,s)=>{s.r(n),s.d(n,{assets:()=>t,contentTitle:()=>l,default:()=>h,frontMatter:()=>c,metadata:()=>d,toc:()=>a});var r=s(5893),i=s(1151);const c={title:"\uace0\uae09 \uc635\uc158 / \uc124\uc815",aliases:["/k3s/latest/kr/running/","/k3s/latest/kr/configuration/"]},l=void 0,d={id:"advanced",title:"\uace0\uae09 \uc635\uc158 / \uc124\uc815",description:"\uc774 \uc139\uc158\uc5d0\ub294 K3s\ub97c \uc2e4\ud589\ud558\uace0 \uad00\ub9ac\ud560 \uc218 \uc788\ub294 \ub2e4\uc591\ud55c \ubc29\ubc95\uacfc K3s \uc0ac\uc6a9\uc744 \uc704\ud574 \ud638\uc2a4\ud2b8 OS\ub97c \uc900\ube44\ud558\ub294 \ub370 \ud544\uc694\ud55c \ub2e8\uacc4\ub97c \uc124\uba85\ud558\ub294 \uace0\uae09 \uc815\ubcf4\uac00 \ud3ec\ud568\ub418\uc5b4 \uc788\uc2b5\ub2c8\ub2e4.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/advanced.md",sourceDirName:".",slug:"/advanced",permalink:"/kr/advanced",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/advanced.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"\uace0\uae09 \uc635\uc158 / \uc124\uc815",aliases:["/k3s/latest/kr/running/","/k3s/latest/kr/configuration/"]},sidebar:"mySidebar",previous:{title:"\ud5ec\ub984(Helm)",permalink:"/kr/helm"},next:{title:"Environment Variables",permalink:"/kr/reference/env-variables"}},t={},a=[{value:"\uc778\uc99d\uc11c \uad00\ub9ac",id:"\uc778\uc99d\uc11c-\uad00\ub9ac",level:2},{value:"\uc778\uc99d \uae30\uad00 \uc778\uc99d\uc11c",id:"\uc778\uc99d-\uae30\uad00-\uc778\uc99d\uc11c",level:3},{value:"\ud074\ub77c\uc774\uc5b8\ud2b8 \ubc0f \uc11c\ubc84 \uc778\uc99d\uc11c",id:"\ud074\ub77c\uc774\uc5b8\ud2b8-\ubc0f-\uc11c\ubc84-\uc778\uc99d\uc11c",level:3},{value:"\ud1a0\ud070 \uad00\ub9ac",id:"\ud1a0\ud070-\uad00\ub9ac",level:2},{value:"HTTP \ud504\ub85d\uc2dc \uad6c\uc131\ud558\uae30",id:"http-\ud504\ub85d\uc2dc-\uad6c\uc131\ud558\uae30",level:2},{value:"\ucee8\ud14c\uc774\ub108 \ub7f0\ud0c0\uc784\uc73c\ub85c Docker \uc0ac\uc6a9",id:"\ucee8\ud14c\uc774\ub108-\ub7f0\ud0c0\uc784\uc73c\ub85c-docker-\uc0ac\uc6a9",level:2},{value:"etcdctl \uc0ac\uc6a9\ud558\uae30",id:"etcdctl-\uc0ac\uc6a9\ud558\uae30",level:2},{value:"\ucee8\ud14c\uc774\ub108 \uc124\uc815\ud558\uae30",id:"\ucee8\ud14c\uc774\ub108-\uc124\uc815\ud558\uae30",level:2},{value:"NVIDIA \ucee8\ud14c\uc774\ub108 \ub7f0\ud0c0\uc784 \uc9c0\uc6d0",id:"nvidia-\ucee8\ud14c\uc774\ub108-\ub7f0\ud0c0\uc784-\uc9c0\uc6d0",level:2},{value:"\uc5d0\uc774\uc804\ud2b8 \uc5c6\ub294 \uc11c\ubc84 \uc2e4\ud589\ud558\uae30(\uc2e4\ud5d8\uc801)",id:"\uc5d0\uc774\uc804\ud2b8-\uc5c6\ub294-\uc11c\ubc84-\uc2e4\ud589\ud558\uae30\uc2e4\ud5d8\uc801",level:2},{value:"\ub8e8\ud2b8\ub9ac\uc2a4 \uc11c\ubc84 \uc2e4\ud589(\uc2e4\ud5d8\uc801)",id:"\ub8e8\ud2b8\ub9ac\uc2a4-\uc11c\ubc84-\uc2e4\ud589\uc2e4\ud5d8\uc801",level:2},{value:"\ub8e8\ud2b8\ub9ac\uc2a4 \ubaa8\ub4dc\uc758 \uc54c\ub824\uc9c4 \uc774\uc288",id:"\ub8e8\ud2b8\ub9ac\uc2a4-\ubaa8\ub4dc\uc758-\uc54c\ub824\uc9c4-\uc774\uc288",level:3},{value:"\ub8e8\ud2b8\ub9ac\uc2a4 \uc11c\ubc84 \uc2dc\uc791\ud558\uae30",id:"\ub8e8\ud2b8\ub9ac\uc2a4-\uc11c\ubc84-\uc2dc\uc791\ud558\uae30",level:3},{value:"\uace0\uae09 \ub8e8\ud2b8\ub9ac\uc2a4 \uad6c\uc131",id:"\uace0\uae09-\ub8e8\ud2b8\ub9ac\uc2a4-\uad6c\uc131",level:3},{value:"\ub8e8\ud2b8\ub9ac\uc2a4 \ubb38\uc81c \ud574\uacb0\ud558\uae30",id:"\ub8e8\ud2b8\ub9ac\uc2a4-\ubb38\uc81c-\ud574\uacb0\ud558\uae30",level:3},{value:"\ub178\ub4dc \ub808\uc774\ube14 \ubc0f \ud14c\uc778\ud2b8",id:"\ub178\ub4dc-\ub808\uc774\ube14-\ubc0f-\ud14c\uc778\ud2b8",level:2},{value:"\uc124\uce58 \uc2a4\ud06c\ub9bd\ud2b8\ub85c \uc11c\ube44\uc2a4 \uc2dc\uc791\ud558\uae30",id:"\uc124\uce58-\uc2a4\ud06c\ub9bd\ud2b8\ub85c-\uc11c\ube44\uc2a4-\uc2dc\uc791\ud558\uae30",level:2},{value:"\ucd94\uac00 OS \uc900\ube44 \uc0ac\ud56d",id:"\ucd94\uac00-os-\uc900\ube44-\uc0ac\ud56d",level:2},{value:"\uc774\uc804 iptables \ubc84\uc804",id:"\uc774\uc804-iptables-\ubc84\uc804",level:3},{value:"Red Hat Enterprise Linux / CentOS",id:"red-hat-enterprise-linux--centos",level:3},{value:"Ubuntu",id:"ubuntu",level:3},{value:"Raspberry Pi",id:"raspberry-pi",level:3},{value:"Docker\uc5d0\uc11c k3s \uc2e4\ud589\ud558\uae30",id:"docker\uc5d0\uc11c-k3s-\uc2e4\ud589\ud558\uae30",level:2},{value:"SELinux \uc9c0\uc6d0",id:"selinux-\uc9c0\uc6d0",level:2},{value:"SELinux \uc801\uc6a9 \ud65c\uc131\ud654\ud558\uae30",id:"selinux-\uc801\uc6a9-\ud65c\uc131\ud654\ud558\uae30",level:3},{value:"\uc9c0\uc5f0 \ud480\ub9c1\uc758 \uc9c0\uc5f0 \ud480\ub9c1 \ud65c\uc131\ud654 (\uc2e4\ud5d8\uc801)",id:"\uc9c0\uc5f0-\ud480\ub9c1\uc758-\uc9c0\uc5f0-\ud480\ub9c1-\ud65c\uc131\ud654-\uc2e4\ud5d8\uc801",level:2},{value:"\uc9c0\uc5f0 \ud480\ub9c1\uacfc eStargz\ub780 \ubb34\uc5c7\uc778\uac00\uc694?",id:"\uc9c0\uc5f0-\ud480\ub9c1\uacfc-estargz\ub780-\ubb34\uc5c7\uc778\uac00\uc694",level:3},{value:"\uc9c0\uc5f0 \ud480\ub9c1\uc774 \uac00\ub2a5\ud558\ub3c4\ub85d k3s \uad6c\uc131\ud558\uae30",id:"\uc9c0\uc5f0-\ud480\ub9c1\uc774-\uac00\ub2a5\ud558\ub3c4\ub85d-k3s-\uad6c\uc131\ud558\uae30",level:3},{value:"\ucd94\uac00 \ub85c\uae45 \uc18c\uc2a4",id:"\ucd94\uac00-\ub85c\uae45-\uc18c\uc2a4",level:2},{value:"\ucd94\uac00 \ub124\ud2b8\uc6cc\ud06c \uc815\ucc45 \ub85c\uae45",id:"\ucd94\uac00-\ub124\ud2b8\uc6cc\ud06c-\uc815\ucc45-\ub85c\uae45",level:2}];function o(e){const n={a:"a",admonition:"admonition",blockquote:"blockquote",br:"br",code:"code",em:"em",h2:"h2",h3:"h3",li:"li",ol:"ol",p:"p",pre:"pre",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,i.a)(),...e.components},{TabItem:s,Tabs:c}=n;return s||x("TabItem",!0),c||x("Tabs",!0),(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(n.p,{children:"\uc774 \uc139\uc158\uc5d0\ub294 K3s\ub97c \uc2e4\ud589\ud558\uace0 \uad00\ub9ac\ud560 \uc218 \uc788\ub294 \ub2e4\uc591\ud55c \ubc29\ubc95\uacfc K3s \uc0ac\uc6a9\uc744 \uc704\ud574 \ud638\uc2a4\ud2b8 OS\ub97c \uc900\ube44\ud558\ub294 \ub370 \ud544\uc694\ud55c \ub2e8\uacc4\ub97c \uc124\uba85\ud558\ub294 \uace0\uae09 \uc815\ubcf4\uac00 \ud3ec\ud568\ub418\uc5b4 \uc788\uc2b5\ub2c8\ub2e4."}),"\n",(0,r.jsx)(n.h2,{id:"\uc778\uc99d\uc11c-\uad00\ub9ac",children:"\uc778\uc99d\uc11c \uad00\ub9ac"}),"\n",(0,r.jsx)(n.h3,{id:"\uc778\uc99d-\uae30\uad00-\uc778\uc99d\uc11c",children:"\uc778\uc99d \uae30\uad00 \uc778\uc99d\uc11c"}),"\n",(0,r.jsx)(n.p,{children:"K3s\ub294 \uccab \ubc88\uc9f8 \uc11c\ubc84 \ub178\ub4dc\ub97c \uc2dc\uc791\ud558\ub294 \ub3d9\uc548 \uc790\uccb4 \uc11c\uba85\ub41c CA(\uc778\uc99d \uae30\uad00) \uc778\uc99d\uc11c\ub97c \uc0dd\uc131\ud569\ub2c8\ub2e4. \uc774 CA \uc778\uc99d\uc11c\ub294 10\ub144 \ub3d9\uc548 \uc720\ud6a8\ud558\uba70 \uc790\ub3d9\uc73c\ub85c \uac31\uc2e0\ub418\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4."}),"\n",(0,r.jsxs)(n.p,{children:["\uc0ac\uc6a9\uc790 \uc9c0\uc815 CA \uc778\uc99d\uc11c \uc0ac\uc6a9 \ub610\ub294 \uc790\uccb4 \uc11c\uba85 CA \uc778\uc99d\uc11c \uac31\uc2e0\uc5d0 \ub300\ud55c \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,r.jsxs)(n.a,{href:"/kr/cli/certificate#certificate-authority-ca-certificates",children:[(0,r.jsx)(n.code,{children:"k3s \uc778\uc99d\uc11c rotate-ca"})," \uba85\ub839 \uc124\uba85\uc11c"]}),"\ub97c \ucc38\uc870\ud558\uc138\uc694."]}),"\n",(0,r.jsx)(n.h3,{id:"\ud074\ub77c\uc774\uc5b8\ud2b8-\ubc0f-\uc11c\ubc84-\uc778\uc99d\uc11c",children:"\ud074\ub77c\uc774\uc5b8\ud2b8 \ubc0f \uc11c\ubc84 \uc778\uc99d\uc11c"}),"\n",(0,r.jsx)(n.p,{children:"K3s \ud074\ub77c\uc774\uc5b8\ud2b8 \ubc0f \uc11c\ubc84 \uc778\uc99d\uc11c\ub294 \ubc1c\uae09\ud55c \ub0a0\ub85c\ubd80\ud130 365\uc77c \ub3d9\uc548 \uc720\ud6a8\ud569\ub2c8\ub2e4. \ub9cc\ub8cc\ub418\uc5c8\uac70\ub098 \ub9cc\ub8cc \ud6c4 90\uc77c \uc774\ub0b4\uc5d0 \ub9cc\ub8cc\ub41c \uc778\uc99d\uc11c\ub294 K3s\ub97c \uc2dc\uc791\ud560 \ub54c\ub9c8\ub2e4 \uc790\ub3d9\uc73c\ub85c \uac31\uc2e0\ub429\ub2c8\ub2e4."}),"\n",(0,r.jsxs)(n.p,{children:["\ud074\ub77c\uc774\uc5b8\ud2b8 \ubc0f \uc11c\ubc84 \uc778\uc99d\uc11c\ub97c \uc218\ub3d9\uc73c\ub85c \ub85c\ud14c\uc774\uc158\ud558\ub294 \uac83\uc5d0 \ub300\ud55c \uc815\ubcf4\ub294 ",(0,r.jsxs)(n.a,{href:"/kr/cli/certificate#client-and-server-certificates",children:[(0,r.jsx)(n.code,{children:"k3s \uc778\uc99d\uc11c \ub85c\ud14c\uc774\uc158"})," \uba85\ub839 \uc124\uba85\uc11c"]}),"\ub97c \ucc38\uc870\ud558\uc138\uc694."]}),"\n",(0,r.jsx)(n.h2,{id:"\ud1a0\ud070-\uad00\ub9ac",children:"\ud1a0\ud070 \uad00\ub9ac"}),"\n",(0,r.jsxs)(n.p,{children:["\uae30\ubcf8\uc801\uc73c\ub85c K3s\ub294 \uc11c\ubc84\uc640 \uc5d0\uc774\uc804\ud2b8 \ubaa8\ub450\uc5d0 \ub2e8\uc77c \uc815\uc801 \ud1a0\ud070\uc744 \uc0ac\uc6a9\ud569\ub2c8\ub2e4. \uc774 \ud1a0\ud070\uc740 \ud074\ub7ec\uc2a4\ud130\uac00 \uc0dd\uc131\ub41c \ud6c4\uc5d0\ub294 \ubcc0\uacbd\ud560 \uc218 \uc5c6\uc2b5\ub2c8\ub2e4.\n\uc5d0\uc774\uc804\ud2b8 \uc870\uc778\uc5d0\ub9cc \uc0ac\uc6a9\ud560 \uc218 \uc788\ub294 \ub450 \ubc88\uc9f8 \uc815\uc801 \ud1a0\ud070\uc744 \ud65c\uc131\ud654\ud558\uac70\ub098 \uc790\ub3d9\uc73c\ub85c \ub9cc\ub8cc\ub418\ub294 \uc784\uc2dc ",(0,r.jsx)(n.code,{children:"kubeadm"})," \uc2a4\ud0c0\uc77c \uc870\uc778 \ud1a0\ud070\uc744 \uc0dd\uc131\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4.\n\uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,r.jsxs)(n.a,{href:"/kr/cli/token",children:[(0,r.jsx)(n.code,{children:"k3s token"})," \uba85\ub839\uc5b4 \uc124\uba85\uc11c"]}),"\ub97c \ucc38\uace0\ud558\uc138\uc694."]}),"\n",(0,r.jsx)(n.h2,{id:"http-\ud504\ub85d\uc2dc-\uad6c\uc131\ud558\uae30",children:"HTTP \ud504\ub85d\uc2dc \uad6c\uc131\ud558\uae30"}),"\n",(0,r.jsx)(n.p,{children:"HTTP \ud504\ub85d\uc2dc\ub97c \ud1b5\ud574\uc11c\ub9cc \uc678\ubd80\uc640 \uc5f0\uacb0\ud560 \uc218 \uc788\ub294 \ud658\uacbd\uc5d0\uc11c K3s\ub97c \uc2e4\ud589\ud558\ub294 \uacbd\uc6b0, K3s \uc2dc\uc2a4\ud15c\ub4dc \uc11c\ube44\uc2a4\uc5d0\uc11c \ud504\ub85d\uc2dc \uc124\uc815\uc744 \uad6c\uc131\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \uadf8\ub7ec\uba74 \uc774 \ud504\ub85d\uc2dc \uc124\uc815\uc774 K3s\uc5d0\uc11c \uc0ac\uc6a9\ub418\uc5b4 \ub0b4\uc7a5 \ucee8\ud14c\uc774\ub108\uc640 kubelet\uc5d0 \uc804\ub2ec\ub429\ub2c8\ub2e4."}),"\n",(0,r.jsxs)(n.p,{children:["K3s \uc124\uce58 \uc2a4\ud06c\ub9bd\ud2b8\ub294 \uc790\ub3d9\uc73c\ub85c \ud604\uc7ac \uc178\uc5d0\uc11c ",(0,r.jsx)(n.code,{children:"HTTP_PROXY"}),", ",(0,r.jsx)(n.code,{children:"HTTPS_PROXY"})," \ubc0f ",(0,r.jsx)(n.code,{children:"NO_PROXY"})," \ubcc0\uc218\uc640 ",(0,r.jsx)(n.code,{children:"CONTAINERD_HTTP_PROXY"}),", ",(0,r.jsx)(n.code,{children:"CONTAINERD_HTTPS_PROXY"})," \ubc0f ",(0,r.jsx)(n.code,{children:"CONTAINERD_NO_PROXY"})," \ubcc0\uc218\uac00 \uc788\ub294 \uacbd\uc6b0 \uc774\ub97c systemd \uc11c\ube44\uc2a4\uc758 \ud658\uacbd \ud30c\uc77c\uc5d0 \uc791\uc131\ud569\ub2c8\ub2e4:"]}),"\n",(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsx)(n.li,{children:(0,r.jsx)(n.code,{children:"/etc/systemd/system/k3s.service.env"})}),"\n",(0,r.jsx)(n.li,{children:(0,r.jsx)(n.code,{children:"/etc/systemd/system/k3s-agent.service.env"})}),"\n"]}),"\n",(0,r.jsx)(n.p,{children:"\ubb3c\ub860 \uc774 \ud30c\uc77c\uc744 \ud3b8\uc9d1\ud558\uc5ec \ud504\ub85d\uc2dc\ub97c \uad6c\uc131\ud560 \uc218\ub3c4 \uc788\uc2b5\ub2c8\ub2e4."}),"\n",(0,r.jsxs)(n.p,{children:["K3s\ub294 \ud074\ub7ec\uc2a4\ud130 \ub0b4\ubd80 \ud30c\ub4dc \ubc0f \uc11c\ube44\uc2a4 IP \ubc94\uc704\uc640 \ud074\ub7ec\uc2a4\ud130 DNS \ub3c4\uba54\uc778\uc744 \uc790\ub3d9\uc73c\ub85c ",(0,r.jsx)(n.code,{children:"NO_PROXY"})," \ud56d\ubaa9 \ubaa9\ub85d\uc5d0 \ucd94\uac00\ud569\ub2c8\ub2e4. \ucfe0\ubc84\ub124\ud2f0\uc2a4 \ub178\ub4dc \uc790\uccb4\uc5d0\uc11c \uc0ac\uc6a9\ud558\ub294 IP \uc8fc\uc18c \ubc94\uc704(\uc989, \ub178\ub4dc\uc758 \ud37c\ube14\ub9ad \ubc0f \ud504\ub77c\uc774\ube57 IP)\uac00 ",(0,r.jsx)(n.code,{children:"NO_PROXY"})," \ubaa9\ub85d\uc5d0 \ud3ec\ud568\ub418\uc5b4 \uc788\ub294\uc9c0 \ub610\ub294 \ud504\ub85d\uc2dc\ub97c \ud1b5\ud574 \ub178\ub4dc\uc5d0 \ub3c4\ub2ec\ud560 \uc218 \uc788\ub294\uc9c0 \ud655\uc778\ud574\uc57c \ud569\ub2c8\ub2e4."]}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{children:"HTTP_PROXY=http://your-proxy.example.com:8888\nHTTPS_PROXY=http://your-proxy.example.com:8888\nNO_PROXY=127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16\n"})}),"\n",(0,r.jsxs)(n.p,{children:["K3s\uc640 Kubelet\uc5d0 \uc601\ud5a5\uc744 \uc8fc\uc9c0 \uc54a\uace0 \ucee8\ud14c\uc774\ub108\uc5d0 \ub300\ud55c \ud504\ub85d\uc2dc \uc124\uc815\uc744 \uad6c\uc131\ud558\ub824\uba74, \ubcc0\uc218 \uc55e\uc5d0 ",(0,r.jsx)(n.code,{children:"CONTAINERD_"}),"\ub97c \ubd99\uc774\uba74 \ub429\ub2c8\ub2e4:"]}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{children:"CONTAINERD_HTTP_PROXY=http://your-proxy.example.com:8888\nCONTAINERD_HTTPS_PROXY=http://your-proxy.example.com:8888\nCONTAINERD_NO_PROXY=127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16\n"})}),"\n",(0,r.jsx)(n.h2,{id:"\ucee8\ud14c\uc774\ub108-\ub7f0\ud0c0\uc784\uc73c\ub85c-docker-\uc0ac\uc6a9",children:"\ucee8\ud14c\uc774\ub108 \ub7f0\ud0c0\uc784\uc73c\ub85c Docker \uc0ac\uc6a9"}),"\n",(0,r.jsxs)(n.p,{children:["K3s\ub294 \uc5c5\uacc4 \ud45c\uc900 \ucee8\ud14c\uc774\ub108 \ub7f0\ud0c0\uc784\uc778 ",(0,r.jsx)(n.a,{href:"https://containerd.io/",children:"containerd"}),"\ub97c \ud3ec\ud568\ud558\uba70 \uae30\ubcf8\uac12\uc73c\ub85c \uc0ac\uc6a9\ud569\ub2c8\ub2e4.\n\ucfe0\ubc84\ub124\ud2f0\uc2a4 1.24\ubd80\ud130, kubelet\uc740 \ub354 \uc774\uc0c1 kubelet\uc774 dockerd\uc640 \ud1b5\uc2e0\ud560 \uc218 \uc788\ub3c4\ub85d \ud558\ub294 \ucef4\ud3ec\ub10c\ud2b8\uc778 dockershim\uc744 \ud3ec\ud568\ud558\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4.\nK3s 1.24 \uc774\uc0c1\uc5d0\ub294 ",(0,r.jsx)(n.a,{href:"https://github.com/Mirantis/cri-dockerd",children:"cri-dockerd"}),"\uac00 \ud3ec\ud568\ub418\uc5b4 \uc788\uc5b4 \uc774\uc804 \ub9b4\ub9ac\uc988\uc758 K3s\uc5d0\uc11c \uc6d0\ud65c\ud558\uac8c \uc5c5\uadf8\ub808\uc774\ub4dc\ud558\uba74\uc11c Docker \ucee8\ud14c\uc774\ub108 \ub7f0\ud0c0\uc784\uc744 \uacc4\uc18d \uc0ac\uc6a9\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."]}),"\n",(0,r.jsx)(n.p,{children:"\ucee8\ud14c\uc774\ub108 \ub300\uc2e0 Docker\ub97c \uc0ac\uc6a9\ud558\ub824\uba74:"}),"\n",(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsxs)(n.p,{children:["K3s \ub178\ub4dc\uc5d0 Docker\ub97c \uc124\uce58\ud569\ub2c8\ub2e4. \ub79c\ucc98\uc758 ",(0,r.jsx)(n.a,{href:"https://github.com/rancher/install-docker",children:"Docker \uc124\uce58 \uc2a4\ud06c\ub9bd\ud2b8"})," \uc911 \ud558\ub098\ub97c \uc0ac\uc6a9\ud558\uc5ec Docker\ub97c \uc124\uce58\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4:"]}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"curl https://releases.rancher.com/install-docker/20.10.sh | sh\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsxs)(n.p,{children:[(0,r.jsx)(n.code,{children:"--docker"})," \uc635\uc158\uc744 \uc0ac\uc6a9\ud558\uc5ec K3s\ub97c \uc124\uce58\ud569\ub2c8\ub2e4:"]}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | sh -s - --docker\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"\ud074\ub7ec\uc2a4\ud130\ub97c \uc0ac\uc6a9\ud560 \uc218 \uc788\ub294\uc9c0 \ud655\uc778\ud569\ub2c8\ub2e4:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"$ sudo k3s kubectl get pods --all-namespaces\nNAMESPACE NAME READY STATUS RESTARTS AGE\nkube-system local-path-provisioner-6d59f47c7-lncxn 1/1 Running 0 51s\nkube-system metrics-server-7566d596c8-9tnck 1/1 Running 0 51s\nkube-system helm-install-traefik-mbkn9 0/1 Completed 1 51s\nkube-system coredns-8655855d6-rtbnb 1/1 Running 0 51s\nkube-system svclb-traefik-jbmvl 2/2 Running 0 43s\nkube-system traefik-758cd5fc85-2wz97 1/1 Running 0 43s\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Docker \ucee8\ud14c\uc774\ub108\uac00 \uc2e4\ud589 \uc911\uc778\uc9c0 \ud655\uc778\ud569\ub2c8\ub2e4:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:'$ sudo docker ps\nCONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES\n3e4d34729602 897ce3c5fc8f "entry" About a minute ago Up About a minute k8s_lb-port-443_svclb-traefik-jbmvl_kube-system_d46f10c6-073f-4c7e-8d7a-8e7ac18f9cb0_0\nbffdc9d7a65f rancher/klipper-lb "entry" About a minute ago Up About a minute k8s_lb-port-80_svclb-traefik-jbmvl_kube-system_d46f10c6-073f-4c7e-8d7a-8e7ac18f9cb0_0\n436b85c5e38d rancher/library-traefik "/traefik --configfi\u2026" About a minute ago Up About a minute k8s_traefik_traefik-758cd5fc85-2wz97_kube-system_07abe831-ffd6-4206-bfa1-7c9ca4fb39e7_0\nde8fded06188 rancher/pause:3.1 "/pause" About a minute ago Up About a minute k8s_POD_svclb-traefik-jbmvl_kube-system_d46f10c6-073f-4c7e-8d7a-8e7ac18f9cb0_0\n7c6a30aeeb2f rancher/pause:3.1 "/pause" About a minute ago Up About a minute k8s_POD_traefik-758cd5fc85-2wz97_kube-system_07abe831-ffd6-4206-bfa1-7c9ca4fb39e7_0\nae6c58cab4a7 9d12f9848b99 "local-path-provisio\u2026" About a minute ago Up About a minute k8s_local-path-provisioner_local-path-provisioner-6d59f47c7-lncxn_kube-system_2dbd22bf-6ad9-4bea-a73d-620c90a6c1c1_0\nbe1450e1a11e 9dd718864ce6 "/metrics-server" About a minute ago Up About a minute k8s_metrics-server_metrics-server-7566d596c8-9tnck_kube-system_031e74b5-e9ef-47ef-a88d-fbf3f726cbc6_0\n4454d14e4d3f c4d3d16fe508 "/coredns -conf /etc\u2026" About a minute ago Up About a minute k8s_coredns_coredns-8655855d6-rtbnb_kube-system_d05725df-4fb1-410a-8e82-2b1c8278a6a1_0\nc3675b87f96c rancher/pause:3.1 "/pause" About a minute ago Up About a minute k8s_POD_coredns-8655855d6-rtbnb_kube-system_d05725df-4fb1-410a-8e82-2b1c8278a6a1_0\n4b1fddbe6ca6 rancher/pause:3.1 "/pause" About a minute ago Up About a minute k8s_POD_local-path-provisioner-6d59f47c7-lncxn_kube-system_2dbd22bf-6ad9-4bea-a73d-620c90a6c1c1_0\n64d3517d4a95 rancher/pause:3.1 "/pause"\n'})}),"\n"]}),"\n"]}),"\n",(0,r.jsx)(n.h2,{id:"etcdctl-\uc0ac\uc6a9\ud558\uae30",children:"etcdctl \uc0ac\uc6a9\ud558\uae30"}),"\n",(0,r.jsx)(n.p,{children:"etcdctl\uc740 etcd \uc11c\ubc84\uc640 \uc0c1\ud638 \uc791\uc6a9\ud558\uae30 \uc704\ud55c CLI\ub97c \uc81c\uacf5\ud569\ub2c8\ub2e4. K3s\ub294 etcdctl\uc744 \ubc88\ub4e4\ub85c \uc81c\uacf5\ud558\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4."}),"\n",(0,r.jsxs)(n.p,{children:["etcdctl\uc744 \uc0ac\uc6a9\ud558\uc5ec K3s\uc758 \ub0b4\uc7a5\ub41c etcd\uc640 \uc0c1\ud638 \uc791\uc6a9\ud558\ub824\uba74 ",(0,r.jsx)(n.a,{href:"https://etcd.io/docs/latest/install/",children:"\uacf5\uc2dd \ubb38\uc11c"}),"\ub97c \ucc38\uc870\ud558\uc5ec etcdctl\uc744 \uc124\uce58\ud558\uc138\uc694."]}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:'ETCD_VERSION="v3.5.5"\nETCD_URL="https://github.com/etcd-io/etcd/releases/download/${ETCD_VERSION}/etcd-${ETCD_VERSION}-linux-amd64.tar.gz"\ncurl -sL ${ETCD_URL} | sudo tar -zxv --strip-components=1 -C /usr/local/bin\n'})}),"\n",(0,r.jsx)(n.p,{children:"\uadf8\ub7f0 \ub2e4\uc74c \uc778\uc99d\uc5d0 K3s\uc5d0\uc11c \uad00\ub9ac\ud558\ub294 \uc778\uc99d\uc11c \ubc0f \ud0a4\ub97c \uc0ac\uc6a9\ud558\ub3c4\ub85d etcdctl\uc744 \uad6c\uc131\ud558\uc5ec \uc0ac\uc6a9\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"sudo etcdctl version \\\n --cacert=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt \\\n --cert=/var/lib/rancher/k3s/server/tls/etcd/client.crt \\\n --key=/var/lib/rancher/k3s/server/tls/etcd/client.key\n"})}),"\n",(0,r.jsx)(n.h2,{id:"\ucee8\ud14c\uc774\ub108-\uc124\uc815\ud558\uae30",children:"\ucee8\ud14c\uc774\ub108 \uc124\uc815\ud558\uae30"}),"\n",(0,r.jsxs)(n.p,{children:["K3s\ub294 ",(0,r.jsx)(n.code,{children:"/var/lib/rancher/k3s/agent/etc/containerd/config.toml"}),"\uc5d0 \ucee8\ud14c\uc774\ub108\uc5d0 \ub300\ud55c config.toml\uc744 \uc0dd\uc131\ud569\ub2c8\ub2e4."]}),"\n",(0,r.jsxs)(n.p,{children:["\uc774 \ud30c\uc77c\uc5d0 \ub300\ud55c \uace0\uae09 \ucee4\uc2a4\ud130\ub9c8\uc774\uc9d5\uc744 \uc704\ud574 \uac19\uc740 \ub514\ub809\ud130\ub9ac\uc5d0 ",(0,r.jsx)(n.code,{children:"config.toml.tmpl"}),"\uc774\ub77c\ub294 \ub2e4\ub978 \ud30c\uc77c\uc744 \uc0dd\uc131\ud558\uba74 \uc774 \ud30c\uc77c\uc774 \ub300\uc2e0 \uc0ac\uc6a9\ub41c\ub2e4."]}),"\n",(0,r.jsxs)(n.p,{children:[(0,r.jsx)(n.code,{children:"config.toml.tmpl"}),"\uc740 Go \ud15c\ud50c\ub9bf \ud30c\uc77c\ub85c \ucde8\uae09\ub418\uba70, ",(0,r.jsx)(n.code,{children:"config.Node"})," \uad6c\uc870\uac00 \ud15c\ud50c\ub9bf\uc73c\ub85c \uc804\ub2ec\ub429\ub2c8\ub2e4. \uc774 \uad6c\uc870\ub97c \uc0ac\uc6a9\ud558\uc5ec \uad6c\uc131 \ud30c\uc77c\uc744 \uc0ac\uc6a9\uc790 \uc815\uc758\ud558\ub294 \ubc29\ubc95\uc5d0 \ub300\ud55c Linux \ubc0f Windows \uc608\uc81c\ub294 ",(0,r.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/blob/master/pkg/agent/templates",children:"\uc774 \ud3f4\ub354"}),"\ub97c \ucc38\uc870\ud558\uc138\uc694.\nconfig.Node Go \uc5b8\uc5b4 \uad6c\uc870\uccb4\ub294 ",(0,r.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/blob/master/pkg/daemons/config/types.go#L37",children:"\uc5ec\uae30"}),"\uc5d0 \uc815\uc758\ub418\uc5b4 \uc788\uc2b5\ub2c8\ub2e4."]}),"\n",(0,r.jsx)(n.h2,{id:"nvidia-\ucee8\ud14c\uc774\ub108-\ub7f0\ud0c0\uc784-\uc9c0\uc6d0",children:"NVIDIA \ucee8\ud14c\uc774\ub108 \ub7f0\ud0c0\uc784 \uc9c0\uc6d0"}),"\n",(0,r.jsx)(n.p,{children:"K3s\ub294 K3s \uc2dc\uc791 \uc2dc NVIDIA \ucee8\ud14c\uc774\ub108 \ub7f0\ud0c0\uc784\uc774 \uc788\uc73c\uba74 \uc790\ub3d9\uc73c\ub85c \uac10\uc9c0\ud558\uc5ec \uc124\uc815\ud569\ub2c8\ub2e4."}),"\n",(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\uc544\ub798\uc758 \uc548\ub0b4\uc5d0 \ub530\ub77c \ub178\ub4dc\uc5d0 \uc5d4\ube44\ub514\uc544 \ucee8\ud14c\uc774\ub108 \ud328\ud0a4\uc9c0 \ub9ac\ud3ec\uc9c0\ud1a0\ub9ac\ub97c \uc124\uce58\ud569\ub2c8\ub2e4:\n",(0,r.jsx)(n.a,{href:"https://nvidia.github.io/libnvidia-container/",children:"https://nvidia.github.io/libnvidia-container/"})]}),"\n",(0,r.jsxs)(n.li,{children:["\uc5d4\ube44\ub514\uc544 \ucee8\ud14c\uc774\ub108 \ub7f0\ud0c0\uc784 \ud328\ud0a4\uc9c0\ub97c \uc124\uce58\ud569\ub2c8\ub2e4. \uc608\uc2dc:\n",(0,r.jsx)(n.code,{children:"apt install -y nvidia-container-runtime cuda-drivers-fabricmanager-515 nvidia-headless-515-server"})]}),"\n",(0,r.jsxs)(n.li,{children:["K3s\ub97c \uc124\uce58\ud558\uac70\ub098 \uc774\ubbf8 \uc124\uce58\ub418\uc5b4 \uc788\ub294 \uacbd\uc6b0 \ub2e4\uc2dc \uc2dc\uc791\ud569\ub2c8\ub2e4:\n",(0,r.jsx)(n.code,{children:"curl -ksL get.k3s.io | sh -"})]}),"\n",(0,r.jsxs)(n.li,{children:["k3s\uac00 \uc5d4\ube44\ub514\uc544 \ucee8\ud14c\uc774\ub108 \ub7f0\ud0c0\uc784\uc744 \ucc3e\uc558\ub294\uc9c0 \ud655\uc778\ud569\ub2c8\ub2e4:\n",(0,r.jsx)(n.code,{children:"grep nvidia /var/lib/rancher/k3s/agent/etc/containerd/config.toml"})]}),"\n"]}),"\n",(0,r.jsxs)(n.p,{children:["\uc774\ub807\uac8c \ud558\uba74 \ubc1c\uacac\ub41c \ub7f0\ud0c0\uc784 \uc2e4\ud589 \ud30c\uc77c\uc5d0 \ub530\ub77c \ucee8\ud14c\uc774\ub108 \uc124\uc815\uc5d0 ",(0,r.jsx)(n.code,{children:"nvidia"})," \ubc0f/\ub610\ub294 ",(0,r.jsx)(n.code,{children:"nvidia-experimental"})," \ub7f0\ud0c0\uc784\uc774 \uc790\ub3d9\uc73c\ub85c \ucd94\uac00\ub429\ub2c8\ub2e4.\n\uc5ec\uc804\ud788 \ud074\ub7ec\uc2a4\ud130\uc5d0 \ub7f0\ud0c0\uc784\ud074\ub798\uc2a4 \uc815\uc758\ub97c \ucd94\uac00\ud558\uace0, \ud30c\ub4dc \uc2a4\ud399\uc5d0\uc11c ",(0,r.jsx)(n.code,{children:"runtimeClassName: nvidia"}),"\ub97c \uc124\uc815\ud558\uc5ec \uc801\uc808\ud55c \ub7f0\ud0c0\uc784\uc744 \uba85\uc2dc\uc801\uc73c\ub85c \uc694\uccad\ud558\ub294 \ud30c\ub4dc\ub97c \ubc30\ud3ec\ud574\uc57c \ud569\ub2c8\ub2e4:"]}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-yaml",children:'apiVersion: node.k8s.io/v1\nkind: RuntimeClass\nmetadata:\n name: nvidia\nhandler: nvidia\n---\napiVersion: v1\nkind: Pod\nmetadata:\n name: nbody-gpu-benchmark\n namespace: default\nspec:\n restartPolicy: OnFailure\n runtimeClassName: nvidia\n containers:\n - name: cuda-container\n image: nvcr.io/nvidia/k8s/cuda-sample:nbody\n args: ["nbody", "-gpu", "-benchmark"]\n resources:\n limits:\n nvidia.com/gpu: 1\n env:\n - name: NVIDIA_VISIBLE_DEVICES\n value: all\n - name: NVIDIA_DRIVER_CAPABILITIES\n value: all\n'})}),"\n",(0,r.jsxs)(n.p,{children:["\uc5d4\ube44\ub514\uc544 \ucee8\ud14c\uc774\ub108 \ub7f0\ud0c0\uc784\uc740 ",(0,r.jsx)(n.a,{href:"https://github.com/NVIDIA/k8s-device-plugin/",children:"\uc5d4\ube44\ub514\uc544 \ub514\ubc14\uc774\uc2a4 \ud50c\ub7ec\uadf8\uc778"})," \ubc0f ",(0,r.jsx)(n.a,{href:"https://github.com/NVIDIA/gpu-feature-discovery/",children:"GPU \uae30\ub2a5 \uac80\uc0c9"}),"\uacfc \ud568\uaed8 \uc790\uc8fc \uc0ac\uc6a9\ub418\uba70, \uc704\uc5d0\uc11c \uc5b8\uae09\ud55c \uac83\ucc98\ub7fc \ud30c\ub4dc \uc0ac\uc591\uc5d0 ",(0,r.jsx)(n.code,{children:"runtimeClassName: nvidia"}),"\uac00 \ud3ec\ud568\ub418\ub3c4\ub85d \uc218\uc815\ud558\uc5ec \ubcc4\ub3c4\ub85c \uc124\uce58\ud574\uc57c \ud55c\ub2e4\ub294 \uc810\uc5d0 \uc720\uc758\ud558\uc138\uc694."]}),"\n",(0,r.jsx)(n.h2,{id:"\uc5d0\uc774\uc804\ud2b8-\uc5c6\ub294-\uc11c\ubc84-\uc2e4\ud589\ud558\uae30\uc2e4\ud5d8\uc801",children:"\uc5d0\uc774\uc804\ud2b8 \uc5c6\ub294 \uc11c\ubc84 \uc2e4\ud589\ud558\uae30(\uc2e4\ud5d8\uc801)"}),"\n",(0,r.jsxs)(n.blockquote,{children:["\n",(0,r.jsxs)(n.p,{children:[(0,r.jsx)(n.strong,{children:"\uacbd\uace0:"})," \uc774 \uae30\ub2a5\uc740 \uc2e4\ud5d8 \ub2e8\uacc4\uc785\ub2c8\ub2e4."]}),"\n"]}),"\n",(0,r.jsxs)(n.p,{children:[(0,r.jsx)(n.code,{children:"disable-agent"})," \ud50c\ub798\uadf8\ub85c \uc2dc\uc791\ud558\uba74, \uc11c\ubc84\ub294 kubelet, \ucee8\ud14c\uc774\ub108 \ub7f0\ud0c0\uc784 \ub610\ub294 CNI\ub97c \uc2e4\ud589\ud558\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4. \ud074\ub7ec\uc2a4\ud130\uc5d0 \ub178\ub4dc \ub9ac\uc18c\uc2a4\ub97c \ub4f1\ub85d\ud558\uc9c0 \uc54a\uc73c\uba70, ",(0,r.jsx)(n.code,{children:"kubectl get nodes"})," \ucd9c\ub825\uc5d0 \ub098\ud0c0\ub098\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4.\n\uc5d0\uc774\uc804\ud2b8\ub9ac\uc2a4 \uc11c\ubc84\ub294 kubelet\uc744 \ud638\uc2a4\ud2b8\ud558\uc9c0 \uc54a\uae30 \ub54c\ubb38\uc5d0, \ud30c\ub4dc\ub97c \uc2e4\ud589\ud558\uac70\ub098 \ub0b4\uc7a5\ub41c etcd \ucee8\ud2b8\ub864\ub7ec \ubc0f \uc2dc\uc2a4\ud15c \uc5c5\uadf8\ub808\uc774\ub4dc \ucee8\ud2b8\ub864\ub7ec\ub97c \ud3ec\ud568\ud558\uc5ec \ud074\ub7ec\uc2a4\ud130 \ub178\ub4dc\ub97c \uc5f4\uac70\ud558\ub294 \ub370 \uc758\uc874\ud558\ub294 \uc6b4\uc601\uc790\uac00 \uad00\ub9ac\ud560 \uc218 \uc5c6\uc2b5\ub2c8\ub2e4."]}),"\n",(0,r.jsx)(n.p,{children:"\uc5d0\uc774\uc804\ud2b8\ub9ac\uc2a4 \uc11c\ubc84\ub97c \uc2e4\ud589\ud558\ub294 \uac83\uc740 \ud074\ub7ec\uc2a4\ud130 \uc6b4\uc601\uc790 \uc9c0\uc6d0 \ubd80\uc871\uc73c\ub85c \uc778\ud55c \uad00\ub9ac \uc624\ubc84\ud5e4\ub4dc \uc99d\uac00\ub97c \uac10\uc218\ud558\uace0\uc11c\ub77c\ub3c4 \uc5d0\uc774\uc804\ud2b8\uc640 \uc6cc\ud06c\ub85c\ub4dc\uc5d0 \uc758\ud55c \uac80\uc0c9\uc73c\ub85c\ubd80\ud130 \ucee8\ud2b8\ub864 \ud50c\ub808\uc778 \ub178\ub4dc\ub97c \uc228\uae30\uace0\uc790 \ud558\ub294 \uacbd\uc6b0\uc5d0 \uc720\ub9ac\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."}),"\n",(0,r.jsx)(n.h2,{id:"\ub8e8\ud2b8\ub9ac\uc2a4-\uc11c\ubc84-\uc2e4\ud589\uc2e4\ud5d8\uc801",children:"\ub8e8\ud2b8\ub9ac\uc2a4 \uc11c\ubc84 \uc2e4\ud589(\uc2e4\ud5d8\uc801)"}),"\n",(0,r.jsxs)(n.blockquote,{children:["\n",(0,r.jsxs)(n.p,{children:[(0,r.jsx)(n.strong,{children:"\uacbd\uace0:"})," \uc774 \uae30\ub2a5\uc740 \uc2e4\ud5d8 \ub2e8\uacc4\uc785\ub2c8\ub2e4."]}),"\n"]}),"\n",(0,r.jsx)(n.p,{children:"\ub8e8\ud2b8\ub9ac\uc2a4 \ubaa8\ub4dc\ub294 \uc7a0\uc7ac\uc801\uc778 \ucee8\ud14c\uc774\ub108 \ube0c\ub808\uc774\ud06c\uc544\uc6c3 \uacf5\uaca9\uc73c\ub85c\ubd80\ud130 \ud638\uc2a4\ud2b8\uc758 \uc2e4\uc81c \ub8e8\ud2b8\ub97c \ubcf4\ud638\ud558\uae30 \uc704\ud574 \uad8c\ud55c\uc774 \uc5c6\ub294 \uc0ac\uc6a9\uc790\ub85c K3s \uc11c\ubc84\ub97c \uc2e4\ud589\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."}),"\n",(0,r.jsxs)(n.p,{children:["\ub8e8\ud2b8\ub9ac\uc2a4 \ucfe0\ubc84\ub124\ud2f0\uc2a4\uc5d0 \ub300\ud55c \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,r.jsx)(n.a,{href:"https://rootlesscontaine.rs/",children:"https://rootlesscontaine.rs/"})," \uc744 \ucc38\uc870\ud558\uc138\uc694."]}),"\n",(0,r.jsx)(n.h3,{id:"\ub8e8\ud2b8\ub9ac\uc2a4-\ubaa8\ub4dc\uc758-\uc54c\ub824\uc9c4-\uc774\uc288",children:"\ub8e8\ud2b8\ub9ac\uc2a4 \ubaa8\ub4dc\uc758 \uc54c\ub824\uc9c4 \uc774\uc288"}),"\n",(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:(0,r.jsx)(n.strong,{children:"\ud3ec\ud2b8"})}),"\n",(0,r.jsx)(n.p,{children:"\ub8e8\ud2b8\ub9ac\uc2a4 \uc2e4\ud589 \uc2dc \uc0c8\ub85c\uc6b4 \ub124\ud2b8\uc6cc\ud06c \ub124\uc784\uc2a4\ud398\uc774\uc2a4\uac00 \uc0dd\uc131\ub429\ub2c8\ub2e4. \uc774\ub294 K3s \uc778\uc2a4\ud134\uc2a4\uac00 \ud638\uc2a4\ud2b8\uc640 \ub124\ud2b8\uc6cc\ud0b9\uc774 \uc0c1\ub2f9\ud788 \ubd84\ub9ac\ub41c \uc0c1\ud0dc\ub85c \uc2e4\ud589\ub41c\ub2e4\ub294 \uac83\uc744 \uc758\ubbf8\ud569\ub2c8\ub2e4.\n\ud638\uc2a4\ud2b8\uc5d0\uc11c K3s\uc5d0\uc11c \uc2e4\ud589\ub418\ub294 \uc11c\ube44\uc2a4\uc5d0 \uc561\uc138\uc2a4\ud558\ub294 \uc720\uc77c\ud55c \ubc29\ubc95\uc740 K3s \ub124\ud2b8\uc6cc\ud06c \ub124\uc784\uc2a4\ud398\uc774\uc2a4\uc5d0 \ud3ec\ud2b8 \ud3ec\uc6cc\ub4dc\ub97c \uc124\uc815\ud558\ub294 \uac83\uc785\ub2c8\ub2e4.\n\ub8e8\ud2b8\ub9ac\uc2a4 K3s\uc5d0\ub294 6443 \ubc0f 1024 \ubbf8\ub9cc\uc758 \uc11c\ube44\uc2a4 \ud3ec\ud2b8\ub97c 10000 \uc624\ud504\uc14b\uc73c\ub85c \ud638\uc2a4\ud2b8\uc5d0 \uc790\ub3d9\uc73c\ub85c \ubc14\uc778\ub529\ud558\ub294 \ucee8\ud2b8\ub864\ub7ec\uac00 \ud3ec\ud568\ub418\uc5b4 \uc788\uc2b5\ub2c8\ub2e4."}),"\n",(0,r.jsx)(n.p,{children:"\uc608\ub97c \ub4e4\uc5b4, \ud3ec\ud2b8 80\uc758 \uc11c\ube44\uc2a4\ub294 \ud638\uc2a4\ud2b8\uc5d0\uc11c 10080\uc774 \ub418\uc9c0\ub9cc 8080\uc740 \uc624\ud504\uc14b \uc5c6\uc774 8080\uc774 \ub429\ub2c8\ub2e4. \ud604\uc7ac \ub85c\ub4dc\ubc38\ub7f0\uc11c \uc11c\ube44\uc2a4\ub9cc \uc790\ub3d9\uc73c\ub85c \ubc14\uc778\ub529\ub429\ub2c8\ub2e4."}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:(0,r.jsx)(n.strong,{children:"Cgroup"})}),"\n",(0,r.jsx)(n.p,{children:'Cgroup v1 \ubc0f \ud558\uc774\ube0c\ub9ac\ub4dc v1/v2\ub294 \uc9c0\uc6d0\ub418\uc9c0 \uc54a\uc73c\uba70, \uc21c\uc218 Cgroup v2\ub9cc \uc9c0\uc6d0\ub429\ub2c8\ub2e4. \ub8e8\ud2b8\ub9ac\uc2a4 \uc2e4\ud589 \uc2dc \ub204\ub77d\ub41c Cgroup\uc73c\ub85c \uc778\ud574 K3s\uac00 \uc2dc\uc791\ub418\uc9c0 \uc54a\ub294 \uacbd\uc6b0, \ub178\ub4dc\uac00 \ud558\uc774\ube0c\ub9ac\ub4dc \ubaa8\ub4dc\uc5d0 \uc788\uace0 "\ub204\ub77d\ub41c" Cgroup\uc774 \uc5ec\uc804\ud788 v1 \ucee8\ud2b8\ub864\ub7ec\uc5d0 \ubc14\uc778\ub529\ub418\uc5b4 \uc788\uc744 \uac00\ub2a5\uc131\uc774 \ub192\uc2b5\ub2c8\ub2e4.'}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:(0,r.jsx)(n.strong,{children:"\uba40\ud2f0\ub178\ub4dc/\uba40\ud2f0\ud504\ub85c\uc138\uc2a4 \ud074\ub7ec\uc2a4\ud130"})}),"\n",(0,r.jsxs)(n.p,{children:["\ub2e4\uc911 \ub178\ub4dc \ub8e8\ud2b8\ub9ac\uc2a4 \ud074\ub7ec\uc2a4\ud130 \ub610\ub294 \ub3d9\uc77c\ud55c \ub178\ub4dc\uc5d0 \uc788\ub294 \uc5ec\ub7ec \uac1c\uc758 \ub8e8\ud2b8\ub9ac\uc2a4 k3s \ud504\ub85c\uc138\uc2a4\ub294 \ud604\uc7ac \uc9c0\uc6d0\ub418\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4. \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,r.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/issues/6488#issuecomment-1314998091",children:"#6488"}),"\uc744 \ucc38\uc870\ud558\uc138\uc694."]}),"\n"]}),"\n"]}),"\n",(0,r.jsx)(n.h3,{id:"\ub8e8\ud2b8\ub9ac\uc2a4-\uc11c\ubc84-\uc2dc\uc791\ud558\uae30",children:"\ub8e8\ud2b8\ub9ac\uc2a4 \uc11c\ubc84 \uc2dc\uc791\ud558\uae30"}),"\n",(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsxs)(n.p,{children:[(0,r.jsx)(n.a,{href:"https://rootlesscontaine.rs/getting-started/common/cgroup2/",children:"https://rootlesscontaine.rs/getting-started/common/cgroup2/"})," \uc744 \ucc38\uc870\ud558\uc5ec cgroup v2 \uc704\uc784\uc744 \ud65c\uc131\ud654\ud569\ub2c8\ub2e4.\n\uc774 \ub2e8\uacc4\ub294 \ud544\uc218\uc774\uba70, \uc801\uc808\ud55c cgroups\uac00 \uc704\uc784\ub418\uc9c0 \uc54a\uc73c\uba74 \ub8e8\ud2b8\ub9ac\uc2a4 kubelet\uc744 \uc2dc\uc791\ud558\uc9c0 \ubabb\ud569\ub2c8\ub2e4."]}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsxs)(n.p,{children:[(0,r.jsx)(n.code,{children:"https://github.com/k3s-io/k3s/blob/<VERSION>/k3s-rootless.service"}),"](",(0,r.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/blob/master/k3s-rootless.service)%EC%97%90%EC%84%9C",children:"https://github.com/k3s-io/k3s/blob/master/k3s-rootless.service)\uc5d0\uc11c"})," ",(0,r.jsx)(n.code,{children:"k3s-rootless.service"}),"\ub97c \ub2e4\uc6b4\ub85c\ub4dc\ud55c\ub2e4.\n",(0,r.jsx)(n.code,{children:"k3s-rootless.service"}),"\uc640 ",(0,r.jsx)(n.code,{children:"k3s"}),"\uc758 \ubc84\uc804\uc774 \uac19\uc740 \uac83\uc744 \uc0ac\uc6a9\ud574\uc57c \ud569\ub2c8\ub2e4."]}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsxs)(n.p,{children:[(0,r.jsx)(n.code,{children:"k3s-rootless.service"}),"\ub97c ",(0,r.jsx)(n.code,{children:"~/.config/systemd/user/k3s-rootless.service"}),"\uc5d0 \uc124\uce58\ud569\ub2c8\ub2e4.\n\uc774 \ud30c\uc77c\uc744 \uc2dc\uc2a4\ud15c \uc804\uccb4 \uc11c\ube44\uc2a4(",(0,r.jsx)(n.code,{children:"/etc/systemd/..."}),")\ub85c \uc124\uce58\ud558\ub294 \uac83\uc740 \uc9c0\uc6d0\ub418\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4.\n",(0,r.jsx)(n.code,{children:"k3s"})," \ubc14\uc774\ub108\ub9ac\uc758 \uacbd\ub85c\uc5d0 \ub530\ub77c \ud30c\uc77c\uc758 ",(0,r.jsx)(n.code,{children:"ExecStart=/usr/local/bin/k3s ..."})," \ud589\uc744 \uc218\uc815\ud574\uc57c \ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."]}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsxs)(n.p,{children:[(0,r.jsx)(n.code,{children:"systemctl --user daemon-reload"}),"\ub97c \uc2e4\ud589\ud569\ub2c8\ub2e4."]}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsxs)(n.p,{children:[(0,r.jsx)(n.code,{children:"systemctl --user enable --now k3s-rootless"}),"\ub97c \uc2e4\ud589\ud55c\ub2e4."]}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsxs)(n.p,{children:[(0,r.jsx)(n.code,{children:"KUBECONFIG=~/.kube/k3s.yaml kubectl get pods -A"}),"\ub97c \uc2e4\ud589\ud558\uace0, \ud30c\ub4dc\uac00 \uc2e4\ud589 \uc911\uc778\uc9c0 \ud655\uc778\ud55c\ub2e4."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(n.blockquote,{children:["\n",(0,r.jsxs)(n.p,{children:["\ucc38\uace0: \ud130\ubbf8\ub110 \uc138\uc158\uc740 cgroups v2 \uc704\uc784\uc744 \ud5c8\uc6a9\ud558\uc9c0 \uc54a\uc73c\ubbc0\ub85c \ud130\ubbf8\ub110\uc5d0\uc11c ",(0,r.jsx)(n.code,{children:"k3s server --rootless"}),"\ub97c \uc2e4\ud589\ud558\uc9c0 \uc54a\ub294\ub2e4.\n\ud130\ubbf8\ub110\uc5d0\uc11c \uaf2d \uc2e4\ud589\ud574\uc57c \ud558\ub294 \uacbd\uc6b0, ",(0,r.jsx)(n.code,{children:"systemd-run --user -p Delegate=yes --tty k3s server --roolless"}),"\ub97c \uc0ac\uc6a9\ud558\uc5ec systemd \ubc94\uc704\ub85c \ub798\ud551\ud569\ub2c8\ub2e4."]}),"\n"]}),"\n",(0,r.jsx)(n.h3,{id:"\uace0\uae09-\ub8e8\ud2b8\ub9ac\uc2a4-\uad6c\uc131",children:"\uace0\uae09 \ub8e8\ud2b8\ub9ac\uc2a4 \uad6c\uc131"}),"\n",(0,r.jsxs)(n.p,{children:["\ub8e8\ud2b8\ub9ac\uc2a4 K3s\ub294 \ud638\uc2a4\ud2b8\uc640 \uc0ac\uc6a9\uc790 \ub124\ud2b8\uc6cc\ud06c \ub124\uc784\uc2a4\ud398\uc774\uc2a4 \uac04 \ud1b5\uc2e0\uc744 \uc704\ud574 ",(0,r.jsx)(n.a,{href:"https://github.com/rootless-containers/rootlesskit",children:"rootlesskit"})," \ubc0f ",(0,r.jsx)(n.a,{href:"https://github.com/rootless-containers/slirp4netns",children:"slirp4netns"}),"\ub97c \uc0ac\uc6a9\ud569\ub2c8\ub2e4.\n\ub8e8\ud2b8\ub9ac\uc2a4\ud0b7\uacfc slirp4net\uc5d0\uc11c \uc0ac\uc6a9\ud558\ub294 \uad6c\uc131 \uc911 \uc77c\ubd80\ub294 \ud658\uacbd \ubcc0\uc218\ub85c \uc124\uc815\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \uc774\ub97c \uc124\uc815\ud558\ub294 \uac00\uc7a5 \uc88b\uc740 \ubc29\ubc95\uc740 k3s-rootless systemd \uc720\ub2db\uc758 ",(0,r.jsx)(n.code,{children:"Environment"})," \ud544\ub4dc\uc5d0 \ucd94\uac00\ud558\ub294 \uac83\uc785\ub2c8\ub2e4."]}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Variable"}),(0,r.jsx)(n.th,{children:"Default"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsxs)(n.tbody,{children:[(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_ROOTLESS_MTU"})}),(0,r.jsx)(n.td,{children:"1500"}),(0,r.jsx)(n.td,{children:"slirp4netns \uac00\uc0c1 \uc778\ud130\ud398\uc774\uc2a4\uc758 MTU\ub97c \uc124\uc815\ud569\ub2c8\ub2e4."})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_ROOTLESS_CIDR"})}),(0,r.jsx)(n.td,{children:"10.41.0.0/16"}),(0,r.jsx)(n.td,{children:"slirp4netns \uac00\uc0c1 \uc778\ud130\ud398\uc774\uc2a4\uc5d0\uc11c \uc0ac\uc6a9\ud558\ub294 CIDR\uc744 \uc124\uc815\ud569\ub2c8\ub2e4."})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_ROOTLESS_ENABLE_IPV6"})}),(0,r.jsx)(n.td,{children:"autotedected"}),(0,r.jsx)(n.td,{children:"Enables slirp4netns IPv6 \uc9c0\uc6d0. \uc9c0\uc815\ud558\uc9c0 \uc54a\uc73c\uba74 K3\uac00 \ub4c0\uc5bc \uc2a4\ud0dd \uc791\ub3d9\uc744 \uc704\ud574 \uad6c\uc131\ub418\uba74 \uc790\ub3d9\uc73c\ub85c \ud65c\uc131\ud654\ub429\ub2c8\ub2e4."})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_ROOTLESS_PORT_DRIVER"})}),(0,r.jsx)(n.td,{children:"builtin"}),(0,r.jsxs)(n.td,{children:["\ub8e8\ud2b8\ub9ac\uc2a4 \ud3ec\ud2b8 \ub4dc\ub77c\uc774\ubc84\ub97c \uc120\ud0dd\ud569\ub2c8\ub2e4. ",(0,r.jsx)(n.code,{children:"builtin"})," \ub610\ub294 ",(0,r.jsx)(n.code,{children:"slirp4netns"})," \uc911 \ud558\ub098\ub97c \uc120\ud0dd\ud569\ub2c8\ub2e4. \ube4c\ud2b8\uc778\uc774 \ub354 \ube60\ub974\uc9c0\ub9cc \uc778\ubc14\uc6b4\ub4dc \ud328\ud0b7\uc758 \uc6d0\ub798 \uc18c\uc2a4 \uc8fc\uc18c\ub97c \uac00\uc7a5\ud569\ub2c8\ub2e4."]})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_ROOTLESS_DISABLE_HOST_LOOPBACK"})}),(0,r.jsx)(n.td,{children:"true"}),(0,r.jsx)(n.td,{children:"\uac8c\uc774\ud2b8\uc6e8\uc774 \uc778\ud130\ud398\uc774\uc2a4\ub97c \ud1b5\ud55c \ud638\uc2a4\ud2b8\uc758 \ub8e8\ud504\ubc31 \uc8fc\uc18c\uc5d0 \ub300\ud55c \uc561\uc138\uc2a4\ub97c \uc0ac\uc6a9\ud560\uc9c0 \uc5ec\ubd80\ub97c \uc81c\uc5b4\ud569\ub2c8\ub2e4. \ubcf4\uc548\uc0c1\uc758 \uc774\uc720\ub85c \ubcc0\uacbd\ud558\uc9c0 \uc54a\ub294 \uac83\uc774 \uc88b\uc2b5\ub2c8\ub2e4."})]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"\ub8e8\ud2b8\ub9ac\uc2a4-\ubb38\uc81c-\ud574\uacb0\ud558\uae30",children:"\ub8e8\ud2b8\ub9ac\uc2a4 \ubb38\uc81c \ud574\uacb0\ud558\uae30"}),"\n",(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.code,{children:"systemctl --user status k3s-rootless"}),"\ub97c \uc2e4\ud589\ud558\uc5ec \ub370\ubaac \uc0c1\ud0dc\ub97c \ud655\uc778\ud569\ub2c8\ub2e4."]}),"\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.code,{children:"journalctl --user -f -u k3s-rootless"}),"\ub97c \uc2e4\ud589\ud558\uc5ec \ub370\ubaac \ub85c\uadf8\ub97c \ud655\uc778\ud569\ub2c8\ub2e4."]}),"\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.a,{href:"https://rootlesscontaine.rs/",children:"https://rootlesscontaine.rs/"})," \ucc38\uc870"]}),"\n"]}),"\n",(0,r.jsx)(n.h2,{id:"\ub178\ub4dc-\ub808\uc774\ube14-\ubc0f-\ud14c\uc778\ud2b8",children:"\ub178\ub4dc \ub808\uc774\ube14 \ubc0f \ud14c\uc778\ud2b8"}),"\n",(0,r.jsxs)(n.p,{children:["K3s \uc5d0\uc774\uc804\ud2b8\ub294 ",(0,r.jsx)(n.code,{children:"--node-label"})," \ubc0f ",(0,r.jsx)(n.code,{children:"--node-taint"})," \uc635\uc158\uc73c\ub85c \uad6c\uc131\ud560 \uc218 \uc788\uc73c\uba70, \uc774 \uc635\uc158\uc740 kubelet\uc5d0 \ub808\uc774\ube14\uacfc \ud14c\uc778\ud2b8\ub97c \ucd94\uac00\ud569\ub2c8\ub2e4. \uc774 \ub450 \uc635\uc158\uc740 [\ub4f1\ub85d \uc2dc\uc810\uc5d0] \ub808\uc774\ube14 \ubc0f/\ub610\ub294 \ud14c\uc778\ud2b8\ub9cc \ucd94\uac00\ud558\ubbc0\ub85c(./cli/agent.md#node-labels-and-taints-for-agents), \ub178\ub4dc\uac00 \ud074\ub7ec\uc2a4\ud130\uc5d0 \ucc98\uc74c \uc870\uc778\ub420 \ub54c\ub9cc \uc124\uc815\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."]}),"\n",(0,r.jsxs)(n.p,{children:["\ud604\uc7ac \ubaa8\ub4e0 \ubc84\uc804\uc758 \ucfe0\ubc84\ub124\ud2f0\uc2a4\ub294 \ub178\ub4dc\uac00 ",(0,r.jsx)(n.code,{children:"kubernetes.io"})," \ubc0f ",(0,r.jsx)(n.code,{children:"k8s.io"})," \uc811\ub450\uc0ac\uac00 \ud3ec\ud568\ub41c \ub300\ubd80\ubd84\uc758 \ub808\uc774\ube14, \ud2b9\ud788 ",(0,r.jsx)(n.code,{children:"kubernetes.io/role"})," \ub808\uc774\ube14\uc5d0 \ub4f1\ub85d\ud558\ub294 \uac83\uc744 \uc81c\ud55c\ud569\ub2c8\ub2e4. \ud5c8\uc6a9\ub418\uc9c0 \uc54a\ub294 \ub808\uc774\ube14\uc744 \uac00\uc9c4 \ub178\ub4dc\ub97c \uc2dc\uc791\ud558\ub824\uace0 \ud558\uba74 K3s\uac00 \uc2dc\uc791\ub418\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4. \ucfe0\ubc84\ub124\ud2f0\uc2a4 \uc791\uc131\uc790\uac00 \uc5b8\uae09\ud588\ub4ef\uc774:"]}),"\n",(0,r.jsxs)(n.blockquote,{children:["\n",(0,r.jsx)(n.p,{children:"\ub178\ub4dc\ub294 \uc790\uccb4 \uc5ed\ud560 \ub808\uc774\ube14\uc744 \uc5b4\uc124\ud2b8\ud558\ub294 \uac83\uc774 \ud5c8\uc6a9\ub418\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4. \ub178\ub4dc \uc5ed\ud560\uc740 \uc77c\ubc18\uc801\uc73c\ub85c \uad8c\ud55c \ub610\ub294 \ucee8\ud2b8\ub864 \ud50c\ub808\uc778 \uc720\ud615\uc758 \ub178\ub4dc\ub97c \uc2dd\ubcc4\ud558\ub294 \ub370 \uc0ac\uc6a9\ub418\uba70, \ub178\ub4dc\uac00 \ud574\ub2f9 \ud480\uc5d0 \ub808\uc774\ube14\uc744 \uc9c0\uc815\ud558\ub3c4\ub85d \ud5c8\uc6a9\ud558\uba74 \uc190\uc0c1\ub41c \ub178\ub4dc\uac00 \ub354 \ub192\uc740 \uad8c\ud55c \uc790\uaca9 \uc99d\uba85\uc5d0 \ub300\ud55c \uc561\uc138\uc2a4 \uad8c\ud55c\uc744 \ubd80\uc5ec\ud558\ub294 \uc6cc\ud06c\ub85c\ub4dc(\uc608: \ucee8\ud2b8\ub864 \ud50c\ub808\uc778 \ub370\ubaac\uc14b)\ub97c \uc0ac\uc18c\ud558\uac8c \ub04c\uc5b4\ub4e4\uc77c \uc218 \uc788\uc2b5\ub2c8\ub2e4."}),"\n"]}),"\n",(0,r.jsxs)(n.p,{children:["\uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,r.jsx)(n.a,{href:"https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/279-limit-node-access/README.md#proposal",children:"SIG-Auth KEP 279"}),"\ub97c \ucc38\uc870\ud558\uc138\uc694."]}),"\n",(0,r.jsxs)(n.p,{children:["\ub178\ub4dc \ub4f1\ub85d \ud6c4 \ub178\ub4dc \ub808\uc774\ube14\uacfc \ud2f4\ud2b8\ub97c \ubcc0\uacbd\ud558\uac70\ub098 \uc608\uc57d \ub808\uc774\ube14\uc744 \ucd94\uac00\ud558\ub824\uba74 ",(0,r.jsx)(n.code,{children:"kubectl"}),"\uc744 \uc0ac\uc6a9\ud574\uc57c \ud569\ub2c8\ub2e4. ",(0,r.jsx)(n.a,{href:"https://kubernetes.io/ko/docs/concepts/scheduling-eviction/taint-and-toleration/",children:"taint"})," \ubc0f ",(0,r.jsx)(n.a,{href:"https://kubernetes.io/ko/docs/tasks/configure-pod-container/assign-pods-nodes/#add-a-label-to-a-node",children:"\ub178\ub4dc \ub808\uc774\ube14"}),"\uc744 \ucd94\uac00\ud558\ub294 \ubc29\ubc95\uc5d0 \ub300\ud55c \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 \ucfe0\ubc84\ub124\ud2f0\uc2a4 \uacf5\uc2dd \ubb38\uc11c\ub97c \ucc38\uace0\ud558\uc138\uc694."]}),"\n",(0,r.jsx)(n.h2,{id:"\uc124\uce58-\uc2a4\ud06c\ub9bd\ud2b8\ub85c-\uc11c\ube44\uc2a4-\uc2dc\uc791\ud558\uae30",children:"\uc124\uce58 \uc2a4\ud06c\ub9bd\ud2b8\ub85c \uc11c\ube44\uc2a4 \uc2dc\uc791\ud558\uae30"}),"\n",(0,r.jsx)(n.p,{children:"\uc124\uce58 \uc2a4\ud06c\ub9bd\ud2b8\ub294 \uc124\uce58 \ud504\ub85c\uc138\uc2a4\uc758 \uc77c\ubd80\ub85c OS\uac00 systemd \ub610\ub294 openrc\ub97c \uc0ac\uc6a9\ud558\ub294\uc9c0 \uc790\ub3d9\uc73c\ub85c \uac10\uc9c0\ud558\uace0 \uc11c\ube44\uc2a4\ub97c \ud65c\uc131\ud654 \ubc0f \uc2dc\uc791\ud569\ub2c8\ub2e4."}),"\n",(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsxs)(n.li,{children:["openrc\ub85c \uc2e4\ud589\ud558\uba74 ",(0,r.jsx)(n.code,{children:"/var/log/k3s.log"}),"\uc5d0 \ub85c\uadf8\uac00 \uc0dd\uc131\ub429\ub2c8\ub2e4."]}),"\n",(0,r.jsxs)(n.li,{children:["systemd\ub85c \uc2e4\ud589\ud558\ub294 \uacbd\uc6b0, ",(0,r.jsx)(n.code,{children:"/var/log/syslog"}),"\uc5d0 \ub85c\uadf8\uac00 \uc0dd\uc131\ub418\uba70 ",(0,r.jsx)(n.code,{children:"journalctl -u k3s"}),"(\ub610\ub294 \uc5d0\uc774\uc804\ud2b8\uc5d0\uc11c\ub294 ",(0,r.jsx)(n.code,{children:"journalctl -u k3s-agent"}),")\ub97c \uc0ac\uc6a9\ud558\uc5ec \ub85c\uadf8\ub97c \ud655\uc778\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."]}),"\n"]}),"\n",(0,r.jsx)(n.p,{children:"\uc124\uce58 \uc2a4\ud06c\ub9bd\ud2b8\ub85c \uc790\ub3d9 \uc2dc\uc791 \ubc0f \uc11c\ube44\uc2a4 \ud65c\uc131\ud654\ub97c \ube44\ud65c\uc131\ud654\ud558\ub294 \uc608\uc81c\uc785\ub2c8\ub2e4:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | INSTALL_K3S_SKIP_START=true INSTALL_K3S_SKIP_ENABLE=true sh -\n"})}),"\n",(0,r.jsx)(n.h2,{id:"\ucd94\uac00-os-\uc900\ube44-\uc0ac\ud56d",children:"\ucd94\uac00 OS \uc900\ube44 \uc0ac\ud56d"}),"\n",(0,r.jsx)(n.h3,{id:"\uc774\uc804-iptables-\ubc84\uc804",children:"\uc774\uc804 iptables \ubc84\uc804"}),"\n",(0,r.jsxs)(n.p,{children:["\uba87\uba87 \uc720\uba85 Linux \ubc30\ud3ec\ud310\uc5d0\ub294 \uc911\ubcf5 \uaddc\uce59\uc774 \ub204\uc801\ub418\uc5b4 \ub178\ub4dc\uc758 \uc131\ub2a5\uacfc \uc548\uc815\uc131\uc5d0 \ubd80\uc815\uc801\uc778 \uc601\ud5a5\uc744 \uc8fc\ub294 \ubc84\uadf8\uac00 \ud3ec\ud568\ub41c \ubc84\uc804\uc758 iptables\uac00 \ud3ec\ud568\ub418\uc5b4 \uc788\uc2b5\ub2c8\ub2e4. \uc774 \ubb38\uc81c\uc758 \uc601\ud5a5\uc744 \ubc1b\ub294\uc9c0 \ud655\uc778\ud558\ub294 \ubc29\ubc95\uc5d0 \ub300\ud55c \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,r.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/issues/3117",children:"Issue #3117"}),"\uc744 \ucc38\uc870\ud558\uc138\uc694."]}),"\n",(0,r.jsxs)(n.p,{children:["K3s\uc5d0\ub294 \uc815\uc0c1\uc801\uc73c\ub85c \uc791\ub3d9\ud558\ub294 iptables(v1.8.8) \ubc84\uc804\uc774 \ud3ec\ud568\ub418\uc5b4 \uc788\uc2b5\ub2c8\ub2e4. ",(0,r.jsx)(n.code,{children:"--prefer-bundled-bin"})," \uc635\uc158\uc73c\ub85c K3s\ub97c \uc2dc\uc791\ud558\uac70\ub098 \uc6b4\uc601 \uccb4\uc81c\uc5d0\uc11c iptables/nftables \ud328\ud0a4\uc9c0\ub97c \uc81c\uac70\ud558\uc5ec K3s\uac00 \ubc88\ub4e4 \ubc84\uc804\uc758 iptables\ub97c \uc0ac\uc6a9\ud558\ub3c4\ub85d \uc124\uc815\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."]}),"\n",(0,r.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,r.jsxs)(n.p,{children:[(0,r.jsx)(n.code,{children:"prefer-bundled-bin"})," \ud50c\ub798\uadf8\ub294 2022-12 \ub9b4\ub9ac\uc2a4(v1.26.0+k3s1, v1.25.5+k3s1, v1.24.9+k3s1, v1.23.15+k3s1) \ubd80\ud130 \uc0ac\uc6a9\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."]})}),"\n",(0,r.jsx)(n.h3,{id:"red-hat-enterprise-linux--centos",children:"Red Hat Enterprise Linux / CentOS"}),"\n",(0,r.jsx)(n.p,{children:"firewalld\ub97c \ub044\ub294 \uac83\uc774 \uc88b\uc2b5\ub2c8\ub2e4:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"systemctl disable firewalld --now\n"})}),"\n",(0,r.jsx)(n.p,{children:"\ubc29\ud654\ubcbd\uc744 \uc0ac\uc6a9\ud558\ub3c4\ub85d \uc124\uc815\ud558\ub824\uba74 \uae30\ubcf8\uc801\uc73c\ub85c \ub2e4\uc74c \uaddc\uce59\uc774 \ud544\uc694\ud569\ub2c8\ub2e4:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"firewall-cmd --permanent --add-port=6443/tcp #apiserver\nfirewall-cmd --permanent --zone=trusted --add-source=10.42.0.0/16 #pods\nfirewall-cmd --permanent --zone=trusted --add-source=10.43.0.0/16 #services\nfirewall-cmd --reload\n"})}),"\n",(0,r.jsxs)(n.p,{children:["\uc124\uc815\uc5d0 \ub530\ub77c \ucd94\uac00 \ud3ec\ud2b8\ub97c \uc5f4\uc5b4\uc57c \ud560 \uc218\ub3c4 \uc788\uc2b5\ub2c8\ub2e4. \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,r.jsx)(n.a,{href:"/kr/installation/requirements#inbound-rules-for-k3s-nodes",children:"\uc778\ubc14\uc6b4\ub4dc \uaddc\uce59"}),"\uc744 \ucc38\uc870\ud558\uc138\uc694. \ud30c\ub4dc \ub610\ub294 \uc11c\ube44\uc2a4\uc5d0 \ub300\ud55c \uae30\ubcf8 CIDR\uc744 \ubcc0\uacbd\ud558\ub294 \uacbd\uc6b0, \uadf8\uc5d0 \ub530\ub77c \ubc29\ud654\ubcbd \uaddc\uce59\uc744 \uc5c5\ub370\uc774\ud2b8\ud574\uc57c \ud569\ub2c8\ub2e4."]}),"\n",(0,r.jsx)(n.p,{children:"\ud65c\uc131\ud654\ub41c \uacbd\uc6b0, nm-cloud-setup\uc744 \ube44\ud65c\uc131\ud654\ud558\uace0 \ub178\ub4dc\ub97c \uc7ac\ubd80\ud305\ud574\uc57c \ud569\ub2c8\ub2e4:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"systemctl disable nm-cloud-setup.service nm-cloud-setup.timer\nreboot\n"})}),"\n",(0,r.jsx)(n.h3,{id:"ubuntu",children:"Ubuntu"}),"\n",(0,r.jsx)(n.p,{children:"ufw(uncomplicated firewall)\ub97c \ub044\ub294 \uac83\uc774 \uc88b\uc2b5\ub2c8\ub2e4:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"ufw disable\n"})}),"\n",(0,r.jsx)(n.p,{children:"ufw\ub97c \uc0ac\uc6a9\ud558\ub3c4\ub85d \uc124\uc815\ud558\ub824\uba74 \uae30\ubcf8\uc801\uc73c\ub85c \ub2e4\uc74c \uaddc\uce59\uc774 \ud544\uc694\ud569\ub2c8\ub2e4:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"ufw allow 6443/tcp #apiserver\nufw allow from 10.42.0.0/16 to any #pods\nufw allow from 10.43.0.0/16 to any #services\n"})}),"\n",(0,r.jsxs)(n.p,{children:["\uc124\uc815\uc5d0 \ub530\ub77c \ucd94\uac00 \ud3ec\ud2b8\ub97c \uc5f4\uc5b4\uc57c \ud560 \uc218\ub3c4 \uc788\uc2b5\ub2c8\ub2e4. \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,r.jsx)(n.a,{href:"/kr/installation/requirements#inbound-rules-for-k3s-nodes",children:"\uc778\ubc14\uc6b4\ub4dc \uaddc\uce59"}),"\uc744 \ucc38\uc870\ud55c\ub2e4. \ud30c\ub4dc \ub610\ub294 \uc11c\ube44\uc2a4\uc5d0 \ub300\ud55c \uae30\ubcf8 CIDR\uc744 \ubcc0\uacbd\ud558\ub294 \uacbd\uc6b0, \uadf8\uc5d0 \ub530\ub77c \ubc29\ud654\ubcbd \uaddc\uce59\uc744 \uc5c5\ub370\uc774\ud2b8\ud574\uc57c \ud569\ub2c8\ub2e4."]}),"\n",(0,r.jsx)(n.h3,{id:"raspberry-pi",children:"Raspberry Pi"}),"\n",(0,r.jsxs)(n.p,{children:["\ub77c\uc988\ubca0\ub9ac\ud30c\uc774 OS\ub294 \ub370\ube44\uc548 \uae30\ubc18\uc774\uba70, \uc624\ub798\ub41c iptables \ubc84\uc804\uc73c\ub85c \uc778\ud574 \ubb38\uc81c\uac00 \ubc1c\uc0dd\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. ",(0,r.jsx)(n.a,{href:"#%EC%9D%B4%EC%A0%84-iptables-%EB%B2%84%EC%A0%84",children:"\ud574\uacb0 \ubc29\ubc95"}),"\uc744 \ucc38\uc870\ud558\uc138\uc694."]}),"\n",(0,r.jsxs)(n.p,{children:["\ud45c\uc900 \ub77c\uc988\ubca0\ub9ac\ud30c\uc774 OS \uc124\uce58\ub294 ",(0,r.jsx)(n.code,{children:"cgroups"}),"\uac00 \ud65c\uc131\ud654\ub41c \uc0c1\ud0dc\uc5d0\uc11c \uc2dc\uc791\ub418\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4. ",(0,r.jsx)(n.strong,{children:"K3S"}),"\ub294 systemd \uc11c\ube44\uc2a4\ub97c \uc2dc\uc791\ud558\uae30 \uc704\ud574 ",(0,r.jsx)(n.code,{children:"cgroups"}),"\uac00 \ud544\uc694\ud569\ub2c8\ub2e4. ",(0,r.jsx)(n.code,{children:"cgroups"}),"\ub294 ",(0,r.jsx)(n.code,{children:"/boot/cmdline.txt"}),"\uc5d0 ",(0,r.jsx)(n.code,{children:"cgroup_memory=1 cgroup_enable=memory"}),"\ub97c \ucd94\uac00\ud558\uc5ec \ud65c\uc131\ud654\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."]}),"\n",(0,r.jsx)(n.p,{children:"cmdline.txt \uc608\uc2dc:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{children:"console=serial0,115200 console=tty1 root=PARTUUID=58b06195-02 rootfstype=ext4 elevator=deadline fsck.repair=yes rootwait cgroup_memory=1 cgroup_enable=memory\n"})}),"\n",(0,r.jsx)(n.p,{children:"\uc6b0\ubd84\ud22c 21.10\ubd80\ud130 \ub77c\uc988\ubca0\ub9ac\ud30c\uc774\uc758 vxlan \uc9c0\uc6d0\uc740 \ubcc4\ub3c4\uc758 \ucee4\ub110 \ubaa8\ub4c8\ub85c \uc62e\uaca8\uc84c\uc2b5\ub2c8\ub2e4."}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"sudo apt install linux-modules-extra-raspi\n"})}),"\n",(0,r.jsx)(n.h2,{id:"docker\uc5d0\uc11c-k3s-\uc2e4\ud589\ud558\uae30",children:"Docker\uc5d0\uc11c k3s \uc2e4\ud589\ud558\uae30"}),"\n",(0,r.jsx)(n.p,{children:"Docker\uc5d0\uc11c K3s\ub97c \uc2e4\ud589\ud558\ub294 \ubc29\ubc95\uc5d0\ub294 \uc5ec\ub7ec \uac00\uc9c0\uac00 \uc788\uc2b5\ub2c8\ub2e4:"}),"\n",(0,r.jsxs)(c,{children:[(0,r.jsxs)(s,{value:"K3d",default:!0,children:[(0,r.jsxs)(n.p,{children:[(0,r.jsx)(n.a,{href:"https://github.com/k3d-io/k3d",children:"k3d"}),"\ub294 \ub3c4\ucee4\uc5d0\uc11c \uba40\ud2f0\ub178\ub4dc K3s \ud074\ub7ec\uc2a4\ud130\ub97c \uc27d\uac8c \uc2e4\ud589\ud560 \uc218 \uc788\ub3c4\ub85d \uc124\uacc4\ub41c \uc720\ud2f8\ub9ac\ud2f0\uc785\ub2c8\ub2e4."]}),(0,r.jsx)(n.p,{children:"k3d\ub97c \uc0ac\uc6a9\ud558\uba74 \ucfe0\ubc84\ub124\ud2f0\uc2a4\uc758 \ub85c\uceec \uac1c\ubc1c \ub4f1\uc744 \uc704\ud574 \ub3c4\ucee4\uc5d0\uc11c \ub2e8\uc77c \ub178\ub4dc \ubc0f \ub2e4\uc911 \ub178\ub4dc k3s \ud074\ub7ec\uc2a4\ud130\ub97c \ub9e4\uc6b0 \uc27d\uac8c \uc0dd\uc131\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."}),(0,r.jsxs)(n.p,{children:["k3d \uc124\uce58 \ubc0f \uc0ac\uc6a9 \ubc29\ubc95\uc5d0 \ub300\ud55c \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,r.jsx)(n.a,{href:"https://k3d.io/#installation",children:"\uc124\uce58"})," \uc124\uba85\uc11c\ub97c \ucc38\uc870\ud558\uc138\uc694."]})]}),(0,r.jsxs)(s,{value:"Docker",children:[(0,r.jsxs)(n.p,{children:["Docker\ub97c \uc0ac\uc6a9\ud558\ub824\uba74 ",(0,r.jsx)(n.code,{children:"rancher/k3s"})," \uc774\ubbf8\uc9c0\ub97c \uc0ac\uc6a9\ud558\uc5ec K3s \uc11c\ubc84\uc640 \uc5d0\uc774\uc804\ud2b8\ub97c \uc2e4\ud589\ud560 \uc218\ub3c4 \uc788\uc2b5\ub2c8\ub2e4.\n",(0,r.jsx)(n.code,{children:"docker run"})," \uba85\ub839\uc5b4\ub97c \uc0ac\uc6a9\ud569\ub2c8\ub2e4:"]}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"sudo docker run \\\n --privileged \\\n --name k3s-server-1 \\\n --hostname k3s-server-1 \\\n -p 6443:6443 \\\n -d rancher/k3s:v1.24.10-k3s1 \\\n server\n"})}),(0,r.jsx)(n.admonition,{type:"note",children:(0,r.jsxs)(n.p,{children:["\ud0dc\uadf8\uc5d0 \uc720\ud6a8\ud55c K3s \ubc84\uc804\uc744 \uc9c0\uc815\ud574\uc57c \ud558\uba70, ",(0,r.jsx)(n.code,{children:"latest"})," \ud0dc\uadf8\ub294 \uc720\uc9c0\ub418\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4.",(0,r.jsx)(n.br,{}),"\n","\ub3c4\ucee4 \uc774\ubbf8\uc9c0\ub294 \ud0dc\uadf8\uc5d0 ",(0,r.jsx)(n.code,{children:"+"})," \uae30\ud638\ub97c \ud5c8\uc6a9\ud558\uc9c0 \uc54a\uc73c\ubbc0\ub85c \ud0dc\uadf8\uc5d0 ",(0,r.jsx)(n.code,{children:"-"}),"\ub97c \ub300\uc2e0 \uc0ac\uc6a9\ud558\uc138\uc694."]})}),(0,r.jsx)(n.p,{children:"K3s\uac00 \uc2e4\ud589\ub418\uace0 \ub098\uba74, \uad00\ub9ac\uc790 kubeconfig\ub97c Docker \ucee8\ud14c\uc774\ub108\uc5d0\uc11c \ubcf5\uc0ac\ud558\uc5ec \uc0ac\uc6a9\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4:"}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"sudo docker cp k3s-server-1:/etc/rancher/k3s/k3s.yaml ~/.kube/config\n"})})]})]}),"\n",(0,r.jsx)(n.h2,{id:"selinux-\uc9c0\uc6d0",children:"SELinux \uc9c0\uc6d0"}),"\n",(0,r.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,r.jsx)(n.p,{children:"v1.19.4+k3s1\ubd80\ud130 \uc0ac\uc6a9 \uac00\ub2a5"})}),"\n",(0,r.jsx)(n.p,{children:"\uae30\ubcf8\uc801\uc73c\ub85c SELinux\uac00 \ud65c\uc131\ud654\ub41c \uc2dc\uc2a4\ud15c(\uc608\ub85c CentOS)\uc5d0 K3s\ub97c \uc124\uce58\ud558\ub294 \uacbd\uc6b0 \uc801\uc808\ud55c SELinux \uc815\ucc45\uc774 \uc124\uce58\ub418\uc5b4 \uc788\ub294\uc9c0 \ud655\uc778\ud574\uc57c \ud569\ub2c8\ub2e4."}),"\n",(0,r.jsxs)(c,{children:[(0,r.jsx)(s,{value:"\uc790\ub3d9 \uc124\uce58",default:!0,children:(0,r.jsxs)(n.p,{children:["\uc5d0\uc5b4 \uac2d(\ud3d0\uc1c4\ub9dd) \uc124\uce58\ub97c \uc218\ud589\ud558\uc9c0 \uc54a\ub294 \uacbd\uc6b0 \ud638\ud658\ub418\ub294 \uc2dc\uc2a4\ud15c\uc5d0\uc11c ",(0,r.jsx)(n.a,{href:"/kr/installation/configuration#configuration-with-install-script",children:"\uc124\uce58 \uc2a4\ud06c\ub9bd\ud2b8"}),"\ub294 \ub79c\ucc98 RPM \uc800\uc7a5\uc18c\uc5d0\uc11c SELinux RPM\uc744 \uc790\ub3d9\uc73c\ub85c \uc124\uce58\ud569\ub2c8\ub2e4. \uc790\ub3d9 \uc124\uce58\ub294 ",(0,r.jsx)(n.code,{children:"INSTALL_K3S_SKIP_SELINUX_RPM=true"}),"\ub85c \uc124\uc815\ud558\uc5ec \uac74\ub108\ub6f8 \uc218 \uc788\uc2b5\ub2c8\ub2e4."]})}),(0,r.jsxs)(s,{value:"\uc218\ub3d9 \uc124\uce58",default:!0,children:[(0,r.jsx)(n.p,{children:"\ud544\uc694\ud55c policy\ub294 \ub2e4\uc74c \uba85\ub839\uc744 \uc0ac\uc6a9\ud558\uc5ec \uc124\uce58\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4:"}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"yum install -y container-selinux selinux-policy-base\nyum install -y https://rpm.rancher.io/k3s/latest/common/centos/7/noarch/k3s-selinux-0.2-1.el7_8.noarch.rpm\n"})}),(0,r.jsxs)(n.p,{children:["\uc124\uce58 \uc2a4\ud06c\ub9bd\ud2b8\uac00 \uc2e4\ud328\ud558\uc9c0 \uc54a\uace0 \uacbd\uace0\ub97c \uae30\ub85d\ud558\ub3c4\ub85d \ud558\ub824\uba74 \ub2e4\uc74c \ud658\uacbd \ubcc0\uc218\ub97c \uc124\uc815\ud558\uba74 \ub429\ub2c8\ub2e4:\n",(0,r.jsx)(n.code,{children:"INSTALL_K3S_SELINUX_WARN=true"}),"."]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"selinux-\uc801\uc6a9-\ud65c\uc131\ud654\ud558\uae30",children:"SELinux \uc801\uc6a9 \ud65c\uc131\ud654\ud558\uae30"}),"\n",(0,r.jsxs)(n.p,{children:["SELinux\ub97c \ud65c\uc6a9\ud558\ub824\uba74 K3s \uc11c\ubc84 \ubc0f \uc5d0\uc774\uc804\ud2b8\ub97c \uc2dc\uc791\ud560 \ub54c ",(0,r.jsx)(n.code,{children:"--selinux"})," \ud50c\ub798\uadf8\ub97c \uc9c0\uc815\ud558\uc138\uc694."]}),"\n",(0,r.jsxs)(n.p,{children:["\uc774 \uc635\uc158\uc740 K3s ",(0,r.jsx)(n.a,{href:"/kr/installation/configuration#configuration-file",children:"\uad6c\uc131 \ud30c\uc77c"}),"\uc5d0\uc11c\ub3c4 \uc9c0\uc815\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."]}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{children:"selinux: true\n"})}),"\n",(0,r.jsxs)(n.p,{children:["SELinux\uc5d0\uc11c \uc0ac\uc6a9\uc790 \uc9c0\uc815 ",(0,r.jsx)(n.code,{children:"--data-dir"}),"\uc744 \uc0ac\uc6a9\ud558\ub294 \uac83\uc740 \uc9c0\uc6d0\ub418\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4. \uc0ac\uc6a9\uc790 \uc9c0\uc815\ud558\ub824\uba74 \uc0ac\uc6a9\uc790 \uc9c0\uc815 \uc815\ucc45\uc744 \uc9c1\uc811 \uc791\uc131\ud574\uc57c \ud560 \uac00\ub2a5\uc131\uc774 \ub192\uc2b5\ub2c8\ub2e4. \ucee8\ud14c\uc774\ub108 \ub7f0\ud0c0\uc784\uc5d0 \ub300\ud55c SELinux \uc815\ucc45 \ud30c\uc77c\uc774 \ud3ec\ud568\ub41c ",(0,r.jsx)(n.a,{href:"https://github.com/containers/container-selinux",children:"containers/container-selinux"})," \ub9ac\ud3ec\uc9c0\ud1a0\ub9ac\uc640 K3s\ub97c \uc704\ud55c SELinux \uc815\ucc45\uc774 \ud3ec\ud568\ub41c ",(0,r.jsx)(n.a,{href:"https://github.com/k3s-io/k3s-selinux",children:"k3s-io/k3s-selinux"})," \ub9ac\ud3ec\uc9c0\ud1a0\ub9ac\ub97c \ucc38\uace0\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."]}),"\n",(0,r.jsx)(n.h2,{id:"\uc9c0\uc5f0-\ud480\ub9c1\uc758-\uc9c0\uc5f0-\ud480\ub9c1-\ud65c\uc131\ud654-\uc2e4\ud5d8\uc801",children:"\uc9c0\uc5f0 \ud480\ub9c1\uc758 \uc9c0\uc5f0 \ud480\ub9c1 \ud65c\uc131\ud654 (\uc2e4\ud5d8\uc801)"}),"\n",(0,r.jsx)(n.h3,{id:"\uc9c0\uc5f0-\ud480\ub9c1\uacfc-estargz\ub780-\ubb34\uc5c7\uc778\uac00\uc694",children:"\uc9c0\uc5f0 \ud480\ub9c1\uacfc eStargz\ub780 \ubb34\uc5c7\uc778\uac00\uc694?"}),"\n",(0,r.jsxs)(n.p,{children:["\uc774\ubbf8\uc9c0 \ud480\ub9c1\uc740 \ucee8\ud14c\uc774\ub108 \ub77c\uc774\ud504\uc0ac\uc774\ud074\uc5d0\uc11c \uc2dc\uac04\uc774 \ub9ce\uc774 \uc18c\uc694\ub418\ub294 \ub2e8\uacc4 \uc911 \ud558\ub098\ub85c \uc54c\ub824\uc838 \uc788\uc2b5\ub2c8\ub2e4.\nHarter, et al.(",(0,r.jsx)(n.a,{href:"https://www.usenix.org/conference/fast16/technical-sessions/presentation/harter",children:"https://www.usenix.org/conference/fast16/technical-sessions/presentation/harter"}),"),"]}),"\n",(0,r.jsxs)(n.blockquote,{children:["\n",(0,r.jsx)(n.p,{children:"\ud328\ud0a4\uc9c0 \ud480\ub9c1\uc740 \ucee8\ud14c\uc774\ub108 \uc2dc\uc791 \uc2dc\uac04\uc758 76%\ub97c \ucc28\uc9c0\ud558\uc9c0\ub9cc, \uadf8 \uc911 \uc77d\uae30 \ub370\uc774\ud130\ub294 6.4%\uc5d0 \ubd88\uacfc\ud569\ub2c8\ub2e4."}),"\n"]}),"\n",(0,r.jsxs)(n.p,{children:["\uc774 \ubb38\uc81c\ub97c \ud574\uacb0\ud558\uae30 \uc704\ud574 k3s\ub294 \uc774\ubbf8\uc9c0 \ucf58\ud150\uce20\uc758 ",(0,r.jsx)(n.em,{children:"lazy pulling"}),"\uc744 \uc2e4\ud5d8\uc801\uc73c\ub85c \uc9c0\uc6d0\ud569\ub2c8\ub2e4.\n\uc774\ub97c \ud1b5\ud574 k3s\ub294 \uc804\uccb4 \uc774\ubbf8\uc9c0\uac00 \ud480\ub9c1\ub418\uae30 \uc804\uc5d0 \ucee8\ud14c\uc774\ub108\ub97c \uc2dc\uc791\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4.\n\ub300\uc2e0 \ud544\uc694\ud55c \ucf58\ud150\uce20 \uccad\ud06c(\uc608: \uac1c\ubcc4 \ud30c\uc77c)\ub97c \uc628\ub514\ub9e8\ub4dc \ubc29\uc2dd\uc73c\ub85c \uac00\uc838\uc635\ub2c8\ub2e4.\n\ud2b9\ud788 \ub300\uc6a9\ub7c9 \uc774\ubbf8\uc9c0\uc758 \uacbd\uc6b0 \uc774 \uae30\uc220\uc744 \uc0ac\uc6a9\ud558\uba74 \ucee8\ud14c\uc774\ub108 \uc2dc\uc791 \uc9c0\uc5f0 \uc2dc\uac04\uc744 \ub2e8\ucd95\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."]}),"\n",(0,r.jsxs)(n.p,{children:["\uc9c0\uc5f0 \ud480\ub9c1\uc744 \uc0ac\uc6a9\ud558\ub824\uba74 \ub300\uc0c1 \uc774\ubbf8\uc9c0\uc758 \ud3ec\ub9f7\uc744 ",(0,r.jsx)(n.a,{href:"https://github.com/containerd/stargz-snapshotter/blob/main/docs/stargz-estargz.md",children:(0,r.jsx)(n.em,{children:"eStargz"})}),"\ub85c \uc9c0\uc815\ud574\uc57c \ud569\ub2c8\ub2e4.\n\uc774 \ud615\uc2dd\uc740 OCI \ub300\uccb4 \ud615\uc2dd\uc774\uc9c0\ub9cc \uc9c0\uc5f0 \ud480\ub9c1\uc744 \uc704\ud55c 100% \ud638\ud658\ub418\ub294 \uc774\ubbf8\uc9c0 \ud615\uc2dd\uc785\ub2c8\ub2e4.\n\ud638\ud658\uc131 \ub54c\ubb38\uc5d0 eStargz\ub294 \ud45c\uc900 \ucee8\ud14c\uc774\ub108 \ub808\uc9c0\uc2a4\ud2b8\ub9ac(\uc608: ghcr.io)\ub85c \ud478\uc2dc\ud560 \uc218 \uc788\uc744 \ubfd0\ub9cc \uc544\ub2c8\ub77c eStargz\uc640 \ubb34\uad00\ud55c \ub7f0\ud0c0\uc784\uc5d0\uc11c\ub3c4 ",(0,r.jsx)(n.em,{children:"\uc2e4\ud589 \uac00\ub2a5"})," \ud569\ub2c8\ub2e4."]}),"\n",(0,r.jsxs)(n.p,{children:["eStargz\ub294 ",(0,r.jsx)(n.a,{href:"https://github.com/google/crfs",children:"Google CRFS \ud504\ub85c\uc81d\ud2b8\uc5d0\uc11c \uc81c\uc548\ud55c stargz \ud615\uc2dd"}),"\uc744 \uae30\ubc18\uc73c\ub85c \uac1c\ubc1c\ub418\uc5c8\uc9c0\ub9cc \ucf58\ud150\uce20 \uac80\uc99d \ubc0f \uc131\ub2a5 \ucd5c\uc801\ud654\ub97c \ud3ec\ud568\ud55c \uc2e4\uc6a9\uc801\uc778 \uae30\ub2a5\uc744 \uc81c\uacf5\ud569\ub2c8\ub2e4.\n\uc9c0\uc5f0 \ud480\ub9c1\uacfc eStargz\uc5d0 \ub300\ud55c \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,r.jsx)(n.a,{href:"https://github.com/containerd/stargz-snapshotter",children:"Stargz Snapshotter \ud504\ub85c\uc81d\ud2b8 \ub9ac\ud3ec\uc9c0\ud1a0\ub9ac"}),"\ub97c \ucc38\uace0\ud558\uc2dc\uae30 \ubc14\ub78d\ub2c8\ub2e4."]}),"\n",(0,r.jsx)(n.h3,{id:"\uc9c0\uc5f0-\ud480\ub9c1\uc774-\uac00\ub2a5\ud558\ub3c4\ub85d-k3s-\uad6c\uc131\ud558\uae30",children:"\uc9c0\uc5f0 \ud480\ub9c1\uc774 \uac00\ub2a5\ud558\ub3c4\ub85d k3s \uad6c\uc131\ud558\uae30"}),"\n",(0,r.jsxs)(n.p,{children:["\uc544\ub798\uc640 \uac19\uc774 k3s \uc11c\ubc84\uc640 \uc5d0\uc774\uc804\ud2b8\uc5d0\ub294 ",(0,r.jsx)(n.code,{children:"--snapshotter=stargz"})," \uc635\uc158\uc774 \ud544\uc694\ud569\ub2c8\ub2e4."]}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s server --snapshotter=stargz\n"})}),"\n",(0,r.jsxs)(n.p,{children:["\uc774 \uad6c\uc131\uc744 \uc0ac\uc6a9\ud558\uba74, eStargz \ud615\uc2dd\uc758 \uc774\ubbf8\uc9c0\uc5d0 \ub300\ud574 \uc9c0\uc5f0 \ud480\ub9c1\uc744 \uc218\ud589\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4.\n\ub2e4\uc74c \uc608\uc81c \ud30c\ub4dc \ub9e4\ub2c8\ud398\uc2a4\ud2b8\ub294 eStargz \ud615\uc2dd\uc758 ",(0,r.jsx)(n.code,{children:"node:13.13.0"})," \uc774\ubbf8\uc9c0(",(0,r.jsx)(n.code,{children:"ghcr.io/stargz-containers/node:13.13.0-esgz"}),")\ub97c \uc0ac\uc6a9\ud569\ub2c8\ub2e4.\n\uc2a4\ud0c0\uc988 \uc2a4\ub0c5\uc0f7\ud130\uac00 \ud65c\uc131\ud654\ub418\uba74 K3s\ub294 \uc774 \uc774\ubbf8\uc9c0\uc5d0 \ub300\ud574 \uc9c0\uc5f0 \ud480\ub9c1\uc744 \uc218\ud589\ud569\ub2c8\ub2e4."]}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-yaml",children:"apiVersion: v1\nkind: Pod\nmetadata:\n name: nodejs\nspec:\n containers:\n - name: nodejs-estargz\n image: ghcr.io/stargz-containers/node:13.13.0-esgz\n command: [\"node\"]\n args:\n - -e\n - var http = require('http');\n http.createServer(function(req, res) {\n res.writeHead(200);\n res.end('Hello World!\\n');\n }).listen(80);\n ports:\n - containerPort: 80\n"})}),"\n",(0,r.jsx)(n.h2,{id:"\ucd94\uac00-\ub85c\uae45-\uc18c\uc2a4",children:"\ucd94\uac00 \ub85c\uae45 \uc18c\uc2a4"}),"\n",(0,r.jsxs)(n.p,{children:["K3s\uc6a9 ",(0,r.jsx)(n.a,{href:"https://rancher.com/docs/rancher/v2.6/en/logging/helm-chart-options/",children:"\ub79c\ucc98 \ub85c\uae45"}),"\uc740 \ub79c\ucc98\ub97c \uc0ac\uc6a9\ud558\uc9c0 \uc54a\uace0 \uc124\uce58\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \uc774\ub97c \uc704\ud574\uc11c\ub294 \ub2e4\uc74c \uc9c0\uce68\uc744 \uc2e4\ud589\ud574\uc57c \ud569\ub2c8\ub2e4:"]}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"helm repo add rancher-charts https://charts.rancher.io\nhelm repo update\nhelm install --create-namespace -n cattle-logging-system rancher-logging-crd rancher-charts/rancher-logging-crd\nhelm install --create-namespace -n cattle-logging-system rancher-logging --set additionalLoggingSources.k3s.enabled=true rancher-charts/rancher-logging\n"})}),"\n",(0,r.jsx)(n.h2,{id:"\ucd94\uac00-\ub124\ud2b8\uc6cc\ud06c-\uc815\ucc45-\ub85c\uae45",children:"\ucd94\uac00 \ub124\ud2b8\uc6cc\ud06c \uc815\ucc45 \ub85c\uae45"}),"\n",(0,r.jsx)(n.p,{children:"\ub124\ud2b8\uc6cc\ud06c \uc815\ucc45\uc5d0 \uc758\ud574 \ucc28\ub2e8\ub41c \ud328\ud0b7\uc744 \ub85c\uae45\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \ud328\ud0b7\uc740 \ucc28\ub2e8 \ub124\ud2b8\uc6cc\ud06c \uc815\ucc45\uc744 \ud3ec\ud568\ud55c \ud328\ud0b7 \uc138\ubd80 \uc815\ubcf4\ub97c \ud45c\uc2dc\ud558\ub294 iptables NFLOG \uc791\uc5c5\uc73c\ub85c \uc804\uc1a1\ub429\ub2c8\ub2e4."}),"\n",(0,r.jsxs)(n.p,{children:["\ud2b8\ub798\ud53d\uc774 \ub9ce\uc73c\uba74 \ub85c\uadf8 \uba54\uc2dc\uc9c0 \uc218\uac00 \ub9e4\uc6b0 \ub9ce\uc544\uc9c8 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \uc815\ucc45\ubcc4\ub85c \ub85c\uadf8 \uc18d\ub3c4\ub97c \uc81c\uc5b4\ud558\ub824\uba74, \ud574\ub2f9 \ub124\ud2b8\uc6cc\ud06c \uc815\ucc45\uc5d0 \ub2e4\uc74c \uc5b4\ub178\ud14c\uc774\uc158\uc744 \ucd94\uac00\ud558\uc5ec ",(0,r.jsx)(n.code,{children:"limit"})," \ubc0f ",(0,r.jsx)(n.code,{children:"limit-burst"})," iptables \ub9e4\uac1c\ubcc0\uc218\ub97c \uc124\uc815\ud569\ub2c8\ub2e4:"]}),"\n",(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsx)(n.li,{children:(0,r.jsx)(n.code,{children:"kube-router.io/netpol-nflog-limit=<LIMIT-VALUE>"})}),"\n",(0,r.jsx)(n.li,{children:(0,r.jsx)(n.code,{children:"kube-router.io/netpol-nflog-limit-burst=<LIMIT-BURST-VALUE>"})}),"\n"]}),"\n",(0,r.jsxs)(n.p,{children:["\uae30\ubcf8\uac12\uc740 ",(0,r.jsx)(n.code,{children:"limit=10/minute"}),"\uc640 ",(0,r.jsx)(n.code,{children:"limit-burst=10"}),"\uc785\ub2c8\ub2e4. \uc774\ub7ec\ud55c \ud544\ub4dc\uc758 \ud615\uc2dd\uacfc \uc0ac\uc6a9 \uac00\ub2a5\ud55c \uac12\uc5d0 \ub300\ud55c \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,r.jsx)(n.a,{href:"https://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO-7.html#:~:text=restrict%20the%20rate%20of%20matches",children:"iptables manual"}),"\uc744 \ucc38\uc870\ud558\uc138\uc694."]}),"\n",(0,r.jsxs)(n.p,{children:["NFLOG \ud328\ud0b7\uc744 \ub85c\uadf8 \ud56d\ubaa9\uc73c\ub85c \ubcc0\ud658\ud558\ub824\uba74 ulogd2\ub97c \uc124\uce58\ud558\uace0 ",(0,r.jsx)(n.code,{children:"[log1]"}),"\uc744 ",(0,r.jsx)(n.code,{children:"group=100"}),"\uc5d0\uc11c \uc77d\ub3c4\ub85d \uad6c\uc131\ud569\ub2c8\ub2e4. \uadf8\ub7f0 \ub2e4\uc74c ulogd2 \uc11c\ube44\uc2a4\ub97c \ub2e4\uc2dc \uc2dc\uc791\ud558\uc5ec \uc0c8 \uad6c\uc131\uc774 \ucee4\ubc0b\ub418\ub3c4\ub85d \ud569\ub2c8\ub2e4.\n\ub124\ud2b8\uc6cc\ud06c \uc815\ucc45 \uaddc\uce59\uc5d0 \uc758\ud574 \ud328\ud0b7\uc774 \ucc28\ub2e8\ub418\uba74 ",(0,r.jsx)(n.code,{children:"/var/log/ulog/syslogemu.log"}),"\uc5d0 \ub85c\uadf8 \uba54\uc2dc\uc9c0\uac00 \ub098\ud0c0\ub0a9\ub2c8\ub2e4."]}),"\n",(0,r.jsx)(n.p,{children:"NFLOG \ub137\ub9c1\ud06c \uc18c\ucf13\uc73c\ub85c \uc804\uc1a1\ub41c \ud328\ud0b7\uc740 tcpdump \ub610\ub294 tshark\uc640 \uac19\uc740 \uba85\ub839\uc904 \ub3c4\uad6c\ub97c \uc0ac\uc6a9\ud558\uc5ec \uc77d\uc744 \uc218\ub3c4 \uc788\uc2b5\ub2c8\ub2e4:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"tcpdump -ni nflog:100\n"})}),"\n",(0,r.jsxs)(n.p,{children:["\ub354 \uc27d\uac8c \uc0ac\uc6a9\ud560 \uc218 \uc788\uc9c0\ub9cc, tcpdump\ub294 \ud328\ud0b7\uc744 \ucc28\ub2e8\ud55c \ub124\ud2b8\uc6cc\ud06c \uc815\ucc45\uc758 \uc774\ub984\uc744 \ud45c\uc2dc\ud558\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4. \ub300\uc2e0 \uc640\uc774\uc5b4\uc0e4\ud06c\uc758 tshark \uba85\ub839\uc744 \uc0ac\uc6a9\ud558\uc5ec \uc815\ucc45 \uc774\ub984\uc774 \ud3ec\ud568\ub41c ",(0,r.jsx)(n.code,{children:"nflog.prefix"})," \ud544\ub4dc\ub97c \ud3ec\ud568\ud55c \uc804\uccb4 NFLOG \ud328\ud0b7 \ud5e4\ub354\ub97c \ud45c\uc2dc\ud558\uc138\uc694."]})]})}function h(e={}){const{wrapper:n}={...(0,i.a)(),...e.components};return n?(0,r.jsx)(n,{...e,children:(0,r.jsx)(o,{...e})}):o(e)}function x(e,n){throw new Error("Expected "+(n?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,n,s)=>{s.d(n,{Z:()=>d,a:()=>l});var r=s(7294);const i={},c=r.createContext(i);function l(e){const n=r.useContext(c);return r.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function d(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(i):e.components||i:l(e.components),r.createElement(c.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/df1a3a69.561c08d1.js b/kr/assets/js/df1a3a69.561c08d1.js deleted file mode 100644 index f1477e7f4..000000000 --- a/kr/assets/js/df1a3a69.561c08d1.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[6153],{8246:(e,n,s)=>{s.r(n),s.d(n,{assets:()=>t,contentTitle:()=>l,default:()=>h,frontMatter:()=>c,metadata:()=>d,toc:()=>a});var r=s(5893),i=s(1151);const c={title:"\uace0\uae09 \uc635\uc158 / \uc124\uc815",aliases:["/k3s/latest/kr/running/","/k3s/latest/kr/configuration/"]},l=void 0,d={id:"advanced",title:"\uace0\uae09 \uc635\uc158 / \uc124\uc815",description:"\uc774 \uc139\uc158\uc5d0\ub294 K3s\ub97c \uc2e4\ud589\ud558\uace0 \uad00\ub9ac\ud560 \uc218 \uc788\ub294 \ub2e4\uc591\ud55c \ubc29\ubc95\uacfc K3s \uc0ac\uc6a9\uc744 \uc704\ud574 \ud638\uc2a4\ud2b8 OS\ub97c \uc900\ube44\ud558\ub294 \ub370 \ud544\uc694\ud55c \ub2e8\uacc4\ub97c \uc124\uba85\ud558\ub294 \uace0\uae09 \uc815\ubcf4\uac00 \ud3ec\ud568\ub418\uc5b4 \uc788\uc2b5\ub2c8\ub2e4.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/advanced.md",sourceDirName:".",slug:"/advanced",permalink:"/kr/advanced",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/advanced.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"\uace0\uae09 \uc635\uc158 / \uc124\uc815",aliases:["/k3s/latest/kr/running/","/k3s/latest/kr/configuration/"]},sidebar:"mySidebar",previous:{title:"\ud5ec\ub984(Helm)",permalink:"/kr/helm"},next:{title:"Environment Variables",permalink:"/kr/reference/env-variables"}},t={},a=[{value:"\uc778\uc99d\uc11c \uad00\ub9ac",id:"\uc778\uc99d\uc11c-\uad00\ub9ac",level:2},{value:"\uc778\uc99d \uae30\uad00 \uc778\uc99d\uc11c",id:"\uc778\uc99d-\uae30\uad00-\uc778\uc99d\uc11c",level:3},{value:"\ud074\ub77c\uc774\uc5b8\ud2b8 \ubc0f \uc11c\ubc84 \uc778\uc99d\uc11c",id:"\ud074\ub77c\uc774\uc5b8\ud2b8-\ubc0f-\uc11c\ubc84-\uc778\uc99d\uc11c",level:3},{value:"\ud1a0\ud070 \uad00\ub9ac",id:"\ud1a0\ud070-\uad00\ub9ac",level:2},{value:"HTTP \ud504\ub85d\uc2dc \uad6c\uc131\ud558\uae30",id:"http-\ud504\ub85d\uc2dc-\uad6c\uc131\ud558\uae30",level:2},{value:"\ucee8\ud14c\uc774\ub108 \ub7f0\ud0c0\uc784\uc73c\ub85c Docker \uc0ac\uc6a9",id:"\ucee8\ud14c\uc774\ub108-\ub7f0\ud0c0\uc784\uc73c\ub85c-docker-\uc0ac\uc6a9",level:2},{value:"etcdctl \uc0ac\uc6a9\ud558\uae30",id:"etcdctl-\uc0ac\uc6a9\ud558\uae30",level:2},{value:"\ucee8\ud14c\uc774\ub108 \uc124\uc815\ud558\uae30",id:"\ucee8\ud14c\uc774\ub108-\uc124\uc815\ud558\uae30",level:2},{value:"NVIDIA \ucee8\ud14c\uc774\ub108 \ub7f0\ud0c0\uc784 \uc9c0\uc6d0",id:"nvidia-\ucee8\ud14c\uc774\ub108-\ub7f0\ud0c0\uc784-\uc9c0\uc6d0",level:2},{value:"\uc5d0\uc774\uc804\ud2b8 \uc5c6\ub294 \uc11c\ubc84 \uc2e4\ud589\ud558\uae30(\uc2e4\ud5d8\uc801)",id:"\uc5d0\uc774\uc804\ud2b8-\uc5c6\ub294-\uc11c\ubc84-\uc2e4\ud589\ud558\uae30\uc2e4\ud5d8\uc801",level:2},{value:"\ub8e8\ud2b8\ub9ac\uc2a4 \uc11c\ubc84 \uc2e4\ud589(\uc2e4\ud5d8\uc801)",id:"\ub8e8\ud2b8\ub9ac\uc2a4-\uc11c\ubc84-\uc2e4\ud589\uc2e4\ud5d8\uc801",level:2},{value:"\ub8e8\ud2b8\ub9ac\uc2a4 \ubaa8\ub4dc\uc758 \uc54c\ub824\uc9c4 \uc774\uc288",id:"\ub8e8\ud2b8\ub9ac\uc2a4-\ubaa8\ub4dc\uc758-\uc54c\ub824\uc9c4-\uc774\uc288",level:3},{value:"\ub8e8\ud2b8\ub9ac\uc2a4 \uc11c\ubc84 \uc2dc\uc791\ud558\uae30",id:"\ub8e8\ud2b8\ub9ac\uc2a4-\uc11c\ubc84-\uc2dc\uc791\ud558\uae30",level:3},{value:"\uace0\uae09 \ub8e8\ud2b8\ub9ac\uc2a4 \uad6c\uc131",id:"\uace0\uae09-\ub8e8\ud2b8\ub9ac\uc2a4-\uad6c\uc131",level:3},{value:"\ub8e8\ud2b8\ub9ac\uc2a4 \ubb38\uc81c \ud574\uacb0\ud558\uae30",id:"\ub8e8\ud2b8\ub9ac\uc2a4-\ubb38\uc81c-\ud574\uacb0\ud558\uae30",level:3},{value:"\ub178\ub4dc \ub808\uc774\ube14 \ubc0f \ud14c\uc778\ud2b8",id:"\ub178\ub4dc-\ub808\uc774\ube14-\ubc0f-\ud14c\uc778\ud2b8",level:2},{value:"\uc124\uce58 \uc2a4\ud06c\ub9bd\ud2b8\ub85c \uc11c\ube44\uc2a4 \uc2dc\uc791\ud558\uae30",id:"\uc124\uce58-\uc2a4\ud06c\ub9bd\ud2b8\ub85c-\uc11c\ube44\uc2a4-\uc2dc\uc791\ud558\uae30",level:2},{value:"\ucd94\uac00 OS \uc900\ube44 \uc0ac\ud56d",id:"\ucd94\uac00-os-\uc900\ube44-\uc0ac\ud56d",level:2},{value:"\uc774\uc804 iptables \ubc84\uc804",id:"\uc774\uc804-iptables-\ubc84\uc804",level:3},{value:"Red Hat Enterprise Linux / CentOS",id:"red-hat-enterprise-linux--centos",level:3},{value:"Ubuntu",id:"ubuntu",level:3},{value:"Raspberry Pi",id:"raspberry-pi",level:3},{value:"Docker\uc5d0\uc11c k3s \uc2e4\ud589\ud558\uae30",id:"docker\uc5d0\uc11c-k3s-\uc2e4\ud589\ud558\uae30",level:2},{value:"SELinux \uc9c0\uc6d0",id:"selinux-\uc9c0\uc6d0",level:2},{value:"SELinux \uc801\uc6a9 \ud65c\uc131\ud654\ud558\uae30",id:"selinux-\uc801\uc6a9-\ud65c\uc131\ud654\ud558\uae30",level:3},{value:"\uc9c0\uc5f0 \ud480\ub9c1\uc758 \uc9c0\uc5f0 \ud480\ub9c1 \ud65c\uc131\ud654 (\uc2e4\ud5d8\uc801)",id:"\uc9c0\uc5f0-\ud480\ub9c1\uc758-\uc9c0\uc5f0-\ud480\ub9c1-\ud65c\uc131\ud654-\uc2e4\ud5d8\uc801",level:2},{value:"\uc9c0\uc5f0 \ud480\ub9c1\uacfc eStargz\ub780 \ubb34\uc5c7\uc778\uac00\uc694?",id:"\uc9c0\uc5f0-\ud480\ub9c1\uacfc-estargz\ub780-\ubb34\uc5c7\uc778\uac00\uc694",level:3},{value:"\uc9c0\uc5f0 \ud480\ub9c1\uc774 \uac00\ub2a5\ud558\ub3c4\ub85d k3s \uad6c\uc131\ud558\uae30",id:"\uc9c0\uc5f0-\ud480\ub9c1\uc774-\uac00\ub2a5\ud558\ub3c4\ub85d-k3s-\uad6c\uc131\ud558\uae30",level:3},{value:"\ucd94\uac00 \ub85c\uae45 \uc18c\uc2a4",id:"\ucd94\uac00-\ub85c\uae45-\uc18c\uc2a4",level:2},{value:"\ucd94\uac00 \ub124\ud2b8\uc6cc\ud06c \uc815\ucc45 \ub85c\uae45",id:"\ucd94\uac00-\ub124\ud2b8\uc6cc\ud06c-\uc815\ucc45-\ub85c\uae45",level:2}];function o(e){const n={a:"a",admonition:"admonition",blockquote:"blockquote",br:"br",code:"code",em:"em",h2:"h2",h3:"h3",li:"li",ol:"ol",p:"p",pre:"pre",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,i.a)(),...e.components},{TabItem:s,Tabs:c}=n;return s||x("TabItem",!0),c||x("Tabs",!0),(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(n.p,{children:"\uc774 \uc139\uc158\uc5d0\ub294 K3s\ub97c \uc2e4\ud589\ud558\uace0 \uad00\ub9ac\ud560 \uc218 \uc788\ub294 \ub2e4\uc591\ud55c \ubc29\ubc95\uacfc K3s \uc0ac\uc6a9\uc744 \uc704\ud574 \ud638\uc2a4\ud2b8 OS\ub97c \uc900\ube44\ud558\ub294 \ub370 \ud544\uc694\ud55c \ub2e8\uacc4\ub97c \uc124\uba85\ud558\ub294 \uace0\uae09 \uc815\ubcf4\uac00 \ud3ec\ud568\ub418\uc5b4 \uc788\uc2b5\ub2c8\ub2e4."}),"\n",(0,r.jsx)(n.h2,{id:"\uc778\uc99d\uc11c-\uad00\ub9ac",children:"\uc778\uc99d\uc11c \uad00\ub9ac"}),"\n",(0,r.jsx)(n.h3,{id:"\uc778\uc99d-\uae30\uad00-\uc778\uc99d\uc11c",children:"\uc778\uc99d \uae30\uad00 \uc778\uc99d\uc11c"}),"\n",(0,r.jsx)(n.p,{children:"K3s\ub294 \uccab \ubc88\uc9f8 \uc11c\ubc84 \ub178\ub4dc\ub97c \uc2dc\uc791\ud558\ub294 \ub3d9\uc548 \uc790\uccb4 \uc11c\uba85\ub41c CA(\uc778\uc99d \uae30\uad00) \uc778\uc99d\uc11c\ub97c \uc0dd\uc131\ud569\ub2c8\ub2e4. \uc774 CA \uc778\uc99d\uc11c\ub294 10\ub144 \ub3d9\uc548 \uc720\ud6a8\ud558\uba70 \uc790\ub3d9\uc73c\ub85c \uac31\uc2e0\ub418\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4."}),"\n",(0,r.jsxs)(n.p,{children:["\uc0ac\uc6a9\uc790 \uc9c0\uc815 CA \uc778\uc99d\uc11c \uc0ac\uc6a9 \ub610\ub294 \uc790\uccb4 \uc11c\uba85 CA \uc778\uc99d\uc11c \uac31\uc2e0\uc5d0 \ub300\ud55c \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,r.jsxs)(n.a,{href:"/kr/cli/certificate#certificate-authority-ca-certificates",children:[(0,r.jsx)(n.code,{children:"k3s \uc778\uc99d\uc11c rotate-ca"})," \uba85\ub839 \uc124\uba85\uc11c"]}),"\ub97c \ucc38\uc870\ud558\uc138\uc694."]}),"\n",(0,r.jsx)(n.h3,{id:"\ud074\ub77c\uc774\uc5b8\ud2b8-\ubc0f-\uc11c\ubc84-\uc778\uc99d\uc11c",children:"\ud074\ub77c\uc774\uc5b8\ud2b8 \ubc0f \uc11c\ubc84 \uc778\uc99d\uc11c"}),"\n",(0,r.jsx)(n.p,{children:"K3s \ud074\ub77c\uc774\uc5b8\ud2b8 \ubc0f \uc11c\ubc84 \uc778\uc99d\uc11c\ub294 \ubc1c\uae09\ud55c \ub0a0\ub85c\ubd80\ud130 365\uc77c \ub3d9\uc548 \uc720\ud6a8\ud569\ub2c8\ub2e4. \ub9cc\ub8cc\ub418\uc5c8\uac70\ub098 \ub9cc\ub8cc \ud6c4 90\uc77c \uc774\ub0b4\uc5d0 \ub9cc\ub8cc\ub41c \uc778\uc99d\uc11c\ub294 K3s\ub97c \uc2dc\uc791\ud560 \ub54c\ub9c8\ub2e4 \uc790\ub3d9\uc73c\ub85c \uac31\uc2e0\ub429\ub2c8\ub2e4."}),"\n",(0,r.jsxs)(n.p,{children:["\ud074\ub77c\uc774\uc5b8\ud2b8 \ubc0f \uc11c\ubc84 \uc778\uc99d\uc11c\ub97c \uc218\ub3d9\uc73c\ub85c \ub85c\ud14c\uc774\uc158\ud558\ub294 \uac83\uc5d0 \ub300\ud55c \uc815\ubcf4\ub294 ",(0,r.jsxs)(n.a,{href:"/kr/cli/certificate#client-and-server-certificates",children:[(0,r.jsx)(n.code,{children:"k3s \uc778\uc99d\uc11c \ub85c\ud14c\uc774\uc158"})," \uba85\ub839 \uc124\uba85\uc11c"]}),"\ub97c \ucc38\uc870\ud558\uc138\uc694."]}),"\n",(0,r.jsx)(n.h2,{id:"\ud1a0\ud070-\uad00\ub9ac",children:"\ud1a0\ud070 \uad00\ub9ac"}),"\n",(0,r.jsxs)(n.p,{children:["\uae30\ubcf8\uc801\uc73c\ub85c K3s\ub294 \uc11c\ubc84\uc640 \uc5d0\uc774\uc804\ud2b8 \ubaa8\ub450\uc5d0 \ub2e8\uc77c \uc815\uc801 \ud1a0\ud070\uc744 \uc0ac\uc6a9\ud569\ub2c8\ub2e4. \uc774 \ud1a0\ud070\uc740 \ud074\ub7ec\uc2a4\ud130\uac00 \uc0dd\uc131\ub41c \ud6c4\uc5d0\ub294 \ubcc0\uacbd\ud560 \uc218 \uc5c6\uc2b5\ub2c8\ub2e4.\n\uc5d0\uc774\uc804\ud2b8 \uc870\uc778\uc5d0\ub9cc \uc0ac\uc6a9\ud560 \uc218 \uc788\ub294 \ub450 \ubc88\uc9f8 \uc815\uc801 \ud1a0\ud070\uc744 \ud65c\uc131\ud654\ud558\uac70\ub098 \uc790\ub3d9\uc73c\ub85c \ub9cc\ub8cc\ub418\ub294 \uc784\uc2dc ",(0,r.jsx)(n.code,{children:"kubeadm"})," \uc2a4\ud0c0\uc77c \uc870\uc778 \ud1a0\ud070\uc744 \uc0dd\uc131\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4.\n\uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,r.jsxs)(n.a,{href:"/kr/cli/token",children:[(0,r.jsx)(n.code,{children:"k3s token"})," \uba85\ub839\uc5b4 \uc124\uba85\uc11c"]}),"\ub97c \ucc38\uace0\ud558\uc138\uc694."]}),"\n",(0,r.jsx)(n.h2,{id:"http-\ud504\ub85d\uc2dc-\uad6c\uc131\ud558\uae30",children:"HTTP \ud504\ub85d\uc2dc \uad6c\uc131\ud558\uae30"}),"\n",(0,r.jsx)(n.p,{children:"HTTP \ud504\ub85d\uc2dc\ub97c \ud1b5\ud574\uc11c\ub9cc \uc678\ubd80\uc640 \uc5f0\uacb0\ud560 \uc218 \uc788\ub294 \ud658\uacbd\uc5d0\uc11c K3s\ub97c \uc2e4\ud589\ud558\ub294 \uacbd\uc6b0, K3s \uc2dc\uc2a4\ud15c\ub4dc \uc11c\ube44\uc2a4\uc5d0\uc11c \ud504\ub85d\uc2dc \uc124\uc815\uc744 \uad6c\uc131\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \uadf8\ub7ec\uba74 \uc774 \ud504\ub85d\uc2dc \uc124\uc815\uc774 K3s\uc5d0\uc11c \uc0ac\uc6a9\ub418\uc5b4 \ub0b4\uc7a5 \ucee8\ud14c\uc774\ub108\uc640 kubelet\uc5d0 \uc804\ub2ec\ub429\ub2c8\ub2e4."}),"\n",(0,r.jsxs)(n.p,{children:["K3s \uc124\uce58 \uc2a4\ud06c\ub9bd\ud2b8\ub294 \uc790\ub3d9\uc73c\ub85c \ud604\uc7ac \uc178\uc5d0\uc11c ",(0,r.jsx)(n.code,{children:"HTTP_PROXY"}),", ",(0,r.jsx)(n.code,{children:"HTTPS_PROXY"})," \ubc0f ",(0,r.jsx)(n.code,{children:"NO_PROXY"})," \ubcc0\uc218\uc640 ",(0,r.jsx)(n.code,{children:"CONTAINERD_HTTP_PROXY"}),", ",(0,r.jsx)(n.code,{children:"CONTAINERD_HTTPS_PROXY"})," \ubc0f ",(0,r.jsx)(n.code,{children:"CONTAINERD_NO_PROXY"})," \ubcc0\uc218\uac00 \uc788\ub294 \uacbd\uc6b0 \uc774\ub97c systemd \uc11c\ube44\uc2a4\uc758 \ud658\uacbd \ud30c\uc77c\uc5d0 \uc791\uc131\ud569\ub2c8\ub2e4:"]}),"\n",(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsx)(n.li,{children:(0,r.jsx)(n.code,{children:"/etc/systemd/system/k3s.service.env"})}),"\n",(0,r.jsx)(n.li,{children:(0,r.jsx)(n.code,{children:"/etc/systemd/system/k3s-agent.service.env"})}),"\n"]}),"\n",(0,r.jsx)(n.p,{children:"\ubb3c\ub860 \uc774 \ud30c\uc77c\uc744 \ud3b8\uc9d1\ud558\uc5ec \ud504\ub85d\uc2dc\ub97c \uad6c\uc131\ud560 \uc218\ub3c4 \uc788\uc2b5\ub2c8\ub2e4."}),"\n",(0,r.jsxs)(n.p,{children:["K3s\ub294 \ud074\ub7ec\uc2a4\ud130 \ub0b4\ubd80 \ud30c\ub4dc \ubc0f \uc11c\ube44\uc2a4 IP \ubc94\uc704\uc640 \ud074\ub7ec\uc2a4\ud130 DNS \ub3c4\uba54\uc778\uc744 \uc790\ub3d9\uc73c\ub85c ",(0,r.jsx)(n.code,{children:"NO_PROXY"})," \ud56d\ubaa9 \ubaa9\ub85d\uc5d0 \ucd94\uac00\ud569\ub2c8\ub2e4. \ucfe0\ubc84\ub124\ud2f0\uc2a4 \ub178\ub4dc \uc790\uccb4\uc5d0\uc11c \uc0ac\uc6a9\ud558\ub294 IP \uc8fc\uc18c \ubc94\uc704(\uc989, \ub178\ub4dc\uc758 \ud37c\ube14\ub9ad \ubc0f \ud504\ub77c\uc774\ube57 IP)\uac00 ",(0,r.jsx)(n.code,{children:"NO_PROXY"})," \ubaa9\ub85d\uc5d0 \ud3ec\ud568\ub418\uc5b4 \uc788\ub294\uc9c0 \ub610\ub294 \ud504\ub85d\uc2dc\ub97c \ud1b5\ud574 \ub178\ub4dc\uc5d0 \ub3c4\ub2ec\ud560 \uc218 \uc788\ub294\uc9c0 \ud655\uc778\ud574\uc57c \ud569\ub2c8\ub2e4."]}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{children:"HTTP_PROXY=http://your-proxy.example.com:8888\nHTTPS_PROXY=http://your-proxy.example.com:8888\nNO_PROXY=127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16\n"})}),"\n",(0,r.jsxs)(n.p,{children:["K3s\uc640 Kubelet\uc5d0 \uc601\ud5a5\uc744 \uc8fc\uc9c0 \uc54a\uace0 \ucee8\ud14c\uc774\ub108\uc5d0 \ub300\ud55c \ud504\ub85d\uc2dc \uc124\uc815\uc744 \uad6c\uc131\ud558\ub824\uba74, \ubcc0\uc218 \uc55e\uc5d0 ",(0,r.jsx)(n.code,{children:"CONTAINERD_"}),"\ub97c \ubd99\uc774\uba74 \ub429\ub2c8\ub2e4:"]}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{children:"CONTAINERD_HTTP_PROXY=http://your-proxy.example.com:8888\nCONTAINERD_HTTPS_PROXY=http://your-proxy.example.com:8888\nCONTAINERD_NO_PROXY=127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16\n"})}),"\n",(0,r.jsx)(n.h2,{id:"\ucee8\ud14c\uc774\ub108-\ub7f0\ud0c0\uc784\uc73c\ub85c-docker-\uc0ac\uc6a9",children:"\ucee8\ud14c\uc774\ub108 \ub7f0\ud0c0\uc784\uc73c\ub85c Docker \uc0ac\uc6a9"}),"\n",(0,r.jsxs)(n.p,{children:["K3s\ub294 \uc5c5\uacc4 \ud45c\uc900 \ucee8\ud14c\uc774\ub108 \ub7f0\ud0c0\uc784\uc778 ",(0,r.jsx)(n.a,{href:"https://containerd.io/",children:"containerd"}),"\ub97c \ud3ec\ud568\ud558\uba70 \uae30\ubcf8\uac12\uc73c\ub85c \uc0ac\uc6a9\ud569\ub2c8\ub2e4.\n\ucfe0\ubc84\ub124\ud2f0\uc2a4 1.24\ubd80\ud130, kubelet\uc740 \ub354 \uc774\uc0c1 kubelet\uc774 dockerd\uc640 \ud1b5\uc2e0\ud560 \uc218 \uc788\ub3c4\ub85d \ud558\ub294 \ucef4\ud3ec\ub10c\ud2b8\uc778 dockershim\uc744 \ud3ec\ud568\ud558\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4.\nK3s 1.24 \uc774\uc0c1\uc5d0\ub294 ",(0,r.jsx)(n.a,{href:"https://github.com/Mirantis/cri-dockerd",children:"cri-dockerd"}),"\uac00 \ud3ec\ud568\ub418\uc5b4 \uc788\uc5b4 \uc774\uc804 \ub9b4\ub9ac\uc988\uc758 K3s\uc5d0\uc11c \uc6d0\ud65c\ud558\uac8c \uc5c5\uadf8\ub808\uc774\ub4dc\ud558\uba74\uc11c Docker \ucee8\ud14c\uc774\ub108 \ub7f0\ud0c0\uc784\uc744 \uacc4\uc18d \uc0ac\uc6a9\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."]}),"\n",(0,r.jsx)(n.p,{children:"\ucee8\ud14c\uc774\ub108 \ub300\uc2e0 Docker\ub97c \uc0ac\uc6a9\ud558\ub824\uba74:"}),"\n",(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsxs)(n.p,{children:["K3s \ub178\ub4dc\uc5d0 Docker\ub97c \uc124\uce58\ud569\ub2c8\ub2e4. \ub79c\ucc98\uc758 ",(0,r.jsx)(n.a,{href:"https://github.com/rancher/install-docker",children:"Docker \uc124\uce58 \uc2a4\ud06c\ub9bd\ud2b8"})," \uc911 \ud558\ub098\ub97c \uc0ac\uc6a9\ud558\uc5ec Docker\ub97c \uc124\uce58\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4:"]}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"curl https://releases.rancher.com/install-docker/20.10.sh | sh\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsxs)(n.p,{children:[(0,r.jsx)(n.code,{children:"--docker"})," \uc635\uc158\uc744 \uc0ac\uc6a9\ud558\uc5ec K3s\ub97c \uc124\uce58\ud569\ub2c8\ub2e4:"]}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | sh -s - --docker\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"\ud074\ub7ec\uc2a4\ud130\ub97c \uc0ac\uc6a9\ud560 \uc218 \uc788\ub294\uc9c0 \ud655\uc778\ud569\ub2c8\ub2e4:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"$ sudo k3s kubectl get pods --all-namespaces\nNAMESPACE NAME READY STATUS RESTARTS AGE\nkube-system local-path-provisioner-6d59f47c7-lncxn 1/1 Running 0 51s\nkube-system metrics-server-7566d596c8-9tnck 1/1 Running 0 51s\nkube-system helm-install-traefik-mbkn9 0/1 Completed 1 51s\nkube-system coredns-8655855d6-rtbnb 1/1 Running 0 51s\nkube-system svclb-traefik-jbmvl 2/2 Running 0 43s\nkube-system traefik-758cd5fc85-2wz97 1/1 Running 0 43s\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Docker \ucee8\ud14c\uc774\ub108\uac00 \uc2e4\ud589 \uc911\uc778\uc9c0 \ud655\uc778\ud569\ub2c8\ub2e4:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:'$ sudo docker ps\nCONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES\n3e4d34729602 897ce3c5fc8f "entry" About a minute ago Up About a minute k8s_lb-port-443_svclb-traefik-jbmvl_kube-system_d46f10c6-073f-4c7e-8d7a-8e7ac18f9cb0_0\nbffdc9d7a65f rancher/klipper-lb "entry" About a minute ago Up About a minute k8s_lb-port-80_svclb-traefik-jbmvl_kube-system_d46f10c6-073f-4c7e-8d7a-8e7ac18f9cb0_0\n436b85c5e38d rancher/library-traefik "/traefik --configfi\u2026" About a minute ago Up About a minute k8s_traefik_traefik-758cd5fc85-2wz97_kube-system_07abe831-ffd6-4206-bfa1-7c9ca4fb39e7_0\nde8fded06188 rancher/pause:3.1 "/pause" About a minute ago Up About a minute k8s_POD_svclb-traefik-jbmvl_kube-system_d46f10c6-073f-4c7e-8d7a-8e7ac18f9cb0_0\n7c6a30aeeb2f rancher/pause:3.1 "/pause" About a minute ago Up About a minute k8s_POD_traefik-758cd5fc85-2wz97_kube-system_07abe831-ffd6-4206-bfa1-7c9ca4fb39e7_0\nae6c58cab4a7 9d12f9848b99 "local-path-provisio\u2026" About a minute ago Up About a minute k8s_local-path-provisioner_local-path-provisioner-6d59f47c7-lncxn_kube-system_2dbd22bf-6ad9-4bea-a73d-620c90a6c1c1_0\nbe1450e1a11e 9dd718864ce6 "/metrics-server" About a minute ago Up About a minute k8s_metrics-server_metrics-server-7566d596c8-9tnck_kube-system_031e74b5-e9ef-47ef-a88d-fbf3f726cbc6_0\n4454d14e4d3f c4d3d16fe508 "/coredns -conf /etc\u2026" About a minute ago Up About a minute k8s_coredns_coredns-8655855d6-rtbnb_kube-system_d05725df-4fb1-410a-8e82-2b1c8278a6a1_0\nc3675b87f96c rancher/pause:3.1 "/pause" About a minute ago Up About a minute k8s_POD_coredns-8655855d6-rtbnb_kube-system_d05725df-4fb1-410a-8e82-2b1c8278a6a1_0\n4b1fddbe6ca6 rancher/pause:3.1 "/pause" About a minute ago Up About a minute k8s_POD_local-path-provisioner-6d59f47c7-lncxn_kube-system_2dbd22bf-6ad9-4bea-a73d-620c90a6c1c1_0\n64d3517d4a95 rancher/pause:3.1 "/pause"\n'})}),"\n"]}),"\n"]}),"\n",(0,r.jsx)(n.h2,{id:"etcdctl-\uc0ac\uc6a9\ud558\uae30",children:"etcdctl \uc0ac\uc6a9\ud558\uae30"}),"\n",(0,r.jsx)(n.p,{children:"etcdctl\uc740 etcd \uc11c\ubc84\uc640 \uc0c1\ud638 \uc791\uc6a9\ud558\uae30 \uc704\ud55c CLI\ub97c \uc81c\uacf5\ud569\ub2c8\ub2e4. K3s\ub294 etcdctl\uc744 \ubc88\ub4e4\ub85c \uc81c\uacf5\ud558\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4."}),"\n",(0,r.jsxs)(n.p,{children:["etcdctl\uc744 \uc0ac\uc6a9\ud558\uc5ec K3s\uc758 \ub0b4\uc7a5\ub41c etcd\uc640 \uc0c1\ud638 \uc791\uc6a9\ud558\ub824\uba74 ",(0,r.jsx)(n.a,{href:"https://etcd.io/docs/latest/install/",children:"\uacf5\uc2dd \ubb38\uc11c"}),"\ub97c \ucc38\uc870\ud558\uc5ec etcdctl\uc744 \uc124\uce58\ud558\uc138\uc694."]}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:'ETCD_VERSION="v3.5.5"\nETCD_URL="https://github.com/etcd-io/etcd/releases/download/${ETCD_VERSION}/etcd-${ETCD_VERSION}-linux-amd64.tar.gz"\ncurl -sL ${ETCD_URL} | sudo tar -zxv --strip-components=1 -C /usr/local/bin\n'})}),"\n",(0,r.jsx)(n.p,{children:"\uadf8\ub7f0 \ub2e4\uc74c \uc778\uc99d\uc5d0 K3s\uc5d0\uc11c \uad00\ub9ac\ud558\ub294 \uc778\uc99d\uc11c \ubc0f \ud0a4\ub97c \uc0ac\uc6a9\ud558\ub3c4\ub85d etcdctl\uc744 \uad6c\uc131\ud558\uc5ec \uc0ac\uc6a9\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"sudo etcdctl version \\\n --cacert=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt \\\n --cert=/var/lib/rancher/k3s/server/tls/etcd/client.crt \\\n --key=/var/lib/rancher/k3s/server/tls/etcd/client.key\n"})}),"\n",(0,r.jsx)(n.h2,{id:"\ucee8\ud14c\uc774\ub108-\uc124\uc815\ud558\uae30",children:"\ucee8\ud14c\uc774\ub108 \uc124\uc815\ud558\uae30"}),"\n",(0,r.jsxs)(n.p,{children:["K3s\ub294 ",(0,r.jsx)(n.code,{children:"/var/lib/rancher/k3s/agent/etc/containerd/config.toml"}),"\uc5d0 \ucee8\ud14c\uc774\ub108\uc5d0 \ub300\ud55c config.toml\uc744 \uc0dd\uc131\ud569\ub2c8\ub2e4."]}),"\n",(0,r.jsxs)(n.p,{children:["\uc774 \ud30c\uc77c\uc5d0 \ub300\ud55c \uace0\uae09 \ucee4\uc2a4\ud130\ub9c8\uc774\uc9d5\uc744 \uc704\ud574 \uac19\uc740 \ub514\ub809\ud130\ub9ac\uc5d0 ",(0,r.jsx)(n.code,{children:"config.toml.tmpl"}),"\uc774\ub77c\ub294 \ub2e4\ub978 \ud30c\uc77c\uc744 \uc0dd\uc131\ud558\uba74 \uc774 \ud30c\uc77c\uc774 \ub300\uc2e0 \uc0ac\uc6a9\ub41c\ub2e4."]}),"\n",(0,r.jsxs)(n.p,{children:[(0,r.jsx)(n.code,{children:"config.toml.tmpl"}),"\uc740 Go \ud15c\ud50c\ub9bf \ud30c\uc77c\ub85c \ucde8\uae09\ub418\uba70, ",(0,r.jsx)(n.code,{children:"config.Node"})," \uad6c\uc870\uac00 \ud15c\ud50c\ub9bf\uc73c\ub85c \uc804\ub2ec\ub429\ub2c8\ub2e4. \uc774 \uad6c\uc870\ub97c \uc0ac\uc6a9\ud558\uc5ec \uad6c\uc131 \ud30c\uc77c\uc744 \uc0ac\uc6a9\uc790 \uc815\uc758\ud558\ub294 \ubc29\ubc95\uc5d0 \ub300\ud55c Linux \ubc0f Windows \uc608\uc81c\ub294 ",(0,r.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/blob/master/pkg/agent/templates",children:"\uc774 \ud3f4\ub354"}),"\ub97c \ucc38\uc870\ud558\uc138\uc694.\nconfig.Node Go \uc5b8\uc5b4 \uad6c\uc870\uccb4\ub294 ",(0,r.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/blob/master/pkg/daemons/config/types.go#L37",children:"\uc5ec\uae30"}),"\uc5d0 \uc815\uc758\ub418\uc5b4 \uc788\uc2b5\ub2c8\ub2e4."]}),"\n",(0,r.jsx)(n.h2,{id:"nvidia-\ucee8\ud14c\uc774\ub108-\ub7f0\ud0c0\uc784-\uc9c0\uc6d0",children:"NVIDIA \ucee8\ud14c\uc774\ub108 \ub7f0\ud0c0\uc784 \uc9c0\uc6d0"}),"\n",(0,r.jsx)(n.p,{children:"K3s\ub294 K3s \uc2dc\uc791 \uc2dc NVIDIA \ucee8\ud14c\uc774\ub108 \ub7f0\ud0c0\uc784\uc774 \uc788\uc73c\uba74 \uc790\ub3d9\uc73c\ub85c \uac10\uc9c0\ud558\uc5ec \uc124\uc815\ud569\ub2c8\ub2e4."}),"\n",(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\uc544\ub798\uc758 \uc548\ub0b4\uc5d0 \ub530\ub77c \ub178\ub4dc\uc5d0 \uc5d4\ube44\ub514\uc544 \ucee8\ud14c\uc774\ub108 \ud328\ud0a4\uc9c0 \ub9ac\ud3ec\uc9c0\ud1a0\ub9ac\ub97c \uc124\uce58\ud569\ub2c8\ub2e4:\n",(0,r.jsx)(n.a,{href:"https://nvidia.github.io/libnvidia-container/",children:"https://nvidia.github.io/libnvidia-container/"})]}),"\n",(0,r.jsxs)(n.li,{children:["\uc5d4\ube44\ub514\uc544 \ucee8\ud14c\uc774\ub108 \ub7f0\ud0c0\uc784 \ud328\ud0a4\uc9c0\ub97c \uc124\uce58\ud569\ub2c8\ub2e4. \uc608\uc2dc:\n",(0,r.jsx)(n.code,{children:"apt install -y nvidia-container-runtime cuda-drivers-fabricmanager-515 nvidia-headless-515-server"})]}),"\n",(0,r.jsxs)(n.li,{children:["K3s\ub97c \uc124\uce58\ud558\uac70\ub098 \uc774\ubbf8 \uc124\uce58\ub418\uc5b4 \uc788\ub294 \uacbd\uc6b0 \ub2e4\uc2dc \uc2dc\uc791\ud569\ub2c8\ub2e4:\n",(0,r.jsx)(n.code,{children:"curl -ksL get.k3s.io | sh -"})]}),"\n",(0,r.jsxs)(n.li,{children:["k3s\uac00 \uc5d4\ube44\ub514\uc544 \ucee8\ud14c\uc774\ub108 \ub7f0\ud0c0\uc784\uc744 \ucc3e\uc558\ub294\uc9c0 \ud655\uc778\ud569\ub2c8\ub2e4:\n",(0,r.jsx)(n.code,{children:"grep nvidia /var/lib/rancher/k3s/agent/etc/containerd/config.toml"})]}),"\n"]}),"\n",(0,r.jsxs)(n.p,{children:["\uc774\ub807\uac8c \ud558\uba74 \ubc1c\uacac\ub41c \ub7f0\ud0c0\uc784 \uc2e4\ud589 \ud30c\uc77c\uc5d0 \ub530\ub77c \ucee8\ud14c\uc774\ub108 \uc124\uc815\uc5d0 ",(0,r.jsx)(n.code,{children:"nvidia"})," \ubc0f/\ub610\ub294 ",(0,r.jsx)(n.code,{children:"nvidia-experimental"})," \ub7f0\ud0c0\uc784\uc774 \uc790\ub3d9\uc73c\ub85c \ucd94\uac00\ub429\ub2c8\ub2e4.\n\uc5ec\uc804\ud788 \ud074\ub7ec\uc2a4\ud130\uc5d0 \ub7f0\ud0c0\uc784\ud074\ub798\uc2a4 \uc815\uc758\ub97c \ucd94\uac00\ud558\uace0, \ud30c\ub4dc \uc2a4\ud399\uc5d0\uc11c ",(0,r.jsx)(n.code,{children:"runtimeClassName: nvidia"}),"\ub97c \uc124\uc815\ud558\uc5ec \uc801\uc808\ud55c \ub7f0\ud0c0\uc784\uc744 \uba85\uc2dc\uc801\uc73c\ub85c \uc694\uccad\ud558\ub294 \ud30c\ub4dc\ub97c \ubc30\ud3ec\ud574\uc57c \ud569\ub2c8\ub2e4:"]}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-yaml",children:'apiVersion: node.k8s.io/v1\nkind: RuntimeClass\nmetadata:\n name: nvidia\nhandler: nvidia\n---\napiVersion: v1\nkind: Pod\nmetadata:\n name: nbody-gpu-benchmark\n namespace: default\nspec:\n restartPolicy: OnFailure\n runtimeClassName: nvidia\n containers:\n - name: cuda-container\n image: nvcr.io/nvidia/k8s/cuda-sample:nbody\n args: ["nbody", "-gpu", "-benchmark"]\n resources:\n limits:\n nvidia.com/gpu: 1\n env:\n - name: NVIDIA_VISIBLE_DEVICES\n value: all\n - name: NVIDIA_DRIVER_CAPABILITIES\n value: all\n'})}),"\n",(0,r.jsxs)(n.p,{children:["\uc5d4\ube44\ub514\uc544 \ucee8\ud14c\uc774\ub108 \ub7f0\ud0c0\uc784\uc740 ",(0,r.jsx)(n.a,{href:"https://github.com/NVIDIA/k8s-device-plugin/",children:"\uc5d4\ube44\ub514\uc544 \ub514\ubc14\uc774\uc2a4 \ud50c\ub7ec\uadf8\uc778"})," \ubc0f ",(0,r.jsx)(n.a,{href:"https://github.com/NVIDIA/gpu-feature-discovery/",children:"GPU \uae30\ub2a5 \uac80\uc0c9"}),"\uacfc \ud568\uaed8 \uc790\uc8fc \uc0ac\uc6a9\ub418\uba70, \uc704\uc5d0\uc11c \uc5b8\uae09\ud55c \uac83\ucc98\ub7fc \ud30c\ub4dc \uc0ac\uc591\uc5d0 ",(0,r.jsx)(n.code,{children:"runtimeClassName: nvidia"}),"\uac00 \ud3ec\ud568\ub418\ub3c4\ub85d \uc218\uc815\ud558\uc5ec \ubcc4\ub3c4\ub85c \uc124\uce58\ud574\uc57c \ud55c\ub2e4\ub294 \uc810\uc5d0 \uc720\uc758\ud558\uc138\uc694."]}),"\n",(0,r.jsx)(n.h2,{id:"\uc5d0\uc774\uc804\ud2b8-\uc5c6\ub294-\uc11c\ubc84-\uc2e4\ud589\ud558\uae30\uc2e4\ud5d8\uc801",children:"\uc5d0\uc774\uc804\ud2b8 \uc5c6\ub294 \uc11c\ubc84 \uc2e4\ud589\ud558\uae30(\uc2e4\ud5d8\uc801)"}),"\n",(0,r.jsxs)(n.blockquote,{children:["\n",(0,r.jsxs)(n.p,{children:[(0,r.jsx)(n.strong,{children:"\uacbd\uace0:"})," \uc774 \uae30\ub2a5\uc740 \uc2e4\ud5d8 \ub2e8\uacc4\uc785\ub2c8\ub2e4."]}),"\n"]}),"\n",(0,r.jsxs)(n.p,{children:[(0,r.jsx)(n.code,{children:"disable-agent"})," \ud50c\ub798\uadf8\ub85c \uc2dc\uc791\ud558\uba74, \uc11c\ubc84\ub294 kubelet, \ucee8\ud14c\uc774\ub108 \ub7f0\ud0c0\uc784 \ub610\ub294 CNI\ub97c \uc2e4\ud589\ud558\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4. \ud074\ub7ec\uc2a4\ud130\uc5d0 \ub178\ub4dc \ub9ac\uc18c\uc2a4\ub97c \ub4f1\ub85d\ud558\uc9c0 \uc54a\uc73c\uba70, ",(0,r.jsx)(n.code,{children:"kubectl get nodes"})," \ucd9c\ub825\uc5d0 \ub098\ud0c0\ub098\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4.\n\uc5d0\uc774\uc804\ud2b8\ub9ac\uc2a4 \uc11c\ubc84\ub294 kubelet\uc744 \ud638\uc2a4\ud2b8\ud558\uc9c0 \uc54a\uae30 \ub54c\ubb38\uc5d0, \ud30c\ub4dc\ub97c \uc2e4\ud589\ud558\uac70\ub098 \ub0b4\uc7a5\ub41c etcd \ucee8\ud2b8\ub864\ub7ec \ubc0f \uc2dc\uc2a4\ud15c \uc5c5\uadf8\ub808\uc774\ub4dc \ucee8\ud2b8\ub864\ub7ec\ub97c \ud3ec\ud568\ud558\uc5ec \ud074\ub7ec\uc2a4\ud130 \ub178\ub4dc\ub97c \uc5f4\uac70\ud558\ub294 \ub370 \uc758\uc874\ud558\ub294 \uc6b4\uc601\uc790\uac00 \uad00\ub9ac\ud560 \uc218 \uc5c6\uc2b5\ub2c8\ub2e4."]}),"\n",(0,r.jsx)(n.p,{children:"\uc5d0\uc774\uc804\ud2b8\ub9ac\uc2a4 \uc11c\ubc84\ub97c \uc2e4\ud589\ud558\ub294 \uac83\uc740 \ud074\ub7ec\uc2a4\ud130 \uc6b4\uc601\uc790 \uc9c0\uc6d0 \ubd80\uc871\uc73c\ub85c \uc778\ud55c \uad00\ub9ac \uc624\ubc84\ud5e4\ub4dc \uc99d\uac00\ub97c \uac10\uc218\ud558\uace0\uc11c\ub77c\ub3c4 \uc5d0\uc774\uc804\ud2b8\uc640 \uc6cc\ud06c\ub85c\ub4dc\uc5d0 \uc758\ud55c \uac80\uc0c9\uc73c\ub85c\ubd80\ud130 \ucee8\ud2b8\ub864 \ud50c\ub808\uc778 \ub178\ub4dc\ub97c \uc228\uae30\uace0\uc790 \ud558\ub294 \uacbd\uc6b0\uc5d0 \uc720\ub9ac\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."}),"\n",(0,r.jsx)(n.h2,{id:"\ub8e8\ud2b8\ub9ac\uc2a4-\uc11c\ubc84-\uc2e4\ud589\uc2e4\ud5d8\uc801",children:"\ub8e8\ud2b8\ub9ac\uc2a4 \uc11c\ubc84 \uc2e4\ud589(\uc2e4\ud5d8\uc801)"}),"\n",(0,r.jsxs)(n.blockquote,{children:["\n",(0,r.jsxs)(n.p,{children:[(0,r.jsx)(n.strong,{children:"\uacbd\uace0:"})," \uc774 \uae30\ub2a5\uc740 \uc2e4\ud5d8 \ub2e8\uacc4\uc785\ub2c8\ub2e4."]}),"\n"]}),"\n",(0,r.jsx)(n.p,{children:"\ub8e8\ud2b8\ub9ac\uc2a4 \ubaa8\ub4dc\ub294 \uc7a0\uc7ac\uc801\uc778 \ucee8\ud14c\uc774\ub108 \ube0c\ub808\uc774\ud06c\uc544\uc6c3 \uacf5\uaca9\uc73c\ub85c\ubd80\ud130 \ud638\uc2a4\ud2b8\uc758 \uc2e4\uc81c \ub8e8\ud2b8\ub97c \ubcf4\ud638\ud558\uae30 \uc704\ud574 \uad8c\ud55c\uc774 \uc5c6\ub294 \uc0ac\uc6a9\uc790\ub85c K3s \uc11c\ubc84\ub97c \uc2e4\ud589\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."}),"\n",(0,r.jsxs)(n.p,{children:["\ub8e8\ud2b8\ub9ac\uc2a4 \ucfe0\ubc84\ub124\ud2f0\uc2a4\uc5d0 \ub300\ud55c \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,r.jsx)(n.a,{href:"https://rootlesscontaine.rs/",children:"https://rootlesscontaine.rs/"})," \uc744 \ucc38\uc870\ud558\uc138\uc694."]}),"\n",(0,r.jsx)(n.h3,{id:"\ub8e8\ud2b8\ub9ac\uc2a4-\ubaa8\ub4dc\uc758-\uc54c\ub824\uc9c4-\uc774\uc288",children:"\ub8e8\ud2b8\ub9ac\uc2a4 \ubaa8\ub4dc\uc758 \uc54c\ub824\uc9c4 \uc774\uc288"}),"\n",(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:(0,r.jsx)(n.strong,{children:"\ud3ec\ud2b8"})}),"\n",(0,r.jsx)(n.p,{children:"\ub8e8\ud2b8\ub9ac\uc2a4 \uc2e4\ud589 \uc2dc \uc0c8\ub85c\uc6b4 \ub124\ud2b8\uc6cc\ud06c \ub124\uc784\uc2a4\ud398\uc774\uc2a4\uac00 \uc0dd\uc131\ub429\ub2c8\ub2e4. \uc774\ub294 K3s \uc778\uc2a4\ud134\uc2a4\uac00 \ud638\uc2a4\ud2b8\uc640 \ub124\ud2b8\uc6cc\ud0b9\uc774 \uc0c1\ub2f9\ud788 \ubd84\ub9ac\ub41c \uc0c1\ud0dc\ub85c \uc2e4\ud589\ub41c\ub2e4\ub294 \uac83\uc744 \uc758\ubbf8\ud569\ub2c8\ub2e4.\n\ud638\uc2a4\ud2b8\uc5d0\uc11c K3s\uc5d0\uc11c \uc2e4\ud589\ub418\ub294 \uc11c\ube44\uc2a4\uc5d0 \uc561\uc138\uc2a4\ud558\ub294 \uc720\uc77c\ud55c \ubc29\ubc95\uc740 K3s \ub124\ud2b8\uc6cc\ud06c \ub124\uc784\uc2a4\ud398\uc774\uc2a4\uc5d0 \ud3ec\ud2b8 \ud3ec\uc6cc\ub4dc\ub97c \uc124\uc815\ud558\ub294 \uac83\uc785\ub2c8\ub2e4.\n\ub8e8\ud2b8\ub9ac\uc2a4 K3s\uc5d0\ub294 6443 \ubc0f 1024 \ubbf8\ub9cc\uc758 \uc11c\ube44\uc2a4 \ud3ec\ud2b8\ub97c 10000 \uc624\ud504\uc14b\uc73c\ub85c \ud638\uc2a4\ud2b8\uc5d0 \uc790\ub3d9\uc73c\ub85c \ubc14\uc778\ub529\ud558\ub294 \ucee8\ud2b8\ub864\ub7ec\uac00 \ud3ec\ud568\ub418\uc5b4 \uc788\uc2b5\ub2c8\ub2e4."}),"\n",(0,r.jsx)(n.p,{children:"\uc608\ub97c \ub4e4\uc5b4, \ud3ec\ud2b8 80\uc758 \uc11c\ube44\uc2a4\ub294 \ud638\uc2a4\ud2b8\uc5d0\uc11c 10080\uc774 \ub418\uc9c0\ub9cc 8080\uc740 \uc624\ud504\uc14b \uc5c6\uc774 8080\uc774 \ub429\ub2c8\ub2e4. \ud604\uc7ac \ub85c\ub4dc\ubc38\ub7f0\uc11c \uc11c\ube44\uc2a4\ub9cc \uc790\ub3d9\uc73c\ub85c \ubc14\uc778\ub529\ub429\ub2c8\ub2e4."}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:(0,r.jsx)(n.strong,{children:"Cgroup"})}),"\n",(0,r.jsx)(n.p,{children:'Cgroup v1 \ubc0f \ud558\uc774\ube0c\ub9ac\ub4dc v1/v2\ub294 \uc9c0\uc6d0\ub418\uc9c0 \uc54a\uc73c\uba70, \uc21c\uc218 Cgroup v2\ub9cc \uc9c0\uc6d0\ub429\ub2c8\ub2e4. \ub8e8\ud2b8\ub9ac\uc2a4 \uc2e4\ud589 \uc2dc \ub204\ub77d\ub41c Cgroup\uc73c\ub85c \uc778\ud574 K3s\uac00 \uc2dc\uc791\ub418\uc9c0 \uc54a\ub294 \uacbd\uc6b0, \ub178\ub4dc\uac00 \ud558\uc774\ube0c\ub9ac\ub4dc \ubaa8\ub4dc\uc5d0 \uc788\uace0 "\ub204\ub77d\ub41c" Cgroup\uc774 \uc5ec\uc804\ud788 v1 \ucee8\ud2b8\ub864\ub7ec\uc5d0 \ubc14\uc778\ub529\ub418\uc5b4 \uc788\uc744 \uac00\ub2a5\uc131\uc774 \ub192\uc2b5\ub2c8\ub2e4.'}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:(0,r.jsx)(n.strong,{children:"\uba40\ud2f0\ub178\ub4dc/\uba40\ud2f0\ud504\ub85c\uc138\uc2a4 \ud074\ub7ec\uc2a4\ud130"})}),"\n",(0,r.jsxs)(n.p,{children:["\ub2e4\uc911 \ub178\ub4dc \ub8e8\ud2b8\ub9ac\uc2a4 \ud074\ub7ec\uc2a4\ud130 \ub610\ub294 \ub3d9\uc77c\ud55c \ub178\ub4dc\uc5d0 \uc788\ub294 \uc5ec\ub7ec \uac1c\uc758 \ub8e8\ud2b8\ub9ac\uc2a4 k3s \ud504\ub85c\uc138\uc2a4\ub294 \ud604\uc7ac \uc9c0\uc6d0\ub418\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4. \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,r.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/issues/6488#issuecomment-1314998091",children:"#6488"}),"\uc744 \ucc38\uc870\ud558\uc138\uc694."]}),"\n"]}),"\n"]}),"\n",(0,r.jsx)(n.h3,{id:"\ub8e8\ud2b8\ub9ac\uc2a4-\uc11c\ubc84-\uc2dc\uc791\ud558\uae30",children:"\ub8e8\ud2b8\ub9ac\uc2a4 \uc11c\ubc84 \uc2dc\uc791\ud558\uae30"}),"\n",(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsxs)(n.p,{children:[(0,r.jsx)(n.a,{href:"https://rootlesscontaine.rs/getting-started/common/cgroup2/",children:"https://rootlesscontaine.rs/getting-started/common/cgroup2/"})," \uc744 \ucc38\uc870\ud558\uc5ec cgroup v2 \uc704\uc784\uc744 \ud65c\uc131\ud654\ud569\ub2c8\ub2e4.\n\uc774 \ub2e8\uacc4\ub294 \ud544\uc218\uc774\uba70, \uc801\uc808\ud55c cgroups\uac00 \uc704\uc784\ub418\uc9c0 \uc54a\uc73c\uba74 \ub8e8\ud2b8\ub9ac\uc2a4 kubelet\uc744 \uc2dc\uc791\ud558\uc9c0 \ubabb\ud569\ub2c8\ub2e4."]}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsxs)(n.p,{children:[(0,r.jsx)(n.code,{children:"https://github.com/k3s-io/k3s/blob/<VERSION>/k3s-rootless.service"}),"](",(0,r.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/blob/master/k3s-rootless.service)%EC%97%90%EC%84%9C",children:"https://github.com/k3s-io/k3s/blob/master/k3s-rootless.service)\uc5d0\uc11c"})," ",(0,r.jsx)(n.code,{children:"k3s-rootless.service"}),"\ub97c \ub2e4\uc6b4\ub85c\ub4dc\ud55c\ub2e4.\n",(0,r.jsx)(n.code,{children:"k3s-rootless.service"}),"\uc640 ",(0,r.jsx)(n.code,{children:"k3s"}),"\uc758 \ubc84\uc804\uc774 \uac19\uc740 \uac83\uc744 \uc0ac\uc6a9\ud574\uc57c \ud569\ub2c8\ub2e4."]}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsxs)(n.p,{children:[(0,r.jsx)(n.code,{children:"k3s-rootless.service"}),"\ub97c ",(0,r.jsx)(n.code,{children:"~/.config/systemd/user/k3s-rootless.service"}),"\uc5d0 \uc124\uce58\ud569\ub2c8\ub2e4.\n\uc774 \ud30c\uc77c\uc744 \uc2dc\uc2a4\ud15c \uc804\uccb4 \uc11c\ube44\uc2a4(",(0,r.jsx)(n.code,{children:"/etc/systemd/..."}),")\ub85c \uc124\uce58\ud558\ub294 \uac83\uc740 \uc9c0\uc6d0\ub418\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4.\n",(0,r.jsx)(n.code,{children:"k3s"})," \ubc14\uc774\ub108\ub9ac\uc758 \uacbd\ub85c\uc5d0 \ub530\ub77c \ud30c\uc77c\uc758 ",(0,r.jsx)(n.code,{children:"ExecStart=/usr/local/bin/k3s ..."})," \ud589\uc744 \uc218\uc815\ud574\uc57c \ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."]}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsxs)(n.p,{children:[(0,r.jsx)(n.code,{children:"systemctl --user daemon-reload"}),"\ub97c \uc2e4\ud589\ud569\ub2c8\ub2e4."]}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsxs)(n.p,{children:[(0,r.jsx)(n.code,{children:"systemctl --user enable --now k3s-rootless"}),"\ub97c \uc2e4\ud589\ud55c\ub2e4."]}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsxs)(n.p,{children:[(0,r.jsx)(n.code,{children:"KUBECONFIG=~/.kube/k3s.yaml kubectl get pods -A"}),"\ub97c \uc2e4\ud589\ud558\uace0, \ud30c\ub4dc\uac00 \uc2e4\ud589 \uc911\uc778\uc9c0 \ud655\uc778\ud55c\ub2e4."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(n.blockquote,{children:["\n",(0,r.jsxs)(n.p,{children:["\ucc38\uace0: \ud130\ubbf8\ub110 \uc138\uc158\uc740 cgroups v2 \uc704\uc784\uc744 \ud5c8\uc6a9\ud558\uc9c0 \uc54a\uc73c\ubbc0\ub85c \ud130\ubbf8\ub110\uc5d0\uc11c ",(0,r.jsx)(n.code,{children:"k3s server --rootless"}),"\ub97c \uc2e4\ud589\ud558\uc9c0 \uc54a\ub294\ub2e4.\n\ud130\ubbf8\ub110\uc5d0\uc11c \uaf2d \uc2e4\ud589\ud574\uc57c \ud558\ub294 \uacbd\uc6b0, ",(0,r.jsx)(n.code,{children:"systemd-run --user -p Delegate=yes --tty k3s server --roolless"}),"\ub97c \uc0ac\uc6a9\ud558\uc5ec systemd \ubc94\uc704\ub85c \ub798\ud551\ud569\ub2c8\ub2e4."]}),"\n"]}),"\n",(0,r.jsx)(n.h3,{id:"\uace0\uae09-\ub8e8\ud2b8\ub9ac\uc2a4-\uad6c\uc131",children:"\uace0\uae09 \ub8e8\ud2b8\ub9ac\uc2a4 \uad6c\uc131"}),"\n",(0,r.jsxs)(n.p,{children:["\ub8e8\ud2b8\ub9ac\uc2a4 K3s\ub294 \ud638\uc2a4\ud2b8\uc640 \uc0ac\uc6a9\uc790 \ub124\ud2b8\uc6cc\ud06c \ub124\uc784\uc2a4\ud398\uc774\uc2a4 \uac04 \ud1b5\uc2e0\uc744 \uc704\ud574 ",(0,r.jsx)(n.a,{href:"https://github.com/rootless-containers/rootlesskit",children:"rootlesskit"})," \ubc0f ",(0,r.jsx)(n.a,{href:"https://github.com/rootless-containers/slirp4netns",children:"slirp4netns"}),"\ub97c \uc0ac\uc6a9\ud569\ub2c8\ub2e4.\n\ub8e8\ud2b8\ub9ac\uc2a4\ud0b7\uacfc slirp4net\uc5d0\uc11c \uc0ac\uc6a9\ud558\ub294 \uad6c\uc131 \uc911 \uc77c\ubd80\ub294 \ud658\uacbd \ubcc0\uc218\ub85c \uc124\uc815\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \uc774\ub97c \uc124\uc815\ud558\ub294 \uac00\uc7a5 \uc88b\uc740 \ubc29\ubc95\uc740 k3s-rootless systemd \uc720\ub2db\uc758 ",(0,r.jsx)(n.code,{children:"Environment"})," \ud544\ub4dc\uc5d0 \ucd94\uac00\ud558\ub294 \uac83\uc785\ub2c8\ub2e4."]}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Variable"}),(0,r.jsx)(n.th,{children:"Default"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsxs)(n.tbody,{children:[(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_ROOTLESS_MTU"})}),(0,r.jsx)(n.td,{children:"1500"}),(0,r.jsx)(n.td,{children:"slirp4netns \uac00\uc0c1 \uc778\ud130\ud398\uc774\uc2a4\uc758 MTU\ub97c \uc124\uc815\ud569\ub2c8\ub2e4."})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_ROOTLESS_CIDR"})}),(0,r.jsx)(n.td,{children:"10.41.0.0/16"}),(0,r.jsx)(n.td,{children:"slirp4netns \uac00\uc0c1 \uc778\ud130\ud398\uc774\uc2a4\uc5d0\uc11c \uc0ac\uc6a9\ud558\ub294 CIDR\uc744 \uc124\uc815\ud569\ub2c8\ub2e4."})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_ROOTLESS_ENABLE_IPV6"})}),(0,r.jsx)(n.td,{children:"autotedected"}),(0,r.jsx)(n.td,{children:"Enables slirp4netns IPv6 \uc9c0\uc6d0. \uc9c0\uc815\ud558\uc9c0 \uc54a\uc73c\uba74 K3\uac00 \ub4c0\uc5bc \uc2a4\ud0dd \uc791\ub3d9\uc744 \uc704\ud574 \uad6c\uc131\ub418\uba74 \uc790\ub3d9\uc73c\ub85c \ud65c\uc131\ud654\ub429\ub2c8\ub2e4."})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_ROOTLESS_PORT_DRIVER"})}),(0,r.jsx)(n.td,{children:"builtin"}),(0,r.jsxs)(n.td,{children:["\ub8e8\ud2b8\ub9ac\uc2a4 \ud3ec\ud2b8 \ub4dc\ub77c\uc774\ubc84\ub97c \uc120\ud0dd\ud569\ub2c8\ub2e4. ",(0,r.jsx)(n.code,{children:"builtin"})," \ub610\ub294 ",(0,r.jsx)(n.code,{children:"slirp4netns"})," \uc911 \ud558\ub098\ub97c \uc120\ud0dd\ud569\ub2c8\ub2e4. \ube4c\ud2b8\uc778\uc774 \ub354 \ube60\ub974\uc9c0\ub9cc \uc778\ubc14\uc6b4\ub4dc \ud328\ud0b7\uc758 \uc6d0\ub798 \uc18c\uc2a4 \uc8fc\uc18c\ub97c \uac00\uc7a5\ud569\ub2c8\ub2e4."]})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_ROOTLESS_DISABLE_HOST_LOOPBACK"})}),(0,r.jsx)(n.td,{children:"true"}),(0,r.jsx)(n.td,{children:"\uac8c\uc774\ud2b8\uc6e8\uc774 \uc778\ud130\ud398\uc774\uc2a4\ub97c \ud1b5\ud55c \ud638\uc2a4\ud2b8\uc758 \ub8e8\ud504\ubc31 \uc8fc\uc18c\uc5d0 \ub300\ud55c \uc561\uc138\uc2a4\ub97c \uc0ac\uc6a9\ud560\uc9c0 \uc5ec\ubd80\ub97c \uc81c\uc5b4\ud569\ub2c8\ub2e4. \ubcf4\uc548\uc0c1\uc758 \uc774\uc720\ub85c \ubcc0\uacbd\ud558\uc9c0 \uc54a\ub294 \uac83\uc774 \uc88b\uc2b5\ub2c8\ub2e4."})]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"\ub8e8\ud2b8\ub9ac\uc2a4-\ubb38\uc81c-\ud574\uacb0\ud558\uae30",children:"\ub8e8\ud2b8\ub9ac\uc2a4 \ubb38\uc81c \ud574\uacb0\ud558\uae30"}),"\n",(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.code,{children:"systemctl --user status k3s-rootless"}),"\ub97c \uc2e4\ud589\ud558\uc5ec \ub370\ubaac \uc0c1\ud0dc\ub97c \ud655\uc778\ud569\ub2c8\ub2e4."]}),"\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.code,{children:"journalctl --user -f -u k3s-rootless"}),"\ub97c \uc2e4\ud589\ud558\uc5ec \ub370\ubaac \ub85c\uadf8\ub97c \ud655\uc778\ud569\ub2c8\ub2e4."]}),"\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.a,{href:"https://rootlesscontaine.rs/",children:"https://rootlesscontaine.rs/"})," \ucc38\uc870"]}),"\n"]}),"\n",(0,r.jsx)(n.h2,{id:"\ub178\ub4dc-\ub808\uc774\ube14-\ubc0f-\ud14c\uc778\ud2b8",children:"\ub178\ub4dc \ub808\uc774\ube14 \ubc0f \ud14c\uc778\ud2b8"}),"\n",(0,r.jsxs)(n.p,{children:["K3s \uc5d0\uc774\uc804\ud2b8\ub294 ",(0,r.jsx)(n.code,{children:"--node-label"})," \ubc0f ",(0,r.jsx)(n.code,{children:"--node-taint"})," \uc635\uc158\uc73c\ub85c \uad6c\uc131\ud560 \uc218 \uc788\uc73c\uba70, \uc774 \uc635\uc158\uc740 kubelet\uc5d0 \ub808\uc774\ube14\uacfc \ud14c\uc778\ud2b8\ub97c \ucd94\uac00\ud569\ub2c8\ub2e4. \uc774 \ub450 \uc635\uc158\uc740 [\ub4f1\ub85d \uc2dc\uc810\uc5d0] \ub808\uc774\ube14 \ubc0f/\ub610\ub294 \ud14c\uc778\ud2b8\ub9cc \ucd94\uac00\ud558\ubbc0\ub85c(./cli/agent.md#node-labels-and-taints-for-agents), \ub178\ub4dc\uac00 \ud074\ub7ec\uc2a4\ud130\uc5d0 \ucc98\uc74c \uc870\uc778\ub420 \ub54c\ub9cc \uc124\uc815\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."]}),"\n",(0,r.jsxs)(n.p,{children:["\ud604\uc7ac \ubaa8\ub4e0 \ubc84\uc804\uc758 \ucfe0\ubc84\ub124\ud2f0\uc2a4\ub294 \ub178\ub4dc\uac00 ",(0,r.jsx)(n.code,{children:"kubernetes.io"})," \ubc0f ",(0,r.jsx)(n.code,{children:"k8s.io"})," \uc811\ub450\uc0ac\uac00 \ud3ec\ud568\ub41c \ub300\ubd80\ubd84\uc758 \ub808\uc774\ube14, \ud2b9\ud788 ",(0,r.jsx)(n.code,{children:"kubernetes.io/role"})," \ub808\uc774\ube14\uc5d0 \ub4f1\ub85d\ud558\ub294 \uac83\uc744 \uc81c\ud55c\ud569\ub2c8\ub2e4. \ud5c8\uc6a9\ub418\uc9c0 \uc54a\ub294 \ub808\uc774\ube14\uc744 \uac00\uc9c4 \ub178\ub4dc\ub97c \uc2dc\uc791\ud558\ub824\uace0 \ud558\uba74 K3s\uac00 \uc2dc\uc791\ub418\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4. \ucfe0\ubc84\ub124\ud2f0\uc2a4 \uc791\uc131\uc790\uac00 \uc5b8\uae09\ud588\ub4ef\uc774:"]}),"\n",(0,r.jsxs)(n.blockquote,{children:["\n",(0,r.jsx)(n.p,{children:"\ub178\ub4dc\ub294 \uc790\uccb4 \uc5ed\ud560 \ub808\uc774\ube14\uc744 \uc5b4\uc124\ud2b8\ud558\ub294 \uac83\uc774 \ud5c8\uc6a9\ub418\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4. \ub178\ub4dc \uc5ed\ud560\uc740 \uc77c\ubc18\uc801\uc73c\ub85c \uad8c\ud55c \ub610\ub294 \ucee8\ud2b8\ub864 \ud50c\ub808\uc778 \uc720\ud615\uc758 \ub178\ub4dc\ub97c \uc2dd\ubcc4\ud558\ub294 \ub370 \uc0ac\uc6a9\ub418\uba70, \ub178\ub4dc\uac00 \ud574\ub2f9 \ud480\uc5d0 \ub808\uc774\ube14\uc744 \uc9c0\uc815\ud558\ub3c4\ub85d \ud5c8\uc6a9\ud558\uba74 \uc190\uc0c1\ub41c \ub178\ub4dc\uac00 \ub354 \ub192\uc740 \uad8c\ud55c \uc790\uaca9 \uc99d\uba85\uc5d0 \ub300\ud55c \uc561\uc138\uc2a4 \uad8c\ud55c\uc744 \ubd80\uc5ec\ud558\ub294 \uc6cc\ud06c\ub85c\ub4dc(\uc608: \ucee8\ud2b8\ub864 \ud50c\ub808\uc778 \ub370\ubaac\uc14b)\ub97c \uc0ac\uc18c\ud558\uac8c \ub04c\uc5b4\ub4e4\uc77c \uc218 \uc788\uc2b5\ub2c8\ub2e4."}),"\n"]}),"\n",(0,r.jsxs)(n.p,{children:["\uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,r.jsx)(n.a,{href:"https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/279-limit-node-access/README.md#proposal",children:"SIG-Auth KEP 279"}),"\ub97c \ucc38\uc870\ud558\uc138\uc694."]}),"\n",(0,r.jsxs)(n.p,{children:["\ub178\ub4dc \ub4f1\ub85d \ud6c4 \ub178\ub4dc \ub808\uc774\ube14\uacfc \ud2f4\ud2b8\ub97c \ubcc0\uacbd\ud558\uac70\ub098 \uc608\uc57d \ub808\uc774\ube14\uc744 \ucd94\uac00\ud558\ub824\uba74 ",(0,r.jsx)(n.code,{children:"kubectl"}),"\uc744 \uc0ac\uc6a9\ud574\uc57c \ud569\ub2c8\ub2e4. ",(0,r.jsx)(n.a,{href:"https://kubernetes.io/ko/docs/concepts/scheduling-eviction/taint-and-toleration/",children:"taint"})," \ubc0f ",(0,r.jsx)(n.a,{href:"https://kubernetes.io/ko/docs/tasks/configure-pod-container/assign-pods-nodes/#add-a-label-to-a-node",children:"\ub178\ub4dc \ub808\uc774\ube14"}),"\uc744 \ucd94\uac00\ud558\ub294 \ubc29\ubc95\uc5d0 \ub300\ud55c \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 \ucfe0\ubc84\ub124\ud2f0\uc2a4 \uacf5\uc2dd \ubb38\uc11c\ub97c \ucc38\uace0\ud558\uc138\uc694."]}),"\n",(0,r.jsx)(n.h2,{id:"\uc124\uce58-\uc2a4\ud06c\ub9bd\ud2b8\ub85c-\uc11c\ube44\uc2a4-\uc2dc\uc791\ud558\uae30",children:"\uc124\uce58 \uc2a4\ud06c\ub9bd\ud2b8\ub85c \uc11c\ube44\uc2a4 \uc2dc\uc791\ud558\uae30"}),"\n",(0,r.jsx)(n.p,{children:"\uc124\uce58 \uc2a4\ud06c\ub9bd\ud2b8\ub294 \uc124\uce58 \ud504\ub85c\uc138\uc2a4\uc758 \uc77c\ubd80\ub85c OS\uac00 systemd \ub610\ub294 openrc\ub97c \uc0ac\uc6a9\ud558\ub294\uc9c0 \uc790\ub3d9\uc73c\ub85c \uac10\uc9c0\ud558\uace0 \uc11c\ube44\uc2a4\ub97c \ud65c\uc131\ud654 \ubc0f \uc2dc\uc791\ud569\ub2c8\ub2e4."}),"\n",(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsxs)(n.li,{children:["openrc\ub85c \uc2e4\ud589\ud558\uba74 ",(0,r.jsx)(n.code,{children:"/var/log/k3s.log"}),"\uc5d0 \ub85c\uadf8\uac00 \uc0dd\uc131\ub429\ub2c8\ub2e4."]}),"\n",(0,r.jsxs)(n.li,{children:["systemd\ub85c \uc2e4\ud589\ud558\ub294 \uacbd\uc6b0, ",(0,r.jsx)(n.code,{children:"/var/log/syslog"}),"\uc5d0 \ub85c\uadf8\uac00 \uc0dd\uc131\ub418\uba70 ",(0,r.jsx)(n.code,{children:"journalctl -u k3s"}),"(\ub610\ub294 \uc5d0\uc774\uc804\ud2b8\uc5d0\uc11c\ub294 ",(0,r.jsx)(n.code,{children:"journalctl -u k3s-agent"}),")\ub97c \uc0ac\uc6a9\ud558\uc5ec \ub85c\uadf8\ub97c \ud655\uc778\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."]}),"\n"]}),"\n",(0,r.jsx)(n.p,{children:"\uc124\uce58 \uc2a4\ud06c\ub9bd\ud2b8\ub85c \uc790\ub3d9 \uc2dc\uc791 \ubc0f \uc11c\ube44\uc2a4 \ud65c\uc131\ud654\ub97c \ube44\ud65c\uc131\ud654\ud558\ub294 \uc608\uc81c\uc785\ub2c8\ub2e4:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | INSTALL_K3S_SKIP_START=true INSTALL_K3S_SKIP_ENABLE=true sh -\n"})}),"\n",(0,r.jsx)(n.h2,{id:"\ucd94\uac00-os-\uc900\ube44-\uc0ac\ud56d",children:"\ucd94\uac00 OS \uc900\ube44 \uc0ac\ud56d"}),"\n",(0,r.jsx)(n.h3,{id:"\uc774\uc804-iptables-\ubc84\uc804",children:"\uc774\uc804 iptables \ubc84\uc804"}),"\n",(0,r.jsxs)(n.p,{children:["\uba87\uba87 \uc720\uba85 Linux \ubc30\ud3ec\ud310\uc5d0\ub294 \uc911\ubcf5 \uaddc\uce59\uc774 \ub204\uc801\ub418\uc5b4 \ub178\ub4dc\uc758 \uc131\ub2a5\uacfc \uc548\uc815\uc131\uc5d0 \ubd80\uc815\uc801\uc778 \uc601\ud5a5\uc744 \uc8fc\ub294 \ubc84\uadf8\uac00 \ud3ec\ud568\ub41c \ubc84\uc804\uc758 iptables\uac00 \ud3ec\ud568\ub418\uc5b4 \uc788\uc2b5\ub2c8\ub2e4. \uc774 \ubb38\uc81c\uc758 \uc601\ud5a5\uc744 \ubc1b\ub294\uc9c0 \ud655\uc778\ud558\ub294 \ubc29\ubc95\uc5d0 \ub300\ud55c \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,r.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/issues/3117",children:"Issue #3117"}),"\uc744 \ucc38\uc870\ud558\uc138\uc694."]}),"\n",(0,r.jsxs)(n.p,{children:["K3s\uc5d0\ub294 \uc815\uc0c1\uc801\uc73c\ub85c \uc791\ub3d9\ud558\ub294 iptables(v1.8.8) \ubc84\uc804\uc774 \ud3ec\ud568\ub418\uc5b4 \uc788\uc2b5\ub2c8\ub2e4. ",(0,r.jsx)(n.code,{children:"--prefer-bundled-bin"})," \uc635\uc158\uc73c\ub85c K3s\ub97c \uc2dc\uc791\ud558\uac70\ub098 \uc6b4\uc601 \uccb4\uc81c\uc5d0\uc11c iptables/nftables \ud328\ud0a4\uc9c0\ub97c \uc81c\uac70\ud558\uc5ec K3s\uac00 \ubc88\ub4e4 \ubc84\uc804\uc758 iptables\ub97c \uc0ac\uc6a9\ud558\ub3c4\ub85d \uc124\uc815\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."]}),"\n",(0,r.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,r.jsxs)(n.p,{children:[(0,r.jsx)(n.code,{children:"prefer-bundled-bin"})," \ud50c\ub798\uadf8\ub294 2022-12 \ub9b4\ub9ac\uc2a4(v1.26.0+k3s1, v1.25.5+k3s1, v1.24.9+k3s1, v1.23.15+k3s1) \ubd80\ud130 \uc0ac\uc6a9\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."]})}),"\n",(0,r.jsx)(n.h3,{id:"red-hat-enterprise-linux--centos",children:"Red Hat Enterprise Linux / CentOS"}),"\n",(0,r.jsx)(n.p,{children:"firewalld\ub97c \ub044\ub294 \uac83\uc774 \uc88b\uc2b5\ub2c8\ub2e4:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"systemctl disable firewalld --now\n"})}),"\n",(0,r.jsx)(n.p,{children:"\ubc29\ud654\ubcbd\uc744 \uc0ac\uc6a9\ud558\ub3c4\ub85d \uc124\uc815\ud558\ub824\uba74 \uae30\ubcf8\uc801\uc73c\ub85c \ub2e4\uc74c \uaddc\uce59\uc774 \ud544\uc694\ud569\ub2c8\ub2e4:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"firewall-cmd --permanent --add-port=6443/tcp #apiserver\nfirewall-cmd --permanent --zone=trusted --add-source=10.42.0.0/16 #pods\nfirewall-cmd --permanent --zone=trusted --add-source=10.43.0.0/16 #services\nfirewall-cmd --reload\n"})}),"\n",(0,r.jsxs)(n.p,{children:["\uc124\uc815\uc5d0 \ub530\ub77c \ucd94\uac00 \ud3ec\ud2b8\ub97c \uc5f4\uc5b4\uc57c \ud560 \uc218\ub3c4 \uc788\uc2b5\ub2c8\ub2e4. \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,r.jsx)(n.a,{href:"/kr/installation/requirements#inbound-rules-for-k3s-nodes",children:"\uc778\ubc14\uc6b4\ub4dc \uaddc\uce59"}),"\uc744 \ucc38\uc870\ud558\uc138\uc694. \ud30c\ub4dc \ub610\ub294 \uc11c\ube44\uc2a4\uc5d0 \ub300\ud55c \uae30\ubcf8 CIDR\uc744 \ubcc0\uacbd\ud558\ub294 \uacbd\uc6b0, \uadf8\uc5d0 \ub530\ub77c \ubc29\ud654\ubcbd \uaddc\uce59\uc744 \uc5c5\ub370\uc774\ud2b8\ud574\uc57c \ud569\ub2c8\ub2e4."]}),"\n",(0,r.jsx)(n.p,{children:"\ud65c\uc131\ud654\ub41c \uacbd\uc6b0, nm-cloud-setup\uc744 \ube44\ud65c\uc131\ud654\ud558\uace0 \ub178\ub4dc\ub97c \uc7ac\ubd80\ud305\ud574\uc57c \ud569\ub2c8\ub2e4:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"systemctl disable nm-cloud-setup.service nm-cloud-setup.timer\nreboot\n"})}),"\n",(0,r.jsx)(n.h3,{id:"ubuntu",children:"Ubuntu"}),"\n",(0,r.jsx)(n.p,{children:"ufw(uncomplicated firewall)\ub97c \ub044\ub294 \uac83\uc774 \uc88b\uc2b5\ub2c8\ub2e4:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"ufw disable\n"})}),"\n",(0,r.jsx)(n.p,{children:"ufw\ub97c \uc0ac\uc6a9\ud558\ub3c4\ub85d \uc124\uc815\ud558\ub824\uba74 \uae30\ubcf8\uc801\uc73c\ub85c \ub2e4\uc74c \uaddc\uce59\uc774 \ud544\uc694\ud569\ub2c8\ub2e4:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"ufw allow 6443/tcp #apiserver\nufw allow from 10.42.0.0/16 to any #pods\nufw allow from 10.43.0.0/16 to any #services\n"})}),"\n",(0,r.jsxs)(n.p,{children:["\uc124\uc815\uc5d0 \ub530\ub77c \ucd94\uac00 \ud3ec\ud2b8\ub97c \uc5f4\uc5b4\uc57c \ud560 \uc218\ub3c4 \uc788\uc2b5\ub2c8\ub2e4. \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,r.jsx)(n.a,{href:"/kr/installation/requirements#inbound-rules-for-k3s-nodes",children:"\uc778\ubc14\uc6b4\ub4dc \uaddc\uce59"}),"\uc744 \ucc38\uc870\ud55c\ub2e4. \ud30c\ub4dc \ub610\ub294 \uc11c\ube44\uc2a4\uc5d0 \ub300\ud55c \uae30\ubcf8 CIDR\uc744 \ubcc0\uacbd\ud558\ub294 \uacbd\uc6b0, \uadf8\uc5d0 \ub530\ub77c \ubc29\ud654\ubcbd \uaddc\uce59\uc744 \uc5c5\ub370\uc774\ud2b8\ud574\uc57c \ud569\ub2c8\ub2e4."]}),"\n",(0,r.jsx)(n.h3,{id:"raspberry-pi",children:"Raspberry Pi"}),"\n",(0,r.jsxs)(n.p,{children:["\ub77c\uc988\ubca0\ub9ac\ud30c\uc774 OS\ub294 \ub370\ube44\uc548 \uae30\ubc18\uc774\uba70, \uc624\ub798\ub41c iptables \ubc84\uc804\uc73c\ub85c \uc778\ud574 \ubb38\uc81c\uac00 \ubc1c\uc0dd\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. ",(0,r.jsx)(n.a,{href:"#%EC%9D%B4%EC%A0%84-iptables-%EB%B2%84%EC%A0%84",children:"\ud574\uacb0 \ubc29\ubc95"}),"\uc744 \ucc38\uc870\ud558\uc138\uc694."]}),"\n",(0,r.jsxs)(n.p,{children:["\ud45c\uc900 \ub77c\uc988\ubca0\ub9ac\ud30c\uc774 OS \uc124\uce58\ub294 ",(0,r.jsx)(n.code,{children:"cgroups"}),"\uac00 \ud65c\uc131\ud654\ub41c \uc0c1\ud0dc\uc5d0\uc11c \uc2dc\uc791\ub418\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4. ",(0,r.jsx)(n.strong,{children:"K3S"}),"\ub294 systemd \uc11c\ube44\uc2a4\ub97c \uc2dc\uc791\ud558\uae30 \uc704\ud574 ",(0,r.jsx)(n.code,{children:"cgroups"}),"\uac00 \ud544\uc694\ud569\ub2c8\ub2e4. ",(0,r.jsx)(n.code,{children:"cgroups"}),"\ub294 ",(0,r.jsx)(n.code,{children:"/boot/cmdline.txt"}),"\uc5d0 ",(0,r.jsx)(n.code,{children:"cgroup_memory=1 cgroup_enable=memory"}),"\ub97c \ucd94\uac00\ud558\uc5ec \ud65c\uc131\ud654\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."]}),"\n",(0,r.jsx)(n.p,{children:"cmdline.txt \uc608\uc2dc:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{children:"console=serial0,115200 console=tty1 root=PARTUUID=58b06195-02 rootfstype=ext4 elevator=deadline fsck.repair=yes rootwait cgroup_memory=1 cgroup_enable=memory\n"})}),"\n",(0,r.jsx)(n.p,{children:"\uc6b0\ubd84\ud22c 21.10\ubd80\ud130 \ub77c\uc988\ubca0\ub9ac\ud30c\uc774\uc758 vxlan \uc9c0\uc6d0\uc740 \ubcc4\ub3c4\uc758 \ucee4\ub110 \ubaa8\ub4c8\ub85c \uc62e\uaca8\uc84c\uc2b5\ub2c8\ub2e4."}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"sudo apt install linux-modules-extra-raspi\n"})}),"\n",(0,r.jsx)(n.h2,{id:"docker\uc5d0\uc11c-k3s-\uc2e4\ud589\ud558\uae30",children:"Docker\uc5d0\uc11c k3s \uc2e4\ud589\ud558\uae30"}),"\n",(0,r.jsx)(n.p,{children:"Docker\uc5d0\uc11c K3s\ub97c \uc2e4\ud589\ud558\ub294 \ubc29\ubc95\uc5d0\ub294 \uc5ec\ub7ec \uac00\uc9c0\uac00 \uc788\uc2b5\ub2c8\ub2e4:"}),"\n",(0,r.jsxs)(c,{children:[(0,r.jsxs)(s,{value:"K3d",default:!0,children:[(0,r.jsxs)(n.p,{children:[(0,r.jsx)(n.a,{href:"https://github.com/k3d-io/k3d",children:"k3d"}),"\ub294 \ub3c4\ucee4\uc5d0\uc11c \uba40\ud2f0\ub178\ub4dc K3s \ud074\ub7ec\uc2a4\ud130\ub97c \uc27d\uac8c \uc2e4\ud589\ud560 \uc218 \uc788\ub3c4\ub85d \uc124\uacc4\ub41c \uc720\ud2f8\ub9ac\ud2f0\uc785\ub2c8\ub2e4."]}),(0,r.jsx)(n.p,{children:"k3d\ub97c \uc0ac\uc6a9\ud558\uba74 \ucfe0\ubc84\ub124\ud2f0\uc2a4\uc758 \ub85c\uceec \uac1c\ubc1c \ub4f1\uc744 \uc704\ud574 \ub3c4\ucee4\uc5d0\uc11c \ub2e8\uc77c \ub178\ub4dc \ubc0f \ub2e4\uc911 \ub178\ub4dc k3s \ud074\ub7ec\uc2a4\ud130\ub97c \ub9e4\uc6b0 \uc27d\uac8c \uc0dd\uc131\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."}),(0,r.jsxs)(n.p,{children:["k3d \uc124\uce58 \ubc0f \uc0ac\uc6a9 \ubc29\ubc95\uc5d0 \ub300\ud55c \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,r.jsx)(n.a,{href:"https://k3d.io/#installation",children:"\uc124\uce58"})," \uc124\uba85\uc11c\ub97c \ucc38\uc870\ud558\uc138\uc694."]})]}),(0,r.jsxs)(s,{value:"Docker",children:[(0,r.jsxs)(n.p,{children:["Docker\ub97c \uc0ac\uc6a9\ud558\ub824\uba74 ",(0,r.jsx)(n.code,{children:"rancher/k3s"})," \uc774\ubbf8\uc9c0\ub97c \uc0ac\uc6a9\ud558\uc5ec K3s \uc11c\ubc84\uc640 \uc5d0\uc774\uc804\ud2b8\ub97c \uc2e4\ud589\ud560 \uc218\ub3c4 \uc788\uc2b5\ub2c8\ub2e4.\n",(0,r.jsx)(n.code,{children:"docker run"})," \uba85\ub839\uc5b4\ub97c \uc0ac\uc6a9\ud569\ub2c8\ub2e4:"]}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"sudo docker run \\\n --privileged \\\n --name k3s-server-1 \\\n --hostname k3s-server-1 \\\n -p 6443:6443 \\\n -d rancher/k3s:v1.24.10-k3s1 \\\n server\n"})}),(0,r.jsx)(n.admonition,{type:"note",children:(0,r.jsxs)(n.p,{children:["\ud0dc\uadf8\uc5d0 \uc720\ud6a8\ud55c K3s \ubc84\uc804\uc744 \uc9c0\uc815\ud574\uc57c \ud558\uba70, ",(0,r.jsx)(n.code,{children:"latest"})," \ud0dc\uadf8\ub294 \uc720\uc9c0\ub418\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4.",(0,r.jsx)(n.br,{}),"\n","\ub3c4\ucee4 \uc774\ubbf8\uc9c0\ub294 \ud0dc\uadf8\uc5d0 ",(0,r.jsx)(n.code,{children:"+"})," \uae30\ud638\ub97c \ud5c8\uc6a9\ud558\uc9c0 \uc54a\uc73c\ubbc0\ub85c \ud0dc\uadf8\uc5d0 ",(0,r.jsx)(n.code,{children:"-"}),"\ub97c \ub300\uc2e0 \uc0ac\uc6a9\ud558\uc138\uc694."]})}),(0,r.jsx)(n.p,{children:"K3s\uac00 \uc2e4\ud589\ub418\uace0 \ub098\uba74, \uad00\ub9ac\uc790 kubeconfig\ub97c Docker \ucee8\ud14c\uc774\ub108\uc5d0\uc11c \ubcf5\uc0ac\ud558\uc5ec \uc0ac\uc6a9\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4:"}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"sudo docker cp k3s-server-1:/etc/rancher/k3s/k3s.yaml ~/.kube/config\n"})})]})]}),"\n",(0,r.jsx)(n.h2,{id:"selinux-\uc9c0\uc6d0",children:"SELinux \uc9c0\uc6d0"}),"\n",(0,r.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,r.jsx)(n.p,{children:"v1.19.4+k3s1\ubd80\ud130 \uc0ac\uc6a9 \uac00\ub2a5"})}),"\n",(0,r.jsx)(n.p,{children:"\uae30\ubcf8\uc801\uc73c\ub85c SELinux\uac00 \ud65c\uc131\ud654\ub41c \uc2dc\uc2a4\ud15c(\uc608\ub85c CentOS)\uc5d0 K3s\ub97c \uc124\uce58\ud558\ub294 \uacbd\uc6b0 \uc801\uc808\ud55c SELinux \uc815\ucc45\uc774 \uc124\uce58\ub418\uc5b4 \uc788\ub294\uc9c0 \ud655\uc778\ud574\uc57c \ud569\ub2c8\ub2e4."}),"\n",(0,r.jsxs)(c,{children:[(0,r.jsx)(s,{value:"\uc790\ub3d9 \uc124\uce58",default:!0,children:(0,r.jsxs)(n.p,{children:["\uc5d0\uc5b4 \uac2d(\ud3d0\uc1c4\ub9dd) \uc124\uce58\ub97c \uc218\ud589\ud558\uc9c0 \uc54a\ub294 \uacbd\uc6b0 \ud638\ud658\ub418\ub294 \uc2dc\uc2a4\ud15c\uc5d0\uc11c ",(0,r.jsx)(n.a,{href:"/kr/installation/configuration#configuration-with-install-script",children:"\uc124\uce58 \uc2a4\ud06c\ub9bd\ud2b8"}),"\ub294 \ub79c\ucc98 RPM \uc800\uc7a5\uc18c\uc5d0\uc11c SELinux RPM\uc744 \uc790\ub3d9\uc73c\ub85c \uc124\uce58\ud569\ub2c8\ub2e4. \uc790\ub3d9 \uc124\uce58\ub294 ",(0,r.jsx)(n.code,{children:"INSTALL_K3S_SKIP_SELINUX_RPM=true"}),"\ub85c \uc124\uc815\ud558\uc5ec \uac74\ub108\ub6f8 \uc218 \uc788\uc2b5\ub2c8\ub2e4."]})}),(0,r.jsxs)(s,{value:"\uc218\ub3d9 \uc124\uce58",default:!0,children:[(0,r.jsx)(n.p,{children:"\ud544\uc694\ud55c policy\ub294 \ub2e4\uc74c \uba85\ub839\uc744 \uc0ac\uc6a9\ud558\uc5ec \uc124\uce58\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4:"}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"yum install -y container-selinux selinux-policy-base\nyum install -y https://rpm.rancher.io/k3s/latest/common/centos/7/noarch/k3s-selinux-0.2-1.el7_8.noarch.rpm\n"})}),(0,r.jsxs)(n.p,{children:["\uc124\uce58 \uc2a4\ud06c\ub9bd\ud2b8\uac00 \uc2e4\ud328\ud558\uc9c0 \uc54a\uace0 \uacbd\uace0\ub97c \uae30\ub85d\ud558\ub3c4\ub85d \ud558\ub824\uba74 \ub2e4\uc74c \ud658\uacbd \ubcc0\uc218\ub97c \uc124\uc815\ud558\uba74 \ub429\ub2c8\ub2e4:\n",(0,r.jsx)(n.code,{children:"INSTALL_K3S_SELINUX_WARN=true"}),"."]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"selinux-\uc801\uc6a9-\ud65c\uc131\ud654\ud558\uae30",children:"SELinux \uc801\uc6a9 \ud65c\uc131\ud654\ud558\uae30"}),"\n",(0,r.jsxs)(n.p,{children:["SELinux\ub97c \ud65c\uc6a9\ud558\ub824\uba74 K3s \uc11c\ubc84 \ubc0f \uc5d0\uc774\uc804\ud2b8\ub97c \uc2dc\uc791\ud560 \ub54c ",(0,r.jsx)(n.code,{children:"--selinux"})," \ud50c\ub798\uadf8\ub97c \uc9c0\uc815\ud558\uc138\uc694."]}),"\n",(0,r.jsxs)(n.p,{children:["\uc774 \uc635\uc158\uc740 K3s ",(0,r.jsx)(n.a,{href:"/kr/installation/configuration#configuration-file",children:"\uad6c\uc131 \ud30c\uc77c"}),"\uc5d0\uc11c\ub3c4 \uc9c0\uc815\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."]}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{children:"selinux: true\n"})}),"\n",(0,r.jsxs)(n.p,{children:["SELinux\uc5d0\uc11c \uc0ac\uc6a9\uc790 \uc9c0\uc815 ",(0,r.jsx)(n.code,{children:"--data-dir"}),"\uc744 \uc0ac\uc6a9\ud558\ub294 \uac83\uc740 \uc9c0\uc6d0\ub418\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4. \uc0ac\uc6a9\uc790 \uc9c0\uc815\ud558\ub824\uba74 \uc0ac\uc6a9\uc790 \uc9c0\uc815 \uc815\ucc45\uc744 \uc9c1\uc811 \uc791\uc131\ud574\uc57c \ud560 \uac00\ub2a5\uc131\uc774 \ub192\uc2b5\ub2c8\ub2e4. \ucee8\ud14c\uc774\ub108 \ub7f0\ud0c0\uc784\uc5d0 \ub300\ud55c SELinux \uc815\ucc45 \ud30c\uc77c\uc774 \ud3ec\ud568\ub41c ",(0,r.jsx)(n.a,{href:"https://github.com/containers/container-selinux",children:"containers/container-selinux"})," \ub9ac\ud3ec\uc9c0\ud1a0\ub9ac\uc640 K3s\ub97c \uc704\ud55c SELinux \uc815\ucc45\uc774 \ud3ec\ud568\ub41c ",(0,r.jsx)(n.a,{href:"https://github.com/k3s-io/k3s-selinux",children:"k3s-io/k3s-selinux"})," \ub9ac\ud3ec\uc9c0\ud1a0\ub9ac\ub97c \ucc38\uace0\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."]}),"\n",(0,r.jsx)(n.h2,{id:"\uc9c0\uc5f0-\ud480\ub9c1\uc758-\uc9c0\uc5f0-\ud480\ub9c1-\ud65c\uc131\ud654-\uc2e4\ud5d8\uc801",children:"\uc9c0\uc5f0 \ud480\ub9c1\uc758 \uc9c0\uc5f0 \ud480\ub9c1 \ud65c\uc131\ud654 (\uc2e4\ud5d8\uc801)"}),"\n",(0,r.jsx)(n.h3,{id:"\uc9c0\uc5f0-\ud480\ub9c1\uacfc-estargz\ub780-\ubb34\uc5c7\uc778\uac00\uc694",children:"\uc9c0\uc5f0 \ud480\ub9c1\uacfc eStargz\ub780 \ubb34\uc5c7\uc778\uac00\uc694?"}),"\n",(0,r.jsxs)(n.p,{children:["\uc774\ubbf8\uc9c0 \ud480\ub9c1\uc740 \ucee8\ud14c\uc774\ub108 \ub77c\uc774\ud504\uc0ac\uc774\ud074\uc5d0\uc11c \uc2dc\uac04\uc774 \ub9ce\uc774 \uc18c\uc694\ub418\ub294 \ub2e8\uacc4 \uc911 \ud558\ub098\ub85c \uc54c\ub824\uc838 \uc788\uc2b5\ub2c8\ub2e4.\nHarter, et al.(",(0,r.jsx)(n.a,{href:"https://www.usenix.org/conference/fast16/technical-sessions/presentation/harter",children:"https://www.usenix.org/conference/fast16/technical-sessions/presentation/harter"}),"),"]}),"\n",(0,r.jsxs)(n.blockquote,{children:["\n",(0,r.jsx)(n.p,{children:"\ud328\ud0a4\uc9c0 \ud480\ub9c1\uc740 \ucee8\ud14c\uc774\ub108 \uc2dc\uc791 \uc2dc\uac04\uc758 76%\ub97c \ucc28\uc9c0\ud558\uc9c0\ub9cc, \uadf8 \uc911 \uc77d\uae30 \ub370\uc774\ud130\ub294 6.4%\uc5d0 \ubd88\uacfc\ud569\ub2c8\ub2e4."}),"\n"]}),"\n",(0,r.jsxs)(n.p,{children:["\uc774 \ubb38\uc81c\ub97c \ud574\uacb0\ud558\uae30 \uc704\ud574 k3s\ub294 \uc774\ubbf8\uc9c0 \ucf58\ud150\uce20\uc758 ",(0,r.jsx)(n.em,{children:"lazy pulling"}),"\uc744 \uc2e4\ud5d8\uc801\uc73c\ub85c \uc9c0\uc6d0\ud569\ub2c8\ub2e4.\n\uc774\ub97c \ud1b5\ud574 k3s\ub294 \uc804\uccb4 \uc774\ubbf8\uc9c0\uac00 \ud480\ub9c1\ub418\uae30 \uc804\uc5d0 \ucee8\ud14c\uc774\ub108\ub97c \uc2dc\uc791\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4.\n\ub300\uc2e0 \ud544\uc694\ud55c \ucf58\ud150\uce20 \uccad\ud06c(\uc608: \uac1c\ubcc4 \ud30c\uc77c)\ub97c \uc628\ub514\ub9e8\ub4dc \ubc29\uc2dd\uc73c\ub85c \uac00\uc838\uc635\ub2c8\ub2e4.\n\ud2b9\ud788 \ub300\uc6a9\ub7c9 \uc774\ubbf8\uc9c0\uc758 \uacbd\uc6b0 \uc774 \uae30\uc220\uc744 \uc0ac\uc6a9\ud558\uba74 \ucee8\ud14c\uc774\ub108 \uc2dc\uc791 \uc9c0\uc5f0 \uc2dc\uac04\uc744 \ub2e8\ucd95\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4."]}),"\n",(0,r.jsxs)(n.p,{children:["\uc9c0\uc5f0 \ud480\ub9c1\uc744 \uc0ac\uc6a9\ud558\ub824\uba74 \ub300\uc0c1 \uc774\ubbf8\uc9c0\uc758 \ud3ec\ub9f7\uc744 ",(0,r.jsx)(n.a,{href:"https://github.com/containerd/stargz-snapshotter/blob/main/docs/stargz-estargz.md",children:(0,r.jsx)(n.em,{children:"eStargz"})}),"\ub85c \uc9c0\uc815\ud574\uc57c \ud569\ub2c8\ub2e4.\n\uc774 \ud615\uc2dd\uc740 OCI \ub300\uccb4 \ud615\uc2dd\uc774\uc9c0\ub9cc \uc9c0\uc5f0 \ud480\ub9c1\uc744 \uc704\ud55c 100% \ud638\ud658\ub418\ub294 \uc774\ubbf8\uc9c0 \ud615\uc2dd\uc785\ub2c8\ub2e4.\n\ud638\ud658\uc131 \ub54c\ubb38\uc5d0 eStargz\ub294 \ud45c\uc900 \ucee8\ud14c\uc774\ub108 \ub808\uc9c0\uc2a4\ud2b8\ub9ac(\uc608: ghcr.io)\ub85c \ud478\uc2dc\ud560 \uc218 \uc788\uc744 \ubfd0\ub9cc \uc544\ub2c8\ub77c eStargz\uc640 \ubb34\uad00\ud55c \ub7f0\ud0c0\uc784\uc5d0\uc11c\ub3c4 ",(0,r.jsx)(n.em,{children:"\uc2e4\ud589 \uac00\ub2a5"})," \ud569\ub2c8\ub2e4."]}),"\n",(0,r.jsxs)(n.p,{children:["eStargz\ub294 ",(0,r.jsx)(n.a,{href:"https://github.com/google/crfs",children:"Google CRFS \ud504\ub85c\uc81d\ud2b8\uc5d0\uc11c \uc81c\uc548\ud55c stargz \ud615\uc2dd"}),"\uc744 \uae30\ubc18\uc73c\ub85c \uac1c\ubc1c\ub418\uc5c8\uc9c0\ub9cc \ucf58\ud150\uce20 \uac80\uc99d \ubc0f \uc131\ub2a5 \ucd5c\uc801\ud654\ub97c \ud3ec\ud568\ud55c \uc2e4\uc6a9\uc801\uc778 \uae30\ub2a5\uc744 \uc81c\uacf5\ud569\ub2c8\ub2e4.\n\uc9c0\uc5f0 \ud480\ub9c1\uacfc eStargz\uc5d0 \ub300\ud55c \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,r.jsx)(n.a,{href:"https://github.com/containerd/stargz-snapshotter",children:"Stargz Snapshotter \ud504\ub85c\uc81d\ud2b8 \ub9ac\ud3ec\uc9c0\ud1a0\ub9ac"}),"\ub97c \ucc38\uace0\ud558\uc2dc\uae30 \ubc14\ub78d\ub2c8\ub2e4."]}),"\n",(0,r.jsx)(n.h3,{id:"\uc9c0\uc5f0-\ud480\ub9c1\uc774-\uac00\ub2a5\ud558\ub3c4\ub85d-k3s-\uad6c\uc131\ud558\uae30",children:"\uc9c0\uc5f0 \ud480\ub9c1\uc774 \uac00\ub2a5\ud558\ub3c4\ub85d k3s \uad6c\uc131\ud558\uae30"}),"\n",(0,r.jsxs)(n.p,{children:["\uc544\ub798\uc640 \uac19\uc774 k3s \uc11c\ubc84\uc640 \uc5d0\uc774\uc804\ud2b8\uc5d0\ub294 ",(0,r.jsx)(n.code,{children:"--snapshotter=stargz"})," \uc635\uc158\uc774 \ud544\uc694\ud569\ub2c8\ub2e4."]}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s server --snapshotter=stargz\n"})}),"\n",(0,r.jsxs)(n.p,{children:["\uc774 \uad6c\uc131\uc744 \uc0ac\uc6a9\ud558\uba74, eStargz \ud615\uc2dd\uc758 \uc774\ubbf8\uc9c0\uc5d0 \ub300\ud574 \uc9c0\uc5f0 \ud480\ub9c1\uc744 \uc218\ud589\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4.\n\ub2e4\uc74c \uc608\uc81c \ud30c\ub4dc \ub9e4\ub2c8\ud398\uc2a4\ud2b8\ub294 eStargz \ud615\uc2dd\uc758 ",(0,r.jsx)(n.code,{children:"node:13.13.0"})," \uc774\ubbf8\uc9c0(",(0,r.jsx)(n.code,{children:"ghcr.io/stargz-containers/node:13.13.0-esgz"}),")\ub97c \uc0ac\uc6a9\ud569\ub2c8\ub2e4.\n\uc2a4\ud0c0\uc988 \uc2a4\ub0c5\uc0f7\ud130\uac00 \ud65c\uc131\ud654\ub418\uba74 K3s\ub294 \uc774 \uc774\ubbf8\uc9c0\uc5d0 \ub300\ud574 \uc9c0\uc5f0 \ud480\ub9c1\uc744 \uc218\ud589\ud569\ub2c8\ub2e4."]}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-yaml",children:"apiVersion: v1\nkind: Pod\nmetadata:\n name: nodejs\nspec:\n containers:\n - name: nodejs-estargz\n image: ghcr.io/stargz-containers/node:13.13.0-esgz\n command: [\"node\"]\n args:\n - -e\n - var http = require('http');\n http.createServer(function(req, res) {\n res.writeHead(200);\n res.end('Hello World!\\n');\n }).listen(80);\n ports:\n - containerPort: 80\n"})}),"\n",(0,r.jsx)(n.h2,{id:"\ucd94\uac00-\ub85c\uae45-\uc18c\uc2a4",children:"\ucd94\uac00 \ub85c\uae45 \uc18c\uc2a4"}),"\n",(0,r.jsxs)(n.p,{children:["K3s\uc6a9 ",(0,r.jsx)(n.a,{href:"https://rancher.com/docs/rancher/v2.6/en/logging/helm-chart-options/",children:"\ub79c\ucc98 \ub85c\uae45"}),"\uc740 \ub79c\ucc98\ub97c \uc0ac\uc6a9\ud558\uc9c0 \uc54a\uace0 \uc124\uce58\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \uc774\ub97c \uc704\ud574\uc11c\ub294 \ub2e4\uc74c \uc9c0\uce68\uc744 \uc2e4\ud589\ud574\uc57c \ud569\ub2c8\ub2e4:"]}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"helm repo add rancher-charts https://charts.rancher.io\nhelm repo update\nhelm install --create-namespace -n cattle-logging-system rancher-logging-crd rancher-charts/rancher-logging-crd\nhelm install --create-namespace -n cattle-logging-system rancher-logging --set additionalLoggingSources.k3s.enabled=true rancher-charts/rancher-logging\n"})}),"\n",(0,r.jsx)(n.h2,{id:"\ucd94\uac00-\ub124\ud2b8\uc6cc\ud06c-\uc815\ucc45-\ub85c\uae45",children:"\ucd94\uac00 \ub124\ud2b8\uc6cc\ud06c \uc815\ucc45 \ub85c\uae45"}),"\n",(0,r.jsx)(n.p,{children:"\ub124\ud2b8\uc6cc\ud06c \uc815\ucc45\uc5d0 \uc758\ud574 \ucc28\ub2e8\ub41c \ud328\ud0b7\uc744 \ub85c\uae45\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \ud328\ud0b7\uc740 \ucc28\ub2e8 \ub124\ud2b8\uc6cc\ud06c \uc815\ucc45\uc744 \ud3ec\ud568\ud55c \ud328\ud0b7 \uc138\ubd80 \uc815\ubcf4\ub97c \ud45c\uc2dc\ud558\ub294 iptables NFLOG \uc791\uc5c5\uc73c\ub85c \uc804\uc1a1\ub429\ub2c8\ub2e4."}),"\n",(0,r.jsxs)(n.p,{children:["\ud2b8\ub798\ud53d\uc774 \ub9ce\uc73c\uba74 \ub85c\uadf8 \uba54\uc2dc\uc9c0 \uc218\uac00 \ub9e4\uc6b0 \ub9ce\uc544\uc9c8 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \uc815\ucc45\ubcc4\ub85c \ub85c\uadf8 \uc18d\ub3c4\ub97c \uc81c\uc5b4\ud558\ub824\uba74, \ud574\ub2f9 \ub124\ud2b8\uc6cc\ud06c \uc815\ucc45\uc5d0 \ub2e4\uc74c \uc5b4\ub178\ud14c\uc774\uc158\uc744 \ucd94\uac00\ud558\uc5ec ",(0,r.jsx)(n.code,{children:"limit"})," \ubc0f ",(0,r.jsx)(n.code,{children:"limit-burst"})," iptables \ub9e4\uac1c\ubcc0\uc218\ub97c \uc124\uc815\ud569\ub2c8\ub2e4:"]}),"\n",(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsx)(n.li,{children:(0,r.jsx)(n.code,{children:"kube-router.io/netpol-nflog-limit=<LIMIT-VALUE>"})}),"\n",(0,r.jsx)(n.li,{children:(0,r.jsx)(n.code,{children:"kube-router.io/netpol-nflog-limit-burst=<LIMIT-BURST-VALUE>"})}),"\n"]}),"\n",(0,r.jsxs)(n.p,{children:["\uae30\ubcf8\uac12\uc740 ",(0,r.jsx)(n.code,{children:"limit=10/minute"}),"\uc640 ",(0,r.jsx)(n.code,{children:"limit-burst=10"}),"\uc785\ub2c8\ub2e4. \uc774\ub7ec\ud55c \ud544\ub4dc\uc758 \ud615\uc2dd\uacfc \uc0ac\uc6a9 \uac00\ub2a5\ud55c \uac12\uc5d0 \ub300\ud55c \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,r.jsx)(n.a,{href:"https://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO-7.html#:~:text=restrict%20the%20rate%20of%20matches",children:"iptables manual"}),"\uc744 \ucc38\uc870\ud558\uc138\uc694."]}),"\n",(0,r.jsxs)(n.p,{children:["NFLOG \ud328\ud0b7\uc744 \ub85c\uadf8 \ud56d\ubaa9\uc73c\ub85c \ubcc0\ud658\ud558\ub824\uba74 ulogd2\ub97c \uc124\uce58\ud558\uace0 ",(0,r.jsx)(n.code,{children:"[log1]"}),"\uc744 ",(0,r.jsx)(n.code,{children:"group=100"}),"\uc5d0\uc11c \uc77d\ub3c4\ub85d \uad6c\uc131\ud569\ub2c8\ub2e4. \uadf8\ub7f0 \ub2e4\uc74c ulogd2 \uc11c\ube44\uc2a4\ub97c \ub2e4\uc2dc \uc2dc\uc791\ud558\uc5ec \uc0c8 \uad6c\uc131\uc774 \ucee4\ubc0b\ub418\ub3c4\ub85d \ud569\ub2c8\ub2e4.\n\ub124\ud2b8\uc6cc\ud06c \uc815\ucc45 \uaddc\uce59\uc5d0 \uc758\ud574 \ud328\ud0b7\uc774 \ucc28\ub2e8\ub418\uba74 ",(0,r.jsx)(n.code,{children:"/var/log/ulog/syslogemu.log"}),"\uc5d0 \ub85c\uadf8 \uba54\uc2dc\uc9c0\uac00 \ub098\ud0c0\ub0a9\ub2c8\ub2e4."]}),"\n",(0,r.jsx)(n.p,{children:"NFLOG \ub137\ub9c1\ud06c \uc18c\ucf13\uc73c\ub85c \uc804\uc1a1\ub41c \ud328\ud0b7\uc740 tcpdump \ub610\ub294 tshark\uc640 \uac19\uc740 \uba85\ub839\uc904 \ub3c4\uad6c\ub97c \uc0ac\uc6a9\ud558\uc5ec \uc77d\uc744 \uc218\ub3c4 \uc788\uc2b5\ub2c8\ub2e4:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"tcpdump -ni nflog:100\n"})}),"\n",(0,r.jsxs)(n.p,{children:["\ub354 \uc27d\uac8c \uc0ac\uc6a9\ud560 \uc218 \uc788\uc9c0\ub9cc, tcpdump\ub294 \ud328\ud0b7\uc744 \ucc28\ub2e8\ud55c \ub124\ud2b8\uc6cc\ud06c \uc815\ucc45\uc758 \uc774\ub984\uc744 \ud45c\uc2dc\ud558\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4. \ub300\uc2e0 \uc640\uc774\uc5b4\uc0e4\ud06c\uc758 tshark \uba85\ub839\uc744 \uc0ac\uc6a9\ud558\uc5ec \uc815\ucc45 \uc774\ub984\uc774 \ud3ec\ud568\ub41c ",(0,r.jsx)(n.code,{children:"nflog.prefix"})," \ud544\ub4dc\ub97c \ud3ec\ud568\ud55c \uc804\uccb4 NFLOG \ud328\ud0b7 \ud5e4\ub354\ub97c \ud45c\uc2dc\ud558\uc138\uc694."]})]})}function h(e={}){const{wrapper:n}={...(0,i.a)(),...e.components};return n?(0,r.jsx)(n,{...e,children:(0,r.jsx)(o,{...e})}):o(e)}function x(e,n){throw new Error("Expected "+(n?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,n,s)=>{s.d(n,{Z:()=>d,a:()=>l});var r=s(7294);const i={},c=r.createContext(i);function l(e){const n=r.useContext(c);return r.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function d(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(i):e.components||i:l(e.components),r.createElement(c.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/e7c9153a.3ba97217.js b/kr/assets/js/e7c9153a.3ba97217.js new file mode 100644 index 000000000..729bab4b9 --- /dev/null +++ b/kr/assets/js/e7c9153a.3ba97217.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7544],{1875:(e,t,s)=>{s.r(t),s.d(t,{assets:()=>l,contentTitle:()=>a,default:()=>p,frontMatter:()=>i,metadata:()=>r,toc:()=>c});var o=s(5893),n=s(1151);const i={title:"Related Projects"},a=void 0,r={id:"related-projects",title:"Related Projects",description:"Projects implementing the K3s distribution are welcome additions to help expand the community. This page will introduce you to a range of projects that are related to K3s and can help you further explore its capabilities and potential applications.",source:"@site/docs/related-projects.md",sourceDirName:".",slug:"/related-projects",permalink:"/kr/related-projects",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/related-projects.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Related Projects"},sidebar:"mySidebar",previous:{title:"v1.24.X",permalink:"/kr/release-notes/v1.24.X"},next:{title:"\uc54c\ub824\uc9c4 \uc774\uc288",permalink:"/kr/known-issues"}},l={},c=[{value:"k3s-ansible",id:"k3s-ansible",level:2},{value:"k3sup",id:"k3sup",level:2},{value:"autok3s",id:"autok3s",level:2}];function d(e){const t={a:"a",h2:"h2",p:"p",...(0,n.a)(),...e.components};return(0,o.jsxs)(o.Fragment,{children:[(0,o.jsx)(t.p,{children:"Projects implementing the K3s distribution are welcome additions to help expand the community. This page will introduce you to a range of projects that are related to K3s and can help you further explore its capabilities and potential applications."}),"\n",(0,o.jsx)(t.p,{children:"These projects showcase the versatility and adaptability of K3s in various environments, as well as extensions of K3s. They are all useful in creating large scale High Availability (HA) Kubernetes clusters."}),"\n",(0,o.jsx)(t.h2,{id:"k3s-ansible",children:"k3s-ansible"}),"\n",(0,o.jsxs)(t.p,{children:["For users seeking to bootstrap a multi-node K3s cluster and familiar with ansible, take a look at ",(0,o.jsx)(t.a,{href:"https://github.com/k3s-io/k3s-ansible",children:"k3s-io/k3s-ansible"})," repository. This set of ansible playbooks provides a convenient way to install K3s on your nodes, allowing you to focus on the configuration of your cluster rather than the installation process."]}),"\n",(0,o.jsx)(t.h2,{id:"k3sup",children:"k3sup"}),"\n",(0,o.jsxs)(t.p,{children:["Another project that simplifies the process of setting up a K3s cluster is ",(0,o.jsx)(t.a,{href:"https://github.com/alexellis/k3sup",children:"k3sup"}),". This project,written in golang, only requires ssh access to your nodes. It also provides a convenient way to deploy K3s with external datastores, not just the embedded etcd."]}),"\n",(0,o.jsx)(t.h2,{id:"autok3s",children:"autok3s"}),"\n",(0,o.jsxs)(t.p,{children:["Another provisioning tool, ",(0,o.jsx)(t.a,{href:"https://github.com/cnrancher/autok3s",children:"autok3s"}),", provides a GUI for provising k3s cluster across a range of cloud providers, VMs, and local machines. This tool is useful for users who prefer a graphical interface for provising K3s clusters."]})]})}function p(e={}){const{wrapper:t}={...(0,n.a)(),...e.components};return t?(0,o.jsx)(t,{...e,children:(0,o.jsx)(d,{...e})}):d(e)}},1151:(e,t,s)=>{s.d(t,{Z:()=>r,a:()=>a});var o=s(7294);const n={},i=o.createContext(n);function a(e){const t=o.useContext(i);return o.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function r(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:a(e.components),o.createElement(i.Provider,{value:t},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/e7c9153a.9e70a0bd.js b/kr/assets/js/e7c9153a.9e70a0bd.js deleted file mode 100644 index 9d1207dae..000000000 --- a/kr/assets/js/e7c9153a.9e70a0bd.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7544],{1875:(e,t,s)=>{s.r(t),s.d(t,{assets:()=>l,contentTitle:()=>a,default:()=>p,frontMatter:()=>i,metadata:()=>r,toc:()=>c});var o=s(5893),n=s(1151);const i={title:"Related Projects"},a=void 0,r={id:"related-projects",title:"Related Projects",description:"Projects implementing the K3s distribution are welcome additions to help expand the community. This page will introduce you to a range of projects that are related to K3s and can help you further explore its capabilities and potential applications.",source:"@site/docs/related-projects.md",sourceDirName:".",slug:"/related-projects",permalink:"/kr/related-projects",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/related-projects.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Related Projects"},sidebar:"mySidebar",previous:{title:"v1.24.X",permalink:"/kr/release-notes/v1.24.X"},next:{title:"\uc54c\ub824\uc9c4 \uc774\uc288",permalink:"/kr/known-issues"}},l={},c=[{value:"k3s-ansible",id:"k3s-ansible",level:2},{value:"k3sup",id:"k3sup",level:2},{value:"autok3s",id:"autok3s",level:2}];function d(e){const t={a:"a",h2:"h2",p:"p",...(0,n.a)(),...e.components};return(0,o.jsxs)(o.Fragment,{children:[(0,o.jsx)(t.p,{children:"Projects implementing the K3s distribution are welcome additions to help expand the community. This page will introduce you to a range of projects that are related to K3s and can help you further explore its capabilities and potential applications."}),"\n",(0,o.jsx)(t.p,{children:"These projects showcase the versatility and adaptability of K3s in various environments, as well as extensions of K3s. They are all useful in creating large scale High Availability (HA) Kubernetes clusters."}),"\n",(0,o.jsx)(t.h2,{id:"k3s-ansible",children:"k3s-ansible"}),"\n",(0,o.jsxs)(t.p,{children:["For users seeking to bootstrap a multi-node K3s cluster and familiar with ansible, take a look at ",(0,o.jsx)(t.a,{href:"https://github.com/k3s-io/k3s-ansible",children:"k3s-io/k3s-ansible"})," repository. This set of ansible playbooks provides a convenient way to install K3s on your nodes, allowing you to focus on the configuration of your cluster rather than the installation process."]}),"\n",(0,o.jsx)(t.h2,{id:"k3sup",children:"k3sup"}),"\n",(0,o.jsxs)(t.p,{children:["Another project that simplifies the process of setting up a K3s cluster is ",(0,o.jsx)(t.a,{href:"https://github.com/alexellis/k3sup",children:"k3sup"}),". This project,written in golang, only requires ssh access to your nodes. It also provides a convenient way to deploy K3s with external datastores, not just the embedded etcd."]}),"\n",(0,o.jsx)(t.h2,{id:"autok3s",children:"autok3s"}),"\n",(0,o.jsxs)(t.p,{children:["Another provisioning tool, ",(0,o.jsx)(t.a,{href:"https://github.com/cnrancher/autok3s",children:"autok3s"}),", provides a GUI for provising k3s cluster across a range of cloud providers, VMs, and local machines. This tool is useful for users who prefer a graphical interface for provising K3s clusters."]})]})}function p(e={}){const{wrapper:t}={...(0,n.a)(),...e.components};return t?(0,o.jsx)(t,{...e,children:(0,o.jsx)(d,{...e})}):d(e)}},1151:(e,t,s)=>{s.d(t,{Z:()=>r,a:()=>a});var o=s(7294);const n={},i=o.createContext(n);function a(e){const t=o.useContext(i);return o.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function r(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:a(e.components),o.createElement(i.Provider,{value:t},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/e8666366.45f94ebc.js b/kr/assets/js/e8666366.45f94ebc.js new file mode 100644 index 000000000..6a8c0ac90 --- /dev/null +++ b/kr/assets/js/e8666366.45f94ebc.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[3936],{8925:(n,e,t)=>{t.r(e),t.d(e,{assets:()=>o,contentTitle:()=>l,default:()=>u,frontMatter:()=>i,metadata:()=>r,toc:()=>d});var s=t(5893),a=t(1151);const i={title:"Uninstalling K3s"},l=void 0,r={id:"installation/uninstall",title:"Uninstalling K3s",description:"Uninstalling K3s deletes the local cluster data, configuration, and all of the scripts and CLI tools.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/installation/uninstall.md",sourceDirName:"installation",slug:"/installation/uninstall",permalink:"/kr/installation/uninstall",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/uninstall.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Uninstalling K3s"},sidebar:"mySidebar",previous:{title:"Managing Packaged Components",permalink:"/kr/installation/packaged-components"},next:{title:"\ud074\ub7ec\uc2a4\ud130 \ub370\uc774\ud130 \uc800\uc7a5\uc18c",permalink:"/kr/datastore/"}},o={},d=[{value:"Uninstalling Servers",id:"uninstalling-servers",level:3},{value:"Uninstalling Agents",id:"uninstalling-agents",level:3}];function c(n){const e={a:"a",admonition:"admonition",br:"br",code:"code",h3:"h3",p:"p",pre:"pre",...(0,a.a)(),...n.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(e.admonition,{type:"warning",children:(0,s.jsxs)(e.p,{children:["Uninstalling K3s deletes the local cluster data, configuration, and all of the scripts and CLI tools.",(0,s.jsx)(e.br,{}),"\n","It does not remove any data from external datastores, or created by pods using external Kubernetes storage volumes."]})}),"\n",(0,s.jsx)(e.p,{children:"If you installed K3s using the installation script, a script to uninstall K3s was generated during installation."}),"\n",(0,s.jsxs)(e.p,{children:["If you are planning on rejoining a node to an existing cluster after uninstalling and reinstalling, be sure to delete the node from the cluster to ensure that the node password secret is removed. See the ",(0,s.jsx)(e.a,{href:"/kr/architecture#how-agent-node-registration-works",children:"Node Registration"})," documentation for more information."]}),"\n",(0,s.jsx)(e.h3,{id:"uninstalling-servers",children:"Uninstalling Servers"}),"\n",(0,s.jsx)(e.p,{children:"To uninstall K3s from a server node, run:"}),"\n",(0,s.jsx)(e.pre,{children:(0,s.jsx)(e.code,{className:"language-bash",children:"/usr/local/bin/k3s-uninstall.sh\n"})}),"\n",(0,s.jsx)(e.h3,{id:"uninstalling-agents",children:"Uninstalling Agents"}),"\n",(0,s.jsx)(e.p,{children:"To uninstall K3s from an agent node, run:"}),"\n",(0,s.jsx)(e.pre,{children:(0,s.jsx)(e.code,{className:"language-bash",children:"/usr/local/bin/k3s-agent-uninstall.sh\n"})})]})}function u(n={}){const{wrapper:e}={...(0,a.a)(),...n.components};return e?(0,s.jsx)(e,{...n,children:(0,s.jsx)(c,{...n})}):c(n)}},1151:(n,e,t)=>{t.d(e,{Z:()=>r,a:()=>l});var s=t(7294);const a={},i=s.createContext(a);function l(n){const e=s.useContext(i);return s.useMemo((function(){return"function"==typeof n?n(e):{...e,...n}}),[e,n])}function r(n){let e;return e=n.disableParentContext?"function"==typeof n.components?n.components(a):n.components||a:l(n.components),s.createElement(i.Provider,{value:e},n.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/e8666366.b5cdde90.js b/kr/assets/js/e8666366.b5cdde90.js deleted file mode 100644 index 5399b147c..000000000 --- a/kr/assets/js/e8666366.b5cdde90.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[3936],{8925:(n,e,t)=>{t.r(e),t.d(e,{assets:()=>o,contentTitle:()=>l,default:()=>u,frontMatter:()=>i,metadata:()=>r,toc:()=>d});var s=t(5893),a=t(1151);const i={title:"Uninstalling K3s"},l=void 0,r={id:"installation/uninstall",title:"Uninstalling K3s",description:"Uninstalling K3s deletes the local cluster data, configuration, and all of the scripts and CLI tools.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/installation/uninstall.md",sourceDirName:"installation",slug:"/installation/uninstall",permalink:"/kr/installation/uninstall",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/uninstall.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Uninstalling K3s"},sidebar:"mySidebar",previous:{title:"Managing Packaged Components",permalink:"/kr/installation/packaged-components"},next:{title:"\ud074\ub7ec\uc2a4\ud130 \ub370\uc774\ud130 \uc800\uc7a5\uc18c",permalink:"/kr/datastore/"}},o={},d=[{value:"Uninstalling Servers",id:"uninstalling-servers",level:3},{value:"Uninstalling Agents",id:"uninstalling-agents",level:3}];function c(n){const e={a:"a",admonition:"admonition",br:"br",code:"code",h3:"h3",p:"p",pre:"pre",...(0,a.a)(),...n.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(e.admonition,{type:"warning",children:(0,s.jsxs)(e.p,{children:["Uninstalling K3s deletes the local cluster data, configuration, and all of the scripts and CLI tools.",(0,s.jsx)(e.br,{}),"\n","It does not remove any data from external datastores, or created by pods using external Kubernetes storage volumes."]})}),"\n",(0,s.jsx)(e.p,{children:"If you installed K3s using the installation script, a script to uninstall K3s was generated during installation."}),"\n",(0,s.jsxs)(e.p,{children:["If you are planning on rejoining a node to an existing cluster after uninstalling and reinstalling, be sure to delete the node from the cluster to ensure that the node password secret is removed. See the ",(0,s.jsx)(e.a,{href:"/kr/architecture#how-agent-node-registration-works",children:"Node Registration"})," documentation for more information."]}),"\n",(0,s.jsx)(e.h3,{id:"uninstalling-servers",children:"Uninstalling Servers"}),"\n",(0,s.jsx)(e.p,{children:"To uninstall K3s from a server node, run:"}),"\n",(0,s.jsx)(e.pre,{children:(0,s.jsx)(e.code,{className:"language-bash",children:"/usr/local/bin/k3s-uninstall.sh\n"})}),"\n",(0,s.jsx)(e.h3,{id:"uninstalling-agents",children:"Uninstalling Agents"}),"\n",(0,s.jsx)(e.p,{children:"To uninstall K3s from an agent node, run:"}),"\n",(0,s.jsx)(e.pre,{children:(0,s.jsx)(e.code,{className:"language-bash",children:"/usr/local/bin/k3s-agent-uninstall.sh\n"})})]})}function u(n={}){const{wrapper:e}={...(0,a.a)(),...n.components};return e?(0,s.jsx)(e,{...n,children:(0,s.jsx)(c,{...n})}):c(n)}},1151:(n,e,t)=>{t.d(e,{Z:()=>r,a:()=>l});var s=t(7294);const a={},i=s.createContext(a);function l(n){const e=s.useContext(i);return s.useMemo((function(){return"function"==typeof n?n(e):{...e,...n}}),[e,n])}function r(n){let e;return e=n.disableParentContext?"function"==typeof n.components?n.components(a):n.components||a:l(n.components),s.createElement(i.Provider,{value:e},n.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/e92581be.3f96b3a6.js b/kr/assets/js/e92581be.3f96b3a6.js deleted file mode 100644 index 9e8e88fbb..000000000 --- a/kr/assets/js/e92581be.3f96b3a6.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[5470],{7454:(e,n,s)=>{s.r(n),s.d(n,{assets:()=>o,contentTitle:()=>i,default:()=>h,frontMatter:()=>a,metadata:()=>l,toc:()=>d});var t=s(5893),r=s(1151);const a={title:"Manual Upgrades"},i=void 0,l={id:"upgrades/manual",title:"Manual Upgrades",description:"You can upgrade K3s by using the installation script, or by manually installing the binary of the desired version.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/upgrades/manual.md",sourceDirName:"upgrades",slug:"/upgrades/manual",permalink:"/kr/upgrades/manual",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/upgrades/manual.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"Manual Upgrades"},sidebar:"mySidebar",previous:{title:"Stopping K3s",permalink:"/kr/upgrades/killall"},next:{title:"Automated Upgrades",permalink:"/kr/upgrades/automated"}},o={},d=[{value:"Release Channels",id:"release-channels",level:3},{value:"Upgrade K3s Using the Installation Script",id:"upgrade-k3s-using-the-installation-script",level:3},{value:"Manually Upgrade K3s Using the Binary",id:"manually-upgrade-k3s-using-the-binary",level:3},{value:"Restarting K3s",id:"restarting-k3s",level:3}];function c(e){const n={a:"a",admonition:"admonition",code:"code",h3:"h3",li:"li",ol:"ol",p:"p",pre:"pre",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",...(0,r.a)(),...e.components};return(0,t.jsxs)(t.Fragment,{children:[(0,t.jsx)(n.p,{children:"You can upgrade K3s by using the installation script, or by manually installing the binary of the desired version."}),"\n",(0,t.jsx)(n.admonition,{type:"note",children:(0,t.jsx)(n.p,{children:"When upgrading, upgrade server nodes first one at a time, then any agent nodes."})}),"\n",(0,t.jsx)(n.h3,{id:"release-channels",children:"Release Channels"}),"\n",(0,t.jsxs)(n.p,{children:["Upgrades performed via the installation script or using our ",(0,t.jsx)(n.a,{href:"/kr/upgrades/automated",children:"automated upgrades"})," feature can be tied to different release channels. The following channels are available:"]}),"\n",(0,t.jsxs)(n.table,{children:[(0,t.jsx)(n.thead,{children:(0,t.jsxs)(n.tr,{children:[(0,t.jsx)(n.th,{children:"Channel"}),(0,t.jsx)(n.th,{children:"Description"})]})}),(0,t.jsxs)(n.tbody,{children:[(0,t.jsxs)(n.tr,{children:[(0,t.jsx)(n.td,{children:"stable"}),(0,t.jsx)(n.td,{children:"(Default) Stable is recommended for production environments. These releases have been through a period of community hardening."})]}),(0,t.jsxs)(n.tr,{children:[(0,t.jsx)(n.td,{children:"latest"}),(0,t.jsx)(n.td,{children:"Latest is recommended for trying out the latest features. These releases have not yet been through a period of community hardening."})]}),(0,t.jsxs)(n.tr,{children:[(0,t.jsx)(n.td,{children:"v1.26 (example)"}),(0,t.jsx)(n.td,{children:"There is a release channel tied to each Kubernetes minor version, including versions that are end-of-life. These channels will select the latest patch available, not necessarily a stable release."})]})]})]}),"\n",(0,t.jsxs)(n.p,{children:["For an exhaustive and up-to-date list of channels, you can visit the ",(0,t.jsx)(n.a,{href:"https://update.k3s.io/v1-release/channels",children:"k3s channel service API"}),". For more technical details on how channels work, you see the ",(0,t.jsx)(n.a,{href:"https://github.com/rancher/channelserver",children:"channelserver project"}),"."]}),"\n",(0,t.jsx)(n.admonition,{type:"tip",children:(0,t.jsxs)(n.p,{children:["When attempting to upgrade to a new version of K3s, the ",(0,t.jsx)(n.a,{href:"https://kubernetes.io/docs/setup/release/version-skew-policy/",children:"Kubernetes version skew policy"})," applies. Ensure that your plan does not skip intermediate minor versions when upgrading. The system-upgrade-controller itself will not protect against unsupported changes to the Kubernetes version."]})}),"\n",(0,t.jsx)(n.h3,{id:"upgrade-k3s-using-the-installation-script",children:"Upgrade K3s Using the Installation Script"}),"\n",(0,t.jsx)(n.p,{children:"To upgrade K3s from an older version you can re-run the installation script using the same flags, for example:"}),"\n",(0,t.jsx)(n.pre,{children:(0,t.jsx)(n.code,{className:"language-sh",children:"curl -sfL https://get.k3s.io | sh -\n"})}),"\n",(0,t.jsx)(n.p,{children:"This will upgrade to a newer version in the stable channel by default."}),"\n",(0,t.jsx)(n.p,{children:"If you want to upgrade to a newer version in a specific channel (such as latest) you can specify the channel:"}),"\n",(0,t.jsx)(n.pre,{children:(0,t.jsx)(n.code,{className:"language-sh",children:"curl -sfL https://get.k3s.io | INSTALL_K3S_CHANNEL=latest sh -\n"})}),"\n",(0,t.jsx)(n.p,{children:"If you want to upgrade to a specific version you can run the following command:"}),"\n",(0,t.jsx)(n.pre,{children:(0,t.jsx)(n.code,{className:"language-sh",children:"curl -sfL https://get.k3s.io | INSTALL_K3S_VERSION=vX.Y.Z-rc1 sh -\n"})}),"\n",(0,t.jsx)(n.h3,{id:"manually-upgrade-k3s-using-the-binary",children:"Manually Upgrade K3s Using the Binary"}),"\n",(0,t.jsx)(n.p,{children:"Or to manually upgrade K3s:"}),"\n",(0,t.jsxs)(n.ol,{children:["\n",(0,t.jsxs)(n.li,{children:["Download the desired version of the K3s binary from ",(0,t.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases",children:"releases"})]}),"\n",(0,t.jsxs)(n.li,{children:["Copy the downloaded binary to ",(0,t.jsx)(n.code,{children:"/usr/local/bin/k3s"})," (or your desired location)"]}),"\n",(0,t.jsx)(n.li,{children:"Stop the old k3s binary"}),"\n",(0,t.jsx)(n.li,{children:"Launch the new k3s binary"}),"\n"]}),"\n",(0,t.jsx)(n.h3,{id:"restarting-k3s",children:"Restarting K3s"}),"\n",(0,t.jsx)(n.p,{children:"Restarting K3s is supported by the installation script for systemd and OpenRC."}),"\n",(0,t.jsx)(n.p,{children:(0,t.jsx)(n.strong,{children:"systemd"})}),"\n",(0,t.jsx)(n.p,{children:"To restart servers manually:"}),"\n",(0,t.jsx)(n.pre,{children:(0,t.jsx)(n.code,{className:"language-sh",children:"sudo systemctl restart k3s\n"})}),"\n",(0,t.jsx)(n.p,{children:"To restart agents manually:"}),"\n",(0,t.jsx)(n.pre,{children:(0,t.jsx)(n.code,{className:"language-sh",children:"sudo systemctl restart k3s-agent\n"})}),"\n",(0,t.jsx)(n.p,{children:(0,t.jsx)(n.strong,{children:"OpenRC"})}),"\n",(0,t.jsx)(n.p,{children:"To restart servers manually:"}),"\n",(0,t.jsx)(n.pre,{children:(0,t.jsx)(n.code,{className:"language-sh",children:"sudo service k3s restart\n"})}),"\n",(0,t.jsx)(n.p,{children:"To restart agents manually:"}),"\n",(0,t.jsx)(n.pre,{children:(0,t.jsx)(n.code,{className:"language-sh",children:"sudo service k3s-agent restart\n"})})]})}function h(e={}){const{wrapper:n}={...(0,r.a)(),...e.components};return n?(0,t.jsx)(n,{...e,children:(0,t.jsx)(c,{...e})}):c(e)}},1151:(e,n,s)=>{s.d(n,{Z:()=>l,a:()=>i});var t=s(7294);const r={},a=t.createContext(r);function i(e){const n=t.useContext(a);return t.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function l(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:i(e.components),t.createElement(a.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/e92581be.70bed0e9.js b/kr/assets/js/e92581be.70bed0e9.js new file mode 100644 index 000000000..75f26c53c --- /dev/null +++ b/kr/assets/js/e92581be.70bed0e9.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[5470],{7454:(e,n,s)=>{s.r(n),s.d(n,{assets:()=>o,contentTitle:()=>i,default:()=>h,frontMatter:()=>a,metadata:()=>l,toc:()=>d});var t=s(5893),r=s(1151);const a={title:"Manual Upgrades"},i=void 0,l={id:"upgrades/manual",title:"Manual Upgrades",description:"You can upgrade K3s by using the installation script, or by manually installing the binary of the desired version.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/upgrades/manual.md",sourceDirName:"upgrades",slug:"/upgrades/manual",permalink:"/kr/upgrades/manual",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/upgrades/manual.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"Manual Upgrades"},sidebar:"mySidebar",previous:{title:"Stopping K3s",permalink:"/kr/upgrades/killall"},next:{title:"Automated Upgrades",permalink:"/kr/upgrades/automated"}},o={},d=[{value:"Release Channels",id:"release-channels",level:3},{value:"Upgrade K3s Using the Installation Script",id:"upgrade-k3s-using-the-installation-script",level:3},{value:"Manually Upgrade K3s Using the Binary",id:"manually-upgrade-k3s-using-the-binary",level:3},{value:"Restarting K3s",id:"restarting-k3s",level:3}];function c(e){const n={a:"a",admonition:"admonition",code:"code",h3:"h3",li:"li",ol:"ol",p:"p",pre:"pre",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",...(0,r.a)(),...e.components};return(0,t.jsxs)(t.Fragment,{children:[(0,t.jsx)(n.p,{children:"You can upgrade K3s by using the installation script, or by manually installing the binary of the desired version."}),"\n",(0,t.jsx)(n.admonition,{type:"note",children:(0,t.jsx)(n.p,{children:"When upgrading, upgrade server nodes first one at a time, then any agent nodes."})}),"\n",(0,t.jsx)(n.h3,{id:"release-channels",children:"Release Channels"}),"\n",(0,t.jsxs)(n.p,{children:["Upgrades performed via the installation script or using our ",(0,t.jsx)(n.a,{href:"/kr/upgrades/automated",children:"automated upgrades"})," feature can be tied to different release channels. The following channels are available:"]}),"\n",(0,t.jsxs)(n.table,{children:[(0,t.jsx)(n.thead,{children:(0,t.jsxs)(n.tr,{children:[(0,t.jsx)(n.th,{children:"Channel"}),(0,t.jsx)(n.th,{children:"Description"})]})}),(0,t.jsxs)(n.tbody,{children:[(0,t.jsxs)(n.tr,{children:[(0,t.jsx)(n.td,{children:"stable"}),(0,t.jsx)(n.td,{children:"(Default) Stable is recommended for production environments. These releases have been through a period of community hardening."})]}),(0,t.jsxs)(n.tr,{children:[(0,t.jsx)(n.td,{children:"latest"}),(0,t.jsx)(n.td,{children:"Latest is recommended for trying out the latest features. These releases have not yet been through a period of community hardening."})]}),(0,t.jsxs)(n.tr,{children:[(0,t.jsx)(n.td,{children:"v1.26 (example)"}),(0,t.jsx)(n.td,{children:"There is a release channel tied to each Kubernetes minor version, including versions that are end-of-life. These channels will select the latest patch available, not necessarily a stable release."})]})]})]}),"\n",(0,t.jsxs)(n.p,{children:["For an exhaustive and up-to-date list of channels, you can visit the ",(0,t.jsx)(n.a,{href:"https://update.k3s.io/v1-release/channels",children:"k3s channel service API"}),". For more technical details on how channels work, you see the ",(0,t.jsx)(n.a,{href:"https://github.com/rancher/channelserver",children:"channelserver project"}),"."]}),"\n",(0,t.jsx)(n.admonition,{type:"tip",children:(0,t.jsxs)(n.p,{children:["When attempting to upgrade to a new version of K3s, the ",(0,t.jsx)(n.a,{href:"https://kubernetes.io/docs/setup/release/version-skew-policy/",children:"Kubernetes version skew policy"})," applies. Ensure that your plan does not skip intermediate minor versions when upgrading. The system-upgrade-controller itself will not protect against unsupported changes to the Kubernetes version."]})}),"\n",(0,t.jsx)(n.h3,{id:"upgrade-k3s-using-the-installation-script",children:"Upgrade K3s Using the Installation Script"}),"\n",(0,t.jsx)(n.p,{children:"To upgrade K3s from an older version you can re-run the installation script using the same flags, for example:"}),"\n",(0,t.jsx)(n.pre,{children:(0,t.jsx)(n.code,{className:"language-sh",children:"curl -sfL https://get.k3s.io | sh -\n"})}),"\n",(0,t.jsx)(n.p,{children:"This will upgrade to a newer version in the stable channel by default."}),"\n",(0,t.jsx)(n.p,{children:"If you want to upgrade to a newer version in a specific channel (such as latest) you can specify the channel:"}),"\n",(0,t.jsx)(n.pre,{children:(0,t.jsx)(n.code,{className:"language-sh",children:"curl -sfL https://get.k3s.io | INSTALL_K3S_CHANNEL=latest sh -\n"})}),"\n",(0,t.jsx)(n.p,{children:"If you want to upgrade to a specific version you can run the following command:"}),"\n",(0,t.jsx)(n.pre,{children:(0,t.jsx)(n.code,{className:"language-sh",children:"curl -sfL https://get.k3s.io | INSTALL_K3S_VERSION=vX.Y.Z-rc1 sh -\n"})}),"\n",(0,t.jsx)(n.h3,{id:"manually-upgrade-k3s-using-the-binary",children:"Manually Upgrade K3s Using the Binary"}),"\n",(0,t.jsx)(n.p,{children:"Or to manually upgrade K3s:"}),"\n",(0,t.jsxs)(n.ol,{children:["\n",(0,t.jsxs)(n.li,{children:["Download the desired version of the K3s binary from ",(0,t.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases",children:"releases"})]}),"\n",(0,t.jsxs)(n.li,{children:["Copy the downloaded binary to ",(0,t.jsx)(n.code,{children:"/usr/local/bin/k3s"})," (or your desired location)"]}),"\n",(0,t.jsx)(n.li,{children:"Stop the old k3s binary"}),"\n",(0,t.jsx)(n.li,{children:"Launch the new k3s binary"}),"\n"]}),"\n",(0,t.jsx)(n.h3,{id:"restarting-k3s",children:"Restarting K3s"}),"\n",(0,t.jsx)(n.p,{children:"Restarting K3s is supported by the installation script for systemd and OpenRC."}),"\n",(0,t.jsx)(n.p,{children:(0,t.jsx)(n.strong,{children:"systemd"})}),"\n",(0,t.jsx)(n.p,{children:"To restart servers manually:"}),"\n",(0,t.jsx)(n.pre,{children:(0,t.jsx)(n.code,{className:"language-sh",children:"sudo systemctl restart k3s\n"})}),"\n",(0,t.jsx)(n.p,{children:"To restart agents manually:"}),"\n",(0,t.jsx)(n.pre,{children:(0,t.jsx)(n.code,{className:"language-sh",children:"sudo systemctl restart k3s-agent\n"})}),"\n",(0,t.jsx)(n.p,{children:(0,t.jsx)(n.strong,{children:"OpenRC"})}),"\n",(0,t.jsx)(n.p,{children:"To restart servers manually:"}),"\n",(0,t.jsx)(n.pre,{children:(0,t.jsx)(n.code,{className:"language-sh",children:"sudo service k3s restart\n"})}),"\n",(0,t.jsx)(n.p,{children:"To restart agents manually:"}),"\n",(0,t.jsx)(n.pre,{children:(0,t.jsx)(n.code,{className:"language-sh",children:"sudo service k3s-agent restart\n"})})]})}function h(e={}){const{wrapper:n}={...(0,r.a)(),...e.components};return n?(0,t.jsx)(n,{...e,children:(0,t.jsx)(c,{...e})}):c(e)}},1151:(e,n,s)=>{s.d(n,{Z:()=>l,a:()=>i});var t=s(7294);const r={},a=t.createContext(r);function i(e){const n=t.useContext(a);return t.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function l(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:i(e.components),t.createElement(a.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/f5fc080a.74d620d3.js b/kr/assets/js/f5fc080a.74d620d3.js deleted file mode 100644 index 0e36a0cfb..000000000 --- a/kr/assets/js/f5fc080a.74d620d3.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[9176],{2296:(e,s,c)=>{c.r(s),c.d(s,{assets:()=>l,contentTitle:()=>n,default:()=>x,frontMatter:()=>d,metadata:()=>i,toc:()=>o});var r=c(5893),t=c(1151);const d={title:"\uba85\ub839\uc904 \ub3c4\uad6c"},n=void 0,i={id:"cli/cli",title:"\uba85\ub839\uc904 \ub3c4\uad6c",description:"K3s \ubc14\uc774\ub108\ub9ac\uc5d0\ub294 \ud074\ub7ec\uc2a4\ud130 \uad00\ub9ac\uc5d0 \ub3c4\uc6c0\uc774 \ub418\ub294 \uc5ec\ub7ec \uac00\uc9c0 \ucd94\uac00 \ub3c4\uad6c\uac00 \ud3ec\ud568\ub418\uc5b4 \uc788\uc2b5\ub2c8\ub2e4.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/cli/cli.md",sourceDirName:"cli",slug:"/cli/",permalink:"/kr/cli/",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/cli/cli.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{title:"\uba85\ub839\uc904 \ub3c4\uad6c"},sidebar:"mySidebar",previous:{title:"self-assessment-1.24",permalink:"/kr/security/self-assessment-1.24"},next:{title:"server",permalink:"/kr/cli/server"}},l={},o=[];function h(e){const s={a:"a",code:"code",p:"p",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",...(0,t.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(s.p,{children:"K3s \ubc14\uc774\ub108\ub9ac\uc5d0\ub294 \ud074\ub7ec\uc2a4\ud130 \uad00\ub9ac\uc5d0 \ub3c4\uc6c0\uc774 \ub418\ub294 \uc5ec\ub7ec \uac00\uc9c0 \ucd94\uac00 \ub3c4\uad6c\uac00 \ud3ec\ud568\ub418\uc5b4 \uc788\uc2b5\ub2c8\ub2e4."}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Command"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"k3s server"})}),(0,r.jsxs)(s.td,{children:["\ub370\uc774\ud130\uc2a4\ud1a0\uc5b4\uc640 \uc5d0\uc774\uc804\ud2b8 \ucef4\ud3ec\ub10c\ud2b8 \uc678\uc5d0 \ucfe0\ubc84\ub124\ud2f0\uc2a4 ",(0,r.jsx)(s.code,{children:"apiserver"}),", ",(0,r.jsx)(s.code,{children:"scheduler"}),", ",(0,r.jsx)(s.code,{children:"controller-manager"}),", \uadf8\ub9ac\uace0 ",(0,r.jsx)(s.code,{children:"cloud-controller-manager"})," \ucef4\ud3ec\ub10c\ud2b8\ub97c \uc2e4\ud589\ud558\ub294 K3s \uc11c\ubc84 \ub178\ub4dc\ub97c \uc2e4\ud589\ud569\ub2c8\ub2e4. \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,r.jsxs)(s.a,{href:"/kr/cli/server",children:[(0,r.jsx)(s.code,{children:"k3s server"})," \uba85\ub839\uc5b4 \uc124\uba85\uc11c"]}),"\ub97c \ucc38\uace0\ud558\uc138\uc694."]})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"k3s agent"})}),(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"containerd"}),", ",(0,r.jsx)(s.code,{children:"flannel"}),", ",(0,r.jsx)(s.code,{children:"kube-router"})," \ub124\ud2b8\uc6cc\ud06c \uc815\ucc45 \ucee8\ud2b8\ub864\ub7ec\uc640 \ucfe0\ubc84\ub124\ud2f0\uc2a4 ",(0,r.jsx)(s.code,{children:"kubelet"})," \ubc0f ",(0,r.jsx)(s.code,{children:"kube-proxy"})," \uad6c\uc131 \uc694\uc18c\ub97c \uc2e4\ud589\ud558\ub294 K3s \uc5d0\uc774\uc804\ud2b8 \ub178\ub4dc\ub97c \uc2e4\ud589\ud55c\ub2e4. \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,r.jsxs)(s.a,{href:"/kr/cli/agent",children:[(0,r.jsx)(s.code,{children:"k3s agent"})," \uba85\ub839\uc5b4 \uc124\uba85\uc11c"]}),"\ub97c \ucc38\uc870\ud558\uc138\uc694."]})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"k3s kubectl"})}),(0,r.jsxs)(s.td,{children:["\uc784\ubca0\ub4dc\ub41c ",(0,r.jsxs)(s.a,{href:"https://kubernetes.io/ko/docs/reference/kubectl",children:[(0,r.jsx)(s.code,{children:"kubectl"})," \uba85\ub839"]}),"\uc744 \uc2e4\ud589\ud569\ub2c8\ub2e4. \uc774\uac83\uc740 \ucfe0\ubc84\ub124\ud2f0\uc2a4 apiserver\uc640 \uc0c1\ud638\uc791\uc6a9\ud558\uae30 \uc704\ud55c CLI\uc785\ub2c8\ub2e4. ",(0,r.jsx)(s.code,{children:"KUBECONFIG"})," \ud658\uacbd \ubcc0\uc218\uac00 \uc124\uc815\ub418\uc5b4 \uc788\uc9c0 \uc54a\uc73c\uba74, \uc790\ub3d9\uc73c\ub85c ",(0,r.jsx)(s.code,{children:"/etc/rancher/k3s/k3s.yaml"}),"\uc5d0\uc11c kubeconfig\ub97c \uc0ac\uc6a9\ud558\ub824\uace0 \uc2dc\ub3c4\ud569\ub2c8\ub2e4."]})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"k3s crictl"})}),(0,r.jsxs)(s.td,{children:["\uc784\ubca0\ub4dc\ub41c ",(0,r.jsxs)(s.a,{href:"https://github.com/kubernetes-sigs/cri-tools/blob/master/docs/crictl.md",children:[(0,r.jsx)(s.code,{children:"crictl"})," \uba85\ub839"]}),"\uc744 \uc2e4\ud589\ud569\ub2c8\ub2e4. \uc774\uac83\uc740 \ucfe0\ubc84\ub124\ud2f0\uc2a4\uc758 \ucee8\ud14c\uc774\ub108 \ub7f0\ud0c0\uc784 \uc778\ud130\ud398\uc774\uc2a4(CRI: Container Runtime Interface)\uc640 \uc0c1\ud638 \uc791\uc6a9\ud558\uae30 \uc704\ud55c CLI\uc785\ub2c8\ub2e4. \ub514\ubc84\uae45\uc5d0 \uc720\uc6a9\ud569\ub2c8\ub2e4."]})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"k3s ctr"})}),(0,r.jsxs)(s.td,{children:["\ub0b4\uc7a5\ub41c ",(0,r.jsxs)(s.a,{href:"https://github.com/projectatomic/containerd/blob/master/docs/cli.md",children:[(0,r.jsx)(s.code,{children:"ctr"})," \uba85\ub839"]}),"\uc744 \uc2e4\ud589\ud569\ub2c8\ub2e4. \uc774\ub294 K3s\uc5d0\uc11c \uc0ac\uc6a9\ud558\ub294 \ucee8\ud14c\uc774\ub108 \ub370\ubaac\uc778 containerd\uc758 CLI\uc785\ub2c8\ub2e4. \ub514\ubc84\uae45\uc5d0 \uc720\uc6a9\ud569\ub2c8\ub2e4."]})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"k3s token"})}),(0,r.jsxs)(s.td,{children:["\ubd80\ud2b8\uc2a4\ud2b8\ub7a9 \ud1a0\ud070\uc744 \uad00\ub9ac\ud569\ub2c8\ub2e4. \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,r.jsxs)(s.a,{href:"/kr/cli/token",children:[(0,r.jsx)(s.code,{children:"k3s token"})," \uba85\ub839\uc5b4 \uc124\uba85\uc11c"]}),"\ub97c \ucc38\uc870\ud558\uc138\uc694."]})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"k3s etcd-snapshot"})}),(0,r.jsxs)(s.td,{children:["K3s \ud074\ub7ec\uc2a4\ud130 \ub370\uc774\ud130\uc758 \uc628\ub514\ub9e8\ub4dc \ubc31\uc5c5\uc744 \uc218\ud589\ud558\uc5ec S3\uc5d0 \uc5c5\ub85c\ub4dc\ud569\ub2c8\ub2e4. \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,r.jsxs)(s.a,{href:"/kr/cli/etcd-snapshot",children:[(0,r.jsx)(s.code,{children:"k3s etcd-snapshot"})," \uba85\ub839\uc5b4 \uc124\uba85\uc11c"]}),"\ub97c \ucc38\uc870\ud558\uc138\uc694."]})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"k3s secrets-encrypt"})}),(0,r.jsxs)(s.td,{children:["\ud074\ub7ec\uc2a4\ud130\uc5d0 \uc2dc\ud06c\ub9bf\uc744 \uc800\uc7a5\ud560 \ub54c \uc554\ud638\ud654\ud558\ub3c4\ub85d K3s\ub97c \uad6c\uc131\ud569\ub2c8\ub2e4. \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,r.jsxs)(s.a,{href:"/kr/cli/secrets-encrypt",children:[(0,r.jsx)(s.code,{children:"k3s secrets-encrypt"})," \uba85\ub839\uc5b4 \uc124\uba85\uc11c"]}),"\ub97c \ucc38\uc870\ud558\uc138\uc694."]})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"k3s certificate"})}),(0,r.jsxs)(s.td,{children:["K3s \uc778\uc99d\uc11c\ub97c \uad00\ub9ac\ud569\ub2c8\ub2e4. \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,r.jsxs)(s.a,{href:"/kr/cli/certificate",children:[(0,r.jsx)(s.code,{children:"k3s certificate"})," \uba85\ub839\uc5b4 \uc124\uba85\uc11c"]}),"\ub97c \ucc38\uc870\ud558\uc138\uc694."]})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"k3s completion"})}),(0,r.jsx)(s.td,{children:"k3s\uc6a9 \uc178 \uc790\ub3d9\uc644\uc131 \uc2a4\ud06c\ub9bd\ud2b8\ub97c \uc0dd\uc131\ud569\ub2c8\ub2e4."})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"k3s help"})}),(0,r.jsx)(s.td,{children:"\uba85\ub839 \ubaa9\ub85d \ub610\ub294 \ud55c \uba85\ub839\uc5b4\uc5d0 \ub300\ud55c \ub3c4\uc6c0\ub9d0\uc744 \ud45c\uc2dc\ud569\ub2c8\ub2e4."})]})]})]})]})}function x(e={}){const{wrapper:s}={...(0,t.a)(),...e.components};return s?(0,r.jsx)(s,{...e,children:(0,r.jsx)(h,{...e})}):h(e)}},1151:(e,s,c)=>{c.d(s,{Z:()=>i,a:()=>n});var r=c(7294);const t={},d=r.createContext(t);function n(e){const s=r.useContext(d);return r.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function i(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:n(e.components),r.createElement(d.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/f5fc080a.f8d911d8.js b/kr/assets/js/f5fc080a.f8d911d8.js new file mode 100644 index 000000000..af1f44b0a --- /dev/null +++ b/kr/assets/js/f5fc080a.f8d911d8.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[9176],{2296:(e,s,c)=>{c.r(s),c.d(s,{assets:()=>l,contentTitle:()=>n,default:()=>x,frontMatter:()=>d,metadata:()=>i,toc:()=>o});var r=c(5893),t=c(1151);const d={title:"\uba85\ub839\uc904 \ub3c4\uad6c"},n=void 0,i={id:"cli/cli",title:"\uba85\ub839\uc904 \ub3c4\uad6c",description:"K3s \ubc14\uc774\ub108\ub9ac\uc5d0\ub294 \ud074\ub7ec\uc2a4\ud130 \uad00\ub9ac\uc5d0 \ub3c4\uc6c0\uc774 \ub418\ub294 \uc5ec\ub7ec \uac00\uc9c0 \ucd94\uac00 \ub3c4\uad6c\uac00 \ud3ec\ud568\ub418\uc5b4 \uc788\uc2b5\ub2c8\ub2e4.",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/cli/cli.md",sourceDirName:"cli",slug:"/cli/",permalink:"/kr/cli/",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/cli/cli.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{title:"\uba85\ub839\uc904 \ub3c4\uad6c"},sidebar:"mySidebar",previous:{title:"self-assessment-1.24",permalink:"/kr/security/self-assessment-1.24"},next:{title:"server",permalink:"/kr/cli/server"}},l={},o=[];function h(e){const s={a:"a",code:"code",p:"p",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",...(0,t.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(s.p,{children:"K3s \ubc14\uc774\ub108\ub9ac\uc5d0\ub294 \ud074\ub7ec\uc2a4\ud130 \uad00\ub9ac\uc5d0 \ub3c4\uc6c0\uc774 \ub418\ub294 \uc5ec\ub7ec \uac00\uc9c0 \ucd94\uac00 \ub3c4\uad6c\uac00 \ud3ec\ud568\ub418\uc5b4 \uc788\uc2b5\ub2c8\ub2e4."}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Command"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"k3s server"})}),(0,r.jsxs)(s.td,{children:["\ub370\uc774\ud130\uc2a4\ud1a0\uc5b4\uc640 \uc5d0\uc774\uc804\ud2b8 \ucef4\ud3ec\ub10c\ud2b8 \uc678\uc5d0 \ucfe0\ubc84\ub124\ud2f0\uc2a4 ",(0,r.jsx)(s.code,{children:"apiserver"}),", ",(0,r.jsx)(s.code,{children:"scheduler"}),", ",(0,r.jsx)(s.code,{children:"controller-manager"}),", \uadf8\ub9ac\uace0 ",(0,r.jsx)(s.code,{children:"cloud-controller-manager"})," \ucef4\ud3ec\ub10c\ud2b8\ub97c \uc2e4\ud589\ud558\ub294 K3s \uc11c\ubc84 \ub178\ub4dc\ub97c \uc2e4\ud589\ud569\ub2c8\ub2e4. \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,r.jsxs)(s.a,{href:"/kr/cli/server",children:[(0,r.jsx)(s.code,{children:"k3s server"})," \uba85\ub839\uc5b4 \uc124\uba85\uc11c"]}),"\ub97c \ucc38\uace0\ud558\uc138\uc694."]})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"k3s agent"})}),(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"containerd"}),", ",(0,r.jsx)(s.code,{children:"flannel"}),", ",(0,r.jsx)(s.code,{children:"kube-router"})," \ub124\ud2b8\uc6cc\ud06c \uc815\ucc45 \ucee8\ud2b8\ub864\ub7ec\uc640 \ucfe0\ubc84\ub124\ud2f0\uc2a4 ",(0,r.jsx)(s.code,{children:"kubelet"})," \ubc0f ",(0,r.jsx)(s.code,{children:"kube-proxy"})," \uad6c\uc131 \uc694\uc18c\ub97c \uc2e4\ud589\ud558\ub294 K3s \uc5d0\uc774\uc804\ud2b8 \ub178\ub4dc\ub97c \uc2e4\ud589\ud55c\ub2e4. \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,r.jsxs)(s.a,{href:"/kr/cli/agent",children:[(0,r.jsx)(s.code,{children:"k3s agent"})," \uba85\ub839\uc5b4 \uc124\uba85\uc11c"]}),"\ub97c \ucc38\uc870\ud558\uc138\uc694."]})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"k3s kubectl"})}),(0,r.jsxs)(s.td,{children:["\uc784\ubca0\ub4dc\ub41c ",(0,r.jsxs)(s.a,{href:"https://kubernetes.io/ko/docs/reference/kubectl",children:[(0,r.jsx)(s.code,{children:"kubectl"})," \uba85\ub839"]}),"\uc744 \uc2e4\ud589\ud569\ub2c8\ub2e4. \uc774\uac83\uc740 \ucfe0\ubc84\ub124\ud2f0\uc2a4 apiserver\uc640 \uc0c1\ud638\uc791\uc6a9\ud558\uae30 \uc704\ud55c CLI\uc785\ub2c8\ub2e4. ",(0,r.jsx)(s.code,{children:"KUBECONFIG"})," \ud658\uacbd \ubcc0\uc218\uac00 \uc124\uc815\ub418\uc5b4 \uc788\uc9c0 \uc54a\uc73c\uba74, \uc790\ub3d9\uc73c\ub85c ",(0,r.jsx)(s.code,{children:"/etc/rancher/k3s/k3s.yaml"}),"\uc5d0\uc11c kubeconfig\ub97c \uc0ac\uc6a9\ud558\ub824\uace0 \uc2dc\ub3c4\ud569\ub2c8\ub2e4."]})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"k3s crictl"})}),(0,r.jsxs)(s.td,{children:["\uc784\ubca0\ub4dc\ub41c ",(0,r.jsxs)(s.a,{href:"https://github.com/kubernetes-sigs/cri-tools/blob/master/docs/crictl.md",children:[(0,r.jsx)(s.code,{children:"crictl"})," \uba85\ub839"]}),"\uc744 \uc2e4\ud589\ud569\ub2c8\ub2e4. \uc774\uac83\uc740 \ucfe0\ubc84\ub124\ud2f0\uc2a4\uc758 \ucee8\ud14c\uc774\ub108 \ub7f0\ud0c0\uc784 \uc778\ud130\ud398\uc774\uc2a4(CRI: Container Runtime Interface)\uc640 \uc0c1\ud638 \uc791\uc6a9\ud558\uae30 \uc704\ud55c CLI\uc785\ub2c8\ub2e4. \ub514\ubc84\uae45\uc5d0 \uc720\uc6a9\ud569\ub2c8\ub2e4."]})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"k3s ctr"})}),(0,r.jsxs)(s.td,{children:["\ub0b4\uc7a5\ub41c ",(0,r.jsxs)(s.a,{href:"https://github.com/projectatomic/containerd/blob/master/docs/cli.md",children:[(0,r.jsx)(s.code,{children:"ctr"})," \uba85\ub839"]}),"\uc744 \uc2e4\ud589\ud569\ub2c8\ub2e4. \uc774\ub294 K3s\uc5d0\uc11c \uc0ac\uc6a9\ud558\ub294 \ucee8\ud14c\uc774\ub108 \ub370\ubaac\uc778 containerd\uc758 CLI\uc785\ub2c8\ub2e4. \ub514\ubc84\uae45\uc5d0 \uc720\uc6a9\ud569\ub2c8\ub2e4."]})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"k3s token"})}),(0,r.jsxs)(s.td,{children:["\ubd80\ud2b8\uc2a4\ud2b8\ub7a9 \ud1a0\ud070\uc744 \uad00\ub9ac\ud569\ub2c8\ub2e4. \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,r.jsxs)(s.a,{href:"/kr/cli/token",children:[(0,r.jsx)(s.code,{children:"k3s token"})," \uba85\ub839\uc5b4 \uc124\uba85\uc11c"]}),"\ub97c \ucc38\uc870\ud558\uc138\uc694."]})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"k3s etcd-snapshot"})}),(0,r.jsxs)(s.td,{children:["K3s \ud074\ub7ec\uc2a4\ud130 \ub370\uc774\ud130\uc758 \uc628\ub514\ub9e8\ub4dc \ubc31\uc5c5\uc744 \uc218\ud589\ud558\uc5ec S3\uc5d0 \uc5c5\ub85c\ub4dc\ud569\ub2c8\ub2e4. \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,r.jsxs)(s.a,{href:"/kr/cli/etcd-snapshot",children:[(0,r.jsx)(s.code,{children:"k3s etcd-snapshot"})," \uba85\ub839\uc5b4 \uc124\uba85\uc11c"]}),"\ub97c \ucc38\uc870\ud558\uc138\uc694."]})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"k3s secrets-encrypt"})}),(0,r.jsxs)(s.td,{children:["\ud074\ub7ec\uc2a4\ud130\uc5d0 \uc2dc\ud06c\ub9bf\uc744 \uc800\uc7a5\ud560 \ub54c \uc554\ud638\ud654\ud558\ub3c4\ub85d K3s\ub97c \uad6c\uc131\ud569\ub2c8\ub2e4. \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,r.jsxs)(s.a,{href:"/kr/cli/secrets-encrypt",children:[(0,r.jsx)(s.code,{children:"k3s secrets-encrypt"})," \uba85\ub839\uc5b4 \uc124\uba85\uc11c"]}),"\ub97c \ucc38\uc870\ud558\uc138\uc694."]})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"k3s certificate"})}),(0,r.jsxs)(s.td,{children:["K3s \uc778\uc99d\uc11c\ub97c \uad00\ub9ac\ud569\ub2c8\ub2e4. \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 ",(0,r.jsxs)(s.a,{href:"/kr/cli/certificate",children:[(0,r.jsx)(s.code,{children:"k3s certificate"})," \uba85\ub839\uc5b4 \uc124\uba85\uc11c"]}),"\ub97c \ucc38\uc870\ud558\uc138\uc694."]})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"k3s completion"})}),(0,r.jsx)(s.td,{children:"k3s\uc6a9 \uc178 \uc790\ub3d9\uc644\uc131 \uc2a4\ud06c\ub9bd\ud2b8\ub97c \uc0dd\uc131\ud569\ub2c8\ub2e4."})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"k3s help"})}),(0,r.jsx)(s.td,{children:"\uba85\ub839 \ubaa9\ub85d \ub610\ub294 \ud55c \uba85\ub839\uc5b4\uc5d0 \ub300\ud55c \ub3c4\uc6c0\ub9d0\uc744 \ud45c\uc2dc\ud569\ub2c8\ub2e4."})]})]})]})]})}function x(e={}){const{wrapper:s}={...(0,t.a)(),...e.components};return s?(0,r.jsx)(s,{...e,children:(0,r.jsx)(h,{...e})}):h(e)}},1151:(e,s,c)=>{c.d(s,{Z:()=>i,a:()=>n});var r=c(7294);const t={},d=r.createContext(t);function n(e){const s=r.useContext(d);return r.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function i(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:n(e.components),r.createElement(d.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/f9fc8d33.bb9794c1.js b/kr/assets/js/f9fc8d33.bb9794c1.js deleted file mode 100644 index d770ce796..000000000 --- a/kr/assets/js/f9fc8d33.bb9794c1.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[8804],{1773:(e,s,t)=>{t.r(s),t.d(s,{assets:()=>a,contentTitle:()=>o,default:()=>l,frontMatter:()=>i,metadata:()=>c,toc:()=>u});var n=t(5893),r=t(1151);const i={},o=void 0,c={id:"security/self-assessment-1.8",title:"self-assessment-1.8",description:"\uc774 \ud398\uc774\uc9c0\ub294 \ubc88\uc5ed\ub418\uc9c0 \uc54a\uc558\uc2b5\ub2c8\ub2e4",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/security/self-assessment-1.8.md",sourceDirName:"security",slug:"/security/self-assessment-1.8",permalink:"/kr/security/self-assessment-1.8",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/security/self-assessment-1.8.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{},sidebar:"mySidebar",previous:{title:"CIS Hardening Guide",permalink:"/kr/security/hardening-guide"},next:{title:"self-assessment-1.7",permalink:"/kr/security/self-assessment-1.7"}},a={},u=[];function d(e){const s={p:"p",...(0,r.a)(),...e.components};return(0,n.jsx)(s.p,{children:"\uc774 \ud398\uc774\uc9c0\ub294 \ubc88\uc5ed\ub418\uc9c0 \uc54a\uc558\uc2b5\ub2c8\ub2e4"})}function l(e={}){const{wrapper:s}={...(0,r.a)(),...e.components};return s?(0,n.jsx)(s,{...e,children:(0,n.jsx)(d,{...e})}):d(e)}},1151:(e,s,t)=>{t.d(s,{Z:()=>c,a:()=>o});var n=t(7294);const r={},i=n.createContext(r);function o(e){const s=n.useContext(i);return n.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function c(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:o(e.components),n.createElement(i.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/f9fc8d33.ec3eeee7.js b/kr/assets/js/f9fc8d33.ec3eeee7.js new file mode 100644 index 000000000..10ad8826e --- /dev/null +++ b/kr/assets/js/f9fc8d33.ec3eeee7.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[8804],{1773:(e,s,t)=>{t.r(s),t.d(s,{assets:()=>a,contentTitle:()=>o,default:()=>l,frontMatter:()=>i,metadata:()=>c,toc:()=>u});var n=t(5893),r=t(1151);const i={},o=void 0,c={id:"security/self-assessment-1.8",title:"self-assessment-1.8",description:"\uc774 \ud398\uc774\uc9c0\ub294 \ubc88\uc5ed\ub418\uc9c0 \uc54a\uc558\uc2b5\ub2c8\ub2e4",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/security/self-assessment-1.8.md",sourceDirName:"security",slug:"/security/self-assessment-1.8",permalink:"/kr/security/self-assessment-1.8",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/security/self-assessment-1.8.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{},sidebar:"mySidebar",previous:{title:"CIS Hardening Guide",permalink:"/kr/security/hardening-guide"},next:{title:"self-assessment-1.7",permalink:"/kr/security/self-assessment-1.7"}},a={},u=[];function d(e){const s={p:"p",...(0,r.a)(),...e.components};return(0,n.jsx)(s.p,{children:"\uc774 \ud398\uc774\uc9c0\ub294 \ubc88\uc5ed\ub418\uc9c0 \uc54a\uc558\uc2b5\ub2c8\ub2e4"})}function l(e={}){const{wrapper:s}={...(0,r.a)(),...e.components};return s?(0,n.jsx)(s,{...e,children:(0,n.jsx)(d,{...e})}):d(e)}},1151:(e,s,t)=>{t.d(s,{Z:()=>c,a:()=>o});var n=t(7294);const r={},i=n.createContext(r);function o(e){const s=n.useContext(i);return n.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function c(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:o(e.components),n.createElement(i.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/feba781c.63981e19.js b/kr/assets/js/feba781c.63981e19.js new file mode 100644 index 000000000..aa358e5e4 --- /dev/null +++ b/kr/assets/js/feba781c.63981e19.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[5361],{2674:(e,s,t)=>{t.r(s),t.d(s,{assets:()=>a,contentTitle:()=>c,default:()=>d,frontMatter:()=>o,metadata:()=>i,toc:()=>u});var n=t(5893),r=t(1151);const o={},c=void 0,i={id:"security/self-assessment-1.24",title:"self-assessment-1.24",description:"\uc774 \ud398\uc774\uc9c0\ub294 \ubc88\uc5ed\ub418\uc9c0 \uc54a\uc558\uc2b5\ub2c8\ub2e4",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/security/self-assessment-1.24.md",sourceDirName:"security",slug:"/security/self-assessment-1.24",permalink:"/kr/security/self-assessment-1.24",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/security/self-assessment-1.24.md",tags:[],version:"current",lastUpdatedAt:1723651715e3,frontMatter:{},sidebar:"mySidebar",previous:{title:"self-assessment-1.7",permalink:"/kr/security/self-assessment-1.7"},next:{title:"\uba85\ub839\uc904 \ub3c4\uad6c",permalink:"/kr/cli/"}},a={},u=[];function l(e){const s={p:"p",...(0,r.a)(),...e.components};return(0,n.jsx)(s.p,{children:"\uc774 \ud398\uc774\uc9c0\ub294 \ubc88\uc5ed\ub418\uc9c0 \uc54a\uc558\uc2b5\ub2c8\ub2e4"})}function d(e={}){const{wrapper:s}={...(0,r.a)(),...e.components};return s?(0,n.jsx)(s,{...e,children:(0,n.jsx)(l,{...e})}):l(e)}},1151:(e,s,t)=>{t.d(s,{Z:()=>i,a:()=>c});var n=t(7294);const r={},o=n.createContext(r);function c(e){const s=n.useContext(o);return n.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function i(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:c(e.components),n.createElement(o.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/feba781c.825960db.js b/kr/assets/js/feba781c.825960db.js deleted file mode 100644 index 17fccde5f..000000000 --- a/kr/assets/js/feba781c.825960db.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[5361],{1743:(e,s,t)=>{t.r(s),t.d(s,{assets:()=>a,contentTitle:()=>c,default:()=>d,frontMatter:()=>o,metadata:()=>i,toc:()=>u});var n=t(5893),r=t(1151);const o={},c=void 0,i={id:"security/self-assessment-1.24",title:"self-assessment-1.24",description:"\uc774 \ud398\uc774\uc9c0\ub294 \ubc88\uc5ed\ub418\uc9c0 \uc54a\uc558\uc2b5\ub2c8\ub2e4",source:"@site/i18n/kr/docusaurus-plugin-content-docs/current/security/self-assessment-1.24.md",sourceDirName:"security",slug:"/security/self-assessment-1.24",permalink:"/kr/security/self-assessment-1.24",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/security/self-assessment-1.24.md",tags:[],version:"current",lastUpdatedAt:172365169e4,frontMatter:{},sidebar:"mySidebar",previous:{title:"self-assessment-1.7",permalink:"/kr/security/self-assessment-1.7"},next:{title:"\uba85\ub839\uc904 \ub3c4\uad6c",permalink:"/kr/cli/"}},a={},u=[];function l(e){const s={p:"p",...(0,r.a)(),...e.components};return(0,n.jsx)(s.p,{children:"\uc774 \ud398\uc774\uc9c0\ub294 \ubc88\uc5ed\ub418\uc9c0 \uc54a\uc558\uc2b5\ub2c8\ub2e4"})}function d(e={}){const{wrapper:s}={...(0,r.a)(),...e.components};return s?(0,n.jsx)(s,{...e,children:(0,n.jsx)(l,{...e})}):l(e)}},1151:(e,s,t)=>{t.d(s,{Z:()=>i,a:()=>c});var n=t(7294);const r={},o=n.createContext(r);function c(e){const s=n.useContext(o);return n.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function i(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:c(e.components),n.createElement(o.Provider,{value:s},e.children)}}}]); \ No newline at end of file diff --git a/kr/assets/js/main.1bd5d7d5.js b/kr/assets/js/main.1bd5d7d5.js new file mode 100644 index 000000000..8db06cdba --- /dev/null +++ b/kr/assets/js/main.1bd5d7d5.js @@ -0,0 +1,2 @@ +/*! For license information please see main.1bd5d7d5.js.LICENSE.txt */ +(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[179],{1728:(e,t,n)=>{"use strict";function r(e){var t,n,a="";if("string"==typeof e||"number"==typeof e)a+=e;else if("object"==typeof e)if(Array.isArray(e))for(t=0;t<e.length;t++)e[t]&&(n=r(e[t]))&&(a&&(a+=" "),a+=n);else for(t in e)e[t]&&(a&&(a+=" "),a+=t);return a}n.d(t,{Z:()=>a});const a=function(){for(var e,t,n=0,a="";n<arguments.length;)(e=arguments[n++])&&(t=r(e))&&(a&&(a+=" "),a+=t);return a}},723:(e,t,n)=>{"use strict";n.d(t,{Z:()=>p});n(7294);var r=n(8356),a=n.n(r),o=n(6887);const i={"03ee9047":[()=>n.e(9482).then(n.bind(n,6029)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/cli/certificate.md",6029],"0759a3f5":[()=>n.e(2409).then(n.bind(n,2714)),"@site/docs/release-notes/v1.29.X.md",2714],"0a63d2fd":[()=>n.e(9341).then(n.bind(n,490)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/datastore/backup-restore.md",490],"0ce5aa86":[()=>n.e(1620).then(n.bind(n,3012)),"@site/docs/release-notes/v1.26.X.md",3012],"105936f9":[()=>n.e(3217).then(n.bind(n,2262)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/reference/resource-profiling.md",2262],"138e0e15":[()=>n.e(9524).then(n.t.bind(n,536,19)),"@generated/@easyops-cn/docusaurus-search-local/default/__plugin.json",536],17896441:[()=>Promise.all([n.e(532),n.e(7236),n.e(7918)]).then(n.bind(n,3354)),"@theme/DocItem",3354],"18ace21a":[()=>n.e(9269).then(n.bind(n,3497)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/security/hardening-guide.md",3497],"1a0c5791":[()=>n.e(482).then(n.bind(n,5319)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/security/self-assessment-1.7.md",5319],"1a4e3797":[()=>Promise.all([n.e(532),n.e(7920)]).then(n.bind(n,2027)),"@theme/SearchPage",2027],"1aef17e6":[()=>n.e(9169).then(n.bind(n,8761)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/security/security.md",8761],"1fbd281a":[()=>n.e(3229).then(n.bind(n,8803)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/installation/configuration.md",8803],"20aafa33":[()=>n.e(6515).then(n.bind(n,8188)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/cli/server.md",8188],"289875c4":[()=>n.e(6687).then(n.bind(n,9481)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/installation/registry-mirror.md",9481],"2c7731a3":[()=>n.e(3411).then(n.bind(n,3023)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/security/self-assessment-1.23.md",3023],"2f797aa4":[()=>n.e(101).then(n.bind(n,3989)),"@site/docs/release-notes/v1.28.X.md",3989],"310030e7":[()=>n.e(5749).then(n.bind(n,8235)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/cli/token.md",8235],"37e09f03":[()=>n.e(6328).then(n.bind(n,5288)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/upgrades/killall.md",5288],"3f659917":[()=>n.e(6278).then(n.bind(n,3595)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/upgrades/upgrades.md",3595],"412d1b91":[()=>n.e(651).then(n.bind(n,5142)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/storage.md",5142],"42e456bb":[()=>n.e(9654).then(n.bind(n,5706)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/installation/airgap.md",5706],"43a3241e":[()=>n.e(3892).then(n.bind(n,1465)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/faq.md",1465],"4636d62b":[()=>n.e(7364).then(n.t.bind(n,1416,19)),"@generated/docusaurus-plugin-content-docs/default/p/kr-817.json",1416],"49689b7d":[()=>n.e(1184).then(n.bind(n,9275)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/networking/networking-services.md",9275],"5133fc91":[()=>n.e(7355).then(n.bind(n,506)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/installation/packaged-components.md",506],"5e95c892":[()=>n.e(9661).then(n.bind(n,1892)),"@theme/DocsRoot",1892],"609981e6":[()=>n.e(2466).then(n.bind(n,509)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/installation/private-registry.md",509],"65309f9a":[()=>n.e(6005).then(n.bind(n,4417)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/security/secrets-encryption.md",4417],"6a7149bd":[()=>n.e(1894).then(n.bind(n,9280)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/datastore/ha.md",9280],"6eb212a2":[()=>n.e(5579).then(n.bind(n,711)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/networking/basic-network-options.md",711],"81cffba8":[()=>n.e(804).then(n.bind(n,8247)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/introduction.md",8247],"832e9842":[()=>n.e(9184).then(n.bind(n,9266)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/cli/agent.md",9266],"914a16f4":[()=>n.e(7626).then(n.bind(n,6050)),"@site/docs/reference/flag-deprecation.md",6050],"944a1646":[()=>n.e(2399).then(n.bind(n,4273)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/datastore/ha-embedded.md",4273],"9a11c291":[()=>n.e(7162).then(n.bind(n,9636)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/networking/multus-ipams.md",9636],"9c4d4f7f":[()=>n.e(6094).then(n.bind(n,932)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/quick-start.md",932],"9e7a009d":[()=>n.e(7251).then(n.bind(n,6253)),"@site/docs/release-notes/v1.25.X.md",6253],a0c5848d:[()=>n.e(9059).then(n.bind(n,5626)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/installation/installation.md",5626],a101d863:[()=>n.e(9166).then(n.bind(n,2683)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/networking/networking.md",2683],a1ce2930:[()=>n.e(2257).then(n.bind(n,4229)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/cli/secrets-encrypt.md",4229],a43d9b4f:[()=>n.e(3667).then(n.bind(n,1080)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/architecture.md",1080],a7bd4aaa:[()=>n.e(8518).then(n.bind(n,4974)),"@theme/DocVersionRoot",4974],a94703ab:[()=>Promise.all([n.e(532),n.e(4368)]).then(n.bind(n,4547)),"@theme/DocRoot",4547],aba21aa0:[()=>n.e(3629).then(n.t.bind(n,1765,19)),"@generated/docusaurus-plugin-content-docs/default/__plugin.json",1765],b1445c4f:[()=>n.e(547).then(n.bind(n,5832)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/cli/etcd-snapshot.md",5832],b44e7719:[()=>n.e(7565).then(n.bind(n,6245)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/known-issues.md",6245],b8002741:[()=>n.e(2573).then(n.bind(n,3338)),"@site/docs/release-notes/v1.30.X.md",3338],b87d0734:[()=>n.e(660).then(n.bind(n,8147)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/reference/env-variables.md",8147],b97d3598:[()=>n.e(7563).then(n.bind(n,8984)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/installation/requirements.md",8984],bccfb1cb:[()=>n.e(910).then(n.bind(n,5009)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/installation/server-roles.md",5009],c5022e3f:[()=>n.e(107).then(n.bind(n,2531)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/cluster-access.md",2531],c7700003:[()=>n.e(240).then(n.bind(n,1083)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/upgrades/automated.md",1083],cfa0e807:[()=>n.e(1385).then(n.bind(n,3934)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/helm.md",3934],d123a91e:[()=>n.e(855).then(n.bind(n,5418)),"@site/docs/release-notes/v1.24.X.md",5418],d1c3e381:[()=>n.e(7213).then(n.bind(n,676)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/networking/distributed-multicloud.md",676],d428bf88:[()=>n.e(3083).then(n.bind(n,5538)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/datastore/cluster-loadbalancer.md",5538],dd0fba39:[()=>n.e(7713).then(n.bind(n,6964)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/datastore/datastore.md",6964],dd22e55f:[()=>n.e(5668).then(n.bind(n,4840)),"@site/docs/release-notes/v1.27.X.md",4840],df1a3a69:[()=>n.e(6153).then(n.bind(n,8246)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/advanced.md",8246],e7c9153a:[()=>n.e(7544).then(n.bind(n,1875)),"@site/docs/related-projects.md",1875],e8666366:[()=>n.e(3936).then(n.bind(n,8925)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/installation/uninstall.md",8925],e92581be:[()=>n.e(5470).then(n.bind(n,7454)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/upgrades/manual.md",7454],f5fc080a:[()=>n.e(9176).then(n.bind(n,2296)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/cli/cli.md",2296],f9fc8d33:[()=>n.e(8804).then(n.bind(n,1773)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/security/self-assessment-1.8.md",1773],feba781c:[()=>n.e(5361).then(n.bind(n,2674)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/security/self-assessment-1.24.md",2674]};var s=n(5893);function l(e){let{error:t,retry:n,pastDelay:r}=e;return t?(0,s.jsxs)("div",{style:{textAlign:"center",color:"#fff",backgroundColor:"#fa383e",borderColor:"#fa383e",borderStyle:"solid",borderRadius:"0.25rem",borderWidth:"1px",boxSizing:"border-box",display:"block",padding:"1rem",flex:"0 0 50%",marginLeft:"25%",marginRight:"25%",marginTop:"5rem",maxWidth:"50%",width:"100%"},children:[(0,s.jsx)("p",{children:String(t)}),(0,s.jsx)("div",{children:(0,s.jsx)("button",{type:"button",onClick:n,children:"Retry"})})]}):r?(0,s.jsx)("div",{style:{display:"flex",justifyContent:"center",alignItems:"center",height:"100vh"},children:(0,s.jsx)("svg",{id:"loader",style:{width:128,height:110,position:"absolute",top:"calc(100vh - 64%)"},viewBox:"0 0 45 45",xmlns:"http://www.w3.org/2000/svg",stroke:"#61dafb",children:(0,s.jsxs)("g",{fill:"none",fillRule:"evenodd",transform:"translate(1 1)",strokeWidth:"2",children:[(0,s.jsxs)("circle",{cx:"22",cy:"22",r:"6",strokeOpacity:"0",children:[(0,s.jsx)("animate",{attributeName:"r",begin:"1.5s",dur:"3s",values:"6;22",calcMode:"linear",repeatCount:"indefinite"}),(0,s.jsx)("animate",{attributeName:"stroke-opacity",begin:"1.5s",dur:"3s",values:"1;0",calcMode:"linear",repeatCount:"indefinite"}),(0,s.jsx)("animate",{attributeName:"stroke-width",begin:"1.5s",dur:"3s",values:"2;0",calcMode:"linear",repeatCount:"indefinite"})]}),(0,s.jsxs)("circle",{cx:"22",cy:"22",r:"6",strokeOpacity:"0",children:[(0,s.jsx)("animate",{attributeName:"r",begin:"3s",dur:"3s",values:"6;22",calcMode:"linear",repeatCount:"indefinite"}),(0,s.jsx)("animate",{attributeName:"stroke-opacity",begin:"3s",dur:"3s",values:"1;0",calcMode:"linear",repeatCount:"indefinite"}),(0,s.jsx)("animate",{attributeName:"stroke-width",begin:"3s",dur:"3s",values:"2;0",calcMode:"linear",repeatCount:"indefinite"})]}),(0,s.jsx)("circle",{cx:"22",cy:"22",r:"8",children:(0,s.jsx)("animate",{attributeName:"r",begin:"0s",dur:"1.5s",values:"6;1;2;3;4;5;6",calcMode:"linear",repeatCount:"indefinite"})})]})})}):null}var c=n(9670),u=n(226);function d(e,t){if("*"===e)return a()({loading:l,loader:()=>n.e(1772).then(n.bind(n,1772)),modules:["@theme/NotFound"],webpack:()=>[1772],render(e,t){const n=e.default;return(0,s.jsx)(u.z,{value:{plugin:{name:"native",id:"default"}},children:(0,s.jsx)(n,{...t})})}});const r=o[`${e}-${t}`],d={},p=[],f=[],h=(0,c.Z)(r);return Object.entries(h).forEach((e=>{let[t,n]=e;const r=i[n];r&&(d[t]=r[0],p.push(r[1]),f.push(r[2]))})),a().Map({loading:l,loader:d,modules:p,webpack:()=>f,render(t,n){const a=JSON.parse(JSON.stringify(r));Object.entries(t).forEach((t=>{let[n,r]=t;const o=r.default;if(!o)throw new Error(`The page component at ${e} doesn't have a default export. This makes it impossible to render anything. Consider default-exporting a React component.`);"object"!=typeof o&&"function"!=typeof o||Object.keys(r).filter((e=>"default"!==e)).forEach((e=>{o[e]=r[e]}));let i=a;const s=n.split(".");s.slice(0,-1).forEach((e=>{i=i[e]})),i[s[s.length-1]]=o}));const o=a.__comp;delete a.__comp;const i=a.__context;delete a.__context;const l=a.__props;return delete a.__props,(0,s.jsx)(u.z,{value:i,children:(0,s.jsx)(o,{...a,...l,...n})})}})}const p=[{path:"/kr/search",component:d("/kr/search","e20"),exact:!0},{path:"/kr/",component:d("/kr/","3c5"),routes:[{path:"/kr/",component:d("/kr/","8a7"),routes:[{path:"/kr/",component:d("/kr/","e13"),routes:[{path:"/kr/advanced",component:d("/kr/advanced","5d7"),exact:!0,sidebar:"mySidebar"},{path:"/kr/architecture",component:d("/kr/architecture","cbc"),exact:!0,sidebar:"mySidebar"},{path:"/kr/cli",component:d("/kr/cli","f99"),exact:!0,sidebar:"mySidebar"},{path:"/kr/cli/agent",component:d("/kr/cli/agent","ca4"),exact:!0,sidebar:"mySidebar"},{path:"/kr/cli/certificate",component:d("/kr/cli/certificate","b65"),exact:!0,sidebar:"mySidebar"},{path:"/kr/cli/etcd-snapshot",component:d("/kr/cli/etcd-snapshot","dd1"),exact:!0,sidebar:"mySidebar"},{path:"/kr/cli/secrets-encrypt",component:d("/kr/cli/secrets-encrypt","69f"),exact:!0,sidebar:"mySidebar"},{path:"/kr/cli/server",component:d("/kr/cli/server","0e8"),exact:!0,sidebar:"mySidebar"},{path:"/kr/cli/token",component:d("/kr/cli/token","a77"),exact:!0,sidebar:"mySidebar"},{path:"/kr/cluster-access",component:d("/kr/cluster-access","3e1"),exact:!0,sidebar:"mySidebar"},{path:"/kr/datastore",component:d("/kr/datastore","2fa"),exact:!0,sidebar:"mySidebar"},{path:"/kr/datastore/backup-restore",component:d("/kr/datastore/backup-restore","df3"),exact:!0,sidebar:"mySidebar"},{path:"/kr/datastore/cluster-loadbalancer",component:d("/kr/datastore/cluster-loadbalancer","162"),exact:!0,sidebar:"mySidebar"},{path:"/kr/datastore/ha",component:d("/kr/datastore/ha","4e8"),exact:!0,sidebar:"mySidebar"},{path:"/kr/datastore/ha-embedded",component:d("/kr/datastore/ha-embedded","6bf"),exact:!0,sidebar:"mySidebar"},{path:"/kr/faq",component:d("/kr/faq","6ff"),exact:!0,sidebar:"mySidebar"},{path:"/kr/helm",component:d("/kr/helm","91c"),exact:!0,sidebar:"mySidebar"},{path:"/kr/installation",component:d("/kr/installation","17d"),exact:!0,sidebar:"mySidebar"},{path:"/kr/installation/airgap",component:d("/kr/installation/airgap","8e2"),exact:!0,sidebar:"mySidebar"},{path:"/kr/installation/configuration",component:d("/kr/installation/configuration","133"),exact:!0,sidebar:"mySidebar"},{path:"/kr/installation/packaged-components",component:d("/kr/installation/packaged-components","4fa"),exact:!0,sidebar:"mySidebar"},{path:"/kr/installation/private-registry",component:d("/kr/installation/private-registry","365"),exact:!0,sidebar:"mySidebar"},{path:"/kr/installation/registry-mirror",component:d("/kr/installation/registry-mirror","6d6"),exact:!0,sidebar:"mySidebar"},{path:"/kr/installation/requirements",component:d("/kr/installation/requirements","78d"),exact:!0,sidebar:"mySidebar"},{path:"/kr/installation/server-roles",component:d("/kr/installation/server-roles","3ed"),exact:!0,sidebar:"mySidebar"},{path:"/kr/installation/uninstall",component:d("/kr/installation/uninstall","975"),exact:!0,sidebar:"mySidebar"},{path:"/kr/known-issues",component:d("/kr/known-issues","200"),exact:!0,sidebar:"mySidebar"},{path:"/kr/networking",component:d("/kr/networking","f9e"),exact:!0,sidebar:"mySidebar"},{path:"/kr/networking/basic-network-options",component:d("/kr/networking/basic-network-options","f76"),exact:!0,sidebar:"mySidebar"},{path:"/kr/networking/distributed-multicloud",component:d("/kr/networking/distributed-multicloud","fac"),exact:!0,sidebar:"mySidebar"},{path:"/kr/networking/multus-ipams",component:d("/kr/networking/multus-ipams","b20"),exact:!0,sidebar:"mySidebar"},{path:"/kr/networking/networking-services",component:d("/kr/networking/networking-services","e95"),exact:!0,sidebar:"mySidebar"},{path:"/kr/quick-start",component:d("/kr/quick-start","8fd"),exact:!0,sidebar:"mySidebar"},{path:"/kr/reference/env-variables",component:d("/kr/reference/env-variables","6fa"),exact:!0,sidebar:"mySidebar"},{path:"/kr/reference/flag-deprecation",component:d("/kr/reference/flag-deprecation","048"),exact:!0,sidebar:"mySidebar"},{path:"/kr/reference/resource-profiling",component:d("/kr/reference/resource-profiling","903"),exact:!0,sidebar:"mySidebar"},{path:"/kr/related-projects",component:d("/kr/related-projects","291"),exact:!0,sidebar:"mySidebar"},{path:"/kr/release-notes/v1.24.X",component:d("/kr/release-notes/v1.24.X","72c"),exact:!0,sidebar:"mySidebar"},{path:"/kr/release-notes/v1.25.X",component:d("/kr/release-notes/v1.25.X","204"),exact:!0,sidebar:"mySidebar"},{path:"/kr/release-notes/v1.26.X",component:d("/kr/release-notes/v1.26.X","5c4"),exact:!0,sidebar:"mySidebar"},{path:"/kr/release-notes/v1.27.X",component:d("/kr/release-notes/v1.27.X","3b3"),exact:!0,sidebar:"mySidebar"},{path:"/kr/release-notes/v1.28.X",component:d("/kr/release-notes/v1.28.X","a19"),exact:!0,sidebar:"mySidebar"},{path:"/kr/release-notes/v1.29.X",component:d("/kr/release-notes/v1.29.X","188"),exact:!0,sidebar:"mySidebar"},{path:"/kr/release-notes/v1.30.X",component:d("/kr/release-notes/v1.30.X","ca5"),exact:!0,sidebar:"mySidebar"},{path:"/kr/security",component:d("/kr/security","853"),exact:!0,sidebar:"mySidebar"},{path:"/kr/security/hardening-guide",component:d("/kr/security/hardening-guide","351"),exact:!0,sidebar:"mySidebar"},{path:"/kr/security/secrets-encryption",component:d("/kr/security/secrets-encryption","d90"),exact:!0,sidebar:"mySidebar"},{path:"/kr/security/self-assessment-1.23",component:d("/kr/security/self-assessment-1.23","1c2"),exact:!0},{path:"/kr/security/self-assessment-1.24",component:d("/kr/security/self-assessment-1.24","6b8"),exact:!0,sidebar:"mySidebar"},{path:"/kr/security/self-assessment-1.7",component:d("/kr/security/self-assessment-1.7","8b7"),exact:!0,sidebar:"mySidebar"},{path:"/kr/security/self-assessment-1.8",component:d("/kr/security/self-assessment-1.8","f0d"),exact:!0,sidebar:"mySidebar"},{path:"/kr/storage",component:d("/kr/storage","4ad"),exact:!0,sidebar:"mySidebar"},{path:"/kr/upgrades",component:d("/kr/upgrades","028"),exact:!0,sidebar:"mySidebar"},{path:"/kr/upgrades/automated",component:d("/kr/upgrades/automated","c02"),exact:!0,sidebar:"mySidebar"},{path:"/kr/upgrades/killall",component:d("/kr/upgrades/killall","7a9"),exact:!0,sidebar:"mySidebar"},{path:"/kr/upgrades/manual",component:d("/kr/upgrades/manual","acb"),exact:!0,sidebar:"mySidebar"},{path:"/kr/",component:d("/kr/","bea"),exact:!0,sidebar:"mySidebar"}]}]}]},{path:"*",component:d("*")}]},8934:(e,t,n)=>{"use strict";n.d(t,{_:()=>o,t:()=>i});var r=n(7294),a=n(5893);const o=r.createContext(!1);function i(e){let{children:t}=e;const[n,i]=(0,r.useState)(!1);return(0,r.useEffect)((()=>{i(!0)}),[]),(0,a.jsx)(o.Provider,{value:n,children:t})}},2849:(e,t,n)=>{"use strict";var r=n(7294),a=n(745),o=n(405),i=n(3727),s=n(6809),l=n(412);const c=[n(2497),n(3310),n(8320),n(2295)];var u=n(723),d=n(6550),p=n(8790),f=n(5893);function h(e){let{children:t}=e;return(0,f.jsx)(f.Fragment,{children:t})}var m=n(5742),g=n(2263),y=n(4996),b=n(6668),v=n(1944),w=n(4711),k=n(9727);const x="default";var S=n(8780),E=n(197);function _(){const{i18n:{currentLocale:e,defaultLocale:t,localeConfigs:n}}=(0,g.Z)(),r=(0,w.l)(),a=n[e].htmlLang,o=e=>e.replace("-","_");return(0,f.jsxs)(m.Z,{children:[Object.entries(n).map((e=>{let[t,{htmlLang:n}]=e;return(0,f.jsx)("link",{rel:"alternate",href:r.createUrl({locale:t,fullyQualified:!0}),hrefLang:n},t)})),(0,f.jsx)("link",{rel:"alternate",href:r.createUrl({locale:t,fullyQualified:!0}),hrefLang:"x-default"}),(0,f.jsx)("meta",{property:"og:locale",content:o(a)}),Object.values(n).filter((e=>a!==e.htmlLang)).map((e=>(0,f.jsx)("meta",{property:"og:locale:alternate",content:o(e.htmlLang)},`meta-og-${e.htmlLang}`)))]})}function C(e){let{permalink:t}=e;const{siteConfig:{url:n}}=(0,g.Z)(),r=function(){const{siteConfig:{url:e,baseUrl:t,trailingSlash:n}}=(0,g.Z)(),{pathname:r}=(0,d.TH)();return e+(0,S.Do)((0,y.ZP)(r),{trailingSlash:n,baseUrl:t})}(),a=t?`${n}${t}`:r;return(0,f.jsxs)(m.Z,{children:[(0,f.jsx)("meta",{property:"og:url",content:a}),(0,f.jsx)("link",{rel:"canonical",href:a})]})}function T(){const{i18n:{currentLocale:e}}=(0,g.Z)(),{metadata:t,image:n}=(0,b.L)();return(0,f.jsxs)(f.Fragment,{children:[(0,f.jsxs)(m.Z,{children:[(0,f.jsx)("meta",{name:"twitter:card",content:"summary_large_image"}),(0,f.jsx)("body",{className:k.h})]}),n&&(0,f.jsx)(v.d,{image:n}),(0,f.jsx)(C,{}),(0,f.jsx)(_,{}),(0,f.jsx)(E.Z,{tag:x,locale:e}),(0,f.jsx)(m.Z,{children:t.map(((e,t)=>(0,f.jsx)("meta",{...e},t)))})]})}const L=new Map;var j=n(8934),R=n(8940),P=n(469);function N(e){for(var t=arguments.length,n=new Array(t>1?t-1:0),r=1;r<t;r++)n[r-1]=arguments[r];const a=c.map((t=>{const r=t.default?.[e]??t[e];return r?.(...n)}));return()=>a.forEach((e=>e?.()))}const A=function(e){let{children:t,location:n,previousLocation:r}=e;return(0,P.Z)((()=>{r!==n&&(!function(e){let{location:t,previousLocation:n}=e;if(!n)return;const r=t.pathname===n.pathname,a=t.hash===n.hash,o=t.search===n.search;if(r&&a&&!o)return;const{hash:i}=t;if(i){const e=decodeURIComponent(i.substring(1)),t=document.getElementById(e);t?.scrollIntoView()}else window.scrollTo(0,0)}({location:n,previousLocation:r}),N("onRouteDidUpdate",{previousLocation:r,location:n}))}),[r,n]),t};function O(e){const t=Array.from(new Set([e,decodeURI(e)])).map((e=>(0,p.f)(u.Z,e))).flat();return Promise.all(t.map((e=>e.route.component.preload?.())))}class I extends r.Component{previousLocation;routeUpdateCleanupCb;constructor(e){super(e),this.previousLocation=null,this.routeUpdateCleanupCb=l.Z.canUseDOM?N("onRouteUpdate",{previousLocation:null,location:this.props.location}):()=>{},this.state={nextRouteHasLoaded:!0}}shouldComponentUpdate(e,t){if(e.location===this.props.location)return t.nextRouteHasLoaded;const n=e.location;return this.previousLocation=this.props.location,this.setState({nextRouteHasLoaded:!1}),this.routeUpdateCleanupCb=N("onRouteUpdate",{previousLocation:this.previousLocation,location:n}),O(n.pathname).then((()=>{this.routeUpdateCleanupCb(),this.setState({nextRouteHasLoaded:!0})})).catch((e=>{console.warn(e),window.location.reload()})),!1}render(){const{children:e,location:t}=this.props;return(0,f.jsx)(A,{previousLocation:this.previousLocation,location:t,children:(0,f.jsx)(d.AW,{location:t,render:()=>e})})}}const D=I,F="__docusaurus-base-url-issue-banner-container",M="__docusaurus-base-url-issue-banner",B="__docusaurus-base-url-issue-banner-suggestion-container";function z(e){return`\ndocument.addEventListener('DOMContentLoaded', function maybeInsertBanner() {\n var shouldInsert = typeof window['docusaurus'] === 'undefined';\n shouldInsert && insertBanner();\n});\n\nfunction insertBanner() {\n var bannerContainer = document.createElement('div');\n bannerContainer.id = '${F}';\n var bannerHtml = ${JSON.stringify(function(e){return`\n<div id="${M}" style="border: thick solid red; background-color: rgb(255, 230, 179); margin: 20px; padding: 20px; font-size: 20px;">\n <p style="font-weight: bold; font-size: 30px;">Your Docusaurus site did not load properly.</p>\n <p>A very common reason is a wrong site <a href="https://docusaurus.io/docs/docusaurus.config.js/#baseUrl" style="font-weight: bold;">baseUrl configuration</a>.</p>\n <p>Current configured baseUrl = <span style="font-weight: bold; color: red;">${e}</span> ${"/"===e?" (default value)":""}</p>\n <p>We suggest trying baseUrl = <span id="${B}" style="font-weight: bold; color: green;"></span></p>\n</div>\n`}(e)).replace(/</g,"\\<")};\n bannerContainer.innerHTML = bannerHtml;\n document.body.prepend(bannerContainer);\n var suggestionContainer = document.getElementById('${B}');\n var actualHomePagePath = window.location.pathname;\n var suggestedBaseUrl = actualHomePagePath.substr(-1) === '/'\n ? actualHomePagePath\n : actualHomePagePath + '/';\n suggestionContainer.innerHTML = suggestedBaseUrl;\n}\n`}function $(){const{siteConfig:{baseUrl:e}}=(0,g.Z)();return(0,f.jsx)(f.Fragment,{children:!l.Z.canUseDOM&&(0,f.jsx)(m.Z,{children:(0,f.jsx)("script",{children:z(e)})})})}function U(){const{siteConfig:{baseUrl:e,baseUrlIssueBanner:t}}=(0,g.Z)(),{pathname:n}=(0,d.TH)();return t&&n===e?(0,f.jsx)($,{}):null}function q(){const{siteConfig:{favicon:e,title:t,noIndex:n},i18n:{currentLocale:r,localeConfigs:a}}=(0,g.Z)(),o=(0,y.ZP)(e),{htmlLang:i,direction:s}=a[r];return(0,f.jsxs)(m.Z,{children:[(0,f.jsx)("html",{lang:i,dir:s}),(0,f.jsx)("title",{children:t}),(0,f.jsx)("meta",{property:"og:title",content:t}),(0,f.jsx)("meta",{name:"viewport",content:"width=device-width, initial-scale=1.0"}),n&&(0,f.jsx)("meta",{name:"robots",content:"noindex, nofollow"}),e&&(0,f.jsx)("link",{rel:"icon",href:o})]})}var H=n(4763),Q=n(2389);function Z(){const e=(0,Q.Z)();return(0,f.jsx)(m.Z,{children:(0,f.jsx)("html",{"data-has-hydrated":e})})}const V=(0,p.H)(u.Z);function W(){const e=function(e){if(L.has(e.pathname))return{...e,pathname:L.get(e.pathname)};if((0,p.f)(u.Z,e.pathname).some((e=>{let{route:t}=e;return!0===t.exact})))return L.set(e.pathname,e.pathname),e;const t=e.pathname.trim().replace(/(?:\/index)?\.html$/,"")||"/";return L.set(e.pathname,t),{...e,pathname:t}}((0,d.TH)());return(0,f.jsx)(D,{location:e,children:V})}function G(){return(0,f.jsx)(H.Z,{children:(0,f.jsx)(R.M,{children:(0,f.jsxs)(j.t,{children:[(0,f.jsxs)(h,{children:[(0,f.jsx)(q,{}),(0,f.jsx)(T,{}),(0,f.jsx)(U,{}),(0,f.jsx)(W,{})]}),(0,f.jsx)(Z,{})]})})})}var X=n(6887);const K=function(e){try{return document.createElement("link").relList.supports(e)}catch{return!1}}("prefetch")?function(e){return new Promise(((t,n)=>{if("undefined"==typeof document)return void n();const r=document.createElement("link");r.setAttribute("rel","prefetch"),r.setAttribute("href",e),r.onload=()=>t(),r.onerror=()=>n();const a=document.getElementsByTagName("head")[0]??document.getElementsByName("script")[0]?.parentNode;a?.appendChild(r)}))}:function(e){return new Promise(((t,n)=>{const r=new XMLHttpRequest;r.open("GET",e,!0),r.withCredentials=!0,r.onload=()=>{200===r.status?t():n()},r.send(null)}))};var Y=n(9670);const J=new Set,ee=new Set,te=()=>navigator.connection?.effectiveType.includes("2g")||navigator.connection?.saveData,ne={prefetch:e=>{if(!(e=>!te()&&!ee.has(e)&&!J.has(e))(e))return!1;J.add(e);const t=(0,p.f)(u.Z,e).flatMap((e=>{return t=e.route.path,Object.entries(X).filter((e=>{let[n]=e;return n.replace(/-[^-]+$/,"")===t})).flatMap((e=>{let[,t]=e;return Object.values((0,Y.Z)(t))}));var t}));return Promise.all(t.map((e=>{const t=n.gca(e);return t&&!t.includes("undefined")?K(t).catch((()=>{})):Promise.resolve()})))},preload:e=>!!(e=>!te()&&!ee.has(e))(e)&&(ee.add(e),O(e))},re=Object.freeze(ne);function ae(e){let{children:t}=e;return"hash"===s.default.future.experimental_router?(0,f.jsx)(i.UT,{children:t}):(0,f.jsx)(i.VK,{children:t})}const oe=Boolean(!0);if(l.Z.canUseDOM){window.docusaurus=re;const e=document.getElementById("__docusaurus"),t=(0,f.jsx)(o.B6,{children:(0,f.jsx)(ae,{children:(0,f.jsx)(G,{})})}),n=(e,t)=>{console.error("Docusaurus React Root onRecoverableError:",e,t)},i=()=>{if(window.docusaurusRoot)window.docusaurusRoot.render(t);else if(oe)window.docusaurusRoot=a.hydrateRoot(e,t,{onRecoverableError:n});else{const r=a.createRoot(e,{onRecoverableError:n});r.render(t),window.docusaurusRoot=r}};O(window.location.pathname).then((()=>{(0,r.startTransition)(i)}))}},8940:(e,t,n)=>{"use strict";n.d(t,{_:()=>d,M:()=>p});var r=n(7294),a=n(6809);const o=JSON.parse('{"docusaurus-plugin-content-docs":{"default":{"path":"/kr/","versions":[{"name":"current","label":"\ud604\uc7ac \ubc84\uc804","isLast":true,"path":"/kr/","mainDocId":"introduction","docs":[{"id":"advanced","path":"/kr/advanced","sidebar":"mySidebar"},{"id":"architecture","path":"/kr/architecture","sidebar":"mySidebar"},{"id":"cli/agent","path":"/kr/cli/agent","sidebar":"mySidebar"},{"id":"cli/certificate","path":"/kr/cli/certificate","sidebar":"mySidebar"},{"id":"cli/cli","path":"/kr/cli/","sidebar":"mySidebar"},{"id":"cli/etcd-snapshot","path":"/kr/cli/etcd-snapshot","sidebar":"mySidebar"},{"id":"cli/secrets-encrypt","path":"/kr/cli/secrets-encrypt","sidebar":"mySidebar"},{"id":"cli/server","path":"/kr/cli/server","sidebar":"mySidebar"},{"id":"cli/token","path":"/kr/cli/token","sidebar":"mySidebar"},{"id":"cluster-access","path":"/kr/cluster-access","sidebar":"mySidebar"},{"id":"datastore/backup-restore","path":"/kr/datastore/backup-restore","sidebar":"mySidebar"},{"id":"datastore/cluster-loadbalancer","path":"/kr/datastore/cluster-loadbalancer","sidebar":"mySidebar"},{"id":"datastore/datastore","path":"/kr/datastore/","sidebar":"mySidebar"},{"id":"datastore/ha","path":"/kr/datastore/ha","sidebar":"mySidebar"},{"id":"datastore/ha-embedded","path":"/kr/datastore/ha-embedded","sidebar":"mySidebar"},{"id":"faq","path":"/kr/faq","sidebar":"mySidebar"},{"id":"helm","path":"/kr/helm","sidebar":"mySidebar"},{"id":"installation/airgap","path":"/kr/installation/airgap","sidebar":"mySidebar"},{"id":"installation/configuration","path":"/kr/installation/configuration","sidebar":"mySidebar"},{"id":"installation/installation","path":"/kr/installation/","sidebar":"mySidebar"},{"id":"installation/packaged-components","path":"/kr/installation/packaged-components","sidebar":"mySidebar"},{"id":"installation/private-registry","path":"/kr/installation/private-registry","sidebar":"mySidebar"},{"id":"installation/registry-mirror","path":"/kr/installation/registry-mirror","sidebar":"mySidebar"},{"id":"installation/requirements","path":"/kr/installation/requirements","sidebar":"mySidebar"},{"id":"installation/server-roles","path":"/kr/installation/server-roles","sidebar":"mySidebar"},{"id":"installation/uninstall","path":"/kr/installation/uninstall","sidebar":"mySidebar"},{"id":"introduction","path":"/kr/","sidebar":"mySidebar"},{"id":"known-issues","path":"/kr/known-issues","sidebar":"mySidebar"},{"id":"networking/basic-network-options","path":"/kr/networking/basic-network-options","sidebar":"mySidebar"},{"id":"networking/distributed-multicloud","path":"/kr/networking/distributed-multicloud","sidebar":"mySidebar"},{"id":"networking/multus-ipams","path":"/kr/networking/multus-ipams","sidebar":"mySidebar"},{"id":"networking/networking","path":"/kr/networking/","sidebar":"mySidebar"},{"id":"networking/networking-services","path":"/kr/networking/networking-services","sidebar":"mySidebar"},{"id":"quick-start","path":"/kr/quick-start","sidebar":"mySidebar"},{"id":"reference/env-variables","path":"/kr/reference/env-variables","sidebar":"mySidebar"},{"id":"reference/flag-deprecation","path":"/kr/reference/flag-deprecation","sidebar":"mySidebar"},{"id":"reference/resource-profiling","path":"/kr/reference/resource-profiling","sidebar":"mySidebar"},{"id":"related-projects","path":"/kr/related-projects","sidebar":"mySidebar"},{"id":"release-notes/v1.24.X","path":"/kr/release-notes/v1.24.X","sidebar":"mySidebar"},{"id":"release-notes/v1.25.X","path":"/kr/release-notes/v1.25.X","sidebar":"mySidebar"},{"id":"release-notes/v1.26.X","path":"/kr/release-notes/v1.26.X","sidebar":"mySidebar"},{"id":"release-notes/v1.27.X","path":"/kr/release-notes/v1.27.X","sidebar":"mySidebar"},{"id":"release-notes/v1.28.X","path":"/kr/release-notes/v1.28.X","sidebar":"mySidebar"},{"id":"release-notes/v1.29.X","path":"/kr/release-notes/v1.29.X","sidebar":"mySidebar"},{"id":"release-notes/v1.30.X","path":"/kr/release-notes/v1.30.X","sidebar":"mySidebar"},{"id":"security/hardening-guide","path":"/kr/security/hardening-guide","sidebar":"mySidebar"},{"id":"security/secrets-encryption","path":"/kr/security/secrets-encryption","sidebar":"mySidebar"},{"id":"security/security","path":"/kr/security/","sidebar":"mySidebar"},{"id":"security/self-assessment-1.23","path":"/kr/security/self-assessment-1.23"},{"id":"security/self-assessment-1.24","path":"/kr/security/self-assessment-1.24","sidebar":"mySidebar"},{"id":"security/self-assessment-1.7","path":"/kr/security/self-assessment-1.7","sidebar":"mySidebar"},{"id":"security/self-assessment-1.8","path":"/kr/security/self-assessment-1.8","sidebar":"mySidebar"},{"id":"storage","path":"/kr/storage","sidebar":"mySidebar"},{"id":"upgrades/automated","path":"/kr/upgrades/automated","sidebar":"mySidebar"},{"id":"upgrades/killall","path":"/kr/upgrades/killall","sidebar":"mySidebar"},{"id":"upgrades/manual","path":"/kr/upgrades/manual","sidebar":"mySidebar"},{"id":"upgrades/upgrades","path":"/kr/upgrades/","sidebar":"mySidebar"}],"draftIds":[],"sidebars":{"mySidebar":{"link":{"path":"/kr/","label":"introduction"}}}}],"breadcrumbs":true}}}'),i=JSON.parse('{"defaultLocale":"en","locales":["en","zh","kr"],"path":"i18n","currentLocale":"kr","localeConfigs":{"en":{"label":"English","direction":"ltr","htmlLang":"en","calendar":"gregory","path":"en"},"zh":{"label":"\u7b80\u4f53\u4e2d\u6587","direction":"ltr","htmlLang":"zh","calendar":"gregory","path":"zh"},"kr":{"label":"\ud55c\uad6d\uc5b4","direction":"ltr","htmlLang":"kr","calendar":"gregory","path":"kr"}}}');var s=n(7529);const l=JSON.parse('{"docusaurusVersion":"3.5.1","siteVersion":"0.0.1","pluginVersions":{"docusaurus-plugin-content-docs":{"type":"package","name":"@docusaurus/plugin-content-docs","version":"3.5.1"},"docusaurus-plugin-content-pages":{"type":"package","name":"@docusaurus/plugin-content-pages","version":"3.5.1"},"docusaurus-plugin-sitemap":{"type":"package","name":"@docusaurus/plugin-sitemap","version":"3.5.1"},"docusaurus-theme-classic":{"type":"package","name":"@docusaurus/theme-classic","version":"3.5.1"},"docusaurus-plugin-client-redirects":{"type":"package","name":"@docusaurus/plugin-client-redirects","version":"3.5.1"},"docusaurus-theme-mermaid":{"type":"package","name":"@docusaurus/theme-mermaid","version":"3.5.1"},"@easyops-cn/docusaurus-search-local":{"type":"package","name":"@easyops-cn/docusaurus-search-local","version":"0.44.4"}}}');var c=n(5893);const u={siteConfig:a.default,siteMetadata:l,globalData:o,i18n:i,codeTranslations:s},d=r.createContext(u);function p(e){let{children:t}=e;return(0,c.jsx)(d.Provider,{value:u,children:t})}},4763:(e,t,n)=>{"use strict";n.d(t,{Z:()=>m});var r=n(7294),a=n(412),o=n(5742),i=n(8780),s=n(8947),l=n(226),c=n(5893);function u(e){let{error:t,tryAgain:n}=e;return(0,c.jsxs)("div",{style:{display:"flex",flexDirection:"column",justifyContent:"center",alignItems:"flex-start",minHeight:"100vh",width:"100%",maxWidth:"80ch",fontSize:"20px",margin:"0 auto",padding:"1rem"},children:[(0,c.jsx)("h1",{style:{fontSize:"3rem"},children:"This page crashed"}),(0,c.jsx)("button",{type:"button",onClick:n,style:{margin:"1rem 0",fontSize:"2rem",cursor:"pointer",borderRadius:20,padding:"1rem"},children:"Try again"}),(0,c.jsx)(d,{error:t})]})}function d(e){let{error:t}=e;const n=(0,i.BN)(t).map((e=>e.message)).join("\n\nCause:\n");return(0,c.jsx)("p",{style:{whiteSpace:"pre-wrap"},children:n})}function p(e){let{children:t}=e;return(0,c.jsx)(l.z,{value:{plugin:{name:"docusaurus-core-error-boundary",id:"default"}},children:t})}function f(e){let{error:t,tryAgain:n}=e;return(0,c.jsx)(p,{children:(0,c.jsxs)(m,{fallback:()=>(0,c.jsx)(u,{error:t,tryAgain:n}),children:[(0,c.jsx)(o.Z,{children:(0,c.jsx)("title",{children:"Page Error"})}),(0,c.jsx)(s.Z,{children:(0,c.jsx)(u,{error:t,tryAgain:n})})]})})}const h=e=>(0,c.jsx)(f,{...e});class m extends r.Component{constructor(e){super(e),this.state={error:null}}componentDidCatch(e){a.Z.canUseDOM&&this.setState({error:e})}render(){const{children:e}=this.props,{error:t}=this.state;if(t){const e={error:t,tryAgain:()=>this.setState({error:null})};return(this.props.fallback??h)(e)}return e??null}}},412:(e,t,n)=>{"use strict";n.d(t,{Z:()=>a});const r="undefined"!=typeof window&&"document"in window&&"createElement"in window.document,a={canUseDOM:r,canUseEventListeners:r&&("addEventListener"in window||"attachEvent"in window),canUseIntersectionObserver:r&&"IntersectionObserver"in window,canUseViewport:r&&"screen"in window}},5742:(e,t,n)=>{"use strict";n.d(t,{Z:()=>o});n(7294);var r=n(405),a=n(5893);function o(e){return(0,a.jsx)(r.ql,{...e})}},3692:(e,t,n)=>{"use strict";n.d(t,{Z:()=>f});var r=n(7294),a=n(3727),o=n(8780),i=n(2263),s=n(3919),l=n(412),c=n(8138),u=n(4996),d=n(5893);function p(e,t){let{isNavLink:n,to:p,href:f,activeClassName:h,isActive:m,"data-noBrokenLinkCheck":g,autoAddBaseUrl:y=!0,...b}=e;const{siteConfig:v}=(0,i.Z)(),{trailingSlash:w,baseUrl:k}=v,x=v.future.experimental_router,{withBaseUrl:S}=(0,u.Cg)(),E=(0,c.Z)(),_=(0,r.useRef)(null);(0,r.useImperativeHandle)(t,(()=>_.current));const C=p||f;const T=(0,s.Z)(C),L=C?.replace("pathname://","");let j=void 0!==L?(R=L,y&&(e=>e.startsWith("/"))(R)?S(R):R):void 0;var R;"hash"===x&&j?.startsWith("./")&&(j=j?.slice(1)),j&&T&&(j=(0,o.Do)(j,{trailingSlash:w,baseUrl:k}));const P=(0,r.useRef)(!1),N=n?a.OL:a.rU,A=l.Z.canUseIntersectionObserver,O=(0,r.useRef)(),I=()=>{P.current||null==j||(window.docusaurus.preload(j),P.current=!0)};(0,r.useEffect)((()=>(!A&&T&&l.Z.canUseDOM&&null!=j&&window.docusaurus.prefetch(j),()=>{A&&O.current&&O.current.disconnect()})),[O,j,A,T]);const D=j?.startsWith("#")??!1,F=!b.target||"_self"===b.target,M=!j||!T||!F||D&&"hash"!==x;g||!D&&M||E.collectLink(j),b.id&&E.collectAnchor(b.id);const B={};return M?(0,d.jsx)("a",{ref:_,href:j,...C&&!T&&{target:"_blank",rel:"noopener noreferrer"},...b,...B}):(0,d.jsx)(N,{...b,onMouseEnter:I,onTouchStart:I,innerRef:e=>{_.current=e,A&&e&&T&&(O.current=new window.IntersectionObserver((t=>{t.forEach((t=>{e===t.target&&(t.isIntersecting||t.intersectionRatio>0)&&(O.current.unobserve(e),O.current.disconnect(),null!=j&&window.docusaurus.prefetch(j))}))})),O.current.observe(e))},to:j,...n&&{isActive:m,activeClassName:h},...B})}const f=r.forwardRef(p)},5999:(e,t,n)=>{"use strict";n.d(t,{Z:()=>c,I:()=>l});var r=n(7294),a=n(5893);function o(e,t){const n=e.split(/(\{\w+\})/).map(((e,n)=>{if(n%2==1){const n=t?.[e.slice(1,-1)];if(void 0!==n)return n}return e}));return n.some((e=>(0,r.isValidElement)(e)))?n.map(((e,t)=>(0,r.isValidElement)(e)?r.cloneElement(e,{key:t}):e)).filter((e=>""!==e)):n.join("")}var i=n(7529);function s(e){let{id:t,message:n}=e;if(void 0===t&&void 0===n)throw new Error("Docusaurus translation declarations must have at least a translation id or a default translation message");return i[t??n]??n??t}function l(e,t){let{message:n,id:r}=e;return o(s({message:n,id:r}),t)}function c(e){let{children:t,id:n,values:r}=e;if(t&&"string"!=typeof t)throw console.warn("Illegal <Translate> children",t),new Error("The Docusaurus <Translate> component only accept simple string values");const i=s({message:t,id:n});return(0,a.jsx)(a.Fragment,{children:o(i,r)})}},9935:(e,t,n)=>{"use strict";n.d(t,{m:()=>r});const r="default"},3919:(e,t,n)=>{"use strict";function r(e){return/^(?:\w*:|\/\/)/.test(e)}function a(e){return void 0!==e&&!r(e)}n.d(t,{Z:()=>a,b:()=>r})},4996:(e,t,n)=>{"use strict";n.d(t,{Cg:()=>i,ZP:()=>s});var r=n(7294),a=n(2263),o=n(3919);function i(){const{siteConfig:e}=(0,a.Z)(),{baseUrl:t,url:n}=e,i=e.future.experimental_router,s=(0,r.useCallback)(((e,r)=>function(e){let{siteUrl:t,baseUrl:n,url:r,options:{forcePrependBaseUrl:a=!1,absolute:i=!1}={},router:s}=e;if(!r||r.startsWith("#")||(0,o.b)(r))return r;if("hash"===s)return r.startsWith("/")?`.${r}`:`./${r}`;if(a)return n+r.replace(/^\//,"");if(r===n.replace(/\/$/,""))return n;const l=r.startsWith(n)?r:n+r.replace(/^\//,"");return i?t+l:l}({siteUrl:n,baseUrl:t,url:e,options:r,router:i})),[n,t,i]);return{withBaseUrl:s}}function s(e,t){void 0===t&&(t={});const{withBaseUrl:n}=i();return n(e,t)}},8138:(e,t,n)=>{"use strict";n.d(t,{Z:()=>i});var r=n(7294);n(5893);const a=r.createContext({collectAnchor:()=>{},collectLink:()=>{}}),o=()=>(0,r.useContext)(a);function i(){return o()}},2263:(e,t,n)=>{"use strict";n.d(t,{Z:()=>o});var r=n(7294),a=n(8940);function o(){return(0,r.useContext)(a._)}},2389:(e,t,n)=>{"use strict";n.d(t,{Z:()=>o});var r=n(7294),a=n(8934);function o(){return(0,r.useContext)(a._)}},469:(e,t,n)=>{"use strict";n.d(t,{Z:()=>a});var r=n(7294);const a=n(412).Z.canUseDOM?r.useLayoutEffect:r.useEffect},9670:(e,t,n)=>{"use strict";n.d(t,{Z:()=>a});const r=e=>"object"==typeof e&&!!e&&Object.keys(e).length>0;function a(e){const t={};return function e(n,a){Object.entries(n).forEach((n=>{let[o,i]=n;const s=a?`${a}.${o}`:o;r(i)?e(i,s):t[s]=i}))}(e),t}},226:(e,t,n)=>{"use strict";n.d(t,{_:()=>o,z:()=>i});var r=n(7294),a=n(5893);const o=r.createContext(null);function i(e){let{children:t,value:n}=e;const i=r.useContext(o),s=(0,r.useMemo)((()=>function(e){let{parent:t,value:n}=e;if(!t){if(!n)throw new Error("Unexpected: no Docusaurus route context found");if(!("plugin"in n))throw new Error("Unexpected: Docusaurus topmost route context has no `plugin` attribute");return n}const r={...t.data,...n?.data};return{plugin:t.plugin,data:r}}({parent:i,value:n})),[i,n]);return(0,a.jsx)(o.Provider,{value:s,children:t})}},298:(e,t,n)=>{"use strict";n.d(t,{J:()=>b,L5:()=>g});var r=n(7294),a=n(143),o=n(9935),i=n(6668),s=n(812),l=n(902),c=n(5893);const u=e=>`docs-preferred-version-${e}`,d={save:(e,t,n)=>{(0,s.WA)(u(e),{persistence:t}).set(n)},read:(e,t)=>(0,s.WA)(u(e),{persistence:t}).get(),clear:(e,t)=>{(0,s.WA)(u(e),{persistence:t}).del()}},p=e=>Object.fromEntries(e.map((e=>[e,{preferredVersionName:null}])));const f=r.createContext(null);function h(){const e=(0,a._r)(),t=(0,i.L)().docs.versionPersistence,n=(0,r.useMemo)((()=>Object.keys(e)),[e]),[o,s]=(0,r.useState)((()=>p(n)));(0,r.useEffect)((()=>{s(function(e){let{pluginIds:t,versionPersistence:n,allDocsData:r}=e;function a(e){const t=d.read(e,n);return r[e].versions.some((e=>e.name===t))?{preferredVersionName:t}:(d.clear(e,n),{preferredVersionName:null})}return Object.fromEntries(t.map((e=>[e,a(e)])))}({allDocsData:e,versionPersistence:t,pluginIds:n}))}),[e,t,n]);return[o,(0,r.useMemo)((()=>({savePreferredVersion:function(e,n){d.save(e,t,n),s((t=>({...t,[e]:{preferredVersionName:n}})))}})),[t])]}function m(e){let{children:t}=e;const n=h();return(0,c.jsx)(f.Provider,{value:n,children:t})}function g(e){let{children:t}=e;return(0,c.jsx)(m,{children:t})}function y(){const e=(0,r.useContext)(f);if(!e)throw new l.i6("DocsPreferredVersionContextProvider");return e}function b(e){void 0===e&&(e=o.m);const t=(0,a.zh)(e),[n,i]=y(),{preferredVersionName:s}=n[e];return{preferredVersion:t.versions.find((e=>e.name===s))??null,savePreferredVersionName:(0,r.useCallback)((t=>{i.savePreferredVersion(e,t)}),[i,e])}}},4731:(e,t,n)=>{"use strict";n.d(t,{V:()=>c,b:()=>l});var r=n(7294),a=n(902),o=n(5893);const i=Symbol("EmptyContext"),s=r.createContext(i);function l(e){let{children:t,name:n,items:a}=e;const i=(0,r.useMemo)((()=>n&&a?{name:n,items:a}:null),[n,a]);return(0,o.jsx)(s.Provider,{value:i,children:t})}function c(){const e=(0,r.useContext)(s);if(e===i)throw new a.i6("DocsSidebarProvider");return e}},9690:(e,t,n)=>{"use strict";n.d(t,{LM:()=>p,MN:()=>_,SN:()=>E,_F:()=>g,f:()=>b,jA:()=>f,lO:()=>k,oz:()=>x,s1:()=>w,vY:()=>S});var r=n(7294),a=n(6550),o=n(8790),i=n(143),s=n(8596),l=n(7392),c=n(298),u=n(3797),d=n(4731);function p(e){return"link"!==e.type||e.unlisted?"category"===e.type?function(e){if(e.href&&!e.linkUnlisted)return e.href;for(const t of e.items){const e=p(t);if(e)return e}}(e):void 0:e.href}function f(){const{pathname:e}=(0,a.TH)(),t=(0,d.V)();if(!t)throw new Error("Unexpected: cant find current sidebar in context");const n=v({sidebarItems:t.items,pathname:e,onlyCategories:!0}).slice(-1)[0];if(!n)throw new Error(`${e} is not associated with a category. useCurrentSidebarCategory() should only be used on category index pages.`);return n}const h=(e,t)=>void 0!==e&&(0,s.Mg)(e,t),m=(e,t)=>e.some((e=>g(e,t)));function g(e,t){return"link"===e.type?h(e.href,t):"category"===e.type&&(h(e.href,t)||m(e.items,t))}function y(e,t){switch(e.type){case"category":return g(e,t)||e.items.some((e=>y(e,t)));case"link":return!e.unlisted||g(e,t);default:return!0}}function b(e,t){return(0,r.useMemo)((()=>e.filter((e=>y(e,t)))),[e,t])}function v(e){let{sidebarItems:t,pathname:n,onlyCategories:r=!1}=e;const a=[];return function e(t){for(const o of t)if("category"===o.type&&((0,s.Mg)(o.href,n)||e(o.items))||"link"===o.type&&(0,s.Mg)(o.href,n)){return r&&"category"!==o.type||a.unshift(o),!0}return!1}(t),a}function w(){const e=(0,d.V)(),{pathname:t}=(0,a.TH)(),n=(0,i.gA)()?.pluginData.breadcrumbs;return!1!==n&&e?v({sidebarItems:e.items,pathname:t}):null}function k(e){const{activeVersion:t}=(0,i.Iw)(e),{preferredVersion:n}=(0,c.J)(e),a=(0,i.yW)(e);return(0,r.useMemo)((()=>(0,l.jj)([t,n,a].filter(Boolean))),[t,n,a])}function x(e,t){const n=k(t);return(0,r.useMemo)((()=>{const t=n.flatMap((e=>e.sidebars?Object.entries(e.sidebars):[])),r=t.find((t=>t[0]===e));if(!r)throw new Error(`Can't find any sidebar with id "${e}" in version${n.length>1?"s":""} ${n.map((e=>e.name)).join(", ")}".\nAvailable sidebar ids are:\n- ${t.map((e=>e[0])).join("\n- ")}`);return r[1]}),[e,n])}function S(e,t){const n=k(t);return(0,r.useMemo)((()=>{const t=n.flatMap((e=>e.docs)),r=t.find((t=>t.id===e));if(!r){if(n.flatMap((e=>e.draftIds)).includes(e))return null;throw new Error(`Couldn't find any doc with id "${e}" in version${n.length>1?"s":""} "${n.map((e=>e.name)).join(", ")}".\nAvailable doc ids are:\n- ${(0,l.jj)(t.map((e=>e.id))).join("\n- ")}`)}return r}),[e,n])}function E(e){let{route:t}=e;const n=(0,a.TH)(),r=(0,u.E)(),i=t.routes,s=i.find((e=>(0,a.LX)(n.pathname,e)));if(!s)return null;const l=s.sidebar,c=l?r.docsSidebars[l]:void 0;return{docElement:(0,o.H)(i),sidebarName:l,sidebarItems:c}}function _(e){return e.filter((e=>!("category"===e.type||"link"===e.type)||!!p(e)))}},3797:(e,t,n)=>{"use strict";n.d(t,{E:()=>l,q:()=>s});var r=n(7294),a=n(902),o=n(5893);const i=r.createContext(null);function s(e){let{children:t,version:n}=e;return(0,o.jsx)(i.Provider,{value:n,children:t})}function l(){const e=(0,r.useContext)(i);if(null===e)throw new a.i6("DocsVersionProvider");return e}},143:(e,t,n)=>{"use strict";n.d(t,{MN:()=>c.MN,Iw:()=>y,gA:()=>h,_r:()=>p,jA:()=>c.jA,Jo:()=>b,zh:()=>f,J:()=>u.J,yW:()=>g,gB:()=>m});var r=n(6550),a=n(2263),o=n(9935);function i(e,t){void 0===t&&(t={});const n=function(){const{globalData:e}=(0,a.Z)();return e}()[e];if(!n&&t.failfast)throw new Error(`Docusaurus plugin global data not found for "${e}" plugin.`);return n}const s=e=>e.versions.find((e=>e.isLast));function l(e,t){const n=function(e,t){return[...e.versions].sort(((e,t)=>e.path===t.path?0:e.path.includes(t.path)?-1:t.path.includes(e.path)?1:0)).find((e=>!!(0,r.LX)(t,{path:e.path,exact:!1,strict:!1})))}(e,t),a=n?.docs.find((e=>!!(0,r.LX)(t,{path:e.path,exact:!0,strict:!1})));return{activeVersion:n,activeDoc:a,alternateDocVersions:a?function(t){const n={};return e.versions.forEach((e=>{e.docs.forEach((r=>{r.id===t&&(n[e.name]=r)}))})),n}(a.id):{}}}var c=n(9690),u=n(298);const d={},p=()=>i("docusaurus-plugin-content-docs")??d,f=e=>{try{return function(e,t,n){void 0===t&&(t=o.m),void 0===n&&(n={});const r=i(e),a=r?.[t];if(!a&&n.failfast)throw new Error(`Docusaurus plugin global data not found for "${e}" plugin with id "${t}".`);return a}("docusaurus-plugin-content-docs",e,{failfast:!0})}catch(t){throw new Error("You are using a feature of the Docusaurus docs plugin, but this plugin does not seem to be enabled"+("Default"===e?"":` (pluginId=${e}`),{cause:t})}};function h(e){void 0===e&&(e={});const t=p(),{pathname:n}=(0,r.TH)();return function(e,t,n){void 0===n&&(n={});const a=Object.entries(e).sort(((e,t)=>t[1].path.localeCompare(e[1].path))).find((e=>{let[,n]=e;return!!(0,r.LX)(t,{path:n.path,exact:!1,strict:!1})})),o=a?{pluginId:a[0],pluginData:a[1]}:void 0;if(!o&&n.failfast)throw new Error(`Can't find active docs plugin for "${t}" pathname, while it was expected to be found. Maybe you tried to use a docs feature that can only be used on a docs-related page? Existing docs plugin paths are: ${Object.values(e).map((e=>e.path)).join(", ")}`);return o}(t,n,e)}function m(e){return f(e).versions}function g(e){const t=f(e);return s(t)}function y(e){const t=f(e),{pathname:n}=(0,r.TH)();return l(t,n)}function b(e){const t=f(e),{pathname:n}=(0,r.TH)();return function(e,t){const n=s(e);return{latestDocSuggestion:l(e,t).alternateDocVersions[n.name],latestVersionSuggestion:n}}(t,n)}},8320:(e,t,n)=>{"use strict";n.r(t),n.d(t,{default:()=>o});var r=n(4865),a=n.n(r);a().configure({showSpinner:!1});const o={onRouteUpdate(e){let{location:t,previousLocation:n}=e;if(n&&t.pathname!==n.pathname){const e=window.setTimeout((()=>{a().start()}),200);return()=>window.clearTimeout(e)}},onRouteDidUpdate(){a().done()}}},3310:(e,t,n)=>{"use strict";n.r(t);var r=n(2573),a=n(6809);!function(e){const{themeConfig:{prism:t}}=a.default,{additionalLanguages:r}=t;globalThis.Prism=e,r.forEach((e=>{"php"===e&&n(6854),n(6726)(`./prism-${e}`)})),delete globalThis.Prism}(r.p1)},2503:(e,t,n)=>{"use strict";n.d(t,{Z:()=>u});n(7294);var r=n(512),a=n(5999),o=n(6668),i=n(3692),s=n(8138);const l={anchorWithStickyNavbar:"anchorWithStickyNavbar_LWe7",anchorWithHideOnScrollNavbar:"anchorWithHideOnScrollNavbar_WYt5"};var c=n(5893);function u(e){let{as:t,id:n,...u}=e;const d=(0,s.Z)(),{navbar:{hideOnScroll:p}}=(0,o.L)();if("h1"===t||!n)return(0,c.jsx)(t,{...u,id:void 0});d.collectAnchor(n);const f=(0,a.I)({id:"theme.common.headingLinkTitle",message:"Direct link to {heading}",description:"Title for link to heading"},{heading:"string"==typeof u.children?u.children:n});return(0,c.jsxs)(t,{...u,className:(0,r.Z)("anchor",p?l.anchorWithHideOnScrollNavbar:l.anchorWithStickyNavbar,u.className),id:n,children:[u.children,(0,c.jsx)(i.Z,{className:"hash-link",to:`#${n}`,"aria-label":f,title:f,children:"\u200b"})]})}},9471:(e,t,n)=>{"use strict";n.d(t,{Z:()=>o});n(7294);const r={iconExternalLink:"iconExternalLink_nPIU"};var a=n(5893);function o(e){let{width:t=13.5,height:n=13.5}=e;return(0,a.jsx)("svg",{width:t,height:n,"aria-hidden":"true",viewBox:"0 0 24 24",className:r.iconExternalLink,children:(0,a.jsx)("path",{fill:"currentColor",d:"M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"})})}},8947:(e,t,n)=>{"use strict";n.d(t,{Z:()=>Nt});var r=n(7294),a=n(512),o=n(4763),i=n(1944),s=n(6550),l=n(5999),c=n(5936),u=n(5893);const d="__docusaurus_skipToContent_fallback";function p(e){e.setAttribute("tabindex","-1"),e.focus(),e.removeAttribute("tabindex")}function f(){const e=(0,r.useRef)(null),{action:t}=(0,s.k6)(),n=(0,r.useCallback)((e=>{e.preventDefault();const t=document.querySelector("main:first-of-type")??document.getElementById(d);t&&p(t)}),[]);return(0,c.S)((n=>{let{location:r}=n;e.current&&!r.hash&&"PUSH"===t&&p(e.current)})),{containerRef:e,onClick:n}}const h=(0,l.I)({id:"theme.common.skipToMainContent",description:"The skip to content label used for accessibility, allowing to rapidly navigate to main content with keyboard tab/enter navigation",message:"Skip to main content"});function m(e){const t=e.children??h,{containerRef:n,onClick:r}=f();return(0,u.jsx)("div",{ref:n,role:"region","aria-label":h,children:(0,u.jsx)("a",{...e,href:`#${d}`,onClick:r,children:t})})}var g=n(5281),y=n(9727);const b={skipToContent:"skipToContent_fXgn"};function v(){return(0,u.jsx)(m,{className:b.skipToContent})}var w=n(6668),k=n(9689);function x(e){let{width:t=21,height:n=21,color:r="currentColor",strokeWidth:a=1.2,className:o,...i}=e;return(0,u.jsx)("svg",{viewBox:"0 0 15 15",width:t,height:n,...i,children:(0,u.jsx)("g",{stroke:r,strokeWidth:a,children:(0,u.jsx)("path",{d:"M.75.75l13.5 13.5M14.25.75L.75 14.25"})})})}const S={closeButton:"closeButton_CVFx"};function E(e){return(0,u.jsx)("button",{type:"button","aria-label":(0,l.I)({id:"theme.AnnouncementBar.closeButtonAriaLabel",message:"Close",description:"The ARIA label for close button of announcement bar"}),...e,className:(0,a.Z)("clean-btn close",S.closeButton,e.className),children:(0,u.jsx)(x,{width:14,height:14,strokeWidth:3.1})})}const _={content:"content_knG7"};function C(e){const{announcementBar:t}=(0,w.L)(),{content:n}=t;return(0,u.jsx)("div",{...e,className:(0,a.Z)(_.content,e.className),dangerouslySetInnerHTML:{__html:n}})}const T={announcementBar:"announcementBar_mb4j",announcementBarPlaceholder:"announcementBarPlaceholder_vyr4",announcementBarClose:"announcementBarClose_gvF7",announcementBarContent:"announcementBarContent_xLdY"};function L(){const{announcementBar:e}=(0,w.L)(),{isActive:t,close:n}=(0,k.n)();if(!t)return null;const{backgroundColor:r,textColor:a,isCloseable:o}=e;return(0,u.jsxs)("div",{className:T.announcementBar,style:{backgroundColor:r,color:a},role:"banner",children:[o&&(0,u.jsx)("div",{className:T.announcementBarPlaceholder}),(0,u.jsx)(C,{className:T.announcementBarContent}),o&&(0,u.jsx)(E,{onClick:n,className:T.announcementBarClose})]})}var j=n(3163),R=n(2466);var P=n(902),N=n(3102);const A=r.createContext(null);function O(e){let{children:t}=e;const n=function(){const e=(0,j.e)(),t=(0,N.HY)(),[n,a]=(0,r.useState)(!1),o=null!==t.component,i=(0,P.D9)(o);return(0,r.useEffect)((()=>{o&&!i&&a(!0)}),[o,i]),(0,r.useEffect)((()=>{o?e.shown||a(!0):a(!1)}),[e.shown,o]),(0,r.useMemo)((()=>[n,a]),[n])}();return(0,u.jsx)(A.Provider,{value:n,children:t})}function I(e){if(e.component){const t=e.component;return(0,u.jsx)(t,{...e.props})}}function D(){const e=(0,r.useContext)(A);if(!e)throw new P.i6("NavbarSecondaryMenuDisplayProvider");const[t,n]=e,a=(0,r.useCallback)((()=>n(!1)),[n]),o=(0,N.HY)();return(0,r.useMemo)((()=>({shown:t,hide:a,content:I(o)})),[a,o,t])}function F(e){let{header:t,primaryMenu:n,secondaryMenu:r}=e;const{shown:o}=D();return(0,u.jsxs)("div",{className:"navbar-sidebar",children:[t,(0,u.jsxs)("div",{className:(0,a.Z)("navbar-sidebar__items",{"navbar-sidebar__items--show-secondary":o}),children:[(0,u.jsx)("div",{className:"navbar-sidebar__item menu",children:n}),(0,u.jsx)("div",{className:"navbar-sidebar__item menu",children:r})]})]})}var M=n(2949),B=n(2389);function z(e){return(0,u.jsx)("svg",{viewBox:"0 0 24 24",width:24,height:24,...e,children:(0,u.jsx)("path",{fill:"currentColor",d:"M12,9c1.65,0,3,1.35,3,3s-1.35,3-3,3s-3-1.35-3-3S10.35,9,12,9 M12,7c-2.76,0-5,2.24-5,5s2.24,5,5,5s5-2.24,5-5 S14.76,7,12,7L12,7z M2,13l2,0c0.55,0,1-0.45,1-1s-0.45-1-1-1l-2,0c-0.55,0-1,0.45-1,1S1.45,13,2,13z M20,13l2,0c0.55,0,1-0.45,1-1 s-0.45-1-1-1l-2,0c-0.55,0-1,0.45-1,1S19.45,13,20,13z M11,2v2c0,0.55,0.45,1,1,1s1-0.45,1-1V2c0-0.55-0.45-1-1-1S11,1.45,11,2z M11,20v2c0,0.55,0.45,1,1,1s1-0.45,1-1v-2c0-0.55-0.45-1-1-1C11.45,19,11,19.45,11,20z M5.99,4.58c-0.39-0.39-1.03-0.39-1.41,0 c-0.39,0.39-0.39,1.03,0,1.41l1.06,1.06c0.39,0.39,1.03,0.39,1.41,0s0.39-1.03,0-1.41L5.99,4.58z M18.36,16.95 c-0.39-0.39-1.03-0.39-1.41,0c-0.39,0.39-0.39,1.03,0,1.41l1.06,1.06c0.39,0.39,1.03,0.39,1.41,0c0.39-0.39,0.39-1.03,0-1.41 L18.36,16.95z M19.42,5.99c0.39-0.39,0.39-1.03,0-1.41c-0.39-0.39-1.03-0.39-1.41,0l-1.06,1.06c-0.39,0.39-0.39,1.03,0,1.41 s1.03,0.39,1.41,0L19.42,5.99z M7.05,18.36c0.39-0.39,0.39-1.03,0-1.41c-0.39-0.39-1.03-0.39-1.41,0l-1.06,1.06 c-0.39,0.39-0.39,1.03,0,1.41s1.03,0.39,1.41,0L7.05,18.36z"})})}function $(e){return(0,u.jsx)("svg",{viewBox:"0 0 24 24",width:24,height:24,...e,children:(0,u.jsx)("path",{fill:"currentColor",d:"M9.37,5.51C9.19,6.15,9.1,6.82,9.1,7.5c0,4.08,3.32,7.4,7.4,7.4c0.68,0,1.35-0.09,1.99-0.27C17.45,17.19,14.93,19,12,19 c-3.86,0-7-3.14-7-7C5,9.07,6.81,6.55,9.37,5.51z M12,3c-4.97,0-9,4.03-9,9s4.03,9,9,9s9-4.03,9-9c0-0.46-0.04-0.92-0.1-1.36 c-0.98,1.37-2.58,2.26-4.4,2.26c-2.98,0-5.4-2.42-5.4-5.4c0-1.81,0.89-3.42,2.26-4.4C12.92,3.04,12.46,3,12,3L12,3z"})})}const U={toggle:"toggle_vylO",toggleButton:"toggleButton_gllP",darkToggleIcon:"darkToggleIcon_wfgR",lightToggleIcon:"lightToggleIcon_pyhR",toggleButtonDisabled:"toggleButtonDisabled_aARS"};function q(e){let{className:t,buttonClassName:n,value:r,onChange:o}=e;const i=(0,B.Z)(),s=(0,l.I)({message:"Switch between dark and light mode (currently {mode})",id:"theme.colorToggle.ariaLabel",description:"The ARIA label for the navbar color mode toggle"},{mode:"dark"===r?(0,l.I)({message:"dark mode",id:"theme.colorToggle.ariaLabel.mode.dark",description:"The name for the dark color mode"}):(0,l.I)({message:"light mode",id:"theme.colorToggle.ariaLabel.mode.light",description:"The name for the light color mode"})});return(0,u.jsx)("div",{className:(0,a.Z)(U.toggle,t),children:(0,u.jsxs)("button",{className:(0,a.Z)("clean-btn",U.toggleButton,!i&&U.toggleButtonDisabled,n),type:"button",onClick:()=>o("dark"===r?"light":"dark"),disabled:!i,title:s,"aria-label":s,"aria-live":"polite",children:[(0,u.jsx)(z,{className:(0,a.Z)(U.toggleIcon,U.lightToggleIcon)}),(0,u.jsx)($,{className:(0,a.Z)(U.toggleIcon,U.darkToggleIcon)})]})})}const H=r.memo(q),Q={darkNavbarColorModeToggle:"darkNavbarColorModeToggle_X3D1"};function Z(e){let{className:t}=e;const n=(0,w.L)().navbar.style,r=(0,w.L)().colorMode.disableSwitch,{colorMode:a,setColorMode:o}=(0,M.I)();return r?null:(0,u.jsx)(H,{className:t,buttonClassName:"dark"===n?Q.darkNavbarColorModeToggle:void 0,value:a,onChange:o})}var V=n(1327);function W(){return(0,u.jsx)(V.Z,{className:"navbar__brand",imageClassName:"navbar__logo",titleClassName:"navbar__title text--truncate"})}function G(){const e=(0,j.e)();return(0,u.jsx)("button",{type:"button","aria-label":(0,l.I)({id:"theme.docs.sidebar.closeSidebarButtonAriaLabel",message:"Close navigation bar",description:"The ARIA label for close button of mobile sidebar"}),className:"clean-btn navbar-sidebar__close",onClick:()=>e.toggle(),children:(0,u.jsx)(x,{color:"var(--ifm-color-emphasis-600)"})})}function X(){return(0,u.jsxs)("div",{className:"navbar-sidebar__brand",children:[(0,u.jsx)(W,{}),(0,u.jsx)("a",{href:"https://github.com/k3s-io/k3s",target:"_blank",rel:"noopener noreferrer",className:"margin-right--md header-github-link"}),(0,u.jsx)(Z,{className:"margin-right--md"}),(0,u.jsx)(G,{})]})}var K=n(3692),Y=n(4996),J=n(3919);function ee(e,t){return void 0!==e&&void 0!==t&&new RegExp(e,"gi").test(t)}var te=n(9471);function ne(e){let{activeBasePath:t,activeBaseRegex:n,to:r,href:a,label:o,html:i,isDropdownLink:s,prependBaseUrlToHref:l,...c}=e;const d=(0,Y.ZP)(r),p=(0,Y.ZP)(t),f=(0,Y.ZP)(a,{forcePrependBaseUrl:!0}),h=o&&a&&!(0,J.Z)(a),m=i?{dangerouslySetInnerHTML:{__html:i}}:{children:(0,u.jsxs)(u.Fragment,{children:[o,h&&(0,u.jsx)(te.Z,{...s&&{width:12,height:12}})]})};return a?(0,u.jsx)(K.Z,{href:l?f:a,...c,...m}):(0,u.jsx)(K.Z,{to:d,isNavLink:!0,...(t||n)&&{isActive:(e,t)=>n?ee(n,t.pathname):t.pathname.startsWith(p)},...c,...m})}function re(e){let{className:t,isDropdownItem:n=!1,...r}=e;const o=(0,u.jsx)(ne,{className:(0,a.Z)(n?"dropdown__link":"navbar__item navbar__link",t),isDropdownLink:n,...r});return n?(0,u.jsx)("li",{children:o}):o}function ae(e){let{className:t,isDropdownItem:n,...r}=e;return(0,u.jsx)("li",{className:"menu__list-item",children:(0,u.jsx)(ne,{className:(0,a.Z)("menu__link",t),...r})})}function oe(e){let{mobile:t=!1,position:n,...r}=e;const a=t?ae:re;return(0,u.jsx)(a,{...r,activeClassName:r.activeClassName??(t?"menu__link--active":"navbar__link--active")})}var ie=n(6043),se=n(8596),le=n(2263);const ce={dropdownNavbarItemMobile:"dropdownNavbarItemMobile_S0Fm"};function ue(e,t){return e.some((e=>function(e,t){return!!(0,se.Mg)(e.to,t)||!!ee(e.activeBaseRegex,t)||!(!e.activeBasePath||!t.startsWith(e.activeBasePath))}(e,t)))}function de(e){let{items:t,position:n,className:o,onClick:i,...s}=e;const l=(0,r.useRef)(null),[c,d]=(0,r.useState)(!1);return(0,r.useEffect)((()=>{const e=e=>{l.current&&!l.current.contains(e.target)&&d(!1)};return document.addEventListener("mousedown",e),document.addEventListener("touchstart",e),document.addEventListener("focusin",e),()=>{document.removeEventListener("mousedown",e),document.removeEventListener("touchstart",e),document.removeEventListener("focusin",e)}}),[l]),(0,u.jsxs)("div",{ref:l,className:(0,a.Z)("navbar__item","dropdown","dropdown--hoverable",{"dropdown--right":"right"===n,"dropdown--show":c}),children:[(0,u.jsx)(ne,{"aria-haspopup":"true","aria-expanded":c,role:"button",href:s.to?void 0:"#",className:(0,a.Z)("navbar__link",o),...s,onClick:s.to?void 0:e=>e.preventDefault(),onKeyDown:e=>{"Enter"===e.key&&(e.preventDefault(),d(!c))},children:s.children??s.label}),(0,u.jsx)("ul",{className:"dropdown__menu",children:t.map(((e,t)=>(0,r.createElement)(We,{isDropdownItem:!0,activeClassName:"dropdown__link--active",...e,key:t})))})]})}function pe(e){let{items:t,className:n,position:o,onClick:i,...l}=e;const c=function(){const{siteConfig:{baseUrl:e}}=(0,le.Z)(),{pathname:t}=(0,s.TH)();return t.replace(e,"/")}(),d=ue(t,c),{collapsed:p,toggleCollapsed:f,setCollapsed:h}=(0,ie.u)({initialState:()=>!d});return(0,r.useEffect)((()=>{d&&h(!d)}),[c,d,h]),(0,u.jsxs)("li",{className:(0,a.Z)("menu__list-item",{"menu__list-item--collapsed":p}),children:[(0,u.jsx)(ne,{role:"button",className:(0,a.Z)(ce.dropdownNavbarItemMobile,"menu__link menu__link--sublist menu__link--sublist-caret",n),...l,onClick:e=>{e.preventDefault(),f()},children:l.children??l.label}),(0,u.jsx)(ie.z,{lazy:!0,as:"ul",className:"menu__list",collapsed:p,children:t.map(((e,t)=>(0,r.createElement)(We,{mobile:!0,isDropdownItem:!0,onClick:i,activeClassName:"menu__link--active",...e,key:t})))})]})}function fe(e){let{mobile:t=!1,...n}=e;const r=t?pe:de;return(0,u.jsx)(r,{...n})}var he=n(4711);function me(e){let{width:t=20,height:n=20,...r}=e;return(0,u.jsx)("svg",{viewBox:"0 0 24 24",width:t,height:n,"aria-hidden":!0,...r,children:(0,u.jsx)("path",{fill:"currentColor",d:"M12.87 15.07l-2.54-2.51.03-.03c1.74-1.94 2.98-4.17 3.71-6.53H17V4h-7V2H8v2H1v1.99h11.17C11.5 7.92 10.44 9.75 9 11.35 8.07 10.32 7.3 9.19 6.69 8h-2c.73 1.63 1.73 3.17 2.98 4.56l-5.09 5.02L4 19l5-5 3.11 3.11.76-2.04zM18.5 10h-2L12 22h2l1.12-3h4.75L21 22h2l-4.5-12zm-2.62 7l1.62-4.33L19.12 17h-3.24z"})})}const ge="iconLanguage_nlXk";var ye=n(1029),be=n(1728);var ve=n(143),we=n(22),ke=n(8202),xe=n(3545),Se=n(3926),Ee=n(1073),_e=n(2539),Ce=n(726);const Te='<svg width="20" height="20" viewBox="0 0 20 20"><path d="M17 6v12c0 .52-.2 1-1 1H4c-.7 0-1-.33-1-1V2c0-.55.42-1 1-1h8l5 5zM14 8h-3.13c-.51 0-.87-.34-.87-.87V4" stroke="currentColor" fill="none" fill-rule="evenodd" stroke-linejoin="round"></path></svg>',Le='<svg width="20" height="20" viewBox="0 0 20 20"><path d="M13 13h4-4V8H7v5h6v4-4H7V8H3h4V3v5h6V3v5h4-4v5zm-6 0v4-4H3h4z" stroke="currentColor" fill="none" fill-rule="evenodd" stroke-linecap="round" stroke-linejoin="round"></path></svg>',je='<svg width="20" height="20" viewBox="0 0 20 20"><path d="M17 5H3h14zm0 5H3h14zm0 5H3h14z" stroke="currentColor" fill="none" fill-rule="evenodd" stroke-linejoin="round"></path></svg>',Re='<svg width="20" height="20" viewBox="0 0 20 20"><g stroke="currentColor" fill="none" fill-rule="evenodd" stroke-linecap="round" stroke-linejoin="round"><path d="M18 3v4c0 2-2 4-4 4H2"></path><path d="M8 17l-6-6 6-6"></path></g></svg>',Pe='<svg width="40" height="40" viewBox="0 0 20 20" fill="none" fill-rule="evenodd" stroke="currentColor" stroke-linecap="round" stroke-linejoin="round"><path d="M15.5 4.8c2 3 1.7 7-1 9.7h0l4.3 4.3-4.3-4.3a7.8 7.8 0 01-9.8 1m-2.2-2.2A7.8 7.8 0 0113.2 2.4M2 18L18 2"></path></svg>',Ne='<svg viewBox="0 0 24 54"><g stroke="currentColor" fill="none" fill-rule="evenodd" stroke-linecap="round" stroke-linejoin="round"><path d="M8 6v42M20 27H8.3"></path></g></svg>',Ae='<svg viewBox="0 0 24 54"><g stroke="currentColor" fill="none" fill-rule="evenodd" stroke-linecap="round" stroke-linejoin="round"><path d="M8 6v21M20 27H8.3"></path></g></svg>',Oe={searchBar:"searchBar_RVTs",dropdownMenu:"dropdownMenu_qbY6",searchBarLeft:"searchBarLeft_MXDe",suggestion:"suggestion_fB_2",cursor:"cursor_eG29",hitTree:"hitTree_kk6K",hitIcon:"hitIcon_a7Zy",hitPath:"hitPath_ieM4",noResultsIcon:"noResultsIcon_EBY5",hitFooter:"hitFooter_E9YW",hitWrapper:"hitWrapper_sAK8",hitTitle:"hitTitle_vyVt",hitAction:"hitAction_NqkB",hideAction:"hideAction_vcyE",noResults:"noResults_l6Q3",searchBarContainer:"searchBarContainer_NW3z",searchBarLoadingRing:"searchBarLoadingRing_YnHq",searchClearButton:"searchClearButton_qk4g",searchIndexLoading:"searchIndexLoading_EJ1f",searchHintContainer:"searchHintContainer_Pkmr",searchHint:"searchHint_iIMx",focused:"focused_OWtg",input:"input_FOTf",hint:"hint_URu1",suggestions:"suggestions_X8XU",dataset:"dataset_QiCy",empty:"empty_eITn"};function Ie(e){let{document:t,type:n,page:r,metadata:a,tokens:o,isInterOfTree:i,isLastOfTree:s}=e;const l=n===xe.P.Title,c=n===xe.P.Keywords,u=l||c,d=n===xe.P.Heading,p=[];i?p.push(Ne):s&&p.push(Ae);const f=p.map((e=>`<span class="${Oe.hitTree}">${e}</span>`)),h=`<span class="${Oe.hitIcon}">${u?Te:d?Le:je}</span>`,m=[`<span class="${Oe.hitTitle}">${c?(0,_e.C)(t.s,o):(0,Ce.o)(t.t,(0,Ee.m)(a,"t"),o)}</span>`];if(!i&&!s&&ye.H6){const e=r?r.b?.concat(r.t).concat(t.s&&t.s!==r.t?t.s:[]):t.b;m.push(`<span class="${Oe.hitPath}">${(0,Se.e)(e??[])}</span>`)}else u||m.push(`<span class="${Oe.hitPath}">${(0,_e.C)(r.t||(t.u.startsWith("/docs/api-reference/")?"API Reference":""),o)}</span>`);const g=`<span class="${Oe.hitAction}">${Re}</span>`;return[...f,h,`<span class="${Oe.hitWrapper}">`,...m,"</span>",g].join("")}function De(){return`<span class="${Oe.noResults}"><span class="${Oe.noResultsIcon}">${Pe}</span><span>${(0,l.I)({id:"theme.SearchBar.noResultsText",message:"No results"})}</span></span>`}var Fe=n(311),Me=n(51);async function Be(){const e=await Promise.all([n.e(8443),n.e(5525)]).then(n.t.bind(n,8443,23)),t=e.default;return t.noConflict?t.noConflict():e.noConflict&&e.noConflict(),t}const ze="_highlight";const $e=function(e){let{handleSearchBarToggle:t}=e;const a=(0,B.Z)(),{siteConfig:{baseUrl:o},i18n:{currentLocale:i}}=(0,le.Z)(),c=(0,ve.gA)();let d=o;try{const{preferredVersion:e}=function(){return n(143).J(...arguments)}(c?.pluginId??ye.gQ);e&&!e.isLast&&(d=e.path+"/")}catch(M){if(ye.l9&&!(M instanceof P.i6))throw M}const p=(0,s.k6)(),f=(0,s.TH)(),h=(0,r.useRef)(null),m=(0,r.useRef)(new Map),g=(0,r.useRef)(!1),[y,b]=(0,r.useState)(!1),[v,w]=(0,r.useState)(!1),[k,x]=(0,r.useState)(""),S=(0,r.useRef)(null),E=(0,r.useRef)(""),[_,C]=(0,r.useState)("");(0,r.useEffect)((()=>{if(!Array.isArray(ye.Kc))return;let e="";if(f.pathname.startsWith(d)){const t=f.pathname.substring(d.length);let n;for(const e of ye.Kc){const r="string"==typeof e?e:e.path;if(t===r||t.startsWith(`${r}/`)){n=r;break}}n&&(e=n)}E.current!==e&&(m.current.delete(e),E.current=e),C(e)}),[f.pathname,d]);const T=!!ye.hG&&Array.isArray(ye.Kc)&&""===_,L=(0,r.useCallback)((async()=>{if(T||m.current.get(_))return;m.current.set(_,"loading"),S.current?.autocomplete.destroy(),b(!0);const[{wrappedIndexes:e,zhDictionary:t},n]=await Promise.all([(0,we.w)(d,_),Be()]);if(S.current=n(h.current,{hint:!1,autoselect:!0,openOnFocus:!0,cssClasses:{root:(0,be.Z)(Oe.searchBar,{[Oe.searchBarLeft]:"left"===ye.pu}),noPrefix:!0,dropdownMenu:Oe.dropdownMenu,input:Oe.input,hint:Oe.hint,suggestions:Oe.suggestions,suggestion:Oe.suggestion,cursor:Oe.cursor,dataset:Oe.dataset,empty:Oe.empty}},[{source:(0,ke.v)(e,t,ye.qo),templates:{suggestion:Ie,empty:De,footer:e=>{let{query:t,isEmpty:n}=e;if(n&&(!_||!ye.pQ))return;const r=(e=>{let{query:t,isEmpty:n}=e;const r=document.createElement("a"),a=new URLSearchParams;let s;if(a.set("q",t),_){const e=_&&Array.isArray(ye.Kc)?ye.Kc.find((e=>"string"==typeof e?e===_:e.path===_)):_,t=e?(0,Me._)(e,i).label:_;s=ye.pQ&&n?(0,l.I)({id:"theme.SearchBar.seeAllOutsideContext",message:'See all results outside "{context}"'},{context:t}):(0,l.I)({id:"theme.SearchBar.searchInContext",message:'See all results within "{context}"'},{context:t})}else s=(0,l.I)({id:"theme.SearchBar.seeAll",message:"See all results"});if(!_||!Array.isArray(ye.Kc)||ye.pQ&&n||a.set("ctx",_),d!==o){if(!d.startsWith(o))throw new Error(`Version url '${d}' does not start with base url '${o}', this is a bug of \`@easyops-cn/docusaurus-search-local\`, please report it.`);a.set("version",d.substring(o.length))}const c=`${o}search/?${a.toString()}`;return r.href=c,r.textContent=s,r.addEventListener("click",(e=>{e.ctrlKey||e.metaKey||(e.preventDefault(),S.current?.autocomplete.close(),p.push(c))})),r})({query:t,isEmpty:n}),a=document.createElement("div");return a.className=Oe.hitFooter,a.appendChild(r),a}}}]).on("autocomplete:selected",(function(e,t){let{document:{u:n,h:r},tokens:a}=t;h.current?.blur();let o=n;if(ye.vc&&a.length>0){const e=new URLSearchParams;for(const t of a)e.append(ze,t);o+=`?${e.toString()}`}r&&(o+=r),p.push(o)})).on("autocomplete:closed",(()=>{h.current?.blur()})),m.current.set(_,"done"),b(!1),g.current){const e=h.current;e.value&&S.current?.autocomplete.open(),e.focus()}}),[T,_,d,o,p]);(0,r.useEffect)((()=>{if(!ye.vc)return;const e=a?new URLSearchParams(f.search).getAll(ze):[];setTimeout((()=>{const t=document.querySelector("article");if(!t)return;const n=new ye.vc(t);n.unmark(),0!==e.length&&n.mark(e),x(e.join(" ")),S.current?.autocomplete.setVal(e.join(" "))}))}),[a,f.search,f.pathname]);const[j,R]=(0,r.useState)(!1),N=(0,r.useCallback)((()=>{g.current=!0,L(),R(!0),t?.(!0)}),[t,L]),A=(0,r.useCallback)((()=>{R(!1),t?.(!1)}),[t]),O=(0,r.useCallback)((()=>{L()}),[L]),I=(0,r.useCallback)((e=>{x(e.target.value),e.target.value&&w(!0)}),[]),D=!!a&&/mac/i.test(navigator.userAgentData?.platform??navigator.platform);(0,r.useEffect)((()=>{if(!ye.AY)return;const e=e=>{!(D?e.metaKey:e.ctrlKey)||"k"!==e.key&&"K"!==e.key||(e.preventDefault(),h.current?.focus(),N())};return document.addEventListener("keydown",e),()=>{document.removeEventListener("keydown",e)}}),[D,N]);const F=(0,r.useCallback)((()=>{const e=new URLSearchParams(f.search);e.delete(ze);const t=e.toString(),n=f.pathname+(""!=t?`?${t}`:"")+f.hash;n!=f.pathname+f.search+f.hash&&p.push(n),x(""),S.current?.autocomplete.setVal("")}),[f.pathname,f.search,f.hash,p]);return(0,u.jsxs)("div",{className:(0,be.Z)("navbar__search",Oe.searchBarContainer,{[Oe.searchIndexLoading]:y&&v,[Oe.focused]:j}),hidden:T,dir:"ltr",children:[(0,u.jsx)("input",{placeholder:(0,l.I)({id:"theme.SearchBar.label",message:"Search",description:"The ARIA label and placeholder for search button"}),"aria-label":"Search",className:"navbar__search-input",onMouseEnter:O,onFocus:N,onBlur:A,onChange:I,ref:h,value:k}),(0,u.jsx)(Fe.Z,{className:Oe.searchBarLoadingRing}),ye.AY&&ye.t_&&(""!==k?(0,u.jsx)("button",{className:Oe.searchClearButton,onClick:F,children:"\u2715"}):a&&(0,u.jsxs)("div",{className:Oe.searchHintContainer,children:[(0,u.jsx)("kbd",{className:Oe.searchHint,children:D?"\u2318":"ctrl"}),(0,u.jsx)("kbd",{className:Oe.searchHint,children:"K"})]}))]})},Ue={navbarSearchContainer:"navbarSearchContainer_Bca1"};function qe(e){let{children:t,className:n}=e;return(0,u.jsx)("div",{className:(0,a.Z)(n,Ue.navbarSearchContainer),children:t})}var He=n(9690);var Qe=n(298);function Ze(e,t){return t.alternateDocVersions[e.name]??function(e){return e.docs.find((t=>t.id===e.mainDocId))}(e)}const Ve={default:oe,localeDropdown:function(e){let{mobile:t,dropdownItemsBefore:n,dropdownItemsAfter:r,queryString:a="",...o}=e;const{i18n:{currentLocale:i,locales:c,localeConfigs:d}}=(0,le.Z)(),p=(0,he.l)(),{search:f,hash:h}=(0,s.TH)(),m=[...n,...c.map((e=>{const n=`${`pathname://${p.createUrl({locale:e,fullyQualified:!1})}`}${f}${h}${a}`;return{label:d[e].label,lang:d[e].htmlLang,to:n,target:"_self",autoAddBaseUrl:!1,className:e===i?t?"menu__link--active":"dropdown__link--active":""}})),...r],g=t?(0,l.I)({message:"Languages",id:"theme.navbar.mobileLanguageDropdown.label",description:"The label for the mobile language switcher dropdown"}):d[i].label;return(0,u.jsx)(fe,{...o,mobile:t,label:(0,u.jsxs)(u.Fragment,{children:[(0,u.jsx)(me,{className:ge}),g]}),items:m})},search:function(e){let{mobile:t,className:n}=e;return t?null:(0,u.jsx)(qe,{className:n,children:(0,u.jsx)($e,{})})},dropdown:fe,html:function(e){let{value:t,className:n,mobile:r=!1,isDropdownItem:o=!1}=e;const i=o?"li":"div";return(0,u.jsx)(i,{className:(0,a.Z)({navbar__item:!r&&!o,"menu__list-item":r},n),dangerouslySetInnerHTML:{__html:t}})},doc:function(e){let{docId:t,label:n,docsPluginId:r,...a}=e;const{activeDoc:o}=(0,ve.Iw)(r),i=(0,He.vY)(t,r),s=o?.path===i?.path;return null===i||i.unlisted&&!s?null:(0,u.jsx)(oe,{exact:!0,...a,isActive:()=>s||!!o?.sidebar&&o.sidebar===i.sidebar,label:n??i.id,to:i.path})},docSidebar:function(e){let{sidebarId:t,label:n,docsPluginId:r,...a}=e;const{activeDoc:o}=(0,ve.Iw)(r),i=(0,He.oz)(t,r).link;if(!i)throw new Error(`DocSidebarNavbarItem: Sidebar with ID "${t}" doesn't have anything to be linked to.`);return(0,u.jsx)(oe,{exact:!0,...a,isActive:()=>o?.sidebar===t,label:n??i.label,to:i.path})},docsVersion:function(e){let{label:t,to:n,docsPluginId:r,...a}=e;const o=(0,He.lO)(r)[0],i=t??o.label,s=n??(e=>e.docs.find((t=>t.id===e.mainDocId)))(o).path;return(0,u.jsx)(oe,{...a,label:i,to:s})},docsVersionDropdown:function(e){let{mobile:t,docsPluginId:n,dropdownActiveClassDisabled:r,dropdownItemsBefore:a,dropdownItemsAfter:o,...i}=e;const{search:c,hash:d}=(0,s.TH)(),p=(0,ve.Iw)(n),f=(0,ve.gB)(n),{savePreferredVersionName:h}=(0,Qe.J)(n),m=[...a,...f.map((function(e){const t=Ze(e,p);return{label:e.label,to:`${t.path}${c}${d}`,isActive:()=>e===p.activeVersion,onClick:()=>h(e.name)}})),...o],g=(0,He.lO)(n)[0],y=t&&m.length>1?(0,l.I)({id:"theme.navbar.mobileVersionsDropdown.label",message:"Versions",description:"The label for the navbar versions dropdown on mobile view"}):g.label,b=t&&m.length>1?void 0:Ze(g,p).path;return m.length<=1?(0,u.jsx)(oe,{...i,mobile:t,label:y,to:b,isActive:r?()=>!1:void 0}):(0,u.jsx)(fe,{...i,mobile:t,label:y,to:b,items:m,isActive:r?()=>!1:void 0})}};function We(e){let{type:t,...n}=e;const r=function(e,t){return e&&"default"!==e?e:"items"in t?"dropdown":"default"}(t,n),a=Ve[r];if(!a)throw new Error(`No NavbarItem component found for type "${t}".`);return(0,u.jsx)(a,{...n})}function Ge(){const e=(0,j.e)(),t=(0,w.L)().navbar.items;return(0,u.jsx)("ul",{className:"menu__list",children:t.map(((t,n)=>(0,r.createElement)(We,{mobile:!0,...t,onClick:()=>e.toggle(),key:n})))})}function Xe(e){return(0,u.jsx)("button",{...e,type:"button",className:"clean-btn navbar-sidebar__back",children:(0,u.jsx)(l.Z,{id:"theme.navbar.mobileSidebarSecondaryMenu.backButtonLabel",description:"The label of the back button to return to main menu, inside the mobile navbar sidebar secondary menu (notably used to display the docs sidebar)",children:"\u2190 Back to main menu"})})}function Ke(){const e=0===(0,w.L)().navbar.items.length,t=D();return(0,u.jsxs)(u.Fragment,{children:[!e&&(0,u.jsx)(Xe,{onClick:()=>t.hide()}),t.content]})}function Ye(){const e=(0,j.e)();var t;return void 0===(t=e.shown)&&(t=!0),(0,r.useEffect)((()=>(document.body.style.overflow=t?"hidden":"visible",()=>{document.body.style.overflow="visible"})),[t]),e.shouldRender?(0,u.jsx)(F,{header:(0,u.jsx)(X,{}),primaryMenu:(0,u.jsx)(Ge,{}),secondaryMenu:(0,u.jsx)(Ke,{})}):null}const Je={navbarHideable:"navbarHideable_m1mJ",navbarHidden:"navbarHidden_jGov"};function et(e){return(0,u.jsx)("div",{role:"presentation",...e,className:(0,a.Z)("navbar-sidebar__backdrop",e.className)})}function tt(e){let{children:t}=e;const{navbar:{hideOnScroll:n,style:o}}=(0,w.L)(),i=(0,j.e)(),{navbarRef:s,isNavbarVisible:d}=function(e){const[t,n]=(0,r.useState)(e),a=(0,r.useRef)(!1),o=(0,r.useRef)(0),i=(0,r.useCallback)((e=>{null!==e&&(o.current=e.getBoundingClientRect().height)}),[]);return(0,R.RF)(((t,r)=>{let{scrollY:i}=t;if(!e)return;if(i<o.current)return void n(!0);if(a.current)return void(a.current=!1);const s=r?.scrollY,l=document.documentElement.scrollHeight-o.current,c=window.innerHeight;s&&i>=s?n(!1):i+c<l&&n(!0)})),(0,c.S)((t=>{if(!e)return;const r=t.location.hash;if(r?document.getElementById(r.substring(1)):void 0)return a.current=!0,void n(!1);n(!0)})),{navbarRef:i,isNavbarVisible:t}}(n);return(0,u.jsxs)("nav",{ref:s,"aria-label":(0,l.I)({id:"theme.NavBar.navAriaLabel",message:"Main",description:"The ARIA label for the main navigation"}),className:(0,a.Z)("navbar","navbar--fixed-top",n&&[Je.navbarHideable,!d&&Je.navbarHidden],{"navbar--dark":"dark"===o,"navbar--primary":"primary"===o,"navbar-sidebar--show":i.shown}),children:[t,(0,u.jsx)(et,{onClick:i.toggle}),(0,u.jsx)(Ye,{})]})}var nt=n(3087);const rt="right";function at(e){let{width:t=30,height:n=30,className:r,...a}=e;return(0,u.jsx)("svg",{className:r,width:t,height:n,viewBox:"0 0 30 30","aria-hidden":"true",...a,children:(0,u.jsx)("path",{stroke:"currentColor",strokeLinecap:"round",strokeMiterlimit:"10",strokeWidth:"2",d:"M4 7h22M4 15h22M4 23h22"})})}function ot(){const{toggle:e,shown:t}=(0,j.e)();return(0,u.jsx)("button",{onClick:e,"aria-label":(0,l.I)({id:"theme.docs.sidebar.toggleSidebarButtonAriaLabel",message:"Toggle navigation bar",description:"The ARIA label for hamburger menu button of mobile navigation"}),"aria-expanded":t,className:"navbar__toggle clean-btn",type:"button",children:(0,u.jsx)(at,{})})}const it={colorModeToggle:"colorModeToggle_DEke"};function st(e){let{items:t}=e;return(0,u.jsx)(u.Fragment,{children:t.map(((e,t)=>(0,u.jsx)(nt.QW,{onError:t=>new Error(`A theme navbar item failed to render.\nPlease double-check the following navbar item (themeConfig.navbar.items) of your Docusaurus config:\n${JSON.stringify(e,null,2)}`,{cause:t}),children:(0,u.jsx)(We,{...e})},t)))})}function lt(e){let{left:t,right:n}=e;return(0,u.jsxs)("div",{className:"navbar__inner",children:[(0,u.jsx)("div",{className:"navbar__items",children:t}),(0,u.jsx)("div",{className:"navbar__items navbar__items--right",children:n})]})}function ct(){const e=(0,j.e)(),t=(0,w.L)().navbar.items,[n,r]=function(e){function t(e){return"left"===(e.position??rt)}return[e.filter(t),e.filter((e=>!t(e)))]}(t),a=t.find((e=>"search"===e.type));return(0,u.jsx)(lt,{left:(0,u.jsxs)(u.Fragment,{children:[!e.disabled&&(0,u.jsx)(ot,{}),(0,u.jsx)(W,{}),(0,u.jsx)(st,{items:n})]}),right:(0,u.jsxs)(u.Fragment,{children:[(0,u.jsx)(st,{items:r}),(0,u.jsx)(Z,{className:it.colorModeToggle}),!a&&(0,u.jsx)(qe,{children:(0,u.jsx)($e,{})})]})})}function ut(){return(0,u.jsx)(tt,{children:(0,u.jsx)(ct,{})})}function dt(e){let{item:t}=e;const{to:n,href:r,label:a,prependBaseUrlToHref:o,...i}=t,s=(0,Y.ZP)(n),l=(0,Y.ZP)(r,{forcePrependBaseUrl:!0});return(0,u.jsxs)(K.Z,{className:"footer__link-item",...r?{href:o?l:r}:{to:s},...i,children:[a,r&&!(0,J.Z)(r)&&(0,u.jsx)(te.Z,{})]})}function pt(e){let{item:t}=e;return t.html?(0,u.jsx)("li",{className:"footer__item",dangerouslySetInnerHTML:{__html:t.html}}):(0,u.jsx)("li",{className:"footer__item",children:(0,u.jsx)(dt,{item:t})},t.href??t.to)}function ft(e){let{column:t}=e;return(0,u.jsxs)("div",{className:"col footer__col",children:[(0,u.jsx)("div",{className:"footer__title",children:t.title}),(0,u.jsx)("ul",{className:"footer__items clean-list",children:t.items.map(((e,t)=>(0,u.jsx)(pt,{item:e},t)))})]})}function ht(e){let{columns:t}=e;return(0,u.jsx)("div",{className:"row footer__links",children:t.map(((e,t)=>(0,u.jsx)(ft,{column:e},t)))})}function mt(){return(0,u.jsx)("span",{className:"footer__link-separator",children:"\xb7"})}function gt(e){let{item:t}=e;return t.html?(0,u.jsx)("span",{className:"footer__link-item",dangerouslySetInnerHTML:{__html:t.html}}):(0,u.jsx)(dt,{item:t})}function yt(e){let{links:t}=e;return(0,u.jsx)("div",{className:"footer__links text--center",children:(0,u.jsx)("div",{className:"footer__links",children:t.map(((e,n)=>(0,u.jsxs)(r.Fragment,{children:[(0,u.jsx)(gt,{item:e}),t.length!==n+1&&(0,u.jsx)(mt,{})]},n)))})})}function bt(e){let{links:t}=e;return function(e){return"title"in e[0]}(t)?(0,u.jsx)(ht,{columns:t}):(0,u.jsx)(yt,{links:t})}var vt=n(9965);const wt={footerLogoLink:"footerLogoLink_BH7S"};function kt(e){let{logo:t}=e;const{withBaseUrl:n}=(0,Y.Cg)(),r={light:n(t.src),dark:n(t.srcDark??t.src)};return(0,u.jsx)(vt.Z,{className:(0,a.Z)("footer__logo",t.className),alt:t.alt,sources:r,width:t.width,height:t.height,style:t.style})}function xt(e){let{logo:t}=e;return t.href?(0,u.jsx)(K.Z,{href:t.href,className:wt.footerLogoLink,target:t.target,children:(0,u.jsx)(kt,{logo:t})}):(0,u.jsx)(kt,{logo:t})}function St(e){let{copyright:t}=e;return(0,u.jsx)("div",{className:"footer__copyright",dangerouslySetInnerHTML:{__html:t}})}function Et(e){let{style:t,links:n,logo:r,copyright:o}=e;return(0,u.jsx)("footer",{className:(0,a.Z)("footer",{"footer--dark":"dark"===t}),children:(0,u.jsxs)("div",{className:"container container-fluid",children:[n,(r||o)&&(0,u.jsxs)("div",{className:"footer__bottom text--center",children:[r&&(0,u.jsx)("div",{className:"margin-bottom--sm",children:r}),o]})]})})}function _t(){const{footer:e}=(0,w.L)();if(!e)return null;const{copyright:t,links:n,logo:r,style:a}=e;return(0,u.jsx)(Et,{style:a,links:n&&n.length>0&&(0,u.jsx)(bt,{links:n}),logo:r&&(0,u.jsx)(xt,{logo:r}),copyright:t&&(0,u.jsx)(St,{copyright:t})})}const Ct=r.memo(_t),Tt=(0,P.Qc)([M.S,k.p,R.OC,Qe.L5,i.VC,function(e){let{children:t}=e;return(0,u.jsx)(N.n2,{children:(0,u.jsx)(j.M,{children:(0,u.jsx)(O,{children:t})})})}]);function Lt(e){let{children:t}=e;return(0,u.jsx)(Tt,{children:t})}var jt=n(2503);function Rt(e){let{error:t,tryAgain:n}=e;return(0,u.jsx)("main",{className:"container margin-vert--xl",children:(0,u.jsx)("div",{className:"row",children:(0,u.jsxs)("div",{className:"col col--6 col--offset-3",children:[(0,u.jsx)(jt.Z,{as:"h1",className:"hero__title",children:(0,u.jsx)(l.Z,{id:"theme.ErrorPageContent.title",description:"The title of the fallback page when the page crashed",children:"This page crashed."})}),(0,u.jsx)("div",{className:"margin-vert--lg",children:(0,u.jsx)(nt.Cw,{onClick:n,className:"button button--primary shadow--lw"})}),(0,u.jsx)("hr",{}),(0,u.jsx)("div",{className:"margin-vert--md",children:(0,u.jsx)(nt.aG,{error:t})})]})})})}const Pt={mainWrapper:"mainWrapper_z2l0"};function Nt(e){const{children:t,noFooter:n,wrapperClassName:r,title:s,description:l}=e;return(0,y.t)(),(0,u.jsxs)(Lt,{children:[(0,u.jsx)(i.d,{title:s,description:l}),(0,u.jsx)(v,{}),(0,u.jsx)(L,{}),(0,u.jsx)(ut,{}),(0,u.jsx)("div",{id:d,className:(0,a.Z)(g.k.wrapper.main,Pt.mainWrapper,r),children:(0,u.jsx)(o.Z,{fallback:e=>(0,u.jsx)(Rt,{...e}),children:t})}),!n&&(0,u.jsx)(Ct,{})]})}},1327:(e,t,n)=>{"use strict";n.d(t,{Z:()=>u});n(7294);var r=n(3692),a=n(4996),o=n(2263),i=n(6668),s=n(9965),l=n(5893);function c(e){let{logo:t,alt:n,imageClassName:r}=e;const o={light:(0,a.ZP)(t.src),dark:(0,a.ZP)(t.srcDark||t.src)},i=(0,l.jsx)(s.Z,{className:t.className,sources:o,height:t.height,width:t.width,alt:n,style:t.style});return r?(0,l.jsx)("div",{className:r,children:i}):i}function u(e){const{siteConfig:{title:t}}=(0,o.Z)(),{navbar:{title:n,logo:s}}=(0,i.L)(),{imageClassName:u,titleClassName:d,...p}=e,f=(0,a.ZP)(s?.href||"/"),h=n?"":t,m=s?.alt??h;return(0,l.jsxs)(r.Z,{to:f,...p,...s?.target&&{target:s.target},children:[s&&(0,l.jsx)(c,{logo:s,alt:m,imageClassName:u}),null!=n&&(0,l.jsx)("b",{className:d,children:n})]})}},197:(e,t,n)=>{"use strict";n.d(t,{Z:()=>o});n(7294);var r=n(5742),a=n(5893);function o(e){let{locale:t,version:n,tag:o}=e;const i=t;return(0,a.jsxs)(r.Z,{children:[t&&(0,a.jsx)("meta",{name:"docusaurus_locale",content:t}),n&&(0,a.jsx)("meta",{name:"docusaurus_version",content:n}),o&&(0,a.jsx)("meta",{name:"docusaurus_tag",content:o}),i&&(0,a.jsx)("meta",{name:"docsearch:language",content:i}),n&&(0,a.jsx)("meta",{name:"docsearch:version",content:n}),o&&(0,a.jsx)("meta",{name:"docsearch:docusaurus_tag",content:o})]})}},9965:(e,t,n)=>{"use strict";n.d(t,{Z:()=>u});var r=n(7294),a=n(512),o=n(2389),i=n(2949);const s={themedComponent:"themedComponent_mlkZ","themedComponent--light":"themedComponent--light_NVdE","themedComponent--dark":"themedComponent--dark_xIcU"};var l=n(5893);function c(e){let{className:t,children:n}=e;const c=(0,o.Z)(),{colorMode:u}=(0,i.I)();return(0,l.jsx)(l.Fragment,{children:(c?"dark"===u?["dark"]:["light"]:["light","dark"]).map((e=>{const o=n({theme:e,className:(0,a.Z)(t,s.themedComponent,s[`themedComponent--${e}`])});return(0,l.jsx)(r.Fragment,{children:o},e)}))})}function u(e){const{sources:t,className:n,alt:r,...a}=e;return(0,l.jsx)(c,{className:n,children:e=>{let{theme:n,className:o}=e;return(0,l.jsx)("img",{src:t[n],alt:r,className:o,...a})}})}},6043:(e,t,n)=>{"use strict";n.d(t,{u:()=>c,z:()=>y});var r=n(7294),a=n(412),o=n(469),i=n(1442),s=n(5893);const l="ease-in-out";function c(e){let{initialState:t}=e;const[n,a]=(0,r.useState)(t??!1),o=(0,r.useCallback)((()=>{a((e=>!e))}),[]);return{collapsed:n,setCollapsed:a,toggleCollapsed:o}}const u={display:"none",overflow:"hidden",height:"0px"},d={display:"block",overflow:"visible",height:"auto"};function p(e,t){const n=t?u:d;e.style.display=n.display,e.style.overflow=n.overflow,e.style.height=n.height}function f(e){let{collapsibleRef:t,collapsed:n,animation:a}=e;const o=(0,r.useRef)(!1);(0,r.useEffect)((()=>{const e=t.current;function r(){const t=e.scrollHeight,n=a?.duration??function(e){if((0,i.n)())return 1;const t=e/36;return Math.round(10*(4+15*t**.25+t/5))}(t);return{transition:`height ${n}ms ${a?.easing??l}`,height:`${t}px`}}function s(){const t=r();e.style.transition=t.transition,e.style.height=t.height}if(!o.current)return p(e,n),void(o.current=!0);return e.style.willChange="height",function(){const t=requestAnimationFrame((()=>{n?(s(),requestAnimationFrame((()=>{e.style.height=u.height,e.style.overflow=u.overflow}))):(e.style.display="block",requestAnimationFrame((()=>{s()})))}));return()=>cancelAnimationFrame(t)}()}),[t,n,a])}function h(e){if(!a.Z.canUseDOM)return e?u:d}function m(e){let{as:t="div",collapsed:n,children:a,animation:o,onCollapseTransitionEnd:i,className:l,disableSSRStyle:c}=e;const u=(0,r.useRef)(null);return f({collapsibleRef:u,collapsed:n,animation:o}),(0,s.jsx)(t,{ref:u,style:c?void 0:h(n),onTransitionEnd:e=>{"height"===e.propertyName&&(p(u.current,n),i?.(n))},className:l,children:a})}function g(e){let{collapsed:t,...n}=e;const[a,i]=(0,r.useState)(!t),[l,c]=(0,r.useState)(t);return(0,o.Z)((()=>{t||i(!0)}),[t]),(0,o.Z)((()=>{a&&c(t)}),[a,t]),a?(0,s.jsx)(m,{...n,collapsed:l}):null}function y(e){let{lazy:t,...n}=e;const r=t?g:m;return(0,s.jsx)(r,{...n})}},9689:(e,t,n)=>{"use strict";n.d(t,{n:()=>m,p:()=>h});var r=n(7294),a=n(2389),o=n(812),i=n(902),s=n(6668),l=n(5893);const c=(0,o.WA)("docusaurus.announcement.dismiss"),u=(0,o.WA)("docusaurus.announcement.id"),d=()=>"true"===c.get(),p=e=>c.set(String(e)),f=r.createContext(null);function h(e){let{children:t}=e;const n=function(){const{announcementBar:e}=(0,s.L)(),t=(0,a.Z)(),[n,o]=(0,r.useState)((()=>!!t&&d()));(0,r.useEffect)((()=>{o(d())}),[]);const i=(0,r.useCallback)((()=>{p(!0),o(!0)}),[]);return(0,r.useEffect)((()=>{if(!e)return;const{id:t}=e;let n=u.get();"annoucement-bar"===n&&(n="announcement-bar");const r=t!==n;u.set(t),r&&p(!1),!r&&d()||o(!1)}),[e]),(0,r.useMemo)((()=>({isActive:!!e&&!n,close:i})),[e,n,i])}();return(0,l.jsx)(f.Provider,{value:n,children:t})}function m(){const e=(0,r.useContext)(f);if(!e)throw new i.i6("AnnouncementBarProvider");return e}},2949:(e,t,n)=>{"use strict";n.d(t,{I:()=>y,S:()=>g});var r=n(7294),a=n(412),o=n(902),i=n(812),s=n(6668),l=n(5893);const c=r.createContext(void 0),u="theme",d=(0,i.WA)(u),p={light:"light",dark:"dark"},f=e=>e===p.dark?p.dark:p.light,h=e=>a.Z.canUseDOM?f(document.documentElement.getAttribute("data-theme")):f(e),m=e=>{d.set(f(e))};function g(e){let{children:t}=e;const n=function(){const{colorMode:{defaultMode:e,disableSwitch:t,respectPrefersColorScheme:n}}=(0,s.L)(),[a,o]=(0,r.useState)(h(e));(0,r.useEffect)((()=>{t&&d.del()}),[t]);const i=(0,r.useCallback)((function(t,r){void 0===r&&(r={});const{persist:a=!0}=r;t?(o(t),a&&m(t)):(o(n?window.matchMedia("(prefers-color-scheme: dark)").matches?p.dark:p.light:e),d.del())}),[n,e]);(0,r.useEffect)((()=>{document.documentElement.setAttribute("data-theme",f(a))}),[a]),(0,r.useEffect)((()=>{if(t)return;const e=e=>{if(e.key!==u)return;const t=d.get();null!==t&&i(f(t))};return window.addEventListener("storage",e),()=>window.removeEventListener("storage",e)}),[t,i]);const l=(0,r.useRef)(!1);return(0,r.useEffect)((()=>{if(t&&!n)return;const e=window.matchMedia("(prefers-color-scheme: dark)"),r=()=>{window.matchMedia("print").matches||l.current?l.current=window.matchMedia("print").matches:i(null)};return e.addListener(r),()=>e.removeListener(r)}),[i,t,n]),(0,r.useMemo)((()=>({colorMode:a,setColorMode:i,get isDarkTheme(){return a===p.dark},setLightTheme(){i(p.light)},setDarkTheme(){i(p.dark)}})),[a,i])}();return(0,l.jsx)(c.Provider,{value:n,children:t})}function y(){const e=(0,r.useContext)(c);if(null==e)throw new o.i6("ColorModeProvider","Please see https://docusaurus.io/docs/api/themes/configuration#use-color-mode.");return e}},3163:(e,t,n)=>{"use strict";n.d(t,{M:()=>p,e:()=>f});var r=n(7294),a=n(3102),o=n(7524),i=n(1980),s=n(6668),l=n(902),c=n(5893);const u=r.createContext(void 0);function d(){const e=function(){const e=(0,a.HY)(),{items:t}=(0,s.L)().navbar;return 0===t.length&&!e.component}(),t=(0,o.i)(),n=!e&&"mobile"===t,[l,c]=(0,r.useState)(!1);(0,i.Rb)((()=>{if(l)return c(!1),!1}));const u=(0,r.useCallback)((()=>{c((e=>!e))}),[]);return(0,r.useEffect)((()=>{"desktop"===t&&c(!1)}),[t]),(0,r.useMemo)((()=>({disabled:e,shouldRender:n,toggle:u,shown:l})),[e,n,u,l])}function p(e){let{children:t}=e;const n=d();return(0,c.jsx)(u.Provider,{value:n,children:t})}function f(){const e=r.useContext(u);if(void 0===e)throw new l.i6("NavbarMobileSidebarProvider");return e}},3102:(e,t,n)=>{"use strict";n.d(t,{HY:()=>l,Zo:()=>c,n2:()=>s});var r=n(7294),a=n(902),o=n(5893);const i=r.createContext(null);function s(e){let{children:t}=e;const n=(0,r.useState)({component:null,props:null});return(0,o.jsx)(i.Provider,{value:n,children:t})}function l(){const e=(0,r.useContext)(i);if(!e)throw new a.i6("NavbarSecondaryMenuContentProvider");return e[0]}function c(e){let{component:t,props:n}=e;const o=(0,r.useContext)(i);if(!o)throw new a.i6("NavbarSecondaryMenuContentProvider");const[,s]=o,l=(0,a.Ql)(n);return(0,r.useEffect)((()=>{s({component:t,props:l})}),[s,t,l]),(0,r.useEffect)((()=>()=>s({component:null,props:null})),[s]),null}},9727:(e,t,n)=>{"use strict";n.d(t,{h:()=>a,t:()=>o});var r=n(7294);const a="navigation-with-keyboard";function o(){(0,r.useEffect)((()=>{function e(e){"keydown"===e.type&&"Tab"===e.key&&document.body.classList.add(a),"mousedown"===e.type&&document.body.classList.remove(a)}return document.addEventListener("keydown",e),document.addEventListener("mousedown",e),()=>{document.body.classList.remove(a),document.removeEventListener("keydown",e),document.removeEventListener("mousedown",e)}}),[])}},7524:(e,t,n)=>{"use strict";n.d(t,{i:()=>s});var r=n(7294),a=n(412);const o={desktop:"desktop",mobile:"mobile",ssr:"ssr"},i=996;function s(e){let{desktopBreakpoint:t=i}=void 0===e?{}:e;const[n,s]=(0,r.useState)((()=>"ssr"));return(0,r.useEffect)((()=>{function e(){s(function(e){if(!a.Z.canUseDOM)throw new Error("getWindowSize() should only be called after React hydration");return window.innerWidth>e?o.desktop:o.mobile}(t))}return e(),window.addEventListener("resize",e),()=>{window.removeEventListener("resize",e)}}),[t]),n}},5281:(e,t,n)=>{"use strict";n.d(t,{k:()=>r});const r={page:{blogListPage:"blog-list-page",blogPostPage:"blog-post-page",blogTagsListPage:"blog-tags-list-page",blogTagPostListPage:"blog-tags-post-list-page",blogAuthorsListPage:"blog-authors-list-page",blogAuthorsPostsPage:"blog-authors-posts-page",docsDocPage:"docs-doc-page",docsTagsListPage:"docs-tags-list-page",docsTagDocListPage:"docs-tags-doc-list-page",mdxPage:"mdx-page"},wrapper:{main:"main-wrapper",blogPages:"blog-wrapper",docsPages:"docs-wrapper",mdxPages:"mdx-wrapper"},common:{editThisPage:"theme-edit-this-page",lastUpdated:"theme-last-updated",backToTopButton:"theme-back-to-top-button",codeBlock:"theme-code-block",admonition:"theme-admonition",unlistedBanner:"theme-unlisted-banner",draftBanner:"theme-draft-banner",admonitionType:e=>`theme-admonition-${e}`},layout:{},docs:{docVersionBanner:"theme-doc-version-banner",docVersionBadge:"theme-doc-version-badge",docBreadcrumbs:"theme-doc-breadcrumbs",docMarkdown:"theme-doc-markdown",docTocMobile:"theme-doc-toc-mobile",docTocDesktop:"theme-doc-toc-desktop",docFooter:"theme-doc-footer",docFooterTagsRow:"theme-doc-footer-tags-row",docFooterEditMetaRow:"theme-doc-footer-edit-meta-row",docSidebarContainer:"theme-doc-sidebar-container",docSidebarMenu:"theme-doc-sidebar-menu",docSidebarItemCategory:"theme-doc-sidebar-item-category",docSidebarItemLink:"theme-doc-sidebar-item-link",docSidebarItemCategoryLevel:e=>`theme-doc-sidebar-item-category-level-${e}`,docSidebarItemLinkLevel:e=>`theme-doc-sidebar-item-link-level-${e}`},blog:{blogFooterTagsRow:"theme-blog-footer-tags-row",blogFooterEditMetaRow:"theme-blog-footer-edit-meta-row"},pages:{pageFooterEditMetaRow:"theme-pages-footer-edit-meta-row"}}},1442:(e,t,n)=>{"use strict";function r(){return window.matchMedia("(prefers-reduced-motion: reduce)").matches}n.d(t,{n:()=>r})},3087:(e,t,n)=>{"use strict";n.d(t,{aG:()=>u,Ac:()=>c,Cw:()=>l,QW:()=>d});var r=n(7294),a=n(5999),o=n(8780);const i={errorBoundaryError:"errorBoundaryError_a6uf",errorBoundaryFallback:"errorBoundaryFallback_VBag"};var s=n(5893);function l(e){return(0,s.jsx)("button",{type:"button",...e,children:(0,s.jsx)(a.Z,{id:"theme.ErrorPageContent.tryAgain",description:"The label of the button to try again rendering when the React error boundary captures an error",children:"Try again"})})}function c(e){let{error:t,tryAgain:n}=e;return(0,s.jsxs)("div",{className:i.errorBoundaryFallback,children:[(0,s.jsx)("p",{children:t.message}),(0,s.jsx)(l,{onClick:n})]})}function u(e){let{error:t}=e;const n=(0,o.BN)(t).map((e=>e.message)).join("\n\nCause:\n");return(0,s.jsx)("p",{className:i.errorBoundaryError,children:n})}class d extends r.Component{componentDidCatch(e,t){throw this.props.onError(e,t)}render(){return this.props.children}}},1980:(e,t,n)=>{"use strict";n.d(t,{Rb:()=>i,_X:()=>l});var r=n(7294),a=n(6550),o=n(902);function i(e){!function(e){const t=(0,a.k6)(),n=(0,o.zX)(e);(0,r.useEffect)((()=>t.block(((e,t)=>n(e,t)))),[t,n])}(((t,n)=>{if("POP"===n)return e(t,n)}))}function s(e){const t=(0,a.k6)();return(0,r.useSyncExternalStore)(t.listen,(()=>e(t)),(()=>e(t)))}function l(e){return s((t=>null===e?null:new URLSearchParams(t.location.search).get(e)))}},7392:(e,t,n)=>{"use strict";function r(e,t){return void 0===t&&(t=(e,t)=>e===t),e.filter(((n,r)=>e.findIndex((e=>t(e,n)))!==r))}function a(e){return Array.from(new Set(e))}n.d(t,{jj:()=>a,lx:()=>r})},1944:(e,t,n)=>{"use strict";n.d(t,{FG:()=>f,d:()=>d,VC:()=>h});var r=n(7294),a=n(512),o=n(5742),i=n(226);function s(){const e=r.useContext(i._);if(!e)throw new Error("Unexpected: no Docusaurus route context found");return e}var l=n(4996),c=n(2263);var u=n(5893);function d(e){let{title:t,description:n,keywords:r,image:a,children:i}=e;const s=function(e){const{siteConfig:t}=(0,c.Z)(),{title:n,titleDelimiter:r}=t;return e?.trim().length?`${e.trim()} ${r} ${n}`:n}(t),{withBaseUrl:d}=(0,l.Cg)(),p=a?d(a,{absolute:!0}):void 0;return(0,u.jsxs)(o.Z,{children:[t&&(0,u.jsx)("title",{children:s}),t&&(0,u.jsx)("meta",{property:"og:title",content:s}),n&&(0,u.jsx)("meta",{name:"description",content:n}),n&&(0,u.jsx)("meta",{property:"og:description",content:n}),r&&(0,u.jsx)("meta",{name:"keywords",content:Array.isArray(r)?r.join(","):r}),p&&(0,u.jsx)("meta",{property:"og:image",content:p}),p&&(0,u.jsx)("meta",{name:"twitter:image",content:p}),i]})}const p=r.createContext(void 0);function f(e){let{className:t,children:n}=e;const i=r.useContext(p),s=(0,a.Z)(i,t);return(0,u.jsxs)(p.Provider,{value:s,children:[(0,u.jsx)(o.Z,{children:(0,u.jsx)("html",{className:s})}),n]})}function h(e){let{children:t}=e;const n=s(),r=`plugin-${n.plugin.name.replace(/docusaurus-(?:plugin|theme)-(?:content-)?/gi,"")}`;const o=`plugin-id-${n.plugin.id}`;return(0,u.jsx)(f,{className:(0,a.Z)(r,o),children:t})}},902:(e,t,n)=>{"use strict";n.d(t,{D9:()=>s,Qc:()=>u,Ql:()=>c,i6:()=>l,zX:()=>i});var r=n(7294),a=n(469),o=n(5893);function i(e){const t=(0,r.useRef)(e);return(0,a.Z)((()=>{t.current=e}),[e]),(0,r.useCallback)((function(){return t.current(...arguments)}),[])}function s(e){const t=(0,r.useRef)();return(0,a.Z)((()=>{t.current=e})),t.current}class l extends Error{constructor(e,t){super(),this.name="ReactContextError",this.message=`Hook ${this.stack?.split("\n")[1]?.match(/at (?:\w+\.)?(?<name>\w+)/)?.groups.name??""} is called outside the <${e}>. ${t??""}`}}function c(e){const t=Object.entries(e);return t.sort(((e,t)=>e[0].localeCompare(t[0]))),(0,r.useMemo)((()=>e),t.flat())}function u(e){return t=>{let{children:n}=t;return(0,o.jsx)(o.Fragment,{children:e.reduceRight(((e,t)=>(0,o.jsx)(t,{children:e})),n)})}}},8596:(e,t,n)=>{"use strict";n.d(t,{Mg:()=>i,Ns:()=>s});var r=n(7294),a=n(723),o=n(2263);function i(e,t){const n=e=>(!e||e.endsWith("/")?e:`${e}/`)?.toLowerCase();return n(e)===n(t)}function s(){const{baseUrl:e}=(0,o.Z)().siteConfig;return(0,r.useMemo)((()=>function(e){let{baseUrl:t,routes:n}=e;function r(e){return e.path===t&&!0===e.exact}function a(e){return e.path===t&&!e.exact}return function e(t){if(0===t.length)return;return t.find(r)||e(t.filter(a).flatMap((e=>e.routes??[])))}(n)}({routes:a.Z,baseUrl:e})),[e])}},2466:(e,t,n)=>{"use strict";n.d(t,{Ct:()=>m,OC:()=>u,RF:()=>f,o5:()=>h});var r=n(7294),a=n(412),o=n(2389),i=n(469),s=n(902),l=n(5893);const c=r.createContext(void 0);function u(e){let{children:t}=e;const n=function(){const e=(0,r.useRef)(!0);return(0,r.useMemo)((()=>({scrollEventsEnabledRef:e,enableScrollEvents:()=>{e.current=!0},disableScrollEvents:()=>{e.current=!1}})),[])}();return(0,l.jsx)(c.Provider,{value:n,children:t})}function d(){const e=(0,r.useContext)(c);if(null==e)throw new s.i6("ScrollControllerProvider");return e}const p=()=>a.Z.canUseDOM?{scrollX:window.pageXOffset,scrollY:window.pageYOffset}:null;function f(e,t){void 0===t&&(t=[]);const{scrollEventsEnabledRef:n}=d(),a=(0,r.useRef)(p()),o=(0,s.zX)(e);(0,r.useEffect)((()=>{const e=()=>{if(!n.current)return;const e=p();o(e,a.current),a.current=e},t={passive:!0};return e(),window.addEventListener("scroll",e,t),()=>window.removeEventListener("scroll",e,t)}),[o,n,...t])}function h(){const e=d(),t=function(){const e=(0,r.useRef)({elem:null,top:0}),t=(0,r.useCallback)((t=>{e.current={elem:t,top:t.getBoundingClientRect().top}}),[]),n=(0,r.useCallback)((()=>{const{current:{elem:t,top:n}}=e;if(!t)return{restored:!1};const r=t.getBoundingClientRect().top-n;return r&&window.scrollBy({left:0,top:r}),e.current={elem:null,top:0},{restored:0!==r}}),[]);return(0,r.useMemo)((()=>({save:t,restore:n})),[n,t])}(),n=(0,r.useRef)(void 0),a=(0,r.useCallback)((r=>{t.save(r),e.disableScrollEvents(),n.current=()=>{const{restored:r}=t.restore();if(n.current=void 0,r){const t=()=>{e.enableScrollEvents(),window.removeEventListener("scroll",t)};window.addEventListener("scroll",t)}else e.enableScrollEvents()}}),[e,t]);return(0,i.Z)((()=>{queueMicrotask((()=>n.current?.()))})),{blockElementScrollPositionUntilNextRender:a}}function m(){const e=(0,r.useRef)(null),t=(0,o.Z)()&&"smooth"===getComputedStyle(document.documentElement).scrollBehavior;return{startScroll:n=>{e.current=t?function(e){return window.scrollTo({top:e,behavior:"smooth"}),()=>{}}(n):function(e){let t=null;const n=document.documentElement.scrollTop>e;return function r(){const a=document.documentElement.scrollTop;(n&&a>e||!n&&a<e)&&(t=requestAnimationFrame(r),window.scrollTo(0,Math.floor(.85*(a-e))+e))}(),()=>t&&cancelAnimationFrame(t)}(n)},cancelScroll:()=>e.current?.()}}},812:(e,t,n)=>{"use strict";n.d(t,{WA:()=>u,Nk:()=>d});var r=n(7294);const a=JSON.parse('{"d":"localStorage","u":""}'),o=a.d;function i(e){let{key:t,oldValue:n,newValue:r,storage:a}=e;if(n===r)return;const o=document.createEvent("StorageEvent");o.initStorageEvent("storage",!1,!1,t,n,r,window.location.href,a),window.dispatchEvent(o)}function s(e){if(void 0===e&&(e=o),"undefined"==typeof window)throw new Error("Browser storage is not available on Node.js/Docusaurus SSR process.");if("none"===e)return null;try{return window[e]}catch(n){return t=n,l||(console.warn("Docusaurus browser storage is not available.\nPossible reasons: running Docusaurus in an iframe, in an incognito browser session, or using too strict browser privacy settings.",t),l=!0),null}var t}let l=!1;const c={get:()=>null,set:()=>{},del:()=>{},listen:()=>()=>{}};function u(e,t){const n=`${e}${a.u}`;if("undefined"==typeof window)return function(e){function t(){throw new Error(`Illegal storage API usage for storage key "${e}".\nDocusaurus storage APIs are not supposed to be called on the server-rendering process.\nPlease only call storage APIs in effects and event handlers.`)}return{get:t,set:t,del:t,listen:t}}(n);const r=s(t?.persistence);return null===r?c:{get:()=>{try{return r.getItem(n)}catch(e){return console.error(`Docusaurus storage error, can't get key=${n}`,e),null}},set:e=>{try{const t=r.getItem(n);r.setItem(n,e),i({key:n,oldValue:t,newValue:e,storage:r})}catch(t){console.error(`Docusaurus storage error, can't set ${n}=${e}`,t)}},del:()=>{try{const e=r.getItem(n);r.removeItem(n),i({key:n,oldValue:e,newValue:null,storage:r})}catch(e){console.error(`Docusaurus storage error, can't delete key=${n}`,e)}},listen:e=>{try{const t=t=>{t.storageArea===r&&t.key===n&&e(t)};return window.addEventListener("storage",t),()=>window.removeEventListener("storage",t)}catch(t){return console.error(`Docusaurus storage error, can't listen for changes of key=${n}`,t),()=>{}}}}}function d(e,t){const n=(0,r.useRef)((()=>null===e?c:u(e,t))).current(),a=(0,r.useCallback)((e=>"undefined"==typeof window?()=>{}:n.listen(e)),[n]);return[(0,r.useSyncExternalStore)(a,(()=>"undefined"==typeof window?null:n.get()),(()=>null)),n]}},4711:(e,t,n)=>{"use strict";n.d(t,{l:()=>i});var r=n(2263),a=n(6550),o=n(8780);function i(){const{siteConfig:{baseUrl:e,url:t,trailingSlash:n},i18n:{defaultLocale:i,currentLocale:s}}=(0,r.Z)(),{pathname:l}=(0,a.TH)(),c=(0,o.Do)(l,{trailingSlash:n,baseUrl:e}),u=s===i?e:e.replace(`/${s}/`,"/"),d=c.replace(e,"");return{createUrl:function(e){let{locale:n,fullyQualified:r}=e;return`${r?t:""}${function(e){return e===i?`${u}`:`${u}${e}/`}(n)}${d}`}}}},5936:(e,t,n)=>{"use strict";n.d(t,{S:()=>i});var r=n(7294),a=n(6550),o=n(902);function i(e){const t=(0,a.TH)(),n=(0,o.D9)(t),i=(0,o.zX)(e);(0,r.useEffect)((()=>{n&&t!==n&&i({location:t,previousLocation:n})}),[i,t,n])}},6668:(e,t,n)=>{"use strict";n.d(t,{L:()=>a});var r=n(2263);function a(){return(0,r.Z)().siteConfig.themeConfig}},8802:(e,t,n)=>{"use strict";Object.defineProperty(t,"__esModule",{value:!0}),t.addTrailingSlash=a,t.default=function(e,t){const{trailingSlash:n,baseUrl:r}=t;if(e.startsWith("#"))return e;if(void 0===n)return e;const[i]=e.split(/[#?]/),s="/"===i||i===r?i:(l=i,c=n,c?a(l):o(l));var l,c;return e.replace(i,s)},t.addLeadingSlash=function(e){return(0,r.addPrefix)(e,"/")},t.removeTrailingSlash=o;const r=n(5913);function a(e){return e.endsWith("/")?e:`${e}/`}function o(e){return(0,r.removeSuffix)(e,"/")}},4143:(e,t)=>{"use strict";Object.defineProperty(t,"__esModule",{value:!0}),t.getErrorCausalChain=function e(t){if(t.cause)return[t,...e(t.cause)];return[t]}},8780:(e,t,n)=>{"use strict";t.BN=t.Do=void 0;const r=n(7582);var a=n(8802);Object.defineProperty(t,"Do",{enumerable:!0,get:function(){return r.__importDefault(a).default}});var o=n(5913);var i=n(4143);Object.defineProperty(t,"BN",{enumerable:!0,get:function(){return i.getErrorCausalChain}})},5913:(e,t)=>{"use strict";Object.defineProperty(t,"__esModule",{value:!0}),t.addPrefix=function(e,t){return e.startsWith(t)?e:`${t}${e}`},t.removeSuffix=function(e,t){if(""===t)return e;return e.endsWith(t)?e.slice(0,-t.length):e},t.addSuffix=function(e,t){return e.endsWith(t)?e:`${e}${t}`},t.removePrefix=function(e,t){return e.startsWith(t)?e.slice(t.length):e}},311:(e,t,n)=>{"use strict";n.d(t,{Z:()=>i});n(7294);var r=n(1728);const a={loadingRing:"loadingRing_RJI3","loading-ring":"loading-ring_FB5o"};var o=n(5893);function i(e){let{className:t}=e;return(0,o.jsxs)("div",{className:(0,r.Z)(a.loadingRing,t),children:[(0,o.jsx)("div",{}),(0,o.jsx)("div",{}),(0,o.jsx)("div",{}),(0,o.jsx)("div",{})]})}},22:(e,t,n)=>{"use strict";n.d(t,{w:()=>s});var r=n(1336),a=n.n(r),o=n(1029);const i=new Map;function s(e,t){const n=`${e}${t}`;let r=i.get(n);return r||(r=async function(e,t){{const n=`${e}${o.J.replace("{dir}",t?`-${t.replace(/\//g,"-")}`:"")}`;if(new URL(n,location.origin).origin!==location.origin)throw new Error("Unexpected version url");const r=await(await fetch(n)).json(),i=r.map(((e,t)=>{let{documents:n,index:r}=e;return{type:t,documents:n,index:a().Index.load(r)}})),s=r.reduce(((e,t)=>{for(const n of t.index.invertedIndex)/\p{Unified_Ideograph}/u.test(n[0][0])&&e.add(n[0]);return e}),new Set);return{wrappedIndexes:i,zhDictionary:Array.from(s)}}return{wrappedIndexes:[],zhDictionary:[]}}(e,t),i.set(n,r)),r}},8202:(e,t,n)=>{"use strict";n.d(t,{v:()=>c});var r=n(1336),a=n.n(r);var o=n(1029);function i(e){return s(e).concat(s(e.filter((e=>{const t=e[e.length-1];return!t.trailing&&t.maybeTyping})),!0))}function s(e,t){return e.map((e=>({tokens:e.map((e=>e.value)),term:e.map((e=>({value:e.value,presence:a().Query.presence.REQUIRED,wildcard:(t?e.trailing||e.maybeTyping:e.trailing)?a().Query.wildcard.TRAILING:a().Query.wildcard.NONE})))})))}var l=n(3545);function c(e,t,n){return function(r,s){const c=function(e,t){if(1===t.length&&["ja","jp","th"].includes(t[0]))return a()[t[0]].tokenizer(e).map((e=>e.toString()));let n=/[^-\s]+/g;return t.includes("zh")&&(n=/\w+|\p{Unified_Ideograph}+/gu),e.toLowerCase().match(n)||[]}(r,o.dK);if(0===c.length)return void s([]);const u=function(e,t){const n=function(e,t){const n=[];return function e(r,a){if(0===r.length)return void n.push(a);const o=r[0];if(/\p{Unified_Ideograph}/u.test(o)){const n=function(e,t){const n=[];return function e(r,a){let o=0,i=!1;for(const s of t)if(r.substr(0,s.length)===s){const t={missed:a.missed,term:a.term.concat({value:s})};r.length>s.length?e(r.substr(s.length),t):n.push(t),i=!0}else for(let t=s.length-1;t>o;t-=1){const l=s.substr(0,t);if(r.substr(0,t)===l){o=t;const s={missed:a.missed,term:a.term.concat({value:l,trailing:!0})};r.length>t?e(r.substr(t),s):n.push(s),i=!0;break}}i||(r.length>0?e(r.substr(1),{missed:a.missed+1,term:a.term}):a.term.length>0&&n.push(a))}(e,{missed:0,term:[]}),n.sort(((e,t)=>{const n=e.missed>0?1:0,r=t.missed>0?1:0;return n!==r?n-r:e.term.length-t.term.length})).map((e=>e.term))}(o,t);for(const t of n){const n=a.concat(...t);e(r.slice(1),n)}}else{const t=a.concat({value:o});e(r.slice(1),t)}}(e,[]),n}(e,t);if(0===n.length)return[{tokens:e,term:e.map((e=>({value:e,presence:a().Query.presence.REQUIRED,wildcard:a().Query.wildcard.LEADING|a().Query.wildcard.TRAILING})))}];for(const a of n)a[a.length-1].maybeTyping=!0;const r=[];for(const i of o.dK)if("en"===i)o._k||r.unshift(a().stopWordFilter);else{const e=a()[i];e.stopWordFilter&&r.unshift(e.stopWordFilter)}let s;if(r.length>0){const e=e=>r.reduce(((e,t)=>e.filter((e=>t(e.value)))),e);s=[];const t=[];for(const r of n){const n=e(r);s.push(n),n.length<r.length&&n.length>0&&t.push(n)}n.push(...t)}else s=n.slice();const l=[];for(const a of s)if(a.length>2)for(let e=a.length-1;e>=0;e-=1)l.push(a.slice(0,e).concat(a.slice(e+1)));return i(n).concat(i(l))}(c,t),d=[];e:for(const{term:t,tokens:a}of u)for(const{documents:r,index:o,type:i}of e)if(d.push(...o.query((e=>{for(const n of t)e.term(n.value,{wildcard:n.wildcard,presence:n.presence})})).slice(0,n).filter((e=>!d.some((t=>t.document.i.toString()===e.ref)))).slice(0,n-d.length).map((t=>{const n=r.find((e=>e.i.toString()===t.ref));return{document:n,type:i,page:i!==l.P.Title&&e[0].documents.find((e=>e.i===n.p)),metadata:t.matchData.metadata,tokens:a,score:t.score}}))),d.length>=n)break e;!function(e){e.forEach(((e,t)=>{e.index=t})),e.sort(((t,n)=>{let r=t.type!==l.P.Heading&&t.type!==l.P.Content&&t.type!==l.P.Description||!t.page?t.index:e.findIndex((e=>e.document===t.page)),a=n.type!==l.P.Heading&&n.type!==l.P.Content&&n.type!==l.P.Description||!n.page?n.index:e.findIndex((e=>e.document===n.page));if(-1===r&&(r=t.index),-1===a&&(a=n.index),r===a){const e=(0===n.type?1:0)-(0===t.type?1:0);return 0===e?t.index-n.index:e}return r-a}))}(d),function(e){e.forEach(((t,n)=>{n>0&&t.page&&e.slice(0,n).some((e=>(e.type===l.P.Keywords?e.page:e.document)===t.page))&&(n<e.length-1&&e[n+1].page===t.page?t.isInterOfTree=!0:t.isLastOfTree=!0)}))}(d),s(d)}}},3926:(e,t,n)=>{"use strict";function r(e){return e.join(" \u203a ")}n.d(t,{e:()=>r})},1690:(e,t,n)=>{"use strict";function r(e){return e.replace(/&/g,"&").replace(/</g,"<").replace(/>/g,">").replace(/"/g,""").replace(/'/g,"'")}n.d(t,{X:()=>r})},1073:(e,t,n)=>{"use strict";function r(e,t){const n=[];for(const r of Object.values(e))r[t]&&n.push(...r[t].position);return n.sort(((e,t)=>e[0]-t[0]||t[1]-e[1]))}n.d(t,{m:()=>r})},2539:(e,t,n)=>{"use strict";n.d(t,{C:()=>a});var r=n(1690);function a(e,t,n){const o=[];for(const i of t){const n=e.toLowerCase().indexOf(i);if(n>=0){n>0&&o.push(a(e.substr(0,n),t)),o.push(`<mark>${(0,r.X)(e.substr(n,i.length))}</mark>`);const s=n+i.length;s<e.length&&o.push(a(e.substr(s),t));break}}return 0===o.length?n?`<mark>${(0,r.X)(e)}</mark>`:(0,r.X)(e):o.join("")}},726:(e,t,n)=>{"use strict";n.d(t,{o:()=>l});var r=n(1690),a=n(2539);const o=/\w+|\p{Unified_Ideograph}/u;function i(e){const t=[];let n=0,r=e;for(;r.length>0;){const a=r.match(o);if(!a){t.push(r);break}a.index>0&&t.push(r.substring(0,a.index)),t.push(a[0]),n+=a.index+a[0].length,r=e.substring(n)}return t}var s=n(1029);function l(e,t,n,o){void 0===o&&(o=s.Hk);const{chunkIndex:l,chunks:c}=function(e,t,n){const o=[];let s=0,l=0,c=-1;for(;s<t.length;){const[u,d]=t[s];if(s+=1,!(u<l)){if(u>l){const t=i(e.substring(l,u)).map((e=>({html:(0,r.X)(e),textLength:e.length})));for(const e of t)o.push(e)}-1===c&&(c=o.length),l=u+d,o.push({html:(0,a.C)(e.substring(u,l),n,!0),textLength:d})}}if(l<e.length){const t=i(e.substring(l)).map((e=>({html:(0,r.X)(e),textLength:e.length})));for(const e of t)o.push(e)}return{chunkIndex:c,chunks:o}}(e,t,n),u=c.slice(0,l),d=c[l],p=[d.html],f=c.slice(l+1);let h=d.textLength,m=0,g=0,y=!1,b=!1;for(;h<o;)if((m<=g||0===f.length)&&u.length>0){const e=u.pop();h+e.textLength<=o?(p.unshift(e.html),m+=e.textLength,h+=e.textLength):(y=!0,u.length=0)}else{if(!(f.length>0))break;{const e=f.shift();h+e.textLength<=o?(p.push(e.html),g+=e.textLength,h+=e.textLength):(b=!0,f.length=0)}}return(y||u.length>0)&&p.unshift("\u2026"),(b||f.length>0)&&p.push("\u2026"),p.join("")}},51:(e,t,n)=>{"use strict";function r(e,t){if("string"==typeof e)return{label:e,path:e};{const{label:n,path:r}=e;return"string"==typeof n?{label:n,path:r}:Object.prototype.hasOwnProperty.call(n,t)?{label:n[t],path:r}:{label:r,path:r}}}n.d(t,{_:()=>r})},1029:(e,t,n)=>{"use strict";n.d(t,{vc:()=>a(),gQ:()=>h,H6:()=>u,hG:()=>y,l9:()=>m,dK:()=>o,_k:()=>i,pu:()=>f,AY:()=>d,t_:()=>p,Kc:()=>g,J:()=>s,Hk:()=>c,qo:()=>l,pQ:()=>b});n(1336);var r=n(813),a=n.n(r);const o=["en"],i=!1,s="search-index{dir}.json?_=77f662a8",l=8,c=50,u=!1,d=!0,p=!0,f="right",h=void 0,m=!0,g=null,y=!1,b=!1},3545:(e,t,n)=>{"use strict";var r;n.d(t,{P:()=>r}),function(e){e[e.Title=0]="Title",e[e.Heading=1]="Heading",e[e.Description=2]="Description",e[e.Keywords=3]="Keywords",e[e.Content=4]="Content"}(r||(r={}))},9318:(e,t,n)=>{"use strict";n.d(t,{lX:()=>w,q_:()=>C,ob:()=>f,PP:()=>L,Ep:()=>p});var r=n(7462);function a(e){return"/"===e.charAt(0)}function o(e,t){for(var n=t,r=n+1,a=e.length;r<a;n+=1,r+=1)e[n]=e[r];e.pop()}const i=function(e,t){void 0===t&&(t="");var n,r=e&&e.split("/")||[],i=t&&t.split("/")||[],s=e&&a(e),l=t&&a(t),c=s||l;if(e&&a(e)?i=r:r.length&&(i.pop(),i=i.concat(r)),!i.length)return"/";if(i.length){var u=i[i.length-1];n="."===u||".."===u||""===u}else n=!1;for(var d=0,p=i.length;p>=0;p--){var f=i[p];"."===f?o(i,p):".."===f?(o(i,p),d++):d&&(o(i,p),d--)}if(!c)for(;d--;d)i.unshift("..");!c||""===i[0]||i[0]&&a(i[0])||i.unshift("");var h=i.join("/");return n&&"/"!==h.substr(-1)&&(h+="/"),h};var s=n(8776);function l(e){return"/"===e.charAt(0)?e:"/"+e}function c(e){return"/"===e.charAt(0)?e.substr(1):e}function u(e,t){return function(e,t){return 0===e.toLowerCase().indexOf(t.toLowerCase())&&-1!=="/?#".indexOf(e.charAt(t.length))}(e,t)?e.substr(t.length):e}function d(e){return"/"===e.charAt(e.length-1)?e.slice(0,-1):e}function p(e){var t=e.pathname,n=e.search,r=e.hash,a=t||"/";return n&&"?"!==n&&(a+="?"===n.charAt(0)?n:"?"+n),r&&"#"!==r&&(a+="#"===r.charAt(0)?r:"#"+r),a}function f(e,t,n,a){var o;"string"==typeof e?(o=function(e){var t=e||"/",n="",r="",a=t.indexOf("#");-1!==a&&(r=t.substr(a),t=t.substr(0,a));var o=t.indexOf("?");return-1!==o&&(n=t.substr(o),t=t.substr(0,o)),{pathname:t,search:"?"===n?"":n,hash:"#"===r?"":r}}(e),o.state=t):(void 0===(o=(0,r.Z)({},e)).pathname&&(o.pathname=""),o.search?"?"!==o.search.charAt(0)&&(o.search="?"+o.search):o.search="",o.hash?"#"!==o.hash.charAt(0)&&(o.hash="#"+o.hash):o.hash="",void 0!==t&&void 0===o.state&&(o.state=t));try{o.pathname=decodeURI(o.pathname)}catch(s){throw s instanceof URIError?new URIError('Pathname "'+o.pathname+'" could not be decoded. This is likely caused by an invalid percent-encoding.'):s}return n&&(o.key=n),a?o.pathname?"/"!==o.pathname.charAt(0)&&(o.pathname=i(o.pathname,a.pathname)):o.pathname=a.pathname:o.pathname||(o.pathname="/"),o}function h(){var e=null;var t=[];return{setPrompt:function(t){return e=t,function(){e===t&&(e=null)}},confirmTransitionTo:function(t,n,r,a){if(null!=e){var o="function"==typeof e?e(t,n):e;"string"==typeof o?"function"==typeof r?r(o,a):a(!0):a(!1!==o)}else a(!0)},appendListener:function(e){var n=!0;function r(){n&&e.apply(void 0,arguments)}return t.push(r),function(){n=!1,t=t.filter((function(e){return e!==r}))}},notifyListeners:function(){for(var e=arguments.length,n=new Array(e),r=0;r<e;r++)n[r]=arguments[r];t.forEach((function(e){return e.apply(void 0,n)}))}}}var m=!("undefined"==typeof window||!window.document||!window.document.createElement);function g(e,t){t(window.confirm(e))}var y="popstate",b="hashchange";function v(){try{return window.history.state||{}}catch(e){return{}}}function w(e){void 0===e&&(e={}),m||(0,s.Z)(!1);var t,n=window.history,a=(-1===(t=window.navigator.userAgent).indexOf("Android 2.")&&-1===t.indexOf("Android 4.0")||-1===t.indexOf("Mobile Safari")||-1!==t.indexOf("Chrome")||-1!==t.indexOf("Windows Phone"))&&window.history&&"pushState"in window.history,o=!(-1===window.navigator.userAgent.indexOf("Trident")),i=e,c=i.forceRefresh,w=void 0!==c&&c,k=i.getUserConfirmation,x=void 0===k?g:k,S=i.keyLength,E=void 0===S?6:S,_=e.basename?d(l(e.basename)):"";function C(e){var t=e||{},n=t.key,r=t.state,a=window.location,o=a.pathname+a.search+a.hash;return _&&(o=u(o,_)),f(o,r,n)}function T(){return Math.random().toString(36).substr(2,E)}var L=h();function j(e){(0,r.Z)($,e),$.length=n.length,L.notifyListeners($.location,$.action)}function R(e){(function(e){return void 0===e.state&&-1===navigator.userAgent.indexOf("CriOS")})(e)||A(C(e.state))}function P(){A(C(v()))}var N=!1;function A(e){if(N)N=!1,j();else{L.confirmTransitionTo(e,"POP",x,(function(t){t?j({action:"POP",location:e}):function(e){var t=$.location,n=I.indexOf(t.key);-1===n&&(n=0);var r=I.indexOf(e.key);-1===r&&(r=0);var a=n-r;a&&(N=!0,F(a))}(e)}))}}var O=C(v()),I=[O.key];function D(e){return _+p(e)}function F(e){n.go(e)}var M=0;function B(e){1===(M+=e)&&1===e?(window.addEventListener(y,R),o&&window.addEventListener(b,P)):0===M&&(window.removeEventListener(y,R),o&&window.removeEventListener(b,P))}var z=!1;var $={length:n.length,action:"POP",location:O,createHref:D,push:function(e,t){var r="PUSH",o=f(e,t,T(),$.location);L.confirmTransitionTo(o,r,x,(function(e){if(e){var t=D(o),i=o.key,s=o.state;if(a)if(n.pushState({key:i,state:s},null,t),w)window.location.href=t;else{var l=I.indexOf($.location.key),c=I.slice(0,l+1);c.push(o.key),I=c,j({action:r,location:o})}else window.location.href=t}}))},replace:function(e,t){var r="REPLACE",o=f(e,t,T(),$.location);L.confirmTransitionTo(o,r,x,(function(e){if(e){var t=D(o),i=o.key,s=o.state;if(a)if(n.replaceState({key:i,state:s},null,t),w)window.location.replace(t);else{var l=I.indexOf($.location.key);-1!==l&&(I[l]=o.key),j({action:r,location:o})}else window.location.replace(t)}}))},go:F,goBack:function(){F(-1)},goForward:function(){F(1)},block:function(e){void 0===e&&(e=!1);var t=L.setPrompt(e);return z||(B(1),z=!0),function(){return z&&(z=!1,B(-1)),t()}},listen:function(e){var t=L.appendListener(e);return B(1),function(){B(-1),t()}}};return $}var k="hashchange",x={hashbang:{encodePath:function(e){return"!"===e.charAt(0)?e:"!/"+c(e)},decodePath:function(e){return"!"===e.charAt(0)?e.substr(1):e}},noslash:{encodePath:c,decodePath:l},slash:{encodePath:l,decodePath:l}};function S(e){var t=e.indexOf("#");return-1===t?e:e.slice(0,t)}function E(){var e=window.location.href,t=e.indexOf("#");return-1===t?"":e.substring(t+1)}function _(e){window.location.replace(S(window.location.href)+"#"+e)}function C(e){void 0===e&&(e={}),m||(0,s.Z)(!1);var t=window.history,n=(window.navigator.userAgent.indexOf("Firefox"),e),a=n.getUserConfirmation,o=void 0===a?g:a,i=n.hashType,c=void 0===i?"slash":i,y=e.basename?d(l(e.basename)):"",b=x[c],v=b.encodePath,w=b.decodePath;function C(){var e=w(E());return y&&(e=u(e,y)),f(e)}var T=h();function L(e){(0,r.Z)(z,e),z.length=t.length,T.notifyListeners(z.location,z.action)}var j=!1,R=null;function P(){var e,t,n=E(),r=v(n);if(n!==r)_(r);else{var a=C(),i=z.location;if(!j&&(t=a,(e=i).pathname===t.pathname&&e.search===t.search&&e.hash===t.hash))return;if(R===p(a))return;R=null,function(e){if(j)j=!1,L();else{var t="POP";T.confirmTransitionTo(e,t,o,(function(n){n?L({action:t,location:e}):function(e){var t=z.location,n=I.lastIndexOf(p(t));-1===n&&(n=0);var r=I.lastIndexOf(p(e));-1===r&&(r=0);var a=n-r;a&&(j=!0,D(a))}(e)}))}}(a)}}var N=E(),A=v(N);N!==A&&_(A);var O=C(),I=[p(O)];function D(e){t.go(e)}var F=0;function M(e){1===(F+=e)&&1===e?window.addEventListener(k,P):0===F&&window.removeEventListener(k,P)}var B=!1;var z={length:t.length,action:"POP",location:O,createHref:function(e){var t=document.querySelector("base"),n="";return t&&t.getAttribute("href")&&(n=S(window.location.href)),n+"#"+v(y+p(e))},push:function(e,t){var n="PUSH",r=f(e,void 0,void 0,z.location);T.confirmTransitionTo(r,n,o,(function(e){if(e){var t=p(r),a=v(y+t);if(E()!==a){R=t,function(e){window.location.hash=e}(a);var o=I.lastIndexOf(p(z.location)),i=I.slice(0,o+1);i.push(t),I=i,L({action:n,location:r})}else L()}}))},replace:function(e,t){var n="REPLACE",r=f(e,void 0,void 0,z.location);T.confirmTransitionTo(r,n,o,(function(e){if(e){var t=p(r),a=v(y+t);E()!==a&&(R=t,_(a));var o=I.indexOf(p(z.location));-1!==o&&(I[o]=t),L({action:n,location:r})}}))},go:D,goBack:function(){D(-1)},goForward:function(){D(1)},block:function(e){void 0===e&&(e=!1);var t=T.setPrompt(e);return B||(M(1),B=!0),function(){return B&&(B=!1,M(-1)),t()}},listen:function(e){var t=T.appendListener(e);return M(1),function(){M(-1),t()}}};return z}function T(e,t,n){return Math.min(Math.max(e,t),n)}function L(e){void 0===e&&(e={});var t=e,n=t.getUserConfirmation,a=t.initialEntries,o=void 0===a?["/"]:a,i=t.initialIndex,s=void 0===i?0:i,l=t.keyLength,c=void 0===l?6:l,u=h();function d(e){(0,r.Z)(w,e),w.length=w.entries.length,u.notifyListeners(w.location,w.action)}function m(){return Math.random().toString(36).substr(2,c)}var g=T(s,0,o.length-1),y=o.map((function(e){return f(e,void 0,"string"==typeof e?m():e.key||m())})),b=p;function v(e){var t=T(w.index+e,0,w.entries.length-1),r=w.entries[t];u.confirmTransitionTo(r,"POP",n,(function(e){e?d({action:"POP",location:r,index:t}):d()}))}var w={length:y.length,action:"POP",location:y[g],index:g,entries:y,createHref:b,push:function(e,t){var r="PUSH",a=f(e,t,m(),w.location);u.confirmTransitionTo(a,r,n,(function(e){if(e){var t=w.index+1,n=w.entries.slice(0);n.length>t?n.splice(t,n.length-t,a):n.push(a),d({action:r,location:a,index:t,entries:n})}}))},replace:function(e,t){var r="REPLACE",a=f(e,t,m(),w.location);u.confirmTransitionTo(a,r,n,(function(e){e&&(w.entries[w.index]=a,d({action:r,location:a}))}))},go:v,goBack:function(){v(-1)},goForward:function(){v(1)},canGo:function(e){var t=w.index+e;return t>=0&&t<w.entries.length},block:function(e){return void 0===e&&(e=!1),u.setPrompt(e)},listen:function(e){return u.appendListener(e)}};return w}},8679:(e,t,n)=>{"use strict";var r=n(9864),a={childContextTypes:!0,contextType:!0,contextTypes:!0,defaultProps:!0,displayName:!0,getDefaultProps:!0,getDerivedStateFromError:!0,getDerivedStateFromProps:!0,mixins:!0,propTypes:!0,type:!0},o={name:!0,length:!0,prototype:!0,caller:!0,callee:!0,arguments:!0,arity:!0},i={$$typeof:!0,compare:!0,defaultProps:!0,displayName:!0,propTypes:!0,type:!0},s={};function l(e){return r.isMemo(e)?i:s[e.$$typeof]||a}s[r.ForwardRef]={$$typeof:!0,render:!0,defaultProps:!0,displayName:!0,propTypes:!0},s[r.Memo]=i;var c=Object.defineProperty,u=Object.getOwnPropertyNames,d=Object.getOwnPropertySymbols,p=Object.getOwnPropertyDescriptor,f=Object.getPrototypeOf,h=Object.prototype;e.exports=function e(t,n,r){if("string"!=typeof n){if(h){var a=f(n);a&&a!==h&&e(t,a,r)}var i=u(n);d&&(i=i.concat(d(n)));for(var s=l(t),m=l(n),g=0;g<i.length;++g){var y=i[g];if(!(o[y]||r&&r[y]||m&&m[y]||s&&s[y])){var b=p(n,y);try{c(t,y,b)}catch(v){}}}}return t}},1143:e=>{"use strict";e.exports=function(e,t,n,r,a,o,i,s){if(!e){var l;if(void 0===t)l=new Error("Minified exception occurred; use the non-minified dev environment for the full error message and additional helpful warnings.");else{var c=[n,r,a,o,i,s],u=0;(l=new Error(t.replace(/%s/g,(function(){return c[u++]})))).name="Invariant Violation"}throw l.framesToPop=1,l}}},5826:e=>{e.exports=Array.isArray||function(e){return"[object Array]"==Object.prototype.toString.call(e)}},1336:(e,t,n)=>{var r,a;!function(){var o,i,s,l,c,u,d,p,f,h,m,g,y,b,v,w,k,x,S,E,_,C,T,L,j,R,P,N,A,O,I=function(e){var t=new I.Builder;return t.pipeline.add(I.trimmer,I.stopWordFilter,I.stemmer),t.searchPipeline.add(I.stemmer),e.call(t,t),t.build()};I.version="2.3.9",I.utils={},I.utils.warn=(o=this,function(e){o.console&&console.warn&&console.warn(e)}),I.utils.asString=function(e){return null==e?"":e.toString()},I.utils.clone=function(e){if(null==e)return e;for(var t=Object.create(null),n=Object.keys(e),r=0;r<n.length;r++){var a=n[r],o=e[a];if(Array.isArray(o))t[a]=o.slice();else{if("string"!=typeof o&&"number"!=typeof o&&"boolean"!=typeof o)throw new TypeError("clone is not deep and does not support nested objects");t[a]=o}}return t},I.FieldRef=function(e,t,n){this.docRef=e,this.fieldName=t,this._stringValue=n},I.FieldRef.joiner="/",I.FieldRef.fromString=function(e){var t=e.indexOf(I.FieldRef.joiner);if(-1===t)throw"malformed field ref string";var n=e.slice(0,t),r=e.slice(t+1);return new I.FieldRef(r,n,e)},I.FieldRef.prototype.toString=function(){return null==this._stringValue&&(this._stringValue=this.fieldName+I.FieldRef.joiner+this.docRef),this._stringValue},I.Set=function(e){if(this.elements=Object.create(null),e){this.length=e.length;for(var t=0;t<this.length;t++)this.elements[e[t]]=!0}else this.length=0},I.Set.complete={intersect:function(e){return e},union:function(){return this},contains:function(){return!0}},I.Set.empty={intersect:function(){return this},union:function(e){return e},contains:function(){return!1}},I.Set.prototype.contains=function(e){return!!this.elements[e]},I.Set.prototype.intersect=function(e){var t,n,r,a=[];if(e===I.Set.complete)return this;if(e===I.Set.empty)return e;this.length<e.length?(t=this,n=e):(t=e,n=this),r=Object.keys(t.elements);for(var o=0;o<r.length;o++){var i=r[o];i in n.elements&&a.push(i)}return new I.Set(a)},I.Set.prototype.union=function(e){return e===I.Set.complete?I.Set.complete:e===I.Set.empty?this:new I.Set(Object.keys(this.elements).concat(Object.keys(e.elements)))},I.idf=function(e,t){var n=0;for(var r in e)"_index"!=r&&(n+=Object.keys(e[r]).length);var a=(t-n+.5)/(n+.5);return Math.log(1+Math.abs(a))},I.Token=function(e,t){this.str=e||"",this.metadata=t||{}},I.Token.prototype.toString=function(){return this.str},I.Token.prototype.update=function(e){return this.str=e(this.str,this.metadata),this},I.Token.prototype.clone=function(e){return e=e||function(e){return e},new I.Token(e(this.str,this.metadata),this.metadata)},I.tokenizer=function(e,t){if(null==e||null==e)return[];if(Array.isArray(e))return e.map((function(e){return new I.Token(I.utils.asString(e).toLowerCase(),I.utils.clone(t))}));for(var n=e.toString().toLowerCase(),r=n.length,a=[],o=0,i=0;o<=r;o++){var s=o-i;if(n.charAt(o).match(I.tokenizer.separator)||o==r){if(s>0){var l=I.utils.clone(t)||{};l.position=[i,s],l.index=a.length,a.push(new I.Token(n.slice(i,o),l))}i=o+1}}return a},I.tokenizer.separator=/[\s\-]+/,I.Pipeline=function(){this._stack=[]},I.Pipeline.registeredFunctions=Object.create(null),I.Pipeline.registerFunction=function(e,t){t in this.registeredFunctions&&I.utils.warn("Overwriting existing registered function: "+t),e.label=t,I.Pipeline.registeredFunctions[e.label]=e},I.Pipeline.warnIfFunctionNotRegistered=function(e){e.label&&e.label in this.registeredFunctions||I.utils.warn("Function is not registered with pipeline. This may cause problems when serialising the index.\n",e)},I.Pipeline.load=function(e){var t=new I.Pipeline;return e.forEach((function(e){var n=I.Pipeline.registeredFunctions[e];if(!n)throw new Error("Cannot load unregistered function: "+e);t.add(n)})),t},I.Pipeline.prototype.add=function(){Array.prototype.slice.call(arguments).forEach((function(e){I.Pipeline.warnIfFunctionNotRegistered(e),this._stack.push(e)}),this)},I.Pipeline.prototype.after=function(e,t){I.Pipeline.warnIfFunctionNotRegistered(t);var n=this._stack.indexOf(e);if(-1==n)throw new Error("Cannot find existingFn");n+=1,this._stack.splice(n,0,t)},I.Pipeline.prototype.before=function(e,t){I.Pipeline.warnIfFunctionNotRegistered(t);var n=this._stack.indexOf(e);if(-1==n)throw new Error("Cannot find existingFn");this._stack.splice(n,0,t)},I.Pipeline.prototype.remove=function(e){var t=this._stack.indexOf(e);-1!=t&&this._stack.splice(t,1)},I.Pipeline.prototype.run=function(e){for(var t=this._stack.length,n=0;n<t;n++){for(var r=this._stack[n],a=[],o=0;o<e.length;o++){var i=r(e[o],o,e);if(null!=i&&""!==i)if(Array.isArray(i))for(var s=0;s<i.length;s++)a.push(i[s]);else a.push(i)}e=a}return e},I.Pipeline.prototype.runString=function(e,t){var n=new I.Token(e,t);return this.run([n]).map((function(e){return e.toString()}))},I.Pipeline.prototype.reset=function(){this._stack=[]},I.Pipeline.prototype.toJSON=function(){return this._stack.map((function(e){return I.Pipeline.warnIfFunctionNotRegistered(e),e.label}))},I.Vector=function(e){this._magnitude=0,this.elements=e||[]},I.Vector.prototype.positionForIndex=function(e){if(0==this.elements.length)return 0;for(var t=0,n=this.elements.length/2,r=n-t,a=Math.floor(r/2),o=this.elements[2*a];r>1&&(o<e&&(t=a),o>e&&(n=a),o!=e);)r=n-t,a=t+Math.floor(r/2),o=this.elements[2*a];return o==e||o>e?2*a:o<e?2*(a+1):void 0},I.Vector.prototype.insert=function(e,t){this.upsert(e,t,(function(){throw"duplicate index"}))},I.Vector.prototype.upsert=function(e,t,n){this._magnitude=0;var r=this.positionForIndex(e);this.elements[r]==e?this.elements[r+1]=n(this.elements[r+1],t):this.elements.splice(r,0,e,t)},I.Vector.prototype.magnitude=function(){if(this._magnitude)return this._magnitude;for(var e=0,t=this.elements.length,n=1;n<t;n+=2){var r=this.elements[n];e+=r*r}return this._magnitude=Math.sqrt(e)},I.Vector.prototype.dot=function(e){for(var t=0,n=this.elements,r=e.elements,a=n.length,o=r.length,i=0,s=0,l=0,c=0;l<a&&c<o;)(i=n[l])<(s=r[c])?l+=2:i>s?c+=2:i==s&&(t+=n[l+1]*r[c+1],l+=2,c+=2);return t},I.Vector.prototype.similarity=function(e){return this.dot(e)/this.magnitude()||0},I.Vector.prototype.toArray=function(){for(var e=new Array(this.elements.length/2),t=1,n=0;t<this.elements.length;t+=2,n++)e[n]=this.elements[t];return e},I.Vector.prototype.toJSON=function(){return this.elements},I.stemmer=(i={ational:"ate",tional:"tion",enci:"ence",anci:"ance",izer:"ize",bli:"ble",alli:"al",entli:"ent",eli:"e",ousli:"ous",ization:"ize",ation:"ate",ator:"ate",alism:"al",iveness:"ive",fulness:"ful",ousness:"ous",aliti:"al",iviti:"ive",biliti:"ble",logi:"log"},s={icate:"ic",ative:"",alize:"al",iciti:"ic",ical:"ic",ful:"",ness:""},d="^("+(c="[^aeiou][^aeiouy]*")+")?"+(u=(l="[aeiouy]")+"[aeiou]*")+c+"("+u+")?$",p="^("+c+")?"+u+c+u+c,f="^("+c+")?"+l,h=new RegExp("^("+c+")?"+u+c),m=new RegExp(p),g=new RegExp(d),y=new RegExp(f),b=/^(.+?)(ss|i)es$/,v=/^(.+?)([^s])s$/,w=/^(.+?)eed$/,k=/^(.+?)(ed|ing)$/,x=/.$/,S=/(at|bl|iz)$/,E=new RegExp("([^aeiouylsz])\\1$"),_=new RegExp("^"+c+l+"[^aeiouwxy]$"),C=/^(.+?[^aeiou])y$/,T=/^(.+?)(ational|tional|enci|anci|izer|bli|alli|entli|eli|ousli|ization|ation|ator|alism|iveness|fulness|ousness|aliti|iviti|biliti|logi)$/,L=/^(.+?)(icate|ative|alize|iciti|ical|ful|ness)$/,j=/^(.+?)(al|ance|ence|er|ic|able|ible|ant|ement|ment|ent|ou|ism|ate|iti|ous|ive|ize)$/,R=/^(.+?)(s|t)(ion)$/,P=/^(.+?)e$/,N=/ll$/,A=new RegExp("^"+c+l+"[^aeiouwxy]$"),O=function(e){var t,n,r,a,o,l,c;if(e.length<3)return e;if("y"==(r=e.substr(0,1))&&(e=r.toUpperCase()+e.substr(1)),o=v,(a=b).test(e)?e=e.replace(a,"$1$2"):o.test(e)&&(e=e.replace(o,"$1$2")),o=k,(a=w).test(e)){var u=a.exec(e);(a=h).test(u[1])&&(a=x,e=e.replace(a,""))}else o.test(e)&&(t=(u=o.exec(e))[1],(o=y).test(t)&&(l=E,c=_,(o=S).test(e=t)?e+="e":l.test(e)?(a=x,e=e.replace(a,"")):c.test(e)&&(e+="e")));return(a=C).test(e)&&(e=(t=(u=a.exec(e))[1])+"i"),(a=T).test(e)&&(t=(u=a.exec(e))[1],n=u[2],(a=h).test(t)&&(e=t+i[n])),(a=L).test(e)&&(t=(u=a.exec(e))[1],n=u[2],(a=h).test(t)&&(e=t+s[n])),o=R,(a=j).test(e)?(t=(u=a.exec(e))[1],(a=m).test(t)&&(e=t)):o.test(e)&&(t=(u=o.exec(e))[1]+u[2],(o=m).test(t)&&(e=t)),(a=P).test(e)&&(t=(u=a.exec(e))[1],o=g,l=A,((a=m).test(t)||o.test(t)&&!l.test(t))&&(e=t)),o=m,(a=N).test(e)&&o.test(e)&&(a=x,e=e.replace(a,"")),"y"==r&&(e=r.toLowerCase()+e.substr(1)),e},function(e){return e.update(O)}),I.Pipeline.registerFunction(I.stemmer,"stemmer"),I.generateStopWordFilter=function(e){var t=e.reduce((function(e,t){return e[t]=t,e}),{});return function(e){if(e&&t[e.toString()]!==e.toString())return e}},I.stopWordFilter=I.generateStopWordFilter(["a","able","about","across","after","all","almost","also","am","among","an","and","any","are","as","at","be","because","been","but","by","can","cannot","could","dear","did","do","does","either","else","ever","every","for","from","get","got","had","has","have","he","her","hers","him","his","how","however","i","if","in","into","is","it","its","just","least","let","like","likely","may","me","might","most","must","my","neither","no","nor","not","of","off","often","on","only","or","other","our","own","rather","said","say","says","she","should","since","so","some","than","that","the","their","them","then","there","these","they","this","tis","to","too","twas","us","wants","was","we","were","what","when","where","which","while","who","whom","why","will","with","would","yet","you","your"]),I.Pipeline.registerFunction(I.stopWordFilter,"stopWordFilter"),I.trimmer=function(e){return e.update((function(e){return e.replace(/^\W+/,"").replace(/\W+$/,"")}))},I.Pipeline.registerFunction(I.trimmer,"trimmer"),I.TokenSet=function(){this.final=!1,this.edges={},this.id=I.TokenSet._nextId,I.TokenSet._nextId+=1},I.TokenSet._nextId=1,I.TokenSet.fromArray=function(e){for(var t=new I.TokenSet.Builder,n=0,r=e.length;n<r;n++)t.insert(e[n]);return t.finish(),t.root},I.TokenSet.fromClause=function(e){return"editDistance"in e?I.TokenSet.fromFuzzyString(e.term,e.editDistance):I.TokenSet.fromString(e.term)},I.TokenSet.fromFuzzyString=function(e,t){for(var n=new I.TokenSet,r=[{node:n,editsRemaining:t,str:e}];r.length;){var a=r.pop();if(a.str.length>0){var o,i=a.str.charAt(0);i in a.node.edges?o=a.node.edges[i]:(o=new I.TokenSet,a.node.edges[i]=o),1==a.str.length&&(o.final=!0),r.push({node:o,editsRemaining:a.editsRemaining,str:a.str.slice(1)})}if(0!=a.editsRemaining){if("*"in a.node.edges)var s=a.node.edges["*"];else{s=new I.TokenSet;a.node.edges["*"]=s}if(0==a.str.length&&(s.final=!0),r.push({node:s,editsRemaining:a.editsRemaining-1,str:a.str}),a.str.length>1&&r.push({node:a.node,editsRemaining:a.editsRemaining-1,str:a.str.slice(1)}),1==a.str.length&&(a.node.final=!0),a.str.length>=1){if("*"in a.node.edges)var l=a.node.edges["*"];else{l=new I.TokenSet;a.node.edges["*"]=l}1==a.str.length&&(l.final=!0),r.push({node:l,editsRemaining:a.editsRemaining-1,str:a.str.slice(1)})}if(a.str.length>1){var c,u=a.str.charAt(0),d=a.str.charAt(1);d in a.node.edges?c=a.node.edges[d]:(c=new I.TokenSet,a.node.edges[d]=c),1==a.str.length&&(c.final=!0),r.push({node:c,editsRemaining:a.editsRemaining-1,str:u+a.str.slice(2)})}}}return n},I.TokenSet.fromString=function(e){for(var t=new I.TokenSet,n=t,r=0,a=e.length;r<a;r++){var o=e[r],i=r==a-1;if("*"==o)t.edges[o]=t,t.final=i;else{var s=new I.TokenSet;s.final=i,t.edges[o]=s,t=s}}return n},I.TokenSet.prototype.toArray=function(){for(var e=[],t=[{prefix:"",node:this}];t.length;){var n=t.pop(),r=Object.keys(n.node.edges),a=r.length;n.node.final&&(n.prefix.charAt(0),e.push(n.prefix));for(var o=0;o<a;o++){var i=r[o];t.push({prefix:n.prefix.concat(i),node:n.node.edges[i]})}}return e},I.TokenSet.prototype.toString=function(){if(this._str)return this._str;for(var e=this.final?"1":"0",t=Object.keys(this.edges).sort(),n=t.length,r=0;r<n;r++){var a=t[r];e=e+a+this.edges[a].id}return e},I.TokenSet.prototype.intersect=function(e){for(var t=new I.TokenSet,n=void 0,r=[{qNode:e,output:t,node:this}];r.length;){n=r.pop();for(var a=Object.keys(n.qNode.edges),o=a.length,i=Object.keys(n.node.edges),s=i.length,l=0;l<o;l++)for(var c=a[l],u=0;u<s;u++){var d=i[u];if(d==c||"*"==c){var p=n.node.edges[d],f=n.qNode.edges[c],h=p.final&&f.final,m=void 0;d in n.output.edges?(m=n.output.edges[d]).final=m.final||h:((m=new I.TokenSet).final=h,n.output.edges[d]=m),r.push({qNode:f,output:m,node:p})}}}return t},I.TokenSet.Builder=function(){this.previousWord="",this.root=new I.TokenSet,this.uncheckedNodes=[],this.minimizedNodes={}},I.TokenSet.Builder.prototype.insert=function(e){var t,n=0;if(e<this.previousWord)throw new Error("Out of order word insertion");for(var r=0;r<e.length&&r<this.previousWord.length&&e[r]==this.previousWord[r];r++)n++;this.minimize(n),t=0==this.uncheckedNodes.length?this.root:this.uncheckedNodes[this.uncheckedNodes.length-1].child;for(r=n;r<e.length;r++){var a=new I.TokenSet,o=e[r];t.edges[o]=a,this.uncheckedNodes.push({parent:t,char:o,child:a}),t=a}t.final=!0,this.previousWord=e},I.TokenSet.Builder.prototype.finish=function(){this.minimize(0)},I.TokenSet.Builder.prototype.minimize=function(e){for(var t=this.uncheckedNodes.length-1;t>=e;t--){var n=this.uncheckedNodes[t],r=n.child.toString();r in this.minimizedNodes?n.parent.edges[n.char]=this.minimizedNodes[r]:(n.child._str=r,this.minimizedNodes[r]=n.child),this.uncheckedNodes.pop()}},I.Index=function(e){this.invertedIndex=e.invertedIndex,this.fieldVectors=e.fieldVectors,this.tokenSet=e.tokenSet,this.fields=e.fields,this.pipeline=e.pipeline},I.Index.prototype.search=function(e){return this.query((function(t){new I.QueryParser(e,t).parse()}))},I.Index.prototype.query=function(e){for(var t=new I.Query(this.fields),n=Object.create(null),r=Object.create(null),a=Object.create(null),o=Object.create(null),i=Object.create(null),s=0;s<this.fields.length;s++)r[this.fields[s]]=new I.Vector;e.call(t,t);for(s=0;s<t.clauses.length;s++){var l=t.clauses[s],c=null,u=I.Set.empty;c=l.usePipeline?this.pipeline.runString(l.term,{fields:l.fields}):[l.term];for(var d=0;d<c.length;d++){var p=c[d];l.term=p;var f=I.TokenSet.fromClause(l),h=this.tokenSet.intersect(f).toArray();if(0===h.length&&l.presence===I.Query.presence.REQUIRED){for(var m=0;m<l.fields.length;m++){o[P=l.fields[m]]=I.Set.empty}break}for(var g=0;g<h.length;g++){var y=h[g],b=this.invertedIndex[y],v=b._index;for(m=0;m<l.fields.length;m++){var w=b[P=l.fields[m]],k=Object.keys(w),x=y+"/"+P,S=new I.Set(k);if(l.presence==I.Query.presence.REQUIRED&&(u=u.union(S),void 0===o[P]&&(o[P]=I.Set.complete)),l.presence!=I.Query.presence.PROHIBITED){if(r[P].upsert(v,l.boost,(function(e,t){return e+t})),!a[x]){for(var E=0;E<k.length;E++){var _,C=k[E],T=new I.FieldRef(C,P),L=w[C];void 0===(_=n[T])?n[T]=new I.MatchData(y,P,L):_.add(y,P,L)}a[x]=!0}}else void 0===i[P]&&(i[P]=I.Set.empty),i[P]=i[P].union(S)}}}if(l.presence===I.Query.presence.REQUIRED)for(m=0;m<l.fields.length;m++){o[P=l.fields[m]]=o[P].intersect(u)}}var j=I.Set.complete,R=I.Set.empty;for(s=0;s<this.fields.length;s++){var P;o[P=this.fields[s]]&&(j=j.intersect(o[P])),i[P]&&(R=R.union(i[P]))}var N=Object.keys(n),A=[],O=Object.create(null);if(t.isNegated()){N=Object.keys(this.fieldVectors);for(s=0;s<N.length;s++){T=N[s];var D=I.FieldRef.fromString(T);n[T]=new I.MatchData}}for(s=0;s<N.length;s++){var F=(D=I.FieldRef.fromString(N[s])).docRef;if(j.contains(F)&&!R.contains(F)){var M,B=this.fieldVectors[D],z=r[D.fieldName].similarity(B);if(void 0!==(M=O[F]))M.score+=z,M.matchData.combine(n[D]);else{var $={ref:F,score:z,matchData:n[D]};O[F]=$,A.push($)}}}return A.sort((function(e,t){return t.score-e.score}))},I.Index.prototype.toJSON=function(){var e=Object.keys(this.invertedIndex).sort().map((function(e){return[e,this.invertedIndex[e]]}),this),t=Object.keys(this.fieldVectors).map((function(e){return[e,this.fieldVectors[e].toJSON()]}),this);return{version:I.version,fields:this.fields,fieldVectors:t,invertedIndex:e,pipeline:this.pipeline.toJSON()}},I.Index.load=function(e){var t={},n={},r=e.fieldVectors,a=Object.create(null),o=e.invertedIndex,i=new I.TokenSet.Builder,s=I.Pipeline.load(e.pipeline);e.version!=I.version&&I.utils.warn("Version mismatch when loading serialised index. Current version of lunr '"+I.version+"' does not match serialized index '"+e.version+"'");for(var l=0;l<r.length;l++){var c=(d=r[l])[0],u=d[1];n[c]=new I.Vector(u)}for(l=0;l<o.length;l++){var d,p=(d=o[l])[0],f=d[1];i.insert(p),a[p]=f}return i.finish(),t.fields=e.fields,t.fieldVectors=n,t.invertedIndex=a,t.tokenSet=i.root,t.pipeline=s,new I.Index(t)},I.Builder=function(){this._ref="id",this._fields=Object.create(null),this._documents=Object.create(null),this.invertedIndex=Object.create(null),this.fieldTermFrequencies={},this.fieldLengths={},this.tokenizer=I.tokenizer,this.pipeline=new I.Pipeline,this.searchPipeline=new I.Pipeline,this.documentCount=0,this._b=.75,this._k1=1.2,this.termIndex=0,this.metadataWhitelist=[]},I.Builder.prototype.ref=function(e){this._ref=e},I.Builder.prototype.field=function(e,t){if(/\//.test(e))throw new RangeError("Field '"+e+"' contains illegal character '/'");this._fields[e]=t||{}},I.Builder.prototype.b=function(e){this._b=e<0?0:e>1?1:e},I.Builder.prototype.k1=function(e){this._k1=e},I.Builder.prototype.add=function(e,t){var n=e[this._ref],r=Object.keys(this._fields);this._documents[n]=t||{},this.documentCount+=1;for(var a=0;a<r.length;a++){var o=r[a],i=this._fields[o].extractor,s=i?i(e):e[o],l=this.tokenizer(s,{fields:[o]}),c=this.pipeline.run(l),u=new I.FieldRef(n,o),d=Object.create(null);this.fieldTermFrequencies[u]=d,this.fieldLengths[u]=0,this.fieldLengths[u]+=c.length;for(var p=0;p<c.length;p++){var f=c[p];if(null==d[f]&&(d[f]=0),d[f]+=1,null==this.invertedIndex[f]){var h=Object.create(null);h._index=this.termIndex,this.termIndex+=1;for(var m=0;m<r.length;m++)h[r[m]]=Object.create(null);this.invertedIndex[f]=h}null==this.invertedIndex[f][o][n]&&(this.invertedIndex[f][o][n]=Object.create(null));for(var g=0;g<this.metadataWhitelist.length;g++){var y=this.metadataWhitelist[g],b=f.metadata[y];null==this.invertedIndex[f][o][n][y]&&(this.invertedIndex[f][o][n][y]=[]),this.invertedIndex[f][o][n][y].push(b)}}}},I.Builder.prototype.calculateAverageFieldLengths=function(){for(var e=Object.keys(this.fieldLengths),t=e.length,n={},r={},a=0;a<t;a++){var o=I.FieldRef.fromString(e[a]),i=o.fieldName;r[i]||(r[i]=0),r[i]+=1,n[i]||(n[i]=0),n[i]+=this.fieldLengths[o]}var s=Object.keys(this._fields);for(a=0;a<s.length;a++){var l=s[a];n[l]=n[l]/r[l]}this.averageFieldLength=n},I.Builder.prototype.createFieldVectors=function(){for(var e={},t=Object.keys(this.fieldTermFrequencies),n=t.length,r=Object.create(null),a=0;a<n;a++){for(var o=I.FieldRef.fromString(t[a]),i=o.fieldName,s=this.fieldLengths[o],l=new I.Vector,c=this.fieldTermFrequencies[o],u=Object.keys(c),d=u.length,p=this._fields[i].boost||1,f=this._documents[o.docRef].boost||1,h=0;h<d;h++){var m,g,y,b=u[h],v=c[b],w=this.invertedIndex[b]._index;void 0===r[b]?(m=I.idf(this.invertedIndex[b],this.documentCount),r[b]=m):m=r[b],g=m*((this._k1+1)*v)/(this._k1*(1-this._b+this._b*(s/this.averageFieldLength[i]))+v),g*=p,g*=f,y=Math.round(1e3*g)/1e3,l.insert(w,y)}e[o]=l}this.fieldVectors=e},I.Builder.prototype.createTokenSet=function(){this.tokenSet=I.TokenSet.fromArray(Object.keys(this.invertedIndex).sort())},I.Builder.prototype.build=function(){return this.calculateAverageFieldLengths(),this.createFieldVectors(),this.createTokenSet(),new I.Index({invertedIndex:this.invertedIndex,fieldVectors:this.fieldVectors,tokenSet:this.tokenSet,fields:Object.keys(this._fields),pipeline:this.searchPipeline})},I.Builder.prototype.use=function(e){var t=Array.prototype.slice.call(arguments,1);t.unshift(this),e.apply(this,t)},I.MatchData=function(e,t,n){for(var r=Object.create(null),a=Object.keys(n||{}),o=0;o<a.length;o++){var i=a[o];r[i]=n[i].slice()}this.metadata=Object.create(null),void 0!==e&&(this.metadata[e]=Object.create(null),this.metadata[e][t]=r)},I.MatchData.prototype.combine=function(e){for(var t=Object.keys(e.metadata),n=0;n<t.length;n++){var r=t[n],a=Object.keys(e.metadata[r]);null==this.metadata[r]&&(this.metadata[r]=Object.create(null));for(var o=0;o<a.length;o++){var i=a[o],s=Object.keys(e.metadata[r][i]);null==this.metadata[r][i]&&(this.metadata[r][i]=Object.create(null));for(var l=0;l<s.length;l++){var c=s[l];null==this.metadata[r][i][c]?this.metadata[r][i][c]=e.metadata[r][i][c]:this.metadata[r][i][c]=this.metadata[r][i][c].concat(e.metadata[r][i][c])}}}},I.MatchData.prototype.add=function(e,t,n){if(!(e in this.metadata))return this.metadata[e]=Object.create(null),void(this.metadata[e][t]=n);if(t in this.metadata[e])for(var r=Object.keys(n),a=0;a<r.length;a++){var o=r[a];o in this.metadata[e][t]?this.metadata[e][t][o]=this.metadata[e][t][o].concat(n[o]):this.metadata[e][t][o]=n[o]}else this.metadata[e][t]=n},I.Query=function(e){this.clauses=[],this.allFields=e},I.Query.wildcard=new String("*"),I.Query.wildcard.NONE=0,I.Query.wildcard.LEADING=1,I.Query.wildcard.TRAILING=2,I.Query.presence={OPTIONAL:1,REQUIRED:2,PROHIBITED:3},I.Query.prototype.clause=function(e){return"fields"in e||(e.fields=this.allFields),"boost"in e||(e.boost=1),"usePipeline"in e||(e.usePipeline=!0),"wildcard"in e||(e.wildcard=I.Query.wildcard.NONE),e.wildcard&I.Query.wildcard.LEADING&&e.term.charAt(0)!=I.Query.wildcard&&(e.term="*"+e.term),e.wildcard&I.Query.wildcard.TRAILING&&e.term.slice(-1)!=I.Query.wildcard&&(e.term=e.term+"*"),"presence"in e||(e.presence=I.Query.presence.OPTIONAL),this.clauses.push(e),this},I.Query.prototype.isNegated=function(){for(var e=0;e<this.clauses.length;e++)if(this.clauses[e].presence!=I.Query.presence.PROHIBITED)return!1;return!0},I.Query.prototype.term=function(e,t){if(Array.isArray(e))return e.forEach((function(e){this.term(e,I.utils.clone(t))}),this),this;var n=t||{};return n.term=e.toString(),this.clause(n),this},I.QueryParseError=function(e,t,n){this.name="QueryParseError",this.message=e,this.start=t,this.end=n},I.QueryParseError.prototype=new Error,I.QueryLexer=function(e){this.lexemes=[],this.str=e,this.length=e.length,this.pos=0,this.start=0,this.escapeCharPositions=[]},I.QueryLexer.prototype.run=function(){for(var e=I.QueryLexer.lexText;e;)e=e(this)},I.QueryLexer.prototype.sliceString=function(){for(var e=[],t=this.start,n=this.pos,r=0;r<this.escapeCharPositions.length;r++)n=this.escapeCharPositions[r],e.push(this.str.slice(t,n)),t=n+1;return e.push(this.str.slice(t,this.pos)),this.escapeCharPositions.length=0,e.join("")},I.QueryLexer.prototype.emit=function(e){this.lexemes.push({type:e,str:this.sliceString(),start:this.start,end:this.pos}),this.start=this.pos},I.QueryLexer.prototype.escapeCharacter=function(){this.escapeCharPositions.push(this.pos-1),this.pos+=1},I.QueryLexer.prototype.next=function(){if(this.pos>=this.length)return I.QueryLexer.EOS;var e=this.str.charAt(this.pos);return this.pos+=1,e},I.QueryLexer.prototype.width=function(){return this.pos-this.start},I.QueryLexer.prototype.ignore=function(){this.start==this.pos&&(this.pos+=1),this.start=this.pos},I.QueryLexer.prototype.backup=function(){this.pos-=1},I.QueryLexer.prototype.acceptDigitRun=function(){var e,t;do{t=(e=this.next()).charCodeAt(0)}while(t>47&&t<58);e!=I.QueryLexer.EOS&&this.backup()},I.QueryLexer.prototype.more=function(){return this.pos<this.length},I.QueryLexer.EOS="EOS",I.QueryLexer.FIELD="FIELD",I.QueryLexer.TERM="TERM",I.QueryLexer.EDIT_DISTANCE="EDIT_DISTANCE",I.QueryLexer.BOOST="BOOST",I.QueryLexer.PRESENCE="PRESENCE",I.QueryLexer.lexField=function(e){return e.backup(),e.emit(I.QueryLexer.FIELD),e.ignore(),I.QueryLexer.lexText},I.QueryLexer.lexTerm=function(e){if(e.width()>1&&(e.backup(),e.emit(I.QueryLexer.TERM)),e.ignore(),e.more())return I.QueryLexer.lexText},I.QueryLexer.lexEditDistance=function(e){return e.ignore(),e.acceptDigitRun(),e.emit(I.QueryLexer.EDIT_DISTANCE),I.QueryLexer.lexText},I.QueryLexer.lexBoost=function(e){return e.ignore(),e.acceptDigitRun(),e.emit(I.QueryLexer.BOOST),I.QueryLexer.lexText},I.QueryLexer.lexEOS=function(e){e.width()>0&&e.emit(I.QueryLexer.TERM)},I.QueryLexer.termSeparator=I.tokenizer.separator,I.QueryLexer.lexText=function(e){for(;;){var t=e.next();if(t==I.QueryLexer.EOS)return I.QueryLexer.lexEOS;if(92!=t.charCodeAt(0)){if(":"==t)return I.QueryLexer.lexField;if("~"==t)return e.backup(),e.width()>0&&e.emit(I.QueryLexer.TERM),I.QueryLexer.lexEditDistance;if("^"==t)return e.backup(),e.width()>0&&e.emit(I.QueryLexer.TERM),I.QueryLexer.lexBoost;if("+"==t&&1===e.width())return e.emit(I.QueryLexer.PRESENCE),I.QueryLexer.lexText;if("-"==t&&1===e.width())return e.emit(I.QueryLexer.PRESENCE),I.QueryLexer.lexText;if(t.match(I.QueryLexer.termSeparator))return I.QueryLexer.lexTerm}else e.escapeCharacter()}},I.QueryParser=function(e,t){this.lexer=new I.QueryLexer(e),this.query=t,this.currentClause={},this.lexemeIdx=0},I.QueryParser.prototype.parse=function(){this.lexer.run(),this.lexemes=this.lexer.lexemes;for(var e=I.QueryParser.parseClause;e;)e=e(this);return this.query},I.QueryParser.prototype.peekLexeme=function(){return this.lexemes[this.lexemeIdx]},I.QueryParser.prototype.consumeLexeme=function(){var e=this.peekLexeme();return this.lexemeIdx+=1,e},I.QueryParser.prototype.nextClause=function(){var e=this.currentClause;this.query.clause(e),this.currentClause={}},I.QueryParser.parseClause=function(e){var t=e.peekLexeme();if(null!=t)switch(t.type){case I.QueryLexer.PRESENCE:return I.QueryParser.parsePresence;case I.QueryLexer.FIELD:return I.QueryParser.parseField;case I.QueryLexer.TERM:return I.QueryParser.parseTerm;default:var n="expected either a field or a term, found "+t.type;throw t.str.length>=1&&(n+=" with value '"+t.str+"'"),new I.QueryParseError(n,t.start,t.end)}},I.QueryParser.parsePresence=function(e){var t=e.consumeLexeme();if(null!=t){switch(t.str){case"-":e.currentClause.presence=I.Query.presence.PROHIBITED;break;case"+":e.currentClause.presence=I.Query.presence.REQUIRED;break;default:var n="unrecognised presence operator'"+t.str+"'";throw new I.QueryParseError(n,t.start,t.end)}var r=e.peekLexeme();if(null==r){n="expecting term or field, found nothing";throw new I.QueryParseError(n,t.start,t.end)}switch(r.type){case I.QueryLexer.FIELD:return I.QueryParser.parseField;case I.QueryLexer.TERM:return I.QueryParser.parseTerm;default:n="expecting term or field, found '"+r.type+"'";throw new I.QueryParseError(n,r.start,r.end)}}},I.QueryParser.parseField=function(e){var t=e.consumeLexeme();if(null!=t){if(-1==e.query.allFields.indexOf(t.str)){var n=e.query.allFields.map((function(e){return"'"+e+"'"})).join(", "),r="unrecognised field '"+t.str+"', possible fields: "+n;throw new I.QueryParseError(r,t.start,t.end)}e.currentClause.fields=[t.str];var a=e.peekLexeme();if(null==a){r="expecting term, found nothing";throw new I.QueryParseError(r,t.start,t.end)}if(a.type===I.QueryLexer.TERM)return I.QueryParser.parseTerm;r="expecting term, found '"+a.type+"'";throw new I.QueryParseError(r,a.start,a.end)}},I.QueryParser.parseTerm=function(e){var t=e.consumeLexeme();if(null!=t){e.currentClause.term=t.str.toLowerCase(),-1!=t.str.indexOf("*")&&(e.currentClause.usePipeline=!1);var n=e.peekLexeme();if(null!=n)switch(n.type){case I.QueryLexer.TERM:return e.nextClause(),I.QueryParser.parseTerm;case I.QueryLexer.FIELD:return e.nextClause(),I.QueryParser.parseField;case I.QueryLexer.EDIT_DISTANCE:return I.QueryParser.parseEditDistance;case I.QueryLexer.BOOST:return I.QueryParser.parseBoost;case I.QueryLexer.PRESENCE:return e.nextClause(),I.QueryParser.parsePresence;default:var r="Unexpected lexeme type '"+n.type+"'";throw new I.QueryParseError(r,n.start,n.end)}else e.nextClause()}},I.QueryParser.parseEditDistance=function(e){var t=e.consumeLexeme();if(null!=t){var n=parseInt(t.str,10);if(isNaN(n)){var r="edit distance must be numeric";throw new I.QueryParseError(r,t.start,t.end)}e.currentClause.editDistance=n;var a=e.peekLexeme();if(null!=a)switch(a.type){case I.QueryLexer.TERM:return e.nextClause(),I.QueryParser.parseTerm;case I.QueryLexer.FIELD:return e.nextClause(),I.QueryParser.parseField;case I.QueryLexer.EDIT_DISTANCE:return I.QueryParser.parseEditDistance;case I.QueryLexer.BOOST:return I.QueryParser.parseBoost;case I.QueryLexer.PRESENCE:return e.nextClause(),I.QueryParser.parsePresence;default:r="Unexpected lexeme type '"+a.type+"'";throw new I.QueryParseError(r,a.start,a.end)}else e.nextClause()}},I.QueryParser.parseBoost=function(e){var t=e.consumeLexeme();if(null!=t){var n=parseInt(t.str,10);if(isNaN(n)){var r="boost must be numeric";throw new I.QueryParseError(r,t.start,t.end)}e.currentClause.boost=n;var a=e.peekLexeme();if(null!=a)switch(a.type){case I.QueryLexer.TERM:return e.nextClause(),I.QueryParser.parseTerm;case I.QueryLexer.FIELD:return e.nextClause(),I.QueryParser.parseField;case I.QueryLexer.EDIT_DISTANCE:return I.QueryParser.parseEditDistance;case I.QueryLexer.BOOST:return I.QueryParser.parseBoost;case I.QueryLexer.PRESENCE:return e.nextClause(),I.QueryParser.parsePresence;default:r="Unexpected lexeme type '"+a.type+"'";throw new I.QueryParseError(r,a.start,a.end)}else e.nextClause()}},void 0===(a="function"==typeof(r=function(){return I})?r.call(t,n,t,e):r)||(e.exports=a)}()},813:function(e){e.exports=function(){"use strict";var e="function"==typeof Symbol&&"symbol"==typeof Symbol.iterator?function(e){return typeof e}:function(e){return e&&"function"==typeof Symbol&&e.constructor===Symbol&&e!==Symbol.prototype?"symbol":typeof e},t=function(e,t){if(!(e instanceof t))throw new TypeError("Cannot call a class as a function")},n=function(){function e(e,t){for(var n=0;n<t.length;n++){var r=t[n];r.enumerable=r.enumerable||!1,r.configurable=!0,"value"in r&&(r.writable=!0),Object.defineProperty(e,r.key,r)}}return function(t,n,r){return n&&e(t.prototype,n),r&&e(t,r),t}}(),r=Object.assign||function(e){for(var t=1;t<arguments.length;t++){var n=arguments[t];for(var r in n)Object.prototype.hasOwnProperty.call(n,r)&&(e[r]=n[r])}return e},a=function(){function e(n){var r=!(arguments.length>1&&void 0!==arguments[1])||arguments[1],a=arguments.length>2&&void 0!==arguments[2]?arguments[2]:[],o=arguments.length>3&&void 0!==arguments[3]?arguments[3]:5e3;t(this,e),this.ctx=n,this.iframes=r,this.exclude=a,this.iframesTimeout=o}return n(e,[{key:"getContexts",value:function(){var e=[];return(void 0!==this.ctx&&this.ctx?NodeList.prototype.isPrototypeOf(this.ctx)?Array.prototype.slice.call(this.ctx):Array.isArray(this.ctx)?this.ctx:"string"==typeof this.ctx?Array.prototype.slice.call(document.querySelectorAll(this.ctx)):[this.ctx]:[]).forEach((function(t){var n=e.filter((function(e){return e.contains(t)})).length>0;-1!==e.indexOf(t)||n||e.push(t)})),e}},{key:"getIframeContents",value:function(e,t){var n=arguments.length>2&&void 0!==arguments[2]?arguments[2]:function(){},r=void 0;try{var a=e.contentWindow;if(r=a.document,!a||!r)throw new Error("iframe inaccessible")}catch(o){n()}r&&t(r)}},{key:"isIframeBlank",value:function(e){var t="about:blank",n=e.getAttribute("src").trim();return e.contentWindow.location.href===t&&n!==t&&n}},{key:"observeIframeLoad",value:function(e,t,n){var r=this,a=!1,o=null,i=function i(){if(!a){a=!0,clearTimeout(o);try{r.isIframeBlank(e)||(e.removeEventListener("load",i),r.getIframeContents(e,t,n))}catch(s){n()}}};e.addEventListener("load",i),o=setTimeout(i,this.iframesTimeout)}},{key:"onIframeReady",value:function(e,t,n){try{"complete"===e.contentWindow.document.readyState?this.isIframeBlank(e)?this.observeIframeLoad(e,t,n):this.getIframeContents(e,t,n):this.observeIframeLoad(e,t,n)}catch(r){n()}}},{key:"waitForIframes",value:function(e,t){var n=this,r=0;this.forEachIframe(e,(function(){return!0}),(function(e){r++,n.waitForIframes(e.querySelector("html"),(function(){--r||t()}))}),(function(e){e||t()}))}},{key:"forEachIframe",value:function(t,n,r){var a=this,o=arguments.length>3&&void 0!==arguments[3]?arguments[3]:function(){},i=t.querySelectorAll("iframe"),s=i.length,l=0;i=Array.prototype.slice.call(i);var c=function(){--s<=0&&o(l)};s||c(),i.forEach((function(t){e.matches(t,a.exclude)?c():a.onIframeReady(t,(function(e){n(t)&&(l++,r(e)),c()}),c)}))}},{key:"createIterator",value:function(e,t,n){return document.createNodeIterator(e,t,n,!1)}},{key:"createInstanceOnIframe",value:function(t){return new e(t.querySelector("html"),this.iframes)}},{key:"compareNodeIframe",value:function(e,t,n){if(e.compareDocumentPosition(n)&Node.DOCUMENT_POSITION_PRECEDING){if(null===t)return!0;if(t.compareDocumentPosition(n)&Node.DOCUMENT_POSITION_FOLLOWING)return!0}return!1}},{key:"getIteratorNode",value:function(e){var t=e.previousNode();return{prevNode:t,node:(null===t||e.nextNode())&&e.nextNode()}}},{key:"checkIframeFilter",value:function(e,t,n,r){var a=!1,o=!1;return r.forEach((function(e,t){e.val===n&&(a=t,o=e.handled)})),this.compareNodeIframe(e,t,n)?(!1!==a||o?!1===a||o||(r[a].handled=!0):r.push({val:n,handled:!0}),!0):(!1===a&&r.push({val:n,handled:!1}),!1)}},{key:"handleOpenIframes",value:function(e,t,n,r){var a=this;e.forEach((function(e){e.handled||a.getIframeContents(e.val,(function(e){a.createInstanceOnIframe(e).forEachNode(t,n,r)}))}))}},{key:"iterateThroughNodes",value:function(e,t,n,r,a){for(var o=this,i=this.createIterator(t,e,r),s=[],l=[],c=void 0,u=void 0,d=function(){var e=o.getIteratorNode(i);return u=e.prevNode,c=e.node};d();)this.iframes&&this.forEachIframe(t,(function(e){return o.checkIframeFilter(c,u,e,s)}),(function(t){o.createInstanceOnIframe(t).forEachNode(e,(function(e){return l.push(e)}),r)})),l.push(c);l.forEach((function(e){n(e)})),this.iframes&&this.handleOpenIframes(s,e,n,r),a()}},{key:"forEachNode",value:function(e,t,n){var r=this,a=arguments.length>3&&void 0!==arguments[3]?arguments[3]:function(){},o=this.getContexts(),i=o.length;i||a(),o.forEach((function(o){var s=function(){r.iterateThroughNodes(e,o,t,n,(function(){--i<=0&&a()}))};r.iframes?r.waitForIframes(o,s):s()}))}}],[{key:"matches",value:function(e,t){var n="string"==typeof t?[t]:t,r=e.matches||e.matchesSelector||e.msMatchesSelector||e.mozMatchesSelector||e.oMatchesSelector||e.webkitMatchesSelector;if(r){var a=!1;return n.every((function(t){return!r.call(e,t)||(a=!0,!1)})),a}return!1}}]),e}(),o=function(){function o(e){t(this,o),this.ctx=e,this.ie=!1;var n=window.navigator.userAgent;(n.indexOf("MSIE")>-1||n.indexOf("Trident")>-1)&&(this.ie=!0)}return n(o,[{key:"log",value:function(t){var n=arguments.length>1&&void 0!==arguments[1]?arguments[1]:"debug",r=this.opt.log;this.opt.debug&&"object"===(void 0===r?"undefined":e(r))&&"function"==typeof r[n]&&r[n]("mark.js: "+t)}},{key:"escapeStr",value:function(e){return e.replace(/[\-\[\]\/\{\}\(\)\*\+\?\.\\\^\$\|]/g,"\\$&")}},{key:"createRegExp",value:function(e){return"disabled"!==this.opt.wildcards&&(e=this.setupWildcardsRegExp(e)),e=this.escapeStr(e),Object.keys(this.opt.synonyms).length&&(e=this.createSynonymsRegExp(e)),(this.opt.ignoreJoiners||this.opt.ignorePunctuation.length)&&(e=this.setupIgnoreJoinersRegExp(e)),this.opt.diacritics&&(e=this.createDiacriticsRegExp(e)),e=this.createMergedBlanksRegExp(e),(this.opt.ignoreJoiners||this.opt.ignorePunctuation.length)&&(e=this.createJoinersRegExp(e)),"disabled"!==this.opt.wildcards&&(e=this.createWildcardsRegExp(e)),e=this.createAccuracyRegExp(e)}},{key:"createSynonymsRegExp",value:function(e){var t=this.opt.synonyms,n=this.opt.caseSensitive?"":"i",r=this.opt.ignoreJoiners||this.opt.ignorePunctuation.length?"\0":"";for(var a in t)if(t.hasOwnProperty(a)){var o=t[a],i="disabled"!==this.opt.wildcards?this.setupWildcardsRegExp(a):this.escapeStr(a),s="disabled"!==this.opt.wildcards?this.setupWildcardsRegExp(o):this.escapeStr(o);""!==i&&""!==s&&(e=e.replace(new RegExp("("+this.escapeStr(i)+"|"+this.escapeStr(s)+")","gm"+n),r+"("+this.processSynomyms(i)+"|"+this.processSynomyms(s)+")"+r))}return e}},{key:"processSynomyms",value:function(e){return(this.opt.ignoreJoiners||this.opt.ignorePunctuation.length)&&(e=this.setupIgnoreJoinersRegExp(e)),e}},{key:"setupWildcardsRegExp",value:function(e){return(e=e.replace(/(?:\\)*\?/g,(function(e){return"\\"===e.charAt(0)?"?":"\x01"}))).replace(/(?:\\)*\*/g,(function(e){return"\\"===e.charAt(0)?"*":"\x02"}))}},{key:"createWildcardsRegExp",value:function(e){var t="withSpaces"===this.opt.wildcards;return e.replace(/\u0001/g,t?"[\\S\\s]?":"\\S?").replace(/\u0002/g,t?"[\\S\\s]*?":"\\S*")}},{key:"setupIgnoreJoinersRegExp",value:function(e){return e.replace(/[^(|)\\]/g,(function(e,t,n){var r=n.charAt(t+1);return/[(|)\\]/.test(r)||""===r?e:e+"\0"}))}},{key:"createJoinersRegExp",value:function(e){var t=[],n=this.opt.ignorePunctuation;return Array.isArray(n)&&n.length&&t.push(this.escapeStr(n.join(""))),this.opt.ignoreJoiners&&t.push("\\u00ad\\u200b\\u200c\\u200d"),t.length?e.split(/\u0000+/).join("["+t.join("")+"]*"):e}},{key:"createDiacriticsRegExp",value:function(e){var t=this.opt.caseSensitive?"":"i",n=this.opt.caseSensitive?["a\xe0\xe1\u1ea3\xe3\u1ea1\u0103\u1eb1\u1eaf\u1eb3\u1eb5\u1eb7\xe2\u1ea7\u1ea5\u1ea9\u1eab\u1ead\xe4\xe5\u0101\u0105","A\xc0\xc1\u1ea2\xc3\u1ea0\u0102\u1eb0\u1eae\u1eb2\u1eb4\u1eb6\xc2\u1ea6\u1ea4\u1ea8\u1eaa\u1eac\xc4\xc5\u0100\u0104","c\xe7\u0107\u010d","C\xc7\u0106\u010c","d\u0111\u010f","D\u0110\u010e","e\xe8\xe9\u1ebb\u1ebd\u1eb9\xea\u1ec1\u1ebf\u1ec3\u1ec5\u1ec7\xeb\u011b\u0113\u0119","E\xc8\xc9\u1eba\u1ebc\u1eb8\xca\u1ec0\u1ebe\u1ec2\u1ec4\u1ec6\xcb\u011a\u0112\u0118","i\xec\xed\u1ec9\u0129\u1ecb\xee\xef\u012b","I\xcc\xcd\u1ec8\u0128\u1eca\xce\xcf\u012a","l\u0142","L\u0141","n\xf1\u0148\u0144","N\xd1\u0147\u0143","o\xf2\xf3\u1ecf\xf5\u1ecd\xf4\u1ed3\u1ed1\u1ed5\u1ed7\u1ed9\u01a1\u1edf\u1ee1\u1edb\u1edd\u1ee3\xf6\xf8\u014d","O\xd2\xd3\u1ece\xd5\u1ecc\xd4\u1ed2\u1ed0\u1ed4\u1ed6\u1ed8\u01a0\u1ede\u1ee0\u1eda\u1edc\u1ee2\xd6\xd8\u014c","r\u0159","R\u0158","s\u0161\u015b\u0219\u015f","S\u0160\u015a\u0218\u015e","t\u0165\u021b\u0163","T\u0164\u021a\u0162","u\xf9\xfa\u1ee7\u0169\u1ee5\u01b0\u1eeb\u1ee9\u1eed\u1eef\u1ef1\xfb\xfc\u016f\u016b","U\xd9\xda\u1ee6\u0168\u1ee4\u01af\u1eea\u1ee8\u1eec\u1eee\u1ef0\xdb\xdc\u016e\u016a","y\xfd\u1ef3\u1ef7\u1ef9\u1ef5\xff","Y\xdd\u1ef2\u1ef6\u1ef8\u1ef4\u0178","z\u017e\u017c\u017a","Z\u017d\u017b\u0179"]:["a\xe0\xe1\u1ea3\xe3\u1ea1\u0103\u1eb1\u1eaf\u1eb3\u1eb5\u1eb7\xe2\u1ea7\u1ea5\u1ea9\u1eab\u1ead\xe4\xe5\u0101\u0105A\xc0\xc1\u1ea2\xc3\u1ea0\u0102\u1eb0\u1eae\u1eb2\u1eb4\u1eb6\xc2\u1ea6\u1ea4\u1ea8\u1eaa\u1eac\xc4\xc5\u0100\u0104","c\xe7\u0107\u010dC\xc7\u0106\u010c","d\u0111\u010fD\u0110\u010e","e\xe8\xe9\u1ebb\u1ebd\u1eb9\xea\u1ec1\u1ebf\u1ec3\u1ec5\u1ec7\xeb\u011b\u0113\u0119E\xc8\xc9\u1eba\u1ebc\u1eb8\xca\u1ec0\u1ebe\u1ec2\u1ec4\u1ec6\xcb\u011a\u0112\u0118","i\xec\xed\u1ec9\u0129\u1ecb\xee\xef\u012bI\xcc\xcd\u1ec8\u0128\u1eca\xce\xcf\u012a","l\u0142L\u0141","n\xf1\u0148\u0144N\xd1\u0147\u0143","o\xf2\xf3\u1ecf\xf5\u1ecd\xf4\u1ed3\u1ed1\u1ed5\u1ed7\u1ed9\u01a1\u1edf\u1ee1\u1edb\u1edd\u1ee3\xf6\xf8\u014dO\xd2\xd3\u1ece\xd5\u1ecc\xd4\u1ed2\u1ed0\u1ed4\u1ed6\u1ed8\u01a0\u1ede\u1ee0\u1eda\u1edc\u1ee2\xd6\xd8\u014c","r\u0159R\u0158","s\u0161\u015b\u0219\u015fS\u0160\u015a\u0218\u015e","t\u0165\u021b\u0163T\u0164\u021a\u0162","u\xf9\xfa\u1ee7\u0169\u1ee5\u01b0\u1eeb\u1ee9\u1eed\u1eef\u1ef1\xfb\xfc\u016f\u016bU\xd9\xda\u1ee6\u0168\u1ee4\u01af\u1eea\u1ee8\u1eec\u1eee\u1ef0\xdb\xdc\u016e\u016a","y\xfd\u1ef3\u1ef7\u1ef9\u1ef5\xffY\xdd\u1ef2\u1ef6\u1ef8\u1ef4\u0178","z\u017e\u017c\u017aZ\u017d\u017b\u0179"],r=[];return e.split("").forEach((function(a){n.every((function(n){if(-1!==n.indexOf(a)){if(r.indexOf(n)>-1)return!1;e=e.replace(new RegExp("["+n+"]","gm"+t),"["+n+"]"),r.push(n)}return!0}))})),e}},{key:"createMergedBlanksRegExp",value:function(e){return e.replace(/[\s]+/gim,"[\\s]+")}},{key:"createAccuracyRegExp",value:function(e){var t=this,n="!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~\xa1\xbf",r=this.opt.accuracy,a="string"==typeof r?r:r.value,o="string"==typeof r?[]:r.limiters,i="";switch(o.forEach((function(e){i+="|"+t.escapeStr(e)})),a){case"partially":default:return"()("+e+")";case"complementary":return"()([^"+(i="\\s"+(i||this.escapeStr(n)))+"]*"+e+"[^"+i+"]*)";case"exactly":return"(^|\\s"+i+")("+e+")(?=$|\\s"+i+")"}}},{key:"getSeparatedKeywords",value:function(e){var t=this,n=[];return e.forEach((function(e){t.opt.separateWordSearch?e.split(" ").forEach((function(e){e.trim()&&-1===n.indexOf(e)&&n.push(e)})):e.trim()&&-1===n.indexOf(e)&&n.push(e)})),{keywords:n.sort((function(e,t){return t.length-e.length})),length:n.length}}},{key:"isNumeric",value:function(e){return Number(parseFloat(e))==e}},{key:"checkRanges",value:function(e){var t=this;if(!Array.isArray(e)||"[object Object]"!==Object.prototype.toString.call(e[0]))return this.log("markRanges() will only accept an array of objects"),this.opt.noMatch(e),[];var n=[],r=0;return e.sort((function(e,t){return e.start-t.start})).forEach((function(e){var a=t.callNoMatchOnInvalidRanges(e,r),o=a.start,i=a.end;a.valid&&(e.start=o,e.length=i-o,n.push(e),r=i)})),n}},{key:"callNoMatchOnInvalidRanges",value:function(e,t){var n=void 0,r=void 0,a=!1;return e&&void 0!==e.start?(r=(n=parseInt(e.start,10))+parseInt(e.length,10),this.isNumeric(e.start)&&this.isNumeric(e.length)&&r-t>0&&r-n>0?a=!0:(this.log("Ignoring invalid or overlapping range: "+JSON.stringify(e)),this.opt.noMatch(e))):(this.log("Ignoring invalid range: "+JSON.stringify(e)),this.opt.noMatch(e)),{start:n,end:r,valid:a}}},{key:"checkWhitespaceRanges",value:function(e,t,n){var r=void 0,a=!0,o=n.length,i=t-o,s=parseInt(e.start,10)-i;return(r=(s=s>o?o:s)+parseInt(e.length,10))>o&&(r=o,this.log("End range automatically set to the max value of "+o)),s<0||r-s<0||s>o||r>o?(a=!1,this.log("Invalid range: "+JSON.stringify(e)),this.opt.noMatch(e)):""===n.substring(s,r).replace(/\s+/g,"")&&(a=!1,this.log("Skipping whitespace only range: "+JSON.stringify(e)),this.opt.noMatch(e)),{start:s,end:r,valid:a}}},{key:"getTextNodes",value:function(e){var t=this,n="",r=[];this.iterator.forEachNode(NodeFilter.SHOW_TEXT,(function(e){r.push({start:n.length,end:(n+=e.textContent).length,node:e})}),(function(e){return t.matchesExclude(e.parentNode)?NodeFilter.FILTER_REJECT:NodeFilter.FILTER_ACCEPT}),(function(){e({value:n,nodes:r})}))}},{key:"matchesExclude",value:function(e){return a.matches(e,this.opt.exclude.concat(["script","style","title","head","html"]))}},{key:"wrapRangeInTextNode",value:function(e,t,n){var r=this.opt.element?this.opt.element:"mark",a=e.splitText(t),o=a.splitText(n-t),i=document.createElement(r);return i.setAttribute("data-markjs","true"),this.opt.className&&i.setAttribute("class",this.opt.className),i.textContent=a.textContent,a.parentNode.replaceChild(i,a),o}},{key:"wrapRangeInMappedTextNode",value:function(e,t,n,r,a){var o=this;e.nodes.every((function(i,s){var l=e.nodes[s+1];if(void 0===l||l.start>t){if(!r(i.node))return!1;var c=t-i.start,u=(n>i.end?i.end:n)-i.start,d=e.value.substr(0,i.start),p=e.value.substr(u+i.start);if(i.node=o.wrapRangeInTextNode(i.node,c,u),e.value=d+p,e.nodes.forEach((function(t,n){n>=s&&(e.nodes[n].start>0&&n!==s&&(e.nodes[n].start-=u),e.nodes[n].end-=u)})),n-=u,a(i.node.previousSibling,i.start),!(n>i.end))return!1;t=i.end}return!0}))}},{key:"wrapMatches",value:function(e,t,n,r,a){var o=this,i=0===t?0:t+1;this.getTextNodes((function(t){t.nodes.forEach((function(t){t=t.node;for(var a=void 0;null!==(a=e.exec(t.textContent))&&""!==a[i];)if(n(a[i],t)){var s=a.index;if(0!==i)for(var l=1;l<i;l++)s+=a[l].length;t=o.wrapRangeInTextNode(t,s,s+a[i].length),r(t.previousSibling),e.lastIndex=0}})),a()}))}},{key:"wrapMatchesAcrossElements",value:function(e,t,n,r,a){var o=this,i=0===t?0:t+1;this.getTextNodes((function(t){for(var s=void 0;null!==(s=e.exec(t.value))&&""!==s[i];){var l=s.index;if(0!==i)for(var c=1;c<i;c++)l+=s[c].length;var u=l+s[i].length;o.wrapRangeInMappedTextNode(t,l,u,(function(e){return n(s[i],e)}),(function(t,n){e.lastIndex=n,r(t)}))}a()}))}},{key:"wrapRangeFromIndex",value:function(e,t,n,r){var a=this;this.getTextNodes((function(o){var i=o.value.length;e.forEach((function(e,r){var s=a.checkWhitespaceRanges(e,i,o.value),l=s.start,c=s.end;s.valid&&a.wrapRangeInMappedTextNode(o,l,c,(function(n){return t(n,e,o.value.substring(l,c),r)}),(function(t){n(t,e)}))})),r()}))}},{key:"unwrapMatches",value:function(e){for(var t=e.parentNode,n=document.createDocumentFragment();e.firstChild;)n.appendChild(e.removeChild(e.firstChild));t.replaceChild(n,e),this.ie?this.normalizeTextNode(t):t.normalize()}},{key:"normalizeTextNode",value:function(e){if(e){if(3===e.nodeType)for(;e.nextSibling&&3===e.nextSibling.nodeType;)e.nodeValue+=e.nextSibling.nodeValue,e.parentNode.removeChild(e.nextSibling);else this.normalizeTextNode(e.firstChild);this.normalizeTextNode(e.nextSibling)}}},{key:"markRegExp",value:function(e,t){var n=this;this.opt=t,this.log('Searching with expression "'+e+'"');var r=0,a="wrapMatches",o=function(e){r++,n.opt.each(e)};this.opt.acrossElements&&(a="wrapMatchesAcrossElements"),this[a](e,this.opt.ignoreGroups,(function(e,t){return n.opt.filter(t,e,r)}),o,(function(){0===r&&n.opt.noMatch(e),n.opt.done(r)}))}},{key:"mark",value:function(e,t){var n=this;this.opt=t;var r=0,a="wrapMatches",o=this.getSeparatedKeywords("string"==typeof e?[e]:e),i=o.keywords,s=o.length,l=this.opt.caseSensitive?"":"i",c=function e(t){var o=new RegExp(n.createRegExp(t),"gm"+l),c=0;n.log('Searching with expression "'+o+'"'),n[a](o,1,(function(e,a){return n.opt.filter(a,t,r,c)}),(function(e){c++,r++,n.opt.each(e)}),(function(){0===c&&n.opt.noMatch(t),i[s-1]===t?n.opt.done(r):e(i[i.indexOf(t)+1])}))};this.opt.acrossElements&&(a="wrapMatchesAcrossElements"),0===s?this.opt.done(r):c(i[0])}},{key:"markRanges",value:function(e,t){var n=this;this.opt=t;var r=0,a=this.checkRanges(e);a&&a.length?(this.log("Starting to mark with the following ranges: "+JSON.stringify(a)),this.wrapRangeFromIndex(a,(function(e,t,r,a){return n.opt.filter(e,t,r,a)}),(function(e,t){r++,n.opt.each(e,t)}),(function(){n.opt.done(r)}))):this.opt.done(r)}},{key:"unmark",value:function(e){var t=this;this.opt=e;var n=this.opt.element?this.opt.element:"*";n+="[data-markjs]",this.opt.className&&(n+="."+this.opt.className),this.log('Removal selector "'+n+'"'),this.iterator.forEachNode(NodeFilter.SHOW_ELEMENT,(function(e){t.unwrapMatches(e)}),(function(e){var r=a.matches(e,n),o=t.matchesExclude(e);return!r||o?NodeFilter.FILTER_REJECT:NodeFilter.FILTER_ACCEPT}),this.opt.done)}},{key:"opt",set:function(e){this._opt=r({},{element:"",className:"",exclude:[],iframes:!1,iframesTimeout:5e3,separateWordSearch:!0,diacritics:!0,synonyms:{},accuracy:"partially",acrossElements:!1,caseSensitive:!1,ignoreJoiners:!1,ignoreGroups:0,ignorePunctuation:[],wildcards:"disabled",each:function(){},noMatch:function(){},filter:function(){return!0},done:function(){},debug:!1,log:window.console},e)},get:function(){return this._opt}},{key:"iterator",get:function(){return new a(this.ctx,this.opt.iframes,this.opt.exclude,this.opt.iframesTimeout)}}]),o}();function i(e){var t=this,n=new o(e);return this.mark=function(e,r){return n.mark(e,r),t},this.markRegExp=function(e,r){return n.markRegExp(e,r),t},this.markRanges=function(e,r){return n.markRanges(e,r),t},this.unmark=function(e){return n.unmark(e),t},this}return i}()},2497:(e,t,n)=>{"use strict";n.r(t)},2295:(e,t,n)=>{"use strict";n.r(t)},4865:function(e,t,n){var r,a;r=function(){var e,t,n={version:"0.2.0"},r=n.settings={minimum:.08,easing:"ease",positionUsing:"",speed:200,trickle:!0,trickleRate:.02,trickleSpeed:800,showSpinner:!0,barSelector:'[role="bar"]',spinnerSelector:'[role="spinner"]',parent:"body",template:'<div class="bar" role="bar"><div class="peg"></div></div><div class="spinner" role="spinner"><div class="spinner-icon"></div></div>'};function a(e,t,n){return e<t?t:e>n?n:e}function o(e){return 100*(-1+e)}function i(e,t,n){var a;return(a="translate3d"===r.positionUsing?{transform:"translate3d("+o(e)+"%,0,0)"}:"translate"===r.positionUsing?{transform:"translate("+o(e)+"%,0)"}:{"margin-left":o(e)+"%"}).transition="all "+t+"ms "+n,a}n.configure=function(e){var t,n;for(t in e)void 0!==(n=e[t])&&e.hasOwnProperty(t)&&(r[t]=n);return this},n.status=null,n.set=function(e){var t=n.isStarted();e=a(e,r.minimum,1),n.status=1===e?null:e;var o=n.render(!t),c=o.querySelector(r.barSelector),u=r.speed,d=r.easing;return o.offsetWidth,s((function(t){""===r.positionUsing&&(r.positionUsing=n.getPositioningCSS()),l(c,i(e,u,d)),1===e?(l(o,{transition:"none",opacity:1}),o.offsetWidth,setTimeout((function(){l(o,{transition:"all "+u+"ms linear",opacity:0}),setTimeout((function(){n.remove(),t()}),u)}),u)):setTimeout(t,u)})),this},n.isStarted=function(){return"number"==typeof n.status},n.start=function(){n.status||n.set(0);var e=function(){setTimeout((function(){n.status&&(n.trickle(),e())}),r.trickleSpeed)};return r.trickle&&e(),this},n.done=function(e){return e||n.status?n.inc(.3+.5*Math.random()).set(1):this},n.inc=function(e){var t=n.status;return t?("number"!=typeof e&&(e=(1-t)*a(Math.random()*t,.1,.95)),t=a(t+e,0,.994),n.set(t)):n.start()},n.trickle=function(){return n.inc(Math.random()*r.trickleRate)},e=0,t=0,n.promise=function(r){return r&&"resolved"!==r.state()?(0===t&&n.start(),e++,t++,r.always((function(){0==--t?(e=0,n.done()):n.set((e-t)/e)})),this):this},n.render=function(e){if(n.isRendered())return document.getElementById("nprogress");u(document.documentElement,"nprogress-busy");var t=document.createElement("div");t.id="nprogress",t.innerHTML=r.template;var a,i=t.querySelector(r.barSelector),s=e?"-100":o(n.status||0),c=document.querySelector(r.parent);return l(i,{transition:"all 0 linear",transform:"translate3d("+s+"%,0,0)"}),r.showSpinner||(a=t.querySelector(r.spinnerSelector))&&f(a),c!=document.body&&u(c,"nprogress-custom-parent"),c.appendChild(t),t},n.remove=function(){d(document.documentElement,"nprogress-busy"),d(document.querySelector(r.parent),"nprogress-custom-parent");var e=document.getElementById("nprogress");e&&f(e)},n.isRendered=function(){return!!document.getElementById("nprogress")},n.getPositioningCSS=function(){var e=document.body.style,t="WebkitTransform"in e?"Webkit":"MozTransform"in e?"Moz":"msTransform"in e?"ms":"OTransform"in e?"O":"";return t+"Perspective"in e?"translate3d":t+"Transform"in e?"translate":"margin"};var s=function(){var e=[];function t(){var n=e.shift();n&&n(t)}return function(n){e.push(n),1==e.length&&t()}}(),l=function(){var e=["Webkit","O","Moz","ms"],t={};function n(e){return e.replace(/^-ms-/,"ms-").replace(/-([\da-z])/gi,(function(e,t){return t.toUpperCase()}))}function r(t){var n=document.body.style;if(t in n)return t;for(var r,a=e.length,o=t.charAt(0).toUpperCase()+t.slice(1);a--;)if((r=e[a]+o)in n)return r;return t}function a(e){return e=n(e),t[e]||(t[e]=r(e))}function o(e,t,n){t=a(t),e.style[t]=n}return function(e,t){var n,r,a=arguments;if(2==a.length)for(n in t)void 0!==(r=t[n])&&t.hasOwnProperty(n)&&o(e,n,r);else o(e,a[1],a[2])}}();function c(e,t){return("string"==typeof e?e:p(e)).indexOf(" "+t+" ")>=0}function u(e,t){var n=p(e),r=n+t;c(n,t)||(e.className=r.substring(1))}function d(e,t){var n,r=p(e);c(e,t)&&(n=r.replace(" "+t+" "," "),e.className=n.substring(1,n.length-1))}function p(e){return(" "+(e.className||"")+" ").replace(/\s+/gi," ")}function f(e){e&&e.parentNode&&e.parentNode.removeChild(e)}return n},void 0===(a="function"==typeof r?r.call(t,n,t,e):r)||(e.exports=a)},9901:e=>{e.exports&&(e.exports={core:{meta:{path:"components/prism-core.js",option:"mandatory"},core:"Core"},themes:{meta:{path:"themes/{id}.css",link:"index.html?theme={id}",exclusive:!0},prism:{title:"Default",option:"default"},"prism-dark":"Dark","prism-funky":"Funky","prism-okaidia":{title:"Okaidia",owner:"ocodia"},"prism-twilight":{title:"Twilight",owner:"remybach"},"prism-coy":{title:"Coy",owner:"tshedor"},"prism-solarizedlight":{title:"Solarized Light",owner:"hectormatos2011 "},"prism-tomorrow":{title:"Tomorrow Night",owner:"Rosey"}},languages:{meta:{path:"components/prism-{id}",noCSS:!0,examplesPath:"examples/prism-{id}",addCheckAll:!0},markup:{title:"Markup",alias:["html","xml","svg","mathml","ssml","atom","rss"],aliasTitles:{html:"HTML",xml:"XML",svg:"SVG",mathml:"MathML",ssml:"SSML",atom:"Atom",rss:"RSS"},option:"default"},css:{title:"CSS",option:"default",modify:"markup"},clike:{title:"C-like",option:"default"},javascript:{title:"JavaScript",require:"clike",modify:"markup",optional:"regex",alias:"js",option:"default"},abap:{title:"ABAP",owner:"dellagustin"},abnf:{title:"ABNF",owner:"RunDevelopment"},actionscript:{title:"ActionScript",require:"javascript",modify:"markup",owner:"Golmote"},ada:{title:"Ada",owner:"Lucretia"},agda:{title:"Agda",owner:"xy-ren"},al:{title:"AL",owner:"RunDevelopment"},antlr4:{title:"ANTLR4",alias:"g4",owner:"RunDevelopment"},apacheconf:{title:"Apache Configuration",owner:"GuiTeK"},apex:{title:"Apex",require:["clike","sql"],owner:"RunDevelopment"},apl:{title:"APL",owner:"ngn"},applescript:{title:"AppleScript",owner:"Golmote"},aql:{title:"AQL",owner:"RunDevelopment"},arduino:{title:"Arduino",require:"cpp",alias:"ino",owner:"dkern"},arff:{title:"ARFF",owner:"Golmote"},armasm:{title:"ARM Assembly",alias:"arm-asm",owner:"RunDevelopment"},arturo:{title:"Arturo",alias:"art",optional:["bash","css","javascript","markup","markdown","sql"],owner:"drkameleon"},asciidoc:{alias:"adoc",title:"AsciiDoc",owner:"Golmote"},aspnet:{title:"ASP.NET (C#)",require:["markup","csharp"],owner:"nauzilus"},asm6502:{title:"6502 Assembly",owner:"kzurawel"},asmatmel:{title:"Atmel AVR Assembly",owner:"cerkit"},autohotkey:{title:"AutoHotkey",owner:"aviaryan"},autoit:{title:"AutoIt",owner:"Golmote"},avisynth:{title:"AviSynth",alias:"avs",owner:"Zinfidel"},"avro-idl":{title:"Avro IDL",alias:"avdl",owner:"RunDevelopment"},awk:{title:"AWK",alias:"gawk",aliasTitles:{gawk:"GAWK"},owner:"RunDevelopment"},bash:{title:"Bash",alias:["sh","shell"],aliasTitles:{sh:"Shell",shell:"Shell"},owner:"zeitgeist87"},basic:{title:"BASIC",owner:"Golmote"},batch:{title:"Batch",owner:"Golmote"},bbcode:{title:"BBcode",alias:"shortcode",aliasTitles:{shortcode:"Shortcode"},owner:"RunDevelopment"},bbj:{title:"BBj",owner:"hyyan"},bicep:{title:"Bicep",owner:"johnnyreilly"},birb:{title:"Birb",require:"clike",owner:"Calamity210"},bison:{title:"Bison",require:"c",owner:"Golmote"},bnf:{title:"BNF",alias:"rbnf",aliasTitles:{rbnf:"RBNF"},owner:"RunDevelopment"},bqn:{title:"BQN",owner:"yewscion"},brainfuck:{title:"Brainfuck",owner:"Golmote"},brightscript:{title:"BrightScript",owner:"RunDevelopment"},bro:{title:"Bro",owner:"wayward710"},bsl:{title:"BSL (1C:Enterprise)",alias:"oscript",aliasTitles:{oscript:"OneScript"},owner:"Diversus23"},c:{title:"C",require:"clike",owner:"zeitgeist87"},csharp:{title:"C#",require:"clike",alias:["cs","dotnet"],owner:"mvalipour"},cpp:{title:"C++",require:"c",owner:"zeitgeist87"},cfscript:{title:"CFScript",require:"clike",alias:"cfc",owner:"mjclemente"},chaiscript:{title:"ChaiScript",require:["clike","cpp"],owner:"RunDevelopment"},cil:{title:"CIL",owner:"sbrl"},cilkc:{title:"Cilk/C",require:"c",alias:"cilk-c",owner:"OpenCilk"},cilkcpp:{title:"Cilk/C++",require:"cpp",alias:["cilk-cpp","cilk"],owner:"OpenCilk"},clojure:{title:"Clojure",owner:"troglotit"},cmake:{title:"CMake",owner:"mjrogozinski"},cobol:{title:"COBOL",owner:"RunDevelopment"},coffeescript:{title:"CoffeeScript",require:"javascript",alias:"coffee",owner:"R-osey"},concurnas:{title:"Concurnas",alias:"conc",owner:"jasontatton"},csp:{title:"Content-Security-Policy",owner:"ScottHelme"},cooklang:{title:"Cooklang",owner:"ahue"},coq:{title:"Coq",owner:"RunDevelopment"},crystal:{title:"Crystal",require:"ruby",owner:"MakeNowJust"},"css-extras":{title:"CSS Extras",require:"css",modify:"css",owner:"milesj"},csv:{title:"CSV",owner:"RunDevelopment"},cue:{title:"CUE",owner:"RunDevelopment"},cypher:{title:"Cypher",owner:"RunDevelopment"},d:{title:"D",require:"clike",owner:"Golmote"},dart:{title:"Dart",require:"clike",owner:"Golmote"},dataweave:{title:"DataWeave",owner:"machaval"},dax:{title:"DAX",owner:"peterbud"},dhall:{title:"Dhall",owner:"RunDevelopment"},diff:{title:"Diff",owner:"uranusjr"},django:{title:"Django/Jinja2",require:"markup-templating",alias:"jinja2",owner:"romanvm"},"dns-zone-file":{title:"DNS zone file",owner:"RunDevelopment",alias:"dns-zone"},docker:{title:"Docker",alias:"dockerfile",owner:"JustinBeckwith"},dot:{title:"DOT (Graphviz)",alias:"gv",optional:"markup",owner:"RunDevelopment"},ebnf:{title:"EBNF",owner:"RunDevelopment"},editorconfig:{title:"EditorConfig",owner:"osipxd"},eiffel:{title:"Eiffel",owner:"Conaclos"},ejs:{title:"EJS",require:["javascript","markup-templating"],owner:"RunDevelopment",alias:"eta",aliasTitles:{eta:"Eta"}},elixir:{title:"Elixir",owner:"Golmote"},elm:{title:"Elm",owner:"zwilias"},etlua:{title:"Embedded Lua templating",require:["lua","markup-templating"],owner:"RunDevelopment"},erb:{title:"ERB",require:["ruby","markup-templating"],owner:"Golmote"},erlang:{title:"Erlang",owner:"Golmote"},"excel-formula":{title:"Excel Formula",alias:["xlsx","xls"],owner:"RunDevelopment"},fsharp:{title:"F#",require:"clike",owner:"simonreynolds7"},factor:{title:"Factor",owner:"catb0t"},false:{title:"False",owner:"edukisto"},"firestore-security-rules":{title:"Firestore security rules",require:"clike",owner:"RunDevelopment"},flow:{title:"Flow",require:"javascript",owner:"Golmote"},fortran:{title:"Fortran",owner:"Golmote"},ftl:{title:"FreeMarker Template Language",require:"markup-templating",owner:"RunDevelopment"},gml:{title:"GameMaker Language",alias:"gamemakerlanguage",require:"clike",owner:"LiarOnce"},gap:{title:"GAP (CAS)",owner:"RunDevelopment"},gcode:{title:"G-code",owner:"RunDevelopment"},gdscript:{title:"GDScript",owner:"RunDevelopment"},gedcom:{title:"GEDCOM",owner:"Golmote"},gettext:{title:"gettext",alias:"po",owner:"RunDevelopment"},gherkin:{title:"Gherkin",owner:"hason"},git:{title:"Git",owner:"lgiraudel"},glsl:{title:"GLSL",require:"c",owner:"Golmote"},gn:{title:"GN",alias:"gni",owner:"RunDevelopment"},"linker-script":{title:"GNU Linker Script",alias:"ld",owner:"RunDevelopment"},go:{title:"Go",require:"clike",owner:"arnehormann"},"go-module":{title:"Go module",alias:"go-mod",owner:"RunDevelopment"},gradle:{title:"Gradle",require:"clike",owner:"zeabdelkhalek-badido18"},graphql:{title:"GraphQL",optional:"markdown",owner:"Golmote"},groovy:{title:"Groovy",require:"clike",owner:"robfletcher"},haml:{title:"Haml",require:"ruby",optional:["css","css-extras","coffeescript","erb","javascript","less","markdown","scss","textile"],owner:"Golmote"},handlebars:{title:"Handlebars",require:"markup-templating",alias:["hbs","mustache"],aliasTitles:{mustache:"Mustache"},owner:"Golmote"},haskell:{title:"Haskell",alias:"hs",owner:"bholst"},haxe:{title:"Haxe",require:"clike",optional:"regex",owner:"Golmote"},hcl:{title:"HCL",owner:"outsideris"},hlsl:{title:"HLSL",require:"c",owner:"RunDevelopment"},hoon:{title:"Hoon",owner:"matildepark"},http:{title:"HTTP",optional:["csp","css","hpkp","hsts","javascript","json","markup","uri"],owner:"danielgtaylor"},hpkp:{title:"HTTP Public-Key-Pins",owner:"ScottHelme"},hsts:{title:"HTTP Strict-Transport-Security",owner:"ScottHelme"},ichigojam:{title:"IchigoJam",owner:"BlueCocoa"},icon:{title:"Icon",owner:"Golmote"},"icu-message-format":{title:"ICU Message Format",owner:"RunDevelopment"},idris:{title:"Idris",alias:"idr",owner:"KeenS",require:"haskell"},ignore:{title:".ignore",owner:"osipxd",alias:["gitignore","hgignore","npmignore"],aliasTitles:{gitignore:".gitignore",hgignore:".hgignore",npmignore:".npmignore"}},inform7:{title:"Inform 7",owner:"Golmote"},ini:{title:"Ini",owner:"aviaryan"},io:{title:"Io",owner:"AlesTsurko"},j:{title:"J",owner:"Golmote"},java:{title:"Java",require:"clike",owner:"sherblot"},javadoc:{title:"JavaDoc",require:["markup","java","javadoclike"],modify:"java",optional:"scala",owner:"RunDevelopment"},javadoclike:{title:"JavaDoc-like",modify:["java","javascript","php"],owner:"RunDevelopment"},javastacktrace:{title:"Java stack trace",owner:"RunDevelopment"},jexl:{title:"Jexl",owner:"czosel"},jolie:{title:"Jolie",require:"clike",owner:"thesave"},jq:{title:"JQ",owner:"RunDevelopment"},jsdoc:{title:"JSDoc",require:["javascript","javadoclike","typescript"],modify:"javascript",optional:["actionscript","coffeescript"],owner:"RunDevelopment"},"js-extras":{title:"JS Extras",require:"javascript",modify:"javascript",optional:["actionscript","coffeescript","flow","n4js","typescript"],owner:"RunDevelopment"},json:{title:"JSON",alias:"webmanifest",aliasTitles:{webmanifest:"Web App Manifest"},owner:"CupOfTea696"},json5:{title:"JSON5",require:"json",owner:"RunDevelopment"},jsonp:{title:"JSONP",require:"json",owner:"RunDevelopment"},jsstacktrace:{title:"JS stack trace",owner:"sbrl"},"js-templates":{title:"JS Templates",require:"javascript",modify:"javascript",optional:["css","css-extras","graphql","markdown","markup","sql"],owner:"RunDevelopment"},julia:{title:"Julia",owner:"cdagnino"},keepalived:{title:"Keepalived Configure",owner:"dev-itsheng"},keyman:{title:"Keyman",owner:"mcdurdin"},kotlin:{title:"Kotlin",alias:["kt","kts"],aliasTitles:{kts:"Kotlin Script"},require:"clike",owner:"Golmote"},kumir:{title:"KuMir (\u041a\u0443\u041c\u0438\u0440)",alias:"kum",owner:"edukisto"},kusto:{title:"Kusto",owner:"RunDevelopment"},latex:{title:"LaTeX",alias:["tex","context"],aliasTitles:{tex:"TeX",context:"ConTeXt"},owner:"japborst"},latte:{title:"Latte",require:["clike","markup-templating","php"],owner:"nette"},less:{title:"Less",require:"css",optional:"css-extras",owner:"Golmote"},lilypond:{title:"LilyPond",require:"scheme",alias:"ly",owner:"RunDevelopment"},liquid:{title:"Liquid",require:"markup-templating",owner:"cinhtau"},lisp:{title:"Lisp",alias:["emacs","elisp","emacs-lisp"],owner:"JuanCaicedo"},livescript:{title:"LiveScript",owner:"Golmote"},llvm:{title:"LLVM IR",owner:"porglezomp"},log:{title:"Log file",optional:"javastacktrace",owner:"RunDevelopment"},lolcode:{title:"LOLCODE",owner:"Golmote"},lua:{title:"Lua",owner:"Golmote"},magma:{title:"Magma (CAS)",owner:"RunDevelopment"},makefile:{title:"Makefile",owner:"Golmote"},markdown:{title:"Markdown",require:"markup",optional:"yaml",alias:"md",owner:"Golmote"},"markup-templating":{title:"Markup templating",require:"markup",owner:"Golmote"},mata:{title:"Mata",owner:"RunDevelopment"},matlab:{title:"MATLAB",owner:"Golmote"},maxscript:{title:"MAXScript",owner:"RunDevelopment"},mel:{title:"MEL",owner:"Golmote"},mermaid:{title:"Mermaid",owner:"RunDevelopment"},metafont:{title:"METAFONT",owner:"LaeriExNihilo"},mizar:{title:"Mizar",owner:"Golmote"},mongodb:{title:"MongoDB",owner:"airs0urce",require:"javascript"},monkey:{title:"Monkey",owner:"Golmote"},moonscript:{title:"MoonScript",alias:"moon",owner:"RunDevelopment"},n1ql:{title:"N1QL",owner:"TMWilds"},n4js:{title:"N4JS",require:"javascript",optional:"jsdoc",alias:"n4jsd",owner:"bsmith-n4"},"nand2tetris-hdl":{title:"Nand To Tetris HDL",owner:"stephanmax"},naniscript:{title:"Naninovel Script",owner:"Elringus",alias:"nani"},nasm:{title:"NASM",owner:"rbmj"},neon:{title:"NEON",owner:"nette"},nevod:{title:"Nevod",owner:"nezaboodka"},nginx:{title:"nginx",owner:"volado"},nim:{title:"Nim",owner:"Golmote"},nix:{title:"Nix",owner:"Golmote"},nsis:{title:"NSIS",owner:"idleberg"},objectivec:{title:"Objective-C",require:"c",alias:"objc",owner:"uranusjr"},ocaml:{title:"OCaml",owner:"Golmote"},odin:{title:"Odin",owner:"edukisto"},opencl:{title:"OpenCL",require:"c",modify:["c","cpp"],owner:"Milania1"},openqasm:{title:"OpenQasm",alias:"qasm",owner:"RunDevelopment"},oz:{title:"Oz",owner:"Golmote"},parigp:{title:"PARI/GP",owner:"Golmote"},parser:{title:"Parser",require:"markup",owner:"Golmote"},pascal:{title:"Pascal",alias:"objectpascal",aliasTitles:{objectpascal:"Object Pascal"},owner:"Golmote"},pascaligo:{title:"Pascaligo",owner:"DefinitelyNotAGoat"},psl:{title:"PATROL Scripting Language",owner:"bertysentry"},pcaxis:{title:"PC-Axis",alias:"px",owner:"RunDevelopment"},peoplecode:{title:"PeopleCode",alias:"pcode",owner:"RunDevelopment"},perl:{title:"Perl",owner:"Golmote"},php:{title:"PHP",require:"markup-templating",owner:"milesj"},phpdoc:{title:"PHPDoc",require:["php","javadoclike"],modify:"php",owner:"RunDevelopment"},"php-extras":{title:"PHP Extras",require:"php",modify:"php",owner:"milesj"},"plant-uml":{title:"PlantUML",alias:"plantuml",owner:"RunDevelopment"},plsql:{title:"PL/SQL",require:"sql",owner:"Golmote"},powerquery:{title:"PowerQuery",alias:["pq","mscript"],owner:"peterbud"},powershell:{title:"PowerShell",owner:"nauzilus"},processing:{title:"Processing",require:"clike",owner:"Golmote"},prolog:{title:"Prolog",owner:"Golmote"},promql:{title:"PromQL",owner:"arendjr"},properties:{title:".properties",owner:"Golmote"},protobuf:{title:"Protocol Buffers",require:"clike",owner:"just-boris"},pug:{title:"Pug",require:["markup","javascript"],optional:["coffeescript","ejs","handlebars","less","livescript","markdown","scss","stylus","twig"],owner:"Golmote"},puppet:{title:"Puppet",owner:"Golmote"},pure:{title:"Pure",optional:["c","cpp","fortran"],owner:"Golmote"},purebasic:{title:"PureBasic",require:"clike",alias:"pbfasm",owner:"HeX0R101"},purescript:{title:"PureScript",require:"haskell",alias:"purs",owner:"sriharshachilakapati"},python:{title:"Python",alias:"py",owner:"multipetros"},qsharp:{title:"Q#",require:"clike",alias:"qs",owner:"fedonman"},q:{title:"Q (kdb+ database)",owner:"Golmote"},qml:{title:"QML",require:"javascript",owner:"RunDevelopment"},qore:{title:"Qore",require:"clike",owner:"temnroegg"},r:{title:"R",owner:"Golmote"},racket:{title:"Racket",require:"scheme",alias:"rkt",owner:"RunDevelopment"},cshtml:{title:"Razor C#",alias:"razor",require:["markup","csharp"],optional:["css","css-extras","javascript","js-extras"],owner:"RunDevelopment"},jsx:{title:"React JSX",require:["markup","javascript"],optional:["jsdoc","js-extras","js-templates"],owner:"vkbansal"},tsx:{title:"React TSX",require:["jsx","typescript"]},reason:{title:"Reason",require:"clike",owner:"Golmote"},regex:{title:"Regex",owner:"RunDevelopment"},rego:{title:"Rego",owner:"JordanSh"},renpy:{title:"Ren'py",alias:"rpy",owner:"HyuchiaDiego"},rescript:{title:"ReScript",alias:"res",owner:"vmarcosp"},rest:{title:"reST (reStructuredText)",owner:"Golmote"},rip:{title:"Rip",owner:"ravinggenius"},roboconf:{title:"Roboconf",owner:"Golmote"},robotframework:{title:"Robot Framework",alias:"robot",owner:"RunDevelopment"},ruby:{title:"Ruby",require:"clike",alias:"rb",owner:"samflores"},rust:{title:"Rust",owner:"Golmote"},sas:{title:"SAS",optional:["groovy","lua","sql"],owner:"Golmote"},sass:{title:"Sass (Sass)",require:"css",optional:"css-extras",owner:"Golmote"},scss:{title:"Sass (SCSS)",require:"css",optional:"css-extras",owner:"MoOx"},scala:{title:"Scala",require:"java",owner:"jozic"},scheme:{title:"Scheme",owner:"bacchus123"},"shell-session":{title:"Shell session",require:"bash",alias:["sh-session","shellsession"],owner:"RunDevelopment"},smali:{title:"Smali",owner:"RunDevelopment"},smalltalk:{title:"Smalltalk",owner:"Golmote"},smarty:{title:"Smarty",require:"markup-templating",optional:"php",owner:"Golmote"},sml:{title:"SML",alias:"smlnj",aliasTitles:{smlnj:"SML/NJ"},owner:"RunDevelopment"},solidity:{title:"Solidity (Ethereum)",alias:"sol",require:"clike",owner:"glachaud"},"solution-file":{title:"Solution file",alias:"sln",owner:"RunDevelopment"},soy:{title:"Soy (Closure Template)",require:"markup-templating",owner:"Golmote"},sparql:{title:"SPARQL",require:"turtle",owner:"Triply-Dev",alias:"rq"},"splunk-spl":{title:"Splunk SPL",owner:"RunDevelopment"},sqf:{title:"SQF: Status Quo Function (Arma 3)",require:"clike",owner:"RunDevelopment"},sql:{title:"SQL",owner:"multipetros"},squirrel:{title:"Squirrel",require:"clike",owner:"RunDevelopment"},stan:{title:"Stan",owner:"RunDevelopment"},stata:{title:"Stata Ado",require:["mata","java","python"],owner:"RunDevelopment"},iecst:{title:"Structured Text (IEC 61131-3)",owner:"serhioromano"},stylus:{title:"Stylus",owner:"vkbansal"},supercollider:{title:"SuperCollider",alias:"sclang",owner:"RunDevelopment"},swift:{title:"Swift",owner:"chrischares"},systemd:{title:"Systemd configuration file",owner:"RunDevelopment"},"t4-templating":{title:"T4 templating",owner:"RunDevelopment"},"t4-cs":{title:"T4 Text Templates (C#)",require:["t4-templating","csharp"],alias:"t4",owner:"RunDevelopment"},"t4-vb":{title:"T4 Text Templates (VB)",require:["t4-templating","vbnet"],owner:"RunDevelopment"},tap:{title:"TAP",owner:"isaacs",require:"yaml"},tcl:{title:"Tcl",owner:"PeterChaplin"},tt2:{title:"Template Toolkit 2",require:["clike","markup-templating"],owner:"gflohr"},textile:{title:"Textile",require:"markup",optional:"css",owner:"Golmote"},toml:{title:"TOML",owner:"RunDevelopment"},tremor:{title:"Tremor",alias:["trickle","troy"],owner:"darach",aliasTitles:{trickle:"trickle",troy:"troy"}},turtle:{title:"Turtle",alias:"trig",aliasTitles:{trig:"TriG"},owner:"jakubklimek"},twig:{title:"Twig",require:"markup-templating",owner:"brandonkelly"},typescript:{title:"TypeScript",require:"javascript",optional:"js-templates",alias:"ts",owner:"vkbansal"},typoscript:{title:"TypoScript",alias:"tsconfig",aliasTitles:{tsconfig:"TSConfig"},owner:"dkern"},unrealscript:{title:"UnrealScript",alias:["uscript","uc"],owner:"RunDevelopment"},uorazor:{title:"UO Razor Script",owner:"jaseowns"},uri:{title:"URI",alias:"url",aliasTitles:{url:"URL"},owner:"RunDevelopment"},v:{title:"V",require:"clike",owner:"taggon"},vala:{title:"Vala",require:"clike",optional:"regex",owner:"TemplarVolk"},vbnet:{title:"VB.Net",require:"basic",owner:"Bigsby"},velocity:{title:"Velocity",require:"markup",owner:"Golmote"},verilog:{title:"Verilog",owner:"a-rey"},vhdl:{title:"VHDL",owner:"a-rey"},vim:{title:"vim",owner:"westonganger"},"visual-basic":{title:"Visual Basic",alias:["vb","vba"],aliasTitles:{vba:"VBA"},owner:"Golmote"},warpscript:{title:"WarpScript",owner:"RunDevelopment"},wasm:{title:"WebAssembly",owner:"Golmote"},"web-idl":{title:"Web IDL",alias:"webidl",owner:"RunDevelopment"},wgsl:{title:"WGSL",owner:"Dr4gonthree"},wiki:{title:"Wiki markup",require:"markup",owner:"Golmote"},wolfram:{title:"Wolfram language",alias:["mathematica","nb","wl"],aliasTitles:{mathematica:"Mathematica",nb:"Mathematica Notebook"},owner:"msollami"},wren:{title:"Wren",owner:"clsource"},xeora:{title:"Xeora",require:"markup",alias:"xeoracube",aliasTitles:{xeoracube:"XeoraCube"},owner:"freakmaxi"},"xml-doc":{title:"XML doc (.net)",require:"markup",modify:["csharp","fsharp","vbnet"],owner:"RunDevelopment"},xojo:{title:"Xojo (REALbasic)",owner:"Golmote"},xquery:{title:"XQuery",require:"markup",owner:"Golmote"},yaml:{title:"YAML",alias:"yml",owner:"hason"},yang:{title:"YANG",owner:"RunDevelopment"},zig:{title:"Zig",owner:"RunDevelopment"}},plugins:{meta:{path:"plugins/{id}/prism-{id}",link:"plugins/{id}/"},"line-highlight":{title:"Line Highlight",description:"Highlights specific lines and/or line ranges."},"line-numbers":{title:"Line Numbers",description:"Line number at the beginning of code lines.",owner:"kuba-kubula"},"show-invisibles":{title:"Show Invisibles",description:"Show hidden characters such as tabs and line breaks.",optional:["autolinker","data-uri-highlight"]},autolinker:{title:"Autolinker",description:"Converts URLs and emails in code to clickable links. Parses Markdown links in comments."},wpd:{title:"WebPlatform Docs",description:'Makes tokens link to <a href="https://webplatform.github.io/docs/">WebPlatform.org documentation</a>. The links open in a new tab.'},"custom-class":{title:"Custom Class",description:"This plugin allows you to prefix Prism's default classes (<code>.comment</code> can become <code>.namespace--comment</code>) or replace them with your defined ones (like <code>.editor__comment</code>). You can even add new classes.",owner:"dvkndn",noCSS:!0},"file-highlight":{title:"File Highlight",description:"Fetch external files and highlight them with Prism. Used on the Prism website itself.",noCSS:!0},"show-language":{title:"Show Language",description:"Display the highlighted language in code blocks (inline code does not show the label).",owner:"nauzilus",noCSS:!0,require:"toolbar"},"jsonp-highlight":{title:"JSONP Highlight",description:"Fetch content with JSONP and highlight some interesting content (e.g. GitHub/Gists or Bitbucket API).",noCSS:!0,owner:"nauzilus"},"highlight-keywords":{title:"Highlight Keywords",description:"Adds special CSS classes for each keyword for fine-grained highlighting.",owner:"vkbansal",noCSS:!0},"remove-initial-line-feed":{title:"Remove initial line feed",description:"Removes the initial line feed in code blocks.",owner:"Golmote",noCSS:!0},"inline-color":{title:"Inline color",description:"Adds a small inline preview for colors in style sheets.",require:"css-extras",owner:"RunDevelopment"},previewers:{title:"Previewers",description:"Previewers for angles, colors, gradients, easing and time.",require:"css-extras",owner:"Golmote"},autoloader:{title:"Autoloader",description:"Automatically loads the needed languages to highlight the code blocks.",owner:"Golmote",noCSS:!0},"keep-markup":{title:"Keep Markup",description:"Prevents custom markup from being dropped out during highlighting.",owner:"Golmote",optional:"normalize-whitespace",noCSS:!0},"command-line":{title:"Command Line",description:"Display a command line with a prompt and, optionally, the output/response from the commands.",owner:"chriswells0"},"unescaped-markup":{title:"Unescaped Markup",description:"Write markup without having to escape anything."},"normalize-whitespace":{title:"Normalize Whitespace",description:"Supports multiple operations to normalize whitespace in code blocks.",owner:"zeitgeist87",optional:"unescaped-markup",noCSS:!0},"data-uri-highlight":{title:"Data-URI Highlight",description:"Highlights data-URI contents.",owner:"Golmote",noCSS:!0},toolbar:{title:"Toolbar",description:"Attach a toolbar for plugins to easily register buttons on the top of a code block.",owner:"mAAdhaTTah"},"copy-to-clipboard":{title:"Copy to Clipboard Button",description:"Add a button that copies the code block to the clipboard when clicked.",owner:"mAAdhaTTah",require:"toolbar",noCSS:!0},"download-button":{title:"Download Button",description:"A button in the toolbar of a code block adding a convenient way to download a code file.",owner:"Golmote",require:"toolbar",noCSS:!0},"match-braces":{title:"Match braces",description:"Highlights matching braces.",owner:"RunDevelopment"},"diff-highlight":{title:"Diff Highlight",description:"Highlights the code inside diff blocks.",owner:"RunDevelopment",require:"diff"},"filter-highlight-all":{title:"Filter highlightAll",description:"Filters the elements the <code>highlightAll</code> and <code>highlightAllUnder</code> methods actually highlight.",owner:"RunDevelopment",noCSS:!0},treeview:{title:"Treeview",description:"A language with special styles to highlight file system tree structures.",owner:"Golmote"}}})},2885:(e,t,n)=>{const r=n(9901),a=n(9642),o=new Set;function i(e){void 0===e?e=Object.keys(r.languages).filter((e=>"meta"!=e)):Array.isArray(e)||(e=[e]);const t=[...o,...Object.keys(Prism.languages)];a(r,e,t).load((e=>{if(!(e in r.languages))return void(i.silent||console.warn("Language does not exist: "+e));const t="./prism-"+e;delete n.c[n(6500).resolve(t)],delete Prism.languages[e],n(6500)(t),o.add(e)}))}i.silent=!1,e.exports=i},6854:()=>{!function(e){function t(e,t){return"___"+e.toUpperCase()+t+"___"}Object.defineProperties(e.languages["markup-templating"]={},{buildPlaceholders:{value:function(n,r,a,o){if(n.language===r){var i=n.tokenStack=[];n.code=n.code.replace(a,(function(e){if("function"==typeof o&&!o(e))return e;for(var a,s=i.length;-1!==n.code.indexOf(a=t(r,s));)++s;return i[s]=e,a})),n.grammar=e.languages.markup}}},tokenizePlaceholders:{value:function(n,r){if(n.language===r&&n.tokenStack){n.grammar=e.languages[r];var a=0,o=Object.keys(n.tokenStack);!function i(s){for(var l=0;l<s.length&&!(a>=o.length);l++){var c=s[l];if("string"==typeof c||c.content&&"string"==typeof c.content){var u=o[a],d=n.tokenStack[u],p="string"==typeof c?c:c.content,f=t(r,u),h=p.indexOf(f);if(h>-1){++a;var m=p.substring(0,h),g=new e.Token(r,e.tokenize(d,n.grammar),"language-"+r,d),y=p.substring(h+f.length),b=[];m&&b.push.apply(b,i([m])),b.push(g),y&&b.push.apply(b,i([y])),"string"==typeof c?s.splice.apply(s,[l,1].concat(b)):c.content=b}}else c.content&&i(c.content)}return s}(n.tokens)}}}})}(Prism)},6726:(e,t,n)=>{var r={"./":2885};function a(e){var t=o(e);return n(t)}function o(e){if(!n.o(r,e)){var t=new Error("Cannot find module '"+e+"'");throw t.code="MODULE_NOT_FOUND",t}return r[e]}a.keys=function(){return Object.keys(r)},a.resolve=o,e.exports=a,a.id=6726},6500:(e,t,n)=>{var r={"./":2885};function a(e){var t=o(e);return n(t)}function o(e){if(!n.o(r,e)){var t=new Error("Cannot find module '"+e+"'");throw t.code="MODULE_NOT_FOUND",t}return r[e]}a.keys=function(){return Object.keys(r)},a.resolve=o,e.exports=a,a.id=6500},9642:e=>{"use strict";var t=function(){var e=function(){};function t(e,t){Array.isArray(e)?e.forEach(t):null!=e&&t(e,0)}function n(e){for(var t={},n=0,r=e.length;n<r;n++)t[e[n]]=!0;return t}function r(e){var n={},r=[];function a(r,o){if(!(r in n)){o.push(r);var i=o.indexOf(r);if(i<o.length-1)throw new Error("Circular dependency: "+o.slice(i).join(" -> "));var s={},l=e[r];if(l){function c(t){if(!(t in e))throw new Error(r+" depends on an unknown component "+t);if(!(t in s))for(var i in a(t,o),s[t]=!0,n[t])s[i]=!0}t(l.require,c),t(l.optional,c),t(l.modify,c)}n[r]=s,o.pop()}}return function(e){var t=n[e];return t||(a(e,r),t=n[e]),t}}function a(e){for(var t in e)return!0;return!1}return function(o,i,s){var l=function(e){var t={};for(var n in e){var r=e[n];for(var a in r)if("meta"!=a){var o=r[a];t[a]="string"==typeof o?{title:o}:o}}return t}(o),c=function(e){var n;return function(r){if(r in e)return r;if(!n)for(var a in n={},e){var o=e[a];t(o&&o.alias,(function(t){if(t in n)throw new Error(t+" cannot be alias for both "+a+" and "+n[t]);if(t in e)throw new Error(t+" cannot be alias of "+a+" because it is a component.");n[t]=a}))}return n[r]||r}}(l);i=i.map(c),s=(s||[]).map(c);var u=n(i),d=n(s);i.forEach((function e(n){var r=l[n];t(r&&r.require,(function(t){t in d||(u[t]=!0,e(t))}))}));for(var p,f=r(l),h=u;a(h);){for(var m in p={},h){var g=l[m];t(g&&g.modify,(function(e){e in d&&(p[e]=!0)}))}for(var y in d)if(!(y in u))for(var b in f(y))if(b in u){p[y]=!0;break}for(var v in h=p)u[v]=!0}var w={getIds:function(){var e=[];return w.load((function(t){e.push(t)})),e},load:function(t,n){return function(t,n,r,a){var o=a?a.series:void 0,i=a?a.parallel:e,s={},l={};function c(e){if(e in s)return s[e];l[e]=!0;var a,u=[];for(var d in t(e))d in n&&u.push(d);if(0===u.length)a=r(e);else{var p=i(u.map((function(e){var t=c(e);return delete l[e],t})));o?a=o(p,(function(){return r(e)})):r(e)}return s[e]=a}for(var u in n)c(u);var d=[];for(var p in l)d.push(s[p]);return i(d)}(f,u,t,n)}};return w}}();e.exports=t},2703:(e,t,n)=>{"use strict";var r=n(414);function a(){}function o(){}o.resetWarningCache=a,e.exports=function(){function e(e,t,n,a,o,i){if(i!==r){var s=new Error("Calling PropTypes validators directly is not supported by the `prop-types` package. Use PropTypes.checkPropTypes() to call them. Read more at http://fb.me/use-check-prop-types");throw s.name="Invariant Violation",s}}function t(){return e}e.isRequired=e;var n={array:e,bigint:e,bool:e,func:e,number:e,object:e,string:e,symbol:e,any:e,arrayOf:t,element:e,elementType:e,instanceOf:t,node:e,objectOf:t,oneOf:t,oneOfType:t,shape:t,exact:t,checkPropTypes:o,resetWarningCache:a};return n.PropTypes=n,n}},5697:(e,t,n)=>{e.exports=n(2703)()},414:e=>{"use strict";e.exports="SECRET_DO_NOT_PASS_THIS_OR_YOU_WILL_BE_FIRED"},4448:(e,t,n)=>{"use strict";var r=n(7294),a=n(3840);function o(e){for(var t="https://reactjs.org/docs/error-decoder.html?invariant="+e,n=1;n<arguments.length;n++)t+="&args[]="+encodeURIComponent(arguments[n]);return"Minified React error #"+e+"; visit "+t+" for the full message or use the non-minified dev environment for full errors and additional helpful warnings."}var i=new Set,s={};function l(e,t){c(e,t),c(e+"Capture",t)}function c(e,t){for(s[e]=t,e=0;e<t.length;e++)i.add(t[e])}var u=!("undefined"==typeof window||void 0===window.document||void 0===window.document.createElement),d=Object.prototype.hasOwnProperty,p=/^[:A-Z_a-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD][:A-Z_a-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD\-.0-9\u00B7\u0300-\u036F\u203F-\u2040]*$/,f={},h={};function m(e,t,n,r,a,o,i){this.acceptsBooleans=2===t||3===t||4===t,this.attributeName=r,this.attributeNamespace=a,this.mustUseProperty=n,this.propertyName=e,this.type=t,this.sanitizeURL=o,this.removeEmptyString=i}var g={};"children dangerouslySetInnerHTML defaultValue defaultChecked innerHTML suppressContentEditableWarning suppressHydrationWarning style".split(" ").forEach((function(e){g[e]=new m(e,0,!1,e,null,!1,!1)})),[["acceptCharset","accept-charset"],["className","class"],["htmlFor","for"],["httpEquiv","http-equiv"]].forEach((function(e){var t=e[0];g[t]=new m(t,1,!1,e[1],null,!1,!1)})),["contentEditable","draggable","spellCheck","value"].forEach((function(e){g[e]=new m(e,2,!1,e.toLowerCase(),null,!1,!1)})),["autoReverse","externalResourcesRequired","focusable","preserveAlpha"].forEach((function(e){g[e]=new m(e,2,!1,e,null,!1,!1)})),"allowFullScreen async autoFocus autoPlay controls default defer disabled disablePictureInPicture disableRemotePlayback formNoValidate hidden loop noModule noValidate open playsInline readOnly required reversed scoped seamless itemScope".split(" ").forEach((function(e){g[e]=new m(e,3,!1,e.toLowerCase(),null,!1,!1)})),["checked","multiple","muted","selected"].forEach((function(e){g[e]=new m(e,3,!0,e,null,!1,!1)})),["capture","download"].forEach((function(e){g[e]=new m(e,4,!1,e,null,!1,!1)})),["cols","rows","size","span"].forEach((function(e){g[e]=new m(e,6,!1,e,null,!1,!1)})),["rowSpan","start"].forEach((function(e){g[e]=new m(e,5,!1,e.toLowerCase(),null,!1,!1)}));var y=/[\-:]([a-z])/g;function b(e){return e[1].toUpperCase()}function v(e,t,n,r){var a=g.hasOwnProperty(t)?g[t]:null;(null!==a?0!==a.type:r||!(2<t.length)||"o"!==t[0]&&"O"!==t[0]||"n"!==t[1]&&"N"!==t[1])&&(function(e,t,n,r){if(null==t||function(e,t,n,r){if(null!==n&&0===n.type)return!1;switch(typeof t){case"function":case"symbol":return!0;case"boolean":return!r&&(null!==n?!n.acceptsBooleans:"data-"!==(e=e.toLowerCase().slice(0,5))&&"aria-"!==e);default:return!1}}(e,t,n,r))return!0;if(r)return!1;if(null!==n)switch(n.type){case 3:return!t;case 4:return!1===t;case 5:return isNaN(t);case 6:return isNaN(t)||1>t}return!1}(t,n,a,r)&&(n=null),r||null===a?function(e){return!!d.call(h,e)||!d.call(f,e)&&(p.test(e)?h[e]=!0:(f[e]=!0,!1))}(t)&&(null===n?e.removeAttribute(t):e.setAttribute(t,""+n)):a.mustUseProperty?e[a.propertyName]=null===n?3!==a.type&&"":n:(t=a.attributeName,r=a.attributeNamespace,null===n?e.removeAttribute(t):(n=3===(a=a.type)||4===a&&!0===n?"":""+n,r?e.setAttributeNS(r,t,n):e.setAttribute(t,n))))}"accent-height alignment-baseline arabic-form baseline-shift cap-height clip-path clip-rule color-interpolation color-interpolation-filters color-profile color-rendering dominant-baseline enable-background fill-opacity fill-rule flood-color flood-opacity font-family font-size font-size-adjust font-stretch font-style font-variant font-weight glyph-name glyph-orientation-horizontal glyph-orientation-vertical horiz-adv-x horiz-origin-x image-rendering letter-spacing lighting-color marker-end marker-mid marker-start overline-position overline-thickness paint-order panose-1 pointer-events rendering-intent shape-rendering stop-color stop-opacity strikethrough-position strikethrough-thickness stroke-dasharray stroke-dashoffset stroke-linecap stroke-linejoin stroke-miterlimit stroke-opacity stroke-width text-anchor text-decoration text-rendering underline-position underline-thickness unicode-bidi unicode-range units-per-em v-alphabetic v-hanging v-ideographic v-mathematical vector-effect vert-adv-y vert-origin-x vert-origin-y word-spacing writing-mode xmlns:xlink x-height".split(" ").forEach((function(e){var t=e.replace(y,b);g[t]=new m(t,1,!1,e,null,!1,!1)})),"xlink:actuate xlink:arcrole xlink:role xlink:show xlink:title xlink:type".split(" ").forEach((function(e){var t=e.replace(y,b);g[t]=new m(t,1,!1,e,"http://www.w3.org/1999/xlink",!1,!1)})),["xml:base","xml:lang","xml:space"].forEach((function(e){var t=e.replace(y,b);g[t]=new m(t,1,!1,e,"http://www.w3.org/XML/1998/namespace",!1,!1)})),["tabIndex","crossOrigin"].forEach((function(e){g[e]=new m(e,1,!1,e.toLowerCase(),null,!1,!1)})),g.xlinkHref=new m("xlinkHref",1,!1,"xlink:href","http://www.w3.org/1999/xlink",!0,!1),["src","href","action","formAction"].forEach((function(e){g[e]=new m(e,1,!1,e.toLowerCase(),null,!0,!0)}));var w=r.__SECRET_INTERNALS_DO_NOT_USE_OR_YOU_WILL_BE_FIRED,k=Symbol.for("react.element"),x=Symbol.for("react.portal"),S=Symbol.for("react.fragment"),E=Symbol.for("react.strict_mode"),_=Symbol.for("react.profiler"),C=Symbol.for("react.provider"),T=Symbol.for("react.context"),L=Symbol.for("react.forward_ref"),j=Symbol.for("react.suspense"),R=Symbol.for("react.suspense_list"),P=Symbol.for("react.memo"),N=Symbol.for("react.lazy");Symbol.for("react.scope"),Symbol.for("react.debug_trace_mode");var A=Symbol.for("react.offscreen");Symbol.for("react.legacy_hidden"),Symbol.for("react.cache"),Symbol.for("react.tracing_marker");var O=Symbol.iterator;function I(e){return null===e||"object"!=typeof e?null:"function"==typeof(e=O&&e[O]||e["@@iterator"])?e:null}var D,F=Object.assign;function M(e){if(void 0===D)try{throw Error()}catch(n){var t=n.stack.trim().match(/\n( *(at )?)/);D=t&&t[1]||""}return"\n"+D+e}var B=!1;function z(e,t){if(!e||B)return"";B=!0;var n=Error.prepareStackTrace;Error.prepareStackTrace=void 0;try{if(t)if(t=function(){throw Error()},Object.defineProperty(t.prototype,"props",{set:function(){throw Error()}}),"object"==typeof Reflect&&Reflect.construct){try{Reflect.construct(t,[])}catch(c){var r=c}Reflect.construct(e,[],t)}else{try{t.call()}catch(c){r=c}e.call(t.prototype)}else{try{throw Error()}catch(c){r=c}e()}}catch(c){if(c&&r&&"string"==typeof c.stack){for(var a=c.stack.split("\n"),o=r.stack.split("\n"),i=a.length-1,s=o.length-1;1<=i&&0<=s&&a[i]!==o[s];)s--;for(;1<=i&&0<=s;i--,s--)if(a[i]!==o[s]){if(1!==i||1!==s)do{if(i--,0>--s||a[i]!==o[s]){var l="\n"+a[i].replace(" at new "," at ");return e.displayName&&l.includes("<anonymous>")&&(l=l.replace("<anonymous>",e.displayName)),l}}while(1<=i&&0<=s);break}}}finally{B=!1,Error.prepareStackTrace=n}return(e=e?e.displayName||e.name:"")?M(e):""}function $(e){switch(e.tag){case 5:return M(e.type);case 16:return M("Lazy");case 13:return M("Suspense");case 19:return M("SuspenseList");case 0:case 2:case 15:return e=z(e.type,!1);case 11:return e=z(e.type.render,!1);case 1:return e=z(e.type,!0);default:return""}}function U(e){if(null==e)return null;if("function"==typeof e)return e.displayName||e.name||null;if("string"==typeof e)return e;switch(e){case S:return"Fragment";case x:return"Portal";case _:return"Profiler";case E:return"StrictMode";case j:return"Suspense";case R:return"SuspenseList"}if("object"==typeof e)switch(e.$$typeof){case T:return(e.displayName||"Context")+".Consumer";case C:return(e._context.displayName||"Context")+".Provider";case L:var t=e.render;return(e=e.displayName)||(e=""!==(e=t.displayName||t.name||"")?"ForwardRef("+e+")":"ForwardRef"),e;case P:return null!==(t=e.displayName||null)?t:U(e.type)||"Memo";case N:t=e._payload,e=e._init;try{return U(e(t))}catch(n){}}return null}function q(e){var t=e.type;switch(e.tag){case 24:return"Cache";case 9:return(t.displayName||"Context")+".Consumer";case 10:return(t._context.displayName||"Context")+".Provider";case 18:return"DehydratedFragment";case 11:return e=(e=t.render).displayName||e.name||"",t.displayName||(""!==e?"ForwardRef("+e+")":"ForwardRef");case 7:return"Fragment";case 5:return t;case 4:return"Portal";case 3:return"Root";case 6:return"Text";case 16:return U(t);case 8:return t===E?"StrictMode":"Mode";case 22:return"Offscreen";case 12:return"Profiler";case 21:return"Scope";case 13:return"Suspense";case 19:return"SuspenseList";case 25:return"TracingMarker";case 1:case 0:case 17:case 2:case 14:case 15:if("function"==typeof t)return t.displayName||t.name||null;if("string"==typeof t)return t}return null}function H(e){switch(typeof e){case"boolean":case"number":case"string":case"undefined":case"object":return e;default:return""}}function Q(e){var t=e.type;return(e=e.nodeName)&&"input"===e.toLowerCase()&&("checkbox"===t||"radio"===t)}function Z(e){e._valueTracker||(e._valueTracker=function(e){var t=Q(e)?"checked":"value",n=Object.getOwnPropertyDescriptor(e.constructor.prototype,t),r=""+e[t];if(!e.hasOwnProperty(t)&&void 0!==n&&"function"==typeof n.get&&"function"==typeof n.set){var a=n.get,o=n.set;return Object.defineProperty(e,t,{configurable:!0,get:function(){return a.call(this)},set:function(e){r=""+e,o.call(this,e)}}),Object.defineProperty(e,t,{enumerable:n.enumerable}),{getValue:function(){return r},setValue:function(e){r=""+e},stopTracking:function(){e._valueTracker=null,delete e[t]}}}}(e))}function V(e){if(!e)return!1;var t=e._valueTracker;if(!t)return!0;var n=t.getValue(),r="";return e&&(r=Q(e)?e.checked?"true":"false":e.value),(e=r)!==n&&(t.setValue(e),!0)}function W(e){if(void 0===(e=e||("undefined"!=typeof document?document:void 0)))return null;try{return e.activeElement||e.body}catch(t){return e.body}}function G(e,t){var n=t.checked;return F({},t,{defaultChecked:void 0,defaultValue:void 0,value:void 0,checked:null!=n?n:e._wrapperState.initialChecked})}function X(e,t){var n=null==t.defaultValue?"":t.defaultValue,r=null!=t.checked?t.checked:t.defaultChecked;n=H(null!=t.value?t.value:n),e._wrapperState={initialChecked:r,initialValue:n,controlled:"checkbox"===t.type||"radio"===t.type?null!=t.checked:null!=t.value}}function K(e,t){null!=(t=t.checked)&&v(e,"checked",t,!1)}function Y(e,t){K(e,t);var n=H(t.value),r=t.type;if(null!=n)"number"===r?(0===n&&""===e.value||e.value!=n)&&(e.value=""+n):e.value!==""+n&&(e.value=""+n);else if("submit"===r||"reset"===r)return void e.removeAttribute("value");t.hasOwnProperty("value")?ee(e,t.type,n):t.hasOwnProperty("defaultValue")&&ee(e,t.type,H(t.defaultValue)),null==t.checked&&null!=t.defaultChecked&&(e.defaultChecked=!!t.defaultChecked)}function J(e,t,n){if(t.hasOwnProperty("value")||t.hasOwnProperty("defaultValue")){var r=t.type;if(!("submit"!==r&&"reset"!==r||void 0!==t.value&&null!==t.value))return;t=""+e._wrapperState.initialValue,n||t===e.value||(e.value=t),e.defaultValue=t}""!==(n=e.name)&&(e.name=""),e.defaultChecked=!!e._wrapperState.initialChecked,""!==n&&(e.name=n)}function ee(e,t,n){"number"===t&&W(e.ownerDocument)===e||(null==n?e.defaultValue=""+e._wrapperState.initialValue:e.defaultValue!==""+n&&(e.defaultValue=""+n))}var te=Array.isArray;function ne(e,t,n,r){if(e=e.options,t){t={};for(var a=0;a<n.length;a++)t["$"+n[a]]=!0;for(n=0;n<e.length;n++)a=t.hasOwnProperty("$"+e[n].value),e[n].selected!==a&&(e[n].selected=a),a&&r&&(e[n].defaultSelected=!0)}else{for(n=""+H(n),t=null,a=0;a<e.length;a++){if(e[a].value===n)return e[a].selected=!0,void(r&&(e[a].defaultSelected=!0));null!==t||e[a].disabled||(t=e[a])}null!==t&&(t.selected=!0)}}function re(e,t){if(null!=t.dangerouslySetInnerHTML)throw Error(o(91));return F({},t,{value:void 0,defaultValue:void 0,children:""+e._wrapperState.initialValue})}function ae(e,t){var n=t.value;if(null==n){if(n=t.children,t=t.defaultValue,null!=n){if(null!=t)throw Error(o(92));if(te(n)){if(1<n.length)throw Error(o(93));n=n[0]}t=n}null==t&&(t=""),n=t}e._wrapperState={initialValue:H(n)}}function oe(e,t){var n=H(t.value),r=H(t.defaultValue);null!=n&&((n=""+n)!==e.value&&(e.value=n),null==t.defaultValue&&e.defaultValue!==n&&(e.defaultValue=n)),null!=r&&(e.defaultValue=""+r)}function ie(e){var t=e.textContent;t===e._wrapperState.initialValue&&""!==t&&null!==t&&(e.value=t)}function se(e){switch(e){case"svg":return"http://www.w3.org/2000/svg";case"math":return"http://www.w3.org/1998/Math/MathML";default:return"http://www.w3.org/1999/xhtml"}}function le(e,t){return null==e||"http://www.w3.org/1999/xhtml"===e?se(t):"http://www.w3.org/2000/svg"===e&&"foreignObject"===t?"http://www.w3.org/1999/xhtml":e}var ce,ue,de=(ue=function(e,t){if("http://www.w3.org/2000/svg"!==e.namespaceURI||"innerHTML"in e)e.innerHTML=t;else{for((ce=ce||document.createElement("div")).innerHTML="<svg>"+t.valueOf().toString()+"</svg>",t=ce.firstChild;e.firstChild;)e.removeChild(e.firstChild);for(;t.firstChild;)e.appendChild(t.firstChild)}},"undefined"!=typeof MSApp&&MSApp.execUnsafeLocalFunction?function(e,t,n,r){MSApp.execUnsafeLocalFunction((function(){return ue(e,t)}))}:ue);function pe(e,t){if(t){var n=e.firstChild;if(n&&n===e.lastChild&&3===n.nodeType)return void(n.nodeValue=t)}e.textContent=t}var fe={animationIterationCount:!0,aspectRatio:!0,borderImageOutset:!0,borderImageSlice:!0,borderImageWidth:!0,boxFlex:!0,boxFlexGroup:!0,boxOrdinalGroup:!0,columnCount:!0,columns:!0,flex:!0,flexGrow:!0,flexPositive:!0,flexShrink:!0,flexNegative:!0,flexOrder:!0,gridArea:!0,gridRow:!0,gridRowEnd:!0,gridRowSpan:!0,gridRowStart:!0,gridColumn:!0,gridColumnEnd:!0,gridColumnSpan:!0,gridColumnStart:!0,fontWeight:!0,lineClamp:!0,lineHeight:!0,opacity:!0,order:!0,orphans:!0,tabSize:!0,widows:!0,zIndex:!0,zoom:!0,fillOpacity:!0,floodOpacity:!0,stopOpacity:!0,strokeDasharray:!0,strokeDashoffset:!0,strokeMiterlimit:!0,strokeOpacity:!0,strokeWidth:!0},he=["Webkit","ms","Moz","O"];function me(e,t,n){return null==t||"boolean"==typeof t||""===t?"":n||"number"!=typeof t||0===t||fe.hasOwnProperty(e)&&fe[e]?(""+t).trim():t+"px"}function ge(e,t){for(var n in e=e.style,t)if(t.hasOwnProperty(n)){var r=0===n.indexOf("--"),a=me(n,t[n],r);"float"===n&&(n="cssFloat"),r?e.setProperty(n,a):e[n]=a}}Object.keys(fe).forEach((function(e){he.forEach((function(t){t=t+e.charAt(0).toUpperCase()+e.substring(1),fe[t]=fe[e]}))}));var ye=F({menuitem:!0},{area:!0,base:!0,br:!0,col:!0,embed:!0,hr:!0,img:!0,input:!0,keygen:!0,link:!0,meta:!0,param:!0,source:!0,track:!0,wbr:!0});function be(e,t){if(t){if(ye[e]&&(null!=t.children||null!=t.dangerouslySetInnerHTML))throw Error(o(137,e));if(null!=t.dangerouslySetInnerHTML){if(null!=t.children)throw Error(o(60));if("object"!=typeof t.dangerouslySetInnerHTML||!("__html"in t.dangerouslySetInnerHTML))throw Error(o(61))}if(null!=t.style&&"object"!=typeof t.style)throw Error(o(62))}}function ve(e,t){if(-1===e.indexOf("-"))return"string"==typeof t.is;switch(e){case"annotation-xml":case"color-profile":case"font-face":case"font-face-src":case"font-face-uri":case"font-face-format":case"font-face-name":case"missing-glyph":return!1;default:return!0}}var we=null;function ke(e){return(e=e.target||e.srcElement||window).correspondingUseElement&&(e=e.correspondingUseElement),3===e.nodeType?e.parentNode:e}var xe=null,Se=null,Ee=null;function _e(e){if(e=va(e)){if("function"!=typeof xe)throw Error(o(280));var t=e.stateNode;t&&(t=ka(t),xe(e.stateNode,e.type,t))}}function Ce(e){Se?Ee?Ee.push(e):Ee=[e]:Se=e}function Te(){if(Se){var e=Se,t=Ee;if(Ee=Se=null,_e(e),t)for(e=0;e<t.length;e++)_e(t[e])}}function Le(e,t){return e(t)}function je(){}var Re=!1;function Pe(e,t,n){if(Re)return e(t,n);Re=!0;try{return Le(e,t,n)}finally{Re=!1,(null!==Se||null!==Ee)&&(je(),Te())}}function Ne(e,t){var n=e.stateNode;if(null===n)return null;var r=ka(n);if(null===r)return null;n=r[t];e:switch(t){case"onClick":case"onClickCapture":case"onDoubleClick":case"onDoubleClickCapture":case"onMouseDown":case"onMouseDownCapture":case"onMouseMove":case"onMouseMoveCapture":case"onMouseUp":case"onMouseUpCapture":case"onMouseEnter":(r=!r.disabled)||(r=!("button"===(e=e.type)||"input"===e||"select"===e||"textarea"===e)),e=!r;break e;default:e=!1}if(e)return null;if(n&&"function"!=typeof n)throw Error(o(231,t,typeof n));return n}var Ae=!1;if(u)try{var Oe={};Object.defineProperty(Oe,"passive",{get:function(){Ae=!0}}),window.addEventListener("test",Oe,Oe),window.removeEventListener("test",Oe,Oe)}catch(ue){Ae=!1}function Ie(e,t,n,r,a,o,i,s,l){var c=Array.prototype.slice.call(arguments,3);try{t.apply(n,c)}catch(u){this.onError(u)}}var De=!1,Fe=null,Me=!1,Be=null,ze={onError:function(e){De=!0,Fe=e}};function $e(e,t,n,r,a,o,i,s,l){De=!1,Fe=null,Ie.apply(ze,arguments)}function Ue(e){var t=e,n=e;if(e.alternate)for(;t.return;)t=t.return;else{e=t;do{0!=(4098&(t=e).flags)&&(n=t.return),e=t.return}while(e)}return 3===t.tag?n:null}function qe(e){if(13===e.tag){var t=e.memoizedState;if(null===t&&(null!==(e=e.alternate)&&(t=e.memoizedState)),null!==t)return t.dehydrated}return null}function He(e){if(Ue(e)!==e)throw Error(o(188))}function Qe(e){return null!==(e=function(e){var t=e.alternate;if(!t){if(null===(t=Ue(e)))throw Error(o(188));return t!==e?null:e}for(var n=e,r=t;;){var a=n.return;if(null===a)break;var i=a.alternate;if(null===i){if(null!==(r=a.return)){n=r;continue}break}if(a.child===i.child){for(i=a.child;i;){if(i===n)return He(a),e;if(i===r)return He(a),t;i=i.sibling}throw Error(o(188))}if(n.return!==r.return)n=a,r=i;else{for(var s=!1,l=a.child;l;){if(l===n){s=!0,n=a,r=i;break}if(l===r){s=!0,r=a,n=i;break}l=l.sibling}if(!s){for(l=i.child;l;){if(l===n){s=!0,n=i,r=a;break}if(l===r){s=!0,r=i,n=a;break}l=l.sibling}if(!s)throw Error(o(189))}}if(n.alternate!==r)throw Error(o(190))}if(3!==n.tag)throw Error(o(188));return n.stateNode.current===n?e:t}(e))?Ze(e):null}function Ze(e){if(5===e.tag||6===e.tag)return e;for(e=e.child;null!==e;){var t=Ze(e);if(null!==t)return t;e=e.sibling}return null}var Ve=a.unstable_scheduleCallback,We=a.unstable_cancelCallback,Ge=a.unstable_shouldYield,Xe=a.unstable_requestPaint,Ke=a.unstable_now,Ye=a.unstable_getCurrentPriorityLevel,Je=a.unstable_ImmediatePriority,et=a.unstable_UserBlockingPriority,tt=a.unstable_NormalPriority,nt=a.unstable_LowPriority,rt=a.unstable_IdlePriority,at=null,ot=null;var it=Math.clz32?Math.clz32:function(e){return e>>>=0,0===e?32:31-(st(e)/lt|0)|0},st=Math.log,lt=Math.LN2;var ct=64,ut=4194304;function dt(e){switch(e&-e){case 1:return 1;case 2:return 2;case 4:return 4;case 8:return 8;case 16:return 16;case 32:return 32;case 64:case 128:case 256:case 512:case 1024:case 2048:case 4096:case 8192:case 16384:case 32768:case 65536:case 131072:case 262144:case 524288:case 1048576:case 2097152:return 4194240&e;case 4194304:case 8388608:case 16777216:case 33554432:case 67108864:return 130023424&e;case 134217728:return 134217728;case 268435456:return 268435456;case 536870912:return 536870912;case 1073741824:return 1073741824;default:return e}}function pt(e,t){var n=e.pendingLanes;if(0===n)return 0;var r=0,a=e.suspendedLanes,o=e.pingedLanes,i=268435455&n;if(0!==i){var s=i&~a;0!==s?r=dt(s):0!==(o&=i)&&(r=dt(o))}else 0!==(i=n&~a)?r=dt(i):0!==o&&(r=dt(o));if(0===r)return 0;if(0!==t&&t!==r&&0==(t&a)&&((a=r&-r)>=(o=t&-t)||16===a&&0!=(4194240&o)))return t;if(0!=(4&r)&&(r|=16&n),0!==(t=e.entangledLanes))for(e=e.entanglements,t&=r;0<t;)a=1<<(n=31-it(t)),r|=e[n],t&=~a;return r}function ft(e,t){switch(e){case 1:case 2:case 4:return t+250;case 8:case 16:case 32:case 64:case 128:case 256:case 512:case 1024:case 2048:case 4096:case 8192:case 16384:case 32768:case 65536:case 131072:case 262144:case 524288:case 1048576:case 2097152:return t+5e3;default:return-1}}function ht(e){return 0!==(e=-1073741825&e.pendingLanes)?e:1073741824&e?1073741824:0}function mt(){var e=ct;return 0==(4194240&(ct<<=1))&&(ct=64),e}function gt(e){for(var t=[],n=0;31>n;n++)t.push(e);return t}function yt(e,t,n){e.pendingLanes|=t,536870912!==t&&(e.suspendedLanes=0,e.pingedLanes=0),(e=e.eventTimes)[t=31-it(t)]=n}function bt(e,t){var n=e.entangledLanes|=t;for(e=e.entanglements;n;){var r=31-it(n),a=1<<r;a&t|e[r]&t&&(e[r]|=t),n&=~a}}var vt=0;function wt(e){return 1<(e&=-e)?4<e?0!=(268435455&e)?16:536870912:4:1}var kt,xt,St,Et,_t,Ct=!1,Tt=[],Lt=null,jt=null,Rt=null,Pt=new Map,Nt=new Map,At=[],Ot="mousedown mouseup touchcancel touchend touchstart auxclick dblclick pointercancel pointerdown pointerup dragend dragstart drop compositionend compositionstart keydown keypress keyup input textInput copy cut paste click change contextmenu reset submit".split(" ");function It(e,t){switch(e){case"focusin":case"focusout":Lt=null;break;case"dragenter":case"dragleave":jt=null;break;case"mouseover":case"mouseout":Rt=null;break;case"pointerover":case"pointerout":Pt.delete(t.pointerId);break;case"gotpointercapture":case"lostpointercapture":Nt.delete(t.pointerId)}}function Dt(e,t,n,r,a,o){return null===e||e.nativeEvent!==o?(e={blockedOn:t,domEventName:n,eventSystemFlags:r,nativeEvent:o,targetContainers:[a]},null!==t&&(null!==(t=va(t))&&xt(t)),e):(e.eventSystemFlags|=r,t=e.targetContainers,null!==a&&-1===t.indexOf(a)&&t.push(a),e)}function Ft(e){var t=ba(e.target);if(null!==t){var n=Ue(t);if(null!==n)if(13===(t=n.tag)){if(null!==(t=qe(n)))return e.blockedOn=t,void _t(e.priority,(function(){St(n)}))}else if(3===t&&n.stateNode.current.memoizedState.isDehydrated)return void(e.blockedOn=3===n.tag?n.stateNode.containerInfo:null)}e.blockedOn=null}function Mt(e){if(null!==e.blockedOn)return!1;for(var t=e.targetContainers;0<t.length;){var n=Gt(e.domEventName,e.eventSystemFlags,t[0],e.nativeEvent);if(null!==n)return null!==(t=va(n))&&xt(t),e.blockedOn=n,!1;var r=new(n=e.nativeEvent).constructor(n.type,n);we=r,n.target.dispatchEvent(r),we=null,t.shift()}return!0}function Bt(e,t,n){Mt(e)&&n.delete(t)}function zt(){Ct=!1,null!==Lt&&Mt(Lt)&&(Lt=null),null!==jt&&Mt(jt)&&(jt=null),null!==Rt&&Mt(Rt)&&(Rt=null),Pt.forEach(Bt),Nt.forEach(Bt)}function $t(e,t){e.blockedOn===t&&(e.blockedOn=null,Ct||(Ct=!0,a.unstable_scheduleCallback(a.unstable_NormalPriority,zt)))}function Ut(e){function t(t){return $t(t,e)}if(0<Tt.length){$t(Tt[0],e);for(var n=1;n<Tt.length;n++){var r=Tt[n];r.blockedOn===e&&(r.blockedOn=null)}}for(null!==Lt&&$t(Lt,e),null!==jt&&$t(jt,e),null!==Rt&&$t(Rt,e),Pt.forEach(t),Nt.forEach(t),n=0;n<At.length;n++)(r=At[n]).blockedOn===e&&(r.blockedOn=null);for(;0<At.length&&null===(n=At[0]).blockedOn;)Ft(n),null===n.blockedOn&&At.shift()}var qt=w.ReactCurrentBatchConfig,Ht=!0;function Qt(e,t,n,r){var a=vt,o=qt.transition;qt.transition=null;try{vt=1,Vt(e,t,n,r)}finally{vt=a,qt.transition=o}}function Zt(e,t,n,r){var a=vt,o=qt.transition;qt.transition=null;try{vt=4,Vt(e,t,n,r)}finally{vt=a,qt.transition=o}}function Vt(e,t,n,r){if(Ht){var a=Gt(e,t,n,r);if(null===a)Hr(e,t,r,Wt,n),It(e,r);else if(function(e,t,n,r,a){switch(t){case"focusin":return Lt=Dt(Lt,e,t,n,r,a),!0;case"dragenter":return jt=Dt(jt,e,t,n,r,a),!0;case"mouseover":return Rt=Dt(Rt,e,t,n,r,a),!0;case"pointerover":var o=a.pointerId;return Pt.set(o,Dt(Pt.get(o)||null,e,t,n,r,a)),!0;case"gotpointercapture":return o=a.pointerId,Nt.set(o,Dt(Nt.get(o)||null,e,t,n,r,a)),!0}return!1}(a,e,t,n,r))r.stopPropagation();else if(It(e,r),4&t&&-1<Ot.indexOf(e)){for(;null!==a;){var o=va(a);if(null!==o&&kt(o),null===(o=Gt(e,t,n,r))&&Hr(e,t,r,Wt,n),o===a)break;a=o}null!==a&&r.stopPropagation()}else Hr(e,t,r,null,n)}}var Wt=null;function Gt(e,t,n,r){if(Wt=null,null!==(e=ba(e=ke(r))))if(null===(t=Ue(e)))e=null;else if(13===(n=t.tag)){if(null!==(e=qe(t)))return e;e=null}else if(3===n){if(t.stateNode.current.memoizedState.isDehydrated)return 3===t.tag?t.stateNode.containerInfo:null;e=null}else t!==e&&(e=null);return Wt=e,null}function Xt(e){switch(e){case"cancel":case"click":case"close":case"contextmenu":case"copy":case"cut":case"auxclick":case"dblclick":case"dragend":case"dragstart":case"drop":case"focusin":case"focusout":case"input":case"invalid":case"keydown":case"keypress":case"keyup":case"mousedown":case"mouseup":case"paste":case"pause":case"play":case"pointercancel":case"pointerdown":case"pointerup":case"ratechange":case"reset":case"resize":case"seeked":case"submit":case"touchcancel":case"touchend":case"touchstart":case"volumechange":case"change":case"selectionchange":case"textInput":case"compositionstart":case"compositionend":case"compositionupdate":case"beforeblur":case"afterblur":case"beforeinput":case"blur":case"fullscreenchange":case"focus":case"hashchange":case"popstate":case"select":case"selectstart":return 1;case"drag":case"dragenter":case"dragexit":case"dragleave":case"dragover":case"mousemove":case"mouseout":case"mouseover":case"pointermove":case"pointerout":case"pointerover":case"scroll":case"toggle":case"touchmove":case"wheel":case"mouseenter":case"mouseleave":case"pointerenter":case"pointerleave":return 4;case"message":switch(Ye()){case Je:return 1;case et:return 4;case tt:case nt:return 16;case rt:return 536870912;default:return 16}default:return 16}}var Kt=null,Yt=null,Jt=null;function en(){if(Jt)return Jt;var e,t,n=Yt,r=n.length,a="value"in Kt?Kt.value:Kt.textContent,o=a.length;for(e=0;e<r&&n[e]===a[e];e++);var i=r-e;for(t=1;t<=i&&n[r-t]===a[o-t];t++);return Jt=a.slice(e,1<t?1-t:void 0)}function tn(e){var t=e.keyCode;return"charCode"in e?0===(e=e.charCode)&&13===t&&(e=13):e=t,10===e&&(e=13),32<=e||13===e?e:0}function nn(){return!0}function rn(){return!1}function an(e){function t(t,n,r,a,o){for(var i in this._reactName=t,this._targetInst=r,this.type=n,this.nativeEvent=a,this.target=o,this.currentTarget=null,e)e.hasOwnProperty(i)&&(t=e[i],this[i]=t?t(a):a[i]);return this.isDefaultPrevented=(null!=a.defaultPrevented?a.defaultPrevented:!1===a.returnValue)?nn:rn,this.isPropagationStopped=rn,this}return F(t.prototype,{preventDefault:function(){this.defaultPrevented=!0;var e=this.nativeEvent;e&&(e.preventDefault?e.preventDefault():"unknown"!=typeof e.returnValue&&(e.returnValue=!1),this.isDefaultPrevented=nn)},stopPropagation:function(){var e=this.nativeEvent;e&&(e.stopPropagation?e.stopPropagation():"unknown"!=typeof e.cancelBubble&&(e.cancelBubble=!0),this.isPropagationStopped=nn)},persist:function(){},isPersistent:nn}),t}var on,sn,ln,cn={eventPhase:0,bubbles:0,cancelable:0,timeStamp:function(e){return e.timeStamp||Date.now()},defaultPrevented:0,isTrusted:0},un=an(cn),dn=F({},cn,{view:0,detail:0}),pn=an(dn),fn=F({},dn,{screenX:0,screenY:0,clientX:0,clientY:0,pageX:0,pageY:0,ctrlKey:0,shiftKey:0,altKey:0,metaKey:0,getModifierState:_n,button:0,buttons:0,relatedTarget:function(e){return void 0===e.relatedTarget?e.fromElement===e.srcElement?e.toElement:e.fromElement:e.relatedTarget},movementX:function(e){return"movementX"in e?e.movementX:(e!==ln&&(ln&&"mousemove"===e.type?(on=e.screenX-ln.screenX,sn=e.screenY-ln.screenY):sn=on=0,ln=e),on)},movementY:function(e){return"movementY"in e?e.movementY:sn}}),hn=an(fn),mn=an(F({},fn,{dataTransfer:0})),gn=an(F({},dn,{relatedTarget:0})),yn=an(F({},cn,{animationName:0,elapsedTime:0,pseudoElement:0})),bn=F({},cn,{clipboardData:function(e){return"clipboardData"in e?e.clipboardData:window.clipboardData}}),vn=an(bn),wn=an(F({},cn,{data:0})),kn={Esc:"Escape",Spacebar:" ",Left:"ArrowLeft",Up:"ArrowUp",Right:"ArrowRight",Down:"ArrowDown",Del:"Delete",Win:"OS",Menu:"ContextMenu",Apps:"ContextMenu",Scroll:"ScrollLock",MozPrintableKey:"Unidentified"},xn={8:"Backspace",9:"Tab",12:"Clear",13:"Enter",16:"Shift",17:"Control",18:"Alt",19:"Pause",20:"CapsLock",27:"Escape",32:" ",33:"PageUp",34:"PageDown",35:"End",36:"Home",37:"ArrowLeft",38:"ArrowUp",39:"ArrowRight",40:"ArrowDown",45:"Insert",46:"Delete",112:"F1",113:"F2",114:"F3",115:"F4",116:"F5",117:"F6",118:"F7",119:"F8",120:"F9",121:"F10",122:"F11",123:"F12",144:"NumLock",145:"ScrollLock",224:"Meta"},Sn={Alt:"altKey",Control:"ctrlKey",Meta:"metaKey",Shift:"shiftKey"};function En(e){var t=this.nativeEvent;return t.getModifierState?t.getModifierState(e):!!(e=Sn[e])&&!!t[e]}function _n(){return En}var Cn=F({},dn,{key:function(e){if(e.key){var t=kn[e.key]||e.key;if("Unidentified"!==t)return t}return"keypress"===e.type?13===(e=tn(e))?"Enter":String.fromCharCode(e):"keydown"===e.type||"keyup"===e.type?xn[e.keyCode]||"Unidentified":""},code:0,location:0,ctrlKey:0,shiftKey:0,altKey:0,metaKey:0,repeat:0,locale:0,getModifierState:_n,charCode:function(e){return"keypress"===e.type?tn(e):0},keyCode:function(e){return"keydown"===e.type||"keyup"===e.type?e.keyCode:0},which:function(e){return"keypress"===e.type?tn(e):"keydown"===e.type||"keyup"===e.type?e.keyCode:0}}),Tn=an(Cn),Ln=an(F({},fn,{pointerId:0,width:0,height:0,pressure:0,tangentialPressure:0,tiltX:0,tiltY:0,twist:0,pointerType:0,isPrimary:0})),jn=an(F({},dn,{touches:0,targetTouches:0,changedTouches:0,altKey:0,metaKey:0,ctrlKey:0,shiftKey:0,getModifierState:_n})),Rn=an(F({},cn,{propertyName:0,elapsedTime:0,pseudoElement:0})),Pn=F({},fn,{deltaX:function(e){return"deltaX"in e?e.deltaX:"wheelDeltaX"in e?-e.wheelDeltaX:0},deltaY:function(e){return"deltaY"in e?e.deltaY:"wheelDeltaY"in e?-e.wheelDeltaY:"wheelDelta"in e?-e.wheelDelta:0},deltaZ:0,deltaMode:0}),Nn=an(Pn),An=[9,13,27,32],On=u&&"CompositionEvent"in window,In=null;u&&"documentMode"in document&&(In=document.documentMode);var Dn=u&&"TextEvent"in window&&!In,Fn=u&&(!On||In&&8<In&&11>=In),Mn=String.fromCharCode(32),Bn=!1;function zn(e,t){switch(e){case"keyup":return-1!==An.indexOf(t.keyCode);case"keydown":return 229!==t.keyCode;case"keypress":case"mousedown":case"focusout":return!0;default:return!1}}function $n(e){return"object"==typeof(e=e.detail)&&"data"in e?e.data:null}var Un=!1;var qn={color:!0,date:!0,datetime:!0,"datetime-local":!0,email:!0,month:!0,number:!0,password:!0,range:!0,search:!0,tel:!0,text:!0,time:!0,url:!0,week:!0};function Hn(e){var t=e&&e.nodeName&&e.nodeName.toLowerCase();return"input"===t?!!qn[e.type]:"textarea"===t}function Qn(e,t,n,r){Ce(r),0<(t=Zr(t,"onChange")).length&&(n=new un("onChange","change",null,n,r),e.push({event:n,listeners:t}))}var Zn=null,Vn=null;function Wn(e){Mr(e,0)}function Gn(e){if(V(wa(e)))return e}function Xn(e,t){if("change"===e)return t}var Kn=!1;if(u){var Yn;if(u){var Jn="oninput"in document;if(!Jn){var er=document.createElement("div");er.setAttribute("oninput","return;"),Jn="function"==typeof er.oninput}Yn=Jn}else Yn=!1;Kn=Yn&&(!document.documentMode||9<document.documentMode)}function tr(){Zn&&(Zn.detachEvent("onpropertychange",nr),Vn=Zn=null)}function nr(e){if("value"===e.propertyName&&Gn(Vn)){var t=[];Qn(t,Vn,e,ke(e)),Pe(Wn,t)}}function rr(e,t,n){"focusin"===e?(tr(),Vn=n,(Zn=t).attachEvent("onpropertychange",nr)):"focusout"===e&&tr()}function ar(e){if("selectionchange"===e||"keyup"===e||"keydown"===e)return Gn(Vn)}function or(e,t){if("click"===e)return Gn(t)}function ir(e,t){if("input"===e||"change"===e)return Gn(t)}var sr="function"==typeof Object.is?Object.is:function(e,t){return e===t&&(0!==e||1/e==1/t)||e!=e&&t!=t};function lr(e,t){if(sr(e,t))return!0;if("object"!=typeof e||null===e||"object"!=typeof t||null===t)return!1;var n=Object.keys(e),r=Object.keys(t);if(n.length!==r.length)return!1;for(r=0;r<n.length;r++){var a=n[r];if(!d.call(t,a)||!sr(e[a],t[a]))return!1}return!0}function cr(e){for(;e&&e.firstChild;)e=e.firstChild;return e}function ur(e,t){var n,r=cr(e);for(e=0;r;){if(3===r.nodeType){if(n=e+r.textContent.length,e<=t&&n>=t)return{node:r,offset:t-e};e=n}e:{for(;r;){if(r.nextSibling){r=r.nextSibling;break e}r=r.parentNode}r=void 0}r=cr(r)}}function dr(e,t){return!(!e||!t)&&(e===t||(!e||3!==e.nodeType)&&(t&&3===t.nodeType?dr(e,t.parentNode):"contains"in e?e.contains(t):!!e.compareDocumentPosition&&!!(16&e.compareDocumentPosition(t))))}function pr(){for(var e=window,t=W();t instanceof e.HTMLIFrameElement;){try{var n="string"==typeof t.contentWindow.location.href}catch(r){n=!1}if(!n)break;t=W((e=t.contentWindow).document)}return t}function fr(e){var t=e&&e.nodeName&&e.nodeName.toLowerCase();return t&&("input"===t&&("text"===e.type||"search"===e.type||"tel"===e.type||"url"===e.type||"password"===e.type)||"textarea"===t||"true"===e.contentEditable)}function hr(e){var t=pr(),n=e.focusedElem,r=e.selectionRange;if(t!==n&&n&&n.ownerDocument&&dr(n.ownerDocument.documentElement,n)){if(null!==r&&fr(n))if(t=r.start,void 0===(e=r.end)&&(e=t),"selectionStart"in n)n.selectionStart=t,n.selectionEnd=Math.min(e,n.value.length);else if((e=(t=n.ownerDocument||document)&&t.defaultView||window).getSelection){e=e.getSelection();var a=n.textContent.length,o=Math.min(r.start,a);r=void 0===r.end?o:Math.min(r.end,a),!e.extend&&o>r&&(a=r,r=o,o=a),a=ur(n,o);var i=ur(n,r);a&&i&&(1!==e.rangeCount||e.anchorNode!==a.node||e.anchorOffset!==a.offset||e.focusNode!==i.node||e.focusOffset!==i.offset)&&((t=t.createRange()).setStart(a.node,a.offset),e.removeAllRanges(),o>r?(e.addRange(t),e.extend(i.node,i.offset)):(t.setEnd(i.node,i.offset),e.addRange(t)))}for(t=[],e=n;e=e.parentNode;)1===e.nodeType&&t.push({element:e,left:e.scrollLeft,top:e.scrollTop});for("function"==typeof n.focus&&n.focus(),n=0;n<t.length;n++)(e=t[n]).element.scrollLeft=e.left,e.element.scrollTop=e.top}}var mr=u&&"documentMode"in document&&11>=document.documentMode,gr=null,yr=null,br=null,vr=!1;function wr(e,t,n){var r=n.window===n?n.document:9===n.nodeType?n:n.ownerDocument;vr||null==gr||gr!==W(r)||("selectionStart"in(r=gr)&&fr(r)?r={start:r.selectionStart,end:r.selectionEnd}:r={anchorNode:(r=(r.ownerDocument&&r.ownerDocument.defaultView||window).getSelection()).anchorNode,anchorOffset:r.anchorOffset,focusNode:r.focusNode,focusOffset:r.focusOffset},br&&lr(br,r)||(br=r,0<(r=Zr(yr,"onSelect")).length&&(t=new un("onSelect","select",null,t,n),e.push({event:t,listeners:r}),t.target=gr)))}function kr(e,t){var n={};return n[e.toLowerCase()]=t.toLowerCase(),n["Webkit"+e]="webkit"+t,n["Moz"+e]="moz"+t,n}var xr={animationend:kr("Animation","AnimationEnd"),animationiteration:kr("Animation","AnimationIteration"),animationstart:kr("Animation","AnimationStart"),transitionend:kr("Transition","TransitionEnd")},Sr={},Er={};function _r(e){if(Sr[e])return Sr[e];if(!xr[e])return e;var t,n=xr[e];for(t in n)if(n.hasOwnProperty(t)&&t in Er)return Sr[e]=n[t];return e}u&&(Er=document.createElement("div").style,"AnimationEvent"in window||(delete xr.animationend.animation,delete xr.animationiteration.animation,delete xr.animationstart.animation),"TransitionEvent"in window||delete xr.transitionend.transition);var Cr=_r("animationend"),Tr=_r("animationiteration"),Lr=_r("animationstart"),jr=_r("transitionend"),Rr=new Map,Pr="abort auxClick cancel canPlay canPlayThrough click close contextMenu copy cut drag dragEnd dragEnter dragExit dragLeave dragOver dragStart drop durationChange emptied encrypted ended error gotPointerCapture input invalid keyDown keyPress keyUp load loadedData loadedMetadata loadStart lostPointerCapture mouseDown mouseMove mouseOut mouseOver mouseUp paste pause play playing pointerCancel pointerDown pointerMove pointerOut pointerOver pointerUp progress rateChange reset resize seeked seeking stalled submit suspend timeUpdate touchCancel touchEnd touchStart volumeChange scroll toggle touchMove waiting wheel".split(" ");function Nr(e,t){Rr.set(e,t),l(t,[e])}for(var Ar=0;Ar<Pr.length;Ar++){var Or=Pr[Ar];Nr(Or.toLowerCase(),"on"+(Or[0].toUpperCase()+Or.slice(1)))}Nr(Cr,"onAnimationEnd"),Nr(Tr,"onAnimationIteration"),Nr(Lr,"onAnimationStart"),Nr("dblclick","onDoubleClick"),Nr("focusin","onFocus"),Nr("focusout","onBlur"),Nr(jr,"onTransitionEnd"),c("onMouseEnter",["mouseout","mouseover"]),c("onMouseLeave",["mouseout","mouseover"]),c("onPointerEnter",["pointerout","pointerover"]),c("onPointerLeave",["pointerout","pointerover"]),l("onChange","change click focusin focusout input keydown keyup selectionchange".split(" ")),l("onSelect","focusout contextmenu dragend focusin keydown keyup mousedown mouseup selectionchange".split(" ")),l("onBeforeInput",["compositionend","keypress","textInput","paste"]),l("onCompositionEnd","compositionend focusout keydown keypress keyup mousedown".split(" ")),l("onCompositionStart","compositionstart focusout keydown keypress keyup mousedown".split(" ")),l("onCompositionUpdate","compositionupdate focusout keydown keypress keyup mousedown".split(" "));var Ir="abort canplay canplaythrough durationchange emptied encrypted ended error loadeddata loadedmetadata loadstart pause play playing progress ratechange resize seeked seeking stalled suspend timeupdate volumechange waiting".split(" "),Dr=new Set("cancel close invalid load scroll toggle".split(" ").concat(Ir));function Fr(e,t,n){var r=e.type||"unknown-event";e.currentTarget=n,function(e,t,n,r,a,i,s,l,c){if($e.apply(this,arguments),De){if(!De)throw Error(o(198));var u=Fe;De=!1,Fe=null,Me||(Me=!0,Be=u)}}(r,t,void 0,e),e.currentTarget=null}function Mr(e,t){t=0!=(4&t);for(var n=0;n<e.length;n++){var r=e[n],a=r.event;r=r.listeners;e:{var o=void 0;if(t)for(var i=r.length-1;0<=i;i--){var s=r[i],l=s.instance,c=s.currentTarget;if(s=s.listener,l!==o&&a.isPropagationStopped())break e;Fr(a,s,c),o=l}else for(i=0;i<r.length;i++){if(l=(s=r[i]).instance,c=s.currentTarget,s=s.listener,l!==o&&a.isPropagationStopped())break e;Fr(a,s,c),o=l}}}if(Me)throw e=Be,Me=!1,Be=null,e}function Br(e,t){var n=t[ma];void 0===n&&(n=t[ma]=new Set);var r=e+"__bubble";n.has(r)||(qr(t,e,2,!1),n.add(r))}function zr(e,t,n){var r=0;t&&(r|=4),qr(n,e,r,t)}var $r="_reactListening"+Math.random().toString(36).slice(2);function Ur(e){if(!e[$r]){e[$r]=!0,i.forEach((function(t){"selectionchange"!==t&&(Dr.has(t)||zr(t,!1,e),zr(t,!0,e))}));var t=9===e.nodeType?e:e.ownerDocument;null===t||t[$r]||(t[$r]=!0,zr("selectionchange",!1,t))}}function qr(e,t,n,r){switch(Xt(t)){case 1:var a=Qt;break;case 4:a=Zt;break;default:a=Vt}n=a.bind(null,t,n,e),a=void 0,!Ae||"touchstart"!==t&&"touchmove"!==t&&"wheel"!==t||(a=!0),r?void 0!==a?e.addEventListener(t,n,{capture:!0,passive:a}):e.addEventListener(t,n,!0):void 0!==a?e.addEventListener(t,n,{passive:a}):e.addEventListener(t,n,!1)}function Hr(e,t,n,r,a){var o=r;if(0==(1&t)&&0==(2&t)&&null!==r)e:for(;;){if(null===r)return;var i=r.tag;if(3===i||4===i){var s=r.stateNode.containerInfo;if(s===a||8===s.nodeType&&s.parentNode===a)break;if(4===i)for(i=r.return;null!==i;){var l=i.tag;if((3===l||4===l)&&((l=i.stateNode.containerInfo)===a||8===l.nodeType&&l.parentNode===a))return;i=i.return}for(;null!==s;){if(null===(i=ba(s)))return;if(5===(l=i.tag)||6===l){r=o=i;continue e}s=s.parentNode}}r=r.return}Pe((function(){var r=o,a=ke(n),i=[];e:{var s=Rr.get(e);if(void 0!==s){var l=un,c=e;switch(e){case"keypress":if(0===tn(n))break e;case"keydown":case"keyup":l=Tn;break;case"focusin":c="focus",l=gn;break;case"focusout":c="blur",l=gn;break;case"beforeblur":case"afterblur":l=gn;break;case"click":if(2===n.button)break e;case"auxclick":case"dblclick":case"mousedown":case"mousemove":case"mouseup":case"mouseout":case"mouseover":case"contextmenu":l=hn;break;case"drag":case"dragend":case"dragenter":case"dragexit":case"dragleave":case"dragover":case"dragstart":case"drop":l=mn;break;case"touchcancel":case"touchend":case"touchmove":case"touchstart":l=jn;break;case Cr:case Tr:case Lr:l=yn;break;case jr:l=Rn;break;case"scroll":l=pn;break;case"wheel":l=Nn;break;case"copy":case"cut":case"paste":l=vn;break;case"gotpointercapture":case"lostpointercapture":case"pointercancel":case"pointerdown":case"pointermove":case"pointerout":case"pointerover":case"pointerup":l=Ln}var u=0!=(4&t),d=!u&&"scroll"===e,p=u?null!==s?s+"Capture":null:s;u=[];for(var f,h=r;null!==h;){var m=(f=h).stateNode;if(5===f.tag&&null!==m&&(f=m,null!==p&&(null!=(m=Ne(h,p))&&u.push(Qr(h,m,f)))),d)break;h=h.return}0<u.length&&(s=new l(s,c,null,n,a),i.push({event:s,listeners:u}))}}if(0==(7&t)){if(l="mouseout"===e||"pointerout"===e,(!(s="mouseover"===e||"pointerover"===e)||n===we||!(c=n.relatedTarget||n.fromElement)||!ba(c)&&!c[ha])&&(l||s)&&(s=a.window===a?a:(s=a.ownerDocument)?s.defaultView||s.parentWindow:window,l?(l=r,null!==(c=(c=n.relatedTarget||n.toElement)?ba(c):null)&&(c!==(d=Ue(c))||5!==c.tag&&6!==c.tag)&&(c=null)):(l=null,c=r),l!==c)){if(u=hn,m="onMouseLeave",p="onMouseEnter",h="mouse","pointerout"!==e&&"pointerover"!==e||(u=Ln,m="onPointerLeave",p="onPointerEnter",h="pointer"),d=null==l?s:wa(l),f=null==c?s:wa(c),(s=new u(m,h+"leave",l,n,a)).target=d,s.relatedTarget=f,m=null,ba(a)===r&&((u=new u(p,h+"enter",c,n,a)).target=f,u.relatedTarget=d,m=u),d=m,l&&c)e:{for(p=c,h=0,f=u=l;f;f=Vr(f))h++;for(f=0,m=p;m;m=Vr(m))f++;for(;0<h-f;)u=Vr(u),h--;for(;0<f-h;)p=Vr(p),f--;for(;h--;){if(u===p||null!==p&&u===p.alternate)break e;u=Vr(u),p=Vr(p)}u=null}else u=null;null!==l&&Wr(i,s,l,u,!1),null!==c&&null!==d&&Wr(i,d,c,u,!0)}if("select"===(l=(s=r?wa(r):window).nodeName&&s.nodeName.toLowerCase())||"input"===l&&"file"===s.type)var g=Xn;else if(Hn(s))if(Kn)g=ir;else{g=ar;var y=rr}else(l=s.nodeName)&&"input"===l.toLowerCase()&&("checkbox"===s.type||"radio"===s.type)&&(g=or);switch(g&&(g=g(e,r))?Qn(i,g,n,a):(y&&y(e,s,r),"focusout"===e&&(y=s._wrapperState)&&y.controlled&&"number"===s.type&&ee(s,"number",s.value)),y=r?wa(r):window,e){case"focusin":(Hn(y)||"true"===y.contentEditable)&&(gr=y,yr=r,br=null);break;case"focusout":br=yr=gr=null;break;case"mousedown":vr=!0;break;case"contextmenu":case"mouseup":case"dragend":vr=!1,wr(i,n,a);break;case"selectionchange":if(mr)break;case"keydown":case"keyup":wr(i,n,a)}var b;if(On)e:{switch(e){case"compositionstart":var v="onCompositionStart";break e;case"compositionend":v="onCompositionEnd";break e;case"compositionupdate":v="onCompositionUpdate";break e}v=void 0}else Un?zn(e,n)&&(v="onCompositionEnd"):"keydown"===e&&229===n.keyCode&&(v="onCompositionStart");v&&(Fn&&"ko"!==n.locale&&(Un||"onCompositionStart"!==v?"onCompositionEnd"===v&&Un&&(b=en()):(Yt="value"in(Kt=a)?Kt.value:Kt.textContent,Un=!0)),0<(y=Zr(r,v)).length&&(v=new wn(v,e,null,n,a),i.push({event:v,listeners:y}),b?v.data=b:null!==(b=$n(n))&&(v.data=b))),(b=Dn?function(e,t){switch(e){case"compositionend":return $n(t);case"keypress":return 32!==t.which?null:(Bn=!0,Mn);case"textInput":return(e=t.data)===Mn&&Bn?null:e;default:return null}}(e,n):function(e,t){if(Un)return"compositionend"===e||!On&&zn(e,t)?(e=en(),Jt=Yt=Kt=null,Un=!1,e):null;switch(e){case"paste":default:return null;case"keypress":if(!(t.ctrlKey||t.altKey||t.metaKey)||t.ctrlKey&&t.altKey){if(t.char&&1<t.char.length)return t.char;if(t.which)return String.fromCharCode(t.which)}return null;case"compositionend":return Fn&&"ko"!==t.locale?null:t.data}}(e,n))&&(0<(r=Zr(r,"onBeforeInput")).length&&(a=new wn("onBeforeInput","beforeinput",null,n,a),i.push({event:a,listeners:r}),a.data=b))}Mr(i,t)}))}function Qr(e,t,n){return{instance:e,listener:t,currentTarget:n}}function Zr(e,t){for(var n=t+"Capture",r=[];null!==e;){var a=e,o=a.stateNode;5===a.tag&&null!==o&&(a=o,null!=(o=Ne(e,n))&&r.unshift(Qr(e,o,a)),null!=(o=Ne(e,t))&&r.push(Qr(e,o,a))),e=e.return}return r}function Vr(e){if(null===e)return null;do{e=e.return}while(e&&5!==e.tag);return e||null}function Wr(e,t,n,r,a){for(var o=t._reactName,i=[];null!==n&&n!==r;){var s=n,l=s.alternate,c=s.stateNode;if(null!==l&&l===r)break;5===s.tag&&null!==c&&(s=c,a?null!=(l=Ne(n,o))&&i.unshift(Qr(n,l,s)):a||null!=(l=Ne(n,o))&&i.push(Qr(n,l,s))),n=n.return}0!==i.length&&e.push({event:t,listeners:i})}var Gr=/\r\n?/g,Xr=/\u0000|\uFFFD/g;function Kr(e){return("string"==typeof e?e:""+e).replace(Gr,"\n").replace(Xr,"")}function Yr(e,t,n){if(t=Kr(t),Kr(e)!==t&&n)throw Error(o(425))}function Jr(){}var ea=null,ta=null;function na(e,t){return"textarea"===e||"noscript"===e||"string"==typeof t.children||"number"==typeof t.children||"object"==typeof t.dangerouslySetInnerHTML&&null!==t.dangerouslySetInnerHTML&&null!=t.dangerouslySetInnerHTML.__html}var ra="function"==typeof setTimeout?setTimeout:void 0,aa="function"==typeof clearTimeout?clearTimeout:void 0,oa="function"==typeof Promise?Promise:void 0,ia="function"==typeof queueMicrotask?queueMicrotask:void 0!==oa?function(e){return oa.resolve(null).then(e).catch(sa)}:ra;function sa(e){setTimeout((function(){throw e}))}function la(e,t){var n=t,r=0;do{var a=n.nextSibling;if(e.removeChild(n),a&&8===a.nodeType)if("/$"===(n=a.data)){if(0===r)return e.removeChild(a),void Ut(t);r--}else"$"!==n&&"$?"!==n&&"$!"!==n||r++;n=a}while(n);Ut(t)}function ca(e){for(;null!=e;e=e.nextSibling){var t=e.nodeType;if(1===t||3===t)break;if(8===t){if("$"===(t=e.data)||"$!"===t||"$?"===t)break;if("/$"===t)return null}}return e}function ua(e){e=e.previousSibling;for(var t=0;e;){if(8===e.nodeType){var n=e.data;if("$"===n||"$!"===n||"$?"===n){if(0===t)return e;t--}else"/$"===n&&t++}e=e.previousSibling}return null}var da=Math.random().toString(36).slice(2),pa="__reactFiber$"+da,fa="__reactProps$"+da,ha="__reactContainer$"+da,ma="__reactEvents$"+da,ga="__reactListeners$"+da,ya="__reactHandles$"+da;function ba(e){var t=e[pa];if(t)return t;for(var n=e.parentNode;n;){if(t=n[ha]||n[pa]){if(n=t.alternate,null!==t.child||null!==n&&null!==n.child)for(e=ua(e);null!==e;){if(n=e[pa])return n;e=ua(e)}return t}n=(e=n).parentNode}return null}function va(e){return!(e=e[pa]||e[ha])||5!==e.tag&&6!==e.tag&&13!==e.tag&&3!==e.tag?null:e}function wa(e){if(5===e.tag||6===e.tag)return e.stateNode;throw Error(o(33))}function ka(e){return e[fa]||null}var xa=[],Sa=-1;function Ea(e){return{current:e}}function _a(e){0>Sa||(e.current=xa[Sa],xa[Sa]=null,Sa--)}function Ca(e,t){Sa++,xa[Sa]=e.current,e.current=t}var Ta={},La=Ea(Ta),ja=Ea(!1),Ra=Ta;function Pa(e,t){var n=e.type.contextTypes;if(!n)return Ta;var r=e.stateNode;if(r&&r.__reactInternalMemoizedUnmaskedChildContext===t)return r.__reactInternalMemoizedMaskedChildContext;var a,o={};for(a in n)o[a]=t[a];return r&&((e=e.stateNode).__reactInternalMemoizedUnmaskedChildContext=t,e.__reactInternalMemoizedMaskedChildContext=o),o}function Na(e){return null!=(e=e.childContextTypes)}function Aa(){_a(ja),_a(La)}function Oa(e,t,n){if(La.current!==Ta)throw Error(o(168));Ca(La,t),Ca(ja,n)}function Ia(e,t,n){var r=e.stateNode;if(t=t.childContextTypes,"function"!=typeof r.getChildContext)return n;for(var a in r=r.getChildContext())if(!(a in t))throw Error(o(108,q(e)||"Unknown",a));return F({},n,r)}function Da(e){return e=(e=e.stateNode)&&e.__reactInternalMemoizedMergedChildContext||Ta,Ra=La.current,Ca(La,e),Ca(ja,ja.current),!0}function Fa(e,t,n){var r=e.stateNode;if(!r)throw Error(o(169));n?(e=Ia(e,t,Ra),r.__reactInternalMemoizedMergedChildContext=e,_a(ja),_a(La),Ca(La,e)):_a(ja),Ca(ja,n)}var Ma=null,Ba=!1,za=!1;function $a(e){null===Ma?Ma=[e]:Ma.push(e)}function Ua(){if(!za&&null!==Ma){za=!0;var e=0,t=vt;try{var n=Ma;for(vt=1;e<n.length;e++){var r=n[e];do{r=r(!0)}while(null!==r)}Ma=null,Ba=!1}catch(a){throw null!==Ma&&(Ma=Ma.slice(e+1)),Ve(Je,Ua),a}finally{vt=t,za=!1}}return null}var qa=[],Ha=0,Qa=null,Za=0,Va=[],Wa=0,Ga=null,Xa=1,Ka="";function Ya(e,t){qa[Ha++]=Za,qa[Ha++]=Qa,Qa=e,Za=t}function Ja(e,t,n){Va[Wa++]=Xa,Va[Wa++]=Ka,Va[Wa++]=Ga,Ga=e;var r=Xa;e=Ka;var a=32-it(r)-1;r&=~(1<<a),n+=1;var o=32-it(t)+a;if(30<o){var i=a-a%5;o=(r&(1<<i)-1).toString(32),r>>=i,a-=i,Xa=1<<32-it(t)+a|n<<a|r,Ka=o+e}else Xa=1<<o|n<<a|r,Ka=e}function eo(e){null!==e.return&&(Ya(e,1),Ja(e,1,0))}function to(e){for(;e===Qa;)Qa=qa[--Ha],qa[Ha]=null,Za=qa[--Ha],qa[Ha]=null;for(;e===Ga;)Ga=Va[--Wa],Va[Wa]=null,Ka=Va[--Wa],Va[Wa]=null,Xa=Va[--Wa],Va[Wa]=null}var no=null,ro=null,ao=!1,oo=null;function io(e,t){var n=Pc(5,null,null,0);n.elementType="DELETED",n.stateNode=t,n.return=e,null===(t=e.deletions)?(e.deletions=[n],e.flags|=16):t.push(n)}function so(e,t){switch(e.tag){case 5:var n=e.type;return null!==(t=1!==t.nodeType||n.toLowerCase()!==t.nodeName.toLowerCase()?null:t)&&(e.stateNode=t,no=e,ro=ca(t.firstChild),!0);case 6:return null!==(t=""===e.pendingProps||3!==t.nodeType?null:t)&&(e.stateNode=t,no=e,ro=null,!0);case 13:return null!==(t=8!==t.nodeType?null:t)&&(n=null!==Ga?{id:Xa,overflow:Ka}:null,e.memoizedState={dehydrated:t,treeContext:n,retryLane:1073741824},(n=Pc(18,null,null,0)).stateNode=t,n.return=e,e.child=n,no=e,ro=null,!0);default:return!1}}function lo(e){return 0!=(1&e.mode)&&0==(128&e.flags)}function co(e){if(ao){var t=ro;if(t){var n=t;if(!so(e,t)){if(lo(e))throw Error(o(418));t=ca(n.nextSibling);var r=no;t&&so(e,t)?io(r,n):(e.flags=-4097&e.flags|2,ao=!1,no=e)}}else{if(lo(e))throw Error(o(418));e.flags=-4097&e.flags|2,ao=!1,no=e}}}function uo(e){for(e=e.return;null!==e&&5!==e.tag&&3!==e.tag&&13!==e.tag;)e=e.return;no=e}function po(e){if(e!==no)return!1;if(!ao)return uo(e),ao=!0,!1;var t;if((t=3!==e.tag)&&!(t=5!==e.tag)&&(t="head"!==(t=e.type)&&"body"!==t&&!na(e.type,e.memoizedProps)),t&&(t=ro)){if(lo(e))throw fo(),Error(o(418));for(;t;)io(e,t),t=ca(t.nextSibling)}if(uo(e),13===e.tag){if(!(e=null!==(e=e.memoizedState)?e.dehydrated:null))throw Error(o(317));e:{for(e=e.nextSibling,t=0;e;){if(8===e.nodeType){var n=e.data;if("/$"===n){if(0===t){ro=ca(e.nextSibling);break e}t--}else"$"!==n&&"$!"!==n&&"$?"!==n||t++}e=e.nextSibling}ro=null}}else ro=no?ca(e.stateNode.nextSibling):null;return!0}function fo(){for(var e=ro;e;)e=ca(e.nextSibling)}function ho(){ro=no=null,ao=!1}function mo(e){null===oo?oo=[e]:oo.push(e)}var go=w.ReactCurrentBatchConfig;function yo(e,t,n){if(null!==(e=n.ref)&&"function"!=typeof e&&"object"!=typeof e){if(n._owner){if(n=n._owner){if(1!==n.tag)throw Error(o(309));var r=n.stateNode}if(!r)throw Error(o(147,e));var a=r,i=""+e;return null!==t&&null!==t.ref&&"function"==typeof t.ref&&t.ref._stringRef===i?t.ref:(t=function(e){var t=a.refs;null===e?delete t[i]:t[i]=e},t._stringRef=i,t)}if("string"!=typeof e)throw Error(o(284));if(!n._owner)throw Error(o(290,e))}return e}function bo(e,t){throw e=Object.prototype.toString.call(t),Error(o(31,"[object Object]"===e?"object with keys {"+Object.keys(t).join(", ")+"}":e))}function vo(e){return(0,e._init)(e._payload)}function wo(e){function t(t,n){if(e){var r=t.deletions;null===r?(t.deletions=[n],t.flags|=16):r.push(n)}}function n(n,r){if(!e)return null;for(;null!==r;)t(n,r),r=r.sibling;return null}function r(e,t){for(e=new Map;null!==t;)null!==t.key?e.set(t.key,t):e.set(t.index,t),t=t.sibling;return e}function a(e,t){return(e=Ac(e,t)).index=0,e.sibling=null,e}function i(t,n,r){return t.index=r,e?null!==(r=t.alternate)?(r=r.index)<n?(t.flags|=2,n):r:(t.flags|=2,n):(t.flags|=1048576,n)}function s(t){return e&&null===t.alternate&&(t.flags|=2),t}function l(e,t,n,r){return null===t||6!==t.tag?((t=Fc(n,e.mode,r)).return=e,t):((t=a(t,n)).return=e,t)}function c(e,t,n,r){var o=n.type;return o===S?d(e,t,n.props.children,r,n.key):null!==t&&(t.elementType===o||"object"==typeof o&&null!==o&&o.$$typeof===N&&vo(o)===t.type)?((r=a(t,n.props)).ref=yo(e,t,n),r.return=e,r):((r=Oc(n.type,n.key,n.props,null,e.mode,r)).ref=yo(e,t,n),r.return=e,r)}function u(e,t,n,r){return null===t||4!==t.tag||t.stateNode.containerInfo!==n.containerInfo||t.stateNode.implementation!==n.implementation?((t=Mc(n,e.mode,r)).return=e,t):((t=a(t,n.children||[])).return=e,t)}function d(e,t,n,r,o){return null===t||7!==t.tag?((t=Ic(n,e.mode,r,o)).return=e,t):((t=a(t,n)).return=e,t)}function p(e,t,n){if("string"==typeof t&&""!==t||"number"==typeof t)return(t=Fc(""+t,e.mode,n)).return=e,t;if("object"==typeof t&&null!==t){switch(t.$$typeof){case k:return(n=Oc(t.type,t.key,t.props,null,e.mode,n)).ref=yo(e,null,t),n.return=e,n;case x:return(t=Mc(t,e.mode,n)).return=e,t;case N:return p(e,(0,t._init)(t._payload),n)}if(te(t)||I(t))return(t=Ic(t,e.mode,n,null)).return=e,t;bo(e,t)}return null}function f(e,t,n,r){var a=null!==t?t.key:null;if("string"==typeof n&&""!==n||"number"==typeof n)return null!==a?null:l(e,t,""+n,r);if("object"==typeof n&&null!==n){switch(n.$$typeof){case k:return n.key===a?c(e,t,n,r):null;case x:return n.key===a?u(e,t,n,r):null;case N:return f(e,t,(a=n._init)(n._payload),r)}if(te(n)||I(n))return null!==a?null:d(e,t,n,r,null);bo(e,n)}return null}function h(e,t,n,r,a){if("string"==typeof r&&""!==r||"number"==typeof r)return l(t,e=e.get(n)||null,""+r,a);if("object"==typeof r&&null!==r){switch(r.$$typeof){case k:return c(t,e=e.get(null===r.key?n:r.key)||null,r,a);case x:return u(t,e=e.get(null===r.key?n:r.key)||null,r,a);case N:return h(e,t,n,(0,r._init)(r._payload),a)}if(te(r)||I(r))return d(t,e=e.get(n)||null,r,a,null);bo(t,r)}return null}function m(a,o,s,l){for(var c=null,u=null,d=o,m=o=0,g=null;null!==d&&m<s.length;m++){d.index>m?(g=d,d=null):g=d.sibling;var y=f(a,d,s[m],l);if(null===y){null===d&&(d=g);break}e&&d&&null===y.alternate&&t(a,d),o=i(y,o,m),null===u?c=y:u.sibling=y,u=y,d=g}if(m===s.length)return n(a,d),ao&&Ya(a,m),c;if(null===d){for(;m<s.length;m++)null!==(d=p(a,s[m],l))&&(o=i(d,o,m),null===u?c=d:u.sibling=d,u=d);return ao&&Ya(a,m),c}for(d=r(a,d);m<s.length;m++)null!==(g=h(d,a,m,s[m],l))&&(e&&null!==g.alternate&&d.delete(null===g.key?m:g.key),o=i(g,o,m),null===u?c=g:u.sibling=g,u=g);return e&&d.forEach((function(e){return t(a,e)})),ao&&Ya(a,m),c}function g(a,s,l,c){var u=I(l);if("function"!=typeof u)throw Error(o(150));if(null==(l=u.call(l)))throw Error(o(151));for(var d=u=null,m=s,g=s=0,y=null,b=l.next();null!==m&&!b.done;g++,b=l.next()){m.index>g?(y=m,m=null):y=m.sibling;var v=f(a,m,b.value,c);if(null===v){null===m&&(m=y);break}e&&m&&null===v.alternate&&t(a,m),s=i(v,s,g),null===d?u=v:d.sibling=v,d=v,m=y}if(b.done)return n(a,m),ao&&Ya(a,g),u;if(null===m){for(;!b.done;g++,b=l.next())null!==(b=p(a,b.value,c))&&(s=i(b,s,g),null===d?u=b:d.sibling=b,d=b);return ao&&Ya(a,g),u}for(m=r(a,m);!b.done;g++,b=l.next())null!==(b=h(m,a,g,b.value,c))&&(e&&null!==b.alternate&&m.delete(null===b.key?g:b.key),s=i(b,s,g),null===d?u=b:d.sibling=b,d=b);return e&&m.forEach((function(e){return t(a,e)})),ao&&Ya(a,g),u}return function e(r,o,i,l){if("object"==typeof i&&null!==i&&i.type===S&&null===i.key&&(i=i.props.children),"object"==typeof i&&null!==i){switch(i.$$typeof){case k:e:{for(var c=i.key,u=o;null!==u;){if(u.key===c){if((c=i.type)===S){if(7===u.tag){n(r,u.sibling),(o=a(u,i.props.children)).return=r,r=o;break e}}else if(u.elementType===c||"object"==typeof c&&null!==c&&c.$$typeof===N&&vo(c)===u.type){n(r,u.sibling),(o=a(u,i.props)).ref=yo(r,u,i),o.return=r,r=o;break e}n(r,u);break}t(r,u),u=u.sibling}i.type===S?((o=Ic(i.props.children,r.mode,l,i.key)).return=r,r=o):((l=Oc(i.type,i.key,i.props,null,r.mode,l)).ref=yo(r,o,i),l.return=r,r=l)}return s(r);case x:e:{for(u=i.key;null!==o;){if(o.key===u){if(4===o.tag&&o.stateNode.containerInfo===i.containerInfo&&o.stateNode.implementation===i.implementation){n(r,o.sibling),(o=a(o,i.children||[])).return=r,r=o;break e}n(r,o);break}t(r,o),o=o.sibling}(o=Mc(i,r.mode,l)).return=r,r=o}return s(r);case N:return e(r,o,(u=i._init)(i._payload),l)}if(te(i))return m(r,o,i,l);if(I(i))return g(r,o,i,l);bo(r,i)}return"string"==typeof i&&""!==i||"number"==typeof i?(i=""+i,null!==o&&6===o.tag?(n(r,o.sibling),(o=a(o,i)).return=r,r=o):(n(r,o),(o=Fc(i,r.mode,l)).return=r,r=o),s(r)):n(r,o)}}var ko=wo(!0),xo=wo(!1),So=Ea(null),Eo=null,_o=null,Co=null;function To(){Co=_o=Eo=null}function Lo(e){var t=So.current;_a(So),e._currentValue=t}function jo(e,t,n){for(;null!==e;){var r=e.alternate;if((e.childLanes&t)!==t?(e.childLanes|=t,null!==r&&(r.childLanes|=t)):null!==r&&(r.childLanes&t)!==t&&(r.childLanes|=t),e===n)break;e=e.return}}function Ro(e,t){Eo=e,Co=_o=null,null!==(e=e.dependencies)&&null!==e.firstContext&&(0!=(e.lanes&t)&&(vs=!0),e.firstContext=null)}function Po(e){var t=e._currentValue;if(Co!==e)if(e={context:e,memoizedValue:t,next:null},null===_o){if(null===Eo)throw Error(o(308));_o=e,Eo.dependencies={lanes:0,firstContext:e}}else _o=_o.next=e;return t}var No=null;function Ao(e){null===No?No=[e]:No.push(e)}function Oo(e,t,n,r){var a=t.interleaved;return null===a?(n.next=n,Ao(t)):(n.next=a.next,a.next=n),t.interleaved=n,Io(e,r)}function Io(e,t){e.lanes|=t;var n=e.alternate;for(null!==n&&(n.lanes|=t),n=e,e=e.return;null!==e;)e.childLanes|=t,null!==(n=e.alternate)&&(n.childLanes|=t),n=e,e=e.return;return 3===n.tag?n.stateNode:null}var Do=!1;function Fo(e){e.updateQueue={baseState:e.memoizedState,firstBaseUpdate:null,lastBaseUpdate:null,shared:{pending:null,interleaved:null,lanes:0},effects:null}}function Mo(e,t){e=e.updateQueue,t.updateQueue===e&&(t.updateQueue={baseState:e.baseState,firstBaseUpdate:e.firstBaseUpdate,lastBaseUpdate:e.lastBaseUpdate,shared:e.shared,effects:e.effects})}function Bo(e,t){return{eventTime:e,lane:t,tag:0,payload:null,callback:null,next:null}}function zo(e,t,n){var r=e.updateQueue;if(null===r)return null;if(r=r.shared,0!=(2&Ll)){var a=r.pending;return null===a?t.next=t:(t.next=a.next,a.next=t),r.pending=t,Io(e,n)}return null===(a=r.interleaved)?(t.next=t,Ao(r)):(t.next=a.next,a.next=t),r.interleaved=t,Io(e,n)}function $o(e,t,n){if(null!==(t=t.updateQueue)&&(t=t.shared,0!=(4194240&n))){var r=t.lanes;n|=r&=e.pendingLanes,t.lanes=n,bt(e,n)}}function Uo(e,t){var n=e.updateQueue,r=e.alternate;if(null!==r&&n===(r=r.updateQueue)){var a=null,o=null;if(null!==(n=n.firstBaseUpdate)){do{var i={eventTime:n.eventTime,lane:n.lane,tag:n.tag,payload:n.payload,callback:n.callback,next:null};null===o?a=o=i:o=o.next=i,n=n.next}while(null!==n);null===o?a=o=t:o=o.next=t}else a=o=t;return n={baseState:r.baseState,firstBaseUpdate:a,lastBaseUpdate:o,shared:r.shared,effects:r.effects},void(e.updateQueue=n)}null===(e=n.lastBaseUpdate)?n.firstBaseUpdate=t:e.next=t,n.lastBaseUpdate=t}function qo(e,t,n,r){var a=e.updateQueue;Do=!1;var o=a.firstBaseUpdate,i=a.lastBaseUpdate,s=a.shared.pending;if(null!==s){a.shared.pending=null;var l=s,c=l.next;l.next=null,null===i?o=c:i.next=c,i=l;var u=e.alternate;null!==u&&((s=(u=u.updateQueue).lastBaseUpdate)!==i&&(null===s?u.firstBaseUpdate=c:s.next=c,u.lastBaseUpdate=l))}if(null!==o){var d=a.baseState;for(i=0,u=c=l=null,s=o;;){var p=s.lane,f=s.eventTime;if((r&p)===p){null!==u&&(u=u.next={eventTime:f,lane:0,tag:s.tag,payload:s.payload,callback:s.callback,next:null});e:{var h=e,m=s;switch(p=t,f=n,m.tag){case 1:if("function"==typeof(h=m.payload)){d=h.call(f,d,p);break e}d=h;break e;case 3:h.flags=-65537&h.flags|128;case 0:if(null==(p="function"==typeof(h=m.payload)?h.call(f,d,p):h))break e;d=F({},d,p);break e;case 2:Do=!0}}null!==s.callback&&0!==s.lane&&(e.flags|=64,null===(p=a.effects)?a.effects=[s]:p.push(s))}else f={eventTime:f,lane:p,tag:s.tag,payload:s.payload,callback:s.callback,next:null},null===u?(c=u=f,l=d):u=u.next=f,i|=p;if(null===(s=s.next)){if(null===(s=a.shared.pending))break;s=(p=s).next,p.next=null,a.lastBaseUpdate=p,a.shared.pending=null}}if(null===u&&(l=d),a.baseState=l,a.firstBaseUpdate=c,a.lastBaseUpdate=u,null!==(t=a.shared.interleaved)){a=t;do{i|=a.lane,a=a.next}while(a!==t)}else null===o&&(a.shared.lanes=0);Dl|=i,e.lanes=i,e.memoizedState=d}}function Ho(e,t,n){if(e=t.effects,t.effects=null,null!==e)for(t=0;t<e.length;t++){var r=e[t],a=r.callback;if(null!==a){if(r.callback=null,r=n,"function"!=typeof a)throw Error(o(191,a));a.call(r)}}}var Qo={},Zo=Ea(Qo),Vo=Ea(Qo),Wo=Ea(Qo);function Go(e){if(e===Qo)throw Error(o(174));return e}function Xo(e,t){switch(Ca(Wo,t),Ca(Vo,e),Ca(Zo,Qo),e=t.nodeType){case 9:case 11:t=(t=t.documentElement)?t.namespaceURI:le(null,"");break;default:t=le(t=(e=8===e?t.parentNode:t).namespaceURI||null,e=e.tagName)}_a(Zo),Ca(Zo,t)}function Ko(){_a(Zo),_a(Vo),_a(Wo)}function Yo(e){Go(Wo.current);var t=Go(Zo.current),n=le(t,e.type);t!==n&&(Ca(Vo,e),Ca(Zo,n))}function Jo(e){Vo.current===e&&(_a(Zo),_a(Vo))}var ei=Ea(0);function ti(e){for(var t=e;null!==t;){if(13===t.tag){var n=t.memoizedState;if(null!==n&&(null===(n=n.dehydrated)||"$?"===n.data||"$!"===n.data))return t}else if(19===t.tag&&void 0!==t.memoizedProps.revealOrder){if(0!=(128&t.flags))return t}else if(null!==t.child){t.child.return=t,t=t.child;continue}if(t===e)break;for(;null===t.sibling;){if(null===t.return||t.return===e)return null;t=t.return}t.sibling.return=t.return,t=t.sibling}return null}var ni=[];function ri(){for(var e=0;e<ni.length;e++)ni[e]._workInProgressVersionPrimary=null;ni.length=0}var ai=w.ReactCurrentDispatcher,oi=w.ReactCurrentBatchConfig,ii=0,si=null,li=null,ci=null,ui=!1,di=!1,pi=0,fi=0;function hi(){throw Error(o(321))}function mi(e,t){if(null===t)return!1;for(var n=0;n<t.length&&n<e.length;n++)if(!sr(e[n],t[n]))return!1;return!0}function gi(e,t,n,r,a,i){if(ii=i,si=t,t.memoizedState=null,t.updateQueue=null,t.lanes=0,ai.current=null===e||null===e.memoizedState?Ji:es,e=n(r,a),di){i=0;do{if(di=!1,pi=0,25<=i)throw Error(o(301));i+=1,ci=li=null,t.updateQueue=null,ai.current=ts,e=n(r,a)}while(di)}if(ai.current=Yi,t=null!==li&&null!==li.next,ii=0,ci=li=si=null,ui=!1,t)throw Error(o(300));return e}function yi(){var e=0!==pi;return pi=0,e}function bi(){var e={memoizedState:null,baseState:null,baseQueue:null,queue:null,next:null};return null===ci?si.memoizedState=ci=e:ci=ci.next=e,ci}function vi(){if(null===li){var e=si.alternate;e=null!==e?e.memoizedState:null}else e=li.next;var t=null===ci?si.memoizedState:ci.next;if(null!==t)ci=t,li=e;else{if(null===e)throw Error(o(310));e={memoizedState:(li=e).memoizedState,baseState:li.baseState,baseQueue:li.baseQueue,queue:li.queue,next:null},null===ci?si.memoizedState=ci=e:ci=ci.next=e}return ci}function wi(e,t){return"function"==typeof t?t(e):t}function ki(e){var t=vi(),n=t.queue;if(null===n)throw Error(o(311));n.lastRenderedReducer=e;var r=li,a=r.baseQueue,i=n.pending;if(null!==i){if(null!==a){var s=a.next;a.next=i.next,i.next=s}r.baseQueue=a=i,n.pending=null}if(null!==a){i=a.next,r=r.baseState;var l=s=null,c=null,u=i;do{var d=u.lane;if((ii&d)===d)null!==c&&(c=c.next={lane:0,action:u.action,hasEagerState:u.hasEagerState,eagerState:u.eagerState,next:null}),r=u.hasEagerState?u.eagerState:e(r,u.action);else{var p={lane:d,action:u.action,hasEagerState:u.hasEagerState,eagerState:u.eagerState,next:null};null===c?(l=c=p,s=r):c=c.next=p,si.lanes|=d,Dl|=d}u=u.next}while(null!==u&&u!==i);null===c?s=r:c.next=l,sr(r,t.memoizedState)||(vs=!0),t.memoizedState=r,t.baseState=s,t.baseQueue=c,n.lastRenderedState=r}if(null!==(e=n.interleaved)){a=e;do{i=a.lane,si.lanes|=i,Dl|=i,a=a.next}while(a!==e)}else null===a&&(n.lanes=0);return[t.memoizedState,n.dispatch]}function xi(e){var t=vi(),n=t.queue;if(null===n)throw Error(o(311));n.lastRenderedReducer=e;var r=n.dispatch,a=n.pending,i=t.memoizedState;if(null!==a){n.pending=null;var s=a=a.next;do{i=e(i,s.action),s=s.next}while(s!==a);sr(i,t.memoizedState)||(vs=!0),t.memoizedState=i,null===t.baseQueue&&(t.baseState=i),n.lastRenderedState=i}return[i,r]}function Si(){}function Ei(e,t){var n=si,r=vi(),a=t(),i=!sr(r.memoizedState,a);if(i&&(r.memoizedState=a,vs=!0),r=r.queue,Di(Ti.bind(null,n,r,e),[e]),r.getSnapshot!==t||i||null!==ci&&1&ci.memoizedState.tag){if(n.flags|=2048,Pi(9,Ci.bind(null,n,r,a,t),void 0,null),null===jl)throw Error(o(349));0!=(30&ii)||_i(n,t,a)}return a}function _i(e,t,n){e.flags|=16384,e={getSnapshot:t,value:n},null===(t=si.updateQueue)?(t={lastEffect:null,stores:null},si.updateQueue=t,t.stores=[e]):null===(n=t.stores)?t.stores=[e]:n.push(e)}function Ci(e,t,n,r){t.value=n,t.getSnapshot=r,Li(t)&&ji(e)}function Ti(e,t,n){return n((function(){Li(t)&&ji(e)}))}function Li(e){var t=e.getSnapshot;e=e.value;try{var n=t();return!sr(e,n)}catch(r){return!0}}function ji(e){var t=Io(e,1);null!==t&&nc(t,e,1,-1)}function Ri(e){var t=bi();return"function"==typeof e&&(e=e()),t.memoizedState=t.baseState=e,e={pending:null,interleaved:null,lanes:0,dispatch:null,lastRenderedReducer:wi,lastRenderedState:e},t.queue=e,e=e.dispatch=Wi.bind(null,si,e),[t.memoizedState,e]}function Pi(e,t,n,r){return e={tag:e,create:t,destroy:n,deps:r,next:null},null===(t=si.updateQueue)?(t={lastEffect:null,stores:null},si.updateQueue=t,t.lastEffect=e.next=e):null===(n=t.lastEffect)?t.lastEffect=e.next=e:(r=n.next,n.next=e,e.next=r,t.lastEffect=e),e}function Ni(){return vi().memoizedState}function Ai(e,t,n,r){var a=bi();si.flags|=e,a.memoizedState=Pi(1|t,n,void 0,void 0===r?null:r)}function Oi(e,t,n,r){var a=vi();r=void 0===r?null:r;var o=void 0;if(null!==li){var i=li.memoizedState;if(o=i.destroy,null!==r&&mi(r,i.deps))return void(a.memoizedState=Pi(t,n,o,r))}si.flags|=e,a.memoizedState=Pi(1|t,n,o,r)}function Ii(e,t){return Ai(8390656,8,e,t)}function Di(e,t){return Oi(2048,8,e,t)}function Fi(e,t){return Oi(4,2,e,t)}function Mi(e,t){return Oi(4,4,e,t)}function Bi(e,t){return"function"==typeof t?(e=e(),t(e),function(){t(null)}):null!=t?(e=e(),t.current=e,function(){t.current=null}):void 0}function zi(e,t,n){return n=null!=n?n.concat([e]):null,Oi(4,4,Bi.bind(null,t,e),n)}function $i(){}function Ui(e,t){var n=vi();t=void 0===t?null:t;var r=n.memoizedState;return null!==r&&null!==t&&mi(t,r[1])?r[0]:(n.memoizedState=[e,t],e)}function qi(e,t){var n=vi();t=void 0===t?null:t;var r=n.memoizedState;return null!==r&&null!==t&&mi(t,r[1])?r[0]:(e=e(),n.memoizedState=[e,t],e)}function Hi(e,t,n){return 0==(21&ii)?(e.baseState&&(e.baseState=!1,vs=!0),e.memoizedState=n):(sr(n,t)||(n=mt(),si.lanes|=n,Dl|=n,e.baseState=!0),t)}function Qi(e,t){var n=vt;vt=0!==n&&4>n?n:4,e(!0);var r=oi.transition;oi.transition={};try{e(!1),t()}finally{vt=n,oi.transition=r}}function Zi(){return vi().memoizedState}function Vi(e,t,n){var r=tc(e);if(n={lane:r,action:n,hasEagerState:!1,eagerState:null,next:null},Gi(e))Xi(t,n);else if(null!==(n=Oo(e,t,n,r))){nc(n,e,r,ec()),Ki(n,t,r)}}function Wi(e,t,n){var r=tc(e),a={lane:r,action:n,hasEagerState:!1,eagerState:null,next:null};if(Gi(e))Xi(t,a);else{var o=e.alternate;if(0===e.lanes&&(null===o||0===o.lanes)&&null!==(o=t.lastRenderedReducer))try{var i=t.lastRenderedState,s=o(i,n);if(a.hasEagerState=!0,a.eagerState=s,sr(s,i)){var l=t.interleaved;return null===l?(a.next=a,Ao(t)):(a.next=l.next,l.next=a),void(t.interleaved=a)}}catch(c){}null!==(n=Oo(e,t,a,r))&&(nc(n,e,r,a=ec()),Ki(n,t,r))}}function Gi(e){var t=e.alternate;return e===si||null!==t&&t===si}function Xi(e,t){di=ui=!0;var n=e.pending;null===n?t.next=t:(t.next=n.next,n.next=t),e.pending=t}function Ki(e,t,n){if(0!=(4194240&n)){var r=t.lanes;n|=r&=e.pendingLanes,t.lanes=n,bt(e,n)}}var Yi={readContext:Po,useCallback:hi,useContext:hi,useEffect:hi,useImperativeHandle:hi,useInsertionEffect:hi,useLayoutEffect:hi,useMemo:hi,useReducer:hi,useRef:hi,useState:hi,useDebugValue:hi,useDeferredValue:hi,useTransition:hi,useMutableSource:hi,useSyncExternalStore:hi,useId:hi,unstable_isNewReconciler:!1},Ji={readContext:Po,useCallback:function(e,t){return bi().memoizedState=[e,void 0===t?null:t],e},useContext:Po,useEffect:Ii,useImperativeHandle:function(e,t,n){return n=null!=n?n.concat([e]):null,Ai(4194308,4,Bi.bind(null,t,e),n)},useLayoutEffect:function(e,t){return Ai(4194308,4,e,t)},useInsertionEffect:function(e,t){return Ai(4,2,e,t)},useMemo:function(e,t){var n=bi();return t=void 0===t?null:t,e=e(),n.memoizedState=[e,t],e},useReducer:function(e,t,n){var r=bi();return t=void 0!==n?n(t):t,r.memoizedState=r.baseState=t,e={pending:null,interleaved:null,lanes:0,dispatch:null,lastRenderedReducer:e,lastRenderedState:t},r.queue=e,e=e.dispatch=Vi.bind(null,si,e),[r.memoizedState,e]},useRef:function(e){return e={current:e},bi().memoizedState=e},useState:Ri,useDebugValue:$i,useDeferredValue:function(e){return bi().memoizedState=e},useTransition:function(){var e=Ri(!1),t=e[0];return e=Qi.bind(null,e[1]),bi().memoizedState=e,[t,e]},useMutableSource:function(){},useSyncExternalStore:function(e,t,n){var r=si,a=bi();if(ao){if(void 0===n)throw Error(o(407));n=n()}else{if(n=t(),null===jl)throw Error(o(349));0!=(30&ii)||_i(r,t,n)}a.memoizedState=n;var i={value:n,getSnapshot:t};return a.queue=i,Ii(Ti.bind(null,r,i,e),[e]),r.flags|=2048,Pi(9,Ci.bind(null,r,i,n,t),void 0,null),n},useId:function(){var e=bi(),t=jl.identifierPrefix;if(ao){var n=Ka;t=":"+t+"R"+(n=(Xa&~(1<<32-it(Xa)-1)).toString(32)+n),0<(n=pi++)&&(t+="H"+n.toString(32)),t+=":"}else t=":"+t+"r"+(n=fi++).toString(32)+":";return e.memoizedState=t},unstable_isNewReconciler:!1},es={readContext:Po,useCallback:Ui,useContext:Po,useEffect:Di,useImperativeHandle:zi,useInsertionEffect:Fi,useLayoutEffect:Mi,useMemo:qi,useReducer:ki,useRef:Ni,useState:function(){return ki(wi)},useDebugValue:$i,useDeferredValue:function(e){return Hi(vi(),li.memoizedState,e)},useTransition:function(){return[ki(wi)[0],vi().memoizedState]},useMutableSource:Si,useSyncExternalStore:Ei,useId:Zi,unstable_isNewReconciler:!1},ts={readContext:Po,useCallback:Ui,useContext:Po,useEffect:Di,useImperativeHandle:zi,useInsertionEffect:Fi,useLayoutEffect:Mi,useMemo:qi,useReducer:xi,useRef:Ni,useState:function(){return xi(wi)},useDebugValue:$i,useDeferredValue:function(e){var t=vi();return null===li?t.memoizedState=e:Hi(t,li.memoizedState,e)},useTransition:function(){return[xi(wi)[0],vi().memoizedState]},useMutableSource:Si,useSyncExternalStore:Ei,useId:Zi,unstable_isNewReconciler:!1};function ns(e,t){if(e&&e.defaultProps){for(var n in t=F({},t),e=e.defaultProps)void 0===t[n]&&(t[n]=e[n]);return t}return t}function rs(e,t,n,r){n=null==(n=n(r,t=e.memoizedState))?t:F({},t,n),e.memoizedState=n,0===e.lanes&&(e.updateQueue.baseState=n)}var as={isMounted:function(e){return!!(e=e._reactInternals)&&Ue(e)===e},enqueueSetState:function(e,t,n){e=e._reactInternals;var r=ec(),a=tc(e),o=Bo(r,a);o.payload=t,null!=n&&(o.callback=n),null!==(t=zo(e,o,a))&&(nc(t,e,a,r),$o(t,e,a))},enqueueReplaceState:function(e,t,n){e=e._reactInternals;var r=ec(),a=tc(e),o=Bo(r,a);o.tag=1,o.payload=t,null!=n&&(o.callback=n),null!==(t=zo(e,o,a))&&(nc(t,e,a,r),$o(t,e,a))},enqueueForceUpdate:function(e,t){e=e._reactInternals;var n=ec(),r=tc(e),a=Bo(n,r);a.tag=2,null!=t&&(a.callback=t),null!==(t=zo(e,a,r))&&(nc(t,e,r,n),$o(t,e,r))}};function os(e,t,n,r,a,o,i){return"function"==typeof(e=e.stateNode).shouldComponentUpdate?e.shouldComponentUpdate(r,o,i):!t.prototype||!t.prototype.isPureReactComponent||(!lr(n,r)||!lr(a,o))}function is(e,t,n){var r=!1,a=Ta,o=t.contextType;return"object"==typeof o&&null!==o?o=Po(o):(a=Na(t)?Ra:La.current,o=(r=null!=(r=t.contextTypes))?Pa(e,a):Ta),t=new t(n,o),e.memoizedState=null!==t.state&&void 0!==t.state?t.state:null,t.updater=as,e.stateNode=t,t._reactInternals=e,r&&((e=e.stateNode).__reactInternalMemoizedUnmaskedChildContext=a,e.__reactInternalMemoizedMaskedChildContext=o),t}function ss(e,t,n,r){e=t.state,"function"==typeof t.componentWillReceiveProps&&t.componentWillReceiveProps(n,r),"function"==typeof t.UNSAFE_componentWillReceiveProps&&t.UNSAFE_componentWillReceiveProps(n,r),t.state!==e&&as.enqueueReplaceState(t,t.state,null)}function ls(e,t,n,r){var a=e.stateNode;a.props=n,a.state=e.memoizedState,a.refs={},Fo(e);var o=t.contextType;"object"==typeof o&&null!==o?a.context=Po(o):(o=Na(t)?Ra:La.current,a.context=Pa(e,o)),a.state=e.memoizedState,"function"==typeof(o=t.getDerivedStateFromProps)&&(rs(e,t,o,n),a.state=e.memoizedState),"function"==typeof t.getDerivedStateFromProps||"function"==typeof a.getSnapshotBeforeUpdate||"function"!=typeof a.UNSAFE_componentWillMount&&"function"!=typeof a.componentWillMount||(t=a.state,"function"==typeof a.componentWillMount&&a.componentWillMount(),"function"==typeof a.UNSAFE_componentWillMount&&a.UNSAFE_componentWillMount(),t!==a.state&&as.enqueueReplaceState(a,a.state,null),qo(e,n,a,r),a.state=e.memoizedState),"function"==typeof a.componentDidMount&&(e.flags|=4194308)}function cs(e,t){try{var n="",r=t;do{n+=$(r),r=r.return}while(r);var a=n}catch(o){a="\nError generating stack: "+o.message+"\n"+o.stack}return{value:e,source:t,stack:a,digest:null}}function us(e,t,n){return{value:e,source:null,stack:null!=n?n:null,digest:null!=t?t:null}}function ds(e,t){try{console.error(t.value)}catch(n){setTimeout((function(){throw n}))}}var ps="function"==typeof WeakMap?WeakMap:Map;function fs(e,t,n){(n=Bo(-1,n)).tag=3,n.payload={element:null};var r=t.value;return n.callback=function(){Hl||(Hl=!0,Ql=r),ds(0,t)},n}function hs(e,t,n){(n=Bo(-1,n)).tag=3;var r=e.type.getDerivedStateFromError;if("function"==typeof r){var a=t.value;n.payload=function(){return r(a)},n.callback=function(){ds(0,t)}}var o=e.stateNode;return null!==o&&"function"==typeof o.componentDidCatch&&(n.callback=function(){ds(0,t),"function"!=typeof r&&(null===Zl?Zl=new Set([this]):Zl.add(this));var e=t.stack;this.componentDidCatch(t.value,{componentStack:null!==e?e:""})}),n}function ms(e,t,n){var r=e.pingCache;if(null===r){r=e.pingCache=new ps;var a=new Set;r.set(t,a)}else void 0===(a=r.get(t))&&(a=new Set,r.set(t,a));a.has(n)||(a.add(n),e=_c.bind(null,e,t,n),t.then(e,e))}function gs(e){do{var t;if((t=13===e.tag)&&(t=null===(t=e.memoizedState)||null!==t.dehydrated),t)return e;e=e.return}while(null!==e);return null}function ys(e,t,n,r,a){return 0==(1&e.mode)?(e===t?e.flags|=65536:(e.flags|=128,n.flags|=131072,n.flags&=-52805,1===n.tag&&(null===n.alternate?n.tag=17:((t=Bo(-1,1)).tag=2,zo(n,t,1))),n.lanes|=1),e):(e.flags|=65536,e.lanes=a,e)}var bs=w.ReactCurrentOwner,vs=!1;function ws(e,t,n,r){t.child=null===e?xo(t,null,n,r):ko(t,e.child,n,r)}function ks(e,t,n,r,a){n=n.render;var o=t.ref;return Ro(t,a),r=gi(e,t,n,r,o,a),n=yi(),null===e||vs?(ao&&n&&eo(t),t.flags|=1,ws(e,t,r,a),t.child):(t.updateQueue=e.updateQueue,t.flags&=-2053,e.lanes&=~a,Hs(e,t,a))}function xs(e,t,n,r,a){if(null===e){var o=n.type;return"function"!=typeof o||Nc(o)||void 0!==o.defaultProps||null!==n.compare||void 0!==n.defaultProps?((e=Oc(n.type,null,r,t,t.mode,a)).ref=t.ref,e.return=t,t.child=e):(t.tag=15,t.type=o,Ss(e,t,o,r,a))}if(o=e.child,0==(e.lanes&a)){var i=o.memoizedProps;if((n=null!==(n=n.compare)?n:lr)(i,r)&&e.ref===t.ref)return Hs(e,t,a)}return t.flags|=1,(e=Ac(o,r)).ref=t.ref,e.return=t,t.child=e}function Ss(e,t,n,r,a){if(null!==e){var o=e.memoizedProps;if(lr(o,r)&&e.ref===t.ref){if(vs=!1,t.pendingProps=r=o,0==(e.lanes&a))return t.lanes=e.lanes,Hs(e,t,a);0!=(131072&e.flags)&&(vs=!0)}}return Cs(e,t,n,r,a)}function Es(e,t,n){var r=t.pendingProps,a=r.children,o=null!==e?e.memoizedState:null;if("hidden"===r.mode)if(0==(1&t.mode))t.memoizedState={baseLanes:0,cachePool:null,transitions:null},Ca(Al,Nl),Nl|=n;else{if(0==(1073741824&n))return e=null!==o?o.baseLanes|n:n,t.lanes=t.childLanes=1073741824,t.memoizedState={baseLanes:e,cachePool:null,transitions:null},t.updateQueue=null,Ca(Al,Nl),Nl|=e,null;t.memoizedState={baseLanes:0,cachePool:null,transitions:null},r=null!==o?o.baseLanes:n,Ca(Al,Nl),Nl|=r}else null!==o?(r=o.baseLanes|n,t.memoizedState=null):r=n,Ca(Al,Nl),Nl|=r;return ws(e,t,a,n),t.child}function _s(e,t){var n=t.ref;(null===e&&null!==n||null!==e&&e.ref!==n)&&(t.flags|=512,t.flags|=2097152)}function Cs(e,t,n,r,a){var o=Na(n)?Ra:La.current;return o=Pa(t,o),Ro(t,a),n=gi(e,t,n,r,o,a),r=yi(),null===e||vs?(ao&&r&&eo(t),t.flags|=1,ws(e,t,n,a),t.child):(t.updateQueue=e.updateQueue,t.flags&=-2053,e.lanes&=~a,Hs(e,t,a))}function Ts(e,t,n,r,a){if(Na(n)){var o=!0;Da(t)}else o=!1;if(Ro(t,a),null===t.stateNode)qs(e,t),is(t,n,r),ls(t,n,r,a),r=!0;else if(null===e){var i=t.stateNode,s=t.memoizedProps;i.props=s;var l=i.context,c=n.contextType;"object"==typeof c&&null!==c?c=Po(c):c=Pa(t,c=Na(n)?Ra:La.current);var u=n.getDerivedStateFromProps,d="function"==typeof u||"function"==typeof i.getSnapshotBeforeUpdate;d||"function"!=typeof i.UNSAFE_componentWillReceiveProps&&"function"!=typeof i.componentWillReceiveProps||(s!==r||l!==c)&&ss(t,i,r,c),Do=!1;var p=t.memoizedState;i.state=p,qo(t,r,i,a),l=t.memoizedState,s!==r||p!==l||ja.current||Do?("function"==typeof u&&(rs(t,n,u,r),l=t.memoizedState),(s=Do||os(t,n,s,r,p,l,c))?(d||"function"!=typeof i.UNSAFE_componentWillMount&&"function"!=typeof i.componentWillMount||("function"==typeof i.componentWillMount&&i.componentWillMount(),"function"==typeof i.UNSAFE_componentWillMount&&i.UNSAFE_componentWillMount()),"function"==typeof i.componentDidMount&&(t.flags|=4194308)):("function"==typeof i.componentDidMount&&(t.flags|=4194308),t.memoizedProps=r,t.memoizedState=l),i.props=r,i.state=l,i.context=c,r=s):("function"==typeof i.componentDidMount&&(t.flags|=4194308),r=!1)}else{i=t.stateNode,Mo(e,t),s=t.memoizedProps,c=t.type===t.elementType?s:ns(t.type,s),i.props=c,d=t.pendingProps,p=i.context,"object"==typeof(l=n.contextType)&&null!==l?l=Po(l):l=Pa(t,l=Na(n)?Ra:La.current);var f=n.getDerivedStateFromProps;(u="function"==typeof f||"function"==typeof i.getSnapshotBeforeUpdate)||"function"!=typeof i.UNSAFE_componentWillReceiveProps&&"function"!=typeof i.componentWillReceiveProps||(s!==d||p!==l)&&ss(t,i,r,l),Do=!1,p=t.memoizedState,i.state=p,qo(t,r,i,a);var h=t.memoizedState;s!==d||p!==h||ja.current||Do?("function"==typeof f&&(rs(t,n,f,r),h=t.memoizedState),(c=Do||os(t,n,c,r,p,h,l)||!1)?(u||"function"!=typeof i.UNSAFE_componentWillUpdate&&"function"!=typeof i.componentWillUpdate||("function"==typeof i.componentWillUpdate&&i.componentWillUpdate(r,h,l),"function"==typeof i.UNSAFE_componentWillUpdate&&i.UNSAFE_componentWillUpdate(r,h,l)),"function"==typeof i.componentDidUpdate&&(t.flags|=4),"function"==typeof i.getSnapshotBeforeUpdate&&(t.flags|=1024)):("function"!=typeof i.componentDidUpdate||s===e.memoizedProps&&p===e.memoizedState||(t.flags|=4),"function"!=typeof i.getSnapshotBeforeUpdate||s===e.memoizedProps&&p===e.memoizedState||(t.flags|=1024),t.memoizedProps=r,t.memoizedState=h),i.props=r,i.state=h,i.context=l,r=c):("function"!=typeof i.componentDidUpdate||s===e.memoizedProps&&p===e.memoizedState||(t.flags|=4),"function"!=typeof i.getSnapshotBeforeUpdate||s===e.memoizedProps&&p===e.memoizedState||(t.flags|=1024),r=!1)}return Ls(e,t,n,r,o,a)}function Ls(e,t,n,r,a,o){_s(e,t);var i=0!=(128&t.flags);if(!r&&!i)return a&&Fa(t,n,!1),Hs(e,t,o);r=t.stateNode,bs.current=t;var s=i&&"function"!=typeof n.getDerivedStateFromError?null:r.render();return t.flags|=1,null!==e&&i?(t.child=ko(t,e.child,null,o),t.child=ko(t,null,s,o)):ws(e,t,s,o),t.memoizedState=r.state,a&&Fa(t,n,!0),t.child}function js(e){var t=e.stateNode;t.pendingContext?Oa(0,t.pendingContext,t.pendingContext!==t.context):t.context&&Oa(0,t.context,!1),Xo(e,t.containerInfo)}function Rs(e,t,n,r,a){return ho(),mo(a),t.flags|=256,ws(e,t,n,r),t.child}var Ps,Ns,As,Os,Is={dehydrated:null,treeContext:null,retryLane:0};function Ds(e){return{baseLanes:e,cachePool:null,transitions:null}}function Fs(e,t,n){var r,a=t.pendingProps,i=ei.current,s=!1,l=0!=(128&t.flags);if((r=l)||(r=(null===e||null!==e.memoizedState)&&0!=(2&i)),r?(s=!0,t.flags&=-129):null!==e&&null===e.memoizedState||(i|=1),Ca(ei,1&i),null===e)return co(t),null!==(e=t.memoizedState)&&null!==(e=e.dehydrated)?(0==(1&t.mode)?t.lanes=1:"$!"===e.data?t.lanes=8:t.lanes=1073741824,null):(l=a.children,e=a.fallback,s?(a=t.mode,s=t.child,l={mode:"hidden",children:l},0==(1&a)&&null!==s?(s.childLanes=0,s.pendingProps=l):s=Dc(l,a,0,null),e=Ic(e,a,n,null),s.return=t,e.return=t,s.sibling=e,t.child=s,t.child.memoizedState=Ds(n),t.memoizedState=Is,e):Ms(t,l));if(null!==(i=e.memoizedState)&&null!==(r=i.dehydrated))return function(e,t,n,r,a,i,s){if(n)return 256&t.flags?(t.flags&=-257,Bs(e,t,s,r=us(Error(o(422))))):null!==t.memoizedState?(t.child=e.child,t.flags|=128,null):(i=r.fallback,a=t.mode,r=Dc({mode:"visible",children:r.children},a,0,null),(i=Ic(i,a,s,null)).flags|=2,r.return=t,i.return=t,r.sibling=i,t.child=r,0!=(1&t.mode)&&ko(t,e.child,null,s),t.child.memoizedState=Ds(s),t.memoizedState=Is,i);if(0==(1&t.mode))return Bs(e,t,s,null);if("$!"===a.data){if(r=a.nextSibling&&a.nextSibling.dataset)var l=r.dgst;return r=l,Bs(e,t,s,r=us(i=Error(o(419)),r,void 0))}if(l=0!=(s&e.childLanes),vs||l){if(null!==(r=jl)){switch(s&-s){case 4:a=2;break;case 16:a=8;break;case 64:case 128:case 256:case 512:case 1024:case 2048:case 4096:case 8192:case 16384:case 32768:case 65536:case 131072:case 262144:case 524288:case 1048576:case 2097152:case 4194304:case 8388608:case 16777216:case 33554432:case 67108864:a=32;break;case 536870912:a=268435456;break;default:a=0}0!==(a=0!=(a&(r.suspendedLanes|s))?0:a)&&a!==i.retryLane&&(i.retryLane=a,Io(e,a),nc(r,e,a,-1))}return mc(),Bs(e,t,s,r=us(Error(o(421))))}return"$?"===a.data?(t.flags|=128,t.child=e.child,t=Tc.bind(null,e),a._reactRetry=t,null):(e=i.treeContext,ro=ca(a.nextSibling),no=t,ao=!0,oo=null,null!==e&&(Va[Wa++]=Xa,Va[Wa++]=Ka,Va[Wa++]=Ga,Xa=e.id,Ka=e.overflow,Ga=t),t=Ms(t,r.children),t.flags|=4096,t)}(e,t,l,a,r,i,n);if(s){s=a.fallback,l=t.mode,r=(i=e.child).sibling;var c={mode:"hidden",children:a.children};return 0==(1&l)&&t.child!==i?((a=t.child).childLanes=0,a.pendingProps=c,t.deletions=null):(a=Ac(i,c)).subtreeFlags=14680064&i.subtreeFlags,null!==r?s=Ac(r,s):(s=Ic(s,l,n,null)).flags|=2,s.return=t,a.return=t,a.sibling=s,t.child=a,a=s,s=t.child,l=null===(l=e.child.memoizedState)?Ds(n):{baseLanes:l.baseLanes|n,cachePool:null,transitions:l.transitions},s.memoizedState=l,s.childLanes=e.childLanes&~n,t.memoizedState=Is,a}return e=(s=e.child).sibling,a=Ac(s,{mode:"visible",children:a.children}),0==(1&t.mode)&&(a.lanes=n),a.return=t,a.sibling=null,null!==e&&(null===(n=t.deletions)?(t.deletions=[e],t.flags|=16):n.push(e)),t.child=a,t.memoizedState=null,a}function Ms(e,t){return(t=Dc({mode:"visible",children:t},e.mode,0,null)).return=e,e.child=t}function Bs(e,t,n,r){return null!==r&&mo(r),ko(t,e.child,null,n),(e=Ms(t,t.pendingProps.children)).flags|=2,t.memoizedState=null,e}function zs(e,t,n){e.lanes|=t;var r=e.alternate;null!==r&&(r.lanes|=t),jo(e.return,t,n)}function $s(e,t,n,r,a){var o=e.memoizedState;null===o?e.memoizedState={isBackwards:t,rendering:null,renderingStartTime:0,last:r,tail:n,tailMode:a}:(o.isBackwards=t,o.rendering=null,o.renderingStartTime=0,o.last=r,o.tail=n,o.tailMode=a)}function Us(e,t,n){var r=t.pendingProps,a=r.revealOrder,o=r.tail;if(ws(e,t,r.children,n),0!=(2&(r=ei.current)))r=1&r|2,t.flags|=128;else{if(null!==e&&0!=(128&e.flags))e:for(e=t.child;null!==e;){if(13===e.tag)null!==e.memoizedState&&zs(e,n,t);else if(19===e.tag)zs(e,n,t);else if(null!==e.child){e.child.return=e,e=e.child;continue}if(e===t)break e;for(;null===e.sibling;){if(null===e.return||e.return===t)break e;e=e.return}e.sibling.return=e.return,e=e.sibling}r&=1}if(Ca(ei,r),0==(1&t.mode))t.memoizedState=null;else switch(a){case"forwards":for(n=t.child,a=null;null!==n;)null!==(e=n.alternate)&&null===ti(e)&&(a=n),n=n.sibling;null===(n=a)?(a=t.child,t.child=null):(a=n.sibling,n.sibling=null),$s(t,!1,a,n,o);break;case"backwards":for(n=null,a=t.child,t.child=null;null!==a;){if(null!==(e=a.alternate)&&null===ti(e)){t.child=a;break}e=a.sibling,a.sibling=n,n=a,a=e}$s(t,!0,n,null,o);break;case"together":$s(t,!1,null,null,void 0);break;default:t.memoizedState=null}return t.child}function qs(e,t){0==(1&t.mode)&&null!==e&&(e.alternate=null,t.alternate=null,t.flags|=2)}function Hs(e,t,n){if(null!==e&&(t.dependencies=e.dependencies),Dl|=t.lanes,0==(n&t.childLanes))return null;if(null!==e&&t.child!==e.child)throw Error(o(153));if(null!==t.child){for(n=Ac(e=t.child,e.pendingProps),t.child=n,n.return=t;null!==e.sibling;)e=e.sibling,(n=n.sibling=Ac(e,e.pendingProps)).return=t;n.sibling=null}return t.child}function Qs(e,t){if(!ao)switch(e.tailMode){case"hidden":t=e.tail;for(var n=null;null!==t;)null!==t.alternate&&(n=t),t=t.sibling;null===n?e.tail=null:n.sibling=null;break;case"collapsed":n=e.tail;for(var r=null;null!==n;)null!==n.alternate&&(r=n),n=n.sibling;null===r?t||null===e.tail?e.tail=null:e.tail.sibling=null:r.sibling=null}}function Zs(e){var t=null!==e.alternate&&e.alternate.child===e.child,n=0,r=0;if(t)for(var a=e.child;null!==a;)n|=a.lanes|a.childLanes,r|=14680064&a.subtreeFlags,r|=14680064&a.flags,a.return=e,a=a.sibling;else for(a=e.child;null!==a;)n|=a.lanes|a.childLanes,r|=a.subtreeFlags,r|=a.flags,a.return=e,a=a.sibling;return e.subtreeFlags|=r,e.childLanes=n,t}function Vs(e,t,n){var r=t.pendingProps;switch(to(t),t.tag){case 2:case 16:case 15:case 0:case 11:case 7:case 8:case 12:case 9:case 14:return Zs(t),null;case 1:case 17:return Na(t.type)&&Aa(),Zs(t),null;case 3:return r=t.stateNode,Ko(),_a(ja),_a(La),ri(),r.pendingContext&&(r.context=r.pendingContext,r.pendingContext=null),null!==e&&null!==e.child||(po(t)?t.flags|=4:null===e||e.memoizedState.isDehydrated&&0==(256&t.flags)||(t.flags|=1024,null!==oo&&(ic(oo),oo=null))),Ns(e,t),Zs(t),null;case 5:Jo(t);var a=Go(Wo.current);if(n=t.type,null!==e&&null!=t.stateNode)As(e,t,n,r,a),e.ref!==t.ref&&(t.flags|=512,t.flags|=2097152);else{if(!r){if(null===t.stateNode)throw Error(o(166));return Zs(t),null}if(e=Go(Zo.current),po(t)){r=t.stateNode,n=t.type;var i=t.memoizedProps;switch(r[pa]=t,r[fa]=i,e=0!=(1&t.mode),n){case"dialog":Br("cancel",r),Br("close",r);break;case"iframe":case"object":case"embed":Br("load",r);break;case"video":case"audio":for(a=0;a<Ir.length;a++)Br(Ir[a],r);break;case"source":Br("error",r);break;case"img":case"image":case"link":Br("error",r),Br("load",r);break;case"details":Br("toggle",r);break;case"input":X(r,i),Br("invalid",r);break;case"select":r._wrapperState={wasMultiple:!!i.multiple},Br("invalid",r);break;case"textarea":ae(r,i),Br("invalid",r)}for(var l in be(n,i),a=null,i)if(i.hasOwnProperty(l)){var c=i[l];"children"===l?"string"==typeof c?r.textContent!==c&&(!0!==i.suppressHydrationWarning&&Yr(r.textContent,c,e),a=["children",c]):"number"==typeof c&&r.textContent!==""+c&&(!0!==i.suppressHydrationWarning&&Yr(r.textContent,c,e),a=["children",""+c]):s.hasOwnProperty(l)&&null!=c&&"onScroll"===l&&Br("scroll",r)}switch(n){case"input":Z(r),J(r,i,!0);break;case"textarea":Z(r),ie(r);break;case"select":case"option":break;default:"function"==typeof i.onClick&&(r.onclick=Jr)}r=a,t.updateQueue=r,null!==r&&(t.flags|=4)}else{l=9===a.nodeType?a:a.ownerDocument,"http://www.w3.org/1999/xhtml"===e&&(e=se(n)),"http://www.w3.org/1999/xhtml"===e?"script"===n?((e=l.createElement("div")).innerHTML="<script><\/script>",e=e.removeChild(e.firstChild)):"string"==typeof r.is?e=l.createElement(n,{is:r.is}):(e=l.createElement(n),"select"===n&&(l=e,r.multiple?l.multiple=!0:r.size&&(l.size=r.size))):e=l.createElementNS(e,n),e[pa]=t,e[fa]=r,Ps(e,t,!1,!1),t.stateNode=e;e:{switch(l=ve(n,r),n){case"dialog":Br("cancel",e),Br("close",e),a=r;break;case"iframe":case"object":case"embed":Br("load",e),a=r;break;case"video":case"audio":for(a=0;a<Ir.length;a++)Br(Ir[a],e);a=r;break;case"source":Br("error",e),a=r;break;case"img":case"image":case"link":Br("error",e),Br("load",e),a=r;break;case"details":Br("toggle",e),a=r;break;case"input":X(e,r),a=G(e,r),Br("invalid",e);break;case"option":default:a=r;break;case"select":e._wrapperState={wasMultiple:!!r.multiple},a=F({},r,{value:void 0}),Br("invalid",e);break;case"textarea":ae(e,r),a=re(e,r),Br("invalid",e)}for(i in be(n,a),c=a)if(c.hasOwnProperty(i)){var u=c[i];"style"===i?ge(e,u):"dangerouslySetInnerHTML"===i?null!=(u=u?u.__html:void 0)&&de(e,u):"children"===i?"string"==typeof u?("textarea"!==n||""!==u)&&pe(e,u):"number"==typeof u&&pe(e,""+u):"suppressContentEditableWarning"!==i&&"suppressHydrationWarning"!==i&&"autoFocus"!==i&&(s.hasOwnProperty(i)?null!=u&&"onScroll"===i&&Br("scroll",e):null!=u&&v(e,i,u,l))}switch(n){case"input":Z(e),J(e,r,!1);break;case"textarea":Z(e),ie(e);break;case"option":null!=r.value&&e.setAttribute("value",""+H(r.value));break;case"select":e.multiple=!!r.multiple,null!=(i=r.value)?ne(e,!!r.multiple,i,!1):null!=r.defaultValue&&ne(e,!!r.multiple,r.defaultValue,!0);break;default:"function"==typeof a.onClick&&(e.onclick=Jr)}switch(n){case"button":case"input":case"select":case"textarea":r=!!r.autoFocus;break e;case"img":r=!0;break e;default:r=!1}}r&&(t.flags|=4)}null!==t.ref&&(t.flags|=512,t.flags|=2097152)}return Zs(t),null;case 6:if(e&&null!=t.stateNode)Os(e,t,e.memoizedProps,r);else{if("string"!=typeof r&&null===t.stateNode)throw Error(o(166));if(n=Go(Wo.current),Go(Zo.current),po(t)){if(r=t.stateNode,n=t.memoizedProps,r[pa]=t,(i=r.nodeValue!==n)&&null!==(e=no))switch(e.tag){case 3:Yr(r.nodeValue,n,0!=(1&e.mode));break;case 5:!0!==e.memoizedProps.suppressHydrationWarning&&Yr(r.nodeValue,n,0!=(1&e.mode))}i&&(t.flags|=4)}else(r=(9===n.nodeType?n:n.ownerDocument).createTextNode(r))[pa]=t,t.stateNode=r}return Zs(t),null;case 13:if(_a(ei),r=t.memoizedState,null===e||null!==e.memoizedState&&null!==e.memoizedState.dehydrated){if(ao&&null!==ro&&0!=(1&t.mode)&&0==(128&t.flags))fo(),ho(),t.flags|=98560,i=!1;else if(i=po(t),null!==r&&null!==r.dehydrated){if(null===e){if(!i)throw Error(o(318));if(!(i=null!==(i=t.memoizedState)?i.dehydrated:null))throw Error(o(317));i[pa]=t}else ho(),0==(128&t.flags)&&(t.memoizedState=null),t.flags|=4;Zs(t),i=!1}else null!==oo&&(ic(oo),oo=null),i=!0;if(!i)return 65536&t.flags?t:null}return 0!=(128&t.flags)?(t.lanes=n,t):((r=null!==r)!==(null!==e&&null!==e.memoizedState)&&r&&(t.child.flags|=8192,0!=(1&t.mode)&&(null===e||0!=(1&ei.current)?0===Ol&&(Ol=3):mc())),null!==t.updateQueue&&(t.flags|=4),Zs(t),null);case 4:return Ko(),Ns(e,t),null===e&&Ur(t.stateNode.containerInfo),Zs(t),null;case 10:return Lo(t.type._context),Zs(t),null;case 19:if(_a(ei),null===(i=t.memoizedState))return Zs(t),null;if(r=0!=(128&t.flags),null===(l=i.rendering))if(r)Qs(i,!1);else{if(0!==Ol||null!==e&&0!=(128&e.flags))for(e=t.child;null!==e;){if(null!==(l=ti(e))){for(t.flags|=128,Qs(i,!1),null!==(r=l.updateQueue)&&(t.updateQueue=r,t.flags|=4),t.subtreeFlags=0,r=n,n=t.child;null!==n;)e=r,(i=n).flags&=14680066,null===(l=i.alternate)?(i.childLanes=0,i.lanes=e,i.child=null,i.subtreeFlags=0,i.memoizedProps=null,i.memoizedState=null,i.updateQueue=null,i.dependencies=null,i.stateNode=null):(i.childLanes=l.childLanes,i.lanes=l.lanes,i.child=l.child,i.subtreeFlags=0,i.deletions=null,i.memoizedProps=l.memoizedProps,i.memoizedState=l.memoizedState,i.updateQueue=l.updateQueue,i.type=l.type,e=l.dependencies,i.dependencies=null===e?null:{lanes:e.lanes,firstContext:e.firstContext}),n=n.sibling;return Ca(ei,1&ei.current|2),t.child}e=e.sibling}null!==i.tail&&Ke()>Ul&&(t.flags|=128,r=!0,Qs(i,!1),t.lanes=4194304)}else{if(!r)if(null!==(e=ti(l))){if(t.flags|=128,r=!0,null!==(n=e.updateQueue)&&(t.updateQueue=n,t.flags|=4),Qs(i,!0),null===i.tail&&"hidden"===i.tailMode&&!l.alternate&&!ao)return Zs(t),null}else 2*Ke()-i.renderingStartTime>Ul&&1073741824!==n&&(t.flags|=128,r=!0,Qs(i,!1),t.lanes=4194304);i.isBackwards?(l.sibling=t.child,t.child=l):(null!==(n=i.last)?n.sibling=l:t.child=l,i.last=l)}return null!==i.tail?(t=i.tail,i.rendering=t,i.tail=t.sibling,i.renderingStartTime=Ke(),t.sibling=null,n=ei.current,Ca(ei,r?1&n|2:1&n),t):(Zs(t),null);case 22:case 23:return dc(),r=null!==t.memoizedState,null!==e&&null!==e.memoizedState!==r&&(t.flags|=8192),r&&0!=(1&t.mode)?0!=(1073741824&Nl)&&(Zs(t),6&t.subtreeFlags&&(t.flags|=8192)):Zs(t),null;case 24:case 25:return null}throw Error(o(156,t.tag))}function Ws(e,t){switch(to(t),t.tag){case 1:return Na(t.type)&&Aa(),65536&(e=t.flags)?(t.flags=-65537&e|128,t):null;case 3:return Ko(),_a(ja),_a(La),ri(),0!=(65536&(e=t.flags))&&0==(128&e)?(t.flags=-65537&e|128,t):null;case 5:return Jo(t),null;case 13:if(_a(ei),null!==(e=t.memoizedState)&&null!==e.dehydrated){if(null===t.alternate)throw Error(o(340));ho()}return 65536&(e=t.flags)?(t.flags=-65537&e|128,t):null;case 19:return _a(ei),null;case 4:return Ko(),null;case 10:return Lo(t.type._context),null;case 22:case 23:return dc(),null;default:return null}}Ps=function(e,t){for(var n=t.child;null!==n;){if(5===n.tag||6===n.tag)e.appendChild(n.stateNode);else if(4!==n.tag&&null!==n.child){n.child.return=n,n=n.child;continue}if(n===t)break;for(;null===n.sibling;){if(null===n.return||n.return===t)return;n=n.return}n.sibling.return=n.return,n=n.sibling}},Ns=function(){},As=function(e,t,n,r){var a=e.memoizedProps;if(a!==r){e=t.stateNode,Go(Zo.current);var o,i=null;switch(n){case"input":a=G(e,a),r=G(e,r),i=[];break;case"select":a=F({},a,{value:void 0}),r=F({},r,{value:void 0}),i=[];break;case"textarea":a=re(e,a),r=re(e,r),i=[];break;default:"function"!=typeof a.onClick&&"function"==typeof r.onClick&&(e.onclick=Jr)}for(u in be(n,r),n=null,a)if(!r.hasOwnProperty(u)&&a.hasOwnProperty(u)&&null!=a[u])if("style"===u){var l=a[u];for(o in l)l.hasOwnProperty(o)&&(n||(n={}),n[o]="")}else"dangerouslySetInnerHTML"!==u&&"children"!==u&&"suppressContentEditableWarning"!==u&&"suppressHydrationWarning"!==u&&"autoFocus"!==u&&(s.hasOwnProperty(u)?i||(i=[]):(i=i||[]).push(u,null));for(u in r){var c=r[u];if(l=null!=a?a[u]:void 0,r.hasOwnProperty(u)&&c!==l&&(null!=c||null!=l))if("style"===u)if(l){for(o in l)!l.hasOwnProperty(o)||c&&c.hasOwnProperty(o)||(n||(n={}),n[o]="");for(o in c)c.hasOwnProperty(o)&&l[o]!==c[o]&&(n||(n={}),n[o]=c[o])}else n||(i||(i=[]),i.push(u,n)),n=c;else"dangerouslySetInnerHTML"===u?(c=c?c.__html:void 0,l=l?l.__html:void 0,null!=c&&l!==c&&(i=i||[]).push(u,c)):"children"===u?"string"!=typeof c&&"number"!=typeof c||(i=i||[]).push(u,""+c):"suppressContentEditableWarning"!==u&&"suppressHydrationWarning"!==u&&(s.hasOwnProperty(u)?(null!=c&&"onScroll"===u&&Br("scroll",e),i||l===c||(i=[])):(i=i||[]).push(u,c))}n&&(i=i||[]).push("style",n);var u=i;(t.updateQueue=u)&&(t.flags|=4)}},Os=function(e,t,n,r){n!==r&&(t.flags|=4)};var Gs=!1,Xs=!1,Ks="function"==typeof WeakSet?WeakSet:Set,Ys=null;function Js(e,t){var n=e.ref;if(null!==n)if("function"==typeof n)try{n(null)}catch(r){Ec(e,t,r)}else n.current=null}function el(e,t,n){try{n()}catch(r){Ec(e,t,r)}}var tl=!1;function nl(e,t,n){var r=t.updateQueue;if(null!==(r=null!==r?r.lastEffect:null)){var a=r=r.next;do{if((a.tag&e)===e){var o=a.destroy;a.destroy=void 0,void 0!==o&&el(t,n,o)}a=a.next}while(a!==r)}}function rl(e,t){if(null!==(t=null!==(t=t.updateQueue)?t.lastEffect:null)){var n=t=t.next;do{if((n.tag&e)===e){var r=n.create;n.destroy=r()}n=n.next}while(n!==t)}}function al(e){var t=e.ref;if(null!==t){var n=e.stateNode;e.tag,e=n,"function"==typeof t?t(e):t.current=e}}function ol(e){var t=e.alternate;null!==t&&(e.alternate=null,ol(t)),e.child=null,e.deletions=null,e.sibling=null,5===e.tag&&(null!==(t=e.stateNode)&&(delete t[pa],delete t[fa],delete t[ma],delete t[ga],delete t[ya])),e.stateNode=null,e.return=null,e.dependencies=null,e.memoizedProps=null,e.memoizedState=null,e.pendingProps=null,e.stateNode=null,e.updateQueue=null}function il(e){return 5===e.tag||3===e.tag||4===e.tag}function sl(e){e:for(;;){for(;null===e.sibling;){if(null===e.return||il(e.return))return null;e=e.return}for(e.sibling.return=e.return,e=e.sibling;5!==e.tag&&6!==e.tag&&18!==e.tag;){if(2&e.flags)continue e;if(null===e.child||4===e.tag)continue e;e.child.return=e,e=e.child}if(!(2&e.flags))return e.stateNode}}function ll(e,t,n){var r=e.tag;if(5===r||6===r)e=e.stateNode,t?8===n.nodeType?n.parentNode.insertBefore(e,t):n.insertBefore(e,t):(8===n.nodeType?(t=n.parentNode).insertBefore(e,n):(t=n).appendChild(e),null!=(n=n._reactRootContainer)||null!==t.onclick||(t.onclick=Jr));else if(4!==r&&null!==(e=e.child))for(ll(e,t,n),e=e.sibling;null!==e;)ll(e,t,n),e=e.sibling}function cl(e,t,n){var r=e.tag;if(5===r||6===r)e=e.stateNode,t?n.insertBefore(e,t):n.appendChild(e);else if(4!==r&&null!==(e=e.child))for(cl(e,t,n),e=e.sibling;null!==e;)cl(e,t,n),e=e.sibling}var ul=null,dl=!1;function pl(e,t,n){for(n=n.child;null!==n;)fl(e,t,n),n=n.sibling}function fl(e,t,n){if(ot&&"function"==typeof ot.onCommitFiberUnmount)try{ot.onCommitFiberUnmount(at,n)}catch(s){}switch(n.tag){case 5:Xs||Js(n,t);case 6:var r=ul,a=dl;ul=null,pl(e,t,n),dl=a,null!==(ul=r)&&(dl?(e=ul,n=n.stateNode,8===e.nodeType?e.parentNode.removeChild(n):e.removeChild(n)):ul.removeChild(n.stateNode));break;case 18:null!==ul&&(dl?(e=ul,n=n.stateNode,8===e.nodeType?la(e.parentNode,n):1===e.nodeType&&la(e,n),Ut(e)):la(ul,n.stateNode));break;case 4:r=ul,a=dl,ul=n.stateNode.containerInfo,dl=!0,pl(e,t,n),ul=r,dl=a;break;case 0:case 11:case 14:case 15:if(!Xs&&(null!==(r=n.updateQueue)&&null!==(r=r.lastEffect))){a=r=r.next;do{var o=a,i=o.destroy;o=o.tag,void 0!==i&&(0!=(2&o)||0!=(4&o))&&el(n,t,i),a=a.next}while(a!==r)}pl(e,t,n);break;case 1:if(!Xs&&(Js(n,t),"function"==typeof(r=n.stateNode).componentWillUnmount))try{r.props=n.memoizedProps,r.state=n.memoizedState,r.componentWillUnmount()}catch(s){Ec(n,t,s)}pl(e,t,n);break;case 21:pl(e,t,n);break;case 22:1&n.mode?(Xs=(r=Xs)||null!==n.memoizedState,pl(e,t,n),Xs=r):pl(e,t,n);break;default:pl(e,t,n)}}function hl(e){var t=e.updateQueue;if(null!==t){e.updateQueue=null;var n=e.stateNode;null===n&&(n=e.stateNode=new Ks),t.forEach((function(t){var r=Lc.bind(null,e,t);n.has(t)||(n.add(t),t.then(r,r))}))}}function ml(e,t){var n=t.deletions;if(null!==n)for(var r=0;r<n.length;r++){var a=n[r];try{var i=e,s=t,l=s;e:for(;null!==l;){switch(l.tag){case 5:ul=l.stateNode,dl=!1;break e;case 3:case 4:ul=l.stateNode.containerInfo,dl=!0;break e}l=l.return}if(null===ul)throw Error(o(160));fl(i,s,a),ul=null,dl=!1;var c=a.alternate;null!==c&&(c.return=null),a.return=null}catch(u){Ec(a,t,u)}}if(12854&t.subtreeFlags)for(t=t.child;null!==t;)gl(t,e),t=t.sibling}function gl(e,t){var n=e.alternate,r=e.flags;switch(e.tag){case 0:case 11:case 14:case 15:if(ml(t,e),yl(e),4&r){try{nl(3,e,e.return),rl(3,e)}catch(g){Ec(e,e.return,g)}try{nl(5,e,e.return)}catch(g){Ec(e,e.return,g)}}break;case 1:ml(t,e),yl(e),512&r&&null!==n&&Js(n,n.return);break;case 5:if(ml(t,e),yl(e),512&r&&null!==n&&Js(n,n.return),32&e.flags){var a=e.stateNode;try{pe(a,"")}catch(g){Ec(e,e.return,g)}}if(4&r&&null!=(a=e.stateNode)){var i=e.memoizedProps,s=null!==n?n.memoizedProps:i,l=e.type,c=e.updateQueue;if(e.updateQueue=null,null!==c)try{"input"===l&&"radio"===i.type&&null!=i.name&&K(a,i),ve(l,s);var u=ve(l,i);for(s=0;s<c.length;s+=2){var d=c[s],p=c[s+1];"style"===d?ge(a,p):"dangerouslySetInnerHTML"===d?de(a,p):"children"===d?pe(a,p):v(a,d,p,u)}switch(l){case"input":Y(a,i);break;case"textarea":oe(a,i);break;case"select":var f=a._wrapperState.wasMultiple;a._wrapperState.wasMultiple=!!i.multiple;var h=i.value;null!=h?ne(a,!!i.multiple,h,!1):f!==!!i.multiple&&(null!=i.defaultValue?ne(a,!!i.multiple,i.defaultValue,!0):ne(a,!!i.multiple,i.multiple?[]:"",!1))}a[fa]=i}catch(g){Ec(e,e.return,g)}}break;case 6:if(ml(t,e),yl(e),4&r){if(null===e.stateNode)throw Error(o(162));a=e.stateNode,i=e.memoizedProps;try{a.nodeValue=i}catch(g){Ec(e,e.return,g)}}break;case 3:if(ml(t,e),yl(e),4&r&&null!==n&&n.memoizedState.isDehydrated)try{Ut(t.containerInfo)}catch(g){Ec(e,e.return,g)}break;case 4:default:ml(t,e),yl(e);break;case 13:ml(t,e),yl(e),8192&(a=e.child).flags&&(i=null!==a.memoizedState,a.stateNode.isHidden=i,!i||null!==a.alternate&&null!==a.alternate.memoizedState||($l=Ke())),4&r&&hl(e);break;case 22:if(d=null!==n&&null!==n.memoizedState,1&e.mode?(Xs=(u=Xs)||d,ml(t,e),Xs=u):ml(t,e),yl(e),8192&r){if(u=null!==e.memoizedState,(e.stateNode.isHidden=u)&&!d&&0!=(1&e.mode))for(Ys=e,d=e.child;null!==d;){for(p=Ys=d;null!==Ys;){switch(h=(f=Ys).child,f.tag){case 0:case 11:case 14:case 15:nl(4,f,f.return);break;case 1:Js(f,f.return);var m=f.stateNode;if("function"==typeof m.componentWillUnmount){r=f,n=f.return;try{t=r,m.props=t.memoizedProps,m.state=t.memoizedState,m.componentWillUnmount()}catch(g){Ec(r,n,g)}}break;case 5:Js(f,f.return);break;case 22:if(null!==f.memoizedState){kl(p);continue}}null!==h?(h.return=f,Ys=h):kl(p)}d=d.sibling}e:for(d=null,p=e;;){if(5===p.tag){if(null===d){d=p;try{a=p.stateNode,u?"function"==typeof(i=a.style).setProperty?i.setProperty("display","none","important"):i.display="none":(l=p.stateNode,s=null!=(c=p.memoizedProps.style)&&c.hasOwnProperty("display")?c.display:null,l.style.display=me("display",s))}catch(g){Ec(e,e.return,g)}}}else if(6===p.tag){if(null===d)try{p.stateNode.nodeValue=u?"":p.memoizedProps}catch(g){Ec(e,e.return,g)}}else if((22!==p.tag&&23!==p.tag||null===p.memoizedState||p===e)&&null!==p.child){p.child.return=p,p=p.child;continue}if(p===e)break e;for(;null===p.sibling;){if(null===p.return||p.return===e)break e;d===p&&(d=null),p=p.return}d===p&&(d=null),p.sibling.return=p.return,p=p.sibling}}break;case 19:ml(t,e),yl(e),4&r&&hl(e);case 21:}}function yl(e){var t=e.flags;if(2&t){try{e:{for(var n=e.return;null!==n;){if(il(n)){var r=n;break e}n=n.return}throw Error(o(160))}switch(r.tag){case 5:var a=r.stateNode;32&r.flags&&(pe(a,""),r.flags&=-33),cl(e,sl(e),a);break;case 3:case 4:var i=r.stateNode.containerInfo;ll(e,sl(e),i);break;default:throw Error(o(161))}}catch(s){Ec(e,e.return,s)}e.flags&=-3}4096&t&&(e.flags&=-4097)}function bl(e,t,n){Ys=e,vl(e,t,n)}function vl(e,t,n){for(var r=0!=(1&e.mode);null!==Ys;){var a=Ys,o=a.child;if(22===a.tag&&r){var i=null!==a.memoizedState||Gs;if(!i){var s=a.alternate,l=null!==s&&null!==s.memoizedState||Xs;s=Gs;var c=Xs;if(Gs=i,(Xs=l)&&!c)for(Ys=a;null!==Ys;)l=(i=Ys).child,22===i.tag&&null!==i.memoizedState?xl(a):null!==l?(l.return=i,Ys=l):xl(a);for(;null!==o;)Ys=o,vl(o,t,n),o=o.sibling;Ys=a,Gs=s,Xs=c}wl(e)}else 0!=(8772&a.subtreeFlags)&&null!==o?(o.return=a,Ys=o):wl(e)}}function wl(e){for(;null!==Ys;){var t=Ys;if(0!=(8772&t.flags)){var n=t.alternate;try{if(0!=(8772&t.flags))switch(t.tag){case 0:case 11:case 15:Xs||rl(5,t);break;case 1:var r=t.stateNode;if(4&t.flags&&!Xs)if(null===n)r.componentDidMount();else{var a=t.elementType===t.type?n.memoizedProps:ns(t.type,n.memoizedProps);r.componentDidUpdate(a,n.memoizedState,r.__reactInternalSnapshotBeforeUpdate)}var i=t.updateQueue;null!==i&&Ho(t,i,r);break;case 3:var s=t.updateQueue;if(null!==s){if(n=null,null!==t.child)switch(t.child.tag){case 5:case 1:n=t.child.stateNode}Ho(t,s,n)}break;case 5:var l=t.stateNode;if(null===n&&4&t.flags){n=l;var c=t.memoizedProps;switch(t.type){case"button":case"input":case"select":case"textarea":c.autoFocus&&n.focus();break;case"img":c.src&&(n.src=c.src)}}break;case 6:case 4:case 12:case 19:case 17:case 21:case 22:case 23:case 25:break;case 13:if(null===t.memoizedState){var u=t.alternate;if(null!==u){var d=u.memoizedState;if(null!==d){var p=d.dehydrated;null!==p&&Ut(p)}}}break;default:throw Error(o(163))}Xs||512&t.flags&&al(t)}catch(f){Ec(t,t.return,f)}}if(t===e){Ys=null;break}if(null!==(n=t.sibling)){n.return=t.return,Ys=n;break}Ys=t.return}}function kl(e){for(;null!==Ys;){var t=Ys;if(t===e){Ys=null;break}var n=t.sibling;if(null!==n){n.return=t.return,Ys=n;break}Ys=t.return}}function xl(e){for(;null!==Ys;){var t=Ys;try{switch(t.tag){case 0:case 11:case 15:var n=t.return;try{rl(4,t)}catch(l){Ec(t,n,l)}break;case 1:var r=t.stateNode;if("function"==typeof r.componentDidMount){var a=t.return;try{r.componentDidMount()}catch(l){Ec(t,a,l)}}var o=t.return;try{al(t)}catch(l){Ec(t,o,l)}break;case 5:var i=t.return;try{al(t)}catch(l){Ec(t,i,l)}}}catch(l){Ec(t,t.return,l)}if(t===e){Ys=null;break}var s=t.sibling;if(null!==s){s.return=t.return,Ys=s;break}Ys=t.return}}var Sl,El=Math.ceil,_l=w.ReactCurrentDispatcher,Cl=w.ReactCurrentOwner,Tl=w.ReactCurrentBatchConfig,Ll=0,jl=null,Rl=null,Pl=0,Nl=0,Al=Ea(0),Ol=0,Il=null,Dl=0,Fl=0,Ml=0,Bl=null,zl=null,$l=0,Ul=1/0,ql=null,Hl=!1,Ql=null,Zl=null,Vl=!1,Wl=null,Gl=0,Xl=0,Kl=null,Yl=-1,Jl=0;function ec(){return 0!=(6&Ll)?Ke():-1!==Yl?Yl:Yl=Ke()}function tc(e){return 0==(1&e.mode)?1:0!=(2&Ll)&&0!==Pl?Pl&-Pl:null!==go.transition?(0===Jl&&(Jl=mt()),Jl):0!==(e=vt)?e:e=void 0===(e=window.event)?16:Xt(e.type)}function nc(e,t,n,r){if(50<Xl)throw Xl=0,Kl=null,Error(o(185));yt(e,n,r),0!=(2&Ll)&&e===jl||(e===jl&&(0==(2&Ll)&&(Fl|=n),4===Ol&&sc(e,Pl)),rc(e,r),1===n&&0===Ll&&0==(1&t.mode)&&(Ul=Ke()+500,Ba&&Ua()))}function rc(e,t){var n=e.callbackNode;!function(e,t){for(var n=e.suspendedLanes,r=e.pingedLanes,a=e.expirationTimes,o=e.pendingLanes;0<o;){var i=31-it(o),s=1<<i,l=a[i];-1===l?0!=(s&n)&&0==(s&r)||(a[i]=ft(s,t)):l<=t&&(e.expiredLanes|=s),o&=~s}}(e,t);var r=pt(e,e===jl?Pl:0);if(0===r)null!==n&&We(n),e.callbackNode=null,e.callbackPriority=0;else if(t=r&-r,e.callbackPriority!==t){if(null!=n&&We(n),1===t)0===e.tag?function(e){Ba=!0,$a(e)}(lc.bind(null,e)):$a(lc.bind(null,e)),ia((function(){0==(6&Ll)&&Ua()})),n=null;else{switch(wt(r)){case 1:n=Je;break;case 4:n=et;break;case 16:default:n=tt;break;case 536870912:n=rt}n=jc(n,ac.bind(null,e))}e.callbackPriority=t,e.callbackNode=n}}function ac(e,t){if(Yl=-1,Jl=0,0!=(6&Ll))throw Error(o(327));var n=e.callbackNode;if(xc()&&e.callbackNode!==n)return null;var r=pt(e,e===jl?Pl:0);if(0===r)return null;if(0!=(30&r)||0!=(r&e.expiredLanes)||t)t=gc(e,r);else{t=r;var a=Ll;Ll|=2;var i=hc();for(jl===e&&Pl===t||(ql=null,Ul=Ke()+500,pc(e,t));;)try{bc();break}catch(l){fc(e,l)}To(),_l.current=i,Ll=a,null!==Rl?t=0:(jl=null,Pl=0,t=Ol)}if(0!==t){if(2===t&&(0!==(a=ht(e))&&(r=a,t=oc(e,a))),1===t)throw n=Il,pc(e,0),sc(e,r),rc(e,Ke()),n;if(6===t)sc(e,r);else{if(a=e.current.alternate,0==(30&r)&&!function(e){for(var t=e;;){if(16384&t.flags){var n=t.updateQueue;if(null!==n&&null!==(n=n.stores))for(var r=0;r<n.length;r++){var a=n[r],o=a.getSnapshot;a=a.value;try{if(!sr(o(),a))return!1}catch(s){return!1}}}if(n=t.child,16384&t.subtreeFlags&&null!==n)n.return=t,t=n;else{if(t===e)break;for(;null===t.sibling;){if(null===t.return||t.return===e)return!0;t=t.return}t.sibling.return=t.return,t=t.sibling}}return!0}(a)&&(2===(t=gc(e,r))&&(0!==(i=ht(e))&&(r=i,t=oc(e,i))),1===t))throw n=Il,pc(e,0),sc(e,r),rc(e,Ke()),n;switch(e.finishedWork=a,e.finishedLanes=r,t){case 0:case 1:throw Error(o(345));case 2:case 5:kc(e,zl,ql);break;case 3:if(sc(e,r),(130023424&r)===r&&10<(t=$l+500-Ke())){if(0!==pt(e,0))break;if(((a=e.suspendedLanes)&r)!==r){ec(),e.pingedLanes|=e.suspendedLanes&a;break}e.timeoutHandle=ra(kc.bind(null,e,zl,ql),t);break}kc(e,zl,ql);break;case 4:if(sc(e,r),(4194240&r)===r)break;for(t=e.eventTimes,a=-1;0<r;){var s=31-it(r);i=1<<s,(s=t[s])>a&&(a=s),r&=~i}if(r=a,10<(r=(120>(r=Ke()-r)?120:480>r?480:1080>r?1080:1920>r?1920:3e3>r?3e3:4320>r?4320:1960*El(r/1960))-r)){e.timeoutHandle=ra(kc.bind(null,e,zl,ql),r);break}kc(e,zl,ql);break;default:throw Error(o(329))}}}return rc(e,Ke()),e.callbackNode===n?ac.bind(null,e):null}function oc(e,t){var n=Bl;return e.current.memoizedState.isDehydrated&&(pc(e,t).flags|=256),2!==(e=gc(e,t))&&(t=zl,zl=n,null!==t&&ic(t)),e}function ic(e){null===zl?zl=e:zl.push.apply(zl,e)}function sc(e,t){for(t&=~Ml,t&=~Fl,e.suspendedLanes|=t,e.pingedLanes&=~t,e=e.expirationTimes;0<t;){var n=31-it(t),r=1<<n;e[n]=-1,t&=~r}}function lc(e){if(0!=(6&Ll))throw Error(o(327));xc();var t=pt(e,0);if(0==(1&t))return rc(e,Ke()),null;var n=gc(e,t);if(0!==e.tag&&2===n){var r=ht(e);0!==r&&(t=r,n=oc(e,r))}if(1===n)throw n=Il,pc(e,0),sc(e,t),rc(e,Ke()),n;if(6===n)throw Error(o(345));return e.finishedWork=e.current.alternate,e.finishedLanes=t,kc(e,zl,ql),rc(e,Ke()),null}function cc(e,t){var n=Ll;Ll|=1;try{return e(t)}finally{0===(Ll=n)&&(Ul=Ke()+500,Ba&&Ua())}}function uc(e){null!==Wl&&0===Wl.tag&&0==(6&Ll)&&xc();var t=Ll;Ll|=1;var n=Tl.transition,r=vt;try{if(Tl.transition=null,vt=1,e)return e()}finally{vt=r,Tl.transition=n,0==(6&(Ll=t))&&Ua()}}function dc(){Nl=Al.current,_a(Al)}function pc(e,t){e.finishedWork=null,e.finishedLanes=0;var n=e.timeoutHandle;if(-1!==n&&(e.timeoutHandle=-1,aa(n)),null!==Rl)for(n=Rl.return;null!==n;){var r=n;switch(to(r),r.tag){case 1:null!=(r=r.type.childContextTypes)&&Aa();break;case 3:Ko(),_a(ja),_a(La),ri();break;case 5:Jo(r);break;case 4:Ko();break;case 13:case 19:_a(ei);break;case 10:Lo(r.type._context);break;case 22:case 23:dc()}n=n.return}if(jl=e,Rl=e=Ac(e.current,null),Pl=Nl=t,Ol=0,Il=null,Ml=Fl=Dl=0,zl=Bl=null,null!==No){for(t=0;t<No.length;t++)if(null!==(r=(n=No[t]).interleaved)){n.interleaved=null;var a=r.next,o=n.pending;if(null!==o){var i=o.next;o.next=a,r.next=i}n.pending=r}No=null}return e}function fc(e,t){for(;;){var n=Rl;try{if(To(),ai.current=Yi,ui){for(var r=si.memoizedState;null!==r;){var a=r.queue;null!==a&&(a.pending=null),r=r.next}ui=!1}if(ii=0,ci=li=si=null,di=!1,pi=0,Cl.current=null,null===n||null===n.return){Ol=1,Il=t,Rl=null;break}e:{var i=e,s=n.return,l=n,c=t;if(t=Pl,l.flags|=32768,null!==c&&"object"==typeof c&&"function"==typeof c.then){var u=c,d=l,p=d.tag;if(0==(1&d.mode)&&(0===p||11===p||15===p)){var f=d.alternate;f?(d.updateQueue=f.updateQueue,d.memoizedState=f.memoizedState,d.lanes=f.lanes):(d.updateQueue=null,d.memoizedState=null)}var h=gs(s);if(null!==h){h.flags&=-257,ys(h,s,l,0,t),1&h.mode&&ms(i,u,t),c=u;var m=(t=h).updateQueue;if(null===m){var g=new Set;g.add(c),t.updateQueue=g}else m.add(c);break e}if(0==(1&t)){ms(i,u,t),mc();break e}c=Error(o(426))}else if(ao&&1&l.mode){var y=gs(s);if(null!==y){0==(65536&y.flags)&&(y.flags|=256),ys(y,s,l,0,t),mo(cs(c,l));break e}}i=c=cs(c,l),4!==Ol&&(Ol=2),null===Bl?Bl=[i]:Bl.push(i),i=s;do{switch(i.tag){case 3:i.flags|=65536,t&=-t,i.lanes|=t,Uo(i,fs(0,c,t));break e;case 1:l=c;var b=i.type,v=i.stateNode;if(0==(128&i.flags)&&("function"==typeof b.getDerivedStateFromError||null!==v&&"function"==typeof v.componentDidCatch&&(null===Zl||!Zl.has(v)))){i.flags|=65536,t&=-t,i.lanes|=t,Uo(i,hs(i,l,t));break e}}i=i.return}while(null!==i)}wc(n)}catch(w){t=w,Rl===n&&null!==n&&(Rl=n=n.return);continue}break}}function hc(){var e=_l.current;return _l.current=Yi,null===e?Yi:e}function mc(){0!==Ol&&3!==Ol&&2!==Ol||(Ol=4),null===jl||0==(268435455&Dl)&&0==(268435455&Fl)||sc(jl,Pl)}function gc(e,t){var n=Ll;Ll|=2;var r=hc();for(jl===e&&Pl===t||(ql=null,pc(e,t));;)try{yc();break}catch(a){fc(e,a)}if(To(),Ll=n,_l.current=r,null!==Rl)throw Error(o(261));return jl=null,Pl=0,Ol}function yc(){for(;null!==Rl;)vc(Rl)}function bc(){for(;null!==Rl&&!Ge();)vc(Rl)}function vc(e){var t=Sl(e.alternate,e,Nl);e.memoizedProps=e.pendingProps,null===t?wc(e):Rl=t,Cl.current=null}function wc(e){var t=e;do{var n=t.alternate;if(e=t.return,0==(32768&t.flags)){if(null!==(n=Vs(n,t,Nl)))return void(Rl=n)}else{if(null!==(n=Ws(n,t)))return n.flags&=32767,void(Rl=n);if(null===e)return Ol=6,void(Rl=null);e.flags|=32768,e.subtreeFlags=0,e.deletions=null}if(null!==(t=t.sibling))return void(Rl=t);Rl=t=e}while(null!==t);0===Ol&&(Ol=5)}function kc(e,t,n){var r=vt,a=Tl.transition;try{Tl.transition=null,vt=1,function(e,t,n,r){do{xc()}while(null!==Wl);if(0!=(6&Ll))throw Error(o(327));n=e.finishedWork;var a=e.finishedLanes;if(null===n)return null;if(e.finishedWork=null,e.finishedLanes=0,n===e.current)throw Error(o(177));e.callbackNode=null,e.callbackPriority=0;var i=n.lanes|n.childLanes;if(function(e,t){var n=e.pendingLanes&~t;e.pendingLanes=t,e.suspendedLanes=0,e.pingedLanes=0,e.expiredLanes&=t,e.mutableReadLanes&=t,e.entangledLanes&=t,t=e.entanglements;var r=e.eventTimes;for(e=e.expirationTimes;0<n;){var a=31-it(n),o=1<<a;t[a]=0,r[a]=-1,e[a]=-1,n&=~o}}(e,i),e===jl&&(Rl=jl=null,Pl=0),0==(2064&n.subtreeFlags)&&0==(2064&n.flags)||Vl||(Vl=!0,jc(tt,(function(){return xc(),null}))),i=0!=(15990&n.flags),0!=(15990&n.subtreeFlags)||i){i=Tl.transition,Tl.transition=null;var s=vt;vt=1;var l=Ll;Ll|=4,Cl.current=null,function(e,t){if(ea=Ht,fr(e=pr())){if("selectionStart"in e)var n={start:e.selectionStart,end:e.selectionEnd};else e:{var r=(n=(n=e.ownerDocument)&&n.defaultView||window).getSelection&&n.getSelection();if(r&&0!==r.rangeCount){n=r.anchorNode;var a=r.anchorOffset,i=r.focusNode;r=r.focusOffset;try{n.nodeType,i.nodeType}catch(k){n=null;break e}var s=0,l=-1,c=-1,u=0,d=0,p=e,f=null;t:for(;;){for(var h;p!==n||0!==a&&3!==p.nodeType||(l=s+a),p!==i||0!==r&&3!==p.nodeType||(c=s+r),3===p.nodeType&&(s+=p.nodeValue.length),null!==(h=p.firstChild);)f=p,p=h;for(;;){if(p===e)break t;if(f===n&&++u===a&&(l=s),f===i&&++d===r&&(c=s),null!==(h=p.nextSibling))break;f=(p=f).parentNode}p=h}n=-1===l||-1===c?null:{start:l,end:c}}else n=null}n=n||{start:0,end:0}}else n=null;for(ta={focusedElem:e,selectionRange:n},Ht=!1,Ys=t;null!==Ys;)if(e=(t=Ys).child,0!=(1028&t.subtreeFlags)&&null!==e)e.return=t,Ys=e;else for(;null!==Ys;){t=Ys;try{var m=t.alternate;if(0!=(1024&t.flags))switch(t.tag){case 0:case 11:case 15:case 5:case 6:case 4:case 17:break;case 1:if(null!==m){var g=m.memoizedProps,y=m.memoizedState,b=t.stateNode,v=b.getSnapshotBeforeUpdate(t.elementType===t.type?g:ns(t.type,g),y);b.__reactInternalSnapshotBeforeUpdate=v}break;case 3:var w=t.stateNode.containerInfo;1===w.nodeType?w.textContent="":9===w.nodeType&&w.documentElement&&w.removeChild(w.documentElement);break;default:throw Error(o(163))}}catch(k){Ec(t,t.return,k)}if(null!==(e=t.sibling)){e.return=t.return,Ys=e;break}Ys=t.return}m=tl,tl=!1}(e,n),gl(n,e),hr(ta),Ht=!!ea,ta=ea=null,e.current=n,bl(n,e,a),Xe(),Ll=l,vt=s,Tl.transition=i}else e.current=n;if(Vl&&(Vl=!1,Wl=e,Gl=a),i=e.pendingLanes,0===i&&(Zl=null),function(e){if(ot&&"function"==typeof ot.onCommitFiberRoot)try{ot.onCommitFiberRoot(at,e,void 0,128==(128&e.current.flags))}catch(t){}}(n.stateNode),rc(e,Ke()),null!==t)for(r=e.onRecoverableError,n=0;n<t.length;n++)a=t[n],r(a.value,{componentStack:a.stack,digest:a.digest});if(Hl)throw Hl=!1,e=Ql,Ql=null,e;0!=(1&Gl)&&0!==e.tag&&xc(),i=e.pendingLanes,0!=(1&i)?e===Kl?Xl++:(Xl=0,Kl=e):Xl=0,Ua()}(e,t,n,r)}finally{Tl.transition=a,vt=r}return null}function xc(){if(null!==Wl){var e=wt(Gl),t=Tl.transition,n=vt;try{if(Tl.transition=null,vt=16>e?16:e,null===Wl)var r=!1;else{if(e=Wl,Wl=null,Gl=0,0!=(6&Ll))throw Error(o(331));var a=Ll;for(Ll|=4,Ys=e.current;null!==Ys;){var i=Ys,s=i.child;if(0!=(16&Ys.flags)){var l=i.deletions;if(null!==l){for(var c=0;c<l.length;c++){var u=l[c];for(Ys=u;null!==Ys;){var d=Ys;switch(d.tag){case 0:case 11:case 15:nl(8,d,i)}var p=d.child;if(null!==p)p.return=d,Ys=p;else for(;null!==Ys;){var f=(d=Ys).sibling,h=d.return;if(ol(d),d===u){Ys=null;break}if(null!==f){f.return=h,Ys=f;break}Ys=h}}}var m=i.alternate;if(null!==m){var g=m.child;if(null!==g){m.child=null;do{var y=g.sibling;g.sibling=null,g=y}while(null!==g)}}Ys=i}}if(0!=(2064&i.subtreeFlags)&&null!==s)s.return=i,Ys=s;else e:for(;null!==Ys;){if(0!=(2048&(i=Ys).flags))switch(i.tag){case 0:case 11:case 15:nl(9,i,i.return)}var b=i.sibling;if(null!==b){b.return=i.return,Ys=b;break e}Ys=i.return}}var v=e.current;for(Ys=v;null!==Ys;){var w=(s=Ys).child;if(0!=(2064&s.subtreeFlags)&&null!==w)w.return=s,Ys=w;else e:for(s=v;null!==Ys;){if(0!=(2048&(l=Ys).flags))try{switch(l.tag){case 0:case 11:case 15:rl(9,l)}}catch(x){Ec(l,l.return,x)}if(l===s){Ys=null;break e}var k=l.sibling;if(null!==k){k.return=l.return,Ys=k;break e}Ys=l.return}}if(Ll=a,Ua(),ot&&"function"==typeof ot.onPostCommitFiberRoot)try{ot.onPostCommitFiberRoot(at,e)}catch(x){}r=!0}return r}finally{vt=n,Tl.transition=t}}return!1}function Sc(e,t,n){e=zo(e,t=fs(0,t=cs(n,t),1),1),t=ec(),null!==e&&(yt(e,1,t),rc(e,t))}function Ec(e,t,n){if(3===e.tag)Sc(e,e,n);else for(;null!==t;){if(3===t.tag){Sc(t,e,n);break}if(1===t.tag){var r=t.stateNode;if("function"==typeof t.type.getDerivedStateFromError||"function"==typeof r.componentDidCatch&&(null===Zl||!Zl.has(r))){t=zo(t,e=hs(t,e=cs(n,e),1),1),e=ec(),null!==t&&(yt(t,1,e),rc(t,e));break}}t=t.return}}function _c(e,t,n){var r=e.pingCache;null!==r&&r.delete(t),t=ec(),e.pingedLanes|=e.suspendedLanes&n,jl===e&&(Pl&n)===n&&(4===Ol||3===Ol&&(130023424&Pl)===Pl&&500>Ke()-$l?pc(e,0):Ml|=n),rc(e,t)}function Cc(e,t){0===t&&(0==(1&e.mode)?t=1:(t=ut,0==(130023424&(ut<<=1))&&(ut=4194304)));var n=ec();null!==(e=Io(e,t))&&(yt(e,t,n),rc(e,n))}function Tc(e){var t=e.memoizedState,n=0;null!==t&&(n=t.retryLane),Cc(e,n)}function Lc(e,t){var n=0;switch(e.tag){case 13:var r=e.stateNode,a=e.memoizedState;null!==a&&(n=a.retryLane);break;case 19:r=e.stateNode;break;default:throw Error(o(314))}null!==r&&r.delete(t),Cc(e,n)}function jc(e,t){return Ve(e,t)}function Rc(e,t,n,r){this.tag=e,this.key=n,this.sibling=this.child=this.return=this.stateNode=this.type=this.elementType=null,this.index=0,this.ref=null,this.pendingProps=t,this.dependencies=this.memoizedState=this.updateQueue=this.memoizedProps=null,this.mode=r,this.subtreeFlags=this.flags=0,this.deletions=null,this.childLanes=this.lanes=0,this.alternate=null}function Pc(e,t,n,r){return new Rc(e,t,n,r)}function Nc(e){return!(!(e=e.prototype)||!e.isReactComponent)}function Ac(e,t){var n=e.alternate;return null===n?((n=Pc(e.tag,t,e.key,e.mode)).elementType=e.elementType,n.type=e.type,n.stateNode=e.stateNode,n.alternate=e,e.alternate=n):(n.pendingProps=t,n.type=e.type,n.flags=0,n.subtreeFlags=0,n.deletions=null),n.flags=14680064&e.flags,n.childLanes=e.childLanes,n.lanes=e.lanes,n.child=e.child,n.memoizedProps=e.memoizedProps,n.memoizedState=e.memoizedState,n.updateQueue=e.updateQueue,t=e.dependencies,n.dependencies=null===t?null:{lanes:t.lanes,firstContext:t.firstContext},n.sibling=e.sibling,n.index=e.index,n.ref=e.ref,n}function Oc(e,t,n,r,a,i){var s=2;if(r=e,"function"==typeof e)Nc(e)&&(s=1);else if("string"==typeof e)s=5;else e:switch(e){case S:return Ic(n.children,a,i,t);case E:s=8,a|=8;break;case _:return(e=Pc(12,n,t,2|a)).elementType=_,e.lanes=i,e;case j:return(e=Pc(13,n,t,a)).elementType=j,e.lanes=i,e;case R:return(e=Pc(19,n,t,a)).elementType=R,e.lanes=i,e;case A:return Dc(n,a,i,t);default:if("object"==typeof e&&null!==e)switch(e.$$typeof){case C:s=10;break e;case T:s=9;break e;case L:s=11;break e;case P:s=14;break e;case N:s=16,r=null;break e}throw Error(o(130,null==e?e:typeof e,""))}return(t=Pc(s,n,t,a)).elementType=e,t.type=r,t.lanes=i,t}function Ic(e,t,n,r){return(e=Pc(7,e,r,t)).lanes=n,e}function Dc(e,t,n,r){return(e=Pc(22,e,r,t)).elementType=A,e.lanes=n,e.stateNode={isHidden:!1},e}function Fc(e,t,n){return(e=Pc(6,e,null,t)).lanes=n,e}function Mc(e,t,n){return(t=Pc(4,null!==e.children?e.children:[],e.key,t)).lanes=n,t.stateNode={containerInfo:e.containerInfo,pendingChildren:null,implementation:e.implementation},t}function Bc(e,t,n,r,a){this.tag=t,this.containerInfo=e,this.finishedWork=this.pingCache=this.current=this.pendingChildren=null,this.timeoutHandle=-1,this.callbackNode=this.pendingContext=this.context=null,this.callbackPriority=0,this.eventTimes=gt(0),this.expirationTimes=gt(-1),this.entangledLanes=this.finishedLanes=this.mutableReadLanes=this.expiredLanes=this.pingedLanes=this.suspendedLanes=this.pendingLanes=0,this.entanglements=gt(0),this.identifierPrefix=r,this.onRecoverableError=a,this.mutableSourceEagerHydrationData=null}function zc(e,t,n,r,a,o,i,s,l){return e=new Bc(e,t,n,s,l),1===t?(t=1,!0===o&&(t|=8)):t=0,o=Pc(3,null,null,t),e.current=o,o.stateNode=e,o.memoizedState={element:r,isDehydrated:n,cache:null,transitions:null,pendingSuspenseBoundaries:null},Fo(o),e}function $c(e){if(!e)return Ta;e:{if(Ue(e=e._reactInternals)!==e||1!==e.tag)throw Error(o(170));var t=e;do{switch(t.tag){case 3:t=t.stateNode.context;break e;case 1:if(Na(t.type)){t=t.stateNode.__reactInternalMemoizedMergedChildContext;break e}}t=t.return}while(null!==t);throw Error(o(171))}if(1===e.tag){var n=e.type;if(Na(n))return Ia(e,n,t)}return t}function Uc(e,t,n,r,a,o,i,s,l){return(e=zc(n,r,!0,e,0,o,0,s,l)).context=$c(null),n=e.current,(o=Bo(r=ec(),a=tc(n))).callback=null!=t?t:null,zo(n,o,a),e.current.lanes=a,yt(e,a,r),rc(e,r),e}function qc(e,t,n,r){var a=t.current,o=ec(),i=tc(a);return n=$c(n),null===t.context?t.context=n:t.pendingContext=n,(t=Bo(o,i)).payload={element:e},null!==(r=void 0===r?null:r)&&(t.callback=r),null!==(e=zo(a,t,i))&&(nc(e,a,i,o),$o(e,a,i)),i}function Hc(e){return(e=e.current).child?(e.child.tag,e.child.stateNode):null}function Qc(e,t){if(null!==(e=e.memoizedState)&&null!==e.dehydrated){var n=e.retryLane;e.retryLane=0!==n&&n<t?n:t}}function Zc(e,t){Qc(e,t),(e=e.alternate)&&Qc(e,t)}Sl=function(e,t,n){if(null!==e)if(e.memoizedProps!==t.pendingProps||ja.current)vs=!0;else{if(0==(e.lanes&n)&&0==(128&t.flags))return vs=!1,function(e,t,n){switch(t.tag){case 3:js(t),ho();break;case 5:Yo(t);break;case 1:Na(t.type)&&Da(t);break;case 4:Xo(t,t.stateNode.containerInfo);break;case 10:var r=t.type._context,a=t.memoizedProps.value;Ca(So,r._currentValue),r._currentValue=a;break;case 13:if(null!==(r=t.memoizedState))return null!==r.dehydrated?(Ca(ei,1&ei.current),t.flags|=128,null):0!=(n&t.child.childLanes)?Fs(e,t,n):(Ca(ei,1&ei.current),null!==(e=Hs(e,t,n))?e.sibling:null);Ca(ei,1&ei.current);break;case 19:if(r=0!=(n&t.childLanes),0!=(128&e.flags)){if(r)return Us(e,t,n);t.flags|=128}if(null!==(a=t.memoizedState)&&(a.rendering=null,a.tail=null,a.lastEffect=null),Ca(ei,ei.current),r)break;return null;case 22:case 23:return t.lanes=0,Es(e,t,n)}return Hs(e,t,n)}(e,t,n);vs=0!=(131072&e.flags)}else vs=!1,ao&&0!=(1048576&t.flags)&&Ja(t,Za,t.index);switch(t.lanes=0,t.tag){case 2:var r=t.type;qs(e,t),e=t.pendingProps;var a=Pa(t,La.current);Ro(t,n),a=gi(null,t,r,e,a,n);var i=yi();return t.flags|=1,"object"==typeof a&&null!==a&&"function"==typeof a.render&&void 0===a.$$typeof?(t.tag=1,t.memoizedState=null,t.updateQueue=null,Na(r)?(i=!0,Da(t)):i=!1,t.memoizedState=null!==a.state&&void 0!==a.state?a.state:null,Fo(t),a.updater=as,t.stateNode=a,a._reactInternals=t,ls(t,r,e,n),t=Ls(null,t,r,!0,i,n)):(t.tag=0,ao&&i&&eo(t),ws(null,t,a,n),t=t.child),t;case 16:r=t.elementType;e:{switch(qs(e,t),e=t.pendingProps,r=(a=r._init)(r._payload),t.type=r,a=t.tag=function(e){if("function"==typeof e)return Nc(e)?1:0;if(null!=e){if((e=e.$$typeof)===L)return 11;if(e===P)return 14}return 2}(r),e=ns(r,e),a){case 0:t=Cs(null,t,r,e,n);break e;case 1:t=Ts(null,t,r,e,n);break e;case 11:t=ks(null,t,r,e,n);break e;case 14:t=xs(null,t,r,ns(r.type,e),n);break e}throw Error(o(306,r,""))}return t;case 0:return r=t.type,a=t.pendingProps,Cs(e,t,r,a=t.elementType===r?a:ns(r,a),n);case 1:return r=t.type,a=t.pendingProps,Ts(e,t,r,a=t.elementType===r?a:ns(r,a),n);case 3:e:{if(js(t),null===e)throw Error(o(387));r=t.pendingProps,a=(i=t.memoizedState).element,Mo(e,t),qo(t,r,null,n);var s=t.memoizedState;if(r=s.element,i.isDehydrated){if(i={element:r,isDehydrated:!1,cache:s.cache,pendingSuspenseBoundaries:s.pendingSuspenseBoundaries,transitions:s.transitions},t.updateQueue.baseState=i,t.memoizedState=i,256&t.flags){t=Rs(e,t,r,n,a=cs(Error(o(423)),t));break e}if(r!==a){t=Rs(e,t,r,n,a=cs(Error(o(424)),t));break e}for(ro=ca(t.stateNode.containerInfo.firstChild),no=t,ao=!0,oo=null,n=xo(t,null,r,n),t.child=n;n;)n.flags=-3&n.flags|4096,n=n.sibling}else{if(ho(),r===a){t=Hs(e,t,n);break e}ws(e,t,r,n)}t=t.child}return t;case 5:return Yo(t),null===e&&co(t),r=t.type,a=t.pendingProps,i=null!==e?e.memoizedProps:null,s=a.children,na(r,a)?s=null:null!==i&&na(r,i)&&(t.flags|=32),_s(e,t),ws(e,t,s,n),t.child;case 6:return null===e&&co(t),null;case 13:return Fs(e,t,n);case 4:return Xo(t,t.stateNode.containerInfo),r=t.pendingProps,null===e?t.child=ko(t,null,r,n):ws(e,t,r,n),t.child;case 11:return r=t.type,a=t.pendingProps,ks(e,t,r,a=t.elementType===r?a:ns(r,a),n);case 7:return ws(e,t,t.pendingProps,n),t.child;case 8:case 12:return ws(e,t,t.pendingProps.children,n),t.child;case 10:e:{if(r=t.type._context,a=t.pendingProps,i=t.memoizedProps,s=a.value,Ca(So,r._currentValue),r._currentValue=s,null!==i)if(sr(i.value,s)){if(i.children===a.children&&!ja.current){t=Hs(e,t,n);break e}}else for(null!==(i=t.child)&&(i.return=t);null!==i;){var l=i.dependencies;if(null!==l){s=i.child;for(var c=l.firstContext;null!==c;){if(c.context===r){if(1===i.tag){(c=Bo(-1,n&-n)).tag=2;var u=i.updateQueue;if(null!==u){var d=(u=u.shared).pending;null===d?c.next=c:(c.next=d.next,d.next=c),u.pending=c}}i.lanes|=n,null!==(c=i.alternate)&&(c.lanes|=n),jo(i.return,n,t),l.lanes|=n;break}c=c.next}}else if(10===i.tag)s=i.type===t.type?null:i.child;else if(18===i.tag){if(null===(s=i.return))throw Error(o(341));s.lanes|=n,null!==(l=s.alternate)&&(l.lanes|=n),jo(s,n,t),s=i.sibling}else s=i.child;if(null!==s)s.return=i;else for(s=i;null!==s;){if(s===t){s=null;break}if(null!==(i=s.sibling)){i.return=s.return,s=i;break}s=s.return}i=s}ws(e,t,a.children,n),t=t.child}return t;case 9:return a=t.type,r=t.pendingProps.children,Ro(t,n),r=r(a=Po(a)),t.flags|=1,ws(e,t,r,n),t.child;case 14:return a=ns(r=t.type,t.pendingProps),xs(e,t,r,a=ns(r.type,a),n);case 15:return Ss(e,t,t.type,t.pendingProps,n);case 17:return r=t.type,a=t.pendingProps,a=t.elementType===r?a:ns(r,a),qs(e,t),t.tag=1,Na(r)?(e=!0,Da(t)):e=!1,Ro(t,n),is(t,r,a),ls(t,r,a,n),Ls(null,t,r,!0,e,n);case 19:return Us(e,t,n);case 22:return Es(e,t,n)}throw Error(o(156,t.tag))};var Vc="function"==typeof reportError?reportError:function(e){console.error(e)};function Wc(e){this._internalRoot=e}function Gc(e){this._internalRoot=e}function Xc(e){return!(!e||1!==e.nodeType&&9!==e.nodeType&&11!==e.nodeType)}function Kc(e){return!(!e||1!==e.nodeType&&9!==e.nodeType&&11!==e.nodeType&&(8!==e.nodeType||" react-mount-point-unstable "!==e.nodeValue))}function Yc(){}function Jc(e,t,n,r,a){var o=n._reactRootContainer;if(o){var i=o;if("function"==typeof a){var s=a;a=function(){var e=Hc(i);s.call(e)}}qc(t,i,e,a)}else i=function(e,t,n,r,a){if(a){if("function"==typeof r){var o=r;r=function(){var e=Hc(i);o.call(e)}}var i=Uc(t,r,e,0,null,!1,0,"",Yc);return e._reactRootContainer=i,e[ha]=i.current,Ur(8===e.nodeType?e.parentNode:e),uc(),i}for(;a=e.lastChild;)e.removeChild(a);if("function"==typeof r){var s=r;r=function(){var e=Hc(l);s.call(e)}}var l=zc(e,0,!1,null,0,!1,0,"",Yc);return e._reactRootContainer=l,e[ha]=l.current,Ur(8===e.nodeType?e.parentNode:e),uc((function(){qc(t,l,n,r)})),l}(n,t,e,a,r);return Hc(i)}Gc.prototype.render=Wc.prototype.render=function(e){var t=this._internalRoot;if(null===t)throw Error(o(409));qc(e,t,null,null)},Gc.prototype.unmount=Wc.prototype.unmount=function(){var e=this._internalRoot;if(null!==e){this._internalRoot=null;var t=e.containerInfo;uc((function(){qc(null,e,null,null)})),t[ha]=null}},Gc.prototype.unstable_scheduleHydration=function(e){if(e){var t=Et();e={blockedOn:null,target:e,priority:t};for(var n=0;n<At.length&&0!==t&&t<At[n].priority;n++);At.splice(n,0,e),0===n&&Ft(e)}},kt=function(e){switch(e.tag){case 3:var t=e.stateNode;if(t.current.memoizedState.isDehydrated){var n=dt(t.pendingLanes);0!==n&&(bt(t,1|n),rc(t,Ke()),0==(6&Ll)&&(Ul=Ke()+500,Ua()))}break;case 13:uc((function(){var t=Io(e,1);if(null!==t){var n=ec();nc(t,e,1,n)}})),Zc(e,1)}},xt=function(e){if(13===e.tag){var t=Io(e,134217728);if(null!==t)nc(t,e,134217728,ec());Zc(e,134217728)}},St=function(e){if(13===e.tag){var t=tc(e),n=Io(e,t);if(null!==n)nc(n,e,t,ec());Zc(e,t)}},Et=function(){return vt},_t=function(e,t){var n=vt;try{return vt=e,t()}finally{vt=n}},xe=function(e,t,n){switch(t){case"input":if(Y(e,n),t=n.name,"radio"===n.type&&null!=t){for(n=e;n.parentNode;)n=n.parentNode;for(n=n.querySelectorAll("input[name="+JSON.stringify(""+t)+'][type="radio"]'),t=0;t<n.length;t++){var r=n[t];if(r!==e&&r.form===e.form){var a=ka(r);if(!a)throw Error(o(90));V(r),Y(r,a)}}}break;case"textarea":oe(e,n);break;case"select":null!=(t=n.value)&&ne(e,!!n.multiple,t,!1)}},Le=cc,je=uc;var eu={usingClientEntryPoint:!1,Events:[va,wa,ka,Ce,Te,cc]},tu={findFiberByHostInstance:ba,bundleType:0,version:"18.3.1",rendererPackageName:"react-dom"},nu={bundleType:tu.bundleType,version:tu.version,rendererPackageName:tu.rendererPackageName,rendererConfig:tu.rendererConfig,overrideHookState:null,overrideHookStateDeletePath:null,overrideHookStateRenamePath:null,overrideProps:null,overridePropsDeletePath:null,overridePropsRenamePath:null,setErrorHandler:null,setSuspenseHandler:null,scheduleUpdate:null,currentDispatcherRef:w.ReactCurrentDispatcher,findHostInstanceByFiber:function(e){return null===(e=Qe(e))?null:e.stateNode},findFiberByHostInstance:tu.findFiberByHostInstance||function(){return null},findHostInstancesForRefresh:null,scheduleRefresh:null,scheduleRoot:null,setRefreshHandler:null,getCurrentFiber:null,reconcilerVersion:"18.3.1-next-f1338f8080-20240426"};if("undefined"!=typeof __REACT_DEVTOOLS_GLOBAL_HOOK__){var ru=__REACT_DEVTOOLS_GLOBAL_HOOK__;if(!ru.isDisabled&&ru.supportsFiber)try{at=ru.inject(nu),ot=ru}catch(ue){}}t.__SECRET_INTERNALS_DO_NOT_USE_OR_YOU_WILL_BE_FIRED=eu,t.createPortal=function(e,t){var n=2<arguments.length&&void 0!==arguments[2]?arguments[2]:null;if(!Xc(t))throw Error(o(200));return function(e,t,n){var r=3<arguments.length&&void 0!==arguments[3]?arguments[3]:null;return{$$typeof:x,key:null==r?null:""+r,children:e,containerInfo:t,implementation:n}}(e,t,null,n)},t.createRoot=function(e,t){if(!Xc(e))throw Error(o(299));var n=!1,r="",a=Vc;return null!=t&&(!0===t.unstable_strictMode&&(n=!0),void 0!==t.identifierPrefix&&(r=t.identifierPrefix),void 0!==t.onRecoverableError&&(a=t.onRecoverableError)),t=zc(e,1,!1,null,0,n,0,r,a),e[ha]=t.current,Ur(8===e.nodeType?e.parentNode:e),new Wc(t)},t.findDOMNode=function(e){if(null==e)return null;if(1===e.nodeType)return e;var t=e._reactInternals;if(void 0===t){if("function"==typeof e.render)throw Error(o(188));throw e=Object.keys(e).join(","),Error(o(268,e))}return e=null===(e=Qe(t))?null:e.stateNode},t.flushSync=function(e){return uc(e)},t.hydrate=function(e,t,n){if(!Kc(t))throw Error(o(200));return Jc(null,e,t,!0,n)},t.hydrateRoot=function(e,t,n){if(!Xc(e))throw Error(o(405));var r=null!=n&&n.hydratedSources||null,a=!1,i="",s=Vc;if(null!=n&&(!0===n.unstable_strictMode&&(a=!0),void 0!==n.identifierPrefix&&(i=n.identifierPrefix),void 0!==n.onRecoverableError&&(s=n.onRecoverableError)),t=Uc(t,null,e,1,null!=n?n:null,a,0,i,s),e[ha]=t.current,Ur(e),r)for(e=0;e<r.length;e++)a=(a=(n=r[e])._getVersion)(n._source),null==t.mutableSourceEagerHydrationData?t.mutableSourceEagerHydrationData=[n,a]:t.mutableSourceEagerHydrationData.push(n,a);return new Gc(t)},t.render=function(e,t,n){if(!Kc(t))throw Error(o(200));return Jc(null,e,t,!1,n)},t.unmountComponentAtNode=function(e){if(!Kc(e))throw Error(o(40));return!!e._reactRootContainer&&(uc((function(){Jc(null,null,e,!1,(function(){e._reactRootContainer=null,e[ha]=null}))})),!0)},t.unstable_batchedUpdates=cc,t.unstable_renderSubtreeIntoContainer=function(e,t,n,r){if(!Kc(n))throw Error(o(200));if(null==e||void 0===e._reactInternals)throw Error(o(38));return Jc(e,t,n,!1,r)},t.version="18.3.1-next-f1338f8080-20240426"},745:(e,t,n)=>{"use strict";var r=n(3935);t.createRoot=r.createRoot,t.hydrateRoot=r.hydrateRoot},3935:(e,t,n)=>{"use strict";!function e(){if("undefined"!=typeof __REACT_DEVTOOLS_GLOBAL_HOOK__&&"function"==typeof __REACT_DEVTOOLS_GLOBAL_HOOK__.checkDCE)try{__REACT_DEVTOOLS_GLOBAL_HOOK__.checkDCE(e)}catch(t){console.error(t)}}(),e.exports=n(4448)},9590:e=>{var t="undefined"!=typeof Element,n="function"==typeof Map,r="function"==typeof Set,a="function"==typeof ArrayBuffer&&!!ArrayBuffer.isView;function o(e,i){if(e===i)return!0;if(e&&i&&"object"==typeof e&&"object"==typeof i){if(e.constructor!==i.constructor)return!1;var s,l,c,u;if(Array.isArray(e)){if((s=e.length)!=i.length)return!1;for(l=s;0!=l--;)if(!o(e[l],i[l]))return!1;return!0}if(n&&e instanceof Map&&i instanceof Map){if(e.size!==i.size)return!1;for(u=e.entries();!(l=u.next()).done;)if(!i.has(l.value[0]))return!1;for(u=e.entries();!(l=u.next()).done;)if(!o(l.value[1],i.get(l.value[0])))return!1;return!0}if(r&&e instanceof Set&&i instanceof Set){if(e.size!==i.size)return!1;for(u=e.entries();!(l=u.next()).done;)if(!i.has(l.value[0]))return!1;return!0}if(a&&ArrayBuffer.isView(e)&&ArrayBuffer.isView(i)){if((s=e.length)!=i.length)return!1;for(l=s;0!=l--;)if(e[l]!==i[l])return!1;return!0}if(e.constructor===RegExp)return e.source===i.source&&e.flags===i.flags;if(e.valueOf!==Object.prototype.valueOf&&"function"==typeof e.valueOf&&"function"==typeof i.valueOf)return e.valueOf()===i.valueOf();if(e.toString!==Object.prototype.toString&&"function"==typeof e.toString&&"function"==typeof i.toString)return e.toString()===i.toString();if((s=(c=Object.keys(e)).length)!==Object.keys(i).length)return!1;for(l=s;0!=l--;)if(!Object.prototype.hasOwnProperty.call(i,c[l]))return!1;if(t&&e instanceof Element)return!1;for(l=s;0!=l--;)if(("_owner"!==c[l]&&"__v"!==c[l]&&"__o"!==c[l]||!e.$$typeof)&&!o(e[c[l]],i[c[l]]))return!1;return!0}return e!=e&&i!=i}e.exports=function(e,t){try{return o(e,t)}catch(n){if((n.message||"").match(/stack|recursion/i))return console.warn("react-fast-compare cannot handle circular refs"),!1;throw n}}},405:(e,t,n)=>{"use strict";n.d(t,{B6:()=>Q,ql:()=>J});var r=n(7294),a=n(5697),o=n.n(a),i=n(9590),s=n.n(i),l=n(1143),c=n.n(l),u=n(6774),d=n.n(u);function p(){return p=Object.assign||function(e){for(var t=1;t<arguments.length;t++){var n=arguments[t];for(var r in n)Object.prototype.hasOwnProperty.call(n,r)&&(e[r]=n[r])}return e},p.apply(this,arguments)}function f(e,t){e.prototype=Object.create(t.prototype),e.prototype.constructor=e,h(e,t)}function h(e,t){return h=Object.setPrototypeOf||function(e,t){return e.__proto__=t,e},h(e,t)}function m(e,t){if(null==e)return{};var n,r,a={},o=Object.keys(e);for(r=0;r<o.length;r++)t.indexOf(n=o[r])>=0||(a[n]=e[n]);return a}var g={BASE:"base",BODY:"body",HEAD:"head",HTML:"html",LINK:"link",META:"meta",NOSCRIPT:"noscript",SCRIPT:"script",STYLE:"style",TITLE:"title",FRAGMENT:"Symbol(react.fragment)"},y={rel:["amphtml","canonical","alternate"]},b={type:["application/ld+json"]},v={charset:"",name:["robots","description"],property:["og:type","og:title","og:url","og:image","og:image:alt","og:description","twitter:url","twitter:title","twitter:description","twitter:image","twitter:image:alt","twitter:card","twitter:site"]},w=Object.keys(g).map((function(e){return g[e]})),k={accesskey:"accessKey",charset:"charSet",class:"className",contenteditable:"contentEditable",contextmenu:"contextMenu","http-equiv":"httpEquiv",itemprop:"itemProp",tabindex:"tabIndex"},x=Object.keys(k).reduce((function(e,t){return e[k[t]]=t,e}),{}),S=function(e,t){for(var n=e.length-1;n>=0;n-=1){var r=e[n];if(Object.prototype.hasOwnProperty.call(r,t))return r[t]}return null},E=function(e){var t=S(e,g.TITLE),n=S(e,"titleTemplate");if(Array.isArray(t)&&(t=t.join("")),n&&t)return n.replace(/%s/g,(function(){return t}));var r=S(e,"defaultTitle");return t||r||void 0},_=function(e){return S(e,"onChangeClientState")||function(){}},C=function(e,t){return t.filter((function(t){return void 0!==t[e]})).map((function(t){return t[e]})).reduce((function(e,t){return p({},e,t)}),{})},T=function(e,t){return t.filter((function(e){return void 0!==e[g.BASE]})).map((function(e){return e[g.BASE]})).reverse().reduce((function(t,n){if(!t.length)for(var r=Object.keys(n),a=0;a<r.length;a+=1){var o=r[a].toLowerCase();if(-1!==e.indexOf(o)&&n[o])return t.concat(n)}return t}),[])},L=function(e,t,n){var r={};return n.filter((function(t){return!!Array.isArray(t[e])||(void 0!==t[e]&&console&&"function"==typeof console.warn&&console.warn("Helmet: "+e+' should be of type "Array". Instead found type "'+typeof t[e]+'"'),!1)})).map((function(t){return t[e]})).reverse().reduce((function(e,n){var a={};n.filter((function(e){for(var n,o=Object.keys(e),i=0;i<o.length;i+=1){var s=o[i],l=s.toLowerCase();-1===t.indexOf(l)||"rel"===n&&"canonical"===e[n].toLowerCase()||"rel"===l&&"stylesheet"===e[l].toLowerCase()||(n=l),-1===t.indexOf(s)||"innerHTML"!==s&&"cssText"!==s&&"itemprop"!==s||(n=s)}if(!n||!e[n])return!1;var c=e[n].toLowerCase();return r[n]||(r[n]={}),a[n]||(a[n]={}),!r[n][c]&&(a[n][c]=!0,!0)})).reverse().forEach((function(t){return e.push(t)}));for(var o=Object.keys(a),i=0;i<o.length;i+=1){var s=o[i],l=p({},r[s],a[s]);r[s]=l}return e}),[]).reverse()},j=function(e,t){if(Array.isArray(e)&&e.length)for(var n=0;n<e.length;n+=1)if(e[n][t])return!0;return!1},R=function(e){return Array.isArray(e)?e.join(""):e},P=function(e,t){return Array.isArray(e)?e.reduce((function(e,n){return function(e,t){for(var n=Object.keys(e),r=0;r<n.length;r+=1)if(t[n[r]]&&t[n[r]].includes(e[n[r]]))return!0;return!1}(n,t)?e.priority.push(n):e.default.push(n),e}),{priority:[],default:[]}):{default:e}},N=function(e,t){var n;return p({},e,((n={})[t]=void 0,n))},A=[g.NOSCRIPT,g.SCRIPT,g.STYLE],O=function(e,t){return void 0===t&&(t=!0),!1===t?String(e):String(e).replace(/&/g,"&").replace(/</g,"<").replace(/>/g,">").replace(/"/g,""").replace(/'/g,"'")},I=function(e){return Object.keys(e).reduce((function(t,n){var r=void 0!==e[n]?n+'="'+e[n]+'"':""+n;return t?t+" "+r:r}),"")},D=function(e,t){return void 0===t&&(t={}),Object.keys(e).reduce((function(t,n){return t[k[n]||n]=e[n],t}),t)},F=function(e,t){return t.map((function(t,n){var a,o=((a={key:n})["data-rh"]=!0,a);return Object.keys(t).forEach((function(e){var n=k[e]||e;"innerHTML"===n||"cssText"===n?o.dangerouslySetInnerHTML={__html:t.innerHTML||t.cssText}:o[n]=t[e]})),r.createElement(e,o)}))},M=function(e,t,n){switch(e){case g.TITLE:return{toComponent:function(){return n=t.titleAttributes,(a={key:e=t.title})["data-rh"]=!0,o=D(n,a),[r.createElement(g.TITLE,o,e)];var e,n,a,o},toString:function(){return function(e,t,n,r){var a=I(n),o=R(t);return a?"<"+e+' data-rh="true" '+a+">"+O(o,r)+"</"+e+">":"<"+e+' data-rh="true">'+O(o,r)+"</"+e+">"}(e,t.title,t.titleAttributes,n)}};case"bodyAttributes":case"htmlAttributes":return{toComponent:function(){return D(t)},toString:function(){return I(t)}};default:return{toComponent:function(){return F(e,t)},toString:function(){return function(e,t,n){return t.reduce((function(t,r){var a=Object.keys(r).filter((function(e){return!("innerHTML"===e||"cssText"===e)})).reduce((function(e,t){var a=void 0===r[t]?t:t+'="'+O(r[t],n)+'"';return e?e+" "+a:a}),""),o=r.innerHTML||r.cssText||"",i=-1===A.indexOf(e);return t+"<"+e+' data-rh="true" '+a+(i?"/>":">"+o+"</"+e+">")}),"")}(e,t,n)}}}},B=function(e){var t=e.baseTag,n=e.bodyAttributes,r=e.encode,a=e.htmlAttributes,o=e.noscriptTags,i=e.styleTags,s=e.title,l=void 0===s?"":s,c=e.titleAttributes,u=e.linkTags,d=e.metaTags,p=e.scriptTags,f={toComponent:function(){},toString:function(){return""}};if(e.prioritizeSeoTags){var h=function(e){var t=e.linkTags,n=e.scriptTags,r=e.encode,a=P(e.metaTags,v),o=P(t,y),i=P(n,b);return{priorityMethods:{toComponent:function(){return[].concat(F(g.META,a.priority),F(g.LINK,o.priority),F(g.SCRIPT,i.priority))},toString:function(){return M(g.META,a.priority,r)+" "+M(g.LINK,o.priority,r)+" "+M(g.SCRIPT,i.priority,r)}},metaTags:a.default,linkTags:o.default,scriptTags:i.default}}(e);f=h.priorityMethods,u=h.linkTags,d=h.metaTags,p=h.scriptTags}return{priority:f,base:M(g.BASE,t,r),bodyAttributes:M("bodyAttributes",n,r),htmlAttributes:M("htmlAttributes",a,r),link:M(g.LINK,u,r),meta:M(g.META,d,r),noscript:M(g.NOSCRIPT,o,r),script:M(g.SCRIPT,p,r),style:M(g.STYLE,i,r),title:M(g.TITLE,{title:l,titleAttributes:c},r)}},z=[],$=function(e,t){var n=this;void 0===t&&(t="undefined"!=typeof document),this.instances=[],this.value={setHelmet:function(e){n.context.helmet=e},helmetInstances:{get:function(){return n.canUseDOM?z:n.instances},add:function(e){(n.canUseDOM?z:n.instances).push(e)},remove:function(e){var t=(n.canUseDOM?z:n.instances).indexOf(e);(n.canUseDOM?z:n.instances).splice(t,1)}}},this.context=e,this.canUseDOM=t,t||(e.helmet=B({baseTag:[],bodyAttributes:{},encodeSpecialCharacters:!0,htmlAttributes:{},linkTags:[],metaTags:[],noscriptTags:[],scriptTags:[],styleTags:[],title:"",titleAttributes:{}}))},U=r.createContext({}),q=o().shape({setHelmet:o().func,helmetInstances:o().shape({get:o().func,add:o().func,remove:o().func})}),H="undefined"!=typeof document,Q=function(e){function t(n){var r;return(r=e.call(this,n)||this).helmetData=new $(r.props.context,t.canUseDOM),r}return f(t,e),t.prototype.render=function(){return r.createElement(U.Provider,{value:this.helmetData.value},this.props.children)},t}(r.Component);Q.canUseDOM=H,Q.propTypes={context:o().shape({helmet:o().shape()}),children:o().node.isRequired},Q.defaultProps={context:{}},Q.displayName="HelmetProvider";var Z=function(e,t){var n,r=document.head||document.querySelector(g.HEAD),a=r.querySelectorAll(e+"[data-rh]"),o=[].slice.call(a),i=[];return t&&t.length&&t.forEach((function(t){var r=document.createElement(e);for(var a in t)Object.prototype.hasOwnProperty.call(t,a)&&("innerHTML"===a?r.innerHTML=t.innerHTML:"cssText"===a?r.styleSheet?r.styleSheet.cssText=t.cssText:r.appendChild(document.createTextNode(t.cssText)):r.setAttribute(a,void 0===t[a]?"":t[a]));r.setAttribute("data-rh","true"),o.some((function(e,t){return n=t,r.isEqualNode(e)}))?o.splice(n,1):i.push(r)})),o.forEach((function(e){return e.parentNode.removeChild(e)})),i.forEach((function(e){return r.appendChild(e)})),{oldTags:o,newTags:i}},V=function(e,t){var n=document.getElementsByTagName(e)[0];if(n){for(var r=n.getAttribute("data-rh"),a=r?r.split(","):[],o=[].concat(a),i=Object.keys(t),s=0;s<i.length;s+=1){var l=i[s],c=t[l]||"";n.getAttribute(l)!==c&&n.setAttribute(l,c),-1===a.indexOf(l)&&a.push(l);var u=o.indexOf(l);-1!==u&&o.splice(u,1)}for(var d=o.length-1;d>=0;d-=1)n.removeAttribute(o[d]);a.length===o.length?n.removeAttribute("data-rh"):n.getAttribute("data-rh")!==i.join(",")&&n.setAttribute("data-rh",i.join(","))}},W=function(e,t){var n=e.baseTag,r=e.htmlAttributes,a=e.linkTags,o=e.metaTags,i=e.noscriptTags,s=e.onChangeClientState,l=e.scriptTags,c=e.styleTags,u=e.title,d=e.titleAttributes;V(g.BODY,e.bodyAttributes),V(g.HTML,r),function(e,t){void 0!==e&&document.title!==e&&(document.title=R(e)),V(g.TITLE,t)}(u,d);var p={baseTag:Z(g.BASE,n),linkTags:Z(g.LINK,a),metaTags:Z(g.META,o),noscriptTags:Z(g.NOSCRIPT,i),scriptTags:Z(g.SCRIPT,l),styleTags:Z(g.STYLE,c)},f={},h={};Object.keys(p).forEach((function(e){var t=p[e],n=t.newTags,r=t.oldTags;n.length&&(f[e]=n),r.length&&(h[e]=p[e].oldTags)})),t&&t(),s(e,f,h)},G=null,X=function(e){function t(){for(var t,n=arguments.length,r=new Array(n),a=0;a<n;a++)r[a]=arguments[a];return(t=e.call.apply(e,[this].concat(r))||this).rendered=!1,t}f(t,e);var n=t.prototype;return n.shouldComponentUpdate=function(e){return!d()(e,this.props)},n.componentDidUpdate=function(){this.emitChange()},n.componentWillUnmount=function(){this.props.context.helmetInstances.remove(this),this.emitChange()},n.emitChange=function(){var e,t,n=this.props.context,r=n.setHelmet,a=null,o=(e=n.helmetInstances.get().map((function(e){var t=p({},e.props);return delete t.context,t})),{baseTag:T(["href"],e),bodyAttributes:C("bodyAttributes",e),defer:S(e,"defer"),encode:S(e,"encodeSpecialCharacters"),htmlAttributes:C("htmlAttributes",e),linkTags:L(g.LINK,["rel","href"],e),metaTags:L(g.META,["name","charset","http-equiv","property","itemprop"],e),noscriptTags:L(g.NOSCRIPT,["innerHTML"],e),onChangeClientState:_(e),scriptTags:L(g.SCRIPT,["src","innerHTML"],e),styleTags:L(g.STYLE,["cssText"],e),title:E(e),titleAttributes:C("titleAttributes",e),prioritizeSeoTags:j(e,"prioritizeSeoTags")});Q.canUseDOM?(t=o,G&&cancelAnimationFrame(G),t.defer?G=requestAnimationFrame((function(){W(t,(function(){G=null}))})):(W(t),G=null)):B&&(a=B(o)),r(a)},n.init=function(){this.rendered||(this.rendered=!0,this.props.context.helmetInstances.add(this),this.emitChange())},n.render=function(){return this.init(),null},t}(r.Component);X.propTypes={context:q.isRequired},X.displayName="HelmetDispatcher";var K=["children"],Y=["children"],J=function(e){function t(){return e.apply(this,arguments)||this}f(t,e);var n=t.prototype;return n.shouldComponentUpdate=function(e){return!s()(N(this.props,"helmetData"),N(e,"helmetData"))},n.mapNestedChildrenToProps=function(e,t){if(!t)return null;switch(e.type){case g.SCRIPT:case g.NOSCRIPT:return{innerHTML:t};case g.STYLE:return{cssText:t};default:throw new Error("<"+e.type+" /> elements are self-closing and can not contain children. Refer to our API for more information.")}},n.flattenArrayTypeChildren=function(e){var t,n=e.child,r=e.arrayTypeChildren;return p({},r,((t={})[n.type]=[].concat(r[n.type]||[],[p({},e.newChildProps,this.mapNestedChildrenToProps(n,e.nestedChildren))]),t))},n.mapObjectTypeChildren=function(e){var t,n,r=e.child,a=e.newProps,o=e.newChildProps,i=e.nestedChildren;switch(r.type){case g.TITLE:return p({},a,((t={})[r.type]=i,t.titleAttributes=p({},o),t));case g.BODY:return p({},a,{bodyAttributes:p({},o)});case g.HTML:return p({},a,{htmlAttributes:p({},o)});default:return p({},a,((n={})[r.type]=p({},o),n))}},n.mapArrayTypeChildrenToProps=function(e,t){var n=p({},t);return Object.keys(e).forEach((function(t){var r;n=p({},n,((r={})[t]=e[t],r))})),n},n.warnOnInvalidChildren=function(e,t){return c()(w.some((function(t){return e.type===t})),"function"==typeof e.type?"You may be attempting to nest <Helmet> components within each other, which is not allowed. Refer to our API for more information.":"Only elements types "+w.join(", ")+" are allowed. Helmet does not support rendering <"+e.type+"> elements. Refer to our API for more information."),c()(!t||"string"==typeof t||Array.isArray(t)&&!t.some((function(e){return"string"!=typeof e})),"Helmet expects a string as a child of <"+e.type+">. Did you forget to wrap your children in braces? ( <"+e.type+">{``}</"+e.type+"> ) Refer to our API for more information."),!0},n.mapChildrenToProps=function(e,t){var n=this,a={};return r.Children.forEach(e,(function(e){if(e&&e.props){var r=e.props,o=r.children,i=m(r,K),s=Object.keys(i).reduce((function(e,t){return e[x[t]||t]=i[t],e}),{}),l=e.type;switch("symbol"==typeof l?l=l.toString():n.warnOnInvalidChildren(e,o),l){case g.FRAGMENT:t=n.mapChildrenToProps(o,t);break;case g.LINK:case g.META:case g.NOSCRIPT:case g.SCRIPT:case g.STYLE:a=n.flattenArrayTypeChildren({child:e,arrayTypeChildren:a,newChildProps:s,nestedChildren:o});break;default:t=n.mapObjectTypeChildren({child:e,newProps:t,newChildProps:s,nestedChildren:o})}}})),this.mapArrayTypeChildrenToProps(a,t)},n.render=function(){var e=this.props,t=e.children,n=m(e,Y),a=p({},n),o=n.helmetData;return t&&(a=this.mapChildrenToProps(t,a)),!o||o instanceof $||(o=new $(o.context,o.instances)),o?r.createElement(X,p({},a,{context:o.value,helmetData:void 0})):r.createElement(U.Consumer,null,(function(e){return r.createElement(X,p({},a,{context:e}))}))},t}(r.Component);J.propTypes={base:o().object,bodyAttributes:o().object,children:o().oneOfType([o().arrayOf(o().node),o().node]),defaultTitle:o().string,defer:o().bool,encodeSpecialCharacters:o().bool,htmlAttributes:o().object,link:o().arrayOf(o().object),meta:o().arrayOf(o().object),noscript:o().arrayOf(o().object),onChangeClientState:o().func,script:o().arrayOf(o().object),style:o().arrayOf(o().object),title:o().string,titleAttributes:o().object,titleTemplate:o().string,prioritizeSeoTags:o().bool,helmetData:o().object},J.defaultProps={defer:!0,encodeSpecialCharacters:!0,prioritizeSeoTags:!1},J.displayName="Helmet"},9921:(e,t)=>{"use strict";var n="function"==typeof Symbol&&Symbol.for,r=n?Symbol.for("react.element"):60103,a=n?Symbol.for("react.portal"):60106,o=n?Symbol.for("react.fragment"):60107,i=n?Symbol.for("react.strict_mode"):60108,s=n?Symbol.for("react.profiler"):60114,l=n?Symbol.for("react.provider"):60109,c=n?Symbol.for("react.context"):60110,u=n?Symbol.for("react.async_mode"):60111,d=n?Symbol.for("react.concurrent_mode"):60111,p=n?Symbol.for("react.forward_ref"):60112,f=n?Symbol.for("react.suspense"):60113,h=n?Symbol.for("react.suspense_list"):60120,m=n?Symbol.for("react.memo"):60115,g=n?Symbol.for("react.lazy"):60116,y=n?Symbol.for("react.block"):60121,b=n?Symbol.for("react.fundamental"):60117,v=n?Symbol.for("react.responder"):60118,w=n?Symbol.for("react.scope"):60119;function k(e){if("object"==typeof e&&null!==e){var t=e.$$typeof;switch(t){case r:switch(e=e.type){case u:case d:case o:case s:case i:case f:return e;default:switch(e=e&&e.$$typeof){case c:case p:case g:case m:case l:return e;default:return t}}case a:return t}}}function x(e){return k(e)===d}t.AsyncMode=u,t.ConcurrentMode=d,t.ContextConsumer=c,t.ContextProvider=l,t.Element=r,t.ForwardRef=p,t.Fragment=o,t.Lazy=g,t.Memo=m,t.Portal=a,t.Profiler=s,t.StrictMode=i,t.Suspense=f,t.isAsyncMode=function(e){return x(e)||k(e)===u},t.isConcurrentMode=x,t.isContextConsumer=function(e){return k(e)===c},t.isContextProvider=function(e){return k(e)===l},t.isElement=function(e){return"object"==typeof e&&null!==e&&e.$$typeof===r},t.isForwardRef=function(e){return k(e)===p},t.isFragment=function(e){return k(e)===o},t.isLazy=function(e){return k(e)===g},t.isMemo=function(e){return k(e)===m},t.isPortal=function(e){return k(e)===a},t.isProfiler=function(e){return k(e)===s},t.isStrictMode=function(e){return k(e)===i},t.isSuspense=function(e){return k(e)===f},t.isValidElementType=function(e){return"string"==typeof e||"function"==typeof e||e===o||e===d||e===s||e===i||e===f||e===h||"object"==typeof e&&null!==e&&(e.$$typeof===g||e.$$typeof===m||e.$$typeof===l||e.$$typeof===c||e.$$typeof===p||e.$$typeof===b||e.$$typeof===v||e.$$typeof===w||e.$$typeof===y)},t.typeOf=k},9864:(e,t,n)=>{"use strict";e.exports=n(9921)},8356:(e,t,n)=>{"use strict";function r(e,t){e.prototype=Object.create(t.prototype),e.prototype.constructor=e,e.__proto__=t}function a(e){if(void 0===e)throw new ReferenceError("this hasn't been initialised - super() hasn't been called");return e}function o(e,t,n){return t in e?Object.defineProperty(e,t,{value:n,enumerable:!0,configurable:!0,writable:!0}):e[t]=n,e}function i(){return i=Object.assign||function(e){for(var t=1;t<arguments.length;t++){var n=arguments[t];for(var r in n)Object.prototype.hasOwnProperty.call(n,r)&&(e[r]=n[r])}return e},i.apply(this,arguments)}var s=n(7294),l=[],c=[];var u=s.createContext(null);function d(e){var t=e(),n={loading:!0,loaded:null,error:null};return n.promise=t.then((function(e){return n.loading=!1,n.loaded=e,e})).catch((function(e){throw n.loading=!1,n.error=e,e})),n}function p(e){var t={loading:!1,loaded:{},error:null},n=[];try{Object.keys(e).forEach((function(r){var a=d(e[r]);a.loading?t.loading=!0:(t.loaded[r]=a.loaded,t.error=a.error),n.push(a.promise),a.promise.then((function(e){t.loaded[r]=e})).catch((function(e){t.error=e}))}))}catch(r){t.error=r}return t.promise=Promise.all(n).then((function(e){return t.loading=!1,e})).catch((function(e){throw t.loading=!1,e})),t}function f(e,t){return s.createElement((n=e)&&n.__esModule?n.default:n,t);var n}function h(e,t){var d,p;if(!t.loading)throw new Error("react-loadable requires a `loading` component");var h=i({loader:null,loading:null,delay:200,timeout:null,render:f,webpack:null,modules:null},t),m=null;function g(){return m||(m=e(h.loader)),m.promise}return l.push(g),"function"==typeof h.webpack&&c.push((function(){if((0,h.webpack)().every((function(e){return void 0!==e&&void 0!==n.m[e]})))return g()})),p=d=function(t){function n(n){var r;return o(a(a(r=t.call(this,n)||this)),"retry",(function(){r.setState({error:null,loading:!0,timedOut:!1}),m=e(h.loader),r._loadModule()})),g(),r.state={error:m.error,pastDelay:!1,timedOut:!1,loading:m.loading,loaded:m.loaded},r}r(n,t),n.preload=function(){return g()};var i=n.prototype;return i.UNSAFE_componentWillMount=function(){this._loadModule()},i.componentDidMount=function(){this._mounted=!0},i._loadModule=function(){var e=this;if(this.context&&Array.isArray(h.modules)&&h.modules.forEach((function(t){e.context.report(t)})),m.loading){var t=function(t){e._mounted&&e.setState(t)};"number"==typeof h.delay&&(0===h.delay?this.setState({pastDelay:!0}):this._delay=setTimeout((function(){t({pastDelay:!0})}),h.delay)),"number"==typeof h.timeout&&(this._timeout=setTimeout((function(){t({timedOut:!0})}),h.timeout));var n=function(){t({error:m.error,loaded:m.loaded,loading:m.loading}),e._clearTimeouts()};m.promise.then((function(){return n(),null})).catch((function(e){return n(),null}))}},i.componentWillUnmount=function(){this._mounted=!1,this._clearTimeouts()},i._clearTimeouts=function(){clearTimeout(this._delay),clearTimeout(this._timeout)},i.render=function(){return this.state.loading||this.state.error?s.createElement(h.loading,{isLoading:this.state.loading,pastDelay:this.state.pastDelay,timedOut:this.state.timedOut,error:this.state.error,retry:this.retry}):this.state.loaded?h.render(this.state.loaded,this.props):null},n}(s.Component),o(d,"contextType",u),p}function m(e){return h(d,e)}m.Map=function(e){if("function"!=typeof e.render)throw new Error("LoadableMap requires a `render(loaded, props)` function");return h(p,e)};var g=function(e){function t(){return e.apply(this,arguments)||this}return r(t,e),t.prototype.render=function(){return s.createElement(u.Provider,{value:{report:this.props.report}},s.Children.only(this.props.children))},t}(s.Component);function y(e){for(var t=[];e.length;){var n=e.pop();t.push(n())}return Promise.all(t).then((function(){if(e.length)return y(e)}))}m.Capture=g,m.preloadAll=function(){return new Promise((function(e,t){y(l).then(e,t)}))},m.preloadReady=function(){return new Promise((function(e,t){y(c).then(e,e)}))},e.exports=m},8790:(e,t,n)=>{"use strict";n.d(t,{H:()=>s,f:()=>i});var r=n(6550),a=n(7462),o=n(7294);function i(e,t,n){return void 0===n&&(n=[]),e.some((function(e){var a=e.path?(0,r.LX)(t,e):n.length?n[n.length-1].match:r.F0.computeRootMatch(t);return a&&(n.push({route:e,match:a}),e.routes&&i(e.routes,t,n)),a})),n}function s(e,t,n){return void 0===t&&(t={}),void 0===n&&(n={}),e?o.createElement(r.rs,n,e.map((function(e,n){return o.createElement(r.AW,{key:e.key||n,path:e.path,exact:e.exact,strict:e.strict,render:function(n){return e.render?e.render((0,a.Z)({},n,{},t,{route:e})):o.createElement(e.component,(0,a.Z)({},n,t,{route:e}))}})}))):null}},3727:(e,t,n)=>{"use strict";n.d(t,{OL:()=>w,UT:()=>d,VK:()=>u,rU:()=>y});var r=n(6550),a=n(5068),o=n(7294),i=n(9318),s=n(7462),l=n(3366),c=n(8776),u=function(e){function t(){for(var t,n=arguments.length,r=new Array(n),a=0;a<n;a++)r[a]=arguments[a];return(t=e.call.apply(e,[this].concat(r))||this).history=(0,i.lX)(t.props),t}return(0,a.Z)(t,e),t.prototype.render=function(){return o.createElement(r.F0,{history:this.history,children:this.props.children})},t}(o.Component);var d=function(e){function t(){for(var t,n=arguments.length,r=new Array(n),a=0;a<n;a++)r[a]=arguments[a];return(t=e.call.apply(e,[this].concat(r))||this).history=(0,i.q_)(t.props),t}return(0,a.Z)(t,e),t.prototype.render=function(){return o.createElement(r.F0,{history:this.history,children:this.props.children})},t}(o.Component);var p=function(e,t){return"function"==typeof e?e(t):e},f=function(e,t){return"string"==typeof e?(0,i.ob)(e,null,null,t):e},h=function(e){return e},m=o.forwardRef;void 0===m&&(m=h);var g=m((function(e,t){var n=e.innerRef,r=e.navigate,a=e.onClick,i=(0,l.Z)(e,["innerRef","navigate","onClick"]),c=i.target,u=(0,s.Z)({},i,{onClick:function(e){try{a&&a(e)}catch(t){throw e.preventDefault(),t}e.defaultPrevented||0!==e.button||c&&"_self"!==c||function(e){return!!(e.metaKey||e.altKey||e.ctrlKey||e.shiftKey)}(e)||(e.preventDefault(),r())}});return u.ref=h!==m&&t||n,o.createElement("a",u)}));var y=m((function(e,t){var n=e.component,a=void 0===n?g:n,u=e.replace,d=e.to,y=e.innerRef,b=(0,l.Z)(e,["component","replace","to","innerRef"]);return o.createElement(r.s6.Consumer,null,(function(e){e||(0,c.Z)(!1);var n=e.history,r=f(p(d,e.location),e.location),l=r?n.createHref(r):"",g=(0,s.Z)({},b,{href:l,navigate:function(){var t=p(d,e.location),r=(0,i.Ep)(e.location)===(0,i.Ep)(f(t));(u||r?n.replace:n.push)(t)}});return h!==m?g.ref=t||y:g.innerRef=y,o.createElement(a,g)}))})),b=function(e){return e},v=o.forwardRef;void 0===v&&(v=b);var w=v((function(e,t){var n=e["aria-current"],a=void 0===n?"page":n,i=e.activeClassName,u=void 0===i?"active":i,d=e.activeStyle,h=e.className,m=e.exact,g=e.isActive,w=e.location,k=e.sensitive,x=e.strict,S=e.style,E=e.to,_=e.innerRef,C=(0,l.Z)(e,["aria-current","activeClassName","activeStyle","className","exact","isActive","location","sensitive","strict","style","to","innerRef"]);return o.createElement(r.s6.Consumer,null,(function(e){e||(0,c.Z)(!1);var n=w||e.location,i=f(p(E,n),n),l=i.pathname,T=l&&l.replace(/([.+*?=^!:${}()[\]|/\\])/g,"\\$1"),L=T?(0,r.LX)(n.pathname,{path:T,exact:m,sensitive:k,strict:x}):null,j=!!(g?g(L,n):L),R="function"==typeof h?h(j):h,P="function"==typeof S?S(j):S;j&&(R=function(){for(var e=arguments.length,t=new Array(e),n=0;n<e;n++)t[n]=arguments[n];return t.filter((function(e){return e})).join(" ")}(R,u),P=(0,s.Z)({},P,d));var N=(0,s.Z)({"aria-current":j&&a||null,className:R,style:P,to:i},C);return b!==v?N.ref=t||_:N.innerRef=_,o.createElement(y,N)}))}))},6550:(e,t,n)=>{"use strict";n.d(t,{AW:()=>E,F0:()=>v,LX:()=>S,TH:()=>A,k6:()=>N,rs:()=>R,s6:()=>b});var r=n(5068),a=n(7294),o=n(5697),i=n.n(o),s=n(9318),l=n(8776),c=n(7462),u=n(9658),d=n.n(u),p=(n(9864),n(3366)),f=(n(8679),1073741823),h="undefined"!=typeof globalThis?globalThis:"undefined"!=typeof window?window:void 0!==n.g?n.g:{};var m=a.createContext||function(e,t){var n,o,s="__create-react-context-"+function(){var e="__global_unique_id__";return h[e]=(h[e]||0)+1}()+"__",l=function(e){function n(){for(var t,n,r,a=arguments.length,o=new Array(a),i=0;i<a;i++)o[i]=arguments[i];return(t=e.call.apply(e,[this].concat(o))||this).emitter=(n=t.props.value,r=[],{on:function(e){r.push(e)},off:function(e){r=r.filter((function(t){return t!==e}))},get:function(){return n},set:function(e,t){n=e,r.forEach((function(e){return e(n,t)}))}}),t}(0,r.Z)(n,e);var a=n.prototype;return a.getChildContext=function(){var e;return(e={})[s]=this.emitter,e},a.componentWillReceiveProps=function(e){if(this.props.value!==e.value){var n,r=this.props.value,a=e.value;((o=r)===(i=a)?0!==o||1/o==1/i:o!=o&&i!=i)?n=0:(n="function"==typeof t?t(r,a):f,0!==(n|=0)&&this.emitter.set(e.value,n))}var o,i},a.render=function(){return this.props.children},n}(a.Component);l.childContextTypes=((n={})[s]=i().object.isRequired,n);var c=function(t){function n(){for(var e,n=arguments.length,r=new Array(n),a=0;a<n;a++)r[a]=arguments[a];return(e=t.call.apply(t,[this].concat(r))||this).observedBits=void 0,e.state={value:e.getValue()},e.onUpdate=function(t,n){0!=((0|e.observedBits)&n)&&e.setState({value:e.getValue()})},e}(0,r.Z)(n,t);var a=n.prototype;return a.componentWillReceiveProps=function(e){var t=e.observedBits;this.observedBits=null==t?f:t},a.componentDidMount=function(){this.context[s]&&this.context[s].on(this.onUpdate);var e=this.props.observedBits;this.observedBits=null==e?f:e},a.componentWillUnmount=function(){this.context[s]&&this.context[s].off(this.onUpdate)},a.getValue=function(){return this.context[s]?this.context[s].get():e},a.render=function(){return(e=this.props.children,Array.isArray(e)?e[0]:e)(this.state.value);var e},n}(a.Component);return c.contextTypes=((o={})[s]=i().object,o),{Provider:l,Consumer:c}},g=function(e){var t=m();return t.displayName=e,t},y=g("Router-History"),b=g("Router"),v=function(e){function t(t){var n;return(n=e.call(this,t)||this).state={location:t.history.location},n._isMounted=!1,n._pendingLocation=null,t.staticContext||(n.unlisten=t.history.listen((function(e){n._pendingLocation=e}))),n}(0,r.Z)(t,e),t.computeRootMatch=function(e){return{path:"/",url:"/",params:{},isExact:"/"===e}};var n=t.prototype;return n.componentDidMount=function(){var e=this;this._isMounted=!0,this.unlisten&&this.unlisten(),this.props.staticContext||(this.unlisten=this.props.history.listen((function(t){e._isMounted&&e.setState({location:t})}))),this._pendingLocation&&this.setState({location:this._pendingLocation})},n.componentWillUnmount=function(){this.unlisten&&(this.unlisten(),this._isMounted=!1,this._pendingLocation=null)},n.render=function(){return a.createElement(b.Provider,{value:{history:this.props.history,location:this.state.location,match:t.computeRootMatch(this.state.location.pathname),staticContext:this.props.staticContext}},a.createElement(y.Provider,{children:this.props.children||null,value:this.props.history}))},t}(a.Component);a.Component;a.Component;var w={},k=1e4,x=0;function S(e,t){void 0===t&&(t={}),("string"==typeof t||Array.isArray(t))&&(t={path:t});var n=t,r=n.path,a=n.exact,o=void 0!==a&&a,i=n.strict,s=void 0!==i&&i,l=n.sensitive,c=void 0!==l&&l;return[].concat(r).reduce((function(t,n){if(!n&&""!==n)return null;if(t)return t;var r=function(e,t){var n=""+t.end+t.strict+t.sensitive,r=w[n]||(w[n]={});if(r[e])return r[e];var a=[],o={regexp:d()(e,a,t),keys:a};return x<k&&(r[e]=o,x++),o}(n,{end:o,strict:s,sensitive:c}),a=r.regexp,i=r.keys,l=a.exec(e);if(!l)return null;var u=l[0],p=l.slice(1),f=e===u;return o&&!f?null:{path:n,url:"/"===n&&""===u?"/":u,isExact:f,params:i.reduce((function(e,t,n){return e[t.name]=p[n],e}),{})}}),null)}var E=function(e){function t(){return e.apply(this,arguments)||this}return(0,r.Z)(t,e),t.prototype.render=function(){var e=this;return a.createElement(b.Consumer,null,(function(t){t||(0,l.Z)(!1);var n=e.props.location||t.location,r=e.props.computedMatch?e.props.computedMatch:e.props.path?S(n.pathname,e.props):t.match,o=(0,c.Z)({},t,{location:n,match:r}),i=e.props,s=i.children,u=i.component,d=i.render;return Array.isArray(s)&&function(e){return 0===a.Children.count(e)}(s)&&(s=null),a.createElement(b.Provider,{value:o},o.match?s?"function"==typeof s?s(o):s:u?a.createElement(u,o):d?d(o):null:"function"==typeof s?s(o):null)}))},t}(a.Component);function _(e){return"/"===e.charAt(0)?e:"/"+e}function C(e,t){if(!e)return t;var n=_(e);return 0!==t.pathname.indexOf(n)?t:(0,c.Z)({},t,{pathname:t.pathname.substr(n.length)})}function T(e){return"string"==typeof e?e:(0,s.Ep)(e)}function L(e){return function(){(0,l.Z)(!1)}}function j(){}a.Component;var R=function(e){function t(){return e.apply(this,arguments)||this}return(0,r.Z)(t,e),t.prototype.render=function(){var e=this;return a.createElement(b.Consumer,null,(function(t){t||(0,l.Z)(!1);var n,r,o=e.props.location||t.location;return a.Children.forEach(e.props.children,(function(e){if(null==r&&a.isValidElement(e)){n=e;var i=e.props.path||e.props.from;r=i?S(o.pathname,(0,c.Z)({},e.props,{path:i})):t.match}})),r?a.cloneElement(n,{location:o,computedMatch:r}):null}))},t}(a.Component);var P=a.useContext;function N(){return P(y)}function A(){return P(b).location}},9658:(e,t,n)=>{var r=n(5826);e.exports=f,e.exports.parse=o,e.exports.compile=function(e,t){return s(o(e,t),t)},e.exports.tokensToFunction=s,e.exports.tokensToRegExp=p;var a=new RegExp(["(\\\\.)","([\\/.])?(?:(?:\\:(\\w+)(?:\\(((?:\\\\.|[^\\\\()])+)\\))?|\\(((?:\\\\.|[^\\\\()])+)\\))([+*?])?|(\\*))"].join("|"),"g");function o(e,t){for(var n,r=[],o=0,i=0,s="",u=t&&t.delimiter||"/";null!=(n=a.exec(e));){var d=n[0],p=n[1],f=n.index;if(s+=e.slice(i,f),i=f+d.length,p)s+=p[1];else{var h=e[i],m=n[2],g=n[3],y=n[4],b=n[5],v=n[6],w=n[7];s&&(r.push(s),s="");var k=null!=m&&null!=h&&h!==m,x="+"===v||"*"===v,S="?"===v||"*"===v,E=n[2]||u,_=y||b;r.push({name:g||o++,prefix:m||"",delimiter:E,optional:S,repeat:x,partial:k,asterisk:!!w,pattern:_?c(_):w?".*":"[^"+l(E)+"]+?"})}}return i<e.length&&(s+=e.substr(i)),s&&r.push(s),r}function i(e){return encodeURI(e).replace(/[\/?#]/g,(function(e){return"%"+e.charCodeAt(0).toString(16).toUpperCase()}))}function s(e,t){for(var n=new Array(e.length),a=0;a<e.length;a++)"object"==typeof e[a]&&(n[a]=new RegExp("^(?:"+e[a].pattern+")$",d(t)));return function(t,a){for(var o="",s=t||{},l=(a||{}).pretty?i:encodeURIComponent,c=0;c<e.length;c++){var u=e[c];if("string"!=typeof u){var d,p=s[u.name];if(null==p){if(u.optional){u.partial&&(o+=u.prefix);continue}throw new TypeError('Expected "'+u.name+'" to be defined')}if(r(p)){if(!u.repeat)throw new TypeError('Expected "'+u.name+'" to not repeat, but received `'+JSON.stringify(p)+"`");if(0===p.length){if(u.optional)continue;throw new TypeError('Expected "'+u.name+'" to not be empty')}for(var f=0;f<p.length;f++){if(d=l(p[f]),!n[c].test(d))throw new TypeError('Expected all "'+u.name+'" to match "'+u.pattern+'", but received `'+JSON.stringify(d)+"`");o+=(0===f?u.prefix:u.delimiter)+d}}else{if(d=u.asterisk?encodeURI(p).replace(/[?#]/g,(function(e){return"%"+e.charCodeAt(0).toString(16).toUpperCase()})):l(p),!n[c].test(d))throw new TypeError('Expected "'+u.name+'" to match "'+u.pattern+'", but received "'+d+'"');o+=u.prefix+d}}else o+=u}return o}}function l(e){return e.replace(/([.+*?=^!:${}()[\]|\/\\])/g,"\\$1")}function c(e){return e.replace(/([=!:$\/()])/g,"\\$1")}function u(e,t){return e.keys=t,e}function d(e){return e&&e.sensitive?"":"i"}function p(e,t,n){r(t)||(n=t||n,t=[]);for(var a=(n=n||{}).strict,o=!1!==n.end,i="",s=0;s<e.length;s++){var c=e[s];if("string"==typeof c)i+=l(c);else{var p=l(c.prefix),f="(?:"+c.pattern+")";t.push(c),c.repeat&&(f+="(?:"+p+f+")*"),i+=f=c.optional?c.partial?p+"("+f+")?":"(?:"+p+"("+f+"))?":p+"("+f+")"}}var h=l(n.delimiter||"/"),m=i.slice(-h.length)===h;return a||(i=(m?i.slice(0,-h.length):i)+"(?:"+h+"(?=$))?"),i+=o?"$":a&&m?"":"(?="+h+"|$)",u(new RegExp("^"+i,d(n)),t)}function f(e,t,n){return r(t)||(n=t||n,t=[]),n=n||{},e instanceof RegExp?function(e,t){var n=e.source.match(/\((?!\?)/g);if(n)for(var r=0;r<n.length;r++)t.push({name:r,prefix:null,delimiter:null,optional:!1,repeat:!1,partial:!1,asterisk:!1,pattern:null});return u(e,t)}(e,t):r(e)?function(e,t,n){for(var r=[],a=0;a<e.length;a++)r.push(f(e[a],t,n).source);return u(new RegExp("(?:"+r.join("|")+")",d(n)),t)}(e,t,n):function(e,t,n){return p(o(e,n),t,n)}(e,t,n)}},5251:(e,t,n)=>{"use strict";var r=n(7294),a=Symbol.for("react.element"),o=Symbol.for("react.fragment"),i=Object.prototype.hasOwnProperty,s=r.__SECRET_INTERNALS_DO_NOT_USE_OR_YOU_WILL_BE_FIRED.ReactCurrentOwner,l={key:!0,ref:!0,__self:!0,__source:!0};function c(e,t,n){var r,o={},c=null,u=null;for(r in void 0!==n&&(c=""+n),void 0!==t.key&&(c=""+t.key),void 0!==t.ref&&(u=t.ref),t)i.call(t,r)&&!l.hasOwnProperty(r)&&(o[r]=t[r]);if(e&&e.defaultProps)for(r in t=e.defaultProps)void 0===o[r]&&(o[r]=t[r]);return{$$typeof:a,type:e,key:c,ref:u,props:o,_owner:s.current}}t.Fragment=o,t.jsx=c,t.jsxs=c},2408:(e,t)=>{"use strict";var n=Symbol.for("react.element"),r=Symbol.for("react.portal"),a=Symbol.for("react.fragment"),o=Symbol.for("react.strict_mode"),i=Symbol.for("react.profiler"),s=Symbol.for("react.provider"),l=Symbol.for("react.context"),c=Symbol.for("react.forward_ref"),u=Symbol.for("react.suspense"),d=Symbol.for("react.memo"),p=Symbol.for("react.lazy"),f=Symbol.iterator;var h={isMounted:function(){return!1},enqueueForceUpdate:function(){},enqueueReplaceState:function(){},enqueueSetState:function(){}},m=Object.assign,g={};function y(e,t,n){this.props=e,this.context=t,this.refs=g,this.updater=n||h}function b(){}function v(e,t,n){this.props=e,this.context=t,this.refs=g,this.updater=n||h}y.prototype.isReactComponent={},y.prototype.setState=function(e,t){if("object"!=typeof e&&"function"!=typeof e&&null!=e)throw Error("setState(...): takes an object of state variables to update or a function which returns an object of state variables.");this.updater.enqueueSetState(this,e,t,"setState")},y.prototype.forceUpdate=function(e){this.updater.enqueueForceUpdate(this,e,"forceUpdate")},b.prototype=y.prototype;var w=v.prototype=new b;w.constructor=v,m(w,y.prototype),w.isPureReactComponent=!0;var k=Array.isArray,x=Object.prototype.hasOwnProperty,S={current:null},E={key:!0,ref:!0,__self:!0,__source:!0};function _(e,t,r){var a,o={},i=null,s=null;if(null!=t)for(a in void 0!==t.ref&&(s=t.ref),void 0!==t.key&&(i=""+t.key),t)x.call(t,a)&&!E.hasOwnProperty(a)&&(o[a]=t[a]);var l=arguments.length-2;if(1===l)o.children=r;else if(1<l){for(var c=Array(l),u=0;u<l;u++)c[u]=arguments[u+2];o.children=c}if(e&&e.defaultProps)for(a in l=e.defaultProps)void 0===o[a]&&(o[a]=l[a]);return{$$typeof:n,type:e,key:i,ref:s,props:o,_owner:S.current}}function C(e){return"object"==typeof e&&null!==e&&e.$$typeof===n}var T=/\/+/g;function L(e,t){return"object"==typeof e&&null!==e&&null!=e.key?function(e){var t={"=":"=0",":":"=2"};return"$"+e.replace(/[=:]/g,(function(e){return t[e]}))}(""+e.key):t.toString(36)}function j(e,t,a,o,i){var s=typeof e;"undefined"!==s&&"boolean"!==s||(e=null);var l=!1;if(null===e)l=!0;else switch(s){case"string":case"number":l=!0;break;case"object":switch(e.$$typeof){case n:case r:l=!0}}if(l)return i=i(l=e),e=""===o?"."+L(l,0):o,k(i)?(a="",null!=e&&(a=e.replace(T,"$&/")+"/"),j(i,t,a,"",(function(e){return e}))):null!=i&&(C(i)&&(i=function(e,t){return{$$typeof:n,type:e.type,key:t,ref:e.ref,props:e.props,_owner:e._owner}}(i,a+(!i.key||l&&l.key===i.key?"":(""+i.key).replace(T,"$&/")+"/")+e)),t.push(i)),1;if(l=0,o=""===o?".":o+":",k(e))for(var c=0;c<e.length;c++){var u=o+L(s=e[c],c);l+=j(s,t,a,u,i)}else if(u=function(e){return null===e||"object"!=typeof e?null:"function"==typeof(e=f&&e[f]||e["@@iterator"])?e:null}(e),"function"==typeof u)for(e=u.call(e),c=0;!(s=e.next()).done;)l+=j(s=s.value,t,a,u=o+L(s,c++),i);else if("object"===s)throw t=String(e),Error("Objects are not valid as a React child (found: "+("[object Object]"===t?"object with keys {"+Object.keys(e).join(", ")+"}":t)+"). If you meant to render a collection of children, use an array instead.");return l}function R(e,t,n){if(null==e)return e;var r=[],a=0;return j(e,r,"","",(function(e){return t.call(n,e,a++)})),r}function P(e){if(-1===e._status){var t=e._result;(t=t()).then((function(t){0!==e._status&&-1!==e._status||(e._status=1,e._result=t)}),(function(t){0!==e._status&&-1!==e._status||(e._status=2,e._result=t)})),-1===e._status&&(e._status=0,e._result=t)}if(1===e._status)return e._result.default;throw e._result}var N={current:null},A={transition:null},O={ReactCurrentDispatcher:N,ReactCurrentBatchConfig:A,ReactCurrentOwner:S};function I(){throw Error("act(...) is not supported in production builds of React.")}t.Children={map:R,forEach:function(e,t,n){R(e,(function(){t.apply(this,arguments)}),n)},count:function(e){var t=0;return R(e,(function(){t++})),t},toArray:function(e){return R(e,(function(e){return e}))||[]},only:function(e){if(!C(e))throw Error("React.Children.only expected to receive a single React element child.");return e}},t.Component=y,t.Fragment=a,t.Profiler=i,t.PureComponent=v,t.StrictMode=o,t.Suspense=u,t.__SECRET_INTERNALS_DO_NOT_USE_OR_YOU_WILL_BE_FIRED=O,t.act=I,t.cloneElement=function(e,t,r){if(null==e)throw Error("React.cloneElement(...): The argument must be a React element, but you passed "+e+".");var a=m({},e.props),o=e.key,i=e.ref,s=e._owner;if(null!=t){if(void 0!==t.ref&&(i=t.ref,s=S.current),void 0!==t.key&&(o=""+t.key),e.type&&e.type.defaultProps)var l=e.type.defaultProps;for(c in t)x.call(t,c)&&!E.hasOwnProperty(c)&&(a[c]=void 0===t[c]&&void 0!==l?l[c]:t[c])}var c=arguments.length-2;if(1===c)a.children=r;else if(1<c){l=Array(c);for(var u=0;u<c;u++)l[u]=arguments[u+2];a.children=l}return{$$typeof:n,type:e.type,key:o,ref:i,props:a,_owner:s}},t.createContext=function(e){return(e={$$typeof:l,_currentValue:e,_currentValue2:e,_threadCount:0,Provider:null,Consumer:null,_defaultValue:null,_globalName:null}).Provider={$$typeof:s,_context:e},e.Consumer=e},t.createElement=_,t.createFactory=function(e){var t=_.bind(null,e);return t.type=e,t},t.createRef=function(){return{current:null}},t.forwardRef=function(e){return{$$typeof:c,render:e}},t.isValidElement=C,t.lazy=function(e){return{$$typeof:p,_payload:{_status:-1,_result:e},_init:P}},t.memo=function(e,t){return{$$typeof:d,type:e,compare:void 0===t?null:t}},t.startTransition=function(e){var t=A.transition;A.transition={};try{e()}finally{A.transition=t}},t.unstable_act=I,t.useCallback=function(e,t){return N.current.useCallback(e,t)},t.useContext=function(e){return N.current.useContext(e)},t.useDebugValue=function(){},t.useDeferredValue=function(e){return N.current.useDeferredValue(e)},t.useEffect=function(e,t){return N.current.useEffect(e,t)},t.useId=function(){return N.current.useId()},t.useImperativeHandle=function(e,t,n){return N.current.useImperativeHandle(e,t,n)},t.useInsertionEffect=function(e,t){return N.current.useInsertionEffect(e,t)},t.useLayoutEffect=function(e,t){return N.current.useLayoutEffect(e,t)},t.useMemo=function(e,t){return N.current.useMemo(e,t)},t.useReducer=function(e,t,n){return N.current.useReducer(e,t,n)},t.useRef=function(e){return N.current.useRef(e)},t.useState=function(e){return N.current.useState(e)},t.useSyncExternalStore=function(e,t,n){return N.current.useSyncExternalStore(e,t,n)},t.useTransition=function(){return N.current.useTransition()},t.version="18.3.1"},7294:(e,t,n)=>{"use strict";e.exports=n(2408)},5893:(e,t,n)=>{"use strict";e.exports=n(5251)},53:(e,t)=>{"use strict";function n(e,t){var n=e.length;e.push(t);e:for(;0<n;){var r=n-1>>>1,a=e[r];if(!(0<o(a,t)))break e;e[r]=t,e[n]=a,n=r}}function r(e){return 0===e.length?null:e[0]}function a(e){if(0===e.length)return null;var t=e[0],n=e.pop();if(n!==t){e[0]=n;e:for(var r=0,a=e.length,i=a>>>1;r<i;){var s=2*(r+1)-1,l=e[s],c=s+1,u=e[c];if(0>o(l,n))c<a&&0>o(u,l)?(e[r]=u,e[c]=n,r=c):(e[r]=l,e[s]=n,r=s);else{if(!(c<a&&0>o(u,n)))break e;e[r]=u,e[c]=n,r=c}}}return t}function o(e,t){var n=e.sortIndex-t.sortIndex;return 0!==n?n:e.id-t.id}if("object"==typeof performance&&"function"==typeof performance.now){var i=performance;t.unstable_now=function(){return i.now()}}else{var s=Date,l=s.now();t.unstable_now=function(){return s.now()-l}}var c=[],u=[],d=1,p=null,f=3,h=!1,m=!1,g=!1,y="function"==typeof setTimeout?setTimeout:null,b="function"==typeof clearTimeout?clearTimeout:null,v="undefined"!=typeof setImmediate?setImmediate:null;function w(e){for(var t=r(u);null!==t;){if(null===t.callback)a(u);else{if(!(t.startTime<=e))break;a(u),t.sortIndex=t.expirationTime,n(c,t)}t=r(u)}}function k(e){if(g=!1,w(e),!m)if(null!==r(c))m=!0,A(x);else{var t=r(u);null!==t&&O(k,t.startTime-e)}}function x(e,n){m=!1,g&&(g=!1,b(C),C=-1),h=!0;var o=f;try{for(w(n),p=r(c);null!==p&&(!(p.expirationTime>n)||e&&!j());){var i=p.callback;if("function"==typeof i){p.callback=null,f=p.priorityLevel;var s=i(p.expirationTime<=n);n=t.unstable_now(),"function"==typeof s?p.callback=s:p===r(c)&&a(c),w(n)}else a(c);p=r(c)}if(null!==p)var l=!0;else{var d=r(u);null!==d&&O(k,d.startTime-n),l=!1}return l}finally{p=null,f=o,h=!1}}"undefined"!=typeof navigator&&void 0!==navigator.scheduling&&void 0!==navigator.scheduling.isInputPending&&navigator.scheduling.isInputPending.bind(navigator.scheduling);var S,E=!1,_=null,C=-1,T=5,L=-1;function j(){return!(t.unstable_now()-L<T)}function R(){if(null!==_){var e=t.unstable_now();L=e;var n=!0;try{n=_(!0,e)}finally{n?S():(E=!1,_=null)}}else E=!1}if("function"==typeof v)S=function(){v(R)};else if("undefined"!=typeof MessageChannel){var P=new MessageChannel,N=P.port2;P.port1.onmessage=R,S=function(){N.postMessage(null)}}else S=function(){y(R,0)};function A(e){_=e,E||(E=!0,S())}function O(e,n){C=y((function(){e(t.unstable_now())}),n)}t.unstable_IdlePriority=5,t.unstable_ImmediatePriority=1,t.unstable_LowPriority=4,t.unstable_NormalPriority=3,t.unstable_Profiling=null,t.unstable_UserBlockingPriority=2,t.unstable_cancelCallback=function(e){e.callback=null},t.unstable_continueExecution=function(){m||h||(m=!0,A(x))},t.unstable_forceFrameRate=function(e){0>e||125<e?console.error("forceFrameRate takes a positive int between 0 and 125, forcing frame rates higher than 125 fps is not supported"):T=0<e?Math.floor(1e3/e):5},t.unstable_getCurrentPriorityLevel=function(){return f},t.unstable_getFirstCallbackNode=function(){return r(c)},t.unstable_next=function(e){switch(f){case 1:case 2:case 3:var t=3;break;default:t=f}var n=f;f=t;try{return e()}finally{f=n}},t.unstable_pauseExecution=function(){},t.unstable_requestPaint=function(){},t.unstable_runWithPriority=function(e,t){switch(e){case 1:case 2:case 3:case 4:case 5:break;default:e=3}var n=f;f=e;try{return t()}finally{f=n}},t.unstable_scheduleCallback=function(e,a,o){var i=t.unstable_now();switch("object"==typeof o&&null!==o?o="number"==typeof(o=o.delay)&&0<o?i+o:i:o=i,e){case 1:var s=-1;break;case 2:s=250;break;case 5:s=1073741823;break;case 4:s=1e4;break;default:s=5e3}return e={id:d++,callback:a,priorityLevel:e,startTime:o,expirationTime:s=o+s,sortIndex:-1},o>i?(e.sortIndex=o,n(u,e),null===r(c)&&e===r(u)&&(g?(b(C),C=-1):g=!0,O(k,o-i))):(e.sortIndex=s,n(c,e),m||h||(m=!0,A(x))),e},t.unstable_shouldYield=j,t.unstable_wrapCallback=function(e){var t=f;return function(){var n=f;f=t;try{return e.apply(this,arguments)}finally{f=n}}}},3840:(e,t,n)=>{"use strict";e.exports=n(53)},6774:e=>{e.exports=function(e,t,n,r){var a=n?n.call(r,e,t):void 0;if(void 0!==a)return!!a;if(e===t)return!0;if("object"!=typeof e||!e||"object"!=typeof t||!t)return!1;var o=Object.keys(e),i=Object.keys(t);if(o.length!==i.length)return!1;for(var s=Object.prototype.hasOwnProperty.bind(t),l=0;l<o.length;l++){var c=o[l];if(!s(c))return!1;var u=e[c],d=t[c];if(!1===(a=n?n.call(r,u,d,c):void 0)||void 0===a&&u!==d)return!1}return!0}},6809:(e,t,n)=>{"use strict";n.d(t,{default:()=>r});const r={title:"K3s",tagline:"",url:"https://docs.k3s.io",baseUrl:"/kr/",onBrokenLinks:"throw",onBrokenMarkdownLinks:"warn",favicon:"img/favicon.ico",organizationName:"k3s-io",projectName:"docs",trailingSlash:!1,markdown:{mermaid:!0,format:"mdx",mdx1Compat:{comments:!0,admonitions:!0,headingIds:!0},anchors:{maintainCase:!1}},themes:["@docusaurus/theme-mermaid",["@easyops-cn/docusaurus-search-local",{docsRouteBasePath:"/",hashed:!0,highlightSearchTermsOnTargetPage:!0,indexBlog:!1,ignoreFiles:[{}]}]],i18n:{defaultLocale:"en",locales:["en","zh","kr"],localeConfigs:{en:{label:"English",direction:"ltr"},zh:{label:"\u7b80\u4f53\u4e2d\u6587",direction:"ltr"},kr:{label:"\ud55c\uad6d\uc5b4",direction:"ltr"}},path:"i18n"},themeConfig:{colorMode:{defaultMode:"light",respectPrefersColorScheme:!0,disableSwitch:!1},navbar:{title:"",logo:{alt:"logo",src:"img/k3s-logo-light.svg",srcDark:"img/k3s-logo-dark.svg"},items:[{type:"search",position:"right"},{type:"localeDropdown",position:"right",dropdownItemsBefore:[],dropdownItemsAfter:[]},{to:"https://github.com/k3s-io/k3s/",label:"GitHub",position:"right",className:"navbar__github btn"}],hideOnScroll:!1},footer:{style:"dark",links:[],copyright:'Copyright \xa9 2024 K3s Project Authors. All rights reserved. <br>The Linux Foundation has registered trademarks\n and uses trademarks. For a list of trademarks of The Linux Foundation, \n please see our <a href="https://www.linuxfoundation.org/trademark-usage"> Trademark Usage</a> page.'},docs:{versionPersistence:"localStorage",sidebar:{hideable:!1,autoCollapseCategories:!1}},blog:{sidebar:{groupByYear:!0}},metadata:[],prism:{additionalLanguages:[],theme:{plain:{color:"#bfc7d5",backgroundColor:"#292d3e"},styles:[{types:["comment"],style:{color:"rgb(105, 112, 152)",fontStyle:"italic"}},{types:["string","inserted"],style:{color:"rgb(195, 232, 141)"}},{types:["number"],style:{color:"rgb(247, 140, 108)"}},{types:["builtin","char","constant","function"],style:{color:"rgb(130, 170, 255)"}},{types:["punctuation","selector"],style:{color:"rgb(199, 146, 234)"}},{types:["variable"],style:{color:"rgb(191, 199, 213)"}},{types:["class-name","attr-name"],style:{color:"rgb(255, 203, 107)"}},{types:["tag","deleted"],style:{color:"rgb(255, 85, 114)"}},{types:["operator"],style:{color:"rgb(137, 221, 255)"}},{types:["boolean"],style:{color:"rgb(255, 88, 116)"}},{types:["keyword"],style:{fontStyle:"italic"}},{types:["doctype"],style:{color:"rgb(199, 146, 234)",fontStyle:"italic"}},{types:["namespace"],style:{color:"rgb(178, 204, 214)"}},{types:["url"],style:{color:"rgb(221, 221, 221)"}}]},magicComments:[{className:"theme-code-block-highlighted-line",line:"highlight-next-line",block:{start:"highlight-start",end:"highlight-end"}}]},tableOfContents:{minHeadingLevel:2,maxHeadingLevel:3},mermaid:{theme:{dark:"dark",light:"default"},options:{}}},presets:[["@docusaurus/preset-classic",{docs:{routeBasePath:"/",sidebarPath:"/home/runner/work/docs/docs/sidebars.js",showLastUpdateTime:!0,editUrl:"https://github.com/k3s-io/docs/edit/main/"},blog:!1,theme:{customCss:["/home/runner/work/docs/docs/src/css/custom.css"]}}]],plugins:[["@docusaurus/plugin-client-redirects",{redirects:[{from:"/installation/ha",to:"/datastore/ha"},{from:"/installation/ha-embedded",to:"/datastore/ha-embedded"},{from:"/installation/datastore",to:"/datastore"},{from:"/installation/disable-flags",to:"/installation/server-roles"},{from:"/backup-restore/backup-restore",to:"/datastore/backup-restore"},{from:"/reference/agent-config",to:"/cli/agent"},{from:"/reference/server-config",to:"/cli/server"},{from:"/installation/network-options",to:"/networking/basic-network-options"},{from:"/security/self-assessment",to:"/security/self-assessment-1.23"}]}]],baseUrlIssueBanner:!0,future:{experimental_storage:{type:"localStorage",namespace:!1},experimental_router:"browser"},onBrokenAnchors:"warn",onDuplicateRoutes:"warn",staticDirectories:["static"],customFields:{},scripts:[],headTags:[],stylesheets:[],clientModules:[],titleDelimiter:"|",noIndex:!1}},7462:(e,t,n)=>{"use strict";function r(){return r=Object.assign?Object.assign.bind():function(e){for(var t=1;t<arguments.length;t++){var n=arguments[t];for(var r in n)Object.prototype.hasOwnProperty.call(n,r)&&(e[r]=n[r])}return e},r.apply(this,arguments)}n.d(t,{Z:()=>r})},5068:(e,t,n)=>{"use strict";function r(e,t){return r=Object.setPrototypeOf?Object.setPrototypeOf.bind():function(e,t){return e.__proto__=t,e},r(e,t)}function a(e,t){e.prototype=Object.create(t.prototype),e.prototype.constructor=e,r(e,t)}n.d(t,{Z:()=>a})},3366:(e,t,n)=>{"use strict";function r(e,t){if(null==e)return{};var n,r,a={},o=Object.keys(e);for(r=0;r<o.length;r++)n=o[r],t.indexOf(n)>=0||(a[n]=e[n]);return a}n.d(t,{Z:()=>r})},512:(e,t,n)=>{"use strict";function r(e){var t,n,a="";if("string"==typeof e||"number"==typeof e)a+=e;else if("object"==typeof e)if(Array.isArray(e)){var o=e.length;for(t=0;t<o;t++)e[t]&&(n=r(e[t]))&&(a&&(a+=" "),a+=n)}else for(n in e)e[n]&&(a&&(a+=" "),a+=n);return a}n.d(t,{Z:()=>a});const a=function(){for(var e,t,n=0,a="",o=arguments.length;n<o;n++)(e=arguments[n])&&(t=r(e))&&(a&&(a+=" "),a+=t);return a}},2573:(e,t,n)=>{"use strict";n.d(t,{p1:()=>T,y$:()=>ee});var r,a,o,i,s,l,c,u=n(7294),d=n(512),p=Object.create,f=Object.defineProperty,h=Object.defineProperties,m=Object.getOwnPropertyDescriptor,g=Object.getOwnPropertyDescriptors,y=Object.getOwnPropertyNames,b=Object.getOwnPropertySymbols,v=Object.getPrototypeOf,w=Object.prototype.hasOwnProperty,k=Object.prototype.propertyIsEnumerable,x=(e,t,n)=>t in e?f(e,t,{enumerable:!0,configurable:!0,writable:!0,value:n}):e[t]=n,S=(e,t)=>{for(var n in t||(t={}))w.call(t,n)&&x(e,n,t[n]);if(b)for(var n of b(t))k.call(t,n)&&x(e,n,t[n]);return e},E=(e,t)=>h(e,g(t)),_=(e,t)=>{var n={};for(var r in e)w.call(e,r)&&t.indexOf(r)<0&&(n[r]=e[r]);if(null!=e&&b)for(var r of b(e))t.indexOf(r)<0&&k.call(e,r)&&(n[r]=e[r]);return n},C=(r={"../../node_modules/.pnpm/prismjs@1.29.0_patch_hash=vrxx3pzkik6jpmgpayxfjunetu/node_modules/prismjs/prism.js"(e,t){var n=function(){var e=/(?:^|\s)lang(?:uage)?-([\w-]+)(?=\s|$)/i,t=0,n={},r={util:{encode:function e(t){return t instanceof a?new a(t.type,e(t.content),t.alias):Array.isArray(t)?t.map(e):t.replace(/&/g,"&").replace(/</g,"<").replace(/\u00a0/g," ")},type:function(e){return Object.prototype.toString.call(e).slice(8,-1)},objId:function(e){return e.__id||Object.defineProperty(e,"__id",{value:++t}),e.__id},clone:function e(t,n){var a,o;switch(n=n||{},r.util.type(t)){case"Object":if(o=r.util.objId(t),n[o])return n[o];for(var i in a={},n[o]=a,t)t.hasOwnProperty(i)&&(a[i]=e(t[i],n));return a;case"Array":return o=r.util.objId(t),n[o]?n[o]:(a=[],n[o]=a,t.forEach((function(t,r){a[r]=e(t,n)})),a);default:return t}},getLanguage:function(t){for(;t;){var n=e.exec(t.className);if(n)return n[1].toLowerCase();t=t.parentElement}return"none"},setLanguage:function(t,n){t.className=t.className.replace(RegExp(e,"gi"),""),t.classList.add("language-"+n)},isActive:function(e,t,n){for(var r="no-"+t;e;){var a=e.classList;if(a.contains(t))return!0;if(a.contains(r))return!1;e=e.parentElement}return!!n}},languages:{plain:n,plaintext:n,text:n,txt:n,extend:function(e,t){var n=r.util.clone(r.languages[e]);for(var a in t)n[a]=t[a];return n},insertBefore:function(e,t,n,a){var o=(a=a||r.languages)[e],i={};for(var s in o)if(o.hasOwnProperty(s)){if(s==t)for(var l in n)n.hasOwnProperty(l)&&(i[l]=n[l]);n.hasOwnProperty(s)||(i[s]=o[s])}var c=a[e];return a[e]=i,r.languages.DFS(r.languages,(function(t,n){n===c&&t!=e&&(this[t]=i)})),i},DFS:function e(t,n,a,o){o=o||{};var i=r.util.objId;for(var s in t)if(t.hasOwnProperty(s)){n.call(t,s,t[s],a||s);var l=t[s],c=r.util.type(l);"Object"!==c||o[i(l)]?"Array"!==c||o[i(l)]||(o[i(l)]=!0,e(l,n,s,o)):(o[i(l)]=!0,e(l,n,null,o))}}},plugins:{},highlight:function(e,t,n){var o={code:e,grammar:t,language:n};if(r.hooks.run("before-tokenize",o),!o.grammar)throw new Error('The language "'+o.language+'" has no grammar.');return o.tokens=r.tokenize(o.code,o.grammar),r.hooks.run("after-tokenize",o),a.stringify(r.util.encode(o.tokens),o.language)},tokenize:function(e,t){var n=t.rest;if(n){for(var r in n)t[r]=n[r];delete t.rest}var a=new s;return l(a,a.head,e),i(e,a,t,a.head,0),function(e){for(var t=[],n=e.head.next;n!==e.tail;)t.push(n.value),n=n.next;return t}(a)},hooks:{all:{},add:function(e,t){var n=r.hooks.all;n[e]=n[e]||[],n[e].push(t)},run:function(e,t){var n=r.hooks.all[e];if(n&&n.length)for(var a,o=0;a=n[o++];)a(t)}},Token:a};function a(e,t,n,r){this.type=e,this.content=t,this.alias=n,this.length=0|(r||"").length}function o(e,t,n,r){e.lastIndex=t;var a=e.exec(n);if(a&&r&&a[1]){var o=a[1].length;a.index+=o,a[0]=a[0].slice(o)}return a}function i(e,t,n,s,u,d){for(var p in n)if(n.hasOwnProperty(p)&&n[p]){var f=n[p];f=Array.isArray(f)?f:[f];for(var h=0;h<f.length;++h){if(d&&d.cause==p+","+h)return;var m=f[h],g=m.inside,y=!!m.lookbehind,b=!!m.greedy,v=m.alias;if(b&&!m.pattern.global){var w=m.pattern.toString().match(/[imsuy]*$/)[0];m.pattern=RegExp(m.pattern.source,w+"g")}for(var k=m.pattern||m,x=s.next,S=u;x!==t.tail&&!(d&&S>=d.reach);S+=x.value.length,x=x.next){var E=x.value;if(t.length>e.length)return;if(!(E instanceof a)){var _,C=1;if(b){if(!(_=o(k,S,e,y))||_.index>=e.length)break;var T=_.index,L=_.index+_[0].length,j=S;for(j+=x.value.length;T>=j;)j+=(x=x.next).value.length;if(S=j-=x.value.length,x.value instanceof a)continue;for(var R=x;R!==t.tail&&(j<L||"string"==typeof R.value);R=R.next)C++,j+=R.value.length;C--,E=e.slice(S,j),_.index-=S}else if(!(_=o(k,0,E,y)))continue;T=_.index;var P=_[0],N=E.slice(0,T),A=E.slice(T+P.length),O=S+E.length;d&&O>d.reach&&(d.reach=O);var I=x.prev;if(N&&(I=l(t,I,N),S+=N.length),c(t,I,C),x=l(t,I,new a(p,g?r.tokenize(P,g):P,v,P)),A&&l(t,x,A),C>1){var D={cause:p+","+h,reach:O};i(e,t,n,x.prev,S,D),d&&D.reach>d.reach&&(d.reach=D.reach)}}}}}}function s(){var e={value:null,prev:null,next:null},t={value:null,prev:e,next:null};e.next=t,this.head=e,this.tail=t,this.length=0}function l(e,t,n){var r=t.next,a={value:n,prev:t,next:r};return t.next=a,r.prev=a,e.length++,a}function c(e,t,n){for(var r=t.next,a=0;a<n&&r!==e.tail;a++)r=r.next;t.next=r,r.prev=t,e.length-=a}return a.stringify=function e(t,n){if("string"==typeof t)return t;if(Array.isArray(t)){var a="";return t.forEach((function(t){a+=e(t,n)})),a}var o={type:t.type,content:e(t.content,n),tag:"span",classes:["token",t.type],attributes:{},language:n},i=t.alias;i&&(Array.isArray(i)?Array.prototype.push.apply(o.classes,i):o.classes.push(i)),r.hooks.run("wrap",o);var s="";for(var l in o.attributes)s+=" "+l+'="'+(o.attributes[l]||"").replace(/"/g,""")+'"';return"<"+o.tag+' class="'+o.classes.join(" ")+'"'+s+">"+o.content+"</"+o.tag+">"},r}();t.exports=n,n.default=n}},function(){return a||(0,r[y(r)[0]])((a={exports:{}}).exports,a),a.exports}),T=((e,t,n)=>(n=null!=e?p(v(e)):{},((e,t,n,r)=>{if(t&&"object"==typeof t||"function"==typeof t)for(let a of y(t))w.call(e,a)||a===n||f(e,a,{get:()=>t[a],enumerable:!(r=m(t,a))||r.enumerable});return e})(!t&&e&&e.__esModule?n:f(n,"default",{value:e,enumerable:!0}),e)))(C());T.languages.markup={comment:{pattern:/<!--(?:(?!<!--)[\s\S])*?-->/,greedy:!0},prolog:{pattern:/<\?[\s\S]+?\?>/,greedy:!0},doctype:{pattern:/<!DOCTYPE(?:[^>"'[\]]|"[^"]*"|'[^']*')+(?:\[(?:[^<"'\]]|"[^"]*"|'[^']*'|<(?!!--)|<!--(?:[^-]|-(?!->))*-->)*\]\s*)?>/i,greedy:!0,inside:{"internal-subset":{pattern:/(^[^\[]*\[)[\s\S]+(?=\]>$)/,lookbehind:!0,greedy:!0,inside:null},string:{pattern:/"[^"]*"|'[^']*'/,greedy:!0},punctuation:/^<!|>$|[[\]]/,"doctype-tag":/^DOCTYPE/i,name:/[^\s<>'"]+/}},cdata:{pattern:/<!\[CDATA\[[\s\S]*?\]\]>/i,greedy:!0},tag:{pattern:/<\/?(?!\d)[^\s>\/=$<%]+(?:\s(?:\s*[^\s>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s'">=]+(?=[\s>]))|(?=[\s/>])))+)?\s*\/?>/,greedy:!0,inside:{tag:{pattern:/^<\/?[^\s>\/]+/,inside:{punctuation:/^<\/?/,namespace:/^[^\s>\/:]+:/}},"special-attr":[],"attr-value":{pattern:/=\s*(?:"[^"]*"|'[^']*'|[^\s'">=]+)/,inside:{punctuation:[{pattern:/^=/,alias:"attr-equals"},{pattern:/^(\s*)["']|["']$/,lookbehind:!0}]}},punctuation:/\/?>/,"attr-name":{pattern:/[^\s>\/]+/,inside:{namespace:/^[^\s>\/:]+:/}}}},entity:[{pattern:/&[\da-z]{1,8};/i,alias:"named-entity"},/&#x?[\da-f]{1,8};/i]},T.languages.markup.tag.inside["attr-value"].inside.entity=T.languages.markup.entity,T.languages.markup.doctype.inside["internal-subset"].inside=T.languages.markup,T.hooks.add("wrap",(function(e){"entity"===e.type&&(e.attributes.title=e.content.replace(/&/,"&"))})),Object.defineProperty(T.languages.markup.tag,"addInlined",{value:function(e,t){var n;(t=((n=((n={})["language-"+t]={pattern:/(^<!\[CDATA\[)[\s\S]+?(?=\]\]>$)/i,lookbehind:!0,inside:T.languages[t]},n.cdata=/^<!\[CDATA\[|\]\]>$/i,{"included-cdata":{pattern:/<!\[CDATA\[[\s\S]*?\]\]>/i,inside:n}}))["language-"+t]={pattern:/[\s\S]+/,inside:T.languages[t]},{}))[e]={pattern:RegExp(/(<__[^>]*>)(?:<!\[CDATA\[(?:[^\]]|\](?!\]>))*\]\]>|(?!<!\[CDATA\[)[\s\S])*?(?=<\/__>)/.source.replace(/__/g,(function(){return e})),"i"),lookbehind:!0,greedy:!0,inside:n},T.languages.insertBefore("markup","cdata",t)}}),Object.defineProperty(T.languages.markup.tag,"addAttribute",{value:function(e,t){T.languages.markup.tag.inside["special-attr"].push({pattern:RegExp(/(^|["'\s])/.source+"(?:"+e+")"+/\s*=\s*(?:"[^"]*"|'[^']*'|[^\s'">=]+(?=[\s>]))/.source,"i"),lookbehind:!0,inside:{"attr-name":/^[^\s=]+/,"attr-value":{pattern:/=[\s\S]+/,inside:{value:{pattern:/(^=\s*(["']|(?!["'])))\S[\s\S]*(?=\2$)/,lookbehind:!0,alias:[t,"language-"+t],inside:T.languages[t]},punctuation:[{pattern:/^=/,alias:"attr-equals"},/"|'/]}}}})}}),T.languages.html=T.languages.markup,T.languages.mathml=T.languages.markup,T.languages.svg=T.languages.markup,T.languages.xml=T.languages.extend("markup",{}),T.languages.ssml=T.languages.xml,T.languages.atom=T.languages.xml,T.languages.rss=T.languages.xml,o=T,i={pattern:/\\[\\(){}[\]^$+*?|.]/,alias:"escape"},l="(?:[^\\\\-]|"+(s=/\\(?:x[\da-fA-F]{2}|u[\da-fA-F]{4}|u\{[\da-fA-F]+\}|0[0-7]{0,2}|[123][0-7]{2}|c[a-zA-Z]|.)/).source+")",l=RegExp(l+"-"+l),c={pattern:/(<|')[^<>']+(?=[>']$)/,lookbehind:!0,alias:"variable"},o.languages.regex={"char-class":{pattern:/((?:^|[^\\])(?:\\\\)*)\[(?:[^\\\]]|\\[\s\S])*\]/,lookbehind:!0,inside:{"char-class-negation":{pattern:/(^\[)\^/,lookbehind:!0,alias:"operator"},"char-class-punctuation":{pattern:/^\[|\]$/,alias:"punctuation"},range:{pattern:l,inside:{escape:s,"range-punctuation":{pattern:/-/,alias:"operator"}}},"special-escape":i,"char-set":{pattern:/\\[wsd]|\\p\{[^{}]+\}/i,alias:"class-name"},escape:s}},"special-escape":i,"char-set":{pattern:/\.|\\[wsd]|\\p\{[^{}]+\}/i,alias:"class-name"},backreference:[{pattern:/\\(?![123][0-7]{2})[1-9]/,alias:"keyword"},{pattern:/\\k<[^<>']+>/,alias:"keyword",inside:{"group-name":c}}],anchor:{pattern:/[$^]|\\[ABbGZz]/,alias:"function"},escape:s,group:[{pattern:/\((?:\?(?:<[^<>']+>|'[^<>']+'|[>:]|<?[=!]|[idmnsuxU]+(?:-[idmnsuxU]+)?:?))?/,alias:"punctuation",inside:{"group-name":c}},{pattern:/\)/,alias:"punctuation"}],quantifier:{pattern:/(?:[+*?]|\{\d+(?:,\d*)?\})[?+]?/,alias:"number"},alternation:{pattern:/\|/,alias:"keyword"}},T.languages.clike={comment:[{pattern:/(^|[^\\])\/\*[\s\S]*?(?:\*\/|$)/,lookbehind:!0,greedy:!0},{pattern:/(^|[^\\:])\/\/.*/,lookbehind:!0,greedy:!0}],string:{pattern:/(["'])(?:\\(?:\r\n|[\s\S])|(?!\1)[^\\\r\n])*\1/,greedy:!0},"class-name":{pattern:/(\b(?:class|extends|implements|instanceof|interface|new|trait)\s+|\bcatch\s+\()[\w.\\]+/i,lookbehind:!0,inside:{punctuation:/[.\\]/}},keyword:/\b(?:break|catch|continue|do|else|finally|for|function|if|in|instanceof|new|null|return|throw|try|while)\b/,boolean:/\b(?:false|true)\b/,function:/\b\w+(?=\()/,number:/\b0x[\da-f]+\b|(?:\b\d+(?:\.\d*)?|\B\.\d+)(?:e[+-]?\d+)?/i,operator:/[<>]=?|[!=]=?=?|--?|\+\+?|&&?|\|\|?|[?*/~^%]/,punctuation:/[{}[\];(),.:]/},T.languages.javascript=T.languages.extend("clike",{"class-name":[T.languages.clike["class-name"],{pattern:/(^|[^$\w\xA0-\uFFFF])(?!\s)[_$A-Z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*(?=\.(?:constructor|prototype))/,lookbehind:!0}],keyword:[{pattern:/((?:^|\})\s*)catch\b/,lookbehind:!0},{pattern:/(^|[^.]|\.\.\.\s*)\b(?:as|assert(?=\s*\{)|async(?=\s*(?:function\b|\(|[$\w\xA0-\uFFFF]|$))|await|break|case|class|const|continue|debugger|default|delete|do|else|enum|export|extends|finally(?=\s*(?:\{|$))|for|from(?=\s*(?:['"]|$))|function|(?:get|set)(?=\s*(?:[#\[$\w\xA0-\uFFFF]|$))|if|implements|import|in|instanceof|interface|let|new|null|of|package|private|protected|public|return|static|super|switch|this|throw|try|typeof|undefined|var|void|while|with|yield)\b/,lookbehind:!0}],function:/#?(?!\s)[_$a-zA-Z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*(?=\s*(?:\.\s*(?:apply|bind|call)\s*)?\()/,number:{pattern:RegExp(/(^|[^\w$])/.source+"(?:"+/NaN|Infinity/.source+"|"+/0[bB][01]+(?:_[01]+)*n?/.source+"|"+/0[oO][0-7]+(?:_[0-7]+)*n?/.source+"|"+/0[xX][\dA-Fa-f]+(?:_[\dA-Fa-f]+)*n?/.source+"|"+/\d+(?:_\d+)*n/.source+"|"+/(?:\d+(?:_\d+)*(?:\.(?:\d+(?:_\d+)*)?)?|\.\d+(?:_\d+)*)(?:[Ee][+-]?\d+(?:_\d+)*)?/.source+")"+/(?![\w$])/.source),lookbehind:!0},operator:/--|\+\+|\*\*=?|=>|&&=?|\|\|=?|[!=]==|<<=?|>>>?=?|[-+*/%&|^!=<>]=?|\.{3}|\?\?=?|\?\.?|[~:]/}),T.languages.javascript["class-name"][0].pattern=/(\b(?:class|extends|implements|instanceof|interface|new)\s+)[\w.\\]+/,T.languages.insertBefore("javascript","keyword",{regex:{pattern:RegExp(/((?:^|[^$\w\xA0-\uFFFF."'\])\s]|\b(?:return|yield))\s*)/.source+/\//.source+"(?:"+/(?:\[(?:[^\]\\\r\n]|\\.)*\]|\\.|[^/\\\[\r\n])+\/[dgimyus]{0,7}/.source+"|"+/(?:\[(?:[^[\]\\\r\n]|\\.|\[(?:[^[\]\\\r\n]|\\.|\[(?:[^[\]\\\r\n]|\\.)*\])*\])*\]|\\.|[^/\\\[\r\n])+\/[dgimyus]{0,7}v[dgimyus]{0,7}/.source+")"+/(?=(?:\s|\/\*(?:[^*]|\*(?!\/))*\*\/)*(?:$|[\r\n,.;:})\]]|\/\/))/.source),lookbehind:!0,greedy:!0,inside:{"regex-source":{pattern:/^(\/)[\s\S]+(?=\/[a-z]*$)/,lookbehind:!0,alias:"language-regex",inside:T.languages.regex},"regex-delimiter":/^\/|\/$/,"regex-flags":/^[a-z]+$/}},"function-variable":{pattern:/#?(?!\s)[_$a-zA-Z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*(?=\s*[=:]\s*(?:async\s*)?(?:\bfunction\b|(?:\((?:[^()]|\([^()]*\))*\)|(?!\s)[_$a-zA-Z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*)\s*=>))/,alias:"function"},parameter:[{pattern:/(function(?:\s+(?!\s)[_$a-zA-Z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*)?\s*\(\s*)(?!\s)(?:[^()\s]|\s+(?![\s)])|\([^()]*\))+(?=\s*\))/,lookbehind:!0,inside:T.languages.javascript},{pattern:/(^|[^$\w\xA0-\uFFFF])(?!\s)[_$a-z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*(?=\s*=>)/i,lookbehind:!0,inside:T.languages.javascript},{pattern:/(\(\s*)(?!\s)(?:[^()\s]|\s+(?![\s)])|\([^()]*\))+(?=\s*\)\s*=>)/,lookbehind:!0,inside:T.languages.javascript},{pattern:/((?:\b|\s|^)(?!(?:as|async|await|break|case|catch|class|const|continue|debugger|default|delete|do|else|enum|export|extends|finally|for|from|function|get|if|implements|import|in|instanceof|interface|let|new|null|of|package|private|protected|public|return|set|static|super|switch|this|throw|try|typeof|undefined|var|void|while|with|yield)(?![$\w\xA0-\uFFFF]))(?:(?!\s)[_$a-zA-Z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*\s*)\(\s*|\]\s*\(\s*)(?!\s)(?:[^()\s]|\s+(?![\s)])|\([^()]*\))+(?=\s*\)\s*\{)/,lookbehind:!0,inside:T.languages.javascript}],constant:/\b[A-Z](?:[A-Z_]|\dx?)*\b/}),T.languages.insertBefore("javascript","string",{hashbang:{pattern:/^#!.*/,greedy:!0,alias:"comment"},"template-string":{pattern:/`(?:\\[\s\S]|\$\{(?:[^{}]|\{(?:[^{}]|\{[^}]*\})*\})+\}|(?!\$\{)[^\\`])*`/,greedy:!0,inside:{"template-punctuation":{pattern:/^`|`$/,alias:"string"},interpolation:{pattern:/((?:^|[^\\])(?:\\{2})*)\$\{(?:[^{}]|\{(?:[^{}]|\{[^}]*\})*\})+\}/,lookbehind:!0,inside:{"interpolation-punctuation":{pattern:/^\$\{|\}$/,alias:"punctuation"},rest:T.languages.javascript}},string:/[\s\S]+/}},"string-property":{pattern:/((?:^|[,{])[ \t]*)(["'])(?:\\(?:\r\n|[\s\S])|(?!\2)[^\\\r\n])*\2(?=\s*:)/m,lookbehind:!0,greedy:!0,alias:"property"}}),T.languages.insertBefore("javascript","operator",{"literal-property":{pattern:/((?:^|[,{])[ \t]*)(?!\s)[_$a-zA-Z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*(?=\s*:)/m,lookbehind:!0,alias:"property"}}),T.languages.markup&&(T.languages.markup.tag.addInlined("script","javascript"),T.languages.markup.tag.addAttribute(/on(?:abort|blur|change|click|composition(?:end|start|update)|dblclick|error|focus(?:in|out)?|key(?:down|up)|load|mouse(?:down|enter|leave|move|out|over|up)|reset|resize|scroll|select|slotchange|submit|unload|wheel)/.source,"javascript")),T.languages.js=T.languages.javascript,T.languages.actionscript=T.languages.extend("javascript",{keyword:/\b(?:as|break|case|catch|class|const|default|delete|do|dynamic|each|else|extends|final|finally|for|function|get|if|implements|import|in|include|instanceof|interface|internal|is|namespace|native|new|null|override|package|private|protected|public|return|set|static|super|switch|this|throw|try|typeof|use|var|void|while|with)\b/,operator:/\+\+|--|(?:[+\-*\/%^]|&&?|\|\|?|<<?|>>?>?|[!=]=?)=?|[~?@]/}),T.languages.actionscript["class-name"].alias="function",delete T.languages.actionscript.parameter,delete T.languages.actionscript["literal-property"],T.languages.markup&&T.languages.insertBefore("actionscript","string",{xml:{pattern:/(^|[^.])<\/?\w+(?:\s+[^\s>\/=]+=("|')(?:\\[\s\S]|(?!\2)[^\\])*\2)*\s*\/?>/,lookbehind:!0,inside:T.languages.markup}}),function(e){var t=/#(?!\{).+/,n={pattern:/#\{[^}]+\}/,alias:"variable"};e.languages.coffeescript=e.languages.extend("javascript",{comment:t,string:[{pattern:/'(?:\\[\s\S]|[^\\'])*'/,greedy:!0},{pattern:/"(?:\\[\s\S]|[^\\"])*"/,greedy:!0,inside:{interpolation:n}}],keyword:/\b(?:and|break|by|catch|class|continue|debugger|delete|do|each|else|extend|extends|false|finally|for|if|in|instanceof|is|isnt|let|loop|namespace|new|no|not|null|of|off|on|or|own|return|super|switch|then|this|throw|true|try|typeof|undefined|unless|until|when|while|window|with|yes|yield)\b/,"class-member":{pattern:/@(?!\d)\w+/,alias:"variable"}}),e.languages.insertBefore("coffeescript","comment",{"multiline-comment":{pattern:/###[\s\S]+?###/,alias:"comment"},"block-regex":{pattern:/\/{3}[\s\S]*?\/{3}/,alias:"regex",inside:{comment:t,interpolation:n}}}),e.languages.insertBefore("coffeescript","string",{"inline-javascript":{pattern:/`(?:\\[\s\S]|[^\\`])*`/,inside:{delimiter:{pattern:/^`|`$/,alias:"punctuation"},script:{pattern:/[\s\S]+/,alias:"language-javascript",inside:e.languages.javascript}}},"multiline-string":[{pattern:/'''[\s\S]*?'''/,greedy:!0,alias:"string"},{pattern:/"""[\s\S]*?"""/,greedy:!0,alias:"string",inside:{interpolation:n}}]}),e.languages.insertBefore("coffeescript","keyword",{property:/(?!\d)\w+(?=\s*:(?!:))/}),delete e.languages.coffeescript["template-string"],e.languages.coffee=e.languages.coffeescript}(T),function(e){var t=e.languages.javadoclike={parameter:{pattern:/(^[\t ]*(?:\/{3}|\*|\/\*\*)\s*@(?:arg|arguments|param)\s+)\w+/m,lookbehind:!0},keyword:{pattern:/(^[\t ]*(?:\/{3}|\*|\/\*\*)\s*|\{)@[a-z][a-zA-Z-]+\b/m,lookbehind:!0},punctuation:/[{}]/};Object.defineProperty(t,"addSupport",{value:function(t,n){(t="string"==typeof t?[t]:t).forEach((function(t){var r=function(e){e.inside||(e.inside={}),e.inside.rest=n},a="doc-comment";if(o=e.languages[t]){var o,i=o[a];if((i=i||(o=e.languages.insertBefore(t,"comment",{"doc-comment":{pattern:/(^|[^\\])\/\*\*[^/][\s\S]*?(?:\*\/|$)/,lookbehind:!0,alias:"comment"}}))[a])instanceof RegExp&&(i=o[a]={pattern:i}),Array.isArray(i))for(var s=0,l=i.length;s<l;s++)i[s]instanceof RegExp&&(i[s]={pattern:i[s]}),r(i[s]);else r(i)}}))}}),t.addSupport(["java","javascript","php"],t)}(T),function(e){var t=/(?:"(?:\\(?:\r\n|[\s\S])|[^"\\\r\n])*"|'(?:\\(?:\r\n|[\s\S])|[^'\\\r\n])*')/;(t=(e.languages.css={comment:/\/\*[\s\S]*?\*\//,atrule:{pattern:RegExp("@[\\w-](?:"+/[^;{\s"']|\s+(?!\s)/.source+"|"+t.source+")*?"+/(?:;|(?=\s*\{))/.source),inside:{rule:/^@[\w-]+/,"selector-function-argument":{pattern:/(\bselector\s*\(\s*(?![\s)]))(?:[^()\s]|\s+(?![\s)])|\((?:[^()]|\([^()]*\))*\))+(?=\s*\))/,lookbehind:!0,alias:"selector"},keyword:{pattern:/(^|[^\w-])(?:and|not|only|or)(?![\w-])/,lookbehind:!0}}},url:{pattern:RegExp("\\burl\\((?:"+t.source+"|"+/(?:[^\\\r\n()"']|\\[\s\S])*/.source+")\\)","i"),greedy:!0,inside:{function:/^url/i,punctuation:/^\(|\)$/,string:{pattern:RegExp("^"+t.source+"$"),alias:"url"}}},selector:{pattern:RegExp("(^|[{}\\s])[^{}\\s](?:[^{};\"'\\s]|\\s+(?![\\s{])|"+t.source+")*(?=\\s*\\{)"),lookbehind:!0},string:{pattern:t,greedy:!0},property:{pattern:/(^|[^-\w\xA0-\uFFFF])(?!\s)[-_a-z\xA0-\uFFFF](?:(?!\s)[-\w\xA0-\uFFFF])*(?=\s*:)/i,lookbehind:!0},important:/!important\b/i,function:{pattern:/(^|[^-a-z0-9])[-a-z0-9]+(?=\()/i,lookbehind:!0},punctuation:/[(){};:,]/},e.languages.css.atrule.inside.rest=e.languages.css,e.languages.markup))&&(t.tag.addInlined("style","css"),t.tag.addAttribute("style","css"))}(T),function(e){var t=/("|')(?:\\(?:\r\n|[\s\S])|(?!\1)[^\\\r\n])*\1/,n=(t=(e.languages.css.selector={pattern:e.languages.css.selector.pattern,lookbehind:!0,inside:t={"pseudo-element":/:(?:after|before|first-letter|first-line|selection)|::[-\w]+/,"pseudo-class":/:[-\w]+/,class:/\.[-\w]+/,id:/#[-\w]+/,attribute:{pattern:RegExp("\\[(?:[^[\\]\"']|"+t.source+")*\\]"),greedy:!0,inside:{punctuation:/^\[|\]$/,"case-sensitivity":{pattern:/(\s)[si]$/i,lookbehind:!0,alias:"keyword"},namespace:{pattern:/^(\s*)(?:(?!\s)[-*\w\xA0-\uFFFF])*\|(?!=)/,lookbehind:!0,inside:{punctuation:/\|$/}},"attr-name":{pattern:/^(\s*)(?:(?!\s)[-\w\xA0-\uFFFF])+/,lookbehind:!0},"attr-value":[t,{pattern:/(=\s*)(?:(?!\s)[-\w\xA0-\uFFFF])+(?=\s*$)/,lookbehind:!0}],operator:/[|~*^$]?=/}},"n-th":[{pattern:/(\(\s*)[+-]?\d*[\dn](?:\s*[+-]\s*\d+)?(?=\s*\))/,lookbehind:!0,inside:{number:/[\dn]+/,operator:/[+-]/}},{pattern:/(\(\s*)(?:even|odd)(?=\s*\))/i,lookbehind:!0}],combinator:/>|\+|~|\|\|/,punctuation:/[(),]/}},e.languages.css.atrule.inside["selector-function-argument"].inside=t,e.languages.insertBefore("css","property",{variable:{pattern:/(^|[^-\w\xA0-\uFFFF])--(?!\s)[-_a-z\xA0-\uFFFF](?:(?!\s)[-\w\xA0-\uFFFF])*/i,lookbehind:!0}}),{pattern:/(\b\d+)(?:%|[a-z]+(?![\w-]))/,lookbehind:!0}),{pattern:/(^|[^\w.-])-?(?:\d+(?:\.\d+)?|\.\d+)/,lookbehind:!0});e.languages.insertBefore("css","function",{operator:{pattern:/(\s)[+\-*\/](?=\s)/,lookbehind:!0},hexcode:{pattern:/\B#[\da-f]{3,8}\b/i,alias:"color"},color:[{pattern:/(^|[^\w-])(?:AliceBlue|AntiqueWhite|Aqua|Aquamarine|Azure|Beige|Bisque|Black|BlanchedAlmond|Blue|BlueViolet|Brown|BurlyWood|CadetBlue|Chartreuse|Chocolate|Coral|CornflowerBlue|Cornsilk|Crimson|Cyan|DarkBlue|DarkCyan|DarkGoldenRod|DarkGr[ae]y|DarkGreen|DarkKhaki|DarkMagenta|DarkOliveGreen|DarkOrange|DarkOrchid|DarkRed|DarkSalmon|DarkSeaGreen|DarkSlateBlue|DarkSlateGr[ae]y|DarkTurquoise|DarkViolet|DeepPink|DeepSkyBlue|DimGr[ae]y|DodgerBlue|FireBrick|FloralWhite|ForestGreen|Fuchsia|Gainsboro|GhostWhite|Gold|GoldenRod|Gr[ae]y|Green|GreenYellow|HoneyDew|HotPink|IndianRed|Indigo|Ivory|Khaki|Lavender|LavenderBlush|LawnGreen|LemonChiffon|LightBlue|LightCoral|LightCyan|LightGoldenRodYellow|LightGr[ae]y|LightGreen|LightPink|LightSalmon|LightSeaGreen|LightSkyBlue|LightSlateGr[ae]y|LightSteelBlue|LightYellow|Lime|LimeGreen|Linen|Magenta|Maroon|MediumAquaMarine|MediumBlue|MediumOrchid|MediumPurple|MediumSeaGreen|MediumSlateBlue|MediumSpringGreen|MediumTurquoise|MediumVioletRed|MidnightBlue|MintCream|MistyRose|Moccasin|NavajoWhite|Navy|OldLace|Olive|OliveDrab|Orange|OrangeRed|Orchid|PaleGoldenRod|PaleGreen|PaleTurquoise|PaleVioletRed|PapayaWhip|PeachPuff|Peru|Pink|Plum|PowderBlue|Purple|RebeccaPurple|Red|RosyBrown|RoyalBlue|SaddleBrown|Salmon|SandyBrown|SeaGreen|SeaShell|Sienna|Silver|SkyBlue|SlateBlue|SlateGr[ae]y|Snow|SpringGreen|SteelBlue|Tan|Teal|Thistle|Tomato|Transparent|Turquoise|Violet|Wheat|White|WhiteSmoke|Yellow|YellowGreen)(?![\w-])/i,lookbehind:!0},{pattern:/\b(?:hsl|rgb)\(\s*\d{1,3}\s*,\s*\d{1,3}%?\s*,\s*\d{1,3}%?\s*\)\B|\b(?:hsl|rgb)a\(\s*\d{1,3}\s*,\s*\d{1,3}%?\s*,\s*\d{1,3}%?\s*,\s*(?:0|0?\.\d+|1)\s*\)\B/i,inside:{unit:t,number:n,function:/[\w-]+(?=\()/,punctuation:/[(),]/}}],entity:/\\[\da-f]{1,8}/i,unit:t,number:n})}(T),function(e){var t=/[*&][^\s[\]{},]+/,n=/!(?:<[\w\-%#;/?:@&=+$,.!~*'()[\]]+>|(?:[a-zA-Z\d-]*!)?[\w\-%#;/?:@&=+$.~*'()]+)?/,r="(?:"+n.source+"(?:[ \t]+"+t.source+")?|"+t.source+"(?:[ \t]+"+n.source+")?)",a=/(?:[^\s\x00-\x08\x0e-\x1f!"#%&'*,\-:>?@[\]`{|}\x7f-\x84\x86-\x9f\ud800-\udfff\ufffe\uffff]|[?:-]<PLAIN>)(?:[ \t]*(?:(?![#:])<PLAIN>|:<PLAIN>))*/.source.replace(/<PLAIN>/g,(function(){return/[^\s\x00-\x08\x0e-\x1f,[\]{}\x7f-\x84\x86-\x9f\ud800-\udfff\ufffe\uffff]/.source})),o=/"(?:[^"\\\r\n]|\\.)*"|'(?:[^'\\\r\n]|\\.)*'/.source;function i(e,t){t=(t||"").replace(/m/g,"")+"m";var n=/([:\-,[{]\s*(?:\s<<prop>>[ \t]+)?)(?:<<value>>)(?=[ \t]*(?:$|,|\]|\}|(?:[\r\n]\s*)?#))/.source.replace(/<<prop>>/g,(function(){return r})).replace(/<<value>>/g,(function(){return e}));return RegExp(n,t)}e.languages.yaml={scalar:{pattern:RegExp(/([\-:]\s*(?:\s<<prop>>[ \t]+)?[|>])[ \t]*(?:((?:\r?\n|\r)[ \t]+)\S[^\r\n]*(?:\2[^\r\n]+)*)/.source.replace(/<<prop>>/g,(function(){return r}))),lookbehind:!0,alias:"string"},comment:/#.*/,key:{pattern:RegExp(/((?:^|[:\-,[{\r\n?])[ \t]*(?:<<prop>>[ \t]+)?)<<key>>(?=\s*:\s)/.source.replace(/<<prop>>/g,(function(){return r})).replace(/<<key>>/g,(function(){return"(?:"+a+"|"+o+")"}))),lookbehind:!0,greedy:!0,alias:"atrule"},directive:{pattern:/(^[ \t]*)%.+/m,lookbehind:!0,alias:"important"},datetime:{pattern:i(/\d{4}-\d\d?-\d\d?(?:[tT]|[ \t]+)\d\d?:\d{2}:\d{2}(?:\.\d*)?(?:[ \t]*(?:Z|[-+]\d\d?(?::\d{2})?))?|\d{4}-\d{2}-\d{2}|\d\d?:\d{2}(?::\d{2}(?:\.\d*)?)?/.source),lookbehind:!0,alias:"number"},boolean:{pattern:i(/false|true/.source,"i"),lookbehind:!0,alias:"important"},null:{pattern:i(/null|~/.source,"i"),lookbehind:!0,alias:"important"},string:{pattern:i(o),lookbehind:!0,greedy:!0},number:{pattern:i(/[+-]?(?:0x[\da-f]+|0o[0-7]+|(?:\d+(?:\.\d*)?|\.\d+)(?:e[+-]?\d+)?|\.inf|\.nan)/.source,"i"),lookbehind:!0},tag:n,important:t,punctuation:/---|[:[\]{}\-,|>?]|\.\.\./},e.languages.yml=e.languages.yaml}(T),function(e){var t=/(?:\\.|[^\\\n\r]|(?:\n|\r\n?)(?![\r\n]))/.source;function n(e){return e=e.replace(/<inner>/g,(function(){return t})),RegExp(/((?:^|[^\\])(?:\\{2})*)/.source+"(?:"+e+")")}var r=/(?:\\.|``(?:[^`\r\n]|`(?!`))+``|`[^`\r\n]+`|[^\\|\r\n`])+/.source,a=/\|?__(?:\|__)+\|?(?:(?:\n|\r\n?)|(?![\s\S]))/.source.replace(/__/g,(function(){return r})),o=/\|?[ \t]*:?-{3,}:?[ \t]*(?:\|[ \t]*:?-{3,}:?[ \t]*)+\|?(?:\n|\r\n?)/.source,i=(e.languages.markdown=e.languages.extend("markup",{}),e.languages.insertBefore("markdown","prolog",{"front-matter-block":{pattern:/(^(?:\s*[\r\n])?)---(?!.)[\s\S]*?[\r\n]---(?!.)/,lookbehind:!0,greedy:!0,inside:{punctuation:/^---|---$/,"front-matter":{pattern:/\S+(?:\s+\S+)*/,alias:["yaml","language-yaml"],inside:e.languages.yaml}}},blockquote:{pattern:/^>(?:[\t ]*>)*/m,alias:"punctuation"},table:{pattern:RegExp("^"+a+o+"(?:"+a+")*","m"),inside:{"table-data-rows":{pattern:RegExp("^("+a+o+")(?:"+a+")*$"),lookbehind:!0,inside:{"table-data":{pattern:RegExp(r),inside:e.languages.markdown},punctuation:/\|/}},"table-line":{pattern:RegExp("^("+a+")"+o+"$"),lookbehind:!0,inside:{punctuation:/\||:?-{3,}:?/}},"table-header-row":{pattern:RegExp("^"+a+"$"),inside:{"table-header":{pattern:RegExp(r),alias:"important",inside:e.languages.markdown},punctuation:/\|/}}}},code:[{pattern:/((?:^|\n)[ \t]*\n|(?:^|\r\n?)[ \t]*\r\n?)(?: {4}|\t).+(?:(?:\n|\r\n?)(?: {4}|\t).+)*/,lookbehind:!0,alias:"keyword"},{pattern:/^```[\s\S]*?^```$/m,greedy:!0,inside:{"code-block":{pattern:/^(```.*(?:\n|\r\n?))[\s\S]+?(?=(?:\n|\r\n?)^```$)/m,lookbehind:!0},"code-language":{pattern:/^(```).+/,lookbehind:!0},punctuation:/```/}}],title:[{pattern:/\S.*(?:\n|\r\n?)(?:==+|--+)(?=[ \t]*$)/m,alias:"important",inside:{punctuation:/==+$|--+$/}},{pattern:/(^\s*)#.+/m,lookbehind:!0,alias:"important",inside:{punctuation:/^#+|#+$/}}],hr:{pattern:/(^\s*)([*-])(?:[\t ]*\2){2,}(?=\s*$)/m,lookbehind:!0,alias:"punctuation"},list:{pattern:/(^\s*)(?:[*+-]|\d+\.)(?=[\t ].)/m,lookbehind:!0,alias:"punctuation"},"url-reference":{pattern:/!?\[[^\]]+\]:[\t ]+(?:\S+|<(?:\\.|[^>\\])+>)(?:[\t ]+(?:"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|\((?:\\.|[^)\\])*\)))?/,inside:{variable:{pattern:/^(!?\[)[^\]]+/,lookbehind:!0},string:/(?:"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|\((?:\\.|[^)\\])*\))$/,punctuation:/^[\[\]!:]|[<>]/},alias:"url"},bold:{pattern:n(/\b__(?:(?!_)<inner>|_(?:(?!_)<inner>)+_)+__\b|\*\*(?:(?!\*)<inner>|\*(?:(?!\*)<inner>)+\*)+\*\*/.source),lookbehind:!0,greedy:!0,inside:{content:{pattern:/(^..)[\s\S]+(?=..$)/,lookbehind:!0,inside:{}},punctuation:/\*\*|__/}},italic:{pattern:n(/\b_(?:(?!_)<inner>|__(?:(?!_)<inner>)+__)+_\b|\*(?:(?!\*)<inner>|\*\*(?:(?!\*)<inner>)+\*\*)+\*/.source),lookbehind:!0,greedy:!0,inside:{content:{pattern:/(^.)[\s\S]+(?=.$)/,lookbehind:!0,inside:{}},punctuation:/[*_]/}},strike:{pattern:n(/(~~?)(?:(?!~)<inner>)+\2/.source),lookbehind:!0,greedy:!0,inside:{content:{pattern:/(^~~?)[\s\S]+(?=\1$)/,lookbehind:!0,inside:{}},punctuation:/~~?/}},"code-snippet":{pattern:/(^|[^\\`])(?:``[^`\r\n]+(?:`[^`\r\n]+)*``(?!`)|`[^`\r\n]+`(?!`))/,lookbehind:!0,greedy:!0,alias:["code","keyword"]},url:{pattern:n(/!?\[(?:(?!\])<inner>)+\](?:\([^\s)]+(?:[\t ]+"(?:\\.|[^"\\])*")?\)|[ \t]?\[(?:(?!\])<inner>)+\])/.source),lookbehind:!0,greedy:!0,inside:{operator:/^!/,content:{pattern:/(^\[)[^\]]+(?=\])/,lookbehind:!0,inside:{}},variable:{pattern:/(^\][ \t]?\[)[^\]]+(?=\]$)/,lookbehind:!0},url:{pattern:/(^\]\()[^\s)]+/,lookbehind:!0},string:{pattern:/(^[ \t]+)"(?:\\.|[^"\\])*"(?=\)$)/,lookbehind:!0}}}}),["url","bold","italic","strike"].forEach((function(t){["url","bold","italic","strike","code-snippet"].forEach((function(n){t!==n&&(e.languages.markdown[t].inside.content.inside[n]=e.languages.markdown[n])}))})),e.hooks.add("after-tokenize",(function(e){"markdown"!==e.language&&"md"!==e.language||function e(t){if(t&&"string"!=typeof t)for(var n=0,r=t.length;n<r;n++){var a,o=t[n];"code"!==o.type?e(o.content):(a=o.content[1],o=o.content[3],a&&o&&"code-language"===a.type&&"code-block"===o.type&&"string"==typeof a.content&&(a=a.content.replace(/\b#/g,"sharp").replace(/\b\+\+/g,"pp"),a="language-"+(a=(/[a-z][\w-]*/i.exec(a)||[""])[0].toLowerCase()),o.alias?"string"==typeof o.alias?o.alias=[o.alias,a]:o.alias.push(a):o.alias=[a]))}}(e.tokens)})),e.hooks.add("wrap",(function(t){if("code-block"===t.type){for(var n="",r=0,a=t.classes.length;r<a;r++){var o=t.classes[r];if(o=/language-(.+)/.exec(o)){n=o[1];break}}var c,u=e.languages[n];u?t.content=e.highlight(t.content.replace(i,"").replace(/&(\w{1,8}|#x?[\da-f]{1,8});/gi,(function(e,t){var n;return"#"===(t=t.toLowerCase())[0]?(n="x"===t[1]?parseInt(t.slice(2),16):Number(t.slice(1)),l(n)):s[t]||e})),u,n):n&&"none"!==n&&e.plugins.autoloader&&(c="md-"+(new Date).valueOf()+"-"+Math.floor(1e16*Math.random()),t.attributes.id=c,e.plugins.autoloader.loadLanguages(n,(function(){var t=document.getElementById(c);t&&(t.innerHTML=e.highlight(t.textContent,e.languages[n],n))})))}})),RegExp(e.languages.markup.tag.pattern.source,"gi")),s={amp:"&",lt:"<",gt:">",quot:'"'},l=String.fromCodePoint||String.fromCharCode;e.languages.md=e.languages.markdown}(T),T.languages.graphql={comment:/#.*/,description:{pattern:/(?:"""(?:[^"]|(?!""")")*"""|"(?:\\.|[^\\"\r\n])*")(?=\s*[a-z_])/i,greedy:!0,alias:"string",inside:{"language-markdown":{pattern:/(^"(?:"")?)(?!\1)[\s\S]+(?=\1$)/,lookbehind:!0,inside:T.languages.markdown}}},string:{pattern:/"""(?:[^"]|(?!""")")*"""|"(?:\\.|[^\\"\r\n])*"/,greedy:!0},number:/(?:\B-|\b)\d+(?:\.\d+)?(?:e[+-]?\d+)?\b/i,boolean:/\b(?:false|true)\b/,variable:/\$[a-z_]\w*/i,directive:{pattern:/@[a-z_]\w*/i,alias:"function"},"attr-name":{pattern:/\b[a-z_]\w*(?=\s*(?:\((?:[^()"]|"(?:\\.|[^\\"\r\n])*")*\))?:)/i,greedy:!0},"atom-input":{pattern:/\b[A-Z]\w*Input\b/,alias:"class-name"},scalar:/\b(?:Boolean|Float|ID|Int|String)\b/,constant:/\b[A-Z][A-Z_\d]*\b/,"class-name":{pattern:/(\b(?:enum|implements|interface|on|scalar|type|union)\s+|&\s*|:\s*|\[)[A-Z_]\w*/,lookbehind:!0},fragment:{pattern:/(\bfragment\s+|\.{3}\s*(?!on\b))[a-zA-Z_]\w*/,lookbehind:!0,alias:"function"},"definition-mutation":{pattern:/(\bmutation\s+)[a-zA-Z_]\w*/,lookbehind:!0,alias:"function"},"definition-query":{pattern:/(\bquery\s+)[a-zA-Z_]\w*/,lookbehind:!0,alias:"function"},keyword:/\b(?:directive|enum|extend|fragment|implements|input|interface|mutation|on|query|repeatable|scalar|schema|subscription|type|union)\b/,operator:/[!=|&]|\.{3}/,"property-query":/\w+(?=\s*\()/,object:/\w+(?=\s*\{)/,punctuation:/[!(){}\[\]:=,]/,property:/\w+/},T.hooks.add("after-tokenize",(function(e){if("graphql"===e.language)for(var t=e.tokens.filter((function(e){return"string"!=typeof e&&"comment"!==e.type&&"scalar"!==e.type})),n=0;n<t.length;){var r=t[n++];if("keyword"===r.type&&"mutation"===r.content){var a=[];if(d(["definition-mutation","punctuation"])&&"("===u(1).content){n+=2;var o=p(/^\($/,/^\)$/);if(-1===o)continue;for(;n<o;n++){var i=u(0);"variable"===i.type&&(f(i,"variable-input"),a.push(i.content))}n=o+1}if(d(["punctuation","property-query"])&&"{"===u(0).content&&(n++,f(u(0),"property-mutation"),0<a.length)){var s=p(/^\{$/,/^\}$/);if(-1!==s)for(var l=n;l<s;l++){var c=t[l];"variable"===c.type&&0<=a.indexOf(c.content)&&f(c,"variable-input")}}}}function u(e){return t[n+e]}function d(e,t){t=t||0;for(var n=0;n<e.length;n++){var r=u(n+t);if(!r||r.type!==e[n])return}return 1}function p(e,r){for(var a=1,o=n;o<t.length;o++){var i=t[o],s=i.content;if("punctuation"===i.type&&"string"==typeof s)if(e.test(s))a++;else if(r.test(s)&&0==--a)return o}return-1}function f(e,t){var n=e.alias;n?Array.isArray(n)||(e.alias=n=[n]):e.alias=n=[],n.push(t)}})),T.languages.sql={comment:{pattern:/(^|[^\\])(?:\/\*[\s\S]*?\*\/|(?:--|\/\/|#).*)/,lookbehind:!0},variable:[{pattern:/@(["'`])(?:\\[\s\S]|(?!\1)[^\\])+\1/,greedy:!0},/@[\w.$]+/],string:{pattern:/(^|[^@\\])("|')(?:\\[\s\S]|(?!\2)[^\\]|\2\2)*\2/,greedy:!0,lookbehind:!0},identifier:{pattern:/(^|[^@\\])`(?:\\[\s\S]|[^`\\]|``)*`/,greedy:!0,lookbehind:!0,inside:{punctuation:/^`|`$/}},function:/\b(?:AVG|COUNT|FIRST|FORMAT|LAST|LCASE|LEN|MAX|MID|MIN|MOD|NOW|ROUND|SUM|UCASE)(?=\s*\()/i,keyword:/\b(?:ACTION|ADD|AFTER|ALGORITHM|ALL|ALTER|ANALYZE|ANY|APPLY|AS|ASC|AUTHORIZATION|AUTO_INCREMENT|BACKUP|BDB|BEGIN|BERKELEYDB|BIGINT|BINARY|BIT|BLOB|BOOL|BOOLEAN|BREAK|BROWSE|BTREE|BULK|BY|CALL|CASCADED?|CASE|CHAIN|CHAR(?:ACTER|SET)?|CHECK(?:POINT)?|CLOSE|CLUSTERED|COALESCE|COLLATE|COLUMNS?|COMMENT|COMMIT(?:TED)?|COMPUTE|CONNECT|CONSISTENT|CONSTRAINT|CONTAINS(?:TABLE)?|CONTINUE|CONVERT|CREATE|CROSS|CURRENT(?:_DATE|_TIME|_TIMESTAMP|_USER)?|CURSOR|CYCLE|DATA(?:BASES?)?|DATE(?:TIME)?|DAY|DBCC|DEALLOCATE|DEC|DECIMAL|DECLARE|DEFAULT|DEFINER|DELAYED|DELETE|DELIMITERS?|DENY|DESC|DESCRIBE|DETERMINISTIC|DISABLE|DISCARD|DISK|DISTINCT|DISTINCTROW|DISTRIBUTED|DO|DOUBLE|DROP|DUMMY|DUMP(?:FILE)?|DUPLICATE|ELSE(?:IF)?|ENABLE|ENCLOSED|END|ENGINE|ENUM|ERRLVL|ERRORS|ESCAPED?|EXCEPT|EXEC(?:UTE)?|EXISTS|EXIT|EXPLAIN|EXTENDED|FETCH|FIELDS|FILE|FILLFACTOR|FIRST|FIXED|FLOAT|FOLLOWING|FOR(?: EACH ROW)?|FORCE|FOREIGN|FREETEXT(?:TABLE)?|FROM|FULL|FUNCTION|GEOMETRY(?:COLLECTION)?|GLOBAL|GOTO|GRANT|GROUP|HANDLER|HASH|HAVING|HOLDLOCK|HOUR|IDENTITY(?:COL|_INSERT)?|IF|IGNORE|IMPORT|INDEX|INFILE|INNER|INNODB|INOUT|INSERT|INT|INTEGER|INTERSECT|INTERVAL|INTO|INVOKER|ISOLATION|ITERATE|JOIN|KEYS?|KILL|LANGUAGE|LAST|LEAVE|LEFT|LEVEL|LIMIT|LINENO|LINES|LINESTRING|LOAD|LOCAL|LOCK|LONG(?:BLOB|TEXT)|LOOP|MATCH(?:ED)?|MEDIUM(?:BLOB|INT|TEXT)|MERGE|MIDDLEINT|MINUTE|MODE|MODIFIES|MODIFY|MONTH|MULTI(?:LINESTRING|POINT|POLYGON)|NATIONAL|NATURAL|NCHAR|NEXT|NO|NONCLUSTERED|NULLIF|NUMERIC|OFF?|OFFSETS?|ON|OPEN(?:DATASOURCE|QUERY|ROWSET)?|OPTIMIZE|OPTION(?:ALLY)?|ORDER|OUT(?:ER|FILE)?|OVER|PARTIAL|PARTITION|PERCENT|PIVOT|PLAN|POINT|POLYGON|PRECEDING|PRECISION|PREPARE|PREV|PRIMARY|PRINT|PRIVILEGES|PROC(?:EDURE)?|PUBLIC|PURGE|QUICK|RAISERROR|READS?|REAL|RECONFIGURE|REFERENCES|RELEASE|RENAME|REPEAT(?:ABLE)?|REPLACE|REPLICATION|REQUIRE|RESIGNAL|RESTORE|RESTRICT|RETURN(?:ING|S)?|REVOKE|RIGHT|ROLLBACK|ROUTINE|ROW(?:COUNT|GUIDCOL|S)?|RTREE|RULE|SAVE(?:POINT)?|SCHEMA|SECOND|SELECT|SERIAL(?:IZABLE)?|SESSION(?:_USER)?|SET(?:USER)?|SHARE|SHOW|SHUTDOWN|SIMPLE|SMALLINT|SNAPSHOT|SOME|SONAME|SQL|START(?:ING)?|STATISTICS|STATUS|STRIPED|SYSTEM_USER|TABLES?|TABLESPACE|TEMP(?:ORARY|TABLE)?|TERMINATED|TEXT(?:SIZE)?|THEN|TIME(?:STAMP)?|TINY(?:BLOB|INT|TEXT)|TOP?|TRAN(?:SACTIONS?)?|TRIGGER|TRUNCATE|TSEQUAL|TYPES?|UNBOUNDED|UNCOMMITTED|UNDEFINED|UNION|UNIQUE|UNLOCK|UNPIVOT|UNSIGNED|UPDATE(?:TEXT)?|USAGE|USE|USER|USING|VALUES?|VAR(?:BINARY|CHAR|CHARACTER|YING)|VIEW|WAITFOR|WARNINGS|WHEN|WHERE|WHILE|WITH(?: ROLLUP|IN)?|WORK|WRITE(?:TEXT)?|YEAR)\b/i,boolean:/\b(?:FALSE|NULL|TRUE)\b/i,number:/\b0x[\da-f]+\b|\b\d+(?:\.\d*)?|\B\.\d+\b/i,operator:/[-+*\/=%^~]|&&?|\|\|?|!=?|<(?:=>?|<|>)?|>[>=]?|\b(?:AND|BETWEEN|DIV|ILIKE|IN|IS|LIKE|NOT|OR|REGEXP|RLIKE|SOUNDS LIKE|XOR)\b/i,punctuation:/[;[\]()`,.]/},function(e){var t=e.languages.javascript["template-string"],n=t.pattern.source,r=t.inside.interpolation,a=r.inside["interpolation-punctuation"],o=r.pattern.source;function i(t,r){if(e.languages[t])return{pattern:RegExp("((?:"+r+")\\s*)"+n),lookbehind:!0,greedy:!0,inside:{"template-punctuation":{pattern:/^`|`$/,alias:"string"},"embedded-code":{pattern:/[\s\S]+/,alias:t}}}}function s(t,n,r){return t={code:t,grammar:n,language:r},e.hooks.run("before-tokenize",t),t.tokens=e.tokenize(t.code,t.grammar),e.hooks.run("after-tokenize",t),t.tokens}function l(t,n,i){var l=e.tokenize(t,{interpolation:{pattern:RegExp(o),lookbehind:!0}}),c=0,u={},d=(l=s(l.map((function(e){if("string"==typeof e)return e;var n,r;for(e=e.content;-1!==t.indexOf((r=c++,n="___"+i.toUpperCase()+"_"+r+"___")););return u[n]=e,n})).join(""),n,i),Object.keys(u));return c=0,function t(n){for(var o=0;o<n.length;o++){if(c>=d.length)return;var i,l,p,f,h,m,g,y=n[o];"string"==typeof y||"string"==typeof y.content?(i=d[c],-1!==(g=(m="string"==typeof y?y:y.content).indexOf(i))&&(++c,l=m.substring(0,g),h=u[i],p=void 0,(f={})["interpolation-punctuation"]=a,3===(f=e.tokenize(h,f)).length&&((p=[1,1]).push.apply(p,s(f[1],e.languages.javascript,"javascript")),f.splice.apply(f,p)),p=new e.Token("interpolation",f,r.alias,h),f=m.substring(g+i.length),h=[],l&&h.push(l),h.push(p),f&&(t(m=[f]),h.push.apply(h,m)),"string"==typeof y?(n.splice.apply(n,[o,1].concat(h)),o+=h.length-1):y.content=h)):(g=y.content,Array.isArray(g)?t(g):t([g]))}}(l),new e.Token(i,l,"language-"+i,t)}e.languages.javascript["template-string"]=[i("css",/\b(?:styled(?:\([^)]*\))?(?:\s*\.\s*\w+(?:\([^)]*\))*)*|css(?:\s*\.\s*(?:global|resolve))?|createGlobalStyle|keyframes)/.source),i("html",/\bhtml|\.\s*(?:inner|outer)HTML\s*\+?=/.source),i("svg",/\bsvg/.source),i("markdown",/\b(?:markdown|md)/.source),i("graphql",/\b(?:gql|graphql(?:\s*\.\s*experimental)?)/.source),i("sql",/\bsql/.source),t].filter(Boolean);var c={javascript:!0,js:!0,typescript:!0,ts:!0,jsx:!0,tsx:!0};function u(e){return"string"==typeof e?e:Array.isArray(e)?e.map(u).join(""):u(e.content)}e.hooks.add("after-tokenize",(function(t){t.language in c&&function t(n){for(var r=0,a=n.length;r<a;r++){var o,i,s,c=n[r];"string"!=typeof c&&(o=c.content,Array.isArray(o)?"template-string"===c.type?(c=o[1],3===o.length&&"string"!=typeof c&&"embedded-code"===c.type&&(i=u(c),c=c.alias,c=Array.isArray(c)?c[0]:c,s=e.languages[c])&&(o[1]=l(i,s,c))):t(o):"string"!=typeof o&&t([o]))}}(t.tokens)}))}(T),function(e){e.languages.typescript=e.languages.extend("javascript",{"class-name":{pattern:/(\b(?:class|extends|implements|instanceof|interface|new|type)\s+)(?!keyof\b)(?!\s)[_$a-zA-Z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*(?:\s*<(?:[^<>]|<(?:[^<>]|<[^<>]*>)*>)*>)?/,lookbehind:!0,greedy:!0,inside:null},builtin:/\b(?:Array|Function|Promise|any|boolean|console|never|number|string|symbol|unknown)\b/}),e.languages.typescript.keyword.push(/\b(?:abstract|declare|is|keyof|readonly|require)\b/,/\b(?:asserts|infer|interface|module|namespace|type)\b(?=\s*(?:[{_$a-zA-Z\xA0-\uFFFF]|$))/,/\btype\b(?=\s*(?:[\{*]|$))/),delete e.languages.typescript.parameter,delete e.languages.typescript["literal-property"];var t=e.languages.extend("typescript",{});delete t["class-name"],e.languages.typescript["class-name"].inside=t,e.languages.insertBefore("typescript","function",{decorator:{pattern:/@[$\w\xA0-\uFFFF]+/,inside:{at:{pattern:/^@/,alias:"operator"},function:/^[\s\S]+/}},"generic-function":{pattern:/#?(?!\s)[_$a-zA-Z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*\s*<(?:[^<>]|<(?:[^<>]|<[^<>]*>)*>)*>(?=\s*\()/,greedy:!0,inside:{function:/^#?(?!\s)[_$a-zA-Z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*/,generic:{pattern:/<[\s\S]+/,alias:"class-name",inside:t}}}}),e.languages.ts=e.languages.typescript}(T),function(e){var t=e.languages.javascript,n=/\{(?:[^{}]|\{(?:[^{}]|\{[^{}]*\})*\})+\}/.source,r="(@(?:arg|argument|param|property)\\s+(?:"+n+"\\s+)?)";e.languages.jsdoc=e.languages.extend("javadoclike",{parameter:{pattern:RegExp(r+/(?:(?!\s)[$\w\xA0-\uFFFF.])+(?=\s|$)/.source),lookbehind:!0,inside:{punctuation:/\./}}}),e.languages.insertBefore("jsdoc","keyword",{"optional-parameter":{pattern:RegExp(r+/\[(?:(?!\s)[$\w\xA0-\uFFFF.])+(?:=[^[\]]+)?\](?=\s|$)/.source),lookbehind:!0,inside:{parameter:{pattern:/(^\[)[$\w\xA0-\uFFFF\.]+/,lookbehind:!0,inside:{punctuation:/\./}},code:{pattern:/(=)[\s\S]*(?=\]$)/,lookbehind:!0,inside:t,alias:"language-javascript"},punctuation:/[=[\]]/}},"class-name":[{pattern:RegExp(/(@(?:augments|class|extends|interface|memberof!?|template|this|typedef)\s+(?:<TYPE>\s+)?)[A-Z]\w*(?:\.[A-Z]\w*)*/.source.replace(/<TYPE>/g,(function(){return n}))),lookbehind:!0,inside:{punctuation:/\./}},{pattern:RegExp("(@[a-z]+\\s+)"+n),lookbehind:!0,inside:{string:t.string,number:t.number,boolean:t.boolean,keyword:e.languages.typescript.keyword,operator:/=>|\.\.\.|[&|?:*]/,punctuation:/[.,;=<>{}()[\]]/}}],example:{pattern:/(@example\s+(?!\s))(?:[^@\s]|\s+(?!\s))+?(?=\s*(?:\*\s*)?(?:@\w|\*\/))/,lookbehind:!0,inside:{code:{pattern:/^([\t ]*(?:\*\s*)?)\S.*$/m,lookbehind:!0,inside:t,alias:"language-javascript"}}}}),e.languages.javadoclike.addSupport("javascript",e.languages.jsdoc)}(T),function(e){e.languages.flow=e.languages.extend("javascript",{}),e.languages.insertBefore("flow","keyword",{type:[{pattern:/\b(?:[Bb]oolean|Function|[Nn]umber|[Ss]tring|[Ss]ymbol|any|mixed|null|void)\b/,alias:"class-name"}]}),e.languages.flow["function-variable"].pattern=/(?!\s)[_$a-z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*(?=\s*=\s*(?:function\b|(?:\([^()]*\)(?:\s*:\s*\w+)?|(?!\s)[_$a-z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*)\s*=>))/i,delete e.languages.flow.parameter,e.languages.insertBefore("flow","operator",{"flow-punctuation":{pattern:/\{\||\|\}/,alias:"punctuation"}}),Array.isArray(e.languages.flow.keyword)||(e.languages.flow.keyword=[e.languages.flow.keyword]),e.languages.flow.keyword.unshift({pattern:/(^|[^$]\b)(?:Class|declare|opaque|type)\b(?!\$)/,lookbehind:!0},{pattern:/(^|[^$]\B)\$(?:Diff|Enum|Exact|Keys|ObjMap|PropertyType|Record|Shape|Subtype|Supertype|await)\b(?!\$)/,lookbehind:!0})}(T),T.languages.n4js=T.languages.extend("javascript",{keyword:/\b(?:Array|any|boolean|break|case|catch|class|const|constructor|continue|debugger|declare|default|delete|do|else|enum|export|extends|false|finally|for|from|function|get|if|implements|import|in|instanceof|interface|let|module|new|null|number|package|private|protected|public|return|set|static|string|super|switch|this|throw|true|try|typeof|var|void|while|with|yield)\b/}),T.languages.insertBefore("n4js","constant",{annotation:{pattern:/@+\w+/,alias:"operator"}}),T.languages.n4jsd=T.languages.n4js,function(e){function t(e,t){return RegExp(e.replace(/<ID>/g,(function(){return/(?!\s)[_$a-zA-Z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*/.source})),t)}e.languages.insertBefore("javascript","function-variable",{"method-variable":{pattern:RegExp("(\\.\\s*)"+e.languages.javascript["function-variable"].pattern.source),lookbehind:!0,alias:["function-variable","method","function","property-access"]}}),e.languages.insertBefore("javascript","function",{method:{pattern:RegExp("(\\.\\s*)"+e.languages.javascript.function.source),lookbehind:!0,alias:["function","property-access"]}}),e.languages.insertBefore("javascript","constant",{"known-class-name":[{pattern:/\b(?:(?:Float(?:32|64)|(?:Int|Uint)(?:8|16|32)|Uint8Clamped)?Array|ArrayBuffer|BigInt|Boolean|DataView|Date|Error|Function|Intl|JSON|(?:Weak)?(?:Map|Set)|Math|Number|Object|Promise|Proxy|Reflect|RegExp|String|Symbol|WebAssembly)\b/,alias:"class-name"},{pattern:/\b(?:[A-Z]\w*)Error\b/,alias:"class-name"}]}),e.languages.insertBefore("javascript","keyword",{imports:{pattern:t(/(\bimport\b\s*)(?:<ID>(?:\s*,\s*(?:\*\s*as\s+<ID>|\{[^{}]*\}))?|\*\s*as\s+<ID>|\{[^{}]*\})(?=\s*\bfrom\b)/.source),lookbehind:!0,inside:e.languages.javascript},exports:{pattern:t(/(\bexport\b\s*)(?:\*(?:\s*as\s+<ID>)?(?=\s*\bfrom\b)|\{[^{}]*\})/.source),lookbehind:!0,inside:e.languages.javascript}}),e.languages.javascript.keyword.unshift({pattern:/\b(?:as|default|export|from|import)\b/,alias:"module"},{pattern:/\b(?:await|break|catch|continue|do|else|finally|for|if|return|switch|throw|try|while|yield)\b/,alias:"control-flow"},{pattern:/\bnull\b/,alias:["null","nil"]},{pattern:/\bundefined\b/,alias:"nil"}),e.languages.insertBefore("javascript","operator",{spread:{pattern:/\.{3}/,alias:"operator"},arrow:{pattern:/=>/,alias:"operator"}}),e.languages.insertBefore("javascript","punctuation",{"property-access":{pattern:t(/(\.\s*)#?<ID>/.source),lookbehind:!0},"maybe-class-name":{pattern:/(^|[^$\w\xA0-\uFFFF])[A-Z][$\w\xA0-\uFFFF]+/,lookbehind:!0},dom:{pattern:/\b(?:document|(?:local|session)Storage|location|navigator|performance|window)\b/,alias:"variable"},console:{pattern:/\bconsole(?=\s*\.)/,alias:"class-name"}});for(var n=["function","function-variable","method","method-variable","property-access"],r=0;r<n.length;r++){var a=n[r],o=e.languages.javascript[a];a=(o="RegExp"===e.util.type(o)?e.languages.javascript[a]={pattern:o}:o).inside||{};(o.inside=a)["maybe-class-name"]=/^[A-Z][\s\S]*/}}(T),function(e){var t=e.util.clone(e.languages.javascript),n=/(?:\s|\/\/.*(?!.)|\/\*(?:[^*]|\*(?!\/))\*\/)/.source,r=/(?:\{(?:\{(?:\{[^{}]*\}|[^{}])*\}|[^{}])*\})/.source,a=/(?:\{<S>*\.{3}(?:[^{}]|<BRACES>)*\})/.source;function o(e,t){return e=e.replace(/<S>/g,(function(){return n})).replace(/<BRACES>/g,(function(){return r})).replace(/<SPREAD>/g,(function(){return a})),RegExp(e,t)}function i(t){for(var n=[],r=0;r<t.length;r++){var a=t[r],o=!1;"string"!=typeof a&&("tag"===a.type&&a.content[0]&&"tag"===a.content[0].type?"</"===a.content[0].content[0].content?0<n.length&&n[n.length-1].tagName===s(a.content[0].content[1])&&n.pop():"/>"!==a.content[a.content.length-1].content&&n.push({tagName:s(a.content[0].content[1]),openedBraces:0}):0<n.length&&"punctuation"===a.type&&"{"===a.content?n[n.length-1].openedBraces++:0<n.length&&0<n[n.length-1].openedBraces&&"punctuation"===a.type&&"}"===a.content?n[n.length-1].openedBraces--:o=!0),(o||"string"==typeof a)&&0<n.length&&0===n[n.length-1].openedBraces&&(o=s(a),r<t.length-1&&("string"==typeof t[r+1]||"plain-text"===t[r+1].type)&&(o+=s(t[r+1]),t.splice(r+1,1)),0<r&&("string"==typeof t[r-1]||"plain-text"===t[r-1].type)&&(o=s(t[r-1])+o,t.splice(r-1,1),r--),t[r]=new e.Token("plain-text",o,null,o)),a.content&&"string"!=typeof a.content&&i(a.content)}}a=o(a).source,e.languages.jsx=e.languages.extend("markup",t),e.languages.jsx.tag.pattern=o(/<\/?(?:[\w.:-]+(?:<S>+(?:[\w.:$-]+(?:=(?:"(?:\\[\s\S]|[^\\"])*"|'(?:\\[\s\S]|[^\\'])*'|[^\s{'"/>=]+|<BRACES>))?|<SPREAD>))*<S>*\/?)?>/.source),e.languages.jsx.tag.inside.tag.pattern=/^<\/?[^\s>\/]*/,e.languages.jsx.tag.inside["attr-value"].pattern=/=(?!\{)(?:"(?:\\[\s\S]|[^\\"])*"|'(?:\\[\s\S]|[^\\'])*'|[^\s'">]+)/,e.languages.jsx.tag.inside.tag.inside["class-name"]=/^[A-Z]\w*(?:\.[A-Z]\w*)*$/,e.languages.jsx.tag.inside.comment=t.comment,e.languages.insertBefore("inside","attr-name",{spread:{pattern:o(/<SPREAD>/.source),inside:e.languages.jsx}},e.languages.jsx.tag),e.languages.insertBefore("inside","special-attr",{script:{pattern:o(/=<BRACES>/.source),alias:"language-javascript",inside:{"script-punctuation":{pattern:/^=(?=\{)/,alias:"punctuation"},rest:e.languages.jsx}}},e.languages.jsx.tag);var s=function(e){return e?"string"==typeof e?e:"string"==typeof e.content?e.content:e.content.map(s).join(""):""};e.hooks.add("after-tokenize",(function(e){"jsx"!==e.language&&"tsx"!==e.language||i(e.tokens)}))}(T),function(e){var t=e.util.clone(e.languages.typescript);(t=(e.languages.tsx=e.languages.extend("jsx",t),delete e.languages.tsx.parameter,delete e.languages.tsx["literal-property"],e.languages.tsx.tag)).pattern=RegExp(/(^|[^\w$]|(?=<\/))/.source+"(?:"+t.pattern.source+")",t.pattern.flags),t.lookbehind=!0}(T),T.languages.swift={comment:{pattern:/(^|[^\\:])(?:\/\/.*|\/\*(?:[^/*]|\/(?!\*)|\*(?!\/)|\/\*(?:[^*]|\*(?!\/))*\*\/)*\*\/)/,lookbehind:!0,greedy:!0},"string-literal":[{pattern:RegExp(/(^|[^"#])/.source+"(?:"+/"(?:\\(?:\((?:[^()]|\([^()]*\))*\)|\r\n|[^(])|[^\\\r\n"])*"/.source+"|"+/"""(?:\\(?:\((?:[^()]|\([^()]*\))*\)|[^(])|[^\\"]|"(?!""))*"""/.source+")"+/(?!["#])/.source),lookbehind:!0,greedy:!0,inside:{interpolation:{pattern:/(\\\()(?:[^()]|\([^()]*\))*(?=\))/,lookbehind:!0,inside:null},"interpolation-punctuation":{pattern:/^\)|\\\($/,alias:"punctuation"},punctuation:/\\(?=[\r\n])/,string:/[\s\S]+/}},{pattern:RegExp(/(^|[^"#])(#+)/.source+"(?:"+/"(?:\\(?:#+\((?:[^()]|\([^()]*\))*\)|\r\n|[^#])|[^\\\r\n])*?"/.source+"|"+/"""(?:\\(?:#+\((?:[^()]|\([^()]*\))*\)|[^#])|[^\\])*?"""/.source+")\\2"),lookbehind:!0,greedy:!0,inside:{interpolation:{pattern:/(\\#+\()(?:[^()]|\([^()]*\))*(?=\))/,lookbehind:!0,inside:null},"interpolation-punctuation":{pattern:/^\)|\\#+\($/,alias:"punctuation"},string:/[\s\S]+/}}],directive:{pattern:RegExp(/#/.source+"(?:"+/(?:elseif|if)\b/.source+"(?:[ \t]*"+/(?:![ \t]*)?(?:\b\w+\b(?:[ \t]*\((?:[^()]|\([^()]*\))*\))?|\((?:[^()]|\([^()]*\))*\))(?:[ \t]*(?:&&|\|\|))?/.source+")+|"+/(?:else|endif)\b/.source+")"),alias:"property",inside:{"directive-name":/^#\w+/,boolean:/\b(?:false|true)\b/,number:/\b\d+(?:\.\d+)*\b/,operator:/!|&&|\|\||[<>]=?/,punctuation:/[(),]/}},literal:{pattern:/#(?:colorLiteral|column|dsohandle|file(?:ID|Literal|Path)?|function|imageLiteral|line)\b/,alias:"constant"},"other-directive":{pattern:/#\w+\b/,alias:"property"},attribute:{pattern:/@\w+/,alias:"atrule"},"function-definition":{pattern:/(\bfunc\s+)\w+/,lookbehind:!0,alias:"function"},label:{pattern:/\b(break|continue)\s+\w+|\b[a-zA-Z_]\w*(?=\s*:\s*(?:for|repeat|while)\b)/,lookbehind:!0,alias:"important"},keyword:/\b(?:Any|Protocol|Self|Type|actor|as|assignment|associatedtype|associativity|async|await|break|case|catch|class|continue|convenience|default|defer|deinit|didSet|do|dynamic|else|enum|extension|fallthrough|fileprivate|final|for|func|get|guard|higherThan|if|import|in|indirect|infix|init|inout|internal|is|isolated|lazy|left|let|lowerThan|mutating|none|nonisolated|nonmutating|open|operator|optional|override|postfix|precedencegroup|prefix|private|protocol|public|repeat|required|rethrows|return|right|safe|self|set|some|static|struct|subscript|super|switch|throw|throws|try|typealias|unowned|unsafe|var|weak|where|while|willSet)\b/,boolean:/\b(?:false|true)\b/,nil:{pattern:/\bnil\b/,alias:"constant"},"short-argument":/\$\d+\b/,omit:{pattern:/\b_\b/,alias:"keyword"},number:/\b(?:[\d_]+(?:\.[\de_]+)?|0x[a-f0-9_]+(?:\.[a-f0-9p_]+)?|0b[01_]+|0o[0-7_]+)\b/i,"class-name":/\b[A-Z](?:[A-Z_\d]*[a-z]\w*)?\b/,function:/\b[a-z_]\w*(?=\s*\()/i,constant:/\b(?:[A-Z_]{2,}|k[A-Z][A-Za-z_]+)\b/,operator:/[-+*/%=!<>&|^~?]+|\.[.\-+*/%=!<>&|^~?]+/,punctuation:/[{}[\]();,.:\\]/},T.languages.swift["string-literal"].forEach((function(e){e.inside.interpolation.inside=T.languages.swift})),function(e){e.languages.kotlin=e.languages.extend("clike",{keyword:{pattern:/(^|[^.])\b(?:abstract|actual|annotation|as|break|by|catch|class|companion|const|constructor|continue|crossinline|data|do|dynamic|else|enum|expect|external|final|finally|for|fun|get|if|import|in|infix|init|inline|inner|interface|internal|is|lateinit|noinline|null|object|open|operator|out|override|package|private|protected|public|reified|return|sealed|set|super|suspend|tailrec|this|throw|to|try|typealias|val|var|vararg|when|where|while)\b/,lookbehind:!0},function:[{pattern:/(?:`[^\r\n`]+`|\b\w+)(?=\s*\()/,greedy:!0},{pattern:/(\.)(?:`[^\r\n`]+`|\w+)(?=\s*\{)/,lookbehind:!0,greedy:!0}],number:/\b(?:0[xX][\da-fA-F]+(?:_[\da-fA-F]+)*|0[bB][01]+(?:_[01]+)*|\d+(?:_\d+)*(?:\.\d+(?:_\d+)*)?(?:[eE][+-]?\d+(?:_\d+)*)?[fFL]?)\b/,operator:/\+[+=]?|-[-=>]?|==?=?|!(?:!|==?)?|[\/*%<>]=?|[?:]:?|\.\.|&&|\|\||\b(?:and|inv|or|shl|shr|ushr|xor)\b/}),delete e.languages.kotlin["class-name"];var t={"interpolation-punctuation":{pattern:/^\$\{?|\}$/,alias:"punctuation"},expression:{pattern:/[\s\S]+/,inside:e.languages.kotlin}};e.languages.insertBefore("kotlin","string",{"string-literal":[{pattern:/"""(?:[^$]|\$(?:(?!\{)|\{[^{}]*\}))*?"""/,alias:"multiline",inside:{interpolation:{pattern:/\$(?:[a-z_]\w*|\{[^{}]*\})/i,inside:t},string:/[\s\S]+/}},{pattern:/"(?:[^"\\\r\n$]|\\.|\$(?:(?!\{)|\{[^{}]*\}))*"/,alias:"singleline",inside:{interpolation:{pattern:/((?:^|[^\\])(?:\\{2})*)\$(?:[a-z_]\w*|\{[^{}]*\})/i,lookbehind:!0,inside:t},string:/[\s\S]+/}}],char:{pattern:/'(?:[^'\\\r\n]|\\(?:.|u[a-fA-F0-9]{0,4}))'/,greedy:!0}}),delete e.languages.kotlin.string,e.languages.insertBefore("kotlin","keyword",{annotation:{pattern:/\B@(?:\w+:)?(?:[A-Z]\w*|\[[^\]]+\])/,alias:"builtin"}}),e.languages.insertBefore("kotlin","function",{label:{pattern:/\b\w+@|@\w+\b/,alias:"symbol"}}),e.languages.kt=e.languages.kotlin,e.languages.kts=e.languages.kotlin}(T),T.languages.c=T.languages.extend("clike",{comment:{pattern:/\/\/(?:[^\r\n\\]|\\(?:\r\n?|\n|(?![\r\n])))*|\/\*[\s\S]*?(?:\*\/|$)/,greedy:!0},string:{pattern:/"(?:\\(?:\r\n|[\s\S])|[^"\\\r\n])*"/,greedy:!0},"class-name":{pattern:/(\b(?:enum|struct)\s+(?:__attribute__\s*\(\([\s\S]*?\)\)\s*)?)\w+|\b[a-z]\w*_t\b/,lookbehind:!0},keyword:/\b(?:_Alignas|_Alignof|_Atomic|_Bool|_Complex|_Generic|_Imaginary|_Noreturn|_Static_assert|_Thread_local|__attribute__|asm|auto|break|case|char|const|continue|default|do|double|else|enum|extern|float|for|goto|if|inline|int|long|register|return|short|signed|sizeof|static|struct|switch|typedef|typeof|union|unsigned|void|volatile|while)\b/,function:/\b[a-z_]\w*(?=\s*\()/i,number:/(?:\b0x(?:[\da-f]+(?:\.[\da-f]*)?|\.[\da-f]+)(?:p[+-]?\d+)?|(?:\b\d+(?:\.\d*)?|\B\.\d+)(?:e[+-]?\d+)?)[ful]{0,4}/i,operator:/>>=?|<<=?|->|([-+&|:])\1|[?:~]|[-+*/%&|^!=<>]=?/}),T.languages.insertBefore("c","string",{char:{pattern:/'(?:\\(?:\r\n|[\s\S])|[^'\\\r\n]){0,32}'/,greedy:!0}}),T.languages.insertBefore("c","string",{macro:{pattern:/(^[\t ]*)#\s*[a-z](?:[^\r\n\\/]|\/(?!\*)|\/\*(?:[^*]|\*(?!\/))*\*\/|\\(?:\r\n|[\s\S]))*/im,lookbehind:!0,greedy:!0,alias:"property",inside:{string:[{pattern:/^(#\s*include\s*)<[^>]+>/,lookbehind:!0},T.languages.c.string],char:T.languages.c.char,comment:T.languages.c.comment,"macro-name":[{pattern:/(^#\s*define\s+)\w+\b(?!\()/i,lookbehind:!0},{pattern:/(^#\s*define\s+)\w+\b(?=\()/i,lookbehind:!0,alias:"function"}],directive:{pattern:/^(#\s*)[a-z]+/,lookbehind:!0,alias:"keyword"},"directive-hash":/^#/,punctuation:/##|\\(?=[\r\n])/,expression:{pattern:/\S[\s\S]*/,inside:T.languages.c}}}}),T.languages.insertBefore("c","function",{constant:/\b(?:EOF|NULL|SEEK_CUR|SEEK_END|SEEK_SET|__DATE__|__FILE__|__LINE__|__TIMESTAMP__|__TIME__|__func__|stderr|stdin|stdout)\b/}),delete T.languages.c.boolean,T.languages.objectivec=T.languages.extend("c",{string:{pattern:/@?"(?:\\(?:\r\n|[\s\S])|[^"\\\r\n])*"/,greedy:!0},keyword:/\b(?:asm|auto|break|case|char|const|continue|default|do|double|else|enum|extern|float|for|goto|if|in|inline|int|long|register|return|self|short|signed|sizeof|static|struct|super|switch|typedef|typeof|union|unsigned|void|volatile|while)\b|(?:@interface|@end|@implementation|@protocol|@class|@public|@protected|@private|@property|@try|@catch|@finally|@throw|@synthesize|@dynamic|@selector)\b/,operator:/-[->]?|\+\+?|!=?|<<?=?|>>?=?|==?|&&?|\|\|?|[~^%?*\/@]/}),delete T.languages.objectivec["class-name"],T.languages.objc=T.languages.objectivec,T.languages.reason=T.languages.extend("clike",{string:{pattern:/"(?:\\(?:\r\n|[\s\S])|[^\\\r\n"])*"/,greedy:!0},"class-name":/\b[A-Z]\w*/,keyword:/\b(?:and|as|assert|begin|class|constraint|do|done|downto|else|end|exception|external|for|fun|function|functor|if|in|include|inherit|initializer|lazy|let|method|module|mutable|new|nonrec|object|of|open|or|private|rec|sig|struct|switch|then|to|try|type|val|virtual|when|while|with)\b/,operator:/\.{3}|:[:=]|\|>|->|=(?:==?|>)?|<=?|>=?|[|^?'#!~`]|[+\-*\/]\.?|\b(?:asr|land|lor|lsl|lsr|lxor|mod)\b/}),T.languages.insertBefore("reason","class-name",{char:{pattern:/'(?:\\x[\da-f]{2}|\\o[0-3][0-7][0-7]|\\\d{3}|\\.|[^'\\\r\n])'/,greedy:!0},constructor:/\b[A-Z]\w*\b(?!\s*\.)/,label:{pattern:/\b[a-z]\w*(?=::)/,alias:"symbol"}}),delete T.languages.reason.function,function(e){for(var t=/\/\*(?:[^*/]|\*(?!\/)|\/(?!\*)|<self>)*\*\//.source,n=0;n<2;n++)t=t.replace(/<self>/g,(function(){return t}));t=t.replace(/<self>/g,(function(){return/[^\s\S]/.source})),e.languages.rust={comment:[{pattern:RegExp(/(^|[^\\])/.source+t),lookbehind:!0,greedy:!0},{pattern:/(^|[^\\:])\/\/.*/,lookbehind:!0,greedy:!0}],string:{pattern:/b?"(?:\\[\s\S]|[^\\"])*"|b?r(#*)"(?:[^"]|"(?!\1))*"\1/,greedy:!0},char:{pattern:/b?'(?:\\(?:x[0-7][\da-fA-F]|u\{(?:[\da-fA-F]_*){1,6}\}|.)|[^\\\r\n\t'])'/,greedy:!0},attribute:{pattern:/#!?\[(?:[^\[\]"]|"(?:\\[\s\S]|[^\\"])*")*\]/,greedy:!0,alias:"attr-name",inside:{string:null}},"closure-params":{pattern:/([=(,:]\s*|\bmove\s*)\|[^|]*\||\|[^|]*\|(?=\s*(?:\{|->))/,lookbehind:!0,greedy:!0,inside:{"closure-punctuation":{pattern:/^\||\|$/,alias:"punctuation"},rest:null}},"lifetime-annotation":{pattern:/'\w+/,alias:"symbol"},"fragment-specifier":{pattern:/(\$\w+:)[a-z]+/,lookbehind:!0,alias:"punctuation"},variable:/\$\w+/,"function-definition":{pattern:/(\bfn\s+)\w+/,lookbehind:!0,alias:"function"},"type-definition":{pattern:/(\b(?:enum|struct|trait|type|union)\s+)\w+/,lookbehind:!0,alias:"class-name"},"module-declaration":[{pattern:/(\b(?:crate|mod)\s+)[a-z][a-z_\d]*/,lookbehind:!0,alias:"namespace"},{pattern:/(\b(?:crate|self|super)\s*)::\s*[a-z][a-z_\d]*\b(?:\s*::(?:\s*[a-z][a-z_\d]*\s*::)*)?/,lookbehind:!0,alias:"namespace",inside:{punctuation:/::/}}],keyword:[/\b(?:Self|abstract|as|async|await|become|box|break|const|continue|crate|do|dyn|else|enum|extern|final|fn|for|if|impl|in|let|loop|macro|match|mod|move|mut|override|priv|pub|ref|return|self|static|struct|super|trait|try|type|typeof|union|unsafe|unsized|use|virtual|where|while|yield)\b/,/\b(?:bool|char|f(?:32|64)|[ui](?:8|16|32|64|128|size)|str)\b/],function:/\b[a-z_]\w*(?=\s*(?:::\s*<|\())/,macro:{pattern:/\b\w+!/,alias:"property"},constant:/\b[A-Z_][A-Z_\d]+\b/,"class-name":/\b[A-Z]\w*\b/,namespace:{pattern:/(?:\b[a-z][a-z_\d]*\s*::\s*)*\b[a-z][a-z_\d]*\s*::(?!\s*<)/,inside:{punctuation:/::/}},number:/\b(?:0x[\dA-Fa-f](?:_?[\dA-Fa-f])*|0o[0-7](?:_?[0-7])*|0b[01](?:_?[01])*|(?:(?:\d(?:_?\d)*)?\.)?\d(?:_?\d)*(?:[Ee][+-]?\d+)?)(?:_?(?:f32|f64|[iu](?:8|16|32|64|size)?))?\b/,boolean:/\b(?:false|true)\b/,punctuation:/->|\.\.=|\.{1,3}|::|[{}[\];(),:]/,operator:/[-+*\/%!^]=?|=[=>]?|&[&=]?|\|[|=]?|<<?=?|>>?=?|[@?]/},e.languages.rust["closure-params"].inside.rest=e.languages.rust,e.languages.rust.attribute.inside.string=e.languages.rust.string}(T),T.languages.go=T.languages.extend("clike",{string:{pattern:/(^|[^\\])"(?:\\.|[^"\\\r\n])*"|`[^`]*`/,lookbehind:!0,greedy:!0},keyword:/\b(?:break|case|chan|const|continue|default|defer|else|fallthrough|for|func|go(?:to)?|if|import|interface|map|package|range|return|select|struct|switch|type|var)\b/,boolean:/\b(?:_|false|iota|nil|true)\b/,number:[/\b0(?:b[01_]+|o[0-7_]+)i?\b/i,/\b0x(?:[a-f\d_]+(?:\.[a-f\d_]*)?|\.[a-f\d_]+)(?:p[+-]?\d+(?:_\d+)*)?i?(?!\w)/i,/(?:\b\d[\d_]*(?:\.[\d_]*)?|\B\.\d[\d_]*)(?:e[+-]?[\d_]+)?i?(?!\w)/i],operator:/[*\/%^!=]=?|\+[=+]?|-[=-]?|\|[=|]?|&(?:=|&|\^=?)?|>(?:>=?|=)?|<(?:<=?|=|-)?|:=|\.\.\./,builtin:/\b(?:append|bool|byte|cap|close|complex|complex(?:64|128)|copy|delete|error|float(?:32|64)|u?int(?:8|16|32|64)?|imag|len|make|new|panic|print(?:ln)?|real|recover|rune|string|uintptr)\b/}),T.languages.insertBefore("go","string",{char:{pattern:/'(?:\\.|[^'\\\r\n]){0,10}'/,greedy:!0}}),delete T.languages.go["class-name"],function(e){var t=/\b(?:alignas|alignof|asm|auto|bool|break|case|catch|char|char16_t|char32_t|char8_t|class|co_await|co_return|co_yield|compl|concept|const|const_cast|consteval|constexpr|constinit|continue|decltype|default|delete|do|double|dynamic_cast|else|enum|explicit|export|extern|final|float|for|friend|goto|if|import|inline|int|int16_t|int32_t|int64_t|int8_t|long|module|mutable|namespace|new|noexcept|nullptr|operator|override|private|protected|public|register|reinterpret_cast|requires|return|short|signed|sizeof|static|static_assert|static_cast|struct|switch|template|this|thread_local|throw|try|typedef|typeid|typename|uint16_t|uint32_t|uint64_t|uint8_t|union|unsigned|using|virtual|void|volatile|wchar_t|while)\b/,n=/\b(?!<keyword>)\w+(?:\s*\.\s*\w+)*\b/.source.replace(/<keyword>/g,(function(){return t.source}));e.languages.cpp=e.languages.extend("c",{"class-name":[{pattern:RegExp(/(\b(?:class|concept|enum|struct|typename)\s+)(?!<keyword>)\w+/.source.replace(/<keyword>/g,(function(){return t.source}))),lookbehind:!0},/\b[A-Z]\w*(?=\s*::\s*\w+\s*\()/,/\b[A-Z_]\w*(?=\s*::\s*~\w+\s*\()/i,/\b\w+(?=\s*<(?:[^<>]|<(?:[^<>]|<[^<>]*>)*>)*>\s*::\s*\w+\s*\()/],keyword:t,number:{pattern:/(?:\b0b[01']+|\b0x(?:[\da-f']+(?:\.[\da-f']*)?|\.[\da-f']+)(?:p[+-]?[\d']+)?|(?:\b[\d']+(?:\.[\d']*)?|\B\.[\d']+)(?:e[+-]?[\d']+)?)[ful]{0,4}/i,greedy:!0},operator:/>>=?|<<=?|->|--|\+\+|&&|\|\||[?:~]|<=>|[-+*/%&|^!=<>]=?|\b(?:and|and_eq|bitand|bitor|not|not_eq|or|or_eq|xor|xor_eq)\b/,boolean:/\b(?:false|true)\b/}),e.languages.insertBefore("cpp","string",{module:{pattern:RegExp(/(\b(?:import|module)\s+)/.source+"(?:"+/"(?:\\(?:\r\n|[\s\S])|[^"\\\r\n])*"|<[^<>\r\n]*>/.source+"|"+/<mod-name>(?:\s*:\s*<mod-name>)?|:\s*<mod-name>/.source.replace(/<mod-name>/g,(function(){return n}))+")"),lookbehind:!0,greedy:!0,inside:{string:/^[<"][\s\S]+/,operator:/:/,punctuation:/\./}},"raw-string":{pattern:/R"([^()\\ ]{0,16})\([\s\S]*?\)\1"/,alias:"string",greedy:!0}}),e.languages.insertBefore("cpp","keyword",{"generic-function":{pattern:/\b(?!operator\b)[a-z_]\w*\s*<(?:[^<>]|<[^<>]*>)*>(?=\s*\()/i,inside:{function:/^\w+/,generic:{pattern:/<[\s\S]+/,alias:"class-name",inside:e.languages.cpp}}}}),e.languages.insertBefore("cpp","operator",{"double-colon":{pattern:/::/,alias:"punctuation"}}),e.languages.insertBefore("cpp","class-name",{"base-clause":{pattern:/(\b(?:class|struct)\s+\w+\s*:\s*)[^;{}"'\s]+(?:\s+[^;{}"'\s]+)*(?=\s*[;{])/,lookbehind:!0,greedy:!0,inside:e.languages.extend("cpp",{})}}),e.languages.insertBefore("inside","double-colon",{"class-name":/\b[a-z_]\w*\b(?!\s*::)/i},e.languages.cpp["base-clause"])}(T),T.languages.python={comment:{pattern:/(^|[^\\])#.*/,lookbehind:!0,greedy:!0},"string-interpolation":{pattern:/(?:f|fr|rf)(?:("""|''')[\s\S]*?\1|("|')(?:\\.|(?!\2)[^\\\r\n])*\2)/i,greedy:!0,inside:{interpolation:{pattern:/((?:^|[^{])(?:\{\{)*)\{(?!\{)(?:[^{}]|\{(?!\{)(?:[^{}]|\{(?!\{)(?:[^{}])+\})+\})+\}/,lookbehind:!0,inside:{"format-spec":{pattern:/(:)[^:(){}]+(?=\}$)/,lookbehind:!0},"conversion-option":{pattern:/![sra](?=[:}]$)/,alias:"punctuation"},rest:null}},string:/[\s\S]+/}},"triple-quoted-string":{pattern:/(?:[rub]|br|rb)?("""|''')[\s\S]*?\1/i,greedy:!0,alias:"string"},string:{pattern:/(?:[rub]|br|rb)?("|')(?:\\.|(?!\1)[^\\\r\n])*\1/i,greedy:!0},function:{pattern:/((?:^|\s)def[ \t]+)[a-zA-Z_]\w*(?=\s*\()/g,lookbehind:!0},"class-name":{pattern:/(\bclass\s+)\w+/i,lookbehind:!0},decorator:{pattern:/(^[\t ]*)@\w+(?:\.\w+)*/m,lookbehind:!0,alias:["annotation","punctuation"],inside:{punctuation:/\./}},keyword:/\b(?:_(?=\s*:)|and|as|assert|async|await|break|case|class|continue|def|del|elif|else|except|exec|finally|for|from|global|if|import|in|is|lambda|match|nonlocal|not|or|pass|print|raise|return|try|while|with|yield)\b/,builtin:/\b(?:__import__|abs|all|any|apply|ascii|basestring|bin|bool|buffer|bytearray|bytes|callable|chr|classmethod|cmp|coerce|compile|complex|delattr|dict|dir|divmod|enumerate|eval|execfile|file|filter|float|format|frozenset|getattr|globals|hasattr|hash|help|hex|id|input|int|intern|isinstance|issubclass|iter|len|list|locals|long|map|max|memoryview|min|next|object|oct|open|ord|pow|property|range|raw_input|reduce|reload|repr|reversed|round|set|setattr|slice|sorted|staticmethod|str|sum|super|tuple|type|unichr|unicode|vars|xrange|zip)\b/,boolean:/\b(?:False|None|True)\b/,number:/\b0(?:b(?:_?[01])+|o(?:_?[0-7])+|x(?:_?[a-f0-9])+)\b|(?:\b\d+(?:_\d+)*(?:\.(?:\d+(?:_\d+)*)?)?|\B\.\d+(?:_\d+)*)(?:e[+-]?\d+(?:_\d+)*)?j?(?!\w)/i,operator:/[-+%=]=?|!=|:=|\*\*?=?|\/\/?=?|<[<=>]?|>[=>]?|[&|^~]/,punctuation:/[{}[\];(),.:]/},T.languages.python["string-interpolation"].inside.interpolation.inside.rest=T.languages.python,T.languages.py=T.languages.python;((e,t)=>{for(var n in t)f(e,n,{get:t[n],enumerable:!0})})({},{dracula:()=>L,duotoneDark:()=>j,duotoneLight:()=>R,github:()=>P,jettwaveDark:()=>H,jettwaveLight:()=>Q,nightOwl:()=>N,nightOwlLight:()=>A,oceanicNext:()=>D,okaidia:()=>F,oneDark:()=>Z,oneLight:()=>V,palenight:()=>M,shadesOfPurple:()=>B,synthwave84:()=>z,ultramin:()=>$,vsDark:()=>U,vsLight:()=>q});var L={plain:{color:"#F8F8F2",backgroundColor:"#282A36"},styles:[{types:["prolog","constant","builtin"],style:{color:"rgb(189, 147, 249)"}},{types:["inserted","function"],style:{color:"rgb(80, 250, 123)"}},{types:["deleted"],style:{color:"rgb(255, 85, 85)"}},{types:["changed"],style:{color:"rgb(255, 184, 108)"}},{types:["punctuation","symbol"],style:{color:"rgb(248, 248, 242)"}},{types:["string","char","tag","selector"],style:{color:"rgb(255, 121, 198)"}},{types:["keyword","variable"],style:{color:"rgb(189, 147, 249)",fontStyle:"italic"}},{types:["comment"],style:{color:"rgb(98, 114, 164)"}},{types:["attr-name"],style:{color:"rgb(241, 250, 140)"}}]},j={plain:{backgroundColor:"#2a2734",color:"#9a86fd"},styles:[{types:["comment","prolog","doctype","cdata","punctuation"],style:{color:"#6c6783"}},{types:["namespace"],style:{opacity:.7}},{types:["tag","operator","number"],style:{color:"#e09142"}},{types:["property","function"],style:{color:"#9a86fd"}},{types:["tag-id","selector","atrule-id"],style:{color:"#eeebff"}},{types:["attr-name"],style:{color:"#c4b9fe"}},{types:["boolean","string","entity","url","attr-value","keyword","control","directive","unit","statement","regex","atrule","placeholder","variable"],style:{color:"#ffcc99"}},{types:["deleted"],style:{textDecorationLine:"line-through"}},{types:["inserted"],style:{textDecorationLine:"underline"}},{types:["italic"],style:{fontStyle:"italic"}},{types:["important","bold"],style:{fontWeight:"bold"}},{types:["important"],style:{color:"#c4b9fe"}}]},R={plain:{backgroundColor:"#faf8f5",color:"#728fcb"},styles:[{types:["comment","prolog","doctype","cdata","punctuation"],style:{color:"#b6ad9a"}},{types:["namespace"],style:{opacity:.7}},{types:["tag","operator","number"],style:{color:"#063289"}},{types:["property","function"],style:{color:"#b29762"}},{types:["tag-id","selector","atrule-id"],style:{color:"#2d2006"}},{types:["attr-name"],style:{color:"#896724"}},{types:["boolean","string","entity","url","attr-value","keyword","control","directive","unit","statement","regex","atrule"],style:{color:"#728fcb"}},{types:["placeholder","variable"],style:{color:"#93abdc"}},{types:["deleted"],style:{textDecorationLine:"line-through"}},{types:["inserted"],style:{textDecorationLine:"underline"}},{types:["italic"],style:{fontStyle:"italic"}},{types:["important","bold"],style:{fontWeight:"bold"}},{types:["important"],style:{color:"#896724"}}]},P={plain:{color:"#393A34",backgroundColor:"#f6f8fa"},styles:[{types:["comment","prolog","doctype","cdata"],style:{color:"#999988",fontStyle:"italic"}},{types:["namespace"],style:{opacity:.7}},{types:["string","attr-value"],style:{color:"#e3116c"}},{types:["punctuation","operator"],style:{color:"#393A34"}},{types:["entity","url","symbol","number","boolean","variable","constant","property","regex","inserted"],style:{color:"#36acaa"}},{types:["atrule","keyword","attr-name","selector"],style:{color:"#00a4db"}},{types:["function","deleted","tag"],style:{color:"#d73a49"}},{types:["function-variable"],style:{color:"#6f42c1"}},{types:["tag","selector","keyword"],style:{color:"#00009f"}}]},N={plain:{color:"#d6deeb",backgroundColor:"#011627"},styles:[{types:["changed"],style:{color:"rgb(162, 191, 252)",fontStyle:"italic"}},{types:["deleted"],style:{color:"rgba(239, 83, 80, 0.56)",fontStyle:"italic"}},{types:["inserted","attr-name"],style:{color:"rgb(173, 219, 103)",fontStyle:"italic"}},{types:["comment"],style:{color:"rgb(99, 119, 119)",fontStyle:"italic"}},{types:["string","url"],style:{color:"rgb(173, 219, 103)"}},{types:["variable"],style:{color:"rgb(214, 222, 235)"}},{types:["number"],style:{color:"rgb(247, 140, 108)"}},{types:["builtin","char","constant","function"],style:{color:"rgb(130, 170, 255)"}},{types:["punctuation"],style:{color:"rgb(199, 146, 234)"}},{types:["selector","doctype"],style:{color:"rgb(199, 146, 234)",fontStyle:"italic"}},{types:["class-name"],style:{color:"rgb(255, 203, 139)"}},{types:["tag","operator","keyword"],style:{color:"rgb(127, 219, 202)"}},{types:["boolean"],style:{color:"rgb(255, 88, 116)"}},{types:["property"],style:{color:"rgb(128, 203, 196)"}},{types:["namespace"],style:{color:"rgb(178, 204, 214)"}}]},A={plain:{color:"#403f53",backgroundColor:"#FBFBFB"},styles:[{types:["changed"],style:{color:"rgb(162, 191, 252)",fontStyle:"italic"}},{types:["deleted"],style:{color:"rgba(239, 83, 80, 0.56)",fontStyle:"italic"}},{types:["inserted","attr-name"],style:{color:"rgb(72, 118, 214)",fontStyle:"italic"}},{types:["comment"],style:{color:"rgb(152, 159, 177)",fontStyle:"italic"}},{types:["string","builtin","char","constant","url"],style:{color:"rgb(72, 118, 214)"}},{types:["variable"],style:{color:"rgb(201, 103, 101)"}},{types:["number"],style:{color:"rgb(170, 9, 130)"}},{types:["punctuation"],style:{color:"rgb(153, 76, 195)"}},{types:["function","selector","doctype"],style:{color:"rgb(153, 76, 195)",fontStyle:"italic"}},{types:["class-name"],style:{color:"rgb(17, 17, 17)"}},{types:["tag"],style:{color:"rgb(153, 76, 195)"}},{types:["operator","property","keyword","namespace"],style:{color:"rgb(12, 150, 155)"}},{types:["boolean"],style:{color:"rgb(188, 84, 84)"}}]},O="#c5a5c5",I="#8dc891",D={plain:{backgroundColor:"#282c34",color:"#ffffff"},styles:[{types:["attr-name"],style:{color:O}},{types:["attr-value"],style:{color:I}},{types:["comment","block-comment","prolog","doctype","cdata","shebang"],style:{color:"#999999"}},{types:["property","number","function-name","constant","symbol","deleted"],style:{color:"#5a9bcf"}},{types:["boolean"],style:{color:"#ff8b50"}},{types:["tag"],style:{color:"#fc929e"}},{types:["string"],style:{color:I}},{types:["punctuation"],style:{color:I}},{types:["selector","char","builtin","inserted"],style:{color:"#D8DEE9"}},{types:["function"],style:{color:"#79b6f2"}},{types:["operator","entity","url","variable"],style:{color:"#d7deea"}},{types:["keyword"],style:{color:O}},{types:["atrule","class-name"],style:{color:"#FAC863"}},{types:["important"],style:{fontWeight:"400"}},{types:["bold"],style:{fontWeight:"bold"}},{types:["italic"],style:{fontStyle:"italic"}},{types:["namespace"],style:{opacity:.7}}]},F={plain:{color:"#f8f8f2",backgroundColor:"#272822"},styles:[{types:["changed"],style:{color:"rgb(162, 191, 252)",fontStyle:"italic"}},{types:["deleted"],style:{color:"#f92672",fontStyle:"italic"}},{types:["inserted"],style:{color:"rgb(173, 219, 103)",fontStyle:"italic"}},{types:["comment"],style:{color:"#8292a2",fontStyle:"italic"}},{types:["string","url"],style:{color:"#a6e22e"}},{types:["variable"],style:{color:"#f8f8f2"}},{types:["number"],style:{color:"#ae81ff"}},{types:["builtin","char","constant","function","class-name"],style:{color:"#e6db74"}},{types:["punctuation"],style:{color:"#f8f8f2"}},{types:["selector","doctype"],style:{color:"#a6e22e",fontStyle:"italic"}},{types:["tag","operator","keyword"],style:{color:"#66d9ef"}},{types:["boolean"],style:{color:"#ae81ff"}},{types:["namespace"],style:{color:"rgb(178, 204, 214)",opacity:.7}},{types:["tag","property"],style:{color:"#f92672"}},{types:["attr-name"],style:{color:"#a6e22e !important"}},{types:["doctype"],style:{color:"#8292a2"}},{types:["rule"],style:{color:"#e6db74"}}]},M={plain:{color:"#bfc7d5",backgroundColor:"#292d3e"},styles:[{types:["comment"],style:{color:"rgb(105, 112, 152)",fontStyle:"italic"}},{types:["string","inserted"],style:{color:"rgb(195, 232, 141)"}},{types:["number"],style:{color:"rgb(247, 140, 108)"}},{types:["builtin","char","constant","function"],style:{color:"rgb(130, 170, 255)"}},{types:["punctuation","selector"],style:{color:"rgb(199, 146, 234)"}},{types:["variable"],style:{color:"rgb(191, 199, 213)"}},{types:["class-name","attr-name"],style:{color:"rgb(255, 203, 107)"}},{types:["tag","deleted"],style:{color:"rgb(255, 85, 114)"}},{types:["operator"],style:{color:"rgb(137, 221, 255)"}},{types:["boolean"],style:{color:"rgb(255, 88, 116)"}},{types:["keyword"],style:{fontStyle:"italic"}},{types:["doctype"],style:{color:"rgb(199, 146, 234)",fontStyle:"italic"}},{types:["namespace"],style:{color:"rgb(178, 204, 214)"}},{types:["url"],style:{color:"rgb(221, 221, 221)"}}]},B={plain:{color:"#9EFEFF",backgroundColor:"#2D2A55"},styles:[{types:["changed"],style:{color:"rgb(255, 238, 128)"}},{types:["deleted"],style:{color:"rgba(239, 83, 80, 0.56)"}},{types:["inserted"],style:{color:"rgb(173, 219, 103)"}},{types:["comment"],style:{color:"rgb(179, 98, 255)",fontStyle:"italic"}},{types:["punctuation"],style:{color:"rgb(255, 255, 255)"}},{types:["constant"],style:{color:"rgb(255, 98, 140)"}},{types:["string","url"],style:{color:"rgb(165, 255, 144)"}},{types:["variable"],style:{color:"rgb(255, 238, 128)"}},{types:["number","boolean"],style:{color:"rgb(255, 98, 140)"}},{types:["attr-name"],style:{color:"rgb(255, 180, 84)"}},{types:["keyword","operator","property","namespace","tag","selector","doctype"],style:{color:"rgb(255, 157, 0)"}},{types:["builtin","char","constant","function","class-name"],style:{color:"rgb(250, 208, 0)"}}]},z={plain:{backgroundColor:"linear-gradient(to bottom, #2a2139 75%, #34294f)",backgroundImage:"#34294f",color:"#f92aad",textShadow:"0 0 2px #100c0f, 0 0 5px #dc078e33, 0 0 10px #fff3"},styles:[{types:["comment","block-comment","prolog","doctype","cdata"],style:{color:"#495495",fontStyle:"italic"}},{types:["punctuation"],style:{color:"#ccc"}},{types:["tag","attr-name","namespace","number","unit","hexcode","deleted"],style:{color:"#e2777a"}},{types:["property","selector"],style:{color:"#72f1b8",textShadow:"0 0 2px #100c0f, 0 0 10px #257c5575, 0 0 35px #21272475"}},{types:["function-name"],style:{color:"#6196cc"}},{types:["boolean","selector-id","function"],style:{color:"#fdfdfd",textShadow:"0 0 2px #001716, 0 0 3px #03edf975, 0 0 5px #03edf975, 0 0 8px #03edf975"}},{types:["class-name","maybe-class-name","builtin"],style:{color:"#fff5f6",textShadow:"0 0 2px #000, 0 0 10px #fc1f2c75, 0 0 5px #fc1f2c75, 0 0 25px #fc1f2c75"}},{types:["constant","symbol"],style:{color:"#f92aad",textShadow:"0 0 2px #100c0f, 0 0 5px #dc078e33, 0 0 10px #fff3"}},{types:["important","atrule","keyword","selector-class"],style:{color:"#f4eee4",textShadow:"0 0 2px #393a33, 0 0 8px #f39f0575, 0 0 2px #f39f0575"}},{types:["string","char","attr-value","regex","variable"],style:{color:"#f87c32"}},{types:["parameter"],style:{fontStyle:"italic"}},{types:["entity","url"],style:{color:"#67cdcc"}},{types:["operator"],style:{color:"ffffffee"}},{types:["important","bold"],style:{fontWeight:"bold"}},{types:["italic"],style:{fontStyle:"italic"}},{types:["entity"],style:{cursor:"help"}},{types:["inserted"],style:{color:"green"}}]},$={plain:{color:"#282a2e",backgroundColor:"#ffffff"},styles:[{types:["comment"],style:{color:"rgb(197, 200, 198)"}},{types:["string","number","builtin","variable"],style:{color:"rgb(150, 152, 150)"}},{types:["class-name","function","tag","attr-name"],style:{color:"rgb(40, 42, 46)"}}]},U={plain:{color:"#9CDCFE",backgroundColor:"#1E1E1E"},styles:[{types:["prolog"],style:{color:"rgb(0, 0, 128)"}},{types:["comment"],style:{color:"rgb(106, 153, 85)"}},{types:["builtin","changed","keyword","interpolation-punctuation"],style:{color:"rgb(86, 156, 214)"}},{types:["number","inserted"],style:{color:"rgb(181, 206, 168)"}},{types:["constant"],style:{color:"rgb(100, 102, 149)"}},{types:["attr-name","variable"],style:{color:"rgb(156, 220, 254)"}},{types:["deleted","string","attr-value","template-punctuation"],style:{color:"rgb(206, 145, 120)"}},{types:["selector"],style:{color:"rgb(215, 186, 125)"}},{types:["tag"],style:{color:"rgb(78, 201, 176)"}},{types:["tag"],languages:["markup"],style:{color:"rgb(86, 156, 214)"}},{types:["punctuation","operator"],style:{color:"rgb(212, 212, 212)"}},{types:["punctuation"],languages:["markup"],style:{color:"#808080"}},{types:["function"],style:{color:"rgb(220, 220, 170)"}},{types:["class-name"],style:{color:"rgb(78, 201, 176)"}},{types:["char"],style:{color:"rgb(209, 105, 105)"}}]},q={plain:{color:"#000000",backgroundColor:"#ffffff"},styles:[{types:["comment"],style:{color:"rgb(0, 128, 0)"}},{types:["builtin"],style:{color:"rgb(0, 112, 193)"}},{types:["number","variable","inserted"],style:{color:"rgb(9, 134, 88)"}},{types:["operator"],style:{color:"rgb(0, 0, 0)"}},{types:["constant","char"],style:{color:"rgb(129, 31, 63)"}},{types:["tag"],style:{color:"rgb(128, 0, 0)"}},{types:["attr-name"],style:{color:"rgb(255, 0, 0)"}},{types:["deleted","string"],style:{color:"rgb(163, 21, 21)"}},{types:["changed","punctuation"],style:{color:"rgb(4, 81, 165)"}},{types:["function","keyword"],style:{color:"rgb(0, 0, 255)"}},{types:["class-name"],style:{color:"rgb(38, 127, 153)"}}]},H={plain:{color:"#f8fafc",backgroundColor:"#011627"},styles:[{types:["prolog"],style:{color:"#000080"}},{types:["comment"],style:{color:"#6A9955"}},{types:["builtin","changed","keyword","interpolation-punctuation"],style:{color:"#569CD6"}},{types:["number","inserted"],style:{color:"#B5CEA8"}},{types:["constant"],style:{color:"#f8fafc"}},{types:["attr-name","variable"],style:{color:"#9CDCFE"}},{types:["deleted","string","attr-value","template-punctuation"],style:{color:"#cbd5e1"}},{types:["selector"],style:{color:"#D7BA7D"}},{types:["tag"],style:{color:"#0ea5e9"}},{types:["tag"],languages:["markup"],style:{color:"#0ea5e9"}},{types:["punctuation","operator"],style:{color:"#D4D4D4"}},{types:["punctuation"],languages:["markup"],style:{color:"#808080"}},{types:["function"],style:{color:"#7dd3fc"}},{types:["class-name"],style:{color:"#0ea5e9"}},{types:["char"],style:{color:"#D16969"}}]},Q={plain:{color:"#0f172a",backgroundColor:"#f1f5f9"},styles:[{types:["prolog"],style:{color:"#000080"}},{types:["comment"],style:{color:"#6A9955"}},{types:["builtin","changed","keyword","interpolation-punctuation"],style:{color:"#0c4a6e"}},{types:["number","inserted"],style:{color:"#B5CEA8"}},{types:["constant"],style:{color:"#0f172a"}},{types:["attr-name","variable"],style:{color:"#0c4a6e"}},{types:["deleted","string","attr-value","template-punctuation"],style:{color:"#64748b"}},{types:["selector"],style:{color:"#D7BA7D"}},{types:["tag"],style:{color:"#0ea5e9"}},{types:["tag"],languages:["markup"],style:{color:"#0ea5e9"}},{types:["punctuation","operator"],style:{color:"#475569"}},{types:["punctuation"],languages:["markup"],style:{color:"#808080"}},{types:["function"],style:{color:"#0e7490"}},{types:["class-name"],style:{color:"#0ea5e9"}},{types:["char"],style:{color:"#D16969"}}]},Z={plain:{backgroundColor:"hsl(220, 13%, 18%)",color:"hsl(220, 14%, 71%)",textShadow:"0 1px rgba(0, 0, 0, 0.3)"},styles:[{types:["comment","prolog","cdata"],style:{color:"hsl(220, 10%, 40%)"}},{types:["doctype","punctuation","entity"],style:{color:"hsl(220, 14%, 71%)"}},{types:["attr-name","class-name","maybe-class-name","boolean","constant","number","atrule"],style:{color:"hsl(29, 54%, 61%)"}},{types:["keyword"],style:{color:"hsl(286, 60%, 67%)"}},{types:["property","tag","symbol","deleted","important"],style:{color:"hsl(355, 65%, 65%)"}},{types:["selector","string","char","builtin","inserted","regex","attr-value"],style:{color:"hsl(95, 38%, 62%)"}},{types:["variable","operator","function"],style:{color:"hsl(207, 82%, 66%)"}},{types:["url"],style:{color:"hsl(187, 47%, 55%)"}},{types:["deleted"],style:{textDecorationLine:"line-through"}},{types:["inserted"],style:{textDecorationLine:"underline"}},{types:["italic"],style:{fontStyle:"italic"}},{types:["important","bold"],style:{fontWeight:"bold"}},{types:["important"],style:{color:"hsl(220, 14%, 71%)"}}]},V={plain:{backgroundColor:"hsl(230, 1%, 98%)",color:"hsl(230, 8%, 24%)"},styles:[{types:["comment","prolog","cdata"],style:{color:"hsl(230, 4%, 64%)"}},{types:["doctype","punctuation","entity"],style:{color:"hsl(230, 8%, 24%)"}},{types:["attr-name","class-name","boolean","constant","number","atrule"],style:{color:"hsl(35, 99%, 36%)"}},{types:["keyword"],style:{color:"hsl(301, 63%, 40%)"}},{types:["property","tag","symbol","deleted","important"],style:{color:"hsl(5, 74%, 59%)"}},{types:["selector","string","char","builtin","inserted","regex","attr-value","punctuation"],style:{color:"hsl(119, 34%, 47%)"}},{types:["variable","operator","function"],style:{color:"hsl(221, 87%, 60%)"}},{types:["url"],style:{color:"hsl(198, 99%, 37%)"}},{types:["deleted"],style:{textDecorationLine:"line-through"}},{types:["inserted"],style:{textDecorationLine:"underline"}},{types:["italic"],style:{fontStyle:"italic"}},{types:["important","bold"],style:{fontWeight:"bold"}},{types:["important"],style:{color:"hsl(230, 8%, 24%)"}}]},W=(e,t)=>{const{plain:n}=e,r=e.styles.reduce(((e,n)=>{const{languages:r,style:a}=n;return r&&!r.includes(t)||n.types.forEach((t=>{const n=S(S({},e[t]),a);e[t]=n})),e}),{});return r.root=n,r.plain=E(S({},n),{backgroundColor:void 0}),r},G=/\r\n|\r|\n/,X=e=>{0===e.length?e.push({types:["plain"],content:"\n",empty:!0}):1===e.length&&""===e[0].content&&(e[0].content="\n",e[0].empty=!0)},K=(e,t)=>{const n=e.length;return n>0&&e[n-1]===t?e:e.concat(t)},Y=e=>{const t=[[]],n=[e],r=[0],a=[e.length];let o=0,i=0,s=[];const l=[s];for(;i>-1;){for(;(o=r[i]++)<a[i];){let e,c=t[i];const u=n[i][o];if("string"==typeof u?(c=i>0?c:["plain"],e=u):(c=K(c,u.type),u.alias&&(c=K(c,u.alias)),e=u.content),"string"!=typeof e){i++,t.push(c),n.push(e),r.push(0),a.push(e.length);continue}const d=e.split(G),p=d.length;s.push({types:c,content:d[0]});for(let t=1;t<p;t++)X(s),l.push(s=[]),s.push({types:c,content:d[t]})}i--,t.pop(),n.pop(),r.pop(),a.pop()}return X(s),l},J=({children:e,language:t,code:n,theme:r,prism:a})=>{const o=t.toLowerCase(),i=((e,t)=>{const[n,r]=(0,u.useState)(W(t,e)),a=(0,u.useRef)(),o=(0,u.useRef)();return(0,u.useEffect)((()=>{t===a.current&&e===o.current||(a.current=t,o.current=e,r(W(t,e)))}),[e,t]),n})(o,r),s=(e=>(0,u.useCallback)((t=>{var n=t,{className:r,style:a,line:o}=n,i=_(n,["className","style","line"]);const s=E(S({},i),{className:(0,d.Z)("token-line",r)});return"object"==typeof e&&"plain"in e&&(s.style=e.plain),"object"==typeof a&&(s.style=S(S({},s.style||{}),a)),s}),[e]))(i),l=(e=>{const t=(0,u.useCallback)((({types:t,empty:n})=>{if(null!=e)return 1===t.length&&"plain"===t[0]?null!=n?{display:"inline-block"}:void 0:1===t.length&&null!=n?e[t[0]]:Object.assign(null!=n?{display:"inline-block"}:{},...t.map((t=>e[t])))}),[e]);return(0,u.useCallback)((e=>{var n=e,{token:r,className:a,style:o}=n,i=_(n,["token","className","style"]);const s=E(S({},i),{className:(0,d.Z)("token",...r.types,a),children:r.content,style:t(r)});return null!=o&&(s.style=S(S({},s.style||{}),o)),s}),[t])})(i),c=(({prism:e,code:t,grammar:n,language:r})=>{const a=(0,u.useRef)(e);return(0,u.useMemo)((()=>{if(null==n)return Y([t]);const e={code:t,grammar:n,language:r,tokens:[]};return a.current.hooks.run("before-tokenize",e),e.tokens=a.current.tokenize(t,n),a.current.hooks.run("after-tokenize",e),Y(e.tokens)}),[t,n,r])})({prism:a,language:o,code:n,grammar:a.languages[o]});return e({tokens:c,className:`prism-code language-${o}`,style:null!=i?i.root:{},getLineProps:s,getTokenProps:l})},ee=e=>(0,u.createElement)(J,E(S({},e),{prism:e.prism||T,theme:e.theme||U,code:e.code,language:e.language}))},8776:(e,t,n)=>{"use strict";n.d(t,{Z:()=>o});var r=!0,a="Invariant failed";function o(e,t){if(!e){if(r)throw new Error(a);var n="function"==typeof t?t():t,o=n?"".concat(a,": ").concat(n):a;throw new Error(o)}}},7582:(e,t,n)=>{"use strict";n.r(t),n.d(t,{__addDisposableResource:()=>O,__assign:()=>o,__asyncDelegator:()=>_,__asyncGenerator:()=>E,__asyncValues:()=>C,__await:()=>S,__awaiter:()=>h,__classPrivateFieldGet:()=>P,__classPrivateFieldIn:()=>A,__classPrivateFieldSet:()=>N,__createBinding:()=>g,__decorate:()=>s,__disposeResources:()=>D,__esDecorate:()=>c,__exportStar:()=>y,__extends:()=>a,__generator:()=>m,__importDefault:()=>R,__importStar:()=>j,__makeTemplateObject:()=>T,__metadata:()=>f,__param:()=>l,__propKey:()=>d,__read:()=>v,__rest:()=>i,__runInitializers:()=>u,__setFunctionName:()=>p,__spread:()=>w,__spreadArray:()=>x,__spreadArrays:()=>k,__values:()=>b,default:()=>F});var r=function(e,t){return r=Object.setPrototypeOf||{__proto__:[]}instanceof Array&&function(e,t){e.__proto__=t}||function(e,t){for(var n in t)Object.prototype.hasOwnProperty.call(t,n)&&(e[n]=t[n])},r(e,t)};function a(e,t){if("function"!=typeof t&&null!==t)throw new TypeError("Class extends value "+String(t)+" is not a constructor or null");function n(){this.constructor=e}r(e,t),e.prototype=null===t?Object.create(t):(n.prototype=t.prototype,new n)}var o=function(){return o=Object.assign||function(e){for(var t,n=1,r=arguments.length;n<r;n++)for(var a in t=arguments[n])Object.prototype.hasOwnProperty.call(t,a)&&(e[a]=t[a]);return e},o.apply(this,arguments)};function i(e,t){var n={};for(var r in e)Object.prototype.hasOwnProperty.call(e,r)&&t.indexOf(r)<0&&(n[r]=e[r]);if(null!=e&&"function"==typeof Object.getOwnPropertySymbols){var a=0;for(r=Object.getOwnPropertySymbols(e);a<r.length;a++)t.indexOf(r[a])<0&&Object.prototype.propertyIsEnumerable.call(e,r[a])&&(n[r[a]]=e[r[a]])}return n}function s(e,t,n,r){var a,o=arguments.length,i=o<3?t:null===r?r=Object.getOwnPropertyDescriptor(t,n):r;if("object"==typeof Reflect&&"function"==typeof Reflect.decorate)i=Reflect.decorate(e,t,n,r);else for(var s=e.length-1;s>=0;s--)(a=e[s])&&(i=(o<3?a(i):o>3?a(t,n,i):a(t,n))||i);return o>3&&i&&Object.defineProperty(t,n,i),i}function l(e,t){return function(n,r){t(n,r,e)}}function c(e,t,n,r,a,o){function i(e){if(void 0!==e&&"function"!=typeof e)throw new TypeError("Function expected");return e}for(var s,l=r.kind,c="getter"===l?"get":"setter"===l?"set":"value",u=!t&&e?r.static?e:e.prototype:null,d=t||(u?Object.getOwnPropertyDescriptor(u,r.name):{}),p=!1,f=n.length-1;f>=0;f--){var h={};for(var m in r)h[m]="access"===m?{}:r[m];for(var m in r.access)h.access[m]=r.access[m];h.addInitializer=function(e){if(p)throw new TypeError("Cannot add initializers after decoration has completed");o.push(i(e||null))};var g=(0,n[f])("accessor"===l?{get:d.get,set:d.set}:d[c],h);if("accessor"===l){if(void 0===g)continue;if(null===g||"object"!=typeof g)throw new TypeError("Object expected");(s=i(g.get))&&(d.get=s),(s=i(g.set))&&(d.set=s),(s=i(g.init))&&a.unshift(s)}else(s=i(g))&&("field"===l?a.unshift(s):d[c]=s)}u&&Object.defineProperty(u,r.name,d),p=!0}function u(e,t,n){for(var r=arguments.length>2,a=0;a<t.length;a++)n=r?t[a].call(e,n):t[a].call(e);return r?n:void 0}function d(e){return"symbol"==typeof e?e:"".concat(e)}function p(e,t,n){return"symbol"==typeof t&&(t=t.description?"[".concat(t.description,"]"):""),Object.defineProperty(e,"name",{configurable:!0,value:n?"".concat(n," ",t):t})}function f(e,t){if("object"==typeof Reflect&&"function"==typeof Reflect.metadata)return Reflect.metadata(e,t)}function h(e,t,n,r){return new(n||(n=Promise))((function(a,o){function i(e){try{l(r.next(e))}catch(t){o(t)}}function s(e){try{l(r.throw(e))}catch(t){o(t)}}function l(e){var t;e.done?a(e.value):(t=e.value,t instanceof n?t:new n((function(e){e(t)}))).then(i,s)}l((r=r.apply(e,t||[])).next())}))}function m(e,t){var n,r,a,o,i={label:0,sent:function(){if(1&a[0])throw a[1];return a[1]},trys:[],ops:[]};return o={next:s(0),throw:s(1),return:s(2)},"function"==typeof Symbol&&(o[Symbol.iterator]=function(){return this}),o;function s(s){return function(l){return function(s){if(n)throw new TypeError("Generator is already executing.");for(;o&&(o=0,s[0]&&(i=0)),i;)try{if(n=1,r&&(a=2&s[0]?r.return:s[0]?r.throw||((a=r.return)&&a.call(r),0):r.next)&&!(a=a.call(r,s[1])).done)return a;switch(r=0,a&&(s=[2&s[0],a.value]),s[0]){case 0:case 1:a=s;break;case 4:return i.label++,{value:s[1],done:!1};case 5:i.label++,r=s[1],s=[0];continue;case 7:s=i.ops.pop(),i.trys.pop();continue;default:if(!(a=i.trys,(a=a.length>0&&a[a.length-1])||6!==s[0]&&2!==s[0])){i=0;continue}if(3===s[0]&&(!a||s[1]>a[0]&&s[1]<a[3])){i.label=s[1];break}if(6===s[0]&&i.label<a[1]){i.label=a[1],a=s;break}if(a&&i.label<a[2]){i.label=a[2],i.ops.push(s);break}a[2]&&i.ops.pop(),i.trys.pop();continue}s=t.call(e,i)}catch(l){s=[6,l],r=0}finally{n=a=0}if(5&s[0])throw s[1];return{value:s[0]?s[1]:void 0,done:!0}}([s,l])}}}var g=Object.create?function(e,t,n,r){void 0===r&&(r=n);var a=Object.getOwnPropertyDescriptor(t,n);a&&!("get"in a?!t.__esModule:a.writable||a.configurable)||(a={enumerable:!0,get:function(){return t[n]}}),Object.defineProperty(e,r,a)}:function(e,t,n,r){void 0===r&&(r=n),e[r]=t[n]};function y(e,t){for(var n in e)"default"===n||Object.prototype.hasOwnProperty.call(t,n)||g(t,e,n)}function b(e){var t="function"==typeof Symbol&&Symbol.iterator,n=t&&e[t],r=0;if(n)return n.call(e);if(e&&"number"==typeof e.length)return{next:function(){return e&&r>=e.length&&(e=void 0),{value:e&&e[r++],done:!e}}};throw new TypeError(t?"Object is not iterable.":"Symbol.iterator is not defined.")}function v(e,t){var n="function"==typeof Symbol&&e[Symbol.iterator];if(!n)return e;var r,a,o=n.call(e),i=[];try{for(;(void 0===t||t-- >0)&&!(r=o.next()).done;)i.push(r.value)}catch(s){a={error:s}}finally{try{r&&!r.done&&(n=o.return)&&n.call(o)}finally{if(a)throw a.error}}return i}function w(){for(var e=[],t=0;t<arguments.length;t++)e=e.concat(v(arguments[t]));return e}function k(){for(var e=0,t=0,n=arguments.length;t<n;t++)e+=arguments[t].length;var r=Array(e),a=0;for(t=0;t<n;t++)for(var o=arguments[t],i=0,s=o.length;i<s;i++,a++)r[a]=o[i];return r}function x(e,t,n){if(n||2===arguments.length)for(var r,a=0,o=t.length;a<o;a++)!r&&a in t||(r||(r=Array.prototype.slice.call(t,0,a)),r[a]=t[a]);return e.concat(r||Array.prototype.slice.call(t))}function S(e){return this instanceof S?(this.v=e,this):new S(e)}function E(e,t,n){if(!Symbol.asyncIterator)throw new TypeError("Symbol.asyncIterator is not defined.");var r,a=n.apply(e,t||[]),o=[];return r={},i("next"),i("throw"),i("return"),r[Symbol.asyncIterator]=function(){return this},r;function i(e){a[e]&&(r[e]=function(t){return new Promise((function(n,r){o.push([e,t,n,r])>1||s(e,t)}))})}function s(e,t){try{(n=a[e](t)).value instanceof S?Promise.resolve(n.value.v).then(l,c):u(o[0][2],n)}catch(r){u(o[0][3],r)}var n}function l(e){s("next",e)}function c(e){s("throw",e)}function u(e,t){e(t),o.shift(),o.length&&s(o[0][0],o[0][1])}}function _(e){var t,n;return t={},r("next"),r("throw",(function(e){throw e})),r("return"),t[Symbol.iterator]=function(){return this},t;function r(r,a){t[r]=e[r]?function(t){return(n=!n)?{value:S(e[r](t)),done:!1}:a?a(t):t}:a}}function C(e){if(!Symbol.asyncIterator)throw new TypeError("Symbol.asyncIterator is not defined.");var t,n=e[Symbol.asyncIterator];return n?n.call(e):(e=b(e),t={},r("next"),r("throw"),r("return"),t[Symbol.asyncIterator]=function(){return this},t);function r(n){t[n]=e[n]&&function(t){return new Promise((function(r,a){(function(e,t,n,r){Promise.resolve(r).then((function(t){e({value:t,done:n})}),t)})(r,a,(t=e[n](t)).done,t.value)}))}}}function T(e,t){return Object.defineProperty?Object.defineProperty(e,"raw",{value:t}):e.raw=t,e}var L=Object.create?function(e,t){Object.defineProperty(e,"default",{enumerable:!0,value:t})}:function(e,t){e.default=t};function j(e){if(e&&e.__esModule)return e;var t={};if(null!=e)for(var n in e)"default"!==n&&Object.prototype.hasOwnProperty.call(e,n)&&g(t,e,n);return L(t,e),t}function R(e){return e&&e.__esModule?e:{default:e}}function P(e,t,n,r){if("a"===n&&!r)throw new TypeError("Private accessor was defined without a getter");if("function"==typeof t?e!==t||!r:!t.has(e))throw new TypeError("Cannot read private member from an object whose class did not declare it");return"m"===n?r:"a"===n?r.call(e):r?r.value:t.get(e)}function N(e,t,n,r,a){if("m"===r)throw new TypeError("Private method is not writable");if("a"===r&&!a)throw new TypeError("Private accessor was defined without a setter");if("function"==typeof t?e!==t||!a:!t.has(e))throw new TypeError("Cannot write private member to an object whose class did not declare it");return"a"===r?a.call(e,n):a?a.value=n:t.set(e,n),n}function A(e,t){if(null===t||"object"!=typeof t&&"function"!=typeof t)throw new TypeError("Cannot use 'in' operator on non-object");return"function"==typeof e?t===e:e.has(t)}function O(e,t,n){if(null!=t){if("object"!=typeof t&&"function"!=typeof t)throw new TypeError("Object expected.");var r;if(n){if(!Symbol.asyncDispose)throw new TypeError("Symbol.asyncDispose is not defined.");r=t[Symbol.asyncDispose]}if(void 0===r){if(!Symbol.dispose)throw new TypeError("Symbol.dispose is not defined.");r=t[Symbol.dispose]}if("function"!=typeof r)throw new TypeError("Object not disposable.");e.stack.push({value:t,dispose:r,async:n})}else n&&e.stack.push({async:!0});return t}var I="function"==typeof SuppressedError?SuppressedError:function(e,t,n){var r=new Error(n);return r.name="SuppressedError",r.error=e,r.suppressed=t,r};function D(e){function t(t){e.error=e.hasError?new I(t,e.error,"An error was suppressed during disposal."):t,e.hasError=!0}return function n(){for(;e.stack.length;){var r=e.stack.pop();try{var a=r.dispose&&r.dispose.call(r.value);if(r.async)return Promise.resolve(a).then(n,(function(e){return t(e),n()}))}catch(o){t(o)}}if(e.hasError)throw e.error}()}const F={__extends:a,__assign:o,__rest:i,__decorate:s,__param:l,__metadata:f,__awaiter:h,__generator:m,__createBinding:g,__exportStar:y,__values:b,__read:v,__spread:w,__spreadArrays:k,__spreadArray:x,__await:S,__asyncGenerator:E,__asyncDelegator:_,__asyncValues:C,__makeTemplateObject:T,__importStar:j,__importDefault:R,__classPrivateFieldGet:P,__classPrivateFieldSet:N,__classPrivateFieldIn:A,__addDisposableResource:O,__disposeResources:D}},7529:e=>{"use strict";e.exports=JSON.parse('{"theme.ErrorPageContent.title":"\ud398\uc774\uc9c0\uac00 \ub2e4\uc6b4\ub418\uc5c8\uc2b5\ub2c8\ub2e4.","theme.ErrorPageContent.tryAgain":"\uc7ac\uc2dc\ub3c4","theme.NotFound.title":"\ud398\uc774\uc9c0\ub97c \ucc3e\uc744 \uc218 \uc5c6\uc2b5\ub2c8\ub2e4","theme.NotFound.p1":"\ucc3e\uc73c\uc2dc\ub824\ub294 \ud398\uc774\uc9c0\ub97c \ucc3e\uc744 \uc218 \uc5c6\uc2b5\ub2c8\ub2e4.","theme.NotFound.p2":"\uc6d0\ub798 \ub9c1\ud06c\uc758 \ucd9c\ucc98\uc778 \uc0ac\uc774\ud2b8\uc758 \uc18c\uc720\uc790\uc5d0\uac8c \uc5f0\ub77d\ud558\uc5ec \ub9c1\ud06c\uac00 \ub04a\uc5b4\uc84c\uc74c\uc744 \uc54c\ub824\uc8fc\uc138\uc694.","theme.admonition.note":"\ube44\uace0","theme.admonition.tip":"\ud301","theme.admonition.danger":"\uc704\ud5d8","theme.admonition.info":"\uc815\ubcf4","theme.admonition.caution":"\uacbd\uace0","theme.AnnouncementBar.closeButtonAriaLabel":"\ub2eb\uae30","theme.BackToTopButton.buttonAriaLabel":"\ub9e8 \uc704\ub85c","theme.blog.archive.title":"\uc81c\ubaa9","theme.blog.archive.description":"\uc124\uba85","theme.blog.paginator.navAriaLabel":"\ube14\ub85c\uadf8 \ub124\ube44\uac8c\uc774\uc158","theme.blog.paginator.newerEntries":"\uc0c8\ub85c\uc6b4 \uae00","theme.blog.paginator.olderEntries":"\uc774\uc804 \uae00","theme.blog.post.paginator.navAriaLabel":"\ube14\ub85c\uadf8 \ud3ec\uc2a4\ud2b8 \ub124\ube44\uac8c\uc774\uc158","theme.blog.post.paginator.newerPost":"\uc0c8\ub85c\uc6b4 \ud3ec\uc2a4\ud2b8","theme.blog.post.paginator.olderPost":"\uc774\uc804 \ud3ec\uc2a4\ud2b8","theme.blog.post.plurals":"{count} \uac1c\uc758 \ud3ec\uc2a4\ud2b8","theme.blog.tagTitle":"\u300c{tagName}\u300d \ud0dc\uadf8\uba85\uc744 \uac00\uc9c4 {nPosts}\uac1c\uc758 \ud3ec\uc2a4\ud2b8","theme.tags.tagsPageLink":"\ubaa8\ub4e0 \ud0dc\uadf8 \ubaa9\ub85d","theme.colorToggle.ariaLabel":"\ubc1d\uc740/\uc5b4\ub450\uc6b4 \ubaa8\ub4dc \uc804\ud658 (\ud604\uc7ac \ubaa8\ub4dc: {mode})","theme.colorToggle.ariaLabel.mode.dark":"\uc5b4\ub450\uc6b4 \ubaa8\ub4dc","theme.colorToggle.ariaLabel.mode.light":"\ubc1d\uc740 \ubaa8\ub4dc","theme.docs.breadcrumbs.home":"\ud648","theme.docs.breadcrumbs.navAriaLabel":"\ud398\uc774\uc9c0 \uacbd\ub85c","theme.docs.DocCard.categoryDescription":"{count} \uac1c\uc758 \ubb38\uc11c","theme.docs.paginator.navAriaLabel":"\ubb38\uc11c \ub124\ube44\uac8c\uc774\uc158","theme.docs.paginator.previous":"\uc774\uc804","theme.docs.paginator.next":"\ub2e4\uc74c","theme.docs.tagDocListPageTitle.nDocsTagged":"{count} \uac1c\uc758 \ubb38\uc11c","theme.docs.tagDocListPageTitle":"{nDocsTagged}\u300c{tagName}\u300d","theme.docs.versionBadge.label":"version: {versionLabel}","theme.docs.versions.unreleasedVersionLabel":"\uc774\uac83\uc740 \uc544\uc9c1 \ub9b4\ub9ac\uc988\ub418\uc9c0 \uc54a\uc740 \ubb38\uc11c\uc758 {siteTitle} {versionLabel} \ubc84\uc804\uc785\ub2c8\ub2e4.","theme.docs.versions.unmaintainedVersionLabel":"\uc774\uac83\uc740 \ub354 \uc774\uc0c1 \ud65c\ubc1c\ud558\uac8c \uc720\uc9c0 \uad00\ub9ac\ub418\uc9c0 \uc54a\ub294 {siteTitle} {versionLabel} \ubc84\uc804\uc5d0 \ub300\ud55c \ubb38\uc11c\uc785\ub2c8\ub2e4.","theme.docs.versions.latestVersionSuggestionLabel":"\ucd5c\uc2e0 \ubb38\uc11c\ub294 {latestVersionLink} ({versionLabel}) \uc744 \ucc38\uc870\ud558\uc138\uc694.","theme.docs.versions.latestVersionLinkLabel":"\ucd5c\uc2e0 \ubc84\uc804","theme.common.editThisPage":"\uc774 \ud398\uc774\uc9c0 \ud3b8\uc9d1","theme.common.headingLinkTitle":"\uc81c\ubaa9\uc5d0 \ub300\ud55c \uc9c1\uc811 \ub9c1\ud06c","theme.lastUpdated.atDate":"{date}\uc5d0","theme.lastUpdated.byUser":"{user}\uac00","theme.lastUpdated.lastUpdatedAtBy":"\ub9c8\uc9c0\ub9c9 {byUser}{atDate} \uc5c5\ub370\uc774\ud2b8","theme.navbar.mobileVersionsDropdown.label":"\ubc84\uc804 \uc120\ud0dd","theme.common.skipToMainContent":"\ubcf8\ubb38\uc73c\ub85c \uac74\ub108\ub6f0\uae30","theme.tags.tagsListLabel":"\ud0dc\uadf8 \ubaa9\ub85d","theme.blog.sidebar.navAriaLabel":"\ube14\ub85c\uadf8 \uc0ac\uc774\ub4dc\ubc14","theme.CodeBlock.copied":"\ubcf5\uc0ac\ub428","theme.CodeBlock.copyButtonAriaLabel":"\ucf54\ub4dc \ube14\ub85d \ubcf5\uc0ac","theme.CodeBlock.copy":"\ubcf5\uc0ac","theme.CodeBlock.wordWrapToggle":"\uc904 \ubc14\uafc8 \ud1a0\uae00","theme.DocSidebarItem.toggleCollapsedCategoryAriaLabel":"\uc0ac\uc774\ub4dc\ubc14 \uba54\ub274 \u300c{label}\u300d \uc5f4\uae30/\ub2eb\uae30","theme.navbar.mobileLanguageDropdown.label":"\uc5b8\uc5b4 \uc120\ud0dd","theme.TOCCollapsible.toggleButtonLabel":"\ubaa9\ucc28 \uc5f4\uae30/\ub2eb\uae30","theme.blog.post.readMore":"\ub354 \uc77d\uae30","theme.blog.post.readMoreLabel":"{title} \ube14\ub85c\uadf8 \uae00 \uc77d\uae30","theme.blog.post.readingTime.plurals":"\uc77d\ub294 \ub370 {readingTime} \ubd84\uc774 \uac78\ub9bd\ub2c8\ub2e4","theme.docs.sidebar.collapseButtonTitle":"\uc0ac\uc774\ub4dc\ubc14 \ub2eb\uae30","theme.docs.sidebar.collapseButtonAriaLabel":"\uc0ac\uc774\ub4dc\ubc14 \ub2eb\uae30","theme.navbar.mobileSidebarSecondaryMenu.backButtonLabel":"\u2190 \uba54\uc778 \uba54\ub274\ub85c \ub3cc\uc544\uac00\uae30","theme.docs.sidebar.expandButtonTitle":"\uc0ac\uc774\ub4dc\ubc14 \uc5f4\uae30","theme.docs.sidebar.expandButtonAriaLabel":"\uc0ac\uc774\ub4dc\ubc14 \uc5f4\uae30","theme.docs.sidebar.closeSidebarButtonAriaLabel":"\uc0ac\uc774\ub4dc\ubc14 \ub2eb\uae30","theme.docs.sidebar.toggleSidebarButtonAriaLabel":"\uc0ac\uc774\ub4dc\ubc14 \uc5f4\uae30/\ub2eb\uae30","theme.SearchBar.seeAll":"{count} \uac1c\uc758 \uacb0\uacfc \ub354 \ubcf4\uae30","theme.SearchPage.documentsFound.plurals":"{count} \uac1c\uc758 \ubb38\uc11c\ub97c \ucc3e\uc558\uc2b5\ub2c8\ub2e4","theme.SearchPage.existingResultsTitle":"\u300c{query}\u300d\uc5d0 \ub300\ud55c \uac80\uc0c9 \uacb0\uacfc","theme.SearchPage.emptyResultsTitle":"\uac80\uc0c9 \uacb0\uacfc \uc5c6\uc74c","theme.SearchPage.inputPlaceholder":"\uc5ec\uae30\uc5d0 \uac80\uc0c9\uc5b4 \uc785\ub825","theme.SearchPage.inputLabel":"\uac80\uc0c9","theme.SearchPage.algoliaLabel":"Algolia \uac80\uc0c9","theme.SearchPage.noResultsText":"\uac80\uc0c9 \uacb0\uacfc\uac00 \uc5c6\uc2b5\ub2c8\ub2e4","theme.SearchPage.fetchingNewResults":"\uc0c8 \uac80\uc0c9 \uacb0\uacfc \uac00\uc838\uc624\ub294 \uc911...","theme.SearchBar.label":"\uac80\uc0c9","theme.SearchModal.searchBox.resetButtonTitle":"\uac80\uc0c9\uc5b4 \ucd08\uae30\ud654","theme.SearchModal.searchBox.cancelButtonText":"\ucde8\uc18c","theme.SearchModal.startScreen.recentSearchesTitle":"\ucd5c\uadfc \uac80\uc0c9","theme.SearchModal.startScreen.noRecentSearchesText":"\ucd5c\uadfc \uac80\uc0c9 \uae30\ub85d\uc774 \uc5c6\uc2b5\ub2c8\ub2e4","theme.SearchModal.startScreen.saveRecentSearchButtonTitle":"\uc774 \uac80\uc0c9\uc744 \ucd5c\uadfc \uac80\uc0c9\uc5d0 \uc800\uc7a5","theme.SearchModal.startScreen.removeRecentSearchButtonTitle":"\ucd5c\uadfc \uac80\uc0c9\uc5d0\uc11c \uc774 \uac80\uc0c9 \uc0ad\uc81c","theme.SearchModal.startScreen.favoriteSearchesTitle":"\uc990\uaca8\ucc3e\uae30 \uac80\uc0c9","theme.SearchModal.startScreen.removeFavoriteSearchButtonTitle":"\uc990\uaca8\ucc3e\uae30 \uac80\uc0c9\uc5d0\uc11c \uc774 \uac80\uc0c9 \uc0ad\uc81c","theme.SearchModal.errorScreen.titleText":"\uac80\uc0c9 \uacb0\uacfc\ub97c \uac00\uc838\uc624\ub294 \uc911 \uc624\ub958\uac00 \ubc1c\uc0dd\ud588\uc2b5\ub2c8\ub2e4","theme.SearchModal.errorScreen.helpText":"\uac80\uc0c9 \uacb0\uacfc\ub97c \uac00\uc838\uc624\ub294 \uc911 \uc624\ub958\uac00 \ubc1c\uc0dd\ud588\uc2b5\ub2c8\ub2e4. \ub2e4\uc2dc \uc2dc\ub3c4\ud574 \uc8fc\uc138\uc694.","theme.SearchModal.footer.selectText":"\uc120\ud0dd","theme.SearchModal.footer.selectKeyAriaLabel":"Enter \ud0a4","theme.SearchModal.footer.navigateText":"\uc704\ucabd/\uc544\ub798\ucabd \ud654\uc0b4\ud45c \ud0a4","theme.SearchModal.footer.navigateUpKeyAriaLabel":"\uc704\ucabd \ud654\uc0b4\ud45c \ud0a4","theme.SearchModal.footer.navigateDownKeyAriaLabel":"\uc544\ub798\ucabd \ud654\uc0b4\ud45c \ud0a4","theme.SearchModal.footer.closeText":"\ub2eb\uae30 \ud0a4","theme.SearchModal.footer.closeKeyAriaLabel":"Esc \ud0a4","theme.SearchModal.footer.searchByText":"\uac80\uc0c9 \uacb0\uacfc","theme.SearchModal.noResultsScreen.noResultsText":"\uac80\uc0c9 \uacb0\uacfc\uac00 \uc5c6\uc2b5\ub2c8\ub2e4","theme.SearchModal.noResultsScreen.suggestedQueryText":"\ub2e4\uc74c \uac80\uc0c9\uc5b4\ub97c \uc2dc\ub3c4\ud574 \ubcf4\uc138\uc694:","theme.SearchModal.noResultsScreen.reportMissingResultsText":"\uc774 \uac80\uc0c9 \uacb0\uacfc\uac00 \ub204\ub77d\ub418\uc5c8\ub2e4\uace0 \uc0dd\uac01\ud569\ub2c8\uae4c?","theme.SearchModal.noResultsScreen.reportMissingResultsLinkText":"\uacb0\uacfc\ub97c \ubcf4\uace0\ud558\uae30","theme.SearchModal.placeholder":"\ubb38\uc11c \uac80\uc0c9","theme.tags.tagsPageTitle":"\ud0dc\uadf8 \ubaa9\ub85d"}')},6887:e=>{"use strict";e.exports=JSON.parse('{"/kr/search-e20":{"__comp":"1a4e3797","__context":{"plugin":"138e0e15"}},"/kr/-3c5":{"__comp":"5e95c892","__context":{"plugin":"aba21aa0"}},"/kr/-8a7":{"__comp":"a7bd4aaa","__props":"4636d62b"},"/kr/-e13":{"__comp":"a94703ab"},"/kr/advanced-5d7":{"__comp":"17896441","content":"df1a3a69"},"/kr/architecture-cbc":{"__comp":"17896441","content":"a43d9b4f"},"/kr/cli-f99":{"__comp":"17896441","content":"f5fc080a"},"/kr/cli/agent-ca4":{"__comp":"17896441","content":"832e9842"},"/kr/cli/certificate-b65":{"__comp":"17896441","content":"03ee9047"},"/kr/cli/etcd-snapshot-dd1":{"__comp":"17896441","content":"b1445c4f"},"/kr/cli/secrets-encrypt-69f":{"__comp":"17896441","content":"a1ce2930"},"/kr/cli/server-0e8":{"__comp":"17896441","content":"20aafa33"},"/kr/cli/token-a77":{"__comp":"17896441","content":"310030e7"},"/kr/cluster-access-3e1":{"__comp":"17896441","content":"c5022e3f"},"/kr/datastore-2fa":{"__comp":"17896441","content":"dd0fba39"},"/kr/datastore/backup-restore-df3":{"__comp":"17896441","content":"0a63d2fd"},"/kr/datastore/cluster-loadbalancer-162":{"__comp":"17896441","content":"d428bf88"},"/kr/datastore/ha-4e8":{"__comp":"17896441","content":"6a7149bd"},"/kr/datastore/ha-embedded-6bf":{"__comp":"17896441","content":"944a1646"},"/kr/faq-6ff":{"__comp":"17896441","content":"43a3241e"},"/kr/helm-91c":{"__comp":"17896441","content":"cfa0e807"},"/kr/installation-17d":{"__comp":"17896441","content":"a0c5848d"},"/kr/installation/airgap-8e2":{"__comp":"17896441","content":"42e456bb"},"/kr/installation/configuration-133":{"__comp":"17896441","content":"1fbd281a"},"/kr/installation/packaged-components-4fa":{"__comp":"17896441","content":"5133fc91"},"/kr/installation/private-registry-365":{"__comp":"17896441","content":"609981e6"},"/kr/installation/registry-mirror-6d6":{"__comp":"17896441","content":"289875c4"},"/kr/installation/requirements-78d":{"__comp":"17896441","content":"b97d3598"},"/kr/installation/server-roles-3ed":{"__comp":"17896441","content":"bccfb1cb"},"/kr/installation/uninstall-975":{"__comp":"17896441","content":"e8666366"},"/kr/known-issues-200":{"__comp":"17896441","content":"b44e7719"},"/kr/networking-f9e":{"__comp":"17896441","content":"a101d863"},"/kr/networking/basic-network-options-f76":{"__comp":"17896441","content":"6eb212a2"},"/kr/networking/distributed-multicloud-fac":{"__comp":"17896441","content":"d1c3e381"},"/kr/networking/multus-ipams-b20":{"__comp":"17896441","content":"9a11c291"},"/kr/networking/networking-services-e95":{"__comp":"17896441","content":"49689b7d"},"/kr/quick-start-8fd":{"__comp":"17896441","content":"9c4d4f7f"},"/kr/reference/env-variables-6fa":{"__comp":"17896441","content":"b87d0734"},"/kr/reference/flag-deprecation-048":{"__comp":"17896441","content":"914a16f4"},"/kr/reference/resource-profiling-903":{"__comp":"17896441","content":"105936f9"},"/kr/related-projects-291":{"__comp":"17896441","content":"e7c9153a"},"/kr/release-notes/v1.24.X-72c":{"__comp":"17896441","content":"d123a91e"},"/kr/release-notes/v1.25.X-204":{"__comp":"17896441","content":"9e7a009d"},"/kr/release-notes/v1.26.X-5c4":{"__comp":"17896441","content":"0ce5aa86"},"/kr/release-notes/v1.27.X-3b3":{"__comp":"17896441","content":"dd22e55f"},"/kr/release-notes/v1.28.X-a19":{"__comp":"17896441","content":"2f797aa4"},"/kr/release-notes/v1.29.X-188":{"__comp":"17896441","content":"0759a3f5"},"/kr/release-notes/v1.30.X-ca5":{"__comp":"17896441","content":"b8002741"},"/kr/security-853":{"__comp":"17896441","content":"1aef17e6"},"/kr/security/hardening-guide-351":{"__comp":"17896441","content":"18ace21a"},"/kr/security/secrets-encryption-d90":{"__comp":"17896441","content":"65309f9a"},"/kr/security/self-assessment-1.23-1c2":{"__comp":"17896441","content":"2c7731a3"},"/kr/security/self-assessment-1.24-6b8":{"__comp":"17896441","content":"feba781c"},"/kr/security/self-assessment-1.7-8b7":{"__comp":"17896441","content":"1a0c5791"},"/kr/security/self-assessment-1.8-f0d":{"__comp":"17896441","content":"f9fc8d33"},"/kr/storage-4ad":{"__comp":"17896441","content":"412d1b91"},"/kr/upgrades-028":{"__comp":"17896441","content":"3f659917"},"/kr/upgrades/automated-c02":{"__comp":"17896441","content":"c7700003"},"/kr/upgrades/killall-7a9":{"__comp":"17896441","content":"37e09f03"},"/kr/upgrades/manual-acb":{"__comp":"17896441","content":"e92581be"},"/kr/-bea":{"__comp":"17896441","content":"81cffba8"}}')}},e=>{e.O(0,[532],(()=>{return t=2849,e(e.s=t);var t}));e.O()}]); \ No newline at end of file diff --git a/kr/assets/js/main.fa808223.js.LICENSE.txt b/kr/assets/js/main.1bd5d7d5.js.LICENSE.txt similarity index 100% rename from kr/assets/js/main.fa808223.js.LICENSE.txt rename to kr/assets/js/main.1bd5d7d5.js.LICENSE.txt diff --git a/kr/assets/js/main.fa808223.js b/kr/assets/js/main.fa808223.js deleted file mode 100644 index 108399141..000000000 --- a/kr/assets/js/main.fa808223.js +++ /dev/null @@ -1,2 +0,0 @@ -/*! For license information please see main.fa808223.js.LICENSE.txt */ -(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[179],{1728:(e,t,n)=>{"use strict";function r(e){var t,n,a="";if("string"==typeof e||"number"==typeof e)a+=e;else if("object"==typeof e)if(Array.isArray(e))for(t=0;t<e.length;t++)e[t]&&(n=r(e[t]))&&(a&&(a+=" "),a+=n);else for(t in e)e[t]&&(a&&(a+=" "),a+=t);return a}n.d(t,{Z:()=>a});const a=function(){for(var e,t,n=0,a="";n<arguments.length;)(e=arguments[n++])&&(t=r(e))&&(a&&(a+=" "),a+=t);return a}},723:(e,t,n)=>{"use strict";n.d(t,{Z:()=>p});n(7294);var r=n(8356),a=n.n(r),o=n(6887);const i={"03ee9047":[()=>n.e(9482).then(n.bind(n,6029)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/cli/certificate.md",6029],"0759a3f5":[()=>n.e(2409).then(n.bind(n,2714)),"@site/docs/release-notes/v1.29.X.md",2714],"0a63d2fd":[()=>n.e(9341).then(n.bind(n,490)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/datastore/backup-restore.md",490],"0ce5aa86":[()=>n.e(1620).then(n.bind(n,3012)),"@site/docs/release-notes/v1.26.X.md",3012],"105936f9":[()=>n.e(3217).then(n.bind(n,2262)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/reference/resource-profiling.md",2262],"138e0e15":[()=>n.e(9524).then(n.t.bind(n,536,19)),"@generated/@easyops-cn/docusaurus-search-local/default/__plugin.json",536],17896441:[()=>Promise.all([n.e(532),n.e(7837),n.e(7918)]).then(n.bind(n,9666)),"@theme/DocItem",9666],"18ace21a":[()=>n.e(9269).then(n.bind(n,3497)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/security/hardening-guide.md",3497],"1a0c5791":[()=>n.e(482).then(n.bind(n,5319)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/security/self-assessment-1.7.md",5319],"1a4e3797":[()=>Promise.all([n.e(532),n.e(7920)]).then(n.bind(n,2027)),"@theme/SearchPage",2027],"1aef17e6":[()=>n.e(9169).then(n.bind(n,8761)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/security/security.md",8761],"1fbd281a":[()=>n.e(3229).then(n.bind(n,8803)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/installation/configuration.md",8803],"20aafa33":[()=>n.e(6515).then(n.bind(n,8188)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/cli/server.md",8188],"289875c4":[()=>n.e(6687).then(n.bind(n,9481)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/installation/registry-mirror.md",9481],"2c7731a3":[()=>n.e(3411).then(n.bind(n,3023)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/security/self-assessment-1.23.md",3023],"2f797aa4":[()=>n.e(101).then(n.bind(n,3989)),"@site/docs/release-notes/v1.28.X.md",3989],"310030e7":[()=>n.e(5749).then(n.bind(n,8235)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/cli/token.md",8235],"37e09f03":[()=>n.e(6328).then(n.bind(n,5288)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/upgrades/killall.md",5288],"3f659917":[()=>n.e(6278).then(n.bind(n,3595)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/upgrades/upgrades.md",3595],"412d1b91":[()=>n.e(651).then(n.bind(n,5142)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/storage.md",5142],"42e456bb":[()=>n.e(9654).then(n.bind(n,5706)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/installation/airgap.md",5706],"43a3241e":[()=>n.e(3892).then(n.bind(n,1465)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/faq.md",1465],"4636d62b":[()=>n.e(7364).then(n.t.bind(n,1416,19)),"@generated/docusaurus-plugin-content-docs/default/p/kr-817.json",1416],"49689b7d":[()=>n.e(1184).then(n.bind(n,9275)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/networking/networking-services.md",9275],"5133fc91":[()=>n.e(7355).then(n.bind(n,506)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/installation/packaged-components.md",506],"5e95c892":[()=>n.e(9661).then(n.bind(n,1892)),"@theme/DocsRoot",1892],"609981e6":[()=>n.e(2466).then(n.bind(n,509)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/installation/private-registry.md",509],"65309f9a":[()=>n.e(6005).then(n.bind(n,4417)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/security/secrets-encryption.md",4417],"6a7149bd":[()=>n.e(1894).then(n.bind(n,9280)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/datastore/ha.md",9280],"6eb212a2":[()=>n.e(5579).then(n.bind(n,711)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/networking/basic-network-options.md",711],"81cffba8":[()=>n.e(804).then(n.bind(n,8247)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/introduction.md",8247],"832e9842":[()=>n.e(9184).then(n.bind(n,9266)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/cli/agent.md",9266],"914a16f4":[()=>n.e(7626).then(n.bind(n,6050)),"@site/docs/reference/flag-deprecation.md",6050],"944a1646":[()=>n.e(2399).then(n.bind(n,4273)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/datastore/ha-embedded.md",4273],"9a11c291":[()=>n.e(7162).then(n.bind(n,9636)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/networking/multus-ipams.md",9636],"9c4d4f7f":[()=>n.e(6094).then(n.bind(n,932)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/quick-start.md",932],"9e7a009d":[()=>n.e(7251).then(n.bind(n,6253)),"@site/docs/release-notes/v1.25.X.md",6253],a0c5848d:[()=>n.e(9059).then(n.bind(n,5626)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/installation/installation.md",5626],a101d863:[()=>n.e(9166).then(n.bind(n,2683)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/networking/networking.md",2683],a1ce2930:[()=>n.e(2257).then(n.bind(n,4229)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/cli/secrets-encrypt.md",4229],a43d9b4f:[()=>n.e(3667).then(n.bind(n,1080)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/architecture.md",1080],a7bd4aaa:[()=>n.e(8518).then(n.bind(n,8564)),"@theme/DocVersionRoot",8564],a94703ab:[()=>Promise.all([n.e(532),n.e(4368)]).then(n.bind(n,2674)),"@theme/DocRoot",2674],aba21aa0:[()=>n.e(3629).then(n.t.bind(n,1765,19)),"@generated/docusaurus-plugin-content-docs/default/__plugin.json",1765],b1445c4f:[()=>n.e(547).then(n.bind(n,5832)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/cli/etcd-snapshot.md",5832],b44e7719:[()=>n.e(7565).then(n.bind(n,6245)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/known-issues.md",6245],b8002741:[()=>n.e(2573).then(n.bind(n,3338)),"@site/docs/release-notes/v1.30.X.md",3338],b87d0734:[()=>n.e(660).then(n.bind(n,8147)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/reference/env-variables.md",8147],b97d3598:[()=>n.e(7563).then(n.bind(n,8984)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/installation/requirements.md",8984],bccfb1cb:[()=>n.e(910).then(n.bind(n,5009)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/installation/server-roles.md",5009],c5022e3f:[()=>n.e(107).then(n.bind(n,2531)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/cluster-access.md",2531],c7700003:[()=>n.e(240).then(n.bind(n,1083)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/upgrades/automated.md",1083],cfa0e807:[()=>n.e(1385).then(n.bind(n,3934)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/helm.md",3934],d123a91e:[()=>n.e(855).then(n.bind(n,5418)),"@site/docs/release-notes/v1.24.X.md",5418],d1c3e381:[()=>n.e(7213).then(n.bind(n,676)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/networking/distributed-multicloud.md",676],d428bf88:[()=>n.e(3083).then(n.bind(n,5538)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/datastore/cluster-loadbalancer.md",5538],dd0fba39:[()=>n.e(7713).then(n.bind(n,6964)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/datastore/datastore.md",6964],dd22e55f:[()=>n.e(5668).then(n.bind(n,4840)),"@site/docs/release-notes/v1.27.X.md",4840],df1a3a69:[()=>n.e(6153).then(n.bind(n,8246)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/advanced.md",8246],e7c9153a:[()=>n.e(7544).then(n.bind(n,1875)),"@site/docs/related-projects.md",1875],e8666366:[()=>n.e(3936).then(n.bind(n,8925)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/installation/uninstall.md",8925],e92581be:[()=>n.e(5470).then(n.bind(n,7454)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/upgrades/manual.md",7454],f5fc080a:[()=>n.e(9176).then(n.bind(n,2296)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/cli/cli.md",2296],f9fc8d33:[()=>n.e(8804).then(n.bind(n,1773)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/security/self-assessment-1.8.md",1773],feba781c:[()=>n.e(5361).then(n.bind(n,1743)),"@site/i18n/kr/docusaurus-plugin-content-docs/current/security/self-assessment-1.24.md",1743]};var s=n(5893);function l(e){let{error:t,retry:n,pastDelay:r}=e;return t?(0,s.jsxs)("div",{style:{textAlign:"center",color:"#fff",backgroundColor:"#fa383e",borderColor:"#fa383e",borderStyle:"solid",borderRadius:"0.25rem",borderWidth:"1px",boxSizing:"border-box",display:"block",padding:"1rem",flex:"0 0 50%",marginLeft:"25%",marginRight:"25%",marginTop:"5rem",maxWidth:"50%",width:"100%"},children:[(0,s.jsx)("p",{children:String(t)}),(0,s.jsx)("div",{children:(0,s.jsx)("button",{type:"button",onClick:n,children:"Retry"})})]}):r?(0,s.jsx)("div",{style:{display:"flex",justifyContent:"center",alignItems:"center",height:"100vh"},children:(0,s.jsx)("svg",{id:"loader",style:{width:128,height:110,position:"absolute",top:"calc(100vh - 64%)"},viewBox:"0 0 45 45",xmlns:"http://www.w3.org/2000/svg",stroke:"#61dafb",children:(0,s.jsxs)("g",{fill:"none",fillRule:"evenodd",transform:"translate(1 1)",strokeWidth:"2",children:[(0,s.jsxs)("circle",{cx:"22",cy:"22",r:"6",strokeOpacity:"0",children:[(0,s.jsx)("animate",{attributeName:"r",begin:"1.5s",dur:"3s",values:"6;22",calcMode:"linear",repeatCount:"indefinite"}),(0,s.jsx)("animate",{attributeName:"stroke-opacity",begin:"1.5s",dur:"3s",values:"1;0",calcMode:"linear",repeatCount:"indefinite"}),(0,s.jsx)("animate",{attributeName:"stroke-width",begin:"1.5s",dur:"3s",values:"2;0",calcMode:"linear",repeatCount:"indefinite"})]}),(0,s.jsxs)("circle",{cx:"22",cy:"22",r:"6",strokeOpacity:"0",children:[(0,s.jsx)("animate",{attributeName:"r",begin:"3s",dur:"3s",values:"6;22",calcMode:"linear",repeatCount:"indefinite"}),(0,s.jsx)("animate",{attributeName:"stroke-opacity",begin:"3s",dur:"3s",values:"1;0",calcMode:"linear",repeatCount:"indefinite"}),(0,s.jsx)("animate",{attributeName:"stroke-width",begin:"3s",dur:"3s",values:"2;0",calcMode:"linear",repeatCount:"indefinite"})]}),(0,s.jsx)("circle",{cx:"22",cy:"22",r:"8",children:(0,s.jsx)("animate",{attributeName:"r",begin:"0s",dur:"1.5s",values:"6;1;2;3;4;5;6",calcMode:"linear",repeatCount:"indefinite"})})]})})}):null}var c=n(9670),u=n(226);function d(e,t){if("*"===e)return a()({loading:l,loader:()=>n.e(1772).then(n.bind(n,1772)),modules:["@theme/NotFound"],webpack:()=>[1772],render(e,t){const n=e.default;return(0,s.jsx)(u.z,{value:{plugin:{name:"native",id:"default"}},children:(0,s.jsx)(n,{...t})})}});const r=o[`${e}-${t}`],d={},p=[],f=[],h=(0,c.Z)(r);return Object.entries(h).forEach((e=>{let[t,n]=e;const r=i[n];r&&(d[t]=r[0],p.push(r[1]),f.push(r[2]))})),a().Map({loading:l,loader:d,modules:p,webpack:()=>f,render(t,n){const a=JSON.parse(JSON.stringify(r));Object.entries(t).forEach((t=>{let[n,r]=t;const o=r.default;if(!o)throw new Error(`The page component at ${e} doesn't have a default export. This makes it impossible to render anything. Consider default-exporting a React component.`);"object"!=typeof o&&"function"!=typeof o||Object.keys(r).filter((e=>"default"!==e)).forEach((e=>{o[e]=r[e]}));let i=a;const s=n.split(".");s.slice(0,-1).forEach((e=>{i=i[e]})),i[s[s.length-1]]=o}));const o=a.__comp;delete a.__comp;const i=a.__context;delete a.__context;const l=a.__props;return delete a.__props,(0,s.jsx)(u.z,{value:i,children:(0,s.jsx)(o,{...a,...l,...n})})}})}const p=[{path:"/kr/search",component:d("/kr/search","e20"),exact:!0},{path:"/kr/",component:d("/kr/","707"),routes:[{path:"/kr/",component:d("/kr/","5a1"),routes:[{path:"/kr/",component:d("/kr/","c77"),routes:[{path:"/kr/advanced",component:d("/kr/advanced","1b6"),exact:!0,sidebar:"mySidebar"},{path:"/kr/architecture",component:d("/kr/architecture","06d"),exact:!0,sidebar:"mySidebar"},{path:"/kr/cli",component:d("/kr/cli","c8f"),exact:!0,sidebar:"mySidebar"},{path:"/kr/cli/agent",component:d("/kr/cli/agent","2be"),exact:!0,sidebar:"mySidebar"},{path:"/kr/cli/certificate",component:d("/kr/cli/certificate","141"),exact:!0,sidebar:"mySidebar"},{path:"/kr/cli/etcd-snapshot",component:d("/kr/cli/etcd-snapshot","4a0"),exact:!0,sidebar:"mySidebar"},{path:"/kr/cli/secrets-encrypt",component:d("/kr/cli/secrets-encrypt","681"),exact:!0,sidebar:"mySidebar"},{path:"/kr/cli/server",component:d("/kr/cli/server","4c7"),exact:!0,sidebar:"mySidebar"},{path:"/kr/cli/token",component:d("/kr/cli/token","6a3"),exact:!0,sidebar:"mySidebar"},{path:"/kr/cluster-access",component:d("/kr/cluster-access","d4b"),exact:!0,sidebar:"mySidebar"},{path:"/kr/datastore",component:d("/kr/datastore","b2b"),exact:!0,sidebar:"mySidebar"},{path:"/kr/datastore/backup-restore",component:d("/kr/datastore/backup-restore","bc0"),exact:!0,sidebar:"mySidebar"},{path:"/kr/datastore/cluster-loadbalancer",component:d("/kr/datastore/cluster-loadbalancer","59d"),exact:!0,sidebar:"mySidebar"},{path:"/kr/datastore/ha",component:d("/kr/datastore/ha","065"),exact:!0,sidebar:"mySidebar"},{path:"/kr/datastore/ha-embedded",component:d("/kr/datastore/ha-embedded","ab9"),exact:!0,sidebar:"mySidebar"},{path:"/kr/faq",component:d("/kr/faq","155"),exact:!0,sidebar:"mySidebar"},{path:"/kr/helm",component:d("/kr/helm","4d3"),exact:!0,sidebar:"mySidebar"},{path:"/kr/installation",component:d("/kr/installation","c12"),exact:!0,sidebar:"mySidebar"},{path:"/kr/installation/airgap",component:d("/kr/installation/airgap","41b"),exact:!0,sidebar:"mySidebar"},{path:"/kr/installation/configuration",component:d("/kr/installation/configuration","ae9"),exact:!0,sidebar:"mySidebar"},{path:"/kr/installation/packaged-components",component:d("/kr/installation/packaged-components","aa1"),exact:!0,sidebar:"mySidebar"},{path:"/kr/installation/private-registry",component:d("/kr/installation/private-registry","0a8"),exact:!0,sidebar:"mySidebar"},{path:"/kr/installation/registry-mirror",component:d("/kr/installation/registry-mirror","76f"),exact:!0,sidebar:"mySidebar"},{path:"/kr/installation/requirements",component:d("/kr/installation/requirements","a42"),exact:!0,sidebar:"mySidebar"},{path:"/kr/installation/server-roles",component:d("/kr/installation/server-roles","300"),exact:!0,sidebar:"mySidebar"},{path:"/kr/installation/uninstall",component:d("/kr/installation/uninstall","65f"),exact:!0,sidebar:"mySidebar"},{path:"/kr/known-issues",component:d("/kr/known-issues","9ae"),exact:!0,sidebar:"mySidebar"},{path:"/kr/networking",component:d("/kr/networking","77f"),exact:!0,sidebar:"mySidebar"},{path:"/kr/networking/basic-network-options",component:d("/kr/networking/basic-network-options","853"),exact:!0,sidebar:"mySidebar"},{path:"/kr/networking/distributed-multicloud",component:d("/kr/networking/distributed-multicloud","92d"),exact:!0,sidebar:"mySidebar"},{path:"/kr/networking/multus-ipams",component:d("/kr/networking/multus-ipams","b26"),exact:!0,sidebar:"mySidebar"},{path:"/kr/networking/networking-services",component:d("/kr/networking/networking-services","4ce"),exact:!0,sidebar:"mySidebar"},{path:"/kr/quick-start",component:d("/kr/quick-start","4a8"),exact:!0,sidebar:"mySidebar"},{path:"/kr/reference/env-variables",component:d("/kr/reference/env-variables","279"),exact:!0,sidebar:"mySidebar"},{path:"/kr/reference/flag-deprecation",component:d("/kr/reference/flag-deprecation","9d8"),exact:!0,sidebar:"mySidebar"},{path:"/kr/reference/resource-profiling",component:d("/kr/reference/resource-profiling","e03"),exact:!0,sidebar:"mySidebar"},{path:"/kr/related-projects",component:d("/kr/related-projects","5a0"),exact:!0,sidebar:"mySidebar"},{path:"/kr/release-notes/v1.24.X",component:d("/kr/release-notes/v1.24.X","6bb"),exact:!0,sidebar:"mySidebar"},{path:"/kr/release-notes/v1.25.X",component:d("/kr/release-notes/v1.25.X","545"),exact:!0,sidebar:"mySidebar"},{path:"/kr/release-notes/v1.26.X",component:d("/kr/release-notes/v1.26.X","472"),exact:!0,sidebar:"mySidebar"},{path:"/kr/release-notes/v1.27.X",component:d("/kr/release-notes/v1.27.X","123"),exact:!0,sidebar:"mySidebar"},{path:"/kr/release-notes/v1.28.X",component:d("/kr/release-notes/v1.28.X","3aa"),exact:!0,sidebar:"mySidebar"},{path:"/kr/release-notes/v1.29.X",component:d("/kr/release-notes/v1.29.X","e1c"),exact:!0,sidebar:"mySidebar"},{path:"/kr/release-notes/v1.30.X",component:d("/kr/release-notes/v1.30.X","dcd"),exact:!0,sidebar:"mySidebar"},{path:"/kr/security",component:d("/kr/security","024"),exact:!0,sidebar:"mySidebar"},{path:"/kr/security/hardening-guide",component:d("/kr/security/hardening-guide","894"),exact:!0,sidebar:"mySidebar"},{path:"/kr/security/secrets-encryption",component:d("/kr/security/secrets-encryption","67b"),exact:!0,sidebar:"mySidebar"},{path:"/kr/security/self-assessment-1.23",component:d("/kr/security/self-assessment-1.23","405"),exact:!0},{path:"/kr/security/self-assessment-1.24",component:d("/kr/security/self-assessment-1.24","4d1"),exact:!0,sidebar:"mySidebar"},{path:"/kr/security/self-assessment-1.7",component:d("/kr/security/self-assessment-1.7","352"),exact:!0,sidebar:"mySidebar"},{path:"/kr/security/self-assessment-1.8",component:d("/kr/security/self-assessment-1.8","cfc"),exact:!0,sidebar:"mySidebar"},{path:"/kr/storage",component:d("/kr/storage","962"),exact:!0,sidebar:"mySidebar"},{path:"/kr/upgrades",component:d("/kr/upgrades","6c0"),exact:!0,sidebar:"mySidebar"},{path:"/kr/upgrades/automated",component:d("/kr/upgrades/automated","8df"),exact:!0,sidebar:"mySidebar"},{path:"/kr/upgrades/killall",component:d("/kr/upgrades/killall","1c5"),exact:!0,sidebar:"mySidebar"},{path:"/kr/upgrades/manual",component:d("/kr/upgrades/manual","43b"),exact:!0,sidebar:"mySidebar"},{path:"/kr/",component:d("/kr/","46f"),exact:!0,sidebar:"mySidebar"}]}]}]},{path:"*",component:d("*")}]},8934:(e,t,n)=>{"use strict";n.d(t,{_:()=>o,t:()=>i});var r=n(7294),a=n(5893);const o=r.createContext(!1);function i(e){let{children:t}=e;const[n,i]=(0,r.useState)(!1);return(0,r.useEffect)((()=>{i(!0)}),[]),(0,a.jsx)(o.Provider,{value:n,children:t})}},7221:(e,t,n)=>{"use strict";var r=n(7294),a=n(745),o=n(405),i=n(3727),s=n(6809),l=n(412);const c=[n(2497),n(3310),n(8320),n(2295)];var u=n(723),d=n(6550),p=n(8790),f=n(5893);function h(e){let{children:t}=e;return(0,f.jsx)(f.Fragment,{children:t})}var m=n(5742),g=n(2263),y=n(4996),b=n(6668),v=n(1944),k=n(4711),w=n(9727),x=n(3320),S=n(8780),E=n(197);function C(){const{i18n:{currentLocale:e,defaultLocale:t,localeConfigs:n}}=(0,g.Z)(),r=(0,k.l)(),a=n[e].htmlLang,o=e=>e.replace("-","_");return(0,f.jsxs)(m.Z,{children:[Object.entries(n).map((e=>{let[t,{htmlLang:n}]=e;return(0,f.jsx)("link",{rel:"alternate",href:r.createUrl({locale:t,fullyQualified:!0}),hrefLang:n},t)})),(0,f.jsx)("link",{rel:"alternate",href:r.createUrl({locale:t,fullyQualified:!0}),hrefLang:"x-default"}),(0,f.jsx)("meta",{property:"og:locale",content:o(a)}),Object.values(n).filter((e=>a!==e.htmlLang)).map((e=>(0,f.jsx)("meta",{property:"og:locale:alternate",content:o(e.htmlLang)},`meta-og-${e.htmlLang}`)))]})}function _(e){let{permalink:t}=e;const{siteConfig:{url:n}}=(0,g.Z)(),r=function(){const{siteConfig:{url:e,baseUrl:t,trailingSlash:n}}=(0,g.Z)(),{pathname:r}=(0,d.TH)();return e+(0,S.applyTrailingSlash)((0,y.ZP)(r),{trailingSlash:n,baseUrl:t})}(),a=t?`${n}${t}`:r;return(0,f.jsxs)(m.Z,{children:[(0,f.jsx)("meta",{property:"og:url",content:a}),(0,f.jsx)("link",{rel:"canonical",href:a})]})}function T(){const{i18n:{currentLocale:e}}=(0,g.Z)(),{metadata:t,image:n}=(0,b.L)();return(0,f.jsxs)(f.Fragment,{children:[(0,f.jsxs)(m.Z,{children:[(0,f.jsx)("meta",{name:"twitter:card",content:"summary_large_image"}),(0,f.jsx)("body",{className:w.h})]}),n&&(0,f.jsx)(v.d,{image:n}),(0,f.jsx)(_,{}),(0,f.jsx)(C,{}),(0,f.jsx)(E.Z,{tag:x.HX,locale:e}),(0,f.jsx)(m.Z,{children:t.map(((e,t)=>(0,f.jsx)("meta",{...e},t)))})]})}const L=new Map;var R=n(8934),j=n(8940),P=n(469);function N(e){for(var t=arguments.length,n=new Array(t>1?t-1:0),r=1;r<t;r++)n[r-1]=arguments[r];const a=c.map((t=>{const r=t.default?.[e]??t[e];return r?.(...n)}));return()=>a.forEach((e=>e?.()))}const A=function(e){let{children:t,location:n,previousLocation:r}=e;return(0,P.Z)((()=>{r!==n&&(!function(e){let{location:t,previousLocation:n}=e;if(!n)return;const r=t.pathname===n.pathname,a=t.hash===n.hash,o=t.search===n.search;if(r&&a&&!o)return;const{hash:i}=t;if(i){const e=decodeURIComponent(i.substring(1)),t=document.getElementById(e);t?.scrollIntoView()}else window.scrollTo(0,0)}({location:n,previousLocation:r}),N("onRouteDidUpdate",{previousLocation:r,location:n}))}),[r,n]),t};function O(e){const t=Array.from(new Set([e,decodeURI(e)])).map((e=>(0,p.f)(u.Z,e))).flat();return Promise.all(t.map((e=>e.route.component.preload?.())))}class I extends r.Component{previousLocation;routeUpdateCleanupCb;constructor(e){super(e),this.previousLocation=null,this.routeUpdateCleanupCb=l.Z.canUseDOM?N("onRouteUpdate",{previousLocation:null,location:this.props.location}):()=>{},this.state={nextRouteHasLoaded:!0}}shouldComponentUpdate(e,t){if(e.location===this.props.location)return t.nextRouteHasLoaded;const n=e.location;return this.previousLocation=this.props.location,this.setState({nextRouteHasLoaded:!1}),this.routeUpdateCleanupCb=N("onRouteUpdate",{previousLocation:this.previousLocation,location:n}),O(n.pathname).then((()=>{this.routeUpdateCleanupCb(),this.setState({nextRouteHasLoaded:!0})})).catch((e=>{console.warn(e),window.location.reload()})),!1}render(){const{children:e,location:t}=this.props;return(0,f.jsx)(A,{previousLocation:this.previousLocation,location:t,children:(0,f.jsx)(d.AW,{location:t,render:()=>e})})}}const D=I,F="__docusaurus-base-url-issue-banner-container",M="__docusaurus-base-url-issue-banner",B="__docusaurus-base-url-issue-banner-suggestion-container";function z(e){return`\ndocument.addEventListener('DOMContentLoaded', function maybeInsertBanner() {\n var shouldInsert = typeof window['docusaurus'] === 'undefined';\n shouldInsert && insertBanner();\n});\n\nfunction insertBanner() {\n var bannerContainer = document.createElement('div');\n bannerContainer.id = '${F}';\n var bannerHtml = ${JSON.stringify(function(e){return`\n<div id="${M}" style="border: thick solid red; background-color: rgb(255, 230, 179); margin: 20px; padding: 20px; font-size: 20px;">\n <p style="font-weight: bold; font-size: 30px;">Your Docusaurus site did not load properly.</p>\n <p>A very common reason is a wrong site <a href="https://docusaurus.io/docs/docusaurus.config.js/#baseUrl" style="font-weight: bold;">baseUrl configuration</a>.</p>\n <p>Current configured baseUrl = <span style="font-weight: bold; color: red;">${e}</span> ${"/"===e?" (default value)":""}</p>\n <p>We suggest trying baseUrl = <span id="${B}" style="font-weight: bold; color: green;"></span></p>\n</div>\n`}(e)).replace(/</g,"\\<")};\n bannerContainer.innerHTML = bannerHtml;\n document.body.prepend(bannerContainer);\n var suggestionContainer = document.getElementById('${B}');\n var actualHomePagePath = window.location.pathname;\n var suggestedBaseUrl = actualHomePagePath.substr(-1) === '/'\n ? actualHomePagePath\n : actualHomePagePath + '/';\n suggestionContainer.innerHTML = suggestedBaseUrl;\n}\n`}function $(){const{siteConfig:{baseUrl:e}}=(0,g.Z)();return(0,f.jsx)(f.Fragment,{children:!l.Z.canUseDOM&&(0,f.jsx)(m.Z,{children:(0,f.jsx)("script",{children:z(e)})})})}function U(){const{siteConfig:{baseUrl:e,baseUrlIssueBanner:t}}=(0,g.Z)(),{pathname:n}=(0,d.TH)();return t&&n===e?(0,f.jsx)($,{}):null}function q(){const{siteConfig:{favicon:e,title:t,noIndex:n},i18n:{currentLocale:r,localeConfigs:a}}=(0,g.Z)(),o=(0,y.ZP)(e),{htmlLang:i,direction:s}=a[r];return(0,f.jsxs)(m.Z,{children:[(0,f.jsx)("html",{lang:i,dir:s}),(0,f.jsx)("title",{children:t}),(0,f.jsx)("meta",{property:"og:title",content:t}),(0,f.jsx)("meta",{name:"viewport",content:"width=device-width, initial-scale=1.0"}),n&&(0,f.jsx)("meta",{name:"robots",content:"noindex, nofollow"}),e&&(0,f.jsx)("link",{rel:"icon",href:o})]})}var H=n(4763),Q=n(2389);function Z(){const e=(0,Q.Z)();return(0,f.jsx)(m.Z,{children:(0,f.jsx)("html",{"data-has-hydrated":e})})}const V=(0,p.H)(u.Z);function W(){const e=function(e){if(L.has(e.pathname))return{...e,pathname:L.get(e.pathname)};if((0,p.f)(u.Z,e.pathname).some((e=>{let{route:t}=e;return!0===t.exact})))return L.set(e.pathname,e.pathname),e;const t=e.pathname.trim().replace(/(?:\/index)?\.html$/,"")||"/";return L.set(e.pathname,t),{...e,pathname:t}}((0,d.TH)());return(0,f.jsx)(D,{location:e,children:V})}function G(){return(0,f.jsx)(H.Z,{children:(0,f.jsx)(j.M,{children:(0,f.jsxs)(R.t,{children:[(0,f.jsxs)(h,{children:[(0,f.jsx)(q,{}),(0,f.jsx)(T,{}),(0,f.jsx)(U,{}),(0,f.jsx)(W,{})]}),(0,f.jsx)(Z,{})]})})})}var X=n(6887);const K=function(e){try{return document.createElement("link").relList.supports(e)}catch{return!1}}("prefetch")?function(e){return new Promise(((t,n)=>{if("undefined"==typeof document)return void n();const r=document.createElement("link");r.setAttribute("rel","prefetch"),r.setAttribute("href",e),r.onload=()=>t(),r.onerror=()=>n();const a=document.getElementsByTagName("head")[0]??document.getElementsByName("script")[0]?.parentNode;a?.appendChild(r)}))}:function(e){return new Promise(((t,n)=>{const r=new XMLHttpRequest;r.open("GET",e,!0),r.withCredentials=!0,r.onload=()=>{200===r.status?t():n()},r.send(null)}))};var Y=n(9670);const J=new Set,ee=new Set,te=()=>navigator.connection?.effectiveType.includes("2g")||navigator.connection?.saveData,ne={prefetch:e=>{if(!(e=>!te()&&!ee.has(e)&&!J.has(e))(e))return!1;J.add(e);const t=(0,p.f)(u.Z,e).flatMap((e=>{return t=e.route.path,Object.entries(X).filter((e=>{let[n]=e;return n.replace(/-[^-]+$/,"")===t})).flatMap((e=>{let[,t]=e;return Object.values((0,Y.Z)(t))}));var t}));return Promise.all(t.map((e=>{const t=n.gca(e);return t&&!t.includes("undefined")?K(t).catch((()=>{})):Promise.resolve()})))},preload:e=>!!(e=>!te()&&!ee.has(e))(e)&&(ee.add(e),O(e))},re=Object.freeze(ne);function ae(e){let{children:t}=e;return"hash"===s.default.future.experimental_router?(0,f.jsx)(i.UT,{children:t}):(0,f.jsx)(i.VK,{children:t})}const oe=Boolean(!0);if(l.Z.canUseDOM){window.docusaurus=re;const e=document.getElementById("__docusaurus"),t=(0,f.jsx)(o.B6,{children:(0,f.jsx)(ae,{children:(0,f.jsx)(G,{})})}),n=(e,t)=>{console.error("Docusaurus React Root onRecoverableError:",e,t)},i=()=>{if(window.docusaurusRoot)window.docusaurusRoot.render(t);else if(oe)window.docusaurusRoot=a.hydrateRoot(e,t,{onRecoverableError:n});else{const r=a.createRoot(e,{onRecoverableError:n});r.render(t),window.docusaurusRoot=r}};O(window.location.pathname).then((()=>{(0,r.startTransition)(i)}))}},8940:(e,t,n)=>{"use strict";n.d(t,{_:()=>d,M:()=>p});var r=n(7294),a=n(6809);const o=JSON.parse('{"docusaurus-plugin-content-docs":{"default":{"path":"/kr/","versions":[{"name":"current","label":"\ud604\uc7ac \ubc84\uc804","isLast":true,"path":"/kr/","mainDocId":"introduction","docs":[{"id":"advanced","path":"/kr/advanced","sidebar":"mySidebar"},{"id":"architecture","path":"/kr/architecture","sidebar":"mySidebar"},{"id":"cli/agent","path":"/kr/cli/agent","sidebar":"mySidebar"},{"id":"cli/certificate","path":"/kr/cli/certificate","sidebar":"mySidebar"},{"id":"cli/cli","path":"/kr/cli/","sidebar":"mySidebar"},{"id":"cli/etcd-snapshot","path":"/kr/cli/etcd-snapshot","sidebar":"mySidebar"},{"id":"cli/secrets-encrypt","path":"/kr/cli/secrets-encrypt","sidebar":"mySidebar"},{"id":"cli/server","path":"/kr/cli/server","sidebar":"mySidebar"},{"id":"cli/token","path":"/kr/cli/token","sidebar":"mySidebar"},{"id":"cluster-access","path":"/kr/cluster-access","sidebar":"mySidebar"},{"id":"datastore/backup-restore","path":"/kr/datastore/backup-restore","sidebar":"mySidebar"},{"id":"datastore/cluster-loadbalancer","path":"/kr/datastore/cluster-loadbalancer","sidebar":"mySidebar"},{"id":"datastore/datastore","path":"/kr/datastore/","sidebar":"mySidebar"},{"id":"datastore/ha","path":"/kr/datastore/ha","sidebar":"mySidebar"},{"id":"datastore/ha-embedded","path":"/kr/datastore/ha-embedded","sidebar":"mySidebar"},{"id":"faq","path":"/kr/faq","sidebar":"mySidebar"},{"id":"helm","path":"/kr/helm","sidebar":"mySidebar"},{"id":"installation/airgap","path":"/kr/installation/airgap","sidebar":"mySidebar"},{"id":"installation/configuration","path":"/kr/installation/configuration","sidebar":"mySidebar"},{"id":"installation/installation","path":"/kr/installation/","sidebar":"mySidebar"},{"id":"installation/packaged-components","path":"/kr/installation/packaged-components","sidebar":"mySidebar"},{"id":"installation/private-registry","path":"/kr/installation/private-registry","sidebar":"mySidebar"},{"id":"installation/registry-mirror","path":"/kr/installation/registry-mirror","sidebar":"mySidebar"},{"id":"installation/requirements","path":"/kr/installation/requirements","sidebar":"mySidebar"},{"id":"installation/server-roles","path":"/kr/installation/server-roles","sidebar":"mySidebar"},{"id":"installation/uninstall","path":"/kr/installation/uninstall","sidebar":"mySidebar"},{"id":"introduction","path":"/kr/","sidebar":"mySidebar"},{"id":"known-issues","path":"/kr/known-issues","sidebar":"mySidebar"},{"id":"networking/basic-network-options","path":"/kr/networking/basic-network-options","sidebar":"mySidebar"},{"id":"networking/distributed-multicloud","path":"/kr/networking/distributed-multicloud","sidebar":"mySidebar"},{"id":"networking/multus-ipams","path":"/kr/networking/multus-ipams","sidebar":"mySidebar"},{"id":"networking/networking","path":"/kr/networking/","sidebar":"mySidebar"},{"id":"networking/networking-services","path":"/kr/networking/networking-services","sidebar":"mySidebar"},{"id":"quick-start","path":"/kr/quick-start","sidebar":"mySidebar"},{"id":"reference/env-variables","path":"/kr/reference/env-variables","sidebar":"mySidebar"},{"id":"reference/flag-deprecation","path":"/kr/reference/flag-deprecation","sidebar":"mySidebar"},{"id":"reference/resource-profiling","path":"/kr/reference/resource-profiling","sidebar":"mySidebar"},{"id":"related-projects","path":"/kr/related-projects","sidebar":"mySidebar"},{"id":"release-notes/v1.24.X","path":"/kr/release-notes/v1.24.X","sidebar":"mySidebar"},{"id":"release-notes/v1.25.X","path":"/kr/release-notes/v1.25.X","sidebar":"mySidebar"},{"id":"release-notes/v1.26.X","path":"/kr/release-notes/v1.26.X","sidebar":"mySidebar"},{"id":"release-notes/v1.27.X","path":"/kr/release-notes/v1.27.X","sidebar":"mySidebar"},{"id":"release-notes/v1.28.X","path":"/kr/release-notes/v1.28.X","sidebar":"mySidebar"},{"id":"release-notes/v1.29.X","path":"/kr/release-notes/v1.29.X","sidebar":"mySidebar"},{"id":"release-notes/v1.30.X","path":"/kr/release-notes/v1.30.X","sidebar":"mySidebar"},{"id":"security/hardening-guide","path":"/kr/security/hardening-guide","sidebar":"mySidebar"},{"id":"security/secrets-encryption","path":"/kr/security/secrets-encryption","sidebar":"mySidebar"},{"id":"security/security","path":"/kr/security/","sidebar":"mySidebar"},{"id":"security/self-assessment-1.23","path":"/kr/security/self-assessment-1.23"},{"id":"security/self-assessment-1.24","path":"/kr/security/self-assessment-1.24","sidebar":"mySidebar"},{"id":"security/self-assessment-1.7","path":"/kr/security/self-assessment-1.7","sidebar":"mySidebar"},{"id":"security/self-assessment-1.8","path":"/kr/security/self-assessment-1.8","sidebar":"mySidebar"},{"id":"storage","path":"/kr/storage","sidebar":"mySidebar"},{"id":"upgrades/automated","path":"/kr/upgrades/automated","sidebar":"mySidebar"},{"id":"upgrades/killall","path":"/kr/upgrades/killall","sidebar":"mySidebar"},{"id":"upgrades/manual","path":"/kr/upgrades/manual","sidebar":"mySidebar"},{"id":"upgrades/upgrades","path":"/kr/upgrades/","sidebar":"mySidebar"}],"draftIds":[],"sidebars":{"mySidebar":{"link":{"path":"/kr/","label":"introduction"}}}}],"breadcrumbs":true}}}'),i=JSON.parse('{"defaultLocale":"en","locales":["en","zh","kr"],"path":"i18n","currentLocale":"kr","localeConfigs":{"en":{"label":"English","direction":"ltr","htmlLang":"en","calendar":"gregory","path":"en"},"zh":{"label":"\u7b80\u4f53\u4e2d\u6587","direction":"ltr","htmlLang":"zh","calendar":"gregory","path":"zh"},"kr":{"label":"\ud55c\uad6d\uc5b4","direction":"ltr","htmlLang":"kr","calendar":"gregory","path":"kr"}}}');var s=n(7529);const l=JSON.parse('{"docusaurusVersion":"3.4.0","siteVersion":"0.0.1","pluginVersions":{"docusaurus-plugin-content-docs":{"type":"package","name":"@docusaurus/plugin-content-docs","version":"3.4.0"},"docusaurus-plugin-content-pages":{"type":"package","name":"@docusaurus/plugin-content-pages","version":"3.4.0"},"docusaurus-plugin-sitemap":{"type":"package","name":"@docusaurus/plugin-sitemap","version":"3.4.0"},"docusaurus-theme-classic":{"type":"package","name":"@docusaurus/theme-classic","version":"3.4.0"},"docusaurus-plugin-client-redirects":{"type":"package","name":"@docusaurus/plugin-client-redirects","version":"3.4.0"},"docusaurus-theme-mermaid":{"type":"package","name":"@docusaurus/theme-mermaid","version":"3.4.0"},"@easyops-cn/docusaurus-search-local":{"type":"package","name":"@easyops-cn/docusaurus-search-local","version":"0.44.4"}}}');var c=n(5893);const u={siteConfig:a.default,siteMetadata:l,globalData:o,i18n:i,codeTranslations:s},d=r.createContext(u);function p(e){let{children:t}=e;return(0,c.jsx)(d.Provider,{value:u,children:t})}},4763:(e,t,n)=>{"use strict";n.d(t,{Z:()=>m});var r=n(7294),a=n(412),o=n(5742),i=n(8780),s=n(2315),l=n(226),c=n(5893);function u(e){let{error:t,tryAgain:n}=e;return(0,c.jsxs)("div",{style:{display:"flex",flexDirection:"column",justifyContent:"center",alignItems:"flex-start",minHeight:"100vh",width:"100%",maxWidth:"80ch",fontSize:"20px",margin:"0 auto",padding:"1rem"},children:[(0,c.jsx)("h1",{style:{fontSize:"3rem"},children:"This page crashed"}),(0,c.jsx)("button",{type:"button",onClick:n,style:{margin:"1rem 0",fontSize:"2rem",cursor:"pointer",borderRadius:20,padding:"1rem"},children:"Try again"}),(0,c.jsx)(d,{error:t})]})}function d(e){let{error:t}=e;const n=(0,i.getErrorCausalChain)(t).map((e=>e.message)).join("\n\nCause:\n");return(0,c.jsx)("p",{style:{whiteSpace:"pre-wrap"},children:n})}function p(e){let{children:t}=e;return(0,c.jsx)(l.z,{value:{plugin:{name:"docusaurus-core-error-boundary",id:"default"}},children:t})}function f(e){let{error:t,tryAgain:n}=e;return(0,c.jsx)(p,{children:(0,c.jsxs)(m,{fallback:()=>(0,c.jsx)(u,{error:t,tryAgain:n}),children:[(0,c.jsx)(o.Z,{children:(0,c.jsx)("title",{children:"Page Error"})}),(0,c.jsx)(s.Z,{children:(0,c.jsx)(u,{error:t,tryAgain:n})})]})})}const h=e=>(0,c.jsx)(f,{...e});class m extends r.Component{constructor(e){super(e),this.state={error:null}}componentDidCatch(e){a.Z.canUseDOM&&this.setState({error:e})}render(){const{children:e}=this.props,{error:t}=this.state;if(t){const e={error:t,tryAgain:()=>this.setState({error:null})};return(this.props.fallback??h)(e)}return e??null}}},412:(e,t,n)=>{"use strict";n.d(t,{Z:()=>a});const r="undefined"!=typeof window&&"document"in window&&"createElement"in window.document,a={canUseDOM:r,canUseEventListeners:r&&("addEventListener"in window||"attachEvent"in window),canUseIntersectionObserver:r&&"IntersectionObserver"in window,canUseViewport:r&&"screen"in window}},5742:(e,t,n)=>{"use strict";n.d(t,{Z:()=>o});n(7294);var r=n(405),a=n(5893);function o(e){return(0,a.jsx)(r.ql,{...e})}},3692:(e,t,n)=>{"use strict";n.d(t,{Z:()=>f});var r=n(7294),a=n(3727),o=n(8780),i=n(2263),s=n(3919),l=n(412),c=n(8138),u=n(4996),d=n(5893);function p(e,t){let{isNavLink:n,to:p,href:f,activeClassName:h,isActive:m,"data-noBrokenLinkCheck":g,autoAddBaseUrl:y=!0,...b}=e;const{siteConfig:v}=(0,i.Z)(),{trailingSlash:k,baseUrl:w}=v,x=v.future.experimental_router,{withBaseUrl:S}=(0,u.Cg)(),E=(0,c.Z)(),C=(0,r.useRef)(null);(0,r.useImperativeHandle)(t,(()=>C.current));const _=p||f;const T=(0,s.Z)(_),L=_?.replace("pathname://","");let R=void 0!==L?(j=L,y&&(e=>e.startsWith("/"))(j)?S(j):j):void 0;var j;"hash"===x&&R?.startsWith("./")&&(R=R?.slice(1)),R&&T&&(R=(0,o.applyTrailingSlash)(R,{trailingSlash:k,baseUrl:w}));const P=(0,r.useRef)(!1),N=n?a.OL:a.rU,A=l.Z.canUseIntersectionObserver,O=(0,r.useRef)(),I=()=>{P.current||null==R||(window.docusaurus.preload(R),P.current=!0)};(0,r.useEffect)((()=>(!A&&T&&null!=R&&window.docusaurus.prefetch(R),()=>{A&&O.current&&O.current.disconnect()})),[O,R,A,T]);const D=R?.startsWith("#")??!1,F=!b.target||"_self"===b.target,M=!R||!T||!F;return g||!D&&M||E.collectLink(R),b.id&&E.collectAnchor(b.id),M?(0,d.jsx)("a",{ref:C,href:R,..._&&!T&&{target:"_blank",rel:"noopener noreferrer"},...b}):(0,d.jsx)(N,{...b,onMouseEnter:I,onTouchStart:I,innerRef:e=>{C.current=e,A&&e&&T&&(O.current=new window.IntersectionObserver((t=>{t.forEach((t=>{e===t.target&&(t.isIntersecting||t.intersectionRatio>0)&&(O.current.unobserve(e),O.current.disconnect(),null!=R&&window.docusaurus.prefetch(R))}))})),O.current.observe(e))},to:R,...n&&{isActive:m,activeClassName:h}})}const f=r.forwardRef(p)},5999:(e,t,n)=>{"use strict";n.d(t,{Z:()=>c,I:()=>l});var r=n(7294),a=n(5893);function o(e,t){const n=e.split(/(\{\w+\})/).map(((e,n)=>{if(n%2==1){const n=t?.[e.slice(1,-1)];if(void 0!==n)return n}return e}));return n.some((e=>(0,r.isValidElement)(e)))?n.map(((e,t)=>(0,r.isValidElement)(e)?r.cloneElement(e,{key:t}):e)).filter((e=>""!==e)):n.join("")}var i=n(7529);function s(e){let{id:t,message:n}=e;if(void 0===t&&void 0===n)throw new Error("Docusaurus translation declarations must have at least a translation id or a default translation message");return i[t??n]??n??t}function l(e,t){let{message:n,id:r}=e;return o(s({message:n,id:r}),t)}function c(e){let{children:t,id:n,values:r}=e;if(t&&"string"!=typeof t)throw console.warn("Illegal <Translate> children",t),new Error("The Docusaurus <Translate> component only accept simple string values");const i=s({message:t,id:n});return(0,a.jsx)(a.Fragment,{children:o(i,r)})}},9935:(e,t,n)=>{"use strict";n.d(t,{m:()=>r});const r="default"},3919:(e,t,n)=>{"use strict";function r(e){return/^(?:\w*:|\/\/)/.test(e)}function a(e){return void 0!==e&&!r(e)}n.d(t,{Z:()=>a,b:()=>r})},4996:(e,t,n)=>{"use strict";n.d(t,{Cg:()=>i,ZP:()=>s});var r=n(7294),a=n(2263),o=n(3919);function i(){const{siteConfig:e}=(0,a.Z)(),{baseUrl:t,url:n}=e,i=e.future.experimental_router,s=(0,r.useCallback)(((e,r)=>function(e){let{siteUrl:t,baseUrl:n,url:r,options:{forcePrependBaseUrl:a=!1,absolute:i=!1}={},router:s}=e;if(!r||r.startsWith("#")||(0,o.b)(r))return r;if("hash"===s)return r.startsWith("/")?`.${r}`:`./${r}`;if(a)return n+r.replace(/^\//,"");if(r===n.replace(/\/$/,""))return n;const l=r.startsWith(n)?r:n+r.replace(/^\//,"");return i?t+l:l}({siteUrl:n,baseUrl:t,url:e,options:r,router:i})),[n,t,i]);return{withBaseUrl:s}}function s(e,t){void 0===t&&(t={});const{withBaseUrl:n}=i();return n(e,t)}},8138:(e,t,n)=>{"use strict";n.d(t,{Z:()=>i});var r=n(7294);n(5893);const a=r.createContext({collectAnchor:()=>{},collectLink:()=>{}}),o=()=>(0,r.useContext)(a);function i(){return o()}},2263:(e,t,n)=>{"use strict";n.d(t,{Z:()=>o});var r=n(7294),a=n(8940);function o(){return(0,r.useContext)(a._)}},2389:(e,t,n)=>{"use strict";n.d(t,{Z:()=>o});var r=n(7294),a=n(8934);function o(){return(0,r.useContext)(a._)}},469:(e,t,n)=>{"use strict";n.d(t,{Z:()=>a});var r=n(7294);const a=n(412).Z.canUseDOM?r.useLayoutEffect:r.useEffect},9670:(e,t,n)=>{"use strict";n.d(t,{Z:()=>a});const r=e=>"object"==typeof e&&!!e&&Object.keys(e).length>0;function a(e){const t={};return function e(n,a){Object.entries(n).forEach((n=>{let[o,i]=n;const s=a?`${a}.${o}`:o;r(i)?e(i,s):t[s]=i}))}(e),t}},226:(e,t,n)=>{"use strict";n.d(t,{_:()=>o,z:()=>i});var r=n(7294),a=n(5893);const o=r.createContext(null);function i(e){let{children:t,value:n}=e;const i=r.useContext(o),s=(0,r.useMemo)((()=>function(e){let{parent:t,value:n}=e;if(!t){if(!n)throw new Error("Unexpected: no Docusaurus route context found");if(!("plugin"in n))throw new Error("Unexpected: Docusaurus topmost route context has no `plugin` attribute");return n}const r={...t.data,...n?.data};return{plugin:t.plugin,data:r}}({parent:i,value:n})),[i,n]);return(0,a.jsx)(o.Provider,{value:s,children:t})}},143:(e,t,n)=>{"use strict";n.d(t,{Iw:()=>m,gA:()=>p,_r:()=>u,Jo:()=>g,zh:()=>d,yW:()=>h,gB:()=>f});var r=n(6550),a=n(2263),o=n(9935);function i(e,t){void 0===t&&(t={});const n=function(){const{globalData:e}=(0,a.Z)();return e}()[e];if(!n&&t.failfast)throw new Error(`Docusaurus plugin global data not found for "${e}" plugin.`);return n}const s=e=>e.versions.find((e=>e.isLast));function l(e,t){const n=function(e,t){const n=s(e);return[...e.versions.filter((e=>e!==n)),n].find((e=>!!(0,r.LX)(t,{path:e.path,exact:!1,strict:!1})))}(e,t),a=n?.docs.find((e=>!!(0,r.LX)(t,{path:e.path,exact:!0,strict:!1})));return{activeVersion:n,activeDoc:a,alternateDocVersions:a?function(t){const n={};return e.versions.forEach((e=>{e.docs.forEach((r=>{r.id===t&&(n[e.name]=r)}))})),n}(a.id):{}}}const c={},u=()=>i("docusaurus-plugin-content-docs")??c,d=e=>{try{return function(e,t,n){void 0===t&&(t=o.m),void 0===n&&(n={});const r=i(e),a=r?.[t];if(!a&&n.failfast)throw new Error(`Docusaurus plugin global data not found for "${e}" plugin with id "${t}".`);return a}("docusaurus-plugin-content-docs",e,{failfast:!0})}catch(t){throw new Error("You are using a feature of the Docusaurus docs plugin, but this plugin does not seem to be enabled"+("Default"===e?"":` (pluginId=${e}`),{cause:t})}};function p(e){void 0===e&&(e={});const t=u(),{pathname:n}=(0,r.TH)();return function(e,t,n){void 0===n&&(n={});const a=Object.entries(e).sort(((e,t)=>t[1].path.localeCompare(e[1].path))).find((e=>{let[,n]=e;return!!(0,r.LX)(t,{path:n.path,exact:!1,strict:!1})})),o=a?{pluginId:a[0],pluginData:a[1]}:void 0;if(!o&&n.failfast)throw new Error(`Can't find active docs plugin for "${t}" pathname, while it was expected to be found. Maybe you tried to use a docs feature that can only be used on a docs-related page? Existing docs plugin paths are: ${Object.values(e).map((e=>e.path)).join(", ")}`);return o}(t,n,e)}function f(e){return d(e).versions}function h(e){const t=d(e);return s(t)}function m(e){const t=d(e),{pathname:n}=(0,r.TH)();return l(t,n)}function g(e){const t=d(e),{pathname:n}=(0,r.TH)();return function(e,t){const n=s(e);return{latestDocSuggestion:l(e,t).alternateDocVersions[n.name],latestVersionSuggestion:n}}(t,n)}},8320:(e,t,n)=>{"use strict";n.r(t),n.d(t,{default:()=>o});var r=n(4865),a=n.n(r);a().configure({showSpinner:!1});const o={onRouteUpdate(e){let{location:t,previousLocation:n}=e;if(n&&t.pathname!==n.pathname){const e=window.setTimeout((()=>{a().start()}),200);return()=>window.clearTimeout(e)}},onRouteDidUpdate(){a().done()}}},3310:(e,t,n)=>{"use strict";n.r(t);var r=n(2573),a=n(6809);!function(e){const{themeConfig:{prism:t}}=a.default,{additionalLanguages:r}=t;globalThis.Prism=e,r.forEach((e=>{"php"===e&&n(6854),n(6726)(`./prism-${e}`)})),delete globalThis.Prism}(r.p1)},2503:(e,t,n)=>{"use strict";n.d(t,{Z:()=>u});n(7294);var r=n(512),a=n(5999),o=n(6668),i=n(3692),s=n(8138);const l={anchorWithStickyNavbar:"anchorWithStickyNavbar_LWe7",anchorWithHideOnScrollNavbar:"anchorWithHideOnScrollNavbar_WYt5"};var c=n(5893);function u(e){let{as:t,id:n,...u}=e;const d=(0,s.Z)(),{navbar:{hideOnScroll:p}}=(0,o.L)();if("h1"===t||!n)return(0,c.jsx)(t,{...u,id:void 0});d.collectAnchor(n);const f=(0,a.I)({id:"theme.common.headingLinkTitle",message:"Direct link to {heading}",description:"Title for link to heading"},{heading:"string"==typeof u.children?u.children:n});return(0,c.jsxs)(t,{...u,className:(0,r.Z)("anchor",p?l.anchorWithHideOnScrollNavbar:l.anchorWithStickyNavbar,u.className),id:n,children:[u.children,(0,c.jsx)(i.Z,{className:"hash-link",to:`#${n}`,"aria-label":f,title:f,children:"\u200b"})]})}},9471:(e,t,n)=>{"use strict";n.d(t,{Z:()=>o});n(7294);const r={iconExternalLink:"iconExternalLink_nPIU"};var a=n(5893);function o(e){let{width:t=13.5,height:n=13.5}=e;return(0,a.jsx)("svg",{width:t,height:n,"aria-hidden":"true",viewBox:"0 0 24 24",className:r.iconExternalLink,children:(0,a.jsx)("path",{fill:"currentColor",d:"M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"})})}},2315:(e,t,n)=>{"use strict";n.d(t,{Z:()=>Nt});var r=n(7294),a=n(512),o=n(4763),i=n(1944),s=n(6550),l=n(5999),c=n(5936),u=n(5893);const d="__docusaurus_skipToContent_fallback";function p(e){e.setAttribute("tabindex","-1"),e.focus(),e.removeAttribute("tabindex")}function f(){const e=(0,r.useRef)(null),{action:t}=(0,s.k6)(),n=(0,r.useCallback)((e=>{e.preventDefault();const t=document.querySelector("main:first-of-type")??document.getElementById(d);t&&p(t)}),[]);return(0,c.S)((n=>{let{location:r}=n;e.current&&!r.hash&&"PUSH"===t&&p(e.current)})),{containerRef:e,onClick:n}}const h=(0,l.I)({id:"theme.common.skipToMainContent",description:"The skip to content label used for accessibility, allowing to rapidly navigate to main content with keyboard tab/enter navigation",message:"Skip to main content"});function m(e){const t=e.children??h,{containerRef:n,onClick:r}=f();return(0,u.jsx)("div",{ref:n,role:"region","aria-label":h,children:(0,u.jsx)("a",{...e,href:`#${d}`,onClick:r,children:t})})}var g=n(5281),y=n(9727);const b={skipToContent:"skipToContent_fXgn"};function v(){return(0,u.jsx)(m,{className:b.skipToContent})}var k=n(6668),w=n(9689);function x(e){let{width:t=21,height:n=21,color:r="currentColor",strokeWidth:a=1.2,className:o,...i}=e;return(0,u.jsx)("svg",{viewBox:"0 0 15 15",width:t,height:n,...i,children:(0,u.jsx)("g",{stroke:r,strokeWidth:a,children:(0,u.jsx)("path",{d:"M.75.75l13.5 13.5M14.25.75L.75 14.25"})})})}const S={closeButton:"closeButton_CVFx"};function E(e){return(0,u.jsx)("button",{type:"button","aria-label":(0,l.I)({id:"theme.AnnouncementBar.closeButtonAriaLabel",message:"Close",description:"The ARIA label for close button of announcement bar"}),...e,className:(0,a.Z)("clean-btn close",S.closeButton,e.className),children:(0,u.jsx)(x,{width:14,height:14,strokeWidth:3.1})})}const C={content:"content_knG7"};function _(e){const{announcementBar:t}=(0,k.L)(),{content:n}=t;return(0,u.jsx)("div",{...e,className:(0,a.Z)(C.content,e.className),dangerouslySetInnerHTML:{__html:n}})}const T={announcementBar:"announcementBar_mb4j",announcementBarPlaceholder:"announcementBarPlaceholder_vyr4",announcementBarClose:"announcementBarClose_gvF7",announcementBarContent:"announcementBarContent_xLdY"};function L(){const{announcementBar:e}=(0,k.L)(),{isActive:t,close:n}=(0,w.n)();if(!t)return null;const{backgroundColor:r,textColor:a,isCloseable:o}=e;return(0,u.jsxs)("div",{className:T.announcementBar,style:{backgroundColor:r,color:a},role:"banner",children:[o&&(0,u.jsx)("div",{className:T.announcementBarPlaceholder}),(0,u.jsx)(_,{className:T.announcementBarContent}),o&&(0,u.jsx)(E,{onClick:n,className:T.announcementBarClose})]})}var R=n(3163),j=n(2466);var P=n(902),N=n(3102);const A=r.createContext(null);function O(e){let{children:t}=e;const n=function(){const e=(0,R.e)(),t=(0,N.HY)(),[n,a]=(0,r.useState)(!1),o=null!==t.component,i=(0,P.D9)(o);return(0,r.useEffect)((()=>{o&&!i&&a(!0)}),[o,i]),(0,r.useEffect)((()=>{o?e.shown||a(!0):a(!1)}),[e.shown,o]),(0,r.useMemo)((()=>[n,a]),[n])}();return(0,u.jsx)(A.Provider,{value:n,children:t})}function I(e){if(e.component){const t=e.component;return(0,u.jsx)(t,{...e.props})}}function D(){const e=(0,r.useContext)(A);if(!e)throw new P.i6("NavbarSecondaryMenuDisplayProvider");const[t,n]=e,a=(0,r.useCallback)((()=>n(!1)),[n]),o=(0,N.HY)();return(0,r.useMemo)((()=>({shown:t,hide:a,content:I(o)})),[a,o,t])}function F(e){let{header:t,primaryMenu:n,secondaryMenu:r}=e;const{shown:o}=D();return(0,u.jsxs)("div",{className:"navbar-sidebar",children:[t,(0,u.jsxs)("div",{className:(0,a.Z)("navbar-sidebar__items",{"navbar-sidebar__items--show-secondary":o}),children:[(0,u.jsx)("div",{className:"navbar-sidebar__item menu",children:n}),(0,u.jsx)("div",{className:"navbar-sidebar__item menu",children:r})]})]})}var M=n(2949),B=n(2389);function z(e){return(0,u.jsx)("svg",{viewBox:"0 0 24 24",width:24,height:24,...e,children:(0,u.jsx)("path",{fill:"currentColor",d:"M12,9c1.65,0,3,1.35,3,3s-1.35,3-3,3s-3-1.35-3-3S10.35,9,12,9 M12,7c-2.76,0-5,2.24-5,5s2.24,5,5,5s5-2.24,5-5 S14.76,7,12,7L12,7z M2,13l2,0c0.55,0,1-0.45,1-1s-0.45-1-1-1l-2,0c-0.55,0-1,0.45-1,1S1.45,13,2,13z M20,13l2,0c0.55,0,1-0.45,1-1 s-0.45-1-1-1l-2,0c-0.55,0-1,0.45-1,1S19.45,13,20,13z M11,2v2c0,0.55,0.45,1,1,1s1-0.45,1-1V2c0-0.55-0.45-1-1-1S11,1.45,11,2z M11,20v2c0,0.55,0.45,1,1,1s1-0.45,1-1v-2c0-0.55-0.45-1-1-1C11.45,19,11,19.45,11,20z M5.99,4.58c-0.39-0.39-1.03-0.39-1.41,0 c-0.39,0.39-0.39,1.03,0,1.41l1.06,1.06c0.39,0.39,1.03,0.39,1.41,0s0.39-1.03,0-1.41L5.99,4.58z M18.36,16.95 c-0.39-0.39-1.03-0.39-1.41,0c-0.39,0.39-0.39,1.03,0,1.41l1.06,1.06c0.39,0.39,1.03,0.39,1.41,0c0.39-0.39,0.39-1.03,0-1.41 L18.36,16.95z M19.42,5.99c0.39-0.39,0.39-1.03,0-1.41c-0.39-0.39-1.03-0.39-1.41,0l-1.06,1.06c-0.39,0.39-0.39,1.03,0,1.41 s1.03,0.39,1.41,0L19.42,5.99z M7.05,18.36c0.39-0.39,0.39-1.03,0-1.41c-0.39-0.39-1.03-0.39-1.41,0l-1.06,1.06 c-0.39,0.39-0.39,1.03,0,1.41s1.03,0.39,1.41,0L7.05,18.36z"})})}function $(e){return(0,u.jsx)("svg",{viewBox:"0 0 24 24",width:24,height:24,...e,children:(0,u.jsx)("path",{fill:"currentColor",d:"M9.37,5.51C9.19,6.15,9.1,6.82,9.1,7.5c0,4.08,3.32,7.4,7.4,7.4c0.68,0,1.35-0.09,1.99-0.27C17.45,17.19,14.93,19,12,19 c-3.86,0-7-3.14-7-7C5,9.07,6.81,6.55,9.37,5.51z M12,3c-4.97,0-9,4.03-9,9s4.03,9,9,9s9-4.03,9-9c0-0.46-0.04-0.92-0.1-1.36 c-0.98,1.37-2.58,2.26-4.4,2.26c-2.98,0-5.4-2.42-5.4-5.4c0-1.81,0.89-3.42,2.26-4.4C12.92,3.04,12.46,3,12,3L12,3z"})})}const U={toggle:"toggle_vylO",toggleButton:"toggleButton_gllP",darkToggleIcon:"darkToggleIcon_wfgR",lightToggleIcon:"lightToggleIcon_pyhR",toggleButtonDisabled:"toggleButtonDisabled_aARS"};function q(e){let{className:t,buttonClassName:n,value:r,onChange:o}=e;const i=(0,B.Z)(),s=(0,l.I)({message:"Switch between dark and light mode (currently {mode})",id:"theme.colorToggle.ariaLabel",description:"The ARIA label for the navbar color mode toggle"},{mode:"dark"===r?(0,l.I)({message:"dark mode",id:"theme.colorToggle.ariaLabel.mode.dark",description:"The name for the dark color mode"}):(0,l.I)({message:"light mode",id:"theme.colorToggle.ariaLabel.mode.light",description:"The name for the light color mode"})});return(0,u.jsx)("div",{className:(0,a.Z)(U.toggle,t),children:(0,u.jsxs)("button",{className:(0,a.Z)("clean-btn",U.toggleButton,!i&&U.toggleButtonDisabled,n),type:"button",onClick:()=>o("dark"===r?"light":"dark"),disabled:!i,title:s,"aria-label":s,"aria-live":"polite",children:[(0,u.jsx)(z,{className:(0,a.Z)(U.toggleIcon,U.lightToggleIcon)}),(0,u.jsx)($,{className:(0,a.Z)(U.toggleIcon,U.darkToggleIcon)})]})})}const H=r.memo(q),Q={darkNavbarColorModeToggle:"darkNavbarColorModeToggle_X3D1"};function Z(e){let{className:t}=e;const n=(0,k.L)().navbar.style,r=(0,k.L)().colorMode.disableSwitch,{colorMode:a,setColorMode:o}=(0,M.I)();return r?null:(0,u.jsx)(H,{className:t,buttonClassName:"dark"===n?Q.darkNavbarColorModeToggle:void 0,value:a,onChange:o})}var V=n(1327);function W(){return(0,u.jsx)(V.Z,{className:"navbar__brand",imageClassName:"navbar__logo",titleClassName:"navbar__title text--truncate"})}function G(){const e=(0,R.e)();return(0,u.jsx)("button",{type:"button","aria-label":(0,l.I)({id:"theme.docs.sidebar.closeSidebarButtonAriaLabel",message:"Close navigation bar",description:"The ARIA label for close button of mobile sidebar"}),className:"clean-btn navbar-sidebar__close",onClick:()=>e.toggle(),children:(0,u.jsx)(x,{color:"var(--ifm-color-emphasis-600)"})})}function X(){return(0,u.jsxs)("div",{className:"navbar-sidebar__brand",children:[(0,u.jsx)(W,{}),(0,u.jsx)("a",{href:"https://github.com/k3s-io/k3s",target:"_blank",rel:"noopener noreferrer",className:"margin-right--md header-github-link"}),(0,u.jsx)(Z,{className:"margin-right--md"}),(0,u.jsx)(G,{})]})}var K=n(3692),Y=n(4996),J=n(3919);function ee(e,t){return void 0!==e&&void 0!==t&&new RegExp(e,"gi").test(t)}var te=n(9471);function ne(e){let{activeBasePath:t,activeBaseRegex:n,to:r,href:a,label:o,html:i,isDropdownLink:s,prependBaseUrlToHref:l,...c}=e;const d=(0,Y.ZP)(r),p=(0,Y.ZP)(t),f=(0,Y.ZP)(a,{forcePrependBaseUrl:!0}),h=o&&a&&!(0,J.Z)(a),m=i?{dangerouslySetInnerHTML:{__html:i}}:{children:(0,u.jsxs)(u.Fragment,{children:[o,h&&(0,u.jsx)(te.Z,{...s&&{width:12,height:12}})]})};return a?(0,u.jsx)(K.Z,{href:l?f:a,...c,...m}):(0,u.jsx)(K.Z,{to:d,isNavLink:!0,...(t||n)&&{isActive:(e,t)=>n?ee(n,t.pathname):t.pathname.startsWith(p)},...c,...m})}function re(e){let{className:t,isDropdownItem:n=!1,...r}=e;const o=(0,u.jsx)(ne,{className:(0,a.Z)(n?"dropdown__link":"navbar__item navbar__link",t),isDropdownLink:n,...r});return n?(0,u.jsx)("li",{children:o}):o}function ae(e){let{className:t,isDropdownItem:n,...r}=e;return(0,u.jsx)("li",{className:"menu__list-item",children:(0,u.jsx)(ne,{className:(0,a.Z)("menu__link",t),...r})})}function oe(e){let{mobile:t=!1,position:n,...r}=e;const a=t?ae:re;return(0,u.jsx)(a,{...r,activeClassName:r.activeClassName??(t?"menu__link--active":"navbar__link--active")})}var ie=n(6043),se=n(8596),le=n(2263);const ce={dropdownNavbarItemMobile:"dropdownNavbarItemMobile_S0Fm"};function ue(e,t){return e.some((e=>function(e,t){return!!(0,se.Mg)(e.to,t)||!!ee(e.activeBaseRegex,t)||!(!e.activeBasePath||!t.startsWith(e.activeBasePath))}(e,t)))}function de(e){let{items:t,position:n,className:o,onClick:i,...s}=e;const l=(0,r.useRef)(null),[c,d]=(0,r.useState)(!1);return(0,r.useEffect)((()=>{const e=e=>{l.current&&!l.current.contains(e.target)&&d(!1)};return document.addEventListener("mousedown",e),document.addEventListener("touchstart",e),document.addEventListener("focusin",e),()=>{document.removeEventListener("mousedown",e),document.removeEventListener("touchstart",e),document.removeEventListener("focusin",e)}}),[l]),(0,u.jsxs)("div",{ref:l,className:(0,a.Z)("navbar__item","dropdown","dropdown--hoverable",{"dropdown--right":"right"===n,"dropdown--show":c}),children:[(0,u.jsx)(ne,{"aria-haspopup":"true","aria-expanded":c,role:"button",href:s.to?void 0:"#",className:(0,a.Z)("navbar__link",o),...s,onClick:s.to?void 0:e=>e.preventDefault(),onKeyDown:e=>{"Enter"===e.key&&(e.preventDefault(),d(!c))},children:s.children??s.label}),(0,u.jsx)("ul",{className:"dropdown__menu",children:t.map(((e,t)=>(0,r.createElement)(We,{isDropdownItem:!0,activeClassName:"dropdown__link--active",...e,key:t})))})]})}function pe(e){let{items:t,className:n,position:o,onClick:i,...l}=e;const c=function(){const{siteConfig:{baseUrl:e}}=(0,le.Z)(),{pathname:t}=(0,s.TH)();return t.replace(e,"/")}(),d=ue(t,c),{collapsed:p,toggleCollapsed:f,setCollapsed:h}=(0,ie.u)({initialState:()=>!d});return(0,r.useEffect)((()=>{d&&h(!d)}),[c,d,h]),(0,u.jsxs)("li",{className:(0,a.Z)("menu__list-item",{"menu__list-item--collapsed":p}),children:[(0,u.jsx)(ne,{role:"button",className:(0,a.Z)(ce.dropdownNavbarItemMobile,"menu__link menu__link--sublist menu__link--sublist-caret",n),...l,onClick:e=>{e.preventDefault(),f()},children:l.children??l.label}),(0,u.jsx)(ie.z,{lazy:!0,as:"ul",className:"menu__list",collapsed:p,children:t.map(((e,t)=>(0,r.createElement)(We,{mobile:!0,isDropdownItem:!0,onClick:i,activeClassName:"menu__link--active",...e,key:t})))})]})}function fe(e){let{mobile:t=!1,...n}=e;const r=t?pe:de;return(0,u.jsx)(r,{...n})}var he=n(4711);function me(e){let{width:t=20,height:n=20,...r}=e;return(0,u.jsx)("svg",{viewBox:"0 0 24 24",width:t,height:n,"aria-hidden":!0,...r,children:(0,u.jsx)("path",{fill:"currentColor",d:"M12.87 15.07l-2.54-2.51.03-.03c1.74-1.94 2.98-4.17 3.71-6.53H17V4h-7V2H8v2H1v1.99h11.17C11.5 7.92 10.44 9.75 9 11.35 8.07 10.32 7.3 9.19 6.69 8h-2c.73 1.63 1.73 3.17 2.98 4.56l-5.09 5.02L4 19l5-5 3.11 3.11.76-2.04zM18.5 10h-2L12 22h2l1.12-3h4.75L21 22h2l-4.5-12zm-2.62 7l1.62-4.33L19.12 17h-3.24z"})})}const ge="iconLanguage_nlXk";var ye=n(1029),be=n(1728),ve=n(373),ke=n(143),we=n(22),xe=n(8202),Se=n(3545),Ee=n(3926),Ce=n(1073),_e=n(2539),Te=n(726);const Le='<svg width="20" height="20" viewBox="0 0 20 20"><path d="M17 6v12c0 .52-.2 1-1 1H4c-.7 0-1-.33-1-1V2c0-.55.42-1 1-1h8l5 5zM14 8h-3.13c-.51 0-.87-.34-.87-.87V4" stroke="currentColor" fill="none" fill-rule="evenodd" stroke-linejoin="round"></path></svg>',Re='<svg width="20" height="20" viewBox="0 0 20 20"><path d="M13 13h4-4V8H7v5h6v4-4H7V8H3h4V3v5h6V3v5h4-4v5zm-6 0v4-4H3h4z" stroke="currentColor" fill="none" fill-rule="evenodd" stroke-linecap="round" stroke-linejoin="round"></path></svg>',je='<svg width="20" height="20" viewBox="0 0 20 20"><path d="M17 5H3h14zm0 5H3h14zm0 5H3h14z" stroke="currentColor" fill="none" fill-rule="evenodd" stroke-linejoin="round"></path></svg>',Pe='<svg width="20" height="20" viewBox="0 0 20 20"><g stroke="currentColor" fill="none" fill-rule="evenodd" stroke-linecap="round" stroke-linejoin="round"><path d="M18 3v4c0 2-2 4-4 4H2"></path><path d="M8 17l-6-6 6-6"></path></g></svg>',Ne='<svg width="40" height="40" viewBox="0 0 20 20" fill="none" fill-rule="evenodd" stroke="currentColor" stroke-linecap="round" stroke-linejoin="round"><path d="M15.5 4.8c2 3 1.7 7-1 9.7h0l4.3 4.3-4.3-4.3a7.8 7.8 0 01-9.8 1m-2.2-2.2A7.8 7.8 0 0113.2 2.4M2 18L18 2"></path></svg>',Ae='<svg viewBox="0 0 24 54"><g stroke="currentColor" fill="none" fill-rule="evenodd" stroke-linecap="round" stroke-linejoin="round"><path d="M8 6v42M20 27H8.3"></path></g></svg>',Oe='<svg viewBox="0 0 24 54"><g stroke="currentColor" fill="none" fill-rule="evenodd" stroke-linecap="round" stroke-linejoin="round"><path d="M8 6v21M20 27H8.3"></path></g></svg>',Ie={searchBar:"searchBar_RVTs",dropdownMenu:"dropdownMenu_qbY6",searchBarLeft:"searchBarLeft_MXDe",suggestion:"suggestion_fB_2",cursor:"cursor_eG29",hitTree:"hitTree_kk6K",hitIcon:"hitIcon_a7Zy",hitPath:"hitPath_ieM4",noResultsIcon:"noResultsIcon_EBY5",hitFooter:"hitFooter_E9YW",hitWrapper:"hitWrapper_sAK8",hitTitle:"hitTitle_vyVt",hitAction:"hitAction_NqkB",hideAction:"hideAction_vcyE",noResults:"noResults_l6Q3",searchBarContainer:"searchBarContainer_NW3z",searchBarLoadingRing:"searchBarLoadingRing_YnHq",searchClearButton:"searchClearButton_qk4g",searchIndexLoading:"searchIndexLoading_EJ1f",searchHintContainer:"searchHintContainer_Pkmr",searchHint:"searchHint_iIMx",focused:"focused_OWtg",input:"input_FOTf",hint:"hint_URu1",suggestions:"suggestions_X8XU",dataset:"dataset_QiCy",empty:"empty_eITn"};function De(e){let{document:t,type:n,page:r,metadata:a,tokens:o,isInterOfTree:i,isLastOfTree:s}=e;const l=n===Se.P.Title,c=n===Se.P.Keywords,u=l||c,d=n===Se.P.Heading,p=[];i?p.push(Ae):s&&p.push(Oe);const f=p.map((e=>`<span class="${Ie.hitTree}">${e}</span>`)),h=`<span class="${Ie.hitIcon}">${u?Le:d?Re:je}</span>`,m=[`<span class="${Ie.hitTitle}">${c?(0,_e.C)(t.s,o):(0,Te.o)(t.t,(0,Ce.m)(a,"t"),o)}</span>`];if(!i&&!s&&ye.H6){const e=r?r.b?.concat(r.t).concat(t.s&&t.s!==r.t?t.s:[]):t.b;m.push(`<span class="${Ie.hitPath}">${(0,Ee.e)(e??[])}</span>`)}else u||m.push(`<span class="${Ie.hitPath}">${(0,_e.C)(r.t||(t.u.startsWith("/docs/api-reference/")?"API Reference":""),o)}</span>`);const g=`<span class="${Ie.hitAction}">${Pe}</span>`;return[...f,h,`<span class="${Ie.hitWrapper}">`,...m,"</span>",g].join("")}function Fe(){return`<span class="${Ie.noResults}"><span class="${Ie.noResultsIcon}">${Ne}</span><span>${(0,l.I)({id:"theme.SearchBar.noResultsText",message:"No results"})}</span></span>`}var Me=n(311),Be=n(51);async function ze(){const e=await Promise.all([n.e(8443),n.e(5525)]).then(n.t.bind(n,8443,23)),t=e.default;return t.noConflict?t.noConflict():e.noConflict&&e.noConflict(),t}const $e="_highlight";const Ue=function(e){let{handleSearchBarToggle:t}=e;const n=(0,B.Z)(),{siteConfig:{baseUrl:a},i18n:{currentLocale:o}}=(0,le.Z)(),i=(0,ke.gA)();let c=a;try{const{preferredVersion:e}=(0,ve.J)(i?.pluginId??ye.gQ);e&&!e.isLast&&(c=e.path+"/")}catch(F){if(ye.l9&&!(F instanceof P.i6))throw F}const d=(0,s.k6)(),p=(0,s.TH)(),f=(0,r.useRef)(null),h=(0,r.useRef)(new Map),m=(0,r.useRef)(!1),[g,y]=(0,r.useState)(!1),[b,v]=(0,r.useState)(!1),[k,w]=(0,r.useState)(""),x=(0,r.useRef)(null),S=(0,r.useRef)(""),[E,C]=(0,r.useState)("");(0,r.useEffect)((()=>{if(!Array.isArray(ye.Kc))return;let e="";if(p.pathname.startsWith(c)){const t=p.pathname.substring(c.length);let n;for(const e of ye.Kc){const r="string"==typeof e?e:e.path;if(t===r||t.startsWith(`${r}/`)){n=r;break}}n&&(e=n)}S.current!==e&&(h.current.delete(e),S.current=e),C(e)}),[p.pathname,c]);const _=!!ye.hG&&Array.isArray(ye.Kc)&&""===E,T=(0,r.useCallback)((async()=>{if(_||h.current.get(E))return;h.current.set(E,"loading"),x.current?.autocomplete.destroy(),y(!0);const[{wrappedIndexes:e,zhDictionary:t},n]=await Promise.all([(0,we.w)(c,E),ze()]);if(x.current=n(f.current,{hint:!1,autoselect:!0,openOnFocus:!0,cssClasses:{root:(0,be.Z)(Ie.searchBar,{[Ie.searchBarLeft]:"left"===ye.pu}),noPrefix:!0,dropdownMenu:Ie.dropdownMenu,input:Ie.input,hint:Ie.hint,suggestions:Ie.suggestions,suggestion:Ie.suggestion,cursor:Ie.cursor,dataset:Ie.dataset,empty:Ie.empty}},[{source:(0,xe.v)(e,t,ye.qo),templates:{suggestion:De,empty:Fe,footer:e=>{let{query:t,isEmpty:n}=e;if(n&&(!E||!ye.pQ))return;const r=(e=>{let{query:t,isEmpty:n}=e;const r=document.createElement("a"),i=new URLSearchParams;let s;if(i.set("q",t),E){const e=E&&Array.isArray(ye.Kc)?ye.Kc.find((e=>"string"==typeof e?e===E:e.path===E)):E,t=e?(0,Be._)(e,o).label:E;s=ye.pQ&&n?(0,l.I)({id:"theme.SearchBar.seeAllOutsideContext",message:'See all results outside "{context}"'},{context:t}):(0,l.I)({id:"theme.SearchBar.searchInContext",message:'See all results within "{context}"'},{context:t})}else s=(0,l.I)({id:"theme.SearchBar.seeAll",message:"See all results"});if(!E||!Array.isArray(ye.Kc)||ye.pQ&&n||i.set("ctx",E),c!==a){if(!c.startsWith(a))throw new Error(`Version url '${c}' does not start with base url '${a}', this is a bug of \`@easyops-cn/docusaurus-search-local\`, please report it.`);i.set("version",c.substring(a.length))}const u=`${a}search/?${i.toString()}`;return r.href=u,r.textContent=s,r.addEventListener("click",(e=>{e.ctrlKey||e.metaKey||(e.preventDefault(),x.current?.autocomplete.close(),d.push(u))})),r})({query:t,isEmpty:n}),i=document.createElement("div");return i.className=Ie.hitFooter,i.appendChild(r),i}}}]).on("autocomplete:selected",(function(e,t){let{document:{u:n,h:r},tokens:a}=t;f.current?.blur();let o=n;if(ye.vc&&a.length>0){const e=new URLSearchParams;for(const t of a)e.append($e,t);o+=`?${e.toString()}`}r&&(o+=r),d.push(o)})).on("autocomplete:closed",(()=>{f.current?.blur()})),h.current.set(E,"done"),y(!1),m.current){const e=f.current;e.value&&x.current?.autocomplete.open(),e.focus()}}),[_,E,c,a,d]);(0,r.useEffect)((()=>{if(!ye.vc)return;const e=n?new URLSearchParams(p.search).getAll($e):[];setTimeout((()=>{const t=document.querySelector("article");if(!t)return;const n=new ye.vc(t);n.unmark(),0!==e.length&&n.mark(e),w(e.join(" ")),x.current?.autocomplete.setVal(e.join(" "))}))}),[n,p.search,p.pathname]);const[L,R]=(0,r.useState)(!1),j=(0,r.useCallback)((()=>{m.current=!0,T(),R(!0),t?.(!0)}),[t,T]),N=(0,r.useCallback)((()=>{R(!1),t?.(!1)}),[t]),A=(0,r.useCallback)((()=>{T()}),[T]),O=(0,r.useCallback)((e=>{w(e.target.value),e.target.value&&v(!0)}),[]),I=!!n&&/mac/i.test(navigator.userAgentData?.platform??navigator.platform);(0,r.useEffect)((()=>{if(!ye.AY)return;const e=e=>{!(I?e.metaKey:e.ctrlKey)||"k"!==e.key&&"K"!==e.key||(e.preventDefault(),f.current?.focus(),j())};return document.addEventListener("keydown",e),()=>{document.removeEventListener("keydown",e)}}),[I,j]);const D=(0,r.useCallback)((()=>{const e=new URLSearchParams(p.search);e.delete($e);const t=e.toString(),n=p.pathname+(""!=t?`?${t}`:"")+p.hash;n!=p.pathname+p.search+p.hash&&d.push(n),w(""),x.current?.autocomplete.setVal("")}),[p.pathname,p.search,p.hash,d]);return(0,u.jsxs)("div",{className:(0,be.Z)("navbar__search",Ie.searchBarContainer,{[Ie.searchIndexLoading]:g&&b,[Ie.focused]:L}),hidden:_,dir:"ltr",children:[(0,u.jsx)("input",{placeholder:(0,l.I)({id:"theme.SearchBar.label",message:"Search",description:"The ARIA label and placeholder for search button"}),"aria-label":"Search",className:"navbar__search-input",onMouseEnter:A,onFocus:j,onBlur:N,onChange:O,ref:f,value:k}),(0,u.jsx)(Me.Z,{className:Ie.searchBarLoadingRing}),ye.AY&&ye.t_&&(""!==k?(0,u.jsx)("button",{className:Ie.searchClearButton,onClick:D,children:"\u2715"}):n&&(0,u.jsxs)("div",{className:Ie.searchHintContainer,children:[(0,u.jsx)("kbd",{className:Ie.searchHint,children:I?"\u2318":"ctrl"}),(0,u.jsx)("kbd",{className:Ie.searchHint,children:"K"})]}))]})},qe={navbarSearchContainer:"navbarSearchContainer_Bca1"};function He(e){let{children:t,className:n}=e;return(0,u.jsx)("div",{className:(0,a.Z)(n,qe.navbarSearchContainer),children:t})}var Qe=n(3438);const Ze=e=>e.docs.find((t=>t.id===e.mainDocId));const Ve={default:oe,localeDropdown:function(e){let{mobile:t,dropdownItemsBefore:n,dropdownItemsAfter:r,queryString:a="",...o}=e;const{i18n:{currentLocale:i,locales:c,localeConfigs:d}}=(0,le.Z)(),p=(0,he.l)(),{search:f,hash:h}=(0,s.TH)(),m=[...n,...c.map((e=>{const n=`${`pathname://${p.createUrl({locale:e,fullyQualified:!1})}`}${f}${h}${a}`;return{label:d[e].label,lang:d[e].htmlLang,to:n,target:"_self",autoAddBaseUrl:!1,className:e===i?t?"menu__link--active":"dropdown__link--active":""}})),...r],g=t?(0,l.I)({message:"Languages",id:"theme.navbar.mobileLanguageDropdown.label",description:"The label for the mobile language switcher dropdown"}):d[i].label;return(0,u.jsx)(fe,{...o,mobile:t,label:(0,u.jsxs)(u.Fragment,{children:[(0,u.jsx)(me,{className:ge}),g]}),items:m})},search:function(e){let{mobile:t,className:n}=e;return t?null:(0,u.jsx)(He,{className:n,children:(0,u.jsx)(Ue,{})})},dropdown:fe,html:function(e){let{value:t,className:n,mobile:r=!1,isDropdownItem:o=!1}=e;const i=o?"li":"div";return(0,u.jsx)(i,{className:(0,a.Z)({navbar__item:!r&&!o,"menu__list-item":r},n),dangerouslySetInnerHTML:{__html:t}})},doc:function(e){let{docId:t,label:n,docsPluginId:r,...a}=e;const{activeDoc:o}=(0,ke.Iw)(r),i=(0,Qe.vY)(t,r),s=o?.path===i?.path;return null===i||i.unlisted&&!s?null:(0,u.jsx)(oe,{exact:!0,...a,isActive:()=>s||!!o?.sidebar&&o.sidebar===i.sidebar,label:n??i.id,to:i.path})},docSidebar:function(e){let{sidebarId:t,label:n,docsPluginId:r,...a}=e;const{activeDoc:o}=(0,ke.Iw)(r),i=(0,Qe.oz)(t,r).link;if(!i)throw new Error(`DocSidebarNavbarItem: Sidebar with ID "${t}" doesn't have anything to be linked to.`);return(0,u.jsx)(oe,{exact:!0,...a,isActive:()=>o?.sidebar===t,label:n??i.label,to:i.path})},docsVersion:function(e){let{label:t,to:n,docsPluginId:r,...a}=e;const o=(0,Qe.lO)(r)[0],i=t??o.label,s=n??(e=>e.docs.find((t=>t.id===e.mainDocId)))(o).path;return(0,u.jsx)(oe,{...a,label:i,to:s})},docsVersionDropdown:function(e){let{mobile:t,docsPluginId:n,dropdownActiveClassDisabled:r,dropdownItemsBefore:a,dropdownItemsAfter:o,...i}=e;const{search:c,hash:d}=(0,s.TH)(),p=(0,ke.Iw)(n),f=(0,ke.gB)(n),{savePreferredVersionName:h}=(0,ve.J)(n),m=[...a,...f.map((e=>{const t=p.alternateDocVersions[e.name]??Ze(e);return{label:e.label,to:`${t.path}${c}${d}`,isActive:()=>e===p.activeVersion,onClick:()=>h(e.name)}})),...o],g=(0,Qe.lO)(n)[0],y=t&&m.length>1?(0,l.I)({id:"theme.navbar.mobileVersionsDropdown.label",message:"Versions",description:"The label for the navbar versions dropdown on mobile view"}):g.label,b=t&&m.length>1?void 0:Ze(g).path;return m.length<=1?(0,u.jsx)(oe,{...i,mobile:t,label:y,to:b,isActive:r?()=>!1:void 0}):(0,u.jsx)(fe,{...i,mobile:t,label:y,to:b,items:m,isActive:r?()=>!1:void 0})}};function We(e){let{type:t,...n}=e;const r=function(e,t){return e&&"default"!==e?e:"items"in t?"dropdown":"default"}(t,n),a=Ve[r];if(!a)throw new Error(`No NavbarItem component found for type "${t}".`);return(0,u.jsx)(a,{...n})}function Ge(){const e=(0,R.e)(),t=(0,k.L)().navbar.items;return(0,u.jsx)("ul",{className:"menu__list",children:t.map(((t,n)=>(0,r.createElement)(We,{mobile:!0,...t,onClick:()=>e.toggle(),key:n})))})}function Xe(e){return(0,u.jsx)("button",{...e,type:"button",className:"clean-btn navbar-sidebar__back",children:(0,u.jsx)(l.Z,{id:"theme.navbar.mobileSidebarSecondaryMenu.backButtonLabel",description:"The label of the back button to return to main menu, inside the mobile navbar sidebar secondary menu (notably used to display the docs sidebar)",children:"\u2190 Back to main menu"})})}function Ke(){const e=0===(0,k.L)().navbar.items.length,t=D();return(0,u.jsxs)(u.Fragment,{children:[!e&&(0,u.jsx)(Xe,{onClick:()=>t.hide()}),t.content]})}function Ye(){const e=(0,R.e)();var t;return void 0===(t=e.shown)&&(t=!0),(0,r.useEffect)((()=>(document.body.style.overflow=t?"hidden":"visible",()=>{document.body.style.overflow="visible"})),[t]),e.shouldRender?(0,u.jsx)(F,{header:(0,u.jsx)(X,{}),primaryMenu:(0,u.jsx)(Ge,{}),secondaryMenu:(0,u.jsx)(Ke,{})}):null}const Je={navbarHideable:"navbarHideable_m1mJ",navbarHidden:"navbarHidden_jGov"};function et(e){return(0,u.jsx)("div",{role:"presentation",...e,className:(0,a.Z)("navbar-sidebar__backdrop",e.className)})}function tt(e){let{children:t}=e;const{navbar:{hideOnScroll:n,style:o}}=(0,k.L)(),i=(0,R.e)(),{navbarRef:s,isNavbarVisible:d}=function(e){const[t,n]=(0,r.useState)(e),a=(0,r.useRef)(!1),o=(0,r.useRef)(0),i=(0,r.useCallback)((e=>{null!==e&&(o.current=e.getBoundingClientRect().height)}),[]);return(0,j.RF)(((t,r)=>{let{scrollY:i}=t;if(!e)return;if(i<o.current)return void n(!0);if(a.current)return void(a.current=!1);const s=r?.scrollY,l=document.documentElement.scrollHeight-o.current,c=window.innerHeight;s&&i>=s?n(!1):i+c<l&&n(!0)})),(0,c.S)((t=>{if(!e)return;const r=t.location.hash;if(r?document.getElementById(r.substring(1)):void 0)return a.current=!0,void n(!1);n(!0)})),{navbarRef:i,isNavbarVisible:t}}(n);return(0,u.jsxs)("nav",{ref:s,"aria-label":(0,l.I)({id:"theme.NavBar.navAriaLabel",message:"Main",description:"The ARIA label for the main navigation"}),className:(0,a.Z)("navbar","navbar--fixed-top",n&&[Je.navbarHideable,!d&&Je.navbarHidden],{"navbar--dark":"dark"===o,"navbar--primary":"primary"===o,"navbar-sidebar--show":i.shown}),children:[t,(0,u.jsx)(et,{onClick:i.toggle}),(0,u.jsx)(Ye,{})]})}var nt=n(9690);const rt="right";function at(e){let{width:t=30,height:n=30,className:r,...a}=e;return(0,u.jsx)("svg",{className:r,width:t,height:n,viewBox:"0 0 30 30","aria-hidden":"true",...a,children:(0,u.jsx)("path",{stroke:"currentColor",strokeLinecap:"round",strokeMiterlimit:"10",strokeWidth:"2",d:"M4 7h22M4 15h22M4 23h22"})})}function ot(){const{toggle:e,shown:t}=(0,R.e)();return(0,u.jsx)("button",{onClick:e,"aria-label":(0,l.I)({id:"theme.docs.sidebar.toggleSidebarButtonAriaLabel",message:"Toggle navigation bar",description:"The ARIA label for hamburger menu button of mobile navigation"}),"aria-expanded":t,className:"navbar__toggle clean-btn",type:"button",children:(0,u.jsx)(at,{})})}const it={colorModeToggle:"colorModeToggle_DEke"};function st(e){let{items:t}=e;return(0,u.jsx)(u.Fragment,{children:t.map(((e,t)=>(0,u.jsx)(nt.QW,{onError:t=>new Error(`A theme navbar item failed to render.\nPlease double-check the following navbar item (themeConfig.navbar.items) of your Docusaurus config:\n${JSON.stringify(e,null,2)}`,{cause:t}),children:(0,u.jsx)(We,{...e})},t)))})}function lt(e){let{left:t,right:n}=e;return(0,u.jsxs)("div",{className:"navbar__inner",children:[(0,u.jsx)("div",{className:"navbar__items",children:t}),(0,u.jsx)("div",{className:"navbar__items navbar__items--right",children:n})]})}function ct(){const e=(0,R.e)(),t=(0,k.L)().navbar.items,[n,r]=function(e){function t(e){return"left"===(e.position??rt)}return[e.filter(t),e.filter((e=>!t(e)))]}(t),a=t.find((e=>"search"===e.type));return(0,u.jsx)(lt,{left:(0,u.jsxs)(u.Fragment,{children:[!e.disabled&&(0,u.jsx)(ot,{}),(0,u.jsx)(W,{}),(0,u.jsx)(st,{items:n})]}),right:(0,u.jsxs)(u.Fragment,{children:[(0,u.jsx)(st,{items:r}),(0,u.jsx)(Z,{className:it.colorModeToggle}),!a&&(0,u.jsx)(He,{children:(0,u.jsx)(Ue,{})})]})})}function ut(){return(0,u.jsx)(tt,{children:(0,u.jsx)(ct,{})})}function dt(e){let{item:t}=e;const{to:n,href:r,label:a,prependBaseUrlToHref:o,...i}=t,s=(0,Y.ZP)(n),l=(0,Y.ZP)(r,{forcePrependBaseUrl:!0});return(0,u.jsxs)(K.Z,{className:"footer__link-item",...r?{href:o?l:r}:{to:s},...i,children:[a,r&&!(0,J.Z)(r)&&(0,u.jsx)(te.Z,{})]})}function pt(e){let{item:t}=e;return t.html?(0,u.jsx)("li",{className:"footer__item",dangerouslySetInnerHTML:{__html:t.html}}):(0,u.jsx)("li",{className:"footer__item",children:(0,u.jsx)(dt,{item:t})},t.href??t.to)}function ft(e){let{column:t}=e;return(0,u.jsxs)("div",{className:"col footer__col",children:[(0,u.jsx)("div",{className:"footer__title",children:t.title}),(0,u.jsx)("ul",{className:"footer__items clean-list",children:t.items.map(((e,t)=>(0,u.jsx)(pt,{item:e},t)))})]})}function ht(e){let{columns:t}=e;return(0,u.jsx)("div",{className:"row footer__links",children:t.map(((e,t)=>(0,u.jsx)(ft,{column:e},t)))})}function mt(){return(0,u.jsx)("span",{className:"footer__link-separator",children:"\xb7"})}function gt(e){let{item:t}=e;return t.html?(0,u.jsx)("span",{className:"footer__link-item",dangerouslySetInnerHTML:{__html:t.html}}):(0,u.jsx)(dt,{item:t})}function yt(e){let{links:t}=e;return(0,u.jsx)("div",{className:"footer__links text--center",children:(0,u.jsx)("div",{className:"footer__links",children:t.map(((e,n)=>(0,u.jsxs)(r.Fragment,{children:[(0,u.jsx)(gt,{item:e}),t.length!==n+1&&(0,u.jsx)(mt,{})]},n)))})})}function bt(e){let{links:t}=e;return function(e){return"title"in e[0]}(t)?(0,u.jsx)(ht,{columns:t}):(0,u.jsx)(yt,{links:t})}var vt=n(9965);const kt={footerLogoLink:"footerLogoLink_BH7S"};function wt(e){let{logo:t}=e;const{withBaseUrl:n}=(0,Y.Cg)(),r={light:n(t.src),dark:n(t.srcDark??t.src)};return(0,u.jsx)(vt.Z,{className:(0,a.Z)("footer__logo",t.className),alt:t.alt,sources:r,width:t.width,height:t.height,style:t.style})}function xt(e){let{logo:t}=e;return t.href?(0,u.jsx)(K.Z,{href:t.href,className:kt.footerLogoLink,target:t.target,children:(0,u.jsx)(wt,{logo:t})}):(0,u.jsx)(wt,{logo:t})}function St(e){let{copyright:t}=e;return(0,u.jsx)("div",{className:"footer__copyright",dangerouslySetInnerHTML:{__html:t}})}function Et(e){let{style:t,links:n,logo:r,copyright:o}=e;return(0,u.jsx)("footer",{className:(0,a.Z)("footer",{"footer--dark":"dark"===t}),children:(0,u.jsxs)("div",{className:"container container-fluid",children:[n,(r||o)&&(0,u.jsxs)("div",{className:"footer__bottom text--center",children:[r&&(0,u.jsx)("div",{className:"margin-bottom--sm",children:r}),o]})]})})}function Ct(){const{footer:e}=(0,k.L)();if(!e)return null;const{copyright:t,links:n,logo:r,style:a}=e;return(0,u.jsx)(Et,{style:a,links:n&&n.length>0&&(0,u.jsx)(bt,{links:n}),logo:r&&(0,u.jsx)(xt,{logo:r}),copyright:t&&(0,u.jsx)(St,{copyright:t})})}const _t=r.memo(Ct),Tt=(0,P.Qc)([M.S,w.p,j.OC,ve.L5,i.VC,function(e){let{children:t}=e;return(0,u.jsx)(N.n2,{children:(0,u.jsx)(R.M,{children:(0,u.jsx)(O,{children:t})})})}]);function Lt(e){let{children:t}=e;return(0,u.jsx)(Tt,{children:t})}var Rt=n(2503);function jt(e){let{error:t,tryAgain:n}=e;return(0,u.jsx)("main",{className:"container margin-vert--xl",children:(0,u.jsx)("div",{className:"row",children:(0,u.jsxs)("div",{className:"col col--6 col--offset-3",children:[(0,u.jsx)(Rt.Z,{as:"h1",className:"hero__title",children:(0,u.jsx)(l.Z,{id:"theme.ErrorPageContent.title",description:"The title of the fallback page when the page crashed",children:"This page crashed."})}),(0,u.jsx)("div",{className:"margin-vert--lg",children:(0,u.jsx)(nt.Cw,{onClick:n,className:"button button--primary shadow--lw"})}),(0,u.jsx)("hr",{}),(0,u.jsx)("div",{className:"margin-vert--md",children:(0,u.jsx)(nt.aG,{error:t})})]})})})}const Pt={mainWrapper:"mainWrapper_z2l0"};function Nt(e){const{children:t,noFooter:n,wrapperClassName:r,title:s,description:l}=e;return(0,y.t)(),(0,u.jsxs)(Lt,{children:[(0,u.jsx)(i.d,{title:s,description:l}),(0,u.jsx)(v,{}),(0,u.jsx)(L,{}),(0,u.jsx)(ut,{}),(0,u.jsx)("div",{id:d,className:(0,a.Z)(g.k.wrapper.main,Pt.mainWrapper,r),children:(0,u.jsx)(o.Z,{fallback:e=>(0,u.jsx)(jt,{...e}),children:t})}),!n&&(0,u.jsx)(_t,{})]})}},1327:(e,t,n)=>{"use strict";n.d(t,{Z:()=>u});n(7294);var r=n(3692),a=n(4996),o=n(2263),i=n(6668),s=n(9965),l=n(5893);function c(e){let{logo:t,alt:n,imageClassName:r}=e;const o={light:(0,a.ZP)(t.src),dark:(0,a.ZP)(t.srcDark||t.src)},i=(0,l.jsx)(s.Z,{className:t.className,sources:o,height:t.height,width:t.width,alt:n,style:t.style});return r?(0,l.jsx)("div",{className:r,children:i}):i}function u(e){const{siteConfig:{title:t}}=(0,o.Z)(),{navbar:{title:n,logo:s}}=(0,i.L)(),{imageClassName:u,titleClassName:d,...p}=e,f=(0,a.ZP)(s?.href||"/"),h=n?"":t,m=s?.alt??h;return(0,l.jsxs)(r.Z,{to:f,...p,...s?.target&&{target:s.target},children:[s&&(0,l.jsx)(c,{logo:s,alt:m,imageClassName:u}),null!=n&&(0,l.jsx)("b",{className:d,children:n})]})}},197:(e,t,n)=>{"use strict";n.d(t,{Z:()=>o});n(7294);var r=n(5742),a=n(5893);function o(e){let{locale:t,version:n,tag:o}=e;const i=t;return(0,a.jsxs)(r.Z,{children:[t&&(0,a.jsx)("meta",{name:"docusaurus_locale",content:t}),n&&(0,a.jsx)("meta",{name:"docusaurus_version",content:n}),o&&(0,a.jsx)("meta",{name:"docusaurus_tag",content:o}),i&&(0,a.jsx)("meta",{name:"docsearch:language",content:i}),n&&(0,a.jsx)("meta",{name:"docsearch:version",content:n}),o&&(0,a.jsx)("meta",{name:"docsearch:docusaurus_tag",content:o})]})}},9965:(e,t,n)=>{"use strict";n.d(t,{Z:()=>u});var r=n(7294),a=n(512),o=n(2389),i=n(2949);const s={themedComponent:"themedComponent_mlkZ","themedComponent--light":"themedComponent--light_NVdE","themedComponent--dark":"themedComponent--dark_xIcU"};var l=n(5893);function c(e){let{className:t,children:n}=e;const c=(0,o.Z)(),{colorMode:u}=(0,i.I)();return(0,l.jsx)(l.Fragment,{children:(c?"dark"===u?["dark"]:["light"]:["light","dark"]).map((e=>{const o=n({theme:e,className:(0,a.Z)(t,s.themedComponent,s[`themedComponent--${e}`])});return(0,l.jsx)(r.Fragment,{children:o},e)}))})}function u(e){const{sources:t,className:n,alt:r,...a}=e;return(0,l.jsx)(c,{className:n,children:e=>{let{theme:n,className:o}=e;return(0,l.jsx)("img",{src:t[n],alt:r,className:o,...a})}})}},6043:(e,t,n)=>{"use strict";n.d(t,{u:()=>c,z:()=>y});var r=n(7294),a=n(412),o=n(469),i=n(1442),s=n(5893);const l="ease-in-out";function c(e){let{initialState:t}=e;const[n,a]=(0,r.useState)(t??!1),o=(0,r.useCallback)((()=>{a((e=>!e))}),[]);return{collapsed:n,setCollapsed:a,toggleCollapsed:o}}const u={display:"none",overflow:"hidden",height:"0px"},d={display:"block",overflow:"visible",height:"auto"};function p(e,t){const n=t?u:d;e.style.display=n.display,e.style.overflow=n.overflow,e.style.height=n.height}function f(e){let{collapsibleRef:t,collapsed:n,animation:a}=e;const o=(0,r.useRef)(!1);(0,r.useEffect)((()=>{const e=t.current;function r(){const t=e.scrollHeight,n=a?.duration??function(e){if((0,i.n)())return 1;const t=e/36;return Math.round(10*(4+15*t**.25+t/5))}(t);return{transition:`height ${n}ms ${a?.easing??l}`,height:`${t}px`}}function s(){const t=r();e.style.transition=t.transition,e.style.height=t.height}if(!o.current)return p(e,n),void(o.current=!0);return e.style.willChange="height",function(){const t=requestAnimationFrame((()=>{n?(s(),requestAnimationFrame((()=>{e.style.height=u.height,e.style.overflow=u.overflow}))):(e.style.display="block",requestAnimationFrame((()=>{s()})))}));return()=>cancelAnimationFrame(t)}()}),[t,n,a])}function h(e){if(!a.Z.canUseDOM)return e?u:d}function m(e){let{as:t="div",collapsed:n,children:a,animation:o,onCollapseTransitionEnd:i,className:l,disableSSRStyle:c}=e;const u=(0,r.useRef)(null);return f({collapsibleRef:u,collapsed:n,animation:o}),(0,s.jsx)(t,{ref:u,style:c?void 0:h(n),onTransitionEnd:e=>{"height"===e.propertyName&&(p(u.current,n),i?.(n))},className:l,children:a})}function g(e){let{collapsed:t,...n}=e;const[a,i]=(0,r.useState)(!t),[l,c]=(0,r.useState)(t);return(0,o.Z)((()=>{t||i(!0)}),[t]),(0,o.Z)((()=>{a&&c(t)}),[a,t]),a?(0,s.jsx)(m,{...n,collapsed:l}):null}function y(e){let{lazy:t,...n}=e;const r=t?g:m;return(0,s.jsx)(r,{...n})}},9689:(e,t,n)=>{"use strict";n.d(t,{n:()=>m,p:()=>h});var r=n(7294),a=n(2389),o=n(812),i=n(902),s=n(6668),l=n(5893);const c=(0,o.WA)("docusaurus.announcement.dismiss"),u=(0,o.WA)("docusaurus.announcement.id"),d=()=>"true"===c.get(),p=e=>c.set(String(e)),f=r.createContext(null);function h(e){let{children:t}=e;const n=function(){const{announcementBar:e}=(0,s.L)(),t=(0,a.Z)(),[n,o]=(0,r.useState)((()=>!!t&&d()));(0,r.useEffect)((()=>{o(d())}),[]);const i=(0,r.useCallback)((()=>{p(!0),o(!0)}),[]);return(0,r.useEffect)((()=>{if(!e)return;const{id:t}=e;let n=u.get();"annoucement-bar"===n&&(n="announcement-bar");const r=t!==n;u.set(t),r&&p(!1),!r&&d()||o(!1)}),[e]),(0,r.useMemo)((()=>({isActive:!!e&&!n,close:i})),[e,n,i])}();return(0,l.jsx)(f.Provider,{value:n,children:t})}function m(){const e=(0,r.useContext)(f);if(!e)throw new i.i6("AnnouncementBarProvider");return e}},2949:(e,t,n)=>{"use strict";n.d(t,{I:()=>y,S:()=>g});var r=n(7294),a=n(412),o=n(902),i=n(812),s=n(6668),l=n(5893);const c=r.createContext(void 0),u="theme",d=(0,i.WA)(u),p={light:"light",dark:"dark"},f=e=>e===p.dark?p.dark:p.light,h=e=>a.Z.canUseDOM?f(document.documentElement.getAttribute("data-theme")):f(e),m=e=>{d.set(f(e))};function g(e){let{children:t}=e;const n=function(){const{colorMode:{defaultMode:e,disableSwitch:t,respectPrefersColorScheme:n}}=(0,s.L)(),[a,o]=(0,r.useState)(h(e));(0,r.useEffect)((()=>{t&&d.del()}),[t]);const i=(0,r.useCallback)((function(t,r){void 0===r&&(r={});const{persist:a=!0}=r;t?(o(t),a&&m(t)):(o(n?window.matchMedia("(prefers-color-scheme: dark)").matches?p.dark:p.light:e),d.del())}),[n,e]);(0,r.useEffect)((()=>{document.documentElement.setAttribute("data-theme",f(a))}),[a]),(0,r.useEffect)((()=>{if(t)return;const e=e=>{if(e.key!==u)return;const t=d.get();null!==t&&i(f(t))};return window.addEventListener("storage",e),()=>window.removeEventListener("storage",e)}),[t,i]);const l=(0,r.useRef)(!1);return(0,r.useEffect)((()=>{if(t&&!n)return;const e=window.matchMedia("(prefers-color-scheme: dark)"),r=()=>{window.matchMedia("print").matches||l.current?l.current=window.matchMedia("print").matches:i(null)};return e.addListener(r),()=>e.removeListener(r)}),[i,t,n]),(0,r.useMemo)((()=>({colorMode:a,setColorMode:i,get isDarkTheme(){return a===p.dark},setLightTheme(){i(p.light)},setDarkTheme(){i(p.dark)}})),[a,i])}();return(0,l.jsx)(c.Provider,{value:n,children:t})}function y(){const e=(0,r.useContext)(c);if(null==e)throw new o.i6("ColorModeProvider","Please see https://docusaurus.io/docs/api/themes/configuration#use-color-mode.");return e}},373:(e,t,n)=>{"use strict";n.d(t,{J:()=>v,L5:()=>y});var r=n(7294),a=n(143),o=n(9935),i=n(6668),s=n(3438),l=n(902),c=n(812),u=n(5893);const d=e=>`docs-preferred-version-${e}`,p={save:(e,t,n)=>{(0,c.WA)(d(e),{persistence:t}).set(n)},read:(e,t)=>(0,c.WA)(d(e),{persistence:t}).get(),clear:(e,t)=>{(0,c.WA)(d(e),{persistence:t}).del()}},f=e=>Object.fromEntries(e.map((e=>[e,{preferredVersionName:null}])));const h=r.createContext(null);function m(){const e=(0,a._r)(),t=(0,i.L)().docs.versionPersistence,n=(0,r.useMemo)((()=>Object.keys(e)),[e]),[o,s]=(0,r.useState)((()=>f(n)));(0,r.useEffect)((()=>{s(function(e){let{pluginIds:t,versionPersistence:n,allDocsData:r}=e;function a(e){const t=p.read(e,n);return r[e].versions.some((e=>e.name===t))?{preferredVersionName:t}:(p.clear(e,n),{preferredVersionName:null})}return Object.fromEntries(t.map((e=>[e,a(e)])))}({allDocsData:e,versionPersistence:t,pluginIds:n}))}),[e,t,n]);return[o,(0,r.useMemo)((()=>({savePreferredVersion:function(e,n){p.save(e,t,n),s((t=>({...t,[e]:{preferredVersionName:n}})))}})),[t])]}function g(e){let{children:t}=e;const n=m();return(0,u.jsx)(h.Provider,{value:n,children:t})}function y(e){let{children:t}=e;return s.cE?(0,u.jsx)(g,{children:t}):(0,u.jsx)(u.Fragment,{children:t})}function b(){const e=(0,r.useContext)(h);if(!e)throw new l.i6("DocsPreferredVersionContextProvider");return e}function v(e){void 0===e&&(e=o.m);const t=(0,a.zh)(e),[n,i]=b(),{preferredVersionName:s}=n[e];return{preferredVersion:t.versions.find((e=>e.name===s))??null,savePreferredVersionName:(0,r.useCallback)((t=>{i.savePreferredVersion(e,t)}),[i,e])}}},1116:(e,t,n)=>{"use strict";n.d(t,{V:()=>c,b:()=>l});var r=n(7294),a=n(902),o=n(5893);const i=Symbol("EmptyContext"),s=r.createContext(i);function l(e){let{children:t,name:n,items:a}=e;const i=(0,r.useMemo)((()=>n&&a?{name:n,items:a}:null),[n,a]);return(0,o.jsx)(s.Provider,{value:i,children:t})}function c(){const e=(0,r.useContext)(s);if(e===i)throw new a.i6("DocsSidebarProvider");return e}},4477:(e,t,n)=>{"use strict";n.d(t,{E:()=>l,q:()=>s});var r=n(7294),a=n(902),o=n(5893);const i=r.createContext(null);function s(e){let{children:t,version:n}=e;return(0,o.jsx)(i.Provider,{value:n,children:t})}function l(){const e=(0,r.useContext)(i);if(null===e)throw new a.i6("DocsVersionProvider");return e}},3163:(e,t,n)=>{"use strict";n.d(t,{M:()=>p,e:()=>f});var r=n(7294),a=n(3102),o=n(7524),i=n(1980),s=n(6668),l=n(902),c=n(5893);const u=r.createContext(void 0);function d(){const e=function(){const e=(0,a.HY)(),{items:t}=(0,s.L)().navbar;return 0===t.length&&!e.component}(),t=(0,o.i)(),n=!e&&"mobile"===t,[l,c]=(0,r.useState)(!1);(0,i.Rb)((()=>{if(l)return c(!1),!1}));const u=(0,r.useCallback)((()=>{c((e=>!e))}),[]);return(0,r.useEffect)((()=>{"desktop"===t&&c(!1)}),[t]),(0,r.useMemo)((()=>({disabled:e,shouldRender:n,toggle:u,shown:l})),[e,n,u,l])}function p(e){let{children:t}=e;const n=d();return(0,c.jsx)(u.Provider,{value:n,children:t})}function f(){const e=r.useContext(u);if(void 0===e)throw new l.i6("NavbarMobileSidebarProvider");return e}},3102:(e,t,n)=>{"use strict";n.d(t,{HY:()=>l,Zo:()=>c,n2:()=>s});var r=n(7294),a=n(902),o=n(5893);const i=r.createContext(null);function s(e){let{children:t}=e;const n=(0,r.useState)({component:null,props:null});return(0,o.jsx)(i.Provider,{value:n,children:t})}function l(){const e=(0,r.useContext)(i);if(!e)throw new a.i6("NavbarSecondaryMenuContentProvider");return e[0]}function c(e){let{component:t,props:n}=e;const o=(0,r.useContext)(i);if(!o)throw new a.i6("NavbarSecondaryMenuContentProvider");const[,s]=o,l=(0,a.Ql)(n);return(0,r.useEffect)((()=>{s({component:t,props:l})}),[s,t,l]),(0,r.useEffect)((()=>()=>s({component:null,props:null})),[s]),null}},9727:(e,t,n)=>{"use strict";n.d(t,{h:()=>a,t:()=>o});var r=n(7294);const a="navigation-with-keyboard";function o(){(0,r.useEffect)((()=>{function e(e){"keydown"===e.type&&"Tab"===e.key&&document.body.classList.add(a),"mousedown"===e.type&&document.body.classList.remove(a)}return document.addEventListener("keydown",e),document.addEventListener("mousedown",e),()=>{document.body.classList.remove(a),document.removeEventListener("keydown",e),document.removeEventListener("mousedown",e)}}),[])}},7524:(e,t,n)=>{"use strict";n.d(t,{i:()=>s});var r=n(7294),a=n(412);const o={desktop:"desktop",mobile:"mobile",ssr:"ssr"},i=996;function s(e){let{desktopBreakpoint:t=i}=void 0===e?{}:e;const[n,s]=(0,r.useState)((()=>"ssr"));return(0,r.useEffect)((()=>{function e(){s(function(e){if(!a.Z.canUseDOM)throw new Error("getWindowSize() should only be called after React hydration");return window.innerWidth>e?o.desktop:o.mobile}(t))}return e(),window.addEventListener("resize",e),()=>{window.removeEventListener("resize",e)}}),[t]),n}},5281:(e,t,n)=>{"use strict";n.d(t,{k:()=>r});const r={page:{blogListPage:"blog-list-page",blogPostPage:"blog-post-page",blogTagsListPage:"blog-tags-list-page",blogTagPostListPage:"blog-tags-post-list-page",docsDocPage:"docs-doc-page",docsTagsListPage:"docs-tags-list-page",docsTagDocListPage:"docs-tags-doc-list-page",mdxPage:"mdx-page"},wrapper:{main:"main-wrapper",blogPages:"blog-wrapper",docsPages:"docs-wrapper",mdxPages:"mdx-wrapper"},common:{editThisPage:"theme-edit-this-page",lastUpdated:"theme-last-updated",backToTopButton:"theme-back-to-top-button",codeBlock:"theme-code-block",admonition:"theme-admonition",unlistedBanner:"theme-unlisted-banner",admonitionType:e=>`theme-admonition-${e}`},layout:{},docs:{docVersionBanner:"theme-doc-version-banner",docVersionBadge:"theme-doc-version-badge",docBreadcrumbs:"theme-doc-breadcrumbs",docMarkdown:"theme-doc-markdown",docTocMobile:"theme-doc-toc-mobile",docTocDesktop:"theme-doc-toc-desktop",docFooter:"theme-doc-footer",docFooterTagsRow:"theme-doc-footer-tags-row",docFooterEditMetaRow:"theme-doc-footer-edit-meta-row",docSidebarContainer:"theme-doc-sidebar-container",docSidebarMenu:"theme-doc-sidebar-menu",docSidebarItemCategory:"theme-doc-sidebar-item-category",docSidebarItemLink:"theme-doc-sidebar-item-link",docSidebarItemCategoryLevel:e=>`theme-doc-sidebar-item-category-level-${e}`,docSidebarItemLinkLevel:e=>`theme-doc-sidebar-item-link-level-${e}`},blog:{blogFooterTagsRow:"theme-blog-footer-tags-row",blogFooterEditMetaRow:"theme-blog-footer-edit-meta-row"},pages:{pageFooterEditMetaRow:"theme-pages-footer-edit-meta-row"}}},1442:(e,t,n)=>{"use strict";function r(){return window.matchMedia("(prefers-reduced-motion: reduce)").matches}n.d(t,{n:()=>r})},3438:(e,t,n)=>{"use strict";n.d(t,{LM:()=>f,SN:()=>E,_F:()=>g,cE:()=>p,f:()=>b,lO:()=>w,oz:()=>x,s1:()=>k,vY:()=>S});var r=n(7294),a=n(6550),o=n(8790),i=n(143),s=n(373),l=n(4477),c=n(1116),u=n(7392),d=n(8596);const p=!!i._r;function f(e){return"link"!==e.type||e.unlisted?"category"===e.type?function(e){if(e.href&&!e.linkUnlisted)return e.href;for(const t of e.items){const e=f(t);if(e)return e}}(e):void 0:e.href}const h=(e,t)=>void 0!==e&&(0,d.Mg)(e,t),m=(e,t)=>e.some((e=>g(e,t)));function g(e,t){return"link"===e.type?h(e.href,t):"category"===e.type&&(h(e.href,t)||m(e.items,t))}function y(e,t){switch(e.type){case"category":return g(e,t)||e.items.some((e=>y(e,t)));case"link":return!e.unlisted||g(e,t);default:return!0}}function b(e,t){return(0,r.useMemo)((()=>e.filter((e=>y(e,t)))),[e,t])}function v(e){let{sidebarItems:t,pathname:n,onlyCategories:r=!1}=e;const a=[];return function e(t){for(const o of t)if("category"===o.type&&((0,d.Mg)(o.href,n)||e(o.items))||"link"===o.type&&(0,d.Mg)(o.href,n)){return r&&"category"!==o.type||a.unshift(o),!0}return!1}(t),a}function k(){const e=(0,c.V)(),{pathname:t}=(0,a.TH)(),n=(0,i.gA)()?.pluginData.breadcrumbs;return!1!==n&&e?v({sidebarItems:e.items,pathname:t}):null}function w(e){const{activeVersion:t}=(0,i.Iw)(e),{preferredVersion:n}=(0,s.J)(e),a=(0,i.yW)(e);return(0,r.useMemo)((()=>(0,u.j)([t,n,a].filter(Boolean))),[t,n,a])}function x(e,t){const n=w(t);return(0,r.useMemo)((()=>{const t=n.flatMap((e=>e.sidebars?Object.entries(e.sidebars):[])),r=t.find((t=>t[0]===e));if(!r)throw new Error(`Can't find any sidebar with id "${e}" in version${n.length>1?"s":""} ${n.map((e=>e.name)).join(", ")}".\nAvailable sidebar ids are:\n- ${t.map((e=>e[0])).join("\n- ")}`);return r[1]}),[e,n])}function S(e,t){const n=w(t);return(0,r.useMemo)((()=>{const t=n.flatMap((e=>e.docs)),r=t.find((t=>t.id===e));if(!r){if(n.flatMap((e=>e.draftIds)).includes(e))return null;throw new Error(`Couldn't find any doc with id "${e}" in version${n.length>1?"s":""} "${n.map((e=>e.name)).join(", ")}".\nAvailable doc ids are:\n- ${(0,u.j)(t.map((e=>e.id))).join("\n- ")}`)}return r}),[e,n])}function E(e){let{route:t}=e;const n=(0,a.TH)(),r=(0,l.E)(),i=t.routes,s=i.find((e=>(0,a.LX)(n.pathname,e)));if(!s)return null;const c=s.sidebar,u=c?r.docsSidebars[c]:void 0;return{docElement:(0,o.H)(i),sidebarName:c,sidebarItems:u}}},9690:(e,t,n)=>{"use strict";n.d(t,{aG:()=>u,Ac:()=>c,Cw:()=>l,QW:()=>d});var r=n(7294),a=n(5999),o=n(8780);const i={errorBoundaryError:"errorBoundaryError_a6uf",errorBoundaryFallback:"errorBoundaryFallback_VBag"};var s=n(5893);function l(e){return(0,s.jsx)("button",{type:"button",...e,children:(0,s.jsx)(a.Z,{id:"theme.ErrorPageContent.tryAgain",description:"The label of the button to try again rendering when the React error boundary captures an error",children:"Try again"})})}function c(e){let{error:t,tryAgain:n}=e;return(0,s.jsxs)("div",{className:i.errorBoundaryFallback,children:[(0,s.jsx)("p",{children:t.message}),(0,s.jsx)(l,{onClick:n})]})}function u(e){let{error:t}=e;const n=(0,o.getErrorCausalChain)(t).map((e=>e.message)).join("\n\nCause:\n");return(0,s.jsx)("p",{className:i.errorBoundaryError,children:n})}class d extends r.Component{componentDidCatch(e,t){throw this.props.onError(e,t)}render(){return this.props.children}}},1980:(e,t,n)=>{"use strict";n.d(t,{Rb:()=>i,_X:()=>l});var r=n(7294),a=n(6550),o=n(902);function i(e){!function(e){const t=(0,a.k6)(),n=(0,o.zX)(e);(0,r.useEffect)((()=>t.block(((e,t)=>n(e,t)))),[t,n])}(((t,n)=>{if("POP"===n)return e(t,n)}))}function s(e){const t=(0,a.k6)();return(0,r.useSyncExternalStore)(t.listen,(()=>e(t)),(()=>e(t)))}function l(e){return s((t=>null===e?null:new URLSearchParams(t.location.search).get(e)))}},7392:(e,t,n)=>{"use strict";function r(e,t){return void 0===t&&(t=(e,t)=>e===t),e.filter(((n,r)=>e.findIndex((e=>t(e,n)))!==r))}function a(e){return Array.from(new Set(e))}n.d(t,{j:()=>a,l:()=>r})},1944:(e,t,n)=>{"use strict";n.d(t,{FG:()=>f,d:()=>d,VC:()=>h});var r=n(7294),a=n(512),o=n(5742),i=n(226);function s(){const e=r.useContext(i._);if(!e)throw new Error("Unexpected: no Docusaurus route context found");return e}var l=n(4996),c=n(2263);var u=n(5893);function d(e){let{title:t,description:n,keywords:r,image:a,children:i}=e;const s=function(e){const{siteConfig:t}=(0,c.Z)(),{title:n,titleDelimiter:r}=t;return e?.trim().length?`${e.trim()} ${r} ${n}`:n}(t),{withBaseUrl:d}=(0,l.Cg)(),p=a?d(a,{absolute:!0}):void 0;return(0,u.jsxs)(o.Z,{children:[t&&(0,u.jsx)("title",{children:s}),t&&(0,u.jsx)("meta",{property:"og:title",content:s}),n&&(0,u.jsx)("meta",{name:"description",content:n}),n&&(0,u.jsx)("meta",{property:"og:description",content:n}),r&&(0,u.jsx)("meta",{name:"keywords",content:Array.isArray(r)?r.join(","):r}),p&&(0,u.jsx)("meta",{property:"og:image",content:p}),p&&(0,u.jsx)("meta",{name:"twitter:image",content:p}),i]})}const p=r.createContext(void 0);function f(e){let{className:t,children:n}=e;const i=r.useContext(p),s=(0,a.Z)(i,t);return(0,u.jsxs)(p.Provider,{value:s,children:[(0,u.jsx)(o.Z,{children:(0,u.jsx)("html",{className:s})}),n]})}function h(e){let{children:t}=e;const n=s(),r=`plugin-${n.plugin.name.replace(/docusaurus-(?:plugin|theme)-(?:content-)?/gi,"")}`;const o=`plugin-id-${n.plugin.id}`;return(0,u.jsx)(f,{className:(0,a.Z)(r,o),children:t})}},902:(e,t,n)=>{"use strict";n.d(t,{D9:()=>s,Qc:()=>u,Ql:()=>c,i6:()=>l,zX:()=>i});var r=n(7294),a=n(469),o=n(5893);function i(e){const t=(0,r.useRef)(e);return(0,a.Z)((()=>{t.current=e}),[e]),(0,r.useCallback)((function(){return t.current(...arguments)}),[])}function s(e){const t=(0,r.useRef)();return(0,a.Z)((()=>{t.current=e})),t.current}class l extends Error{constructor(e,t){super(),this.name="ReactContextError",this.message=`Hook ${this.stack?.split("\n")[1]?.match(/at (?:\w+\.)?(?<name>\w+)/)?.groups.name??""} is called outside the <${e}>. ${t??""}`}}function c(e){const t=Object.entries(e);return t.sort(((e,t)=>e[0].localeCompare(t[0]))),(0,r.useMemo)((()=>e),t.flat())}function u(e){return t=>{let{children:n}=t;return(0,o.jsx)(o.Fragment,{children:e.reduceRight(((e,t)=>(0,o.jsx)(t,{children:e})),n)})}}},8596:(e,t,n)=>{"use strict";n.d(t,{Mg:()=>i,Ns:()=>s});var r=n(7294),a=n(723),o=n(2263);function i(e,t){const n=e=>(!e||e.endsWith("/")?e:`${e}/`)?.toLowerCase();return n(e)===n(t)}function s(){const{baseUrl:e}=(0,o.Z)().siteConfig;return(0,r.useMemo)((()=>function(e){let{baseUrl:t,routes:n}=e;function r(e){return e.path===t&&!0===e.exact}function a(e){return e.path===t&&!e.exact}return function e(t){if(0===t.length)return;return t.find(r)||e(t.filter(a).flatMap((e=>e.routes??[])))}(n)}({routes:a.Z,baseUrl:e})),[e])}},2466:(e,t,n)=>{"use strict";n.d(t,{Ct:()=>m,OC:()=>u,RF:()=>f,o5:()=>h});var r=n(7294),a=n(412),o=n(2389),i=n(469),s=n(902),l=n(5893);const c=r.createContext(void 0);function u(e){let{children:t}=e;const n=function(){const e=(0,r.useRef)(!0);return(0,r.useMemo)((()=>({scrollEventsEnabledRef:e,enableScrollEvents:()=>{e.current=!0},disableScrollEvents:()=>{e.current=!1}})),[])}();return(0,l.jsx)(c.Provider,{value:n,children:t})}function d(){const e=(0,r.useContext)(c);if(null==e)throw new s.i6("ScrollControllerProvider");return e}const p=()=>a.Z.canUseDOM?{scrollX:window.pageXOffset,scrollY:window.pageYOffset}:null;function f(e,t){void 0===t&&(t=[]);const{scrollEventsEnabledRef:n}=d(),a=(0,r.useRef)(p()),o=(0,s.zX)(e);(0,r.useEffect)((()=>{const e=()=>{if(!n.current)return;const e=p();o(e,a.current),a.current=e},t={passive:!0};return e(),window.addEventListener("scroll",e,t),()=>window.removeEventListener("scroll",e,t)}),[o,n,...t])}function h(){const e=d(),t=function(){const e=(0,r.useRef)({elem:null,top:0}),t=(0,r.useCallback)((t=>{e.current={elem:t,top:t.getBoundingClientRect().top}}),[]),n=(0,r.useCallback)((()=>{const{current:{elem:t,top:n}}=e;if(!t)return{restored:!1};const r=t.getBoundingClientRect().top-n;return r&&window.scrollBy({left:0,top:r}),e.current={elem:null,top:0},{restored:0!==r}}),[]);return(0,r.useMemo)((()=>({save:t,restore:n})),[n,t])}(),n=(0,r.useRef)(void 0),a=(0,r.useCallback)((r=>{t.save(r),e.disableScrollEvents(),n.current=()=>{const{restored:r}=t.restore();if(n.current=void 0,r){const t=()=>{e.enableScrollEvents(),window.removeEventListener("scroll",t)};window.addEventListener("scroll",t)}else e.enableScrollEvents()}}),[e,t]);return(0,i.Z)((()=>{queueMicrotask((()=>n.current?.()))})),{blockElementScrollPositionUntilNextRender:a}}function m(){const e=(0,r.useRef)(null),t=(0,o.Z)()&&"smooth"===getComputedStyle(document.documentElement).scrollBehavior;return{startScroll:n=>{e.current=t?function(e){return window.scrollTo({top:e,behavior:"smooth"}),()=>{}}(n):function(e){let t=null;const n=document.documentElement.scrollTop>e;return function r(){const a=document.documentElement.scrollTop;(n&&a>e||!n&&a<e)&&(t=requestAnimationFrame(r),window.scrollTo(0,Math.floor(.85*(a-e))+e))}(),()=>t&&cancelAnimationFrame(t)}(n)},cancelScroll:()=>e.current?.()}}},3320:(e,t,n)=>{"use strict";n.d(t,{HX:()=>r,os:()=>a});n(2263);const r="default";function a(e,t){return`docs-${e}-${t}`}},812:(e,t,n)=>{"use strict";n.d(t,{WA:()=>u,Nk:()=>d});var r=n(7294);const a=JSON.parse('{"d":"localStorage","u":""}'),o=a.d;function i(e){let{key:t,oldValue:n,newValue:r,storage:a}=e;if(n===r)return;const o=document.createEvent("StorageEvent");o.initStorageEvent("storage",!1,!1,t,n,r,window.location.href,a),window.dispatchEvent(o)}function s(e){if(void 0===e&&(e=o),"undefined"==typeof window)throw new Error("Browser storage is not available on Node.js/Docusaurus SSR process.");if("none"===e)return null;try{return window[e]}catch(n){return t=n,l||(console.warn("Docusaurus browser storage is not available.\nPossible reasons: running Docusaurus in an iframe, in an incognito browser session, or using too strict browser privacy settings.",t),l=!0),null}var t}let l=!1;const c={get:()=>null,set:()=>{},del:()=>{},listen:()=>()=>{}};function u(e,t){const n=`${e}${a.u}`;if("undefined"==typeof window)return function(e){function t(){throw new Error(`Illegal storage API usage for storage key "${e}".\nDocusaurus storage APIs are not supposed to be called on the server-rendering process.\nPlease only call storage APIs in effects and event handlers.`)}return{get:t,set:t,del:t,listen:t}}(n);const r=s(t?.persistence);return null===r?c:{get:()=>{try{return r.getItem(n)}catch(e){return console.error(`Docusaurus storage error, can't get key=${n}`,e),null}},set:e=>{try{const t=r.getItem(n);r.setItem(n,e),i({key:n,oldValue:t,newValue:e,storage:r})}catch(t){console.error(`Docusaurus storage error, can't set ${n}=${e}`,t)}},del:()=>{try{const e=r.getItem(n);r.removeItem(n),i({key:n,oldValue:e,newValue:null,storage:r})}catch(e){console.error(`Docusaurus storage error, can't delete key=${n}`,e)}},listen:e=>{try{const t=t=>{t.storageArea===r&&t.key===n&&e(t)};return window.addEventListener("storage",t),()=>window.removeEventListener("storage",t)}catch(t){return console.error(`Docusaurus storage error, can't listen for changes of key=${n}`,t),()=>{}}}}}function d(e,t){const n=(0,r.useRef)((()=>null===e?c:u(e,t))).current(),a=(0,r.useCallback)((e=>"undefined"==typeof window?()=>{}:n.listen(e)),[n]);return[(0,r.useSyncExternalStore)(a,(()=>"undefined"==typeof window?null:n.get()),(()=>null)),n]}},4711:(e,t,n)=>{"use strict";n.d(t,{l:()=>i});var r=n(2263),a=n(6550),o=n(8780);function i(){const{siteConfig:{baseUrl:e,url:t,trailingSlash:n},i18n:{defaultLocale:i,currentLocale:s}}=(0,r.Z)(),{pathname:l}=(0,a.TH)(),c=(0,o.applyTrailingSlash)(l,{trailingSlash:n,baseUrl:e}),u=s===i?e:e.replace(`/${s}/`,"/"),d=c.replace(e,"");return{createUrl:function(e){let{locale:n,fullyQualified:r}=e;return`${r?t:""}${function(e){return e===i?`${u}`:`${u}${e}/`}(n)}${d}`}}}},5936:(e,t,n)=>{"use strict";n.d(t,{S:()=>i});var r=n(7294),a=n(6550),o=n(902);function i(e){const t=(0,a.TH)(),n=(0,o.D9)(t),i=(0,o.zX)(e);(0,r.useEffect)((()=>{n&&t!==n&&i({location:t,previousLocation:n})}),[i,t,n])}},6668:(e,t,n)=>{"use strict";n.d(t,{L:()=>a});var r=n(2263);function a(){return(0,r.Z)().siteConfig.themeConfig}},8802:(e,t,n)=>{"use strict";Object.defineProperty(t,"__esModule",{value:!0}),t.removeTrailingSlash=t.addLeadingSlash=t.addTrailingSlash=void 0;const r=n(5913);function a(e){return e.endsWith("/")?e:`${e}/`}function o(e){return(0,r.removeSuffix)(e,"/")}t.addTrailingSlash=a,t.default=function(e,t){const{trailingSlash:n,baseUrl:r}=t;if(e.startsWith("#"))return e;if(void 0===n)return e;const[i]=e.split(/[#?]/),s="/"===i||i===r?i:(l=i,n?a(l):o(l));var l;return e.replace(i,s)},t.addLeadingSlash=function(e){return(0,r.addPrefix)(e,"/")},t.removeTrailingSlash=o},4143:(e,t)=>{"use strict";Object.defineProperty(t,"__esModule",{value:!0}),t.getErrorCausalChain=void 0,t.getErrorCausalChain=function e(t){return t.cause?[t,...e(t.cause)]:[t]}},8780:function(e,t,n){"use strict";var r=this&&this.__importDefault||function(e){return e&&e.__esModule?e:{default:e}};Object.defineProperty(t,"__esModule",{value:!0}),t.getErrorCausalChain=t.removePrefix=t.addSuffix=t.removeSuffix=t.addPrefix=t.removeTrailingSlash=t.addLeadingSlash=t.addTrailingSlash=t.applyTrailingSlash=t.blogPostContainerID=void 0,t.blogPostContainerID="__blog-post-container";var a=n(8802);Object.defineProperty(t,"applyTrailingSlash",{enumerable:!0,get:function(){return r(a).default}}),Object.defineProperty(t,"addTrailingSlash",{enumerable:!0,get:function(){return a.addTrailingSlash}}),Object.defineProperty(t,"addLeadingSlash",{enumerable:!0,get:function(){return a.addLeadingSlash}}),Object.defineProperty(t,"removeTrailingSlash",{enumerable:!0,get:function(){return a.removeTrailingSlash}});var o=n(5913);Object.defineProperty(t,"addPrefix",{enumerable:!0,get:function(){return o.addPrefix}}),Object.defineProperty(t,"removeSuffix",{enumerable:!0,get:function(){return o.removeSuffix}}),Object.defineProperty(t,"addSuffix",{enumerable:!0,get:function(){return o.addSuffix}}),Object.defineProperty(t,"removePrefix",{enumerable:!0,get:function(){return o.removePrefix}});var i=n(4143);Object.defineProperty(t,"getErrorCausalChain",{enumerable:!0,get:function(){return i.getErrorCausalChain}})},5913:(e,t)=>{"use strict";Object.defineProperty(t,"__esModule",{value:!0}),t.removePrefix=t.addSuffix=t.removeSuffix=t.addPrefix=void 0,t.addPrefix=function(e,t){return e.startsWith(t)?e:`${t}${e}`},t.removeSuffix=function(e,t){return""===t?e:e.endsWith(t)?e.slice(0,-t.length):e},t.addSuffix=function(e,t){return e.endsWith(t)?e:`${e}${t}`},t.removePrefix=function(e,t){return e.startsWith(t)?e.slice(t.length):e}},311:(e,t,n)=>{"use strict";n.d(t,{Z:()=>i});n(7294);var r=n(1728);const a={loadingRing:"loadingRing_RJI3","loading-ring":"loading-ring_FB5o"};var o=n(5893);function i(e){let{className:t}=e;return(0,o.jsxs)("div",{className:(0,r.Z)(a.loadingRing,t),children:[(0,o.jsx)("div",{}),(0,o.jsx)("div",{}),(0,o.jsx)("div",{}),(0,o.jsx)("div",{})]})}},22:(e,t,n)=>{"use strict";n.d(t,{w:()=>s});var r=n(1336),a=n.n(r),o=n(1029);const i=new Map;function s(e,t){const n=`${e}${t}`;let r=i.get(n);return r||(r=async function(e,t){{const n=`${e}${o.J.replace("{dir}",t?`-${t.replace(/\//g,"-")}`:"")}`;if(new URL(n,location.origin).origin!==location.origin)throw new Error("Unexpected version url");const r=await(await fetch(n)).json(),i=r.map(((e,t)=>{let{documents:n,index:r}=e;return{type:t,documents:n,index:a().Index.load(r)}})),s=r.reduce(((e,t)=>{for(const n of t.index.invertedIndex)/\p{Unified_Ideograph}/u.test(n[0][0])&&e.add(n[0]);return e}),new Set);return{wrappedIndexes:i,zhDictionary:Array.from(s)}}return{wrappedIndexes:[],zhDictionary:[]}}(e,t),i.set(n,r)),r}},8202:(e,t,n)=>{"use strict";n.d(t,{v:()=>c});var r=n(1336),a=n.n(r);var o=n(1029);function i(e){return s(e).concat(s(e.filter((e=>{const t=e[e.length-1];return!t.trailing&&t.maybeTyping})),!0))}function s(e,t){return e.map((e=>({tokens:e.map((e=>e.value)),term:e.map((e=>({value:e.value,presence:a().Query.presence.REQUIRED,wildcard:(t?e.trailing||e.maybeTyping:e.trailing)?a().Query.wildcard.TRAILING:a().Query.wildcard.NONE})))})))}var l=n(3545);function c(e,t,n){return function(r,s){const c=function(e,t){if(1===t.length&&["ja","jp","th"].includes(t[0]))return a()[t[0]].tokenizer(e).map((e=>e.toString()));let n=/[^-\s]+/g;return t.includes("zh")&&(n=/\w+|\p{Unified_Ideograph}+/gu),e.toLowerCase().match(n)||[]}(r,o.dK);if(0===c.length)return void s([]);const u=function(e,t){const n=function(e,t){const n=[];return function e(r,a){if(0===r.length)return void n.push(a);const o=r[0];if(/\p{Unified_Ideograph}/u.test(o)){const n=function(e,t){const n=[];return function e(r,a){let o=0,i=!1;for(const s of t)if(r.substr(0,s.length)===s){const t={missed:a.missed,term:a.term.concat({value:s})};r.length>s.length?e(r.substr(s.length),t):n.push(t),i=!0}else for(let t=s.length-1;t>o;t-=1){const l=s.substr(0,t);if(r.substr(0,t)===l){o=t;const s={missed:a.missed,term:a.term.concat({value:l,trailing:!0})};r.length>t?e(r.substr(t),s):n.push(s),i=!0;break}}i||(r.length>0?e(r.substr(1),{missed:a.missed+1,term:a.term}):a.term.length>0&&n.push(a))}(e,{missed:0,term:[]}),n.sort(((e,t)=>{const n=e.missed>0?1:0,r=t.missed>0?1:0;return n!==r?n-r:e.term.length-t.term.length})).map((e=>e.term))}(o,t);for(const t of n){const n=a.concat(...t);e(r.slice(1),n)}}else{const t=a.concat({value:o});e(r.slice(1),t)}}(e,[]),n}(e,t);if(0===n.length)return[{tokens:e,term:e.map((e=>({value:e,presence:a().Query.presence.REQUIRED,wildcard:a().Query.wildcard.LEADING|a().Query.wildcard.TRAILING})))}];for(const a of n)a[a.length-1].maybeTyping=!0;const r=[];for(const i of o.dK)if("en"===i)o._k||r.unshift(a().stopWordFilter);else{const e=a()[i];e.stopWordFilter&&r.unshift(e.stopWordFilter)}let s;if(r.length>0){const e=e=>r.reduce(((e,t)=>e.filter((e=>t(e.value)))),e);s=[];const t=[];for(const r of n){const n=e(r);s.push(n),n.length<r.length&&n.length>0&&t.push(n)}n.push(...t)}else s=n.slice();const l=[];for(const a of s)if(a.length>2)for(let e=a.length-1;e>=0;e-=1)l.push(a.slice(0,e).concat(a.slice(e+1)));return i(n).concat(i(l))}(c,t),d=[];e:for(const{term:t,tokens:a}of u)for(const{documents:r,index:o,type:i}of e)if(d.push(...o.query((e=>{for(const n of t)e.term(n.value,{wildcard:n.wildcard,presence:n.presence})})).slice(0,n).filter((e=>!d.some((t=>t.document.i.toString()===e.ref)))).slice(0,n-d.length).map((t=>{const n=r.find((e=>e.i.toString()===t.ref));return{document:n,type:i,page:i!==l.P.Title&&e[0].documents.find((e=>e.i===n.p)),metadata:t.matchData.metadata,tokens:a,score:t.score}}))),d.length>=n)break e;!function(e){e.forEach(((e,t)=>{e.index=t})),e.sort(((t,n)=>{let r=t.type!==l.P.Heading&&t.type!==l.P.Content&&t.type!==l.P.Description||!t.page?t.index:e.findIndex((e=>e.document===t.page)),a=n.type!==l.P.Heading&&n.type!==l.P.Content&&n.type!==l.P.Description||!n.page?n.index:e.findIndex((e=>e.document===n.page));if(-1===r&&(r=t.index),-1===a&&(a=n.index),r===a){const e=(0===n.type?1:0)-(0===t.type?1:0);return 0===e?t.index-n.index:e}return r-a}))}(d),function(e){e.forEach(((t,n)=>{n>0&&t.page&&e.slice(0,n).some((e=>(e.type===l.P.Keywords?e.page:e.document)===t.page))&&(n<e.length-1&&e[n+1].page===t.page?t.isInterOfTree=!0:t.isLastOfTree=!0)}))}(d),s(d)}}},3926:(e,t,n)=>{"use strict";function r(e){return e.join(" \u203a ")}n.d(t,{e:()=>r})},1690:(e,t,n)=>{"use strict";function r(e){return e.replace(/&/g,"&").replace(/</g,"<").replace(/>/g,">").replace(/"/g,""").replace(/'/g,"'")}n.d(t,{X:()=>r})},1073:(e,t,n)=>{"use strict";function r(e,t){const n=[];for(const r of Object.values(e))r[t]&&n.push(...r[t].position);return n.sort(((e,t)=>e[0]-t[0]||t[1]-e[1]))}n.d(t,{m:()=>r})},2539:(e,t,n)=>{"use strict";n.d(t,{C:()=>a});var r=n(1690);function a(e,t,n){const o=[];for(const i of t){const n=e.toLowerCase().indexOf(i);if(n>=0){n>0&&o.push(a(e.substr(0,n),t)),o.push(`<mark>${(0,r.X)(e.substr(n,i.length))}</mark>`);const s=n+i.length;s<e.length&&o.push(a(e.substr(s),t));break}}return 0===o.length?n?`<mark>${(0,r.X)(e)}</mark>`:(0,r.X)(e):o.join("")}},726:(e,t,n)=>{"use strict";n.d(t,{o:()=>l});var r=n(1690),a=n(2539);const o=/\w+|\p{Unified_Ideograph}/u;function i(e){const t=[];let n=0,r=e;for(;r.length>0;){const a=r.match(o);if(!a){t.push(r);break}a.index>0&&t.push(r.substring(0,a.index)),t.push(a[0]),n+=a.index+a[0].length,r=e.substring(n)}return t}var s=n(1029);function l(e,t,n,o){void 0===o&&(o=s.Hk);const{chunkIndex:l,chunks:c}=function(e,t,n){const o=[];let s=0,l=0,c=-1;for(;s<t.length;){const[u,d]=t[s];if(s+=1,!(u<l)){if(u>l){const t=i(e.substring(l,u)).map((e=>({html:(0,r.X)(e),textLength:e.length})));for(const e of t)o.push(e)}-1===c&&(c=o.length),l=u+d,o.push({html:(0,a.C)(e.substring(u,l),n,!0),textLength:d})}}if(l<e.length){const t=i(e.substring(l)).map((e=>({html:(0,r.X)(e),textLength:e.length})));for(const e of t)o.push(e)}return{chunkIndex:c,chunks:o}}(e,t,n),u=c.slice(0,l),d=c[l],p=[d.html],f=c.slice(l+1);let h=d.textLength,m=0,g=0,y=!1,b=!1;for(;h<o;)if((m<=g||0===f.length)&&u.length>0){const e=u.pop();h+e.textLength<=o?(p.unshift(e.html),m+=e.textLength,h+=e.textLength):(y=!0,u.length=0)}else{if(!(f.length>0))break;{const e=f.shift();h+e.textLength<=o?(p.push(e.html),g+=e.textLength,h+=e.textLength):(b=!0,f.length=0)}}return(y||u.length>0)&&p.unshift("\u2026"),(b||f.length>0)&&p.push("\u2026"),p.join("")}},51:(e,t,n)=>{"use strict";function r(e,t){if("string"==typeof e)return{label:e,path:e};{const{label:n,path:r}=e;return"string"==typeof n?{label:n,path:r}:Object.prototype.hasOwnProperty.call(n,t)?{label:n[t],path:r}:{label:r,path:r}}}n.d(t,{_:()=>r})},1029:(e,t,n)=>{"use strict";n.d(t,{vc:()=>a(),gQ:()=>h,H6:()=>u,hG:()=>y,l9:()=>m,dK:()=>o,_k:()=>i,pu:()=>f,AY:()=>d,t_:()=>p,Kc:()=>g,J:()=>s,Hk:()=>c,qo:()=>l,pQ:()=>b});n(1336);var r=n(813),a=n.n(r);const o=["en"],i=!1,s="search-index{dir}.json?_=77f662a8",l=8,c=50,u=!1,d=!0,p=!0,f="right",h=void 0,m=!0,g=null,y=!1,b=!1},3545:(e,t,n)=>{"use strict";var r;n.d(t,{P:()=>r}),function(e){e[e.Title=0]="Title",e[e.Heading=1]="Heading",e[e.Description=2]="Description",e[e.Keywords=3]="Keywords",e[e.Content=4]="Content"}(r||(r={}))},9318:(e,t,n)=>{"use strict";n.d(t,{lX:()=>k,q_:()=>_,ob:()=>f,PP:()=>L,Ep:()=>p});var r=n(7462);function a(e){return"/"===e.charAt(0)}function o(e,t){for(var n=t,r=n+1,a=e.length;r<a;n+=1,r+=1)e[n]=e[r];e.pop()}const i=function(e,t){void 0===t&&(t="");var n,r=e&&e.split("/")||[],i=t&&t.split("/")||[],s=e&&a(e),l=t&&a(t),c=s||l;if(e&&a(e)?i=r:r.length&&(i.pop(),i=i.concat(r)),!i.length)return"/";if(i.length){var u=i[i.length-1];n="."===u||".."===u||""===u}else n=!1;for(var d=0,p=i.length;p>=0;p--){var f=i[p];"."===f?o(i,p):".."===f?(o(i,p),d++):d&&(o(i,p),d--)}if(!c)for(;d--;d)i.unshift("..");!c||""===i[0]||i[0]&&a(i[0])||i.unshift("");var h=i.join("/");return n&&"/"!==h.substr(-1)&&(h+="/"),h};var s=n(8776);function l(e){return"/"===e.charAt(0)?e:"/"+e}function c(e){return"/"===e.charAt(0)?e.substr(1):e}function u(e,t){return function(e,t){return 0===e.toLowerCase().indexOf(t.toLowerCase())&&-1!=="/?#".indexOf(e.charAt(t.length))}(e,t)?e.substr(t.length):e}function d(e){return"/"===e.charAt(e.length-1)?e.slice(0,-1):e}function p(e){var t=e.pathname,n=e.search,r=e.hash,a=t||"/";return n&&"?"!==n&&(a+="?"===n.charAt(0)?n:"?"+n),r&&"#"!==r&&(a+="#"===r.charAt(0)?r:"#"+r),a}function f(e,t,n,a){var o;"string"==typeof e?(o=function(e){var t=e||"/",n="",r="",a=t.indexOf("#");-1!==a&&(r=t.substr(a),t=t.substr(0,a));var o=t.indexOf("?");return-1!==o&&(n=t.substr(o),t=t.substr(0,o)),{pathname:t,search:"?"===n?"":n,hash:"#"===r?"":r}}(e),o.state=t):(void 0===(o=(0,r.Z)({},e)).pathname&&(o.pathname=""),o.search?"?"!==o.search.charAt(0)&&(o.search="?"+o.search):o.search="",o.hash?"#"!==o.hash.charAt(0)&&(o.hash="#"+o.hash):o.hash="",void 0!==t&&void 0===o.state&&(o.state=t));try{o.pathname=decodeURI(o.pathname)}catch(s){throw s instanceof URIError?new URIError('Pathname "'+o.pathname+'" could not be decoded. This is likely caused by an invalid percent-encoding.'):s}return n&&(o.key=n),a?o.pathname?"/"!==o.pathname.charAt(0)&&(o.pathname=i(o.pathname,a.pathname)):o.pathname=a.pathname:o.pathname||(o.pathname="/"),o}function h(){var e=null;var t=[];return{setPrompt:function(t){return e=t,function(){e===t&&(e=null)}},confirmTransitionTo:function(t,n,r,a){if(null!=e){var o="function"==typeof e?e(t,n):e;"string"==typeof o?"function"==typeof r?r(o,a):a(!0):a(!1!==o)}else a(!0)},appendListener:function(e){var n=!0;function r(){n&&e.apply(void 0,arguments)}return t.push(r),function(){n=!1,t=t.filter((function(e){return e!==r}))}},notifyListeners:function(){for(var e=arguments.length,n=new Array(e),r=0;r<e;r++)n[r]=arguments[r];t.forEach((function(e){return e.apply(void 0,n)}))}}}var m=!("undefined"==typeof window||!window.document||!window.document.createElement);function g(e,t){t(window.confirm(e))}var y="popstate",b="hashchange";function v(){try{return window.history.state||{}}catch(e){return{}}}function k(e){void 0===e&&(e={}),m||(0,s.Z)(!1);var t,n=window.history,a=(-1===(t=window.navigator.userAgent).indexOf("Android 2.")&&-1===t.indexOf("Android 4.0")||-1===t.indexOf("Mobile Safari")||-1!==t.indexOf("Chrome")||-1!==t.indexOf("Windows Phone"))&&window.history&&"pushState"in window.history,o=!(-1===window.navigator.userAgent.indexOf("Trident")),i=e,c=i.forceRefresh,k=void 0!==c&&c,w=i.getUserConfirmation,x=void 0===w?g:w,S=i.keyLength,E=void 0===S?6:S,C=e.basename?d(l(e.basename)):"";function _(e){var t=e||{},n=t.key,r=t.state,a=window.location,o=a.pathname+a.search+a.hash;return C&&(o=u(o,C)),f(o,r,n)}function T(){return Math.random().toString(36).substr(2,E)}var L=h();function R(e){(0,r.Z)($,e),$.length=n.length,L.notifyListeners($.location,$.action)}function j(e){(function(e){return void 0===e.state&&-1===navigator.userAgent.indexOf("CriOS")})(e)||A(_(e.state))}function P(){A(_(v()))}var N=!1;function A(e){if(N)N=!1,R();else{L.confirmTransitionTo(e,"POP",x,(function(t){t?R({action:"POP",location:e}):function(e){var t=$.location,n=I.indexOf(t.key);-1===n&&(n=0);var r=I.indexOf(e.key);-1===r&&(r=0);var a=n-r;a&&(N=!0,F(a))}(e)}))}}var O=_(v()),I=[O.key];function D(e){return C+p(e)}function F(e){n.go(e)}var M=0;function B(e){1===(M+=e)&&1===e?(window.addEventListener(y,j),o&&window.addEventListener(b,P)):0===M&&(window.removeEventListener(y,j),o&&window.removeEventListener(b,P))}var z=!1;var $={length:n.length,action:"POP",location:O,createHref:D,push:function(e,t){var r="PUSH",o=f(e,t,T(),$.location);L.confirmTransitionTo(o,r,x,(function(e){if(e){var t=D(o),i=o.key,s=o.state;if(a)if(n.pushState({key:i,state:s},null,t),k)window.location.href=t;else{var l=I.indexOf($.location.key),c=I.slice(0,l+1);c.push(o.key),I=c,R({action:r,location:o})}else window.location.href=t}}))},replace:function(e,t){var r="REPLACE",o=f(e,t,T(),$.location);L.confirmTransitionTo(o,r,x,(function(e){if(e){var t=D(o),i=o.key,s=o.state;if(a)if(n.replaceState({key:i,state:s},null,t),k)window.location.replace(t);else{var l=I.indexOf($.location.key);-1!==l&&(I[l]=o.key),R({action:r,location:o})}else window.location.replace(t)}}))},go:F,goBack:function(){F(-1)},goForward:function(){F(1)},block:function(e){void 0===e&&(e=!1);var t=L.setPrompt(e);return z||(B(1),z=!0),function(){return z&&(z=!1,B(-1)),t()}},listen:function(e){var t=L.appendListener(e);return B(1),function(){B(-1),t()}}};return $}var w="hashchange",x={hashbang:{encodePath:function(e){return"!"===e.charAt(0)?e:"!/"+c(e)},decodePath:function(e){return"!"===e.charAt(0)?e.substr(1):e}},noslash:{encodePath:c,decodePath:l},slash:{encodePath:l,decodePath:l}};function S(e){var t=e.indexOf("#");return-1===t?e:e.slice(0,t)}function E(){var e=window.location.href,t=e.indexOf("#");return-1===t?"":e.substring(t+1)}function C(e){window.location.replace(S(window.location.href)+"#"+e)}function _(e){void 0===e&&(e={}),m||(0,s.Z)(!1);var t=window.history,n=(window.navigator.userAgent.indexOf("Firefox"),e),a=n.getUserConfirmation,o=void 0===a?g:a,i=n.hashType,c=void 0===i?"slash":i,y=e.basename?d(l(e.basename)):"",b=x[c],v=b.encodePath,k=b.decodePath;function _(){var e=k(E());return y&&(e=u(e,y)),f(e)}var T=h();function L(e){(0,r.Z)(z,e),z.length=t.length,T.notifyListeners(z.location,z.action)}var R=!1,j=null;function P(){var e,t,n=E(),r=v(n);if(n!==r)C(r);else{var a=_(),i=z.location;if(!R&&(t=a,(e=i).pathname===t.pathname&&e.search===t.search&&e.hash===t.hash))return;if(j===p(a))return;j=null,function(e){if(R)R=!1,L();else{var t="POP";T.confirmTransitionTo(e,t,o,(function(n){n?L({action:t,location:e}):function(e){var t=z.location,n=I.lastIndexOf(p(t));-1===n&&(n=0);var r=I.lastIndexOf(p(e));-1===r&&(r=0);var a=n-r;a&&(R=!0,D(a))}(e)}))}}(a)}}var N=E(),A=v(N);N!==A&&C(A);var O=_(),I=[p(O)];function D(e){t.go(e)}var F=0;function M(e){1===(F+=e)&&1===e?window.addEventListener(w,P):0===F&&window.removeEventListener(w,P)}var B=!1;var z={length:t.length,action:"POP",location:O,createHref:function(e){var t=document.querySelector("base"),n="";return t&&t.getAttribute("href")&&(n=S(window.location.href)),n+"#"+v(y+p(e))},push:function(e,t){var n="PUSH",r=f(e,void 0,void 0,z.location);T.confirmTransitionTo(r,n,o,(function(e){if(e){var t=p(r),a=v(y+t);if(E()!==a){j=t,function(e){window.location.hash=e}(a);var o=I.lastIndexOf(p(z.location)),i=I.slice(0,o+1);i.push(t),I=i,L({action:n,location:r})}else L()}}))},replace:function(e,t){var n="REPLACE",r=f(e,void 0,void 0,z.location);T.confirmTransitionTo(r,n,o,(function(e){if(e){var t=p(r),a=v(y+t);E()!==a&&(j=t,C(a));var o=I.indexOf(p(z.location));-1!==o&&(I[o]=t),L({action:n,location:r})}}))},go:D,goBack:function(){D(-1)},goForward:function(){D(1)},block:function(e){void 0===e&&(e=!1);var t=T.setPrompt(e);return B||(M(1),B=!0),function(){return B&&(B=!1,M(-1)),t()}},listen:function(e){var t=T.appendListener(e);return M(1),function(){M(-1),t()}}};return z}function T(e,t,n){return Math.min(Math.max(e,t),n)}function L(e){void 0===e&&(e={});var t=e,n=t.getUserConfirmation,a=t.initialEntries,o=void 0===a?["/"]:a,i=t.initialIndex,s=void 0===i?0:i,l=t.keyLength,c=void 0===l?6:l,u=h();function d(e){(0,r.Z)(k,e),k.length=k.entries.length,u.notifyListeners(k.location,k.action)}function m(){return Math.random().toString(36).substr(2,c)}var g=T(s,0,o.length-1),y=o.map((function(e){return f(e,void 0,"string"==typeof e?m():e.key||m())})),b=p;function v(e){var t=T(k.index+e,0,k.entries.length-1),r=k.entries[t];u.confirmTransitionTo(r,"POP",n,(function(e){e?d({action:"POP",location:r,index:t}):d()}))}var k={length:y.length,action:"POP",location:y[g],index:g,entries:y,createHref:b,push:function(e,t){var r="PUSH",a=f(e,t,m(),k.location);u.confirmTransitionTo(a,r,n,(function(e){if(e){var t=k.index+1,n=k.entries.slice(0);n.length>t?n.splice(t,n.length-t,a):n.push(a),d({action:r,location:a,index:t,entries:n})}}))},replace:function(e,t){var r="REPLACE",a=f(e,t,m(),k.location);u.confirmTransitionTo(a,r,n,(function(e){e&&(k.entries[k.index]=a,d({action:r,location:a}))}))},go:v,goBack:function(){v(-1)},goForward:function(){v(1)},canGo:function(e){var t=k.index+e;return t>=0&&t<k.entries.length},block:function(e){return void 0===e&&(e=!1),u.setPrompt(e)},listen:function(e){return u.appendListener(e)}};return k}},8679:(e,t,n)=>{"use strict";var r=n(9864),a={childContextTypes:!0,contextType:!0,contextTypes:!0,defaultProps:!0,displayName:!0,getDefaultProps:!0,getDerivedStateFromError:!0,getDerivedStateFromProps:!0,mixins:!0,propTypes:!0,type:!0},o={name:!0,length:!0,prototype:!0,caller:!0,callee:!0,arguments:!0,arity:!0},i={$$typeof:!0,compare:!0,defaultProps:!0,displayName:!0,propTypes:!0,type:!0},s={};function l(e){return r.isMemo(e)?i:s[e.$$typeof]||a}s[r.ForwardRef]={$$typeof:!0,render:!0,defaultProps:!0,displayName:!0,propTypes:!0},s[r.Memo]=i;var c=Object.defineProperty,u=Object.getOwnPropertyNames,d=Object.getOwnPropertySymbols,p=Object.getOwnPropertyDescriptor,f=Object.getPrototypeOf,h=Object.prototype;e.exports=function e(t,n,r){if("string"!=typeof n){if(h){var a=f(n);a&&a!==h&&e(t,a,r)}var i=u(n);d&&(i=i.concat(d(n)));for(var s=l(t),m=l(n),g=0;g<i.length;++g){var y=i[g];if(!(o[y]||r&&r[y]||m&&m[y]||s&&s[y])){var b=p(n,y);try{c(t,y,b)}catch(v){}}}}return t}},1143:e=>{"use strict";e.exports=function(e,t,n,r,a,o,i,s){if(!e){var l;if(void 0===t)l=new Error("Minified exception occurred; use the non-minified dev environment for the full error message and additional helpful warnings.");else{var c=[n,r,a,o,i,s],u=0;(l=new Error(t.replace(/%s/g,(function(){return c[u++]})))).name="Invariant Violation"}throw l.framesToPop=1,l}}},5826:e=>{e.exports=Array.isArray||function(e){return"[object Array]"==Object.prototype.toString.call(e)}},1336:(e,t,n)=>{var r,a;!function(){var o,i,s,l,c,u,d,p,f,h,m,g,y,b,v,k,w,x,S,E,C,_,T,L,R,j,P,N,A,O,I=function(e){var t=new I.Builder;return t.pipeline.add(I.trimmer,I.stopWordFilter,I.stemmer),t.searchPipeline.add(I.stemmer),e.call(t,t),t.build()};I.version="2.3.9",I.utils={},I.utils.warn=(o=this,function(e){o.console&&console.warn&&console.warn(e)}),I.utils.asString=function(e){return null==e?"":e.toString()},I.utils.clone=function(e){if(null==e)return e;for(var t=Object.create(null),n=Object.keys(e),r=0;r<n.length;r++){var a=n[r],o=e[a];if(Array.isArray(o))t[a]=o.slice();else{if("string"!=typeof o&&"number"!=typeof o&&"boolean"!=typeof o)throw new TypeError("clone is not deep and does not support nested objects");t[a]=o}}return t},I.FieldRef=function(e,t,n){this.docRef=e,this.fieldName=t,this._stringValue=n},I.FieldRef.joiner="/",I.FieldRef.fromString=function(e){var t=e.indexOf(I.FieldRef.joiner);if(-1===t)throw"malformed field ref string";var n=e.slice(0,t),r=e.slice(t+1);return new I.FieldRef(r,n,e)},I.FieldRef.prototype.toString=function(){return null==this._stringValue&&(this._stringValue=this.fieldName+I.FieldRef.joiner+this.docRef),this._stringValue},I.Set=function(e){if(this.elements=Object.create(null),e){this.length=e.length;for(var t=0;t<this.length;t++)this.elements[e[t]]=!0}else this.length=0},I.Set.complete={intersect:function(e){return e},union:function(){return this},contains:function(){return!0}},I.Set.empty={intersect:function(){return this},union:function(e){return e},contains:function(){return!1}},I.Set.prototype.contains=function(e){return!!this.elements[e]},I.Set.prototype.intersect=function(e){var t,n,r,a=[];if(e===I.Set.complete)return this;if(e===I.Set.empty)return e;this.length<e.length?(t=this,n=e):(t=e,n=this),r=Object.keys(t.elements);for(var o=0;o<r.length;o++){var i=r[o];i in n.elements&&a.push(i)}return new I.Set(a)},I.Set.prototype.union=function(e){return e===I.Set.complete?I.Set.complete:e===I.Set.empty?this:new I.Set(Object.keys(this.elements).concat(Object.keys(e.elements)))},I.idf=function(e,t){var n=0;for(var r in e)"_index"!=r&&(n+=Object.keys(e[r]).length);var a=(t-n+.5)/(n+.5);return Math.log(1+Math.abs(a))},I.Token=function(e,t){this.str=e||"",this.metadata=t||{}},I.Token.prototype.toString=function(){return this.str},I.Token.prototype.update=function(e){return this.str=e(this.str,this.metadata),this},I.Token.prototype.clone=function(e){return e=e||function(e){return e},new I.Token(e(this.str,this.metadata),this.metadata)},I.tokenizer=function(e,t){if(null==e||null==e)return[];if(Array.isArray(e))return e.map((function(e){return new I.Token(I.utils.asString(e).toLowerCase(),I.utils.clone(t))}));for(var n=e.toString().toLowerCase(),r=n.length,a=[],o=0,i=0;o<=r;o++){var s=o-i;if(n.charAt(o).match(I.tokenizer.separator)||o==r){if(s>0){var l=I.utils.clone(t)||{};l.position=[i,s],l.index=a.length,a.push(new I.Token(n.slice(i,o),l))}i=o+1}}return a},I.tokenizer.separator=/[\s\-]+/,I.Pipeline=function(){this._stack=[]},I.Pipeline.registeredFunctions=Object.create(null),I.Pipeline.registerFunction=function(e,t){t in this.registeredFunctions&&I.utils.warn("Overwriting existing registered function: "+t),e.label=t,I.Pipeline.registeredFunctions[e.label]=e},I.Pipeline.warnIfFunctionNotRegistered=function(e){e.label&&e.label in this.registeredFunctions||I.utils.warn("Function is not registered with pipeline. This may cause problems when serialising the index.\n",e)},I.Pipeline.load=function(e){var t=new I.Pipeline;return e.forEach((function(e){var n=I.Pipeline.registeredFunctions[e];if(!n)throw new Error("Cannot load unregistered function: "+e);t.add(n)})),t},I.Pipeline.prototype.add=function(){Array.prototype.slice.call(arguments).forEach((function(e){I.Pipeline.warnIfFunctionNotRegistered(e),this._stack.push(e)}),this)},I.Pipeline.prototype.after=function(e,t){I.Pipeline.warnIfFunctionNotRegistered(t);var n=this._stack.indexOf(e);if(-1==n)throw new Error("Cannot find existingFn");n+=1,this._stack.splice(n,0,t)},I.Pipeline.prototype.before=function(e,t){I.Pipeline.warnIfFunctionNotRegistered(t);var n=this._stack.indexOf(e);if(-1==n)throw new Error("Cannot find existingFn");this._stack.splice(n,0,t)},I.Pipeline.prototype.remove=function(e){var t=this._stack.indexOf(e);-1!=t&&this._stack.splice(t,1)},I.Pipeline.prototype.run=function(e){for(var t=this._stack.length,n=0;n<t;n++){for(var r=this._stack[n],a=[],o=0;o<e.length;o++){var i=r(e[o],o,e);if(null!=i&&""!==i)if(Array.isArray(i))for(var s=0;s<i.length;s++)a.push(i[s]);else a.push(i)}e=a}return e},I.Pipeline.prototype.runString=function(e,t){var n=new I.Token(e,t);return this.run([n]).map((function(e){return e.toString()}))},I.Pipeline.prototype.reset=function(){this._stack=[]},I.Pipeline.prototype.toJSON=function(){return this._stack.map((function(e){return I.Pipeline.warnIfFunctionNotRegistered(e),e.label}))},I.Vector=function(e){this._magnitude=0,this.elements=e||[]},I.Vector.prototype.positionForIndex=function(e){if(0==this.elements.length)return 0;for(var t=0,n=this.elements.length/2,r=n-t,a=Math.floor(r/2),o=this.elements[2*a];r>1&&(o<e&&(t=a),o>e&&(n=a),o!=e);)r=n-t,a=t+Math.floor(r/2),o=this.elements[2*a];return o==e||o>e?2*a:o<e?2*(a+1):void 0},I.Vector.prototype.insert=function(e,t){this.upsert(e,t,(function(){throw"duplicate index"}))},I.Vector.prototype.upsert=function(e,t,n){this._magnitude=0;var r=this.positionForIndex(e);this.elements[r]==e?this.elements[r+1]=n(this.elements[r+1],t):this.elements.splice(r,0,e,t)},I.Vector.prototype.magnitude=function(){if(this._magnitude)return this._magnitude;for(var e=0,t=this.elements.length,n=1;n<t;n+=2){var r=this.elements[n];e+=r*r}return this._magnitude=Math.sqrt(e)},I.Vector.prototype.dot=function(e){for(var t=0,n=this.elements,r=e.elements,a=n.length,o=r.length,i=0,s=0,l=0,c=0;l<a&&c<o;)(i=n[l])<(s=r[c])?l+=2:i>s?c+=2:i==s&&(t+=n[l+1]*r[c+1],l+=2,c+=2);return t},I.Vector.prototype.similarity=function(e){return this.dot(e)/this.magnitude()||0},I.Vector.prototype.toArray=function(){for(var e=new Array(this.elements.length/2),t=1,n=0;t<this.elements.length;t+=2,n++)e[n]=this.elements[t];return e},I.Vector.prototype.toJSON=function(){return this.elements},I.stemmer=(i={ational:"ate",tional:"tion",enci:"ence",anci:"ance",izer:"ize",bli:"ble",alli:"al",entli:"ent",eli:"e",ousli:"ous",ization:"ize",ation:"ate",ator:"ate",alism:"al",iveness:"ive",fulness:"ful",ousness:"ous",aliti:"al",iviti:"ive",biliti:"ble",logi:"log"},s={icate:"ic",ative:"",alize:"al",iciti:"ic",ical:"ic",ful:"",ness:""},d="^("+(c="[^aeiou][^aeiouy]*")+")?"+(u=(l="[aeiouy]")+"[aeiou]*")+c+"("+u+")?$",p="^("+c+")?"+u+c+u+c,f="^("+c+")?"+l,h=new RegExp("^("+c+")?"+u+c),m=new RegExp(p),g=new RegExp(d),y=new RegExp(f),b=/^(.+?)(ss|i)es$/,v=/^(.+?)([^s])s$/,k=/^(.+?)eed$/,w=/^(.+?)(ed|ing)$/,x=/.$/,S=/(at|bl|iz)$/,E=new RegExp("([^aeiouylsz])\\1$"),C=new RegExp("^"+c+l+"[^aeiouwxy]$"),_=/^(.+?[^aeiou])y$/,T=/^(.+?)(ational|tional|enci|anci|izer|bli|alli|entli|eli|ousli|ization|ation|ator|alism|iveness|fulness|ousness|aliti|iviti|biliti|logi)$/,L=/^(.+?)(icate|ative|alize|iciti|ical|ful|ness)$/,R=/^(.+?)(al|ance|ence|er|ic|able|ible|ant|ement|ment|ent|ou|ism|ate|iti|ous|ive|ize)$/,j=/^(.+?)(s|t)(ion)$/,P=/^(.+?)e$/,N=/ll$/,A=new RegExp("^"+c+l+"[^aeiouwxy]$"),O=function(e){var t,n,r,a,o,l,c;if(e.length<3)return e;if("y"==(r=e.substr(0,1))&&(e=r.toUpperCase()+e.substr(1)),o=v,(a=b).test(e)?e=e.replace(a,"$1$2"):o.test(e)&&(e=e.replace(o,"$1$2")),o=w,(a=k).test(e)){var u=a.exec(e);(a=h).test(u[1])&&(a=x,e=e.replace(a,""))}else o.test(e)&&(t=(u=o.exec(e))[1],(o=y).test(t)&&(l=E,c=C,(o=S).test(e=t)?e+="e":l.test(e)?(a=x,e=e.replace(a,"")):c.test(e)&&(e+="e")));return(a=_).test(e)&&(e=(t=(u=a.exec(e))[1])+"i"),(a=T).test(e)&&(t=(u=a.exec(e))[1],n=u[2],(a=h).test(t)&&(e=t+i[n])),(a=L).test(e)&&(t=(u=a.exec(e))[1],n=u[2],(a=h).test(t)&&(e=t+s[n])),o=j,(a=R).test(e)?(t=(u=a.exec(e))[1],(a=m).test(t)&&(e=t)):o.test(e)&&(t=(u=o.exec(e))[1]+u[2],(o=m).test(t)&&(e=t)),(a=P).test(e)&&(t=(u=a.exec(e))[1],o=g,l=A,((a=m).test(t)||o.test(t)&&!l.test(t))&&(e=t)),o=m,(a=N).test(e)&&o.test(e)&&(a=x,e=e.replace(a,"")),"y"==r&&(e=r.toLowerCase()+e.substr(1)),e},function(e){return e.update(O)}),I.Pipeline.registerFunction(I.stemmer,"stemmer"),I.generateStopWordFilter=function(e){var t=e.reduce((function(e,t){return e[t]=t,e}),{});return function(e){if(e&&t[e.toString()]!==e.toString())return e}},I.stopWordFilter=I.generateStopWordFilter(["a","able","about","across","after","all","almost","also","am","among","an","and","any","are","as","at","be","because","been","but","by","can","cannot","could","dear","did","do","does","either","else","ever","every","for","from","get","got","had","has","have","he","her","hers","him","his","how","however","i","if","in","into","is","it","its","just","least","let","like","likely","may","me","might","most","must","my","neither","no","nor","not","of","off","often","on","only","or","other","our","own","rather","said","say","says","she","should","since","so","some","than","that","the","their","them","then","there","these","they","this","tis","to","too","twas","us","wants","was","we","were","what","when","where","which","while","who","whom","why","will","with","would","yet","you","your"]),I.Pipeline.registerFunction(I.stopWordFilter,"stopWordFilter"),I.trimmer=function(e){return e.update((function(e){return e.replace(/^\W+/,"").replace(/\W+$/,"")}))},I.Pipeline.registerFunction(I.trimmer,"trimmer"),I.TokenSet=function(){this.final=!1,this.edges={},this.id=I.TokenSet._nextId,I.TokenSet._nextId+=1},I.TokenSet._nextId=1,I.TokenSet.fromArray=function(e){for(var t=new I.TokenSet.Builder,n=0,r=e.length;n<r;n++)t.insert(e[n]);return t.finish(),t.root},I.TokenSet.fromClause=function(e){return"editDistance"in e?I.TokenSet.fromFuzzyString(e.term,e.editDistance):I.TokenSet.fromString(e.term)},I.TokenSet.fromFuzzyString=function(e,t){for(var n=new I.TokenSet,r=[{node:n,editsRemaining:t,str:e}];r.length;){var a=r.pop();if(a.str.length>0){var o,i=a.str.charAt(0);i in a.node.edges?o=a.node.edges[i]:(o=new I.TokenSet,a.node.edges[i]=o),1==a.str.length&&(o.final=!0),r.push({node:o,editsRemaining:a.editsRemaining,str:a.str.slice(1)})}if(0!=a.editsRemaining){if("*"in a.node.edges)var s=a.node.edges["*"];else{s=new I.TokenSet;a.node.edges["*"]=s}if(0==a.str.length&&(s.final=!0),r.push({node:s,editsRemaining:a.editsRemaining-1,str:a.str}),a.str.length>1&&r.push({node:a.node,editsRemaining:a.editsRemaining-1,str:a.str.slice(1)}),1==a.str.length&&(a.node.final=!0),a.str.length>=1){if("*"in a.node.edges)var l=a.node.edges["*"];else{l=new I.TokenSet;a.node.edges["*"]=l}1==a.str.length&&(l.final=!0),r.push({node:l,editsRemaining:a.editsRemaining-1,str:a.str.slice(1)})}if(a.str.length>1){var c,u=a.str.charAt(0),d=a.str.charAt(1);d in a.node.edges?c=a.node.edges[d]:(c=new I.TokenSet,a.node.edges[d]=c),1==a.str.length&&(c.final=!0),r.push({node:c,editsRemaining:a.editsRemaining-1,str:u+a.str.slice(2)})}}}return n},I.TokenSet.fromString=function(e){for(var t=new I.TokenSet,n=t,r=0,a=e.length;r<a;r++){var o=e[r],i=r==a-1;if("*"==o)t.edges[o]=t,t.final=i;else{var s=new I.TokenSet;s.final=i,t.edges[o]=s,t=s}}return n},I.TokenSet.prototype.toArray=function(){for(var e=[],t=[{prefix:"",node:this}];t.length;){var n=t.pop(),r=Object.keys(n.node.edges),a=r.length;n.node.final&&(n.prefix.charAt(0),e.push(n.prefix));for(var o=0;o<a;o++){var i=r[o];t.push({prefix:n.prefix.concat(i),node:n.node.edges[i]})}}return e},I.TokenSet.prototype.toString=function(){if(this._str)return this._str;for(var e=this.final?"1":"0",t=Object.keys(this.edges).sort(),n=t.length,r=0;r<n;r++){var a=t[r];e=e+a+this.edges[a].id}return e},I.TokenSet.prototype.intersect=function(e){for(var t=new I.TokenSet,n=void 0,r=[{qNode:e,output:t,node:this}];r.length;){n=r.pop();for(var a=Object.keys(n.qNode.edges),o=a.length,i=Object.keys(n.node.edges),s=i.length,l=0;l<o;l++)for(var c=a[l],u=0;u<s;u++){var d=i[u];if(d==c||"*"==c){var p=n.node.edges[d],f=n.qNode.edges[c],h=p.final&&f.final,m=void 0;d in n.output.edges?(m=n.output.edges[d]).final=m.final||h:((m=new I.TokenSet).final=h,n.output.edges[d]=m),r.push({qNode:f,output:m,node:p})}}}return t},I.TokenSet.Builder=function(){this.previousWord="",this.root=new I.TokenSet,this.uncheckedNodes=[],this.minimizedNodes={}},I.TokenSet.Builder.prototype.insert=function(e){var t,n=0;if(e<this.previousWord)throw new Error("Out of order word insertion");for(var r=0;r<e.length&&r<this.previousWord.length&&e[r]==this.previousWord[r];r++)n++;this.minimize(n),t=0==this.uncheckedNodes.length?this.root:this.uncheckedNodes[this.uncheckedNodes.length-1].child;for(r=n;r<e.length;r++){var a=new I.TokenSet,o=e[r];t.edges[o]=a,this.uncheckedNodes.push({parent:t,char:o,child:a}),t=a}t.final=!0,this.previousWord=e},I.TokenSet.Builder.prototype.finish=function(){this.minimize(0)},I.TokenSet.Builder.prototype.minimize=function(e){for(var t=this.uncheckedNodes.length-1;t>=e;t--){var n=this.uncheckedNodes[t],r=n.child.toString();r in this.minimizedNodes?n.parent.edges[n.char]=this.minimizedNodes[r]:(n.child._str=r,this.minimizedNodes[r]=n.child),this.uncheckedNodes.pop()}},I.Index=function(e){this.invertedIndex=e.invertedIndex,this.fieldVectors=e.fieldVectors,this.tokenSet=e.tokenSet,this.fields=e.fields,this.pipeline=e.pipeline},I.Index.prototype.search=function(e){return this.query((function(t){new I.QueryParser(e,t).parse()}))},I.Index.prototype.query=function(e){for(var t=new I.Query(this.fields),n=Object.create(null),r=Object.create(null),a=Object.create(null),o=Object.create(null),i=Object.create(null),s=0;s<this.fields.length;s++)r[this.fields[s]]=new I.Vector;e.call(t,t);for(s=0;s<t.clauses.length;s++){var l=t.clauses[s],c=null,u=I.Set.empty;c=l.usePipeline?this.pipeline.runString(l.term,{fields:l.fields}):[l.term];for(var d=0;d<c.length;d++){var p=c[d];l.term=p;var f=I.TokenSet.fromClause(l),h=this.tokenSet.intersect(f).toArray();if(0===h.length&&l.presence===I.Query.presence.REQUIRED){for(var m=0;m<l.fields.length;m++){o[P=l.fields[m]]=I.Set.empty}break}for(var g=0;g<h.length;g++){var y=h[g],b=this.invertedIndex[y],v=b._index;for(m=0;m<l.fields.length;m++){var k=b[P=l.fields[m]],w=Object.keys(k),x=y+"/"+P,S=new I.Set(w);if(l.presence==I.Query.presence.REQUIRED&&(u=u.union(S),void 0===o[P]&&(o[P]=I.Set.complete)),l.presence!=I.Query.presence.PROHIBITED){if(r[P].upsert(v,l.boost,(function(e,t){return e+t})),!a[x]){for(var E=0;E<w.length;E++){var C,_=w[E],T=new I.FieldRef(_,P),L=k[_];void 0===(C=n[T])?n[T]=new I.MatchData(y,P,L):C.add(y,P,L)}a[x]=!0}}else void 0===i[P]&&(i[P]=I.Set.empty),i[P]=i[P].union(S)}}}if(l.presence===I.Query.presence.REQUIRED)for(m=0;m<l.fields.length;m++){o[P=l.fields[m]]=o[P].intersect(u)}}var R=I.Set.complete,j=I.Set.empty;for(s=0;s<this.fields.length;s++){var P;o[P=this.fields[s]]&&(R=R.intersect(o[P])),i[P]&&(j=j.union(i[P]))}var N=Object.keys(n),A=[],O=Object.create(null);if(t.isNegated()){N=Object.keys(this.fieldVectors);for(s=0;s<N.length;s++){T=N[s];var D=I.FieldRef.fromString(T);n[T]=new I.MatchData}}for(s=0;s<N.length;s++){var F=(D=I.FieldRef.fromString(N[s])).docRef;if(R.contains(F)&&!j.contains(F)){var M,B=this.fieldVectors[D],z=r[D.fieldName].similarity(B);if(void 0!==(M=O[F]))M.score+=z,M.matchData.combine(n[D]);else{var $={ref:F,score:z,matchData:n[D]};O[F]=$,A.push($)}}}return A.sort((function(e,t){return t.score-e.score}))},I.Index.prototype.toJSON=function(){var e=Object.keys(this.invertedIndex).sort().map((function(e){return[e,this.invertedIndex[e]]}),this),t=Object.keys(this.fieldVectors).map((function(e){return[e,this.fieldVectors[e].toJSON()]}),this);return{version:I.version,fields:this.fields,fieldVectors:t,invertedIndex:e,pipeline:this.pipeline.toJSON()}},I.Index.load=function(e){var t={},n={},r=e.fieldVectors,a=Object.create(null),o=e.invertedIndex,i=new I.TokenSet.Builder,s=I.Pipeline.load(e.pipeline);e.version!=I.version&&I.utils.warn("Version mismatch when loading serialised index. Current version of lunr '"+I.version+"' does not match serialized index '"+e.version+"'");for(var l=0;l<r.length;l++){var c=(d=r[l])[0],u=d[1];n[c]=new I.Vector(u)}for(l=0;l<o.length;l++){var d,p=(d=o[l])[0],f=d[1];i.insert(p),a[p]=f}return i.finish(),t.fields=e.fields,t.fieldVectors=n,t.invertedIndex=a,t.tokenSet=i.root,t.pipeline=s,new I.Index(t)},I.Builder=function(){this._ref="id",this._fields=Object.create(null),this._documents=Object.create(null),this.invertedIndex=Object.create(null),this.fieldTermFrequencies={},this.fieldLengths={},this.tokenizer=I.tokenizer,this.pipeline=new I.Pipeline,this.searchPipeline=new I.Pipeline,this.documentCount=0,this._b=.75,this._k1=1.2,this.termIndex=0,this.metadataWhitelist=[]},I.Builder.prototype.ref=function(e){this._ref=e},I.Builder.prototype.field=function(e,t){if(/\//.test(e))throw new RangeError("Field '"+e+"' contains illegal character '/'");this._fields[e]=t||{}},I.Builder.prototype.b=function(e){this._b=e<0?0:e>1?1:e},I.Builder.prototype.k1=function(e){this._k1=e},I.Builder.prototype.add=function(e,t){var n=e[this._ref],r=Object.keys(this._fields);this._documents[n]=t||{},this.documentCount+=1;for(var a=0;a<r.length;a++){var o=r[a],i=this._fields[o].extractor,s=i?i(e):e[o],l=this.tokenizer(s,{fields:[o]}),c=this.pipeline.run(l),u=new I.FieldRef(n,o),d=Object.create(null);this.fieldTermFrequencies[u]=d,this.fieldLengths[u]=0,this.fieldLengths[u]+=c.length;for(var p=0;p<c.length;p++){var f=c[p];if(null==d[f]&&(d[f]=0),d[f]+=1,null==this.invertedIndex[f]){var h=Object.create(null);h._index=this.termIndex,this.termIndex+=1;for(var m=0;m<r.length;m++)h[r[m]]=Object.create(null);this.invertedIndex[f]=h}null==this.invertedIndex[f][o][n]&&(this.invertedIndex[f][o][n]=Object.create(null));for(var g=0;g<this.metadataWhitelist.length;g++){var y=this.metadataWhitelist[g],b=f.metadata[y];null==this.invertedIndex[f][o][n][y]&&(this.invertedIndex[f][o][n][y]=[]),this.invertedIndex[f][o][n][y].push(b)}}}},I.Builder.prototype.calculateAverageFieldLengths=function(){for(var e=Object.keys(this.fieldLengths),t=e.length,n={},r={},a=0;a<t;a++){var o=I.FieldRef.fromString(e[a]),i=o.fieldName;r[i]||(r[i]=0),r[i]+=1,n[i]||(n[i]=0),n[i]+=this.fieldLengths[o]}var s=Object.keys(this._fields);for(a=0;a<s.length;a++){var l=s[a];n[l]=n[l]/r[l]}this.averageFieldLength=n},I.Builder.prototype.createFieldVectors=function(){for(var e={},t=Object.keys(this.fieldTermFrequencies),n=t.length,r=Object.create(null),a=0;a<n;a++){for(var o=I.FieldRef.fromString(t[a]),i=o.fieldName,s=this.fieldLengths[o],l=new I.Vector,c=this.fieldTermFrequencies[o],u=Object.keys(c),d=u.length,p=this._fields[i].boost||1,f=this._documents[o.docRef].boost||1,h=0;h<d;h++){var m,g,y,b=u[h],v=c[b],k=this.invertedIndex[b]._index;void 0===r[b]?(m=I.idf(this.invertedIndex[b],this.documentCount),r[b]=m):m=r[b],g=m*((this._k1+1)*v)/(this._k1*(1-this._b+this._b*(s/this.averageFieldLength[i]))+v),g*=p,g*=f,y=Math.round(1e3*g)/1e3,l.insert(k,y)}e[o]=l}this.fieldVectors=e},I.Builder.prototype.createTokenSet=function(){this.tokenSet=I.TokenSet.fromArray(Object.keys(this.invertedIndex).sort())},I.Builder.prototype.build=function(){return this.calculateAverageFieldLengths(),this.createFieldVectors(),this.createTokenSet(),new I.Index({invertedIndex:this.invertedIndex,fieldVectors:this.fieldVectors,tokenSet:this.tokenSet,fields:Object.keys(this._fields),pipeline:this.searchPipeline})},I.Builder.prototype.use=function(e){var t=Array.prototype.slice.call(arguments,1);t.unshift(this),e.apply(this,t)},I.MatchData=function(e,t,n){for(var r=Object.create(null),a=Object.keys(n||{}),o=0;o<a.length;o++){var i=a[o];r[i]=n[i].slice()}this.metadata=Object.create(null),void 0!==e&&(this.metadata[e]=Object.create(null),this.metadata[e][t]=r)},I.MatchData.prototype.combine=function(e){for(var t=Object.keys(e.metadata),n=0;n<t.length;n++){var r=t[n],a=Object.keys(e.metadata[r]);null==this.metadata[r]&&(this.metadata[r]=Object.create(null));for(var o=0;o<a.length;o++){var i=a[o],s=Object.keys(e.metadata[r][i]);null==this.metadata[r][i]&&(this.metadata[r][i]=Object.create(null));for(var l=0;l<s.length;l++){var c=s[l];null==this.metadata[r][i][c]?this.metadata[r][i][c]=e.metadata[r][i][c]:this.metadata[r][i][c]=this.metadata[r][i][c].concat(e.metadata[r][i][c])}}}},I.MatchData.prototype.add=function(e,t,n){if(!(e in this.metadata))return this.metadata[e]=Object.create(null),void(this.metadata[e][t]=n);if(t in this.metadata[e])for(var r=Object.keys(n),a=0;a<r.length;a++){var o=r[a];o in this.metadata[e][t]?this.metadata[e][t][o]=this.metadata[e][t][o].concat(n[o]):this.metadata[e][t][o]=n[o]}else this.metadata[e][t]=n},I.Query=function(e){this.clauses=[],this.allFields=e},I.Query.wildcard=new String("*"),I.Query.wildcard.NONE=0,I.Query.wildcard.LEADING=1,I.Query.wildcard.TRAILING=2,I.Query.presence={OPTIONAL:1,REQUIRED:2,PROHIBITED:3},I.Query.prototype.clause=function(e){return"fields"in e||(e.fields=this.allFields),"boost"in e||(e.boost=1),"usePipeline"in e||(e.usePipeline=!0),"wildcard"in e||(e.wildcard=I.Query.wildcard.NONE),e.wildcard&I.Query.wildcard.LEADING&&e.term.charAt(0)!=I.Query.wildcard&&(e.term="*"+e.term),e.wildcard&I.Query.wildcard.TRAILING&&e.term.slice(-1)!=I.Query.wildcard&&(e.term=e.term+"*"),"presence"in e||(e.presence=I.Query.presence.OPTIONAL),this.clauses.push(e),this},I.Query.prototype.isNegated=function(){for(var e=0;e<this.clauses.length;e++)if(this.clauses[e].presence!=I.Query.presence.PROHIBITED)return!1;return!0},I.Query.prototype.term=function(e,t){if(Array.isArray(e))return e.forEach((function(e){this.term(e,I.utils.clone(t))}),this),this;var n=t||{};return n.term=e.toString(),this.clause(n),this},I.QueryParseError=function(e,t,n){this.name="QueryParseError",this.message=e,this.start=t,this.end=n},I.QueryParseError.prototype=new Error,I.QueryLexer=function(e){this.lexemes=[],this.str=e,this.length=e.length,this.pos=0,this.start=0,this.escapeCharPositions=[]},I.QueryLexer.prototype.run=function(){for(var e=I.QueryLexer.lexText;e;)e=e(this)},I.QueryLexer.prototype.sliceString=function(){for(var e=[],t=this.start,n=this.pos,r=0;r<this.escapeCharPositions.length;r++)n=this.escapeCharPositions[r],e.push(this.str.slice(t,n)),t=n+1;return e.push(this.str.slice(t,this.pos)),this.escapeCharPositions.length=0,e.join("")},I.QueryLexer.prototype.emit=function(e){this.lexemes.push({type:e,str:this.sliceString(),start:this.start,end:this.pos}),this.start=this.pos},I.QueryLexer.prototype.escapeCharacter=function(){this.escapeCharPositions.push(this.pos-1),this.pos+=1},I.QueryLexer.prototype.next=function(){if(this.pos>=this.length)return I.QueryLexer.EOS;var e=this.str.charAt(this.pos);return this.pos+=1,e},I.QueryLexer.prototype.width=function(){return this.pos-this.start},I.QueryLexer.prototype.ignore=function(){this.start==this.pos&&(this.pos+=1),this.start=this.pos},I.QueryLexer.prototype.backup=function(){this.pos-=1},I.QueryLexer.prototype.acceptDigitRun=function(){var e,t;do{t=(e=this.next()).charCodeAt(0)}while(t>47&&t<58);e!=I.QueryLexer.EOS&&this.backup()},I.QueryLexer.prototype.more=function(){return this.pos<this.length},I.QueryLexer.EOS="EOS",I.QueryLexer.FIELD="FIELD",I.QueryLexer.TERM="TERM",I.QueryLexer.EDIT_DISTANCE="EDIT_DISTANCE",I.QueryLexer.BOOST="BOOST",I.QueryLexer.PRESENCE="PRESENCE",I.QueryLexer.lexField=function(e){return e.backup(),e.emit(I.QueryLexer.FIELD),e.ignore(),I.QueryLexer.lexText},I.QueryLexer.lexTerm=function(e){if(e.width()>1&&(e.backup(),e.emit(I.QueryLexer.TERM)),e.ignore(),e.more())return I.QueryLexer.lexText},I.QueryLexer.lexEditDistance=function(e){return e.ignore(),e.acceptDigitRun(),e.emit(I.QueryLexer.EDIT_DISTANCE),I.QueryLexer.lexText},I.QueryLexer.lexBoost=function(e){return e.ignore(),e.acceptDigitRun(),e.emit(I.QueryLexer.BOOST),I.QueryLexer.lexText},I.QueryLexer.lexEOS=function(e){e.width()>0&&e.emit(I.QueryLexer.TERM)},I.QueryLexer.termSeparator=I.tokenizer.separator,I.QueryLexer.lexText=function(e){for(;;){var t=e.next();if(t==I.QueryLexer.EOS)return I.QueryLexer.lexEOS;if(92!=t.charCodeAt(0)){if(":"==t)return I.QueryLexer.lexField;if("~"==t)return e.backup(),e.width()>0&&e.emit(I.QueryLexer.TERM),I.QueryLexer.lexEditDistance;if("^"==t)return e.backup(),e.width()>0&&e.emit(I.QueryLexer.TERM),I.QueryLexer.lexBoost;if("+"==t&&1===e.width())return e.emit(I.QueryLexer.PRESENCE),I.QueryLexer.lexText;if("-"==t&&1===e.width())return e.emit(I.QueryLexer.PRESENCE),I.QueryLexer.lexText;if(t.match(I.QueryLexer.termSeparator))return I.QueryLexer.lexTerm}else e.escapeCharacter()}},I.QueryParser=function(e,t){this.lexer=new I.QueryLexer(e),this.query=t,this.currentClause={},this.lexemeIdx=0},I.QueryParser.prototype.parse=function(){this.lexer.run(),this.lexemes=this.lexer.lexemes;for(var e=I.QueryParser.parseClause;e;)e=e(this);return this.query},I.QueryParser.prototype.peekLexeme=function(){return this.lexemes[this.lexemeIdx]},I.QueryParser.prototype.consumeLexeme=function(){var e=this.peekLexeme();return this.lexemeIdx+=1,e},I.QueryParser.prototype.nextClause=function(){var e=this.currentClause;this.query.clause(e),this.currentClause={}},I.QueryParser.parseClause=function(e){var t=e.peekLexeme();if(null!=t)switch(t.type){case I.QueryLexer.PRESENCE:return I.QueryParser.parsePresence;case I.QueryLexer.FIELD:return I.QueryParser.parseField;case I.QueryLexer.TERM:return I.QueryParser.parseTerm;default:var n="expected either a field or a term, found "+t.type;throw t.str.length>=1&&(n+=" with value '"+t.str+"'"),new I.QueryParseError(n,t.start,t.end)}},I.QueryParser.parsePresence=function(e){var t=e.consumeLexeme();if(null!=t){switch(t.str){case"-":e.currentClause.presence=I.Query.presence.PROHIBITED;break;case"+":e.currentClause.presence=I.Query.presence.REQUIRED;break;default:var n="unrecognised presence operator'"+t.str+"'";throw new I.QueryParseError(n,t.start,t.end)}var r=e.peekLexeme();if(null==r){n="expecting term or field, found nothing";throw new I.QueryParseError(n,t.start,t.end)}switch(r.type){case I.QueryLexer.FIELD:return I.QueryParser.parseField;case I.QueryLexer.TERM:return I.QueryParser.parseTerm;default:n="expecting term or field, found '"+r.type+"'";throw new I.QueryParseError(n,r.start,r.end)}}},I.QueryParser.parseField=function(e){var t=e.consumeLexeme();if(null!=t){if(-1==e.query.allFields.indexOf(t.str)){var n=e.query.allFields.map((function(e){return"'"+e+"'"})).join(", "),r="unrecognised field '"+t.str+"', possible fields: "+n;throw new I.QueryParseError(r,t.start,t.end)}e.currentClause.fields=[t.str];var a=e.peekLexeme();if(null==a){r="expecting term, found nothing";throw new I.QueryParseError(r,t.start,t.end)}if(a.type===I.QueryLexer.TERM)return I.QueryParser.parseTerm;r="expecting term, found '"+a.type+"'";throw new I.QueryParseError(r,a.start,a.end)}},I.QueryParser.parseTerm=function(e){var t=e.consumeLexeme();if(null!=t){e.currentClause.term=t.str.toLowerCase(),-1!=t.str.indexOf("*")&&(e.currentClause.usePipeline=!1);var n=e.peekLexeme();if(null!=n)switch(n.type){case I.QueryLexer.TERM:return e.nextClause(),I.QueryParser.parseTerm;case I.QueryLexer.FIELD:return e.nextClause(),I.QueryParser.parseField;case I.QueryLexer.EDIT_DISTANCE:return I.QueryParser.parseEditDistance;case I.QueryLexer.BOOST:return I.QueryParser.parseBoost;case I.QueryLexer.PRESENCE:return e.nextClause(),I.QueryParser.parsePresence;default:var r="Unexpected lexeme type '"+n.type+"'";throw new I.QueryParseError(r,n.start,n.end)}else e.nextClause()}},I.QueryParser.parseEditDistance=function(e){var t=e.consumeLexeme();if(null!=t){var n=parseInt(t.str,10);if(isNaN(n)){var r="edit distance must be numeric";throw new I.QueryParseError(r,t.start,t.end)}e.currentClause.editDistance=n;var a=e.peekLexeme();if(null!=a)switch(a.type){case I.QueryLexer.TERM:return e.nextClause(),I.QueryParser.parseTerm;case I.QueryLexer.FIELD:return e.nextClause(),I.QueryParser.parseField;case I.QueryLexer.EDIT_DISTANCE:return I.QueryParser.parseEditDistance;case I.QueryLexer.BOOST:return I.QueryParser.parseBoost;case I.QueryLexer.PRESENCE:return e.nextClause(),I.QueryParser.parsePresence;default:r="Unexpected lexeme type '"+a.type+"'";throw new I.QueryParseError(r,a.start,a.end)}else e.nextClause()}},I.QueryParser.parseBoost=function(e){var t=e.consumeLexeme();if(null!=t){var n=parseInt(t.str,10);if(isNaN(n)){var r="boost must be numeric";throw new I.QueryParseError(r,t.start,t.end)}e.currentClause.boost=n;var a=e.peekLexeme();if(null!=a)switch(a.type){case I.QueryLexer.TERM:return e.nextClause(),I.QueryParser.parseTerm;case I.QueryLexer.FIELD:return e.nextClause(),I.QueryParser.parseField;case I.QueryLexer.EDIT_DISTANCE:return I.QueryParser.parseEditDistance;case I.QueryLexer.BOOST:return I.QueryParser.parseBoost;case I.QueryLexer.PRESENCE:return e.nextClause(),I.QueryParser.parsePresence;default:r="Unexpected lexeme type '"+a.type+"'";throw new I.QueryParseError(r,a.start,a.end)}else e.nextClause()}},void 0===(a="function"==typeof(r=function(){return I})?r.call(t,n,t,e):r)||(e.exports=a)}()},813:function(e){e.exports=function(){"use strict";var e="function"==typeof Symbol&&"symbol"==typeof Symbol.iterator?function(e){return typeof e}:function(e){return e&&"function"==typeof Symbol&&e.constructor===Symbol&&e!==Symbol.prototype?"symbol":typeof e},t=function(e,t){if(!(e instanceof t))throw new TypeError("Cannot call a class as a function")},n=function(){function e(e,t){for(var n=0;n<t.length;n++){var r=t[n];r.enumerable=r.enumerable||!1,r.configurable=!0,"value"in r&&(r.writable=!0),Object.defineProperty(e,r.key,r)}}return function(t,n,r){return n&&e(t.prototype,n),r&&e(t,r),t}}(),r=Object.assign||function(e){for(var t=1;t<arguments.length;t++){var n=arguments[t];for(var r in n)Object.prototype.hasOwnProperty.call(n,r)&&(e[r]=n[r])}return e},a=function(){function e(n){var r=!(arguments.length>1&&void 0!==arguments[1])||arguments[1],a=arguments.length>2&&void 0!==arguments[2]?arguments[2]:[],o=arguments.length>3&&void 0!==arguments[3]?arguments[3]:5e3;t(this,e),this.ctx=n,this.iframes=r,this.exclude=a,this.iframesTimeout=o}return n(e,[{key:"getContexts",value:function(){var e=[];return(void 0!==this.ctx&&this.ctx?NodeList.prototype.isPrototypeOf(this.ctx)?Array.prototype.slice.call(this.ctx):Array.isArray(this.ctx)?this.ctx:"string"==typeof this.ctx?Array.prototype.slice.call(document.querySelectorAll(this.ctx)):[this.ctx]:[]).forEach((function(t){var n=e.filter((function(e){return e.contains(t)})).length>0;-1!==e.indexOf(t)||n||e.push(t)})),e}},{key:"getIframeContents",value:function(e,t){var n=arguments.length>2&&void 0!==arguments[2]?arguments[2]:function(){},r=void 0;try{var a=e.contentWindow;if(r=a.document,!a||!r)throw new Error("iframe inaccessible")}catch(o){n()}r&&t(r)}},{key:"isIframeBlank",value:function(e){var t="about:blank",n=e.getAttribute("src").trim();return e.contentWindow.location.href===t&&n!==t&&n}},{key:"observeIframeLoad",value:function(e,t,n){var r=this,a=!1,o=null,i=function i(){if(!a){a=!0,clearTimeout(o);try{r.isIframeBlank(e)||(e.removeEventListener("load",i),r.getIframeContents(e,t,n))}catch(s){n()}}};e.addEventListener("load",i),o=setTimeout(i,this.iframesTimeout)}},{key:"onIframeReady",value:function(e,t,n){try{"complete"===e.contentWindow.document.readyState?this.isIframeBlank(e)?this.observeIframeLoad(e,t,n):this.getIframeContents(e,t,n):this.observeIframeLoad(e,t,n)}catch(r){n()}}},{key:"waitForIframes",value:function(e,t){var n=this,r=0;this.forEachIframe(e,(function(){return!0}),(function(e){r++,n.waitForIframes(e.querySelector("html"),(function(){--r||t()}))}),(function(e){e||t()}))}},{key:"forEachIframe",value:function(t,n,r){var a=this,o=arguments.length>3&&void 0!==arguments[3]?arguments[3]:function(){},i=t.querySelectorAll("iframe"),s=i.length,l=0;i=Array.prototype.slice.call(i);var c=function(){--s<=0&&o(l)};s||c(),i.forEach((function(t){e.matches(t,a.exclude)?c():a.onIframeReady(t,(function(e){n(t)&&(l++,r(e)),c()}),c)}))}},{key:"createIterator",value:function(e,t,n){return document.createNodeIterator(e,t,n,!1)}},{key:"createInstanceOnIframe",value:function(t){return new e(t.querySelector("html"),this.iframes)}},{key:"compareNodeIframe",value:function(e,t,n){if(e.compareDocumentPosition(n)&Node.DOCUMENT_POSITION_PRECEDING){if(null===t)return!0;if(t.compareDocumentPosition(n)&Node.DOCUMENT_POSITION_FOLLOWING)return!0}return!1}},{key:"getIteratorNode",value:function(e){var t=e.previousNode();return{prevNode:t,node:(null===t||e.nextNode())&&e.nextNode()}}},{key:"checkIframeFilter",value:function(e,t,n,r){var a=!1,o=!1;return r.forEach((function(e,t){e.val===n&&(a=t,o=e.handled)})),this.compareNodeIframe(e,t,n)?(!1!==a||o?!1===a||o||(r[a].handled=!0):r.push({val:n,handled:!0}),!0):(!1===a&&r.push({val:n,handled:!1}),!1)}},{key:"handleOpenIframes",value:function(e,t,n,r){var a=this;e.forEach((function(e){e.handled||a.getIframeContents(e.val,(function(e){a.createInstanceOnIframe(e).forEachNode(t,n,r)}))}))}},{key:"iterateThroughNodes",value:function(e,t,n,r,a){for(var o=this,i=this.createIterator(t,e,r),s=[],l=[],c=void 0,u=void 0,d=function(){var e=o.getIteratorNode(i);return u=e.prevNode,c=e.node};d();)this.iframes&&this.forEachIframe(t,(function(e){return o.checkIframeFilter(c,u,e,s)}),(function(t){o.createInstanceOnIframe(t).forEachNode(e,(function(e){return l.push(e)}),r)})),l.push(c);l.forEach((function(e){n(e)})),this.iframes&&this.handleOpenIframes(s,e,n,r),a()}},{key:"forEachNode",value:function(e,t,n){var r=this,a=arguments.length>3&&void 0!==arguments[3]?arguments[3]:function(){},o=this.getContexts(),i=o.length;i||a(),o.forEach((function(o){var s=function(){r.iterateThroughNodes(e,o,t,n,(function(){--i<=0&&a()}))};r.iframes?r.waitForIframes(o,s):s()}))}}],[{key:"matches",value:function(e,t){var n="string"==typeof t?[t]:t,r=e.matches||e.matchesSelector||e.msMatchesSelector||e.mozMatchesSelector||e.oMatchesSelector||e.webkitMatchesSelector;if(r){var a=!1;return n.every((function(t){return!r.call(e,t)||(a=!0,!1)})),a}return!1}}]),e}(),o=function(){function o(e){t(this,o),this.ctx=e,this.ie=!1;var n=window.navigator.userAgent;(n.indexOf("MSIE")>-1||n.indexOf("Trident")>-1)&&(this.ie=!0)}return n(o,[{key:"log",value:function(t){var n=arguments.length>1&&void 0!==arguments[1]?arguments[1]:"debug",r=this.opt.log;this.opt.debug&&"object"===(void 0===r?"undefined":e(r))&&"function"==typeof r[n]&&r[n]("mark.js: "+t)}},{key:"escapeStr",value:function(e){return e.replace(/[\-\[\]\/\{\}\(\)\*\+\?\.\\\^\$\|]/g,"\\$&")}},{key:"createRegExp",value:function(e){return"disabled"!==this.opt.wildcards&&(e=this.setupWildcardsRegExp(e)),e=this.escapeStr(e),Object.keys(this.opt.synonyms).length&&(e=this.createSynonymsRegExp(e)),(this.opt.ignoreJoiners||this.opt.ignorePunctuation.length)&&(e=this.setupIgnoreJoinersRegExp(e)),this.opt.diacritics&&(e=this.createDiacriticsRegExp(e)),e=this.createMergedBlanksRegExp(e),(this.opt.ignoreJoiners||this.opt.ignorePunctuation.length)&&(e=this.createJoinersRegExp(e)),"disabled"!==this.opt.wildcards&&(e=this.createWildcardsRegExp(e)),e=this.createAccuracyRegExp(e)}},{key:"createSynonymsRegExp",value:function(e){var t=this.opt.synonyms,n=this.opt.caseSensitive?"":"i",r=this.opt.ignoreJoiners||this.opt.ignorePunctuation.length?"\0":"";for(var a in t)if(t.hasOwnProperty(a)){var o=t[a],i="disabled"!==this.opt.wildcards?this.setupWildcardsRegExp(a):this.escapeStr(a),s="disabled"!==this.opt.wildcards?this.setupWildcardsRegExp(o):this.escapeStr(o);""!==i&&""!==s&&(e=e.replace(new RegExp("("+this.escapeStr(i)+"|"+this.escapeStr(s)+")","gm"+n),r+"("+this.processSynomyms(i)+"|"+this.processSynomyms(s)+")"+r))}return e}},{key:"processSynomyms",value:function(e){return(this.opt.ignoreJoiners||this.opt.ignorePunctuation.length)&&(e=this.setupIgnoreJoinersRegExp(e)),e}},{key:"setupWildcardsRegExp",value:function(e){return(e=e.replace(/(?:\\)*\?/g,(function(e){return"\\"===e.charAt(0)?"?":"\x01"}))).replace(/(?:\\)*\*/g,(function(e){return"\\"===e.charAt(0)?"*":"\x02"}))}},{key:"createWildcardsRegExp",value:function(e){var t="withSpaces"===this.opt.wildcards;return e.replace(/\u0001/g,t?"[\\S\\s]?":"\\S?").replace(/\u0002/g,t?"[\\S\\s]*?":"\\S*")}},{key:"setupIgnoreJoinersRegExp",value:function(e){return e.replace(/[^(|)\\]/g,(function(e,t,n){var r=n.charAt(t+1);return/[(|)\\]/.test(r)||""===r?e:e+"\0"}))}},{key:"createJoinersRegExp",value:function(e){var t=[],n=this.opt.ignorePunctuation;return Array.isArray(n)&&n.length&&t.push(this.escapeStr(n.join(""))),this.opt.ignoreJoiners&&t.push("\\u00ad\\u200b\\u200c\\u200d"),t.length?e.split(/\u0000+/).join("["+t.join("")+"]*"):e}},{key:"createDiacriticsRegExp",value:function(e){var t=this.opt.caseSensitive?"":"i",n=this.opt.caseSensitive?["a\xe0\xe1\u1ea3\xe3\u1ea1\u0103\u1eb1\u1eaf\u1eb3\u1eb5\u1eb7\xe2\u1ea7\u1ea5\u1ea9\u1eab\u1ead\xe4\xe5\u0101\u0105","A\xc0\xc1\u1ea2\xc3\u1ea0\u0102\u1eb0\u1eae\u1eb2\u1eb4\u1eb6\xc2\u1ea6\u1ea4\u1ea8\u1eaa\u1eac\xc4\xc5\u0100\u0104","c\xe7\u0107\u010d","C\xc7\u0106\u010c","d\u0111\u010f","D\u0110\u010e","e\xe8\xe9\u1ebb\u1ebd\u1eb9\xea\u1ec1\u1ebf\u1ec3\u1ec5\u1ec7\xeb\u011b\u0113\u0119","E\xc8\xc9\u1eba\u1ebc\u1eb8\xca\u1ec0\u1ebe\u1ec2\u1ec4\u1ec6\xcb\u011a\u0112\u0118","i\xec\xed\u1ec9\u0129\u1ecb\xee\xef\u012b","I\xcc\xcd\u1ec8\u0128\u1eca\xce\xcf\u012a","l\u0142","L\u0141","n\xf1\u0148\u0144","N\xd1\u0147\u0143","o\xf2\xf3\u1ecf\xf5\u1ecd\xf4\u1ed3\u1ed1\u1ed5\u1ed7\u1ed9\u01a1\u1edf\u1ee1\u1edb\u1edd\u1ee3\xf6\xf8\u014d","O\xd2\xd3\u1ece\xd5\u1ecc\xd4\u1ed2\u1ed0\u1ed4\u1ed6\u1ed8\u01a0\u1ede\u1ee0\u1eda\u1edc\u1ee2\xd6\xd8\u014c","r\u0159","R\u0158","s\u0161\u015b\u0219\u015f","S\u0160\u015a\u0218\u015e","t\u0165\u021b\u0163","T\u0164\u021a\u0162","u\xf9\xfa\u1ee7\u0169\u1ee5\u01b0\u1eeb\u1ee9\u1eed\u1eef\u1ef1\xfb\xfc\u016f\u016b","U\xd9\xda\u1ee6\u0168\u1ee4\u01af\u1eea\u1ee8\u1eec\u1eee\u1ef0\xdb\xdc\u016e\u016a","y\xfd\u1ef3\u1ef7\u1ef9\u1ef5\xff","Y\xdd\u1ef2\u1ef6\u1ef8\u1ef4\u0178","z\u017e\u017c\u017a","Z\u017d\u017b\u0179"]:["a\xe0\xe1\u1ea3\xe3\u1ea1\u0103\u1eb1\u1eaf\u1eb3\u1eb5\u1eb7\xe2\u1ea7\u1ea5\u1ea9\u1eab\u1ead\xe4\xe5\u0101\u0105A\xc0\xc1\u1ea2\xc3\u1ea0\u0102\u1eb0\u1eae\u1eb2\u1eb4\u1eb6\xc2\u1ea6\u1ea4\u1ea8\u1eaa\u1eac\xc4\xc5\u0100\u0104","c\xe7\u0107\u010dC\xc7\u0106\u010c","d\u0111\u010fD\u0110\u010e","e\xe8\xe9\u1ebb\u1ebd\u1eb9\xea\u1ec1\u1ebf\u1ec3\u1ec5\u1ec7\xeb\u011b\u0113\u0119E\xc8\xc9\u1eba\u1ebc\u1eb8\xca\u1ec0\u1ebe\u1ec2\u1ec4\u1ec6\xcb\u011a\u0112\u0118","i\xec\xed\u1ec9\u0129\u1ecb\xee\xef\u012bI\xcc\xcd\u1ec8\u0128\u1eca\xce\xcf\u012a","l\u0142L\u0141","n\xf1\u0148\u0144N\xd1\u0147\u0143","o\xf2\xf3\u1ecf\xf5\u1ecd\xf4\u1ed3\u1ed1\u1ed5\u1ed7\u1ed9\u01a1\u1edf\u1ee1\u1edb\u1edd\u1ee3\xf6\xf8\u014dO\xd2\xd3\u1ece\xd5\u1ecc\xd4\u1ed2\u1ed0\u1ed4\u1ed6\u1ed8\u01a0\u1ede\u1ee0\u1eda\u1edc\u1ee2\xd6\xd8\u014c","r\u0159R\u0158","s\u0161\u015b\u0219\u015fS\u0160\u015a\u0218\u015e","t\u0165\u021b\u0163T\u0164\u021a\u0162","u\xf9\xfa\u1ee7\u0169\u1ee5\u01b0\u1eeb\u1ee9\u1eed\u1eef\u1ef1\xfb\xfc\u016f\u016bU\xd9\xda\u1ee6\u0168\u1ee4\u01af\u1eea\u1ee8\u1eec\u1eee\u1ef0\xdb\xdc\u016e\u016a","y\xfd\u1ef3\u1ef7\u1ef9\u1ef5\xffY\xdd\u1ef2\u1ef6\u1ef8\u1ef4\u0178","z\u017e\u017c\u017aZ\u017d\u017b\u0179"],r=[];return e.split("").forEach((function(a){n.every((function(n){if(-1!==n.indexOf(a)){if(r.indexOf(n)>-1)return!1;e=e.replace(new RegExp("["+n+"]","gm"+t),"["+n+"]"),r.push(n)}return!0}))})),e}},{key:"createMergedBlanksRegExp",value:function(e){return e.replace(/[\s]+/gim,"[\\s]+")}},{key:"createAccuracyRegExp",value:function(e){var t=this,n="!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~\xa1\xbf",r=this.opt.accuracy,a="string"==typeof r?r:r.value,o="string"==typeof r?[]:r.limiters,i="";switch(o.forEach((function(e){i+="|"+t.escapeStr(e)})),a){case"partially":default:return"()("+e+")";case"complementary":return"()([^"+(i="\\s"+(i||this.escapeStr(n)))+"]*"+e+"[^"+i+"]*)";case"exactly":return"(^|\\s"+i+")("+e+")(?=$|\\s"+i+")"}}},{key:"getSeparatedKeywords",value:function(e){var t=this,n=[];return e.forEach((function(e){t.opt.separateWordSearch?e.split(" ").forEach((function(e){e.trim()&&-1===n.indexOf(e)&&n.push(e)})):e.trim()&&-1===n.indexOf(e)&&n.push(e)})),{keywords:n.sort((function(e,t){return t.length-e.length})),length:n.length}}},{key:"isNumeric",value:function(e){return Number(parseFloat(e))==e}},{key:"checkRanges",value:function(e){var t=this;if(!Array.isArray(e)||"[object Object]"!==Object.prototype.toString.call(e[0]))return this.log("markRanges() will only accept an array of objects"),this.opt.noMatch(e),[];var n=[],r=0;return e.sort((function(e,t){return e.start-t.start})).forEach((function(e){var a=t.callNoMatchOnInvalidRanges(e,r),o=a.start,i=a.end;a.valid&&(e.start=o,e.length=i-o,n.push(e),r=i)})),n}},{key:"callNoMatchOnInvalidRanges",value:function(e,t){var n=void 0,r=void 0,a=!1;return e&&void 0!==e.start?(r=(n=parseInt(e.start,10))+parseInt(e.length,10),this.isNumeric(e.start)&&this.isNumeric(e.length)&&r-t>0&&r-n>0?a=!0:(this.log("Ignoring invalid or overlapping range: "+JSON.stringify(e)),this.opt.noMatch(e))):(this.log("Ignoring invalid range: "+JSON.stringify(e)),this.opt.noMatch(e)),{start:n,end:r,valid:a}}},{key:"checkWhitespaceRanges",value:function(e,t,n){var r=void 0,a=!0,o=n.length,i=t-o,s=parseInt(e.start,10)-i;return(r=(s=s>o?o:s)+parseInt(e.length,10))>o&&(r=o,this.log("End range automatically set to the max value of "+o)),s<0||r-s<0||s>o||r>o?(a=!1,this.log("Invalid range: "+JSON.stringify(e)),this.opt.noMatch(e)):""===n.substring(s,r).replace(/\s+/g,"")&&(a=!1,this.log("Skipping whitespace only range: "+JSON.stringify(e)),this.opt.noMatch(e)),{start:s,end:r,valid:a}}},{key:"getTextNodes",value:function(e){var t=this,n="",r=[];this.iterator.forEachNode(NodeFilter.SHOW_TEXT,(function(e){r.push({start:n.length,end:(n+=e.textContent).length,node:e})}),(function(e){return t.matchesExclude(e.parentNode)?NodeFilter.FILTER_REJECT:NodeFilter.FILTER_ACCEPT}),(function(){e({value:n,nodes:r})}))}},{key:"matchesExclude",value:function(e){return a.matches(e,this.opt.exclude.concat(["script","style","title","head","html"]))}},{key:"wrapRangeInTextNode",value:function(e,t,n){var r=this.opt.element?this.opt.element:"mark",a=e.splitText(t),o=a.splitText(n-t),i=document.createElement(r);return i.setAttribute("data-markjs","true"),this.opt.className&&i.setAttribute("class",this.opt.className),i.textContent=a.textContent,a.parentNode.replaceChild(i,a),o}},{key:"wrapRangeInMappedTextNode",value:function(e,t,n,r,a){var o=this;e.nodes.every((function(i,s){var l=e.nodes[s+1];if(void 0===l||l.start>t){if(!r(i.node))return!1;var c=t-i.start,u=(n>i.end?i.end:n)-i.start,d=e.value.substr(0,i.start),p=e.value.substr(u+i.start);if(i.node=o.wrapRangeInTextNode(i.node,c,u),e.value=d+p,e.nodes.forEach((function(t,n){n>=s&&(e.nodes[n].start>0&&n!==s&&(e.nodes[n].start-=u),e.nodes[n].end-=u)})),n-=u,a(i.node.previousSibling,i.start),!(n>i.end))return!1;t=i.end}return!0}))}},{key:"wrapMatches",value:function(e,t,n,r,a){var o=this,i=0===t?0:t+1;this.getTextNodes((function(t){t.nodes.forEach((function(t){t=t.node;for(var a=void 0;null!==(a=e.exec(t.textContent))&&""!==a[i];)if(n(a[i],t)){var s=a.index;if(0!==i)for(var l=1;l<i;l++)s+=a[l].length;t=o.wrapRangeInTextNode(t,s,s+a[i].length),r(t.previousSibling),e.lastIndex=0}})),a()}))}},{key:"wrapMatchesAcrossElements",value:function(e,t,n,r,a){var o=this,i=0===t?0:t+1;this.getTextNodes((function(t){for(var s=void 0;null!==(s=e.exec(t.value))&&""!==s[i];){var l=s.index;if(0!==i)for(var c=1;c<i;c++)l+=s[c].length;var u=l+s[i].length;o.wrapRangeInMappedTextNode(t,l,u,(function(e){return n(s[i],e)}),(function(t,n){e.lastIndex=n,r(t)}))}a()}))}},{key:"wrapRangeFromIndex",value:function(e,t,n,r){var a=this;this.getTextNodes((function(o){var i=o.value.length;e.forEach((function(e,r){var s=a.checkWhitespaceRanges(e,i,o.value),l=s.start,c=s.end;s.valid&&a.wrapRangeInMappedTextNode(o,l,c,(function(n){return t(n,e,o.value.substring(l,c),r)}),(function(t){n(t,e)}))})),r()}))}},{key:"unwrapMatches",value:function(e){for(var t=e.parentNode,n=document.createDocumentFragment();e.firstChild;)n.appendChild(e.removeChild(e.firstChild));t.replaceChild(n,e),this.ie?this.normalizeTextNode(t):t.normalize()}},{key:"normalizeTextNode",value:function(e){if(e){if(3===e.nodeType)for(;e.nextSibling&&3===e.nextSibling.nodeType;)e.nodeValue+=e.nextSibling.nodeValue,e.parentNode.removeChild(e.nextSibling);else this.normalizeTextNode(e.firstChild);this.normalizeTextNode(e.nextSibling)}}},{key:"markRegExp",value:function(e,t){var n=this;this.opt=t,this.log('Searching with expression "'+e+'"');var r=0,a="wrapMatches",o=function(e){r++,n.opt.each(e)};this.opt.acrossElements&&(a="wrapMatchesAcrossElements"),this[a](e,this.opt.ignoreGroups,(function(e,t){return n.opt.filter(t,e,r)}),o,(function(){0===r&&n.opt.noMatch(e),n.opt.done(r)}))}},{key:"mark",value:function(e,t){var n=this;this.opt=t;var r=0,a="wrapMatches",o=this.getSeparatedKeywords("string"==typeof e?[e]:e),i=o.keywords,s=o.length,l=this.opt.caseSensitive?"":"i",c=function e(t){var o=new RegExp(n.createRegExp(t),"gm"+l),c=0;n.log('Searching with expression "'+o+'"'),n[a](o,1,(function(e,a){return n.opt.filter(a,t,r,c)}),(function(e){c++,r++,n.opt.each(e)}),(function(){0===c&&n.opt.noMatch(t),i[s-1]===t?n.opt.done(r):e(i[i.indexOf(t)+1])}))};this.opt.acrossElements&&(a="wrapMatchesAcrossElements"),0===s?this.opt.done(r):c(i[0])}},{key:"markRanges",value:function(e,t){var n=this;this.opt=t;var r=0,a=this.checkRanges(e);a&&a.length?(this.log("Starting to mark with the following ranges: "+JSON.stringify(a)),this.wrapRangeFromIndex(a,(function(e,t,r,a){return n.opt.filter(e,t,r,a)}),(function(e,t){r++,n.opt.each(e,t)}),(function(){n.opt.done(r)}))):this.opt.done(r)}},{key:"unmark",value:function(e){var t=this;this.opt=e;var n=this.opt.element?this.opt.element:"*";n+="[data-markjs]",this.opt.className&&(n+="."+this.opt.className),this.log('Removal selector "'+n+'"'),this.iterator.forEachNode(NodeFilter.SHOW_ELEMENT,(function(e){t.unwrapMatches(e)}),(function(e){var r=a.matches(e,n),o=t.matchesExclude(e);return!r||o?NodeFilter.FILTER_REJECT:NodeFilter.FILTER_ACCEPT}),this.opt.done)}},{key:"opt",set:function(e){this._opt=r({},{element:"",className:"",exclude:[],iframes:!1,iframesTimeout:5e3,separateWordSearch:!0,diacritics:!0,synonyms:{},accuracy:"partially",acrossElements:!1,caseSensitive:!1,ignoreJoiners:!1,ignoreGroups:0,ignorePunctuation:[],wildcards:"disabled",each:function(){},noMatch:function(){},filter:function(){return!0},done:function(){},debug:!1,log:window.console},e)},get:function(){return this._opt}},{key:"iterator",get:function(){return new a(this.ctx,this.opt.iframes,this.opt.exclude,this.opt.iframesTimeout)}}]),o}();function i(e){var t=this,n=new o(e);return this.mark=function(e,r){return n.mark(e,r),t},this.markRegExp=function(e,r){return n.markRegExp(e,r),t},this.markRanges=function(e,r){return n.markRanges(e,r),t},this.unmark=function(e){return n.unmark(e),t},this}return i}()},2497:(e,t,n)=>{"use strict";n.r(t)},2295:(e,t,n)=>{"use strict";n.r(t)},4865:function(e,t,n){var r,a;r=function(){var e,t,n={version:"0.2.0"},r=n.settings={minimum:.08,easing:"ease",positionUsing:"",speed:200,trickle:!0,trickleRate:.02,trickleSpeed:800,showSpinner:!0,barSelector:'[role="bar"]',spinnerSelector:'[role="spinner"]',parent:"body",template:'<div class="bar" role="bar"><div class="peg"></div></div><div class="spinner" role="spinner"><div class="spinner-icon"></div></div>'};function a(e,t,n){return e<t?t:e>n?n:e}function o(e){return 100*(-1+e)}function i(e,t,n){var a;return(a="translate3d"===r.positionUsing?{transform:"translate3d("+o(e)+"%,0,0)"}:"translate"===r.positionUsing?{transform:"translate("+o(e)+"%,0)"}:{"margin-left":o(e)+"%"}).transition="all "+t+"ms "+n,a}n.configure=function(e){var t,n;for(t in e)void 0!==(n=e[t])&&e.hasOwnProperty(t)&&(r[t]=n);return this},n.status=null,n.set=function(e){var t=n.isStarted();e=a(e,r.minimum,1),n.status=1===e?null:e;var o=n.render(!t),c=o.querySelector(r.barSelector),u=r.speed,d=r.easing;return o.offsetWidth,s((function(t){""===r.positionUsing&&(r.positionUsing=n.getPositioningCSS()),l(c,i(e,u,d)),1===e?(l(o,{transition:"none",opacity:1}),o.offsetWidth,setTimeout((function(){l(o,{transition:"all "+u+"ms linear",opacity:0}),setTimeout((function(){n.remove(),t()}),u)}),u)):setTimeout(t,u)})),this},n.isStarted=function(){return"number"==typeof n.status},n.start=function(){n.status||n.set(0);var e=function(){setTimeout((function(){n.status&&(n.trickle(),e())}),r.trickleSpeed)};return r.trickle&&e(),this},n.done=function(e){return e||n.status?n.inc(.3+.5*Math.random()).set(1):this},n.inc=function(e){var t=n.status;return t?("number"!=typeof e&&(e=(1-t)*a(Math.random()*t,.1,.95)),t=a(t+e,0,.994),n.set(t)):n.start()},n.trickle=function(){return n.inc(Math.random()*r.trickleRate)},e=0,t=0,n.promise=function(r){return r&&"resolved"!==r.state()?(0===t&&n.start(),e++,t++,r.always((function(){0==--t?(e=0,n.done()):n.set((e-t)/e)})),this):this},n.render=function(e){if(n.isRendered())return document.getElementById("nprogress");u(document.documentElement,"nprogress-busy");var t=document.createElement("div");t.id="nprogress",t.innerHTML=r.template;var a,i=t.querySelector(r.barSelector),s=e?"-100":o(n.status||0),c=document.querySelector(r.parent);return l(i,{transition:"all 0 linear",transform:"translate3d("+s+"%,0,0)"}),r.showSpinner||(a=t.querySelector(r.spinnerSelector))&&f(a),c!=document.body&&u(c,"nprogress-custom-parent"),c.appendChild(t),t},n.remove=function(){d(document.documentElement,"nprogress-busy"),d(document.querySelector(r.parent),"nprogress-custom-parent");var e=document.getElementById("nprogress");e&&f(e)},n.isRendered=function(){return!!document.getElementById("nprogress")},n.getPositioningCSS=function(){var e=document.body.style,t="WebkitTransform"in e?"Webkit":"MozTransform"in e?"Moz":"msTransform"in e?"ms":"OTransform"in e?"O":"";return t+"Perspective"in e?"translate3d":t+"Transform"in e?"translate":"margin"};var s=function(){var e=[];function t(){var n=e.shift();n&&n(t)}return function(n){e.push(n),1==e.length&&t()}}(),l=function(){var e=["Webkit","O","Moz","ms"],t={};function n(e){return e.replace(/^-ms-/,"ms-").replace(/-([\da-z])/gi,(function(e,t){return t.toUpperCase()}))}function r(t){var n=document.body.style;if(t in n)return t;for(var r,a=e.length,o=t.charAt(0).toUpperCase()+t.slice(1);a--;)if((r=e[a]+o)in n)return r;return t}function a(e){return e=n(e),t[e]||(t[e]=r(e))}function o(e,t,n){t=a(t),e.style[t]=n}return function(e,t){var n,r,a=arguments;if(2==a.length)for(n in t)void 0!==(r=t[n])&&t.hasOwnProperty(n)&&o(e,n,r);else o(e,a[1],a[2])}}();function c(e,t){return("string"==typeof e?e:p(e)).indexOf(" "+t+" ")>=0}function u(e,t){var n=p(e),r=n+t;c(n,t)||(e.className=r.substring(1))}function d(e,t){var n,r=p(e);c(e,t)&&(n=r.replace(" "+t+" "," "),e.className=n.substring(1,n.length-1))}function p(e){return(" "+(e.className||"")+" ").replace(/\s+/gi," ")}function f(e){e&&e.parentNode&&e.parentNode.removeChild(e)}return n},void 0===(a="function"==typeof r?r.call(t,n,t,e):r)||(e.exports=a)},9901:e=>{e.exports&&(e.exports={core:{meta:{path:"components/prism-core.js",option:"mandatory"},core:"Core"},themes:{meta:{path:"themes/{id}.css",link:"index.html?theme={id}",exclusive:!0},prism:{title:"Default",option:"default"},"prism-dark":"Dark","prism-funky":"Funky","prism-okaidia":{title:"Okaidia",owner:"ocodia"},"prism-twilight":{title:"Twilight",owner:"remybach"},"prism-coy":{title:"Coy",owner:"tshedor"},"prism-solarizedlight":{title:"Solarized Light",owner:"hectormatos2011 "},"prism-tomorrow":{title:"Tomorrow Night",owner:"Rosey"}},languages:{meta:{path:"components/prism-{id}",noCSS:!0,examplesPath:"examples/prism-{id}",addCheckAll:!0},markup:{title:"Markup",alias:["html","xml","svg","mathml","ssml","atom","rss"],aliasTitles:{html:"HTML",xml:"XML",svg:"SVG",mathml:"MathML",ssml:"SSML",atom:"Atom",rss:"RSS"},option:"default"},css:{title:"CSS",option:"default",modify:"markup"},clike:{title:"C-like",option:"default"},javascript:{title:"JavaScript",require:"clike",modify:"markup",optional:"regex",alias:"js",option:"default"},abap:{title:"ABAP",owner:"dellagustin"},abnf:{title:"ABNF",owner:"RunDevelopment"},actionscript:{title:"ActionScript",require:"javascript",modify:"markup",owner:"Golmote"},ada:{title:"Ada",owner:"Lucretia"},agda:{title:"Agda",owner:"xy-ren"},al:{title:"AL",owner:"RunDevelopment"},antlr4:{title:"ANTLR4",alias:"g4",owner:"RunDevelopment"},apacheconf:{title:"Apache Configuration",owner:"GuiTeK"},apex:{title:"Apex",require:["clike","sql"],owner:"RunDevelopment"},apl:{title:"APL",owner:"ngn"},applescript:{title:"AppleScript",owner:"Golmote"},aql:{title:"AQL",owner:"RunDevelopment"},arduino:{title:"Arduino",require:"cpp",alias:"ino",owner:"dkern"},arff:{title:"ARFF",owner:"Golmote"},armasm:{title:"ARM Assembly",alias:"arm-asm",owner:"RunDevelopment"},arturo:{title:"Arturo",alias:"art",optional:["bash","css","javascript","markup","markdown","sql"],owner:"drkameleon"},asciidoc:{alias:"adoc",title:"AsciiDoc",owner:"Golmote"},aspnet:{title:"ASP.NET (C#)",require:["markup","csharp"],owner:"nauzilus"},asm6502:{title:"6502 Assembly",owner:"kzurawel"},asmatmel:{title:"Atmel AVR Assembly",owner:"cerkit"},autohotkey:{title:"AutoHotkey",owner:"aviaryan"},autoit:{title:"AutoIt",owner:"Golmote"},avisynth:{title:"AviSynth",alias:"avs",owner:"Zinfidel"},"avro-idl":{title:"Avro IDL",alias:"avdl",owner:"RunDevelopment"},awk:{title:"AWK",alias:"gawk",aliasTitles:{gawk:"GAWK"},owner:"RunDevelopment"},bash:{title:"Bash",alias:["sh","shell"],aliasTitles:{sh:"Shell",shell:"Shell"},owner:"zeitgeist87"},basic:{title:"BASIC",owner:"Golmote"},batch:{title:"Batch",owner:"Golmote"},bbcode:{title:"BBcode",alias:"shortcode",aliasTitles:{shortcode:"Shortcode"},owner:"RunDevelopment"},bbj:{title:"BBj",owner:"hyyan"},bicep:{title:"Bicep",owner:"johnnyreilly"},birb:{title:"Birb",require:"clike",owner:"Calamity210"},bison:{title:"Bison",require:"c",owner:"Golmote"},bnf:{title:"BNF",alias:"rbnf",aliasTitles:{rbnf:"RBNF"},owner:"RunDevelopment"},bqn:{title:"BQN",owner:"yewscion"},brainfuck:{title:"Brainfuck",owner:"Golmote"},brightscript:{title:"BrightScript",owner:"RunDevelopment"},bro:{title:"Bro",owner:"wayward710"},bsl:{title:"BSL (1C:Enterprise)",alias:"oscript",aliasTitles:{oscript:"OneScript"},owner:"Diversus23"},c:{title:"C",require:"clike",owner:"zeitgeist87"},csharp:{title:"C#",require:"clike",alias:["cs","dotnet"],owner:"mvalipour"},cpp:{title:"C++",require:"c",owner:"zeitgeist87"},cfscript:{title:"CFScript",require:"clike",alias:"cfc",owner:"mjclemente"},chaiscript:{title:"ChaiScript",require:["clike","cpp"],owner:"RunDevelopment"},cil:{title:"CIL",owner:"sbrl"},cilkc:{title:"Cilk/C",require:"c",alias:"cilk-c",owner:"OpenCilk"},cilkcpp:{title:"Cilk/C++",require:"cpp",alias:["cilk-cpp","cilk"],owner:"OpenCilk"},clojure:{title:"Clojure",owner:"troglotit"},cmake:{title:"CMake",owner:"mjrogozinski"},cobol:{title:"COBOL",owner:"RunDevelopment"},coffeescript:{title:"CoffeeScript",require:"javascript",alias:"coffee",owner:"R-osey"},concurnas:{title:"Concurnas",alias:"conc",owner:"jasontatton"},csp:{title:"Content-Security-Policy",owner:"ScottHelme"},cooklang:{title:"Cooklang",owner:"ahue"},coq:{title:"Coq",owner:"RunDevelopment"},crystal:{title:"Crystal",require:"ruby",owner:"MakeNowJust"},"css-extras":{title:"CSS Extras",require:"css",modify:"css",owner:"milesj"},csv:{title:"CSV",owner:"RunDevelopment"},cue:{title:"CUE",owner:"RunDevelopment"},cypher:{title:"Cypher",owner:"RunDevelopment"},d:{title:"D",require:"clike",owner:"Golmote"},dart:{title:"Dart",require:"clike",owner:"Golmote"},dataweave:{title:"DataWeave",owner:"machaval"},dax:{title:"DAX",owner:"peterbud"},dhall:{title:"Dhall",owner:"RunDevelopment"},diff:{title:"Diff",owner:"uranusjr"},django:{title:"Django/Jinja2",require:"markup-templating",alias:"jinja2",owner:"romanvm"},"dns-zone-file":{title:"DNS zone file",owner:"RunDevelopment",alias:"dns-zone"},docker:{title:"Docker",alias:"dockerfile",owner:"JustinBeckwith"},dot:{title:"DOT (Graphviz)",alias:"gv",optional:"markup",owner:"RunDevelopment"},ebnf:{title:"EBNF",owner:"RunDevelopment"},editorconfig:{title:"EditorConfig",owner:"osipxd"},eiffel:{title:"Eiffel",owner:"Conaclos"},ejs:{title:"EJS",require:["javascript","markup-templating"],owner:"RunDevelopment",alias:"eta",aliasTitles:{eta:"Eta"}},elixir:{title:"Elixir",owner:"Golmote"},elm:{title:"Elm",owner:"zwilias"},etlua:{title:"Embedded Lua templating",require:["lua","markup-templating"],owner:"RunDevelopment"},erb:{title:"ERB",require:["ruby","markup-templating"],owner:"Golmote"},erlang:{title:"Erlang",owner:"Golmote"},"excel-formula":{title:"Excel Formula",alias:["xlsx","xls"],owner:"RunDevelopment"},fsharp:{title:"F#",require:"clike",owner:"simonreynolds7"},factor:{title:"Factor",owner:"catb0t"},false:{title:"False",owner:"edukisto"},"firestore-security-rules":{title:"Firestore security rules",require:"clike",owner:"RunDevelopment"},flow:{title:"Flow",require:"javascript",owner:"Golmote"},fortran:{title:"Fortran",owner:"Golmote"},ftl:{title:"FreeMarker Template Language",require:"markup-templating",owner:"RunDevelopment"},gml:{title:"GameMaker Language",alias:"gamemakerlanguage",require:"clike",owner:"LiarOnce"},gap:{title:"GAP (CAS)",owner:"RunDevelopment"},gcode:{title:"G-code",owner:"RunDevelopment"},gdscript:{title:"GDScript",owner:"RunDevelopment"},gedcom:{title:"GEDCOM",owner:"Golmote"},gettext:{title:"gettext",alias:"po",owner:"RunDevelopment"},gherkin:{title:"Gherkin",owner:"hason"},git:{title:"Git",owner:"lgiraudel"},glsl:{title:"GLSL",require:"c",owner:"Golmote"},gn:{title:"GN",alias:"gni",owner:"RunDevelopment"},"linker-script":{title:"GNU Linker Script",alias:"ld",owner:"RunDevelopment"},go:{title:"Go",require:"clike",owner:"arnehormann"},"go-module":{title:"Go module",alias:"go-mod",owner:"RunDevelopment"},gradle:{title:"Gradle",require:"clike",owner:"zeabdelkhalek-badido18"},graphql:{title:"GraphQL",optional:"markdown",owner:"Golmote"},groovy:{title:"Groovy",require:"clike",owner:"robfletcher"},haml:{title:"Haml",require:"ruby",optional:["css","css-extras","coffeescript","erb","javascript","less","markdown","scss","textile"],owner:"Golmote"},handlebars:{title:"Handlebars",require:"markup-templating",alias:["hbs","mustache"],aliasTitles:{mustache:"Mustache"},owner:"Golmote"},haskell:{title:"Haskell",alias:"hs",owner:"bholst"},haxe:{title:"Haxe",require:"clike",optional:"regex",owner:"Golmote"},hcl:{title:"HCL",owner:"outsideris"},hlsl:{title:"HLSL",require:"c",owner:"RunDevelopment"},hoon:{title:"Hoon",owner:"matildepark"},http:{title:"HTTP",optional:["csp","css","hpkp","hsts","javascript","json","markup","uri"],owner:"danielgtaylor"},hpkp:{title:"HTTP Public-Key-Pins",owner:"ScottHelme"},hsts:{title:"HTTP Strict-Transport-Security",owner:"ScottHelme"},ichigojam:{title:"IchigoJam",owner:"BlueCocoa"},icon:{title:"Icon",owner:"Golmote"},"icu-message-format":{title:"ICU Message Format",owner:"RunDevelopment"},idris:{title:"Idris",alias:"idr",owner:"KeenS",require:"haskell"},ignore:{title:".ignore",owner:"osipxd",alias:["gitignore","hgignore","npmignore"],aliasTitles:{gitignore:".gitignore",hgignore:".hgignore",npmignore:".npmignore"}},inform7:{title:"Inform 7",owner:"Golmote"},ini:{title:"Ini",owner:"aviaryan"},io:{title:"Io",owner:"AlesTsurko"},j:{title:"J",owner:"Golmote"},java:{title:"Java",require:"clike",owner:"sherblot"},javadoc:{title:"JavaDoc",require:["markup","java","javadoclike"],modify:"java",optional:"scala",owner:"RunDevelopment"},javadoclike:{title:"JavaDoc-like",modify:["java","javascript","php"],owner:"RunDevelopment"},javastacktrace:{title:"Java stack trace",owner:"RunDevelopment"},jexl:{title:"Jexl",owner:"czosel"},jolie:{title:"Jolie",require:"clike",owner:"thesave"},jq:{title:"JQ",owner:"RunDevelopment"},jsdoc:{title:"JSDoc",require:["javascript","javadoclike","typescript"],modify:"javascript",optional:["actionscript","coffeescript"],owner:"RunDevelopment"},"js-extras":{title:"JS Extras",require:"javascript",modify:"javascript",optional:["actionscript","coffeescript","flow","n4js","typescript"],owner:"RunDevelopment"},json:{title:"JSON",alias:"webmanifest",aliasTitles:{webmanifest:"Web App Manifest"},owner:"CupOfTea696"},json5:{title:"JSON5",require:"json",owner:"RunDevelopment"},jsonp:{title:"JSONP",require:"json",owner:"RunDevelopment"},jsstacktrace:{title:"JS stack trace",owner:"sbrl"},"js-templates":{title:"JS Templates",require:"javascript",modify:"javascript",optional:["css","css-extras","graphql","markdown","markup","sql"],owner:"RunDevelopment"},julia:{title:"Julia",owner:"cdagnino"},keepalived:{title:"Keepalived Configure",owner:"dev-itsheng"},keyman:{title:"Keyman",owner:"mcdurdin"},kotlin:{title:"Kotlin",alias:["kt","kts"],aliasTitles:{kts:"Kotlin Script"},require:"clike",owner:"Golmote"},kumir:{title:"KuMir (\u041a\u0443\u041c\u0438\u0440)",alias:"kum",owner:"edukisto"},kusto:{title:"Kusto",owner:"RunDevelopment"},latex:{title:"LaTeX",alias:["tex","context"],aliasTitles:{tex:"TeX",context:"ConTeXt"},owner:"japborst"},latte:{title:"Latte",require:["clike","markup-templating","php"],owner:"nette"},less:{title:"Less",require:"css",optional:"css-extras",owner:"Golmote"},lilypond:{title:"LilyPond",require:"scheme",alias:"ly",owner:"RunDevelopment"},liquid:{title:"Liquid",require:"markup-templating",owner:"cinhtau"},lisp:{title:"Lisp",alias:["emacs","elisp","emacs-lisp"],owner:"JuanCaicedo"},livescript:{title:"LiveScript",owner:"Golmote"},llvm:{title:"LLVM IR",owner:"porglezomp"},log:{title:"Log file",optional:"javastacktrace",owner:"RunDevelopment"},lolcode:{title:"LOLCODE",owner:"Golmote"},lua:{title:"Lua",owner:"Golmote"},magma:{title:"Magma (CAS)",owner:"RunDevelopment"},makefile:{title:"Makefile",owner:"Golmote"},markdown:{title:"Markdown",require:"markup",optional:"yaml",alias:"md",owner:"Golmote"},"markup-templating":{title:"Markup templating",require:"markup",owner:"Golmote"},mata:{title:"Mata",owner:"RunDevelopment"},matlab:{title:"MATLAB",owner:"Golmote"},maxscript:{title:"MAXScript",owner:"RunDevelopment"},mel:{title:"MEL",owner:"Golmote"},mermaid:{title:"Mermaid",owner:"RunDevelopment"},metafont:{title:"METAFONT",owner:"LaeriExNihilo"},mizar:{title:"Mizar",owner:"Golmote"},mongodb:{title:"MongoDB",owner:"airs0urce",require:"javascript"},monkey:{title:"Monkey",owner:"Golmote"},moonscript:{title:"MoonScript",alias:"moon",owner:"RunDevelopment"},n1ql:{title:"N1QL",owner:"TMWilds"},n4js:{title:"N4JS",require:"javascript",optional:"jsdoc",alias:"n4jsd",owner:"bsmith-n4"},"nand2tetris-hdl":{title:"Nand To Tetris HDL",owner:"stephanmax"},naniscript:{title:"Naninovel Script",owner:"Elringus",alias:"nani"},nasm:{title:"NASM",owner:"rbmj"},neon:{title:"NEON",owner:"nette"},nevod:{title:"Nevod",owner:"nezaboodka"},nginx:{title:"nginx",owner:"volado"},nim:{title:"Nim",owner:"Golmote"},nix:{title:"Nix",owner:"Golmote"},nsis:{title:"NSIS",owner:"idleberg"},objectivec:{title:"Objective-C",require:"c",alias:"objc",owner:"uranusjr"},ocaml:{title:"OCaml",owner:"Golmote"},odin:{title:"Odin",owner:"edukisto"},opencl:{title:"OpenCL",require:"c",modify:["c","cpp"],owner:"Milania1"},openqasm:{title:"OpenQasm",alias:"qasm",owner:"RunDevelopment"},oz:{title:"Oz",owner:"Golmote"},parigp:{title:"PARI/GP",owner:"Golmote"},parser:{title:"Parser",require:"markup",owner:"Golmote"},pascal:{title:"Pascal",alias:"objectpascal",aliasTitles:{objectpascal:"Object Pascal"},owner:"Golmote"},pascaligo:{title:"Pascaligo",owner:"DefinitelyNotAGoat"},psl:{title:"PATROL Scripting Language",owner:"bertysentry"},pcaxis:{title:"PC-Axis",alias:"px",owner:"RunDevelopment"},peoplecode:{title:"PeopleCode",alias:"pcode",owner:"RunDevelopment"},perl:{title:"Perl",owner:"Golmote"},php:{title:"PHP",require:"markup-templating",owner:"milesj"},phpdoc:{title:"PHPDoc",require:["php","javadoclike"],modify:"php",owner:"RunDevelopment"},"php-extras":{title:"PHP Extras",require:"php",modify:"php",owner:"milesj"},"plant-uml":{title:"PlantUML",alias:"plantuml",owner:"RunDevelopment"},plsql:{title:"PL/SQL",require:"sql",owner:"Golmote"},powerquery:{title:"PowerQuery",alias:["pq","mscript"],owner:"peterbud"},powershell:{title:"PowerShell",owner:"nauzilus"},processing:{title:"Processing",require:"clike",owner:"Golmote"},prolog:{title:"Prolog",owner:"Golmote"},promql:{title:"PromQL",owner:"arendjr"},properties:{title:".properties",owner:"Golmote"},protobuf:{title:"Protocol Buffers",require:"clike",owner:"just-boris"},pug:{title:"Pug",require:["markup","javascript"],optional:["coffeescript","ejs","handlebars","less","livescript","markdown","scss","stylus","twig"],owner:"Golmote"},puppet:{title:"Puppet",owner:"Golmote"},pure:{title:"Pure",optional:["c","cpp","fortran"],owner:"Golmote"},purebasic:{title:"PureBasic",require:"clike",alias:"pbfasm",owner:"HeX0R101"},purescript:{title:"PureScript",require:"haskell",alias:"purs",owner:"sriharshachilakapati"},python:{title:"Python",alias:"py",owner:"multipetros"},qsharp:{title:"Q#",require:"clike",alias:"qs",owner:"fedonman"},q:{title:"Q (kdb+ database)",owner:"Golmote"},qml:{title:"QML",require:"javascript",owner:"RunDevelopment"},qore:{title:"Qore",require:"clike",owner:"temnroegg"},r:{title:"R",owner:"Golmote"},racket:{title:"Racket",require:"scheme",alias:"rkt",owner:"RunDevelopment"},cshtml:{title:"Razor C#",alias:"razor",require:["markup","csharp"],optional:["css","css-extras","javascript","js-extras"],owner:"RunDevelopment"},jsx:{title:"React JSX",require:["markup","javascript"],optional:["jsdoc","js-extras","js-templates"],owner:"vkbansal"},tsx:{title:"React TSX",require:["jsx","typescript"]},reason:{title:"Reason",require:"clike",owner:"Golmote"},regex:{title:"Regex",owner:"RunDevelopment"},rego:{title:"Rego",owner:"JordanSh"},renpy:{title:"Ren'py",alias:"rpy",owner:"HyuchiaDiego"},rescript:{title:"ReScript",alias:"res",owner:"vmarcosp"},rest:{title:"reST (reStructuredText)",owner:"Golmote"},rip:{title:"Rip",owner:"ravinggenius"},roboconf:{title:"Roboconf",owner:"Golmote"},robotframework:{title:"Robot Framework",alias:"robot",owner:"RunDevelopment"},ruby:{title:"Ruby",require:"clike",alias:"rb",owner:"samflores"},rust:{title:"Rust",owner:"Golmote"},sas:{title:"SAS",optional:["groovy","lua","sql"],owner:"Golmote"},sass:{title:"Sass (Sass)",require:"css",optional:"css-extras",owner:"Golmote"},scss:{title:"Sass (SCSS)",require:"css",optional:"css-extras",owner:"MoOx"},scala:{title:"Scala",require:"java",owner:"jozic"},scheme:{title:"Scheme",owner:"bacchus123"},"shell-session":{title:"Shell session",require:"bash",alias:["sh-session","shellsession"],owner:"RunDevelopment"},smali:{title:"Smali",owner:"RunDevelopment"},smalltalk:{title:"Smalltalk",owner:"Golmote"},smarty:{title:"Smarty",require:"markup-templating",optional:"php",owner:"Golmote"},sml:{title:"SML",alias:"smlnj",aliasTitles:{smlnj:"SML/NJ"},owner:"RunDevelopment"},solidity:{title:"Solidity (Ethereum)",alias:"sol",require:"clike",owner:"glachaud"},"solution-file":{title:"Solution file",alias:"sln",owner:"RunDevelopment"},soy:{title:"Soy (Closure Template)",require:"markup-templating",owner:"Golmote"},sparql:{title:"SPARQL",require:"turtle",owner:"Triply-Dev",alias:"rq"},"splunk-spl":{title:"Splunk SPL",owner:"RunDevelopment"},sqf:{title:"SQF: Status Quo Function (Arma 3)",require:"clike",owner:"RunDevelopment"},sql:{title:"SQL",owner:"multipetros"},squirrel:{title:"Squirrel",require:"clike",owner:"RunDevelopment"},stan:{title:"Stan",owner:"RunDevelopment"},stata:{title:"Stata Ado",require:["mata","java","python"],owner:"RunDevelopment"},iecst:{title:"Structured Text (IEC 61131-3)",owner:"serhioromano"},stylus:{title:"Stylus",owner:"vkbansal"},supercollider:{title:"SuperCollider",alias:"sclang",owner:"RunDevelopment"},swift:{title:"Swift",owner:"chrischares"},systemd:{title:"Systemd configuration file",owner:"RunDevelopment"},"t4-templating":{title:"T4 templating",owner:"RunDevelopment"},"t4-cs":{title:"T4 Text Templates (C#)",require:["t4-templating","csharp"],alias:"t4",owner:"RunDevelopment"},"t4-vb":{title:"T4 Text Templates (VB)",require:["t4-templating","vbnet"],owner:"RunDevelopment"},tap:{title:"TAP",owner:"isaacs",require:"yaml"},tcl:{title:"Tcl",owner:"PeterChaplin"},tt2:{title:"Template Toolkit 2",require:["clike","markup-templating"],owner:"gflohr"},textile:{title:"Textile",require:"markup",optional:"css",owner:"Golmote"},toml:{title:"TOML",owner:"RunDevelopment"},tremor:{title:"Tremor",alias:["trickle","troy"],owner:"darach",aliasTitles:{trickle:"trickle",troy:"troy"}},turtle:{title:"Turtle",alias:"trig",aliasTitles:{trig:"TriG"},owner:"jakubklimek"},twig:{title:"Twig",require:"markup-templating",owner:"brandonkelly"},typescript:{title:"TypeScript",require:"javascript",optional:"js-templates",alias:"ts",owner:"vkbansal"},typoscript:{title:"TypoScript",alias:"tsconfig",aliasTitles:{tsconfig:"TSConfig"},owner:"dkern"},unrealscript:{title:"UnrealScript",alias:["uscript","uc"],owner:"RunDevelopment"},uorazor:{title:"UO Razor Script",owner:"jaseowns"},uri:{title:"URI",alias:"url",aliasTitles:{url:"URL"},owner:"RunDevelopment"},v:{title:"V",require:"clike",owner:"taggon"},vala:{title:"Vala",require:"clike",optional:"regex",owner:"TemplarVolk"},vbnet:{title:"VB.Net",require:"basic",owner:"Bigsby"},velocity:{title:"Velocity",require:"markup",owner:"Golmote"},verilog:{title:"Verilog",owner:"a-rey"},vhdl:{title:"VHDL",owner:"a-rey"},vim:{title:"vim",owner:"westonganger"},"visual-basic":{title:"Visual Basic",alias:["vb","vba"],aliasTitles:{vba:"VBA"},owner:"Golmote"},warpscript:{title:"WarpScript",owner:"RunDevelopment"},wasm:{title:"WebAssembly",owner:"Golmote"},"web-idl":{title:"Web IDL",alias:"webidl",owner:"RunDevelopment"},wgsl:{title:"WGSL",owner:"Dr4gonthree"},wiki:{title:"Wiki markup",require:"markup",owner:"Golmote"},wolfram:{title:"Wolfram language",alias:["mathematica","nb","wl"],aliasTitles:{mathematica:"Mathematica",nb:"Mathematica Notebook"},owner:"msollami"},wren:{title:"Wren",owner:"clsource"},xeora:{title:"Xeora",require:"markup",alias:"xeoracube",aliasTitles:{xeoracube:"XeoraCube"},owner:"freakmaxi"},"xml-doc":{title:"XML doc (.net)",require:"markup",modify:["csharp","fsharp","vbnet"],owner:"RunDevelopment"},xojo:{title:"Xojo (REALbasic)",owner:"Golmote"},xquery:{title:"XQuery",require:"markup",owner:"Golmote"},yaml:{title:"YAML",alias:"yml",owner:"hason"},yang:{title:"YANG",owner:"RunDevelopment"},zig:{title:"Zig",owner:"RunDevelopment"}},plugins:{meta:{path:"plugins/{id}/prism-{id}",link:"plugins/{id}/"},"line-highlight":{title:"Line Highlight",description:"Highlights specific lines and/or line ranges."},"line-numbers":{title:"Line Numbers",description:"Line number at the beginning of code lines.",owner:"kuba-kubula"},"show-invisibles":{title:"Show Invisibles",description:"Show hidden characters such as tabs and line breaks.",optional:["autolinker","data-uri-highlight"]},autolinker:{title:"Autolinker",description:"Converts URLs and emails in code to clickable links. Parses Markdown links in comments."},wpd:{title:"WebPlatform Docs",description:'Makes tokens link to <a href="https://webplatform.github.io/docs/">WebPlatform.org documentation</a>. The links open in a new tab.'},"custom-class":{title:"Custom Class",description:"This plugin allows you to prefix Prism's default classes (<code>.comment</code> can become <code>.namespace--comment</code>) or replace them with your defined ones (like <code>.editor__comment</code>). You can even add new classes.",owner:"dvkndn",noCSS:!0},"file-highlight":{title:"File Highlight",description:"Fetch external files and highlight them with Prism. Used on the Prism website itself.",noCSS:!0},"show-language":{title:"Show Language",description:"Display the highlighted language in code blocks (inline code does not show the label).",owner:"nauzilus",noCSS:!0,require:"toolbar"},"jsonp-highlight":{title:"JSONP Highlight",description:"Fetch content with JSONP and highlight some interesting content (e.g. GitHub/Gists or Bitbucket API).",noCSS:!0,owner:"nauzilus"},"highlight-keywords":{title:"Highlight Keywords",description:"Adds special CSS classes for each keyword for fine-grained highlighting.",owner:"vkbansal",noCSS:!0},"remove-initial-line-feed":{title:"Remove initial line feed",description:"Removes the initial line feed in code blocks.",owner:"Golmote",noCSS:!0},"inline-color":{title:"Inline color",description:"Adds a small inline preview for colors in style sheets.",require:"css-extras",owner:"RunDevelopment"},previewers:{title:"Previewers",description:"Previewers for angles, colors, gradients, easing and time.",require:"css-extras",owner:"Golmote"},autoloader:{title:"Autoloader",description:"Automatically loads the needed languages to highlight the code blocks.",owner:"Golmote",noCSS:!0},"keep-markup":{title:"Keep Markup",description:"Prevents custom markup from being dropped out during highlighting.",owner:"Golmote",optional:"normalize-whitespace",noCSS:!0},"command-line":{title:"Command Line",description:"Display a command line with a prompt and, optionally, the output/response from the commands.",owner:"chriswells0"},"unescaped-markup":{title:"Unescaped Markup",description:"Write markup without having to escape anything."},"normalize-whitespace":{title:"Normalize Whitespace",description:"Supports multiple operations to normalize whitespace in code blocks.",owner:"zeitgeist87",optional:"unescaped-markup",noCSS:!0},"data-uri-highlight":{title:"Data-URI Highlight",description:"Highlights data-URI contents.",owner:"Golmote",noCSS:!0},toolbar:{title:"Toolbar",description:"Attach a toolbar for plugins to easily register buttons on the top of a code block.",owner:"mAAdhaTTah"},"copy-to-clipboard":{title:"Copy to Clipboard Button",description:"Add a button that copies the code block to the clipboard when clicked.",owner:"mAAdhaTTah",require:"toolbar",noCSS:!0},"download-button":{title:"Download Button",description:"A button in the toolbar of a code block adding a convenient way to download a code file.",owner:"Golmote",require:"toolbar",noCSS:!0},"match-braces":{title:"Match braces",description:"Highlights matching braces.",owner:"RunDevelopment"},"diff-highlight":{title:"Diff Highlight",description:"Highlights the code inside diff blocks.",owner:"RunDevelopment",require:"diff"},"filter-highlight-all":{title:"Filter highlightAll",description:"Filters the elements the <code>highlightAll</code> and <code>highlightAllUnder</code> methods actually highlight.",owner:"RunDevelopment",noCSS:!0},treeview:{title:"Treeview",description:"A language with special styles to highlight file system tree structures.",owner:"Golmote"}}})},2885:(e,t,n)=>{const r=n(9901),a=n(9642),o=new Set;function i(e){void 0===e?e=Object.keys(r.languages).filter((e=>"meta"!=e)):Array.isArray(e)||(e=[e]);const t=[...o,...Object.keys(Prism.languages)];a(r,e,t).load((e=>{if(!(e in r.languages))return void(i.silent||console.warn("Language does not exist: "+e));const t="./prism-"+e;delete n.c[n(6500).resolve(t)],delete Prism.languages[e],n(6500)(t),o.add(e)}))}i.silent=!1,e.exports=i},6854:()=>{!function(e){function t(e,t){return"___"+e.toUpperCase()+t+"___"}Object.defineProperties(e.languages["markup-templating"]={},{buildPlaceholders:{value:function(n,r,a,o){if(n.language===r){var i=n.tokenStack=[];n.code=n.code.replace(a,(function(e){if("function"==typeof o&&!o(e))return e;for(var a,s=i.length;-1!==n.code.indexOf(a=t(r,s));)++s;return i[s]=e,a})),n.grammar=e.languages.markup}}},tokenizePlaceholders:{value:function(n,r){if(n.language===r&&n.tokenStack){n.grammar=e.languages[r];var a=0,o=Object.keys(n.tokenStack);!function i(s){for(var l=0;l<s.length&&!(a>=o.length);l++){var c=s[l];if("string"==typeof c||c.content&&"string"==typeof c.content){var u=o[a],d=n.tokenStack[u],p="string"==typeof c?c:c.content,f=t(r,u),h=p.indexOf(f);if(h>-1){++a;var m=p.substring(0,h),g=new e.Token(r,e.tokenize(d,n.grammar),"language-"+r,d),y=p.substring(h+f.length),b=[];m&&b.push.apply(b,i([m])),b.push(g),y&&b.push.apply(b,i([y])),"string"==typeof c?s.splice.apply(s,[l,1].concat(b)):c.content=b}}else c.content&&i(c.content)}return s}(n.tokens)}}}})}(Prism)},6726:(e,t,n)=>{var r={"./":2885};function a(e){var t=o(e);return n(t)}function o(e){if(!n.o(r,e)){var t=new Error("Cannot find module '"+e+"'");throw t.code="MODULE_NOT_FOUND",t}return r[e]}a.keys=function(){return Object.keys(r)},a.resolve=o,e.exports=a,a.id=6726},6500:(e,t,n)=>{var r={"./":2885};function a(e){var t=o(e);return n(t)}function o(e){if(!n.o(r,e)){var t=new Error("Cannot find module '"+e+"'");throw t.code="MODULE_NOT_FOUND",t}return r[e]}a.keys=function(){return Object.keys(r)},a.resolve=o,e.exports=a,a.id=6500},9642:e=>{"use strict";var t=function(){var e=function(){};function t(e,t){Array.isArray(e)?e.forEach(t):null!=e&&t(e,0)}function n(e){for(var t={},n=0,r=e.length;n<r;n++)t[e[n]]=!0;return t}function r(e){var n={},r=[];function a(r,o){if(!(r in n)){o.push(r);var i=o.indexOf(r);if(i<o.length-1)throw new Error("Circular dependency: "+o.slice(i).join(" -> "));var s={},l=e[r];if(l){function c(t){if(!(t in e))throw new Error(r+" depends on an unknown component "+t);if(!(t in s))for(var i in a(t,o),s[t]=!0,n[t])s[i]=!0}t(l.require,c),t(l.optional,c),t(l.modify,c)}n[r]=s,o.pop()}}return function(e){var t=n[e];return t||(a(e,r),t=n[e]),t}}function a(e){for(var t in e)return!0;return!1}return function(o,i,s){var l=function(e){var t={};for(var n in e){var r=e[n];for(var a in r)if("meta"!=a){var o=r[a];t[a]="string"==typeof o?{title:o}:o}}return t}(o),c=function(e){var n;return function(r){if(r in e)return r;if(!n)for(var a in n={},e){var o=e[a];t(o&&o.alias,(function(t){if(t in n)throw new Error(t+" cannot be alias for both "+a+" and "+n[t]);if(t in e)throw new Error(t+" cannot be alias of "+a+" because it is a component.");n[t]=a}))}return n[r]||r}}(l);i=i.map(c),s=(s||[]).map(c);var u=n(i),d=n(s);i.forEach((function e(n){var r=l[n];t(r&&r.require,(function(t){t in d||(u[t]=!0,e(t))}))}));for(var p,f=r(l),h=u;a(h);){for(var m in p={},h){var g=l[m];t(g&&g.modify,(function(e){e in d&&(p[e]=!0)}))}for(var y in d)if(!(y in u))for(var b in f(y))if(b in u){p[y]=!0;break}for(var v in h=p)u[v]=!0}var k={getIds:function(){var e=[];return k.load((function(t){e.push(t)})),e},load:function(t,n){return function(t,n,r,a){var o=a?a.series:void 0,i=a?a.parallel:e,s={},l={};function c(e){if(e in s)return s[e];l[e]=!0;var a,u=[];for(var d in t(e))d in n&&u.push(d);if(0===u.length)a=r(e);else{var p=i(u.map((function(e){var t=c(e);return delete l[e],t})));o?a=o(p,(function(){return r(e)})):r(e)}return s[e]=a}for(var u in n)c(u);var d=[];for(var p in l)d.push(s[p]);return i(d)}(f,u,t,n)}};return k}}();e.exports=t},2703:(e,t,n)=>{"use strict";var r=n(414);function a(){}function o(){}o.resetWarningCache=a,e.exports=function(){function e(e,t,n,a,o,i){if(i!==r){var s=new Error("Calling PropTypes validators directly is not supported by the `prop-types` package. Use PropTypes.checkPropTypes() to call them. Read more at http://fb.me/use-check-prop-types");throw s.name="Invariant Violation",s}}function t(){return e}e.isRequired=e;var n={array:e,bigint:e,bool:e,func:e,number:e,object:e,string:e,symbol:e,any:e,arrayOf:t,element:e,elementType:e,instanceOf:t,node:e,objectOf:t,oneOf:t,oneOfType:t,shape:t,exact:t,checkPropTypes:o,resetWarningCache:a};return n.PropTypes=n,n}},5697:(e,t,n)=>{e.exports=n(2703)()},414:e=>{"use strict";e.exports="SECRET_DO_NOT_PASS_THIS_OR_YOU_WILL_BE_FIRED"},4448:(e,t,n)=>{"use strict";var r=n(7294),a=n(3840);function o(e){for(var t="https://reactjs.org/docs/error-decoder.html?invariant="+e,n=1;n<arguments.length;n++)t+="&args[]="+encodeURIComponent(arguments[n]);return"Minified React error #"+e+"; visit "+t+" for the full message or use the non-minified dev environment for full errors and additional helpful warnings."}var i=new Set,s={};function l(e,t){c(e,t),c(e+"Capture",t)}function c(e,t){for(s[e]=t,e=0;e<t.length;e++)i.add(t[e])}var u=!("undefined"==typeof window||void 0===window.document||void 0===window.document.createElement),d=Object.prototype.hasOwnProperty,p=/^[:A-Z_a-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD][:A-Z_a-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD\-.0-9\u00B7\u0300-\u036F\u203F-\u2040]*$/,f={},h={};function m(e,t,n,r,a,o,i){this.acceptsBooleans=2===t||3===t||4===t,this.attributeName=r,this.attributeNamespace=a,this.mustUseProperty=n,this.propertyName=e,this.type=t,this.sanitizeURL=o,this.removeEmptyString=i}var g={};"children dangerouslySetInnerHTML defaultValue defaultChecked innerHTML suppressContentEditableWarning suppressHydrationWarning style".split(" ").forEach((function(e){g[e]=new m(e,0,!1,e,null,!1,!1)})),[["acceptCharset","accept-charset"],["className","class"],["htmlFor","for"],["httpEquiv","http-equiv"]].forEach((function(e){var t=e[0];g[t]=new m(t,1,!1,e[1],null,!1,!1)})),["contentEditable","draggable","spellCheck","value"].forEach((function(e){g[e]=new m(e,2,!1,e.toLowerCase(),null,!1,!1)})),["autoReverse","externalResourcesRequired","focusable","preserveAlpha"].forEach((function(e){g[e]=new m(e,2,!1,e,null,!1,!1)})),"allowFullScreen async autoFocus autoPlay controls default defer disabled disablePictureInPicture disableRemotePlayback formNoValidate hidden loop noModule noValidate open playsInline readOnly required reversed scoped seamless itemScope".split(" ").forEach((function(e){g[e]=new m(e,3,!1,e.toLowerCase(),null,!1,!1)})),["checked","multiple","muted","selected"].forEach((function(e){g[e]=new m(e,3,!0,e,null,!1,!1)})),["capture","download"].forEach((function(e){g[e]=new m(e,4,!1,e,null,!1,!1)})),["cols","rows","size","span"].forEach((function(e){g[e]=new m(e,6,!1,e,null,!1,!1)})),["rowSpan","start"].forEach((function(e){g[e]=new m(e,5,!1,e.toLowerCase(),null,!1,!1)}));var y=/[\-:]([a-z])/g;function b(e){return e[1].toUpperCase()}function v(e,t,n,r){var a=g.hasOwnProperty(t)?g[t]:null;(null!==a?0!==a.type:r||!(2<t.length)||"o"!==t[0]&&"O"!==t[0]||"n"!==t[1]&&"N"!==t[1])&&(function(e,t,n,r){if(null==t||function(e,t,n,r){if(null!==n&&0===n.type)return!1;switch(typeof t){case"function":case"symbol":return!0;case"boolean":return!r&&(null!==n?!n.acceptsBooleans:"data-"!==(e=e.toLowerCase().slice(0,5))&&"aria-"!==e);default:return!1}}(e,t,n,r))return!0;if(r)return!1;if(null!==n)switch(n.type){case 3:return!t;case 4:return!1===t;case 5:return isNaN(t);case 6:return isNaN(t)||1>t}return!1}(t,n,a,r)&&(n=null),r||null===a?function(e){return!!d.call(h,e)||!d.call(f,e)&&(p.test(e)?h[e]=!0:(f[e]=!0,!1))}(t)&&(null===n?e.removeAttribute(t):e.setAttribute(t,""+n)):a.mustUseProperty?e[a.propertyName]=null===n?3!==a.type&&"":n:(t=a.attributeName,r=a.attributeNamespace,null===n?e.removeAttribute(t):(n=3===(a=a.type)||4===a&&!0===n?"":""+n,r?e.setAttributeNS(r,t,n):e.setAttribute(t,n))))}"accent-height alignment-baseline arabic-form baseline-shift cap-height clip-path clip-rule color-interpolation color-interpolation-filters color-profile color-rendering dominant-baseline enable-background fill-opacity fill-rule flood-color flood-opacity font-family font-size font-size-adjust font-stretch font-style font-variant font-weight glyph-name glyph-orientation-horizontal glyph-orientation-vertical horiz-adv-x horiz-origin-x image-rendering letter-spacing lighting-color marker-end marker-mid marker-start overline-position overline-thickness paint-order panose-1 pointer-events rendering-intent shape-rendering stop-color stop-opacity strikethrough-position strikethrough-thickness stroke-dasharray stroke-dashoffset stroke-linecap stroke-linejoin stroke-miterlimit stroke-opacity stroke-width text-anchor text-decoration text-rendering underline-position underline-thickness unicode-bidi unicode-range units-per-em v-alphabetic v-hanging v-ideographic v-mathematical vector-effect vert-adv-y vert-origin-x vert-origin-y word-spacing writing-mode xmlns:xlink x-height".split(" ").forEach((function(e){var t=e.replace(y,b);g[t]=new m(t,1,!1,e,null,!1,!1)})),"xlink:actuate xlink:arcrole xlink:role xlink:show xlink:title xlink:type".split(" ").forEach((function(e){var t=e.replace(y,b);g[t]=new m(t,1,!1,e,"http://www.w3.org/1999/xlink",!1,!1)})),["xml:base","xml:lang","xml:space"].forEach((function(e){var t=e.replace(y,b);g[t]=new m(t,1,!1,e,"http://www.w3.org/XML/1998/namespace",!1,!1)})),["tabIndex","crossOrigin"].forEach((function(e){g[e]=new m(e,1,!1,e.toLowerCase(),null,!1,!1)})),g.xlinkHref=new m("xlinkHref",1,!1,"xlink:href","http://www.w3.org/1999/xlink",!0,!1),["src","href","action","formAction"].forEach((function(e){g[e]=new m(e,1,!1,e.toLowerCase(),null,!0,!0)}));var k=r.__SECRET_INTERNALS_DO_NOT_USE_OR_YOU_WILL_BE_FIRED,w=Symbol.for("react.element"),x=Symbol.for("react.portal"),S=Symbol.for("react.fragment"),E=Symbol.for("react.strict_mode"),C=Symbol.for("react.profiler"),_=Symbol.for("react.provider"),T=Symbol.for("react.context"),L=Symbol.for("react.forward_ref"),R=Symbol.for("react.suspense"),j=Symbol.for("react.suspense_list"),P=Symbol.for("react.memo"),N=Symbol.for("react.lazy");Symbol.for("react.scope"),Symbol.for("react.debug_trace_mode");var A=Symbol.for("react.offscreen");Symbol.for("react.legacy_hidden"),Symbol.for("react.cache"),Symbol.for("react.tracing_marker");var O=Symbol.iterator;function I(e){return null===e||"object"!=typeof e?null:"function"==typeof(e=O&&e[O]||e["@@iterator"])?e:null}var D,F=Object.assign;function M(e){if(void 0===D)try{throw Error()}catch(n){var t=n.stack.trim().match(/\n( *(at )?)/);D=t&&t[1]||""}return"\n"+D+e}var B=!1;function z(e,t){if(!e||B)return"";B=!0;var n=Error.prepareStackTrace;Error.prepareStackTrace=void 0;try{if(t)if(t=function(){throw Error()},Object.defineProperty(t.prototype,"props",{set:function(){throw Error()}}),"object"==typeof Reflect&&Reflect.construct){try{Reflect.construct(t,[])}catch(c){var r=c}Reflect.construct(e,[],t)}else{try{t.call()}catch(c){r=c}e.call(t.prototype)}else{try{throw Error()}catch(c){r=c}e()}}catch(c){if(c&&r&&"string"==typeof c.stack){for(var a=c.stack.split("\n"),o=r.stack.split("\n"),i=a.length-1,s=o.length-1;1<=i&&0<=s&&a[i]!==o[s];)s--;for(;1<=i&&0<=s;i--,s--)if(a[i]!==o[s]){if(1!==i||1!==s)do{if(i--,0>--s||a[i]!==o[s]){var l="\n"+a[i].replace(" at new "," at ");return e.displayName&&l.includes("<anonymous>")&&(l=l.replace("<anonymous>",e.displayName)),l}}while(1<=i&&0<=s);break}}}finally{B=!1,Error.prepareStackTrace=n}return(e=e?e.displayName||e.name:"")?M(e):""}function $(e){switch(e.tag){case 5:return M(e.type);case 16:return M("Lazy");case 13:return M("Suspense");case 19:return M("SuspenseList");case 0:case 2:case 15:return e=z(e.type,!1);case 11:return e=z(e.type.render,!1);case 1:return e=z(e.type,!0);default:return""}}function U(e){if(null==e)return null;if("function"==typeof e)return e.displayName||e.name||null;if("string"==typeof e)return e;switch(e){case S:return"Fragment";case x:return"Portal";case C:return"Profiler";case E:return"StrictMode";case R:return"Suspense";case j:return"SuspenseList"}if("object"==typeof e)switch(e.$$typeof){case T:return(e.displayName||"Context")+".Consumer";case _:return(e._context.displayName||"Context")+".Provider";case L:var t=e.render;return(e=e.displayName)||(e=""!==(e=t.displayName||t.name||"")?"ForwardRef("+e+")":"ForwardRef"),e;case P:return null!==(t=e.displayName||null)?t:U(e.type)||"Memo";case N:t=e._payload,e=e._init;try{return U(e(t))}catch(n){}}return null}function q(e){var t=e.type;switch(e.tag){case 24:return"Cache";case 9:return(t.displayName||"Context")+".Consumer";case 10:return(t._context.displayName||"Context")+".Provider";case 18:return"DehydratedFragment";case 11:return e=(e=t.render).displayName||e.name||"",t.displayName||(""!==e?"ForwardRef("+e+")":"ForwardRef");case 7:return"Fragment";case 5:return t;case 4:return"Portal";case 3:return"Root";case 6:return"Text";case 16:return U(t);case 8:return t===E?"StrictMode":"Mode";case 22:return"Offscreen";case 12:return"Profiler";case 21:return"Scope";case 13:return"Suspense";case 19:return"SuspenseList";case 25:return"TracingMarker";case 1:case 0:case 17:case 2:case 14:case 15:if("function"==typeof t)return t.displayName||t.name||null;if("string"==typeof t)return t}return null}function H(e){switch(typeof e){case"boolean":case"number":case"string":case"undefined":case"object":return e;default:return""}}function Q(e){var t=e.type;return(e=e.nodeName)&&"input"===e.toLowerCase()&&("checkbox"===t||"radio"===t)}function Z(e){e._valueTracker||(e._valueTracker=function(e){var t=Q(e)?"checked":"value",n=Object.getOwnPropertyDescriptor(e.constructor.prototype,t),r=""+e[t];if(!e.hasOwnProperty(t)&&void 0!==n&&"function"==typeof n.get&&"function"==typeof n.set){var a=n.get,o=n.set;return Object.defineProperty(e,t,{configurable:!0,get:function(){return a.call(this)},set:function(e){r=""+e,o.call(this,e)}}),Object.defineProperty(e,t,{enumerable:n.enumerable}),{getValue:function(){return r},setValue:function(e){r=""+e},stopTracking:function(){e._valueTracker=null,delete e[t]}}}}(e))}function V(e){if(!e)return!1;var t=e._valueTracker;if(!t)return!0;var n=t.getValue(),r="";return e&&(r=Q(e)?e.checked?"true":"false":e.value),(e=r)!==n&&(t.setValue(e),!0)}function W(e){if(void 0===(e=e||("undefined"!=typeof document?document:void 0)))return null;try{return e.activeElement||e.body}catch(t){return e.body}}function G(e,t){var n=t.checked;return F({},t,{defaultChecked:void 0,defaultValue:void 0,value:void 0,checked:null!=n?n:e._wrapperState.initialChecked})}function X(e,t){var n=null==t.defaultValue?"":t.defaultValue,r=null!=t.checked?t.checked:t.defaultChecked;n=H(null!=t.value?t.value:n),e._wrapperState={initialChecked:r,initialValue:n,controlled:"checkbox"===t.type||"radio"===t.type?null!=t.checked:null!=t.value}}function K(e,t){null!=(t=t.checked)&&v(e,"checked",t,!1)}function Y(e,t){K(e,t);var n=H(t.value),r=t.type;if(null!=n)"number"===r?(0===n&&""===e.value||e.value!=n)&&(e.value=""+n):e.value!==""+n&&(e.value=""+n);else if("submit"===r||"reset"===r)return void e.removeAttribute("value");t.hasOwnProperty("value")?ee(e,t.type,n):t.hasOwnProperty("defaultValue")&&ee(e,t.type,H(t.defaultValue)),null==t.checked&&null!=t.defaultChecked&&(e.defaultChecked=!!t.defaultChecked)}function J(e,t,n){if(t.hasOwnProperty("value")||t.hasOwnProperty("defaultValue")){var r=t.type;if(!("submit"!==r&&"reset"!==r||void 0!==t.value&&null!==t.value))return;t=""+e._wrapperState.initialValue,n||t===e.value||(e.value=t),e.defaultValue=t}""!==(n=e.name)&&(e.name=""),e.defaultChecked=!!e._wrapperState.initialChecked,""!==n&&(e.name=n)}function ee(e,t,n){"number"===t&&W(e.ownerDocument)===e||(null==n?e.defaultValue=""+e._wrapperState.initialValue:e.defaultValue!==""+n&&(e.defaultValue=""+n))}var te=Array.isArray;function ne(e,t,n,r){if(e=e.options,t){t={};for(var a=0;a<n.length;a++)t["$"+n[a]]=!0;for(n=0;n<e.length;n++)a=t.hasOwnProperty("$"+e[n].value),e[n].selected!==a&&(e[n].selected=a),a&&r&&(e[n].defaultSelected=!0)}else{for(n=""+H(n),t=null,a=0;a<e.length;a++){if(e[a].value===n)return e[a].selected=!0,void(r&&(e[a].defaultSelected=!0));null!==t||e[a].disabled||(t=e[a])}null!==t&&(t.selected=!0)}}function re(e,t){if(null!=t.dangerouslySetInnerHTML)throw Error(o(91));return F({},t,{value:void 0,defaultValue:void 0,children:""+e._wrapperState.initialValue})}function ae(e,t){var n=t.value;if(null==n){if(n=t.children,t=t.defaultValue,null!=n){if(null!=t)throw Error(o(92));if(te(n)){if(1<n.length)throw Error(o(93));n=n[0]}t=n}null==t&&(t=""),n=t}e._wrapperState={initialValue:H(n)}}function oe(e,t){var n=H(t.value),r=H(t.defaultValue);null!=n&&((n=""+n)!==e.value&&(e.value=n),null==t.defaultValue&&e.defaultValue!==n&&(e.defaultValue=n)),null!=r&&(e.defaultValue=""+r)}function ie(e){var t=e.textContent;t===e._wrapperState.initialValue&&""!==t&&null!==t&&(e.value=t)}function se(e){switch(e){case"svg":return"http://www.w3.org/2000/svg";case"math":return"http://www.w3.org/1998/Math/MathML";default:return"http://www.w3.org/1999/xhtml"}}function le(e,t){return null==e||"http://www.w3.org/1999/xhtml"===e?se(t):"http://www.w3.org/2000/svg"===e&&"foreignObject"===t?"http://www.w3.org/1999/xhtml":e}var ce,ue,de=(ue=function(e,t){if("http://www.w3.org/2000/svg"!==e.namespaceURI||"innerHTML"in e)e.innerHTML=t;else{for((ce=ce||document.createElement("div")).innerHTML="<svg>"+t.valueOf().toString()+"</svg>",t=ce.firstChild;e.firstChild;)e.removeChild(e.firstChild);for(;t.firstChild;)e.appendChild(t.firstChild)}},"undefined"!=typeof MSApp&&MSApp.execUnsafeLocalFunction?function(e,t,n,r){MSApp.execUnsafeLocalFunction((function(){return ue(e,t)}))}:ue);function pe(e,t){if(t){var n=e.firstChild;if(n&&n===e.lastChild&&3===n.nodeType)return void(n.nodeValue=t)}e.textContent=t}var fe={animationIterationCount:!0,aspectRatio:!0,borderImageOutset:!0,borderImageSlice:!0,borderImageWidth:!0,boxFlex:!0,boxFlexGroup:!0,boxOrdinalGroup:!0,columnCount:!0,columns:!0,flex:!0,flexGrow:!0,flexPositive:!0,flexShrink:!0,flexNegative:!0,flexOrder:!0,gridArea:!0,gridRow:!0,gridRowEnd:!0,gridRowSpan:!0,gridRowStart:!0,gridColumn:!0,gridColumnEnd:!0,gridColumnSpan:!0,gridColumnStart:!0,fontWeight:!0,lineClamp:!0,lineHeight:!0,opacity:!0,order:!0,orphans:!0,tabSize:!0,widows:!0,zIndex:!0,zoom:!0,fillOpacity:!0,floodOpacity:!0,stopOpacity:!0,strokeDasharray:!0,strokeDashoffset:!0,strokeMiterlimit:!0,strokeOpacity:!0,strokeWidth:!0},he=["Webkit","ms","Moz","O"];function me(e,t,n){return null==t||"boolean"==typeof t||""===t?"":n||"number"!=typeof t||0===t||fe.hasOwnProperty(e)&&fe[e]?(""+t).trim():t+"px"}function ge(e,t){for(var n in e=e.style,t)if(t.hasOwnProperty(n)){var r=0===n.indexOf("--"),a=me(n,t[n],r);"float"===n&&(n="cssFloat"),r?e.setProperty(n,a):e[n]=a}}Object.keys(fe).forEach((function(e){he.forEach((function(t){t=t+e.charAt(0).toUpperCase()+e.substring(1),fe[t]=fe[e]}))}));var ye=F({menuitem:!0},{area:!0,base:!0,br:!0,col:!0,embed:!0,hr:!0,img:!0,input:!0,keygen:!0,link:!0,meta:!0,param:!0,source:!0,track:!0,wbr:!0});function be(e,t){if(t){if(ye[e]&&(null!=t.children||null!=t.dangerouslySetInnerHTML))throw Error(o(137,e));if(null!=t.dangerouslySetInnerHTML){if(null!=t.children)throw Error(o(60));if("object"!=typeof t.dangerouslySetInnerHTML||!("__html"in t.dangerouslySetInnerHTML))throw Error(o(61))}if(null!=t.style&&"object"!=typeof t.style)throw Error(o(62))}}function ve(e,t){if(-1===e.indexOf("-"))return"string"==typeof t.is;switch(e){case"annotation-xml":case"color-profile":case"font-face":case"font-face-src":case"font-face-uri":case"font-face-format":case"font-face-name":case"missing-glyph":return!1;default:return!0}}var ke=null;function we(e){return(e=e.target||e.srcElement||window).correspondingUseElement&&(e=e.correspondingUseElement),3===e.nodeType?e.parentNode:e}var xe=null,Se=null,Ee=null;function Ce(e){if(e=va(e)){if("function"!=typeof xe)throw Error(o(280));var t=e.stateNode;t&&(t=wa(t),xe(e.stateNode,e.type,t))}}function _e(e){Se?Ee?Ee.push(e):Ee=[e]:Se=e}function Te(){if(Se){var e=Se,t=Ee;if(Ee=Se=null,Ce(e),t)for(e=0;e<t.length;e++)Ce(t[e])}}function Le(e,t){return e(t)}function Re(){}var je=!1;function Pe(e,t,n){if(je)return e(t,n);je=!0;try{return Le(e,t,n)}finally{je=!1,(null!==Se||null!==Ee)&&(Re(),Te())}}function Ne(e,t){var n=e.stateNode;if(null===n)return null;var r=wa(n);if(null===r)return null;n=r[t];e:switch(t){case"onClick":case"onClickCapture":case"onDoubleClick":case"onDoubleClickCapture":case"onMouseDown":case"onMouseDownCapture":case"onMouseMove":case"onMouseMoveCapture":case"onMouseUp":case"onMouseUpCapture":case"onMouseEnter":(r=!r.disabled)||(r=!("button"===(e=e.type)||"input"===e||"select"===e||"textarea"===e)),e=!r;break e;default:e=!1}if(e)return null;if(n&&"function"!=typeof n)throw Error(o(231,t,typeof n));return n}var Ae=!1;if(u)try{var Oe={};Object.defineProperty(Oe,"passive",{get:function(){Ae=!0}}),window.addEventListener("test",Oe,Oe),window.removeEventListener("test",Oe,Oe)}catch(ue){Ae=!1}function Ie(e,t,n,r,a,o,i,s,l){var c=Array.prototype.slice.call(arguments,3);try{t.apply(n,c)}catch(u){this.onError(u)}}var De=!1,Fe=null,Me=!1,Be=null,ze={onError:function(e){De=!0,Fe=e}};function $e(e,t,n,r,a,o,i,s,l){De=!1,Fe=null,Ie.apply(ze,arguments)}function Ue(e){var t=e,n=e;if(e.alternate)for(;t.return;)t=t.return;else{e=t;do{0!=(4098&(t=e).flags)&&(n=t.return),e=t.return}while(e)}return 3===t.tag?n:null}function qe(e){if(13===e.tag){var t=e.memoizedState;if(null===t&&(null!==(e=e.alternate)&&(t=e.memoizedState)),null!==t)return t.dehydrated}return null}function He(e){if(Ue(e)!==e)throw Error(o(188))}function Qe(e){return null!==(e=function(e){var t=e.alternate;if(!t){if(null===(t=Ue(e)))throw Error(o(188));return t!==e?null:e}for(var n=e,r=t;;){var a=n.return;if(null===a)break;var i=a.alternate;if(null===i){if(null!==(r=a.return)){n=r;continue}break}if(a.child===i.child){for(i=a.child;i;){if(i===n)return He(a),e;if(i===r)return He(a),t;i=i.sibling}throw Error(o(188))}if(n.return!==r.return)n=a,r=i;else{for(var s=!1,l=a.child;l;){if(l===n){s=!0,n=a,r=i;break}if(l===r){s=!0,r=a,n=i;break}l=l.sibling}if(!s){for(l=i.child;l;){if(l===n){s=!0,n=i,r=a;break}if(l===r){s=!0,r=i,n=a;break}l=l.sibling}if(!s)throw Error(o(189))}}if(n.alternate!==r)throw Error(o(190))}if(3!==n.tag)throw Error(o(188));return n.stateNode.current===n?e:t}(e))?Ze(e):null}function Ze(e){if(5===e.tag||6===e.tag)return e;for(e=e.child;null!==e;){var t=Ze(e);if(null!==t)return t;e=e.sibling}return null}var Ve=a.unstable_scheduleCallback,We=a.unstable_cancelCallback,Ge=a.unstable_shouldYield,Xe=a.unstable_requestPaint,Ke=a.unstable_now,Ye=a.unstable_getCurrentPriorityLevel,Je=a.unstable_ImmediatePriority,et=a.unstable_UserBlockingPriority,tt=a.unstable_NormalPriority,nt=a.unstable_LowPriority,rt=a.unstable_IdlePriority,at=null,ot=null;var it=Math.clz32?Math.clz32:function(e){return e>>>=0,0===e?32:31-(st(e)/lt|0)|0},st=Math.log,lt=Math.LN2;var ct=64,ut=4194304;function dt(e){switch(e&-e){case 1:return 1;case 2:return 2;case 4:return 4;case 8:return 8;case 16:return 16;case 32:return 32;case 64:case 128:case 256:case 512:case 1024:case 2048:case 4096:case 8192:case 16384:case 32768:case 65536:case 131072:case 262144:case 524288:case 1048576:case 2097152:return 4194240&e;case 4194304:case 8388608:case 16777216:case 33554432:case 67108864:return 130023424&e;case 134217728:return 134217728;case 268435456:return 268435456;case 536870912:return 536870912;case 1073741824:return 1073741824;default:return e}}function pt(e,t){var n=e.pendingLanes;if(0===n)return 0;var r=0,a=e.suspendedLanes,o=e.pingedLanes,i=268435455&n;if(0!==i){var s=i&~a;0!==s?r=dt(s):0!==(o&=i)&&(r=dt(o))}else 0!==(i=n&~a)?r=dt(i):0!==o&&(r=dt(o));if(0===r)return 0;if(0!==t&&t!==r&&0==(t&a)&&((a=r&-r)>=(o=t&-t)||16===a&&0!=(4194240&o)))return t;if(0!=(4&r)&&(r|=16&n),0!==(t=e.entangledLanes))for(e=e.entanglements,t&=r;0<t;)a=1<<(n=31-it(t)),r|=e[n],t&=~a;return r}function ft(e,t){switch(e){case 1:case 2:case 4:return t+250;case 8:case 16:case 32:case 64:case 128:case 256:case 512:case 1024:case 2048:case 4096:case 8192:case 16384:case 32768:case 65536:case 131072:case 262144:case 524288:case 1048576:case 2097152:return t+5e3;default:return-1}}function ht(e){return 0!==(e=-1073741825&e.pendingLanes)?e:1073741824&e?1073741824:0}function mt(){var e=ct;return 0==(4194240&(ct<<=1))&&(ct=64),e}function gt(e){for(var t=[],n=0;31>n;n++)t.push(e);return t}function yt(e,t,n){e.pendingLanes|=t,536870912!==t&&(e.suspendedLanes=0,e.pingedLanes=0),(e=e.eventTimes)[t=31-it(t)]=n}function bt(e,t){var n=e.entangledLanes|=t;for(e=e.entanglements;n;){var r=31-it(n),a=1<<r;a&t|e[r]&t&&(e[r]|=t),n&=~a}}var vt=0;function kt(e){return 1<(e&=-e)?4<e?0!=(268435455&e)?16:536870912:4:1}var wt,xt,St,Et,Ct,_t=!1,Tt=[],Lt=null,Rt=null,jt=null,Pt=new Map,Nt=new Map,At=[],Ot="mousedown mouseup touchcancel touchend touchstart auxclick dblclick pointercancel pointerdown pointerup dragend dragstart drop compositionend compositionstart keydown keypress keyup input textInput copy cut paste click change contextmenu reset submit".split(" ");function It(e,t){switch(e){case"focusin":case"focusout":Lt=null;break;case"dragenter":case"dragleave":Rt=null;break;case"mouseover":case"mouseout":jt=null;break;case"pointerover":case"pointerout":Pt.delete(t.pointerId);break;case"gotpointercapture":case"lostpointercapture":Nt.delete(t.pointerId)}}function Dt(e,t,n,r,a,o){return null===e||e.nativeEvent!==o?(e={blockedOn:t,domEventName:n,eventSystemFlags:r,nativeEvent:o,targetContainers:[a]},null!==t&&(null!==(t=va(t))&&xt(t)),e):(e.eventSystemFlags|=r,t=e.targetContainers,null!==a&&-1===t.indexOf(a)&&t.push(a),e)}function Ft(e){var t=ba(e.target);if(null!==t){var n=Ue(t);if(null!==n)if(13===(t=n.tag)){if(null!==(t=qe(n)))return e.blockedOn=t,void Ct(e.priority,(function(){St(n)}))}else if(3===t&&n.stateNode.current.memoizedState.isDehydrated)return void(e.blockedOn=3===n.tag?n.stateNode.containerInfo:null)}e.blockedOn=null}function Mt(e){if(null!==e.blockedOn)return!1;for(var t=e.targetContainers;0<t.length;){var n=Gt(e.domEventName,e.eventSystemFlags,t[0],e.nativeEvent);if(null!==n)return null!==(t=va(n))&&xt(t),e.blockedOn=n,!1;var r=new(n=e.nativeEvent).constructor(n.type,n);ke=r,n.target.dispatchEvent(r),ke=null,t.shift()}return!0}function Bt(e,t,n){Mt(e)&&n.delete(t)}function zt(){_t=!1,null!==Lt&&Mt(Lt)&&(Lt=null),null!==Rt&&Mt(Rt)&&(Rt=null),null!==jt&&Mt(jt)&&(jt=null),Pt.forEach(Bt),Nt.forEach(Bt)}function $t(e,t){e.blockedOn===t&&(e.blockedOn=null,_t||(_t=!0,a.unstable_scheduleCallback(a.unstable_NormalPriority,zt)))}function Ut(e){function t(t){return $t(t,e)}if(0<Tt.length){$t(Tt[0],e);for(var n=1;n<Tt.length;n++){var r=Tt[n];r.blockedOn===e&&(r.blockedOn=null)}}for(null!==Lt&&$t(Lt,e),null!==Rt&&$t(Rt,e),null!==jt&&$t(jt,e),Pt.forEach(t),Nt.forEach(t),n=0;n<At.length;n++)(r=At[n]).blockedOn===e&&(r.blockedOn=null);for(;0<At.length&&null===(n=At[0]).blockedOn;)Ft(n),null===n.blockedOn&&At.shift()}var qt=k.ReactCurrentBatchConfig,Ht=!0;function Qt(e,t,n,r){var a=vt,o=qt.transition;qt.transition=null;try{vt=1,Vt(e,t,n,r)}finally{vt=a,qt.transition=o}}function Zt(e,t,n,r){var a=vt,o=qt.transition;qt.transition=null;try{vt=4,Vt(e,t,n,r)}finally{vt=a,qt.transition=o}}function Vt(e,t,n,r){if(Ht){var a=Gt(e,t,n,r);if(null===a)Hr(e,t,r,Wt,n),It(e,r);else if(function(e,t,n,r,a){switch(t){case"focusin":return Lt=Dt(Lt,e,t,n,r,a),!0;case"dragenter":return Rt=Dt(Rt,e,t,n,r,a),!0;case"mouseover":return jt=Dt(jt,e,t,n,r,a),!0;case"pointerover":var o=a.pointerId;return Pt.set(o,Dt(Pt.get(o)||null,e,t,n,r,a)),!0;case"gotpointercapture":return o=a.pointerId,Nt.set(o,Dt(Nt.get(o)||null,e,t,n,r,a)),!0}return!1}(a,e,t,n,r))r.stopPropagation();else if(It(e,r),4&t&&-1<Ot.indexOf(e)){for(;null!==a;){var o=va(a);if(null!==o&&wt(o),null===(o=Gt(e,t,n,r))&&Hr(e,t,r,Wt,n),o===a)break;a=o}null!==a&&r.stopPropagation()}else Hr(e,t,r,null,n)}}var Wt=null;function Gt(e,t,n,r){if(Wt=null,null!==(e=ba(e=we(r))))if(null===(t=Ue(e)))e=null;else if(13===(n=t.tag)){if(null!==(e=qe(t)))return e;e=null}else if(3===n){if(t.stateNode.current.memoizedState.isDehydrated)return 3===t.tag?t.stateNode.containerInfo:null;e=null}else t!==e&&(e=null);return Wt=e,null}function Xt(e){switch(e){case"cancel":case"click":case"close":case"contextmenu":case"copy":case"cut":case"auxclick":case"dblclick":case"dragend":case"dragstart":case"drop":case"focusin":case"focusout":case"input":case"invalid":case"keydown":case"keypress":case"keyup":case"mousedown":case"mouseup":case"paste":case"pause":case"play":case"pointercancel":case"pointerdown":case"pointerup":case"ratechange":case"reset":case"resize":case"seeked":case"submit":case"touchcancel":case"touchend":case"touchstart":case"volumechange":case"change":case"selectionchange":case"textInput":case"compositionstart":case"compositionend":case"compositionupdate":case"beforeblur":case"afterblur":case"beforeinput":case"blur":case"fullscreenchange":case"focus":case"hashchange":case"popstate":case"select":case"selectstart":return 1;case"drag":case"dragenter":case"dragexit":case"dragleave":case"dragover":case"mousemove":case"mouseout":case"mouseover":case"pointermove":case"pointerout":case"pointerover":case"scroll":case"toggle":case"touchmove":case"wheel":case"mouseenter":case"mouseleave":case"pointerenter":case"pointerleave":return 4;case"message":switch(Ye()){case Je:return 1;case et:return 4;case tt:case nt:return 16;case rt:return 536870912;default:return 16}default:return 16}}var Kt=null,Yt=null,Jt=null;function en(){if(Jt)return Jt;var e,t,n=Yt,r=n.length,a="value"in Kt?Kt.value:Kt.textContent,o=a.length;for(e=0;e<r&&n[e]===a[e];e++);var i=r-e;for(t=1;t<=i&&n[r-t]===a[o-t];t++);return Jt=a.slice(e,1<t?1-t:void 0)}function tn(e){var t=e.keyCode;return"charCode"in e?0===(e=e.charCode)&&13===t&&(e=13):e=t,10===e&&(e=13),32<=e||13===e?e:0}function nn(){return!0}function rn(){return!1}function an(e){function t(t,n,r,a,o){for(var i in this._reactName=t,this._targetInst=r,this.type=n,this.nativeEvent=a,this.target=o,this.currentTarget=null,e)e.hasOwnProperty(i)&&(t=e[i],this[i]=t?t(a):a[i]);return this.isDefaultPrevented=(null!=a.defaultPrevented?a.defaultPrevented:!1===a.returnValue)?nn:rn,this.isPropagationStopped=rn,this}return F(t.prototype,{preventDefault:function(){this.defaultPrevented=!0;var e=this.nativeEvent;e&&(e.preventDefault?e.preventDefault():"unknown"!=typeof e.returnValue&&(e.returnValue=!1),this.isDefaultPrevented=nn)},stopPropagation:function(){var e=this.nativeEvent;e&&(e.stopPropagation?e.stopPropagation():"unknown"!=typeof e.cancelBubble&&(e.cancelBubble=!0),this.isPropagationStopped=nn)},persist:function(){},isPersistent:nn}),t}var on,sn,ln,cn={eventPhase:0,bubbles:0,cancelable:0,timeStamp:function(e){return e.timeStamp||Date.now()},defaultPrevented:0,isTrusted:0},un=an(cn),dn=F({},cn,{view:0,detail:0}),pn=an(dn),fn=F({},dn,{screenX:0,screenY:0,clientX:0,clientY:0,pageX:0,pageY:0,ctrlKey:0,shiftKey:0,altKey:0,metaKey:0,getModifierState:Cn,button:0,buttons:0,relatedTarget:function(e){return void 0===e.relatedTarget?e.fromElement===e.srcElement?e.toElement:e.fromElement:e.relatedTarget},movementX:function(e){return"movementX"in e?e.movementX:(e!==ln&&(ln&&"mousemove"===e.type?(on=e.screenX-ln.screenX,sn=e.screenY-ln.screenY):sn=on=0,ln=e),on)},movementY:function(e){return"movementY"in e?e.movementY:sn}}),hn=an(fn),mn=an(F({},fn,{dataTransfer:0})),gn=an(F({},dn,{relatedTarget:0})),yn=an(F({},cn,{animationName:0,elapsedTime:0,pseudoElement:0})),bn=F({},cn,{clipboardData:function(e){return"clipboardData"in e?e.clipboardData:window.clipboardData}}),vn=an(bn),kn=an(F({},cn,{data:0})),wn={Esc:"Escape",Spacebar:" ",Left:"ArrowLeft",Up:"ArrowUp",Right:"ArrowRight",Down:"ArrowDown",Del:"Delete",Win:"OS",Menu:"ContextMenu",Apps:"ContextMenu",Scroll:"ScrollLock",MozPrintableKey:"Unidentified"},xn={8:"Backspace",9:"Tab",12:"Clear",13:"Enter",16:"Shift",17:"Control",18:"Alt",19:"Pause",20:"CapsLock",27:"Escape",32:" ",33:"PageUp",34:"PageDown",35:"End",36:"Home",37:"ArrowLeft",38:"ArrowUp",39:"ArrowRight",40:"ArrowDown",45:"Insert",46:"Delete",112:"F1",113:"F2",114:"F3",115:"F4",116:"F5",117:"F6",118:"F7",119:"F8",120:"F9",121:"F10",122:"F11",123:"F12",144:"NumLock",145:"ScrollLock",224:"Meta"},Sn={Alt:"altKey",Control:"ctrlKey",Meta:"metaKey",Shift:"shiftKey"};function En(e){var t=this.nativeEvent;return t.getModifierState?t.getModifierState(e):!!(e=Sn[e])&&!!t[e]}function Cn(){return En}var _n=F({},dn,{key:function(e){if(e.key){var t=wn[e.key]||e.key;if("Unidentified"!==t)return t}return"keypress"===e.type?13===(e=tn(e))?"Enter":String.fromCharCode(e):"keydown"===e.type||"keyup"===e.type?xn[e.keyCode]||"Unidentified":""},code:0,location:0,ctrlKey:0,shiftKey:0,altKey:0,metaKey:0,repeat:0,locale:0,getModifierState:Cn,charCode:function(e){return"keypress"===e.type?tn(e):0},keyCode:function(e){return"keydown"===e.type||"keyup"===e.type?e.keyCode:0},which:function(e){return"keypress"===e.type?tn(e):"keydown"===e.type||"keyup"===e.type?e.keyCode:0}}),Tn=an(_n),Ln=an(F({},fn,{pointerId:0,width:0,height:0,pressure:0,tangentialPressure:0,tiltX:0,tiltY:0,twist:0,pointerType:0,isPrimary:0})),Rn=an(F({},dn,{touches:0,targetTouches:0,changedTouches:0,altKey:0,metaKey:0,ctrlKey:0,shiftKey:0,getModifierState:Cn})),jn=an(F({},cn,{propertyName:0,elapsedTime:0,pseudoElement:0})),Pn=F({},fn,{deltaX:function(e){return"deltaX"in e?e.deltaX:"wheelDeltaX"in e?-e.wheelDeltaX:0},deltaY:function(e){return"deltaY"in e?e.deltaY:"wheelDeltaY"in e?-e.wheelDeltaY:"wheelDelta"in e?-e.wheelDelta:0},deltaZ:0,deltaMode:0}),Nn=an(Pn),An=[9,13,27,32],On=u&&"CompositionEvent"in window,In=null;u&&"documentMode"in document&&(In=document.documentMode);var Dn=u&&"TextEvent"in window&&!In,Fn=u&&(!On||In&&8<In&&11>=In),Mn=String.fromCharCode(32),Bn=!1;function zn(e,t){switch(e){case"keyup":return-1!==An.indexOf(t.keyCode);case"keydown":return 229!==t.keyCode;case"keypress":case"mousedown":case"focusout":return!0;default:return!1}}function $n(e){return"object"==typeof(e=e.detail)&&"data"in e?e.data:null}var Un=!1;var qn={color:!0,date:!0,datetime:!0,"datetime-local":!0,email:!0,month:!0,number:!0,password:!0,range:!0,search:!0,tel:!0,text:!0,time:!0,url:!0,week:!0};function Hn(e){var t=e&&e.nodeName&&e.nodeName.toLowerCase();return"input"===t?!!qn[e.type]:"textarea"===t}function Qn(e,t,n,r){_e(r),0<(t=Zr(t,"onChange")).length&&(n=new un("onChange","change",null,n,r),e.push({event:n,listeners:t}))}var Zn=null,Vn=null;function Wn(e){Mr(e,0)}function Gn(e){if(V(ka(e)))return e}function Xn(e,t){if("change"===e)return t}var Kn=!1;if(u){var Yn;if(u){var Jn="oninput"in document;if(!Jn){var er=document.createElement("div");er.setAttribute("oninput","return;"),Jn="function"==typeof er.oninput}Yn=Jn}else Yn=!1;Kn=Yn&&(!document.documentMode||9<document.documentMode)}function tr(){Zn&&(Zn.detachEvent("onpropertychange",nr),Vn=Zn=null)}function nr(e){if("value"===e.propertyName&&Gn(Vn)){var t=[];Qn(t,Vn,e,we(e)),Pe(Wn,t)}}function rr(e,t,n){"focusin"===e?(tr(),Vn=n,(Zn=t).attachEvent("onpropertychange",nr)):"focusout"===e&&tr()}function ar(e){if("selectionchange"===e||"keyup"===e||"keydown"===e)return Gn(Vn)}function or(e,t){if("click"===e)return Gn(t)}function ir(e,t){if("input"===e||"change"===e)return Gn(t)}var sr="function"==typeof Object.is?Object.is:function(e,t){return e===t&&(0!==e||1/e==1/t)||e!=e&&t!=t};function lr(e,t){if(sr(e,t))return!0;if("object"!=typeof e||null===e||"object"!=typeof t||null===t)return!1;var n=Object.keys(e),r=Object.keys(t);if(n.length!==r.length)return!1;for(r=0;r<n.length;r++){var a=n[r];if(!d.call(t,a)||!sr(e[a],t[a]))return!1}return!0}function cr(e){for(;e&&e.firstChild;)e=e.firstChild;return e}function ur(e,t){var n,r=cr(e);for(e=0;r;){if(3===r.nodeType){if(n=e+r.textContent.length,e<=t&&n>=t)return{node:r,offset:t-e};e=n}e:{for(;r;){if(r.nextSibling){r=r.nextSibling;break e}r=r.parentNode}r=void 0}r=cr(r)}}function dr(e,t){return!(!e||!t)&&(e===t||(!e||3!==e.nodeType)&&(t&&3===t.nodeType?dr(e,t.parentNode):"contains"in e?e.contains(t):!!e.compareDocumentPosition&&!!(16&e.compareDocumentPosition(t))))}function pr(){for(var e=window,t=W();t instanceof e.HTMLIFrameElement;){try{var n="string"==typeof t.contentWindow.location.href}catch(r){n=!1}if(!n)break;t=W((e=t.contentWindow).document)}return t}function fr(e){var t=e&&e.nodeName&&e.nodeName.toLowerCase();return t&&("input"===t&&("text"===e.type||"search"===e.type||"tel"===e.type||"url"===e.type||"password"===e.type)||"textarea"===t||"true"===e.contentEditable)}function hr(e){var t=pr(),n=e.focusedElem,r=e.selectionRange;if(t!==n&&n&&n.ownerDocument&&dr(n.ownerDocument.documentElement,n)){if(null!==r&&fr(n))if(t=r.start,void 0===(e=r.end)&&(e=t),"selectionStart"in n)n.selectionStart=t,n.selectionEnd=Math.min(e,n.value.length);else if((e=(t=n.ownerDocument||document)&&t.defaultView||window).getSelection){e=e.getSelection();var a=n.textContent.length,o=Math.min(r.start,a);r=void 0===r.end?o:Math.min(r.end,a),!e.extend&&o>r&&(a=r,r=o,o=a),a=ur(n,o);var i=ur(n,r);a&&i&&(1!==e.rangeCount||e.anchorNode!==a.node||e.anchorOffset!==a.offset||e.focusNode!==i.node||e.focusOffset!==i.offset)&&((t=t.createRange()).setStart(a.node,a.offset),e.removeAllRanges(),o>r?(e.addRange(t),e.extend(i.node,i.offset)):(t.setEnd(i.node,i.offset),e.addRange(t)))}for(t=[],e=n;e=e.parentNode;)1===e.nodeType&&t.push({element:e,left:e.scrollLeft,top:e.scrollTop});for("function"==typeof n.focus&&n.focus(),n=0;n<t.length;n++)(e=t[n]).element.scrollLeft=e.left,e.element.scrollTop=e.top}}var mr=u&&"documentMode"in document&&11>=document.documentMode,gr=null,yr=null,br=null,vr=!1;function kr(e,t,n){var r=n.window===n?n.document:9===n.nodeType?n:n.ownerDocument;vr||null==gr||gr!==W(r)||("selectionStart"in(r=gr)&&fr(r)?r={start:r.selectionStart,end:r.selectionEnd}:r={anchorNode:(r=(r.ownerDocument&&r.ownerDocument.defaultView||window).getSelection()).anchorNode,anchorOffset:r.anchorOffset,focusNode:r.focusNode,focusOffset:r.focusOffset},br&&lr(br,r)||(br=r,0<(r=Zr(yr,"onSelect")).length&&(t=new un("onSelect","select",null,t,n),e.push({event:t,listeners:r}),t.target=gr)))}function wr(e,t){var n={};return n[e.toLowerCase()]=t.toLowerCase(),n["Webkit"+e]="webkit"+t,n["Moz"+e]="moz"+t,n}var xr={animationend:wr("Animation","AnimationEnd"),animationiteration:wr("Animation","AnimationIteration"),animationstart:wr("Animation","AnimationStart"),transitionend:wr("Transition","TransitionEnd")},Sr={},Er={};function Cr(e){if(Sr[e])return Sr[e];if(!xr[e])return e;var t,n=xr[e];for(t in n)if(n.hasOwnProperty(t)&&t in Er)return Sr[e]=n[t];return e}u&&(Er=document.createElement("div").style,"AnimationEvent"in window||(delete xr.animationend.animation,delete xr.animationiteration.animation,delete xr.animationstart.animation),"TransitionEvent"in window||delete xr.transitionend.transition);var _r=Cr("animationend"),Tr=Cr("animationiteration"),Lr=Cr("animationstart"),Rr=Cr("transitionend"),jr=new Map,Pr="abort auxClick cancel canPlay canPlayThrough click close contextMenu copy cut drag dragEnd dragEnter dragExit dragLeave dragOver dragStart drop durationChange emptied encrypted ended error gotPointerCapture input invalid keyDown keyPress keyUp load loadedData loadedMetadata loadStart lostPointerCapture mouseDown mouseMove mouseOut mouseOver mouseUp paste pause play playing pointerCancel pointerDown pointerMove pointerOut pointerOver pointerUp progress rateChange reset resize seeked seeking stalled submit suspend timeUpdate touchCancel touchEnd touchStart volumeChange scroll toggle touchMove waiting wheel".split(" ");function Nr(e,t){jr.set(e,t),l(t,[e])}for(var Ar=0;Ar<Pr.length;Ar++){var Or=Pr[Ar];Nr(Or.toLowerCase(),"on"+(Or[0].toUpperCase()+Or.slice(1)))}Nr(_r,"onAnimationEnd"),Nr(Tr,"onAnimationIteration"),Nr(Lr,"onAnimationStart"),Nr("dblclick","onDoubleClick"),Nr("focusin","onFocus"),Nr("focusout","onBlur"),Nr(Rr,"onTransitionEnd"),c("onMouseEnter",["mouseout","mouseover"]),c("onMouseLeave",["mouseout","mouseover"]),c("onPointerEnter",["pointerout","pointerover"]),c("onPointerLeave",["pointerout","pointerover"]),l("onChange","change click focusin focusout input keydown keyup selectionchange".split(" ")),l("onSelect","focusout contextmenu dragend focusin keydown keyup mousedown mouseup selectionchange".split(" ")),l("onBeforeInput",["compositionend","keypress","textInput","paste"]),l("onCompositionEnd","compositionend focusout keydown keypress keyup mousedown".split(" ")),l("onCompositionStart","compositionstart focusout keydown keypress keyup mousedown".split(" ")),l("onCompositionUpdate","compositionupdate focusout keydown keypress keyup mousedown".split(" "));var Ir="abort canplay canplaythrough durationchange emptied encrypted ended error loadeddata loadedmetadata loadstart pause play playing progress ratechange resize seeked seeking stalled suspend timeupdate volumechange waiting".split(" "),Dr=new Set("cancel close invalid load scroll toggle".split(" ").concat(Ir));function Fr(e,t,n){var r=e.type||"unknown-event";e.currentTarget=n,function(e,t,n,r,a,i,s,l,c){if($e.apply(this,arguments),De){if(!De)throw Error(o(198));var u=Fe;De=!1,Fe=null,Me||(Me=!0,Be=u)}}(r,t,void 0,e),e.currentTarget=null}function Mr(e,t){t=0!=(4&t);for(var n=0;n<e.length;n++){var r=e[n],a=r.event;r=r.listeners;e:{var o=void 0;if(t)for(var i=r.length-1;0<=i;i--){var s=r[i],l=s.instance,c=s.currentTarget;if(s=s.listener,l!==o&&a.isPropagationStopped())break e;Fr(a,s,c),o=l}else for(i=0;i<r.length;i++){if(l=(s=r[i]).instance,c=s.currentTarget,s=s.listener,l!==o&&a.isPropagationStopped())break e;Fr(a,s,c),o=l}}}if(Me)throw e=Be,Me=!1,Be=null,e}function Br(e,t){var n=t[ma];void 0===n&&(n=t[ma]=new Set);var r=e+"__bubble";n.has(r)||(qr(t,e,2,!1),n.add(r))}function zr(e,t,n){var r=0;t&&(r|=4),qr(n,e,r,t)}var $r="_reactListening"+Math.random().toString(36).slice(2);function Ur(e){if(!e[$r]){e[$r]=!0,i.forEach((function(t){"selectionchange"!==t&&(Dr.has(t)||zr(t,!1,e),zr(t,!0,e))}));var t=9===e.nodeType?e:e.ownerDocument;null===t||t[$r]||(t[$r]=!0,zr("selectionchange",!1,t))}}function qr(e,t,n,r){switch(Xt(t)){case 1:var a=Qt;break;case 4:a=Zt;break;default:a=Vt}n=a.bind(null,t,n,e),a=void 0,!Ae||"touchstart"!==t&&"touchmove"!==t&&"wheel"!==t||(a=!0),r?void 0!==a?e.addEventListener(t,n,{capture:!0,passive:a}):e.addEventListener(t,n,!0):void 0!==a?e.addEventListener(t,n,{passive:a}):e.addEventListener(t,n,!1)}function Hr(e,t,n,r,a){var o=r;if(0==(1&t)&&0==(2&t)&&null!==r)e:for(;;){if(null===r)return;var i=r.tag;if(3===i||4===i){var s=r.stateNode.containerInfo;if(s===a||8===s.nodeType&&s.parentNode===a)break;if(4===i)for(i=r.return;null!==i;){var l=i.tag;if((3===l||4===l)&&((l=i.stateNode.containerInfo)===a||8===l.nodeType&&l.parentNode===a))return;i=i.return}for(;null!==s;){if(null===(i=ba(s)))return;if(5===(l=i.tag)||6===l){r=o=i;continue e}s=s.parentNode}}r=r.return}Pe((function(){var r=o,a=we(n),i=[];e:{var s=jr.get(e);if(void 0!==s){var l=un,c=e;switch(e){case"keypress":if(0===tn(n))break e;case"keydown":case"keyup":l=Tn;break;case"focusin":c="focus",l=gn;break;case"focusout":c="blur",l=gn;break;case"beforeblur":case"afterblur":l=gn;break;case"click":if(2===n.button)break e;case"auxclick":case"dblclick":case"mousedown":case"mousemove":case"mouseup":case"mouseout":case"mouseover":case"contextmenu":l=hn;break;case"drag":case"dragend":case"dragenter":case"dragexit":case"dragleave":case"dragover":case"dragstart":case"drop":l=mn;break;case"touchcancel":case"touchend":case"touchmove":case"touchstart":l=Rn;break;case _r:case Tr:case Lr:l=yn;break;case Rr:l=jn;break;case"scroll":l=pn;break;case"wheel":l=Nn;break;case"copy":case"cut":case"paste":l=vn;break;case"gotpointercapture":case"lostpointercapture":case"pointercancel":case"pointerdown":case"pointermove":case"pointerout":case"pointerover":case"pointerup":l=Ln}var u=0!=(4&t),d=!u&&"scroll"===e,p=u?null!==s?s+"Capture":null:s;u=[];for(var f,h=r;null!==h;){var m=(f=h).stateNode;if(5===f.tag&&null!==m&&(f=m,null!==p&&(null!=(m=Ne(h,p))&&u.push(Qr(h,m,f)))),d)break;h=h.return}0<u.length&&(s=new l(s,c,null,n,a),i.push({event:s,listeners:u}))}}if(0==(7&t)){if(l="mouseout"===e||"pointerout"===e,(!(s="mouseover"===e||"pointerover"===e)||n===ke||!(c=n.relatedTarget||n.fromElement)||!ba(c)&&!c[ha])&&(l||s)&&(s=a.window===a?a:(s=a.ownerDocument)?s.defaultView||s.parentWindow:window,l?(l=r,null!==(c=(c=n.relatedTarget||n.toElement)?ba(c):null)&&(c!==(d=Ue(c))||5!==c.tag&&6!==c.tag)&&(c=null)):(l=null,c=r),l!==c)){if(u=hn,m="onMouseLeave",p="onMouseEnter",h="mouse","pointerout"!==e&&"pointerover"!==e||(u=Ln,m="onPointerLeave",p="onPointerEnter",h="pointer"),d=null==l?s:ka(l),f=null==c?s:ka(c),(s=new u(m,h+"leave",l,n,a)).target=d,s.relatedTarget=f,m=null,ba(a)===r&&((u=new u(p,h+"enter",c,n,a)).target=f,u.relatedTarget=d,m=u),d=m,l&&c)e:{for(p=c,h=0,f=u=l;f;f=Vr(f))h++;for(f=0,m=p;m;m=Vr(m))f++;for(;0<h-f;)u=Vr(u),h--;for(;0<f-h;)p=Vr(p),f--;for(;h--;){if(u===p||null!==p&&u===p.alternate)break e;u=Vr(u),p=Vr(p)}u=null}else u=null;null!==l&&Wr(i,s,l,u,!1),null!==c&&null!==d&&Wr(i,d,c,u,!0)}if("select"===(l=(s=r?ka(r):window).nodeName&&s.nodeName.toLowerCase())||"input"===l&&"file"===s.type)var g=Xn;else if(Hn(s))if(Kn)g=ir;else{g=ar;var y=rr}else(l=s.nodeName)&&"input"===l.toLowerCase()&&("checkbox"===s.type||"radio"===s.type)&&(g=or);switch(g&&(g=g(e,r))?Qn(i,g,n,a):(y&&y(e,s,r),"focusout"===e&&(y=s._wrapperState)&&y.controlled&&"number"===s.type&&ee(s,"number",s.value)),y=r?ka(r):window,e){case"focusin":(Hn(y)||"true"===y.contentEditable)&&(gr=y,yr=r,br=null);break;case"focusout":br=yr=gr=null;break;case"mousedown":vr=!0;break;case"contextmenu":case"mouseup":case"dragend":vr=!1,kr(i,n,a);break;case"selectionchange":if(mr)break;case"keydown":case"keyup":kr(i,n,a)}var b;if(On)e:{switch(e){case"compositionstart":var v="onCompositionStart";break e;case"compositionend":v="onCompositionEnd";break e;case"compositionupdate":v="onCompositionUpdate";break e}v=void 0}else Un?zn(e,n)&&(v="onCompositionEnd"):"keydown"===e&&229===n.keyCode&&(v="onCompositionStart");v&&(Fn&&"ko"!==n.locale&&(Un||"onCompositionStart"!==v?"onCompositionEnd"===v&&Un&&(b=en()):(Yt="value"in(Kt=a)?Kt.value:Kt.textContent,Un=!0)),0<(y=Zr(r,v)).length&&(v=new kn(v,e,null,n,a),i.push({event:v,listeners:y}),b?v.data=b:null!==(b=$n(n))&&(v.data=b))),(b=Dn?function(e,t){switch(e){case"compositionend":return $n(t);case"keypress":return 32!==t.which?null:(Bn=!0,Mn);case"textInput":return(e=t.data)===Mn&&Bn?null:e;default:return null}}(e,n):function(e,t){if(Un)return"compositionend"===e||!On&&zn(e,t)?(e=en(),Jt=Yt=Kt=null,Un=!1,e):null;switch(e){case"paste":default:return null;case"keypress":if(!(t.ctrlKey||t.altKey||t.metaKey)||t.ctrlKey&&t.altKey){if(t.char&&1<t.char.length)return t.char;if(t.which)return String.fromCharCode(t.which)}return null;case"compositionend":return Fn&&"ko"!==t.locale?null:t.data}}(e,n))&&(0<(r=Zr(r,"onBeforeInput")).length&&(a=new kn("onBeforeInput","beforeinput",null,n,a),i.push({event:a,listeners:r}),a.data=b))}Mr(i,t)}))}function Qr(e,t,n){return{instance:e,listener:t,currentTarget:n}}function Zr(e,t){for(var n=t+"Capture",r=[];null!==e;){var a=e,o=a.stateNode;5===a.tag&&null!==o&&(a=o,null!=(o=Ne(e,n))&&r.unshift(Qr(e,o,a)),null!=(o=Ne(e,t))&&r.push(Qr(e,o,a))),e=e.return}return r}function Vr(e){if(null===e)return null;do{e=e.return}while(e&&5!==e.tag);return e||null}function Wr(e,t,n,r,a){for(var o=t._reactName,i=[];null!==n&&n!==r;){var s=n,l=s.alternate,c=s.stateNode;if(null!==l&&l===r)break;5===s.tag&&null!==c&&(s=c,a?null!=(l=Ne(n,o))&&i.unshift(Qr(n,l,s)):a||null!=(l=Ne(n,o))&&i.push(Qr(n,l,s))),n=n.return}0!==i.length&&e.push({event:t,listeners:i})}var Gr=/\r\n?/g,Xr=/\u0000|\uFFFD/g;function Kr(e){return("string"==typeof e?e:""+e).replace(Gr,"\n").replace(Xr,"")}function Yr(e,t,n){if(t=Kr(t),Kr(e)!==t&&n)throw Error(o(425))}function Jr(){}var ea=null,ta=null;function na(e,t){return"textarea"===e||"noscript"===e||"string"==typeof t.children||"number"==typeof t.children||"object"==typeof t.dangerouslySetInnerHTML&&null!==t.dangerouslySetInnerHTML&&null!=t.dangerouslySetInnerHTML.__html}var ra="function"==typeof setTimeout?setTimeout:void 0,aa="function"==typeof clearTimeout?clearTimeout:void 0,oa="function"==typeof Promise?Promise:void 0,ia="function"==typeof queueMicrotask?queueMicrotask:void 0!==oa?function(e){return oa.resolve(null).then(e).catch(sa)}:ra;function sa(e){setTimeout((function(){throw e}))}function la(e,t){var n=t,r=0;do{var a=n.nextSibling;if(e.removeChild(n),a&&8===a.nodeType)if("/$"===(n=a.data)){if(0===r)return e.removeChild(a),void Ut(t);r--}else"$"!==n&&"$?"!==n&&"$!"!==n||r++;n=a}while(n);Ut(t)}function ca(e){for(;null!=e;e=e.nextSibling){var t=e.nodeType;if(1===t||3===t)break;if(8===t){if("$"===(t=e.data)||"$!"===t||"$?"===t)break;if("/$"===t)return null}}return e}function ua(e){e=e.previousSibling;for(var t=0;e;){if(8===e.nodeType){var n=e.data;if("$"===n||"$!"===n||"$?"===n){if(0===t)return e;t--}else"/$"===n&&t++}e=e.previousSibling}return null}var da=Math.random().toString(36).slice(2),pa="__reactFiber$"+da,fa="__reactProps$"+da,ha="__reactContainer$"+da,ma="__reactEvents$"+da,ga="__reactListeners$"+da,ya="__reactHandles$"+da;function ba(e){var t=e[pa];if(t)return t;for(var n=e.parentNode;n;){if(t=n[ha]||n[pa]){if(n=t.alternate,null!==t.child||null!==n&&null!==n.child)for(e=ua(e);null!==e;){if(n=e[pa])return n;e=ua(e)}return t}n=(e=n).parentNode}return null}function va(e){return!(e=e[pa]||e[ha])||5!==e.tag&&6!==e.tag&&13!==e.tag&&3!==e.tag?null:e}function ka(e){if(5===e.tag||6===e.tag)return e.stateNode;throw Error(o(33))}function wa(e){return e[fa]||null}var xa=[],Sa=-1;function Ea(e){return{current:e}}function Ca(e){0>Sa||(e.current=xa[Sa],xa[Sa]=null,Sa--)}function _a(e,t){Sa++,xa[Sa]=e.current,e.current=t}var Ta={},La=Ea(Ta),Ra=Ea(!1),ja=Ta;function Pa(e,t){var n=e.type.contextTypes;if(!n)return Ta;var r=e.stateNode;if(r&&r.__reactInternalMemoizedUnmaskedChildContext===t)return r.__reactInternalMemoizedMaskedChildContext;var a,o={};for(a in n)o[a]=t[a];return r&&((e=e.stateNode).__reactInternalMemoizedUnmaskedChildContext=t,e.__reactInternalMemoizedMaskedChildContext=o),o}function Na(e){return null!=(e=e.childContextTypes)}function Aa(){Ca(Ra),Ca(La)}function Oa(e,t,n){if(La.current!==Ta)throw Error(o(168));_a(La,t),_a(Ra,n)}function Ia(e,t,n){var r=e.stateNode;if(t=t.childContextTypes,"function"!=typeof r.getChildContext)return n;for(var a in r=r.getChildContext())if(!(a in t))throw Error(o(108,q(e)||"Unknown",a));return F({},n,r)}function Da(e){return e=(e=e.stateNode)&&e.__reactInternalMemoizedMergedChildContext||Ta,ja=La.current,_a(La,e),_a(Ra,Ra.current),!0}function Fa(e,t,n){var r=e.stateNode;if(!r)throw Error(o(169));n?(e=Ia(e,t,ja),r.__reactInternalMemoizedMergedChildContext=e,Ca(Ra),Ca(La),_a(La,e)):Ca(Ra),_a(Ra,n)}var Ma=null,Ba=!1,za=!1;function $a(e){null===Ma?Ma=[e]:Ma.push(e)}function Ua(){if(!za&&null!==Ma){za=!0;var e=0,t=vt;try{var n=Ma;for(vt=1;e<n.length;e++){var r=n[e];do{r=r(!0)}while(null!==r)}Ma=null,Ba=!1}catch(a){throw null!==Ma&&(Ma=Ma.slice(e+1)),Ve(Je,Ua),a}finally{vt=t,za=!1}}return null}var qa=[],Ha=0,Qa=null,Za=0,Va=[],Wa=0,Ga=null,Xa=1,Ka="";function Ya(e,t){qa[Ha++]=Za,qa[Ha++]=Qa,Qa=e,Za=t}function Ja(e,t,n){Va[Wa++]=Xa,Va[Wa++]=Ka,Va[Wa++]=Ga,Ga=e;var r=Xa;e=Ka;var a=32-it(r)-1;r&=~(1<<a),n+=1;var o=32-it(t)+a;if(30<o){var i=a-a%5;o=(r&(1<<i)-1).toString(32),r>>=i,a-=i,Xa=1<<32-it(t)+a|n<<a|r,Ka=o+e}else Xa=1<<o|n<<a|r,Ka=e}function eo(e){null!==e.return&&(Ya(e,1),Ja(e,1,0))}function to(e){for(;e===Qa;)Qa=qa[--Ha],qa[Ha]=null,Za=qa[--Ha],qa[Ha]=null;for(;e===Ga;)Ga=Va[--Wa],Va[Wa]=null,Ka=Va[--Wa],Va[Wa]=null,Xa=Va[--Wa],Va[Wa]=null}var no=null,ro=null,ao=!1,oo=null;function io(e,t){var n=Pc(5,null,null,0);n.elementType="DELETED",n.stateNode=t,n.return=e,null===(t=e.deletions)?(e.deletions=[n],e.flags|=16):t.push(n)}function so(e,t){switch(e.tag){case 5:var n=e.type;return null!==(t=1!==t.nodeType||n.toLowerCase()!==t.nodeName.toLowerCase()?null:t)&&(e.stateNode=t,no=e,ro=ca(t.firstChild),!0);case 6:return null!==(t=""===e.pendingProps||3!==t.nodeType?null:t)&&(e.stateNode=t,no=e,ro=null,!0);case 13:return null!==(t=8!==t.nodeType?null:t)&&(n=null!==Ga?{id:Xa,overflow:Ka}:null,e.memoizedState={dehydrated:t,treeContext:n,retryLane:1073741824},(n=Pc(18,null,null,0)).stateNode=t,n.return=e,e.child=n,no=e,ro=null,!0);default:return!1}}function lo(e){return 0!=(1&e.mode)&&0==(128&e.flags)}function co(e){if(ao){var t=ro;if(t){var n=t;if(!so(e,t)){if(lo(e))throw Error(o(418));t=ca(n.nextSibling);var r=no;t&&so(e,t)?io(r,n):(e.flags=-4097&e.flags|2,ao=!1,no=e)}}else{if(lo(e))throw Error(o(418));e.flags=-4097&e.flags|2,ao=!1,no=e}}}function uo(e){for(e=e.return;null!==e&&5!==e.tag&&3!==e.tag&&13!==e.tag;)e=e.return;no=e}function po(e){if(e!==no)return!1;if(!ao)return uo(e),ao=!0,!1;var t;if((t=3!==e.tag)&&!(t=5!==e.tag)&&(t="head"!==(t=e.type)&&"body"!==t&&!na(e.type,e.memoizedProps)),t&&(t=ro)){if(lo(e))throw fo(),Error(o(418));for(;t;)io(e,t),t=ca(t.nextSibling)}if(uo(e),13===e.tag){if(!(e=null!==(e=e.memoizedState)?e.dehydrated:null))throw Error(o(317));e:{for(e=e.nextSibling,t=0;e;){if(8===e.nodeType){var n=e.data;if("/$"===n){if(0===t){ro=ca(e.nextSibling);break e}t--}else"$"!==n&&"$!"!==n&&"$?"!==n||t++}e=e.nextSibling}ro=null}}else ro=no?ca(e.stateNode.nextSibling):null;return!0}function fo(){for(var e=ro;e;)e=ca(e.nextSibling)}function ho(){ro=no=null,ao=!1}function mo(e){null===oo?oo=[e]:oo.push(e)}var go=k.ReactCurrentBatchConfig;function yo(e,t,n){if(null!==(e=n.ref)&&"function"!=typeof e&&"object"!=typeof e){if(n._owner){if(n=n._owner){if(1!==n.tag)throw Error(o(309));var r=n.stateNode}if(!r)throw Error(o(147,e));var a=r,i=""+e;return null!==t&&null!==t.ref&&"function"==typeof t.ref&&t.ref._stringRef===i?t.ref:(t=function(e){var t=a.refs;null===e?delete t[i]:t[i]=e},t._stringRef=i,t)}if("string"!=typeof e)throw Error(o(284));if(!n._owner)throw Error(o(290,e))}return e}function bo(e,t){throw e=Object.prototype.toString.call(t),Error(o(31,"[object Object]"===e?"object with keys {"+Object.keys(t).join(", ")+"}":e))}function vo(e){return(0,e._init)(e._payload)}function ko(e){function t(t,n){if(e){var r=t.deletions;null===r?(t.deletions=[n],t.flags|=16):r.push(n)}}function n(n,r){if(!e)return null;for(;null!==r;)t(n,r),r=r.sibling;return null}function r(e,t){for(e=new Map;null!==t;)null!==t.key?e.set(t.key,t):e.set(t.index,t),t=t.sibling;return e}function a(e,t){return(e=Ac(e,t)).index=0,e.sibling=null,e}function i(t,n,r){return t.index=r,e?null!==(r=t.alternate)?(r=r.index)<n?(t.flags|=2,n):r:(t.flags|=2,n):(t.flags|=1048576,n)}function s(t){return e&&null===t.alternate&&(t.flags|=2),t}function l(e,t,n,r){return null===t||6!==t.tag?((t=Fc(n,e.mode,r)).return=e,t):((t=a(t,n)).return=e,t)}function c(e,t,n,r){var o=n.type;return o===S?d(e,t,n.props.children,r,n.key):null!==t&&(t.elementType===o||"object"==typeof o&&null!==o&&o.$$typeof===N&&vo(o)===t.type)?((r=a(t,n.props)).ref=yo(e,t,n),r.return=e,r):((r=Oc(n.type,n.key,n.props,null,e.mode,r)).ref=yo(e,t,n),r.return=e,r)}function u(e,t,n,r){return null===t||4!==t.tag||t.stateNode.containerInfo!==n.containerInfo||t.stateNode.implementation!==n.implementation?((t=Mc(n,e.mode,r)).return=e,t):((t=a(t,n.children||[])).return=e,t)}function d(e,t,n,r,o){return null===t||7!==t.tag?((t=Ic(n,e.mode,r,o)).return=e,t):((t=a(t,n)).return=e,t)}function p(e,t,n){if("string"==typeof t&&""!==t||"number"==typeof t)return(t=Fc(""+t,e.mode,n)).return=e,t;if("object"==typeof t&&null!==t){switch(t.$$typeof){case w:return(n=Oc(t.type,t.key,t.props,null,e.mode,n)).ref=yo(e,null,t),n.return=e,n;case x:return(t=Mc(t,e.mode,n)).return=e,t;case N:return p(e,(0,t._init)(t._payload),n)}if(te(t)||I(t))return(t=Ic(t,e.mode,n,null)).return=e,t;bo(e,t)}return null}function f(e,t,n,r){var a=null!==t?t.key:null;if("string"==typeof n&&""!==n||"number"==typeof n)return null!==a?null:l(e,t,""+n,r);if("object"==typeof n&&null!==n){switch(n.$$typeof){case w:return n.key===a?c(e,t,n,r):null;case x:return n.key===a?u(e,t,n,r):null;case N:return f(e,t,(a=n._init)(n._payload),r)}if(te(n)||I(n))return null!==a?null:d(e,t,n,r,null);bo(e,n)}return null}function h(e,t,n,r,a){if("string"==typeof r&&""!==r||"number"==typeof r)return l(t,e=e.get(n)||null,""+r,a);if("object"==typeof r&&null!==r){switch(r.$$typeof){case w:return c(t,e=e.get(null===r.key?n:r.key)||null,r,a);case x:return u(t,e=e.get(null===r.key?n:r.key)||null,r,a);case N:return h(e,t,n,(0,r._init)(r._payload),a)}if(te(r)||I(r))return d(t,e=e.get(n)||null,r,a,null);bo(t,r)}return null}function m(a,o,s,l){for(var c=null,u=null,d=o,m=o=0,g=null;null!==d&&m<s.length;m++){d.index>m?(g=d,d=null):g=d.sibling;var y=f(a,d,s[m],l);if(null===y){null===d&&(d=g);break}e&&d&&null===y.alternate&&t(a,d),o=i(y,o,m),null===u?c=y:u.sibling=y,u=y,d=g}if(m===s.length)return n(a,d),ao&&Ya(a,m),c;if(null===d){for(;m<s.length;m++)null!==(d=p(a,s[m],l))&&(o=i(d,o,m),null===u?c=d:u.sibling=d,u=d);return ao&&Ya(a,m),c}for(d=r(a,d);m<s.length;m++)null!==(g=h(d,a,m,s[m],l))&&(e&&null!==g.alternate&&d.delete(null===g.key?m:g.key),o=i(g,o,m),null===u?c=g:u.sibling=g,u=g);return e&&d.forEach((function(e){return t(a,e)})),ao&&Ya(a,m),c}function g(a,s,l,c){var u=I(l);if("function"!=typeof u)throw Error(o(150));if(null==(l=u.call(l)))throw Error(o(151));for(var d=u=null,m=s,g=s=0,y=null,b=l.next();null!==m&&!b.done;g++,b=l.next()){m.index>g?(y=m,m=null):y=m.sibling;var v=f(a,m,b.value,c);if(null===v){null===m&&(m=y);break}e&&m&&null===v.alternate&&t(a,m),s=i(v,s,g),null===d?u=v:d.sibling=v,d=v,m=y}if(b.done)return n(a,m),ao&&Ya(a,g),u;if(null===m){for(;!b.done;g++,b=l.next())null!==(b=p(a,b.value,c))&&(s=i(b,s,g),null===d?u=b:d.sibling=b,d=b);return ao&&Ya(a,g),u}for(m=r(a,m);!b.done;g++,b=l.next())null!==(b=h(m,a,g,b.value,c))&&(e&&null!==b.alternate&&m.delete(null===b.key?g:b.key),s=i(b,s,g),null===d?u=b:d.sibling=b,d=b);return e&&m.forEach((function(e){return t(a,e)})),ao&&Ya(a,g),u}return function e(r,o,i,l){if("object"==typeof i&&null!==i&&i.type===S&&null===i.key&&(i=i.props.children),"object"==typeof i&&null!==i){switch(i.$$typeof){case w:e:{for(var c=i.key,u=o;null!==u;){if(u.key===c){if((c=i.type)===S){if(7===u.tag){n(r,u.sibling),(o=a(u,i.props.children)).return=r,r=o;break e}}else if(u.elementType===c||"object"==typeof c&&null!==c&&c.$$typeof===N&&vo(c)===u.type){n(r,u.sibling),(o=a(u,i.props)).ref=yo(r,u,i),o.return=r,r=o;break e}n(r,u);break}t(r,u),u=u.sibling}i.type===S?((o=Ic(i.props.children,r.mode,l,i.key)).return=r,r=o):((l=Oc(i.type,i.key,i.props,null,r.mode,l)).ref=yo(r,o,i),l.return=r,r=l)}return s(r);case x:e:{for(u=i.key;null!==o;){if(o.key===u){if(4===o.tag&&o.stateNode.containerInfo===i.containerInfo&&o.stateNode.implementation===i.implementation){n(r,o.sibling),(o=a(o,i.children||[])).return=r,r=o;break e}n(r,o);break}t(r,o),o=o.sibling}(o=Mc(i,r.mode,l)).return=r,r=o}return s(r);case N:return e(r,o,(u=i._init)(i._payload),l)}if(te(i))return m(r,o,i,l);if(I(i))return g(r,o,i,l);bo(r,i)}return"string"==typeof i&&""!==i||"number"==typeof i?(i=""+i,null!==o&&6===o.tag?(n(r,o.sibling),(o=a(o,i)).return=r,r=o):(n(r,o),(o=Fc(i,r.mode,l)).return=r,r=o),s(r)):n(r,o)}}var wo=ko(!0),xo=ko(!1),So=Ea(null),Eo=null,Co=null,_o=null;function To(){_o=Co=Eo=null}function Lo(e){var t=So.current;Ca(So),e._currentValue=t}function Ro(e,t,n){for(;null!==e;){var r=e.alternate;if((e.childLanes&t)!==t?(e.childLanes|=t,null!==r&&(r.childLanes|=t)):null!==r&&(r.childLanes&t)!==t&&(r.childLanes|=t),e===n)break;e=e.return}}function jo(e,t){Eo=e,_o=Co=null,null!==(e=e.dependencies)&&null!==e.firstContext&&(0!=(e.lanes&t)&&(vs=!0),e.firstContext=null)}function Po(e){var t=e._currentValue;if(_o!==e)if(e={context:e,memoizedValue:t,next:null},null===Co){if(null===Eo)throw Error(o(308));Co=e,Eo.dependencies={lanes:0,firstContext:e}}else Co=Co.next=e;return t}var No=null;function Ao(e){null===No?No=[e]:No.push(e)}function Oo(e,t,n,r){var a=t.interleaved;return null===a?(n.next=n,Ao(t)):(n.next=a.next,a.next=n),t.interleaved=n,Io(e,r)}function Io(e,t){e.lanes|=t;var n=e.alternate;for(null!==n&&(n.lanes|=t),n=e,e=e.return;null!==e;)e.childLanes|=t,null!==(n=e.alternate)&&(n.childLanes|=t),n=e,e=e.return;return 3===n.tag?n.stateNode:null}var Do=!1;function Fo(e){e.updateQueue={baseState:e.memoizedState,firstBaseUpdate:null,lastBaseUpdate:null,shared:{pending:null,interleaved:null,lanes:0},effects:null}}function Mo(e,t){e=e.updateQueue,t.updateQueue===e&&(t.updateQueue={baseState:e.baseState,firstBaseUpdate:e.firstBaseUpdate,lastBaseUpdate:e.lastBaseUpdate,shared:e.shared,effects:e.effects})}function Bo(e,t){return{eventTime:e,lane:t,tag:0,payload:null,callback:null,next:null}}function zo(e,t,n){var r=e.updateQueue;if(null===r)return null;if(r=r.shared,0!=(2&Ll)){var a=r.pending;return null===a?t.next=t:(t.next=a.next,a.next=t),r.pending=t,Io(e,n)}return null===(a=r.interleaved)?(t.next=t,Ao(r)):(t.next=a.next,a.next=t),r.interleaved=t,Io(e,n)}function $o(e,t,n){if(null!==(t=t.updateQueue)&&(t=t.shared,0!=(4194240&n))){var r=t.lanes;n|=r&=e.pendingLanes,t.lanes=n,bt(e,n)}}function Uo(e,t){var n=e.updateQueue,r=e.alternate;if(null!==r&&n===(r=r.updateQueue)){var a=null,o=null;if(null!==(n=n.firstBaseUpdate)){do{var i={eventTime:n.eventTime,lane:n.lane,tag:n.tag,payload:n.payload,callback:n.callback,next:null};null===o?a=o=i:o=o.next=i,n=n.next}while(null!==n);null===o?a=o=t:o=o.next=t}else a=o=t;return n={baseState:r.baseState,firstBaseUpdate:a,lastBaseUpdate:o,shared:r.shared,effects:r.effects},void(e.updateQueue=n)}null===(e=n.lastBaseUpdate)?n.firstBaseUpdate=t:e.next=t,n.lastBaseUpdate=t}function qo(e,t,n,r){var a=e.updateQueue;Do=!1;var o=a.firstBaseUpdate,i=a.lastBaseUpdate,s=a.shared.pending;if(null!==s){a.shared.pending=null;var l=s,c=l.next;l.next=null,null===i?o=c:i.next=c,i=l;var u=e.alternate;null!==u&&((s=(u=u.updateQueue).lastBaseUpdate)!==i&&(null===s?u.firstBaseUpdate=c:s.next=c,u.lastBaseUpdate=l))}if(null!==o){var d=a.baseState;for(i=0,u=c=l=null,s=o;;){var p=s.lane,f=s.eventTime;if((r&p)===p){null!==u&&(u=u.next={eventTime:f,lane:0,tag:s.tag,payload:s.payload,callback:s.callback,next:null});e:{var h=e,m=s;switch(p=t,f=n,m.tag){case 1:if("function"==typeof(h=m.payload)){d=h.call(f,d,p);break e}d=h;break e;case 3:h.flags=-65537&h.flags|128;case 0:if(null==(p="function"==typeof(h=m.payload)?h.call(f,d,p):h))break e;d=F({},d,p);break e;case 2:Do=!0}}null!==s.callback&&0!==s.lane&&(e.flags|=64,null===(p=a.effects)?a.effects=[s]:p.push(s))}else f={eventTime:f,lane:p,tag:s.tag,payload:s.payload,callback:s.callback,next:null},null===u?(c=u=f,l=d):u=u.next=f,i|=p;if(null===(s=s.next)){if(null===(s=a.shared.pending))break;s=(p=s).next,p.next=null,a.lastBaseUpdate=p,a.shared.pending=null}}if(null===u&&(l=d),a.baseState=l,a.firstBaseUpdate=c,a.lastBaseUpdate=u,null!==(t=a.shared.interleaved)){a=t;do{i|=a.lane,a=a.next}while(a!==t)}else null===o&&(a.shared.lanes=0);Dl|=i,e.lanes=i,e.memoizedState=d}}function Ho(e,t,n){if(e=t.effects,t.effects=null,null!==e)for(t=0;t<e.length;t++){var r=e[t],a=r.callback;if(null!==a){if(r.callback=null,r=n,"function"!=typeof a)throw Error(o(191,a));a.call(r)}}}var Qo={},Zo=Ea(Qo),Vo=Ea(Qo),Wo=Ea(Qo);function Go(e){if(e===Qo)throw Error(o(174));return e}function Xo(e,t){switch(_a(Wo,t),_a(Vo,e),_a(Zo,Qo),e=t.nodeType){case 9:case 11:t=(t=t.documentElement)?t.namespaceURI:le(null,"");break;default:t=le(t=(e=8===e?t.parentNode:t).namespaceURI||null,e=e.tagName)}Ca(Zo),_a(Zo,t)}function Ko(){Ca(Zo),Ca(Vo),Ca(Wo)}function Yo(e){Go(Wo.current);var t=Go(Zo.current),n=le(t,e.type);t!==n&&(_a(Vo,e),_a(Zo,n))}function Jo(e){Vo.current===e&&(Ca(Zo),Ca(Vo))}var ei=Ea(0);function ti(e){for(var t=e;null!==t;){if(13===t.tag){var n=t.memoizedState;if(null!==n&&(null===(n=n.dehydrated)||"$?"===n.data||"$!"===n.data))return t}else if(19===t.tag&&void 0!==t.memoizedProps.revealOrder){if(0!=(128&t.flags))return t}else if(null!==t.child){t.child.return=t,t=t.child;continue}if(t===e)break;for(;null===t.sibling;){if(null===t.return||t.return===e)return null;t=t.return}t.sibling.return=t.return,t=t.sibling}return null}var ni=[];function ri(){for(var e=0;e<ni.length;e++)ni[e]._workInProgressVersionPrimary=null;ni.length=0}var ai=k.ReactCurrentDispatcher,oi=k.ReactCurrentBatchConfig,ii=0,si=null,li=null,ci=null,ui=!1,di=!1,pi=0,fi=0;function hi(){throw Error(o(321))}function mi(e,t){if(null===t)return!1;for(var n=0;n<t.length&&n<e.length;n++)if(!sr(e[n],t[n]))return!1;return!0}function gi(e,t,n,r,a,i){if(ii=i,si=t,t.memoizedState=null,t.updateQueue=null,t.lanes=0,ai.current=null===e||null===e.memoizedState?Ji:es,e=n(r,a),di){i=0;do{if(di=!1,pi=0,25<=i)throw Error(o(301));i+=1,ci=li=null,t.updateQueue=null,ai.current=ts,e=n(r,a)}while(di)}if(ai.current=Yi,t=null!==li&&null!==li.next,ii=0,ci=li=si=null,ui=!1,t)throw Error(o(300));return e}function yi(){var e=0!==pi;return pi=0,e}function bi(){var e={memoizedState:null,baseState:null,baseQueue:null,queue:null,next:null};return null===ci?si.memoizedState=ci=e:ci=ci.next=e,ci}function vi(){if(null===li){var e=si.alternate;e=null!==e?e.memoizedState:null}else e=li.next;var t=null===ci?si.memoizedState:ci.next;if(null!==t)ci=t,li=e;else{if(null===e)throw Error(o(310));e={memoizedState:(li=e).memoizedState,baseState:li.baseState,baseQueue:li.baseQueue,queue:li.queue,next:null},null===ci?si.memoizedState=ci=e:ci=ci.next=e}return ci}function ki(e,t){return"function"==typeof t?t(e):t}function wi(e){var t=vi(),n=t.queue;if(null===n)throw Error(o(311));n.lastRenderedReducer=e;var r=li,a=r.baseQueue,i=n.pending;if(null!==i){if(null!==a){var s=a.next;a.next=i.next,i.next=s}r.baseQueue=a=i,n.pending=null}if(null!==a){i=a.next,r=r.baseState;var l=s=null,c=null,u=i;do{var d=u.lane;if((ii&d)===d)null!==c&&(c=c.next={lane:0,action:u.action,hasEagerState:u.hasEagerState,eagerState:u.eagerState,next:null}),r=u.hasEagerState?u.eagerState:e(r,u.action);else{var p={lane:d,action:u.action,hasEagerState:u.hasEagerState,eagerState:u.eagerState,next:null};null===c?(l=c=p,s=r):c=c.next=p,si.lanes|=d,Dl|=d}u=u.next}while(null!==u&&u!==i);null===c?s=r:c.next=l,sr(r,t.memoizedState)||(vs=!0),t.memoizedState=r,t.baseState=s,t.baseQueue=c,n.lastRenderedState=r}if(null!==(e=n.interleaved)){a=e;do{i=a.lane,si.lanes|=i,Dl|=i,a=a.next}while(a!==e)}else null===a&&(n.lanes=0);return[t.memoizedState,n.dispatch]}function xi(e){var t=vi(),n=t.queue;if(null===n)throw Error(o(311));n.lastRenderedReducer=e;var r=n.dispatch,a=n.pending,i=t.memoizedState;if(null!==a){n.pending=null;var s=a=a.next;do{i=e(i,s.action),s=s.next}while(s!==a);sr(i,t.memoizedState)||(vs=!0),t.memoizedState=i,null===t.baseQueue&&(t.baseState=i),n.lastRenderedState=i}return[i,r]}function Si(){}function Ei(e,t){var n=si,r=vi(),a=t(),i=!sr(r.memoizedState,a);if(i&&(r.memoizedState=a,vs=!0),r=r.queue,Di(Ti.bind(null,n,r,e),[e]),r.getSnapshot!==t||i||null!==ci&&1&ci.memoizedState.tag){if(n.flags|=2048,Pi(9,_i.bind(null,n,r,a,t),void 0,null),null===Rl)throw Error(o(349));0!=(30&ii)||Ci(n,t,a)}return a}function Ci(e,t,n){e.flags|=16384,e={getSnapshot:t,value:n},null===(t=si.updateQueue)?(t={lastEffect:null,stores:null},si.updateQueue=t,t.stores=[e]):null===(n=t.stores)?t.stores=[e]:n.push(e)}function _i(e,t,n,r){t.value=n,t.getSnapshot=r,Li(t)&&Ri(e)}function Ti(e,t,n){return n((function(){Li(t)&&Ri(e)}))}function Li(e){var t=e.getSnapshot;e=e.value;try{var n=t();return!sr(e,n)}catch(r){return!0}}function Ri(e){var t=Io(e,1);null!==t&&nc(t,e,1,-1)}function ji(e){var t=bi();return"function"==typeof e&&(e=e()),t.memoizedState=t.baseState=e,e={pending:null,interleaved:null,lanes:0,dispatch:null,lastRenderedReducer:ki,lastRenderedState:e},t.queue=e,e=e.dispatch=Wi.bind(null,si,e),[t.memoizedState,e]}function Pi(e,t,n,r){return e={tag:e,create:t,destroy:n,deps:r,next:null},null===(t=si.updateQueue)?(t={lastEffect:null,stores:null},si.updateQueue=t,t.lastEffect=e.next=e):null===(n=t.lastEffect)?t.lastEffect=e.next=e:(r=n.next,n.next=e,e.next=r,t.lastEffect=e),e}function Ni(){return vi().memoizedState}function Ai(e,t,n,r){var a=bi();si.flags|=e,a.memoizedState=Pi(1|t,n,void 0,void 0===r?null:r)}function Oi(e,t,n,r){var a=vi();r=void 0===r?null:r;var o=void 0;if(null!==li){var i=li.memoizedState;if(o=i.destroy,null!==r&&mi(r,i.deps))return void(a.memoizedState=Pi(t,n,o,r))}si.flags|=e,a.memoizedState=Pi(1|t,n,o,r)}function Ii(e,t){return Ai(8390656,8,e,t)}function Di(e,t){return Oi(2048,8,e,t)}function Fi(e,t){return Oi(4,2,e,t)}function Mi(e,t){return Oi(4,4,e,t)}function Bi(e,t){return"function"==typeof t?(e=e(),t(e),function(){t(null)}):null!=t?(e=e(),t.current=e,function(){t.current=null}):void 0}function zi(e,t,n){return n=null!=n?n.concat([e]):null,Oi(4,4,Bi.bind(null,t,e),n)}function $i(){}function Ui(e,t){var n=vi();t=void 0===t?null:t;var r=n.memoizedState;return null!==r&&null!==t&&mi(t,r[1])?r[0]:(n.memoizedState=[e,t],e)}function qi(e,t){var n=vi();t=void 0===t?null:t;var r=n.memoizedState;return null!==r&&null!==t&&mi(t,r[1])?r[0]:(e=e(),n.memoizedState=[e,t],e)}function Hi(e,t,n){return 0==(21&ii)?(e.baseState&&(e.baseState=!1,vs=!0),e.memoizedState=n):(sr(n,t)||(n=mt(),si.lanes|=n,Dl|=n,e.baseState=!0),t)}function Qi(e,t){var n=vt;vt=0!==n&&4>n?n:4,e(!0);var r=oi.transition;oi.transition={};try{e(!1),t()}finally{vt=n,oi.transition=r}}function Zi(){return vi().memoizedState}function Vi(e,t,n){var r=tc(e);if(n={lane:r,action:n,hasEagerState:!1,eagerState:null,next:null},Gi(e))Xi(t,n);else if(null!==(n=Oo(e,t,n,r))){nc(n,e,r,ec()),Ki(n,t,r)}}function Wi(e,t,n){var r=tc(e),a={lane:r,action:n,hasEagerState:!1,eagerState:null,next:null};if(Gi(e))Xi(t,a);else{var o=e.alternate;if(0===e.lanes&&(null===o||0===o.lanes)&&null!==(o=t.lastRenderedReducer))try{var i=t.lastRenderedState,s=o(i,n);if(a.hasEagerState=!0,a.eagerState=s,sr(s,i)){var l=t.interleaved;return null===l?(a.next=a,Ao(t)):(a.next=l.next,l.next=a),void(t.interleaved=a)}}catch(c){}null!==(n=Oo(e,t,a,r))&&(nc(n,e,r,a=ec()),Ki(n,t,r))}}function Gi(e){var t=e.alternate;return e===si||null!==t&&t===si}function Xi(e,t){di=ui=!0;var n=e.pending;null===n?t.next=t:(t.next=n.next,n.next=t),e.pending=t}function Ki(e,t,n){if(0!=(4194240&n)){var r=t.lanes;n|=r&=e.pendingLanes,t.lanes=n,bt(e,n)}}var Yi={readContext:Po,useCallback:hi,useContext:hi,useEffect:hi,useImperativeHandle:hi,useInsertionEffect:hi,useLayoutEffect:hi,useMemo:hi,useReducer:hi,useRef:hi,useState:hi,useDebugValue:hi,useDeferredValue:hi,useTransition:hi,useMutableSource:hi,useSyncExternalStore:hi,useId:hi,unstable_isNewReconciler:!1},Ji={readContext:Po,useCallback:function(e,t){return bi().memoizedState=[e,void 0===t?null:t],e},useContext:Po,useEffect:Ii,useImperativeHandle:function(e,t,n){return n=null!=n?n.concat([e]):null,Ai(4194308,4,Bi.bind(null,t,e),n)},useLayoutEffect:function(e,t){return Ai(4194308,4,e,t)},useInsertionEffect:function(e,t){return Ai(4,2,e,t)},useMemo:function(e,t){var n=bi();return t=void 0===t?null:t,e=e(),n.memoizedState=[e,t],e},useReducer:function(e,t,n){var r=bi();return t=void 0!==n?n(t):t,r.memoizedState=r.baseState=t,e={pending:null,interleaved:null,lanes:0,dispatch:null,lastRenderedReducer:e,lastRenderedState:t},r.queue=e,e=e.dispatch=Vi.bind(null,si,e),[r.memoizedState,e]},useRef:function(e){return e={current:e},bi().memoizedState=e},useState:ji,useDebugValue:$i,useDeferredValue:function(e){return bi().memoizedState=e},useTransition:function(){var e=ji(!1),t=e[0];return e=Qi.bind(null,e[1]),bi().memoizedState=e,[t,e]},useMutableSource:function(){},useSyncExternalStore:function(e,t,n){var r=si,a=bi();if(ao){if(void 0===n)throw Error(o(407));n=n()}else{if(n=t(),null===Rl)throw Error(o(349));0!=(30&ii)||Ci(r,t,n)}a.memoizedState=n;var i={value:n,getSnapshot:t};return a.queue=i,Ii(Ti.bind(null,r,i,e),[e]),r.flags|=2048,Pi(9,_i.bind(null,r,i,n,t),void 0,null),n},useId:function(){var e=bi(),t=Rl.identifierPrefix;if(ao){var n=Ka;t=":"+t+"R"+(n=(Xa&~(1<<32-it(Xa)-1)).toString(32)+n),0<(n=pi++)&&(t+="H"+n.toString(32)),t+=":"}else t=":"+t+"r"+(n=fi++).toString(32)+":";return e.memoizedState=t},unstable_isNewReconciler:!1},es={readContext:Po,useCallback:Ui,useContext:Po,useEffect:Di,useImperativeHandle:zi,useInsertionEffect:Fi,useLayoutEffect:Mi,useMemo:qi,useReducer:wi,useRef:Ni,useState:function(){return wi(ki)},useDebugValue:$i,useDeferredValue:function(e){return Hi(vi(),li.memoizedState,e)},useTransition:function(){return[wi(ki)[0],vi().memoizedState]},useMutableSource:Si,useSyncExternalStore:Ei,useId:Zi,unstable_isNewReconciler:!1},ts={readContext:Po,useCallback:Ui,useContext:Po,useEffect:Di,useImperativeHandle:zi,useInsertionEffect:Fi,useLayoutEffect:Mi,useMemo:qi,useReducer:xi,useRef:Ni,useState:function(){return xi(ki)},useDebugValue:$i,useDeferredValue:function(e){var t=vi();return null===li?t.memoizedState=e:Hi(t,li.memoizedState,e)},useTransition:function(){return[xi(ki)[0],vi().memoizedState]},useMutableSource:Si,useSyncExternalStore:Ei,useId:Zi,unstable_isNewReconciler:!1};function ns(e,t){if(e&&e.defaultProps){for(var n in t=F({},t),e=e.defaultProps)void 0===t[n]&&(t[n]=e[n]);return t}return t}function rs(e,t,n,r){n=null==(n=n(r,t=e.memoizedState))?t:F({},t,n),e.memoizedState=n,0===e.lanes&&(e.updateQueue.baseState=n)}var as={isMounted:function(e){return!!(e=e._reactInternals)&&Ue(e)===e},enqueueSetState:function(e,t,n){e=e._reactInternals;var r=ec(),a=tc(e),o=Bo(r,a);o.payload=t,null!=n&&(o.callback=n),null!==(t=zo(e,o,a))&&(nc(t,e,a,r),$o(t,e,a))},enqueueReplaceState:function(e,t,n){e=e._reactInternals;var r=ec(),a=tc(e),o=Bo(r,a);o.tag=1,o.payload=t,null!=n&&(o.callback=n),null!==(t=zo(e,o,a))&&(nc(t,e,a,r),$o(t,e,a))},enqueueForceUpdate:function(e,t){e=e._reactInternals;var n=ec(),r=tc(e),a=Bo(n,r);a.tag=2,null!=t&&(a.callback=t),null!==(t=zo(e,a,r))&&(nc(t,e,r,n),$o(t,e,r))}};function os(e,t,n,r,a,o,i){return"function"==typeof(e=e.stateNode).shouldComponentUpdate?e.shouldComponentUpdate(r,o,i):!t.prototype||!t.prototype.isPureReactComponent||(!lr(n,r)||!lr(a,o))}function is(e,t,n){var r=!1,a=Ta,o=t.contextType;return"object"==typeof o&&null!==o?o=Po(o):(a=Na(t)?ja:La.current,o=(r=null!=(r=t.contextTypes))?Pa(e,a):Ta),t=new t(n,o),e.memoizedState=null!==t.state&&void 0!==t.state?t.state:null,t.updater=as,e.stateNode=t,t._reactInternals=e,r&&((e=e.stateNode).__reactInternalMemoizedUnmaskedChildContext=a,e.__reactInternalMemoizedMaskedChildContext=o),t}function ss(e,t,n,r){e=t.state,"function"==typeof t.componentWillReceiveProps&&t.componentWillReceiveProps(n,r),"function"==typeof t.UNSAFE_componentWillReceiveProps&&t.UNSAFE_componentWillReceiveProps(n,r),t.state!==e&&as.enqueueReplaceState(t,t.state,null)}function ls(e,t,n,r){var a=e.stateNode;a.props=n,a.state=e.memoizedState,a.refs={},Fo(e);var o=t.contextType;"object"==typeof o&&null!==o?a.context=Po(o):(o=Na(t)?ja:La.current,a.context=Pa(e,o)),a.state=e.memoizedState,"function"==typeof(o=t.getDerivedStateFromProps)&&(rs(e,t,o,n),a.state=e.memoizedState),"function"==typeof t.getDerivedStateFromProps||"function"==typeof a.getSnapshotBeforeUpdate||"function"!=typeof a.UNSAFE_componentWillMount&&"function"!=typeof a.componentWillMount||(t=a.state,"function"==typeof a.componentWillMount&&a.componentWillMount(),"function"==typeof a.UNSAFE_componentWillMount&&a.UNSAFE_componentWillMount(),t!==a.state&&as.enqueueReplaceState(a,a.state,null),qo(e,n,a,r),a.state=e.memoizedState),"function"==typeof a.componentDidMount&&(e.flags|=4194308)}function cs(e,t){try{var n="",r=t;do{n+=$(r),r=r.return}while(r);var a=n}catch(o){a="\nError generating stack: "+o.message+"\n"+o.stack}return{value:e,source:t,stack:a,digest:null}}function us(e,t,n){return{value:e,source:null,stack:null!=n?n:null,digest:null!=t?t:null}}function ds(e,t){try{console.error(t.value)}catch(n){setTimeout((function(){throw n}))}}var ps="function"==typeof WeakMap?WeakMap:Map;function fs(e,t,n){(n=Bo(-1,n)).tag=3,n.payload={element:null};var r=t.value;return n.callback=function(){Hl||(Hl=!0,Ql=r),ds(0,t)},n}function hs(e,t,n){(n=Bo(-1,n)).tag=3;var r=e.type.getDerivedStateFromError;if("function"==typeof r){var a=t.value;n.payload=function(){return r(a)},n.callback=function(){ds(0,t)}}var o=e.stateNode;return null!==o&&"function"==typeof o.componentDidCatch&&(n.callback=function(){ds(0,t),"function"!=typeof r&&(null===Zl?Zl=new Set([this]):Zl.add(this));var e=t.stack;this.componentDidCatch(t.value,{componentStack:null!==e?e:""})}),n}function ms(e,t,n){var r=e.pingCache;if(null===r){r=e.pingCache=new ps;var a=new Set;r.set(t,a)}else void 0===(a=r.get(t))&&(a=new Set,r.set(t,a));a.has(n)||(a.add(n),e=Cc.bind(null,e,t,n),t.then(e,e))}function gs(e){do{var t;if((t=13===e.tag)&&(t=null===(t=e.memoizedState)||null!==t.dehydrated),t)return e;e=e.return}while(null!==e);return null}function ys(e,t,n,r,a){return 0==(1&e.mode)?(e===t?e.flags|=65536:(e.flags|=128,n.flags|=131072,n.flags&=-52805,1===n.tag&&(null===n.alternate?n.tag=17:((t=Bo(-1,1)).tag=2,zo(n,t,1))),n.lanes|=1),e):(e.flags|=65536,e.lanes=a,e)}var bs=k.ReactCurrentOwner,vs=!1;function ks(e,t,n,r){t.child=null===e?xo(t,null,n,r):wo(t,e.child,n,r)}function ws(e,t,n,r,a){n=n.render;var o=t.ref;return jo(t,a),r=gi(e,t,n,r,o,a),n=yi(),null===e||vs?(ao&&n&&eo(t),t.flags|=1,ks(e,t,r,a),t.child):(t.updateQueue=e.updateQueue,t.flags&=-2053,e.lanes&=~a,Hs(e,t,a))}function xs(e,t,n,r,a){if(null===e){var o=n.type;return"function"!=typeof o||Nc(o)||void 0!==o.defaultProps||null!==n.compare||void 0!==n.defaultProps?((e=Oc(n.type,null,r,t,t.mode,a)).ref=t.ref,e.return=t,t.child=e):(t.tag=15,t.type=o,Ss(e,t,o,r,a))}if(o=e.child,0==(e.lanes&a)){var i=o.memoizedProps;if((n=null!==(n=n.compare)?n:lr)(i,r)&&e.ref===t.ref)return Hs(e,t,a)}return t.flags|=1,(e=Ac(o,r)).ref=t.ref,e.return=t,t.child=e}function Ss(e,t,n,r,a){if(null!==e){var o=e.memoizedProps;if(lr(o,r)&&e.ref===t.ref){if(vs=!1,t.pendingProps=r=o,0==(e.lanes&a))return t.lanes=e.lanes,Hs(e,t,a);0!=(131072&e.flags)&&(vs=!0)}}return _s(e,t,n,r,a)}function Es(e,t,n){var r=t.pendingProps,a=r.children,o=null!==e?e.memoizedState:null;if("hidden"===r.mode)if(0==(1&t.mode))t.memoizedState={baseLanes:0,cachePool:null,transitions:null},_a(Al,Nl),Nl|=n;else{if(0==(1073741824&n))return e=null!==o?o.baseLanes|n:n,t.lanes=t.childLanes=1073741824,t.memoizedState={baseLanes:e,cachePool:null,transitions:null},t.updateQueue=null,_a(Al,Nl),Nl|=e,null;t.memoizedState={baseLanes:0,cachePool:null,transitions:null},r=null!==o?o.baseLanes:n,_a(Al,Nl),Nl|=r}else null!==o?(r=o.baseLanes|n,t.memoizedState=null):r=n,_a(Al,Nl),Nl|=r;return ks(e,t,a,n),t.child}function Cs(e,t){var n=t.ref;(null===e&&null!==n||null!==e&&e.ref!==n)&&(t.flags|=512,t.flags|=2097152)}function _s(e,t,n,r,a){var o=Na(n)?ja:La.current;return o=Pa(t,o),jo(t,a),n=gi(e,t,n,r,o,a),r=yi(),null===e||vs?(ao&&r&&eo(t),t.flags|=1,ks(e,t,n,a),t.child):(t.updateQueue=e.updateQueue,t.flags&=-2053,e.lanes&=~a,Hs(e,t,a))}function Ts(e,t,n,r,a){if(Na(n)){var o=!0;Da(t)}else o=!1;if(jo(t,a),null===t.stateNode)qs(e,t),is(t,n,r),ls(t,n,r,a),r=!0;else if(null===e){var i=t.stateNode,s=t.memoizedProps;i.props=s;var l=i.context,c=n.contextType;"object"==typeof c&&null!==c?c=Po(c):c=Pa(t,c=Na(n)?ja:La.current);var u=n.getDerivedStateFromProps,d="function"==typeof u||"function"==typeof i.getSnapshotBeforeUpdate;d||"function"!=typeof i.UNSAFE_componentWillReceiveProps&&"function"!=typeof i.componentWillReceiveProps||(s!==r||l!==c)&&ss(t,i,r,c),Do=!1;var p=t.memoizedState;i.state=p,qo(t,r,i,a),l=t.memoizedState,s!==r||p!==l||Ra.current||Do?("function"==typeof u&&(rs(t,n,u,r),l=t.memoizedState),(s=Do||os(t,n,s,r,p,l,c))?(d||"function"!=typeof i.UNSAFE_componentWillMount&&"function"!=typeof i.componentWillMount||("function"==typeof i.componentWillMount&&i.componentWillMount(),"function"==typeof i.UNSAFE_componentWillMount&&i.UNSAFE_componentWillMount()),"function"==typeof i.componentDidMount&&(t.flags|=4194308)):("function"==typeof i.componentDidMount&&(t.flags|=4194308),t.memoizedProps=r,t.memoizedState=l),i.props=r,i.state=l,i.context=c,r=s):("function"==typeof i.componentDidMount&&(t.flags|=4194308),r=!1)}else{i=t.stateNode,Mo(e,t),s=t.memoizedProps,c=t.type===t.elementType?s:ns(t.type,s),i.props=c,d=t.pendingProps,p=i.context,"object"==typeof(l=n.contextType)&&null!==l?l=Po(l):l=Pa(t,l=Na(n)?ja:La.current);var f=n.getDerivedStateFromProps;(u="function"==typeof f||"function"==typeof i.getSnapshotBeforeUpdate)||"function"!=typeof i.UNSAFE_componentWillReceiveProps&&"function"!=typeof i.componentWillReceiveProps||(s!==d||p!==l)&&ss(t,i,r,l),Do=!1,p=t.memoizedState,i.state=p,qo(t,r,i,a);var h=t.memoizedState;s!==d||p!==h||Ra.current||Do?("function"==typeof f&&(rs(t,n,f,r),h=t.memoizedState),(c=Do||os(t,n,c,r,p,h,l)||!1)?(u||"function"!=typeof i.UNSAFE_componentWillUpdate&&"function"!=typeof i.componentWillUpdate||("function"==typeof i.componentWillUpdate&&i.componentWillUpdate(r,h,l),"function"==typeof i.UNSAFE_componentWillUpdate&&i.UNSAFE_componentWillUpdate(r,h,l)),"function"==typeof i.componentDidUpdate&&(t.flags|=4),"function"==typeof i.getSnapshotBeforeUpdate&&(t.flags|=1024)):("function"!=typeof i.componentDidUpdate||s===e.memoizedProps&&p===e.memoizedState||(t.flags|=4),"function"!=typeof i.getSnapshotBeforeUpdate||s===e.memoizedProps&&p===e.memoizedState||(t.flags|=1024),t.memoizedProps=r,t.memoizedState=h),i.props=r,i.state=h,i.context=l,r=c):("function"!=typeof i.componentDidUpdate||s===e.memoizedProps&&p===e.memoizedState||(t.flags|=4),"function"!=typeof i.getSnapshotBeforeUpdate||s===e.memoizedProps&&p===e.memoizedState||(t.flags|=1024),r=!1)}return Ls(e,t,n,r,o,a)}function Ls(e,t,n,r,a,o){Cs(e,t);var i=0!=(128&t.flags);if(!r&&!i)return a&&Fa(t,n,!1),Hs(e,t,o);r=t.stateNode,bs.current=t;var s=i&&"function"!=typeof n.getDerivedStateFromError?null:r.render();return t.flags|=1,null!==e&&i?(t.child=wo(t,e.child,null,o),t.child=wo(t,null,s,o)):ks(e,t,s,o),t.memoizedState=r.state,a&&Fa(t,n,!0),t.child}function Rs(e){var t=e.stateNode;t.pendingContext?Oa(0,t.pendingContext,t.pendingContext!==t.context):t.context&&Oa(0,t.context,!1),Xo(e,t.containerInfo)}function js(e,t,n,r,a){return ho(),mo(a),t.flags|=256,ks(e,t,n,r),t.child}var Ps,Ns,As,Os,Is={dehydrated:null,treeContext:null,retryLane:0};function Ds(e){return{baseLanes:e,cachePool:null,transitions:null}}function Fs(e,t,n){var r,a=t.pendingProps,i=ei.current,s=!1,l=0!=(128&t.flags);if((r=l)||(r=(null===e||null!==e.memoizedState)&&0!=(2&i)),r?(s=!0,t.flags&=-129):null!==e&&null===e.memoizedState||(i|=1),_a(ei,1&i),null===e)return co(t),null!==(e=t.memoizedState)&&null!==(e=e.dehydrated)?(0==(1&t.mode)?t.lanes=1:"$!"===e.data?t.lanes=8:t.lanes=1073741824,null):(l=a.children,e=a.fallback,s?(a=t.mode,s=t.child,l={mode:"hidden",children:l},0==(1&a)&&null!==s?(s.childLanes=0,s.pendingProps=l):s=Dc(l,a,0,null),e=Ic(e,a,n,null),s.return=t,e.return=t,s.sibling=e,t.child=s,t.child.memoizedState=Ds(n),t.memoizedState=Is,e):Ms(t,l));if(null!==(i=e.memoizedState)&&null!==(r=i.dehydrated))return function(e,t,n,r,a,i,s){if(n)return 256&t.flags?(t.flags&=-257,Bs(e,t,s,r=us(Error(o(422))))):null!==t.memoizedState?(t.child=e.child,t.flags|=128,null):(i=r.fallback,a=t.mode,r=Dc({mode:"visible",children:r.children},a,0,null),(i=Ic(i,a,s,null)).flags|=2,r.return=t,i.return=t,r.sibling=i,t.child=r,0!=(1&t.mode)&&wo(t,e.child,null,s),t.child.memoizedState=Ds(s),t.memoizedState=Is,i);if(0==(1&t.mode))return Bs(e,t,s,null);if("$!"===a.data){if(r=a.nextSibling&&a.nextSibling.dataset)var l=r.dgst;return r=l,Bs(e,t,s,r=us(i=Error(o(419)),r,void 0))}if(l=0!=(s&e.childLanes),vs||l){if(null!==(r=Rl)){switch(s&-s){case 4:a=2;break;case 16:a=8;break;case 64:case 128:case 256:case 512:case 1024:case 2048:case 4096:case 8192:case 16384:case 32768:case 65536:case 131072:case 262144:case 524288:case 1048576:case 2097152:case 4194304:case 8388608:case 16777216:case 33554432:case 67108864:a=32;break;case 536870912:a=268435456;break;default:a=0}0!==(a=0!=(a&(r.suspendedLanes|s))?0:a)&&a!==i.retryLane&&(i.retryLane=a,Io(e,a),nc(r,e,a,-1))}return mc(),Bs(e,t,s,r=us(Error(o(421))))}return"$?"===a.data?(t.flags|=128,t.child=e.child,t=Tc.bind(null,e),a._reactRetry=t,null):(e=i.treeContext,ro=ca(a.nextSibling),no=t,ao=!0,oo=null,null!==e&&(Va[Wa++]=Xa,Va[Wa++]=Ka,Va[Wa++]=Ga,Xa=e.id,Ka=e.overflow,Ga=t),t=Ms(t,r.children),t.flags|=4096,t)}(e,t,l,a,r,i,n);if(s){s=a.fallback,l=t.mode,r=(i=e.child).sibling;var c={mode:"hidden",children:a.children};return 0==(1&l)&&t.child!==i?((a=t.child).childLanes=0,a.pendingProps=c,t.deletions=null):(a=Ac(i,c)).subtreeFlags=14680064&i.subtreeFlags,null!==r?s=Ac(r,s):(s=Ic(s,l,n,null)).flags|=2,s.return=t,a.return=t,a.sibling=s,t.child=a,a=s,s=t.child,l=null===(l=e.child.memoizedState)?Ds(n):{baseLanes:l.baseLanes|n,cachePool:null,transitions:l.transitions},s.memoizedState=l,s.childLanes=e.childLanes&~n,t.memoizedState=Is,a}return e=(s=e.child).sibling,a=Ac(s,{mode:"visible",children:a.children}),0==(1&t.mode)&&(a.lanes=n),a.return=t,a.sibling=null,null!==e&&(null===(n=t.deletions)?(t.deletions=[e],t.flags|=16):n.push(e)),t.child=a,t.memoizedState=null,a}function Ms(e,t){return(t=Dc({mode:"visible",children:t},e.mode,0,null)).return=e,e.child=t}function Bs(e,t,n,r){return null!==r&&mo(r),wo(t,e.child,null,n),(e=Ms(t,t.pendingProps.children)).flags|=2,t.memoizedState=null,e}function zs(e,t,n){e.lanes|=t;var r=e.alternate;null!==r&&(r.lanes|=t),Ro(e.return,t,n)}function $s(e,t,n,r,a){var o=e.memoizedState;null===o?e.memoizedState={isBackwards:t,rendering:null,renderingStartTime:0,last:r,tail:n,tailMode:a}:(o.isBackwards=t,o.rendering=null,o.renderingStartTime=0,o.last=r,o.tail=n,o.tailMode=a)}function Us(e,t,n){var r=t.pendingProps,a=r.revealOrder,o=r.tail;if(ks(e,t,r.children,n),0!=(2&(r=ei.current)))r=1&r|2,t.flags|=128;else{if(null!==e&&0!=(128&e.flags))e:for(e=t.child;null!==e;){if(13===e.tag)null!==e.memoizedState&&zs(e,n,t);else if(19===e.tag)zs(e,n,t);else if(null!==e.child){e.child.return=e,e=e.child;continue}if(e===t)break e;for(;null===e.sibling;){if(null===e.return||e.return===t)break e;e=e.return}e.sibling.return=e.return,e=e.sibling}r&=1}if(_a(ei,r),0==(1&t.mode))t.memoizedState=null;else switch(a){case"forwards":for(n=t.child,a=null;null!==n;)null!==(e=n.alternate)&&null===ti(e)&&(a=n),n=n.sibling;null===(n=a)?(a=t.child,t.child=null):(a=n.sibling,n.sibling=null),$s(t,!1,a,n,o);break;case"backwards":for(n=null,a=t.child,t.child=null;null!==a;){if(null!==(e=a.alternate)&&null===ti(e)){t.child=a;break}e=a.sibling,a.sibling=n,n=a,a=e}$s(t,!0,n,null,o);break;case"together":$s(t,!1,null,null,void 0);break;default:t.memoizedState=null}return t.child}function qs(e,t){0==(1&t.mode)&&null!==e&&(e.alternate=null,t.alternate=null,t.flags|=2)}function Hs(e,t,n){if(null!==e&&(t.dependencies=e.dependencies),Dl|=t.lanes,0==(n&t.childLanes))return null;if(null!==e&&t.child!==e.child)throw Error(o(153));if(null!==t.child){for(n=Ac(e=t.child,e.pendingProps),t.child=n,n.return=t;null!==e.sibling;)e=e.sibling,(n=n.sibling=Ac(e,e.pendingProps)).return=t;n.sibling=null}return t.child}function Qs(e,t){if(!ao)switch(e.tailMode){case"hidden":t=e.tail;for(var n=null;null!==t;)null!==t.alternate&&(n=t),t=t.sibling;null===n?e.tail=null:n.sibling=null;break;case"collapsed":n=e.tail;for(var r=null;null!==n;)null!==n.alternate&&(r=n),n=n.sibling;null===r?t||null===e.tail?e.tail=null:e.tail.sibling=null:r.sibling=null}}function Zs(e){var t=null!==e.alternate&&e.alternate.child===e.child,n=0,r=0;if(t)for(var a=e.child;null!==a;)n|=a.lanes|a.childLanes,r|=14680064&a.subtreeFlags,r|=14680064&a.flags,a.return=e,a=a.sibling;else for(a=e.child;null!==a;)n|=a.lanes|a.childLanes,r|=a.subtreeFlags,r|=a.flags,a.return=e,a=a.sibling;return e.subtreeFlags|=r,e.childLanes=n,t}function Vs(e,t,n){var r=t.pendingProps;switch(to(t),t.tag){case 2:case 16:case 15:case 0:case 11:case 7:case 8:case 12:case 9:case 14:return Zs(t),null;case 1:case 17:return Na(t.type)&&Aa(),Zs(t),null;case 3:return r=t.stateNode,Ko(),Ca(Ra),Ca(La),ri(),r.pendingContext&&(r.context=r.pendingContext,r.pendingContext=null),null!==e&&null!==e.child||(po(t)?t.flags|=4:null===e||e.memoizedState.isDehydrated&&0==(256&t.flags)||(t.flags|=1024,null!==oo&&(ic(oo),oo=null))),Ns(e,t),Zs(t),null;case 5:Jo(t);var a=Go(Wo.current);if(n=t.type,null!==e&&null!=t.stateNode)As(e,t,n,r,a),e.ref!==t.ref&&(t.flags|=512,t.flags|=2097152);else{if(!r){if(null===t.stateNode)throw Error(o(166));return Zs(t),null}if(e=Go(Zo.current),po(t)){r=t.stateNode,n=t.type;var i=t.memoizedProps;switch(r[pa]=t,r[fa]=i,e=0!=(1&t.mode),n){case"dialog":Br("cancel",r),Br("close",r);break;case"iframe":case"object":case"embed":Br("load",r);break;case"video":case"audio":for(a=0;a<Ir.length;a++)Br(Ir[a],r);break;case"source":Br("error",r);break;case"img":case"image":case"link":Br("error",r),Br("load",r);break;case"details":Br("toggle",r);break;case"input":X(r,i),Br("invalid",r);break;case"select":r._wrapperState={wasMultiple:!!i.multiple},Br("invalid",r);break;case"textarea":ae(r,i),Br("invalid",r)}for(var l in be(n,i),a=null,i)if(i.hasOwnProperty(l)){var c=i[l];"children"===l?"string"==typeof c?r.textContent!==c&&(!0!==i.suppressHydrationWarning&&Yr(r.textContent,c,e),a=["children",c]):"number"==typeof c&&r.textContent!==""+c&&(!0!==i.suppressHydrationWarning&&Yr(r.textContent,c,e),a=["children",""+c]):s.hasOwnProperty(l)&&null!=c&&"onScroll"===l&&Br("scroll",r)}switch(n){case"input":Z(r),J(r,i,!0);break;case"textarea":Z(r),ie(r);break;case"select":case"option":break;default:"function"==typeof i.onClick&&(r.onclick=Jr)}r=a,t.updateQueue=r,null!==r&&(t.flags|=4)}else{l=9===a.nodeType?a:a.ownerDocument,"http://www.w3.org/1999/xhtml"===e&&(e=se(n)),"http://www.w3.org/1999/xhtml"===e?"script"===n?((e=l.createElement("div")).innerHTML="<script><\/script>",e=e.removeChild(e.firstChild)):"string"==typeof r.is?e=l.createElement(n,{is:r.is}):(e=l.createElement(n),"select"===n&&(l=e,r.multiple?l.multiple=!0:r.size&&(l.size=r.size))):e=l.createElementNS(e,n),e[pa]=t,e[fa]=r,Ps(e,t,!1,!1),t.stateNode=e;e:{switch(l=ve(n,r),n){case"dialog":Br("cancel",e),Br("close",e),a=r;break;case"iframe":case"object":case"embed":Br("load",e),a=r;break;case"video":case"audio":for(a=0;a<Ir.length;a++)Br(Ir[a],e);a=r;break;case"source":Br("error",e),a=r;break;case"img":case"image":case"link":Br("error",e),Br("load",e),a=r;break;case"details":Br("toggle",e),a=r;break;case"input":X(e,r),a=G(e,r),Br("invalid",e);break;case"option":default:a=r;break;case"select":e._wrapperState={wasMultiple:!!r.multiple},a=F({},r,{value:void 0}),Br("invalid",e);break;case"textarea":ae(e,r),a=re(e,r),Br("invalid",e)}for(i in be(n,a),c=a)if(c.hasOwnProperty(i)){var u=c[i];"style"===i?ge(e,u):"dangerouslySetInnerHTML"===i?null!=(u=u?u.__html:void 0)&&de(e,u):"children"===i?"string"==typeof u?("textarea"!==n||""!==u)&&pe(e,u):"number"==typeof u&&pe(e,""+u):"suppressContentEditableWarning"!==i&&"suppressHydrationWarning"!==i&&"autoFocus"!==i&&(s.hasOwnProperty(i)?null!=u&&"onScroll"===i&&Br("scroll",e):null!=u&&v(e,i,u,l))}switch(n){case"input":Z(e),J(e,r,!1);break;case"textarea":Z(e),ie(e);break;case"option":null!=r.value&&e.setAttribute("value",""+H(r.value));break;case"select":e.multiple=!!r.multiple,null!=(i=r.value)?ne(e,!!r.multiple,i,!1):null!=r.defaultValue&&ne(e,!!r.multiple,r.defaultValue,!0);break;default:"function"==typeof a.onClick&&(e.onclick=Jr)}switch(n){case"button":case"input":case"select":case"textarea":r=!!r.autoFocus;break e;case"img":r=!0;break e;default:r=!1}}r&&(t.flags|=4)}null!==t.ref&&(t.flags|=512,t.flags|=2097152)}return Zs(t),null;case 6:if(e&&null!=t.stateNode)Os(e,t,e.memoizedProps,r);else{if("string"!=typeof r&&null===t.stateNode)throw Error(o(166));if(n=Go(Wo.current),Go(Zo.current),po(t)){if(r=t.stateNode,n=t.memoizedProps,r[pa]=t,(i=r.nodeValue!==n)&&null!==(e=no))switch(e.tag){case 3:Yr(r.nodeValue,n,0!=(1&e.mode));break;case 5:!0!==e.memoizedProps.suppressHydrationWarning&&Yr(r.nodeValue,n,0!=(1&e.mode))}i&&(t.flags|=4)}else(r=(9===n.nodeType?n:n.ownerDocument).createTextNode(r))[pa]=t,t.stateNode=r}return Zs(t),null;case 13:if(Ca(ei),r=t.memoizedState,null===e||null!==e.memoizedState&&null!==e.memoizedState.dehydrated){if(ao&&null!==ro&&0!=(1&t.mode)&&0==(128&t.flags))fo(),ho(),t.flags|=98560,i=!1;else if(i=po(t),null!==r&&null!==r.dehydrated){if(null===e){if(!i)throw Error(o(318));if(!(i=null!==(i=t.memoizedState)?i.dehydrated:null))throw Error(o(317));i[pa]=t}else ho(),0==(128&t.flags)&&(t.memoizedState=null),t.flags|=4;Zs(t),i=!1}else null!==oo&&(ic(oo),oo=null),i=!0;if(!i)return 65536&t.flags?t:null}return 0!=(128&t.flags)?(t.lanes=n,t):((r=null!==r)!==(null!==e&&null!==e.memoizedState)&&r&&(t.child.flags|=8192,0!=(1&t.mode)&&(null===e||0!=(1&ei.current)?0===Ol&&(Ol=3):mc())),null!==t.updateQueue&&(t.flags|=4),Zs(t),null);case 4:return Ko(),Ns(e,t),null===e&&Ur(t.stateNode.containerInfo),Zs(t),null;case 10:return Lo(t.type._context),Zs(t),null;case 19:if(Ca(ei),null===(i=t.memoizedState))return Zs(t),null;if(r=0!=(128&t.flags),null===(l=i.rendering))if(r)Qs(i,!1);else{if(0!==Ol||null!==e&&0!=(128&e.flags))for(e=t.child;null!==e;){if(null!==(l=ti(e))){for(t.flags|=128,Qs(i,!1),null!==(r=l.updateQueue)&&(t.updateQueue=r,t.flags|=4),t.subtreeFlags=0,r=n,n=t.child;null!==n;)e=r,(i=n).flags&=14680066,null===(l=i.alternate)?(i.childLanes=0,i.lanes=e,i.child=null,i.subtreeFlags=0,i.memoizedProps=null,i.memoizedState=null,i.updateQueue=null,i.dependencies=null,i.stateNode=null):(i.childLanes=l.childLanes,i.lanes=l.lanes,i.child=l.child,i.subtreeFlags=0,i.deletions=null,i.memoizedProps=l.memoizedProps,i.memoizedState=l.memoizedState,i.updateQueue=l.updateQueue,i.type=l.type,e=l.dependencies,i.dependencies=null===e?null:{lanes:e.lanes,firstContext:e.firstContext}),n=n.sibling;return _a(ei,1&ei.current|2),t.child}e=e.sibling}null!==i.tail&&Ke()>Ul&&(t.flags|=128,r=!0,Qs(i,!1),t.lanes=4194304)}else{if(!r)if(null!==(e=ti(l))){if(t.flags|=128,r=!0,null!==(n=e.updateQueue)&&(t.updateQueue=n,t.flags|=4),Qs(i,!0),null===i.tail&&"hidden"===i.tailMode&&!l.alternate&&!ao)return Zs(t),null}else 2*Ke()-i.renderingStartTime>Ul&&1073741824!==n&&(t.flags|=128,r=!0,Qs(i,!1),t.lanes=4194304);i.isBackwards?(l.sibling=t.child,t.child=l):(null!==(n=i.last)?n.sibling=l:t.child=l,i.last=l)}return null!==i.tail?(t=i.tail,i.rendering=t,i.tail=t.sibling,i.renderingStartTime=Ke(),t.sibling=null,n=ei.current,_a(ei,r?1&n|2:1&n),t):(Zs(t),null);case 22:case 23:return dc(),r=null!==t.memoizedState,null!==e&&null!==e.memoizedState!==r&&(t.flags|=8192),r&&0!=(1&t.mode)?0!=(1073741824&Nl)&&(Zs(t),6&t.subtreeFlags&&(t.flags|=8192)):Zs(t),null;case 24:case 25:return null}throw Error(o(156,t.tag))}function Ws(e,t){switch(to(t),t.tag){case 1:return Na(t.type)&&Aa(),65536&(e=t.flags)?(t.flags=-65537&e|128,t):null;case 3:return Ko(),Ca(Ra),Ca(La),ri(),0!=(65536&(e=t.flags))&&0==(128&e)?(t.flags=-65537&e|128,t):null;case 5:return Jo(t),null;case 13:if(Ca(ei),null!==(e=t.memoizedState)&&null!==e.dehydrated){if(null===t.alternate)throw Error(o(340));ho()}return 65536&(e=t.flags)?(t.flags=-65537&e|128,t):null;case 19:return Ca(ei),null;case 4:return Ko(),null;case 10:return Lo(t.type._context),null;case 22:case 23:return dc(),null;default:return null}}Ps=function(e,t){for(var n=t.child;null!==n;){if(5===n.tag||6===n.tag)e.appendChild(n.stateNode);else if(4!==n.tag&&null!==n.child){n.child.return=n,n=n.child;continue}if(n===t)break;for(;null===n.sibling;){if(null===n.return||n.return===t)return;n=n.return}n.sibling.return=n.return,n=n.sibling}},Ns=function(){},As=function(e,t,n,r){var a=e.memoizedProps;if(a!==r){e=t.stateNode,Go(Zo.current);var o,i=null;switch(n){case"input":a=G(e,a),r=G(e,r),i=[];break;case"select":a=F({},a,{value:void 0}),r=F({},r,{value:void 0}),i=[];break;case"textarea":a=re(e,a),r=re(e,r),i=[];break;default:"function"!=typeof a.onClick&&"function"==typeof r.onClick&&(e.onclick=Jr)}for(u in be(n,r),n=null,a)if(!r.hasOwnProperty(u)&&a.hasOwnProperty(u)&&null!=a[u])if("style"===u){var l=a[u];for(o in l)l.hasOwnProperty(o)&&(n||(n={}),n[o]="")}else"dangerouslySetInnerHTML"!==u&&"children"!==u&&"suppressContentEditableWarning"!==u&&"suppressHydrationWarning"!==u&&"autoFocus"!==u&&(s.hasOwnProperty(u)?i||(i=[]):(i=i||[]).push(u,null));for(u in r){var c=r[u];if(l=null!=a?a[u]:void 0,r.hasOwnProperty(u)&&c!==l&&(null!=c||null!=l))if("style"===u)if(l){for(o in l)!l.hasOwnProperty(o)||c&&c.hasOwnProperty(o)||(n||(n={}),n[o]="");for(o in c)c.hasOwnProperty(o)&&l[o]!==c[o]&&(n||(n={}),n[o]=c[o])}else n||(i||(i=[]),i.push(u,n)),n=c;else"dangerouslySetInnerHTML"===u?(c=c?c.__html:void 0,l=l?l.__html:void 0,null!=c&&l!==c&&(i=i||[]).push(u,c)):"children"===u?"string"!=typeof c&&"number"!=typeof c||(i=i||[]).push(u,""+c):"suppressContentEditableWarning"!==u&&"suppressHydrationWarning"!==u&&(s.hasOwnProperty(u)?(null!=c&&"onScroll"===u&&Br("scroll",e),i||l===c||(i=[])):(i=i||[]).push(u,c))}n&&(i=i||[]).push("style",n);var u=i;(t.updateQueue=u)&&(t.flags|=4)}},Os=function(e,t,n,r){n!==r&&(t.flags|=4)};var Gs=!1,Xs=!1,Ks="function"==typeof WeakSet?WeakSet:Set,Ys=null;function Js(e,t){var n=e.ref;if(null!==n)if("function"==typeof n)try{n(null)}catch(r){Ec(e,t,r)}else n.current=null}function el(e,t,n){try{n()}catch(r){Ec(e,t,r)}}var tl=!1;function nl(e,t,n){var r=t.updateQueue;if(null!==(r=null!==r?r.lastEffect:null)){var a=r=r.next;do{if((a.tag&e)===e){var o=a.destroy;a.destroy=void 0,void 0!==o&&el(t,n,o)}a=a.next}while(a!==r)}}function rl(e,t){if(null!==(t=null!==(t=t.updateQueue)?t.lastEffect:null)){var n=t=t.next;do{if((n.tag&e)===e){var r=n.create;n.destroy=r()}n=n.next}while(n!==t)}}function al(e){var t=e.ref;if(null!==t){var n=e.stateNode;e.tag,e=n,"function"==typeof t?t(e):t.current=e}}function ol(e){var t=e.alternate;null!==t&&(e.alternate=null,ol(t)),e.child=null,e.deletions=null,e.sibling=null,5===e.tag&&(null!==(t=e.stateNode)&&(delete t[pa],delete t[fa],delete t[ma],delete t[ga],delete t[ya])),e.stateNode=null,e.return=null,e.dependencies=null,e.memoizedProps=null,e.memoizedState=null,e.pendingProps=null,e.stateNode=null,e.updateQueue=null}function il(e){return 5===e.tag||3===e.tag||4===e.tag}function sl(e){e:for(;;){for(;null===e.sibling;){if(null===e.return||il(e.return))return null;e=e.return}for(e.sibling.return=e.return,e=e.sibling;5!==e.tag&&6!==e.tag&&18!==e.tag;){if(2&e.flags)continue e;if(null===e.child||4===e.tag)continue e;e.child.return=e,e=e.child}if(!(2&e.flags))return e.stateNode}}function ll(e,t,n){var r=e.tag;if(5===r||6===r)e=e.stateNode,t?8===n.nodeType?n.parentNode.insertBefore(e,t):n.insertBefore(e,t):(8===n.nodeType?(t=n.parentNode).insertBefore(e,n):(t=n).appendChild(e),null!=(n=n._reactRootContainer)||null!==t.onclick||(t.onclick=Jr));else if(4!==r&&null!==(e=e.child))for(ll(e,t,n),e=e.sibling;null!==e;)ll(e,t,n),e=e.sibling}function cl(e,t,n){var r=e.tag;if(5===r||6===r)e=e.stateNode,t?n.insertBefore(e,t):n.appendChild(e);else if(4!==r&&null!==(e=e.child))for(cl(e,t,n),e=e.sibling;null!==e;)cl(e,t,n),e=e.sibling}var ul=null,dl=!1;function pl(e,t,n){for(n=n.child;null!==n;)fl(e,t,n),n=n.sibling}function fl(e,t,n){if(ot&&"function"==typeof ot.onCommitFiberUnmount)try{ot.onCommitFiberUnmount(at,n)}catch(s){}switch(n.tag){case 5:Xs||Js(n,t);case 6:var r=ul,a=dl;ul=null,pl(e,t,n),dl=a,null!==(ul=r)&&(dl?(e=ul,n=n.stateNode,8===e.nodeType?e.parentNode.removeChild(n):e.removeChild(n)):ul.removeChild(n.stateNode));break;case 18:null!==ul&&(dl?(e=ul,n=n.stateNode,8===e.nodeType?la(e.parentNode,n):1===e.nodeType&&la(e,n),Ut(e)):la(ul,n.stateNode));break;case 4:r=ul,a=dl,ul=n.stateNode.containerInfo,dl=!0,pl(e,t,n),ul=r,dl=a;break;case 0:case 11:case 14:case 15:if(!Xs&&(null!==(r=n.updateQueue)&&null!==(r=r.lastEffect))){a=r=r.next;do{var o=a,i=o.destroy;o=o.tag,void 0!==i&&(0!=(2&o)||0!=(4&o))&&el(n,t,i),a=a.next}while(a!==r)}pl(e,t,n);break;case 1:if(!Xs&&(Js(n,t),"function"==typeof(r=n.stateNode).componentWillUnmount))try{r.props=n.memoizedProps,r.state=n.memoizedState,r.componentWillUnmount()}catch(s){Ec(n,t,s)}pl(e,t,n);break;case 21:pl(e,t,n);break;case 22:1&n.mode?(Xs=(r=Xs)||null!==n.memoizedState,pl(e,t,n),Xs=r):pl(e,t,n);break;default:pl(e,t,n)}}function hl(e){var t=e.updateQueue;if(null!==t){e.updateQueue=null;var n=e.stateNode;null===n&&(n=e.stateNode=new Ks),t.forEach((function(t){var r=Lc.bind(null,e,t);n.has(t)||(n.add(t),t.then(r,r))}))}}function ml(e,t){var n=t.deletions;if(null!==n)for(var r=0;r<n.length;r++){var a=n[r];try{var i=e,s=t,l=s;e:for(;null!==l;){switch(l.tag){case 5:ul=l.stateNode,dl=!1;break e;case 3:case 4:ul=l.stateNode.containerInfo,dl=!0;break e}l=l.return}if(null===ul)throw Error(o(160));fl(i,s,a),ul=null,dl=!1;var c=a.alternate;null!==c&&(c.return=null),a.return=null}catch(u){Ec(a,t,u)}}if(12854&t.subtreeFlags)for(t=t.child;null!==t;)gl(t,e),t=t.sibling}function gl(e,t){var n=e.alternate,r=e.flags;switch(e.tag){case 0:case 11:case 14:case 15:if(ml(t,e),yl(e),4&r){try{nl(3,e,e.return),rl(3,e)}catch(g){Ec(e,e.return,g)}try{nl(5,e,e.return)}catch(g){Ec(e,e.return,g)}}break;case 1:ml(t,e),yl(e),512&r&&null!==n&&Js(n,n.return);break;case 5:if(ml(t,e),yl(e),512&r&&null!==n&&Js(n,n.return),32&e.flags){var a=e.stateNode;try{pe(a,"")}catch(g){Ec(e,e.return,g)}}if(4&r&&null!=(a=e.stateNode)){var i=e.memoizedProps,s=null!==n?n.memoizedProps:i,l=e.type,c=e.updateQueue;if(e.updateQueue=null,null!==c)try{"input"===l&&"radio"===i.type&&null!=i.name&&K(a,i),ve(l,s);var u=ve(l,i);for(s=0;s<c.length;s+=2){var d=c[s],p=c[s+1];"style"===d?ge(a,p):"dangerouslySetInnerHTML"===d?de(a,p):"children"===d?pe(a,p):v(a,d,p,u)}switch(l){case"input":Y(a,i);break;case"textarea":oe(a,i);break;case"select":var f=a._wrapperState.wasMultiple;a._wrapperState.wasMultiple=!!i.multiple;var h=i.value;null!=h?ne(a,!!i.multiple,h,!1):f!==!!i.multiple&&(null!=i.defaultValue?ne(a,!!i.multiple,i.defaultValue,!0):ne(a,!!i.multiple,i.multiple?[]:"",!1))}a[fa]=i}catch(g){Ec(e,e.return,g)}}break;case 6:if(ml(t,e),yl(e),4&r){if(null===e.stateNode)throw Error(o(162));a=e.stateNode,i=e.memoizedProps;try{a.nodeValue=i}catch(g){Ec(e,e.return,g)}}break;case 3:if(ml(t,e),yl(e),4&r&&null!==n&&n.memoizedState.isDehydrated)try{Ut(t.containerInfo)}catch(g){Ec(e,e.return,g)}break;case 4:default:ml(t,e),yl(e);break;case 13:ml(t,e),yl(e),8192&(a=e.child).flags&&(i=null!==a.memoizedState,a.stateNode.isHidden=i,!i||null!==a.alternate&&null!==a.alternate.memoizedState||($l=Ke())),4&r&&hl(e);break;case 22:if(d=null!==n&&null!==n.memoizedState,1&e.mode?(Xs=(u=Xs)||d,ml(t,e),Xs=u):ml(t,e),yl(e),8192&r){if(u=null!==e.memoizedState,(e.stateNode.isHidden=u)&&!d&&0!=(1&e.mode))for(Ys=e,d=e.child;null!==d;){for(p=Ys=d;null!==Ys;){switch(h=(f=Ys).child,f.tag){case 0:case 11:case 14:case 15:nl(4,f,f.return);break;case 1:Js(f,f.return);var m=f.stateNode;if("function"==typeof m.componentWillUnmount){r=f,n=f.return;try{t=r,m.props=t.memoizedProps,m.state=t.memoizedState,m.componentWillUnmount()}catch(g){Ec(r,n,g)}}break;case 5:Js(f,f.return);break;case 22:if(null!==f.memoizedState){wl(p);continue}}null!==h?(h.return=f,Ys=h):wl(p)}d=d.sibling}e:for(d=null,p=e;;){if(5===p.tag){if(null===d){d=p;try{a=p.stateNode,u?"function"==typeof(i=a.style).setProperty?i.setProperty("display","none","important"):i.display="none":(l=p.stateNode,s=null!=(c=p.memoizedProps.style)&&c.hasOwnProperty("display")?c.display:null,l.style.display=me("display",s))}catch(g){Ec(e,e.return,g)}}}else if(6===p.tag){if(null===d)try{p.stateNode.nodeValue=u?"":p.memoizedProps}catch(g){Ec(e,e.return,g)}}else if((22!==p.tag&&23!==p.tag||null===p.memoizedState||p===e)&&null!==p.child){p.child.return=p,p=p.child;continue}if(p===e)break e;for(;null===p.sibling;){if(null===p.return||p.return===e)break e;d===p&&(d=null),p=p.return}d===p&&(d=null),p.sibling.return=p.return,p=p.sibling}}break;case 19:ml(t,e),yl(e),4&r&&hl(e);case 21:}}function yl(e){var t=e.flags;if(2&t){try{e:{for(var n=e.return;null!==n;){if(il(n)){var r=n;break e}n=n.return}throw Error(o(160))}switch(r.tag){case 5:var a=r.stateNode;32&r.flags&&(pe(a,""),r.flags&=-33),cl(e,sl(e),a);break;case 3:case 4:var i=r.stateNode.containerInfo;ll(e,sl(e),i);break;default:throw Error(o(161))}}catch(s){Ec(e,e.return,s)}e.flags&=-3}4096&t&&(e.flags&=-4097)}function bl(e,t,n){Ys=e,vl(e,t,n)}function vl(e,t,n){for(var r=0!=(1&e.mode);null!==Ys;){var a=Ys,o=a.child;if(22===a.tag&&r){var i=null!==a.memoizedState||Gs;if(!i){var s=a.alternate,l=null!==s&&null!==s.memoizedState||Xs;s=Gs;var c=Xs;if(Gs=i,(Xs=l)&&!c)for(Ys=a;null!==Ys;)l=(i=Ys).child,22===i.tag&&null!==i.memoizedState?xl(a):null!==l?(l.return=i,Ys=l):xl(a);for(;null!==o;)Ys=o,vl(o,t,n),o=o.sibling;Ys=a,Gs=s,Xs=c}kl(e)}else 0!=(8772&a.subtreeFlags)&&null!==o?(o.return=a,Ys=o):kl(e)}}function kl(e){for(;null!==Ys;){var t=Ys;if(0!=(8772&t.flags)){var n=t.alternate;try{if(0!=(8772&t.flags))switch(t.tag){case 0:case 11:case 15:Xs||rl(5,t);break;case 1:var r=t.stateNode;if(4&t.flags&&!Xs)if(null===n)r.componentDidMount();else{var a=t.elementType===t.type?n.memoizedProps:ns(t.type,n.memoizedProps);r.componentDidUpdate(a,n.memoizedState,r.__reactInternalSnapshotBeforeUpdate)}var i=t.updateQueue;null!==i&&Ho(t,i,r);break;case 3:var s=t.updateQueue;if(null!==s){if(n=null,null!==t.child)switch(t.child.tag){case 5:case 1:n=t.child.stateNode}Ho(t,s,n)}break;case 5:var l=t.stateNode;if(null===n&&4&t.flags){n=l;var c=t.memoizedProps;switch(t.type){case"button":case"input":case"select":case"textarea":c.autoFocus&&n.focus();break;case"img":c.src&&(n.src=c.src)}}break;case 6:case 4:case 12:case 19:case 17:case 21:case 22:case 23:case 25:break;case 13:if(null===t.memoizedState){var u=t.alternate;if(null!==u){var d=u.memoizedState;if(null!==d){var p=d.dehydrated;null!==p&&Ut(p)}}}break;default:throw Error(o(163))}Xs||512&t.flags&&al(t)}catch(f){Ec(t,t.return,f)}}if(t===e){Ys=null;break}if(null!==(n=t.sibling)){n.return=t.return,Ys=n;break}Ys=t.return}}function wl(e){for(;null!==Ys;){var t=Ys;if(t===e){Ys=null;break}var n=t.sibling;if(null!==n){n.return=t.return,Ys=n;break}Ys=t.return}}function xl(e){for(;null!==Ys;){var t=Ys;try{switch(t.tag){case 0:case 11:case 15:var n=t.return;try{rl(4,t)}catch(l){Ec(t,n,l)}break;case 1:var r=t.stateNode;if("function"==typeof r.componentDidMount){var a=t.return;try{r.componentDidMount()}catch(l){Ec(t,a,l)}}var o=t.return;try{al(t)}catch(l){Ec(t,o,l)}break;case 5:var i=t.return;try{al(t)}catch(l){Ec(t,i,l)}}}catch(l){Ec(t,t.return,l)}if(t===e){Ys=null;break}var s=t.sibling;if(null!==s){s.return=t.return,Ys=s;break}Ys=t.return}}var Sl,El=Math.ceil,Cl=k.ReactCurrentDispatcher,_l=k.ReactCurrentOwner,Tl=k.ReactCurrentBatchConfig,Ll=0,Rl=null,jl=null,Pl=0,Nl=0,Al=Ea(0),Ol=0,Il=null,Dl=0,Fl=0,Ml=0,Bl=null,zl=null,$l=0,Ul=1/0,ql=null,Hl=!1,Ql=null,Zl=null,Vl=!1,Wl=null,Gl=0,Xl=0,Kl=null,Yl=-1,Jl=0;function ec(){return 0!=(6&Ll)?Ke():-1!==Yl?Yl:Yl=Ke()}function tc(e){return 0==(1&e.mode)?1:0!=(2&Ll)&&0!==Pl?Pl&-Pl:null!==go.transition?(0===Jl&&(Jl=mt()),Jl):0!==(e=vt)?e:e=void 0===(e=window.event)?16:Xt(e.type)}function nc(e,t,n,r){if(50<Xl)throw Xl=0,Kl=null,Error(o(185));yt(e,n,r),0!=(2&Ll)&&e===Rl||(e===Rl&&(0==(2&Ll)&&(Fl|=n),4===Ol&&sc(e,Pl)),rc(e,r),1===n&&0===Ll&&0==(1&t.mode)&&(Ul=Ke()+500,Ba&&Ua()))}function rc(e,t){var n=e.callbackNode;!function(e,t){for(var n=e.suspendedLanes,r=e.pingedLanes,a=e.expirationTimes,o=e.pendingLanes;0<o;){var i=31-it(o),s=1<<i,l=a[i];-1===l?0!=(s&n)&&0==(s&r)||(a[i]=ft(s,t)):l<=t&&(e.expiredLanes|=s),o&=~s}}(e,t);var r=pt(e,e===Rl?Pl:0);if(0===r)null!==n&&We(n),e.callbackNode=null,e.callbackPriority=0;else if(t=r&-r,e.callbackPriority!==t){if(null!=n&&We(n),1===t)0===e.tag?function(e){Ba=!0,$a(e)}(lc.bind(null,e)):$a(lc.bind(null,e)),ia((function(){0==(6&Ll)&&Ua()})),n=null;else{switch(kt(r)){case 1:n=Je;break;case 4:n=et;break;case 16:default:n=tt;break;case 536870912:n=rt}n=Rc(n,ac.bind(null,e))}e.callbackPriority=t,e.callbackNode=n}}function ac(e,t){if(Yl=-1,Jl=0,0!=(6&Ll))throw Error(o(327));var n=e.callbackNode;if(xc()&&e.callbackNode!==n)return null;var r=pt(e,e===Rl?Pl:0);if(0===r)return null;if(0!=(30&r)||0!=(r&e.expiredLanes)||t)t=gc(e,r);else{t=r;var a=Ll;Ll|=2;var i=hc();for(Rl===e&&Pl===t||(ql=null,Ul=Ke()+500,pc(e,t));;)try{bc();break}catch(l){fc(e,l)}To(),Cl.current=i,Ll=a,null!==jl?t=0:(Rl=null,Pl=0,t=Ol)}if(0!==t){if(2===t&&(0!==(a=ht(e))&&(r=a,t=oc(e,a))),1===t)throw n=Il,pc(e,0),sc(e,r),rc(e,Ke()),n;if(6===t)sc(e,r);else{if(a=e.current.alternate,0==(30&r)&&!function(e){for(var t=e;;){if(16384&t.flags){var n=t.updateQueue;if(null!==n&&null!==(n=n.stores))for(var r=0;r<n.length;r++){var a=n[r],o=a.getSnapshot;a=a.value;try{if(!sr(o(),a))return!1}catch(s){return!1}}}if(n=t.child,16384&t.subtreeFlags&&null!==n)n.return=t,t=n;else{if(t===e)break;for(;null===t.sibling;){if(null===t.return||t.return===e)return!0;t=t.return}t.sibling.return=t.return,t=t.sibling}}return!0}(a)&&(2===(t=gc(e,r))&&(0!==(i=ht(e))&&(r=i,t=oc(e,i))),1===t))throw n=Il,pc(e,0),sc(e,r),rc(e,Ke()),n;switch(e.finishedWork=a,e.finishedLanes=r,t){case 0:case 1:throw Error(o(345));case 2:case 5:wc(e,zl,ql);break;case 3:if(sc(e,r),(130023424&r)===r&&10<(t=$l+500-Ke())){if(0!==pt(e,0))break;if(((a=e.suspendedLanes)&r)!==r){ec(),e.pingedLanes|=e.suspendedLanes&a;break}e.timeoutHandle=ra(wc.bind(null,e,zl,ql),t);break}wc(e,zl,ql);break;case 4:if(sc(e,r),(4194240&r)===r)break;for(t=e.eventTimes,a=-1;0<r;){var s=31-it(r);i=1<<s,(s=t[s])>a&&(a=s),r&=~i}if(r=a,10<(r=(120>(r=Ke()-r)?120:480>r?480:1080>r?1080:1920>r?1920:3e3>r?3e3:4320>r?4320:1960*El(r/1960))-r)){e.timeoutHandle=ra(wc.bind(null,e,zl,ql),r);break}wc(e,zl,ql);break;default:throw Error(o(329))}}}return rc(e,Ke()),e.callbackNode===n?ac.bind(null,e):null}function oc(e,t){var n=Bl;return e.current.memoizedState.isDehydrated&&(pc(e,t).flags|=256),2!==(e=gc(e,t))&&(t=zl,zl=n,null!==t&&ic(t)),e}function ic(e){null===zl?zl=e:zl.push.apply(zl,e)}function sc(e,t){for(t&=~Ml,t&=~Fl,e.suspendedLanes|=t,e.pingedLanes&=~t,e=e.expirationTimes;0<t;){var n=31-it(t),r=1<<n;e[n]=-1,t&=~r}}function lc(e){if(0!=(6&Ll))throw Error(o(327));xc();var t=pt(e,0);if(0==(1&t))return rc(e,Ke()),null;var n=gc(e,t);if(0!==e.tag&&2===n){var r=ht(e);0!==r&&(t=r,n=oc(e,r))}if(1===n)throw n=Il,pc(e,0),sc(e,t),rc(e,Ke()),n;if(6===n)throw Error(o(345));return e.finishedWork=e.current.alternate,e.finishedLanes=t,wc(e,zl,ql),rc(e,Ke()),null}function cc(e,t){var n=Ll;Ll|=1;try{return e(t)}finally{0===(Ll=n)&&(Ul=Ke()+500,Ba&&Ua())}}function uc(e){null!==Wl&&0===Wl.tag&&0==(6&Ll)&&xc();var t=Ll;Ll|=1;var n=Tl.transition,r=vt;try{if(Tl.transition=null,vt=1,e)return e()}finally{vt=r,Tl.transition=n,0==(6&(Ll=t))&&Ua()}}function dc(){Nl=Al.current,Ca(Al)}function pc(e,t){e.finishedWork=null,e.finishedLanes=0;var n=e.timeoutHandle;if(-1!==n&&(e.timeoutHandle=-1,aa(n)),null!==jl)for(n=jl.return;null!==n;){var r=n;switch(to(r),r.tag){case 1:null!=(r=r.type.childContextTypes)&&Aa();break;case 3:Ko(),Ca(Ra),Ca(La),ri();break;case 5:Jo(r);break;case 4:Ko();break;case 13:case 19:Ca(ei);break;case 10:Lo(r.type._context);break;case 22:case 23:dc()}n=n.return}if(Rl=e,jl=e=Ac(e.current,null),Pl=Nl=t,Ol=0,Il=null,Ml=Fl=Dl=0,zl=Bl=null,null!==No){for(t=0;t<No.length;t++)if(null!==(r=(n=No[t]).interleaved)){n.interleaved=null;var a=r.next,o=n.pending;if(null!==o){var i=o.next;o.next=a,r.next=i}n.pending=r}No=null}return e}function fc(e,t){for(;;){var n=jl;try{if(To(),ai.current=Yi,ui){for(var r=si.memoizedState;null!==r;){var a=r.queue;null!==a&&(a.pending=null),r=r.next}ui=!1}if(ii=0,ci=li=si=null,di=!1,pi=0,_l.current=null,null===n||null===n.return){Ol=1,Il=t,jl=null;break}e:{var i=e,s=n.return,l=n,c=t;if(t=Pl,l.flags|=32768,null!==c&&"object"==typeof c&&"function"==typeof c.then){var u=c,d=l,p=d.tag;if(0==(1&d.mode)&&(0===p||11===p||15===p)){var f=d.alternate;f?(d.updateQueue=f.updateQueue,d.memoizedState=f.memoizedState,d.lanes=f.lanes):(d.updateQueue=null,d.memoizedState=null)}var h=gs(s);if(null!==h){h.flags&=-257,ys(h,s,l,0,t),1&h.mode&&ms(i,u,t),c=u;var m=(t=h).updateQueue;if(null===m){var g=new Set;g.add(c),t.updateQueue=g}else m.add(c);break e}if(0==(1&t)){ms(i,u,t),mc();break e}c=Error(o(426))}else if(ao&&1&l.mode){var y=gs(s);if(null!==y){0==(65536&y.flags)&&(y.flags|=256),ys(y,s,l,0,t),mo(cs(c,l));break e}}i=c=cs(c,l),4!==Ol&&(Ol=2),null===Bl?Bl=[i]:Bl.push(i),i=s;do{switch(i.tag){case 3:i.flags|=65536,t&=-t,i.lanes|=t,Uo(i,fs(0,c,t));break e;case 1:l=c;var b=i.type,v=i.stateNode;if(0==(128&i.flags)&&("function"==typeof b.getDerivedStateFromError||null!==v&&"function"==typeof v.componentDidCatch&&(null===Zl||!Zl.has(v)))){i.flags|=65536,t&=-t,i.lanes|=t,Uo(i,hs(i,l,t));break e}}i=i.return}while(null!==i)}kc(n)}catch(k){t=k,jl===n&&null!==n&&(jl=n=n.return);continue}break}}function hc(){var e=Cl.current;return Cl.current=Yi,null===e?Yi:e}function mc(){0!==Ol&&3!==Ol&&2!==Ol||(Ol=4),null===Rl||0==(268435455&Dl)&&0==(268435455&Fl)||sc(Rl,Pl)}function gc(e,t){var n=Ll;Ll|=2;var r=hc();for(Rl===e&&Pl===t||(ql=null,pc(e,t));;)try{yc();break}catch(a){fc(e,a)}if(To(),Ll=n,Cl.current=r,null!==jl)throw Error(o(261));return Rl=null,Pl=0,Ol}function yc(){for(;null!==jl;)vc(jl)}function bc(){for(;null!==jl&&!Ge();)vc(jl)}function vc(e){var t=Sl(e.alternate,e,Nl);e.memoizedProps=e.pendingProps,null===t?kc(e):jl=t,_l.current=null}function kc(e){var t=e;do{var n=t.alternate;if(e=t.return,0==(32768&t.flags)){if(null!==(n=Vs(n,t,Nl)))return void(jl=n)}else{if(null!==(n=Ws(n,t)))return n.flags&=32767,void(jl=n);if(null===e)return Ol=6,void(jl=null);e.flags|=32768,e.subtreeFlags=0,e.deletions=null}if(null!==(t=t.sibling))return void(jl=t);jl=t=e}while(null!==t);0===Ol&&(Ol=5)}function wc(e,t,n){var r=vt,a=Tl.transition;try{Tl.transition=null,vt=1,function(e,t,n,r){do{xc()}while(null!==Wl);if(0!=(6&Ll))throw Error(o(327));n=e.finishedWork;var a=e.finishedLanes;if(null===n)return null;if(e.finishedWork=null,e.finishedLanes=0,n===e.current)throw Error(o(177));e.callbackNode=null,e.callbackPriority=0;var i=n.lanes|n.childLanes;if(function(e,t){var n=e.pendingLanes&~t;e.pendingLanes=t,e.suspendedLanes=0,e.pingedLanes=0,e.expiredLanes&=t,e.mutableReadLanes&=t,e.entangledLanes&=t,t=e.entanglements;var r=e.eventTimes;for(e=e.expirationTimes;0<n;){var a=31-it(n),o=1<<a;t[a]=0,r[a]=-1,e[a]=-1,n&=~o}}(e,i),e===Rl&&(jl=Rl=null,Pl=0),0==(2064&n.subtreeFlags)&&0==(2064&n.flags)||Vl||(Vl=!0,Rc(tt,(function(){return xc(),null}))),i=0!=(15990&n.flags),0!=(15990&n.subtreeFlags)||i){i=Tl.transition,Tl.transition=null;var s=vt;vt=1;var l=Ll;Ll|=4,_l.current=null,function(e,t){if(ea=Ht,fr(e=pr())){if("selectionStart"in e)var n={start:e.selectionStart,end:e.selectionEnd};else e:{var r=(n=(n=e.ownerDocument)&&n.defaultView||window).getSelection&&n.getSelection();if(r&&0!==r.rangeCount){n=r.anchorNode;var a=r.anchorOffset,i=r.focusNode;r=r.focusOffset;try{n.nodeType,i.nodeType}catch(w){n=null;break e}var s=0,l=-1,c=-1,u=0,d=0,p=e,f=null;t:for(;;){for(var h;p!==n||0!==a&&3!==p.nodeType||(l=s+a),p!==i||0!==r&&3!==p.nodeType||(c=s+r),3===p.nodeType&&(s+=p.nodeValue.length),null!==(h=p.firstChild);)f=p,p=h;for(;;){if(p===e)break t;if(f===n&&++u===a&&(l=s),f===i&&++d===r&&(c=s),null!==(h=p.nextSibling))break;f=(p=f).parentNode}p=h}n=-1===l||-1===c?null:{start:l,end:c}}else n=null}n=n||{start:0,end:0}}else n=null;for(ta={focusedElem:e,selectionRange:n},Ht=!1,Ys=t;null!==Ys;)if(e=(t=Ys).child,0!=(1028&t.subtreeFlags)&&null!==e)e.return=t,Ys=e;else for(;null!==Ys;){t=Ys;try{var m=t.alternate;if(0!=(1024&t.flags))switch(t.tag){case 0:case 11:case 15:case 5:case 6:case 4:case 17:break;case 1:if(null!==m){var g=m.memoizedProps,y=m.memoizedState,b=t.stateNode,v=b.getSnapshotBeforeUpdate(t.elementType===t.type?g:ns(t.type,g),y);b.__reactInternalSnapshotBeforeUpdate=v}break;case 3:var k=t.stateNode.containerInfo;1===k.nodeType?k.textContent="":9===k.nodeType&&k.documentElement&&k.removeChild(k.documentElement);break;default:throw Error(o(163))}}catch(w){Ec(t,t.return,w)}if(null!==(e=t.sibling)){e.return=t.return,Ys=e;break}Ys=t.return}m=tl,tl=!1}(e,n),gl(n,e),hr(ta),Ht=!!ea,ta=ea=null,e.current=n,bl(n,e,a),Xe(),Ll=l,vt=s,Tl.transition=i}else e.current=n;if(Vl&&(Vl=!1,Wl=e,Gl=a),i=e.pendingLanes,0===i&&(Zl=null),function(e){if(ot&&"function"==typeof ot.onCommitFiberRoot)try{ot.onCommitFiberRoot(at,e,void 0,128==(128&e.current.flags))}catch(t){}}(n.stateNode),rc(e,Ke()),null!==t)for(r=e.onRecoverableError,n=0;n<t.length;n++)a=t[n],r(a.value,{componentStack:a.stack,digest:a.digest});if(Hl)throw Hl=!1,e=Ql,Ql=null,e;0!=(1&Gl)&&0!==e.tag&&xc(),i=e.pendingLanes,0!=(1&i)?e===Kl?Xl++:(Xl=0,Kl=e):Xl=0,Ua()}(e,t,n,r)}finally{Tl.transition=a,vt=r}return null}function xc(){if(null!==Wl){var e=kt(Gl),t=Tl.transition,n=vt;try{if(Tl.transition=null,vt=16>e?16:e,null===Wl)var r=!1;else{if(e=Wl,Wl=null,Gl=0,0!=(6&Ll))throw Error(o(331));var a=Ll;for(Ll|=4,Ys=e.current;null!==Ys;){var i=Ys,s=i.child;if(0!=(16&Ys.flags)){var l=i.deletions;if(null!==l){for(var c=0;c<l.length;c++){var u=l[c];for(Ys=u;null!==Ys;){var d=Ys;switch(d.tag){case 0:case 11:case 15:nl(8,d,i)}var p=d.child;if(null!==p)p.return=d,Ys=p;else for(;null!==Ys;){var f=(d=Ys).sibling,h=d.return;if(ol(d),d===u){Ys=null;break}if(null!==f){f.return=h,Ys=f;break}Ys=h}}}var m=i.alternate;if(null!==m){var g=m.child;if(null!==g){m.child=null;do{var y=g.sibling;g.sibling=null,g=y}while(null!==g)}}Ys=i}}if(0!=(2064&i.subtreeFlags)&&null!==s)s.return=i,Ys=s;else e:for(;null!==Ys;){if(0!=(2048&(i=Ys).flags))switch(i.tag){case 0:case 11:case 15:nl(9,i,i.return)}var b=i.sibling;if(null!==b){b.return=i.return,Ys=b;break e}Ys=i.return}}var v=e.current;for(Ys=v;null!==Ys;){var k=(s=Ys).child;if(0!=(2064&s.subtreeFlags)&&null!==k)k.return=s,Ys=k;else e:for(s=v;null!==Ys;){if(0!=(2048&(l=Ys).flags))try{switch(l.tag){case 0:case 11:case 15:rl(9,l)}}catch(x){Ec(l,l.return,x)}if(l===s){Ys=null;break e}var w=l.sibling;if(null!==w){w.return=l.return,Ys=w;break e}Ys=l.return}}if(Ll=a,Ua(),ot&&"function"==typeof ot.onPostCommitFiberRoot)try{ot.onPostCommitFiberRoot(at,e)}catch(x){}r=!0}return r}finally{vt=n,Tl.transition=t}}return!1}function Sc(e,t,n){e=zo(e,t=fs(0,t=cs(n,t),1),1),t=ec(),null!==e&&(yt(e,1,t),rc(e,t))}function Ec(e,t,n){if(3===e.tag)Sc(e,e,n);else for(;null!==t;){if(3===t.tag){Sc(t,e,n);break}if(1===t.tag){var r=t.stateNode;if("function"==typeof t.type.getDerivedStateFromError||"function"==typeof r.componentDidCatch&&(null===Zl||!Zl.has(r))){t=zo(t,e=hs(t,e=cs(n,e),1),1),e=ec(),null!==t&&(yt(t,1,e),rc(t,e));break}}t=t.return}}function Cc(e,t,n){var r=e.pingCache;null!==r&&r.delete(t),t=ec(),e.pingedLanes|=e.suspendedLanes&n,Rl===e&&(Pl&n)===n&&(4===Ol||3===Ol&&(130023424&Pl)===Pl&&500>Ke()-$l?pc(e,0):Ml|=n),rc(e,t)}function _c(e,t){0===t&&(0==(1&e.mode)?t=1:(t=ut,0==(130023424&(ut<<=1))&&(ut=4194304)));var n=ec();null!==(e=Io(e,t))&&(yt(e,t,n),rc(e,n))}function Tc(e){var t=e.memoizedState,n=0;null!==t&&(n=t.retryLane),_c(e,n)}function Lc(e,t){var n=0;switch(e.tag){case 13:var r=e.stateNode,a=e.memoizedState;null!==a&&(n=a.retryLane);break;case 19:r=e.stateNode;break;default:throw Error(o(314))}null!==r&&r.delete(t),_c(e,n)}function Rc(e,t){return Ve(e,t)}function jc(e,t,n,r){this.tag=e,this.key=n,this.sibling=this.child=this.return=this.stateNode=this.type=this.elementType=null,this.index=0,this.ref=null,this.pendingProps=t,this.dependencies=this.memoizedState=this.updateQueue=this.memoizedProps=null,this.mode=r,this.subtreeFlags=this.flags=0,this.deletions=null,this.childLanes=this.lanes=0,this.alternate=null}function Pc(e,t,n,r){return new jc(e,t,n,r)}function Nc(e){return!(!(e=e.prototype)||!e.isReactComponent)}function Ac(e,t){var n=e.alternate;return null===n?((n=Pc(e.tag,t,e.key,e.mode)).elementType=e.elementType,n.type=e.type,n.stateNode=e.stateNode,n.alternate=e,e.alternate=n):(n.pendingProps=t,n.type=e.type,n.flags=0,n.subtreeFlags=0,n.deletions=null),n.flags=14680064&e.flags,n.childLanes=e.childLanes,n.lanes=e.lanes,n.child=e.child,n.memoizedProps=e.memoizedProps,n.memoizedState=e.memoizedState,n.updateQueue=e.updateQueue,t=e.dependencies,n.dependencies=null===t?null:{lanes:t.lanes,firstContext:t.firstContext},n.sibling=e.sibling,n.index=e.index,n.ref=e.ref,n}function Oc(e,t,n,r,a,i){var s=2;if(r=e,"function"==typeof e)Nc(e)&&(s=1);else if("string"==typeof e)s=5;else e:switch(e){case S:return Ic(n.children,a,i,t);case E:s=8,a|=8;break;case C:return(e=Pc(12,n,t,2|a)).elementType=C,e.lanes=i,e;case R:return(e=Pc(13,n,t,a)).elementType=R,e.lanes=i,e;case j:return(e=Pc(19,n,t,a)).elementType=j,e.lanes=i,e;case A:return Dc(n,a,i,t);default:if("object"==typeof e&&null!==e)switch(e.$$typeof){case _:s=10;break e;case T:s=9;break e;case L:s=11;break e;case P:s=14;break e;case N:s=16,r=null;break e}throw Error(o(130,null==e?e:typeof e,""))}return(t=Pc(s,n,t,a)).elementType=e,t.type=r,t.lanes=i,t}function Ic(e,t,n,r){return(e=Pc(7,e,r,t)).lanes=n,e}function Dc(e,t,n,r){return(e=Pc(22,e,r,t)).elementType=A,e.lanes=n,e.stateNode={isHidden:!1},e}function Fc(e,t,n){return(e=Pc(6,e,null,t)).lanes=n,e}function Mc(e,t,n){return(t=Pc(4,null!==e.children?e.children:[],e.key,t)).lanes=n,t.stateNode={containerInfo:e.containerInfo,pendingChildren:null,implementation:e.implementation},t}function Bc(e,t,n,r,a){this.tag=t,this.containerInfo=e,this.finishedWork=this.pingCache=this.current=this.pendingChildren=null,this.timeoutHandle=-1,this.callbackNode=this.pendingContext=this.context=null,this.callbackPriority=0,this.eventTimes=gt(0),this.expirationTimes=gt(-1),this.entangledLanes=this.finishedLanes=this.mutableReadLanes=this.expiredLanes=this.pingedLanes=this.suspendedLanes=this.pendingLanes=0,this.entanglements=gt(0),this.identifierPrefix=r,this.onRecoverableError=a,this.mutableSourceEagerHydrationData=null}function zc(e,t,n,r,a,o,i,s,l){return e=new Bc(e,t,n,s,l),1===t?(t=1,!0===o&&(t|=8)):t=0,o=Pc(3,null,null,t),e.current=o,o.stateNode=e,o.memoizedState={element:r,isDehydrated:n,cache:null,transitions:null,pendingSuspenseBoundaries:null},Fo(o),e}function $c(e){if(!e)return Ta;e:{if(Ue(e=e._reactInternals)!==e||1!==e.tag)throw Error(o(170));var t=e;do{switch(t.tag){case 3:t=t.stateNode.context;break e;case 1:if(Na(t.type)){t=t.stateNode.__reactInternalMemoizedMergedChildContext;break e}}t=t.return}while(null!==t);throw Error(o(171))}if(1===e.tag){var n=e.type;if(Na(n))return Ia(e,n,t)}return t}function Uc(e,t,n,r,a,o,i,s,l){return(e=zc(n,r,!0,e,0,o,0,s,l)).context=$c(null),n=e.current,(o=Bo(r=ec(),a=tc(n))).callback=null!=t?t:null,zo(n,o,a),e.current.lanes=a,yt(e,a,r),rc(e,r),e}function qc(e,t,n,r){var a=t.current,o=ec(),i=tc(a);return n=$c(n),null===t.context?t.context=n:t.pendingContext=n,(t=Bo(o,i)).payload={element:e},null!==(r=void 0===r?null:r)&&(t.callback=r),null!==(e=zo(a,t,i))&&(nc(e,a,i,o),$o(e,a,i)),i}function Hc(e){return(e=e.current).child?(e.child.tag,e.child.stateNode):null}function Qc(e,t){if(null!==(e=e.memoizedState)&&null!==e.dehydrated){var n=e.retryLane;e.retryLane=0!==n&&n<t?n:t}}function Zc(e,t){Qc(e,t),(e=e.alternate)&&Qc(e,t)}Sl=function(e,t,n){if(null!==e)if(e.memoizedProps!==t.pendingProps||Ra.current)vs=!0;else{if(0==(e.lanes&n)&&0==(128&t.flags))return vs=!1,function(e,t,n){switch(t.tag){case 3:Rs(t),ho();break;case 5:Yo(t);break;case 1:Na(t.type)&&Da(t);break;case 4:Xo(t,t.stateNode.containerInfo);break;case 10:var r=t.type._context,a=t.memoizedProps.value;_a(So,r._currentValue),r._currentValue=a;break;case 13:if(null!==(r=t.memoizedState))return null!==r.dehydrated?(_a(ei,1&ei.current),t.flags|=128,null):0!=(n&t.child.childLanes)?Fs(e,t,n):(_a(ei,1&ei.current),null!==(e=Hs(e,t,n))?e.sibling:null);_a(ei,1&ei.current);break;case 19:if(r=0!=(n&t.childLanes),0!=(128&e.flags)){if(r)return Us(e,t,n);t.flags|=128}if(null!==(a=t.memoizedState)&&(a.rendering=null,a.tail=null,a.lastEffect=null),_a(ei,ei.current),r)break;return null;case 22:case 23:return t.lanes=0,Es(e,t,n)}return Hs(e,t,n)}(e,t,n);vs=0!=(131072&e.flags)}else vs=!1,ao&&0!=(1048576&t.flags)&&Ja(t,Za,t.index);switch(t.lanes=0,t.tag){case 2:var r=t.type;qs(e,t),e=t.pendingProps;var a=Pa(t,La.current);jo(t,n),a=gi(null,t,r,e,a,n);var i=yi();return t.flags|=1,"object"==typeof a&&null!==a&&"function"==typeof a.render&&void 0===a.$$typeof?(t.tag=1,t.memoizedState=null,t.updateQueue=null,Na(r)?(i=!0,Da(t)):i=!1,t.memoizedState=null!==a.state&&void 0!==a.state?a.state:null,Fo(t),a.updater=as,t.stateNode=a,a._reactInternals=t,ls(t,r,e,n),t=Ls(null,t,r,!0,i,n)):(t.tag=0,ao&&i&&eo(t),ks(null,t,a,n),t=t.child),t;case 16:r=t.elementType;e:{switch(qs(e,t),e=t.pendingProps,r=(a=r._init)(r._payload),t.type=r,a=t.tag=function(e){if("function"==typeof e)return Nc(e)?1:0;if(null!=e){if((e=e.$$typeof)===L)return 11;if(e===P)return 14}return 2}(r),e=ns(r,e),a){case 0:t=_s(null,t,r,e,n);break e;case 1:t=Ts(null,t,r,e,n);break e;case 11:t=ws(null,t,r,e,n);break e;case 14:t=xs(null,t,r,ns(r.type,e),n);break e}throw Error(o(306,r,""))}return t;case 0:return r=t.type,a=t.pendingProps,_s(e,t,r,a=t.elementType===r?a:ns(r,a),n);case 1:return r=t.type,a=t.pendingProps,Ts(e,t,r,a=t.elementType===r?a:ns(r,a),n);case 3:e:{if(Rs(t),null===e)throw Error(o(387));r=t.pendingProps,a=(i=t.memoizedState).element,Mo(e,t),qo(t,r,null,n);var s=t.memoizedState;if(r=s.element,i.isDehydrated){if(i={element:r,isDehydrated:!1,cache:s.cache,pendingSuspenseBoundaries:s.pendingSuspenseBoundaries,transitions:s.transitions},t.updateQueue.baseState=i,t.memoizedState=i,256&t.flags){t=js(e,t,r,n,a=cs(Error(o(423)),t));break e}if(r!==a){t=js(e,t,r,n,a=cs(Error(o(424)),t));break e}for(ro=ca(t.stateNode.containerInfo.firstChild),no=t,ao=!0,oo=null,n=xo(t,null,r,n),t.child=n;n;)n.flags=-3&n.flags|4096,n=n.sibling}else{if(ho(),r===a){t=Hs(e,t,n);break e}ks(e,t,r,n)}t=t.child}return t;case 5:return Yo(t),null===e&&co(t),r=t.type,a=t.pendingProps,i=null!==e?e.memoizedProps:null,s=a.children,na(r,a)?s=null:null!==i&&na(r,i)&&(t.flags|=32),Cs(e,t),ks(e,t,s,n),t.child;case 6:return null===e&&co(t),null;case 13:return Fs(e,t,n);case 4:return Xo(t,t.stateNode.containerInfo),r=t.pendingProps,null===e?t.child=wo(t,null,r,n):ks(e,t,r,n),t.child;case 11:return r=t.type,a=t.pendingProps,ws(e,t,r,a=t.elementType===r?a:ns(r,a),n);case 7:return ks(e,t,t.pendingProps,n),t.child;case 8:case 12:return ks(e,t,t.pendingProps.children,n),t.child;case 10:e:{if(r=t.type._context,a=t.pendingProps,i=t.memoizedProps,s=a.value,_a(So,r._currentValue),r._currentValue=s,null!==i)if(sr(i.value,s)){if(i.children===a.children&&!Ra.current){t=Hs(e,t,n);break e}}else for(null!==(i=t.child)&&(i.return=t);null!==i;){var l=i.dependencies;if(null!==l){s=i.child;for(var c=l.firstContext;null!==c;){if(c.context===r){if(1===i.tag){(c=Bo(-1,n&-n)).tag=2;var u=i.updateQueue;if(null!==u){var d=(u=u.shared).pending;null===d?c.next=c:(c.next=d.next,d.next=c),u.pending=c}}i.lanes|=n,null!==(c=i.alternate)&&(c.lanes|=n),Ro(i.return,n,t),l.lanes|=n;break}c=c.next}}else if(10===i.tag)s=i.type===t.type?null:i.child;else if(18===i.tag){if(null===(s=i.return))throw Error(o(341));s.lanes|=n,null!==(l=s.alternate)&&(l.lanes|=n),Ro(s,n,t),s=i.sibling}else s=i.child;if(null!==s)s.return=i;else for(s=i;null!==s;){if(s===t){s=null;break}if(null!==(i=s.sibling)){i.return=s.return,s=i;break}s=s.return}i=s}ks(e,t,a.children,n),t=t.child}return t;case 9:return a=t.type,r=t.pendingProps.children,jo(t,n),r=r(a=Po(a)),t.flags|=1,ks(e,t,r,n),t.child;case 14:return a=ns(r=t.type,t.pendingProps),xs(e,t,r,a=ns(r.type,a),n);case 15:return Ss(e,t,t.type,t.pendingProps,n);case 17:return r=t.type,a=t.pendingProps,a=t.elementType===r?a:ns(r,a),qs(e,t),t.tag=1,Na(r)?(e=!0,Da(t)):e=!1,jo(t,n),is(t,r,a),ls(t,r,a,n),Ls(null,t,r,!0,e,n);case 19:return Us(e,t,n);case 22:return Es(e,t,n)}throw Error(o(156,t.tag))};var Vc="function"==typeof reportError?reportError:function(e){console.error(e)};function Wc(e){this._internalRoot=e}function Gc(e){this._internalRoot=e}function Xc(e){return!(!e||1!==e.nodeType&&9!==e.nodeType&&11!==e.nodeType)}function Kc(e){return!(!e||1!==e.nodeType&&9!==e.nodeType&&11!==e.nodeType&&(8!==e.nodeType||" react-mount-point-unstable "!==e.nodeValue))}function Yc(){}function Jc(e,t,n,r,a){var o=n._reactRootContainer;if(o){var i=o;if("function"==typeof a){var s=a;a=function(){var e=Hc(i);s.call(e)}}qc(t,i,e,a)}else i=function(e,t,n,r,a){if(a){if("function"==typeof r){var o=r;r=function(){var e=Hc(i);o.call(e)}}var i=Uc(t,r,e,0,null,!1,0,"",Yc);return e._reactRootContainer=i,e[ha]=i.current,Ur(8===e.nodeType?e.parentNode:e),uc(),i}for(;a=e.lastChild;)e.removeChild(a);if("function"==typeof r){var s=r;r=function(){var e=Hc(l);s.call(e)}}var l=zc(e,0,!1,null,0,!1,0,"",Yc);return e._reactRootContainer=l,e[ha]=l.current,Ur(8===e.nodeType?e.parentNode:e),uc((function(){qc(t,l,n,r)})),l}(n,t,e,a,r);return Hc(i)}Gc.prototype.render=Wc.prototype.render=function(e){var t=this._internalRoot;if(null===t)throw Error(o(409));qc(e,t,null,null)},Gc.prototype.unmount=Wc.prototype.unmount=function(){var e=this._internalRoot;if(null!==e){this._internalRoot=null;var t=e.containerInfo;uc((function(){qc(null,e,null,null)})),t[ha]=null}},Gc.prototype.unstable_scheduleHydration=function(e){if(e){var t=Et();e={blockedOn:null,target:e,priority:t};for(var n=0;n<At.length&&0!==t&&t<At[n].priority;n++);At.splice(n,0,e),0===n&&Ft(e)}},wt=function(e){switch(e.tag){case 3:var t=e.stateNode;if(t.current.memoizedState.isDehydrated){var n=dt(t.pendingLanes);0!==n&&(bt(t,1|n),rc(t,Ke()),0==(6&Ll)&&(Ul=Ke()+500,Ua()))}break;case 13:uc((function(){var t=Io(e,1);if(null!==t){var n=ec();nc(t,e,1,n)}})),Zc(e,1)}},xt=function(e){if(13===e.tag){var t=Io(e,134217728);if(null!==t)nc(t,e,134217728,ec());Zc(e,134217728)}},St=function(e){if(13===e.tag){var t=tc(e),n=Io(e,t);if(null!==n)nc(n,e,t,ec());Zc(e,t)}},Et=function(){return vt},Ct=function(e,t){var n=vt;try{return vt=e,t()}finally{vt=n}},xe=function(e,t,n){switch(t){case"input":if(Y(e,n),t=n.name,"radio"===n.type&&null!=t){for(n=e;n.parentNode;)n=n.parentNode;for(n=n.querySelectorAll("input[name="+JSON.stringify(""+t)+'][type="radio"]'),t=0;t<n.length;t++){var r=n[t];if(r!==e&&r.form===e.form){var a=wa(r);if(!a)throw Error(o(90));V(r),Y(r,a)}}}break;case"textarea":oe(e,n);break;case"select":null!=(t=n.value)&&ne(e,!!n.multiple,t,!1)}},Le=cc,Re=uc;var eu={usingClientEntryPoint:!1,Events:[va,ka,wa,_e,Te,cc]},tu={findFiberByHostInstance:ba,bundleType:0,version:"18.3.1",rendererPackageName:"react-dom"},nu={bundleType:tu.bundleType,version:tu.version,rendererPackageName:tu.rendererPackageName,rendererConfig:tu.rendererConfig,overrideHookState:null,overrideHookStateDeletePath:null,overrideHookStateRenamePath:null,overrideProps:null,overridePropsDeletePath:null,overridePropsRenamePath:null,setErrorHandler:null,setSuspenseHandler:null,scheduleUpdate:null,currentDispatcherRef:k.ReactCurrentDispatcher,findHostInstanceByFiber:function(e){return null===(e=Qe(e))?null:e.stateNode},findFiberByHostInstance:tu.findFiberByHostInstance||function(){return null},findHostInstancesForRefresh:null,scheduleRefresh:null,scheduleRoot:null,setRefreshHandler:null,getCurrentFiber:null,reconcilerVersion:"18.3.1-next-f1338f8080-20240426"};if("undefined"!=typeof __REACT_DEVTOOLS_GLOBAL_HOOK__){var ru=__REACT_DEVTOOLS_GLOBAL_HOOK__;if(!ru.isDisabled&&ru.supportsFiber)try{at=ru.inject(nu),ot=ru}catch(ue){}}t.__SECRET_INTERNALS_DO_NOT_USE_OR_YOU_WILL_BE_FIRED=eu,t.createPortal=function(e,t){var n=2<arguments.length&&void 0!==arguments[2]?arguments[2]:null;if(!Xc(t))throw Error(o(200));return function(e,t,n){var r=3<arguments.length&&void 0!==arguments[3]?arguments[3]:null;return{$$typeof:x,key:null==r?null:""+r,children:e,containerInfo:t,implementation:n}}(e,t,null,n)},t.createRoot=function(e,t){if(!Xc(e))throw Error(o(299));var n=!1,r="",a=Vc;return null!=t&&(!0===t.unstable_strictMode&&(n=!0),void 0!==t.identifierPrefix&&(r=t.identifierPrefix),void 0!==t.onRecoverableError&&(a=t.onRecoverableError)),t=zc(e,1,!1,null,0,n,0,r,a),e[ha]=t.current,Ur(8===e.nodeType?e.parentNode:e),new Wc(t)},t.findDOMNode=function(e){if(null==e)return null;if(1===e.nodeType)return e;var t=e._reactInternals;if(void 0===t){if("function"==typeof e.render)throw Error(o(188));throw e=Object.keys(e).join(","),Error(o(268,e))}return e=null===(e=Qe(t))?null:e.stateNode},t.flushSync=function(e){return uc(e)},t.hydrate=function(e,t,n){if(!Kc(t))throw Error(o(200));return Jc(null,e,t,!0,n)},t.hydrateRoot=function(e,t,n){if(!Xc(e))throw Error(o(405));var r=null!=n&&n.hydratedSources||null,a=!1,i="",s=Vc;if(null!=n&&(!0===n.unstable_strictMode&&(a=!0),void 0!==n.identifierPrefix&&(i=n.identifierPrefix),void 0!==n.onRecoverableError&&(s=n.onRecoverableError)),t=Uc(t,null,e,1,null!=n?n:null,a,0,i,s),e[ha]=t.current,Ur(e),r)for(e=0;e<r.length;e++)a=(a=(n=r[e])._getVersion)(n._source),null==t.mutableSourceEagerHydrationData?t.mutableSourceEagerHydrationData=[n,a]:t.mutableSourceEagerHydrationData.push(n,a);return new Gc(t)},t.render=function(e,t,n){if(!Kc(t))throw Error(o(200));return Jc(null,e,t,!1,n)},t.unmountComponentAtNode=function(e){if(!Kc(e))throw Error(o(40));return!!e._reactRootContainer&&(uc((function(){Jc(null,null,e,!1,(function(){e._reactRootContainer=null,e[ha]=null}))})),!0)},t.unstable_batchedUpdates=cc,t.unstable_renderSubtreeIntoContainer=function(e,t,n,r){if(!Kc(n))throw Error(o(200));if(null==e||void 0===e._reactInternals)throw Error(o(38));return Jc(e,t,n,!1,r)},t.version="18.3.1-next-f1338f8080-20240426"},745:(e,t,n)=>{"use strict";var r=n(3935);t.createRoot=r.createRoot,t.hydrateRoot=r.hydrateRoot},3935:(e,t,n)=>{"use strict";!function e(){if("undefined"!=typeof __REACT_DEVTOOLS_GLOBAL_HOOK__&&"function"==typeof __REACT_DEVTOOLS_GLOBAL_HOOK__.checkDCE)try{__REACT_DEVTOOLS_GLOBAL_HOOK__.checkDCE(e)}catch(t){console.error(t)}}(),e.exports=n(4448)},9590:e=>{var t="undefined"!=typeof Element,n="function"==typeof Map,r="function"==typeof Set,a="function"==typeof ArrayBuffer&&!!ArrayBuffer.isView;function o(e,i){if(e===i)return!0;if(e&&i&&"object"==typeof e&&"object"==typeof i){if(e.constructor!==i.constructor)return!1;var s,l,c,u;if(Array.isArray(e)){if((s=e.length)!=i.length)return!1;for(l=s;0!=l--;)if(!o(e[l],i[l]))return!1;return!0}if(n&&e instanceof Map&&i instanceof Map){if(e.size!==i.size)return!1;for(u=e.entries();!(l=u.next()).done;)if(!i.has(l.value[0]))return!1;for(u=e.entries();!(l=u.next()).done;)if(!o(l.value[1],i.get(l.value[0])))return!1;return!0}if(r&&e instanceof Set&&i instanceof Set){if(e.size!==i.size)return!1;for(u=e.entries();!(l=u.next()).done;)if(!i.has(l.value[0]))return!1;return!0}if(a&&ArrayBuffer.isView(e)&&ArrayBuffer.isView(i)){if((s=e.length)!=i.length)return!1;for(l=s;0!=l--;)if(e[l]!==i[l])return!1;return!0}if(e.constructor===RegExp)return e.source===i.source&&e.flags===i.flags;if(e.valueOf!==Object.prototype.valueOf&&"function"==typeof e.valueOf&&"function"==typeof i.valueOf)return e.valueOf()===i.valueOf();if(e.toString!==Object.prototype.toString&&"function"==typeof e.toString&&"function"==typeof i.toString)return e.toString()===i.toString();if((s=(c=Object.keys(e)).length)!==Object.keys(i).length)return!1;for(l=s;0!=l--;)if(!Object.prototype.hasOwnProperty.call(i,c[l]))return!1;if(t&&e instanceof Element)return!1;for(l=s;0!=l--;)if(("_owner"!==c[l]&&"__v"!==c[l]&&"__o"!==c[l]||!e.$$typeof)&&!o(e[c[l]],i[c[l]]))return!1;return!0}return e!=e&&i!=i}e.exports=function(e,t){try{return o(e,t)}catch(n){if((n.message||"").match(/stack|recursion/i))return console.warn("react-fast-compare cannot handle circular refs"),!1;throw n}}},405:(e,t,n)=>{"use strict";n.d(t,{B6:()=>Q,ql:()=>J});var r=n(7294),a=n(5697),o=n.n(a),i=n(9590),s=n.n(i),l=n(1143),c=n.n(l),u=n(6774),d=n.n(u);function p(){return p=Object.assign||function(e){for(var t=1;t<arguments.length;t++){var n=arguments[t];for(var r in n)Object.prototype.hasOwnProperty.call(n,r)&&(e[r]=n[r])}return e},p.apply(this,arguments)}function f(e,t){e.prototype=Object.create(t.prototype),e.prototype.constructor=e,h(e,t)}function h(e,t){return h=Object.setPrototypeOf||function(e,t){return e.__proto__=t,e},h(e,t)}function m(e,t){if(null==e)return{};var n,r,a={},o=Object.keys(e);for(r=0;r<o.length;r++)t.indexOf(n=o[r])>=0||(a[n]=e[n]);return a}var g={BASE:"base",BODY:"body",HEAD:"head",HTML:"html",LINK:"link",META:"meta",NOSCRIPT:"noscript",SCRIPT:"script",STYLE:"style",TITLE:"title",FRAGMENT:"Symbol(react.fragment)"},y={rel:["amphtml","canonical","alternate"]},b={type:["application/ld+json"]},v={charset:"",name:["robots","description"],property:["og:type","og:title","og:url","og:image","og:image:alt","og:description","twitter:url","twitter:title","twitter:description","twitter:image","twitter:image:alt","twitter:card","twitter:site"]},k=Object.keys(g).map((function(e){return g[e]})),w={accesskey:"accessKey",charset:"charSet",class:"className",contenteditable:"contentEditable",contextmenu:"contextMenu","http-equiv":"httpEquiv",itemprop:"itemProp",tabindex:"tabIndex"},x=Object.keys(w).reduce((function(e,t){return e[w[t]]=t,e}),{}),S=function(e,t){for(var n=e.length-1;n>=0;n-=1){var r=e[n];if(Object.prototype.hasOwnProperty.call(r,t))return r[t]}return null},E=function(e){var t=S(e,g.TITLE),n=S(e,"titleTemplate");if(Array.isArray(t)&&(t=t.join("")),n&&t)return n.replace(/%s/g,(function(){return t}));var r=S(e,"defaultTitle");return t||r||void 0},C=function(e){return S(e,"onChangeClientState")||function(){}},_=function(e,t){return t.filter((function(t){return void 0!==t[e]})).map((function(t){return t[e]})).reduce((function(e,t){return p({},e,t)}),{})},T=function(e,t){return t.filter((function(e){return void 0!==e[g.BASE]})).map((function(e){return e[g.BASE]})).reverse().reduce((function(t,n){if(!t.length)for(var r=Object.keys(n),a=0;a<r.length;a+=1){var o=r[a].toLowerCase();if(-1!==e.indexOf(o)&&n[o])return t.concat(n)}return t}),[])},L=function(e,t,n){var r={};return n.filter((function(t){return!!Array.isArray(t[e])||(void 0!==t[e]&&console&&"function"==typeof console.warn&&console.warn("Helmet: "+e+' should be of type "Array". Instead found type "'+typeof t[e]+'"'),!1)})).map((function(t){return t[e]})).reverse().reduce((function(e,n){var a={};n.filter((function(e){for(var n,o=Object.keys(e),i=0;i<o.length;i+=1){var s=o[i],l=s.toLowerCase();-1===t.indexOf(l)||"rel"===n&&"canonical"===e[n].toLowerCase()||"rel"===l&&"stylesheet"===e[l].toLowerCase()||(n=l),-1===t.indexOf(s)||"innerHTML"!==s&&"cssText"!==s&&"itemprop"!==s||(n=s)}if(!n||!e[n])return!1;var c=e[n].toLowerCase();return r[n]||(r[n]={}),a[n]||(a[n]={}),!r[n][c]&&(a[n][c]=!0,!0)})).reverse().forEach((function(t){return e.push(t)}));for(var o=Object.keys(a),i=0;i<o.length;i+=1){var s=o[i],l=p({},r[s],a[s]);r[s]=l}return e}),[]).reverse()},R=function(e,t){if(Array.isArray(e)&&e.length)for(var n=0;n<e.length;n+=1)if(e[n][t])return!0;return!1},j=function(e){return Array.isArray(e)?e.join(""):e},P=function(e,t){return Array.isArray(e)?e.reduce((function(e,n){return function(e,t){for(var n=Object.keys(e),r=0;r<n.length;r+=1)if(t[n[r]]&&t[n[r]].includes(e[n[r]]))return!0;return!1}(n,t)?e.priority.push(n):e.default.push(n),e}),{priority:[],default:[]}):{default:e}},N=function(e,t){var n;return p({},e,((n={})[t]=void 0,n))},A=[g.NOSCRIPT,g.SCRIPT,g.STYLE],O=function(e,t){return void 0===t&&(t=!0),!1===t?String(e):String(e).replace(/&/g,"&").replace(/</g,"<").replace(/>/g,">").replace(/"/g,""").replace(/'/g,"'")},I=function(e){return Object.keys(e).reduce((function(t,n){var r=void 0!==e[n]?n+'="'+e[n]+'"':""+n;return t?t+" "+r:r}),"")},D=function(e,t){return void 0===t&&(t={}),Object.keys(e).reduce((function(t,n){return t[w[n]||n]=e[n],t}),t)},F=function(e,t){return t.map((function(t,n){var a,o=((a={key:n})["data-rh"]=!0,a);return Object.keys(t).forEach((function(e){var n=w[e]||e;"innerHTML"===n||"cssText"===n?o.dangerouslySetInnerHTML={__html:t.innerHTML||t.cssText}:o[n]=t[e]})),r.createElement(e,o)}))},M=function(e,t,n){switch(e){case g.TITLE:return{toComponent:function(){return n=t.titleAttributes,(a={key:e=t.title})["data-rh"]=!0,o=D(n,a),[r.createElement(g.TITLE,o,e)];var e,n,a,o},toString:function(){return function(e,t,n,r){var a=I(n),o=j(t);return a?"<"+e+' data-rh="true" '+a+">"+O(o,r)+"</"+e+">":"<"+e+' data-rh="true">'+O(o,r)+"</"+e+">"}(e,t.title,t.titleAttributes,n)}};case"bodyAttributes":case"htmlAttributes":return{toComponent:function(){return D(t)},toString:function(){return I(t)}};default:return{toComponent:function(){return F(e,t)},toString:function(){return function(e,t,n){return t.reduce((function(t,r){var a=Object.keys(r).filter((function(e){return!("innerHTML"===e||"cssText"===e)})).reduce((function(e,t){var a=void 0===r[t]?t:t+'="'+O(r[t],n)+'"';return e?e+" "+a:a}),""),o=r.innerHTML||r.cssText||"",i=-1===A.indexOf(e);return t+"<"+e+' data-rh="true" '+a+(i?"/>":">"+o+"</"+e+">")}),"")}(e,t,n)}}}},B=function(e){var t=e.baseTag,n=e.bodyAttributes,r=e.encode,a=e.htmlAttributes,o=e.noscriptTags,i=e.styleTags,s=e.title,l=void 0===s?"":s,c=e.titleAttributes,u=e.linkTags,d=e.metaTags,p=e.scriptTags,f={toComponent:function(){},toString:function(){return""}};if(e.prioritizeSeoTags){var h=function(e){var t=e.linkTags,n=e.scriptTags,r=e.encode,a=P(e.metaTags,v),o=P(t,y),i=P(n,b);return{priorityMethods:{toComponent:function(){return[].concat(F(g.META,a.priority),F(g.LINK,o.priority),F(g.SCRIPT,i.priority))},toString:function(){return M(g.META,a.priority,r)+" "+M(g.LINK,o.priority,r)+" "+M(g.SCRIPT,i.priority,r)}},metaTags:a.default,linkTags:o.default,scriptTags:i.default}}(e);f=h.priorityMethods,u=h.linkTags,d=h.metaTags,p=h.scriptTags}return{priority:f,base:M(g.BASE,t,r),bodyAttributes:M("bodyAttributes",n,r),htmlAttributes:M("htmlAttributes",a,r),link:M(g.LINK,u,r),meta:M(g.META,d,r),noscript:M(g.NOSCRIPT,o,r),script:M(g.SCRIPT,p,r),style:M(g.STYLE,i,r),title:M(g.TITLE,{title:l,titleAttributes:c},r)}},z=[],$=function(e,t){var n=this;void 0===t&&(t="undefined"!=typeof document),this.instances=[],this.value={setHelmet:function(e){n.context.helmet=e},helmetInstances:{get:function(){return n.canUseDOM?z:n.instances},add:function(e){(n.canUseDOM?z:n.instances).push(e)},remove:function(e){var t=(n.canUseDOM?z:n.instances).indexOf(e);(n.canUseDOM?z:n.instances).splice(t,1)}}},this.context=e,this.canUseDOM=t,t||(e.helmet=B({baseTag:[],bodyAttributes:{},encodeSpecialCharacters:!0,htmlAttributes:{},linkTags:[],metaTags:[],noscriptTags:[],scriptTags:[],styleTags:[],title:"",titleAttributes:{}}))},U=r.createContext({}),q=o().shape({setHelmet:o().func,helmetInstances:o().shape({get:o().func,add:o().func,remove:o().func})}),H="undefined"!=typeof document,Q=function(e){function t(n){var r;return(r=e.call(this,n)||this).helmetData=new $(r.props.context,t.canUseDOM),r}return f(t,e),t.prototype.render=function(){return r.createElement(U.Provider,{value:this.helmetData.value},this.props.children)},t}(r.Component);Q.canUseDOM=H,Q.propTypes={context:o().shape({helmet:o().shape()}),children:o().node.isRequired},Q.defaultProps={context:{}},Q.displayName="HelmetProvider";var Z=function(e,t){var n,r=document.head||document.querySelector(g.HEAD),a=r.querySelectorAll(e+"[data-rh]"),o=[].slice.call(a),i=[];return t&&t.length&&t.forEach((function(t){var r=document.createElement(e);for(var a in t)Object.prototype.hasOwnProperty.call(t,a)&&("innerHTML"===a?r.innerHTML=t.innerHTML:"cssText"===a?r.styleSheet?r.styleSheet.cssText=t.cssText:r.appendChild(document.createTextNode(t.cssText)):r.setAttribute(a,void 0===t[a]?"":t[a]));r.setAttribute("data-rh","true"),o.some((function(e,t){return n=t,r.isEqualNode(e)}))?o.splice(n,1):i.push(r)})),o.forEach((function(e){return e.parentNode.removeChild(e)})),i.forEach((function(e){return r.appendChild(e)})),{oldTags:o,newTags:i}},V=function(e,t){var n=document.getElementsByTagName(e)[0];if(n){for(var r=n.getAttribute("data-rh"),a=r?r.split(","):[],o=[].concat(a),i=Object.keys(t),s=0;s<i.length;s+=1){var l=i[s],c=t[l]||"";n.getAttribute(l)!==c&&n.setAttribute(l,c),-1===a.indexOf(l)&&a.push(l);var u=o.indexOf(l);-1!==u&&o.splice(u,1)}for(var d=o.length-1;d>=0;d-=1)n.removeAttribute(o[d]);a.length===o.length?n.removeAttribute("data-rh"):n.getAttribute("data-rh")!==i.join(",")&&n.setAttribute("data-rh",i.join(","))}},W=function(e,t){var n=e.baseTag,r=e.htmlAttributes,a=e.linkTags,o=e.metaTags,i=e.noscriptTags,s=e.onChangeClientState,l=e.scriptTags,c=e.styleTags,u=e.title,d=e.titleAttributes;V(g.BODY,e.bodyAttributes),V(g.HTML,r),function(e,t){void 0!==e&&document.title!==e&&(document.title=j(e)),V(g.TITLE,t)}(u,d);var p={baseTag:Z(g.BASE,n),linkTags:Z(g.LINK,a),metaTags:Z(g.META,o),noscriptTags:Z(g.NOSCRIPT,i),scriptTags:Z(g.SCRIPT,l),styleTags:Z(g.STYLE,c)},f={},h={};Object.keys(p).forEach((function(e){var t=p[e],n=t.newTags,r=t.oldTags;n.length&&(f[e]=n),r.length&&(h[e]=p[e].oldTags)})),t&&t(),s(e,f,h)},G=null,X=function(e){function t(){for(var t,n=arguments.length,r=new Array(n),a=0;a<n;a++)r[a]=arguments[a];return(t=e.call.apply(e,[this].concat(r))||this).rendered=!1,t}f(t,e);var n=t.prototype;return n.shouldComponentUpdate=function(e){return!d()(e,this.props)},n.componentDidUpdate=function(){this.emitChange()},n.componentWillUnmount=function(){this.props.context.helmetInstances.remove(this),this.emitChange()},n.emitChange=function(){var e,t,n=this.props.context,r=n.setHelmet,a=null,o=(e=n.helmetInstances.get().map((function(e){var t=p({},e.props);return delete t.context,t})),{baseTag:T(["href"],e),bodyAttributes:_("bodyAttributes",e),defer:S(e,"defer"),encode:S(e,"encodeSpecialCharacters"),htmlAttributes:_("htmlAttributes",e),linkTags:L(g.LINK,["rel","href"],e),metaTags:L(g.META,["name","charset","http-equiv","property","itemprop"],e),noscriptTags:L(g.NOSCRIPT,["innerHTML"],e),onChangeClientState:C(e),scriptTags:L(g.SCRIPT,["src","innerHTML"],e),styleTags:L(g.STYLE,["cssText"],e),title:E(e),titleAttributes:_("titleAttributes",e),prioritizeSeoTags:R(e,"prioritizeSeoTags")});Q.canUseDOM?(t=o,G&&cancelAnimationFrame(G),t.defer?G=requestAnimationFrame((function(){W(t,(function(){G=null}))})):(W(t),G=null)):B&&(a=B(o)),r(a)},n.init=function(){this.rendered||(this.rendered=!0,this.props.context.helmetInstances.add(this),this.emitChange())},n.render=function(){return this.init(),null},t}(r.Component);X.propTypes={context:q.isRequired},X.displayName="HelmetDispatcher";var K=["children"],Y=["children"],J=function(e){function t(){return e.apply(this,arguments)||this}f(t,e);var n=t.prototype;return n.shouldComponentUpdate=function(e){return!s()(N(this.props,"helmetData"),N(e,"helmetData"))},n.mapNestedChildrenToProps=function(e,t){if(!t)return null;switch(e.type){case g.SCRIPT:case g.NOSCRIPT:return{innerHTML:t};case g.STYLE:return{cssText:t};default:throw new Error("<"+e.type+" /> elements are self-closing and can not contain children. Refer to our API for more information.")}},n.flattenArrayTypeChildren=function(e){var t,n=e.child,r=e.arrayTypeChildren;return p({},r,((t={})[n.type]=[].concat(r[n.type]||[],[p({},e.newChildProps,this.mapNestedChildrenToProps(n,e.nestedChildren))]),t))},n.mapObjectTypeChildren=function(e){var t,n,r=e.child,a=e.newProps,o=e.newChildProps,i=e.nestedChildren;switch(r.type){case g.TITLE:return p({},a,((t={})[r.type]=i,t.titleAttributes=p({},o),t));case g.BODY:return p({},a,{bodyAttributes:p({},o)});case g.HTML:return p({},a,{htmlAttributes:p({},o)});default:return p({},a,((n={})[r.type]=p({},o),n))}},n.mapArrayTypeChildrenToProps=function(e,t){var n=p({},t);return Object.keys(e).forEach((function(t){var r;n=p({},n,((r={})[t]=e[t],r))})),n},n.warnOnInvalidChildren=function(e,t){return c()(k.some((function(t){return e.type===t})),"function"==typeof e.type?"You may be attempting to nest <Helmet> components within each other, which is not allowed. Refer to our API for more information.":"Only elements types "+k.join(", ")+" are allowed. Helmet does not support rendering <"+e.type+"> elements. Refer to our API for more information."),c()(!t||"string"==typeof t||Array.isArray(t)&&!t.some((function(e){return"string"!=typeof e})),"Helmet expects a string as a child of <"+e.type+">. Did you forget to wrap your children in braces? ( <"+e.type+">{``}</"+e.type+"> ) Refer to our API for more information."),!0},n.mapChildrenToProps=function(e,t){var n=this,a={};return r.Children.forEach(e,(function(e){if(e&&e.props){var r=e.props,o=r.children,i=m(r,K),s=Object.keys(i).reduce((function(e,t){return e[x[t]||t]=i[t],e}),{}),l=e.type;switch("symbol"==typeof l?l=l.toString():n.warnOnInvalidChildren(e,o),l){case g.FRAGMENT:t=n.mapChildrenToProps(o,t);break;case g.LINK:case g.META:case g.NOSCRIPT:case g.SCRIPT:case g.STYLE:a=n.flattenArrayTypeChildren({child:e,arrayTypeChildren:a,newChildProps:s,nestedChildren:o});break;default:t=n.mapObjectTypeChildren({child:e,newProps:t,newChildProps:s,nestedChildren:o})}}})),this.mapArrayTypeChildrenToProps(a,t)},n.render=function(){var e=this.props,t=e.children,n=m(e,Y),a=p({},n),o=n.helmetData;return t&&(a=this.mapChildrenToProps(t,a)),!o||o instanceof $||(o=new $(o.context,o.instances)),o?r.createElement(X,p({},a,{context:o.value,helmetData:void 0})):r.createElement(U.Consumer,null,(function(e){return r.createElement(X,p({},a,{context:e}))}))},t}(r.Component);J.propTypes={base:o().object,bodyAttributes:o().object,children:o().oneOfType([o().arrayOf(o().node),o().node]),defaultTitle:o().string,defer:o().bool,encodeSpecialCharacters:o().bool,htmlAttributes:o().object,link:o().arrayOf(o().object),meta:o().arrayOf(o().object),noscript:o().arrayOf(o().object),onChangeClientState:o().func,script:o().arrayOf(o().object),style:o().arrayOf(o().object),title:o().string,titleAttributes:o().object,titleTemplate:o().string,prioritizeSeoTags:o().bool,helmetData:o().object},J.defaultProps={defer:!0,encodeSpecialCharacters:!0,prioritizeSeoTags:!1},J.displayName="Helmet"},9921:(e,t)=>{"use strict";var n="function"==typeof Symbol&&Symbol.for,r=n?Symbol.for("react.element"):60103,a=n?Symbol.for("react.portal"):60106,o=n?Symbol.for("react.fragment"):60107,i=n?Symbol.for("react.strict_mode"):60108,s=n?Symbol.for("react.profiler"):60114,l=n?Symbol.for("react.provider"):60109,c=n?Symbol.for("react.context"):60110,u=n?Symbol.for("react.async_mode"):60111,d=n?Symbol.for("react.concurrent_mode"):60111,p=n?Symbol.for("react.forward_ref"):60112,f=n?Symbol.for("react.suspense"):60113,h=n?Symbol.for("react.suspense_list"):60120,m=n?Symbol.for("react.memo"):60115,g=n?Symbol.for("react.lazy"):60116,y=n?Symbol.for("react.block"):60121,b=n?Symbol.for("react.fundamental"):60117,v=n?Symbol.for("react.responder"):60118,k=n?Symbol.for("react.scope"):60119;function w(e){if("object"==typeof e&&null!==e){var t=e.$$typeof;switch(t){case r:switch(e=e.type){case u:case d:case o:case s:case i:case f:return e;default:switch(e=e&&e.$$typeof){case c:case p:case g:case m:case l:return e;default:return t}}case a:return t}}}function x(e){return w(e)===d}t.AsyncMode=u,t.ConcurrentMode=d,t.ContextConsumer=c,t.ContextProvider=l,t.Element=r,t.ForwardRef=p,t.Fragment=o,t.Lazy=g,t.Memo=m,t.Portal=a,t.Profiler=s,t.StrictMode=i,t.Suspense=f,t.isAsyncMode=function(e){return x(e)||w(e)===u},t.isConcurrentMode=x,t.isContextConsumer=function(e){return w(e)===c},t.isContextProvider=function(e){return w(e)===l},t.isElement=function(e){return"object"==typeof e&&null!==e&&e.$$typeof===r},t.isForwardRef=function(e){return w(e)===p},t.isFragment=function(e){return w(e)===o},t.isLazy=function(e){return w(e)===g},t.isMemo=function(e){return w(e)===m},t.isPortal=function(e){return w(e)===a},t.isProfiler=function(e){return w(e)===s},t.isStrictMode=function(e){return w(e)===i},t.isSuspense=function(e){return w(e)===f},t.isValidElementType=function(e){return"string"==typeof e||"function"==typeof e||e===o||e===d||e===s||e===i||e===f||e===h||"object"==typeof e&&null!==e&&(e.$$typeof===g||e.$$typeof===m||e.$$typeof===l||e.$$typeof===c||e.$$typeof===p||e.$$typeof===b||e.$$typeof===v||e.$$typeof===k||e.$$typeof===y)},t.typeOf=w},9864:(e,t,n)=>{"use strict";e.exports=n(9921)},8356:(e,t,n)=>{"use strict";function r(e,t){e.prototype=Object.create(t.prototype),e.prototype.constructor=e,e.__proto__=t}function a(e){if(void 0===e)throw new ReferenceError("this hasn't been initialised - super() hasn't been called");return e}function o(e,t,n){return t in e?Object.defineProperty(e,t,{value:n,enumerable:!0,configurable:!0,writable:!0}):e[t]=n,e}function i(){return i=Object.assign||function(e){for(var t=1;t<arguments.length;t++){var n=arguments[t];for(var r in n)Object.prototype.hasOwnProperty.call(n,r)&&(e[r]=n[r])}return e},i.apply(this,arguments)}var s=n(7294),l=[],c=[];var u=s.createContext(null);function d(e){var t=e(),n={loading:!0,loaded:null,error:null};return n.promise=t.then((function(e){return n.loading=!1,n.loaded=e,e})).catch((function(e){throw n.loading=!1,n.error=e,e})),n}function p(e){var t={loading:!1,loaded:{},error:null},n=[];try{Object.keys(e).forEach((function(r){var a=d(e[r]);a.loading?t.loading=!0:(t.loaded[r]=a.loaded,t.error=a.error),n.push(a.promise),a.promise.then((function(e){t.loaded[r]=e})).catch((function(e){t.error=e}))}))}catch(r){t.error=r}return t.promise=Promise.all(n).then((function(e){return t.loading=!1,e})).catch((function(e){throw t.loading=!1,e})),t}function f(e,t){return s.createElement((n=e)&&n.__esModule?n.default:n,t);var n}function h(e,t){var d,p;if(!t.loading)throw new Error("react-loadable requires a `loading` component");var h=i({loader:null,loading:null,delay:200,timeout:null,render:f,webpack:null,modules:null},t),m=null;function g(){return m||(m=e(h.loader)),m.promise}return l.push(g),"function"==typeof h.webpack&&c.push((function(){if((0,h.webpack)().every((function(e){return void 0!==e&&void 0!==n.m[e]})))return g()})),p=d=function(t){function n(n){var r;return o(a(a(r=t.call(this,n)||this)),"retry",(function(){r.setState({error:null,loading:!0,timedOut:!1}),m=e(h.loader),r._loadModule()})),g(),r.state={error:m.error,pastDelay:!1,timedOut:!1,loading:m.loading,loaded:m.loaded},r}r(n,t),n.preload=function(){return g()};var i=n.prototype;return i.UNSAFE_componentWillMount=function(){this._loadModule()},i.componentDidMount=function(){this._mounted=!0},i._loadModule=function(){var e=this;if(this.context&&Array.isArray(h.modules)&&h.modules.forEach((function(t){e.context.report(t)})),m.loading){var t=function(t){e._mounted&&e.setState(t)};"number"==typeof h.delay&&(0===h.delay?this.setState({pastDelay:!0}):this._delay=setTimeout((function(){t({pastDelay:!0})}),h.delay)),"number"==typeof h.timeout&&(this._timeout=setTimeout((function(){t({timedOut:!0})}),h.timeout));var n=function(){t({error:m.error,loaded:m.loaded,loading:m.loading}),e._clearTimeouts()};m.promise.then((function(){return n(),null})).catch((function(e){return n(),null}))}},i.componentWillUnmount=function(){this._mounted=!1,this._clearTimeouts()},i._clearTimeouts=function(){clearTimeout(this._delay),clearTimeout(this._timeout)},i.render=function(){return this.state.loading||this.state.error?s.createElement(h.loading,{isLoading:this.state.loading,pastDelay:this.state.pastDelay,timedOut:this.state.timedOut,error:this.state.error,retry:this.retry}):this.state.loaded?h.render(this.state.loaded,this.props):null},n}(s.Component),o(d,"contextType",u),p}function m(e){return h(d,e)}m.Map=function(e){if("function"!=typeof e.render)throw new Error("LoadableMap requires a `render(loaded, props)` function");return h(p,e)};var g=function(e){function t(){return e.apply(this,arguments)||this}return r(t,e),t.prototype.render=function(){return s.createElement(u.Provider,{value:{report:this.props.report}},s.Children.only(this.props.children))},t}(s.Component);function y(e){for(var t=[];e.length;){var n=e.pop();t.push(n())}return Promise.all(t).then((function(){if(e.length)return y(e)}))}m.Capture=g,m.preloadAll=function(){return new Promise((function(e,t){y(l).then(e,t)}))},m.preloadReady=function(){return new Promise((function(e,t){y(c).then(e,e)}))},e.exports=m},8790:(e,t,n)=>{"use strict";n.d(t,{H:()=>s,f:()=>i});var r=n(6550),a=n(7462),o=n(7294);function i(e,t,n){return void 0===n&&(n=[]),e.some((function(e){var a=e.path?(0,r.LX)(t,e):n.length?n[n.length-1].match:r.F0.computeRootMatch(t);return a&&(n.push({route:e,match:a}),e.routes&&i(e.routes,t,n)),a})),n}function s(e,t,n){return void 0===t&&(t={}),void 0===n&&(n={}),e?o.createElement(r.rs,n,e.map((function(e,n){return o.createElement(r.AW,{key:e.key||n,path:e.path,exact:e.exact,strict:e.strict,render:function(n){return e.render?e.render((0,a.Z)({},n,{},t,{route:e})):o.createElement(e.component,(0,a.Z)({},n,t,{route:e}))}})}))):null}},3727:(e,t,n)=>{"use strict";n.d(t,{OL:()=>k,UT:()=>d,VK:()=>u,rU:()=>y});var r=n(6550),a=n(5068),o=n(7294),i=n(9318),s=n(7462),l=n(3366),c=n(8776),u=function(e){function t(){for(var t,n=arguments.length,r=new Array(n),a=0;a<n;a++)r[a]=arguments[a];return(t=e.call.apply(e,[this].concat(r))||this).history=(0,i.lX)(t.props),t}return(0,a.Z)(t,e),t.prototype.render=function(){return o.createElement(r.F0,{history:this.history,children:this.props.children})},t}(o.Component);var d=function(e){function t(){for(var t,n=arguments.length,r=new Array(n),a=0;a<n;a++)r[a]=arguments[a];return(t=e.call.apply(e,[this].concat(r))||this).history=(0,i.q_)(t.props),t}return(0,a.Z)(t,e),t.prototype.render=function(){return o.createElement(r.F0,{history:this.history,children:this.props.children})},t}(o.Component);var p=function(e,t){return"function"==typeof e?e(t):e},f=function(e,t){return"string"==typeof e?(0,i.ob)(e,null,null,t):e},h=function(e){return e},m=o.forwardRef;void 0===m&&(m=h);var g=m((function(e,t){var n=e.innerRef,r=e.navigate,a=e.onClick,i=(0,l.Z)(e,["innerRef","navigate","onClick"]),c=i.target,u=(0,s.Z)({},i,{onClick:function(e){try{a&&a(e)}catch(t){throw e.preventDefault(),t}e.defaultPrevented||0!==e.button||c&&"_self"!==c||function(e){return!!(e.metaKey||e.altKey||e.ctrlKey||e.shiftKey)}(e)||(e.preventDefault(),r())}});return u.ref=h!==m&&t||n,o.createElement("a",u)}));var y=m((function(e,t){var n=e.component,a=void 0===n?g:n,u=e.replace,d=e.to,y=e.innerRef,b=(0,l.Z)(e,["component","replace","to","innerRef"]);return o.createElement(r.s6.Consumer,null,(function(e){e||(0,c.Z)(!1);var n=e.history,r=f(p(d,e.location),e.location),l=r?n.createHref(r):"",g=(0,s.Z)({},b,{href:l,navigate:function(){var t=p(d,e.location),r=(0,i.Ep)(e.location)===(0,i.Ep)(f(t));(u||r?n.replace:n.push)(t)}});return h!==m?g.ref=t||y:g.innerRef=y,o.createElement(a,g)}))})),b=function(e){return e},v=o.forwardRef;void 0===v&&(v=b);var k=v((function(e,t){var n=e["aria-current"],a=void 0===n?"page":n,i=e.activeClassName,u=void 0===i?"active":i,d=e.activeStyle,h=e.className,m=e.exact,g=e.isActive,k=e.location,w=e.sensitive,x=e.strict,S=e.style,E=e.to,C=e.innerRef,_=(0,l.Z)(e,["aria-current","activeClassName","activeStyle","className","exact","isActive","location","sensitive","strict","style","to","innerRef"]);return o.createElement(r.s6.Consumer,null,(function(e){e||(0,c.Z)(!1);var n=k||e.location,i=f(p(E,n),n),l=i.pathname,T=l&&l.replace(/([.+*?=^!:${}()[\]|/\\])/g,"\\$1"),L=T?(0,r.LX)(n.pathname,{path:T,exact:m,sensitive:w,strict:x}):null,R=!!(g?g(L,n):L),j="function"==typeof h?h(R):h,P="function"==typeof S?S(R):S;R&&(j=function(){for(var e=arguments.length,t=new Array(e),n=0;n<e;n++)t[n]=arguments[n];return t.filter((function(e){return e})).join(" ")}(j,u),P=(0,s.Z)({},P,d));var N=(0,s.Z)({"aria-current":R&&a||null,className:j,style:P,to:i},_);return b!==v?N.ref=t||C:N.innerRef=C,o.createElement(y,N)}))}))},6550:(e,t,n)=>{"use strict";n.d(t,{AW:()=>E,F0:()=>v,LX:()=>S,TH:()=>A,k6:()=>N,rs:()=>j,s6:()=>b});var r=n(5068),a=n(7294),o=n(5697),i=n.n(o),s=n(9318),l=n(8776),c=n(7462),u=n(9658),d=n.n(u),p=(n(9864),n(3366)),f=(n(8679),1073741823),h="undefined"!=typeof globalThis?globalThis:"undefined"!=typeof window?window:void 0!==n.g?n.g:{};var m=a.createContext||function(e,t){var n,o,s="__create-react-context-"+function(){var e="__global_unique_id__";return h[e]=(h[e]||0)+1}()+"__",l=function(e){function n(){for(var t,n,r,a=arguments.length,o=new Array(a),i=0;i<a;i++)o[i]=arguments[i];return(t=e.call.apply(e,[this].concat(o))||this).emitter=(n=t.props.value,r=[],{on:function(e){r.push(e)},off:function(e){r=r.filter((function(t){return t!==e}))},get:function(){return n},set:function(e,t){n=e,r.forEach((function(e){return e(n,t)}))}}),t}(0,r.Z)(n,e);var a=n.prototype;return a.getChildContext=function(){var e;return(e={})[s]=this.emitter,e},a.componentWillReceiveProps=function(e){if(this.props.value!==e.value){var n,r=this.props.value,a=e.value;((o=r)===(i=a)?0!==o||1/o==1/i:o!=o&&i!=i)?n=0:(n="function"==typeof t?t(r,a):f,0!==(n|=0)&&this.emitter.set(e.value,n))}var o,i},a.render=function(){return this.props.children},n}(a.Component);l.childContextTypes=((n={})[s]=i().object.isRequired,n);var c=function(t){function n(){for(var e,n=arguments.length,r=new Array(n),a=0;a<n;a++)r[a]=arguments[a];return(e=t.call.apply(t,[this].concat(r))||this).observedBits=void 0,e.state={value:e.getValue()},e.onUpdate=function(t,n){0!=((0|e.observedBits)&n)&&e.setState({value:e.getValue()})},e}(0,r.Z)(n,t);var a=n.prototype;return a.componentWillReceiveProps=function(e){var t=e.observedBits;this.observedBits=null==t?f:t},a.componentDidMount=function(){this.context[s]&&this.context[s].on(this.onUpdate);var e=this.props.observedBits;this.observedBits=null==e?f:e},a.componentWillUnmount=function(){this.context[s]&&this.context[s].off(this.onUpdate)},a.getValue=function(){return this.context[s]?this.context[s].get():e},a.render=function(){return(e=this.props.children,Array.isArray(e)?e[0]:e)(this.state.value);var e},n}(a.Component);return c.contextTypes=((o={})[s]=i().object,o),{Provider:l,Consumer:c}},g=function(e){var t=m();return t.displayName=e,t},y=g("Router-History"),b=g("Router"),v=function(e){function t(t){var n;return(n=e.call(this,t)||this).state={location:t.history.location},n._isMounted=!1,n._pendingLocation=null,t.staticContext||(n.unlisten=t.history.listen((function(e){n._pendingLocation=e}))),n}(0,r.Z)(t,e),t.computeRootMatch=function(e){return{path:"/",url:"/",params:{},isExact:"/"===e}};var n=t.prototype;return n.componentDidMount=function(){var e=this;this._isMounted=!0,this.unlisten&&this.unlisten(),this.props.staticContext||(this.unlisten=this.props.history.listen((function(t){e._isMounted&&e.setState({location:t})}))),this._pendingLocation&&this.setState({location:this._pendingLocation})},n.componentWillUnmount=function(){this.unlisten&&(this.unlisten(),this._isMounted=!1,this._pendingLocation=null)},n.render=function(){return a.createElement(b.Provider,{value:{history:this.props.history,location:this.state.location,match:t.computeRootMatch(this.state.location.pathname),staticContext:this.props.staticContext}},a.createElement(y.Provider,{children:this.props.children||null,value:this.props.history}))},t}(a.Component);a.Component;a.Component;var k={},w=1e4,x=0;function S(e,t){void 0===t&&(t={}),("string"==typeof t||Array.isArray(t))&&(t={path:t});var n=t,r=n.path,a=n.exact,o=void 0!==a&&a,i=n.strict,s=void 0!==i&&i,l=n.sensitive,c=void 0!==l&&l;return[].concat(r).reduce((function(t,n){if(!n&&""!==n)return null;if(t)return t;var r=function(e,t){var n=""+t.end+t.strict+t.sensitive,r=k[n]||(k[n]={});if(r[e])return r[e];var a=[],o={regexp:d()(e,a,t),keys:a};return x<w&&(r[e]=o,x++),o}(n,{end:o,strict:s,sensitive:c}),a=r.regexp,i=r.keys,l=a.exec(e);if(!l)return null;var u=l[0],p=l.slice(1),f=e===u;return o&&!f?null:{path:n,url:"/"===n&&""===u?"/":u,isExact:f,params:i.reduce((function(e,t,n){return e[t.name]=p[n],e}),{})}}),null)}var E=function(e){function t(){return e.apply(this,arguments)||this}return(0,r.Z)(t,e),t.prototype.render=function(){var e=this;return a.createElement(b.Consumer,null,(function(t){t||(0,l.Z)(!1);var n=e.props.location||t.location,r=e.props.computedMatch?e.props.computedMatch:e.props.path?S(n.pathname,e.props):t.match,o=(0,c.Z)({},t,{location:n,match:r}),i=e.props,s=i.children,u=i.component,d=i.render;return Array.isArray(s)&&function(e){return 0===a.Children.count(e)}(s)&&(s=null),a.createElement(b.Provider,{value:o},o.match?s?"function"==typeof s?s(o):s:u?a.createElement(u,o):d?d(o):null:"function"==typeof s?s(o):null)}))},t}(a.Component);function C(e){return"/"===e.charAt(0)?e:"/"+e}function _(e,t){if(!e)return t;var n=C(e);return 0!==t.pathname.indexOf(n)?t:(0,c.Z)({},t,{pathname:t.pathname.substr(n.length)})}function T(e){return"string"==typeof e?e:(0,s.Ep)(e)}function L(e){return function(){(0,l.Z)(!1)}}function R(){}a.Component;var j=function(e){function t(){return e.apply(this,arguments)||this}return(0,r.Z)(t,e),t.prototype.render=function(){var e=this;return a.createElement(b.Consumer,null,(function(t){t||(0,l.Z)(!1);var n,r,o=e.props.location||t.location;return a.Children.forEach(e.props.children,(function(e){if(null==r&&a.isValidElement(e)){n=e;var i=e.props.path||e.props.from;r=i?S(o.pathname,(0,c.Z)({},e.props,{path:i})):t.match}})),r?a.cloneElement(n,{location:o,computedMatch:r}):null}))},t}(a.Component);var P=a.useContext;function N(){return P(y)}function A(){return P(b).location}},9658:(e,t,n)=>{var r=n(5826);e.exports=f,e.exports.parse=o,e.exports.compile=function(e,t){return s(o(e,t),t)},e.exports.tokensToFunction=s,e.exports.tokensToRegExp=p;var a=new RegExp(["(\\\\.)","([\\/.])?(?:(?:\\:(\\w+)(?:\\(((?:\\\\.|[^\\\\()])+)\\))?|\\(((?:\\\\.|[^\\\\()])+)\\))([+*?])?|(\\*))"].join("|"),"g");function o(e,t){for(var n,r=[],o=0,i=0,s="",u=t&&t.delimiter||"/";null!=(n=a.exec(e));){var d=n[0],p=n[1],f=n.index;if(s+=e.slice(i,f),i=f+d.length,p)s+=p[1];else{var h=e[i],m=n[2],g=n[3],y=n[4],b=n[5],v=n[6],k=n[7];s&&(r.push(s),s="");var w=null!=m&&null!=h&&h!==m,x="+"===v||"*"===v,S="?"===v||"*"===v,E=n[2]||u,C=y||b;r.push({name:g||o++,prefix:m||"",delimiter:E,optional:S,repeat:x,partial:w,asterisk:!!k,pattern:C?c(C):k?".*":"[^"+l(E)+"]+?"})}}return i<e.length&&(s+=e.substr(i)),s&&r.push(s),r}function i(e){return encodeURI(e).replace(/[\/?#]/g,(function(e){return"%"+e.charCodeAt(0).toString(16).toUpperCase()}))}function s(e,t){for(var n=new Array(e.length),a=0;a<e.length;a++)"object"==typeof e[a]&&(n[a]=new RegExp("^(?:"+e[a].pattern+")$",d(t)));return function(t,a){for(var o="",s=t||{},l=(a||{}).pretty?i:encodeURIComponent,c=0;c<e.length;c++){var u=e[c];if("string"!=typeof u){var d,p=s[u.name];if(null==p){if(u.optional){u.partial&&(o+=u.prefix);continue}throw new TypeError('Expected "'+u.name+'" to be defined')}if(r(p)){if(!u.repeat)throw new TypeError('Expected "'+u.name+'" to not repeat, but received `'+JSON.stringify(p)+"`");if(0===p.length){if(u.optional)continue;throw new TypeError('Expected "'+u.name+'" to not be empty')}for(var f=0;f<p.length;f++){if(d=l(p[f]),!n[c].test(d))throw new TypeError('Expected all "'+u.name+'" to match "'+u.pattern+'", but received `'+JSON.stringify(d)+"`");o+=(0===f?u.prefix:u.delimiter)+d}}else{if(d=u.asterisk?encodeURI(p).replace(/[?#]/g,(function(e){return"%"+e.charCodeAt(0).toString(16).toUpperCase()})):l(p),!n[c].test(d))throw new TypeError('Expected "'+u.name+'" to match "'+u.pattern+'", but received "'+d+'"');o+=u.prefix+d}}else o+=u}return o}}function l(e){return e.replace(/([.+*?=^!:${}()[\]|\/\\])/g,"\\$1")}function c(e){return e.replace(/([=!:$\/()])/g,"\\$1")}function u(e,t){return e.keys=t,e}function d(e){return e&&e.sensitive?"":"i"}function p(e,t,n){r(t)||(n=t||n,t=[]);for(var a=(n=n||{}).strict,o=!1!==n.end,i="",s=0;s<e.length;s++){var c=e[s];if("string"==typeof c)i+=l(c);else{var p=l(c.prefix),f="(?:"+c.pattern+")";t.push(c),c.repeat&&(f+="(?:"+p+f+")*"),i+=f=c.optional?c.partial?p+"("+f+")?":"(?:"+p+"("+f+"))?":p+"("+f+")"}}var h=l(n.delimiter||"/"),m=i.slice(-h.length)===h;return a||(i=(m?i.slice(0,-h.length):i)+"(?:"+h+"(?=$))?"),i+=o?"$":a&&m?"":"(?="+h+"|$)",u(new RegExp("^"+i,d(n)),t)}function f(e,t,n){return r(t)||(n=t||n,t=[]),n=n||{},e instanceof RegExp?function(e,t){var n=e.source.match(/\((?!\?)/g);if(n)for(var r=0;r<n.length;r++)t.push({name:r,prefix:null,delimiter:null,optional:!1,repeat:!1,partial:!1,asterisk:!1,pattern:null});return u(e,t)}(e,t):r(e)?function(e,t,n){for(var r=[],a=0;a<e.length;a++)r.push(f(e[a],t,n).source);return u(new RegExp("(?:"+r.join("|")+")",d(n)),t)}(e,t,n):function(e,t,n){return p(o(e,n),t,n)}(e,t,n)}},5251:(e,t,n)=>{"use strict";var r=n(7294),a=Symbol.for("react.element"),o=Symbol.for("react.fragment"),i=Object.prototype.hasOwnProperty,s=r.__SECRET_INTERNALS_DO_NOT_USE_OR_YOU_WILL_BE_FIRED.ReactCurrentOwner,l={key:!0,ref:!0,__self:!0,__source:!0};function c(e,t,n){var r,o={},c=null,u=null;for(r in void 0!==n&&(c=""+n),void 0!==t.key&&(c=""+t.key),void 0!==t.ref&&(u=t.ref),t)i.call(t,r)&&!l.hasOwnProperty(r)&&(o[r]=t[r]);if(e&&e.defaultProps)for(r in t=e.defaultProps)void 0===o[r]&&(o[r]=t[r]);return{$$typeof:a,type:e,key:c,ref:u,props:o,_owner:s.current}}t.Fragment=o,t.jsx=c,t.jsxs=c},2408:(e,t)=>{"use strict";var n=Symbol.for("react.element"),r=Symbol.for("react.portal"),a=Symbol.for("react.fragment"),o=Symbol.for("react.strict_mode"),i=Symbol.for("react.profiler"),s=Symbol.for("react.provider"),l=Symbol.for("react.context"),c=Symbol.for("react.forward_ref"),u=Symbol.for("react.suspense"),d=Symbol.for("react.memo"),p=Symbol.for("react.lazy"),f=Symbol.iterator;var h={isMounted:function(){return!1},enqueueForceUpdate:function(){},enqueueReplaceState:function(){},enqueueSetState:function(){}},m=Object.assign,g={};function y(e,t,n){this.props=e,this.context=t,this.refs=g,this.updater=n||h}function b(){}function v(e,t,n){this.props=e,this.context=t,this.refs=g,this.updater=n||h}y.prototype.isReactComponent={},y.prototype.setState=function(e,t){if("object"!=typeof e&&"function"!=typeof e&&null!=e)throw Error("setState(...): takes an object of state variables to update or a function which returns an object of state variables.");this.updater.enqueueSetState(this,e,t,"setState")},y.prototype.forceUpdate=function(e){this.updater.enqueueForceUpdate(this,e,"forceUpdate")},b.prototype=y.prototype;var k=v.prototype=new b;k.constructor=v,m(k,y.prototype),k.isPureReactComponent=!0;var w=Array.isArray,x=Object.prototype.hasOwnProperty,S={current:null},E={key:!0,ref:!0,__self:!0,__source:!0};function C(e,t,r){var a,o={},i=null,s=null;if(null!=t)for(a in void 0!==t.ref&&(s=t.ref),void 0!==t.key&&(i=""+t.key),t)x.call(t,a)&&!E.hasOwnProperty(a)&&(o[a]=t[a]);var l=arguments.length-2;if(1===l)o.children=r;else if(1<l){for(var c=Array(l),u=0;u<l;u++)c[u]=arguments[u+2];o.children=c}if(e&&e.defaultProps)for(a in l=e.defaultProps)void 0===o[a]&&(o[a]=l[a]);return{$$typeof:n,type:e,key:i,ref:s,props:o,_owner:S.current}}function _(e){return"object"==typeof e&&null!==e&&e.$$typeof===n}var T=/\/+/g;function L(e,t){return"object"==typeof e&&null!==e&&null!=e.key?function(e){var t={"=":"=0",":":"=2"};return"$"+e.replace(/[=:]/g,(function(e){return t[e]}))}(""+e.key):t.toString(36)}function R(e,t,a,o,i){var s=typeof e;"undefined"!==s&&"boolean"!==s||(e=null);var l=!1;if(null===e)l=!0;else switch(s){case"string":case"number":l=!0;break;case"object":switch(e.$$typeof){case n:case r:l=!0}}if(l)return i=i(l=e),e=""===o?"."+L(l,0):o,w(i)?(a="",null!=e&&(a=e.replace(T,"$&/")+"/"),R(i,t,a,"",(function(e){return e}))):null!=i&&(_(i)&&(i=function(e,t){return{$$typeof:n,type:e.type,key:t,ref:e.ref,props:e.props,_owner:e._owner}}(i,a+(!i.key||l&&l.key===i.key?"":(""+i.key).replace(T,"$&/")+"/")+e)),t.push(i)),1;if(l=0,o=""===o?".":o+":",w(e))for(var c=0;c<e.length;c++){var u=o+L(s=e[c],c);l+=R(s,t,a,u,i)}else if(u=function(e){return null===e||"object"!=typeof e?null:"function"==typeof(e=f&&e[f]||e["@@iterator"])?e:null}(e),"function"==typeof u)for(e=u.call(e),c=0;!(s=e.next()).done;)l+=R(s=s.value,t,a,u=o+L(s,c++),i);else if("object"===s)throw t=String(e),Error("Objects are not valid as a React child (found: "+("[object Object]"===t?"object with keys {"+Object.keys(e).join(", ")+"}":t)+"). If you meant to render a collection of children, use an array instead.");return l}function j(e,t,n){if(null==e)return e;var r=[],a=0;return R(e,r,"","",(function(e){return t.call(n,e,a++)})),r}function P(e){if(-1===e._status){var t=e._result;(t=t()).then((function(t){0!==e._status&&-1!==e._status||(e._status=1,e._result=t)}),(function(t){0!==e._status&&-1!==e._status||(e._status=2,e._result=t)})),-1===e._status&&(e._status=0,e._result=t)}if(1===e._status)return e._result.default;throw e._result}var N={current:null},A={transition:null},O={ReactCurrentDispatcher:N,ReactCurrentBatchConfig:A,ReactCurrentOwner:S};function I(){throw Error("act(...) is not supported in production builds of React.")}t.Children={map:j,forEach:function(e,t,n){j(e,(function(){t.apply(this,arguments)}),n)},count:function(e){var t=0;return j(e,(function(){t++})),t},toArray:function(e){return j(e,(function(e){return e}))||[]},only:function(e){if(!_(e))throw Error("React.Children.only expected to receive a single React element child.");return e}},t.Component=y,t.Fragment=a,t.Profiler=i,t.PureComponent=v,t.StrictMode=o,t.Suspense=u,t.__SECRET_INTERNALS_DO_NOT_USE_OR_YOU_WILL_BE_FIRED=O,t.act=I,t.cloneElement=function(e,t,r){if(null==e)throw Error("React.cloneElement(...): The argument must be a React element, but you passed "+e+".");var a=m({},e.props),o=e.key,i=e.ref,s=e._owner;if(null!=t){if(void 0!==t.ref&&(i=t.ref,s=S.current),void 0!==t.key&&(o=""+t.key),e.type&&e.type.defaultProps)var l=e.type.defaultProps;for(c in t)x.call(t,c)&&!E.hasOwnProperty(c)&&(a[c]=void 0===t[c]&&void 0!==l?l[c]:t[c])}var c=arguments.length-2;if(1===c)a.children=r;else if(1<c){l=Array(c);for(var u=0;u<c;u++)l[u]=arguments[u+2];a.children=l}return{$$typeof:n,type:e.type,key:o,ref:i,props:a,_owner:s}},t.createContext=function(e){return(e={$$typeof:l,_currentValue:e,_currentValue2:e,_threadCount:0,Provider:null,Consumer:null,_defaultValue:null,_globalName:null}).Provider={$$typeof:s,_context:e},e.Consumer=e},t.createElement=C,t.createFactory=function(e){var t=C.bind(null,e);return t.type=e,t},t.createRef=function(){return{current:null}},t.forwardRef=function(e){return{$$typeof:c,render:e}},t.isValidElement=_,t.lazy=function(e){return{$$typeof:p,_payload:{_status:-1,_result:e},_init:P}},t.memo=function(e,t){return{$$typeof:d,type:e,compare:void 0===t?null:t}},t.startTransition=function(e){var t=A.transition;A.transition={};try{e()}finally{A.transition=t}},t.unstable_act=I,t.useCallback=function(e,t){return N.current.useCallback(e,t)},t.useContext=function(e){return N.current.useContext(e)},t.useDebugValue=function(){},t.useDeferredValue=function(e){return N.current.useDeferredValue(e)},t.useEffect=function(e,t){return N.current.useEffect(e,t)},t.useId=function(){return N.current.useId()},t.useImperativeHandle=function(e,t,n){return N.current.useImperativeHandle(e,t,n)},t.useInsertionEffect=function(e,t){return N.current.useInsertionEffect(e,t)},t.useLayoutEffect=function(e,t){return N.current.useLayoutEffect(e,t)},t.useMemo=function(e,t){return N.current.useMemo(e,t)},t.useReducer=function(e,t,n){return N.current.useReducer(e,t,n)},t.useRef=function(e){return N.current.useRef(e)},t.useState=function(e){return N.current.useState(e)},t.useSyncExternalStore=function(e,t,n){return N.current.useSyncExternalStore(e,t,n)},t.useTransition=function(){return N.current.useTransition()},t.version="18.3.1"},7294:(e,t,n)=>{"use strict";e.exports=n(2408)},5893:(e,t,n)=>{"use strict";e.exports=n(5251)},53:(e,t)=>{"use strict";function n(e,t){var n=e.length;e.push(t);e:for(;0<n;){var r=n-1>>>1,a=e[r];if(!(0<o(a,t)))break e;e[r]=t,e[n]=a,n=r}}function r(e){return 0===e.length?null:e[0]}function a(e){if(0===e.length)return null;var t=e[0],n=e.pop();if(n!==t){e[0]=n;e:for(var r=0,a=e.length,i=a>>>1;r<i;){var s=2*(r+1)-1,l=e[s],c=s+1,u=e[c];if(0>o(l,n))c<a&&0>o(u,l)?(e[r]=u,e[c]=n,r=c):(e[r]=l,e[s]=n,r=s);else{if(!(c<a&&0>o(u,n)))break e;e[r]=u,e[c]=n,r=c}}}return t}function o(e,t){var n=e.sortIndex-t.sortIndex;return 0!==n?n:e.id-t.id}if("object"==typeof performance&&"function"==typeof performance.now){var i=performance;t.unstable_now=function(){return i.now()}}else{var s=Date,l=s.now();t.unstable_now=function(){return s.now()-l}}var c=[],u=[],d=1,p=null,f=3,h=!1,m=!1,g=!1,y="function"==typeof setTimeout?setTimeout:null,b="function"==typeof clearTimeout?clearTimeout:null,v="undefined"!=typeof setImmediate?setImmediate:null;function k(e){for(var t=r(u);null!==t;){if(null===t.callback)a(u);else{if(!(t.startTime<=e))break;a(u),t.sortIndex=t.expirationTime,n(c,t)}t=r(u)}}function w(e){if(g=!1,k(e),!m)if(null!==r(c))m=!0,A(x);else{var t=r(u);null!==t&&O(w,t.startTime-e)}}function x(e,n){m=!1,g&&(g=!1,b(_),_=-1),h=!0;var o=f;try{for(k(n),p=r(c);null!==p&&(!(p.expirationTime>n)||e&&!R());){var i=p.callback;if("function"==typeof i){p.callback=null,f=p.priorityLevel;var s=i(p.expirationTime<=n);n=t.unstable_now(),"function"==typeof s?p.callback=s:p===r(c)&&a(c),k(n)}else a(c);p=r(c)}if(null!==p)var l=!0;else{var d=r(u);null!==d&&O(w,d.startTime-n),l=!1}return l}finally{p=null,f=o,h=!1}}"undefined"!=typeof navigator&&void 0!==navigator.scheduling&&void 0!==navigator.scheduling.isInputPending&&navigator.scheduling.isInputPending.bind(navigator.scheduling);var S,E=!1,C=null,_=-1,T=5,L=-1;function R(){return!(t.unstable_now()-L<T)}function j(){if(null!==C){var e=t.unstable_now();L=e;var n=!0;try{n=C(!0,e)}finally{n?S():(E=!1,C=null)}}else E=!1}if("function"==typeof v)S=function(){v(j)};else if("undefined"!=typeof MessageChannel){var P=new MessageChannel,N=P.port2;P.port1.onmessage=j,S=function(){N.postMessage(null)}}else S=function(){y(j,0)};function A(e){C=e,E||(E=!0,S())}function O(e,n){_=y((function(){e(t.unstable_now())}),n)}t.unstable_IdlePriority=5,t.unstable_ImmediatePriority=1,t.unstable_LowPriority=4,t.unstable_NormalPriority=3,t.unstable_Profiling=null,t.unstable_UserBlockingPriority=2,t.unstable_cancelCallback=function(e){e.callback=null},t.unstable_continueExecution=function(){m||h||(m=!0,A(x))},t.unstable_forceFrameRate=function(e){0>e||125<e?console.error("forceFrameRate takes a positive int between 0 and 125, forcing frame rates higher than 125 fps is not supported"):T=0<e?Math.floor(1e3/e):5},t.unstable_getCurrentPriorityLevel=function(){return f},t.unstable_getFirstCallbackNode=function(){return r(c)},t.unstable_next=function(e){switch(f){case 1:case 2:case 3:var t=3;break;default:t=f}var n=f;f=t;try{return e()}finally{f=n}},t.unstable_pauseExecution=function(){},t.unstable_requestPaint=function(){},t.unstable_runWithPriority=function(e,t){switch(e){case 1:case 2:case 3:case 4:case 5:break;default:e=3}var n=f;f=e;try{return t()}finally{f=n}},t.unstable_scheduleCallback=function(e,a,o){var i=t.unstable_now();switch("object"==typeof o&&null!==o?o="number"==typeof(o=o.delay)&&0<o?i+o:i:o=i,e){case 1:var s=-1;break;case 2:s=250;break;case 5:s=1073741823;break;case 4:s=1e4;break;default:s=5e3}return e={id:d++,callback:a,priorityLevel:e,startTime:o,expirationTime:s=o+s,sortIndex:-1},o>i?(e.sortIndex=o,n(u,e),null===r(c)&&e===r(u)&&(g?(b(_),_=-1):g=!0,O(w,o-i))):(e.sortIndex=s,n(c,e),m||h||(m=!0,A(x))),e},t.unstable_shouldYield=R,t.unstable_wrapCallback=function(e){var t=f;return function(){var n=f;f=t;try{return e.apply(this,arguments)}finally{f=n}}}},3840:(e,t,n)=>{"use strict";e.exports=n(53)},6774:e=>{e.exports=function(e,t,n,r){var a=n?n.call(r,e,t):void 0;if(void 0!==a)return!!a;if(e===t)return!0;if("object"!=typeof e||!e||"object"!=typeof t||!t)return!1;var o=Object.keys(e),i=Object.keys(t);if(o.length!==i.length)return!1;for(var s=Object.prototype.hasOwnProperty.bind(t),l=0;l<o.length;l++){var c=o[l];if(!s(c))return!1;var u=e[c],d=t[c];if(!1===(a=n?n.call(r,u,d,c):void 0)||void 0===a&&u!==d)return!1}return!0}},6809:(e,t,n)=>{"use strict";n.d(t,{default:()=>r});const r={title:"K3s",tagline:"",url:"https://docs.k3s.io",baseUrl:"/kr/",onBrokenLinks:"throw",onBrokenMarkdownLinks:"warn",favicon:"img/favicon.ico",organizationName:"k3s-io",projectName:"docs",trailingSlash:!1,markdown:{mermaid:!0,format:"mdx",mdx1Compat:{comments:!0,admonitions:!0,headingIds:!0},anchors:{maintainCase:!1}},themes:["@docusaurus/theme-mermaid",["@easyops-cn/docusaurus-search-local",{docsRouteBasePath:"/",hashed:!0,highlightSearchTermsOnTargetPage:!0,indexBlog:!1,ignoreFiles:[{}]}]],i18n:{defaultLocale:"en",locales:["en","zh","kr"],localeConfigs:{en:{label:"English",direction:"ltr"},zh:{label:"\u7b80\u4f53\u4e2d\u6587",direction:"ltr"},kr:{label:"\ud55c\uad6d\uc5b4",direction:"ltr"}},path:"i18n"},themeConfig:{colorMode:{defaultMode:"light",respectPrefersColorScheme:!0,disableSwitch:!1},navbar:{title:"",logo:{alt:"logo",src:"img/k3s-logo-light.svg",srcDark:"img/k3s-logo-dark.svg"},items:[{type:"search",position:"right"},{type:"localeDropdown",position:"right",dropdownItemsBefore:[],dropdownItemsAfter:[]},{to:"https://github.com/k3s-io/k3s/",label:"GitHub",position:"right",className:"navbar__github btn"}],hideOnScroll:!1},footer:{style:"dark",links:[],copyright:'Copyright \xa9 2024 K3s Project Authors. All rights reserved. <br>The Linux Foundation has registered trademarks\n and uses trademarks. For a list of trademarks of The Linux Foundation, \n please see our <a href="https://www.linuxfoundation.org/trademark-usage"> Trademark Usage</a> page.'},docs:{versionPersistence:"localStorage",sidebar:{hideable:!1,autoCollapseCategories:!1}},metadata:[],prism:{additionalLanguages:[],theme:{plain:{color:"#bfc7d5",backgroundColor:"#292d3e"},styles:[{types:["comment"],style:{color:"rgb(105, 112, 152)",fontStyle:"italic"}},{types:["string","inserted"],style:{color:"rgb(195, 232, 141)"}},{types:["number"],style:{color:"rgb(247, 140, 108)"}},{types:["builtin","char","constant","function"],style:{color:"rgb(130, 170, 255)"}},{types:["punctuation","selector"],style:{color:"rgb(199, 146, 234)"}},{types:["variable"],style:{color:"rgb(191, 199, 213)"}},{types:["class-name","attr-name"],style:{color:"rgb(255, 203, 107)"}},{types:["tag","deleted"],style:{color:"rgb(255, 85, 114)"}},{types:["operator"],style:{color:"rgb(137, 221, 255)"}},{types:["boolean"],style:{color:"rgb(255, 88, 116)"}},{types:["keyword"],style:{fontStyle:"italic"}},{types:["doctype"],style:{color:"rgb(199, 146, 234)",fontStyle:"italic"}},{types:["namespace"],style:{color:"rgb(178, 204, 214)"}},{types:["url"],style:{color:"rgb(221, 221, 221)"}}]},magicComments:[{className:"theme-code-block-highlighted-line",line:"highlight-next-line",block:{start:"highlight-start",end:"highlight-end"}}]},tableOfContents:{minHeadingLevel:2,maxHeadingLevel:3},mermaid:{theme:{dark:"dark",light:"default"},options:{}}},presets:[["@docusaurus/preset-classic",{docs:{routeBasePath:"/",sidebarPath:"/home/runner/work/docs/docs/sidebars.js",showLastUpdateTime:!0,editUrl:"https://github.com/k3s-io/docs/edit/main/"},blog:!1,theme:{customCss:["/home/runner/work/docs/docs/src/css/custom.css"]}}]],plugins:[["@docusaurus/plugin-client-redirects",{redirects:[{from:"/installation/ha",to:"/datastore/ha"},{from:"/installation/ha-embedded",to:"/datastore/ha-embedded"},{from:"/installation/datastore",to:"/datastore"},{from:"/installation/disable-flags",to:"/installation/server-roles"},{from:"/backup-restore/backup-restore",to:"/datastore/backup-restore"},{from:"/reference/agent-config",to:"/cli/agent"},{from:"/reference/server-config",to:"/cli/server"},{from:"/installation/network-options",to:"/networking/basic-network-options"},{from:"/security/self-assessment",to:"/security/self-assessment-1.23"}]}]],baseUrlIssueBanner:!0,future:{experimental_storage:{type:"localStorage",namespace:!1},experimental_router:"browser"},onBrokenAnchors:"warn",onDuplicateRoutes:"warn",staticDirectories:["static"],customFields:{},scripts:[],headTags:[],stylesheets:[],clientModules:[],titleDelimiter:"|",noIndex:!1}},7462:(e,t,n)=>{"use strict";function r(){return r=Object.assign?Object.assign.bind():function(e){for(var t=1;t<arguments.length;t++){var n=arguments[t];for(var r in n)Object.prototype.hasOwnProperty.call(n,r)&&(e[r]=n[r])}return e},r.apply(this,arguments)}n.d(t,{Z:()=>r})},5068:(e,t,n)=>{"use strict";function r(e,t){return r=Object.setPrototypeOf?Object.setPrototypeOf.bind():function(e,t){return e.__proto__=t,e},r(e,t)}function a(e,t){e.prototype=Object.create(t.prototype),e.prototype.constructor=e,r(e,t)}n.d(t,{Z:()=>a})},3366:(e,t,n)=>{"use strict";function r(e,t){if(null==e)return{};var n,r,a={},o=Object.keys(e);for(r=0;r<o.length;r++)n=o[r],t.indexOf(n)>=0||(a[n]=e[n]);return a}n.d(t,{Z:()=>r})},512:(e,t,n)=>{"use strict";function r(e){var t,n,a="";if("string"==typeof e||"number"==typeof e)a+=e;else if("object"==typeof e)if(Array.isArray(e)){var o=e.length;for(t=0;t<o;t++)e[t]&&(n=r(e[t]))&&(a&&(a+=" "),a+=n)}else for(n in e)e[n]&&(a&&(a+=" "),a+=n);return a}n.d(t,{Z:()=>a});const a=function(){for(var e,t,n=0,a="",o=arguments.length;n<o;n++)(e=arguments[n])&&(t=r(e))&&(a&&(a+=" "),a+=t);return a}},2573:(e,t,n)=>{"use strict";n.d(t,{p1:()=>T,y$:()=>ee});var r,a,o,i,s,l,c,u=n(7294),d=n(512),p=Object.create,f=Object.defineProperty,h=Object.defineProperties,m=Object.getOwnPropertyDescriptor,g=Object.getOwnPropertyDescriptors,y=Object.getOwnPropertyNames,b=Object.getOwnPropertySymbols,v=Object.getPrototypeOf,k=Object.prototype.hasOwnProperty,w=Object.prototype.propertyIsEnumerable,x=(e,t,n)=>t in e?f(e,t,{enumerable:!0,configurable:!0,writable:!0,value:n}):e[t]=n,S=(e,t)=>{for(var n in t||(t={}))k.call(t,n)&&x(e,n,t[n]);if(b)for(var n of b(t))w.call(t,n)&&x(e,n,t[n]);return e},E=(e,t)=>h(e,g(t)),C=(e,t)=>{var n={};for(var r in e)k.call(e,r)&&t.indexOf(r)<0&&(n[r]=e[r]);if(null!=e&&b)for(var r of b(e))t.indexOf(r)<0&&w.call(e,r)&&(n[r]=e[r]);return n},_=(r={"../../node_modules/.pnpm/prismjs@1.29.0_patch_hash=vrxx3pzkik6jpmgpayxfjunetu/node_modules/prismjs/prism.js"(e,t){var n=function(){var e=/(?:^|\s)lang(?:uage)?-([\w-]+)(?=\s|$)/i,t=0,n={},r={util:{encode:function e(t){return t instanceof a?new a(t.type,e(t.content),t.alias):Array.isArray(t)?t.map(e):t.replace(/&/g,"&").replace(/</g,"<").replace(/\u00a0/g," ")},type:function(e){return Object.prototype.toString.call(e).slice(8,-1)},objId:function(e){return e.__id||Object.defineProperty(e,"__id",{value:++t}),e.__id},clone:function e(t,n){var a,o;switch(n=n||{},r.util.type(t)){case"Object":if(o=r.util.objId(t),n[o])return n[o];for(var i in a={},n[o]=a,t)t.hasOwnProperty(i)&&(a[i]=e(t[i],n));return a;case"Array":return o=r.util.objId(t),n[o]?n[o]:(a=[],n[o]=a,t.forEach((function(t,r){a[r]=e(t,n)})),a);default:return t}},getLanguage:function(t){for(;t;){var n=e.exec(t.className);if(n)return n[1].toLowerCase();t=t.parentElement}return"none"},setLanguage:function(t,n){t.className=t.className.replace(RegExp(e,"gi"),""),t.classList.add("language-"+n)},isActive:function(e,t,n){for(var r="no-"+t;e;){var a=e.classList;if(a.contains(t))return!0;if(a.contains(r))return!1;e=e.parentElement}return!!n}},languages:{plain:n,plaintext:n,text:n,txt:n,extend:function(e,t){var n=r.util.clone(r.languages[e]);for(var a in t)n[a]=t[a];return n},insertBefore:function(e,t,n,a){var o=(a=a||r.languages)[e],i={};for(var s in o)if(o.hasOwnProperty(s)){if(s==t)for(var l in n)n.hasOwnProperty(l)&&(i[l]=n[l]);n.hasOwnProperty(s)||(i[s]=o[s])}var c=a[e];return a[e]=i,r.languages.DFS(r.languages,(function(t,n){n===c&&t!=e&&(this[t]=i)})),i},DFS:function e(t,n,a,o){o=o||{};var i=r.util.objId;for(var s in t)if(t.hasOwnProperty(s)){n.call(t,s,t[s],a||s);var l=t[s],c=r.util.type(l);"Object"!==c||o[i(l)]?"Array"!==c||o[i(l)]||(o[i(l)]=!0,e(l,n,s,o)):(o[i(l)]=!0,e(l,n,null,o))}}},plugins:{},highlight:function(e,t,n){var o={code:e,grammar:t,language:n};if(r.hooks.run("before-tokenize",o),!o.grammar)throw new Error('The language "'+o.language+'" has no grammar.');return o.tokens=r.tokenize(o.code,o.grammar),r.hooks.run("after-tokenize",o),a.stringify(r.util.encode(o.tokens),o.language)},tokenize:function(e,t){var n=t.rest;if(n){for(var r in n)t[r]=n[r];delete t.rest}var a=new s;return l(a,a.head,e),i(e,a,t,a.head,0),function(e){for(var t=[],n=e.head.next;n!==e.tail;)t.push(n.value),n=n.next;return t}(a)},hooks:{all:{},add:function(e,t){var n=r.hooks.all;n[e]=n[e]||[],n[e].push(t)},run:function(e,t){var n=r.hooks.all[e];if(n&&n.length)for(var a,o=0;a=n[o++];)a(t)}},Token:a};function a(e,t,n,r){this.type=e,this.content=t,this.alias=n,this.length=0|(r||"").length}function o(e,t,n,r){e.lastIndex=t;var a=e.exec(n);if(a&&r&&a[1]){var o=a[1].length;a.index+=o,a[0]=a[0].slice(o)}return a}function i(e,t,n,s,u,d){for(var p in n)if(n.hasOwnProperty(p)&&n[p]){var f=n[p];f=Array.isArray(f)?f:[f];for(var h=0;h<f.length;++h){if(d&&d.cause==p+","+h)return;var m=f[h],g=m.inside,y=!!m.lookbehind,b=!!m.greedy,v=m.alias;if(b&&!m.pattern.global){var k=m.pattern.toString().match(/[imsuy]*$/)[0];m.pattern=RegExp(m.pattern.source,k+"g")}for(var w=m.pattern||m,x=s.next,S=u;x!==t.tail&&!(d&&S>=d.reach);S+=x.value.length,x=x.next){var E=x.value;if(t.length>e.length)return;if(!(E instanceof a)){var C,_=1;if(b){if(!(C=o(w,S,e,y))||C.index>=e.length)break;var T=C.index,L=C.index+C[0].length,R=S;for(R+=x.value.length;T>=R;)R+=(x=x.next).value.length;if(S=R-=x.value.length,x.value instanceof a)continue;for(var j=x;j!==t.tail&&(R<L||"string"==typeof j.value);j=j.next)_++,R+=j.value.length;_--,E=e.slice(S,R),C.index-=S}else if(!(C=o(w,0,E,y)))continue;T=C.index;var P=C[0],N=E.slice(0,T),A=E.slice(T+P.length),O=S+E.length;d&&O>d.reach&&(d.reach=O);var I=x.prev;if(N&&(I=l(t,I,N),S+=N.length),c(t,I,_),x=l(t,I,new a(p,g?r.tokenize(P,g):P,v,P)),A&&l(t,x,A),_>1){var D={cause:p+","+h,reach:O};i(e,t,n,x.prev,S,D),d&&D.reach>d.reach&&(d.reach=D.reach)}}}}}}function s(){var e={value:null,prev:null,next:null},t={value:null,prev:e,next:null};e.next=t,this.head=e,this.tail=t,this.length=0}function l(e,t,n){var r=t.next,a={value:n,prev:t,next:r};return t.next=a,r.prev=a,e.length++,a}function c(e,t,n){for(var r=t.next,a=0;a<n&&r!==e.tail;a++)r=r.next;t.next=r,r.prev=t,e.length-=a}return a.stringify=function e(t,n){if("string"==typeof t)return t;if(Array.isArray(t)){var a="";return t.forEach((function(t){a+=e(t,n)})),a}var o={type:t.type,content:e(t.content,n),tag:"span",classes:["token",t.type],attributes:{},language:n},i=t.alias;i&&(Array.isArray(i)?Array.prototype.push.apply(o.classes,i):o.classes.push(i)),r.hooks.run("wrap",o);var s="";for(var l in o.attributes)s+=" "+l+'="'+(o.attributes[l]||"").replace(/"/g,""")+'"';return"<"+o.tag+' class="'+o.classes.join(" ")+'"'+s+">"+o.content+"</"+o.tag+">"},r}();t.exports=n,n.default=n}},function(){return a||(0,r[y(r)[0]])((a={exports:{}}).exports,a),a.exports}),T=((e,t,n)=>(n=null!=e?p(v(e)):{},((e,t,n,r)=>{if(t&&"object"==typeof t||"function"==typeof t)for(let a of y(t))k.call(e,a)||a===n||f(e,a,{get:()=>t[a],enumerable:!(r=m(t,a))||r.enumerable});return e})(!t&&e&&e.__esModule?n:f(n,"default",{value:e,enumerable:!0}),e)))(_());T.languages.markup={comment:{pattern:/<!--(?:(?!<!--)[\s\S])*?-->/,greedy:!0},prolog:{pattern:/<\?[\s\S]+?\?>/,greedy:!0},doctype:{pattern:/<!DOCTYPE(?:[^>"'[\]]|"[^"]*"|'[^']*')+(?:\[(?:[^<"'\]]|"[^"]*"|'[^']*'|<(?!!--)|<!--(?:[^-]|-(?!->))*-->)*\]\s*)?>/i,greedy:!0,inside:{"internal-subset":{pattern:/(^[^\[]*\[)[\s\S]+(?=\]>$)/,lookbehind:!0,greedy:!0,inside:null},string:{pattern:/"[^"]*"|'[^']*'/,greedy:!0},punctuation:/^<!|>$|[[\]]/,"doctype-tag":/^DOCTYPE/i,name:/[^\s<>'"]+/}},cdata:{pattern:/<!\[CDATA\[[\s\S]*?\]\]>/i,greedy:!0},tag:{pattern:/<\/?(?!\d)[^\s>\/=$<%]+(?:\s(?:\s*[^\s>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s'">=]+(?=[\s>]))|(?=[\s/>])))+)?\s*\/?>/,greedy:!0,inside:{tag:{pattern:/^<\/?[^\s>\/]+/,inside:{punctuation:/^<\/?/,namespace:/^[^\s>\/:]+:/}},"special-attr":[],"attr-value":{pattern:/=\s*(?:"[^"]*"|'[^']*'|[^\s'">=]+)/,inside:{punctuation:[{pattern:/^=/,alias:"attr-equals"},{pattern:/^(\s*)["']|["']$/,lookbehind:!0}]}},punctuation:/\/?>/,"attr-name":{pattern:/[^\s>\/]+/,inside:{namespace:/^[^\s>\/:]+:/}}}},entity:[{pattern:/&[\da-z]{1,8};/i,alias:"named-entity"},/&#x?[\da-f]{1,8};/i]},T.languages.markup.tag.inside["attr-value"].inside.entity=T.languages.markup.entity,T.languages.markup.doctype.inside["internal-subset"].inside=T.languages.markup,T.hooks.add("wrap",(function(e){"entity"===e.type&&(e.attributes.title=e.content.replace(/&/,"&"))})),Object.defineProperty(T.languages.markup.tag,"addInlined",{value:function(e,t){var n;(t=((n=((n={})["language-"+t]={pattern:/(^<!\[CDATA\[)[\s\S]+?(?=\]\]>$)/i,lookbehind:!0,inside:T.languages[t]},n.cdata=/^<!\[CDATA\[|\]\]>$/i,{"included-cdata":{pattern:/<!\[CDATA\[[\s\S]*?\]\]>/i,inside:n}}))["language-"+t]={pattern:/[\s\S]+/,inside:T.languages[t]},{}))[e]={pattern:RegExp(/(<__[^>]*>)(?:<!\[CDATA\[(?:[^\]]|\](?!\]>))*\]\]>|(?!<!\[CDATA\[)[\s\S])*?(?=<\/__>)/.source.replace(/__/g,(function(){return e})),"i"),lookbehind:!0,greedy:!0,inside:n},T.languages.insertBefore("markup","cdata",t)}}),Object.defineProperty(T.languages.markup.tag,"addAttribute",{value:function(e,t){T.languages.markup.tag.inside["special-attr"].push({pattern:RegExp(/(^|["'\s])/.source+"(?:"+e+")"+/\s*=\s*(?:"[^"]*"|'[^']*'|[^\s'">=]+(?=[\s>]))/.source,"i"),lookbehind:!0,inside:{"attr-name":/^[^\s=]+/,"attr-value":{pattern:/=[\s\S]+/,inside:{value:{pattern:/(^=\s*(["']|(?!["'])))\S[\s\S]*(?=\2$)/,lookbehind:!0,alias:[t,"language-"+t],inside:T.languages[t]},punctuation:[{pattern:/^=/,alias:"attr-equals"},/"|'/]}}}})}}),T.languages.html=T.languages.markup,T.languages.mathml=T.languages.markup,T.languages.svg=T.languages.markup,T.languages.xml=T.languages.extend("markup",{}),T.languages.ssml=T.languages.xml,T.languages.atom=T.languages.xml,T.languages.rss=T.languages.xml,o=T,i={pattern:/\\[\\(){}[\]^$+*?|.]/,alias:"escape"},l="(?:[^\\\\-]|"+(s=/\\(?:x[\da-fA-F]{2}|u[\da-fA-F]{4}|u\{[\da-fA-F]+\}|0[0-7]{0,2}|[123][0-7]{2}|c[a-zA-Z]|.)/).source+")",l=RegExp(l+"-"+l),c={pattern:/(<|')[^<>']+(?=[>']$)/,lookbehind:!0,alias:"variable"},o.languages.regex={"char-class":{pattern:/((?:^|[^\\])(?:\\\\)*)\[(?:[^\\\]]|\\[\s\S])*\]/,lookbehind:!0,inside:{"char-class-negation":{pattern:/(^\[)\^/,lookbehind:!0,alias:"operator"},"char-class-punctuation":{pattern:/^\[|\]$/,alias:"punctuation"},range:{pattern:l,inside:{escape:s,"range-punctuation":{pattern:/-/,alias:"operator"}}},"special-escape":i,"char-set":{pattern:/\\[wsd]|\\p\{[^{}]+\}/i,alias:"class-name"},escape:s}},"special-escape":i,"char-set":{pattern:/\.|\\[wsd]|\\p\{[^{}]+\}/i,alias:"class-name"},backreference:[{pattern:/\\(?![123][0-7]{2})[1-9]/,alias:"keyword"},{pattern:/\\k<[^<>']+>/,alias:"keyword",inside:{"group-name":c}}],anchor:{pattern:/[$^]|\\[ABbGZz]/,alias:"function"},escape:s,group:[{pattern:/\((?:\?(?:<[^<>']+>|'[^<>']+'|[>:]|<?[=!]|[idmnsuxU]+(?:-[idmnsuxU]+)?:?))?/,alias:"punctuation",inside:{"group-name":c}},{pattern:/\)/,alias:"punctuation"}],quantifier:{pattern:/(?:[+*?]|\{\d+(?:,\d*)?\})[?+]?/,alias:"number"},alternation:{pattern:/\|/,alias:"keyword"}},T.languages.clike={comment:[{pattern:/(^|[^\\])\/\*[\s\S]*?(?:\*\/|$)/,lookbehind:!0,greedy:!0},{pattern:/(^|[^\\:])\/\/.*/,lookbehind:!0,greedy:!0}],string:{pattern:/(["'])(?:\\(?:\r\n|[\s\S])|(?!\1)[^\\\r\n])*\1/,greedy:!0},"class-name":{pattern:/(\b(?:class|extends|implements|instanceof|interface|new|trait)\s+|\bcatch\s+\()[\w.\\]+/i,lookbehind:!0,inside:{punctuation:/[.\\]/}},keyword:/\b(?:break|catch|continue|do|else|finally|for|function|if|in|instanceof|new|null|return|throw|try|while)\b/,boolean:/\b(?:false|true)\b/,function:/\b\w+(?=\()/,number:/\b0x[\da-f]+\b|(?:\b\d+(?:\.\d*)?|\B\.\d+)(?:e[+-]?\d+)?/i,operator:/[<>]=?|[!=]=?=?|--?|\+\+?|&&?|\|\|?|[?*/~^%]/,punctuation:/[{}[\];(),.:]/},T.languages.javascript=T.languages.extend("clike",{"class-name":[T.languages.clike["class-name"],{pattern:/(^|[^$\w\xA0-\uFFFF])(?!\s)[_$A-Z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*(?=\.(?:constructor|prototype))/,lookbehind:!0}],keyword:[{pattern:/((?:^|\})\s*)catch\b/,lookbehind:!0},{pattern:/(^|[^.]|\.\.\.\s*)\b(?:as|assert(?=\s*\{)|async(?=\s*(?:function\b|\(|[$\w\xA0-\uFFFF]|$))|await|break|case|class|const|continue|debugger|default|delete|do|else|enum|export|extends|finally(?=\s*(?:\{|$))|for|from(?=\s*(?:['"]|$))|function|(?:get|set)(?=\s*(?:[#\[$\w\xA0-\uFFFF]|$))|if|implements|import|in|instanceof|interface|let|new|null|of|package|private|protected|public|return|static|super|switch|this|throw|try|typeof|undefined|var|void|while|with|yield)\b/,lookbehind:!0}],function:/#?(?!\s)[_$a-zA-Z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*(?=\s*(?:\.\s*(?:apply|bind|call)\s*)?\()/,number:{pattern:RegExp(/(^|[^\w$])/.source+"(?:"+/NaN|Infinity/.source+"|"+/0[bB][01]+(?:_[01]+)*n?/.source+"|"+/0[oO][0-7]+(?:_[0-7]+)*n?/.source+"|"+/0[xX][\dA-Fa-f]+(?:_[\dA-Fa-f]+)*n?/.source+"|"+/\d+(?:_\d+)*n/.source+"|"+/(?:\d+(?:_\d+)*(?:\.(?:\d+(?:_\d+)*)?)?|\.\d+(?:_\d+)*)(?:[Ee][+-]?\d+(?:_\d+)*)?/.source+")"+/(?![\w$])/.source),lookbehind:!0},operator:/--|\+\+|\*\*=?|=>|&&=?|\|\|=?|[!=]==|<<=?|>>>?=?|[-+*/%&|^!=<>]=?|\.{3}|\?\?=?|\?\.?|[~:]/}),T.languages.javascript["class-name"][0].pattern=/(\b(?:class|extends|implements|instanceof|interface|new)\s+)[\w.\\]+/,T.languages.insertBefore("javascript","keyword",{regex:{pattern:RegExp(/((?:^|[^$\w\xA0-\uFFFF."'\])\s]|\b(?:return|yield))\s*)/.source+/\//.source+"(?:"+/(?:\[(?:[^\]\\\r\n]|\\.)*\]|\\.|[^/\\\[\r\n])+\/[dgimyus]{0,7}/.source+"|"+/(?:\[(?:[^[\]\\\r\n]|\\.|\[(?:[^[\]\\\r\n]|\\.|\[(?:[^[\]\\\r\n]|\\.)*\])*\])*\]|\\.|[^/\\\[\r\n])+\/[dgimyus]{0,7}v[dgimyus]{0,7}/.source+")"+/(?=(?:\s|\/\*(?:[^*]|\*(?!\/))*\*\/)*(?:$|[\r\n,.;:})\]]|\/\/))/.source),lookbehind:!0,greedy:!0,inside:{"regex-source":{pattern:/^(\/)[\s\S]+(?=\/[a-z]*$)/,lookbehind:!0,alias:"language-regex",inside:T.languages.regex},"regex-delimiter":/^\/|\/$/,"regex-flags":/^[a-z]+$/}},"function-variable":{pattern:/#?(?!\s)[_$a-zA-Z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*(?=\s*[=:]\s*(?:async\s*)?(?:\bfunction\b|(?:\((?:[^()]|\([^()]*\))*\)|(?!\s)[_$a-zA-Z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*)\s*=>))/,alias:"function"},parameter:[{pattern:/(function(?:\s+(?!\s)[_$a-zA-Z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*)?\s*\(\s*)(?!\s)(?:[^()\s]|\s+(?![\s)])|\([^()]*\))+(?=\s*\))/,lookbehind:!0,inside:T.languages.javascript},{pattern:/(^|[^$\w\xA0-\uFFFF])(?!\s)[_$a-z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*(?=\s*=>)/i,lookbehind:!0,inside:T.languages.javascript},{pattern:/(\(\s*)(?!\s)(?:[^()\s]|\s+(?![\s)])|\([^()]*\))+(?=\s*\)\s*=>)/,lookbehind:!0,inside:T.languages.javascript},{pattern:/((?:\b|\s|^)(?!(?:as|async|await|break|case|catch|class|const|continue|debugger|default|delete|do|else|enum|export|extends|finally|for|from|function|get|if|implements|import|in|instanceof|interface|let|new|null|of|package|private|protected|public|return|set|static|super|switch|this|throw|try|typeof|undefined|var|void|while|with|yield)(?![$\w\xA0-\uFFFF]))(?:(?!\s)[_$a-zA-Z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*\s*)\(\s*|\]\s*\(\s*)(?!\s)(?:[^()\s]|\s+(?![\s)])|\([^()]*\))+(?=\s*\)\s*\{)/,lookbehind:!0,inside:T.languages.javascript}],constant:/\b[A-Z](?:[A-Z_]|\dx?)*\b/}),T.languages.insertBefore("javascript","string",{hashbang:{pattern:/^#!.*/,greedy:!0,alias:"comment"},"template-string":{pattern:/`(?:\\[\s\S]|\$\{(?:[^{}]|\{(?:[^{}]|\{[^}]*\})*\})+\}|(?!\$\{)[^\\`])*`/,greedy:!0,inside:{"template-punctuation":{pattern:/^`|`$/,alias:"string"},interpolation:{pattern:/((?:^|[^\\])(?:\\{2})*)\$\{(?:[^{}]|\{(?:[^{}]|\{[^}]*\})*\})+\}/,lookbehind:!0,inside:{"interpolation-punctuation":{pattern:/^\$\{|\}$/,alias:"punctuation"},rest:T.languages.javascript}},string:/[\s\S]+/}},"string-property":{pattern:/((?:^|[,{])[ \t]*)(["'])(?:\\(?:\r\n|[\s\S])|(?!\2)[^\\\r\n])*\2(?=\s*:)/m,lookbehind:!0,greedy:!0,alias:"property"}}),T.languages.insertBefore("javascript","operator",{"literal-property":{pattern:/((?:^|[,{])[ \t]*)(?!\s)[_$a-zA-Z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*(?=\s*:)/m,lookbehind:!0,alias:"property"}}),T.languages.markup&&(T.languages.markup.tag.addInlined("script","javascript"),T.languages.markup.tag.addAttribute(/on(?:abort|blur|change|click|composition(?:end|start|update)|dblclick|error|focus(?:in|out)?|key(?:down|up)|load|mouse(?:down|enter|leave|move|out|over|up)|reset|resize|scroll|select|slotchange|submit|unload|wheel)/.source,"javascript")),T.languages.js=T.languages.javascript,T.languages.actionscript=T.languages.extend("javascript",{keyword:/\b(?:as|break|case|catch|class|const|default|delete|do|dynamic|each|else|extends|final|finally|for|function|get|if|implements|import|in|include|instanceof|interface|internal|is|namespace|native|new|null|override|package|private|protected|public|return|set|static|super|switch|this|throw|try|typeof|use|var|void|while|with)\b/,operator:/\+\+|--|(?:[+\-*\/%^]|&&?|\|\|?|<<?|>>?>?|[!=]=?)=?|[~?@]/}),T.languages.actionscript["class-name"].alias="function",delete T.languages.actionscript.parameter,delete T.languages.actionscript["literal-property"],T.languages.markup&&T.languages.insertBefore("actionscript","string",{xml:{pattern:/(^|[^.])<\/?\w+(?:\s+[^\s>\/=]+=("|')(?:\\[\s\S]|(?!\2)[^\\])*\2)*\s*\/?>/,lookbehind:!0,inside:T.languages.markup}}),function(e){var t=/#(?!\{).+/,n={pattern:/#\{[^}]+\}/,alias:"variable"};e.languages.coffeescript=e.languages.extend("javascript",{comment:t,string:[{pattern:/'(?:\\[\s\S]|[^\\'])*'/,greedy:!0},{pattern:/"(?:\\[\s\S]|[^\\"])*"/,greedy:!0,inside:{interpolation:n}}],keyword:/\b(?:and|break|by|catch|class|continue|debugger|delete|do|each|else|extend|extends|false|finally|for|if|in|instanceof|is|isnt|let|loop|namespace|new|no|not|null|of|off|on|or|own|return|super|switch|then|this|throw|true|try|typeof|undefined|unless|until|when|while|window|with|yes|yield)\b/,"class-member":{pattern:/@(?!\d)\w+/,alias:"variable"}}),e.languages.insertBefore("coffeescript","comment",{"multiline-comment":{pattern:/###[\s\S]+?###/,alias:"comment"},"block-regex":{pattern:/\/{3}[\s\S]*?\/{3}/,alias:"regex",inside:{comment:t,interpolation:n}}}),e.languages.insertBefore("coffeescript","string",{"inline-javascript":{pattern:/`(?:\\[\s\S]|[^\\`])*`/,inside:{delimiter:{pattern:/^`|`$/,alias:"punctuation"},script:{pattern:/[\s\S]+/,alias:"language-javascript",inside:e.languages.javascript}}},"multiline-string":[{pattern:/'''[\s\S]*?'''/,greedy:!0,alias:"string"},{pattern:/"""[\s\S]*?"""/,greedy:!0,alias:"string",inside:{interpolation:n}}]}),e.languages.insertBefore("coffeescript","keyword",{property:/(?!\d)\w+(?=\s*:(?!:))/}),delete e.languages.coffeescript["template-string"],e.languages.coffee=e.languages.coffeescript}(T),function(e){var t=e.languages.javadoclike={parameter:{pattern:/(^[\t ]*(?:\/{3}|\*|\/\*\*)\s*@(?:arg|arguments|param)\s+)\w+/m,lookbehind:!0},keyword:{pattern:/(^[\t ]*(?:\/{3}|\*|\/\*\*)\s*|\{)@[a-z][a-zA-Z-]+\b/m,lookbehind:!0},punctuation:/[{}]/};Object.defineProperty(t,"addSupport",{value:function(t,n){(t="string"==typeof t?[t]:t).forEach((function(t){var r=function(e){e.inside||(e.inside={}),e.inside.rest=n},a="doc-comment";if(o=e.languages[t]){var o,i=o[a];if((i=i||(o=e.languages.insertBefore(t,"comment",{"doc-comment":{pattern:/(^|[^\\])\/\*\*[^/][\s\S]*?(?:\*\/|$)/,lookbehind:!0,alias:"comment"}}))[a])instanceof RegExp&&(i=o[a]={pattern:i}),Array.isArray(i))for(var s=0,l=i.length;s<l;s++)i[s]instanceof RegExp&&(i[s]={pattern:i[s]}),r(i[s]);else r(i)}}))}}),t.addSupport(["java","javascript","php"],t)}(T),function(e){var t=/(?:"(?:\\(?:\r\n|[\s\S])|[^"\\\r\n])*"|'(?:\\(?:\r\n|[\s\S])|[^'\\\r\n])*')/;(t=(e.languages.css={comment:/\/\*[\s\S]*?\*\//,atrule:{pattern:RegExp("@[\\w-](?:"+/[^;{\s"']|\s+(?!\s)/.source+"|"+t.source+")*?"+/(?:;|(?=\s*\{))/.source),inside:{rule:/^@[\w-]+/,"selector-function-argument":{pattern:/(\bselector\s*\(\s*(?![\s)]))(?:[^()\s]|\s+(?![\s)])|\((?:[^()]|\([^()]*\))*\))+(?=\s*\))/,lookbehind:!0,alias:"selector"},keyword:{pattern:/(^|[^\w-])(?:and|not|only|or)(?![\w-])/,lookbehind:!0}}},url:{pattern:RegExp("\\burl\\((?:"+t.source+"|"+/(?:[^\\\r\n()"']|\\[\s\S])*/.source+")\\)","i"),greedy:!0,inside:{function:/^url/i,punctuation:/^\(|\)$/,string:{pattern:RegExp("^"+t.source+"$"),alias:"url"}}},selector:{pattern:RegExp("(^|[{}\\s])[^{}\\s](?:[^{};\"'\\s]|\\s+(?![\\s{])|"+t.source+")*(?=\\s*\\{)"),lookbehind:!0},string:{pattern:t,greedy:!0},property:{pattern:/(^|[^-\w\xA0-\uFFFF])(?!\s)[-_a-z\xA0-\uFFFF](?:(?!\s)[-\w\xA0-\uFFFF])*(?=\s*:)/i,lookbehind:!0},important:/!important\b/i,function:{pattern:/(^|[^-a-z0-9])[-a-z0-9]+(?=\()/i,lookbehind:!0},punctuation:/[(){};:,]/},e.languages.css.atrule.inside.rest=e.languages.css,e.languages.markup))&&(t.tag.addInlined("style","css"),t.tag.addAttribute("style","css"))}(T),function(e){var t=/("|')(?:\\(?:\r\n|[\s\S])|(?!\1)[^\\\r\n])*\1/,n=(t=(e.languages.css.selector={pattern:e.languages.css.selector.pattern,lookbehind:!0,inside:t={"pseudo-element":/:(?:after|before|first-letter|first-line|selection)|::[-\w]+/,"pseudo-class":/:[-\w]+/,class:/\.[-\w]+/,id:/#[-\w]+/,attribute:{pattern:RegExp("\\[(?:[^[\\]\"']|"+t.source+")*\\]"),greedy:!0,inside:{punctuation:/^\[|\]$/,"case-sensitivity":{pattern:/(\s)[si]$/i,lookbehind:!0,alias:"keyword"},namespace:{pattern:/^(\s*)(?:(?!\s)[-*\w\xA0-\uFFFF])*\|(?!=)/,lookbehind:!0,inside:{punctuation:/\|$/}},"attr-name":{pattern:/^(\s*)(?:(?!\s)[-\w\xA0-\uFFFF])+/,lookbehind:!0},"attr-value":[t,{pattern:/(=\s*)(?:(?!\s)[-\w\xA0-\uFFFF])+(?=\s*$)/,lookbehind:!0}],operator:/[|~*^$]?=/}},"n-th":[{pattern:/(\(\s*)[+-]?\d*[\dn](?:\s*[+-]\s*\d+)?(?=\s*\))/,lookbehind:!0,inside:{number:/[\dn]+/,operator:/[+-]/}},{pattern:/(\(\s*)(?:even|odd)(?=\s*\))/i,lookbehind:!0}],combinator:/>|\+|~|\|\|/,punctuation:/[(),]/}},e.languages.css.atrule.inside["selector-function-argument"].inside=t,e.languages.insertBefore("css","property",{variable:{pattern:/(^|[^-\w\xA0-\uFFFF])--(?!\s)[-_a-z\xA0-\uFFFF](?:(?!\s)[-\w\xA0-\uFFFF])*/i,lookbehind:!0}}),{pattern:/(\b\d+)(?:%|[a-z]+(?![\w-]))/,lookbehind:!0}),{pattern:/(^|[^\w.-])-?(?:\d+(?:\.\d+)?|\.\d+)/,lookbehind:!0});e.languages.insertBefore("css","function",{operator:{pattern:/(\s)[+\-*\/](?=\s)/,lookbehind:!0},hexcode:{pattern:/\B#[\da-f]{3,8}\b/i,alias:"color"},color:[{pattern:/(^|[^\w-])(?:AliceBlue|AntiqueWhite|Aqua|Aquamarine|Azure|Beige|Bisque|Black|BlanchedAlmond|Blue|BlueViolet|Brown|BurlyWood|CadetBlue|Chartreuse|Chocolate|Coral|CornflowerBlue|Cornsilk|Crimson|Cyan|DarkBlue|DarkCyan|DarkGoldenRod|DarkGr[ae]y|DarkGreen|DarkKhaki|DarkMagenta|DarkOliveGreen|DarkOrange|DarkOrchid|DarkRed|DarkSalmon|DarkSeaGreen|DarkSlateBlue|DarkSlateGr[ae]y|DarkTurquoise|DarkViolet|DeepPink|DeepSkyBlue|DimGr[ae]y|DodgerBlue|FireBrick|FloralWhite|ForestGreen|Fuchsia|Gainsboro|GhostWhite|Gold|GoldenRod|Gr[ae]y|Green|GreenYellow|HoneyDew|HotPink|IndianRed|Indigo|Ivory|Khaki|Lavender|LavenderBlush|LawnGreen|LemonChiffon|LightBlue|LightCoral|LightCyan|LightGoldenRodYellow|LightGr[ae]y|LightGreen|LightPink|LightSalmon|LightSeaGreen|LightSkyBlue|LightSlateGr[ae]y|LightSteelBlue|LightYellow|Lime|LimeGreen|Linen|Magenta|Maroon|MediumAquaMarine|MediumBlue|MediumOrchid|MediumPurple|MediumSeaGreen|MediumSlateBlue|MediumSpringGreen|MediumTurquoise|MediumVioletRed|MidnightBlue|MintCream|MistyRose|Moccasin|NavajoWhite|Navy|OldLace|Olive|OliveDrab|Orange|OrangeRed|Orchid|PaleGoldenRod|PaleGreen|PaleTurquoise|PaleVioletRed|PapayaWhip|PeachPuff|Peru|Pink|Plum|PowderBlue|Purple|RebeccaPurple|Red|RosyBrown|RoyalBlue|SaddleBrown|Salmon|SandyBrown|SeaGreen|SeaShell|Sienna|Silver|SkyBlue|SlateBlue|SlateGr[ae]y|Snow|SpringGreen|SteelBlue|Tan|Teal|Thistle|Tomato|Transparent|Turquoise|Violet|Wheat|White|WhiteSmoke|Yellow|YellowGreen)(?![\w-])/i,lookbehind:!0},{pattern:/\b(?:hsl|rgb)\(\s*\d{1,3}\s*,\s*\d{1,3}%?\s*,\s*\d{1,3}%?\s*\)\B|\b(?:hsl|rgb)a\(\s*\d{1,3}\s*,\s*\d{1,3}%?\s*,\s*\d{1,3}%?\s*,\s*(?:0|0?\.\d+|1)\s*\)\B/i,inside:{unit:t,number:n,function:/[\w-]+(?=\()/,punctuation:/[(),]/}}],entity:/\\[\da-f]{1,8}/i,unit:t,number:n})}(T),function(e){var t=/[*&][^\s[\]{},]+/,n=/!(?:<[\w\-%#;/?:@&=+$,.!~*'()[\]]+>|(?:[a-zA-Z\d-]*!)?[\w\-%#;/?:@&=+$.~*'()]+)?/,r="(?:"+n.source+"(?:[ \t]+"+t.source+")?|"+t.source+"(?:[ \t]+"+n.source+")?)",a=/(?:[^\s\x00-\x08\x0e-\x1f!"#%&'*,\-:>?@[\]`{|}\x7f-\x84\x86-\x9f\ud800-\udfff\ufffe\uffff]|[?:-]<PLAIN>)(?:[ \t]*(?:(?![#:])<PLAIN>|:<PLAIN>))*/.source.replace(/<PLAIN>/g,(function(){return/[^\s\x00-\x08\x0e-\x1f,[\]{}\x7f-\x84\x86-\x9f\ud800-\udfff\ufffe\uffff]/.source})),o=/"(?:[^"\\\r\n]|\\.)*"|'(?:[^'\\\r\n]|\\.)*'/.source;function i(e,t){t=(t||"").replace(/m/g,"")+"m";var n=/([:\-,[{]\s*(?:\s<<prop>>[ \t]+)?)(?:<<value>>)(?=[ \t]*(?:$|,|\]|\}|(?:[\r\n]\s*)?#))/.source.replace(/<<prop>>/g,(function(){return r})).replace(/<<value>>/g,(function(){return e}));return RegExp(n,t)}e.languages.yaml={scalar:{pattern:RegExp(/([\-:]\s*(?:\s<<prop>>[ \t]+)?[|>])[ \t]*(?:((?:\r?\n|\r)[ \t]+)\S[^\r\n]*(?:\2[^\r\n]+)*)/.source.replace(/<<prop>>/g,(function(){return r}))),lookbehind:!0,alias:"string"},comment:/#.*/,key:{pattern:RegExp(/((?:^|[:\-,[{\r\n?])[ \t]*(?:<<prop>>[ \t]+)?)<<key>>(?=\s*:\s)/.source.replace(/<<prop>>/g,(function(){return r})).replace(/<<key>>/g,(function(){return"(?:"+a+"|"+o+")"}))),lookbehind:!0,greedy:!0,alias:"atrule"},directive:{pattern:/(^[ \t]*)%.+/m,lookbehind:!0,alias:"important"},datetime:{pattern:i(/\d{4}-\d\d?-\d\d?(?:[tT]|[ \t]+)\d\d?:\d{2}:\d{2}(?:\.\d*)?(?:[ \t]*(?:Z|[-+]\d\d?(?::\d{2})?))?|\d{4}-\d{2}-\d{2}|\d\d?:\d{2}(?::\d{2}(?:\.\d*)?)?/.source),lookbehind:!0,alias:"number"},boolean:{pattern:i(/false|true/.source,"i"),lookbehind:!0,alias:"important"},null:{pattern:i(/null|~/.source,"i"),lookbehind:!0,alias:"important"},string:{pattern:i(o),lookbehind:!0,greedy:!0},number:{pattern:i(/[+-]?(?:0x[\da-f]+|0o[0-7]+|(?:\d+(?:\.\d*)?|\.\d+)(?:e[+-]?\d+)?|\.inf|\.nan)/.source,"i"),lookbehind:!0},tag:n,important:t,punctuation:/---|[:[\]{}\-,|>?]|\.\.\./},e.languages.yml=e.languages.yaml}(T),function(e){var t=/(?:\\.|[^\\\n\r]|(?:\n|\r\n?)(?![\r\n]))/.source;function n(e){return e=e.replace(/<inner>/g,(function(){return t})),RegExp(/((?:^|[^\\])(?:\\{2})*)/.source+"(?:"+e+")")}var r=/(?:\\.|``(?:[^`\r\n]|`(?!`))+``|`[^`\r\n]+`|[^\\|\r\n`])+/.source,a=/\|?__(?:\|__)+\|?(?:(?:\n|\r\n?)|(?![\s\S]))/.source.replace(/__/g,(function(){return r})),o=/\|?[ \t]*:?-{3,}:?[ \t]*(?:\|[ \t]*:?-{3,}:?[ \t]*)+\|?(?:\n|\r\n?)/.source,i=(e.languages.markdown=e.languages.extend("markup",{}),e.languages.insertBefore("markdown","prolog",{"front-matter-block":{pattern:/(^(?:\s*[\r\n])?)---(?!.)[\s\S]*?[\r\n]---(?!.)/,lookbehind:!0,greedy:!0,inside:{punctuation:/^---|---$/,"front-matter":{pattern:/\S+(?:\s+\S+)*/,alias:["yaml","language-yaml"],inside:e.languages.yaml}}},blockquote:{pattern:/^>(?:[\t ]*>)*/m,alias:"punctuation"},table:{pattern:RegExp("^"+a+o+"(?:"+a+")*","m"),inside:{"table-data-rows":{pattern:RegExp("^("+a+o+")(?:"+a+")*$"),lookbehind:!0,inside:{"table-data":{pattern:RegExp(r),inside:e.languages.markdown},punctuation:/\|/}},"table-line":{pattern:RegExp("^("+a+")"+o+"$"),lookbehind:!0,inside:{punctuation:/\||:?-{3,}:?/}},"table-header-row":{pattern:RegExp("^"+a+"$"),inside:{"table-header":{pattern:RegExp(r),alias:"important",inside:e.languages.markdown},punctuation:/\|/}}}},code:[{pattern:/((?:^|\n)[ \t]*\n|(?:^|\r\n?)[ \t]*\r\n?)(?: {4}|\t).+(?:(?:\n|\r\n?)(?: {4}|\t).+)*/,lookbehind:!0,alias:"keyword"},{pattern:/^```[\s\S]*?^```$/m,greedy:!0,inside:{"code-block":{pattern:/^(```.*(?:\n|\r\n?))[\s\S]+?(?=(?:\n|\r\n?)^```$)/m,lookbehind:!0},"code-language":{pattern:/^(```).+/,lookbehind:!0},punctuation:/```/}}],title:[{pattern:/\S.*(?:\n|\r\n?)(?:==+|--+)(?=[ \t]*$)/m,alias:"important",inside:{punctuation:/==+$|--+$/}},{pattern:/(^\s*)#.+/m,lookbehind:!0,alias:"important",inside:{punctuation:/^#+|#+$/}}],hr:{pattern:/(^\s*)([*-])(?:[\t ]*\2){2,}(?=\s*$)/m,lookbehind:!0,alias:"punctuation"},list:{pattern:/(^\s*)(?:[*+-]|\d+\.)(?=[\t ].)/m,lookbehind:!0,alias:"punctuation"},"url-reference":{pattern:/!?\[[^\]]+\]:[\t ]+(?:\S+|<(?:\\.|[^>\\])+>)(?:[\t ]+(?:"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|\((?:\\.|[^)\\])*\)))?/,inside:{variable:{pattern:/^(!?\[)[^\]]+/,lookbehind:!0},string:/(?:"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|\((?:\\.|[^)\\])*\))$/,punctuation:/^[\[\]!:]|[<>]/},alias:"url"},bold:{pattern:n(/\b__(?:(?!_)<inner>|_(?:(?!_)<inner>)+_)+__\b|\*\*(?:(?!\*)<inner>|\*(?:(?!\*)<inner>)+\*)+\*\*/.source),lookbehind:!0,greedy:!0,inside:{content:{pattern:/(^..)[\s\S]+(?=..$)/,lookbehind:!0,inside:{}},punctuation:/\*\*|__/}},italic:{pattern:n(/\b_(?:(?!_)<inner>|__(?:(?!_)<inner>)+__)+_\b|\*(?:(?!\*)<inner>|\*\*(?:(?!\*)<inner>)+\*\*)+\*/.source),lookbehind:!0,greedy:!0,inside:{content:{pattern:/(^.)[\s\S]+(?=.$)/,lookbehind:!0,inside:{}},punctuation:/[*_]/}},strike:{pattern:n(/(~~?)(?:(?!~)<inner>)+\2/.source),lookbehind:!0,greedy:!0,inside:{content:{pattern:/(^~~?)[\s\S]+(?=\1$)/,lookbehind:!0,inside:{}},punctuation:/~~?/}},"code-snippet":{pattern:/(^|[^\\`])(?:``[^`\r\n]+(?:`[^`\r\n]+)*``(?!`)|`[^`\r\n]+`(?!`))/,lookbehind:!0,greedy:!0,alias:["code","keyword"]},url:{pattern:n(/!?\[(?:(?!\])<inner>)+\](?:\([^\s)]+(?:[\t ]+"(?:\\.|[^"\\])*")?\)|[ \t]?\[(?:(?!\])<inner>)+\])/.source),lookbehind:!0,greedy:!0,inside:{operator:/^!/,content:{pattern:/(^\[)[^\]]+(?=\])/,lookbehind:!0,inside:{}},variable:{pattern:/(^\][ \t]?\[)[^\]]+(?=\]$)/,lookbehind:!0},url:{pattern:/(^\]\()[^\s)]+/,lookbehind:!0},string:{pattern:/(^[ \t]+)"(?:\\.|[^"\\])*"(?=\)$)/,lookbehind:!0}}}}),["url","bold","italic","strike"].forEach((function(t){["url","bold","italic","strike","code-snippet"].forEach((function(n){t!==n&&(e.languages.markdown[t].inside.content.inside[n]=e.languages.markdown[n])}))})),e.hooks.add("after-tokenize",(function(e){"markdown"!==e.language&&"md"!==e.language||function e(t){if(t&&"string"!=typeof t)for(var n=0,r=t.length;n<r;n++){var a,o=t[n];"code"!==o.type?e(o.content):(a=o.content[1],o=o.content[3],a&&o&&"code-language"===a.type&&"code-block"===o.type&&"string"==typeof a.content&&(a=a.content.replace(/\b#/g,"sharp").replace(/\b\+\+/g,"pp"),a="language-"+(a=(/[a-z][\w-]*/i.exec(a)||[""])[0].toLowerCase()),o.alias?"string"==typeof o.alias?o.alias=[o.alias,a]:o.alias.push(a):o.alias=[a]))}}(e.tokens)})),e.hooks.add("wrap",(function(t){if("code-block"===t.type){for(var n="",r=0,a=t.classes.length;r<a;r++){var o=t.classes[r];if(o=/language-(.+)/.exec(o)){n=o[1];break}}var c,u=e.languages[n];u?t.content=e.highlight(t.content.replace(i,"").replace(/&(\w{1,8}|#x?[\da-f]{1,8});/gi,(function(e,t){var n;return"#"===(t=t.toLowerCase())[0]?(n="x"===t[1]?parseInt(t.slice(2),16):Number(t.slice(1)),l(n)):s[t]||e})),u,n):n&&"none"!==n&&e.plugins.autoloader&&(c="md-"+(new Date).valueOf()+"-"+Math.floor(1e16*Math.random()),t.attributes.id=c,e.plugins.autoloader.loadLanguages(n,(function(){var t=document.getElementById(c);t&&(t.innerHTML=e.highlight(t.textContent,e.languages[n],n))})))}})),RegExp(e.languages.markup.tag.pattern.source,"gi")),s={amp:"&",lt:"<",gt:">",quot:'"'},l=String.fromCodePoint||String.fromCharCode;e.languages.md=e.languages.markdown}(T),T.languages.graphql={comment:/#.*/,description:{pattern:/(?:"""(?:[^"]|(?!""")")*"""|"(?:\\.|[^\\"\r\n])*")(?=\s*[a-z_])/i,greedy:!0,alias:"string",inside:{"language-markdown":{pattern:/(^"(?:"")?)(?!\1)[\s\S]+(?=\1$)/,lookbehind:!0,inside:T.languages.markdown}}},string:{pattern:/"""(?:[^"]|(?!""")")*"""|"(?:\\.|[^\\"\r\n])*"/,greedy:!0},number:/(?:\B-|\b)\d+(?:\.\d+)?(?:e[+-]?\d+)?\b/i,boolean:/\b(?:false|true)\b/,variable:/\$[a-z_]\w*/i,directive:{pattern:/@[a-z_]\w*/i,alias:"function"},"attr-name":{pattern:/\b[a-z_]\w*(?=\s*(?:\((?:[^()"]|"(?:\\.|[^\\"\r\n])*")*\))?:)/i,greedy:!0},"atom-input":{pattern:/\b[A-Z]\w*Input\b/,alias:"class-name"},scalar:/\b(?:Boolean|Float|ID|Int|String)\b/,constant:/\b[A-Z][A-Z_\d]*\b/,"class-name":{pattern:/(\b(?:enum|implements|interface|on|scalar|type|union)\s+|&\s*|:\s*|\[)[A-Z_]\w*/,lookbehind:!0},fragment:{pattern:/(\bfragment\s+|\.{3}\s*(?!on\b))[a-zA-Z_]\w*/,lookbehind:!0,alias:"function"},"definition-mutation":{pattern:/(\bmutation\s+)[a-zA-Z_]\w*/,lookbehind:!0,alias:"function"},"definition-query":{pattern:/(\bquery\s+)[a-zA-Z_]\w*/,lookbehind:!0,alias:"function"},keyword:/\b(?:directive|enum|extend|fragment|implements|input|interface|mutation|on|query|repeatable|scalar|schema|subscription|type|union)\b/,operator:/[!=|&]|\.{3}/,"property-query":/\w+(?=\s*\()/,object:/\w+(?=\s*\{)/,punctuation:/[!(){}\[\]:=,]/,property:/\w+/},T.hooks.add("after-tokenize",(function(e){if("graphql"===e.language)for(var t=e.tokens.filter((function(e){return"string"!=typeof e&&"comment"!==e.type&&"scalar"!==e.type})),n=0;n<t.length;){var r=t[n++];if("keyword"===r.type&&"mutation"===r.content){var a=[];if(d(["definition-mutation","punctuation"])&&"("===u(1).content){n+=2;var o=p(/^\($/,/^\)$/);if(-1===o)continue;for(;n<o;n++){var i=u(0);"variable"===i.type&&(f(i,"variable-input"),a.push(i.content))}n=o+1}if(d(["punctuation","property-query"])&&"{"===u(0).content&&(n++,f(u(0),"property-mutation"),0<a.length)){var s=p(/^\{$/,/^\}$/);if(-1!==s)for(var l=n;l<s;l++){var c=t[l];"variable"===c.type&&0<=a.indexOf(c.content)&&f(c,"variable-input")}}}}function u(e){return t[n+e]}function d(e,t){t=t||0;for(var n=0;n<e.length;n++){var r=u(n+t);if(!r||r.type!==e[n])return}return 1}function p(e,r){for(var a=1,o=n;o<t.length;o++){var i=t[o],s=i.content;if("punctuation"===i.type&&"string"==typeof s)if(e.test(s))a++;else if(r.test(s)&&0==--a)return o}return-1}function f(e,t){var n=e.alias;n?Array.isArray(n)||(e.alias=n=[n]):e.alias=n=[],n.push(t)}})),T.languages.sql={comment:{pattern:/(^|[^\\])(?:\/\*[\s\S]*?\*\/|(?:--|\/\/|#).*)/,lookbehind:!0},variable:[{pattern:/@(["'`])(?:\\[\s\S]|(?!\1)[^\\])+\1/,greedy:!0},/@[\w.$]+/],string:{pattern:/(^|[^@\\])("|')(?:\\[\s\S]|(?!\2)[^\\]|\2\2)*\2/,greedy:!0,lookbehind:!0},identifier:{pattern:/(^|[^@\\])`(?:\\[\s\S]|[^`\\]|``)*`/,greedy:!0,lookbehind:!0,inside:{punctuation:/^`|`$/}},function:/\b(?:AVG|COUNT|FIRST|FORMAT|LAST|LCASE|LEN|MAX|MID|MIN|MOD|NOW|ROUND|SUM|UCASE)(?=\s*\()/i,keyword:/\b(?:ACTION|ADD|AFTER|ALGORITHM|ALL|ALTER|ANALYZE|ANY|APPLY|AS|ASC|AUTHORIZATION|AUTO_INCREMENT|BACKUP|BDB|BEGIN|BERKELEYDB|BIGINT|BINARY|BIT|BLOB|BOOL|BOOLEAN|BREAK|BROWSE|BTREE|BULK|BY|CALL|CASCADED?|CASE|CHAIN|CHAR(?:ACTER|SET)?|CHECK(?:POINT)?|CLOSE|CLUSTERED|COALESCE|COLLATE|COLUMNS?|COMMENT|COMMIT(?:TED)?|COMPUTE|CONNECT|CONSISTENT|CONSTRAINT|CONTAINS(?:TABLE)?|CONTINUE|CONVERT|CREATE|CROSS|CURRENT(?:_DATE|_TIME|_TIMESTAMP|_USER)?|CURSOR|CYCLE|DATA(?:BASES?)?|DATE(?:TIME)?|DAY|DBCC|DEALLOCATE|DEC|DECIMAL|DECLARE|DEFAULT|DEFINER|DELAYED|DELETE|DELIMITERS?|DENY|DESC|DESCRIBE|DETERMINISTIC|DISABLE|DISCARD|DISK|DISTINCT|DISTINCTROW|DISTRIBUTED|DO|DOUBLE|DROP|DUMMY|DUMP(?:FILE)?|DUPLICATE|ELSE(?:IF)?|ENABLE|ENCLOSED|END|ENGINE|ENUM|ERRLVL|ERRORS|ESCAPED?|EXCEPT|EXEC(?:UTE)?|EXISTS|EXIT|EXPLAIN|EXTENDED|FETCH|FIELDS|FILE|FILLFACTOR|FIRST|FIXED|FLOAT|FOLLOWING|FOR(?: EACH ROW)?|FORCE|FOREIGN|FREETEXT(?:TABLE)?|FROM|FULL|FUNCTION|GEOMETRY(?:COLLECTION)?|GLOBAL|GOTO|GRANT|GROUP|HANDLER|HASH|HAVING|HOLDLOCK|HOUR|IDENTITY(?:COL|_INSERT)?|IF|IGNORE|IMPORT|INDEX|INFILE|INNER|INNODB|INOUT|INSERT|INT|INTEGER|INTERSECT|INTERVAL|INTO|INVOKER|ISOLATION|ITERATE|JOIN|KEYS?|KILL|LANGUAGE|LAST|LEAVE|LEFT|LEVEL|LIMIT|LINENO|LINES|LINESTRING|LOAD|LOCAL|LOCK|LONG(?:BLOB|TEXT)|LOOP|MATCH(?:ED)?|MEDIUM(?:BLOB|INT|TEXT)|MERGE|MIDDLEINT|MINUTE|MODE|MODIFIES|MODIFY|MONTH|MULTI(?:LINESTRING|POINT|POLYGON)|NATIONAL|NATURAL|NCHAR|NEXT|NO|NONCLUSTERED|NULLIF|NUMERIC|OFF?|OFFSETS?|ON|OPEN(?:DATASOURCE|QUERY|ROWSET)?|OPTIMIZE|OPTION(?:ALLY)?|ORDER|OUT(?:ER|FILE)?|OVER|PARTIAL|PARTITION|PERCENT|PIVOT|PLAN|POINT|POLYGON|PRECEDING|PRECISION|PREPARE|PREV|PRIMARY|PRINT|PRIVILEGES|PROC(?:EDURE)?|PUBLIC|PURGE|QUICK|RAISERROR|READS?|REAL|RECONFIGURE|REFERENCES|RELEASE|RENAME|REPEAT(?:ABLE)?|REPLACE|REPLICATION|REQUIRE|RESIGNAL|RESTORE|RESTRICT|RETURN(?:ING|S)?|REVOKE|RIGHT|ROLLBACK|ROUTINE|ROW(?:COUNT|GUIDCOL|S)?|RTREE|RULE|SAVE(?:POINT)?|SCHEMA|SECOND|SELECT|SERIAL(?:IZABLE)?|SESSION(?:_USER)?|SET(?:USER)?|SHARE|SHOW|SHUTDOWN|SIMPLE|SMALLINT|SNAPSHOT|SOME|SONAME|SQL|START(?:ING)?|STATISTICS|STATUS|STRIPED|SYSTEM_USER|TABLES?|TABLESPACE|TEMP(?:ORARY|TABLE)?|TERMINATED|TEXT(?:SIZE)?|THEN|TIME(?:STAMP)?|TINY(?:BLOB|INT|TEXT)|TOP?|TRAN(?:SACTIONS?)?|TRIGGER|TRUNCATE|TSEQUAL|TYPES?|UNBOUNDED|UNCOMMITTED|UNDEFINED|UNION|UNIQUE|UNLOCK|UNPIVOT|UNSIGNED|UPDATE(?:TEXT)?|USAGE|USE|USER|USING|VALUES?|VAR(?:BINARY|CHAR|CHARACTER|YING)|VIEW|WAITFOR|WARNINGS|WHEN|WHERE|WHILE|WITH(?: ROLLUP|IN)?|WORK|WRITE(?:TEXT)?|YEAR)\b/i,boolean:/\b(?:FALSE|NULL|TRUE)\b/i,number:/\b0x[\da-f]+\b|\b\d+(?:\.\d*)?|\B\.\d+\b/i,operator:/[-+*\/=%^~]|&&?|\|\|?|!=?|<(?:=>?|<|>)?|>[>=]?|\b(?:AND|BETWEEN|DIV|ILIKE|IN|IS|LIKE|NOT|OR|REGEXP|RLIKE|SOUNDS LIKE|XOR)\b/i,punctuation:/[;[\]()`,.]/},function(e){var t=e.languages.javascript["template-string"],n=t.pattern.source,r=t.inside.interpolation,a=r.inside["interpolation-punctuation"],o=r.pattern.source;function i(t,r){if(e.languages[t])return{pattern:RegExp("((?:"+r+")\\s*)"+n),lookbehind:!0,greedy:!0,inside:{"template-punctuation":{pattern:/^`|`$/,alias:"string"},"embedded-code":{pattern:/[\s\S]+/,alias:t}}}}function s(t,n,r){return t={code:t,grammar:n,language:r},e.hooks.run("before-tokenize",t),t.tokens=e.tokenize(t.code,t.grammar),e.hooks.run("after-tokenize",t),t.tokens}function l(t,n,i){var l=e.tokenize(t,{interpolation:{pattern:RegExp(o),lookbehind:!0}}),c=0,u={},d=(l=s(l.map((function(e){if("string"==typeof e)return e;var n,r;for(e=e.content;-1!==t.indexOf((r=c++,n="___"+i.toUpperCase()+"_"+r+"___")););return u[n]=e,n})).join(""),n,i),Object.keys(u));return c=0,function t(n){for(var o=0;o<n.length;o++){if(c>=d.length)return;var i,l,p,f,h,m,g,y=n[o];"string"==typeof y||"string"==typeof y.content?(i=d[c],-1!==(g=(m="string"==typeof y?y:y.content).indexOf(i))&&(++c,l=m.substring(0,g),h=u[i],p=void 0,(f={})["interpolation-punctuation"]=a,3===(f=e.tokenize(h,f)).length&&((p=[1,1]).push.apply(p,s(f[1],e.languages.javascript,"javascript")),f.splice.apply(f,p)),p=new e.Token("interpolation",f,r.alias,h),f=m.substring(g+i.length),h=[],l&&h.push(l),h.push(p),f&&(t(m=[f]),h.push.apply(h,m)),"string"==typeof y?(n.splice.apply(n,[o,1].concat(h)),o+=h.length-1):y.content=h)):(g=y.content,Array.isArray(g)?t(g):t([g]))}}(l),new e.Token(i,l,"language-"+i,t)}e.languages.javascript["template-string"]=[i("css",/\b(?:styled(?:\([^)]*\))?(?:\s*\.\s*\w+(?:\([^)]*\))*)*|css(?:\s*\.\s*(?:global|resolve))?|createGlobalStyle|keyframes)/.source),i("html",/\bhtml|\.\s*(?:inner|outer)HTML\s*\+?=/.source),i("svg",/\bsvg/.source),i("markdown",/\b(?:markdown|md)/.source),i("graphql",/\b(?:gql|graphql(?:\s*\.\s*experimental)?)/.source),i("sql",/\bsql/.source),t].filter(Boolean);var c={javascript:!0,js:!0,typescript:!0,ts:!0,jsx:!0,tsx:!0};function u(e){return"string"==typeof e?e:Array.isArray(e)?e.map(u).join(""):u(e.content)}e.hooks.add("after-tokenize",(function(t){t.language in c&&function t(n){for(var r=0,a=n.length;r<a;r++){var o,i,s,c=n[r];"string"!=typeof c&&(o=c.content,Array.isArray(o)?"template-string"===c.type?(c=o[1],3===o.length&&"string"!=typeof c&&"embedded-code"===c.type&&(i=u(c),c=c.alias,c=Array.isArray(c)?c[0]:c,s=e.languages[c])&&(o[1]=l(i,s,c))):t(o):"string"!=typeof o&&t([o]))}}(t.tokens)}))}(T),function(e){e.languages.typescript=e.languages.extend("javascript",{"class-name":{pattern:/(\b(?:class|extends|implements|instanceof|interface|new|type)\s+)(?!keyof\b)(?!\s)[_$a-zA-Z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*(?:\s*<(?:[^<>]|<(?:[^<>]|<[^<>]*>)*>)*>)?/,lookbehind:!0,greedy:!0,inside:null},builtin:/\b(?:Array|Function|Promise|any|boolean|console|never|number|string|symbol|unknown)\b/}),e.languages.typescript.keyword.push(/\b(?:abstract|declare|is|keyof|readonly|require)\b/,/\b(?:asserts|infer|interface|module|namespace|type)\b(?=\s*(?:[{_$a-zA-Z\xA0-\uFFFF]|$))/,/\btype\b(?=\s*(?:[\{*]|$))/),delete e.languages.typescript.parameter,delete e.languages.typescript["literal-property"];var t=e.languages.extend("typescript",{});delete t["class-name"],e.languages.typescript["class-name"].inside=t,e.languages.insertBefore("typescript","function",{decorator:{pattern:/@[$\w\xA0-\uFFFF]+/,inside:{at:{pattern:/^@/,alias:"operator"},function:/^[\s\S]+/}},"generic-function":{pattern:/#?(?!\s)[_$a-zA-Z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*\s*<(?:[^<>]|<(?:[^<>]|<[^<>]*>)*>)*>(?=\s*\()/,greedy:!0,inside:{function:/^#?(?!\s)[_$a-zA-Z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*/,generic:{pattern:/<[\s\S]+/,alias:"class-name",inside:t}}}}),e.languages.ts=e.languages.typescript}(T),function(e){var t=e.languages.javascript,n=/\{(?:[^{}]|\{(?:[^{}]|\{[^{}]*\})*\})+\}/.source,r="(@(?:arg|argument|param|property)\\s+(?:"+n+"\\s+)?)";e.languages.jsdoc=e.languages.extend("javadoclike",{parameter:{pattern:RegExp(r+/(?:(?!\s)[$\w\xA0-\uFFFF.])+(?=\s|$)/.source),lookbehind:!0,inside:{punctuation:/\./}}}),e.languages.insertBefore("jsdoc","keyword",{"optional-parameter":{pattern:RegExp(r+/\[(?:(?!\s)[$\w\xA0-\uFFFF.])+(?:=[^[\]]+)?\](?=\s|$)/.source),lookbehind:!0,inside:{parameter:{pattern:/(^\[)[$\w\xA0-\uFFFF\.]+/,lookbehind:!0,inside:{punctuation:/\./}},code:{pattern:/(=)[\s\S]*(?=\]$)/,lookbehind:!0,inside:t,alias:"language-javascript"},punctuation:/[=[\]]/}},"class-name":[{pattern:RegExp(/(@(?:augments|class|extends|interface|memberof!?|template|this|typedef)\s+(?:<TYPE>\s+)?)[A-Z]\w*(?:\.[A-Z]\w*)*/.source.replace(/<TYPE>/g,(function(){return n}))),lookbehind:!0,inside:{punctuation:/\./}},{pattern:RegExp("(@[a-z]+\\s+)"+n),lookbehind:!0,inside:{string:t.string,number:t.number,boolean:t.boolean,keyword:e.languages.typescript.keyword,operator:/=>|\.\.\.|[&|?:*]/,punctuation:/[.,;=<>{}()[\]]/}}],example:{pattern:/(@example\s+(?!\s))(?:[^@\s]|\s+(?!\s))+?(?=\s*(?:\*\s*)?(?:@\w|\*\/))/,lookbehind:!0,inside:{code:{pattern:/^([\t ]*(?:\*\s*)?)\S.*$/m,lookbehind:!0,inside:t,alias:"language-javascript"}}}}),e.languages.javadoclike.addSupport("javascript",e.languages.jsdoc)}(T),function(e){e.languages.flow=e.languages.extend("javascript",{}),e.languages.insertBefore("flow","keyword",{type:[{pattern:/\b(?:[Bb]oolean|Function|[Nn]umber|[Ss]tring|[Ss]ymbol|any|mixed|null|void)\b/,alias:"class-name"}]}),e.languages.flow["function-variable"].pattern=/(?!\s)[_$a-z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*(?=\s*=\s*(?:function\b|(?:\([^()]*\)(?:\s*:\s*\w+)?|(?!\s)[_$a-z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*)\s*=>))/i,delete e.languages.flow.parameter,e.languages.insertBefore("flow","operator",{"flow-punctuation":{pattern:/\{\||\|\}/,alias:"punctuation"}}),Array.isArray(e.languages.flow.keyword)||(e.languages.flow.keyword=[e.languages.flow.keyword]),e.languages.flow.keyword.unshift({pattern:/(^|[^$]\b)(?:Class|declare|opaque|type)\b(?!\$)/,lookbehind:!0},{pattern:/(^|[^$]\B)\$(?:Diff|Enum|Exact|Keys|ObjMap|PropertyType|Record|Shape|Subtype|Supertype|await)\b(?!\$)/,lookbehind:!0})}(T),T.languages.n4js=T.languages.extend("javascript",{keyword:/\b(?:Array|any|boolean|break|case|catch|class|const|constructor|continue|debugger|declare|default|delete|do|else|enum|export|extends|false|finally|for|from|function|get|if|implements|import|in|instanceof|interface|let|module|new|null|number|package|private|protected|public|return|set|static|string|super|switch|this|throw|true|try|typeof|var|void|while|with|yield)\b/}),T.languages.insertBefore("n4js","constant",{annotation:{pattern:/@+\w+/,alias:"operator"}}),T.languages.n4jsd=T.languages.n4js,function(e){function t(e,t){return RegExp(e.replace(/<ID>/g,(function(){return/(?!\s)[_$a-zA-Z\xA0-\uFFFF](?:(?!\s)[$\w\xA0-\uFFFF])*/.source})),t)}e.languages.insertBefore("javascript","function-variable",{"method-variable":{pattern:RegExp("(\\.\\s*)"+e.languages.javascript["function-variable"].pattern.source),lookbehind:!0,alias:["function-variable","method","function","property-access"]}}),e.languages.insertBefore("javascript","function",{method:{pattern:RegExp("(\\.\\s*)"+e.languages.javascript.function.source),lookbehind:!0,alias:["function","property-access"]}}),e.languages.insertBefore("javascript","constant",{"known-class-name":[{pattern:/\b(?:(?:Float(?:32|64)|(?:Int|Uint)(?:8|16|32)|Uint8Clamped)?Array|ArrayBuffer|BigInt|Boolean|DataView|Date|Error|Function|Intl|JSON|(?:Weak)?(?:Map|Set)|Math|Number|Object|Promise|Proxy|Reflect|RegExp|String|Symbol|WebAssembly)\b/,alias:"class-name"},{pattern:/\b(?:[A-Z]\w*)Error\b/,alias:"class-name"}]}),e.languages.insertBefore("javascript","keyword",{imports:{pattern:t(/(\bimport\b\s*)(?:<ID>(?:\s*,\s*(?:\*\s*as\s+<ID>|\{[^{}]*\}))?|\*\s*as\s+<ID>|\{[^{}]*\})(?=\s*\bfrom\b)/.source),lookbehind:!0,inside:e.languages.javascript},exports:{pattern:t(/(\bexport\b\s*)(?:\*(?:\s*as\s+<ID>)?(?=\s*\bfrom\b)|\{[^{}]*\})/.source),lookbehind:!0,inside:e.languages.javascript}}),e.languages.javascript.keyword.unshift({pattern:/\b(?:as|default|export|from|import)\b/,alias:"module"},{pattern:/\b(?:await|break|catch|continue|do|else|finally|for|if|return|switch|throw|try|while|yield)\b/,alias:"control-flow"},{pattern:/\bnull\b/,alias:["null","nil"]},{pattern:/\bundefined\b/,alias:"nil"}),e.languages.insertBefore("javascript","operator",{spread:{pattern:/\.{3}/,alias:"operator"},arrow:{pattern:/=>/,alias:"operator"}}),e.languages.insertBefore("javascript","punctuation",{"property-access":{pattern:t(/(\.\s*)#?<ID>/.source),lookbehind:!0},"maybe-class-name":{pattern:/(^|[^$\w\xA0-\uFFFF])[A-Z][$\w\xA0-\uFFFF]+/,lookbehind:!0},dom:{pattern:/\b(?:document|(?:local|session)Storage|location|navigator|performance|window)\b/,alias:"variable"},console:{pattern:/\bconsole(?=\s*\.)/,alias:"class-name"}});for(var n=["function","function-variable","method","method-variable","property-access"],r=0;r<n.length;r++){var a=n[r],o=e.languages.javascript[a];a=(o="RegExp"===e.util.type(o)?e.languages.javascript[a]={pattern:o}:o).inside||{};(o.inside=a)["maybe-class-name"]=/^[A-Z][\s\S]*/}}(T),function(e){var t=e.util.clone(e.languages.javascript),n=/(?:\s|\/\/.*(?!.)|\/\*(?:[^*]|\*(?!\/))\*\/)/.source,r=/(?:\{(?:\{(?:\{[^{}]*\}|[^{}])*\}|[^{}])*\})/.source,a=/(?:\{<S>*\.{3}(?:[^{}]|<BRACES>)*\})/.source;function o(e,t){return e=e.replace(/<S>/g,(function(){return n})).replace(/<BRACES>/g,(function(){return r})).replace(/<SPREAD>/g,(function(){return a})),RegExp(e,t)}function i(t){for(var n=[],r=0;r<t.length;r++){var a=t[r],o=!1;"string"!=typeof a&&("tag"===a.type&&a.content[0]&&"tag"===a.content[0].type?"</"===a.content[0].content[0].content?0<n.length&&n[n.length-1].tagName===s(a.content[0].content[1])&&n.pop():"/>"!==a.content[a.content.length-1].content&&n.push({tagName:s(a.content[0].content[1]),openedBraces:0}):0<n.length&&"punctuation"===a.type&&"{"===a.content?n[n.length-1].openedBraces++:0<n.length&&0<n[n.length-1].openedBraces&&"punctuation"===a.type&&"}"===a.content?n[n.length-1].openedBraces--:o=!0),(o||"string"==typeof a)&&0<n.length&&0===n[n.length-1].openedBraces&&(o=s(a),r<t.length-1&&("string"==typeof t[r+1]||"plain-text"===t[r+1].type)&&(o+=s(t[r+1]),t.splice(r+1,1)),0<r&&("string"==typeof t[r-1]||"plain-text"===t[r-1].type)&&(o=s(t[r-1])+o,t.splice(r-1,1),r--),t[r]=new e.Token("plain-text",o,null,o)),a.content&&"string"!=typeof a.content&&i(a.content)}}a=o(a).source,e.languages.jsx=e.languages.extend("markup",t),e.languages.jsx.tag.pattern=o(/<\/?(?:[\w.:-]+(?:<S>+(?:[\w.:$-]+(?:=(?:"(?:\\[\s\S]|[^\\"])*"|'(?:\\[\s\S]|[^\\'])*'|[^\s{'"/>=]+|<BRACES>))?|<SPREAD>))*<S>*\/?)?>/.source),e.languages.jsx.tag.inside.tag.pattern=/^<\/?[^\s>\/]*/,e.languages.jsx.tag.inside["attr-value"].pattern=/=(?!\{)(?:"(?:\\[\s\S]|[^\\"])*"|'(?:\\[\s\S]|[^\\'])*'|[^\s'">]+)/,e.languages.jsx.tag.inside.tag.inside["class-name"]=/^[A-Z]\w*(?:\.[A-Z]\w*)*$/,e.languages.jsx.tag.inside.comment=t.comment,e.languages.insertBefore("inside","attr-name",{spread:{pattern:o(/<SPREAD>/.source),inside:e.languages.jsx}},e.languages.jsx.tag),e.languages.insertBefore("inside","special-attr",{script:{pattern:o(/=<BRACES>/.source),alias:"language-javascript",inside:{"script-punctuation":{pattern:/^=(?=\{)/,alias:"punctuation"},rest:e.languages.jsx}}},e.languages.jsx.tag);var s=function(e){return e?"string"==typeof e?e:"string"==typeof e.content?e.content:e.content.map(s).join(""):""};e.hooks.add("after-tokenize",(function(e){"jsx"!==e.language&&"tsx"!==e.language||i(e.tokens)}))}(T),function(e){var t=e.util.clone(e.languages.typescript);(t=(e.languages.tsx=e.languages.extend("jsx",t),delete e.languages.tsx.parameter,delete e.languages.tsx["literal-property"],e.languages.tsx.tag)).pattern=RegExp(/(^|[^\w$]|(?=<\/))/.source+"(?:"+t.pattern.source+")",t.pattern.flags),t.lookbehind=!0}(T),T.languages.swift={comment:{pattern:/(^|[^\\:])(?:\/\/.*|\/\*(?:[^/*]|\/(?!\*)|\*(?!\/)|\/\*(?:[^*]|\*(?!\/))*\*\/)*\*\/)/,lookbehind:!0,greedy:!0},"string-literal":[{pattern:RegExp(/(^|[^"#])/.source+"(?:"+/"(?:\\(?:\((?:[^()]|\([^()]*\))*\)|\r\n|[^(])|[^\\\r\n"])*"/.source+"|"+/"""(?:\\(?:\((?:[^()]|\([^()]*\))*\)|[^(])|[^\\"]|"(?!""))*"""/.source+")"+/(?!["#])/.source),lookbehind:!0,greedy:!0,inside:{interpolation:{pattern:/(\\\()(?:[^()]|\([^()]*\))*(?=\))/,lookbehind:!0,inside:null},"interpolation-punctuation":{pattern:/^\)|\\\($/,alias:"punctuation"},punctuation:/\\(?=[\r\n])/,string:/[\s\S]+/}},{pattern:RegExp(/(^|[^"#])(#+)/.source+"(?:"+/"(?:\\(?:#+\((?:[^()]|\([^()]*\))*\)|\r\n|[^#])|[^\\\r\n])*?"/.source+"|"+/"""(?:\\(?:#+\((?:[^()]|\([^()]*\))*\)|[^#])|[^\\])*?"""/.source+")\\2"),lookbehind:!0,greedy:!0,inside:{interpolation:{pattern:/(\\#+\()(?:[^()]|\([^()]*\))*(?=\))/,lookbehind:!0,inside:null},"interpolation-punctuation":{pattern:/^\)|\\#+\($/,alias:"punctuation"},string:/[\s\S]+/}}],directive:{pattern:RegExp(/#/.source+"(?:"+/(?:elseif|if)\b/.source+"(?:[ \t]*"+/(?:![ \t]*)?(?:\b\w+\b(?:[ \t]*\((?:[^()]|\([^()]*\))*\))?|\((?:[^()]|\([^()]*\))*\))(?:[ \t]*(?:&&|\|\|))?/.source+")+|"+/(?:else|endif)\b/.source+")"),alias:"property",inside:{"directive-name":/^#\w+/,boolean:/\b(?:false|true)\b/,number:/\b\d+(?:\.\d+)*\b/,operator:/!|&&|\|\||[<>]=?/,punctuation:/[(),]/}},literal:{pattern:/#(?:colorLiteral|column|dsohandle|file(?:ID|Literal|Path)?|function|imageLiteral|line)\b/,alias:"constant"},"other-directive":{pattern:/#\w+\b/,alias:"property"},attribute:{pattern:/@\w+/,alias:"atrule"},"function-definition":{pattern:/(\bfunc\s+)\w+/,lookbehind:!0,alias:"function"},label:{pattern:/\b(break|continue)\s+\w+|\b[a-zA-Z_]\w*(?=\s*:\s*(?:for|repeat|while)\b)/,lookbehind:!0,alias:"important"},keyword:/\b(?:Any|Protocol|Self|Type|actor|as|assignment|associatedtype|associativity|async|await|break|case|catch|class|continue|convenience|default|defer|deinit|didSet|do|dynamic|else|enum|extension|fallthrough|fileprivate|final|for|func|get|guard|higherThan|if|import|in|indirect|infix|init|inout|internal|is|isolated|lazy|left|let|lowerThan|mutating|none|nonisolated|nonmutating|open|operator|optional|override|postfix|precedencegroup|prefix|private|protocol|public|repeat|required|rethrows|return|right|safe|self|set|some|static|struct|subscript|super|switch|throw|throws|try|typealias|unowned|unsafe|var|weak|where|while|willSet)\b/,boolean:/\b(?:false|true)\b/,nil:{pattern:/\bnil\b/,alias:"constant"},"short-argument":/\$\d+\b/,omit:{pattern:/\b_\b/,alias:"keyword"},number:/\b(?:[\d_]+(?:\.[\de_]+)?|0x[a-f0-9_]+(?:\.[a-f0-9p_]+)?|0b[01_]+|0o[0-7_]+)\b/i,"class-name":/\b[A-Z](?:[A-Z_\d]*[a-z]\w*)?\b/,function:/\b[a-z_]\w*(?=\s*\()/i,constant:/\b(?:[A-Z_]{2,}|k[A-Z][A-Za-z_]+)\b/,operator:/[-+*/%=!<>&|^~?]+|\.[.\-+*/%=!<>&|^~?]+/,punctuation:/[{}[\]();,.:\\]/},T.languages.swift["string-literal"].forEach((function(e){e.inside.interpolation.inside=T.languages.swift})),function(e){e.languages.kotlin=e.languages.extend("clike",{keyword:{pattern:/(^|[^.])\b(?:abstract|actual|annotation|as|break|by|catch|class|companion|const|constructor|continue|crossinline|data|do|dynamic|else|enum|expect|external|final|finally|for|fun|get|if|import|in|infix|init|inline|inner|interface|internal|is|lateinit|noinline|null|object|open|operator|out|override|package|private|protected|public|reified|return|sealed|set|super|suspend|tailrec|this|throw|to|try|typealias|val|var|vararg|when|where|while)\b/,lookbehind:!0},function:[{pattern:/(?:`[^\r\n`]+`|\b\w+)(?=\s*\()/,greedy:!0},{pattern:/(\.)(?:`[^\r\n`]+`|\w+)(?=\s*\{)/,lookbehind:!0,greedy:!0}],number:/\b(?:0[xX][\da-fA-F]+(?:_[\da-fA-F]+)*|0[bB][01]+(?:_[01]+)*|\d+(?:_\d+)*(?:\.\d+(?:_\d+)*)?(?:[eE][+-]?\d+(?:_\d+)*)?[fFL]?)\b/,operator:/\+[+=]?|-[-=>]?|==?=?|!(?:!|==?)?|[\/*%<>]=?|[?:]:?|\.\.|&&|\|\||\b(?:and|inv|or|shl|shr|ushr|xor)\b/}),delete e.languages.kotlin["class-name"];var t={"interpolation-punctuation":{pattern:/^\$\{?|\}$/,alias:"punctuation"},expression:{pattern:/[\s\S]+/,inside:e.languages.kotlin}};e.languages.insertBefore("kotlin","string",{"string-literal":[{pattern:/"""(?:[^$]|\$(?:(?!\{)|\{[^{}]*\}))*?"""/,alias:"multiline",inside:{interpolation:{pattern:/\$(?:[a-z_]\w*|\{[^{}]*\})/i,inside:t},string:/[\s\S]+/}},{pattern:/"(?:[^"\\\r\n$]|\\.|\$(?:(?!\{)|\{[^{}]*\}))*"/,alias:"singleline",inside:{interpolation:{pattern:/((?:^|[^\\])(?:\\{2})*)\$(?:[a-z_]\w*|\{[^{}]*\})/i,lookbehind:!0,inside:t},string:/[\s\S]+/}}],char:{pattern:/'(?:[^'\\\r\n]|\\(?:.|u[a-fA-F0-9]{0,4}))'/,greedy:!0}}),delete e.languages.kotlin.string,e.languages.insertBefore("kotlin","keyword",{annotation:{pattern:/\B@(?:\w+:)?(?:[A-Z]\w*|\[[^\]]+\])/,alias:"builtin"}}),e.languages.insertBefore("kotlin","function",{label:{pattern:/\b\w+@|@\w+\b/,alias:"symbol"}}),e.languages.kt=e.languages.kotlin,e.languages.kts=e.languages.kotlin}(T),T.languages.c=T.languages.extend("clike",{comment:{pattern:/\/\/(?:[^\r\n\\]|\\(?:\r\n?|\n|(?![\r\n])))*|\/\*[\s\S]*?(?:\*\/|$)/,greedy:!0},string:{pattern:/"(?:\\(?:\r\n|[\s\S])|[^"\\\r\n])*"/,greedy:!0},"class-name":{pattern:/(\b(?:enum|struct)\s+(?:__attribute__\s*\(\([\s\S]*?\)\)\s*)?)\w+|\b[a-z]\w*_t\b/,lookbehind:!0},keyword:/\b(?:_Alignas|_Alignof|_Atomic|_Bool|_Complex|_Generic|_Imaginary|_Noreturn|_Static_assert|_Thread_local|__attribute__|asm|auto|break|case|char|const|continue|default|do|double|else|enum|extern|float|for|goto|if|inline|int|long|register|return|short|signed|sizeof|static|struct|switch|typedef|typeof|union|unsigned|void|volatile|while)\b/,function:/\b[a-z_]\w*(?=\s*\()/i,number:/(?:\b0x(?:[\da-f]+(?:\.[\da-f]*)?|\.[\da-f]+)(?:p[+-]?\d+)?|(?:\b\d+(?:\.\d*)?|\B\.\d+)(?:e[+-]?\d+)?)[ful]{0,4}/i,operator:/>>=?|<<=?|->|([-+&|:])\1|[?:~]|[-+*/%&|^!=<>]=?/}),T.languages.insertBefore("c","string",{char:{pattern:/'(?:\\(?:\r\n|[\s\S])|[^'\\\r\n]){0,32}'/,greedy:!0}}),T.languages.insertBefore("c","string",{macro:{pattern:/(^[\t ]*)#\s*[a-z](?:[^\r\n\\/]|\/(?!\*)|\/\*(?:[^*]|\*(?!\/))*\*\/|\\(?:\r\n|[\s\S]))*/im,lookbehind:!0,greedy:!0,alias:"property",inside:{string:[{pattern:/^(#\s*include\s*)<[^>]+>/,lookbehind:!0},T.languages.c.string],char:T.languages.c.char,comment:T.languages.c.comment,"macro-name":[{pattern:/(^#\s*define\s+)\w+\b(?!\()/i,lookbehind:!0},{pattern:/(^#\s*define\s+)\w+\b(?=\()/i,lookbehind:!0,alias:"function"}],directive:{pattern:/^(#\s*)[a-z]+/,lookbehind:!0,alias:"keyword"},"directive-hash":/^#/,punctuation:/##|\\(?=[\r\n])/,expression:{pattern:/\S[\s\S]*/,inside:T.languages.c}}}}),T.languages.insertBefore("c","function",{constant:/\b(?:EOF|NULL|SEEK_CUR|SEEK_END|SEEK_SET|__DATE__|__FILE__|__LINE__|__TIMESTAMP__|__TIME__|__func__|stderr|stdin|stdout)\b/}),delete T.languages.c.boolean,T.languages.objectivec=T.languages.extend("c",{string:{pattern:/@?"(?:\\(?:\r\n|[\s\S])|[^"\\\r\n])*"/,greedy:!0},keyword:/\b(?:asm|auto|break|case|char|const|continue|default|do|double|else|enum|extern|float|for|goto|if|in|inline|int|long|register|return|self|short|signed|sizeof|static|struct|super|switch|typedef|typeof|union|unsigned|void|volatile|while)\b|(?:@interface|@end|@implementation|@protocol|@class|@public|@protected|@private|@property|@try|@catch|@finally|@throw|@synthesize|@dynamic|@selector)\b/,operator:/-[->]?|\+\+?|!=?|<<?=?|>>?=?|==?|&&?|\|\|?|[~^%?*\/@]/}),delete T.languages.objectivec["class-name"],T.languages.objc=T.languages.objectivec,T.languages.reason=T.languages.extend("clike",{string:{pattern:/"(?:\\(?:\r\n|[\s\S])|[^\\\r\n"])*"/,greedy:!0},"class-name":/\b[A-Z]\w*/,keyword:/\b(?:and|as|assert|begin|class|constraint|do|done|downto|else|end|exception|external|for|fun|function|functor|if|in|include|inherit|initializer|lazy|let|method|module|mutable|new|nonrec|object|of|open|or|private|rec|sig|struct|switch|then|to|try|type|val|virtual|when|while|with)\b/,operator:/\.{3}|:[:=]|\|>|->|=(?:==?|>)?|<=?|>=?|[|^?'#!~`]|[+\-*\/]\.?|\b(?:asr|land|lor|lsl|lsr|lxor|mod)\b/}),T.languages.insertBefore("reason","class-name",{char:{pattern:/'(?:\\x[\da-f]{2}|\\o[0-3][0-7][0-7]|\\\d{3}|\\.|[^'\\\r\n])'/,greedy:!0},constructor:/\b[A-Z]\w*\b(?!\s*\.)/,label:{pattern:/\b[a-z]\w*(?=::)/,alias:"symbol"}}),delete T.languages.reason.function,function(e){for(var t=/\/\*(?:[^*/]|\*(?!\/)|\/(?!\*)|<self>)*\*\//.source,n=0;n<2;n++)t=t.replace(/<self>/g,(function(){return t}));t=t.replace(/<self>/g,(function(){return/[^\s\S]/.source})),e.languages.rust={comment:[{pattern:RegExp(/(^|[^\\])/.source+t),lookbehind:!0,greedy:!0},{pattern:/(^|[^\\:])\/\/.*/,lookbehind:!0,greedy:!0}],string:{pattern:/b?"(?:\\[\s\S]|[^\\"])*"|b?r(#*)"(?:[^"]|"(?!\1))*"\1/,greedy:!0},char:{pattern:/b?'(?:\\(?:x[0-7][\da-fA-F]|u\{(?:[\da-fA-F]_*){1,6}\}|.)|[^\\\r\n\t'])'/,greedy:!0},attribute:{pattern:/#!?\[(?:[^\[\]"]|"(?:\\[\s\S]|[^\\"])*")*\]/,greedy:!0,alias:"attr-name",inside:{string:null}},"closure-params":{pattern:/([=(,:]\s*|\bmove\s*)\|[^|]*\||\|[^|]*\|(?=\s*(?:\{|->))/,lookbehind:!0,greedy:!0,inside:{"closure-punctuation":{pattern:/^\||\|$/,alias:"punctuation"},rest:null}},"lifetime-annotation":{pattern:/'\w+/,alias:"symbol"},"fragment-specifier":{pattern:/(\$\w+:)[a-z]+/,lookbehind:!0,alias:"punctuation"},variable:/\$\w+/,"function-definition":{pattern:/(\bfn\s+)\w+/,lookbehind:!0,alias:"function"},"type-definition":{pattern:/(\b(?:enum|struct|trait|type|union)\s+)\w+/,lookbehind:!0,alias:"class-name"},"module-declaration":[{pattern:/(\b(?:crate|mod)\s+)[a-z][a-z_\d]*/,lookbehind:!0,alias:"namespace"},{pattern:/(\b(?:crate|self|super)\s*)::\s*[a-z][a-z_\d]*\b(?:\s*::(?:\s*[a-z][a-z_\d]*\s*::)*)?/,lookbehind:!0,alias:"namespace",inside:{punctuation:/::/}}],keyword:[/\b(?:Self|abstract|as|async|await|become|box|break|const|continue|crate|do|dyn|else|enum|extern|final|fn|for|if|impl|in|let|loop|macro|match|mod|move|mut|override|priv|pub|ref|return|self|static|struct|super|trait|try|type|typeof|union|unsafe|unsized|use|virtual|where|while|yield)\b/,/\b(?:bool|char|f(?:32|64)|[ui](?:8|16|32|64|128|size)|str)\b/],function:/\b[a-z_]\w*(?=\s*(?:::\s*<|\())/,macro:{pattern:/\b\w+!/,alias:"property"},constant:/\b[A-Z_][A-Z_\d]+\b/,"class-name":/\b[A-Z]\w*\b/,namespace:{pattern:/(?:\b[a-z][a-z_\d]*\s*::\s*)*\b[a-z][a-z_\d]*\s*::(?!\s*<)/,inside:{punctuation:/::/}},number:/\b(?:0x[\dA-Fa-f](?:_?[\dA-Fa-f])*|0o[0-7](?:_?[0-7])*|0b[01](?:_?[01])*|(?:(?:\d(?:_?\d)*)?\.)?\d(?:_?\d)*(?:[Ee][+-]?\d+)?)(?:_?(?:f32|f64|[iu](?:8|16|32|64|size)?))?\b/,boolean:/\b(?:false|true)\b/,punctuation:/->|\.\.=|\.{1,3}|::|[{}[\];(),:]/,operator:/[-+*\/%!^]=?|=[=>]?|&[&=]?|\|[|=]?|<<?=?|>>?=?|[@?]/},e.languages.rust["closure-params"].inside.rest=e.languages.rust,e.languages.rust.attribute.inside.string=e.languages.rust.string}(T),T.languages.go=T.languages.extend("clike",{string:{pattern:/(^|[^\\])"(?:\\.|[^"\\\r\n])*"|`[^`]*`/,lookbehind:!0,greedy:!0},keyword:/\b(?:break|case|chan|const|continue|default|defer|else|fallthrough|for|func|go(?:to)?|if|import|interface|map|package|range|return|select|struct|switch|type|var)\b/,boolean:/\b(?:_|false|iota|nil|true)\b/,number:[/\b0(?:b[01_]+|o[0-7_]+)i?\b/i,/\b0x(?:[a-f\d_]+(?:\.[a-f\d_]*)?|\.[a-f\d_]+)(?:p[+-]?\d+(?:_\d+)*)?i?(?!\w)/i,/(?:\b\d[\d_]*(?:\.[\d_]*)?|\B\.\d[\d_]*)(?:e[+-]?[\d_]+)?i?(?!\w)/i],operator:/[*\/%^!=]=?|\+[=+]?|-[=-]?|\|[=|]?|&(?:=|&|\^=?)?|>(?:>=?|=)?|<(?:<=?|=|-)?|:=|\.\.\./,builtin:/\b(?:append|bool|byte|cap|close|complex|complex(?:64|128)|copy|delete|error|float(?:32|64)|u?int(?:8|16|32|64)?|imag|len|make|new|panic|print(?:ln)?|real|recover|rune|string|uintptr)\b/}),T.languages.insertBefore("go","string",{char:{pattern:/'(?:\\.|[^'\\\r\n]){0,10}'/,greedy:!0}}),delete T.languages.go["class-name"],function(e){var t=/\b(?:alignas|alignof|asm|auto|bool|break|case|catch|char|char16_t|char32_t|char8_t|class|co_await|co_return|co_yield|compl|concept|const|const_cast|consteval|constexpr|constinit|continue|decltype|default|delete|do|double|dynamic_cast|else|enum|explicit|export|extern|final|float|for|friend|goto|if|import|inline|int|int16_t|int32_t|int64_t|int8_t|long|module|mutable|namespace|new|noexcept|nullptr|operator|override|private|protected|public|register|reinterpret_cast|requires|return|short|signed|sizeof|static|static_assert|static_cast|struct|switch|template|this|thread_local|throw|try|typedef|typeid|typename|uint16_t|uint32_t|uint64_t|uint8_t|union|unsigned|using|virtual|void|volatile|wchar_t|while)\b/,n=/\b(?!<keyword>)\w+(?:\s*\.\s*\w+)*\b/.source.replace(/<keyword>/g,(function(){return t.source}));e.languages.cpp=e.languages.extend("c",{"class-name":[{pattern:RegExp(/(\b(?:class|concept|enum|struct|typename)\s+)(?!<keyword>)\w+/.source.replace(/<keyword>/g,(function(){return t.source}))),lookbehind:!0},/\b[A-Z]\w*(?=\s*::\s*\w+\s*\()/,/\b[A-Z_]\w*(?=\s*::\s*~\w+\s*\()/i,/\b\w+(?=\s*<(?:[^<>]|<(?:[^<>]|<[^<>]*>)*>)*>\s*::\s*\w+\s*\()/],keyword:t,number:{pattern:/(?:\b0b[01']+|\b0x(?:[\da-f']+(?:\.[\da-f']*)?|\.[\da-f']+)(?:p[+-]?[\d']+)?|(?:\b[\d']+(?:\.[\d']*)?|\B\.[\d']+)(?:e[+-]?[\d']+)?)[ful]{0,4}/i,greedy:!0},operator:/>>=?|<<=?|->|--|\+\+|&&|\|\||[?:~]|<=>|[-+*/%&|^!=<>]=?|\b(?:and|and_eq|bitand|bitor|not|not_eq|or|or_eq|xor|xor_eq)\b/,boolean:/\b(?:false|true)\b/}),e.languages.insertBefore("cpp","string",{module:{pattern:RegExp(/(\b(?:import|module)\s+)/.source+"(?:"+/"(?:\\(?:\r\n|[\s\S])|[^"\\\r\n])*"|<[^<>\r\n]*>/.source+"|"+/<mod-name>(?:\s*:\s*<mod-name>)?|:\s*<mod-name>/.source.replace(/<mod-name>/g,(function(){return n}))+")"),lookbehind:!0,greedy:!0,inside:{string:/^[<"][\s\S]+/,operator:/:/,punctuation:/\./}},"raw-string":{pattern:/R"([^()\\ ]{0,16})\([\s\S]*?\)\1"/,alias:"string",greedy:!0}}),e.languages.insertBefore("cpp","keyword",{"generic-function":{pattern:/\b(?!operator\b)[a-z_]\w*\s*<(?:[^<>]|<[^<>]*>)*>(?=\s*\()/i,inside:{function:/^\w+/,generic:{pattern:/<[\s\S]+/,alias:"class-name",inside:e.languages.cpp}}}}),e.languages.insertBefore("cpp","operator",{"double-colon":{pattern:/::/,alias:"punctuation"}}),e.languages.insertBefore("cpp","class-name",{"base-clause":{pattern:/(\b(?:class|struct)\s+\w+\s*:\s*)[^;{}"'\s]+(?:\s+[^;{}"'\s]+)*(?=\s*[;{])/,lookbehind:!0,greedy:!0,inside:e.languages.extend("cpp",{})}}),e.languages.insertBefore("inside","double-colon",{"class-name":/\b[a-z_]\w*\b(?!\s*::)/i},e.languages.cpp["base-clause"])}(T),T.languages.python={comment:{pattern:/(^|[^\\])#.*/,lookbehind:!0,greedy:!0},"string-interpolation":{pattern:/(?:f|fr|rf)(?:("""|''')[\s\S]*?\1|("|')(?:\\.|(?!\2)[^\\\r\n])*\2)/i,greedy:!0,inside:{interpolation:{pattern:/((?:^|[^{])(?:\{\{)*)\{(?!\{)(?:[^{}]|\{(?!\{)(?:[^{}]|\{(?!\{)(?:[^{}])+\})+\})+\}/,lookbehind:!0,inside:{"format-spec":{pattern:/(:)[^:(){}]+(?=\}$)/,lookbehind:!0},"conversion-option":{pattern:/![sra](?=[:}]$)/,alias:"punctuation"},rest:null}},string:/[\s\S]+/}},"triple-quoted-string":{pattern:/(?:[rub]|br|rb)?("""|''')[\s\S]*?\1/i,greedy:!0,alias:"string"},string:{pattern:/(?:[rub]|br|rb)?("|')(?:\\.|(?!\1)[^\\\r\n])*\1/i,greedy:!0},function:{pattern:/((?:^|\s)def[ \t]+)[a-zA-Z_]\w*(?=\s*\()/g,lookbehind:!0},"class-name":{pattern:/(\bclass\s+)\w+/i,lookbehind:!0},decorator:{pattern:/(^[\t ]*)@\w+(?:\.\w+)*/m,lookbehind:!0,alias:["annotation","punctuation"],inside:{punctuation:/\./}},keyword:/\b(?:_(?=\s*:)|and|as|assert|async|await|break|case|class|continue|def|del|elif|else|except|exec|finally|for|from|global|if|import|in|is|lambda|match|nonlocal|not|or|pass|print|raise|return|try|while|with|yield)\b/,builtin:/\b(?:__import__|abs|all|any|apply|ascii|basestring|bin|bool|buffer|bytearray|bytes|callable|chr|classmethod|cmp|coerce|compile|complex|delattr|dict|dir|divmod|enumerate|eval|execfile|file|filter|float|format|frozenset|getattr|globals|hasattr|hash|help|hex|id|input|int|intern|isinstance|issubclass|iter|len|list|locals|long|map|max|memoryview|min|next|object|oct|open|ord|pow|property|range|raw_input|reduce|reload|repr|reversed|round|set|setattr|slice|sorted|staticmethod|str|sum|super|tuple|type|unichr|unicode|vars|xrange|zip)\b/,boolean:/\b(?:False|None|True)\b/,number:/\b0(?:b(?:_?[01])+|o(?:_?[0-7])+|x(?:_?[a-f0-9])+)\b|(?:\b\d+(?:_\d+)*(?:\.(?:\d+(?:_\d+)*)?)?|\B\.\d+(?:_\d+)*)(?:e[+-]?\d+(?:_\d+)*)?j?(?!\w)/i,operator:/[-+%=]=?|!=|:=|\*\*?=?|\/\/?=?|<[<=>]?|>[=>]?|[&|^~]/,punctuation:/[{}[\];(),.:]/},T.languages.python["string-interpolation"].inside.interpolation.inside.rest=T.languages.python,T.languages.py=T.languages.python;((e,t)=>{for(var n in t)f(e,n,{get:t[n],enumerable:!0})})({},{dracula:()=>L,duotoneDark:()=>R,duotoneLight:()=>j,github:()=>P,jettwaveDark:()=>H,jettwaveLight:()=>Q,nightOwl:()=>N,nightOwlLight:()=>A,oceanicNext:()=>D,okaidia:()=>F,oneDark:()=>Z,oneLight:()=>V,palenight:()=>M,shadesOfPurple:()=>B,synthwave84:()=>z,ultramin:()=>$,vsDark:()=>U,vsLight:()=>q});var L={plain:{color:"#F8F8F2",backgroundColor:"#282A36"},styles:[{types:["prolog","constant","builtin"],style:{color:"rgb(189, 147, 249)"}},{types:["inserted","function"],style:{color:"rgb(80, 250, 123)"}},{types:["deleted"],style:{color:"rgb(255, 85, 85)"}},{types:["changed"],style:{color:"rgb(255, 184, 108)"}},{types:["punctuation","symbol"],style:{color:"rgb(248, 248, 242)"}},{types:["string","char","tag","selector"],style:{color:"rgb(255, 121, 198)"}},{types:["keyword","variable"],style:{color:"rgb(189, 147, 249)",fontStyle:"italic"}},{types:["comment"],style:{color:"rgb(98, 114, 164)"}},{types:["attr-name"],style:{color:"rgb(241, 250, 140)"}}]},R={plain:{backgroundColor:"#2a2734",color:"#9a86fd"},styles:[{types:["comment","prolog","doctype","cdata","punctuation"],style:{color:"#6c6783"}},{types:["namespace"],style:{opacity:.7}},{types:["tag","operator","number"],style:{color:"#e09142"}},{types:["property","function"],style:{color:"#9a86fd"}},{types:["tag-id","selector","atrule-id"],style:{color:"#eeebff"}},{types:["attr-name"],style:{color:"#c4b9fe"}},{types:["boolean","string","entity","url","attr-value","keyword","control","directive","unit","statement","regex","atrule","placeholder","variable"],style:{color:"#ffcc99"}},{types:["deleted"],style:{textDecorationLine:"line-through"}},{types:["inserted"],style:{textDecorationLine:"underline"}},{types:["italic"],style:{fontStyle:"italic"}},{types:["important","bold"],style:{fontWeight:"bold"}},{types:["important"],style:{color:"#c4b9fe"}}]},j={plain:{backgroundColor:"#faf8f5",color:"#728fcb"},styles:[{types:["comment","prolog","doctype","cdata","punctuation"],style:{color:"#b6ad9a"}},{types:["namespace"],style:{opacity:.7}},{types:["tag","operator","number"],style:{color:"#063289"}},{types:["property","function"],style:{color:"#b29762"}},{types:["tag-id","selector","atrule-id"],style:{color:"#2d2006"}},{types:["attr-name"],style:{color:"#896724"}},{types:["boolean","string","entity","url","attr-value","keyword","control","directive","unit","statement","regex","atrule"],style:{color:"#728fcb"}},{types:["placeholder","variable"],style:{color:"#93abdc"}},{types:["deleted"],style:{textDecorationLine:"line-through"}},{types:["inserted"],style:{textDecorationLine:"underline"}},{types:["italic"],style:{fontStyle:"italic"}},{types:["important","bold"],style:{fontWeight:"bold"}},{types:["important"],style:{color:"#896724"}}]},P={plain:{color:"#393A34",backgroundColor:"#f6f8fa"},styles:[{types:["comment","prolog","doctype","cdata"],style:{color:"#999988",fontStyle:"italic"}},{types:["namespace"],style:{opacity:.7}},{types:["string","attr-value"],style:{color:"#e3116c"}},{types:["punctuation","operator"],style:{color:"#393A34"}},{types:["entity","url","symbol","number","boolean","variable","constant","property","regex","inserted"],style:{color:"#36acaa"}},{types:["atrule","keyword","attr-name","selector"],style:{color:"#00a4db"}},{types:["function","deleted","tag"],style:{color:"#d73a49"}},{types:["function-variable"],style:{color:"#6f42c1"}},{types:["tag","selector","keyword"],style:{color:"#00009f"}}]},N={plain:{color:"#d6deeb",backgroundColor:"#011627"},styles:[{types:["changed"],style:{color:"rgb(162, 191, 252)",fontStyle:"italic"}},{types:["deleted"],style:{color:"rgba(239, 83, 80, 0.56)",fontStyle:"italic"}},{types:["inserted","attr-name"],style:{color:"rgb(173, 219, 103)",fontStyle:"italic"}},{types:["comment"],style:{color:"rgb(99, 119, 119)",fontStyle:"italic"}},{types:["string","url"],style:{color:"rgb(173, 219, 103)"}},{types:["variable"],style:{color:"rgb(214, 222, 235)"}},{types:["number"],style:{color:"rgb(247, 140, 108)"}},{types:["builtin","char","constant","function"],style:{color:"rgb(130, 170, 255)"}},{types:["punctuation"],style:{color:"rgb(199, 146, 234)"}},{types:["selector","doctype"],style:{color:"rgb(199, 146, 234)",fontStyle:"italic"}},{types:["class-name"],style:{color:"rgb(255, 203, 139)"}},{types:["tag","operator","keyword"],style:{color:"rgb(127, 219, 202)"}},{types:["boolean"],style:{color:"rgb(255, 88, 116)"}},{types:["property"],style:{color:"rgb(128, 203, 196)"}},{types:["namespace"],style:{color:"rgb(178, 204, 214)"}}]},A={plain:{color:"#403f53",backgroundColor:"#FBFBFB"},styles:[{types:["changed"],style:{color:"rgb(162, 191, 252)",fontStyle:"italic"}},{types:["deleted"],style:{color:"rgba(239, 83, 80, 0.56)",fontStyle:"italic"}},{types:["inserted","attr-name"],style:{color:"rgb(72, 118, 214)",fontStyle:"italic"}},{types:["comment"],style:{color:"rgb(152, 159, 177)",fontStyle:"italic"}},{types:["string","builtin","char","constant","url"],style:{color:"rgb(72, 118, 214)"}},{types:["variable"],style:{color:"rgb(201, 103, 101)"}},{types:["number"],style:{color:"rgb(170, 9, 130)"}},{types:["punctuation"],style:{color:"rgb(153, 76, 195)"}},{types:["function","selector","doctype"],style:{color:"rgb(153, 76, 195)",fontStyle:"italic"}},{types:["class-name"],style:{color:"rgb(17, 17, 17)"}},{types:["tag"],style:{color:"rgb(153, 76, 195)"}},{types:["operator","property","keyword","namespace"],style:{color:"rgb(12, 150, 155)"}},{types:["boolean"],style:{color:"rgb(188, 84, 84)"}}]},O="#c5a5c5",I="#8dc891",D={plain:{backgroundColor:"#282c34",color:"#ffffff"},styles:[{types:["attr-name"],style:{color:O}},{types:["attr-value"],style:{color:I}},{types:["comment","block-comment","prolog","doctype","cdata","shebang"],style:{color:"#999999"}},{types:["property","number","function-name","constant","symbol","deleted"],style:{color:"#5a9bcf"}},{types:["boolean"],style:{color:"#ff8b50"}},{types:["tag"],style:{color:"#fc929e"}},{types:["string"],style:{color:I}},{types:["punctuation"],style:{color:I}},{types:["selector","char","builtin","inserted"],style:{color:"#D8DEE9"}},{types:["function"],style:{color:"#79b6f2"}},{types:["operator","entity","url","variable"],style:{color:"#d7deea"}},{types:["keyword"],style:{color:O}},{types:["atrule","class-name"],style:{color:"#FAC863"}},{types:["important"],style:{fontWeight:"400"}},{types:["bold"],style:{fontWeight:"bold"}},{types:["italic"],style:{fontStyle:"italic"}},{types:["namespace"],style:{opacity:.7}}]},F={plain:{color:"#f8f8f2",backgroundColor:"#272822"},styles:[{types:["changed"],style:{color:"rgb(162, 191, 252)",fontStyle:"italic"}},{types:["deleted"],style:{color:"#f92672",fontStyle:"italic"}},{types:["inserted"],style:{color:"rgb(173, 219, 103)",fontStyle:"italic"}},{types:["comment"],style:{color:"#8292a2",fontStyle:"italic"}},{types:["string","url"],style:{color:"#a6e22e"}},{types:["variable"],style:{color:"#f8f8f2"}},{types:["number"],style:{color:"#ae81ff"}},{types:["builtin","char","constant","function","class-name"],style:{color:"#e6db74"}},{types:["punctuation"],style:{color:"#f8f8f2"}},{types:["selector","doctype"],style:{color:"#a6e22e",fontStyle:"italic"}},{types:["tag","operator","keyword"],style:{color:"#66d9ef"}},{types:["boolean"],style:{color:"#ae81ff"}},{types:["namespace"],style:{color:"rgb(178, 204, 214)",opacity:.7}},{types:["tag","property"],style:{color:"#f92672"}},{types:["attr-name"],style:{color:"#a6e22e !important"}},{types:["doctype"],style:{color:"#8292a2"}},{types:["rule"],style:{color:"#e6db74"}}]},M={plain:{color:"#bfc7d5",backgroundColor:"#292d3e"},styles:[{types:["comment"],style:{color:"rgb(105, 112, 152)",fontStyle:"italic"}},{types:["string","inserted"],style:{color:"rgb(195, 232, 141)"}},{types:["number"],style:{color:"rgb(247, 140, 108)"}},{types:["builtin","char","constant","function"],style:{color:"rgb(130, 170, 255)"}},{types:["punctuation","selector"],style:{color:"rgb(199, 146, 234)"}},{types:["variable"],style:{color:"rgb(191, 199, 213)"}},{types:["class-name","attr-name"],style:{color:"rgb(255, 203, 107)"}},{types:["tag","deleted"],style:{color:"rgb(255, 85, 114)"}},{types:["operator"],style:{color:"rgb(137, 221, 255)"}},{types:["boolean"],style:{color:"rgb(255, 88, 116)"}},{types:["keyword"],style:{fontStyle:"italic"}},{types:["doctype"],style:{color:"rgb(199, 146, 234)",fontStyle:"italic"}},{types:["namespace"],style:{color:"rgb(178, 204, 214)"}},{types:["url"],style:{color:"rgb(221, 221, 221)"}}]},B={plain:{color:"#9EFEFF",backgroundColor:"#2D2A55"},styles:[{types:["changed"],style:{color:"rgb(255, 238, 128)"}},{types:["deleted"],style:{color:"rgba(239, 83, 80, 0.56)"}},{types:["inserted"],style:{color:"rgb(173, 219, 103)"}},{types:["comment"],style:{color:"rgb(179, 98, 255)",fontStyle:"italic"}},{types:["punctuation"],style:{color:"rgb(255, 255, 255)"}},{types:["constant"],style:{color:"rgb(255, 98, 140)"}},{types:["string","url"],style:{color:"rgb(165, 255, 144)"}},{types:["variable"],style:{color:"rgb(255, 238, 128)"}},{types:["number","boolean"],style:{color:"rgb(255, 98, 140)"}},{types:["attr-name"],style:{color:"rgb(255, 180, 84)"}},{types:["keyword","operator","property","namespace","tag","selector","doctype"],style:{color:"rgb(255, 157, 0)"}},{types:["builtin","char","constant","function","class-name"],style:{color:"rgb(250, 208, 0)"}}]},z={plain:{backgroundColor:"linear-gradient(to bottom, #2a2139 75%, #34294f)",backgroundImage:"#34294f",color:"#f92aad",textShadow:"0 0 2px #100c0f, 0 0 5px #dc078e33, 0 0 10px #fff3"},styles:[{types:["comment","block-comment","prolog","doctype","cdata"],style:{color:"#495495",fontStyle:"italic"}},{types:["punctuation"],style:{color:"#ccc"}},{types:["tag","attr-name","namespace","number","unit","hexcode","deleted"],style:{color:"#e2777a"}},{types:["property","selector"],style:{color:"#72f1b8",textShadow:"0 0 2px #100c0f, 0 0 10px #257c5575, 0 0 35px #21272475"}},{types:["function-name"],style:{color:"#6196cc"}},{types:["boolean","selector-id","function"],style:{color:"#fdfdfd",textShadow:"0 0 2px #001716, 0 0 3px #03edf975, 0 0 5px #03edf975, 0 0 8px #03edf975"}},{types:["class-name","maybe-class-name","builtin"],style:{color:"#fff5f6",textShadow:"0 0 2px #000, 0 0 10px #fc1f2c75, 0 0 5px #fc1f2c75, 0 0 25px #fc1f2c75"}},{types:["constant","symbol"],style:{color:"#f92aad",textShadow:"0 0 2px #100c0f, 0 0 5px #dc078e33, 0 0 10px #fff3"}},{types:["important","atrule","keyword","selector-class"],style:{color:"#f4eee4",textShadow:"0 0 2px #393a33, 0 0 8px #f39f0575, 0 0 2px #f39f0575"}},{types:["string","char","attr-value","regex","variable"],style:{color:"#f87c32"}},{types:["parameter"],style:{fontStyle:"italic"}},{types:["entity","url"],style:{color:"#67cdcc"}},{types:["operator"],style:{color:"ffffffee"}},{types:["important","bold"],style:{fontWeight:"bold"}},{types:["italic"],style:{fontStyle:"italic"}},{types:["entity"],style:{cursor:"help"}},{types:["inserted"],style:{color:"green"}}]},$={plain:{color:"#282a2e",backgroundColor:"#ffffff"},styles:[{types:["comment"],style:{color:"rgb(197, 200, 198)"}},{types:["string","number","builtin","variable"],style:{color:"rgb(150, 152, 150)"}},{types:["class-name","function","tag","attr-name"],style:{color:"rgb(40, 42, 46)"}}]},U={plain:{color:"#9CDCFE",backgroundColor:"#1E1E1E"},styles:[{types:["prolog"],style:{color:"rgb(0, 0, 128)"}},{types:["comment"],style:{color:"rgb(106, 153, 85)"}},{types:["builtin","changed","keyword","interpolation-punctuation"],style:{color:"rgb(86, 156, 214)"}},{types:["number","inserted"],style:{color:"rgb(181, 206, 168)"}},{types:["constant"],style:{color:"rgb(100, 102, 149)"}},{types:["attr-name","variable"],style:{color:"rgb(156, 220, 254)"}},{types:["deleted","string","attr-value","template-punctuation"],style:{color:"rgb(206, 145, 120)"}},{types:["selector"],style:{color:"rgb(215, 186, 125)"}},{types:["tag"],style:{color:"rgb(78, 201, 176)"}},{types:["tag"],languages:["markup"],style:{color:"rgb(86, 156, 214)"}},{types:["punctuation","operator"],style:{color:"rgb(212, 212, 212)"}},{types:["punctuation"],languages:["markup"],style:{color:"#808080"}},{types:["function"],style:{color:"rgb(220, 220, 170)"}},{types:["class-name"],style:{color:"rgb(78, 201, 176)"}},{types:["char"],style:{color:"rgb(209, 105, 105)"}}]},q={plain:{color:"#000000",backgroundColor:"#ffffff"},styles:[{types:["comment"],style:{color:"rgb(0, 128, 0)"}},{types:["builtin"],style:{color:"rgb(0, 112, 193)"}},{types:["number","variable","inserted"],style:{color:"rgb(9, 134, 88)"}},{types:["operator"],style:{color:"rgb(0, 0, 0)"}},{types:["constant","char"],style:{color:"rgb(129, 31, 63)"}},{types:["tag"],style:{color:"rgb(128, 0, 0)"}},{types:["attr-name"],style:{color:"rgb(255, 0, 0)"}},{types:["deleted","string"],style:{color:"rgb(163, 21, 21)"}},{types:["changed","punctuation"],style:{color:"rgb(4, 81, 165)"}},{types:["function","keyword"],style:{color:"rgb(0, 0, 255)"}},{types:["class-name"],style:{color:"rgb(38, 127, 153)"}}]},H={plain:{color:"#f8fafc",backgroundColor:"#011627"},styles:[{types:["prolog"],style:{color:"#000080"}},{types:["comment"],style:{color:"#6A9955"}},{types:["builtin","changed","keyword","interpolation-punctuation"],style:{color:"#569CD6"}},{types:["number","inserted"],style:{color:"#B5CEA8"}},{types:["constant"],style:{color:"#f8fafc"}},{types:["attr-name","variable"],style:{color:"#9CDCFE"}},{types:["deleted","string","attr-value","template-punctuation"],style:{color:"#cbd5e1"}},{types:["selector"],style:{color:"#D7BA7D"}},{types:["tag"],style:{color:"#0ea5e9"}},{types:["tag"],languages:["markup"],style:{color:"#0ea5e9"}},{types:["punctuation","operator"],style:{color:"#D4D4D4"}},{types:["punctuation"],languages:["markup"],style:{color:"#808080"}},{types:["function"],style:{color:"#7dd3fc"}},{types:["class-name"],style:{color:"#0ea5e9"}},{types:["char"],style:{color:"#D16969"}}]},Q={plain:{color:"#0f172a",backgroundColor:"#f1f5f9"},styles:[{types:["prolog"],style:{color:"#000080"}},{types:["comment"],style:{color:"#6A9955"}},{types:["builtin","changed","keyword","interpolation-punctuation"],style:{color:"#0c4a6e"}},{types:["number","inserted"],style:{color:"#B5CEA8"}},{types:["constant"],style:{color:"#0f172a"}},{types:["attr-name","variable"],style:{color:"#0c4a6e"}},{types:["deleted","string","attr-value","template-punctuation"],style:{color:"#64748b"}},{types:["selector"],style:{color:"#D7BA7D"}},{types:["tag"],style:{color:"#0ea5e9"}},{types:["tag"],languages:["markup"],style:{color:"#0ea5e9"}},{types:["punctuation","operator"],style:{color:"#475569"}},{types:["punctuation"],languages:["markup"],style:{color:"#808080"}},{types:["function"],style:{color:"#0e7490"}},{types:["class-name"],style:{color:"#0ea5e9"}},{types:["char"],style:{color:"#D16969"}}]},Z={plain:{backgroundColor:"hsl(220, 13%, 18%)",color:"hsl(220, 14%, 71%)",textShadow:"0 1px rgba(0, 0, 0, 0.3)"},styles:[{types:["comment","prolog","cdata"],style:{color:"hsl(220, 10%, 40%)"}},{types:["doctype","punctuation","entity"],style:{color:"hsl(220, 14%, 71%)"}},{types:["attr-name","class-name","maybe-class-name","boolean","constant","number","atrule"],style:{color:"hsl(29, 54%, 61%)"}},{types:["keyword"],style:{color:"hsl(286, 60%, 67%)"}},{types:["property","tag","symbol","deleted","important"],style:{color:"hsl(355, 65%, 65%)"}},{types:["selector","string","char","builtin","inserted","regex","attr-value"],style:{color:"hsl(95, 38%, 62%)"}},{types:["variable","operator","function"],style:{color:"hsl(207, 82%, 66%)"}},{types:["url"],style:{color:"hsl(187, 47%, 55%)"}},{types:["deleted"],style:{textDecorationLine:"line-through"}},{types:["inserted"],style:{textDecorationLine:"underline"}},{types:["italic"],style:{fontStyle:"italic"}},{types:["important","bold"],style:{fontWeight:"bold"}},{types:["important"],style:{color:"hsl(220, 14%, 71%)"}}]},V={plain:{backgroundColor:"hsl(230, 1%, 98%)",color:"hsl(230, 8%, 24%)"},styles:[{types:["comment","prolog","cdata"],style:{color:"hsl(230, 4%, 64%)"}},{types:["doctype","punctuation","entity"],style:{color:"hsl(230, 8%, 24%)"}},{types:["attr-name","class-name","boolean","constant","number","atrule"],style:{color:"hsl(35, 99%, 36%)"}},{types:["keyword"],style:{color:"hsl(301, 63%, 40%)"}},{types:["property","tag","symbol","deleted","important"],style:{color:"hsl(5, 74%, 59%)"}},{types:["selector","string","char","builtin","inserted","regex","attr-value","punctuation"],style:{color:"hsl(119, 34%, 47%)"}},{types:["variable","operator","function"],style:{color:"hsl(221, 87%, 60%)"}},{types:["url"],style:{color:"hsl(198, 99%, 37%)"}},{types:["deleted"],style:{textDecorationLine:"line-through"}},{types:["inserted"],style:{textDecorationLine:"underline"}},{types:["italic"],style:{fontStyle:"italic"}},{types:["important","bold"],style:{fontWeight:"bold"}},{types:["important"],style:{color:"hsl(230, 8%, 24%)"}}]},W=(e,t)=>{const{plain:n}=e,r=e.styles.reduce(((e,n)=>{const{languages:r,style:a}=n;return r&&!r.includes(t)||n.types.forEach((t=>{const n=S(S({},e[t]),a);e[t]=n})),e}),{});return r.root=n,r.plain=E(S({},n),{backgroundColor:void 0}),r},G=/\r\n|\r|\n/,X=e=>{0===e.length?e.push({types:["plain"],content:"\n",empty:!0}):1===e.length&&""===e[0].content&&(e[0].content="\n",e[0].empty=!0)},K=(e,t)=>{const n=e.length;return n>0&&e[n-1]===t?e:e.concat(t)},Y=e=>{const t=[[]],n=[e],r=[0],a=[e.length];let o=0,i=0,s=[];const l=[s];for(;i>-1;){for(;(o=r[i]++)<a[i];){let e,c=t[i];const u=n[i][o];if("string"==typeof u?(c=i>0?c:["plain"],e=u):(c=K(c,u.type),u.alias&&(c=K(c,u.alias)),e=u.content),"string"!=typeof e){i++,t.push(c),n.push(e),r.push(0),a.push(e.length);continue}const d=e.split(G),p=d.length;s.push({types:c,content:d[0]});for(let t=1;t<p;t++)X(s),l.push(s=[]),s.push({types:c,content:d[t]})}i--,t.pop(),n.pop(),r.pop(),a.pop()}return X(s),l},J=({children:e,language:t,code:n,theme:r,prism:a})=>{const o=t.toLowerCase(),i=((e,t)=>{const[n,r]=(0,u.useState)(W(t,e)),a=(0,u.useRef)(),o=(0,u.useRef)();return(0,u.useEffect)((()=>{t===a.current&&e===o.current||(a.current=t,o.current=e,r(W(t,e)))}),[e,t]),n})(o,r),s=(e=>(0,u.useCallback)((t=>{var n=t,{className:r,style:a,line:o}=n,i=C(n,["className","style","line"]);const s=E(S({},i),{className:(0,d.Z)("token-line",r)});return"object"==typeof e&&"plain"in e&&(s.style=e.plain),"object"==typeof a&&(s.style=S(S({},s.style||{}),a)),s}),[e]))(i),l=(e=>{const t=(0,u.useCallback)((({types:t,empty:n})=>{if(null!=e)return 1===t.length&&"plain"===t[0]?null!=n?{display:"inline-block"}:void 0:1===t.length&&null!=n?e[t[0]]:Object.assign(null!=n?{display:"inline-block"}:{},...t.map((t=>e[t])))}),[e]);return(0,u.useCallback)((e=>{var n=e,{token:r,className:a,style:o}=n,i=C(n,["token","className","style"]);const s=E(S({},i),{className:(0,d.Z)("token",...r.types,a),children:r.content,style:t(r)});return null!=o&&(s.style=S(S({},s.style||{}),o)),s}),[t])})(i),c=(({prism:e,code:t,grammar:n,language:r})=>{const a=(0,u.useRef)(e);return(0,u.useMemo)((()=>{if(null==n)return Y([t]);const e={code:t,grammar:n,language:r,tokens:[]};return a.current.hooks.run("before-tokenize",e),e.tokens=a.current.tokenize(t,n),a.current.hooks.run("after-tokenize",e),Y(e.tokens)}),[t,n,r])})({prism:a,language:o,code:n,grammar:a.languages[o]});return e({tokens:c,className:`prism-code language-${o}`,style:null!=i?i.root:{},getLineProps:s,getTokenProps:l})},ee=e=>(0,u.createElement)(J,E(S({},e),{prism:e.prism||T,theme:e.theme||U,code:e.code,language:e.language}))},8776:(e,t,n)=>{"use strict";n.d(t,{Z:()=>o});var r=!0,a="Invariant failed";function o(e,t){if(!e){if(r)throw new Error(a);var n="function"==typeof t?t():t,o=n?"".concat(a,": ").concat(n):a;throw new Error(o)}}},7529:e=>{"use strict";e.exports=JSON.parse('{"theme.ErrorPageContent.title":"\ud398\uc774\uc9c0\uac00 \ub2e4\uc6b4\ub418\uc5c8\uc2b5\ub2c8\ub2e4.","theme.ErrorPageContent.tryAgain":"\uc7ac\uc2dc\ub3c4","theme.NotFound.title":"\ud398\uc774\uc9c0\ub97c \ucc3e\uc744 \uc218 \uc5c6\uc2b5\ub2c8\ub2e4","theme.NotFound.p1":"\ucc3e\uc73c\uc2dc\ub824\ub294 \ud398\uc774\uc9c0\ub97c \ucc3e\uc744 \uc218 \uc5c6\uc2b5\ub2c8\ub2e4.","theme.NotFound.p2":"\uc6d0\ub798 \ub9c1\ud06c\uc758 \ucd9c\ucc98\uc778 \uc0ac\uc774\ud2b8\uc758 \uc18c\uc720\uc790\uc5d0\uac8c \uc5f0\ub77d\ud558\uc5ec \ub9c1\ud06c\uac00 \ub04a\uc5b4\uc84c\uc74c\uc744 \uc54c\ub824\uc8fc\uc138\uc694.","theme.admonition.note":"\ube44\uace0","theme.admonition.tip":"\ud301","theme.admonition.danger":"\uc704\ud5d8","theme.admonition.info":"\uc815\ubcf4","theme.admonition.caution":"\uacbd\uace0","theme.AnnouncementBar.closeButtonAriaLabel":"\ub2eb\uae30","theme.BackToTopButton.buttonAriaLabel":"\ub9e8 \uc704\ub85c","theme.blog.archive.title":"\uc81c\ubaa9","theme.blog.archive.description":"\uc124\uba85","theme.blog.paginator.navAriaLabel":"\ube14\ub85c\uadf8 \ub124\ube44\uac8c\uc774\uc158","theme.blog.paginator.newerEntries":"\uc0c8\ub85c\uc6b4 \uae00","theme.blog.paginator.olderEntries":"\uc774\uc804 \uae00","theme.blog.post.paginator.navAriaLabel":"\ube14\ub85c\uadf8 \ud3ec\uc2a4\ud2b8 \ub124\ube44\uac8c\uc774\uc158","theme.blog.post.paginator.newerPost":"\uc0c8\ub85c\uc6b4 \ud3ec\uc2a4\ud2b8","theme.blog.post.paginator.olderPost":"\uc774\uc804 \ud3ec\uc2a4\ud2b8","theme.blog.post.plurals":"{count} \uac1c\uc758 \ud3ec\uc2a4\ud2b8","theme.blog.tagTitle":"\u300c{tagName}\u300d \ud0dc\uadf8\uba85\uc744 \uac00\uc9c4 {nPosts}\uac1c\uc758 \ud3ec\uc2a4\ud2b8","theme.tags.tagsPageLink":"\ubaa8\ub4e0 \ud0dc\uadf8 \ubaa9\ub85d","theme.colorToggle.ariaLabel":"\ubc1d\uc740/\uc5b4\ub450\uc6b4 \ubaa8\ub4dc \uc804\ud658 (\ud604\uc7ac \ubaa8\ub4dc: {mode})","theme.colorToggle.ariaLabel.mode.dark":"\uc5b4\ub450\uc6b4 \ubaa8\ub4dc","theme.colorToggle.ariaLabel.mode.light":"\ubc1d\uc740 \ubaa8\ub4dc","theme.docs.breadcrumbs.home":"\ud648","theme.docs.breadcrumbs.navAriaLabel":"\ud398\uc774\uc9c0 \uacbd\ub85c","theme.docs.DocCard.categoryDescription":"{count} \uac1c\uc758 \ubb38\uc11c","theme.docs.paginator.navAriaLabel":"\ubb38\uc11c \ub124\ube44\uac8c\uc774\uc158","theme.docs.paginator.previous":"\uc774\uc804","theme.docs.paginator.next":"\ub2e4\uc74c","theme.docs.tagDocListPageTitle.nDocsTagged":"{count} \uac1c\uc758 \ubb38\uc11c","theme.docs.tagDocListPageTitle":"{nDocsTagged}\u300c{tagName}\u300d","theme.docs.versionBadge.label":"version: {versionLabel}","theme.docs.versions.unreleasedVersionLabel":"\uc774\uac83\uc740 \uc544\uc9c1 \ub9b4\ub9ac\uc988\ub418\uc9c0 \uc54a\uc740 \ubb38\uc11c\uc758 {siteTitle} {versionLabel} \ubc84\uc804\uc785\ub2c8\ub2e4.","theme.docs.versions.unmaintainedVersionLabel":"\uc774\uac83\uc740 \ub354 \uc774\uc0c1 \ud65c\ubc1c\ud558\uac8c \uc720\uc9c0 \uad00\ub9ac\ub418\uc9c0 \uc54a\ub294 {siteTitle} {versionLabel} \ubc84\uc804\uc5d0 \ub300\ud55c \ubb38\uc11c\uc785\ub2c8\ub2e4.","theme.docs.versions.latestVersionSuggestionLabel":"\ucd5c\uc2e0 \ubb38\uc11c\ub294 {latestVersionLink} ({versionLabel}) \uc744 \ucc38\uc870\ud558\uc138\uc694.","theme.docs.versions.latestVersionLinkLabel":"\ucd5c\uc2e0 \ubc84\uc804","theme.common.editThisPage":"\uc774 \ud398\uc774\uc9c0 \ud3b8\uc9d1","theme.common.headingLinkTitle":"\uc81c\ubaa9\uc5d0 \ub300\ud55c \uc9c1\uc811 \ub9c1\ud06c","theme.lastUpdated.atDate":"{date}\uc5d0","theme.lastUpdated.byUser":"{user}\uac00","theme.lastUpdated.lastUpdatedAtBy":"\ub9c8\uc9c0\ub9c9 {byUser}{atDate} \uc5c5\ub370\uc774\ud2b8","theme.navbar.mobileVersionsDropdown.label":"\ubc84\uc804 \uc120\ud0dd","theme.common.skipToMainContent":"\ubcf8\ubb38\uc73c\ub85c \uac74\ub108\ub6f0\uae30","theme.tags.tagsListLabel":"\ud0dc\uadf8 \ubaa9\ub85d","theme.blog.sidebar.navAriaLabel":"\ube14\ub85c\uadf8 \uc0ac\uc774\ub4dc\ubc14","theme.CodeBlock.copied":"\ubcf5\uc0ac\ub428","theme.CodeBlock.copyButtonAriaLabel":"\ucf54\ub4dc \ube14\ub85d \ubcf5\uc0ac","theme.CodeBlock.copy":"\ubcf5\uc0ac","theme.CodeBlock.wordWrapToggle":"\uc904 \ubc14\uafc8 \ud1a0\uae00","theme.DocSidebarItem.toggleCollapsedCategoryAriaLabel":"\uc0ac\uc774\ub4dc\ubc14 \uba54\ub274 \u300c{label}\u300d \uc5f4\uae30/\ub2eb\uae30","theme.navbar.mobileLanguageDropdown.label":"\uc5b8\uc5b4 \uc120\ud0dd","theme.TOCCollapsible.toggleButtonLabel":"\ubaa9\ucc28 \uc5f4\uae30/\ub2eb\uae30","theme.blog.post.readMore":"\ub354 \uc77d\uae30","theme.blog.post.readMoreLabel":"{title} \ube14\ub85c\uadf8 \uae00 \uc77d\uae30","theme.blog.post.readingTime.plurals":"\uc77d\ub294 \ub370 {readingTime} \ubd84\uc774 \uac78\ub9bd\ub2c8\ub2e4","theme.docs.sidebar.collapseButtonTitle":"\uc0ac\uc774\ub4dc\ubc14 \ub2eb\uae30","theme.docs.sidebar.collapseButtonAriaLabel":"\uc0ac\uc774\ub4dc\ubc14 \ub2eb\uae30","theme.navbar.mobileSidebarSecondaryMenu.backButtonLabel":"\u2190 \uba54\uc778 \uba54\ub274\ub85c \ub3cc\uc544\uac00\uae30","theme.docs.sidebar.expandButtonTitle":"\uc0ac\uc774\ub4dc\ubc14 \uc5f4\uae30","theme.docs.sidebar.expandButtonAriaLabel":"\uc0ac\uc774\ub4dc\ubc14 \uc5f4\uae30","theme.docs.sidebar.closeSidebarButtonAriaLabel":"\uc0ac\uc774\ub4dc\ubc14 \ub2eb\uae30","theme.docs.sidebar.toggleSidebarButtonAriaLabel":"\uc0ac\uc774\ub4dc\ubc14 \uc5f4\uae30/\ub2eb\uae30","theme.SearchBar.seeAll":"{count} \uac1c\uc758 \uacb0\uacfc \ub354 \ubcf4\uae30","theme.SearchPage.documentsFound.plurals":"{count} \uac1c\uc758 \ubb38\uc11c\ub97c \ucc3e\uc558\uc2b5\ub2c8\ub2e4","theme.SearchPage.existingResultsTitle":"\u300c{query}\u300d\uc5d0 \ub300\ud55c \uac80\uc0c9 \uacb0\uacfc","theme.SearchPage.emptyResultsTitle":"\uac80\uc0c9 \uacb0\uacfc \uc5c6\uc74c","theme.SearchPage.inputPlaceholder":"\uc5ec\uae30\uc5d0 \uac80\uc0c9\uc5b4 \uc785\ub825","theme.SearchPage.inputLabel":"\uac80\uc0c9","theme.SearchPage.algoliaLabel":"Algolia \uac80\uc0c9","theme.SearchPage.noResultsText":"\uac80\uc0c9 \uacb0\uacfc\uac00 \uc5c6\uc2b5\ub2c8\ub2e4","theme.SearchPage.fetchingNewResults":"\uc0c8 \uac80\uc0c9 \uacb0\uacfc \uac00\uc838\uc624\ub294 \uc911...","theme.SearchBar.label":"\uac80\uc0c9","theme.SearchModal.searchBox.resetButtonTitle":"\uac80\uc0c9\uc5b4 \ucd08\uae30\ud654","theme.SearchModal.searchBox.cancelButtonText":"\ucde8\uc18c","theme.SearchModal.startScreen.recentSearchesTitle":"\ucd5c\uadfc \uac80\uc0c9","theme.SearchModal.startScreen.noRecentSearchesText":"\ucd5c\uadfc \uac80\uc0c9 \uae30\ub85d\uc774 \uc5c6\uc2b5\ub2c8\ub2e4","theme.SearchModal.startScreen.saveRecentSearchButtonTitle":"\uc774 \uac80\uc0c9\uc744 \ucd5c\uadfc \uac80\uc0c9\uc5d0 \uc800\uc7a5","theme.SearchModal.startScreen.removeRecentSearchButtonTitle":"\ucd5c\uadfc \uac80\uc0c9\uc5d0\uc11c \uc774 \uac80\uc0c9 \uc0ad\uc81c","theme.SearchModal.startScreen.favoriteSearchesTitle":"\uc990\uaca8\ucc3e\uae30 \uac80\uc0c9","theme.SearchModal.startScreen.removeFavoriteSearchButtonTitle":"\uc990\uaca8\ucc3e\uae30 \uac80\uc0c9\uc5d0\uc11c \uc774 \uac80\uc0c9 \uc0ad\uc81c","theme.SearchModal.errorScreen.titleText":"\uac80\uc0c9 \uacb0\uacfc\ub97c \uac00\uc838\uc624\ub294 \uc911 \uc624\ub958\uac00 \ubc1c\uc0dd\ud588\uc2b5\ub2c8\ub2e4","theme.SearchModal.errorScreen.helpText":"\uac80\uc0c9 \uacb0\uacfc\ub97c \uac00\uc838\uc624\ub294 \uc911 \uc624\ub958\uac00 \ubc1c\uc0dd\ud588\uc2b5\ub2c8\ub2e4. \ub2e4\uc2dc \uc2dc\ub3c4\ud574 \uc8fc\uc138\uc694.","theme.SearchModal.footer.selectText":"\uc120\ud0dd","theme.SearchModal.footer.selectKeyAriaLabel":"Enter \ud0a4","theme.SearchModal.footer.navigateText":"\uc704\ucabd/\uc544\ub798\ucabd \ud654\uc0b4\ud45c \ud0a4","theme.SearchModal.footer.navigateUpKeyAriaLabel":"\uc704\ucabd \ud654\uc0b4\ud45c \ud0a4","theme.SearchModal.footer.navigateDownKeyAriaLabel":"\uc544\ub798\ucabd \ud654\uc0b4\ud45c \ud0a4","theme.SearchModal.footer.closeText":"\ub2eb\uae30 \ud0a4","theme.SearchModal.footer.closeKeyAriaLabel":"Esc \ud0a4","theme.SearchModal.footer.searchByText":"\uac80\uc0c9 \uacb0\uacfc","theme.SearchModal.noResultsScreen.noResultsText":"\uac80\uc0c9 \uacb0\uacfc\uac00 \uc5c6\uc2b5\ub2c8\ub2e4","theme.SearchModal.noResultsScreen.suggestedQueryText":"\ub2e4\uc74c \uac80\uc0c9\uc5b4\ub97c \uc2dc\ub3c4\ud574 \ubcf4\uc138\uc694:","theme.SearchModal.noResultsScreen.reportMissingResultsText":"\uc774 \uac80\uc0c9 \uacb0\uacfc\uac00 \ub204\ub77d\ub418\uc5c8\ub2e4\uace0 \uc0dd\uac01\ud569\ub2c8\uae4c?","theme.SearchModal.noResultsScreen.reportMissingResultsLinkText":"\uacb0\uacfc\ub97c \ubcf4\uace0\ud558\uae30","theme.SearchModal.placeholder":"\ubb38\uc11c \uac80\uc0c9","theme.tags.tagsPageTitle":"\ud0dc\uadf8 \ubaa9\ub85d"}')},6887:e=>{"use strict";e.exports=JSON.parse('{"/kr/search-e20":{"__comp":"1a4e3797","__context":{"plugin":"138e0e15"}},"/kr/-707":{"__comp":"5e95c892","__context":{"plugin":"aba21aa0"}},"/kr/-5a1":{"__comp":"a7bd4aaa","__props":"4636d62b"},"/kr/-c77":{"__comp":"a94703ab"},"/kr/advanced-1b6":{"__comp":"17896441","content":"df1a3a69"},"/kr/architecture-06d":{"__comp":"17896441","content":"a43d9b4f"},"/kr/cli-c8f":{"__comp":"17896441","content":"f5fc080a"},"/kr/cli/agent-2be":{"__comp":"17896441","content":"832e9842"},"/kr/cli/certificate-141":{"__comp":"17896441","content":"03ee9047"},"/kr/cli/etcd-snapshot-4a0":{"__comp":"17896441","content":"b1445c4f"},"/kr/cli/secrets-encrypt-681":{"__comp":"17896441","content":"a1ce2930"},"/kr/cli/server-4c7":{"__comp":"17896441","content":"20aafa33"},"/kr/cli/token-6a3":{"__comp":"17896441","content":"310030e7"},"/kr/cluster-access-d4b":{"__comp":"17896441","content":"c5022e3f"},"/kr/datastore-b2b":{"__comp":"17896441","content":"dd0fba39"},"/kr/datastore/backup-restore-bc0":{"__comp":"17896441","content":"0a63d2fd"},"/kr/datastore/cluster-loadbalancer-59d":{"__comp":"17896441","content":"d428bf88"},"/kr/datastore/ha-065":{"__comp":"17896441","content":"6a7149bd"},"/kr/datastore/ha-embedded-ab9":{"__comp":"17896441","content":"944a1646"},"/kr/faq-155":{"__comp":"17896441","content":"43a3241e"},"/kr/helm-4d3":{"__comp":"17896441","content":"cfa0e807"},"/kr/installation-c12":{"__comp":"17896441","content":"a0c5848d"},"/kr/installation/airgap-41b":{"__comp":"17896441","content":"42e456bb"},"/kr/installation/configuration-ae9":{"__comp":"17896441","content":"1fbd281a"},"/kr/installation/packaged-components-aa1":{"__comp":"17896441","content":"5133fc91"},"/kr/installation/private-registry-0a8":{"__comp":"17896441","content":"609981e6"},"/kr/installation/registry-mirror-76f":{"__comp":"17896441","content":"289875c4"},"/kr/installation/requirements-a42":{"__comp":"17896441","content":"b97d3598"},"/kr/installation/server-roles-300":{"__comp":"17896441","content":"bccfb1cb"},"/kr/installation/uninstall-65f":{"__comp":"17896441","content":"e8666366"},"/kr/known-issues-9ae":{"__comp":"17896441","content":"b44e7719"},"/kr/networking-77f":{"__comp":"17896441","content":"a101d863"},"/kr/networking/basic-network-options-853":{"__comp":"17896441","content":"6eb212a2"},"/kr/networking/distributed-multicloud-92d":{"__comp":"17896441","content":"d1c3e381"},"/kr/networking/multus-ipams-b26":{"__comp":"17896441","content":"9a11c291"},"/kr/networking/networking-services-4ce":{"__comp":"17896441","content":"49689b7d"},"/kr/quick-start-4a8":{"__comp":"17896441","content":"9c4d4f7f"},"/kr/reference/env-variables-279":{"__comp":"17896441","content":"b87d0734"},"/kr/reference/flag-deprecation-9d8":{"__comp":"17896441","content":"914a16f4"},"/kr/reference/resource-profiling-e03":{"__comp":"17896441","content":"105936f9"},"/kr/related-projects-5a0":{"__comp":"17896441","content":"e7c9153a"},"/kr/release-notes/v1.24.X-6bb":{"__comp":"17896441","content":"d123a91e"},"/kr/release-notes/v1.25.X-545":{"__comp":"17896441","content":"9e7a009d"},"/kr/release-notes/v1.26.X-472":{"__comp":"17896441","content":"0ce5aa86"},"/kr/release-notes/v1.27.X-123":{"__comp":"17896441","content":"dd22e55f"},"/kr/release-notes/v1.28.X-3aa":{"__comp":"17896441","content":"2f797aa4"},"/kr/release-notes/v1.29.X-e1c":{"__comp":"17896441","content":"0759a3f5"},"/kr/release-notes/v1.30.X-dcd":{"__comp":"17896441","content":"b8002741"},"/kr/security-024":{"__comp":"17896441","content":"1aef17e6"},"/kr/security/hardening-guide-894":{"__comp":"17896441","content":"18ace21a"},"/kr/security/secrets-encryption-67b":{"__comp":"17896441","content":"65309f9a"},"/kr/security/self-assessment-1.23-405":{"__comp":"17896441","content":"2c7731a3"},"/kr/security/self-assessment-1.24-4d1":{"__comp":"17896441","content":"feba781c"},"/kr/security/self-assessment-1.7-352":{"__comp":"17896441","content":"1a0c5791"},"/kr/security/self-assessment-1.8-cfc":{"__comp":"17896441","content":"f9fc8d33"},"/kr/storage-962":{"__comp":"17896441","content":"412d1b91"},"/kr/upgrades-6c0":{"__comp":"17896441","content":"3f659917"},"/kr/upgrades/automated-8df":{"__comp":"17896441","content":"c7700003"},"/kr/upgrades/killall-1c5":{"__comp":"17896441","content":"37e09f03"},"/kr/upgrades/manual-43b":{"__comp":"17896441","content":"e92581be"},"/kr/-46f":{"__comp":"17896441","content":"81cffba8"}}')}},e=>{e.O(0,[532],(()=>{return t=7221,e(e.s=t);var t}));e.O()}]); \ No newline at end of file diff --git a/kr/assets/js/runtime~main.e0b2a96e.js b/kr/assets/js/runtime~main.bbf98367.js similarity index 52% rename from kr/assets/js/runtime~main.e0b2a96e.js rename to kr/assets/js/runtime~main.bbf98367.js index 6c51f5702..9ef6950f3 100644 --- a/kr/assets/js/runtime~main.e0b2a96e.js +++ b/kr/assets/js/runtime~main.bbf98367.js @@ -1 +1 @@ -(()=>{"use strict";var e,a,f,d,c,b={},t={};function r(e){var a=t[e];if(void 0!==a)return a.exports;var f=t[e]={id:e,loaded:!1,exports:{}};return b[e].call(f.exports,f,f.exports,r),f.loaded=!0,f.exports}r.m=b,r.c=t,e=[],r.O=(a,f,d,c)=>{if(!f){var b=1/0;for(i=0;i<e.length;i++){f=e[i][0],d=e[i][1],c=e[i][2];for(var t=!0,o=0;o<f.length;o++)(!1&c||b>=c)&&Object.keys(r.O).every((e=>r.O[e](f[o])))?f.splice(o--,1):(t=!1,c<b&&(b=c));if(t){e.splice(i--,1);var n=d();void 0!==n&&(a=n)}}return a}c=c||0;for(var i=e.length;i>0&&e[i-1][2]>c;i--)e[i]=e[i-1];e[i]=[f,d,c]},r.n=e=>{var a=e&&e.__esModule?()=>e.default:()=>e;return r.d(a,{a:a}),a},f=Object.getPrototypeOf?e=>Object.getPrototypeOf(e):e=>e.__proto__,r.t=function(e,d){if(1&d&&(e=this(e)),8&d)return e;if("object"==typeof e&&e){if(4&d&&e.__esModule)return e;if(16&d&&"function"==typeof e.then)return e}var c=Object.create(null);r.r(c);var b={};a=a||[null,f({}),f([]),f(f)];for(var t=2&d&&e;"object"==typeof t&&!~a.indexOf(t);t=f(t))Object.getOwnPropertyNames(t).forEach((a=>b[a]=()=>e[a]));return b.default=()=>e,r.d(c,b),c},r.d=(e,a)=>{for(var f in a)r.o(a,f)&&!r.o(e,f)&&Object.defineProperty(e,f,{enumerable:!0,get:a[f]})},r.f={},r.e=e=>Promise.all(Object.keys(r.f).reduce(((a,f)=>(r.f[f](e,a),a)),[])),r.u=e=>"assets/js/"+({101:"2f797aa4",107:"c5022e3f",240:"c7700003",482:"1a0c5791",547:"b1445c4f",651:"412d1b91",660:"b87d0734",804:"81cffba8",855:"d123a91e",910:"bccfb1cb",1184:"49689b7d",1385:"cfa0e807",1620:"0ce5aa86",1894:"6a7149bd",2257:"a1ce2930",2399:"944a1646",2409:"0759a3f5",2466:"609981e6",2573:"b8002741",3083:"d428bf88",3217:"105936f9",3229:"1fbd281a",3411:"2c7731a3",3629:"aba21aa0",3667:"a43d9b4f",3892:"43a3241e",3936:"e8666366",4368:"a94703ab",5361:"feba781c",5470:"e92581be",5579:"6eb212a2",5668:"dd22e55f",5749:"310030e7",6005:"65309f9a",6094:"9c4d4f7f",6153:"df1a3a69",6278:"3f659917",6328:"37e09f03",6515:"20aafa33",6687:"289875c4",7162:"9a11c291",7213:"d1c3e381",7251:"9e7a009d",7355:"5133fc91",7364:"4636d62b",7544:"e7c9153a",7563:"b97d3598",7565:"b44e7719",7626:"914a16f4",7713:"dd0fba39",7918:"17896441",7920:"1a4e3797",8518:"a7bd4aaa",8804:"f9fc8d33",9059:"a0c5848d",9166:"a101d863",9169:"1aef17e6",9176:"f5fc080a",9184:"832e9842",9269:"18ace21a",9341:"0a63d2fd",9482:"03ee9047",9524:"138e0e15",9654:"42e456bb",9661:"5e95c892"}[e]||e)+"."+{101:"e34a8141",107:"6d9082f4",109:"01756420",132:"dd9e691d",240:"cdcda1c1",482:"a58bbcc5",547:"ccb42167",651:"9f8f881e",660:"0d2ae43b",804:"5273758c",855:"325b80fb",910:"d1ce3eb3",1184:"cbd6fedd",1385:"798b7325",1504:"97b84f00",1620:"9dc7bad8",1644:"fcd060a4",1763:"ce221339",1772:"61c7be9f",1894:"6a1c6b4a",2183:"b5f5fa5e",2257:"7d48a7ad",2399:"0f1c836e",2409:"abfeb73e",2466:"2001baf2",2573:"fd36fa70",2661:"8726bbab",2693:"6fc271a2",2696:"be8f6690",2700:"ffd76ef3",3076:"f0118536",3083:"52d60868",3217:"cf1e9242",3229:"ad7c8e02",3343:"22235bc8",3411:"78ce50e1",3619:"c61e616d",3629:"48c0a166",3667:"b2ed37e7",3892:"464912cc",3936:"b5cdde90",4238:"492cd0f6",4368:"1e5da719",4706:"3f431cbe",5269:"1c7af5ff",5326:"f85d6565",5361:"825960db",5470:"3f96b3a6",5525:"ab860f59",5579:"d763d6d7",5668:"83da3868",5749:"2d105a0b",5790:"b62892d5",5943:"fbf216e9",6005:"9f97a04a",6094:"9da27a87",6153:"561c08d1",6255:"5d3ef35b",6278:"da165abb",6328:"d3c38896",6515:"ecfa7dc8",6591:"389caff7",6648:"85f6378f",6687:"58dc5d8c",6985:"abc8fa53",7162:"eb38d005",7213:"ec3ab634",7251:"0d33ad0c",7355:"27f5d387",7364:"be0559e3",7544:"9e70a0bd",7563:"fcc9795e",7565:"c35ed88b",7626:"1f47a5fa",7713:"a599df5d",7837:"55715d2b",7918:"69b4e1f0",7920:"4376c566",7936:"ecd6f6b4",8016:"9b7b3383",8443:"26559c8c",8518:"f175b6d3",8804:"bb9794c1",8955:"0ae96596",9059:"894c4224",9138:"dcafeafb",9166:"a48e323f",9169:"f6995567",9176:"74d620d3",9184:"c6b3dec0",9269:"ce51c42a",9341:"caee5ba0",9482:"b4f3bf19",9524:"96b88364",9654:"71d7aebb",9661:"34e77302",9893:"0687af38"}[e]+".js",r.miniCssF=e=>{},r.g=function(){if("object"==typeof globalThis)return globalThis;try{return this||new Function("return this")()}catch(e){if("object"==typeof window)return window}}(),r.o=(e,a)=>Object.prototype.hasOwnProperty.call(e,a),d={},c="k-3-s-docs:",r.l=(e,a,f,b)=>{if(d[e])d[e].push(a);else{var t,o;if(void 0!==f)for(var n=document.getElementsByTagName("script"),i=0;i<n.length;i++){var u=n[i];if(u.getAttribute("src")==e||u.getAttribute("data-webpack")==c+f){t=u;break}}t||(o=!0,(t=document.createElement("script")).charset="utf-8",t.timeout=120,r.nc&&t.setAttribute("nonce",r.nc),t.setAttribute("data-webpack",c+f),t.src=e),d[e]=[a];var l=(a,f)=>{t.onerror=t.onload=null,clearTimeout(s);var c=d[e];if(delete d[e],t.parentNode&&t.parentNode.removeChild(t),c&&c.forEach((e=>e(f))),a)return a(f)},s=setTimeout(l.bind(null,void 0,{type:"timeout",target:t}),12e4);t.onerror=l.bind(null,t.onerror),t.onload=l.bind(null,t.onload),o&&document.head.appendChild(t)}},r.r=e=>{"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},r.p="/kr/",r.gca=function(e){return e={17896441:"7918","2f797aa4":"101",c5022e3f:"107",c7700003:"240","1a0c5791":"482",b1445c4f:"547","412d1b91":"651",b87d0734:"660","81cffba8":"804",d123a91e:"855",bccfb1cb:"910","49689b7d":"1184",cfa0e807:"1385","0ce5aa86":"1620","6a7149bd":"1894",a1ce2930:"2257","944a1646":"2399","0759a3f5":"2409","609981e6":"2466",b8002741:"2573",d428bf88:"3083","105936f9":"3217","1fbd281a":"3229","2c7731a3":"3411",aba21aa0:"3629",a43d9b4f:"3667","43a3241e":"3892",e8666366:"3936",a94703ab:"4368",feba781c:"5361",e92581be:"5470","6eb212a2":"5579",dd22e55f:"5668","310030e7":"5749","65309f9a":"6005","9c4d4f7f":"6094",df1a3a69:"6153","3f659917":"6278","37e09f03":"6328","20aafa33":"6515","289875c4":"6687","9a11c291":"7162",d1c3e381:"7213","9e7a009d":"7251","5133fc91":"7355","4636d62b":"7364",e7c9153a:"7544",b97d3598:"7563",b44e7719:"7565","914a16f4":"7626",dd0fba39:"7713","1a4e3797":"7920",a7bd4aaa:"8518",f9fc8d33:"8804",a0c5848d:"9059",a101d863:"9166","1aef17e6":"9169",f5fc080a:"9176","832e9842":"9184","18ace21a":"9269","0a63d2fd":"9341","03ee9047":"9482","138e0e15":"9524","42e456bb":"9654","5e95c892":"9661"}[e]||e,r.p+r.u(e)},(()=>{var e={1303:0,532:0};r.f.j=(a,f)=>{var d=r.o(e,a)?e[a]:void 0;if(0!==d)if(d)f.push(d[2]);else if(/^(1303|532)$/.test(a))e[a]=0;else{var c=new Promise(((f,c)=>d=e[a]=[f,c]));f.push(d[2]=c);var b=r.p+r.u(a),t=new Error;r.l(b,(f=>{if(r.o(e,a)&&(0!==(d=e[a])&&(e[a]=void 0),d)){var c=f&&("load"===f.type?"missing":f.type),b=f&&f.target&&f.target.src;t.message="Loading chunk "+a+" failed.\n("+c+": "+b+")",t.name="ChunkLoadError",t.type=c,t.request=b,d[1](t)}}),"chunk-"+a,a)}},r.O.j=a=>0===e[a];var a=(a,f)=>{var d,c,b=f[0],t=f[1],o=f[2],n=0;if(b.some((a=>0!==e[a]))){for(d in t)r.o(t,d)&&(r.m[d]=t[d]);if(o)var i=o(r)}for(a&&a(f);n<b.length;n++)c=b[n],r.o(e,c)&&e[c]&&e[c][0](),e[c]=0;return r.O(i)},f=self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[];f.forEach(a.bind(null,0)),f.push=a.bind(null,f.push.bind(f))})()})(); \ No newline at end of file +(()=>{"use strict";var e,a,f,c,d,b={},t={};function r(e){var a=t[e];if(void 0!==a)return a.exports;var f=t[e]={id:e,loaded:!1,exports:{}};return b[e].call(f.exports,f,f.exports,r),f.loaded=!0,f.exports}r.m=b,r.c=t,e=[],r.O=(a,f,c,d)=>{if(!f){var b=1/0;for(i=0;i<e.length;i++){f=e[i][0],c=e[i][1],d=e[i][2];for(var t=!0,o=0;o<f.length;o++)(!1&d||b>=d)&&Object.keys(r.O).every((e=>r.O[e](f[o])))?f.splice(o--,1):(t=!1,d<b&&(b=d));if(t){e.splice(i--,1);var n=c();void 0!==n&&(a=n)}}return a}d=d||0;for(var i=e.length;i>0&&e[i-1][2]>d;i--)e[i]=e[i-1];e[i]=[f,c,d]},r.n=e=>{var a=e&&e.__esModule?()=>e.default:()=>e;return r.d(a,{a:a}),a},f=Object.getPrototypeOf?e=>Object.getPrototypeOf(e):e=>e.__proto__,r.t=function(e,c){if(1&c&&(e=this(e)),8&c)return e;if("object"==typeof e&&e){if(4&c&&e.__esModule)return e;if(16&c&&"function"==typeof e.then)return e}var d=Object.create(null);r.r(d);var b={};a=a||[null,f({}),f([]),f(f)];for(var t=2&c&&e;"object"==typeof t&&!~a.indexOf(t);t=f(t))Object.getOwnPropertyNames(t).forEach((a=>b[a]=()=>e[a]));return b.default=()=>e,r.d(d,b),d},r.d=(e,a)=>{for(var f in a)r.o(a,f)&&!r.o(e,f)&&Object.defineProperty(e,f,{enumerable:!0,get:a[f]})},r.f={},r.e=e=>Promise.all(Object.keys(r.f).reduce(((a,f)=>(r.f[f](e,a),a)),[])),r.u=e=>"assets/js/"+({101:"2f797aa4",107:"c5022e3f",240:"c7700003",482:"1a0c5791",547:"b1445c4f",651:"412d1b91",660:"b87d0734",804:"81cffba8",855:"d123a91e",910:"bccfb1cb",1184:"49689b7d",1385:"cfa0e807",1620:"0ce5aa86",1894:"6a7149bd",2257:"a1ce2930",2399:"944a1646",2409:"0759a3f5",2466:"609981e6",2573:"b8002741",3083:"d428bf88",3217:"105936f9",3229:"1fbd281a",3411:"2c7731a3",3629:"aba21aa0",3667:"a43d9b4f",3892:"43a3241e",3936:"e8666366",4368:"a94703ab",5361:"feba781c",5470:"e92581be",5579:"6eb212a2",5668:"dd22e55f",5749:"310030e7",6005:"65309f9a",6094:"9c4d4f7f",6153:"df1a3a69",6278:"3f659917",6328:"37e09f03",6515:"20aafa33",6687:"289875c4",7162:"9a11c291",7213:"d1c3e381",7251:"9e7a009d",7355:"5133fc91",7364:"4636d62b",7544:"e7c9153a",7563:"b97d3598",7565:"b44e7719",7626:"914a16f4",7713:"dd0fba39",7918:"17896441",7920:"1a4e3797",8518:"a7bd4aaa",8804:"f9fc8d33",9059:"a0c5848d",9166:"a101d863",9169:"1aef17e6",9176:"f5fc080a",9184:"832e9842",9269:"18ace21a",9341:"0a63d2fd",9482:"03ee9047",9524:"138e0e15",9654:"42e456bb",9661:"5e95c892"}[e]||e)+"."+{101:"d5c63ad6",107:"b4406196",109:"01756420",132:"dd9e691d",240:"3cbaaec1",482:"d6e14a35",547:"edd374f3",651:"83360818",660:"309f13dc",804:"564bbbe3",855:"18f3a6fd",910:"4240bdfb",1184:"da5127a9",1385:"be961597",1504:"97b84f00",1620:"51903c7f",1644:"fcd060a4",1763:"ce221339",1772:"edd9b014",1894:"ac31f11d",2183:"b5f5fa5e",2257:"30638b81",2399:"37a7041d",2409:"403e480f",2466:"8c1da051",2573:"213dd26e",2661:"8726bbab",2693:"6fc271a2",2696:"be8f6690",2700:"ffd76ef3",3076:"f0118536",3083:"92f76c8d",3217:"c2eec2a9",3229:"95cd42bf",3343:"22235bc8",3411:"ad50e493",3619:"c61e616d",3629:"48c0a166",3667:"928d733e",3892:"b53b6c5a",3936:"45f94ebc",4238:"492cd0f6",4368:"c2f69992",4706:"3f431cbe",5269:"1c7af5ff",5326:"f85d6565",5361:"63981e19",5470:"70bed0e9",5525:"ab860f59",5579:"3ba9f0bd",5668:"7f767527",5749:"d99bd5f3",5790:"b62892d5",5943:"fbf216e9",6005:"72799433",6094:"1d881b09",6153:"0e3431df",6255:"5d3ef35b",6278:"9a56c135",6328:"53592bcd",6515:"3bcbd266",6591:"389caff7",6648:"85f6378f",6687:"d86a86f4",6985:"abc8fa53",7162:"7fb475ca",7213:"dff08217",7236:"db30f9fd",7251:"204a0230",7355:"07233669",7364:"be0559e3",7544:"3ba97217",7563:"fa076b01",7565:"1e65b95e",7626:"ce008661",7713:"e82585e9",7918:"69b4e1f0",7920:"7f3d6643",7936:"ecd6f6b4",8016:"9b7b3383",8443:"a5d9c459",8518:"d2fc12fe",8804:"ec3eeee7",8955:"0ae96596",9059:"a7bb9059",9138:"dcafeafb",9166:"d286647e",9169:"3c429484",9176:"f8d911d8",9184:"75e1e2e4",9269:"bffc2fc9",9341:"7f075bc5",9482:"19e209ec",9524:"96b88364",9654:"20337826",9661:"06469c98",9893:"0687af38"}[e]+".js",r.miniCssF=e=>{},r.g=function(){if("object"==typeof globalThis)return globalThis;try{return this||new Function("return this")()}catch(e){if("object"==typeof window)return window}}(),r.o=(e,a)=>Object.prototype.hasOwnProperty.call(e,a),c={},d="k-3-s-docs:",r.l=(e,a,f,b)=>{if(c[e])c[e].push(a);else{var t,o;if(void 0!==f)for(var n=document.getElementsByTagName("script"),i=0;i<n.length;i++){var u=n[i];if(u.getAttribute("src")==e||u.getAttribute("data-webpack")==d+f){t=u;break}}t||(o=!0,(t=document.createElement("script")).charset="utf-8",t.timeout=120,r.nc&&t.setAttribute("nonce",r.nc),t.setAttribute("data-webpack",d+f),t.src=e),c[e]=[a];var l=(a,f)=>{t.onerror=t.onload=null,clearTimeout(s);var d=c[e];if(delete c[e],t.parentNode&&t.parentNode.removeChild(t),d&&d.forEach((e=>e(f))),a)return a(f)},s=setTimeout(l.bind(null,void 0,{type:"timeout",target:t}),12e4);t.onerror=l.bind(null,t.onerror),t.onload=l.bind(null,t.onload),o&&document.head.appendChild(t)}},r.r=e=>{"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},r.p="/kr/",r.gca=function(e){return e={17896441:"7918","2f797aa4":"101",c5022e3f:"107",c7700003:"240","1a0c5791":"482",b1445c4f:"547","412d1b91":"651",b87d0734:"660","81cffba8":"804",d123a91e:"855",bccfb1cb:"910","49689b7d":"1184",cfa0e807:"1385","0ce5aa86":"1620","6a7149bd":"1894",a1ce2930:"2257","944a1646":"2399","0759a3f5":"2409","609981e6":"2466",b8002741:"2573",d428bf88:"3083","105936f9":"3217","1fbd281a":"3229","2c7731a3":"3411",aba21aa0:"3629",a43d9b4f:"3667","43a3241e":"3892",e8666366:"3936",a94703ab:"4368",feba781c:"5361",e92581be:"5470","6eb212a2":"5579",dd22e55f:"5668","310030e7":"5749","65309f9a":"6005","9c4d4f7f":"6094",df1a3a69:"6153","3f659917":"6278","37e09f03":"6328","20aafa33":"6515","289875c4":"6687","9a11c291":"7162",d1c3e381:"7213","9e7a009d":"7251","5133fc91":"7355","4636d62b":"7364",e7c9153a:"7544",b97d3598:"7563",b44e7719:"7565","914a16f4":"7626",dd0fba39:"7713","1a4e3797":"7920",a7bd4aaa:"8518",f9fc8d33:"8804",a0c5848d:"9059",a101d863:"9166","1aef17e6":"9169",f5fc080a:"9176","832e9842":"9184","18ace21a":"9269","0a63d2fd":"9341","03ee9047":"9482","138e0e15":"9524","42e456bb":"9654","5e95c892":"9661"}[e]||e,r.p+r.u(e)},(()=>{var e={1303:0,532:0};r.f.j=(a,f)=>{var c=r.o(e,a)?e[a]:void 0;if(0!==c)if(c)f.push(c[2]);else if(/^(1303|532)$/.test(a))e[a]=0;else{var d=new Promise(((f,d)=>c=e[a]=[f,d]));f.push(c[2]=d);var b=r.p+r.u(a),t=new Error;r.l(b,(f=>{if(r.o(e,a)&&(0!==(c=e[a])&&(e[a]=void 0),c)){var d=f&&("load"===f.type?"missing":f.type),b=f&&f.target&&f.target.src;t.message="Loading chunk "+a+" failed.\n("+d+": "+b+")",t.name="ChunkLoadError",t.type=d,t.request=b,c[1](t)}}),"chunk-"+a,a)}},r.O.j=a=>0===e[a];var a=(a,f)=>{var c,d,b=f[0],t=f[1],o=f[2],n=0;if(b.some((a=>0!==e[a]))){for(c in t)r.o(t,c)&&(r.m[c]=t[c]);if(o)var i=o(r)}for(a&&a(f);n<b.length;n++)d=b[n],r.o(e,d)&&e[d]&&e[d][0](),e[d]=0;return r.O(i)},f=self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[];f.forEach(a.bind(null,0)),f.push=a.bind(null,f.push.bind(f))})()})(); \ No newline at end of file diff --git a/kr/cli.html b/kr/cli.html index 0d73a54b6..fa1a1e902 100644 --- a/kr/cli.html +++ b/kr/cli.html @@ -2,14 +2,14 @@ <html lang="kr" dir="ltr" class="docs-wrapper plugin-docs plugin-id-default docs-version-current docs-doc-page docs-doc-id-cli/cli" data-has-hydrated="false"> <head> <meta charset="UTF-8"> -<meta name="generator" content="Docusaurus v3.4.0"> -<title data-rh="true">명령줄 도구 | K3s - - + +명령줄 도구 | K3s + + -

    명령줄 도구

    K3s 바이너리에는 클러스터 관리에 도움이 되는 여러 가지 추가 도구가 포함되어 있습니다.

    -
    CommandDescription
    k3s server데이터스토어와 에이전트 컴포넌트 외에 쿠버네티스 apiserver, scheduler, controller-manager, 그리고 cloud-controller-manager 컴포넌트를 실행하는 K3s 서버 노드를 실행합니다. 자세한 내용은 k3s server 명령어 설명서를 참고하세요.
    k3s agentcontainerd, flannel, kube-router 네트워크 정책 컨트롤러와 쿠버네티스 kubeletkube-proxy 구성 요소를 실행하는 K3s 에이전트 노드를 실행한다. 자세한 내용은 k3s agent 명령어 설명서를 참조하세요.
    k3s kubectl임베드된 kubectl 명령을 실행합니다. 이것은 쿠버네티스 apiserver와 상호작용하기 위한 CLI입니다. KUBECONFIG 환경 변수가 설정되어 있지 않으면, 자동으로 /etc/rancher/k3s/k3s.yaml에서 kubeconfig를 사용하려고 시도합니다.
    k3s crictl임베드된 crictl 명령을 실행합니다. 이것은 쿠버네티스의 컨테이너 런타임 인터페이스(CRI: Container Runtime Interface)와 상호 작용하기 위한 CLI입니다. 디버깅에 유용합니다.
    k3s ctr내장된 ctr 명령을 실행합니다. 이는 K3s에서 사용하는 컨테이너 데몬인 containerd의 CLI입니다. 디버깅에 유용합니다.
    k3s token부트스트랩 토큰을 관리합니다. 자세한 내용은 k3s token 명령어 설명서를 참조하세요.
    k3s etcd-snapshotK3s 클러스터 데이터의 온디맨드 백업을 수행하여 S3에 업로드합니다. 자세한 내용은 k3s etcd-snapshot 명령어 설명서를 참조하세요.
    k3s secrets-encrypt클러스터에 시크릿을 저장할 때 암호화하도록 K3s를 구성합니다. 자세한 내용은 k3s secrets-encrypt 명령어 설명서를 참조하세요.
    k3s certificateK3s 인증서를 관리합니다. 자세한 내용은 k3s certificate 명령어 설명서를 참조하세요.
    k3s completionk3s용 셸 자동완성 스크립트를 생성합니다.
    k3s help명령 목록 또는 한 명령어에 대한 도움말을 표시합니다.
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +

    명령줄 도구

    K3s 바이너리에는 클러스터 관리에 도움이 되는 여러 가지 추가 도구가 포함되어 있습니다.

    +
    CommandDescription
    k3s server데이터스토어와 에이전트 컴포넌트 외에 쿠버네티스 apiserver, scheduler, controller-manager, 그리고 cloud-controller-manager 컴포넌트를 실행하는 K3s 서버 노드를 실행합니다. 자세한 내용은 k3s server 명령어 설명서를 참고하세요.
    k3s agentcontainerd, flannel, kube-router 네트워크 정책 컨트롤러와 쿠버네티스 kubeletkube-proxy 구성 요소를 실행하는 K3s 에이전트 노드를 실행한다. 자세한 내용은 k3s agent 명령어 설명서를 참조하세요.
    k3s kubectl임베드된 kubectl 명령을 실행합니다. 이것은 쿠버네티스 apiserver와 상호작용하기 위한 CLI입니다. KUBECONFIG 환경 변수가 설정되어 있지 않으면, 자동으로 /etc/rancher/k3s/k3s.yaml에서 kubeconfig를 사용하려고 시도합니다.
    k3s crictl임베드된 crictl 명령을 실행합니다. 이것은 쿠버네티스의 컨테이너 런타임 인터페이스(CRI: Container Runtime Interface)와 상호 작용하기 위한 CLI입니다. 디버깅에 유용합니다.
    k3s ctr내장된 ctr 명령을 실행합니다. 이는 K3s에서 사용하는 컨테이너 데몬인 containerd의 CLI입니다. 디버깅에 유용합니다.
    k3s token부트스트랩 토큰을 관리합니다. 자세한 내용은 k3s token 명령어 설명서를 참조하세요.
    k3s etcd-snapshotK3s 클러스터 데이터의 온디맨드 백업을 수행하여 S3에 업로드합니다. 자세한 내용은 k3s etcd-snapshot 명령어 설명서를 참조하세요.
    k3s secrets-encrypt클러스터에 시크릿을 저장할 때 암호화하도록 K3s를 구성합니다. 자세한 내용은 k3s secrets-encrypt 명령어 설명서를 참조하세요.
    k3s certificateK3s 인증서를 관리합니다. 자세한 내용은 k3s certificate 명령어 설명서를 참조하세요.
    k3s completionk3s용 셸 자동완성 스크립트를 생성합니다.
    k3s help명령 목록 또는 한 명령어에 대한 도움말을 표시합니다.
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/kr/cli/agent.html b/kr/cli/agent.html index 45ff6ce29..c95820f65 100644 --- a/kr/cli/agent.html +++ b/kr/cli/agent.html @@ -2,44 +2,44 @@ - -agent | K3s - - + +agent | K3s + + -

    k3s agent

    +

    k3s agent

    In this section, you'll learn how to configure the K3s agent.

    Note that servers also run an agent, so all flags listed on this page are also valid for use on servers.

    Options are documented on this page as CLI flags, but can also be passed as configuration file options. See the Configuration File documentation for more information on using YAML configuration files.

    -

    Logging

    +

    Logging

    FlagDefaultDescription
    -v value0Number for the log level verbosity
    --vmodule valueN/AComma-separated list of FILE_PATTERN=LOG_LEVEL settings for file-filtered logging
    --log value, -l valueN/ALog to file
    --alsologtostderrN/ALog to standard error as well as file (if set)
    -

    Cluster Options

    +

    Cluster Options

    FlagEnvironment VariableDescription
    --token value, -t valueK3S_TOKENToken to use for authentication
    --token-file valueK3S_TOKEN_FILEToken file to use for authentication
    --server value, -s valueK3S_URLServer to connect to
    -

    Data

    +

    Data

    FlagDefaultDescription
    --data-dir value, -d value"/var/lib/rancher/k3s"Folder to hold state
    -

    Node

    +

    Node

    FlagEnvironment VariableDescription
    --node-name valueK3S_NODE_NAMENode name
    --with-node-idN/AAppend id to node name
    --node-label valueN/ARegistering and starting kubelet with set of labels
    --node-taint valueN/ARegistering kubelet with set of taints
    --protect-kernel-defaultsN/AKernel tuning behavior. If set, error if kernel tunables are different from kubelet defaults.
    --selinuxK3S_SELINUXEnable SELinux in containerd
    --lb-server-port valueK3S_LB_SERVER_PORTLocal port for supervisor client load-balancer. If the supervisor and apiserver are not colocated an additional port 1 less than this port will also be used for the apiserver client load-balancer. (default: 6444)
    -

    Runtime

    +

    Runtime

    FlagDefaultDescription
    --container-runtime-endpoint valueN/ADisable embedded containerd and use the CRI socket at the given path; when used with --docker this sets the cri-docker socket path
    --pause-image value"docker.io/rancher/pause:3.1"Customized pause image for containerd or docker sandbox
    --private-registry value"/etc/rancher/k3s/registries.yaml"Private registry configuration file
    -

    Networking

    +

    Networking

    FlagEnvironment VariableDescription
    --node-ip value, -i valueN/AIP address to advertise for node
    --node-external-ip valueN/AExternal IP address to advertise for node
    --resolv-conf valueK3S_RESOLV_CONFKubelet resolv.conf file
    --flannel-iface valueN/AOverride default flannel interface
    --flannel-conf valueN/AOverride default flannel config file
    --flannel-cni-conf valueN/AOverride default flannel cni config file
    -

    Customized Flags

    +

    Customized Flags

    FlagDescription
    --kubelet-arg valueCustomized flag for kubelet process
    --kube-proxy-arg valueCustomized flag for kube-proxy process
    -

    Experimental

    +

    Experimental

    FlagDescription
    --rootlessRun rootless
    --dockerUse cri-dockerd instead of containerd
    --prefer-bundled-binPrefer bundled userspace binaries over host binaries
    -

    Deprecated

    +

    Deprecated

    FlagEnvironment VariableDescription
    --no-flannelN/AUse --flannel-backend=none
    --cluster-secret valueK3S_CLUSTER_SECRETUse --token
    -

    Node Labels and Taints for Agents

    +

    Node Labels and Taints for Agents

    K3s agents can be configured with the options --node-label and --node-taint which adds a label and taint to the kubelet. The two options only add labels and/or taints at registration time, so they can only be added once and not changed after that again by running K3s commands.

    Below is an example showing how to add labels and a taint:

         --node-label foo=bar \
         --node-label hello=world \
         --node-taint key1=value1:NoExecute

    If you want to change node labels and taints after node registration you should use kubectl. Refer to the official Kubernetes documentation for details on how to add taints and node labels.

    -

    K3s Agent CLI Help

    +

    K3s Agent CLI Help

    If an option appears in brackets below, for example [$K3S_URL], it means that the option can be passed in as an environment variable of that name.

    -
    NAME:
       k3s agent - Run node agent

    USAGE:
       k3s agent [OPTIONS]

    OPTIONS:
       --config FILE, -c FILE                     (config) Load configuration from FILE (default: "/etc/rancher/k3s/config.yaml") [$K3S_CONFIG_FILE]
       --debug                                    (logging) Turn on debug logs [$K3S_DEBUG]
       -v value                                   (logging) Number for the log level verbosity (default: 0)
       --vmodule value                            (logging) Comma-separated list of FILE_PATTERN=LOG_LEVEL settings for file-filtered logging
       --log value, -l value                      (logging) Log to file
       --alsologtostderr                          (logging) Log to standard error as well as file (if set)
       --token value, -t value                    (cluster) Token to use for authentication [$K3S_TOKEN]
       --token-file value                         (cluster) Token file to use for authentication [$K3S_TOKEN_FILE]
       --server value, -s value                   (cluster) Server to connect to [$K3S_URL]
       --data-dir value, -d value                 (agent/data) Folder to hold state (default: "/var/lib/rancher/k3s")
       --node-name value                          (agent/node) Node name [$K3S_NODE_NAME]
       --with-node-id                             (agent/node) Append id to node name
       --node-label value                         (agent/node) Registering and starting kubelet with set of labels
       --node-taint value                         (agent/node) Registering kubelet with set of taints
       --image-credential-provider-bin-dir value  (agent/node) The path to the directory where credential provider plugin binaries are located (default: "/var/lib/rancher/credentialprovider/bin")
       --image-credential-provider-config value   (agent/node) The path to the credential provider plugin config file (default: "/var/lib/rancher/credentialprovider/config.yaml")
       --selinux                                  (agent/node) Enable SELinux in containerd [$K3S_SELINUX]
       --lb-server-port value                     (agent/node) Local port for supervisor client load-balancer. If the supervisor and apiserver are not colocated an additional port 1 less than this port will also be used for the apiserver client load-balancer. (default: 6444) [$K3S_LB_SERVER_PORT]
       --protect-kernel-defaults                  (agent/node) Kernel tuning behavior. If set, error if kernel tunables are different than kubelet defaults.
       --container-runtime-endpoint value         (agent/runtime) Disable embedded containerd and use the CRI socket at the given path; when used with --docker this sets the docker socket path
       --pause-image value                        (agent/runtime) Customized pause image for containerd or docker sandbox (default: "rancher/mirrored-pause:3.6")
       --snapshotter value                        (agent/runtime) Override default containerd snapshotter (default: "overlayfs")
       --private-registry value                   (agent/runtime) Private registry configuration file (default: "/etc/rancher/k3s/registries.yaml")
       --node-ip value, -i value                  (agent/networking) IPv4/IPv6 addresses to advertise for node
       --node-external-ip value                   (agent/networking) IPv4/IPv6 external IP addresses to advertise for node
       --resolv-conf value                        (agent/networking) Kubelet resolv.conf file [$K3S_RESOLV_CONF]
       --flannel-iface value                      (agent/networking) Override default flannel interface
       --flannel-conf value                       (agent/networking) Override default flannel config file
       --flannel-cni-conf value                   (agent/networking) Override default flannel cni config file
       --kubelet-arg value                        (agent/flags) Customized flag for kubelet process
       --kube-proxy-arg value                     (agent/flags) Customized flag for kube-proxy process
       --rootless                                 (experimental) Run rootless
       --prefer-bundled-bin                       (experimental) Prefer bundled userspace binaries over host binaries
       --docker                                   (agent/runtime) (experimental) Use cri-dockerd instead of containerd
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +
    NAME:
       k3s agent - Run node agent

    USAGE:
       k3s agent [OPTIONS]

    OPTIONS:
       --config FILE, -c FILE                     (config) Load configuration from FILE (default: "/etc/rancher/k3s/config.yaml") [$K3S_CONFIG_FILE]
       --debug                                    (logging) Turn on debug logs [$K3S_DEBUG]
       -v value                                   (logging) Number for the log level verbosity (default: 0)
       --vmodule value                            (logging) Comma-separated list of FILE_PATTERN=LOG_LEVEL settings for file-filtered logging
       --log value, -l value                      (logging) Log to file
       --alsologtostderr                          (logging) Log to standard error as well as file (if set)
       --token value, -t value                    (cluster) Token to use for authentication [$K3S_TOKEN]
       --token-file value                         (cluster) Token file to use for authentication [$K3S_TOKEN_FILE]
       --server value, -s value                   (cluster) Server to connect to [$K3S_URL]
       --data-dir value, -d value                 (agent/data) Folder to hold state (default: "/var/lib/rancher/k3s")
       --node-name value                          (agent/node) Node name [$K3S_NODE_NAME]
       --with-node-id                             (agent/node) Append id to node name
       --node-label value                         (agent/node) Registering and starting kubelet with set of labels
       --node-taint value                         (agent/node) Registering kubelet with set of taints
       --image-credential-provider-bin-dir value  (agent/node) The path to the directory where credential provider plugin binaries are located (default: "/var/lib/rancher/credentialprovider/bin")
       --image-credential-provider-config value   (agent/node) The path to the credential provider plugin config file (default: "/var/lib/rancher/credentialprovider/config.yaml")
       --selinux                                  (agent/node) Enable SELinux in containerd [$K3S_SELINUX]
       --lb-server-port value                     (agent/node) Local port for supervisor client load-balancer. If the supervisor and apiserver are not colocated an additional port 1 less than this port will also be used for the apiserver client load-balancer. (default: 6444) [$K3S_LB_SERVER_PORT]
       --protect-kernel-defaults                  (agent/node) Kernel tuning behavior. If set, error if kernel tunables are different than kubelet defaults.
       --container-runtime-endpoint value         (agent/runtime) Disable embedded containerd and use the CRI socket at the given path; when used with --docker this sets the docker socket path
       --pause-image value                        (agent/runtime) Customized pause image for containerd or docker sandbox (default: "rancher/mirrored-pause:3.6")
       --snapshotter value                        (agent/runtime) Override default containerd snapshotter (default: "overlayfs")
       --private-registry value                   (agent/runtime) Private registry configuration file (default: "/etc/rancher/k3s/registries.yaml")
       --node-ip value, -i value                  (agent/networking) IPv4/IPv6 addresses to advertise for node
       --node-external-ip value                   (agent/networking) IPv4/IPv6 external IP addresses to advertise for node
       --resolv-conf value                        (agent/networking) Kubelet resolv.conf file [$K3S_RESOLV_CONF]
       --flannel-iface value                      (agent/networking) Override default flannel interface
       --flannel-conf value                       (agent/networking) Override default flannel config file
       --flannel-cni-conf value                   (agent/networking) Override default flannel cni config file
       --kubelet-arg value                        (agent/flags) Customized flag for kubelet process
       --kube-proxy-arg value                     (agent/flags) Customized flag for kube-proxy process
       --rootless                                 (experimental) Run rootless
       --prefer-bundled-bin                       (experimental) Prefer bundled userspace binaries over host binaries
       --docker                                   (agent/runtime) (experimental) Use cri-dockerd instead of containerd
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/kr/cli/certificate.html b/kr/cli/certificate.html index 6a3c8e993..97070adb2 100644 --- a/kr/cli/certificate.html +++ b/kr/cli/certificate.html @@ -2,22 +2,22 @@ - -certificate | K3s - - + +certificate | K3s + + -

    k3s certificate

    -

    Client and Server Certificates

    +

    k3s certificate

    +

    Client and Server Certificates

    K3s client and server certificates are valid for 365 days from their date of issuance. Any certificates that are expired, or within 90 days of expiring, are automatically renewed every time K3s starts.

    -

    Rotating Client and Server Certificates

    +

    Rotating Client and Server Certificates

    To rotate client and server certificates manually, use the k3s certificate rotate subcommand:

    # Stop K3s
    systemctl stop k3s

    # Rotate certificates
    k3s certificate rotate

    # Start K3s
    systemctl start k3s

    Individual or lists of certificates can be rotated by specifying the certificate name:

    k3s certificate rotate --service <SERVICE>,<SERVICE>

    The following certificates can be rotated: admin, api-server, controller-manager, scheduler, k3s-controller, k3s-server, cloud-controller, etcd, auth-proxy, kubelet, kube-proxy.

    -

    Certificate Authority (CA) Certificates

    +

    Certificate Authority (CA) Certificates

    Kubernetes requires a number of CA certificates for proper operation. For more information on how Kubernetes uses CA certificates, see the Kubernetes PKI Certificates and Requirements documentation.

    By default, K3s generates self-signed CA certificates during startup of the first server node. These CA certificates are valid for 10 years from date of issuance, and are not automatically renewed.

    The authoritative CA certificates and keys are stored within the datastore's bootstrap key, encrypted using the server token as the PBKDF2 passphrase with AES256-GCM and HMAC-SHA1. @@ -28,7 +28,7 @@

    Version Gate

    Support for the k3s certificate rotate-ca command and the ability to use CA certificates signed by an external CA is available starting with the 2023-02 releases (v1.26.2+k3s1, v1.25.7+k3s1, v1.24.11+k3s1, v1.23.17+k3s1).

    -

    Using Custom CA Certificates

    +

    Using Custom CA Certificates

    If CA certificates and keys are found the correct location during initial startup of the first server in the cluster, automatic generation of CA certificates will be bypassed.

    An example script to pre-create the appropriate certificates and keys is available in the K3s repo at contrib/util/generate-custom-ca-certs.sh. This script should be run prior to starting K3s for the first time, and will create a full set of leaf CA certificates signed by common Root and Intermediate CA certificates. @@ -49,10 +49,10 @@

    // note: This is the private key used to sign service-account tokens. It does not have a corresponding certificate.
  • service.key
    • -

    Custom CA Topology

    +

    Custom CA Topology

    Custom CA Certificates should observe the following topology:

    -

    Using the Example Script

    +

    Using the Example Script

    중요한

    If you want to sign the cluster CA certificates with an existing root CA using the example script, you must place the root and intermediate files in the target directory prior to running the script. If the files do not exist, the script will create new root and intermediate CA certificates.

    If you want to use only an existing root CA certificate, provide the following files:

    @@ -70,14 +70,14 @@

    Usi 
    # Create the target directory for cert generation.
    mkdir -p /var/lib/rancher/k3s/server/tls

    # Copy your root CA cert and intermediate CA cert+key into the correct location for the script.
    # For the purposes of this example, we assume you have existing root and intermediate CA files in /etc/ssl.
    # If you do not have an existing root and/or intermediate CA, the script will generate them for you.
    cp /etc/ssl/certs/root.pem /etc/ssl/certs/intermediate.pem /etc/ssl/private/intermediate.key /var/lib/rancher/k3s/server/tls

    # Generate custom CA certs and keys.
    curl -sL https://github.com/k3s-io/k3s/raw/master/contrib/util/generate-custom-ca-certs.sh | bash -

    If the command completes successfully, you may install and/or start K3s for the first time. If the script generated root and/or intermediate CA files, you should back up these files so that they can be reused if it is necessary to rotate the CA certificates at a later date.

    -

    Rotating Custom CA Certificates

    +

    Rotating Custom CA Certificates

    To rotate custom CA certificates, use the k3s certificate rotate-ca subcommand. Updated files must be staged into a temporary directory, loaded into the datastore, and k3s must be restarted on all nodes to use the updated certificates.

    warning

    You must not overwrite the currently in-use data in /var/lib/rancher/k3s/server/tls.
    Stage the updated certificates and keys into a separate directory.

    A cluster that has been started with custom CA certificates can renew or rotate the CA certificates and keys non-disruptively, as long as the same root CA is used.

    If a new root CA is required, the rotation will be disruptive. The k3s certificate rotate-ca --force option must be used, all nodes that were joined with a secure token (including servers) will need to be reconfigured to use the new token value, and pods will need to be restarted to trust the new root CA.

    -

    Using the Example Script

    +

    Using the Example Script

    The example generate-custom-ca-certs.sh script linked above can also be used to generate updated certs in a new temporary directory, by copying files into the correct location and setting the DATA_DIR environment variable. To use the example script to generate updated certs and keys, run the following commands:

    # Create a temporary directory for cert generation.
    mkdir -p /opt/k3s/server/tls

    # Copy your root CA cert and intermediate CA cert+key into the correct location for the script.
    # Non-disruptive rotation requires the same root CA that was used to generate the original certificates.
    # If the original files are still in the data directory, you can just run:
    cp /var/lib/rancher/k3s/server/root.* /var/lib/rancher/k3s/server/intermediate.* /opt/k3s/server/tls

    # Copy the current service-account signing key, so that existing service-account tokens are not invalidated.
    cp /var/lib/rancher/k3s/server/tls/service.key /opt/k3s/server/tls

    # Generate updated custom CA certs and keys.
    curl -sL https://github.com/k3s-io/k3s/raw/master/contrib/util/generate-custom-ca-certs.sh | DATA_DIR=/opt/k3s bash -

    # Load the updated CA certs and keys into the datastore.
    k3s certificate rotate-ca --path=/opt/k3s/server
    @@ -85,19 +85,19 @@

    U If the command completes successfully, restart K3s on all nodes in the cluster - servers first, then agents.

    If you used the --force option or changed the root CA, ensure that any nodes that were joined with a secure token are reconfigured to use the new token value, prior to being restarted. The token may be stored in a .env file, systemd unit, or config.yaml, depending on how the node was configured during initial installation.

    -

    Rotating Self-Signed CA Certificates

    +

    Rotating Self-Signed CA Certificates

    To rotate the K3s-generated self-signed CA certificates, use the k3s certificate rotate-ca subcommand. Updated files must be staged into a temporary directory, loaded into the datastore, and k3s must be restarted on all nodes to use the updated certificates.

    warning

    You must not overwrite the currently in-use data in /var/lib/rancher/k3s/server/tls.
    Stage the updated certificates and keys into a separate directory.

    If the cluster has been started with default self-signed CA certificates, rotation will be disruptive. All nodes that were joined with a secure token will need to be reconfigured to trust the new CA hash. If the new CA certificates are not cross-signed by the old CA certificates, you will need to use the --force option to bypass integrity checks, and pods will need to be restarted to trust the new root CA.

    -

    Default CA Topology

    +

    Default CA Topology

    The default self-signed CA certificates have the following topology:

    When rotating the default self-signed CAs, a modified certificate topology with intermediate CAs and a new root CA cross-signed by the old CA can be used so that there is a continuous chain of trust between the old and new CAs:

    -

    Using The Example Script

    +

    Using The Example Script

    An example script to create updated CA certificates and keys cross-signed by the existing CAs is available in the K3s repo at contrib/util/rotate-default-ca-certs.sh.

    To use the example script to generate updated self-signed certificates that are cross-signed by the existing CAs, run the following commands:

    # Create updated CA certs and keys, cross-signed by the current CAs.
    # This script will create a new temporary directory containing the updated certs, and output the new token values.
    curl -sL https://github.com/k3s-io/k3s/raw/master/contrib/util/rotate-default-ca-certs.sh | bash -

    # Load the updated certs into the datastore; see the script output for the updated token values.
    k3s certificate rotate-ca --path=/var/lib/rancher/k3s/server/rotate-ca
    @@ -105,7 +105,7 @@

    U If the command completes successfully, restart K3s on all nodes in the cluster - servers first, then agents.

    Ensure that any nodes that were joined with a secure token, including other server nodes, are reconfigured to use the new token value prior to being restarted. The token may be stored in a .env file, systemd unit, or config.yaml, depending on how the node was configured during initial installation.

    -

    Service-Account Issuer Key Rotation

    +

    Service-Account Issuer Key Rotation

    The service-account issuer key is an RSA private key used to sign service-account tokens. When rotating the service-account issuer key, at least one old key should be retained in the file so that existing service-account tokens are not invalidated. It can be rotated independent of the cluster CAs by using the k3s certificate rotate-ca to install only an updated service.key file that includes both the new and old keys.

    @@ -114,7 +114,7 @@ 

    # Create a temporary directory for cert generation
    mkdir -p /opt/k3s/server/tls

    # Check OpenSSL version
    openssl version | grep -qF 'OpenSSL 3' && OPENSSL_GENRSA_FLAGS=-traditional

    # Generate a new key
    openssl genrsa ${OPENSSL_GENRSA_FLAGS:-} -out /opt/k3s/server/tls/service.key 2048

    # Append the existing key to avoid invalidating current tokens
    cat /var/lib/rancher/k3s/server/tls/service.key >> /opt/k3s/server/tls/service.key

    # Load the updated key into the datastore
    k3s certificate rotate-ca --path=/opt/k3s/server

    It is normal to see warnings for files that are not being updated. If the rotate-ca command returns an error, check the service log for errors. -If the command completes successfully, restart K3s on all servers in the cluster. It is not necessary to restart agents or restart any pods.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/kr/cli/etcd-snapshot.html b/kr/cli/etcd-snapshot.html index bc8bdfd43..29b7b0a60 100644 --- a/kr/cli/etcd-snapshot.html +++ b/kr/cli/etcd-snapshot.html @@ -2,19 +2,19 @@ - -etcd-snapshot | K3s - - + +etcd-snapshot | K3s + + -

    k3s etcd-snapshot

    +

    k3s etcd-snapshot

    Version Gate

    Available as of v1.19.1+k3s1

    In this section, you'll learn how to create backups of the K3s embedded etcd datastore, and to restore the cluster from backup.

    -

    Creating Snapshots

    -

    Snapshots are enabled by default, at 00:00 and 12:00 system time, with 5 snapshots retained. To configure the snapshot interval or the number of retained snapshots, refer to the options.

    +

    Creating Snapshots

    +

    Snapshots are enabled by default, at 00:00 and 12:00 system time, with 5 snapshots retained. To configure the snapshot interval or the number of retained snapshots, refer to the options.

    The snapshot directory defaults to ${data-dir}/server/db/snapshots. The data-dir value defaults to /var/lib/rancher/k3s and can be changed by setting the --data-dir flag.

    -

    Restoring a Cluster from a Snapshot

    +

    Restoring a Cluster from a Snapshot

    When K3s is restored from backup, the old data directory will be moved to ${data-dir}/server/db/etcd-old/. Then K3s will attempt to restore the snapshot by creating a new data directory, then starting etcd with a new K3s cluster with one etcd member.

    To restore the cluster from backup:

    Run K3s with the --cluster-reset option, with the --cluster-reset-restore-path also given:

    k3s server \
      --cluster-reset \
      --cluster-reset-restore-path=<PATH-TO-SNAPSHOT>

    Result: A message in the logs says that K3s can be restarted without the flags. Start k3s again and should run successfully and be restored from the specified snapshot.

    -

    Options

    +

    Options

    These options can be passed in with the command line, or in the configuration file, which may be easier to use.

    OptionsDescription
    --etcd-disable-snapshotsDisable automatic etcd snapshots
    --etcd-snapshot-schedule-cron valueSnapshot interval time in cron spec. eg. every 5 hours 0 */5 * * *(default: 0 */12 * * *)
    --etcd-snapshot-retention valueNumber of snapshots to retain (default: 5)
    --etcd-snapshot-dir valueDirectory to save db snapshots. (Default location: ${data-dir}/db/snapshots)
    --cluster-resetForget all peers and become sole member of a new cluster. This can also be set with the environment variable [$K3S_CLUSTER_RESET].
    --cluster-reset-restore-path valuePath to snapshot file to be restored
    -

    S3 Compatible API Support

    +

    S3 Compatible API Support

    K3s supports writing etcd snapshots to and restoring etcd snapshots from systems with S3-compatible APIs. S3 support is available for both on-demand and scheduled snapshots.

    The arguments below have been added to the server subcommand. These flags exist for the etcd-snapshot subcommand as well however the --etcd-s3 portion is removed to avoid redundancy.

    OptionsDescription
    --etcd-s3Enable backup to S3
    --etcd-s3-endpointS3 endpoint url
    --etcd-s3-endpoint-caS3 custom CA cert to connect to S3 endpoint
    --etcd-s3-skip-ssl-verifyDisables S3 SSL certificate validation
    --etcd-s3-access-keyS3 access key
    --etcd-s3-secret-keyS3 secret key
    --etcd-s3-bucketS3 bucket name
    --etcd-s3-regionS3 region / bucket location (optional). defaults to us-east-1
    --etcd-s3-folderS3 folder
    @@ -47,7 +47,7 @@

    S3 
    k3s etcd-snapshot \
      --s3 \
      --s3-bucket=<S3-BUCKET-NAME> \
      --s3-access-key=<S3-ACCESS-KEY> \
      --s3-secret-key=<S3-SECRET-KEY>

    To perform an on-demand etcd snapshot restore from S3, first make sure that K3s isn't running. Then run the following commands:

    k3s server \
      --cluster-init \
      --cluster-reset \
      --etcd-s3 \
      --cluster-reset-restore-path=<SNAPSHOT-NAME> \
      --etcd-s3-bucket=<S3-BUCKET-NAME> \
      --etcd-s3-access-key=<S3-ACCESS-KEY> \
      --etcd-s3-secret-key=<S3-SECRET-KEY>
    -

    Etcd Snapshot and Restore Subcommands

    +

    Etcd Snapshot and Restore Subcommands

    k3s supports a set of subcommands for working with your etcd snapshots.

    SubcommandDescription
    deleteDelete given snapshot(s)
    ls, list, lList snapshots
    pruneRemove snapshots that exceed the configured retention count
    saveTrigger an immediate etcd snapshot
    비고

    The save subcommand is the same as k3s etcd-snapshot. The latter will eventually be deprecated in favor of the former.

    @@ -57,7 +57,7 @@ 

    k3s etcd-snapshot delete          \
      --s3                            \
      --s3-bucket=<S3-BUCKET-NAME>    \
      --s3-access-key=<S3-ACCESS-KEY> \
      --s3-secret-key=<S3-SECRET-KEY> \
      <SNAPSHOT-NAME>

    Prune local snapshots with the default retention policy (5). The prune subcommand takes an additional flag --snapshot-retention that allows for overriding the default retention policy.

    k3s etcd-snapshot prune
    -
    k3s etcd-snapshot prune --snapshot-retention 10
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/kr/cli/secrets-encrypt.html b/kr/cli/secrets-encrypt.html index 4a4d9df6d..0bb20fba7 100644 --- a/kr/cli/secrets-encrypt.html +++ b/kr/cli/secrets-encrypt.html @@ -2,15 +2,15 @@ - -secrets-encrypt | K3s - - + +secrets-encrypt | K3s + + -

    k3s secrets-encrypt

    +

    k3s secrets-encrypt

    K3s supports enabling secrets encryption at rest. For more information, see Secrets Encryption.

    -

    Secrets Encryption Tool

    +

    Secrets Encryption Tool

    Version Gate

    Available as of v1.21.8+k3s1

    K3s contains a CLI tool secrets-encrypt, which enables automatic control over the following:

      @@ -20,7 +20,7 @@

      Secr
    • Reencrypting secrets

    warning

    Failure to follow proper procedure for rotating encryption keys can leave your cluster permanently corrupted. Proceed with caution.

    -

    Encryption Key Rotation

    +

    Encryption Key Rotation

    To rotate secrets encryption keys on a single-server cluster:

    • Start the K3s server with the flag --secrets-encryption
    비고

    Starting K3s without encryption and enabling it at a later time is currently not supported.

      @@ -86,7 +86,7 @@

      Encr

      Once S1 is up, kill and restart the S2 and S3

    -

    Secrets Encryption Disable/Enable

    +

    Secrets Encryption Disable/Enable

    After launching a server with --secrets-encryption flag, secrets encryption can be disabled.

    To disable secrets encryption on a single-node cluster:

    1. Disable

      @@ -98,7 +98,7 @@ 

      k3s secrets-encrypt reencrypt --force --skip

    +
    k3s secrets-encrypt reencrypt --force --skip

    To re-enable secrets encryption on a single node cluster:

    1. @@ -119,7 +119,7 @@ 

      # If using systemd
      systemctl restart k3s
      # If using openrc
      rc-service k3s restart

    +
    # If using systemd
    systemctl restart k3s
    # If using openrc
    rc-service k3s restart

  • Once S1 is up, kill and restart the S2 and S3

    @@ -144,7 +144,7 @@ 

    k3s secrets-encrypt reencrypt --force --skip

    • -

    Secrets Encryption Status

    +

    Secrets Encryption Status

    The secrets-encrypt tool includes a status command that displays information about the current status of secrets encryption on the node.

    An example of the command on a single-server node:

    $ k3s secrets-encrypt status
    Encryption Status: Enabled
    Current Rotation Stage: start
    Server Encryption Hashes: All hashes match

    Active  Key Type  Name
    ------  --------  ----
     *      AES-CBC   aescbckey

    @@ -163,7 +163,7 @@

    Se
  • Name: Name of the encryption key.
    • -

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/kr/cli/server.html b/kr/cli/server.html index 295ff79ac..924f66089 100644 --- a/kr/cli/server.html +++ b/kr/cli/server.html @@ -2,17 +2,17 @@ - -server | K3s - - + +server | K3s + + -

    k3s server

    +

    k3s server

    In this section, you'll learn how to configure the K3s server.

    Note that servers also run an agent, so all of the configuration options listed in the k3s agent documentation are also supported on servers.

    Options are documented on this page as CLI flags, but can also be passed as configuration file options. See the Configuration File documentation for more information on using YAML configuration files.

    -

    Critical Configuration Values

    +

    Critical Configuration Values

    The following options must be set to the same value on all servers in the cluster. Failure to do so will cause new servers to fail to join the cluster when using embedded etcd, or incorrect operation of the cluster when using an external datastore.

    • --agent-token
      • @@ -30,39 +30,39 @@

      Commonly Used Options

      -

      Database

      +

      Commonly Used Options

      +

      Database

      FlagEnvironment VariableDescription
      --datastore-endpoint valueK3S_DATASTORE_ENDPOINTSpecify etcd, Mysql, Postgres, or Sqlite (default) data source name
      --datastore-cafile valueK3S_DATASTORE_CAFILETLS Certificate Authority file used to secure datastore backend communication
      --datastore-certfile valueK3S_DATASTORE_CERTFILETLS certification file used to secure datastore backend communication
      --datastore-keyfile valueK3S_DATASTORE_KEYFILETLS key file used to secure datastore backend communication
      --etcd-expose-metricsN/AExpose etcd metrics to client interface (default: false)
      --etcd-disable-snapshotsN/ADisable automatic etcd snapshots
      --etcd-snapshot-name valueN/ASet the base name of etcd snapshots. Default: etcd-snapshot-<unix-timestamp> (default:"etcd-snapshot")
      --etcd-snapshot-schedule-cron valueN/ASnapshot interval time in cron spec. eg. every 5 hours '0 */5 _ * _' (default: "0 */12 * * *")
      --etcd-snapshot-retention valueN/ANumber of snapshots to retain (default: 5)
      --etcd-snapshot-dir valueN/ADirectory to save db snapshots (default: ${data-dir}/db/snapshots)
      --etcd-s3N/AEnable backup to S3
      --etcd-s3-endpoint valueN/AS3 endpoint url (default: "s3.amazonaws.com")
      --etcd-s3-endpoint-ca valueN/AS3 custom CA cert to connect to S3 endpoint
      --etcd-s3-skip-ssl-verifyN/ADisables S3 SSL certificate validation
      --etcd-s3-access-key valueAWS_ACCESS_KEY_IDS3 access key
      --etcd-s3-secret-key valueAWS_SECRET_ACCESS_KEYS3 secret key
      --etcd-s3-bucket valueN/AS3 bucket name
      --etcd-s3-region valueN/AS3 region / bucket location (optional) (default: "us-east-1")
      --etcd-s3-folder valueN/AS3 folder
      --etcd-s3-insecureDisables S3 over HTTPS
      --etcd-s3-timeout valueS3 timeout (default: 5m0s)
      -

      Cluster Options

      +

      Cluster Options

      FlagEnvironment VariableDescription
      --token value, -t valueK3S_TOKENShared secret used to join a server or agent to a cluster
      --token-file valueK3S_TOKEN_FILEFile containing the cluster-secret/token
      --agent-token valueK3S_AGENT_TOKENShared secret used to join agents to the cluster, but not servers
      --agent-token-file valueK3S_AGENT_TOKEN_FILEFile containing the agent secret
      --server valueK3S_URLServer to connect to, used to join a cluster
      --cluster-initK3S_CLUSTER_INITInitialize a new cluster using embedded Etcd
      --cluster-resetK3S_CLUSTER_RESETForget all peers and become sole member of a new cluster
      -

      Admin Kubeconfig Options

      +

      Admin Kubeconfig Options

      FlagEnvironment VariableDescription
      --write-kubeconfig value, -o valueK3S_KUBECONFIG_OUTPUTWrite kubeconfig for admin client to this file
      --write-kubeconfig-mode valueK3S_KUBECONFIG_MODEWrite kubeconfig with this mode. The kubeconfig file is owned by root, and written with a default mode of 600. Changing the mode to 644 will allow it to be read by other unprivileged users on the host.
      -

      Advanced Options

      -

      Logging

      +

      Advanced Options

      +

      Logging

      FlagDefaultDescription
      --debugN/ATurn on debug logs
      -v value0Number for the log level verbosity
      --vmodule valueN/AComma-separated list of FILE_PATTERN=LOG_LEVEL settings for file-filtered logging
      --log value, -l valueN/ALog to file
      --alsologtostderrN/ALog to standard error as well as file (if set)
      -

      Listeners

      +

      Listeners

      FlagDefaultDescription
      --bind-address value0.0.0.0k3s bind address
      --https-listen-port value6443HTTPS listen port
      --advertise-address valuenode-external-ip/node-ipIPv4 address that apiserver uses to advertise to members of the cluster
      --advertise-port valuelisten-port/0Port that apiserver uses to advertise to members of the cluster
      --tls-san valueN/AAdd additional hostnames or IPv4/IPv6 addresses as Subject Alternative Names on the TLS cert
      -

      Data

      +

      Data

      FlagDefaultDescription
      --data-dir value, -d value/var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not rootFolder to hold state
      -

      Secrets Encryption

      +

      Secrets Encryption

      FlagDefaultDescription
      --secrets-encryptionfalseEnable Secret encryption at rest
      -

      Networking

      +

      Networking

      FlagDefaultDescription
      --cluster-cidr value"10.42.0.0/16"IPv4/IPv6 network CIDRs to use for pod IPs
      --service-cidr value"10.43.0.0/16"IPv4/IPv6 network CIDRs to use for service IPs
      --service-node-port-range value"30000-32767"Port range to reserve for services with NodePort visibility
      --cluster-dns value"10.43.0.10"IPv4 Cluster IP for coredns service. Should be in your service-cidr range
      --cluster-domain value"cluster.local"Cluster Domain
      --flannel-backend value"vxlan"One of 'none', 'vxlan', 'ipsec'(deprecated), 'host-gw', 'wireguard-native', or 'wireguard'(deprecated)
      --flannel-ipv6-masq"N/A"Enable IPv6 masquerading for pod
      --flannel-external-ip"N/A"Use node external IP addresses for Flannel traffic
      --servicelb-namespace value"kube-system"Namespace of the pods for the servicelb component
      --egress-selector-mode value"agent"Must be one of the following:
      • disabled: The apiserver does not use agent tunnels to communicate with nodes. Requires that servers run agents, and have direct connectivity to the kubelet on agents, or the apiserver will not be able to function access service endpoints or perform kubectl exec and kubectl logs.
      • agent: The apiserver uses agent tunnels to communicate with nodes. Nodes allow the tunnel connection from loopback addresses. Requires that servers also run agents, or the apiserver will not be able to access service endpoints. The historical default for k3s.
      • pod: The apiserver uses agent tunnels to communicate with nodes and service endpoints, routing endpoint connections to the correct agent by watching Nodes. Nodes allow the tunnel connection from loopback addresses, or a CIDR assigned to their node.
      • cluster: The apiserver uses agent tunnels to communicate with nodes and service endpoints, routing endpoint connections to the correct agent by watching Endpoints. Nodes allow the tunnel connection from loopback addresses, or the configured cluster CIDR range.
      -

      Storage Class

      +

      Storage Class

      FlagDescription
      --default-local-storage-path valueDefault local storage path for local provisioner storage class
      -

      Kubernetes Components

      +

      Kubernetes Components

      FlagDescription
      --disable valueSee "Using the --disable flag"
      --disable-schedulerDisable Kubernetes default scheduler
      --disable-cloud-controllerDisable k3s default cloud controller manager
      --disable-kube-proxyDisable running kube-proxy
      --disable-network-policyDisable k3s default network policy controller
      --disable-helm-controllerDisable Helm controller
      -

      Customized Flags for Kubernetes Processes

      +

      Customized Flags for Kubernetes Processes

      FlagDescription
      --etcd-arg valueCustomized flag for etcd process
      --kube-apiserver-arg valueCustomized flag for kube-apiserver process
      --kube-scheduler-arg valueCustomized flag for kube-scheduler process
      --kube-controller-manager-arg valueCustomized flag for kube-controller-manager process
      --kube-cloud-controller-manager-arg valueCustomized flag for kube-cloud-controller-manager process
      --kubelet-arg valueCustomized flag for kubelet process
      --kube-proxy-arg valueCustomized flag for kube-proxy process
      -

      Experimental Options

      +

      Experimental Options

      FlagDescription
      --rootlessRun rootless
      --enable-pprofEnable pprof endpoint on supervisor port
      --dockerUse cri-dockerd instead of containerd
      --prefer-bundled-binPrefer bundled userspace binaries over host binaries
      --disable-agentSee "Running Agentless Servers (Experimental)"
      -

      Deprecated Options

      +

      Deprecated Options

      FlagEnvironment VariableDescription
      --no-flannelN/AUse --flannel-backend=none
      --no-deploy valueN/AUse --disable
      --cluster-secret valueK3S_CLUSTER_SECRETUse --token
      --flannel-backend wireguardN/AUse --flannel-backend=wireguard-native
      --flannel-backend value=option1=valueN/AUse --flannel-conf to specify the flannel config file with the backend config

      K3s Server CLI Help

      If an option appears in brackets below, for example [$K3S_TOKEN], it means that the option can be passed in as an environment variable of that name.

      -
      NAME:
         k3s server - Run management server

      USAGE:
         k3s server [OPTIONS]

      OPTIONS:
         --config FILE, -c FILE                     (config) Load configuration from FILE (default: "/etc/rancher/k3s/config.yaml") [$K3S_CONFIG_FILE]
         --debug                                    (logging) Turn on debug logs [$K3S_DEBUG]
         -v value                                   (logging) Number for the log level verbosity (default: 0)
         --vmodule value                            (logging) Comma-separated list of FILE_PATTERN=LOG_LEVEL settings for file-filtered logging
         --log value, -l value                      (logging) Log to file
         --alsologtostderr                          (logging) Log to standard error as well as file (if set)
         --bind-address value                       (listener) k3s bind address (default: 0.0.0.0)
         --https-listen-port value                  (listener) HTTPS listen port (default: 6443)
         --advertise-address value                  (listener) IPv4 address that apiserver uses to advertise to members of the cluster (default: node-external-ip/node-ip)
         --advertise-port value                     (listener) Port that apiserver uses to advertise to members of the cluster (default: listen-port) (default: 0)
         --tls-san value                            (listener) Add additional hostnames or IPv4/IPv6 addresses as Subject Alternative Names on the server TLS cert
         --data-dir value, -d value                 (data) Folder to hold state (default: /var/lib/rancher/k3s or $\{HOME\}/.rancher/k3s if not root)
         --cluster-cidr value                       (networking) IPv4/IPv6 network CIDRs to use for pod IPs (default: 10.42.0.0/16)
         --service-cidr value                       (networking) IPv4/IPv6 network CIDRs to use for service IPs (default: 10.43.0.0/16)
         --service-node-port-range value            (networking) Port range to reserve for services with NodePort visibility (default: "30000-32767")
         --cluster-dns value                        (networking) IPv4 Cluster IP for coredns service. Should be in your service-cidr range (default: 10.43.0.10)
         --cluster-domain value                     (networking) Cluster Domain (default: "cluster.local")
         --flannel-backend value                    (networking) backend<=option1=val1,option2=val2> where backend is one of 'none', 'vxlan', 'ipsec' (deprecated), 'host-gw', 'wireguard-native', 'wireguard' (deprecated) (default: "vxlan")
         --flannel-ipv6-masq                        (networking) Enable IPv6 masquerading for pod
         --flannel-external-ip                      (networking) Use node external IP addresses for Flannel traffic
         --egress-selector-mode value               (networking) One of 'agent', 'cluster', 'pod', 'disabled' (default: "agent")
         --servicelb-namespace value                (networking) Namespace of the pods for the servicelb component (default: "kube-system")
         --write-kubeconfig value, -o value         (client) Write kubeconfig for admin client to this file [$K3S_KUBECONFIG_OUTPUT]
         --write-kubeconfig-mode value              (client) Write kubeconfig with this mode [$K3S_KUBECONFIG_MODE]
         --token value, -t value                    (cluster) Shared secret used to join a server or agent to a cluster [$K3S_TOKEN]
         --token-file value                         (cluster) File containing the token [$K3S_TOKEN_FILE]
         --agent-token value                        (cluster) Shared secret used to join agents to the cluster, but not servers [$K3S_AGENT_TOKEN]
         --agent-token-file value                   (cluster) File containing the agent secret [$K3S_AGENT_TOKEN_FILE]
         --server value, -s value                   (cluster) Server to connect to, used to join a cluster [$K3S_URL]
         --cluster-init                             (cluster) Initialize a new cluster using embedded Etcd [$K3S_CLUSTER_INIT]
         --cluster-reset                            (cluster) Forget all peers and become sole member of a new cluster [$K3S_CLUSTER_RESET]
         --cluster-reset-restore-path value         (db) Path to snapshot file to be restored
         --kube-apiserver-arg value                 (flags) Customized flag for kube-apiserver process
         --etcd-arg value                           (flags) Customized flag for etcd process
         --kube-controller-manager-arg value        (flags) Customized flag for kube-controller-manager process
         --kube-scheduler-arg value                 (flags) Customized flag for kube-scheduler process
         --kube-cloud-controller-manager-arg value  (flags) Customized flag for kube-cloud-controller-manager process
         --datastore-endpoint value                 (db) Specify etcd, Mysql, Postgres, or Sqlite (default) data source name [$K3S_DATASTORE_ENDPOINT]
         --datastore-cafile value                   (db) TLS Certificate Authority file used to secure datastore backend communication [$K3S_DATASTORE_CAFILE]
         --datastore-certfile value                 (db) TLS certification file used to secure datastore backend communication [$K3S_DATASTORE_CERTFILE]
         --datastore-keyfile value                  (db) TLS key file used to secure datastore backend communication [$K3S_DATASTORE_KEYFILE]
         --etcd-expose-metrics                      (db) Expose etcd metrics to client interface. (default: false)
         --etcd-disable-snapshots                   (db) Disable automatic etcd snapshots
         --etcd-snapshot-name value                 (db) Set the base name of etcd snapshots (default: etcd-snapshot-<unix-timestamp>) (default: "etcd-snapshot")
         --etcd-snapshot-schedule-cron value        (db) Snapshot interval time in cron spec. eg. every 5 hours '* */5 * * *' (default: "0 */12 * * *")
         --etcd-snapshot-retention value            (db) Number of snapshots to retain (default: 5)
         --etcd-snapshot-dir value                  (db) Directory to save db snapshots. (default: $\{data-dir\}/db/snapshots)
         --etcd-snapshot-compress                   (db) Compress etcd snapshot
         --etcd-s3                                  (db) Enable backup to S3
         --etcd-s3-endpoint value                   (db) S3 endpoint url (default: "s3.amazonaws.com")
         --etcd-s3-endpoint-ca value                (db) S3 custom CA cert to connect to S3 endpoint
         --etcd-s3-skip-ssl-verify                  (db) Disables S3 SSL certificate validation
         --etcd-s3-access-key value                 (db) S3 access key [$AWS_ACCESS_KEY_ID]
         --etcd-s3-secret-key value                 (db) S3 secret key [$AWS_SECRET_ACCESS_KEY]
         --etcd-s3-bucket value                     (db) S3 bucket name
         --etcd-s3-region value                     (db) S3 region / bucket location (optional) (default: "us-east-1")
         --etcd-s3-folder value                     (db) S3 folder
         --etcd-s3-insecure                         (db) Disables S3 over HTTPS
         --etcd-s3-timeout value                    (db) S3 timeout (default: 5m0s)
         --default-local-storage-path value         (storage) Default local storage path for local provisioner storage class
         --disable value                            (components) Do not deploy packaged components and delete any deployed components (valid items: coredns, servicelb, traefik, local-storage, metrics-server)
         --disable-scheduler                        (components) Disable Kubernetes default scheduler
         --disable-cloud-controller                 (components) Disable k3s default cloud controller manager
         --disable-kube-proxy                       (components) Disable running kube-proxy
         --disable-network-policy                   (components) Disable k3s default network policy controller
         --disable-helm-controller                  (components) Disable Helm controller
         --node-name value                          (agent/node) Node name [$K3S_NODE_NAME]
         --with-node-id                             (agent/node) Append id to node name
         --node-label value                         (agent/node) Registering and starting kubelet with set of labels
         --node-taint value                         (agent/node) Registering kubelet with set of taints
         --image-credential-provider-bin-dir value  (agent/node) The path to the directory where credential provider plugin binaries are located (default: "/var/lib/rancher/credentialprovider/bin")
         --image-credential-provider-config value   (agent/node) The path to the credential provider plugin config file (default: "/var/lib/rancher/credentialprovider/config.yaml")
         --docker                                   (agent/runtime) (experimental) Use cri-dockerd instead of containerd
         --container-runtime-endpoint value         (agent/runtime) Disable embedded containerd and use the CRI socket at the given path; when used with --docker this sets the docker socket path
         --pause-image value                        (agent/runtime) Customized pause image for containerd or docker sandbox (default: "rancher/mirrored-pause:3.6")
         --snapshotter value                        (agent/runtime) Override default containerd snapshotter (default: "overlayfs")
         --private-registry value                   (agent/runtime) Private registry configuration file (default: "/etc/rancher/k3s/registries.yaml")
         --system-default-registry value            (agent/runtime) Private registry to be used for all system images [$K3S_SYSTEM_DEFAULT_REGISTRY]
         --node-ip value, -i value                  (agent/networking) IPv4/IPv6 addresses to advertise for node
         --node-external-ip value                   (agent/networking) IPv4/IPv6 external IP addresses to advertise for node
         --resolv-conf value                        (agent/networking) Kubelet resolv.conf file [$K3S_RESOLV_CONF]
         --flannel-iface value                      (agent/networking) Override default flannel interface
         --flannel-conf value                       (agent/networking) Override default flannel config file
         --flannel-cni-conf value                   (agent/networking) Override default flannel cni config file
         --kubelet-arg value                        (agent/flags) Customized flag for kubelet process
         --kube-proxy-arg value                     (agent/flags) Customized flag for kube-proxy process
         --protect-kernel-defaults                  (agent/node) Kernel tuning behavior. If set, error if kernel tunables are different than kubelet defaults.
         --secrets-encryption                       Enable secret encryption at rest
         --enable-pprof                             (experimental) Enable pprof endpoint on supervisor port
         --rootless                                 (experimental) Run rootless
         --prefer-bundled-bin                       (experimental) Prefer bundled userspace binaries over host binaries
         --selinux                                  (agent/node) Enable SELinux in containerd [$K3S_SELINUX]
         --lb-server-port value                     (agent/node) Local port for supervisor client load-balancer. If the supervisor and apiserver are not colocated an additional port 1 less than this port will also be used for the apiserver client load-balancer. (default: 6444) [$K3S_LB_SERVER_PORT]
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +
    NAME:
       k3s server - Run management server

    USAGE:
       k3s server [OPTIONS]

    OPTIONS:
       --config FILE, -c FILE                     (config) Load configuration from FILE (default: "/etc/rancher/k3s/config.yaml") [$K3S_CONFIG_FILE]
       --debug                                    (logging) Turn on debug logs [$K3S_DEBUG]
       -v value                                   (logging) Number for the log level verbosity (default: 0)
       --vmodule value                            (logging) Comma-separated list of FILE_PATTERN=LOG_LEVEL settings for file-filtered logging
       --log value, -l value                      (logging) Log to file
       --alsologtostderr                          (logging) Log to standard error as well as file (if set)
       --bind-address value                       (listener) k3s bind address (default: 0.0.0.0)
       --https-listen-port value                  (listener) HTTPS listen port (default: 6443)
       --advertise-address value                  (listener) IPv4 address that apiserver uses to advertise to members of the cluster (default: node-external-ip/node-ip)
       --advertise-port value                     (listener) Port that apiserver uses to advertise to members of the cluster (default: listen-port) (default: 0)
       --tls-san value                            (listener) Add additional hostnames or IPv4/IPv6 addresses as Subject Alternative Names on the server TLS cert
       --data-dir value, -d value                 (data) Folder to hold state (default: /var/lib/rancher/k3s or $\{HOME\}/.rancher/k3s if not root)
       --cluster-cidr value                       (networking) IPv4/IPv6 network CIDRs to use for pod IPs (default: 10.42.0.0/16)
       --service-cidr value                       (networking) IPv4/IPv6 network CIDRs to use for service IPs (default: 10.43.0.0/16)
       --service-node-port-range value            (networking) Port range to reserve for services with NodePort visibility (default: "30000-32767")
       --cluster-dns value                        (networking) IPv4 Cluster IP for coredns service. Should be in your service-cidr range (default: 10.43.0.10)
       --cluster-domain value                     (networking) Cluster Domain (default: "cluster.local")
       --flannel-backend value                    (networking) backend<=option1=val1,option2=val2> where backend is one of 'none', 'vxlan', 'ipsec' (deprecated), 'host-gw', 'wireguard-native', 'wireguard' (deprecated) (default: "vxlan")
       --flannel-ipv6-masq                        (networking) Enable IPv6 masquerading for pod
       --flannel-external-ip                      (networking) Use node external IP addresses for Flannel traffic
       --egress-selector-mode value               (networking) One of 'agent', 'cluster', 'pod', 'disabled' (default: "agent")
       --servicelb-namespace value                (networking) Namespace of the pods for the servicelb component (default: "kube-system")
       --write-kubeconfig value, -o value         (client) Write kubeconfig for admin client to this file [$K3S_KUBECONFIG_OUTPUT]
       --write-kubeconfig-mode value              (client) Write kubeconfig with this mode [$K3S_KUBECONFIG_MODE]
       --token value, -t value                    (cluster) Shared secret used to join a server or agent to a cluster [$K3S_TOKEN]
       --token-file value                         (cluster) File containing the token [$K3S_TOKEN_FILE]
       --agent-token value                        (cluster) Shared secret used to join agents to the cluster, but not servers [$K3S_AGENT_TOKEN]
       --agent-token-file value                   (cluster) File containing the agent secret [$K3S_AGENT_TOKEN_FILE]
       --server value, -s value                   (cluster) Server to connect to, used to join a cluster [$K3S_URL]
       --cluster-init                             (cluster) Initialize a new cluster using embedded Etcd [$K3S_CLUSTER_INIT]
       --cluster-reset                            (cluster) Forget all peers and become sole member of a new cluster [$K3S_CLUSTER_RESET]
       --cluster-reset-restore-path value         (db) Path to snapshot file to be restored
       --kube-apiserver-arg value                 (flags) Customized flag for kube-apiserver process
       --etcd-arg value                           (flags) Customized flag for etcd process
       --kube-controller-manager-arg value        (flags) Customized flag for kube-controller-manager process
       --kube-scheduler-arg value                 (flags) Customized flag for kube-scheduler process
       --kube-cloud-controller-manager-arg value  (flags) Customized flag for kube-cloud-controller-manager process
       --datastore-endpoint value                 (db) Specify etcd, Mysql, Postgres, or Sqlite (default) data source name [$K3S_DATASTORE_ENDPOINT]
       --datastore-cafile value                   (db) TLS Certificate Authority file used to secure datastore backend communication [$K3S_DATASTORE_CAFILE]
       --datastore-certfile value                 (db) TLS certification file used to secure datastore backend communication [$K3S_DATASTORE_CERTFILE]
       --datastore-keyfile value                  (db) TLS key file used to secure datastore backend communication [$K3S_DATASTORE_KEYFILE]
       --etcd-expose-metrics                      (db) Expose etcd metrics to client interface. (default: false)
       --etcd-disable-snapshots                   (db) Disable automatic etcd snapshots
       --etcd-snapshot-name value                 (db) Set the base name of etcd snapshots (default: etcd-snapshot-<unix-timestamp>) (default: "etcd-snapshot")
       --etcd-snapshot-schedule-cron value        (db) Snapshot interval time in cron spec. eg. every 5 hours '* */5 * * *' (default: "0 */12 * * *")
       --etcd-snapshot-retention value            (db) Number of snapshots to retain (default: 5)
       --etcd-snapshot-dir value                  (db) Directory to save db snapshots. (default: $\{data-dir\}/db/snapshots)
       --etcd-snapshot-compress                   (db) Compress etcd snapshot
       --etcd-s3                                  (db) Enable backup to S3
       --etcd-s3-endpoint value                   (db) S3 endpoint url (default: "s3.amazonaws.com")
       --etcd-s3-endpoint-ca value                (db) S3 custom CA cert to connect to S3 endpoint
       --etcd-s3-skip-ssl-verify                  (db) Disables S3 SSL certificate validation
       --etcd-s3-access-key value                 (db) S3 access key [$AWS_ACCESS_KEY_ID]
       --etcd-s3-secret-key value                 (db) S3 secret key [$AWS_SECRET_ACCESS_KEY]
       --etcd-s3-bucket value                     (db) S3 bucket name
       --etcd-s3-region value                     (db) S3 region / bucket location (optional) (default: "us-east-1")
       --etcd-s3-folder value                     (db) S3 folder
       --etcd-s3-insecure                         (db) Disables S3 over HTTPS
       --etcd-s3-timeout value                    (db) S3 timeout (default: 5m0s)
       --default-local-storage-path value         (storage) Default local storage path for local provisioner storage class
       --disable value                            (components) Do not deploy packaged components and delete any deployed components (valid items: coredns, servicelb, traefik, local-storage, metrics-server)
       --disable-scheduler                        (components) Disable Kubernetes default scheduler
       --disable-cloud-controller                 (components) Disable k3s default cloud controller manager
       --disable-kube-proxy                       (components) Disable running kube-proxy
       --disable-network-policy                   (components) Disable k3s default network policy controller
       --disable-helm-controller                  (components) Disable Helm controller
       --node-name value                          (agent/node) Node name [$K3S_NODE_NAME]
       --with-node-id                             (agent/node) Append id to node name
       --node-label value                         (agent/node) Registering and starting kubelet with set of labels
       --node-taint value                         (agent/node) Registering kubelet with set of taints
       --image-credential-provider-bin-dir value  (agent/node) The path to the directory where credential provider plugin binaries are located (default: "/var/lib/rancher/credentialprovider/bin")
       --image-credential-provider-config value   (agent/node) The path to the credential provider plugin config file (default: "/var/lib/rancher/credentialprovider/config.yaml")
       --docker                                   (agent/runtime) (experimental) Use cri-dockerd instead of containerd
       --container-runtime-endpoint value         (agent/runtime) Disable embedded containerd and use the CRI socket at the given path; when used with --docker this sets the docker socket path
       --pause-image value                        (agent/runtime) Customized pause image for containerd or docker sandbox (default: "rancher/mirrored-pause:3.6")
       --snapshotter value                        (agent/runtime) Override default containerd snapshotter (default: "overlayfs")
       --private-registry value                   (agent/runtime) Private registry configuration file (default: "/etc/rancher/k3s/registries.yaml")
       --system-default-registry value            (agent/runtime) Private registry to be used for all system images [$K3S_SYSTEM_DEFAULT_REGISTRY]
       --node-ip value, -i value                  (agent/networking) IPv4/IPv6 addresses to advertise for node
       --node-external-ip value                   (agent/networking) IPv4/IPv6 external IP addresses to advertise for node
       --resolv-conf value                        (agent/networking) Kubelet resolv.conf file [$K3S_RESOLV_CONF]
       --flannel-iface value                      (agent/networking) Override default flannel interface
       --flannel-conf value                       (agent/networking) Override default flannel config file
       --flannel-cni-conf value                   (agent/networking) Override default flannel cni config file
       --kubelet-arg value                        (agent/flags) Customized flag for kubelet process
       --kube-proxy-arg value                     (agent/flags) Customized flag for kube-proxy process
       --protect-kernel-defaults                  (agent/node) Kernel tuning behavior. If set, error if kernel tunables are different than kubelet defaults.
       --secrets-encryption                       Enable secret encryption at rest
       --enable-pprof                             (experimental) Enable pprof endpoint on supervisor port
       --rootless                                 (experimental) Run rootless
       --prefer-bundled-bin                       (experimental) Prefer bundled userspace binaries over host binaries
       --selinux                                  (agent/node) Enable SELinux in containerd [$K3S_SELINUX]
       --lb-server-port value                     (agent/node) Local port for supervisor client load-balancer. If the supervisor and apiserver are not colocated an additional port 1 less than this port will also be used for the apiserver client load-balancer. (default: 6444) [$K3S_LB_SERVER_PORT]
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/kr/cli/token.html b/kr/cli/token.html index 60c1611c7..79567383a 100644 --- a/kr/cli/token.html +++ b/kr/cli/token.html @@ -2,17 +2,17 @@ - -token | K3s - - + +token | K3s + + -

    k3s token

    +

    k3s token

    K3s uses tokens to secure the node join process. Tokens authenticate the cluster to the joining node, and the node to the cluster.

    -

    Token Format

    +

    Token Format

    K3s tokens can be specified in either secure or short format. The secure format is preferred, as it enables the client to authenticate the identity of the cluster it is joining, before sending credentials.

    -

    Secure

    +

    Secure

    The secure token format (occasionally referred to as a "full" token) contains the following parts:

    <prefix><cluster CA hash>::<credentials>

      @@ -25,7 +25,7 @@

      SecureTLS Bootstrapping

      +

      TLS Bootstrapping

      When a secure token is specified, the joining node performs the following steps to validate the identity of the server it has connected to, before transmitting credentials:

      1. With TLS verification disabled, download the CA bundle from /cacerts on the server it is joining.
        2. @@ -34,42 +34,42 @@

        TLS Bootst
      2. If the hash matches, validate that the certificate presented by the server can be validated by the server's CA bundle.
      3. If the server certificate is valid, present credentials to join the cluster using either basic or bearer token authentication, depending on the token type.

      -

      Short

      +

      Short

      The short token format includes only the password or bearer token used to authenticate the joining node to the cluster.

      If a short token is used, the joining node implicitly trusts the CA bundle presented by the server; steps 2-4 in the TLS Bootstrapping process are skipped. The initial connection may be vulnerable to man-in-the-middle attack.

      -

      Token Types

      +

      Token Types

      K3s supports three types of tokens. Only the server token is available by default; additional token types must be configured or created by the administrator.

      TypeCLI OptionEnvironment Variable
      Server--tokenK3S_TOKEN
      Agent--agent-tokenK3S_AGENT_TOKEN
      Bootstrapn/an/a
      -

      Server

      +

      Server

      If no token is provided when starting the first server in the cluster, one is created with a random password. The server token is always written to /var/lib/rancher/k3s/server/token, in secure format.

      The server token can be used to join both server and agent nodes to the cluster. It cannot be changed once the cluster has been created, and anyone with access to the server token essentially has full administrator access to the cluster. This token should be guarded carefully.

      The server token is also used as the PBKDF2 passphrase for the key used to encrypt confidential information that is persisted to the datastore, such as the secrets-encryption configuration, wireguard keys, and private keys for cluster CA certificates and service-account tokens. For this reason, the token must be backed up alongside the cluster datastore itself.

      warning

      Unless custom CA certificates are in use, only the short (password-only) token format can be used when starting the first server in the cluster. This is because the cluster CA hash cannot be known until after the server has generated the self-signed cluster CA certificates.

      For more information on using custom CA certificates, see the k3s certificate documentation.
      For more information on backing up your cluster, see the Backup and Restore documentation.

      -

      Agent

      +

      Agent

      By default, the agent token is the same as the server token. The agent token can be set before or after the cluster has been started, by changing the CLI option or environment variable on all servers in the cluster. The agent token is similar to the server token in that is it statically configured, and does not expire.

      The agent token is written to /var/lib/rancher/k3s/server/agent-token, in secure format. If no agent token is specified, this file is a link to the server token.

      -

      Bootstrap

      +

      Bootstrap

      Version Gate

      Support for the k3s token command and the ability to join nodes with bootstrap tokens is available starting with the 2023-02 releases (v1.26.2+k3s1, v1.25.7+k3s1, v1.24.11+k3s1, v1.23.17+k3s1).

      K3s supports dynamically generated, automatically expiring agent bootstrap tokens. Bootstrap tokens can only be used to join agents.

      -

      k3s token

      +

      k3s token

      K3s bootstrap tokens use the same generation and validation code as kubeadm token bootstrap tokens, and the k3s token CLI is similar.

      NAME:
         k3s token - Manage bootstrap tokens

      USAGE:
         k3s token command [command options] [arguments...]

      COMMANDS:
         create    Create bootstrap tokens on the server
         delete    Delete bootstrap tokens on the server
         generate  Generate and print a bootstrap token, but do not create it on the server
         list      List bootstrap tokens on the server

      OPTIONS:
         --help, -h  show help
      -

      k3s token create [token]

      +

      k3s token create [token]

      Create a new token. The [token] is the actual token to write, as generated by k3s token generate. If no token is given, a random one will be generated.

      A token in secure format, including the cluster CA hash, will be written to stdout. The output of this command should be saved, as the secret portion of the token cannot be shown again.

      FlagDescription
      --data-dir value(data) Folder to hold state default /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root
      --kubeconfig value(cluster) Server to connect to [$KUBECONFIG]
      --description valueA human friendly description of how this token is used
      --groups valueExtra groups that this token will authenticate as when used for authentication. (default: Default: "system:bootstrappers:k3s:default-node-token")
      --ttl valueThe duration before the token is automatically deleted (e.g. 1s, 2m, 3h). If set to '0', the token will never expire (default: 24h0m0s)
      --usages valueDescribes the ways in which this token can be used. (default: "signing,authentication")
      -

      k3s token delete

      +

      k3s token delete

      Delete one or more tokens. The full token can be provided, or just the token ID.

      FlagDescription
      --data-dir value(data) Folder to hold state default /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root
      --kubeconfig value(cluster) Server to connect to [$KUBECONFIG]
      -

      k3s token generate

      +

      k3s token generate

      Generate a randomly-generated bootstrap token.

      You don't have to use this command in order to generate a token. You can do so yourself as long as it is in the format "[a-z0-9]6.[a-z0-9]16", where the first portion is the token ID, and the second portion is the secret.

      FlagDescription
      --data-dir value(data) Folder to hold state default /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root
      --kubeconfig value(cluster) Server to connect to [$KUBECONFIG]
      -

      k3s token list

      +

      k3s token list

      List bootstrap tokens, showing their ID, description, and remaining time-to-live.

      -
      FlagDescription
      --data-dir value(data) Folder to hold state default /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root
      --kubeconfig value(cluster) Server to connect to [$KUBECONFIG]
      --output valueOutput format. Valid options: text, json (default: "text")
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +
    FlagDescription
    --data-dir value(data) Folder to hold state default /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root
    --kubeconfig value(cluster) Server to connect to [$KUBECONFIG]
    --output valueOutput format. Valid options: text, json (default: "text")
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/kr/cluster-access.html b/kr/cluster-access.html index 387445f37..e69be9057 100644 --- a/kr/cluster-access.html +++ b/kr/cluster-access.html @@ -2,19 +2,19 @@ - -클러스터 접근 | K3s - - + +클러스터 접근 | K3s + + -

    클러스터 접근

    /etc/rancher/k3s/k3s.yaml에 저장된 kubeconfig 파일은 쿠버네티스 클러스터에 대한 액세스를 구성하는 데 사용됩니다. kubectl 또는 helm과 같은 업스트림 Kubernetes 명령줄 도구를 설치한 경우 올바른 kubeconfig 경로로 구성해야 합니다. 이 작업은 kubeconfig 환경 변수를 내보내거나 --kubeconfig 명령줄 플래그를 호출하여 수행할 수 있습니다. 자세한 내용은 아래 예시를 참고하세요.

    +

    클러스터 접근

    /etc/rancher/k3s/k3s.yaml에 저장된 kubeconfig 파일은 쿠버네티스 클러스터에 대한 액세스를 구성하는 데 사용됩니다. kubectl 또는 helm과 같은 업스트림 Kubernetes 명령줄 도구를 설치한 경우 올바른 kubeconfig 경로로 구성해야 합니다. 이 작업은 kubeconfig 환경 변수를 내보내거나 --kubeconfig 명령줄 플래그를 호출하여 수행할 수 있습니다. 자세한 내용은 아래 예시를 참고하세요.

    KUBECONFIG 환경 변수를 활용합니다:

    export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
    kubectl get pods --all-namespaces
    helm ls --all-namespaces

    또는 명령에 kubeconfig 파일의 위치를 지정합니다:

    kubectl --kubeconfig /etc/rancher/k3s/k3s.yaml get pods --all-namespaces
    helm --kubeconfig /etc/rancher/k3s/k3s.yaml ls --all-namespaces
    -

    외부에서 kubectl로 클러스터에 접근하기

    -

    /etc/rancher/k3s/k3s.yaml파일을 클러스터 외부에 위치한 머신의 ~/.kube/config로 복사합니다. 그런 다음 server 필드의 값을 K3s 서버의 IP 또는 이름으로 바꿉니다. 이제 kubectl이 K3s 클러스터를 관리할 수 있습니다.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +

    외부에서 kubectl로 클러스터에 접근하기

    +

    /etc/rancher/k3s/k3s.yaml파일을 클러스터 외부에 위치한 머신의 ~/.kube/config로 복사합니다. 그런 다음 server 필드의 값을 K3s 서버의 IP 또는 이름으로 바꿉니다. 이제 kubectl이 K3s 클러스터를 관리할 수 있습니다.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/kr/datastore.html b/kr/datastore.html index ca0d1b380..47a25c1cd 100644 --- a/kr/datastore.html +++ b/kr/datastore.html @@ -2,13 +2,13 @@ - -클러스터 데이터 저장소 | K3s - - + +클러스터 데이터 저장소 | K3s + + -

    클러스터 데이터 저장소

    etcd가 아닌 다른 데이터스토어를 사용하여 쿠버네티스를 실행할 수 있는 기능은 K3s를 다른 쿠버네티스 배포판과 차별화합니다. 이 기능은 쿠버네티스 운영자에게 유연성을 제공합니다. 사용 가능한 데이터스토어 옵션을 통해 사용 사례에 가장 적합한 데이터스토어를 선택할 수 있습니다. 예를 들어:

    +

    클러스터 데이터 저장소

    etcd가 아닌 다른 데이터스토어를 사용하여 쿠버네티스를 실행할 수 있는 기능은 K3s를 다른 쿠버네티스 배포판과 차별화합니다. 이 기능은 쿠버네티스 운영자에게 유연성을 제공합니다. 사용 가능한 데이터스토어 옵션을 통해 사용 사례에 가장 적합한 데이터스토어를 선택할 수 있습니다. 예를 들어:

    • 팀에 etcd 운영에 대한 전문 지식이 없는 경우, MySQL 또는 PostgreSQL과 같은 엔터프라이즈급 SQL 데이터베이스를 선택할 수 있습니다.
    • CI/CD 환경에서 단순하고 수명이 짧은 클러스터를 실행해야 하는 경우, 임베디드 SQLite 데이터베이스를 사용할 수 있습니다.
      • @@ -33,19 +33,19 @@
    -

    외부 데이터스토어 구성 파라미터

    +

    외부 데이터스토어 구성 파라미터

    PostgreSQL, MySQL, etcd와 같은 외부 데이터스토어를 사용하려면 K3s가 연결 방법을 알 수 있도록 datastore-endpoint 파라미터를 설정해야 합니다. 또한 연결의 인증 및 암호화를 구성하는 파라미터를 지정할 수도 있습니다. 아래 표에는 이러한 매개변수가 요약되어 있으며, CLI 플래그 또는 환경 변수로 전달할 수 있습니다.

    CLI FlagEnvironment VariableDescription
    --datastore-endpointK3S_DATASTORE_ENDPOINTPostgreSQL, MySQL 또는 etcd 연결 문자열을 지정합니다. 데이터스토어에 대한 연결을 설명하는 데 사용되는 문자열입니다. 이 문자열의 구조는 각 백엔드에 따라 다르며 아래에 자세히 설명되어 있습니다.
    --datastore-cafileK3S_DATASTORE_CAFILE데이터스토어와의 통신을 보호하는 데 사용되는 TLS 인증 기관(CA: Certificate Authority) 파일입니다. 데이터스토어에서 사용자 지정 인증 기관에서 서명한 인증서를 사용하여 TLS를 통해 요청을 제공하는 경우, 이 매개변수를 사용하여 해당 CA를 지정하면 K3s 클라이언트가 인증서를 올바르게 확인할 수 있습니다.
    --datastore-certfileK3S_DATASTORE_CERTFILE데이터스토어에 대한 클라이언트 인증서 기반 인증에 사용되는 TLS 인증서 파일입니다. 이 기능을 사용하려면 데이터스토어가 클라이언트 인증서 기반 인증을 지원하도록 구성되어 있어야 합니다. 이 파라미터를 지정하는 경우 datastore-keyfile 파라미터도 지정해야 합니다.
    --datastore-keyfileK3S_DATASTORE_KEYFILE데이터스토어에 대한 클라이언트 인증서 기반 인증에 사용되는 TLS 키 파일입니다. 자세한 내용은 이전 datastore-certfile 매개변수를 참조하세요.

    데이터베이스 자격 증명이나 기타 민감한 정보가 프로세스 정보의 일부로 노출되지 않도록 이러한 매개 변수를 명령줄 인수가 아닌 환경 변수로 설정하는 것이 좋습니다.

    -

    데이터스토어 엔드포인트 형식 및 기능

    -

    앞서 언급했듯이, datastore-endpoint 매개변수에 전달되는 값의 형식은 데이터스토어 백엔드에 따라 달라집니다. 다음은 지원되는 각 외부 데이터스토어에 대한 이 형식과 기능에 대해 자세히 설명합니다.

    +

    데이터스토어 엔드포인트 형식 및 기능

    +

    앞서 언급했듯이, datastore-endpoint 매개변수에 전달되는 값의 형식은 데이터스토어 백엔드에 따라 달라집니다. 다음은 지원되는 각 외부 데이터스토어에 대한 이 형식과 기능에 대해 자세히 설명합니다.

    가장 일반적인 형식의 PostgreSQL용 데이터 저장소 엔드포인트 매개 변수는 다음과 같은 형식을 갖습니다:

    postgres://username:password@hostname:port/database-name

    더 고급 구성 매개변수를 사용할 수 있습니다. 이에 대한 자세한 내용은 https://godoc.org/github.com/lib/pq 을 참조하세요.

    데이터베이스 이름을 지정했는데 해당 데이터베이스가 존재하지 않으면 서버에서 데이터베이스 생성을 시도합니다.

    엔드포인트로 postgres://만 제공하는 경우, K3s는 다음을 시도합니다:

    • 사용자 이름과 비밀번호로 postgres를 사용하여 localhost에 연결합니다.
    • kubernetes라는 이름의 데이터베이스를 생성합니다.
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/kr/datastore/backup-restore.html b/kr/datastore/backup-restore.html index f2cf93366..4b80035b3 100644 --- a/kr/datastore/backup-restore.html +++ b/kr/datastore/backup-restore.html @@ -2,23 +2,23 @@ - -Backup and Restore | K3s - - + +Backup and Restore | K3s + + -

    Backup and Restore

    The way K3s is backed up and restored depends on which type of datastore is used.

    +

    Backup and Restore

    The way K3s is backed up and restored depends on which type of datastore is used.

    warning

    In addition to backing up the datastore itself, you must also back up the server token file at /var/lib/rancher/k3s/server/token. You must restore this file, or pass its value into the --token option, when restoring from backup. If you do not use the same token value when restoring, the snapshot will be unusable, as the token is used to encrypt confidential data within the datastore itself.

    -

    Backup and Restore with SQLite

    +

    Backup and Restore with SQLite

    No special commands are required to back up or restore the SQLite datastore.

    • To back up the SQLite datastore, take a copy of /var/lib/rancher/k3s/server/db/.
    • To restore the SQLite datastore, restore the contents of /var/lib/rancher/k3s/server/db (and the token, as discussed above).
    -

    Backup and Restore with External Datastore

    +

    Backup and Restore with External Datastore

    When an external datastore is used, backup and restore operations are handled outside of K3s. The database administrator will need to back up the external database, or restore it from a snapshot or dump.

    We recommend configuring the database to take recurring snapshots.

    For details on taking database snapshots and restoring your database from them, refer to the official database documentation:

    @@ -27,8 +27,8 @@

    Official PostgreSQL documentation
  • Official etcd documentation
    • -

    Backup and Restore with Embedded etcd Datastore

    -

    See the k3s etcd-snapshot command documentation for information on performing backup and restore operations on the embedded etcd datastore.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +

    Backup and Restore with Embedded etcd Datastore

    +

    See the k3s etcd-snapshot command documentation for information on performing backup and restore operations on the embedded etcd datastore.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/kr/datastore/cluster-loadbalancer.html b/kr/datastore/cluster-loadbalancer.html index eac9fa1ca..edc656334 100644 --- a/kr/datastore/cluster-loadbalancer.html +++ b/kr/datastore/cluster-loadbalancer.html @@ -2,15 +2,15 @@ - -Cluster Load Balancer | K3s - - + +Cluster Load Balancer | K3s + + -

    Cluster Load Balancer

    This section describes how to install an external load balancer in front of a High Availability (HA) K3s cluster's server nodes. Two examples are provided: Nginx and HAProxy.

    +

    Cluster Load Balancer

    This section describes how to install an external load balancer in front of a High Availability (HA) K3s cluster's server nodes. Two examples are provided: Nginx and HAProxy.

    External load-balancers should not be confused with the embedded ServiceLB, which is an embedded controller that allows for use of Kubernetes LoadBalancer Services without deploying a third-party load-balancer controller. For more details, see Service Load Balancer.

    External load-balancers can be used to provide a fixed registration address for registering nodes, or for external access to the Kubernetes API Server. For exposing LoadBalancer Services, external load-balancers can be used alongside or instead of ServiceLB, but in most cases, replacement load-balancer controllers such as MetalLB or Kube-VIP are a better choice.

    -

    Prerequisites

    +

    Prerequisites

    All nodes in this example are running Ubuntu 20.04.

    For both examples, assume that a HA K3s cluster with embedded etcd has been installed on 3 nodes.

    Each k3s server is configured with:

    @@ -32,7 +32,7 @@

    Prerequisites<
  • agent-2: 10.10.10.102
  • agent-3: 10.10.10.103
    • -

    Setup Load Balancer

    +

    Setup Load Balancer

    HAProxy is an open source option that provides a TCP load balancer. It also supports HA for the load balancer itself, ensuring redundancy at all levels. See HAProxy Documentation for more info.

    Additionally, we will use KeepAlived to generate a virtual IP (VIP) that will be used to access the cluster. See KeepAlived Documentation for more info.

    1. Install HAProxy and KeepAlived:
    sudo apt-get install haproxy keepalived
      @@ -43,13 +43,13 @@

      Setup Lo
    1. Restart HAProxy and KeepAlived on lb-1 and lb-2:

    systemctl restart haproxy
    systemctl restart keepalived
    1. On agent-1, agent-2, and agent-3, run the following command to install k3s and join the cluster:
      2. -
    curl -sfL https://get.k3s.io | K3S_TOKEN=lb-cluster-gd sh -s - agent --server https://10.10.10.100:6443

    You can now use kubectl from server node to interact with the cluster.

    root@server-1 $ k3s kubectl get nodes -A
    NAME       STATUS   ROLES                       AGE     VERSION
    agent-1    Ready    <none>                      32s     v1.27.3+k3s1
    agent-2    Ready    <none>                      20s     v1.27.3+k3s1
    agent-3    Ready    <none>                      9s      v1.27.3+k3s1
    server-1   Ready    control-plane,etcd,master   4m22s   v1.27.3+k3s1
    server-2   Ready    control-plane,etcd,master   3m58s   v1.27.3+k3s1
    server-3   Ready    control-plane,etcd,master   3m12s   v1.27.3+k3s1
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +
    curl -sfL https://get.k3s.io | K3S_TOKEN=lb-cluster-gd sh -s - agent --server https://10.10.10.99:6443

    You can now use kubectl from server node to interact with the cluster.

    root@server1 $ k3s kubectl get nodes -A
    NAME       STATUS   ROLES                       AGE     VERSION
    agent-1    Ready    <none>                      30s     v1.27.3+k3s1
    agent-2    Ready    <none>                      22s     v1.27.3+k3s1
    agent-3    Ready    <none>                      13s     v1.27.3+k3s1
    server-1   Ready    control-plane,etcd,master   4m49s   v1.27.3+k3s1
    server-2   Ready    control-plane,etcd,master   3m58s   v1.27.3+k3s1
    server-3   Ready    control-plane,etcd,master   3m16s   v1.27.3+k3s1
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/kr/datastore/ha-embedded.html b/kr/datastore/ha-embedded.html index 663cf6675..f51ed59e9 100644 --- a/kr/datastore/ha-embedded.html +++ b/kr/datastore/ha-embedded.html @@ -2,14 +2,14 @@ - -High Availability Embedded etcd | K3s - - + +High Availability Embedded etcd | K3s + + -

    High Availability Embedded etcd

    warning

    Embedded etcd (HA) may have performance issues on slower disks such as Raspberry Pis running with SD cards.

    -

    New cluster

    +

    High Availability Embedded etcd

    warning

    Embedded etcd (HA) may have performance issues on slower disks such as Raspberry Pis running with SD cards.

    +

    New cluster

    To run K3s in this mode, you must have an odd number of server nodes. We recommend starting with three nodes.

    To get started, first launch a server node with the cluster-init flag to enable clustering and a token that will be used as a shared secret to join additional servers to the cluster.

    curl -sfL https://get.k3s.io | K3S_TOKEN=SECRET sh -s - server --cluster-init
    @@ -24,12 +24,12 @@

    New clusterFlags controlling the deployment of certain components: --disable-helm-controller, --disable-kube-proxy, --disable-network-policy and any component passed to --disable
  • Feature related flags: --secrets-encryption
    • -

    Existing clusters

    +

    Existing clusters

    If you have an existing cluster using the default embedded SQLite database, you can convert it to etcd by simply restarting your K3s server with the --cluster-init flag. Once you've done that, you'll be able to add additional instances as described above.

    If an etcd datastore is found on disk either because that node has either initialized or joined a cluster already, the datastore arguments (--cluster-init, --server, --datastore-endpoint, etc) are ignored.

    Important: K3s v1.22.2 and newer support migration from SQLite to etcd. Older versions will create a new empty datastore if you add --cluster-init to an existing server.

    -
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/kr/datastore/ha.html b/kr/datastore/ha.html index 445ac9adc..9e7dcf455 100644 --- a/kr/datastore/ha.html +++ b/kr/datastore/ha.html @@ -2,13 +2,13 @@ - -High Availability External DB | K3s - - + +High Availability External DB | K3s + + -

    High Availability External DB

    +

    High Availability External DB

    Note: Official support for installing Rancher on a Kubernetes cluster was introduced in our v1.0.0 release.

    This section describes how to install a high-availability K3s cluster with an external database.

    @@ -21,11 +21,11 @@

    For more details on how these components work together, refer to the architecture section.

    Agents register through the fixed registration address, but after registration they establish a connection directly to one of the server nodes. This is a websocket connection initiated by the k3s agent process, it is maintained by a client-side load balancer running as part of the agent process.

    -

    Installation Outline

    +

    Installation Outline

    Setting up an HA cluster requires the following steps:

    -

    1. Create an External Datastore

    +

    1. Create an External Datastore

    You will first need to create an external datastore for the cluster. See the Cluster Datastore Options documentation for more details.

    -

    2. Launch Server Nodes

    +

    2. Launch Server Nodes

    K3s requires two or more server nodes for this HA configuration. See the Requirements guide for minimum machine requirements.

    When running the k3s server command on these nodes, you must set the datastore-endpoint parameter so that K3s knows how to connect to the external datastore. The token parameter can also be used to set a deterministic token when adding nodes. When empty, this token will be generated automatically for further use.

    For example, a command like the following could be used to install the K3s server with a MySQL database as the external datastore and set a token:

    @@ -35,7 +35,7 @@

    2. Lau
    비고

    The same installation options available to single-server installs are also available for high-availability installs. For more details, see the Configuration Options documentation.

    By default, server nodes will be schedulable and thus your workloads can get launched on them. If you wish to have a dedicated control plane where no user workloads will run, you can use taints. The node-taint parameter will allow you to configure nodes with taints, for example --node-taint CriticalAddonsOnly=true:NoExecute.

    Once you've launched the k3s server process on all server nodes, ensure that the cluster has come up properly with k3s kubectl get nodes. You should see your server nodes in the Ready state.

    -

    3. Configure the Fixed Registration Address

    +

    3. Configure the Fixed Registration Address

    Agent nodes need a URL to register against. This can be the IP or hostname of any of the server nodes, but in many cases those may change over time. For example, if you are running your cluster in a cloud that supports scaling groups, you may scale the server node group up and down over time, causing nodes to be created and destroyed and thus having different IPs from the initial set of server nodes. Therefore, you should have a stable endpoint in front of the server nodes that will not change over time. This endpoint can be set up using any number approaches, such as:

    • A layer-4 (TCP) load balancer
      • @@ -43,7 +43,7 @@

      kubeconfig file to point to it instead of a specific node. To avoid certificate errors in such a configuration, you should install the server with the --tls-san YOUR_IP_OR_HOSTNAME_HERE option. This option adds an additional hostname or IP as a Subject Alternative Name in the TLS cert, and it can be specified multiple times if you would like to access via both the IP and the hostname.

      -

      4. Optional: Join Additional Server Nodes

      +

      4. Optional: Join Additional Server Nodes

      The same example command in Step 2 can be used to join additional server nodes, where the token from the first node needs to be used.

      If the first server node was started without the --token CLI flag or K3S_TOKEN variable, the token value can be retrieved from any server already joined to the cluster:

      cat /var/lib/rancher/k3s/server/token
      @@ -56,10 +56,10 @@

      비고

      Ensure that you retain a copy of this token as it is required when restoring from backup and adding nodes. Previously, K3s did not enforce the use of a token when using external SQL datastores.

    -

    5. Optional: Join Agent Nodes

    +

    5. Optional: Join Agent Nodes

    Because K3s server nodes are schedulable by default, the minimum number of nodes for an HA K3s server cluster is two server nodes and zero agent nodes. To add nodes designated to run your apps and services, join agent nodes to your cluster.

    Joining agent nodes in an HA cluster is the same as joining agent nodes in a single server cluster. You just need to specify the URL the agent should register to and the token it should use.

    -
    K3S_TOKEN=SECRET k3s agent --server https://fixed-registration-address:6443
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/kr/faq.html b/kr/faq.html index ef8e0cab3..a53c162fc 100644 --- a/kr/faq.html +++ b/kr/faq.html @@ -2,22 +2,22 @@ - -자주 묻는 질문 | K3s - - + +자주 묻는 질문 | K3s + + -

    자주 묻는 질문

    자주 묻는 질문은 주기적으로 업데이트되며, 사용자가 K3s에 대해 가장 자주 묻는 질문에 대한 답변으로 구성되어 있습니다.

    -

    K3s가 Kubernetes를 대체하기에 적합한가요?

    +

    자주 묻는 질문

    자주 묻는 질문은 주기적으로 업데이트되며, 사용자가 K3s에 대해 가장 자주 묻는 질문에 대한 답변으로 구성되어 있습니다.

    +

    K3s가 Kubernetes를 대체하기에 적합한가요?

    K3s는 CNCF 인증을 받은 Kubernetes 배포판으로, 표준 Kubernetes 클러스터에 필요한 모든 작업을 수행할 수 있습니다. 단지 더 가벼운 버전일 뿐입니다. 자세한 내용은 main 문서 페이지를 참조하세요.

    -

    Traefik 대신 자체 Ingress를 사용하려면 어떻게 해야 하나요?

    +

    Traefik 대신 자체 Ingress를 사용하려면 어떻게 해야 하나요?

    --disable=traefik으로 K3s 서버를 시작하고 인그레스를 배포하기만 하면 됩니다.

    -

    K3s는 Windows를 지원하나요?

    +

    K3s는 Windows를 지원하나요?

    현재 K3s는 기본적으로 Windows를 지원하지 않지만, 추후에 지원할 수 있습니다.

    -

    소스로부터 빌드하려면 어떻게 해야 하나요?

    +

    소스로부터 빌드하려면 어떻게 해야 하나요?

    K3s BUILDING.md에서 지침을 참조하시기 바랍니다.

    -

    K3s 로그는 어디에 있나요?

    +

    K3s 로그는 어디에 있나요?

    K3s 로그의 위치는 K3s를 실행하는 방법과 노드의 OS에 따라 달라집니다.

    • 명령줄에서 실행할 경우, 로그는 stdout과 stderr로 전송됩니다.
      • @@ -31,14 +31,14 @@

      추가 로깅 소스를 참조하세요.

      -

      Docker에서 K3s를 실행할 수 있나요?

      +

      Docker에서 K3s를 실행할 수 있나요?

      예, Docker에서 K3s를 실행하는 방법은 여러 가지가 있습니다. 자세한 내용은 고급 옵션을 참조하세요.

      -

      K3s 서버와 에이전트 토큰의 차이점은 무엇인가요?

      +

      K3s 서버와 에이전트 토큰의 차이점은 무엇인가요?

      K3s 조인 토큰 관리에 대한 자세한 내용은 k3s token 명령어 설명서를 참조하세요.

      -

      K3s의 다른 버전들은 얼마나 호환되나요?

      +

      K3s의 다른 버전들은 얼마나 호환되나요?

      일반적으로 쿠버네티스 버전 skew 정책이 적용됩니다.

      즉, 서버가 에이전트보다 최신 버전일 수는 있지만 에이전트가 서버보다 최신 버전일 수는 없습니다.

      -

      문제가 발생했는데 어디서 도움을 받을 수 있나요?

      +

      문제가 발생했는데 어디서 도움을 받을 수 있나요?

      K3s를 배포하는 데 문제가 있는 경우 다음과 같이 하세요:

      1. @@ -58,7 +58,7 @@

        새 이슈를 제출합니다.

        2. -
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/kr/helm.html b/kr/helm.html index 65d21cbcc..9f91f80e6 100644 --- a/kr/helm.html +++ b/kr/helm.html @@ -2,32 +2,32 @@ - -헬름(Helm) | K3s - - + +헬름(Helm) | K3s + + -

    헬름(Helm)

    헬름(Helm)은 쿠버네티스를 위한 패키지 관리 도구입니다. 헬름 차트는 쿠버네티스 YAML 매니페스트 문서를 위한 템플릿 구문을 제공합니다. 개발자 또는 클러스터 관리자는 헬름을 사용하여 정적 매니페스트만 사용하는 대신 차트라는 구성 가능한 템플릿을 만들 수 있다. 자신만의 차트 카탈로그 생성에 대한 자세한 내용은 https://helm.sh/docs/intro/quickstart/에서 문서를 확인하세요.

    +

    헬름(Helm)

    헬름(Helm)은 쿠버네티스를 위한 패키지 관리 도구입니다. 헬름 차트는 쿠버네티스 YAML 매니페스트 문서를 위한 템플릿 구문을 제공합니다. 개발자 또는 클러스터 관리자는 헬름을 사용하여 정적 매니페스트만 사용하는 대신 차트라는 구성 가능한 템플릿을 만들 수 있다. 자신만의 차트 카탈로그 생성에 대한 자세한 내용은 https://helm.sh/docs/intro/quickstart/에서 문서를 확인하세요.

    K3s는 헬름을 지원하기 위한 별도의 구성이 필요하지 않습니다. 다만, 클러스터 액세스 문서에 따라 kubeconfig 경로를 올바르게 설정했는지 확인하면 됩니다.

    K3s에는 헬름 차트의 설치, 업그레이드/재구성 및 제거를 관리하는 Helm Controller가 포함되어 있으며, 헬름 차트 커스텀 리소스 정의(CRD)를 사용하여 헬름 차트를 설치, 업그레이드/재구성 및 제거할 수 있습니다. 애드온 매니페스트 자동 배포](./installation/packaged-components.md)와 함께 사용하면 디스크에 단일 파일을 생성하여 클러스터에 헬름 차트를 설치하는 것을 자동화할 수 있습니다.

    -

    헬름 컨트롤러 사용하기

    +

    헬름 컨트롤러 사용하기

    헬름 차트 커스텀 리소스는 일반적으로 helm 명령줄 도구에 전달할 대부분의 옵션을 담고 있습니다. 다음은 Bitnami 차트 저장소에서 아파치를 배포하여 기본 차트 값 중 일부를 재정의하는 방법에 대한 예제입니다. HelmChart 리소스 자체는 kube-system 네임스페이스에 있지만, 차트의 리소스는 동일한 매니페스트에 생성되는 web 네임스페이스에 배포된다는 점에 유의하세요. 이는 HelmChart 리소스를 배포하는 리소스와 분리하여 유지하려는 경우에 유용할 수 있습니다.

    apiVersion: v1
    kind: Namespace
    metadata:
      name: web
    ---
    apiVersion: helm.cattle.io/v1
    kind: HelmChart
    metadata:
      name: apache
      namespace: kube-system
    spec:
      repo: https://charts.bitnami.com/bitnami
      chart: apache
      targetNamespace: web
      valuesContent: |-
        service:
          type: ClusterIP
        ingress:
          enabled: true
          hostname: www.example.com
        metrics:
          enabled: true
    -

    HelmChart 필드 정의

    +

    HelmChart 필드 정의

    필드기본값설명헬름 인수 / 플래그 상응값
    metadata.name헬름 차트 이름NAME
    spec.chart리포지토리에 있는 헬름 차트 이름 또는 차트 아카이브(.tgz)에 대한 전체 HTTPS URLCHART
    spec.targetNamespacedefault헬름 차트 대상 네임스페이스--namespace
    spec.version헬름 차트 버전(리포지토리에서 설치하는 경우)--version
    spec.repo헬름 차트 리포지토리 URL--repo
    spec.repoCAHTTPS 사용 서버의 인증서를 지정--ca-file
    spec.helmVersionv3사용할 헬름 버전 (v2 혹은 v3)
    spec.bootstrapFalse클러스터(클라우드 컨트롤러 관리자 등)를 부트스트랩하는 데 이 차트가 필요한 경우 True로 설정합니다.
    spec.set간단한 기본 차트 값을 재정의합니다. 값을 통해 설정된 옵션보다 우선합니다.--set / --set-string
    spec.jobImage헬름 차트를 설치할 때 사용할 이미지를 지정합니다. 예시. rancher/klipper-helm:v0.3.0 .
    spec.timeout300헬름 작업 시간 초과(초)--timeout
    spec.failurePolicyreinstallabort로 설정하면 헬름 작업이 중단되고 운영자의 수동 개입이 있을 때까지 중단된다.
    spec.valuesContentYAML 파일 콘텐츠를 통해 복잡한 기본 차트 값 재정의--values
    spec.chartContentBase64로 인코딩된 차트 아카이브 .tgz - spec.chart를 재정의합니다.CHART

    /var/lib/rancher/k3s/server/static/에 위치한 콘텐츠는 클러스터 내에서 쿠버네티스 APIServer를 통해 익명으로 액세스할 수 있습니다. 이 URL은 spec.chart 필드에 있는 특수 변수 %{KUBERNETES_API}%를 사용하여 템플릿화할 수 있습니다. 예를 들어, 패키지화된 Traefik 컴포넌트는 https://%{KUBERNETES_API}%/static/charts/traefik-12.0.000.tgz에서 해당 차트를 로드합니다.

    -
    비고

    name 필드는 헬름 차트 명명 규칙을 따라야 합니다. 자세한 내용은 헬름 베스트 프랙티스 문서를 참고하세요.

    -

    HelmChartConfig로 패키지 컴포넌트 커스터마이징하기

    +
    비고

    name 필드는 헬름 차트 명명 규칙을 따라야 합니다. 자세한 내용은 헬름 베스트 프랙티스 문서를 참고하세요.

    +

    HelmChartConfig로 패키지 컴포넌트 커스터마이징하기

    Version Gate

    v1.19.1+k3s1 부터 사용 가능

    HelmChart로 배포되는 패키지 컴포넌트(예로 Traefik)의 값을 재정의할 수 있도록, K3s는 HelmChartConfig 리소스를 통해 배포를 사용자 정의할 수 있도록 지원합니다. HelmChartConfig 리소스는 해당 HelmChart의 이름과 네임스페이스와 일치해야 하며, 추가 값 파일로 helm 명령에 전달되는 valuesContent를 추가로 제공할 수 있도록 지원합니다.

    비고

    HelmChart spec.set 값은 HelmChart 및 HelmChartConfig spec.valuesContent 설정을 재정의합니다.

    예를 들어, 패키징된 트래픽 인그레스 구성을 사용자 정의하려면 /var/lib/rancher/k3s/server/manifests/traefik-config.yaml이라는 파일을 생성하고 다음 내용으로 채우면 됩니다:

    apiVersion: helm.cattle.io/v1
    kind: HelmChartConfig
    metadata:
      name: traefik
      namespace: kube-system
    spec:
      valuesContent: |-
        image:
          name: traefik
          tag: v2.8.5
        forwardedHeaders:
          enabled: true
          trustedIPs:
            - 10.0.0.0/8
        ssl:
          enabled: true
          permanentRedirect: false
    -

    헬름 버전 2에서 마이그레이션하기

    +

    헬름 버전 2에서 마이그레이션하기

    Version Gate

    v1.17.v1.17.0+k3s.1부터 헬름 v3가 기본적으로 지원 및 사용됩니다.

    -

    K3s는 헬름 v2 또는 헬름 v3를 처리할 수 있습니다. 헬름 v3로 마이그레이션하려는 경우, 헬름 블로그 게시물에서 플러그인을 사용하여 성공적으로 마이그레이션하는 방법을 설명합니다. 자세한 내용은 헬름 3 공식 문서 여기를 참고하세요. 클러스터 접근에 대한 섹션에 따라 kubeconfig를 올바르게 설정했는지 확인하세요.

    -
    비고

    헬름 3에서는 더 이상 Tiller와 helm init 명령이 필요하지 않습니다. 자세한 내용은 공식 문서를 참고하세요.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +

    K3s는 헬름 v2 또는 헬름 v3를 처리할 수 있습니다. 헬름 v3로 마이그레이션하려는 경우, 헬름 블로그 게시물에서 플러그인을 사용하여 성공적으로 마이그레이션하는 방법을 설명합니다. 자세한 내용은 헬름 3 공식 문서 여기를 참고하세요. 클러스터 접근에 대한 섹션에 따라 kubeconfig를 올바르게 설정했는지 확인하세요.

    +
    비고

    헬름 3에서는 더 이상 Tiller와 helm init 명령이 필요하지 않습니다. 자세한 내용은 공식 문서를 참고하세요.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/kr/index.html b/kr/index.html index fed429a8c..7889a6700 100644 --- a/kr/index.html +++ b/kr/index.html @@ -2,13 +2,13 @@ - -K3s - Lightweight Kubernetes | K3s - - + +K3s - Lightweight Kubernetes | K3s + + -

    경량의 쿠버네티스. 간편한 설치와 절반의 메모리, 모든걸 100MB 미만의 바이너리로 제공합니다.

    +

    경량의 쿠버네티스. 간편한 설치와 절반의 메모리, 모든걸 100MB 미만의 바이너리로 제공합니다.

    적합한 환경:

    • 엣지(Edge)
      • @@ -19,7 +19,7 @@
    • 임베딩 K8s
    • k8s 클러스터 분야의 박사 학위를 취득하기 어려운 상황
    -

    k3s란 무엇입니까?

    +

    k3s란 무엇입니까?

    K3s는 쿠버네티스와 완전히 호환되며 다음과 같은 향상된 기능을 갖춘 배포판입니다:

    • 단일 바이너리로 패키지화.
      • @@ -49,7 +49,7 @@

      k3s란 무엇입니까?

    • 호스트 유틸리티(iptables, socat 등)

    이름에는 무슨 뜻이 있나요?

    -

    우리는 메모리 풋프린트 측면에서 절반 크기의 Kubernetes를 설치하기를 원했습니다. Kubernetes는 K8s로 표기되는 10글자 단어입니다. 따라서 쿠버네티스의 절반 크기라면 K3s로 표기된 5글자 단어가 될 것입니다. K3s의 긴 형태는 없으며 공식적인 발음도 없습니다.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +

    우리는 메모리 풋프린트 측면에서 절반 크기의 Kubernetes를 설치하기를 원했습니다. Kubernetes는 K8s로 표기되는 10글자 단어입니다. 따라서 쿠버네티스의 절반 크기라면 K3s로 표기된 5글자 단어가 될 것입니다. K3s의 긴 형태는 없으며 공식적인 발음도 없습니다.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/kr/installation.html b/kr/installation.html index 9e7e7c70e..358354e2f 100644 --- a/kr/installation.html +++ b/kr/installation.html @@ -2,20 +2,20 @@ - -Installation | K3s - - + +Installation | K3s + + -

    Installation

    This section contains instructions for installing K3s in various environments. Please ensure you have met the Requirements before you begin installing K3s.

    +

    Installation

    This section contains instructions for installing K3s in various environments. Please ensure you have met the Requirements before you begin installing K3s.

    Configuration Options provides guidance on the options available to you when installing K3s.

    Private Registry Configuration covers use of registries.yaml to configure container image registry mirrors.

    Embedded Mirror shows how to enable the embedded distributed image registry mirror.

    Air-Gap Install details how to set up K3s in environments that do not have direct access to the Internet.

    Managing Server Roles details how to set up K3s with dedicated control-plane or etcd servers.

    Managing Packaged Components details how to disable packaged components, or install your own using auto-deploying manifests.

    -

    Uninstalling K3s details how to remove K3s from a host.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +

    Uninstalling K3s details how to remove K3s from a host.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/kr/installation/airgap.html b/kr/installation/airgap.html index 18a4d5683..89bae32ab 100644 --- a/kr/installation/airgap.html +++ b/kr/installation/airgap.html @@ -2,70 +2,70 @@ - -Air-Gap Install | K3s - - + +Air-Gap Install | K3s + + -

    Air-Gap Install

    You can install K3s in an air-gapped environment using two different methods. An air-gapped environment is any environment that is not directly connected to the Internet. You can either deploy a private registry and mirror docker.io, or you can manually deploy images such as for small clusters.

    -

    Load Images

    -

    Private Registry Method

    +

    Air-Gap Install

    You can install K3s in an air-gapped environment using two different methods. An air-gapped environment is any environment that is not directly connected to the Internet. You can either deploy a private registry and mirror docker.io, or you can manually deploy images such as for small clusters.

    +

    Load Images

    +

    Private Registry Method

    These steps assume you have already created nodes in your air-gap environment, are using the bundled containerd as the container runtime, and have a OCI-compliant private registry available in your environment.

    If you have not yet set up a private Docker registry, refer to the official Registry documentation.

    -

    Create the Registry YAML and Push Images

    +

    Create the Registry YAML and Push Images

    1. Obtain the images archive for your architecture from the releases page for the version of K3s you will be running.
    2. Use docker image load k3s-airgap-images-amd64.tar.zst to import images from the tar file into docker.
    3. Use docker tag and docker push to retag and push the loaded images to your private registry.
    4. Follow the Private Registry Configuration guide to create and configure the registries.yaml file.
      5. -
    5. Proceed to the Install K3s section below.
      6. +
    6. Proceed to the Install K3s section below.
    -

    Manually Deploy Images Method

    +

    Manually Deploy Images Method

    These steps assume you have already created nodes in your air-gap environment, are using the bundled containerd as the container runtime, and cannot or do not want to use a private registry.

    This method requires you to manually deploy the necessary images to each node, and is appropriate for edge deployments where running a private registry is not practical.

    -

    Prepare the Images Directory and Airgap Image Tarball

    +

    Prepare the Images Directory and Airgap Image Tarball

    1. Obtain the images archive for your architecture from the releases page for the version of K3s you will be running.
    2. Download the images archive to the agent's images directory, for example:
    sudo mkdir -p /var/lib/rancher/k3s/agent/images/
    sudo curl -L -O /var/lib/rancher/k3s/agent/images/k3s-airgap-images-amd64.tar.zst https://github.com/k3s-io/k3s/releases/download/v1.29.1-rc2%2Bk3s1/k3s-airgap-images-amd64.tar.zst
      -
    1. Proceed to the Install K3s section below.
      2. +
    2. Proceed to the Install K3s section below.
    -

    Embedded Registry Mirror

    +

    Embedded Registry Mirror

    Version Gate

    The Embedded Registry Mirror is available as an experimental feature as of January 2024 releases: v1.26.13+k3s1, v1.27.10+k3s1, v1.28.6+k3s1, v1.29.1+k3s1

    K3s includes an embedded distributed OCI-compliant registry mirror. When enabled and properly configured, images available in the containerd image store on any node can be pulled by other cluster members without access to an external image registry.

    The mirrored images may be sourced from an upstream registry, registry mirror, or airgap image tarball. For more information on enabling the embedded distributed registry mirror, see the Embedded Registry Mirror documentation.

    -

    Install K3s

    -

    Prerequisites

    -

    Before installing K3s, complete the Private Registry Method or the Manually Deploy Images Method above to prepopulate the images that K3s needs to install.

    -

    Binaries

    +

    Install K3s

    +

    Prerequisites

    +

    Before installing K3s, complete the Private Registry Method or the Manually Deploy Images Method above to prepopulate the images that K3s needs to install.

    +

    Binaries

    • Download the K3s binary from the releases page, matching the same version used to get the airgap images. Place the binary in /usr/local/bin on each air-gapped node and ensure it is executable.
    • Download the K3s install script at get.k3s.io. Place the install script anywhere on each air-gapped node, and name it install.sh.
    -

    Default Network Route

    +

    Default Network Route

    If your nodes do not have an interface with a default route, a default route must be configured; even a black-hole route via a dummy interface will suffice. K3s requires a default route in order to auto-detect the node's primary IP, and for kube-proxy ClusterIP routing to function properly. To add a dummy route, do the following:

    ip link add dummy0 type dummy
    ip link set dummy0 up
    ip addr add 203.0.113.254/31 dev dummy0
    ip route add default via 203.0.113.255 dev dummy0 metric 1000

    When running the K3s script with the INSTALL_K3S_SKIP_DOWNLOAD environment variable, K3s will use the local version of the script and binary.

    -

    SELinux RPM

    +

    SELinux RPM

    If you intend to deploy K3s with SELinux enabled, you will need also install the appropriate k3s-selinux RPM on all nodes. The latest version of the RPM can be found here. For example, on CentOS 8:

    On internet accessible machine:
    curl -LO https://github.com/k3s-io/k3s-selinux/releases/download/v1.4.stable.1/k3s-selinux-1.4-1.el8.noarch.rpm

    # Transfer RPM to air-gapped machine
    On air-gapped machine:
    sudo yum install ./k3s-selinux-1.4-1.el8.noarch.rpm

    See the SELinux section for more information.

    -

    Installing K3s in an Air-Gapped Environment

    +

    Installing K3s in an Air-Gapped Environment

    You can install K3s on one or more servers as described below.

    To install K3s on a single server, simply do the following on the server node:

    INSTALL_K3S_SKIP_DOWNLOAD=true ./install.sh

    To add additional agents, do the following on each agent node:

    INSTALL_K3S_SKIP_DOWNLOAD=true K3S_URL=https://<SERVER_IP>:6443 K3S_TOKEN=<YOUR_TOKEN> ./install.sh
    비고

    The token from the server is typically found at /var/lib/rancher/k3s/server/token.

    비고

    K3s's --resolv-conf flag is passed through to the kubelet, which may help with configuring pod DNS resolution in air-gap networks where the host does not have upstream nameservers configured.

    -

    Upgrading

    -

    Install Script Method

    +

    Upgrading

    +

    Install Script Method

    Upgrading an air-gap environment can be accomplished in the following manner:

    1. Download the new air-gap images (tar file) from the releases page for the version of K3s you will be upgrading to. Place the tar in the /var/lib/rancher/k3s/agent/images/ directory on each @@ -74,12 +74,12 @@

      Instal with the same environment variables.

    2. Restart the K3s service (if not restarted automatically by installer).
    -

    Automated Upgrades Method

    +

    Automated Upgrades Method

    K3s supports automated upgrades. To enable this in air-gapped environments, you must ensure the required images are available in your private registry.

    You will need the version of rancher/k3s-upgrade that corresponds to the version of K3s you intend to upgrade to. Note, the image tag replaces the + in the K3s release with a - because Docker images do not support +.

    You will also need the versions of system-upgrade-controller and kubectl that are specified in the system-upgrade-controller manifest YAML that you will deploy. Check for the latest release of the system-upgrade-controller here and download the system-upgrade-controller.yaml to determine the versions you need to push to your private registry. For example, in release v0.4.0 of the system-upgrade-controller, these images are specified in the manifest YAML:

    rancher/system-upgrade-controller:v0.4.0
    rancher/kubectl:v0.17.0
    -

    Once you have added the necessary rancher/k3s-upgrade, rancher/system-upgrade-controller, and rancher/kubectl images to your private registry, follow the automated upgrades guide.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +

    Once you have added the necessary rancher/k3s-upgrade, rancher/system-upgrade-controller, and rancher/kubectl images to your private registry, follow the automated upgrades guide.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/kr/installation/configuration.html b/kr/installation/configuration.html index 762137fab..6ae30981c 100644 --- a/kr/installation/configuration.html +++ b/kr/installation/configuration.html @@ -2,14 +2,14 @@ - -Configuration Options | K3s - - + +Configuration Options | K3s + + -

    Configuration Options

    This page focuses on the options that are commonly used when setting up K3s for the first time. Refer to the documentation on Advanced Options and Configuration and the server and agent command documentation for more in-depth coverage.

    -

    Configuration with install script

    +

    Configuration Options

    This page focuses on the options that are commonly used when setting up K3s for the first time. Refer to the documentation on Advanced Options and Configuration and the server and agent command documentation for more in-depth coverage.

    +

    Configuration with install script

    As mentioned in the Quick-Start Guide, you can use the installation script available at https://get.k3s.io to install K3s as a service on systemd and openrc based systems.

    You can use a combination of INSTALL_K3S_EXEC, K3S_ environment variables, and command flags to pass configuration to the service configuration. The prefixed environment variables, INSTALL_K3S_EXEC value, and trailing shell arguments are all persisted into the service configuration. @@ -19,9 +19,9 @@ 

    curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="agent --server https://k3s.example.com --token mypassword" sh -s -
    curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="agent" K3S_TOKEN="mypassword" sh -s - --server https://k3s.example.com
    curl -sfL https://get.k3s.io | K3S_URL=https://k3s.example.com sh -s - agent --token mypassword
    curl -sfL https://get.k3s.io | K3S_URL=https://k3s.example.com K3S_TOKEN=mypassword sh -s - # agent is assumed because of K3S_URL

    For details on all environment variables, see Environment Variables.

    -
    Note

    If you set configuration when running the install script, but do not set it again when re-running the install script, the original values will be lost.

    The contents of the configuration file are not managed by the install script. +

    Note

    If you set configuration when running the install script, but do not set it again when re-running the install script, the original values will be lost.

    The contents of the configuration file are not managed by the install script. If you want your configuration to be independent from the install script, you should use a configuration file instead of passing environment variables or arguments to the install script.

    -

    Configuration with binary

    +

    Configuration with binary

    As stated, the installation script is primarily concerned with configuring K3s to run as a service.
    If you choose to not use the script, you can run K3s simply by downloading the binary from our release page, placing it on your path, and executing it. This is not particularly useful for permanent installations, but may be useful when performing quick tests that do not merit managing K3s as a system service.

    curl -Lo /usr/local/bin/k3s https://github.com/k3s-io/k3s/releases/download/v1.26.5+k3s1/k3s; chmod a+x /usr/local/bin/k3s
    @@ -38,7 +38,7 @@

    Co --disable servicelb or --cluster-cidr=10.200.0.0/16 on your master node, but don't set it on other server nodes, the nodes will fail to join. They will print errors such as: failed to validate server configuration: critical configuration value mismatch. See the Server Configuration documentation (linked above) for more information on which flags must be set identically on server nodes.

    -

    Configuration File

    +

    Configuration File

    Version Gate

    Available as of v1.19.1+k3s1

    In addition to configuring K3s with environment variables and CLI arguments, K3s can also use a config file.

    By default, values present in a YAML file located at /etc/rancher/k3s/config.yaml will be used on install.

    @@ -49,7 +49,7 @@

    Configura

    In general, CLI arguments map to their respective YAML key, with repeatable CLI arguments being represented as YAML lists. Boolean flags are represented as true or false in the YAML file.

    It is also possible to use both a configuration file and CLI arguments. In these situations, values will be loaded from both sources, but CLI arguments will take precedence. For repeatable arguments such as --node-label, the CLI arguments will overwrite all values in the list.

    Finally, the location of the config file can be changed either through the CLI argument --config FILE, -c FILE, or the environment variable $K3S_CONFIG_FILE.

    -

    Multiple Config Files

    +

    Multiple Config Files

    Version Gate

    Available as of v1.21.0+k3s1

    Multiple configuration files are supported. By default, configuration files are read from /etc/rancher/k3s/config.yaml and /etc/rancher/k3s/config.yaml.d/*.yaml in alphabetical order.

    By default, the last value found for a given key will be used. A + can be appended to the key to append the value to the existing string or slice, instead of replacing it. All occurrences of this key in subsequent files will also require a + to prevent overwriting the accumulated value.

    @@ -57,7 +57,7 @@

    Multip 
    # config.yaml
    token: boop
    node-label:
      - foo=bar
      - bar=baz


    # config.yaml.d/test1.yaml
    write-kubeconfig-mode: 600
    node-taint:
      - alice=bob:NoExecute

    # config.yaml.d/test2.yaml
    write-kubeconfig-mode: 777
    node-label:
      - other=what
      - foo=three
    node-taint+:
      - charlie=delta:NoSchedule

    This results in a final configuration of:

    write-kubeconfig-mode: 777
    token: boop
    node-label:
      - other=what
      - foo=three
    node-taint:
      - alice=bob:NoExecute
      - charlie=delta:NoSchedule
    -

    Putting it all together

    +

    Putting it all together

    All of the above options can be combined into a single example.

    A config.yaml file is created at /etc/rancher/k3s/config.yaml:

    token: "secret"
    debug: true
    @@ -71,7 +71,7 @@

    Putt
  • Flannel backend set to none
  • The token set to secret
  • Debug logging enabled
    • -

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/kr/installation/packaged-components.html b/kr/installation/packaged-components.html index 5948bb639..dcdd13615 100644 --- a/kr/installation/packaged-components.html +++ b/kr/installation/packaged-components.html @@ -2,21 +2,21 @@ - -Managing Packaged Components | K3s - - + +Managing Packaged Components | K3s + + -

    Managing Packaged Components

    Auto-Deploying Manifests (AddOns)

    +

    Managing Packaged Components

    Auto-Deploying Manifests (AddOns)

    On server nodes, any file found in /var/lib/rancher/k3s/server/manifests will automatically be deployed to Kubernetes in a manner similar to kubectl apply, both on startup and when the file is changed on disk. Deleting files out of this directory will not delete the corresponding resources from the cluster.

    Manifests are tracked as AddOn custom resources in the kube-system namespace. Any errors or warnings encountered when applying the manifest file may seen by using kubectl describe on the corresponding AddOn, or by using kubectl get event -n kube-system to view all events for that namespace, including those from the deploy controller.

    -

    Packaged Components

    +

    Packaged Components

    K3s comes with a number of packaged components that are deployed as AddOns via the manifests directory: coredns, traefik, local-storage, and metrics-server. The embedded servicelb LoadBalancer controller does not have a manifest file, but can be disabled as if it were an AddOn for historical reasons.

    Manifests for packaged components are managed by K3s, and should not be altered. The files are re-written to disk whenever K3s is started, in order to ensure their integrity.

    -

    User AddOns

    +

    User AddOns

    You may place additional files in the manifests directory for deployment as an AddOn. Each file may contain multiple Kubernetes resources, delmited by the --- YAML document separator. For more information on organizing resources in manifests, see the Managing Resources section of the Kubernetes documentation.

    -

    File Naming Requirements

    +

    File Naming Requirements

    The AddOn name for each file in the manifest directory is derived from the file basename. Ensure that all files within the manifests directory (or within any subdirectories) have names that are unique, and adhere to Kubernetes object naming restrictions. Care should also be taken not to conflict with names in use by the default K3s packaged components, even if those components are disabled.

    @@ -25,18 +25,18 @@

    Fil

    Failed to process config: failed to process /var/lib/rancher/k3s/server/manifests/example_manifest.yaml: Addon.k3s.cattle.io "example_manifest" is invalid: metadata.name: Invalid value: "example_manifest": a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')

    위험

    If you have multiple server nodes, and place additional AddOn manifests on more than one server, it is your responsibility to ensure that files stay in sync across those nodes. K3s does not sync AddOn content between nodes, and cannot guarantee correct behavior if different servers attempt to deploy conflicting manifests.

    -

    Disabling Manifests

    +

    Disabling Manifests

    There are two ways to disable deployment of specific content from the manifests directory.

    -

    Using the --disable flag

    +

    Using the --disable flag

    The AddOns for packaged components listed above, in addition to AddOns for any additional manifests placed in the manifests directory, can be disabled with the --disable flag. Disabled AddOns are actively uninstalled from the cluster, and the source files deleted from the manifests directory.

    For example, to disable traefik from being installed on a new cluster, or to uninstall it and remove the manifest from an existing cluster, you can start K3s with --disable=traefik. Multiple items can be disabled by separating their names with commas, or by repeating the flag.

    -

    Using .skip files

    +

    Using .skip files

    For any file under /var/lib/rancher/k3s/server/manifests, you can create a .skip file which will cause K3s to ignore the corresponding manifest. The contents of the .skip file do not matter, only its existence is checked. Note that creating a .skip file after an AddOn has already been created will not remove or otherwise modify it or the resources it created; the file is simply treated as if it did not exist.

    For example, creating an empty traefik.yaml.skip file in the manifests directory before K3s is started the first time, will cause K3s to skip deploying traefik.yaml:

    $ ls /var/lib/rancher/k3s/server/manifests
    ccm.yaml      local-storage.yaml  rolebindings.yaml  traefik.yaml.skip
    coredns.yaml  traefik.yaml

    $ kubectl get pods -A
    NAMESPACE     NAME                                     READY   STATUS    RESTARTS   AGE
    kube-system   local-path-provisioner-64ffb68fd-xx98j   1/1     Running   0          74s
    kube-system   metrics-server-5489f84d5d-7zwkt          1/1     Running   0          74s
    kube-system   coredns-85cb69466-vcq7j                  1/1     Running   0          74s

    If Traefik had already been deployed prior to creating the traefik.skip file, Traefik would stay as-is, and would not be affected by future updates when K3s is upgraded.

    -

    Helm AddOns

    -

    For information about managing Helm charts via auto-deploying manifests, refer to the section about Helm.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +

    Helm AddOns

    +

    For information about managing Helm charts via auto-deploying manifests, refer to the section about Helm.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/kr/installation/private-registry.html b/kr/installation/private-registry.html index 097be2397..6966255e1 100644 --- a/kr/installation/private-registry.html +++ b/kr/installation/private-registry.html @@ -2,13 +2,13 @@ - -Private Registry Configuration | K3s - - + +Private Registry Configuration | K3s + + -

    Private Registry Configuration

    Containerd can be configured to connect to private registries and use them to pull images as needed by the kubelet.

    +

    Private Registry Configuration

    Containerd can be configured to connect to private registries and use them to pull images as needed by the kubelet.

    Upon startup, K3s will check to see if /etc/rancher/k3s/registries.yaml exists. If so, the registry configuration contained in this file is used when generating the containerd configuration.

    • If you want to use a private registry as a mirror for a public registry such as docker.io, then you will need to configure registries.yaml on each node that you want to use the mirror.
      • @@ -16,7 +16,7 @@

    Note that server nodes are schedulable by default. If you have not tainted the server nodes and will be running workloads on them, please ensure you also create the registries.yaml file on each server as well.

    -

    Default Endpoint Fallback

    +

    Default Endpoint Fallback

    Containerd has an implicit "default endpoint" for all registries. The default endpoint is always tried as a last resort, even if there are other endpoints listed for that registry in registries.yaml. For example, when pulling registry.example.com:5000/rancher/mirrored-pause:3.6, containerd will use a default endpoint of https://registry.example.com:5000/v2.

    @@ -34,48 +34,48 @@

    De or if you wish to have only some nodes pull from the upstream registry.

    Disabling the default registry endpoint applies only to registries configured via registries.yaml. If the registry is not explicitly configured via mirror entry in registries.yaml, the default fallback behavior will still be used.

    -

    Registries Configuration File

    +

    Registries Configuration File

    The file consists of two top-level keys, with subkeys for each registry:

    mirrors:
      <REGISTRY>:
        endpoint:
          - https://<REGISTRY>/v2
    configs:
      <REGISTRY>:
        auth:
          username: <BASIC AUTH USERNAME>
          password: <BASIC AUTH PASSWORD>
          token: <BEARER TOKEN>
        tls:
          ca_file: <PATH TO SERVER CA>
          cert_file: <PATH TO CLIENT CERT>
          key_file: <PATH TO CLIENT KEY>
          insecure_skip_verify: <SKIP TLS CERT VERIFICATION BOOLEAN>
    -

    Mirrors

    +

    Mirrors

    The mirrors section defines the names and endpoints of registries, for example:

    mirrors:
      registry.example.com:
        endpoint:
          - "https://registry.example.com:5000"

    Each mirror must have a name and set of endpoints. When pulling an image from a registry, containerd will try these endpoint URLs, plus the default endpoint, and use the first working one.

    -

    Redirects

    +

    Redirects

    If the private registry is used as a mirror for another registry, such as when configuring a pull through cache, images pulls are transparently redirected to the listed endpoints. The original registry name is passed to the mirror endpoint via the ns query parameter.

    For example, if you have a mirror configured for docker.io:

    mirrors:
      docker.io:
        endpoint:
          - "https://registry.example.com:5000"

    Then pulling docker.io/rancher/mirrored-pause:3.6 will transparently pull the image as registry.example.com:5000/rancher/mirrored-pause:3.6.

    -

    Rewrites

    +

    Rewrites

    Each mirror can have a set of rewrites. Rewrites can change the name of an image based on regular expressions. This is useful if the organization/project structure in the private registry is different than the registry it is mirroring.

    For example, the following configuration would transparently pull the image docker.io/rancher/mirrored-pause:3.6 as registry.example.com:5000/mirrorproject/rancher-images/mirrored-pause:3.6:

    mirrors:
      docker.io:
        endpoint:
          - "https://registry.example.com:5000"
        rewrite:
          "^rancher/(.*)": "mirrorproject/rancher-images/$1"

    When using redirects and rewrites, images will still be stored under the original name. For example, crictl image ls will show docker.io/rancher/mirrored-pause:3.6 as available on the node, even though the image was pulled from the mirrored registry with a different name.

    -

    Configs

    +

    Configs

    The configs section defines the TLS and credential configuration for each mirror. For each mirror you can define auth and/or tls.

    The tls part consists of:

    DirectiveDescription
    cert_fileThe client certificate path that will be used to authenticate with the registry
    key_fileThe client key path that will be used to authenticate with the registry
    ca_fileDefines the CA certificate path to be used to verify the registry's server cert file
    insecure_skip_verifyBoolean that defines if TLS verification should be skipped for the registry

    The auth part consists of either username/password or authentication token:

    DirectiveDescription
    usernameuser name of the private registry basic auth
    passworduser password of the private registry basic auth
    authauthentication token of the private registry basic auth

    Below are basic examples of using private registries in different modes:

    -

    With TLS

    +

    With TLS

    Below are examples showing how you may configure /etc/rancher/k3s/registries.yaml on each node when using TLS.

    mirrors:
      docker.io:
        endpoint:
          - "https://registry.example.com:5000"
    configs:
      "registry.example.com:5000":
        auth:
          username: xxxxxx # this is the registry username
          password: xxxxxx # this is the registry password
        tls:
          cert_file: # path to the cert file used in the registry
          key_file:  # path to the key file used in the registry
          ca_file:   # path to the ca file used in the registry
    -

    Without TLS

    +

    Without TLS

    Below are examples showing how you may configure /etc/rancher/k3s/registries.yaml on each node when not using TLS.

    mirrors:
      docker.io:
        endpoint:
          - "http://registry.example.com:5000"
    configs:
      "registry.example.com:5000":
        auth:
          username: xxxxxx # this is the registry username
          password: xxxxxx # this is the registry password

    In case of no TLS communication, you need to specify http:// for the endpoints, otherwise it will default to https.

    In order for the registry changes to take effect, you need to restart K3s on each node.

    -

    Troubleshooting Image Pulls

    +

    Troubleshooting Image Pulls

    When Kubernetes experiences problems pulling an image, the error displayed by the kubelet may only reflect the terminal error returned by the pull attempt made against the default endpoint, making it appear that the configured endpoints are not being used.

    Check the containerd log on the node at /var/lib/rancher/k3s/agent/containerd/containerd.log for detailed information on the root cause of the failure.

    -

    Adding Images to the Private Registry

    +

    Adding Images to the Private Registry

    Mirroring images to a private registry requires a host with Docker or other 3rd party tooling that is capable of pulling and pushing images.
    The steps below assume you have a host with dockerd and the docker CLI tools, and access to both docker.io and your private registry.

      @@ -86,7 +86,7 @@

      이 페이지 편집
      마지막 업데이트

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/kr/installation/registry-mirror.html b/kr/installation/registry-mirror.html index 83ae8dffe..5313961ec 100644 --- a/kr/installation/registry-mirror.html +++ b/kr/installation/registry-mirror.html @@ -2,16 +2,16 @@ - -Embedded Registry Mirror | K3s - - + +Embedded Registry Mirror | K3s + + -

    Embedded Registry Mirror

    Version Gate

    The Embedded Registry Mirror is available as an experimental feature as of January 2024 releases: v1.26.13+k3s1, v1.27.10+k3s1, v1.28.6+k3s1, v1.29.1+k3s1

    +

    Embedded Registry Mirror

    Version Gate

    The Embedded Registry Mirror is available as an experimental feature as of January 2024 releases: v1.26.13+k3s1, v1.27.10+k3s1, v1.28.6+k3s1, v1.29.1+k3s1

    K3s embeds Spegel, a stateless distributed OCI registry mirror that allows peer-to-peer sharing of container images between nodes in a Kubernetes cluster. The distributed registry mirror is disabled by default.

    -

    Enabling The Distributed OCI Registry Mirror

    +

    Enabling The Distributed OCI Registry Mirror

    In order to enable the embedded registry mirror, server nodes must be started with the --embedded-registry flag, or with embedded-registry: true in the configuration file. This option enables the embedded mirror for use on all nodes in the cluster.

    When enabled at a cluster level, all nodes will host a local OCI registry on port 6443, @@ -19,10 +19,10 @@

    air-gap image tar files are pinned in containerd to ensure that they remain available and are not pruned by Kubelet garbage collection.

    -

    Requirements

    +

    Requirements

    When the embedded registry mirror is enabled, all nodes must be able to reach each other via their internal IP addresses, on TCP ports 5001 and 6443. If nodes cannot reach each other, it may take longer for images to be pulled, as the distributed registry will be tried first by containerd, before it falls back to other endpoints.

    -

    Enabling Registry Mirroring

    +

    Enabling Registry Mirroring

    Enabling mirroring for a registry allows a node to both pull images from that registry from other nodes, and share the registry's images with other nodes. If a registry is enabled for mirroring on some nodes, but not on others, only the nodes with the registry enabled will exchange images from that registry.

    In order to enable mirroring of images from an upstream container registry, nodes must have an entry in the mirrors section of registries.yaml for that registry. @@ -37,19 +37,19 @@ 

    mirrors:
      mirror.example.com:

    If no registries are enabled for mirroring on a node, that node does not participate in the distributed registry in any capacity.

    For more information on the structure of the registries.yaml file, see Private Registry Configuration.

    -

    Default Endpoint Fallback

    +

    Default Endpoint Fallback

    By default, containerd will fall back to the default endpoint when pulling from registries with mirror endpoints configured. If you want to disable this, and only pull images from the configured mirrors and/or the embedded mirror, see the Default Endpoint Fallback section of the Private Registry Configuration documentation.

    Note that if you are using the --disable-default-endpoint option and want to allow pulling directly from a particular registry, while disallowing the rest, you can explicitly provide an endpoint in order to allow the image pull to fall back to the registry itself:

    mirrors:
      docker.io:           # no default endpoint, pulls will fail if not available on a node
      registry.k8s.io:     # no default endpoint, pulls will fail if not available on a node
      mirror.example.com:  # explicit default endpoint, can pull from upstream if not available on a node
        endpoint:
          - https://mirror.example.com
    -

    Security

    -

    Authentication

    +

    Security

    +

    Authentication

    Access to the embedded mirror's registry API requires a valid client certificate, signed by the cluster's client certificate authority.

    Access to the distributed hash table's peer-to-peer network requires a preshared key that is controlled by server nodes. Nodes authenticate each other using both the preshared key, and a certificate signed by the cluster certificate authority.

    -

    Potential Concerns

    +

    Potential Concerns

    warning

    The distributed registry is built on peer-to-peer principles, and assumes an equal level of privilege and trust between all cluster members. If this does not match your cluster's security posture, you should not enable the embedded distributed registry.

    The embedded registry may make available images that a node may not otherwise have access to. @@ -58,18 +58,18 @@

    Potential

    Users with access to push images into the containerd image store on one node may be able to use this to 'poison' the image for other cluster nodes, as other nodes will trust the tag advertised by the node, and use it without checking with the upstream registry. If image integrity is important, you should use image digests instead of tags, as the digest cannot be poisoned in this manner.

    -

    Sharing Air-gap or Manually Loaded Images

    +

    Sharing Air-gap or Manually Loaded Images

    Images sharing is controlled based on the source registry. Images loaded directly into containerd via air-gap tarballs, or loaded directly into containerd's image store using the ctr command line tool, will be shared between nodes if they are tagged as being from a registry that is enabled for mirroring.

    Note that the upstream registry that the images appear to come from does not actually have to exist or be reachable. For example, you could tag images as being from a fictitious upstream registry, and import those images into containerd's image store. You would then be able to pull those images from all cluster members, as long as that registry is listed in registries.yaml

    -

    Pushing Images

    +

    Pushing Images

    The embedded registry is read-only, and cannot be pushed to directly using docker push or other common tools that interact with OCI registries.

    Images can be manually made available via the embedded registry by running ctr -n k8s.io image pull to pull an image, or by loading image archives via the ctr -n k8s.io import or ctr -n k8s.io load commands. -Note that the k8s.io namespace must be specified when managing images via ctr in order for them to be visible to the kubelet.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +Note that the k8s.io namespace must be specified when managing images via ctr in order for them to be visible to the kubelet.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/kr/installation/requirements.html b/kr/installation/requirements.html index c45febc00..0a536c6d0 100644 --- a/kr/installation/requirements.html +++ b/kr/installation/requirements.html @@ -2,18 +2,18 @@ - -Requirements | K3s - - + +Requirements | K3s + + -

    Requirements

    K3s is very lightweight, but has some minimum requirements as outlined below.

    +

    Requirements

    K3s is very lightweight, but has some minimum requirements as outlined below.

    Whether you're configuring K3s to run in a container or as a native Linux service, each node running K3s should meet the following minimum requirements. These requirements are baseline for K3s and its packaged components, and do not include resources consumed by the workload itself.

    -

    Prerequisites

    +

    Prerequisites

    Two nodes cannot have the same hostname.

    If multiple nodes will have the same hostname, or if hostnames may be reused by an automated provisioning system, use the --with-node-id option to append a random suffix for each node, or devise a unique name to pass with --node-name or $K3S_NODE_NAME for each node you add to the cluster.

    -

    Architecture

    +

    Architecture

    K3s is available for the following architectures:

    • x86_64
      • @@ -22,47 +22,47 @@

      Architectures390x

    ARM64 Page Size

    Prior to May 2023 releases (v1.24.14+k3s1, v1.25.10+k3s1, v1.26.5+k3s1, v1.27.2+k3s1), on aarch64/arm64 systems, the kernel must use 4k pages. RHEL9, Ubuntu, Raspberry PI OS, and SLES all meet this requirement.

    -

    Operating Systems

    +

    Operating Systems

    K3s is expected to work on most modern Linux systems.

    Some OSs have additional setup requirements:

    -

    It is recommended to turn off firewalld:

    systemctl disable firewalld --now

    If you wish to keep firewalld enabled, by default, the following rules are required:

    firewall-cmd --permanent --add-port=6443/tcp #apiserver
    firewall-cmd --permanent --zone=trusted --add-source=10.42.0.0/16 #pods
    firewall-cmd --permanent --zone=trusted --add-source=10.43.0.0/16 #services
    firewall-cmd --reload

    Additional ports may need to be opened depending on your setup. See Inbound Rules for more information. If you change the default CIDR for pods or services, you will need to update the firewall rules accordingly.

    If enabled, it is required to disable nm-cloud-setup and reboot the node:

    systemctl disable nm-cloud-setup.service nm-cloud-setup.timer
    reboot
    +

    It is recommended to turn off firewalld:

    systemctl disable firewalld --now

    If you wish to keep firewalld enabled, by default, the following rules are required:

    firewall-cmd --permanent --add-port=6443/tcp #apiserver
    firewall-cmd --permanent --zone=trusted --add-source=10.42.0.0/16 #pods
    firewall-cmd --permanent --zone=trusted --add-source=10.43.0.0/16 #services
    firewall-cmd --reload

    Additional ports may need to be opened depending on your setup. See Inbound Rules for more information. If you change the default CIDR for pods or services, you will need to update the firewall rules accordingly.

    If enabled, it is required to disable nm-cloud-setup and reboot the node:

    systemctl disable nm-cloud-setup.service nm-cloud-setup.timer
    reboot

    For more information on which OSs were tested with Rancher managed K3s clusters, refer to the Rancher support and maintenance terms.

    -

    Hardware

    +

    Hardware

    Hardware requirements scale based on the size of your deployments. Minimum recommendations are outlined here.

    SpecMinimumRecommended
    CPU1 core2 cores
    RAM512 MB1 GB

    Resource Profiling captures the results of tests to determine minimum resource requirements for the K3s agent, the K3s server with a workload, and the K3s server with one agent. It also contains analysis about what has the biggest impact on K3s server and agent utilization, and how the cluster datastore can be protected from interference from agents and workloads.

    Raspberry Pi and embedded etcd

    If deploying K3s with embedded etcd on a Raspberry Pi, it is recommended that you use an external SSD. etcd is write intensive, and SD cards cannot handle the IO load.

    -

    Disks

    +

    Disks

    K3s performance depends on the performance of the database. To ensure optimal speed, we recommend using an SSD when possible. Disk performance will vary on ARM devices utilizing an SD card or eMMC.

    -

    Networking

    +

    Networking

    The K3s server needs port 6443 to be accessible by all nodes.

    The nodes need to be able to reach other nodes over UDP port 8472 when using the Flannel VXLAN backend, or over UDP port 51820 (and 51821 if IPv6 is used) when using the Flannel WireGuard backend. The node should not listen on any other port. K3s uses reverse tunneling such that the nodes make outbound connections to the server and all kubelet traffic runs through that tunnel. However, if you do not use Flannel and provide your own custom CNI, then the ports needed by Flannel are not needed by K3s.

    If you wish to utilize the metrics server, all nodes must be accessible to each other on port 10250.

    If you plan on achieving high availability with embedded etcd, server nodes must be accessible to each other on ports 2379 and 2380.

    Important

    The VXLAN port on nodes should not be exposed to the world as it opens up your cluster network to be accessed by anyone. Run your nodes behind a firewall/security group that disables access to port 8472.

    위험

    Flannel relies on the Bridge CNI plugin to create a L2 network that switches traffic. Rogue pods with NET_RAW capabilities can abuse that L2 network to launch attacks such as ARP spoofing. Therefore, as documented in the Kubernetes docs, please set a restricted profile that disables NET_RAW on non-trustable pods.

    -

    Inbound Rules for K3s Nodes

    +

    Inbound Rules for K3s Nodes

    ProtocolPortSourceDestinationDescription
    TCP2379-2380ServersServersRequired only for HA with embedded etcd
    TCP6443AgentsServersK3s supervisor and Kubernetes API Server
    UDP8472All nodesAll nodesRequired only for Flannel VXLAN
    TCP10250All nodesAll nodesKubelet metrics
    UDP51820All nodesAll nodesRequired only for Flannel Wireguard with IPv4
    UDP51821All nodesAll nodesRequired only for Flannel Wireguard with IPv6
    TCP5001All nodesAll nodesRequired only for embedded distributed registry (Spegel)
    TCP6443All nodesAll nodesRequired only for embedded distributed registry (Spegel)

    Typically, all outbound traffic is allowed.

    Additional changes to the firewall may be required depending on the OS used.

    -

    Large Clusters

    +

    Large Clusters

    Hardware requirements are based on the size of your K3s cluster. For production and large clusters, we recommend using a high-availability setup with an external database. The following options are recommended for the external database in production:

    • MySQL
    • PostgreSQL
    • etcd
    -

    CPU and Memory

    +

    CPU and Memory

    The following are the minimum CPU and memory requirements for nodes in a high-availability K3s server:

    Deployment SizeNodesVCPUSRAM
    SmallUp to 1024 GB
    MediumUp to 10048 GB
    LargeUp to 250816 GB
    X-LargeUp to 5001632 GB
    XX-Large500+3264 GB
    -

    Disks

    +

    Disks

    The cluster performance depends on database performance. To ensure optimal speed, we recommend always using SSD disks to back your K3s cluster. On cloud providers, you will also want to use the minimum size that allows the maximum IOPS.

    -

    Network

    +

    Network

    You should consider increasing the subnet size for the cluster CIDR so that you don't run out of IPs for the pods. You can do that by passing the --cluster-cidr option to K3s server upon starting.

    -

    Database

    +

    Database

    K3s supports different databases including MySQL, PostgreSQL, MariaDB, and etcd. See Cluster Datastore for more info.

    The following is a sizing guide for the database resources you need to run large clusters:

    -
    Deployment SizeNodesVCPUSRAM
    SmallUp to 1012 GB
    MediumUp to 10028 GB
    LargeUp to 250416 GB
    X-LargeUp to 500832 GB
    XX-Large500+1664 GB
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +
    Deployment SizeNodesVCPUSRAM
    SmallUp to 1012 GB
    MediumUp to 10028 GB
    LargeUp to 250416 GB
    X-LargeUp to 500832 GB
    XX-Large500+1664 GB
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/kr/installation/server-roles.html b/kr/installation/server-roles.html index 110c6ea59..9bc909318 100644 --- a/kr/installation/server-roles.html +++ b/kr/installation/server-roles.html @@ -2,29 +2,29 @@ - -Managing Server Roles | K3s - - + +Managing Server Roles | K3s + + -

    Managing Server Roles

    Starting the K3s server with --cluster-init will run all control-plane components, including the apiserver, controller-manager, scheduler, and etcd. It is possible to disable specific components in order to split the control-plane and etcd roles on to separate nodes.

    +

    Managing Server Roles

    Starting the K3s server with --cluster-init will run all control-plane components, including the apiserver, controller-manager, scheduler, and etcd. It is possible to disable specific components in order to split the control-plane and etcd roles on to separate nodes.

    정보

    This document is only relevant when using embedded etcd. When not using embedded etcd, all servers will have the control-plane role and run control-plane components.

    -

    Dedicated etcd Nodes

    +

    Dedicated etcd Nodes

    To create a server with only the etcd role, start K3s with all the control-plane components disabled:

    curl -fL https://get.k3s.io | sh -s - server --cluster-init --disable-apiserver --disable-controller-manager --disable-scheduler

    This first node will start etcd, and wait for additional etcd and/or control-plane nodes to join. The cluster will not be usable until you join an additional server with the control-plane components enabled.

    -

    Dedicated control-plane Nodes

    +

    Dedicated control-plane Nodes

    비고

    A dedicated control-plane node cannot be the first server in the cluster; there must be an existing node with the etcd role before joining dedicated control-plane nodes.

    To create a server with only the control-plane role, start k3s with etcd disabled:

    curl -fL https://get.k3s.io | sh -s - server --token <token> --disable-etcd --server https://<etcd-only-node>:6443

    After creating dedicated server nodes, the selected roles will be visible in kubectl get node:

    $ kubectl get nodes
    NAME           STATUS   ROLES                       AGE     VERSION
    k3s-server-1   Ready    etcd                        5h39m   v1.20.4+k3s1
    k3s-server-2   Ready    control-plane,master        5h39m   v1.20.4+k3s1
    -

    Adding Roles To Existing Servers

    +

    Adding Roles To Existing Servers

    Roles can be added to existing dedicated nodes by restarting K3s with the disable flags removed. For example ,if you want to add the control-plane role to a dedicated etcd node, you can remove the --disable-apiserver --disable-controller-manager --disable-scheduler flags from the systemd unit or config file, and restart the service.

    -

    Configuration File Syntax

    +

    Configuration File Syntax

    As with all other CLI flags, you can use the Configuration File to disable components, instead of passing the options as CLI flags. For example, to create a dedicated etcd node, you can place the following values in /etc/rancher/k3s/config.yaml:

    -
    cluster-init: true
    disable-apiserver: true
    disable-controller-manager: true
    disable-scheduler: true
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +
    cluster-init: true
    disable-apiserver: true
    disable-controller-manager: true
    disable-scheduler: true
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/kr/installation/uninstall.html b/kr/installation/uninstall.html index d4cba142f..49c51d59b 100644 --- a/kr/installation/uninstall.html +++ b/kr/installation/uninstall.html @@ -2,22 +2,22 @@ - -Uninstalling K3s | K3s - - + +Uninstalling K3s | K3s + + -

    Uninstalling K3s

    warning

    Uninstalling K3s deletes the local cluster data, configuration, and all of the scripts and CLI tools.
    +

    Uninstalling K3s

    warning

    Uninstalling K3s deletes the local cluster data, configuration, and all of the scripts and CLI tools.
    It does not remove any data from external datastores, or created by pods using external Kubernetes storage volumes.

    If you installed K3s using the installation script, a script to uninstall K3s was generated during installation.

    If you are planning on rejoining a node to an existing cluster after uninstalling and reinstalling, be sure to delete the node from the cluster to ensure that the node password secret is removed. See the Node Registration documentation for more information.

    -

    Uninstalling Servers

    +

    Uninstalling Servers

    To uninstall K3s from a server node, run:

    /usr/local/bin/k3s-uninstall.sh
    -

    Uninstalling Agents

    +

    Uninstalling Agents

    To uninstall K3s from an agent node, run:

    -
    /usr/local/bin/k3s-agent-uninstall.sh
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +
    /usr/local/bin/k3s-agent-uninstall.sh
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/kr/known-issues.html b/kr/known-issues.html index 7d14aa6ad..0dc67c98d 100644 --- a/kr/known-issues.html +++ b/kr/known-issues.html @@ -2,19 +2,19 @@ - -알려진 이슈 | K3s - - + +알려진 이슈 | K3s + + -

    알려진 이슈

    알려진 이슈는 주기적으로 업데이트되며, 다음 릴리스에서 즉시 해결되지 않을 수 있는 문제에 대해 알려드리기 위해 고안되었습니다.

    -

    스냅(Snap) 도커

    +

    알려진 이슈

    알려진 이슈는 주기적으로 업데이트되며, 다음 릴리스에서 즉시 해결되지 않을 수 있는 문제에 대해 알려드리기 위해 고안되었습니다.

    +

    스냅(Snap) 도커

    스냅(Snap) 패키지를 통해 설치된 도커는 K3s를 실행하는 데 문제를 일으키는 것으로 알려져 있으므로 K3s와 함께 사용하려는 경우 권장하지 않습니다.

    -

    Iptables

    -

    레거시 대신 nftables 모드에서 iptables를 실행하는 경우 문제가 발생할 수 있습니다. 문제를 방지하려면 최신 버전(예: 1.6.1+)의 iptables를 사용하는 것이 좋습니다.

    +

    Iptables

    +

    레거시 대신 nftables 모드에서 iptables를 실행하는 경우 문제가 발생할 수 있습니다. 문제를 방지하려면 최신 버전(예: 1.6.1+)의 iptables를 사용하는 것이 좋습니다.

    또한 1.8.0-1.8.4 버전에는 K3s가 실패할 수 있는 알려진 문제가 있습니다. 해결 방법은 추가 OS 준비를 참조하세요.

    -

    Rootless Mode

    +

    Rootless Mode

    루트리스 모드로 K3s를 실행하는 것은 실험 중이며 몇 가지 알려진 이슈가 있습니다.

    강화된(Hardened) 클러스터를 v1.24.x에서 v1.25.x로 업그레이드하기

    쿠버네티스는 파드 보안 표준(PSS, Pod Security Standards)을 위해 v1.25에서 PodSecurityPolicy를 제거했습니다. PSS에 대한 자세한 내용은 업스트림 문서에서 확인할 수 있습니다. K3S의 경우, 노드에 'PodSecurityPolicy'가 구성된 경우 수행해야 하는 몇 가지 수동 단계가 있습니다.

    @@ -33,7 +33,7 @@

    강화된(Hardened) 클러스터를 v1.24.x에서 v1.25.x로 업그레이드
    1. 업그레이드가 완료된 후, 클러스터에서 남아있는 모든 PSP 리소스를 제거합니다. 대부분의 경우, /var/lib/rancher/k3s/server/manifests/ 내부에서 강화를 위해 사용된 사용자 정의 파일에는 PodSecurityPolicies 및 관련 RBAC 리소스가 있을 수 있습니다. 이러한 리소스를 제거하면 k3s가 자동으로 업데이트됩니다. 때때로 시간이 지난 후에 이러한 리소스가 클러스터에 남아있을 수 있으므로 수동으로 삭제해야 합니다. 이전에 강화 가이드를 따르면 다음과 같이 삭제할 수 있습니다:
    -
    # Get the resources associated with PSPs
    $ kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A | grep -i psp

    # Delete those resources:
    $ kubectl delete clusterrole.rbac.authorization.k8s.io/psp:restricted-psp clusterrole.rbac.authorization.k8s.io/psp:svclb-psp clusterrole.rbac.authorization.k8s.io/psp:system-unrestricted-psp clusterrolebinding.rbac.authorization.k8s.io/default:restricted-psp clusterrolebinding.rbac.authorization.k8s.io/system-unrestricted-node-psp-rolebinding && kubectl delete -n kube-system rolebinding.rbac.authorization.k8s.io/svclb-psp-rolebinding rolebinding.rbac.authorization.k8s.io/system-unrestricted-svc-acct-psp-rolebinding

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +
    # Get the resources associated with PSPs
    $ kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A | grep -i psp

    # Delete those resources:
    $ kubectl delete clusterrole.rbac.authorization.k8s.io/psp:restricted-psp clusterrole.rbac.authorization.k8s.io/psp:svclb-psp clusterrole.rbac.authorization.k8s.io/psp:system-unrestricted-psp clusterrolebinding.rbac.authorization.k8s.io/default:restricted-psp clusterrolebinding.rbac.authorization.k8s.io/system-unrestricted-node-psp-rolebinding && kubectl delete -n kube-system rolebinding.rbac.authorization.k8s.io/svclb-psp-rolebinding rolebinding.rbac.authorization.k8s.io/system-unrestricted-svc-acct-psp-rolebinding
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/kr/networking.html b/kr/networking.html index f42200ca1..458485bce 100644 --- a/kr/networking.html +++ b/kr/networking.html @@ -2,17 +2,17 @@ - -Networking | K3s - - + +Networking | K3s + + -

    Networking

    This section contains instructions for configuring networking in K3s.

    +

    Networking

    This section contains instructions for configuring networking in K3s.

    Basic Network Options covers the basic networking configuration of the cluster such as flannel and single/dual stack configurations

    Hybrid/Multicloud cluster provides guidance on the options available to span the k3s cluster over remote or hybrid nodes

    Multus and IPAM plugins provides guidance to leverage Multus in K3s in order to have multiple interfaces per pod

    -

    Networking services: dns, ingress, etc explains how CoreDNS, Traefik, Network Policy controller and ServiceLB controller work within k3s

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +

    Networking services: dns, ingress, etc explains how CoreDNS, Traefik, Network Policy controller and ServiceLB controller work within k3s

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/kr/networking/basic-network-options.html b/kr/networking/basic-network-options.html index 8e54417ca..11fc9f9f4 100644 --- a/kr/networking/basic-network-options.html +++ b/kr/networking/basic-network-options.html @@ -2,14 +2,14 @@ - -Basic Network Options | K3s - - + +Basic Network Options | K3s + + -

    Basic Network Options

    This page describes K3s network configuration options, including configuration or replacement of Flannel, and configuring IPv6 or dualStack.

    -

    Flannel Options

    +

    Basic Network Options

    This page describes K3s network configuration options, including configuration or replacement of Flannel, and configuring IPv6 or dualStack.

    +

    Flannel Options

    Flannel is a lightweight provider of layer 3 network fabric that implements the Kubernetes Container Network Interface (CNI). It is what is commonly referred to as a CNI Plugin.

    • Flannel options can only be set on server nodes, and must be identical on all servers in the cluster.
      • @@ -21,7 +21,7 @@

      Flannel Opti

    CLI Flag and ValueDescription
    --flannel-ipv6-masqApply masquerading rules to IPv6 traffic (default for IPv4). Only applies on dual-stack or IPv6-only clusters. Compatible with any Flannel backend other than none.
    --flannel-external-ipUse node external IP addresses as the destination for Flannel traffic, instead of internal IPs. Only applies when --node-external-ip is set on a node.
    --flannel-backend=vxlanUse VXLAN to encapsulate the packets. May require additional kernel modules on Raspberry Pi.
    --flannel-backend=host-gwUse IP routes to pod subnets via node IPs. Requires direct layer 2 connectivity between all nodes in the cluster.
    --flannel-backend=wireguard-nativeUse WireGuard to encapsulate and encrypt network traffic. May require additional kernel modules.
    --flannel-backend=ipsecUse strongSwan IPSec via the swanctl binary to encrypt network traffic. (Deprecated; will be removed in v1.27.0)
    --flannel-backend=noneDisable Flannel entirely.
    Version Gate

    K3s no longer includes strongSwan swanctl and charon binaries starting with the 2022-12 releases (v1.26.0+k3s1, v1.25.5+k3s1, v1.24.9+k3s1, v1.23.15+k3s1). Please install the correct packages on your node before upgrading to or installing these releases if you want to use the ipsec backend.

    -

    Migrating from wireguard or ipsec to wireguard-native

    +

    Migrating from wireguard or ipsec to wireguard-native

    The legacy wireguard backend requires installation of the wg tool on the host. This backend is not available in K3s v1.26 and higher, in favor of wireguard-native backend, which directly interfaces with the kernel.

    The legacy ipsec backend requires installation of the swanctl and charon binaries on the host. This backend is not available in K3s v1.27 and higher, in favor of the wireguard-native backend.

    We recommend that users migrate to the new backend as soon as possible. The migration requires a short period of downtime while nodes come up with the new configuration. You should follow these two steps:

    @@ -29,10 +29,10 @@

    Custom CNI

    +

    Custom CNI

    Start K3s with --flannel-backend=none and install your CNI of choice. Most CNI plugins come with their own network policy engine, so it is recommended to set --disable-network-policy as well to avoid conflicts. Some important information to take into consideration:

    Visit the Canal Docs website. Follow the steps to install Canal. Modify the Canal YAML so that IP forwarding is allowed in the container_settings section, for example:

    "container_settings": {
      "allow_ip_forwarding": true
    }

    Apply the Canal YAML.

    Ensure the settings were applied by running the following command on the host:

    cat /etc/cni/net.d/10-canal.conflist

    You should see that IP forwarding is set to true.

    -

    Control-Plane Egress Selector configuration

    +

    Control-Plane Egress Selector configuration

    K3s agents and servers maintain websocket tunnels between nodes that are used to encapsulate bidirectional communication between the control-plane (apiserver) and agent (kubelet and containerd) components. This allows agents to operate without exposing the kubelet and container runtime streaming ports to incoming connections, and for the control-plane to connect to cluster services when operating with the agent disabled. This functionality is equivalent to the Konnectivity service commonly used on other Kubernetes distributions, and is managed via the apiserver's egress selector configuration.

    @@ -47,7 +47,7 @@

    Dual-stack (IPv4 + IPv6) Networking

    +

    Dual-stack (IPv4 + IPv6) Networking

    Version Gate

    Experimental support is available as of v1.21.0+k3s1.
    Stable support is available as of v1.23.7+k3s1.

    Known Issue

    Before 1.27, Kubernetes Issue #111695 causes the Kubelet to ignore the node IPv6 addresses if you have a dual-stack environment and you are not using the primary network interface for cluster traffic. To avoid this bug, use 1.27 or newer or add the following flag to both K3s servers and agents:

    --kubelet-arg="node-ip=0.0.0.0" # To proritize IPv4 traffic
    #OR
    --kubelet-arg="node-ip=::" # To proritize IPv6 traffic
    @@ -57,13 +57,13 @@

    Known Issue

    When defining cluster-cidr and service-cidr with IPv6 as the primary family, the node-ip of all cluster members should be explicitly set, placing node's desired IPv6 address as the first address. By default, the kubelet always uses IPv4 as the primary address family.

    -

    Single-stack IPv6 Networking

    +

    Single-stack IPv6 Networking

    Version Gate

    Available as of v1.22.9+k3s1

    Known Issue

    If your IPv6 default route is set by a router advertisement (RA), you will need to set the sysctl net.ipv6.conf.all.accept_ra=2; otherwise, the node will drop the default route once it expires. Be aware that accepting RAs could increase the risk of man-in-the-middle attacks.

    Single-stack IPv6 clusters (clusters without IPv4) are supported on K3s using the --cluster-cidr and --service-cidr flags. This is an example of a valid configuration:

    --cluster-cidr=2001:cafe:42::/56 --service-cidr=2001:cafe:43::/112
    -

    Nodes Without a Hostname

    -

    Some cloud providers, such as Linode, will create machines with "localhost" as the hostname and others may not have a hostname set at all. This can cause problems with domain name resolution. You can run K3s with the --node-name flag or K3S_NODE_NAME environment variable and this will pass the node name to resolve this issue.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/kr/networking/distributed-multicloud.html b/kr/networking/distributed-multicloud.html index f8615951b..346c85513 100644 --- a/kr/networking/distributed-multicloud.html +++ b/kr/networking/distributed-multicloud.html @@ -2,16 +2,16 @@ - -Distributed hybrid or multicloud cluster | K3s - - + +Distributed hybrid or multicloud cluster | K3s + + -

    Distributed hybrid or multicloud cluster

    A K3s cluster can still be deployed on nodes which do not share a common private network and are not directly connected (e.g. nodes in different public clouds). There are two options to achieve this: the embedded k3s multicloud solution and the integration with the tailscale VPN provider.

    +

    Distributed hybrid or multicloud cluster

    A K3s cluster can still be deployed on nodes which do not share a common private network and are not directly connected (e.g. nodes in different public clouds). There are two options to achieve this: the embedded k3s multicloud solution and the integration with the tailscale VPN provider.

    warning

    The latency between nodes will increase as external connectivity requires more hops. This will reduce the network performance and could also impact the health of the cluster if latency is too high.

    warning

    Embedded etcd is not supported in this type of deployment. If using embedded etcd, all server nodes must be reachable to each other via their private IPs. Agents may be distributed over multiple networks, but all servers should be in the same location.

    -

    Embedded k3s multicloud solution

    +

    Embedded k3s multicloud solution

    K3s uses wireguard to establish a VPN mesh for cluster traffic. Nodes must each have a unique IP through which they can be reached (usually a public IP). K3s supervisor traffic will use a websocket tunnel, and cluster (CNI) traffic will use a wireguard tunnel.

    To enable this type of deployment, you must add the following parameters on servers:

    --node-external-ip=<SERVER_EXTERNAL_IP> --flannel-backend=wireguard-native --flannel-external-ip
    @@ -20,7 +20,7 @@

    Networking Requirements and allow access to the listed ports on both internal and external addresses.

    Both SERVER_EXTERNAL_IP and AGENT_EXTERNAL_IP must have connectivity between them and are normally public IPs.

    Dynamic IPs

    If nodes are assigned dynamic IPs and the IP changes (e.g. in AWS), you must modify the --node-external-ip parameter to reflect the new IP. If running K3s as a service, you must modify /etc/systemd/system/k3s.service then run:

    systemctl daemon-reload
    systemctl restart k3s
    -

    Integration with the Tailscale VPN provider (experimental)

    +

    Integration with the Tailscale VPN provider (experimental)

    Available in v1.27.3, v1.26.6, v1.25.11 and newer.

    K3s can integrate with Tailscale so that nodes use the Tailscale VPN service to build a mesh between nodes.

    There are four steps to be done with Tailscale before deploying K3s:

    @@ -45,7 +45,7 @@ 

    --vpn-auth-file=$PATH_TO_FILE

    Optionally, if you have your own Tailscale server (e.g. headscale), you can connect to it by appending ,controlServerURL=$URL to the vpn-auth parameters

    -
    warning

    If you plan on running several K3s clusters using the same tailscale network, please create appropriate ACLs to avoid IP conflicts or use different podCIDR subnets for each cluster.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/kr/networking/multus-ipams.html b/kr/networking/multus-ipams.html index 70f3872fb..e2a287734 100644 --- a/kr/networking/multus-ipams.html +++ b/kr/networking/multus-ipams.html @@ -2,13 +2,13 @@ - -Multus and IPAM plugins | K3s - - + +Multus and IPAM plugins | K3s + + -

    Multus and IPAM plugins

    Multus CNI is a CNI plugin that enables attaching multiple network interfaces to pods. Multus does not replace CNI plugins, instead it acts as a CNI plugin multiplexer. Multus is useful in certain use cases, especially when pods are network intensive and require extra network interfaces that support dataplane acceleration techniques such as SR-IOV.

    +

    Multus and IPAM plugins

    Multus CNI is a CNI plugin that enables attaching multiple network interfaces to pods. Multus does not replace CNI plugins, instead it acts as a CNI plugin multiplexer. Multus is useful in certain use cases, especially when pods are network intensive and require extra network interfaces that support dataplane acceleration techniques such as SR-IOV.

    Multus can not be deployed standalone. It always requires at least one conventional CNI plugin that fulfills the Kubernetes cluster network requirements. That CNI plugin becomes the default for Multus, and will be used to provide the primary interface for all pods. When deploying K3s with default options, that CNI plugin is Flannel.

    To deploy Multus, we recommend using the following helm repo:

    helm repo add rke2-charts https://rke2-charts.rancher.io
    helm repo update
    @@ -17,7 +17,7 @@

    After creating the multus-values.yaml file, everything is ready to install Multus:

    helm install multus rke2-charts/rke2-multus -n kube-system --kubeconfig /etc/rancher/k3s/k3s.yaml --values multus-values.yaml

    That will create a daemonset called multus which will deploy multus and all regular cni binaries in /var/lib/rancher/k3s/data/current/ (e.g. macvlan) and the correct Multus config in /var/lib/rancher/k3s/agent/etc/cni/net.d

    -

    For more information about Multus, refer to the multus-cni documentation.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +

    For more information about Multus, refer to the multus-cni documentation.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/kr/networking/networking-services.html b/kr/networking/networking-services.html index e2e848d02..6fe79f748 100644 --- a/kr/networking/networking-services.html +++ b/kr/networking/networking-services.html @@ -2,19 +2,19 @@ - -Networking Services | K3s - - + +Networking Services | K3s + + -

    Networking Services

    This page explains how CoreDNS, Traefik Ingress controller, Network Policy controller, and ServiceLB load balancer controller work within K3s.

    +

    Networking Services

    This page explains how CoreDNS, Traefik Ingress controller, Network Policy controller, and ServiceLB load balancer controller work within K3s.

    Refer to the Installation Network Options page for details on Flannel configuration options and backend selection, or how to set up your own CNI.

    For information on which ports need to be opened for K3s, refer to the Networking Requirements.

    -

    CoreDNS

    +

    CoreDNS

    CoreDNS is deployed automatically on server startup. To disable it, configure all servers in the cluster with the --disable=coredns option.

    If you don't install CoreDNS, you will need to install a cluster DNS provider yourself.

    -

    Traefik Ingress Controller

    +

    Traefik Ingress Controller

    Traefik is a modern HTTP reverse proxy and load balancer made to deploy microservices with ease. It simplifies networking complexity while designing, deploying, and running applications.

    The Traefik ingress controller deploys a LoadBalancer Service that uses ports 80 and 443. By default, ServiceLB will expose these ports on all cluster members, meaning these ports will not be usable for other HostPort or NodePort pods.

    Traefik is deployed by default when starting the server. For more information see Managing Packaged Components. The default config file is found in /var/lib/rancher/k3s/server/manifests/traefik.yaml.

    @@ -22,26 +22,26 @@

    T

    To remove Traefik from your cluster, start all servers with the --disable=traefik flag.

    K3s versions 1.20 and earlier include Traefik v1. K3s versions 1.21 and later install Traefik v2, unless an existing installation of Traefik v1 is found, in which case Traefik is not upgraded to v2. For more information on the specific version of Traefik included with K3s, consult the Release Notes for your version.

    To migrate from an older Traefik v1 instance please refer to the Traefik documentation and migration tool.

    -

    Network Policy Controller

    +

    Network Policy Controller

    K3s includes an embedded network policy controller. The underlying implementation is kube-router's netpol controller library (no other kube-router functionality is present) and can be found here.

    To disable it, start each server with the --disable-network-policy flag.

    비고

    Network policy iptables rules are not removed if the K3s configuration is changed to disable the network policy controller. To clean up the configured kube-router network policy rules after disabling the network policy controller, use the k3s-killall.sh script, or clean them using iptables-save and iptables-restore. These steps must be run manually on all nodes in the cluster.

    iptables-save | grep -v KUBE-ROUTER | iptables-restore
    ip6tables-save | grep -v KUBE-ROUTER | ip6tables-restore
    -

    Service Load Balancer

    +

    Service Load Balancer

    Any LoadBalancer controller can be deployed to your K3s cluster. By default, K3s provides a load balancer known as ServiceLB (formerly Klipper LoadBalancer) that uses available host ports.

    Upstream Kubernetes allows Services of type LoadBalancer to be created, but doesn't include a default load balancer implementation, so these services will remain pending until one is installed. Many hosted services require a cloud provider such as Amazon EC2 or Microsoft Azure to offer an external load balancer implementation. By contrast, the K3s ServiceLB makes it possible to use LoadBalancer Services without a cloud provider or any additional configuration.

    -

    How ServiceLB Works

    +

    How ServiceLB Works

    The ServiceLB controller watches Kubernetes Services with the spec.type field set to LoadBalancer.

    For each LoadBalancer Service, a DaemonSet is created in the kube-system namespace. This DaemonSet in turn creates Pods with a svc- prefix, on each node. These Pods use iptables to forward traffic from the Pod's NodePort, to the Service's ClusterIP address and port.

    If the ServiceLB Pod runs on a node that has an external IP configured, the node's external IP is populated into the Service's status.loadBalancer.ingress address list. Otherwise, the node's internal IP is used.

    If multiple LoadBalancer Services are created, a separate DaemonSet is created for each Service.

    It is possible to expose multiple Services on the same node, as long as they use different ports.

    If you try to create a LoadBalancer Service that listens on port 80, the ServiceLB will try to find a free host in the cluster for port 80. If no host with that port is available, the LB will remain Pending.

    -

    Usage

    +

    Usage

    Create a Service of type LoadBalancer in K3s.

    -

    Controlling ServiceLB Node Selection

    +

    Controlling ServiceLB Node Selection

    Adding the svccontroller.k3s.cattle.io/enablelb=true label to one or more nodes switches the ServiceLB controller into allow-list mode, where only nodes with the label are eligible to host LoadBalancer pods. Nodes that remain unlabeled will be excluded from use by ServiceLB.

    비고

    By default, nodes are not labeled. As long as all nodes remain unlabeled, all nodes with ports available will be used by ServiceLB.

    -

    Creating ServiceLB Node Pools

    +

    Creating ServiceLB Node Pools

    To select a particular subset of nodes to host pods for a LoadBalancer, add the enablelb label to the desired nodes, and set matching lbpool label values on the Nodes and Services. For example:

    1. Label Node A and Node B with svccontroller.k3s.cattle.io/lbpool=pool1 and svccontroller.k3s.cattle.io/enablelb=true
      2. @@ -49,10 +49,10 @@

      Disabling ServiceLB

      +

      Disabling ServiceLB

      To disable ServiceLB, configure all servers in the cluster with the --disable=servicelb flag.

      This is necessary if you wish to run a different LB, such as MetalLB.

      -

      Deploying an External Cloud Controller Manager

      +

      Deploying an External Cloud Controller Manager

      In order to reduce binary size, K3s removes all "in-tree" (built-in) cloud providers. Instead, K3s provides an embedded Cloud Controller Manager (CCM) stub that does the following:

      • Sets node InternalIP and ExternalIP address fields based on the --node-ip and --node-external-ip flags.
        • @@ -60,7 +60,7 @@

        비고

        If you disable the built-in CCM and do not deploy and properly configure an external substitute, nodes will remain tainted and unschedulable.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/kr/quick-start.html b/kr/quick-start.html index e6269ebf3..24edf1479 100644 --- a/kr/quick-start.html +++ b/kr/quick-start.html @@ -2,17 +2,17 @@ - -빠른 시작 가이드 | K3s - - + +빠른 시작 가이드 | K3s + + -

    빠른 시작 가이드

    이 가이드는 기본 옵션으로 클러스터를 빠르게 시작하는 데 도움이 됩니다. 설치 섹션에서는 K3s를 설정하는 방법에 대해 자세히 설명합니다.

    +

    빠른 시작 가이드

    이 가이드는 기본 옵션으로 클러스터를 빠르게 시작하는 데 도움이 됩니다. 설치 섹션에서는 K3s를 설정하는 방법에 대해 자세히 설명합니다.

    K3s 구성 요소들이 작동하는 방식에 대한 자세한 내용은 아키텍처 섹션을 참조하세요.

    정보

    Kubernetes를 처음 사용하시나요? 공식 쿠버네티스 문서에는 이미 기본 사항을 설명하는 훌륭한 튜토리얼이 여기 있습니다.

    -

    설치 스크립트

    +

    설치 스크립트

    K3s는 systemd 또는 openrc 기반 시스템에 서비스로 설치하는 편리한 방법으로 설치 스크립트를 제공합니다. 이 스크립트는 https://get.k3s.io 에서 확인할 수 있습니다. 이 방법으로 K3s를 설치하려면, 간단하게 다음을 실행하세요:

    curl -sfL https://get.k3s.io | sh -

    이 설치를 실행한 후:

    @@ -25,7 +25,7 @@

    설치

    에이전트 노드를 추가로 설치하여 클러스터에 추가하려면, K3S_URLK3S_TOKEN 환경 변수를 사용하여 설치 스크립트를 실행합니다. 다음은 에이전트 가입 방법을 보여주는 예제입니다:

    curl -sfL https://get.k3s.io | K3S_URL=https://myserver:6443 K3S_TOKEN=mynodetoken sh -

    K3S_URL 파라미터를 설정하면 인스톨러가 K3s를 서버가 아닌 에이전트로 구성합니다. K3s 에이전트는 제공된 URL에서 수신 대기 중인 K3s 서버에 등록됩니다. K3S_TOKEN에 사용할 값은 서버 노드의 /var/lib/rancher/k3s/server/node-token에 저장됩니다.

    -
    비고

    각 머신은 고유한 호스트 이름을 가져야 합니다. 머신에 고유 호스트명이 없는 경우, K3S_NODE_NAME 환경 변수를 전달하고 각 노드에 대해 유효한 고유 호스트명이 있는 값을 제공하세요.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +
    비고

    각 머신은 고유한 호스트 이름을 가져야 합니다. 머신에 고유 호스트명이 없는 경우, K3S_NODE_NAME 환경 변수를 전달하고 각 노드에 대해 유효한 고유 호스트명이 있는 값을 제공하세요.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/kr/reference/env-variables.html b/kr/reference/env-variables.html index bd7bf9623..5fde23207 100644 --- a/kr/reference/env-variables.html +++ b/kr/reference/env-variables.html @@ -2,13 +2,13 @@ - -Environment Variables | K3s - - + +Environment Variables | K3s + + -

    Environment Variables

    As mentioned in the Quick-Start Guide, you can use the installation script available at https://get.k3s.io to install K3s as a service on systemd and openrc based systems.

    +

    Environment Variables

    As mentioned in the Quick-Start Guide, you can use the installation script available at https://get.k3s.io to install K3s as a service on systemd and openrc based systems.

    The simplest form of this command is as follows:

    curl -sfL https://get.k3s.io | sh -

    When using this method to install K3s, the following environment variables can be used to configure the installation:

    @@ -17,7 +17,7 @@ 
    curl -sfL https://get.k3s.io | INSTALL_K3S_CHANNEL=latest sh -

    Environment variables which begin with K3S_ will be preserved for the systemd and openrc services to use.

    Setting K3S_URL without explicitly setting an exec command will default the command to "agent".

    -

    When running the agent, K3S_TOKEN must also be set.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +

    When running the agent, K3S_TOKEN must also be set.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/kr/reference/flag-deprecation.html b/kr/reference/flag-deprecation.html index ebb8126cb..8ec5c108c 100644 --- a/kr/reference/flag-deprecation.html +++ b/kr/reference/flag-deprecation.html @@ -2,14 +2,14 @@ - -Flag Deprecation | K3s - - + +Flag Deprecation | K3s + + -

    Flag Deprecation

    K3s is a fast-moving project, and as such, we need a way to deprecate flags and configuration options. This page outlines the process for deprecating flags and configuration options. In order to ensure that users are not surprised by the removal of flags, the process is similar to the Kubernetes Deprecation Policy.

    -

    Process

    +

    Flag Deprecation

    K3s is a fast-moving project, and as such, we need a way to deprecate flags and configuration options. This page outlines the process for deprecating flags and configuration options. In order to ensure that users are not surprised by the removal of flags, the process is similar to the Kubernetes Deprecation Policy.

    +

    Process

    1. Flags can be declared as "To Be Deprecated" at any time.
    2. Flags that are "To Be Deprecated" must be labeled as such on the next patch of all currently supported releases. Additionally, the flag will begin to warn users that it is going to be deprecated in the next minor release.
      3. @@ -17,7 +17,7 @@

      Process

      +

      Example

      An example of the process:

  • In v1.27.0, --foo will be removed completely from all code and documentation.
    • -
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/kr/reference/resource-profiling.html b/kr/reference/resource-profiling.html index 799daab1d..8aa22d1d9 100644 --- a/kr/reference/resource-profiling.html +++ b/kr/reference/resource-profiling.html @@ -2,41 +2,41 @@ - -Resource Profiling | K3s - - + +Resource Profiling | K3s + + -

    Resource Profiling

    This section captures the results of tests to determine minimum resource requirements for K3s.

    +

    Resource Profiling

    This section captures the results of tests to determine minimum resource requirements for K3s.

    The results are summarized as follows:

    ComponentsProcessorMin CPUMin RAM with Kine/SQLiteMin RAM with Embedded etcd
    K3s server with a workloadIntel(R) Xeon(R) Platinum 8124M CPU, 3.00 GHz10% of a core768 M896 M
    K3s cluster with a single agentIntel(R) Xeon(R) Platinum 8124M CPU, 3.00 GHz10% of a core512 M768 M
    K3s agentIntel(R) Xeon(R) Platinum 8124M CPU, 3.00 GHz5% of a core256 M256 M
    K3s server with a workloadPi4B BCM2711, 1.50 GHz20% of a core768 M896 M
    K3s cluster with a single agentPi4B BCM2711, 1.50 GHz20% of a core512 M768 M
    K3s agentPi4B BCM2711, 1.50 GHz10% of a core256 M256 M
    -

    Scope of Resource Testing

    +

    Scope of Resource Testing

    The resource tests were intended to address the following problem statements:

    • On a single-node cluster, determine the legitimate minimum amount of CPU, memory, and IOPs that should be set aside to run the entire K3s stack server stack, assuming that a real workload will be deployed on the cluster.
    • On an agent (worker) node, determine the legitimate minimum amount of CPU, memory, and IOPs that should be set aside for the Kubernetes and K3s control plane components (the kubelet and k3s agent).
    -

    Components Included for Baseline Measurements

    +

    Components Included for Baseline Measurements

    The tested components are:

    • K3s 1.19.2 with all packaged components enabled
      • @@ -45,46 +45,46 @@

      Methodology

      +

      Methodology

      A standalone instance of Prometheus v2.21.0 was used to collect host CPU, memory, and disk IO statistics using prometheus-node-exporter installed via apt.

      systemd-cgtop was used to spot-check systemd cgroup-level CPU and memory utilization. system.slice/k3s.service tracks resource utilization for both K3s and containerd, while individual pods are under the kubepods hierarchy.

      Additional detailed K3s memory utilization data was collected from the process_resident_memory_bytes and go_memstats_alloc_bytes metrics using the kubelet exporter integrated into the server and agent processes.

      Utilization figures were based on 95th percentile readings from steady state operation on nodes running the described workloads.

      -

      Environment

      +

      Environment

      OS: Ubuntu 20.04 x86_64, aarch64

      Hardware:

      • AWS c5d.xlarge - 4 core, 8 GB RAM, NVME SSD
      • Raspberry Pi 4 Model B - 4 core, 8 GB RAM, Class 10 SDHC
      -

      Baseline Resource Requirements

      +

      Baseline Resource Requirements

      This section captures the results of tests to determine minimum resource requirements for the K3s agent, the K3s server with a workload, and the K3s server with one agent.

      -

      K3s Server with a Workload

      +

      K3s Server with a Workload

      These are the requirements for a single-node cluster in which the K3s server shares resources with a workload.

      The CPU requirements are:

      Resource RequirementTested Processor
      10% of a coreIntel(R) Xeon(R) Platinum 8124M CPU, 3.00 GHz
      20% of a coreLow-power processor such as Pi4B BCM2711, 1.50 GHz

      The IOPS and memory requirements are:

      Tested DatastoreIOPSKiB/secLatencyRAM
      Kine/SQLite10500< 10 ms768 M
      Embedded etcd50250< 5 ms896 M
      -

      K3s Cluster with a Single Agent

      +

      K3s Cluster with a Single Agent

      These are the baseline requirements for a K3s cluster with a K3s server node and a K3s agent, but no workload.

      The CPU requirements are:

      Resource RequirementTested Processor
      10% of a coreIntel(R) Xeon(R) Platinum 8124M CPU, 3.00 GHz
      20% of a corePi4B BCM2711, 1.50 GHz

      The IOPS and memory requirements are:

      DatastoreIOPSKiB/secLatencyRAM
      Kine/SQLite10500< 10 ms512 M
      Embedded etcd50250< 5 ms768 M
      -

      K3s Agent

      +

      K3s Agent

      The CPU requirements are:

      Resource RequirementTested Processor
      5% of a coreIntel(R) Xeon(R) Platinum 8124M CPU, 3.00 GHz
      10% of a corePi4B BCM2711, 1.50 GHz

      256 M of RAM is required.

      -

      Analysis

      +

      Analysis

      This section captures what has the biggest impact on K3s server and agent utilization, and how the cluster datastore can be protected from interference from agents and workloads.

      -

      Primary Resource Utilization Drivers

      +

      Primary Resource Utilization Drivers

      K3s server utilization figures are primarily driven by support of the Kubernetes datastore (kine or etcd), API Server, Controller-Manager, and Scheduler control loops, as well as any management tasks necessary to effect changes to the state of the system. Operations that place additional load on the Kubernetes control plane, such as creating/modifying/deleting resources, will cause temporary spikes in utilization. Using operators or apps that make extensive use of the Kubernetes datastore (such as Rancher or other Operator-type applications) will increase the server's resource requirements. Scaling up the cluster by adding additional nodes or creating many cluster resources will increase the server's resource requirements.

      K3s agent utilization figures are primarily driven by support of container lifecycle management control loops. Operations that involve managing images, provisioning storage, or creating/destroying containers will cause temporary spikes in utilization. Image pulls in particular are typically highly CPU and IO bound, as they involve decompressing image content to disk. If possible, workload storage (pod ephemeral storage and volumes) should be isolated from the agent components (/var/lib/rancher/k3s/agent) to ensure that there are no resource conflicts.

      -

      Preventing Agents and Workloads from Interfering with the Cluster Datastore

      +

      Preventing Agents and Workloads from Interfering with the Cluster Datastore

      When running in an environment where the server is also hosting workload pods, care should be taken to ensure that agent and workload IOPS do not interfere with the datastore.

      This can be best accomplished by placing the server components (/var/lib/rancher/k3s/server) on a different storage medium than the agent components (/var/lib/rancher/k3s/agent), which include the containerd image store.

      Workload storage (pod ephemeral storage and volumes) should also be isolated from the datastore.

      -

      Failure to meet datastore throughput and latency requirements may result in delayed response from the control plane and/or failure of the control plane to maintain system state.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +

    Failure to meet datastore throughput and latency requirements may result in delayed response from the control plane and/or failure of the control plane to maintain system state.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/kr/related-projects.html b/kr/related-projects.html index 1c573405e..52180ec16 100644 --- a/kr/related-projects.html +++ b/kr/related-projects.html @@ -2,20 +2,20 @@ - -Related Projects | K3s - - + +Related Projects | K3s + + -

    Related Projects

    Projects implementing the K3s distribution are welcome additions to help expand the community. This page will introduce you to a range of projects that are related to K3s and can help you further explore its capabilities and potential applications.

    +

    Related Projects

    Projects implementing the K3s distribution are welcome additions to help expand the community. This page will introduce you to a range of projects that are related to K3s and can help you further explore its capabilities and potential applications.

    These projects showcase the versatility and adaptability of K3s in various environments, as well as extensions of K3s. They are all useful in creating large scale High Availability (HA) Kubernetes clusters.

    -

    k3s-ansible

    +

    k3s-ansible

    For users seeking to bootstrap a multi-node K3s cluster and familiar with ansible, take a look at k3s-io/k3s-ansible repository. This set of ansible playbooks provides a convenient way to install K3s on your nodes, allowing you to focus on the configuration of your cluster rather than the installation process.

    -

    k3sup

    +

    k3sup

    Another project that simplifies the process of setting up a K3s cluster is k3sup. This project,written in golang, only requires ssh access to your nodes. It also provides a convenient way to deploy K3s with external datastores, not just the embedded etcd.

    -

    autok3s

    -

    Another provisioning tool, autok3s, provides a GUI for provising k3s cluster across a range of cloud providers, VMs, and local machines. This tool is useful for users who prefer a graphical interface for provising K3s clusters.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +

    autok3s

    +

    Another provisioning tool, autok3s, provides a GUI for provising k3s cluster across a range of cloud providers, VMs, and local machines. This tool is useful for users who prefer a graphical interface for provising K3s clusters.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/kr/release-notes/v1.24.X.html b/kr/release-notes/v1.24.X.html index 1e035e866..2cdb4f70d 100644 --- a/kr/release-notes/v1.24.X.html +++ b/kr/release-notes/v1.24.X.html @@ -2,21 +2,21 @@ - -v1.24.X | K3s - - + +v1.24.X | K3s + + -

    v1.24.X

    +

    v1.24.X

    Upgrade Notice

    Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.

    VersionRelease dateKubernetesKineSQLiteEtcdContainerdRuncFlannelMetrics-serverTraefikCoreDNSHelm-controllerLocal-path-provisioner
    v1.24.17+k3s1Sep 05 2023v1.24.17v0.10.23.42.0v3.5.3-k3s1v1.7.3-k3s1v1.1.8v0.21.3-k3s1.23v0.6.3v2.9.10v1.10.1v0.15.4v0.0.24
    v1.24.16+k3s1Jul 27 2023v1.24.16v0.10.13.39.2v3.5.3-k3s1v1.7.1-k3s1v1.1.7v0.21.3-k3s1.23v0.6.3v2.9.10v1.10.1v0.15.2v0.0.24
    v1.24.15+k3s1Jun 26 2023v1.24.15v0.10.13.39.2v3.5.3-k3s1v1.7.1-k3s1v1.1.7v0.21.3-k3s1.23v0.6.3v2.9.10v1.10.1v0.15.0v0.0.24
    v1.24.14+k3s1May 26 2023v1.24.14v0.10.13.39.2v3.5.3-k3s1v1.7.1-k3s1v1.1.7v0.21.3-k3s1.23v0.6.2v2.9.10v1.10.1v0.14.0v0.0.24
    v1.24.13+k3s1Apr 20 2023v1.24.13v0.9.93.39.2v3.5.3-k3s1v1.6.19-k3s1v1.1.5v0.21.3-k3s1.23v0.6.2v2.9.4v1.10.1v0.13.3v0.0.24
    v1.24.12+k3s1Mar 27 2023v1.24.12v0.9.93.39.2v3.5.3-k3s1v1.6.19-k3s1v1.1.4v0.21.3-k3s1.23v0.6.2v2.9.4v1.9.4v0.13.1v0.0.23
    v1.24.11+k3s1Mar 10 2023v1.24.11v0.9.93.39.2v3.5.3-k3s1v1.6.15-k3s1v1.1.4v0.21.1-k3s1.23v0.6.2v2.9.4v1.9.4v0.13.1v0.0.23
    v1.24.10+k3s1Jan 26 2023v1.24.10v0.9.63.39.2v3.5.3-k3s1v1.6.15-k3s1v1.1.4v0.20.2-k3s1.23v0.6.2v2.9.4v1.9.4v0.13.1v0.0.23
    v1.24.9+k3s2Jan 11 2023v1.24.9v0.9.63.39.2v3.5.3-k3s1v1.6.14-k3s1v1.1.4v0.20.2-k3s1.23v0.6.2v2.9.4v1.9.4v0.13.1v0.0.23
    v1.24.9+k3s1Dec 20 2022v1.24.9v0.9.63.39.2v3.5.3-k3s1v1.6.12-k3s1v1.1.4v0.20.2-k3s1.23v0.6.2v2.9.4v1.9.4v0.13.1v0.0.23
    v1.24.8+k3s1Nov 18 2022v1.24.8v0.9.63.39.2v3.5.3-k3s1v1.6.8-k3s1v1.1.4v0.20.1-k3s1.23v0.6.1v2.9.4v1.9.4v0.13.0v0.0.23
    v1.24.7+k3s1Oct 25 2022v1.24.7v0.9.33.36.0v3.5.3-k3s1v1.6.8-k3s1v1.1.4v0.19.2v0.6.1v2.9.1v1.9.1v0.12.3v0.0.21
    v1.24.6+k3s1Sep 28 2022v1.24.6v0.9.33.36.0v3.5.3-k3s1v1.6.8-k3s1v1.1.4v0.19.2v0.5.2v2.6.2v1.9.1v0.12.3v0.0.21
    v1.24.4+k3s1Aug 25 2022v1.24.4v0.9.33.36.0v3.5.3-k3s1v1.5.13-k3s1v1.1.3v0.19.1v0.5.2v2.6.2v1.9.1v0.12.3v0.0.21
    v1.24.3+k3s1Jul 19 2022v1.24.3v0.9.33.36.0v3.5.3-k3s1v1.5.13-k3s1v1.1.3v0.18.1v0.5.2v2.6.2v1.9.1v0.12.3v0.0.21
    v1.24.2+k3s2Jul 06 2022v1.24.2v0.9.33.36.0v3.5.3-k3s1v1.5.13-k3s1v1.1.2v0.18.1v0.5.2v2.6.2v1.9.1v0.12.3v0.0.21
    v1.24.2+k3s1Jun 27 2022v1.24.2v0.9.13.36.0v3.5.3-k3s1v1.6.6-k3s1v1.1.2v0.18.1v0.5.2v2.6.2v1.9.1v0.12.3v0.0.21
    v1.24.1+k3s1Jun 11 2022v1.24.1v0.9.13.36.0v3.5.3-k3s1v1.5.11-k3s1v1.1.1v0.17.0v0.5.2v2.6.2v1.9.1v0.12.1v0.0.21

    -

    Release v1.24.17+k3s1

    +

    Release v1.24.17+k3s1

    This release updates Kubernetes to v1.24.17, and fixes a number of issues.

    IMPORTANT

    This release includes support for remediating CVE-2023-32187, a potential Denial of Service attack vector on K3s servers. See https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2 for more information, including mandatory steps necessary to harden clusters against this vulnerability.

    For more details on what's new, see the Kubernetes release notes.

    -

    Changes since v1.24.16+k3s1:

    +

    Changes since v1.24.16+k3s1:

    • Update cni plugins version to v1.3.0 (#8087)
    • Etcd snapshots retention when node name changes (#8124)
      • @@ -52,10 +52,10 @@

      Cha
    • Add RWMutex to address controller (#8276)

    -

    Release v1.24.16+k3s1

    +

    Release v1.24.16+k3s1

    This release updates Kubernetes to v1.24.16, and fixes a number of issues.

    For more details on what's new, see the Kubernetes release notes.

    -

    Changes since v1.24.14+k3s1:

    +

    Changes since v1.24.14+k3s1:

    • Fix code spell check (#7861)
    • Remove file_windows.go (#7857)
      • @@ -79,10 +79,10 @@

      Cha
    • Update to v1.24.16 (#8023)

    -

    Release v1.24.15+k3s1

    +

    Release v1.24.15+k3s1

    This release updates Kubernetes to v1.24.15, and fixes a number of issues.

    For more details on what's new, see the Kubernetes release notes.

    -

    Changes since v1.24.14+k3s1:

    +

    Changes since v1.24.14+k3s1:

    • E2E Backports - June (#7726)
        @@ -109,10 +109,10 @@

        C
      • Update Kubernetes to v1.24.15 (#7785)

      -

      Release v1.24.14+k3s1

      +

      Release v1.24.14+k3s1

      This release updates Kubernetes to v1.24.14, and fixes a number of issues.

      For more details on what's new, see the Kubernetes release notes.

      -

      Changes since v1.24.13+k3s1:

      +

      Changes since v1.24.13+k3s1:

      • Add E2E testing in Drone (#7376)
      • Add integration tests for etc-snapshot server flags (#7379)
        • @@ -153,10 +153,10 @@

        Cha
      • Update to v1.24.14-k3s1 (#7577)

      -

      Release v1.24.13+k3s1

      +

      Release v1.24.13+k3s1

      This release updates Kubernetes to v1.24.13, and fixes a number of issues.

      For more details on what's new, see the Kubernetes release notes.

      -

      Changes since v1.24.12+k3s1:

      +

      Changes since v1.24.12+k3s1:

      • Enhance check-config (#7165)
      • Remove deprecated nodeSelector label beta.kubernetes.io/os (#6970) (#7122)
        • @@ -184,10 +184,10 @@

        Cha
      • Update to v1.24.13-k3s1 (#7284)

      -

      Release v1.24.12+k3s1

      +

      Release v1.24.12+k3s1

      This release updates Kubernetes to v1.24.12, and fixes a number of issues.

      For more details on what's new, see the Kubernetes release notes.

      -

      Changes since v1.24.11+k3s1:

      +

      Changes since v1.24.11+k3s1:

      • Update flannel and kube-router (#7063)
      • Bump various dependencies for CVEs (#7042)
        • @@ -206,10 +206,10 @@

        Cha
      • Update to v1.24.12-k3s1 (#7105)

      -

      Release v1.24.11+k3s1

      +

      Release v1.24.11+k3s1

      This release updates Kubernetes to v1.24.11, and fixes a number of issues.

      For more details on what's new, see the Kubernetes release notes.

      -

      Changes since v1.24.10+k3s1:

      +

      Changes since v1.24.10+k3s1:

      • Add jitter to scheduled snapshots and retry harder on conflicts (#6783)
          @@ -275,10 +275,10 @@

          Cha
        • Update to v1.24.11-k3s1 (#7009)

        -

        Release v1.24.10+k3s1

        +

        Release v1.24.10+k3s1

        This release updates Kubernetes to v1.24.10+k3s1, and fixes a number of issues.

        For more details on what's new, see the Kubernetes release notes.

        -

        Changes since v1.24.9+k3s2:

        +

        Changes since v1.24.9+k3s2:

        • Pass through default tls-cipher-suites (#6731)
            @@ -293,9 +293,9 @@

            Chan
          • Bump action/download-artifact to v3 (#6748)

          -

          Release v1.24.9+k3s2

          +

          Release v1.24.9+k3s2

          This release updates containerd to v1.6.14 to resolve an issue where pods would lose their CNI information when containerd was restarted.

          -

          Changes since v1.24.9+k3s1:

          +

          Changes since v1.24.9+k3s1:

          • Backport missing E2E test commits (#6616)
          • Bump containerd to v1.6.14-k3s1 (#6695) @@ -305,15 +305,15 @@

            Chan

          -

          Release v1.24.9+k3s1

          +

          Release v1.24.9+k3s1

          -

          ⚠️ WARNING

          +

          ⚠️ WARNING

          This release is affected by https://github.com/containerd/containerd/issues/7843, which causes the kubelet to restart all pods whenever K3s is restarted. For this reason, we have removed this K3s release from the channel server. Please use v1.24.9+k3s2 instead.

          This release updates Kubernetes to v1.24.9, and fixes a number of issues.

          Breaking Change: K3s no longer includes swanctl and charon binaries. If you are using the ipsec flannel backend, please ensure that the strongswan swanctl and charon packages are installed on your node before upgrading K3s to this release.

          For more details on what's new, see the Kubernetes release notes.

          -

          Changes since v1.24.8+k3s1:

          +

          Changes since v1.24.8+k3s1:

          • Remove stuff which belongs in the windows executor implementation (#6502)
          • Github CI Updates (#6535)
            • @@ -345,10 +345,10 @@

            Chan
          • Preload iptable_filter/ip6table_filter (#6647)

          -

          Release v1.24.8+k3s1

          +

          Release v1.24.8+k3s1

          This release updates Kubernetes to v1.24.8, and fixes a number of issues.

          For more details on what's new, see the Kubernetes release notes.

          -

          Changes since v1.24.7+k3s1:

          +

          Changes since v1.24.7+k3s1:

          • Add the gateway parameter in netplan (#6341)
          • Add a netpol test for podSelector & ingress type (#6348)
            • @@ -382,11 +382,11 @@

            Chan
          • Move traefik chart repo again (#6509)

          -

          Release v1.24.7+k3s1

          +

          Release v1.24.7+k3s1

          This release updates Kubernetes to v1.24.7, and fixes a number of issues.

          The K3s CIS Hardening Guide has been updated to include configuration changes required to support embedding ServiceLB in the cloud controller manager. If you have followed the hardening guide, please update your policies and RBAC in accordingly.

          For more details on what's new, see the Kubernetes release notes.

          -

          Changes since v1.24.6+k3s1:

          +

          Changes since v1.24.6+k3s1:

          • Add flannel-external-ip when there is a k3s node-external-ip (#6189)
          • Backports for 2022-10 (#6227) @@ -413,10 +413,10 @@

            Chan

          -

          Release v1.24.6+k3s1

          +

          Release v1.24.6+k3s1

          This release updates Kubernetes to v1.24.6, and fixes a number of issues.

          For more details on what's new, see the Kubernetes release notes.

          -

          Changes since v1.24.4+k3s1:

          +

          Changes since v1.24.4+k3s1:

          • Remove --containerd flag from windows kubelet args (#6028)
          • Mark v1.24.4+k3s1 as stable (#6036)
            • @@ -434,11 +434,11 @@

            Chan
          • Update to v1.24.6-k3s1 (#6164)

          -

          Release v1.24.4+k3s1

          +

          Release v1.24.4+k3s1

          This release updates Kubernetes to v1.24.4, and fixes a number of issues.

          This release restores use of the --docker flag to the v1.24 branch. See docs/adrs/cri-dockerd.md for more information.

          For more details on what's new, see the Kubernetes release notes.

          -

          Changes since v1.24.3+k3s1:

          +

          Changes since v1.24.3+k3s1:

          • Put the terraform tests into their own packages and cleanup the test runs (#5861)
          • Bumped rootlesskit to v1.0.1 (#5773)
            • @@ -471,10 +471,10 @@

            Chan
          • Update to v1.24.4 (#6014)

          -

          Release v1.24.3+k3s1

          +

          Release v1.24.3+k3s1

          This release updates Kubernetes to v1.24.3, and fixes a number of issues.

          For more details on what's new, see the Kubernetes release notes.

          -

          Changes since v1.24.2+k3s2:

          +

          Changes since v1.24.2+k3s2:

          • Updated rancher/remotedialer to address a potential memory leak. (#5784)
          • The embedded runc binary has been bumped to v1.1.3 (#5783)
            • @@ -493,9 +493,9 @@

            Chan
          • Update to v1.24.3 (#5870)

          -

          Release v1.24.2+k3s2

          +

          Release v1.24.2+k3s2

          This fixes several issues in the v1.24.2+k3s1 and prior releases.

          -

          Changes since v1.24.2+k3s1:

          +

          Changes since v1.24.2+k3s1:

          • Bumped kine to fix an issue where namespaced lists that included a field-selector on metadata.name would fail to return results when using a sql storage backend. (#5795)
          • K3s will no longer log panics after upgrading directly from much older kubernetes releases, or when deploying services with type: externalname. (#5771)
            • @@ -504,10 +504,10 @@

            Chan
          • Remove go-powershell dead dependency (#5777)

          -

          Release v1.24.2+k3s1

          +

          Release v1.24.2+k3s1

          This release updates Kubernetes to v1.24.2, and fixes a number of issues.

          For more details on what's new, see the Kubernetes release notes.

          -

          Changes since v1.24.1+k3s1:

          +

          Changes since v1.24.1+k3s1:

          • Remove kube-ipvs0 interface when cleaning up (#5644)
          • The --flannel-wireguard-mode switch was added to the k3s cli to configure the wireguard tunnel mode with the wireguard native backend (#5552)
            • @@ -531,10 +531,10 @@

            Chan
          • Update to v1.24.2 (#5749)

          -

          Release v1.24.1+k3s1

          +

          Release v1.24.1+k3s1

          This release updates Kubernetes to v1.24.1, and fixes a number of issues.

          For more details on what's new, see the Kubernetes release notes.

          -

          Changes since v1.24.0+k3s1:

          +

          Changes since v1.24.0+k3s1:

          • Objects will be removed from Kubernetes when they are removed from manifest files. (#5560)
          • Remove errant unversioned etcd go.mod entry (#5548)
            • @@ -546,7 +546,7 @@

            Chan
          • Re-add --cloud-provider=external kubelet arg (#5628)
          • Revert "Give kubelet the node-ip value (#5579)" (#5636)

          -
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/kr/release-notes/v1.25.X.html b/kr/release-notes/v1.25.X.html index 3d6d3d877..f77441495 100644 --- a/kr/release-notes/v1.25.X.html +++ b/kr/release-notes/v1.25.X.html @@ -2,20 +2,20 @@ - -v1.25.X | K3s - - + +v1.25.X | K3s + + -

    v1.25.X

    +

    v1.25.X

    Upgrade Notice

    Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.

    VersionRelease dateKubernetesKineSQLiteEtcdContainerdRuncFlannelMetrics-serverTraefikCoreDNSHelm-controllerLocal-path-provisioner
    v1.25.16+k3s4Dec 07 2023v1.25.16v0.11.03.42.0v3.5.3-k3s1v1.7.7-k3s1v1.1.8v0.22.2v0.6.3v2.10.5v1.10.1v0.15.4v0.0.24
    v1.25.15+k3s2Nov 08 2023v1.25.15v0.10.33.42.0v3.5.3-k3s1v1.7.7-k3s1v1.1.8v0.22.2v0.6.3v2.10.5v1.10.1v0.15.4v0.0.24
    v1.25.15+k3s1Oct 30 2023v1.25.15v0.10.33.42.0v3.5.3-k3s1v1.7.7-k3s1v1.1.8v0.22.2v0.6.3v2.10.5v1.10.1v0.15.4v0.0.24
    v1.25.14+k3s1Sep 20 2023v1.25.14v0.10.33.42.0v3.5.3-k3s1v1.7.6-k3s1v1.1.8v0.22.2v0.6.3v2.9.10v1.10.1v0.15.4v0.0.24
    v1.25.13+k3s1Sep 05 2023v1.25.13v0.10.23.42.0v3.5.3-k3s1v1.7.3-k3s1v1.1.8v0.22.2v0.6.3v2.9.10v1.10.1v0.15.4v0.0.24
    v1.25.12+k3s1Jul 27 2023v1.25.12v0.10.13.39.2v3.5.3-k3s1v1.7.1-k3s1v1.1.7v0.22.0v0.6.3v2.9.10v1.10.1v0.15.2v0.0.24
    v1.25.11+k3s1Jun 26 2023v1.25.11v0.10.13.39.2v3.5.3-k3s1v1.7.1-k3s1v1.1.7v0.22.0v0.6.3v2.9.10v1.10.1v0.15.0v0.0.24
    v1.25.10+k3s1May 26 2023v1.25.10v0.10.13.39.2v3.5.3-k3s1v1.7.1-k3s1v1.1.7v0.21.4v0.6.2v2.9.10v1.10.1v0.14.0v0.0.24
    v1.25.9+k3s1Apr 20 2023v1.25.9v0.9.93.39.2v3.5.3-k3s1v1.6.19-k3s1v1.1.5v0.21.4v0.6.2v2.9.4v1.10.1v0.13.3v0.0.24
    v1.25.8+k3s1Mar 27 2023v1.25.8v0.9.93.39.2v3.5.3-k3s1v1.6.19-k3s1v1.1.4v0.21.4v0.6.2v2.9.4v1.9.4v0.13.1v0.0.23
    v1.25.7+k3s1Mar 10 2023v1.25.7v0.9.93.39.2v3.5.3-k3s1v1.6.15-k3s1v1.1.4v0.21.1v0.6.2v2.9.4v1.9.4v0.13.1v0.0.23
    v1.25.6+k3s1Jan 26 2023v1.25.6v0.9.63.39.2v3.5.3-k3s1v1.6.15-k3s1v1.1.4v0.20.2v0.6.2v2.9.4v1.9.4v0.13.1v0.0.23
    v1.25.5+k3s2Jan 11 2023v1.25.5v0.9.63.39.2v3.5.3-k3s1v1.6.14-k3s1v1.1.4v0.20.2v0.6.2v2.9.4v1.9.4v0.13.1v0.0.23
    v1.25.5+k3s1Dec 20 2022v1.25.5v0.9.63.39.2v3.5.3-k3s1v1.6.12-k3s1v1.1.4v0.20.2v0.6.2v2.9.4v1.9.4v0.13.1v0.0.23
    v1.25.4+k3s1Nov 18 2022v1.25.4v0.9.63.39.2v3.5.3-k3s1v1.6.8-k3s1v1.1.4v0.20.1v0.6.1v2.9.4v1.9.4v0.13.0v0.0.23
    v1.25.3+k3s1Oct 25 2022v1.25.3v0.9.33.36.0v3.5.3-k3s1v1.6.8-k3s1v1.1.4v0.19.2v0.6.1v2.9.1v1.9.1v0.12.3v0.0.21
    v1.25.2+k3s1Sep 28 2022v1.25.2v0.9.33.36.0v3.5.3-k3s1v1.6.8-k3s1v1.1.4v0.19.2v0.5.2v2.6.2v1.9.1v0.12.3v0.0.21
    v1.25.0+k3s1Sep 12 2022v1.25.0v0.9.33.36.0v3.5.3-k3s1v1.5.13-k3s2v1.1.3v0.19.1v0.5.2v2.6.2v1.9.1v0.12.3v0.0.21

    -

    Release v1.25.16+k3s4

    +

    Release v1.25.16+k3s4

    This release updates Kubernetes to v1.25.16, and fixes a number of issues.

    For more details on what's new, see the Kubernetes release notes.

    -

    Changes since v1.25.15+k3s2:

    +

    Changes since v1.25.15+k3s2:

    • Etcd status condition (#8819)
    • Backports for 2023-11 release (#8880) @@ -50,10 +50,10 @@

      Cha
    • Remove s390x from manifest script (#8994)

    -

    Release v1.25.15+k3s2

    +

    Release v1.25.15+k3s2

    This release updates Kubernetes to v1.25.15, and fixes a number of issues.

    For more details on what's new, see the Kubernetes release notes.

    -

    Changes since v1.25.15+k3s1:

    +

    Changes since v1.25.15+k3s1:

    • E2E Domain Drone Cleanup (#8584)
    • Fix SystemdCgroup in templates_linux.go (#8767) @@ -65,10 +65,10 @@

      Cha
    • Update traefik to fix registry value (#8791)

    -

    Release v1.25.15+k3s1

    +

    Release v1.25.15+k3s1

    This release updates Kubernetes to v1.25.15, and fixes a number of issues.

    For more details on what's new, see the Kubernetes release notes.

    -

    Changes since v1.25.14+k3s1:

    +

    Changes since v1.25.14+k3s1:

    • Fix error reporting (#8413)
    • Add context to flannel errors (#8421)
      • @@ -118,10 +118,10 @@

      Cha
    • Fix s3 snapshot restore (#8735)

    -

    Release v1.25.14+k3s1

    +

    Release v1.25.14+k3s1

    This release updates Kubernetes to v1.25.14, and fixes a number of issues.

    For more details on what's new, see the Kubernetes release notes.

    -

    Changes since v1.25.13+k3s1:

    +

    Changes since v1.25.13+k3s1:

    • Bump kine to v0.10.3 (#8326)
    • Update Kubernetes to v1.25.14 and go to 1.20.8 (#8350)
      • @@ -135,11 +135,11 @@

      Cha

    -

    Release v1.25.13+k3s1

    +

    Release v1.25.13+k3s1

    This release updates Kubernetes to v1.25.13, and fixes a number of issues.

    Important

    This release includes support for remediating CVE-2023-32187, a potential Denial of Service attack vector on K3s servers. See https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2 for more information, including mandatory steps necessary to harden clusters against this vulnerability.

    For more details on what's new, see the Kubernetes release notes.

    -

    Changes since v1.25.12+k3s1:

    +

    Changes since v1.25.12+k3s1:

    • Update flannel and plugins (#8076)
    • Fix tailscale bug with ip modes (#8098)
      • @@ -177,12 +177,12 @@

      Cha
    • Add RWMutex to address controller (#8275)

    -

    Release v1.25.12+k3s1

    +

    Release v1.25.12+k3s1

    This release updates Kubernetes to v1.25.12, and fixes a number of issues.
    ​ For more details on what's new, see the Kubernetes release notes. ​

    -

    Changes since v1.25.11+k3s1:

    +

    Changes since v1.25.11+k3s1:

    • Remove file_windows.go (#7856)
      • @@ -211,10 +211,10 @@

      Cha ​

    -

    Release v1.25.11+k3s1

    +

    Release v1.25.11+k3s1

    This release updates Kubernetes to v1.25.11, and fixes a number of issues.

    For more details on what's new, see the Kubernetes release notes.

    -

    Changes since v1.25.10+k3s1:

    +

    Changes since v1.25.10+k3s1:

    • Update flannel version (#7649)
    • Bump vagrant libvirt with fix for plugin installs (#7659)
      • @@ -247,10 +247,10 @@

      Cha
    • Path normalization affecting kubectl proxy conformance test for /api endpoint (#7818)

    -

    Release v1.25.10+k3s1

    +

    Release v1.25.10+k3s1

    This release updates Kubernetes to v1.25.10, and fixes a number of issues.

    For more details on what's new, see the Kubernetes release notes.

    -

    Changes since v1.25.9+k3s1:

    +

    Changes since v1.25.9+k3s1:

    • Ensure that klog verbosity is set to the same level as logrus (#7361)
    • Add E2E testing in Drone (#7375)
      • @@ -293,10 +293,10 @@

      Release <
    • Update to v1.25.10-k3s1 (#7582)

    -

    Release v1.25.9+k3s1

    +

    Release v1.25.9+k3s1

    This release updates Kubernetes to v1.25.9, and fixes a number of issues.

    For more details on what's new, see the Kubernetes release notes.

    -

    Changes since v1.25.8+k3s1:

    +

    Changes since v1.25.8+k3s1:

    • Enhance check-config (#7164)
    • Remove deprecated nodeSelector label beta.kubernetes.io/os (#6970) (#7121)
      • @@ -324,10 +324,10 @@

      Chan
    • Update to v1.25.9-k3s1 (#7283)

    -

    Release v1.25.8+k3s1

    +

    Release v1.25.8+k3s1

    This release updates Kubernetes to v1.25.8, and fixes a number of issues.

    For more details on what's new, see the Kubernetes release notes.

    -

    Changes since v1.25.7+k3s1:

    +

    Changes since v1.25.7+k3s1:

    • Update flannel and kube-router (#7061)
    • Bump various dependencies for CVEs (#7043)
      • @@ -347,10 +347,10 @@

      Chan
    • Update flannel to fix NAT issue with old iptables version (#7138)

    -

    Release v1.25.7+k3s1

    +

    Release v1.25.7+k3s1

    This release updates Kubernetes to v1.25.7, and fixes a number of issues.

    For more details on what's new, see the Kubernetes release notes.

    -

    Changes since v1.25.6+k3s1:

    +

    Changes since v1.25.6+k3s1:

    • Add jitter to scheduled snapshots and retry harder on conflicts (#6782)
        @@ -416,10 +416,10 @@

        Chan
      • Update to v1.25.7-k3s1 (#7010)

      -

      Release v1.25.6+k3s1

      +

      Release v1.25.6+k3s1

      This release updates Kubernetes to v1.25.6, and fixes a number of issues.

      For more details on what's new, see the Kubernetes release notes.

      -

      Changes since v1.25.5+k3s2:

      +

      Changes since v1.25.5+k3s2:

      • Pass through default tls-cipher-suites (#6730)
          @@ -437,9 +437,9 @@

          Chan
        • Update to v1.25.6+k3s1 (#6775)

        -

        Release v1.25.5+k3s2

        +

        Release v1.25.5+k3s2

        This release updates containerd to v1.6.14 to resolve an issue where pods would lose their CNI information when containerd was restarted.

        -

        Changes since v1.25.5+k3s1:

        +

        Changes since v1.25.5+k3s1:

        • Bump containerd to v1.6.14-k3s1 (#6694)
            @@ -448,15 +448,15 @@

            Chan

          -

          Release v1.25.5+k3s1

          +

          Release v1.25.5+k3s1

          -

          ⚠️ WARNING

          +

          ⚠️ WARNING

          This release is affected by https://github.com/containerd/containerd/issues/7843, which causes the kubelet to restart all pods whenever K3s is restarted. For this reason, we have removed this K3s release from the channel server. Please use v1.25.5+k3s2 instead.

          This release updates Kubernetes to v1.25.5, and fixes a number of issues.

          Breaking Change: K3s no longer includes swanctl and charon binaries. If you are using the ipsec flannel backend, please ensure that the strongswan swanctl and charon packages are installed on your node before upgrading K3s to this release.

          For more details on what's new, see the Kubernetes release notes.

          -

          Changes since v1.25.4+k3s1:

          +

          Changes since v1.25.4+k3s1:

          -

          Release v1.25.4+k3s1

          +

          Release v1.25.4+k3s1

          This release updates Kubernetes to v1.25.4, and fixes a number of issues.

          For more details on what's new, see the Kubernetes release notes.

          -

          Changes since v1.25.3+k3s1:

          +

          Changes since v1.25.3+k3s1:

          • Add the gateway parameter in netplan (#6292)
          • Bumped dynamiclistener library to v0.3.5 (#6300)
            • @@ -571,10 +571,10 @@

            Chan
          • Move traefik chart repo again (#6508)

          -

          Release v1.25.3+k3s1

          +

          Release v1.25.3+k3s1

          This release updates Kubernetes to v1.25.3, and fixes a number of issues.

          For more details on what's new, see the Kubernetes release notes.

          -

          Changes since v1.25.2+k3s1:

          +

          Changes since v1.25.2+k3s1:

          • E2E: Groundwork for PR runs (#6131)
          • Fix flannel for deployments of nodes which do not belong to the same network and connect using their public IP (#6180)
            • @@ -608,10 +608,10 @@

            Chan

          -

          Release v1.25.2+k3s1

          +

          Release v1.25.2+k3s1

          This release updates Kubernetes to v1.25.2, and fixes a number of issues.

          For more details on what's new, see the Kubernetes release notes.

          -

          Changes since v1.25.0+k3s1:

          +

          Changes since v1.25.0+k3s1:

          • Add k3s v1.25 to the release channel (#6129)
          • Restore original INSTALL_K3S_SKIP_DOWNLOAD behavior (#6130)
            • @@ -620,11 +620,11 @@

            Chan
          • Update to v1.25.2-k3s1 (#6168)

          -

          Release v1.25.0+k3s1

          +

          Release v1.25.0+k3s1

          This release is K3S's first in the v1.25 line. This release updates Kubernetes to v1.25.0.

          Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.

          Important Note: Kubernetes v1.25 removes the beta PodSecurityPolicy admission plugin. Please follow the upstream documentation to migrate from PSP if using the built-in PodSecurity Admission Plugin, prior to upgrading to v1.25.0+k3s1.

          -

          Changes since v1.24.4+k3s1:

          +

          Changes since v1.24.4+k3s1:

          • Update Kubernetes to v1.25.0 (#6040)
          • Remove --containerd flag from windows kubelet args (#6028)
            • @@ -645,7 +645,7 @@

            Chan
          • Fix deprecation message (#6112)
          • Added warning message for flannel backend additional options deprecation (#6111)

          -
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/kr/release-notes/v1.26.X.html b/kr/release-notes/v1.26.X.html index e985c2e35..ded0e8b1b 100644 --- a/kr/release-notes/v1.26.X.html +++ b/kr/release-notes/v1.26.X.html @@ -2,20 +2,20 @@ - -v1.26.X | K3s - - + +v1.26.X | K3s + + -

    v1.26.X

    +

    v1.26.X

    Upgrade Notice

    Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.

    VersionRelease dateKubernetesKineSQLiteEtcdContainerdRuncFlannelMetrics-serverTraefikCoreDNSHelm-controllerLocal-path-provisioner
    v1.26.15+k3s1Mar 25 2024v1.26.15v0.11.43.44.0v3.5.9-k3s1v1.7.11-k3s2.26v1.1.12-k3s1v0.24.2v0.7.0v2.10.5v1.10.1v0.15.9v0.0.26
    v1.26.14+k3s1Feb 29 2024v1.26.14v0.11.43.44.0v3.5.9-k3s1v1.7.11-k3s2.26v1.1.12-k3s1v0.24.2v0.6.3v2.10.5v1.10.1v0.15.8v0.0.26
    v1.26.13+k3s2Feb 06 2024v1.26.13v0.11.03.42.0v3.5.9-k3s1v1.7.11-k3s2.26v1.1.12-k3s1v0.22.2v0.6.3v2.10.5v1.10.1v0.15.8v0.0.24
    v1.26.12+k3s1Dec 27 2023v1.26.12v0.11.03.42.0v3.5.9-k3s1v1.7.11-k3s2.26v1.1.10v0.22.2v0.6.3v2.10.5v1.10.1v0.15.4v0.0.24
    v1.26.11+k3s2Dec 07 2023v1.26.11v0.11.03.42.0v3.5.9-k3s1v1.7.7-k3s1.26v1.1.8v0.22.2v0.6.3v2.10.5v1.10.1v0.15.4v0.0.24
    v1.26.10+k3s2Nov 08 2023v1.26.10v0.10.33.42.0v3.5.9-k3s1v1.7.7-k3s1.26v1.1.8v0.22.2v0.6.3v2.10.5v1.10.1v0.15.4v0.0.24
    v1.26.10+k3s1Oct 30 2023v1.26.10v0.10.33.42.0v3.5.9-k3s1v1.7.7-k3s1.26v1.1.8v0.22.2v0.6.3v2.10.5v1.10.1v0.15.4v0.0.24
    v1.26.9+k3s1Sep 20 2023v1.26.9v0.10.33.42.0v3.5.9-k3s1v1.7.6-k3s1.26v1.1.8v0.22.2v0.6.3v2.9.10v1.10.1v0.15.4v0.0.24
    v1.26.8+k3s1Sep 05 2023v1.26.8v0.10.23.42.0v3.5.9-k3s1v1.7.3-k3s1v1.1.8v0.22.2v0.6.3v2.9.10v1.10.1v0.15.4v0.0.24
    v1.26.7+k3s1Jul 27 2023v1.26.7v0.10.13.39.2v3.5.7-k3s1v1.7.1-k3s1v1.1.7v0.22.0v0.6.3v2.9.10v1.10.1v0.15.2v0.0.24
    v1.26.6+k3s1Jun 26 2023v1.26.6v0.10.13.39.2v3.5.7-k3s1v1.7.1-k3s1v1.1.7v0.22.0v0.6.3v2.9.10v1.10.1v0.15.0v0.0.24
    v1.26.5+k3s1May 26 2023v1.26.5v0.10.13.39.2v3.5.7-k3s1v1.7.1-k3s1v1.1.7v0.21.4v0.6.2v2.9.10v1.10.1v0.14.0v0.0.24
    v1.26.4+k3s1Apr 20 2023v1.26.4v0.9.93.39.2v3.5.7-k3s1v1.6.19-k3s1v1.1.5v0.21.4v0.6.2v2.9.4v1.10.1v0.13.3v0.0.24
    v1.26.3+k3s1Mar 27 2023v1.26.3v0.9.93.39.2v3.5.5-k3s1v1.6.19-k3s1v1.1.4v0.21.4v0.6.2v2.9.4v1.9.4v0.13.1v0.0.23
    v1.26.2+k3s1Mar 10 2023v1.26.2v0.9.93.39.2v3.5.5-k3s1v1.6.15-k3s1v1.1.4v0.21.1v0.6.2v2.9.4v1.9.4v0.13.1v0.0.23
    v1.26.1+k3s1Jan 26 2023v1.26.1v0.9.83.39.2v3.5.5-k3s1v1.6.15-k3s1v1.1.4v0.20.2v0.6.2v2.9.4v1.9.4v0.13.1v0.0.23
    v1.26.0+k3s2Jan 11 2023v1.26.0v0.9.83.39.2v3.5.5-k3s1v1.6.14-k3s1v1.1.4v0.20.2v0.6.2v2.9.4v1.9.4v0.13.1v0.0.23
    v1.26.0+k3s1Dec 21 2022v1.26.0v0.9.83.39.2v3.5.5-k3s1v1.6.12-k3s1v1.1.4v0.20.2v0.6.2v2.9.4v1.9.4v0.13.1v0.0.23

    -

    Release v1.26.15+k3s1

    +

    Release v1.26.15+k3s1

    This release updates Kubernetes to v1.26.15, and fixes a number of issues.

    For more details on what's new, see the Kubernetes release notes.

    -

    Changes since v1.26.14+k3s1:

    +

    Changes since v1.26.14+k3s1:

    • Update klipper-lb image version (#9607)
    • Install and Unit test backports (#9645)
      • @@ -46,10 +46,10 @@

      Cha
    • Update to v1.26.15-k3s1 and Go 1.21.8 (#9740)

    -

    Release v1.26.14+k3s1

    +

    Release v1.26.14+k3s1

    This release updates Kubernetes to v1.26.14, and fixes a number of issues.

    For more details on what's new, see the Kubernetes release notes.

    -

    Changes since v1.26.13+k3s2:

    +

    Changes since v1.26.13+k3s2:

    • Chore: bump Local Path Provisioner version (#9428)
    • Bump cri-dockerd to fix compat with Docker Engine 25 (#9292)
      • @@ -74,12 +74,12 @@

      Cha
    • Fix netpol startup when flannel is disabled (#9580)

    -

    Release v1.26.13+k3s2

    +

    Release v1.26.13+k3s2

    This release updates Kubernetes to v1.26.13, and fixes a number of issues.

    For more details on what's new, see the Kubernetes release notes.

    Important Notes

    Addresses the runc CVE: CVE-2024-21626 by updating runc to v1.1.12.

    -

    Changes since v1.26.12+k3s1:

    +

    Changes since v1.26.12+k3s1:

    • Add a retry around updating a secrets-encrypt node annotations (#9123)
    • Added support for env *_PROXY variables for agent loadbalancer (#9116)
      • @@ -100,10 +100,10 @@

      Cha
    • Bump helm-controller to fix issue with ChartContent (#9348)

    -

    Release v1.26.12+k3s1

    +

    Release v1.26.12+k3s1

    This release updates Kubernetes to v1.26.12, and fixes a number of issues.

    For more details on what's new, see the Kubernetes release notes.

    -

    Changes since v1.26.11+k3s2:

    +

    Changes since v1.26.11+k3s2:

    • Runtimes backport (#9014)
        @@ -118,10 +118,10 @@

        Cha
      • Update to v1.26.12-k3s1 (#9077)

      -

      Release v1.26.11+k3s2

      +

      Release v1.26.11+k3s2

      This release updates Kubernetes to v1.26.11, and fixes a number of issues.

      For more details on what's new, see the Kubernetes release notes.

      -

      Changes since v1.26.10+k3s2:

      +

      Changes since v1.26.10+k3s2:

      • Etcd status condition (#8820)
      • Backports for 2023-11 release (#8879) @@ -156,10 +156,10 @@

        Cha
      • Remove s390x (#9000)

      -

      Release v1.26.10+k3s2

      +

      Release v1.26.10+k3s2

      This release updates Kubernetes to v1.26.10, and fixes a number of issues.

      For more details on what's new, see the Kubernetes release notes.

      -

      Changes since v1.26.10+k3s1:

      +

      Changes since v1.26.10+k3s1:

      • Fix SystemdCgroup in templates_linux.go (#8766)
          @@ -170,10 +170,10 @@

          Cha
        • Update traefik to fix registry value (#8790)

        -

        Release v1.26.10+k3s1

        +

        Release v1.26.10+k3s1

        This release updates Kubernetes to v1.26.10, and fixes a number of issues.

        For more details on what's new, see the Kubernetes release notes.

        -

        Changes since v1.26.9+k3s1:

        +

        Changes since v1.26.9+k3s1:

        • Fix error reporting (#8412)
        • Add context to flannel errors (#8420)
          • @@ -225,10 +225,10 @@

          Chan
        • Fix s3 snapshot restore (#8734)

        -

        Release v1.26.9+k3s1

        +

        Release v1.26.9+k3s1

        This release updates Kubernetes to v1.26.9, and fixes a number of issues.

        For more details on what's new, see the Kubernetes release notes.

        -

        Changes since v1.26.8+k3s1:

        +

        Changes since v1.26.8+k3s1:

        • Bump kine to v0.10.3 (#8325)
        • Update to v1.26.9 and go to v1.20.8 (#8357) @@ -241,11 +241,11 @@

          Chan

        -

        Release v1.26.8+k3s1

        +

        Release v1.26.8+k3s1

        This release updates Kubernetes to v1.26.8, and fixes a number of issues.

        Important

        This release includes support for remediating CVE-2023-32187, a potential Denial of Service attack vector on K3s servers. See https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2 for more information, including mandatory steps necessary to harden clusters against this vulnerability.

        For more details on what's new, see the Kubernetes release notes.

        -

        Changes since v1.26.7+k3s1:

        +

        Changes since v1.26.7+k3s1:

        • Update flannel and plugins (#8075)
        • Fix tailscale bug with ip modes (#8097)
          • @@ -291,12 +291,12 @@

          Chan
        • Add RWMutex to address controller (#8274)

        -

        Release v1.26.7+k3s1

        +

        Release v1.26.7+k3s1

        This release updates Kubernetes to v1.26.7, and fixes a number of issues. ​ For more details on what's new, see the Kubernetes release notes. ​

        -

        Changes since v1.26.6+k3s1:

        +

        Changes since v1.26.6+k3s1:

        • Remove file_windows.go (#7855)
          • @@ -325,10 +325,10 @@

          Chan ​

        -

        Release v1.26.6+k3s1

        +

        Release v1.26.6+k3s1

        This release updates Kubernetes to v1.26.6, and fixes a number of issues.

        For more details on what's new, see the Kubernetes release notes.

        -

        Changes since v1.26.5+k3s1:

        +

        Changes since v1.26.5+k3s1:

        • Update flannel version (#7648)
        • Bump vagrant libvirt with fix for plugin installs (#7658)
          • @@ -361,10 +361,10 @@

          Chan
        • Update Kubernetes to v1.26.6 (#7789)

        -

        Release v1.26.5+k3s1

        +

        Release v1.26.5+k3s1

        This release updates Kubernetes to v1.26.5, and fixes a number of issues.

        For more details on what's new, see the Kubernetes release notes.

        -

        Changes since v1.26.4+k3s1:

        +

        Changes since v1.26.4+k3s1:

        • Ensure that klog verbosity is set to the same level as logrus (#7360)
        • Prepend release branch to dependabot (#7374)
          • @@ -413,10 +413,10 @@

          Chan
        • Pin emicklei/go-restful to v3.9.0 (#7598)

        -

        Release v1.26.4+k3s1

        +

        Release v1.26.4+k3s1

        This release updates Kubernetes to v1.26.4, and fixes a number of issues.

        For more details on what's new, see the Kubernetes release notes.

        -

        Changes since v1.26.3+k3s1:

        +

        Changes since v1.26.3+k3s1:

        • Enhance k3s check-config (#7091)
        • Update stable channel to v1.25.8+k3s1 (#7161)
          • @@ -484,10 +484,10 @@

          Chan
        • Bump Trivy version (#7257)

        -

        Release v1.26.3+k3s1

        +

        Release v1.26.3+k3s1

        This release updates Kubernetes to v1.26.3, and fixes a number of issues.

        For more details on what's new, see the Kubernetes release notes.

        -

        Changes since v1.26.2+k3s1:

        +

        Changes since v1.26.2+k3s1:

        • Add E2E to Drone (#6890)
        • Add flannel adr (#6973)
          • @@ -523,10 +523,10 @@

          Chan
        • Update flannel to fix NAT issue with old iptables version (#7136)

        -

        Release v1.26.2+k3s1

        +

        Release v1.26.2+k3s1

        This release updates Kubernetes to v1.26.2, and fixes a number of issues.

        For more details on what's new, see the Kubernetes release notes.

        -

        Changes since v1.26.1+k3s1:

        +

        Changes since v1.26.1+k3s1:

        • Add build tag to disable cri-dockerd (#6760)
        • Bump cri-dockerd (#6797) @@ -600,10 +600,10 @@

          Chan
        • Update to v1.26.2-k3s1 (#7011)

        -

        Release v1.26.1+k3s1

        +

        Release v1.26.1+k3s1

        This release updates Kubernetes to v1.26.1, and fixes a number of issues.

        For more details on what's new, see the Kubernetes release notes.

        -

        Changes since v1.26.0+k3s2:

        +

        Changes since v1.26.0+k3s2:

        • Add jitter to scheduled snapshots and retry harder on conflicts (#6715)
            @@ -638,10 +638,10 @@

            Chan
          • Update to v1.26.1-k3s1 (#6774)

          -

          Release v1.26.0+k3s2

          +

          Release v1.26.0+k3s2

          This release updates containerd to v1.6.14 to resolve an issue where pods would lose their CNI information when containerd was restarted, as well as a number of other stability and administrative changes.

          Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.

          -

          Changes since v1.26.0+k3s1:

          +

          Changes since v1.26.0+k3s1:

          • Current status badges (#6653)
          • Add initial Updatecli ADR automation (#6583)
            • @@ -657,14 +657,14 @@

            Chan
          • Exclude December r1 releases from channel server (#6706)

          -

          Release v1.26.0+k3s1

          +

          Release v1.26.0+k3s1

          -

          ⚠️ WARNING

          +

          ⚠️ WARNING

          This release is affected by https://github.com/containerd/containerd/issues/7843, which causes the kubelet to restart all pods whenever K3s is restarted. For this reason, we have removed this K3s release from the channel server. Please use v1.26.0+k3s2 instead.

          This release is K3S's first in the v1.26 line. This release updates Kubernetes to v1.26.0.

          Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.

          -

          Changes since v1.25.5+k3s1:

          +

          Changes since v1.25.5+k3s1:

          • Remove deprecated flags in v1.26 (#6574)
          • Using "etcd-snapshot" for saving snapshots is now deprecated, use "etcd-snapshot save" instead. (#6575)
            • @@ -707,7 +707,7 @@

            Chan
          • Preload iptable_filter/ip6table_filter (#6645)
          • Bump k3s-root version to v0.12.1 (#6651)

          -
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/kr/release-notes/v1.27.X.html b/kr/release-notes/v1.27.X.html index b2e8c617d..e2009a6e5 100644 --- a/kr/release-notes/v1.27.X.html +++ b/kr/release-notes/v1.27.X.html @@ -2,20 +2,20 @@ - -v1.27.X | K3s - - + +v1.27.X | K3s + + -

    v1.27.X

    +

    v1.27.X

    Upgrade Notice

    Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.

    VersionRelease dateKubernetesKineSQLiteEtcdContainerdRuncFlannelMetrics-serverTraefikCoreDNSHelm-controllerLocal-path-provisioner
    v1.27.16+k3s1Jul 31 2024v1.27.16v0.11.113.44.0v3.5.13-k3s1v1.7.17-k3s2.27v1.1.12v0.25.4v0.7.0v2.10.7v1.10.1v0.15.10v0.0.28
    v1.27.15+k3s2Jul 03 2024v1.27.15v0.11.93.44.0v3.5.13-k3s1v1.7.17-k3s2.27v1.1.12v0.25.4v0.7.0v2.10.7v1.10.1v0.15.10v0.0.27
    v1.27.15+k3s1Jun 25 2024v1.27.15v0.11.93.44.0v3.5.13-k3s1v1.7.17-k3s2.27v1.1.12v0.25.2v0.7.0v2.10.7v1.10.1v0.15.10v0.0.27
    v1.27.14+k3s1May 22 2024v1.27.14v0.11.73.44.0v3.5.9-k3s1v1.7.15-k3s1.27v1.1.12-k3s1v0.24.2v0.7.0v2.10.7v1.10.1v0.15.9v0.0.26
    v1.27.13+k3s1Apr 25 2024v1.27.13v0.11.73.44.0v3.5.9-k3s1v1.7.15-k3s1.27v1.1.12v0.24.2v0.7.0v2.10.7v1.10.1v0.15.9v0.0.26
    v1.27.12+k3s1Mar 25 2024v1.27.12v0.11.43.44.0v3.5.9-k3s1v1.7.11-k3s2.27v1.1.12-k3s1v0.24.2v0.7.0v2.10.5v1.10.1v0.15.9v0.0.26
    v1.27.11+k3s1Feb 29 2024v1.27.11v0.11.43.44.0v3.5.9-k3s1v1.7.11-k3s2.27v1.1.12-k3s1v0.24.2v0.6.3v2.10.5v1.10.1v0.15.8v0.0.26
    v1.27.10+k3s2Feb 06 2024v1.27.10v0.11.03.42.0v3.5.9-k3s1v1.7.11-k3s2.27v1.1.12-k3s1v0.22.2v0.6.3v2.10.5v1.10.1v0.15.8v0.0.24
    v1.27.9+k3s1Dec 27 2023v1.27.9v0.11.03.42.0v3.5.9-k3s1v1.7.11-k3s2.27v1.1.10v0.22.2v0.6.3v2.10.5v1.10.1v0.15.4v0.0.24
    v1.27.8+k3s2Dec 07 2023v1.27.8v0.11.03.42.0v3.5.9-k3s1v1.7.7-k3s1.27v1.1.8v0.22.2v0.6.3v2.10.5v1.10.1v0.15.4v0.0.24
    v1.27.7+k3s2Nov 08 2023v1.27.7v0.10.33.42.0v3.5.9-k3s1v1.7.7-k3s1.27v1.1.8v0.22.2v0.6.3v2.10.5v1.10.1v0.15.4v0.0.24
    v1.27.7+k3s1Oct 30 2023v1.27.7v0.10.33.42.0v3.5.9-k3s1v1.7.7-k3s1.27v1.1.8v0.22.2v0.6.3v2.10.5v1.10.1v0.15.4v0.0.24
    v1.27.6+k3s1Sep 20 2023v1.27.6v0.10.33.42.0v3.5.9-k3s1v1.7.6-k3s1.27v1.1.8v0.22.2v0.6.3v2.9.10v1.10.1v0.15.4v0.0.24
    v1.27.5+k3s1Sep 05 2023v1.27.5v0.10.23.42.0v3.5.9-k3s1v1.7.3-k3s1v1.1.8v0.22.2v0.6.3v2.9.10v1.10.1v0.15.4v0.0.24
    v1.27.4+k3s1Jul 27 2023v1.27.4v0.10.13.39.2v3.5.7-k3s1v1.7.1-k3s1v1.1.7v0.22.0v0.6.3v2.9.10v1.10.1v0.15.2v0.0.24
    v1.27.3+k3s1Jun 26 2023v1.27.3v0.10.13.39.2v3.5.7-k3s1v1.7.1-k3s1v1.1.7v0.22.0v0.6.3v2.9.10v1.10.1v0.15.0v0.0.24
    v1.27.2+k3s1May 26 2023v1.27.2v0.10.13.39.2v3.5.7-k3s1v1.7.1-k3s1v1.1.7v0.21.4v0.6.2v2.9.10v1.10.1v0.14.0v0.0.24
    v1.27.1+k3s1Apr 27 2023v1.27.1v0.9.93.39.2v3.5.7-k3s1v1.6.19-k3s1v1.1.5v0.21.4v0.6.2v2.9.4v1.10.1v0.13.3v0.0.24

    -

    Release v1.27.16+k3s1

    +

    Release v1.27.16+k3s1

    This release updates Kubernetes to v1.27.16, and fixes a number of issues.

    For more details on what's new, see the Kubernetes release notes.

    -

    Changes since v1.27.15+k3s2:

    +

    Changes since v1.27.15+k3s2:

    • Backports for 2024-07 release cycle (#10500)
        @@ -32,18 +32,18 @@

        Cha
      • Fix issues loading data-dir value from env vars or dropping config files (#10599)

      -

      Release v1.27.15+k3s2

      +

      Release v1.27.15+k3s2

      This release updates Kubernetes to v1.27.15, and fixes a number of issues.

      For more details on what's new, see the Kubernetes release notes.

      -

      Changes since v1.27.15+k3s1:

      +

      Changes since v1.27.15+k3s1:

      • Update flannel to v0.25.4 and fixed issue with IPv6 mask (#10429)
      -

      Release v1.27.15+k3s1

      +

      Release v1.27.15+k3s1

      This release updates Kubernetes to v1.27.15, and fixes a number of issues.

      For more details on what's new, see the Kubernetes release notes.

      -

      Changes since v1.27.14+k3s1:

      +

      Changes since v1.27.14+k3s1:

      • Replace deprecated ruby function (#10089)
      • Fix bug when using tailscale config by file (#10143)
        • @@ -87,20 +87,20 @@

        Cha
      • Fix issue that allowed multiple simultaneous snapshots to be allowed (#10378)

      -

      Release v1.27.14+k3s1

      +

      Release v1.27.14+k3s1

      This release updates Kubernetes to v1.27.14, and fixes a number of issues.

      For more details on what's new, see the Kubernetes release notes.

      -

      Changes since v1.27.13+k3s1:

      +

      Changes since v1.27.13+k3s1:

      • Bump E2E opensuse leap to 15.6, fix btrfs test (#10096)
      • Windows changes (#10113)
      • Update to v1.27.14-k3s1 and Go 1.21.9 (#10103)
      -

      Release v1.27.13+k3s1

      +

      Release v1.27.13+k3s1

      This release updates Kubernetes to v1.27.13, and fixes a number of issues.

      For more details on what's new, see the Kubernetes release notes.

      -

      Changes since v1.27.12+k3s1:

      +

      Changes since v1.27.12+k3s1:

      • Add a new error when kine is with disable apiserver or disable etcd (#9803)
      • Remove old pinned dependencies (#9828)
        • @@ -137,10 +137,10 @@

        Cha
      • Make /db/info available anonymously from localhost (#10003)

      -

      Release v1.27.12+k3s1

      +

      Release v1.27.12+k3s1

      This release updates Kubernetes to v1.27.12, and fixes a number of issues.

      For more details on what's new, see the Kubernetes release notes.

      -

      Changes since v1.27.11+k3s1:

      +

      Changes since v1.27.11+k3s1:

      • Add an integration test for flannel-backend=none (#9609)
      • Install and Unit test backports (#9642)
        • @@ -172,10 +172,10 @@

        Cha
      • Update to v1.27.12-k3s1 and Go 1.21.8 (#9745)

      -

      Release v1.27.11+k3s1

      +

      Release v1.27.11+k3s1

      This release updates Kubernetes to v1.27.11, and fixes a number of issues.

      For more details on what's new, see the Kubernetes release notes.

      -

      Changes since v1.27.10+k3s2:

      +

      Changes since v1.27.10+k3s2:

      • Chore: bump Local Path Provisioner version (#9427)
      • Bump cri-dockerd to fix compat with Docker Engine 25 (#9291)
        • @@ -200,12 +200,12 @@

        Cha
      • Fix netpol startup when flannel is disabled (#9579)

      -

      Release v1.27.10+k3s2

      +

      Release v1.27.10+k3s2

      This release updates Kubernetes to v1.27.10, and fixes a number of issues.

      For more details on what's new, see the Kubernetes release notes.

      Important Notes

      Addresses the runc CVE: CVE-2024-21626 by updating runc to v1.1.12.

      -

      Changes since v1.27.9+k3s1:

      +

      Changes since v1.27.9+k3s1:

      • Add a retry around updating a secrets-encrypt node annotations (#9124)
      • Added support for env *_PROXY variables for agent loadbalancer (#9117)
        • @@ -226,10 +226,10 @@

        Chan
      • Bump helm-controller to fix issue with ChartContent (#9347)

      -

      Release v1.27.9+k3s1

      +

      Release v1.27.9+k3s1

      This release updates Kubernetes to v1.27.9, and fixes a number of issues.

      For more details on what's new, see the Kubernetes release notes.

      -

      Changes since v1.27.8+k3s2:

      +

      Changes since v1.27.8+k3s2:

      • Bump containerd/runc to v1.7.10-k3s1/v1.1.10 (#8963)
      • Fix overlapping address range (#9018)
        • @@ -243,10 +243,10 @@

        Chan
      • Update to v1.27.9-k3s1 (#9078)

      -

      Release v1.27.8+k3s2

      +

      Release v1.27.8+k3s2

      This release updates Kubernetes to v1.27.8, and fixes a number of issues.

      For more details on what's new, see the Kubernetes release notes.

      -

      Changes since v1.27.7+k3s2:

      +

      Changes since v1.27.7+k3s2:

      • Etcd status condition (#8821)
      • Add warning for removal of multiclustercidr flag (#8759)
        • @@ -282,10 +282,10 @@

        Chan
      • Remove s390x (#8999)

      -

      Release v1.27.7+k3s2

      +

      Release v1.27.7+k3s2

      This release updates Kubernetes to v1.27.7, and fixes a number of issues.

      For more details on what's new, see the Kubernetes release notes.

      -

      Changes since v1.27.7+k3s1:

      +

      Changes since v1.27.7+k3s1:

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/kr/release-notes/v1.28.X.html b/kr/release-notes/v1.28.X.html index adb0e51c2..9543f0527 100644 --- a/kr/release-notes/v1.28.X.html +++ b/kr/release-notes/v1.28.X.html @@ -2,20 +2,20 @@ - -v1.28.X | K3s - - + +v1.28.X | K3s + + -

    v1.28.X

    +

    v1.28.X

    Upgrade Notice

    Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.

    VersionRelease dateKubernetesKineSQLiteEtcdContainerdRuncFlannelMetrics-serverTraefikCoreDNSHelm-controllerLocal-path-provisioner
    v1.28.12+k3s1Jul 31 2024v1.28.12v0.11.113.44.0v3.5.13-k3s1v1.7.17-k3s1.28v1.1.12v0.25.4v0.7.0v2.10.7v1.10.1v0.15.10v0.0.28
    v1.28.11+k3s2Jul 03 2024v1.28.11v0.11.93.44.0v3.5.13-k3s1v1.7.17-k3s1.28v1.1.12v0.25.4v0.7.0v2.10.7v1.10.1v0.15.10v0.0.27
    v1.28.11+k3s1Jun 25 2024v1.28.11v0.11.93.44.0v3.5.13-k3s1v1.7.17-k3s1.28v1.1.12v0.25.2v0.7.0v2.10.7v1.10.1v0.15.10v0.0.27
    v1.28.10+k3s1May 22 2024v1.28.10v0.11.73.44.0v3.5.9-k3s1v1.7.15-k3s1v1.1.12-k3s1v0.24.2v0.7.0v2.10.7v1.10.1v0.15.9v0.0.26
    v1.28.9+k3s1Apr 25 2024v1.28.9v0.11.73.44.0v3.5.9-k3s1v1.7.15-k3s1v1.1.12v0.24.2v0.7.0v2.10.7v1.10.1v0.15.9v0.0.26
    v1.28.8+k3s1Mar 25 2024v1.28.8v0.11.43.44.0v3.5.9-k3s1v1.7.11-k3s2v1.1.12-k3s1v0.24.2v0.7.0v2.10.5v1.10.1v0.15.9v0.0.26
    v1.28.7+k3s1Feb 29 2024v1.28.7v0.11.43.44.0v3.5.9-k3s1v1.7.11-k3s2v1.1.12-k3s1v0.24.2v0.6.3v2.10.5v1.10.1v0.15.8v0.0.26
    v1.28.6+k3s2Feb 06 2024v1.28.6v0.11.03.42.0v3.5.9-k3s1v1.7.11-k3s2v1.1.12-k3s1v0.22.2v0.6.3v2.10.5v1.10.1v0.15.8v0.0.24
    v1.28.5+k3s1Dec 27 2023v1.28.5v0.11.03.42.0v3.5.9-k3s1v1.7.11-k3s2v1.1.10v0.22.2v0.6.3v2.10.5v1.10.1v0.15.4v0.0.24
    v1.28.4+k3s2Dec 06 2023v1.28.4v0.11.03.42.0v3.5.9-k3s1v1.7.7-k3s1v1.1.8v0.22.2v0.6.3v2.10.5v1.10.1v0.15.4v0.0.24
    v1.28.3+k3s2Nov 08 2023v1.28.3v0.10.33.42.0v3.5.9-k3s1v1.7.7-k3s1v1.1.8v0.22.2v0.6.3v2.10.5v1.10.1v0.15.4v0.0.24
    v1.28.3+k3s1Oct 30 2023v1.28.3v0.10.33.42.0v3.5.9-k3s1v1.7.7-k3s1v1.1.8v0.22.2v0.6.3v2.10.5v1.10.1v0.15.4v0.0.24
    v1.28.2+k3s1Sep 20 2023v1.28.2v0.10.33.42.0v3.5.9-k3s1v1.7.6-k3s1v1.1.8v0.22.2v0.6.3v2.9.10v1.10.1v0.15.4v0.0.24
    v1.28.1+k3s1Sep 08 2023v1.28.1v0.10.33.42.0v3.5.9-k3s1v1.7.3-k3s2v1.1.8v0.22.2v0.6.3v2.9.10v1.10.1v0.15.4v0.0.24

    -

    Release v1.28.12+k3s1

    +

    Release v1.28.12+k3s1

    This release updates Kubernetes to v1.28.12, and fixes a number of issues.

    For more details on what's new, see the Kubernetes release notes.

    -

    Changes since v1.28.11+k3s2:

    +

    Changes since v1.28.11+k3s2:

    • Backports for 2024-07 release cycle (#10499)
        @@ -32,18 +32,18 @@

        Cha
      • Fix issues loading data-dir value from env vars or dropping config files (#10598)

      -

      Release v1.28.11+k3s2

      +

      Release v1.28.11+k3s2

      This release updates Kubernetes to v1.28.11, and fixes a number of issues.

      For more details on what's new, see the Kubernetes release notes.

      -

      Changes since v1.28.11+k3s1:

      +

      Changes since v1.28.11+k3s1:

      • Update flannel to v0.25.4 and fixed issue with IPv6 mask (#10428)
      -

      Release v1.28.11+k3s1

      +

      Release v1.28.11+k3s1

      This release updates Kubernetes to v1.28.11, and fixes a number of issues.

      For more details on what's new, see the Kubernetes release notes.

      -

      Changes since v1.28.10+k3s1:

      +

      Changes since v1.28.10+k3s1:

      • Replace deprecated ruby function (#10090)
      • Fix bug when using tailscale config by file (#10144)
        • @@ -83,20 +83,20 @@

        Cha
      • Fix issue that allowed multiple simultaneous snapshots to be allowed (#10377)

      -

      Release v1.28.10+k3s1

      +

      Release v1.28.10+k3s1

      This release updates Kubernetes to v1.28.10, and fixes a number of issues.

      For more details on what's new, see the Kubernetes release notes.

      -

      Changes since v1.28.9+k3s1:

      +

      Changes since v1.28.9+k3s1:

      -

      Release v1.28.9+k3s1

      +

      Release v1.28.9+k3s1

      This release updates Kubernetes to v1.28.9, and fixes a number of issues.

      For more details on what's new, see the Kubernetes release notes.

      -

      Changes since v1.28.8+k3s1:

      +

      Changes since v1.28.8+k3s1:

      • Add a new error when kine is with disable apiserver or disable etcd (#9804)
      • Remove old pinned dependencies (#9827)
        • @@ -133,10 +133,10 @@

        Chan
      • Make /db/info available anonymously from localhost (#10002)

      -

      Release v1.28.8+k3s1

      +

      Release v1.28.8+k3s1

      This release updates Kubernetes to v1.28.8, and fixes a number of issues.

      For more details on what's new, see the Kubernetes release notes.

      -

      Changes since v1.28.7+k3s1:

      +

      Changes since v1.28.7+k3s1:

      • Add an integration test for flannel-backend=none (#9608)
      • Install and Unit test backports (#9641)
        • @@ -169,10 +169,10 @@

        Chan
      • Update to v1.28.8-k3s1 and Go 1.21.8 (#9746)

      -

      Release v1.28.7+k3s1

      +

      Release v1.28.7+k3s1

      This release updates Kubernetes to v1.28.7, and fixes a number of issues.

      For more details on what's new, see the Kubernetes release notes.

      -

      Changes since v1.28.6+k3s2:

      +

      Changes since v1.28.6+k3s2:

      • Chore: bump Local Path Provisioner version (#9426)
      • Bump cri-dockerd to fix compat with Docker Engine 25 (#9293)
        • @@ -197,12 +197,12 @@

        Chan
      • Fix netpol startup when flannel is disabled (#9578)

      -

      Release v1.28.6+k3s2

      +

      Release v1.28.6+k3s2

      This release updates Kubernetes to v1.28.6, and fixes a number of issues.

      For more details on what's new, see the Kubernetes release notes.

      Important Notes

      Addresses the runc CVE: CVE-2024-21626 by updating runc to v1.1.12.

      -

      Changes since v1.28.5+k3s1:

      +

      Changes since v1.28.5+k3s1:

      • Add a retry around updating a secrets-encrypt node annotations (#9125)
      • Wait for taint to be gone in the node before starting the netpol controller (#9175)
        • @@ -222,10 +222,10 @@

        Chan
      • Bump helm-controller to fix issue with ChartContent (#9346)

      -

      Release v1.28.5+k3s1

      +

      Release v1.28.5+k3s1

      This release updates Kubernetes to v1.28.5, and fixes a number of issues.

      For more details on what's new, see the Kubernetes release notes.

      -

      Changes since v1.28.4+k3s1:

      +

      Changes since v1.28.4+k3s1:

      • Remove s390x steps temporarily since runners are disabled (#8983)
      • Remove s390x from manifest (#8998)
        • @@ -244,10 +244,10 @@

        Chan
      • Update to v1.28.5-k3s1 (#9081)

      -

      Release v1.28.4+k3s2

      +

      Release v1.28.4+k3s2

      This release updates Kubernetes to v1.28.4, and fixes a number of issues.

      For more details on what's new, see the Kubernetes release notes.

      -

      Changes since v1.28.3+k3s2:

      +

      Changes since v1.28.3+k3s2:

      • Update channels latest to v1.27.7+k3s2 (#8799)
      • Add etcd status condition (#8724) @@ -326,10 +326,10 @@

        Chan
      • Remove s390x from manifest (#8998)

      -

      Release v1.28.3+k3s2

      +

      Release v1.28.3+k3s2

      This release updates Kubernetes to v1.28.3, and fixes a number of issues.

      For more details on what's new, see the Kubernetes release notes.

      -

      Changes since v1.28.3+k3s1:

      +

      Changes since v1.28.3+k3s1:

      • Restore selinux context systemd unit file (#8593)
      • Update channel to v1.27.7+k3s1 (#8753)
        • @@ -345,10 +345,10 @@

        Chan
      • Don't use iptables-save/iptables-restore if it will corrupt rules (#8795)

      -

      Release v1.28.3+k3s1

      +

      Release v1.28.3+k3s1

      This release updates Kubernetes to v1.28.3, and fixes a number of issues.

      For more details on what's new, see the Kubernetes release notes.

      -

      Changes since v1.28.2+k3s1:

      +

      Changes since v1.28.2+k3s1:

      • Fix error reporting (#8250)
      • Add context to flannel errors (#8284)
        • @@ -436,10 +436,10 @@

        Chan
      • Fix s3 snapshot restore (#8729)

      -

      Release v1.28.2+k3s1

      +

      Release v1.28.2+k3s1

      This release updates Kubernetes to v1.28.2, and fixes a number of issues.

      For more details on what's new, see the Kubernetes release notes.

      -

      Changes since v1.28.1+k3s1:

      +

      Changes since v1.28.1+k3s1:

      • Update channel for version v1.28 (#8305)
      • Bump kine to v0.10.3 (#8323)
        • @@ -453,12 +453,12 @@

        Chan

      -

      Release v1.28.1+k3s1

      +

      Release v1.28.1+k3s1

      This release is K3S's first in the v1.28 line. This release updates Kubernetes to v1.28.1.

      Important

      This release includes remediation for CVE-2023-32187, a potential Denial of Service attack vector on K3s servers. See https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2 for more information, including documentation on changes in behavior that harden clusters against this vulnerability.

      Critical Regression

      Kubernetes v1.28 contains a critical regression (kubernetes/kubernetes#120247) that causes init containers to run at the same time as app containers following a restart of the node. This issue will be fixed in v1.28.2. We do not recommend using K3s v1.28 at this time if your application depends on init containers.

      For more details on what's new, see the Kubernetes release notes.

      -

      Changes since v1.27.5+k3s1:

      +

      Changes since v1.27.5+k3s1:

      • Update to v1.28.1 (#8239)
      • CLI Removal for v1.28.0 (#8203)
        • @@ -470,7 +470,7 @@

        Chan
      • Add RWMutex to address controller (#8268)

      -
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/kr/release-notes/v1.29.X.html b/kr/release-notes/v1.29.X.html index e85bf23ee..73a2ba470 100644 --- a/kr/release-notes/v1.29.X.html +++ b/kr/release-notes/v1.29.X.html @@ -2,20 +2,20 @@ - -v1.29.X | K3s - - + +v1.29.X | K3s + + -

    v1.29.X

    +

    v1.29.X

    Upgrade Notice

    Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.

    VersionRelease dateKubernetesKineSQLiteEtcdContainerdRuncFlannelMetrics-serverTraefikCoreDNSHelm-controllerLocal-path-provisioner
    v1.29.7+k3s1Jul 31 2024v1.29.7v0.11.113.44.0v3.5.13-k3s1v1.7.17-k3s1v1.1.12v0.25.4v0.7.0v2.10.7v1.10.1v0.15.10v0.0.28
    v1.29.6+k3s2Jul 03 2024v1.29.6v0.11.93.44.0v3.5.13-k3s1v1.7.17-k3s1v1.1.12-v0.25.4v0.7.0v2.10.7v1.10.1v0.15.10v0.0.27
    v1.29.6+k3s1Jun 25 2024v1.29.6v0.11.93.44.0v3.5.13-k3s1v1.7.17-k3s1v1.1.12v0.25.2v0.7.0v2.10.7v1.10.1v0.15.10v0.0.27
    v1.29.5+k3s1May 22 2024v1.29.5v0.11.73.44.0v3.5.9-k3s1v1.7.15-k3s1v1.1.12-k3s1v0.24.2v0.7.0v2.10.7v1.10.1v0.15.9v0.0.26
    v1.29.4+k3s1Apr 25 2024v1.29.4v0.11.73.44.0v3.5.9-k3s1v1.7.15-k3s1v1.1.12v0.24.2v0.7.0v2.10.7v1.10.1v0.15.9v0.0.26
    v1.29.3+k3s1Mar 25 2024v1.29.3v0.11.43.44.0v3.5.9-k3s1v1.7.11-k3s2v1.1.12-k3s1v0.24.2v0.7.0v2.10.5v1.10.1v0.15.9v0.0.26
    v1.29.2+k3s1Feb 29 2024v1.29.2v0.11.43.44.0v3.5.9-k3s1v1.7.11-k3s2v1.1.12-k3s1v0.24.2v0.6.3v2.10.5v1.10.1v0.15.8v0.0.26
    v1.29.1+k3s2Feb 06 2024v1.29.1v0.11.03.42.0v3.5.9-k3s1v1.7.11-k3s2v1.1.12-k3s1v0.24.0v0.6.3v2.10.5v1.10.1v0.15.8v0.0.24
    v1.29.0+k3s1Dec 22 2023v1.29.0v0.11.03.42.0v3.5.9-k3s1v1.7.11-k3s2v1.1.10v0.24.0v0.6.3v2.10.5v1.10.1v0.15.4v0.0.24

    -

    Release v1.29.7+k3s1

    +

    Release v1.29.7+k3s1

    This release updates Kubernetes to v1.29.7, and fixes a number of issues.

    For more details on what's new, see the Kubernetes release notes.

    -

    Changes since v1.29.6+k3s2:

    +

    Changes since v1.29.6+k3s2:

    • Backports for 2024-07 release cycle (#10498)
        @@ -32,18 +32,18 @@

        Chan
      • Fix issues loading data-dir value from env vars or dropping config files (#10597)

      -

      Release v1.29.6+k3s2

      +

      Release v1.29.6+k3s2

      This release updates Kubernetes to v1.29.6, and fixes a number of issues.

      For more details on what's new, see the Kubernetes release notes.

      -

      Changes since v1.29.6+k3s1:

      +

      Changes since v1.29.6+k3s1:

      • Update flannel to v0.25.4 and fixed issue with IPv6 mask (#10427)
      -

      Release v1.29.6+k3s1

      +

      Release v1.29.6+k3s1

      This release updates Kubernetes to v1.29.6, and fixes a number of issues.

      For more details on what's new, see the Kubernetes release notes.

      -

      Changes since v1.29.5+k3s1:

      +

      Changes since v1.29.5+k3s1:

      • Fix bug when using tailscale config by file (#10142)
      • Bump flannel version to v0.25.2 (#10220)
        • @@ -83,10 +83,10 @@

        Chan
      • Fix issue that allowed multiple simultaneous snapshots to be allowed (#10376)

      -

      Release v1.29.5+k3s1

      +

      Release v1.29.5+k3s1

      This release updates Kubernetes to v1.29.5, and fixes a number of issues.

      For more details on what's new, see the Kubernetes release notes.

      -

      Changes since v1.29.4+k3s1:

      +

      Changes since v1.29.4+k3s1:

      • Update stable channel to v1.29.4+k3s1 (#10031)
      • Add E2E Split Server to Drone, support parallel testing in Drone (#9940)
        • @@ -97,10 +97,10 @@

        Chan
      • Update to v1.29.5-k3s1 and Go 1.21.9 (#10108)

      -

      Release v1.29.4+k3s1

      +

      Release v1.29.4+k3s1

      This release updates Kubernetes to v1.29.4, and fixes a number of issues.

      For more details on what's new, see the Kubernetes release notes.

      -

      Changes since v1.29.3+k3s1:

      +

      Changes since v1.29.3+k3s1:

      • Send error response if member list cannot be retrieved (#9722)
      • Respect cloud-provider fields set by kubelet (#9721) @@ -165,10 +165,10 @@

        Chan
      • Make /db/info available anonymously from localhost (#10001)

      -

      Release v1.29.3+k3s1

      +

      Release v1.29.3+k3s1

      This release updates Kubernetes to v1.29.3, and fixes a number of issues.

      For more details on what's new, see the Kubernetes release notes.

      -

      Changes since v1.29.2+k3s1:

      +

      Changes since v1.29.2+k3s1:

      • Testing ADR (#9562)
      • Unit Testing Matrix and Actions bump (#9479)
        • @@ -235,10 +235,10 @@

        Chan
      • Update to v1.29.3-k3s1 and Go 1.21.8 (#9747)

      -

      Release v1.29.2+k3s1

      +

      Release v1.29.2+k3s1

      This release updates Kubernetes to v1.29.2, and fixes a number of issues.

      For more details on what's new, see the Kubernetes release notes.

      -

      Changes since v1.29.1+k3s2:

      +

      Changes since v1.29.1+k3s2:

      • Bump Local Path Provisioner version (#8953)
      • Add ability to install K3s PR Artifact from GitHub (#9185) @@ -300,12 +300,12 @@

        Chan
      • Fix netpol startup when flannel is disabled (#9571)

      -

      Release v1.29.1+k3s2

      +

      Release v1.29.1+k3s2

      This release updates Kubernetes to v1.29.1, and fixes a number of issues.

      For more details on what's new, see the Kubernetes release notes.

      Important Notes

      Addresses the runc CVE: CVE-2024-21626 by updating runc to v1.1.12.

      -

      Changes since v1.29.0+k3s1:

      +

      Changes since v1.29.0+k3s1:

      • Bump Sonobuoy version (#8910)
      • Bump actions/setup-go from 4 to 5 (#9036)
        • @@ -364,12 +364,12 @@

        Chan
      • Bump helm-controller to fix issue with ChartContent (#9345)

      -

      Release v1.29.0+k3s1

      +

      Release v1.29.0+k3s1

      This release is K3S's first in the v1.29 line. This release updates Kubernetes to v1.29.0.

      Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.

      Important

      This release removes the experimental rotate-keys subcommand due to changes in Kubernetes upstream for KMSv2, the subcommand should be added back in future releases.

      Important

      This release also removes the multi-cluster-cidr flag, since the support for this alpha feature has been removed completely from Kubernetes upstream, this flag should be removed from the configuration before upgrade.

      -

      Changes since v1.28.4+k3s2:

      +

      Changes since v1.28.4+k3s2:

      • Fix overlapping address range (#8913)
      • Modify CONTRIBUTING.md guide (#8954)
        • @@ -389,7 +389,7 @@

        Chan
      • Update flannel to v0.24.0 and remove multiclustercidr flag (#9075)
      • Remove rotate-keys subcommand (#9079)

      -
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/kr/release-notes/v1.30.X.html b/kr/release-notes/v1.30.X.html index fd21c07da..f972aa6d0 100644 --- a/kr/release-notes/v1.30.X.html +++ b/kr/release-notes/v1.30.X.html @@ -2,20 +2,20 @@ - -v1.30.X | K3s - - + +v1.30.X | K3s + + -

    v1.30.X

    +

    v1.30.X

    Upgrade Notice

    Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.

    VersionRelease dateKubernetesKineSQLiteEtcdContainerdRuncFlannelMetrics-serverTraefikCoreDNSHelm-controllerLocal-path-provisioner
    v1.30.3+k3s1Jul 31 2024v1.30.3v0.11.113.44.0v3.5.13-k3s1v1.7.17-k3s1v1.1.12v0.25.4v0.7.0v2.10.7v1.10.1v0.16.1v0.0.28
    v1.30.2+k3s2Jul 03 2024v1.30.2v0.11.93.44.0v3.5.13-k3s1v1.7.17-k3s1v1.1.12v0.25.4v0.7.0v2.10.7v1.10.1v0.16.1v0.0.27
    v1.30.2+k3s1Jun 25 2024v1.30.2v0.11.93.44.0v3.5.13-k3s1v1.7.17-k3s1v1.1.12v0.25.2v0.7.0v2.10.7v1.10.1v0.16.1v0.0.27
    v1.30.1+k3s1May 22 2024v1.30.1v0.11.8-0.20240430184817-f9ce6f8da97b3.44.0v3.5.9-k3s1v1.7.15-k3s1v1.1.12-k3s1v0.24.2v0.7.0v2.10.7v1.10.1v0.16.1-0.20240502205943-2f32059d43e6v0.0.26
    v1.30.0+k3s1May 10 2024v1.30.0v0.11.83.44.0v3.5.9-k3s1v1.7.15-k3s1v1.1.12v0.24.2v0.7.0v2.10.7v1.10.1v0.16.1v0.0.26

    -

    Release v1.30.3+k3s1

    +

    Release v1.30.3+k3s1

    This release updates Kubernetes to v1.30.3, and fixes a number of issues.

    For more details on what's new, see the Kubernetes release notes.

    -

    Changes since v1.30.2+k3s2:

    +

    Changes since v1.30.2+k3s2:

    • Update channel server for k3s2 (#10446)
    • Set correct release channel for e2e upgrade test (#10460)
      • @@ -34,19 +34,19 @@

      Chan
    • Fix issues loading data-dir value from env vars or dropping config files (#10596)

    -

    Release v1.30.2+k3s2

    +

    Release v1.30.2+k3s2

    This release updates Kubernetes to v1.30.2, and fixes a number of issues.

    For more details on what's new, see the Kubernetes release notes.

    -

    Changes since v1.30.2+k3s1:

    +

    Changes since v1.30.2+k3s1:

    • Update stable channel to v1.29.6+k3s1 (#10417)
    • Update flannel to v0.25.4 and fixed issue with IPv6 mask (#10422)
    -

    Release v1.30.2+k3s1

    +

    Release v1.30.2+k3s1

    This release updates Kubernetes to v1.30.2, and fixes a number of issues.

    For more details on what's new, see the Kubernetes release notes.

    -

    Changes since v1.30.1+k3s1:

    +

    Changes since v1.30.1+k3s1:

    • Fix bug when using tailscale config by file (#10074)
        @@ -136,10 +136,10 @@

        Chan
      • Fix issue that allowed multiple simultaneous snapshots to be allowed (#10372)

      -

      Release v1.30.1+k3s1

      +

      Release v1.30.1+k3s1

      This release updates Kubernetes to v1.30.1, and fixes a number of issues.

      For more details on what's new, see the Kubernetes release notes.

      -

      Changes since v1.30.0+k3s1:

      +

      Changes since v1.30.0+k3s1:

      • Replace deprecated ruby function in e2e tests (#10084)
      • Update channels with 1.30 (#10097)
        • @@ -147,10 +147,10 @@

        Chan
      • Update to v1.30.1-k3s1 and Go 1.22.2 (#10105)

      -

      Release v1.30.0+k3s1

      +

      Release v1.30.0+k3s1

      This release is K3S's first in the v1.30 line. This release updates Kubernetes to v1.30.0.

      For more details on what's new, see the Kubernetes release notes.

      -

      Changes since v1.29.4+k3s1:

      +

      Changes since v1.29.4+k3s1:

      • Kubernetes V1.30.0-k3s1 (#10063)
      • Update stable channel to v1.29.4+k3s1 (#10031)
        • @@ -159,7 +159,7 @@

        Chan
      • Remove deprecated pod-infra-container-image kubelet flag (#7409)
      • Fix e2e tests (#10061)

      -
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/kr/search-index.json b/kr/search-index.json index 6562a30ae..2ad1164d1 100644 --- a/kr/search-index.json +++ b/kr/search-index.json @@ -1 +1 @@ -[{"documents":[{"i":2483,"t":"명령줄 도구","u":"/kr/cli","b":["명령줄 도구"]},{"i":2485,"t":"아키텍처","u":"/kr/architecture","b":[]},{"i":2495,"t":"k3s agent","u":"/kr/cli/agent","b":["명령줄 도구"]},{"i":2519,"t":"k3s etcd-snapshot","u":"/kr/cli/etcd-snapshot","b":["명령줄 도구"]},{"i":2521,"t":"k3s secrets-encrypt","u":"/kr/cli/secrets-encrypt","b":["명령줄 도구"]},{"i":2531,"t":"k3s certificate","u":"/kr/cli/certificate","b":["명령줄 도구"]},{"i":2546,"t":"클러스터 접근","u":"/kr/cluster-access","b":[]},{"i":2550,"t":"고급 옵션 / 설정","u":"/kr/advanced","b":[]},{"i":2609,"t":"Backup and Restore","u":"/kr/datastore/backup-restore","b":["클러스터 데이터 저장소"]},{"i":2617,"t":"Cluster Load Balancer","u":"/kr/datastore/cluster-loadbalancer","b":["클러스터 데이터 저장소"]},{"i":2625,"t":"k3s token","u":"/kr/cli/token","b":["명령줄 도구"]},{"i":2642,"t":"k3s server","u":"/kr/cli/server","b":["명령줄 도구"]},{"i":2676,"t":"클러스터 데이터 저장소","u":"/kr/datastore","b":["클러스터 데이터 저장소"]},{"i":2682,"t":"High Availability Embedded etcd","u":"/kr/datastore/ha-embedded","b":["클러스터 데이터 저장소"]},{"i":2688,"t":"자주 묻는 질문","u":"/kr/faq","b":[]},{"i":2708,"t":"Installation","u":"/kr/installation","b":["설치"]},{"i":2710,"t":"헬름(Helm)","u":"/kr/helm","b":[]},{"i":2718,"t":"High Availability External DB","u":"/kr/datastore/ha","b":["클러스터 데이터 저장소"]},{"i":2732,"t":"Air-Gap Install","u":"/kr/installation/airgap","b":["설치"]},{"i":2751,"t":"Managing Packaged Components","u":"/kr/installation/packaged-components","b":["설치"]},{"i":2766,"t":"Private Registry Configuration","u":"/kr/installation/private-registry","b":["설치"]},{"i":2784,"t":"Requirements","u":"/kr/installation/requirements","b":["설치"]},{"i":2808,"t":"Managing Server Roles","u":"/kr/installation/server-roles","b":["설치"]},{"i":2818,"t":"Configuration Options","u":"/kr/installation/configuration","b":["설치"]},{"i":2830,"t":"Uninstalling K3s","u":"/kr/installation/uninstall","b":["설치"]},{"i":2836,"t":"Embedded Registry Mirror","u":"/kr/installation/registry-mirror","b":["설치"]},{"i":2855,"t":"알려진 이슈","u":"/kr/known-issues","b":[]},{"i":2865,"t":"Networking","u":"/kr/networking","b":["Networking"]},{"i":2867,"t":"Distributed hybrid or multicloud cluster","u":"/kr/networking/distributed-multicloud","b":["Networking"]},{"i":2873,"t":"Multus and IPAM plugins","u":"/kr/networking/multus-ipams","b":["Networking"]},{"i":2875,"t":"Networking Services","u":"/kr/networking/networking-services","b":["Networking"]},{"i":2897,"t":"Flag Deprecation","u":"/kr/reference/flag-deprecation","b":["레퍼런스"]},{"i":2903,"t":"빠른 시작 가이드","u":"/kr/quick-start","b":[]},{"i":2907,"t":"Environment Variables","u":"/kr/reference/env-variables","b":["레퍼런스"]},{"i":2909,"t":"Resource Profiling","u":"/kr/reference/resource-profiling","b":["레퍼런스"]},{"i":2933,"t":"Related Projects","u":"/kr/related-projects","b":[]},{"i":2941,"t":"Basic Network Options","u":"/kr/networking/basic-network-options","b":["Networking"]},{"i":2957,"t":"보안","u":"/kr/security","b":["보안"]},{"i":2959,"t":"Secrets Encryption Config","u":"/kr/security/secrets-encryption","b":["보안"]},{"i":2963,"t":"self-assessment-1.24","u":"/kr/security/self-assessment-1.24","b":["보안"]},{"i":2965,"t":"self-assessment-1.7","u":"/kr/security/self-assessment-1.7","b":["보안"]},{"i":2967,"t":"self-assessment-1.8","u":"/kr/security/self-assessment-1.8","b":["보안"]},{"i":2969,"t":"볼륨과 저장소","u":"/kr/storage","b":[]},{"i":2985,"t":"업그레이드","u":"/kr/upgrades","b":["업그레이드"]},{"i":2990,"t":"Automated Upgrades","u":"/kr/upgrades/automated","b":["업그레이드"]},{"i":2997,"t":"Stopping K3s","u":"/kr/upgrades/killall","b":["업그레이드"]},{"i":2999,"t":"Manual Upgrades","u":"/kr/upgrades/manual","b":["업그레이드"]},{"i":3009,"t":"k3s란 무엇입니까?","u":"/kr/","b":[]},{"i":3013,"t":"CIS Hardening Guide","u":"/kr/security/hardening-guide","b":["보안"]},{"i":3063,"t":"CIS Self Assessment Guide","u":"/kr/security/self-assessment-1.23","b":[]}],"index":{"version":"2.3.9","fields":["t"],"fieldVectors":[["t/2483",[0,2.033]],["t/2485",[0,1.85]],["t/2495",[1,1.809,2,3.796]],["t/2519",[1,1.53,3,2.746,4,3.211]],["t/2521",[1,1.53,5,2.746,6,2.746]],["t/2531",[1,1.809,7,3.796]],["t/2546",[0,2.033]],["t/2550",[0,2.138]],["t/2609",[8,3.796,9,3.796]],["t/2617",[10,2.746,11,3.211,12,3.211]],["t/2625",[1,1.809,13,3.796]],["t/2642",[1,1.809,14,3.246]],["t/2676",[0,2.102]],["t/2682",[3,2.38,15,2.38,16,2.38,17,2.38]],["t/2688",[0,2.102]],["t/2708",[18,3.968]],["t/2710",[19,4.64]],["t/2718",[15,2.38,16,2.38,20,2.783,21,2.783]],["t/2732",[18,2.746,22,3.211,23,3.211]],["t/2751",[24,2.746,25,3.211,26,3.211]],["t/2766",[27,3.211,28,2.746,29,2.746]],["t/2784",[30,4.64]],["t/2808",[14,2.746,24,2.746,31,3.211]],["t/2818",[29,3.246,32,3.246]],["t/2830",[1,1.809,33,3.796]],["t/2836",[17,2.746,28,2.746,34,3.211]],["t/2855",[0,2.033]],["t/2865",[35,3.525]],["t/2867",[10,2.38,36,2.783,37,2.783,38,2.783]],["t/2873",[39,3.211,40,3.211,41,3.211]],["t/2875",[35,2.884,42,3.796]],["t/2897",[43,3.796,44,3.796]],["t/2903",[0,2.102]],["t/2907",[45,3.796,46,3.796]],["t/2909",[47,3.796,48,3.796]],["t/2933",[49,3.796,50,3.796]],["t/2941",[32,2.746,35,2.44,51,3.211]],["t/2957",[0,1.85]],["t/2959",[5,2.746,6,2.746,52,3.211]],["t/2963",[53,2.211,54,2.211,55,3.211]],["t/2965",[53,2.211,54,2.211,56,3.211]],["t/2967",[53,2.211,54,2.211,57,3.211]],["t/2969",[0,2.033]],["t/2985",[0,1.85]],["t/2990",[58,3.796,59,3.246]],["t/2997",[1,1.809,60,3.796]],["t/2999",[59,3.246,61,3.796]],["t/3009",[0,1.514,1,1.809]],["t/3013",[62,2.746,63,3.211,64,2.746]],["t/3063",[53,1.916,54,1.916,62,2.38,64,2.38]]],"invertedIndex":[["",{"_index":0,"t":{"2483":{"position":[[0,3],[4,2]]},"2485":{"position":[[0,4]]},"2546":{"position":[[0,4],[5,2]]},"2550":{"position":[[0,2],[3,2],[6,1],[8,2]]},"2676":{"position":[[0,4],[5,3],[9,3]]},"2688":{"position":[[0,2],[3,2],[6,2]]},"2855":{"position":[[0,3],[4,2]]},"2903":{"position":[[0,2],[3,2],[6,3]]},"2957":{"position":[[0,2]]},"2969":{"position":[[0,3],[4,3]]},"2985":{"position":[[0,5]]},"3009":{"position":[[5,6]]}}}],["1.24",{"_index":55,"t":{"2963":{"position":[[16,4]]}}}],["1.7",{"_index":56,"t":{"2965":{"position":[[16,3]]}}}],["1.8",{"_index":57,"t":{"2967":{"position":[[16,3]]}}}],["agent",{"_index":2,"t":{"2495":{"position":[[4,5]]}}}],["air",{"_index":22,"t":{"2732":{"position":[[0,3]]}}}],["assess",{"_index":54,"t":{"2963":{"position":[[5,10]]},"2965":{"position":[[5,10]]},"2967":{"position":[[5,10]]},"3063":{"position":[[9,10]]}}}],["autom",{"_index":58,"t":{"2990":{"position":[[0,9]]}}}],["avail",{"_index":16,"t":{"2682":{"position":[[5,12]]},"2718":{"position":[[5,12]]}}}],["backup",{"_index":8,"t":{"2609":{"position":[[0,6]]}}}],["balanc",{"_index":12,"t":{"2617":{"position":[[13,8]]}}}],["basic",{"_index":51,"t":{"2941":{"position":[[0,5]]}}}],["certif",{"_index":7,"t":{"2531":{"position":[[4,11]]}}}],["ci",{"_index":62,"t":{"3013":{"position":[[0,3]]},"3063":{"position":[[0,3]]}}}],["cluster",{"_index":10,"t":{"2617":{"position":[[0,7]]},"2867":{"position":[[33,7]]}}}],["compon",{"_index":26,"t":{"2751":{"position":[[18,10]]}}}],["config",{"_index":52,"t":{"2959":{"position":[[19,6]]}}}],["configur",{"_index":29,"t":{"2766":{"position":[[17,13]]},"2818":{"position":[[0,13]]}}}],["db",{"_index":21,"t":{"2718":{"position":[[27,2]]}}}],["deprec",{"_index":44,"t":{"2897":{"position":[[5,11]]}}}],["distribut",{"_index":36,"t":{"2867":{"position":[[0,11]]}}}],["embed",{"_index":17,"t":{"2682":{"position":[[18,8]]},"2836":{"position":[[0,8]]}}}],["encrypt",{"_index":6,"t":{"2521":{"position":[[12,7]]},"2959":{"position":[[8,10]]}}}],["environ",{"_index":45,"t":{"2907":{"position":[[0,11]]}}}],["etcd",{"_index":3,"t":{"2519":{"position":[[4,4]]},"2682":{"position":[[27,4]]}}}],["extern",{"_index":20,"t":{"2718":{"position":[[18,8]]}}}],["flag",{"_index":43,"t":{"2897":{"position":[[0,4]]}}}],["gap",{"_index":23,"t":{"2732":{"position":[[4,3]]}}}],["guid",{"_index":64,"t":{"3013":{"position":[[14,5]]},"3063":{"position":[[20,5]]}}}],["harden",{"_index":63,"t":{"3013":{"position":[[4,9]]}}}],["helm",{"_index":19,"t":{"2710":{"position":[[0,8]]}}}],["high",{"_index":15,"t":{"2682":{"position":[[0,4]]},"2718":{"position":[[0,4]]}}}],["hybrid",{"_index":37,"t":{"2867":{"position":[[12,6]]}}}],["instal",{"_index":18,"t":{"2708":{"position":[[0,12]]},"2732":{"position":[[8,7]]}}}],["ipam",{"_index":40,"t":{"2873":{"position":[[11,4]]}}}],["k3",{"_index":1,"t":{"2495":{"position":[[0,3]]},"2519":{"position":[[0,3]]},"2521":{"position":[[0,3]]},"2531":{"position":[[0,3]]},"2625":{"position":[[0,3]]},"2642":{"position":[[0,3]]},"2830":{"position":[[13,3]]},"2997":{"position":[[9,3]]},"3009":{"position":[[0,4]]}}}],["load",{"_index":11,"t":{"2617":{"position":[[8,4]]}}}],["manag",{"_index":24,"t":{"2751":{"position":[[0,8]]},"2808":{"position":[[0,8]]}}}],["manual",{"_index":61,"t":{"2999":{"position":[[0,6]]}}}],["mirror",{"_index":34,"t":{"2836":{"position":[[18,6]]}}}],["multicloud",{"_index":38,"t":{"2867":{"position":[[22,10]]}}}],["multu",{"_index":39,"t":{"2873":{"position":[[0,6]]}}}],["network",{"_index":35,"t":{"2865":{"position":[[0,10]]},"2875":{"position":[[0,10]]},"2941":{"position":[[6,7]]}}}],["option",{"_index":32,"t":{"2818":{"position":[[14,7]]},"2941":{"position":[[14,7]]}}}],["packag",{"_index":25,"t":{"2751":{"position":[[9,8]]}}}],["plugin",{"_index":41,"t":{"2873":{"position":[[16,7]]}}}],["privat",{"_index":27,"t":{"2766":{"position":[[0,7]]}}}],["profil",{"_index":48,"t":{"2909":{"position":[[9,9]]}}}],["project",{"_index":50,"t":{"2933":{"position":[[8,8]]}}}],["registri",{"_index":28,"t":{"2766":{"position":[[8,8]]},"2836":{"position":[[9,8]]}}}],["relat",{"_index":49,"t":{"2933":{"position":[[0,7]]}}}],["requir",{"_index":30,"t":{"2784":{"position":[[0,12]]}}}],["resourc",{"_index":47,"t":{"2909":{"position":[[0,8]]}}}],["restor",{"_index":9,"t":{"2609":{"position":[[11,7]]}}}],["role",{"_index":31,"t":{"2808":{"position":[[16,5]]}}}],["secret",{"_index":5,"t":{"2521":{"position":[[4,7]]},"2959":{"position":[[0,7]]}}}],["self",{"_index":53,"t":{"2963":{"position":[[0,4]]},"2965":{"position":[[0,4]]},"2967":{"position":[[0,4]]},"3063":{"position":[[4,4]]}}}],["server",{"_index":14,"t":{"2642":{"position":[[4,6]]},"2808":{"position":[[9,6]]}}}],["servic",{"_index":42,"t":{"2875":{"position":[[11,8]]}}}],["snapshot",{"_index":4,"t":{"2519":{"position":[[9,8]]}}}],["stop",{"_index":60,"t":{"2997":{"position":[[0,8]]}}}],["token",{"_index":13,"t":{"2625":{"position":[[4,5]]}}}],["uninstal",{"_index":33,"t":{"2830":{"position":[[0,12]]}}}],["upgrad",{"_index":59,"t":{"2990":{"position":[[10,8]]},"2999":{"position":[[7,8]]}}}],["variabl",{"_index":46,"t":{"2907":{"position":[[12,9]]}}}]],"pipeline":["stemmer"]}},{"documents":[{"i":2487,"t":"임베디드 DB가 있는 단일 서버 설정","u":"/kr/architecture","h":"#임베디드-db가-있는-단일-서버-설정","p":2485},{"i":2489,"t":"외부 DB가 있는 고가용성 K3s 서버","u":"/kr/architecture","h":"#외부-db가-있는-고가용성-k3s-서버","p":2485},{"i":2491,"t":"에이전트 노드를 위한 고정 등록 주소","u":"/kr/architecture","h":"#에이전트-노드를-위한-고정-등록-주소","p":2485},{"i":2493,"t":"에이전트 노드 등록 작동 방식","u":"/kr/architecture","h":"#에이전트-노드-등록-작동-방식","p":2485},{"i":2497,"t":"Logging","u":"/kr/cli/agent","h":"#logging","p":2495},{"i":2499,"t":"Cluster Options","u":"/kr/cli/agent","h":"#cluster-options","p":2495},{"i":2501,"t":"Data","u":"/kr/cli/agent","h":"#data","p":2495},{"i":2503,"t":"Node","u":"/kr/cli/agent","h":"#node","p":2495},{"i":2505,"t":"Runtime","u":"/kr/cli/agent","h":"#runtime","p":2495},{"i":2507,"t":"Networking","u":"/kr/cli/agent","h":"#networking","p":2495},{"i":2509,"t":"Customized Flags","u":"/kr/cli/agent","h":"#customized-flags","p":2495},{"i":2511,"t":"Experimental","u":"/kr/cli/agent","h":"#experimental","p":2495},{"i":2513,"t":"Deprecated","u":"/kr/cli/agent","h":"#deprecated","p":2495},{"i":2515,"t":"Node Labels and Taints for Agents","u":"/kr/cli/agent","h":"#node-labels-and-taints-for-agents","p":2495},{"i":2517,"t":"K3s Agent CLI Help","u":"/kr/cli/agent","h":"#k3s-agent-cli-help","p":2495},{"i":2523,"t":"Secrets Encryption Tool","u":"/kr/cli/secrets-encrypt","h":"#secrets-encryption-tool","p":2521},{"i":2525,"t":"Encryption Key Rotation","u":"/kr/cli/secrets-encrypt","h":"#encryption-key-rotation","p":2521},{"i":2527,"t":"Secrets Encryption Disable/Enable","u":"/kr/cli/secrets-encrypt","h":"#secrets-encryption-disableenable","p":2521},{"i":2529,"t":"Secrets Encryption Status","u":"/kr/cli/secrets-encrypt","h":"#secrets-encryption-status","p":2521},{"i":2532,"t":"Client and Server Certificates","u":"/kr/cli/certificate","h":"#client-and-server-certificates","p":2531},{"i":2534,"t":"Rotating Client and Server Certificates","u":"/kr/cli/certificate","h":"#rotating-client-and-server-certificates","p":2531},{"i":2536,"t":"Certificate Authority (CA) Certificates","u":"/kr/cli/certificate","h":"#certificate-authority-ca-certificates","p":2531},{"i":2538,"t":"Using Custom CA Certificates","u":"/kr/cli/certificate","h":"#using-custom-ca-certificates","p":2531},{"i":2540,"t":"Rotating Custom CA Certificates","u":"/kr/cli/certificate","h":"#rotating-custom-ca-certificates","p":2531},{"i":2542,"t":"Rotating Self-Signed CA Certificates","u":"/kr/cli/certificate","h":"#rotating-self-signed-ca-certificates","p":2531},{"i":2544,"t":"Service-Account Issuer Key Rotation","u":"/kr/cli/certificate","h":"#service-account-issuer-key-rotation","p":2531},{"i":2548,"t":"외부에서 kubectl로 클러스터에 접근하기","u":"/kr/cluster-access","h":"#외부에서-kubectl로-클러스터에-접근하기","p":2546},{"i":2552,"t":"인증서 관리","u":"/kr/advanced","h":"#인증서-관리","p":2550},{"i":2553,"t":"인증 기관 인증서","u":"/kr/advanced","h":"#인증-기관-인증서","p":2550},{"i":2555,"t":"클라이언트 및 서버 인증서","u":"/kr/advanced","h":"#클라이언트-및-서버-인증서","p":2550},{"i":2557,"t":"토큰 관리","u":"/kr/advanced","h":"#토큰-관리","p":2550},{"i":2559,"t":"HTTP 프록시 구성하기","u":"/kr/advanced","h":"#http-프록시-구성하기","p":2550},{"i":2561,"t":"컨테이너 런타임으로 Docker 사용","u":"/kr/advanced","h":"#컨테이너-런타임으로-docker-사용","p":2550},{"i":2563,"t":"etcdctl 사용하기","u":"/kr/advanced","h":"#etcdctl-사용하기","p":2550},{"i":2565,"t":"컨테이너 설정하기","u":"/kr/advanced","h":"#컨테이너-설정하기","p":2550},{"i":2567,"t":"NVIDIA 컨테이너 런타임 지원","u":"/kr/advanced","h":"#nvidia-컨테이너-런타임-지원","p":2550},{"i":2569,"t":"에이전트 없는 서버 실행하기(실험적)","u":"/kr/advanced","h":"#에이전트-없는-서버-실행하기실험적","p":2550},{"i":2571,"t":"루트리스 서버 실행(실험적)","u":"/kr/advanced","h":"#루트리스-서버-실행실험적","p":2550},{"i":2573,"t":"루트리스 모드의 알려진 이슈","u":"/kr/advanced","h":"#루트리스-모드의-알려진-이슈","p":2550},{"i":2575,"t":"루트리스 서버 시작하기","u":"/kr/advanced","h":"#루트리스-서버-시작하기","p":2550},{"i":2577,"t":"고급 루트리스 구성","u":"/kr/advanced","h":"#고급-루트리스-구성","p":2550},{"i":2579,"t":"루트리스 문제 해결하기","u":"/kr/advanced","h":"#루트리스-문제-해결하기","p":2550},{"i":2581,"t":"노드 레이블 및 테인트","u":"/kr/advanced","h":"#노드-레이블-및-테인트","p":2550},{"i":2583,"t":"설치 스크립트로 서비스 시작하기","u":"/kr/advanced","h":"#설치-스크립트로-서비스-시작하기","p":2550},{"i":2585,"t":"추가 OS 준비 사항","u":"/kr/advanced","h":"#추가-os-준비-사항","p":2550},{"i":2586,"t":"이전 iptables 버전","u":"/kr/advanced","h":"#이전-iptables-버전","p":2550},{"i":2588,"t":"Red Hat Enterprise Linux / CentOS","u":"/kr/advanced","h":"#red-hat-enterprise-linux--centos","p":2550},{"i":2590,"t":"Ubuntu","u":"/kr/advanced","h":"#ubuntu","p":2550},{"i":2592,"t":"Raspberry Pi","u":"/kr/advanced","h":"#raspberry-pi","p":2550},{"i":2594,"t":"Docker에서 k3s 실행하기","u":"/kr/advanced","h":"#docker에서-k3s-실행하기","p":2550},{"i":2596,"t":"SELinux 지원","u":"/kr/advanced","h":"#selinux-지원","p":2550},{"i":2598,"t":"SELinux 적용 활성화하기","u":"/kr/advanced","h":"#selinux-적용-활성화하기","p":2550},{"i":2600,"t":"지연 풀링의 지연 풀링 활성화 (실험적)","u":"/kr/advanced","h":"#지연-풀링의-지연-풀링-활성화-실험적","p":2550},{"i":2601,"t":"지연 풀링과 eStargz란 무엇인가요?","u":"/kr/advanced","h":"#지연-풀링과-estargz란-무엇인가요","p":2550},{"i":2603,"t":"지연 풀링이 가능하도록 k3s 구성하기","u":"/kr/advanced","h":"#지연-풀링이-가능하도록-k3s-구성하기","p":2550},{"i":2605,"t":"추가 로깅 소스","u":"/kr/advanced","h":"#추가-로깅-소스","p":2550},{"i":2607,"t":"추가 네트워크 정책 로깅","u":"/kr/advanced","h":"#추가-네트워크-정책-로깅","p":2550},{"i":2611,"t":"Backup and Restore with SQLite","u":"/kr/datastore/backup-restore","h":"#backup-and-restore-with-sqlite","p":2609},{"i":2613,"t":"Backup and Restore with External Datastore","u":"/kr/datastore/backup-restore","h":"#backup-and-restore-with-external-datastore","p":2609},{"i":2615,"t":"Backup and Restore with Embedded etcd Datastore","u":"/kr/datastore/backup-restore","h":"#backup-and-restore-with-embedded-etcd-datastore","p":2609},{"i":2619,"t":"Prerequisites","u":"/kr/datastore/cluster-loadbalancer","h":"#prerequisites","p":2617},{"i":2621,"t":"Setup Load Balancer","u":"/kr/datastore/cluster-loadbalancer","h":"#setup-load-balancer","p":2617},{"i":2623,"t":"Nginx Load Balancer","u":"/kr/datastore/cluster-loadbalancer","h":"#nginx-load-balancer","p":2617},{"i":2627,"t":"Token Format","u":"/kr/cli/token","h":"#token-format","p":2625},{"i":2629,"t":"Secure","u":"/kr/cli/token","h":"#secure","p":2625},{"i":2631,"t":"Short","u":"/kr/cli/token","h":"#short","p":2625},{"i":2633,"t":"Token Types","u":"/kr/cli/token","h":"#token-types","p":2625},{"i":2635,"t":"Server","u":"/kr/cli/token","h":"#server","p":2625},{"i":2637,"t":"Agent","u":"/kr/cli/token","h":"#agent","p":2625},{"i":2639,"t":"Bootstrap","u":"/kr/cli/token","h":"#bootstrap","p":2625},{"i":2644,"t":"Critical Configuration Values","u":"/kr/cli/server","h":"#critical-configuration-values","p":2642},{"i":2646,"t":"Commonly Used Options","u":"/kr/cli/server","h":"#commonly-used-options","p":2642},{"i":2647,"t":"Database","u":"/kr/cli/server","h":"#database","p":2642},{"i":2649,"t":"Cluster Options","u":"/kr/cli/server","h":"#cluster-options","p":2642},{"i":2651,"t":"Admin Kubeconfig Options","u":"/kr/cli/server","h":"#admin-kubeconfig-options","p":2642},{"i":2653,"t":"Advanced Options","u":"/kr/cli/server","h":"#advanced-options","p":2642},{"i":2654,"t":"Logging","u":"/kr/cli/server","h":"#logging","p":2642},{"i":2656,"t":"Listeners","u":"/kr/cli/server","h":"#listeners","p":2642},{"i":2658,"t":"Data","u":"/kr/cli/server","h":"#data","p":2642},{"i":2660,"t":"Secrets Encryption","u":"/kr/cli/server","h":"#secrets-encryption","p":2642},{"i":2662,"t":"Networking","u":"/kr/cli/server","h":"#networking","p":2642},{"i":2664,"t":"Storage Class","u":"/kr/cli/server","h":"#storage-class","p":2642},{"i":2666,"t":"Kubernetes Components","u":"/kr/cli/server","h":"#kubernetes-components","p":2642},{"i":2668,"t":"Customized Flags for Kubernetes Processes","u":"/kr/cli/server","h":"#customized-flags-for-kubernetes-processes","p":2642},{"i":2670,"t":"Experimental Options","u":"/kr/cli/server","h":"#experimental-options","p":2642},{"i":2672,"t":"Deprecated Options","u":"/kr/cli/server","h":"#deprecated-options","p":2642},{"i":2674,"t":"K3s Server CLI Help","u":"/kr/cli/server","h":"","p":2642},{"i":2678,"t":"외부 데이터스토어 구성 파라미터","u":"/kr/datastore","h":"#외부-데이터스토어-구성-파라미터","p":2676},{"i":2680,"t":"데이터스토어 엔드포인트 형식 및 기능","u":"/kr/datastore","h":"#데이터스토어-엔드포인트-형식-및-기능","p":2676},{"i":2684,"t":"New cluster","u":"/kr/datastore/ha-embedded","h":"#new-cluster","p":2682},{"i":2686,"t":"Existing clusters","u":"/kr/datastore/ha-embedded","h":"#existing-clusters","p":2682},{"i":2690,"t":"K3s가 Kubernetes를 대체하기에 적합한가요?","u":"/kr/faq","h":"#k3s가-kubernetes를-대체하기에-적합한가요","p":2688},{"i":2692,"t":"Traefik 대신 자체 Ingress를 사용하려면 어떻게 해야 하나요?","u":"/kr/faq","h":"#traefik-대신-자체-ingress를-사용하려면-어떻게-해야-하나요","p":2688},{"i":2694,"t":"K3s는 Windows를 지원하나요?","u":"/kr/faq","h":"#k3s는-windows를-지원하나요","p":2688},{"i":2696,"t":"소스로부터 빌드하려면 어떻게 해야 하나요?","u":"/kr/faq","h":"#소스로부터-빌드하려면-어떻게-해야-하나요","p":2688},{"i":2698,"t":"K3s 로그는 어디에 있나요?","u":"/kr/faq","h":"#k3s-로그는-어디에-있나요","p":2688},{"i":2700,"t":"Docker에서 K3s를 실행할 수 있나요?","u":"/kr/faq","h":"#docker에서-k3s를-실행할-수-있나요","p":2688},{"i":2702,"t":"K3s 서버와 에이전트 토큰의 차이점은 무엇인가요?","u":"/kr/faq","h":"#k3s-서버와-에이전트-토큰의-차이점은-무엇인가요","p":2688},{"i":2704,"t":"K3s의 다른 버전들은 얼마나 호환되나요?","u":"/kr/faq","h":"#k3s의-다른-버전들은-얼마나-호환되나요","p":2688},{"i":2706,"t":"문제가 발생했는데 어디서 도움을 받을 수 있나요?","u":"/kr/faq","h":"#문제가-발생했는데-어디서-도움을-받을-수-있나요","p":2688},{"i":2712,"t":"헬름 컨트롤러 사용하기","u":"/kr/helm","h":"#헬름-컨트롤러-사용하기","p":2710},{"i":2714,"t":"HelmChartConfig로 패키지 컴포넌트 커스터마이징하기","u":"/kr/helm","h":"#helmchartconfig로-패키지-컴포넌트-커스터마이징하기","p":2710},{"i":2716,"t":"헬름 버전 2에서 마이그레이션하기","u":"/kr/helm","h":"#헬름-버전-2에서-마이그레이션하기","p":2710},{"i":2720,"t":"Installation Outline","u":"/kr/datastore/ha","h":"#installation-outline","p":2718},{"i":2722,"t":"1. Create an External Datastore","u":"/kr/datastore/ha","h":"#1-create-an-external-datastore","p":2718},{"i":2724,"t":"2. Launch Server Nodes","u":"/kr/datastore/ha","h":"#2-launch-server-nodes","p":2718},{"i":2726,"t":"3. Configure the Fixed Registration Address","u":"/kr/datastore/ha","h":"#3-configure-the-fixed-registration-address","p":2718},{"i":2728,"t":"4. Optional: Join Additional Server Nodes","u":"/kr/datastore/ha","h":"#4-optional-join-additional-server-nodes","p":2718},{"i":2730,"t":"5. Optional: Join Agent Nodes","u":"/kr/datastore/ha","h":"#5-optional-join-agent-nodes","p":2718},{"i":2734,"t":"Load Images","u":"/kr/installation/airgap","h":"#load-images","p":2732},{"i":2735,"t":"Private Registry Method","u":"/kr/installation/airgap","h":"#private-registry-method","p":2732},{"i":2737,"t":"Manually Deploy Images Method","u":"/kr/installation/airgap","h":"#manually-deploy-images-method","p":2732},{"i":2739,"t":"Embedded Registry Mirror","u":"/kr/installation/airgap","h":"#embedded-registry-mirror","p":2732},{"i":2741,"t":"Install K3s","u":"/kr/installation/airgap","h":"#install-k3s","p":2732},{"i":2742,"t":"Prerequisites","u":"/kr/installation/airgap","h":"#prerequisites","p":2732},{"i":2744,"t":"Installing K3s in an Air-Gapped Environment","u":"/kr/installation/airgap","h":"#installing-k3s-in-an-air-gapped-environment","p":2732},{"i":2746,"t":"Upgrading","u":"/kr/installation/airgap","h":"#upgrading","p":2732},{"i":2747,"t":"Install Script Method","u":"/kr/installation/airgap","h":"#install-script-method","p":2732},{"i":2749,"t":"Automated Upgrades Method","u":"/kr/installation/airgap","h":"#automated-upgrades-method","p":2732},{"i":2752,"t":"Auto-Deploying Manifests (AddOns)","u":"/kr/installation/packaged-components","h":"#auto-deploying-manifests-addons","p":2751},{"i":2754,"t":"Packaged Components","u":"/kr/installation/packaged-components","h":"#packaged-components","p":2751},{"i":2756,"t":"User AddOns","u":"/kr/installation/packaged-components","h":"#user-addons","p":2751},{"i":2758,"t":"Disabling Manifests","u":"/kr/installation/packaged-components","h":"#disabling-manifests","p":2751},{"i":2760,"t":"Using the --disable flag","u":"/kr/installation/packaged-components","h":"#using-the---disable-flag","p":2751},{"i":2762,"t":"Using .skip files","u":"/kr/installation/packaged-components","h":"#using-skip-files","p":2751},{"i":2764,"t":"Helm AddOns","u":"/kr/installation/packaged-components","h":"#helm-addons","p":2751},{"i":2768,"t":"Default Endpoint Fallback","u":"/kr/installation/private-registry","h":"#default-endpoint-fallback","p":2766},{"i":2770,"t":"Registries Configuration File","u":"/kr/installation/private-registry","h":"#registries-configuration-file","p":2766},{"i":2772,"t":"Mirrors","u":"/kr/installation/private-registry","h":"#mirrors","p":2766},{"i":2774,"t":"Configs","u":"/kr/installation/private-registry","h":"#configs","p":2766},{"i":2776,"t":"With TLS","u":"/kr/installation/private-registry","h":"#with-tls","p":2766},{"i":2778,"t":"Without TLS","u":"/kr/installation/private-registry","h":"#without-tls","p":2766},{"i":2780,"t":"Troubleshooting Image Pulls","u":"/kr/installation/private-registry","h":"#troubleshooting-image-pulls","p":2766},{"i":2782,"t":"Adding Images to the Private Registry","u":"/kr/installation/private-registry","h":"#adding-images-to-the-private-registry","p":2766},{"i":2786,"t":"Prerequisites","u":"/kr/installation/requirements","h":"#prerequisites","p":2784},{"i":2788,"t":"Architecture","u":"/kr/installation/requirements","h":"#architecture","p":2784},{"i":2790,"t":"Operating Systems","u":"/kr/installation/requirements","h":"#operating-systems","p":2784},{"i":2792,"t":"Hardware","u":"/kr/installation/requirements","h":"#hardware","p":2784},{"i":2794,"t":"Networking","u":"/kr/installation/requirements","h":"#networking","p":2784},{"i":2796,"t":"Inbound Rules for K3s Nodes","u":"/kr/installation/requirements","h":"#inbound-rules-for-k3s-nodes","p":2784},{"i":2798,"t":"Large Clusters","u":"/kr/installation/requirements","h":"#large-clusters","p":2784},{"i":2800,"t":"CPU and Memory","u":"/kr/installation/requirements","h":"#cpu-and-memory","p":2784},{"i":2802,"t":"Disks","u":"/kr/installation/requirements","h":"#disks-1","p":2784},{"i":2804,"t":"Network","u":"/kr/installation/requirements","h":"#network","p":2784},{"i":2806,"t":"Database","u":"/kr/installation/requirements","h":"#database","p":2784},{"i":2810,"t":"Dedicated etcd Nodes","u":"/kr/installation/server-roles","h":"#dedicated-etcd-nodes","p":2808},{"i":2812,"t":"Dedicated control-plane Nodes","u":"/kr/installation/server-roles","h":"#dedicated-control-plane-nodes","p":2808},{"i":2814,"t":"Adding Roles To Existing Servers","u":"/kr/installation/server-roles","h":"#adding-roles-to-existing-servers","p":2808},{"i":2816,"t":"Configuration File Syntax","u":"/kr/installation/server-roles","h":"#configuration-file-syntax","p":2808},{"i":2820,"t":"Configuration with install script","u":"/kr/installation/configuration","h":"#configuration-with-install-script","p":2818},{"i":2822,"t":"Configuration with binary","u":"/kr/installation/configuration","h":"#configuration-with-binary","p":2818},{"i":2824,"t":"Configuration File","u":"/kr/installation/configuration","h":"#configuration-file","p":2818},{"i":2826,"t":"Multiple Config Files","u":"/kr/installation/configuration","h":"#multiple-config-files","p":2818},{"i":2828,"t":"Putting it all together","u":"/kr/installation/configuration","h":"#putting-it-all-together","p":2818},{"i":2832,"t":"Uninstalling Servers","u":"/kr/installation/uninstall","h":"#uninstalling-servers","p":2830},{"i":2834,"t":"Uninstalling Agents","u":"/kr/installation/uninstall","h":"#uninstalling-agents","p":2830},{"i":2838,"t":"Enabling The Distributed OCI Registry Mirror","u":"/kr/installation/registry-mirror","h":"#enabling-the-distributed-oci-registry-mirror","p":2836},{"i":2840,"t":"Requirements","u":"/kr/installation/registry-mirror","h":"#requirements","p":2836},{"i":2842,"t":"Enabling Registry Mirroring","u":"/kr/installation/registry-mirror","h":"#enabling-registry-mirroring","p":2836},{"i":2844,"t":"Default Endpoint Fallback","u":"/kr/installation/registry-mirror","h":"#default-endpoint-fallback","p":2836},{"i":2846,"t":"Security","u":"/kr/installation/registry-mirror","h":"#security","p":2836},{"i":2847,"t":"Authentication","u":"/kr/installation/registry-mirror","h":"#authentication","p":2836},{"i":2849,"t":"Potential Concerns","u":"/kr/installation/registry-mirror","h":"#potential-concerns","p":2836},{"i":2851,"t":"Sharing Air-gap or Manually Loaded Images","u":"/kr/installation/registry-mirror","h":"#sharing-air-gap-or-manually-loaded-images","p":2836},{"i":2853,"t":"Pushing Images","u":"/kr/installation/registry-mirror","h":"#pushing-images","p":2836},{"i":2857,"t":"스냅(Snap) 도커","u":"/kr/known-issues","h":"#스냅snap-도커","p":2855},{"i":2859,"t":"Iptables","u":"/kr/known-issues","h":"#iptables","p":2855},{"i":2861,"t":"Rootless Mode","u":"/kr/known-issues","h":"#rootless-mode","p":2855},{"i":2863,"t":"강화된(Hardened) 클러스터를 v1.24.x에서 v1.25.x로 업그레이드하기","u":"/kr/known-issues","h":"","p":2855},{"i":2869,"t":"Embedded k3s multicloud solution","u":"/kr/networking/distributed-multicloud","h":"#embedded-k3s-multicloud-solution","p":2867},{"i":2871,"t":"Integration with the Tailscale VPN provider (experimental)","u":"/kr/networking/distributed-multicloud","h":"#integration-with-the-tailscale-vpn-provider-experimental","p":2867},{"i":2877,"t":"CoreDNS","u":"/kr/networking/networking-services","h":"#coredns","p":2875},{"i":2879,"t":"Traefik Ingress Controller","u":"/kr/networking/networking-services","h":"#traefik-ingress-controller","p":2875},{"i":2881,"t":"Network Policy Controller","u":"/kr/networking/networking-services","h":"#network-policy-controller","p":2875},{"i":2883,"t":"Service Load Balancer","u":"/kr/networking/networking-services","h":"#service-load-balancer","p":2875},{"i":2885,"t":"How ServiceLB Works","u":"/kr/networking/networking-services","h":"#how-servicelb-works","p":2875},{"i":2887,"t":"Usage","u":"/kr/networking/networking-services","h":"#usage","p":2875},{"i":2889,"t":"Controlling ServiceLB Node Selection","u":"/kr/networking/networking-services","h":"#controlling-servicelb-node-selection","p":2875},{"i":2891,"t":"Creating ServiceLB Node Pools","u":"/kr/networking/networking-services","h":"#creating-servicelb-node-pools","p":2875},{"i":2893,"t":"Disabling ServiceLB","u":"/kr/networking/networking-services","h":"#disabling-servicelb","p":2875},{"i":2895,"t":"Deploying an External Cloud Controller Manager","u":"/kr/networking/networking-services","h":"#deploying-an-external-cloud-controller-manager","p":2875},{"i":2899,"t":"Process","u":"/kr/reference/flag-deprecation","h":"#process","p":2897},{"i":2901,"t":"Example","u":"/kr/reference/flag-deprecation","h":"#example","p":2897},{"i":2905,"t":"설치 스크립트","u":"/kr/quick-start","h":"#설치-스크립트","p":2903},{"i":2911,"t":"Scope of Resource Testing","u":"/kr/reference/resource-profiling","h":"#scope-of-resource-testing","p":2909},{"i":2913,"t":"Components Included for Baseline Measurements","u":"/kr/reference/resource-profiling","h":"#components-included-for-baseline-measurements","p":2909},{"i":2915,"t":"Methodology","u":"/kr/reference/resource-profiling","h":"#methodology","p":2909},{"i":2917,"t":"Environment","u":"/kr/reference/resource-profiling","h":"#environment","p":2909},{"i":2919,"t":"Baseline Resource Requirements","u":"/kr/reference/resource-profiling","h":"#baseline-resource-requirements","p":2909},{"i":2921,"t":"K3s Server with a Workload","u":"/kr/reference/resource-profiling","h":"#k3s-server-with-a-workload","p":2909},{"i":2923,"t":"K3s Cluster with a Single Agent","u":"/kr/reference/resource-profiling","h":"#k3s-cluster-with-a-single-agent","p":2909},{"i":2925,"t":"K3s Agent","u":"/kr/reference/resource-profiling","h":"#k3s-agent","p":2909},{"i":2927,"t":"Analysis","u":"/kr/reference/resource-profiling","h":"#analysis","p":2909},{"i":2929,"t":"Primary Resource Utilization Drivers","u":"/kr/reference/resource-profiling","h":"#primary-resource-utilization-drivers","p":2909},{"i":2931,"t":"Preventing Agents and Workloads from Interfering with the Cluster Datastore","u":"/kr/reference/resource-profiling","h":"#preventing-agents-and-workloads-from-interfering-with-the-cluster-datastore","p":2909},{"i":2935,"t":"k3s-ansible","u":"/kr/related-projects","h":"#k3s-ansible","p":2933},{"i":2937,"t":"k3sup","u":"/kr/related-projects","h":"#k3sup","p":2933},{"i":2939,"t":"autok3s","u":"/kr/related-projects","h":"#autok3s","p":2933},{"i":2943,"t":"Flannel Options","u":"/kr/networking/basic-network-options","h":"#flannel-options","p":2941},{"i":2945,"t":"Migrating from wireguard or ipsec to wireguard-native","u":"/kr/networking/basic-network-options","h":"#migrating-from-wireguard-or-ipsec-to-wireguard-native","p":2941},{"i":2947,"t":"Custom CNI","u":"/kr/networking/basic-network-options","h":"#custom-cni","p":2941},{"i":2949,"t":"Control-Plane Egress Selector configuration","u":"/kr/networking/basic-network-options","h":"#control-plane-egress-selector-configuration","p":2941},{"i":2951,"t":"Dual-stack (IPv4 + IPv6) Networking","u":"/kr/networking/basic-network-options","h":"#dual-stack-ipv4--ipv6-networking","p":2941},{"i":2953,"t":"Single-stack IPv6 Networking","u":"/kr/networking/basic-network-options","h":"#single-stack-ipv6-networking","p":2941},{"i":2955,"t":"Nodes Without a Hostname","u":"/kr/networking/basic-network-options","h":"#nodes-without-a-hostname","p":2941},{"i":2961,"t":"Secrets Encryption Tool","u":"/kr/security/secrets-encryption","h":"#secrets-encryption-tool","p":2959},{"i":2971,"t":"K3s 스토리지의 차이점은 무엇인가요?","u":"/kr/storage","h":"#k3s-스토리지의-차이점은-무엇인가요","p":2969},{"i":2973,"t":"로컬 스토리지 공급자 설정하기","u":"/kr/storage","h":"#로컬-스토리지-공급자-설정하기","p":2969},{"i":2975,"t":"pvc.yaml","u":"/kr/storage","h":"#pvcyaml","p":2969},{"i":2977,"t":"pod.yaml","u":"/kr/storage","h":"#podyaml","p":2969},{"i":2979,"t":"Longhorn 구성하기","u":"/kr/storage","h":"#longhorn-구성하기","p":2969},{"i":2981,"t":"pvc.yaml","u":"/kr/storage","h":"#pvcyaml-1","p":2969},{"i":2983,"t":"pod.yaml","u":"/kr/storage","h":"#podyaml-1","p":2969},{"i":2986,"t":"K3s 클러스터 업그레이드하기","u":"/kr/upgrades","h":"#k3s-클러스터-업그레이드하기","p":2985},{"i":2988,"t":"버전별 주의사항","u":"/kr/upgrades","h":"#버전별-주의사항","p":2985},{"i":2991,"t":"Overview","u":"/kr/upgrades/automated","h":"#overview","p":2990},{"i":2993,"t":"Install the system-upgrade-controller","u":"/kr/upgrades/automated","h":"#install-the-system-upgrade-controller","p":2990},{"i":2995,"t":"Configure plans","u":"/kr/upgrades/automated","h":"#configure-plans","p":2990},{"i":3001,"t":"Release Channels","u":"/kr/upgrades/manual","h":"#release-channels","p":2999},{"i":3003,"t":"Upgrade K3s Using the Installation Script","u":"/kr/upgrades/manual","h":"#upgrade-k3s-using-the-installation-script","p":2999},{"i":3005,"t":"Manually Upgrade K3s Using the Binary","u":"/kr/upgrades/manual","h":"#manually-upgrade-k3s-using-the-binary","p":2999},{"i":3007,"t":"Restarting K3s","u":"/kr/upgrades/manual","h":"#restarting-k3s","p":2999},{"i":3011,"t":"이름에는 무슨 뜻이 있나요?","u":"/kr/","h":"","p":3009},{"i":3015,"t":"Host-level Requirements","u":"/kr/security/hardening-guide","h":"#host-level-requirements","p":3013},{"i":3017,"t":"Ensure protect-kernel-defaults is set","u":"/kr/security/hardening-guide","h":"#ensure-protect-kernel-defaults-is-set","p":3013},{"i":3019,"t":"Kubernetes Runtime Requirements","u":"/kr/security/hardening-guide","h":"#kubernetes-runtime-requirements","p":3013},{"i":3021,"t":"Pod Security","u":"/kr/security/hardening-guide","h":"#pod-security","p":3013},{"i":3023,"t":"NetworkPolicies","u":"/kr/security/hardening-guide","h":"#networkpolicies","p":3013},{"i":3025,"t":"API Server audit configuration","u":"/kr/security/hardening-guide","h":"#api-server-audit-configuration","p":3013},{"i":3027,"t":"Configuration for Kubernetes Components","u":"/kr/security/hardening-guide","h":"#configuration-for-kubernetes-components","p":3013},{"i":3029,"t":"Control Plane Execution and Arguments","u":"/kr/security/hardening-guide","h":"#control-plane-execution-and-arguments","p":3013},{"i":3031,"t":"Known Issues","u":"/kr/security/hardening-guide","h":"#known-issues","p":3013},{"i":3033,"t":"Control 1.2.15","u":"/kr/security/hardening-guide","h":"#control-1215","p":3013},{"i":3035,"t":"Control 1.2.16","u":"/kr/security/hardening-guide","h":"#control-1216","p":3013},{"i":3037,"t":"Control 1.2.22","u":"/kr/security/hardening-guide","h":"#control-1222","p":3013},{"i":3039,"t":"Control 1.2.23","u":"/kr/security/hardening-guide","h":"#control-1223","p":3013},{"i":3041,"t":"Control 1.2.24","u":"/kr/security/hardening-guide","h":"#control-1224","p":3013},{"i":3043,"t":"Control 1.2.25","u":"/kr/security/hardening-guide","h":"#control-1225","p":3013},{"i":3045,"t":"Control 1.2.26","u":"/kr/security/hardening-guide","h":"#control-1226","p":3013},{"i":3047,"t":"Control 1.2.27","u":"/kr/security/hardening-guide","h":"#control-1227","p":3013},{"i":3049,"t":"Control 1.2.33","u":"/kr/security/hardening-guide","h":"#control-1233","p":3013},{"i":3051,"t":"Control 1.2.34","u":"/kr/security/hardening-guide","h":"#control-1234","p":3013},{"i":3053,"t":"Control 1.3.1","u":"/kr/security/hardening-guide","h":"#control-131","p":3013},{"i":3055,"t":"Control 3.2.1","u":"/kr/security/hardening-guide","h":"#control-321","p":3013},{"i":3057,"t":"Control 4.2.7","u":"/kr/security/hardening-guide","h":"#control-427","p":3013},{"i":3059,"t":"Control 5.1.5","u":"/kr/security/hardening-guide","h":"#control-515","p":3013},{"i":3061,"t":"Conclusion","u":"/kr/security/hardening-guide","h":"#conclusion","p":3013},{"i":3064,"t":"CIS Kubernetes Benchmark v1.23 - K3s with Kubernetes v1.22 to v1.24","u":"/kr/security/self-assessment-1.23","h":"#cis-kubernetes-benchmark-v123---k3s-with-kubernetes-v122-to-v124","p":3063},{"i":3066,"t":"Controls","u":"/kr/security/self-assessment-1.23","h":"#controls","p":3063},{"i":3067,"t":"1.1 Control Plane Node Configuration Files","u":"/kr/security/self-assessment-1.23","h":"#11-control-plane-node-configuration-files","p":3063},{"i":3068,"t":"1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)","u":"/kr/security/self-assessment-1.23","h":"#111-ensure-that-the-api-server-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated","p":3063},{"i":3070,"t":"1.1.2 Ensure that the API server pod specification file ownership is set to root:root (Automated)","u":"/kr/security/self-assessment-1.23","h":"#112-ensure-that-the-api-server-pod-specification-file-ownership-is-set-to-root-automated","p":3063},{"i":3072,"t":"1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Automated)","u":"/kr/security/self-assessment-1.23","h":"#113-ensure-that-the-controller-manager-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated","p":3063},{"i":3074,"t":"1.1.4 Ensure that the controller manager pod specification file ownership is set to root:root (Automated)","u":"/kr/security/self-assessment-1.23","h":"#114-ensure-that-the-controller-manager-pod-specification-file-ownership-is-set-to-root-automated","p":3063},{"i":3076,"t":"1.1.5 Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Automated)","u":"/kr/security/self-assessment-1.23","h":"#115-ensure-that-the-scheduler-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated","p":3063},{"i":3078,"t":"1.1.6 Ensure that the scheduler pod specification file ownership is set to root:root (Automated)","u":"/kr/security/self-assessment-1.23","h":"#116-ensure-that-the-scheduler-pod-specification-file-ownership-is-set-to-root-automated","p":3063},{"i":3080,"t":"1.1.7 Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated)","u":"/kr/security/self-assessment-1.23","h":"#117-ensure-that-the-etcd-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated","p":3063},{"i":3082,"t":"1.1.8 Ensure that the etcd pod specification file ownership is set to root:root (Automated)","u":"/kr/security/self-assessment-1.23","h":"#118-ensure-that-the-etcd-pod-specification-file-ownership-is-set-to-root-automated","p":3063},{"i":3084,"t":"1.1.9 Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual)","u":"/kr/security/self-assessment-1.23","h":"#119-ensure-that-the-container-network-interface-file-permissions-are-set-to-644-or-more-restrictive-manual","p":3063},{"i":3086,"t":"1.1.10 Ensure that the Container Network Interface file ownership is set to root:root (Manual)","u":"/kr/security/self-assessment-1.23","h":"#1110-ensure-that-the-container-network-interface-file-ownership-is-set-to-root-manual","p":3063},{"i":3088,"t":"1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1111-ensure-that-the-etcd-data-directory-permissions-are-set-to-700-or-more-restrictive-automated","p":3063},{"i":3090,"t":"1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1112-ensure-that-the-etcd-data-directory-ownership-is-set-to-etcd-automated","p":3063},{"i":3092,"t":"1.1.13 Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1113-ensure-that-the-adminconf-file-permissions-are-set-to-600-or-more-restrictive-automated","p":3063},{"i":3094,"t":"1.1.14 Ensure that the admin.conf file ownership is set to root:root (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1114-ensure-that-the-adminconf-file-ownership-is-set-to-root-automated","p":3063},{"i":3096,"t":"1.1.15 Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1115-ensure-that-the-schedulerconf-file-permissions-are-set-to-644-or-more-restrictive-automated","p":3063},{"i":3098,"t":"1.1.16 Ensure that the scheduler.conf file ownership is set to root:root (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1116-ensure-that-the-schedulerconf-file-ownership-is-set-to-root-automated","p":3063},{"i":3100,"t":"1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1117-ensure-that-the-controller-managerconf-file-permissions-are-set-to-644-or-more-restrictive-automated","p":3063},{"i":3102,"t":"1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1118-ensure-that-the-controller-managerconf-file-ownership-is-set-to-root-automated","p":3063},{"i":3104,"t":"1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1119-ensure-that-the-kubernetes-pki-directory-and-file-ownership-is-set-to-root-automated","p":3063},{"i":3106,"t":"1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Manual)","u":"/kr/security/self-assessment-1.23","h":"#1120-ensure-that-the-kubernetes-pki-certificate-file-permissions-are-set-to-644-or-more-restrictive-manual","p":3063},{"i":3108,"t":"1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)","u":"/kr/security/self-assessment-1.23","h":"#1121-ensure-that-the-kubernetes-pki-key-file-permissions-are-set-to-600-manual","p":3063},{"i":3110,"t":"1.2 API Server","u":"/kr/security/self-assessment-1.23","h":"#12-api-server","p":3063},{"i":3111,"t":"1.2.1 Ensure that the --anonymous-auth argument is set to false (Manual)","u":"/kr/security/self-assessment-1.23","h":"#121-ensure-that-the---anonymous-auth-argument-is-set-to-false-manual","p":3063},{"i":3113,"t":"1.2.2 Ensure that the --token-auth-file parameter is not set (Automated)","u":"/kr/security/self-assessment-1.23","h":"#122-ensure-that-the---token-auth-file-parameter-is-not-set-automated","p":3063},{"i":3115,"t":"1.2.3 Ensure that the --DenyServiceExternalIPs is not set (Automated)","u":"/kr/security/self-assessment-1.23","h":"#123-ensure-that-the---denyserviceexternalips-is-not-set-automated","p":3063},{"i":3117,"t":"1.2.4 Ensure that the --kubelet-https argument is set to true (Automated)","u":"/kr/security/self-assessment-1.23","h":"#124-ensure-that-the---kubelet-https-argument-is-set-to-true-automated","p":3063},{"i":3119,"t":"1.2.5 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)","u":"/kr/security/self-assessment-1.23","h":"#125-ensure-that-the---kubelet-client-certificate-and---kubelet-client-key-arguments-are-set-as-appropriate-automated","p":3063},{"i":3121,"t":"1.2.6 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)","u":"/kr/security/self-assessment-1.23","h":"#126-ensure-that-the---kubelet-certificate-authority-argument-is-set-as-appropriate-automated","p":3063},{"i":3123,"t":"1.2.7 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)","u":"/kr/security/self-assessment-1.23","h":"#127-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated","p":3063},{"i":3125,"t":"1.2.8 Ensure that the --authorization-mode argument includes Node (Automated)","u":"/kr/security/self-assessment-1.23","h":"#128-ensure-that-the---authorization-mode-argument-includes-node-automated","p":3063},{"i":3127,"t":"1.2.9 Ensure that the --authorization-mode argument includes RBAC (Automated)","u":"/kr/security/self-assessment-1.23","h":"#129-ensure-that-the---authorization-mode-argument-includes-rbac-automated","p":3063},{"i":3129,"t":"1.2.10 Ensure that the admission control plugin EventRateLimit is set (Manual)","u":"/kr/security/self-assessment-1.23","h":"#1210-ensure-that-the-admission-control-plugin-eventratelimit-is-set-manual","p":3063},{"i":3131,"t":"1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1211-ensure-that-the-admission-control-plugin-alwaysadmit-is-not-set-automated","p":3063},{"i":3133,"t":"1.2.12 Ensure that the admission control plugin AlwaysPullImages is set (Manual)","u":"/kr/security/self-assessment-1.23","h":"#1212-ensure-that-the-admission-control-plugin-alwayspullimages-is-set-manual","p":3063},{"i":3135,"t":"1.2.13 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)","u":"/kr/security/self-assessment-1.23","h":"#1213-ensure-that-the-admission-control-plugin-securitycontextdeny-is-set-if-podsecuritypolicy-is-not-used-manual","p":3063},{"i":3137,"t":"1.2.14 Ensure that the admission control plugin ServiceAccount is set (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1214-ensure-that-the-admission-control-plugin-serviceaccount-is-set-automated","p":3063},{"i":3139,"t":"1.2.15 Ensure that the admission control plugin NamespaceLifecycle is set (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1215-ensure-that-the-admission-control-plugin-namespacelifecycle-is-set-automated","p":3063},{"i":3141,"t":"1.2.16 Ensure that the admission control plugin NodeRestriction is set (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1216-ensure-that-the-admission-control-plugin-noderestriction-is-set-automated","p":3063},{"i":3143,"t":"1.2.17 Ensure that the --secure-port argument is not set to 0 (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1217-ensure-that-the---secure-port-argument-is-not-set-to-0-automated","p":3063},{"i":3145,"t":"1.2.18 Ensure that the --profiling argument is set to false (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1218-ensure-that-the---profiling-argument-is-set-to-false-automated","p":3063},{"i":3147,"t":"1.2.19 Ensure that the --audit-log-path argument is set (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1219-ensure-that-the---audit-log-path-argument-is-set-automated","p":3063},{"i":3149,"t":"1.2.20 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1220-ensure-that-the---audit-log-maxage-argument-is-set-to-30-or-as-appropriate-automated","p":3063},{"i":3151,"t":"1.2.21 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1221-ensure-that-the---audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate-automated","p":3063},{"i":3153,"t":"1.2.22 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1222-ensure-that-the---audit-log-maxsize-argument-is-set-to-100-or-as-appropriate-automated","p":3063},{"i":3155,"t":"1.2.24 Ensure that the --service-account-lookup argument is set to true (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1224-ensure-that-the---service-account-lookup-argument-is-set-to-true-automated","p":3063},{"i":3157,"t":"1.2.25 Ensure that the --request-timeout argument is set as appropriate (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1225-ensure-that-the---request-timeout-argument-is-set-as-appropriate-automated","p":3063},{"i":3159,"t":"1.2.26 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1226-ensure-that-the---etcd-certfile-and---etcd-keyfile-arguments-are-set-as-appropriate-automated","p":3063},{"i":3161,"t":"1.2.27 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1227-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated","p":3063},{"i":3163,"t":"1.2.28 Ensure that the --client-ca-file argument is set as appropriate (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1228-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated","p":3063},{"i":3165,"t":"1.2.29 Ensure that the --etcd-cafile argument is set as appropriate (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1229-ensure-that-the---etcd-cafile-argument-is-set-as-appropriate-automated","p":3063},{"i":3167,"t":"1.2.30 Ensure that the --encryption-provider-config argument is set as appropriate (Manual)","u":"/kr/security/self-assessment-1.23","h":"#1230-ensure-that-the---encryption-provider-config-argument-is-set-as-appropriate-manual","p":3063},{"i":3169,"t":"1.2.31 Ensure that encryption providers are appropriately configured (Manual)","u":"/kr/security/self-assessment-1.23","h":"#1231-ensure-that-encryption-providers-are-appropriately-configured-manual","p":3063},{"i":3171,"t":"1.2.32 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual)","u":"/kr/security/self-assessment-1.23","h":"#1232-ensure-that-the-api-server-only-makes-use-of-strong-cryptographic-ciphers-manual","p":3063},{"i":3173,"t":"1.3 Controller Manager","u":"/kr/security/self-assessment-1.23","h":"#13-controller-manager","p":3063},{"i":3174,"t":"1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)","u":"/kr/security/self-assessment-1.23","h":"#131-ensure-that-the---terminated-pod-gc-threshold-argument-is-set-as-appropriate-manual","p":3063},{"i":3176,"t":"1.3.2 Ensure that the --profiling argument is set to false (Automated)","u":"/kr/security/self-assessment-1.23","h":"#132-ensure-that-the---profiling-argument-is-set-to-false-automated","p":3063},{"i":3178,"t":"1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated)","u":"/kr/security/self-assessment-1.23","h":"#133-ensure-that-the---use-service-account-credentials-argument-is-set-to-true-automated","p":3063},{"i":3180,"t":"1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)","u":"/kr/security/self-assessment-1.23","h":"#134-ensure-that-the---service-account-private-key-file-argument-is-set-as-appropriate-automated","p":3063},{"i":3182,"t":"1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated)","u":"/kr/security/self-assessment-1.23","h":"#135-ensure-that-the---root-ca-file-argument-is-set-as-appropriate-automated","p":3063},{"i":3184,"t":"1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)","u":"/kr/security/self-assessment-1.23","h":"#136-ensure-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated","p":3063},{"i":3186,"t":"1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)","u":"/kr/security/self-assessment-1.23","h":"#137-ensure-that-the---bind-address-argument-is-set-to-127001-automated","p":3063},{"i":3188,"t":"1.4 Scheduler","u":"/kr/security/self-assessment-1.23","h":"#14-scheduler","p":3063},{"i":3189,"t":"1.4.1 Ensure that the --profiling argument is set to false (Automated)","u":"/kr/security/self-assessment-1.23","h":"#141-ensure-that-the---profiling-argument-is-set-to-false-automated","p":3063},{"i":3191,"t":"1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)","u":"/kr/security/self-assessment-1.23","h":"#142-ensure-that-the---bind-address-argument-is-set-to-127001-automated","p":3063},{"i":3193,"t":"2 Etcd Node Configuration","u":"/kr/security/self-assessment-1.23","h":"#2-etcd-node-configuration","p":3063},{"i":3194,"t":"2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)","u":"/kr/security/self-assessment-1.23","h":"#21-ensure-that-the---cert-file-and---key-file-arguments-are-set-as-appropriate-automated","p":3063},{"i":3196,"t":"2.2 Ensure that the --client-cert-auth argument is set to true (Automated)","u":"/kr/security/self-assessment-1.23","h":"#22-ensure-that-the---client-cert-auth-argument-is-set-to-true-automated","p":3063},{"i":3198,"t":"2.3 Ensure that the --auto-tls argument is not set to true (Automated)","u":"/kr/security/self-assessment-1.23","h":"#23-ensure-that-the---auto-tls-argument-is-not-set-to-true-automated","p":3063},{"i":3200,"t":"2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)","u":"/kr/security/self-assessment-1.23","h":"#24-ensure-that-the---peer-cert-file-and---peer-key-file-arguments-are-set-as-appropriate-automated","p":3063},{"i":3202,"t":"2.5 Ensure that the --peer-client-cert-auth argument is set to true (Automated)","u":"/kr/security/self-assessment-1.23","h":"#25-ensure-that-the---peer-client-cert-auth-argument-is-set-to-true-automated","p":3063},{"i":3204,"t":"2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated)","u":"/kr/security/self-assessment-1.23","h":"#26-ensure-that-the---peer-auto-tls-argument-is-not-set-to-true-automated","p":3063},{"i":3206,"t":"2.7 Ensure that a unique Certificate Authority is used for etcd (Manual)","u":"/kr/security/self-assessment-1.23","h":"#27-ensure-that-a-unique-certificate-authority-is-used-for-etcd-manual","p":3063},{"i":3208,"t":"3.1 Authentication and Authorization","u":"/kr/security/self-assessment-1.23","h":"#31-authentication-and-authorization","p":3063},{"i":3209,"t":"3.1.1 Client certificate authentication should not be used for users (Manual)","u":"/kr/security/self-assessment-1.23","h":"#311-client-certificate-authentication-should-not-be-used-for-users-manual","p":3063},{"i":3211,"t":"3.2 Logging","u":"/kr/security/self-assessment-1.23","h":"#32-logging","p":3063},{"i":3212,"t":"3.2.1 Ensure that a minimal audit policy is created (Manual)","u":"/kr/security/self-assessment-1.23","h":"#321-ensure-that-a-minimal-audit-policy-is-created-manual","p":3063},{"i":3214,"t":"3.2.2 Ensure that the audit policy covers key security concerns (Manual)","u":"/kr/security/self-assessment-1.23","h":"#322-ensure-that-the-audit-policy-covers-key-security-concerns-manual","p":3063},{"i":3216,"t":"4.1 Worker Node Configuration Files","u":"/kr/security/self-assessment-1.23","h":"#41-worker-node-configuration-files","p":3063},{"i":3217,"t":"4.1.1 Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automated)","u":"/kr/security/self-assessment-1.23","h":"#411-ensure-that-the-kubelet-service-file-permissions-are-set-to-644-or-more-restrictive-automated","p":3063},{"i":3219,"t":"4.1.2 Ensure that the kubelet service file ownership is set to root:root (Automated)","u":"/kr/security/self-assessment-1.23","h":"#412-ensure-that-the-kubelet-service-file-ownership-is-set-to-root-automated","p":3063},{"i":3221,"t":"4.1.3 If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive (Manual)","u":"/kr/security/self-assessment-1.23","h":"#413-if-proxy-kubeconfig-file-exists-ensure-permissions-are-set-to-644-or-more-restrictive-manual","p":3063},{"i":3223,"t":"4.1.4 If proxy kubeconfig file exists ensure ownership is set to root:root (Manual)","u":"/kr/security/self-assessment-1.23","h":"#414-if-proxy-kubeconfig-file-exists-ensure-ownership-is-set-to-root-manual","p":3063},{"i":3225,"t":"4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive (Automated)","u":"/kr/security/self-assessment-1.23","h":"#415-ensure-that-the---kubeconfig-kubeletconf-file-permissions-are-set-to-644-or-more-restrictive-automated","p":3063},{"i":3227,"t":"4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root (Automated)","u":"/kr/security/self-assessment-1.23","h":"#416-ensure-that-the---kubeconfig-kubeletconf-file-ownership-is-set-to-root-automated","p":3063},{"i":3229,"t":"4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual)","u":"/kr/security/self-assessment-1.23","h":"#417-ensure-that-the-certificate-authorities-file-permissions-are-set-to-644-or-more-restrictive-manual","p":3063},{"i":3231,"t":"4.1.8 Ensure that the client certificate authorities file ownership is set to root:root (Manual)","u":"/kr/security/self-assessment-1.23","h":"#418-ensure-that-the-client-certificate-authorities-file-ownership-is-set-to-root-manual","p":3063},{"i":3233,"t":"4.1.9 Ensure that the kubelet --config configuration file has permissions set to 644 or more restrictive (Automated)","u":"/kr/security/self-assessment-1.23","h":"#419-ensure-that-the-kubelet---config-configuration-file-has-permissions-set-to-644-or-more-restrictive-automated","p":3063},{"i":3235,"t":"4.1.10 Ensure that the kubelet --config configuration file ownership is set to root:root (Automated)","u":"/kr/security/self-assessment-1.23","h":"#4110-ensure-that-the-kubelet---config-configuration-file-ownership-is-set-to-root-automated","p":3063},{"i":3237,"t":"4.2 Kubelet","u":"/kr/security/self-assessment-1.23","h":"#42-kubelet","p":3063},{"i":3238,"t":"4.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)","u":"/kr/security/self-assessment-1.23","h":"#421-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated","p":3063},{"i":3240,"t":"4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)","u":"/kr/security/self-assessment-1.23","h":"#422-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated","p":3063},{"i":3242,"t":"4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)","u":"/kr/security/self-assessment-1.23","h":"#423-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated","p":3063},{"i":3244,"t":"4.2.4 Ensure that the --read-only-port argument is set to 0 (Manual)","u":"/kr/security/self-assessment-1.23","h":"#424-ensure-that-the---read-only-port-argument-is-set-to-0-manual","p":3063},{"i":3246,"t":"4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)","u":"/kr/security/self-assessment-1.23","h":"#425-ensure-that-the---streaming-connection-idle-timeout-argument-is-not-set-to-0-manual","p":3063},{"i":3248,"t":"4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)","u":"/kr/security/self-assessment-1.23","h":"#426-ensure-that-the---protect-kernel-defaults-argument-is-set-to-true-automated","p":3063},{"i":3250,"t":"4.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Automated)","u":"/kr/security/self-assessment-1.23","h":"#427-ensure-that-the---make-iptables-util-chains-argument-is-set-to-true-automated","p":3063},{"i":3252,"t":"4.2.8 Ensure that the --hostname-override argument is not set (Manual)","u":"/kr/security/self-assessment-1.23","h":"#428-ensure-that-the---hostname-override-argument-is-not-set-manual","p":3063},{"i":3254,"t":"4.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Manual)","u":"/kr/security/self-assessment-1.23","h":"#429-ensure-that-the---event-qps-argument-is-set-to-0-or-a-level-which-ensures-appropriate-event-capture-manual","p":3063},{"i":3256,"t":"4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)","u":"/kr/security/self-assessment-1.23","h":"#4210-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-manual","p":3063},{"i":3258,"t":"4.2.11 Ensure that the --rotate-certificates argument is not set to false (Automated)","u":"/kr/security/self-assessment-1.23","h":"#4211-ensure-that-the---rotate-certificates-argument-is-not-set-to-false-automated","p":3063},{"i":3260,"t":"4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true (Manual)","u":"/kr/security/self-assessment-1.23","h":"#4212-verify-that-the-rotatekubeletservercertificate-argument-is-set-to-true-manual","p":3063},{"i":3262,"t":"4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)","u":"/kr/security/self-assessment-1.23","h":"#4213-ensure-that-the-kubelet-only-makes-use-of-strong-cryptographic-ciphers-manual","p":3063},{"i":3264,"t":"5.1 RBAC and Service Accounts","u":"/kr/security/self-assessment-1.23","h":"#51-rbac-and-service-accounts","p":3063},{"i":3265,"t":"5.1.1 Ensure that the cluster-admin role is only used where required (Manual)","u":"/kr/security/self-assessment-1.23","h":"#511-ensure-that-the-cluster-admin-role-is-only-used-where-required-manual","p":3063},{"i":3267,"t":"5.1.2 Minimize access to secrets (Manual)","u":"/kr/security/self-assessment-1.23","h":"#512-minimize-access-to-secrets-manual","p":3063},{"i":3269,"t":"5.1.3 Minimize wildcard use in Roles and ClusterRoles (Manual)","u":"/kr/security/self-assessment-1.23","h":"#513-minimize-wildcard-use-in-roles-and-clusterroles-manual","p":3063},{"i":3271,"t":"5.1.4 Minimize access to create pods (Manual)","u":"/kr/security/self-assessment-1.23","h":"#514-minimize-access-to-create-pods-manual","p":3063},{"i":3273,"t":"5.1.5 Ensure that default service accounts are not actively used. (Manual)","u":"/kr/security/self-assessment-1.23","h":"#515-ensure-that-default-service-accounts-are-not-actively-used-manual","p":3063},{"i":3275,"t":"5.1.6 Ensure that Service Account Tokens are only mounted where necessary (Manual)","u":"/kr/security/self-assessment-1.23","h":"#516-ensure-that-service-account-tokens-are-only-mounted-where-necessary-manual","p":3063},{"i":3277,"t":"5.1.7 Avoid use of system:masters group (Manual)","u":"/kr/security/self-assessment-1.23","h":"#517-avoid-use-of-system-group-manual","p":3063},{"i":3279,"t":"5.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)","u":"/kr/security/self-assessment-1.23","h":"#518-limit-use-of-the-bind-impersonate-and-escalate-permissions-in-the-kubernetes-cluster-manual","p":3063},{"i":3281,"t":"5.2 Pod Security Standards","u":"/kr/security/self-assessment-1.23","h":"#52-pod-security-standards","p":3063},{"i":3282,"t":"5.2.1 Ensure that the cluster has at least one active policy control mechanism in place (Manual)","u":"/kr/security/self-assessment-1.23","h":"#521-ensure-that-the-cluster-has-at-least-one-active-policy-control-mechanism-in-place-manual","p":3063},{"i":3284,"t":"5.2.2 Minimize the admission of privileged containers (Automated)","u":"/kr/security/self-assessment-1.23","h":"#522-minimize-the-admission-of-privileged-containers-automated","p":3063},{"i":3286,"t":"5.2.3 Minimize the admission of containers wishing to share the host process ID namespace (Automated)","u":"/kr/security/self-assessment-1.23","h":"#523-minimize-the-admission-of-containers-wishing-to-share-the-host-process-id-namespace-automated","p":3063},{"i":3288,"t":"5.2.4 Minimize the admission of containers wishing to share the host IPC namespace (Automated)","u":"/kr/security/self-assessment-1.23","h":"#524-minimize-the-admission-of-containers-wishing-to-share-the-host-ipc-namespace-automated","p":3063},{"i":3290,"t":"5.2.5 Minimize the admission of containers wishing to share the host network namespace (Automated)","u":"/kr/security/self-assessment-1.23","h":"#525-minimize-the-admission-of-containers-wishing-to-share-the-host-network-namespace-automated","p":3063},{"i":3292,"t":"5.2.6 Minimize the admission of containers with allowPrivilegeEscalation (Automated)","u":"/kr/security/self-assessment-1.23","h":"#526-minimize-the-admission-of-containers-with-allowprivilegeescalation-automated","p":3063},{"i":3294,"t":"5.2.7 Minimize the admission of root containers (Automated)","u":"/kr/security/self-assessment-1.23","h":"#527-minimize-the-admission-of-root-containers-automated","p":3063},{"i":3296,"t":"5.2.8 Minimize the admission of containers with the NET_RAW capability (Automated)","u":"/kr/security/self-assessment-1.23","h":"#528-minimize-the-admission-of-containers-with-the-net_raw-capability-automated","p":3063},{"i":3298,"t":"5.2.9 Minimize the admission of containers with added capabilities (Automated)","u":"/kr/security/self-assessment-1.23","h":"#529-minimize-the-admission-of-containers-with-added-capabilities-automated","p":3063},{"i":3300,"t":"5.2.10 Minimize the admission of containers with capabilities assigned (Manual)","u":"/kr/security/self-assessment-1.23","h":"#5210-minimize-the-admission-of-containers-with-capabilities-assigned-manual","p":3063},{"i":3302,"t":"5.2.11 Minimize the admission of Windows HostProcess containers (Manual)","u":"/kr/security/self-assessment-1.23","h":"#5211-minimize-the-admission-of-windows-hostprocess-containers-manual","p":3063},{"i":3304,"t":"5.2.12 Minimize the admission of HostPath volumes (Manual)","u":"/kr/security/self-assessment-1.23","h":"#5212-minimize-the-admission-of-hostpath-volumes-manual","p":3063},{"i":3306,"t":"5.2.13 Minimize the admission of containers which use HostPorts (Manual)","u":"/kr/security/self-assessment-1.23","h":"#5213-minimize-the-admission-of-containers-which-use-hostports-manual","p":3063},{"i":3308,"t":"5.3 Network Policies and CNI","u":"/kr/security/self-assessment-1.23","h":"#53-network-policies-and-cni","p":3063},{"i":3309,"t":"5.3.1 Ensure that the CNI in use supports NetworkPolicies (Manual)","u":"/kr/security/self-assessment-1.23","h":"#531-ensure-that-the-cni-in-use-supports-networkpolicies-manual","p":3063},{"i":3311,"t":"5.3.2 Ensure that all Namespaces have NetworkPolicies defined (Manual)","u":"/kr/security/self-assessment-1.23","h":"#532-ensure-that-all-namespaces-have-networkpolicies-defined-manual","p":3063},{"i":3313,"t":"5.4 Secrets Management","u":"/kr/security/self-assessment-1.23","h":"#54-secrets-management","p":3063},{"i":3314,"t":"5.4.1 Prefer using Secrets as files over Secrets as environment variables (Manual)","u":"/kr/security/self-assessment-1.23","h":"#541-prefer-using-secrets-as-files-over-secrets-as-environment-variables-manual","p":3063},{"i":3316,"t":"5.4.2 Consider external secret storage (Manual)","u":"/kr/security/self-assessment-1.23","h":"#542-consider-external-secret-storage-manual","p":3063},{"i":3318,"t":"5.5 Extensible Admission Control","u":"/kr/security/self-assessment-1.23","h":"#55-extensible-admission-control","p":3063},{"i":3319,"t":"5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)","u":"/kr/security/self-assessment-1.23","h":"#551-configure-image-provenance-using-imagepolicywebhook-admission-controller-manual","p":3063},{"i":3321,"t":"5.7 General Policies","u":"/kr/security/self-assessment-1.23","h":"#57-general-policies","p":3063},{"i":3322,"t":"5.7.1 Create administrative boundaries between resources using namespaces (Manual)","u":"/kr/security/self-assessment-1.23","h":"#571-create-administrative-boundaries-between-resources-using-namespaces-manual","p":3063},{"i":3324,"t":"5.7.2 Ensure that the seccomp profile is set to docker/default in your Pod definitions (Manual)","u":"/kr/security/self-assessment-1.23","h":"#572-ensure-that-the-seccomp-profile-is-set-to-dockerdefault-in-your-pod-definitions-manual","p":3063},{"i":3326,"t":"5.7.3 Apply SecurityContext to your Pods and Containers (Manual)","u":"/kr/security/self-assessment-1.23","h":"#573-apply-securitycontext-to-your-pods-and-containers-manual","p":3063},{"i":3328,"t":"5.7.4 The default namespace should not be used (Manual)","u":"/kr/security/self-assessment-1.23","h":"#574-the-default-namespace-should-not-be-used-manual","p":3063}],"index":{"version":"2.3.9","fields":["t"],"fieldVectors":[["t/2487",[0,3.274,1,4.582]],["t/2489",[0,3.102,1,4.582,2,2.474]],["t/2491",[0,3.399]],["t/2493",[0,3.372]],["t/2497",[3,5.841]],["t/2499",[4,4.746,5,4.746]],["t/2501",[6,6.597]],["t/2503",[7,4.767]],["t/2505",[8,7.466]],["t/2507",[9,5.209]],["t/2509",[10,5.595,11,6.189]],["t/2511",[12,6.968]],["t/2513",[13,7.466]],["t/2515",[7,3.46,14,5.968,15,5.968,16,4.105]],["t/2517",[2,2.926,16,4.105,17,5.419,18,5.419]],["t/2523",[19,4.387,20,4.518,21,5.964]],["t/2525",[20,4.518,22,4.269,23,4.835]],["t/2527",[19,4.387,20,4.518,24,6.568]],["t/2529",[19,4.387,20,4.518,25,6.568]],["t/2532",[26,4.387,27,3.887,28,3.887]],["t/2534",[23,4.393,26,3.986,27,3.532,28,3.532]],["t/2536",[28,4.747,29,3.878,30,4.24]],["t/2538",[10,4.573,28,3.532,30,4.24,31,3.013]],["t/2540",[10,4.573,23,4.393,28,3.532,30,4.24]],["t/2542",[23,4.026,28,3.236,30,3.885,32,5.468,33,5.468]],["t/2544",[22,3.554,23,4.026,34,3.554,35,3.885,36,5.468]],["t/2548",[0,3.116,37,5.968]],["t/2552",[0,3.145]],["t/2553",[0,3.267]],["t/2555",[0,3.332]],["t/2557",[0,3.145]],["t/2559",[0,2.939,38,5.964]],["t/2561",[0,3.116,39,5.058]],["t/2563",[0,2.512,40,7.302]],["t/2565",[0,3.145]],["t/2567",[0,3.116,41,5.968]],["t/2569",[0,3.332]],["t/2571",[0,3.267]],["t/2573",[0,3.332]],["t/2575",[0,3.267]],["t/2577",[0,3.267]],["t/2579",[0,3.267]],["t/2581",[0,3.332]],["t/2583",[0,3.332]],["t/2585",[0,3.116,42,5.968]],["t/2586",[0,2.939,43,5.567]],["t/2588",[0,1.736,44,5.046,45,5.046,46,5.046,47,5.046,48,5.046]],["t/2590",[49,8.222]],["t/2592",[50,7.302,51,7.302]],["t/2594",[0,2.259,2,3.22,39,5.567]],["t/2596",[0,2.512,52,6.631]],["t/2598",[0,2.939,52,5.964]],["t/2600",[0,3.399]],["t/2601",[0,3.116,53,5.968]],["t/2603",[0,3.213,2,2.681]],["t/2605",[0,3.267]],["t/2607",[0,3.332]],["t/2611",[54,5.567,55,5.567,56,6.568]],["t/2613",[54,5.058,55,5.058,57,4.788,58,4.788]],["t/2615",[54,4.635,55,4.635,58,4.387,59,4.635,60,3.554]],["t/2619",[61,6.968]],["t/2621",[62,6.568,63,5.033,64,5.567]],["t/2623",[63,5.033,64,5.567,65,6.568]],["t/2627",[66,5.859,67,7.302]],["t/2629",[68,6.053]],["t/2631",[69,8.222]],["t/2633",[66,5.859,70,7.302]],["t/2635",[27,4.866]],["t/2637",[16,5.656]],["t/2639",[71,8.222]],["t/2644",[72,6.568,73,3.599,74,6.568]],["t/2646",[5,4.269,31,3.317,75,6.568]],["t/2647",[76,7.466]],["t/2649",[4,4.746,5,4.746]],["t/2651",[5,4.269,77,5.964,78,5.033]],["t/2653",[5,4.746,79,7.302]],["t/2654",[3,5.841]],["t/2656",[80,8.222]],["t/2658",[6,6.597]],["t/2660",[19,4.877,20,5.023]],["t/2662",[9,5.209]],["t/2664",[81,6.631,82,7.302]],["t/2666",[83,4.746,84,5.859]],["t/2668",[10,4.573,11,5.058,83,3.878,85,5.058]],["t/2670",[5,4.746,12,6.189]],["t/2672",[5,4.746,13,6.631]],["t/2674",[2,2.926,17,5.419,18,5.419,27,3.532]],["t/2678",[0,3.332]],["t/2680",[0,3.372]],["t/2684",[4,4.746,86,7.302]],["t/2686",[4,4.746,87,5.859]],["t/2690",[0,2.759,2,2.926,83,3.878]],["t/2692",[0,3.236,88,3.969,89,3.969]],["t/2694",[0,2.259,2,3.22,90,5.964]],["t/2696",[0,3.372]],["t/2698",[0,3.116,2,2.926]],["t/2700",[0,2.979,2,2.681,39,4.635]],["t/2702",[0,3.274,2,2.474]],["t/2704",[0,3.213,2,2.681]],["t/2706",[0,3.419]],["t/2712",[0,3.267]],["t/2714",[0,3.116,91,5.968]],["t/2716",[0,3.116,92,5.058]],["t/2720",[93,5.188,94,7.302]],["t/2722",[57,4.788,58,4.788,95,5.968,96,4.573]],["t/2724",[7,3.46,27,3.532,92,5.058,97,5.968]],["t/2726",[73,2.997,98,5.468,99,5.468,100,5.468,101,4.635]],["t/2728",[5,3.279,7,2.926,27,2.986,102,5.046,103,4.582,104,5.046]],["t/2730",[5,3.554,7,3.171,16,3.762,103,4.966,105,5.468]],["t/2734",[63,5.595,106,5.188]],["t/2735",[107,5.033,108,4.835,109,5.27]],["t/2737",[106,4.24,109,4.788,110,2.15,111,5.058]],["t/2739",[59,5.567,108,4.835,112,5.27]],["t/2741",[2,3.58,93,5.188]],["t/2742",[61,6.968]],["t/2744",[2,2.681,93,3.885,113,4.966,114,4.966,115,4.635]],["t/2746",[116,6.3]],["t/2747",[93,4.666,109,5.27,117,5.567]],["t/2749",[109,5.27,116,5.033,118,1.922]],["t/2752",[111,5.058,119,5.058,120,5.419,121,5.058]],["t/2754",[84,5.859,122,7.302]],["t/2756",[121,6.189,123,6.631]],["t/2758",[120,6.631,124,6.189]],["t/2760",[11,5.567,31,3.317,124,5.567]],["t/2762",[31,3.317,125,6.568,126,2.51]],["t/2764",[121,6.189,127,7.302]],["t/2768",[128,4.835,129,5.964,130,5.964]],["t/2770",[73,3.599,108,4.835,126,2.51]],["t/2772",[112,6.597]],["t/2774",[131,6.3]],["t/2776",[132,6.053]],["t/2778",[132,5.376,133,6.631]],["t/2780",[106,4.666,134,6.568,135,6.568]],["t/2782",[106,4.24,107,4.573,108,4.393,136,5.058]],["t/2786",[61,6.968]],["t/2788",[137,8.222]],["t/2790",[138,7.302,139,6.631]],["t/2792",[140,8.222]],["t/2794",[9,5.209]],["t/2796",[2,2.926,7,3.46,141,5.968,142,5.968]],["t/2798",[4,4.746,143,7.302]],["t/2800",[144,7.302,145,7.302]],["t/2802",[146,8.222]],["t/2804",[9,5.209]],["t/2806",[76,7.466]],["t/2810",[7,3.808,60,4.269,147,5.964]],["t/2812",[7,3.46,147,5.419,148,2.456,149,4.788]],["t/2814",[27,3.532,87,4.788,136,5.058,150,5.058]],["t/2816",[73,3.599,126,2.51,151,6.568]],["t/2820",[73,3.599,93,4.666,117,5.567]],["t/2822",[73,4.002,152,6.631]],["t/2824",[73,4.002,126,2.791]],["t/2826",[126,2.51,131,5.033,153,6.568]],["t/2828",[154,7.302,155,7.302]],["t/2832",[27,4.322,156,6.631]],["t/2834",[16,5.023,156,6.631]],["t/2838",[108,4.026,112,4.387,157,4.966,158,5.468,159,5.468]],["t/2840",[160,6.3]],["t/2842",[108,4.835,112,5.27,157,5.964]],["t/2844",[128,4.835,129,5.964,130,5.964]],["t/2846",[68,6.053]],["t/2847",[161,6.968]],["t/2849",[162,7.302,163,6.631]],["t/2851",[63,3.866,106,3.585,110,1.818,113,4.582,114,4.582,164,4.048]],["t/2853",[106,5.188,165,7.302]],["t/2857",[0,2.512,166,7.302]],["t/2859",[43,6.968]],["t/2861",[167,7.302,168,5.595]],["t/2863",[0,2.599,169,5.468,170,5.468,171,5.468]],["t/2869",[2,2.926,59,5.058,172,5.968,173,5.968]],["t/2871",[12,4.635,174,5.468,175,5.468,176,5.468,177,4.635]],["t/2877",[178,8.222]],["t/2879",[88,5.964,89,5.964,148,2.703]],["t/2881",[9,4.161,148,2.703,179,4.835]],["t/2883",[34,4.269,63,5.033,64,5.567]],["t/2885",[180,5.859,181,7.302]],["t/2887",[182,8.222]],["t/2889",[7,3.46,148,2.456,180,4.788,183,5.968]],["t/2891",[7,3.46,96,4.573,180,4.788,184,5.968]],["t/2893",[124,6.189,180,5.859]],["t/2895",[57,4.387,111,4.635,148,2.25,185,5.468,186,4.19]],["t/2899",[85,6.968]],["t/2901",[187,8.222]],["t/2905",[0,3.145]],["t/2911",[188,6.568,189,5.27,190,6.568]],["t/2913",[84,4.788,191,5.058,192,5.419,193,5.968]],["t/2915",[194,8.222]],["t/2917",[115,6.968]],["t/2919",[160,5.033,189,5.27,192,5.964]],["t/2921",[2,3.22,27,3.887,195,5.964]],["t/2923",[2,2.926,4,3.878,16,4.105,196,5.419]],["t/2925",[2,3.58,16,5.023]],["t/2927",[197,8.222]],["t/2929",[189,4.788,198,5.968,199,5.419,200,5.968]],["t/2931",[4,3.279,16,3.471,58,4.048,195,4.582,201,5.046,202,5.046]],["t/2935",[2,3.58,203,7.302]],["t/2937",[204,8.222]],["t/2939",[205,8.222]],["t/2943",[5,4.746,206,7.302]],["t/2945",[207,5.468,208,7.557,209,5.468,210,5.468]],["t/2947",[10,5.595,211,6.189]],["t/2949",[73,2.997,148,2.25,149,4.387,212,5.468,213,5.468]],["t/2951",[0,1.736,9,3.197,214,5.046,215,4.582,216,5.046,217,4.582]],["t/2953",[9,3.781,196,5.419,215,5.419,217,5.419]],["t/2955",[7,3.808,133,5.964,218,5.964]],["t/2961",[19,4.387,20,4.518,21,5.964]],["t/2971",[0,3.116,2,2.926]],["t/2973",[0,3.332]],["t/2975",[219,7.466]],["t/2977",[220,7.466]],["t/2979",[0,2.512,221,7.302]],["t/2981",[219,7.466]],["t/2983",[220,7.466]],["t/2986",[0,2.939,2,3.22]],["t/2988",[0,3.145]],["t/2991",[222,8.222]],["t/2993",[93,4.24,116,4.573,139,5.419,148,2.456]],["t/2995",[73,4.002,223,7.302]],["t/3001",[224,7.302,225,7.302]],["t/3003",[2,2.681,31,2.761,93,3.885,116,4.19,117,4.635]],["t/3005",[2,2.681,31,2.761,110,1.97,116,4.19,152,4.966]],["t/3007",[2,3.58,226,7.302]],["t/3011",[0,3.332]],["t/3015",[160,5.033,227,5.27,228,5.964]],["t/3017",[128,4.026,229,1.332,230,4.966,231,4.966,232,1.468]],["t/3019",[8,5.964,83,4.269,160,5.033]],["t/3021",[68,5.376,233,4.322]],["t/3023",[234,6.968]],["t/3025",[27,3.532,73,3.27,235,4.573,236,4.24]],["t/3027",[73,3.599,83,4.269,84,5.27]],["t/3029",[148,2.456,149,4.788,237,5.968,238,2.235]],["t/3031",[239,7.302,240,7.302]],["t/3033",[148,3.005,241,6.631]],["t/3035",[148,3.005,242,6.631]],["t/3037",[148,3.005,243,6.631]],["t/3039",[148,3.005,244,7.302]],["t/3041",[148,3.005,245,6.631]],["t/3043",[148,3.005,246,6.631]],["t/3045",[148,3.005,247,6.631]],["t/3047",[148,3.005,248,6.631]],["t/3049",[148,3.005,249,7.302]],["t/3051",[148,3.005,250,7.302]],["t/3053",[148,3.005,251,6.631]],["t/3055",[148,3.005,252,6.631]],["t/3057",[148,3.005,253,6.631]],["t/3059",[148,3.005,254,6.631]],["t/3061",[255,8.222]],["t/3064",[2,2.143,83,4.185,256,4.37,257,4.37,258,4.37,259,4.37,260,4.37]],["t/3066",[148,3.383]],["t/3067",[7,2.926,73,2.765,126,1.928,148,2.076,149,4.048,261,5.046]],["t/3068",[27,1.938,118,0.958,126,1.251,229,0.797,232,0.879,233,1.938,235,2.509,262,3.275,263,2.253,264,1.827,265,1.98,266,1.899,267,1.899]],["t/3070",[27,2.154,118,1.065,126,1.391,229,0.886,232,0.977,233,2.154,235,2.789,263,2.504,268,3.64,269,2.11,270,2.154]],["t/3072",[118,0.958,126,1.251,148,1.348,186,2.509,229,0.797,232,0.879,233,1.938,263,2.253,264,1.827,265,1.98,266,1.899,267,1.899,271,3.275]],["t/3074",[118,1.065,126,1.391,148,1.498,186,2.789,229,0.886,232,0.977,233,2.154,263,2.504,269,2.11,270,2.154,272,3.64]],["t/3076",[118,1.009,126,1.318,229,0.839,232,0.925,233,2.04,263,2.372,264,1.924,265,2.085,266,1.999,267,1.999,273,3.448,274,2.922]],["t/3078",[118,1.128,126,1.473,229,0.939,232,1.035,233,2.281,263,2.652,269,2.235,270,2.281,274,3.267,275,3.854]],["t/3080",[60,2.241,118,1.009,126,1.318,229,0.839,232,0.925,233,2.04,263,2.372,264,1.924,265,2.085,266,1.999,267,1.999,276,3.448]],["t/3082",[60,2.505,118,1.128,126,1.473,229,0.939,232,1.035,233,2.281,263,2.652,269,2.235,270,2.281,277,3.854]],["t/3084",[9,2.184,110,1.242,126,1.318,229,0.839,232,0.925,264,1.924,265,2.085,266,1.999,267,1.999,278,3.448,279,2.04,280,3.131]],["t/3086",[9,2.442,110,1.389,126,1.473,229,0.939,232,1.035,269,2.235,270,2.281,279,2.281,280,3.5,281,3.854]],["t/3088",[6,2.92,60,2.365,118,1.065,229,0.886,232,0.977,264,2.031,266,2.11,267,2.11,282,3.64,283,3.085,284,3.64]],["t/3090",[6,3.287,60,2.662,118,1.199,229,0.997,232,1.1,269,2.375,283,3.472,285,4.096,286,4.096]],["t/3092",[118,1.128,126,1.473,229,0.939,232,1.035,264,2.151,266,2.235,267,2.235,287,3.854,288,3.5,289,3.5]],["t/3094",[118,1.279,126,1.67,229,1.064,232,1.173,269,2.534,270,2.586,288,3.969,290,4.37]],["t/3096",[118,1.128,126,1.473,229,0.939,232,1.035,264,2.151,265,2.331,266,2.235,267,2.235,291,3.854,292,3.5]],["t/3098",[118,1.279,126,1.67,229,1.064,232,1.173,269,2.534,270,2.586,292,3.969,293,4.37]],["t/3100",[118,1.065,126,1.391,148,1.498,229,0.886,232,0.977,264,2.031,265,2.201,266,2.11,267,2.11,294,3.64,295,3.305]],["t/3102",[118,1.199,126,1.565,148,1.686,229,0.997,232,1.1,269,2.375,270,2.424,295,3.72,296,4.096]],["t/3104",[83,2.505,118,1.128,126,1.473,229,0.939,232,1.035,269,2.235,270,2.281,283,3.267,297,3.854,298,3.267]],["t/3106",[28,2.04,83,2.241,110,1.242,126,1.318,229,0.839,232,0.925,264,1.924,265,2.085,266,1.999,267,1.999,298,2.922,299,3.448]],["t/3108",[22,2.505,83,2.505,110,1.389,126,1.473,229,0.939,232,1.035,264,2.151,289,3.5,298,3.267,300,3.854]],["t/3110",[27,3.887,235,5.033,301,6.568]],["t/3111",[110,1.575,229,1.064,232,1.173,238,1.637,302,4.37,303,3.969,304,3.349,305,3.217]],["t/3113",[66,3.507,118,1.279,126,1.67,229,1.064,232,1.173,304,3.349,306,4.37,307,4.37]],["t/3115",[118,1.6,229,1.332,232,1.468,308,5.468,309,5.468]],["t/3117",[38,3.969,118,1.279,229,1.064,232,1.173,238,1.637,310,4.37,311,2.919,312,2.769]],["t/3119",[22,2.241,26,3.592,28,2.04,118,1.009,229,0.839,232,0.925,238,1.291,311,3.592,313,3.448,314,1.826]],["t/3121",[28,2.424,29,2.662,118,1.199,229,0.997,232,1.1,238,1.534,311,2.736,314,2.169,315,4.096]],["t/3123",[29,2.84,118,1.279,168,3.349,229,1.064,232,1.173,238,1.637,316,4.37,317,3.969]],["t/3125",[7,2.534,29,2.84,118,1.279,168,3.349,191,3.704,229,1.064,238,1.637,318,4.37]],["t/3127",[29,2.84,118,1.279,168,3.349,191,3.704,229,1.064,238,1.637,319,4.37,320,3.969]],["t/3129",[110,1.575,148,1.798,229,1.064,232,1.173,321,4.37,322,2.277,323,3.105,324,4.37]],["t/3131",[118,1.279,148,1.798,229,1.064,232,1.173,322,2.277,323,3.105,325,4.37,326,4.37]],["t/3133",[110,1.575,148,1.798,229,1.064,232,1.173,322,2.277,323,3.105,327,4.37,328,4.37]],["t/3135",[31,1.946,110,1.389,148,1.586,229,0.939,232,1.035,322,2.008,323,2.738,329,3.854,330,3.854,331,3.854]],["t/3137",[118,1.279,148,1.798,229,1.064,232,1.173,322,2.277,323,3.105,332,4.37,333,4.37]],["t/3139",[118,1.279,148,1.798,229,1.064,232,1.173,241,3.969,322,2.277,323,3.105,334,4.37]],["t/3141",[118,1.279,148,1.798,229,1.064,232,1.173,242,3.969,322,2.277,323,3.105,335,4.37]],["t/3143",[68,3.217,118,1.279,229,1.064,232,1.173,238,1.637,336,4.37,337,3.969,338,3.507]],["t/3145",[118,1.37,229,1.141,232,1.257,238,1.755,305,3.448,339,4.684,340,3.758]],["t/3147",[3,3.105,118,1.279,229,1.064,232,1.173,236,3.105,238,1.637,341,4.37,342,4.37]],["t/3149",[3,2.738,118,1.128,229,0.939,232,1.035,236,2.738,238,1.444,314,2.041,343,3.854,344,3.854,345,3.854]],["t/3151",[3,2.738,118,1.128,229,0.939,232,1.035,236,2.738,238,1.444,314,2.041,346,3.854,347,3.854,348,3.854]],["t/3153",[3,2.738,118,1.128,229,0.939,232,1.035,236,2.738,238,1.444,243,3.5,314,2.041,349,3.854,350,3.854]],["t/3155",[34,2.662,35,2.91,118,1.199,229,0.997,232,1.1,238,1.534,245,3.72,312,2.595,351,4.096]],["t/3157",[118,1.279,229,1.064,232,1.173,238,1.637,246,3.969,314,2.314,352,4.37,353,3.969]],["t/3159",[60,3.809,118,1.128,229,0.939,232,1.035,238,1.444,247,3.5,314,2.041,354,3.854,355,3.854]],["t/3161",[22,2.128,107,2.509,118,0.958,126,1.974,132,3.803,229,0.797,232,0.879,238,1.227,248,2.974,314,1.734,356,2.411]],["t/3163",[26,2.736,30,2.91,118,1.199,126,1.565,229,0.997,232,1.1,238,1.534,314,2.169,357,4.096]],["t/3165",[60,2.84,118,1.279,229,1.064,232,1.173,238,1.637,314,2.314,358,4.37,359,4.37]],["t/3167",[20,2.818,110,1.476,131,3.139,177,3.472,229,0.997,232,1.1,238,1.534,314,2.169,360,4.096]],["t/3169",[20,3.222,73,2.567,110,1.688,177,3.97,229,1.141,314,2.48,361,4.684]],["t/3171",[27,2.281,31,1.946,110,1.389,229,0.939,235,2.953,362,3.854,363,3.267,364,3.5,365,3.5,366,3.5]],["t/3173",[148,2.703,186,5.033,367,6.568]],["t/3174",[110,1.389,229,0.939,232,1.035,233,2.281,238,1.444,251,3.5,314,2.041,368,3.854,369,3.854,370,3.854]],["t/3176",[118,1.37,229,1.141,232,1.257,238,1.755,305,3.448,340,3.758,371,4.684]],["t/3178",[31,1.946,34,2.505,35,2.738,118,1.128,229,0.939,232,1.035,238,1.444,312,2.442,372,3.854,373,3.854]],["t/3180",[22,2.365,34,2.365,35,2.586,107,2.789,118,1.065,126,1.391,229,0.886,232,0.977,238,1.363,314,1.927,374,3.64]],["t/3182",[30,2.91,118,1.199,126,1.565,229,0.997,232,1.1,238,1.534,314,2.169,375,4.096,376,3.72]],["t/3184",[118,1.37,229,1.141,232,1.257,238,1.755,312,2.967,377,4.684,378,4.253]],["t/3186",[101,3.704,118,1.279,229,1.064,232,1.173,238,1.637,379,4.37,380,3.704,381,3.969]],["t/3188",[274,6.189,382,7.302]],["t/3189",[118,1.37,229,1.141,232,1.257,238,1.755,305,3.448,340,3.758,383,4.684]],["t/3191",[101,3.704,118,1.279,229,1.064,232,1.173,238,1.637,380,3.704,381,3.969,384,4.37]],["t/3193",[7,3.46,60,3.878,73,3.27,92,5.058]],["t/3194",[22,2.505,118,1.128,126,2.24,229,0.939,232,1.035,238,1.444,314,2.041,356,2.838,385,3.854]],["t/3196",[26,2.736,118,1.199,229,0.997,232,1.1,238,1.534,304,3.139,312,2.595,356,3.016,386,4.096]],["t/3198",[118,1.279,119,3.704,132,3.217,229,1.064,232,1.173,238,1.637,312,2.769,387,4.37]],["t/3200",[22,2.241,118,1.009,126,2.056,229,0.839,232,0.925,238,1.291,314,1.826,356,2.538,388,3.448,389,4.559]],["t/3202",[26,2.574,118,1.128,229,0.939,232,1.035,238,1.444,304,2.953,312,2.442,356,2.838,389,3.267,390,3.854]],["t/3204",[118,1.199,119,3.472,132,3.016,229,0.997,232,1.1,238,1.534,312,2.595,389,3.472,391,4.096]],["t/3206",[28,2.586,29,2.84,31,2.207,60,2.84,110,1.575,229,1.064,392,4.37,393,4.37]],["t/3208",[29,4.269,161,5.567,394,6.568]],["t/3209",[26,3.128,28,2.772,31,2.365,110,1.688,123,4.253,161,3.97,395,4.684]],["t/3211",[3,5.188,396,7.302]],["t/3212",[96,3.589,110,1.688,179,3.448,229,1.141,236,3.328,252,4.253,397,2.663]],["t/3214",[22,2.662,68,3.016,110,1.476,163,3.72,179,3.016,229,0.997,236,2.91,398,4.096,399,4.096]],["t/3216",[7,3.171,73,2.997,126,2.09,400,5.468,401,5.468]],["t/3217",[34,2.365,118,1.065,126,1.391,229,0.886,232,0.977,264,2.031,265,2.201,266,2.11,267,2.11,311,2.431,402,3.64]],["t/3219",[34,2.662,118,1.199,126,1.565,229,0.997,232,1.1,269,2.375,270,2.424,311,2.736,403,4.096]],["t/3221",[78,2.642,87,2.766,110,1.242,126,1.318,229,0.839,232,0.925,264,1.924,265,2.085,266,1.999,267,1.999,404,3.448,405,3.131]],["t/3223",[78,2.953,87,3.093,110,1.389,126,1.473,229,0.939,232,1.035,269,2.235,270,2.281,405,3.5,406,3.854]],["t/3225",[78,2.789,118,1.065,126,1.391,229,0.886,232,0.977,264,2.031,265,2.201,266,2.11,267,2.11,407,3.64,408,3.305]],["t/3227",[78,3.139,118,1.199,126,1.565,229,0.997,232,1.1,269,2.375,270,2.424,408,3.72,409,4.096]],["t/3229",[28,2.154,29,2.365,110,1.311,126,1.391,229,0.886,232,0.977,264,2.031,265,2.201,266,2.11,267,2.11,410,3.64]],["t/3231",[26,2.574,28,2.281,29,2.505,110,1.389,126,1.473,229,0.939,232,1.035,269,2.235,270,2.281,411,3.854]],["t/3233",[73,1.889,118,1.009,126,1.318,131,2.642,229,0.839,232,0.925,264,1.924,265,2.085,266,1.999,267,1.999,311,2.303,412,3.448]],["t/3235",[73,2.112,118,1.128,126,1.473,131,2.953,229,0.939,232,1.035,269,2.235,270,2.281,311,2.574,413,3.854]],["t/3237",[311,4.877,414,7.302]],["t/3238",[118,1.279,229,1.064,232,1.173,238,1.637,303,3.969,304,3.349,305,3.217,415,4.37]],["t/3240",[29,2.84,118,1.279,168,3.349,229,1.064,232,1.173,238,1.637,317,3.969,416,4.37]],["t/3242",[26,2.736,30,2.91,118,1.199,126,1.565,229,0.997,232,1.1,238,1.534,314,2.169,417,4.096]],["t/3244",[110,1.575,229,1.064,232,1.173,238,1.637,337,3.969,338,3.507,418,4.37,419,4.37]],["t/3246",[110,1.389,229,0.939,232,1.035,238,1.444,338,3.093,353,3.5,420,3.854,421,3.854,422,3.854,423,3.854]],["t/3248",[118,1.199,128,3.016,229,0.997,230,3.72,231,3.72,232,1.1,238,1.534,312,2.595,424,4.096]],["t/3250",[43,3.267,118,1.128,199,3.5,229,0.939,232,1.035,238,1.444,253,3.5,312,2.442,363,3.267,425,3.854]],["t/3252",[110,1.688,218,4.253,229,1.141,232,1.257,238,1.755,426,4.684,427,4.684]],["t/3254",[110,1.18,228,2.974,229,1.258,232,0.879,238,1.227,314,1.734,338,2.627,428,3.275,429,5.166,430,3.275,431,3.275]],["t/3256",[22,2.128,107,2.509,110,1.18,126,1.974,132,3.803,229,0.797,232,0.879,238,1.227,314,1.734,356,2.411,432,3.275]],["t/3258",[23,3.217,28,2.586,118,1.279,229,1.064,232,1.173,238,1.637,305,3.217,433,4.37]],["t/3260",[110,1.688,232,1.257,238,1.755,312,2.967,378,4.253,434,4.684,435,4.684]],["t/3262",[31,2.068,110,1.476,229,0.997,311,2.736,363,3.472,364,3.72,365,3.72,366,3.72,436,4.096]],["t/3264",[34,3.878,35,4.24,320,5.419,437,5.968]],["t/3265",[4,2.84,31,2.207,77,3.969,110,1.575,150,3.704,160,3.349,229,1.064,438,4.37]],["t/3267",[19,3.652,110,1.97,397,3.109,439,5.468,440,4.966]],["t/3269",[31,2.365,110,1.688,150,3.97,397,2.663,441,4.684,442,4.684,443,4.684]],["t/3271",[96,3.866,110,1.818,233,2.986,397,2.869,440,4.582,444,5.046]],["t/3273",[31,2.207,34,2.84,35,3.105,110,1.575,128,3.217,229,1.064,254,3.969,445,3.969]],["t/3275",[34,2.84,35,3.105,66,3.507,110,1.575,229,1.064,446,4.37,447,4.37,448,4.37]],["t/3277",[31,2.548,110,1.818,449,5.046,450,5.046,451,5.046,452,5.046]],["t/3279",[4,2.505,31,1.946,83,2.505,110,1.389,264,2.151,380,3.267,453,3.854,454,3.854,455,3.854,456,3.854]],["t/3281",[68,4.393,233,3.532,457,5.968,458,5.968]],["t/3282",[4,2.505,110,1.389,148,1.586,179,2.838,229,0.939,445,3.5,459,3.854,460,3.854,461,3.854,462,3.854]],["t/3284",[118,1.476,279,2.986,322,2.629,397,2.869,463,5.046,464,5.046]],["t/3286",[85,3.085,118,1.065,164,2.92,227,2.92,279,2.154,322,1.896,397,2.069,465,3.64,466,3.085,467,3.64,468,2.679]],["t/3288",[118,1.128,164,3.093,227,3.093,279,2.281,322,2.008,397,2.192,466,3.267,468,2.838,469,3.854,470,3.854]],["t/3290",[9,2.442,118,1.128,164,3.093,227,3.093,279,2.281,322,2.008,397,2.192,466,3.267,468,2.838,471,3.854]],["t/3292",[118,1.476,279,2.986,322,2.629,397,2.869,472,5.046,473,5.046]],["t/3294",[118,1.476,279,2.986,322,2.629,376,4.582,397,2.869,474,5.046]],["t/3296",[118,1.37,279,2.772,322,2.44,397,2.663,475,4.684,476,4.684,477,3.97]],["t/3298",[118,1.37,136,3.97,279,2.772,322,2.44,397,2.663,477,3.97,478,4.684]],["t/3300",[110,1.688,279,2.772,322,2.44,397,2.663,477,3.97,479,4.684,480,4.684]],["t/3302",[90,4.253,110,1.688,279,2.772,322,2.44,397,2.663,481,4.684,482,4.684]],["t/3304",[110,1.818,322,2.629,397,2.869,483,5.046,484,5.046,485,5.046]],["t/3306",[31,2.365,110,1.688,279,2.772,322,2.44,397,2.663,486,4.684,487,4.684]],["t/3308",[9,3.781,179,4.393,211,5.058,488,5.968]],["t/3309",[31,2.365,110,1.688,211,3.97,229,1.141,234,3.97,489,4.684,490,4.684]],["t/3311",[110,1.818,229,1.229,234,4.276,468,3.715,491,5.046,492,5.046]],["t/3313",[19,4.387,186,5.033,493,6.568]],["t/3314",[19,3.915,31,1.946,110,1.389,115,3.267,126,1.473,494,3.854,495,3.854,496,3.854,497,3.854]],["t/3316",[19,3.37,57,4.048,81,4.582,110,1.818,498,5.046,499,5.046]],["t/3318",[148,2.456,322,3.109,500,5.968,501,5.968]],["t/3319",[31,2.068,73,2.245,106,2.91,110,1.476,148,1.686,322,2.134,502,4.096,503,4.096,504,4.096]],["t/3321",[179,4.835,505,6.568,506,6.568]],["t/3322",[31,2.068,96,3.139,110,1.476,189,3.287,468,3.016,507,4.096,508,4.096,509,4.096,510,4.096]],["t/3324",[110,1.476,229,0.997,232,1.1,233,2.424,340,3.287,511,4.096,512,4.096,513,4.096,514,4.096]],["t/3326",[110,1.818,233,2.986,279,2.986,515,5.046,516,5.046,517,5.046]],["t/3328",[31,2.761,110,1.97,128,4.026,468,4.026,518,5.468]]],"invertedIndex":[["",{"_index":0,"t":{"2487":{"position":[[0,4],[9,2],[12,2],[15,2],[18,2]]},"2489":{"position":[[0,2],[7,2],[10,4],[19,2]]},"2491":{"position":[[0,4],[5,3],[9,2],[12,2],[15,2],[18,2]]},"2493":{"position":[[0,4],[5,2],[8,2],[11,2],[14,2]]},"2548":{"position":[[0,4],[14,5],[20,4]]},"2552":{"position":[[0,3],[4,2]]},"2553":{"position":[[0,2],[3,2],[6,3]]},"2555":{"position":[[0,5],[6,1],[8,2],[11,3]]},"2557":{"position":[[0,2],[3,2]]},"2559":{"position":[[5,3],[9,4]]},"2561":{"position":[[0,4],[5,5],[18,2]]},"2563":{"position":[[8,4]]},"2565":{"position":[[0,4],[5,4]]},"2567":{"position":[[7,4],[12,3],[16,2]]},"2569":{"position":[[0,4],[5,2],[8,2],[11,9]]},"2571":{"position":[[0,4],[5,2],[8,7]]},"2573":{"position":[[0,4],[5,3],[9,3],[13,2]]},"2575":{"position":[[0,4],[5,2],[8,4]]},"2577":{"position":[[0,2],[3,4],[8,2]]},"2579":{"position":[[0,4],[5,2],[8,4]]},"2581":{"position":[[0,2],[3,3],[7,1],[9,3]]},"2583":{"position":[[0,2],[3,5],[9,3],[13,4]]},"2585":{"position":[[0,2],[6,2],[9,2]]},"2586":{"position":[[0,2],[12,2]]},"2588":{"position":[[25,1]]},"2594":{"position":[[13,4]]},"2596":{"position":[[8,2]]},"2598":{"position":[[8,2],[11,5]]},"2600":{"position":[[0,2],[3,3],[7,2],[10,2],[13,3],[17,5]]},"2601":{"position":[[0,2],[3,3],[16,6]]},"2603":{"position":[[0,2],[3,3],[7,5],[17,4]]},"2605":{"position":[[0,2],[3,2],[6,2]]},"2607":{"position":[[0,2],[3,4],[8,2],[11,2]]},"2678":{"position":[[0,2],[3,6],[10,2],[13,4]]},"2680":{"position":[[0,6],[7,5],[13,2],[16,1],[18,2]]},"2690":{"position":[[17,5],[23,6]]},"2692":{"position":[[8,2],[11,2],[23,5],[29,3],[33,2],[36,4]]},"2694":{"position":[[14,6]]},"2696":{"position":[[0,5],[6,5],[12,3],[16,2],[19,4]]},"2698":{"position":[[4,3],[8,3],[12,4]]},"2700":{"position":[[14,3],[18,1],[20,4]]},"2702":{"position":[[4,3],[8,4],[13,3],[17,4],[22,6]]},"2704":{"position":[[5,2],[8,4],[13,3],[17,6]]},"2706":{"position":[[0,3],[4,5],[10,3],[14,3],[18,2],[21,1],[23,4]]},"2712":{"position":[[0,2],[3,4],[8,4]]},"2714":{"position":[[17,3],[21,4],[26,8]]},"2716":{"position":[[0,2],[3,2],[10,8]]},"2857":{"position":[[9,2]]},"2863":{"position":[[14,5],[39,7]]},"2905":{"position":[[0,2],[3,4]]},"2951":{"position":[[17,1]]},"2971":{"position":[[4,5],[10,4],[15,6]]},"2973":{"position":[[0,2],[3,4],[8,3],[12,4]]},"2979":{"position":[[9,4]]},"2986":{"position":[[4,4],[9,7]]},"2988":{"position":[[0,3],[4,4]]},"3011":{"position":[[0,4],[5,2],[8,2],[11,4]]}}}],["0",{"_index":338,"t":{"3143":{"position":[[60,1]]},"3244":{"position":[[58,1]]},"3246":{"position":[[81,1]]},"3254":{"position":[[53,1]]}}}],["1",{"_index":95,"t":{"2722":{"position":[[0,2]]}}}],["1.1",{"_index":261,"t":{"3067":{"position":[[0,3]]}}}],["1.1.1",{"_index":262,"t":{"3068":{"position":[[0,5]]}}}],["1.1.10",{"_index":281,"t":{"3086":{"position":[[0,6]]}}}],["1.1.11",{"_index":282,"t":{"3088":{"position":[[0,6]]}}}],["1.1.12",{"_index":285,"t":{"3090":{"position":[[0,6]]}}}],["1.1.13",{"_index":287,"t":{"3092":{"position":[[0,6]]}}}],["1.1.14",{"_index":290,"t":{"3094":{"position":[[0,6]]}}}],["1.1.15",{"_index":291,"t":{"3096":{"position":[[0,6]]}}}],["1.1.16",{"_index":293,"t":{"3098":{"position":[[0,6]]}}}],["1.1.17",{"_index":294,"t":{"3100":{"position":[[0,6]]}}}],["1.1.18",{"_index":296,"t":{"3102":{"position":[[0,6]]}}}],["1.1.19",{"_index":297,"t":{"3104":{"position":[[0,6]]}}}],["1.1.2",{"_index":268,"t":{"3070":{"position":[[0,5]]}}}],["1.1.20",{"_index":299,"t":{"3106":{"position":[[0,6]]}}}],["1.1.21",{"_index":300,"t":{"3108":{"position":[[0,6]]}}}],["1.1.3",{"_index":271,"t":{"3072":{"position":[[0,5]]}}}],["1.1.4",{"_index":272,"t":{"3074":{"position":[[0,5]]}}}],["1.1.5",{"_index":273,"t":{"3076":{"position":[[0,5]]}}}],["1.1.6",{"_index":275,"t":{"3078":{"position":[[0,5]]}}}],["1.1.7",{"_index":276,"t":{"3080":{"position":[[0,5]]}}}],["1.1.8",{"_index":277,"t":{"3082":{"position":[[0,5]]}}}],["1.1.9",{"_index":278,"t":{"3084":{"position":[[0,5]]}}}],["1.2",{"_index":301,"t":{"3110":{"position":[[0,3]]}}}],["1.2.1",{"_index":302,"t":{"3111":{"position":[[0,5]]}}}],["1.2.10",{"_index":321,"t":{"3129":{"position":[[0,6]]}}}],["1.2.11",{"_index":325,"t":{"3131":{"position":[[0,6]]}}}],["1.2.12",{"_index":327,"t":{"3133":{"position":[[0,6]]}}}],["1.2.13",{"_index":329,"t":{"3135":{"position":[[0,6]]}}}],["1.2.14",{"_index":332,"t":{"3137":{"position":[[0,6]]}}}],["1.2.15",{"_index":241,"t":{"3033":{"position":[[8,6]]},"3139":{"position":[[0,6]]}}}],["1.2.16",{"_index":242,"t":{"3035":{"position":[[8,6]]},"3141":{"position":[[0,6]]}}}],["1.2.17",{"_index":336,"t":{"3143":{"position":[[0,6]]}}}],["1.2.18",{"_index":339,"t":{"3145":{"position":[[0,6]]}}}],["1.2.19",{"_index":341,"t":{"3147":{"position":[[0,6]]}}}],["1.2.2",{"_index":306,"t":{"3113":{"position":[[0,5]]}}}],["1.2.20",{"_index":343,"t":{"3149":{"position":[[0,6]]}}}],["1.2.21",{"_index":346,"t":{"3151":{"position":[[0,6]]}}}],["1.2.22",{"_index":243,"t":{"3037":{"position":[[8,6]]},"3153":{"position":[[0,6]]}}}],["1.2.23",{"_index":244,"t":{"3039":{"position":[[8,6]]}}}],["1.2.24",{"_index":245,"t":{"3041":{"position":[[8,6]]},"3155":{"position":[[0,6]]}}}],["1.2.25",{"_index":246,"t":{"3043":{"position":[[8,6]]},"3157":{"position":[[0,6]]}}}],["1.2.26",{"_index":247,"t":{"3045":{"position":[[8,6]]},"3159":{"position":[[0,6]]}}}],["1.2.27",{"_index":248,"t":{"3047":{"position":[[8,6]]},"3161":{"position":[[0,6]]}}}],["1.2.28",{"_index":357,"t":{"3163":{"position":[[0,6]]}}}],["1.2.29",{"_index":358,"t":{"3165":{"position":[[0,6]]}}}],["1.2.3",{"_index":308,"t":{"3115":{"position":[[0,5]]}}}],["1.2.30",{"_index":360,"t":{"3167":{"position":[[0,6]]}}}],["1.2.31",{"_index":361,"t":{"3169":{"position":[[0,6]]}}}],["1.2.32",{"_index":362,"t":{"3171":{"position":[[0,6]]}}}],["1.2.33",{"_index":249,"t":{"3049":{"position":[[8,6]]}}}],["1.2.34",{"_index":250,"t":{"3051":{"position":[[8,6]]}}}],["1.2.4",{"_index":310,"t":{"3117":{"position":[[0,5]]}}}],["1.2.5",{"_index":313,"t":{"3119":{"position":[[0,5]]}}}],["1.2.6",{"_index":315,"t":{"3121":{"position":[[0,5]]}}}],["1.2.7",{"_index":316,"t":{"3123":{"position":[[0,5]]}}}],["1.2.8",{"_index":318,"t":{"3125":{"position":[[0,5]]}}}],["1.2.9",{"_index":319,"t":{"3127":{"position":[[0,5]]}}}],["1.3",{"_index":367,"t":{"3173":{"position":[[0,3]]}}}],["1.3.1",{"_index":251,"t":{"3053":{"position":[[8,5]]},"3174":{"position":[[0,5]]}}}],["1.3.2",{"_index":371,"t":{"3176":{"position":[[0,5]]}}}],["1.3.3",{"_index":372,"t":{"3178":{"position":[[0,5]]}}}],["1.3.4",{"_index":374,"t":{"3180":{"position":[[0,5]]}}}],["1.3.5",{"_index":375,"t":{"3182":{"position":[[0,5]]}}}],["1.3.6",{"_index":377,"t":{"3184":{"position":[[0,5]]}}}],["1.3.7",{"_index":379,"t":{"3186":{"position":[[0,5]]}}}],["1.4",{"_index":382,"t":{"3188":{"position":[[0,3]]}}}],["1.4.1",{"_index":383,"t":{"3189":{"position":[[0,5]]}}}],["1.4.2",{"_index":384,"t":{"3191":{"position":[[0,5]]}}}],["10",{"_index":348,"t":{"3151":{"position":[[64,2]]}}}],["100",{"_index":350,"t":{"3153":{"position":[[62,3]]}}}],["127.0.0.1",{"_index":381,"t":{"3186":{"position":[[56,9]]},"3191":{"position":[[56,9]]}}}],["2",{"_index":92,"t":{"2716":{"position":[[6,3]]},"2724":{"position":[[0,2]]},"3193":{"position":[[0,1]]}}}],["2.1",{"_index":385,"t":{"3194":{"position":[[0,3]]}}}],["2.2",{"_index":386,"t":{"3196":{"position":[[0,3]]}}}],["2.3",{"_index":387,"t":{"3198":{"position":[[0,3]]}}}],["2.4",{"_index":388,"t":{"3200":{"position":[[0,3]]}}}],["2.5",{"_index":390,"t":{"3202":{"position":[[0,3]]}}}],["2.6",{"_index":391,"t":{"3204":{"position":[[0,3]]}}}],["2.7",{"_index":392,"t":{"3206":{"position":[[0,3]]}}}],["3",{"_index":98,"t":{"2726":{"position":[[0,2]]}}}],["3.1",{"_index":394,"t":{"3208":{"position":[[0,3]]}}}],["3.1.1",{"_index":395,"t":{"3209":{"position":[[0,5]]}}}],["3.2",{"_index":396,"t":{"3211":{"position":[[0,3]]}}}],["3.2.1",{"_index":252,"t":{"3055":{"position":[[8,5]]},"3212":{"position":[[0,5]]}}}],["3.2.2",{"_index":398,"t":{"3214":{"position":[[0,5]]}}}],["30",{"_index":345,"t":{"3149":{"position":[[61,2]]}}}],["4",{"_index":102,"t":{"2728":{"position":[[0,2]]}}}],["4.1",{"_index":400,"t":{"3216":{"position":[[0,3]]}}}],["4.1.1",{"_index":402,"t":{"3217":{"position":[[0,5]]}}}],["4.1.10",{"_index":413,"t":{"3235":{"position":[[0,6]]}}}],["4.1.2",{"_index":403,"t":{"3219":{"position":[[0,5]]}}}],["4.1.3",{"_index":404,"t":{"3221":{"position":[[0,5]]}}}],["4.1.4",{"_index":406,"t":{"3223":{"position":[[0,5]]}}}],["4.1.5",{"_index":407,"t":{"3225":{"position":[[0,5]]}}}],["4.1.6",{"_index":409,"t":{"3227":{"position":[[0,5]]}}}],["4.1.7",{"_index":410,"t":{"3229":{"position":[[0,5]]}}}],["4.1.8",{"_index":411,"t":{"3231":{"position":[[0,5]]}}}],["4.1.9",{"_index":412,"t":{"3233":{"position":[[0,5]]}}}],["4.2",{"_index":414,"t":{"3237":{"position":[[0,3]]}}}],["4.2.1",{"_index":415,"t":{"3238":{"position":[[0,5]]}}}],["4.2.10",{"_index":432,"t":{"3256":{"position":[[0,6]]}}}],["4.2.11",{"_index":433,"t":{"3258":{"position":[[0,6]]}}}],["4.2.12",{"_index":434,"t":{"3260":{"position":[[0,6]]}}}],["4.2.13",{"_index":436,"t":{"3262":{"position":[[0,6]]}}}],["4.2.2",{"_index":416,"t":{"3240":{"position":[[0,5]]}}}],["4.2.3",{"_index":417,"t":{"3242":{"position":[[0,5]]}}}],["4.2.4",{"_index":418,"t":{"3244":{"position":[[0,5]]}}}],["4.2.5",{"_index":420,"t":{"3246":{"position":[[0,5]]}}}],["4.2.6",{"_index":424,"t":{"3248":{"position":[[0,5]]}}}],["4.2.7",{"_index":253,"t":{"3057":{"position":[[8,5]]},"3250":{"position":[[0,5]]}}}],["4.2.8",{"_index":426,"t":{"3252":{"position":[[0,5]]}}}],["4.2.9",{"_index":428,"t":{"3254":{"position":[[0,5]]}}}],["5",{"_index":105,"t":{"2730":{"position":[[0,2]]}}}],["5.1",{"_index":437,"t":{"3264":{"position":[[0,3]]}}}],["5.1.1",{"_index":438,"t":{"3265":{"position":[[0,5]]}}}],["5.1.2",{"_index":439,"t":{"3267":{"position":[[0,5]]}}}],["5.1.3",{"_index":441,"t":{"3269":{"position":[[0,5]]}}}],["5.1.4",{"_index":444,"t":{"3271":{"position":[[0,5]]}}}],["5.1.5",{"_index":254,"t":{"3059":{"position":[[8,5]]},"3273":{"position":[[0,5]]}}}],["5.1.6",{"_index":446,"t":{"3275":{"position":[[0,5]]}}}],["5.1.7",{"_index":449,"t":{"3277":{"position":[[0,5]]}}}],["5.1.8",{"_index":453,"t":{"3279":{"position":[[0,5]]}}}],["5.2",{"_index":457,"t":{"3281":{"position":[[0,3]]}}}],["5.2.1",{"_index":459,"t":{"3282":{"position":[[0,5]]}}}],["5.2.10",{"_index":479,"t":{"3300":{"position":[[0,6]]}}}],["5.2.11",{"_index":481,"t":{"3302":{"position":[[0,6]]}}}],["5.2.12",{"_index":483,"t":{"3304":{"position":[[0,6]]}}}],["5.2.13",{"_index":486,"t":{"3306":{"position":[[0,6]]}}}],["5.2.2",{"_index":463,"t":{"3284":{"position":[[0,5]]}}}],["5.2.3",{"_index":465,"t":{"3286":{"position":[[0,5]]}}}],["5.2.4",{"_index":469,"t":{"3288":{"position":[[0,5]]}}}],["5.2.5",{"_index":471,"t":{"3290":{"position":[[0,5]]}}}],["5.2.6",{"_index":472,"t":{"3292":{"position":[[0,5]]}}}],["5.2.7",{"_index":474,"t":{"3294":{"position":[[0,5]]}}}],["5.2.8",{"_index":475,"t":{"3296":{"position":[[0,5]]}}}],["5.2.9",{"_index":478,"t":{"3298":{"position":[[0,5]]}}}],["5.3",{"_index":488,"t":{"3308":{"position":[[0,3]]}}}],["5.3.1",{"_index":489,"t":{"3309":{"position":[[0,5]]}}}],["5.3.2",{"_index":491,"t":{"3311":{"position":[[0,5]]}}}],["5.4",{"_index":493,"t":{"3313":{"position":[[0,3]]}}}],["5.4.1",{"_index":494,"t":{"3314":{"position":[[0,5]]}}}],["5.4.2",{"_index":498,"t":{"3316":{"position":[[0,5]]}}}],["5.5",{"_index":500,"t":{"3318":{"position":[[0,3]]}}}],["5.5.1",{"_index":502,"t":{"3319":{"position":[[0,5]]}}}],["5.7",{"_index":505,"t":{"3321":{"position":[[0,3]]}}}],["5.7.1",{"_index":507,"t":{"3322":{"position":[[0,5]]}}}],["5.7.2",{"_index":511,"t":{"3324":{"position":[[0,5]]}}}],["5.7.3",{"_index":515,"t":{"3326":{"position":[[0,5]]}}}],["5.7.4",{"_index":518,"t":{"3328":{"position":[[0,5]]}}}],["600",{"_index":289,"t":{"3092":{"position":[[62,3]]},"3108":{"position":[[70,3]]}}}],["644",{"_index":265,"t":{"3068":{"position":[[79,3]]},"3072":{"position":[[87,3]]},"3076":{"position":[[78,3]]},"3080":{"position":[[73,3]]},"3084":{"position":[[78,3]]},"3096":{"position":[[66,3]]},"3100":{"position":[[75,3]]},"3106":{"position":[[78,3]]},"3217":{"position":[[66,3]]},"3221":{"position":[[68,3]]},"3225":{"position":[[76,3]]},"3229":{"position":[[74,3]]},"3233":{"position":[[81,3]]}}}],["700",{"_index":284,"t":{"3088":{"position":[[66,3]]}}}],["access",{"_index":440,"t":{"3267":{"position":[[15,6]]},"3271":{"position":[[15,6]]}}}],["account",{"_index":35,"t":{"2544":{"position":[[8,7]]},"3155":{"position":[[33,7]]},"3178":{"position":[[36,7]]},"3180":{"position":[[32,7]]},"3264":{"position":[[21,8]]},"3273":{"position":[[34,8]]},"3275":{"position":[[26,7]]}}}],["activ",{"_index":445,"t":{"3273":{"position":[[51,8]]},"3282":{"position":[[47,6]]}}}],["ad",{"_index":136,"t":{"2782":{"position":[[0,6]]},"2814":{"position":[[0,6]]},"3298":{"position":[[48,5]]}}}],["addit",{"_index":104,"t":{"2728":{"position":[[18,10]]}}}],["addon",{"_index":121,"t":{"2752":{"position":[[25,8]]},"2756":{"position":[[5,6]]},"2764":{"position":[[5,6]]}}}],["address",{"_index":101,"t":{"2726":{"position":[[36,7]]},"3186":{"position":[[29,7]]},"3191":{"position":[[29,7]]}}}],["admin",{"_index":77,"t":{"2651":{"position":[[0,5]]},"3265":{"position":[[30,5]]}}}],["admin.conf",{"_index":288,"t":{"3092":{"position":[[23,10]]},"3094":{"position":[[23,10]]}}}],["administr",{"_index":508,"t":{"3322":{"position":[[13,14]]}}}],["admiss",{"_index":322,"t":{"3129":{"position":[[23,9]]},"3131":{"position":[[23,9]]},"3133":{"position":[[23,9]]},"3135":{"position":[[23,9]]},"3137":{"position":[[23,9]]},"3139":{"position":[[23,9]]},"3141":{"position":[[23,9]]},"3284":{"position":[[19,9]]},"3286":{"position":[[19,9]]},"3288":{"position":[[19,9]]},"3290":{"position":[[19,9]]},"3292":{"position":[[19,9]]},"3294":{"position":[[19,9]]},"3296":{"position":[[19,9]]},"3298":{"position":[[19,9]]},"3300":{"position":[[20,9]]},"3302":{"position":[[20,9]]},"3304":{"position":[[20,9]]},"3306":{"position":[[20,9]]},"3318":{"position":[[15,9]]},"3319":{"position":[[58,9]]}}}],["advanc",{"_index":79,"t":{"2653":{"position":[[0,8]]}}}],["agent",{"_index":16,"t":{"2515":{"position":[[27,6]]},"2517":{"position":[[4,5]]},"2637":{"position":[[0,5]]},"2730":{"position":[[18,5]]},"2834":{"position":[[13,6]]},"2923":{"position":[[26,5]]},"2925":{"position":[[4,5]]},"2931":{"position":[[11,6]]}}}],["air",{"_index":113,"t":{"2744":{"position":[[21,3]]},"2851":{"position":[[8,3]]}}}],["allowprivilegeescal",{"_index":473,"t":{"3292":{"position":[[48,24]]}}}],["alwaysadmit",{"_index":326,"t":{"3131":{"position":[[48,11]]}}}],["alwaysallow",{"_index":317,"t":{"3123":{"position":[[66,11]]},"3240":{"position":[[66,11]]}}}],["alwayspullimag",{"_index":328,"t":{"3133":{"position":[[48,16]]}}}],["analysi",{"_index":197,"t":{"2927":{"position":[[0,8]]}}}],["anonym",{"_index":303,"t":{"3111":{"position":[[24,9]]},"3238":{"position":[[24,9]]}}}],["ansibl",{"_index":203,"t":{"2935":{"position":[[4,7]]}}}],["api",{"_index":235,"t":{"3025":{"position":[[0,3]]},"3068":{"position":[[22,3]]},"3070":{"position":[[22,3]]},"3110":{"position":[[4,3]]},"3171":{"position":[[23,3]]}}}],["appli",{"_index":516,"t":{"3326":{"position":[[6,5]]}}}],["appropri",{"_index":314,"t":{"3119":{"position":[[97,11]]},"3121":{"position":[[73,11]]},"3149":{"position":[[70,11]]},"3151":{"position":[[73,11]]},"3153":{"position":[[72,11]]},"3157":{"position":[[60,11]]},"3159":{"position":[[79,11]]},"3161":{"position":[[87,11]]},"3163":{"position":[[59,11]]},"3165":{"position":[[56,11]]},"3167":{"position":[[71,11]]},"3169":{"position":[[44,13]]},"3174":{"position":[[71,11]]},"3180":{"position":[[76,11]]},"3182":{"position":[[56,11]]},"3194":{"position":[[68,11]]},"3200":{"position":[[78,11]]},"3242":{"position":[[58,11]]},"3254":{"position":[[80,11]]},"3256":{"position":[[87,11]]}}}],["architectur",{"_index":137,"t":{"2788":{"position":[[0,12]]}}}],["argument",{"_index":238,"t":{"3029":{"position":[[28,9]]},"3111":{"position":[[39,8]]},"3117":{"position":[[38,8]]},"3119":{"position":[[76,9]]},"3121":{"position":[[54,8]]},"3123":{"position":[[43,8]]},"3125":{"position":[[43,8]]},"3127":{"position":[[43,8]]},"3143":{"position":[[37,8]]},"3145":{"position":[[35,8]]},"3147":{"position":[[40,8]]},"3149":{"position":[[42,8]]},"3151":{"position":[[45,8]]},"3153":{"position":[[43,8]]},"3155":{"position":[[48,8]]},"3157":{"position":[[41,8]]},"3159":{"position":[[58,9]]},"3161":{"position":[[66,9]]},"3163":{"position":[[40,8]]},"3165":{"position":[[37,8]]},"3167":{"position":[[52,8]]},"3174":{"position":[[52,8]]},"3176":{"position":[[34,8]]},"3178":{"position":[[56,8]]},"3180":{"position":[[57,8]]},"3182":{"position":[[37,8]]},"3184":{"position":[[53,8]]},"3186":{"position":[[37,8]]},"3189":{"position":[[34,8]]},"3191":{"position":[[37,8]]},"3194":{"position":[[47,9]]},"3196":{"position":[[39,8]]},"3198":{"position":[[31,8]]},"3200":{"position":[[57,9]]},"3202":{"position":[[44,8]]},"3204":{"position":[[36,8]]},"3238":{"position":[[39,8]]},"3240":{"position":[[43,8]]},"3242":{"position":[[39,8]]},"3244":{"position":[[39,8]]},"3246":{"position":[[58,8]]},"3248":{"position":[[48,8]]},"3250":{"position":[[50,8]]},"3252":{"position":[[42,8]]},"3254":{"position":[[34,8]]},"3256":{"position":[[66,9]]},"3258":{"position":[[45,8]]},"3260":{"position":[[54,8]]}}}],["assign",{"_index":480,"t":{"3300":{"position":[[62,8]]}}}],["audit",{"_index":236,"t":{"3025":{"position":[[11,5]]},"3147":{"position":[[25,5]]},"3149":{"position":[[25,5]]},"3151":{"position":[[25,5]]},"3153":{"position":[[25,5]]},"3212":{"position":[[28,5]]},"3214":{"position":[[22,5]]}}}],["auth",{"_index":304,"t":{"3111":{"position":[[34,4]]},"3113":{"position":[[30,4]]},"3196":{"position":[[34,4]]},"3202":{"position":[[39,4]]},"3238":{"position":[[34,4]]}}}],["authent",{"_index":161,"t":{"2847":{"position":[[0,14]]},"3208":{"position":[[4,14]]},"3209":{"position":[[25,14]]}}}],["author",{"_index":29,"t":{"2536":{"position":[[12,9]]},"3121":{"position":[[44,9]]},"3123":{"position":[[24,13]]},"3125":{"position":[[24,13]]},"3127":{"position":[[24,13]]},"3206":{"position":[[37,9]]},"3208":{"position":[[23,13]]},"3229":{"position":[[34,11]]},"3231":{"position":[[41,11]]},"3240":{"position":[[24,13]]}}}],["auto",{"_index":119,"t":{"2752":{"position":[[0,4]]},"3198":{"position":[[22,4]]},"3204":{"position":[[27,4]]}}}],["autok3",{"_index":205,"t":{"2939":{"position":[[0,7]]}}}],["autom",{"_index":118,"t":{"2749":{"position":[[0,9]]},"3068":{"position":[[103,11]]},"3070":{"position":[[86,11]]},"3072":{"position":[[111,11]]},"3074":{"position":[[94,11]]},"3076":{"position":[[102,11]]},"3078":{"position":[[85,11]]},"3080":{"position":[[97,11]]},"3082":{"position":[[80,11]]},"3088":{"position":[[90,11]]},"3090":{"position":[[73,11]]},"3092":{"position":[[86,11]]},"3094":{"position":[[69,11]]},"3096":{"position":[[90,11]]},"3098":{"position":[[73,11]]},"3100":{"position":[[99,11]]},"3102":{"position":[[82,11]]},"3104":{"position":[[87,11]]},"3113":{"position":[[61,11]]},"3115":{"position":[[58,11]]},"3117":{"position":[[62,11]]},"3119":{"position":[[109,11]]},"3121":{"position":[[85,11]]},"3123":{"position":[[78,11]]},"3125":{"position":[[66,11]]},"3127":{"position":[[66,11]]},"3131":{"position":[[71,11]]},"3137":{"position":[[70,11]]},"3139":{"position":[[74,11]]},"3141":{"position":[[71,11]]},"3143":{"position":[[62,11]]},"3145":{"position":[[60,11]]},"3147":{"position":[[56,11]]},"3149":{"position":[[82,11]]},"3151":{"position":[[85,11]]},"3153":{"position":[[84,11]]},"3155":{"position":[[72,11]]},"3157":{"position":[[72,11]]},"3159":{"position":[[91,11]]},"3161":{"position":[[99,11]]},"3163":{"position":[[71,11]]},"3165":{"position":[[68,11]]},"3176":{"position":[[59,11]]},"3178":{"position":[[80,11]]},"3180":{"position":[[88,11]]},"3182":{"position":[[68,11]]},"3184":{"position":[[77,11]]},"3186":{"position":[[66,11]]},"3189":{"position":[[59,11]]},"3191":{"position":[[66,11]]},"3194":{"position":[[80,11]]},"3196":{"position":[[63,11]]},"3198":{"position":[[59,11]]},"3200":{"position":[[90,11]]},"3202":{"position":[[68,11]]},"3204":{"position":[[64,11]]},"3217":{"position":[[90,11]]},"3219":{"position":[[73,11]]},"3225":{"position":[[100,11]]},"3227":{"position":[[83,11]]},"3233":{"position":[[105,11]]},"3235":{"position":[[89,11]]},"3238":{"position":[[64,11]]},"3240":{"position":[[78,11]]},"3242":{"position":[[70,11]]},"3248":{"position":[[72,11]]},"3250":{"position":[[74,11]]},"3258":{"position":[[74,11]]},"3284":{"position":[[54,11]]},"3286":{"position":[[90,11]]},"3288":{"position":[[83,11]]},"3290":{"position":[[87,11]]},"3292":{"position":[[73,11]]},"3294":{"position":[[48,11]]},"3296":{"position":[[71,11]]},"3298":{"position":[[67,11]]}}}],["avoid",{"_index":450,"t":{"3277":{"position":[[6,5]]}}}],["backup",{"_index":54,"t":{"2611":{"position":[[0,6]]},"2613":{"position":[[0,6]]},"2615":{"position":[[0,6]]}}}],["balanc",{"_index":64,"t":{"2621":{"position":[[11,8]]},"2623":{"position":[[11,8]]},"2883":{"position":[[13,8]]}}}],["baselin",{"_index":192,"t":{"2913":{"position":[[24,8]]},"2919":{"position":[[0,8]]}}}],["benchmark",{"_index":257,"t":{"3064":{"position":[[15,9]]}}}],["between",{"_index":510,"t":{"3322":{"position":[[39,7]]}}}],["binari",{"_index":152,"t":{"2822":{"position":[[19,6]]},"3005":{"position":[[31,6]]}}}],["bind",{"_index":380,"t":{"3186":{"position":[[24,4]]},"3191":{"position":[[24,4]]},"3279":{"position":[[23,5]]}}}],["bootstrap",{"_index":71,"t":{"2639":{"position":[[0,9]]}}}],["boundari",{"_index":509,"t":{"3322":{"position":[[28,10]]}}}],["ca",{"_index":30,"t":{"2536":{"position":[[22,4]]},"2538":{"position":[[13,2]]},"2540":{"position":[[16,2]]},"2542":{"position":[[21,2]]},"3163":{"position":[[32,2]]},"3182":{"position":[[29,2]]},"3242":{"position":[[31,2]]}}}],["cafil",{"_index":359,"t":{"3165":{"position":[[30,6]]}}}],["capabl",{"_index":477,"t":{"3296":{"position":[[60,10]]},"3298":{"position":[[54,12]]},"3300":{"position":[[49,12]]}}}],["captur",{"_index":431,"t":{"3254":{"position":[[98,7]]}}}],["cento",{"_index":48,"t":{"2588":{"position":[[27,6]]}}}],["cert",{"_index":356,"t":{"3161":{"position":[[29,4]]},"3194":{"position":[[22,4]]},"3196":{"position":[[29,4]]},"3200":{"position":[[27,4]]},"3202":{"position":[[34,4]]},"3256":{"position":[[29,4]]}}}],["certfil",{"_index":354,"t":{"3159":{"position":[[30,8]]}}}],["certif",{"_index":28,"t":{"2532":{"position":[[18,12]]},"2534":{"position":[[27,12]]},"2536":{"position":[[0,11],[27,12]]},"2538":{"position":[[16,12]]},"2540":{"position":[[19,12]]},"2542":{"position":[[24,12]]},"3106":{"position":[[38,11]]},"3119":{"position":[[39,11]]},"3121":{"position":[[32,11]]},"3206":{"position":[[25,11]]},"3209":{"position":[[13,11]]},"3229":{"position":[[22,11]]},"3231":{"position":[[29,11]]},"3258":{"position":[[32,12]]}}}],["chain",{"_index":425,"t":{"3250":{"position":[[43,6]]}}}],["channel",{"_index":225,"t":{"3001":{"position":[[8,8]]}}}],["ci",{"_index":256,"t":{"3064":{"position":[[0,3]]}}}],["cipher",{"_index":366,"t":{"3171":{"position":[[73,7]]},"3262":{"position":[[70,7]]}}}],["class",{"_index":82,"t":{"2664":{"position":[[8,5]]}}}],["cli",{"_index":17,"t":{"2517":{"position":[[10,3]]},"2674":{"position":[[11,3]]}}}],["client",{"_index":26,"t":{"2532":{"position":[[0,6]]},"2534":{"position":[[9,6]]},"3119":{"position":[[32,6],[65,6]]},"3163":{"position":[[25,6]]},"3196":{"position":[[22,6]]},"3202":{"position":[[27,6]]},"3209":{"position":[[6,6]]},"3231":{"position":[[22,6]]},"3242":{"position":[[24,6]]}}}],["cloud",{"_index":185,"t":{"2895":{"position":[[22,5]]}}}],["cluster",{"_index":4,"t":{"2499":{"position":[[0,7]]},"2649":{"position":[[0,7]]},"2684":{"position":[[4,7]]},"2686":{"position":[[9,8]]},"2798":{"position":[[6,8]]},"2923":{"position":[[4,7]]},"2931":{"position":[[58,7]]},"3265":{"position":[[22,7]]},"3279":{"position":[[84,7]]},"3282":{"position":[[22,7]]}}}],["clusterrol",{"_index":443,"t":{"3269":{"position":[[41,12]]}}}],["cni",{"_index":211,"t":{"2947":{"position":[[7,3]]},"3308":{"position":[[25,3]]},"3309":{"position":[[22,3]]}}}],["commonli",{"_index":75,"t":{"2646":{"position":[[0,8]]}}}],["compon",{"_index":84,"t":{"2666":{"position":[[11,10]]},"2754":{"position":[[9,10]]},"2913":{"position":[[0,10]]},"3027":{"position":[[29,10]]}}}],["concern",{"_index":163,"t":{"2849":{"position":[[10,8]]},"3214":{"position":[[55,8]]}}}],["conclus",{"_index":255,"t":{"3061":{"position":[[0,10]]}}}],["config",{"_index":131,"t":{"2774":{"position":[[0,7]]},"2826":{"position":[[9,6]]},"3167":{"position":[[45,6]]},"3233":{"position":[[32,6]]},"3235":{"position":[[33,6]]}}}],["configur",{"_index":73,"t":{"2644":{"position":[[9,13]]},"2726":{"position":[[3,9]]},"2770":{"position":[[11,13]]},"2816":{"position":[[0,13]]},"2820":{"position":[[0,13]]},"2822":{"position":[[0,13]]},"2824":{"position":[[0,13]]},"2949":{"position":[[30,13]]},"2995":{"position":[[0,9]]},"3025":{"position":[[17,13]]},"3027":{"position":[[0,13]]},"3067":{"position":[[23,13]]},"3169":{"position":[[58,10]]},"3193":{"position":[[12,13]]},"3216":{"position":[[16,13]]},"3233":{"position":[[39,13]]},"3235":{"position":[[40,13]]},"3319":{"position":[[6,9]]}}}],["connect",{"_index":422,"t":{"3246":{"position":[[34,10]]}}}],["consid",{"_index":499,"t":{"3316":{"position":[[6,8]]}}}],["contain",{"_index":279,"t":{"3084":{"position":[[22,9]]},"3086":{"position":[[23,9]]},"3284":{"position":[[43,10]]},"3286":{"position":[[32,10]]},"3288":{"position":[[32,10]]},"3290":{"position":[[32,10]]},"3292":{"position":[[32,10]]},"3294":{"position":[[37,10]]},"3296":{"position":[[32,10]]},"3298":{"position":[[32,10]]},"3300":{"position":[[33,10]]},"3302":{"position":[[53,10]]},"3306":{"position":[[33,10]]},"3326":{"position":[[45,10]]}}}],["control",{"_index":148,"t":{"2812":{"position":[[10,7]]},"2879":{"position":[[16,10]]},"2881":{"position":[[15,10]]},"2889":{"position":[[0,11]]},"2895":{"position":[[28,10]]},"2949":{"position":[[0,7]]},"2993":{"position":[[27,10]]},"3029":{"position":[[0,7]]},"3033":{"position":[[0,7]]},"3035":{"position":[[0,7]]},"3037":{"position":[[0,7]]},"3039":{"position":[[0,7]]},"3041":{"position":[[0,7]]},"3043":{"position":[[0,7]]},"3045":{"position":[[0,7]]},"3047":{"position":[[0,7]]},"3049":{"position":[[0,7]]},"3051":{"position":[[0,7]]},"3053":{"position":[[0,7]]},"3055":{"position":[[0,7]]},"3057":{"position":[[0,7]]},"3059":{"position":[[0,7]]},"3066":{"position":[[0,8]]},"3067":{"position":[[4,7]]},"3072":{"position":[[22,10]]},"3074":{"position":[[22,10]]},"3100":{"position":[[23,10]]},"3102":{"position":[[23,10]]},"3129":{"position":[[33,7]]},"3131":{"position":[[33,7]]},"3133":{"position":[[33,7]]},"3135":{"position":[[33,7]]},"3137":{"position":[[33,7]]},"3139":{"position":[[33,7]]},"3141":{"position":[[33,7]]},"3173":{"position":[[4,10]]},"3282":{"position":[[61,7]]},"3318":{"position":[[25,7]]},"3319":{"position":[[68,10]]}}}],["coredn",{"_index":178,"t":{"2877":{"position":[[0,7]]}}}],["cover",{"_index":399,"t":{"3214":{"position":[[35,6]]}}}],["cpu",{"_index":144,"t":{"2800":{"position":[[0,3]]}}}],["creat",{"_index":96,"t":{"2722":{"position":[[3,6]]},"2891":{"position":[[0,8]]},"3212":{"position":[[44,7]]},"3271":{"position":[[25,6]]},"3322":{"position":[[6,6]]}}}],["credenti",{"_index":373,"t":{"3178":{"position":[[44,11]]}}}],["critic",{"_index":72,"t":{"2644":{"position":[[0,8]]}}}],["cryptograph",{"_index":365,"t":{"3171":{"position":[[59,13]]},"3262":{"position":[[56,13]]}}}],["custom",{"_index":10,"t":{"2509":{"position":[[0,10]]},"2538":{"position":[[6,6]]},"2540":{"position":[[9,6]]},"2668":{"position":[[0,10]]},"2947":{"position":[[0,6]]}}}],["data",{"_index":6,"t":{"2501":{"position":[[0,4]]},"2658":{"position":[[0,4]]},"3088":{"position":[[28,4]]},"3090":{"position":[[28,4]]}}}],["databas",{"_index":76,"t":{"2647":{"position":[[0,8]]},"2806":{"position":[[0,8]]}}}],["datastor",{"_index":58,"t":{"2613":{"position":[[33,9]]},"2615":{"position":[[38,9]]},"2722":{"position":[[22,9]]},"2931":{"position":[[66,9]]}}}],["db",{"_index":1,"t":{"2487":{"position":[[5,3]]},"2489":{"position":[[3,3]]}}}],["dedic",{"_index":147,"t":{"2810":{"position":[[0,9]]},"2812":{"position":[[0,9]]}}}],["default",{"_index":128,"t":{"2768":{"position":[[0,7]]},"2844":{"position":[[0,7]]},"3017":{"position":[[22,8]]},"3248":{"position":[[39,8]]},"3273":{"position":[[18,7]]},"3328":{"position":[[10,7]]}}}],["defin",{"_index":492,"t":{"3311":{"position":[[54,7]]}}}],["definit",{"_index":514,"t":{"3324":{"position":[[75,11]]}}}],["denyserviceexternalip",{"_index":309,"t":{"3115":{"position":[[24,22]]}}}],["deploy",{"_index":111,"t":{"2737":{"position":[[9,6]]},"2752":{"position":[[5,9]]},"2895":{"position":[[0,9]]}}}],["deprec",{"_index":13,"t":{"2513":{"position":[[0,10]]},"2672":{"position":[[0,10]]}}}],["directori",{"_index":283,"t":{"3088":{"position":[[33,9]]},"3090":{"position":[[33,9]]},"3104":{"position":[[38,9]]}}}],["disabl",{"_index":124,"t":{"2758":{"position":[[0,9]]},"2760":{"position":[[12,7]]},"2893":{"position":[[0,9]]}}}],["disable/en",{"_index":24,"t":{"2527":{"position":[[19,14]]}}}],["disk",{"_index":146,"t":{"2802":{"position":[[0,5]]}}}],["distribut",{"_index":158,"t":{"2838":{"position":[[13,11]]}}}],["docker",{"_index":39,"t":{"2561":{"position":[[11,6]]},"2594":{"position":[[0,8]]},"2700":{"position":[[0,8]]}}}],["docker/default",{"_index":513,"t":{"3324":{"position":[[48,14]]}}}],["driver",{"_index":200,"t":{"2929":{"position":[[29,7]]}}}],["dual",{"_index":214,"t":{"2951":{"position":[[0,4]]}}}],["egress",{"_index":212,"t":{"2949":{"position":[[14,6]]}}}],["embed",{"_index":59,"t":{"2615":{"position":[[24,8]]},"2739":{"position":[[0,8]]},"2869":{"position":[[0,8]]}}}],["enabl",{"_index":157,"t":{"2838":{"position":[[0,8]]},"2842":{"position":[[0,8]]}}}],["encrypt",{"_index":20,"t":{"2523":{"position":[[8,10]]},"2525":{"position":[[0,10]]},"2527":{"position":[[8,10]]},"2529":{"position":[[8,10]]},"2660":{"position":[[8,10]]},"2961":{"position":[[8,10]]},"3167":{"position":[[25,10]]},"3169":{"position":[[19,10]]}}}],["endpoint",{"_index":129,"t":{"2768":{"position":[[8,8]]},"2844":{"position":[[8,8]]}}}],["ensur",{"_index":229,"t":{"3017":{"position":[[0,6]]},"3068":{"position":[[6,6]]},"3070":{"position":[[6,6]]},"3072":{"position":[[6,6]]},"3074":{"position":[[6,6]]},"3076":{"position":[[6,6]]},"3078":{"position":[[6,6]]},"3080":{"position":[[6,6]]},"3082":{"position":[[6,6]]},"3084":{"position":[[6,6]]},"3086":{"position":[[7,6]]},"3088":{"position":[[7,6]]},"3090":{"position":[[7,6]]},"3092":{"position":[[7,6]]},"3094":{"position":[[7,6]]},"3096":{"position":[[7,6]]},"3098":{"position":[[7,6]]},"3100":{"position":[[7,6]]},"3102":{"position":[[7,6]]},"3104":{"position":[[7,6]]},"3106":{"position":[[7,6]]},"3108":{"position":[[7,6]]},"3111":{"position":[[6,6]]},"3113":{"position":[[6,6]]},"3115":{"position":[[6,6]]},"3117":{"position":[[6,6]]},"3119":{"position":[[6,6]]},"3121":{"position":[[6,6]]},"3123":{"position":[[6,6]]},"3125":{"position":[[6,6]]},"3127":{"position":[[6,6]]},"3129":{"position":[[7,6]]},"3131":{"position":[[7,6]]},"3133":{"position":[[7,6]]},"3135":{"position":[[7,6]]},"3137":{"position":[[7,6]]},"3139":{"position":[[7,6]]},"3141":{"position":[[7,6]]},"3143":{"position":[[7,6]]},"3145":{"position":[[7,6]]},"3147":{"position":[[7,6]]},"3149":{"position":[[7,6]]},"3151":{"position":[[7,6]]},"3153":{"position":[[7,6]]},"3155":{"position":[[7,6]]},"3157":{"position":[[7,6]]},"3159":{"position":[[7,6]]},"3161":{"position":[[7,6]]},"3163":{"position":[[7,6]]},"3165":{"position":[[7,6]]},"3167":{"position":[[7,6]]},"3169":{"position":[[7,6]]},"3171":{"position":[[7,6]]},"3174":{"position":[[6,6]]},"3176":{"position":[[6,6]]},"3178":{"position":[[6,6]]},"3180":{"position":[[6,6]]},"3182":{"position":[[6,6]]},"3184":{"position":[[6,6]]},"3186":{"position":[[6,6]]},"3189":{"position":[[6,6]]},"3191":{"position":[[6,6]]},"3194":{"position":[[4,6]]},"3196":{"position":[[4,6]]},"3198":{"position":[[4,6]]},"3200":{"position":[[4,6]]},"3202":{"position":[[4,6]]},"3204":{"position":[[4,6]]},"3206":{"position":[[4,6]]},"3212":{"position":[[6,6]]},"3214":{"position":[[6,6]]},"3217":{"position":[[6,6]]},"3219":{"position":[[6,6]]},"3221":{"position":[[38,6]]},"3223":{"position":[[38,6]]},"3225":{"position":[[6,6]]},"3227":{"position":[[6,6]]},"3229":{"position":[[6,6]]},"3231":{"position":[[6,6]]},"3233":{"position":[[6,6]]},"3235":{"position":[[7,6]]},"3238":{"position":[[6,6]]},"3240":{"position":[[6,6]]},"3242":{"position":[[6,6]]},"3244":{"position":[[6,6]]},"3246":{"position":[[6,6]]},"3248":{"position":[[6,6]]},"3250":{"position":[[6,6]]},"3252":{"position":[[6,6]]},"3254":{"position":[[6,6],[72,7]]},"3256":{"position":[[7,6]]},"3258":{"position":[[7,6]]},"3262":{"position":[[7,6]]},"3265":{"position":[[6,6]]},"3273":{"position":[[6,6]]},"3275":{"position":[[6,6]]},"3282":{"position":[[6,6]]},"3309":{"position":[[6,6]]},"3311":{"position":[[6,6]]},"3324":{"position":[[6,6]]}}}],["enterpris",{"_index":46,"t":{"2588":{"position":[[8,10]]}}}],["environ",{"_index":115,"t":{"2744":{"position":[[32,11]]},"2917":{"position":[[0,11]]},"3314":{"position":[[52,11]]}}}],["escal",{"_index":456,"t":{"3279":{"position":[[45,8]]}}}],["estargz",{"_index":53,"t":{"2601":{"position":[[7,8]]}}}],["etcd",{"_index":60,"t":{"2615":{"position":[[33,4]]},"2810":{"position":[[10,4]]},"3080":{"position":[[22,4]]},"3082":{"position":[[22,4]]},"3088":{"position":[[23,4]]},"3090":{"position":[[23,4]]},"3159":{"position":[[25,4],[45,4]]},"3165":{"position":[[25,4]]},"3193":{"position":[[2,4]]},"3206":{"position":[[59,4]]}}}],["etcd:etcd",{"_index":286,"t":{"3090":{"position":[[63,9]]}}}],["etcdctl",{"_index":40,"t":{"2563":{"position":[[0,7]]}}}],["event",{"_index":429,"t":{"3254":{"position":[[24,5],[92,5]]}}}],["eventratelimit",{"_index":324,"t":{"3129":{"position":[[48,14]]}}}],["exampl",{"_index":187,"t":{"2901":{"position":[[0,7]]}}}],["execut",{"_index":237,"t":{"3029":{"position":[[14,9]]}}}],["exist",{"_index":87,"t":{"2686":{"position":[[0,8]]},"2814":{"position":[[16,8]]},"3221":{"position":[[31,6]]},"3223":{"position":[[31,6]]}}}],["experiment",{"_index":12,"t":{"2511":{"position":[[0,12]]},"2670":{"position":[[0,12]]},"2871":{"position":[[44,14]]}}}],["extens",{"_index":501,"t":{"3318":{"position":[[4,10]]}}}],["extern",{"_index":57,"t":{"2613":{"position":[[24,8]]},"2722":{"position":[[13,8]]},"2895":{"position":[[13,8]]},"3316":{"position":[[15,8]]}}}],["fallback",{"_index":130,"t":{"2768":{"position":[[17,8]]},"2844":{"position":[[17,8]]}}}],["fals",{"_index":305,"t":{"3111":{"position":[[58,5]]},"3145":{"position":[[54,5]]},"3176":{"position":[[53,5]]},"3189":{"position":[[53,5]]},"3238":{"position":[[58,5]]},"3258":{"position":[[68,5]]}}}],["file",{"_index":126,"t":{"2762":{"position":[[12,5]]},"2770":{"position":[[25,4]]},"2816":{"position":[[14,4]]},"2824":{"position":[[14,4]]},"2826":{"position":[[16,5]]},"3067":{"position":[[37,5]]},"3068":{"position":[[51,4]]},"3070":{"position":[[51,4]]},"3072":{"position":[[59,4]]},"3074":{"position":[[59,4]]},"3076":{"position":[[50,4]]},"3078":{"position":[[50,4]]},"3080":{"position":[[45,4]]},"3082":{"position":[[45,4]]},"3084":{"position":[[50,4]]},"3086":{"position":[[51,4]]},"3092":{"position":[[34,4]]},"3094":{"position":[[34,4]]},"3096":{"position":[[38,4]]},"3098":{"position":[[38,4]]},"3100":{"position":[[47,4]]},"3102":{"position":[[47,4]]},"3104":{"position":[[52,4]]},"3106":{"position":[[50,4]]},"3108":{"position":[[42,4]]},"3113":{"position":[[35,4]]},"3161":{"position":[[34,4],[61,4]]},"3163":{"position":[[35,4]]},"3180":{"position":[[52,4]]},"3182":{"position":[[32,4]]},"3194":{"position":[[27,4],[42,4]]},"3200":{"position":[[32,4],[52,4]]},"3216":{"position":[[30,5]]},"3217":{"position":[[38,4]]},"3219":{"position":[[38,4]]},"3221":{"position":[[26,4]]},"3223":{"position":[[26,4]]},"3225":{"position":[[48,4]]},"3227":{"position":[[48,4]]},"3229":{"position":[[46,4]]},"3231":{"position":[[53,4]]},"3233":{"position":[[53,4]]},"3235":{"position":[[54,4]]},"3242":{"position":[[34,4]]},"3256":{"position":[[34,4],[61,4]]},"3314":{"position":[[30,5]]}}}],["fix",{"_index":99,"t":{"2726":{"position":[[17,5]]}}}],["flag",{"_index":11,"t":{"2509":{"position":[[11,5]]},"2668":{"position":[[11,5]]},"2760":{"position":[[20,4]]}}}],["flannel",{"_index":206,"t":{"2943":{"position":[[0,7]]}}}],["format",{"_index":67,"t":{"2627":{"position":[[6,6]]}}}],["gap",{"_index":114,"t":{"2744":{"position":[[25,6]]},"2851":{"position":[[12,3]]}}}],["gc",{"_index":369,"t":{"3174":{"position":[[39,2]]}}}],["gener",{"_index":506,"t":{"3321":{"position":[[4,7]]}}}],["group",{"_index":452,"t":{"3277":{"position":[[34,5]]}}}],["harden",{"_index":169,"t":{"2863":{"position":[[0,13]]}}}],["hardwar",{"_index":140,"t":{"2792":{"position":[[0,8]]}}}],["hat",{"_index":45,"t":{"2588":{"position":[[4,3]]}}}],["helm",{"_index":127,"t":{"2764":{"position":[[0,4]]}}}],["helmchartconfig",{"_index":91,"t":{"2714":{"position":[[0,16]]}}}],["help",{"_index":18,"t":{"2517":{"position":[[14,4]]},"2674":{"position":[[15,4]]}}}],["host",{"_index":227,"t":{"3015":{"position":[[0,4]]},"3286":{"position":[[64,4]]},"3288":{"position":[[64,4]]},"3290":{"position":[[64,4]]}}}],["hostnam",{"_index":218,"t":{"2955":{"position":[[16,8]]},"3252":{"position":[[24,8]]}}}],["hostpath",{"_index":484,"t":{"3304":{"position":[[33,8]]}}}],["hostport",{"_index":487,"t":{"3306":{"position":[[54,9]]}}}],["hostprocess",{"_index":482,"t":{"3302":{"position":[[41,11]]}}}],["http",{"_index":38,"t":{"2559":{"position":[[0,4]]},"3117":{"position":[[32,5]]}}}],["id",{"_index":467,"t":{"3286":{"position":[[77,2]]}}}],["idl",{"_index":423,"t":{"3246":{"position":[[45,4]]}}}],["imag",{"_index":106,"t":{"2734":{"position":[[5,6]]},"2737":{"position":[[16,6]]},"2780":{"position":[[16,5]]},"2782":{"position":[[7,6]]},"2851":{"position":[[35,6]]},"2853":{"position":[[8,6]]},"3319":{"position":[[16,5]]}}}],["imagepolicywebhook",{"_index":504,"t":{"3319":{"position":[[39,18]]}}}],["imperson",{"_index":455,"t":{"3279":{"position":[[29,11]]}}}],["inbound",{"_index":141,"t":{"2796":{"position":[[0,7]]}}}],["includ",{"_index":191,"t":{"2913":{"position":[[11,8]]},"3125":{"position":[[52,8]]},"3127":{"position":[[52,8]]}}}],["ingress",{"_index":89,"t":{"2692":{"position":[[14,8]]},"2879":{"position":[[8,7]]}}}],["instal",{"_index":93,"t":{"2720":{"position":[[0,12]]},"2741":{"position":[[0,7]]},"2744":{"position":[[0,10]]},"2747":{"position":[[0,7]]},"2820":{"position":[[19,7]]},"2993":{"position":[[0,7]]},"3003":{"position":[[22,12]]}}}],["integr",{"_index":174,"t":{"2871":{"position":[[0,11]]}}}],["interf",{"_index":202,"t":{"2931":{"position":[[37,11]]}}}],["interfac",{"_index":280,"t":{"3084":{"position":[[40,9]]},"3086":{"position":[[41,9]]}}}],["ipc",{"_index":470,"t":{"3288":{"position":[[69,3]]}}}],["ipsec",{"_index":209,"t":{"2945":{"position":[[28,5]]}}}],["iptabl",{"_index":43,"t":{"2586":{"position":[[3,8]]},"2859":{"position":[[0,8]]},"3250":{"position":[[29,8]]}}}],["ipv4",{"_index":216,"t":{"2951":{"position":[[11,5]]}}}],["ipv6",{"_index":217,"t":{"2951":{"position":[[19,5]]},"2953":{"position":[[13,4]]}}}],["issu",{"_index":240,"t":{"3031":{"position":[[6,6]]}}}],["issuer",{"_index":36,"t":{"2544":{"position":[[16,6]]}}}],["join",{"_index":103,"t":{"2728":{"position":[[13,4]]},"2730":{"position":[[13,4]]}}}],["k3",{"_index":2,"t":{"2489":{"position":[[15,3]]},"2517":{"position":[[0,3]]},"2594":{"position":[[9,3]]},"2603":{"position":[[13,3]]},"2674":{"position":[[0,3]]},"2690":{"position":[[0,4]]},"2694":{"position":[[0,4]]},"2698":{"position":[[0,3]]},"2700":{"position":[[9,4]]},"2702":{"position":[[0,3]]},"2704":{"position":[[0,4]]},"2741":{"position":[[8,3]]},"2744":{"position":[[11,3]]},"2796":{"position":[[18,3]]},"2869":{"position":[[9,3]]},"2921":{"position":[[0,3]]},"2923":{"position":[[0,3]]},"2925":{"position":[[0,3]]},"2935":{"position":[[0,3]]},"2971":{"position":[[0,3]]},"2986":{"position":[[0,3]]},"3003":{"position":[[8,3]]},"3005":{"position":[[17,3]]},"3007":{"position":[[11,3]]},"3064":{"position":[[33,3]]}}}],["k3sup",{"_index":204,"t":{"2937":{"position":[[0,5]]}}}],["kernel",{"_index":231,"t":{"3017":{"position":[[15,6]]},"3248":{"position":[[32,6]]}}}],["key",{"_index":22,"t":{"2525":{"position":[[11,3]]},"2544":{"position":[[23,3]]},"3108":{"position":[[38,3]]},"3119":{"position":[[72,3]]},"3161":{"position":[[57,3]]},"3180":{"position":[[48,3]]},"3194":{"position":[[38,3]]},"3200":{"position":[[48,3]]},"3214":{"position":[[42,3]]},"3256":{"position":[[57,3]]}}}],["keyfil",{"_index":355,"t":{"3159":{"position":[[50,7]]}}}],["known",{"_index":239,"t":{"3031":{"position":[[0,5]]}}}],["kubeconfig",{"_index":78,"t":{"2651":{"position":[[6,10]]},"3221":{"position":[[15,10]]},"3223":{"position":[[15,10]]},"3225":{"position":[[24,10]]},"3227":{"position":[[24,10]]}}}],["kubectl",{"_index":37,"t":{"2548":{"position":[[5,8]]}}}],["kubelet",{"_index":311,"t":{"3117":{"position":[[24,7]]},"3119":{"position":[[24,7],[57,7]]},"3121":{"position":[[24,7]]},"3217":{"position":[[22,7]]},"3219":{"position":[[22,7]]},"3233":{"position":[[22,7]]},"3235":{"position":[[23,7]]},"3237":{"position":[[4,7]]},"3262":{"position":[[23,7]]}}}],["kubelet.conf",{"_index":408,"t":{"3225":{"position":[[35,12]]},"3227":{"position":[[35,12]]}}}],["kubernet",{"_index":83,"t":{"2666":{"position":[[0,10]]},"2668":{"position":[[21,10]]},"2690":{"position":[[5,11]]},"3019":{"position":[[0,10]]},"3027":{"position":[[18,10]]},"3064":{"position":[[4,10],[42,10]]},"3104":{"position":[[23,10]]},"3106":{"position":[[23,10]]},"3108":{"position":[[23,10]]},"3279":{"position":[[73,10]]}}}],["label",{"_index":14,"t":{"2515":{"position":[[5,6]]}}}],["larg",{"_index":143,"t":{"2798":{"position":[[0,5]]}}}],["launch",{"_index":97,"t":{"2724":{"position":[[3,6]]}}}],["level",{"_index":228,"t":{"3015":{"position":[[5,5]]},"3254":{"position":[[60,5]]}}}],["limit",{"_index":454,"t":{"3279":{"position":[[6,5]]}}}],["linux",{"_index":47,"t":{"2588":{"position":[[19,5]]}}}],["listen",{"_index":80,"t":{"2656":{"position":[[0,9]]}}}],["load",{"_index":63,"t":{"2621":{"position":[[6,4]]},"2623":{"position":[[6,4]]},"2734":{"position":[[0,4]]},"2851":{"position":[[28,6]]},"2883":{"position":[[8,4]]}}}],["log",{"_index":3,"t":{"2497":{"position":[[0,7]]},"2654":{"position":[[0,7]]},"3147":{"position":[[31,3]]},"3149":{"position":[[31,3]]},"3151":{"position":[[31,3]]},"3153":{"position":[[31,3]]},"3211":{"position":[[4,7]]}}}],["longhorn",{"_index":221,"t":{"2979":{"position":[[0,8]]}}}],["lookup",{"_index":351,"t":{"3155":{"position":[[41,6]]}}}],["make",{"_index":363,"t":{"3171":{"position":[[39,5]]},"3250":{"position":[[24,4]]},"3262":{"position":[[36,5]]}}}],["manag",{"_index":186,"t":{"2895":{"position":[[39,7]]},"3072":{"position":[[33,7]]},"3074":{"position":[[33,7]]},"3173":{"position":[[15,7]]},"3313":{"position":[[12,10]]}}}],["manager.conf",{"_index":295,"t":{"3100":{"position":[[34,12]]},"3102":{"position":[[34,12]]}}}],["manifest",{"_index":120,"t":{"2752":{"position":[[15,9]]},"2758":{"position":[[10,9]]}}}],["manual",{"_index":110,"t":{"2737":{"position":[[0,8]]},"2851":{"position":[[19,8]]},"3005":{"position":[[0,8]]},"3084":{"position":[[102,8]]},"3086":{"position":[[86,8]]},"3106":{"position":[[102,8]]},"3108":{"position":[[74,8]]},"3111":{"position":[[64,8]]},"3129":{"position":[[70,8]]},"3133":{"position":[[72,8]]},"3135":{"position":[[108,8]]},"3167":{"position":[[83,8]]},"3169":{"position":[[69,8]]},"3171":{"position":[[81,8]]},"3174":{"position":[[83,8]]},"3206":{"position":[[64,8]]},"3209":{"position":[[69,8]]},"3212":{"position":[[52,8]]},"3214":{"position":[[64,8]]},"3221":{"position":[[92,8]]},"3223":{"position":[[75,8]]},"3229":{"position":[[98,8]]},"3231":{"position":[[88,8]]},"3244":{"position":[[60,8]]},"3246":{"position":[[83,8]]},"3252":{"position":[[62,8]]},"3254":{"position":[[106,8]]},"3256":{"position":[[99,8]]},"3260":{"position":[[78,8]]},"3262":{"position":[[78,8]]},"3265":{"position":[[69,8]]},"3267":{"position":[[33,8]]},"3269":{"position":[[54,8]]},"3271":{"position":[[37,8]]},"3273":{"position":[[66,8]]},"3275":{"position":[[74,8]]},"3277":{"position":[[40,8]]},"3279":{"position":[[92,8]]},"3282":{"position":[[88,8]]},"3300":{"position":[[71,8]]},"3302":{"position":[[64,8]]},"3304":{"position":[[50,8]]},"3306":{"position":[[64,8]]},"3309":{"position":[[58,8]]},"3311":{"position":[[62,8]]},"3314":{"position":[[74,8]]},"3316":{"position":[[39,8]]},"3319":{"position":[[79,8]]},"3322":{"position":[[74,8]]},"3324":{"position":[[87,8]]},"3326":{"position":[[56,8]]},"3328":{"position":[[47,8]]}}}],["maxag",{"_index":344,"t":{"3149":{"position":[[35,6]]}}}],["maxbackup",{"_index":347,"t":{"3151":{"position":[[35,9]]}}}],["maxsiz",{"_index":349,"t":{"3153":{"position":[[35,7]]}}}],["measur",{"_index":193,"t":{"2913":{"position":[[33,12]]}}}],["mechan",{"_index":461,"t":{"3282":{"position":[[69,9]]}}}],["memori",{"_index":145,"t":{"2800":{"position":[[8,6]]}}}],["method",{"_index":109,"t":{"2735":{"position":[[17,6]]},"2737":{"position":[[23,6]]},"2747":{"position":[[15,6]]},"2749":{"position":[[19,6]]}}}],["methodolog",{"_index":194,"t":{"2915":{"position":[[0,11]]}}}],["migrat",{"_index":207,"t":{"2945":{"position":[[0,9]]}}}],["minim",{"_index":397,"t":{"3212":{"position":[[20,7]]},"3267":{"position":[[6,8]]},"3269":{"position":[[6,8]]},"3271":{"position":[[6,8]]},"3284":{"position":[[6,8]]},"3286":{"position":[[6,8]]},"3288":{"position":[[6,8]]},"3290":{"position":[[6,8]]},"3292":{"position":[[6,8]]},"3294":{"position":[[6,8]]},"3296":{"position":[[6,8]]},"3298":{"position":[[6,8]]},"3300":{"position":[[7,8]]},"3302":{"position":[[7,8]]},"3304":{"position":[[7,8]]},"3306":{"position":[[7,8]]}}}],["mirror",{"_index":112,"t":{"2739":{"position":[[18,6]]},"2772":{"position":[[0,7]]},"2838":{"position":[[38,6]]},"2842":{"position":[[18,9]]}}}],["mode",{"_index":168,"t":{"2861":{"position":[[9,4]]},"3123":{"position":[[38,4]]},"3125":{"position":[[38,4]]},"3127":{"position":[[38,4]]},"3240":{"position":[[38,4]]}}}],["more",{"_index":266,"t":{"3068":{"position":[[86,4]]},"3072":{"position":[[94,4]]},"3076":{"position":[[85,4]]},"3080":{"position":[[80,4]]},"3084":{"position":[[85,4]]},"3088":{"position":[[73,4]]},"3092":{"position":[[69,4]]},"3096":{"position":[[73,4]]},"3100":{"position":[[82,4]]},"3106":{"position":[[85,4]]},"3217":{"position":[[73,4]]},"3221":{"position":[[75,4]]},"3225":{"position":[[83,4]]},"3229":{"position":[[81,4]]},"3233":{"position":[[88,4]]}}}],["mount",{"_index":447,"t":{"3275":{"position":[[50,7]]}}}],["multicloud",{"_index":172,"t":{"2869":{"position":[[13,10]]}}}],["multipl",{"_index":153,"t":{"2826":{"position":[[0,8]]}}}],["namespac",{"_index":468,"t":{"3286":{"position":[[80,9]]},"3288":{"position":[[73,9]]},"3290":{"position":[[77,9]]},"3311":{"position":[[22,10]]},"3322":{"position":[[63,10]]},"3328":{"position":[[18,9]]}}}],["namespacelifecycl",{"_index":334,"t":{"3139":{"position":[[48,18]]}}}],["nativ",{"_index":210,"t":{"2945":{"position":[[47,6]]}}}],["necessari",{"_index":448,"t":{"3275":{"position":[[64,9]]}}}],["net_raw",{"_index":476,"t":{"3296":{"position":[[52,7]]}}}],["network",{"_index":9,"t":{"2507":{"position":[[0,10]]},"2662":{"position":[[0,10]]},"2794":{"position":[[0,10]]},"2804":{"position":[[0,7]]},"2881":{"position":[[0,7]]},"2951":{"position":[[25,10]]},"2953":{"position":[[18,10]]},"3084":{"position":[[32,7]]},"3086":{"position":[[33,7]]},"3290":{"position":[[69,7]]},"3308":{"position":[[4,7]]}}}],["networkpolici",{"_index":234,"t":{"3023":{"position":[[0,15]]},"3309":{"position":[[42,15]]},"3311":{"position":[[38,15]]}}}],["new",{"_index":86,"t":{"2684":{"position":[[0,3]]}}}],["nginx",{"_index":65,"t":{"2623":{"position":[[0,5]]}}}],["node",{"_index":7,"t":{"2503":{"position":[[0,4]]},"2515":{"position":[[0,4]]},"2724":{"position":[[17,5]]},"2728":{"position":[[36,5]]},"2730":{"position":[[24,5]]},"2796":{"position":[[22,5]]},"2810":{"position":[[15,5]]},"2812":{"position":[[24,5]]},"2889":{"position":[[22,4]]},"2891":{"position":[[19,4]]},"2955":{"position":[[0,5]]},"3067":{"position":[[18,4]]},"3125":{"position":[[61,4]]},"3193":{"position":[[7,4]]},"3216":{"position":[[11,4]]}}}],["noderestrict",{"_index":335,"t":{"3141":{"position":[[48,15]]}}}],["nvidia",{"_index":41,"t":{"2567":{"position":[[0,6]]}}}],["oci",{"_index":159,"t":{"2838":{"position":[[25,3]]}}}],["on",{"_index":460,"t":{"3282":{"position":[[43,3]]}}}],["oper",{"_index":138,"t":{"2790":{"position":[[0,9]]}}}],["option",{"_index":5,"t":{"2499":{"position":[[8,7]]},"2646":{"position":[[14,7]]},"2649":{"position":[[8,7]]},"2651":{"position":[[17,7]]},"2653":{"position":[[9,7]]},"2670":{"position":[[13,7]]},"2672":{"position":[[11,7]]},"2728":{"position":[[3,9]]},"2730":{"position":[[3,9]]},"2943":{"position":[[8,7]]}}}],["os",{"_index":42,"t":{"2585":{"position":[[3,2]]}}}],["outlin",{"_index":94,"t":{"2720":{"position":[[13,7]]}}}],["over",{"_index":496,"t":{"3314":{"position":[[36,4]]}}}],["overrid",{"_index":427,"t":{"3252":{"position":[[33,8]]}}}],["overview",{"_index":222,"t":{"2991":{"position":[[0,8]]}}}],["ownership",{"_index":269,"t":{"3070":{"position":[[56,9]]},"3074":{"position":[[64,9]]},"3078":{"position":[[55,9]]},"3082":{"position":[[50,9]]},"3086":{"position":[[56,9]]},"3090":{"position":[[43,9]]},"3094":{"position":[[39,9]]},"3098":{"position":[[43,9]]},"3102":{"position":[[52,9]]},"3104":{"position":[[57,9]]},"3219":{"position":[[43,9]]},"3223":{"position":[[45,9]]},"3227":{"position":[[53,9]]},"3231":{"position":[[58,9]]},"3235":{"position":[[59,9]]}}}],["packag",{"_index":122,"t":{"2754":{"position":[[0,8]]}}}],["paramet",{"_index":307,"t":{"3113":{"position":[[40,9]]}}}],["path",{"_index":342,"t":{"3147":{"position":[[35,4]]}}}],["peer",{"_index":389,"t":{"3200":{"position":[[22,4],[43,4]]},"3202":{"position":[[22,4]]},"3204":{"position":[[22,4]]}}}],["permiss",{"_index":264,"t":{"3068":{"position":[[56,11]]},"3072":{"position":[[64,11]]},"3076":{"position":[[55,11]]},"3080":{"position":[[50,11]]},"3084":{"position":[[55,11]]},"3088":{"position":[[43,11]]},"3092":{"position":[[39,11]]},"3096":{"position":[[43,11]]},"3100":{"position":[[52,11]]},"3106":{"position":[[55,11]]},"3108":{"position":[[47,11]]},"3217":{"position":[[43,11]]},"3221":{"position":[[45,11]]},"3225":{"position":[[53,11]]},"3229":{"position":[[51,11]]},"3233":{"position":[[62,11]]},"3279":{"position":[[54,11]]}}}],["pi",{"_index":51,"t":{"2592":{"position":[[10,2]]}}}],["pki",{"_index":298,"t":{"3104":{"position":[[34,3]]},"3106":{"position":[[34,3]]},"3108":{"position":[[34,3]]}}}],["place",{"_index":462,"t":{"3282":{"position":[[82,5]]}}}],["plan",{"_index":223,"t":{"2995":{"position":[[10,5]]}}}],["plane",{"_index":149,"t":{"2812":{"position":[[18,5]]},"2949":{"position":[[8,5]]},"3029":{"position":[[8,5]]},"3067":{"position":[[12,5]]}}}],["plugin",{"_index":323,"t":{"3129":{"position":[[41,6]]},"3131":{"position":[[41,6]]},"3133":{"position":[[41,6]]},"3135":{"position":[[41,6]]},"3137":{"position":[[41,6]]},"3139":{"position":[[41,6]]},"3141":{"position":[[41,6]]}}}],["pod",{"_index":233,"t":{"3021":{"position":[[0,3]]},"3068":{"position":[[33,3]]},"3070":{"position":[[33,3]]},"3072":{"position":[[41,3]]},"3074":{"position":[[41,3]]},"3076":{"position":[[32,3]]},"3078":{"position":[[32,3]]},"3080":{"position":[[27,3]]},"3082":{"position":[[27,3]]},"3174":{"position":[[35,3]]},"3271":{"position":[[32,4]]},"3281":{"position":[[4,3]]},"3324":{"position":[[71,3]]},"3326":{"position":[[36,4]]}}}],["pod.yaml",{"_index":220,"t":{"2977":{"position":[[0,8]]},"2983":{"position":[[0,8]]}}}],["podsecuritypolici",{"_index":331,"t":{"3135":{"position":[[78,17]]}}}],["polici",{"_index":179,"t":{"2881":{"position":[[8,6]]},"3212":{"position":[[34,6]]},"3214":{"position":[[28,6]]},"3282":{"position":[[54,6]]},"3308":{"position":[[12,8]]},"3321":{"position":[[12,8]]}}}],["pool",{"_index":184,"t":{"2891":{"position":[[24,5]]}}}],["port",{"_index":337,"t":{"3143":{"position":[[32,4]]},"3244":{"position":[[34,4]]}}}],["potenti",{"_index":162,"t":{"2849":{"position":[[0,9]]}}}],["prefer",{"_index":495,"t":{"3314":{"position":[[6,6]]}}}],["prerequisit",{"_index":61,"t":{"2619":{"position":[[0,13]]},"2742":{"position":[[0,13]]},"2786":{"position":[[0,13]]}}}],["prevent",{"_index":201,"t":{"2931":{"position":[[0,10]]}}}],["primari",{"_index":198,"t":{"2929":{"position":[[0,7]]}}}],["privat",{"_index":107,"t":{"2735":{"position":[[0,7]]},"2782":{"position":[[21,7]]},"3161":{"position":[[49,7]]},"3180":{"position":[[40,7]]},"3256":{"position":[[49,7]]}}}],["privileg",{"_index":464,"t":{"3284":{"position":[[32,10]]}}}],["process",{"_index":85,"t":{"2668":{"position":[[32,9]]},"2899":{"position":[[0,7]]},"3286":{"position":[[69,7]]}}}],["profil",{"_index":340,"t":{"3145":{"position":[[25,9]]},"3176":{"position":[[24,9]]},"3189":{"position":[[24,9]]},"3324":{"position":[[30,7]]}}}],["protect",{"_index":230,"t":{"3017":{"position":[[7,7]]},"3248":{"position":[[24,7]]}}}],["proven",{"_index":503,"t":{"3319":{"position":[[22,10]]}}}],["provid",{"_index":177,"t":{"2871":{"position":[[35,8]]},"3167":{"position":[[36,8]]},"3169":{"position":[[30,9]]}}}],["proxi",{"_index":405,"t":{"3221":{"position":[[9,5]]},"3223":{"position":[[9,5]]}}}],["pull",{"_index":135,"t":{"2780":{"position":[[22,5]]}}}],["push",{"_index":165,"t":{"2853":{"position":[[0,7]]}}}],["put",{"_index":154,"t":{"2828":{"position":[[0,7]]}}}],["pvc.yaml",{"_index":219,"t":{"2975":{"position":[[0,8]]},"2981":{"position":[[0,8]]}}}],["qp",{"_index":430,"t":{"3254":{"position":[[30,3]]}}}],["raspberri",{"_index":50,"t":{"2592":{"position":[[0,9]]}}}],["rbac",{"_index":320,"t":{"3127":{"position":[[61,4]]},"3264":{"position":[[4,4]]}}}],["read",{"_index":419,"t":{"3244":{"position":[[24,4]]}}}],["red",{"_index":44,"t":{"2588":{"position":[[0,3]]}}}],["registr",{"_index":100,"t":{"2726":{"position":[[23,12]]}}}],["registri",{"_index":108,"t":{"2735":{"position":[[8,8]]},"2739":{"position":[[9,8]]},"2770":{"position":[[0,10]]},"2782":{"position":[[29,8]]},"2838":{"position":[[29,8]]},"2842":{"position":[[9,8]]}}}],["releas",{"_index":224,"t":{"3001":{"position":[[0,7]]}}}],["request",{"_index":352,"t":{"3157":{"position":[[25,7]]}}}],["requir",{"_index":160,"t":{"2840":{"position":[[0,12]]},"2919":{"position":[[18,12]]},"3015":{"position":[[11,12]]},"3019":{"position":[[19,12]]},"3265":{"position":[[60,8]]}}}],["resourc",{"_index":189,"t":{"2911":{"position":[[9,8]]},"2919":{"position":[[9,8]]},"2929":{"position":[[8,8]]},"3322":{"position":[[47,9]]}}}],["restart",{"_index":226,"t":{"3007":{"position":[[0,10]]}}}],["restor",{"_index":55,"t":{"2611":{"position":[[11,7]]},"2613":{"position":[[11,7]]},"2615":{"position":[[11,7]]}}}],["restrict",{"_index":267,"t":{"3068":{"position":[[91,11]]},"3072":{"position":[[99,11]]},"3076":{"position":[[90,11]]},"3080":{"position":[[85,11]]},"3084":{"position":[[90,11]]},"3088":{"position":[[78,11]]},"3092":{"position":[[74,11]]},"3096":{"position":[[78,11]]},"3100":{"position":[[87,11]]},"3106":{"position":[[90,11]]},"3217":{"position":[[78,11]]},"3221":{"position":[[80,11]]},"3225":{"position":[[88,11]]},"3229":{"position":[[86,11]]},"3233":{"position":[[93,11]]}}}],["role",{"_index":150,"t":{"2814":{"position":[[7,5]]},"3265":{"position":[[36,4]]},"3269":{"position":[[31,5]]}}}],["root",{"_index":376,"t":{"3182":{"position":[[24,4]]},"3294":{"position":[[32,4]]}}}],["root:root",{"_index":270,"t":{"3070":{"position":[[76,9]]},"3074":{"position":[[84,9]]},"3078":{"position":[[75,9]]},"3082":{"position":[[70,9]]},"3086":{"position":[[76,9]]},"3094":{"position":[[59,9]]},"3098":{"position":[[63,9]]},"3102":{"position":[[72,9]]},"3104":{"position":[[77,9]]},"3219":{"position":[[63,9]]},"3223":{"position":[[65,9]]},"3227":{"position":[[73,9]]},"3231":{"position":[[78,9]]},"3235":{"position":[[79,9]]}}}],["rootless",{"_index":167,"t":{"2861":{"position":[[0,8]]}}}],["rotat",{"_index":23,"t":{"2525":{"position":[[15,8]]},"2534":{"position":[[0,8]]},"2540":{"position":[[0,8]]},"2542":{"position":[[0,8]]},"2544":{"position":[[27,8]]},"3258":{"position":[[25,6]]}}}],["rotatekubeletservercertif",{"_index":378,"t":{"3184":{"position":[[22,30]]},"3260":{"position":[[23,30]]}}}],["rule",{"_index":142,"t":{"2796":{"position":[[8,5]]}}}],["runtim",{"_index":8,"t":{"2505":{"position":[[0,7]]},"3019":{"position":[[11,7]]}}}],["schedul",{"_index":274,"t":{"3076":{"position":[[22,9]]},"3078":{"position":[[22,9]]},"3188":{"position":[[4,9]]}}}],["scheduler.conf",{"_index":292,"t":{"3096":{"position":[[23,14]]},"3098":{"position":[[23,14]]}}}],["scope",{"_index":188,"t":{"2911":{"position":[[0,5]]}}}],["script",{"_index":117,"t":{"2747":{"position":[[8,6]]},"2820":{"position":[[27,6]]},"3003":{"position":[[35,6]]}}}],["seccomp",{"_index":512,"t":{"3324":{"position":[[22,7]]}}}],["secret",{"_index":19,"t":{"2523":{"position":[[0,7]]},"2527":{"position":[[0,7]]},"2529":{"position":[[0,7]]},"2660":{"position":[[0,7]]},"2961":{"position":[[0,7]]},"3267":{"position":[[25,7]]},"3313":{"position":[[4,7]]},"3314":{"position":[[19,7],[41,7]]},"3316":{"position":[[24,6]]}}}],["secur",{"_index":68,"t":{"2629":{"position":[[0,6]]},"2846":{"position":[[0,8]]},"3021":{"position":[[4,8]]},"3143":{"position":[[25,6]]},"3214":{"position":[[46,8]]},"3281":{"position":[[8,8]]}}}],["securitycontext",{"_index":517,"t":{"3326":{"position":[[12,15]]}}}],["securitycontextdeni",{"_index":330,"t":{"3135":{"position":[[48,19]]}}}],["select",{"_index":183,"t":{"2889":{"position":[[27,9]]}}}],["selector",{"_index":213,"t":{"2949":{"position":[[21,8]]}}}],["self",{"_index":32,"t":{"2542":{"position":[[9,4]]}}}],["selinux",{"_index":52,"t":{"2596":{"position":[[0,7]]},"2598":{"position":[[0,7]]}}}],["server",{"_index":27,"t":{"2532":{"position":[[11,6]]},"2534":{"position":[[20,6]]},"2635":{"position":[[0,6]]},"2674":{"position":[[4,6]]},"2724":{"position":[[10,6]]},"2728":{"position":[[29,6]]},"2814":{"position":[[25,7]]},"2832":{"position":[[13,7]]},"2921":{"position":[[4,6]]},"3025":{"position":[[4,6]]},"3068":{"position":[[26,6]]},"3070":{"position":[[26,6]]},"3110":{"position":[[8,6]]},"3171":{"position":[[27,6]]}}}],["servic",{"_index":34,"t":{"2544":{"position":[[0,7]]},"2883":{"position":[[0,7]]},"3155":{"position":[[25,7]]},"3178":{"position":[[28,7]]},"3180":{"position":[[24,7]]},"3217":{"position":[[30,7]]},"3219":{"position":[[30,7]]},"3264":{"position":[[13,7]]},"3273":{"position":[[26,7]]},"3275":{"position":[[18,7]]}}}],["serviceaccount",{"_index":333,"t":{"3137":{"position":[[48,14]]}}}],["servicelb",{"_index":180,"t":{"2885":{"position":[[4,9]]},"2889":{"position":[[12,9]]},"2891":{"position":[[9,9]]},"2893":{"position":[[10,9]]}}}],["set",{"_index":232,"t":{"3017":{"position":[[34,3]]},"3068":{"position":[[72,3]]},"3070":{"position":[[69,3]]},"3072":{"position":[[80,3]]},"3074":{"position":[[77,3]]},"3076":{"position":[[71,3]]},"3078":{"position":[[68,3]]},"3080":{"position":[[66,3]]},"3082":{"position":[[63,3]]},"3084":{"position":[[71,3]]},"3086":{"position":[[69,3]]},"3088":{"position":[[59,3]]},"3090":{"position":[[56,3]]},"3092":{"position":[[55,3]]},"3094":{"position":[[52,3]]},"3096":{"position":[[59,3]]},"3098":{"position":[[56,3]]},"3100":{"position":[[68,3]]},"3102":{"position":[[65,3]]},"3104":{"position":[[70,3]]},"3106":{"position":[[71,3]]},"3108":{"position":[[63,3]]},"3111":{"position":[[51,3]]},"3113":{"position":[[57,3]]},"3115":{"position":[[54,3]]},"3117":{"position":[[50,3]]},"3119":{"position":[[90,3]]},"3121":{"position":[[66,3]]},"3123":{"position":[[59,3]]},"3129":{"position":[[66,3]]},"3131":{"position":[[67,3]]},"3133":{"position":[[68,3]]},"3135":{"position":[[71,3]]},"3137":{"position":[[66,3]]},"3139":{"position":[[70,3]]},"3141":{"position":[[67,3]]},"3143":{"position":[[53,3]]},"3145":{"position":[[47,3]]},"3147":{"position":[[52,3]]},"3149":{"position":[[54,3]]},"3151":{"position":[[57,3]]},"3153":{"position":[[55,3]]},"3155":{"position":[[60,3]]},"3157":{"position":[[53,3]]},"3159":{"position":[[72,3]]},"3161":{"position":[[80,3]]},"3163":{"position":[[52,3]]},"3165":{"position":[[49,3]]},"3167":{"position":[[64,3]]},"3174":{"position":[[64,3]]},"3176":{"position":[[46,3]]},"3178":{"position":[[68,3]]},"3180":{"position":[[69,3]]},"3182":{"position":[[49,3]]},"3184":{"position":[[65,3]]},"3186":{"position":[[49,3]]},"3189":{"position":[[46,3]]},"3191":{"position":[[49,3]]},"3194":{"position":[[61,3]]},"3196":{"position":[[51,3]]},"3198":{"position":[[47,3]]},"3200":{"position":[[71,3]]},"3202":{"position":[[56,3]]},"3204":{"position":[[52,3]]},"3217":{"position":[[59,3]]},"3219":{"position":[[56,3]]},"3221":{"position":[[61,3]]},"3223":{"position":[[58,3]]},"3225":{"position":[[69,3]]},"3227":{"position":[[66,3]]},"3229":{"position":[[67,3]]},"3231":{"position":[[71,3]]},"3233":{"position":[[74,3]]},"3235":{"position":[[72,3]]},"3238":{"position":[[51,3]]},"3240":{"position":[[59,3]]},"3242":{"position":[[51,3]]},"3244":{"position":[[51,3]]},"3246":{"position":[[74,3]]},"3248":{"position":[[60,3]]},"3250":{"position":[[62,3]]},"3252":{"position":[[58,3]]},"3254":{"position":[[46,3]]},"3256":{"position":[[80,3]]},"3258":{"position":[[61,3]]},"3260":{"position":[[66,3]]},"3324":{"position":[[41,3]]}}}],["setup",{"_index":62,"t":{"2621":{"position":[[0,5]]}}}],["share",{"_index":164,"t":{"2851":{"position":[[0,7]]},"3286":{"position":[[54,5]]},"3288":{"position":[[54,5]]},"3290":{"position":[[54,5]]}}}],["short",{"_index":69,"t":{"2631":{"position":[[0,5]]}}}],["sign",{"_index":33,"t":{"2542":{"position":[[14,6]]}}}],["singl",{"_index":196,"t":{"2923":{"position":[[19,6]]},"2953":{"position":[[0,6]]}}}],["skip",{"_index":125,"t":{"2762":{"position":[[6,5]]}}}],["snap",{"_index":166,"t":{"2857":{"position":[[0,8]]}}}],["solut",{"_index":173,"t":{"2869":{"position":[[24,8]]}}}],["specif",{"_index":263,"t":{"3068":{"position":[[37,13]]},"3070":{"position":[[37,13]]},"3072":{"position":[[45,13]]},"3074":{"position":[[45,13]]},"3076":{"position":[[36,13]]},"3078":{"position":[[36,13]]},"3080":{"position":[[31,13]]},"3082":{"position":[[31,13]]}}}],["sqlite",{"_index":56,"t":{"2611":{"position":[[24,6]]}}}],["stack",{"_index":215,"t":{"2951":{"position":[[5,5]]},"2953":{"position":[[7,5]]}}}],["standard",{"_index":458,"t":{"3281":{"position":[[17,9]]}}}],["statu",{"_index":25,"t":{"2529":{"position":[[19,6]]}}}],["storag",{"_index":81,"t":{"2664":{"position":[[0,7]]},"3316":{"position":[[31,7]]}}}],["stream",{"_index":421,"t":{"3246":{"position":[[24,9]]}}}],["strong",{"_index":364,"t":{"3171":{"position":[[52,6]]},"3262":{"position":[[49,6]]}}}],["support",{"_index":490,"t":{"3309":{"position":[[33,8]]}}}],["syntax",{"_index":151,"t":{"2816":{"position":[[19,6]]}}}],["system",{"_index":139,"t":{"2790":{"position":[[10,7]]},"2993":{"position":[[12,6]]}}}],["system:mast",{"_index":451,"t":{"3277":{"position":[[19,14]]}}}],["tailscal",{"_index":175,"t":{"2871":{"position":[[21,9]]}}}],["taint",{"_index":15,"t":{"2515":{"position":[[16,6]]}}}],["termin",{"_index":368,"t":{"3174":{"position":[[24,10]]}}}],["test",{"_index":190,"t":{"2911":{"position":[[18,7]]}}}],["threshold",{"_index":370,"t":{"3174":{"position":[[42,9]]}}}],["timeout",{"_index":353,"t":{"3157":{"position":[[33,7]]},"3246":{"position":[[50,7]]}}}],["tl",{"_index":132,"t":{"2776":{"position":[[5,3]]},"2778":{"position":[[8,3]]},"3161":{"position":[[25,3],[45,3]]},"3198":{"position":[[27,3]]},"3204":{"position":[[32,3]]},"3256":{"position":[[25,3],[45,3]]}}}],["togeth",{"_index":155,"t":{"2828":{"position":[[15,8]]}}}],["token",{"_index":66,"t":{"2627":{"position":[[0,5]]},"2633":{"position":[[0,5]]},"3113":{"position":[[24,5]]},"3275":{"position":[[34,6]]}}}],["tool",{"_index":21,"t":{"2523":{"position":[[19,4]]},"2961":{"position":[[19,4]]}}}],["traefik",{"_index":88,"t":{"2692":{"position":[[0,7]]},"2879":{"position":[[0,7]]}}}],["troubleshoot",{"_index":134,"t":{"2780":{"position":[[0,15]]}}}],["true",{"_index":312,"t":{"3117":{"position":[[57,4]]},"3155":{"position":[[67,4]]},"3178":{"position":[[75,4]]},"3184":{"position":[[72,4]]},"3196":{"position":[[58,4]]},"3198":{"position":[[54,4]]},"3202":{"position":[[63,4]]},"3204":{"position":[[59,4]]},"3248":{"position":[[67,4]]},"3250":{"position":[[69,4]]},"3260":{"position":[[73,4]]}}}],["type",{"_index":70,"t":{"2633":{"position":[[6,5]]}}}],["ubuntu",{"_index":49,"t":{"2590":{"position":[[0,6]]}}}],["uninstal",{"_index":156,"t":{"2832":{"position":[[0,12]]},"2834":{"position":[[0,12]]}}}],["uniqu",{"_index":393,"t":{"3206":{"position":[[18,6]]}}}],["upgrad",{"_index":116,"t":{"2746":{"position":[[0,9]]},"2749":{"position":[[10,8]]},"2993":{"position":[[19,7]]},"3003":{"position":[[0,7]]},"3005":{"position":[[9,7]]}}}],["us",{"_index":31,"t":{"2538":{"position":[[0,5]]},"2646":{"position":[[9,4]]},"2760":{"position":[[0,5]]},"2762":{"position":[[0,5]]},"3003":{"position":[[12,5]]},"3005":{"position":[[21,5]]},"3135":{"position":[[103,4]]},"3171":{"position":[[45,3]]},"3178":{"position":[[24,3]]},"3206":{"position":[[50,4]]},"3209":{"position":[[54,4]]},"3262":{"position":[[42,3]]},"3265":{"position":[[49,4]]},"3269":{"position":[[24,3]]},"3273":{"position":[[60,5]]},"3277":{"position":[[12,3]]},"3279":{"position":[[12,3]]},"3306":{"position":[[50,3]]},"3309":{"position":[[29,3]]},"3314":{"position":[[13,5]]},"3319":{"position":[[33,5]]},"3322":{"position":[[57,5]]},"3328":{"position":[[42,4]]}}}],["usag",{"_index":182,"t":{"2887":{"position":[[0,5]]}}}],["user",{"_index":123,"t":{"2756":{"position":[[0,4]]},"3209":{"position":[[63,5]]}}}],["util",{"_index":199,"t":{"2929":{"position":[[17,11]]},"3250":{"position":[[38,4]]}}}],["v1.22",{"_index":259,"t":{"3064":{"position":[[53,5]]}}}],["v1.23",{"_index":258,"t":{"3064":{"position":[[25,5]]}}}],["v1.24",{"_index":260,"t":{"3064":{"position":[[62,5]]}}}],["v1.24.x",{"_index":170,"t":{"2863":{"position":[[20,9]]}}}],["v1.25.x",{"_index":171,"t":{"2863":{"position":[[30,8]]}}}],["valu",{"_index":74,"t":{"2644":{"position":[[23,6]]}}}],["variabl",{"_index":497,"t":{"3314":{"position":[[64,9]]}}}],["verifi",{"_index":435,"t":{"3260":{"position":[[7,6]]}}}],["volum",{"_index":485,"t":{"3304":{"position":[[42,7]]}}}],["vpn",{"_index":176,"t":{"2871":{"position":[[31,3]]}}}],["wildcard",{"_index":442,"t":{"3269":{"position":[[15,8]]}}}],["window",{"_index":90,"t":{"2694":{"position":[[5,8]]},"3302":{"position":[[33,7]]}}}],["wireguard",{"_index":208,"t":{"2945":{"position":[[15,9],[37,9]]}}}],["wish",{"_index":466,"t":{"3286":{"position":[[43,7]]},"3288":{"position":[[43,7]]},"3290":{"position":[[43,7]]}}}],["without",{"_index":133,"t":{"2778":{"position":[[0,7]]},"2955":{"position":[[6,7]]}}}],["work",{"_index":181,"t":{"2885":{"position":[[14,5]]}}}],["worker",{"_index":401,"t":{"3216":{"position":[[4,6]]}}}],["workload",{"_index":195,"t":{"2921":{"position":[[18,8]]},"2931":{"position":[[22,9]]}}}]],"pipeline":["stemmer"]}},{"documents":[{"i":2483,"t":"K3s 바이너리에는 클러스터 관리에 도움이 되는 여러 가지 추가 도구가 포함되어 있습니다.","s":"명령줄 도구","u":"/kr/cli","p":2483},{"i":2485,"t":"이 페이지에서는 고가용성 K3s 서버 클러스터의 아키텍처와 단일 노드 서버 클러스터와의 차이점에 대해 설명합니다.","s":"아키텍처","u":"/kr/architecture","p":2485},{"i":2495,"t":"In this section, you'll learn how to configure the K3s agent.","s":"k3s agent","u":"/kr/cli/agent","p":2495},{"i":2519,"t":"Available as of v1.19.1+k3s1","s":"k3s etcd-snapshot","u":"/kr/cli/etcd-snapshot","p":2519},{"i":2521,"t":"K3s supports enabling secrets encryption at rest. For more information, see Secrets Encryption.","s":"k3s secrets-encrypt","u":"/kr/cli/secrets-encrypt","p":2521},{"i":2531,"t":"Client and Server Certificates","s":"k3s certificate","u":"/kr/cli/certificate","p":2531},{"i":2546,"t":"/etc/rancher/k3s/k3s.yaml에 저장된 kubeconfig 파일은 쿠버네티스 클러스터에 대한 액세스를 구성하는 데 사용됩니다. kubectl 또는 helm과 같은 업스트림 Kubernetes 명령줄 도구를 설치한 경우 올바른 kubeconfig 경로로 구성해야 합니다. 이 작업은 kubeconfig 환경 변수를 내보내거나 --kubeconfig 명령줄 플래그를 호출하여 수행할 수 있습니다. 자세한 내용은 아래 예시를 참고하세요.","s":"클러스터 접근","u":"/kr/cluster-access","p":2546},{"i":2550,"t":"이 섹션에는 K3s를 실행하고 관리할 수 있는 다양한 방법과 K3s 사용을 위해 호스트 OS를 준비하는 데 필요한 단계를 설명하는 고급 정보가 포함되어 있습니다.","s":"고급 옵션 / 설정","u":"/kr/advanced","p":2550},{"i":2609,"t":"The way K3s is backed up and restored depends on which type of datastore is used.","s":"Backup and Restore","u":"/kr/datastore/backup-restore","p":2609},{"i":2617,"t":"This section describes how to install an external load balancer in front of a High Availability (HA) K3s cluster's server nodes. Two examples are provided: Nginx and HAProxy.","s":"Cluster Load Balancer","u":"/kr/datastore/cluster-loadbalancer","p":2617},{"i":2625,"t":"K3s uses tokens to secure the node join process. Tokens authenticate the cluster to the joining node, and the node to the cluster.","s":"k3s token","u":"/kr/cli/token","p":2625},{"i":2642,"t":"In this section, you'll learn how to configure the K3s server.","s":"k3s server","u":"/kr/cli/server","p":2642},{"i":2676,"t":"etcd가 아닌 다른 데이터스토어를 사용하여 쿠버네티스를 실행할 수 있는 기능은 K3s를 다른 쿠버네티스 배포판과 차별화합니다. 이 기능은 쿠버네티스 운영자에게 유연성을 제공합니다. 사용 가능한 데이터스토어 옵션을 통해 사용 사례에 가장 적합한 데이터스토어를 선택할 수 있습니다. 예를 들어:","s":"클러스터 데이터 저장소","u":"/kr/datastore","p":2676},{"i":2682,"t":"Embedded etcd (HA) may have performance issues on slower disks such as Raspberry Pis running with SD cards.","s":"High Availability Embedded etcd","u":"/kr/datastore/ha-embedded","p":2682},{"i":2688,"t":"자주 묻는 질문은 주기적으로 업데이트되며, 사용자가 K3s에 대해 가장 자주 묻는 질문에 대한 답변으로 구성되어 있습니다.","s":"자주 묻는 질문","u":"/kr/faq","p":2688},{"i":2708,"t":"This section contains instructions for installing K3s in various environments. Please ensure you have met the Requirements before you begin installing K3s.","s":"Installation","u":"/kr/installation","p":2708},{"i":2710,"t":"헬름(Helm)은 쿠버네티스를 위한 패키지 관리 도구입니다. 헬름 차트는 쿠버네티스 YAML 매니페스트 문서를 위한 템플릿 구문을 제공합니다. 개발자 또는 클러스터 관리자는 헬름을 사용하여 정적 매니페스트만 사용하는 대신 차트라는 구성 가능한 템플릿을 만들 수 있다. 자신만의 차트 카탈로그 생성에 대한 자세한 내용은 https://helm.sh/docs/intro/quickstart/에서 문서를 확인하세요.","s":"헬름(Helm)","u":"/kr/helm","p":2710},{"i":2718,"t":"Note: Official support for installing Rancher on a Kubernetes cluster was introduced in our v1.0.0 release.","s":"High Availability External DB","u":"/kr/datastore/ha","p":2718},{"i":2732,"t":"You can install K3s in an air-gapped environment using two different methods. An air-gapped environment is any environment that is not directly connected to the Internet. You can either deploy a private registry and mirror docker.io, or you can manually deploy images such as for small clusters.","s":"Air-Gap Install","u":"/kr/installation/airgap","p":2732},{"i":2751,"t":"Auto-Deploying Manifests (AddOns)","s":"Managing Packaged Components","u":"/kr/installation/packaged-components","p":2751},{"i":2766,"t":"Containerd can be configured to connect to private registries and use them to pull images as needed by the kubelet.","s":"Private Registry Configuration","u":"/kr/installation/private-registry","p":2766},{"i":2784,"t":"K3s is very lightweight, but has some minimum requirements as outlined below.","s":"Requirements","u":"/kr/installation/requirements","p":2784},{"i":2808,"t":"Starting the K3s server with --cluster-init will run all control-plane components, including the apiserver, controller-manager, scheduler, and etcd. It is possible to disable specific components in order to split the control-plane and etcd roles on to separate nodes.","s":"Managing Server Roles","u":"/kr/installation/server-roles","p":2808},{"i":2818,"t":"This page focuses on the options that are commonly used when setting up K3s for the first time. Refer to the documentation on Advanced Options and Configuration and the server and agent command documentation for more in-depth coverage.","s":"Configuration Options","u":"/kr/installation/configuration","p":2818},{"i":2830,"t":"Uninstalling K3s deletes the local cluster data, configuration, and all of the scripts and CLI tools.","s":"Uninstalling K3s","u":"/kr/installation/uninstall","p":2830},{"i":2836,"t":"The Embedded Registry Mirror is available as an experimental feature as of January 2024 releases: v1.26.13+k3s1, v1.27.10+k3s1, v1.28.6+k3s1, v1.29.1+k3s1","s":"Embedded Registry Mirror","u":"/kr/installation/registry-mirror","p":2836},{"i":2855,"t":"알려진 이슈는 주기적으로 업데이트되며, 다음 릴리스에서 즉시 해결되지 않을 수 있는 문제에 대해 알려드리기 위해 고안되었습니다.","s":"알려진 이슈","u":"/kr/known-issues","p":2855},{"i":2865,"t":"This section contains instructions for configuring networking in K3s.","s":"Networking","u":"/kr/networking","p":2865},{"i":2867,"t":"A K3s cluster can still be deployed on nodes which do not share a common private network and are not directly connected (e.g. nodes in different public clouds). There are two options to achieve this: the embedded k3s multicloud solution and the integration with the tailscale VPN provider.","s":"Distributed hybrid or multicloud cluster","u":"/kr/networking/distributed-multicloud","p":2867},{"i":2873,"t":"Multus CNI is a CNI plugin that enables attaching multiple network interfaces to pods. Multus does not replace CNI plugins, instead it acts as a CNI plugin multiplexer. Multus is useful in certain use cases, especially when pods are network intensive and require extra network interfaces that support dataplane acceleration techniques such as SR-IOV.","s":"Multus and IPAM plugins","u":"/kr/networking/multus-ipams","p":2873},{"i":2875,"t":"This page explains how CoreDNS, Traefik Ingress controller, Network Policy controller, and ServiceLB load balancer controller work within K3s.","s":"Networking Services","u":"/kr/networking/networking-services","p":2875},{"i":2897,"t":"K3s is a fast-moving project, and as such, we need a way to deprecate flags and configuration options. This page outlines the process for deprecating flags and configuration options. In order to ensure that users are not surprised by the removal of flags, the process is similar to the Kubernetes Deprecation Policy.","s":"Flag Deprecation","u":"/kr/reference/flag-deprecation","p":2897},{"i":2903,"t":"이 가이드는 기본 옵션으로 클러스터를 빠르게 시작하는 데 도움이 됩니다. 설치 섹션에서는 K3s를 설정하는 방법에 대해 자세히 설명합니다.","s":"빠른 시작 가이드","u":"/kr/quick-start","p":2903},{"i":2907,"t":"As mentioned in the Quick-Start Guide, you can use the installation script available at https://get.k3s.io to install K3s as a service on systemd and openrc based systems.","s":"Environment Variables","u":"/kr/reference/env-variables","p":2907},{"i":2909,"t":"This section captures the results of tests to determine minimum resource requirements for K3s.","s":"Resource Profiling","u":"/kr/reference/resource-profiling","p":2909},{"i":2933,"t":"Projects implementing the K3s distribution are welcome additions to help expand the community. This page will introduce you to a range of projects that are related to K3s and can help you further explore its capabilities and potential applications.","s":"Related Projects","u":"/kr/related-projects","p":2933},{"i":2941,"t":"This page describes K3s network configuration options, including configuration or replacement of Flannel, and configuring IPv6 or dualStack.","s":"Basic Network Options","u":"/kr/networking/basic-network-options","p":2941},{"i":2957,"t":"이 섹션에서는 K3s 클러스터를 보호하는 방법론과 수단에 대해 설명합니다. 두 섹션으로 나뉘어져 있습니다. 이 가이드는 K3s가 임베디드 etcd로 실행되고 있다고 가정합니다.","s":"보안","u":"/kr/security","p":2957},{"i":2959,"t":"K3s supports enabling secrets encryption at rest. When first starting the server, passing the flag --secrets-encryption will do the following automatically:","s":"Secrets Encryption Config","u":"/kr/security/secrets-encryption","p":2959},{"i":2963,"t":"이 페이지는 번역되지 않았습니다","s":"self-assessment-1.24","u":"/kr/security/self-assessment-1.24","p":2963},{"i":2965,"t":"이 페이지는 번역되지 않았습니다","s":"self-assessment-1.7","u":"/kr/security/self-assessment-1.7","p":2965},{"i":2967,"t":"이 페이지는 번역되지 않았습니다","s":"self-assessment-1.8","u":"/kr/security/self-assessment-1.8","p":2967},{"i":2969,"t":"데이터를 유지해야 하는 애플리케이션을 배포할 때는 퍼시스턴트 스토리지를 만들어야 합니다. 퍼시스턴트 스토리지를 사용하면 애플리케이션을 실행하는 파드 외부에 애플리케이션 데이터를 저장할 수 있습니다. 이 스토리지 방식을 사용하면 애플리케이션의 파드에 장애가 발생하더라도 애플리케이션 데이터를 유지할 수 있습니다.","s":"볼륨과 저장소","u":"/kr/storage","p":2969},{"i":2985,"t":"K3s 클러스터 업그레이드하기","s":"업그레이드","u":"/kr/upgrades","p":2985},{"i":2990,"t":"Overview","s":"Automated Upgrades","u":"/kr/upgrades/automated","p":2990},{"i":2997,"t":"To allow high availability during upgrades, the K3s containers continue running when the K3s service is stopped.","s":"Stopping K3s","u":"/kr/upgrades/killall","p":2997},{"i":2999,"t":"You can upgrade K3s by using the installation script, or by manually installing the binary of the desired version.","s":"Manual Upgrades","u":"/kr/upgrades/manual","p":2999},{"i":3009,"t":"경량의 쿠버네티스. 간편한 설치와 절반의 메모리, 모든걸 100MB 미만의 바이너리로 제공합니다.","s":"k3s란 무엇입니까?","u":"/kr/","p":3009},{"i":3013,"t":"This document provides prescriptive guidance for hardening a production installation of K3s. It outlines the configurations and controls required to address Kubernetes benchmark controls from the Center for Internet Security (CIS).","s":"CIS Hardening Guide","u":"/kr/security/hardening-guide","p":3013},{"i":3063,"t":"CIS Kubernetes Benchmark v1.23 - K3s with Kubernetes v1.22 to v1.24","s":"CIS Self Assessment Guide","u":"/kr/security/self-assessment-1.23","p":3063}],"index":{"version":"2.3.9","fields":["t"],"fieldVectors":[["t/2483",[0,0.463,1,2.276]],["t/2485",[0,0.437,1,2.287]],["t/2495",[0,0.561,2,2.749,3,4.024,4,4.024,5,2.242,6,4.024]],["t/2519",[7,3.459,8,5.478]],["t/2521",[0,0.477,9,2.754,10,3.039,11,4.514,12,4.514,13,3.42,14,3.42,15,4,16,4]],["t/2531",[17,5.262,18,3.074,19,5.262]],["t/2546",[1,2.3,20,2.011,21,4.525,22,2.011,23,1.72,24,1.27]],["t/2550",[0,0.508,1,2.295,25,2.942]],["t/2609",[0,0.507,26,3.639,27,4.255,28,3.639,29,4.255,30,4.255,31,4.255,32,4.255,33,2.162]],["t/2617",[0,0.385,2,1.885,7,2.038,18,1.885,34,2.759,35,1.754,36,3.226,37,2.759,38,2.759,39,3.226,40,2.759,41,2.759,42,3.226,43,2.221,44,2.451,45,3.226,46,2.451,47,3.226,48,3.226]],["t/2625",[0,0.437,33,1.865,43,3.895,49,4.983,50,3.138,51,4.983,52,3.138,53,3.67,54,2.911]],["t/2642",[0,0.561,2,2.749,3,4.024,4,4.024,5,2.242,18,2.749]],["t/2676",[0,0.273,1,2.319,55,1.574]],["t/2682",[41,3.227,55,2.598,56,2.867,57,3.774,58,3.774,59,3.774,60,3.774,61,2.598,62,3.774,63,3.774,64,2.867,65,3.774,66,3.774]],["t/2688",[0,0.415,1,2.294]],["t/2708",[0,0.583,2,2.086,35,2.659,67,2.713,68,3.054,69,3.572,70,3.054,71,3.572,72,3.054,73,3.572,74,2.256,75,3.572,76,3.572]],["t/2710",[1,2.32,23,1.746,77,2.042,78,2.042]],["t/2718",[9,2.839,24,2.604,35,2.242,54,2.409,79,4.124,80,4.124,81,4.124,82,3.526,83,4.124,84,3.526]],["t/2732",[0,0.322,33,1.374,35,1.47,44,2.054,54,1.579,61,1.861,70,4.087,85,4.01,86,4.01,87,2.312,88,2.703,89,2.312,90,2.054,91,2.312,92,3.046,93,2.054,94,2.054,95,2.312,96,2.703,97,2.312,98,2.312,99,2.703]],["t/2751",[92,3.846,100,5.062,101,5.062,102,5.062]],["t/2766",[5,1.965,33,2.095,90,3.133,93,3.133,94,3.133,98,3.526,103,4.124,104,4.124,105,3.526,106,4.124]],["t/2784",[0,0.542,74,2.87,107,4.545,108,4.545,109,3.887,110,3.453,111,4.545]],["t/2808",[0,0.322,18,1.579,43,1.861,54,1.579,55,2.76,64,2.054,112,2.054,113,2.703,114,3.631,115,4.01,116,4.01,117,2.312,118,2.703,119,2.703,120,2.703,121,2.703,122,2.703,123,2.703,124,2.312,125,2.703,126,2.703,127,2.703]],["t/2818",[0,0.359,5,1.434,6,2.572,14,2.572,18,1.757,28,2.572,33,1.528,128,1.9,129,3.008,130,2.985,131,3.008,132,3.008,133,2.572,134,3.008,135,3.008,136,3.707,137,3.008,138,3.008,139,3.008,140,3.008]],["t/2830",[0,0.491,5,1.965,54,2.409,141,4.124,142,4.124,143,4.124,144,4.124,145,3.133,146,4.124,147,4.124]],["t/2836",[7,2.383,56,2.867,84,3.227,94,2.867,95,3.227,148,3.774,149,3.774,150,3.774,151,3.774,152,3.774,153,3.774,154,3.774,155,3.774]],["t/2855",[1,2.305]],["t/2865",[0,0.561,2,2.749,5,2.242,67,3.575,68,4.024,156,2.972]],["t/2867",[0,0.478,43,2.76,44,2.054,46,2.054,54,1.579,56,2.054,87,2.312,89,2.312,90,2.054,92,2.054,93,2.054,130,1.861,156,1.707,157,2.703,158,2.703,159,2.703,160,2.703,161,2.703,162,2.703,163,2.703,164,2.703,165,2.703,166,2.703,167,2.703,168,2.703]],["t/2873",[9,1.497,10,1.652,33,1.726,61,1.497,74,1.373,156,2.64,169,4.18,170,4.725,171,4.18,172,2.175,173,2.175,174,3.397,175,3.397,176,1.86,177,2.175,178,2.175,179,2.175,180,2.175,181,2.175,182,2.175,183,2.175,184,2.175,185,2.175,186,2.175,187,2.175,188,2.175,189,2.175]],["t/2875",[0,0.415,37,2.975,38,2.975,114,4.18,128,2.197,156,2.197,190,3.479,191,3.479,192,3.479,193,3.479,194,2.975,195,3.479,196,3.479,197,3.479]],["t/2897",[0,0.31,5,1.855,24,1.641,26,2.222,52,3.329,61,1.789,72,2.222,105,2.222,110,1.974,124,2.222,128,1.641,130,2.68,194,2.222,198,2.598,199,2.598,200,2.222,201,4.668,202,3.992,203,2.598,204,2.598,205,2.598,206,2.598]],["t/2903",[0,0.394,1,2.3]],["t/2907",[0,0.415,7,2.197,33,1.767,35,2.611,112,2.643,145,2.643,207,3.479,208,3.479,209,3.479,210,3.479,211,2.975,212,3.479,213,3.479,214,3.479,215,3.479]],["t/2909",[0,0.507,2,2.486,74,2.687,109,3.639,216,4.255,217,4.255,218,4.255,219,4.255,220,4.255]],["t/2933",[0,0.525,82,2.632,128,1.944,200,3.768,221,3.077,222,3.077,223,3.077,224,3.077,225,4.407,226,3.077,227,3.077,228,3.077,229,3.077,230,3.077,231,3.077,232,3.077,233,3.077,234,3.077]],["t/2941",[0,0.45,5,2.735,34,3.227,117,3.227,128,2.383,130,2.598,156,2.383,176,3.227,235,3.774,236,3.774,237,3.774]],["t/2957",[0,0.525,1,2.289,55,2.119]],["t/2959",[0,0.426,9,2.459,10,2.713,11,4.183,12,4.183,13,3.054,18,2.086,112,2.713,133,3.054,202,3.054,238,3.572,239,3.572,240,3.572]],["t/2963",[1,2.191]],["t/2965",[1,2.191]],["t/2967",[1,2.191]],["t/2969",[1,2.327]],["t/2985",[0,0.627,1,2.007]],["t/2990",[241,5.712]],["t/2997",[0,0.617,7,2.453,40,3.321,64,2.95,67,2.95,211,3.321,242,3.884,243,3.884,244,3.321,245,3.884,246,3.884]],["t/2999",[0,0.491,33,2.095,35,2.927,97,3.526,145,3.133,244,3.526,247,4.124,248,4.124,249,4.124]],["t/3009",[1,2.269,250,4]],["t/3013",[0,0.375,5,1.501,24,1.989,35,1.712,46,2.393,50,2.694,74,1.989,91,2.694,110,2.393,114,3.404,136,2.694,251,3.15,252,3.15,253,3.15,254,3.15,255,3.15,256,2.694,257,3.15,258,2.694]],["t/3063",[0,0.524,24,3.544,256,3.758,258,3.758,259,4.395,260,4.395,261,4.395]]],"invertedIndex":[["",{"_index":1,"t":{"2483":{"position":[[4,6],[11,4],[16,3],[20,3],[24,2],[27,2],[30,2],[33,2],[36,3],[40,4],[45,5]]},"2485":{"position":[[0,1],[2,6],[9,4],[18,2],[21,5],[27,5],[33,2],[36,2],[39,2],[42,6],[49,4],[54,2],[57,6]]},"2546":{"position":[[27,3],[42,3],[46,5],[52,5],[58,2],[61,4],[66,4],[71,1],[73,6],[88,2],[97,2],[100,4],[116,3],[120,3],[124,3],[128,2],[131,3],[146,3],[150,4],[155,4],[160,1],[162,3],[177,2],[180,3],[184,5],[203,3],[207,4],[212,4],[217,3],[221,1],[223,5],[229,3],[233,3],[237,2],[240,3],[244,6]]},"2550":{"position":[[0,1],[2,4],[12,4],[17,3],[21,1],[23,2],[26,3],[30,3],[38,3],[42,2],[45,3],[53,4],[58,1],[60,3],[64,3],[68,4],[73,2],[76,3],[80,4],[85,5]]},"2676":{"position":[[6,2],[9,2],[12,7],[20,4],[25,6],[32,3],[36,1],[38,2],[41,3],[50,2],[53,5],[59,4],[64,7],[72,1],[74,3],[78,5],[84,5],[90,4],[95,6],[102,2],[105,3],[109,6],[116,3],[120,2],[123,2],[126,3],[130,2],[133,3],[137,7],[145,3],[149,1],[151,5],[157,2],[160,3]]},"2688":{"position":[[0,2],[3,2],[6,3],[10,5],[16,7],[24,4],[34,2],[37,2],[40,2],[43,2],[46,3],[50,2],[53,4],[58,4],[63,5]]},"2710":{"position":[[10,6],[17,2],[20,3],[24,2],[27,6],[34,2],[37,3],[41,5],[52,5],[58,3],[62,2],[65,3],[69,3],[73,6],[80,3],[84,2],[87,4],[92,4],[97,3],[101,4],[106,2],[109,6],[116,4],[121,2],[124,4],[129,2],[132,3],[136,4],[141,2],[144,1],[146,3],[150,4],[155,2],[158,4],[163,3],[167,2],[170,3],[174,3],[219,3],[223,6]]},"2855":{"position":[[0,3],[4,3],[8,5],[14,7],[22,2],[25,5],[31,2],[34,4],[39,2],[42,1],[44,2],[47,3],[51,2],[54,5],[60,2],[63,8]]},"2903":{"position":[[0,1],[2,4],[7,2],[10,4],[15,5],[21,3],[25,4],[30,1],[32,3],[36,4],[41,2],[44,5],[55,4],[60,3],[64,2],[67,3],[71,6]]},"2957":{"position":[[0,1],[2,5],[12,5],[18,4],[23,4],[28,3],[32,2],[35,6],[42,1],[44,4],[49,4],[54,5],[60,1],[62,4],[72,4],[83,4],[88,3],[92,6]]},"2963":{"position":[[0,1],[2,4],[7,4],[12,5]]},"2965":{"position":[[0,1],[2,4],[7,4],[12,5]]},"2967":{"position":[[0,1],[2,4],[7,4],[12,5]]},"2969":{"position":[[0,4],[5,4],[10,2],[13,7],[21,3],[25,2],[28,5],[34,5],[40,4],[45,4],[50,5],[56,5],[62,4],[67,7],[75,4],[80,2],[83,3],[87,6],[94,4],[99,3],[103,1],[105,5],[111,1],[113,4],[118,3],[122,4],[127,7],[135,3],[139,3],[143,6],[150,6],[157,4],[162,3],[166,1],[168,5]]},"2985":{"position":[[4,4],[9,7]]},"3009":{"position":[[0,3],[4,6],[11,3],[15,3],[19,3],[23,4],[28,3],[38,3],[42,5],[48,6]]}}}],["100mb",{"_index":250,"t":{"3009":{"position":[[32,5]]}}}],["2024",{"_index":151,"t":{"2836":{"position":[[83,4]]}}}],["acceler",{"_index":186,"t":{"2873":{"position":[[311,12]]}}}],["achiev",{"_index":163,"t":{"2867":{"position":[[186,7]]}}}],["act",{"_index":178,"t":{"2873":{"position":[[135,4]]}}}],["addit",{"_index":224,"t":{"2933":{"position":[[55,9]]}}}],["addon",{"_index":102,"t":{"2751":{"position":[[25,8]]}}}],["address",{"_index":255,"t":{"3013":{"position":[[149,7]]}}}],["advanc",{"_index":137,"t":{"2818":{"position":[[126,8]]}}}],["agent",{"_index":6,"t":{"2495":{"position":[[55,6]]},"2818":{"position":[[180,5]]}}}],["air",{"_index":85,"t":{"2732":{"position":[[26,3],[81,3]]}}}],["allow",{"_index":242,"t":{"2997":{"position":[[3,5]]}}}],["apiserv",{"_index":118,"t":{"2808":{"position":[[97,10]]}}}],["applic",{"_index":234,"t":{"2933":{"position":[[235,13]]}}}],["attach",{"_index":172,"t":{"2873":{"position":[[40,9]]}}}],["authent",{"_index":53,"t":{"2625":{"position":[[56,12]]}}}],["auto",{"_index":100,"t":{"2751":{"position":[[0,4]]}}}],["automat",{"_index":240,"t":{"2959":{"position":[[142,14]]}}}],["avail",{"_index":7,"t":{"2519":{"position":[[0,9]]},"2617":{"position":[[83,12]]},"2836":{"position":[[32,9]]},"2907":{"position":[[75,9]]},"2997":{"position":[[14,12]]}}}],["back",{"_index":27,"t":{"2609":{"position":[[15,6]]}}}],["balanc",{"_index":38,"t":{"2617":{"position":[[55,8]]},"2875":{"position":[[106,8]]}}}],["base",{"_index":214,"t":{"2907":{"position":[[157,5]]}}}],["befor",{"_index":75,"t":{"2708":{"position":[[123,6]]}}}],["begin",{"_index":76,"t":{"2708":{"position":[[134,5]]}}}],["below",{"_index":111,"t":{"2784":{"position":[[71,6]]}}}],["benchmark",{"_index":256,"t":{"3013":{"position":[[168,9]]},"3063":{"position":[[15,9]]}}}],["binari",{"_index":247,"t":{"2999":{"position":[[84,6]]}}}],["capabl",{"_index":232,"t":{"2933":{"position":[[208,12]]}}}],["captur",{"_index":216,"t":{"2909":{"position":[[13,8]]}}}],["card",{"_index":66,"t":{"2682":{"position":[[101,6]]}}}],["case",{"_index":181,"t":{"2873":{"position":[[201,6]]}}}],["center",{"_index":257,"t":{"3013":{"position":[[196,6]]}}}],["certain",{"_index":180,"t":{"2873":{"position":[[189,7]]}}}],["certif",{"_index":19,"t":{"2531":{"position":[[18,12]]}}}],["ci",{"_index":258,"t":{"3013":{"position":[[225,6]]},"3063":{"position":[[0,3]]}}}],["cli",{"_index":146,"t":{"2830":{"position":[[91,3]]}}}],["client",{"_index":17,"t":{"2531":{"position":[[0,6]]}}}],["cloud",{"_index":162,"t":{"2867":{"position":[[152,8]]}}}],["cluster",{"_index":54,"t":{"2625":{"position":[[73,7],[122,8]]},"2718":{"position":[[62,7]]},"2732":{"position":[[286,9]]},"2808":{"position":[[31,7]]},"2830":{"position":[[35,7]]},"2867":{"position":[[6,7]]}}}],["cluster'",{"_index":42,"t":{"2617":{"position":[[105,9]]}}}],["cni",{"_index":170,"t":{"2873":{"position":[[7,3],[16,3],[111,3],[145,3]]}}}],["command",{"_index":138,"t":{"2818":{"position":[[186,7]]}}}],["common",{"_index":159,"t":{"2867":{"position":[[66,6]]}}}],["commonli",{"_index":131,"t":{"2818":{"position":[[42,8]]}}}],["commun",{"_index":227,"t":{"2933":{"position":[[84,10]]}}}],["compon",{"_index":116,"t":{"2808":{"position":[[71,11],[184,10]]}}}],["configur",{"_index":5,"t":{"2495":{"position":[[37,9]]},"2642":{"position":[[37,9]]},"2766":{"position":[[18,10]]},"2818":{"position":[[147,13]]},"2830":{"position":[[49,14]]},"2865":{"position":[[39,11]]},"2897":{"position":[[80,13],[160,13]]},"2941":{"position":[[32,13],[65,13],[110,11]]},"3013":{"position":[[109,14]]}}}],["connect",{"_index":90,"t":{"2732":{"position":[[144,9]]},"2766":{"position":[[32,7]]},"2867":{"position":[[110,9]]}}}],["contain",{"_index":67,"t":{"2708":{"position":[[13,8]]},"2865":{"position":[[13,8]]},"2997":{"position":[[52,10]]}}}],["containerd",{"_index":103,"t":{"2766":{"position":[[0,10]]}}}],["continu",{"_index":245,"t":{"2997":{"position":[[63,8]]}}}],["control",{"_index":114,"t":{"2808":{"position":[[57,7],[108,10],[217,7]]},"2875":{"position":[[48,11],[75,11],[115,10]]},"3013":{"position":[[128,8],[178,8]]}}}],["coredn",{"_index":191,"t":{"2875":{"position":[[23,8]]}}}],["coverag",{"_index":140,"t":{"2818":{"position":[[226,9]]}}}],["data",{"_index":144,"t":{"2830":{"position":[[43,5]]}}}],["dataplan",{"_index":185,"t":{"2873":{"position":[[301,9]]}}}],["datastor",{"_index":32,"t":{"2609":{"position":[[63,9]]}}}],["delet",{"_index":142,"t":{"2830":{"position":[[17,7]]}}}],["depend",{"_index":30,"t":{"2609":{"position":[[38,7]]}}}],["deploy",{"_index":92,"t":{"2732":{"position":[[186,6],[254,6]]},"2751":{"position":[[5,9]]},"2867":{"position":[[27,8]]}}}],["deprec",{"_index":201,"t":{"2897":{"position":[[60,9],[138,11],[297,11]]}}}],["depth",{"_index":139,"t":{"2818":{"position":[[220,5]]}}}],["describ",{"_index":34,"t":{"2617":{"position":[[13,9]]},"2941":{"position":[[10,9]]}}}],["desir",{"_index":248,"t":{"2999":{"position":[[98,7]]}}}],["determin",{"_index":219,"t":{"2909":{"position":[[46,9]]}}}],["differ",{"_index":87,"t":{"2732":{"position":[[59,9]]},"2867":{"position":[[135,9]]}}}],["directli",{"_index":89,"t":{"2732":{"position":[[135,8]]},"2867":{"position":[[101,8]]}}}],["disabl",{"_index":122,"t":{"2808":{"position":[[167,7]]}}}],["disk",{"_index":60,"t":{"2682":{"position":[[57,5]]}}}],["distribut",{"_index":222,"t":{"2933":{"position":[[30,12]]}}}],["docker.io",{"_index":96,"t":{"2732":{"position":[[223,10]]}}}],["document",{"_index":136,"t":{"2818":{"position":[[109,13],[194,13]]},"3013":{"position":[[5,8]]}}}],["dualstack",{"_index":237,"t":{"2941":{"position":[[130,10]]}}}],["dure",{"_index":243,"t":{"2997":{"position":[[27,6]]}}}],["e.g",{"_index":160,"t":{"2867":{"position":[[120,5]]}}}],["embed",{"_index":56,"t":{"2682":{"position":[[0,8]]},"2836":{"position":[[4,8]]},"2867":{"position":[[204,8]]}}}],["enabl",{"_index":10,"t":{"2521":{"position":[[13,8]]},"2873":{"position":[[32,7]]},"2959":{"position":[[13,8]]}}}],["encrypt",{"_index":12,"t":{"2521":{"position":[[30,10],[84,11]]},"2959":{"position":[[30,10],[109,10]]}}}],["ensur",{"_index":72,"t":{"2708":{"position":[[86,6]]},"2897":{"position":[[195,6]]}}}],["environ",{"_index":70,"t":{"2708":{"position":[[65,13]]},"2732":{"position":[[37,11],[92,11],[111,11]]}}}],["especi",{"_index":182,"t":{"2873":{"position":[[208,10]]}}}],["etc/rancher/k3s/k3s.yaml",{"_index":20,"t":{"2546":{"position":[[0,26]]}}}],["etcd",{"_index":55,"t":{"2676":{"position":[[0,5]]},"2682":{"position":[[9,4]]},"2808":{"position":[[143,5],[235,4]]},"2957":{"position":[[77,5]]}}}],["exampl",{"_index":45,"t":{"2617":{"position":[[133,8]]}}}],["expand",{"_index":226,"t":{"2933":{"position":[[73,6]]}}}],["experiment",{"_index":148,"t":{"2836":{"position":[[48,12]]}}}],["explain",{"_index":190,"t":{"2875":{"position":[[10,8]]}}}],["explor",{"_index":231,"t":{"2933":{"position":[[196,7]]}}}],["extern",{"_index":36,"t":{"2617":{"position":[[41,8]]}}}],["extra",{"_index":184,"t":{"2873":{"position":[[263,5]]}}}],["fast",{"_index":198,"t":{"2897":{"position":[[9,4]]}}}],["featur",{"_index":149,"t":{"2836":{"position":[[61,7]]}}}],["first",{"_index":133,"t":{"2818":{"position":[[84,5]]},"2959":{"position":[[55,5]]}}}],["flag",{"_index":202,"t":{"2897":{"position":[[70,5],[150,5],[249,6]]},"2959":{"position":[[94,4]]}}}],["flannel",{"_index":235,"t":{"2941":{"position":[[97,8]]}}}],["focus",{"_index":129,"t":{"2818":{"position":[[10,7]]}}}],["follow",{"_index":239,"t":{"2959":{"position":[[132,9]]}}}],["front",{"_index":39,"t":{"2617":{"position":[[67,5]]}}}],["further",{"_index":230,"t":{"2933":{"position":[[188,7]]}}}],["gap",{"_index":86,"t":{"2732":{"position":[[30,6],[85,6]]}}}],["guid",{"_index":209,"t":{"2907":{"position":[[32,6]]}}}],["guidanc",{"_index":252,"t":{"3013":{"position":[[36,8]]}}}],["ha",{"_index":41,"t":{"2617":{"position":[[96,4]]},"2682":{"position":[[14,4]]}}}],["haproxi",{"_index":48,"t":{"2617":{"position":[[166,8]]}}}],["harden",{"_index":253,"t":{"3013":{"position":[[49,9]]}}}],["helm",{"_index":23,"t":{"2546":{"position":[[91,5]]},"2710":{"position":[[0,9]]}}}],["help",{"_index":225,"t":{"2933":{"position":[[68,4],[179,4]]}}}],["high",{"_index":40,"t":{"2617":{"position":[[78,4]]},"2997":{"position":[[9,4]]}}}],["https://get.k3s.io",{"_index":210,"t":{"2907":{"position":[[88,18]]}}}],["https://helm.sh/docs/intro/quickstart",{"_index":78,"t":{"2710":{"position":[[178,40]]}}}],["imag",{"_index":98,"t":{"2732":{"position":[[261,6]]},"2766":{"position":[[83,6]]}}}],["implement",{"_index":221,"t":{"2933":{"position":[[9,12]]}}}],["includ",{"_index":117,"t":{"2808":{"position":[[83,9]]},"2941":{"position":[[55,9]]}}}],["inform",{"_index":15,"t":{"2521":{"position":[[59,12]]}}}],["ingress",{"_index":193,"t":{"2875":{"position":[[40,7]]}}}],["init",{"_index":113,"t":{"2808":{"position":[[39,4]]}}}],["instal",{"_index":35,"t":{"2617":{"position":[[30,7]]},"2708":{"position":[[39,10],[140,10]]},"2718":{"position":[[27,10]]},"2732":{"position":[[8,7]]},"2907":{"position":[[55,12],[110,7]]},"2999":{"position":[[33,12],[69,10]]},"3013":{"position":[[72,12]]}}}],["instead",{"_index":177,"t":{"2873":{"position":[[124,7]]}}}],["instruct",{"_index":68,"t":{"2708":{"position":[[22,12]]},"2865":{"position":[[22,12]]}}}],["integr",{"_index":166,"t":{"2867":{"position":[[245,11]]}}}],["intens",{"_index":183,"t":{"2873":{"position":[[241,9]]}}}],["interfac",{"_index":174,"t":{"2873":{"position":[[67,10],[277,10]]}}}],["internet",{"_index":91,"t":{"2732":{"position":[[161,9]]},"3013":{"position":[[207,8]]}}}],["introduc",{"_index":82,"t":{"2718":{"position":[[74,10]]},"2933":{"position":[[110,9]]}}}],["iov",{"_index":189,"t":{"2873":{"position":[[346,4]]}}}],["ipv6",{"_index":236,"t":{"2941":{"position":[[122,4]]}}}],["issu",{"_index":58,"t":{"2682":{"position":[[40,6]]}}}],["januari",{"_index":150,"t":{"2836":{"position":[[75,7]]}}}],["join",{"_index":51,"t":{"2625":{"position":[[35,4],[88,7]]}}}],["k3",{"_index":0,"t":{"2483":{"position":[[0,3]]},"2485":{"position":[[14,3]]},"2495":{"position":[[51,3]]},"2521":{"position":[[0,3]]},"2550":{"position":[[7,4],[34,3]]},"2609":{"position":[[8,3]]},"2617":{"position":[[101,3]]},"2625":{"position":[[0,3]]},"2642":{"position":[[51,3]]},"2676":{"position":[[45,4]]},"2688":{"position":[[29,4]]},"2708":{"position":[[50,3],[151,4]]},"2732":{"position":[[16,3]]},"2784":{"position":[[0,3]]},"2808":{"position":[[13,3]]},"2818":{"position":[[72,3]]},"2830":{"position":[[13,3]]},"2865":{"position":[[65,4]]},"2867":{"position":[[2,3],[213,3]]},"2875":{"position":[[138,4]]},"2897":{"position":[[0,3]]},"2903":{"position":[[50,4]]},"2907":{"position":[[118,3]]},"2909":{"position":[[90,4]]},"2933":{"position":[[26,3],[167,3]]},"2941":{"position":[[20,3]]},"2957":{"position":[[8,3],[67,4]]},"2959":{"position":[[0,3]]},"2985":{"position":[[0,3]]},"2997":{"position":[[48,3],[89,3]]},"2999":{"position":[[16,3]]},"3013":{"position":[[88,4]]},"3063":{"position":[[33,3]]}}}],["kubeconfig",{"_index":21,"t":{"2546":{"position":[[31,10],[135,10],[166,10],[192,10]]}}}],["kubectl",{"_index":22,"t":{"2546":{"position":[[80,7]]}}}],["kubelet",{"_index":106,"t":{"2766":{"position":[[107,8]]}}}],["kubernet",{"_index":24,"t":{"2546":{"position":[[105,10]]},"2718":{"position":[[51,10]]},"2897":{"position":[[286,10]]},"3013":{"position":[[157,10]]},"3063":{"position":[[4,10],[42,10]]}}}],["learn",{"_index":4,"t":{"2495":{"position":[[24,5]]},"2642":{"position":[[24,5]]}}}],["lightweight",{"_index":108,"t":{"2784":{"position":[[12,12]]}}}],["load",{"_index":37,"t":{"2617":{"position":[[50,4]]},"2875":{"position":[[101,4]]}}}],["local",{"_index":143,"t":{"2830":{"position":[[29,5]]}}}],["manag",{"_index":119,"t":{"2808":{"position":[[119,8]]}}}],["manifest",{"_index":101,"t":{"2751":{"position":[[15,9]]}}}],["manual",{"_index":97,"t":{"2732":{"position":[[245,8]]},"2999":{"position":[[60,8]]}}}],["mention",{"_index":207,"t":{"2907":{"position":[[3,9]]}}}],["met",{"_index":73,"t":{"2708":{"position":[[102,3]]}}}],["method",{"_index":88,"t":{"2732":{"position":[[69,8]]}}}],["minimum",{"_index":109,"t":{"2784":{"position":[[38,7]]},"2909":{"position":[[56,7]]}}}],["mirror",{"_index":95,"t":{"2732":{"position":[[216,6]]},"2836":{"position":[[22,6]]}}}],["more",{"_index":14,"t":{"2521":{"position":[[54,4]]},"2818":{"position":[[212,4]]}}}],["move",{"_index":199,"t":{"2897":{"position":[[14,6]]}}}],["multicloud",{"_index":164,"t":{"2867":{"position":[[217,10]]}}}],["multipl",{"_index":173,"t":{"2873":{"position":[[50,8]]}}}],["multiplex",{"_index":179,"t":{"2873":{"position":[[156,12]]}}}],["multu",{"_index":169,"t":{"2873":{"position":[[0,6],[87,6],[169,6]]}}}],["need",{"_index":105,"t":{"2766":{"position":[[93,6]]},"2897":{"position":[[46,4]]}}}],["network",{"_index":156,"t":{"2865":{"position":[[51,10]]},"2867":{"position":[[81,7]]},"2873":{"position":[[59,7],[233,7],[269,7]]},"2875":{"position":[[60,7]]},"2941":{"position":[[24,7]]}}}],["nginx",{"_index":47,"t":{"2617":{"position":[[156,5]]}}}],["node",{"_index":43,"t":{"2617":{"position":[[122,6]]},"2625":{"position":[[30,4],[96,5],[110,4]]},"2808":{"position":[[261,6]]},"2867":{"position":[[39,5],[126,5]]}}}],["note",{"_index":79,"t":{"2718":{"position":[[0,5]]}}}],["offici",{"_index":80,"t":{"2718":{"position":[[6,8]]}}}],["openrc",{"_index":213,"t":{"2907":{"position":[[150,6]]}}}],["option",{"_index":130,"t":{"2818":{"position":[[25,7],[135,7]]},"2867":{"position":[[175,7]]},"2897":{"position":[[94,8],[174,8]]},"2941":{"position":[[46,8]]}}}],["order",{"_index":124,"t":{"2808":{"position":[[198,5]]},"2897":{"position":[[186,5]]}}}],["os",{"_index":25,"t":{"2550":{"position":[[49,3]]}}}],["outlin",{"_index":110,"t":{"2784":{"position":[[62,8]]},"2897":{"position":[[113,8]]},"3013":{"position":[[96,8]]}}}],["overview",{"_index":241,"t":{"2990":{"position":[[0,8]]}}}],["page",{"_index":128,"t":{"2818":{"position":[[5,4]]},"2875":{"position":[[5,4]]},"2897":{"position":[[108,4]]},"2933":{"position":[[100,4]]},"2941":{"position":[[5,4]]}}}],["pass",{"_index":238,"t":{"2959":{"position":[[82,7]]}}}],["perform",{"_index":57,"t":{"2682":{"position":[[28,11]]}}}],["pi",{"_index":63,"t":{"2682":{"position":[[81,3]]}}}],["plane",{"_index":115,"t":{"2808":{"position":[[65,5],[225,5]]}}}],["pleas",{"_index":71,"t":{"2708":{"position":[[79,6]]}}}],["plugin",{"_index":171,"t":{"2873":{"position":[[20,6],[115,8],[149,6]]}}}],["pod",{"_index":175,"t":{"2873":{"position":[[81,5],[224,4]]}}}],["polici",{"_index":194,"t":{"2875":{"position":[[68,6]]},"2897":{"position":[[309,7]]}}}],["possibl",{"_index":121,"t":{"2808":{"position":[[155,8]]}}}],["potenti",{"_index":233,"t":{"2933":{"position":[[225,9]]}}}],["prescript",{"_index":251,"t":{"3013":{"position":[[23,12]]}}}],["privat",{"_index":93,"t":{"2732":{"position":[[195,7]]},"2766":{"position":[[43,7]]},"2867":{"position":[[73,7]]}}}],["process",{"_index":52,"t":{"2625":{"position":[[40,8]]},"2897":{"position":[[126,7],[260,7]]}}}],["product",{"_index":254,"t":{"3013":{"position":[[61,10]]}}}],["project",{"_index":200,"t":{"2897":{"position":[[21,8]]},"2933":{"position":[[0,8],[138,8]]}}}],["provid",{"_index":46,"t":{"2617":{"position":[[146,9]]},"2867":{"position":[[280,9]]},"3013":{"position":[[14,8]]}}}],["public",{"_index":161,"t":{"2867":{"position":[[145,6]]}}}],["pull",{"_index":104,"t":{"2766":{"position":[[78,4]]}}}],["quick",{"_index":208,"t":{"2907":{"position":[[20,5]]}}}],["rancher",{"_index":81,"t":{"2718":{"position":[[38,7]]}}}],["rang",{"_index":228,"t":{"2933":{"position":[[129,5]]}}}],["raspberri",{"_index":62,"t":{"2682":{"position":[[71,9]]}}}],["refer",{"_index":135,"t":{"2818":{"position":[[96,5]]}}}],["registri",{"_index":94,"t":{"2732":{"position":[[203,8]]},"2766":{"position":[[51,10]]},"2836":{"position":[[13,8]]}}}],["relat",{"_index":229,"t":{"2933":{"position":[[156,7]]}}}],["releas",{"_index":84,"t":{"2718":{"position":[[99,8]]},"2836":{"position":[[88,9]]}}}],["remov",{"_index":205,"t":{"2897":{"position":[[238,7]]}}}],["replac",{"_index":176,"t":{"2873":{"position":[[103,7]]},"2941":{"position":[[82,11]]}}}],["requir",{"_index":74,"t":{"2708":{"position":[[110,12]]},"2784":{"position":[[46,12]]},"2873":{"position":[[255,7]]},"2909":{"position":[[73,12]]},"3013":{"position":[[137,8]]}}}],["resourc",{"_index":220,"t":{"2909":{"position":[[64,8]]}}}],["rest",{"_index":13,"t":{"2521":{"position":[[44,5]]},"2959":{"position":[[44,5]]}}}],["restor",{"_index":29,"t":{"2609":{"position":[[29,8]]}}}],["result",{"_index":217,"t":{"2909":{"position":[[26,7]]}}}],["role",{"_index":126,"t":{"2808":{"position":[[240,5]]}}}],["run",{"_index":64,"t":{"2682":{"position":[[85,7]]},"2808":{"position":[[49,3]]},"2997":{"position":[[72,7]]}}}],["schedul",{"_index":120,"t":{"2808":{"position":[[128,10]]}}}],["script",{"_index":145,"t":{"2830":{"position":[[79,7]]},"2907":{"position":[[68,6]]},"2999":{"position":[[46,7]]}}}],["sd",{"_index":65,"t":{"2682":{"position":[[98,2]]}}}],["secret",{"_index":11,"t":{"2521":{"position":[[22,7],[76,7]]},"2959":{"position":[[22,7],[101,7]]}}}],["section",{"_index":2,"t":{"2495":{"position":[[8,8]]},"2617":{"position":[[5,7]]},"2642":{"position":[[8,8]]},"2708":{"position":[[5,7]]},"2865":{"position":[[5,7]]},"2909":{"position":[[5,7]]}}}],["secur",{"_index":50,"t":{"2625":{"position":[[19,6]]},"3013":{"position":[[216,8]]}}}],["see",{"_index":16,"t":{"2521":{"position":[[72,3]]}}}],["separ",{"_index":127,"t":{"2808":{"position":[[252,8]]}}}],["server",{"_index":18,"t":{"2531":{"position":[[11,6]]},"2617":{"position":[[115,6]]},"2642":{"position":[[55,7]]},"2808":{"position":[[17,6]]},"2818":{"position":[[169,6]]},"2959":{"position":[[74,7]]}}}],["servic",{"_index":211,"t":{"2907":{"position":[[127,7]]},"2997":{"position":[[93,7]]}}}],["servicelb",{"_index":195,"t":{"2875":{"position":[[91,9]]}}}],["set",{"_index":132,"t":{"2818":{"position":[[61,7]]}}}],["share",{"_index":158,"t":{"2867":{"position":[[58,5]]}}}],["similar",{"_index":206,"t":{"2897":{"position":[[271,7]]}}}],["slower",{"_index":59,"t":{"2682":{"position":[[50,6]]}}}],["small",{"_index":99,"t":{"2732":{"position":[[280,5]]}}}],["solut",{"_index":165,"t":{"2867":{"position":[[228,8]]}}}],["specif",{"_index":123,"t":{"2808":{"position":[[175,8]]}}}],["split",{"_index":125,"t":{"2808":{"position":[[207,5]]}}}],["sr",{"_index":188,"t":{"2873":{"position":[[343,2]]}}}],["start",{"_index":112,"t":{"2808":{"position":[[0,8]]},"2907":{"position":[[26,5]]},"2959":{"position":[[61,8]]}}}],["still",{"_index":157,"t":{"2867":{"position":[[18,5]]}}}],["stop",{"_index":246,"t":{"2997":{"position":[[104,8]]}}}],["such",{"_index":61,"t":{"2682":{"position":[[63,4]]},"2732":{"position":[[268,4]]},"2873":{"position":[[335,4]]},"2897":{"position":[[37,5]]}}}],["support",{"_index":9,"t":{"2521":{"position":[[4,8]]},"2718":{"position":[[15,7]]},"2873":{"position":[[293,7]]},"2959":{"position":[[4,8]]}}}],["surpris",{"_index":204,"t":{"2897":{"position":[[221,9]]}}}],["system",{"_index":215,"t":{"2907":{"position":[[163,8]]}}}],["systemd",{"_index":212,"t":{"2907":{"position":[[138,7]]}}}],["tailscal",{"_index":167,"t":{"2867":{"position":[[266,9]]}}}],["techniqu",{"_index":187,"t":{"2873":{"position":[[324,10]]}}}],["test",{"_index":218,"t":{"2909":{"position":[[37,5]]}}}],["time",{"_index":134,"t":{"2818":{"position":[[90,5]]}}}],["token",{"_index":49,"t":{"2625":{"position":[[9,6],[49,6]]}}}],["tool",{"_index":147,"t":{"2830":{"position":[[95,6]]}}}],["traefik",{"_index":192,"t":{"2875":{"position":[[32,7]]}}}],["two",{"_index":44,"t":{"2617":{"position":[[129,3]]},"2732":{"position":[[55,3]]},"2867":{"position":[[171,3]]}}}],["type",{"_index":31,"t":{"2609":{"position":[[55,4]]}}}],["uninstal",{"_index":141,"t":{"2830":{"position":[[0,12]]}}}],["up",{"_index":28,"t":{"2609":{"position":[[22,2]]},"2818":{"position":[[69,2]]}}}],["upgrad",{"_index":244,"t":{"2997":{"position":[[34,9]]},"2999":{"position":[[8,7]]}}}],["us",{"_index":33,"t":{"2609":{"position":[[76,5]]},"2625":{"position":[[4,4]]},"2732":{"position":[[49,5]]},"2766":{"position":[[66,3]]},"2818":{"position":[[51,4]]},"2873":{"position":[[179,6],[197,3]]},"2907":{"position":[[47,3]]},"2999":{"position":[[23,5]]}}}],["user",{"_index":203,"t":{"2897":{"position":[[207,5]]}}}],["v1.0.0",{"_index":83,"t":{"2718":{"position":[[92,6]]}}}],["v1.19.1+k3s1",{"_index":8,"t":{"2519":{"position":[[16,12]]}}}],["v1.22",{"_index":260,"t":{"3063":{"position":[[53,5]]}}}],["v1.23",{"_index":259,"t":{"3063":{"position":[[25,5]]}}}],["v1.24",{"_index":261,"t":{"3063":{"position":[[62,5]]}}}],["v1.26.13+k3s1",{"_index":152,"t":{"2836":{"position":[[98,14]]}}}],["v1.27.10+k3s1",{"_index":153,"t":{"2836":{"position":[[113,14]]}}}],["v1.28.6+k3s1",{"_index":154,"t":{"2836":{"position":[[128,13]]}}}],["v1.29.1+k3s1",{"_index":155,"t":{"2836":{"position":[[142,12]]}}}],["variou",{"_index":69,"t":{"2708":{"position":[[57,7]]}}}],["veri",{"_index":107,"t":{"2784":{"position":[[7,4]]}}}],["version",{"_index":249,"t":{"2999":{"position":[[106,8]]}}}],["vpn",{"_index":168,"t":{"2867":{"position":[[276,3]]}}}],["way",{"_index":26,"t":{"2609":{"position":[[4,3]]},"2897":{"position":[[53,3]]}}}],["welcom",{"_index":223,"t":{"2933":{"position":[[47,7]]}}}],["within",{"_index":197,"t":{"2875":{"position":[[131,6]]}}}],["work",{"_index":196,"t":{"2875":{"position":[[126,4]]}}}],["yaml",{"_index":77,"t":{"2710":{"position":[[47,4]]}}}],["you'll",{"_index":3,"t":{"2495":{"position":[[17,6]]},"2642":{"position":[[17,6]]}}}]],"pipeline":["stemmer"]}},{"documents":[],"index":{"version":"2.3.9","fields":["t"],"fieldVectors":[],"invertedIndex":[],"pipeline":["stemmer"]}},{"documents":[{"i":2484,"t":"K3s 바이너리에는 클러스터 관리에 도움이 되는 여러 가지 추가 도구가 포함되어 있습니다. Command Description k3s server 데이터스토어와 에이전트 컴포넌트 외에 쿠버네티스 apiserver, scheduler, controller-manager, 그리고 cloud-controller-manager 컴포넌트를 실행하는 K3s 서버 노드를 실행합니다. 자세한 내용은 k3s server 명령어 설명서를 참고하세요. k3s agent containerd, flannel, kube-router 네트워크 정책 컨트롤러와 쿠버네티스 kubelet 및 kube-proxy 구성 요소를 실행하는 K3s 에이전트 노드를 실행한다. 자세한 내용은 k3s agent 명령어 설명서를 참조하세요. k3s kubectl 임베드된 kubectl 명령을 실행합니다. 이것은 쿠버네티스 apiserver와 상호작용하기 위한 CLI입니다. KUBECONFIG 환경 변수가 설정되어 있지 않으면, 자동으로 /etc/rancher/k3s/k3s.yaml에서 kubeconfig를 사용하려고 시도합니다. k3s crictl 임베드된 crictl 명령을 실행합니다. 이것은 쿠버네티스의 컨테이너 런타임 인터페이스(CRI: Container Runtime Interface)와 상호 작용하기 위한 CLI입니다. 디버깅에 유용합니다. k3s ctr 내장된 ctr 명령을 실행합니다. 이는 K3s에서 사용하는 컨테이너 데몬인 containerd의 CLI입니다. 디버깅에 유용합니다. k3s token 부트스트랩 토큰을 관리합니다. 자세한 내용은 k3s token 명령어 설명서를 참조하세요. k3s etcd-snapshot K3s 클러스터 데이터의 온디맨드 백업을 수행하여 S3에 업로드합니다. 자세한 내용은 k3s etcd-snapshot 명령어 설명서를 참조하세요. k3s secrets-encrypt 클러스터에 시크릿을 저장할 때 암호화하도록 K3s를 구성합니다. 자세한 내용은 k3s secrets-encrypt 명령어 설명서를 참조하세요. k3s certificate K3s 인증서를 관리합니다. 자세한 내용은 k3s certificate 명령어 설명서를 참조하세요. k3s completion k3s용 셸 자동완성 스크립트를 생성합니다. k3s help 명령 목록 또는 한 명령어에 대한 도움말을 표시합니다.","s":"명령줄 도구","u":"/kr/cli","h":"","p":2483},{"i":2486,"t":"이 페이지에서는 고가용성 K3s 서버 클러스터의 아키텍처와 단일 노드 서버 클러스터와의 차이점에 대해 설명합니다. 또한 에이전트 노드가 K3s 서버에 등록되는 방법도 설명합니다. 서버 노드는 k3s server 명령을 실행하는 호스트로 정의되며, 컨트롤 플레인 및 데이터스토어 구성 요소는 K3s에서 관리합니다. 에이전트 노드는 데이터스토어 또는 컨트롤 플레인 구성 요소 없이 k3s agent 명령을 실행하는 호스트로 정의됩니다. 서버와 에이전트 모두 kubelet, 컨테이너 런타임 및 CNI를 실행합니다. 에이전트 없는 서버 실행에 대한 자세한 내용은 고급 옵션 설명서를 참조하세요.","s":"아키텍처","u":"/kr/architecture","h":"","p":2485},{"i":2488,"t":"다음 다이어그램은 임베디드 SQLite 데이터베이스가 있는 단일 노드 K3s 서버가 있는 클러스터의 예를 보여줍니다. 이 구성에서 각 에이전트 노드는 동일한 서버 노드에 등록됩니다. K3s 사용자는 서버 노드에서 K3s API를 호출하여 쿠버네티스 리소스를 조작할 수 있습니다.","s":"임베디드 DB가 있는 단일 서버 설정","u":"/kr/architecture","h":"#임베디드-db가-있는-단일-서버-설정","p":2485},{"i":2490,"t":"단일 서버 클러스터는 다양한 사용 사례를 충족할 수 있지만, Kubernetes 컨트롤 플레인의 가동 시간이 중요한 환경의 경우, HA 구성으로 K3s를 실행할 수 있습니다. HA K3s 클러스터는 다음과 같이 구성됩니다: 두 개 이상의 서버 노드가 Kubernetes API를 제공하고 다른 컨트롤 플레인 서비스를 실행합니다. 외부 데이터스토어(단일 서버 설정에 사용되는 임베디드 SQLite 데이터스토어와 반대)","s":"외부 DB가 있는 고가용성 K3s 서버","u":"/kr/architecture","h":"#외부-db가-있는-고가용성-k3s-서버","p":2485},{"i":2492,"t":"고가용성 서버 구성에서 각 노드는 아래 다이어그램과 같이 고정 등록 주소를 사용하여 Kubernetes API에 등록해야 합니다. 등록 후 에이전트 노드는 서버 노드 중 하나에 직접 연결을 설정합니다.","s":"에이전트 노드를 위한 고정 등록 주소","u":"/kr/architecture","h":"#에이전트-노드를-위한-고정-등록-주소","p":2485},{"i":2494,"t":"에이전트 노드는 k3s agent 프로세스에 의해 시작된 웹소켓 연결로 등록되며, 에이전트 프로세스의 일부로 실행되는 클라이언트 측 로드밸런서에 의해 연결이 유지됩니다. 이 로드 밸런서는 클러스터의 모든 서버에 대한 안정적인 연결을 유지하여 개별 서버의 중단을 허용하는 에이전시 서버에 대한 연결을 제공합니다. 에이전트는 노드 클러스터 시크릿과 노드에 대해 무작위로 생성된 비밀번호를 사용하여 서버에 등록하며, 이 비밀번호는 /etc/rancher/node/password에 저장됩니다. 서버는 개별 노드의 비밀번호를 쿠버네티스 시크릿으로 저장하며, 이후 모든 시도는 동일한 비밀번호를 사용해야 합니다. 노드 패스워드 시크릿은 .node-password.k3s 템플릿을 사용하는 이름으로 kube-system 네임스페이스에 저장됩니다. 이는 노드 ID의 무결성을 보호하기 위해 수행됩니다. 에이전트의 /etc/rancher/node 디렉터리가 제거되거나 기존 이름을 사용하여 노드에 다시 가입하려는 경우, 클러스터에서 노드를 삭제해야 합니다. 이렇게 하면 이전 노드 항목과 노드 비밀번호 시크릿이 모두 정리되고 노드가 클러스터에 (재)조인할 수 있습니다. 비고 K3s v1.20.2 이전 서버는 /var/lib/rancher/k3s/server/cred/node-passwd에 디스크에 비밀번호를 저장합니다. 호스트 이름을 자주 재사용하지만 노드 암호 시크릿을 제거할 수 없는 경우, --with-node-id 플래그를 사용하여 K3s 서버 또는 에이전트를 시작하면 호스트 이름에 고유 노드 ID를 자동으로 추가할 수 있습니다. 활성화하면 노드 ID는 /etc/rancher/node/에도 저장됩니다.","s":"에이전트 노드 등록 작동 방식","u":"/kr/architecture","h":"#에이전트-노드-등록-작동-방식","p":2485},{"i":2496,"t":"In this section, you'll learn how to configure the K3s agent. Note that servers also run an agent, so all flags listed on this page are also valid for use on servers. Options are documented on this page as CLI flags, but can also be passed as configuration file options. See the Configuration File documentation for more information on using YAML configuration files.","s":"k3s agent","u":"/kr/cli/agent","h":"","p":2495},{"i":2498,"t":"Flag Default Description -v value 0 Number for the log level verbosity --vmodule value N/A Comma-separated list of FILE_PATTERN=LOG_LEVEL settings for file-filtered logging --log value, -l value N/A Log to file --alsologtostderr N/A Log to standard error as well as file (if set)","s":"Logging","u":"/kr/cli/agent","h":"#logging","p":2495},{"i":2500,"t":"Flag Environment Variable Description --token value, -t value K3S_TOKEN Token to use for authentication --token-file value K3S_TOKEN_FILE Token file to use for authentication --server value, -s value K3S_URL Server to connect to","s":"Cluster Options","u":"/kr/cli/agent","h":"#cluster-options","p":2495},{"i":2502,"t":"Flag Default Description --data-dir value, -d value \"/var/lib/rancher/k3s\" Folder to hold state","s":"Data","u":"/kr/cli/agent","h":"#data","p":2495},{"i":2504,"t":"Flag Environment Variable Description --node-name value K3S_NODE_NAME Node name --with-node-id N/A Append id to node name --node-label value N/A Registering and starting kubelet with set of labels --node-taint value N/A Registering kubelet with set of taints --protect-kernel-defaults N/A Kernel tuning behavior. If set, error if kernel tunables are different from kubelet defaults. --selinux K3S_SELINUX Enable SELinux in containerd --lb-server-port value K3S_LB_SERVER_PORT Local port for supervisor client load-balancer. If the supervisor and apiserver are not colocated an additional port 1 less than this port will also be used for the apiserver client load-balancer. (default: 6444)","s":"Node","u":"/kr/cli/agent","h":"#node","p":2495},{"i":2506,"t":"Flag Default Description --container-runtime-endpoint value N/A Disable embedded containerd and use the CRI socket at the given path; when used with --docker this sets the cri-docker socket path --pause-image value \"docker.io/rancher/pause:3.1\" Customized pause image for containerd or docker sandbox --private-registry value \"/etc/rancher/k3s/registries.yaml\" Private registry configuration file","s":"Runtime","u":"/kr/cli/agent","h":"#runtime","p":2495},{"i":2508,"t":"Flag Environment Variable Description --node-ip value, -i value N/A IP address to advertise for node --node-external-ip value N/A External IP address to advertise for node --resolv-conf value K3S_RESOLV_CONF Kubelet resolv.conf file --flannel-iface value N/A Override default flannel interface --flannel-conf value N/A Override default flannel config file --flannel-cni-conf value N/A Override default flannel cni config file","s":"Networking","u":"/kr/cli/agent","h":"#networking","p":2495},{"i":2510,"t":"Flag Description --kubelet-arg value Customized flag for kubelet process --kube-proxy-arg value Customized flag for kube-proxy process","s":"Customized Flags","u":"/kr/cli/agent","h":"#customized-flags","p":2495},{"i":2512,"t":"Flag Description --rootless Run rootless --docker Use cri-dockerd instead of containerd --prefer-bundled-bin Prefer bundled userspace binaries over host binaries","s":"Experimental","u":"/kr/cli/agent","h":"#experimental","p":2495},{"i":2514,"t":"Flag Environment Variable Description --no-flannel N/A Use --flannel-backend=none --cluster-secret value K3S_CLUSTER_SECRET Use --token","s":"Deprecated","u":"/kr/cli/agent","h":"#deprecated","p":2495},{"i":2516,"t":"K3s agents can be configured with the options --node-label and --node-taint which adds a label and taint to the kubelet. The two options only add labels and/or taints at registration time, so they can only be added once and not changed after that again by running K3s commands. Below is an example showing how to add labels and a taint: --node-label foo=bar \\ --node-label hello=world \\ --node-taint key1=value1:NoExecute If you want to change node labels and taints after node registration you should use kubectl. Refer to the official Kubernetes documentation for details on how to add taints and node labels.","s":"Node Labels and Taints for Agents","u":"/kr/cli/agent","h":"#node-labels-and-taints-for-agents","p":2495},{"i":2518,"t":"If an option appears in brackets below, for example [$K3S_URL], it means that the option can be passed in as an environment variable of that name. NAME: k3s agent - Run node agent USAGE: k3s agent [OPTIONS] OPTIONS: --config FILE, -c FILE (config) Load configuration from FILE (default: \"/etc/rancher/k3s/config.yaml\") [$K3S_CONFIG_FILE] --debug (logging) Turn on debug logs [$K3S_DEBUG] -v value (logging) Number for the log level verbosity (default: 0) --vmodule value (logging) Comma-separated list of FILE_PATTERN=LOG_LEVEL settings for file-filtered logging --log value, -l value (logging) Log to file --alsologtostderr (logging) Log to standard error as well as file (if set) --token value, -t value (cluster) Token to use for authentication [$K3S_TOKEN] --token-file value (cluster) Token file to use for authentication [$K3S_TOKEN_FILE] --server value, -s value (cluster) Server to connect to [$K3S_URL] --data-dir value, -d value (agent/data) Folder to hold state (default: \"/var/lib/rancher/k3s\") --node-name value (agent/node) Node name [$K3S_NODE_NAME] --with-node-id (agent/node) Append id to node name --node-label value (agent/node) Registering and starting kubelet with set of labels --node-taint value (agent/node) Registering kubelet with set of taints --image-credential-provider-bin-dir value (agent/node) The path to the directory where credential provider plugin binaries are located (default: \"/var/lib/rancher/credentialprovider/bin\") --image-credential-provider-config value (agent/node) The path to the credential provider plugin config file (default: \"/var/lib/rancher/credentialprovider/config.yaml\") --selinux (agent/node) Enable SELinux in containerd [$K3S_SELINUX] --lb-server-port value (agent/node) Local port for supervisor client load-balancer. If the supervisor and apiserver are not colocated an additional port 1 less than this port will also be used for the apiserver client load-balancer. (default: 6444) [$K3S_LB_SERVER_PORT] --protect-kernel-defaults (agent/node) Kernel tuning behavior. If set, error if kernel tunables are different than kubelet defaults. --container-runtime-endpoint value (agent/runtime) Disable embedded containerd and use the CRI socket at the given path; when used with --docker this sets the docker socket path --pause-image value (agent/runtime) Customized pause image for containerd or docker sandbox (default: \"rancher/mirrored-pause:3.6\") --snapshotter value (agent/runtime) Override default containerd snapshotter (default: \"overlayfs\") --private-registry value (agent/runtime) Private registry configuration file (default: \"/etc/rancher/k3s/registries.yaml\") --node-ip value, -i value (agent/networking) IPv4/IPv6 addresses to advertise for node --node-external-ip value (agent/networking) IPv4/IPv6 external IP addresses to advertise for node --resolv-conf value (agent/networking) Kubelet resolv.conf file [$K3S_RESOLV_CONF] --flannel-iface value (agent/networking) Override default flannel interface --flannel-conf value (agent/networking) Override default flannel config file --flannel-cni-conf value (agent/networking) Override default flannel cni config file --kubelet-arg value (agent/flags) Customized flag for kubelet process --kube-proxy-arg value (agent/flags) Customized flag for kube-proxy process --rootless (experimental) Run rootless --prefer-bundled-bin (experimental) Prefer bundled userspace binaries over host binaries --docker (agent/runtime) (experimental) Use cri-dockerd instead of containerd","s":"K3s Agent CLI Help","u":"/kr/cli/agent","h":"#k3s-agent-cli-help","p":2495},{"i":2520,"t":"Version Gate Available as of v1.19.1+k3s1 In this section, you'll learn how to create backups of the K3s embedded etcd datastore, and to restore the cluster from backup. Creating Snapshots​ Snapshots are enabled by default, at 00:00 and 12:00 system time, with 5 snapshots retained. To configure the snapshot interval or the number of retained snapshots, refer to the options. The snapshot directory defaults to ${data-dir}/server/db/snapshots. The data-dir value defaults to /var/lib/rancher/k3s and can be changed by setting the --data-dir flag. Restoring a Cluster from a Snapshot​ When K3s is restored from backup, the old data directory will be moved to ${data-dir}/server/db/etcd-old/. Then K3s will attempt to restore the snapshot by creating a new data directory, then starting etcd with a new K3s cluster with one etcd member. To restore the cluster from backup: Single Server High Availability Run K3s with the --cluster-reset option, with the --cluster-reset-restore-path also given: k3s server \\ --cluster-reset \\ --cluster-reset-restore-path= Result: A message in the logs says that K3s can be restarted without the flags. Start k3s again and should run successfully and be restored from the specified snapshot. In this example there are 3 servers, S1, S2, and S3. The snapshot is located on S1. On S1, start K3s with the --cluster-reset option, with the --cluster-reset-restore-path also given: k3s server \\ --cluster-reset \\ --cluster-reset-restore-path= Result: A message in the logs says that K3s can be restarted without the flags. On S2 and S3, stop K3s. Then delete the data directory, /var/lib/rancher/k3s/server/db/: systemctl stop k3s rm -rf /var/lib/rancher/k3s/server/db/ On S1, start K3s again: systemctl start k3s On S2 and S3, start K3s again to join the restored cluster: systemctl start k3s Options​ These options can be passed in with the command line, or in the configuration file, which may be easier to use. Options Description --etcd-disable-snapshots Disable automatic etcd snapshots --etcd-snapshot-schedule-cron value Snapshot interval time in cron spec. eg. every 5 hours 0 */5 * * *(default: 0 */12 * * *) --etcd-snapshot-retention value Number of snapshots to retain (default: 5) --etcd-snapshot-dir value Directory to save db snapshots. (Default location: ${data-dir}/db/snapshots) --cluster-reset Forget all peers and become sole member of a new cluster. This can also be set with the environment variable [$K3S_CLUSTER_RESET]. --cluster-reset-restore-path value Path to snapshot file to be restored S3 Compatible API Support​ K3s supports writing etcd snapshots to and restoring etcd snapshots from systems with S3-compatible APIs. S3 support is available for both on-demand and scheduled snapshots. The arguments below have been added to the server subcommand. These flags exist for the etcd-snapshot subcommand as well however the --etcd-s3 portion is removed to avoid redundancy. Options Description --etcd-s3 Enable backup to S3 --etcd-s3-endpoint S3 endpoint url --etcd-s3-endpoint-ca S3 custom CA cert to connect to S3 endpoint --etcd-s3-skip-ssl-verify Disables S3 SSL certificate validation --etcd-s3-access-key S3 access key --etcd-s3-secret-key S3 secret key --etcd-s3-bucket S3 bucket name --etcd-s3-region S3 region / bucket location (optional). defaults to us-east-1 --etcd-s3-folder S3 folder To perform an on-demand etcd snapshot and save it to S3: k3s etcd-snapshot \\ --s3 \\ --s3-bucket= \\ --s3-access-key= \\ --s3-secret-key= To perform an on-demand etcd snapshot restore from S3, first make sure that K3s isn't running. Then run the following commands: k3s server \\ --cluster-init \\ --cluster-reset \\ --etcd-s3 \\ --cluster-reset-restore-path= \\ --etcd-s3-bucket= \\ --etcd-s3-access-key= \\ --etcd-s3-secret-key= Etcd Snapshot and Restore Subcommands​ k3s supports a set of subcommands for working with your etcd snapshots. Subcommand Description delete Delete given snapshot(s) ls, list, l List snapshots prune Remove snapshots that exceed the configured retention count save Trigger an immediate etcd snapshot 비고 The save subcommand is the same as k3s etcd-snapshot. The latter will eventually be deprecated in favor of the former. These commands will perform as expected whether the etcd snapshots are stored locally or in an S3 compatible object store. For additional information on the etcd snapshot subcommands, run k3s etcd-snapshot. Delete a snapshot from S3. k3s etcd-snapshot delete \\ --s3 \\ --s3-bucket= \\ --s3-access-key= \\ --s3-secret-key= \\ Prune local snapshots with the default retention policy (5). The prune subcommand takes an additional flag --snapshot-retention that allows for overriding the default retention policy. k3s etcd-snapshot prune k3s etcd-snapshot prune --snapshot-retention 10","s":"k3s etcd-snapshot","u":"/kr/cli/etcd-snapshot","h":"","p":2519},{"i":2522,"t":"K3s supports enabling secrets encryption at rest. For more information, see Secrets Encryption.","s":"k3s secrets-encrypt","u":"/kr/cli/secrets-encrypt","h":"","p":2521},{"i":2524,"t":"Version Gate Available as of v1.21.8+k3s1 K3s contains a CLI tool secrets-encrypt, which enables automatic control over the following: Disabling/Enabling secrets encryption Adding new encryption keys Rotating and deleting encryption keys Reencrypting secrets warning Failure to follow proper procedure for rotating encryption keys can leave your cluster permanently corrupted. Proceed with caution.","s":"Secrets Encryption Tool","u":"/kr/cli/secrets-encrypt","h":"#secrets-encryption-tool","p":2521},{"i":2526,"t":"Single-Server High-Availability To rotate secrets encryption keys on a single-server cluster: Start the K3s server with the flag --secrets-encryption 비고 Starting K3s without encryption and enabling it at a later time is currently not supported. Prepare k3s secrets-encrypt prepare Kill and restart the K3s server with same arguments. If running K3s as a service: # If using systemd systemctl restart k3s # If using openrc rc-service k3s restart Rotate k3s secrets-encrypt rotate Kill and restart the K3s server with same arguments Reencrypt 정보 K3s will reencrypt ~5 secrets per second. Clusters with large # of secrets can take several minutes to reencrypt. k3s secrets-encrypt reencrypt The steps are the same for both embedded DB and external DB clusters. To rotate secrets encryption keys on HA setups: Notes Starting K3s without encryption and enabling it at a later time is currently not supported. While not required, it is recommended that you pick one server node from which to run the secrets-encrypt commands. Start up all three K3s servers with the --secrets-encryption flag. For brevity, the servers will be referred to as S1, S2, S3. Prepare on S1 k3s secrets-encrypt prepare Kill and restart S1 with same arguments. If running K3s as a service: # If using systemd systemctl restart k3s # If using openrc rc-service k3s restart Once S1 is up, kill and restart the S2 and S3 Rotate on S1 k3s secrets-encrypt rotate Kill and restart S1 with same arguments Once S1 is up, kill and restart the S2 and S3 Reencrypt on S1 정보 K3s will reencrypt ~5 secrets per second. Clusters with large # of secrets can take several minutes to reencrypt. k3s secrets-encrypt reencrypt Kill and restart S1 with same arguments Once S1 is up, kill and restart the S2 and S3","s":"Encryption Key Rotation","u":"/kr/cli/secrets-encrypt","h":"#encryption-key-rotation","p":2521},{"i":2528,"t":"Single-Server High-Availability After launching a server with --secrets-encryption flag, secrets encryption can be disabled. To disable secrets encryption on a single-node cluster: Disable k3s secrets-encrypt disable Kill and restart the K3s server with same arguments. If running K3s as a service: # If using systemd systemctl restart k3s # If using openrc rc-service k3s restart Reencrypt with flags k3s secrets-encrypt reencrypt --force --skip To re-enable secrets encryption on a single node cluster: Enable k3s secrets-encrypt enable Kill and restart the K3s server with same arguments Reencrypt with flags k3s secrets-encrypt reencrypt --force --skip After launching a HA cluster with --secrets-encryption flags, secrets encryption can be disabled. 비고 While not required, it is recommended that you pick one server node from which to run the secrets-encrypt commands. For brevity, the three servers used in this guide will be referred to as S1, S2, S3. To disable secrets encryption on a HA cluster: Disable on S1 k3s secrets-encrypt disable Kill and restart S1 with same arguments. If running K3s as a service: # If using systemd systemctl restart k3s # If using openrc rc-service k3s restart Once S1 is up, kill and restart the S2 and S3 Reencrypt with flags on S1 k3s secrets-encrypt reencrypt --force --skip To re-enable secrets encryption on a HA cluster: Enable on S1 k3s secrets-encrypt enable Kill and restart S1 with same arguments Once S1 is up, kill and restart the S2 and S3 Reencrypt with flags on S1 k3s secrets-encrypt reencrypt --force --skip","s":"Secrets Encryption Disable/Enable","u":"/kr/cli/secrets-encrypt","h":"#secrets-encryption-disableenable","p":2521},{"i":2530,"t":"The secrets-encrypt tool includes a status command that displays information about the current status of secrets encryption on the node. An example of the command on a single-server node: $ k3s secrets-encrypt status Encryption Status: Enabled Current Rotation Stage: start Server Encryption Hashes: All hashes match Active Key Type Name ------ -------- ---- * AES-CBC aescbckey Another example on HA cluster, after rotating the keys, but before restarting the servers: $ k3s secrets-encrypt status Encryption Status: Enabled Current Rotation Stage: rotate Server Encryption Hashes: hash does not match between node-1 and node-2 Active Key Type Name ------ -------- ---- * AES-CBC aescbckey-2021-12-10T22:54:38Z AES-CBC aescbckey Details on each section are as follows: Encryption Status: Displayed whether secrets encryption is disabled or enabled on the node Current Rotation Stage: Indicates the current rotation stage on the node. Stages are: start, prepare, rotate, reencrypt_request, reencrypt_active, reencrypt_finished Server Encryption Hashes: Useful for HA clusters, this indicates whether all servers are on the same stage with their local files. This can be used to identify whether a restart of servers is required before proceeding to the next stage. In the HA example above, node-1 and node-2 have different hashes, indicating that they currently do not have the same encryption configuration. Restarting the servers will sync up their configuration. Key Table: Summarizes information about the secrets encryption keys found on the node. Active: The \"*\" indicates which, if any, of the keys are currently used for secrets encryption. An active key is used by Kubernetes to encrypt any new secrets. Key Type: All keys using this tool are AES-CBC type. See more info here. Name: Name of the encryption key.","s":"Secrets Encryption Status","u":"/kr/cli/secrets-encrypt","h":"#secrets-encryption-status","p":2521},{"i":2533,"t":"K3s client and server certificates are valid for 365 days from their date of issuance. Any certificates that are expired, or within 90 days of expiring, are automatically renewed every time K3s starts.","s":"Client and Server Certificates","u":"/kr/cli/certificate","h":"#client-and-server-certificates","p":2531},{"i":2535,"t":"To rotate client and server certificates manually, use the k3s certificate rotate subcommand: # Stop K3s systemctl stop k3s # Rotate certificates k3s certificate rotate # Start K3s systemctl start k3s Individual or lists of certificates can be rotated by specifying the certificate name: k3s certificate rotate --service , The following certificates can be rotated: admin, api-server, controller-manager, scheduler, k3s-controller, k3s-server, cloud-controller, etcd, auth-proxy, kubelet, kube-proxy.","s":"Rotating Client and Server Certificates","u":"/kr/cli/certificate","h":"#rotating-client-and-server-certificates","p":2531},{"i":2537,"t":"Kubernetes requires a number of CA certificates for proper operation. For more information on how Kubernetes uses CA certificates, see the Kubernetes PKI Certificates and Requirements documentation. By default, K3s generates self-signed CA certificates during startup of the first server node. These CA certificates are valid for 10 years from date of issuance, and are not automatically renewed. The authoritative CA certificates and keys are stored within the datastore's bootstrap key, encrypted using the server token as the PBKDF2 passphrase with AES256-GCM and HMAC-SHA1. Copies of the CA certificates and keys are extracted to disk during K3s server startup. Any server may generate leaf certificates for nodes as they join the cluster, and the Kubernetes Certificates API controllers may issue additional certificates at runtime. To rotate CA certificates and keys, use the k3s certificate rotate-ca command. The command performs integrity checks to confirm that the updated certificates and keys are usable. If the updated data is acceptable, the datastore's encrypted bootstrap key is updated, and the new certificates and keys will be used the next time K3s starts. If problems are encountered while validating the certificates and keys, an error is reported to the system log and the operation is cancelled without changes. Version Gate Support for the k3s certificate rotate-ca command and the ability to use CA certificates signed by an external CA is available starting with the 2023-02 releases (v1.26.2+k3s1, v1.25.7+k3s1, v1.24.11+k3s1, v1.23.17+k3s1).","s":"Certificate Authority (CA) Certificates","u":"/kr/cli/certificate","h":"#certificate-authority-ca-certificates","p":2531},{"i":2539,"t":"If CA certificates and keys are found the correct location during initial startup of the first server in the cluster, automatic generation of CA certificates will be bypassed. An example script to pre-create the appropriate certificates and keys is available in the K3s repo at contrib/util/generate-custom-ca-certs.sh. This script should be run prior to starting K3s for the first time, and will create a full set of leaf CA certificates signed by common Root and Intermediate CA certificates. If you have an existing Root or Intermediate CA, this script can be used (or used as a starting point) to create the correct CA certificates to provision a K3s cluster with PKI rooted in an existing authority. Custom Certificate Authority files must be placed in /var/lib/rancher/k3s/server/tls. The following files are required: server-ca.crt server-ca.key client-ca.crt client-ca.key request-header-ca.crt request-header-ca.key // note: etcd files are required even if embedded etcd is not in use. etcd/peer-ca.crt etcd/peer-ca.key etcd/server-ca.crt etcd/server-ca.key // note: This is the private key used to sign service-account tokens. It does not have a corresponding certificate. service.key Custom CA Topology​ Custom CA Certificates should observe the following topology: Using the Example Script​ 중요한 If you want to sign the cluster CA certificates with an existing root CA using the example script, you must place the root and intermediate files in the target directory prior to running the script. If the files do not exist, the script will create new root and intermediate CA certificates. If you want to use only an existing root CA certificate, provide the following files: root.pem root.key If you want to use existing root and intermediate CA certificates, provide the following files: root.pem intermediate.pem intermediate.key To use the example script to generate custom certs and keys before starting K3s, run the following commands: # Create the target directory for cert generation. mkdir -p /var/lib/rancher/k3s/server/tls # Copy your root CA cert and intermediate CA cert+key into the correct location for the script. # For the purposes of this example, we assume you have existing root and intermediate CA files in /etc/ssl. # If you do not have an existing root and/or intermediate CA, the script will generate them for you. cp /etc/ssl/certs/root.pem /etc/ssl/certs/intermediate.pem /etc/ssl/private/intermediate.key /var/lib/rancher/k3s/server/tls # Generate custom CA certs and keys. curl -sL https://github.com/k3s-io/k3s/raw/master/contrib/util/generate-custom-ca-certs.sh | bash - If the command completes successfully, you may install and/or start K3s for the first time. If the script generated root and/or intermediate CA files, you should back up these files so that they can be reused if it is necessary to rotate the CA certificates at a later date.","s":"Using Custom CA Certificates","u":"/kr/cli/certificate","h":"#using-custom-ca-certificates","p":2531},{"i":2541,"t":"To rotate custom CA certificates, use the k3s certificate rotate-ca subcommand. Updated files must be staged into a temporary directory, loaded into the datastore, and k3s must be restarted on all nodes to use the updated certificates. warning You must not overwrite the currently in-use data in /var/lib/rancher/k3s/server/tls. Stage the updated certificates and keys into a separate directory. A cluster that has been started with custom CA certificates can renew or rotate the CA certificates and keys non-disruptively, as long as the same root CA is used. If a new root CA is required, the rotation will be disruptive. The k3s certificate rotate-ca --force option must be used, all nodes that were joined with a secure token (including servers) will need to be reconfigured to use the new token value, and pods will need to be restarted to trust the new root CA. Using the Example Script​ The example generate-custom-ca-certs.sh script linked above can also be used to generate updated certs in a new temporary directory, by copying files into the correct location and setting the DATA_DIR environment variable. To use the example script to generate updated certs and keys, run the following commands: # Create a temporary directory for cert generation. mkdir -p /opt/k3s/server/tls # Copy your root CA cert and intermediate CA cert+key into the correct location for the script. # Non-disruptive rotation requires the same root CA that was used to generate the original certificates. # If the original files are still in the data directory, you can just run: cp /var/lib/rancher/k3s/server/root.* /var/lib/rancher/k3s/server/intermediate.* /opt/k3s/server/tls # Copy the current service-account signing key, so that existing service-account tokens are not invalidated. cp /var/lib/rancher/k3s/server/tls/service.key /opt/k3s/server/tls # Generate updated custom CA certs and keys. curl -sL https://github.com/k3s-io/k3s/raw/master/contrib/util/generate-custom-ca-certs.sh | DATA_DIR=/opt/k3s bash - # Load the updated CA certs and keys into the datastore. k3s certificate rotate-ca --path=/opt/k3s/server If the rotate-ca command returns an error, check the service log for errors. If the command completes successfully, restart K3s on all nodes in the cluster - servers first, then agents. If you used the --force option or changed the root CA, ensure that any nodes that were joined with a secure token are reconfigured to use the new token value, prior to being restarted. The token may be stored in a .env file, systemd unit, or config.yaml, depending on how the node was configured during initial installation.","s":"Rotating Custom CA Certificates","u":"/kr/cli/certificate","h":"#rotating-custom-ca-certificates","p":2531},{"i":2543,"t":"To rotate the K3s-generated self-signed CA certificates, use the k3s certificate rotate-ca subcommand. Updated files must be staged into a temporary directory, loaded into the datastore, and k3s must be restarted on all nodes to use the updated certificates. warning You must not overwrite the currently in-use data in /var/lib/rancher/k3s/server/tls. Stage the updated certificates and keys into a separate directory. If the cluster has been started with default self-signed CA certificates, rotation will be disruptive. All nodes that were joined with a secure token will need to be reconfigured to trust the new CA hash. If the new CA certificates are not cross-signed by the old CA certificates, you will need to use the --force option to bypass integrity checks, and pods will need to be restarted to trust the new root CA. Default CA Topology​ The default self-signed CA certificates have the following topology: When rotating the default self-signed CAs, a modified certificate topology with intermediate CAs and a new root CA cross-signed by the old CA can be used so that there is a continuous chain of trust between the old and new CAs: Using The Example Script​ An example script to create updated CA certificates and keys cross-signed by the existing CAs is available in the K3s repo at contrib/util/rotate-default-ca-certs.sh. To use the example script to generate updated self-signed certificates that are cross-signed by the existing CAs, run the following commands: # Create updated CA certs and keys, cross-signed by the current CAs. # This script will create a new temporary directory containing the updated certs, and output the new token values. curl -sL https://github.com/k3s-io/k3s/raw/master/contrib/util/rotate-default-ca-certs.sh | bash - # Load the updated certs into the datastore; see the script output for the updated token values. k3s certificate rotate-ca --path=/var/lib/rancher/k3s/server/rotate-ca If the rotate-ca command returns an error, check the service log for errors. If the command completes successfully, restart K3s on all nodes in the cluster - servers first, then agents. Ensure that any nodes that were joined with a secure token, including other server nodes, are reconfigured to use the new token value prior to being restarted. The token may be stored in a .env file, systemd unit, or config.yaml, depending on how the node was configured during initial installation.","s":"Rotating Self-Signed CA Certificates","u":"/kr/cli/certificate","h":"#rotating-self-signed-ca-certificates","p":2531},{"i":2545,"t":"The service-account issuer key is an RSA private key used to sign service-account tokens. When rotating the service-account issuer key, at least one old key should be retained in the file so that existing service-account tokens are not invalidated. It can be rotated independent of the cluster CAs by using the k3s certificate rotate-ca to install only an updated service.key file that includes both the new and old keys. warning You must not overwrite the currently in-use data in /var/lib/rancher/k3s/server/tls. Stage the updated key into a separate directory. For example, to rotate only the service-account issuer key, run the following commands: # Create a temporary directory for cert generation mkdir -p /opt/k3s/server/tls # Check OpenSSL version openssl version | grep -qF 'OpenSSL 3' && OPENSSL_GENRSA_FLAGS=-traditional # Generate a new key openssl genrsa ${OPENSSL_GENRSA_FLAGS:-} -out /opt/k3s/server/tls/service.key 2048 # Append the existing key to avoid invalidating current tokens cat /var/lib/rancher/k3s/server/tls/service.key >> /opt/k3s/server/tls/service.key # Load the updated key into the datastore k3s certificate rotate-ca --path=/opt/k3s/server It is normal to see warnings for files that are not being updated. If the rotate-ca command returns an error, check the service log for errors. If the command completes successfully, restart K3s on all servers in the cluster. It is not necessary to restart agents or restart any pods.","s":"Service-Account Issuer Key Rotation","u":"/kr/cli/certificate","h":"#service-account-issuer-key-rotation","p":2531},{"i":2547,"t":"/etc/rancher/k3s/k3s.yaml에 저장된 kubeconfig 파일은 쿠버네티스 클러스터에 대한 액세스를 구성하는 데 사용됩니다. kubectl 또는 helm과 같은 업스트림 Kubernetes 명령줄 도구를 설치한 경우 올바른 kubeconfig 경로로 구성해야 합니다. 이 작업은 kubeconfig 환경 변수를 내보내거나 --kubeconfig 명령줄 플래그를 호출하여 수행할 수 있습니다. 자세한 내용은 아래 예시를 참고하세요. KUBECONFIG 환경 변수를 활용합니다: export KUBECONFIG=/etc/rancher/k3s/k3s.yaml kubectl get pods --all-namespaces helm ls --all-namespaces 또는 명령에 kubeconfig 파일의 위치를 지정합니다: kubectl --kubeconfig /etc/rancher/k3s/k3s.yaml get pods --all-namespaces helm --kubeconfig /etc/rancher/k3s/k3s.yaml ls --all-namespaces","s":"클러스터 접근","u":"/kr/cluster-access","h":"","p":2546},{"i":2549,"t":"/etc/rancher/k3s/k3s.yaml파일을 클러스터 외부에 위치한 머신의 ~/.kube/config로 복사합니다. 그런 다음 server 필드의 값을 K3s 서버의 IP 또는 이름으로 바꿉니다. 이제 kubectl이 K3s 클러스터를 관리할 수 있습니다.","s":"외부에서 kubectl로 클러스터에 접근하기","u":"/kr/cluster-access","h":"#외부에서-kubectl로-클러스터에-접근하기","p":2546},{"i":2551,"t":"이 섹션에는 K3s를 실행하고 관리할 수 있는 다양한 방법과 K3s 사용을 위해 호스트 OS를 준비하는 데 필요한 단계를 설명하는 고급 정보가 포함되어 있습니다.","s":"고급 옵션 / 설정","u":"/kr/advanced","h":"","p":2550},{"i":2554,"t":"K3s는 첫 번째 서버 노드를 시작하는 동안 자체 서명된 CA(인증 기관) 인증서를 생성합니다. 이 CA 인증서는 10년 동안 유효하며 자동으로 갱신되지 않습니다. 사용자 지정 CA 인증서 사용 또는 자체 서명 CA 인증서 갱신에 대한 자세한 내용은 k3s 인증서 rotate-ca 명령 설명서를 참조하세요.","s":"인증 기관 인증서","u":"/kr/advanced","h":"#인증-기관-인증서","p":2550},{"i":2556,"t":"K3s 클라이언트 및 서버 인증서는 발급한 날로부터 365일 동안 유효합니다. 만료되었거나 만료 후 90일 이내에 만료된 인증서는 K3s를 시작할 때마다 자동으로 갱신됩니다. 클라이언트 및 서버 인증서를 수동으로 로테이션하는 것에 대한 정보는 k3s 인증서 로테이션 명령 설명서를 참조하세요.","s":"클라이언트 및 서버 인증서","u":"/kr/advanced","h":"#클라이언트-및-서버-인증서","p":2550},{"i":2558,"t":"기본적으로 K3s는 서버와 에이전트 모두에 단일 정적 토큰을 사용합니다. 이 토큰은 클러스터가 생성된 후에는 변경할 수 없습니다. 에이전트 조인에만 사용할 수 있는 두 번째 정적 토큰을 활성화하거나 자동으로 만료되는 임시 kubeadm 스타일 조인 토큰을 생성할 수 있습니다. 자세한 내용은 k3s token 명령어 설명서를 참고하세요.","s":"토큰 관리","u":"/kr/advanced","h":"#토큰-관리","p":2550},{"i":2560,"t":"HTTP 프록시를 통해서만 외부와 연결할 수 있는 환경에서 K3s를 실행하는 경우, K3s 시스템드 서비스에서 프록시 설정을 구성할 수 있습니다. 그러면 이 프록시 설정이 K3s에서 사용되어 내장 컨테이너와 kubelet에 전달됩니다. K3s 설치 스크립트는 자동으로 현재 셸에서 HTTP_PROXY, HTTPS_PROXY 및 NO_PROXY 변수와 CONTAINERD_HTTP_PROXY, CONTAINERD_HTTPS_PROXY 및 CONTAINERD_NO_PROXY 변수가 있는 경우 이를 systemd 서비스의 환경 파일에 작성합니다: /etc/systemd/system/k3s.service.env /etc/systemd/system/k3s-agent.service.env 물론 이 파일을 편집하여 프록시를 구성할 수도 있습니다. K3s는 클러스터 내부 파드 및 서비스 IP 범위와 클러스터 DNS 도메인을 자동으로 NO_PROXY 항목 목록에 추가합니다. 쿠버네티스 노드 자체에서 사용하는 IP 주소 범위(즉, 노드의 퍼블릭 및 프라이빗 IP)가 NO_PROXY 목록에 포함되어 있는지 또는 프록시를 통해 노드에 도달할 수 있는지 확인해야 합니다. HTTP_PROXY=http://your-proxy.example.com:8888 HTTPS_PROXY=http://your-proxy.example.com:8888 NO_PROXY=127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 K3s와 Kubelet에 영향을 주지 않고 컨테이너에 대한 프록시 설정을 구성하려면, 변수 앞에 CONTAINERD_를 붙이면 됩니다: CONTAINERD_HTTP_PROXY=http://your-proxy.example.com:8888 CONTAINERD_HTTPS_PROXY=http://your-proxy.example.com:8888 CONTAINERD_NO_PROXY=127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16","s":"HTTP 프록시 구성하기","u":"/kr/advanced","h":"#http-프록시-구성하기","p":2550},{"i":2562,"t":"K3s는 업계 표준 컨테이너 런타임인 containerd를 포함하며 기본값으로 사용합니다. 쿠버네티스 1.24부터, kubelet은 더 이상 kubelet이 dockerd와 통신할 수 있도록 하는 컴포넌트인 dockershim을 포함하지 않습니다. K3s 1.24 이상에는 cri-dockerd가 포함되어 있어 이전 릴리즈의 K3s에서 원활하게 업그레이드하면서 Docker 컨테이너 런타임을 계속 사용할 수 있습니다. 컨테이너 대신 Docker를 사용하려면: K3s 노드에 Docker를 설치합니다. 랜처의 Docker 설치 스크립트 중 하나를 사용하여 Docker를 설치할 수 있습니다: curl https://releases.rancher.com/install-docker/20.10.sh | sh --docker 옵션을 사용하여 K3s를 설치합니다: curl -sfL https://get.k3s.io | sh -s - --docker 클러스터를 사용할 수 있는지 확인합니다: $ sudo k3s kubectl get pods --all-namespaces NAMESPACE NAME READY STATUS RESTARTS AGE kube-system local-path-provisioner-6d59f47c7-lncxn 1/1 Running 0 51s kube-system metrics-server-7566d596c8-9tnck 1/1 Running 0 51s kube-system helm-install-traefik-mbkn9 0/1 Completed 1 51s kube-system coredns-8655855d6-rtbnb 1/1 Running 0 51s kube-system svclb-traefik-jbmvl 2/2 Running 0 43s kube-system traefik-758cd5fc85-2wz97 1/1 Running 0 43s Docker 컨테이너가 실행 중인지 확인합니다: $ sudo docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 3e4d34729602 897ce3c5fc8f \"entry\" About a minute ago Up About a minute k8s_lb-port-443_svclb-traefik-jbmvl_kube-system_d46f10c6-073f-4c7e-8d7a-8e7ac18f9cb0_0 bffdc9d7a65f rancher/klipper-lb \"entry\" About a minute ago Up About a minute k8s_lb-port-80_svclb-traefik-jbmvl_kube-system_d46f10c6-073f-4c7e-8d7a-8e7ac18f9cb0_0 436b85c5e38d rancher/library-traefik \"/traefik --configfi…\" About a minute ago Up About a minute k8s_traefik_traefik-758cd5fc85-2wz97_kube-system_07abe831-ffd6-4206-bfa1-7c9ca4fb39e7_0 de8fded06188 rancher/pause:3.1 \"/pause\" About a minute ago Up About a minute k8s_POD_svclb-traefik-jbmvl_kube-system_d46f10c6-073f-4c7e-8d7a-8e7ac18f9cb0_0 7c6a30aeeb2f rancher/pause:3.1 \"/pause\" About a minute ago Up About a minute k8s_POD_traefik-758cd5fc85-2wz97_kube-system_07abe831-ffd6-4206-bfa1-7c9ca4fb39e7_0 ae6c58cab4a7 9d12f9848b99 \"local-path-provisio…\" About a minute ago Up About a minute k8s_local-path-provisioner_local-path-provisioner-6d59f47c7-lncxn_kube-system_2dbd22bf-6ad9-4bea-a73d-620c90a6c1c1_0 be1450e1a11e 9dd718864ce6 \"/metrics-server\" About a minute ago Up About a minute k8s_metrics-server_metrics-server-7566d596c8-9tnck_kube-system_031e74b5-e9ef-47ef-a88d-fbf3f726cbc6_0 4454d14e4d3f c4d3d16fe508 \"/coredns -conf /etc…\" About a minute ago Up About a minute k8s_coredns_coredns-8655855d6-rtbnb_kube-system_d05725df-4fb1-410a-8e82-2b1c8278a6a1_0 c3675b87f96c rancher/pause:3.1 \"/pause\" About a minute ago Up About a minute k8s_POD_coredns-8655855d6-rtbnb_kube-system_d05725df-4fb1-410a-8e82-2b1c8278a6a1_0 4b1fddbe6ca6 rancher/pause:3.1 \"/pause\" About a minute ago Up About a minute k8s_POD_local-path-provisioner-6d59f47c7-lncxn_kube-system_2dbd22bf-6ad9-4bea-a73d-620c90a6c1c1_0 64d3517d4a95 rancher/pause:3.1 \"/pause\"","s":"컨테이너 런타임으로 Docker 사용","u":"/kr/advanced","h":"#컨테이너-런타임으로-docker-사용","p":2550},{"i":2564,"t":"etcdctl은 etcd 서버와 상호 작용하기 위한 CLI를 제공합니다. K3s는 etcdctl을 번들로 제공하지 않습니다. etcdctl을 사용하여 K3s의 내장된 etcd와 상호 작용하려면 공식 문서를 참조하여 etcdctl을 설치하세요. ETCD_VERSION=\"v3.5.5\" ETCD_URL=\"https://github.com/etcd-io/etcd/releases/download/${ETCD_VERSION}/etcd-${ETCD_VERSION}-linux-amd64.tar.gz\" curl -sL ${ETCD_URL} | sudo tar -zxv --strip-components=1 -C /usr/local/bin 그런 다음 인증에 K3s에서 관리하는 인증서 및 키를 사용하도록 etcdctl을 구성하여 사용할 수 있습니다: sudo etcdctl version \\ --cacert=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt \\ --cert=/var/lib/rancher/k3s/server/tls/etcd/client.crt \\ --key=/var/lib/rancher/k3s/server/tls/etcd/client.key","s":"etcdctl 사용하기","u":"/kr/advanced","h":"#etcdctl-사용하기","p":2550},{"i":2566,"t":"K3s는 /var/lib/rancher/k3s/agent/etc/containerd/config.toml에 컨테이너에 대한 config.toml을 생성합니다. 이 파일에 대한 고급 커스터마이징을 위해 같은 디렉터리에 config.toml.tmpl이라는 다른 파일을 생성하면 이 파일이 대신 사용된다. config.toml.tmpl은 Go 템플릿 파일로 취급되며, config.Node 구조가 템플릿으로 전달됩니다. 이 구조를 사용하여 구성 파일을 사용자 정의하는 방법에 대한 Linux 및 Windows 예제는 이 폴더를 참조하세요. config.Node Go 언어 구조체는 여기에 정의되어 있습니다.","s":"컨테이너 설정하기","u":"/kr/advanced","h":"#컨테이너-설정하기","p":2550},{"i":2568,"t":"K3s는 K3s 시작 시 NVIDIA 컨테이너 런타임이 있으면 자동으로 감지하여 설정합니다. 아래의 안내에 따라 노드에 엔비디아 컨테이너 패키지 리포지토리를 설치합니다: https://nvidia.github.io/libnvidia-container/ 엔비디아 컨테이너 런타임 패키지를 설치합니다. 예시: apt install -y nvidia-container-runtime cuda-drivers-fabricmanager-515 nvidia-headless-515-server K3s를 설치하거나 이미 설치되어 있는 경우 다시 시작합니다: curl -ksL get.k3s.io | sh - k3s가 엔비디아 컨테이너 런타임을 찾았는지 확인합니다: grep nvidia /var/lib/rancher/k3s/agent/etc/containerd/config.toml 이렇게 하면 발견된 런타임 실행 파일에 따라 컨테이너 설정에 nvidia 및/또는 nvidia-experimental 런타임이 자동으로 추가됩니다. 여전히 클러스터에 런타임클래스 정의를 추가하고, 파드 스펙에서 runtimeClassName: nvidia를 설정하여 적절한 런타임을 명시적으로 요청하는 파드를 배포해야 합니다: apiVersion: node.k8s.io/v1 kind: RuntimeClass metadata: name: nvidia handler: nvidia --- apiVersion: v1 kind: Pod metadata: name: nbody-gpu-benchmark namespace: default spec: restartPolicy: OnFailure runtimeClassName: nvidia containers: - name: cuda-container image: nvcr.io/nvidia/k8s/cuda-sample:nbody args: [\"nbody\", \"-gpu\", \"-benchmark\"] resources: limits: nvidia.com/gpu: 1 env: - name: NVIDIA_VISIBLE_DEVICES value: all - name: NVIDIA_DRIVER_CAPABILITIES value: all 엔비디아 컨테이너 런타임은 엔비디아 디바이스 플러그인 및 GPU 기능 검색과 함께 자주 사용되며, 위에서 언급한 것처럼 파드 사양에 runtimeClassName: nvidia가 포함되도록 수정하여 별도로 설치해야 한다는 점에 유의하세요.","s":"NVIDIA 컨테이너 런타임 지원","u":"/kr/advanced","h":"#nvidia-컨테이너-런타임-지원","p":2550},{"i":2570,"t":"경고: 이 기능은 실험 단계입니다. disable-agent 플래그로 시작하면, 서버는 kubelet, 컨테이너 런타임 또는 CNI를 실행하지 않습니다. 클러스터에 노드 리소스를 등록하지 않으며, kubectl get nodes 출력에 나타나지 않습니다. 에이전트리스 서버는 kubelet을 호스트하지 않기 때문에, 파드를 실행하거나 내장된 etcd 컨트롤러 및 시스템 업그레이드 컨트롤러를 포함하여 클러스터 노드를 열거하는 데 의존하는 운영자가 관리할 수 없습니다. 에이전트리스 서버를 실행하는 것은 클러스터 운영자 지원 부족으로 인한 관리 오버헤드 증가를 감수하고서라도 에이전트와 워크로드에 의한 검색으로부터 컨트롤 플레인 노드를 숨기고자 하는 경우에 유리할 수 있습니다.","s":"에이전트 없는 서버 실행하기(실험적)","u":"/kr/advanced","h":"#에이전트-없는-서버-실행하기실험적","p":2550},{"i":2572,"t":"경고: 이 기능은 실험 단계입니다. 루트리스 모드는 잠재적인 컨테이너 브레이크아웃 공격으로부터 호스트의 실제 루트를 보호하기 위해 권한이 없는 사용자로 K3s 서버를 실행할 수 있습니다. 루트리스 쿠버네티스에 대한 자세한 내용은 https://rootlesscontaine.rs/ 을 참조하세요.","s":"루트리스 서버 실행(실험적)","u":"/kr/advanced","h":"#루트리스-서버-실행실험적","p":2550},{"i":2574,"t":"포트 루트리스 실행 시 새로운 네트워크 네임스페이스가 생성됩니다. 이는 K3s 인스턴스가 호스트와 네트워킹이 상당히 분리된 상태로 실행된다는 것을 의미합니다. 호스트에서 K3s에서 실행되는 서비스에 액세스하는 유일한 방법은 K3s 네트워크 네임스페이스에 포트 포워드를 설정하는 것입니다. 루트리스 K3s에는 6443 및 1024 미만의 서비스 포트를 10000 오프셋으로 호스트에 자동으로 바인딩하는 컨트롤러가 포함되어 있습니다. 예를 들어, 포트 80의 서비스는 호스트에서 10080이 되지만 8080은 오프셋 없이 8080이 됩니다. 현재 로드밸런서 서비스만 자동으로 바인딩됩니다. Cgroup Cgroup v1 및 하이브리드 v1/v2는 지원되지 않으며, 순수 Cgroup v2만 지원됩니다. 루트리스 실행 시 누락된 Cgroup으로 인해 K3s가 시작되지 않는 경우, 노드가 하이브리드 모드에 있고 \"누락된\" Cgroup이 여전히 v1 컨트롤러에 바인딩되어 있을 가능성이 높습니다. 멀티노드/멀티프로세스 클러스터 다중 노드 루트리스 클러스터 또는 동일한 노드에 있는 여러 개의 루트리스 k3s 프로세스는 현재 지원되지 않습니다. 자세한 내용은 #6488을 참조하세요.","s":"루트리스 모드의 알려진 이슈","u":"/kr/advanced","h":"#루트리스-모드의-알려진-이슈","p":2550},{"i":2576,"t":"https://rootlesscontaine.rs/getting-started/common/cgroup2/ 을 참조하여 cgroup v2 위임을 활성화합니다. 이 단계는 필수이며, 적절한 cgroups가 위임되지 않으면 루트리스 kubelet을 시작하지 못합니다. https://github.com/k3s-io/k3s/blob//k3s-rootless.service](https://github.com/k3s-io/k3s/blob/master/k3s-rootless.service)에서 k3s-rootless.service를 다운로드한다. k3s-rootless.service와 k3s의 버전이 같은 것을 사용해야 합니다. k3s-rootless.service를 ~/.config/systemd/user/k3s-rootless.service에 설치합니다. 이 파일을 시스템 전체 서비스(/etc/systemd/...)로 설치하는 것은 지원되지 않습니다. k3s 바이너리의 경로에 따라 파일의 ExecStart=/usr/local/bin/k3s ... 행을 수정해야 할 수 있습니다. systemctl --user daemon-reload를 실행합니다. systemctl --user enable --now k3s-rootless를 실행한다. KUBECONFIG=~/.kube/k3s.yaml kubectl get pods -A를 실행하고, 파드가 실행 중인지 확인한다. 참고: 터미널 세션은 cgroups v2 위임을 허용하지 않으므로 터미널에서 k3s server --rootless를 실행하지 않는다. 터미널에서 꼭 실행해야 하는 경우, systemd-run --user -p Delegate=yes --tty k3s server --roolless를 사용하여 systemd 범위로 래핑합니다.","s":"루트리스 서버 시작하기","u":"/kr/advanced","h":"#루트리스-서버-시작하기","p":2550},{"i":2578,"t":"루트리스 K3s는 호스트와 사용자 네트워크 네임스페이스 간 통신을 위해 rootlesskit 및 slirp4netns를 사용합니다. 루트리스킷과 slirp4net에서 사용하는 구성 중 일부는 환경 변수로 설정할 수 있습니다. 이를 설정하는 가장 좋은 방법은 k3s-rootless systemd 유닛의 Environment 필드에 추가하는 것입니다. Variable Default Description K3S_ROOTLESS_MTU 1500 slirp4netns 가상 인터페이스의 MTU를 설정합니다. K3S_ROOTLESS_CIDR 10.41.0.0/16 slirp4netns 가상 인터페이스에서 사용하는 CIDR을 설정합니다. K3S_ROOTLESS_ENABLE_IPV6 autotedected Enables slirp4netns IPv6 지원. 지정하지 않으면 K3가 듀얼 스택 작동을 위해 구성되면 자동으로 활성화됩니다. K3S_ROOTLESS_PORT_DRIVER builtin 루트리스 포트 드라이버를 선택합니다. builtin 또는 slirp4netns 중 하나를 선택합니다. 빌트인이 더 빠르지만 인바운드 패킷의 원래 소스 주소를 가장합니다. K3S_ROOTLESS_DISABLE_HOST_LOOPBACK true 게이트웨이 인터페이스를 통한 호스트의 루프백 주소에 대한 액세스를 사용할지 여부를 제어합니다. 보안상의 이유로 변경하지 않는 것이 좋습니다.","s":"고급 루트리스 구성","u":"/kr/advanced","h":"#고급-루트리스-구성","p":2550},{"i":2580,"t":"systemctl --user status k3s-rootless를 실행하여 데몬 상태를 확인합니다. journalctl --user -f -u k3s-rootless를 실행하여 데몬 로그를 확인합니다. https://rootlesscontaine.rs/ 참조","s":"루트리스 문제 해결하기","u":"/kr/advanced","h":"#루트리스-문제-해결하기","p":2550},{"i":2582,"t":"K3s 에이전트는 --node-label 및 --node-taint 옵션으로 구성할 수 있으며, 이 옵션은 kubelet에 레이블과 테인트를 추가합니다. 이 두 옵션은 [등록 시점에] 레이블 및/또는 테인트만 추가하므로(./cli/agent.md#node-labels-and-taints-for-agents), 노드가 클러스터에 처음 조인될 때만 설정할 수 있습니다. 현재 모든 버전의 쿠버네티스는 노드가 kubernetes.io 및 k8s.io 접두사가 포함된 대부분의 레이블, 특히 kubernetes.io/role 레이블에 등록하는 것을 제한합니다. 허용되지 않는 레이블을 가진 노드를 시작하려고 하면 K3s가 시작되지 않습니다. 쿠버네티스 작성자가 언급했듯이: 노드는 자체 역할 레이블을 어설트하는 것이 허용되지 않습니다. 노드 역할은 일반적으로 권한 또는 컨트롤 플레인 유형의 노드를 식별하는 데 사용되며, 노드가 해당 풀에 레이블을 지정하도록 허용하면 손상된 노드가 더 높은 권한 자격 증명에 대한 액세스 권한을 부여하는 워크로드(예: 컨트롤 플레인 데몬셋)를 사소하게 끌어들일 수 있습니다. 자세한 내용은 SIG-Auth KEP 279를 참조하세요. 노드 등록 후 노드 레이블과 틴트를 변경하거나 예약 레이블을 추가하려면 kubectl을 사용해야 합니다. taint 및 노드 레이블을 추가하는 방법에 대한 자세한 내용은 쿠버네티스 공식 문서를 참고하세요.","s":"노드 레이블 및 테인트","u":"/kr/advanced","h":"#노드-레이블-및-테인트","p":2550},{"i":2584,"t":"설치 스크립트는 설치 프로세스의 일부로 OS가 systemd 또는 openrc를 사용하는지 자동으로 감지하고 서비스를 활성화 및 시작합니다. openrc로 실행하면 /var/log/k3s.log에 로그가 생성됩니다. systemd로 실행하는 경우, /var/log/syslog에 로그가 생성되며 journalctl -u k3s(또는 에이전트에서는 journalctl -u k3s-agent)를 사용하여 로그를 확인할 수 있습니다. 설치 스크립트로 자동 시작 및 서비스 활성화를 비활성화하는 예제입니다: curl -sfL https://get.k3s.io | INSTALL_K3S_SKIP_START=true INSTALL_K3S_SKIP_ENABLE=true sh -","s":"설치 스크립트로 서비스 시작하기","u":"/kr/advanced","h":"#설치-스크립트로-서비스-시작하기","p":2550},{"i":2587,"t":"몇몇 유명 Linux 배포판에는 중복 규칙이 누적되어 노드의 성능과 안정성에 부정적인 영향을 주는 버그가 포함된 버전의 iptables가 포함되어 있습니다. 이 문제의 영향을 받는지 확인하는 방법에 대한 자세한 내용은 Issue #3117을 참조하세요. K3s에는 정상적으로 작동하는 iptables(v1.8.8) 버전이 포함되어 있습니다. --prefer-bundled-bin 옵션으로 K3s를 시작하거나 운영 체제에서 iptables/nftables 패키지를 제거하여 K3s가 번들 버전의 iptables를 사용하도록 설정할 수 있습니다. Version Gate prefer-bundled-bin 플래그는 2022-12 릴리스(v1.26.0+k3s1, v1.25.5+k3s1, v1.24.9+k3s1, v1.23.15+k3s1) 부터 사용할 수 있습니다.","s":"이전 iptables 버전","u":"/kr/advanced","h":"#이전-iptables-버전","p":2550},{"i":2589,"t":"firewalld를 끄는 것이 좋습니다: systemctl disable firewalld --now 방화벽을 사용하도록 설정하려면 기본적으로 다음 규칙이 필요합니다: firewall-cmd --permanent --add-port=6443/tcp #apiserver firewall-cmd --permanent --zone=trusted --add-source=10.42.0.0/16 #pods firewall-cmd --permanent --zone=trusted --add-source=10.43.0.0/16 #services firewall-cmd --reload 설정에 따라 추가 포트를 열어야 할 수도 있습니다. 자세한 내용은 인바운드 규칙을 참조하세요. 파드 또는 서비스에 대한 기본 CIDR을 변경하는 경우, 그에 따라 방화벽 규칙을 업데이트해야 합니다. 활성화된 경우, nm-cloud-setup을 비활성화하고 노드를 재부팅해야 합니다: systemctl disable nm-cloud-setup.service nm-cloud-setup.timer reboot","s":"Red Hat Enterprise Linux / CentOS","u":"/kr/advanced","h":"#red-hat-enterprise-linux--centos","p":2550},{"i":2591,"t":"ufw(uncomplicated firewall)를 끄는 것이 좋습니다: ufw disable ufw를 사용하도록 설정하려면 기본적으로 다음 규칙이 필요합니다: ufw allow 6443/tcp #apiserver ufw allow from 10.42.0.0/16 to any #pods ufw allow from 10.43.0.0/16 to any #services 설정에 따라 추가 포트를 열어야 할 수도 있습니다. 자세한 내용은 인바운드 규칙을 참조한다. 파드 또는 서비스에 대한 기본 CIDR을 변경하는 경우, 그에 따라 방화벽 규칙을 업데이트해야 합니다.","s":"Ubuntu","u":"/kr/advanced","h":"#ubuntu","p":2550},{"i":2593,"t":"라즈베리파이 OS는 데비안 기반이며, 오래된 iptables 버전으로 인해 문제가 발생할 수 있습니다. 해결 방법을 참조하세요. 표준 라즈베리파이 OS 설치는 cgroups가 활성화된 상태에서 시작되지 않습니다. K3S는 systemd 서비스를 시작하기 위해 cgroups가 필요합니다. cgroups는 /boot/cmdline.txt에 cgroup_memory=1 cgroup_enable=memory를 추가하여 활성화할 수 있습니다. cmdline.txt 예시: console=serial0,115200 console=tty1 root=PARTUUID=58b06195-02 rootfstype=ext4 elevator=deadline fsck.repair=yes rootwait cgroup_memory=1 cgroup_enable=memory 우분투 21.10부터 라즈베리파이의 vxlan 지원은 별도의 커널 모듈로 옮겨졌습니다. sudo apt install linux-modules-extra-raspi","s":"Raspberry Pi","u":"/kr/advanced","h":"#raspberry-pi","p":2550},{"i":2595,"t":"Docker에서 K3s를 실행하는 방법에는 여러 가지가 있습니다: K3d Docker k3d는 도커에서 멀티노드 K3s 클러스터를 쉽게 실행할 수 있도록 설계된 유틸리티입니다. k3d를 사용하면 쿠버네티스의 로컬 개발 등을 위해 도커에서 단일 노드 및 다중 노드 k3s 클러스터를 매우 쉽게 생성할 수 있습니다. k3d 설치 및 사용 방법에 대한 자세한 내용은 설치 설명서를 참조하세요. Docker를 사용하려면 rancher/k3s 이미지를 사용하여 K3s 서버와 에이전트를 실행할 수도 있습니다. docker run 명령어를 사용합니다: sudo docker run \\ --privileged \\ --name k3s-server-1 \\ --hostname k3s-server-1 \\ -p 6443:6443 \\ -d rancher/k3s:v1.24.10-k3s1 \\ server 비고 태그에 유효한 K3s 버전을 지정해야 하며, latest 태그는 유지되지 않습니다. 도커 이미지는 태그에 + 기호를 허용하지 않으므로 태그에 -를 대신 사용하세요. K3s가 실행되고 나면, 관리자 kubeconfig를 Docker 컨테이너에서 복사하여 사용할 수 있습니다: sudo docker cp k3s-server-1:/etc/rancher/k3s/k3s.yaml ~/.kube/config","s":"Docker에서 k3s 실행하기","u":"/kr/advanced","h":"#docker에서-k3s-실행하기","p":2550},{"i":2597,"t":"Version Gate v1.19.4+k3s1부터 사용 가능 기본적으로 SELinux가 활성화된 시스템(예로 CentOS)에 K3s를 설치하는 경우 적절한 SELinux 정책이 설치되어 있는지 확인해야 합니다. 자동 설치 수동 설치 에어 갭(폐쇄망) 설치를 수행하지 않는 경우 호환되는 시스템에서 설치 스크립트는 랜처 RPM 저장소에서 SELinux RPM을 자동으로 설치합니다. 자동 설치는 INSTALL_K3S_SKIP_SELINUX_RPM=true로 설정하여 건너뛸 수 있습니다. 필요한 policy는 다음 명령을 사용하여 설치할 수 있습니다: yum install -y container-selinux selinux-policy-base yum install -y https://rpm.rancher.io/k3s/latest/common/centos/7/noarch/k3s-selinux-0.2-1.el7_8.noarch.rpm 설치 스크립트가 실패하지 않고 경고를 기록하도록 하려면 다음 환경 변수를 설정하면 됩니다: INSTALL_K3S_SELINUX_WARN=true.","s":"SELinux 지원","u":"/kr/advanced","h":"#selinux-지원","p":2550},{"i":2599,"t":"SELinux를 활용하려면 K3s 서버 및 에이전트를 시작할 때 --selinux 플래그를 지정하세요. 이 옵션은 K3s 구성 파일에서도 지정할 수 있습니다. selinux: true SELinux에서 사용자 지정 --data-dir을 사용하는 것은 지원되지 않습니다. 사용자 지정하려면 사용자 지정 정책을 직접 작성해야 할 가능성이 높습니다. 컨테이너 런타임에 대한 SELinux 정책 파일이 포함된 containers/container-selinux 리포지토리와 K3s를 위한 SELinux 정책이 포함된 k3s-io/k3s-selinux 리포지토리를 참고할 수 있습니다.","s":"SELinux 적용 활성화하기","u":"/kr/advanced","h":"#selinux-적용-활성화하기","p":2550},{"i":2602,"t":"이미지 풀링은 컨테이너 라이프사이클에서 시간이 많이 소요되는 단계 중 하나로 알려져 있습니다. Harter, et al.(https://www.usenix.org/conference/fast16/technical-sessions/presentation/harter), 패키지 풀링은 컨테이너 시작 시간의 76%를 차지하지만, 그 중 읽기 데이터는 6.4%에 불과합니다. 이 문제를 해결하기 위해 k3s는 이미지 콘텐츠의 lazy pulling을 실험적으로 지원합니다. 이를 통해 k3s는 전체 이미지가 풀링되기 전에 컨테이너를 시작할 수 있습니다. 대신 필요한 콘텐츠 청크(예: 개별 파일)를 온디맨드 방식으로 가져옵니다. 특히 대용량 이미지의 경우 이 기술을 사용하면 컨테이너 시작 지연 시간을 단축할 수 있습니다. 지연 풀링을 사용하려면 대상 이미지의 포맷을 eStargz로 지정해야 합니다. 이 형식은 OCI 대체 형식이지만 지연 풀링을 위한 100% 호환되는 이미지 형식입니다. 호환성 때문에 eStargz는 표준 컨테이너 레지스트리(예: ghcr.io)로 푸시할 수 있을 뿐만 아니라 eStargz와 무관한 런타임에서도 실행 가능 합니다. eStargz는 Google CRFS 프로젝트에서 제안한 stargz 형식을 기반으로 개발되었지만 콘텐츠 검증 및 성능 최적화를 포함한 실용적인 기능을 제공합니다. 지연 풀링과 eStargz에 대한 자세한 내용은 Stargz Snapshotter 프로젝트 리포지토리를 참고하시기 바랍니다.","s":"지연 풀링과 eStargz란 무엇인가요?","u":"/kr/advanced","h":"#지연-풀링과-estargz란-무엇인가요","p":2550},{"i":2604,"t":"아래와 같이 k3s 서버와 에이전트에는 --snapshotter=stargz 옵션이 필요합니다. k3s server --snapshotter=stargz 이 구성을 사용하면, eStargz 형식의 이미지에 대해 지연 풀링을 수행할 수 있습니다. 다음 예제 파드 매니페스트는 eStargz 형식의 node:13.13.0 이미지(ghcr.io/stargz-containers/node:13.13.0-esgz)를 사용합니다. 스타즈 스냅샷터가 활성화되면 K3s는 이 이미지에 대해 지연 풀링을 수행합니다. apiVersion: v1 kind: Pod metadata: name: nodejs spec: containers: - name: nodejs-estargz image: ghcr.io/stargz-containers/node:13.13.0-esgz command: [\"node\"] args: - -e - var http = require('http'); http.createServer(function(req, res) { res.writeHead(200); res.end('Hello World!\\n'); }).listen(80); ports: - containerPort: 80","s":"지연 풀링이 가능하도록 k3s 구성하기","u":"/kr/advanced","h":"#지연-풀링이-가능하도록-k3s-구성하기","p":2550},{"i":2606,"t":"K3s용 랜처 로깅은 랜처를 사용하지 않고 설치할 수 있습니다. 이를 위해서는 다음 지침을 실행해야 합니다: helm repo add rancher-charts https://charts.rancher.io helm repo update helm install --create-namespace -n cattle-logging-system rancher-logging-crd rancher-charts/rancher-logging-crd helm install --create-namespace -n cattle-logging-system rancher-logging --set additionalLoggingSources.k3s.enabled=true rancher-charts/rancher-logging","s":"추가 로깅 소스","u":"/kr/advanced","h":"#추가-로깅-소스","p":2550},{"i":2608,"t":"네트워크 정책에 의해 차단된 패킷을 로깅할 수 있습니다. 패킷은 차단 네트워크 정책을 포함한 패킷 세부 정보를 표시하는 iptables NFLOG 작업으로 전송됩니다. 트래픽이 많으면 로그 메시지 수가 매우 많아질 수 있습니다. 정책별로 로그 속도를 제어하려면, 해당 네트워크 정책에 다음 어노테이션을 추가하여 limit 및 limit-burst iptables 매개변수를 설정합니다: kube-router.io/netpol-nflog-limit= kube-router.io/netpol-nflog-limit-burst= 기본값은 limit=10/minute와 limit-burst=10입니다. 이러한 필드의 형식과 사용 가능한 값에 대한 자세한 내용은 iptables manual을 참조하세요. NFLOG 패킷을 로그 항목으로 변환하려면 ulogd2를 설치하고 [log1]을 group=100에서 읽도록 구성합니다. 그런 다음 ulogd2 서비스를 다시 시작하여 새 구성이 커밋되도록 합니다. 네트워크 정책 규칙에 의해 패킷이 차단되면 /var/log/ulog/syslogemu.log에 로그 메시지가 나타납니다. NFLOG 넷링크 소켓으로 전송된 패킷은 tcpdump 또는 tshark와 같은 명령줄 도구를 사용하여 읽을 수도 있습니다: tcpdump -ni nflog:100 더 쉽게 사용할 수 있지만, tcpdump는 패킷을 차단한 네트워크 정책의 이름을 표시하지 않습니다. 대신 와이어샤크의 tshark 명령을 사용하여 정책 이름이 포함된 nflog.prefix 필드를 포함한 전체 NFLOG 패킷 헤더를 표시하세요.","s":"추가 네트워크 정책 로깅","u":"/kr/advanced","h":"#추가-네트워크-정책-로깅","p":2550},{"i":2610,"t":"The way K3s is backed up and restored depends on which type of datastore is used. warning In addition to backing up the datastore itself, you must also back up the server token file at /var/lib/rancher/k3s/server/token. You must restore this file, or pass its value into the --token option, when restoring from backup. If you do not use the same token value when restoring, the snapshot will be unusable, as the token is used to encrypt confidential data within the datastore itself.","s":"Backup and Restore","u":"/kr/datastore/backup-restore","h":"","p":2609},{"i":2612,"t":"No special commands are required to back up or restore the SQLite datastore. To back up the SQLite datastore, take a copy of /var/lib/rancher/k3s/server/db/. To restore the SQLite datastore, restore the contents of /var/lib/rancher/k3s/server/db (and the token, as discussed above).","s":"Backup and Restore with SQLite","u":"/kr/datastore/backup-restore","h":"#backup-and-restore-with-sqlite","p":2609},{"i":2614,"t":"When an external datastore is used, backup and restore operations are handled outside of K3s. The database administrator will need to back up the external database, or restore it from a snapshot or dump. We recommend configuring the database to take recurring snapshots. For details on taking database snapshots and restoring your database from them, refer to the official database documentation: Official MySQL documentation Official PostgreSQL documentation Official etcd documentation","s":"Backup and Restore with External Datastore","u":"/kr/datastore/backup-restore","h":"#backup-and-restore-with-external-datastore","p":2609},{"i":2616,"t":"See the k3s etcd-snapshot command documentation for information on performing backup and restore operations on the embedded etcd datastore.","s":"Backup and Restore with Embedded etcd Datastore","u":"/kr/datastore/backup-restore","h":"#backup-and-restore-with-embedded-etcd-datastore","p":2609},{"i":2618,"t":"This section describes how to install an external load balancer in front of a High Availability (HA) K3s cluster's server nodes. Two examples are provided: Nginx and HAProxy. 팁 External load-balancers should not be confused with the embedded ServiceLB, which is an embedded controller that allows for use of Kubernetes LoadBalancer Services without deploying a third-party load-balancer controller. For more details, see Service Load Balancer. External load-balancers can be used to provide a fixed registration address for registering nodes, or for external access to the Kubernetes API Server. For exposing LoadBalancer Services, external load-balancers can be used alongside or instead of ServiceLB, but in most cases, replacement load-balancer controllers such as MetalLB or Kube-VIP are a better choice.","s":"Cluster Load Balancer","u":"/kr/datastore/cluster-loadbalancer","h":"","p":2617},{"i":2620,"t":"All nodes in this example are running Ubuntu 20.04. For both examples, assume that a HA K3s cluster with embedded etcd has been installed on 3 nodes. Each k3s server is configured with: # /etc/rancher/k3s/config.yaml token: lb-cluster-gd tls-san: 10.10.10.100 The nodes have hostnames and IPs of: server-1: 10.10.10.50 server-2: 10.10.10.51 server-3: 10.10.10.52 Two additional nodes for load balancing are configured with hostnames and IPs of: lb-1: 10.10.10.98 lb-2: 10.10.10.99 Three additional nodes exist with hostnames and IPs of: agent-1: 10.10.10.101 agent-2: 10.10.10.102 agent-3: 10.10.10.103","s":"Prerequisites","u":"/kr/datastore/cluster-loadbalancer","h":"#prerequisites","p":2617},{"i":2622,"t":"HAProxy Nginx HAProxy is an open source option that provides a TCP load balancer. It also supports HA for the load balancer itself, ensuring redundancy at all levels. See HAProxy Documentation for more info. Additionally, we will use KeepAlived to generate a virtual IP (VIP) that will be used to access the cluster. See KeepAlived Documentation for more info. Install HAProxy and KeepAlived: sudo apt-get install haproxy keepalived Add the following to /etc/haproxy/haproxy.cfg on lb-1 and lb-2: frontend k3s-frontend bind *:6443 mode tcp option tcplog default_backend k3s-backend backend k3s-backend mode tcp option tcp-check balance roundrobin default-server inter 10s downinter 5s server server-1 10.10.10.50:6443 check server server-2 10.10.10.51:6443 check server server-3 10.10.10.52:6443 check Add the following to /etc/keepalived/keepalived.conf on lb-1 and lb-2: vrrp_script chk_haproxy { script 'killall -0 haproxy' # faster than pidof interval 2 } vrrp_instance haproxy-vip { interface eth1 state # MASTER on lb-1, BACKUP on lb-2 priority # 200 on lb-1, 100 on lb-2 virtual_router_id 51 virtual_ipaddress { 10.10.10.100/24 } track_script { chk_haproxy } } Restart HAProxy and KeepAlived on lb-1 and lb-2: systemctl restart haproxy systemctl restart keepalived On agent-1, agent-2, and agent-3, run the following command to install k3s and join the cluster: curl -sfL https://get.k3s.io | K3S_TOKEN=lb-cluster-gd sh -s - agent --server https://10.10.10.100:6443 You can now use kubectl from server node to interact with the cluster. root@server-1 $ k3s kubectl get nodes -A NAME STATUS ROLES AGE VERSION agent-1 Ready 32s v1.27.3+k3s1 agent-2 Ready 20s v1.27.3+k3s1 agent-3 Ready 9s v1.27.3+k3s1 server-1 Ready control-plane,etcd,master 4m22s v1.27.3+k3s1 server-2 Ready control-plane,etcd,master 3m58s v1.27.3+k3s1 server-3 Ready control-plane,etcd,master 3m12s v1.27.3+k3s1 Nginx Load Balancer​ 위험 Nginx does not natively support a High Availability (HA) configuration. If setting up an HA cluster, having a single load balancer in front of K3s will reintroduce a single point of failure. Nginx Open Source provides a TCP load balancer. See Using nginx as HTTP load balancer for more info. Create a nginx.conf file on lb-1 with the following contents: events {} stream { upstream k3s_servers { server 10.10.10.50:6443; server 10.10.10.51:6443; server 10.10.10.52:6443; } server { listen 6443; proxy_pass k3s_servers; } } Run the Nginx load balancer on lb-1: Using docker: docker run -d --restart unless-stopped \\ -v ${PWD}/nginx.conf:/etc/nginx/nginx.conf \\ -p 6443:6443 \\ nginx:stable Or install nginx and then run: cp nginx.conf /etc/nginx/nginx.conf systemctl start nginx On agent-1, agent-2, and agent-3, run the following command to install k3s and join the cluster: curl -sfL https://get.k3s.io | K3S_TOKEN=lb-cluster-gd sh -s - agent --server https://10.10.10.99:6443 You can now use kubectl from server node to interact with the cluster. root@server1 $ k3s kubectl get nodes -A NAME STATUS ROLES AGE VERSION agent-1 Ready 30s v1.27.3+k3s1 agent-2 Ready 22s v1.27.3+k3s1 agent-3 Ready 13s v1.27.3+k3s1 server-1 Ready control-plane,etcd,master 4m49s v1.27.3+k3s1 server-2 Ready control-plane,etcd,master 3m58s v1.27.3+k3s1 server-3 Ready control-plane,etcd,master 3m16s v1.27.3+k3s1","s":"Setup Load Balancer","u":"/kr/datastore/cluster-loadbalancer","h":"#setup-load-balancer","p":2617},{"i":2624,"t":"위험 Nginx does not natively support a High Availability (HA) configuration. If setting up an HA cluster, having a single load balancer in front of K3s will reintroduce a single point of failure. Nginx Open Source provides a TCP load balancer. See Using nginx as HTTP load balancer for more info. Create a nginx.conf file on lb-1 with the following contents: events {} stream { upstream k3s_servers { server 10.10.10.50:6443; server 10.10.10.51:6443; server 10.10.10.52:6443; } server { listen 6443; proxy_pass k3s_servers; } } Run the Nginx load balancer on lb-1: Using docker: docker run -d --restart unless-stopped \\ -v ${PWD}/nginx.conf:/etc/nginx/nginx.conf \\ -p 6443:6443 \\ nginx:stable Or install nginx and then run: cp nginx.conf /etc/nginx/nginx.conf systemctl start nginx On agent-1, agent-2, and agent-3, run the following command to install k3s and join the cluster: curl -sfL https://get.k3s.io | K3S_TOKEN=lb-cluster-gd sh -s - agent --server https://10.10.10.99:6443 You can now use kubectl from server node to interact with the cluster. root@server1 $ k3s kubectl get nodes -A NAME STATUS ROLES AGE VERSION agent-1 Ready 30s v1.27.3+k3s1 agent-2 Ready 22s v1.27.3+k3s1 agent-3 Ready 13s v1.27.3+k3s1 server-1 Ready control-plane,etcd,master 4m49s v1.27.3+k3s1 server-2 Ready control-plane,etcd,master 3m58s v1.27.3+k3s1 server-3 Ready control-plane,etcd,master 3m16s v1.27.3+k3s1","s":"Nginx Load Balancer","u":"/kr/datastore/cluster-loadbalancer","h":"#nginx-load-balancer","p":2617},{"i":2626,"t":"K3s uses tokens to secure the node join process. Tokens authenticate the cluster to the joining node, and the node to the cluster.","s":"k3s token","u":"/kr/cli/token","h":"","p":2625},{"i":2628,"t":"K3s tokens can be specified in either secure or short format. The secure format is preferred, as it enables the client to authenticate the identity of the cluster it is joining, before sending credentials.","s":"Token Format","u":"/kr/cli/token","h":"#token-format","p":2625},{"i":2630,"t":"The secure token format (occasionally referred to as a \"full\" token) contains the following parts: :: prefix: a fixed K10 prefix that identifies the token format cluster CA hash: The hash of the cluster's server CA certificate, used to authenticate the server to the joining node. For self-signed CA certificates, this is the SHA256 sum of the PEM-formatted certificate, as stored on disk. For custom CA certificates, this is the SHA256 sum of the DER encoding of the root certificate; commonly known as the certificate fingerprint. credentials: The username and password, or bearer token, used to authenticate the joining node to the cluster. TLS Bootstrapping​ When a secure token is specified, the joining node performs the following steps to validate the identity of the server it has connected to, before transmitting credentials: With TLS verification disabled, download the CA bundle from /cacerts on the server it is joining. Calculate the SHA256 hash of the CA certificate, as described above. Compare the calculated SHA256 hash to the hash from the token. If the hash matches, validate that the certificate presented by the server can be validated by the server's CA bundle. If the server certificate is valid, present credentials to join the cluster using either basic or bearer token authentication, depending on the token type.","s":"Secure","u":"/kr/cli/token","h":"#secure","p":2625},{"i":2632,"t":"The short token format includes only the password or bearer token used to authenticate the joining node to the cluster. If a short token is used, the joining node implicitly trusts the CA bundle presented by the server; steps 2-4 in the TLS Bootstrapping process are skipped. The initial connection may be vulnerable to man-in-the-middle attack.","s":"Short","u":"/kr/cli/token","h":"#short","p":2625},{"i":2634,"t":"K3s supports three types of tokens. Only the server token is available by default; additional token types must be configured or created by the administrator. Type CLI Option Environment Variable Server --token K3S_TOKEN Agent --agent-token K3S_AGENT_TOKEN Bootstrap n/a n/a","s":"Token Types","u":"/kr/cli/token","h":"#token-types","p":2625},{"i":2636,"t":"If no token is provided when starting the first server in the cluster, one is created with a random password. The server token is always written to /var/lib/rancher/k3s/server/token, in secure format. The server token can be used to join both server and agent nodes to the cluster. It cannot be changed once the cluster has been created, and anyone with access to the server token essentially has full administrator access to the cluster. This token should be guarded carefully. The server token is also used as the PBKDF2 passphrase for the key used to encrypt confidential information that is persisted to the datastore, such as the secrets-encryption configuration, wireguard keys, and private keys for cluster CA certificates and service-account tokens. For this reason, the token must be backed up alongside the cluster datastore itself. warning Unless custom CA certificates are in use, only the short (password-only) token format can be used when starting the first server in the cluster. This is because the cluster CA hash cannot be known until after the server has generated the self-signed cluster CA certificates. For more information on using custom CA certificates, see the k3s certificate documentation. For more information on backing up your cluster, see the Backup and Restore documentation.","s":"Server","u":"/kr/cli/token","h":"#server","p":2625},{"i":2638,"t":"By default, the agent token is the same as the server token. The agent token can be set before or after the cluster has been started, by changing the CLI option or environment variable on all servers in the cluster. The agent token is similar to the server token in that is it statically configured, and does not expire. The agent token is written to /var/lib/rancher/k3s/server/agent-token, in secure format. If no agent token is specified, this file is a link to the server token.","s":"Agent","u":"/kr/cli/token","h":"#agent","p":2625},{"i":2640,"t":"Version Gate Support for the k3s token command and the ability to join nodes with bootstrap tokens is available starting with the 2023-02 releases (v1.26.2+k3s1, v1.25.7+k3s1, v1.24.11+k3s1, v1.23.17+k3s1). K3s supports dynamically generated, automatically expiring agent bootstrap tokens. Bootstrap tokens can only be used to join agents.","s":"Bootstrap","u":"/kr/cli/token","h":"#bootstrap","p":2625},{"i":2641,"t":"K3s bootstrap tokens use the same generation and validation code as kubeadm token bootstrap tokens, and the k3s token CLI is similar. NAME: k3s token - Manage bootstrap tokens USAGE: k3s token command [command options] [arguments...] COMMANDS: create Create bootstrap tokens on the server delete Delete bootstrap tokens on the server generate Generate and print a bootstrap token, but do not create it on the server list List bootstrap tokens on the server OPTIONS: --help, -h show help k3s token create [token]​ Create a new token. The [token] is the actual token to write, as generated by k3s token generate. If no token is given, a random one will be generated. A token in secure format, including the cluster CA hash, will be written to stdout. The output of this command should be saved, as the secret portion of the token cannot be shown again. Flag Description --data-dir value (data) Folder to hold state default /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root --kubeconfig value (cluster) Server to connect to [$KUBECONFIG] --description value A human friendly description of how this token is used --groups value Extra groups that this token will authenticate as when used for authentication. (default: Default: \"system:bootstrappers:k3s:default-node-token\") --ttl value The duration before the token is automatically deleted (e.g. 1s, 2m, 3h). If set to '0', the token will never expire (default: 24h0m0s) --usages value Describes the ways in which this token can be used. (default: \"signing,authentication\") k3s token delete​ Delete one or more tokens. The full token can be provided, or just the token ID. Flag Description --data-dir value (data) Folder to hold state default /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root --kubeconfig value (cluster) Server to connect to [$KUBECONFIG] k3s token generate​ Generate a randomly-generated bootstrap token. You don't have to use this command in order to generate a token. You can do so yourself as long as it is in the format \"[a-z0-9]6.[a-z0-9]16\", where the first portion is the token ID, and the second portion is the secret. Flag Description --data-dir value (data) Folder to hold state default /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root --kubeconfig value (cluster) Server to connect to [$KUBECONFIG] k3s token list​ List bootstrap tokens, showing their ID, description, and remaining time-to-live. Flag Description --data-dir value (data) Folder to hold state default /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root --kubeconfig value (cluster) Server to connect to [$KUBECONFIG] --output value Output format. Valid options: text, json (default: \"text\")","s":"k3s token","u":"/kr/cli/token","h":"#k3s-token-1","p":2625},{"i":2643,"t":"In this section, you'll learn how to configure the K3s server. Note that servers also run an agent, so all of the configuration options listed in the k3s agent documentation are also supported on servers. Options are documented on this page as CLI flags, but can also be passed as configuration file options. See the Configuration File documentation for more information on using YAML configuration files.","s":"k3s server","u":"/kr/cli/server","h":"","p":2642},{"i":2645,"t":"The following options must be set to the same value on all servers in the cluster. Failure to do so will cause new servers to fail to join the cluster when using embedded etcd, or incorrect operation of the cluster when using an external datastore. --agent-token --cluster-cidr --cluster-dns --cluster-domain --disable-cloud-controller --disable-helm-controller --disable-network-policy --disable-servicelb --egress-selector-mode --flannel-backend --flannel-external-ip --flannel-ipv6-masq --secrets-encryption --service-cidr","s":"Critical Configuration Values","u":"/kr/cli/server","h":"#critical-configuration-values","p":2642},{"i":2648,"t":"Flag Environment Variable Description --datastore-endpoint value K3S_DATASTORE_ENDPOINT Specify etcd, Mysql, Postgres, or Sqlite (default) data source name --datastore-cafile value K3S_DATASTORE_CAFILE TLS Certificate Authority file used to secure datastore backend communication --datastore-certfile value K3S_DATASTORE_CERTFILE TLS certification file used to secure datastore backend communication --datastore-keyfile value K3S_DATASTORE_KEYFILE TLS key file used to secure datastore backend communication --etcd-expose-metrics N/A Expose etcd metrics to client interface (default: false) --etcd-disable-snapshots N/A Disable automatic etcd snapshots --etcd-snapshot-name value N/A Set the base name of etcd snapshots. Default: etcd-snapshot- (default:\"etcd-snapshot\") --etcd-snapshot-schedule-cron value N/A Snapshot interval time in cron spec. eg. every 5 hours '0 */5 _ * _' (default: \"0 */12 * * *\") --etcd-snapshot-retention value N/A Number of snapshots to retain (default: 5) --etcd-snapshot-dir value N/A Directory to save db snapshots (default: ${data-dir}/db/snapshots) --etcd-s3 N/A Enable backup to S3 --etcd-s3-endpoint value N/A S3 endpoint url (default: \"s3.amazonaws.com\") --etcd-s3-endpoint-ca value N/A S3 custom CA cert to connect to S3 endpoint --etcd-s3-skip-ssl-verify N/A Disables S3 SSL certificate validation --etcd-s3-access-key value AWS_ACCESS_KEY_ID S3 access key --etcd-s3-secret-key value AWS_SECRET_ACCESS_KEY S3 secret key --etcd-s3-bucket value N/A S3 bucket name --etcd-s3-region value N/A S3 region / bucket location (optional) (default: \"us-east-1\") --etcd-s3-folder value N/A S3 folder --etcd-s3-insecure Disables S3 over HTTPS --etcd-s3-timeout value S3 timeout (default: 5m0s)","s":"Database","u":"/kr/cli/server","h":"#database","p":2642},{"i":2650,"t":"Flag Environment Variable Description --token value, -t value K3S_TOKEN Shared secret used to join a server or agent to a cluster --token-file value K3S_TOKEN_FILE File containing the cluster-secret/token --agent-token value K3S_AGENT_TOKEN Shared secret used to join agents to the cluster, but not servers --agent-token-file value K3S_AGENT_TOKEN_FILE File containing the agent secret --server value K3S_URL Server to connect to, used to join a cluster --cluster-init K3S_CLUSTER_INIT Initialize a new cluster using embedded Etcd --cluster-reset K3S_CLUSTER_RESET Forget all peers and become sole member of a new cluster","s":"Cluster Options","u":"/kr/cli/server","h":"#cluster-options","p":2642},{"i":2652,"t":"Flag Environment Variable Description --write-kubeconfig value, -o value K3S_KUBECONFIG_OUTPUT Write kubeconfig for admin client to this file --write-kubeconfig-mode value K3S_KUBECONFIG_MODE Write kubeconfig with this mode. The kubeconfig file is owned by root, and written with a default mode of 600. Changing the mode to 644 will allow it to be read by other unprivileged users on the host.","s":"Admin Kubeconfig Options","u":"/kr/cli/server","h":"#admin-kubeconfig-options","p":2642},{"i":2655,"t":"Flag Default Description --debug N/A Turn on debug logs -v value 0 Number for the log level verbosity --vmodule value N/A Comma-separated list of FILE_PATTERN=LOG_LEVEL settings for file-filtered logging --log value, -l value N/A Log to file --alsologtostderr N/A Log to standard error as well as file (if set)","s":"Logging","u":"/kr/cli/server","h":"#logging","p":2642},{"i":2657,"t":"Flag Default Description --bind-address value 0.0.0.0 k3s bind address --https-listen-port value 6443 HTTPS listen port --advertise-address value node-external-ip/node-ip IPv4 address that apiserver uses to advertise to members of the cluster --advertise-port value listen-port/0 Port that apiserver uses to advertise to members of the cluster --tls-san value N/A Add additional hostnames or IPv4/IPv6 addresses as Subject Alternative Names on the TLS cert","s":"Listeners","u":"/kr/cli/server","h":"#listeners","p":2642},{"i":2659,"t":"Flag Default Description --data-dir value, -d value /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root Folder to hold state","s":"Data","u":"/kr/cli/server","h":"#data","p":2642},{"i":2661,"t":"Flag Default Description --secrets-encryption false Enable Secret encryption at rest","s":"Secrets Encryption","u":"/kr/cli/server","h":"#secrets-encryption","p":2642},{"i":2663,"t":"Flag Default Description --cluster-cidr value \"10.42.0.0/16\" IPv4/IPv6 network CIDRs to use for pod IPs --service-cidr value \"10.43.0.0/16\" IPv4/IPv6 network CIDRs to use for service IPs --service-node-port-range value \"30000-32767\" Port range to reserve for services with NodePort visibility --cluster-dns value \"10.43.0.10\" IPv4 Cluster IP for coredns service. Should be in your service-cidr range --cluster-domain value \"cluster.local\" Cluster Domain --flannel-backend value \"vxlan\" One of 'none', 'vxlan', 'ipsec'(deprecated), 'host-gw', 'wireguard-native', or 'wireguard'(deprecated) --flannel-ipv6-masq \"N/A\" Enable IPv6 masquerading for pod --flannel-external-ip \"N/A\" Use node external IP addresses for Flannel traffic --servicelb-namespace value \"kube-system\" Namespace of the pods for the servicelb component --egress-selector-mode value \"agent\" Must be one of the following: disabled: The apiserver does not use agent tunnels to communicate with nodes. Requires that servers run agents, and have direct connectivity to the kubelet on agents, or the apiserver will not be able to function access service endpoints or perform kubectl exec and kubectl logs. agent: The apiserver uses agent tunnels to communicate with nodes. Nodes allow the tunnel connection from loopback addresses. Requires that servers also run agents, or the apiserver will not be able to access service endpoints. The historical default for k3s. pod: The apiserver uses agent tunnels to communicate with nodes and service endpoints, routing endpoint connections to the correct agent by watching Nodes. Nodes allow the tunnel connection from loopback addresses, or a CIDR assigned to their node. cluster: The apiserver uses agent tunnels to communicate with nodes and service endpoints, routing endpoint connections to the correct agent by watching Endpoints. Nodes allow the tunnel connection from loopback addresses, or the configured cluster CIDR range.","s":"Networking","u":"/kr/cli/server","h":"#networking","p":2642},{"i":2665,"t":"Flag Description --default-local-storage-path value Default local storage path for local provisioner storage class","s":"Storage Class","u":"/kr/cli/server","h":"#storage-class","p":2642},{"i":2667,"t":"Flag Description --disable value See \"Using the --disable flag\" --disable-scheduler Disable Kubernetes default scheduler --disable-cloud-controller Disable k3s default cloud controller manager --disable-kube-proxy Disable running kube-proxy --disable-network-policy Disable k3s default network policy controller --disable-helm-controller Disable Helm controller","s":"Kubernetes Components","u":"/kr/cli/server","h":"#kubernetes-components","p":2642},{"i":2669,"t":"Flag Description --etcd-arg value Customized flag for etcd process --kube-apiserver-arg value Customized flag for kube-apiserver process --kube-scheduler-arg value Customized flag for kube-scheduler process --kube-controller-manager-arg value Customized flag for kube-controller-manager process --kube-cloud-controller-manager-arg value Customized flag for kube-cloud-controller-manager process --kubelet-arg value Customized flag for kubelet process --kube-proxy-arg value Customized flag for kube-proxy process","s":"Customized Flags for Kubernetes Processes","u":"/kr/cli/server","h":"#customized-flags-for-kubernetes-processes","p":2642},{"i":2671,"t":"Flag Description --rootless Run rootless --enable-pprof Enable pprof endpoint on supervisor port --docker Use cri-dockerd instead of containerd --prefer-bundled-bin Prefer bundled userspace binaries over host binaries --disable-agent See \"Running Agentless Servers (Experimental)\"","s":"Experimental Options","u":"/kr/cli/server","h":"#experimental-options","p":2642},{"i":2673,"t":"Flag Environment Variable Description --no-flannel N/A Use --flannel-backend=none --no-deploy value N/A Use --disable --cluster-secret value K3S_CLUSTER_SECRET Use --token --flannel-backend wireguard N/A Use --flannel-backend=wireguard-native --flannel-backend value=option1=value N/A Use --flannel-conf to specify the flannel config file with the backend config","s":"Deprecated Options","u":"/kr/cli/server","h":"#deprecated-options","p":2642},{"i":2675,"t":"If an option appears in brackets below, for example [$K3S_TOKEN], it means that the option can be passed in as an environment variable of that name. NAME: k3s server - Run management server USAGE: k3s server [OPTIONS] OPTIONS: --config FILE, -c FILE (config) Load configuration from FILE (default: \"/etc/rancher/k3s/config.yaml\") [$K3S_CONFIG_FILE] --debug (logging) Turn on debug logs [$K3S_DEBUG] -v value (logging) Number for the log level verbosity (default: 0) --vmodule value (logging) Comma-separated list of FILE_PATTERN=LOG_LEVEL settings for file-filtered logging --log value, -l value (logging) Log to file --alsologtostderr (logging) Log to standard error as well as file (if set) --bind-address value (listener) k3s bind address (default: 0.0.0.0) --https-listen-port value (listener) HTTPS listen port (default: 6443) --advertise-address value (listener) IPv4 address that apiserver uses to advertise to members of the cluster (default: node-external-ip/node-ip) --advertise-port value (listener) Port that apiserver uses to advertise to members of the cluster (default: listen-port) (default: 0) --tls-san value (listener) Add additional hostnames or IPv4/IPv6 addresses as Subject Alternative Names on the server TLS cert --data-dir value, -d value (data) Folder to hold state (default: /var/lib/rancher/k3s or $\\{HOME\\}/.rancher/k3s if not root) --cluster-cidr value (networking) IPv4/IPv6 network CIDRs to use for pod IPs (default: 10.42.0.0/16) --service-cidr value (networking) IPv4/IPv6 network CIDRs to use for service IPs (default: 10.43.0.0/16) --service-node-port-range value (networking) Port range to reserve for services with NodePort visibility (default: \"30000-32767\") --cluster-dns value (networking) IPv4 Cluster IP for coredns service. Should be in your service-cidr range (default: 10.43.0.10) --cluster-domain value (networking) Cluster Domain (default: \"cluster.local\") --flannel-backend value (networking) backend<=option1=val1,option2=val2> where backend is one of 'none', 'vxlan', 'ipsec' (deprecated), 'host-gw', 'wireguard-native', 'wireguard' (deprecated) (default: \"vxlan\") --flannel-ipv6-masq (networking) Enable IPv6 masquerading for pod --flannel-external-ip (networking) Use node external IP addresses for Flannel traffic --egress-selector-mode value (networking) One of 'agent', 'cluster', 'pod', 'disabled' (default: \"agent\") --servicelb-namespace value (networking) Namespace of the pods for the servicelb component (default: \"kube-system\") --write-kubeconfig value, -o value (client) Write kubeconfig for admin client to this file [$K3S_KUBECONFIG_OUTPUT] --write-kubeconfig-mode value (client) Write kubeconfig with this mode [$K3S_KUBECONFIG_MODE] --token value, -t value (cluster) Shared secret used to join a server or agent to a cluster [$K3S_TOKEN] --token-file value (cluster) File containing the token [$K3S_TOKEN_FILE] --agent-token value (cluster) Shared secret used to join agents to the cluster, but not servers [$K3S_AGENT_TOKEN] --agent-token-file value (cluster) File containing the agent secret [$K3S_AGENT_TOKEN_FILE] --server value, -s value (cluster) Server to connect to, used to join a cluster [$K3S_URL] --cluster-init (cluster) Initialize a new cluster using embedded Etcd [$K3S_CLUSTER_INIT] --cluster-reset (cluster) Forget all peers and become sole member of a new cluster [$K3S_CLUSTER_RESET] --cluster-reset-restore-path value (db) Path to snapshot file to be restored --kube-apiserver-arg value (flags) Customized flag for kube-apiserver process --etcd-arg value (flags) Customized flag for etcd process --kube-controller-manager-arg value (flags) Customized flag for kube-controller-manager process --kube-scheduler-arg value (flags) Customized flag for kube-scheduler process --kube-cloud-controller-manager-arg value (flags) Customized flag for kube-cloud-controller-manager process --datastore-endpoint value (db) Specify etcd, Mysql, Postgres, or Sqlite (default) data source name [$K3S_DATASTORE_ENDPOINT] --datastore-cafile value (db) TLS Certificate Authority file used to secure datastore backend communication [$K3S_DATASTORE_CAFILE] --datastore-certfile value (db) TLS certification file used to secure datastore backend communication [$K3S_DATASTORE_CERTFILE] --datastore-keyfile value (db) TLS key file used to secure datastore backend communication [$K3S_DATASTORE_KEYFILE] --etcd-expose-metrics (db) Expose etcd metrics to client interface. (default: false) --etcd-disable-snapshots (db) Disable automatic etcd snapshots --etcd-snapshot-name value (db) Set the base name of etcd snapshots (default: etcd-snapshot-) (default: \"etcd-snapshot\") --etcd-snapshot-schedule-cron value (db) Snapshot interval time in cron spec. eg. every 5 hours '* */5 * * *' (default: \"0 */12 * * *\") --etcd-snapshot-retention value (db) Number of snapshots to retain (default: 5) --etcd-snapshot-dir value (db) Directory to save db snapshots. (default: $\\{data-dir\\}/db/snapshots) --etcd-snapshot-compress (db) Compress etcd snapshot --etcd-s3 (db) Enable backup to S3 --etcd-s3-endpoint value (db) S3 endpoint url (default: \"s3.amazonaws.com\") --etcd-s3-endpoint-ca value (db) S3 custom CA cert to connect to S3 endpoint --etcd-s3-skip-ssl-verify (db) Disables S3 SSL certificate validation --etcd-s3-access-key value (db) S3 access key [$AWS_ACCESS_KEY_ID] --etcd-s3-secret-key value (db) S3 secret key [$AWS_SECRET_ACCESS_KEY] --etcd-s3-bucket value (db) S3 bucket name --etcd-s3-region value (db) S3 region / bucket location (optional) (default: \"us-east-1\") --etcd-s3-folder value (db) S3 folder --etcd-s3-insecure (db) Disables S3 over HTTPS --etcd-s3-timeout value (db) S3 timeout (default: 5m0s) --default-local-storage-path value (storage) Default local storage path for local provisioner storage class --disable value (components) Do not deploy packaged components and delete any deployed components (valid items: coredns, servicelb, traefik, local-storage, metrics-server) --disable-scheduler (components) Disable Kubernetes default scheduler --disable-cloud-controller (components) Disable k3s default cloud controller manager --disable-kube-proxy (components) Disable running kube-proxy --disable-network-policy (components) Disable k3s default network policy controller --disable-helm-controller (components) Disable Helm controller --node-name value (agent/node) Node name [$K3S_NODE_NAME] --with-node-id (agent/node) Append id to node name --node-label value (agent/node) Registering and starting kubelet with set of labels --node-taint value (agent/node) Registering kubelet with set of taints --image-credential-provider-bin-dir value (agent/node) The path to the directory where credential provider plugin binaries are located (default: \"/var/lib/rancher/credentialprovider/bin\") --image-credential-provider-config value (agent/node) The path to the credential provider plugin config file (default: \"/var/lib/rancher/credentialprovider/config.yaml\") --docker (agent/runtime) (experimental) Use cri-dockerd instead of containerd --container-runtime-endpoint value (agent/runtime) Disable embedded containerd and use the CRI socket at the given path; when used with --docker this sets the docker socket path --pause-image value (agent/runtime) Customized pause image for containerd or docker sandbox (default: \"rancher/mirrored-pause:3.6\") --snapshotter value (agent/runtime) Override default containerd snapshotter (default: \"overlayfs\") --private-registry value (agent/runtime) Private registry configuration file (default: \"/etc/rancher/k3s/registries.yaml\") --system-default-registry value (agent/runtime) Private registry to be used for all system images [$K3S_SYSTEM_DEFAULT_REGISTRY] --node-ip value, -i value (agent/networking) IPv4/IPv6 addresses to advertise for node --node-external-ip value (agent/networking) IPv4/IPv6 external IP addresses to advertise for node --resolv-conf value (agent/networking) Kubelet resolv.conf file [$K3S_RESOLV_CONF] --flannel-iface value (agent/networking) Override default flannel interface --flannel-conf value (agent/networking) Override default flannel config file --flannel-cni-conf value (agent/networking) Override default flannel cni config file --kubelet-arg value (agent/flags) Customized flag for kubelet process --kube-proxy-arg value (agent/flags) Customized flag for kube-proxy process --protect-kernel-defaults (agent/node) Kernel tuning behavior. If set, error if kernel tunables are different than kubelet defaults. --secrets-encryption Enable secret encryption at rest --enable-pprof (experimental) Enable pprof endpoint on supervisor port --rootless (experimental) Run rootless --prefer-bundled-bin (experimental) Prefer bundled userspace binaries over host binaries --selinux (agent/node) Enable SELinux in containerd [$K3S_SELINUX] --lb-server-port value (agent/node) Local port for supervisor client load-balancer. If the supervisor and apiserver are not colocated an additional port 1 less than this port will also be used for the apiserver client load-balancer. (default: 6444) [$K3S_LB_SERVER_PORT]","s":"K3s Server CLI Help","u":"/kr/cli/server","h":"","p":2642},{"i":2677,"t":"etcd가 아닌 다른 데이터스토어를 사용하여 쿠버네티스를 실행할 수 있는 기능은 K3s를 다른 쿠버네티스 배포판과 차별화합니다. 이 기능은 쿠버네티스 운영자에게 유연성을 제공합니다. 사용 가능한 데이터스토어 옵션을 통해 사용 사례에 가장 적합한 데이터스토어를 선택할 수 있습니다. 예를 들어: 팀에 etcd 운영에 대한 전문 지식이 없는 경우, MySQL 또는 PostgreSQL과 같은 엔터프라이즈급 SQL 데이터베이스를 선택할 수 있습니다. CI/CD 환경에서 단순하고 수명이 짧은 클러스터를 실행해야 하는 경우, 임베디드 SQLite 데이터베이스를 사용할 수 있습니다. 엣지에 Kubernetes를 배포하고 고가용성 솔루션이 필요하지만 엣지에서 데이터베이스를 관리하는 데 따른 운영 오버헤드를 감당할 수 없는 경우, 임베디드 etcd를 기반으로 구축된 K3s의 임베디드 HA 데이터스토어를 사용할 수 있습니다. K3s는 다음과 같은 데이터스토어 옵션을 지원합니다: 임베디드 SQLite SQLite는 여러 서버가 있는 클러스터에서는 사용할 수 없습니다. SQLite는 기본 데이터스토어이며, 다른 데이터스토어 구성이 없고 디스크에 임베디드 etcd 데이터베이스 파일이 없는 경우 사용됩니다. 임베디드 etcd 여러 서버에서 임베디드 etcd를 사용하는 방법에 대한 자세한 내용은 고가용성 임베디드 etcd 설명서를 참조하세요. K3s가 새 etcd 클러스터를 초기화하거나 기존 etcd 클러스터에 가입하도록 구성되었거나 시작 시 디스크에 etcd 데이터베이스 파일이 있는 경우 임베디드 etcd가 자동으로 선택됩니다. 외부 데이터베이스 여러 서버에서 외부 데이터스토어를 사용하는 방법에 대한 자세한 내용은 고가용성 외부 DB 설명서를 참조하세요. 지원되는 외부 데이터스토어는 다음과 같습니다: etcd (3.5.4 버전에 대해 검증됨) MySQL (5.7 and 8.0 버전에 대해 검증됨) MariaDB (10.6.8 버전에 대해 검증됨) PostgreSQL (10.7, 11.5, and 14.2 버전에 대해 검증됨)","s":"클러스터 데이터 저장소","u":"/kr/datastore","h":"","p":2676},{"i":2679,"t":"PostgreSQL, MySQL, etcd와 같은 외부 데이터스토어를 사용하려면 K3s가 연결 방법을 알 수 있도록 datastore-endpoint 파라미터를 설정해야 합니다. 또한 연결의 인증 및 암호화를 구성하는 파라미터를 지정할 수도 있습니다. 아래 표에는 이러한 매개변수가 요약되어 있으며, CLI 플래그 또는 환경 변수로 전달할 수 있습니다. CLI Flag Environment Variable Description --datastore-endpoint K3S_DATASTORE_ENDPOINT PostgreSQL, MySQL 또는 etcd 연결 문자열을 지정합니다. 데이터스토어에 대한 연결을 설명하는 데 사용되는 문자열입니다. 이 문자열의 구조는 각 백엔드에 따라 다르며 아래에 자세히 설명되어 있습니다. --datastore-cafile K3S_DATASTORE_CAFILE 데이터스토어와의 통신을 보호하는 데 사용되는 TLS 인증 기관(CA: Certificate Authority) 파일입니다. 데이터스토어에서 사용자 지정 인증 기관에서 서명한 인증서를 사용하여 TLS를 통해 요청을 제공하는 경우, 이 매개변수를 사용하여 해당 CA를 지정하면 K3s 클라이언트가 인증서를 올바르게 확인할 수 있습니다. --datastore-certfile K3S_DATASTORE_CERTFILE 데이터스토어에 대한 클라이언트 인증서 기반 인증에 사용되는 TLS 인증서 파일입니다. 이 기능을 사용하려면 데이터스토어가 클라이언트 인증서 기반 인증을 지원하도록 구성되어 있어야 합니다. 이 파라미터를 지정하는 경우 datastore-keyfile 파라미터도 지정해야 합니다. --datastore-keyfile K3S_DATASTORE_KEYFILE 데이터스토어에 대한 클라이언트 인증서 기반 인증에 사용되는 TLS 키 파일입니다. 자세한 내용은 이전 datastore-certfile 매개변수를 참조하세요. 데이터베이스 자격 증명이나 기타 민감한 정보가 프로세스 정보의 일부로 노출되지 않도록 이러한 매개 변수를 명령줄 인수가 아닌 환경 변수로 설정하는 것이 좋습니다.","s":"외부 데이터스토어 구성 파라미터","u":"/kr/datastore","h":"#외부-데이터스토어-구성-파라미터","p":2676},{"i":2681,"t":"앞서 언급했듯이, datastore-endpoint 매개변수에 전달되는 값의 형식은 데이터스토어 백엔드에 따라 달라집니다. 다음은 지원되는 각 외부 데이터스토어에 대한 이 형식과 기능에 대해 자세히 설명합니다. PostgreSQL MySQL / MariaDB etcd 가장 일반적인 형식의 PostgreSQL용 데이터 저장소 엔드포인트 매개 변수는 다음과 같은 형식을 갖습니다: postgres://username:password@hostname:port/database-name 더 고급 구성 매개변수를 사용할 수 있습니다. 이에 대한 자세한 내용은 https://godoc.org/github.com/lib/pq 을 참조하세요. 데이터베이스 이름을 지정했는데 해당 데이터베이스가 존재하지 않으면 서버에서 데이터베이스 생성을 시도합니다. 엔드포인트로 postgres://만 제공하는 경우, K3s는 다음을 시도합니다: 사용자 이름과 비밀번호로 postgres를 사용하여 localhost에 연결합니다. kubernetes라는 이름의 데이터베이스를 생성합니다. 가장 일반적인 형태인 MySQL과 MariaDB의 datastore-endpoint 파라미터는 다음과 같은 형식을 갖습니다: mysql://username:password@tcp(hostname:3306)/database-name 더 고급 구성 매개변수를 사용할 수도 있습니다. 이에 대한 자세한 내용은 https://github.com/go-sql-driver/mysql#dsn-data-source-name 을 참조하세요. K3s의 알려진 이슈로 인해 tls 파라미터를 설정할 수 없습니다. TLS 통신은 지원되지만 예를 들어 이 매개변수를 \"skip-verify\"로 설정하여 K3s가 인증서 확인을 건너뛰도록 할 수는 없습니다. 데이터베이스 이름을 지정했는데 데이터베이스가 존재하지 않으면 서버에서 만들려고 시도합니다. 엔드포인트로 mysql://만 제공하는 경우, K3s는 다음을 시도합니다: root 사용자와 비밀번호를 사용하지 않고 /var/run/mysqld/mysqld.sock에서 MySQL 소켓에 연결합니다. kubernetes라는 이름의 데이터베이스를 생성합니다. 가장 일반적인 형태인 etcd의 datastore-endpoint 파라미터의 형식은 다음과 같습니다: https://etcd-host-1:2379,https://etcd-host-2:2379,https://etcd-host-3:2379 위는 일반적인 세 개의 노드인 etcd 클러스터를 가정합니다. 이 매개변수는 쉼표로 구분된 하나 이상의 etcd URL을 사용할 수 있습니다.","s":"데이터스토어 엔드포인트 형식 및 기능","u":"/kr/datastore","h":"#데이터스토어-엔드포인트-형식-및-기능","p":2676},{"i":2683,"t":"warning Embedded etcd (HA) may have performance issues on slower disks such as Raspberry Pis running with SD cards.","s":"High Availability Embedded etcd","u":"/kr/datastore/ha-embedded","h":"","p":2682},{"i":2685,"t":"To run K3s in this mode, you must have an odd number of server nodes. We recommend starting with three nodes. To get started, first launch a server node with the cluster-init flag to enable clustering and a token that will be used as a shared secret to join additional servers to the cluster. curl -sfL https://get.k3s.io | K3S_TOKEN=SECRET sh -s - server --cluster-init After launching the first server, join the second and third servers to the cluster using the shared secret: curl -sfL https://get.k3s.io | K3S_TOKEN=SECRET sh -s - server --server https://:6443 Check to see that the second and third servers are now part of the cluster: $ kubectl get nodes NAME STATUS ROLES AGE VERSION server1 Ready control-plane,etcd,master 28m vX.Y.Z server2 Ready control-plane,etcd,master 13m vX.Y.Z Now you have a highly available control plane. Any successfully clustered servers can be used in the --server argument to join additional server and worker nodes. Joining additional worker nodes to the cluster follows the same procedure as a single server cluster. There are a few config flags that must be the same in all server nodes: Network related flags: --cluster-dns, --cluster-domain, --cluster-cidr, --service-cidr Flags controlling the deployment of certain components: --disable-helm-controller, --disable-kube-proxy, --disable-network-policy and any component passed to --disable Feature related flags: --secrets-encryption","s":"New cluster","u":"/kr/datastore/ha-embedded","h":"#new-cluster","p":2682},{"i":2687,"t":"If you have an existing cluster using the default embedded SQLite database, you can convert it to etcd by simply restarting your K3s server with the --cluster-init flag. Once you've done that, you'll be able to add additional instances as described above. If an etcd datastore is found on disk either because that node has either initialized or joined a cluster already, the datastore arguments (--cluster-init, --server, --datastore-endpoint, etc) are ignored. Important: K3s v1.22.2 and newer support migration from SQLite to etcd. Older versions will create a new empty datastore if you add --cluster-init to an existing server.","s":"Existing clusters","u":"/kr/datastore/ha-embedded","h":"#existing-clusters","p":2682},{"i":2689,"t":"자주 묻는 질문은 주기적으로 업데이트되며, 사용자가 K3s에 대해 가장 자주 묻는 질문에 대한 답변으로 구성되어 있습니다.","s":"자주 묻는 질문","u":"/kr/faq","h":"","p":2688},{"i":2691,"t":"K3s는 CNCF 인증을 받은 Kubernetes 배포판으로, 표준 Kubernetes 클러스터에 필요한 모든 작업을 수행할 수 있습니다. 단지 더 가벼운 버전일 뿐입니다. 자세한 내용은 main 문서 페이지를 참조하세요.","s":"K3s가 Kubernetes를 대체하기에 적합한가요?","u":"/kr/faq","h":"#k3s가-kubernetes를-대체하기에-적합한가요","p":2688},{"i":2693,"t":"--disable=traefik으로 K3s 서버를 시작하고 인그레스를 배포하기만 하면 됩니다.","s":"Traefik 대신 자체 Ingress를 사용하려면 어떻게 해야 하나요?","u":"/kr/faq","h":"#traefik-대신-자체-ingress를-사용하려면-어떻게-해야-하나요","p":2688},{"i":2695,"t":"현재 K3s는 기본적으로 Windows를 지원하지 않지만, 추후에 지원할 수 있습니다.","s":"K3s는 Windows를 지원하나요?","u":"/kr/faq","h":"#k3s는-windows를-지원하나요","p":2688},{"i":2697,"t":"K3s BUILDING.md에서 지침을 참조하시기 바랍니다.","s":"소스로부터 빌드하려면 어떻게 해야 하나요?","u":"/kr/faq","h":"#소스로부터-빌드하려면-어떻게-해야-하나요","p":2688},{"i":2699,"t":"K3s 로그의 위치는 K3s를 실행하는 방법과 노드의 OS에 따라 달라집니다. 명령줄에서 실행할 경우, 로그는 stdout과 stderr로 전송됩니다. openrc에서 실행하면 /var/log/k3s.log에 로그가 생성됩니다. Systemd에서 실행하는 경우, 로그는 저널널로 전송되며 journalctl -u k3s를 사용하여 볼 수 있습니다. 파드 로그는 /var/log/pods에서 확인할 수 있습니다. 컨테이너 로그는 /var/lib/rancher/k3s/agent/containerd/containerd.log에서 확인할 수 있습니다. K3s를 시작할 때 --debug 플래그(또는 환경설정 파일에서 debug: true)를 사용하면 더 자세한 로그를 생성할 수 있습니다. 쿠버네티스는 프로세스 내의 모든 컴포넌트에 대해 단일 로깅 구성을 사용하는 klog라는 로깅 프레임워크를 사용합니다. K3s는 단일 프로세스 내에서 모든 쿠버네티스 컴포넌트를 실행하기 때문에, 개별 쿠버네티스 컴포넌트에 대해 다른 로그 레벨이나 대상을 구성할 수 없습니다. -v=또는--vmodule== 컴포넌트 인수를 사용하면 원하는 효과를 얻지 못할 수 있습니다. 더 많은 로그 옵션은 추가 로깅 소스를 참조하세요.","s":"K3s 로그는 어디에 있나요?","u":"/kr/faq","h":"#k3s-로그는-어디에-있나요","p":2688},{"i":2701,"t":"예, Docker에서 K3s를 실행하는 방법은 여러 가지가 있습니다. 자세한 내용은 고급 옵션을 참조하세요.","s":"Docker에서 K3s를 실행할 수 있나요?","u":"/kr/faq","h":"#docker에서-k3s를-실행할-수-있나요","p":2688},{"i":2703,"t":"K3s 조인 토큰 관리에 대한 자세한 내용은 k3s token 명령어 설명서를 참조하세요.","s":"K3s 서버와 에이전트 토큰의 차이점은 무엇인가요?","u":"/kr/faq","h":"#k3s-서버와-에이전트-토큰의-차이점은-무엇인가요","p":2688},{"i":2705,"t":"일반적으로 쿠버네티스 버전 skew 정책이 적용됩니다. 즉, 서버가 에이전트보다 최신 버전일 수는 있지만 에이전트가 서버보다 최신 버전일 수는 없습니다.","s":"K3s의 다른 버전들은 얼마나 호환되나요?","u":"/kr/faq","h":"#k3s의-다른-버전들은-얼마나-호환되나요","p":2688},{"i":2707,"t":"K3s를 배포하는 데 문제가 있는 경우 다음과 같이 하세요: 알려진 문제 페이지를 확인하세요. 추가 OS 준비사항을 모두 해결했는지 확인합니다. k3s check-config를 실행하고 통과했는지 확인합니다. K3s 이슈 및 토론에서 문제와 일치하는 항목을 검색합니다. Rancher 슬랙 K3s 채널에 가입하여 도움을 받습니다. K3s 깃허브에 설정과 발생한 문제를 설명하는 새 이슈를 제출합니다.","s":"문제가 발생했는데 어디서 도움을 받을 수 있나요?","u":"/kr/faq","h":"#문제가-발생했는데-어디서-도움을-받을-수-있나요","p":2688},{"i":2709,"t":"This section contains instructions for installing K3s in various environments. Please ensure you have met the Requirements before you begin installing K3s. Configuration Options provides guidance on the options available to you when installing K3s. Private Registry Configuration covers use of registries.yaml to configure container image registry mirrors. Embedded Mirror shows how to enable the embedded distributed image registry mirror. Air-Gap Install details how to set up K3s in environments that do not have direct access to the Internet. Managing Server Roles details how to set up K3s with dedicated control-plane or etcd servers. Managing Packaged Components details how to disable packaged components, or install your own using auto-deploying manifests. Uninstalling K3s details how to remove K3s from a host.","s":"Installation","u":"/kr/installation","h":"","p":2708},{"i":2711,"t":"헬름(Helm)은 쿠버네티스를 위한 패키지 관리 도구입니다. 헬름 차트는 쿠버네티스 YAML 매니페스트 문서를 위한 템플릿 구문을 제공합니다. 개발자 또는 클러스터 관리자는 헬름을 사용하여 정적 매니페스트만 사용하는 대신 차트라는 구성 가능한 템플릿을 만들 수 있다. 자신만의 차트 카탈로그 생성에 대한 자세한 내용은 https://helm.sh/docs/intro/quickstart/에서 문서를 확인하세요. K3s는 헬름을 지원하기 위한 별도의 구성이 필요하지 않습니다. 다만, 클러스터 액세스 문서에 따라 kubeconfig 경로를 올바르게 설정했는지 확인하면 됩니다. K3s에는 헬름 차트의 설치, 업그레이드/재구성 및 제거를 관리하는 Helm Controller가 포함되어 있으며, 헬름 차트 커스텀 리소스 정의(CRD)를 사용하여 헬름 차트를 설치, 업그레이드/재구성 및 제거할 수 있습니다. 애드온 매니페스트 자동 배포](./installation/packaged-components.md)와 함께 사용하면 디스크에 단일 파일을 생성하여 클러스터에 헬름 차트를 설치하는 것을 자동화할 수 있습니다.","s":"헬름(Helm)","u":"/kr/helm","h":"","p":2710},{"i":2713,"t":"헬름 차트 커스텀 리소스는 일반적으로 helm 명령줄 도구에 전달할 대부분의 옵션을 담고 있습니다. 다음은 Bitnami 차트 저장소에서 아파치를 배포하여 기본 차트 값 중 일부를 재정의하는 방법에 대한 예제입니다. HelmChart 리소스 자체는 kube-system 네임스페이스에 있지만, 차트의 리소스는 동일한 매니페스트에 생성되는 web 네임스페이스에 배포된다는 점에 유의하세요. 이는 HelmChart 리소스를 배포하는 리소스와 분리하여 유지하려는 경우에 유용할 수 있습니다. apiVersion: v1 kind: Namespace metadata: name: web --- apiVersion: helm.cattle.io/v1 kind: HelmChart metadata: name: apache namespace: kube-system spec: repo: https://charts.bitnami.com/bitnami chart: apache targetNamespace: web valuesContent: |- service: type: ClusterIP ingress: enabled: true hostname: www.example.com metrics: enabled: true HelmChart 필드 정의​ 필드 기본값 설명 헬름 인수 / 플래그 상응값 metadata.name 헬름 차트 이름 NAME spec.chart 리포지토리에 있는 헬름 차트 이름 또는 차트 아카이브(.tgz)에 대한 전체 HTTPS URL CHART spec.targetNamespace default 헬름 차트 대상 네임스페이스 --namespace spec.version 헬름 차트 버전(리포지토리에서 설치하는 경우) --version spec.repo 헬름 차트 리포지토리 URL --repo spec.repoCA HTTPS 사용 서버의 인증서를 지정 --ca-file spec.helmVersion v3 사용할 헬름 버전 (v2 혹은 v3) spec.bootstrap False 클러스터(클라우드 컨트롤러 관리자 등)를 부트스트랩하는 데 이 차트가 필요한 경우 True로 설정합니다. spec.set 간단한 기본 차트 값을 재정의합니다. 값을 통해 설정된 옵션보다 우선합니다. --set / --set-string spec.jobImage 헬름 차트를 설치할 때 사용할 이미지를 지정합니다. 예시. rancher/klipper-helm:v0.3.0 . spec.timeout 300 헬름 작업 시간 초과(초) --timeout spec.failurePolicy reinstall abort로 설정하면 헬름 작업이 중단되고 운영자의 수동 개입이 있을 때까지 중단된다. spec.valuesContent YAML 파일 콘텐츠를 통해 복잡한 기본 차트 값 재정의 --values spec.chartContent Base64로 인코딩된 차트 아카이브 .tgz - spec.chart를 재정의합니다. CHART /var/lib/rancher/k3s/server/static/에 위치한 콘텐츠는 클러스터 내에서 쿠버네티스 APIServer를 통해 익명으로 액세스할 수 있습니다. 이 URL은 spec.chart 필드에 있는 특수 변수 %{KUBERNETES_API}%를 사용하여 템플릿화할 수 있습니다. 예를 들어, 패키지화된 Traefik 컴포넌트는 https://%{KUBERNETES_API}%/static/charts/traefik-12.0.000.tgz에서 해당 차트를 로드합니다. 비고 name 필드는 헬름 차트 명명 규칙을 따라야 합니다. 자세한 내용은 헬름 베스트 프랙티스 문서를 참고하세요.","s":"헬름 컨트롤러 사용하기","u":"/kr/helm","h":"#헬름-컨트롤러-사용하기","p":2710},{"i":2715,"t":"Version Gate v1.19.1+k3s1 부터 사용 가능 HelmChart로 배포되는 패키지 컴포넌트(예로 Traefik)의 값을 재정의할 수 있도록, K3s는 HelmChartConfig 리소스를 통해 배포를 사용자 정의할 수 있도록 지원합니다. HelmChartConfig 리소스는 해당 HelmChart의 이름과 네임스페이스와 일치해야 하며, 추가 값 파일로 helm 명령에 전달되는 valuesContent를 추가로 제공할 수 있도록 지원합니다. 비고 HelmChart spec.set 값은 HelmChart 및 HelmChartConfig spec.valuesContent 설정을 재정의합니다. 예를 들어, 패키징된 트래픽 인그레스 구성을 사용자 정의하려면 /var/lib/rancher/k3s/server/manifests/traefik-config.yaml이라는 파일을 생성하고 다음 내용으로 채우면 됩니다: apiVersion: helm.cattle.io/v1 kind: HelmChartConfig metadata: name: traefik namespace: kube-system spec: valuesContent: |- image: name: traefik tag: v2.8.5 forwardedHeaders: enabled: true trustedIPs: - 10.0.0.0/8 ssl: enabled: true permanentRedirect: false","s":"HelmChartConfig로 패키지 컴포넌트 커스터마이징하기","u":"/kr/helm","h":"#helmchartconfig로-패키지-컴포넌트-커스터마이징하기","p":2710},{"i":2717,"t":"Version Gate v1.17.v1.17.0+k3s.1부터 헬름 v3가 기본적으로 지원 및 사용됩니다. K3s는 헬름 v2 또는 헬름 v3를 처리할 수 있습니다. 헬름 v3로 마이그레이션하려는 경우, 이 헬름 블로그 게시물에서 플러그인을 사용하여 성공적으로 마이그레이션하는 방법을 설명합니다. 자세한 내용은 헬름 3 공식 문서 여기를 참고하세요. 클러스터 접근에 대한 섹션에 따라 kubeconfig를 올바르게 설정했는지 확인하세요. 비고 헬름 3에서는 더 이상 Tiller와 helm init 명령이 필요하지 않습니다. 자세한 내용은 공식 문서를 참고하세요.","s":"헬름 버전 2에서 마이그레이션하기","u":"/kr/helm","h":"#헬름-버전-2에서-마이그레이션하기","p":2710},{"i":2719,"t":"Note: Official support for installing Rancher on a Kubernetes cluster was introduced in our v1.0.0 release. This section describes how to install a high-availability K3s cluster with an external database. Single server clusters can meet a variety of use cases, but for environments where uptime of the Kubernetes control plane is critical, you can run K3s in an HA configuration. An HA K3s cluster is comprised of: Two or more server nodes that will serve the Kubernetes API and run other control plane services Zero or more agent nodes that are designated to run your apps and services An external datastore (as opposed to the embedded SQLite datastore used in single-server setups) A fixed registration address that is placed in front of the server nodes to allow agent nodes to register with the cluster For more details on how these components work together, refer to the architecture section. Agents register through the fixed registration address, but after registration they establish a connection directly to one of the server nodes. This is a websocket connection initiated by the k3s agent process, it is maintained by a client-side load balancer running as part of the agent process.","s":"High Availability External DB","u":"/kr/datastore/ha","h":"","p":2718},{"i":2721,"t":"Setting up an HA cluster requires the following steps:","s":"Installation Outline","u":"/kr/datastore/ha","h":"#installation-outline","p":2718},{"i":2723,"t":"You will first need to create an external datastore for the cluster. See the Cluster Datastore Options documentation for more details.","s":"1. Create an External Datastore","u":"/kr/datastore/ha","h":"#1-create-an-external-datastore","p":2718},{"i":2725,"t":"K3s requires two or more server nodes for this HA configuration. See the Requirements guide for minimum machine requirements. When running the k3s server command on these nodes, you must set the datastore-endpoint parameter so that K3s knows how to connect to the external datastore. The token parameter can also be used to set a deterministic token when adding nodes. When empty, this token will be generated automatically for further use. For example, a command like the following could be used to install the K3s server with a MySQL database as the external datastore and set a token: curl -sfL https://get.k3s.io | sh -s - server \\ --token=SECRET \\ --datastore-endpoint=\"mysql://username:password@tcp(hostname:3306)/database-name\" The datastore endpoint format differs based on the database type. For details, refer to the section on datastore endpoint formats. To configure TLS certificates when launching server nodes, refer to the datastore configuration guide. 비고 The same installation options available to single-server installs are also available for high-availability installs. For more details, see the Configuration Options documentation. By default, server nodes will be schedulable and thus your workloads can get launched on them. If you wish to have a dedicated control plane where no user workloads will run, you can use taints. The node-taint parameter will allow you to configure nodes with taints, for example --node-taint CriticalAddonsOnly=true:NoExecute. Once you've launched the k3s server process on all server nodes, ensure that the cluster has come up properly with k3s kubectl get nodes. You should see your server nodes in the Ready state.","s":"2. Launch Server Nodes","u":"/kr/datastore/ha","h":"#2-launch-server-nodes","p":2718},{"i":2727,"t":"Agent nodes need a URL to register against. This can be the IP or hostname of any of the server nodes, but in many cases those may change over time. For example, if you are running your cluster in a cloud that supports scaling groups, you may scale the server node group up and down over time, causing nodes to be created and destroyed and thus having different IPs from the initial set of server nodes. Therefore, you should have a stable endpoint in front of the server nodes that will not change over time. This endpoint can be set up using any number approaches, such as: A layer-4 (TCP) load balancer Round-robin DNS Virtual or elastic IP addresses This endpoint can also be used for accessing the Kubernetes API. So you can, for example, modify your kubeconfig file to point to it instead of a specific node. To avoid certificate errors in such a configuration, you should install the server with the --tls-san YOUR_IP_OR_HOSTNAME_HERE option. This option adds an additional hostname or IP as a Subject Alternative Name in the TLS cert, and it can be specified multiple times if you would like to access via both the IP and the hostname.","s":"3. Configure the Fixed Registration Address","u":"/kr/datastore/ha","h":"#3-configure-the-fixed-registration-address","p":2718},{"i":2729,"t":"The same example command in Step 2 can be used to join additional server nodes, where the token from the first node needs to be used. If the first server node was started without the --token CLI flag or K3S_TOKEN variable, the token value can be retrieved from any server already joined to the cluster: cat /var/lib/rancher/k3s/server/token Additional server nodes can then be added using the token: curl -sfL https://get.k3s.io | sh -s - server \\ --token=SECRET \\ --datastore-endpoint=\"mysql://username:password@tcp(hostname:3306)/database-name\" There are a few config flags that must be the same in all server nodes: Network related flags: --cluster-dns, --cluster-domain, --cluster-cidr, --service-cidr Flags controlling the deployment of certain components: --disable-helm-controller, --disable-kube-proxy, --disable-network-policy and any component passed to --disable Feature related flags: --secrets-encryption 비고 Ensure that you retain a copy of this token as it is required when restoring from backup and adding nodes. Previously, K3s did not enforce the use of a token when using external SQL datastores.","s":"4. Optional: Join Additional Server Nodes","u":"/kr/datastore/ha","h":"#4-optional-join-additional-server-nodes","p":2718},{"i":2731,"t":"Because K3s server nodes are schedulable by default, the minimum number of nodes for an HA K3s server cluster is two server nodes and zero agent nodes. To add nodes designated to run your apps and services, join agent nodes to your cluster. Joining agent nodes in an HA cluster is the same as joining agent nodes in a single server cluster. You just need to specify the URL the agent should register to and the token it should use. K3S_TOKEN=SECRET k3s agent --server https://fixed-registration-address:6443","s":"5. Optional: Join Agent Nodes","u":"/kr/datastore/ha","h":"#5-optional-join-agent-nodes","p":2718},{"i":2733,"t":"You can install K3s in an air-gapped environment using two different methods. An air-gapped environment is any environment that is not directly connected to the Internet. You can either deploy a private registry and mirror docker.io, or you can manually deploy images such as for small clusters.","s":"Air-Gap Install","u":"/kr/installation/airgap","h":"","p":2732},{"i":2736,"t":"These steps assume you have already created nodes in your air-gap environment, are using the bundled containerd as the container runtime, and have a OCI-compliant private registry available in your environment. If you have not yet set up a private Docker registry, refer to the official Registry documentation. Create the Registry YAML and Push Images​ Obtain the images archive for your architecture from the releases page for the version of K3s you will be running. Use docker image load k3s-airgap-images-amd64.tar.zst to import images from the tar file into docker. Use docker tag and docker push to retag and push the loaded images to your private registry. Follow the Private Registry Configuration guide to create and configure the registries.yaml file. Proceed to the Install K3s section below.","s":"Private Registry Method","u":"/kr/installation/airgap","h":"#private-registry-method","p":2732},{"i":2738,"t":"These steps assume you have already created nodes in your air-gap environment, are using the bundled containerd as the container runtime, and cannot or do not want to use a private registry. This method requires you to manually deploy the necessary images to each node, and is appropriate for edge deployments where running a private registry is not practical. Prepare the Images Directory and Airgap Image Tarball​ Obtain the images archive for your architecture from the releases page for the version of K3s you will be running. Download the images archive to the agent's images directory, for example: sudo mkdir -p /var/lib/rancher/k3s/agent/images/ sudo curl -L -O /var/lib/rancher/k3s/agent/images/k3s-airgap-images-amd64.tar.zst https://github.com/k3s-io/k3s/releases/download/v1.29.1-rc2%2Bk3s1/k3s-airgap-images-amd64.tar.zst Proceed to the Install K3s section below.","s":"Manually Deploy Images Method","u":"/kr/installation/airgap","h":"#manually-deploy-images-method","p":2732},{"i":2740,"t":"Version Gate The Embedded Registry Mirror is available as an experimental feature as of January 2024 releases: v1.26.13+k3s1, v1.27.10+k3s1, v1.28.6+k3s1, v1.29.1+k3s1 K3s includes an embedded distributed OCI-compliant registry mirror. When enabled and properly configured, images available in the containerd image store on any node can be pulled by other cluster members without access to an external image registry. The mirrored images may be sourced from an upstream registry, registry mirror, or airgap image tarball. For more information on enabling the embedded distributed registry mirror, see the Embedded Registry Mirror documentation.","s":"Embedded Registry Mirror","u":"/kr/installation/airgap","h":"#embedded-registry-mirror","p":2732},{"i":2743,"t":"Before installing K3s, complete the Private Registry Method or the Manually Deploy Images Method above to prepopulate the images that K3s needs to install. Binaries​ Download the K3s binary from the releases page, matching the same version used to get the airgap images. Place the binary in /usr/local/bin on each air-gapped node and ensure it is executable. Download the K3s install script at get.k3s.io. Place the install script anywhere on each air-gapped node, and name it install.sh. Default Network Route​ If your nodes do not have an interface with a default route, a default route must be configured; even a black-hole route via a dummy interface will suffice. K3s requires a default route in order to auto-detect the node's primary IP, and for kube-proxy ClusterIP routing to function properly. To add a dummy route, do the following: ip link add dummy0 type dummy ip link set dummy0 up ip addr add 203.0.113.254/31 dev dummy0 ip route add default via 203.0.113.255 dev dummy0 metric 1000 When running the K3s script with the INSTALL_K3S_SKIP_DOWNLOAD environment variable, K3s will use the local version of the script and binary. SELinux RPM​ If you intend to deploy K3s with SELinux enabled, you will need also install the appropriate k3s-selinux RPM on all nodes. The latest version of the RPM can be found here. For example, on CentOS 8: On internet accessible machine: curl -LO https://github.com/k3s-io/k3s-selinux/releases/download/v1.4.stable.1/k3s-selinux-1.4-1.el8.noarch.rpm # Transfer RPM to air-gapped machine On air-gapped machine: sudo yum install ./k3s-selinux-1.4-1.el8.noarch.rpm See the SELinux section for more information.","s":"Prerequisites","u":"/kr/installation/airgap","h":"#prerequisites","p":2732},{"i":2745,"t":"You can install K3s on one or more servers as described below. Single Server Configuration High Availability Configuration To install K3s on a single server, simply do the following on the server node: INSTALL_K3S_SKIP_DOWNLOAD=true ./install.sh To add additional agents, do the following on each agent node: INSTALL_K3S_SKIP_DOWNLOAD=true K3S_URL=https://:6443 K3S_TOKEN= ./install.sh 비고 The token from the server is typically found at /var/lib/rancher/k3s/server/token. Reference the High Availability with an External DB or High Availability with Embedded DB guides. You will be tweaking install commands so you specify INSTALL_K3S_SKIP_DOWNLOAD=true and run your install script locally instead of via curl. You will also utilize INSTALL_K3S_EXEC='args' to supply any arguments to k3s. For example, step two of the High Availability with an External DB guide mentions the following: curl -sfL https://get.k3s.io | sh -s - server \\ --token=SECRET \\ --datastore-endpoint=\"mysql://username:password@tcp(hostname:3306)/database-name\" Instead, you would modify such examples like below: INSTALL_K3S_SKIP_DOWNLOAD=true INSTALL_K3S_EXEC='server --token=SECRET' \\ K3S_DATASTORE_ENDPOINT='mysql://username:password@tcp(hostname:3306)/database-name' \\ ./install.sh 비고 K3s's --resolv-conf flag is passed through to the kubelet, which may help with configuring pod DNS resolution in air-gap networks where the host does not have upstream nameservers configured.","s":"Installing K3s in an Air-Gapped Environment","u":"/kr/installation/airgap","h":"#installing-k3s-in-an-air-gapped-environment","p":2732},{"i":2748,"t":"Upgrading an air-gap environment can be accomplished in the following manner: Download the new air-gap images (tar file) from the releases page for the version of K3s you will be upgrading to. Place the tar in the /var/lib/rancher/k3s/agent/images/ directory on each node. Delete the old tar file. Copy and replace the old K3s binary in /usr/local/bin on each node. Copy over the install script at https://get.k3s.io (as it is possible it has changed since the last release). Run the script again just as you had done in the past with the same environment variables. Restart the K3s service (if not restarted automatically by installer).","s":"Install Script Method","u":"/kr/installation/airgap","h":"#install-script-method","p":2732},{"i":2750,"t":"K3s supports automated upgrades. To enable this in air-gapped environments, you must ensure the required images are available in your private registry. You will need the version of rancher/k3s-upgrade that corresponds to the version of K3s you intend to upgrade to. Note, the image tag replaces the + in the K3s release with a - because Docker images do not support +. You will also need the versions of system-upgrade-controller and kubectl that are specified in the system-upgrade-controller manifest YAML that you will deploy. Check for the latest release of the system-upgrade-controller here and download the system-upgrade-controller.yaml to determine the versions you need to push to your private registry. For example, in release v0.4.0 of the system-upgrade-controller, these images are specified in the manifest YAML: rancher/system-upgrade-controller:v0.4.0 rancher/kubectl:v0.17.0 Once you have added the necessary rancher/k3s-upgrade, rancher/system-upgrade-controller, and rancher/kubectl images to your private registry, follow the automated upgrades guide.","s":"Automated Upgrades Method","u":"/kr/installation/airgap","h":"#automated-upgrades-method","p":2732},{"i":2753,"t":"On server nodes, any file found in /var/lib/rancher/k3s/server/manifests will automatically be deployed to Kubernetes in a manner similar to kubectl apply, both on startup and when the file is changed on disk. Deleting files out of this directory will not delete the corresponding resources from the cluster. Manifests are tracked as AddOn custom resources in the kube-system namespace. Any errors or warnings encountered when applying the manifest file may seen by using kubectl describe on the corresponding AddOn, or by using kubectl get event -n kube-system to view all events for that namespace, including those from the deploy controller.","s":"Auto-Deploying Manifests (AddOns)","u":"/kr/installation/packaged-components","h":"#auto-deploying-manifests-addons","p":2751},{"i":2755,"t":"K3s comes with a number of packaged components that are deployed as AddOns via the manifests directory: coredns, traefik, local-storage, and metrics-server. The embedded servicelb LoadBalancer controller does not have a manifest file, but can be disabled as if it were an AddOn for historical reasons. Manifests for packaged components are managed by K3s, and should not be altered. The files are re-written to disk whenever K3s is started, in order to ensure their integrity.","s":"Packaged Components","u":"/kr/installation/packaged-components","h":"#packaged-components","p":2751},{"i":2757,"t":"You may place additional files in the manifests directory for deployment as an AddOn. Each file may contain multiple Kubernetes resources, delmited by the --- YAML document separator. For more information on organizing resources in manifests, see the Managing Resources section of the Kubernetes documentation. File Naming Requirements​ The AddOn name for each file in the manifest directory is derived from the file basename. Ensure that all files within the manifests directory (or within any subdirectories) have names that are unique, and adhere to Kubernetes object naming restrictions. Care should also be taken not to conflict with names in use by the default K3s packaged components, even if those components are disabled. Here is en example of an error that would be reported if the file name contains underscores: Failed to process config: failed to process /var/lib/rancher/k3s/server/manifests/example_manifest.yaml: Addon.k3s.cattle.io \"example_manifest\" is invalid: metadata.name: Invalid value: \"example_manifest\": a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*') 위험 If you have multiple server nodes, and place additional AddOn manifests on more than one server, it is your responsibility to ensure that files stay in sync across those nodes. K3s does not sync AddOn content between nodes, and cannot guarantee correct behavior if different servers attempt to deploy conflicting manifests.","s":"User AddOns","u":"/kr/installation/packaged-components","h":"#user-addons","p":2751},{"i":2759,"t":"There are two ways to disable deployment of specific content from the manifests directory.","s":"Disabling Manifests","u":"/kr/installation/packaged-components","h":"#disabling-manifests","p":2751},{"i":2761,"t":"The AddOns for packaged components listed above, in addition to AddOns for any additional manifests placed in the manifests directory, can be disabled with the --disable flag. Disabled AddOns are actively uninstalled from the cluster, and the source files deleted from the manifests directory. For example, to disable traefik from being installed on a new cluster, or to uninstall it and remove the manifest from an existing cluster, you can start K3s with --disable=traefik. Multiple items can be disabled by separating their names with commas, or by repeating the flag.","s":"Using the --disable flag","u":"/kr/installation/packaged-components","h":"#using-the---disable-flag","p":2751},{"i":2763,"t":"For any file under /var/lib/rancher/k3s/server/manifests, you can create a .skip file which will cause K3s to ignore the corresponding manifest. The contents of the .skip file do not matter, only its existence is checked. Note that creating a .skip file after an AddOn has already been created will not remove or otherwise modify it or the resources it created; the file is simply treated as if it did not exist. For example, creating an empty traefik.yaml.skip file in the manifests directory before K3s is started the first time, will cause K3s to skip deploying traefik.yaml: $ ls /var/lib/rancher/k3s/server/manifests ccm.yaml local-storage.yaml rolebindings.yaml traefik.yaml.skip coredns.yaml traefik.yaml $ kubectl get pods -A NAMESPACE NAME READY STATUS RESTARTS AGE kube-system local-path-provisioner-64ffb68fd-xx98j 1/1 Running 0 74s kube-system metrics-server-5489f84d5d-7zwkt 1/1 Running 0 74s kube-system coredns-85cb69466-vcq7j 1/1 Running 0 74s If Traefik had already been deployed prior to creating the traefik.skip file, Traefik would stay as-is, and would not be affected by future updates when K3s is upgraded.","s":"Using .skip files","u":"/kr/installation/packaged-components","h":"#using-skip-files","p":2751},{"i":2765,"t":"For information about managing Helm charts via auto-deploying manifests, refer to the section about Helm.","s":"Helm AddOns","u":"/kr/installation/packaged-components","h":"#helm-addons","p":2751},{"i":2767,"t":"Containerd can be configured to connect to private registries and use them to pull images as needed by the kubelet. Upon startup, K3s will check to see if /etc/rancher/k3s/registries.yaml exists. If so, the registry configuration contained in this file is used when generating the containerd configuration. If you want to use a private registry as a mirror for a public registry such as docker.io, then you will need to configure registries.yaml on each node that you want to use the mirror. If your private registry requires authentication, uses custom TLS certificates, or does not use TLS, you will need to configure registries.yaml on each node that will pull images from your registry. Note that server nodes are schedulable by default. If you have not tainted the server nodes and will be running workloads on them, please ensure you also create the registries.yaml file on each server as well.","s":"Private Registry Configuration","u":"/kr/installation/private-registry","h":"","p":2766},{"i":2769,"t":"Containerd has an implicit \"default endpoint\" for all registries. The default endpoint is always tried as a last resort, even if there are other endpoints listed for that registry in registries.yaml. For example, when pulling registry.example.com:5000/rancher/mirrored-pause:3.6, containerd will use a default endpoint of https://registry.example.com:5000/v2. The default endpoint for docker.io is https://index.docker.io/v2. The default endpoint for all other registries is https:///v2, where is the registry hostname and optional port. In order to be recognized as a registry, the first component of the image name must contain at least one period or colon. For historical reasons, images without a registry specified in their name are implicitly identified as being from docker.io. Version Gate The --disable-default-registry-endpoint option is available as an experimental feature as of January 2024 releases: v1.26.13+k3s1, v1.27.10+k3s1, v1.28.6+k3s1, v1.29.1+k3s1 Nodes may be started with the --disable-default-registry-endpoint option. When this is set, containerd will not fall back to the default registry endpoint, and will only pull from configured mirror endpoints, along with the distributed registry if it is enabled. This may be desired if your cluster is in a true air-gapped environment where the upstream registry is not available, or if you wish to have only some nodes pull from the upstream registry. Disabling the default registry endpoint applies only to registries configured via registries.yaml. If the registry is not explicitly configured via mirror entry in registries.yaml, the default fallback behavior will still be used.","s":"Default Endpoint Fallback","u":"/kr/installation/private-registry","h":"#default-endpoint-fallback","p":2766},{"i":2771,"t":"The file consists of two top-level keys, with subkeys for each registry: mirrors: : endpoint: - https:///v2 configs: : auth: username: password: token: tls: ca_file: cert_file: key_file: insecure_skip_verify: ","s":"Registries Configuration File","u":"/kr/installation/private-registry","h":"#registries-configuration-file","p":2766},{"i":2773,"t":"The mirrors section defines the names and endpoints of registries, for example: mirrors: registry.example.com: endpoint: - \"https://registry.example.com:5000\" Each mirror must have a name and set of endpoints. When pulling an image from a registry, containerd will try these endpoint URLs, plus the default endpoint, and use the first working one. Redirects​ If the private registry is used as a mirror for another registry, such as when configuring a pull through cache, images pulls are transparently redirected to the listed endpoints. The original registry name is passed to the mirror endpoint via the ns query parameter. For example, if you have a mirror configured for docker.io: mirrors: docker.io: endpoint: - \"https://registry.example.com:5000\" Then pulling docker.io/rancher/mirrored-pause:3.6 will transparently pull the image as registry.example.com:5000/rancher/mirrored-pause:3.6. Rewrites​ Each mirror can have a set of rewrites. Rewrites can change the name of an image based on regular expressions. This is useful if the organization/project structure in the private registry is different than the registry it is mirroring. For example, the following configuration would transparently pull the image docker.io/rancher/mirrored-pause:3.6 as registry.example.com:5000/mirrorproject/rancher-images/mirrored-pause:3.6: mirrors: docker.io: endpoint: - \"https://registry.example.com:5000\" rewrite: \"^rancher/(.*)\": \"mirrorproject/rancher-images/$1\" When using redirects and rewrites, images will still be stored under the original name. For example, crictl image ls will show docker.io/rancher/mirrored-pause:3.6 as available on the node, even though the image was pulled from the mirrored registry with a different name.","s":"Mirrors","u":"/kr/installation/private-registry","h":"#mirrors","p":2766},{"i":2775,"t":"The configs section defines the TLS and credential configuration for each mirror. For each mirror you can define auth and/or tls. The tls part consists of: Directive Description cert_file The client certificate path that will be used to authenticate with the registry key_file The client key path that will be used to authenticate with the registry ca_file Defines the CA certificate path to be used to verify the registry's server cert file insecure_skip_verify Boolean that defines if TLS verification should be skipped for the registry The auth part consists of either username/password or authentication token: Directive Description username user name of the private registry basic auth password user password of the private registry basic auth auth authentication token of the private registry basic auth Below are basic examples of using private registries in different modes:","s":"Configs","u":"/kr/installation/private-registry","h":"#configs","p":2766},{"i":2777,"t":"Below are examples showing how you may configure /etc/rancher/k3s/registries.yaml on each node when using TLS. With Authentication Without Authentication mirrors: docker.io: endpoint: - \"https://registry.example.com:5000\" configs: \"registry.example.com:5000\": auth: username: xxxxxx # this is the registry username password: xxxxxx # this is the registry password tls: cert_file: # path to the cert file used in the registry key_file: # path to the key file used in the registry ca_file: # path to the ca file used in the registry mirrors: docker.io: endpoint: - \"https://registry.example.com:5000\" configs: \"registry.example.com:5000\": tls: cert_file: # path to the cert file used in the registry key_file: # path to the key file used in the registry ca_file: # path to the ca file used in the registry","s":"With TLS","u":"/kr/installation/private-registry","h":"#with-tls","p":2766},{"i":2779,"t":"Below are examples showing how you may configure /etc/rancher/k3s/registries.yaml on each node when not using TLS. With Authentication Without Authentication mirrors: docker.io: endpoint: - \"http://registry.example.com:5000\" configs: \"registry.example.com:5000\": auth: username: xxxxxx # this is the registry username password: xxxxxx # this is the registry password mirrors: docker.io: endpoint: - \"http://registry.example.com:5000\" In case of no TLS communication, you need to specify http:// for the endpoints, otherwise it will default to https. In order for the registry changes to take effect, you need to restart K3s on each node.","s":"Without TLS","u":"/kr/installation/private-registry","h":"#without-tls","p":2766},{"i":2781,"t":"When Kubernetes experiences problems pulling an image, the error displayed by the kubelet may only reflect the terminal error returned by the pull attempt made against the default endpoint, making it appear that the configured endpoints are not being used. Check the containerd log on the node at /var/lib/rancher/k3s/agent/containerd/containerd.log for detailed information on the root cause of the failure.","s":"Troubleshooting Image Pulls","u":"/kr/installation/private-registry","h":"#troubleshooting-image-pulls","p":2766},{"i":2783,"t":"Mirroring images to a private registry requires a host with Docker or other 3rd party tooling that is capable of pulling and pushing images. The steps below assume you have a host with dockerd and the docker CLI tools, and access to both docker.io and your private registry. Obtain the k3s-images.txt file from GitHub for the release you are working with. Pull each of the K3s images listed on the k3s-images.txt file from docker.io. Example: docker pull docker.io/rancher/mirrored-pause:3.6 Retag the images to the private registry. Example: docker tag docker.io/rancher/mirrored-pause:3.6 registry.example.com:5000/rancher/mirrored-pause:3.6 Push the images to the private registry. Example: docker push registry.example.com:5000/rancher/mirrored-pause:3.6","s":"Adding Images to the Private Registry","u":"/kr/installation/private-registry","h":"#adding-images-to-the-private-registry","p":2766},{"i":2785,"t":"K3s is very lightweight, but has some minimum requirements as outlined below. Whether you're configuring K3s to run in a container or as a native Linux service, each node running K3s should meet the following minimum requirements. These requirements are baseline for K3s and its packaged components, and do not include resources consumed by the workload itself.","s":"Requirements","u":"/kr/installation/requirements","h":"","p":2784},{"i":2787,"t":"Two nodes cannot have the same hostname. If multiple nodes will have the same hostname, or if hostnames may be reused by an automated provisioning system, use the --with-node-id option to append a random suffix for each node, or devise a unique name to pass with --node-name or $K3S_NODE_NAME for each node you add to the cluster.","s":"Prerequisites","u":"/kr/installation/requirements","h":"#prerequisites","p":2784},{"i":2789,"t":"K3s is available for the following architectures: x86_64 armhf arm64/aarch64 s390x ARM64 Page Size Prior to May 2023 releases (v1.24.14+k3s1, v1.25.10+k3s1, v1.26.5+k3s1, v1.27.2+k3s1), on aarch64/arm64 systems, the kernel must use 4k pages. RHEL9, Ubuntu, Raspberry PI OS, and SLES all meet this requirement.","s":"Architecture","u":"/kr/installation/requirements","h":"#architecture","p":2784},{"i":2791,"t":"K3s is expected to work on most modern Linux systems. Some OSs have additional setup requirements: Red Hat Enterprise Linux / CentOS / Fedora Ubuntu / Debian Raspberry Pi It is recommended to turn off firewalld: systemctl disable firewalld --now If you wish to keep firewalld enabled, by default, the following rules are required: firewall-cmd --permanent --add-port=6443/tcp #apiserver firewall-cmd --permanent --zone=trusted --add-source=10.42.0.0/16 #pods firewall-cmd --permanent --zone=trusted --add-source=10.43.0.0/16 #services firewall-cmd --reload Additional ports may need to be opened depending on your setup. See Inbound Rules for more information. If you change the default CIDR for pods or services, you will need to update the firewall rules accordingly. If enabled, it is required to disable nm-cloud-setup and reboot the node: systemctl disable nm-cloud-setup.service nm-cloud-setup.timer reboot Older Debian release may suffer from a known iptables bug. See Known Issues. It is recommended to turn off ufw (uncomplicated firewall): ufw disable If you wish to keep ufw enabled, by default, the following rules are required: ufw allow 6443/tcp #apiserver ufw allow from 10.42.0.0/16 to any #pods ufw allow from 10.43.0.0/16 to any #services Additional ports may need to be opened depending on your setup. See Inbound Rules for more information. If you change the default CIDR for pods or services, you will need to update the firewall rules accordingly. Raspberry Pi OS is Debian based, and may suffer from a known iptables bug. See Known Issues. Standard Raspberry Pi OS installations do not start with cgroups enabled. K3S needs cgroups to start the systemd service. cgroupscan be enabled by appending cgroup_memory=1 cgroup_enable=memory to /boot/cmdline.txt. Example cmdline.txt: console=serial0,115200 console=tty1 root=PARTUUID=58b06195-02 rootfstype=ext4 elevator=deadline fsck.repair=yes rootwait cgroup_memory=1 cgroup_enable=memory Starting with Ubuntu 21.10, vxlan support on Raspberry Pi has been moved into a separate kernel module. sudo apt install linux-modules-extra-raspi For more information on which OSs were tested with Rancher managed K3s clusters, refer to the Rancher support and maintenance terms.","s":"Operating Systems","u":"/kr/installation/requirements","h":"#operating-systems","p":2784},{"i":2793,"t":"Hardware requirements scale based on the size of your deployments. Minimum recommendations are outlined here. Spec Minimum Recommended CPU 1 core 2 cores RAM 512 MB 1 GB Resource Profiling captures the results of tests to determine minimum resource requirements for the K3s agent, the K3s server with a workload, and the K3s server with one agent. It also contains analysis about what has the biggest impact on K3s server and agent utilization, and how the cluster datastore can be protected from interference from agents and workloads. Raspberry Pi and embedded etcd If deploying K3s with embedded etcd on a Raspberry Pi, it is recommended that you use an external SSD. etcd is write intensive, and SD cards cannot handle the IO load. Disks​ K3s performance depends on the performance of the database. To ensure optimal speed, we recommend using an SSD when possible. Disk performance will vary on ARM devices utilizing an SD card or eMMC.","s":"Hardware","u":"/kr/installation/requirements","h":"#hardware","p":2784},{"i":2795,"t":"The K3s server needs port 6443 to be accessible by all nodes. The nodes need to be able to reach other nodes over UDP port 8472 when using the Flannel VXLAN backend, or over UDP port 51820 (and 51821 if IPv6 is used) when using the Flannel WireGuard backend. The node should not listen on any other port. K3s uses reverse tunneling such that the nodes make outbound connections to the server and all kubelet traffic runs through that tunnel. However, if you do not use Flannel and provide your own custom CNI, then the ports needed by Flannel are not needed by K3s. If you wish to utilize the metrics server, all nodes must be accessible to each other on port 10250. If you plan on achieving high availability with embedded etcd, server nodes must be accessible to each other on ports 2379 and 2380. Important The VXLAN port on nodes should not be exposed to the world as it opens up your cluster network to be accessed by anyone. Run your nodes behind a firewall/security group that disables access to port 8472. 위험 Flannel relies on the Bridge CNI plugin to create a L2 network that switches traffic. Rogue pods with NET_RAW capabilities can abuse that L2 network to launch attacks such as ARP spoofing. Therefore, as documented in the Kubernetes docs, please set a restricted profile that disables NET_RAW on non-trustable pods.","s":"Networking","u":"/kr/installation/requirements","h":"#networking","p":2784},{"i":2797,"t":"Protocol Port Source Destination Description TCP 2379-2380 Servers Servers Required only for HA with embedded etcd TCP 6443 Agents Servers K3s supervisor and Kubernetes API Server UDP 8472 All nodes All nodes Required only for Flannel VXLAN TCP 10250 All nodes All nodes Kubelet metrics UDP 51820 All nodes All nodes Required only for Flannel Wireguard with IPv4 UDP 51821 All nodes All nodes Required only for Flannel Wireguard with IPv6 TCP 5001 All nodes All nodes Required only for embedded distributed registry (Spegel) TCP 6443 All nodes All nodes Required only for embedded distributed registry (Spegel) Typically, all outbound traffic is allowed. Additional changes to the firewall may be required depending on the OS used.","s":"Inbound Rules for K3s Nodes","u":"/kr/installation/requirements","h":"#inbound-rules-for-k3s-nodes","p":2784},{"i":2799,"t":"Hardware requirements are based on the size of your K3s cluster. For production and large clusters, we recommend using a high-availability setup with an external database. The following options are recommended for the external database in production: MySQL PostgreSQL etcd","s":"Large Clusters","u":"/kr/installation/requirements","h":"#large-clusters","p":2784},{"i":2801,"t":"The following are the minimum CPU and memory requirements for nodes in a high-availability K3s server: Deployment Size Nodes VCPUS RAM Small Up to 10 2 4 GB Medium Up to 100 4 8 GB Large Up to 250 8 16 GB X-Large Up to 500 16 32 GB XX-Large 500+ 32 64 GB","s":"CPU and Memory","u":"/kr/installation/requirements","h":"#cpu-and-memory","p":2784},{"i":2803,"t":"The cluster performance depends on database performance. To ensure optimal speed, we recommend always using SSD disks to back your K3s cluster. On cloud providers, you will also want to use the minimum size that allows the maximum IOPS.","s":"Disks","u":"/kr/installation/requirements","h":"#disks-1","p":2784},{"i":2805,"t":"You should consider increasing the subnet size for the cluster CIDR so that you don't run out of IPs for the pods. You can do that by passing the --cluster-cidr option to K3s server upon starting.","s":"Network","u":"/kr/installation/requirements","h":"#network","p":2784},{"i":2807,"t":"K3s supports different databases including MySQL, PostgreSQL, MariaDB, and etcd. See Cluster Datastore for more info. The following is a sizing guide for the database resources you need to run large clusters: Deployment Size Nodes VCPUS RAM Small Up to 10 1 2 GB Medium Up to 100 2 8 GB Large Up to 250 4 16 GB X-Large Up to 500 8 32 GB XX-Large 500+ 16 64 GB","s":"Database","u":"/kr/installation/requirements","h":"#database","p":2784},{"i":2809,"t":"Starting the K3s server with --cluster-init will run all control-plane components, including the apiserver, controller-manager, scheduler, and etcd. It is possible to disable specific components in order to split the control-plane and etcd roles on to separate nodes. 정보 This document is only relevant when using embedded etcd. When not using embedded etcd, all servers will have the control-plane role and run control-plane components.","s":"Managing Server Roles","u":"/kr/installation/server-roles","h":"","p":2808},{"i":2811,"t":"To create a server with only the etcd role, start K3s with all the control-plane components disabled: curl -fL https://get.k3s.io | sh -s - server --cluster-init --disable-apiserver --disable-controller-manager --disable-scheduler This first node will start etcd, and wait for additional etcd and/or control-plane nodes to join. The cluster will not be usable until you join an additional server with the control-plane components enabled.","s":"Dedicated etcd Nodes","u":"/kr/installation/server-roles","h":"#dedicated-etcd-nodes","p":2808},{"i":2813,"t":"비고 A dedicated control-plane node cannot be the first server in the cluster; there must be an existing node with the etcd role before joining dedicated control-plane nodes. To create a server with only the control-plane role, start k3s with etcd disabled: curl -fL https://get.k3s.io | sh -s - server --token --disable-etcd --server https://:6443 After creating dedicated server nodes, the selected roles will be visible in kubectl get node: $ kubectl get nodes NAME STATUS ROLES AGE VERSION k3s-server-1 Ready etcd 5h39m v1.20.4+k3s1 k3s-server-2 Ready control-plane,master 5h39m v1.20.4+k3s1","s":"Dedicated control-plane Nodes","u":"/kr/installation/server-roles","h":"#dedicated-control-plane-nodes","p":2808},{"i":2815,"t":"Roles can be added to existing dedicated nodes by restarting K3s with the disable flags removed. For example ,if you want to add the control-plane role to a dedicated etcd node, you can remove the --disable-apiserver --disable-controller-manager --disable-scheduler flags from the systemd unit or config file, and restart the service.","s":"Adding Roles To Existing Servers","u":"/kr/installation/server-roles","h":"#adding-roles-to-existing-servers","p":2808},{"i":2817,"t":"As with all other CLI flags, you can use the Configuration File to disable components, instead of passing the options as CLI flags. For example, to create a dedicated etcd node, you can place the following values in /etc/rancher/k3s/config.yaml: cluster-init: true disable-apiserver: true disable-controller-manager: true disable-scheduler: true","s":"Configuration File Syntax","u":"/kr/installation/server-roles","h":"#configuration-file-syntax","p":2808},{"i":2819,"t":"This page focuses on the options that are commonly used when setting up K3s for the first time. Refer to the documentation on Advanced Options and Configuration and the server and agent command documentation for more in-depth coverage.","s":"Configuration Options","u":"/kr/installation/configuration","h":"","p":2818},{"i":2821,"t":"As mentioned in the Quick-Start Guide, you can use the installation script available at https://get.k3s.io to install K3s as a service on systemd and openrc based systems. You can use a combination of INSTALL_K3S_EXEC, K3S_ environment variables, and command flags to pass configuration to the service configuration. The prefixed environment variables, INSTALL_K3S_EXEC value, and trailing shell arguments are all persisted into the service configuration. After installation, configuration may be altered by editing the environment file, editing the service configuration, or simply re-running the installer with new options. To illustrate this, the following commands all result in the same behavior of registering a server without flannel and with a token: curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC=\"server\" sh -s - --flannel-backend none --token 12345 curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC=\"server --flannel-backend none\" K3S_TOKEN=12345 sh -s - curl -sfL https://get.k3s.io | K3S_TOKEN=12345 sh -s - server --flannel-backend none # server is assumed below because there is no K3S_URL curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC=\"--flannel-backend none --token 12345\" sh -s - curl -sfL https://get.k3s.io | sh -s - --flannel-backend none --token 12345 When registering an agent, the following commands all result in the same behavior: curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC=\"agent --server https://k3s.example.com --token mypassword\" sh -s - curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC=\"agent\" K3S_TOKEN=\"mypassword\" sh -s - --server https://k3s.example.com curl -sfL https://get.k3s.io | K3S_URL=https://k3s.example.com sh -s - agent --token mypassword curl -sfL https://get.k3s.io | K3S_URL=https://k3s.example.com K3S_TOKEN=mypassword sh -s - # agent is assumed because of K3S_URL For details on all environment variables, see Environment Variables. Note If you set configuration when running the install script, but do not set it again when re-running the install script, the original values will be lost. The contents of the configuration file are not managed by the install script. If you want your configuration to be independent from the install script, you should use a configuration file instead of passing environment variables or arguments to the install script.","s":"Configuration with install script","u":"/kr/installation/configuration","h":"#configuration-with-install-script","p":2818},{"i":2823,"t":"As stated, the installation script is primarily concerned with configuring K3s to run as a service. If you choose to not use the script, you can run K3s simply by downloading the binary from our release page, placing it on your path, and executing it. This is not particularly useful for permanent installations, but may be useful when performing quick tests that do not merit managing K3s as a system service. curl -Lo /usr/local/bin/k3s https://github.com/k3s-io/k3s/releases/download/v1.26.5+k3s1/k3s; chmod a+x /usr/local/bin/k3s You can pass configuration by setting K3S_ environment variables: K3S_KUBECONFIG_MODE=\"644\" k3s server Or command flags: k3s server --write-kubeconfig-mode=644 The k3s agent can also be configured this way: k3s agent --server https://k3s.example.com --token mypassword For details on configuring the K3s server, see the k3s server documentation. For details on configuring the K3s agent, see the k3s agent documentation. You can also use the --help flag to see a list of all available options, and their corresponding environment variables. Matching Flags It is important to match critical flags on your server nodes. For example, if you use the flag --disable servicelb or --cluster-cidr=10.200.0.0/16 on your master node, but don't set it on other server nodes, the nodes will fail to join. They will print errors such as: failed to validate server configuration: critical configuration value mismatch. See the Server Configuration documentation (linked above) for more information on which flags must be set identically on server nodes.","s":"Configuration with binary","u":"/kr/installation/configuration","h":"#configuration-with-binary","p":2818},{"i":2825,"t":"Version Gate Available as of v1.19.1+k3s1 In addition to configuring K3s with environment variables and CLI arguments, K3s can also use a config file. By default, values present in a YAML file located at /etc/rancher/k3s/config.yaml will be used on install. An example of a basic server config file is below: write-kubeconfig-mode: \"0644\" tls-san: - \"foo.local\" node-label: - \"foo=bar\" - \"something=amazing\" cluster-init: true This is equivalent to the following CLI arguments: k3s server \\ --write-kubeconfig-mode \"0644\" \\ --tls-san \"foo.local\" \\ --node-label \"foo=bar\" \\ --node-label \"something=amazing\" \\ --cluster-init In general, CLI arguments map to their respective YAML key, with repeatable CLI arguments being represented as YAML lists. Boolean flags are represented as true or false in the YAML file. It is also possible to use both a configuration file and CLI arguments. In these situations, values will be loaded from both sources, but CLI arguments will take precedence. For repeatable arguments such as --node-label, the CLI arguments will overwrite all values in the list. Finally, the location of the config file can be changed either through the CLI argument --config FILE, -c FILE, or the environment variable $K3S_CONFIG_FILE.","s":"Configuration File","u":"/kr/installation/configuration","h":"#configuration-file","p":2818},{"i":2827,"t":"Version Gate Available as of v1.21.0+k3s1 Multiple configuration files are supported. By default, configuration files are read from /etc/rancher/k3s/config.yaml and /etc/rancher/k3s/config.yaml.d/*.yaml in alphabetical order. By default, the last value found for a given key will be used. A + can be appended to the key to append the value to the existing string or slice, instead of replacing it. All occurrences of this key in subsequent files will also require a + to prevent overwriting the accumulated value. An example of multiple config files is below: # config.yaml token: boop node-label: - foo=bar - bar=baz # config.yaml.d/test1.yaml write-kubeconfig-mode: 600 node-taint: - alice=bob:NoExecute # config.yaml.d/test2.yaml write-kubeconfig-mode: 777 node-label: - other=what - foo=three node-taint+: - charlie=delta:NoSchedule This results in a final configuration of: write-kubeconfig-mode: 777 token: boop node-label: - other=what - foo=three node-taint: - alice=bob:NoExecute - charlie=delta:NoSchedule","s":"Multiple Config Files","u":"/kr/installation/configuration","h":"#multiple-config-files","p":2818},{"i":2829,"t":"All of the above options can be combined into a single example. A config.yaml file is created at /etc/rancher/k3s/config.yaml: token: \"secret\" debug: true Then the installation script is run with a combination of environment variables and flags: curl -sfL https://get.k3s.io | K3S_KUBECONFIG_MODE=\"644\" INSTALL_K3S_EXEC=\"server\" sh -s - --flannel-backend none Or if you have already installed the K3s Binary: K3S_KUBECONFIG_MODE=\"644\" k3s server --flannel-backend none This results in a server with: A kubeconfig file with permissions 644 Flannel backend set to none The token set to secret Debug logging enabled","s":"Putting it all together","u":"/kr/installation/configuration","h":"#putting-it-all-together","p":2818},{"i":2831,"t":"warning Uninstalling K3s deletes the local cluster data, configuration, and all of the scripts and CLI tools. It does not remove any data from external datastores, or created by pods using external Kubernetes storage volumes. If you installed K3s using the installation script, a script to uninstall K3s was generated during installation. If you are planning on rejoining a node to an existing cluster after uninstalling and reinstalling, be sure to delete the node from the cluster to ensure that the node password secret is removed. See the Node Registration documentation for more information.","s":"Uninstalling K3s","u":"/kr/installation/uninstall","h":"","p":2830},{"i":2833,"t":"To uninstall K3s from a server node, run: /usr/local/bin/k3s-uninstall.sh","s":"Uninstalling Servers","u":"/kr/installation/uninstall","h":"#uninstalling-servers","p":2830},{"i":2835,"t":"To uninstall K3s from an agent node, run: /usr/local/bin/k3s-agent-uninstall.sh","s":"Uninstalling Agents","u":"/kr/installation/uninstall","h":"#uninstalling-agents","p":2830},{"i":2837,"t":"Version Gate The Embedded Registry Mirror is available as an experimental feature as of January 2024 releases: v1.26.13+k3s1, v1.27.10+k3s1, v1.28.6+k3s1, v1.29.1+k3s1 K3s embeds Spegel, a stateless distributed OCI registry mirror that allows peer-to-peer sharing of container images between nodes in a Kubernetes cluster. The distributed registry mirror is disabled by default.","s":"Embedded Registry Mirror","u":"/kr/installation/registry-mirror","h":"","p":2836},{"i":2839,"t":"In order to enable the embedded registry mirror, server nodes must be started with the --embedded-registry flag, or with embedded-registry: true in the configuration file. This option enables the embedded mirror for use on all nodes in the cluster. When enabled at a cluster level, all nodes will host a local OCI registry on port 6443, and publish a list of available images via a peer to peer network on port 5001. Any image available in the containerd image store on any node, can be pulled by other cluster members without access to an external registry. Images imported via air-gap image tar files are pinned in containerd to ensure that they remain available and are not pruned by Kubelet garbage collection.","s":"Enabling The Distributed OCI Registry Mirror","u":"/kr/installation/registry-mirror","h":"#enabling-the-distributed-oci-registry-mirror","p":2836},{"i":2841,"t":"When the embedded registry mirror is enabled, all nodes must be able to reach each other via their internal IP addresses, on TCP ports 5001 and 6443. If nodes cannot reach each other, it may take longer for images to be pulled, as the distributed registry will be tried first by containerd, before it falls back to other endpoints.","s":"Requirements","u":"/kr/installation/registry-mirror","h":"#requirements","p":2836},{"i":2843,"t":"Enabling mirroring for a registry allows a node to both pull images from that registry from other nodes, and share the registry's images with other nodes. If a registry is enabled for mirroring on some nodes, but not on others, only the nodes with the registry enabled will exchange images from that registry. In order to enable mirroring of images from an upstream container registry, nodes must have an entry in the mirrors section of registries.yaml for that registry. The registry does not need to have any endpoints listed, it just needs to be present. For example, to enable distributed mirroring of images from docker.io and registry.k8s.io, configure registries.yaml with the following content on all cluster nodes: mirrors: docker.io: registry.k8s.io: Endpoints for registry mirrors may also be added as usual. In the following configuration, images pull attempts will first try the embedded mirror, then mirror.example.com, then finally docker.io: mirrors: docker.io: endpoint: - https://mirror.example.com If you are using a private registry directly, instead of as a mirror for an upstream registry, you may enable distributed mirroring in the same way public registries are enabled - by listing it in the mirrors section: mirrors: mirror.example.com: If no registries are enabled for mirroring on a node, that node does not participate in the distributed registry in any capacity. For more information on the structure of the registries.yaml file, see Private Registry Configuration.","s":"Enabling Registry Mirroring","u":"/kr/installation/registry-mirror","h":"#enabling-registry-mirroring","p":2836},{"i":2845,"t":"By default, containerd will fall back to the default endpoint when pulling from registries with mirror endpoints configured. If you want to disable this, and only pull images from the configured mirrors and/or the embedded mirror, see the Default Endpoint Fallback section of the Private Registry Configuration documentation. Note that if you are using the --disable-default-endpoint option and want to allow pulling directly from a particular registry, while disallowing the rest, you can explicitly provide an endpoint in order to allow the image pull to fall back to the registry itself: mirrors: docker.io: # no default endpoint, pulls will fail if not available on a node registry.k8s.io: # no default endpoint, pulls will fail if not available on a node mirror.example.com: # explicit default endpoint, can pull from upstream if not available on a node endpoint: - https://mirror.example.com","s":"Default Endpoint Fallback","u":"/kr/installation/registry-mirror","h":"#default-endpoint-fallback","p":2836},{"i":2848,"t":"Access to the embedded mirror's registry API requires a valid client certificate, signed by the cluster's client certificate authority. Access to the distributed hash table's peer-to-peer network requires a preshared key that is controlled by server nodes. Nodes authenticate each other using both the preshared key, and a certificate signed by the cluster certificate authority.","s":"Authentication","u":"/kr/installation/registry-mirror","h":"#authentication","p":2836},{"i":2850,"t":"warning The distributed registry is built on peer-to-peer principles, and assumes an equal level of privilege and trust between all cluster members. If this does not match your cluster's security posture, you should not enable the embedded distributed registry. The embedded registry may make available images that a node may not otherwise have access to. For example, if some of your images are pulled from a registry, project, or repository that requires authentication via Kubernetes Image Pull Secrets, or credentials in registries.yaml, the distributed registry will allow other nodes to share those images without providing any credentials to the upstream registry. Users with access to push images into the containerd image store on one node may be able to use this to 'poison' the image for other cluster nodes, as other nodes will trust the tag advertised by the node, and use it without checking with the upstream registry. If image integrity is important, you should use image digests instead of tags, as the digest cannot be poisoned in this manner.","s":"Potential Concerns","u":"/kr/installation/registry-mirror","h":"#potential-concerns","p":2836},{"i":2852,"t":"Images sharing is controlled based on the source registry. Images loaded directly into containerd via air-gap tarballs, or loaded directly into containerd's image store using the ctr command line tool, will be shared between nodes if they are tagged as being from a registry that is enabled for mirroring. Note that the upstream registry that the images appear to come from does not actually have to exist or be reachable. For example, you could tag images as being from a fictitious upstream registry, and import those images into containerd's image store. You would then be able to pull those images from all cluster members, as long as that registry is listed in registries.yaml","s":"Sharing Air-gap or Manually Loaded Images","u":"/kr/installation/registry-mirror","h":"#sharing-air-gap-or-manually-loaded-images","p":2836},{"i":2854,"t":"The embedded registry is read-only, and cannot be pushed to directly using docker push or other common tools that interact with OCI registries. Images can be manually made available via the embedded registry by running ctr -n k8s.io image pull to pull an image, or by loading image archives via the ctr -n k8s.io import or ctr -n k8s.io load commands. Note that the k8s.io namespace must be specified when managing images via ctr in order for them to be visible to the kubelet.","s":"Pushing Images","u":"/kr/installation/registry-mirror","h":"#pushing-images","p":2836},{"i":2856,"t":"알려진 이슈는 주기적으로 업데이트되며, 다음 릴리스에서 즉시 해결되지 않을 수 있는 문제에 대해 알려드리기 위해 고안되었습니다.","s":"알려진 이슈","u":"/kr/known-issues","h":"","p":2855},{"i":2858,"t":"스냅(Snap) 패키지를 통해 설치된 도커는 K3s를 실행하는 데 문제를 일으키는 것으로 알려져 있으므로 K3s와 함께 사용하려는 경우 권장하지 않습니다.","s":"스냅(Snap) 도커","u":"/kr/known-issues","h":"#스냅snap-도커","p":2855},{"i":2860,"t":"레거시 대신 nftables 모드에서 iptables를 실행하는 경우 문제가 발생할 수 있습니다. 문제를 방지하려면 최신 버전(예: 1.6.1+)의 iptables를 사용하는 것이 좋습니다. 또한 1.8.0-1.8.4 버전에는 K3s가 실패할 수 있는 알려진 문제가 있습니다. 해결 방법은 추가 OS 준비를 참조하세요.","s":"Iptables","u":"/kr/known-issues","h":"#iptables","p":2855},{"i":2862,"t":"루트리스 모드로 K3s를 실행하는 것은 실험 중이며 몇 가지 알려진 이슈가 있습니다.","s":"Rootless Mode","u":"/kr/known-issues","h":"#rootless-mode","p":2855},{"i":2864,"t":"쿠버네티스는 파드 보안 표준(PSS, Pod Security Standards)을 위해 v1.25에서 PodSecurityPolicy를 제거했습니다. PSS에 대한 자세한 내용은 업스트림 문서에서 확인할 수 있습니다. K3S의 경우, 노드에 'PodSecurityPolicy'가 구성된 경우 수행해야 하는 몇 가지 수동 단계가 있습니다. 모든 노드에서 kube-apiserver-arg 값을 업데이트하여 PodSecurityPolicy 어드미션 플러그인을 제거합니다. 대신 다음 arg 값을 추가합니다: 'admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml' 이지만, 아직 K3S를 재시작하거나 업그레이드하지 마십시오. 아래는 노드를 강화한 후 구성 파일의 예시입니다. protect-kernel-defaults: true secrets-encryption: true kube-apiserver-arg: - \"admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml\" - \"audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log\" - \"audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml\" - \"audit-log-maxage=30\" - \"audit-log-maxbackup=10\" - \"audit-log-maxsize=100\" kube-controller-manager-arg: - \"terminated-pod-gc-threshold=10\" - \"use-service-account-credentials=true\" kubelet-arg: - \"streaming-connection-idle-timeout=5m\" - \"make-iptables-util-chains=true\" /var/lib/rancher/k3s/server/psa.yaml 파일을 다음 내용으로 작성합니다. 더 많은 네임스페이스를 제외할 수도 있습니다. 아래 예시는 kube-system(필수), cis-operator-system(선택적이지만 Rancher를 통해 보안 스캔을 실행할 때 유용), system-upgrade(자동 업그레이드를 수행하는 경우 필수)을 제외합니다. apiVersion: apiserver.config.k8s.io/v1 kind: AdmissionConfiguration plugins: - name: PodSecurity configuration: apiVersion: pod-security.admission.config.k8s.io/v1beta1 kind: PodSecurityConfiguration defaults: enforce: \"restricted\" enforce-version: \"latest\" audit: \"restricted\" audit-version: \"latest\" warn: \"restricted\" warn-version: \"latest\" exemptions: usernames: [] runtimeClasses: [] namespaces: [kube-system, cis-operator-system, system-upgrade] 일반적으로 업그레이드를 수행합니다. 자동 업그레이드를 수행하는 경우 system-upgrade-controller가 실행되는 네임스페이스가 파드 보안 수준에 따라 권한이 부여된 것으로 설정되었는지 확인합니다. apiVersion: v1 kind: Namespace metadata: name: system-upgrade labels: # This value must be privileged for the controller to run successfully. pod-security.kubernetes.io/enforce: privileged pod-security.kubernetes.io/enforce-version: v1.25 # We are setting these to our _desired_ `enforce` level, but note that these below values can be any of the available options. pod-security.kubernetes.io/audit: privileged pod-security.kubernetes.io/audit-version: v1.25 pod-security.kubernetes.io/warn: privileged pod-security.kubernetes.io/warn-version: v1.25 업그레이드가 완료된 후, 클러스터에서 남아있는 모든 PSP 리소스를 제거합니다. 대부분의 경우, /var/lib/rancher/k3s/server/manifests/ 내부에서 강화를 위해 사용된 사용자 정의 파일에는 PodSecurityPolicies 및 관련 RBAC 리소스가 있을 수 있습니다. 이러한 리소스를 제거하면 k3s가 자동으로 업데이트됩니다. 때때로 시간이 지난 후에 이러한 리소스가 클러스터에 남아있을 수 있으므로 수동으로 삭제해야 합니다. 이전에 강화 가이드를 따르면 다음과 같이 삭제할 수 있습니다: # Get the resources associated with PSPs $ kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A | grep -i psp # Delete those resources: $ kubectl delete clusterrole.rbac.authorization.k8s.io/psp:restricted-psp clusterrole.rbac.authorization.k8s.io/psp:svclb-psp clusterrole.rbac.authorization.k8s.io/psp:system-unrestricted-psp clusterrolebinding.rbac.authorization.k8s.io/default:restricted-psp clusterrolebinding.rbac.authorization.k8s.io/system-unrestricted-node-psp-rolebinding && kubectl delete -n kube-system rolebinding.rbac.authorization.k8s.io/svclb-psp-rolebinding rolebinding.rbac.authorization.k8s.io/system-unrestricted-svc-acct-psp-rolebinding","s":"강화된(Hardened) 클러스터를 v1.24.x에서 v1.25.x로 업그레이드하기","u":"/kr/known-issues","h":"","p":2855},{"i":2866,"t":"This section contains instructions for configuring networking in K3s. Basic Network Options covers the basic networking configuration of the cluster such as flannel and single/dual stack configurations Hybrid/Multicloud cluster provides guidance on the options available to span the k3s cluster over remote or hybrid nodes Multus and IPAM plugins provides guidance to leverage Multus in K3s in order to have multiple interfaces per pod Networking services: dns, ingress, etc explains how CoreDNS, Traefik, Network Policy controller and ServiceLB controller work within k3s","s":"Networking","u":"/kr/networking","h":"","p":2865},{"i":2868,"t":"A K3s cluster can still be deployed on nodes which do not share a common private network and are not directly connected (e.g. nodes in different public clouds). There are two options to achieve this: the embedded k3s multicloud solution and the integration with the tailscale VPN provider. warning The latency between nodes will increase as external connectivity requires more hops. This will reduce the network performance and could also impact the health of the cluster if latency is too high. warning Embedded etcd is not supported in this type of deployment. If using embedded etcd, all server nodes must be reachable to each other via their private IPs. Agents may be distributed over multiple networks, but all servers should be in the same location.","s":"Distributed hybrid or multicloud cluster","u":"/kr/networking/distributed-multicloud","h":"","p":2867},{"i":2870,"t":"K3s uses wireguard to establish a VPN mesh for cluster traffic. Nodes must each have a unique IP through which they can be reached (usually a public IP). K3s supervisor traffic will use a websocket tunnel, and cluster (CNI) traffic will use a wireguard tunnel. To enable this type of deployment, you must add the following parameters on servers: --node-external-ip= --flannel-backend=wireguard-native --flannel-external-ip and on agents: --node-external-ip= where SERVER_EXTERNAL_IP is the IP through which we can reach the server node and AGENT_EXTERNAL_IP is the IP through which we can reach the agent node. Note that the K3S_URL config parameter in the agent should use the SERVER_EXTERNAL_IP to be able to connect to it. Remember to check the Networking Requirements and allow access to the listed ports on both internal and external addresses. Both SERVER_EXTERNAL_IP and AGENT_EXTERNAL_IP must have connectivity between them and are normally public IPs. Dynamic IPs If nodes are assigned dynamic IPs and the IP changes (e.g. in AWS), you must modify the --node-external-ip parameter to reflect the new IP. If running K3s as a service, you must modify /etc/systemd/system/k3s.service then run: systemctl daemon-reload systemctl restart k3s","s":"Embedded k3s multicloud solution","u":"/kr/networking/distributed-multicloud","h":"#embedded-k3s-multicloud-solution","p":2867},{"i":2872,"t":"Available in v1.27.3, v1.26.6, v1.25.11 and newer. K3s can integrate with Tailscale so that nodes use the Tailscale VPN service to build a mesh between nodes. There are four steps to be done with Tailscale before deploying K3s: Log in to your Tailscale account In Settings > Keys, generate an auth key ($AUTH-KEY), which may be reusable for all nodes in your cluster Decide on the podCIDR the cluster will use (by default 10.42.0.0/16). Append the CIDR (or CIDRs for dual-stack) in Access controls with the stanza: \"autoApprovers\": { \"routes\": { \"10.42.0.0/16\": [\"your_account@xyz.com\"], \"2001:cafe:42::/56\": [\"your_account@xyz.com\"], }, }, Install Tailscale in your nodes: curl -fsSL https://tailscale.com/install.sh | sh To deploy K3s with Tailscale integration enabled, you must add the following parameter on each of your nodes: --vpn-auth=\"name=tailscale,joinKey=$AUTH-KEY or provide that information in a file and use the parameter: --vpn-auth-file=$PATH_TO_FILE Optionally, if you have your own Tailscale server (e.g. headscale), you can connect to it by appending ,controlServerURL=$URL to the vpn-auth parameters warning If you plan on running several K3s clusters using the same tailscale network, please create appropriate ACLs to avoid IP conflicts or use different podCIDR subnets for each cluster.","s":"Integration with the Tailscale VPN provider (experimental)","u":"/kr/networking/distributed-multicloud","h":"#integration-with-the-tailscale-vpn-provider-experimental","p":2867},{"i":2874,"t":"Multus CNI is a CNI plugin that enables attaching multiple network interfaces to pods. Multus does not replace CNI plugins, instead it acts as a CNI plugin multiplexer. Multus is useful in certain use cases, especially when pods are network intensive and require extra network interfaces that support dataplane acceleration techniques such as SR-IOV. Multus can not be deployed standalone. It always requires at least one conventional CNI plugin that fulfills the Kubernetes cluster network requirements. That CNI plugin becomes the default for Multus, and will be used to provide the primary interface for all pods. When deploying K3s with default options, that CNI plugin is Flannel. To deploy Multus, we recommend using the following helm repo: helm repo add rke2-charts https://rke2-charts.rancher.io helm repo update Then, to set the necessary configuration for it to work, a correct config file must be created. The configuration will depend on the IPAM plugin to be used, i.e. how your pods using Multus extra interfaces will configure the IPs for those extra interfaces. There are three options: host-local, DHCP Daemon and whereabouts: host-local Whereabouts Multus DHCP daemon The host-local IPAM plugin allocates ip addresses out of a set of address ranges. It stores the state locally on the host filesystem, hence ensuring uniqueness of IP addresses on a single host. Therefore, we don't recommend it for multi-node clusters. This IPAM plugin does not require any extra deployment. For more information: https://www.cni.dev/plugins/current/ipam/host-local/. To use the host-local plugin, please create a file called multus-values.yaml with the following content: config: cni_conf: confDir: /var/lib/rancher/k3s/agent/etc/cni/net.d binDir: /var/lib/rancher/k3s/data/current/bin/ kubeconfig: /var/lib/rancher/k3s/agent/etc/cni/net.d/multus.d/multus.kubeconfig Whereabouts is an IP Address Management (IPAM) CNI plugin that assigns IP addresses cluster-wide. To use the Whereabouts IPAM plugin, please create a file called multus-values.yaml with the following content: config: cni_conf: confDir: /var/lib/rancher/k3s/agent/etc/cni/net.d binDir: /var/lib/rancher/k3s/data/current/bin/ kubeconfig: /var/lib/rancher/k3s/agent/etc/cni/net.d/multus.d/multus.kubeconfig rke2-whereabouts: fullnameOverride: whereabouts enabled: true cniConf: confDir: /var/lib/rancher/k3s/agent/etc/cni/net.d binDir: /var/lib/rancher/k3s/data/current/bin/ The dhcp IPAM plugin can be deployed when there is already a DHCP server running on the network. This daemonset takes care of periodically renewing the DHCP lease. For more information please check the official docs of DHCP IPAM plugin. To use this DHCP plugin, please create a file called multus-values.yaml with the following content: config: cni_conf: confDir: /var/lib/rancher/k3s/agent/etc/cni/net.d binDir: /var/lib/rancher/k3s/data/current/bin/ kubeconfig: /var/lib/rancher/k3s/agent/etc/cni/net.d/multus.d/multus.kubeconfig manifests: dhcpDaemonSet: true After creating the multus-values.yaml file, everything is ready to install Multus: helm install multus rke2-charts/rke2-multus -n kube-system --kubeconfig /etc/rancher/k3s/k3s.yaml --values multus-values.yaml That will create a daemonset called multus which will deploy multus and all regular cni binaries in /var/lib/rancher/k3s/data/current/ (e.g. macvlan) and the correct Multus config in /var/lib/rancher/k3s/agent/etc/cni/net.d For more information about Multus, refer to the multus-cni documentation.","s":"Multus and IPAM plugins","u":"/kr/networking/multus-ipams","h":"","p":2873},{"i":2876,"t":"This page explains how CoreDNS, Traefik Ingress controller, Network Policy controller, and ServiceLB load balancer controller work within K3s. Refer to the Installation Network Options page for details on Flannel configuration options and backend selection, or how to set up your own CNI. For information on which ports need to be opened for K3s, refer to the Networking Requirements.","s":"Networking Services","u":"/kr/networking/networking-services","h":"","p":2875},{"i":2878,"t":"CoreDNS is deployed automatically on server startup. To disable it, configure all servers in the cluster with the --disable=coredns option. If you don't install CoreDNS, you will need to install a cluster DNS provider yourself.","s":"CoreDNS","u":"/kr/networking/networking-services","h":"#coredns","p":2875},{"i":2880,"t":"Traefik is a modern HTTP reverse proxy and load balancer made to deploy microservices with ease. It simplifies networking complexity while designing, deploying, and running applications. The Traefik ingress controller deploys a LoadBalancer Service that uses ports 80 and 443. By default, ServiceLB will expose these ports on all cluster members, meaning these ports will not be usable for other HostPort or NodePort pods. Traefik is deployed by default when starting the server. For more information see Managing Packaged Components. The default config file is found in /var/lib/rancher/k3s/server/manifests/traefik.yaml. The traefik.yaml file should not be edited manually, as K3s will replace the file with defaults at startup. Instead, you should customize Traefik by creating an additional HelmChartConfig manifest in /var/lib/rancher/k3s/server/manifests. For more details and an example see Customizing Packaged Components with HelmChartConfig. For more information on the possible configuration values, refer to the official Traefik Helm Configuration Parameters.. To remove Traefik from your cluster, start all servers with the --disable=traefik flag. K3s versions 1.20 and earlier include Traefik v1. K3s versions 1.21 and later install Traefik v2, unless an existing installation of Traefik v1 is found, in which case Traefik is not upgraded to v2. For more information on the specific version of Traefik included with K3s, consult the Release Notes for your version. To migrate from an older Traefik v1 instance please refer to the Traefik documentation and migration tool.","s":"Traefik Ingress Controller","u":"/kr/networking/networking-services","h":"#traefik-ingress-controller","p":2875},{"i":2882,"t":"K3s includes an embedded network policy controller. The underlying implementation is kube-router's netpol controller library (no other kube-router functionality is present) and can be found here. To disable it, start each server with the --disable-network-policy flag. 비고 Network policy iptables rules are not removed if the K3s configuration is changed to disable the network policy controller. To clean up the configured kube-router network policy rules after disabling the network policy controller, use the k3s-killall.sh script, or clean them using iptables-save and iptables-restore. These steps must be run manually on all nodes in the cluster. iptables-save | grep -v KUBE-ROUTER | iptables-restore ip6tables-save | grep -v KUBE-ROUTER | ip6tables-restore","s":"Network Policy Controller","u":"/kr/networking/networking-services","h":"#network-policy-controller","p":2875},{"i":2884,"t":"Any LoadBalancer controller can be deployed to your K3s cluster. By default, K3s provides a load balancer known as ServiceLB (formerly Klipper LoadBalancer) that uses available host ports. Upstream Kubernetes allows Services of type LoadBalancer to be created, but doesn't include a default load balancer implementation, so these services will remain pending until one is installed. Many hosted services require a cloud provider such as Amazon EC2 or Microsoft Azure to offer an external load balancer implementation. By contrast, the K3s ServiceLB makes it possible to use LoadBalancer Services without a cloud provider or any additional configuration.","s":"Service Load Balancer","u":"/kr/networking/networking-services","h":"#service-load-balancer","p":2875},{"i":2886,"t":"The ServiceLB controller watches Kubernetes Services with the spec.type field set to LoadBalancer. For each LoadBalancer Service, a DaemonSet is created in the kube-system namespace. This DaemonSet in turn creates Pods with a svc- prefix, on each node. These Pods use iptables to forward traffic from the Pod's NodePort, to the Service's ClusterIP address and port. If the ServiceLB Pod runs on a node that has an external IP configured, the node's external IP is populated into the Service's status.loadBalancer.ingress address list. Otherwise, the node's internal IP is used. If multiple LoadBalancer Services are created, a separate DaemonSet is created for each Service. It is possible to expose multiple Services on the same node, as long as they use different ports. If you try to create a LoadBalancer Service that listens on port 80, the ServiceLB will try to find a free host in the cluster for port 80. If no host with that port is available, the LB will remain Pending.","s":"How ServiceLB Works","u":"/kr/networking/networking-services","h":"#how-servicelb-works","p":2875},{"i":2888,"t":"Create a Service of type LoadBalancer in K3s.","s":"Usage","u":"/kr/networking/networking-services","h":"#usage","p":2875},{"i":2890,"t":"Adding the svccontroller.k3s.cattle.io/enablelb=true label to one or more nodes switches the ServiceLB controller into allow-list mode, where only nodes with the label are eligible to host LoadBalancer pods. Nodes that remain unlabeled will be excluded from use by ServiceLB. 비고 By default, nodes are not labeled. As long as all nodes remain unlabeled, all nodes with ports available will be used by ServiceLB.","s":"Controlling ServiceLB Node Selection","u":"/kr/networking/networking-services","h":"#controlling-servicelb-node-selection","p":2875},{"i":2892,"t":"To select a particular subset of nodes to host pods for a LoadBalancer, add the enablelb label to the desired nodes, and set matching lbpool label values on the Nodes and Services. For example: Label Node A and Node B with svccontroller.k3s.cattle.io/lbpool=pool1 and svccontroller.k3s.cattle.io/enablelb=true Label Node C and Node D with svccontroller.k3s.cattle.io/lbpool=pool2 and svccontroller.k3s.cattle.io/enablelb=true Create one LoadBalancer Service on port 443 with label svccontroller.k3s.cattle.io/lbpool=pool1. The DaemonSet for this service only deploy Pods to Node A and Node B. Create another LoadBalancer Service on port 443 with label svccontroller.k3s.cattle.io/lbpool=pool2. The DaemonSet will only deploy Pods to Node C and Node D.","s":"Creating ServiceLB Node Pools","u":"/kr/networking/networking-services","h":"#creating-servicelb-node-pools","p":2875},{"i":2894,"t":"To disable ServiceLB, configure all servers in the cluster with the --disable=servicelb flag. This is necessary if you wish to run a different LB, such as MetalLB.","s":"Disabling ServiceLB","u":"/kr/networking/networking-services","h":"#disabling-servicelb","p":2875},{"i":2896,"t":"In order to reduce binary size, K3s removes all \"in-tree\" (built-in) cloud providers. Instead, K3s provides an embedded Cloud Controller Manager (CCM) stub that does the following: Sets node InternalIP and ExternalIP address fields based on the --node-ip and --node-external-ip flags. Hosts the ServiceLB LoadBalancer controller. Clears the node.cloudprovider.kubernetes.io/uninitialized taint that is present when the cloud-provider is set to external Before deploying an external CCM, you must start all K3s servers with the --disable-cloud-controller flag to disable to embedded CCM. 비고 If you disable the built-in CCM and do not deploy and properly configure an external substitute, nodes will remain tainted and unschedulable.","s":"Deploying an External Cloud Controller Manager","u":"/kr/networking/networking-services","h":"#deploying-an-external-cloud-controller-manager","p":2875},{"i":2898,"t":"K3s is a fast-moving project, and as such, we need a way to deprecate flags and configuration options. This page outlines the process for deprecating flags and configuration options. In order to ensure that users are not surprised by the removal of flags, the process is similar to the Kubernetes Deprecation Policy.","s":"Flag Deprecation","u":"/kr/reference/flag-deprecation","h":"","p":2897},{"i":2900,"t":"Flags can be declared as \"To Be Deprecated\" at any time. Flags that are \"To Be Deprecated\" must be labeled as such on the next patch of all currently supported releases. Additionally, the flag will begin to warn users that it is going to be deprecated in the next minor release. On the next minor release, a flag will be marked as deprecated in the documentation and converted to a hidden flag in code. The flag will continue to operate and give warnings to users. In the following minor release branch, deprecated flags will become \"nonoperational\", causing a fatal error if used. This error must explain to the user any new flags or configuration that replace this flag. In the next minor release, the nonoperational flags will be removed from documentation and code.","s":"Process","u":"/kr/reference/flag-deprecation","h":"#process","p":2897},{"i":2902,"t":"An example of the process: --foo exists in v1.22.14, v1.23.10, and v1.24.2. After the v1.24.2 release, it is decided to deprecate --foo in favor of --new-foo. In v1.22.15, v1.23.11, and v1.24.3, --foo continues to exist, but will warn users: [Warning] --foo will be deprecated in v1.25.0, use `--new-foo` instead --foo will continue to exist as an operational flag for the life of v1.22, v1.23 and v1.24. In v1.25.0, --foo is marked as deprecated in documentation and will be hidden in code. It will continue to work and warn users to move to --new-foo. In v1.26.0, --foo will cause a fatal error if used. The error message will say: [Fatal] exit 1: --foo is no longer supported, use --new-foo instead In v1.27.0, --foo will be removed completely from all code and documentation.","s":"Example","u":"/kr/reference/flag-deprecation","h":"#example","p":2897},{"i":2904,"t":"이 가이드는 기본 옵션으로 클러스터를 빠르게 시작하는 데 도움이 됩니다. 설치 섹션에서는 K3s를 설정하는 방법에 대해 자세히 설명합니다. K3s 구성 요소들이 작동하는 방식에 대한 자세한 내용은 아키텍처 섹션을 참조하세요. 정보 Kubernetes를 처음 사용하시나요? 공식 쿠버네티스 문서에는 이미 기본 사항을 설명하는 훌륭한 튜토리얼이 여기 있습니다.","s":"빠른 시작 가이드","u":"/kr/quick-start","h":"","p":2903},{"i":2906,"t":"K3s는 systemd 또는 openrc 기반 시스템에 서비스로 설치하는 편리한 방법으로 설치 스크립트를 제공합니다. 이 스크립트는 https://get.k3s.io 에서 확인할 수 있습니다. 이 방법으로 K3s를 설치하려면, 간단하게 다음을 실행하세요: curl -sfL https://get.k3s.io | sh - 이 설치를 실행한 후: 노드가 재부팅되거나 프로세스가 충돌 또는 종료된 경우 자동으로 재시작되도록 K3s 서비스가 구성됩니다. kubectl, crictl, ctr, k3s-killall.sh 및 k3s-uninstall.sh를 포함한 추가 유틸리티가 설치됩니다. /etc/rancher/k3s/k3s.yaml에 kubeconfig 파일을 작성하고, K3s가 설치한 kubectl이 자동으로 이를 사용하게 됩니다. 단일 노드 서버 설치는 워크로드 파드를 호스팅하는 데 필요한 모든 데이터스토어, 컨트롤 플레인, kubelet 및 컨테이너 런타임 구성 요소를 포함하여 모든 기능을 갖춘 Kubernetes 클러스터입니다. 서버 또는 에이전트 노드를 추가할 필요는 없지만, 클러스터에 추가 용량 또는 중복성을 추가하기 위해 추가하는 것이 좋습니다. 에이전트 노드를 추가로 설치하여 클러스터에 추가하려면, K3S_URL 및 K3S_TOKEN 환경 변수를 사용하여 설치 스크립트를 실행합니다. 다음은 에이전트 가입 방법을 보여주는 예제입니다: curl -sfL https://get.k3s.io | K3S_URL=https://myserver:6443 K3S_TOKEN=mynodetoken sh - K3S_URL 파라미터를 설정하면 인스톨러가 K3s를 서버가 아닌 에이전트로 구성합니다. K3s 에이전트는 제공된 URL에서 수신 대기 중인 K3s 서버에 등록됩니다. K3S_TOKEN에 사용할 값은 서버 노드의 /var/lib/rancher/k3s/server/node-token에 저장됩니다. 비고 각 머신은 고유한 호스트 이름을 가져야 합니다. 머신에 고유 호스트명이 없는 경우, K3S_NODE_NAME 환경 변수를 전달하고 각 노드에 대해 유효한 고유 호스트명이 있는 값을 제공하세요.","s":"설치 스크립트","u":"/kr/quick-start","h":"#설치-스크립트","p":2903},{"i":2908,"t":"As mentioned in the Quick-Start Guide, you can use the installation script available at https://get.k3s.io to install K3s as a service on systemd and openrc based systems. The simplest form of this command is as follows: curl -sfL https://get.k3s.io | sh - When using this method to install K3s, the following environment variables can be used to configure the installation: Environment Variable Description INSTALL_K3S_SKIP_DOWNLOAD If set to true will not download K3s hash or binary. INSTALL_K3S_SYMLINK By default will create symlinks for the kubectl, crictl, and ctr binaries if the commands do not already exist in path. If set to 'skip' will not create symlinks and 'force' will overwrite. INSTALL_K3S_SKIP_ENABLE If set to true will not enable or start K3s service. INSTALL_K3S_SKIP_START If set to true will not start K3s service. INSTALL_K3S_VERSION Version of K3s to download from Github. Will attempt to download from the stable channel if not specified. INSTALL_K3S_BIN_DIR Directory to install K3s binary, links, and uninstall script to, or use /usr/local/bin as the default. INSTALL_K3S_BIN_DIR_READ_ONLY If set to true will not write files to INSTALL_K3S_BIN_DIR, forces setting INSTALL_K3S_SKIP_DOWNLOAD=true. INSTALL_K3S_SYSTEMD_DIR Directory to install systemd service and environment files to, or use /etc/systemd/system as the default. INSTALL_K3S_EXEC Command with flags to use for launching K3s in the service. If the command is not specified, and the K3S_URL is set, it will default to \"agent.\" If K3S_URL not set, it will default to \"server.\" For help, refer to this example. INSTALL_K3S_NAME Name of systemd service to create, will default to 'k3s' if running k3s as a server and 'k3s-agent' if running k3s as an agent. If specified the name will be prefixed with 'k3s-'. INSTALL_K3S_TYPE Type of systemd service to create, will default from the K3s exec command if not specified. INSTALL_K3S_SELINUX_WARN If set to true will continue if k3s-selinux policy is not found. INSTALL_K3S_SKIP_SELINUX_RPM If set to true will skip automatic installation of the k3s RPM. INSTALL_K3S_CHANNEL_URL Channel URL for fetching K3s download URL. Defaults to https://update.k3s.io/v1-release/channels. INSTALL_K3S_CHANNEL Channel to use for fetching K3s download URL. Defaults to \"stable\". Options include: stable, latest, testing. This example shows where to place aforementioned environment variables as options (after the pipe): curl -sfL https://get.k3s.io | INSTALL_K3S_CHANNEL=latest sh - Environment variables which begin with K3S_ will be preserved for the systemd and openrc services to use. Setting K3S_URL without explicitly setting an exec command will default the command to \"agent\". When running the agent, K3S_TOKEN must also be set.","s":"Environment Variables","u":"/kr/reference/env-variables","h":"","p":2907},{"i":2910,"t":"This section captures the results of tests to determine minimum resource requirements for K3s. The results are summarized as follows: Components Processor Min CPU Min RAM with Kine/SQLite Min RAM with Embedded etcd K3s server with a workload Intel(R) Xeon(R) Platinum 8124M CPU, 3.00 GHz 10% of a core 768 M 896 M K3s cluster with a single agent Intel(R) Xeon(R) Platinum 8124M CPU, 3.00 GHz 10% of a core 512 M 768 M K3s agent Intel(R) Xeon(R) Platinum 8124M CPU, 3.00 GHz 5% of a core 256 M 256 M K3s server with a workload Pi4B BCM2711, 1.50 GHz 20% of a core 768 M 896 M K3s cluster with a single agent Pi4B BCM2711, 1.50 GHz 20% of a core 512 M 768 M K3s agent Pi4B BCM2711, 1.50 GHz 10% of a core 256 M 256 M Scope of Resource Testing Components Included for Baseline Measurements Methodology Environment Baseline Resource Requirements K3s Server with a Workload K3s Cluster with a Single Agent K3s Agent Analysis Primary Resource Utilization Drivers Preventing Agents and Workloads from Interfering with the Cluster Datastore","s":"Resource Profiling","u":"/kr/reference/resource-profiling","h":"","p":2909},{"i":2912,"t":"The resource tests were intended to address the following problem statements: On a single-node cluster, determine the legitimate minimum amount of CPU, memory, and IOPs that should be set aside to run the entire K3s stack server stack, assuming that a real workload will be deployed on the cluster. On an agent (worker) node, determine the legitimate minimum amount of CPU, memory, and IOPs that should be set aside for the Kubernetes and K3s control plane components (the kubelet and k3s agent).","s":"Scope of Resource Testing","u":"/kr/reference/resource-profiling","h":"#scope-of-resource-testing","p":2909},{"i":2914,"t":"The tested components are: K3s 1.19.2 with all packaged components enabled Prometheus + Grafana monitoring stack Kubernetes Example PHP Guestbook app These are baseline figures for a stable system using only K3s packaged components (Traefik Ingress, Klipper lb, local-path storage) running a standard monitoring stack (Prometheus and Grafana) and the Guestbook example app. Resource figures including IOPS are for the Kubernetes datastore and control plane only, and do not include overhead for system-level management agents or logging, container image management, or any workload-specific requirements.","s":"Components Included for Baseline Measurements","u":"/kr/reference/resource-profiling","h":"#components-included-for-baseline-measurements","p":2909},{"i":2916,"t":"A standalone instance of Prometheus v2.21.0 was used to collect host CPU, memory, and disk IO statistics using prometheus-node-exporter installed via apt. systemd-cgtop was used to spot-check systemd cgroup-level CPU and memory utilization. system.slice/k3s.service tracks resource utilization for both K3s and containerd, while individual pods are under the kubepods hierarchy. Additional detailed K3s memory utilization data was collected from the process_resident_memory_bytes and go_memstats_alloc_bytes metrics using the kubelet exporter integrated into the server and agent processes. Utilization figures were based on 95th percentile readings from steady state operation on nodes running the described workloads.","s":"Methodology","u":"/kr/reference/resource-profiling","h":"#methodology","p":2909},{"i":2918,"t":"OS: Ubuntu 20.04 x86_64, aarch64 Hardware: AWS c5d.xlarge - 4 core, 8 GB RAM, NVME SSD Raspberry Pi 4 Model B - 4 core, 8 GB RAM, Class 10 SDHC","s":"Environment","u":"/kr/reference/resource-profiling","h":"#environment","p":2909},{"i":2920,"t":"This section captures the results of tests to determine minimum resource requirements for the K3s agent, the K3s server with a workload, and the K3s server with one agent.","s":"Baseline Resource Requirements","u":"/kr/reference/resource-profiling","h":"#baseline-resource-requirements","p":2909},{"i":2922,"t":"These are the requirements for a single-node cluster in which the K3s server shares resources with a workload. The CPU requirements are: Resource Requirement Tested Processor 10% of a core Intel(R) Xeon(R) Platinum 8124M CPU, 3.00 GHz 20% of a core Low-power processor such as Pi4B BCM2711, 1.50 GHz The IOPS and memory requirements are: Tested Datastore IOPS KiB/sec Latency RAM Kine/SQLite 10 500 < 10 ms 768 M Embedded etcd 50 250 < 5 ms 896 M","s":"K3s Server with a Workload","u":"/kr/reference/resource-profiling","h":"#k3s-server-with-a-workload","p":2909},{"i":2924,"t":"These are the baseline requirements for a K3s cluster with a K3s server node and a K3s agent, but no workload. The CPU requirements are: Resource Requirement Tested Processor 10% of a core Intel(R) Xeon(R) Platinum 8124M CPU, 3.00 GHz 20% of a core Pi4B BCM2711, 1.50 GHz The IOPS and memory requirements are: Datastore IOPS KiB/sec Latency RAM Kine/SQLite 10 500 < 10 ms 512 M Embedded etcd 50 250 < 5 ms 768 M","s":"K3s Cluster with a Single Agent","u":"/kr/reference/resource-profiling","h":"#k3s-cluster-with-a-single-agent","p":2909},{"i":2926,"t":"The CPU requirements are: Resource Requirement Tested Processor 5% of a core Intel(R) Xeon(R) Platinum 8124M CPU, 3.00 GHz 10% of a core Pi4B BCM2711, 1.50 GHz 256 M of RAM is required.","s":"K3s Agent","u":"/kr/reference/resource-profiling","h":"#k3s-agent","p":2909},{"i":2928,"t":"This section captures what has the biggest impact on K3s server and agent utilization, and how the cluster datastore can be protected from interference from agents and workloads.","s":"Analysis","u":"/kr/reference/resource-profiling","h":"#analysis","p":2909},{"i":2930,"t":"K3s server utilization figures are primarily driven by support of the Kubernetes datastore (kine or etcd), API Server, Controller-Manager, and Scheduler control loops, as well as any management tasks necessary to effect changes to the state of the system. Operations that place additional load on the Kubernetes control plane, such as creating/modifying/deleting resources, will cause temporary spikes in utilization. Using operators or apps that make extensive use of the Kubernetes datastore (such as Rancher or other Operator-type applications) will increase the server's resource requirements. Scaling up the cluster by adding additional nodes or creating many cluster resources will increase the server's resource requirements. K3s agent utilization figures are primarily driven by support of container lifecycle management control loops. Operations that involve managing images, provisioning storage, or creating/destroying containers will cause temporary spikes in utilization. Image pulls in particular are typically highly CPU and IO bound, as they involve decompressing image content to disk. If possible, workload storage (pod ephemeral storage and volumes) should be isolated from the agent components (/var/lib/rancher/k3s/agent) to ensure that there are no resource conflicts.","s":"Primary Resource Utilization Drivers","u":"/kr/reference/resource-profiling","h":"#primary-resource-utilization-drivers","p":2909},{"i":2932,"t":"When running in an environment where the server is also hosting workload pods, care should be taken to ensure that agent and workload IOPS do not interfere with the datastore. This can be best accomplished by placing the server components (/var/lib/rancher/k3s/server) on a different storage medium than the agent components (/var/lib/rancher/k3s/agent), which include the containerd image store. Workload storage (pod ephemeral storage and volumes) should also be isolated from the datastore. Failure to meet datastore throughput and latency requirements may result in delayed response from the control plane and/or failure of the control plane to maintain system state.","s":"Preventing Agents and Workloads from Interfering with the Cluster Datastore","u":"/kr/reference/resource-profiling","h":"#preventing-agents-and-workloads-from-interfering-with-the-cluster-datastore","p":2909},{"i":2934,"t":"Projects implementing the K3s distribution are welcome additions to help expand the community. This page will introduce you to a range of projects that are related to K3s and can help you further explore its capabilities and potential applications. These projects showcase the versatility and adaptability of K3s in various environments, as well as extensions of K3s. They are all useful in creating large scale High Availability (HA) Kubernetes clusters.","s":"Related Projects","u":"/kr/related-projects","h":"","p":2933},{"i":2936,"t":"For users seeking to bootstrap a multi-node K3s cluster and familiar with ansible, take a look at k3s-io/k3s-ansible repository. This set of ansible playbooks provides a convenient way to install K3s on your nodes, allowing you to focus on the configuration of your cluster rather than the installation process.","s":"k3s-ansible","u":"/kr/related-projects","h":"#k3s-ansible","p":2933},{"i":2938,"t":"Another project that simplifies the process of setting up a K3s cluster is k3sup. This project,written in golang, only requires ssh access to your nodes. It also provides a convenient way to deploy K3s with external datastores, not just the embedded etcd.","s":"k3sup","u":"/kr/related-projects","h":"#k3sup","p":2933},{"i":2940,"t":"Another provisioning tool, autok3s, provides a GUI for provising k3s cluster across a range of cloud providers, VMs, and local machines. This tool is useful for users who prefer a graphical interface for provising K3s clusters.","s":"autok3s","u":"/kr/related-projects","h":"#autok3s","p":2933},{"i":2942,"t":"This page describes K3s network configuration options, including configuration or replacement of Flannel, and configuring IPv6 or dualStack.","s":"Basic Network Options","u":"/kr/networking/basic-network-options","h":"","p":2941},{"i":2944,"t":"Flannel is a lightweight provider of layer 3 network fabric that implements the Kubernetes Container Network Interface (CNI). It is what is commonly referred to as a CNI Plugin. Flannel options can only be set on server nodes, and must be identical on all servers in the cluster. The default backend for Flannel is vxlan. To enable encryption, use the wireguard-native backend. Using vxlan on Rasperry Pi with recent versions of Ubuntu requires additional preparation. Using wireguard-native as the Flannel backend may require additional modules on some Linux distributions. Please see the WireGuard Install Guide for details. The WireGuard install steps will ensure the appropriate kernel modules are installed for your operating system. You must ensure that WireGuard kernel modules are available on every node, both servers and agents, before attempting to use the WireGuard Flannel backend. CLI Flag and Value Description --flannel-ipv6-masq Apply masquerading rules to IPv6 traffic (default for IPv4). Only applies on dual-stack or IPv6-only clusters. Compatible with any Flannel backend other than none. --flannel-external-ip Use node external IP addresses as the destination for Flannel traffic, instead of internal IPs. Only applies when --node-external-ip is set on a node. --flannel-backend=vxlan Use VXLAN to encapsulate the packets. May require additional kernel modules on Raspberry Pi. --flannel-backend=host-gw Use IP routes to pod subnets via node IPs. Requires direct layer 2 connectivity between all nodes in the cluster. --flannel-backend=wireguard-native Use WireGuard to encapsulate and encrypt network traffic. May require additional kernel modules. --flannel-backend=ipsec Use strongSwan IPSec via the swanctl binary to encrypt network traffic. (Deprecated; will be removed in v1.27.0) --flannel-backend=none Disable Flannel entirely. Version Gate K3s no longer includes strongSwan swanctl and charon binaries starting with the 2022-12 releases (v1.26.0+k3s1, v1.25.5+k3s1, v1.24.9+k3s1, v1.23.15+k3s1). Please install the correct packages on your node before upgrading to or installing these releases if you want to use the ipsec backend.","s":"Flannel Options","u":"/kr/networking/basic-network-options","h":"#flannel-options","p":2941},{"i":2946,"t":"The legacy wireguard backend requires installation of the wg tool on the host. This backend is not available in K3s v1.26 and higher, in favor of wireguard-native backend, which directly interfaces with the kernel. The legacy ipsec backend requires installation of the swanctl and charon binaries on the host. This backend is not available in K3s v1.27 and higher, in favor of the wireguard-native backend. We recommend that users migrate to the new backend as soon as possible. The migration requires a short period of downtime while nodes come up with the new configuration. You should follow these two steps: Update the K3s config on all server nodes. If using config files, the /etc/rancher/k3s/config.yaml should include flannel-backend: wireguard-native instead of flannel-backend: wireguard or flannel-backend: ipsec. If you are configuring K3s via CLI flags in the systemd unit, the equivalent flags should be changed. Reboot all nodes, starting with the servers.","s":"Migrating from wireguard or ipsec to wireguard-native","u":"/kr/networking/basic-network-options","h":"#migrating-from-wireguard-or-ipsec-to-wireguard-native","p":2941},{"i":2948,"t":"Start K3s with --flannel-backend=none and install your CNI of choice. Most CNI plugins come with their own network policy engine, so it is recommended to set --disable-network-policy as well to avoid conflicts. Some important information to take into consideration: Canal Calico Cilium Visit the Canal Docs website. Follow the steps to install Canal. Modify the Canal YAML so that IP forwarding is allowed in the container_settings section, for example: \"container_settings\": { \"allow_ip_forwarding\": true } Apply the Canal YAML. Ensure the settings were applied by running the following command on the host: cat /etc/cni/net.d/10-canal.conflist You should see that IP forwarding is set to true. Follow the Calico CNI Plugins Guide. Modify the Calico YAML so that IP forwarding is allowed in the container_settings section, for example: \"container_settings\": { \"allow_ip_forwarding\": true } Apply the Calico YAML. Ensure the settings were applied by running the following command on the host: cat /etc/cni/net.d/10-calico.conflist You should see that IP forwarding is set to true. Before running k3s-killall.sh or k3s-uninstall.sh, you must manually remove cilium_host, cilium_net and cilium_vxlan interfaces. If you fail to do this, you may lose network connectivity to the host when K3s is stopped ip link delete cilium_host ip link delete cilium_net ip link delete cilium_vxlan Additionally, iptables rules for cilium should be removed: iptables-save | grep -iv cilium | iptables-restore ip6tables-save | grep -iv cilium | ip6tables-restore","s":"Custom CNI","u":"/kr/networking/basic-network-options","h":"#custom-cni","p":2941},{"i":2950,"t":"K3s agents and servers maintain websocket tunnels between nodes that are used to encapsulate bidirectional communication between the control-plane (apiserver) and agent (kubelet and containerd) components. This allows agents to operate without exposing the kubelet and container runtime streaming ports to incoming connections, and for the control-plane to connect to cluster services when operating with the agent disabled. This functionality is equivalent to the Konnectivity service commonly used on other Kubernetes distributions, and is managed via the apiserver's egress selector configuration. The default mode is agent. pod or cluster modes are recommended when running agentless servers, in order to provide the apiserver with access to cluster service endpoints in the absence of flannel and kube-proxy. The egress selector mode may be configured on servers via the --egress-selector-mode flag, and offers four modes: disabled: The apiserver does not use agent tunnels to communicate with kubelets or cluster endpoints. This mode requires that servers run the kubelet, CNI, and kube-proxy, and have direct connectivity to agents, or the apiserver will not be able to access service endpoints or perform kubectl exec and kubectl logs. agent (default): The apiserver uses agent tunnels to communicate with kubelets. This mode requires that the servers also run the kubelet, CNI, and kube-proxy, or the apiserver will not be able to access service endpoints. pod: The apiserver uses agent tunnels to communicate with kubelets and service endpoints, routing endpoint connections to the correct agent by watching Nodes and Endpoints. NOTE: This mode will not work when using a CNI that uses its own IPAM and does not respect the node's PodCIDR allocation. cluster or agent mode should be used with these CNIs instead. cluster: The apiserver uses agent tunnels to communicate with kubelets and service endpoints, routing endpoint connections to the correct agent by watching Pods and Endpoints. This mode has the highest portability across different cluster configurations, at the cost of increased overhead.","s":"Control-Plane Egress Selector configuration","u":"/kr/networking/basic-network-options","h":"#control-plane-egress-selector-configuration","p":2941},{"i":2952,"t":"Version Gate Experimental support is available as of v1.21.0+k3s1. Stable support is available as of v1.23.7+k3s1. Known Issue Before 1.27, Kubernetes Issue #111695 causes the Kubelet to ignore the node IPv6 addresses if you have a dual-stack environment and you are not using the primary network interface for cluster traffic. To avoid this bug, use 1.27 or newer or add the following flag to both K3s servers and agents: --kubelet-arg=\"node-ip=0.0.0.0\" # To proritize IPv4 traffic #OR --kubelet-arg=\"node-ip=::\" # To proritize IPv6 traffic Dual-stack networking must be configured when the cluster is first created. It cannot be enabled on an existing cluster once it has been started as IPv4-only. To enable dual-stack in K3s, you must provide valid dual-stack cluster-cidr and service-cidr on all server nodes. This is an example of a valid configuration: --cluster-cidr=10.42.0.0/16,2001:cafe:42::/56 --service-cidr=10.43.0.0/16,2001:cafe:43::/112 Note that you may configure any valid cluster-cidr and service-cidr values, but the above masks are recommended. If you change the cluster-cidr mask, you should also change the node-cidr-mask-size-ipv4 and node-cidr-mask-size-ipv6 values to match the planned pods per node and total node count. The largest supported service-cidr mask is /12 for IPv4, and /112 for IPv6. Remember to allow ipv6 traffic if you are deploying in a public cloud. If you are using a custom CNI plugin, i.e. a CNI plugin other than Flannel, the additional configuration may be required. Please consult your plugin's dual-stack documentation and verify if network policies can be enabled. Known Issue When defining cluster-cidr and service-cidr with IPv6 as the primary family, the node-ip of all cluster members should be explicitly set, placing node's desired IPv6 address as the first address. By default, the kubelet always uses IPv4 as the primary address family.","s":"Dual-stack (IPv4 + IPv6) Networking","u":"/kr/networking/basic-network-options","h":"#dual-stack-ipv4--ipv6-networking","p":2941},{"i":2954,"t":"Version Gate Available as of v1.22.9+k3s1 Known Issue If your IPv6 default route is set by a router advertisement (RA), you will need to set the sysctl net.ipv6.conf.all.accept_ra=2; otherwise, the node will drop the default route once it expires. Be aware that accepting RAs could increase the risk of man-in-the-middle attacks. Single-stack IPv6 clusters (clusters without IPv4) are supported on K3s using the --cluster-cidr and --service-cidr flags. This is an example of a valid configuration: --cluster-cidr=2001:cafe:42::/56 --service-cidr=2001:cafe:43::/112","s":"Single-stack IPv6 Networking","u":"/kr/networking/basic-network-options","h":"#single-stack-ipv6-networking","p":2941},{"i":2956,"t":"Some cloud providers, such as Linode, will create machines with \"localhost\" as the hostname and others may not have a hostname set at all. This can cause problems with domain name resolution. You can run K3s with the --node-name flag or K3S_NODE_NAME environment variable and this will pass the node name to resolve this issue.","s":"Nodes Without a Hostname","u":"/kr/networking/basic-network-options","h":"#nodes-without-a-hostname","p":2941},{"i":2958,"t":"이 섹션에서는 K3s 클러스터를 보호하는 방법론과 수단에 대해 설명합니다. 두 섹션으로 나뉘어져 있습니다. 이 가이드는 K3s가 임베디드 etcd로 실행되고 있다고 가정합니다. 아래 문서는 CIS 쿠버네티스 벤치마크 v1.23에 적용됩니다. 강화 가이드 CIS 벤치마크 자체 평가 가이드","s":"보안","u":"/kr/security","h":"","p":2957},{"i":2960,"t":"K3s supports enabling secrets encryption at rest. When first starting the server, passing the flag --secrets-encryption will do the following automatically: Generate an AES-CBC key Generate an encryption config file with the generated key Pass the config to the KubeAPI as encryption-provider-config 팁 Secrets-encryption cannot be enabled on an existing server without restarting it. Use curl -sfL https://get.k3s.io | sh -s - server --secrets-encryption if installing from script, or other methods described in Configuration Options. Example of the encryption config file: { \"kind\": \"EncryptionConfiguration\", \"apiVersion\": \"apiserver.config.k8s.io/v1\", \"resources\": [ { \"resources\": [ \"secrets\" ], \"providers\": [ { \"aescbc\": { \"keys\": [ { \"name\": \"aescbckey\", \"secret\": \"xxxxxxxxxxxxxxxxxxx\" } ] } }, { \"identity\": {} } ] } ] }","s":"Secrets Encryption Config","u":"/kr/security/secrets-encryption","h":"","p":2959},{"i":2962,"t":"K3s contains a utility tool secrets-encrypt, which enables automatic control over the following: Disabling/Enabling secrets encryption Adding new encryption keys Rotating and deleting encryption keys Reencrypting secrets For more information, see the k3s secrets-encrypt command documentation.","s":"Secrets Encryption Tool","u":"/kr/security/secrets-encryption","h":"#secrets-encryption-tool","p":2959},{"i":2964,"t":"이 페이지는 번역되지 않았습니다","s":"self-assessment-1.24","u":"/kr/security/self-assessment-1.24","h":"","p":2963},{"i":2966,"t":"이 페이지는 번역되지 않았습니다","s":"self-assessment-1.7","u":"/kr/security/self-assessment-1.7","h":"","p":2965},{"i":2968,"t":"이 페이지는 번역되지 않았습니다","s":"self-assessment-1.8","u":"/kr/security/self-assessment-1.8","h":"","p":2967},{"i":2970,"t":"데이터를 유지해야 하는 애플리케이션을 배포할 때는 퍼시스턴트 스토리지를 만들어야 합니다. 퍼시스턴트 스토리지를 사용하면 애플리케이션을 실행하는 파드 외부에 애플리케이션 데이터를 저장할 수 있습니다. 이 스토리지 방식을 사용하면 애플리케이션의 파드에 장애가 발생하더라도 애플리케이션 데이터를 유지할 수 있습니다. 퍼시스턴트 볼륨(PV: persistent volume)은 쿠버네티스 클러스터의 스토리지 조각이며, 퍼시스턴트 볼륨 클레임(PVC: persistent volume claim)은 스토리지에 대한 요청입니다. PV와 PVC의 작동 방식에 대한 자세한 내용은 스토리지 공식 쿠버네티스 문서를 참조하세요. 이 페이지는 로컬 스토리지 제공자 또는 [롱혼(#setting-up-longhorn)]을 사용하여 퍼시스턴트 스토리지를 설정하는 방법을 설명합니다.","s":"볼륨과 저장소","u":"/kr/storage","h":"","p":2969},{"i":2972,"t":"K3s는 몇 가지 선택적 볼륨 플러그인과 모든 내장(\"in-tree\"라고도 함) 클라우드 제공업체를 제거합니다. 이는 더 작은 바이너리 크기를 달성하고 많은 K3s 사용 사례에서 사용할 수 없는 타사 클라우드 또는 데이터센터 기술 및 서비스에 대한 의존을 피하기 위한 것입니다. 이러한 플러그인을 제거해도 핵심 Kubernetes 기능이나 적합성에는 영향을 미치지 않기 때문에 이렇게 할 수 있습니다. 다음 볼륨 플러그인은 K3s에서 제거되었습니다: cephfs fc flocker git_repo glusterfs portworx quobyte rbd storageos K3s와 함께 사용할 수 있는 트리 외 대안인 두 구성 요소가 있습니다: 쿠버네티스 컨테이너 스토리지 인터페이스(CSI) 및 클라우드 프로바이더 인터페이스(CPI)입니다. 쿠버네티스 유지 관리자는 인-트리 볼륨 플러그인을 CSI 드라이버로 적극적으로 마이그레이션하고 있습니다. 이 마이그레이션에 대한 자세한 내용은 여기를 참고하세요.","s":"K3s 스토리지의 차이점은 무엇인가요?","u":"/kr/storage","h":"#k3s-스토리지의-차이점은-무엇인가요","p":2969},{"i":2974,"t":"K3s는 랜처의 로컬 경로 프로비저너와 함께 제공되며, 이를 통해 각 노드의 로컬 스토리지를 사용하여 영구 볼륨 클레임(persistent volume claims)을 즉시 생성할 수 있습니다. 아래에서는 간단한 예제를 다루겠습니다. 자세한 내용은 공식 문서 여기를 참조하세요. 호스트 경로 지원 퍼시스턴트 볼륨 클레임과 이를 활용할 파드를 생성합니다:","s":"로컬 스토리지 공급자 설정하기","u":"/kr/storage","h":"#로컬-스토리지-공급자-설정하기","p":2969},{"i":2976,"t":"apiVersion: v1 kind: PersistentVolumeClaim metadata: name: local-path-pvc namespace: default spec: accessModes: - ReadWriteOnce storageClassName: local-path resources: requests: storage: 2Gi","s":"pvc.yaml","u":"/kr/storage","h":"#pvcyaml","p":2969},{"i":2978,"t":"apiVersion: v1 kind: Pod metadata: name: volume-test namespace: default spec: containers: - name: volume-test image: nginx:stable-alpine imagePullPolicy: IfNotPresent volumeMounts: - name: volv mountPath: /data ports: - containerPort: 80 volumes: - name: volv persistentVolumeClaim: claimName: local-path-pvc yaml을 적용합니다: kubectl create -f pvc.yaml kubectl create -f pod.yaml PV 및 PVC가 생성되었는지 확인합니다: kubectl get pv kubectl get pvc 상태는 각각 Bound여야 합니다.","s":"pod.yaml","u":"/kr/storage","h":"#podyaml","p":2969},{"i":2980,"t":"warning Longhorn은 ARM32를 지원하지 않습니다. K3s는 쿠버네티스용 오픈소스 분산형 블록 스토리지 시스템인 Longhorn을 지원합니다. 아래는 간단한 예제입니다. 자세한 내용은 공식 문서를 참고하시기 바랍니다. longhorn.yaml을 적용하여 Longhorn을 설치합니다: kubectl apply -f https://raw.githubusercontent.com/longhorn/longhorn/v1.5.1/deploy/longhorn.yaml Longhorn은 네임스페이스 longhorn-system에 설치됩니다. yaml을 적용하여 PVC와 파드를 생성합니다: kubectl create -f pvc.yaml kubectl create -f pod.yaml","s":"Longhorn 구성하기","u":"/kr/storage","h":"#longhorn-구성하기","p":2969},{"i":2982,"t":"apiVersion: v1 kind: PersistentVolumeClaim metadata: name: longhorn-volv-pvc spec: accessModes: - ReadWriteOnce storageClassName: longhorn resources: requests: storage: 2Gi","s":"pvc.yaml","u":"/kr/storage","h":"#pvcyaml-1","p":2969},{"i":2984,"t":"apiVersion: v1 kind: Pod metadata: name: volume-test namespace: default spec: containers: - name: volume-test image: nginx:stable-alpine imagePullPolicy: IfNotPresent volumeMounts: - name: volv mountPath: /data ports: - containerPort: 80 volumes: - name: volv persistentVolumeClaim: claimName: longhorn-volv-pvc PV 및 PVC가 생성되었는지 확인합니다: kubectl get pv kubectl get pvc 상태는 각각 Bound여야 합니다.","s":"pod.yaml","u":"/kr/storage","h":"#podyaml-1","p":2969},{"i":2987,"t":"수동 업그레이드에서는 클러스터를 수동으로 업그레이드하는 몇 가지 기술을 설명합니다. 또한 Terraform과 같은 타사 코드형 인프라 도구(Infrastructure-as-Code)를 통한 업그레이드의 기초로 사용할 수도 있습니다. 자동 업그레이드는 Rancher의 시스템-업그레이드-컨트롤러(system-upgrade-controller)를 사용하여 쿠버네티스 네이티브 자동 업그레이드를 수행하는 방법을 설명합니다.","s":"K3s 클러스터 업그레이드하기","u":"/kr/upgrades","h":"#k3s-클러스터-업그레이드하기","p":2985},{"i":2989,"t":"Traefik: Traefik이 비활성화되지 않은 경우, K3s 버전 1.20 이하에서는 Traefik v1이 설치되고, K3s 버전 1.21 이상에서는 v1이 없는 경우 Traefik v2가 설치됩니다. 구형 Traefik v1에서 Traefik v2로 업그레이드하려면 Traefik 문서를 참조하시고 마이그레이션 도구를 사용하세요. K3s 부트스트랩 데이터: 외부 SQL 데이터스토어가 있는 HA 구성에서 K3s를 사용 중이고 서버(컨트롤 플레인) 노드가 --token CLI 플래그로 시작되지 않은 경우, 토큰을 지정하지 않고는 더 이상 클러스터에 K3s 서버를 추가할 수 없게 됩니다. 백업에서 복원할 때 필요하므로 이 토큰의 사본을 보관해야 합니다. 이전에는 K3s에서 외부 SQL 데이터스토어를 사용할 때 토큰을 사용하도록 강제하지 않았습니다. 영향을 받는 버전은 <= v1.19.12+k3s1, v1.20.8+k3s1, v1.21.2+k3s1; 이며, 패치된 버전은 v1.19.13+k3s1, v1.20.9+k3s1, v1.21.3+k3s1 입니다. 다음과 같이 클러스터에 이미 가입된 서버에서 토큰 값을 찾을 수 있습니다: cat /var/lib/rancher/k3s/server/token 실험용 Dqlite: 실험용 내장 Dqlite 데이터 저장소는 K3s v1.19.1에서 더 이상 사용되지 않습니다. 실험용 Dqlite에서 실험용 내장 etcd 업그레이드는 지원되지 않는다는 점에 유의하세요. 업그레이드를 시도하면 성공하지 못하고 데이터가 손실됩니다.","s":"버전별 주의사항","u":"/kr/upgrades","h":"#버전별-주의사항","p":2985},{"i":2992,"t":"You can manage K3s cluster upgrades using Rancher's system-upgrade-controller. This is a Kubernetes-native approach to cluster upgrades. It leverages a custom resource definition (CRD), a plan, and a controller. The plan defines upgrade policies and requirements. It also defines which nodes should be upgraded through a label selector. See below for plans with defaults appropriate for upgrading a K3s cluster. For more advanced plan configuration options, please review the CRD. The controller schedules upgrades by monitoring plans and selecting nodes to run upgrade jobs on. When a job has run to completion successfully, the controller will label the node on which it ran accordingly. 비고 The upgrade job that is launched must be highly privileged. It is configured with the following: Host IPC, NET, and PID namespaces The CAP_SYS_BOOT capability Host root mounted at /host with read and write permissions To automate upgrades in this manner, you must do the following: Install the system-upgrade-controller into your cluster Configure plans warning If the K3s cluster is managed by Rancher, you should use the Rancher UI to manage upgrades. If the K3s cluster was imported into Rancher, Rancher will manage the system-upgrade-controller deployment and plans. Do not follow the steps on this page. If the K3s cluster was provisioned by Rancher, Rancher will use system agent to manage version upgrades. Do not follow the steps on this page. If the K3s cluster is not managed Rancher, you may follow the steps below. For more details on the design and architecture of the system-upgrade-controller or its integration with K3s, see the following Git repositories: system-upgrade-controller k3s-upgrade 팁 When attempting to upgrade to a new version of K3s, the Kubernetes version skew policy applies. Ensure that your plan does not skip intermediate minor versions when upgrading. The system-upgrade-controller itself will not protect against unsupported changes to the Kubernetes version.","s":"Overview","u":"/kr/upgrades/automated","h":"#overview","p":2990},{"i":2994,"t":"The system-upgrade-controller can be installed as a deployment into your cluster. The deployment requires a service-account, clusterRoleBinding, and a configmap. To install these components, run the following command: kubectl apply -f https://github.com/rancher/system-upgrade-controller/releases/latest/download/system-upgrade-controller.yaml The controller can be configured and customized via the previously mentioned configmap, but the controller must be redeployed for the changes to be applied.","s":"Install the system-upgrade-controller","u":"/kr/upgrades/automated","h":"#install-the-system-upgrade-controller","p":2990},{"i":2996,"t":"It is recommended you create at least two plans: a plan for upgrading server (control-plane) nodes and a plan for upgrading agent nodes. You can create additional plans as needed to control the rollout of the upgrade across nodes. Once the plans are created, the controller will pick them up and begin to upgrade your cluster. The following two example plans will upgrade your cluster to K3s v1.24.6+k3s1: # Server plan apiVersion: upgrade.cattle.io/v1 kind: Plan metadata: name: server-plan namespace: system-upgrade spec: concurrency: 1 cordon: true nodeSelector: matchExpressions: - key: node-role.kubernetes.io/control-plane operator: In values: - \"true\" serviceAccountName: system-upgrade upgrade: image: rancher/k3s-upgrade version: v1.24.6+k3s1 --- # Agent plan apiVersion: upgrade.cattle.io/v1 kind: Plan metadata: name: agent-plan namespace: system-upgrade spec: concurrency: 1 cordon: true nodeSelector: matchExpressions: - key: node-role.kubernetes.io/control-plane operator: DoesNotExist prepare: args: - prepare - server-plan image: rancher/k3s-upgrade serviceAccountName: system-upgrade upgrade: image: rancher/k3s-upgrade version: v1.24.6+k3s1 There are a few important things to call out regarding these plans: The plans must be created in the same namespace where the controller was deployed. The concurrency field indicates how many nodes can be upgraded at the same time. The server-plan targets server nodes by specifying a label selector that selects nodes with the node-role.kubernetes.io/control-plane label. The agent-plan targets agent nodes by specifying a label selector that select nodes without that label. The prepare step in the agent-plan will cause upgrade jobs for that plan to wait for the server-plan to complete before they execute. Both plans have the version field set to v1.24.6+k3s1. Alternatively, you can omit the version field and set the channel field to a URL that resolves to a release of K3s. This will cause the controller to monitor that URL and upgrade the cluster any time it resolves to a new release. This works well with the release channels. Thus, you can configure your plans with the following channel to ensure your cluster is always automatically upgraded to the newest stable release of K3s: apiVersion: upgrade.cattle.io/v1 kind: Plan ... spec: ... channel: https://update.k3s.io/v1-release/channels/stable As stated, the upgrade will begin as soon as the controller detects that a plan was created. Updating a plan will cause the controller to re-evaluate the plan and determine if another upgrade is needed. You can monitor the progress of an upgrade by viewing the plan and jobs via kubectl: kubectl -n system-upgrade get plans -o yaml kubectl -n system-upgrade get jobs -o yaml","s":"Configure plans","u":"/kr/upgrades/automated","h":"#configure-plans","p":2990},{"i":2998,"t":"To allow high availability during upgrades, the K3s containers continue running when the K3s service is stopped. To stop all of the K3s containers and reset the containerd state, the k3s-killall.sh script can be used. The killall script cleans up containers, K3s directories, and networking components while also removing the iptables chain with all the associated rules. The cluster data will not be deleted. To run the killall script from a server node, run: /usr/local/bin/k3s-killall.sh","s":"Stopping K3s","u":"/kr/upgrades/killall","h":"","p":2997},{"i":3000,"t":"You can upgrade K3s by using the installation script, or by manually installing the binary of the desired version. 비고 When upgrading, upgrade server nodes first one at a time, then any agent nodes.","s":"Manual Upgrades","u":"/kr/upgrades/manual","h":"","p":2999},{"i":3002,"t":"Upgrades performed via the installation script or using our automated upgrades feature can be tied to different release channels. The following channels are available: Channel Description stable (Default) Stable is recommended for production environments. These releases have been through a period of community hardening. latest Latest is recommended for trying out the latest features. These releases have not yet been through a period of community hardening. v1.26 (example) There is a release channel tied to each Kubernetes minor version, including versions that are end-of-life. These channels will select the latest patch available, not necessarily a stable release. For an exhaustive and up-to-date list of channels, you can visit the k3s channel service API. For more technical details on how channels work, you see the channelserver project. 팁 When attempting to upgrade to a new version of K3s, the Kubernetes version skew policy applies. Ensure that your plan does not skip intermediate minor versions when upgrading. The system-upgrade-controller itself will not protect against unsupported changes to the Kubernetes version.","s":"Release Channels","u":"/kr/upgrades/manual","h":"#release-channels","p":2999},{"i":3004,"t":"To upgrade K3s from an older version you can re-run the installation script using the same flags, for example: curl -sfL https://get.k3s.io | sh - This will upgrade to a newer version in the stable channel by default. If you want to upgrade to a newer version in a specific channel (such as latest) you can specify the channel: curl -sfL https://get.k3s.io | INSTALL_K3S_CHANNEL=latest sh - If you want to upgrade to a specific version you can run the following command: curl -sfL https://get.k3s.io | INSTALL_K3S_VERSION=vX.Y.Z-rc1 sh -","s":"Upgrade K3s Using the Installation Script","u":"/kr/upgrades/manual","h":"#upgrade-k3s-using-the-installation-script","p":2999},{"i":3006,"t":"Or to manually upgrade K3s: Download the desired version of the K3s binary from releases Copy the downloaded binary to /usr/local/bin/k3s (or your desired location) Stop the old k3s binary Launch the new k3s binary","s":"Manually Upgrade K3s Using the Binary","u":"/kr/upgrades/manual","h":"#manually-upgrade-k3s-using-the-binary","p":2999},{"i":3008,"t":"Restarting K3s is supported by the installation script for systemd and OpenRC. systemd To restart servers manually: sudo systemctl restart k3s To restart agents manually: sudo systemctl restart k3s-agent OpenRC To restart servers manually: sudo service k3s restart To restart agents manually: sudo service k3s-agent restart","s":"Restarting K3s","u":"/kr/upgrades/manual","h":"#restarting-k3s","p":2999},{"i":3010,"t":"K3s는 쿠버네티스와 완전히 호환되며 다음과 같은 향상된 기능을 갖춘 배포판입니다: 단일 바이너리로 패키지화. 기본 스토리지 메커니즘으로 sqlite3를 기반으로 하는 경량 스토리지 백엔드. etcd3, MySQL, Postgres도 사용 가능. 복잡한 TLS 및 옵션을 처리하는 간단한 런처에 포함. 경량 환경을 위한 합리적인 기본값으로 기본적으로 보안을 유지함. 다음과 같이 간단하지만 강력한 'batteries-included' 기능 추가. 예를 들어: local storage provider service load balancer Helm controller Traefik ingress controller 모든 쿠버네티스 컨트롤 플레인 구성 요소의 작동은 단일 바이너리 및 프로세스로 캡슐화. 이를 통해 K3s는 인증서 배포와 같은 복잡한 클러스터 작업을 자동화하고 관리. 외부 종속성 최소화(최신 커널과 cgroup 마운트만 필요) K3s는 다음과 같은 필수 종속성을 패키지로 제공합니다: Containerd Flannel (CNI) CoreDNS Traefik (인그레스) Klipper-lb (서비스 로드밸런서) 임베디드 네트워크 정책 컨트롤러 임베디드 로컬 경로 프로비저너 호스트 유틸리티(iptables, socat 등)","s":"k3s란 무엇입니까?","u":"/kr/","h":"","p":3009},{"i":3012,"t":"우리는 메모리 풋프린트 측면에서 절반 크기의 Kubernetes를 설치하기를 원했습니다. Kubernetes는 K8s로 표기되는 10글자 단어입니다. 따라서 쿠버네티스의 절반 크기라면 K3s로 표기된 5글자 단어가 될 것입니다. K3s의 긴 형태는 없으며 공식적인 발음도 없습니다.","s":"이름에는 무슨 뜻이 있나요?","u":"/kr/","h":"","p":3009},{"i":3014,"t":"This document provides prescriptive guidance for hardening a production installation of K3s. It outlines the configurations and controls required to address Kubernetes benchmark controls from the Center for Internet Security (CIS). K3s has a number of security mitigations applied and turned on by default and will pass a number of the Kubernetes CIS controls without modification. There are some notable exceptions to this that require manual intervention to fully comply with the CIS Benchmark: K3s will not modify the host operating system. Any host-level modifications will need to be done manually. Certain CIS policy controls for NetworkPolicies and PodSecurityStandards (PodSecurityPolicies on v1.24 and older) will restrict the functionality of the cluster. You must opt into having K3s configure these by adding the appropriate options (enabling of admission plugins) to your command-line flags or configuration file as well as manually applying appropriate policies. Further details are presented in the sections below. The first section (1.1) of the CIS Benchmark concerns itself primarily with pod manifest permissions and ownership. K3s doesn't utilize these for the core components since everything is packaged into a single binary.","s":"CIS Hardening Guide","u":"/kr/security/hardening-guide","h":"","p":3013},{"i":3016,"t":"There are two areas of host-level requirements: kernel parameters and etcd process/directory configuration. These are outlined in this section.","s":"Host-level Requirements","u":"/kr/security/hardening-guide","h":"#host-level-requirements","p":3013},{"i":3018,"t":"This is a kubelet flag that will cause the kubelet to exit if the required kernel parameters are unset or are set to values that are different from the kubelet's defaults. Note: protect-kernel-defaults is exposed as a top-level flag for K3s. Set kernel parameters​ Create a file called /etc/sysctl.d/90-kubelet.conf and add the snippet below. Then run sysctl -p /etc/sysctl.d/90-kubelet.conf. vm.panic_on_oom=0 vm.overcommit_memory=1 kernel.panic=10 kernel.panic_on_oops=1 kernel.keys.root_maxbytes=25000000","s":"Ensure protect-kernel-defaults is set","u":"/kr/security/hardening-guide","h":"#ensure-protect-kernel-defaults-is-set","p":3013},{"i":3020,"t":"The runtime requirements to comply with the CIS Benchmark are centered around pod security (via PSP or PSA), network policies and API Server auditing logs. These are outlined in this section. By default, K3s does not include any pod security or network policies. However, K3s ships with a controller that will enforce network policies, if any are created. K3s doesn't enable auditing by default, so audit log configuration and audit policy must be created manually. By default, K3s runs with the both the PodSecurity and NodeRestriction admission controllers enabled, among others.","s":"Kubernetes Runtime Requirements","u":"/kr/security/hardening-guide","h":"#kubernetes-runtime-requirements","p":3013},{"i":3022,"t":"v1.25 and Newer v1.24 and Older K3s v1.25 and newer support Pod Security Admissions (PSAs) for controlling pod security. PSAs are enabled by passing the following flag to the K3s server: --kube-apiserver-arg=\"admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml\" The policy should be written to a file named psa.yaml in /var/lib/rancher/k3s/server directory. Here is an example of a compliant PSA: apiVersion: apiserver.config.k8s.io/v1 kind: AdmissionConfiguration plugins: - name: PodSecurity configuration: apiVersion: pod-security.admission.config.k8s.io/v1beta1 kind: PodSecurityConfiguration defaults: enforce: \"restricted\" enforce-version: \"latest\" audit: \"restricted\" audit-version: \"latest\" warn: \"restricted\" warn-version: \"latest\" exemptions: usernames: [] runtimeClasses: [] namespaces: [kube-system, cis-operator-system] K3s v1.24 and older support Pod Security Policies (PSPs) for controlling pod security. PSPs are enabled by passing the following flag to the K3s server: --kube-apiserver-arg=\"enable-admission-plugins=NodeRestriction,PodSecurityPolicy\" This will have the effect of maintaining the NodeRestriction plugin as well as enabling the PodSecurityPolicy. When PSPs are enabled, a policy can be applied to satisfy the necessary controls described in section 5.2 of the CIS Benchmark. Here is an example of a compliant PSP: apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: restricted-psp spec: privileged: false # CIS - 5.2.1 allowPrivilegeEscalation: false # CIS - 5.2.5 requiredDropCapabilities: # CIS - 5.2.7/8/9 - ALL volumes: - 'configMap' - 'emptyDir' - 'projected' - 'secret' - 'downwardAPI' - 'csi' - 'persistentVolumeClaim' - 'ephemeral' hostNetwork: false # CIS - 5.2.4 hostIPC: false # CIS - 5.2.3 hostPID: false # CIS - 5.2.2 runAsUser: rule: 'MustRunAsNonRoot' # CIS - 5.2.6 seLinux: rule: 'RunAsAny' supplementalGroups: rule: 'MustRunAs' ranges: - min: 1 max: 65535 fsGroup: rule: 'MustRunAs' ranges: - min: 1 max: 65535 readOnlyRootFilesystem: false For the above PSP to be effective, we need to create a ClusterRole and a ClusterRoleBinding. We also need to include a \"system unrestricted policy\" which is needed for system-level pods that require additional privileges, and an additional policy that allows sysctls necessary for servicelb to function properly. Combining the configuration above with the Network Policy described in the next section, a single file can be placed in the /var/lib/rancher/k3s/server/manifests directory. Here is an example of a policy.yaml file: apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: restricted-psp spec: privileged: false allowPrivilegeEscalation: false requiredDropCapabilities: - ALL volumes: - 'configMap' - 'emptyDir' - 'projected' - 'secret' - 'downwardAPI' - 'csi' - 'persistentVolumeClaim' - 'ephemeral' hostNetwork: false hostIPC: false hostPID: false runAsUser: rule: 'MustRunAsNonRoot' seLinux: rule: 'RunAsAny' supplementalGroups: rule: 'MustRunAs' ranges: - min: 1 max: 65535 fsGroup: rule: 'MustRunAs' ranges: - min: 1 max: 65535 readOnlyRootFilesystem: false --- apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: system-unrestricted-psp annotations: seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' spec: allowPrivilegeEscalation: true allowedCapabilities: - '*' fsGroup: rule: RunAsAny hostIPC: true hostNetwork: true hostPID: true hostPorts: - max: 65535 min: 0 privileged: true runAsUser: rule: RunAsAny seLinux: rule: RunAsAny supplementalGroups: rule: RunAsAny volumes: - '*' --- apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: svclb-psp annotations: seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' spec: allowPrivilegeEscalation: false allowedCapabilities: - NET_ADMIN allowedUnsafeSysctls: - net.ipv4.ip_forward - net.ipv6.conf.all.forwarding fsGroup: rule: RunAsAny hostPorts: - max: 65535 min: 0 runAsUser: rule: RunAsAny seLinux: rule: RunAsAny supplementalGroups: rule: RunAsAny --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: psp:restricted-psp rules: - apiGroups: - policy resources: - podsecuritypolicies verbs: - use resourceNames: - restricted-psp --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: psp:system-unrestricted-psp rules: - apiGroups: - policy resources: - podsecuritypolicies resourceNames: - system-unrestricted-psp verbs: - use --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: psp:svclb-psp rules: - apiGroups: - policy resources: - podsecuritypolicies resourceNames: - svclb-psp verbs: - use --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: default:restricted-psp roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: psp:restricted-psp subjects: - kind: Group name: system:authenticated apiGroup: rbac.authorization.k8s.io --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: system-unrestricted-node-psp-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: psp:system-unrestricted-psp subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:nodes --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: system-unrestricted-svc-acct-psp-rolebinding namespace: kube-system roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: psp:system-unrestricted-psp subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:serviceaccounts --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: svclb-psp-rolebinding namespace: kube-system roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: psp:svclb-psp subjects: - kind: ServiceAccount name: svclb --- kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata: name: intra-namespace namespace: kube-system spec: podSelector: {} ingress: - from: - namespaceSelector: matchLabels: name: kube-system --- kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata: name: intra-namespace namespace: default spec: podSelector: {} ingress: - from: - namespaceSelector: matchLabels: name: default --- kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata: name: intra-namespace namespace: kube-public spec: podSelector: {} ingress: - from: - namespaceSelector: matchLabels: name: kube-public Note: The Kubernetes critical additions such as CNI, DNS, and Ingress are run as pods in the kube-system namespace. Therefore, this namespace will have a policy that is less restrictive so that these components can run properly.","s":"Pod Security","u":"/kr/security/hardening-guide","h":"#pod-security","p":3013},{"i":3024,"t":"CIS requires that all namespaces have a network policy applied that reasonably limits traffic into namespaces and pods. Network policies should be placed the /var/lib/rancher/k3s/server/manifests directory, where they will automatically be deployed on startup. Here is an example of a compliant network policy. kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata: name: intra-namespace namespace: kube-system spec: podSelector: {} ingress: - from: - namespaceSelector: matchLabels: name: kube-system With the applied restrictions, DNS will be blocked unless purposely allowed. Below is a network policy that will allow for traffic to exist for DNS. apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-network-dns-policy namespace: spec: ingress: - ports: - port: 53 protocol: TCP - port: 53 protocol: UDP podSelector: matchLabels: k8s-app: kube-dns policyTypes: - Ingress The metrics-server and Traefik ingress controller will be blocked by default if network policies are not created to allow access. Traefik v1 as packaged in K3s version 1.20 and below uses different labels than Traefik v2. Ensure that you only use the sample yaml below that is associated with the version of Traefik present on your cluster. v1.21 and Newer v1.20 and Older apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-all-metrics-server namespace: kube-system spec: podSelector: matchLabels: k8s-app: metrics-server ingress: - {} policyTypes: - Ingress --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-all-svclbtraefik-ingress namespace: kube-system spec: podSelector: matchLabels: svccontroller.k3s.cattle.io/svcname: traefik ingress: - {} policyTypes: - Ingress --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-all-traefik-v121-ingress namespace: kube-system spec: podSelector: matchLabels: app.kubernetes.io/name: traefik ingress: - {} policyTypes: - Ingress --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-all-metrics-server namespace: kube-system spec: podSelector: matchLabels: k8s-app: metrics-server ingress: - {} policyTypes: - Ingress --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-all-svclbtraefik-ingress namespace: kube-system spec: podSelector: matchLabels: svccontroller.k3s.cattle.io/svcname: traefik ingress: - {} policyTypes: - Ingress --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-all-traefik-v120-ingress namespace: kube-system spec: podSelector: matchLabels: app: traefik ingress: - {} policyTypes: - Ingress --- 정보 Operators must manage network policies as normal for additional namespaces that are created.","s":"NetworkPolicies","u":"/kr/security/hardening-guide","h":"#networkpolicies","p":3013},{"i":3026,"t":"CIS requirements 1.2.22 to 1.2.25 are related to configuring audit logs for the API Server. K3s doesn't create by default the log directory and audit policy, as auditing requirements are specific to each user's policies and environment. The log directory, ideally, must be created before starting K3s. A restrictive access permission is recommended to avoid leaking potential sensitive information. sudo mkdir -p -m 700 /var/lib/rancher/k3s/server/logs A starter audit policy to log request metadata is provided below. The policy should be written to a file named audit.yaml in /var/lib/rancher/k3s/server directory. Detailed information about policy configuration for the API server can be found in the Kubernetes documentation. apiVersion: audit.k8s.io/v1 kind: Policy rules: - level: Metadata Both configurations must be passed as arguments to the API Server as: --kube-apiserver-arg='audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log' --kube-apiserver-arg='audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml' If the configurations are created after K3s is installed, they must be added to K3s' systemd service in /etc/systemd/system/k3s.service. ExecStart=/usr/local/bin/k3s \\ server \\ '--kube-apiserver-arg=audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log' \\ '--kube-apiserver-arg=audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml' \\ K3s must be restarted to load the new configuration. sudo systemctl daemon-reload sudo systemctl restart k3s.service","s":"API Server audit configuration","u":"/kr/security/hardening-guide","h":"#api-server-audit-configuration","p":3013},{"i":3028,"t":"The configuration below should be placed in the configuration file, and contains all the necessary remediations to harden the Kubernetes components. v1.25 and Newer v1.24 and Older protect-kernel-defaults: true secrets-encryption: true kube-apiserver-arg: - 'admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml' - 'audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log' - 'audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml' - 'audit-log-maxage=30' - 'audit-log-maxbackup=10' - 'audit-log-maxsize=100' kube-controller-manager-arg: - 'terminated-pod-gc-threshold=10' - 'use-service-account-credentials=true' kubelet-arg: - 'streaming-connection-idle-timeout=5m' - 'make-iptables-util-chains=true' protect-kernel-defaults: true secrets-encryption: true kube-apiserver-arg: - 'enable-admission-plugins=NodeRestriction,PodSecurityPolicy,NamespaceLifecycle,ServiceAccount' - 'audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log' - 'audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml' - 'audit-log-maxage=30' - 'audit-log-maxbackup=10' - 'audit-log-maxsize=100' kube-controller-manager-arg: - 'terminated-pod-gc-threshold=10' - 'use-service-account-credentials=true' kubelet-arg: - 'streaming-connection-idle-timeout=5m' - 'make-iptables-util-chains=true'","s":"Configuration for Kubernetes Components","u":"/kr/security/hardening-guide","h":"#configuration-for-kubernetes-components","p":3013},{"i":3030,"t":"Listed below are the K3s control plane components and the arguments they are given at start, by default. Commented to their right is the CIS 1.6 control that they satisfy. kube-apiserver --advertise-port=6443 --allow-privileged=true --anonymous-auth=false # 1.2.1 --api-audiences=unknown --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt # 1.2.31 --enable-admission-plugins=NodeRestriction,PodSecurityPolicy # 1.2.17 --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt # 1.2.32 --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt # 1.2.29 --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key # 1.2.29 --etcd-servers=https://127.0.0.1:2379 --insecure-port=0 # 1.2.19 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --profiling=false # 1.2.21 --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 # 1.2.20 --service-account-issuer=k3s --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key # 1.2.28 --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt # 1.2.30 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key # 1.2.30 --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 kube-controller-manager --address=127.0.0.1 --allocate-node-cidrs=true --bind-address=127.0.0.1 # 1.3.7 --cluster-cidr=10.42.0.0/16 --cluster-signing-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --port=10252 --profiling=false # 1.3.2 --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt # 1.3.5 --secure-port=0 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.key # 1.3.4 --use-service-account-credentials=true # 1.3.3 kube-scheduler --address=127.0.0.1 --bind-address=127.0.0.1 # 1.4.2 --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --port=10251 --profiling=false # 1.4.1 --secure-port=0 kubelet --address=0.0.0.0 --anonymous-auth=false # 4.2.1 --authentication-token-webhook=true --authorization-mode=Webhook # 4.2.2 --cgroup-driver=cgroupfs --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt # 4.2.3 --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --cni-bin-dir=/var/lib/rancher/k3s/data/223e6420f8db0d8828a8f5ed3c44489bb8eb47aa71485404f8af8c462a29bea3/bin --cni-conf-dir=/var/lib/rancher/k3s/agent/etc/cni/net.d --container-runtime-endpoint=/run/k3s/containerd/containerd.sock --container-runtime=remote --containerd=/run/k3s/containerd/containerd.sock --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=hostname01 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --kubelet-cgroups=/systemd/system.slice --node-labels= --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true # 4.2.6 --read-only-port=0 # 4.2.4 --resolv-conf=/run/systemd/resolve/resolv.conf --runtime-cgroups=/systemd/system.slice --serialize-image-pulls=false --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt # 4.2.10 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key # 4.2.10 Additional information about CIS requirements 1.2.22 to 1.2.25 is presented below.","s":"Control Plane Execution and Arguments","u":"/kr/security/hardening-guide","h":"#control-plane-execution-and-arguments","p":3013},{"i":3032,"t":"The following are controls that K3s currently does not pass by default. Each gap will be explained, along with a note clarifying whether it can be passed through manual operator intervention, or if it will be addressed in a future release of K3s.","s":"Known Issues","u":"/kr/security/hardening-guide","h":"#known-issues","p":3013},{"i":3034,"t":"Ensure that the admission control plugin NamespaceLifecycle is set. Details Rationale Setting admission control policy to NamespaceLifecycle ensures that objects cannot be created in non-existent namespaces, and that namespaces undergoing termination are not used for creating the new objects. This is recommended to enforce the integrity of the namespace termination process and also for the availability of the newer objects. This can be remediated by passing this argument as a value to the enable-admission-plugins= and pass that to --kube-apiserver-arg= argument to k3s server. An example can be found below.","s":"Control 1.2.15","u":"/kr/security/hardening-guide","h":"#control-1215","p":3013},{"i":3036,"t":"Ensure that the admission control plugin PodSecurityPolicy is set. Details Rationale A Pod Security Policy is a cluster-level resource that controls the actions that a pod can perform and what it has the ability to access. The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system. Pod Security Policies are comprised of settings and strategies that control the security features a pod has access to and hence this must be used to control pod access permissions. This can be remediated by passing this argument as a value to the enable-admission-plugins= and pass that to --kube-apiserver-arg= argument to k3s server. An example can be found below.","s":"Control 1.2.16","u":"/kr/security/hardening-guide","h":"#control-1216","p":3013},{"i":3038,"t":"Ensure that the --audit-log-path argument is set. Details Rationale Auditing the Kubernetes API Server provides a security-relevant chronological set of records documenting the sequence of activities that have affected system by individual users, administrators or other components of the system. Even though currently, Kubernetes provides only basic audit capabilities, it should be enabled. You can enable it by setting an appropriate audit log path. This can be remediated by passing this argument as a value to the --kube-apiserver-arg= argument to k3s server. An example can be found below.","s":"Control 1.2.22","u":"/kr/security/hardening-guide","h":"#control-1222","p":3013},{"i":3040,"t":"Ensure that the --audit-log-maxage argument is set to 30 or as appropriate. Details Rationale Retaining logs for at least 30 days ensures that you can go back in time and investigate or correlate any events. Set your audit log retention period to 30 days or as per your business requirements. This can be remediated by passing this argument as a value to the --kube-apiserver-arg= argument to k3s server. An example can be found below.","s":"Control 1.2.23","u":"/kr/security/hardening-guide","h":"#control-1223","p":3013},{"i":3042,"t":"Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate. Details Rationale Kubernetes automatically rotates the log files. Retaining old log files ensures that you would have sufficient log data available for carrying out any investigation or correlation. For example, if you have set file size of 100 MB and the number of old log files to keep as 10, you would approximate have 1 GB of log data that you could potentially use for your analysis. This can be remediated by passing this argument as a value to the --kube-apiserver-arg= argument to k3s server. An example can be found below.","s":"Control 1.2.24","u":"/kr/security/hardening-guide","h":"#control-1224","p":3013},{"i":3044,"t":"Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate. Details Rationale Kubernetes automatically rotates the log files. Retaining old log files ensures that you would have sufficient log data available for carrying out any investigation or correlation. If you have set file size of 100 MB and the number of old log files to keep as 10, you would approximate have 1 GB of log data that you could potentially use for your analysis. This can be remediated by passing this argument as a value to the --kube-apiserver-arg= argument to k3s server. An example can be found below.","s":"Control 1.2.25","u":"/kr/security/hardening-guide","h":"#control-1225","p":3013},{"i":3046,"t":"Ensure that the --request-timeout argument is set as appropriate. Details Rationale Setting global request timeout allows extending the API server request timeout limit to a duration appropriate to the user's connection speed. By default, it is set to 60 seconds which might be problematic on slower connections making cluster resources inaccessible once the data volume for requests exceeds what can be transmitted in 60 seconds. But, setting this timeout limit to be too large can exhaust the API server resources making it prone to Denial-of-Service attack. Hence, it is recommended to set this limit as appropriate and change the default limit of 60 seconds only if needed. This can be remediated by passing this argument as a value to the --kube-apiserver-arg= argument to k3s server. An example can be found below.","s":"Control 1.2.26","u":"/kr/security/hardening-guide","h":"#control-1226","p":3013},{"i":3048,"t":"Ensure that the --service-account-lookup argument is set to true. Details Rationale If --service-account-lookup is not enabled, the apiserver only verifies that the authentication token is valid, and does not validate that the service account token mentioned in the request is actually present in etcd. This allows using a service account token even after the corresponding service account is deleted. This is an example of time of check to time of use security issue. This can be remediated by passing this argument as a value to the --kube-apiserver-arg= argument to k3s server. An example can be found below.","s":"Control 1.2.27","u":"/kr/security/hardening-guide","h":"#control-1227","p":3013},{"i":3050,"t":"Ensure that the --encryption-provider-config argument is set as appropriate. Details Rationale etcd is a highly available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted at rest to avoid any disclosures. Detailed steps on how to configure secrets encryption in K3s are available in Secrets Encryption.","s":"Control 1.2.33","u":"/kr/security/hardening-guide","h":"#control-1233","p":3013},{"i":3052,"t":"Ensure that encryption providers are appropriately configured. Details Rationale Where etcd encryption is used, it is important to ensure that the appropriate set of encryption providers is used. Currently, the aescbc, kms and secretbox are likely to be appropriate options. This can be remediated by passing a valid configuration to k3s as outlined above. Detailed steps on how to configure secrets encryption in K3s are available in Secrets Encryption.","s":"Control 1.2.34","u":"/kr/security/hardening-guide","h":"#control-1234","p":3013},{"i":3054,"t":"Ensure that the --terminated-pod-gc-threshold argument is set as appropriate. Details Rationale Garbage collection is important to ensure sufficient resource availability and avoiding degraded performance and availability. In the worst case, the system might crash or just be unusable for a long period of time. The current setting for garbage collection is 12,500 terminated pods which might be too high for your system to sustain. Based on your system resources and tests, choose an appropriate threshold value to activate garbage collection. This can be remediated by passing this argument as a value to the --kube-apiserver-arg= argument to k3s server. An example can be found below.","s":"Control 1.3.1","u":"/kr/security/hardening-guide","h":"#control-131","p":3013},{"i":3056,"t":"Ensure that a minimal audit policy is created. Details Rationale Logging is an important detective control for all systems, to detect potential unauthorized access. This can be remediated by passing controls 1.2.22 - 1.2.25 and verifying their efficacy.","s":"Control 3.2.1","u":"/kr/security/hardening-guide","h":"#control-321","p":3013},{"i":3058,"t":"Ensure that the --make-iptables-util-chains argument is set to true. Details Rationale Kubelets can automatically manage the required changes to iptables based on how you choose your networking options for the pods. It is recommended to let kubelets manage the changes to iptables. This ensures that the iptables configuration remains in sync with pods networking configuration. Manually configuring iptables with dynamic pod network configuration changes might hamper the communication between pods/containers and to the outside world. You might have iptables rules too restrictive or too open. This can be remediated by passing this argument as a value to the --kube-apiserver-arg= argument to k3s server. An example can be found below.","s":"Control 4.2.7","u":"/kr/security/hardening-guide","h":"#control-427","p":3013},{"i":3060,"t":"Ensure that default service accounts are not actively used Details Rationale Kubernetes provides a default service account which is used by cluster workloads where no specific service account is assigned to the pod. Where access to the Kubernetes API from a pod is required, a specific service account should be created for that pod, and rights granted to that service account. The default service account should be configured such that it does not provide a service account token and does not have any explicit rights assignments. This can be remediated by updating the automountServiceAccountToken field to false for the default service account in each namespace. For default service accounts in the built-in namespaces (kube-system, kube-public, kube-node-lease, and default), K3s does not automatically do this. You can manually update this field on these service accounts to pass the control.","s":"Control 5.1.5","u":"/kr/security/hardening-guide","h":"#control-515","p":3013},{"i":3062,"t":"If you have followed this guide, your K3s cluster will be configured to comply with the CIS Kubernetes Benchmark. You can review the CIS Benchmark Self-Assessment Guide to understand the expectations of each of the benchmark's checks and how you can do the same on your cluster.","s":"Conclusion","u":"/kr/security/hardening-guide","h":"#conclusion","p":3013},{"i":3065,"t":"Overview​ This document is a companion to the K3s security hardening guide. The hardening guide provides prescriptive guidance for hardening a production installation of K3s, and this benchmark guide is meant to help you evaluate the level of security of the hardened cluster against each control in the CIS Kubernetes Benchmark. It is to be used by K3s operators, security teams, auditors, and decision-makers. This guide is specific to the v1.22, v1.23 and v1.24 release line of K3s and the v1.23 release of the CIS Kubernetes Benchmark. For more information about each control, including detailed descriptions and remediations for failing tests, you can refer to the corresponding section of the CIS Kubernetes Benchmark v1.6. You can download the benchmark, after creating a free account, in Center for Internet Security (CIS). Testing controls methodology​ Each control in the CIS Kubernetes Benchmark was evaluated against a K3s cluster that was configured according to the accompanying hardening guide. Where control audits differ from the original CIS benchmark, the audit commands specific to K3s are provided for testing. These are the possible results for each control: Pass - The K3s cluster under test passed the audit outlined in the benchmark. Not Applicable - The control is not applicable to K3s because of how it is designed to operate. The remediation section will explain why this is so. Warn - The control is manual in the CIS benchmark and it depends on the cluster's use case or some other factor that must be determined by the cluster operator. These controls have been evaluated to ensure K3s does not prevent their implementation, but no further configuration or auditing of the cluster under test has been performed. This guide makes the assumption that K3s is running as a Systemd unit. Your installation may vary and will require you to adjust the \"audit\" commands to fit your scenario. NOTE: Only automated tests (previously called scored) are covered in this guide.","s":"CIS Kubernetes Benchmark v1.23 - K3s with Kubernetes v1.22 to v1.24","u":"/kr/security/self-assessment-1.23","h":"#cis-kubernetes-benchmark-v123---k3s-with-kubernetes-v122-to-v124","p":3063},{"i":3069,"t":"Result: Not Applicable Remediation: Run the below command (based on the file location on your system) on the control plane node. For example, chmod 644 /etc/kubernetes/manifests/kube-apiserver.yaml","s":"1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)","u":"/kr/security/self-assessment-1.23","h":"#111-ensure-that-the-api-server-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated","p":3063},{"i":3071,"t":"Result: Not Applicable Remediation: Run the below command (based on the file location on your system) on the control plane node. For example, chown root:root /etc/kubernetes/manifests/kube-apiserver.yaml","s":"1.1.2 Ensure that the API server pod specification file ownership is set to root:root (Automated)","u":"/kr/security/self-assessment-1.23","h":"#112-ensure-that-the-api-server-pod-specification-file-ownership-is-set-to-root-automated","p":3063},{"i":3073,"t":"Result: Not Applicable Remediation: Run the below command (based on the file location on your system) on the control plane node. For example, chmod 644 /etc/kubernetes/manifests/kube-controller-manager.yaml","s":"1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Automated)","u":"/kr/security/self-assessment-1.23","h":"#113-ensure-that-the-controller-manager-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated","p":3063},{"i":3075,"t":"Result: Not Applicable Remediation: Run the below command (based on the file location on your system) on the control plane node. For example, chown root:root /etc/kubernetes/manifests/kube-controller-manager.yaml","s":"1.1.4 Ensure that the controller manager pod specification file ownership is set to root:root (Automated)","u":"/kr/security/self-assessment-1.23","h":"#114-ensure-that-the-controller-manager-pod-specification-file-ownership-is-set-to-root-automated","p":3063},{"i":3077,"t":"Result: Not Applicable Remediation: Run the below command (based on the file location on your system) on the control plane node. For example, chmod 644 /etc/kubernetes/manifests/kube-scheduler.yaml","s":"1.1.5 Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Automated)","u":"/kr/security/self-assessment-1.23","h":"#115-ensure-that-the-scheduler-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated","p":3063},{"i":3079,"t":"Result: Not Applicable Remediation: Run the below command (based on the file location on your system) on the control plane node. For example, chown root:root /etc/kubernetes/manifests/kube-scheduler.yaml","s":"1.1.6 Ensure that the scheduler pod specification file ownership is set to root:root (Automated)","u":"/kr/security/self-assessment-1.23","h":"#116-ensure-that-the-scheduler-pod-specification-file-ownership-is-set-to-root-automated","p":3063},{"i":3081,"t":"Result: Not Applicable Remediation: Run the below command (based on the file location on your system) on the control plane node. For example, chmod 644 /etc/kubernetes/manifests/etcd.yaml","s":"1.1.7 Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated)","u":"/kr/security/self-assessment-1.23","h":"#117-ensure-that-the-etcd-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated","p":3063},{"i":3083,"t":"Result: Not Applicable Remediation: Run the below command (based on the file location on your system) on the control plane node. For example, chown root:root /etc/kubernetes/manifests/etcd.yaml","s":"1.1.8 Ensure that the etcd pod specification file ownership is set to root:root (Automated)","u":"/kr/security/self-assessment-1.23","h":"#118-ensure-that-the-etcd-pod-specification-file-ownership-is-set-to-root-automated","p":3063},{"i":3085,"t":"Result: Not Applicable Remediation: Run the below command (based on the file location on your system) on the control plane node. For example, chmod 644 ","s":"1.1.9 Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual)","u":"/kr/security/self-assessment-1.23","h":"#119-ensure-that-the-container-network-interface-file-permissions-are-set-to-644-or-more-restrictive-manual","p":3063},{"i":3087,"t":"Result: Not Applicable Remediation: Run the below command (based on the file location on your system) on the control plane node. For example, chown root:root ","s":"1.1.10 Ensure that the Container Network Interface file ownership is set to root:root (Manual)","u":"/kr/security/self-assessment-1.23","h":"#1110-ensure-that-the-container-network-interface-file-ownership-is-set-to-root-manual","p":3063},{"i":3089,"t":"Result: pass Remediation: On the etcd server node, get the etcd data directory, passed as an argument --data-dir, from the command 'ps -ef | grep etcd'. Run the below command (based on the etcd data directory found above). For example, chmod 700 /var/lib/etcd Audit Script: check_for_k3s_etcd.sh #!/bin/bash # This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3) # before it checks the requirement set -eE handle_error() { echo \"false\" } trap 'handle_error' ERR if [[ \"$(journalctl -D /var/log/journal -u k3s | grep 'Managed etcd cluster initializing' | grep -v grep | wc -l)\" -gt 0 ]]; then case $1 in \"1.1.11\") echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);; \"1.2.29\") echo $(journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'etcd-');; \"2.1\") echo $(grep -A 5 'client-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep -E 'cert-file|key-file');; \"2.2\") echo $(grep -A 5 'client-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep 'client-cert-auth');; \"2.3\") echo $(grep 'auto-tls' /var/lib/rancher/k3s/server/db/etcd/config);; \"2.4\") echo $(grep -A 5 'peer-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep -E 'cert-file|key-file');; \"2.5\") echo $(grep -A 5 'peer-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep 'client-cert-auth');; \"2.6\") echo $(grep 'peer-auto-tls' /var/lib/rancher/k3s/server/db/etcd/config);; \"2.7\") echo $(grep 'trusted-ca-file' /var/lib/rancher/k3s/server/db/etcd/config);; esac else # If another database is running, return whatever is required to pass the scan case $1 in \"1.1.11\") echo \"700\";; \"1.2.29\") echo \"--etcd-certfile AND --etcd-keyfile\";; \"2.1\") echo \"cert-file AND key-file\";; \"2.2\") echo \"--client-cert-auth=true\";; \"2.3\") echo \"false\";; \"2.4\") echo \"peer-cert-file AND peer-key-file\";; \"2.5\") echo \"--client-cert-auth=true\";; \"2.6\") echo \"--peer-auto-tls=false\";; \"2.7\") echo \"--trusted-ca-file\";; esac fi Audit Execution: ./check_for_k3s_etcd.sh 1.1.11 Expected Result: '700' is equal to '700' Returned Value: 700","s":"1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1111-ensure-that-the-etcd-data-directory-permissions-are-set-to-700-or-more-restrictive-automated","p":3063},{"i":3091,"t":"Result: Not Applicable Remediation: On the etcd server node, get the etcd data directory, passed as an argument --data-dir, from the command 'ps -ef | grep etcd'. Run the below command (based on the etcd data directory found above). For example, chown etcd:etcd /var/lib/etcd","s":"1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1112-ensure-that-the-etcd-data-directory-ownership-is-set-to-etcd-automated","p":3063},{"i":3093,"t":"Result: Not Applicable Remediation: Run the below command (based on the file location on your system) on the control plane node. For example, chmod 600 /var/lib/rancher/k3s/server/cred/admin.kubeconfig","s":"1.1.13 Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1113-ensure-that-the-adminconf-file-permissions-are-set-to-600-or-more-restrictive-automated","p":3063},{"i":3095,"t":"Result: pass Remediation: Run the below command (based on the file location on your system) on the control plane node. For example, chown root:root /etc/kubernetes/admin.conf Audit: /bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/admin.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/server/cred/admin.kubeconfig; fi' Expected Result: 'root:root' is equal to 'root:root' Returned Value: root:root","s":"1.1.14 Ensure that the admin.conf file ownership is set to root:root (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1114-ensure-that-the-adminconf-file-ownership-is-set-to-root-automated","p":3063},{"i":3097,"t":"Result: pass Remediation: Run the below command (based on the file location on your system) on the control plane node. For example, chmod 644 scheduler Audit: /bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; fi' Expected Result: permissions has permissions 644, expected 644 or more restrictive Returned Value: permissions=644","s":"1.1.15 Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1115-ensure-that-the-schedulerconf-file-permissions-are-set-to-644-or-more-restrictive-automated","p":3063},{"i":3099,"t":"Result: pass Remediation: Run the below command (based on the file location on your system) on the control plane node. For example, chown root:root scheduler Audit: /bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; fi' Expected Result: 'root:root' is present Returned Value: root:root","s":"1.1.16 Ensure that the scheduler.conf file ownership is set to root:root (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1116-ensure-that-the-schedulerconf-file-ownership-is-set-to-root-automated","p":3063},{"i":3101,"t":"Result: pass Remediation: Run the below command (based on the file location on your system) on the control plane node. For example, chmod 644 controllermanager Audit: /bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/controller.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/controller.kubeconfig; fi' Expected Result: permissions has permissions 644, expected 644 or more restrictive Returned Value: permissions=644","s":"1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1117-ensure-that-the-controller-managerconf-file-permissions-are-set-to-644-or-more-restrictive-automated","p":3063},{"i":3103,"t":"Result: pass Remediation: Run the below command (based on the file location on your system) on the control plane node. For example, chown root:root controllermanager Audit: stat -c %U:%G /var/lib/rancher/k3s/server/tls Expected Result: 'root:root' is equal to 'root:root' Returned Value: root:root","s":"1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1118-ensure-that-the-controller-managerconf-file-ownership-is-set-to-root-automated","p":3063},{"i":3105,"t":"Result: pass Remediation: Run the below command (based on the file location on your system) on the control plane node. For example, chown -R root:root /etc/kubernetes/pki/ Audit: find /var/lib/rancher/k3s/server/tls | xargs stat -c %U:%G Expected Result: 'root:root' is present Returned Value: root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root","s":"1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1119-ensure-that-the-kubernetes-pki-directory-and-file-ownership-is-set-to-root-automated","p":3063},{"i":3107,"t":"Result: warn Remediation: Run the below command (based on the file location on your system) on the control plane node. For example, chmod -R 644 /etc/kubernetes/pki/*.crt Audit: stat -c %n %a /var/lib/rancher/k3s/server/tls/*.crt","s":"1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Manual)","u":"/kr/security/self-assessment-1.23","h":"#1120-ensure-that-the-kubernetes-pki-certificate-file-permissions-are-set-to-644-or-more-restrictive-manual","p":3063},{"i":3109,"t":"Result: warn Remediation: Run the below command (based on the file location on your system) on the control plane node. For example, chmod -R 600 /etc/kubernetes/pki/*.key Audit: stat -c %n %a /var/lib/rancher/k3s/server/tls/*.key","s":"1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)","u":"/kr/security/self-assessment-1.23","h":"#1121-ensure-that-the-kubernetes-pki-key-file-permissions-are-set-to-600-manual","p":3063},{"i":3112,"t":"Result: warn Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the below parameter. --anonymous-auth=false Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'anonymous-auth'","s":"1.2.1 Ensure that the --anonymous-auth argument is set to false (Manual)","u":"/kr/security/self-assessment-1.23","h":"#121-ensure-that-the---anonymous-auth-argument-is-set-to-false-manual","p":3063},{"i":3114,"t":"Result: pass Remediation: Follow the documentation and configure alternate mechanisms for authentication. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and remove the --token-auth-file= parameter. Audit: /bin/ps -ef | grep containerd | grep -v grep Expected Result: '--token-auth-file' is not present Returned Value: root 1616 1600 6 13:26 ? 00:01:28 containerd -c /var/lib/rancher/k3s/agent/etc/containerd/config.toml -a /run/k3s/containerd/containerd.sock --state /run/k3s/containerd --root /var/lib/rancher/k3s/agent/containerd root 2318 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id b41ec3297be4625c2406ad8b7b4f8b91cddd60850c420050c4c3273f809b3e7e -address /run/k3s/containerd/containerd.sock root 2341 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id e7999a65ae0a4e9969f32317ec48ae4f7071b62f92e5236696737973be77c2e1 -address /run/k3s/containerd/containerd.sock root 3199 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 90c4e63d6ee29d40a48c2fdaf2738c2472cba1139dde8a550466c452184f8528 -address /run/k3s/containerd/containerd.sock root 3923 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id be5f4b9bd1ed9239362b7000b47f353acb8bc8ca52a9c9145cba0e902ec1c4b9 -address /run/k3s/containerd/containerd.sock root 4559 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 04cd40ea6b6078797f177c902c89412c70e523ad2a687a62829bf1d16ff0e19c -address /run/k3s/containerd/containerd.sock root 4647 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 48f37a480315b6adce2d2a5c5d67a85412dd0ba7a2e82816434e0deb9fa75de9 -address /run/k3s/containerd/containerd.sock root 6610 1 0 13:47 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 1cf71c22f568468055e517ab363437c0e54e45274c64024d337cc5bcce66341d -address /run/k3s/containerd/containerd.sock","s":"1.2.2 Ensure that the --token-auth-file parameter is not set (Automated)","u":"/kr/security/self-assessment-1.23","h":"#122-ensure-that-the---token-auth-file-parameter-is-not-set-automated","p":3063},{"i":3116,"t":"Result: pass Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and remove the DenyServiceExternalIPs from enabled admission plugins. Audit: /bin/ps -ef | grep containerd | grep -v grep Expected Result: '--enable-admission-plugins' is present OR '--enable-admission-plugins' is not present Returned Value: root 1616 1600 6 13:26 ? 00:01:28 containerd -c /var/lib/rancher/k3s/agent/etc/containerd/config.toml -a /run/k3s/containerd/containerd.sock --state /run/k3s/containerd --root /var/lib/rancher/k3s/agent/containerd root 2318 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id b41ec3297be4625c2406ad8b7b4f8b91cddd60850c420050c4c3273f809b3e7e -address /run/k3s/containerd/containerd.sock root 2341 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id e7999a65ae0a4e9969f32317ec48ae4f7071b62f92e5236696737973be77c2e1 -address /run/k3s/containerd/containerd.sock root 3199 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 90c4e63d6ee29d40a48c2fdaf2738c2472cba1139dde8a550466c452184f8528 -address /run/k3s/containerd/containerd.sock root 3923 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id be5f4b9bd1ed9239362b7000b47f353acb8bc8ca52a9c9145cba0e902ec1c4b9 -address /run/k3s/containerd/containerd.sock root 4559 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 04cd40ea6b6078797f177c902c89412c70e523ad2a687a62829bf1d16ff0e19c -address /run/k3s/containerd/containerd.sock root 4647 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 48f37a480315b6adce2d2a5c5d67a85412dd0ba7a2e82816434e0deb9fa75de9 -address /run/k3s/containerd/containerd.sock root 6610 1 0 13:47 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 1cf71c22f568468055e517ab363437c0e54e45274c64024d337cc5bcce66341d -address /run/k3s/containerd/containerd.sock","s":"1.2.3 Ensure that the --DenyServiceExternalIPs is not set (Automated)","u":"/kr/security/self-assessment-1.23","h":"#123-ensure-that-the---denyserviceexternalips-is-not-set-automated","p":3063},{"i":3118,"t":"Result: Not Applicable Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and remove the --kubelet-https parameter.","s":"1.2.4 Ensure that the --kubelet-https argument is set to true (Automated)","u":"/kr/security/self-assessment-1.23","h":"#124-ensure-that-the---kubelet-https-argument-is-set-to-true-automated","p":3063},{"i":3120,"t":"Result: pass Remediation: Follow the Kubernetes documentation and set up the TLS connection between the apiserver and kubelets. Then, edit API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the kubelet client certificate and key parameters as below. --kubelet-client-certificate= --kubelet-client-key= Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'kubelet-certificate-authority' Expected Result: '--kubelet-client-certificate' is present AND '--kubelet-client-key' is present Returned Value: Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key\"","s":"1.2.5 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)","u":"/kr/security/self-assessment-1.23","h":"#125-ensure-that-the---kubelet-client-certificate-and---kubelet-client-key-arguments-are-set-as-appropriate-automated","p":3063},{"i":3122,"t":"Result: pass Remediation: Follow the Kubernetes documentation and setup the TLS connection between the apiserver and kubelets. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the --kubelet-certificate-authority parameter to the path to the cert file for the certificate authority --kubelet-certificate-authority=. Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'kubelet-certificate-authority' Expected Result: '--kubelet-certificate-authority' is present Returned Value: Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key\"","s":"1.2.6 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)","u":"/kr/security/self-assessment-1.23","h":"#126-ensure-that-the---kubelet-certificate-authority-argument-is-set-as-appropriate-automated","p":3063},{"i":3124,"t":"Result: pass Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the --authorization-mode parameter to values other than AlwaysAllow. One such example could be as below. --authorization-mode=RBAC Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode' Expected Result: '--authorization-mode' does not have 'AlwaysAllow' Returned Value: Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key\"","s":"1.2.7 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)","u":"/kr/security/self-assessment-1.23","h":"#127-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated","p":3063},{"i":3126,"t":"Result: pass Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the --authorization-mode parameter to a value that includes Node. --authorization-mode=Node,RBAC Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode' Expected Result: '--authorization-mode' has 'Node' Returned Value: Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key\"","s":"1.2.8 Ensure that the --authorization-mode argument includes Node (Automated)","u":"/kr/security/self-assessment-1.23","h":"#128-ensure-that-the---authorization-mode-argument-includes-node-automated","p":3063},{"i":3128,"t":"Result: pass Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the --authorization-mode parameter to a value that includes RBAC, for example --authorization-mode=Node,RBAC. Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode' Expected Result: '--authorization-mode' has 'RBAC' Returned Value: Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key\"","s":"1.2.9 Ensure that the --authorization-mode argument includes RBAC (Automated)","u":"/kr/security/self-assessment-1.23","h":"#129-ensure-that-the---authorization-mode-argument-includes-rbac-automated","p":3063},{"i":3130,"t":"Result: warn Remediation: Follow the Kubernetes documentation and set the desired limits in a configuration file. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml and set the below parameters. --enable-admission-plugins=...,EventRateLimit,... --admission-control-config-file= Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins' Expected Result: '--enable-admission-plugins' has 'EventRateLimit' Returned Value: Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key\"","s":"1.2.10 Ensure that the admission control plugin EventRateLimit is set (Manual)","u":"/kr/security/self-assessment-1.23","h":"#1210-ensure-that-the-admission-control-plugin-eventratelimit-is-set-manual","p":3063},{"i":3132,"t":"Result: pass Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and either remove the --enable-admission-plugins parameter, or set it to a value that does not include AlwaysAdmit. Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins' Expected Result: '--enable-admission-plugins' does not have 'AlwaysAdmit' OR '--enable-admission-plugins' is not present Returned Value: Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key\"","s":"1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1211-ensure-that-the-admission-control-plugin-alwaysadmit-is-not-set-automated","p":3063},{"i":3134,"t":"Result: warn Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the --enable-admission-plugins parameter to include AlwaysPullImages. --enable-admission-plugins=...,AlwaysPullImages,... Audit: /bin/ps -ef | grep containerd | grep -v grep Expected Result: '--enable-admission-plugins' is present Returned Value: root 1616 1600 6 13:26 ? 00:01:28 containerd -c /var/lib/rancher/k3s/agent/etc/containerd/config.toml -a /run/k3s/containerd/containerd.sock --state /run/k3s/containerd --root /var/lib/rancher/k3s/agent/containerd root 2318 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id b41ec3297be4625c2406ad8b7b4f8b91cddd60850c420050c4c3273f809b3e7e -address /run/k3s/containerd/containerd.sock root 2341 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id e7999a65ae0a4e9969f32317ec48ae4f7071b62f92e5236696737973be77c2e1 -address /run/k3s/containerd/containerd.sock root 3199 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 90c4e63d6ee29d40a48c2fdaf2738c2472cba1139dde8a550466c452184f8528 -address /run/k3s/containerd/containerd.sock root 3923 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id be5f4b9bd1ed9239362b7000b47f353acb8bc8ca52a9c9145cba0e902ec1c4b9 -address /run/k3s/containerd/containerd.sock root 4559 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 04cd40ea6b6078797f177c902c89412c70e523ad2a687a62829bf1d16ff0e19c -address /run/k3s/containerd/containerd.sock root 4647 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 48f37a480315b6adce2d2a5c5d67a85412dd0ba7a2e82816434e0deb9fa75de9 -address /run/k3s/containerd/containerd.sock root 6610 1 0 13:47 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 1cf71c22f568468055e517ab363437c0e54e45274c64024d337cc5bcce66341d -address /run/k3s/containerd/containerd.sock","s":"1.2.12 Ensure that the admission control plugin AlwaysPullImages is set (Manual)","u":"/kr/security/self-assessment-1.23","h":"#1212-ensure-that-the-admission-control-plugin-alwayspullimages-is-set-manual","p":3063},{"i":3136,"t":"Result: warn Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the --enable-admission-plugins parameter to include SecurityContextDeny, unless PodSecurityPolicy is already in place. --enable-admission-plugins=...,SecurityContextDeny,... Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins' Expected Result: '--enable-admission-plugins' has 'SecurityContextDeny' OR '--enable-admission-plugins' has 'PodSecurityPolicy' Returned Value: Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key\"","s":"1.2.13 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)","u":"/kr/security/self-assessment-1.23","h":"#1213-ensure-that-the-admission-control-plugin-securitycontextdeny-is-set-if-podsecuritypolicy-is-not-used-manual","p":3063},{"i":3138,"t":"Result: pass Remediation: Follow the documentation and create ServiceAccount objects as per your environment. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and ensure that the --disable-admission-plugins parameter is set to a value that does not include ServiceAccount. Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep Expected Result: '--disable-admission-plugins' is present OR '--disable-admission-plugins' is not present Returned Value: Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key\"","s":"1.2.14 Ensure that the admission control plugin ServiceAccount is set (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1214-ensure-that-the-admission-control-plugin-serviceaccount-is-set-automated","p":3063},{"i":3140,"t":"Result: pass Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the --disable-admission-plugins parameter to ensure it does not include NamespaceLifecycle. Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep Expected Result: '--disable-admission-plugins' is present OR '--disable-admission-plugins' is not present Returned Value: Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key\"","s":"1.2.15 Ensure that the admission control plugin NamespaceLifecycle is set (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1215-ensure-that-the-admission-control-plugin-namespacelifecycle-is-set-automated","p":3063},{"i":3142,"t":"Result: pass Remediation: Follow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the --enable-admission-plugins parameter to a value that includes NodeRestriction. --enable-admission-plugins=...,NodeRestriction,... Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins' Expected Result: '--enable-admission-plugins' has 'NodeRestriction' Returned Value: Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key\"","s":"1.2.16 Ensure that the admission control plugin NodeRestriction is set (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1216-ensure-that-the-admission-control-plugin-noderestriction-is-set-automated","p":3063},{"i":3144,"t":"Result: pass Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and either remove the --secure-port parameter or set it to a different (non-zero) desired port. Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'secure-port' Expected Result: '--secure-port' is greater than 0 OR '--secure-port' is not present Returned Value: Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key\"","s":"1.2.17 Ensure that the --secure-port argument is not set to 0 (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1217-ensure-that-the---secure-port-argument-is-not-set-to-0-automated","p":3063},{"i":3146,"t":"Result: pass Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the below parameter. --profiling=false Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'profiling' Expected Result: '--profiling' is equal to 'false' Returned Value: Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key\"","s":"1.2.18 Ensure that the --profiling argument is set to false (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1218-ensure-that-the---profiling-argument-is-set-to-false-automated","p":3063},{"i":3148,"t":"Result: Not Applicable Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the --audit-log-path parameter to a suitable path and file where you would like audit logs to be written, for example, --audit-log-path=/var/log/apiserver/audit.log","s":"1.2.19 Ensure that the --audit-log-path argument is set (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1219-ensure-that-the---audit-log-path-argument-is-set-automated","p":3063},{"i":3150,"t":"Result: Not Applicable Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the --audit-log-maxage parameter to 30 or as an appropriate number of days, for example, --audit-log-maxage=30","s":"1.2.20 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1220-ensure-that-the---audit-log-maxage-argument-is-set-to-30-or-as-appropriate-automated","p":3063},{"i":3152,"t":"Result: Not Applicable Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the --audit-log-maxbackup parameter to 10 or to an appropriate value. For example, --audit-log-maxbackup=10","s":"1.2.21 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1221-ensure-that-the---audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate-automated","p":3063},{"i":3154,"t":"Result: Not Applicable Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the --audit-log-maxsize parameter to an appropriate size in MB. For example, to set it as 100 MB, --audit-log-maxsize=100","s":"1.2.22 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1222-ensure-that-the---audit-log-maxsize-argument-is-set-to-100-or-as-appropriate-automated","p":3063},{"i":3156,"t":"Result: pass Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the below parameter. --service-account-lookup=true Alternatively, you can delete the --service-account-lookup parameter from this file so that the default takes effect. Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep Expected Result: '--service-account-lookup' is not present OR '--service-account-lookup' is present Returned Value: Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key\"","s":"1.2.24 Ensure that the --service-account-lookup argument is set to true (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1224-ensure-that-the---service-account-lookup-argument-is-set-to-true-automated","p":3063},{"i":3158,"t":"Result: Not Applicable Remediation: The request timeout limits the duration of API requests. The default value of 60 seconds is sufficiently low already. Only change the default value if necessary. When extending this limit, make sure to keep it low enough. A large value can exhaust API server resources and make it prone for Denial-of-Service attacks. Edit the config file /etc/rancher/k3s/config.yaml on the control plane node and remove the --request-timeout parameter or set it to an appropriate value if needed. For example, --request-timeout=300s.","s":"1.2.25 Ensure that the --request-timeout argument is set as appropriate (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1225-ensure-that-the---request-timeout-argument-is-set-as-appropriate-automated","p":3063},{"i":3160,"t":"Result: pass Remediation: Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the etcd certificate and key file parameters. --etcd-certfile= --etcd-keyfile= Audit Script: check_for_k3s_etcd.sh #!/bin/bash # This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3) # before it checks the requirement set -eE handle_error() { echo \"false\" } trap 'handle_error' ERR if [[ \"$(journalctl -D /var/log/journal -u k3s | grep 'Managed etcd cluster initializing' | grep -v grep | wc -l)\" -gt 0 ]]; then case $1 in \"1.1.11\") echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);; \"1.2.29\") echo $(journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'etcd-');; \"2.1\") echo $(grep -A 5 'client-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep -E 'cert-file|key-file');; \"2.2\") echo $(grep -A 5 'client-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep 'client-cert-auth');; \"2.3\") echo $(grep 'auto-tls' /var/lib/rancher/k3s/server/db/etcd/config);; \"2.4\") echo $(grep -A 5 'peer-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep -E 'cert-file|key-file');; \"2.5\") echo $(grep -A 5 'peer-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep 'client-cert-auth');; \"2.6\") echo $(grep 'peer-auto-tls' /var/lib/rancher/k3s/server/db/etcd/config);; \"2.7\") echo $(grep 'trusted-ca-file' /var/lib/rancher/k3s/server/db/etcd/config);; esac else # If another database is running, return whatever is required to pass the scan case $1 in \"1.1.11\") echo \"700\";; \"1.2.29\") echo \"--etcd-certfile AND --etcd-keyfile\";; \"2.1\") echo \"cert-file AND key-file\";; \"2.2\") echo \"--client-cert-auth=true\";; \"2.3\") echo \"false\";; \"2.4\") echo \"peer-cert-file AND peer-key-file\";; \"2.5\") echo \"--client-cert-auth=true\";; \"2.6\") echo \"--peer-auto-tls=false\";; \"2.7\") echo \"--trusted-ca-file\";; esac fi Audit Execution: ./check_for_k3s_etcd.sh 1.2.29 Expected Result: '--etcd-certfile' is present AND '--etcd-keyfile' is present Returned Value: --etcd-certfile AND --etcd-keyfile","s":"1.2.26 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1226-ensure-that-the---etcd-certfile-and---etcd-keyfile-arguments-are-set-as-appropriate-automated","p":3063},{"i":3162,"t":"Result: pass Remediation: Follow the Kubernetes documentation and set up the TLS connection on the apiserver. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the TLS certificate and private key file parameters. --tls-cert-file= --tls-private-key-file= Audit: journalctl -D /var/log/journal -u k3s | grep -A1 'Running kube-apiserver' | tail -n2 Expected Result: '--tls-cert-file' is present AND '--tls-private-key-file' is present Returned Value: Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key\" Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-scheduler --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259\"","s":"1.2.27 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1227-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated","p":3063},{"i":3164,"t":"Result: pass Remediation: Follow the Kubernetes documentation and set up the TLS connection on the apiserver. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the client certificate authority file. --client-ca-file= Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'client-ca-file' Expected Result: '--client-ca-file' is present Returned Value: Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key\"","s":"1.2.28 Ensure that the --client-ca-file argument is set as appropriate (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1228-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated","p":3063},{"i":3166,"t":"Result: pass Remediation: Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the etcd certificate authority file parameter. --etcd-cafile= Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'etcd-cafile' Expected Result: '--etcd-cafile' is present Returned Value: Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key\"","s":"1.2.29 Ensure that the --etcd-cafile argument is set as appropriate (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1229-ensure-that-the---etcd-cafile-argument-is-set-as-appropriate-automated","p":3063},{"i":3168,"t":"Result: warn Remediation: Follow the Kubernetes documentation and configure a EncryptionConfig file. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the --encryption-provider-config parameter to the path of that file. For example, --encryption-provider-config= Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'encryption-provider-config'","s":"1.2.30 Ensure that the --encryption-provider-config argument is set as appropriate (Manual)","u":"/kr/security/self-assessment-1.23","h":"#1230-ensure-that-the---encryption-provider-config-argument-is-set-as-appropriate-manual","p":3063},{"i":3170,"t":"Result: warn Remediation: Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file, choose aescbc, kms or secretbox as the encryption provider. Audit: grep aescbc /path/to/encryption-config.json","s":"1.2.31 Ensure that encryption providers are appropriately configured (Manual)","u":"/kr/security/self-assessment-1.23","h":"#1231-ensure-that-encryption-providers-are-appropriately-configured-manual","p":3063},{"i":3172,"t":"Result: warn Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the below parameter. --tls-cipher-suites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384 Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'tls-cipher-suites'","s":"1.2.32 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual)","u":"/kr/security/self-assessment-1.23","h":"#1232-ensure-that-the-api-server-only-makes-use-of-strong-cryptographic-ciphers-manual","p":3063},{"i":3175,"t":"Result: warn Remediation: Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml on the control plane node and set the --terminated-pod-gc-threshold to an appropriate threshold, for example, --terminated-pod-gc-threshold=10 Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'terminated-pod-gc-threshold'","s":"1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)","u":"/kr/security/self-assessment-1.23","h":"#131-ensure-that-the---terminated-pod-gc-threshold-argument-is-set-as-appropriate-manual","p":3063},{"i":3177,"t":"Result: pass Remediation: Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml on the control plane node and set the below parameter. --profiling=false Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'profiling' Expected Result: '--profiling' is equal to 'false' Returned Value: Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-controller-manager --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --use-service-account-credentials=true\"","s":"1.3.2 Ensure that the --profiling argument is set to false (Automated)","u":"/kr/security/self-assessment-1.23","h":"#132-ensure-that-the---profiling-argument-is-set-to-false-automated","p":3063},{"i":3179,"t":"Result: pass Remediation: Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml on the control plane node to set the below parameter. --use-service-account-credentials=true Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'use-service-account-credentials' Expected Result: '--use-service-account-credentials' is not equal to 'false' Returned Value: Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-controller-manager --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --use-service-account-credentials=true\"","s":"1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated)","u":"/kr/security/self-assessment-1.23","h":"#133-ensure-that-the---use-service-account-credentials-argument-is-set-to-true-automated","p":3063},{"i":3181,"t":"Result: pass Remediation: Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml on the control plane node and set the --service-account-private-key-file parameter to the private key file for service accounts. For example, --service-account-private-key-file=. Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'service-account-private-key-file' Expected Result: '--service-account-private-key-file' is present Returned Value: Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-controller-manager --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --use-service-account-credentials=true\"","s":"1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)","u":"/kr/security/self-assessment-1.23","h":"#134-ensure-that-the---service-account-private-key-file-argument-is-set-as-appropriate-automated","p":3063},{"i":3183,"t":"Result: pass Remediation: Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml on the control plane node and set the --root-ca-file parameter to the certificate bundle file. --root-ca-file= Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'root-ca-file' Expected Result: '--root-ca-file' is present Returned Value: Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-controller-manager --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --use-service-account-credentials=true\"","s":"1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated)","u":"/kr/security/self-assessment-1.23","h":"#135-ensure-that-the---root-ca-file-argument-is-set-as-appropriate-automated","p":3063},{"i":3185,"t":"Result: Not Applicable Remediation: Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml on the control plane node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true. --feature-gates=RotateKubeletServerCertificate=true","s":"1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)","u":"/kr/security/self-assessment-1.23","h":"#136-ensure-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated","p":3063},{"i":3187,"t":"Result: pass Remediation: Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml on the control plane node and ensure the correct value for the --bind-address parameter Audit: /bin/ps -ef | grep containerd | grep -v grep Expected Result: '--bind-address' is present OR '--bind-address' is not present Returned Value: root 1616 1600 6 13:26 ? 00:01:28 containerd -c /var/lib/rancher/k3s/agent/etc/containerd/config.toml -a /run/k3s/containerd/containerd.sock --state /run/k3s/containerd --root /var/lib/rancher/k3s/agent/containerd root 2318 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id b41ec3297be4625c2406ad8b7b4f8b91cddd60850c420050c4c3273f809b3e7e -address /run/k3s/containerd/containerd.sock root 2341 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id e7999a65ae0a4e9969f32317ec48ae4f7071b62f92e5236696737973be77c2e1 -address /run/k3s/containerd/containerd.sock root 3199 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 90c4e63d6ee29d40a48c2fdaf2738c2472cba1139dde8a550466c452184f8528 -address /run/k3s/containerd/containerd.sock root 3923 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id be5f4b9bd1ed9239362b7000b47f353acb8bc8ca52a9c9145cba0e902ec1c4b9 -address /run/k3s/containerd/containerd.sock root 4559 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 04cd40ea6b6078797f177c902c89412c70e523ad2a687a62829bf1d16ff0e19c -address /run/k3s/containerd/containerd.sock root 4647 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 48f37a480315b6adce2d2a5c5d67a85412dd0ba7a2e82816434e0deb9fa75de9 -address /run/k3s/containerd/containerd.sock root 6610 1 0 13:47 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 1cf71c22f568468055e517ab363437c0e54e45274c64024d337cc5bcce66341d -address /run/k3s/containerd/containerd.sock","s":"1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)","u":"/kr/security/self-assessment-1.23","h":"#137-ensure-that-the---bind-address-argument-is-set-to-127001-automated","p":3063},{"i":3190,"t":"Result: pass Remediation: Edit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml file on the control plane node and set the below parameter. --profiling=false Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-scheduler' | tail -n1 Expected Result: '--profiling' is equal to 'false' Returned Value: Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-scheduler --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259\"","s":"1.4.1 Ensure that the --profiling argument is set to false (Automated)","u":"/kr/security/self-assessment-1.23","h":"#141-ensure-that-the---profiling-argument-is-set-to-false-automated","p":3063},{"i":3192,"t":"Result: pass Remediation: Edit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml on the control plane node and ensure the correct value for the --bind-address parameter Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-scheduler' | tail -n1 | grep 'bind-address' Expected Result: '--bind-address' is equal to '127.0.0.1' OR '--bind-address' is not present Returned Value: Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-scheduler --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259\"","s":"1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)","u":"/kr/security/self-assessment-1.23","h":"#142-ensure-that-the---bind-address-argument-is-set-to-127001-automated","p":3063},{"i":3195,"t":"Result: pass Remediation: Follow the etcd service documentation and configure TLS encryption. Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master node and set the below parameters. --cert-file= --key-file= Audit Script: check_for_k3s_etcd.sh #!/bin/bash # This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3) # before it checks the requirement set -eE handle_error() { echo \"false\" } trap 'handle_error' ERR if [[ \"$(journalctl -D /var/log/journal -u k3s | grep 'Managed etcd cluster initializing' | grep -v grep | wc -l)\" -gt 0 ]]; then case $1 in \"1.1.11\") echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);; \"1.2.29\") echo $(journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'etcd-');; \"2.1\") echo $(grep -A 5 'client-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep -E 'cert-file|key-file');; \"2.2\") echo $(grep -A 5 'client-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep 'client-cert-auth');; \"2.3\") echo $(grep 'auto-tls' /var/lib/rancher/k3s/server/db/etcd/config);; \"2.4\") echo $(grep -A 5 'peer-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep -E 'cert-file|key-file');; \"2.5\") echo $(grep -A 5 'peer-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep 'client-cert-auth');; \"2.6\") echo $(grep 'peer-auto-tls' /var/lib/rancher/k3s/server/db/etcd/config);; \"2.7\") echo $(grep 'trusted-ca-file' /var/lib/rancher/k3s/server/db/etcd/config);; esac else # If another database is running, return whatever is required to pass the scan case $1 in \"1.1.11\") echo \"700\";; \"1.2.29\") echo \"--etcd-certfile AND --etcd-keyfile\";; \"2.1\") echo \"cert-file AND key-file\";; \"2.2\") echo \"--client-cert-auth=true\";; \"2.3\") echo \"false\";; \"2.4\") echo \"peer-cert-file AND peer-key-file\";; \"2.5\") echo \"--client-cert-auth=true\";; \"2.6\") echo \"--peer-auto-tls=false\";; \"2.7\") echo \"--trusted-ca-file\";; esac fi Audit Execution: ./check_for_k3s_etcd.sh 2.1 Expected Result: 'cert-file' is present AND 'key-file' is present Returned Value: cert-file AND key-file cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key cert-file AND key-file","s":"2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)","u":"/kr/security/self-assessment-1.23","h":"#21-ensure-that-the---cert-file-and---key-file-arguments-are-set-as-appropriate-automated","p":3063},{"i":3197,"t":"Result: pass Remediation: Edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master node and set the below parameter. --client-cert-auth=\"true\" Audit Script: check_for_k3s_etcd.sh #!/bin/bash # This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3) # before it checks the requirement set -eE handle_error() { echo \"false\" } trap 'handle_error' ERR if [[ \"$(journalctl -D /var/log/journal -u k3s | grep 'Managed etcd cluster initializing' | grep -v grep | wc -l)\" -gt 0 ]]; then case $1 in \"1.1.11\") echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);; \"1.2.29\") echo $(journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'etcd-');; \"2.1\") echo $(grep -A 5 'client-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep -E 'cert-file|key-file');; \"2.2\") echo $(grep -A 5 'client-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep 'client-cert-auth');; \"2.3\") echo $(grep 'auto-tls' /var/lib/rancher/k3s/server/db/etcd/config);; \"2.4\") echo $(grep -A 5 'peer-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep -E 'cert-file|key-file');; \"2.5\") echo $(grep -A 5 'peer-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep 'client-cert-auth');; \"2.6\") echo $(grep 'peer-auto-tls' /var/lib/rancher/k3s/server/db/etcd/config);; \"2.7\") echo $(grep 'trusted-ca-file' /var/lib/rancher/k3s/server/db/etcd/config);; esac else # If another database is running, return whatever is required to pass the scan case $1 in \"1.1.11\") echo \"700\";; \"1.2.29\") echo \"--etcd-certfile AND --etcd-keyfile\";; \"2.1\") echo \"cert-file AND key-file\";; \"2.2\") echo \"--client-cert-auth=true\";; \"2.3\") echo \"false\";; \"2.4\") echo \"peer-cert-file AND peer-key-file\";; \"2.5\") echo \"--client-cert-auth=true\";; \"2.6\") echo \"--peer-auto-tls=false\";; \"2.7\") echo \"--trusted-ca-file\";; esac fi Audit Execution: ./check_for_k3s_etcd.sh 2.2 Expected Result: '--client-cert-auth' is present OR 'client-cert-auth' is equal to 'true' Returned Value: --client-cert-auth=true client-cert-auth: true --client-cert-auth=true","s":"2.2 Ensure that the --client-cert-auth argument is set to true (Automated)","u":"/kr/security/self-assessment-1.23","h":"#22-ensure-that-the---client-cert-auth-argument-is-set-to-true-automated","p":3063},{"i":3199,"t":"Result: pass Remediation: Edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master node and either remove the --auto-tls parameter or set it to false. --auto-tls=false Audit Script: check_for_k3s_etcd.sh #!/bin/bash # This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3) # before it checks the requirement set -eE handle_error() { echo \"false\" } trap 'handle_error' ERR if [[ \"$(journalctl -D /var/log/journal -u k3s | grep 'Managed etcd cluster initializing' | grep -v grep | wc -l)\" -gt 0 ]]; then case $1 in \"1.1.11\") echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);; \"1.2.29\") echo $(journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'etcd-');; \"2.1\") echo $(grep -A 5 'client-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep -E 'cert-file|key-file');; \"2.2\") echo $(grep -A 5 'client-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep 'client-cert-auth');; \"2.3\") echo $(grep 'auto-tls' /var/lib/rancher/k3s/server/db/etcd/config);; \"2.4\") echo $(grep -A 5 'peer-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep -E 'cert-file|key-file');; \"2.5\") echo $(grep -A 5 'peer-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep 'client-cert-auth');; \"2.6\") echo $(grep 'peer-auto-tls' /var/lib/rancher/k3s/server/db/etcd/config);; \"2.7\") echo $(grep 'trusted-ca-file' /var/lib/rancher/k3s/server/db/etcd/config);; esac else # If another database is running, return whatever is required to pass the scan case $1 in \"1.1.11\") echo \"700\";; \"1.2.29\") echo \"--etcd-certfile AND --etcd-keyfile\";; \"2.1\") echo \"cert-file AND key-file\";; \"2.2\") echo \"--client-cert-auth=true\";; \"2.3\") echo \"false\";; \"2.4\") echo \"peer-cert-file AND peer-key-file\";; \"2.5\") echo \"--client-cert-auth=true\";; \"2.6\") echo \"--peer-auto-tls=false\";; \"2.7\") echo \"--trusted-ca-file\";; esac fi Audit Execution: ./check_for_k3s_etcd.sh 2.3 Expected Result: 'ETCD_AUTO_TLS' is not present OR 'ETCD_AUTO_TLS' is present Returned Value: error: process ID list syntax error Usage: ps [options] Try 'ps --help ' or 'ps --help ' for additional help text. For more details see ps(1). cat: /proc//environ: No such file or directory error: process ID list syntax error Usage: ps [options] Try 'ps --help ' or 'ps --help ' for additional help text. For more details see ps(1). cat: /proc//environ: No such file or directory error: process ID list syntax error Usage: ps [options] Try 'ps --help ' or 'ps --help ' for additional help text. For more details see ps(1). cat: /proc//environ: No such file or directory","s":"2.3 Ensure that the --auto-tls argument is not set to true (Automated)","u":"/kr/security/self-assessment-1.23","h":"#23-ensure-that-the---auto-tls-argument-is-not-set-to-true-automated","p":3063},{"i":3201,"t":"Result: pass Remediation: Follow the etcd service documentation and configure peer TLS encryption as appropriate for your etcd cluster. Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master node and set the below parameters. --peer-client-file= --peer-key-file= Audit Script: check_for_k3s_etcd.sh #!/bin/bash # This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3) # before it checks the requirement set -eE handle_error() { echo \"false\" } trap 'handle_error' ERR if [[ \"$(journalctl -D /var/log/journal -u k3s | grep 'Managed etcd cluster initializing' | grep -v grep | wc -l)\" -gt 0 ]]; then case $1 in \"1.1.11\") echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);; \"1.2.29\") echo $(journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'etcd-');; \"2.1\") echo $(grep -A 5 'client-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep -E 'cert-file|key-file');; \"2.2\") echo $(grep -A 5 'client-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep 'client-cert-auth');; \"2.3\") echo $(grep 'auto-tls' /var/lib/rancher/k3s/server/db/etcd/config);; \"2.4\") echo $(grep -A 5 'peer-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep -E 'cert-file|key-file');; \"2.5\") echo $(grep -A 5 'peer-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep 'client-cert-auth');; \"2.6\") echo $(grep 'peer-auto-tls' /var/lib/rancher/k3s/server/db/etcd/config);; \"2.7\") echo $(grep 'trusted-ca-file' /var/lib/rancher/k3s/server/db/etcd/config);; esac else # If another database is running, return whatever is required to pass the scan case $1 in \"1.1.11\") echo \"700\";; \"1.2.29\") echo \"--etcd-certfile AND --etcd-keyfile\";; \"2.1\") echo \"cert-file AND key-file\";; \"2.2\") echo \"--client-cert-auth=true\";; \"2.3\") echo \"false\";; \"2.4\") echo \"peer-cert-file AND peer-key-file\";; \"2.5\") echo \"--client-cert-auth=true\";; \"2.6\") echo \"--peer-auto-tls=false\";; \"2.7\") echo \"--trusted-ca-file\";; esac fi Audit Execution: ./check_for_k3s_etcd.sh 2.4 Expected Result: 'cert-file' is present AND 'key-file' is present Returned Value: peer-cert-file AND peer-key-file cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key peer-cert-file AND peer-key-file","s":"2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)","u":"/kr/security/self-assessment-1.23","h":"#24-ensure-that-the---peer-cert-file-and---peer-key-file-arguments-are-set-as-appropriate-automated","p":3063},{"i":3203,"t":"Result: pass Remediation: Edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master node and set the below parameter. --peer-client-cert-auth=true Audit Script: check_for_k3s_etcd.sh #!/bin/bash # This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3) # before it checks the requirement set -eE handle_error() { echo \"false\" } trap 'handle_error' ERR if [[ \"$(journalctl -D /var/log/journal -u k3s | grep 'Managed etcd cluster initializing' | grep -v grep | wc -l)\" -gt 0 ]]; then case $1 in \"1.1.11\") echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);; \"1.2.29\") echo $(journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'etcd-');; \"2.1\") echo $(grep -A 5 'client-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep -E 'cert-file|key-file');; \"2.2\") echo $(grep -A 5 'client-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep 'client-cert-auth');; \"2.3\") echo $(grep 'auto-tls' /var/lib/rancher/k3s/server/db/etcd/config);; \"2.4\") echo $(grep -A 5 'peer-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep -E 'cert-file|key-file');; \"2.5\") echo $(grep -A 5 'peer-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep 'client-cert-auth');; \"2.6\") echo $(grep 'peer-auto-tls' /var/lib/rancher/k3s/server/db/etcd/config);; \"2.7\") echo $(grep 'trusted-ca-file' /var/lib/rancher/k3s/server/db/etcd/config);; esac else # If another database is running, return whatever is required to pass the scan case $1 in \"1.1.11\") echo \"700\";; \"1.2.29\") echo \"--etcd-certfile AND --etcd-keyfile\";; \"2.1\") echo \"cert-file AND key-file\";; \"2.2\") echo \"--client-cert-auth=true\";; \"2.3\") echo \"false\";; \"2.4\") echo \"peer-cert-file AND peer-key-file\";; \"2.5\") echo \"--client-cert-auth=true\";; \"2.6\") echo \"--peer-auto-tls=false\";; \"2.7\") echo \"--trusted-ca-file\";; esac fi Audit Execution: ./check_for_k3s_etcd.sh 2.5 Expected Result: '--client-cert-auth' is present OR 'client-cert-auth' is equal to 'true' Returned Value: --client-cert-auth=true client-cert-auth: true --client-cert-auth=true","s":"2.5 Ensure that the --peer-client-cert-auth argument is set to true (Automated)","u":"/kr/security/self-assessment-1.23","h":"#25-ensure-that-the---peer-client-cert-auth-argument-is-set-to-true-automated","p":3063},{"i":3205,"t":"Result: pass Remediation: Edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master node and either remove the --peer-auto-tls parameter or set it to false. --peer-auto-tls=false Audit Script: check_for_k3s_etcd.sh #!/bin/bash # This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3) # before it checks the requirement set -eE handle_error() { echo \"false\" } trap 'handle_error' ERR if [[ \"$(journalctl -D /var/log/journal -u k3s | grep 'Managed etcd cluster initializing' | grep -v grep | wc -l)\" -gt 0 ]]; then case $1 in \"1.1.11\") echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);; \"1.2.29\") echo $(journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'etcd-');; \"2.1\") echo $(grep -A 5 'client-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep -E 'cert-file|key-file');; \"2.2\") echo $(grep -A 5 'client-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep 'client-cert-auth');; \"2.3\") echo $(grep 'auto-tls' /var/lib/rancher/k3s/server/db/etcd/config);; \"2.4\") echo $(grep -A 5 'peer-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep -E 'cert-file|key-file');; \"2.5\") echo $(grep -A 5 'peer-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep 'client-cert-auth');; \"2.6\") echo $(grep 'peer-auto-tls' /var/lib/rancher/k3s/server/db/etcd/config);; \"2.7\") echo $(grep 'trusted-ca-file' /var/lib/rancher/k3s/server/db/etcd/config);; esac else # If another database is running, return whatever is required to pass the scan case $1 in \"1.1.11\") echo \"700\";; \"1.2.29\") echo \"--etcd-certfile AND --etcd-keyfile\";; \"2.1\") echo \"cert-file AND key-file\";; \"2.2\") echo \"--client-cert-auth=true\";; \"2.3\") echo \"false\";; \"2.4\") echo \"peer-cert-file AND peer-key-file\";; \"2.5\") echo \"--client-cert-auth=true\";; \"2.6\") echo \"--peer-auto-tls=false\";; \"2.7\") echo \"--trusted-ca-file\";; esac fi Audit Execution: ./check_for_k3s_etcd.sh 2.6 Expected Result: '--peer-auto-tls' is not present OR '--peer-auto-tls' is equal to 'false' Returned Value: --peer-auto-tls=false error: process ID list syntax error Usage: ps [options] Try 'ps --help ' or 'ps --help ' for additional help text. For more details see ps(1). cat: /proc//environ: No such file or directory --peer-auto-tls=false","s":"2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated)","u":"/kr/security/self-assessment-1.23","h":"#26-ensure-that-the---peer-auto-tls-argument-is-not-set-to-true-automated","p":3063},{"i":3207,"t":"Result: pass Remediation: [Manual test] Follow the etcd documentation and create a dedicated certificate authority setup for the etcd service. Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master node and set the below parameter. --trusted-ca-file= Audit Script: check_for_k3s_etcd.sh #!/bin/bash # This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3) # before it checks the requirement set -eE handle_error() { echo \"false\" } trap 'handle_error' ERR if [[ \"$(journalctl -D /var/log/journal -u k3s | grep 'Managed etcd cluster initializing' | grep -v grep | wc -l)\" -gt 0 ]]; then case $1 in \"1.1.11\") echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);; \"1.2.29\") echo $(journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'etcd-');; \"2.1\") echo $(grep -A 5 'client-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep -E 'cert-file|key-file');; \"2.2\") echo $(grep -A 5 'client-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep 'client-cert-auth');; \"2.3\") echo $(grep 'auto-tls' /var/lib/rancher/k3s/server/db/etcd/config);; \"2.4\") echo $(grep -A 5 'peer-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep -E 'cert-file|key-file');; \"2.5\") echo $(grep -A 5 'peer-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep 'client-cert-auth');; \"2.6\") echo $(grep 'peer-auto-tls' /var/lib/rancher/k3s/server/db/etcd/config);; \"2.7\") echo $(grep 'trusted-ca-file' /var/lib/rancher/k3s/server/db/etcd/config);; esac else # If another database is running, return whatever is required to pass the scan case $1 in \"1.1.11\") echo \"700\";; \"1.2.29\") echo \"--etcd-certfile AND --etcd-keyfile\";; \"2.1\") echo \"cert-file AND key-file\";; \"2.2\") echo \"--client-cert-auth=true\";; \"2.3\") echo \"false\";; \"2.4\") echo \"peer-cert-file AND peer-key-file\";; \"2.5\") echo \"--client-cert-auth=true\";; \"2.6\") echo \"--peer-auto-tls=false\";; \"2.7\") echo \"--trusted-ca-file\";; esac fi Audit Execution: ./check_for_k3s_etcd.sh 2.7 Expected Result: 'trusted-ca-file' is present Returned Value: --trusted-ca-file trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt --trusted-ca-file","s":"2.7 Ensure that a unique Certificate Authority is used for etcd (Manual)","u":"/kr/security/self-assessment-1.23","h":"#27-ensure-that-a-unique-certificate-authority-is-used-for-etcd-manual","p":3063},{"i":3210,"t":"Result: warn Remediation: Alternative mechanisms provided by Kubernetes such as the use of OIDC should be implemented in place of client certificates.","s":"3.1.1 Client certificate authentication should not be used for users (Manual)","u":"/kr/security/self-assessment-1.23","h":"#311-client-certificate-authentication-should-not-be-used-for-users-manual","p":3063},{"i":3213,"t":"Result: warn Remediation: Create an audit policy file for your cluster. Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'audit-policy-file'","s":"3.2.1 Ensure that a minimal audit policy is created (Manual)","u":"/kr/security/self-assessment-1.23","h":"#321-ensure-that-a-minimal-audit-policy-is-created-manual","p":3063},{"i":3215,"t":"Result: warn Remediation: Review the audit policy provided for the cluster and ensure that it covers at least the following areas, Access to Secrets managed by the cluster. Care should be taken to only log Metadata for requests to Secrets, ConfigMaps, and TokenReviews, in order to avoid risk of logging sensitive data. Modification of Pod and Deployment objects. Use of pods/exec, pods/portforward, pods/proxy and services/proxy. For most requests, minimally logging at the Metadata level is recommended (the most basic level of logging).","s":"3.2.2 Ensure that the audit policy covers key security concerns (Manual)","u":"/kr/security/self-assessment-1.23","h":"#322-ensure-that-the-audit-policy-covers-key-security-concerns-manual","p":3063},{"i":3218,"t":"Result: Not Applicable Remediation: Run the below command (based on the file location on your system) on the each worker node. For example, chmod 644 /etc/systemd/system/kubelet.service.d/10-kubeadm.conf","s":"4.1.1 Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automated)","u":"/kr/security/self-assessment-1.23","h":"#411-ensure-that-the-kubelet-service-file-permissions-are-set-to-644-or-more-restrictive-automated","p":3063},{"i":3220,"t":"Result: Not Applicable Remediation: Run the below command (based on the file location on your system) on the each worker node. For example, chown root:root /etc/systemd/system/kubelet.service.d/10-kubeadm.conf","s":"4.1.2 Ensure that the kubelet service file ownership is set to root:root (Automated)","u":"/kr/security/self-assessment-1.23","h":"#412-ensure-that-the-kubelet-service-file-ownership-is-set-to-root-automated","p":3063},{"i":3222,"t":"Result: pass Remediation: Run the below command (based on the file location on your system) on the each worker node. For example, chmod 644 /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig Audit: stat -c %a /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig Expected Result: 'permissions' is present OR '/var/lib/rancher/k3s/agent/kubeproxy.kubeconfig' is not present Returned Value: 644 644","s":"4.1.3 If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive (Manual)","u":"/kr/security/self-assessment-1.23","h":"#413-if-proxy-kubeconfig-file-exists-ensure-permissions-are-set-to-644-or-more-restrictive-manual","p":3063},{"i":3224,"t":"Result: pass Remediation: Run the below command (based on the file location on your system) on the each worker node. For example, chown root:root /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig Audit: /bin/sh -c 'if test -e /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; fi' Expected Result: 'root:root' is present OR '/var/lib/rancher/k3s/agent/kubeproxy.kubeconfig' is not present Returned Value: root:root root:root","s":"4.1.4 If proxy kubeconfig file exists ensure ownership is set to root:root (Manual)","u":"/kr/security/self-assessment-1.23","h":"#414-if-proxy-kubeconfig-file-exists-ensure-ownership-is-set-to-root-manual","p":3063},{"i":3226,"t":"Result: pass Remediation: Run the below command (based on the file location on your system) on the each worker node. For example, chmod 644 /var/lib/rancher/k3s/server/cred/admin.kubeconfig Audit: stat -c %a /var/lib/rancher/k3s/agent/kubelet.kubeconfig Expected Result: '644' is equal to '644' Returned Value: 644 644","s":"4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive (Automated)","u":"/kr/security/self-assessment-1.23","h":"#415-ensure-that-the---kubeconfig-kubeletconf-file-permissions-are-set-to-644-or-more-restrictive-automated","p":3063},{"i":3228,"t":"Result: pass Remediation: Run the below command (based on the file location on your system) on the each worker node. For example, chown root:root /var/lib/rancher/k3s/server/cred/admin.kubeconfig Audit: stat -c %U:%G /var/lib/rancher/k3s/agent/kubelet.kubeconfig Expected Result: 'root:root' is equal to 'root:root' Returned Value: root:root root:root","s":"4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root (Automated)","u":"/kr/security/self-assessment-1.23","h":"#416-ensure-that-the---kubeconfig-kubeletconf-file-ownership-is-set-to-root-automated","p":3063},{"i":3230,"t":"Result: pass Remediation: Run the following command to modify the file permissions of the --client-ca-file: chmod 644 Audit: stat -c %a /var/lib/rancher/k3s/server/tls/server-ca.crt Expected Result: '644' is present OR '640' is present OR '600' is equal to '600' OR '444' is present OR '440' is present OR '400' is present OR '000' is present Returned Value: 644 600","s":"4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual)","u":"/kr/security/self-assessment-1.23","h":"#417-ensure-that-the-certificate-authorities-file-permissions-are-set-to-644-or-more-restrictive-manual","p":3063},{"i":3232,"t":"Result: pass Remediation: Run the following command to modify the ownership of the --client-ca-file: chown root:root . Audit: stat -c %U:%G /var/lib/rancher/k3s/server/tls/client-ca.crt Expected Result: 'root:root' is equal to 'root:root' Returned Value: root:root root:root","s":"4.1.8 Ensure that the client certificate authorities file ownership is set to root:root (Manual)","u":"/kr/security/self-assessment-1.23","h":"#418-ensure-that-the-client-certificate-authorities-file-ownership-is-set-to-root-manual","p":3063},{"i":3234,"t":"Result: Not Applicable Remediation: Run the following command (using the config file location identified in the Audit step) chmod 644 /var/lib/kubelet/config.yaml","s":"4.1.9 Ensure that the kubelet --config configuration file has permissions set to 644 or more restrictive (Automated)","u":"/kr/security/self-assessment-1.23","h":"#419-ensure-that-the-kubelet---config-configuration-file-has-permissions-set-to-644-or-more-restrictive-automated","p":3063},{"i":3236,"t":"Result: Not Applicable Remediation: Run the following command (using the config file location identified in the Audit step) chown root:root /var/lib/kubelet/config.yaml","s":"4.1.10 Ensure that the kubelet --config configuration file ownership is set to root:root (Automated)","u":"/kr/security/self-assessment-1.23","h":"#4110-ensure-that-the-kubelet---config-configuration-file-ownership-is-set-to-root-automated","p":3063},{"i":3239,"t":"Result: pass Remediation: If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to false. If using executable arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. --anonymous-auth=false Based on your system, restart the kubelet service. For example, systemctl daemon-reload systemctl restart kubelet.service Audit: /bin/sh -c 'if test $(journalctl -D /var/log/journal -u k3s | grep \"Running kube-apiserver\" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep \"Running kube-apiserver\" | tail -n1 | grep \"anonymous-auth\" | grep -v grep; else echo \"--anonymous-auth=false\"; fi' Expected Result: '--anonymous-auth' is equal to 'false' Returned Value: --anonymous-auth=false Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key\"","s":"4.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)","u":"/kr/security/self-assessment-1.23","h":"#421-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated","p":3063},{"i":3241,"t":"Result: pass Remediation: If using a Kubelet config file, edit the file to set authorization.mode to Webhook. If using executable arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameter in KUBELET_AUTHZ_ARGS variable. --authorization-mode=Webhook Based on your system, restart the kubelet service. For example, systemctl daemon-reload systemctl restart kubelet.service Audit: /bin/sh -c 'if test $(journalctl -D /var/log/journal -u k3s | grep \"Running kube-apiserver\" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep \"Running kube-apiserver\" | tail -n1 | grep \"authorization-mode\" | grep -v grep; else echo \"--authorization-mode=Webhook\"; fi' Expected Result: '--authorization-mode' does not have 'AlwaysAllow' Returned Value: --authorization-mode=Webhook Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key\"","s":"4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)","u":"/kr/security/self-assessment-1.23","h":"#422-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated","p":3063},{"i":3243,"t":"Result: pass Remediation: If using a Kubelet config file, edit the file to set authentication.x509.clientCAFile to the location of the client CA file. If using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameter in KUBELET_AUTHZ_ARGS variable. --client-ca-file= Based on your system, restart the kubelet service. For example, systemctl daemon-reload systemctl restart kubelet.service Audit: /bin/sh -c 'if test $(journalctl -D /var/log/journal -u k3s | grep \"Running kube-apiserver\" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep \"Running kube-apiserver\" | tail -n1 | grep \"client-ca-file\" | grep -v grep; else echo \"--client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt\"; fi' Expected Result: '--client-ca-file' is present Returned Value: --client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key\"","s":"4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)","u":"/kr/security/self-assessment-1.23","h":"#423-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated","p":3063},{"i":3245,"t":"Result: pass Remediation: If using a Kubelet config file, edit the file to set readOnlyPort to 0. If using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. --read-only-port=0 Based on your system, restart the kubelet service. For example, systemctl daemon-reload systemctl restart kubelet.service Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kubelet' | tail -n1 | grep 'read-only-port' Expected Result: '--read-only-port' is equal to '0' OR '--read-only-port' is not present Returned Value: Sep 13 13:26:50 k3s-123-cis-pool2-98604672-hr9p5 k3s[1592]: time=\"2022-09-13T13:26:50Z\" level=info msg=\"Running kubelet --address=0.0.0.0 --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=k3s-123-cis-pool2-98604672-hr9p5 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --node-labels=rke.cattle.io/machine=00c4e7a0-5497-4367-a70c-0b836757eae8 --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key\" Sep 13 13:26:44 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:44Z\" level=info msg=\"Running kubelet --address=0.0.0.0 --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=k3s-123-cis-pool3-b403f678-bzdg5 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --node-labels=rke.cattle.io/machine=109d596c-89f5-4c10-8c7f-6b82a38edd8f --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key\"","s":"4.2.4 Ensure that the --read-only-port argument is set to 0 (Manual)","u":"/kr/security/self-assessment-1.23","h":"#424-ensure-that-the---read-only-port-argument-is-set-to-0-manual","p":3063},{"i":3247,"t":"Result: warn Remediation: If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a value other than 0. If using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. --streaming-connection-idle-timeout=5m Based on your system, restart the kubelet service. For example, systemctl daemon-reload systemctl restart kubelet.service Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kubelet' | tail -n1 | grep 'streaming-connection-idle-timeout'","s":"4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)","u":"/kr/security/self-assessment-1.23","h":"#425-ensure-that-the---streaming-connection-idle-timeout-argument-is-not-set-to-0-manual","p":3063},{"i":3249,"t":"Result: Not Applicable Remediation: If using a Kubelet config file, edit the file to set protectKernelDefaults to true. If using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. --protect-kernel-defaults=true Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service","s":"4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)","u":"/kr/security/self-assessment-1.23","h":"#426-ensure-that-the---protect-kernel-defaults-argument-is-set-to-true-automated","p":3063},{"i":3251,"t":"Result: Not Applicable Remediation: If using a Kubelet config file, edit the file to set makeIPTablesUtilChains to true. If using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and remove the --make-iptables-util-chains argument from the KUBELET_SYSTEM_PODS_ARGS variable. Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service","s":"4.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Automated)","u":"/kr/security/self-assessment-1.23","h":"#427-ensure-that-the---make-iptables-util-chains-argument-is-set-to-true-automated","p":3063},{"i":3253,"t":"Result: Not Applicable Remediation: Edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and remove the --hostname-override argument from the KUBELET_SYSTEM_PODS_ARGS variable. Based on your system, restart the kubelet service. For example, systemctl daemon-reload systemctl restart kubelet.service","s":"4.2.8 Ensure that the --hostname-override argument is not set (Manual)","u":"/kr/security/self-assessment-1.23","h":"#428-ensure-that-the---hostname-override-argument-is-not-set-manual","p":3063},{"i":3255,"t":"Result: warn Remediation: If using a Kubelet config file, edit the file to set eventRecordQPS to an appropriate level. If using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. Based on your system, restart the kubelet service. For example, systemctl daemon-reload systemctl restart kubelet.service Audit: /bin/ps -fC containerd","s":"4.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Manual)","u":"/kr/security/self-assessment-1.23","h":"#429-ensure-that-the---event-qps-argument-is-set-to-0-or-a-level-which-ensures-appropriate-event-capture-manual","p":3063},{"i":3257,"t":"Result: pass Remediation: If using a Kubelet config file, edit the file to set tlsCertFile to the location of the certificate file to use to identify this Kubelet, and tlsPrivateKeyFile to the location of the corresponding private key file. If using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameters in KUBELET_CERTIFICATE_ARGS variable. --tls-cert-file= --tls-private-key-file= Based on your system, restart the kubelet service. For example, systemctl daemon-reload systemctl restart kubelet.service Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kubelet' | tail -n1 Expected Result: '--tls-cert-file' is present AND '--tls-private-key-file' is present Returned Value: Sep 13 13:26:50 k3s-123-cis-pool2-98604672-hr9p5 k3s[1592]: time=\"2022-09-13T13:26:50Z\" level=info msg=\"Running kubelet --address=0.0.0.0 --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=k3s-123-cis-pool2-98604672-hr9p5 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --node-labels=rke.cattle.io/machine=00c4e7a0-5497-4367-a70c-0b836757eae8 --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key\" Sep 13 13:26:44 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:44Z\" level=info msg=\"Running kubelet --address=0.0.0.0 --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=k3s-123-cis-pool3-b403f678-bzdg5 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --node-labels=rke.cattle.io/machine=109d596c-89f5-4c10-8c7f-6b82a38edd8f --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key\"","s":"4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)","u":"/kr/security/self-assessment-1.23","h":"#4210-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-manual","p":3063},{"i":3259,"t":"Result: Not Applicable Remediation: If using a Kubelet config file, edit the file to add the line rotateCertificates to true or remove it altogether to use the default value. If using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and remove --rotate-certificates=false argument from the KUBELET_CERTIFICATE_ARGS variable. Based on your system, restart the kubelet service. For example, systemctl daemon-reload systemctl restart kubelet.service","s":"4.2.11 Ensure that the --rotate-certificates argument is not set to false (Automated)","u":"/kr/security/self-assessment-1.23","h":"#4211-ensure-that-the---rotate-certificates-argument-is-not-set-to-false-automated","p":3063},{"i":3261,"t":"Result: Not Applicable Remediation: Edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable. --feature-gates=RotateKubeletServerCertificate=true Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service","s":"4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true (Manual)","u":"/kr/security/self-assessment-1.23","h":"#4212-verify-that-the-rotatekubeletservercertificate-argument-is-set-to-true-manual","p":3063},{"i":3263,"t":"Result: warn Remediation: If using a Kubelet config file, edit the file to set TLSCipherSuites to TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256 or to a subset of these values. If using executable arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the --tls-cipher-suites parameter as follows, or to a subset of these values. --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256 Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service Audit: /bin/ps -fC containerd","s":"4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)","u":"/kr/security/self-assessment-1.23","h":"#4213-ensure-that-the-kubelet-only-makes-use-of-strong-cryptographic-ciphers-manual","p":3063},{"i":3266,"t":"Result: warn Remediation: Identify all clusterrolebindings to the cluster-admin role. Check if they are used and if they need this role or if they could use a role with fewer privileges. Where possible, first bind users to a lower privileged role and then remove the clusterrolebinding to the cluster-admin role : kubectl delete clusterrolebinding [name]","s":"5.1.1 Ensure that the cluster-admin role is only used where required (Manual)","u":"/kr/security/self-assessment-1.23","h":"#511-ensure-that-the-cluster-admin-role-is-only-used-where-required-manual","p":3063},{"i":3268,"t":"Result: warn Remediation: Where possible, remove get, list and watch access to Secret objects in the cluster.","s":"5.1.2 Minimize access to secrets (Manual)","u":"/kr/security/self-assessment-1.23","h":"#512-minimize-access-to-secrets-manual","p":3063},{"i":3270,"t":"Result: warn Remediation: Where possible replace any use of wildcards in clusterroles and roles with specific objects or actions.","s":"5.1.3 Minimize wildcard use in Roles and ClusterRoles (Manual)","u":"/kr/security/self-assessment-1.23","h":"#513-minimize-wildcard-use-in-roles-and-clusterroles-manual","p":3063},{"i":3272,"t":"Result: warn Remediation: Where possible, remove create access to pod objects in the cluster.","s":"5.1.4 Minimize access to create pods (Manual)","u":"/kr/security/self-assessment-1.23","h":"#514-minimize-access-to-create-pods-manual","p":3063},{"i":3274,"t":"Result: warn Remediation: Create explicit service accounts wherever a Kubernetes workload requires specific access to the Kubernetes API server. Modify the configuration of each default service account to include this value automountServiceAccountToken: false","s":"5.1.5 Ensure that default service accounts are not actively used. (Manual)","u":"/kr/security/self-assessment-1.23","h":"#515-ensure-that-default-service-accounts-are-not-actively-used-manual","p":3063},{"i":3276,"t":"Result: warn Remediation: Modify the definition of pods and service accounts which do not need to mount service account tokens to disable it.","s":"5.1.6 Ensure that Service Account Tokens are only mounted where necessary (Manual)","u":"/kr/security/self-assessment-1.23","h":"#516-ensure-that-service-account-tokens-are-only-mounted-where-necessary-manual","p":3063},{"i":3278,"t":"Result: warn Remediation: Remove the system:masters group from all users in the cluster.","s":"5.1.7 Avoid use of system:masters group (Manual)","u":"/kr/security/self-assessment-1.23","h":"#517-avoid-use-of-system-group-manual","p":3063},{"i":3280,"t":"Result: warn Remediation: Where possible, remove the impersonate, bind and escalate rights from subjects.","s":"5.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)","u":"/kr/security/self-assessment-1.23","h":"#518-limit-use-of-the-bind-impersonate-and-escalate-permissions-in-the-kubernetes-cluster-manual","p":3063},{"i":3283,"t":"Result: warn Remediation: Ensure that either Pod Security Admission or an external policy control system is in place for every namespace which contains user workloads.","s":"5.2.1 Ensure that the cluster has at least one active policy control mechanism in place (Manual)","u":"/kr/security/self-assessment-1.23","h":"#521-ensure-that-the-cluster-has-at-least-one-active-policy-control-mechanism-in-place-manual","p":3063},{"i":3285,"t":"Result: warn Remediation: Add policies to each namespace in the cluster which has user workloads to restrict the admission of privileged containers.","s":"5.2.2 Minimize the admission of privileged containers (Automated)","u":"/kr/security/self-assessment-1.23","h":"#522-minimize-the-admission-of-privileged-containers-automated","p":3063},{"i":3287,"t":"Result: warn Remediation: Add policies to each namespace in the cluster which has user workloads to restrict the admission of hostPID containers.","s":"5.2.3 Minimize the admission of containers wishing to share the host process ID namespace (Automated)","u":"/kr/security/self-assessment-1.23","h":"#523-minimize-the-admission-of-containers-wishing-to-share-the-host-process-id-namespace-automated","p":3063},{"i":3289,"t":"Result: warn Remediation: Add policies to each namespace in the cluster which has user workloads to restrict the admission of hostIPC containers.","s":"5.2.4 Minimize the admission of containers wishing to share the host IPC namespace (Automated)","u":"/kr/security/self-assessment-1.23","h":"#524-minimize-the-admission-of-containers-wishing-to-share-the-host-ipc-namespace-automated","p":3063},{"i":3291,"t":"Result: warn Remediation: Add policies to each namespace in the cluster which has user workloads to restrict the admission of hostNetwork containers.","s":"5.2.5 Minimize the admission of containers wishing to share the host network namespace (Automated)","u":"/kr/security/self-assessment-1.23","h":"#525-minimize-the-admission-of-containers-wishing-to-share-the-host-network-namespace-automated","p":3063},{"i":3293,"t":"Result: warn Remediation: Add policies to each namespace in the cluster which has user workloads to restrict the admission of containers with .spec.allowPrivilegeEscalation set to true.","s":"5.2.6 Minimize the admission of containers with allowPrivilegeEscalation (Automated)","u":"/kr/security/self-assessment-1.23","h":"#526-minimize-the-admission-of-containers-with-allowprivilegeescalation-automated","p":3063},{"i":3295,"t":"Result: warn Remediation: Create a policy for each namespace in the cluster, ensuring that either MustRunAsNonRoot or MustRunAs with the range of UIDs not including 0, is set.","s":"5.2.7 Minimize the admission of root containers (Automated)","u":"/kr/security/self-assessment-1.23","h":"#527-minimize-the-admission-of-root-containers-automated","p":3063},{"i":3297,"t":"Result: warn Remediation: Add policies to each namespace in the cluster which has user workloads to restrict the admission of containers with the NET_RAW capability.","s":"5.2.8 Minimize the admission of containers with the NET_RAW capability (Automated)","u":"/kr/security/self-assessment-1.23","h":"#528-minimize-the-admission-of-containers-with-the-net_raw-capability-automated","p":3063},{"i":3299,"t":"Result: warn Remediation: Ensure that allowedCapabilities is not present in policies for the cluster unless it is set to an empty array.","s":"5.2.9 Minimize the admission of containers with added capabilities (Automated)","u":"/kr/security/self-assessment-1.23","h":"#529-minimize-the-admission-of-containers-with-added-capabilities-automated","p":3063},{"i":3301,"t":"Result: warn Remediation: Review the use of capabilities in applications running on your cluster. Where a namespace contains applications which do not require any Linux capabilities to operate consider adding a PSP which forbids the admission of containers which do not drop all capabilities.","s":"5.2.10 Minimize the admission of containers with capabilities assigned (Manual)","u":"/kr/security/self-assessment-1.23","h":"#5210-minimize-the-admission-of-containers-with-capabilities-assigned-manual","p":3063},{"i":3303,"t":"Result: warn Remediation: Add policies to each namespace in the cluster which has user workloads to restrict the admission of containers that have .securityContext.windowsOptions.hostProcess set to true.","s":"5.2.11 Minimize the admission of Windows HostProcess containers (Manual)","u":"/kr/security/self-assessment-1.23","h":"#5211-minimize-the-admission-of-windows-hostprocess-containers-manual","p":3063},{"i":3305,"t":"Result: warn Remediation: Add policies to each namespace in the cluster which has user workloads to restrict the admission of containers with hostPath volumes.","s":"5.2.12 Minimize the admission of HostPath volumes (Manual)","u":"/kr/security/self-assessment-1.23","h":"#5212-minimize-the-admission-of-hostpath-volumes-manual","p":3063},{"i":3307,"t":"Result: warn Remediation: Add policies to each namespace in the cluster which has user workloads to restrict the admission of containers which use hostPort sections.","s":"5.2.13 Minimize the admission of containers which use HostPorts (Manual)","u":"/kr/security/self-assessment-1.23","h":"#5213-minimize-the-admission-of-containers-which-use-hostports-manual","p":3063},{"i":3310,"t":"Result: warn Remediation: If the CNI plugin in use does not support network policies, consideration should be given to making use of a different plugin, or finding an alternate mechanism for restricting traffic in the Kubernetes cluster.","s":"5.3.1 Ensure that the CNI in use supports NetworkPolicies (Manual)","u":"/kr/security/self-assessment-1.23","h":"#531-ensure-that-the-cni-in-use-supports-networkpolicies-manual","p":3063},{"i":3312,"t":"Result: warn Remediation: Follow the documentation and create NetworkPolicy objects as you need them.","s":"5.3.2 Ensure that all Namespaces have NetworkPolicies defined (Manual)","u":"/kr/security/self-assessment-1.23","h":"#532-ensure-that-all-namespaces-have-networkpolicies-defined-manual","p":3063},{"i":3315,"t":"Result: warn Remediation: If possible, rewrite application code to read Secrets from mounted secret files, rather than from environment variables.","s":"5.4.1 Prefer using Secrets as files over Secrets as environment variables (Manual)","u":"/kr/security/self-assessment-1.23","h":"#541-prefer-using-secrets-as-files-over-secrets-as-environment-variables-manual","p":3063},{"i":3317,"t":"Result: warn Remediation: Refer to the Secrets management options offered by your cloud provider or a third-party secrets management solution.","s":"5.4.2 Consider external secret storage (Manual)","u":"/kr/security/self-assessment-1.23","h":"#542-consider-external-secret-storage-manual","p":3063},{"i":3320,"t":"Result: warn Remediation: Follow the Kubernetes documentation and setup image provenance.","s":"5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)","u":"/kr/security/self-assessment-1.23","h":"#551-configure-image-provenance-using-imagepolicywebhook-admission-controller-manual","p":3063},{"i":3323,"t":"Result: warn Remediation: Follow the documentation and create namespaces for objects in your deployment as you need them.","s":"5.7.1 Create administrative boundaries between resources using namespaces (Manual)","u":"/kr/security/self-assessment-1.23","h":"#571-create-administrative-boundaries-between-resources-using-namespaces-manual","p":3063},{"i":3325,"t":"Result: warn Remediation: Use securityContext to enable the docker/default seccomp profile in your pod definitions. An example is as below: securityContext: seccompProfile: type: RuntimeDefault","s":"5.7.2 Ensure that the seccomp profile is set to docker/default in your Pod definitions (Manual)","u":"/kr/security/self-assessment-1.23","h":"#572-ensure-that-the-seccomp-profile-is-set-to-dockerdefault-in-your-pod-definitions-manual","p":3063},{"i":3327,"t":"Result: warn Remediation: Follow the Kubernetes documentation and apply SecurityContexts to your Pods. For a suggested list of SecurityContexts, you may refer to the CIS Security Benchmark for Docker Containers.","s":"5.7.3 Apply SecurityContext to your Pods and Containers (Manual)","u":"/kr/security/self-assessment-1.23","h":"#573-apply-securitycontext-to-your-pods-and-containers-manual","p":3063},{"i":3329,"t":"Result: warn Remediation: Ensure that namespaces are created to allow for appropriate segregation of Kubernetes resources and that all new resources are created in a specific namespace.","s":"5.7.4 The default namespace should not be used (Manual)","u":"/kr/security/self-assessment-1.23","h":"#574-the-default-namespace-should-not-be-used-manual","p":3063}],"index":{"version":"2.3.9","fields":["t"],"fieldVectors":[["t/2484",[0,1.006,1,1.748,2,1.117,3,1.628,4,1.019,5,1.796,6,1.887,7,1.229,8,2.142,9,1.831,10,2.025,11,2.575,12,1.858,13,1.634,14,3.096,15,1.163,16,1.628,17,2.711,18,3.866,19,3.287,20,2.802,21,4.528,22,2.601,23,1.401,24,2.219,25,2.172,26,4.327,27,2.142,28,1.725,29,4.015,30,2.694,31,2.544,32,2.787,33,2.206,34,2.382,35,2.447]],["t/2486",[0,0.912,1,1.752,4,1.096,10,2.178,15,1.931,36,3.403]],["t/2488",[0,0.904,1,1.743,37,5.155,38,2.684]],["t/2490",[0,0.782,1,1.748,37,4.695,38,2.445,39,2.842,40,4.928]],["t/2492",[1,1.741,38,2.822,39,2.544]],["t/2494",[0,0.669,1,1.757,10,1.51,13,1.218,41,4.199,42,4.199,43,4.199,44,1.237,45,5.058,46,6.267,47,4.199,48,4.199,49,4.199,50,0.57]],["t/2496",[0,0.666,4,1.684,10,3.345,18,4.195,51,3.546,52,6.001,53,6.335,54,2.815,55,3.921,56,1.378,57,3.118,58,3.594,59,5.54,60,4.356,61,1.576,62,3.505,63,3.539,64,2.069,65,1.81,66,3.217,67,3.254,68,3.643,69,4.54]],["t/2498",[3,3.311,57,2.486,58,3.572,65,1.805,70,2.272,71,3.621,72,2.39,73,3.392,74,4.33,75,5.046,76,3.96,77,5.964,78,5.964,79,6.437,80,5.699,81,4.614,82,5.964,83,2.05,84,5.964,85,4.096,86,5.964,87,5.289,88,4.096,89,4.614]],["t/2500",[3,3.502,4,1.737,27,4.107,57,2.63,61,1.625,65,1.714,72,2.5,90,3.272,91,3.308,92,6.31,93,5.42,94,4.683,95,6.31,96,4.58,97,5.42,98,3.589]],["t/2502",[3,3.876,57,2.911,70,2.66,72,2.302,99,4.299,100,5.672,101,3.211,102,6.414,103,6.193,104,6.673,105,4.795]],["t/2504",[3,2.625,4,1.064,5,2.54,11,2.689,15,2.881,45,4.846,50,1.415,57,1.971,61,0.996,70,2.767,72,2.186,79,6.167,83,1.998,88,3.247,90,2.452,91,2.479,106,3.539,107,4.343,108,4.062,109,4.65,110,5.503,111,2.375,112,5.345,113,3.658,114,5.496,115,4.992,116,4.343,117,4.992,118,2.996,119,5.503,120,4.992,121,1.801,122,3.745,123,3.756,124,4.992,125,3.192,126,5.883,127,2.918,128,4.059,129,4.846,130,4.992,131,2.625,132,2.625,133,4.728,134,4.992]],["t/2506",[3,3.213,11,4.159,22,6.485,23,2.765,24,4.379,54,1.91,57,2.413,61,1.54,65,1.286,70,2.205,72,2.251,79,4.585,83,1.592,135,3.724,136,2.849,137,3.068,138,7.72,139,4.973,140,4.936,141,5.819,142,7.313,143,3.834,144,7.198,145,3.975,146,6.111,147,3.528,148,4.321,149,5.317]],["t/2508",[3,2.92,12,5.48,15,2.086,25,3.896,36,4.807,50,1.371,57,2.193,65,1.702,70,2.919,72,2.474,79,6.678,90,2.728,91,2.758,150,3.844,151,3.419,152,4.118,153,4.064,154,4.389,155,6.794,156,5.554,157,5.554,158,5.554,159,7.321,160,3.021]],["t/2510",[3,3.718,13,2.886,15,3.172,16,4.44,57,3.565,72,2.246,145,5.492,161,5.399,162,5.591]],["t/2512",[3,3.643,11,3.733,22,5.82,56,1.507,57,2.736,61,1.382,141,4.764,163,7.007,164,6.028,165,4.43,166,4.732,167,6.418,168,6.028,169,6.563,170,5.626,171,5.077,172,4.098]],["t/2514",[3,3.795,12,5.131,27,3.235,31,3.841,57,2.85,61,1.706,72,1.92,79,5.416,90,3.546,91,3.585,173,6.837,174,1.479,175,7.728]],["t/2516",[0,0.753,1,1.217,2,1.962,10,2.303,15,2.042,17,3.084,39,2.076,50,1.501,54,1.7,56,1.182,61,1.085,62,3.178,63,2.436,109,6.457,112,7.314,176,4.641,177,3.739,178,4.73,179,6.48,180,3.537,181,3.815,182,4.079,183,4.117,184,4.921,185,1.789,186,1.476,187,4.567,188,5.437,189,6.404,190,6.404,191,4.183,192,3.365,193,4.73,194,2.761]],["t/2518",[0,0.366,4,0.954,5,1.307,10,1.896,11,3.128,12,3.765,13,1.189,15,2.356,16,1.829,22,2.923,23,0.944,24,1.495,25,1.463,27,2.341,36,2.304,45,2.493,50,1.226,54,1.088,56,0.757,57,1.374,58,1.183,61,1.252,62,2.319,64,0.681,65,1.684,70,2.982,71,1.199,72,2.458,73,1.124,74,1.434,75,4.185,76,1.312,77,1.976,78,1.976,80,1.888,81,1.528,82,1.976,83,1.635,84,1.976,85,1.357,86,1.976,87,1.752,88,2.263,89,1.528,90,1.025,91,1.036,92,1.976,93,1.697,94,2.001,95,1.976,96,1.434,97,2.831,98,1.124,99,1.216,100,2.677,101,0.908,102,1.815,103,1.752,104,1.888,105,1.357,106,2.68,107,1.815,108,1.697,109,2.392,110,2.831,111,0.993,112,2.75,113,1.528,114,3.207,115,2.086,116,1.815,117,2.086,118,1.252,119,2.831,120,2.086,121,0.753,122,1.565,123,2.387,124,2.086,125,1.334,126,3.027,127,1.501,128,2.687,129,2.493,130,2.086,131,1.097,132,1.097,133,1.976,134,2.086,135,1.271,136,0.972,137,1.047,138,3.479,139,1.697,140,3.34,141,3.592,142,3.296,143,2.594,145,2.911,146,2.086,147,1.59,148,1.947,149,1.815,150,2.006,151,1.639,152,1.974,153,1.947,154,1.649,155,3.76,156,2.086,157,2.086,158,2.086,159,4.728,160,2.61,161,2.225,162,2.304,163,2.923,164,1.815,165,1.334,166,1.974,167,2.677,168,3.027,169,1.976,170,3.019,171,1.528,172,1.234,174,0.917,185,0.686,186,0.566,195,1.976,196,2.233,197,2.086,198,1.888,199,1.071,200,1.649,201,2.086,202,3.149,203,1.815,204,2.233,205,2.457,206,7.753,207,4.388,208,2.512,209,1.216,210,2.12,211,1.036,212,2.233,213,2.233,214,6.217,215,2.233,216,1.752,217,3.479,218,2.233,219,6.716,220,3.296,221,3.725,222,3.642]],["t/2520",[0,0.893,1,1.443,2,1.218,3,1.775,4,1.089,6,1.537,28,3.243,29,7.72,30,7.927,31,3.117,33,0.662,38,1.068,44,0.875,51,0.802,52,1.358,53,1.433,54,1.055,56,1.007,57,1.829,58,1.43,60,0.986,61,0.286,62,2.6,64,0.468,65,0.531,68,0.824,70,2.223,72,1.232,73,1.359,74,1.734,75,1.376,83,0.88,85,0.932,89,1.05,90,0.704,91,0.712,98,0.772,99,3.416,100,2.598,102,1.247,103,2.118,106,2.357,111,2.622,121,0.91,125,1.612,131,1.326,132,0.754,135,2.477,136,1.574,137,0.72,139,2.748,140,2.599,145,0.932,159,1.297,174,1.612,180,1.64,181,1.006,183,0.824,184,3.056,185,0.472,186,0.389,192,0.887,209,2.701,211,1.677,223,0.697,224,0.949,225,1.418,226,1.433,227,1.38,228,3.661,229,0.772,230,5.88,231,1.688,232,1.688,233,3.013,234,2.748,235,2.389,236,1.688,237,2.118,238,1.358,239,1.688,240,1.166,241,1.89,242,0.873,243,1.94,244,0.917,245,0.967,246,6.505,247,2.97,248,0.594,249,2.7,250,1.342,251,1.612,252,1.166,253,0.932,254,1.204,255,4.065,256,3.376,257,2.118,258,3.185,259,2.7,260,1.942,261,1.688,262,1.688,263,0.873,264,1.05,265,1.688,266,0.873,267,2.522,268,0.986,269,1.433,270,1.433,271,1.204,272,4.838,273,3.537,274,1.247,275,1.535,276,1.433,277,0.967,278,1.297,279,1.433,280,1.433,281,3.615,282,2.306,283,1.103,284,0.932,285,3.977,286,0.728,287,5.549,288,0.873,289,1.535,290,1.359,291,1.103,292,1.535,293,1.075,294,1.049,295,0.63,296,1.05,297,2.389,298,1.166,299,3.237,300,2.603,301,5.107,302,2.522,303,1.433,304,2.322,305,3.977,306,6.016,307,0.86,308,1.006,309,1.433,310,1.688,311,0.497,312,1.103,313,1.688,314,1.05,315,1.688,316,1.358,317,4.96,318,1.535,319,1.535,320,1.688,321,1.688,322,0.848,323,1.688,324,1.688,325,1.247,326,1.433,327,1.688,328,0.596,329,1.358,330,1.807,331,1.05,332,1.213,333,1.075,334,0.642,335,0.986]],["t/2522",[0,0.781,31,4.626,32,5.068,66,3.771,67,3.814,68,4.27,121,2.679,282,4.212,336,6.46]],["t/2524",[0,0.639,7,1.562,18,4.022,23,2.749,31,4.491,32,5.337,121,2.192,171,4.452,174,1.245,181,4.262,223,2.952,224,4.022,225,2.55,241,3.4,258,4.177,266,3.702,300,3.42,311,2.669,337,7.156,338,4.674,339,6.504,340,5.396,341,5.754,342,2.339,343,5.285,344,6.504,345,6.504,346,7.156,347,5.754,348,7.156,349,6.075,350,7.156]],["t/2526",[0,0.979,1,1.393,2,1.079,4,1.701,30,5.606,31,4.778,32,5.123,40,1.979,50,0.478,55,1.85,56,1.242,57,1.837,61,1.285,111,3.066,121,1.678,137,1.501,153,1.673,174,1.32,180,3.025,182,4.284,192,1.85,225,1.255,233,3.025,242,1.821,244,2.974,245,2.016,250,4.613,251,2.974,255,8.38,256,6.443,260,2.675,274,4.047,282,2.638,284,1.944,286,3.545,300,1.885,322,4.372,333,3.49,340,5.186,341,7.559,351,4.651,352,3.579,353,5.832,354,8.543,355,2.059,356,2.925,357,3.785,358,4.98,359,4.21,360,4.21,361,3.907,362,4.98,363,4.98,364,1.88,365,2.432,366,1.096,367,1.88,368,2.989,369,3.309,370,2.601,371,3.2]],["t/2528",[0,0.968,1,1.234,2,1.177,4,1.632,30,5.247,31,4.935,32,5.407,40,3.993,50,0.964,56,1.312,57,3.023,61,1.449,121,2.763,136,3.827,174,1.488,182,3.733,192,2.019,225,1.369,242,1.988,244,3.856,245,2.2,250,4.566,255,8.412,256,6.031,260,2.861,286,3.426,296,4.944,322,3.991,341,7.776,354,8.197,355,2.156,356,3.129,357,4.049,358,5.327,366,1.196,367,2.051,368,3.262,369,2.555,370,2.838,371,3.492,372,4.179,373,6.391,374,4.329,375,2.39]],["t/2530",[0,0.512,1,1.219,2,1.757,4,1.735,31,4.33,32,5.341,39,1.211,40,3.925,50,1.333,51,1.776,54,1.522,61,1.431,65,0.667,66,1.611,67,1.629,68,2.8,106,3.069,111,2.317,118,1.904,121,2.139,125,2.028,132,2.561,136,1.479,174,0.998,186,1.609,194,1.611,241,1.776,244,2.028,250,3.154,271,2.665,300,3.451,311,1.101,322,2.881,329,5.615,338,3.747,340,5.532,352,6.066,353,2.871,366,1.163,369,1.629,376,1.593,377,6.416,378,5.214,379,7.469,380,6.361,381,4.091,382,6.019,383,4.665,384,7.119,385,7.119,386,6.346,387,2.181,388,2.762,389,2.139,390,3.654,391,3.736,392,3.736,393,1.274,394,7.119,395,3.736,396,3.736,397,3.736,398,2.665,399,3.736,400,3.005,401,2.226,402,3.172,403,3.736,404,3.396,405,1.904,406,3.005,407,2.581]],["t/2533",[0,0.88,4,1.487,33,3.866,60,4.796,111,3.319,127,3.01,180,4.537,266,4.25,408,7.468,409,8.376,410,6.607,411,7.468,412,7.581,413,6.069,414,7.468,415,6.607]],["t/2535",[0,1,1,1.364,4,1.711,6,3.331,7,2.063,8,2.449,9,3.233,13,1.868,15,2.053,16,3.778,28,1.972,33,4.339,38,2.316,58,3.1,61,1.091,106,2.523,111,3.419,127,2.358,253,3.555,257,6.035,260,4.131,287,5.177,311,1.897,340,6.501,355,1.746,416,3.495,417,5.466,418,6.438,419,5.177,420,2.685]],["t/2537",[0,0.801,2,2.325,4,1.52,7,0.936,24,2.609,27,1.631,32,3.151,33,4.355,38,1.542,39,2.723,44,1.263,50,0.864,60,3.716,61,1.52,63,1.631,66,1.849,67,1.87,68,2.093,70,1.314,74,2.503,75,1.986,88,2.368,99,2.123,111,2.571,131,1.914,153,2.038,174,0.746,180,2.368,183,2.093,223,1.769,224,2.41,225,1.528,241,2.038,251,2.328,263,2.218,266,2.218,282,2.065,294,3.724,300,3.439,304,2.503,307,2.185,330,2.609,335,2.503,340,4.521,344,3.898,366,1.981,400,3.448,410,3.448,411,3.898,413,3.167,415,3.448,421,3.515,422,3.898,423,3.716,424,3.295,425,2.841,426,4.701,427,4.539,428,4.288,429,4.288,430,6.365,431,4.539,432,3.898,433,3.898,434,4.288,435,4.288,436,4.288,437,4.288,438,3.058,439,4.288,440,2.801,441,3.898,442,2.962,443,2.877,444,2.065,445,4.288,446,4.835,447,3.64,448,3.64,449,3.448,450,3.898,451,3.898,452,4.288,453,3.64,454,3.64,455,3.448,456,2.153,457,3.898,458,3.898,459,3.898,460,3.898]],["t/2539",[0,0.673,1,1.315,2,1.459,4,1.084,27,1.122,28,1.459,33,3.94,34,1.927,55,2.502,56,1.106,61,1.544,65,1.672,83,0.653,111,2.776,127,1.744,137,1.258,145,4.685,147,1.145,174,1.042,178,4.423,180,2.63,186,1.738,191,3.911,208,1.944,209,2.357,211,2.008,225,1.051,227,2.617,241,1.402,252,2.038,266,1.526,288,4.568,294,3.809,295,2.565,300,2.594,307,3.051,311,2.222,340,1.757,351,2.505,355,0.8,366,1.482,369,1.286,388,1.421,405,1.503,410,2.372,422,2.682,423,4.708,425,2.673,426,2.179,427,2.104,438,2.104,441,2.682,461,4.018,462,1.629,463,2.682,464,4.549,465,2.95,466,1.503,467,2.267,468,2.95,469,4.043,470,3.659,471,2.372,472,2.505,473,5.209,474,7.006,475,2.372,476,2.267,477,2.077,478,2.63,479,4.423,480,3.407,481,5.57,482,3.29,483,2.464,484,2.104,485,4.762,486,4.762,487,1.244,488,2.038,489,2.682,490,4.329,491,2.95,492,4.329,493,4.762,494,2.95,495,2.95,496,2.95,497,2.267,498,1.927,499,2.682,500,2.682,501,2.038,502,2.95,503,2.267,504,2.95,505,2.95,506,2.95,507,1.46,508,2.372,509,2.104,510,2.682,511,2.505,512,1.081,513,1.927,514,2.682,515,1.927]],["t/2541",[0,0.696,1,1.306,2,1.919,4,0.91,10,1.135,27,3.162,33,3.655,34,2.062,50,1.059,54,0.838,56,0.928,61,1.683,62,1.894,65,1.276,72,1.135,75,1.462,81,1.963,83,0.698,88,2.776,90,1.316,91,1.331,99,2.489,111,1.275,128,2.562,145,4.308,174,0.874,183,1.541,186,1.444,209,3.862,211,2.119,227,1.095,229,2.299,241,3.707,250,3.228,252,2.18,263,2.601,287,2.538,288,1.633,294,3.753,295,3.102,300,2.859,307,1.608,311,0.93,322,2.524,330,1.92,340,5.391,342,1.032,352,3.284,355,1.699,356,1.685,366,1.565,373,4.043,376,1.345,379,4.043,401,1.88,415,2.538,423,4.852,425,1.409,426,2.331,438,4.468,444,1.52,446,5.553,461,3.373,462,1.743,464,3.395,469,4.268,470,2.425,473,4.438,474,2.425,479,2.331,487,2.119,497,2.425,498,2.062,499,2.869,503,3.863,507,1.562,508,2.538,509,2.251,510,2.869,511,2.68,512,1.156,516,5.038,517,2.331,518,4.043,519,5.694,520,2.331,521,1.76,522,2.389,523,4.569,524,0.814,525,1.92,526,2.331,527,3.156,528,5.694,529,4.043,530,2.538,531,3.156,532,3.156,533,2.68,534,2.869,535,3.156,536,2.869,537,1.105,538,1.095,539,2.18,540,2.68,541,2.425,542,1.562,543,2.062]],["t/2543",[0,0.751,1,1.048,2,1.956,4,0.931,10,1.168,23,1.248,27,3.202,33,3.922,34,2.122,50,1.142,54,0.862,56,0.6,61,1.549,62,1.224,65,0.919,66,1.401,70,2.578,72,1.442,75,1.505,81,2.021,88,2.84,99,1.608,111,1.312,128,2.621,174,0.895,186,1.472,209,3.161,225,1.158,227,2.216,229,2.353,237,4.554,241,4.345,250,3.281,252,2.244,263,2.661,287,2.613,288,2.661,294,3.905,295,2.383,300,2.197,307,1.656,311,1.515,330,1.976,340,5.013,342,1.062,352,3.36,355,0.881,356,1.735,373,2.613,376,1.385,379,4.136,380,2.317,389,1.86,423,3.003,424,6.081,425,4.305,426,2.4,443,2.18,444,2.477,446,5.997,462,1.794,463,2.953,464,3.76,467,2.496,469,4.367,470,2.496,473,2.746,474,2.496,479,2.4,490,5.804,507,1.608,508,2.613,509,2.317,511,2.758,512,1.19,516,4.136,517,2.4,519,2.953,521,1.801,522,3.034,523,4.675,524,0.838,525,3.885,537,1.137,538,1.127,539,2.244,540,2.758,541,2.496,542,1.608,543,2.122,544,7.913,545,2.069,546,2.496,547,2.613,548,3.249,549,4.675,550,3.249,551,3.249]],["t/2545",[0,0.689,1,1.484,2,2.365,4,0.799,10,1.587,27,2.936,33,2.547,34,2.882,56,0.815,61,1.307,65,1.379,66,1.902,75,2.043,81,2.745,88,3.59,99,2.184,108,3.048,128,2.248,147,1.712,174,1.131,186,1.017,209,3.218,223,2.682,227,1.531,229,2.018,234,3.048,237,4.636,241,3.089,242,2.283,250,3.487,252,3.048,254,3.146,284,2.436,288,3.363,291,2.882,294,3.008,295,1.647,300,3.599,311,1.3,340,5.657,342,2.125,352,4.246,355,2.576,376,1.881,379,3.548,423,3.795,425,1.97,444,3.13,446,5.424,479,3.259,487,3.828,489,4.01,497,3.39,498,2.882,512,1.616,515,2.882,516,3.548,517,3.259,524,1.138,528,4.01,533,5.519,534,4.01,536,4.01,537,1.545,539,3.048,552,7.718,553,4.412,554,4.01,555,8.516,556,1.587,557,4.412,558,6.501,559,4.412,560,4.412,561,3.048,562,6.501,563,4.412,564,3.259,565,3.746]],["t/2547",[1,1.74,17,4.427,19,6.385,20,7.063,39,1.973,316,6.555,524,2.102,566,5.263,567,5.531,568,6.085,569,4.051]],["t/2549",[0,0.863,1,1.728,4,1.439,17,3.828,20,6.108,150,3.024,570,7.225]],["t/2551",[0,0.87,1,1.734,571,5.26]],["t/2554",[0,0.805,1,1.743,294,3.801,335,4.153,340,4.237]],["t/2556",[0,0.899,1,1.744,408,6.701,414,6.701]],["t/2558",[0,0.803,1,1.748,27,2.691,572,6.429]],["t/2560",[0,0.868,1,1.751,15,2.178,150,3.052,356,2.52,573,3.006,574,4.719,575,4.719,576,8.023,577,4.719,578,4.719,579,4.719,580,4.719,581,4.719,582,4.719,583,2.936,584,4.719,585,8.792,586,4.719,587,4.719,588,4.719,589,4.719,590,4.719,591,4.719]],["t/2562",[0,0.676,1,1.675,2,0.791,4,0.988,11,1.181,13,2.197,15,1.362,17,1.243,22,1.841,23,0.992,34,1.686,44,2.231,45,1.571,56,1.298,73,3.215,96,1.507,106,1.673,122,1.644,123,2.119,125,2.318,132,1.152,140,3.815,141,5.074,142,5.652,143,1.088,155,1.841,164,3.154,227,0.896,250,1.166,363,9.436,369,3.906,377,2.95,507,2.114,512,0.946,524,0.666,566,1.478,569,1.762,592,4.27,593,2.582,594,2.582,595,2.582,596,2.358,597,1.538,598,1.451,599,2.789,600,1.784,601,1.907,602,4.392,603,5.461,604,2.582,605,5.768,606,5.768,607,2.72,608,4.27,609,2.582,610,4.993,611,2.582,612,2.582,613,2.865,614,5.461,615,2.582,616,2.347,617,2.582,618,2.582,619,4.27,620,5.461,621,2.582,622,1.984,623,2.582,624,2.582,625,3.625,626,8.957,627,4.27,628,2.582,629,5.461,630,5.461,631,5.461,632,5.461,633,5.461,634,5.461,635,2.582,636,2.347,637,2.582,638,2.582,639,2.582,640,2.582,641,2.582,642,4.27,643,4.27,644,4.27,645,4.27,646,4.27,647,4.27,648,2.582,649,7.028,650,2.582,651,2.582,652,2.582,653,2.582,654,2.582,655,2.582,656,2.582,657,2.582,658,4.27,659,4.27,660,4.27,661,4.27,662,4.27,663,4.27,664,2.582,665,2.582,666,2.582,667,2.582,668,2.582,669,2.582,670,2.582,671,2.582,672,2.582,673,2.582,674,2.582,675,2.582,676,2.192,677,2.582,678,4.27,679,4.27,680,4.27,681,4.27,682,4.27,683,4.27,684,2.582,685,2.582,686,2.582,687,2.582,688,2.582]],["t/2564",[0,0.833,1,1.728,18,3.526,28,2.548,199,2.735,223,2.588,480,2.834,507,3.105,508,5.044,599,5.433,689,10.629,690,6.272,691,6.272,692,6.272,693,6.272,694,4.333,695,6.272,696,6.272,697,5.044,698,6.272,699,6.272,700,6.272,701,5.044,702,6.272,703,6.272,704,6.272]],["t/2566",[0,0.597,1,1.746,694,4.618,705,4.938,706,6.685,707,8.673,708,7.363,709,8.673,710,6.076]],["t/2568",[0,0.728,1,1.741,4,0.732,23,3.135,24,2.462,70,1.24,72,1.376,106,3.43,132,1.806,143,1.706,161,2.196,222,2.795,268,2.362,507,2.003,512,1.482,524,1.043,540,3.435,556,1.455,569,1.669,596,2.234,705,2.989,711,10.404,712,4.046,713,3.109,714,3.678,715,6.095,716,3.678,717,4.046,718,6.095,719,4.046,720,4.046,721,3.678,722,7.332,723,3.63,724,4.046,725,3.63,726,3.435,727,3.63,728,4.046,729,2.517,730,6.095,731,7.332,732,4.346,733,4.046,734,4.046,735,4.046,736,4.046,737,1.949,738,2.989,739,4.046,740,4.046,741,4.046]],["t/2570",[1,1.753,10,2.125,15,2.548,17,2.845,28,1.81,36,3.321,50,0.802,136,2.338]],["t/2572",[0,0.678,1,1.744,742,6.909]],["t/2574",[0,0.875,1,1.754,729,4.32,743,3.242,744,4.831,745,4.831,746,3.569,747,4.831,748,6.945,749,6.318,750,4.831,751,3.077,752,4.831]],["t/2576",[0,0.933,1,1.74,4,1.298,15,1.611,17,2.433,56,0.933,121,1.548,163,5.113,260,3.5,356,3.828,498,3.3,509,3.603,524,1.302,749,5.592,751,4.566,753,5.052,754,5.052,755,5.052,756,5.052,757,5.052,758,9.578,759,5.052,760,5.052,761,4.592,762,3.233,763,2.84,764,2.79,765,3.731,766,5.052,767,5.052,768,5.052,769,5.052]],["t/2578",[0,0.747,1,1.75,3,2.274,70,1.56,90,2.124,91,2.148,121,1.56,163,3.633,356,2.72,770,5.094,771,9.608,772,5.094,773,5.094,774,5.094,775,5.094,776,5.094,777,5.094,778,3.099,779,5.094,780,5.094,781,3.327,782,5.094,783,7.212,784,5.094,785,2.487]],["t/2580",[0,0.877,1,1.685,163,7.007,260,3.984,377,5.638,742,7.418,762,3.812,786,3.166,787,6.563,788,3.166]],["t/2582",[0,0.583,1,1.756,10,1.598,15,1.417,17,2.14,50,0.887,109,3.815,112,5.201,420,1.853,789,4.444,790,4.444,791,3.283,792,4.444,793,4.444,794,4.444,795,4.444]],["t/2584",[0,0.769,1,1.739,10,2.378,356,4.598,357,5.949,507,3.273,571,4.319,596,3.652,597,3.939,598,3.717,786,3.341,788,3.341,796,6.01,797,6.612,798,6.612,799,6.612]],["t/2587",[0,0.818,1,1.744,166,3.912,167,5.307,168,6.001,223,2.498,224,3.403,271,4.318,442,4.183,694,4.183,800,4.839,801,6.055,802,6.055,803,6.055,804,5.503,805,5.503,806,5.503,807,5.503,808,5.503]],["t/2589",[1,1.734,5,1.84,9,4.492,136,3.112,176,4.142,260,3.838,347,7.193,355,1.565,365,3.985,524,1.487,764,3.185,765,4.261,778,3.509,809,7.146,810,7.725,811,8.731,812,5.243,813,7.146,814,5.243,815,5.243,816,8.13,817,5.243,818,5.243,819,4.897]],["t/2591",[1,1.739,5,2.144,136,2.66,334,3.672,355,1.823,524,1.733,778,4.089,810,5.406,820,6.722,821,9.612,822,6.11,823,5.165,824,5.406]],["t/2593",[0,0.557,1,1.734,356,3.332,455,5.018,512,2.286,571,5.415,599,4.076,694,4.311,713,4.795,749,6.246,800,3.717,825,5.672,826,7.535,827,7.535,828,5.672,829,5.672,830,5.672,831,5.672,832,5.672,833,5.672,834,5.672,835,5.672,836,5.672,837,4.45,838,5.298,839,3.089,840,5.672]],["t/2595",[0,0.934,1,1.748,4,1.591,19,2.755,56,1.261,101,1.745,106,1.849,132,3.048,141,5.855,498,3.083,503,3.626,570,4.29,599,4.46,841,8.792,842,4.007,843,3.366,844,2.811,845,4.007,846,4.719,847,4.719,848,3.26,849,4.719]],["t/2597",[0,0.512,1,1.745,23,2.206,119,7.156,223,2.369,224,3.227,332,3.199,512,2.871,714,7.124,850,5.741,851,4.874,852,6.654,853,5.741,854,7.124,855,2.046,856,5.741,857,5.741,858,5.741,859,5.741]],["t/2599",[0,0.894,1,1.745,99,3.17,100,4.183,119,7.642,785,3.126,860,6.404,861,5.437]],["t/2602",[0,0.588,1,1.755,217,3.815,862,4.493,863,4.493,864,4.493,865,4.493,866,4.493,867,4.493,868,4.493,869,2.623,870,8.314,871,3.319,872,3.204,873,4.493,874,4.493,875,4.493,876,6.588]],["t/2604",[0,0.808,1,1.725,2,1.81,4,1.069,23,2.27,50,0.802,106,3.131,123,2.292,143,2.491,161,3.207,268,3.449,374,4.364,524,1.523,573,3.763,723,3.519,725,3.519,727,3.519,729,3.675,746,4.364,870,8.231,877,7.991,878,5.908,879,7.991,880,7.991,881,7.991,882,7.991,883,3.449,884,5.908,885,5.908,886,5.908,887,5.908,888,5.908,889,5.908,890,5.908,891,5.016]],["t/2606",[0,0.597,1,1.679,44,2.555,75,5.01,83,1.479,176,3.096,227,3.01,446,4.258,467,6.664,512,3.177,566,5.834,569,3.578,892,7.084,893,5.376,894,6.685,895,5.992,896,8.673,897,7.363,898,8.673,899,6.685]],["t/2608",[1,1.752,13,1.861,72,1.449,416,2.353,738,6.236,800,4.549,900,9.437,901,6.415,902,6.415,903,4.334,904,4.334,905,4.334,906,4.334,907,6.415,908,4.334,909,4.334,910,4.334,911,7.638,912,6.415,913,4.334,914,4.334,915,4.334]],["t/2610",[0,0.631,4,1.28,27,3.959,29,5.044,32,3.501,61,1.675,62,2.665,64,1.961,65,1.606,72,2.031,99,3.501,131,3.157,228,4.746,229,4.522,230,6.796,322,3.552,342,2.312,369,4.312,383,4.213,413,5.224,513,6.458,543,4.62,916,4.886,917,6.212,918,5.435,919,6.429,920,6.429]],["t/2612",[2,2.451,27,3.044,37,7.221,229,4.781,230,6.827,259,8.824,333,5.096,366,2.49,369,4.233,401,4.765,438,5.705,513,6.341,921,8,922,5.226,923,8]],["t/2614",[0,0.631,28,2.167,29,7.051,54,1.877,61,1.198,63,3.959,153,4.273,192,3.716,193,7.686,194,3.049,228,4.746,229,3.235,230,6.458,333,5.728,367,3.776,369,3.084,421,3.906,513,4.62,522,3.361,924,6.429,925,6.429,926,6.172,927,5.688,928,7.073,929,7.073,930,4.62,931,5.224]],["t/2616",[0,0.764,2,2.623,28,3.097,29,6.106,63,3.257,66,3.691,68,4.18,137,3.65,228,5.745,229,3.916,230,5.592,304,4.998,421,4.728]],["t/2618",[0,0.517,1,0.836,4,1.428,7,1.957,13,1.682,38,2.084,39,2.557,40,3.258,50,1.07,51,2.754,61,1.519,66,2.499,67,2.527,110,4.004,128,5.416,129,6.466,137,3.363,151,2.317,153,4.785,165,3.146,177,3.383,179,4.454,186,1.336,194,2.499,208,3.22,225,2.066,245,3.319,251,3.146,299,2.719,334,2.205,355,2.432,512,2.123,932,3.692,933,4.454,934,4.454,935,4.92,936,5.268,937,5.796,938,4.605,939,5.293,940,2.443,941,4.92,942,4.92,943,4.92,944,4.004,945,5.268,946,3.201,947,3.889,948,2.791,949,5.268,950,5.268,951,5.796,952,5.268]],["t/2620",[0,0.732,1,0.887,4,1.784,10,3.323,27,2.338,28,1.883,40,3.455,50,1.394,54,2.178,56,1.135,122,5.884,128,3.132,129,3.739,131,3.663,132,4.124,137,2.62,150,3.515,174,1.427,177,3.588,186,1.891,200,4.124,254,6.588,284,3.394,288,3.18,370,4.54,390,5.884,393,2.096,501,4.246,512,2.251,844,5.503,953,4.723,954,5.586,955,5.218,956,2.273,957,4.723,958,6.146,959,6.146,960,6.146,961,6.146,962,6.146,963,6.146,964,6.146,965,6.146,966,6.146]],["t/2622",[0,0.698,1,1.512,2,1.142,4,1.831,7,1.522,10,3.338,17,2.758,25,1.308,40,2.731,50,0.777,54,0.583,56,1.184,61,1.181,62,1.831,63,1.419,65,0.392,66,2.095,67,2.119,70,0.673,71,1.072,73,1.004,76,1.172,83,0.486,96,2.177,101,0.812,105,2.059,106,1.461,111,0.887,122,5.676,128,3.789,129,4.76,132,4.212,141,2.177,150,0.835,174,1.361,176,1.727,208,1.522,223,1.538,225,0.783,227,0.762,228,1.474,235,1.766,244,2.024,245,1.257,250,2.588,254,5.302,257,1.566,260,2.372,263,1.929,282,1.796,292,1.996,299,1.03,311,1.89,335,1.282,343,1.622,369,0.958,377,2.576,390,5.8,406,3.908,423,1.282,444,2.758,464,1.044,475,1.766,498,1.434,503,1.687,507,1.846,512,2.35,538,0.762,573,1.399,596,2.059,597,2.221,598,2.096,599,1.434,600,6.157,601,2.754,606,1.996,713,1.687,743,2.502,765,2.754,845,1.864,872,1.566,917,1.517,922,1.434,933,1.687,935,6.643,936,7.413,950,3.389,955,3.165,967,2.754,968,2.435,969,4.738,970,1.864,971,6.973,972,1.996,973,2.196,974,3.729,975,0.958,976,2.177,977,2.196,978,2.196,979,3.023,980,2.196,981,2.196,982,2.196,983,2.196,984,3.389,985,3.389,986,3.389,987,2.196,988,2.196,989,3.729,990,1.996,991,2.196,992,2.196,993,2.196,994,2.196,995,1.474,996,3.729,997,2.196,998,2.196,999,2.196,1000,2.196,1001,2.196,1002,3.389,1003,2.196,1004,3.165,1005,2.196,1006,2.435,1007,4.973,1008,1.864,1009,8.1,1010,1.766,1011,2.196,1012,5.92,1013,2.196,1014,3.389,1015,2.196,1016,1.434,1017,1.766,1018,1.996,1019,3.389,1020,1.766,1021,1.622,1022,1.434,1023,3.389,1024,1.622,1025,1.996,1026,1.566,1027,1.996,1028,1.766,1029,1.996,1030,1.996,1031,1.996,1032,1.766,1033,1.996,1034,1.017,1035,1.996,1036,1.996]],["t/2624",[0,0.648,1,1.533,2,1.219,4,1.811,7,1.584,10,3.415,17,2.899,40,3.384,50,0.817,54,1.056,56,1.494,61,1.23,65,0.711,66,1.716,67,1.736,71,1.943,83,0.881,96,2.323,101,1.472,106,1.56,111,1.608,122,3.834,128,4.124,129,4.923,132,3.88,141,3.514,174,1.408,208,1.625,223,1.642,225,1.419,227,1.381,244,3.268,245,2.279,250,1.798,254,5.177,257,2.838,260,1.943,263,2.059,282,1.917,311,1.773,343,2.94,369,1.736,377,2.75,390,4.624,406,3.201,475,3.201,498,2.6,503,3.058,507,1.97,512,2.205,573,2.535,596,2.198,597,2.371,598,2.237,600,6.316,601,2.94,743,2.671,765,2.94,845,3.379,922,2.6,933,3.058,935,7.761,955,3.379,967,2.94,968,2.6,969,2.94,984,3.618,985,3.618,986,3.618,1002,3.618,1004,3.379,1006,2.6,1007,5.177,1009,8.31,1012,6.163,1014,3.618,1016,2.6,1017,3.201,1018,3.618,1019,5.471,1020,3.201,1021,2.94,1022,2.6,1023,5.471,1024,2.94,1025,3.618,1026,2.838,1027,3.618,1028,3.201,1029,3.618,1030,3.618,1031,3.618,1032,3.201,1033,3.618,1034,1.843,1035,3.618,1036,3.618]],["t/2626",[0,0.764,27,3.847,50,1.46,61,1.45,94,4.18,162,4.813,174,1.759,263,5.231,521,2.998]],["t/2628",[0,0.743,27,3.168,94,4.066,121,2.551,127,3.051,166,4.011,174,1.449,207,5.939,253,4.599,263,4.308,388,4.011,521,3.482,1037,6.697,1038,7.093,1039,6.4,1040,8.328]],["t/2630",[4,1.758,23,1.806,27,3.903,33,4.097,50,1.086,60,5.123,61,1.356,94,3.908,98,2.15,136,1.861,145,2.596,167,4.447,174,1.393,192,2.47,207,5.709,253,2.596,263,4.819,294,3.624,304,2.744,311,2.006,330,2.86,364,2.51,380,6.926,381,3.353,383,2.8,388,2.264,398,3.353,401,2.8,424,3.612,425,2.099,431,3.353,440,3.071,471,3.781,473,2.51,521,2.384,543,3.071,932,2.994,934,3.612,943,3.991,956,2.518,1038,5.709,1039,3.612,1041,4.701,1042,3.781,1043,4.701,1044,4.701,1045,5.476,1046,4.701,1047,8.777,1048,6.809,1049,4.701,1050,4.701,1051,4.701,1052,3.781,1053,3.472,1054,4.701,1055,2.234,1056,3.248,1057,5.781,1058,4.273,1059,3.991,1060,3.155,1061,4.701,1062,6.809,1063,4.701,1064,2.695,1065,4.273,1066,3.353]],["t/2632",[4,1.342,27,3.845,50,1.257,61,1.57,94,3.621,98,3.392,162,4.169,167,4.844,174,1.29,263,4.794,294,2.62,296,4.614,364,3.96,376,3.162,390,4.724,431,5.289,462,4.096,525,4.512,956,2.742,1037,7.452,1038,5.289,1056,5.124,1057,6.297,1064,2.935,1067,6.741,1068,5.699,1069,7.417,1070,6.741,1071,6.741,1072,5.699]],["t/2634",[0,0.687,4,1.716,10,3.41,18,4.327,27,4.19,54,2.043,62,2.9,70,2.358,79,6.04,90,3.21,91,3.245,93,5.318,131,3.436,225,2.744,227,2.671,282,3.707,370,5.686,383,6.121,431,5.489,927,6.19,1073,6.535]],["t/2636",[0,0.435,4,1.875,10,1.752,27,4.012,31,2.2,32,3.458,33,3.701,50,0.661,54,1.292,61,1.665,63,2.657,66,3.011,67,3.046,68,3.987,111,2.822,145,3.857,147,1.889,174,1.861,182,3.102,183,2.377,208,1.988,227,2.424,228,3.268,229,3.194,230,3.181,242,2.519,263,2.519,284,2.689,294,3.336,299,3.276,300,2.809,307,3.559,342,1.592,355,1.321,369,3.046,380,3.473,423,2.843,424,3.742,425,2.174,432,4.427,433,4.427,471,3.916,487,2.053,513,4.562,521,1.705,917,3.364,918,3.742,920,4.427,927,3.916,945,4.427,948,2.345,1026,3.473,1037,3.916,1038,4.981,1053,3.597,1056,4.825,1074,4.135,1075,3.597,1076,3.364,1077,4.427,1078,4.87,1079,4.87,1080,4.87,1081,3.742,1082,3.268,1083,3.916,1084,4.135]],["t/2638",[4,1.895,10,3.884,18,4.046,27,4.351,54,1.91,62,2.712,65,1.286,70,2.205,83,1.592,90,3.002,91,3.035,111,2.908,174,1.582,183,3.514,253,3.975,322,3.614,388,3.466,412,5.531,521,2.52,526,5.317,1038,5.133,1076,4.973,1085,5.788,1086,7.198,1087,7.198]],["t/2640",[0,0.833,2,2.3,10,3.358,27,4.045,50,1.019,61,1.272,111,3.033,223,3.098,224,4.22,225,2.676,263,4.83,266,3.884,282,4.496,412,5.769,423,4.383,431,7.247,453,6.374,454,6.374,455,6.038,456,3.77,457,6.824,458,6.824,459,6.824,460,6.824,1088,6.374]],["t/2641",[0,0.818,2,2.33,3,3.814,4,1.608,8,1.142,18,1.687,19,5.187,27,4.322,31,2.181,35,3.24,45,3.685,50,0.407,57,2.327,58,3.343,60,2.818,61,1.289,62,2.283,67,1.309,70,2.81,72,2.249,73,1.373,83,0.664,94,2.357,98,3.175,99,4.399,100,4.534,102,5.127,103,4.95,104,5.334,105,3.833,106,1.176,139,2.073,174,1.323,180,1.657,184,2.306,187,3.443,198,3.71,208,1.225,227,2.64,241,1.426,242,2.498,258,4.441,266,1.552,273,2.217,283,1.96,286,1.294,289,5.506,294,1.06,307,1.529,322,1.507,360,2.306,376,1.279,380,2.14,388,1.445,412,2.306,423,5.495,431,6.54,471,2.413,473,3.706,520,2.217,521,1.051,549,5.506,572,2.728,839,1.486,916,2.073,932,1.911,1038,4.32,1074,2.548,1076,2.073,1085,2.413,1089,2.306,1090,2.728,1091,3.001,1092,1.867,1093,2.728,1094,3.001,1095,6.309,1096,3.001,1097,3.001,1098,2.357,1099,3.001,1100,3.001,1101,2.548,1102,2.217,1103,3.001,1104,3.001,1105,3.001,1106,3.001,1107,3.001,1108,3.001,1109,3.001,1110,2.306,1111,1.687,1112,2.728,1113,4.388,1114,3.001,1115,3.001,1116,2.14,1117,3.001,1118,4.099,1119,3.001]],["t/2643",[0,0.824,4,1.824,10,3.32,18,4.144,51,3.503,52,5.928,53,6.259,54,2.886,55,3.873,56,1.361,57,2.471,58,3.55,59,4.391,61,1.249,62,3.797,63,3.834,64,2.044,65,1.8,66,3.178,67,3.215,68,3.599,69,4.485,282,3.55]],["t/2645",[4,1.553,7,1.873,9,3.303,10,2.365,12,4.868,27,2.502,28,2.015,31,2.971,32,3.256,61,1.454,62,2.478,72,1.485,83,1.455,136,4.007,137,2.804,150,2.502,153,4.078,174,1.873,229,3.008,241,3.125,263,3.402,311,1.938,322,3.303,332,2.685,343,4.858,355,1.784,421,3.632,566,3.766,583,4.091,778,5.221,781,4.296,938,3.839,976,3.839,979,4.091,1120,4.189,1121,4.413,1122,6.577,1123,4.858,1124,3.085,1125,3.303,1126,3.211,1127,5.289]],["t/2648",[1,1.154,3,1.482,6,1.717,25,1.977,28,3.366,29,7.177,30,8.154,31,2.364,33,2.537,37,2.293,57,1.113,60,1.938,61,1.097,62,1.251,65,1.157,70,2.904,72,2.382,73,2.393,74,1.938,79,6.503,83,0.734,90,1.384,91,1.399,98,1.518,99,2.59,100,2.168,103,3.731,106,2.88,121,1.017,127,1.216,132,1.482,135,4.137,136,2.909,145,1.833,171,2.065,180,1.833,209,1.643,211,1.399,228,2.227,229,4.066,233,3.576,234,2.293,235,2.669,253,1.833,266,1.717,267,4.442,268,1.938,269,2.818,270,2.818,271,2.367,272,2.669,273,2.452,274,2.452,275,3.017,293,2.114,294,1.848,295,1.239,296,2.065,297,4.207,298,2.293,299,2.454,300,2.751,301,5.498,302,4.442,303,2.818,477,1.447,521,2.267,573,2.114,607,3.333,855,1.183,930,2.168,944,3.614,956,2.394,968,2.168,979,4.028,1128,2.818,1129,2.669,1130,2.669,1131,2.818,1132,4.474,1133,2.065,1134,2.818,1135,2.065,1136,2.818,1137,1.692,1138,3.017,1139,3.017,1140,3.319,1141,5.232,1142,3.017,1143,3.017,1144,3.017,1145,2.818,1146,3.865,1147,3.017]],["t/2650",[3,2.73,4,1.781,10,3.688,23,3.142,27,3.743,28,1.873,31,4.163,57,2.05,61,1.667,65,1.757,72,2.383,90,2.55,91,2.578,92,4.918,93,4.225,95,4.918,97,4.225,98,2.797,137,2.607,174,1.905,241,3.887,243,3.994,246,4.918,263,4.767,276,5.192,277,3.502,278,4.699,279,5.192,280,5.192,312,3.994,462,3.377,1073,5.192,1148,5.488,1149,6.115,1150,5.558,1151,5.558]],["t/2652",[3,3.251,19,6.327,57,2.442,65,1.636,70,2.231,72,2.263,90,3.038,91,3.071,127,2.668,172,3.658,183,3.556,283,6.87,334,2.771,419,5.858,473,3.889,762,2.826,976,6.139,1076,5.032,1152,5.858,1153,6.621,1154,6.621,1155,7.284,1156,5.597,1157,4.252,1158,4.888,1159,7.284]],["t/2655",[3,3.213,57,2.413,58,3.466,65,1.781,70,2.205,71,3.514,72,2.365,73,3.292,74,4.202,75,5.108,76,3.843,77,5.788,78,5.788,79,6.67,80,5.531,81,4.478,82,5.788,83,2.012,84,5.788,85,3.975,86,5.788,87,5.133,88,3.975,89,4.478,202,6.987,203,5.317]],["t/2657",[0,0.587,3,2.936,5,2.737,50,0.892,57,2.205,61,1.454,70,2.015,72,2.371,79,4.189,106,2.577,123,3.928,131,2.936,150,2.502,151,4.199,152,4.876,153,3.125,174,1.493,176,3.046,220,5.289,243,5.605,295,2.455,573,5.466,743,4.413,844,3.917,956,3.173,957,5.054,975,3.742,1024,7.055,1160,5.978,1161,5.978,1162,4.69,1163,6.577,1164,5.054,1165,4.544]],["t/2659",[3,3.822,57,2.87,70,2.623,72,2.283,99,4.238,100,5.592,101,3.166,102,6.324,103,6.106,104,6.579,105,4.728,473,4.571,1095,7.782]],["t/2661",[3,3.932,31,4.645,32,5.09,57,2.953,70,2.699,121,2.699,336,6.507,1137,4.489]],["t/2663",[0,0.329,3,1.648,4,1.029,5,2.831,10,3.66,12,3.966,13,1.071,15,1.177,17,2.737,44,1.087,50,1.381,54,0.98,56,1.049,57,1.237,61,1.566,70,1.741,72,2.156,75,1.709,79,3.62,98,4.06,121,1.131,123,2.205,135,4.784,136,1.461,150,3.197,151,3.112,153,2.701,172,1.854,174,1.608,220,4.57,242,2.94,299,2.666,304,2.155,311,1.087,334,2.636,355,2.712,366,1.769,461,3.813,524,2.007,569,2.345,583,2.296,613,2.477,778,5.626,781,3.712,823,2.836,824,2.968,837,4.053,938,3.317,976,2.155,979,2.296,1007,2.632,1016,2.411,1082,2.477,1123,4.198,1124,2.666,1125,1.854,1126,1.802,1127,2.968,1132,5.377,1162,2.632,1166,5.55,1167,3.355,1168,1.91,1169,3.355,1170,2.968,1171,2.968,1172,3.355,1173,3.355,1174,3.691,1175,3.134,1176,3.691,1177,3.134,1178,2.411,1179,1.754,1180,7.436,1181,2.836,1182,2.726,1183,3.134,1184,6.929,1185,3.134,1186,3.712,1187,4.57,1188,2.968]],["t/2665",[3,3.795,57,2.85,70,3.085,72,1.92,125,5.824,140,5.466,602,6.837,1189,4.847,1190,7.218]],["t/2667",[0,0.8,3,3.139,6,4.635,7,2.34,8,2.675,9,4.499,13,2.6,16,4,39,2.28,56,1.298,57,3.004,61,1.191,66,3.032,70,3.021,72,1.588,136,4.596,332,3.658,566,5.13,1124,4.203]],["t/2669",[3,2.786,5,2.644,6,4.289,7,2.165,8,3.773,9,4.163,13,3.262,15,2.644,16,3.701,28,2.54,57,3.687,72,2.445,145,5.981,161,5.879,162,6.088]],["t/2671",[3,3.331,4,1.351,10,2.684,11,3.413,22,5.322,56,1.717,57,2.502,61,1.264,66,3.217,121,2.849,123,2.895,126,5.512,135,3.86,136,2.953,141,4.356,163,6.633,164,5.512,165,4.051,166,4.479,167,6.075,168,5.512,169,6.001,170,5.326,171,4.642,172,3.747,222,5.155,1191,8.454,1192,6.783]],["t/2673",[3,3.213,12,5.707,27,2.738,31,3.252,57,2.413,61,1.829,65,1.286,72,2.053,79,6.67,90,3.002,91,3.035,136,2.849,155,5.133,160,3.212,173,5.788,174,1.252,175,6.542,253,3.975,940,3.035,979,6.201,1016,4.701,1082,4.83,1193,6.111,1194,7.198]],["t/2675",[0,0.348,1,0.756,4,1.072,5,1.403,6,2.016,7,1.222,8,1.674,9,1.671,10,1.742,11,1.783,12,3.019,13,1.953,15,1.403,16,1.486,19,1.943,22,1.372,23,1.028,24,0.635,25,1.146,27,1.483,28,2.727,29,5.111,30,6.198,31,2.189,32,0.952,33,1.049,36,1.081,37,0.721,39,0.338,44,0.789,45,1.17,50,0.913,54,0.51,56,0.494,57,2.175,58,0.502,60,1.123,61,1.277,62,1.469,64,0.289,65,1.43,70,3.034,71,0.509,72,2.427,73,1.224,74,1.123,75,2.88,76,0.557,77,0.839,78,0.839,80,0.801,81,0.649,82,0.839,83,1.072,84,0.839,85,0.576,86,0.839,87,0.744,88,1.062,89,0.649,90,0.435,91,0.44,92,0.839,93,1.329,95,0.839,96,0.609,97,0.721,98,0.88,99,1.648,100,1.748,101,0.386,102,0.77,103,1.909,104,0.801,105,0.576,106,2.321,107,0.77,108,0.721,109,1.123,110,1.329,111,0.421,112,1.291,113,0.649,114,1.628,115,0.886,116,0.77,117,0.886,118,0.532,119,1.329,120,0.886,121,1.348,122,0.664,123,2.517,124,0.886,125,2.116,126,1.977,127,1.612,128,1.364,129,1.17,130,0.886,131,0.859,132,0.859,133,0.839,134,0.886,135,2.506,136,2.984,137,0.82,138,1.633,139,0.721,140,2.846,141,1.943,142,1.547,143,1.643,145,3.093,146,0.886,147,1.038,148,1.582,149,0.77,150,2.131,151,2.096,152,2.119,153,1.852,154,0.7,155,1.909,156,0.886,157,0.886,158,0.886,159,2.558,160,1.554,161,2.63,162,2.723,163,1.372,164,0.77,165,0.566,166,0.926,167,1.256,168,1.421,169,0.839,170,1.533,171,1.197,172,0.966,174,1.46,176,0.483,180,0.576,185,0.291,186,0.24,195,0.839,196,0.948,197,0.886,198,0.801,199,0.455,200,0.7,201,0.886,202,1.478,203,0.77,204,0.948,206,5.091,207,2.374,208,1.359,209,0.952,210,0.995,211,0.811,212,0.948,213,0.948,214,3.999,215,0.948,216,0.744,217,1.633,218,0.948,219,3.999,220,3.134,221,1.748,222,2.299,228,0.7,229,2.216,230,1.256,233,1.478,234,0.721,235,0.839,241,0.914,242,0.995,243,1.748,246,1.547,253,0.576,258,0.609,263,1.385,266,0.54,267,1.633,268,0.609,269,0.886,270,0.886,271,0.744,272,0.839,273,0.77,274,6.282,276,0.886,277,0.597,278,0.801,279,0.886,280,0.886,283,2.174,293,0.664,294,0.679,295,0.718,296,0.649,297,1.547,298,0.721,299,0.902,300,1.341,301,2.272,302,1.633,303,0.886,312,0.681,325,1.421,332,0.785,336,0.77,355,1.193,419,0.839,462,0.576,473,0.557,477,0.455,521,0.937,524,0.858,566,1.101,569,0.794,573,1.705,583,0.649,602,0.839,607,1.705,610,0.621,613,1.291,743,0.7,778,2.371,781,1.256,823,0.801,824,0.839,837,1.372,844,0.621,855,0.372,930,0.681,938,1.563,940,0.811,944,1.329,956,1.441,957,0.801,968,0.681,975,0.839,976,1.563,979,2.425,1007,0.744,1016,0.681,1024,3.873,1073,0.886,1082,1.291,1123,1.421,1124,3.264,1125,0.524,1126,0.509,1127,0.839,1128,0.886,1129,0.839,1130,0.839,1131,0.886,1132,1.849,1133,0.649,1134,0.886,1135,0.649,1136,0.886,1137,0.532,1138,0.948,1139,0.948,1142,0.948,1143,0.948,1144,0.948,1145,0.886,1146,1.421,1147,0.948,1148,1.291,1150,0.948,1151,0.948,1152,0.839,1153,0.948,1154,0.948,1160,0.948,1161,0.948,1162,1.372,1164,0.801,1165,0.721,1166,1.909,1167,0.948,1168,0.54,1169,0.948,1170,0.839,1171,0.839,1172,0.948,1173,0.948,1175,0.886,1177,0.886,1178,0.681,1179,2.662,1189,1.761,1190,0.886,1191,1.748,1195,1.043,1196,1.043,1197,0.886,1198,1.043,1199,1.923,1200,0.664,1201,0.948,1202,1.043]],["t/2677",[0,0.686,1,1.756,28,3.146,37,5.309,39,1.168,40,2.026,274,2.662,930,3.644,931,4.121,1203,2.898,1204,3.604,1205,3.604,1206,3.604,1207,3.604,1208,3.06,1209,3.604,1210,3.604,1211,3.604,1212,3.604]],["t/2679",[0,0.52,1,1.755,3,1.704,18,3.279,28,1.787,33,1.496,57,1.28,90,1.592,91,1.61,135,3.017,229,4.28,294,2.06,477,1.665,930,3.81,931,4.308,956,2.929,1128,3.242,1130,3.071,1131,3.242,1133,3.628,1134,3.242,1135,3.628,1136,3.242]],["t/2681",[0,0.685,1,1.754,28,2.351,39,1.805,99,1.779,106,2.67,135,3.525,172,3.421,229,3.116,293,2.289,296,2.235,298,2.482,473,1.919,930,5.011,931,4.111,956,2.058,968,2.347,1129,4.476,1203,2.89,1208,4.726,1213,3.593,1214,3.593,1215,3.266,1216,3.593,1217,3.593,1218,3.593,1219,3.593,1220,3.593,1221,3.593,1222,3.593,1223,3.593]],["t/2683",[28,2.623,40,4.813,56,1.581,137,3.65,304,4.998,342,2.799,440,5.592,442,5.915,948,4.123,1224,7.782,1225,6.324,1226,6.324,1227,7.782,1228,7.782]],["t/2685",[0,0.383,1,1.095,4,1.97,7,1.958,13,1.244,16,1.914,17,2.065,27,1.631,31,3.429,32,2.123,50,1.32,56,0.792,57,3.008,61,1.286,64,1.189,66,1.849,74,2.503,96,3.716,106,1.68,111,2.571,121,1.314,131,3.388,136,3.324,160,1.515,174,1.856,223,1.769,225,1.528,244,2.328,252,2.962,263,4.345,286,1.849,307,3.243,311,1.263,312,4.157,322,3.196,332,1.75,345,3.898,355,1.163,360,4.891,367,2.289,370,3.167,372,4.539,377,2.962,444,2.065,507,3.151,566,2.455,583,2.668,596,3.515,597,3.791,598,3.578,600,4.397,601,3.167,765,4.701,778,3.872,844,2.554,940,1.808,941,5.404,976,2.503,1006,2.801,1012,5.404,1042,3.448,1123,3.167,1124,2.986,1148,4.271,1179,3.025,1229,4.288,1230,5.785,1231,4.288,1232,4.288,1233,4.288,1234,4.288,1235,6.365,1236,4.288,1237,4.288,1238,3.448,1239,1.324,1240,3.344,1241,3.64,1242,5.119,1243,3.448,1244,1.914]],["t/2687",[0,0.75,1,0.919,4,1.702,28,2.881,37,5.806,50,0.864,52,5.123,57,2.136,61,1.079,70,1.952,131,2.844,135,3.296,137,2.716,174,1.808,176,3.892,182,4.058,223,2.628,227,2.211,229,4.574,241,3.027,250,2.878,263,3.296,282,3.068,286,2.747,288,4.348,312,6.143,401,3.795,405,3.246,440,4.161,462,3.518,676,5.409,926,3.581,932,4.058,1245,5.791,1246,4.895,1247,5.791,1248,5.123,1249,5.409,1250,4.161,1251,5.409,1252,3.795,1253,6.371,1254,4.401,1255,5.409,1256,4.401,1257,5.123]],["t/2689",[0,0.754,1,1.727]],["t/2691",[0,0.705,1,1.734,39,3.123,1258,7.897,1259,7.897]],["t/2693",[0,0.798,1,1.674,1260,7.589]],["t/2695",[0,0.786,1,1.696,710,8.007]],["t/2697",[0,0.816,1,1.594,1261,9.139]],["t/2699",[0,0.851,1,1.753,202,5.461,356,2.664,357,3.447,571,3.259,785,2.436,786,1.936,788,1.936,796,4.535,1093,4.535,1262,4.99,1263,4.99,1264,4.535,1265,4.99,1266,4.99,1267,4.99]],["t/2701",[0,0.769,1,1.713,141,5.033]],["t/2703",[0,0.91,1,1.701,27,3.304]],["t/2705",[1,1.733,1268,7.022]],["t/2707",[0,0.95,1,1.746,160,2.428,444,3.31,571,4.49,892,4.612]],["t/2709",[0,0.946,4,1.419,7,1.253,8,2.982,23,3.011,28,1.759,51,2.728,54,2.368,61,1.328,62,2.953,83,1.734,90,3.268,121,1.759,136,2.272,137,3.341,143,3.304,147,2.227,148,4.24,172,2.883,187,4.094,194,4.133,208,2.344,225,2.046,290,2.626,299,2.693,366,1.787,369,3.417,388,2.765,512,3.676,538,1.992,940,2.42,1006,3.75,1179,3.724,1181,4.412,1200,4.992,1239,1.773,1269,5.218,1270,5.218,1271,3.852,1272,5.741,1273,4.617,1274,4.617,1275,4.617,1276,4.094,1277,5.016,1278,3.493,1279,3.657,1280,3.572,1281,4.412,1282,4.241,1283,3.572,1284,3.351,1285,4.241]],["t/2711",[0,0.651,1,1.755,7,1.131,19,3.024,69,3.152,566,4.179,897,4.398,1286,5.18,1287,5.18,1288,5.18]],["t/2713",[1,1.751,5,0.93,13,1.368,44,1.389,65,0.521,69,1.773,70,0.893,72,0.658,83,1.043,106,2.674,121,1.445,223,1.203,268,1.702,293,3.783,294,1.03,355,0.791,383,1.736,467,3.624,566,1.669,569,2.45,573,3.004,607,1.857,610,1.736,636,2.649,723,2.809,725,2.809,727,2.809,729,1.813,751,1.857,785,2.9,844,1.736,893,4.776,1137,1.485,1146,2.153,1289,2.915,1290,6.203,1291,5.939,1292,2.649,1293,4.716,1294,2.915,1295,2.915,1296,2.649,1297,2.475,1298,2.014,1299,2.915,1300,2.649,1301,5.939,1302,4.716,1303,2.915,1304,2.915,1305,2.915,1306,2.915,1307,2.915,1308,4.287,1309,2.915,1310,2.649,1311,2.475,1312,2.915,1313,2.915,1314,2.915,1315,2.915,1316,2.915,1317,2.649,1318,2.915,1319,2.649,1320,2.915,1321,2.915,1322,2.915,1323,2.915,1324,2.915,1325,2.915]],["t/2715",[0,0.479,1,1.739,13,1.556,44,1.58,106,2.93,121,2.291,143,2.261,223,2.212,224,3.014,226,4.553,268,3.13,297,4.312,542,2.655,566,3.071,569,2.212,610,5.127,723,3.194,725,3.194,727,3.194,785,3.65,1137,2.733,1290,8.465,1292,4.874,1296,6.796,1310,4.874,1319,4.874,1326,8.465,1327,5.362,1328,3.961,1329,5.362,1330,5.362,1331,5.362,1332,5.362,1333,5.362]],["t/2717",[0,0.563,1,1.748,19,3.681,223,2.601,224,3.544,254,5.952,312,4.118,566,3.61,751,4.016,1308,8.505,1334,6.305,1335,6.305]],["t/2719",[0,0.803,4,1.723,7,1.546,10,3.423,37,3.433,38,1.787,39,2.677,40,3.983,50,1.291,51,3.367,54,1.319,55,2.611,56,1.662,61,1.2,67,3.601,90,2.072,98,3.241,110,4.895,127,1.82,128,2.532,129,3.023,137,2.118,151,2.833,153,3.367,162,3.983,174,1.656,177,2.901,179,6.346,192,2.611,193,3.671,194,2.142,225,1.771,229,3.241,242,2.571,244,3.847,245,2.845,282,2.393,314,3.091,334,1.891,355,1.922,365,3.433,456,2.495,462,2.744,478,2.744,512,2.596,892,3.334,926,2.793,932,3.165,933,3.818,943,6.016,946,2.744,1042,3.996,1179,2.361,1239,2.188,1336,4.517,1337,4.969,1338,3.996,1339,4.969,1340,4.969,1341,4.219,1342,4.517,1343,3.818,1344,4.219,1345,3.818,1346,3.818,1347,4.969,1348,4.969,1349,3.818,1350,3.334,1351,4.517,1352,3.433,1353,4.219,1354,3.996,1355,4.969]],["t/2721",[40,5.062,83,1.992,174,1.566,311,2.653,364,4.808,366,2.803,369,3.926]],["t/2723",[62,3.249,63,3.28,66,3.717,67,3.76,153,4.097,174,1.766,194,3.717,227,2.992,229,4.644,307,4.394,522,4.097]],["t/2725",[0,0.838,1,1.21,2,1.945,4,1.879,6,2.211,7,0.933,17,2.058,27,3.19,33,1.674,40,2.402,50,1.429,51,2.031,54,2.378,56,1.172,61,1.42,62,2.392,63,1.626,66,3.266,67,2.768,70,1.309,83,1.676,96,2.494,98,1.954,105,2.36,106,1.674,112,5.626,118,2.177,135,3.919,153,3.017,162,2.402,174,0.743,177,2.494,181,2.545,182,2.722,186,1.463,192,3.336,194,2.737,225,2.7,229,4.446,244,2.32,245,2.447,266,2.211,311,1.259,322,2.146,334,1.626,366,2.358,369,1.863,372,5.402,375,3.949,383,2.545,423,2.494,507,2.115,512,3.071,538,1.483,596,2.36,597,2.545,598,2.402,600,2.952,762,1.658,855,1.523,926,3.569,930,2.791,956,1.58,1038,4.527,1239,1.319,1247,3.884,1257,3.436,1282,3.156,1356,2.658,1357,3.436,1358,2.583,1359,4.273,1360,4.273,1361,3.436,1362,3.628,1363,3.628,1364,3.628,1365,3.099,1366,3.283,1367,4.273,1368,3.283,1369,3.283]],["t/2727",[4,1.734,9,2.537,10,1.817,19,2.949,33,1.979,38,1.817,39,1.638,50,1.388,54,1.341,56,0.933,61,1.214,62,2.701,65,0.902,74,2.949,83,1.586,88,2.79,106,1.979,110,3.49,118,2.574,128,2.574,129,3.073,131,2.255,135,4.311,150,3.644,151,2.02,165,2.742,171,5.184,174,0.879,176,2.339,180,5.009,183,3.5,186,1.652,227,1.753,253,2.79,282,2.433,284,2.79,291,3.3,293,3.218,295,1.885,299,3.363,369,3.126,462,2.79,475,4.062,512,1.851,522,2.401,545,3.218,583,3.143,844,4.964,933,3.882,946,2.79,948,3.452,956,2.651,957,3.882,969,3.731,972,4.592,1017,4.062,1068,3.882,1098,3.5,1120,3.218,1164,3.882,1165,3.49,1364,4.289,1370,3.882,1371,4.062,1372,3.603,1373,5.765,1374,5.052,1375,5.052,1376,4.062,1377,3.603,1378,4.592,1379,4.592,1380,5.052,1381,5.052,1382,5.052,1383,1.769,1384,5.052,1385,3.39,1386,2.654]],["t/2729",[0,0.455,1,1.313,2,1.56,4,1.806,7,1.574,13,1.478,16,2.274,18,2.863,27,3.796,31,2.301,32,2.522,50,1.354,57,3.221,61,1.628,64,1.413,72,1.15,91,2.148,93,3.519,96,2.974,106,1.996,111,2.058,131,3.219,136,3.603,153,2.421,160,1.799,174,1.584,181,4.296,186,1.174,228,3.418,229,3.298,230,3.327,234,3.519,251,2.765,263,3.731,307,3.675,322,3.621,332,2.079,355,1.382,364,2.72,366,1.586,390,3.245,438,3.633,507,2.522,522,2.421,538,1.768,564,3.763,566,2.917,583,3.169,596,2.813,597,3.034,598,2.863,778,4.387,918,3.914,940,2.148,1123,3.763,1124,3.383,1179,3.427,1203,4.096,1241,4.325,1242,5.799,1243,4.096,1244,2.274,1250,3.327,1362,4.325,1363,4.325,1387,5.094,1388,4.325,1389,3.914]],["t/2731",[0,0.859,4,1.911,6,3.458,10,3.891,27,2.543,40,4.875,50,1.515,56,1.234,61,1.132,70,2.048,74,3.902,110,4.618,174,1.772,176,3.096,177,3.902,179,5.137,244,3.629,253,3.692,263,4.981,293,4.258,322,3.357,355,1.813,522,3.177,1230,6.076,1344,5.675,1345,5.137,1346,5.137,1356,4.159,1390,6.685,1391,6.685]],["t/2733",[0,0.7,61,1.329,90,4.322,98,3.589,118,3.998,143,3.308,147,3.044,148,3.728,174,1.365,177,4.58,416,4.259,512,2.874,940,4.045,948,3.778,1277,4.41,1279,6.111,1280,5.968,1281,6.029,1352,5.42,1392,6.029,1393,5.265,1394,6.661]],["t/2736",[0,0.804,11,2.676,23,2.248,24,3.56,50,0.794,51,2.781,54,2.107,56,1.08,59,3.485,61,1.526,63,2.226,65,1.418,69,3.56,83,1.294,90,3.311,128,4.046,141,5.897,143,4.392,147,3.749,148,4.95,167,3.822,185,1.635,192,3.074,193,4.322,223,2.414,225,2.086,227,3.127,311,1.724,349,4.968,364,3.124,369,2.552,375,3.64,456,2.938,501,4.042,512,2.143,697,4.706,871,4.322,1250,3.822,1252,3.485,1276,4.173,1279,3.727,1280,3.64,1328,4.322,1349,4.496,1395,4.706,1396,6.924,1397,4.968,1398,4.968,1399,4.706,1400,5.318,1401,5.318]],["t/2738",[0,0.715,11,2.715,23,2.281,24,3.612,50,1.088,51,2.821,56,1.48,59,3.536,61,1.358,85,3.278,90,2.476,143,4.586,147,3.11,148,3.81,167,3.878,185,1.659,186,1.368,191,3.878,209,3.969,223,2.449,227,2.06,349,5.04,353,4.562,364,3.17,366,1.848,393,2.025,416,3.223,456,2.981,466,3.025,497,4.562,498,3.878,501,4.101,507,2.939,509,4.234,512,2.175,515,3.878,599,5.237,940,3.38,1060,3.984,1152,4.774,1250,3.878,1279,3.781,1280,3.693,1349,4.562,1392,4.562,1397,5.04,1398,6.807,1399,7.3,1400,7.287,1402,5.937,1403,5.937,1404,5.04,1405,5.937,1406,5.396,1407,5.937,1408,5.937,1409,5.937]],["t/2740",[0,0.572,11,2.929,50,0.869,54,1.7,63,2.436,66,2.761,67,2.793,68,3.126,121,2.584,137,4.272,143,4.39,148,5.18,153,3.043,174,1.114,222,4.424,223,2.642,224,3.6,225,3.006,243,4.183,251,3.476,299,3.004,330,3.896,376,2.73,456,3.216,869,3.739,871,4.73,968,4.183,1022,4.183,1244,2.859,1277,6.01,1278,5.131,1369,4.921,1395,5.15,1399,5.15,1404,5.437,1410,5.437,1411,5.437,1412,5.437,1413,5.437,1414,5.437,1415,5.437]],["t/2743",[0,0.906,1,0.563,13,1.133,16,1.743,25,3.533,34,2.55,50,1.087,51,1.855,54,1.036,56,0.721,59,2.325,61,1.005,66,1.683,67,1.702,68,1.906,70,2.64,83,0.864,90,1.628,91,1.646,106,1.53,119,6.269,121,1.196,125,2.119,143,3.024,147,1.514,148,1.855,150,3.278,170,4.588,176,3.711,186,0.9,223,2.96,299,1.831,311,1.15,322,1.96,366,1.215,369,1.702,381,2.784,383,2.325,388,1.88,393,2.023,401,2.325,405,1.989,407,2.697,416,2.119,456,1.96,464,3.808,466,1.989,478,3.276,484,2.784,507,1.932,509,2.784,512,3.324,522,2.819,526,4.381,538,1.355,599,2.55,607,2.487,701,3.139,721,3.548,848,2.697,851,3.314,852,6.803,854,3.548,861,3.314,940,2.501,1060,3.98,1111,2.194,1124,1.831,1182,2.883,1186,6.347,1279,5.104,1280,4.985,1281,3,1283,2.429,1297,3.314,1357,5.769,1369,3,1386,3.117,1392,4.558,1399,3.139,1416,3.904,1417,2.279,1418,3.904,1419,3.548,1420,3.904,1421,3.904,1422,7.174,1423,3.904,1424,3.314,1425,3.139,1426,3.139,1427,8.013,1428,3.904,1429,3.904,1430,5.932,1431,3.904,1432,3.904,1433,3.548,1434,3.314,1435,3.139,1436,3.548,1437,3.904,1438,5.932,1439,5.932,1440,3.904]],["t/2745",[0,0.727,1,1.459,2,1.486,4,1.777,10,2.505,15,1.547,27,1.845,35,3.255,50,0.945,54,2.363,56,0.896,57,1.626,64,1.345,67,2.115,96,2.832,106,2.729,125,2.633,131,2.165,137,2.068,153,3.31,154,3.255,155,3.459,165,3.781,172,2.436,176,2.246,177,2.832,185,1.946,186,1.605,192,2.549,225,3.174,229,2.219,242,2.509,244,3.781,245,5.099,253,2.679,274,6.019,286,2.091,311,2.401,364,2.59,375,4.333,393,1.654,405,2.472,464,2.305,507,3.448,512,3.262,524,1.251,545,3.09,583,3.018,596,2.679,597,2.889,598,2.727,918,3.727,932,3.09,948,2.336,1022,3.168,1124,2.275,1246,3.727,1279,3.09,1280,3.018,1350,3.255,1362,5.913,1363,4.118,1386,2.549,1419,7.406,1441,8.094,1442,4.851,1443,4.851,1444,4.118,1445,4.851,1446,2.951,1447,4.851,1448,4.851,1449,3.727,1450,4.851,1451,4.851,1452,4.851,1453,4.409,1454,4.851]],["t/2748",[0,0.846,50,1.152,56,1.195,59,3.855,65,1.517,90,3.541,91,2.729,143,2.729,170,3.706,171,4.026,183,3.16,184,4.973,209,3.204,223,2.67,237,6.056,241,3.076,250,3.837,258,3.778,266,3.348,311,1.907,322,3.25,355,1.756,393,2.896,438,6.056,456,4.264,464,4.035,478,3.574,512,3.111,598,3.638,697,7.622,701,5.205,947,4.343,1060,4.343,1248,5.205,1279,5.409,1280,5.283,1406,5.883,1455,4.957,1456,5.883,1457,5.205,1458,3.706,1459,5.495,1460,6.472]],["t/2750",[0,0.777,1,1.095,7,2.155,17,2.64,44,2.909,55,2.881,69,4.62,90,2.287,121,1.68,141,3.201,143,4.162,147,3.379,148,4.139,181,3.266,182,3.492,186,1.264,223,3.879,225,1.954,253,4.193,282,3.657,311,1.615,366,1.707,375,3.411,407,3.788,444,2.64,456,4.374,488,3.788,515,3.581,522,4.139,538,1.903,842,6.446,848,3.788,940,2.312,947,3.679,1060,3.679,1279,3.492,1280,3.411,1284,4.433,1328,4.05,1396,4.213,1434,4.655,1455,6.525,1461,5.835,1462,4.984,1463,3.91,1464,5.483,1465,7.593,1466,5.483,1467,5.483,1468,5.483]],["t/2753",[4,1.184,7,1.428,13,2.481,17,4.588,39,2.121,44,2.519,50,0.888,61,1.449,65,1.805,88,3.612,145,3.612,174,1.138,183,3.193,209,3.238,258,4.992,266,3.384,284,3.612,342,2.138,376,2.789,405,3.334,427,4.665,440,4.273,450,5.946,488,5.908,561,4.519,569,3.528,737,4.118,895,4.519,932,4.167,940,3.605,1020,6.877,1085,5.261,1284,4.992,1372,4.665,1457,5.261,1469,4.832,1470,5.32,1471,5.946,1472,6.571,1473,6.542,1474,5.946]],["t/2755",[0,0.887,4,1.295,7,1.562,8,2.722,65,1.618,74,4.177,111,2.891,125,3.884,136,2.832,137,3.05,209,3.542,374,5.285,440,4.674,443,4.802,538,2.483,607,4.558,610,4.262,613,4.802,938,4.177,939,4.802,940,3.017,1076,4.943,1083,5.754,1111,4.022,1179,4.305,1185,6.075,1189,3.233,1200,5.771,1284,5.803,1368,5.499,1386,3.76,1472,6.961,1475,6.504,1476,7.156]],["t/2757",[0,0.57,1,1.214,4,1.377,8,1.637,23,2.452,39,2.466,50,1.032,51,2.045,60,2.512,61,1.081,63,2.428,65,1.787,66,1.855,67,2.783,68,2.101,69,2.618,70,1.318,72,0.972,81,2.677,88,2.376,106,3.688,111,1.738,116,3.178,118,2.193,131,2.849,136,1.703,160,1.52,162,3.587,186,0.992,209,3.765,240,2.973,242,2.226,331,2.677,366,1.339,389,2.464,393,2.176,402,5.418,407,2.973,413,4.714,451,3.911,461,2.887,478,3.524,484,3.069,533,5.418,538,2.215,737,3.663,922,2.811,940,2.69,946,2.376,1102,3.178,1113,8.555,1121,4.282,1179,3.033,1200,2.741,1284,5.495,1300,3.911,1372,4.551,1385,4.282,1472,6.465,1477,4.303,1478,4.303,1479,4.303,1480,4.303,1481,4.303,1482,3.461,1483,4.303,1484,2.298,1485,3.461,1486,3.653,1487,5.132,1488,4.303,1489,4.303,1490,4.303,1491,4.303,1492,6.381,1493,4.303,1494,4.303,1495,4.303,1496,4.303,1497,3.653,1498,3.911,1499,6.381,1500,6.381,1501,3.911,1502,4.303,1503,4.303,1504,7.606,1505,6.381,1506,4.303,1507,3.911,1508,3.911,1509,4.303]],["t/2759",[136,3.538,177,5.218,209,4.425,916,6.175,922,5.838,940,3.768,1284,5.218,1383,3.129]],["t/2761",[0,0.617,57,2.971,58,3.329,65,1.235,80,5.312,81,4.3,106,2.708,111,2.792,131,3.956,136,4.222,174,1.701,186,1.593,209,4.387,241,3.285,258,4.035,288,3.576,290,3.161,382,5.312,401,4.117,478,3.817,512,2.532,539,4.775,610,4.117,968,4.515,1179,3.285,1200,4.403,1201,6.283,1260,5.868,1284,6.023,1285,6.546,1385,4.638,1472,7.516,1510,6.283]],["t/2763",[0,0.809,1,1.034,4,0.914,13,2.418,17,2.433,44,2.455,55,2.654,56,1.539,65,1.828,73,3.812,106,1.979,111,2.041,125,3.892,140,2.742,180,2.79,186,1.164,209,2.501,227,3.453,250,2.282,288,3.709,290,2.31,296,5.643,307,2.574,316,4.062,377,3.49,388,2.433,444,2.433,446,3.218,470,3.882,488,3.49,524,1.302,545,3.218,569,2.084,600,3.49,601,3.731,602,4.062,605,7.575,607,3.218,610,4.27,613,3.39,737,2.433,922,3.3,940,3.023,1120,4.566,1246,3.882,1250,4.683,1251,4.289,1257,4.062,1284,4.185,1455,2.949,1469,5.296,1472,3.882,1508,4.592,1511,4.062,1512,5.052,1513,3.882,1514,5.052,1515,7.169,1516,6.516,1517,5.052,1518,5.052,1519,5.052,1520,5.052,1521,5.052,1522,5.052,1523,8.334,1524,5.052,1525,5.052,1526,5.052,1527,5.052,1528,5.052,1529,4.592,1530,4.592]],["t/2765",[8,3.327,51,4.156,68,4.27,192,4.596,566,5.862,893,7.034,940,3.687,1283,5.441,1284,5.106,1386,4.596]],["t/2767",[0,0.527,4,1.639,6,3.056,11,3.655,15,1.884,23,2.27,33,2.315,50,1.316,54,2.69,55,3.104,56,1.091,61,1.77,65,1.427,66,2.547,70,1.81,89,3.675,94,2.884,98,2.702,112,3.964,143,3.369,145,3.263,147,3.513,148,4.964,149,4.364,191,5.22,227,2.05,288,3.056,366,1.839,393,3.088,423,3.449,427,4.213,444,2.845,522,4.303,538,2.05,869,4.665,948,2.845,956,2.955,1271,3.964,1276,6.458,1277,4.492,1365,2.884,1393,3.964,1531,5.37,1532,4.213]],["t/2769",[11,3.638,23,1.785,50,0.916,54,2.111,58,2.238,61,1.144,62,2.997,70,3.244,83,1.028,90,1.938,106,2.646,111,1.877,116,3.433,121,1.424,123,1.803,135,5.55,136,3.148,143,2.847,148,5.316,174,0.808,186,1.071,216,3.314,222,3.211,223,1.917,224,2.612,225,2.407,242,2.404,251,2.523,253,2.566,307,2.368,398,3.314,456,2.334,484,3.314,513,3.036,530,3.737,539,3.211,625,3.946,785,2.269,844,2.768,869,4.643,1022,4.411,1067,4.224,1075,3.433,1083,3.737,1111,2.612,1179,2.208,1185,3.946,1244,2.075,1276,5.672,1277,3.796,1278,2.827,1279,2.96,1280,2.891,1366,3.571,1386,3.548,1393,4.531,1410,3.946,1411,3.946,1412,3.946,1413,3.946,1414,3.946,1415,3.946,1459,3.946,1470,2.891,1533,4.647,1534,3.211,1535,4.647,1536,3.946,1537,4.647,1538,4.647,1539,4.224,1540,4.647,1541,3.433,1542,4.647,1543,3.946,1544,4.224,1545,3.314,1546,3.737,1547,4.224]],["t/2771",[4,1.266,27,3.396,65,1.249,76,3.733,127,3.27,135,3.617,140,5.338,148,4.673,160,2.47,177,4.081,294,2.47,295,3.332,296,4.349,300,3.071,393,2.384,420,4.101,956,3.301,1055,4.242,1056,6.167,1057,5.936,1059,5.936,1066,6.366,1277,3.93,1497,5.936,1539,6.355,1548,6.355,1549,6.992,1550,5.936,1551,5.936,1552,5.936,1553,6.355,1554,5.936]],["t/2773",[11,2.086,21,3.668,50,0.619,51,2.167,54,2.088,58,2.196,61,1.466,64,1.265,70,1.397,83,1.473,106,3.766,118,3.394,135,5.368,143,4.289,147,2.584,148,4.834,183,2.226,186,1.994,187,3.252,216,6.563,225,1.625,242,2.359,293,2.905,307,2.324,311,1.344,314,2.837,316,3.668,330,2.775,387,2.662,393,2.271,484,3.252,529,5.356,530,3.668,855,1.625,869,5.793,892,3.06,948,2.196,1277,6.007,1350,3.06,1358,1.555,1386,2.396,1393,5.279,1511,3.668,1534,3.151,1536,3.872,1555,3.504,1556,4.56,1557,7.151,1558,4.56,1559,7.868,1560,4.56,1561,7.868,1562,4.56,1563,4.56,1564,7.151,1565,8.365,1566,4.145,1567,4.56,1568,4.56,1569,4.145,1570,4.56,1571,4.56,1572,4.56,1573,4.56,1574,4.145]],["t/2775",[3,3.454,4,1.02,27,2.944,33,3.032,51,2.678,54,1.495,61,1.611,65,1.007,94,4.644,106,2.208,118,2.872,127,2.834,140,4.797,147,3.69,148,5.013,160,1.99,178,4.162,185,1.574,186,1.299,207,4.019,294,1.99,295,2.103,296,3.506,298,3.893,300,1.939,393,2.639,420,4.295,762,3.002,956,3.517,976,3.289,1042,6.223,1055,2.678,1056,5.345,1059,4.784,1066,6.784,1181,5.946,1277,4.35,1497,6.569,1550,4.784,1551,4.784,1552,4.784,1553,5.122,1554,4.784,1555,7.31,1575,5.122,1576,5.635]],["t/2777",[1,1.566,50,0.798,54,1.56,61,1.807,65,1.863,94,3.888,135,4.121,140,5.663,148,5.157,149,4.343,160,2.814,185,1.643,186,1.355,187,4.193,251,3.192,294,2.814,295,2.973,300,2.74,393,2.005,420,2.452,956,3.34,1055,3.785,1056,5.503,1277,4.477,1393,5.345,1550,6.762,1551,6.762,1552,6.762,1557,7.24,1577,7.24,1578,7.24]],["t/2779",[0,0.6,1,1.256,50,1.181,54,1.784,61,1.139,70,2.059,94,4.249,135,4.994,148,4.587,149,4.965,160,2.374,183,3.281,185,1.878,186,1.549,187,4.794,250,3.037,251,3.649,253,3.712,333,4.282,393,2.968,420,2.803,522,4.136,573,5.544,946,3.712,956,3.218,1055,4.136,1056,6.013,1111,3.779,1132,4.644,1277,4.893,1393,5.84,1513,5.165,1577,6.11,1578,7.911,1579,8.704,1580,5.406]],["t/2781",[11,3.434,15,2.394,39,2.434,50,1.019,54,1.992,61,1.272,68,3.665,70,2.3,75,3.477,88,5.156,135,4.83,143,3.165,194,3.237,195,6.038,240,5.187,308,4.472,343,5.546,378,6.824,444,3.616,449,6.038,473,4.009,537,2.629,539,5.187,869,5.45,1120,4.782,1264,6.824,1370,5.769,1581,7.508,1582,6.824,1583,5.546,1584,6.374]],["t/2783",[0,0.829,18,3.49,58,2.99,65,1.476,141,6.017,143,4.345,147,3.84,148,4.704,164,4.586,172,4.149,185,1.735,186,2.14,216,7.059,284,3.429,299,2.912,314,3.862,338,5.396,364,3.315,366,1.933,393,2.117,456,3.118,501,4.289,869,5.42,942,5.271,1277,3.49,1328,4.586,1393,5.544,1396,7.135,1397,5.271,1401,5.643,1536,7.014,1564,7.51,1585,6.209,1586,4.428,1587,8.262,1588,5.643]],["t/2785",[0,0.949,23,2.884,50,1.019,54,1.992,56,1.724,185,2.098,311,2.212,329,6.038,355,2.037,366,3.163,376,3.201,393,2.561,694,5.187,737,3.616,917,5.187,1016,4.904,1179,3.568,1200,4.782,1338,6.038,1356,5.808,1365,3.665,1589,7.508,1590,6.824,1591,5.187,1592,7.508,1593,6.038,1594,7.508]],["t/2787",[44,2.226,45,4.596,50,1.515,61,1.28,62,2.847,64,2.095,106,3.672,107,5.58,108,5.219,174,1.314,176,3.499,177,4.41,322,4.707,393,3.197,476,5.805,514,6.867,844,6.07,1074,6.414,1385,5.069,1461,5.805,1482,6.075,1595,7.554,1596,7.554]],["t/2789",[0,0.678,44,2.24,59,5.604,61,1.288,114,4.625,225,2.709,311,2.24,366,2.366,454,6.454,456,3.817,470,5.841,571,4.965,953,5.841,1225,5.615,1226,5.615,1338,6.113,1349,5.841,1597,6.909,1598,7.602,1599,7.602,1600,7.602,1601,7.602,1602,4.729,1603,7.602,1604,7.602,1605,7.602,1606,7.602,1607,7.602,1608,7.602,1609,7.602,1610,7.602]],["t/2791",[0,0.585,1,0.946,5,1.694,8,1.287,9,3.293,44,0.997,50,0.459,66,3.202,67,2.859,68,3.201,70,2.275,81,2.105,87,2.413,108,2.338,111,2.649,114,2.059,121,2.472,123,2.061,131,2.927,136,2.94,174,0.589,176,3.037,183,2.593,186,0.78,192,1.778,203,3.923,238,2.721,260,2.593,282,2.558,311,1.565,314,2.105,328,1.195,334,2.495,347,5.273,355,2.189,356,1.807,365,5.131,366,2.312,367,2.836,442,3.669,446,3.383,455,2.721,456,1.699,512,1.946,522,3.835,524,1.915,543,3.469,571,3.469,599,2.21,694,4.53,713,2.6,749,3.564,764,1.869,765,2.5,778,3.232,800,3.164,809,5.96,810,7.202,811,6.751,812,3.076,813,4.828,814,3.076,815,3.076,816,5.96,817,3.076,818,3.076,819,4.509,821,7.784,822,3.076,823,2.6,824,2.721,825,3.076,826,4.828,827,4.828,828,3.076,829,3.076,830,3.076,831,3.076,832,3.076,833,3.076,834,3.076,835,3.076,836,3.076,837,2.413,838,4.509,839,1.675,840,3.076,851,2.873,855,1.206,892,3.564,953,4.082,967,3.923,1053,5.486,1225,5.486,1226,5.486,1256,2.338,1366,4.082,1611,3.076,1612,5.312,1613,3.384,1614,3.384,1615,3.384,1616,3.384,1617,6.557,1618,4.272,1619,5.917,1620,5.312,1621,4.828,1622,5.312,1623,4.828,1624,3.384,1625,3.384,1626,1.699,1627,3.384,1628,3.384]],["t/2793",[0,0.905,4,1.558,10,3.349,23,2.06,28,2.637,61,1.266,113,3.336,128,2.733,132,3.338,137,3.187,153,2.548,174,0.933,229,2.453,242,2.774,248,1.072,268,3.13,283,3.503,304,5.025,366,2.327,367,4.972,390,3.416,407,3.705,440,4.884,538,1.861,543,3.503,737,3.601,855,1.911,924,4.874,926,3.014,940,3.152,1225,5.523,1226,5.523,1227,6.796,1228,6.796,1356,5.355,1365,3.65,1373,4.312,1446,4.549,1458,3.071,1463,3.824,1591,3.705,1602,3.336,1626,2.693,1629,4.553,1630,3.598,1631,5.332,1632,3.705,1633,4.553,1634,4.312,1635,3.961,1636,3.961,1637,4.312,1638,4.312,1639,4.874,1640,4.553,1641,4.553,1642,6.348,1643,4.874,1644,4.553,1645,4.874,1646,4.553,1647,4.874,1648,5.362,1649,5.362,1650,5.362]],["t/2795",[0,0.705,1,0.663,4,1.572,12,4.704,15,1.465,28,1.408,36,3.765,39,1.49,50,1.41,56,1.237,61,1.564,63,1.748,83,1.017,98,2.102,123,4.033,136,2.651,137,1.959,145,2.537,171,4.166,174,0.799,208,1.876,210,2.377,225,1.638,227,1.595,245,2.631,299,4.33,308,2.737,369,2.004,372,3.277,393,2.284,518,3.695,522,4.126,524,1.727,607,2.927,743,3.083,781,3.001,837,4.776,944,3.174,948,3.225,967,3.394,979,4.166,1024,3.394,1072,3.531,1077,4.177,1082,3.083,1098,2.243,1124,3.706,1178,4.374,1180,5.386,1252,2.737,1271,3.083,1350,3.083,1366,3.531,1376,3.695,1446,2.795,1484,2.453,1586,3.277,1636,3.394,1651,3.901,1652,5.686,1653,6.087,1654,4.177,1655,4.177,1656,4.177,1657,4.177,1658,4.177,1659,3.277,1660,4.177,1661,4.177,1662,4.177,1663,4.177,1664,4.595,1665,4.595,1666,4.595,1667,4.595,1668,6.697,1669,4.177,1670,4.595,1671,6.087,1672,4.595,1673,4.595,1674,4.595,1675,3.901,1676,4.595]],["t/2797",[0,0.52,3,2.6,4,1.746,10,2.094,12,4.581,15,1.857,28,1.784,38,2.094,39,1.888,40,3.273,50,1.532,61,0.986,123,2.259,126,4.301,131,2.6,137,3.832,148,3.76,183,2.843,334,2.215,366,3.312,543,3.804,571,3.804,607,3.709,743,5.31,781,3.804,810,4.683,837,4.153,968,3.804,969,7.449,1082,5.31,1162,4.153,1178,3.804,1278,4.814,1444,4.944,1652,7.631,1653,5.293,1654,5.293,1655,5.293,1657,5.293,1658,5.293,1661,5.293,1662,5.293,1677,5.293,1678,5.293,1679,4.944,1680,7.193]],["t/2799",[0,0.709,28,2.435,61,1.346,62,2.995,153,4.595,174,1.682,225,2.833,245,4.551,311,2.342,361,5.668,365,5.491,366,2.474,367,5.163,855,2.833,926,5.436,930,5.192,931,5.871,1602,4.945,1629,6.748,1681,7.776]],["t/2801",[0,0.624,4,1.266,50,1.211,225,2.492,245,4.003,311,2.06,335,4.081,361,7.013,366,2.176,369,4.518,390,4.453,872,4.986,940,2.948,1008,7.579,1068,6.86,1356,4.349,1394,5.936,1435,7.179,1602,4.349,1630,4.691,1632,4.83,1635,7.907,1682,5.372,1683,6.355,1684,5.936,1685,5.623,1686,8.114,1687,6.355,1688,7.179,1689,6.355,1690,6.355]],["t/2803",[0,0.709,9,3.991,61,1.638,174,1.682,191,5.192,208,3.245,304,5.645,334,3.024,367,4.244,440,5.192,513,5.192,538,2.758,543,5.192,926,4.468,1075,5.871,1356,4.945,1602,4.945,1642,6.748,1645,7.225,1646,6.748,1691,7.948,1692,5.871]],["t/2805",[0,0.738,4,1.497,56,1.527,62,3.117,64,2.294,111,3.342,150,3.147,174,1.723,524,2.133,561,5.714,778,6.026,1110,6.356,1531,7.519,1602,5.146,1693,7.519,1694,6.356,1695,7.022]],["t/2807",[0,0.581,28,1.993,50,0.883,56,1.201,66,2.805,67,2.837,118,3.316,132,2.905,174,1.482,229,2.976,282,3.133,311,1.917,335,3.798,361,7.19,369,4.397,375,4.048,376,2.774,390,5.428,406,5.233,522,3.092,737,3.133,872,4.64,926,4.79,930,4.25,931,4.806,940,2.743,1008,5.524,1068,5,1208,5.524,1394,5.524,1435,6.853,1602,5.301,1632,4.495,1635,7.731,1683,5.914,1684,5.524,1685,5.233,1686,7.746,1687,5.914,1688,6.853,1689,5.914,1690,5.914]],["t/2809",[0,0.631,1,1.02,4,1.628,5,2.256,6,3.659,7,2.344,8,2.691,28,3.188,50,0.96,56,1.66,61,1.523,63,2.691,81,4.4,111,2.857,136,2.799,137,3.834,174,1.23,312,4.62,376,3.015,1006,5.874,1111,3.976,1179,4.699,1239,3.213,1383,2.476,1458,4.05,1696,7.073,1697,6.429]],["t/2811",[0,0.617,1,0.997,4,1.771,5,2.204,6,3.576,7,2.252,8,2.63,28,2.997,50,1.202,96,4.035,111,3.58,121,2.118,131,3.956,136,4.083,174,1.542,178,5.106,227,2.399,263,4.585,307,3.522,312,4.515,447,5.868,507,3.422,596,3.817,598,3.886,1006,4.515,1084,5.868,1179,4.211,1239,3.021,1698,6.283,1699,6.283]],["t/2813",[0,0.818,1,1.323,4,1.946,7,2.139,17,3.912,27,3.091,28,3.002,50,1.428,96,3.534,106,2.372,111,2.446,132,2.703,136,3.215,174,1.053,223,2.498,227,2.819,263,3.132,288,3.132,307,3.085,377,4.183,388,2.916,390,3.857,507,2.997,596,3.343,598,3.403,600,5.612,601,4.472,1006,6.4,1171,4.869,1239,2.831,1282,6.773,1698,5.503,1700,6.055,1701,6.055,1702,4.472,1703,8.124,1704,8.124,1705,6.055]],["t/2815",[0,0.67,5,2.394,6,3.884,7,2.038,8,2.856,28,2.3,50,1.267,57,3.13,65,1.341,136,4.208,160,2.652,176,3.477,181,4.472,186,1.73,191,4.904,250,4.218,288,3.884,290,4.27,355,2.037,356,4.009,541,5.769,1006,6.099,1239,2.318,1282,6.897]],["t/2817",[5,2.394,6,3.884,7,1.639,8,2.856,18,5.249,28,2.3,50,1.019,54,1.992,57,3.13,61,1.272,62,2.829,64,2.082,65,1.341,72,1.695,136,4.208,165,4.076,174,1.306,186,1.73,200,5.038,227,2.606,311,2.212,312,4.904,478,4.146,785,5.19,1179,3.568,1282,5.546]],["t/2819",[0,0.723,2,2.484,4,1.467,10,2.916,54,2.151,59,4.829,61,1.373,62,3.688,63,3.723,67,3.535,83,1.793,180,4.477,192,4.26,307,4.131,369,3.535,1052,6.519,1706,8.107,1707,7.369,1708,8.107,1709,8.107]],["t/2821",[0,0.313,1,1.449,2,2.057,4,1.486,8,1.336,10,2.414,12,4.432,27,3.309,44,1.034,54,2.56,55,1.845,56,1.24,57,1.177,61,1.137,62,1.323,64,1.516,65,1.199,66,1.513,72,1.234,83,1.209,90,3.627,91,3.462,96,5.631,97,3.776,110,3.776,111,1.418,116,4.038,165,1.906,184,2.698,185,0.981,191,2.293,194,1.513,225,1.251,241,1.668,248,1.093,251,1.906,286,2.357,311,1.611,322,2.745,355,2.055,356,1.874,357,2.425,374,4.038,375,2.184,464,4.133,501,3.776,507,4.775,512,3.534,529,2.823,554,3.191,596,5.327,597,5.746,598,5.544,855,1.251,922,2.293,979,5.108,1007,5.856,1045,2.823,1081,2.698,1246,2.698,1449,2.698,1475,3.191,1710,2.98,1711,2.98,1712,6.102,1713,2.98,1714,3.51,1715,3.51,1716,1.848,1717,3.51,1718,4.969,1719,6.713,1720,5.466,1721,5.466,1722,4.969,1723,4.969,1724,3.51,1725,5.466,1726,3.51,1727,3.51]],["t/2823",[0,0.951,2,1.377,4,1.902,8,1.709,10,3.09,19,2.623,27,1.709,35,3.015,44,1.324,50,1.241,54,2.689,56,1.216,57,3.205,58,2.164,59,2.676,60,2.623,61,1.549,62,1.693,63,2.968,64,1.246,66,3.704,67,1.959,68,2.194,72,1.015,83,1.726,88,2.481,90,2.748,91,2.778,105,2.481,136,1.778,140,2.439,170,2.573,174,0.782,186,1.036,194,2.84,225,1.602,263,2.325,283,2.935,304,2.623,347,3.613,355,1.787,381,4.698,401,2.676,456,2.256,464,3.131,478,2.481,488,3.104,507,2.224,509,3.204,512,2.413,526,3.319,916,3.104,938,2.623,948,2.164,995,3.015,1039,3.453,1060,3.015,1090,4.084,1110,3.453,1121,4.421,1246,3.453,1252,2.676,1341,5.593,1417,2.623,1436,4.084,1626,2.256,1710,3.815,1713,3.815,1722,4.084,1723,4.084,1728,3.815,1729,4.084,1730,3.613,1731,4.493,1732,4.493,1733,5.063,1734,4.493,1735,2.526,1736,4.493,1737,4.084,1738,4.493,1739,4.493,1740,4.493]],["t/2825",[0,0.713,1,1.342,4,1.229,18,5.761,19,3.964,50,1.189,54,1.802,57,1.57,58,3.27,61,1.353,65,1.831,69,5.33,70,1.435,72,1.804,90,2.832,91,2.863,109,5.114,128,2.386,131,2.091,160,3.095,174,1.181,183,2.286,185,1.308,186,1.079,188,5.765,199,2.042,200,3.142,201,3.976,211,2.863,223,1.932,224,2.632,225,1.669,226,3.976,283,4.435,284,3.75,286,4.503,300,1.611,311,1.38,312,4.435,333,2.983,423,2.734,512,1.716,517,3.459,539,3.235,785,3.315,948,2.255,956,2.511,957,5.218,968,3.059,976,3.964,1064,1.854,1066,3.34,1137,2.386,1350,3.142,1458,2.682,1510,6.172,1554,3.976,1741,6.79,1742,6.79,1743,6.79,1744,3.976,1745,4.683,1746,4.257,1747,6.79,1748,4.683,1749,4.683,1750,3.976]],["t/2827",[1,1.422,19,5.073,27,2.88,50,1.384,54,2.306,61,0.925,65,1.676,70,2.319,72,1.962,108,5.229,109,5.073,112,5.831,139,3.771,160,1.928,165,2.963,185,1.525,186,1.258,188,4.634,200,3.663,223,2.252,224,3.068,225,1.946,248,1.092,282,2.629,283,5.676,288,2.824,300,2.989,366,1.699,405,2.782,517,4.032,542,2.702,947,3.663,976,5.073,1111,3.068,1156,4.194,1158,3.663,1311,4.634,1385,5.079,1459,4.634,1750,4.634,1751,4.961,1752,5.458,1753,5.458,1754,5.458,1755,5.458,1756,5.458,1757,4.634,1758,5.458,1759,7.57,1760,5.458,1761,5.458,1762,7.57,1763,5.458,1764,7.57,1765,7.57,1766,7.57,1767,7.57]],["t/2829",[0,0.766,1,0.949,4,1.553,12,4.868,19,3.839,27,3.265,31,3.877,56,1.214,57,2.205,62,2.478,65,1.533,75,3.046,83,1.898,90,2.743,91,2.773,96,3.839,121,2.015,170,3.766,186,1.516,200,4.413,202,6.594,227,2.282,244,3.57,248,1.315,401,3.917,464,3.125,507,3.256,512,3.144,542,3.256,596,3.632,597,3.917,598,3.697,785,3.211,979,5.942,1007,6.812,1157,3.839,1250,4.296,1711,7.285,1718,5.978,1737,7.8,1768,4.413]],["t/2831",[0,0.857,18,3.737,31,3.004,39,2.155,50,1.379,54,1.764,61,1.464,63,2.529,66,2.866,67,2.899,68,3.246,99,4.278,125,3.609,153,4.107,174,1.67,179,5.109,227,2.307,229,3.041,258,5.045,288,3.44,290,3.953,309,5.645,338,4.343,342,2.173,423,3.881,426,4.911,464,4.563,512,3.517,524,1.714,538,2.307,1056,4.593,1189,3.004,1285,7.092,1317,6.043,1659,4.741,1769,4.343,1770,6.649]],["t/2833",[0,0.804,4,1.63,50,1.222,56,1.663,1285,6.651,1733,6.919,1771,7.241]],["t/2835",[0,0.798,10,3.729,50,1.213,56,1.65,1285,6.602,1733,6.868,1771,7.188]],["t/2837",[0,0.654,23,2.815,39,2.376,50,0.994,70,2.245,136,2.9,137,3.124,143,3.089,148,4.776,174,1.275,222,5.062,223,3.023,224,4.119,225,2.612,277,5.266,334,2.788,389,4.196,456,3.68,871,5.412,1148,4.917,1244,3.271,1277,5.65,1278,5.595,1410,6.221,1411,6.221,1412,6.221,1413,6.221,1414,6.221,1415,6.221,1680,6.66,1772,7.328,1773,7.328]],["t/2839",[4,1.096,11,3.716,15,1.931,50,1.33,54,1.607,57,2.03,58,2.916,61,1.026,62,2.281,65,1.451,76,3.233,111,2.446,121,2.809,123,3.152,125,3.287,137,4.177,143,4.309,148,4.857,153,2.877,172,3.04,174,1.595,225,3.268,243,3.955,251,3.287,277,4.652,299,2.84,317,5.503,330,3.683,538,2.101,697,4.869,743,4.063,785,2.956,869,3.534,871,4.472,1111,3.403,1116,4.318,1124,2.84,1252,3.606,1277,4.567,1279,3.857,1280,3.767,1386,4.269,1679,5.14,1774,6.055,1775,6.055,1776,5.503,1777,5.14]],["t/2841",[11,3.499,50,1.282,121,2.343,123,2.968,135,3.957,137,3.261,143,3.225,148,4.488,150,2.91,151,3.058,307,3.898,333,4.872,388,3.684,393,3.221,513,4.996,743,5.133,869,4.465,969,5.65,1277,4.3,1278,4.654,1386,4.019,1534,5.284,1543,6.494,1651,8.019,1679,6.494,1778,6.151,1779,6.494]],["t/2843",[23,1.886,50,1.434,51,3.338,54,2.177,58,3.383,61,0.832,65,0.877,66,2.116,67,2.141,68,2.397,121,3.18,135,4.244,137,2.093,143,4.155,147,2.725,148,5.328,165,2.665,174,0.854,181,2.924,186,1.132,240,3.391,284,2.711,307,2.502,311,2.07,322,2.465,334,1.868,522,3.338,625,4.168,869,4.101,916,3.391,922,3.207,1022,4.588,1064,1.943,1111,2.76,1148,3.294,1276,5.85,1277,6.261,1278,4.991,1352,3.391,1393,6.008,1532,3.501,1534,3.391,1569,4.462,1575,4.462,1750,4.168,1780,4.168,1781,4.909,1782,6.385,1783,4.462,1784,6.385,1785,4.462,1786,4.909,1787,4.909]],["t/2845",[1,1.294,11,2.651,50,1.217,51,2.754,54,2.38,55,3.045,61,0.982,62,2.184,63,2.205,66,2.499,70,3.256,135,5.674,136,3.122,137,2.471,143,3.326,147,2.248,148,4.574,178,4.281,191,5.152,208,2.366,225,3.196,334,3.001,336,4.281,513,5.152,869,6.204,917,4.004,1022,3.786,1111,3.258,1121,5.293,1277,5.41,1352,4.004,1393,3.889,1543,6.697,1546,4.661,1547,5.268,1782,5.268,1784,5.268,1785,5.268,1788,4.92,1789,5.796,1790,4.92]],["t/2848",[4,1.318,7,1.59,33,4.121,38,2.62,50,1.243,60,4.252,61,1.234,94,3.556,127,3.356,137,3.105,148,3.461,174,1.267,277,5.246,284,4.022,299,4.297,300,3.152,366,2.852,380,5.194,393,2.484,425,4.09,477,3.995,934,5.597,1124,3.417,1278,4.431,1791,7.284,1792,7.284,1793,9.161]],["t/2850",[11,2.519,31,2.488,39,1.786,50,1.388,61,1.479,76,2.941,94,2.689,121,1.687,137,3.247,143,4.573,148,4.982,152,2.652,165,2.99,174,1.325,186,1.269,207,5.432,208,2.248,225,1.963,242,2.849,243,3.598,251,4.135,277,4.362,299,3.573,308,3.281,330,3.351,334,2.095,342,1.8,366,1.714,381,3.928,389,3.154,443,3.696,444,2.652,501,3.805,521,1.928,525,4.634,762,2.137,843,3.928,869,4.446,934,4.232,1022,4.975,1148,3.696,1252,3.281,1276,3.928,1278,5.312,1328,5.626,1372,3.928,1386,2.894,1396,4.232,1457,4.429,1513,4.232,1794,4.676,1795,5.508,1796,3.042,1797,5.508,1798,4.068,1799,4.676,1800,7.617,1801,7.617]],["t/2852",[2,1.952,7,1.39,11,2.914,26,4.895,50,0.864,55,3.347,58,3.068,61,1.079,121,1.952,128,4.283,143,4.658,148,4.94,174,1.108,186,1.468,195,5.123,243,4.161,264,3.963,288,3.296,330,5.113,338,4.161,389,3.648,520,4.706,539,5.806,855,2.271,869,3.719,968,4.161,1022,5.489,1092,3.963,1148,5.639,1252,3.795,1276,4.543,1277,3.581,1279,4.058,1280,3.963,1328,6.208,1352,5.806,1368,4.895,1372,5.993,1386,3.347,1404,5.409,1802,8.404,1803,5.791,1804,6.371]],["t/2854",[2,2.071,8,2.571,15,2.156,26,7.861,55,3.552,56,1.248,61,1.145,128,4.451,137,3.724,141,3.946,143,4.466,148,4.599,225,2.409,253,3.733,338,4.415,416,3.669,472,5.738,569,2.789,791,7.557,869,5.099,871,4.993,895,6.686,1004,5.738,1111,3.799,1158,4.535,1171,5.436,1252,4.026,1352,4.669,1386,5.085,1396,6.712,1398,5.738,1584,5.738]],["t/2856",[1,1.731]],["t/2858",[0,0.884,1,1.728,1805,8.272]],["t/2860",[0,0.658,1,1.74,571,4.815,800,5.498,1806,7.372,1807,7.372,1808,7.372,1809,7.372]],["t/2862",[0,0.775,1,1.715]],["t/2864",[0,0.477,1,1.735,5,1.327,7,1.508,8,0.952,13,2.163,15,0.798,17,2.572,31,1.131,32,1.239,44,2.531,50,0.34,54,0.664,55,1.315,56,0.462,61,0.424,62,0.943,70,1.275,72,0.94,75,2.882,76,1.336,83,0.554,87,1.784,98,1.144,106,1.63,109,1.461,113,1.557,114,1.522,160,1.47,161,3.751,185,0.699,210,1.295,223,3.076,225,0.892,252,1.729,258,3.118,308,1.49,332,1.022,342,1.36,355,0.679,421,2.298,487,1.055,521,0.876,524,2.215,556,0.9,569,1.717,723,3.182,725,3.182,726,2.124,727,1.49,729,1.557,737,2.004,785,2.031,800,1.49,843,4.439,848,3.69,892,1.679,895,1.729,1021,1.848,1055,1.189,1372,1.784,1389,4.104,1446,1.522,1455,3.633,1469,1.848,1484,2.852,1583,1.848,1810,4.161,1811,5.284,1812,4.783,1813,1.699,1814,3.533,1815,2.258,1816,2.124,1817,2.124,1818,2.124,1819,2.124,1820,2.124,1821,2.012,1822,2.124,1823,1.784,1824,2.124,1825,2.124,1826,2.274,1827,2.502,1828,1.735,1829,2.124,1830,2.274,1831,2.124,1832,2.274,1833,2.274,1834,2.274,1835,4.161,1836,2.502,1837,4.161,1838,4.161,1839,7.125,1840,2.274,1841,2.124,1842,2.502,1843,2.502,1844,2.502,1845,2.502,1846,4.855,1847,2.502,1848,2.502,1849,4.855,1850,2.502,1851,2.502,1852,2.124,1853,2.274]],["t/2866",[0,0.896,7,1.847,12,3.281,23,2.473,25,3.835,50,0.874,51,3.059,54,2.509,62,3.189,171,4.005,174,1.644,208,3.455,210,3.331,225,2.295,314,4.005,332,2.628,355,1.746,359,4.947,413,4.755,524,1.66,583,4.005,610,3.835,613,4.32,676,5.466,938,3.758,948,3.1,1066,6.035,1111,3.619,1124,4.892,1269,5.852,1274,6.805,1275,5.177,1298,4.448,1385,4.32,1854,6.438,1855,4.591,1856,6.438,1857,6.438,1858,3.331,1859,6.438,1860,7.692,1861,5.466,1862,5.852,1863,4.947]],["t/2868",[0,0.735,4,1.49,9,3.102,10,2.222,28,2.522,50,1.34,61,1.046,62,2.328,67,2.694,98,3.766,118,3.148,137,3.948,147,3.194,150,2.35,153,2.935,171,3.843,174,1.432,177,3.606,208,2.522,211,2.604,245,3.537,282,2.975,304,3.606,322,3.102,342,2.692,366,1.923,383,3.679,389,3.537,393,2.107,443,4.145,472,5.244,530,4.968,940,3.471,1102,4.563,1124,4.344,1148,4.145,1278,3.758,1352,4.267,1385,4.145,1386,3.246,1532,4.405,1640,5.244,1660,5.615,1694,4.747,1803,5.615,1864,6.177,1865,5.615,1866,5.615,1867,5.244,1868,6.622,1869,6.177,1870,5.615,1871,6.177]],["t/2870",[0,0.801,4,1.275,10,2.957,12,3.59,36,2.771,50,1.379,55,2.59,56,1.301,58,2.374,61,1.519,97,3.405,98,3.222,121,1.51,123,1.912,126,3.641,150,4.131,151,1.971,153,4.509,160,1.741,174,1.225,176,2.283,183,2.406,241,2.342,250,2.227,260,3.439,284,3.89,299,2.312,311,1.452,334,1.875,355,1.337,366,1.534,383,2.936,389,2.822,393,1.681,444,2.374,545,4.487,565,4.185,763,2.771,764,2.722,940,2.078,1016,3.22,1082,4.727,1088,5.981,1102,3.641,1124,2.312,1178,5.37,1180,5.665,1188,3.964,1193,4.185,1350,5.517,1351,4.48,1353,4.185,1358,2.804,1482,3.964,1532,5.024,1582,4.48,1651,6.98,1778,3.964,1783,4.48,1867,4.185,1872,4.48,1873,4.929,1874,4.929,1875,8.221,1876,7.045,1877,4.48,1878,4.48,1879,4.48]],["t/2872",[0,0.792,1,1.412,4,0.871,7,1.05,50,1.276,56,0.889,61,1.592,62,1.813,65,0.86,68,2.349,70,1.474,75,2.229,83,1.065,98,2.201,108,4.784,118,2.452,121,1.474,150,1.831,174,1.543,176,2.229,208,1.965,225,1.715,227,1.67,291,3.143,299,2.257,300,3.052,311,1.418,322,2.417,342,1.573,355,1.305,362,4.374,364,2.569,388,2.318,389,2.756,393,2.362,420,3.7,423,2.809,443,4.647,466,2.452,487,2.029,507,2.382,512,1.763,596,2.658,778,4.213,823,5.321,940,2.92,1102,3.555,1124,2.257,1186,3.143,1248,3.87,1254,3.325,1271,3.229,1358,2.767,1487,3.87,1659,3.432,1695,4.086,1855,3.432,1866,9.384,1867,7.532,1872,4.374,1880,4.812,1881,4.812,1882,4.812,1883,4.812,1884,4.374,1885,4.812,1886,4.374,1887,6.294,1888,4.086,1889,4.812,1890,4.812,1891,6.925,1892,4.812,1893,4.812,1894,4.812,1895,4.812,1896,4.812,1897,4.812,1898,4.812,1899,4.812]],["t/2874",[0,0.244,4,0.496,8,1.042,12,1.395,13,0.794,19,3.839,20,2.104,25,4.321,36,5.137,39,0.888,44,0.807,50,0.372,54,1.51,56,0.506,61,1.504,62,1.689,63,1.042,65,1.296,67,2.481,68,2.778,70,1.373,72,0.618,83,0.992,105,1.512,121,1.373,125,4.228,150,2.76,151,2.901,160,2.562,165,1.486,170,1.568,172,3.912,174,0.99,176,1.268,192,1.439,193,2.023,208,1.118,210,5.175,227,2.703,242,1.417,244,1.486,278,2.104,282,1.319,311,1.938,314,1.703,330,1.666,333,1.744,366,2.047,367,2.393,370,2.023,415,2.202,444,1.319,446,1.744,461,3.008,467,4.372,512,1.642,515,1.789,524,1.696,538,0.95,543,1.789,561,1.892,566,3.766,600,1.892,763,2.52,785,2.188,839,3.255,893,2.202,895,1.892,922,3.717,940,3.284,946,1.512,947,1.837,948,1.319,1075,2.023,1102,2.023,1110,2.104,1124,3.403,1166,1.953,1188,2.202,1243,2.202,1250,1.789,1271,4.413,1284,1.598,1372,1.953,1376,2.202,1385,1.837,1426,2.202,1482,2.202,1485,2.202,1541,2.023,1566,2.489,1643,2.489,1675,2.325,1860,9.614,1861,6.981,1900,2.738,1901,2.738,1902,2.738,1903,2.738,1904,2.738,1905,2.738,1906,2.738,1907,2.738,1908,2.738,1909,2.489,1910,2.738,1911,2.738,1912,5.69,1913,2.738,1914,2.738,1915,2.489,1916,8.223,1917,7.789,1918,1.953,1919,2.738,1920,2.325,1921,2.489,1922,2.738,1923,5.289,1924,7.254,1925,5.69,1926,6.576,1927,7.254,1928,6.576,1929,6.576,1930,5.69,1931,2.738,1932,2.738,1933,2.738,1934,3.805,1935,2.489,1936,2.738,1937,2.489,1938,2.738,1939,2.738,1940,2.738]],["t/2876",[0,0.821,7,2.193,12,3.734,36,4.119,54,1.945,59,5.478,62,3.465,68,3.577,83,1.621,123,2.843,128,3.734,129,4.458,192,4.832,194,3.159,314,4.558,332,2.991,366,2.281,369,3.195,413,5.412,512,2.684,522,3.482,610,4.365,613,4.917,938,4.278,967,5.412,979,4.558,1124,4.714,1298,5.062,1702,5.412,1863,5.631]],["t/2878",[4,1.786,54,2.18,62,3.096,136,3.252,174,1.716,208,3.354,266,4.25,427,5.859,512,3.614,522,3.904,583,5.111,613,6.62,940,3.464,1110,6.313,1112,7.468,1941,8.216]],["t/2880",[0,0.764,4,1.186,7,0.973,8,1.697,16,1.991,54,1.739,55,2.344,56,0.824,57,1.495,61,0.756,63,1.697,65,1.387,66,2.825,67,3.733,68,3.792,70,2.623,72,1.007,111,2.647,123,3.013,128,2.273,129,2.714,131,1.991,145,3.619,160,1.576,165,2.421,174,1.14,186,1.028,192,3.443,193,3.295,194,1.923,197,3.787,223,3.532,227,1.548,243,2.913,288,2.308,290,2.04,338,2.913,351,3.787,355,1.21,376,2.793,405,3.339,416,2.421,427,3.181,447,3.787,456,2.24,512,2.401,524,1.15,566,2.554,573,2.841,610,6.472,729,4.832,746,3.295,751,4.174,938,2.604,939,2.993,940,3.609,944,3.081,946,2.463,947,2.993,1026,3.181,1124,2.092,1170,3.587,1179,3.114,1200,4.174,1249,3.787,1255,5.563,1256,3.081,1260,3.787,1271,2.993,1284,2.604,1298,3.081,1326,5.956,1345,3.428,1358,1.521,1383,1.562,1455,2.604,1458,2.554,1469,3.295,1516,4.054,1584,3.787,1611,4.054,1656,4.054,1716,1.508,1942,4.46,1943,4.46,1944,4.054,1945,4.46,1946,1.968,1947,4.054,1948,3.787,1949,4.46,1950,3.787,1951,4.46,1952,4.054,1953,4.054]],["t/2882",[0,0.791,1,1.441,4,1.025,7,2.08,13,2.897,14,8.092,50,0.768,54,2.06,56,1.045,57,1.898,61,1.315,71,3.789,111,2.287,136,3.772,137,2.413,174,0.985,183,2.764,230,5.786,273,6.543,290,2.589,332,4.211,364,3.023,369,2.469,376,2.413,393,1.931,405,2.885,407,3.911,416,3.073,464,2.69,556,2.792,800,5.948,1064,2.241,1124,4.838,1182,4.182,1619,5.362,1954,5.661,1955,4.182,1956,5.661,1957,5.661,1958,5.661,1959,7.056,1960,4.553,1961,7.056]],["t/2884",[0,0.831,7,1.362,9,4.163,39,2.023,54,1.656,61,1.404,70,2.54,123,2.421,128,4.744,129,5.663,131,2.786,153,2.965,172,4.163,174,1.085,208,3.8,225,2.224,227,2.166,242,3.228,251,3.388,308,3.717,334,2.374,355,2.69,366,1.942,376,2.66,383,3.717,512,2.286,938,4.839,939,6.655,940,2.631,948,3.005,1022,4.076,1053,4.609,1084,5.298,1116,4.45,1371,5.018,1458,3.573,1955,6.123,1962,6.24,1963,5.298,1964,5.018,1965,5.672,1966,6.24,1967,6.24,1968,6.24,1969,6.24,1970,5.298,1971,6.24]],["t/2886",[7,1.186,13,1.577,39,1.762,44,1.601,50,1.176,54,1.442,56,1.003,58,2.617,61,1.468,81,3.381,83,1.202,118,2.769,122,3.461,123,3.818,150,3.298,151,3.017,153,3.586,172,3.789,174,0.945,203,4.014,225,1.937,227,3.415,322,2.729,355,2.763,393,2.957,520,4.014,524,2.235,569,2.242,746,5.574,800,3.237,938,5.061,939,6.285,944,3.754,1024,4.014,1045,4.37,1116,3.875,1170,4.37,1178,3.549,1187,4.37,1297,4.613,1385,5.064,1425,6.069,1458,3.112,1513,4.176,1534,5.213,1778,4.37,1852,4.613,1934,7.36,1965,4.939,1972,5.434,1973,4.37,1974,4.939,1975,5.434,1976,7.546,1977,5.434,1978,5.434,1979,4.613,1980,4.939]],["t/2888",[0,0.816,227,3.172,355,2.479,383,5.444,939,6.133]],["t/2890",[1,1.063,7,1.609,50,1.506,58,3.55,61,1.564,67,3.215,70,2.258,109,5.883,123,2.86,172,3.702,181,4.391,225,2.627,242,3.814,334,2.805,520,5.445,524,1.901,938,5.883,939,4.947,976,4.303,1116,6.583,1669,6.701,1981,6.701,1982,7.372,1983,9.231,1984,7.372]],["t/2892",[50,1.543,72,1.439,83,1.409,101,3.107,109,6.232,123,3.26,172,3.199,176,2.95,186,1.468,199,3.665,227,2.917,242,3.296,355,2.712,381,4.543,387,3.719,524,2.425,939,6.311,940,3.543,1545,4.543,1702,4.706,1788,5.409,1934,7.135,1947,7.639,1981,7.639,1985,5.791,1986,6.371,1987,6.371,1988,7.639,1989,8.404,1990,8.404]],["t/2894",[4,1.55,54,2.272,56,1.581,57,2.87,118,4.363,122,5.454,136,3.389,174,1.489,515,5.592,938,4.998,948,4.123,949,7.782,1366,6.579,1991,8.562]],["t/2896",[0,0.82,1,0.878,4,1.101,7,2.006,8,2.315,9,4.931,50,1.332,54,1.615,57,2.733,83,1.803,111,2.458,112,5.47,136,3.638,137,3.475,150,3.101,151,2.433,153,4.666,165,3.303,170,3.484,172,3.056,208,3.752,290,2.783,311,1.793,388,2.93,855,2.169,938,3.552,939,4.083,940,3.437,1064,2.408,1111,3.42,1116,4.339,1369,4.676,1602,3.785,1794,6.92,1870,5.531,1973,4.893,1992,5.531,1993,9.819,1994,6.085,1995,6.085,1996,6.085,1997,6.085,1998,6.085,1999,6.085,2000,6.085]],["t/2898",[0,0.691,39,2.511,54,2.526,57,3.455,59,4.614,62,3.587,162,5.351,238,6.23,290,3.543,325,7.612,332,3.162,522,3.681,538,2.688,762,3.005,916,5.351,948,3.73,1085,6.23,1111,4.354,1591,5.351,1798,5.722,2001,7.746,2002,7.746]],["t/2900",[54,1.648,57,3.766,61,1.052,63,3.143,88,4.562,109,3.624,180,3.429,241,2.95,278,4.771,282,2.99,290,2.84,311,1.829,325,7.613,342,2.701,352,4.055,400,7.96,421,3.429,456,5.176,546,4.771,708,5.271,762,3.602,947,4.166,948,2.99,970,5.271,1089,6.349,1120,3.955,1245,5.643,1273,4.993,1863,4.771,2003,6.209,2004,5.643,2005,8.404,2006,5.643,2007,5.643,2008,6.209,2009,6.209,2010,8.262,2011,5.643]],["t/2902",[1,0.848,34,3.84,57,1.971,61,1.53,63,3.03,88,4.398,132,2.625,162,3.305,165,4.324,186,1.355,238,4.728,241,4.601,249,5.344,282,2.831,288,4.673,290,2.689,314,3.658,325,6.672,326,4.992,342,2.953,421,3.247,456,2.952,546,6.941,762,3.09,1089,6.121,1120,3.745,1779,4.992,1886,5.344,2006,5.344,2007,5.344,2011,7.24,2012,11.381,2013,5.879,2014,5.879,2015,7.965,2016,5.879,2017,5.879,2018,5.879,2019,7.965,2020,5.344,2021,5.344,2022,4.992,2023,4.518,2024,5.879,2025,5.344,2026,5.344]],["t/2904",[0,0.803,1,1.749,39,2.293]],["t/2906",[0,0.88,1,1.755,15,1.206,17,2.789,19,2.208,20,2.907,21,3.042,26,2.907,27,1.439,39,1.226,93,4,97,4,107,2.794,293,2.409,356,2.02,357,2.613,507,2.867,596,3.198,597,3.449,598,3.955,1771,3.042,1960,3.042,2027,3.783,2028,3.783,2029,3.783]],["t/2908",[0,0.955,1,0.928,2,2.712,3,1.466,4,0.939,10,2.861,17,1.581,21,2.641,26,2.523,35,2.203,44,0.967,54,0.871,56,1.187,57,1.101,61,1.555,62,1.955,65,0.927,70,2.964,83,2.253,90,3.317,91,3.08,93,2.268,97,4.442,106,2.033,111,2.598,119,2.268,121,1.006,140,1.783,170,3.682,186,1.196,187,2.342,192,1.725,209,2.568,223,1.355,225,1.17,227,2.535,240,2.268,251,1.783,253,4.034,266,1.699,283,2.145,288,1.699,293,4.096,296,3.227,311,1.528,332,1.341,355,2.49,356,4.247,357,3.584,372,2.342,373,4.172,375,2.043,376,1.4,380,2.342,383,1.956,405,1.673,464,2.465,478,1.813,507,2.568,512,3.243,517,2.425,526,2.425,546,2.523,596,2.865,597,3.09,598,3.614,701,2.641,785,4.128,848,2.268,852,2.788,855,1.17,1045,2.641,1060,5.337,1183,4.404,1250,2.145,1273,2.641,1285,2.425,1377,4.586,1392,2.523,1433,2.985,1441,2.985,1449,2.523,1546,2.641,1588,2.985,1626,1.649,1710,2.788,1712,2.985,1713,2.788,2030,3.284,2031,3.284,2032,3.284,2033,5.187,2034,3.284,2035,3.284,2036,3.284,2037,5.171,2038,5.187,2039,3.284,2040,3.284,2041,3.284,2042,3.284,2043,3.284,2044,3.284,2045,3.284,2046,3.284,2047,5.187,2048,2.985,2049,3.284,2050,3.284,2051,3.284,2052,3.284,2053,2.985,2054,3.284]],["t/2910",[0,0.939,4,1.415,10,3.557,28,1.382,51,2.143,90,1.881,137,1.923,174,1.497,229,2.063,233,2.49,244,4.244,248,1.321,311,1.329,335,4.563,366,2.056,376,1.923,404,4.099,716,4.099,737,4.145,1010,5.313,1179,3.139,1356,2.806,1365,4.201,1426,3.627,1446,2.744,1463,3.216,1593,5.313,1626,3.317,1630,5.775,1631,6.827,1632,4.564,1633,5.609,1637,3.627,1638,3.627,1757,3.829,2055,3.627,2056,7.106,2057,3.829,2058,6.287,2059,6.287,2060,6.287,2061,6.287,2062,6.287,2063,7.698,2064,7.307,2065,8.286,2066,6.005,2067,7.823,2068,6.287,2069,6.287,2070,6.287,2071,4.51,2072,4.51,2073,4.099,2074,4.51]],["t/2912",[0,0.868,4,1.237,7,1.492,10,3.164,15,2.18,39,2.216,50,1.194,56,1.262,83,1.946,151,2.733,174,1.53,244,3.71,311,2.014,449,5.497,501,4.722,737,3.291,940,2.882,1179,3.248,1239,2.111,1240,3.591,1356,5.473,1365,3.337,1434,5.803,1463,6.274,1626,3.432,1630,5.904,1682,6.761,1692,6.499,1855,6.274,2075,6.835,2076,8.798,2077,8.798,2078,8.798,2079,6.213,2080,6.835]],["t/2914",[0,0.753,1,0.924,7,1.398,8,3.208,10,2.303,23,2.46,39,2.734,44,2.485,56,1.182,61,1.085,75,2.966,76,3.419,87,4.567,121,1.962,122,4.079,125,3.476,140,3.476,143,2.7,186,1.944,229,2.929,366,1.993,376,3.595,610,3.815,737,3.084,1179,4.481,1189,2.893,1200,5.372,1239,1.978,1298,4.424,1346,6.48,1365,3.126,1377,4.567,1383,2.242,1593,5.15,1626,3.216,1692,4.73,1855,6.014,1963,5.437,2081,6.404,2082,7.665,2083,8.433,2084,7.16,2085,6.404,2086,8.433,2087,7.16,2088,5.821]],["t/2916",[0,0.727,4,1.101,10,2.188,11,2.783,15,1.94,50,1.106,56,1.124,61,1.663,76,3.249,99,3.012,105,3.36,131,2.716,162,3.42,172,3.056,194,2.623,284,3.36,356,4.352,417,5.166,421,3.36,440,3.974,443,4.083,444,2.93,512,2.229,524,1.569,567,7.409,607,3.876,713,4.676,737,2.93,749,4.083,855,2.169,932,3.876,1158,4.083,1249,5.166,1365,2.97,1386,3.197,1446,5.974,1471,5.531,1511,4.893,1630,5.47,1644,5.166,1682,7.063,1777,6.92,1909,5.531,2082,7.409,2087,5.166,2089,6.085,2090,6.085,2091,6.085,2092,6.085,2093,6.085,2094,6.085,2095,6.085,2096,6.085,2097,6.085,2098,6.085,2099,6.085,2100,6.085]],["t/2918",[335,4.551,571,5.092,953,5.991,954,7.086,1068,7.941,1190,6.619,1225,5.758,1226,5.758,1435,7.685,1597,7.086,1629,6.619,1631,6.815,1632,6.602,1635,7.059,1642,6.619,1878,7.086,1988,7.086,2101,7.796,2102,7.796,2103,7.796,2104,7.796,2105,7.796]],["t/2920",[0,0.952,4,1.808,10,3.592,51,3.985,242,4.338,248,1.677,366,2.61,737,4.038,1356,5.217,1365,4.094,1463,5.98,1626,4.211,1637,6.743]],["t/2922",[0,0.578,1,1.225,4,1.172,28,1.983,50,0.878,137,2.759,174,1.126,229,2.96,233,3.574,244,3.513,335,5.533,366,3.132,737,4.089,948,3.117,1010,5.205,1148,4.343,1365,3.16,1626,4.264,1630,5.698,1631,6.056,1632,4.471,1682,4.973,1685,5.205,1688,5.205,1692,6.272,1868,5.205,2055,6.829,2057,5.495,2058,5.205,2059,5.205,2060,5.205,2061,5.205,2062,5.205,2063,6.829,2064,5.495,2065,6.525,2066,5.883,2068,5.205,2069,5.205,2070,5.205,2106,5.883,2107,6.472,2108,5.883,2109,7.719,2110,5.883]],["t/2924",[0,0.855,1,1.242,4,1.197,10,2.378,28,2.026,50,0.897,137,2.819,174,1.15,229,3.024,233,3.652,335,5.591,366,3.158,737,3.184,1010,5.318,1365,3.228,1593,5.318,1626,3.321,1630,5.779,1631,6.141,1632,4.568,1633,5.614,1682,5.081,1685,5.318,1688,5.318,1692,6.361,1868,5.318,2055,5.318,2057,5.614,2058,5.318,2059,5.318,2060,5.318,2061,5.318,2062,5.318,2063,6.925,2064,5.614,2065,6.617,2068,5.318,2069,5.318,2070,5.318,2108,6.01,2109,7.828,2110,6.01]],["t/2926",[233,4.389,335,4.64,366,3.244,737,3.828,1626,3.991,1630,6.489,1631,6.896,1632,5.491,2055,6.392,2058,6.392,2059,6.392,2060,6.392,2061,6.392,2062,6.392,2063,7.776,2065,6.108,2067,7.225,2068,6.392,2069,6.392,2070,6.392]],["t/2928",[0,0.764,4,1.55,10,3.636,51,4.069,113,5.326,174,1.489,229,3.916,1365,4.18,1446,5.209,1637,6.885,1639,7.782,1640,7.269,1641,7.269]],["t/2930",[0,0.623,4,1.264,6,2.519,7,1.947,8,3.394,10,2.512,23,2.683,28,1.492,38,1.752,39,2.647,44,1.435,50,0.661,61,1.183,89,3.03,105,2.689,128,2.482,131,3.118,143,3.443,174,1.215,181,2.901,183,2.377,227,1.69,229,3.194,282,3.364,308,2.901,366,2.174,369,2.124,383,2.901,421,4.926,440,3.181,476,3.742,478,2.689,515,3.181,516,5.617,524,1.256,538,1.69,737,4.548,869,2.843,892,3.268,922,3.181,948,3.364,1065,6.349,1120,4.449,1179,2.314,1189,3.69,1238,3.916,1239,1.504,1346,3.742,1365,2.377,1371,3.916,1373,3.916,1444,4.135,1446,5.427,1458,2.789,1487,3.916,1580,3.916,1630,3.268,1644,4.135,1694,5.367,1728,5.93,1769,3.181,1788,4.135,1946,2.148,2087,5.93,2111,6.984,2112,4.87,2113,6.984,2114,4.87,2115,4.87,2116,6.984,2117,4.427,2118,3.742,2119,6.984,2120,4.87,2121,4.135,2122,4.87,2123,4.135,2124,4.427,2125,4.427]],["t/2932",[4,1.559,7,1.879,10,3.097,11,3.024,44,1.948,56,1.221,90,2.758,105,3.652,118,3.37,143,2.788,172,3.321,178,4.884,229,4.38,248,1.322,330,4.023,343,6.361,366,2.058,376,2.819,478,3.652,524,2.22,538,2.295,1179,4.092,1189,4.327,1239,2.659,1338,5.318,1354,5.318,1365,4.675,1456,6.01,1485,5.318,1486,5.614,1507,6.01,1641,5.614,1684,5.614,1692,4.884,1769,4.319,1868,5.318,2123,5.614,2124,6.01,2125,6.01,2126,6.612,2127,5.614,2128,6.612,2129,6.612]],["t/2934",[0,0.937,35,6.124,39,2.347,40,4.07,59,4.313,61,1.226,89,4.504,90,3.02,131,3.232,174,1.259,225,2.581,227,2.513,245,4.146,361,5.164,1132,5.002,1166,5.164,1242,5.823,1270,6.581,1278,4.405,1336,6.581,1361,5.823,1373,5.823,1586,5.164,1798,7.383,1946,3.194,1955,5.348,2117,6.581,2130,7.241,2131,7.241,2132,7.241,2133,5.564,2134,7.241,2135,7.241,2136,7.241]],["t/2936",[0,0.917,50,1.287,54,2.043,83,1.703,162,4.327,174,1.649,208,3.142,333,4.903,334,2.928,431,5.489,512,3.473,762,2.986,861,6.535,916,5.318,1799,6.535,1921,6.997,2137,7.697,2138,7.697,2139,10.276,2140,7.697,2141,7.697,2142,6.997,2143,7.697]],["t/2938",[0,0.866,28,2.451,50,1.086,83,1.77,137,3.411,153,3.802,162,4.497,174,1.392,208,3.266,229,3.659,299,3.753,366,2.49,369,3.489,387,4.67,916,5.527,940,3.373,1798,5.909,1944,7.272,2142,7.272,2144,8,2145,8,2146,8,2147,8]],["t/2940",[0,0.866,9,4.017,25,4.765,61,1.355,125,4.343,166,3.853,174,1.689,208,3.963,338,6.341,387,4.67,476,8.032,762,3.104,1166,5.705,1357,6.434,2148,8,2149,8,2150,8,2151,8]],["t/2942",[0,0.769,12,4.394,54,2.864,59,5.136,62,3.249,376,3.676,781,5.632,932,5.492,947,5.786,1124,4.044,2152,8.622]],["t/2944",[0,0.311,3,1.554,4,1.208,10,1.252,12,5.377,18,1.956,23,1.337,25,2.073,32,3.305,36,3.052,39,1.128,44,1.025,50,1.27,57,1.167,61,1.667,62,1.311,66,1.5,70,1.663,72,0.786,83,1.201,98,1.592,111,1.406,114,4.588,121,1.066,131,3.367,136,1.378,150,3.297,151,1.392,153,3.173,165,1.889,170,3.109,173,2.799,174,1.161,191,2.273,192,1.829,194,1.5,208,1.421,210,1.801,223,2.24,224,1.956,225,1.241,240,2.404,254,2.482,271,2.482,281,3.164,284,1.922,290,1.592,325,2.571,353,2.674,364,1.858,366,2.546,375,2.165,376,1.484,388,2.615,389,1.993,390,2.217,421,1.922,456,2.727,461,2.335,466,1.774,512,2.996,524,0.897,538,1.884,694,2.404,781,4.361,804,3.164,805,3.164,806,3.164,807,3.164,808,3.164,837,4.761,838,6.943,953,2.674,979,5.391,1007,2.482,1016,4.361,1039,2.674,1052,2.799,1082,6.073,1124,3.538,1127,2.799,1162,2.482,1175,2.955,1177,2.955,1178,4.926,1181,2.674,1186,2.273,1193,2.955,1197,4.61,1200,2.217,1225,2.571,1226,4.011,1271,3.644,1278,2.117,1379,4.935,1386,2.853,1455,2.032,1470,4.153,1590,3.164,1619,2.404,1678,3.164,1695,2.955,1778,2.799,1779,2.955,1855,2.482,1888,2.955,1955,2.571,2026,3.164,2079,3.164,2153,3.48,2154,3.48,2155,3.48,2156,3.48,2157,4.935,2158,3.48,2159,3.48,2160,3.48,2161,5.43,2162,4.935,2163,3.164]],["t/2946",[0,0.841,4,1.379,12,4.449,18,3.096,25,3.281,50,1.185,54,2.021,57,2.554,61,0.933,65,0.984,111,2.225,114,3.351,160,2.691,165,2.99,170,3.154,172,3.825,177,3.215,183,2.689,200,3.696,225,2.715,241,3.62,311,1.623,326,6.467,338,3.598,356,2.941,364,2.941,366,2.718,367,2.941,369,2.402,376,2.348,446,3.508,512,2.79,541,4.232,762,2.137,819,4.676,979,6.831,1016,5.703,1037,4.429,1082,6.636,1197,6.467,1255,6.467,1352,3.805,1368,4.232,1386,2.894,1458,3.154,1541,4.068,1744,4.676,2162,5.006,2163,5.006,2164,5.853,2165,5.508,2166,5.006,2167,7.617,2168,5.508,2169,5.006,2170,5.508]],["t/2948",[0,0.746,1,1.438,2,1.935,12,2.162,25,2.527,36,4.24,51,3.001,56,1.393,66,2.723,68,2.071,69,5.084,83,1.976,89,2.64,98,1.941,111,1.714,136,1.679,150,3.69,172,3.788,173,3.412,186,1.456,210,3.267,230,4.125,257,3.026,258,4.404,273,4.665,290,2.888,291,2.772,311,2.462,332,2.578,333,2.703,334,2.403,364,2.266,367,2.266,375,2.64,388,2.043,416,2.303,512,2.314,526,5.572,538,2.192,545,4.023,556,2.271,564,4.665,785,4.079,800,4.493,952,3.857,970,3.602,1121,2.847,1124,3.538,1252,2.527,1368,3.261,1470,5.198,1487,3.412,1619,2.931,1675,3.602,1771,3.412,1960,3.412,1961,5.74,1974,7.595,2171,4.243,2172,3.857,2173,8.933,2174,8.356,2175,8.356,2176,3.857,2177,4.243,2178,8.356,2179,6.315,2180,6.315,2181,4.243,2182,4.243,2183,6.315,2184,6.315,2185,6.315,2186,4.243,2187,6.315]],["t/2950",[0,0.334,4,1.532,5,3.059,7,1.255,8,1.426,10,3.815,11,1.714,12,1.91,13,2.03,15,3.059,16,3.123,17,2.769,23,1.44,24,2.28,36,4.41,39,1.215,50,0.78,54,1.856,55,1.969,56,1.292,57,1.256,61,1.666,70,1.761,75,1.736,98,3.87,118,1.91,123,1.454,135,5.194,136,2.276,165,2.034,174,1.617,208,1.53,251,2.034,299,3.281,304,2.188,314,2.332,334,1.426,355,2.522,366,1.79,367,2.001,389,3.292,421,3.175,461,3.858,524,1.804,944,2.589,976,5.861,1021,2.768,1052,3.014,1111,2.107,1125,3.513,1126,3.415,1132,5.846,1179,1.781,1180,6.805,1181,2.88,1182,2.768,1183,3.182,1186,3.756,1187,4.624,1192,3.407,1239,1.776,1278,2.28,1353,3.182,1354,3.014,1386,3.021,1425,3.014,1694,2.88,1744,3.182,1746,3.407,1861,3.182,1884,3.407,1887,3.407,1918,2.673,1970,3.182,2088,3.407,2157,3.407,2188,3.748,2189,3.748,2190,3.748,2191,3.748,2192,3.748,2193,3.748,2194,3.748,2195,3.748]],["t/2952",[0,0.516,1,0.833,4,1.046,9,1.894,10,1.356,12,1.922,15,2.51,25,2.246,36,3.247,39,1.223,50,1.264,54,2.089,55,1.981,57,1.264,60,4.099,61,1.333,63,1.435,70,1.155,72,1.304,83,0.834,90,1.573,111,1.523,121,2.151,131,1.683,145,2.082,150,2.198,151,3.147,174,1.714,176,1.746,182,2.402,183,2.82,186,0.869,208,1.539,210,2.989,222,2.605,223,1.556,224,2.12,225,2.059,227,1.309,243,2.463,271,2.689,282,3.382,284,2.082,288,1.951,291,2.463,298,2.605,307,2.944,311,1.111,319,3.428,332,1.539,334,1.435,355,2.302,359,2.898,366,1.174,367,2.013,381,2.689,388,1.816,401,2.246,442,4.851,478,2.082,524,0.972,778,6.119,781,6.086,940,1.59,1053,4.267,1075,2.785,1120,2.402,1124,3.294,1162,6.051,1178,5.141,1251,3.201,1254,2.605,1271,2.53,1377,2.689,1425,3.033,1426,5.647,1532,2.689,1545,2.689,1546,3.033,1555,2.898,1602,3.594,1623,3.428,1659,2.689,1751,3.428,1855,6.051,1877,3.428,1888,7.204,1915,3.428,1953,3.428,2196,3.771,2197,5.777,2198,3.771,2199,5.777,2200,3.771,2201,5.777,2202,3.771,2203,3.771,2204,8.485,2205,3.771,2206,3.771,2207,3.771,2208,3.771,2209,5.777]],["t/2954",[0,0.597,14,5.675,50,0.907,54,1.774,57,2.241,60,3.902,61,1.132,70,2.657,83,1.919,152,3.219,174,1.772,182,4.258,186,1.541,223,2.758,224,3.758,225,2.383,244,3.629,251,3.629,282,3.219,355,2.353,412,5.137,442,4.618,448,5.675,522,3.177,778,5.276,781,5.665,1053,4.938,1070,6.076,1071,6.076,1072,5.137,1162,4.767,1186,5.665,1513,5.137,1694,5.137,1855,4.767,2210,6.685,2211,8.673,2212,5.675,2213,6.685,2214,6.076,2215,6.685,2216,6.076,2217,6.685,2218,6.685]],["t/2956",[0,0.691,9,3.89,50,1.292,56,1.43,57,2.597,64,2.148,83,1.714,90,3.23,91,3.266,106,4.038,107,5.722,154,5.198,208,3.162,227,2.688,442,5.351,449,6.23,844,5.67,948,3.73,1120,4.934,1123,5.722,1215,7.041,1357,6.23,1453,7.041,1780,6.577,2219,7.746]],["t/2958",[0,0.83,1,1.741,28,2.286,1828,3.879,2022,6.335]],["t/2960",[0,0.487,1,1.688,4,1.573,31,4.608,32,5.177,54,1.449,57,1.83,61,0.925,62,2.057,64,2.099,65,1.352,96,3.186,106,2.139,111,2.205,121,2.319,160,3.315,186,1.258,208,3.09,250,2.466,251,2.963,266,2.824,282,2.629,288,2.824,300,2.989,307,2.782,311,1.608,336,4.032,384,4.961,385,4.961,386,4.961,423,5.073,464,2.594,507,2.702,512,2,596,3.014,597,3.251,598,3.068,723,3.251,725,3.251,737,3.645,932,3.477,1039,4.194,1392,4.194,1829,4.634,2220,5.458,2221,5.458,2222,4.634,2223,5.458]],["t/2962",[0,0.84,2,2.329,7,1.659,23,2.92,31,4.824,32,5.433,63,2.892,66,3.277,67,3.315,68,3.711,121,2.329,171,4.729,181,4.528,241,3.612,258,4.437,266,3.933,300,3.237,311,2.24,338,4.965,339,6.909,340,4.528,341,6.113,1446,4.625]],["t/2964",[1,1.641]],["t/2966",[1,1.641]],["t/2968",[1,1.641]],["t/2970",[1,1.752,83,1.301,369,2.564,1081,6.121,1769,5.203,2224,6.762,2225,5.883,2226,5.344,2227,4.728]],["t/2972",[0,0.822,1,1.753,39,1.694,1992,4.749,2228,5.225,2229,4.436,2230,5.225,2231,5.225,2232,5.225,2233,5.225,2234,5.225,2235,5.225,2236,5.225,2237,6.673,2238,5.225]],["t/2974",[0,0.635,1,1.748,1081,5.466,1769,4.647,2226,6.466]],["t/2976",[70,2.5,106,3.198,125,5.334,140,5.334,268,4.764,482,5.638,569,3.367,723,4.861,725,4.861,727,4.861,729,5.077,737,3.93,1189,3.687,2225,6.028,2239,6.271,2240,7.418,2241,7.418,2242,7.418,2243,7.418]],["t/2978",[1,1.578,17,4.855,23,2.5,69,3.959,70,1.993,99,3.221,106,3.951,123,2.524,125,3.532,140,3.532,143,2.743,227,2.957,268,3.798,524,1.678,569,2.685,723,3.876,725,3.876,727,3.876,729,4.048,746,4.806,787,6.853,891,5.524,1028,5.233,1626,4.279,1769,6.207,2121,5.524,2224,7.235,2225,7.019,2239,5,2244,5.914,2245,5.914,2246,5.914,2247,5.914,2248,7.235,2249,5.914,2250,5.914,2251,5.914,2252,5.914]],["t/2980",[0,0.613,1,1.726,17,4.698,44,2.025,69,4.182,227,3.064,342,2.247,787,7.845,1470,4.276,2225,5.077,2227,8.564,2251,6.248,2252,6.248,2253,6.873,2254,6.873,2255,6.873]],["t/2982",[106,3.263,268,4.862,482,5.753,723,4.961,725,4.961,727,4.961,729,5.181,737,4.011,1189,3.763,2225,6.152,2227,7.998,2239,6.4,2240,7.57,2241,7.57,2242,7.57,2243,7.57,2248,7.07]],["t/2984",[1,1.572,17,4.252,23,2.64,70,2.106,99,3.403,106,4.034,123,2.667,143,2.898,268,4.012,524,1.772,569,2.836,723,4.094,725,4.094,727,4.094,729,4.276,746,5.077,891,5.835,1028,5.527,1626,4.434,1769,6.372,2121,5.835,2224,7.496,2225,7.206,2227,5.527,2239,5.282,2244,6.248,2245,6.248,2246,6.248,2247,6.248,2248,8.282,2249,6.248,2250,6.248]],["t/2987",[1,1.743,7,1.59,44,2.146,892,4.888,1089,5.597,1455,4.252,2256,7.284,2257,7.284]],["t/2989",[0,0.882,1,1.751,18,2.526,27,1.709,28,1.377,40,2.526,564,3.319,610,5.884,729,4.853,751,4.197,918,3.453,1203,5.298,1950,3.815,1952,4.084,2258,4.493,2259,4.493,2260,4.493,2261,4.493,2262,4.493,2263,4.493,2264,7.801,2265,4.493]],["t/2992",[0,0.883,1,0.841,6,1.975,7,2.158,8,3.422,10,1.373,34,2.494,39,2.294,44,2.757,50,0.96,54,1.878,56,1.077,59,3.474,61,1.199,62,1.439,66,2.514,67,2.543,70,1.17,109,3.405,113,2.375,145,2.109,172,3.554,174,1.679,183,1.864,185,1.63,194,1.646,223,3.521,240,2.638,241,1.814,252,2.638,283,2.494,296,2.375,311,2.65,332,2.381,342,1.248,364,3.778,366,1.188,372,2.723,443,2.562,466,1.946,473,2.039,474,2.934,476,2.934,512,1.399,538,1.325,569,1.575,737,1.839,843,2.723,892,6.28,897,4.952,917,2.638,940,1.61,1016,2.494,1126,1.864,1158,2.562,1238,3.071,1252,2.274,1268,3.242,1271,2.562,1345,2.934,1349,2.934,1350,2.562,1370,2.934,1378,3.471,1455,6.482,1457,3.071,1461,2.934,1470,2.375,1555,4.482,1586,2.723,1621,3.471,1659,6.882,1702,2.82,1707,3.471,1768,2.562,1799,3.242,1862,3.471,2005,3.242,2084,3.242,2266,3.818,2267,3.242,2268,3.071,2269,6.432,2270,3.818,2271,3.818,2272,3.818,2273,3.818,2274,3.818,2275,3.242,2276,3.818,2277,3.818,2278,3.471]],["t/2994",[2,2.272,7,2.206,17,3.572,44,2.185,54,1.968,56,1.369,145,4.096,174,1.29,183,3.621,311,2.185,355,2.012,366,2.309,487,3.127,512,3.394,787,5.964,940,3.907,1179,3.524,1386,3.897,1388,6.297,1449,5.699,1455,5.899,1462,6.741,1470,5.764,2279,6.297,2280,7.867,2281,7.417,2282,7.417,2283,7.417]],["t/2996",[0,0.541,1,1.003,4,1.548,7,1.866,10,2.926,17,2.922,34,1.965,44,2.397,50,1.306,54,0.798,69,2.943,72,0.679,83,1.07,89,1.871,105,1.661,106,1.896,109,4.058,131,1.343,132,2.16,143,2.558,154,3.246,161,1.633,174,1.209,177,2.824,180,2.671,182,1.916,186,0.693,223,2.868,227,2.643,241,1.43,251,1.633,253,2.671,266,1.556,268,3.542,284,1.661,293,3.081,300,1.664,311,1.425,314,1.871,322,2.429,353,4.662,364,1.606,367,1.606,368,2.554,369,1.312,374,2.222,387,1.756,388,1.449,394,2.734,421,2.671,446,1.916,456,3.491,492,4.397,522,2.299,538,1.044,561,2.078,569,2.503,723,3.614,725,3.614,727,2.882,785,2.962,842,5.151,895,3.342,940,1.268,1075,2.222,1120,3.865,1126,2.362,1152,3.89,1165,2.078,1239,2.146,1241,2.554,1252,1.792,1273,3.89,1364,2.554,1371,2.419,1377,2.145,1386,1.581,1417,1.756,1424,2.554,1455,6.349,1463,2.145,1474,2.734,1659,7.925,1699,2.734,1702,3.573,1923,2.419,1973,5.59,2037,5.59,2048,2.734,2084,4.107,2169,2.734,2269,5.515,2284,3.008,2285,6.951,2286,6.067,2287,6.067,2288,4.838,2289,4.838,2290,4.838,2291,6.067,2292,4.838,2293,3.008,2294,3.008,2295,3.008,2296,3.008,2297,3.008,2298,3.008,2299,2.734,2300,3.008]],["t/2998",[0,0.954,4,1.258,11,3.179,23,3.768,50,0.943,56,1.811,61,1.178,99,3.441,105,3.839,174,1.209,209,3.441,225,2.478,245,3.981,246,5.59,257,6.343,258,4.058,290,3.179,334,2.645,355,1.886,369,3.031,426,5.135,464,4.661,546,5.342,547,5.59,800,4.141,990,8.084,1124,3.261,1179,3.303,1455,4.058,1619,4.802,1733,5.342,1841,5.902,1959,6.319,1960,7.153]],["t/3000",[0,0.733,1,1.185,4,1.487,10,2.955,50,1.339,61,1.392,170,4.705,180,4.537,223,3.39,242,4.25,307,4.187,416,4.46,464,3.904,512,3.614,1455,6.172,1545,5.859]],["t/3002",[0,0.649,1,0.744,3,2.303,7,1.126,38,1.855,39,2.733,44,1.52,58,2.484,61,0.874,66,2.224,67,2.249,70,1.58,90,2.151,113,3.209,118,2.629,183,2.518,186,1.189,194,2.224,223,4.133,225,2.593,240,3.564,241,2.451,296,3.209,304,3.011,311,1.52,314,3.209,332,2.106,355,1.399,367,3.885,369,2.249,376,2.199,393,1.759,410,4.148,456,4.848,464,2.451,474,3.964,512,1.89,538,1.79,561,3.564,848,6.325,917,3.564,1132,5.027,1244,3.248,1268,4.379,1350,4.882,1370,3.964,1377,6.012,1386,2.71,1455,5.636,1461,3.964,1470,3.209,1501,4.689,1534,3.564,1541,5.374,1659,3.679,1681,4.148,1702,3.81,1798,3.81,2004,4.689,2005,6.177,2020,4.689,2037,8.455,2166,4.689,2176,4.689,2278,4.689,2301,7.276,2302,5.851,2303,5.158,2304,4.379,2305,5.158,2306,5.158]],["t/3004",[0,0.6,1,1.392,2,2.059,56,1.607,57,2.253,61,1.139,70,2.059,186,1.549,191,5.685,223,4.212,253,3.712,311,1.98,322,3.375,374,4.965,464,3.194,507,4.778,512,2.462,596,5.33,597,5.75,598,5.426,848,4.644,948,3.237,1254,6.013,1256,4.644,1377,4.794,1383,3.047,1455,5.96,2037,7.763,2053,6.11,2307,6.722,2308,6.722]],["t/3006",[0,0.972,170,6.237,211,3.395,223,3.323,237,5.743,241,3.827,257,5.743,372,5.743,416,4.372,438,5.743,456,4.044,1060,6.54,1455,4.701,1545,6.951,1733,6.188]],["t/3008",[0,0.967,4,1.658,10,3.783,250,5.177,260,4.472,282,3.508,355,2.485,356,4.892,357,6.329,416,5.709,464,3.461,512,2.668,599,6.87]],["t/3010",[0,0.727,1,1.751,7,1.52,11,2.219,12,2.472,36,2.727,122,3.09,125,2.633,128,2.472,129,2.951,208,1.98,355,1.316,376,2.068,566,2.778,610,4.148,613,3.255,749,3.255,800,2.889,930,3.168,956,1.794,1129,3.901,1189,2.192,1298,3.351,1963,4.118,2309,3.168,2310,4.851,2311,4.851,2312,4.851]],["t/3012",[0,0.843,1,1.736,39,3.062,233,4.224,335,4.465,2313,6.953]],["t/3014",[0,0.856,2,1.554,7,1.983,39,2.331,44,1.495,51,3.417,54,2.217,57,1.701,62,1.911,63,1.93,64,1.407,65,0.906,70,1.554,74,4.197,76,2.708,89,3.156,121,1.554,151,2.028,170,2.905,172,3.611,174,0.882,181,3.021,185,1.417,194,2.187,203,3.747,208,2.071,210,2.624,244,2.754,251,2.754,264,3.156,307,2.585,332,2.935,366,2.238,416,4.534,421,2.801,466,3.664,512,1.858,521,2.517,522,2.411,524,1.308,545,3.231,732,5.957,917,3.504,1017,4.079,1064,2.008,1179,2.411,1182,3.747,1200,3.231,1243,4.079,1248,4.079,1256,3.504,1274,4.079,1281,3.898,1284,2.961,1361,4.079,1446,3.086,1470,4.473,1484,2.708,1591,3.504,1631,3.617,1681,4.079,1728,4.307,1729,4.611,1768,3.404,1812,3.898,1813,2.071,1828,4.001,1937,4.611,1964,4.079,2023,3.898,2302,4.079,2314,4.611,2315,4.307,2316,5.073,2317,6.536,2318,5.073,2319,5.073,2320,4.611,2321,5.073,2322,4.307,2323,4.079,2324,5.073,2325,5.073,2326,5.073,2327,4.611]],["t/3016",[28,2.66,51,4.127,54,2.304,76,4.637,114,5.283,172,4.361,177,5.069,366,2.703,1358,2.962,1591,5.999,2328,7.893,2329,8.684]],["t/3018",[0,0.631,15,2.868,55,3.716,56,1.306,57,3.015,65,1.263,70,2.755,72,1.597,76,3.776,83,1.989,113,4.4,114,6.015,118,3.604,176,3.275,185,1.976,227,2.454,366,2.202,498,4.62,944,4.886,1120,4.505,1358,3.067,1548,6.429,1923,5.688,2025,6.429,2212,6.005,2330,7.073,2331,7.073,2332,8.993,2333,8.993,2334,7.073,2335,7.073,2336,7.073,2337,7.073,2338,7.073,2339,7.073]],["t/3020",[0,0.905,4,1.197,7,1.879,24,4.023,38,2.378,51,3.142,54,1.755,56,1.221,70,2.934,75,3.988,121,2.638,227,2.989,284,3.652,332,4.142,366,2.058,376,2.819,416,3.59,521,3.015,524,2.22,732,4.716,1124,4.492,1386,3.474,1389,5.081,1591,4.568,1780,5.614,1813,2.699,1815,2.899,1828,2.758,1831,5.614,1839,5.318,1964,5.318,2315,5.614,2322,5.614,2340,6.612,2341,6.01,2342,6.612,2343,5.614]],["t/3022",[0,0.418,1,1.264,4,0.523,5,0.921,7,1.022,13,2.165,31,1.305,36,0.92,39,0.53,44,2.419,50,0.222,51,1.373,54,0.767,55,0.86,56,0.534,57,0.969,61,0.657,64,0.801,65,0.693,70,1.189,73,1.322,76,0.874,89,1.018,106,3.893,119,3.235,121,1.435,131,1.732,132,2.09,133,1.316,160,0.578,186,0.894,209,1.43,210,1.495,223,1.601,227,0.568,244,0.888,268,3.724,282,1.391,311,0.851,332,3.046,334,0.623,342,0.945,366,0.509,376,0.698,400,1.316,401,1.721,407,2.681,421,0.904,478,0.904,515,1.887,521,1.639,522,1.844,524,1.645,569,3.193,583,1.018,616,4.256,723,5.218,725,5.777,726,1.389,727,5.01,732,1.167,737,1.869,785,2.61,843,3.34,848,2.681,932,1.84,938,0.955,948,0.788,1055,0.778,1076,1.13,1098,1.894,1124,0.768,1137,4.184,1164,3.598,1166,3.34,1179,0.778,1182,1.209,1254,1.996,1256,1.996,1298,3.235,1341,1.389,1354,1.316,1369,2.22,1376,1.316,1389,2.22,1395,2.324,1469,1.209,1470,1.018,1484,3.406,1532,2.061,1580,2.324,1619,6.343,1711,1.389,1769,2.534,1798,2.134,1811,2.453,1812,5.217,1813,1.18,1814,1.389,1815,0.826,1828,2.981,1829,1.389,1830,1.487,1831,1.389,1832,1.487,1833,1.487,1834,1.487,1839,7.728,1846,6.172,1849,4.86,1852,1.389,1853,1.487,1948,2.453,2023,2.22,2056,5.367,2123,2.453,2127,1.389,2212,1.389,2237,2.626,2239,2.22,2279,3.294,2280,2.453,2323,3.12,2341,3.527,2343,1.389,2344,1.636,2345,1.636,2346,1.636,2347,1.487,2348,1.487,2349,1.636,2350,4.683,2351,1.636,2352,4.683,2353,1.636,2354,2.889,2355,1.636,2356,2.889,2357,2.889,2358,3.527,2359,1.636,2360,3.527,2361,1.636,2362,3.527,2363,1.636,2364,4.683,2365,2.626,2366,1.636,2367,7.461,2368,4.683,2369,4.256,2370,5.904,2371,5.904,2372,4.683,2373,2.889,2374,6.172,2375,1.636,2376,2.889,2377,2.889,2378,2.626,2379,1.636,2380,1.636,2381,1.636,2382,1.636,2383,6.38,2384,2.889,2385,7.461,2386,3.88,2387,3.88,2388,3.88,2389,2.889,2390,1.636,2391,4.683,2392,6.38,2393,1.636,2394,1.636,2395,1.636,2396,1.487,2397,3.527,2398,3.527,2399,3.527,2400,3.527,2401,3.527]],["t/3024",[0,0.275,1,1.294,4,1.394,7,0.671,8,1.171,13,2.683,44,2.642,61,0.834,69,1.872,70,1.509,106,3.624,109,1.796,118,1.568,123,2.39,131,1.373,174,0.535,185,1.721,186,0.709,209,1.523,223,2.032,227,1.709,266,1.592,268,5.235,288,1.592,299,1.443,332,3.523,334,3.519,366,0.958,407,2.125,421,1.699,427,2.194,478,1.699,500,2.797,524,0.793,538,1.068,565,2.612,569,4.135,583,4.38,607,4.907,610,5.65,723,5.341,725,5.341,727,5.341,729,1.914,738,2.273,751,1.96,940,1.297,969,2.273,1026,2.194,1064,1.218,1083,2.474,1124,4.048,1178,3.217,1200,1.96,1254,2.125,1256,2.125,1298,7.411,1346,5.411,1395,2.474,1469,2.273,1470,3.064,1484,1.643,1652,2.612,1677,4.477,1828,1.283,1841,2.612,1950,2.612,2313,5.599,2323,7.211,2397,8.151,2398,2.797,2399,8.151,2400,2.797,2401,8.151,2402,4.926,2403,4.926,2404,8.63,2405,3.077,2406,3.077,2407,3.077,2408,4.926,2409,4.926,2410,3.077,2411,3.077,2412,3.077]],["t/3026",[0,0.827,1,1.396,4,1.58,5,2.784,13,2.533,38,2.86,39,1.507,54,2.461,63,1.768,64,1.289,65,0.83,68,3.296,70,1.424,75,4.48,76,2.481,90,1.938,106,1.821,111,1.877,128,2.368,181,2.768,185,1.298,194,2.004,208,1.897,209,3.937,227,2.76,241,2.208,250,3.051,260,3.296,284,2.566,286,2.004,291,3.036,299,2.18,332,4.175,355,1.261,356,2.481,366,2.102,367,2.481,388,2.238,393,1.585,405,2.368,482,3.211,497,3.571,498,3.036,512,1.702,599,5.195,723,2.768,725,2.768,727,4.022,761,4.224,763,2.612,764,2.566,1076,3.211,1242,3.737,1383,1.627,1484,2.481,1619,3.211,1768,3.118,1815,2.495,1816,5.733,1817,5.733,1828,1.938,1879,4.224,1964,3.737,2065,3.571,2127,3.946,2133,3.571,2413,3.946,2414,3.946,2415,4.224,2416,4.647,2417,4.647,2418,3.946,2419,3.036,2420,4.647,2421,4.647,2422,4.647,2423,4.647,2424,6.752,2425,6.752,2426,4.647]],["t/3028",[5,2.266,7,1.806,8,2.704,13,2.617,15,2.266,23,1.917,31,3.211,32,3.518,39,1.618,54,1.886,61,1.204,65,0.891,70,2.177,75,4.827,98,3.25,113,4.421,114,4.323,121,1.529,160,1.763,161,5.379,185,1.394,308,4.233,332,2.901,355,1.928,478,2.755,487,2.996,515,3.259,524,1.832,785,4.403,800,4.233,1021,5.249,1179,2.371,1254,3.447,1256,3.447,1446,4.323,1583,5.249,1811,4.236,1813,2.901,1814,4.236,1815,3.074,1816,6.033,1817,6.033,1818,6.033,1819,6.033,1820,6.033,1821,5.715,1822,6.033,1823,5.068,1824,6.033,1825,6.033,1826,6.459,2023,3.834,2302,4.013,2427,0.959,2428,4.99]],["t/3030",[0,0.241,1,1.566,5,0.862,6,1.398,7,1.23,8,1.028,9,1.357,13,2.372,15,2.297,16,2.517,23,1.703,24,2.697,27,1.028,28,1.999,33,1.059,36,2.492,38,0.972,50,0.602,58,1.301,61,0.458,68,1.319,70,0.828,94,1.319,109,1.577,111,1.091,113,1.681,114,1.644,121,0.828,127,2.995,131,1.206,139,1.867,143,1.139,147,2.187,150,1.028,152,1.301,154,1.813,155,1.927,168,1.996,174,1.346,185,1.239,286,1.165,294,2.304,295,2.889,300,2.813,334,1.687,355,2.099,366,0.841,420,1.849,425,2.517,473,1.443,477,1.933,480,3.694,481,1.996,483,2.293,487,3.037,521,1.974,524,0.697,749,1.813,762,1.048,839,2.195,844,1.609,956,2.663,975,2.845,1055,1.284,1064,1.069,1098,2.164,1121,1.813,1145,2.294,1158,1.813,1179,1.284,1189,1.221,1239,0.834,1284,2.588,1356,1.681,1813,1.103,1823,1.927,1828,1.849,1858,2.917,1918,1.927,2347,2.456,2348,2.456,2413,2.294,2414,2.294,2429,2.702,2430,2.294,2431,2.702,2432,1.42,2433,1.42,2434,2.226,2435,2.226,2436,2.702,2437,2.702,2438,1.42,2439,3.631,2440,1.42,2441,3.566,2442,2.702,2443,2.702,2444,1.42,2445,2.702,2446,1.42,2447,2.896,2448,1.42,2449,1.42,2450,5.538,2451,2.702,2452,1.42,2453,1.42,2454,2.329,2455,1.42,2456,2.329,2457,2.715,2458,2.702,2459,1.42,2460,1.42,2461,3.785,2462,1.42,2463,1.42,2464,1.42,2465,2.329,2466,1.42,2467,2.702,2468,2.702,2469,2.791,2470,2.702,2471,1.337,2472,1.42,2473,2.791,2474,4.433,2475,2.294,2476,2.702,2477,2.076,2478,2.702,2479,2.076,2480,2.076,2481,2.702,2482,2.702,2483,2.702,2484,2.702,2485,2.702,2486,2.702,2487,2.173,2488,2.702,2489,2.702,2490,2.294,2491,2.702,2492,2.294,2493,2.173,2494,2.702,2495,2.702,2496,2.294,2497,2.702,2498,2.294,2499,2.294,2500,2.294,2501,2.702,2502,2.702,2503,2.702,2504,2.702,2505,2.294,2506,3.764,2507,2.294,2508,2.294,2509,2.294,2510,2.294,2511,2.294,2512,2.702,2513,2.294,2514,4.433,2515,2.294,2516,2.456,2517,2.702,2518,2.702,2519,2.294,2520,2.294,2521,2.294,2522,3.764,2523,2.294,2524,4.433,2525,2.294]],["t/3032",[0,0.873,7,1.769,55,4.26,64,2.714,70,2.484,151,3.241,311,2.388,329,6.519,352,5.295,393,2.765,416,4.401,421,4.477,456,4.071,1280,5.043,1350,5.44,1530,7.369,1544,7.369,1863,6.229,2320,7.369,2526,8.107]],["t/3034",[0,0.603,4,1.223,5,2.156,7,1.906,13,1.961,61,1.145,64,2.422,72,1.526,83,1.932,121,2.071,161,3.669,162,3.799,185,1.888,186,1.558,194,2.914,210,4.519,225,2.409,227,3.031,241,3.212,286,3.766,288,3.497,331,6.021,332,2.759,367,3.609,405,3.444,443,4.535,518,5.436,538,3.031,569,3.993,1254,4.669,1389,5.194,1583,6.452,1813,3.951,2427,1.299,2527,7.94,2528,4.026,2529,6.759]],["t/3036",[0,0.566,4,1.147,5,2.021,7,2.178,13,1.839,44,1.867,56,1.17,61,1.074,64,2.323,72,1.431,76,3.384,83,2.075,121,1.942,161,3.44,174,1.102,185,1.771,186,1.461,194,2.732,210,4.333,286,3.611,299,4.4,304,3.7,331,3.943,332,3.419,405,3.23,448,5.381,453,5.381,521,3.284,524,2.748,538,2.199,737,3.052,1111,3.563,1244,2.829,1342,5.761,1555,4.87,1768,4.253,1812,6.436,1813,3.419,1920,5.381,2427,1.218,2528,3.775,2530,5.761,2531,6.338,2532,6.338]],["t/3038",[0,0.59,4,1.559,5,2.109,13,1.919,38,2.378,39,2.792,44,2.537,63,2.516,64,1.834,72,1.493,75,3.988,83,2.119,121,2.638,140,4.675,161,3.59,185,1.848,186,1.524,194,2.851,208,3.516,286,4.129,352,4.319,382,5.081,405,3.37,417,5.614,466,3.37,484,4.716,521,2.315,538,2.295,762,2.565,927,5.318,1066,4.716,1179,3.142,1529,6.01,1574,6.01,1586,4.716,1697,6.01,1815,2.899,2427,1.271,2528,3.939,2533,6.612,2534,6.612,2535,6.612]],["t/3040",[0,0.631,4,1.28,5,2.256,13,2.052,64,1.961,72,1.597,75,4.579,83,1.989,161,3.839,180,3.906,185,1.976,186,1.63,194,3.049,234,4.886,272,5.688,286,4.263,359,5.435,366,2.202,405,3.604,409,7.635,466,3.604,513,4.62,538,3.121,708,6.005,1020,5.688,1032,7.951,1541,5.224,1815,2.57,2427,1.359,2528,4.213,2536,6.429,2537,6.005,2538,6.005,2539,7.073]],["t/3042",[0,0.575,4,1.165,5,2.053,13,1.868,39,2.087,61,1.091,64,1.785,65,1.794,72,1.454,74,3.758,75,4.958,83,1.872,99,4.189,132,2.874,161,3.495,185,1.799,186,1.95,194,2.776,225,2.295,234,4.448,237,6.035,266,3.331,286,4.075,335,4.94,340,3.835,405,3.281,466,3.281,538,2.937,561,4.448,872,4.591,1602,4.005,1618,5.177,1634,5.177,1635,4.755,1638,5.177,1815,1.84,2133,4.947,2427,1.237,2528,3.835,2537,5.466,2538,5.466,2540,5.852,2541,5.177,2542,5.852,2543,5.852]],["t/3044",[0,0.578,4,1.172,5,2.064,13,1.878,39,2.098,61,1.096,64,1.795,65,1.797,72,1.461,74,3.778,75,4.966,83,1.879,99,4.204,132,2.889,161,3.513,185,1.808,186,1.492,194,2.79,225,2.307,234,4.471,237,6.056,266,3.348,286,4.086,335,3.778,340,3.855,405,3.298,466,3.298,538,2.947,561,4.471,872,6.056,1602,4.026,1618,5.205,1634,5.205,1635,4.781,1638,5.205,1815,1.85,2133,4.973,2427,1.244,2528,3.855,2537,5.495,2538,5.495,2541,5.205,2542,5.883,2543,5.883,2544,5.883]],["t/3046",[0,0.522,4,1.631,5,1.866,13,1.698,38,2.855,64,1.623,70,2.432,72,1.321,83,2.235,98,3.631,99,2.897,161,3.176,174,1.018,182,3.727,183,2.856,185,1.635,186,1.349,194,2.523,286,3.885,308,4.729,318,5.318,334,2.226,355,1.587,360,6.924,361,4.173,367,3.124,405,2.982,466,4.592,482,6.676,522,2.781,538,2.031,737,3.823,738,7.138,1058,5.318,1072,4.496,1101,4.968,1146,7.138,1224,5.318,1646,4.968,1769,3.822,1920,4.968,2304,4.968,2415,5.318,2427,1.124,2528,3.485,2545,5.851,2546,5.318,2547,8.19,2548,5.851,2549,5.851,2550,5.318,2551,5.318]],["t/3048",[0,0.587,4,1.19,5,2.737,13,1.908,27,3.634,28,2.015,60,5.009,61,1.454,64,1.824,72,1.485,83,1.455,94,3.211,121,2.015,161,3.57,180,4.739,185,1.838,186,1.978,194,2.835,258,3.839,286,4.118,298,4.544,334,2.502,355,2.849,405,3.351,442,4.544,444,3.167,482,4.544,484,4.69,487,4.428,488,4.544,521,2.303,538,2.282,785,3.211,1064,2.603,1092,4.091,1449,5.054,2427,1.264,2528,3.917,2552,7.8]],["t/3050",[0,0.65,28,2.231,31,4.139,32,5.206,38,2.62,39,2.361,54,1.933,61,1.234,72,1.645,83,1.611,160,2.573,194,3.95,208,2.973,225,3.265,286,3.14,291,4.758,300,2.506,330,4.431,331,5.699,336,6.767,364,3.889,466,3.712,538,2.528,940,3.071,1081,5.597,1189,3.291,1238,5.858,2418,6.184,2528,4.339,2553,7.284,2554,7.284]],["t/3052",[0,0.818,28,2.231,31,4.139,32,5.365,54,2.66,60,4.252,61,1.552,62,2.745,64,2.02,83,1.611,194,3.95,208,3.74,225,2.596,352,4.758,364,3.889,401,4.339,466,5.107,538,3.179,1252,4.339,1591,5.032,2222,6.184,2427,1.4,2528,4.339,2555,6.621,2556,6.621]],["t/3054",[0,0.569,4,1.153,5,2.032,13,1.848,44,2.771,64,1.767,72,1.898,83,1.859,161,3.458,180,3.518,185,1.78,186,1.468,194,2.747,225,2.995,245,3.648,286,4.054,291,4.161,304,3.719,352,4.161,382,4.895,405,3.246,466,4.283,520,4.706,524,2.167,538,2.917,737,4.047,855,2.271,919,5.791,946,3.518,1252,3.795,1541,4.706,1583,6.208,1626,3.199,1730,5.123,1776,8.548,1777,7.984,1821,5.123,2427,1.224,2528,3.795,2541,5.123,2557,7.639,2558,6.371,2559,6.371,2560,6.371,2561,6.371,2562,6.371]],["t/3056",[7,2.127,44,2.373,64,2.233,75,3.73,194,3.472,227,2.795,298,5.563,299,3.777,332,3.288,538,2.795,1252,4.797,1424,8.275,1815,2.301,2133,6.188,2413,6.837,2414,6.837,2427,1.547,2528,4.797,2563,7.32,2564,8.053,2565,8.053]],["t/3058",[0,0.563,4,1.141,5,2.011,8,3.175,13,1.829,15,2.662,54,2.643,62,2.376,64,1.749,72,1.424,83,1.395,161,3.423,183,4.568,185,1.762,186,1.453,194,2.718,266,3.262,286,4.034,308,3.756,366,1.963,367,3.366,389,3.61,402,5.353,405,3.213,416,3.423,524,2.412,538,2.897,547,5.07,785,3.078,800,6.34,855,2.247,925,5.731,967,4.657,1088,5.353,1116,4.496,1124,4.389,1132,4.356,1446,3.836,1484,3.366,1619,4.356,1663,5.731,1730,5.07,2427,1.211,2528,3.756,2566,6.305,2567,6.305]],["t/3060",[0,0.525,7,1.283,13,2.621,27,2.237,38,2.115,39,2.582,44,1.732,50,0.798,54,1.56,61,1.349,64,1.631,70,3.196,174,1.023,194,2.535,208,3.252,227,2.04,266,3.042,299,2.758,355,3.017,366,1.83,382,4.518,393,2.005,416,3.192,446,5.073,487,4.689,524,2.329,538,2.04,569,3.286,948,2.831,1137,2.996,1188,6.405,1365,2.87,1383,2.789,1532,4.193,1790,4.992,1794,4.992,1935,5.344,1973,6.405,2427,1.13,2430,6.762,2528,3.502,2568,5.879,2569,5.344]],["t/3062",[0,0.723,39,2.628,54,2.151,174,1.702,311,2.388,322,4.071,328,2.864,375,6.088,393,2.765,424,6.229,444,3.904,732,6.979,1828,4.081,2268,6.519,2322,6.882,2570,8.107,2571,8.107,2572,8.107]],["t/3065",[0,0.91,2,1.844,3,1.777,7,2.184,35,2.671,39,2.624,51,2.86,54,1.597,55,2.091,56,0.735,61,1.02,63,1.514,64,1.669,67,1.736,68,1.943,76,2.125,118,2.028,174,1.512,192,2.091,194,1.716,208,2.457,227,1.381,248,0.796,264,2.476,304,2.323,308,2.371,342,1.301,356,2.125,366,1.239,375,5.906,376,1.697,393,2.76,416,2.161,421,4.009,456,3.023,487,1.678,488,2.75,512,2.205,521,2.833,529,3.201,538,1.381,541,3.058,543,2.6,732,7.137,934,3.058,946,2.198,1060,2.671,1121,2.671,1274,3.201,1275,3.201,1281,3.058,1345,3.058,1361,3.201,1370,4.625,1383,2.107,1388,3.379,1458,2.279,1461,3.058,1463,2.838,1511,4.841,1591,2.75,1626,4.591,1647,3.618,1681,3.201,1757,3.379,1815,2.484,1828,3.959,1863,3.058,1923,3.201,1946,2.655,1955,2.94,1980,3.618,2021,3.618,2022,5.11,2023,3.058,2073,3.618,2299,6.598,2302,6.989,2314,3.618,2315,3.379,2427,1.157,2573,3.98,2574,3.98,2575,3.98,2576,3.98,2577,3.98,2578,3.98,2579,3.98,2580,3.98,2581,3.98,2582,3.98,2583,3.98,2584,3.98,2585,3.98,2586,3.98,2587,3.98,2588,3.98]],["t/3069",[2,2.551,7,1.818,44,2.454,50,1.13,56,1.538,65,1.488,185,2.327,186,1.92,211,3.511,248,1.665,855,2.968,1157,4.862,1239,2.572,1735,4.682,1946,3.674,2427,1.6,2589,3.296,2590,3.809]],["t/3071",[2,2.551,7,1.818,44,2.454,50,1.13,56,1.538,65,1.488,185,2.327,186,1.92,211,3.511,248,1.665,855,2.968,1239,2.572,1946,3.674,2427,1.6,2589,3.296,2590,3.809,2591,4.862,2592,4.961]],["t/3073",[2,2.534,7,2.162,44,2.437,50,1.122,56,1.527,65,1.477,185,2.311,186,1.907,211,3.487,248,1.654,855,2.948,1157,4.829,1239,2.554,1735,4.65,1946,3.649,2427,1.589,2589,3.274,2593,5.55]],["t/3075",[2,2.534,7,2.162,44,2.437,50,1.122,56,1.527,65,1.477,185,2.311,186,1.907,211,3.487,248,1.654,855,2.948,1239,2.554,1946,3.649,2427,1.589,2589,3.274,2591,4.829,2592,4.927,2593,5.55]],["t/3077",[2,2.551,7,1.818,44,2.454,50,1.13,56,1.538,65,1.488,185,2.327,186,1.92,211,3.511,248,1.665,855,2.968,1157,4.862,1239,2.572,1735,4.682,1946,3.674,2427,1.6,2589,3.296,2594,6.697]],["t/3079",[2,2.551,7,1.818,44,2.454,50,1.13,56,1.538,65,1.488,185,2.327,186,1.92,211,3.511,248,1.665,855,2.968,1239,2.572,1946,3.674,2427,1.6,2589,3.296,2591,4.862,2592,4.961,2594,6.697]],["t/3081",[2,2.569,7,1.83,44,2.471,50,1.138,56,1.548,65,1.498,185,2.343,186,1.933,211,3.535,248,1.677,855,2.989,1157,4.895,1239,2.589,1735,4.714,1946,3.699,2427,1.611,2595,5.627]],["t/3083",[2,2.569,7,1.83,44,2.471,50,1.138,56,1.548,65,1.498,185,2.343,186,1.933,211,3.535,248,1.677,855,2.989,1239,2.589,1946,3.699,2427,1.611,2591,4.895,2592,4.995,2595,5.627]],["t/3085",[2,2.569,7,1.83,44,2.471,50,1.138,56,1.548,65,1.498,185,2.343,186,1.933,211,3.535,248,1.677,855,2.989,1157,4.895,1239,2.589,1735,4.714,1946,3.699,2427,1.611,2596,7.622]],["t/3087",[2,2.569,7,1.83,44,2.471,50,1.138,56,1.548,65,1.498,185,2.343,186,1.933,211,3.535,248,1.677,855,2.989,1239,2.589,1946,3.699,2427,1.611,2591,4.895,2592,4.995,2596,7.622]],["t/3089",[0,0.558,1,1.587,2,1.537,4,0.57,5,1.004,8,1.198,13,0.913,28,2.855,50,0.427,56,1.317,61,0.533,64,1.734,65,1.615,71,1.537,72,0.711,73,1.44,83,0.696,85,1.738,99,3.096,100,2.056,101,1.855,127,3.041,132,2.239,174,0.548,185,0.88,186,0.726,199,1.373,209,2.483,233,3.94,248,1.003,277,4.754,286,1.357,294,1.772,295,3.375,300,1.726,328,1.112,366,1.562,387,1.838,388,1.516,401,1.875,405,1.604,420,2.092,444,1.516,462,1.738,464,2.384,521,2.498,525,3.052,537,1.756,538,1.093,556,3.789,622,2.419,786,1.946,788,1.946,855,1.122,883,2.929,926,2.82,946,2.77,956,1.855,1092,1.958,1133,1.958,1135,1.958,1137,2.556,1283,3.891,1417,1.838,1735,1.77,1796,1.738,1815,1.434,2309,2.056,2419,5.089,2427,0.605,2447,3.277,2597,2.325,2598,2.861,2599,3.366,2600,2.112,2601,2.112,2602,3.366,2603,6.656,2604,2.112,2605,2.112,2606,2.006,2607,1.958,2608,1.958,2609,4.197,2610,1.604,2611,2.112,2612,1.259,2613,1.272,2614,3.366,2615,4.787,2616,5.844,2617,3.366,2618,3.366,2619,3.366,2620,3.366,2621,3.366,2622,3.366,2623,3.366,2624,3.366,2625,2.112,2626,2.112,2627,3.366,2628,2.112,2629,1.77]],["t/3091",[1,1.097,2,2.882,4,1.376,28,3.271,50,1.031,56,1.404,64,2.108,99,5.059,100,4.965,185,2.124,186,1.752,209,4.658,248,1.52,286,3.277,401,4.528,405,3.874,556,2.734,622,5.841,855,2.709,1946,3.353,2427,1.461,2591,4.437,2597,5.615,2598,6.909,2630,7.602]],["t/3093",[2,2.569,7,1.83,44,2.471,50,1.138,56,1.548,65,1.498,185,2.343,186,1.933,211,3.535,248,1.677,855,2.989,1156,6.444,1239,2.589,1735,4.714,1946,3.699,2427,1.611,2631,6.743]],["t/3095",[2,2.272,7,1.619,44,2.185,50,1.006,56,1.369,64,2.057,65,1.325,72,1.675,185,2.072,186,1.709,199,4.041,211,3.127,248,1.853,328,2.62,537,2.597,855,2.643,883,4.33,1239,2.29,1626,3.724,1796,4.096,1815,2.119,2427,1.425,2591,4.33,2592,6.305,2610,3.779,2629,4.169,2631,7.452,2632,7.417,2633,5.124,2634,5.289]],["t/3097",[2,2.218,6,3.746,7,1.58,44,2.133,50,0.982,56,1.337,64,2.008,65,1.293,67,3.157,72,1.635,185,2.023,186,1.669,199,3.98,211,3.053,248,1.825,328,3.224,537,2.535,855,2.581,883,4.227,1157,5.835,1239,2.236,1484,3.866,1626,3.636,1735,4.07,1768,6.124,1815,2.069,2427,1.391,2610,3.69,2629,4.07,2633,5.002,2635,8.296,2636,6.581,2637,6.581]],["t/3099",[2,2.286,6,3.86,7,1.629,44,2.199,50,1.012,56,1.378,64,2.069,65,1.333,72,1.685,185,2.085,186,1.72,199,4.056,211,3.146,248,1.86,328,2.636,537,2.613,855,2.66,883,4.356,1064,2.953,1239,2.304,1626,3.747,1815,2.132,2427,1.434,2591,4.356,2592,6.036,2610,3.803,2629,4.195,2633,5.155,2634,5.322,2635,8.454]],["t/3101",[2,2.218,7,1.58,44,2.133,50,0.982,56,1.337,64,2.008,65,1.293,67,3.157,72,1.635,185,2.023,186,1.669,199,3.98,211,3.053,248,1.825,328,3.224,537,2.535,855,2.581,883,4.227,1157,5.835,1239,2.236,1484,3.866,1626,3.636,1735,4.07,1768,6.124,1815,2.069,2427,1.391,2610,3.69,2629,4.07,2633,5.002,2636,6.581,2637,6.581,2638,6.581,2639,9.127]],["t/3103",[2,2.358,7,1.68,44,2.268,50,1.044,56,1.421,64,2.135,65,1.375,72,1.738,185,2.151,186,1.774,199,3.357,211,3.245,248,1.896,328,2.719,479,5.686,537,2.695,855,2.744,1239,2.377,1796,4.251,1815,2.2,2427,1.479,2591,4.493,2592,6.388,2610,3.923,2634,5.489,2638,6.997]],["t/3105",[1,0.824,2,1.751,7,1.247,44,1.684,50,0.775,56,1.055,64,1.585,65,1.021,72,1.29,185,1.597,186,1.317,199,2.492,211,2.409,248,1.562,328,2.018,479,4.221,537,2.001,855,2.037,1064,2.262,1239,1.765,1815,1.633,1979,4.851,2427,1.098,2591,3.336,2592,7.201,2610,2.912,2634,4.075,2640,4.851,2641,5.714,2642,5.714]],["t/3107",[2,2.467,7,1.758,44,2.373,50,1.093,56,1.487,65,1.438,185,2.25,186,1.856,199,3.512,211,3.395,248,1.611,342,2.633,855,2.87,895,5.563,1157,4.701,1239,2.487,1735,4.527,1815,2.301,2427,1.547,2610,4.104,2640,6.837,2643,8.053,2644,8.053]],["t/3109",[2,2.467,7,1.758,44,2.373,50,1.093,56,1.487,65,1.438,185,2.25,186,1.856,199,3.512,211,3.395,248,1.611,342,2.633,855,2.87,895,5.563,1156,6.188,1239,2.487,1735,4.527,1815,2.301,2427,1.547,2610,4.104,2640,6.837,2645,8.053,2646,8.053]],["t/3112",[0,0.658,1,1.454,4,1.334,5,2.351,7,1.609,13,2.139,38,2.651,50,1,56,1.361,65,1.317,83,1.631,101,2.726,185,2.06,248,1.474,342,2.41,420,3.074,524,1.901,556,3.32,786,2.86,788,2.86,1239,2.276,1358,2.514,1383,2.581,1716,2.493,1815,2.107,2427,1.416,2434,4.635,2435,3.702,2589,2.918,2590,3.372,2606,2.948,2612,2.948,2613,2.978]],["t/3114",[1,1.495,4,0.72,7,0.869,11,2.753,27,2.29,38,1.432,45,5.776,50,0.54,54,1.056,63,1.514,64,1.104,65,1.075,71,1.943,72,0.899,73,4.342,94,1.943,105,2.198,132,4.238,151,3.796,199,1.736,248,1.204,290,1.82,311,1.173,328,1.406,420,2.51,473,5.343,524,1.026,537,1.393,556,2.611,569,3.917,705,2.94,751,6.047,791,7.013,1064,1.575,1165,2.75,1239,1.229,1358,1.357,1383,1.393,1716,1.346,1815,1.137,2427,0.765,2589,1.575,2590,1.82,2597,2.94,2647,3.379,2648,3.618,2649,2.94,2650,3.201,2651,3.201,2652,3.201,2653,3.201,2654,3.201,2655,7.862,2656,3.201,2657,3.201,2658,3.201,2659,6.508,2660,7.635,2661,7.635,2662,7.635,2663,7.635,2664,3.201,2665,3.201,2666,3.201,2667,3.201,2668,3.201,2669,3.201,2670,3.201,2671,3.201,2672,4.841,2673,3.201,2674,3.201,2675,3.201,2676,3.201,2677,3.201,2678,3.201]],["t/3116",[1,1.516,4,0.723,7,0.871,11,2.76,38,1.436,45,5.782,50,0.542,64,1.107,65,0.713,71,1.949,72,0.902,73,4.347,105,2.205,121,2.228,132,4.243,151,3.8,199,1.741,210,3.763,248,1.207,290,1.826,328,1.411,473,5.348,524,1.03,537,1.398,556,2.616,569,3.921,705,2.95,751,6.054,791,7.02,1064,2.388,1239,1.233,1383,1.398,1716,1.35,1813,2.969,1815,1.141,2427,0.767,2589,1.58,2590,1.826,2597,2.95,2649,2.95,2650,3.211,2651,3.211,2652,3.211,2653,3.211,2654,3.211,2655,7.87,2656,3.211,2657,3.211,2658,3.211,2659,6.519,2660,7.643,2661,7.643,2662,7.643,2663,7.643,2664,3.211,2665,3.211,2666,3.211,2667,3.211,2668,3.211,2669,3.211,2670,3.211,2671,3.211,2672,4.853,2673,3.211,2674,3.211,2675,3.211,2676,3.211,2677,3.211,2678,3.211,2679,3.993]],["t/3118",[4,1.507,7,1.818,15,2.656,38,2.995,50,1.13,65,1.488,248,1.665,290,3.809,524,2.147,573,5.305,1239,2.572,1358,2.84,1383,2.916,1716,2.816,1946,3.674,2427,1.6,2589,3.296,2590,3.809]],["t/3120",[0,0.478,1,1.17,4,0.619,5,2.106,7,0.747,13,2.497,15,3.182,16,2.948,28,2.289,33,3.179,38,1.927,39,1.109,50,0.727,56,0.632,63,1.302,64,0.949,65,1.18,72,0.773,83,1.185,98,1.565,101,1.265,121,1.642,123,1.328,127,3.655,147,1.328,150,1.302,151,1.368,152,2.58,160,1.209,166,1.648,174,0.595,185,0.956,248,1.072,294,1.893,295,2.789,300,3.094,311,1.008,328,1.209,334,2.039,355,2.201,369,1.492,389,1.959,420,2.235,425,1.528,477,2.337,480,3.376,483,2.772,487,2.784,521,1.198,524,0.882,537,1.198,542,1.694,556,1.927,762,1.328,786,1.328,788,1.328,839,2.653,956,2.442,975,1.492,1034,1.585,1055,1.626,1064,2.121,1098,2.616,1125,1.718,1126,2.616,1168,1.77,1189,1.546,1239,1.057,1244,1.528,1358,1.167,1383,1.198,1716,1.157,1813,1.397,1815,0.978,1828,1.427,1858,3.417,2427,0.658,2432,1.798,2433,1.798,2434,1.718,2435,1.718,2438,1.798,2439,1.605,2440,1.798,2441,3.269,2444,1.798,2446,1.798,2448,1.798,2449,1.798,2452,1.798,2453,1.798,2454,2.815,2455,1.798,2456,2.815,2457,1.648,2459,1.798,2460,1.798,2461,4.263,2462,1.798,2463,1.798,2464,1.798,2465,2.815,2466,1.798,2469,2.653,2471,1.694,2472,1.798,2473,2.653,2589,1.354,2590,1.565,2606,1.368,2612,1.368,2613,1.382,2680,3.422,2681,3.422,2682,1.626,2683,1.67,2684,1.626,2685,1.626,2686,1.626,2687,1.626,2688,1.626,2689,1.626,2690,1.626,2691,1.67,2692,1.626,2693,1.626,2694,1.827,2695,1.827,2696,1.827,2697,1.827,2698,1.827,2699,1.827,2700,1.718,2701,1.827,2702,1.827,2703,1.827]],["t/3122",[0,0.488,1,1.093,4,0.635,5,2.141,7,0.766,13,2.523,15,3.076,16,2.997,28,2.321,33,3.408,38,1.966,39,1.138,50,0.742,56,0.648,63,1.336,64,0.974,65,0.976,72,0.793,83,0.777,98,1.606,101,1.298,121,1.675,123,1.362,127,3.186,140,1.906,147,1.362,150,1.336,151,1.404,152,2.632,160,1.24,166,1.691,174,0.611,248,1.093,294,1.931,295,3.065,300,2.607,311,1.034,328,1.24,334,2.08,355,2.227,365,2.425,389,2.01,420,2.28,425,1.567,477,3.581,480,3.423,483,2.828,487,2.83,521,1.229,524,0.905,537,1.229,542,1.738,556,1.966,762,1.362,786,1.362,788,1.362,839,2.706,956,2.482,975,1.531,1034,1.626,1055,1.668,1064,1.389,1098,2.669,1125,1.763,1126,2.669,1168,1.816,1189,1.586,1239,1.084,1244,1.567,1311,2.98,1358,1.197,1383,1.229,1716,1.187,1813,1.433,1815,1.003,1828,1.464,1858,3.473,2427,0.675,2432,1.845,2433,1.845,2434,1.763,2435,1.763,2438,1.845,2439,1.647,2440,1.845,2441,3.323,2444,1.845,2446,1.845,2448,1.845,2449,1.845,2452,1.845,2453,1.845,2454,2.872,2455,1.845,2456,2.872,2457,1.691,2459,1.845,2460,1.845,2461,4.315,2462,1.845,2463,1.845,2464,1.845,2465,2.872,2466,1.845,2469,2.706,2471,1.738,2472,1.845,2473,2.706,2589,1.389,2590,1.606,2606,1.404,2612,1.404,2613,1.418,2682,1.668,2683,1.714,2684,1.668,2685,1.668,2686,1.668,2687,1.668,2688,1.668,2689,1.668,2690,1.668,2691,1.714,2692,1.668,2693,1.668,2694,1.874,2695,1.874,2696,1.874,2697,1.874,2698,1.874,2699,1.874,2700,1.763,2701,1.874,2702,1.874,2703,1.874,2704,3.51]],["t/3124",[0,0.502,1,1.116,4,0.66,5,1.796,7,0.796,13,2.563,15,2.466,16,3.07,28,2.369,33,1.429,38,2.025,50,0.764,56,0.673,64,1.011,65,0.651,72,1.271,83,0.807,101,1.348,121,1.725,123,1.415,127,3.236,147,1.415,150,1.387,151,1.458,152,2.711,160,1.288,166,1.756,174,0.634,185,1.019,186,0.841,242,1.887,248,1.126,294,1.989,295,2.886,300,2.66,328,1.288,334,2.142,355,2.267,420,2.348,425,1.628,477,3.644,480,3.494,483,2.913,487,2.899,521,1.277,524,0.94,537,1.277,542,1.805,556,2.025,762,1.415,786,1.415,788,1.415,839,2.787,948,1.756,956,2.082,975,1.59,976,4.015,1034,1.689,1055,1.733,1098,2.749,1125,1.831,1126,2.749,1168,1.887,1189,1.648,1239,1.126,1244,1.628,1358,1.244,1383,1.277,1716,1.233,1813,1.489,1815,1.042,1828,1.521,1858,3.558,2427,0.701,2432,1.916,2433,1.916,2434,1.831,2435,1.831,2438,1.916,2439,1.711,2440,1.916,2441,3.404,2444,1.916,2446,1.916,2448,1.916,2449,1.916,2452,1.916,2453,1.916,2454,2.958,2455,1.916,2456,2.958,2457,1.756,2459,1.916,2460,1.916,2461,4.391,2462,1.916,2463,1.916,2464,1.916,2465,2.958,2466,1.916,2469,2.787,2471,1.805,2472,1.916,2473,2.787,2589,1.443,2590,1.668,2606,1.458,2612,1.458,2613,1.473,2682,1.733,2683,1.78,2684,1.733,2685,1.733,2686,1.733,2687,1.733,2688,1.733,2689,1.733,2690,1.733,2691,1.78,2692,1.733,2693,1.733,2694,1.947,2695,1.947,2696,1.947,2697,1.947,2698,1.947,2699,1.947,2700,1.831,2701,1.947,2702,1.947,2703,1.947,2705,5.118,2706,3.647]],["t/3126",[0,0.506,1,1.121,4,0.666,5,1.808,7,0.803,13,2.572,15,2.478,16,3.087,28,2.38,33,1.442,38,2.039,50,1.054,56,0.679,64,1.021,65,0.657,72,1.28,83,0.814,101,1.361,121,1.737,123,1.428,127,3.248,147,1.428,150,1.4,151,1.471,152,2.73,160,1.3,166,1.772,174,0.64,248,1.134,294,2.003,295,2.9,300,2.673,328,1.3,334,2.157,355,2.276,376,1.569,420,2.364,425,1.643,477,3.659,480,3.511,483,2.933,487,2.916,521,1.288,524,0.949,537,1.288,542,1.822,556,2.039,762,1.428,786,1.428,788,1.428,839,2.807,956,2.096,975,1.605,976,4.037,1034,1.704,1055,1.749,1098,2.768,1125,1.848,1126,2.768,1168,1.904,1189,1.663,1239,1.136,1244,1.643,1358,1.255,1383,1.288,1716,1.244,1813,1.502,1815,1.052,1828,1.535,1858,3.578,2427,0.707,2432,1.934,2433,1.934,2434,1.848,2435,1.848,2438,2.979,2439,1.726,2440,1.934,2441,3.424,2444,1.934,2446,1.934,2448,1.934,2449,1.934,2452,1.934,2453,1.934,2454,2.979,2455,1.934,2456,2.979,2457,1.772,2459,1.934,2460,1.934,2461,4.41,2462,1.934,2463,1.934,2464,1.934,2465,2.979,2466,1.934,2469,2.807,2471,1.822,2472,1.934,2473,2.807,2589,1.456,2590,1.683,2606,1.471,2612,1.471,2613,1.487,2682,1.749,2683,1.796,2684,1.749,2685,1.749,2686,1.749,2687,1.749,2688,1.749,2689,1.749,2690,1.749,2691,1.796,2692,1.749,2693,1.749,2694,1.965,2695,1.965,2696,1.965,2697,1.965,2698,1.965,2699,1.965,2700,1.848,2701,1.965,2702,1.965,2703,1.965]],["t/3128",[0,0.505,1,1.119,4,0.664,5,1.804,7,0.801,13,2.569,15,2.474,16,3.082,28,2.377,33,1.438,38,2.034,50,0.767,56,0.677,64,1.017,65,0.655,72,1.277,83,0.812,101,1.357,121,1.733,123,1.423,127,3.244,147,1.423,150,1.396,151,1.467,152,2.724,160,1.296,166,1.767,174,0.638,186,0.846,248,1.131,294,1.998,295,2.896,300,2.669,328,1.296,334,2.152,355,2.273,376,1.564,420,2.359,425,1.638,477,3.654,480,3.505,483,2.926,487,2.91,521,1.285,524,0.946,537,1.285,542,1.816,556,2.034,762,1.423,786,1.423,788,1.423,839,2.8,956,2.091,975,1.6,976,4.03,1034,1.699,1055,1.743,1098,2.761,1125,1.842,1126,2.761,1168,1.898,1189,1.658,1239,1.133,1244,1.638,1358,1.251,1383,1.285,1716,1.241,1813,1.498,1815,1.048,1828,1.53,1840,5.141,1858,3.571,2427,0.705,2432,1.928,2433,1.928,2434,1.842,2435,1.842,2438,2.972,2439,1.721,2440,1.928,2441,3.417,2444,1.928,2446,1.928,2448,1.928,2449,1.928,2452,1.928,2453,1.928,2454,2.972,2455,1.928,2456,2.972,2457,1.767,2459,1.928,2460,1.928,2461,4.404,2462,1.928,2463,1.928,2464,1.928,2465,2.972,2466,1.928,2469,2.8,2471,1.816,2472,1.928,2473,2.8,2589,1.452,2590,1.678,2606,1.467,2612,1.467,2613,1.482,2682,1.743,2683,1.791,2684,1.743,2685,1.743,2686,1.743,2687,1.743,2688,1.743,2689,1.743,2690,1.743,2691,1.791,2692,1.743,2693,1.743,2694,1.959,2695,1.959,2696,1.959,2697,1.959,2698,1.959,2699,1.959,2700,1.842,2701,1.959,2702,1.959,2703,1.959]],["t/3130",[0,0.497,1,1.107,4,0.65,5,1.775,7,0.784,13,2.547,15,2.447,16,3.041,28,2.351,33,1.408,38,2.002,39,1.165,50,0.488,54,0.954,56,0.663,63,1.367,65,0.994,72,0.811,83,1.231,101,1.329,121,2.543,123,1.394,127,3.216,147,1.394,150,1.367,151,1.437,152,2.681,160,1.966,166,1.73,174,0.625,185,1.004,210,2.88,248,1.113,294,1.966,295,2.864,300,2.639,311,1.059,328,1.269,334,2.118,342,1.175,355,2.252,420,2.321,425,1.604,477,1.567,480,3.466,483,2.88,487,2.872,521,1.258,524,0.926,537,1.258,542,1.779,556,2.002,738,2.654,762,1.394,786,1.394,788,1.394,839,2.755,956,2.058,975,1.567,1034,1.664,1055,1.708,1098,2.717,1125,1.804,1126,2.717,1168,1.859,1189,1.623,1244,1.604,1358,1.225,1383,1.258,1545,2.562,1716,1.215,1813,3.389,1815,1.027,1828,1.498,1858,3.525,2427,0.69,2432,1.888,2433,1.888,2434,1.804,2435,1.804,2438,1.888,2439,1.685,2440,1.888,2441,3.373,2444,1.888,2446,1.888,2448,1.888,2449,1.888,2452,1.888,2453,1.888,2454,2.925,2455,1.888,2456,2.925,2457,1.73,2459,1.888,2460,1.888,2461,4.362,2462,1.888,2463,1.888,2464,1.888,2465,2.925,2466,1.888,2469,2.755,2471,1.779,2472,1.888,2473,2.755,2589,1.422,2590,1.643,2606,1.437,2612,1.437,2613,1.452,2682,1.708,2683,1.754,2684,1.708,2685,1.708,2686,1.708,2687,1.708,2688,1.708,2689,1.708,2690,1.708,2691,1.754,2692,1.708,2693,1.708,2694,1.919,2695,1.919,2696,1.919,2697,1.919,2698,1.919,2699,1.919,2700,1.804,2701,1.919,2702,1.919,2703,1.919,2707,3.593,2708,3.593,2709,3.593]],["t/3132",[0,0.498,1,1.199,4,0.652,5,1.779,7,0.787,13,2.551,15,2.451,16,3.047,28,2.354,33,1.412,38,2.007,50,0.757,56,0.665,64,0.999,65,0.644,72,1.26,83,0.797,101,1.333,121,2.693,123,1.398,127,3.22,147,1.398,150,1.371,151,1.441,152,2.687,160,1.273,166,1.736,174,0.627,210,3.976,248,1.116,290,1.648,294,1.971,295,2.868,300,2.644,328,1.273,334,2.122,355,2.255,376,1.536,420,2.327,425,1.609,477,1.572,480,3.472,483,2.886,487,2.878,521,1.262,524,0.929,537,1.262,542,1.784,556,2.007,762,1.398,786,1.398,788,1.398,839,2.762,956,2.063,975,1.572,1034,1.669,1055,1.713,1064,1.426,1098,2.723,1125,1.81,1126,2.723,1168,1.864,1189,1.628,1239,1.113,1244,1.609,1358,1.229,1383,1.262,1716,1.219,1813,3.393,1815,1.03,1828,1.503,1858,3.531,2427,0.692,2432,1.894,2433,1.894,2434,1.81,2435,1.81,2438,1.894,2439,1.69,2440,1.894,2441,3.379,2444,1.894,2446,1.894,2448,1.894,2449,1.894,2452,1.894,2453,1.894,2454,2.931,2455,1.894,2456,2.931,2457,1.736,2459,1.894,2460,1.894,2461,4.367,2462,1.894,2463,1.894,2464,1.894,2465,2.931,2466,1.894,2469,2.762,2471,1.784,2472,1.894,2473,2.762,2589,1.426,2590,1.648,2606,1.441,2612,1.441,2613,1.456,2682,1.713,2683,1.759,2684,1.713,2685,1.713,2686,1.713,2687,1.713,2688,1.713,2689,1.713,2690,1.713,2691,1.759,2692,1.713,2693,1.713,2694,1.924,2695,1.924,2696,1.924,2697,1.924,2698,1.924,2699,1.924,2700,1.81,2701,1.924,2702,1.924,2703,1.924,2710,5.579]],["t/3134",[1,1.496,4,0.723,7,0.871,11,2.76,38,1.436,45,5.782,50,0.542,65,0.713,71,1.949,72,0.902,73,4.347,83,0.883,105,2.205,121,2.228,132,4.243,151,3.8,199,1.741,210,3.122,248,1.207,328,1.411,342,1.305,376,1.702,473,5.348,524,1.03,537,1.398,556,2.616,569,3.921,705,2.95,751,6.054,791,7.02,1064,1.58,1239,1.233,1358,1.362,1383,1.398,1716,1.35,1813,2.969,1815,1.141,2427,0.767,2589,1.58,2590,1.826,2597,2.95,2649,2.95,2650,3.211,2651,3.211,2652,3.211,2653,3.211,2654,3.211,2655,7.87,2656,3.211,2657,3.211,2658,3.211,2659,6.519,2660,7.643,2661,7.643,2662,7.643,2663,7.643,2664,3.211,2665,3.211,2666,3.211,2667,3.211,2668,3.211,2669,3.211,2670,3.211,2671,3.211,2672,4.853,2673,3.211,2674,3.211,2675,3.211,2676,3.211,2677,3.211,2678,3.211,2711,3.993,2712,3.993]],["t/3136",[0,0.492,1,1.191,4,0.643,5,1.759,7,0.775,13,2.535,15,2.432,16,3.019,28,2.336,33,1.392,38,1.984,50,0.748,56,0.656,65,0.634,72,0.802,83,0.786,101,1.313,121,2.794,123,1.378,127,3.201,147,1.378,150,1.351,151,1.42,152,2.656,160,1.254,166,1.71,174,0.618,210,3.944,248,1.103,294,1.948,295,2.846,300,2.623,328,1.254,334,2.098,342,1.161,355,2.239,376,1.514,420,2.3,425,1.585,477,1.549,478,1.961,480,3.445,483,2.854,487,2.851,521,1.243,524,0.916,537,1.243,542,1.758,556,1.984,762,1.378,786,1.378,788,1.378,839,2.73,956,2.039,975,1.549,1026,2.533,1034,1.645,1055,1.688,1098,2.693,1125,1.783,1126,2.693,1168,1.837,1189,1.605,1239,1.097,1244,1.585,1250,2.32,1358,1.211,1383,1.243,1716,1.201,1812,4.238,1813,3.567,1815,1.015,1828,1.481,1858,3.499,2427,0.682,2432,1.866,2433,1.866,2434,1.783,2435,1.783,2438,1.866,2439,1.666,2440,1.866,2441,3.348,2444,1.866,2446,1.866,2448,1.866,2449,1.866,2452,1.866,2453,1.866,2454,2.898,2455,1.866,2456,2.898,2457,1.71,2459,1.866,2460,1.866,2461,4.338,2462,1.866,2463,1.866,2464,1.866,2465,2.898,2466,1.866,2469,2.73,2471,1.758,2472,1.866,2473,2.73,2589,1.406,2590,1.624,2606,1.42,2612,1.42,2613,1.435,2682,1.688,2683,1.734,2684,1.688,2685,1.688,2686,1.688,2687,1.688,2688,1.688,2689,1.688,2690,1.688,2691,1.734,2692,1.688,2693,1.688,2694,1.896,2695,1.896,2696,1.896,2697,1.896,2698,1.896,2699,1.896,2700,1.783,2701,1.896,2702,1.896,2703,1.896,2713,5.516,2714,3.551]],["t/3138",[0,0.491,1,1.189,4,0.641,5,1.755,7,0.773,13,2.532,15,2.428,16,3.013,28,2.332,33,1.387,38,1.979,50,0.747,56,0.654,63,1.347,64,0.982,65,0.633,71,1.729,72,1.243,83,0.783,90,1.477,101,1.309,121,1.686,123,1.374,127,3.197,136,2.672,147,1.374,150,1.347,151,1.416,152,2.65,160,1.251,166,1.705,174,0.616,210,3.492,227,1.229,248,1.101,294,1.944,295,2.841,300,2.619,311,1.043,328,1.251,331,2.203,334,2.094,355,2.236,359,2.721,376,1.51,420,2.295,425,1.581,477,1.544,480,3.439,483,2.847,487,2.846,521,1.24,524,0.913,537,1.24,538,1.229,542,1.753,556,2.428,762,1.374,786,1.374,788,1.374,839,2.724,956,2.035,975,1.544,1034,1.64,1055,1.683,1064,2.178,1098,2.687,1125,1.778,1126,2.687,1168,1.832,1189,1.6,1239,1.093,1244,1.581,1358,1.208,1383,1.24,1716,1.197,1813,3.108,1815,1.012,1828,1.477,1858,3.492,2396,5.002,2427,0.68,2432,1.861,2433,1.861,2434,1.778,2435,1.778,2438,1.861,2439,1.661,2440,1.861,2441,3.342,2444,1.861,2446,1.861,2448,1.861,2449,1.861,2452,1.861,2453,1.861,2454,2.892,2455,1.861,2456,2.892,2457,1.705,2459,1.861,2460,1.861,2461,4.332,2462,1.861,2463,1.861,2464,1.861,2465,2.892,2466,1.861,2469,2.724,2471,1.753,2472,1.861,2473,2.724,2589,1.402,2590,1.62,2606,1.416,2612,1.416,2613,1.431,2682,1.683,2683,1.729,2684,1.683,2685,1.683,2686,1.683,2687,1.683,2688,1.683,2689,1.683,2690,1.683,2691,1.729,2692,1.683,2693,1.683,2694,1.891,2695,1.891,2696,1.891,2697,1.891,2698,1.891,2699,1.891,2700,1.778,2701,1.891,2702,1.891,2703,1.891]],["t/3140",[0,0.5,1,1.202,4,0.656,5,1.787,7,0.791,13,2.557,15,2.458,16,3.058,28,2.362,33,1.42,38,2.016,50,0.76,56,0.669,64,1.005,65,0.648,71,1.77,72,0.819,83,0.802,101,1.34,121,1.717,123,1.406,127,3.228,136,2.712,147,1.406,150,1.379,151,1.45,152,2.699,160,1.281,166,1.746,174,0.631,210,3.544,248,1.121,294,1.98,295,2.877,300,2.652,328,1.281,334,2.132,355,2.261,376,1.545,420,2.337,425,1.618,477,1.581,480,3.483,483,2.899,487,2.889,521,1.269,524,0.935,537,1.269,538,1.258,542,1.795,556,2.464,762,1.406,786,1.406,788,1.406,839,2.774,956,2.072,975,1.581,1034,1.679,1055,1.723,1064,2.218,1098,2.736,1125,1.82,1126,2.736,1168,1.875,1189,1.638,1239,1.119,1244,1.618,1358,1.236,1383,1.269,1716,1.226,1813,3.147,1815,1.036,1828,1.512,1858,3.544,2427,0.697,2432,1.905,2433,1.905,2434,1.82,2435,1.82,2438,1.905,2439,1.7,2440,1.905,2441,3.392,2444,1.905,2446,1.905,2448,1.905,2449,1.905,2452,1.905,2453,1.905,2454,2.945,2455,1.905,2456,2.945,2457,1.746,2459,1.905,2460,1.905,2461,4.379,2462,1.905,2463,1.905,2464,1.905,2465,2.945,2466,1.905,2469,2.774,2471,1.795,2472,1.905,2473,2.774,2527,3.295,2589,1.435,2590,1.658,2606,1.45,2612,1.45,2613,1.465,2682,1.723,2683,1.77,2684,1.723,2685,1.723,2686,1.723,2687,1.723,2688,1.723,2689,1.723,2690,1.723,2691,1.77,2692,1.723,2693,1.723,2694,1.936,2695,1.936,2696,1.936,2697,1.936,2698,1.936,2699,1.936,2700,1.82,2701,1.936,2702,1.936,2703,1.936]],["t/3142",[0,0.493,1,1.102,4,0.645,5,1.763,7,0.777,13,2.538,15,2.636,16,3.024,28,2.339,33,1.396,38,1.988,39,1.155,50,0.75,54,0.945,56,0.658,63,1.355,64,0.988,65,0.636,72,1.248,83,0.788,101,1.317,121,2.68,123,1.382,127,3.205,147,1.382,150,1.355,151,1.424,152,2.662,160,1.258,166,1.715,174,0.62,210,3.505,248,1.106,294,1.953,295,2.85,300,2.627,311,1.049,328,1.258,334,2.103,355,2.242,376,1.518,420,2.305,425,1.59,477,1.553,480,3.45,483,2.86,487,2.856,521,1.247,524,0.918,537,1.247,542,1.763,556,1.988,762,1.382,786,1.382,788,1.382,839,2.737,956,2.044,975,1.553,1034,1.65,1055,1.693,1098,2.699,1125,1.789,1126,2.699,1168,1.843,1189,1.609,1239,1.1,1244,1.59,1358,1.215,1383,1.247,1716,1.204,1813,3.375,1815,1.018,1828,1.485,1858,3.505,2343,5.752,2427,0.684,2432,1.871,2433,1.871,2434,1.789,2435,1.789,2438,1.871,2439,1.671,2440,1.871,2441,3.354,2444,1.871,2446,1.871,2448,1.871,2449,1.871,2452,1.871,2453,1.871,2454,2.905,2455,1.871,2456,2.905,2457,1.715,2459,1.871,2460,1.871,2461,4.344,2462,1.871,2463,1.871,2464,1.871,2465,2.905,2466,1.871,2469,2.737,2471,1.763,2472,1.871,2473,2.737,2589,1.41,2590,1.629,2606,1.424,2612,1.424,2613,1.439,2682,1.693,2683,1.739,2684,1.693,2685,1.693,2686,1.693,2687,1.693,2688,1.693,2689,1.693,2690,1.693,2691,1.739,2692,1.693,2693,1.693,2694,1.902,2695,1.902,2696,1.902,2697,1.902,2698,1.902,2699,1.902,2700,1.789,2701,1.902,2702,1.902,2703,1.902,2715,3.562,2716,3.562]],["t/3144",[0,0.499,1,1.201,4,0.654,5,1.783,7,0.789,13,2.554,15,2.455,16,3.053,28,2.358,33,1.416,38,2.011,50,0.759,56,0.667,64,1.002,65,0.646,72,0.816,73,1.653,83,0.8,101,1.336,118,1.842,121,1.713,123,3.414,127,3.224,147,1.402,150,1.375,151,1.445,152,2.693,160,1.277,166,1.741,174,0.629,248,1.118,290,1.653,294,1.975,295,2.873,300,2.648,328,1.277,334,2.127,355,2.258,420,2.332,425,1.614,477,1.576,480,3.477,483,2.893,487,2.883,518,2.907,521,2.914,524,0.932,537,1.265,542,1.789,556,2.011,762,1.402,786,1.402,788,1.402,839,2.768,956,2.068,975,1.576,1034,1.674,1055,1.718,1064,1.431,1098,2.73,1125,1.815,1126,2.73,1168,1.87,1189,1.633,1239,1.116,1244,1.614,1344,3.069,1358,1.233,1383,1.265,1545,2.578,1716,1.222,1813,1.476,1815,1.033,1828,1.507,1858,3.538,2427,0.695,2432,1.899,2433,1.899,2434,1.815,2435,1.815,2438,1.899,2439,1.695,2440,1.899,2441,3.385,2444,1.899,2446,1.899,2448,1.899,2449,1.899,2452,1.899,2453,1.899,2454,2.938,2455,1.899,2456,2.938,2457,1.741,2459,1.899,2460,1.899,2461,4.373,2462,1.899,2463,1.899,2464,1.899,2465,2.938,2466,1.899,2469,2.768,2471,1.789,2472,1.899,2473,2.768,2589,1.431,2590,1.653,2606,1.445,2612,1.445,2613,1.46,2682,1.718,2683,1.765,2684,1.718,2685,1.718,2686,1.718,2687,1.718,2688,1.718,2689,1.718,2690,1.718,2691,1.765,2692,1.718,2693,1.718,2694,1.93,2695,1.93,2696,1.93,2697,1.93,2698,1.93,2699,1.93,2700,1.815,2701,1.93,2702,1.93,2703,1.93,2717,3.615]],["t/3146",[0,0.513,1,1.132,4,0.678,5,1.834,7,0.818,13,2.591,15,2.502,16,3.123,28,2.403,33,1.468,38,2.068,50,0.78,56,0.692,64,1.039,65,0.669,72,0.846,83,0.829,101,1.386,121,1.761,123,1.454,127,3.271,147,1.454,150,1.426,151,1.499,152,2.769,160,1.324,166,1.805,174,0.652,185,1.047,248,1.15,294,2.031,295,2.928,300,2.699,328,1.324,334,2.188,355,2.295,420,2.398,425,1.673,477,1.634,480,3.544,483,2.975,487,2.949,521,1.312,524,0.966,537,1.312,542,1.855,556,2.068,762,1.454,786,1.454,788,1.454,839,2.846,956,2.126,975,1.634,1034,1.736,1055,1.781,1098,2.807,1125,1.882,1126,2.807,1137,1.91,1168,1.939,1189,1.693,1239,1.157,1244,1.673,1358,1.278,1383,1.312,1636,4.247,1716,1.267,1796,2.07,1813,1.53,1815,1.071,1828,1.563,1858,3.619,2427,0.72,2432,1.969,2433,1.969,2434,1.882,2435,1.882,2438,1.969,2439,1.758,2440,1.969,2441,3.463,2444,1.969,2446,1.969,2448,1.969,2449,1.969,2452,1.969,2453,1.969,2454,3.021,2455,1.969,2456,3.021,2457,2.769,2459,1.969,2460,1.969,2461,4.446,2462,1.969,2463,1.969,2464,1.969,2465,3.021,2466,1.969,2469,2.846,2471,1.855,2472,1.969,2473,2.846,2589,1.483,2590,1.714,2606,1.499,2612,1.499,2613,1.514,2682,1.781,2683,1.83,2684,1.781,2685,1.781,2686,1.781,2687,1.781,2688,1.781,2689,1.781,2690,1.781,2691,1.83,2692,1.781,2693,1.781,2694,2.001,2695,2.001,2696,2.001,2697,2.001,2698,2.001,2699,2.001,2700,1.882,2701,2.001,2702,2.001,2703,2.001]],["t/3148",[4,1.402,7,1.691,38,2.786,50,1.051,65,1.7,75,4.772,83,1.714,140,5.167,186,1.785,248,1.549,524,1.997,1076,5.351,1239,2.392,1358,2.642,1383,2.712,1716,2.619,1815,2.945,1946,3.417,2427,1.488,2589,3.066,2590,3.543,2718,7.746,2719,7.746]],["t/3150",[4,1.42,7,1.712,38,2.822,50,1.065,65,1.401,74,4.58,75,4.443,83,1.736,186,1.808,248,1.569,409,6.661,466,3.998,524,2.023,1032,6.31,1239,2.423,1358,2.676,1383,2.747,1716,2.653,1815,2.742,1818,6.661,1946,3.461,2427,1.508,2536,7.132,2589,3.105,2590,3.589]],["t/3152",[4,1.429,7,1.723,38,2.84,50,1.071,65,1.411,72,1.783,75,4.461,83,1.747,186,1.82,248,1.579,335,4.61,466,4.024,524,2.036,1239,2.439,1358,2.693,1383,2.765,1716,2.67,1815,2.752,1819,6.704,1946,3.484,2427,1.517,2540,7.178,2589,3.125,2590,3.612]],["t/3154",[4,1.402,7,1.691,38,2.786,50,1.051,65,1.384,75,4.408,83,2.106,186,1.785,248,1.549,466,3.947,524,1.997,872,5.524,1239,2.392,1358,2.642,1383,2.712,1602,4.819,1634,7.655,1716,2.619,1815,2.72,1820,6.577,1946,3.417,2427,1.488,2544,7.041,2589,3.066,2590,3.543]],["t/3156",[0,0.491,1,1.189,4,0.641,5,1.755,7,0.773,13,2.532,15,2.428,16,3.013,28,2.332,33,1.387,38,1.979,50,0.747,56,0.654,64,0.982,65,0.983,70,1.085,71,1.729,72,0.8,83,0.783,101,1.309,121,1.686,123,1.374,127,3.197,147,1.374,150,1.347,151,1.416,152,2.65,160,1.251,166,1.705,174,0.616,185,0.989,248,1.101,258,2.067,294,1.944,295,2.841,300,2.619,328,1.251,333,2.256,334,2.094,355,2.624,420,2.295,425,1.581,477,1.544,480,3.439,483,2.847,487,3.84,521,1.24,524,0.913,537,1.24,542,1.753,556,2.428,762,1.374,786,1.374,788,1.374,839,2.724,956,2.035,975,1.544,1034,1.64,1055,1.683,1064,2.178,1098,2.687,1125,1.778,1126,2.687,1165,2.446,1168,1.832,1189,1.6,1239,1.093,1244,1.581,1358,1.877,1383,1.24,1580,2.848,1716,1.197,1813,1.446,1815,1.012,1828,1.477,1858,3.492,2427,0.68,2432,1.861,2433,1.861,2434,1.778,2435,1.778,2438,1.861,2439,1.661,2440,1.861,2441,3.342,2444,1.861,2446,1.861,2448,1.861,2449,1.861,2452,1.861,2453,1.861,2454,2.892,2455,1.861,2456,2.892,2457,1.705,2459,1.861,2460,1.861,2461,4.332,2462,1.861,2463,1.861,2464,1.861,2465,2.892,2466,1.861,2469,2.724,2471,1.753,2472,1.861,2473,2.724,2552,6.136,2589,1.402,2590,1.62,2606,1.416,2612,1.416,2613,1.431,2682,1.683,2683,1.729,2684,1.683,2685,1.683,2686,1.683,2687,1.683,2688,1.683,2689,1.683,2690,1.683,2691,1.729,2692,1.683,2693,1.683,2694,1.891,2695,1.891,2696,1.891,2697,1.891,2698,1.891,2699,1.891,2700,1.778,2701,1.891,2702,1.891,2703,1.891,2720,3.541]],["t/3158",[4,1.197,7,1.443,38,3.097,50,0.897,65,1.181,70,2.638,72,2.291,83,1.463,160,2.336,183,3.228,186,1.524,200,4.437,248,1.322,290,3.024,308,5.13,309,5.614,355,1.794,360,5.081,361,4.716,466,3.37,482,7.009,515,4.319,522,3.142,737,3.184,738,6.361,1072,5.081,1101,5.614,1146,6.361,1239,2.042,1250,4.319,1358,2.255,1618,5.318,1716,2.236,1946,2.917,2106,7.828,2304,5.614,2427,1.271,2541,5.318,2546,6.01,2547,6.01,2550,6.01,2551,6.01,2721,6.612,2722,6.612]],["t/3160",[0,0.545,1,1.586,4,0.55,5,1.555,7,0.663,8,1.156,13,0.882,28,3.06,33,1.911,38,1.093,39,0.985,50,0.412,56,1.128,61,0.515,63,1.156,64,1.352,65,1.757,71,1.483,72,0.686,73,1.39,83,1.351,85,1.678,98,1.39,101,1.803,127,2.994,132,2.177,174,0.529,199,1.325,233,3.861,248,0.975,277,4.68,294,1.723,295,3.332,300,2.405,311,0.895,328,1.073,366,1.518,369,1.325,387,1.774,388,1.463,389,1.74,420,2.034,444,1.463,462,1.678,464,2.317,521,2.448,524,0.783,525,2.967,537,1.707,538,1.054,556,3.726,786,1.892,788,1.892,883,2.847,926,2.741,946,2.693,956,2.258,1064,1.93,1092,1.89,1133,3.8,1135,3.8,1137,2.485,1239,0.938,1283,3.8,1358,1.036,1383,1.064,1417,1.774,1716,1.027,1815,1.393,2309,1.985,2419,1.985,2427,0.584,2447,3.99,2589,1.203,2590,1.39,2599,3.272,2600,2.039,2601,2.039,2602,3.272,2603,6.613,2604,2.039,2605,2.039,2606,1.95,2607,1.89,2608,1.89,2609,3.272,2610,1.548,2611,2.039,2612,1.215,2613,1.227,2614,3.272,2615,4.691,2616,5.762,2617,3.272,2618,3.272,2619,3.272,2620,3.272,2621,3.272,2622,3.272,2623,3.272,2624,3.272,2625,2.039,2626,2.039,2627,3.272,2628,2.039,2629,1.708,2723,3.038,2724,3.038]],["t/3162",[0,0.563,1,1.037,4,0.577,5,2.012,6,2.622,7,0.696,13,2.54,15,2.292,16,2.816,28,2.202,33,2.472,38,1.823,39,1.034,50,0.688,56,0.589,63,1.213,64,0.884,65,1.491,72,0.72,83,1.121,94,1.557,98,1.459,101,1.179,121,1.553,123,1.237,127,3.059,147,2.788,150,1.213,151,1.275,152,2.441,160,1.127,166,1.536,174,0.555,248,1.014,294,1.791,295,3.267,300,3.125,311,0.94,328,1.127,334,1.928,355,2.127,369,1.391,420,2.114,425,1.424,477,2.21,480,3.247,483,2.622,487,2.66,521,1.775,524,0.822,537,1.117,542,1.579,556,1.147,762,1.237,786,1.237,788,1.237,839,2.509,956,3.359,975,2.21,1034,2.347,1055,1.516,1064,2.006,1098,2.474,1125,1.602,1126,2.474,1168,1.65,1189,1.441,1239,0.985,1244,1.424,1358,1.088,1383,1.117,1716,1.078,1813,1.302,1815,0.911,1828,2.114,1858,3.263,2427,0.613,2432,1.676,2433,1.676,2434,1.602,2435,1.602,2438,1.676,2439,2.378,2440,1.676,2441,3.123,2444,1.676,2446,1.676,2448,1.676,2449,1.676,2452,1.676,2453,1.676,2454,2.663,2455,1.676,2456,2.663,2457,2.441,2459,1.676,2460,1.676,2461,4.12,2462,1.676,2463,1.676,2464,1.676,2465,2.663,2466,1.676,2469,2.509,2471,1.579,2472,1.676,2473,2.509,2487,5.073,2589,1.262,2590,1.459,2606,1.275,2612,1.275,2682,2.409,2683,2.474,2684,2.409,2685,2.409,2686,2.409,2687,2.409,2688,2.409,2689,2.409,2690,2.409,2691,2.474,2692,2.409,2693,2.409,2694,1.703,2695,1.703,2696,1.703,2697,1.703,2698,1.703,2699,1.703,2700,1.602,2701,1.703,2702,1.703,2703,1.703,2725,4.607,2726,3.189,2727,3.189,2728,2.274,2729,2.708]],["t/3164",[0,0.493,1,1.102,4,0.645,5,2.161,7,0.777,13,2.538,15,2.435,16,3.024,28,2.339,33,2.166,38,1.988,39,1.155,50,0.75,56,0.658,63,1.355,64,0.988,65,1.477,72,0.804,83,1.223,98,1.629,101,1.317,121,1.694,123,1.382,127,3.627,147,1.382,150,1.355,151,1.424,152,2.662,160,1.258,166,1.715,174,0.62,248,1.106,294,3.09,295,2.85,300,2.627,311,1.049,328,1.258,334,2.103,355,2.242,369,1.553,420,2.305,425,1.59,477,2.411,480,3.45,483,2.86,487,2.856,521,1.247,524,0.918,537,1.247,542,1.763,556,1.988,762,1.382,786,1.382,788,1.382,839,2.737,956,2.505,975,1.553,1034,1.65,1055,1.693,1064,1.41,1098,2.699,1125,1.789,1126,2.699,1168,1.843,1189,1.609,1239,1.1,1244,1.59,1383,1.247,1716,1.204,1813,1.454,1815,1.018,1828,1.485,1858,3.505,2427,0.684,2432,1.871,2433,1.871,2434,1.789,2435,1.789,2438,1.871,2439,1.671,2440,1.871,2441,3.354,2444,1.871,2446,1.871,2448,1.871,2449,1.871,2452,1.871,2453,1.871,2454,2.905,2455,1.871,2456,2.905,2457,1.715,2459,1.871,2460,1.871,2461,4.344,2462,1.871,2463,1.871,2464,1.871,2465,2.905,2466,1.871,2469,2.737,2471,1.763,2472,1.871,2473,2.737,2589,1.41,2590,1.629,2606,1.424,2612,1.424,2613,1.439,2682,1.693,2683,1.739,2684,1.693,2685,1.693,2686,1.693,2687,1.693,2688,1.693,2689,1.693,2690,1.693,2691,1.739,2692,1.693,2693,1.693,2694,1.902,2695,1.902,2696,1.902,2697,1.902,2698,1.902,2699,1.902,2700,1.789,2701,1.902,2702,1.902,2703,1.902,2730,3.237]],["t/3166",[0,0.494,1,1.103,4,0.647,5,2.165,7,0.78,13,2.541,15,2.439,16,3.03,28,2.971,33,2.171,38,1.993,39,1.158,50,0.752,56,0.66,63,1.359,64,0.991,65,1.212,72,0.807,83,1.226,98,1.634,101,1.321,121,1.697,123,1.386,127,3.209,147,1.386,150,1.359,151,1.428,152,2.668,160,1.262,166,1.72,174,0.621,248,1.108,294,1.957,295,2.855,300,2.631,311,1.052,328,1.262,334,2.108,355,2.245,369,1.558,389,2.045,420,2.311,425,1.595,477,2.416,480,3.456,483,2.867,487,2.862,521,1.251,524,0.921,537,1.251,542,1.768,556,1.993,762,1.386,786,1.386,788,1.386,839,2.743,956,2.51,975,1.558,1034,1.654,1055,1.698,1064,1.414,1098,2.705,1125,1.794,1126,2.705,1130,4.456,1168,1.848,1189,1.614,1239,1.103,1244,1.595,1358,1.218,1383,1.251,1716,1.208,1813,1.458,1815,1.021,1828,1.49,1858,3.512,2427,0.686,2432,1.877,2433,1.877,2434,1.794,2435,1.794,2438,1.877,2439,1.676,2440,1.877,2441,3.36,2444,1.877,2446,1.877,2448,1.877,2449,1.877,2452,1.877,2453,1.877,2454,2.911,2455,1.877,2456,2.911,2457,1.72,2459,1.877,2460,1.877,2461,4.35,2462,1.877,2463,1.877,2464,1.877,2465,2.911,2466,1.877,2469,2.743,2471,1.768,2472,1.877,2473,2.743,2589,1.414,2590,1.634,2606,1.428,2612,1.428,2613,1.443,2682,1.698,2683,1.744,2684,1.698,2685,1.698,2686,1.698,2687,1.698,2688,1.698,2689,1.698,2690,1.698,2691,1.744,2692,1.698,2693,1.698,2694,1.907,2695,1.907,2696,1.907,2697,1.907,2698,1.907,2699,1.907,2700,1.794,2701,1.907,2702,1.907,2703,1.907,2731,3.572]],["t/3168",[0,0.61,1,1.404,4,1.237,5,2.18,7,1.492,13,1.983,32,4.816,38,2.458,39,2.216,50,0.927,54,1.814,56,1.262,63,2.6,65,1.738,83,1.512,101,2.527,140,3.71,160,3.108,186,1.575,208,3.972,248,1.367,311,2.014,342,2.234,524,1.762,556,3.164,786,2.652,788,2.652,1239,2.111,1358,2.331,1383,2.393,1716,2.311,1815,1.953,2427,1.313,2589,2.705,2590,3.126,2606,2.733,2612,2.733,2613,2.761,2732,6.213,2733,6.835]],["t/3170",[32,4.04,39,2.646,54,2.166,63,3.105,65,1.755,208,3.332,248,1.632,311,2.404,342,2.668,556,2.935,1730,6.563,1815,2.332,2222,8.342,2427,1.568,2555,7.418,2556,7.418,2732,7.418,2734,8.161,2735,8.161]],["t/3172",[0,0.624,1,1.419,4,1.266,5,2.23,7,1.526,13,2.029,38,2.515,50,0.949,56,1.291,65,1.249,83,1.547,101,2.585,185,1.953,248,1.398,342,2.285,524,1.803,556,3.211,786,2.712,788,2.712,956,3.301,1239,2.159,1358,2.384,1383,2.448,1716,2.364,1815,1.998,2427,1.343,2475,7.579,2589,2.767,2590,3.198,2606,2.796,2612,2.796,2613,2.824,2736,6.992,2737,6.992,2738,6.992,2739,6.992,2740,6.992,2741,6.992,2742,6.992,2743,6.992,2744,6.355]],["t/3175",[0,0.617,1,1.411,7,2.252,8,3.372,13,2.006,50,0.938,56,1.276,65,1.235,83,1.529,101,2.556,186,1.593,248,1.382,342,2.26,466,3.522,524,2.66,556,3.187,786,2.682,788,2.682,1239,2.134,1383,2.42,1583,7.225,1716,2.337,1815,1.975,1821,7.866,1822,5.868,2427,1.328,2557,8.891,2589,2.736,2593,4.638,2606,2.764,2612,2.764,2613,2.792]],["t/3177",[0,0.551,1,1.187,5,1.968,7,2.095,8,3.131,9,3.099,13,2.388,15,2.624,50,1.005,54,1.092,56,0.76,61,0.697,64,1.141,65,0.735,72,0.929,83,0.91,94,2.009,101,1.521,127,3.014,147,1.596,150,1.565,174,1.789,185,1.15,248,1.234,294,1.453,295,3.291,300,3.033,328,1.453,355,2.232,425,4.408,473,2.197,477,1.794,480,3.983,481,6.078,487,2.602,521,1.44,524,1.061,537,1.44,556,2.22,786,1.596,788,1.596,975,1.794,1034,1.905,1137,2.097,1186,2.687,1239,1.271,1244,1.837,1343,4.742,1358,1.403,1383,1.44,1636,4.559,1716,1.391,1796,2.272,1815,1.176,1823,2.934,1828,1.716,1918,2.934,2118,3.162,2164,4.742,2427,0.791,2439,1.93,2441,4.074,2457,2.972,2469,2.037,2471,2.037,2473,4.365,2477,3.162,2479,3.162,2480,5.691,2589,1.628,2593,2.761,2606,1.645,2612,1.645,2613,1.662,2682,1.955,2683,2.009,2684,1.955,2685,1.955,2686,1.955,2687,1.955,2688,1.955,2689,1.955,2690,1.955,2691,2.009,2692,1.955,2693,1.955,2700,2.066,2728,2.934,2745,4.963,2746,3.309,2747,3.309]],["t/3179",[0,0.539,1,1.169,5,1.924,7,2.074,8,3.084,9,3.03,13,2.352,15,2.585,50,0.987,54,1.06,56,0.737,61,1.373,64,1.107,65,0.713,72,0.902,83,0.883,94,1.949,101,1.476,127,2.969,147,1.549,150,1.519,174,1.776,185,1.116,207,4.303,248,1.207,294,1.411,295,3.249,300,2.994,328,1.411,355,2.578,425,4.368,473,2.132,477,1.741,480,3.932,481,5.987,487,3.669,521,1.398,524,1.03,537,1.398,556,2.17,786,1.549,788,1.549,975,1.741,1034,1.849,1137,2.035,1186,2.608,1239,1.233,1244,1.783,1343,4.637,1358,1.362,1383,1.398,1716,1.35,1796,2.205,1815,1.141,1823,4.303,1828,1.665,1918,2.848,2118,3.068,2164,4.637,2427,0.767,2439,1.873,2441,4.013,2457,1.923,2469,1.977,2471,1.977,2473,4.308,2477,3.068,2479,3.068,2480,5.589,2589,1.58,2593,2.679,2606,1.597,2612,1.597,2613,1.613,2682,1.898,2683,1.949,2684,1.898,2685,1.898,2686,1.898,2687,1.898,2688,1.898,2689,1.898,2690,1.898,2691,1.949,2692,1.898,2693,1.898,2700,2.005,2728,2.848,2745,4.853,2746,3.211,2747,3.211]],["t/3181",[0,0.523,1,1.147,5,1.869,7,2.047,8,3.024,9,2.943,13,2.306,15,2.535,50,0.964,54,1.02,56,0.709,61,0.651,64,1.066,65,1.528,72,0.868,83,0.85,94,1.876,101,1.421,127,2.911,147,3.499,150,1.462,174,1.758,186,0.886,248,1.172,294,1.357,295,3.194,300,3.477,328,1.357,355,2.688,425,4.316,473,2.051,477,1.675,480,3.866,481,5.87,487,3.954,521,1.345,524,0.991,537,1.345,556,2.108,786,1.491,788,1.491,975,1.675,1034,1.779,1064,1.521,1186,2.51,1239,1.186,1244,1.715,1343,4.503,1358,1.31,1383,1.345,1716,1.299,1815,1.098,1823,2.74,1828,1.602,1918,2.74,2118,2.952,2164,4.503,2427,0.738,2439,1.802,2441,3.934,2457,1.85,2469,1.902,2471,1.902,2473,4.236,2477,2.952,2479,2.952,2480,5.459,2589,1.521,2593,2.578,2606,1.536,2612,1.536,2613,1.552,2648,3.492,2682,1.826,2683,1.876,2684,1.826,2685,1.826,2686,1.826,2687,1.826,2688,1.826,2689,1.826,2690,1.826,2691,1.876,2692,1.826,2693,1.826,2700,1.929,2728,2.74,2745,4.713,2746,3.09,2747,3.09]],["t/3183",[0,0.537,1,1.167,5,1.92,7,2.072,8,3.079,9,3.023,13,2.348,15,2.581,33,1.56,50,0.985,54,1.056,56,0.735,61,0.674,64,1.104,65,1.552,72,0.899,83,0.881,94,1.943,101,1.472,127,2.964,147,1.544,150,1.514,167,2.6,174,1.774,248,1.204,294,3.07,295,3.244,300,2.99,328,1.406,355,2.195,425,4.364,473,4.64,477,1.736,480,3.927,481,5.977,487,2.538,521,1.393,524,1.026,537,1.393,556,2.165,786,1.544,788,1.544,975,1.736,1034,1.843,1064,1.575,1186,2.6,1239,1.229,1244,1.777,1343,4.625,1358,1.357,1383,1.393,1716,1.346,1815,1.137,1823,2.838,1828,1.66,1918,2.838,2118,3.058,2164,4.625,2427,0.765,2439,1.867,2441,4.006,2457,1.917,2469,1.97,2471,1.97,2473,4.302,2477,3.058,2479,3.058,2480,5.578,2589,1.575,2593,2.671,2606,1.591,2612,1.591,2613,1.608,2682,1.891,2683,1.943,2684,1.891,2685,1.891,2686,1.891,2687,1.891,2688,1.891,2689,1.891,2690,1.891,2691,1.943,2692,1.891,2693,1.891,2700,1.999,2728,2.838,2745,4.841,2746,3.201,2747,3.201,2748,3.98]],["t/3185",[7,2.288,8,3.064,50,1.093,65,1.438,83,1.782,224,4.527,248,1.611,376,3.433,524,2.076,1239,2.487,1244,4.351,1358,2.747,1383,2.82,1716,2.723,1946,3.553,2427,1.547,2589,3.187,2593,5.404,2749,8.053,2750,7.32]],["t/3187",[1,1.516,7,1.587,8,1.519,11,2.76,45,5.782,50,0.542,64,1.107,65,0.713,71,1.949,72,1.363,73,4.347,105,2.205,132,4.243,151,4.082,199,1.741,248,1.207,328,1.411,461,2.679,473,5.348,524,1.03,537,1.398,538,1.386,556,2.616,569,3.921,705,2.95,751,6.054,791,7.02,975,3.172,1064,2.388,1239,1.233,1358,1.362,1383,1.398,1716,1.35,1815,1.141,2427,0.767,2589,1.58,2593,2.679,2597,2.95,2649,2.95,2650,3.211,2651,3.211,2652,3.211,2653,3.211,2654,3.211,2655,7.87,2656,3.211,2657,3.211,2658,3.211,2659,6.519,2660,7.643,2661,7.643,2662,7.643,2663,7.643,2664,3.211,2665,3.211,2666,3.211,2667,3.211,2668,3.211,2669,3.211,2670,3.211,2671,3.211,2672,4.853,2673,3.211,2674,3.211,2675,3.211,2676,3.211,2677,3.211,2678,3.211]],["t/3190",[0,0.732,1,1.333,6,5.1,7,1.341,13,2.381,50,0.834,56,1.135,64,1.704,65,1.466,72,1.388,83,1.36,94,3,101,2.273,185,1.717,248,1.641,295,2.294,328,2.171,477,2.68,521,2.152,524,1.585,537,2.152,556,2.21,786,2.384,788,2.384,975,2.68,1034,2.846,1137,3.132,1239,1.898,1358,2.096,1383,2.152,1636,4.54,1716,2.078,1796,3.394,1815,1.756,1828,2.563,2427,1.181,2439,2.883,2457,3.952,2487,7.429,2589,2.433,2594,4.943,2606,2.457,2612,2.457,2613,2.483,2682,2.921,2683,3,2684,2.921,2685,2.921,2686,2.921,2687,2.921,2688,2.921,2689,2.921,2690,2.921,2691,3,2692,2.921,2693,2.921,2728,4.383,2729,5.218]],["t/3192",[0,0.709,1,1.457,6,4.999,7,1.277,13,2.303,50,0.794,56,1.08,64,1.623,65,1.045,72,1.793,94,2.856,101,2.164,151,3.864,248,1.588,295,2.184,328,2.067,461,3.926,477,2.552,521,2.049,524,1.509,537,2.049,538,2.031,556,2.855,786,2.27,788,2.27,975,4.405,1034,2.71,1064,2.316,1239,1.807,1358,1.996,1383,2.049,1716,1.978,1796,3.231,1815,1.672,1828,2.44,2427,1.124,2439,2.745,2457,2.818,2487,7.246,2589,2.316,2594,4.706,2606,2.34,2612,2.34,2613,2.364,2682,2.781,2683,2.856,2684,2.781,2685,2.781,2686,2.781,2687,2.781,2688,2.781,2689,2.781,2690,2.781,2691,2.856,2692,2.781,2693,2.781,2728,4.173,2729,4.968,2751,5.851]],["t/3195",[0,0.546,1,1.572,5,0.971,8,1.159,13,0.884,28,2.633,32,1.508,50,0.413,54,0.808,56,1.13,61,0.516,63,1.159,64,1.355,65,1.9,71,1.487,72,0.688,73,1.393,83,1.081,85,1.682,101,1.807,127,2.997,132,2.181,174,0.53,185,0.851,199,1.328,233,3.866,248,0.977,277,4.685,294,1.726,295,3.731,300,2.957,311,0.897,328,1.076,355,0.826,366,1.521,387,1.778,388,1.467,420,2.038,444,1.467,462,1.682,464,2.322,521,2.451,524,0.785,525,2.973,537,1.711,538,1.057,556,3.728,786,1.896,788,1.896,883,2.852,926,2.747,946,2.698,956,2.262,995,2.044,1064,1.934,1092,1.895,1133,1.895,1135,1.895,1137,2.49,1283,3.806,1358,1.039,1383,1.066,1417,1.778,1716,1.03,1815,1.396,2309,1.99,2419,1.99,2427,0.585,2447,3.191,2595,2.044,2599,3.279,2600,2.044,2601,2.044,2602,3.279,2603,6.616,2604,2.044,2605,2.044,2606,1.954,2607,1.895,2608,1.895,2609,3.279,2610,1.552,2611,2.044,2612,1.218,2613,1.231,2614,4.105,2615,4.698,2616,5.768,2617,3.279,2618,3.279,2619,3.279,2620,3.279,2621,3.279,2622,3.279,2623,3.279,2624,3.279,2625,2.044,2626,2.044,2627,3.279,2628,2.044,2629,1.712,2752,2.769,2753,3.046,2754,4.441,2755,2.769,2756,2.769]],["t/3197",[0,0.557,1,1.587,5,1.001,8,1.195,13,0.911,28,2.54,50,0.426,56,1.153,61,0.532,64,1.388,65,1.663,71,1.533,72,0.709,73,1.436,83,1.108,85,1.734,101,1.851,127,3.634,132,2.235,174,0.546,185,0.877,199,1.369,233,3.934,248,1.001,277,4.748,294,1.768,295,3.81,300,1.722,328,1.109,366,1.558,387,1.833,388,1.512,420,3.245,444,1.512,462,1.734,464,2.379,521,2.494,524,0.81,525,3.046,537,1.753,538,1.09,556,3.752,785,2.444,786,1.942,788,1.942,883,2.923,926,2.814,946,2.765,956,1.851,995,2.107,1064,1.243,1092,1.953,1133,1.953,1135,1.953,1137,2.551,1283,3.884,1358,1.071,1383,1.099,1417,1.833,1716,1.062,1796,1.734,1815,1.431,2309,2.051,2419,2.051,2427,0.603,2447,3.27,2595,2.107,2599,3.359,2600,2.107,2601,2.107,2602,3.359,2603,6.653,2604,2.107,2605,2.107,2606,2.002,2607,1.953,2608,1.953,2609,3.359,2610,1.6,2611,2.107,2612,1.255,2613,1.269,2614,3.359,2615,4.78,2616,5.838,2617,3.359,2618,4.189,2619,3.359,2620,3.359,2621,3.359,2622,3.359,2623,3.359,2624,3.359,2625,2.107,2626,2.107,2627,4.78,2628,2.107,2629,1.765,2757,3.14]],["t/3199",[0,0.498,1,1.537,5,0.848,8,1.012,13,0.772,28,2.354,35,5.898,45,3.393,50,0.361,56,1.03,58,2.686,61,0.451,62,2.102,64,1.214,65,1.692,66,2.404,67,2.432,71,1.299,72,0.601,73,1.217,83,0.968,85,1.469,88,4.243,101,1.619,127,2.815,131,2.49,132,1.954,162,3.135,174,0.463,194,2.404,198,4.286,199,1.16,209,2.761,233,3.569,248,0.875,277,4.4,290,1.217,294,1.546,295,3.167,300,1.506,328,0.94,366,1.363,387,1.553,388,1.281,420,1.826,444,1.281,462,1.469,464,2.08,521,2.263,524,0.686,525,2.663,537,1.533,538,0.923,556,3.617,564,4.12,622,6.754,786,1.698,788,1.698,883,2.555,926,2.461,946,2.417,948,2.686,956,2.062,995,1.785,1064,1.733,1092,1.655,1118,4.735,1133,1.655,1135,1.655,1137,2.842,1283,4.444,1358,0.907,1383,0.931,1417,1.553,1534,3.853,1716,0.9,1815,1.251,2309,1.738,2419,1.738,2427,0.511,2447,2.859,2595,1.785,2599,2.937,2600,1.785,2601,1.785,2602,2.937,2603,6.444,2604,1.785,2605,1.785,2606,1.75,2607,1.655,2608,1.655,2609,2.937,2610,1.356,2611,1.785,2612,1.064,2613,1.075,2614,2.937,2615,4.337,2616,5.449,2617,2.937,2618,2.937,2619,3.742,2620,2.937,2621,2.937,2622,2.937,2623,2.937,2624,2.937,2625,1.785,2626,1.785,2627,2.937,2628,2.937,2629,1.496,2758,4.378,2759,5.07,2760,5.07,2761,5.07,2762,5.07,2763,5.07]],["t/3201",[0,0.534,1,1.564,4,0.86,5,0.939,8,1.12,13,0.854,28,2.702,32,1.457,50,0.399,54,0.781,56,1.104,61,0.499,63,1.12,64,1.318,65,1.888,71,1.437,72,0.665,73,1.346,83,1.051,85,1.625,101,1.757,127,3.105,132,2.122,174,0.827,185,0.822,199,1.283,233,3.79,248,0.95,277,5.674,294,1.679,295,3.698,300,3.035,311,0.867,328,1.04,355,0.798,366,1.479,387,1.718,388,1.417,420,1.982,444,1.417,462,1.625,464,2.259,466,1.5,521,2.403,524,0.759,525,2.892,537,1.664,538,1.021,556,3.701,786,1.844,788,1.844,883,2.775,926,2.672,946,2.625,956,2.21,995,1.975,1064,1.881,1092,1.831,1133,1.831,1135,1.831,1137,2.422,1283,3.719,1358,1.004,1383,1.03,1417,1.718,1716,0.995,1815,1.358,2309,1.922,2419,1.922,2427,0.565,2447,3.104,2595,1.975,2599,3.189,2600,1.975,2601,1.975,2602,3.189,2603,6.574,2604,1.975,2605,1.975,2606,1.9,2607,1.831,2608,1.831,2609,3.189,2610,1.5,2611,1.975,2612,1.177,2613,1.189,2614,3.189,2615,4.605,2616,5.687,2617,3.189,2618,3.189,2619,3.189,2620,4.012,2621,3.189,2622,3.189,2623,3.189,2624,3.189,2625,1.975,2626,1.975,2627,3.189,2628,1.975,2629,1.654,2755,2.675,2756,2.675,2764,4.753,2765,4.32]],["t/3203",[0,0.556,1,1.586,5,0.999,8,1.192,13,0.909,28,2.538,50,0.425,56,1.151,61,0.531,64,1.386,65,1.662,71,1.529,72,0.707,73,1.432,83,1.105,85,1.73,101,1.847,127,3.632,132,2.23,174,0.545,185,0.875,199,1.366,233,3.928,248,0.999,277,4.977,294,1.765,295,3.807,300,1.719,328,1.106,366,1.555,387,1.828,388,1.508,420,3.241,444,1.508,462,1.73,464,2.374,521,2.49,524,0.808,525,3.04,537,1.749,538,1.087,556,3.75,785,2.439,786,1.938,788,1.938,883,2.917,926,2.809,946,2.759,956,1.847,995,2.102,1064,1.24,1092,1.948,1133,1.948,1135,1.948,1137,2.546,1283,3.877,1358,1.068,1383,1.097,1417,1.828,1716,1.059,1796,1.73,1815,1.428,2309,2.046,2419,2.046,2427,0.602,2447,3.263,2595,2.102,2599,3.352,2600,2.102,2601,2.102,2602,3.352,2603,6.65,2604,2.102,2605,2.102,2606,1.998,2607,1.948,2608,1.948,2609,3.352,2610,1.596,2611,2.102,2612,1.252,2613,1.265,2614,3.352,2615,4.773,2616,5.832,2617,3.352,2618,3.352,2619,3.352,2620,3.352,2621,4.182,2622,3.352,2623,3.352,2624,3.352,2625,2.102,2626,2.102,2627,5.215,2628,2.102,2629,1.761]],["t/3205",[0,0.531,1,1.577,5,0.932,8,1.112,13,0.848,28,2.46,35,3.992,45,1.778,50,0.396,56,1.098,58,1.407,61,0.495,62,1.101,64,1.31,65,1.667,66,1.26,67,1.274,71,1.426,72,0.66,73,1.336,83,1.045,85,1.614,88,2.609,101,1.747,127,2.941,131,1.304,132,2.109,162,1.642,174,0.508,194,1.26,198,2.245,199,1.274,209,1.446,233,3.774,248,0.945,277,5.571,290,1.336,294,1.669,295,3.284,300,1.626,328,1.032,366,1.471,387,1.706,388,1.407,420,1.971,444,1.407,462,1.614,464,2.245,521,2.393,524,0.753,525,2.875,537,1.654,538,1.014,556,3.695,564,2.158,622,4.571,786,1.833,788,1.833,883,2.758,926,2.656,946,2.609,948,1.407,956,2.775,995,1.961,1064,1.156,1092,1.818,1118,2.481,1133,1.818,1135,1.818,1137,3.483,1283,5.653,1358,0.996,1383,1.023,1417,1.706,1534,2.019,1716,0.988,1796,1.614,1815,1.35,2309,1.908,2419,1.908,2427,0.561,2447,3.086,2595,1.961,2599,3.171,2600,1.961,2601,1.961,2602,3.171,2603,6.565,2604,1.961,2605,1.961,2606,1.889,2607,1.818,2608,1.818,2609,3.171,2610,1.489,2611,1.961,2612,1.168,2613,1.18,2614,3.171,2615,4.586,2616,5.671,2617,3.171,2618,3.171,2619,3.171,2620,3.171,2621,3.171,2622,3.992,2623,3.171,2624,3.171,2625,1.961,2626,1.961,2627,3.171,2628,4.586,2629,1.642,2759,2.656,2760,2.656,2761,2.656,2762,2.656,2763,2.656]],["t/3207",[0,0.545,1,1.571,5,0.969,8,1.156,13,0.882,28,2.735,33,1.19,50,0.412,56,1.128,61,0.515,63,1.156,64,1.352,65,1.831,71,1.483,72,0.686,73,1.39,83,1.079,85,1.678,101,1.803,127,2.994,132,2.177,174,0.529,185,0.849,199,1.325,227,1.054,233,3.861,248,0.975,277,4.68,294,3.153,295,3.332,300,1.678,311,0.895,328,1.073,355,0.824,365,2.099,366,1.518,387,1.774,388,1.463,416,1.649,420,2.034,444,1.463,462,1.678,464,2.317,477,1.325,480,2.203,521,2.448,524,0.783,525,5.431,537,1.707,538,1.054,556,3.726,786,1.892,788,1.892,883,2.847,926,2.741,946,2.693,956,1.803,995,2.039,1064,1.203,1092,1.89,1133,1.89,1135,1.89,1137,2.485,1282,2.244,1283,3.8,1358,1.036,1383,1.064,1417,1.774,1626,1.526,1716,1.027,1815,1.393,2309,1.985,2419,1.985,2427,0.584,2447,3.185,2595,2.039,2599,3.272,2600,2.039,2601,2.039,2602,3.272,2603,6.613,2604,2.039,2605,2.039,2606,1.95,2607,1.89,2608,1.89,2609,3.272,2610,1.548,2611,2.039,2612,1.215,2613,1.227,2614,3.272,2615,4.691,2616,5.762,2617,3.272,2618,3.272,2619,3.272,2620,3.272,2621,3.272,2622,3.272,2623,4.099,2624,3.272,2625,2.039,2626,2.039,2627,3.272,2628,2.039,2629,1.708,2752,2.762,2754,2.762,2765,2.762]],["t/3210",[33,3.355,39,2.776,61,1.45,127,3.136,208,3.495,248,1.712,342,2.799,478,4.728,948,4.123,1165,5.915,1955,6.324,2427,1.645,2647,7.269,2766,8.562]],["t/3213",[0,0.7,1,1.495,5,2.502,13,2.276,56,1.449,65,1.714,101,2.901,174,1.365,227,2.723,248,1.569,332,3.916,342,2.565,556,3.451,786,3.044,788,3.044,1815,2.962,2427,1.508,2606,3.137,2612,3.137,2613,3.17]],["t/3215",[8,2.63,31,4.004,61,1.171,75,4.778,76,4.732,99,3.422,174,1.542,208,2.822,248,1.382,291,4.515,299,3.242,311,2.037,331,4.3,332,2.822,342,2.26,367,3.691,482,6.122,524,1.782,538,2.399,727,5.279,940,2.914,1066,4.929,1111,3.886,1275,5.559,1485,5.559,1486,5.868,1815,1.975,2216,6.283,2268,5.559,2280,5.868,2317,6.283,2328,6.283,2418,5.868,2427,1.328,2563,6.283,2767,6.912,2768,6.912,2769,6.912,2770,6.912,2771,6.912]],["t/3218",[2,2.551,44,2.454,50,1.13,56,1.538,65,1.488,185,2.327,186,1.92,211,3.511,248,1.665,393,2.84,855,2.968,1157,4.862,1240,4.376,1735,4.682,1946,3.674,2427,1.6,2772,4.862,2773,4.862]],["t/3220",[2,2.551,44,2.454,50,1.13,56,1.538,65,1.488,185,2.327,186,1.92,211,3.511,248,1.665,393,2.84,855,2.968,1240,4.376,1946,3.674,2427,1.6,2591,4.862,2592,4.961,2772,4.862,2773,4.862]],["t/3222",[2,2.343,44,2.254,50,1.038,56,1.412,64,2.121,65,1.366,72,1.727,185,2.137,186,1.763,199,3.336,211,3.225,248,1.889,328,2.702,393,2.609,537,2.678,855,2.726,1064,3.738,1157,5.982,1240,4.019,1735,4.3,1768,5.133,1815,2.186,2427,1.47,2610,3.898,2774,9.314]],["t/3224",[2,2.245,44,2.159,50,0.994,56,1.353,64,2.032,65,1.309,72,1.655,185,2.047,186,1.689,199,4.01,211,3.089,248,1.839,328,2.588,393,2.499,537,2.565,855,2.612,883,4.278,1064,3.64,1240,3.85,1626,3.68,1815,2.094,2427,1.408,2591,4.278,2592,6.278,2610,3.734,2629,4.119,2633,5.062,2634,5.226,2774,9.58]],["t/3226",[2,2.358,44,2.268,50,1.044,56,1.421,64,2.135,65,1.375,72,1.738,185,2.151,186,1.774,199,3.357,211,3.245,248,1.896,328,2.719,393,2.625,537,2.695,855,2.744,1157,6.43,1240,4.045,1735,4.327,1796,4.251,1815,2.2,2427,1.479,2610,3.923,2631,6.19,2775,6.997]],["t/3228",[2,2.343,44,2.254,50,1.038,56,1.412,64,2.121,65,1.366,72,1.727,185,2.137,186,1.763,199,3.336,211,3.225,248,1.889,328,2.702,393,2.609,537,2.678,855,2.726,1240,4.019,1796,4.224,1815,2.186,2427,1.47,2591,4.465,2592,6.549,2610,3.898,2631,6.151,2634,5.455,2775,6.953]],["t/3230",[2,2.205,56,1.329,64,1.996,65,1.624,72,1.625,127,2.637,199,3.139,248,1.818,294,2.543,311,2.121,328,2.543,480,3.252,537,2.52,545,4.585,1064,4.365,1156,7.66,1157,5.819,1735,4.046,1768,4.83,1796,3.975,1815,2.057,2427,1.383,2610,3.668,2776,6.542,2777,7.198,2778,7.198,2779,7.198,2780,7.198,2781,7.198,2782,7.198]],["t/3232",[2,2.373,56,1.43,64,2.148,65,1.384,72,1.749,127,2.838,199,3.378,248,1.904,294,2.736,311,2.282,328,2.736,480,3.5,537,2.712,545,4.934,1796,4.278,1815,2.214,2327,7.041,2427,1.488,2591,4.522,2592,6.572,2610,3.947,2634,5.524,2776,7.041,2783,7.746]],["t/3234",[2,2.587,56,1.559,61,1.43,65,1.508,160,2.983,211,3.56,248,1.689,311,2.488,364,4.508,398,6.021,1157,4.929,1735,4.746,1815,2.413,1946,3.725,2427,1.622,2784,7.675]],["t/3236",[2,2.587,56,1.559,61,1.43,65,1.508,160,2.983,211,3.56,248,1.689,311,2.488,364,4.508,398,6.021,1815,2.413,1946,3.725,2427,1.622,2591,4.929,2592,5.029,2784,7.675]],["t/3239",[0,0.562,1,1.309,5,2.008,13,2.537,15,2.789,16,2.811,28,2.198,33,1.246,38,1.144,44,0.937,50,0.686,56,0.934,61,0.857,64,0.882,65,1.125,71,1.553,72,0.718,73,1.455,83,1.119,85,1.757,91,1.341,94,1.553,101,1.87,121,1.929,123,1.234,127,3.055,147,1.234,150,1.21,151,1.272,152,2.436,160,1.787,166,1.532,174,0.553,185,0.889,186,0.733,199,1.387,248,1.012,250,2.285,260,2.469,286,1.371,294,1.787,295,2.678,300,2.469,328,1.124,334,1.924,355,2.372,393,1.085,420,2.993,425,1.42,477,1.387,480,3.242,483,2.617,487,2.655,521,1.114,537,1.114,542,1.575,556,2.817,762,1.234,763,1.788,764,1.757,786,1.962,788,1.962,839,2.504,855,1.134,956,1.87,975,1.387,1034,1.473,1055,1.512,1098,2.469,1125,1.597,1126,2.469,1137,2.578,1168,1.646,1189,1.437,1240,1.671,1244,1.42,1358,1.085,1417,1.857,1626,1.597,1716,1.71,1796,1.757,1813,1.299,1815,0.909,1828,1.327,1858,3.258,2427,0.611,2432,1.671,2433,1.671,2434,4.391,2435,3.603,2438,1.671,2439,1.492,2440,1.671,2441,3.117,2444,1.671,2446,1.671,2448,1.671,2449,1.671,2452,1.671,2453,1.671,2454,2.658,2455,1.671,2456,2.658,2457,1.532,2459,1.671,2460,1.671,2461,4.115,2462,1.671,2463,1.671,2464,1.671,2465,2.658,2466,1.671,2469,2.504,2471,1.575,2472,1.671,2473,2.504,2603,1.979,2606,2.023,2607,1.979,2608,1.979,2612,1.272,2613,1.285,2629,1.788,2633,2.198,2682,1.512,2683,1.553,2684,1.512,2685,1.512,2686,1.512,2687,1.512,2688,1.512,2689,1.512,2690,1.512,2691,1.553,2692,1.512,2693,1.512,2694,1.698,2695,1.698,2696,1.698,2697,1.698,2698,1.698,2699,1.698,2700,1.597,2701,1.698,2702,1.698,2703,1.698,2772,1.857,2773,1.857,2785,2.268,2786,1.935]],["t/3241",[0,0.565,1,1.313,5,2.019,13,2.545,15,2.797,16,2.826,28,2.208,33,1.256,38,1.153,44,0.945,50,0.691,56,0.94,61,0.862,64,0.889,65,1.131,71,1.565,72,0.724,73,1.466,83,1.126,85,1.77,91,1.352,101,1.882,121,1.559,123,1.244,127,3.066,147,1.244,150,1.22,151,1.282,152,2.451,160,1.798,166,1.544,174,0.558,185,0.896,186,0.739,199,1.398,248,1.018,250,2.3,260,2.485,286,1.382,294,1.798,295,2.69,300,2.48,328,1.132,334,1.936,355,2.379,393,1.093,420,2.123,425,1.431,477,3.649,480,3.256,483,2.633,487,2.669,521,1.122,537,1.122,542,1.587,556,2.828,762,1.244,763,1.802,764,1.77,786,1.975,788,1.975,839,2.52,855,1.143,956,1.882,975,1.398,976,2.971,1034,1.485,1055,1.524,1098,2.485,1125,1.61,1126,2.485,1168,1.659,1189,1.448,1240,1.685,1244,1.431,1358,1.093,1417,1.872,1626,1.61,1716,1.721,1813,1.309,1815,0.916,1828,1.337,1858,3.275,2427,0.616,2432,1.685,2433,1.685,2434,1.61,2435,1.61,2438,1.685,2439,1.504,2440,1.685,2441,3.133,2444,1.685,2446,1.685,2448,1.685,2449,1.685,2452,1.685,2453,1.685,2454,2.674,2455,1.685,2456,2.674,2457,1.544,2459,1.685,2460,1.685,2461,4.131,2462,1.685,2463,1.685,2464,1.685,2465,2.674,2466,1.685,2469,2.52,2471,1.587,2472,1.685,2473,2.52,2493,5.09,2603,1.994,2606,2.035,2607,1.994,2608,1.994,2612,1.282,2613,1.295,2629,1.802,2633,2.215,2682,1.524,2683,1.565,2684,1.524,2685,1.524,2686,1.524,2687,1.524,2688,1.524,2689,1.524,2690,1.524,2691,1.565,2692,1.524,2693,1.524,2694,1.712,2695,1.712,2696,1.712,2697,1.712,2698,1.712,2699,1.712,2700,1.61,2701,1.712,2702,1.712,2703,1.712,2705,2.914,2772,1.872,2773,1.872,2786,1.95,2787,3.206,2788,3.206,2789,2.914]],["t/3243",[0,0.551,1,1.295,2,0.945,5,1.968,13,2.506,15,2.755,16,2.754,28,2.16,33,1.209,38,1.109,44,0.909,50,0.67,56,0.911,61,0.836,64,0.855,65,1.543,71,1.506,72,0.696,73,1.411,83,1.092,85,1.703,91,1.3,101,1.825,121,1.512,123,1.197,127,3.617,147,1.197,150,1.173,151,1.233,152,2.377,160,1.743,166,1.485,174,0.537,185,0.862,186,0.711,199,1.345,211,1.3,248,0.987,250,2.23,260,2.409,264,1.919,286,1.33,294,3.27,295,2.632,300,2.426,328,1.09,334,1.878,355,2.343,393,1.052,420,2.058,425,1.377,477,1.345,480,3.717,483,3.648,487,2.601,521,1.08,537,1.08,542,1.527,556,2.774,762,1.197,763,1.734,764,1.703,786,1.915,788,1.915,839,2.443,855,1.099,956,1.825,975,1.345,1034,1.428,1055,1.466,1064,1.221,1098,2.409,1125,1.549,1126,2.409,1168,1.596,1189,1.394,1240,1.621,1244,1.377,1358,1.052,1626,1.549,1716,1.669,1813,1.259,1815,0.881,1828,1.286,1858,3.192,2427,0.593,2432,1.621,2433,1.621,2434,1.549,2435,1.549,2438,1.621,2439,1.447,2440,1.621,2441,3.054,2444,1.621,2446,1.621,2448,1.621,2449,1.621,2452,1.621,2453,1.621,2454,2.593,2455,1.621,2456,2.593,2457,1.485,2459,1.621,2460,1.621,2461,4.053,2462,1.621,2463,3.242,2464,1.621,2465,2.593,2466,1.621,2469,2.443,2471,1.527,2472,1.621,2473,2.443,2603,1.919,2606,1.973,2607,1.919,2608,1.919,2612,1.233,2613,1.246,2629,1.734,2633,2.131,2682,1.466,2683,1.506,2684,1.466,2685,1.466,2686,1.466,2687,1.466,2688,1.466,2689,1.466,2690,1.466,2691,1.506,2692,1.466,2693,1.466,2694,1.647,2695,1.647,2696,1.647,2697,1.647,2698,1.647,2699,1.647,2700,1.549,2701,1.647,2702,1.647,2703,1.647,2730,2.804,2772,1.801,2773,1.801,2786,1.877,2789,2.804,2790,3.084]],["t/3245",[0,0.563,1,1.131,2,0.977,9,2.545,15,2.663,23,2.761,24,3.084,27,1.928,44,0.94,50,0.856,56,0.589,61,0.859,64,0.884,65,1.127,72,0.72,73,2.318,83,1.121,91,1.345,94,2.474,101,1.179,123,2.447,127,1.857,143,2.137,147,1.966,154,3.401,160,1.127,174,1.25,185,0.891,186,0.735,216,3.615,248,1.014,250,2.29,260,2.474,264,1.984,286,1.375,294,1.791,295,1.892,300,1.744,328,1.127,355,1.375,393,1.088,477,2.21,480,2.29,524,1.853,537,1.117,556,1.823,749,3.401,763,1.793,764,1.761,786,1.237,788,1.237,844,3.019,855,1.137,956,2.657,975,2.21,1034,2.347,1064,1.262,1121,3.401,1158,5.602,1240,1.676,1284,4.195,1356,3.153,1358,1.088,1716,1.714,1796,1.761,1815,0.911,1828,2.997,2427,0.613,2434,2.545,2435,2.545,2439,2.378,2450,5.355,2490,4.303,2492,4.303,2493,4.076,2496,4.303,2498,4.303,2499,4.303,2500,4.303,2505,4.303,2506,6.101,2507,4.303,2508,4.303,2509,4.303,2510,4.303,2511,4.303,2513,4.303,2515,4.303,2519,4.303,2520,4.303,2521,4.303,2522,6.101,2523,4.303,2525,4.303,2606,1.275,2612,1.275,2613,1.288,2682,2.409,2684,3.415,2685,2.409,2686,2.409,2687,2.409,2688,1.516,2689,2.409,2690,2.409,2692,2.409,2693,2.409,2772,1.862,2773,1.862,2785,2.274,2786,1.94,2791,3.189,2792,2.899,2793,4.607,2794,4.607,2795,4.607,2796,2.899,2797,2.899,2798,4.607,2799,4.607,2800,4.607,2801,2.899,2802,2.899,2803,2.899,2804,2.899,2805,2.899,2806,4.607,2807,4.607,2808,2.899,2809,2.899,2810,2.899,2811,2.899,2812,2.899,2813,2.899,2814,2.899]],["t/3247",[0,0.56,1,1.346,2,1.922,15,3.17,44,1.848,50,0.851,56,1.158,61,1.409,65,1.667,72,1.416,73,2.869,83,1.84,91,2.645,98,3.804,101,2.319,160,2.216,185,1.753,186,1.446,248,1.254,250,3.758,260,4.061,264,3.902,286,2.704,342,2.05,355,2.256,393,2.139,556,2.992,763,3.526,764,3.464,786,2.433,788,2.433,855,2.236,1021,6.144,1146,4.633,1240,3.296,1358,2.139,1716,2.813,1815,1.792,1824,7.062,1825,5.325,2427,1.205,2606,2.508,2612,2.508,2613,2.534,2772,3.662,2773,3.662,2785,4.473,2786,3.816,2815,6.272]],["t/3249",[2,2.154,15,3.145,44,2.072,50,0.954,61,1.518,65,1.761,83,1.982,91,2.965,113,4.375,114,4.278,160,2.484,185,1.965,186,1.621,248,1.406,250,4.048,260,4.374,264,4.375,286,3.032,355,2.43,393,2.398,763,3.953,764,3.883,785,3.433,855,2.506,1240,3.695,1358,2.398,1716,3.029,1946,3.102,2427,1.351,2516,6.392,2772,4.105,2773,4.105,2785,5.015,2786,4.278,2816,7.032]],["t/3251",[2,2.154,15,3.145,44,2.072,50,0.954,61,1.518,65,1.761,83,1.556,91,2.965,160,2.484,186,1.621,248,1.406,250,4.048,260,4.374,264,4.375,286,3.863,290,3.216,308,4.189,355,2.43,393,2.398,547,5.655,763,3.953,764,3.883,785,3.433,800,4.189,855,2.506,1240,3.695,1446,4.278,1716,3.029,1946,3.102,2427,1.351,2772,4.105,2773,4.105,2785,5.015,2786,4.278,2817,7.032]],["t/3253",[15,3.024,44,2.268,50,1.044,65,1.375,91,3.245,159,5.915,186,1.774,248,1.539,250,4.284,260,4.629,286,3.318,290,3.521,355,2.572,393,2.625,763,4.327,764,4.251,844,4.585,855,2.744,1240,4.045,1716,2.603,1946,3.396,2427,1.479,2772,4.493,2773,4.493,2785,5.489,2786,4.683]],["t/3255",[2,2.13,11,3.179,15,3.128,44,2.048,50,0.943,61,1.507,65,1.752,76,3.712,83,1.968,91,2.931,160,2.456,185,1.942,186,1.602,248,1.39,250,4.018,260,4.342,264,4.325,286,2.997,342,2.272,355,2.413,393,2.371,466,3.543,763,3.908,764,3.839,855,2.478,1240,3.653,1358,2.371,1716,3.007,1815,1.987,2229,5.902,2427,1.336,2649,5.135,2772,4.058,2773,4.058,2785,4.958,2786,4.229,2818,6.952]],["t/3257",[0,0.546,1,1.01,2,0.933,9,2.454,15,2.741,23,2.689,24,2.973,27,1.859,33,1.915,44,0.897,50,0.83,56,0.562,61,1.036,64,0.845,65,1.646,72,0.688,83,1.081,91,1.284,94,2.385,101,1.126,127,1.79,143,2.06,147,2.973,154,3.279,160,1.076,174,1.218,185,0.851,186,0.702,211,2.06,216,3.484,248,0.977,250,2.208,260,2.385,264,1.895,286,1.313,294,1.726,295,2.613,300,2.815,328,1.076,355,1.325,393,1.039,398,2.172,477,2.131,480,2.208,488,2.104,524,1.805,537,1.066,556,1.095,749,3.279,763,1.712,764,1.682,786,1.182,788,1.182,844,2.91,855,1.086,956,3.304,975,2.131,1034,2.263,1064,1.934,1121,3.279,1158,3.279,1240,1.6,1284,4.087,1356,3.04,1358,1.039,1716,1.652,1815,0.87,1828,2.92,2427,0.585,2434,2.454,2435,2.454,2439,2.292,2450,4.148,2490,4.148,2492,4.148,2493,3.929,2496,4.148,2498,4.148,2499,4.148,2500,4.148,2505,4.148,2506,5.944,2507,4.148,2508,4.148,2509,4.148,2510,4.148,2511,4.148,2513,4.148,2515,4.148,2519,4.148,2520,4.148,2521,4.148,2522,5.944,2523,4.148,2525,4.148,2606,1.218,2612,1.218,2613,1.231,2682,2.322,2684,3.327,2685,2.322,2686,2.322,2687,2.322,2688,1.447,2689,2.322,2690,2.322,2692,2.322,2693,2.322,2725,4.441,2772,1.778,2773,1.778,2786,1.853,2792,2.769,2793,4.441,2794,4.441,2795,4.441,2796,2.769,2797,2.769,2798,4.441,2799,4.441,2800,4.441,2801,2.769,2802,2.769,2803,2.769,2804,2.769,2805,2.769,2806,4.441,2807,4.441,2808,2.769,2809,2.769,2810,2.769,2811,2.769,2812,2.769,2813,2.769,2814,2.769,2819,3.046,2820,3.046,2821,2.586]],["t/3259",[2,2.106,15,3.111,44,2.025,50,0.933,61,1.652,65,1.743,70,2.106,72,1.552,91,2.898,160,2.428,176,3.183,186,1.584,248,1.375,250,3.989,260,4.311,264,5.493,286,3.807,290,4.039,340,4.094,355,2.395,393,2.344,763,3.864,764,3.796,785,3.355,855,2.45,1240,3.612,1716,2.986,1946,3.032,2427,1.321,2772,4.012,2773,4.012,2786,4.182,2821,5.835,2822,6.873,2823,6.873,2824,6.873]],["t/3261",[15,3.012,44,2.254,50,1.038,65,1.366,83,1.692,91,3.225,185,2.137,186,1.763,248,1.53,250,4.267,260,4.611,355,2.562,393,2.609,763,4.3,764,4.224,855,2.726,1240,4.019,1244,3.415,1358,2.609,1716,2.586,1946,3.374,2427,1.47,2750,6.953,2772,4.465,2773,4.465,2786,4.654,2821,6.494]],["t/3263",[11,3.074,15,3.078,44,1.98,50,0.912,61,1.474,65,1.724,72,1.965,83,1.926,160,2.374,186,1.549,248,1.344,250,3.932,260,4.249,286,2.898,311,1.98,342,2.197,355,2.361,393,2.292,763,3.779,764,3.712,855,2.396,956,3.218,1240,3.532,1358,2.292,1417,3.924,1716,2.943,1815,1.921,1985,7.911,2229,5.707,2427,1.292,2475,7.389,2649,4.965,2744,6.11,2772,3.924,2773,3.924,2786,4.089,2825,6.722,2826,6.722,2827,6.722]],["t/3266",[1,1.09,17,3.638,61,1.588,106,2.96,174,1.63,248,1.511,258,4.41,290,3.455,307,3.85,342,2.47,398,5.387,419,7.537,444,3.638,522,3.59,762,2.931,843,6.684,975,3.294,1006,7.155,1458,4.326,1498,6.867,2279,8.651,2427,1.452,2828,7.554]],["t/3268",[31,3.952,58,4.212,174,1.521,248,1.749,290,4,299,4.102,331,5.441,342,2.859,1187,7.034,1458,5.008,2427,1.681]],["t/3270",[61,1.471,248,1.737,331,5.402,342,2.839,947,5.827,1006,5.672,1383,3.04,1458,4.973,2374,7.893,2427,1.669,2530,7.893,2829,8.684]],["t/3272",[174,1.532,227,3.057,248,1.762,290,4.029,299,4.132,331,5.48,342,2.88,524,2.271,1458,5.044,2427,1.693]],["t/3274",[4,1.429,38,2.84,39,3.123,54,2.096,70,2.419,72,1.783,227,2.74,248,1.579,299,3.704,342,2.581,355,2.613,366,2.458,376,3.366,393,2.693,487,4.061,545,5.03,1137,4.024,1365,3.855,1383,2.765,1790,6.704,2427,1.517,2569,7.178,2830,7.897]],["t/3276",[27,3.257,136,3.389,248,1.712,342,2.799,355,2.743,487,4.263,522,4.069,524,2.208,545,5.454,2267,7.269,2275,7.269,2427,1.645]],["t/3278",[174,1.555,248,1.788,290,4.088,342,2.922,762,3.468,1098,4.364,2427,1.718,2831,8.938]],["t/3280",[248,1.762,290,4.029,342,2.88,975,3.841,1164,6.769,1458,5.044,2427,1.693,2430,7.479,2832,8.809,2833,8.809]],["t/3283",[7,1.843,23,3.244,44,2.488,153,4.012,248,1.689,332,3.447,342,2.76,478,4.663,521,2.956,524,2.177,538,2.93,569,3.484,762,3.276,1365,4.122,1813,3.447,2427,1.622]],["t/3285",[23,3.289,174,1.489,176,3.965,248,1.712,332,3.495,342,2.799,393,2.92,569,3.532,762,3.322,843,6.106,1365,4.18,1484,4.571,1813,3.495,2427,1.645]],["t/3287",[23,3.289,174,1.489,176,3.965,248,1.712,332,3.495,342,2.799,393,2.92,569,3.532,762,3.322,1365,4.18,1484,4.571,1813,3.495,2362,7.782,2427,1.645]],["t/3289",[23,3.289,174,1.489,176,3.965,248,1.712,332,3.495,342,2.799,393,2.92,569,3.532,762,3.322,1365,4.18,1484,4.571,1813,3.495,2360,7.782,2427,1.645]],["t/3291",[23,3.289,174,1.489,176,3.965,248,1.712,332,3.495,342,2.799,393,2.92,569,3.532,762,3.322,1365,4.18,1484,4.571,1813,3.495,2358,7.782,2427,1.645]],["t/3293",[23,3.244,83,1.868,174,1.469,176,3.91,248,1.689,332,3.447,342,2.76,393,2.88,569,3.484,762,3.276,785,4.122,1365,4.122,1484,4.508,1813,3.447,2427,1.622,2834,8.443]],["t/3295",[73,3.862,83,1.868,174,1.469,227,2.93,248,1.689,332,3.447,342,2.76,376,3.599,393,2.88,538,2.93,569,3.484,1166,6.021,2365,7.675,2369,7.675,2427,1.622,2835,8.443]],["t/3297",[23,3.266,174,1.479,176,3.938,248,1.7,332,3.471,342,2.779,393,2.9,569,3.508,762,3.299,1365,4.151,1484,4.54,1586,6.063,1671,7.728,1813,3.471,2427,1.634]],["t/3299",[83,1.921,174,1.511,248,1.737,332,3.545,342,2.839,538,3.014,1026,6.193,1064,3.437,1257,6.983,2378,7.893,2427,1.669,2836,8.684]],["t/3301",[23,3.73,56,1.477,61,1.355,174,1.392,181,4.765,248,1.6,342,2.615,366,2.49,421,4.418,569,3.301,694,5.527,1586,7.454,1693,7.272,1813,3.266,1839,6.434,1946,4.283,2214,7.272,2268,6.434,2427,1.537,2837,8]],["t/3303",[23,3.244,83,1.868,174,1.469,176,3.91,248,1.689,332,3.447,342,2.76,393,2.88,569,3.484,762,3.276,785,4.122,1365,4.122,1484,4.508,1813,3.447,2427,1.622,2838,8.443]],["t/3305",[23,3.266,174,1.479,176,3.938,248,1.7,332,3.471,342,2.779,393,2.9,569,3.508,762,3.299,1365,4.151,1484,4.54,1769,5.553,1813,3.471,2427,1.634,2839,8.502]],["t/3307",[23,3.244,51,4.012,61,1.43,174,1.469,176,3.91,248,1.689,332,3.447,342,2.76,393,2.88,569,3.484,762,3.276,1365,4.122,1484,4.508,1813,3.447,1948,7.168,2427,1.622]],["t/3310",[36,4.557,39,2.628,61,1.658,118,4.131,139,5.6,174,1.41,210,5.063,248,1.621,282,3.904,308,4.829,332,3.309,342,2.65,1124,3.803,1165,5.6,1178,5.295,1484,4.328,1979,6.882,2172,7.369,2427,1.558,2647,6.882]],["t/3312",[63,3.376,227,3.079,248,1.775,311,2.614,331,5.52,342,2.901,522,4.217,2323,7.136,2427,1.705]],["t/3315",[31,4.568,65,1.529,90,3.571,91,3.61,248,1.712,342,2.799,1089,6.579,1158,5.745,1458,4.903,1565,7.782,1946,3.777,2275,7.269,2427,1.645]],["t/3317",[8,3.831,9,4.27,31,4.549,62,3.204,192,4.467,208,3.471,248,1.7,342,2.779,941,7.218,942,7.218,1865,7.728,1970,7.218,2427,1.634]],["t/3320",[39,2.877,63,3.376,143,3.741,248,1.775,311,2.614,342,2.901,365,6.13,2427,1.705,2840,8.873]],["t/3323",[63,3.351,227,3.057,248,1.762,311,2.595,331,5.48,342,2.88,522,4.186,569,3.635,940,3.714,2427,1.693]],["t/3325",[61,1.42,121,2.569,185,2.343,186,1.933,248,1.677,342,2.741,383,4.995,524,2.162,1636,6.194,2267,7.119,2427,1.611,2841,9.077,2842,8.385,2843,8.385,2844,8.385,2845,8.385]],["t/3327",[23,3.199,39,2.7,58,4.011,63,3.168,141,4.862,192,4.376,248,1.665,311,2.454,342,2.722,521,2.916,524,2.147,732,5.939,1470,5.181,1828,3.473,2427,1.6,2841,9.04,2846,8.328]],["t/3329",[39,2.737,227,3.48,241,4.012,248,1.689,334,3.212,342,2.76,466,4.303,538,2.93,569,4.137,737,4.829,1383,2.956,2427,1.622,2847,8.443]]],"invertedIndex":[["",{"_index":1,"t":{"2484":{"position":[[4,6],[11,4],[16,3],[20,3],[24,2],[27,2],[30,2],[33,2],[36,3],[40,4],[45,5],[82,7],[90,4],[95,4],[100,2],[103,5],[151,3],[180,5],[186,4],[195,2],[198,3],[202,6],[209,3],[213,3],[228,3],[232,4],[237,6],[287,4],[292,2],[295,5],[301,5],[315,1],[328,2],[331,3],[335,4],[344,4],[349,3],[353,5],[359,3],[363,3],[377,3],[381,4],[386,6],[405,4],[418,3],[422,6],[429,3],[433,5],[450,6],[457,2],[479,2],[482,3],[486,4],[491,2],[494,4],[499,4],[544,5],[550,6],[568,4],[580,3],[584,6],[591,3],[595,6],[602,4],[607,3],[652,2],[655,4],[660,2],[671,4],[676,6],[691,3],[699,3],[703,6],[710,2],[719,4],[724,4],[729,3],[753,4],[758,6],[775,5],[781,3],[785,6],[792,3],[796,3],[810,3],[814,4],[819,6],[848,4],[853,4],[858,4],[863,3],[867,4],[876,7],[884,3],[888,3],[910,3],[914,4],[919,6],[946,5],[952,4],[957,3],[961,1],[963,6],[975,6],[982,3],[986,3],[1010,3],[1014,4],[1019,6],[1046,4],[1051,6],[1058,3],[1062,3],[1082,3],[1086,4],[1091,6],[1118,1],[1120,4],[1125,5],[1131,6],[1147,2],[1150,2],[1153,2],[1156,1],[1158,4],[1163,2],[1166,4],[1171,6]]},"2486":{"position":[[0,1],[2,6],[9,4],[18,2],[21,5],[27,5],[33,2],[36,2],[39,2],[42,6],[49,4],[54,2],[57,6],[64,2],[67,4],[72,3],[80,3],[84,4],[89,3],[93,6],[100,2],[103,3],[118,3],[122,4],[127,4],[132,5],[138,3],[142,3],[146,1],[148,6],[155,2],[158,3],[168,6],[175,4],[180,3],[184,6],[191,2],[194,3],[198,3],[202,2],[205,2],[208,2],[221,3],[225,4],[230,4],[235,6],[242,3],[246,4],[251,2],[263,4],[268,3],[272,1],[279,6],[286,4],[291,2],[294,2],[297,3],[301,2],[304,3],[308,3],[312,2],[315,2],[318,4],[323,6]]},"2488":{"position":[[0,2],[3,6],[10,4],[22,7],[30,2],[33,2],[36,2],[43,3],[47,2],[50,5],[56,2],[59,6],[66,1],[68,4],[73,1],[75,4],[80,3],[84,3],[88,2],[91,3],[95,6],[106,4],[111,2],[114,4],[128,4],[133,5],[139,4],[144,3],[148,1],[150,5]]},"2490":{"position":[[0,2],[3,2],[6,5],[12,3],[16,2],[19,3],[23,3],[27,1],[29,4],[45,3],[49,4],[54,2],[57,3],[61,3],[65,3],[69,3],[76,4],[86,3],[90,1],[92,5],[105,5],[111,3],[115,2],[118,6],[125,1],[127,1],[129,3],[133,2],[136,3],[156,4],[161,2],[164,3],[168,3],[172,4],[177,6],[184,2],[187,9],[197,2],[200,3],[204,4],[209,4],[221,7],[229,3]]},"2492":{"position":[[0,4],[5,2],[8,4],[13,1],[15,3],[19,2],[22,6],[29,2],[32,2],[35,2],[38,3],[42,4],[63,4],[68,4],[73,2],[76,1],[78,4],[83,3],[87,2],[90,2],[93,1],[95,3],[99,2],[102,3],[106,6]]},"2494":{"position":[[0,4],[5,3],[19,5],[25,2],[28,3],[32,3],[36,3],[40,5],[46,4],[51,5],[57,3],[61,4],[66,5],[72,1],[74,6],[81,2],[84,3],[88,6],[95,1],[97,2],[100,4],[105,5],[111,2],[114,3],[118,2],[121,4],[126,3],[130,4],[135,2],[138,3],[142,3],[146,4],[151,4],[156,3],[160,2],[163,3],[167,6],[174,5],[180,2],[183,4],[188,4],[193,3],[197,2],[200,4],[205,3],[209,5],[215,4],[220,3],[224,5],[230,1],[232,5],[266,6],[273,3],[277,2],[280,3],[284,5],[290,5],[296,5],[302,5],[308,2],[311,2],[314,3],[318,3],[322,5],[328,4],[333,4],[338,2],[341,4],[346,4],[376,4],[381,4],[386,4],[403,7],[411,6],[418,2],[421,2],[428,4],[433,4],[438,2],[441,6],[448,5],[472,5],[478,5],[484,2],[487,3],[491,4],[496,3],[500,2],[503,5],[509,3],[513,6],[520,3],[524,4],[529,4],[534,3],[538,2],[541,2],[544,2],[547,3],[551,2],[554,4],[559,4],[564,2],[567,4],[572,3],[576,5],[582,6],[589,1],[591,5],[597,2],[612,2],[615,3],[665,4],[670,5],[676,6],[683,3],[687,3],[691,2],[694,6],[701,2],[704,2],[707,4],[712,3],[716,1],[718,2],[721,3],[740,4],[745,4],[754,2],[757,2],[760,5],[766,4],[771,3],[775,3],[779,2],[782,2],[789,4],[794,3],[798,1],[800,5],[806,5],[812,2],[840,6]]},"2516":{"position":[[358,1],[385,1]]},"2520":{"position":[[1006,1],[1024,1],[1438,1],[1456,1],[2153,1],[2155,1],[2175,1],[2177,1],[2179,2],[3308,1],[3462,1],[3469,1],[3500,1],[3534,1],[3707,1],[3724,1],[3742,1],[3754,1],[3801,1],[3837,1],[3876,1],[4214,2],[4595,1],[4602,1],[4633,1],[4667,1],[4701,1]]},"2526":{"position":[[150,2],[363,1],[404,1],[541,2],[606,1],[1259,1],[1300,1],[1529,2],[1594,1]]},"2528":{"position":[[299,1],[340,1],[755,2],[1118,1],[1159,1]]},"2530":{"position":[[188,1],[359,1],[470,1],[671,1],[1565,3]]},"2535":{"position":[[94,1],[124,1],[169,1]]},"2539":{"position":[[925,2],[1067,2],[1303,3],[1951,1],[2043,1],[2139,1],[2247,1],[2473,1],[2601,1]]},"2541":{"position":[[1206,1],[1287,1],[1383,1],[1488,1],[1664,1],[1840,1],[1976,1],[2003,1]]},"2543":{"position":[[1482,1],[1551,1],[1756,1],[1765,1]]},"2545":{"position":[[652,1],[732,1],[772,1],[795,2],[832,1],[892,1],[936,1],[1047,2],[1082,1]]},"2547":{"position":[[27,3],[42,3],[46,5],[52,5],[58,2],[61,4],[66,4],[71,1],[73,6],[88,2],[97,2],[100,4],[116,3],[120,3],[124,3],[128,2],[131,3],[146,3],[150,4],[155,4],[160,1],[162,3],[177,2],[180,3],[184,5],[203,3],[207,4],[212,4],[217,3],[221,1],[223,5],[229,3],[233,3],[237,2],[240,3],[244,6],[262,2],[265,3],[269,6],[379,2],[382,3],[397,3],[401,3],[405,6]]},"2549":{"position":[[29,4],[34,3],[38,3],[42,3],[62,6],[69,2],[72,2],[82,3],[86,2],[93,3],[100,2],[103,4],[108,5],[114,2],[130,5],[136,3],[140,1],[142,5]]},"2551":{"position":[[0,1],[2,4],[12,4],[17,3],[21,1],[23,2],[26,3],[30,3],[38,3],[42,2],[45,3],[53,4],[58,1],[60,3],[64,3],[68,4],[73,2],[76,3],[80,4],[85,5]]},"2554":{"position":[[5,1],[7,2],[10,2],[13,3],[17,4],[22,2],[25,2],[28,3],[38,3],[42,4],[47,6],[54,1],[59,4],[68,2],[71,4],[76,4],[81,4],[86,5],[92,3],[96,2],[102,3],[106,2],[109,2],[112,2],[115,2],[121,3],[125,3],[129,2],[132,3],[136,3],[144,3],[158,2],[161,4],[166,6]]},"2556":{"position":[[4,5],[10,1],[12,2],[15,4],[20,3],[24,4],[34,2],[37,6],[44,6],[51,2],[54,1],[60,3],[64,3],[68,4],[78,3],[82,3],[86,4],[91,6],[98,5],[104,1],[106,2],[109,4],[114,4],[119,6],[126,2],[129,2],[132,3],[140,3],[144,4],[149,2],[152,4],[157,6]]},"2558":{"position":[[0,5],[11,3],[15,4],[20,3],[24,2],[27,2],[30,3],[34,6],[41,1],[43,3],[47,5],[53,3],[57,3],[61,3],[65,1],[67,5],[73,4],[78,4],[83,3],[87,1],[89,2],[92,1],[94,2],[97,2],[100,3],[104,6],[111,4],[116,4],[121,2],[132,3],[136,2],[139,3],[143,3],[147,1],[149,5],[155,3],[159,3],[173,3],[177,4],[182,6]]},"2560":{"position":[[5,4],[10,4],[15,3],[19,3],[23,1],[25,2],[28,4],[38,4],[43,3],[51,4],[56,5],[62,3],[66,3],[70,3],[74,1],[76,5],[82,3],[86,1],[88,3],[92,3],[102,4],[107,2],[110,5],[125,6],[136,2],[139,5],[145,4],[150,2],[153,3],[181,1],[192,3],[242,1],[264,3],[268,2],[271,2],[274,2],[285,4],[290,2],[293,3],[297,6],[382,2],[385,1],[387,3],[391,4],[396,4],[401,3],[405,2],[408,5],[419,4],[424,2],[427,2],[430,1],[432,3],[439,3],[443,4],[452,4],[457,4],[471,2],[474,3],[478,6],[485,5],[491,2],[494,4],[499,4],[507,2],[510,5],[516,3],[520,3],[524,1],[526,4],[545,3],[549,4],[554,3],[558,2],[561,4],[566,2],[569,3],[573,3],[577,1],[579,3],[583,4],[588,4],[761,3],[765,2],[768,2],[771,5],[777,2],[780,3],[784,3],[788,6],[795,2],[798,2],[814,3],[818,4]]},"2562":{"position":[[5,2],[8,2],[11,4],[16,4],[33,4],[38,5],[44,6],[51,5],[74,1],[76,2],[97,3],[101,1],[103,3],[107,2],[110,5],[128,4],[133,5],[148,4],[166,4],[171,2],[174,2],[177,4],[188,4],[193,8],[209,4],[214,4],[219,2],[222,3],[226,1],[228,5],[234,4],[239,2],[250,6],[261,3],[273,6],[280,3],[291,2],[294,4],[299,1],[301,3],[305,4],[318,3],[322,1],[324,5],[388,1],[402,3],[406,4],[416,6],[452,1],[471,5],[477,3],[481,1],[483,3],[487,6],[494,1],[936,5],[942,2],[945,3],[949,6],[956,1]]},"2564":{"position":[[14,3],[18,2],[21,4],[26,2],[34,6],[55,3],[59,4],[64,5],[79,4],[89,3],[99,2],[102,5],[108,2],[111,3],[115,4],[129,6],[296,1],[351,2],[354,2],[357,3],[367,4],[372,3],[376,1],[378,2],[381,5],[396,4],[401,3],[405,1],[407,5],[434,1],[496,1],[553,1]]},"2566":{"position":[[60,5],[66,2],[82,6],[89,1],[91,3],[95,2],[98,2],[101,7],[109,2],[112,2],[115,5],[141,2],[144,3],[148,4],[153,1],[155,3],[159,2],[162,5],[189,3],[193,3],[197,5],[215,3],[219,5],[225,6],[232,1],[234,3],[238,4],[243,2],[246,3],[250,3],[254,4],[259,3],[263,2],[272,1],[282,3],[286,1],[288,3],[292,6],[314,2],[317,4],[322,3],[326,4],[331,5]]},"2568":{"position":[[9,2],[12,1],[21,4],[26,4],[31,3],[35,4],[40,4],[45,6],[52,3],[56,3],[60,2],[63,3],[67,4],[72,4],[77,3],[81,6],[88,6],[141,4],[146,4],[151,3],[155,4],[160,6],[167,3],[274,5],[280,2],[283,4],[288,2],[291,2],[294,2],[297,6],[325,1],[337,4],[342,4],[347,4],[352,4],[357,6],[430,3],[434,2],[437,3],[441,3],[445,2],[448,3],[452,2],[455,4],[460,3],[471,4],[496,4],[501,4],[506,6],[513,3],[517,5],[523,6],[530,3],[534,5],[540,2],[543,4],[574,4],[579,3],[583,4],[588,5],[594,4],[599,3],[603,4],[608,4],[933,1],[941,1],[1085,4],[1090,4],[1095,4],[1100,4],[1105,4],[1110,4],[1115,1],[1121,2],[1124,3],[1128,2],[1131,2],[1134,5],[1140,3],[1144,3],[1148,3],[1152,2],[1155,3],[1185,5],[1191,4],[1196,3],[1200,4],[1205,3],[1209,2],[1212,6]]},"2570":{"position":[[0,3],[4,1],[6,3],[10,2],[13,6],[34,4],[39,5],[45,3],[58,4],[63,3],[67,2],[75,4],[80,5],[86,5],[92,2],[95,4],[100,4],[105,4],[128,3],[132,4],[137,5],[143,6],[150,3],[163,5],[169,2],[172,4],[177,3],[181,5],[187,3],[196,4],[201,1],[203,3],[207,5],[213,5],[219,4],[224,4],[229,3],[233,4],[238,1],[240,4],[245,4],[250,3],[254,1],[256,5],[262,6],[269,3],[273,4],[278,2],[281,4],[286,3],[290,2],[293,4],[298,2],[301,2],[304,4],[309,3],[313,7],[321,5],[327,5],[333,2],[336,6],[343,3],[347,3],[351,3],[355,4],[360,2],[363,3],[367,3],[371,1],[373,5]]},"2572":{"position":[[0,3],[4,1],[6,3],[10,2],[13,6],[20,4],[25,3],[29,4],[34,4],[39,6],[46,6],[53,4],[58,2],[61,3],[65,4],[70,2],[73,3],[77,2],[80,4],[89,3],[93,3],[97,1],[99,5],[105,4],[110,6],[117,2],[120,3],[124,3],[157,1],[159,6]]},"2574":{"position":[[0,2],[3,4],[8,2],[11,1],[13,3],[17,4],[22,7],[30,6],[37,2],[44,5],[50,4],[55,5],[61,3],[65,3],[69,3],[73,5],[79,2],[82,6],[89,5],[101,4],[106,4],[111,5],[117,3],[121,3],[129,4],[134,7],[142,2],[145,4],[150,4],[155,5],[161,4],[177,1],[184,3],[188,3],[192,3],[202,5],[208,4],[213,4],[218,5],[224,5],[230,4],[235,5],[241,2],[244,3],[248,2],[255,4],[260,5],[273,3],[283,3],[287,2],[296,4],[301,2],[304,5],[310,4],[315,4],[320,7],[345,1],[347,5],[360,4],[365,4],[370,2],[384,6],[391,4],[396,2],[399,1],[401,3],[414,2],[422,4],[427,2],[430,3],[434,3],[438,5],[444,3],[448,2],[451,5],[465,3],[472,5],[478,5],[484,2],[487,4],[492,5],[498,11],[510,4],[515,2],[518,2],[521,4],[526,4],[531,2],[534,3],[538,3],[542,2],[545,2],[548,2],[551,4],[560,5],[566,2],[569,4],[574,5],[580,3],[584,3],[595,6]]},"2576":{"position":[[60,1],[62,4],[77,3],[81,7],[89,1],[91,3],[95,5],[101,3],[114,4],[119,3],[123,4],[137,4],[142,5],[303,7],[338,3],[342,2],[345,2],[348,4],[353,4],[425,6],[432,1],[434,3],[438,3],[442,2],[468,4],[473,2],[476,4],[481,5],[491,5],[497,3],[501,2],[504,3],[537,3],[541,2],[544,4],[549,1],[551,1],[553,5],[591,6],[642,5],[697,5],[703,3],[707,2],[710,3],[714,5],[720,3],[724,3],[728,3],[743,3],[747,4],[752,4],[757,5],[786,4],[791,4],[796,5],[802,1],[804,4],[809,2],[812,3],[880,4],[893,3],[897,6]]},"2578":{"position":[[0,4],[10,4],[15,3],[19,4],[24,6],[31,1],[33,3],[37,2],[52,1],[67,6],[74,6],[93,4],[98,2],[101,1],[103,3],[107,2],[110,3],[114,3],[118,1],[120,5],[126,2],[129,4],[134,2],[137,2],[140,3],[165,3],[181,3],[185,4],[190,5],[259,2],[262,6],[274,6],[324,2],[327,7],[335,4],[346,6],[416,3],[420,4],[425,3],[433,2],[436,2],[439,3],[443,2],[446,4],[451,4],[456,7],[497,4],[502,2],[505,5],[511,6],[526,2],[541,1],[543,3],[547,6],[554,4],[559,1],[561,4],[566,4],[571,3],[575,2],[578,2],[581,3],[585,6],[632,5],[638,6],[645,2],[648,4],[653,3],[657,3],[661,2],[664,4],[669,4],[674,3],[678,6],[685,4],[690,3],[694,4],[699,2],[702,2],[705,5]]},"2580":{"position":[[38,4],[43,2],[46,3],[50,6],[95,4],[100,2],[103,3],[107,6],[143,2]]},"2582":{"position":[[4,5],[23,1],[38,4],[43,3],[47,1],[49,4],[54,1],[56,3],[69,4],[74,4],[79,6],[86,1],[88,1],[90,3],[94,3],[98,4],[103,3],[107,4],[112,4],[174,3],[178,5],[184,2],[187,3],[191,2],[194,3],[198,1],[200,5],[206,2],[209,2],[212,3],[216,6],[223,3],[241,1],[250,4],[255,3],[259,4],[264,4],[269,2],[291,4],[296,4],[301,2],[304,6],[311,4],[316,2],[319,4],[324,2],[327,3],[331,5],[337,2],[345,4],[350,5],[356,5],[362,4],[367,6],[374,3],[378,2],[381,2],[384,4],[389,5],[395,2],[398,4],[403,5],[409,2],[412,3],[416,5],[422,2],[425,2],[428,3],[432,3],[436,3],[440,3],[444,4],[449,1],[451,5],[457,3],[461,2],[464,2],[467,4],[472,5],[478,4],[483,3],[487,3],[491,1],[493,2],[496,2],[499,2],[502,3],[506,2],[509,3],[513,3],[517,4],[522,7],[530,3],[534,3],[538,5],[544,4],[549,4],[554,1],[556,5],[562,3],[566,3],[588,6],[595,2],[598,2],[601,1],[603,2],[606,4],[611,3],[615,5],[621,2],[624,4],[629,5],[644,4],[649,4],[660,1],[662,2],[665,4],[670,4],[675,3],[679,2],[682,3],[686,3],[690,5],[696,2],[699,3],[703,6]]},"2584":{"position":[[0,2],[3,5],[9,2],[12,5],[18,3],[34,2],[45,5],[51,4],[56,4],[61,4],[66,3],[70,1],[72,6],[87,4],[110,3],[114,6],[130,4],[135,3],[156,3],[160,4],[186,7],[220,4],[225,3],[229,3],[233,1],[235,5],[241,2],[244,5],[250,2],[253,2],[256,1],[258,3],[262,4],[267,6],[274,6],[310,1]]},"2587":{"position":[[0,2],[3,2],[12,5],[18,2],[21,3],[25,4],[30,3],[34,3],[38,4],[43,4],[48,3],[52,2],[55,3],[59,3],[63,3],[77,4],[82,5],[88,1],[90,3],[94,3],[98,3],[102,4],[107,3],[111,2],[114,3],[118,3],[135,6],[148,5],[154,4],[176,3],[180,4],[185,5],[212,4],[222,5],[228,2],[231,4],[254,4],[259,4],[269,2],[272,3],[286,5],[292,3],[296,1],[298,5],[336,4],[410,2],[413,3],[417,1],[419,5]]},"2589":{"position":[[11,2],[14,2],[17,5],[57,4],[62,5],[68,5],[74,5],[80,2],[83,3],[87,6],[320,3],[324,2],[327,2],[330,3],[334,3],[338,1],[340,2],[343,5],[349,3],[353,3],[357,4],[362,3],[366,6],[373,2],[376,2],[379,4],[384,2],[387,2],[396,4],[401,3],[405,2],[408,2],[411,3],[415,3],[419,6],[426,4],[431,4],[436,3],[456,6],[463,3],[467,5],[473,4]]},"2591":{"position":[[29,2],[32,2],[35,5],[58,5],[64,5],[70,5],[76,2],[79,3],[83,6],[206,3],[210,2],[213,2],[216,3],[220,3],[224,1],[226,2],[229,5],[235,3],[239,3],[243,4],[248,3],[252,5],[258,2],[261,2],[264,4],[269,2],[272,2],[281,4],[286,3],[290,2],[293,2],[296,3],[300,3],[304,6],[311,4]]},"2593":{"position":[[0,6],[11,3],[15,5],[21,3],[34,4],[39,2],[42,3],[46,3],[50,1],[52,5],[58,2],[61,3],[65,6],[72,2],[75,6],[85,3],[98,4],[103,4],[108,4],[113,5],[132,4],[137,4],[142,2],[154,6],[227,4],[232,4],[237,1],[239,5],[257,3],[419,3],[431,7],[445,3],[449,3],[453,2],[456,3],[460,7]]},"2595":{"position":[[14,4],[19,4],[24,2],[27,3],[31,5],[53,4],[58,4],[67,5],[73,2],[76,3],[80,1],[82,3],[86,3],[90,8],[104,4],[109,6],[116,2],[119,2],[122,2],[125,2],[128,4],[133,2],[136,2],[139,1],[141,2],[144,2],[151,5],[157,2],[160,2],[163,3],[167,1],[169,5],[179,2],[182,1],[184,2],[187,3],[191,2],[194,3],[198,3],[202,2],[205,4],[210,6],[225,5],[243,4],[248,4],[257,3],[261,5],[267,3],[271,2],[274,5],[291,4],[296,6],[319,1],[334,1],[356,1],[382,1],[397,1],[428,1],[437,2],[440,3],[444,3],[452,3],[456,4],[461,3],[472,3],[476,4],[481,5],[487,2],[490,4],[495,3],[499,1],[501,3],[505,4],[510,4],[515,3],[520,1],[522,2],[525,6],[537,4],[542,3],[546,3],[569,6],[576,4],[581,3],[585,1],[587,5]]},"2597":{"position":[[28,2],[31,2],[34,5],[49,4],[54,6],[75,4],[80,2],[83,3],[95,3],[99,4],[104,3],[108,4],[113,4],[118,2],[121,2],[124,2],[127,2],[130,2],[133,6],[140,3],[144,4],[149,2],[152,2],[155,4],[160,5],[166,2],[169,5],[175,2],[182,5],[201,4],[206,6],[213,2],[216,3],[255,4],[260,3],[264,1],[266,5],[272,3],[284,2],[287,3],[291,4],[296,3],[300,1],[302,5],[468,2],[471,5],[477,4],[482,2],[485,3],[489,5],[495,3],[499,2],[502,2],[505,3],[509,4],[514,4]]},"2599":{"position":[[9,5],[19,2],[22,1],[24,5],[30,3],[34,1],[46,4],[51,6],[58,1],[60,3],[68,2],[71,5],[77,3],[81,1],[83,5],[113,3],[117,2],[132,4],[137,2],[140,4],[145,5],[151,3],[155,5],[161,3],[165,2],[168,3],[172,2],[175,4],[180,1],[182,4],[187,5],[193,4],[198,4],[203,2],[214,2],[217,3],[221,3],[254,6],[266,2],[277,3],[281,3],[304,6],[311,3],[315,1],[317,5]]},"2602":{"position":[[0,3],[4,3],[8,4],[13,8],[22,3],[26,2],[29,4],[34,2],[37,1],[39,3],[43,3],[47,5],[150,3],[154,3],[158,4],[163,2],[166,3],[175,6],[182,1],[184,1],[186,2],[189,4],[200,6],[207,1],[209,3],[213,4],[218,2],[226,3],[230,4],[249,5],[255,6],[262,2],[265,2],[273,2],[276,4],[281,4],[286,2],[289,5],[295,3],[299,1],[301,5],[307,2],[310,3],[314,3],[318,5],[324,2],[327,4],[332,4],[337,4],[342,6],[349,2],[352,3],[356,4],[361,2],[364,1],[366,3],[370,4],[375,4],[380,2],[383,2],[386,3],[390,3],[394,1],[396,5],[402,2],[405,3],[409,5],[415,2],[418,4],[423,3],[436,4],[441,4],[446,1],[448,3],[456,2],[459,5],[465,2],[468,3],[472,2],[480,4],[485,3],[489,6],[496,3],[500,3],[513,2],[516,4],[521,8],[540,3],[544,1],[546,2],[549,2],[552,3],[565,3],[569,6],[576,2],[579,2],[582,4],[608,6],[615,3],[626,3],[630,4],[635,6],[642,3],[646,2],[649,1],[651,2],[654,4],[659,3],[663,4],[668,3],[672,6],[679,2],[682,3],[695,2],[698,3],[702,3],[725,4],[730,6],[737,5],[743,5]]},"2604":{"position":[[0,3],[4,2],[11,3],[15,6],[43,3],[47,6],[86,1],[88,3],[92,5],[106,3],[110,4],[115,2],[118,2],[121,3],[125,3],[129,1],[131,5],[137,2],[140,2],[143,2],[146,6],[161,3],[228,6],[235,3],[239,5],[245,5],[256,1],[258,4],[263,2],[266,2],[269,3],[273,6],[460,1],[516,1]]},"2606":{"position":[[5,2],[8,3],[12,3],[16,4],[21,2],[24,3],[28,1],[30,5],[36,2],[39,4],[44,2],[47,3],[51,4],[56,4]]},"2608":{"position":[[0,4],[5,3],[9,2],[12,3],[16,3],[20,3],[24,1],[26,5],[32,3],[36,2],[39,4],[44,3],[48,3],[52,2],[55,2],[58,3],[62,4],[82,4],[87,6],[94,4],[99,3],[103,2],[106,3],[110,2],[113,2],[116,3],[120,1],[122,5],[128,4],[133,2],[136,3],[140,6],[147,2],[150,4],[155,3],[159,2],[162,6],[169,4],[180,1],[203,5],[209,6],[324,4],[365,3],[369,3],[373,3],[377,2],[380,3],[384,2],[387,2],[390,3],[394,3],[415,6],[428,3],[432,2],[435,4],[440,5],[454,4],[479,3],[483,6],[490,2],[493,2],[503,4],[508,2],[511,4],[516,1],[518,3],[522,5],[528,4],[533,4],[538,2],[541,3],[545,2],[548,3],[552,4],[586,2],[589,4],[594,6],[607,3],[611,4],[616,3],[620,3],[632,2],[643,2],[646,3],[650,3],[654,4],[659,2],[662,2],[665,5],[693,1],[695,2],[698,3],[702,1],[704,4],[718,3],[722,3],[726,4],[731,3],[735,3],[739,4],[744,5],[750,2],[753,6],[767,3],[771,4],[776,2],[779,3],[783,3],[800,3],[804,3],[808,2],[817,2],[820,3],[824,6]]},"2618":{"position":[[175,1]]},"2620":{"position":[[186,1]]},"2622":{"position":[[897,1],[927,1],[958,1],[986,1],[1017,1],[1070,1],[1136,1],[1154,1],[1169,1],[1183,1],[1185,1],[1417,1],[1577,1],[1948,2],[2312,2],[2322,1],[2345,1],[2422,1],[2431,1],[2470,1],[2472,1],[2564,1],[2609,1],[2624,1],[2854,1],[3012,1]]},"2624":{"position":[[0,2],[364,2],[374,1],[397,1],[474,1],[483,1],[522,1],[524,1],[616,1],[661,1],[676,1],[906,1],[1064,1]]},"2648":{"position":[[891,1],[914,1],[916,1],[918,3],[1553,1]]},"2675":{"position":[[4749,2],[4756,1],[4758,1],[4760,2],[4781,1],[4783,1],[4785,3],[5500,1]]},"2677":{"position":[[6,2],[9,2],[12,7],[20,4],[25,6],[32,3],[36,1],[38,2],[41,3],[50,2],[53,5],[59,4],[64,7],[72,1],[74,3],[78,5],[84,5],[90,4],[95,6],[102,2],[105,3],[109,6],[116,3],[120,2],[123,2],[126,3],[130,2],[133,3],[137,7],[145,3],[149,1],[151,5],[157,2],[160,3],[164,2],[172,3],[176,2],[179,2],[182,3],[186,2],[189,3],[199,2],[214,2],[217,7],[229,7],[237,3],[241,1],[243,5],[255,4],[260,4],[265,3],[269,2],[272,5],[278,4],[283,2],[286,3],[290,4],[302,7],[310,3],[314,1],[316,5],[322,3],[338,4],[343,4],[348,4],[353,5],[359,4],[364,7],[372,4],[377,1],[379,2],[382,2],[385,5],[391,3],[395,1],[397,2],[400,3],[404,4],[415,4],[420,3],[429,4],[437,7],[445,3],[449,1],[451,5],[462,3],[466,2],[469,6],[476,3],[480,6],[487,4],[507,2],[510,3],[514,2],[517,7],[525,3],[529,1],[531,5],[545,2],[548,9],[558,2],[561,6],[568,3],[572,2],[575,4],[580,4],[590,6],[597,3],[601,2],[604,2],[607,6],[614,4],[624,2],[627,4],[632,4],[643,4],[648,3],[652,2],[655,3],[659,3],[663,4],[668,4],[678,4],[683,6],[695,1],[702,5],[708,6],[715,2],[723,5],[729,5],[735,6],[742,2],[745,1],[747,4],[757,6],[764,3],[768,2],[771,2],[774,4],[785,4],[790,6],[797,2],[800,6],[807,2],[810,4],[815,2],[818,7],[826,4],[831,3],[835,2],[838,3],[842,3],[846,4],[851,2],[857,4],[862,6],[869,4],[874,2],[877,7],[885,3],[889,5],[907,3],[911,2],[914,4],[938,3],[942,2],[945,4],[966,3],[970,2],[973,4],[1011,3],[1015,2],[1018,4]]},"2679":{"position":[[25,2],[28,2],[31,7],[39,5],[50,2],[53,3],[57,1],[59,1],[61,3],[84,5],[90,4],[95,4],[100,2],[103,3],[107,2],[110,1],[112,4],[117,4],[122,5],[128,3],[132,2],[135,5],[141,2],[144,3],[148,3],[152,5],[158,4],[163,4],[172,3],[176,2],[179,2],[182,3],[186,3],[190,1],[192,5],[302,2],[310,2],[313,4],[318,6],[325,7],[333,2],[336,3],[340,4],[345,1],[347,4],[352,7],[360,1],[362,4],[367,3],[371,1],[373,4],[378,2],[381,3],[385,3],[389,3],[393,4],[398,5],[444,8],[453,3],[457,4],[462,1],[464,4],[473,2],[506,6],[513,8],[522,3],[526,2],[529,2],[532,4],[537,3],[541,4],[546,4],[556,2],[559,3],[563,4],[568,3],[572,1],[574,5],[580,4],[585,2],[592,4],[601,6],[608,4],[613,4],[618,3],[622,1],[624,5],[674,7],[682,2],[685,5],[691,3],[695,2],[698,3],[702,4],[711,3],[715,6],[722,1],[724,3],[728,5],[734,7],[742,5],[748,3],[752,2],[755,3],[759,5],[765,4],[770,3],[774,4],[779,1],[781,5],[787,4],[792,2],[813,5],[819,4],[824,4],[871,7],[879,2],[882,5],[888,3],[892,2],[895,3],[899,4],[908,1],[910,6],[917,3],[921,3],[925,2],[947,5],[953,6],[960,6],[967,2],[970,4],[975,2],[978,3],[982,3],[986,4],[991,3],[995,3],[999,4],[1004,3],[1008,3],[1012,2],[1015,3],[1019,3],[1023,3],[1027,2],[1030,2],[1033,3],[1037,4],[1042,2],[1045,5]]},"2681":{"position":[[0,2],[3,6],[29,5],[35,4],[40,2],[43,3],[47,6],[54,4],[59,2],[62,6],[69,3],[73,4],[78,1],[80,2],[83,7],[91,2],[94,1],[96,3],[100,3],[104,2],[107,3],[111,6],[135,1],[150,2],[153,4],[158,3],[174,3],[178,3],[182,5],[188,2],[191,3],[195,3],[199,2],[202,3],[206,5],[269,1],[271,2],[274,2],[277,5],[283,3],[287,1],[289,5],[295,2],[298,2],[301,3],[305,3],[345,1],[347,6],[354,6],[361,3],[365,5],[371,2],[374,7],[382,4],[387,3],[391,4],[396,6],[403,3],[407,6],[414,6],[434,4],[439,3],[448,3],[452,6],[459,3],[463,3],[467,5],[483,4],[499,6],[519,3],[523,7],[531,6],[538,2],[541,4],[546,3],[585,5],[591,3],[595,2],[598,3],[602,5],[667,1],[669,2],[672,2],[675,5],[681,3],[685,2],[688,5],[694,2],[697,2],[700,3],[704,3],[768,1],[770,6],[782,3],[786,3],[790,2],[797,5],[803,3],[807,1],[809,5],[819,3],[823,5],[829,2],[832,2],[835,1],[837,5],[858,4],[868,3],[872,3],[876,5],[882,1],[884,2],[887,5],[893,6],[900,3],[904,5],[910,7],[918,4],[923,3],[927,4],[932,4],[937,6],[944,6],[961,4],[966,3],[975,3],[979,6],[991,4],[996,5],[1002,4],[1007,2],[1046,3],[1050,6],[1070,3],[1074,7],[1082,6],[1089,2],[1092,4],[1097,3],[1126,5],[1132,3],[1136,3],[1140,5],[1221,2],[1224,4],[1229,1],[1231,2],[1234,3],[1243,5],[1249,6],[1256,1],[1258,5],[1264,3],[1268,3],[1272,2],[1275,3],[1289,3],[1293,1],[1295,5]]},"2685":{"position":[[322,1],[508,1],[668,1]]},"2687":{"position":[[395,1]]},"2689":{"position":[[0,2],[3,2],[6,3],[10,5],[16,7],[24,4],[34,2],[37,2],[40,2],[43,2],[46,3],[50,2],[53,4],[58,4],[63,5]]},"2691":{"position":[[10,3],[14,2],[28,6],[35,2],[49,5],[55,3],[59,2],[62,3],[66,3],[70,1],[72,5],[78,2],[81,1],[83,3],[87,3],[91,5],[97,3],[101,3],[110,2],[113,4],[118,6]]},"2693":{"position":[[24,3],[28,4],[33,5],[39,5],[45,2],[48,4]]},"2695":{"position":[[0,2],[8,5],[23,4],[28,4],[33,3],[37,3],[41,1],[43,5]]},"2697":{"position":[[18,3],[22,5],[28,5]]},"2699":{"position":[[4,3],[8,3],[17,4],[22,3],[26,3],[34,2],[37,6],[44,5],[50,3],[54,3],[58,3],[78,6],[94,4],[117,3],[121,6],[138,4],[143,3],[147,3],[151,4],[156,4],[180,4],[185,1],[187,1],[189,5],[195,2],[198,3],[218,3],[222,1],[224,5],[230,4],[235,3],[294,3],[298,1],[300,5],[311,3],[315,1],[325,6],[332,4],[337,4],[356,4],[361,1],[363,3],[367,3],[371,3],[375,1],[377,5],[383,6],[390,4],[395,2],[398,2],[401,5],[407,2],[410,2],[413,2],[416,3],[420,4],[432,2],[435,6],[442,6],[454,2],[457,4],[462,3],[466,2],[469,5],[475,5],[481,4],[486,4],[491,2],[494,5],[500,5],[506,2],[509,2],[512,2],[515,4],[520,3],[524,3],[528,1],[530,5],[575,4],[580,3],[584,4],[589,3],[593,3],[597,2],[600,2],[603,1],[605,5],[611,1],[613,2],[616,2],[619,3],[623,2],[626,2],[629,3],[633,6]]},"2701":{"position":[[0,2],[17,4],[22,3],[26,2],[29,3],[33,5],[39,3],[43,3],[47,2],[50,3],[54,6]]},"2703":{"position":[[4,2],[7,2],[10,3],[14,2],[17,3],[21,3],[35,3],[39,4],[44,6]]},"2705":{"position":[[0,5],[6,5],[12,2],[20,3],[24,6],[31,2],[34,3],[38,6],[45,2],[48,3],[52,2],[55,3],[59,5],[65,4],[70,2],[73,3],[77,2],[80,5]]},"2707":{"position":[[5,4],[10,1],[12,3],[16,2],[19,2],[22,3],[26,2],[29,4],[34,3],[38,2],[41,4],[46,6],[53,2],[59,5],[65,2],[68,5],[74,6],[99,4],[104,5],[110,6],[121,2],[124,1],[126,4],[131,3],[135,4],[140,3],[144,6],[159,2],[166,3],[170,4],[175,3],[179,5],[189,4],[194,3],[198,3],[202,3],[206,4],[211,1],[213,3],[217,6]]},"2711":{"position":[[10,6],[17,2],[20,3],[24,2],[27,6],[34,2],[37,3],[41,5],[52,5],[58,3],[62,2],[65,3],[69,3],[73,6],[80,3],[84,2],[87,4],[92,4],[97,3],[101,4],[106,2],[109,6],[116,4],[121,2],[124,4],[129,2],[132,3],[136,4],[141,2],[144,1],[146,3],[150,4],[155,2],[158,4],[163,3],[167,2],[170,3],[174,3],[219,3],[223,6],[235,3],[239,4],[244,2],[247,3],[251,3],[255,4],[260,5],[266,3],[270,4],[275,3],[279,3],[283,2],[297,3],[301,4],[306,5],[312,4],[317,4],[328,2],[331,3],[335,3],[339,9],[349,1],[351,3],[355,4],[377,4],[382,4],[387,2],[390,2],[393,3],[397,3],[410,4],[415,2],[418,3],[422,3],[426,9],[436,1],[438,3],[442,1],[444,5],[450,3],[454,5],[460,2],[507,2],[510,4],[515,4],[520,2],[523,3],[527,4],[532,5],[538,2],[541,3],[545,4],[550,2],[553,4],[558,1],[560,5]]},"2713":{"position":[[0,2],[3,2],[6,3],[10,4],[15,5],[26,3],[30,3],[34,3],[38,4],[43,3],[47,2],[50,5],[56,3],[68,2],[71,5],[77,4],[82,4],[87,2],[90,2],[93,1],[95,1],[97,3],[101,5],[107,3],[111,2],[114,6],[131,3],[135,3],[151,7],[159,4],[164,3],[168,4],[173,3],[177,6],[184,4],[193,7],[201,5],[207,2],[210,6],[217,2],[230,4],[235,4],[240,4],[245,4],[250,5],[256,3],[260,3],[264,1],[266,5],[516,1],[626,2],[629,3],[633,2],[636,3],[640,2],[643,2],[646,2],[649,1],[651,3],[655,3],[673,2],[676,2],[679,2],[698,6],[705,2],[708,2],[711,2],[714,2],[717,2],[720,2],[735,2],[738,2],[786,2],[789,2],[792,2],[795,6],[827,2],[830,2],[833,10],[844,4],[849,3],[873,2],[876,2],[879,5],[914,2],[917,3],[921,4],[926,2],[959,3],[963,2],[966,2],[973,2],[1001,9],[1011,4],[1016,3],[1020,3],[1024,7],[1032,1],[1034,1],[1036,3],[1040,3],[1044,2],[1053,6],[1069,3],[1073,2],[1076,2],[1079,2],[1082,7],[1090,2],[1093,2],[1096,3],[1100,4],[1105,6],[1118,1],[1147,2],[1150,3],[1154,3],[1158,1],[1160,3],[1164,4],[1169,6],[1176,3],[1208,1],[1227,2],[1230,2],[1233,2],[1236,5],[1288,4],[1293,2],[1296,3],[1300,4],[1305,4],[1310,2],[1313,3],[1317,2],[1320,3],[1324,5],[1354,2],[1357,4],[1362,2],[1365,3],[1369,2],[1372,2],[1375,1],[1377,3],[1416,4],[1421,2],[1424,4],[1448,7],[1499,3],[1503,4],[1508,4],[1513,3],[1517,5],[1534,2],[1537,4],[1542,4],[1547,1],[1549,5],[1555,1],[1573,3],[1577,2],[1580,2],[1583,2],[1606,4],[1611,5],[1617,1],[1619,5],[1625,2],[1628,3],[1632,5],[1646,5],[1716,2],[1719,3],[1723,6],[1730,2],[1738,3],[1742,2],[1745,2],[1748,2],[1751,3],[1755,3],[1759,4],[1764,3],[1768,3],[1772,2],[1775,3],[1779,4],[1784,3],[1788,6]]},"2715":{"position":[[26,2],[29,2],[32,2],[46,4],[51,3],[55,7],[73,2],[76,4],[81,1],[83,4],[109,4],[114,2],[117,3],[121,3],[125,3],[129,1],[131,3],[135,6],[158,4],[163,2],[177,3],[181,7],[189,4],[194,3],[198,2],[201,1],[203,3],[212,3],[216,4],[236,3],[240,3],[244,1],[246,3],[250,6],[257,2],[279,2],[292,1],[329,3],[333,7],[341,2],[344,3],[348,4],[353,3],[357,4],[362,3],[366,3],[370,5],[437,3],[441,4],[446,2],[449,4],[454,3],[458,4],[583,1]]},"2717":{"position":[[35,2],[42,5],[48,2],[51,1],[53,6],[65,2],[71,2],[74,2],[81,3],[85,1],[87,5],[93,2],[100,9],[110,3],[114,1],[116,2],[119,3],[123,5],[129,5],[135,4],[140,5],[146,8],[155,3],[159,6],[166,3],[170,3],[174,2],[179,2],[182,2],[185,3],[189,6],[196,4],[201,3],[205,2],[208,3],[212,2],[227,4],[232,5],[238,6],[245,2],[248,2],[256,1],[258,2],[279,3],[283,4],[288,5],[294,3],[298,3],[302,2],[305,3],[309,6]]},"2725":{"position":[[617,1],[634,1],[651,1],[969,2]]},"2729":{"position":[[429,1],[446,1],[463,1],[918,2]]},"2743":{"position":[[1495,1]]},"2745":{"position":[[409,2],[938,1],[955,1],[972,1],[1180,1],[1266,1],[1281,2]]},"2750":{"position":[[299,1],[366,2]]},"2757":{"position":[[1113,1],[1115,1],[1120,4],[1297,2]]},"2763":{"position":[[579,1],[712,1]]},"2777":{"position":[[283,1],[332,1],[380,1],[435,1],[488,1],[653,1],[708,1],[761,1]]},"2779":{"position":[[286,1],[335,1]]},"2791":{"position":[[124,1],[133,1],[149,1]]},"2795":{"position":[[1014,2]]},"2809":{"position":[[268,2]]},"2811":{"position":[[130,1]]},"2813":{"position":[[0,2],[284,1],[466,1]]},"2821":{"position":[[788,1],[890,1],[994,1],[1050,1],[1133,1],[1228,1],[1387,1],[1503,1],[1623,1],[1719,1],[1782,1]]},"2825":{"position":[[489,1],[522,1],[546,1],[571,1],[606,1]]},"2827":{"position":[[291,1],[466,1],[560,1],[618,1],[706,1]]},"2829":{"position":[[275,1]]},"2845":{"position":[[611,1],[694,1],[780,1]]},"2856":{"position":[[0,3],[4,3],[8,5],[14,7],[22,2],[25,5],[31,2],[34,4],[39,2],[42,1],[44,2],[47,3],[51,2],[54,5],[60,2],[63,8]]},"2858":{"position":[[9,4],[14,2],[17,3],[21,3],[30,4],[35,1],[37,3],[41,4],[46,3],[50,3],[54,4],[64,2],[67,5],[73,2],[76,4],[81,5]]},"2860":{"position":[[0,3],[4,2],[16,4],[31,4],[36,2],[39,3],[43,3],[47,1],[49,5],[55,3],[59,5],[65,2],[68,5],[93,4],[98,2],[101,5],[107,2],[122,4],[132,3],[136,1],[138,2],[141,3],[145,3],[149,5],[155,2],[158,3],[162,2],[168,3],[172,6]]},"2862":{"position":[[0,4],[5,3],[14,4],[19,2],[22,2],[25,3],[29,1],[31,2],[34,3],[38,3],[42,5]]},"2864":{"position":[[0,6],[7,2],[10,2],[46,2],[76,7],[89,2],[92,3],[96,3],[100,4],[105,4],[110,3],[114,1],[116,5],[127,3],[131,3],[156,3],[160,2],[163,4],[168,2],[171,1],[173,2],[176,2],[179,3],[183,5],[189,2],[192,4],[216,2],[219,6],[244,4],[249,5],[255,6],[262,2],[265,2],[272,2],[275,6],[351,4],[356,2],[364,6],[371,7],[379,5],[385,3],[389,3],[393,3],[397,1],[399,2],[402,3],[406,6],[990,3],[994,2],[997,4],[1002,6],[1009,1],[1011,2],[1014,7],[1022,3],[1026,2],[1029,5],[1035,2],[1038,3],[1095,2],[1098,2],[1101,3],[1105,3],[1109,1],[1111,4],[1134,6],[1141,4],[1146,2],[1149,4],[1154,6],[1528,2],[1547,2],[1613,5],[1619,6],[1626,6],[1633,2],[1636,6],[1643,4],[1648,2],[1678,4],[1683,7],[1691,2],[1694,2],[1697,3],[1701,2],[1704,3],[1708,3],[1712,3],[1716,6],[1723,6],[1800,1],[1969,1],[2280,6],[2287,3],[2291,2],[2294,6],[2301,4],[2306,2],[2313,4],[2318,6],[2325,4],[2330,3],[2373,4],[2378,3],[2382,2],[2385,3],[2389,3],[2393,2],[2396,4],[2421,1],[2423,2],[2431,4],[2436,2],[2439,1],[2441,5],[2447,3],[2451,4],[2456,4],[2466,4],[2471,8],[2480,3],[2484,3],[2488,2],[2491,2],[2494,3],[2498,4],[2503,5],[2509,4],[2514,1],[2516,4],[2521,4],[2526,4],[2531,4],[2536,3],[2540,2],[2543,4],[2548,3],[2552,3],[2556,2],[2559,3],[2563,1],[2565,5],[2571,1],[2612,1],[2681,1],[2695,1],[2721,1],[3067,2]]},"2872":{"position":[[273,1],[532,1],[544,1],[635,2],[638,2],[718,1]]},"2882":{"position":[[269,2],[666,1],[688,1],[722,1],[744,1]]},"2890":{"position":[[276,2]]},"2896":{"position":[[587,2]]},"2902":{"position":[[293,1]]},"2904":{"position":[[0,1],[2,4],[7,2],[10,4],[15,5],[21,3],[25,4],[30,1],[32,3],[36,4],[41,2],[44,5],[55,4],[60,3],[64,2],[67,3],[71,6],[82,2],[85,4],[90,4],[95,3],[99,2],[102,3],[106,3],[110,4],[115,3],[119,6],[126,2],[141,2],[144,7],[152,2],[155,5],[161,4],[166,2],[169,2],[172,3],[176,4],[181,3],[185,5],[191,2],[194,5]]},"2906":{"position":[[13,2],[23,2],[26,4],[31,4],[36,4],[41,3],[45,4],[50,2],[53,5],[59,6],[66,1],[68,5],[93,2],[96,3],[100,1],[102,5],[108,1],[110,4],[120,6],[127,4],[132,3],[136,6],[172,1],[179,1],[181,3],[185,3],[189,2],[192,3],[196,6],[203,5],[209,2],[212,2],[215,3],[219,2],[222,4],[227,6],[238,4],[243,6],[287,1],[307,3],[311,2],[314,5],[320,6],[365,3],[369,5],[380,3],[393,4],[398,2],[401,4],[406,4],[411,2],[414,2],[417,2],[420,3],[424,4],[429,3],[433,5],[439,1],[441,3],[445,2],[448,7],[456,3],[460,4],[473,1],[475,4],[480,3],[484,2],[487,3],[491,4],[496,2],[499,3],[503,2],[517,8],[526,2],[529,2],[532,4],[537,3],[541,3],[545,3],[549,4],[554,5],[560,2],[563,2],[566,2],[569,4],[574,4],[579,2],[582,4],[587,2],[590,5],[596,4],[601,3],[605,3],[609,4],[614,5],[620,6],[635,1],[647,2],[650,3],[654,4],[659,2],[662,5],[668,6],[675,3],[679,4],[684,2],[687,3],[691,4],[696,6],[732,1],[799,5],[805,4],[810,5],[821,3],[825,2],[828,5],[834,6],[845,5],[851,3],[861,2],[864,2],[867,2],[874,3],[878,6],[896,3],[900,2],[903,2],[906,3],[950,6],[957,2],[960,1],[962,3],[966,3],[970,3],[974,3],[978,3],[982,4],[987,3],[991,2],[994,5],[1000,2],[1003,3],[1021,2],[1024,3],[1028,4],[1033,1],[1035,3],[1039,2],[1042,3],[1046,2],[1049,5],[1055,2],[1058,2],[1061,6]]},"2908":{"position":[[250,1],[1795,2],[2471,1]]},"2914":{"position":[[86,1]]},"2922":{"position":[[399,1],[434,1]]},"2924":{"position":[[364,1],[399,1]]},"2948":{"position":[[476,1],[506,1],[859,1],[889,1],[1454,1],[1472,1],[1506,1],[1524,1]]},"2952":{"position":[[455,1],[514,1]]},"2958":{"position":[[0,1],[2,5],[12,5],[18,4],[23,4],[28,3],[32,2],[35,6],[42,1],[44,4],[49,4],[54,5],[60,1],[62,4],[72,4],[83,4],[88,3],[92,6],[99,2],[102,3],[110,5],[116,4],[128,6],[135,2],[138,3],[146,4],[151,2],[154,2],[157,3]]},"2960":{"position":[[300,1],[417,1],[574,1],[668,1],[670,1],[685,1],[697,2],[713,1],[715,1],[727,1],[737,1],[739,1],[794,1],[796,1],[798,1],[800,2],[803,1],[817,2],[820,1],[822,1],[824,1],[826,1],[828,1]]},"2964":{"position":[[0,1],[2,4],[7,4],[12,5]]},"2966":{"position":[[0,1],[2,4],[7,4],[12,5]]},"2968":{"position":[[0,1],[2,4],[7,4],[12,5]]},"2970":{"position":[[0,4],[5,4],[10,2],[13,7],[21,3],[25,2],[28,5],[34,5],[40,4],[45,4],[50,5],[56,5],[62,4],[67,7],[75,4],[80,2],[83,3],[87,6],[94,4],[99,3],[103,1],[105,5],[111,1],[113,4],[118,3],[122,4],[127,7],[135,3],[139,3],[143,6],[150,6],[157,4],[162,3],[166,1],[168,5],[174,5],[207,5],[213,5],[219,4],[224,5],[230,5],[236,2],[274,5],[280,2],[283,6],[299,2],[302,3],[306,2],[309,3],[313,3],[317,4],[322,2],[325,5],[331,3],[335,6],[342,1],[344,4],[349,2],[352,4],[357,3],[361,2],[392,4],[397,5],[403,5],[409,4],[414,3],[418,6]]},"2972":{"position":[[5,1],[7,2],[10,3],[14,2],[17,5],[23,2],[42,2],[45,4],[50,5],[56,6],[63,2],[66,1],[68,2],[71,4],[76,3],[80,4],[85,2],[92,2],[95,4],[100,3],[104,1],[106,2],[109,2],[112,4],[117,2],[120,5],[126,2],[129,1],[131,4],[136,2],[139,3],[143,3],[147,2],[150,5],[156,3],[160,5],[166,4],[171,2],[185,4],[190,5],[196,3],[200,3],[204,2],[207,3],[211,3],[215,1],[217,1],[219,5],[225,2],[228,2],[231,5],[243,8],[325,2],[328,3],[332,1],[334,2],[337,2],[340,1],[342,3],[346,1],[348,2],[351,3],[355,5],[361,5],[367,4],[372,4],[388,1],[390,4],[395,5],[416,5],[422,2],[425,4],[430,1],[432,2],[435,2],[438,5],[448,5],[454,5],[460,8],[469,5],[475,1],[477,7],[485,2],[488,3],[492,3],[496,3],[500,6]]},"2974":{"position":[[5,3],[9,2],[12,2],[15,6],[22,2],[25,5],[31,2],[34,2],[37,1],[39,3],[43,2],[46,5],[52,4],[57,2],[60,2],[94,2],[97,3],[101,1],[103,5],[109,5],[115,3],[119,3],[123,7],[131,3],[135,3],[139,2],[142,2],[145,3],[149,6],[156,3],[160,2],[163,2],[166,5],[172,2],[175,4],[180,2],[183,3],[187,3],[191,6]]},"2978":{"position":[[315,6],[379,1],[386,6],[393,6],[431,3],[435,2],[446,4]]},"2980":{"position":[[25,4],[30,5],[41,6],[48,4],[53,3],[57,2],[60,4],[65,4],[80,6],[87,3],[91,3],[95,6],[102,3],[106,3],[110,2],[113,3],[117,5],[123,5],[144,4],[159,6],[273,6],[297,6],[310,4],[320,3],[324,6]]},"2984":{"position":[[315,1],[322,6],[329,6],[367,3],[371,2],[382,4]]},"2987":{"position":[[0,2],[3,8],[12,5],[18,4],[23,7],[31,1],[33,2],[36,3],[40,6],[47,2],[61,2],[64,2],[67,3],[71,3],[103,2],[106,6],[113,3],[117,3],[121,2],[124,5],[130,2],[133,6],[149,3],[153,5],[192,4],[197,5],[203,4],[208,2],[211,6],[218,4],[223,3],[227,6]]},"2989":{"position":[[18,6],[25,2],[28,3],[36,2],[44,5],[62,5],[72,2],[80,5],[90,2],[93,2],[108,6],[115,2],[143,8],[160,3],[164,5],[170,6],[177,3],[181,6],[192,5],[198,4],[203,2],[210,7],[218,2],[224,4],[234,2],[237,3],[241,6],[248,4],[253,3],[269,4],[274,4],[279,2],[282,3],[286,3],[290,4],[295,3],[299,1],[301,2],[304,5],[314,3],[318,3],[322,1],[324,2],[327,4],[332,4],[337,3],[341,1],[343,5],[349,1],[351,3],[355,3],[359,4],[364,4],[369,4],[380,2],[387,7],[395,3],[399,1],[401,3],[405,5],[411,4],[416,6],[423,3],[427,2],[430,3],[434,2],[480,3],[484,3],[488,3],[534,4],[539,3],[543,2],[546,5],[552,2],[555,3],[559,4],[564,2],[567,2],[570,2],[573,1],[575,5],[619,3],[631,3],[635,2],[645,3],[649,4],[668,1],[670,2],[673,4],[678,5],[684,3],[697,3],[701,2],[709,6],[716,4],[721,4],[726,2],[729,6],[736,6],[743,4],[748,4],[753,3],[757,4],[762,6]]},"2992":{"position":[[690,2],[1705,1]]},"2996":{"position":[[406,1],[756,1],[2297,3],[2307,3]]},"3000":{"position":[[115,2]]},"3002":{"position":[[851,1]]},"3004":{"position":[[140,1],[357,1],[500,1]]},"3010":{"position":[[5,6],[12,3],[16,4],[21,3],[25,2],[28,3],[32,3],[36,2],[39,7],[47,2],[50,5],[56,5],[62,2],[65,4],[70,6],[86,4],[91,2],[94,2],[97,4],[102,4],[131,2],[134,3],[138,3],[146,1],[148,3],[152,4],[157,3],[161,3],[165,3],[169,2],[172,3],[176,2],[179,4],[184,5],[190,5],[196,3],[200,4],[205,3],[209,2],[212,5],[218,3],[243,2],[246,3],[250,2],[253,3],[345,2],[348,5],[354,3],[358,3],[362,2],[365,3],[369,3],[373,2],[376,4],[381,1],[383,5],[389,4],[394,2],[397,2],[405,3],[409,3],[413,2],[416,3],[420,4],[425,3],[429,5],[435,3],[439,2],[442,3],[446,6],[453,3],[464,4],[469,3],[478,3],[482,2],[485,2],[488,4],[493,4],[498,6],[546,6],[564,4],[569,6],[576,4],[581,4],[586,2],[589,4],[594,4],[599,2],[602,2],[605,5],[611,3],[636,2]]},"3012":{"position":[[0,3],[4,3],[8,4],[13,4],[18,2],[21,3],[37,5],[43,6],[67,4],[77,6],[84,3],[88,6],[95,2],[98,4],[108,3],[116,3],[120,1],[122,5],[133,1],[135,3],[139,3],[143,4],[148,3],[152,5]]},"3022":{"position":[[779,2],[798,2],[1467,1],[1513,1],[1553,1],[1721,1],[1750,1],[1779,1],[1829,1],[3271,3],[3335,3],[3553,3],[3709,3],[5925,2],[6124,2],[6323,2]]},"3024":{"position":[[438,2],[1476,2],[1717,2],[1945,2],[2159,2],[2400,2],[2609,2],[2639,2]]},"3026":{"position":[[1193,1],[1202,1],[1204,1],[1285,1],[1287,1],[1367,1]]},"3030":{"position":[[256,1],[466,1],[536,1],[610,1],[683,1],[755,1],[820,1],[1091,1],[1554,1],[1663,1],[1890,1],[1981,1],[2338,1],[2620,1],[2689,1],[2792,1],[2839,1],[2907,1],[3013,1],[3086,1],[3159,1],[3250,1],[4064,1],[4091,1],[4279,1],[4358,1]]},"3089":{"position":[[139,1],[308,1],[413,1],[471,1],[486,1],[515,2],[559,1],[602,1],[617,1],[633,3],[775,1],[807,1],[818,1],[831,4],[931,1],[1060,1],[1258,1],[1385,1],[1588,1],[1716,1],[1806,1],[1917,1],[1957,1],[1995,1]]},"3091":{"position":[[149,1]]},"3105":{"position":[[216,1]]},"3112":{"position":[[238,1],[270,1],[281,1]]},"3114":{"position":[[301,1],[319,1],[351,1],[425,1],[636,1],[918,1],[1200,1],[1482,1],[1764,1],[2046,1],[2328,1]]},"3116":{"position":[[230,1],[248,1],[280,1],[323,1],[406,1],[617,1],[899,1],[1181,1],[1463,1],[1745,1],[2027,1],[2309,1]]},"3120":{"position":[[468,1],[500,1],[511,1],[567,1],[613,1]]},"3122":{"position":[[451,1],[483,1],[494,1],[550,1]]},"3124":{"position":[[325,1],[357,1],[368,1],[413,1]]},"3126":{"position":[[291,1],[323,1],[334,1],[379,1]]},"3128":{"position":[[304,1],[336,1],[347,1],[392,1]]},"3130":{"position":[[395,1],[427,1],[438,1],[489,1]]},"3132":{"position":[[302,1],[334,1],[345,1],[396,1],[456,1]]},"3134":{"position":[[290,1],[308,1],[340,1],[419,1],[630,1],[912,1],[1194,1],[1476,1],[1758,1],[2040,1],[2322,1]]},"3136":{"position":[[368,1],[400,1],[411,1],[462,1],[520,1]]},"3138":{"position":[[390,1],[422,1],[433,1],[465,1],[509,1]]},"3140":{"position":[[286,1],[318,1],[329,1],[361,1],[405,1]]},"3142":{"position":[[421,1],[453,1],[464,1],[515,1]]},"3144":{"position":[[282,1],[314,1],[325,1],[363,1],[400,1]]},"3146":{"position":[[233,1],[265,1],[276,1],[312,1]]},"3156":{"position":[[363,1],[395,1],[406,1],[438,1],[483,1]]},"3160":{"position":[[438,1],[543,1],[601,1],[616,1],[645,2],[689,1],[732,1],[747,1],[763,3],[905,1],[937,1],[948,1],[961,4],[1061,1],[1190,1],[1388,1],[1515,1],[1718,1],[1846,1],[1936,1],[2047,1],[2087,1],[2125,1],[2220,1],[2253,1]]},"3162":{"position":[[430,1],[466,1],[494,1],[527,1]]},"3164":{"position":[[365,1],[397,1],[408,1],[449,1]]},"3166":{"position":[[377,1],[409,1],[420,1],[458,1]]},"3168":{"position":[[419,1],[451,1],[462,1]]},"3172":{"position":[[971,1],[1003,1],[1014,1]]},"3175":{"position":[[320,1],[361,1],[372,1]]},"3177":{"position":[[250,1],[291,1],[302,1],[338,1]]},"3179":{"position":[[270,1],[311,1],[322,1],[380,1]]},"3181":{"position":[[366,1],[407,1],[418,1],[477,1]]},"3183":{"position":[[302,1],[343,1],[354,1],[393,1]]},"3187":{"position":[[239,1],[257,1],[289,1],[320,1],[391,1],[602,1],[884,1],[1166,1],[1448,1],[1730,1],[2012,1],[2294,1]]},"3190":{"position":[[237,1],[269,1],[297,1]]},"3192":{"position":[[247,1],[279,1],[290,1],[329,1],[373,1]]},"3195":{"position":[[332,1],[437,1],[495,1],[510,1],[539,2],[583,1],[626,1],[641,1],[657,3],[799,1],[831,1],[842,1],[855,4],[955,1],[1084,1],[1282,1],[1409,1],[1612,1],[1740,1],[1830,1],[1941,1],[1981,1],[2019,1]]},"3197":{"position":[[221,1],[326,1],[384,1],[399,1],[428,2],[472,1],[515,1],[530,1],[546,3],[688,1],[720,1],[731,1],[744,4],[844,1],[973,1],[1171,1],[1298,1],[1501,1],[1629,1],[1719,1],[1830,1],[1870,1],[1908,1],[2000,1]]},"3199":{"position":[[246,1],[351,1],[409,1],[424,1],[453,2],[497,1],[540,1],[555,1],[571,3],[713,1],[745,1],[756,1],[769,4],[869,1],[998,1],[1196,1],[1323,1],[1526,1],[1654,1],[1744,1],[1855,1],[1895,1],[1933,1]]},"3201":{"position":[[398,1],[503,1],[561,1],[576,1],[605,2],[649,1],[692,1],[707,1],[723,3],[865,1],[897,1],[908,1],[921,4],[1021,1],[1150,1],[1348,1],[1475,1],[1678,1],[1806,1],[1896,1],[2007,1],[2047,1],[2085,1]]},"3203":{"position":[[224,1],[329,1],[387,1],[402,1],[431,2],[475,1],[518,1],[533,1],[549,3],[691,1],[723,1],[734,1],[747,4],[847,1],[976,1],[1174,1],[1301,1],[1504,1],[1632,1],[1722,1],[1833,1],[1873,1],[1911,1],[2003,1]]},"3205":{"position":[[256,1],[361,1],[419,1],[434,1],[463,2],[507,1],[550,1],[565,1],[581,3],[723,1],[755,1],[766,1],[779,4],[879,1],[1008,1],[1206,1],[1333,1],[1536,1],[1664,1],[1754,1],[1865,1],[1905,1],[1943,1],[2035,1],[2071,1]]},"3207":{"position":[[355,1],[460,1],[518,1],[533,1],[562,2],[606,1],[649,1],[664,1],[680,3],[822,1],[854,1],[865,1],[878,4],[978,1],[1107,1],[1305,1],[1432,1],[1635,1],[1763,1],[1853,1],[1964,1],[2004,1],[2042,1]]},"3213":{"position":[[117,1],[149,1],[160,1]]},"3239":{"position":[[537,1],[569,1],[628,1],[660,1],[671,1],[695,1],[721,1],[768,1]]},"3241":{"position":[[523,1],[555,1],[614,1],[646,1],[657,1],[685,1],[711,1],[764,1]]},"3243":{"position":[[579,1],[611,1],[670,1],[702,1],[713,1],[737,1],[763,1],[858,1]]},"3245":{"position":[[487,1],[512,1],[523,1],[564,1],[602,1]]},"3247":{"position":[[544,1],[569,1],[580,1]]},"3257":{"position":[[705,1],[730,1],[758,1],[791,1]]},"3266":{"position":[[312,1]]}}}],["0",{"_index":73,"t":{"2498":{"position":[[34,1]]},"2518":{"position":[[452,2]]},"2520":{"position":[[2147,1],[2168,1]]},"2562":{"position":[[643,1],[705,1],[818,1],[868,1],[923,1]]},"2622":{"position":[[916,1]]},"2641":{"position":[[1374,4]]},"2648":{"position":[[882,2],[906,2]]},"2655":{"position":[[65,1]]},"2675":{"position":[[463,2],[1108,2],[4773,2]]},"2763":{"position":[[838,1],[900,1],[954,1]]},"3022":{"position":[[3438,1],[3912,1]]},"3089":{"position":[[631,1]]},"3114":{"position":[[628,1],[910,1],[1192,1],[1474,1],[1756,1],[2038,1],[2320,1]]},"3116":{"position":[[609,1],[891,1],[1173,1],[1455,1],[1737,1],[2019,1],[2301,1]]},"3134":{"position":[[622,1],[904,1],[1186,1],[1468,1],[1750,1],[2032,1],[2314,1]]},"3144":{"position":[[395,1]]},"3160":{"position":[[761,1]]},"3187":{"position":[[594,1],[876,1],[1158,1],[1440,1],[1722,1],[2004,1],[2286,1]]},"3195":{"position":[[655,1]]},"3197":{"position":[[544,1]]},"3199":{"position":[[569,1]]},"3201":{"position":[[721,1]]},"3203":{"position":[[547,1]]},"3205":{"position":[[579,1]]},"3207":{"position":[[678,1]]},"3239":{"position":[[582,2]]},"3241":{"position":[[568,2]]},"3243":{"position":[[624,2]]},"3245":{"position":[[95,2],[595,3]]},"3247":{"position":[[132,2]]},"3295":{"position":[[165,2]]}}}],["0.0.0.0",{"_index":1160,"t":{"2657":{"position":[[46,7]]},"2675":{"position":[[752,8]]}}}],["0.2",{"_index":857,"t":{"2597":{"position":[[445,3]]}}}],["0/1",{"_index":612,"t":{"2562":{"position":[[750,3]]}}}],["000",{"_index":2782,"t":{"3230":{"position":[[337,5]]}}}],["00:00",{"_index":231,"t":{"2520":{"position":[[227,5]]}}}],["00:00:00",{"_index":2660,"t":{"3114":{"position":[[638,8],[920,8],[1202,8],[1484,8],[1766,8],[2048,8],[2330,8]]},"3116":{"position":[[619,8],[901,8],[1183,8],[1465,8],[1747,8],[2029,8],[2311,8]]},"3134":{"position":[[632,8],[914,8],[1196,8],[1478,8],[1760,8],[2042,8],[2324,8]]},"3187":{"position":[[604,8],[886,8],[1168,8],[1450,8],[1732,8],[2014,8],[2296,8]]}}}],["00:01:28",{"_index":2654,"t":{"3114":{"position":[[427,8]]},"3116":{"position":[[408,8]]},"3134":{"position":[[421,8]]},"3187":{"position":[[393,8]]}}}],["02",{"_index":455,"t":{"2537":{"position":[[1499,2]]},"2593":{"position":[[320,2]]},"2640":{"position":[[135,2]]},"2791":{"position":[[1859,2]]}}}],["04cd40ea6b6078797f177c902c89412c70e523ad2a687a62829bf1d16ff0e19c",{"_index":2673,"t":{"3114":{"position":[[1916,64]]},"3116":{"position":[[1897,64]]},"3134":{"position":[[1910,64]]},"3187":{"position":[[1882,64]]}}}],["0644",{"_index":1741,"t":{"2825":{"position":[[332,6],[515,6]]}}}],["073f",{"_index":631,"t":{"2562":{"position":[[1155,4],[1318,4],[1659,4]]}}}],["09",{"_index":2690,"t":{"3120":{"position":[[734,2]]},"3122":{"position":[[682,2]]},"3124":{"position":[[551,2]]},"3126":{"position":[[500,2]]},"3128":{"position":[[513,2]]},"3130":{"position":[[626,2]]},"3132":{"position":[[587,2]]},"3136":{"position":[[660,2]]},"3138":{"position":[[641,2]]},"3140":{"position":[[537,2]]},"3142":{"position":[[653,2]]},"3144":{"position":[[518,2]]},"3146":{"position":[[433,2]]},"3156":{"position":[[608,2]]},"3162":{"position":[[650,2],[2826,2]]},"3164":{"position":[[566,2]]},"3166":{"position":[[572,2]]},"3177":{"position":[[459,2]]},"3179":{"position":[[527,2]]},"3181":{"position":[[612,2]]},"3183":{"position":[[508,2]]},"3190":{"position":[[418,2]]},"3192":{"position":[[492,2]]},"3239":{"position":[[917,2]]},"3241":{"position":[[931,2]]},"3243":{"position":[[1046,2]]},"3245":{"position":[[723,2],[1946,2]]},"3257":{"position":[[914,2],[2137,2]]}}}],["0b836757eae8",{"_index":2805,"t":{"3245":{"position":[[1516,12]]},"3257":{"position":[[1707,12]]}}}],["1",{"_index":132,"t":{"2504":{"position":[[593,1]]},"2518":{"position":[[1849,1]]},"2520":{"position":[[3358,1]]},"2530":{"position":[[616,1],[1295,1]]},"2562":{"position":[[764,1]]},"2568":{"position":[[990,1]]},"2595":{"position":[[354,1],[380,1]]},"2620":{"position":[[304,2],[448,2],[543,2]]},"2622":{"position":[[485,1],[699,1],[861,1],[1032,2],[1082,2],[1224,1],[1300,2],[1575,1],[1640,1],[1754,1],[2274,1],[2508,2],[2737,2],[3075,1],[3190,1]]},"2624":{"position":[[326,1],[560,2],[789,2],[1127,1],[1242,1]]},"2648":{"position":[[1601,3]]},"2675":{"position":[[5548,3],[8955,1]]},"2793":{"position":[[139,1],[165,1]]},"2807":{"position":[[256,1]]},"2813":{"position":[[527,1]]},"2902":{"position":[[647,2]]},"2996":{"position":[[537,1],[885,1]]},"3022":{"position":[[1922,1],[1977,1],[3007,1],[3062,1]]},"3042":{"position":[[401,1]]},"3044":{"position":[[387,1]]},"3089":{"position":[[647,2],[1672,2]]},"3114":{"position":[[626,1],[908,1],[1190,1],[1472,1],[1754,1],[2036,1],[2318,1]]},"3116":{"position":[[607,1],[889,1],[1171,1],[1453,1],[1735,1],[2017,1],[2299,1]]},"3134":{"position":[[620,1],[902,1],[1184,1],[1466,1],[1748,1],[2030,1],[2312,1]]},"3160":{"position":[[777,2],[1802,2]]},"3187":{"position":[[592,1],[874,1],[1156,1],[1438,1],[1720,1],[2002,1],[2284,1]]},"3195":{"position":[[671,2],[1696,2]]},"3197":{"position":[[560,2],[1585,2]]},"3199":{"position":[[585,2],[1610,2]]},"3201":{"position":[[737,2],[1762,2]]},"3203":{"position":[[563,2],[1588,2]]},"3205":{"position":[[595,2],[1620,2]]},"3207":{"position":[[694,2],[1719,2]]}}}],["1.1",{"_index":2326,"t":{"3014":{"position":[[1048,5]]}}}],["1.1.11",{"_index":2609,"t":{"3089":{"position":[[653,9],[1678,9],[2066,6]]},"3160":{"position":[[783,9],[1808,9]]},"3195":{"position":[[677,9],[1702,9]]},"3197":{"position":[[566,9],[1591,9]]},"3199":{"position":[[591,9],[1616,9]]},"3201":{"position":[[743,9],[1768,9]]},"3203":{"position":[[569,9],[1594,9]]},"3205":{"position":[[601,9],[1626,9]]},"3207":{"position":[[700,9],[1725,9]]}}}],["1.19.2",{"_index":2081,"t":{"2914":{"position":[[31,6]]}}}],["1.2.1",{"_index":2436,"t":{"3030":{"position":[[258,5]]}}}],["1.2.17",{"_index":2443,"t":{"3030":{"position":[[538,6]]}}}],["1.2.19",{"_index":2451,"t":{"3030":{"position":[[822,6]]}}}],["1.2.20",{"_index":2467,"t":{"3030":{"position":[[1556,6]]}}}],["1.2.21",{"_index":2458,"t":{"3030":{"position":[[1093,6]]}}}],["1.2.22",{"_index":2413,"t":{"3026":{"position":[[17,6]]},"3030":{"position":[[4413,6]]},"3056":{"position":[[208,6]]}}}],["1.2.25",{"_index":2414,"t":{"3026":{"position":[[27,6]]},"3030":{"position":[[4423,6]]},"3056":{"position":[[217,6]]}}}],["1.2.28",{"_index":2470,"t":{"3030":{"position":[[1665,6]]}}}],["1.2.29",{"_index":2447,"t":{"3030":{"position":[[685,6],[757,6]]},"3089":{"position":[[720,9],[1701,9]]},"3160":{"position":[[850,9],[1831,9],[2196,6]]},"3195":{"position":[[744,9],[1725,9]]},"3197":{"position":[[633,9],[1614,9]]},"3199":{"position":[[658,9],[1639,9]]},"3201":{"position":[[810,9],[1791,9]]},"3203":{"position":[[636,9],[1617,9]]},"3205":{"position":[[668,9],[1649,9]]},"3207":{"position":[[767,9],[1748,9]]}}}],["1.2.30",{"_index":2474,"t":{"3030":{"position":[[1892,6],[1983,6]]}}}],["1.2.31",{"_index":2442,"t":{"3030":{"position":[[468,6]]}}}],["1.2.32",{"_index":2445,"t":{"3030":{"position":[[612,6]]}}}],["1.20",{"_index":1950,"t":{"2880":{"position":[[1174,4]]},"2989":{"position":[[39,4]]},"3024":{"position":[[1087,4]]}}}],["1.21",{"_index":1952,"t":{"2880":{"position":[[1224,4]]},"2989":{"position":[[75,4]]}}}],["1.24",{"_index":592,"t":{"2562":{"position":[[57,7],[143,4]]}}}],["1.27",{"_index":2197,"t":{"2952":{"position":[[134,5],[351,4]]}}}],["1.3.2",{"_index":2482,"t":{"3030":{"position":[[2622,5]]}}}],["1.3.3",{"_index":2485,"t":{"3030":{"position":[[2841,5]]}}}],["1.3.4",{"_index":2484,"t":{"3030":{"position":[[2794,5]]}}}],["1.3.5",{"_index":2483,"t":{"3030":{"position":[[2691,5]]}}}],["1.3.7",{"_index":2478,"t":{"3030":{"position":[[2340,5]]}}}],["1.4",{"_index":1438,"t":{"2743":{"position":[[1474,3],[1586,3]]}}}],["1.4.1",{"_index":2489,"t":{"3030":{"position":[[3015,5]]}}}],["1.4.2",{"_index":2486,"t":{"3030":{"position":[[2909,5]]}}}],["1.50",{"_index":2070,"t":{"2910":{"position":[[540,4],[621,4],[680,4]]},"2922":{"position":[[291,4]]},"2924":{"position":[[263,4]]},"2926":{"position":[[151,4]]}}}],["1.6",{"_index":2431,"t":{"3030":{"position":[[141,3]]}}}],["1.6.1",{"_index":1807,"t":{"2860":{"position":[[74,8]]}}}],["1.8.0",{"_index":1808,"t":{"2860":{"position":[[110,5]]}}}],["1.8.4",{"_index":1809,"t":{"2860":{"position":[[116,5]]}}}],["1.el7_8.noarch.rpm",{"_index":858,"t":{"2597":{"position":[[449,18]]}}}],["1.el8.noarch.rpm",{"_index":1439,"t":{"2743":{"position":[[1478,16],[1590,16]]}}}],["1/1",{"_index":605,"t":{"2562":{"position":[[631,3],[693,3],[806,3],[911,3]]},"2763":{"position":[[826,3],[888,3],[942,3]]}}}],["10",{"_index":335,"t":{"2520":{"position":[[4973,2]]},"2537":{"position":[[330,2]]},"2554":{"position":[[64,3]]},"2622":{"position":[[668,3]]},"2801":{"position":[[147,2]]},"2807":{"position":[[253,2]]},"2910":{"position":[[288,3],[392,3],[689,3]]},"2918":{"position":[[136,2]]},"2922":{"position":[[175,3],[392,2],[401,2]]},"2924":{"position":[[175,3],[357,2],[366,2]]},"2926":{"position":[[123,3]]},"3012":{"position":[[72,4]]},"3042":{"position":[[57,2],[370,3]]},"3044":{"position":[[356,3]]},"3152":{"position":[[198,2]]}}}],["10.0.0.0/8",{"_index":1332,"t":{"2715":{"position":[[665,10]]}}}],["10.10.10.100",{"_index":958,"t":{"2620":{"position":[[247,12]]}}}],["10.10.10.100/24",{"_index":1000,"t":{"2622":{"position":[[1138,15]]}}}],["10.10.10.101",{"_index":964,"t":{"2620":{"position":[[546,12]]}}}],["10.10.10.102",{"_index":965,"t":{"2620":{"position":[[568,12]]}}}],["10.10.10.103",{"_index":966,"t":{"2620":{"position":[[590,12]]}}}],["10.10.10.50",{"_index":959,"t":{"2620":{"position":[[307,11]]}}}],["10.10.10.50:6443",{"_index":984,"t":{"2622":{"position":[[701,16],[2354,17]]},"2624":{"position":[[406,17]]}}}],["10.10.10.51",{"_index":960,"t":{"2620":{"position":[[329,11]]}}}],["10.10.10.51:6443",{"_index":985,"t":{"2622":{"position":[[740,16],[2379,17]]},"2624":{"position":[[431,17]]}}}],["10.10.10.52",{"_index":961,"t":{"2620":{"position":[[351,11]]}}}],["10.10.10.52:6443",{"_index":986,"t":{"2622":{"position":[[779,16],[2404,17]]},"2624":{"position":[[456,17]]}}}],["10.10.10.98",{"_index":962,"t":{"2620":{"position":[[451,11]]}}}],["10.10.10.99",{"_index":963,"t":{"2620":{"position":[[469,11]]}}}],["10.41.0.0/16",{"_index":777,"t":{"2578":{"position":[[299,12]]}}}],["10.42.0.0/16",{"_index":823,"t":{"2591":{"position":[[135,12]]},"2663":{"position":[[46,14]]},"2675":{"position":[[1450,13]]},"2791":{"position":[[1186,12]]},"2872":{"position":[[422,14],[546,15]]}}}],["10.43.0.0/16",{"_index":824,"t":{"2591":{"position":[[176,12]]},"2663":{"position":[[125,14]]},"2675":{"position":[[1555,13]]},"2791":{"position":[[1227,12]]}}}],["10.43.0.10",{"_index":1172,"t":{"2663":{"position":[[313,12]]},"2675":{"position":[[1816,11]]}}}],["10.6.8",{"_index":1209,"t":{"2677":{"position":[[958,7]]}}}],["10.7",{"_index":1210,"t":{"2677":{"position":[[989,6]]}}}],["100",{"_index":872,"t":{"2602":{"position":[[475,4]]},"2622":{"position":[[1085,3]]},"2801":{"position":[[170,3]]},"2807":{"position":[[276,3]]},"3042":{"position":[[320,3]]},"3044":{"position":[[55,3],[306,3]]},"3154":{"position":[[249,3]]}}}],["1000",{"_index":1432,"t":{"2743":{"position":[[993,4]]}}}],["10000",{"_index":745,"t":{"2574":{"position":[[196,5]]}}}],["10080",{"_index":747,"t":{"2574":{"position":[[266,6]]}}}],["1024",{"_index":744,"t":{"2574":{"position":[[179,4]]}}}],["10250",{"_index":1658,"t":{"2795":{"position":[[660,6]]},"2797":{"position":[[245,5]]}}}],["10t22:54:38z",{"_index":392,"t":{"2530":{"position":[[699,12]]}}}],["11.5",{"_index":1211,"t":{"2677":{"position":[[996,5]]}}}],["111695",{"_index":2198,"t":{"2952":{"position":[[157,7]]}}}],["112",{"_index":2207,"t":{"2952":{"position":[[1309,4]]}}}],["1123",{"_index":1495,"t":{"2757":{"position":[[1046,4]]}}}],["12",{"_index":271,"t":{"2520":{"position":[[2170,4]]},"2530":{"position":[[696,2]]},"2587":{"position":[[346,2]]},"2648":{"position":[[909,4]]},"2675":{"position":[[4776,4]]},"2944":{"position":[[1956,2]]},"2952":{"position":[[1291,3]]}}}],["12,500",{"_index":2561,"t":{"3054":{"position":[[358,6]]}}}],["12.0.000.tgz",{"_index":1325,"t":{"2713":{"position":[[1701,14]]}}}],["123",{"_index":2684,"t":{"3120":{"position":[[683,3]]},"3122":{"position":[[631,3]]},"3124":{"position":[[500,3]]},"3126":{"position":[[449,3]]},"3128":{"position":[[462,3]]},"3130":{"position":[[575,3]]},"3132":{"position":[[536,3]]},"3136":{"position":[[609,3]]},"3138":{"position":[[590,3]]},"3140":{"position":[[486,3]]},"3142":{"position":[[602,3]]},"3144":{"position":[[467,3]]},"3146":{"position":[[382,3]]},"3156":{"position":[[557,3]]},"3162":{"position":[[599,3],[2775,3]]},"3164":{"position":[[515,3]]},"3166":{"position":[[521,3]]},"3177":{"position":[[408,3]]},"3179":{"position":[[476,3]]},"3181":{"position":[[561,3]]},"3183":{"position":[[457,3]]},"3190":{"position":[[367,3]]},"3192":{"position":[[441,3]]},"3239":{"position":[[866,3]]},"3241":{"position":[[880,3]]},"3243":{"position":[[995,3]]},"3245":{"position":[[672,3],[1368,3],[1895,3],[2591,3]]},"3257":{"position":[[863,3],[1559,3],[2086,3],[2782,3]]}}}],["12345",{"_index":1719,"t":{"2821":{"position":[[855,5],[1184,6],[1269,5]]}}}],["127.0.0.1",{"_index":2751,"t":{"3192":{"position":[[358,11]]}}}],["12:00",{"_index":232,"t":{"2520":{"position":[[237,5]]}}}],["13",{"_index":1034,"t":{"2622":{"position":[[3166,3]]},"2624":{"position":[[1218,3]]},"3120":{"position":[[667,2]]},"3122":{"position":[[615,2]]},"3124":{"position":[[484,2]]},"3126":{"position":[[433,2]]},"3128":{"position":[[446,2]]},"3130":{"position":[[559,2]]},"3132":{"position":[[520,2]]},"3136":{"position":[[593,2]]},"3138":{"position":[[574,2]]},"3140":{"position":[[470,2]]},"3142":{"position":[[586,2]]},"3144":{"position":[[451,2]]},"3146":{"position":[[366,2]]},"3156":{"position":[[541,2]]},"3162":{"position":[[583,2],[2759,2]]},"3164":{"position":[[499,2]]},"3166":{"position":[[505,2]]},"3177":{"position":[[392,2]]},"3179":{"position":[[460,2]]},"3181":{"position":[[545,2]]},"3183":{"position":[[441,2]]},"3190":{"position":[[351,2]]},"3192":{"position":[[425,2]]},"3239":{"position":[[850,2]]},"3241":{"position":[[864,2]]},"3243":{"position":[[979,2]]},"3245":{"position":[[656,2],[1879,2]]},"3257":{"position":[[847,2],[2070,2]]}}}],["13:26",{"_index":2653,"t":{"3114":{"position":[[419,5]]},"3116":{"position":[[400,5]]},"3134":{"position":[[413,5]]},"3187":{"position":[[385,5]]}}}],["13:26:40",{"_index":2683,"t":{"3120":{"position":[[670,8]]},"3122":{"position":[[618,8]]},"3124":{"position":[[487,8]]},"3126":{"position":[[436,8]]},"3128":{"position":[[449,8]]},"3130":{"position":[[562,8]]},"3132":{"position":[[523,8]]},"3136":{"position":[[596,8]]},"3138":{"position":[[577,8]]},"3140":{"position":[[473,8]]},"3142":{"position":[[589,8]]},"3144":{"position":[[454,8]]},"3146":{"position":[[369,8]]},"3156":{"position":[[544,8]]},"3162":{"position":[[586,8],[2762,8]]},"3164":{"position":[[502,8]]},"3166":{"position":[[508,8]]},"3177":{"position":[[395,8]]},"3179":{"position":[[463,8]]},"3181":{"position":[[548,8]]},"3183":{"position":[[444,8]]},"3190":{"position":[[354,8]]},"3192":{"position":[[428,8]]},"3239":{"position":[[853,8]]},"3241":{"position":[[867,8]]},"3243":{"position":[[982,8]]}}}],["13:26:44",{"_index":2808,"t":{"3245":{"position":[[1882,8]]},"3257":{"position":[[2073,8]]}}}],["13:26:50",{"_index":2792,"t":{"3245":{"position":[[659,8]]},"3257":{"position":[[850,8]]}}}],["13:27",{"_index":2659,"t":{"3114":{"position":[[630,5],[912,5],[1194,5],[1476,5]]},"3116":{"position":[[611,5],[893,5],[1175,5],[1457,5]]},"3134":{"position":[[624,5],[906,5],[1188,5],[1470,5]]},"3187":{"position":[[596,5],[878,5],[1160,5],[1442,5]]}}}],["13:28",{"_index":2672,"t":{"3114":{"position":[[1758,5],[2040,5]]},"3116":{"position":[[1739,5],[2021,5]]},"3134":{"position":[[1752,5],[2034,5]]},"3187":{"position":[[1724,5],[2006,5]]}}}],["13:47",{"_index":2677,"t":{"3114":{"position":[[2322,5]]},"3116":{"position":[[2303,5]]},"3134":{"position":[[2316,5]]},"3187":{"position":[[2288,5]]}}}],["13m",{"_index":1237,"t":{"2685":{"position":[[809,3]]}}}],["13t13:26:40z",{"_index":2691,"t":{"3120":{"position":[[737,13]]},"3122":{"position":[[685,13]]},"3124":{"position":[[554,13]]},"3126":{"position":[[503,13]]},"3128":{"position":[[516,13]]},"3130":{"position":[[629,13]]},"3132":{"position":[[590,13]]},"3136":{"position":[[663,13]]},"3138":{"position":[[644,13]]},"3140":{"position":[[540,13]]},"3142":{"position":[[656,13]]},"3144":{"position":[[521,13]]},"3146":{"position":[[436,13]]},"3156":{"position":[[611,13]]},"3162":{"position":[[653,13],[2829,13]]},"3164":{"position":[[569,13]]},"3166":{"position":[[575,13]]},"3177":{"position":[[462,13]]},"3179":{"position":[[530,13]]},"3181":{"position":[[615,13]]},"3183":{"position":[[511,13]]},"3190":{"position":[[421,13]]},"3192":{"position":[[495,13]]},"3239":{"position":[[920,13]]},"3241":{"position":[[934,13]]},"3243":{"position":[[1049,13]]}}}],["13t13:26:44z",{"_index":2809,"t":{"3245":{"position":[[1949,13]]},"3257":{"position":[[2140,13]]}}}],["13t13:26:50z",{"_index":2797,"t":{"3245":{"position":[[726,13]]},"3257":{"position":[[917,13]]}}}],["14.2",{"_index":1212,"t":{"2677":{"position":[[1006,4]]}}}],["1500",{"_index":774,"t":{"2578":{"position":[[242,4]]}}}],["16",{"_index":1686,"t":{"2801":{"position":[[199,2],[223,2]]},"2807":{"position":[[305,2],[351,2]]}}}],["1600",{"_index":2651,"t":{"3114":{"position":[[412,4]]},"3116":{"position":[[393,4]]},"3134":{"position":[[406,4]]},"3187":{"position":[[378,4]]}}}],["1616",{"_index":2650,"t":{"3114":{"position":[[407,4]]},"3116":{"position":[[388,4]]},"3134":{"position":[[401,4]]},"3187":{"position":[[373,4]]}}}],["1:/etc/rancher/k3s/k3s.yaml",{"_index":849,"t":{"2595":{"position":[[619,27]]}}}],["1:2379,https://etcd",{"_index":1221,"t":{"2681":{"position":[[1164,19]]}}}],["1cf71c22f568468055e517ab363437c0e54e45274c64024d337cc5bcce66341d",{"_index":2678,"t":{"3114":{"position":[[2480,64]]},"3116":{"position":[[2461,64]]},"3134":{"position":[[2474,64]]},"3187":{"position":[[2446,64]]}}}],["1s",{"_index":1103,"t":{"2641":{"position":[[1351,3]]}}}],["2",{"_index":390,"t":{"2530":{"position":[[627,1],[1306,1]]},"2620":{"position":[[326,2],[466,2],[565,2]]},"2622":{"position":[[494,2],[738,1],[870,2],[956,1],[1048,1],[1095,1],[1233,2],[1309,2],[1678,1],[1814,1],[2746,2],[3113,1],[3250,1]]},"2624":{"position":[[798,2],[1165,1],[1302,1]]},"2632":{"position":[[226,1]]},"2729":{"position":[[33,1]]},"2793":{"position":[[146,1]]},"2801":{"position":[[150,1]]},"2807":{"position":[[258,1],[280,1]]},"2813":{"position":[[570,1]]},"2944":{"position":[[1491,1]]}}}],["2.1",{"_index":2614,"t":{"3089":{"position":[[836,6],[1755,6]]},"3160":{"position":[[966,6],[1885,6]]},"3195":{"position":[[860,6],[1779,6],[2090,3]]},"3197":{"position":[[749,6],[1668,6]]},"3199":{"position":[[774,6],[1693,6]]},"3201":{"position":[[926,6],[1845,6]]},"3203":{"position":[[752,6],[1671,6]]},"3205":{"position":[[784,6],[1703,6]]},"3207":{"position":[[883,6],[1802,6]]}}}],["2.2",{"_index":2618,"t":{"3089":{"position":[[965,6],[1794,6]]},"3160":{"position":[[1095,6],[1924,6]]},"3195":{"position":[[989,6],[1818,6]]},"3197":{"position":[[878,6],[1707,6],[1979,3]]},"3199":{"position":[[903,6],[1732,6]]},"3201":{"position":[[1055,6],[1884,6]]},"3203":{"position":[[881,6],[1710,6]]},"3205":{"position":[[913,6],[1742,6]]},"3207":{"position":[[1012,6],[1841,6]]}}}],["2.3",{"_index":2619,"t":{"3089":{"position":[[1089,6],[1834,6]]},"3160":{"position":[[1219,6],[1964,6]]},"3195":{"position":[[1113,6],[1858,6]]},"3197":{"position":[[1002,6],[1747,6]]},"3199":{"position":[[1027,6],[1772,6],[2004,3]]},"3201":{"position":[[1179,6],[1924,6]]},"3203":{"position":[[1005,6],[1750,6]]},"3205":{"position":[[1037,6],[1782,6]]},"3207":{"position":[[1136,6],[1881,6]]}}}],["2.4",{"_index":2620,"t":{"3089":{"position":[[1165,6],[1856,6]]},"3160":{"position":[[1295,6],[1986,6]]},"3195":{"position":[[1189,6],[1880,6]]},"3197":{"position":[[1078,6],[1769,6]]},"3199":{"position":[[1103,6],[1794,6]]},"3201":{"position":[[1255,6],[1946,6],[2156,3]]},"3203":{"position":[[1081,6],[1772,6]]},"3205":{"position":[[1113,6],[1804,6]]},"3207":{"position":[[1212,6],[1903,6]]}}}],["2.5",{"_index":2621,"t":{"3089":{"position":[[1292,6],[1905,6]]},"3160":{"position":[[1422,6],[2035,6]]},"3195":{"position":[[1316,6],[1929,6]]},"3197":{"position":[[1205,6],[1818,6]]},"3199":{"position":[[1230,6],[1843,6]]},"3201":{"position":[[1382,6],[1995,6]]},"3203":{"position":[[1208,6],[1821,6],[1982,3]]},"3205":{"position":[[1240,6],[1853,6]]},"3207":{"position":[[1339,6],[1952,6]]}}}],["2.6",{"_index":2622,"t":{"3089":{"position":[[1414,6],[1945,6]]},"3160":{"position":[[1544,6],[2075,6]]},"3195":{"position":[[1438,6],[1969,6]]},"3197":{"position":[[1327,6],[1858,6]]},"3199":{"position":[[1352,6],[1883,6]]},"3201":{"position":[[1504,6],[2035,6]]},"3203":{"position":[[1330,6],[1861,6]]},"3205":{"position":[[1362,6],[1893,6],[2014,3]]},"3207":{"position":[[1461,6],[1992,6]]}}}],["2.7",{"_index":2623,"t":{"3089":{"position":[[1495,6],[1983,6]]},"3160":{"position":[[1625,6],[2113,6]]},"3195":{"position":[[1519,6],[2007,6]]},"3197":{"position":[[1408,6],[1896,6]]},"3199":{"position":[[1433,6],[1921,6]]},"3201":{"position":[[1585,6],[2073,6]]},"3203":{"position":[[1411,6],[1899,6]]},"3205":{"position":[[1443,6],[1931,6]]},"3207":{"position":[[1542,6],[2030,6],[2113,3]]}}}],["2/2",{"_index":618,"t":{"2562":{"position":[[856,3]]}}}],["20",{"_index":1010,"t":{"2622":{"position":[[1693,3]]},"2910":{"position":[[549,3],[630,3]]},"2922":{"position":[[235,3]]},"2924":{"position":[[235,3]]}}}],["20.04",{"_index":954,"t":{"2620":{"position":[[45,6]]},"2918":{"position":[[11,5]]}}}],["200",{"_index":997,"t":{"2622":{"position":[[1072,3]]}}}],["2001:cafe:42::/56",{"_index":1892,"t":{"2872":{"position":[[588,20]]}}}],["2021",{"_index":391,"t":{"2530":{"position":[[691,4]]}}}],["2022",{"_index":804,"t":{"2587":{"position":[[341,4]]},"2944":{"position":[[1951,4]]}}}],["2023",{"_index":454,"t":{"2537":{"position":[[1494,4]]},"2640":{"position":[[130,4]]},"2789":{"position":[[112,4]]}}}],["2024",{"_index":1411,"t":{"2740":{"position":[[96,4]]},"2769":{"position":[[920,4]]},"2837":{"position":[[96,4]]}}}],["203.0.113.254/31",{"_index":1429,"t":{"2743":{"position":[[908,16]]}}}],["203.0.113.255",{"_index":1431,"t":{"2743":{"position":[[961,13]]}}}],["2048",{"_index":563,"t":{"2545":{"position":[[931,4]]}}}],["21.10",{"_index":836,"t":{"2593":{"position":[[423,7]]},"2791":{"position":[[1979,6]]}}}],["22",{"_index":1033,"t":{"2622":{"position":[[3128,3]]},"2624":{"position":[[1180,3]]}}}],["2318",{"_index":2658,"t":{"3114":{"position":[[621,4]]},"3116":{"position":[[602,4]]},"3134":{"position":[[615,4]]},"3187":{"position":[[587,4]]}}}],["2341",{"_index":2665,"t":{"3114":{"position":[[903,4]]},"3116":{"position":[[884,4]]},"3134":{"position":[[897,4]]},"3187":{"position":[[869,4]]}}}],["2379",{"_index":1661,"t":{"2795":{"position":[[785,4]]},"2797":{"position":[[49,4]]}}}],["2380",{"_index":1662,"t":{"2795":{"position":[[794,5]]},"2797":{"position":[[54,4]]}}}],["24h0m0",{"_index":1107,"t":{"2641":{"position":[[1417,8]]}}}],["250",{"_index":1685,"t":{"2801":{"position":[[193,3]]},"2807":{"position":[[299,3]]},"2922":{"position":[[430,3]]},"2924":{"position":[[395,3]]}}}],["256",{"_index":2067,"t":{"2910":{"position":[[487,3],[493,3],[703,3],[709,3]]},"2926":{"position":[[160,3]]}}}],["279",{"_index":795,"t":{"2582":{"position":[[583,4]]}}}],["28m",{"_index":1234,"t":{"2685":{"position":[[758,3]]}}}],["2:2379,https://etcd",{"_index":1222,"t":{"2681":{"position":[[1189,19]]}}}],["2b1c8278a6a1_0",{"_index":683,"t":{"2562":{"position":[[2394,14],[2554,14]]}}}],["2gi",{"_index":2243,"t":{"2976":{"position":[[187,3]]},"2982":{"position":[[169,3]]}}}],["2m",{"_index":1104,"t":{"2641":{"position":[[1355,3]]}}}],["2wz97",{"_index":621,"t":{"2562":{"position":[[905,5]]}}}],["2wz97_kube",{"_index":642,"t":{"2562":{"position":[[1476,10],[1793,10]]}}}],["3",{"_index":254,"t":{"2520":{"position":[[1269,1]]},"2545":{"position":[[792,2]]},"2620":{"position":[[141,1],[348,2],[587,2]]},"2622":{"position":[[777,1],[1322,2],[1716,1],[1874,1],[2759,2],[3151,1],[3310,1]]},"2624":{"position":[[811,2],[1203,1],[1362,1]]},"2717":{"position":[[177,1],[251,4]]},"2944":{"position":[[43,1]]}}}],["3.00",{"_index":2062,"t":{"2910":{"position":[[279,4],[383,4],[465,4]]},"2922":{"position":[[226,4]]},"2924":{"position":[[226,4]]},"2926":{"position":[[114,4]]}}}],["3.5.4",{"_index":1205,"t":{"2677":{"position":[[900,6]]}}}],["30",{"_index":1032,"t":{"2622":{"position":[[3090,3]]},"2624":{"position":[[1142,3]]},"3040":{"position":[[54,2],[122,2],[247,2]]},"3150":{"position":[[195,2]]}}}],["300",{"_index":1315,"t":{"2713":{"position":[[1223,3]]}}}],["30000",{"_index":1167,"t":{"2663":{"position":[[219,6]]},"2675":{"position":[[1684,6]]}}}],["3117",{"_index":801,"t":{"2587":{"position":[[128,6]]}}}],["3199",{"_index":2667,"t":{"3114":{"position":[[1185,4]]},"3116":{"position":[[1166,4]]},"3134":{"position":[[1179,4]]},"3187":{"position":[[1151,4]]}}}],["32",{"_index":1008,"t":{"2622":{"position":[[1655,3]]},"2801":{"position":[[226,2],[246,2]]},"2807":{"position":[[331,2]]}}}],["32767",{"_index":1168,"t":{"2663":{"position":[[226,6]]},"2675":{"position":[[1691,7]]},"3120":{"position":[[2651,5]]},"3122":{"position":[[2599,5]]},"3124":{"position":[[2468,5]]},"3126":{"position":[[2417,5]]},"3128":{"position":[[2430,5]]},"3130":{"position":[[2543,5]]},"3132":{"position":[[2504,5]]},"3136":{"position":[[2577,5]]},"3138":{"position":[[2558,5]]},"3140":{"position":[[2454,5]]},"3142":{"position":[[2570,5]]},"3144":{"position":[[2435,5]]},"3146":{"position":[[2350,5]]},"3156":{"position":[[2525,5]]},"3162":{"position":[[2567,5]]},"3164":{"position":[[2483,5]]},"3166":{"position":[[2489,5]]},"3239":{"position":[[2834,5]]},"3241":{"position":[[2848,5]]},"3243":{"position":[[2963,5]]}}}],["365",{"_index":408,"t":{"2533":{"position":[[49,3]]},"2556":{"position":[[29,4]]}}}],["3923",{"_index":2669,"t":{"3114":{"position":[[1467,4]]},"3116":{"position":[[1448,4]]},"3134":{"position":[[1461,4]]},"3187":{"position":[[1433,4]]}}}],["3:2379",{"_index":1223,"t":{"2681":{"position":[[1214,6]]}}}],["3e4d34729602",{"_index":623,"t":{"2562":{"position":[[1027,12]]}}}],["3h",{"_index":1105,"t":{"2641":{"position":[[1359,4]]}}}],["3m12",{"_index":1015,"t":{"2622":{"position":[[1908,5]]}}}],["3m16",{"_index":1036,"t":{"2622":{"position":[[3344,5]]},"2624":{"position":[[1396,5]]}}}],["3m58",{"_index":1014,"t":{"2622":{"position":[[1848,5],[3284,5]]},"2624":{"position":[[1336,5]]}}}],["3rd",{"_index":1585,"t":{"2783":{"position":[[76,3]]}}}],["4",{"_index":1068,"t":{"2632":{"position":[[228,1]]},"2727":{"position":[[584,1]]},"2801":{"position":[[152,1],[174,1]]},"2807":{"position":[[303,1]]},"2918":{"position":[[60,1],[100,1],[112,1]]}}}],["4.2.1",{"_index":2491,"t":{"3030":{"position":[[3088,5]]}}}],["4.2.10",{"_index":2524,"t":{"3030":{"position":[[4281,6],[4360,6]]}}}],["4.2.2",{"_index":2494,"t":{"3030":{"position":[[3161,5]]}}}],["4.2.3",{"_index":2497,"t":{"3030":{"position":[[3252,5]]}}}],["4.2.4",{"_index":2518,"t":{"3030":{"position":[[4093,5]]}}}],["4.2.6",{"_index":2517,"t":{"3030":{"position":[[4066,5]]}}}],["400",{"_index":2781,"t":{"3230":{"position":[[317,5]]}}}],["410a",{"_index":681,"t":{"2562":{"position":[[2384,4],[2544,4]]}}}],["4206",{"_index":645,"t":{"2562":{"position":[[1508,4],[1825,4]]}}}],["43",{"_index":619,"t":{"2562":{"position":[[870,3],[925,3]]}}}],["4367",{"_index":2803,"t":{"3245":{"position":[[1506,4]]},"3257":{"position":[[1697,4]]}}}],["436b85c5e38d",{"_index":638,"t":{"2562":{"position":[[1348,12]]}}}],["440",{"_index":2780,"t":{"3230":{"position":[[297,5]]}}}],["443",{"_index":1947,"t":{"2880":{"position":[[272,4]]},"2892":{"position":[[466,3],[637,3]]}}}],["443_svclb",{"_index":628,"t":{"2562":{"position":[[1110,9]]}}}],["444",{"_index":2779,"t":{"3230":{"position":[[277,5]]}}}],["4454d14e4d3f",{"_index":674,"t":{"2562":{"position":[[2236,12]]}}}],["4559",{"_index":2671,"t":{"3114":{"position":[[1749,4]]},"3116":{"position":[[1730,4]]},"3134":{"position":[[1743,4]]},"3187":{"position":[[1715,4]]}}}],["4647",{"_index":2674,"t":{"3114":{"position":[[2031,4]]},"3116":{"position":[[2012,4]]},"3134":{"position":[[2025,4]]},"3187":{"position":[[1997,4]]}}}],["47ef",{"_index":671,"t":{"2562":{"position":[[2211,4]]}}}],["48f37a480315b6adce2d2a5c5d67a85412dd0ba7a2e82816434e0deb9fa75de9",{"_index":2675,"t":{"3114":{"position":[[2198,64]]},"3116":{"position":[[2179,64]]},"3134":{"position":[[2192,64]]},"3187":{"position":[[2164,64]]}}}],["4b1fddbe6ca6",{"_index":686,"t":{"2562":{"position":[[2569,12]]}}}],["4bea",{"_index":661,"t":{"2562":{"position":[[2028,4],[2719,4]]}}}],["4c10",{"_index":2812,"t":{"3245":{"position":[[2729,4]]},"3257":{"position":[[2920,4]]}}}],["4c7e",{"_index":632,"t":{"2562":{"position":[[1160,4],[1323,4],[1664,4]]}}}],["4fb1",{"_index":680,"t":{"2562":{"position":[[2379,4],[2539,4]]}}}],["4k",{"_index":1608,"t":{"2789":{"position":[[232,2]]}}}],["4m22",{"_index":1013,"t":{"2622":{"position":[[1788,5]]}}}],["4m49",{"_index":1035,"t":{"2622":{"position":[[3224,5]]},"2624":{"position":[[1276,5]]}}}],["5",{"_index":233,"t":{"2520":{"position":[[261,1],[2139,1],[2149,3],[2254,2],[4775,4]]},"2526":{"position":[[563,2],[1551,2]]},"2648":{"position":[[874,1],[885,3],[998,2]]},"2675":{"position":[[4741,1],[4752,3],[4866,2]]},"2910":{"position":[[474,2]]},"2922":{"position":[[436,1]]},"2924":{"position":[[401,1]]},"2926":{"position":[[64,2]]},"3012":{"position":[[112,3]]},"3089":{"position":[[858,1],[987,1],[1187,1],[1314,1]]},"3160":{"position":[[988,1],[1117,1],[1317,1],[1444,1]]},"3195":{"position":[[882,1],[1011,1],[1211,1],[1338,1]]},"3197":{"position":[[771,1],[900,1],[1100,1],[1227,1]]},"3199":{"position":[[796,1],[925,1],[1125,1],[1252,1]]},"3201":{"position":[[948,1],[1077,1],[1277,1],[1404,1]]},"3203":{"position":[[774,1],[903,1],[1103,1],[1230,1]]},"3205":{"position":[[806,1],[935,1],[1135,1],[1262,1]]},"3207":{"position":[[905,1],[1034,1],[1234,1],[1361,1]]}}}],["5.2",{"_index":2349,"t":{"3022":{"position":[[1296,3]]}}}],["5.2.1",{"_index":2351,"t":{"3022":{"position":[[1475,5]]}}}],["5.2.2",{"_index":2363,"t":{"3022":{"position":[[1787,5]]}}}],["5.2.3",{"_index":2361,"t":{"3022":{"position":[[1758,5]]}}}],["5.2.4",{"_index":2359,"t":{"3022":{"position":[[1729,5]]}}}],["5.2.5",{"_index":2353,"t":{"3022":{"position":[[1521,5]]}}}],["5.2.6",{"_index":2366,"t":{"3022":{"position":[[1837,5]]}}}],["5.2.7/8/9",{"_index":2355,"t":{"3022":{"position":[[1561,9]]}}}],["5.7",{"_index":1206,"t":{"2677":{"position":[[925,4]]}}}],["50",{"_index":2110,"t":{"2922":{"position":[[427,2]]},"2924":{"position":[[392,2]]}}}],["500",{"_index":1688,"t":{"2801":{"position":[[219,3],[241,4]]},"2807":{"position":[[325,3],[346,4]]},"2922":{"position":[[395,3]]},"2924":{"position":[[360,3]]}}}],["5001",{"_index":1679,"t":{"2797":{"position":[[443,4]]},"2839":{"position":[[411,5]]},"2841":{"position":[[135,4]]}}}],["51",{"_index":606,"t":{"2562":{"position":[[645,3],[707,3],[766,3],[820,3]]},"2622":{"position":[[1115,2]]}}}],["512",{"_index":1633,"t":{"2793":{"position":[[158,3]]},"2910":{"position":[[406,3],[644,3]]},"2924":{"position":[[372,3]]}}}],["515",{"_index":718,"t":{"2568":{"position":[[238,3],[258,3]]}}}],["51820",{"_index":1654,"t":{"2795":{"position":[[183,5]]},"2797":{"position":[[291,5]]}}}],["51821",{"_index":1655,"t":{"2795":{"position":[[194,5]]},"2797":{"position":[[367,5]]}}}],["53",{"_index":2403,"t":{"3024":{"position":[[810,2],[835,2]]}}}],["5489f84d5d",{"_index":1524,"t":{"2763":{"position":[[871,10]]}}}],["5497",{"_index":2802,"t":{"3245":{"position":[[1501,4]]},"3257":{"position":[[1692,4]]}}}],["5h39m",{"_index":1703,"t":{"2813":{"position":[[540,5],[599,5]]}}}],["5m0",{"_index":1147,"t":{"2648":{"position":[[1729,5]]},"2675":{"position":[[5687,5]]}}}],["5s",{"_index":983,"t":{"2622":{"position":[[682,2]]}}}],["6",{"_index":2652,"t":{"3114":{"position":[[417,1]]},"3116":{"position":[[398,1]]},"3134":{"position":[[411,1]]},"3187":{"position":[[383,1]]}}}],["6.4",{"_index":867,"t":{"2602":{"position":[[194,5]]}}}],["60",{"_index":2547,"t":{"3046":{"position":[[252,2],[419,2],[651,2]]},"3158":{"position":[[114,2]]}}}],["600",{"_index":1156,"t":{"2652":{"position":[[298,4]]},"2827":{"position":[[668,3]]},"3093":{"position":[[148,3]]},"3109":{"position":[[141,3]]},"3230":{"position":[[250,5],[268,5],[374,3]]}}}],["620c90a6c1c1_0",{"_index":663,"t":{"2562":{"position":[[2038,14],[2729,14]]}}}],["64",{"_index":1690,"t":{"2801":{"position":[[249,2]]},"2807":{"position":[[354,2]]}}}],["640",{"_index":2778,"t":{"3230":{"position":[[230,5]]}}}],["644",{"_index":1157,"t":{"2652":{"position":[[324,3]]},"2829":{"position":[[535,3]]},"3069":{"position":[[148,3]]},"3073":{"position":[[148,3]]},"3077":{"position":[[148,3]]},"3081":{"position":[[148,3]]},"3085":{"position":[[148,3]]},"3097":{"position":[[138,3],[369,4],[383,3]]},"3101":{"position":[[138,3],[379,4],[393,3]]},"3107":{"position":[[141,3]]},"3218":{"position":[[146,3]]},"3222":{"position":[[136,3],[380,3],[384,3]]},"3226":{"position":[[136,3],[271,5],[289,5],[311,3],[315,3]]},"3230":{"position":[[114,3],[210,5],[370,3]]},"3234":{"position":[[130,3]]}}}],["6443",{"_index":743,"t":{"2574":{"position":[[172,4]]},"2622":{"position":[[524,6],[2440,5]]},"2624":{"position":[[492,5]]},"2657":{"position":[[97,4]]},"2675":{"position":[[826,5]]},"2795":{"position":[[26,4]]},"2797":{"position":[[119,4],[529,4]]},"2839":{"position":[[331,5]]},"2841":{"position":[[144,5]]}}}],["6443/tcp",{"_index":822,"t":{"2591":{"position":[[100,8]]},"2791":{"position":[[1151,8]]}}}],["6443:6443",{"_index":845,"t":{"2595":{"position":[[387,9]]},"2622":{"position":[[2614,9]]},"2624":{"position":[[666,9]]}}}],["6444",{"_index":134,"t":{"2504":{"position":[[683,5]]},"2518":{"position":[[1939,5]]},"2675":{"position":[[9045,5]]}}}],["6488",{"_index":752,"t":{"2574":{"position":[[588,6]]}}}],["64d3517d4a95",{"_index":688,"t":{"2562":{"position":[[2744,12]]}}}],["64ffb68fd",{"_index":1521,"t":{"2763":{"position":[[810,9]]}}}],["65535",{"_index":2371,"t":{"3022":{"position":[[1929,5],[1984,5],[3014,5],[3069,5],[3427,5],[3901,5]]}}}],["6610",{"_index":2676,"t":{"3114":{"position":[[2313,4]]},"3116":{"position":[[2294,4]]},"3134":{"position":[[2307,4]]},"3187":{"position":[[2279,4]]}}}],["6ad9",{"_index":660,"t":{"2562":{"position":[[2023,4],[2714,4]]}}}],["6b82a38edd8f",{"_index":2814,"t":{"3245":{"position":[[2739,12]]},"3257":{"position":[[2930,12]]}}}],["6d59f47c7",{"_index":603,"t":{"2562":{"position":[[615,9],[1986,9],[2677,9]]}}}],["700",{"_index":2419,"t":{"3026":{"position":[[416,3]]},"3089":{"position":[[242,3],[1693,7],[2090,5],[2108,5],[2130,3]]},"3160":{"position":[[1823,7]]},"3195":{"position":[[1717,7]]},"3197":{"position":[[1606,7]]},"3199":{"position":[[1631,7]]},"3201":{"position":[[1783,7]]},"3203":{"position":[[1609,7]]},"3205":{"position":[[1641,7]]},"3207":{"position":[[1740,7]]}}}],["74",{"_index":1523,"t":{"2763":{"position":[[840,3],[902,3],[956,3]]}}}],["7566d596c8",{"_index":608,"t":{"2562":{"position":[[676,10],[2168,10]]}}}],["758cd5fc85",{"_index":620,"t":{"2562":{"position":[[894,10],[1465,10],[1782,10]]}}}],["76",{"_index":866,"t":{"2602":{"position":[[170,4]]}}}],["768",{"_index":2064,"t":{"2910":{"position":[[302,3],[412,3],[563,3],[650,3]]},"2922":{"position":[[407,3]]},"2924":{"position":[[406,3]]}}}],["777",{"_index":1764,"t":{"2827":{"position":[[756,3],[902,3]]}}}],["7c6a30aeeb2f",{"_index":651,"t":{"2562":{"position":[[1689,12]]}}}],["7c9ca4fb39e7_0",{"_index":647,"t":{"2562":{"position":[[1518,14],[1835,14]]}}}],["7zwkt",{"_index":1525,"t":{"2763":{"position":[[882,5]]}}}],["8",{"_index":1435,"t":{"2743":{"position":[[1348,2]]},"2801":{"position":[[176,1],[197,1]]},"2807":{"position":[[282,1],[329,1]]},"2918":{"position":[[68,1],[120,1]]}}}],["8.0",{"_index":1207,"t":{"2677":{"position":[[934,3]]}}}],["80",{"_index":746,"t":{"2574":{"position":[[251,3]]},"2604":{"position":[[604,2]]},"2880":{"position":[[265,2]]},"2886":{"position":[[838,3],[909,3]]},"2978":{"position":[[235,2]]},"2984":{"position":[[235,2]]}}}],["8080",{"_index":748,"t":{"2574":{"position":[[277,5],[290,5]]}}}],["80_svclb",{"_index":637,"t":{"2562":{"position":[[1274,8]]}}}],["8124m",{"_index":2061,"t":{"2910":{"position":[[268,5],[372,5],[454,5]]},"2922":{"position":[[215,5]]},"2924":{"position":[[215,5]]},"2926":{"position":[[103,5]]}}}],["8472",{"_index":1653,"t":{"2795":{"position":[[123,4],[1008,5]]},"2797":{"position":[[184,4]]}}}],["85cb69466",{"_index":1526,"t":{"2763":{"position":[[926,9]]}}}],["8655855d6",{"_index":614,"t":{"2562":{"position":[[790,9],[2342,9],[2502,9]]}}}],["896",{"_index":2066,"t":{"2910":{"position":[[308,3],[569,3]]},"2922":{"position":[[441,3]]}}}],["897ce3c5fc8f",{"_index":624,"t":{"2562":{"position":[[1040,12]]}}}],["89f5",{"_index":2811,"t":{"3245":{"position":[[2724,4]]},"3257":{"position":[[2915,4]]}}}],["8c7f",{"_index":2813,"t":{"3245":{"position":[[2734,4]]},"3257":{"position":[[2925,4]]}}}],["8d7a",{"_index":633,"t":{"2562":{"position":[[1165,4],[1328,4],[1669,4]]}}}],["8e7ac18f9cb0_0",{"_index":634,"t":{"2562":{"position":[[1170,14],[1333,14],[1674,14]]}}}],["8e82",{"_index":682,"t":{"2562":{"position":[[2389,4],[2549,4]]}}}],["9",{"_index":1504,"t":{"2757":{"position":[[1236,4],[1269,4],[1288,8]]}}}],["90",{"_index":414,"t":{"2533":{"position":[[132,2]]},"2556":{"position":[[56,3]]}}}],["90c4e63d6ee29d40a48c2fdaf2738c2472cba1139dde8a550466c452184f8528",{"_index":2668,"t":{"3114":{"position":[[1352,64]]},"3116":{"position":[[1333,64]]},"3134":{"position":[[1346,64]]},"3187":{"position":[[1318,64]]}}}],["95th",{"_index":2098,"t":{"2916":{"position":[[625,4]]}}}],["98604672",{"_index":2794,"t":{"3245":{"position":[[686,8],[1382,8]]},"3257":{"position":[[877,8],[1573,8]]}}}],["9])?(\\\\.[a",{"_index":1506,"t":{"2757":{"position":[[1255,10]]}}}],["9]*[a",{"_index":1505,"t":{"2757":{"position":[[1246,5],[1279,5]]}}}],["9]16",{"_index":1115,"t":{"2641":{"position":[[2022,6]]}}}],["9]6.[a",{"_index":1114,"t":{"2641":{"position":[[2012,6]]}}}],["9d12f9848b99",{"_index":654,"t":{"2562":{"position":[[1863,12]]}}}],["9dd718864ce6",{"_index":665,"t":{"2562":{"position":[[2066,12]]}}}],["9s",{"_index":1011,"t":{"2622":{"position":[[1731,2]]}}}],["9tnck",{"_index":609,"t":{"2562":{"position":[[687,5]]}}}],["9tnck_kube",{"_index":668,"t":{"2562":{"position":[[2179,10]]}}}],["_",{"_index":1141,"t":{"2648":{"position":[[889,1],[893,2]]}}}],["_desired_",{"_index":1836,"t":{"2864":{"position":[[1999,9]]}}}],["a+x",{"_index":1736,"t":{"2823":{"position":[[511,3]]}}}],["a1",{"_index":2726,"t":{"3162":{"position":[[438,2]]}}}],["a70c",{"_index":2804,"t":{"3245":{"position":[[1511,4]]},"3257":{"position":[[1702,4]]}}}],["a73d",{"_index":662,"t":{"2562":{"position":[[2033,4],[2724,4]]}}}],["a88d",{"_index":672,"t":{"2562":{"position":[[2216,4]]}}}],["aarch64",{"_index":2101,"t":{"2918":{"position":[[25,7]]}}}],["aarch64/arm64",{"_index":1607,"t":{"2789":{"position":[[189,13]]}}}],["abil",{"_index":453,"t":{"2537":{"position":[[1407,7]]},"2640":{"position":[[55,7]]},"3036":{"position":[[204,7]]}}}],["abort",{"_index":1318,"t":{"2713":{"position":[[1281,6]]}}}],["abov",{"_index":401,"t":{"2530":{"position":[[1283,6]]},"2541":{"position":[[947,5]]},"2612":{"position":[[275,7]]},"2630":{"position":[[1034,6]]},"2687":{"position":[[249,6]]},"2743":{"position":[[97,5]]},"2761":{"position":[[42,6]]},"2823":{"position":[[1490,6]]},"2829":{"position":[[11,5]]},"2952":{"position":[[1037,5]]},"3022":{"position":[[2028,5],[2361,5]]},"3052":{"position":[[350,6]]},"3089":{"position":[[215,7]]},"3091":{"position":[[225,7]]}}}],["absenc",{"_index":2192,"t":{"2950":{"position":[[779,7]]}}}],["abus",{"_index":1672,"t":{"2795":{"position":[[1144,5]]}}}],["acceler",{"_index":1905,"t":{"2874":{"position":[[311,12]]}}}],["accept",{"_index":448,"t":{"2537":{"position":[[1040,11]]},"2954":{"position":[[262,9]]},"3036":{"position":[[320,8]]}}}],["access",{"_index":299,"t":{"2520":{"position":[[3189,6],[3203,6],[3507,6],[3522,6],[3849,6],[3864,6],[4640,6],[4655,6]]},"2618":{"position":[[559,6]]},"2622":{"position":[[297,6]]},"2636":{"position":[[354,6],[416,6]]},"2648":{"position":[[1362,6],[1400,6]]},"2663":{"position":[[1099,6],[1368,6]]},"2675":{"position":[[5291,6],[5316,6]]},"2709":{"position":[[523,6]]},"2727":{"position":[[689,9],[1103,6]]},"2740":{"position":[[380,6]]},"2743":{"position":[[1363,10]]},"2783":{"position":[[223,6]]},"2795":{"position":[[37,10],[627,10],[751,10],[911,8],[993,6]]},"2839":{"position":[[527,6]]},"2848":{"position":[[0,6],[136,6]]},"2850":{"position":[[345,6],[683,6]]},"2870":{"position":[[821,6]]},"2872":{"position":[[482,6]]},"2938":{"position":[[132,6]]},"2950":{"position":[[736,6],[1177,6],[1440,6]]},"3024":{"position":[[1041,7]]},"3026":{"position":[[316,6]]},"3036":{"position":[[215,7],[454,6],[507,6]]},"3056":{"position":[[157,7]]},"3060":{"position":[[222,6]]},"3215":{"position":[[131,6]]},"3268":{"position":[[69,6]]},"3272":{"position":[[56,6]]},"3274":{"position":[[108,6]]}}}],["accessmod",{"_index":2240,"t":{"2976":{"position":[[99,12]]},"2982":{"position":[[83,12]]}}}],["accompani",{"_index":2582,"t":{"3065":{"position":[[980,12]]}}}],["accomplish",{"_index":1456,"t":{"2748":{"position":[[40,12]]},"2932":{"position":[[193,12]]}}}],["accord",{"_index":2581,"t":{"3065":{"position":[[963,9]]}}}],["accordingli",{"_index":1621,"t":{"2791":{"position":[[757,12],[1457,12]]},"2992":{"position":[[677,12]]}}}],["account",{"_index":487,"t":{"2539":{"position":[[1121,7]]},"2541":{"position":[[1691,7],[1737,7]]},"2545":{"position":[[12,7],[74,7],[116,7],[213,7],[604,7]]},"2636":{"position":[[742,7]]},"2864":{"position":[[838,7]]},"2872":{"position":[[253,7]]},"2994":{"position":[[116,8]]},"3028":{"position":[[606,7],[1172,7]]},"3030":{"position":[[1573,7],[1602,7],[1682,7],[2723,7],[2814,7]]},"3048":{"position":[[26,7],[97,7],[235,7],[331,7],[382,7]]},"3060":{"position":[[28,8],[115,7],[184,7],[294,7],[369,8],[398,7],[467,7],[639,7],[686,8],[868,8]]},"3065":{"position":[[784,8]]},"3120":{"position":[[2369,7],[2439,7],[2510,7]]},"3122":{"position":[[2317,7],[2387,7],[2458,7]]},"3124":{"position":[[2186,7],[2256,7],[2327,7]]},"3126":{"position":[[2135,7],[2205,7],[2276,7]]},"3128":{"position":[[2148,7],[2218,7],[2289,7]]},"3130":{"position":[[2261,7],[2331,7],[2402,7]]},"3132":{"position":[[2222,7],[2292,7],[2363,7]]},"3136":{"position":[[2295,7],[2365,7],[2436,7]]},"3138":{"position":[[2276,7],[2346,7],[2417,7]]},"3140":{"position":[[2172,7],[2242,7],[2313,7]]},"3142":{"position":[[2288,7],[2358,7],[2429,7]]},"3144":{"position":[[2153,7],[2223,7],[2294,7]]},"3146":{"position":[[2068,7],[2138,7],[2209,7]]},"3156":{"position":[[180,7],[244,7],[449,7],[494,7],[2243,7],[2313,7],[2384,7]]},"3162":{"position":[[2285,7],[2355,7],[2426,7]]},"3164":{"position":[[2201,7],[2271,7],[2342,7]]},"3166":{"position":[[2207,7],[2277,7],[2348,7]]},"3177":{"position":[[1869,7],[1992,7]]},"3179":{"position":[[200,7],[342,7],[395,7],[1937,7],[2060,7]]},"3181":{"position":[[180,7],[251,9],[284,7],[434,7],[488,7],[2022,7],[2145,7]]},"3183":{"position":[[1918,7],[2041,7]]},"3239":{"position":[[2552,7],[2622,7],[2693,7]]},"3241":{"position":[[2566,7],[2636,7],[2707,7]]},"3243":{"position":[[2681,7],[2751,7],[2822,7]]},"3274":{"position":[[50,8],[194,7]]},"3276":{"position":[[68,8],[112,7]]}}}],["acct",{"_index":1853,"t":{"2864":{"position":[[3222,4]]},"3022":{"position":[[5312,4]]}}}],["accumul",{"_index":1758,"t":{"2827":{"position":[[495,11]]}}}],["achiev",{"_index":1660,"t":{"2795":{"position":[[682,9]]},"2868":{"position":[[186,7]]}}}],["acl",{"_index":1899,"t":{"2872":{"position":[[1234,4]]}}}],["act",{"_index":1901,"t":{"2874":{"position":[[135,4]]}}}],["action",{"_index":2530,"t":{"3036":{"position":[[153,7]]},"3270":{"position":[[121,8]]}}}],["activ",{"_index":382,"t":{"2530":{"position":[[317,6],[629,6],[1553,7],[1652,6]]},"2761":{"position":[[196,8]]},"3038":{"position":[[189,10]]},"3054":{"position":[[516,8]]},"3060":{"position":[[45,8]]}}}],["actual",{"_index":1092,"t":{"2641":{"position":[[552,6]]},"2852":{"position":[[383,8]]},"3048":{"position":[[277,8]]},"3089":{"position":[[352,8]]},"3160":{"position":[[482,8]]},"3195":{"position":[[376,8]]},"3197":{"position":[[265,8]]},"3199":{"position":[[290,8]]},"3201":{"position":[[442,8]]},"3203":{"position":[[268,8]]},"3205":{"position":[[300,8]]},"3207":{"position":[[399,8]]}}}],["ad",{"_index":181,"t":{"2516":{"position":[[209,5]]},"2520":{"position":[[2810,5]]},"2524":{"position":[[173,6]]},"2725":{"position":[[355,6]]},"2729":{"position":[[377,5],[1014,6]]},"2750":{"position":[[907,5]]},"2815":{"position":[[13,5]]},"2843":{"position":[[804,5]]},"2890":{"position":[[0,6]]},"2930":{"position":[[624,6]]},"2962":{"position":[[135,6]]},"3014":{"position":[[814,6]]},"3026":{"position":[[1098,5]]},"3301":{"position":[[202,6]]}}}],["adapt",{"_index":2136,"t":{"2934":{"position":[[293,12]]}}}],["add",{"_index":176,"t":{"2516":{"position":[[82,4],[142,3],[313,3],[584,3]]},"2589":{"position":[[121,3],[192,3],[264,3]]},"2606":{"position":[[71,3]]},"2622":{"position":[[433,3],[802,3]]},"2657":{"position":[[364,3]]},"2675":{"position":[[1138,3]]},"2687":{"position":[[211,3],[590,3]]},"2727":{"position":[[962,4]]},"2731":{"position":[[155,3]]},"2743":{"position":[[807,3],[852,3],[904,3],[945,3]]},"2745":{"position":[[249,3]]},"2787":{"position":[[311,3]]},"2791":{"position":[[358,3],[429,3],[501,3]]},"2815":{"position":[[125,3]]},"2870":{"position":[[305,3]]},"2872":{"position":[[782,3]]},"2874":{"position":[[758,3]]},"2892":{"position":[[72,3]]},"2952":{"position":[[368,3]]},"3018":{"position":[[320,3]]},"3259":{"position":[[85,3]]},"3285":{"position":[[26,3]]},"3287":{"position":[[26,3]]},"3289":{"position":[[26,3]]},"3291":{"position":[[26,3]]},"3293":{"position":[[26,3]]},"3297":{"position":[[26,3]]},"3303":{"position":[[26,3]]},"3305":{"position":[[26,3]]},"3307":{"position":[[26,3]]}}}],["addit",{"_index":131,"t":{"2504":{"position":[[577,10]]},"2518":{"position":[[1833,10]]},"2520":{"position":[[4463,10],[4810,10]]},"2537":{"position":[[802,10]]},"2610":{"position":[[93,8]]},"2620":{"position":[[367,10],[487,10]]},"2634":{"position":[[83,10]]},"2657":{"position":[[368,10]]},"2675":{"position":[[1142,10],[8939,10]]},"2685":{"position":[[258,10],[947,10],[991,10]]},"2687":{"position":[[215,10]]},"2727":{"position":[[970,10]]},"2729":{"position":[[55,10],[341,10]]},"2745":{"position":[[253,10]]},"2757":{"position":[[14,10],[1345,10]]},"2761":{"position":[[52,8],[79,10]]},"2791":{"position":[[68,10],[557,10],[1257,10]]},"2797":{"position":[[655,10]]},"2811":{"position":[[277,10],[378,10]]},"2825":{"position":[[45,8]]},"2880":{"position":[[784,10]]},"2884":{"position":[[628,10]]},"2916":{"position":[[379,10]]},"2930":{"position":[[278,10],[631,10]]},"2934":{"position":[[55,9]]},"2944":{"position":[[445,10],[527,10],[1357,10],[1645,10]]},"2952":{"position":[[1475,10]]},"2996":{"position":[[152,10]]},"3022":{"position":[[2219,10],[2249,10],[6425,9]]},"3024":{"position":[[2695,10]]},"3030":{"position":[[4367,10]]},"3199":{"position":[[2245,10],[2485,10],[2725,10]]},"3205":{"position":[[2290,10]]}}}],["addition",{"_index":970,"t":{"2622":{"position":[[208,13]]},"2900":{"position":[[170,13]]},"2948":{"position":[[1381,13]]}}}],["additionalloggingsources.k3s.enabled=tru",{"_index":899,"t":{"2606":{"position":[[324,41]]}}}],["addon",{"_index":1472,"t":{"2753":{"position":[[334,5],[510,6]]},"2755":{"position":[[68,6],[272,5]]},"2757":{"position":[[79,6],[341,5],[1356,5],[1495,5]]},"2761":{"position":[[4,6],[64,6],[185,6]]},"2763":{"position":[[263,5]]}}}],["addon.k3s.cattle.io",{"_index":1491,"t":{"2757":{"position":[[929,19]]}}}],["addr",{"_index":1428,"t":{"2743":{"position":[[899,4]]}}}],["address",{"_index":151,"t":{"2508":{"position":[[71,7],[142,7]]},"2518":{"position":[[2687,9],[2785,9]]},"2618":{"position":[[512,7]]},"2657":{"position":[[32,7],[63,7],[132,7],[176,7],[402,9]]},"2663":{"position":[[697,9],[1281,10],[1630,10],[1887,10]]},"2675":{"position":[[700,7],[734,7],[844,7],[874,7],[1176,9],[2239,9],[7752,9],[7850,9]]},"2719":{"position":[[705,7],[945,8]]},"2727":{"position":[[644,9]]},"2841":{"position":[[111,10]]},"2870":{"position":[[878,10]]},"2874":{"position":[[1227,9],[1253,7],[1353,9],[1892,7],[1945,9]]},"2886":{"position":[[348,7],[521,7]]},"2896":{"position":[[217,7]]},"2912":{"position":[[36,7]]},"2944":{"position":[[1153,9]]},"2952":{"position":[[208,9],[1796,7],[1817,8],[1882,7]]},"3014":{"position":[[149,7]]},"3032":{"position":[[209,9]]},"3114":{"position":[[854,7],[1136,7],[1418,7],[1700,7],[1982,7],[2264,7],[2546,7]]},"3116":{"position":[[835,7],[1117,7],[1399,7],[1681,7],[1963,7],[2245,7],[2527,7]]},"3120":{"position":[[1842,7]]},"3122":{"position":[[1790,7]]},"3124":{"position":[[1659,7]]},"3126":{"position":[[1608,7]]},"3128":{"position":[[1621,7]]},"3130":{"position":[[1734,7]]},"3132":{"position":[[1695,7]]},"3134":{"position":[[848,7],[1130,7],[1412,7],[1694,7],[1976,7],[2258,7],[2540,7]]},"3136":{"position":[[1768,7]]},"3138":{"position":[[1749,7]]},"3140":{"position":[[1645,7]]},"3142":{"position":[[1761,7]]},"3144":{"position":[[1626,7]]},"3146":{"position":[[1541,7]]},"3156":{"position":[[1716,7]]},"3162":{"position":[[1758,7]]},"3164":{"position":[[1674,7]]},"3166":{"position":[[1680,7]]},"3187":{"position":[[202,7],[297,8],[328,8],[820,7],[1102,7],[1384,7],[1666,7],[1948,7],[2230,7],[2512,7]]},"3192":{"position":[[184,7],[303,8],[337,8],[381,8]]},"3239":{"position":[[2025,7]]},"3241":{"position":[[2039,7]]},"3243":{"position":[[2154,7]]}}}],["address:6443",{"_index":1391,"t":{"2731":{"position":[[495,12]]}}}],["address=0.0.0.0",{"_index":2490,"t":{"3030":{"position":[[3047,15]]},"3245":{"position":[[774,15],[1997,15]]},"3257":{"position":[[965,15],[2188,15]]}}}],["address=127.0.0.1",{"_index":2439,"t":{"3030":{"position":[[326,17],[2268,17],[2320,17],[2864,17],[2889,17],[3809,17]]},"3120":{"position":[[995,17]]},"3122":{"position":[[943,17]]},"3124":{"position":[[812,17]]},"3126":{"position":[[761,17]]},"3128":{"position":[[774,17]]},"3130":{"position":[[887,17]]},"3132":{"position":[[848,17]]},"3136":{"position":[[921,17]]},"3138":{"position":[[902,17]]},"3140":{"position":[[798,17]]},"3142":{"position":[[914,17]]},"3144":{"position":[[779,17]]},"3146":{"position":[[694,17]]},"3156":{"position":[[869,17]]},"3162":{"position":[[911,17],[3052,17]]},"3164":{"position":[[827,17]]},"3166":{"position":[[833,17]]},"3177":{"position":[[723,17]]},"3179":{"position":[[791,17]]},"3181":{"position":[[876,17]]},"3183":{"position":[[772,17]]},"3190":{"position":[[644,17]]},"3192":{"position":[[718,17]]},"3239":{"position":[[1178,17]]},"3241":{"position":[[1192,17]]},"3243":{"position":[[1307,17]]},"3245":{"position":[[1326,17],[2549,17]]},"3257":{"position":[[1517,17],[2740,17]]}}}],["address=172.31.0.140",{"_index":2694,"t":{"3120":{"position":[[802,20]]},"3122":{"position":[[750,20]]},"3124":{"position":[[619,20]]},"3126":{"position":[[568,20]]},"3128":{"position":[[581,20]]},"3130":{"position":[[694,20]]},"3132":{"position":[[655,20]]},"3136":{"position":[[728,20]]},"3138":{"position":[[709,20]]},"3140":{"position":[[605,20]]},"3142":{"position":[[721,20]]},"3144":{"position":[[586,20]]},"3146":{"position":[[501,20]]},"3156":{"position":[[676,20]]},"3162":{"position":[[718,20]]},"3164":{"position":[[634,20]]},"3166":{"position":[[640,20]]},"3239":{"position":[[985,20]]},"3241":{"position":[[999,20]]},"3243":{"position":[[1114,20]]}}}],["adher",{"_index":1483,"t":{"2757":{"position":[[543,6]]}}}],["adjust",{"_index":2585,"t":{"3065":{"position":[[1866,6]]}}}],["admin",{"_index":419,"t":{"2535":{"position":[[384,6]]},"2652":{"position":[[116,5]]},"2675":{"position":[[2556,5]]},"3266":{"position":[[74,5],[301,5]]}}}],["administr",{"_index":927,"t":{"2614":{"position":[[107,13]]},"2634":{"position":[[143,14]]},"2636":{"position":[[402,13]]},"3038":{"position":[[247,14]]}}}],["admiss",{"_index":1813,"t":{"2864":{"position":[[282,10],[490,10]]},"3014":{"position":[[858,9]]},"3020":{"position":[[537,9]]},"3022":{"position":[[73,10],[1030,9]]},"3028":{"position":[[258,10],[806,9]]},"3030":{"position":[[484,9]]},"3034":{"position":[[16,9],[94,9],[501,9]]},"3036":{"position":[[16,9],[600,9]]},"3116":{"position":[[192,9],[290,9],[333,9]]},"3120":{"position":[[1234,9]]},"3122":{"position":[[1182,9]]},"3124":{"position":[[1051,9]]},"3126":{"position":[[1000,9]]},"3128":{"position":[[1013,9]]},"3130":{"position":[[248,9],[291,9],[453,9],[499,9],[1126,9]]},"3132":{"position":[[172,9],[360,9],[406,9],[466,9],[1087,9]]},"3134":{"position":[[162,9],[228,9],[350,9]]},"3136":{"position":[[162,9],[277,9],[426,9],[472,9],[530,9],[1160,9]]},"3138":{"position":[[261,9],[476,9],[520,9],[1141,9]]},"3140":{"position":[[163,9],[372,9],[416,9],[1037,9]]},"3142":{"position":[[255,9],[334,9],[479,9],[525,9],[1153,9]]},"3144":{"position":[[1018,9]]},"3146":{"position":[[933,9]]},"3156":{"position":[[1108,9]]},"3162":{"position":[[1150,9]]},"3164":{"position":[[1066,9]]},"3166":{"position":[[1072,9]]},"3239":{"position":[[1417,9]]},"3241":{"position":[[1431,9]]},"3243":{"position":[[1546,9]]},"3283":{"position":[[58,9]]},"3285":{"position":[[113,9]]},"3287":{"position":[[113,9]]},"3289":{"position":[[113,9]]},"3291":{"position":[[113,9]]},"3293":{"position":[[113,9]]},"3297":{"position":[[113,9]]},"3301":{"position":[[233,9]]},"3303":{"position":[[113,9]]},"3305":{"position":[[113,9]]},"3307":{"position":[[113,9]]}}}],["admissionconfigur",{"_index":1830,"t":{"2864":{"position":[[1206,22]]},"3022":{"position":[[457,22]]}}}],["advanc",{"_index":1707,"t":{"2819":{"position":[[126,8]]},"2992":{"position":[[421,8]]}}}],["advertis",{"_index":152,"t":{"2508":{"position":[[82,9],[153,9]]},"2518":{"position":[[2700,9],[2798,9]]},"2657":{"position":[[122,9],[207,9],[245,9],[308,9]]},"2675":{"position":[[834,9],[905,9],[979,9],[1039,9],[7765,9],[7863,9]]},"2850":{"position":[[854,10]]},"2954":{"position":[[100,13]]},"3030":{"position":[[189,9]]},"3120":{"position":[[792,9],[825,9]]},"3122":{"position":[[740,9],[773,9]]},"3124":{"position":[[609,9],[642,9]]},"3126":{"position":[[558,9],[591,9]]},"3128":{"position":[[571,9],[604,9]]},"3130":{"position":[[684,9],[717,9]]},"3132":{"position":[[645,9],[678,9]]},"3136":{"position":[[718,9],[751,9]]},"3138":{"position":[[699,9],[732,9]]},"3140":{"position":[[595,9],[628,9]]},"3142":{"position":[[711,9],[744,9]]},"3144":{"position":[[576,9],[609,9]]},"3146":{"position":[[491,9],[524,9]]},"3156":{"position":[[666,9],[699,9]]},"3162":{"position":[[708,9],[741,9]]},"3164":{"position":[[624,9],[657,9]]},"3166":{"position":[[630,9],[663,9]]},"3239":{"position":[[975,9],[1008,9]]},"3241":{"position":[[989,9],[1022,9]]},"3243":{"position":[[1104,9],[1137,9]]}}}],["ae",{"_index":384,"t":{"2530":{"position":[[361,3],[673,3],[712,3],[1752,3]]},"2960":{"position":[[169,3]]}}}],["ae6c58cab4a7",{"_index":653,"t":{"2562":{"position":[[1850,12]]}}}],["aes256",{"_index":434,"t":{"2537":{"position":[[552,6]]}}}],["aescbc",{"_index":2222,"t":{"2960":{"position":[[717,9]]},"3052":{"position":[[211,7]]},"3170":{"position":[[122,7],[187,6]]}}}],["aescbckey",{"_index":386,"t":{"2530":{"position":[[369,9],[681,9],[720,9]]},"2960":{"position":[[749,12]]}}}],["affect",{"_index":1529,"t":{"2763":{"position":[[1081,8]]},"3038":{"position":[[210,8]]}}}],["aforement",{"_index":2051,"t":{"2908":{"position":[[2376,14]]}}}],["ag",{"_index":601,"t":{"2562":{"position":[[576,3]]},"2622":{"position":[[1622,3],[3057,3]]},"2624":{"position":[[1109,3]]},"2685":{"position":[[706,3]]},"2763":{"position":[[771,3]]},"2813":{"position":[[504,3]]}}}],["again",{"_index":184,"t":{"2516":{"position":[[247,5]]},"2520":{"position":[[1164,5],[1750,6],[1801,5]]},"2641":{"position":[[844,6]]},"2748":{"position":[[491,5]]},"2821":{"position":[[1970,5]]}}}],["against",{"_index":1370,"t":{"2727":{"position":[[35,8]]},"2781":{"position":[[160,7]]},"2992":{"position":[[1937,7]]},"3002":{"position":[[1083,7]]},"3065":{"position":[[276,7],[921,7]]}}}],["agent",{"_index":10,"t":{"2484":{"position":[[248,5],[371,5]]},"2486":{"position":[[215,5]]},"2494":{"position":[[13,5]]},"2496":{"position":[[55,6],[92,6]]},"2516":{"position":[[4,6]]},"2518":{"position":[[157,5],[174,5],[191,5]]},"2541":{"position":[[2287,7]]},"2543":{"position":[[2111,7]]},"2545":{"position":[[1430,6]]},"2570":{"position":[[28,5]]},"2582":{"position":[[165,8]]},"2584":{"position":[[212,7]]},"2620":{"position":[[537,5],[559,5],[581,5]]},"2622":{"position":[[1294,5],[1303,5],[1316,5],[1451,5],[1634,5],[1672,5],[1710,5],[2731,5],[2740,5],[2753,5],[2888,5],[3069,5],[3107,5],[3145,5]]},"2624":{"position":[[783,5],[792,5],[805,5],[940,5],[1121,5],[1159,5],[1197,5]]},"2634":{"position":[[220,5],[228,5]]},"2636":{"position":[[254,5]]},"2638":{"position":[[16,5],[65,5],[220,5],[325,5],[416,5]]},"2640":{"position":[[266,5],[332,7]]},"2643":{"position":[[93,6],[154,5]]},"2645":{"position":[[251,5]]},"2650":{"position":[[111,5],[207,5],[268,6],[309,5],[373,5]]},"2663":{"position":[[848,7],[923,5],[990,7],[1045,7],[1166,6],[1192,5],[1323,7],[1450,5],[1557,5],[1703,5],[1810,5]]},"2671":{"position":[[228,5]]},"2675":{"position":[[2318,8],[2366,8],[2774,5],[2881,5],[2936,6],[2996,5],[3049,5]]},"2719":{"position":[[525,5],[766,5],[898,6],[1094,5],[1180,5]]},"2727":{"position":[[0,5]]},"2731":{"position":[[139,5],[212,5],[249,5],[301,5],[378,5],[453,5]]},"2745":{"position":[[264,7],[297,5]]},"2793":{"position":[[274,6],[341,6],[426,5],[515,6]]},"2797":{"position":[[124,6]]},"2819":{"position":[[180,5]]},"2821":{"position":[[1295,6],[1665,5],[1784,5]]},"2823":{"position":[[702,5],[745,5],[915,6],[934,5]]},"2835":{"position":[[25,5],[61,5]]},"2868":{"position":[[659,6]]},"2870":{"position":[[450,7],[638,5],[696,5]]},"2908":{"position":[[1510,8],[1711,6],[1739,6],[2698,8],[2724,6]]},"2910":{"position":[[340,5],[422,5],[601,5],[660,5],[895,5],[905,5],[968,6]]},"2912":{"position":[[305,5],[489,7]]},"2914":{"position":[[519,6]]},"2916":{"position":[[574,5]]},"2920":{"position":[[98,6],[165,6]]},"2924":{"position":[[87,6]]},"2928":{"position":[[68,5],[157,6]]},"2930":{"position":[[737,5],[1197,5]]},"2932":{"position":[[115,5],[308,5]]},"2944":{"position":[[831,7]]},"2950":{"position":[[4,6],[163,5],[218,6],[409,5],[621,6],[965,5],[1132,7],[1244,5],[1280,5],[1490,5],[1600,5],[1772,5],[1851,5],[1961,5]]},"2952":{"position":[[415,7]]},"2992":{"position":[[1374,5]]},"2996":{"position":[[124,5],[758,5],[829,5],[1536,5],[1555,5],[1660,5]]},"3000":{"position":[[185,5]]},"3008":{"position":[[154,6],[198,5],[276,6],[310,5]]}}}],["agent'",{"_index":1405,"t":{"2738":{"position":[[566,7]]}}}],["agent.service.env",{"_index":582,"t":{"2560":{"position":[[364,17]]}}}],["agent/data",{"_index":205,"t":{"2518":{"position":[[939,12]]}}}],["agent/flag",{"_index":221,"t":{"2518":{"position":[[3158,13],[3231,13]]},"2675":{"position":[[8223,13],[8296,13]]}}}],["agent/network",{"_index":219,"t":{"2518":{"position":[[2658,18],[2744,18],[2837,18],[2922,18],[2997,18],[3078,18]]},"2675":{"position":[[7723,18],[7809,18],[7902,18],[7987,18],[8062,18],[8143,18]]}}}],["agent/nod",{"_index":206,"t":{"2518":{"position":[[1025,12],[1080,12],[1135,12],[1219,12],[1313,12],[1500,12],[1639,12],[1719,12],[1993,12]]},"2675":{"position":[[6354,12],[6409,12],[6464,12],[6548,12],[6642,12],[6829,12],[8375,12],[8745,12],[8825,12]]}}}],["agent/runtim",{"_index":214,"t":{"2518":{"position":[[2135,15],[2298,15],[2430,15],[2534,15],[3421,15]]},"2675":{"position":[[6967,15],[7071,15],[7234,15],[7366,15],[7470,15],[7600,15]]}}}],["agent_external_ip",{"_index":1876,"t":{"2870":{"position":[[579,17],[917,17]]}}}],["agentless",{"_index":1192,"t":{"2671":{"position":[[247,9]]},"2950":{"position":[[678,9]]}}}],["aggreg",{"_index":2698,"t":{"3120":{"position":[[1277,10]]},"3122":{"position":[[1225,10]]},"3124":{"position":[[1094,10]]},"3126":{"position":[[1043,10]]},"3128":{"position":[[1056,10]]},"3130":{"position":[[1169,10]]},"3132":{"position":[[1130,10]]},"3136":{"position":[[1203,10]]},"3138":{"position":[[1184,10]]},"3140":{"position":[[1080,10]]},"3142":{"position":[[1196,10]]},"3144":{"position":[[1061,10]]},"3146":{"position":[[976,10]]},"3156":{"position":[[1151,10]]},"3162":{"position":[[1193,10]]},"3164":{"position":[[1109,10]]},"3166":{"position":[[1115,10]]},"3239":{"position":[[1460,10]]},"3241":{"position":[[1474,10]]},"3243":{"position":[[1589,10]]}}}],["ago",{"_index":626,"t":{"2562":{"position":[[1076,3],[1240,3],[1423,3],[1588,3],[1744,3],[1914,3],[2112,3],[2300,3],[2464,3],[2624,3]]}}}],["air",{"_index":1279,"t":{"2709":{"position":[[441,3]]},"2733":{"position":[[26,3],[81,3]]},"2736":{"position":[[58,3]]},"2738":{"position":[[58,3]]},"2743":{"position":[[314,3],[448,3],[1513,3],[1535,3]]},"2745":{"position":[[1397,3]]},"2748":{"position":[[13,3],[95,3]]},"2750":{"position":[[51,3]]},"2769":{"position":[[1304,3]]},"2839":{"position":[[579,3]]},"2852":{"position":[[102,3]]}}}],["airgap",{"_index":1399,"t":{"2736":{"position":[[494,6]]},"2738":{"position":[[394,6],[708,6],[807,6]]},"2740":{"position":[[500,6]]},"2743":{"position":[[256,6]]}}}],["al.(https://www.usenix.org/conference/fast16/techn",{"_index":864,"t":{"2602":{"position":[[64,54]]}}}],["alice=bob:noexecut",{"_index":1762,"t":{"2827":{"position":[[686,19],[969,19]]}}}],["alloc",{"_index":1918,"t":{"2874":{"position":[[1214,9]]},"2950":{"position":[[1749,11]]},"3030":{"position":[[2288,8]]},"3177":{"position":[[526,8]]},"3179":{"position":[[594,8]]},"3181":{"position":[[679,8]]},"3183":{"position":[[575,8]]}}}],["allow",{"_index":334,"t":{"2520":{"position":[[4852,6]]},"2591":{"position":[[94,5],[124,5],[165,5]]},"2618":{"position":[[290,6]]},"2652":{"position":[[333,5]]},"2663":{"position":[[1239,5],[1588,5],[1845,5]]},"2719":{"position":[[760,5]]},"2725":{"position":[[1377,5]]},"2791":{"position":[[1145,5],[1175,5],[1216,5]]},"2797":{"position":[[646,8]]},"2803":{"position":[[212,6]]},"2837":{"position":[[236,6]]},"2843":{"position":[[34,6]]},"2845":{"position":[[403,5],[533,5]]},"2850":{"position":[[572,5]]},"2870":{"position":[[815,5]]},"2884":{"position":[[209,6]]},"2890":{"position":[[119,5]]},"2936":{"position":[[215,8]]},"2948":{"position":[[398,7],[781,7]]},"2950":{"position":[[211,6]]},"2952":{"position":[[1336,5]]},"2998":{"position":[[3,5]]},"3022":{"position":[[2272,6]]},"3024":{"position":[[578,8],[623,5],[1035,5],[1361,5],[1575,5],[1816,5],[2044,5],[2258,5],[2499,5]]},"3030":{"position":[[211,5],[1273,7]]},"3046":{"position":[[115,6]]},"3048":{"position":[[308,6]]},"3120":{"position":[[847,5],[2078,7]]},"3122":{"position":[[795,5],[2026,7]]},"3124":{"position":[[664,5],[1895,7]]},"3126":{"position":[[613,5],[1844,7]]},"3128":{"position":[[626,5],[1857,7]]},"3130":{"position":[[739,5],[1970,7]]},"3132":{"position":[[700,5],[1931,7]]},"3136":{"position":[[773,5],[2004,7]]},"3138":{"position":[[754,5],[1985,7]]},"3140":{"position":[[650,5],[1881,7]]},"3142":{"position":[[766,5],[1997,7]]},"3144":{"position":[[631,5],[1862,7]]},"3146":{"position":[[546,5],[1777,7]]},"3156":{"position":[[721,5],[1952,7]]},"3162":{"position":[[763,5],[1994,7]]},"3164":{"position":[[679,5],[1910,7]]},"3166":{"position":[[685,5],[1916,7]]},"3239":{"position":[[1030,5],[2261,7]]},"3241":{"position":[[1044,5],[2275,7]]},"3243":{"position":[[1159,5],[2390,7]]},"3329":{"position":[[64,5]]}}}],["allow_ip_forward",{"_index":2179,"t":{"2948":{"position":[[478,22],[861,22]]}}}],["allowedcap",{"_index":2378,"t":{"3022":{"position":[[3312,20],[3751,20]]},"3299":{"position":[[38,19]]}}}],["allowedunsafesysctl",{"_index":2380,"t":{"3022":{"position":[[3784,21]]}}}],["allowprivilegeescal",{"_index":2352,"t":{"3022":{"position":[[1481,25],[2654,25],[3281,25],[3719,25]]}}}],["along",{"_index":1544,"t":{"2769":{"position":[[1201,5]]},"3032":{"position":[[100,5]]}}}],["alongsid",{"_index":945,"t":{"2618":{"position":[[668,9]]},"2636":{"position":[[803,9]]}}}],["alphabet",{"_index":1753,"t":{"2827":{"position":[[206,12]]}}}],["alphanumer",{"_index":1499,"t":{"2757":{"position":[[1088,12],[1156,12]]}}}],["alpin",{"_index":2244,"t":{"2978":{"position":[[130,6]]},"2984":{"position":[[130,6]]}}}],["alreadi",{"_index":1250,"t":{"2687":{"position":[[362,8]]},"2729":{"position":[[272,7]]},"2736":{"position":[[28,7]]},"2738":{"position":[[28,7]]},"2763":{"position":[[273,7],[975,7]]},"2829":{"position":[[375,7]]},"2874":{"position":[[2494,7]]},"2908":{"position":[[604,7]]},"3136":{"position":[[250,7]]},"3158":{"position":[[145,8]]}}}],["alsologtostderr",{"_index":86,"t":{"2498":{"position":[[213,15]]},"2518":{"position":[[609,15]]},"2655":{"position":[[244,15]]},"2675":{"position":[[620,15]]}}}],["alter",{"_index":1475,"t":{"2755":{"position":[[374,8]]},"2821":{"position":[[497,7]]}}}],["altern",{"_index":1165,"t":{"2657":{"position":[[423,11]]},"2675":{"position":[[1197,11]]},"2727":{"position":[[1009,11]]},"2996":{"position":[[1825,14]]},"3114":{"position":[[65,9]]},"3156":{"position":[[200,14]]},"3210":{"position":[[26,11]]},"3310":{"position":[[167,9]]}}}],["altogeth",{"_index":2823,"t":{"3259":{"position":[[138,10]]}}}],["alway",{"_index":1075,"t":{"2636":{"position":[[130,6]]},"2769":{"position":[[90,6]]},"2803":{"position":[[95,6]]},"2874":{"position":[[393,6]]},"2952":{"position":[[1850,6]]},"2996":{"position":[[2186,6]]}}}],["alwaysadmit",{"_index":2710,"t":{"3132":{"position":[[244,12],[439,13]]}}}],["alwaysallow",{"_index":2705,"t":{"3124":{"position":[[205,12],[450,13]]},"3241":{"position":[[801,13]]}}}],["alwayspullimag",{"_index":2711,"t":{"3134":{"position":[[201,17]]}}}],["amazon",{"_index":1966,"t":{"2884":{"position":[[437,6]]}}}],["amd64.tar.gz",{"_index":695,"t":{"2564":{"position":[[261,13]]}}}],["amd64.tar.zst",{"_index":1400,"t":{"2736":{"position":[[508,13]]},"2738":{"position":[[722,13],[821,13]]}}}],["amount",{"_index":2077,"t":{"2912":{"position":[[137,6],[359,6]]}}}],["analysi",{"_index":1638,"t":{"2793":{"position":[[365,8]]},"2910":{"position":[[911,8]]},"3042":{"position":[[458,9]]},"3044":{"position":[[444,9]]}}}],["and/or",{"_index":178,"t":{"2516":{"position":[[153,6]]},"2539":{"position":[[2285,6],[2665,6],[2731,6]]},"2775":{"position":[[118,6]]},"2811":{"position":[[293,6]]},"2845":{"position":[[203,6]]},"2932":{"position":[[610,6]]}}}],["annot",{"_index":2376,"t":{"3022":{"position":[[3200,12],[3638,12]]}}}],["anonym",{"_index":2434,"t":{"3030":{"position":[[235,9],[3065,9]]},"3112":{"position":[[172,9],[288,10]]},"3120":{"position":[[871,9]]},"3122":{"position":[[819,9]]},"3124":{"position":[[688,9]]},"3126":{"position":[[637,9]]},"3128":{"position":[[650,9]]},"3130":{"position":[[763,9]]},"3132":{"position":[[724,9]]},"3136":{"position":[[797,9]]},"3138":{"position":[[778,9]]},"3140":{"position":[[674,9]]},"3142":{"position":[[790,9]]},"3144":{"position":[[655,9]]},"3146":{"position":[[570,9]]},"3156":{"position":[[745,9]]},"3162":{"position":[[787,9]]},"3164":{"position":[[703,9]]},"3166":{"position":[[709,9]]},"3239":{"position":[[95,10],[327,9],[678,10],[724,9],[771,9],[825,9],[1054,9]]},"3241":{"position":[[1068,9]]},"3243":{"position":[[1183,9]]},"3245":{"position":[[792,9],[2015,9]]},"3257":{"position":[[983,9],[2206,9]]}}}],["anoth",{"_index":387,"t":{"2530":{"position":[[379,7]]},"2773":{"position":[[407,7]]},"2892":{"position":[[600,7]]},"2938":{"position":[[0,7]]},"2940":{"position":[[0,7]]},"2996":{"position":[[2545,7]]},"3089":{"position":[[1593,7]]},"3160":{"position":[[1723,7]]},"3195":{"position":[[1617,7]]},"3197":{"position":[[1506,7]]},"3199":{"position":[[1531,7]]},"3201":{"position":[[1683,7]]},"3203":{"position":[[1509,7]]},"3205":{"position":[[1541,7]]},"3207":{"position":[[1640,7]]}}}],["ansibl",{"_index":2139,"t":{"2936":{"position":[[74,8],[109,7],[141,7]]}}}],["anyon",{"_index":1077,"t":{"2636":{"position":[[342,6]]},"2795":{"position":[[923,7]]}}}],["anywher",{"_index":1418,"t":{"2743":{"position":[[431,8]]}}}],["apach",{"_index":1293,"t":{"2713":{"position":[[389,6],[473,6]]}}}],["api",{"_index":38,"t":{"2488":{"position":[[123,4]]},"2490":{"position":[[151,4]]},"2492":{"position":[[58,4]]},"2520":{"position":[[2593,3],[2706,5]]},"2535":{"position":[[391,3]]},"2537":{"position":[[776,3]]},"2618":{"position":[[584,3]]},"2719":{"position":[[471,3]]},"2727":{"position":[[714,4]]},"2797":{"position":[[169,3]]},"2848":{"position":[[41,3]]},"2930":{"position":[[107,3]]},"3002":{"position":[[762,4]]},"3020":{"position":[[130,3]]},"3026":{"position":[[80,3],[673,3],[851,3]]},"3030":{"position":[[266,3]]},"3038":{"position":[[92,3]]},"3046":{"position":[[136,3],[495,3]]},"3050":{"position":[[211,3]]},"3060":{"position":[[247,3]]},"3112":{"position":[[35,3]]},"3114":{"position":[[121,3]]},"3116":{"position":[[35,3]]},"3118":{"position":[[45,3]]},"3120":{"position":[[139,3],[894,3]]},"3122":{"position":[[142,3],[842,3]]},"3124":{"position":[[35,3],[711,3]]},"3126":{"position":[[35,3],[660,3]]},"3128":{"position":[[35,3],[673,3]]},"3130":{"position":[[129,3],[786,3]]},"3132":{"position":[[35,3],[747,3]]},"3134":{"position":[[35,3]]},"3136":{"position":[[35,3],[820,3]]},"3138":{"position":[[125,3],[801,3]]},"3140":{"position":[[35,3],[697,3]]},"3142":{"position":[[128,3],[813,3]]},"3144":{"position":[[35,3],[678,3]]},"3146":{"position":[[35,3],[593,3]]},"3148":{"position":[[45,3]]},"3150":{"position":[[45,3]]},"3152":{"position":[[45,3]]},"3154":{"position":[[45,3]]},"3156":{"position":[[35,3],[768,3]]},"3158":{"position":[[79,3],[284,3]]},"3160":{"position":[[139,3]]},"3162":{"position":[[125,3],[810,3]]},"3164":{"position":[[125,3],[726,3]]},"3166":{"position":[[139,3],[732,3]]},"3168":{"position":[[116,3]]},"3172":{"position":[[35,3]]},"3239":{"position":[[1077,3]]},"3241":{"position":[[1091,3]]},"3243":{"position":[[1206,3]]},"3274":{"position":[[133,3]]}}}],["apigroup",{"_index":2385,"t":{"3022":{"position":[[4106,10],[4320,10],[4529,10],[4740,9],[4870,9],[5042,9],[5142,9],[5365,9],[5465,9],[5675,9]]}}}],["apiserv",{"_index":5,"t":{"2484":{"position":[[109,10],[439,10]]},"2504":{"position":[[546,9],[641,9]]},"2518":{"position":[[1802,9],[1897,9]]},"2589":{"position":[[139,10]]},"2591":{"position":[[109,10]]},"2657":{"position":[[189,9],[290,9]]},"2663":{"position":[[900,9],[1060,9],[1177,9],[1338,9],[1435,9],[1688,9]]},"2669":{"position":[[74,9],[119,9]]},"2675":{"position":[[887,9],[1021,9],[3455,9],[3508,9],[8908,9],[9003,9]]},"2713":{"position":[[1523,10]]},"2791":{"position":[[376,10],[1160,10]]},"2809":{"position":[[97,10]]},"2811":{"position":[[172,9]]},"2815":{"position":[[207,9]]},"2817":{"position":[[273,10]]},"2864":{"position":[[202,9],[473,9]]},"2950":{"position":[[147,11],[721,9],[942,9],[1147,9],[1265,9],[1410,9],[1475,9],[1836,9]]},"3022":{"position":[[194,9],[1008,9]]},"3026":{"position":[[873,9],[954,9],[1212,9],[1295,9]]},"3028":{"position":[[241,9],[781,9]]},"3030":{"position":[[177,9]]},"3034":{"position":[[544,9]]},"3036":{"position":[[643,9]]},"3038":{"position":[[526,9]]},"3040":{"position":[[366,9]]},"3042":{"position":[[541,9]]},"3044":{"position":[[527,9]]},"3046":{"position":[[751,9]]},"3048":{"position":[[132,9],[542,9]]},"3054":{"position":[[618,9]]},"3058":{"position":[[669,9]]},"3089":{"position":[[796,10]]},"3112":{"position":[[259,10]]},"3120":{"position":[[104,9],[489,10],[780,9]]},"3122":{"position":[[103,9],[472,10],[728,9]]},"3124":{"position":[[346,10],[597,9]]},"3126":{"position":[[312,10],[546,9]]},"3128":{"position":[[325,10],[559,9]]},"3130":{"position":[[416,10],[672,9]]},"3132":{"position":[[323,10],[633,9]]},"3136":{"position":[[389,10],[706,9]]},"3138":{"position":[[411,10],[687,9]]},"3140":{"position":[[307,10],[583,9]]},"3142":{"position":[[442,10],[699,9]]},"3144":{"position":[[303,10],[564,9]]},"3146":{"position":[[254,10],[479,9]]},"3156":{"position":[[384,10],[654,9]]},"3160":{"position":[[104,9],[926,10]]},"3162":{"position":[[99,10],[455,10],[696,9]]},"3164":{"position":[[99,10],[386,10],[612,9]]},"3166":{"position":[[104,9],[398,10],[618,9]]},"3168":{"position":[[440,10]]},"3172":{"position":[[992,10]]},"3177":{"position":[[859,9],[955,9]]},"3179":{"position":[[927,9],[1023,9]]},"3181":{"position":[[1012,9],[1108,9]]},"3183":{"position":[[908,9],[1004,9]]},"3195":{"position":[[820,10]]},"3197":{"position":[[709,10]]},"3199":{"position":[[734,10]]},"3201":{"position":[[886,10]]},"3203":{"position":[[712,10]]},"3205":{"position":[[744,10]]},"3207":{"position":[[843,10]]},"3213":{"position":[[138,10]]},"3239":{"position":[[558,10],[649,10],[963,9]]},"3241":{"position":[[544,10],[635,10],[977,9]]},"3243":{"position":[[600,10],[691,10],[1092,9]]}}}],["apiserver'",{"_index":2191,"t":{"2950":{"position":[[558,11]]}}}],["apiserver.config.k8s.io/v1",{"_index":1829,"t":{"2864":{"position":[[1173,26]]},"2960":{"position":[[625,29]]},"3022":{"position":[[424,26]]}}}],["apiserver.crt",{"_index":2454,"t":{"3030":{"position":[[980,13],[1876,13]]},"3120":{"position":[[1729,13],[2742,13]]},"3122":{"position":[[1677,13],[2690,13]]},"3124":{"position":[[1546,13],[2559,13]]},"3126":{"position":[[1495,13],[2508,13]]},"3128":{"position":[[1508,13],[2521,13]]},"3130":{"position":[[1621,13],[2634,13]]},"3132":{"position":[[1582,13],[2595,13]]},"3136":{"position":[[1655,13],[2668,13]]},"3138":{"position":[[1636,13],[2649,13]]},"3140":{"position":[[1532,13],[2545,13]]},"3142":{"position":[[1648,13],[2661,13]]},"3144":{"position":[[1513,13],[2526,13]]},"3146":{"position":[[1428,13],[2441,13]]},"3156":{"position":[[1603,13],[2616,13]]},"3162":{"position":[[1645,13],[2658,13]]},"3164":{"position":[[1561,13],[2574,13]]},"3166":{"position":[[1567,13],[2580,13]]},"3239":{"position":[[1912,13],[2925,13]]},"3241":{"position":[[1926,13],[2939,13]]},"3243":{"position":[[2041,13],[3054,13]]}}}],["apiserver.key",{"_index":2456,"t":{"3030":{"position":[[1059,13],[1967,13]]},"3120":{"position":[[1808,13],[2824,14]]},"3122":{"position":[[1756,13],[2772,14]]},"3124":{"position":[[1625,13],[2641,14]]},"3126":{"position":[[1574,13],[2590,14]]},"3128":{"position":[[1587,13],[2603,14]]},"3130":{"position":[[1700,13],[2716,14]]},"3132":{"position":[[1661,13],[2677,14]]},"3136":{"position":[[1734,13],[2750,14]]},"3138":{"position":[[1715,13],[2731,14]]},"3140":{"position":[[1611,13],[2627,14]]},"3142":{"position":[[1727,13],[2743,14]]},"3144":{"position":[[1592,13],[2608,14]]},"3146":{"position":[[1507,13],[2523,14]]},"3156":{"position":[[1682,13],[2698,14]]},"3162":{"position":[[1724,13],[2740,14]]},"3164":{"position":[[1640,13],[2656,14]]},"3166":{"position":[[1646,13],[2662,14]]},"3239":{"position":[[1991,13],[3007,14]]},"3241":{"position":[[2005,13],[3021,14]]},"3243":{"position":[[2120,13],[3136,14]]}}}],["apiserver.yaml",{"_index":2590,"t":{"3069":{"position":[[183,14]]},"3071":{"position":[[189,14]]},"3112":{"position":[[100,14]]},"3114":{"position":[[186,14]]},"3116":{"position":[[100,14]]},"3118":{"position":[[110,14]]},"3120":{"position":[[204,14]]},"3122":{"position":[[207,14]]},"3124":{"position":[[100,14]]},"3126":{"position":[[100,14]]},"3128":{"position":[[100,14]]},"3130":{"position":[[194,14]]},"3132":{"position":[[100,14]]},"3134":{"position":[[100,14]]},"3136":{"position":[[100,14]]},"3138":{"position":[[190,14]]},"3140":{"position":[[100,14]]},"3142":{"position":[[193,14]]},"3144":{"position":[[100,14]]},"3146":{"position":[[100,14]]},"3148":{"position":[[110,14]]},"3150":{"position":[[110,14]]},"3152":{"position":[[110,14]]},"3154":{"position":[[110,14]]},"3156":{"position":[[100,14]]},"3160":{"position":[[204,14]]},"3162":{"position":[[190,14]]},"3164":{"position":[[190,14]]},"3166":{"position":[[204,14]]},"3168":{"position":[[181,14]]},"3172":{"position":[[100,14]]}}}],["apivers",{"_index":723,"t":{"2568":{"position":[[613,11],[702,11]]},"2604":{"position":[[280,11]]},"2713":{"position":[[272,11],[327,11]]},"2715":{"position":[[463,11]]},"2864":{"position":[[1161,11],[1273,11],[1730,11]]},"2960":{"position":[[611,13]]},"2976":{"position":[[0,11]]},"2978":{"position":[[0,11]]},"2982":{"position":[[0,11]]},"2984":{"position":[[0,11]]},"2996":{"position":[[420,11],[769,11],[2253,11]]},"3022":{"position":[[412,11],[524,11],[1361,11],[2548,11],[3109,11],[3561,11],[4003,11],[4208,11],[4431,11],[4626,11],[4910,11],[5213,11],[5546,11],[5818,11],[6021,11],[6216,11]]},"3024":{"position":[[331,11],[659,11],[1292,11],[1506,11],[1747,11],[1975,11],[2189,11],[2430,11]]},"3026":{"position":[[730,11]]}}}],["app",{"_index":1346,"t":{"2719":{"position":[[569,4]]},"2731":{"position":[[188,4]]},"2914":{"position":[[146,3],[369,4]]},"2930":{"position":[[437,4]]},"3024":{"position":[[882,4],[1445,4],[2128,4],[2585,4]]}}}],["app.kubernetes.io/nam",{"_index":2411,"t":{"3024":{"position":[[1902,23]]}}}],["appear",{"_index":195,"t":{"2518":{"position":[[13,7]]},"2675":{"position":[[13,7]]},"2781":{"position":[[200,6]]},"2852":{"position":[[354,6]]}}}],["append",{"_index":108,"t":{"2504":{"position":[[99,6]]},"2518":{"position":[[1093,6]]},"2545":{"position":[[938,6]]},"2675":{"position":[[6422,6]]},"2787":{"position":[[188,6]]},"2791":{"position":[[1710,9]]},"2827":{"position":[[300,8],[323,6]]},"2872":{"position":[[437,6],[1062,9]]}}}],["appli",{"_index":1470,"t":{"2753":{"position":[[149,6],[427,8]]},"2769":{"position":[[1485,7]]},"2944":{"position":[[946,5],[1012,7],[1233,7]]},"2948":{"position":[[508,5],[555,7],[891,5],[939,7]]},"2980":{"position":[[174,5]]},"2992":{"position":[[1794,8]]},"2994":{"position":[[226,5],[492,8]]},"3002":{"position":[[940,8]]},"3014":{"position":[[273,7],[946,8]]},"3022":{"position":[[1233,7]]},"3024":{"position":[[55,7],[519,7]]},"3327":{"position":[[66,5]]}}}],["applic",{"_index":1946,"t":{"2880":{"position":[[173,13]]},"2930":{"position":[[534,13]]},"2934":{"position":[[235,13]]},"3065":{"position":[[1263,10],[1295,10]]},"3069":{"position":[[12,10]]},"3071":{"position":[[12,10]]},"3073":{"position":[[12,10]]},"3075":{"position":[[12,10]]},"3077":{"position":[[12,10]]},"3079":{"position":[[12,10]]},"3081":{"position":[[12,10]]},"3083":{"position":[[12,10]]},"3085":{"position":[[12,10]]},"3087":{"position":[[12,10]]},"3091":{"position":[[12,10]]},"3093":{"position":[[12,10]]},"3118":{"position":[[12,10]]},"3148":{"position":[[12,10]]},"3150":{"position":[[12,10]]},"3152":{"position":[[12,10]]},"3154":{"position":[[12,10]]},"3158":{"position":[[12,10]]},"3185":{"position":[[12,10]]},"3218":{"position":[[12,10]]},"3220":{"position":[[12,10]]},"3234":{"position":[[12,10]]},"3236":{"position":[[12,10]]},"3249":{"position":[[12,10]]},"3251":{"position":[[12,10]]},"3253":{"position":[[12,10]]},"3259":{"position":[[12,10]]},"3261":{"position":[[12,10]]},"3301":{"position":[[60,12],[125,12]]},"3315":{"position":[[47,11]]}}}],["approach",{"_index":1378,"t":{"2727":{"position":[[555,11]]},"2992":{"position":[[107,8]]}}}],["appropri",{"_index":466,"t":{"2539":{"position":[[212,11]]},"2738":{"position":[[277,11]]},"2743":{"position":[[1234,11]]},"2872":{"position":[[1222,11]]},"2944":{"position":[[671,11]]},"2992":{"position":[[371,11]]},"3014":{"position":[[825,11],[955,11]]},"3038":{"position":[[425,11]]},"3040":{"position":[[63,12]]},"3042":{"position":[[66,12]]},"3044":{"position":[[65,12]]},"3046":{"position":[[53,12],[183,11],[607,11]]},"3050":{"position":[[64,12]]},"3052":{"position":[[37,13],[147,11],[254,11]]},"3054":{"position":[[65,12],[485,11]]},"3150":{"position":[[207,11]]},"3152":{"position":[[210,11]]},"3154":{"position":[[199,11]]},"3158":{"position":[[489,11]]},"3175":{"position":[[206,11]]},"3201":{"position":[[101,11]]},"3255":{"position":[[100,11]]},"3329":{"position":[[74,11]]}}}],["approxim",{"_index":2543,"t":{"3042":{"position":[[384,11]]},"3044":{"position":[[370,11]]}}}],["apt",{"_index":713,"t":{"2568":{"position":[[171,3]]},"2593":{"position":[[473,3]]},"2622":{"position":[[398,3]]},"2791":{"position":[[2067,3]]},"2916":{"position":[[150,4]]}}}],["architectur",{"_index":1349,"t":{"2719":{"position":[[876,12]]},"2736":{"position":[[388,12]]},"2738":{"position":[[451,12]]},"2789":{"position":[[35,14]]},"2992":{"position":[[1556,12]]}}}],["archiv",{"_index":1398,"t":{"2736":{"position":[[371,7]]},"2738":{"position":[[434,7],[551,7]]},"2854":{"position":[[282,8]]}}}],["area",{"_index":2328,"t":{"3016":{"position":[[14,5]]},"3215":{"position":[[124,6]]}}}],["arg",{"_index":161,"t":{"2510":{"position":[[27,3],[86,3]]},"2518":{"position":[[3148,3],[3221,3]]},"2568":{"position":[[917,5]]},"2604":{"position":[[438,5]]},"2669":{"position":[[24,3],[84,3],[154,3],[233,3],[327,3],[405,3],[464,3]]},"2675":{"position":[[3465,3],[3533,3],[3610,3],[3697,3],[3790,3],[8213,3],[8286,3]]},"2864":{"position":[[212,3],[268,3],[483,4],[783,4],[872,4]]},"2996":{"position":[[1009,5]]},"3028":{"position":[[251,4],[551,4],[640,4],[791,4],[1117,4],[1206,4]]},"3034":{"position":[[554,4]]},"3036":{"position":[[653,4]]},"3038":{"position":[[536,4]]},"3040":{"position":[[376,4]]},"3042":{"position":[[551,4]]},"3044":{"position":[[537,4]]},"3046":{"position":[[761,4]]},"3048":{"position":[[552,4]]},"3054":{"position":[[628,4]]},"3058":{"position":[[679,4]]}}}],["arg=\"admiss",{"_index":2344,"t":{"3022":{"position":[[204,14]]}}}],["arg=\"en",{"_index":2346,"t":{"3022":{"position":[[1018,11]]}}}],["arg=\"nod",{"_index":2199,"t":{"2952":{"position":[[433,9],[497,9]]}}}],["arg='audit",{"_index":2424,"t":{"3026":{"position":[[883,10],[964,10]]}}}],["arg=audit",{"_index":2425,"t":{"3026":{"position":[[1222,9],[1305,9]]}}}],["argument",{"_index":286,"t":{"2520":{"position":[[2784,9]]},"2526":{"position":[[323,10],[521,9],[1219,10],[1457,9],[1706,9]]},"2528":{"position":[[259,10],[581,9],[1078,10],[1437,9]]},"2641":{"position":[[219,14]]},"2685":{"position":[[930,8]]},"2687":{"position":[[385,9]]},"2745":{"position":[[794,9]]},"2821":{"position":[[396,9],[2278,9]]},"2825":{"position":[[108,10],[467,10],[639,9],[703,9],[872,10],[953,9],[1000,9],[1040,9],[1168,8]]},"3026":{"position":[[834,9]]},"3030":{"position":[[58,9]]},"3034":{"position":[[467,8],[559,8]]},"3036":{"position":[[566,8],[658,8]]},"3038":{"position":[[33,8],[492,8],[541,8]]},"3040":{"position":[[35,8],[332,8],[381,8]]},"3042":{"position":[[38,8],[507,8],[556,8]]},"3044":{"position":[[36,8],[493,8],[542,8]]},"3046":{"position":[[34,8],[717,8],[766,8]]},"3048":{"position":[[41,8],[508,8],[557,8]]},"3050":{"position":[[45,8]]},"3054":{"position":[[46,8],[584,8],[633,8]]},"3058":{"position":[[44,8],[635,8],[684,8]]},"3089":{"position":[[93,8]]},"3091":{"position":[[103,8]]},"3239":{"position":[[144,10]]},"3241":{"position":[[130,10]]},"3243":{"position":[[173,10]]},"3245":{"position":[[120,10]]},"3247":{"position":[[157,10]]},"3249":{"position":[[142,10]]},"3251":{"position":[[143,10],[301,8]]},"3253":{"position":[[175,8]]},"3255":{"position":[[141,10]]},"3257":{"position":[[263,10]]},"3259":{"position":[[197,10],[351,8]]},"3263":{"position":[[446,10]]}}}],["arm",{"_index":1648,"t":{"2793":{"position":[[899,3]]}}}],["arm32",{"_index":2253,"t":{"2980":{"position":[[18,6]]}}}],["arm64",{"_index":1601,"t":{"2789":{"position":[[83,5]]}}}],["arm64/aarch64",{"_index":1599,"t":{"2789":{"position":[[63,13]]}}}],["armhf",{"_index":1598,"t":{"2789":{"position":[[57,5]]}}}],["around",{"_index":2340,"t":{"3020":{"position":[[71,6]]}}}],["arp",{"_index":1673,"t":{"2795":{"position":[[1192,3]]}}}],["array",{"_index":2836,"t":{"3299":{"position":[[130,6]]}}}],["asid",{"_index":2078,"t":{"2912":{"position":[[188,5],[410,5]]}}}],["assess",{"_index":2570,"t":{"3062":{"position":[[152,10]]}}}],["assign",{"_index":1188,"t":{"2663":{"position":[[1651,8]]},"2870":{"position":[[1025,8]]},"2874":{"position":[[1934,7]]},"3060":{"position":[[195,8],[519,12]]}}}],["associ",{"_index":1841,"t":{"2864":{"position":[[2591,10]]},"2998":{"position":[[354,10]]},"3024":{"position":[[1196,10]]}}}],["assum",{"_index":501,"t":{"2539":{"position":[[2178,6]]},"2620":{"position":[[71,6]]},"2736":{"position":[[12,6]]},"2738":{"position":[[12,6]]},"2783":{"position":[[157,6]]},"2821":{"position":[[1062,7],[1793,7]]},"2850":{"position":[[74,7]]},"2912":{"position":[[236,8]]}}}],["assumpt",{"_index":2584,"t":{"3065":{"position":[[1765,10]]}}}],["attach",{"_index":1900,"t":{"2874":{"position":[[40,9]]}}}],["attack",{"_index":1072,"t":{"2632":{"position":[[338,7]]},"2795":{"position":[[1176,7]]},"2954":{"position":[[321,8]]},"3046":{"position":[[553,7]]},"3158":{"position":[[345,8]]}}}],["attempt",{"_index":240,"t":{"2520":{"position":[[706,7]]},"2757":{"position":[[1583,7]]},"2781":{"position":[[147,7]]},"2843":{"position":[[864,8]]},"2908":{"position":[[905,7]]},"2944":{"position":[[846,10]]},"2992":{"position":[[1712,10]]},"3002":{"position":[[858,10]]}}}],["audiences=https://kubernetes.default.svc.cluster.local,k3",{"_index":2695,"t":{"3120":{"position":[[898,58]]},"3122":{"position":[[846,58]]},"3124":{"position":[[715,58]]},"3126":{"position":[[664,58]]},"3128":{"position":[[677,58]]},"3130":{"position":[[790,58]]},"3132":{"position":[[751,58]]},"3136":{"position":[[824,58]]},"3138":{"position":[[805,58]]},"3140":{"position":[[701,58]]},"3142":{"position":[[817,58]]},"3144":{"position":[[682,58]]},"3146":{"position":[[597,58]]},"3156":{"position":[[772,58]]},"3162":{"position":[[814,58]]},"3164":{"position":[[730,58]]},"3166":{"position":[[736,58]]},"3239":{"position":[[1081,58]]},"3241":{"position":[[1095,58]]},"3243":{"position":[[1210,58]]}}}],["audiences=unknown",{"_index":2437,"t":{"3030":{"position":[[270,17]]}}}],["audit",{"_index":1815,"t":{"2864":{"position":[[561,6],[623,6],[684,6],[708,6],[735,6],[1419,6],[1439,5]]},"3020":{"position":[[141,8],[375,8],[399,5],[427,5]]},"3022":{"position":[[670,6],[690,5]]},"3026":{"position":[[61,5],[144,5],[161,8],[463,5]]},"3028":{"position":[[329,6],[391,6],[452,6],[476,6],[503,6],[895,6],[957,6],[1018,6],[1042,6],[1069,6]]},"3038":{"position":[[18,5],[68,8],[351,5],[437,5]]},"3040":{"position":[[18,5],[217,5]]},"3042":{"position":[[18,5]]},"3044":{"position":[[18,5]]},"3056":{"position":[[22,5]]},"3065":{"position":[[1024,6],[1075,5],[1226,5],[1689,8],[1877,7]]},"3089":{"position":[[260,5],[2025,5]]},"3095":{"position":[[175,6]]},"3097":{"position":[[152,6]]},"3099":{"position":[[158,6]]},"3101":{"position":[[160,6]]},"3103":{"position":[[166,6]]},"3105":{"position":[[172,6]]},"3107":{"position":[[171,6]]},"3109":{"position":[[171,6]]},"3112":{"position":[[193,6]]},"3114":{"position":[[282,6]]},"3116":{"position":[[211,6]]},"3120":{"position":[[423,6]]},"3122":{"position":[[406,6]]},"3124":{"position":[[280,6]]},"3126":{"position":[[246,6]]},"3128":{"position":[[259,6]]},"3130":{"position":[[350,6]]},"3132":{"position":[[257,6]]},"3134":{"position":[[271,6]]},"3136":{"position":[[323,6]]},"3138":{"position":[[345,6]]},"3140":{"position":[[241,6]]},"3142":{"position":[[376,6]]},"3144":{"position":[[237,6]]},"3146":{"position":[[188,6]]},"3148":{"position":[[165,5],[239,5],[280,5]]},"3150":{"position":[[165,5],[250,5]]},"3152":{"position":[[165,5],[244,5]]},"3154":{"position":[[165,5],[259,5]]},"3156":{"position":[[318,6]]},"3160":{"position":[[390,5],[2155,5]]},"3162":{"position":[[385,6]]},"3164":{"position":[[320,6]]},"3166":{"position":[[332,6]]},"3168":{"position":[[374,6]]},"3170":{"position":[[175,6]]},"3172":{"position":[[926,6]]},"3175":{"position":[[275,6]]},"3177":{"position":[[205,6]]},"3179":{"position":[[225,6]]},"3181":{"position":[[321,6]]},"3183":{"position":[[257,6]]},"3187":{"position":[[220,6]]},"3190":{"position":[[192,6]]},"3192":{"position":[[202,6]]},"3195":{"position":[[284,5],[2049,5]]},"3197":{"position":[[173,5],[1938,5]]},"3199":{"position":[[198,5],[1963,5]]},"3201":{"position":[[350,5],[2115,5]]},"3203":{"position":[[176,5],[1941,5]]},"3205":{"position":[[208,5],[1973,5]]},"3207":{"position":[[307,5],[2072,5]]},"3213":{"position":[[36,5],[72,6],[167,6]]},"3215":{"position":[[37,5]]},"3222":{"position":[[188,6]]},"3224":{"position":[[194,6]]},"3226":{"position":[[190,6]]},"3228":{"position":[[196,6]]},"3230":{"position":[[129,6]]},"3232":{"position":[[129,6]]},"3234":{"position":[[112,5]]},"3236":{"position":[[112,5]]},"3239":{"position":[[470,6]]},"3241":{"position":[[456,6]]},"3243":{"position":[[512,6]]},"3245":{"position":[[442,6]]},"3247":{"position":[[499,6]]},"3255":{"position":[[444,6]]},"3257":{"position":[[660,6]]},"3263":{"position":[[1085,6]]}}}],["audit.k8s.io/v1",{"_index":2423,"t":{"3026":{"position":[[742,15]]}}}],["audit.yaml",{"_index":2422,"t":{"3026":{"position":[[564,10]]}}}],["auditor",{"_index":2577,"t":{"3065":{"position":[[381,9]]}}}],["auth",{"_index":420,"t":{"2535":{"position":[[486,4]]},"2582":{"position":[[574,4]]},"2771":{"position":[[149,5],[172,4],[204,4]]},"2775":{"position":[[113,4],[543,4],[686,4],[744,4],[749,4],[805,4]]},"2777":{"position":[[260,5]]},"2779":{"position":[[263,5]]},"2872":{"position":[[293,4],[302,6],[945,4],[1106,4]]},"3030":{"position":[[1164,4],[1242,4]]},"3089":{"position":[[1080,8],[1405,8]]},"3112":{"position":[[299,5]]},"3114":{"position":[[250,4],[360,4]]},"3120":{"position":[[1969,4],[2047,4]]},"3122":{"position":[[1917,4],[1995,4]]},"3124":{"position":[[1786,4],[1864,4]]},"3126":{"position":[[1735,4],[1813,4]]},"3128":{"position":[[1748,4],[1826,4]]},"3130":{"position":[[1861,4],[1939,4]]},"3132":{"position":[[1822,4],[1900,4]]},"3136":{"position":[[1895,4],[1973,4]]},"3138":{"position":[[1876,4],[1954,4]]},"3140":{"position":[[1772,4],[1850,4]]},"3142":{"position":[[1888,4],[1966,4]]},"3144":{"position":[[1753,4],[1831,4]]},"3146":{"position":[[1668,4],[1746,4]]},"3156":{"position":[[1843,4],[1921,4]]},"3160":{"position":[[1210,8],[1535,8]]},"3162":{"position":[[1885,4],[1963,4]]},"3164":{"position":[[1801,4],[1879,4]]},"3166":{"position":[[1807,4],[1885,4]]},"3195":{"position":[[1104,8],[1429,8]]},"3197":{"position":[[993,8],[1318,8],[2015,5],[2048,5],[2125,5]]},"3199":{"position":[[1018,8],[1343,8]]},"3201":{"position":[[1170,8],[1495,8]]},"3203":{"position":[[996,8],[1321,8],[2018,5],[2051,5],[2128,5]]},"3205":{"position":[[1028,8],[1353,8]]},"3207":{"position":[[1127,8],[1452,8]]},"3239":{"position":[[689,5],[781,5],[2152,4],[2230,4]]},"3241":{"position":[[2166,4],[2244,4]]},"3243":{"position":[[2281,4],[2359,4]]}}}],["auth=\"name=tailscale,joinkey=$auth",{"_index":1895,"t":{"2872":{"position":[[839,34]]}}}],["auth=\"tru",{"_index":2757,"t":{"3197":{"position":[[161,11]]}}}],["auth=fals",{"_index":2435,"t":{"3030":{"position":[[245,10],[3075,10]]},"3112":{"position":[[182,10]]},"3120":{"position":[[881,10]]},"3122":{"position":[[829,10]]},"3124":{"position":[[698,10]]},"3126":{"position":[[647,10]]},"3128":{"position":[[660,10]]},"3130":{"position":[[773,10]]},"3132":{"position":[[734,10]]},"3136":{"position":[[807,10]]},"3138":{"position":[[788,10]]},"3140":{"position":[[684,10]]},"3142":{"position":[[800,10]]},"3144":{"position":[[665,10]]},"3146":{"position":[[580,10]]},"3156":{"position":[[755,10]]},"3162":{"position":[[797,10]]},"3164":{"position":[[713,10]]},"3166":{"position":[[719,10]]},"3239":{"position":[[337,10],[734,12],[835,10],[1064,10]]},"3241":{"position":[[1078,10]]},"3243":{"position":[[1193,10]]},"3245":{"position":[[802,10],[2025,10]]},"3257":{"position":[[993,10],[2216,10]]}}}],["auth=tru",{"_index":2627,"t":{"3089":{"position":[[1821,12],[1932,12]]},"3160":{"position":[[1951,12],[2062,12]]},"3195":{"position":[[1845,12],[1956,12]]},"3197":{"position":[[1734,12],[1845,12],[2103,9],[2150,9]]},"3199":{"position":[[1759,12],[1870,12]]},"3201":{"position":[[1911,12],[2022,12]]},"3203":{"position":[[166,9],[1737,12],[1848,12],[2106,9],[2153,9]]},"3205":{"position":[[1769,12],[1880,12]]},"3207":{"position":[[1868,12],[1979,12]]}}}],["authent",{"_index":94,"t":{"2500":{"position":[[89,14],[160,14]]},"2518":{"position":[[733,14],[812,14]]},"2626":{"position":[[56,12]]},"2628":{"position":[[122,12]]},"2630":{"position":[[274,12],[636,12],[1334,15]]},"2632":{"position":[[74,12]]},"2641":{"position":[[1166,12],[1196,15]]},"2767":{"position":[[526,15]]},"2775":{"position":[[237,12],[318,12],[593,14],[754,14]]},"2777":{"position":[[116,14],[139,14]]},"2779":{"position":[[120,14],[143,14]]},"2848":{"position":[[263,12]]},"2850":{"position":[[457,14]]},"3030":{"position":[[3096,14]]},"3048":{"position":[[165,14]]},"3114":{"position":[[90,15]]},"3162":{"position":[[2884,14]]},"3177":{"position":[[553,14]]},"3179":{"position":[[621,14]]},"3181":{"position":[[706,14]]},"3183":{"position":[[602,14]]},"3190":{"position":[[476,14]]},"3192":{"position":[[550,14]]},"3239":{"position":[[79,15]]},"3245":{"position":[[815,14],[2038,14]]},"3257":{"position":[[1006,14],[2229,14]]}}}],["authentication.x509.clientcafil",{"_index":2790,"t":{"3243":{"position":[[79,32]]}}}],["author",{"_index":477,"t":{"2539":{"position":[[694,10],[724,9]]},"2648":{"position":[[218,9]]},"2675":{"position":[[4038,9]]},"2679":{"position":[[495,10]]},"2848":{"position":[[125,10],[369,10]]},"3030":{"position":[[290,13],[3132,13]]},"3120":{"position":[[539,10],[959,13]]},"3122":{"position":[[282,9],[351,9],[522,10],[573,10],[907,13]]},"3124":{"position":[[155,13],[256,13],[375,14],[416,13],[776,13]]},"3126":{"position":[[155,13],[217,13],[341,14],[382,13],[725,13]]},"3128":{"position":[[155,13],[229,13],[354,14],[395,13],[738,13]]},"3130":{"position":[[851,13]]},"3132":{"position":[[812,13]]},"3136":{"position":[[885,13]]},"3138":{"position":[[866,13]]},"3140":{"position":[[762,13]]},"3142":{"position":[[878,13]]},"3144":{"position":[[743,13]]},"3146":{"position":[[658,13]]},"3156":{"position":[[833,13]]},"3162":{"position":[[875,13],[2966,13]]},"3164":{"position":[[262,9],[791,13]]},"3166":{"position":[[274,9],[797,13]]},"3177":{"position":[[636,13]]},"3179":{"position":[[704,13]]},"3181":{"position":[[789,13]]},"3183":{"position":[[685,13]]},"3190":{"position":[[558,13]]},"3192":{"position":[[632,13]]},"3207":{"position":[[105,9]]},"3239":{"position":[[1142,13]]},"3241":{"position":[[307,13],[664,14],[714,13],[767,13],[833,13],[1156,13]]},"3243":{"position":[[1271,13]]},"3245":{"position":[[851,13],[2074,13]]},"3257":{"position":[[1042,13],[2265,13]]}}}],["authorit",{"_index":429,"t":{"2537":{"position":[[401,13]]}}}],["authority=/var/lib/rancher/k3s/server/tls/serv",{"_index":2452,"t":{"3030":{"position":[[851,48]]},"3120":{"position":[[1600,48]]},"3122":{"position":[[1548,48]]},"3124":{"position":[[1417,48]]},"3126":{"position":[[1366,48]]},"3128":{"position":[[1379,48]]},"3130":{"position":[[1492,48]]},"3132":{"position":[[1453,48]]},"3136":{"position":[[1526,48]]},"3138":{"position":[[1507,48]]},"3140":{"position":[[1403,48]]},"3142":{"position":[[1519,48]]},"3144":{"position":[[1384,48]]},"3146":{"position":[[1299,48]]},"3156":{"position":[[1474,48]]},"3162":{"position":[[1516,48]]},"3164":{"position":[[1432,48]]},"3166":{"position":[[1438,48]]},"3239":{"position":[[1783,48]]},"3241":{"position":[[1797,48]]},"3243":{"position":[[1912,48]]}}}],["authority=::.nod",{"_index":42,"t":{"2494":{"position":[[351,11]]}}}],["hostipc",{"_index":2360,"t":{"3022":{"position":[[1735,8],[2862,8],[3363,8]]},"3289":{"position":[[126,7]]}}}],["hostnam",{"_index":844,"t":{"2595":{"position":[[360,8]]},"2620":{"position":[[275,9],[423,9],[515,9]]},"2657":{"position":[[379,9]]},"2675":{"position":[[1153,9]]},"2685":{"position":[[566,8]]},"2713":{"position":[[567,9]]},"2727":{"position":[[66,8],[981,8],[1134,9]]},"2769":{"position":[[531,8]]},"2787":{"position":[[31,9],[78,9],[94,9]]},"2956":{"position":[[83,8],[118,8]]},"3030":{"position":[[3829,8]]},"3245":{"position":[[1346,8],[2569,8]]},"3253":{"position":[[157,8]]},"3257":{"position":[[1537,8],[2760,8]]}}}],["hostnetwork",{"_index":2358,"t":{"3022":{"position":[[1702,12],[2843,12],[3377,12]]},"3291":{"position":[[126,11]]}}}],["hostpath",{"_index":2839,"t":{"3305":{"position":[[142,8]]}}}],["hostpid",{"_index":2362,"t":{"3022":{"position":[[1764,8],[2877,8],[3395,8]]},"3287":{"position":[[126,7]]}}}],["hostport",{"_index":1948,"t":{"2880":{"position":[[396,8]]},"3022":{"position":[[3409,10],[3883,10]]},"3307":{"position":[[147,8]]}}}],["hour",{"_index":270,"t":{"2520":{"position":[[2141,5]]},"2648":{"position":[[876,5]]},"2675":{"position":[[4743,5]]}}}],["hr9p5",{"_index":2795,"t":{"3245":{"position":[[695,5],[1391,5]]},"3257":{"position":[[886,5],[1582,5]]}}}],["http",{"_index":573,"t":{"2560":{"position":[[0,4]]},"2604":{"position":[[455,4]]},"2622":{"position":[[2209,4]]},"2624":{"position":[[261,4]]},"2648":{"position":[[1678,5]]},"2657":{"position":[[73,5],[102,5]]},"2675":{"position":[[763,5],[798,5],[5631,5]]},"2713":{"position":[[741,5],[908,5]]},"2779":{"position":[[487,7],[543,6]]},"2880":{"position":[[20,4]]},"3118":{"position":[[176,5]]}}}],["http.createserver(function(req",{"_index":886,"t":{"2604":{"position":[[479,31]]}}}],["http://registry.example.com:5000",{"_index":1579,"t":{"2779":{"position":[[190,34],[399,34]]}}}],["http_proxi",{"_index":574,"t":{"2560":{"position":[[157,11]]}}}],["http_proxy=http://your",{"_index":584,"t":{"2560":{"position":[[593,22]]}}}],["https://%{kubernetes_api}%/static/charts/traefik",{"_index":1324,"t":{"2713":{"position":[[1652,48]]}}}],["https://10.10.10.100:6443",{"_index":1003,"t":{"2622":{"position":[[1466,25]]}}}],["https://10.10.10.99:6443",{"_index":1030,"t":{"2622":{"position":[[2903,24]]},"2624":{"position":[[955,24]]}}}],["https:///v2",{"_index":1539,"t":{"2769":{"position":[[475,22]]},"2771":{"position":[[106,21]]}}}],["https://charts.bitnami.com/bitnami",{"_index":1294,"t":{"2713":{"position":[[431,34]]}}}],["https://charts.rancher.io",{"_index":894,"t":{"2606":{"position":[[90,25]]}}}],["https://etcd",{"_index":1220,"t":{"2681":{"position":[[1146,12]]}}}],["https://fix",{"_index":1390,"t":{"2731":{"position":[[468,13]]}}}],["https://get.k3s.io",{"_index":598,"t":{"2562":{"position":[[433,18]]},"2584":{"position":[[291,18]]},"2622":{"position":[[1398,18],[2835,18]]},"2624":{"position":[[887,18]]},"2685":{"position":[[303,18],[489,18]]},"2725":{"position":[[598,18]]},"2729":{"position":[[410,18]]},"2745":{"position":[[919,18]]},"2748":{"position":[[398,18]]},"2811":{"position":[[111,18]]},"2813":{"position":[[265,18]]},"2821":{"position":[[88,18],[769,18],[871,18],[975,18],[1114,18],[1209,18],[1368,18],[1484,18],[1604,18],[1700,18]]},"2829":{"position":[[256,18]]},"2906":{"position":[[74,18],[153,18],[713,18]]},"2908":{"position":[[88,18],[231,18],[2452,18]]},"2960":{"position":[[398,18]]},"3004":{"position":[[121,18],[338,18],[481,18]]}}}],["https://github.com/go",{"_index":1217,"t":{"2681":{"position":[[708,21]]}}}],["https://github.com/k3",{"_index":509,"t":{"2539":{"position":[[2519,22]]},"2541":{"position":[[1894,22]]},"2543":{"position":[[1675,22]]},"2576":{"position":[[148,22]]},"2738":{"position":[[736,22]]},"2743":{"position":[[1392,22]]},"2823":{"position":[[439,22]]}}}],["https://github.com/rancher/system",{"_index":2281,"t":{"2994":{"position":[[235,33]]}}}],["https://godoc.org/github.com/lib/pq",{"_index":1214,"t":{"2681":{"position":[[309,35]]}}}],["https://helm.sh/docs/intro/quickstart",{"_index":1286,"t":{"2711":{"position":[[178,40]]}}}],["https://index.docker.io/v2",{"_index":1538,"t":{"2769":{"position":[[398,27]]}}}],["https://k3s.example.com",{"_index":1722,"t":{"2821":{"position":[[1422,23],[1570,23]]},"2823":{"position":[[760,23]]}}}],["https://mirror.example.com",{"_index":1785,"t":{"2843":{"position":[[990,26]]},"2845":{"position":[[871,26]]}}}],["https://nvidia.github.io/libnvidia",{"_index":712,"t":{"2568":{"position":[[95,34]]}}}],["https://raw.githubusercontent.com/longhorn/longhorn/v1.5.1/deploy/longhorn.yaml",{"_index":2255,"t":{"2980":{"position":[[183,79]]}}}],["https://registry.example.com:5000",{"_index":1557,"t":{"2773":{"position":[[123,35],[719,35],[1365,35]]},"2777":{"position":[[186,35],[563,35]]}}}],["https://registry.example.com:5000/v2",{"_index":1537,"t":{"2769":{"position":[[322,37]]}}}],["https://releases.rancher.com/instal",{"_index":594,"t":{"2562":{"position":[[335,36]]}}}],["https://rke2",{"_index":1913,"t":{"2874":{"position":[[774,12]]}}}],["https://rootlesscontaine.r",{"_index":742,"t":{"2572":{"position":[[128,28]]},"2580":{"position":[[114,28]]}}}],["https://rootlesscontaine.rs/get",{"_index":753,"t":{"2576":{"position":[[0,35]]}}}],["https://rpm.rancher.io/k3s/latest/common/centos/7/noarch/k3",{"_index":856,"t":{"2597":{"position":[[376,60]]}}}],["https://tailscale.com/install.sh",{"_index":1894,"t":{"2872":{"position":[[685,32]]}}}],["https://update.k3s.io/v1",{"_index":2048,"t":{"2908":{"position":[[2169,24]]},"2996":{"position":[[2320,24]]}}}],["https://www.cni.dev/plugins/current/ipam/host",{"_index":1922,"t":{"2874":{"position":[[1517,45]]}}}],["https_proxi",{"_index":575,"t":{"2560":{"position":[[169,11]]}}}],["https_proxy=http://your",{"_index":586,"t":{"2560":{"position":[[639,23]]}}}],["human",{"_index":1096,"t":{"2641":{"position":[[1064,5]]}}}],["hybrid",{"_index":1859,"t":{"2866":{"position":[[310,6]]}}}],["hybrid/multicloud",{"_index":1856,"t":{"2866":{"position":[[202,17]]}}}],["i.",{"_index":1915,"t":{"2874":{"position":[[979,4]]},"2952":{"position":[[1433,4]]}}}],["id",{"_index":45,"t":{"2494":{"position":[[424,3],[737,2],[785,3],[815,3]]},"2504":{"position":[[92,2],[106,2]]},"2518":{"position":[[1077,2],[1100,2]]},"2562":{"position":[[983,2]]},"2641":{"position":[[1624,3],[2066,3],[2352,3]]},"2675":{"position":[[6406,2],[6429,2]]},"2787":{"position":[[175,2]]},"3114":{"position":[[785,2],[1067,2],[1349,2],[1631,2],[1913,2],[2195,2],[2477,2]]},"3116":{"position":[[766,2],[1048,2],[1330,2],[1612,2],[1894,2],[2176,2],[2458,2]]},"3134":{"position":[[779,2],[1061,2],[1343,2],[1625,2],[1907,2],[2189,2],[2471,2]]},"3187":{"position":[[751,2],[1033,2],[1315,2],[1597,2],[1879,2],[2161,2],[2443,2]]},"3199":{"position":[[2117,2],[2357,2],[2597,2]]},"3205":{"position":[[2162,2]]}}}],["ideal",{"_index":2416,"t":{"3026":{"position":[[256,8]]}}}],["ident",{"_index":1039,"t":{"2628":{"position":[[139,8]]},"2630":{"position":[[797,8]]},"2823":{"position":[[1545,11]]},"2944":{"position":[[239,9]]},"2960":{"position":[[805,11]]}}}],["identifi",{"_index":398,"t":{"2530":{"position":[[1178,8]]},"2630":{"position":[[172,10]]},"2769":{"position":[[770,10]]},"3234":{"position":[[94,10]]},"3236":{"position":[[94,10]]},"3257":{"position":[[141,8]]},"3266":{"position":[[26,8]]}}}],["idl",{"_index":1824,"t":{"2864":{"position":[[901,4]]},"3028":{"position":[[669,4],[1235,4]]},"3247":{"position":[[361,4],[609,4]]}}}],["ifac",{"_index":158,"t":{"2508":{"position":[[243,5]]},"2518":{"position":[[2910,5]]},"2675":{"position":[[7975,5]]}}}],["ifnotpres",{"_index":2246,"t":{"2978":{"position":[[154,12]]},"2984":{"position":[[154,12]]}}}],["ignor",{"_index":1251,"t":{"2687":{"position":[[453,8]]},"2763":{"position":[[110,6]]},"2952":{"position":[[187,6]]}}}],["illustr",{"_index":1717,"t":{"2821":{"position":[[629,10]]}}}],["imag",{"_index":143,"t":{"2506":{"position":[[203,5],[262,5]]},"2518":{"position":[[1273,5],[1461,5],[2286,5],[2331,5]]},"2562":{"position":[[986,5]]},"2568":{"position":[[873,6]]},"2604":{"position":[[369,6]]},"2675":{"position":[[6602,5],[6790,5],[7222,5],[7267,5],[7659,6]]},"2709":{"position":[[333,5],[418,5]]},"2715":{"position":[[586,6]]},"2733":{"position":[[261,6]]},"2736":{"position":[[345,7],[364,6],[479,5],[501,6],[532,6],[630,6]]},"2738":{"position":[[249,6],[373,6],[401,5],[427,6],[544,6],[574,6],[715,6],[814,6]]},"2740":{"position":[[274,6],[309,5],[402,5],[431,6],[507,5]]},"2743":{"position":[[83,6],[122,6],[263,7]]},"2748":{"position":[[103,6]]},"2750":{"position":[[105,6],[276,5],[344,6],[785,6],[1003,6]]},"2767":{"position":[[83,6],[664,6]]},"2769":{"position":[[627,5],[705,6]]},"2773":{"position":[[226,5],[472,6],[833,5],[981,5],[1212,5],[1496,6],[1569,5],[1667,5]]},"2781":{"position":[[48,6]]},"2783":{"position":[[10,6],[133,7],[377,6],[502,6],[653,6]]},"2837":{"position":[[277,6]]},"2839":{"position":[[369,6],[421,5],[455,5],[559,6],[587,5]]},"2841":{"position":[[207,6]]},"2843":{"position":[[61,6],[130,6],[283,6],[342,6],[606,6],[852,6]]},"2845":{"position":[[168,6],[543,5]]},"2850":{"position":[[303,6],[385,6],[487,5],[605,6],[698,6],[725,5],[789,5],[937,5],[982,5]]},"2852":{"position":[[0,6],[59,6],[157,5],[347,6],[450,6],[520,6],[545,5],[595,6]]},"2854":{"position":[[144,6],[233,5],[255,6],[276,5],[415,6]]},"2914":{"position":[[548,5]]},"2930":{"position":[[877,7],[985,5],[1080,5]]},"2932":{"position":[[384,5]]},"2978":{"position":[[110,6]]},"2984":{"position":[[110,6]]},"2996":{"position":[[703,6],[1039,6],[1110,6]]},"3030":{"position":[[4198,5]]},"3245":{"position":[[1723,5],[2946,5]]},"3257":{"position":[[1914,5],[3137,5]]},"3320":{"position":[[72,5]]}}}],["image=rancher/mirror",{"_index":2807,"t":{"3245":{"position":[[1551,22],[2774,22]]},"3257":{"position":[[1742,22],[2965,22]]}}}],["imagepullpolici",{"_index":2245,"t":{"2978":{"position":[[137,16]]},"2984":{"position":[[137,16]]}}}],["images.txt",{"_index":1587,"t":{"2783":{"position":[[290,10],[402,10]]}}}],["images/$1",{"_index":1573,"t":{"2773":{"position":[[1450,10]]}}}],["images/mirror",{"_index":1571,"t":{"2773":{"position":[[1306,15]]}}}],["immedi",{"_index":321,"t":{"2520":{"position":[[4190,9]]}}}],["impact",{"_index":1640,"t":{"2793":{"position":[[401,6]]},"2868":{"position":[[439,6]]},"2928":{"position":[[43,6]]}}}],["imperson",{"_index":2832,"t":{"3280":{"position":[[53,12]]}}}],["implement",{"_index":1955,"t":{"2882":{"position":[[67,14]]},"2884":{"position":[[305,15],[502,15]]},"2934":{"position":[[9,12]]},"2944":{"position":[[65,10]]},"3065":{"position":[[1641,15]]},"3210":{"position":[[106,11]]}}}],["implicit",{"_index":1533,"t":{"2769":{"position":[[18,8]]}}}],["implicitli",{"_index":1067,"t":{"2632":{"position":[[163,10]]},"2769":{"position":[[759,10]]}}}],["import",{"_index":1252,"t":{"2687":{"position":[[462,10]]},"2736":{"position":[[525,6]]},"2795":{"position":[[800,9]]},"2823":{"position":[[1096,9]]},"2839":{"position":[[566,8]]},"2850":{"position":[[956,10]]},"2852":{"position":[[507,6]]},"2854":{"position":[[313,6]]},"2948":{"position":[[216,9]]},"2992":{"position":[[1170,8]]},"2996":{"position":[[1175,9]]},"3052":{"position":[[118,9]]},"3054":{"position":[[118,9]]},"3056":{"position":[[79,9]]}}}],["inaccess",{"_index":2549,"t":{"3046":{"position":[[337,12]]}}}],["inbound",{"_index":1620,"t":{"2791":{"position":[[625,7],[1325,7]]}}}],["includ",{"_index":376,"t":{"2530":{"position":[[25,8]]},"2541":{"position":[[729,10]]},"2543":{"position":[[2179,9]]},"2545":{"position":[[386,8]]},"2632":{"position":[[23,8]]},"2641":{"position":[[691,9]]},"2740":{"position":[[172,8]]},"2753":{"position":[[601,9]]},"2785":{"position":[[311,7]]},"2807":{"position":[[33,9]]},"2809":{"position":[[83,9]]},"2880":{"position":[[1191,7],[1416,8]]},"2882":{"position":[[4,8]]},"2884":{"position":[[273,7]]},"2908":{"position":[[2308,8]]},"2910":{"position":[[752,8]]},"2914":{"position":[[391,9],[474,7]]},"2932":{"position":[[361,7]]},"2942":{"position":[[55,9]]},"2944":{"position":[[1885,8]]},"2946":{"position":[[718,7]]},"3002":{"position":[[543,9]]},"3010":{"position":[[233,9]]},"3020":{"position":[[217,7]]},"3022":{"position":[[2129,7]]},"3065":{"position":[[581,9]]},"3126":{"position":[[200,8]]},"3128":{"position":[[200,8]]},"3132":{"position":[[236,7]]},"3134":{"position":[[193,7]]},"3136":{"position":[[193,7]]},"3138":{"position":[[321,7]]},"3140":{"position":[[213,7]]},"3142":{"position":[[299,8]]},"3185":{"position":[[209,7]]},"3274":{"position":[[205,7]]},"3295":{"position":[[155,9]]}}}],["incom",{"_index":2189,"t":{"2950":{"position":[[306,8]]}}}],["incorrect",{"_index":1122,"t":{"2645":{"position":[[180,9]]}}}],["increas",{"_index":1694,"t":{"2805":{"position":[[20,10]]},"2868":{"position":[[329,8]]},"2930":{"position":[[553,8],[688,8]]},"2950":{"position":[[2093,9]]},"2954":{"position":[[282,8]]}}}],["independ",{"_index":554,"t":{"2545":{"position":[[267,11]]},"2821":{"position":[[2161,11]]}}}],["indic",{"_index":394,"t":{"2530":{"position":[[885,9],[1082,9],[1331,10],[1569,9]]},"2996":{"position":[[1332,9]]}}}],["individu",{"_index":417,"t":{"2535":{"position":[[201,10]]},"2916":{"position":[[329,10]]},"3038":{"position":[[229,10]]}}}],["info",{"_index":406,"t":{"2530":{"position":[[1775,4]]},"2622":{"position":[[202,5],[355,5],[2237,5]]},"2624":{"position":[[289,5]]},"2807":{"position":[[112,5]]}}}],["inform",{"_index":68,"t":{"2496":{"position":[[321,11]]},"2520":{"position":[[4474,11]]},"2522":{"position":[[59,12]]},"2530":{"position":[[65,11],[1488,11]]},"2537":{"position":[[79,11]]},"2616":{"position":[[52,11]]},"2636":{"position":[[575,11],[1135,11],[1228,11]]},"2643":{"position":[[359,11]]},"2740":{"position":[[531,11]]},"2743":{"position":[[1640,12]]},"2757":{"position":[[193,11]]},"2765":{"position":[[4,11]]},"2781":{"position":[[363,11]]},"2791":{"position":[[648,12],[1348,12],[2114,11]]},"2823":{"position":[[1506,11]]},"2831":{"position":[[584,12]]},"2843":{"position":[[1403,11]]},"2872":{"position":[[894,11]]},"2874":{"position":[[1504,12],[2616,11],[3448,11]]},"2876":{"position":[[293,11]]},"2880":{"position":[[489,11],[961,11],[1369,11]]},"2948":{"position":[[226,11]]},"2962":{"position":[[230,12]]},"3026":{"position":[[386,12],[626,11]]},"3030":{"position":[[4378,11]]},"3065":{"position":[[549,11]]}}}],["infra",{"_index":2806,"t":{"3245":{"position":[[1535,5],[2758,5]]},"3257":{"position":[[1726,5],[2949,5]]}}}],["infrastructur",{"_index":2257,"t":{"2987":{"position":[[75,17]]}}}],["ingress",{"_index":1298,"t":{"2713":{"position":[[544,8]]},"2866":{"position":[[462,8]]},"2876":{"position":[[40,7]]},"2880":{"position":[[199,7]]},"2914":{"position":[[241,8]]},"3010":{"position":[[326,7]]},"3022":{"position":[[5928,8],[6127,8],[6326,8],[6457,7]]},"3024":{"position":[[441,8],[784,8],[911,7],[950,7],[1465,8],[1494,7],[1598,7],[1706,8],[1735,7],[1839,7],[1934,8],[1963,7],[2148,8],[2177,7],[2281,7],[2389,8],[2418,7],[2522,7],[2598,8],[2627,7]]}}}],["init",{"_index":312,"t":{"2520":{"position":[[3719,4]]},"2650":{"position":[[464,4]]},"2675":{"position":[[3187,4]]},"2685":{"position":[[170,4],[366,4]]},"2687":{"position":[[159,4],[406,5],[604,4]]},"2717":{"position":[[274,4]]},"2809":{"position":[[39,4]]},"2811":{"position":[[157,4]]},"2817":{"position":[[254,5]]},"2825":{"position":[[416,5],[618,4]]}}}],["initi",{"_index":462,"t":{"2539":{"position":[[66,7]]},"2541":{"position":[[2598,7]]},"2543":{"position":[[2397,7]]},"2632":{"position":[[280,7]]},"2650":{"position":[[486,10]]},"2675":{"position":[[3202,10]]},"2687":{"position":[[330,11]]},"2719":{"position":[[1073,9]]},"2727":{"position":[[375,7]]},"3089":{"position":[[588,13]]},"3160":{"position":[[718,13]]},"3195":{"position":[[612,13]]},"3197":{"position":[[501,13]]},"3199":{"position":[[526,13]]},"3201":{"position":[[678,13]]},"3203":{"position":[[504,13]]},"3205":{"position":[[536,13]]},"3207":{"position":[[635,13]]}}}],["insecur",{"_index":1145,"t":{"2648":{"position":[[1652,8]]},"2675":{"position":[[5600,8]]},"3030":{"position":[[804,8]]}}}],["insecure_skip_verifi",{"_index":1553,"t":{"2771":{"position":[[339,21]]},"2775":{"position":[[442,20]]}}}],["instal",{"_index":512,"t":{"2539":{"position":[[2657,7]]},"2541":{"position":[[2606,13]]},"2543":{"position":[[2405,13]]},"2545":{"position":[[340,7]]},"2562":{"position":[[728,7]]},"2568":{"position":[[175,7]]},"2593":{"position":[[477,7]]},"2597":{"position":[[312,7],[365,7]]},"2606":{"position":[[138,7],[250,7]]},"2618":{"position":[[30,7]]},"2620":{"position":[[128,9]]},"2622":{"position":[[361,7],[406,7],[1354,7],[2642,7],[2791,7]]},"2624":{"position":[[694,7],[843,7]]},"2709":{"position":[[39,10],[140,10],[233,10],[449,7],[717,7]]},"2719":{"position":[[27,10],[138,7]]},"2725":{"position":[[500,7],[981,12],[1029,8],[1079,9]]},"2727":{"position":[[879,7]]},"2733":{"position":[[8,7]]},"2736":{"position":[[776,7]]},"2738":{"position":[[850,7]]},"2743":{"position":[[7,10],[147,8],[376,7],[416,7],[1222,7],[1564,7]]},"2745":{"position":[[8,7],[126,7],[614,7],[690,7]]},"2748":{"position":[[380,7],[626,11]]},"2761":{"position":[[337,9]]},"2791":{"position":[[1588,13],[2071,7]]},"2821":{"position":[[55,12],[110,7],[462,13],[598,9],[1936,7],[1996,7],[2108,7],[2182,7],[2295,7]]},"2823":{"position":[[15,12],[298,14]]},"2825":{"position":[[249,8]]},"2829":{"position":[[164,12],[383,9]]},"2831":{"position":[[233,9],[257,12],[325,13]]},"2872":{"position":[[641,7]]},"2874":{"position":[[3073,7],[3094,7]]},"2876":{"position":[[156,12]]},"2878":{"position":[[153,7],[187,7]]},"2880":{"position":[[1239,7],[1278,12]]},"2884":{"position":[[372,10]]},"2908":{"position":[[55,12],[110,7],[283,7],[361,13],[1000,7],[1264,7],[2061,12]]},"2916":{"position":[[136,9]]},"2936":{"position":[[188,7],[290,12]]},"2944":{"position":[[600,7],[641,7],[702,9],[2034,7],[2099,10]]},"2946":{"position":[[38,12],[249,12]]},"2948":{"position":[[42,7],[336,7]]},"2960":{"position":[[458,10]]},"2992":{"position":[[975,7]]},"2994":{"position":[[37,9],[165,7]]},"3000":{"position":[[33,12],[69,10]]},"3002":{"position":[[27,12]]},"3004":{"position":[[56,12]]},"3008":{"position":[[35,12]]},"3014":{"position":[[72,12]]},"3026":{"position":[[1074,10]]},"3065":{"position":[[154,12],[1820,12]]}}}],["install.sh",{"_index":1419,"t":{"2743":{"position":[[477,11]]},"2745":{"position":[[233,12],[396,12],[1268,12]]}}}],["install_k3s_bin_dir",{"_index":2038,"t":{"2908":{"position":[[967,19],[1159,20]]}}}],["install_k3s_bin_dir_read_onli",{"_index":2039,"t":{"2908":{"position":[[1090,29]]}}}],["install_k3s_channel",{"_index":2050,"t":{"2908":{"position":[[2212,19]]}}}],["install_k3s_channel=latest",{"_index":2053,"t":{"2908":{"position":[[2473,26]]},"3004":{"position":[[359,26]]}}}],["install_k3s_channel_url",{"_index":2046,"t":{"2908":{"position":[[2090,23]]}}}],["install_k3s_exec",{"_index":1712,"t":{"2821":{"position":[[201,17],[353,16],[1135,18]]},"2908":{"position":[[1357,16]]}}}],["install_k3s_exec=\"ag",{"_index":1721,"t":{"2821":{"position":[[1389,23],[1505,24]]}}}],["install_k3s_exec=\"serv",{"_index":1718,"t":{"2821":{"position":[[790,25],[892,24]]},"2829":{"position":[[303,25]]}}}],["install_k3s_exec='arg",{"_index":1447,"t":{"2745":{"position":[[756,23]]}}}],["install_k3s_exec='serv",{"_index":1450,"t":{"2745":{"position":[[1139,24]]}}}],["install_k3s_nam",{"_index":2042,"t":{"2908":{"position":[[1601,16]]}}}],["install_k3s_selinux_warn",{"_index":2044,"t":{"2908":{"position":[[1907,24]]}}}],["install_k3s_selinux_warn=tru",{"_index":859,"t":{"2597":{"position":[[519,30]]}}}],["install_k3s_skip_download",{"_index":1433,"t":{"2743":{"position":[[1035,25]]},"2908":{"position":[[408,25]]}}}],["install_k3s_skip_download=tru",{"_index":1441,"t":{"2745":{"position":[[202,30],[309,30],[646,30],[1108,30]]},"2908":{"position":[[1195,31]]}}}],["install_k3s_skip_en",{"_index":2034,"t":{"2908":{"position":[[697,23]]}}}],["install_k3s_skip_enable=tru",{"_index":799,"t":{"2584":{"position":[[340,28]]}}}],["install_k3s_skip_selinux_rpm",{"_index":2045,"t":{"2908":{"position":[[1997,28]]}}}],["install_k3s_skip_selinux_rpm=tru",{"_index":853,"t":{"2597":{"position":[[220,34]]}}}],["install_k3s_skip_start",{"_index":2035,"t":{"2908":{"position":[[774,22]]}}}],["install_k3s_skip_start=tru",{"_index":798,"t":{"2584":{"position":[[312,27]]}}}],["install_k3s_symlink",{"_index":2032,"t":{"2908":{"position":[[487,19]]}}}],["install_k3s_systemd_dir",{"_index":2040,"t":{"2908":{"position":[[1227,23]]}}}],["install_k3s_typ",{"_index":2043,"t":{"2908":{"position":[[1798,16]]}}}],["install_k3s_vers",{"_index":2036,"t":{"2908":{"position":[[840,19]]}}}],["install_k3s_version=vx.y.z",{"_index":2307,"t":{"3004":{"position":[[502,26]]}}}],["installation/packag",{"_index":1287,"t":{"2711":{"position":[[463,27]]}}}],["instanc",{"_index":1249,"t":{"2687":{"position":[[226,9]]},"2880":{"position":[[1515,8]]},"2916":{"position":[[13,8]]}}}],["instead",{"_index":165,"t":{"2512":{"position":[[66,7]]},"2518":{"position":[[3468,7]]},"2618":{"position":[[681,7]]},"2671":{"position":[[122,7]]},"2675":{"position":[[7014,7]]},"2727":{"position":[[787,7]]},"2745":{"position":[[713,7],[1056,8]]},"2817":{"position":[[87,7]]},"2821":{"position":[[2234,7]]},"2827":{"position":[[373,7]]},"2843":{"position":[[1063,7]]},"2850":{"position":[[996,7]]},"2874":{"position":[[124,7]]},"2880":{"position":[[731,8]]},"2896":{"position":[[86,8]]},"2902":{"position":[[305,7],[694,7]]},"2944":{"position":[[1203,7]]},"2946":{"position":[[760,7]]},"2950":{"position":[[1814,8]]}}}],["instruct",{"_index":1269,"t":{"2709":{"position":[[22,12]]},"2866":{"position":[[22,12]]}}}],["integr",{"_index":443,"t":{"2537":{"position":[[938,9]]},"2543":{"position":[[750,9]]},"2755":{"position":[[466,10]]},"2850":{"position":[[943,9]]},"2868":{"position":[[245,11]]},"2872":{"position":[[59,9],[752,11]]},"2916":{"position":[[543,10]]},"2992":{"position":[[1609,11]]},"3034":{"position":[[329,9]]}}}],["intel(r",{"_index":2058,"t":{"2910":{"position":[[242,8],[346,8],[428,8]]},"2922":{"position":[[189,8]]},"2924":{"position":[[189,8]]},"2926":{"position":[[77,8]]}}}],["intend",{"_index":1434,"t":{"2743":{"position":[[1160,6]]},"2750":{"position":[[244,6]]},"2912":{"position":[[24,8]]}}}],["intens",{"_index":1643,"t":{"2793":{"position":[[685,10]]},"2874":{"position":[[241,9]]}}}],["inter",{"_index":981,"t":{"2622":{"position":[[662,5]]}}}],["interact",{"_index":1004,"t":{"2622":{"position":[[1536,8],[2972,8]]},"2624":{"position":[[1024,8]]},"2854":{"position":[[114,8]]}}}],["interf",{"_index":2074,"t":{"2910":{"position":[[994,11]]}}}],["interfac",{"_index":25,"t":{"2484":{"position":[[640,11]]},"2508":{"position":[[284,9]]},"2518":{"position":[[2966,9]]},"2622":{"position":[[988,9]]},"2648":{"position":[[564,9]]},"2675":{"position":[[4425,10],[8031,9]]},"2743":{"position":[[541,9],[645,9]]},"2866":{"position":[[417,10]]},"2874":{"position":[[67,10],[277,10],[593,9],[1017,10],[1067,11]]},"2940":{"position":[[190,9]]},"2944":{"position":[[109,9]]},"2946":{"position":[[187,10]]},"2948":{"position":[[1198,11]]},"2952":{"position":[[297,9]]}}}],["interfer",{"_index":1641,"t":{"2793":{"position":[[497,12]]},"2928":{"position":[[139,12]]},"2932":{"position":[[146,9]]}}}],["intermedi",{"_index":474,"t":{"2539":{"position":[[465,12],[527,12],[1434,12],[1569,12],[1740,12],[2072,12],[2212,12],[2292,12],[2738,12]]},"2541":{"position":[[1316,12]]},"2543":{"position":[[999,12]]},"2992":{"position":[[1839,12]]},"3002":{"position":[[985,12]]}}}],["intermediate.key",{"_index":496,"t":{"2539":{"position":[[1825,16]]}}}],["intermediate.pem",{"_index":495,"t":{"2539":{"position":[[1808,16]]}}}],["intern",{"_index":1778,"t":{"2841":{"position":[[99,8]]},"2870":{"position":[[856,8]]},"2886":{"position":[[557,8]]},"2944":{"position":[[1214,8]]}}}],["internalip",{"_index":1995,"t":{"2896":{"position":[[191,10]]}}}],["internet",{"_index":1281,"t":{"2709":{"position":[[537,9]]},"2733":{"position":[[161,9]]},"2743":{"position":[[1354,8]]},"3014":{"position":[[207,8]]},"3065":{"position":[[807,8]]}}}],["interv",{"_index":235,"t":{"2520":{"position":[[309,8],[2101,8]]},"2622":{"position":[[947,8]]},"2648":{"position":[[836,8]]},"2675":{"position":[[4703,8]]}}}],["intervent",{"_index":2320,"t":{"3014":{"position":[[444,12]]},"3032":{"position":[[178,13]]}}}],["intra",{"_index":2398,"t":{"3022":{"position":[[5867,5],[6070,5],[6265,5]]},"3024":{"position":[[380,5]]}}}],["introduc",{"_index":1336,"t":{"2719":{"position":[[74,10]]},"2934":{"position":[[110,9]]}}}],["invalid",{"_index":533,"t":{"2541":{"position":[[1760,12]]},"2545":{"position":[[236,12],[971,12]]},"2757":{"position":[[971,8],[995,7]]}}}],["investig",{"_index":2537,"t":{"3040":{"position":[[171,11]]},"3042":{"position":[[248,13]]},"3044":{"position":[[247,13]]}}}],["involv",{"_index":2119,"t":{"2930":{"position":[[860,7],[1058,7]]}}}],["io",{"_index":1644,"t":{"2793":{"position":[[727,2]]},"2916":{"position":[[91,2]]},"2930":{"position":[[1040,2]]}}}],["io/etcd/releases/download/${etcd_version}/etcd",{"_index":692,"t":{"2564":{"position":[[192,46]]}}}],["io/k3",{"_index":861,"t":{"2599":{"position":[[289,6]]},"2743":{"position":[[1415,6]]},"2936":{"position":[[102,6]]}}}],["io/k3s/blob//k3",{"_index":755,"t":{"2576":{"position":[[171,25]]}}}],["io/k3s/blob/master/k3",{"_index":757,"t":{"2576":{"position":[[238,22]]}}}],["io/k3s/raw/master/contrib/util/gener",{"_index":510,"t":{"2539":{"position":[[2542,39]]},"2541":{"position":[[1917,39]]}}}],["io/k3s/raw/master/contrib/util/rot",{"_index":550,"t":{"2543":{"position":[[1698,37]]}}}],["io/k3s/releases/download/v1.26.5+k3s1/k3",{"_index":1734,"t":{"2823":{"position":[[462,42]]}}}],["io/k3s/releases/download/v1.29.1",{"_index":1408,"t":{"2738":{"position":[[759,32]]}}}],["iop",{"_index":1692,"t":{"2803":{"position":[[231,5]]},"2912":{"position":[[164,4],[386,4]]},"2914":{"position":[[401,4]]},"2922":{"position":[[304,4],[355,4]]},"2924":{"position":[[276,4],[320,4]]},"2932":{"position":[[134,4]]}}}],["iov",{"_index":1908,"t":{"2874":{"position":[[346,4]]}}}],["ip",{"_index":150,"t":{"2508":{"position":[[45,2],[68,2],[117,2],[139,2]]},"2518":{"position":[[2639,2],[2735,2],[2782,2]]},"2549":{"position":[[97,2]]},"2560":{"position":[[436,2],[504,2],[531,4]]},"2620":{"position":[[289,3],[437,3],[529,3]]},"2622":{"position":[[267,2]]},"2645":{"position":[[467,2]]},"2657":{"position":[[168,2]]},"2663":{"position":[[100,3],[183,3],[339,2],[667,2],[694,2]]},"2675":{"position":[[973,3],[1436,3],[1541,3],[1745,2],[2202,2],[2236,2],[7704,2],[7800,2],[7847,2]]},"2727":{"position":[[60,2],[362,3],[641,2],[993,2],[1123,2]]},"2743":{"position":[[741,3],[844,2],[874,2],[896,2],[936,2]]},"2805":{"position":[[97,3]]},"2841":{"position":[[108,2]]},"2868":{"position":[[654,4]]},"2870":{"position":[[94,2],[149,4],[440,2],[529,2],[604,2],[995,4],[1008,3],[1042,3],[1054,2],[1116,2],[1148,3]]},"2872":{"position":[[1248,2]]},"2874":{"position":[[1047,3],[1224,2],[1350,2],[1889,2],[1942,2]]},"2886":{"position":[[423,2],[458,2],[566,2]]},"2896":{"position":[[252,2],[275,2]]},"2944":{"position":[[1129,2],[1150,2],[1223,4],[1262,2],[1430,2],[1464,4]]},"2948":{"position":[[381,2],[666,2],[764,2],[1051,2],[1300,2],[1327,2],[1353,2]]},"2952":{"position":[[507,6],[1716,2]]},"3030":{"position":[[1769,2]]},"3120":{"position":[[2597,2]]},"3122":{"position":[[2545,2]]},"3124":{"position":[[2414,2]]},"3126":{"position":[[2363,2]]},"3128":{"position":[[2376,2]]},"3130":{"position":[[2489,2]]},"3132":{"position":[[2450,2]]},"3136":{"position":[[2523,2]]},"3138":{"position":[[2504,2]]},"3140":{"position":[[2400,2]]},"3142":{"position":[[2516,2]]},"3144":{"position":[[2381,2]]},"3146":{"position":[[2296,2]]},"3156":{"position":[[2471,2]]},"3162":{"position":[[2513,2]]},"3164":{"position":[[2429,2]]},"3166":{"position":[[2435,2]]},"3177":{"position":[[1956,2]]},"3179":{"position":[[2024,2]]},"3181":{"position":[[2109,2]]},"3183":{"position":[[2005,2]]},"3239":{"position":[[2780,2]]},"3241":{"position":[[2794,2]]},"3243":{"position":[[2909,2]]}}}],["ip/nod",{"_index":1161,"t":{"2657":{"position":[[160,7]]},"2675":{"position":[[965,7]]}}}],["ip6tabl",{"_index":1961,"t":{"2882":{"position":[[707,9],[746,9]]},"2948":{"position":[[1491,9],[1526,9]]}}}],["ip=0.0.0.0",{"_index":2200,"t":{"2952":{"position":[[443,11]]}}}],["ip=:6443",{"_index":1442,"t":{"2745":{"position":[[340,32]]}}}],["k3s_url=https://k3s.example.com",{"_index":1725,"t":{"2821":{"position":[[1625,31],[1721,31]]}}}],["k3s_url=https://myserver:6443",{"_index":2027,"t":{"2906":{"position":[[734,29]]}}}],["k3sup",{"_index":2144,"t":{"2938":{"position":[[75,6]]}}}],["k8",{"_index":2313,"t":{"3012":{"position":[[62,4]]},"3024":{"position":[[878,3],[1441,3],[2124,3]]}}}],["k8s.io",{"_index":791,"t":{"2582":{"position":[[243,6]]},"2854":{"position":[[226,6],[306,6],[330,6],[366,6]]},"3114":{"position":[[777,6],[1059,6],[1341,6],[1623,6],[1905,6],[2187,6],[2469,6]]},"3116":{"position":[[758,6],[1040,6],[1322,6],[1604,6],[1886,6],[2168,6],[2450,6]]},"3134":{"position":[[771,6],[1053,6],[1335,6],[1617,6],[1899,6],[2181,6],[2463,6]]},"3187":{"position":[[743,6],[1025,6],[1307,6],[1589,6],[1871,6],[2153,6],[2435,6]]}}}],["k8s_coredns_coredn",{"_index":677,"t":{"2562":{"position":[[2322,19]]}}}],["k8s_lb",{"_index":627,"t":{"2562":{"position":[[1098,6],[1262,6]]}}}],["k8s_local",{"_index":656,"t":{"2562":{"position":[[1936,9]]}}}],["k8s_metric",{"_index":666,"t":{"2562":{"position":[[2134,11]]}}}],["k8s_pod_coredn",{"_index":685,"t":{"2562":{"position":[[2486,15]]}}}],["k8s_pod_loc",{"_index":687,"t":{"2562":{"position":[[2646,13]]}}}],["k8s_pod_svclb",{"_index":650,"t":{"2562":{"position":[[1610,13]]}}}],["k8s_pod_traefik",{"_index":652,"t":{"2562":{"position":[[1766,15]]}}}],["k8s_traefik_traefik",{"_index":641,"t":{"2562":{"position":[[1445,19]]}}}],["keep",{"_index":1618,"t":{"2791":{"position":[[261,4],[1077,4]]},"3042":{"position":[[362,4]]},"3044":{"position":[[348,4]]},"3158":{"position":[[238,4]]}}}],["keepaliv",{"_index":971,"t":{"2622":{"position":[[234,10],[321,10],[381,11],[422,10],[1207,10],[1280,10]]}}}],["kep",{"_index":794,"t":{"2582":{"position":[[579,3]]}}}],["kernel",{"_index":114,"t":{"2504":{"position":[[269,6],[289,6],[330,6]]},"2518":{"position":[[1977,6],[2006,6],[2047,6]]},"2675":{"position":[[8359,6],[8388,6],[8429,6]]},"2789":{"position":[[216,6]]},"2791":{"position":[[2047,6]]},"2864":{"position":[[421,6]]},"2944":{"position":[[683,6],[770,6],[1368,6],[1656,6]]},"2946":{"position":[[207,7]]},"3016":{"position":[[48,6]]},"3018":{"position":[[75,6],[186,6],[246,6]]},"3028":{"position":[[189,6],[729,6]]},"3030":{"position":[[4043,6]]},"3249":{"position":[[333,6]]}}}],["kernel.keys.root_maxbytes=25000000",{"_index":2339,"t":{"3018":{"position":[[473,34]]}}}],["kernel.panic=10",{"_index":2337,"t":{"3018":{"position":[[434,15]]}}}],["kernel.panic_on_oops=1",{"_index":2338,"t":{"3018":{"position":[[450,22]]}}}],["key",{"_index":300,"t":{"2520":{"position":[[3196,3],[3210,3],[3231,3],[3245,3],[3529,4],[3563,4],[3871,4],[3910,4],[4662,4],[4696,4]]},"2524":{"position":[[195,4],[233,4],[326,4]]},"2526":{"position":[[61,4],[787,4]]},"2530":{"position":[[324,3],[429,5],[636,3],[1466,3],[1529,4],[1601,4],[1659,3],[1713,3],[1727,4],[1815,4]]},"2537":{"position":[[435,4],[484,4],[612,4],[868,5],[1000,4],[1088,3],[1133,4],[1243,5]]},"2539":{"position":[[23,4],[241,4],[1096,3],[1897,4],[2504,5]]},"2541":{"position":[[364,4],[500,4],[1172,5],[1707,4],[1879,5],[2035,4]]},"2543":{"position":[[387,4],[1229,4],[1512,5]]},"2545":{"position":[[27,3],[49,3],[131,4],[153,3],[416,5],[533,3],[619,4],[849,3],[958,3],[1101,3]]},"2636":{"position":[[542,3],[679,5],[697,4]]},"2648":{"position":[[452,3],[1369,3],[1407,3],[1428,3],[1470,3]]},"2675":{"position":[[4287,3],[5298,3],[5323,3],[5365,3],[5390,3]]},"2771":{"position":[[35,5],[334,4]]},"2775":{"position":[[288,3]]},"2777":{"position":[[449,3],[722,3]]},"2825":{"position":[[678,4]]},"2827":{"position":[[271,3],[316,3],[422,3]]},"2848":{"position":[[217,3],[312,4]]},"2872":{"position":[[275,5],[298,3],[309,5],[874,3]]},"2960":{"position":[[177,3],[235,3],[729,7]]},"2962":{"position":[[157,4],[195,4]]},"2996":{"position":[[586,4],[934,4]]},"3030":{"position":[[1194,3],[1610,3],[1698,3],[1913,3],[2466,3],[2739,3],[4302,3]]},"3050":{"position":[[122,3]]},"3089":{"position":[[1782,3],[1893,3]]},"3120":{"position":[[288,3],[413,3],[631,4],[1999,3],[2447,3],[2526,3],[2770,3]]},"3122":{"position":[[1947,3],[2395,3],[2474,3],[2718,3]]},"3124":{"position":[[1816,3],[2264,3],[2343,3],[2587,3]]},"3126":{"position":[[1765,3],[2213,3],[2292,3],[2536,3]]},"3128":{"position":[[1778,3],[2226,3],[2305,3],[2549,3]]},"3130":{"position":[[1891,3],[2339,3],[2418,3],[2662,3]]},"3132":{"position":[[1852,3],[2300,3],[2379,3],[2623,3]]},"3136":{"position":[[1925,3],[2373,3],[2452,3],[2696,3]]},"3138":{"position":[[1906,3],[2354,3],[2433,3],[2677,3]]},"3140":{"position":[[1802,3],[2250,3],[2329,3],[2573,3]]},"3142":{"position":[[1918,3],[2366,3],[2445,3],[2689,3]]},"3144":{"position":[[1783,3],[2231,3],[2310,3],[2554,3]]},"3146":{"position":[[1698,3],[2146,3],[2225,3],[2469,3]]},"3156":{"position":[[1873,3],[2321,3],[2400,3],[2644,3]]},"3160":{"position":[[278,3],[380,3],[1912,3],[2023,3]]},"3162":{"position":[[271,3],[353,3],[375,3],[542,3],[1915,3],[2363,3],[2442,3],[2686,3]]},"3164":{"position":[[1831,3],[2279,3],[2358,3],[2602,3]]},"3166":{"position":[[1837,3],[2285,3],[2364,3],[2608,3]]},"3177":{"position":[[972,3],[1149,3],[1328,3],[1505,3],[1885,3]]},"3179":{"position":[[1040,3],[1217,3],[1396,3],[1573,3],[1953,3]]},"3181":{"position":[[196,3],[230,3],[300,3],[450,3],[504,3],[1125,3],[1302,3],[1481,3],[1658,3],[2038,3]]},"3183":{"position":[[1021,3],[1198,3],[1377,3],[1554,3],[1934,3]]},"3195":{"position":[[255,3],[1806,3],[1917,3],[2138,4],[2190,3],[2265,3],[2344,3]]},"3197":{"position":[[1695,3],[1806,3]]},"3199":{"position":[[1720,3],[1831,3]]},"3201":{"position":[[316,3],[340,3],[1872,3],[1983,3],[2204,4],[2266,3],[2346,3],[2440,3]]},"3203":{"position":[[1698,3],[1809,3]]},"3205":{"position":[[1730,3],[1841,3]]},"3207":{"position":[[1829,3],[1940,3]]},"3239":{"position":[[2182,3],[2630,3],[2709,3],[2953,3]]},"3241":{"position":[[2196,3],[2644,3],[2723,3],[2967,3]]},"3243":{"position":[[2311,3],[2759,3],[2838,3],[3082,3]]},"3245":{"position":[[1818,3],[3041,3]]},"3257":{"position":[[231,3],[506,3],[528,3],[806,3],[2009,3],[3232,3]]}}}],["key1=value1:noexecut",{"_index":190,"t":{"2516":{"position":[[400,21]]}}}],["key=/var/lib/rancher/k3s/server/tls/cli",{"_index":2455,"t":{"3030":{"position":[[1011,42]]},"3120":{"position":[[1760,42]]},"3122":{"position":[[1708,42]]},"3124":{"position":[[1577,42]]},"3126":{"position":[[1526,42]]},"3128":{"position":[[1539,42]]},"3130":{"position":[[1652,42]]},"3132":{"position":[[1613,42]]},"3136":{"position":[[1686,42]]},"3138":{"position":[[1667,42]]},"3140":{"position":[[1563,42]]},"3142":{"position":[[1679,42]]},"3144":{"position":[[1544,42]]},"3146":{"position":[[1459,42]]},"3156":{"position":[[1634,42]]},"3162":{"position":[[1676,42]]},"3164":{"position":[[1592,42]]},"3166":{"position":[[1598,42]]},"3239":{"position":[[1943,42]]},"3241":{"position":[[1957,42]]},"3243":{"position":[[2072,42]]}}}],["key=/var/lib/rancher/k3s/server/tls/etcd/client.key",{"_index":704,"t":{"2564":{"position":[[557,51]]}}}],["key=:6443",{"_index":1701,"t":{"2813":{"position":[[360,10]]}}}],["nodej",{"_index":882,"t":{"2604":{"position":[[321,6],[354,6]]}}}],["nodeport",{"_index":1170,"t":{"2663":{"position":[[273,8]]},"2675":{"position":[[1654,8]]},"2880":{"position":[[408,8]]},"2886":{"position":[[311,9]]}}}],["noderestrict",{"_index":2343,"t":{"3020":{"position":[[521,15]]},"3022":{"position":[[1128,15]]},"3142":{"position":[[76,15],[308,16],[548,17]]}}}],["nodeselector",{"_index":2289,"t":{"2996":{"position":[[552,13],[900,13]]}}}],["non",{"_index":518,"t":{"2541":{"position":[[505,3],[1385,3]]},"2795":{"position":[[1312,3]]},"3034":{"position":[[183,3]]},"3144":{"position":[[212,4]]}}}],["none",{"_index":1007,"t":{"2622":{"position":[[1648,6],[1686,6],[1724,6],[3083,6],[3121,6],[3159,6]]},"2624":{"position":[[1135,6],[1173,6],[1211,6]]},"2663":{"position":[[493,7]]},"2675":{"position":[[2003,7]]},"2821":{"position":[[842,4],[935,5],[1045,4],[1171,4],[1256,4]]},"2829":{"position":[[355,4],[464,4],[562,4]]},"2944":{"position":[[1104,5]]}}}],["nonoper",{"_index":2010,"t":{"2900":{"position":[[533,17],[704,14]]}}}],["normal",{"_index":565,"t":{"2545":{"position":[[1179,6]]},"2870":{"position":[[979,8]]},"3024":{"position":[[2684,6]]}}}],["notabl",{"_index":2318,"t":{"3014":{"position":[[397,7]]}}}],["note",{"_index":55,"t":{"2496":{"position":[[62,4]]},"2526":{"position":[[806,5]]},"2539":{"position":[[928,5],[1070,5]]},"2643":{"position":[[63,4]]},"2719":{"position":[[0,5]]},"2750":{"position":[[266,5]]},"2763":{"position":[[222,4]]},"2767":{"position":[[691,4]]},"2821":{"position":[[1889,4]]},"2845":{"position":[[326,4]]},"2852":{"position":[[306,4]]},"2854":{"position":[[352,4]]},"2864":{"position":[[2030,4]]},"2870":{"position":[[650,4]]},"2880":{"position":[[1455,5]]},"2950":{"position":[[1639,5]]},"2952":{"position":[[953,4]]},"3018":{"position":[[172,5]]},"3022":{"position":[[6395,5]]},"3032":{"position":[[113,4]]},"3065":{"position":[[1916,5]]}}}],["now",{"_index":765,"t":{"2576":{"position":[[624,3]]},"2589":{"position":[[53,3]]},"2622":{"position":[[1500,3],[2936,3]]},"2624":{"position":[[988,3]]},"2685":{"position":[[643,3],[820,3]]},"2791":{"position":[[242,3]]}}}],["ns",{"_index":1562,"t":{"2773":{"position":[[607,2]]}}}],["number",{"_index":74,"t":{"2498":{"position":[[36,6]]},"2518":{"position":[[407,6]]},"2520":{"position":[[325,6],[2214,6]]},"2537":{"position":[[22,6]]},"2648":{"position":[[958,6]]},"2655":{"position":[[67,6]]},"2675":{"position":[[418,6],[4826,6]]},"2685":{"position":[[46,6]]},"2727":{"position":[[548,6]]},"2731":{"position":[[65,6]]},"2755":{"position":[[17,6]]},"3014":{"position":[[242,6],[322,6]]},"3042":{"position":[[335,6]]},"3044":{"position":[[321,6]]},"3150":{"position":[[219,6]]}}}],["nvcr.io/nvidia/k8s/cuda",{"_index":735,"t":{"2568":{"position":[[880,23]]}}}],["nvidia",{"_index":711,"t":{"2568":{"position":[[14,6],[186,6],[242,6],[369,6],[464,6],[476,6],[566,7],[675,6],[691,6],[831,6],[1177,7]]}}}],["nvidia.com/gpu",{"_index":739,"t":{"2568":{"position":[[974,15]]}}}],["nvidia_driver_cap",{"_index":741,"t":{"2568":{"position":[[1047,26]]}}}],["nvidia_visible_devic",{"_index":740,"t":{"2568":{"position":[[1005,22]]}}}],["nvme",{"_index":2103,"t":{"2918":{"position":[[78,4]]}}}],["o",{"_index":1152,"t":{"2652":{"position":[[65,1]]},"2675":{"position":[[2518,1]]},"2738":{"position":[[668,1]]},"2996":{"position":[[2694,1],[2737,1]]}}}],["object",{"_index":331,"t":{"2520":{"position":[[4445,6]]},"2757":{"position":[[564,6]]},"3034":{"position":[[154,7],[285,8],[419,8]]},"3036":{"position":[[245,7]]},"3050":{"position":[[215,8],[230,7]]},"3138":{"position":[[77,7]]},"3215":{"position":[[355,8]]},"3268":{"position":[[86,7]]},"3270":{"position":[[110,7]]},"3272":{"position":[[70,7]]},"3312":{"position":[[76,7]]},"3323":{"position":[[77,7]]}}}],["observ",{"_index":491,"t":{"2539":{"position":[[1245,7]]}}}],["obtain",{"_index":1397,"t":{"2736":{"position":[[353,6]]},"2738":{"position":[[416,6]]},"2783":{"position":[[275,6]]}}}],["occasion",{"_index":1041,"t":{"2630":{"position":[[24,13]]}}}],["occurr",{"_index":1755,"t":{"2827":{"position":[[402,11]]}}}],["oci",{"_index":871,"t":{"2602":{"position":[[452,3]]},"2736":{"position":[[149,3]]},"2740":{"position":[[205,3]]},"2837":{"position":[[211,3]]},"2839":{"position":[[310,3]]},"2854":{"position":[[128,3]]}}}],["odd",{"_index":1229,"t":{"2685":{"position":[[42,3]]}}}],["offer",{"_index":1970,"t":{"2884":{"position":[[470,5]]},"2950":{"position":[[909,6]]},"3317":{"position":[[66,7]]}}}],["offici",{"_index":193,"t":{"2516":{"position":[[528,8]]},"2614":{"position":[[364,8],[397,8],[426,8],[460,8]]},"2719":{"position":[[6,8]]},"2736":{"position":[[278,8]]},"2874":{"position":[[2645,8]]},"2880":{"position":[[1024,8]]}}}],["oidc",{"_index":2766,"t":{"3210":{"position":[[91,4]]}}}],["old",{"_index":237,"t":{"2520":{"position":[[623,3],[686,5]]},"2543":{"position":[[679,3],[1054,3],[1130,3]]},"2545":{"position":[[149,3],[412,3]]},"2748":{"position":[[284,3],[319,3]]},"3006":{"position":[[174,3]]},"3042":{"position":[[155,3],[345,3]]},"3044":{"position":[[154,3],[331,3]]}}}],["older",{"_index":1256,"t":{"2687":{"position":[[534,5]]},"2791":{"position":[[913,5]]},"2880":{"position":[[1498,5]]},"3004":{"position":[[23,5]]},"3014":{"position":[[711,6]]},"3022":{"position":[[26,5],[862,5]]},"3024":{"position":[[1286,5]]},"3028":{"position":[[175,5]]}}}],["omit",{"_index":2296,"t":{"2996":{"position":[[1848,4]]}}}],["on",{"_index":242,"t":{"2520":{"position":[[819,3]]},"2526":{"position":[[956,3]]},"2528":{"position":[[810,3]]},"2545":{"position":[[145,3]]},"2636":{"position":[[71,3]]},"2641":{"position":[[642,3],[1554,3]]},"2663":{"position":[[486,3],[864,3]]},"2675":{"position":[[1996,3],[2311,3]]},"2719":{"position":[[1017,3]]},"2745":{"position":[[23,3]]},"2757":{"position":[[1385,3]]},"2769":{"position":[[660,3]]},"2773":{"position":[[343,4]]},"2793":{"position":[[337,3]]},"2850":{"position":[[740,3]]},"2874":{"position":[[418,3]]},"2884":{"position":[[365,3]]},"2890":{"position":[[62,3]]},"2892":{"position":[[433,3]]},"2920":{"position":[[161,3]]},"3000":{"position":[[161,3]]},"3124":{"position":[[218,3]]}}}],["on=fals",{"_index":2510,"t":{"3030":{"position":[[3785,8]]},"3245":{"position":[[1302,8],[2525,8]]},"3257":{"position":[[1493,8],[2716,8]]}}}],["onc",{"_index":182,"t":{"2516":{"position":[[215,4]]},"2526":{"position":[[1341,4],[1467,4],[1716,4]]},"2528":{"position":[[1200,4],[1447,4]]},"2636":{"position":[[303,4]]},"2687":{"position":[[170,4]]},"2725":{"position":[[1479,4]]},"2750":{"position":[[893,4]]},"2952":{"position":[[662,4]]},"2954":{"position":[[231,4]]},"2996":{"position":[[231,4]]},"3046":{"position":[[350,4]]}}}],["onfailur",{"_index":734,"t":{"2568":{"position":[[803,9]]}}}],["open",{"_index":967,"t":{"2622":{"position":[[28,4],[2148,4]]},"2624":{"position":[[200,4]]},"2791":{"position":[[589,6],[1289,6]]},"2795":{"position":[[875,5]]},"2876":{"position":[[331,6]]},"3058":{"position":[[590,5]]}}}],["openrc",{"_index":357,"t":{"2526":{"position":[[415,6],[1311,6]]},"2528":{"position":[[351,6],[1170,6]]},"2584":{"position":[[37,7],[79,7]]},"2699":{"position":[[85,8]]},"2821":{"position":[[150,6]]},"2906":{"position":[[16,6]]},"2908":{"position":[[150,6],[2587,6]]},"3008":{"position":[[71,7],[204,6]]}}}],["openssl",{"_index":555,"t":{"2545":{"position":[[740,7],[756,7],[783,8],[853,7]]}}}],["openssl_genrsa_flag",{"_index":558,"t":{"2545":{"position":[[798,21],[868,23]]}}}],["oper",{"_index":421,"t":{"2537":{"position":[[59,10],[1296,9]]},"2614":{"position":[[55,10]]},"2616":{"position":[[97,10]]},"2645":{"position":[[190,9]]},"2864":{"position":[[1063,8],[1580,8]]},"2900":{"position":[[429,7]]},"2902":{"position":[[348,11]]},"2916":{"position":[[668,9]]},"2930":{"position":[[256,10],[424,9],[520,8],[844,10]]},"2944":{"position":[[721,9]]},"2950":{"position":[[228,7],[390,9]]},"2996":{"position":[[629,9],[977,9]]},"3014":{"position":[[526,9]]},"3022":{"position":[[831,8]]},"3024":{"position":[[2642,9]]},"3032":{"position":[[169,8]]},"3065":{"position":[[354,10],[1346,8],[1559,9]]},"3301":{"position":[[185,7]]}}}],["oppos",{"_index":1347,"t":{"2719":{"position":[[613,7]]}}}],["opt",{"_index":2325,"t":{"3014":{"position":[[775,3]]}}}],["opt/k3s/server/tl",{"_index":528,"t":{"2541":{"position":[[1267,19],[1644,19],[1820,19]]},"2545":{"position":[[712,19]]}}}],["opt/k3s/server/tls/service.key",{"_index":562,"t":{"2545":{"position":[[899,31],[1050,31]]}}}],["optim",{"_index":1645,"t":{"2793":{"position":[[813,7]]},"2803":{"position":[[67,7]]}}}],["option",{"_index":62,"t":{"2496":{"position":[[167,7],[262,8]]},"2516":{"position":[[38,7],[129,7]]},"2518":{"position":[[6,6],[82,6],[197,9],[207,8]]},"2520":{"position":[[368,8],[937,7],[1369,7],[1857,8],[1872,7],[1978,7],[2963,7],[3326,11]]},"2541":{"position":[[661,6],[2319,6]]},"2543":{"position":[[733,6]]},"2610":{"position":[[283,7]]},"2622":{"position":[[40,6],[540,6],[611,6]]},"2634":{"position":[[167,6]]},"2638":{"position":[[154,6]]},"2641":{"position":[[210,8],[457,8],[2624,8]]},"2643":{"position":[[128,7],[205,7],[300,8]]},"2645":{"position":[[14,7]]},"2648":{"position":[[1571,10]]},"2675":{"position":[[6,6],[84,6],[208,9],[218,8],[5518,10]]},"2709":{"position":[[170,7],[203,7]]},"2723":{"position":[[95,7]]},"2725":{"position":[[994,7],[1129,7]]},"2727":{"position":[[942,7],[955,6]]},"2769":{"position":[[544,8],[859,6],[1058,7]]},"2787":{"position":[[178,6]]},"2799":{"position":[[186,7]]},"2805":{"position":[[161,6]]},"2817":{"position":[[110,7]]},"2819":{"position":[[25,7],[135,7]]},"2821":{"position":[[617,8]]},"2823":{"position":[[1019,8]]},"2829":{"position":[[17,7]]},"2839":{"position":[[177,6]]},"2845":{"position":[[384,6]]},"2864":{"position":[[2087,8]]},"2866":{"position":[[84,7],[253,7]]},"2868":{"position":[[175,7]]},"2872":{"position":[[969,11]]},"2874":{"position":[[649,8],[1095,8]]},"2876":{"position":[[177,7],[227,7]]},"2878":{"position":[[132,7]]},"2898":{"position":[[94,8],[174,8]]},"2908":{"position":[[2300,7],[2416,7]]},"2942":{"position":[[46,8]]},"2944":{"position":[[186,7]]},"2960":{"position":[[526,8]]},"2992":{"position":[[449,8]]},"3014":{"position":[[837,7]]},"3052":{"position":[[266,8]]},"3058":{"position":[[194,7]]},"3199":{"position":[[2148,9],[2388,9],[2628,9]]},"3205":{"position":[[2193,9]]},"3317":{"position":[[58,7]]}}}],["order",{"_index":1111,"t":{"2641":{"position":[[1924,5]]},"2743":{"position":[[701,5]]},"2755":{"position":[[444,5]]},"2769":{"position":[[562,5]]},"2779":{"position":[[553,5]]},"2809":{"position":[[198,5]]},"2827":{"position":[[219,6]]},"2839":{"position":[[3,5]]},"2843":{"position":[[313,5]]},"2845":{"position":[[524,5]]},"2854":{"position":[[433,5]]},"2866":{"position":[[394,5]]},"2896":{"position":[[3,5]]},"2898":{"position":[[186,5]]},"2950":{"position":[[700,5]]},"3036":{"position":[[308,5]]},"3215":{"position":[[273,5]]}}}],["organ",{"_index":1478,"t":{"2757":{"position":[[208,10]]}}}],["organization/project",{"_index":1568,"t":{"2773":{"position":[[1039,20]]}}}],["origin",{"_index":529,"t":{"2541":{"position":[[1465,8],[1497,8]]},"2773":{"position":[[543,8],[1534,8]]},"2821":{"position":[[2016,8]]},"3065":{"position":[[1047,8]]}}}],["os",{"_index":571,"t":{"2551":{"position":[[49,3]]},"2584":{"position":[[22,3]]},"2593":{"position":[[7,3],[82,2]]},"2699":{"position":[[30,3]]},"2707":{"position":[[56,2]]},"2789":{"position":[[270,3]]},"2791":{"position":[[1483,2],[1585,2]]},"2797":{"position":[[723,2]]},"2860":{"position":[[165,2]]},"2918":{"position":[[0,3]]}}}],["oss",{"_index":1612,"t":{"2791":{"position":[[59,3],[2135,3]]}}}],["other",{"_index":1780,"t":{"2843":{"position":[[220,7]]},"2956":{"position":[[96,6]]},"3020":{"position":[[574,7]]}}}],["other=what",{"_index":1765,"t":{"2827":{"position":[[774,10],[932,10]]}}}],["otherwis",{"_index":1513,"t":{"2763":{"position":[[313,9]]},"2779":{"position":[[514,9]]},"2850":{"position":[[330,9]]},"2886":{"position":[[535,10]]},"2954":{"position":[[183,10]]}}}],["out",{"_index":561,"t":{"2545":{"position":[[895,3]]},"2753":{"position":[[225,3]]},"2805":{"position":[[90,3]]},"2874":{"position":[[1237,3]]},"2996":{"position":[[1200,3]]},"3002":{"position":[[362,3]]},"3042":{"position":[[240,3]]},"3044":{"position":[[239,3]]}}}],["outbound",{"_index":1657,"t":{"2795":{"position":[[357,8]]},"2797":{"position":[[626,8]]}}}],["outlin",{"_index":1591,"t":{"2785":{"position":[[62,8]]},"2793":{"position":[[95,8]]},"2898":{"position":[[113,8]]},"3014":{"position":[[96,8]]},"3016":{"position":[[118,8]]},"3020":{"position":[[166,8]]},"3052":{"position":[[341,8]]},"3065":{"position":[[1232,8]]}}}],["output",{"_index":549,"t":{"2543":{"position":[[1637,6],[1825,6]]},"2641":{"position":[[753,6],[2590,6],[2603,6]]}}}],["outsid",{"_index":925,"t":{"2614":{"position":[[78,7]]},"3058":{"position":[[522,7]]}}}],["over",{"_index":171,"t":{"2512":{"position":[[143,4]]},"2518":{"position":[[3393,4]]},"2524":{"position":[[115,4]]},"2648":{"position":[[1673,4]]},"2671":{"position":[[199,4]]},"2675":{"position":[[5626,4],[8716,4]]},"2727":{"position":[[138,4],[283,4],[499,4]]},"2748":{"position":[[371,4]]},"2795":{"position":[[109,4],[169,4]]},"2866":{"position":[[295,4]]},"2868":{"position":[[685,4]]},"2962":{"position":[[77,4]]}}}],["overhead",{"_index":2088,"t":{"2914":{"position":[[482,8]]},"2950":{"position":[[2103,9]]}}}],["overlayf",{"_index":218,"t":{"2518":{"position":[[2496,12]]},"2675":{"position":[[7432,12]]}}}],["overrid",{"_index":159,"t":{"2508":{"position":[[259,8],[319,8],[385,8]]},"2518":{"position":[[2446,8],[2941,8],[3016,8],[3097,8]]},"2520":{"position":[[4863,10]]},"2675":{"position":[[7382,8],[8006,8],[8081,8],[8162,8]]},"3253":{"position":[[166,8]]}}}],["override=hostname01",{"_index":2512,"t":{"3030":{"position":[[3838,19]]}}}],["override=k3",{"_index":2800,"t":{"3245":{"position":[[1355,12],[2578,12]]},"3257":{"position":[[1546,12],[2769,12]]}}}],["overview",{"_index":2573,"t":{"3065":{"position":[[0,9]]}}}],["overwrit",{"_index":517,"t":{"2541":{"position":[[257,9]]},"2543":{"position":[[280,9]]},"2545":{"position":[[443,9]]},"2825":{"position":[[1055,9]]},"2827":{"position":[[479,11]]},"2908":{"position":[[686,10]]}}}],["own",{"_index":1155,"t":{"2652":{"position":[[248,5]]}}}],["ownership",{"_index":2327,"t":{"3014":{"position":[[1135,10]]},"3232":{"position":[[66,9]]}}}],["p",{"_index":498,"t":{"2539":{"position":[[2009,1]]},"2541":{"position":[[1265,1]]},"2545":{"position":[[710,1]]},"2576":{"position":[[836,1]]},"2595":{"position":[[385,1]]},"2622":{"position":[[2612,1]]},"2624":{"position":[[664,1]]},"2738":{"position":[[617,1]]},"3018":{"position":[[360,1]]},"3026":{"position":[[411,1]]}}}],["packag",{"_index":1200,"t":{"2675":{"position":[[5844,8]]},"2709":{"position":[[650,8],[693,8]]},"2755":{"position":[[27,8],[316,8]]},"2757":{"position":[[671,8]]},"2761":{"position":[[15,8]]},"2785":{"position":[[279,8]]},"2880":{"position":[[514,8],[910,8]]},"2914":{"position":[[47,8],[212,8]]},"2944":{"position":[[2054,8]]},"3014":{"position":[[1216,8]]},"3024":{"position":[[1063,8]]}}}],["packet",{"_index":2158,"t":{"2944":{"position":[[1336,8]]}}}],["page",{"_index":59,"t":{"2496":{"position":[[127,4],[198,4]]},"2643":{"position":[[236,4]]},"2736":{"position":[[419,4]]},"2738":{"position":[[482,4]]},"2743":{"position":[[208,5]]},"2748":{"position":[[139,4]]},"2789":{"position":[[89,4],[235,6]]},"2819":{"position":[[5,4]]},"2823":{"position":[[203,5]]},"2876":{"position":[[5,4],[185,4]]},"2898":{"position":[[108,4]]},"2934":{"position":[[100,4]]},"2942":{"position":[[5,4]]},"2992":{"position":[[1297,5],[1440,5]]}}}],["paramet",{"_index":1358,"t":{"2725":{"position":[[214,9],[294,9],[1362,9]]},"2773":{"position":[[616,10]]},"2870":{"position":[[323,10],[679,9],[1119,9]]},"2872":{"position":[[800,9],[928,10],[1111,10]]},"2880":{"position":[[1060,12]]},"3016":{"position":[[55,10]]},"3018":{"position":[[82,10],[253,11]]},"3112":{"position":[[159,10]]},"3114":{"position":[[271,10]]},"3118":{"position":[[182,10]]},"3120":{"position":[[292,10]]},"3122":{"position":[[292,9]]},"3124":{"position":[[174,9]]},"3126":{"position":[[174,9]]},"3128":{"position":[[174,9]]},"3130":{"position":[[227,11]]},"3132":{"position":[[190,10]]},"3134":{"position":[[180,9]]},"3136":{"position":[[180,9]]},"3138":{"position":[[279,9]]},"3140":{"position":[[181,9]]},"3142":{"position":[[273,9]]},"3144":{"position":[[177,9]]},"3146":{"position":[[159,10]]},"3148":{"position":[[180,9]]},"3150":{"position":[[182,9]]},"3152":{"position":[[185,9]]},"3154":{"position":[[183,9]]},"3156":{"position":[[159,10],[259,9]]},"3158":{"position":[[463,9]]},"3160":{"position":[[287,11]]},"3162":{"position":[[280,11]]},"3166":{"position":[[289,10]]},"3168":{"position":[[263,9]]},"3172":{"position":[[159,10]]},"3177":{"position":[[176,10]]},"3179":{"position":[[175,10]]},"3181":{"position":[[205,9]]},"3183":{"position":[[185,9]]},"3185":{"position":[[196,9]]},"3187":{"position":[[210,9]]},"3190":{"position":[[163,10]]},"3192":{"position":[[192,9]]},"3195":{"position":[[210,11]]},"3197":{"position":[[136,10]]},"3199":{"position":[[151,9]]},"3201":{"position":[[252,11]]},"3203":{"position":[[136,10]]},"3205":{"position":[[156,9]]},"3207":{"position":[[259,10]]},"3239":{"position":[[277,9]]},"3241":{"position":[[263,9]]},"3243":{"position":[[306,9]]},"3245":{"position":[[253,9]]},"3247":{"position":[[290,9]]},"3249":{"position":[[275,9]]},"3255":{"position":[[274,9]]},"3257":{"position":[[396,10]]},"3261":{"position":[[158,9]]},"3263":{"position":[[593,9]]}}}],["part",{"_index":1042,"t":{"2630":{"position":[[92,6]]},"2685":{"position":[[647,4]]},"2719":{"position":[[1168,4]]},"2775":{"position":[[138,4],[548,4]]}}}],["parti",{"_index":942,"t":{"2618":{"position":[[367,5]]},"2783":{"position":[[80,5]]},"3317":{"position":[[108,5]]}}}],["particip",{"_index":1786,"t":{"2843":{"position":[[1337,11]]}}}],["particular",{"_index":1788,"t":{"2845":{"position":[[433,10]]},"2892":{"position":[[12,10]]},"2930":{"position":[[1000,10]]}}}],["particularli",{"_index":1731,"t":{"2823":{"position":[[264,12]]}}}],["pass",{"_index":64,"t":{"2496":{"position":[[233,6]]},"2518":{"position":[[96,6]]},"2520":{"position":[[1887,6]]},"2610":{"position":[[251,4]]},"2643":{"position":[[271,6]]},"2675":{"position":[[98,6]]},"2685":{"position":[[1392,6]]},"2729":{"position":[[854,6]]},"2745":{"position":[[1312,6]]},"2773":{"position":[[569,6]]},"2787":{"position":[[253,4]]},"2805":{"position":[[134,7]]},"2817":{"position":[[98,7]]},"2821":{"position":[[268,4],[2245,7]]},"2823":{"position":[[542,4]]},"2956":{"position":[[286,4]]},"2960":{"position":[[82,7],[239,4]]},"3014":{"position":[[315,4]]},"3022":{"position":[[141,7],[955,7]]},"3026":{"position":[[824,6]]},"3032":{"position":[[55,4],[147,6]]},"3034":{"position":[[454,7],[524,4]]},"3036":{"position":[[553,7],[623,4]]},"3038":{"position":[[479,7]]},"3040":{"position":[[319,7]]},"3042":{"position":[[494,7]]},"3044":{"position":[[480,7]]},"3046":{"position":[[704,7]]},"3048":{"position":[[495,7]]},"3052":{"position":[[301,7]]},"3054":{"position":[[571,7]]},"3056":{"position":[[191,7]]},"3058":{"position":[[622,7]]},"3060":{"position":[[880,4]]},"3065":{"position":[[1181,4],[1215,6]]},"3089":{"position":[[8,4],[80,6],[1653,4]]},"3091":{"position":[[90,6]]},"3095":{"position":[[8,4]]},"3097":{"position":[[8,4]]},"3099":{"position":[[8,4]]},"3101":{"position":[[8,4]]},"3103":{"position":[[8,4]]},"3105":{"position":[[8,4]]},"3114":{"position":[[8,4]]},"3116":{"position":[[8,4]]},"3120":{"position":[[8,4]]},"3122":{"position":[[8,4]]},"3124":{"position":[[8,4]]},"3126":{"position":[[8,4]]},"3128":{"position":[[8,4]]},"3132":{"position":[[8,4]]},"3138":{"position":[[8,4]]},"3140":{"position":[[8,4]]},"3142":{"position":[[8,4]]},"3144":{"position":[[8,4]]},"3146":{"position":[[8,4]]},"3156":{"position":[[8,4]]},"3160":{"position":[[8,4],[1783,4]]},"3162":{"position":[[8,4]]},"3164":{"position":[[8,4]]},"3166":{"position":[[8,4]]},"3177":{"position":[[8,4]]},"3179":{"position":[[8,4]]},"3181":{"position":[[8,4]]},"3183":{"position":[[8,4]]},"3187":{"position":[[8,4]]},"3190":{"position":[[8,4]]},"3192":{"position":[[8,4]]},"3195":{"position":[[8,4],[1677,4]]},"3197":{"position":[[8,4],[1566,4]]},"3199":{"position":[[8,4],[1591,4]]},"3201":{"position":[[8,4],[1743,4]]},"3203":{"position":[[8,4],[1569,4]]},"3205":{"position":[[8,4],[1601,4]]},"3207":{"position":[[8,4],[1700,4]]},"3222":{"position":[[8,4]]},"3224":{"position":[[8,4]]},"3226":{"position":[[8,4]]},"3228":{"position":[[8,4]]},"3230":{"position":[[8,4]]},"3232":{"position":[[8,4]]},"3239":{"position":[[8,4]]},"3241":{"position":[[8,4]]},"3243":{"position":[[8,4]]},"3245":{"position":[[8,4]]},"3257":{"position":[[8,4]]}}}],["passphras",{"_index":433,"t":{"2537":{"position":[[536,10]]},"2636":{"position":[[523,10]]}}}],["passwd",{"_index":49,"t":{"2494":{"position":[[657,7]]}}}],["password",{"_index":1056,"t":{"2630":{"position":[[601,9]]},"2632":{"position":[[41,8]]},"2636":{"position":[[100,9],[908,9]]},"2771":{"position":[[187,9],[209,9]]},"2775":{"position":[[691,8],[705,8]]},"2777":{"position":[[315,9],[355,8]]},"2779":{"position":[[318,9],[358,8]]},"2831":{"position":[[507,8]]}}}],["password.k3",{"_index":43,"t":{"2494":{"position":[[363,12]]}}}],["past",{"_index":1460,"t":{"2748":{"position":[[525,4]]}}}],["patch",{"_index":2004,"t":{"2900":{"position":[[127,5]]},"3002":{"position":[[622,5]]}}}],["path",{"_index":140,"t":{"2506":{"position":[[128,5],[190,4]]},"2518":{"position":[[1330,4],[1517,4],[2215,5],[2273,4]]},"2520":{"position":[[978,4],[1410,4],[2531,4],[2542,4]]},"2562":{"position":[[598,4],[1883,4],[1946,4],[1969,4],[2660,4]]},"2665":{"position":[[41,4],[74,4]]},"2675":{"position":[[3395,4],[3411,4],[5717,4],[5760,4],[6659,4],[6846,4],[7151,5],[7209,4]]},"2763":{"position":[[793,4]]},"2771":{"position":[[255,5],[286,5],[318,5]]},"2775":{"position":[[211,4],[292,4],[384,4]]},"2777":{"position":[[382,4],[437,4],[490,4],[655,4],[710,4],[763,4]]},"2823":{"position":[[228,5]]},"2908":{"position":[[621,5]]},"2914":{"position":[[268,4]]},"2976":{"position":[[65,4],[152,4]]},"2978":{"position":[[300,4]]},"3038":{"position":[[28,4],[447,5]]},"3122":{"position":[[309,4]]},"3148":{"position":[[175,4],[204,4]]},"3168":{"position":[[280,4]]}}}],["path/to/cni/fil",{"_index":2596,"t":{"3085":{"position":[[152,19]]},"3087":{"position":[[158,19]]}}}],["path/to/encrypt",{"_index":2734,"t":{"3170":{"position":[[194,19]]}}}],["path=/opt/k3s/serv",{"_index":536,"t":{"2541":{"position":[[2088,20]]},"2545":{"position":[[1152,20]]}}}],["path=/var/lib/rancher/k3s/agent/pod",{"_index":2515,"t":{"3030":{"position":[[3987,35]]},"3245":{"position":[[1599,35],[2822,35]]},"3257":{"position":[[1790,35],[3013,35]]}}}],["path=/var/lib/rancher/k3s/server/logs/audit.log",{"_index":1816,"t":{"2864":{"position":[[572,48]]},"3026":{"position":[[898,48],[1236,48]]},"3028":{"position":[[340,48],[906,48]]}}}],["path=/var/lib/rancher/k3s/server/rot",{"_index":551,"t":{"2543":{"position":[[1890,39]]}}}],["path=/var/log/apiserver/audit.log",{"_index":2719,"t":{"3148":{"position":[[290,33]]}}}],["path=:6443",{"_index":1232,"t":{"2685":{"position":[[578,13]]}}}],["server2",{"_index":1236,"t":{"2685":{"position":[[769,7]]}}}],["server_external_ip",{"_index":1875,"t":{"2870":{"position":[[503,18],[717,18],[894,18]]}}}],["server_metr",{"_index":667,"t":{"2562":{"position":[[2146,14]]}}}],["servers=https://127.0.0.1:2379",{"_index":2449,"t":{"3030":{"position":[[771,30]]},"3120":{"position":[[1500,30]]},"3122":{"position":[[1448,30]]},"3124":{"position":[[1317,30]]},"3126":{"position":[[1266,30]]},"3128":{"position":[[1279,30]]},"3130":{"position":[[1392,30]]},"3132":{"position":[[1353,30]]},"3136":{"position":[[1426,30]]},"3138":{"position":[[1407,30]]},"3140":{"position":[[1303,30]]},"3142":{"position":[[1419,30]]},"3144":{"position":[[1284,30]]},"3146":{"position":[[1199,30]]},"3156":{"position":[[1374,30]]},"3162":{"position":[[1416,30]]},"3164":{"position":[[1332,30]]},"3166":{"position":[[1338,30]]},"3239":{"position":[[1683,30]]},"3241":{"position":[[1697,30]]},"3243":{"position":[[1812,30]]}}}],["servic",{"_index":355,"t":{"2526":{"position":[[354,8],[425,7],[1250,8],[1321,7]]},"2528":{"position":[[290,8],[361,7],[1109,8],[1180,7]]},"2535":{"position":[[313,7]]},"2539":{"position":[[1113,7]]},"2541":{"position":[[1683,7],[1729,7],[2162,7]]},"2543":{"position":[[1986,7]]},"2545":{"position":[[4,7],[66,7],[108,7],[205,7],[596,7],[1293,7]]},"2589":{"position":[[288,9]]},"2591":{"position":[[196,9]]},"2618":{"position":[[332,8],[421,7],[622,9]]},"2636":{"position":[[734,7]]},"2645":{"position":[[513,7]]},"2663":{"position":[[106,7],[175,7],[189,7],[259,8],[354,8],[381,7],[1106,7],[1375,7],[1494,7],[1747,7]]},"2675":{"position":[[1466,7],[1533,7],[1571,7],[1640,8],[1760,8],[1787,7]]},"2685":{"position":[[1231,7]]},"2713":{"position":[[519,8]]},"2719":{"position":[[503,8],[578,8]]},"2729":{"position":[[693,7]]},"2731":{"position":[[197,9]]},"2748":{"position":[[583,7]]},"2785":{"position":[[152,8]]},"2791":{"position":[[525,9],[704,9],[1247,9],[1404,9],[1676,8]]},"2815":{"position":[[326,8]]},"2821":{"position":[[127,7],[294,7],[433,7],[550,7]]},"2823":{"position":[[91,8],[402,8]]},"2864":{"position":[[830,7]]},"2866":{"position":[[447,9]]},"2870":{"position":[[1172,8]]},"2872":{"position":[[120,7]]},"2880":{"position":[[241,7]]},"2884":{"position":[[216,8],[330,8],[395,8],[587,8]]},"2886":{"position":[[44,8],[121,8],[603,8],[666,8],[709,8],[809,7]]},"2888":{"position":[[9,7]]},"2892":{"position":[[171,9],[450,7],[546,7],[621,7]]},"2908":{"position":[[127,7],[765,8],[831,8],[1280,7],[1425,8],[1634,7],[1831,7],[2594,8]]},"2950":{"position":[[376,8],[478,7],[754,7],[1184,7],[1447,7],[1537,7],[1898,7]]},"2952":{"position":[[781,7],[908,7],[1008,7],[1270,7],[1661,7]]},"2954":{"position":[[433,7],[533,7]]},"2994":{"position":[[108,7]]},"2998":{"position":[[93,7]]},"3002":{"position":[[754,7]]},"3008":{"position":[[245,7],[298,7]]},"3010":{"position":[[280,7]]},"3026":{"position":[[1120,7]]},"3028":{"position":[[598,7],[1164,7]]},"3030":{"position":[[1565,7],[1594,7],[1674,7],[1753,7],[2715,7],[2806,7]]},"3046":{"position":[[545,7]]},"3048":{"position":[[18,7],[89,7],[227,7],[323,7],[374,7]]},"3060":{"position":[[20,7],[107,7],[176,7],[286,7],[361,7],[390,7],[459,7],[631,7],[678,7],[860,7]]},"3120":{"position":[[2361,7],[2431,7],[2502,7],[2581,7],[2621,7]]},"3122":{"position":[[2309,7],[2379,7],[2450,7],[2529,7],[2569,7]]},"3124":{"position":[[2178,7],[2248,7],[2319,7],[2398,7],[2438,7]]},"3126":{"position":[[2127,7],[2197,7],[2268,7],[2347,7],[2387,7]]},"3128":{"position":[[2140,7],[2210,7],[2281,7],[2360,7],[2400,7]]},"3130":{"position":[[2253,7],[2323,7],[2394,7],[2473,7],[2513,7]]},"3132":{"position":[[2214,7],[2284,7],[2355,7],[2434,7],[2474,7]]},"3136":{"position":[[2287,7],[2357,7],[2428,7],[2507,7],[2547,7]]},"3138":{"position":[[2268,7],[2338,7],[2409,7],[2488,7],[2528,7]]},"3140":{"position":[[2164,7],[2234,7],[2305,7],[2384,7],[2424,7]]},"3142":{"position":[[2280,7],[2350,7],[2421,7],[2500,7],[2540,7]]},"3144":{"position":[[2145,7],[2215,7],[2286,7],[2365,7],[2405,7]]},"3146":{"position":[[2060,7],[2130,7],[2201,7],[2280,7],[2320,7]]},"3156":{"position":[[172,7],[236,7],[441,7],[486,7],[2235,7],[2305,7],[2376,7],[2455,7],[2495,7]]},"3158":{"position":[[337,7]]},"3162":{"position":[[2277,7],[2347,7],[2418,7],[2497,7],[2537,7]]},"3164":{"position":[[2193,7],[2263,7],[2334,7],[2413,7],[2453,7]]},"3166":{"position":[[2199,7],[2269,7],[2340,7],[2419,7],[2459,7]]},"3177":{"position":[[1608,8],[1861,7],[1940,7],[1984,7]]},"3179":{"position":[[192,7],[334,7],[387,7],[1676,8],[1929,7],[2008,7],[2052,7]]},"3181":{"position":[[172,7],[243,7],[276,7],[425,8],[480,7],[1761,8],[2014,7],[2093,7],[2137,7]]},"3183":{"position":[[1657,8],[1910,7],[1989,7],[2033,7]]},"3195":{"position":[[42,7]]},"3201":{"position":[[42,7]]},"3207":{"position":[[134,8]]},"3239":{"position":[[172,7],[390,8],[2544,7],[2614,7],[2685,7],[2764,7],[2804,7]]},"3241":{"position":[[158,7],[376,8],[2558,7],[2628,7],[2699,7],[2778,7],[2818,7]]},"3243":{"position":[[201,7],[432,8],[2673,7],[2743,7],[2814,7],[2893,7],[2933,7]]},"3245":{"position":[[148,7],[362,8]]},"3247":{"position":[[185,7],[419,8]]},"3249":{"position":[[170,7],[396,8]]},"3251":{"position":[[171,7],[396,8]]},"3253":{"position":[[53,7],[270,8]]},"3255":{"position":[[169,7],[364,8]]},"3257":{"position":[[291,7],[580,8]]},"3259":{"position":[[225,7],[446,8]]},"3261":{"position":[[53,7],[300,8]]},"3263":{"position":[[474,7],[1005,8]]},"3274":{"position":[[42,7],[186,7]]},"3276":{"position":[[60,7],[104,7]]}}}],["service'",{"_index":1976,"t":{"2886":{"position":[[328,9],[483,9]]}}}],["service.key",{"_index":489,"t":{"2539":{"position":[[1183,11]]},"2545":{"position":[[364,11]]}}}],["service>,=.node-password.k3s 템플릿을 사용하는 이름으로 kube-system 네임스페이스에 저장됩니다. 이는 노드 ID의 무결성을 보호하기 위해 수행됩니다. 에이전트의 /etc/rancher/node 디렉터리가 제거되거나 기존 이름을 사용하여 노드에 다시 가입하려는 경우, 클러스터에서 노드를 삭제해야 합니다. 이렇게 하면 이전 노드 항목과 노드 비밀번호 시크릿이 모두 정리되고 노드가 클러스터에 (재)조인할 수 있습니다. 비고 K3s v1.20.2 이전 서버는 /var/lib/rancher/k3s/server/cred/node-passwd에 디스크에 비밀번호를 저장합니다. 호스트 이름을 자주 재사용하지만 노드 암호 시크릿을 제거할 수 없는 경우, --with-node-id 플래그를 사용하여 K3s 서버 또는 에이전트를 시작하면 호스트 이름에 고유 노드 ID를 자동으로 추가할 수 있습니다. 활성화하면 노드 ID는 /etc/rancher/node/에도 저장됩니다.","s":"에이전트 노드 등록 작동 방식","u":"/kr/architecture","h":"#에이전트-노드-등록-작동-방식","p":2483},{"i":2494,"t":"K3s 바이너리에는 클러스터 관리에 도움이 되는 여러 가지 추가 도구가 포함되어 있습니다. Command Description k3s server 데이터스토어와 에이전트 컴포넌트 외에 쿠버네티스 apiserver, scheduler, controller-manager, 그리고 cloud-controller-manager 컴포넌트를 실행하는 K3s 서버 노드를 실행합니다. 자세한 내용은 k3s server 명령어 설명서를 참고하세요. k3s agent containerd, flannel, kube-router 네트워크 정책 컨트롤러와 쿠버네티스 kubelet 및 kube-proxy 구성 요소를 실행하는 K3s 에이전트 노드를 실행한다. 자세한 내용은 k3s agent 명령어 설명서를 참조하세요. k3s kubectl 임베드된 kubectl 명령을 실행합니다. 이것은 쿠버네티스 apiserver와 상호작용하기 위한 CLI입니다. KUBECONFIG 환경 변수가 설정되어 있지 않으면, 자동으로 /etc/rancher/k3s/k3s.yaml에서 kubeconfig를 사용하려고 시도합니다. k3s crictl 임베드된 crictl 명령을 실행합니다. 이것은 쿠버네티스의 컨테이너 런타임 인터페이스(CRI: Container Runtime Interface)와 상호 작용하기 위한 CLI입니다. 디버깅에 유용합니다. k3s ctr 내장된 ctr 명령을 실행합니다. 이는 K3s에서 사용하는 컨테이너 데몬인 containerd의 CLI입니다. 디버깅에 유용합니다. k3s token 부트스트랩 토큰을 관리합니다. 자세한 내용은 k3s token 명령어 설명서를 참조하세요. k3s etcd-snapshot K3s 클러스터 데이터의 온디맨드 백업을 수행하여 S3에 업로드합니다. 자세한 내용은 k3s etcd-snapshot 명령어 설명서를 참조하세요. k3s secrets-encrypt 클러스터에 시크릿을 저장할 때 암호화하도록 K3s를 구성합니다. 자세한 내용은 k3s secrets-encrypt 명령어 설명서를 참조하세요. k3s certificate K3s 인증서를 관리합니다. 자세한 내용은 k3s certificate 명령어 설명서를 참조하세요. k3s completion k3s용 셸 자동완성 스크립트를 생성합니다. k3s help 명령 목록 또는 한 명령어에 대한 도움말을 표시합니다.","s":"명령줄 도구","u":"/kr/cli","h":"","p":2493},{"i":2497,"t":"K3s client and server certificates are valid for 365 days from their date of issuance. Any certificates that are expired, or within 90 days of expiring, are automatically renewed every time K3s starts.","s":"Client and Server Certificates","u":"/kr/cli/certificate","h":"#client-and-server-certificates","p":2495},{"i":2499,"t":"To rotate client and server certificates manually, use the k3s certificate rotate subcommand: # Stop K3s systemctl stop k3s # Rotate certificates k3s certificate rotate # Start K3s systemctl start k3s Individual or lists of certificates can be rotated by specifying the certificate name: k3s certificate rotate --service , The following certificates can be rotated: admin, api-server, controller-manager, scheduler, k3s-controller, k3s-server, cloud-controller, etcd, auth-proxy, kubelet, kube-proxy.","s":"Rotating Client and Server Certificates","u":"/kr/cli/certificate","h":"#rotating-client-and-server-certificates","p":2495},{"i":2501,"t":"Kubernetes requires a number of CA certificates for proper operation. For more information on how Kubernetes uses CA certificates, see the Kubernetes PKI Certificates and Requirements documentation. By default, K3s generates self-signed CA certificates during startup of the first server node. These CA certificates are valid for 10 years from date of issuance, and are not automatically renewed. The authoritative CA certificates and keys are stored within the datastore's bootstrap key, encrypted using the server token as the PBKDF2 passphrase with AES256-GCM and HMAC-SHA1. Copies of the CA certificates and keys are extracted to disk during K3s server startup. Any server may generate leaf certificates for nodes as they join the cluster, and the Kubernetes Certificates API controllers may issue additional certificates at runtime. To rotate CA certificates and keys, use the k3s certificate rotate-ca command. The command performs integrity checks to confirm that the updated certificates and keys are usable. If the updated data is acceptable, the datastore's encrypted bootstrap key is updated, and the new certificates and keys will be used the next time K3s starts. If problems are encountered while validating the certificates and keys, an error is reported to the system log and the operation is cancelled without changes. Version Gate Support for the k3s certificate rotate-ca command and the ability to use CA certificates signed by an external CA is available starting with the 2023-02 releases (v1.26.2+k3s1, v1.25.7+k3s1, v1.24.11+k3s1, v1.23.17+k3s1).","s":"Certificate Authority (CA) Certificates","u":"/kr/cli/certificate","h":"#certificate-authority-ca-certificates","p":2495},{"i":2503,"t":"If CA certificates and keys are found the correct location during initial startup of the first server in the cluster, automatic generation of CA certificates will be bypassed. An example script to pre-create the appropriate certificates and keys is available in the K3s repo at contrib/util/generate-custom-ca-certs.sh. This script should be run prior to starting K3s for the first time, and will create a full set of leaf CA certificates signed by common Root and Intermediate CA certificates. If you have an existing Root or Intermediate CA, this script can be used (or used as a starting point) to create the correct CA certificates to provision a K3s cluster with PKI rooted in an existing authority. Custom Certificate Authority files must be placed in /var/lib/rancher/k3s/server/tls. The following files are required: server-ca.crt server-ca.key client-ca.crt client-ca.key request-header-ca.crt request-header-ca.key // note: etcd files are required even if embedded etcd is not in use. etcd/peer-ca.crt etcd/peer-ca.key etcd/server-ca.crt etcd/server-ca.key // note: This is the private key used to sign service-account tokens. It does not have a corresponding certificate. service.key Custom CA Topology​ Custom CA Certificates should observe the following topology: Using the Example Script​ 중요한 If you want to sign the cluster CA certificates with an existing root CA using the example script, you must place the root and intermediate files in the target directory prior to running the script. If the files do not exist, the script will create new root and intermediate CA certificates. If you want to use only an existing root CA certificate, provide the following files: root.pem root.key If you want to use existing root and intermediate CA certificates, provide the following files: root.pem intermediate.pem intermediate.key To use the example script to generate custom certs and keys before starting K3s, run the following commands: # Create the target directory for cert generation. mkdir -p /var/lib/rancher/k3s/server/tls # Copy your root CA cert and intermediate CA cert+key into the correct location for the script. # For the purposes of this example, we assume you have existing root and intermediate CA files in /etc/ssl. # If you do not have an existing root and/or intermediate CA, the script will generate them for you. cp /etc/ssl/certs/root.pem /etc/ssl/certs/intermediate.pem /etc/ssl/private/intermediate.key /var/lib/rancher/k3s/server/tls # Generate custom CA certs and keys. curl -sL https://github.com/k3s-io/k3s/raw/master/contrib/util/generate-custom-ca-certs.sh | bash - If the command completes successfully, you may install and/or start K3s for the first time. If the script generated root and/or intermediate CA files, you should back up these files so that they can be reused if it is necessary to rotate the CA certificates at a later date.","s":"Using Custom CA Certificates","u":"/kr/cli/certificate","h":"#using-custom-ca-certificates","p":2495},{"i":2505,"t":"To rotate custom CA certificates, use the k3s certificate rotate-ca subcommand. Updated files must be staged into a temporary directory, loaded into the datastore, and k3s must be restarted on all nodes to use the updated certificates. warning You must not overwrite the currently in-use data in /var/lib/rancher/k3s/server/tls. Stage the updated certificates and keys into a separate directory. A cluster that has been started with custom CA certificates can renew or rotate the CA certificates and keys non-disruptively, as long as the same root CA is used. If a new root CA is required, the rotation will be disruptive. The k3s certificate rotate-ca --force option must be used, all nodes that were joined with a secure token (including servers) will need to be reconfigured to use the new token value, and pods will need to be restarted to trust the new root CA. Using the Example Script​ The example generate-custom-ca-certs.sh script linked above can also be used to generate updated certs in a new temporary directory, by copying files into the correct location and setting the DATA_DIR environment variable. To use the example script to generate updated certs and keys, run the following commands: # Create a temporary directory for cert generation. mkdir -p /opt/k3s/server/tls # Copy your root CA cert and intermediate CA cert+key into the correct location for the script. # Non-disruptive rotation requires the same root CA that was used to generate the original certificates. # If the original files are still in the data directory, you can just run: cp /var/lib/rancher/k3s/server/root.* /var/lib/rancher/k3s/server/intermediate.* /opt/k3s/server/tls # Copy the current service-account signing key, so that existing service-account tokens are not invalidated. cp /var/lib/rancher/k3s/server/tls/service.key /opt/k3s/server/tls # Generate updated custom CA certs and keys. curl -sL https://github.com/k3s-io/k3s/raw/master/contrib/util/generate-custom-ca-certs.sh | DATA_DIR=/opt/k3s bash - # Load the updated CA certs and keys into the datastore. k3s certificate rotate-ca --path=/opt/k3s/server If the rotate-ca command returns an error, check the service log for errors. If the command completes successfully, restart K3s on all nodes in the cluster - servers first, then agents. If you used the --force option or changed the root CA, ensure that any nodes that were joined with a secure token are reconfigured to use the new token value, prior to being restarted. The token may be stored in a .env file, systemd unit, or config.yaml, depending on how the node was configured during initial installation.","s":"Rotating Custom CA Certificates","u":"/kr/cli/certificate","h":"#rotating-custom-ca-certificates","p":2495},{"i":2507,"t":"To rotate the K3s-generated self-signed CA certificates, use the k3s certificate rotate-ca subcommand. Updated files must be staged into a temporary directory, loaded into the datastore, and k3s must be restarted on all nodes to use the updated certificates. warning You must not overwrite the currently in-use data in /var/lib/rancher/k3s/server/tls. Stage the updated certificates and keys into a separate directory. If the cluster has been started with default self-signed CA certificates, rotation will be disruptive. All nodes that were joined with a secure token will need to be reconfigured to trust the new CA hash. If the new CA certificates are not cross-signed by the old CA certificates, you will need to use the --force option to bypass integrity checks, and pods will need to be restarted to trust the new root CA. Default CA Topology​ The default self-signed CA certificates have the following topology: When rotating the default self-signed CAs, a modified certificate topology with intermediate CAs and a new root CA cross-signed by the old CA can be used so that there is a continuous chain of trust between the old and new CAs: Using The Example Script​ An example script to create updated CA certificates and keys cross-signed by the existing CAs is available in the K3s repo at contrib/util/rotate-default-ca-certs.sh. To use the example script to generate updated self-signed certificates that are cross-signed by the existing CAs, run the following commands: # Create updated CA certs and keys, cross-signed by the current CAs. # This script will create a new temporary directory containing the updated certs, and output the new token values. curl -sL https://github.com/k3s-io/k3s/raw/master/contrib/util/rotate-default-ca-certs.sh | bash - # Load the updated certs into the datastore; see the script output for the updated token values. k3s certificate rotate-ca --path=/var/lib/rancher/k3s/server/rotate-ca If the rotate-ca command returns an error, check the service log for errors. If the command completes successfully, restart K3s on all nodes in the cluster - servers first, then agents. Ensure that any nodes that were joined with a secure token, including other server nodes, are reconfigured to use the new token value prior to being restarted. The token may be stored in a .env file, systemd unit, or config.yaml, depending on how the node was configured during initial installation.","s":"Rotating Self-Signed CA Certificates","u":"/kr/cli/certificate","h":"#rotating-self-signed-ca-certificates","p":2495},{"i":2509,"t":"The service-account issuer key is an RSA private key used to sign service-account tokens. When rotating the service-account issuer key, at least one old key should be retained in the file so that existing service-account tokens are not invalidated. It can be rotated independent of the cluster CAs by using the k3s certificate rotate-ca to install only an updated service.key file that includes both the new and old keys. warning You must not overwrite the currently in-use data in /var/lib/rancher/k3s/server/tls. Stage the updated key into a separate directory. For example, to rotate only the service-account issuer key, run the following commands: # Create a temporary directory for cert generation mkdir -p /opt/k3s/server/tls # Check OpenSSL version openssl version | grep -qF 'OpenSSL 3' && OPENSSL_GENRSA_FLAGS=-traditional # Generate a new key openssl genrsa ${OPENSSL_GENRSA_FLAGS:-} -out /opt/k3s/server/tls/service.key 2048 # Append the existing key to avoid invalidating current tokens cat /var/lib/rancher/k3s/server/tls/service.key >> /opt/k3s/server/tls/service.key # Load the updated key into the datastore k3s certificate rotate-ca --path=/opt/k3s/server It is normal to see warnings for files that are not being updated. If the rotate-ca command returns an error, check the service log for errors. If the command completes successfully, restart K3s on all servers in the cluster. It is not necessary to restart agents or restart any pods.","s":"Service-Account Issuer Key Rotation","u":"/kr/cli/certificate","h":"#service-account-issuer-key-rotation","p":2495},{"i":2511,"t":"In this section, you'll learn how to configure the K3s agent. Note that servers also run an agent, so all flags listed on this page are also valid for use on servers. Options are documented on this page as CLI flags, but can also be passed as configuration file options. See the Configuration File documentation for more information on using YAML configuration files.","s":"k3s agent","u":"/kr/cli/agent","h":"","p":2510},{"i":2513,"t":"Flag Default Description -v value 0 Number for the log level verbosity --vmodule value N/A Comma-separated list of FILE_PATTERN=LOG_LEVEL settings for file-filtered logging --log value, -l value N/A Log to file --alsologtostderr N/A Log to standard error as well as file (if set)","s":"Logging","u":"/kr/cli/agent","h":"#logging","p":2510},{"i":2515,"t":"Flag Environment Variable Description --token value, -t value K3S_TOKEN Token to use for authentication --token-file value K3S_TOKEN_FILE Token file to use for authentication --server value, -s value K3S_URL Server to connect to","s":"Cluster Options","u":"/kr/cli/agent","h":"#cluster-options","p":2510},{"i":2517,"t":"Flag Default Description --data-dir value, -d value \"/var/lib/rancher/k3s\" Folder to hold state","s":"Data","u":"/kr/cli/agent","h":"#data","p":2510},{"i":2519,"t":"Flag Environment Variable Description --node-name value K3S_NODE_NAME Node name --with-node-id N/A Append id to node name --node-label value N/A Registering and starting kubelet with set of labels --node-taint value N/A Registering kubelet with set of taints --protect-kernel-defaults N/A Kernel tuning behavior. If set, error if kernel tunables are different from kubelet defaults. --selinux K3S_SELINUX Enable SELinux in containerd --lb-server-port value K3S_LB_SERVER_PORT Local port for supervisor client load-balancer. If the supervisor and apiserver are not colocated an additional port 1 less than this port will also be used for the apiserver client load-balancer. (default: 6444)","s":"Node","u":"/kr/cli/agent","h":"#node","p":2510},{"i":2521,"t":"Flag Default Description --container-runtime-endpoint value N/A Disable embedded containerd and use the CRI socket at the given path; when used with --docker this sets the cri-docker socket path --pause-image value \"docker.io/rancher/pause:3.1\" Customized pause image for containerd or docker sandbox --private-registry value \"/etc/rancher/k3s/registries.yaml\" Private registry configuration file","s":"Runtime","u":"/kr/cli/agent","h":"#runtime","p":2510},{"i":2523,"t":"Flag Environment Variable Description --node-ip value, -i value N/A IP address to advertise for node --node-external-ip value N/A External IP address to advertise for node --resolv-conf value K3S_RESOLV_CONF Kubelet resolv.conf file --flannel-iface value N/A Override default flannel interface --flannel-conf value N/A Override default flannel config file --flannel-cni-conf value N/A Override default flannel cni config file","s":"Networking","u":"/kr/cli/agent","h":"#networking","p":2510},{"i":2525,"t":"Flag Description --kubelet-arg value Customized flag for kubelet process --kube-proxy-arg value Customized flag for kube-proxy process","s":"Customized Flags","u":"/kr/cli/agent","h":"#customized-flags","p":2510},{"i":2527,"t":"Flag Description --rootless Run rootless --docker Use cri-dockerd instead of containerd --prefer-bundled-bin Prefer bundled userspace binaries over host binaries","s":"Experimental","u":"/kr/cli/agent","h":"#experimental","p":2510},{"i":2529,"t":"Flag Environment Variable Description --no-flannel N/A Use --flannel-backend=none --cluster-secret value K3S_CLUSTER_SECRET Use --token","s":"Deprecated","u":"/kr/cli/agent","h":"#deprecated","p":2510},{"i":2531,"t":"K3s agents can be configured with the options --node-label and --node-taint which adds a label and taint to the kubelet. The two options only add labels and/or taints at registration time, so they can only be added once and not changed after that again by running K3s commands. Below is an example showing how to add labels and a taint: --node-label foo=bar \\ --node-label hello=world \\ --node-taint key1=value1:NoExecute If you want to change node labels and taints after node registration you should use kubectl. Refer to the official Kubernetes documentation for details on how to add taints and node labels.","s":"Node Labels and Taints for Agents","u":"/kr/cli/agent","h":"#node-labels-and-taints-for-agents","p":2510},{"i":2533,"t":"If an option appears in brackets below, for example [$K3S_URL], it means that the option can be passed in as an environment variable of that name. NAME: k3s agent - Run node agent USAGE: k3s agent [OPTIONS] OPTIONS: --config FILE, -c FILE (config) Load configuration from FILE (default: \"/etc/rancher/k3s/config.yaml\") [$K3S_CONFIG_FILE] --debug (logging) Turn on debug logs [$K3S_DEBUG] -v value (logging) Number for the log level verbosity (default: 0) --vmodule value (logging) Comma-separated list of FILE_PATTERN=LOG_LEVEL settings for file-filtered logging --log value, -l value (logging) Log to file --alsologtostderr (logging) Log to standard error as well as file (if set) --token value, -t value (cluster) Token to use for authentication [$K3S_TOKEN] --token-file value (cluster) Token file to use for authentication [$K3S_TOKEN_FILE] --server value, -s value (cluster) Server to connect to [$K3S_URL] --data-dir value, -d value (agent/data) Folder to hold state (default: \"/var/lib/rancher/k3s\") --node-name value (agent/node) Node name [$K3S_NODE_NAME] --with-node-id (agent/node) Append id to node name --node-label value (agent/node) Registering and starting kubelet with set of labels --node-taint value (agent/node) Registering kubelet with set of taints --image-credential-provider-bin-dir value (agent/node) The path to the directory where credential provider plugin binaries are located (default: \"/var/lib/rancher/credentialprovider/bin\") --image-credential-provider-config value (agent/node) The path to the credential provider plugin config file (default: \"/var/lib/rancher/credentialprovider/config.yaml\") --selinux (agent/node) Enable SELinux in containerd [$K3S_SELINUX] --lb-server-port value (agent/node) Local port for supervisor client load-balancer. If the supervisor and apiserver are not colocated an additional port 1 less than this port will also be used for the apiserver client load-balancer. (default: 6444) [$K3S_LB_SERVER_PORT] --protect-kernel-defaults (agent/node) Kernel tuning behavior. If set, error if kernel tunables are different than kubelet defaults. --container-runtime-endpoint value (agent/runtime) Disable embedded containerd and use the CRI socket at the given path; when used with --docker this sets the docker socket path --pause-image value (agent/runtime) Customized pause image for containerd or docker sandbox (default: \"rancher/mirrored-pause:3.6\") --snapshotter value (agent/runtime) Override default containerd snapshotter (default: \"overlayfs\") --private-registry value (agent/runtime) Private registry configuration file (default: \"/etc/rancher/k3s/registries.yaml\") --node-ip value, -i value (agent/networking) IPv4/IPv6 addresses to advertise for node --node-external-ip value (agent/networking) IPv4/IPv6 external IP addresses to advertise for node --resolv-conf value (agent/networking) Kubelet resolv.conf file [$K3S_RESOLV_CONF] --flannel-iface value (agent/networking) Override default flannel interface --flannel-conf value (agent/networking) Override default flannel config file --flannel-cni-conf value (agent/networking) Override default flannel cni config file --kubelet-arg value (agent/flags) Customized flag for kubelet process --kube-proxy-arg value (agent/flags) Customized flag for kube-proxy process --rootless (experimental) Run rootless --prefer-bundled-bin (experimental) Prefer bundled userspace binaries over host binaries --docker (agent/runtime) (experimental) Use cri-dockerd instead of containerd","s":"K3s Agent CLI Help","u":"/kr/cli/agent","h":"#k3s-agent-cli-help","p":2510},{"i":2535,"t":"Version Gate Available as of v1.19.1+k3s1 In this section, you'll learn how to create backups of the K3s embedded etcd datastore, and to restore the cluster from backup. Creating Snapshots​ Snapshots are enabled by default, at 00:00 and 12:00 system time, with 5 snapshots retained. To configure the snapshot interval or the number of retained snapshots, refer to the options. The snapshot directory defaults to ${data-dir}/server/db/snapshots. The data-dir value defaults to /var/lib/rancher/k3s and can be changed by setting the --data-dir flag. Restoring a Cluster from a Snapshot​ When K3s is restored from backup, the old data directory will be moved to ${data-dir}/server/db/etcd-old/. Then K3s will attempt to restore the snapshot by creating a new data directory, then starting etcd with a new K3s cluster with one etcd member. To restore the cluster from backup: Single Server High Availability Run K3s with the --cluster-reset option, with the --cluster-reset-restore-path also given: k3s server \\ --cluster-reset \\ --cluster-reset-restore-path= Result: A message in the logs says that K3s can be restarted without the flags. Start k3s again and should run successfully and be restored from the specified snapshot. In this example there are 3 servers, S1, S2, and S3. The snapshot is located on S1. On S1, start K3s with the --cluster-reset option, with the --cluster-reset-restore-path also given: k3s server \\ --cluster-reset \\ --cluster-reset-restore-path= Result: A message in the logs says that K3s can be restarted without the flags. On S2 and S3, stop K3s. Then delete the data directory, /var/lib/rancher/k3s/server/db/: systemctl stop k3s rm -rf /var/lib/rancher/k3s/server/db/ On S1, start K3s again: systemctl start k3s On S2 and S3, start K3s again to join the restored cluster: systemctl start k3s Options​ These options can be passed in with the command line, or in the configuration file, which may be easier to use. Options Description --etcd-disable-snapshots Disable automatic etcd snapshots --etcd-snapshot-schedule-cron value Snapshot interval time in cron spec. eg. every 5 hours 0 */5 * * *(default: 0 */12 * * *) --etcd-snapshot-retention value Number of snapshots to retain (default: 5) --etcd-snapshot-dir value Directory to save db snapshots. (Default location: ${data-dir}/db/snapshots) --cluster-reset Forget all peers and become sole member of a new cluster. This can also be set with the environment variable [$K3S_CLUSTER_RESET]. --cluster-reset-restore-path value Path to snapshot file to be restored S3 Compatible API Support​ K3s supports writing etcd snapshots to and restoring etcd snapshots from systems with S3-compatible APIs. S3 support is available for both on-demand and scheduled snapshots. The arguments below have been added to the server subcommand. These flags exist for the etcd-snapshot subcommand as well however the --etcd-s3 portion is removed to avoid redundancy. Options Description --etcd-s3 Enable backup to S3 --etcd-s3-endpoint S3 endpoint url --etcd-s3-endpoint-ca S3 custom CA cert to connect to S3 endpoint --etcd-s3-skip-ssl-verify Disables S3 SSL certificate validation --etcd-s3-access-key S3 access key --etcd-s3-secret-key S3 secret key --etcd-s3-bucket S3 bucket name --etcd-s3-region S3 region / bucket location (optional). defaults to us-east-1 --etcd-s3-folder S3 folder To perform an on-demand etcd snapshot and save it to S3: k3s etcd-snapshot \\ --s3 \\ --s3-bucket= \\ --s3-access-key= \\ --s3-secret-key= To perform an on-demand etcd snapshot restore from S3, first make sure that K3s isn't running. Then run the following commands: k3s server \\ --cluster-init \\ --cluster-reset \\ --etcd-s3 \\ --cluster-reset-restore-path= \\ --etcd-s3-bucket= \\ --etcd-s3-access-key= \\ --etcd-s3-secret-key= Etcd Snapshot and Restore Subcommands​ k3s supports a set of subcommands for working with your etcd snapshots. Subcommand Description delete Delete given snapshot(s) ls, list, l List snapshots prune Remove snapshots that exceed the configured retention count save Trigger an immediate etcd snapshot 비고 The save subcommand is the same as k3s etcd-snapshot. The latter will eventually be deprecated in favor of the former. These commands will perform as expected whether the etcd snapshots are stored locally or in an S3 compatible object store. For additional information on the etcd snapshot subcommands, run k3s etcd-snapshot. Delete a snapshot from S3. k3s etcd-snapshot delete \\ --s3 \\ --s3-bucket= \\ --s3-access-key= \\ --s3-secret-key= \\ Prune local snapshots with the default retention policy (5). The prune subcommand takes an additional flag --snapshot-retention that allows for overriding the default retention policy. k3s etcd-snapshot prune k3s etcd-snapshot prune --snapshot-retention 10","s":"k3s etcd-snapshot","u":"/kr/cli/etcd-snapshot","h":"","p":2534},{"i":2537,"t":"이 섹션에는 K3s를 실행하고 관리할 수 있는 다양한 방법과 K3s 사용을 위해 호스트 OS를 준비하는 데 필요한 단계를 설명하는 고급 정보가 포함되어 있습니다.","s":"고급 옵션 / 설정","u":"/kr/advanced","h":"","p":2536},{"i":2540,"t":"K3s는 첫 번째 서버 노드를 시작하는 동안 자체 서명된 CA(인증 기관) 인증서를 생성합니다. 이 CA 인증서는 10년 동안 유효하며 자동으로 갱신되지 않습니다. 사용자 지정 CA 인증서 사용 또는 자체 서명 CA 인증서 갱신에 대한 자세한 내용은 k3s 인증서 rotate-ca 명령 설명서를 참조하세요.","s":"인증 기관 인증서","u":"/kr/advanced","h":"#인증-기관-인증서","p":2536},{"i":2542,"t":"K3s 클라이언트 및 서버 인증서는 발급한 날로부터 365일 동안 유효합니다. 만료되었거나 만료 후 90일 이내에 만료된 인증서는 K3s를 시작할 때마다 자동으로 갱신됩니다. 클라이언트 및 서버 인증서를 수동으로 로테이션하는 것에 대한 정보는 k3s 인증서 로테이션 명령 설명서를 참조하세요.","s":"클라이언트 및 서버 인증서","u":"/kr/advanced","h":"#클라이언트-및-서버-인증서","p":2536},{"i":2544,"t":"기본적으로 K3s는 서버와 에이전트 모두에 단일 정적 토큰을 사용합니다. 이 토큰은 클러스터가 생성된 후에는 변경할 수 없습니다. 에이전트 조인에만 사용할 수 있는 두 번째 정적 토큰을 활성화하거나 자동으로 만료되는 임시 kubeadm 스타일 조인 토큰을 생성할 수 있습니다. 자세한 내용은 k3s token 명령어 설명서를 참고하세요.","s":"토큰 관리","u":"/kr/advanced","h":"#토큰-관리","p":2536},{"i":2546,"t":"HTTP 프록시를 통해서만 외부와 연결할 수 있는 환경에서 K3s를 실행하는 경우, K3s 시스템드 서비스에서 프록시 설정을 구성할 수 있습니다. 그러면 이 프록시 설정이 K3s에서 사용되어 내장 컨테이너와 kubelet에 전달됩니다. K3s 설치 스크립트는 자동으로 현재 셸에서 HTTP_PROXY, HTTPS_PROXY 및 NO_PROXY 변수와 CONTAINERD_HTTP_PROXY, CONTAINERD_HTTPS_PROXY 및 CONTAINERD_NO_PROXY 변수가 있는 경우 이를 systemd 서비스의 환경 파일에 작성합니다: /etc/systemd/system/k3s.service.env /etc/systemd/system/k3s-agent.service.env 물론 이 파일을 편집하여 프록시를 구성할 수도 있습니다. K3s는 클러스터 내부 파드 및 서비스 IP 범위와 클러스터 DNS 도메인을 자동으로 NO_PROXY 항목 목록에 추가합니다. 쿠버네티스 노드 자체에서 사용하는 IP 주소 범위(즉, 노드의 퍼블릭 및 프라이빗 IP)가 NO_PROXY 목록에 포함되어 있는지 또는 프록시를 통해 노드에 도달할 수 있는지 확인해야 합니다. HTTP_PROXY=http://your-proxy.example.com:8888 HTTPS_PROXY=http://your-proxy.example.com:8888 NO_PROXY=127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 K3s와 Kubelet에 영향을 주지 않고 컨테이너에 대한 프록시 설정을 구성하려면, 변수 앞에 CONTAINERD_를 붙이면 됩니다: CONTAINERD_HTTP_PROXY=http://your-proxy.example.com:8888 CONTAINERD_HTTPS_PROXY=http://your-proxy.example.com:8888 CONTAINERD_NO_PROXY=127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16","s":"HTTP 프록시 구성하기","u":"/kr/advanced","h":"#http-프록시-구성하기","p":2536},{"i":2548,"t":"K3s는 업계 표준 컨테이너 런타임인 containerd를 포함하며 기본값으로 사용합니다. 쿠버네티스 1.24부터, kubelet은 더 이상 kubelet이 dockerd와 통신할 수 있도록 하는 컴포넌트인 dockershim을 포함하지 않습니다. K3s 1.24 이상에는 cri-dockerd가 포함되어 있어 이전 릴리즈의 K3s에서 원활하게 업그레이드하면서 Docker 컨테이너 런타임을 계속 사용할 수 있습니다. 컨테이너 대신 Docker를 사용하려면: K3s 노드에 Docker를 설치합니다. 랜처의 Docker 설치 스크립트 중 하나를 사용하여 Docker를 설치할 수 있습니다: curl https://releases.rancher.com/install-docker/20.10.sh | sh --docker 옵션을 사용하여 K3s를 설치합니다: curl -sfL https://get.k3s.io | sh -s - --docker 클러스터를 사용할 수 있는지 확인합니다: $ sudo k3s kubectl get pods --all-namespaces NAMESPACE NAME READY STATUS RESTARTS AGE kube-system local-path-provisioner-6d59f47c7-lncxn 1/1 Running 0 51s kube-system metrics-server-7566d596c8-9tnck 1/1 Running 0 51s kube-system helm-install-traefik-mbkn9 0/1 Completed 1 51s kube-system coredns-8655855d6-rtbnb 1/1 Running 0 51s kube-system svclb-traefik-jbmvl 2/2 Running 0 43s kube-system traefik-758cd5fc85-2wz97 1/1 Running 0 43s Docker 컨테이너가 실행 중인지 확인합니다: $ sudo docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 3e4d34729602 897ce3c5fc8f \"entry\" About a minute ago Up About a minute k8s_lb-port-443_svclb-traefik-jbmvl_kube-system_d46f10c6-073f-4c7e-8d7a-8e7ac18f9cb0_0 bffdc9d7a65f rancher/klipper-lb \"entry\" About a minute ago Up About a minute k8s_lb-port-80_svclb-traefik-jbmvl_kube-system_d46f10c6-073f-4c7e-8d7a-8e7ac18f9cb0_0 436b85c5e38d rancher/library-traefik \"/traefik --configfi…\" About a minute ago Up About a minute k8s_traefik_traefik-758cd5fc85-2wz97_kube-system_07abe831-ffd6-4206-bfa1-7c9ca4fb39e7_0 de8fded06188 rancher/pause:3.1 \"/pause\" About a minute ago Up About a minute k8s_POD_svclb-traefik-jbmvl_kube-system_d46f10c6-073f-4c7e-8d7a-8e7ac18f9cb0_0 7c6a30aeeb2f rancher/pause:3.1 \"/pause\" About a minute ago Up About a minute k8s_POD_traefik-758cd5fc85-2wz97_kube-system_07abe831-ffd6-4206-bfa1-7c9ca4fb39e7_0 ae6c58cab4a7 9d12f9848b99 \"local-path-provisio…\" About a minute ago Up About a minute k8s_local-path-provisioner_local-path-provisioner-6d59f47c7-lncxn_kube-system_2dbd22bf-6ad9-4bea-a73d-620c90a6c1c1_0 be1450e1a11e 9dd718864ce6 \"/metrics-server\" About a minute ago Up About a minute k8s_metrics-server_metrics-server-7566d596c8-9tnck_kube-system_031e74b5-e9ef-47ef-a88d-fbf3f726cbc6_0 4454d14e4d3f c4d3d16fe508 \"/coredns -conf /etc…\" About a minute ago Up About a minute k8s_coredns_coredns-8655855d6-rtbnb_kube-system_d05725df-4fb1-410a-8e82-2b1c8278a6a1_0 c3675b87f96c rancher/pause:3.1 \"/pause\" About a minute ago Up About a minute k8s_POD_coredns-8655855d6-rtbnb_kube-system_d05725df-4fb1-410a-8e82-2b1c8278a6a1_0 4b1fddbe6ca6 rancher/pause:3.1 \"/pause\" About a minute ago Up About a minute k8s_POD_local-path-provisioner-6d59f47c7-lncxn_kube-system_2dbd22bf-6ad9-4bea-a73d-620c90a6c1c1_0 64d3517d4a95 rancher/pause:3.1 \"/pause\"","s":"컨테이너 런타임으로 Docker 사용","u":"/kr/advanced","h":"#컨테이너-런타임으로-docker-사용","p":2536},{"i":2550,"t":"etcdctl은 etcd 서버와 상호 작용하기 위한 CLI를 제공합니다. K3s는 etcdctl을 번들로 제공하지 않습니다. etcdctl을 사용하여 K3s의 내장된 etcd와 상호 작용하려면 공식 문서를 참조하여 etcdctl을 설치하세요. ETCD_VERSION=\"v3.5.5\" ETCD_URL=\"https://github.com/etcd-io/etcd/releases/download/${ETCD_VERSION}/etcd-${ETCD_VERSION}-linux-amd64.tar.gz\" curl -sL ${ETCD_URL} | sudo tar -zxv --strip-components=1 -C /usr/local/bin 그런 다음 인증에 K3s에서 관리하는 인증서 및 키를 사용하도록 etcdctl을 구성하여 사용할 수 있습니다: sudo etcdctl version \\ --cacert=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt \\ --cert=/var/lib/rancher/k3s/server/tls/etcd/client.crt \\ --key=/var/lib/rancher/k3s/server/tls/etcd/client.key","s":"etcdctl 사용하기","u":"/kr/advanced","h":"#etcdctl-사용하기","p":2536},{"i":2552,"t":"K3s는 /var/lib/rancher/k3s/agent/etc/containerd/config.toml에 컨테이너에 대한 config.toml을 생성합니다. 이 파일에 대한 고급 커스터마이징을 위해 같은 디렉터리에 config.toml.tmpl이라는 다른 파일을 생성하면 이 파일이 대신 사용된다. config.toml.tmpl은 Go 템플릿 파일로 취급되며, config.Node 구조가 템플릿으로 전달됩니다. 이 구조를 사용하여 구성 파일을 사용자 정의하는 방법에 대한 Linux 및 Windows 예제는 이 폴더를 참조하세요. config.Node Go 언어 구조체는 여기에 정의되어 있습니다.","s":"컨테이너 설정하기","u":"/kr/advanced","h":"#컨테이너-설정하기","p":2536},{"i":2554,"t":"K3s는 K3s 시작 시 NVIDIA 컨테이너 런타임이 있으면 자동으로 감지하여 설정합니다. 아래의 안내에 따라 노드에 엔비디아 컨테이너 패키지 리포지토리를 설치합니다: https://nvidia.github.io/libnvidia-container/ 엔비디아 컨테이너 런타임 패키지를 설치합니다. 예시: apt install -y nvidia-container-runtime cuda-drivers-fabricmanager-515 nvidia-headless-515-server K3s를 설치하거나 이미 설치되어 있는 경우 다시 시작합니다: curl -ksL get.k3s.io | sh - k3s가 엔비디아 컨테이너 런타임을 찾았는지 확인합니다: grep nvidia /var/lib/rancher/k3s/agent/etc/containerd/config.toml 이렇게 하면 발견된 런타임 실행 파일에 따라 컨테이너 설정에 nvidia 및/또는 nvidia-experimental 런타임이 자동으로 추가됩니다. 여전히 클러스터에 런타임클래스 정의를 추가하고, 파드 스펙에서 runtimeClassName: nvidia를 설정하여 적절한 런타임을 명시적으로 요청하는 파드를 배포해야 합니다: apiVersion: node.k8s.io/v1 kind: RuntimeClass metadata: name: nvidia handler: nvidia --- apiVersion: v1 kind: Pod metadata: name: nbody-gpu-benchmark namespace: default spec: restartPolicy: OnFailure runtimeClassName: nvidia containers: - name: cuda-container image: nvcr.io/nvidia/k8s/cuda-sample:nbody args: [\"nbody\", \"-gpu\", \"-benchmark\"] resources: limits: nvidia.com/gpu: 1 env: - name: NVIDIA_VISIBLE_DEVICES value: all - name: NVIDIA_DRIVER_CAPABILITIES value: all 엔비디아 컨테이너 런타임은 엔비디아 디바이스 플러그인 및 GPU 기능 검색과 함께 자주 사용되며, 위에서 언급한 것처럼 파드 사양에 runtimeClassName: nvidia가 포함되도록 수정하여 별도로 설치해야 한다는 점에 유의하세요.","s":"NVIDIA 컨테이너 런타임 지원","u":"/kr/advanced","h":"#nvidia-컨테이너-런타임-지원","p":2536},{"i":2556,"t":"경고: 이 기능은 실험 단계입니다. disable-agent 플래그로 시작하면, 서버는 kubelet, 컨테이너 런타임 또는 CNI를 실행하지 않습니다. 클러스터에 노드 리소스를 등록하지 않으며, kubectl get nodes 출력에 나타나지 않습니다. 에이전트리스 서버는 kubelet을 호스트하지 않기 때문에, 파드를 실행하거나 내장된 etcd 컨트롤러 및 시스템 업그레이드 컨트롤러를 포함하여 클러스터 노드를 열거하는 데 의존하는 운영자가 관리할 수 없습니다. 에이전트리스 서버를 실행하는 것은 클러스터 운영자 지원 부족으로 인한 관리 오버헤드 증가를 감수하고서라도 에이전트와 워크로드에 의한 검색으로부터 컨트롤 플레인 노드를 숨기고자 하는 경우에 유리할 수 있습니다.","s":"에이전트 없는 서버 실행하기(실험적)","u":"/kr/advanced","h":"#에이전트-없는-서버-실행하기실험적","p":2536},{"i":2558,"t":"경고: 이 기능은 실험 단계입니다. 루트리스 모드는 잠재적인 컨테이너 브레이크아웃 공격으로부터 호스트의 실제 루트를 보호하기 위해 권한이 없는 사용자로 K3s 서버를 실행할 수 있습니다. 루트리스 쿠버네티스에 대한 자세한 내용은 https://rootlesscontaine.rs/ 을 참조하세요.","s":"루트리스 서버 실행(실험적)","u":"/kr/advanced","h":"#루트리스-서버-실행실험적","p":2536},{"i":2560,"t":"포트 루트리스 실행 시 새로운 네트워크 네임스페이스가 생성됩니다. 이는 K3s 인스턴스가 호스트와 네트워킹이 상당히 분리된 상태로 실행된다는 것을 의미합니다. 호스트에서 K3s에서 실행되는 서비스에 액세스하는 유일한 방법은 K3s 네트워크 네임스페이스에 포트 포워드를 설정하는 것입니다. 루트리스 K3s에는 6443 및 1024 미만의 서비스 포트를 10000 오프셋으로 호스트에 자동으로 바인딩하는 컨트롤러가 포함되어 있습니다. 예를 들어, 포트 80의 서비스는 호스트에서 10080이 되지만 8080은 오프셋 없이 8080이 됩니다. 현재 로드밸런서 서비스만 자동으로 바인딩됩니다. Cgroup Cgroup v1 및 하이브리드 v1/v2는 지원되지 않으며, 순수 Cgroup v2만 지원됩니다. 루트리스 실행 시 누락된 Cgroup으로 인해 K3s가 시작되지 않는 경우, 노드가 하이브리드 모드에 있고 \"누락된\" Cgroup이 여전히 v1 컨트롤러에 바인딩되어 있을 가능성이 높습니다. 멀티노드/멀티프로세스 클러스터 다중 노드 루트리스 클러스터 또는 동일한 노드에 있는 여러 개의 루트리스 k3s 프로세스는 현재 지원되지 않습니다. 자세한 내용은 #6488을 참조하세요.","s":"루트리스 모드의 알려진 이슈","u":"/kr/advanced","h":"#루트리스-모드의-알려진-이슈","p":2536},{"i":2562,"t":"https://rootlesscontaine.rs/getting-started/common/cgroup2/ 을 참조하여 cgroup v2 위임을 활성화합니다. 이 단계는 필수이며, 적절한 cgroups가 위임되지 않으면 루트리스 kubelet을 시작하지 못합니다. https://github.com/k3s-io/k3s/blob//k3s-rootless.service](https://github.com/k3s-io/k3s/blob/master/k3s-rootless.service)에서 k3s-rootless.service를 다운로드한다. k3s-rootless.service와 k3s의 버전이 같은 것을 사용해야 합니다. k3s-rootless.service를 ~/.config/systemd/user/k3s-rootless.service에 설치합니다. 이 파일을 시스템 전체 서비스(/etc/systemd/...)로 설치하는 것은 지원되지 않습니다. k3s 바이너리의 경로에 따라 파일의 ExecStart=/usr/local/bin/k3s ... 행을 수정해야 할 수 있습니다. systemctl --user daemon-reload를 실행합니다. systemctl --user enable --now k3s-rootless를 실행한다. KUBECONFIG=~/.kube/k3s.yaml kubectl get pods -A를 실행하고, 파드가 실행 중인지 확인한다. 참고: 터미널 세션은 cgroups v2 위임을 허용하지 않으므로 터미널에서 k3s server --rootless를 실행하지 않는다. 터미널에서 꼭 실행해야 하는 경우, systemd-run --user -p Delegate=yes --tty k3s server --roolless를 사용하여 systemd 범위로 래핑합니다.","s":"루트리스 서버 시작하기","u":"/kr/advanced","h":"#루트리스-서버-시작하기","p":2536},{"i":2564,"t":"루트리스 K3s는 호스트와 사용자 네트워크 네임스페이스 간 통신을 위해 rootlesskit 및 slirp4netns를 사용합니다. 루트리스킷과 slirp4net에서 사용하는 구성 중 일부는 환경 변수로 설정할 수 있습니다. 이를 설정하는 가장 좋은 방법은 k3s-rootless systemd 유닛의 Environment 필드에 추가하는 것입니다. Variable Default Description K3S_ROOTLESS_MTU 1500 slirp4netns 가상 인터페이스의 MTU를 설정합니다. K3S_ROOTLESS_CIDR 10.41.0.0/16 slirp4netns 가상 인터페이스에서 사용하는 CIDR을 설정합니다. K3S_ROOTLESS_ENABLE_IPV6 autotedected Enables slirp4netns IPv6 지원. 지정하지 않으면 K3가 듀얼 스택 작동을 위해 구성되면 자동으로 활성화됩니다. K3S_ROOTLESS_PORT_DRIVER builtin 루트리스 포트 드라이버를 선택합니다. builtin 또는 slirp4netns 중 하나를 선택합니다. 빌트인이 더 빠르지만 인바운드 패킷의 원래 소스 주소를 가장합니다. K3S_ROOTLESS_DISABLE_HOST_LOOPBACK true 게이트웨이 인터페이스를 통한 호스트의 루프백 주소에 대한 액세스를 사용할지 여부를 제어합니다. 보안상의 이유로 변경하지 않는 것이 좋습니다.","s":"고급 루트리스 구성","u":"/kr/advanced","h":"#고급-루트리스-구성","p":2536},{"i":2566,"t":"systemctl --user status k3s-rootless를 실행하여 데몬 상태를 확인합니다. journalctl --user -f -u k3s-rootless를 실행하여 데몬 로그를 확인합니다. https://rootlesscontaine.rs/ 참조","s":"루트리스 문제 해결하기","u":"/kr/advanced","h":"#루트리스-문제-해결하기","p":2536},{"i":2568,"t":"K3s 에이전트는 --node-label 및 --node-taint 옵션으로 구성할 수 있으며, 이 옵션은 kubelet에 레이블과 테인트를 추가합니다. 이 두 옵션은 [등록 시점에] 레이블 및/또는 테인트만 추가하므로(./cli/agent.md#node-labels-and-taints-for-agents), 노드가 클러스터에 처음 조인될 때만 설정할 수 있습니다. 현재 모든 버전의 쿠버네티스는 노드가 kubernetes.io 및 k8s.io 접두사가 포함된 대부분의 레이블, 특히 kubernetes.io/role 레이블에 등록하는 것을 제한합니다. 허용되지 않는 레이블을 가진 노드를 시작하려고 하면 K3s가 시작되지 않습니다. 쿠버네티스 작성자가 언급했듯이: 노드는 자체 역할 레이블을 어설트하는 것이 허용되지 않습니다. 노드 역할은 일반적으로 권한 또는 컨트롤 플레인 유형의 노드를 식별하는 데 사용되며, 노드가 해당 풀에 레이블을 지정하도록 허용하면 손상된 노드가 더 높은 권한 자격 증명에 대한 액세스 권한을 부여하는 워크로드(예: 컨트롤 플레인 데몬셋)를 사소하게 끌어들일 수 있습니다. 자세한 내용은 SIG-Auth KEP 279를 참조하세요. 노드 등록 후 노드 레이블과 틴트를 변경하거나 예약 레이블을 추가하려면 kubectl을 사용해야 합니다. taint 및 노드 레이블을 추가하는 방법에 대한 자세한 내용은 쿠버네티스 공식 문서를 참고하세요.","s":"노드 레이블 및 테인트","u":"/kr/advanced","h":"#노드-레이블-및-테인트","p":2536},{"i":2570,"t":"설치 스크립트는 설치 프로세스의 일부로 OS가 systemd 또는 openrc를 사용하는지 자동으로 감지하고 서비스를 활성화 및 시작합니다. openrc로 실행하면 /var/log/k3s.log에 로그가 생성됩니다. systemd로 실행하는 경우, /var/log/syslog에 로그가 생성되며 journalctl -u k3s(또는 에이전트에서는 journalctl -u k3s-agent)를 사용하여 로그를 확인할 수 있습니다. 설치 스크립트로 자동 시작 및 서비스 활성화를 비활성화하는 예제입니다: curl -sfL https://get.k3s.io | INSTALL_K3S_SKIP_START=true INSTALL_K3S_SKIP_ENABLE=true sh -","s":"설치 스크립트로 서비스 시작하기","u":"/kr/advanced","h":"#설치-스크립트로-서비스-시작하기","p":2536},{"i":2573,"t":"몇몇 유명 Linux 배포판에는 중복 규칙이 누적되어 노드의 성능과 안정성에 부정적인 영향을 주는 버그가 포함된 버전의 iptables가 포함되어 있습니다. 이 문제의 영향을 받는지 확인하는 방법에 대한 자세한 내용은 Issue #3117을 참조하세요. K3s에는 정상적으로 작동하는 iptables(v1.8.8) 버전이 포함되어 있습니다. --prefer-bundled-bin 옵션으로 K3s를 시작하거나 운영 체제에서 iptables/nftables 패키지를 제거하여 K3s가 번들 버전의 iptables를 사용하도록 설정할 수 있습니다. Version Gate prefer-bundled-bin 플래그는 2022-12 릴리스(v1.26.0+k3s1, v1.25.5+k3s1, v1.24.9+k3s1, v1.23.15+k3s1) 부터 사용할 수 있습니다.","s":"이전 iptables 버전","u":"/kr/advanced","h":"#이전-iptables-버전","p":2536},{"i":2575,"t":"firewalld를 끄는 것이 좋습니다: systemctl disable firewalld --now 방화벽을 사용하도록 설정하려면 기본적으로 다음 규칙이 필요합니다: firewall-cmd --permanent --add-port=6443/tcp #apiserver firewall-cmd --permanent --zone=trusted --add-source=10.42.0.0/16 #pods firewall-cmd --permanent --zone=trusted --add-source=10.43.0.0/16 #services firewall-cmd --reload 설정에 따라 추가 포트를 열어야 할 수도 있습니다. 자세한 내용은 인바운드 규칙을 참조하세요. 파드 또는 서비스에 대한 기본 CIDR을 변경하는 경우, 그에 따라 방화벽 규칙을 업데이트해야 합니다. 활성화된 경우, nm-cloud-setup을 비활성화하고 노드를 재부팅해야 합니다: systemctl disable nm-cloud-setup.service nm-cloud-setup.timer reboot","s":"Red Hat Enterprise Linux / CentOS","u":"/kr/advanced","h":"#red-hat-enterprise-linux--centos","p":2536},{"i":2577,"t":"ufw(uncomplicated firewall)를 끄는 것이 좋습니다: ufw disable ufw를 사용하도록 설정하려면 기본적으로 다음 규칙이 필요합니다: ufw allow 6443/tcp #apiserver ufw allow from 10.42.0.0/16 to any #pods ufw allow from 10.43.0.0/16 to any #services 설정에 따라 추가 포트를 열어야 할 수도 있습니다. 자세한 내용은 인바운드 규칙을 참조한다. 파드 또는 서비스에 대한 기본 CIDR을 변경하는 경우, 그에 따라 방화벽 규칙을 업데이트해야 합니다.","s":"Ubuntu","u":"/kr/advanced","h":"#ubuntu","p":2536},{"i":2579,"t":"라즈베리파이 OS는 데비안 기반이며, 오래된 iptables 버전으로 인해 문제가 발생할 수 있습니다. 해결 방법을 참조하세요. 표준 라즈베리파이 OS 설치는 cgroups가 활성화된 상태에서 시작되지 않습니다. K3S는 systemd 서비스를 시작하기 위해 cgroups가 필요합니다. cgroups는 /boot/cmdline.txt에 cgroup_memory=1 cgroup_enable=memory를 추가하여 활성화할 수 있습니다. cmdline.txt 예시: console=serial0,115200 console=tty1 root=PARTUUID=58b06195-02 rootfstype=ext4 elevator=deadline fsck.repair=yes rootwait cgroup_memory=1 cgroup_enable=memory 우분투 21.10부터 라즈베리파이의 vxlan 지원은 별도의 커널 모듈로 옮겨졌습니다. sudo apt install linux-modules-extra-raspi","s":"Raspberry Pi","u":"/kr/advanced","h":"#raspberry-pi","p":2536},{"i":2581,"t":"Docker에서 K3s를 실행하는 방법에는 여러 가지가 있습니다: K3d Docker k3d는 도커에서 멀티노드 K3s 클러스터를 쉽게 실행할 수 있도록 설계된 유틸리티입니다. k3d를 사용하면 쿠버네티스의 로컬 개발 등을 위해 도커에서 단일 노드 및 다중 노드 k3s 클러스터를 매우 쉽게 생성할 수 있습니다. k3d 설치 및 사용 방법에 대한 자세한 내용은 설치 설명서를 참조하세요. Docker를 사용하려면 rancher/k3s 이미지를 사용하여 K3s 서버와 에이전트를 실행할 수도 있습니다. docker run 명령어를 사용합니다: sudo docker run \\ --privileged \\ --name k3s-server-1 \\ --hostname k3s-server-1 \\ -p 6443:6443 \\ -d rancher/k3s:v1.24.10-k3s1 \\ server 비고 태그에 유효한 K3s 버전을 지정해야 하며, latest 태그는 유지되지 않습니다. 도커 이미지는 태그에 + 기호를 허용하지 않으므로 태그에 -를 대신 사용하세요. K3s가 실행되고 나면, 관리자 kubeconfig를 Docker 컨테이너에서 복사하여 사용할 수 있습니다: sudo docker cp k3s-server-1:/etc/rancher/k3s/k3s.yaml ~/.kube/config","s":"Docker에서 k3s 실행하기","u":"/kr/advanced","h":"#docker에서-k3s-실행하기","p":2536},{"i":2583,"t":"Version Gate v1.19.4+k3s1부터 사용 가능 기본적으로 SELinux가 활성화된 시스템(예로 CentOS)에 K3s를 설치하는 경우 적절한 SELinux 정책이 설치되어 있는지 확인해야 합니다. 자동 설치 수동 설치 에어 갭(폐쇄망) 설치를 수행하지 않는 경우 호환되는 시스템에서 설치 스크립트는 랜처 RPM 저장소에서 SELinux RPM을 자동으로 설치합니다. 자동 설치는 INSTALL_K3S_SKIP_SELINUX_RPM=true로 설정하여 건너뛸 수 있습니다. 필요한 policy는 다음 명령을 사용하여 설치할 수 있습니다: yum install -y container-selinux selinux-policy-base yum install -y https://rpm.rancher.io/k3s/latest/common/centos/7/noarch/k3s-selinux-0.2-1.el7_8.noarch.rpm 설치 스크립트가 실패하지 않고 경고를 기록하도록 하려면 다음 환경 변수를 설정하면 됩니다: INSTALL_K3S_SELINUX_WARN=true.","s":"SELinux 지원","u":"/kr/advanced","h":"#selinux-지원","p":2536},{"i":2585,"t":"SELinux를 활용하려면 K3s 서버 및 에이전트를 시작할 때 --selinux 플래그를 지정하세요. 이 옵션은 K3s 구성 파일에서도 지정할 수 있습니다. selinux: true SELinux에서 사용자 지정 --data-dir을 사용하는 것은 지원되지 않습니다. 사용자 지정하려면 사용자 지정 정책을 직접 작성해야 할 가능성이 높습니다. 컨테이너 런타임에 대한 SELinux 정책 파일이 포함된 containers/container-selinux 리포지토리와 K3s를 위한 SELinux 정책이 포함된 k3s-io/k3s-selinux 리포지토리를 참고할 수 있습니다.","s":"SELinux 적용 활성화하기","u":"/kr/advanced","h":"#selinux-적용-활성화하기","p":2536},{"i":2588,"t":"이미지 풀링은 컨테이너 라이프사이클에서 시간이 많이 소요되는 단계 중 하나로 알려져 있습니다. Harter, et al.(https://www.usenix.org/conference/fast16/technical-sessions/presentation/harter), 패키지 풀링은 컨테이너 시작 시간의 76%를 차지하지만, 그 중 읽기 데이터는 6.4%에 불과합니다. 이 문제를 해결하기 위해 k3s는 이미지 콘텐츠의 lazy pulling을 실험적으로 지원합니다. 이를 통해 k3s는 전체 이미지가 풀링되기 전에 컨테이너를 시작할 수 있습니다. 대신 필요한 콘텐츠 청크(예: 개별 파일)를 온디맨드 방식으로 가져옵니다. 특히 대용량 이미지의 경우 이 기술을 사용하면 컨테이너 시작 지연 시간을 단축할 수 있습니다. 지연 풀링을 사용하려면 대상 이미지의 포맷을 eStargz로 지정해야 합니다. 이 형식은 OCI 대체 형식이지만 지연 풀링을 위한 100% 호환되는 이미지 형식입니다. 호환성 때문에 eStargz는 표준 컨테이너 레지스트리(예: ghcr.io)로 푸시할 수 있을 뿐만 아니라 eStargz와 무관한 런타임에서도 실행 가능 합니다. eStargz는 Google CRFS 프로젝트에서 제안한 stargz 형식을 기반으로 개발되었지만 콘텐츠 검증 및 성능 최적화를 포함한 실용적인 기능을 제공합니다. 지연 풀링과 eStargz에 대한 자세한 내용은 Stargz Snapshotter 프로젝트 리포지토리를 참고하시기 바랍니다.","s":"지연 풀링과 eStargz란 무엇인가요?","u":"/kr/advanced","h":"#지연-풀링과-estargz란-무엇인가요","p":2536},{"i":2590,"t":"아래와 같이 k3s 서버와 에이전트에는 --snapshotter=stargz 옵션이 필요합니다. k3s server --snapshotter=stargz 이 구성을 사용하면, eStargz 형식의 이미지에 대해 지연 풀링을 수행할 수 있습니다. 다음 예제 파드 매니페스트는 eStargz 형식의 node:13.13.0 이미지(ghcr.io/stargz-containers/node:13.13.0-esgz)를 사용합니다. 스타즈 스냅샷터가 활성화되면 K3s는 이 이미지에 대해 지연 풀링을 수행합니다. apiVersion: v1 kind: Pod metadata: name: nodejs spec: containers: - name: nodejs-estargz image: ghcr.io/stargz-containers/node:13.13.0-esgz command: [\"node\"] args: - -e - var http = require('http'); http.createServer(function(req, res) { res.writeHead(200); res.end('Hello World!\\n'); }).listen(80); ports: - containerPort: 80","s":"지연 풀링이 가능하도록 k3s 구성하기","u":"/kr/advanced","h":"#지연-풀링이-가능하도록-k3s-구성하기","p":2536},{"i":2592,"t":"K3s용 랜처 로깅은 랜처를 사용하지 않고 설치할 수 있습니다. 이를 위해서는 다음 지침을 실행해야 합니다: helm repo add rancher-charts https://charts.rancher.io helm repo update helm install --create-namespace -n cattle-logging-system rancher-logging-crd rancher-charts/rancher-logging-crd helm install --create-namespace -n cattle-logging-system rancher-logging --set additionalLoggingSources.k3s.enabled=true rancher-charts/rancher-logging","s":"추가 로깅 소스","u":"/kr/advanced","h":"#추가-로깅-소스","p":2536},{"i":2594,"t":"네트워크 정책에 의해 차단된 패킷을 로깅할 수 있습니다. 패킷은 차단 네트워크 정책을 포함한 패킷 세부 정보를 표시하는 iptables NFLOG 작업으로 전송됩니다. 트래픽이 많으면 로그 메시지 수가 매우 많아질 수 있습니다. 정책별로 로그 속도를 제어하려면, 해당 네트워크 정책에 다음 어노테이션을 추가하여 limit 및 limit-burst iptables 매개변수를 설정합니다: kube-router.io/netpol-nflog-limit= kube-router.io/netpol-nflog-limit-burst= 기본값은 limit=10/minute와 limit-burst=10입니다. 이러한 필드의 형식과 사용 가능한 값에 대한 자세한 내용은 iptables manual을 참조하세요. NFLOG 패킷을 로그 항목으로 변환하려면 ulogd2를 설치하고 [log1]을 group=100에서 읽도록 구성합니다. 그런 다음 ulogd2 서비스를 다시 시작하여 새 구성이 커밋되도록 합니다. 네트워크 정책 규칙에 의해 패킷이 차단되면 /var/log/ulog/syslogemu.log에 로그 메시지가 나타납니다. NFLOG 넷링크 소켓으로 전송된 패킷은 tcpdump 또는 tshark와 같은 명령줄 도구를 사용하여 읽을 수도 있습니다: tcpdump -ni nflog:100 더 쉽게 사용할 수 있지만, tcpdump는 패킷을 차단한 네트워크 정책의 이름을 표시하지 않습니다. 대신 와이어샤크의 tshark 명령을 사용하여 정책 이름이 포함된 nflog.prefix 필드를 포함한 전체 NFLOG 패킷 헤더를 표시하세요.","s":"추가 네트워크 정책 로깅","u":"/kr/advanced","h":"#추가-네트워크-정책-로깅","p":2536},{"i":2596,"t":"K3s supports enabling secrets encryption at rest. For more information, see Secrets Encryption.","s":"k3s secrets-encrypt","u":"/kr/cli/secrets-encrypt","h":"","p":2595},{"i":2598,"t":"Version Gate Available as of v1.21.8+k3s1 K3s contains a CLI tool secrets-encrypt, which enables automatic control over the following: Disabling/Enabling secrets encryption Adding new encryption keys Rotating and deleting encryption keys Reencrypting secrets warning Failure to follow proper procedure for rotating encryption keys can leave your cluster permanently corrupted. Proceed with caution.","s":"Secrets Encryption Tool","u":"/kr/cli/secrets-encrypt","h":"#secrets-encryption-tool","p":2595},{"i":2600,"t":"Single-Server High-Availability To rotate secrets encryption keys on a single-server cluster: Start the K3s server with the flag --secrets-encryption 비고 Starting K3s without encryption and enabling it at a later time is currently not supported. Prepare k3s secrets-encrypt prepare Kill and restart the K3s server with same arguments. If running K3s as a service: # If using systemd systemctl restart k3s # If using openrc rc-service k3s restart Rotate k3s secrets-encrypt rotate Kill and restart the K3s server with same arguments Reencrypt 정보 K3s will reencrypt ~5 secrets per second. Clusters with large # of secrets can take several minutes to reencrypt. k3s secrets-encrypt reencrypt The steps are the same for both embedded DB and external DB clusters. To rotate secrets encryption keys on HA setups: Notes Starting K3s without encryption and enabling it at a later time is currently not supported. While not required, it is recommended that you pick one server node from which to run the secrets-encrypt commands. Start up all three K3s servers with the --secrets-encryption flag. For brevity, the servers will be referred to as S1, S2, S3. Prepare on S1 k3s secrets-encrypt prepare Kill and restart S1 with same arguments. If running K3s as a service: # If using systemd systemctl restart k3s # If using openrc rc-service k3s restart Once S1 is up, kill and restart the S2 and S3 Rotate on S1 k3s secrets-encrypt rotate Kill and restart S1 with same arguments Once S1 is up, kill and restart the S2 and S3 Reencrypt on S1 정보 K3s will reencrypt ~5 secrets per second. Clusters with large # of secrets can take several minutes to reencrypt. k3s secrets-encrypt reencrypt Kill and restart S1 with same arguments Once S1 is up, kill and restart the S2 and S3","s":"Encryption Key Rotation","u":"/kr/cli/secrets-encrypt","h":"#encryption-key-rotation","p":2595},{"i":2602,"t":"Single-Server High-Availability After launching a server with --secrets-encryption flag, secrets encryption can be disabled. To disable secrets encryption on a single-node cluster: Disable k3s secrets-encrypt disable Kill and restart the K3s server with same arguments. If running K3s as a service: # If using systemd systemctl restart k3s # If using openrc rc-service k3s restart Reencrypt with flags k3s secrets-encrypt reencrypt --force --skip To re-enable secrets encryption on a single node cluster: Enable k3s secrets-encrypt enable Kill and restart the K3s server with same arguments Reencrypt with flags k3s secrets-encrypt reencrypt --force --skip After launching a HA cluster with --secrets-encryption flags, secrets encryption can be disabled. 비고 While not required, it is recommended that you pick one server node from which to run the secrets-encrypt commands. For brevity, the three servers used in this guide will be referred to as S1, S2, S3. To disable secrets encryption on a HA cluster: Disable on S1 k3s secrets-encrypt disable Kill and restart S1 with same arguments. If running K3s as a service: # If using systemd systemctl restart k3s # If using openrc rc-service k3s restart Once S1 is up, kill and restart the S2 and S3 Reencrypt with flags on S1 k3s secrets-encrypt reencrypt --force --skip To re-enable secrets encryption on a HA cluster: Enable on S1 k3s secrets-encrypt enable Kill and restart S1 with same arguments Once S1 is up, kill and restart the S2 and S3 Reencrypt with flags on S1 k3s secrets-encrypt reencrypt --force --skip","s":"Secrets Encryption Disable/Enable","u":"/kr/cli/secrets-encrypt","h":"#secrets-encryption-disableenable","p":2595},{"i":2604,"t":"The secrets-encrypt tool includes a status command that displays information about the current status of secrets encryption on the node. An example of the command on a single-server node: $ k3s secrets-encrypt status Encryption Status: Enabled Current Rotation Stage: start Server Encryption Hashes: All hashes match Active Key Type Name ------ -------- ---- * AES-CBC aescbckey Another example on HA cluster, after rotating the keys, but before restarting the servers: $ k3s secrets-encrypt status Encryption Status: Enabled Current Rotation Stage: rotate Server Encryption Hashes: hash does not match between node-1 and node-2 Active Key Type Name ------ -------- ---- * AES-CBC aescbckey-2021-12-10T22:54:38Z AES-CBC aescbckey Details on each section are as follows: Encryption Status: Displayed whether secrets encryption is disabled or enabled on the node Current Rotation Stage: Indicates the current rotation stage on the node. Stages are: start, prepare, rotate, reencrypt_request, reencrypt_active, reencrypt_finished Server Encryption Hashes: Useful for HA clusters, this indicates whether all servers are on the same stage with their local files. This can be used to identify whether a restart of servers is required before proceeding to the next stage. In the HA example above, node-1 and node-2 have different hashes, indicating that they currently do not have the same encryption configuration. Restarting the servers will sync up their configuration. Key Table: Summarizes information about the secrets encryption keys found on the node. Active: The \"*\" indicates which, if any, of the keys are currently used for secrets encryption. An active key is used by Kubernetes to encrypt any new secrets. Key Type: All keys using this tool are AES-CBC type. See more info here. Name: Name of the encryption key.","s":"Secrets Encryption Status","u":"/kr/cli/secrets-encrypt","h":"#secrets-encryption-status","p":2595},{"i":2606,"t":"K3s uses tokens to secure the node join process. Tokens authenticate the cluster to the joining node, and the node to the cluster.","s":"k3s token","u":"/kr/cli/token","h":"","p":2605},{"i":2608,"t":"K3s tokens can be specified in either secure or short format. The secure format is preferred, as it enables the client to authenticate the identity of the cluster it is joining, before sending credentials.","s":"Token Format","u":"/kr/cli/token","h":"#token-format","p":2605},{"i":2610,"t":"The secure token format (occasionally referred to as a \"full\" token) contains the following parts: :: prefix: a fixed K10 prefix that identifies the token format cluster CA hash: The hash of the cluster's server CA certificate, used to authenticate the server to the joining node. For self-signed CA certificates, this is the SHA256 sum of the PEM-formatted certificate, as stored on disk. For custom CA certificates, this is the SHA256 sum of the DER encoding of the root certificate; commonly known as the certificate fingerprint. credentials: The username and password, or bearer token, used to authenticate the joining node to the cluster. TLS Bootstrapping​ When a secure token is specified, the joining node performs the following steps to validate the identity of the server it has connected to, before transmitting credentials: With TLS verification disabled, download the CA bundle from /cacerts on the server it is joining. Calculate the SHA256 hash of the CA certificate, as described above. Compare the calculated SHA256 hash to the hash from the token. If the hash matches, validate that the certificate presented by the server can be validated by the server's CA bundle. If the server certificate is valid, present credentials to join the cluster using either basic or bearer token authentication, depending on the token type.","s":"Secure","u":"/kr/cli/token","h":"#secure","p":2605},{"i":2612,"t":"The short token format includes only the password or bearer token used to authenticate the joining node to the cluster. If a short token is used, the joining node implicitly trusts the CA bundle presented by the server; steps 2-4 in the TLS Bootstrapping process are skipped. The initial connection may be vulnerable to man-in-the-middle attack.","s":"Short","u":"/kr/cli/token","h":"#short","p":2605},{"i":2614,"t":"K3s supports three types of tokens. Only the server token is available by default; additional token types must be configured or created by the administrator. Type CLI Option Environment Variable Server --token K3S_TOKEN Agent --agent-token K3S_AGENT_TOKEN Bootstrap n/a n/a","s":"Token Types","u":"/kr/cli/token","h":"#token-types","p":2605},{"i":2616,"t":"If no token is provided when starting the first server in the cluster, one is created with a random password. The server token is always written to /var/lib/rancher/k3s/server/token, in secure format. The server token can be used to join both server and agent nodes to the cluster. It cannot be changed once the cluster has been created, and anyone with access to the server token essentially has full administrator access to the cluster. This token should be guarded carefully. The server token is also used as the PBKDF2 passphrase for the key used to encrypt confidential information that is persisted to the datastore, such as the secrets-encryption configuration, wireguard keys, and private keys for cluster CA certificates and service-account tokens. For this reason, the token must be backed up alongside the cluster datastore itself. warning Unless custom CA certificates are in use, only the short (password-only) token format can be used when starting the first server in the cluster. This is because the cluster CA hash cannot be known until after the server has generated the self-signed cluster CA certificates. For more information on using custom CA certificates, see the k3s certificate documentation. For more information on backing up your cluster, see the Backup and Restore documentation.","s":"Server","u":"/kr/cli/token","h":"#server","p":2605},{"i":2618,"t":"By default, the agent token is the same as the server token. The agent token can be set before or after the cluster has been started, by changing the CLI option or environment variable on all servers in the cluster. The agent token is similar to the server token in that is it statically configured, and does not expire. The agent token is written to /var/lib/rancher/k3s/server/agent-token, in secure format. If no agent token is specified, this file is a link to the server token.","s":"Agent","u":"/kr/cli/token","h":"#agent","p":2605},{"i":2620,"t":"Version Gate Support for the k3s token command and the ability to join nodes with bootstrap tokens is available starting with the 2023-02 releases (v1.26.2+k3s1, v1.25.7+k3s1, v1.24.11+k3s1, v1.23.17+k3s1). K3s supports dynamically generated, automatically expiring agent bootstrap tokens. Bootstrap tokens can only be used to join agents.","s":"Bootstrap","u":"/kr/cli/token","h":"#bootstrap","p":2605},{"i":2621,"t":"K3s bootstrap tokens use the same generation and validation code as kubeadm token bootstrap tokens, and the k3s token CLI is similar. NAME: k3s token - Manage bootstrap tokens USAGE: k3s token command [command options] [arguments...] COMMANDS: create Create bootstrap tokens on the server delete Delete bootstrap tokens on the server generate Generate and print a bootstrap token, but do not create it on the server list List bootstrap tokens on the server OPTIONS: --help, -h show help k3s token create [token]​ Create a new token. The [token] is the actual token to write, as generated by k3s token generate. If no token is given, a random one will be generated. A token in secure format, including the cluster CA hash, will be written to stdout. The output of this command should be saved, as the secret portion of the token cannot be shown again. Flag Description --data-dir value (data) Folder to hold state default /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root --kubeconfig value (cluster) Server to connect to [$KUBECONFIG] --description value A human friendly description of how this token is used --groups value Extra groups that this token will authenticate as when used for authentication. (default: Default: \"system:bootstrappers:k3s:default-node-token\") --ttl value The duration before the token is automatically deleted (e.g. 1s, 2m, 3h). If set to '0', the token will never expire (default: 24h0m0s) --usages value Describes the ways in which this token can be used. (default: \"signing,authentication\") k3s token delete​ Delete one or more tokens. The full token can be provided, or just the token ID. Flag Description --data-dir value (data) Folder to hold state default /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root --kubeconfig value (cluster) Server to connect to [$KUBECONFIG] k3s token generate​ Generate a randomly-generated bootstrap token. You don't have to use this command in order to generate a token. You can do so yourself as long as it is in the format \"[a-z0-9]6.[a-z0-9]16\", where the first portion is the token ID, and the second portion is the secret. Flag Description --data-dir value (data) Folder to hold state default /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root --kubeconfig value (cluster) Server to connect to [$KUBECONFIG] k3s token list​ List bootstrap tokens, showing their ID, description, and remaining time-to-live. Flag Description --data-dir value (data) Folder to hold state default /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root --kubeconfig value (cluster) Server to connect to [$KUBECONFIG] --output value Output format. Valid options: text, json (default: \"text\")","s":"k3s token","u":"/kr/cli/token","h":"#k3s-token-1","p":2605},{"i":2623,"t":"/etc/rancher/k3s/k3s.yaml에 저장된 kubeconfig 파일은 쿠버네티스 클러스터에 대한 액세스를 구성하는 데 사용됩니다. kubectl 또는 helm과 같은 업스트림 Kubernetes 명령줄 도구를 설치한 경우 올바른 kubeconfig 경로로 구성해야 합니다. 이 작업은 kubeconfig 환경 변수를 내보내거나 --kubeconfig 명령줄 플래그를 호출하여 수행할 수 있습니다. 자세한 내용은 아래 예시를 참고하세요. KUBECONFIG 환경 변수를 활용합니다: export KUBECONFIG=/etc/rancher/k3s/k3s.yaml kubectl get pods --all-namespaces helm ls --all-namespaces 또는 명령에 kubeconfig 파일의 위치를 지정합니다: kubectl --kubeconfig /etc/rancher/k3s/k3s.yaml get pods --all-namespaces helm --kubeconfig /etc/rancher/k3s/k3s.yaml ls --all-namespaces","s":"클러스터 접근","u":"/kr/cluster-access","h":"","p":2622},{"i":2625,"t":"/etc/rancher/k3s/k3s.yaml파일을 클러스터 외부에 위치한 머신의 ~/.kube/config로 복사합니다. 그런 다음 server 필드의 값을 K3s 서버의 IP 또는 이름으로 바꿉니다. 이제 kubectl이 K3s 클러스터를 관리할 수 있습니다.","s":"외부에서 kubectl로 클러스터에 접근하기","u":"/kr/cluster-access","h":"#외부에서-kubectl로-클러스터에-접근하기","p":2622},{"i":2627,"t":"etcd가 아닌 다른 데이터스토어를 사용하여 쿠버네티스를 실행할 수 있는 기능은 K3s를 다른 쿠버네티스 배포판과 차별화합니다. 이 기능은 쿠버네티스 운영자에게 유연성을 제공합니다. 사용 가능한 데이터스토어 옵션을 통해 사용 사례에 가장 적합한 데이터스토어를 선택할 수 있습니다. 예를 들어: 팀에 etcd 운영에 대한 전문 지식이 없는 경우, MySQL 또는 PostgreSQL과 같은 엔터프라이즈급 SQL 데이터베이스를 선택할 수 있습니다. CI/CD 환경에서 단순하고 수명이 짧은 클러스터를 실행해야 하는 경우, 임베디드 SQLite 데이터베이스를 사용할 수 있습니다. 엣지에 Kubernetes를 배포하고 고가용성 솔루션이 필요하지만 엣지에서 데이터베이스를 관리하는 데 따른 운영 오버헤드를 감당할 수 없는 경우, 임베디드 etcd를 기반으로 구축된 K3s의 임베디드 HA 데이터스토어를 사용할 수 있습니다. K3s는 다음과 같은 데이터스토어 옵션을 지원합니다: 임베디드 SQLite SQLite는 여러 서버가 있는 클러스터에서는 사용할 수 없습니다. SQLite는 기본 데이터스토어이며, 다른 데이터스토어 구성이 없고 디스크에 임베디드 etcd 데이터베이스 파일이 없는 경우 사용됩니다. 임베디드 etcd 여러 서버에서 임베디드 etcd를 사용하는 방법에 대한 자세한 내용은 고가용성 임베디드 etcd 설명서를 참조하세요. K3s가 새 etcd 클러스터를 초기화하거나 기존 etcd 클러스터에 가입하도록 구성되었거나 시작 시 디스크에 etcd 데이터베이스 파일이 있는 경우 임베디드 etcd가 자동으로 선택됩니다. 외부 데이터베이스 여러 서버에서 외부 데이터스토어를 사용하는 방법에 대한 자세한 내용은 고가용성 외부 DB 설명서를 참조하세요. 지원되는 외부 데이터스토어는 다음과 같습니다: etcd (3.5.4 버전에 대해 검증됨) MySQL (5.7 and 8.0 버전에 대해 검증됨) MariaDB (10.6.8 버전에 대해 검증됨) PostgreSQL (10.7, 11.5, and 14.2 버전에 대해 검증됨)","s":"클러스터 데이터 저장소","u":"/kr/datastore","h":"","p":2626},{"i":2629,"t":"PostgreSQL, MySQL, etcd와 같은 외부 데이터스토어를 사용하려면 K3s가 연결 방법을 알 수 있도록 datastore-endpoint 파라미터를 설정해야 합니다. 또한 연결의 인증 및 암호화를 구성하는 파라미터를 지정할 수도 있습니다. 아래 표에는 이러한 매개변수가 요약되어 있으며, CLI 플래그 또는 환경 변수로 전달할 수 있습니다. CLI Flag Environment Variable Description --datastore-endpoint K3S_DATASTORE_ENDPOINT PostgreSQL, MySQL 또는 etcd 연결 문자열을 지정합니다. 데이터스토어에 대한 연결을 설명하는 데 사용되는 문자열입니다. 이 문자열의 구조는 각 백엔드에 따라 다르며 아래에 자세히 설명되어 있습니다. --datastore-cafile K3S_DATASTORE_CAFILE 데이터스토어와의 통신을 보호하는 데 사용되는 TLS 인증 기관(CA: Certificate Authority) 파일입니다. 데이터스토어에서 사용자 지정 인증 기관에서 서명한 인증서를 사용하여 TLS를 통해 요청을 제공하는 경우, 이 매개변수를 사용하여 해당 CA를 지정하면 K3s 클라이언트가 인증서를 올바르게 확인할 수 있습니다. --datastore-certfile K3S_DATASTORE_CERTFILE 데이터스토어에 대한 클라이언트 인증서 기반 인증에 사용되는 TLS 인증서 파일입니다. 이 기능을 사용하려면 데이터스토어가 클라이언트 인증서 기반 인증을 지원하도록 구성되어 있어야 합니다. 이 파라미터를 지정하는 경우 datastore-keyfile 파라미터도 지정해야 합니다. --datastore-keyfile K3S_DATASTORE_KEYFILE 데이터스토어에 대한 클라이언트 인증서 기반 인증에 사용되는 TLS 키 파일입니다. 자세한 내용은 이전 datastore-certfile 매개변수를 참조하세요. 데이터베이스 자격 증명이나 기타 민감한 정보가 프로세스 정보의 일부로 노출되지 않도록 이러한 매개 변수를 명령줄 인수가 아닌 환경 변수로 설정하는 것이 좋습니다.","s":"외부 데이터스토어 구성 파라미터","u":"/kr/datastore","h":"#외부-데이터스토어-구성-파라미터","p":2626},{"i":2631,"t":"앞서 언급했듯이, datastore-endpoint 매개변수에 전달되는 값의 형식은 데이터스토어 백엔드에 따라 달라집니다. 다음은 지원되는 각 외부 데이터스토어에 대한 이 형식과 기능에 대해 자세히 설명합니다. PostgreSQL MySQL / MariaDB etcd 가장 일반적인 형식의 PostgreSQL용 데이터 저장소 엔드포인트 매개 변수는 다음과 같은 형식을 갖습니다: postgres://username:password@hostname:port/database-name 더 고급 구성 매개변수를 사용할 수 있습니다. 이에 대한 자세한 내용은 https://godoc.org/github.com/lib/pq 을 참조하세요. 데이터베이스 이름을 지정했는데 해당 데이터베이스가 존재하지 않으면 서버에서 데이터베이스 생성을 시도합니다. 엔드포인트로 postgres://만 제공하는 경우, K3s는 다음을 시도합니다: 사용자 이름과 비밀번호로 postgres를 사용하여 localhost에 연결합니다. kubernetes라는 이름의 데이터베이스를 생성합니다. 가장 일반적인 형태인 MySQL과 MariaDB의 datastore-endpoint 파라미터는 다음과 같은 형식을 갖습니다: mysql://username:password@tcp(hostname:3306)/database-name 더 고급 구성 매개변수를 사용할 수도 있습니다. 이에 대한 자세한 내용은 https://github.com/go-sql-driver/mysql#dsn-data-source-name 을 참조하세요. K3s의 알려진 이슈로 인해 tls 파라미터를 설정할 수 없습니다. TLS 통신은 지원되지만 예를 들어 이 매개변수를 \"skip-verify\"로 설정하여 K3s가 인증서 확인을 건너뛰도록 할 수는 없습니다. 데이터베이스 이름을 지정했는데 데이터베이스가 존재하지 않으면 서버에서 만들려고 시도합니다. 엔드포인트로 mysql://만 제공하는 경우, K3s는 다음을 시도합니다: root 사용자와 비밀번호를 사용하지 않고 /var/run/mysqld/mysqld.sock에서 MySQL 소켓에 연결합니다. kubernetes라는 이름의 데이터베이스를 생성합니다. 가장 일반적인 형태인 etcd의 datastore-endpoint 파라미터의 형식은 다음과 같습니다: https://etcd-host-1:2379,https://etcd-host-2:2379,https://etcd-host-3:2379 위는 일반적인 세 개의 노드인 etcd 클러스터를 가정합니다. 이 매개변수는 쉼표로 구분된 하나 이상의 etcd URL을 사용할 수 있습니다.","s":"데이터스토어 엔드포인트 형식 및 기능","u":"/kr/datastore","h":"#데이터스토어-엔드포인트-형식-및-기능","p":2626},{"i":2633,"t":"The way K3s is backed up and restored depends on which type of datastore is used. warning In addition to backing up the datastore itself, you must also back up the server token file at /var/lib/rancher/k3s/server/token. You must restore this file, or pass its value into the --token option, when restoring from backup. If you do not use the same token value when restoring, the snapshot will be unusable, as the token is used to encrypt confidential data within the datastore itself.","s":"Backup and Restore","u":"/kr/datastore/backup-restore","h":"","p":2632},{"i":2635,"t":"No special commands are required to back up or restore the SQLite datastore. To back up the SQLite datastore, take a copy of /var/lib/rancher/k3s/server/db/. To restore the SQLite datastore, restore the contents of /var/lib/rancher/k3s/server/db (and the token, as discussed above).","s":"Backup and Restore with SQLite","u":"/kr/datastore/backup-restore","h":"#backup-and-restore-with-sqlite","p":2632},{"i":2637,"t":"When an external datastore is used, backup and restore operations are handled outside of K3s. The database administrator will need to back up the external database, or restore it from a snapshot or dump. We recommend configuring the database to take recurring snapshots. For details on taking database snapshots and restoring your database from them, refer to the official database documentation: Official MySQL documentation Official PostgreSQL documentation Official etcd documentation","s":"Backup and Restore with External Datastore","u":"/kr/datastore/backup-restore","h":"#backup-and-restore-with-external-datastore","p":2632},{"i":2639,"t":"See the k3s etcd-snapshot command documentation for information on performing backup and restore operations on the embedded etcd datastore.","s":"Backup and Restore with Embedded etcd Datastore","u":"/kr/datastore/backup-restore","h":"#backup-and-restore-with-embedded-etcd-datastore","p":2632},{"i":2641,"t":"In this section, you'll learn how to configure the K3s server. Note that servers also run an agent, so all of the configuration options listed in the k3s agent documentation are also supported on servers. Options are documented on this page as CLI flags, but can also be passed as configuration file options. See the Configuration File documentation for more information on using YAML configuration files.","s":"k3s server","u":"/kr/cli/server","h":"","p":2640},{"i":2643,"t":"The following options must be set to the same value on all servers in the cluster. Failure to do so will cause new servers to fail to join the cluster when using embedded etcd, or incorrect operation of the cluster when using an external datastore. --agent-token --cluster-cidr --cluster-dns --cluster-domain --disable-cloud-controller --disable-helm-controller --disable-network-policy --disable-servicelb --egress-selector-mode --flannel-backend --flannel-external-ip --flannel-ipv6-masq --secrets-encryption --service-cidr","s":"Critical Configuration Values","u":"/kr/cli/server","h":"#critical-configuration-values","p":2640},{"i":2646,"t":"Flag Environment Variable Description --datastore-endpoint value K3S_DATASTORE_ENDPOINT Specify etcd, Mysql, Postgres, or Sqlite (default) data source name --datastore-cafile value K3S_DATASTORE_CAFILE TLS Certificate Authority file used to secure datastore backend communication --datastore-certfile value K3S_DATASTORE_CERTFILE TLS certification file used to secure datastore backend communication --datastore-keyfile value K3S_DATASTORE_KEYFILE TLS key file used to secure datastore backend communication --etcd-expose-metrics N/A Expose etcd metrics to client interface (default: false) --etcd-disable-snapshots N/A Disable automatic etcd snapshots --etcd-snapshot-name value N/A Set the base name of etcd snapshots. Default: etcd-snapshot- (default:\"etcd-snapshot\") --etcd-snapshot-schedule-cron value N/A Snapshot interval time in cron spec. eg. every 5 hours '0 */5 _ * _' (default: \"0 */12 * * *\") --etcd-snapshot-retention value N/A Number of snapshots to retain (default: 5) --etcd-snapshot-dir value N/A Directory to save db snapshots (default: ${data-dir}/db/snapshots) --etcd-s3 N/A Enable backup to S3 --etcd-s3-endpoint value N/A S3 endpoint url (default: \"s3.amazonaws.com\") --etcd-s3-endpoint-ca value N/A S3 custom CA cert to connect to S3 endpoint --etcd-s3-skip-ssl-verify N/A Disables S3 SSL certificate validation --etcd-s3-access-key value AWS_ACCESS_KEY_ID S3 access key --etcd-s3-secret-key value AWS_SECRET_ACCESS_KEY S3 secret key --etcd-s3-bucket value N/A S3 bucket name --etcd-s3-region value N/A S3 region / bucket location (optional) (default: \"us-east-1\") --etcd-s3-folder value N/A S3 folder --etcd-s3-insecure Disables S3 over HTTPS --etcd-s3-timeout value S3 timeout (default: 5m0s)","s":"Database","u":"/kr/cli/server","h":"#database","p":2640},{"i":2648,"t":"Flag Environment Variable Description --token value, -t value K3S_TOKEN Shared secret used to join a server or agent to a cluster --token-file value K3S_TOKEN_FILE File containing the cluster-secret/token --agent-token value K3S_AGENT_TOKEN Shared secret used to join agents to the cluster, but not servers --agent-token-file value K3S_AGENT_TOKEN_FILE File containing the agent secret --server value K3S_URL Server to connect to, used to join a cluster --cluster-init K3S_CLUSTER_INIT Initialize a new cluster using embedded Etcd --cluster-reset K3S_CLUSTER_RESET Forget all peers and become sole member of a new cluster","s":"Cluster Options","u":"/kr/cli/server","h":"#cluster-options","p":2640},{"i":2650,"t":"Flag Environment Variable Description --write-kubeconfig value, -o value K3S_KUBECONFIG_OUTPUT Write kubeconfig for admin client to this file --write-kubeconfig-mode value K3S_KUBECONFIG_MODE Write kubeconfig with this mode. The kubeconfig file is owned by root, and written with a default mode of 600. Changing the mode to 644 will allow it to be read by other unprivileged users on the host.","s":"Admin Kubeconfig Options","u":"/kr/cli/server","h":"#admin-kubeconfig-options","p":2640},{"i":2653,"t":"Flag Default Description --debug N/A Turn on debug logs -v value 0 Number for the log level verbosity --vmodule value N/A Comma-separated list of FILE_PATTERN=LOG_LEVEL settings for file-filtered logging --log value, -l value N/A Log to file --alsologtostderr N/A Log to standard error as well as file (if set)","s":"Logging","u":"/kr/cli/server","h":"#logging","p":2640},{"i":2655,"t":"Flag Default Description --bind-address value 0.0.0.0 k3s bind address --https-listen-port value 6443 HTTPS listen port --advertise-address value node-external-ip/node-ip IPv4 address that apiserver uses to advertise to members of the cluster --advertise-port value listen-port/0 Port that apiserver uses to advertise to members of the cluster --tls-san value N/A Add additional hostnames or IPv4/IPv6 addresses as Subject Alternative Names on the TLS cert","s":"Listeners","u":"/kr/cli/server","h":"#listeners","p":2640},{"i":2657,"t":"Flag Default Description --data-dir value, -d value /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root Folder to hold state","s":"Data","u":"/kr/cli/server","h":"#data","p":2640},{"i":2659,"t":"Flag Default Description --secrets-encryption false Enable Secret encryption at rest","s":"Secrets Encryption","u":"/kr/cli/server","h":"#secrets-encryption","p":2640},{"i":2661,"t":"Flag Default Description --cluster-cidr value \"10.42.0.0/16\" IPv4/IPv6 network CIDRs to use for pod IPs --service-cidr value \"10.43.0.0/16\" IPv4/IPv6 network CIDRs to use for service IPs --service-node-port-range value \"30000-32767\" Port range to reserve for services with NodePort visibility --cluster-dns value \"10.43.0.10\" IPv4 Cluster IP for coredns service. Should be in your service-cidr range --cluster-domain value \"cluster.local\" Cluster Domain --flannel-backend value \"vxlan\" One of 'none', 'vxlan', 'ipsec'(deprecated), 'host-gw', 'wireguard-native', or 'wireguard'(deprecated) --flannel-ipv6-masq \"N/A\" Enable IPv6 masquerading for pod --flannel-external-ip \"N/A\" Use node external IP addresses for Flannel traffic --servicelb-namespace value \"kube-system\" Namespace of the pods for the servicelb component --egress-selector-mode value \"agent\" Must be one of the following: disabled: The apiserver does not use agent tunnels to communicate with nodes. Requires that servers run agents, and have direct connectivity to the kubelet on agents, or the apiserver will not be able to function access service endpoints or perform kubectl exec and kubectl logs. agent: The apiserver uses agent tunnels to communicate with nodes. Nodes allow the tunnel connection from loopback addresses. Requires that servers also run agents, or the apiserver will not be able to access service endpoints. The historical default for k3s. pod: The apiserver uses agent tunnels to communicate with nodes and service endpoints, routing endpoint connections to the correct agent by watching Nodes. Nodes allow the tunnel connection from loopback addresses, or a CIDR assigned to their node. cluster: The apiserver uses agent tunnels to communicate with nodes and service endpoints, routing endpoint connections to the correct agent by watching Endpoints. Nodes allow the tunnel connection from loopback addresses, or the configured cluster CIDR range.","s":"Networking","u":"/kr/cli/server","h":"#networking","p":2640},{"i":2663,"t":"Flag Description --default-local-storage-path value Default local storage path for local provisioner storage class","s":"Storage Class","u":"/kr/cli/server","h":"#storage-class","p":2640},{"i":2665,"t":"Flag Description --disable value See \"Using the --disable flag\" --disable-scheduler Disable Kubernetes default scheduler --disable-cloud-controller Disable k3s default cloud controller manager --disable-kube-proxy Disable running kube-proxy --disable-network-policy Disable k3s default network policy controller --disable-helm-controller Disable Helm controller","s":"Kubernetes Components","u":"/kr/cli/server","h":"#kubernetes-components","p":2640},{"i":2667,"t":"Flag Description --etcd-arg value Customized flag for etcd process --kube-apiserver-arg value Customized flag for kube-apiserver process --kube-scheduler-arg value Customized flag for kube-scheduler process --kube-controller-manager-arg value Customized flag for kube-controller-manager process --kube-cloud-controller-manager-arg value Customized flag for kube-cloud-controller-manager process --kubelet-arg value Customized flag for kubelet process --kube-proxy-arg value Customized flag for kube-proxy process","s":"Customized Flags for Kubernetes Processes","u":"/kr/cli/server","h":"#customized-flags-for-kubernetes-processes","p":2640},{"i":2669,"t":"Flag Description --rootless Run rootless --enable-pprof Enable pprof endpoint on supervisor port --docker Use cri-dockerd instead of containerd --prefer-bundled-bin Prefer bundled userspace binaries over host binaries --disable-agent See \"Running Agentless Servers (Experimental)\"","s":"Experimental Options","u":"/kr/cli/server","h":"#experimental-options","p":2640},{"i":2671,"t":"Flag Environment Variable Description --no-flannel N/A Use --flannel-backend=none --no-deploy value N/A Use --disable --cluster-secret value K3S_CLUSTER_SECRET Use --token --flannel-backend wireguard N/A Use --flannel-backend=wireguard-native --flannel-backend value=option1=value N/A Use --flannel-conf to specify the flannel config file with the backend config","s":"Deprecated Options","u":"/kr/cli/server","h":"#deprecated-options","p":2640},{"i":2673,"t":"If an option appears in brackets below, for example [$K3S_TOKEN], it means that the option can be passed in as an environment variable of that name. NAME: k3s server - Run management server USAGE: k3s server [OPTIONS] OPTIONS: --config FILE, -c FILE (config) Load configuration from FILE (default: \"/etc/rancher/k3s/config.yaml\") [$K3S_CONFIG_FILE] --debug (logging) Turn on debug logs [$K3S_DEBUG] -v value (logging) Number for the log level verbosity (default: 0) --vmodule value (logging) Comma-separated list of FILE_PATTERN=LOG_LEVEL settings for file-filtered logging --log value, -l value (logging) Log to file --alsologtostderr (logging) Log to standard error as well as file (if set) --bind-address value (listener) k3s bind address (default: 0.0.0.0) --https-listen-port value (listener) HTTPS listen port (default: 6443) --advertise-address value (listener) IPv4 address that apiserver uses to advertise to members of the cluster (default: node-external-ip/node-ip) --advertise-port value (listener) Port that apiserver uses to advertise to members of the cluster (default: listen-port) (default: 0) --tls-san value (listener) Add additional hostnames or IPv4/IPv6 addresses as Subject Alternative Names on the server TLS cert --data-dir value, -d value (data) Folder to hold state (default: /var/lib/rancher/k3s or $\\{HOME\\}/.rancher/k3s if not root) --cluster-cidr value (networking) IPv4/IPv6 network CIDRs to use for pod IPs (default: 10.42.0.0/16) --service-cidr value (networking) IPv4/IPv6 network CIDRs to use for service IPs (default: 10.43.0.0/16) --service-node-port-range value (networking) Port range to reserve for services with NodePort visibility (default: \"30000-32767\") --cluster-dns value (networking) IPv4 Cluster IP for coredns service. Should be in your service-cidr range (default: 10.43.0.10) --cluster-domain value (networking) Cluster Domain (default: \"cluster.local\") --flannel-backend value (networking) backend<=option1=val1,option2=val2> where backend is one of 'none', 'vxlan', 'ipsec' (deprecated), 'host-gw', 'wireguard-native', 'wireguard' (deprecated) (default: \"vxlan\") --flannel-ipv6-masq (networking) Enable IPv6 masquerading for pod --flannel-external-ip (networking) Use node external IP addresses for Flannel traffic --egress-selector-mode value (networking) One of 'agent', 'cluster', 'pod', 'disabled' (default: \"agent\") --servicelb-namespace value (networking) Namespace of the pods for the servicelb component (default: \"kube-system\") --write-kubeconfig value, -o value (client) Write kubeconfig for admin client to this file [$K3S_KUBECONFIG_OUTPUT] --write-kubeconfig-mode value (client) Write kubeconfig with this mode [$K3S_KUBECONFIG_MODE] --token value, -t value (cluster) Shared secret used to join a server or agent to a cluster [$K3S_TOKEN] --token-file value (cluster) File containing the token [$K3S_TOKEN_FILE] --agent-token value (cluster) Shared secret used to join agents to the cluster, but not servers [$K3S_AGENT_TOKEN] --agent-token-file value (cluster) File containing the agent secret [$K3S_AGENT_TOKEN_FILE] --server value, -s value (cluster) Server to connect to, used to join a cluster [$K3S_URL] --cluster-init (cluster) Initialize a new cluster using embedded Etcd [$K3S_CLUSTER_INIT] --cluster-reset (cluster) Forget all peers and become sole member of a new cluster [$K3S_CLUSTER_RESET] --cluster-reset-restore-path value (db) Path to snapshot file to be restored --kube-apiserver-arg value (flags) Customized flag for kube-apiserver process --etcd-arg value (flags) Customized flag for etcd process --kube-controller-manager-arg value (flags) Customized flag for kube-controller-manager process --kube-scheduler-arg value (flags) Customized flag for kube-scheduler process --kube-cloud-controller-manager-arg value (flags) Customized flag for kube-cloud-controller-manager process --datastore-endpoint value (db) Specify etcd, Mysql, Postgres, or Sqlite (default) data source name [$K3S_DATASTORE_ENDPOINT] --datastore-cafile value (db) TLS Certificate Authority file used to secure datastore backend communication [$K3S_DATASTORE_CAFILE] --datastore-certfile value (db) TLS certification file used to secure datastore backend communication [$K3S_DATASTORE_CERTFILE] --datastore-keyfile value (db) TLS key file used to secure datastore backend communication [$K3S_DATASTORE_KEYFILE] --etcd-expose-metrics (db) Expose etcd metrics to client interface. (default: false) --etcd-disable-snapshots (db) Disable automatic etcd snapshots --etcd-snapshot-name value (db) Set the base name of etcd snapshots (default: etcd-snapshot-) (default: \"etcd-snapshot\") --etcd-snapshot-schedule-cron value (db) Snapshot interval time in cron spec. eg. every 5 hours '* */5 * * *' (default: \"0 */12 * * *\") --etcd-snapshot-retention value (db) Number of snapshots to retain (default: 5) --etcd-snapshot-dir value (db) Directory to save db snapshots. (default: $\\{data-dir\\}/db/snapshots) --etcd-snapshot-compress (db) Compress etcd snapshot --etcd-s3 (db) Enable backup to S3 --etcd-s3-endpoint value (db) S3 endpoint url (default: \"s3.amazonaws.com\") --etcd-s3-endpoint-ca value (db) S3 custom CA cert to connect to S3 endpoint --etcd-s3-skip-ssl-verify (db) Disables S3 SSL certificate validation --etcd-s3-access-key value (db) S3 access key [$AWS_ACCESS_KEY_ID] --etcd-s3-secret-key value (db) S3 secret key [$AWS_SECRET_ACCESS_KEY] --etcd-s3-bucket value (db) S3 bucket name --etcd-s3-region value (db) S3 region / bucket location (optional) (default: \"us-east-1\") --etcd-s3-folder value (db) S3 folder --etcd-s3-insecure (db) Disables S3 over HTTPS --etcd-s3-timeout value (db) S3 timeout (default: 5m0s) --default-local-storage-path value (storage) Default local storage path for local provisioner storage class --disable value (components) Do not deploy packaged components and delete any deployed components (valid items: coredns, servicelb, traefik, local-storage, metrics-server) --disable-scheduler (components) Disable Kubernetes default scheduler --disable-cloud-controller (components) Disable k3s default cloud controller manager --disable-kube-proxy (components) Disable running kube-proxy --disable-network-policy (components) Disable k3s default network policy controller --disable-helm-controller (components) Disable Helm controller --node-name value (agent/node) Node name [$K3S_NODE_NAME] --with-node-id (agent/node) Append id to node name --node-label value (agent/node) Registering and starting kubelet with set of labels --node-taint value (agent/node) Registering kubelet with set of taints --image-credential-provider-bin-dir value (agent/node) The path to the directory where credential provider plugin binaries are located (default: \"/var/lib/rancher/credentialprovider/bin\") --image-credential-provider-config value (agent/node) The path to the credential provider plugin config file (default: \"/var/lib/rancher/credentialprovider/config.yaml\") --docker (agent/runtime) (experimental) Use cri-dockerd instead of containerd --container-runtime-endpoint value (agent/runtime) Disable embedded containerd and use the CRI socket at the given path; when used with --docker this sets the docker socket path --pause-image value (agent/runtime) Customized pause image for containerd or docker sandbox (default: \"rancher/mirrored-pause:3.6\") --snapshotter value (agent/runtime) Override default containerd snapshotter (default: \"overlayfs\") --private-registry value (agent/runtime) Private registry configuration file (default: \"/etc/rancher/k3s/registries.yaml\") --system-default-registry value (agent/runtime) Private registry to be used for all system images [$K3S_SYSTEM_DEFAULT_REGISTRY] --node-ip value, -i value (agent/networking) IPv4/IPv6 addresses to advertise for node --node-external-ip value (agent/networking) IPv4/IPv6 external IP addresses to advertise for node --resolv-conf value (agent/networking) Kubelet resolv.conf file [$K3S_RESOLV_CONF] --flannel-iface value (agent/networking) Override default flannel interface --flannel-conf value (agent/networking) Override default flannel config file --flannel-cni-conf value (agent/networking) Override default flannel cni config file --kubelet-arg value (agent/flags) Customized flag for kubelet process --kube-proxy-arg value (agent/flags) Customized flag for kube-proxy process --protect-kernel-defaults (agent/node) Kernel tuning behavior. If set, error if kernel tunables are different than kubelet defaults. --secrets-encryption Enable secret encryption at rest --enable-pprof (experimental) Enable pprof endpoint on supervisor port --rootless (experimental) Run rootless --prefer-bundled-bin (experimental) Prefer bundled userspace binaries over host binaries --selinux (agent/node) Enable SELinux in containerd [$K3S_SELINUX] --lb-server-port value (agent/node) Local port for supervisor client load-balancer. If the supervisor and apiserver are not colocated an additional port 1 less than this port will also be used for the apiserver client load-balancer. (default: 6444) [$K3S_LB_SERVER_PORT]","s":"K3s Server CLI Help","u":"/kr/cli/server","h":"","p":2640},{"i":2675,"t":"Note: Official support for installing Rancher on a Kubernetes cluster was introduced in our v1.0.0 release. This section describes how to install a high-availability K3s cluster with an external database. Single server clusters can meet a variety of use cases, but for environments where uptime of the Kubernetes control plane is critical, you can run K3s in an HA configuration. An HA K3s cluster is comprised of: Two or more server nodes that will serve the Kubernetes API and run other control plane services Zero or more agent nodes that are designated to run your apps and services An external datastore (as opposed to the embedded SQLite datastore used in single-server setups) A fixed registration address that is placed in front of the server nodes to allow agent nodes to register with the cluster For more details on how these components work together, refer to the architecture section. Agents register through the fixed registration address, but after registration they establish a connection directly to one of the server nodes. This is a websocket connection initiated by the k3s agent process, it is maintained by a client-side load balancer running as part of the agent process.","s":"High Availability External DB","u":"/kr/datastore/ha","h":"","p":2674},{"i":2677,"t":"Setting up an HA cluster requires the following steps:","s":"Installation Outline","u":"/kr/datastore/ha","h":"#installation-outline","p":2674},{"i":2679,"t":"You will first need to create an external datastore for the cluster. See the Cluster Datastore Options documentation for more details.","s":"1. Create an External Datastore","u":"/kr/datastore/ha","h":"#1-create-an-external-datastore","p":2674},{"i":2681,"t":"K3s requires two or more server nodes for this HA configuration. See the Requirements guide for minimum machine requirements. When running the k3s server command on these nodes, you must set the datastore-endpoint parameter so that K3s knows how to connect to the external datastore. The token parameter can also be used to set a deterministic token when adding nodes. When empty, this token will be generated automatically for further use. For example, a command like the following could be used to install the K3s server with a MySQL database as the external datastore and set a token: curl -sfL https://get.k3s.io | sh -s - server \\ --token=SECRET \\ --datastore-endpoint=\"mysql://username:password@tcp(hostname:3306)/database-name\" The datastore endpoint format differs based on the database type. For details, refer to the section on datastore endpoint formats. To configure TLS certificates when launching server nodes, refer to the datastore configuration guide. 비고 The same installation options available to single-server installs are also available for high-availability installs. For more details, see the Configuration Options documentation. By default, server nodes will be schedulable and thus your workloads can get launched on them. If you wish to have a dedicated control plane where no user workloads will run, you can use taints. The node-taint parameter will allow you to configure nodes with taints, for example --node-taint CriticalAddonsOnly=true:NoExecute. Once you've launched the k3s server process on all server nodes, ensure that the cluster has come up properly with k3s kubectl get nodes. You should see your server nodes in the Ready state.","s":"2. Launch Server Nodes","u":"/kr/datastore/ha","h":"#2-launch-server-nodes","p":2674},{"i":2683,"t":"Agent nodes need a URL to register against. This can be the IP or hostname of any of the server nodes, but in many cases those may change over time. For example, if you are running your cluster in a cloud that supports scaling groups, you may scale the server node group up and down over time, causing nodes to be created and destroyed and thus having different IPs from the initial set of server nodes. Therefore, you should have a stable endpoint in front of the server nodes that will not change over time. This endpoint can be set up using any number approaches, such as: A layer-4 (TCP) load balancer Round-robin DNS Virtual or elastic IP addresses This endpoint can also be used for accessing the Kubernetes API. So you can, for example, modify your kubeconfig file to point to it instead of a specific node. To avoid certificate errors in such a configuration, you should install the server with the --tls-san YOUR_IP_OR_HOSTNAME_HERE option. This option adds an additional hostname or IP as a Subject Alternative Name in the TLS cert, and it can be specified multiple times if you would like to access via both the IP and the hostname.","s":"3. Configure the Fixed Registration Address","u":"/kr/datastore/ha","h":"#3-configure-the-fixed-registration-address","p":2674},{"i":2685,"t":"The same example command in Step 2 can be used to join additional server nodes, where the token from the first node needs to be used. If the first server node was started without the --token CLI flag or K3S_TOKEN variable, the token value can be retrieved from any server already joined to the cluster: cat /var/lib/rancher/k3s/server/token Additional server nodes can then be added using the token: curl -sfL https://get.k3s.io | sh -s - server \\ --token=SECRET \\ --datastore-endpoint=\"mysql://username:password@tcp(hostname:3306)/database-name\" There are a few config flags that must be the same in all server nodes: Network related flags: --cluster-dns, --cluster-domain, --cluster-cidr, --service-cidr Flags controlling the deployment of certain components: --disable-helm-controller, --disable-kube-proxy, --disable-network-policy and any component passed to --disable Feature related flags: --secrets-encryption 비고 Ensure that you retain a copy of this token as it is required when restoring from backup and adding nodes. Previously, K3s did not enforce the use of a token when using external SQL datastores.","s":"4. Optional: Join Additional Server Nodes","u":"/kr/datastore/ha","h":"#4-optional-join-additional-server-nodes","p":2674},{"i":2687,"t":"Because K3s server nodes are schedulable by default, the minimum number of nodes for an HA K3s server cluster is two server nodes and zero agent nodes. To add nodes designated to run your apps and services, join agent nodes to your cluster. Joining agent nodes in an HA cluster is the same as joining agent nodes in a single server cluster. You just need to specify the URL the agent should register to and the token it should use. K3S_TOKEN=SECRET k3s agent --server https://fixed-registration-address:6443","s":"5. Optional: Join Agent Nodes","u":"/kr/datastore/ha","h":"#5-optional-join-agent-nodes","p":2674},{"i":2689,"t":"warning Embedded etcd (HA) may have performance issues on slower disks such as Raspberry Pis running with SD cards.","s":"High Availability Embedded etcd","u":"/kr/datastore/ha-embedded","h":"","p":2688},{"i":2691,"t":"To run K3s in this mode, you must have an odd number of server nodes. We recommend starting with three nodes. To get started, first launch a server node with the cluster-init flag to enable clustering and a token that will be used as a shared secret to join additional servers to the cluster. curl -sfL https://get.k3s.io | K3S_TOKEN=SECRET sh -s - server --cluster-init After launching the first server, join the second and third servers to the cluster using the shared secret: curl -sfL https://get.k3s.io | K3S_TOKEN=SECRET sh -s - server --server https://:6443 Check to see that the second and third servers are now part of the cluster: $ kubectl get nodes NAME STATUS ROLES AGE VERSION server1 Ready control-plane,etcd,master 28m vX.Y.Z server2 Ready control-plane,etcd,master 13m vX.Y.Z Now you have a highly available control plane. Any successfully clustered servers can be used in the --server argument to join additional server and worker nodes. Joining additional worker nodes to the cluster follows the same procedure as a single server cluster. There are a few config flags that must be the same in all server nodes: Network related flags: --cluster-dns, --cluster-domain, --cluster-cidr, --service-cidr Flags controlling the deployment of certain components: --disable-helm-controller, --disable-kube-proxy, --disable-network-policy and any component passed to --disable Feature related flags: --secrets-encryption","s":"New cluster","u":"/kr/datastore/ha-embedded","h":"#new-cluster","p":2688},{"i":2693,"t":"If you have an existing cluster using the default embedded SQLite database, you can convert it to etcd by simply restarting your K3s server with the --cluster-init flag. Once you've done that, you'll be able to add additional instances as described above. If an etcd datastore is found on disk either because that node has either initialized or joined a cluster already, the datastore arguments (--cluster-init, --server, --datastore-endpoint, etc) are ignored. Important: K3s v1.22.2 and newer support migration from SQLite to etcd. Older versions will create a new empty datastore if you add --cluster-init to an existing server.","s":"Existing clusters","u":"/kr/datastore/ha-embedded","h":"#existing-clusters","p":2688},{"i":2695,"t":"This section describes how to install an external load balancer in front of a High Availability (HA) K3s cluster's server nodes. Two examples are provided: Nginx and HAProxy. 팁 External load-balancers should not be confused with the embedded ServiceLB, which is an embedded controller that allows for use of Kubernetes LoadBalancer Services without deploying a third-party load-balancer controller. For more details, see Service Load Balancer. External load-balancers can be used to provide a fixed registration address for registering nodes, or for external access to the Kubernetes API Server. For exposing LoadBalancer Services, external load-balancers can be used alongside or instead of ServiceLB, but in most cases, replacement load-balancer controllers such as MetalLB or Kube-VIP are a better choice.","s":"Cluster Load Balancer","u":"/kr/datastore/cluster-loadbalancer","h":"","p":2694},{"i":2697,"t":"All nodes in this example are running Ubuntu 20.04. For both examples, assume that a HA K3s cluster with embedded etcd has been installed on 3 nodes. Each k3s server is configured with: # /etc/rancher/k3s/config.yaml token: lb-cluster-gd tls-san: 10.10.10.100 The nodes have hostnames and IPs of: server-1: 10.10.10.50 server-2: 10.10.10.51 server-3: 10.10.10.52 Two additional nodes for load balancing are configured with hostnames and IPs of: lb-1: 10.10.10.98 lb-2: 10.10.10.99 Three additional nodes exist with hostnames and IPs of: agent-1: 10.10.10.101 agent-2: 10.10.10.102 agent-3: 10.10.10.103","s":"Prerequisites","u":"/kr/datastore/cluster-loadbalancer","h":"#prerequisites","p":2694},{"i":2699,"t":"HAProxy Nginx HAProxy is an open source option that provides a TCP load balancer. It also supports HA for the load balancer itself, ensuring redundancy at all levels. See HAProxy Documentation for more info. Additionally, we will use KeepAlived to generate a virtual IP (VIP) that will be used to access the cluster. See KeepAlived Documentation for more info. Install HAProxy and KeepAlived: sudo apt-get install haproxy keepalived Add the following to /etc/haproxy/haproxy.cfg on lb-1 and lb-2: frontend k3s-frontend bind *:6443 mode tcp option tcplog default_backend k3s-backend backend k3s-backend mode tcp option tcp-check balance roundrobin default-server inter 10s downinter 5s server server-1 10.10.10.50:6443 check server server-2 10.10.10.51:6443 check server server-3 10.10.10.52:6443 check Add the following to /etc/keepalived/keepalived.conf on lb-1 and lb-2: vrrp_script chk_haproxy { script 'killall -0 haproxy' # faster than pidof interval 2 } vrrp_instance haproxy-vip { interface eth1 state # MASTER on lb-1, BACKUP on lb-2 priority # 200 on lb-1, 100 on lb-2 virtual_router_id 51 virtual_ipaddress { 10.10.10.100/24 } track_script { chk_haproxy } } Restart HAProxy and KeepAlived on lb-1 and lb-2: systemctl restart haproxy systemctl restart keepalived On agent-1, agent-2, and agent-3, run the following command to install k3s and join the cluster: curl -sfL https://get.k3s.io | K3S_TOKEN=lb-cluster-gd sh -s - agent --server https://10.10.10.100:6443 You can now use kubectl from server node to interact with the cluster. root@server-1 $ k3s kubectl get nodes -A NAME STATUS ROLES AGE VERSION agent-1 Ready 32s v1.27.3+k3s1 agent-2 Ready 20s v1.27.3+k3s1 agent-3 Ready 9s v1.27.3+k3s1 server-1 Ready control-plane,etcd,master 4m22s v1.27.3+k3s1 server-2 Ready control-plane,etcd,master 3m58s v1.27.3+k3s1 server-3 Ready control-plane,etcd,master 3m12s v1.27.3+k3s1 Nginx Load Balancer​ 위험 Nginx does not natively support a High Availability (HA) configuration. If setting up an HA cluster, having a single load balancer in front of K3s will reintroduce a single point of failure. Nginx Open Source provides a TCP load balancer. See Using nginx as HTTP load balancer for more info. Create a nginx.conf file on lb-1 with the following contents: events {} stream { upstream k3s_servers { server 10.10.10.50:6443; server 10.10.10.51:6443; server 10.10.10.52:6443; } server { listen 6443; proxy_pass k3s_servers; } } Run the Nginx load balancer on lb-1: Using docker: docker run -d --restart unless-stopped \\ -v ${PWD}/nginx.conf:/etc/nginx/nginx.conf \\ -p 6443:6443 \\ nginx:stable Or install nginx and then run: cp nginx.conf /etc/nginx/nginx.conf systemctl start nginx On agent-1, agent-2, and agent-3, run the following command to install k3s and join the cluster: curl -sfL https://get.k3s.io | K3S_TOKEN=lb-cluster-gd sh -s - agent --server https://10.10.10.99:6443 You can now use kubectl from server node to interact with the cluster. root@server1 $ k3s kubectl get nodes -A NAME STATUS ROLES AGE VERSION agent-1 Ready 30s v1.27.3+k3s1 agent-2 Ready 22s v1.27.3+k3s1 agent-3 Ready 13s v1.27.3+k3s1 server-1 Ready control-plane,etcd,master 4m49s v1.27.3+k3s1 server-2 Ready control-plane,etcd,master 3m58s v1.27.3+k3s1 server-3 Ready control-plane,etcd,master 3m16s v1.27.3+k3s1","s":"Setup Load Balancer","u":"/kr/datastore/cluster-loadbalancer","h":"#setup-load-balancer","p":2694},{"i":2701,"t":"위험 Nginx does not natively support a High Availability (HA) configuration. If setting up an HA cluster, having a single load balancer in front of K3s will reintroduce a single point of failure. Nginx Open Source provides a TCP load balancer. See Using nginx as HTTP load balancer for more info. Create a nginx.conf file on lb-1 with the following contents: events {} stream { upstream k3s_servers { server 10.10.10.50:6443; server 10.10.10.51:6443; server 10.10.10.52:6443; } server { listen 6443; proxy_pass k3s_servers; } } Run the Nginx load balancer on lb-1: Using docker: docker run -d --restart unless-stopped \\ -v ${PWD}/nginx.conf:/etc/nginx/nginx.conf \\ -p 6443:6443 \\ nginx:stable Or install nginx and then run: cp nginx.conf /etc/nginx/nginx.conf systemctl start nginx On agent-1, agent-2, and agent-3, run the following command to install k3s and join the cluster: curl -sfL https://get.k3s.io | K3S_TOKEN=lb-cluster-gd sh -s - agent --server https://10.10.10.99:6443 You can now use kubectl from server node to interact with the cluster. root@server1 $ k3s kubectl get nodes -A NAME STATUS ROLES AGE VERSION agent-1 Ready 30s v1.27.3+k3s1 agent-2 Ready 22s v1.27.3+k3s1 agent-3 Ready 13s v1.27.3+k3s1 server-1 Ready control-plane,etcd,master 4m49s v1.27.3+k3s1 server-2 Ready control-plane,etcd,master 3m58s v1.27.3+k3s1 server-3 Ready control-plane,etcd,master 3m16s v1.27.3+k3s1","s":"Nginx Load Balancer","u":"/kr/datastore/cluster-loadbalancer","h":"#nginx-load-balancer","p":2694},{"i":2703,"t":"자주 묻는 질문은 주기적으로 업데이트되며, 사용자가 K3s에 대해 가장 자주 묻는 질문에 대한 답변으로 구성되어 있습니다.","s":"자주 묻는 질문","u":"/kr/faq","h":"","p":2702},{"i":2705,"t":"K3s는 CNCF 인증을 받은 Kubernetes 배포판으로, 표준 Kubernetes 클러스터에 필요한 모든 작업을 수행할 수 있습니다. 단지 더 가벼운 버전일 뿐입니다. 자세한 내용은 main 문서 페이지를 참조하세요.","s":"K3s가 Kubernetes를 대체하기에 적합한가요?","u":"/kr/faq","h":"#k3s가-kubernetes를-대체하기에-적합한가요","p":2702},{"i":2707,"t":"--disable=traefik으로 K3s 서버를 시작하고 인그레스를 배포하기만 하면 됩니다.","s":"Traefik 대신 자체 Ingress를 사용하려면 어떻게 해야 하나요?","u":"/kr/faq","h":"#traefik-대신-자체-ingress를-사용하려면-�어떻게-해야-하나요","p":2702},{"i":2709,"t":"현재 K3s는 기본적으로 Windows를 지원하지 않지만, 추후에 지원할 수 있습니다.","s":"K3s는 Windows를 지원하나요?","u":"/kr/faq","h":"#k3s는-windows를-지원하나요","p":2702},{"i":2711,"t":"K3s BUILDING.md에서 지침을 참조하시기 바랍니다.","s":"소스로부터 빌드하려면 어떻게 해야 하나요?","u":"/kr/faq","h":"#소스로부터-빌드하려면-어떻게-해야-하나요","p":2702},{"i":2713,"t":"K3s 로그의 위치는 K3s를 실행하는 방법과 노드의 OS에 따라 달라집니다. 명령줄에서 실행할 경우, 로그는 stdout과 stderr로 전송됩니다. openrc에서 실행하면 /var/log/k3s.log에 로그가 생성됩니다. Systemd에서 실행하는 경우, 로그는 저널널로 전송되며 journalctl -u k3s를 사용하여 볼 수 있습니다. 파드 로그는 /var/log/pods에서 확인할 수 있습니다. 컨테이너 로그는 /var/lib/rancher/k3s/agent/containerd/containerd.log에서 확인할 수 있습니다. K3s를 시작할 때 --debug 플래그(또는 환경설정 파일에서 debug: true)를 사용하면 더 자세한 로그를 생성할 수 있습니다. 쿠버네티스는 프로세스 내의 모든 컴포넌트에 대해 단일 로깅 구성을 사용하는 klog라는 로깅 프레임워크를 사용합니다. K3s는 단일 프로세스 내에서 모든 쿠버네티스 컴포넌트를 실행하기 때문에, 개별 쿠버네티스 컴포넌트에 대해 다른 로그 레벨이나 대상을 구성할 수 없습니다. -v=또는--vmodule== 컴포넌트 인수를 사용하면 원하는 효과를 얻지 못할 수 있습니다. 더 많은 로그 옵션은 추가 로깅 소스를 참조하세요.","s":"K3s 로그는 어디에 있나요?","u":"/kr/faq","h":"#k3s-로그는-어디에-있나요","p":2702},{"i":2715,"t":"예, Docker에서 K3s를 실행하는 방법은 여러 가지가 있습니다. 자세한 내용은 고급 옵션을 참조하세요.","s":"Docker에서 K3s를 실행할 수 있나요?","u":"/kr/faq","h":"#docker에서-k3s를-실행할-수-있나요","p":2702},{"i":2717,"t":"K3s 조인 토큰 관리에 대한 자세한 내용은 k3s token 명령어 설명서를 참조하세요.","s":"K3s 서버와 에이전트 토큰의 차이점은 무엇인가요?","u":"/kr/faq","h":"#k3s-서버와-에이전트-토큰의-차이점은-무엇인가요","p":2702},{"i":2719,"t":"일반적으로 쿠버네티스 버전 skew 정책이 적용됩니다. 즉, 서버가 에이전트보다 최신 버전일 수는 있지만 에이전트가 서버보다 최신 버전일 수는 없습니다.","s":"K3s의 다른 버전들은 얼마나 호환되나요?","u":"/kr/faq","h":"#k3s의-다른-버전들은-얼마나-호환되나요","p":2702},{"i":2721,"t":"K3s를 배포하는 데 문제가 있는 경우 다음과 같이 하세요: 알려진 문제 페이지를 확인하세요. 추가 OS 준비사항을 모두 해결했는지 확인합니다. k3s check-config를 실행하고 통과했는지 확인합니다. K3s 이슈 및 토론에서 문제와 일치하는 항목을 검색합니다. Rancher 슬랙 K3s 채널에 가입하여 도움을 받습니다. K3s 깃허브에 설정과 발생한 문제를 설명하는 새 이슈를 제출합니다.","s":"문제가 발생했는데 어디서 도움을 받을 수 있나요?","u":"/kr/faq","h":"#문제가-발생했는데-어디서-도움을-받을-수-있나요","p":2702},{"i":2723,"t":"This section contains instructions for installing K3s in various environments. Please ensure you have met the Requirements before you begin installing K3s. Configuration Options provides guidance on the options available to you when installing K3s. Private Registry Configuration covers use of registries.yaml to configure container image registry mirrors. Embedded Mirror shows how to enable the embedded distributed image registry mirror. Air-Gap Install details how to set up K3s in environments that do not have direct access to the Internet. Managing Server Roles details how to set up K3s with dedicated control-plane or etcd servers. Managing Packaged Components details how to disable packaged components, or install your own using auto-deploying manifests. Uninstalling K3s details how to remove K3s from a host.","s":"Installation","u":"/kr/installation","h":"","p":2722},{"i":2726,"t":"On server nodes, any file found in /var/lib/rancher/k3s/server/manifests will automatically be deployed to Kubernetes in a manner similar to kubectl apply, both on startup and when the file is changed on disk. Deleting files out of this directory will not delete the corresponding resources from the cluster. Manifests are tracked as AddOn custom resources in the kube-system namespace. Any errors or warnings encountered when applying the manifest file may seen by using kubectl describe on the corresponding AddOn, or by using kubectl get event -n kube-system to view all events for that namespace, including those from the deploy controller.","s":"Auto-Deploying Manifests (AddOns)","u":"/kr/installation/packaged-components","h":"#auto-deploying-manifests-addons","p":2724},{"i":2728,"t":"K3s comes with a number of packaged components that are deployed as AddOns via the manifests directory: coredns, traefik, local-storage, and metrics-server. The embedded servicelb LoadBalancer controller does not have a manifest file, but can be disabled as if it were an AddOn for historical reasons. Manifests for packaged components are managed by K3s, and should not be altered. The files are re-written to disk whenever K3s is started, in order to ensure their integrity.","s":"Packaged Components","u":"/kr/installation/packaged-components","h":"#packaged-components","p":2724},{"i":2730,"t":"You may place additional files in the manifests directory for deployment as an AddOn. Each file may contain multiple Kubernetes resources, delmited by the --- YAML document separator. For more information on organizing resources in manifests, see the Managing Resources section of the Kubernetes documentation. File Naming Requirements​ The AddOn name for each file in the manifest directory is derived from the file basename. Ensure that all files within the manifests directory (or within any subdirectories) have names that are unique, and adhere to Kubernetes object naming restrictions. Care should also be taken not to conflict with names in use by the default K3s packaged components, even if those components are disabled. Here is en example of an error that would be reported if the file name contains underscores: Failed to process config: failed to process /var/lib/rancher/k3s/server/manifests/example_manifest.yaml: Addon.k3s.cattle.io \"example_manifest\" is invalid: metadata.name: Invalid value: \"example_manifest\": a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*') 위험 If you have multiple server nodes, and place additional AddOn manifests on more than one server, it is your responsibility to ensure that files stay in sync across those nodes. K3s does not sync AddOn content between nodes, and cannot guarantee correct behavior if different servers attempt to deploy conflicting manifests.","s":"User AddOns","u":"/kr/installation/packaged-components","h":"#user-addons","p":2724},{"i":2732,"t":"There are two ways to disable deployment of specific content from the manifests directory.","s":"Disabling Manifests","u":"/kr/installation/packaged-components","h":"#disabling-manifests","p":2724},{"i":2734,"t":"The AddOns for packaged components listed above, in addition to AddOns for any additional manifests placed in the manifests directory, can be disabled with the --disable flag. Disabled AddOns are actively uninstalled from the cluster, and the source files deleted from the manifests directory. For example, to disable traefik from being installed on a new cluster, or to uninstall it and remove the manifest from an existing cluster, you can start K3s with --disable=traefik. Multiple items can be disabled by separating their names with commas, or by repeating the flag.","s":"Using the --disable flag","u":"/kr/installation/packaged-components","h":"#using-the---disable-flag","p":2724},{"i":2736,"t":"For any file under /var/lib/rancher/k3s/server/manifests, you can create a .skip file which will cause K3s to ignore the corresponding manifest. The contents of the .skip file do not matter, only its existence is checked. Note that creating a .skip file after an AddOn has already been created will not remove or otherwise modify it or the resources it created; the file is simply treated as if it did not exist. For example, creating an empty traefik.yaml.skip file in the manifests directory before K3s is started the first time, will cause K3s to skip deploying traefik.yaml: $ ls /var/lib/rancher/k3s/server/manifests ccm.yaml local-storage.yaml rolebindings.yaml traefik.yaml.skip coredns.yaml traefik.yaml $ kubectl get pods -A NAMESPACE NAME READY STATUS RESTARTS AGE kube-system local-path-provisioner-64ffb68fd-xx98j 1/1 Running 0 74s kube-system metrics-server-5489f84d5d-7zwkt 1/1 Running 0 74s kube-system coredns-85cb69466-vcq7j 1/1 Running 0 74s If Traefik had already been deployed prior to creating the traefik.skip file, Traefik would stay as-is, and would not be affected by future updates when K3s is upgraded.","s":"Using .skip files","u":"/kr/installation/packaged-components","h":"#using-skip-files","p":2724},{"i":2738,"t":"For information about managing Helm charts via auto-deploying manifests, refer to the section about Helm.","s":"Helm AddOns","u":"/kr/installation/packaged-components","h":"#helm-addons","p":2724},{"i":2740,"t":"This page focuses on the options that are commonly used when setting up K3s for the first time. Refer to the documentation on Advanced Options and Configuration and the server and agent command documentation for more in-depth coverage.","s":"Configuration Options","u":"/kr/installation/configuration","h":"","p":2739},{"i":2742,"t":"As mentioned in the Quick-Start Guide, you can use the installation script available at https://get.k3s.io to install K3s as a service on systemd and openrc based systems. You can use a combination of INSTALL_K3S_EXEC, K3S_ environment variables, and command flags to pass configuration to the service configuration. The prefixed environment variables, INSTALL_K3S_EXEC value, and trailing shell arguments are all persisted into the service configuration. After installation, configuration may be altered by editing the environment file, editing the service configuration, or simply re-running the installer with new options. To illustrate this, the following commands all result in the same behavior of registering a server without flannel and with a token: curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC=\"server\" sh -s - --flannel-backend none --token 12345 curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC=\"server --flannel-backend none\" K3S_TOKEN=12345 sh -s - curl -sfL https://get.k3s.io | K3S_TOKEN=12345 sh -s - server --flannel-backend none # server is assumed below because there is no K3S_URL curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC=\"--flannel-backend none --token 12345\" sh -s - curl -sfL https://get.k3s.io | sh -s - --flannel-backend none --token 12345 When registering an agent, the following commands all result in the same behavior: curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC=\"agent --server https://k3s.example.com --token mypassword\" sh -s - curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC=\"agent\" K3S_TOKEN=\"mypassword\" sh -s - --server https://k3s.example.com curl -sfL https://get.k3s.io | K3S_URL=https://k3s.example.com sh -s - agent --token mypassword curl -sfL https://get.k3s.io | K3S_URL=https://k3s.example.com K3S_TOKEN=mypassword sh -s - # agent is assumed because of K3S_URL For details on all environment variables, see Environment Variables. Note If you set configuration when running the install script, but do not set it again when re-running the install script, the original values will be lost. The contents of the configuration file are not managed by the install script. If you want your configuration to be independent from the install script, you should use a configuration file instead of passing environment variables or arguments to the install script.","s":"Configuration with install script","u":"/kr/installation/configuration","h":"#configuration-with-install-script","p":2739},{"i":2744,"t":"As stated, the installation script is primarily concerned with configuring K3s to run as a service. If you choose to not use the script, you can run K3s simply by downloading the binary from our release page, placing it on your path, and executing it. This is not particularly useful for permanent installations, but may be useful when performing quick tests that do not merit managing K3s as a system service. curl -Lo /usr/local/bin/k3s https://github.com/k3s-io/k3s/releases/download/v1.26.5+k3s1/k3s; chmod a+x /usr/local/bin/k3s You can pass configuration by setting K3S_ environment variables: K3S_KUBECONFIG_MODE=\"644\" k3s server Or command flags: k3s server --write-kubeconfig-mode=644 The k3s agent can also be configured this way: k3s agent --server https://k3s.example.com --token mypassword For details on configuring the K3s server, see the k3s server documentation. For details on configuring the K3s agent, see the k3s agent documentation. You can also use the --help flag to see a list of all available options, and their corresponding environment variables. Matching Flags It is important to match critical flags on your server nodes. For example, if you use the flag --disable servicelb or --cluster-cidr=10.200.0.0/16 on your master node, but don't set it on other server nodes, the nodes will fail to join. They will print errors such as: failed to validate server configuration: critical configuration value mismatch. See the Server Configuration documentation (linked above) for more information on which flags must be set identically on server nodes.","s":"Configuration with binary","u":"/kr/installation/configuration","h":"#configuration-with-binary","p":2739},{"i":2746,"t":"Version Gate Available as of v1.19.1+k3s1 In addition to configuring K3s with environment variables and CLI arguments, K3s can also use a config file. By default, values present in a YAML file located at /etc/rancher/k3s/config.yaml will be used on install. An example of a basic server config file is below: write-kubeconfig-mode: \"0644\" tls-san: - \"foo.local\" node-label: - \"foo=bar\" - \"something=amazing\" cluster-init: true This is equivalent to the following CLI arguments: k3s server \\ --write-kubeconfig-mode \"0644\" \\ --tls-san \"foo.local\" \\ --node-label \"foo=bar\" \\ --node-label \"something=amazing\" \\ --cluster-init In general, CLI arguments map to their respective YAML key, with repeatable CLI arguments being represented as YAML lists. Boolean flags are represented as true or false in the YAML file. It is also possible to use both a configuration file and CLI arguments. In these situations, values will be loaded from both sources, but CLI arguments will take precedence. For repeatable arguments such as --node-label, the CLI arguments will overwrite all values in the list. Finally, the location of the config file can be changed either through the CLI argument --config FILE, -c FILE, or the environment variable $K3S_CONFIG_FILE.","s":"Configuration File","u":"/kr/installation/configuration","h":"#configuration-file","p":2739},{"i":2748,"t":"Version Gate Available as of v1.21.0+k3s1 Multiple configuration files are supported. By default, configuration files are read from /etc/rancher/k3s/config.yaml and /etc/rancher/k3s/config.yaml.d/*.yaml in alphabetical order. By default, the last value found for a given key will be used. A + can be appended to the key to append the value to the existing string or slice, instead of replacing it. All occurrences of this key in subsequent files will also require a + to prevent overwriting the accumulated value. An example of multiple config files is below: # config.yaml token: boop node-label: - foo=bar - bar=baz # config.yaml.d/test1.yaml write-kubeconfig-mode: 600 node-taint: - alice=bob:NoExecute # config.yaml.d/test2.yaml write-kubeconfig-mode: 777 node-label: - other=what - foo=three node-taint+: - charlie=delta:NoSchedule This results in a final configuration of: write-kubeconfig-mode: 777 token: boop node-label: - other=what - foo=three node-taint: - alice=bob:NoExecute - charlie=delta:NoSchedule","s":"Multiple Config Files","u":"/kr/installation/configuration","h":"#multiple-config-files","p":2739},{"i":2750,"t":"All of the above options can be combined into a single example. A config.yaml file is created at /etc/rancher/k3s/config.yaml: token: \"secret\" debug: true Then the installation script is run with a combination of environment variables and flags: curl -sfL https://get.k3s.io | K3S_KUBECONFIG_MODE=\"644\" INSTALL_K3S_EXEC=\"server\" sh -s - --flannel-backend none Or if you have already installed the K3s Binary: K3S_KUBECONFIG_MODE=\"644\" k3s server --flannel-backend none This results in a server with: A kubeconfig file with permissions 644 Flannel backend set to none The token set to secret Debug logging enabled","s":"Putting it all together","u":"/kr/installation/configuration","h":"#putting-it-all-together","p":2739},{"i":2752,"t":"헬름(Helm)은 쿠버네티스를 위한 패키지 관리 도구입니다. 헬름 차트는 쿠버네티스 YAML 매니페스트 문서를 위한 템플릿 구문을 제공합니다. 개발자 또는 클러스터 관리자는 헬름을 사용하여 정적 매니페스트만 사용하는 대신 차트라는 구성 가능한 템플릿을 만들 수 있다. 자신만의 차트 카탈로그 생성에 대한 자세한 내용은 https://helm.sh/docs/intro/quickstart/에서 문서를 확인하세요. K3s는 헬름을 지원하기 위한 별도의 구성이 필요하지 않습니다. 다만, 클러스터 액세스 문서에 따라 kubeconfig 경로를 올바르게 설정했는지 확인하면 됩니다. K3s에는 헬름 차트의 설치, 업그레이드/재구성 및 제거를 관리하는 Helm Controller가 포함되어 있으며, 헬름 차트 커스텀 리소스 정의(CRD)를 사용하여 헬름 차트를 설치, 업그레이드/재구성 및 제거할 수 있습니다. 애드온 매니페스트 자동 배포](./installation/packaged-components.md)와 함께 사용하면 디스크에 단일 파일을 생성하여 클러스터에 헬름 차트를 설치하는 것을 자동화할 수 있습니다.","s":"헬름(Helm)","u":"/kr/helm","h":"","p":2751},{"i":2754,"t":"헬름 차트 커스텀 리소스는 일반적으로 helm 명령줄 도구에 전달할 대부분의 옵션을 담고 있습니다. 다음은 Bitnami 차트 저장소에서 아파치를 배포하여 기본 차트 값 중 일부를 재정의하는 방법에 대한 예제입니다. HelmChart 리소스 자체는 kube-system 네임스페이스에 있지만, 차트의 리소스는 동일한 매니페스트에 생성되는 web 네임스페이스에 배포된다는 점에 유의하세요. 이는 HelmChart 리소스를 배포하는 리소스와 분리하여 유지하려는 경우에 유용할 수 있습니다. apiVersion: v1 kind: Namespace metadata: name: web --- apiVersion: helm.cattle.io/v1 kind: HelmChart metadata: name: apache namespace: kube-system spec: repo: https://charts.bitnami.com/bitnami chart: apache targetNamespace: web valuesContent: |- service: type: ClusterIP ingress: enabled: true hostname: www.example.com metrics: enabled: true HelmChart 필드 정의​ 필드 기본값 설명 헬름 인수 / 플래그 상응값 metadata.name 헬름 차트 이름 NAME spec.chart 리포지토리에 있는 헬름 차트 이름 또는 차트 아카이브(.tgz)에 대한 전체 HTTPS URL CHART spec.targetNamespace default 헬름 차트 대상 네임스페이스 --namespace spec.version 헬름 차트 버전(리포지토리에서 설치하는 경우) --version spec.repo 헬름 차트 리포지토리 URL --repo spec.repoCA HTTPS 사용 서버의 인증서를 지정 --ca-file spec.helmVersion v3 사용할 헬름 버전 (v2 혹은 v3) spec.bootstrap False 클러스터(클라우드 컨트롤러 관리자 등)를 부트스트랩하는 데 이 차트가 필요한 경우 True로 설정합니다. spec.set 간단한 기본 차트 값을 재정의합니다. 값을 통해 설정된 옵션보다 우선합니다. --set / --set-string spec.jobImage 헬름 차트를 설치할 때 사용할 이미지를 지정합니다. 예시. rancher/klipper-helm:v0.3.0 . spec.timeout 300 헬름 작업 시간 초과(초) --timeout spec.failurePolicy reinstall abort로 설정하면 헬름 작업이 중단되고 운영자의 수동 개입이 있을 때까지 중단된다. spec.valuesContent YAML 파일 콘텐츠를 통해 복잡한 기본 차트 값 재정의 --values spec.chartContent Base64로 인코딩된 차트 아카이브 .tgz - spec.chart를 재정의합니다. CHART /var/lib/rancher/k3s/server/static/에 위치한 콘텐츠는 클러스터 내에서 쿠버네티스 APIServer를 통해 익명으로 액세스할 수 있습니다. 이 URL은 spec.chart 필드에 있는 특수 변수 %{KUBERNETES_API}%를 사용하여 템플릿화할 수 있습니다. 예를 들어, 패키지화된 Traefik 컴포넌트는 https://%{KUBERNETES_API}%/static/charts/traefik-12.0.000.tgz에서 해당 차트를 로드합니다. 비고 name 필드는 헬름 차트 명명 규칙을 따라야 합니다. 자세한 내용은 헬름 베스트 프랙티스 문서를 참고하세요.","s":"헬름 컨트롤러 사용하기","u":"/kr/helm","h":"#헬름-컨트롤러-사용하기","p":2751},{"i":2756,"t":"Version Gate v1.19.1+k3s1 부터 사용 가능 HelmChart로 배포되는 패키지 컴포넌트(예로 Traefik)의 값을 재정의할 수 있도록, K3s는 HelmChartConfig 리소스를 통해 배포를 사용자 정의할 수 있도록 지원합니다. HelmChartConfig 리소스는 해당 HelmChart의 이름과 네임스페이스와 일치해야 하며, 추가 값 파일로 helm 명령에 전달되는 valuesContent를 추가로 제공할 수 있도록 지원합니다. 비고 HelmChart spec.set 값은 HelmChart 및 HelmChartConfig spec.valuesContent 설정을 재정의합니다. 예를 들어, 패키징된 트래픽 인그레스 구성을 사용자 정의하려면 /var/lib/rancher/k3s/server/manifests/traefik-config.yaml이라는 파일을 생성하고 다음 내용으로 채우면 됩니다: apiVersion: helm.cattle.io/v1 kind: HelmChartConfig metadata: name: traefik namespace: kube-system spec: valuesContent: |- image: name: traefik tag: v2.8.5 forwardedHeaders: enabled: true trustedIPs: - 10.0.0.0/8 ssl: enabled: true permanentRedirect: false","s":"HelmChartConfig로 패키지 컴포넌트 커스터마이징하기","u":"/kr/helm","h":"#helmchartconfig로-패키지-컴포넌트-커스터마이징하기","p":2751},{"i":2758,"t":"Version Gate v1.17.v1.17.0+k3s.1부터 헬름 v3가 기본적으로 지원 및 사용됩니다. K3s는 헬름 v2 또는 헬름 v3를 처리할 수 있습니다. 헬름 v3로 마이그레이션하려는 경우, 이 헬름 블로그 게시물에서 플러그인을 사용하여 성공적으로 마이그레이션하는 방법을 설명합니다. 자세한 내용은 헬름 3 공식 문서 여기를 참고하세요. 클러스터 접근에 대한 섹션에 따라 kubeconfig를 올바르게 설정했는지 확인하세요. 비고 헬름 3에서는 더 이상 Tiller와 helm init 명령이 필요하지 않습니다. 자세한 내용은 공식 문서를 참고하세요.","s":"헬름 버전 2에서 마이그레이션하기","u":"/kr/helm","h":"#헬름-버전-2에서-마이그레이션하기","p":2751},{"i":2760,"t":"You can install K3s in an air-gapped environment using two different methods. An air-gapped environment is any environment that is not directly connected to the Internet. You can either deploy a private registry and mirror docker.io, or you can manually deploy images such as for small clusters.","s":"Air-Gap Install","u":"/kr/installation/airgap","h":"","p":2759},{"i":2763,"t":"These steps assume you have already created nodes in your air-gap environment, are using the bundled containerd as the container runtime, and have a OCI-compliant private registry available in your environment. If you have not yet set up a private Docker registry, refer to the official Registry documentation. Create the Registry YAML and Push Images​ Obtain the images archive for your architecture from the releases page for the version of K3s you will be running. Use docker image load k3s-airgap-images-amd64.tar.zst to import images from the tar file into docker. Use docker tag and docker push to retag and push the loaded images to your private registry. Follow the Private Registry Configuration guide to create and configure the registries.yaml file. Proceed to the Install K3s section below.","s":"Private Registry Method","u":"/kr/installation/airgap","h":"#private-registry-method","p":2759},{"i":2765,"t":"These steps assume you have already created nodes in your air-gap environment, are using the bundled containerd as the container runtime, and cannot or do not want to use a private registry. This method requires you to manually deploy the necessary images to each node, and is appropriate for edge deployments where running a private registry is not practical. Prepare the Images Directory and Airgap Image Tarball​ Obtain the images archive for your architecture from the releases page for the version of K3s you will be running. Download the images archive to the agent's images directory, for example: sudo mkdir -p /var/lib/rancher/k3s/agent/images/ sudo curl -L -O /var/lib/rancher/k3s/agent/images/k3s-airgap-images-amd64.tar.zst https://github.com/k3s-io/k3s/releases/download/v1.29.1-rc2%2Bk3s1/k3s-airgap-images-amd64.tar.zst Proceed to the Install K3s section below.","s":"Manually Deploy Images Method","u":"/kr/installation/airgap","h":"#manually-deploy-images-method","p":2759},{"i":2767,"t":"Version Gate The Embedded Registry Mirror is available as an experimental feature as of January 2024 releases: v1.26.13+k3s1, v1.27.10+k3s1, v1.28.6+k3s1, v1.29.1+k3s1 K3s includes an embedded distributed OCI-compliant registry mirror. When enabled and properly configured, images available in the containerd image store on any node can be pulled by other cluster members without access to an external image registry. The mirrored images may be sourced from an upstream registry, registry mirror, or airgap image tarball. For more information on enabling the embedded distributed registry mirror, see the Embedded Registry Mirror documentation.","s":"Embedded Registry Mirror","u":"/kr/installation/airgap","h":"#embedded-registry-mirror","p":2759},{"i":2770,"t":"Before installing K3s, complete the Private Registry Method or the Manually Deploy Images Method above to prepopulate the images that K3s needs to install. Binaries​ Download the K3s binary from the releases page, matching the same version used to get the airgap images. Place the binary in /usr/local/bin on each air-gapped node and ensure it is executable. Download the K3s install script at get.k3s.io. Place the install script anywhere on each air-gapped node, and name it install.sh. Default Network Route​ If your nodes do not have an interface with a default route, a default route must be configured; even a black-hole route via a dummy interface will suffice. K3s requires a default route in order to auto-detect the node's primary IP, and for kube-proxy ClusterIP routing to function properly. To add a dummy route, do the following: ip link add dummy0 type dummy ip link set dummy0 up ip addr add 203.0.113.254/31 dev dummy0 ip route add default via 203.0.113.255 dev dummy0 metric 1000 When running the K3s script with the INSTALL_K3S_SKIP_DOWNLOAD environment variable, K3s will use the local version of the script and binary. SELinux RPM​ If you intend to deploy K3s with SELinux enabled, you will need also install the appropriate k3s-selinux RPM on all nodes. The latest version of the RPM can be found here. For example, on CentOS 8: On internet accessible machine: curl -LO https://github.com/k3s-io/k3s-selinux/releases/download/v1.4.stable.1/k3s-selinux-1.4-1.el8.noarch.rpm # Transfer RPM to air-gapped machine On air-gapped machine: sudo yum install ./k3s-selinux-1.4-1.el8.noarch.rpm See the SELinux section for more information.","s":"Prerequisites","u":"/kr/installation/airgap","h":"#prerequisites","p":2759},{"i":2772,"t":"You can install K3s on one or more servers as described below. Single Server Configuration High Availability Configuration To install K3s on a single server, simply do the following on the server node: INSTALL_K3S_SKIP_DOWNLOAD=true ./install.sh To add additional agents, do the following on each agent node: INSTALL_K3S_SKIP_DOWNLOAD=true K3S_URL=https://:6443 K3S_TOKEN= ./install.sh 비고 The token from the server is typically found at /var/lib/rancher/k3s/server/token. Reference the High Availability with an External DB or High Availability with Embedded DB guides. You will be tweaking install commands so you specify INSTALL_K3S_SKIP_DOWNLOAD=true and run your install script locally instead of via curl. You will also utilize INSTALL_K3S_EXEC='args' to supply any arguments to k3s. For example, step two of the High Availability with an External DB guide mentions the following: curl -sfL https://get.k3s.io | sh -s - server \\ --token=SECRET \\ --datastore-endpoint=\"mysql://username:password@tcp(hostname:3306)/database-name\" Instead, you would modify such examples like below: INSTALL_K3S_SKIP_DOWNLOAD=true INSTALL_K3S_EXEC='server --token=SECRET' \\ K3S_DATASTORE_ENDPOINT='mysql://username:password@tcp(hostname:3306)/database-name' \\ ./install.sh 비고 K3s's --resolv-conf flag is passed through to the kubelet, which may help with configuring pod DNS resolution in air-gap networks where the host does not have upstream nameservers configured.","s":"Installing K3s in an Air-Gapped Environment","u":"/kr/installation/airgap","h":"#installing-k3s-in-an-air-gapped-environment","p":2759},{"i":2775,"t":"Upgrading an air-gap environment can be accomplished in the following manner: Download the new air-gap images (tar file) from the releases page for the version of K3s you will be upgrading to. Place the tar in the /var/lib/rancher/k3s/agent/images/ directory on each node. Delete the old tar file. Copy and replace the old K3s binary in /usr/local/bin on each node. Copy over the install script at https://get.k3s.io (as it is possible it has changed since the last release). Run the script again just as you had done in the past with the same environment variables. Restart the K3s service (if not restarted automatically by installer).","s":"Install Script Method","u":"/kr/installation/airgap","h":"#install-script-method","p":2759},{"i":2777,"t":"K3s supports automated upgrades. To enable this in air-gapped environments, you must ensure the required images are available in your private registry. You will need the version of rancher/k3s-upgrade that corresponds to the version of K3s you intend to upgrade to. Note, the image tag replaces the + in the K3s release with a - because Docker images do not support +. You will also need the versions of system-upgrade-controller and kubectl that are specified in the system-upgrade-controller manifest YAML that you will deploy. Check for the latest release of the system-upgrade-controller here and download the system-upgrade-controller.yaml to determine the versions you need to push to your private registry. For example, in release v0.4.0 of the system-upgrade-controller, these images are specified in the manifest YAML: rancher/system-upgrade-controller:v0.4.0 rancher/kubectl:v0.17.0 Once you have added the necessary rancher/k3s-upgrade, rancher/system-upgrade-controller, and rancher/kubectl images to your private registry, follow the automated upgrades guide.","s":"Automated Upgrades Method","u":"/kr/installation/airgap","h":"#automated-upgrades-method","p":2759},{"i":2779,"t":"Version Gate The Embedded Registry Mirror is available as an experimental feature as of January 2024 releases: v1.26.13+k3s1, v1.27.10+k3s1, v1.28.6+k3s1, v1.29.1+k3s1 K3s embeds Spegel, a stateless distributed OCI registry mirror that allows peer-to-peer sharing of container images between nodes in a Kubernetes cluster. The distributed registry mirror is disabled by default.","s":"Embedded Registry Mirror","u":"/kr/installation/registry-mirror","h":"","p":2778},{"i":2781,"t":"In order to enable the embedded registry mirror, server nodes must be started with the --embedded-registry flag, or with embedded-registry: true in the configuration file. This option enables the embedded mirror for use on all nodes in the cluster. When enabled at a cluster level, all nodes will host a local OCI registry on port 6443, and publish a list of available images via a peer to peer network on port 5001. Any image available in the containerd image store on any node, can be pulled by other cluster members without access to an external registry. Images imported via air-gap image tar files are pinned in containerd to ensure that they remain available and are not pruned by Kubelet garbage collection.","s":"Enabling The Distributed OCI Registry Mirror","u":"/kr/installation/registry-mirror","h":"#enabling-the-distributed-oci-registry-mirror","p":2778},{"i":2783,"t":"When the embedded registry mirror is enabled, all nodes must be able to reach each other via their internal IP addresses, on TCP ports 5001 and 6443. If nodes cannot reach each other, it may take longer for images to be pulled, as the distributed registry will be tried first by containerd, before it falls back to other endpoints.","s":"Requirements","u":"/kr/installation/registry-mirror","h":"#requirements","p":2778},{"i":2785,"t":"Enabling mirroring for a registry allows a node to both pull images from that registry from other nodes, and share the registry's images with other nodes. If a registry is enabled for mirroring on some nodes, but not on others, only the nodes with the registry enabled will exchange images from that registry. In order to enable mirroring of images from an upstream container registry, nodes must have an entry in the mirrors section of registries.yaml for that registry. The registry does not need to have any endpoints listed, it just needs to be present. For example, to enable distributed mirroring of images from docker.io and registry.k8s.io, configure registries.yaml with the following content on all cluster nodes: mirrors: docker.io: registry.k8s.io: Endpoints for registry mirrors may also be added as usual. In the following configuration, images pull attempts will first try the embedded mirror, then mirror.example.com, then finally docker.io: mirrors: docker.io: endpoint: - https://mirror.example.com If you are using a private registry directly, instead of as a mirror for an upstream registry, you may enable distributed mirroring in the same way public registries are enabled - by listing it in the mirrors section: mirrors: mirror.example.com: If no registries are enabled for mirroring on a node, that node does not participate in the distributed registry in any capacity. For more information on the structure of the registries.yaml file, see Private Registry Configuration.","s":"Enabling Registry Mirroring","u":"/kr/installation/registry-mirror","h":"#enabling-registry-mirroring","p":2778},{"i":2787,"t":"By default, containerd will fall back to the default endpoint when pulling from registries with mirror endpoints configured. If you want to disable this, and only pull images from the configured mirrors and/or the embedded mirror, see the Default Endpoint Fallback section of the Private Registry Configuration documentation. Note that if you are using the --disable-default-endpoint option and want to allow pulling directly from a particular registry, while disallowing the rest, you can explicitly provide an endpoint in order to allow the image pull to fall back to the registry itself: mirrors: docker.io: # no default endpoint, pulls will fail if not available on a node registry.k8s.io: # no default endpoint, pulls will fail if not available on a node mirror.example.com: # explicit default endpoint, can pull from upstream if not available on a node endpoint: - https://mirror.example.com","s":"Default Endpoint Fallback","u":"/kr/installation/registry-mirror","h":"#default-endpoint-fallback","p":2778},{"i":2790,"t":"Access to the embedded mirror's registry API requires a valid client certificate, signed by the cluster's client certificate authority. Access to the distributed hash table's peer-to-peer network requires a preshared key that is controlled by server nodes. Nodes authenticate each other using both the preshared key, and a certificate signed by the cluster certificate authority.","s":"Authentication","u":"/kr/installation/registry-mirror","h":"#authentication","p":2778},{"i":2792,"t":"warning The distributed registry is built on peer-to-peer principles, and assumes an equal level of privilege and trust between all cluster members. If this does not match your cluster's security posture, you should not enable the embedded distributed registry. The embedded registry may make available images that a node may not otherwise have access to. For example, if some of your images are pulled from a registry, project, or repository that requires authentication via Kubernetes Image Pull Secrets, or credentials in registries.yaml, the distributed registry will allow other nodes to share those images without providing any credentials to the upstream registry. Users with access to push images into the containerd image store on one node may be able to use this to 'poison' the image for other cluster nodes, as other nodes will trust the tag advertised by the node, and use it without checking with the upstream registry. If image integrity is important, you should use image digests instead of tags, as the digest cannot be poisoned in this manner.","s":"Potential Concerns","u":"/kr/installation/registry-mirror","h":"#potential-concerns","p":2778},{"i":2794,"t":"Images sharing is controlled based on the source registry. Images loaded directly into containerd via air-gap tarballs, or loaded directly into containerd's image store using the ctr command line tool, will be shared between nodes if they are tagged as being from a registry that is enabled for mirroring. Note that the upstream registry that the images appear to come from does not actually have to exist or be reachable. For example, you could tag images as being from a fictitious upstream registry, and import those images into containerd's image store. You would then be able to pull those images from all cluster members, as long as that registry is listed in registries.yaml","s":"Sharing Air-gap or Manually Loaded Images","u":"/kr/installation/registry-mirror","h":"#sharing-air-gap-or-manually-loaded-images","p":2778},{"i":2796,"t":"The embedded registry is read-only, and cannot be pushed to directly using docker push or other common tools that interact with OCI registries. Images can be manually made available via the embedded registry by running ctr -n k8s.io image pull to pull an image, or by loading image archives via the ctr -n k8s.io import or ctr -n k8s.io load commands. Note that the k8s.io namespace must be specified when managing images via ctr in order for them to be visible to the kubelet.","s":"Pushing Images","u":"/kr/installation/registry-mirror","h":"#pushing-images","p":2778},{"i":2798,"t":"Starting the K3s server with --cluster-init will run all control-plane components, including the apiserver, controller-manager, scheduler, and etcd. It is possible to disable specific components in order to split the control-plane and etcd roles on to separate nodes. 정보 This document is only relevant when using embedded etcd. When not using embedded etcd, all servers will have the control-plane role and run control-plane components.","s":"Managing Server Roles","u":"/kr/installation/server-roles","h":"","p":2797},{"i":2800,"t":"To create a server with only the etcd role, start K3s with all the control-plane components disabled: curl -fL https://get.k3s.io | sh -s - server --cluster-init --disable-apiserver --disable-controller-manager --disable-scheduler This first node will start etcd, and wait for additional etcd and/or control-plane nodes to join. The cluster will not be usable until you join an additional server with the control-plane components enabled.","s":"Dedicated etcd Nodes","u":"/kr/installation/server-roles","h":"#dedicated-etcd-nodes","p":2797},{"i":2802,"t":"비고 A dedicated control-plane node cannot be the first server in the cluster; there must be an existing node with the etcd role before joining dedicated control-plane nodes. To create a server with only the control-plane role, start k3s with etcd disabled: curl -fL https://get.k3s.io | sh -s - server --token --disable-etcd --server https://:6443 After creating dedicated server nodes, the selected roles will be visible in kubectl get node: $ kubectl get nodes NAME STATUS ROLES AGE VERSION k3s-server-1 Ready etcd 5h39m v1.20.4+k3s1 k3s-server-2 Ready control-plane,master 5h39m v1.20.4+k3s1","s":"Dedicated control-plane Nodes","u":"/kr/installation/server-roles","h":"#dedicated-control-plane-nodes","p":2797},{"i":2804,"t":"Roles can be added to existing dedicated nodes by restarting K3s with the disable flags removed. For example ,if you want to add the control-plane role to a dedicated etcd node, you can remove the --disable-apiserver --disable-controller-manager --disable-scheduler flags from the systemd unit or config file, and restart the service.","s":"Adding Roles To Existing Servers","u":"/kr/installation/server-roles","h":"#adding-roles-to-existing-servers","p":2797},{"i":2806,"t":"As with all other CLI flags, you can use the Configuration File to disable components, instead of passing the options as CLI flags. For example, to create a dedicated etcd node, you can place the following values in /etc/rancher/k3s/config.yaml: cluster-init: true disable-apiserver: true disable-controller-manager: true disable-scheduler: true","s":"Configuration File Syntax","u":"/kr/installation/server-roles","h":"#configuration-file-syntax","p":2797},{"i":2808,"t":"K3s is very lightweight, but has some minimum requirements as outlined below. Whether you're configuring K3s to run in a container or as a native Linux service, each node running K3s should meet the following minimum requirements. These requirements are baseline for K3s and its packaged components, and do not include resources consumed by the workload itself.","s":"Requirements","u":"/kr/installation/requirements","h":"","p":2807},{"i":2810,"t":"Two nodes cannot have the same hostname. If multiple nodes will have the same hostname, or if hostnames may be reused by an automated provisioning system, use the --with-node-id option to append a random suffix for each node, or devise a unique name to pass with --node-name or $K3S_NODE_NAME for each node you add to the cluster.","s":"Prerequisites","u":"/kr/installation/requirements","h":"#prerequisites","p":2807},{"i":2812,"t":"K3s is available for the following architectures: x86_64 armhf arm64/aarch64 s390x ARM64 Page Size Prior to May 2023 releases (v1.24.14+k3s1, v1.25.10+k3s1, v1.26.5+k3s1, v1.27.2+k3s1), on aarch64/arm64 systems, the kernel must use 4k pages. RHEL9, Ubuntu, Raspberry PI OS, and SLES all meet this requirement.","s":"Architecture","u":"/kr/installation/requirements","h":"#architecture","p":2807},{"i":2814,"t":"K3s is expected to work on most modern Linux systems. Some OSs have additional setup requirements: Red Hat Enterprise Linux / CentOS / Fedora Ubuntu / Debian Raspberry Pi It is recommended to turn off firewalld: systemctl disable firewalld --now If you wish to keep firewalld enabled, by default, the following rules are required: firewall-cmd --permanent --add-port=6443/tcp #apiserver firewall-cmd --permanent --zone=trusted --add-source=10.42.0.0/16 #pods firewall-cmd --permanent --zone=trusted --add-source=10.43.0.0/16 #services firewall-cmd --reload Additional ports may need to be opened depending on your setup. See Inbound Rules for more information. If you change the default CIDR for pods or services, you will need to update the firewall rules accordingly. If enabled, it is required to disable nm-cloud-setup and reboot the node: systemctl disable nm-cloud-setup.service nm-cloud-setup.timer reboot Older Debian release may suffer from a known iptables bug. See Known Issues. It is recommended to turn off ufw (uncomplicated firewall): ufw disable If you wish to keep ufw enabled, by default, the following rules are required: ufw allow 6443/tcp #apiserver ufw allow from 10.42.0.0/16 to any #pods ufw allow from 10.43.0.0/16 to any #services Additional ports may need to be opened depending on your setup. See Inbound Rules for more information. If you change the default CIDR for pods or services, you will need to update the firewall rules accordingly. Raspberry Pi OS is Debian based, and may suffer from a known iptables bug. See Known Issues. Standard Raspberry Pi OS installations do not start with cgroups enabled. K3S needs cgroups to start the systemd service. cgroupscan be enabled by appending cgroup_memory=1 cgroup_enable=memory to /boot/cmdline.txt. Example cmdline.txt: console=serial0,115200 console=tty1 root=PARTUUID=58b06195-02 rootfstype=ext4 elevator=deadline fsck.repair=yes rootwait cgroup_memory=1 cgroup_enable=memory Starting with Ubuntu 21.10, vxlan support on Raspberry Pi has been moved into a separate kernel module. sudo apt install linux-modules-extra-raspi For more information on which OSs were tested with Rancher managed K3s clusters, refer to the Rancher support and maintenance terms.","s":"Operating Systems","u":"/kr/installation/requirements","h":"#operating-systems","p":2807},{"i":2816,"t":"Hardware requirements scale based on the size of your deployments. Minimum recommendations are outlined here. Spec Minimum Recommended CPU 1 core 2 cores RAM 512 MB 1 GB Resource Profiling captures the results of tests to determine minimum resource requirements for the K3s agent, the K3s server with a workload, and the K3s server with one agent. It also contains analysis about what has the biggest impact on K3s server and agent utilization, and how the cluster datastore can be protected from interference from agents and workloads. Raspberry Pi and embedded etcd If deploying K3s with embedded etcd on a Raspberry Pi, it is recommended that you use an external SSD. etcd is write intensive, and SD cards cannot handle the IO load. Disks​ K3s performance depends on the performance of the database. To ensure optimal speed, we recommend using an SSD when possible. Disk performance will vary on ARM devices utilizing an SD card or eMMC.","s":"Hardware","u":"/kr/installation/requirements","h":"#hardware","p":2807},{"i":2818,"t":"The K3s server needs port 6443 to be accessible by all nodes. The nodes need to be able to reach other nodes over UDP port 8472 when using the Flannel VXLAN backend, or over UDP port 51820 (and 51821 if IPv6 is used) when using the Flannel WireGuard backend. The node should not listen on any other port. K3s uses reverse tunneling such that the nodes make outbound connections to the server and all kubelet traffic runs through that tunnel. However, if you do not use Flannel and provide your own custom CNI, then the ports needed by Flannel are not needed by K3s. If you wish to utilize the metrics server, all nodes must be accessible to each other on port 10250. If you plan on achieving high availability with embedded etcd, server nodes must be accessible to each other on ports 2379 and 2380. Important The VXLAN port on nodes should not be exposed to the world as it opens up your cluster network to be accessed by anyone. Run your nodes behind a firewall/security group that disables access to port 8472. 위험 Flannel relies on the Bridge CNI plugin to create a L2 network that switches traffic. Rogue pods with NET_RAW capabilities can abuse that L2 network to launch attacks such as ARP spoofing. Therefore, as documented in the Kubernetes docs, please set a restricted profile that disables NET_RAW on non-trustable pods.","s":"Networking","u":"/kr/installation/requirements","h":"#networking","p":2807},{"i":2820,"t":"Protocol Port Source Destination Description TCP 2379-2380 Servers Servers Required only for HA with embedded etcd TCP 6443 Agents Servers K3s supervisor and Kubernetes API Server UDP 8472 All nodes All nodes Required only for Flannel VXLAN TCP 10250 All nodes All nodes Kubelet metrics UDP 51820 All nodes All nodes Required only for Flannel Wireguard with IPv4 UDP 51821 All nodes All nodes Required only for Flannel Wireguard with IPv6 TCP 5001 All nodes All nodes Required only for embedded distributed registry (Spegel) TCP 6443 All nodes All nodes Required only for embedded distributed registry (Spegel) Typically, all outbound traffic is allowed. Additional changes to the firewall may be required depending on the OS used.","s":"Inbound Rules for K3s Nodes","u":"/kr/installation/requirements","h":"#inbound-rules-for-k3s-nodes","p":2807},{"i":2822,"t":"Hardware requirements are based on the size of your K3s cluster. For production and large clusters, we recommend using a high-availability setup with an external database. The following options are recommended for the external database in production: MySQL PostgreSQL etcd","s":"Large Clusters","u":"/kr/installation/requirements","h":"#large-clusters","p":2807},{"i":2824,"t":"The following are the minimum CPU and memory requirements for nodes in a high-availability K3s server: Deployment Size Nodes VCPUS RAM Small Up to 10 2 4 GB Medium Up to 100 4 8 GB Large Up to 250 8 16 GB X-Large Up to 500 16 32 GB XX-Large 500+ 32 64 GB","s":"CPU and Memory","u":"/kr/installation/requirements","h":"#cpu-and-memory","p":2807},{"i":2826,"t":"The cluster performance depends on database performance. To ensure optimal speed, we recommend always using SSD disks to back your K3s cluster. On cloud providers, you will also want to use the minimum size that allows the maximum IOPS.","s":"Disks","u":"/kr/installation/requirements","h":"#disks-1","p":2807},{"i":2828,"t":"You should consider increasing the subnet size for the cluster CIDR so that you don't run out of IPs for the pods. You can do that by passing the --cluster-cidr option to K3s server upon starting.","s":"Network","u":"/kr/installation/requirements","h":"#network","p":2807},{"i":2830,"t":"K3s supports different databases including MySQL, PostgreSQL, MariaDB, and etcd. See Cluster Datastore for more info. The following is a sizing guide for the database resources you need to run large clusters: Deployment Size Nodes VCPUS RAM Small Up to 10 1 2 GB Medium Up to 100 2 8 GB Large Up to 250 4 16 GB X-Large Up to 500 8 32 GB XX-Large 500+ 16 64 GB","s":"Database","u":"/kr/installation/requirements","h":"#database","p":2807},{"i":2832,"t":"Containerd can be configured to connect to private registries and use them to pull images as needed by the kubelet. Upon startup, K3s will check to see if /etc/rancher/k3s/registries.yaml exists. If so, the registry configuration contained in this file is used when generating the containerd configuration. If you want to use a private registry as a mirror for a public registry such as docker.io, then you will need to configure registries.yaml on each node that you want to use the mirror. If your private registry requires authentication, uses custom TLS certificates, or does not use TLS, you will need to configure registries.yaml on each node that will pull images from your registry. Note that server nodes are schedulable by default. If you have not tainted the server nodes and will be running workloads on them, please ensure you also create the registries.yaml file on each server as well.","s":"Private Registry Configuration","u":"/kr/installation/private-registry","h":"","p":2831},{"i":2834,"t":"Containerd has an implicit \"default endpoint\" for all registries. The default endpoint is always tried as a last resort, even if there are other endpoints listed for that registry in registries.yaml. For example, when pulling registry.example.com:5000/rancher/mirrored-pause:3.6, containerd will use a default endpoint of https://registry.example.com:5000/v2. The default endpoint for docker.io is https://index.docker.io/v2. The default endpoint for all other registries is https:///v2, where is the registry hostname and optional port. In order to be recognized as a registry, the first component of the image name must contain at least one period or colon. For historical reasons, images without a registry specified in their name are implicitly identified as being from docker.io. Version Gate The --disable-default-registry-endpoint option is available as an experimental feature as of January 2024 releases: v1.26.13+k3s1, v1.27.10+k3s1, v1.28.6+k3s1, v1.29.1+k3s1 Nodes may be started with the --disable-default-registry-endpoint option. When this is set, containerd will not fall back to the default registry endpoint, and will only pull from configured mirror endpoints, along with the distributed registry if it is enabled. This may be desired if your cluster is in a true air-gapped environment where the upstream registry is not available, or if you wish to have only some nodes pull from the upstream registry. Disabling the default registry endpoint applies only to registries configured via registries.yaml. If the registry is not explicitly configured via mirror entry in registries.yaml, the default fallback behavior will still be used.","s":"Default Endpoint Fallback","u":"/kr/installation/private-registry","h":"#default-endpoint-fallback","p":2831},{"i":2836,"t":"The file consists of two top-level keys, with subkeys for each registry: mirrors: : endpoint: - https:///v2 configs: : auth: username: password: token: tls: ca_file: cert_file: key_file: insecure_skip_verify: ","s":"Registries Configuration File","u":"/kr/installation/private-registry","h":"#registries-configuration-file","p":2831},{"i":2838,"t":"The mirrors section defines the names and endpoints of registries, for example: mirrors: registry.example.com: endpoint: - \"https://registry.example.com:5000\" Each mirror must have a name and set of endpoints. When pulling an image from a registry, containerd will try these endpoint URLs, plus the default endpoint, and use the first working one. Redirects​ If the private registry is used as a mirror for another registry, such as when configuring a pull through cache, images pulls are transparently redirected to the listed endpoints. The original registry name is passed to the mirror endpoint via the ns query parameter. For example, if you have a mirror configured for docker.io: mirrors: docker.io: endpoint: - \"https://registry.example.com:5000\" Then pulling docker.io/rancher/mirrored-pause:3.6 will transparently pull the image as registry.example.com:5000/rancher/mirrored-pause:3.6. Rewrites​ Each mirror can have a set of rewrites. Rewrites can change the name of an image based on regular expressions. This is useful if the organization/project structure in the private registry is different than the registry it is mirroring. For example, the following configuration would transparently pull the image docker.io/rancher/mirrored-pause:3.6 as registry.example.com:5000/mirrorproject/rancher-images/mirrored-pause:3.6: mirrors: docker.io: endpoint: - \"https://registry.example.com:5000\" rewrite: \"^rancher/(.*)\": \"mirrorproject/rancher-images/$1\" When using redirects and rewrites, images will still be stored under the original name. For example, crictl image ls will show docker.io/rancher/mirrored-pause:3.6 as available on the node, even though the image was pulled from the mirrored registry with a different name.","s":"Mirrors","u":"/kr/installation/private-registry","h":"#mirrors","p":2831},{"i":2840,"t":"The configs section defines the TLS and credential configuration for each mirror. For each mirror you can define auth and/or tls. The tls part consists of: Directive Description cert_file The client certificate path that will be used to authenticate with the registry key_file The client key path that will be used to authenticate with the registry ca_file Defines the CA certificate path to be used to verify the registry's server cert file insecure_skip_verify Boolean that defines if TLS verification should be skipped for the registry The auth part consists of either username/password or authentication token: Directive Description username user name of the private registry basic auth password user password of the private registry basic auth auth authentication token of the private registry basic auth Below are basic examples of using private registries in different modes:","s":"Configs","u":"/kr/installation/private-registry","h":"#configs","p":2831},{"i":2842,"t":"Below are examples showing how you may configure /etc/rancher/k3s/registries.yaml on each node when using TLS. With Authentication Without Authentication mirrors: docker.io: endpoint: - \"https://registry.example.com:5000\" configs: \"registry.example.com:5000\": auth: username: xxxxxx # this is the registry username password: xxxxxx # this is the registry password tls: cert_file: # path to the cert file used in the registry key_file: # path to the key file used in the registry ca_file: # path to the ca file used in the registry mirrors: docker.io: endpoint: - \"https://registry.example.com:5000\" configs: \"registry.example.com:5000\": tls: cert_file: # path to the cert file used in the registry key_file: # path to the key file used in the registry ca_file: # path to the ca file used in the registry","s":"With TLS","u":"/kr/installation/private-registry","h":"#with-tls","p":2831},{"i":2844,"t":"Below are examples showing how you may configure /etc/rancher/k3s/registries.yaml on each node when not using TLS. With Authentication Without Authentication mirrors: docker.io: endpoint: - \"http://registry.example.com:5000\" configs: \"registry.example.com:5000\": auth: username: xxxxxx # this is the registry username password: xxxxxx # this is the registry password mirrors: docker.io: endpoint: - \"http://registry.example.com:5000\" In case of no TLS communication, you need to specify http:// for the endpoints, otherwise it will default to https. In order for the registry changes to take effect, you need to restart K3s on each node.","s":"Without TLS","u":"/kr/installation/private-registry","h":"#without-tls","p":2831},{"i":2846,"t":"When Kubernetes experiences problems pulling an image, the error displayed by the kubelet may only reflect the terminal error returned by the pull attempt made against the default endpoint, making it appear that the configured endpoints are not being used. Check the containerd log on the node at /var/lib/rancher/k3s/agent/containerd/containerd.log for detailed information on the root cause of the failure.","s":"Troubleshooting Image Pulls","u":"/kr/installation/private-registry","h":"#troubleshooting-image-pulls","p":2831},{"i":2848,"t":"Mirroring images to a private registry requires a host with Docker or other 3rd party tooling that is capable of pulling and pushing images. The steps below assume you have a host with dockerd and the docker CLI tools, and access to both docker.io and your private registry. Obtain the k3s-images.txt file from GitHub for the release you are working with. Pull each of the K3s images listed on the k3s-images.txt file from docker.io. Example: docker pull docker.io/rancher/mirrored-pause:3.6 Retag the images to the private registry. Example: docker tag docker.io/rancher/mirrored-pause:3.6 registry.example.com:5000/rancher/mirrored-pause:3.6 Push the images to the private registry. Example: docker push registry.example.com:5000/rancher/mirrored-pause:3.6","s":"Adding Images to the Private Registry","u":"/kr/installation/private-registry","h":"#adding-images-to-the-private-registry","p":2831},{"i":2850,"t":"warning Uninstalling K3s deletes the local cluster data, configuration, and all of the scripts and CLI tools. It does not remove any data from external datastores, or created by pods using external Kubernetes storage volumes. If you installed K3s using the installation script, a script to uninstall K3s was generated during installation. If you are planning on rejoining a node to an existing cluster after uninstalling and reinstalling, be sure to delete the node from the cluster to ensure that the node password secret is removed. See the Node Registration documentation for more information.","s":"Uninstalling K3s","u":"/kr/installation/uninstall","h":"","p":2849},{"i":2852,"t":"To uninstall K3s from a server node, run: /usr/local/bin/k3s-uninstall.sh","s":"Uninstalling Servers","u":"/kr/installation/uninstall","h":"#uninstalling-servers","p":2849},{"i":2854,"t":"To uninstall K3s from an agent node, run: /usr/local/bin/k3s-agent-uninstall.sh","s":"Uninstalling Agents","u":"/kr/installation/uninstall","h":"#uninstalling-agents","p":2849},{"i":2856,"t":"This page describes K3s network configuration options, including configuration or replacement of Flannel, and configuring IPv6 or dualStack.","s":"Basic Network Options","u":"/kr/networking/basic-network-options","h":"","p":2855},{"i":2858,"t":"Flannel is a lightweight provider of layer 3 network fabric that implements the Kubernetes Container Network Interface (CNI). It is what is commonly referred to as a CNI Plugin. Flannel options can only be set on server nodes, and must be identical on all servers in the cluster. The default backend for Flannel is vxlan. To enable encryption, use the wireguard-native backend. Using vxlan on Rasperry Pi with recent versions of Ubuntu requires additional preparation. Using wireguard-native as the Flannel backend may require additional modules on some Linux distributions. Please see the WireGuard Install Guide for details. The WireGuard install steps will ensure the appropriate kernel modules are installed for your operating system. You must ensure that WireGuard kernel modules are available on every node, both servers and agents, before attempting to use the WireGuard Flannel backend. CLI Flag and Value Description --flannel-ipv6-masq Apply masquerading rules to IPv6 traffic (default for IPv4). Only applies on dual-stack or IPv6-only clusters. Compatible with any Flannel backend other than none. --flannel-external-ip Use node external IP addresses as the destination for Flannel traffic, instead of internal IPs. Only applies when --node-external-ip is set on a node. --flannel-backend=vxlan Use VXLAN to encapsulate the packets. May require additional kernel modules on Raspberry Pi. --flannel-backend=host-gw Use IP routes to pod subnets via node IPs. Requires direct layer 2 connectivity between all nodes in the cluster. --flannel-backend=wireguard-native Use WireGuard to encapsulate and encrypt network traffic. May require additional kernel modules. --flannel-backend=ipsec Use strongSwan IPSec via the swanctl binary to encrypt network traffic. (Deprecated; will be removed in v1.27.0) --flannel-backend=none Disable Flannel entirely. Version Gate K3s no longer includes strongSwan swanctl and charon binaries starting with the 2022-12 releases (v1.26.0+k3s1, v1.25.5+k3s1, v1.24.9+k3s1, v1.23.15+k3s1). Please install the correct packages on your node before upgrading to or installing these releases if you want to use the ipsec backend.","s":"Flannel Options","u":"/kr/networking/basic-network-options","h":"#flannel-options","p":2855},{"i":2860,"t":"The legacy wireguard backend requires installation of the wg tool on the host. This backend is not available in K3s v1.26 and higher, in favor of wireguard-native backend, which directly interfaces with the kernel. The legacy ipsec backend requires installation of the swanctl and charon binaries on the host. This backend is not available in K3s v1.27 and higher, in favor of the wireguard-native backend. We recommend that users migrate to the new backend as soon as possible. The migration requires a short period of downtime while nodes come up with the new configuration. You should follow these two steps: Update the K3s config on all server nodes. If using config files, the /etc/rancher/k3s/config.yaml should include flannel-backend: wireguard-native instead of flannel-backend: wireguard or flannel-backend: ipsec. If you are configuring K3s via CLI flags in the systemd unit, the equivalent flags should be changed. Reboot all nodes, starting with the servers.","s":"Migrating from wireguard or ipsec to wireguard-native","u":"/kr/networking/basic-network-options","h":"#migrating-from-wireguard-or-ipsec-to-wireguard-native","p":2855},{"i":2862,"t":"Start K3s with --flannel-backend=none and install your CNI of choice. Most CNI plugins come with their own network policy engine, so it is recommended to set --disable-network-policy as well to avoid conflicts. Some important information to take into consideration: Canal Calico Cilium Visit the Canal Docs website. Follow the steps to install Canal. Modify the Canal YAML so that IP forwarding is allowed in the container_settings section, for example: \"container_settings\": { \"allow_ip_forwarding\": true } Apply the Canal YAML. Ensure the settings were applied by running the following command on the host: cat /etc/cni/net.d/10-canal.conflist You should see that IP forwarding is set to true. Follow the Calico CNI Plugins Guide. Modify the Calico YAML so that IP forwarding is allowed in the container_settings section, for example: \"container_settings\": { \"allow_ip_forwarding\": true } Apply the Calico YAML. Ensure the settings were applied by running the following command on the host: cat /etc/cni/net.d/10-calico.conflist You should see that IP forwarding is set to true. Before running k3s-killall.sh or k3s-uninstall.sh, you must manually remove cilium_host, cilium_net and cilium_vxlan interfaces. If you fail to do this, you may lose network connectivity to the host when K3s is stopped ip link delete cilium_host ip link delete cilium_net ip link delete cilium_vxlan Additionally, iptables rules for cilium should be removed: iptables-save | grep -iv cilium | iptables-restore ip6tables-save | grep -iv cilium | ip6tables-restore","s":"Custom CNI","u":"/kr/networking/basic-network-options","h":"#custom-cni","p":2855},{"i":2864,"t":"K3s agents and servers maintain websocket tunnels between nodes that are used to encapsulate bidirectional communication between the control-plane (apiserver) and agent (kubelet and containerd) components. This allows agents to operate without exposing the kubelet and container runtime streaming ports to incoming connections, and for the control-plane to connect to cluster services when operating with the agent disabled. This functionality is equivalent to the Konnectivity service commonly used on other Kubernetes distributions, and is managed via the apiserver's egress selector configuration. The default mode is agent. pod or cluster modes are recommended when running agentless servers, in order to provide the apiserver with access to cluster service endpoints in the absence of flannel and kube-proxy. The egress selector mode may be configured on servers via the --egress-selector-mode flag, and offers four modes: disabled: The apiserver does not use agent tunnels to communicate with kubelets or cluster endpoints. This mode requires that servers run the kubelet, CNI, and kube-proxy, and have direct connectivity to agents, or the apiserver will not be able to access service endpoints or perform kubectl exec and kubectl logs. agent (default): The apiserver uses agent tunnels to communicate with kubelets. This mode requires that the servers also run the kubelet, CNI, and kube-proxy, or the apiserver will not be able to access service endpoints. pod: The apiserver uses agent tunnels to communicate with kubelets and service endpoints, routing endpoint connections to the correct agent by watching Nodes and Endpoints. NOTE: This mode will not work when using a CNI that uses its own IPAM and does not respect the node's PodCIDR allocation. cluster or agent mode should be used with these CNIs instead. cluster: The apiserver uses agent tunnels to communicate with kubelets and service endpoints, routing endpoint connections to the correct agent by watching Pods and Endpoints. This mode has the highest portability across different cluster configurations, at the cost of increased overhead.","s":"Control-Plane Egress Selector configuration","u":"/kr/networking/basic-network-options","h":"#control-plane-egress-selector-configuration","p":2855},{"i":2866,"t":"Version Gate Experimental support is available as of v1.21.0+k3s1. Stable support is available as of v1.23.7+k3s1. Known Issue Before 1.27, Kubernetes Issue #111695 causes the Kubelet to ignore the node IPv6 addresses if you have a dual-stack environment and you are not using the primary network interface for cluster traffic. To avoid this bug, use 1.27 or newer or add the following flag to both K3s servers and agents: --kubelet-arg=\"node-ip=0.0.0.0\" # To proritize IPv4 traffic #OR --kubelet-arg=\"node-ip=::\" # To proritize IPv6 traffic Dual-stack networking must be configured when the cluster is first created. It cannot be enabled on an existing cluster once it has been started as IPv4-only. To enable dual-stack in K3s, you must provide valid dual-stack cluster-cidr and service-cidr on all server nodes. This is an example of a valid configuration: --cluster-cidr=10.42.0.0/16,2001:cafe:42::/56 --service-cidr=10.43.0.0/16,2001:cafe:43::/112 Note that you may configure any valid cluster-cidr and service-cidr values, but the above masks are recommended. If you change the cluster-cidr mask, you should also change the node-cidr-mask-size-ipv4 and node-cidr-mask-size-ipv6 values to match the planned pods per node and total node count. The largest supported service-cidr mask is /12 for IPv4, and /112 for IPv6. Remember to allow ipv6 traffic if you are deploying in a public cloud. If you are using a custom CNI plugin, i.e. a CNI plugin other than Flannel, the additional configuration may be required. Please consult your plugin's dual-stack documentation and verify if network policies can be enabled. Known Issue When defining cluster-cidr and service-cidr with IPv6 as the primary family, the node-ip of all cluster members should be explicitly set, placing node's desired IPv6 address as the first address. By default, the kubelet always uses IPv4 as the primary address family.","s":"Dual-stack (IPv4 + IPv6) Networking","u":"/kr/networking/basic-network-options","h":"#dual-stack-ipv4--ipv6-networking","p":2855},{"i":2868,"t":"Version Gate Available as of v1.22.9+k3s1 Known Issue If your IPv6 default route is set by a router advertisement (RA), you will need to set the sysctl net.ipv6.conf.all.accept_ra=2; otherwise, the node will drop the default route once it expires. Be aware that accepting RAs could increase the risk of man-in-the-middle attacks. Single-stack IPv6 clusters (clusters without IPv4) are supported on K3s using the --cluster-cidr and --service-cidr flags. This is an example of a valid configuration: --cluster-cidr=2001:cafe:42::/56 --service-cidr=2001:cafe:43::/112","s":"Single-stack IPv6 Networking","u":"/kr/networking/basic-network-options","h":"#single-stack-ipv6-networking","p":2855},{"i":2870,"t":"Some cloud providers, such as Linode, will create machines with \"localhost\" as the hostname and others may not have a hostname set at all. This can cause problems with domain name resolution. You can run K3s with the --node-name flag or K3S_NODE_NAME environment variable and this will pass the node name to resolve this issue.","s":"Nodes Without a Hostname","u":"/kr/networking/basic-network-options","h":"#nodes-without-a-hostname","p":2855},{"i":2872,"t":"This section contains instructions for configuring networking in K3s. Basic Network Options covers the basic networking configuration of the cluster such as flannel and single/dual stack configurations Hybrid/Multicloud cluster provides guidance on the options available to span the k3s cluster over remote or hybrid nodes Multus and IPAM plugins provides guidance to leverage Multus in K3s in order to have multiple interfaces per pod Networking services: dns, ingress, etc explains how CoreDNS, Traefik, Network Policy controller and ServiceLB controller work within k3s","s":"Networking","u":"/kr/networking","h":"","p":2871},{"i":2874,"t":"A K3s cluster can still be deployed on nodes which do not share a common private network and are not directly connected (e.g. nodes in different public clouds). There are two options to achieve this: the embedded k3s multicloud solution and the integration with the tailscale VPN provider. warning The latency between nodes will increase as external connectivity requires more hops. This will reduce the network performance and could also impact the health of the cluster if latency is too high. warning Embedded etcd is not supported in this type of deployment. If using embedded etcd, all server nodes must be reachable to each other via their private IPs. Agents may be distributed over multiple networks, but all servers should be in the same location.","s":"Distributed hybrid or multicloud cluster","u":"/kr/networking/distributed-multicloud","h":"","p":2873},{"i":2876,"t":"K3s uses wireguard to establish a VPN mesh for cluster traffic. Nodes must each have a unique IP through which they can be reached (usually a public IP). K3s supervisor traffic will use a websocket tunnel, and cluster (CNI) traffic will use a wireguard tunnel. To enable this type of deployment, you must add the following parameters on servers: --node-external-ip= --flannel-backend=wireguard-native --flannel-external-ip and on agents: --node-external-ip= where SERVER_EXTERNAL_IP is the IP through which we can reach the server node and AGENT_EXTERNAL_IP is the IP through which we can reach the agent node. Note that the K3S_URL config parameter in the agent should use the SERVER_EXTERNAL_IP to be able to connect to it. Remember to check the Networking Requirements and allow access to the listed ports on both internal and external addresses. Both SERVER_EXTERNAL_IP and AGENT_EXTERNAL_IP must have connectivity between them and are normally public IPs. Dynamic IPs If nodes are assigned dynamic IPs and the IP changes (e.g. in AWS), you must modify the --node-external-ip parameter to reflect the new IP. If running K3s as a service, you must modify /etc/systemd/system/k3s.service then run: systemctl daemon-reload systemctl restart k3s","s":"Embedded k3s multicloud solution","u":"/kr/networking/distributed-multicloud","h":"#embedded-k3s-multicloud-solution","p":2873},{"i":2878,"t":"Available in v1.27.3, v1.26.6, v1.25.11 and newer. K3s can integrate with Tailscale so that nodes use the Tailscale VPN service to build a mesh between nodes. There are four steps to be done with Tailscale before deploying K3s: Log in to your Tailscale account In Settings > Keys, generate an auth key ($AUTH-KEY), which may be reusable for all nodes in your cluster Decide on the podCIDR the cluster will use (by default 10.42.0.0/16). Append the CIDR (or CIDRs for dual-stack) in Access controls with the stanza: \"autoApprovers\": { \"routes\": { \"10.42.0.0/16\": [\"your_account@xyz.com\"], \"2001:cafe:42::/56\": [\"your_account@xyz.com\"], }, }, Install Tailscale in your nodes: curl -fsSL https://tailscale.com/install.sh | sh To deploy K3s with Tailscale integration enabled, you must add the following parameter on each of your nodes: --vpn-auth=\"name=tailscale,joinKey=$AUTH-KEY or provide that information in a file and use the parameter: --vpn-auth-file=$PATH_TO_FILE Optionally, if you have your own Tailscale server (e.g. headscale), you can connect to it by appending ,controlServerURL=$URL to the vpn-auth parameters warning If you plan on running several K3s clusters using the same tailscale network, please create appropriate ACLs to avoid IP conflicts or use different podCIDR subnets for each cluster.","s":"Integration with the Tailscale VPN provider (experimental)","u":"/kr/networking/distributed-multicloud","h":"#integration-with-the-tailscale-vpn-provider-experimental","p":2873},{"i":2880,"t":"알려진 이슈는 주기적으로 업데이트되며, 다음 릴리스에서 즉시 해결되지 않을 수 있는 문제에 대해 알려드리기 위해 고안되었습니다.","s":"알려진 이슈","u":"/kr/known-issues","h":"","p":2879},{"i":2882,"t":"스냅(Snap) 패키지를 통해 설치된 도커는 K3s를 실행하는 데 문제를 일으키는 것으로 알려져 있으므로 K3s와 함께 사용하려는 경우 권장하지 않습니다.","s":"스냅(Snap) 도커","u":"/kr/known-issues","h":"#스냅snap-도커","p":2879},{"i":2884,"t":"레거시 대신 nftables 모드에서 iptables를 실행하는 경우 문제가 발생할 수 있습니다. 문제를 방지하려면 최신 버전(예: 1.6.1+)의 iptables를 사용하는 것이 좋습니다. 또한 1.8.0-1.8.4 버전에는 K3s가 실패할 수 있는 알려진 문제가 있습니다. 해결 방법은 추가 OS 준비를 참조하세요.","s":"Iptables","u":"/kr/known-issues","h":"#iptables","p":2879},{"i":2886,"t":"루트리스 모드로 K3s를 실행하는 것은 실험 중이며 몇 가지 알려진 이슈가 있습니다.","s":"Rootless Mode","u":"/kr/known-issues","h":"#rootless-mode","p":2879},{"i":2888,"t":"쿠버네티스는 파드 보안 표준(PSS, Pod Security Standards)을 위해 v1.25에서 PodSecurityPolicy를 제거했습니다. PSS에 대한 자세한 내용은 업스트림 문서에서 확인할 수 있습니다. K3S의 경우, 노드에 'PodSecurityPolicy'가 구성된 경우 수행해야 하는 몇 가지 수동 단계가 있습니다. 모든 노드에서 kube-apiserver-arg 값을 업데이트하여 PodSecurityPolicy 어드미션 플러그인을 제거합니다. 대신 다음 arg 값을 추가합니다: 'admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml' 이지만, 아직 K3S를 재시작하거나 업그레이드하지 마십시오. 아래는 노드를 강화한 후 구성 파일의 예시입니다. protect-kernel-defaults: true secrets-encryption: true kube-apiserver-arg: - \"admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml\" - \"audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log\" - \"audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml\" - \"audit-log-maxage=30\" - \"audit-log-maxbackup=10\" - \"audit-log-maxsize=100\" kube-controller-manager-arg: - \"terminated-pod-gc-threshold=10\" - \"use-service-account-credentials=true\" kubelet-arg: - \"streaming-connection-idle-timeout=5m\" - \"make-iptables-util-chains=true\" /var/lib/rancher/k3s/server/psa.yaml 파일을 다음 내용으로 작성합니다. 더 많은 네임스페이스를 제외할 수도 있습니다. 아래 예시는 kube-system(필수), cis-operator-system(선택적이지만 Rancher를 통해 보안 스캔을 실행할 때 유용), system-upgrade(자동 업그레이드를 수행하는 경우 필수)을 제외합니다. apiVersion: apiserver.config.k8s.io/v1 kind: AdmissionConfiguration plugins: - name: PodSecurity configuration: apiVersion: pod-security.admission.config.k8s.io/v1beta1 kind: PodSecurityConfiguration defaults: enforce: \"restricted\" enforce-version: \"latest\" audit: \"restricted\" audit-version: \"latest\" warn: \"restricted\" warn-version: \"latest\" exemptions: usernames: [] runtimeClasses: [] namespaces: [kube-system, cis-operator-system, system-upgrade] 일반적으로 업그레이드를 수행합니다. 자동 업그레이드를 수행하는 경우 system-upgrade-controller가 실행되는 네임스페이스가 파드 보안 수준에 따라 권한이 부여된 것으로 설정되었는지 확인합니다. apiVersion: v1 kind: Namespace metadata: name: system-upgrade labels: # This value must be privileged for the controller to run successfully. pod-security.kubernetes.io/enforce: privileged pod-security.kubernetes.io/enforce-version: v1.25 # We are setting these to our _desired_ `enforce` level, but note that these below values can be any of the available options. pod-security.kubernetes.io/audit: privileged pod-security.kubernetes.io/audit-version: v1.25 pod-security.kubernetes.io/warn: privileged pod-security.kubernetes.io/warn-version: v1.25 업그레이드가 완료된 후, 클러스터에서 남아있는 모든 PSP 리소스를 제거합니다. 대부분의 경우, /var/lib/rancher/k3s/server/manifests/ 내부에서 강화를 위해 사용된 사용자 정의 파일에는 PodSecurityPolicies 및 관련 RBAC 리소스가 있을 수 있습니다. 이러한 리소스를 제거하면 k3s가 자동으로 업데이트됩니다. 때때로 시간이 지난 후에 이러한 리소스가 클러스터에 남아있을 수 있으므로 수동으로 삭제해야 합니다. 이전에 강화 가이드를 따르면 다음과 같이 삭제할 수 있습니다: # Get the resources associated with PSPs $ kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A | grep -i psp # Delete those resources: $ kubectl delete clusterrole.rbac.authorization.k8s.io/psp:restricted-psp clusterrole.rbac.authorization.k8s.io/psp:svclb-psp clusterrole.rbac.authorization.k8s.io/psp:system-unrestricted-psp clusterrolebinding.rbac.authorization.k8s.io/default:restricted-psp clusterrolebinding.rbac.authorization.k8s.io/system-unrestricted-node-psp-rolebinding && kubectl delete -n kube-system rolebinding.rbac.authorization.k8s.io/svclb-psp-rolebinding rolebinding.rbac.authorization.k8s.io/system-unrestricted-svc-acct-psp-rolebinding","s":"강화된(Hardened) 클러스터를 v1.24.x에서 v1.25.x로 업그레이드하기","u":"/kr/known-issues","h":"","p":2879},{"i":2890,"t":"This page explains how CoreDNS, Traefik Ingress controller, Network Policy controller, and ServiceLB load balancer controller work within K3s. Refer to the Installation Network Options page for details on Flannel configuration options and backend selection, or how to set up your own CNI. For information on which ports need to be opened for K3s, refer to the Networking Requirements.","s":"Networking Services","u":"/kr/networking/networking-services","h":"","p":2889},{"i":2892,"t":"CoreDNS is deployed automatically on server startup. To disable it, configure all servers in the cluster with the --disable=coredns option. If you don't install CoreDNS, you will need to install a cluster DNS provider yourself.","s":"CoreDNS","u":"/kr/networking/networking-services","h":"#coredns","p":2889},{"i":2894,"t":"Traefik is a modern HTTP reverse proxy and load balancer made to deploy microservices with ease. It simplifies networking complexity while designing, deploying, and running applications. The Traefik ingress controller deploys a LoadBalancer Service that uses ports 80 and 443. By default, ServiceLB will expose these ports on all cluster members, meaning these ports will not be usable for other HostPort or NodePort pods. Traefik is deployed by default when starting the server. For more information see Managing Packaged Components. The default config file is found in /var/lib/rancher/k3s/server/manifests/traefik.yaml. The traefik.yaml file should not be edited manually, as K3s will replace the file with defaults at startup. Instead, you should customize Traefik by creating an additional HelmChartConfig manifest in /var/lib/rancher/k3s/server/manifests. For more details and an example see Customizing Packaged Components with HelmChartConfig. For more information on the possible configuration values, refer to the official Traefik Helm Configuration Parameters.. To remove Traefik from your cluster, start all servers with the --disable=traefik flag. K3s versions 1.20 and earlier include Traefik v1. K3s versions 1.21 and later install Traefik v2, unless an existing installation of Traefik v1 is found, in which case Traefik is not upgraded to v2. For more information on the specific version of Traefik included with K3s, consult the Release Notes for your version. To migrate from an older Traefik v1 instance please refer to the Traefik documentation and migration tool.","s":"Traefik Ingress Controller","u":"/kr/networking/networking-services","h":"#traefik-ingress-controller","p":2889},{"i":2896,"t":"K3s includes an embedded network policy controller. The underlying implementation is kube-router's netpol controller library (no other kube-router functionality is present) and can be found here. To disable it, start each server with the --disable-network-policy flag. 비고 Network policy iptables rules are not removed if the K3s configuration is changed to disable the network policy controller. To clean up the configured kube-router network policy rules after disabling the network policy controller, use the k3s-killall.sh script, or clean them using iptables-save and iptables-restore. These steps must be run manually on all nodes in the cluster. iptables-save | grep -v KUBE-ROUTER | iptables-restore ip6tables-save | grep -v KUBE-ROUTER | ip6tables-restore","s":"Network Policy Controller","u":"/kr/networking/networking-services","h":"#network-policy-controller","p":2889},{"i":2898,"t":"Any LoadBalancer controller can be deployed to your K3s cluster. By default, K3s provides a load balancer known as ServiceLB (formerly Klipper LoadBalancer) that uses available host ports. Upstream Kubernetes allows Services of type LoadBalancer to be created, but doesn't include a default load balancer implementation, so these services will remain pending until one is installed. Many hosted services require a cloud provider such as Amazon EC2 or Microsoft Azure to offer an external load balancer implementation. By contrast, the K3s ServiceLB makes it possible to use LoadBalancer Services without a cloud provider or any additional configuration.","s":"Service Load Balancer","u":"/kr/networking/networking-services","h":"#service-load-balancer","p":2889},{"i":2900,"t":"The ServiceLB controller watches Kubernetes Services with the spec.type field set to LoadBalancer. For each LoadBalancer Service, a DaemonSet is created in the kube-system namespace. This DaemonSet in turn creates Pods with a svc- prefix, on each node. These Pods use iptables to forward traffic from the Pod's NodePort, to the Service's ClusterIP address and port. If the ServiceLB Pod runs on a node that has an external IP configured, the node's external IP is populated into the Service's status.loadBalancer.ingress address list. Otherwise, the node's internal IP is used. If multiple LoadBalancer Services are created, a separate DaemonSet is created for each Service. It is possible to expose multiple Services on the same node, as long as they use different ports. If you try to create a LoadBalancer Service that listens on port 80, the ServiceLB will try to find a free host in the cluster for port 80. If no host with that port is available, the LB will remain Pending.","s":"How ServiceLB Works","u":"/kr/networking/networking-services","h":"#how-servicelb-works","p":2889},{"i":2902,"t":"Create a Service of type LoadBalancer in K3s.","s":"Usage","u":"/kr/networking/networking-services","h":"#usage","p":2889},{"i":2904,"t":"Adding the svccontroller.k3s.cattle.io/enablelb=true label to one or more nodes switches the ServiceLB controller into allow-list mode, where only nodes with the label are eligible to host LoadBalancer pods. Nodes that remain unlabeled will be excluded from use by ServiceLB. 비고 By default, nodes are not labeled. As long as all nodes remain unlabeled, all nodes with ports available will be used by ServiceLB.","s":"Controlling ServiceLB Node Selection","u":"/kr/networking/networking-services","h":"#controlling-servicelb-node-selection","p":2889},{"i":2906,"t":"To select a particular subset of nodes to host pods for a LoadBalancer, add the enablelb label to the desired nodes, and set matching lbpool label values on the Nodes and Services. For example: Label Node A and Node B with svccontroller.k3s.cattle.io/lbpool=pool1 and svccontroller.k3s.cattle.io/enablelb=true Label Node C and Node D with svccontroller.k3s.cattle.io/lbpool=pool2 and svccontroller.k3s.cattle.io/enablelb=true Create one LoadBalancer Service on port 443 with label svccontroller.k3s.cattle.io/lbpool=pool1. The DaemonSet for this service only deploy Pods to Node A and Node B. Create another LoadBalancer Service on port 443 with label svccontroller.k3s.cattle.io/lbpool=pool2. The DaemonSet will only deploy Pods to Node C and Node D.","s":"Creating ServiceLB Node Pools","u":"/kr/networking/networking-services","h":"#creating-servicelb-node-pools","p":2889},{"i":2908,"t":"To disable ServiceLB, configure all servers in the cluster with the --disable=servicelb flag. This is necessary if you wish to run a different LB, such as MetalLB.","s":"Disabling ServiceLB","u":"/kr/networking/networking-services","h":"#disabling-servicelb","p":2889},{"i":2910,"t":"In order to reduce binary size, K3s removes all \"in-tree\" (built-in) cloud providers. Instead, K3s provides an embedded Cloud Controller Manager (CCM) stub that does the following: Sets node InternalIP and ExternalIP address fields based on the --node-ip and --node-external-ip flags. Hosts the ServiceLB LoadBalancer controller. Clears the node.cloudprovider.kubernetes.io/uninitialized taint that is present when the cloud-provider is set to external Before deploying an external CCM, you must start all K3s servers with the --disable-cloud-controller flag to disable to embedded CCM. 비고 If you disable the built-in CCM and do not deploy and properly configure an external substitute, nodes will remain tainted and unschedulable.","s":"Deploying an External Cloud Controller Manager","u":"/kr/networking/networking-services","h":"#deploying-an-external-cloud-controller-manager","p":2889},{"i":2912,"t":"Multus CNI is a CNI plugin that enables attaching multiple network interfaces to pods. Multus does not replace CNI plugins, instead it acts as a CNI plugin multiplexer. Multus is useful in certain use cases, especially when pods are network intensive and require extra network interfaces that support dataplane acceleration techniques such as SR-IOV. Multus can not be deployed standalone. It always requires at least one conventional CNI plugin that fulfills the Kubernetes cluster network requirements. That CNI plugin becomes the default for Multus, and will be used to provide the primary interface for all pods. When deploying K3s with default options, that CNI plugin is Flannel. To deploy Multus, we recommend using the following helm repo: helm repo add rke2-charts https://rke2-charts.rancher.io helm repo update Then, to set the necessary configuration for it to work, a correct config file must be created. The configuration will depend on the IPAM plugin to be used, i.e. how your pods using Multus extra interfaces will configure the IPs for those extra interfaces. There are three options: host-local, DHCP Daemon and whereabouts: host-local Whereabouts Multus DHCP daemon The host-local IPAM plugin allocates ip addresses out of a set of address ranges. It stores the state locally on the host filesystem, hence ensuring uniqueness of IP addresses on a single host. Therefore, we don't recommend it for multi-node clusters. This IPAM plugin does not require any extra deployment. For more information: https://www.cni.dev/plugins/current/ipam/host-local/. To use the host-local plugin, please create a file called multus-values.yaml with the following content: config: cni_conf: confDir: /var/lib/rancher/k3s/agent/etc/cni/net.d binDir: /var/lib/rancher/k3s/data/current/bin/ kubeconfig: /var/lib/rancher/k3s/agent/etc/cni/net.d/multus.d/multus.kubeconfig Whereabouts is an IP Address Management (IPAM) CNI plugin that assigns IP addresses cluster-wide. To use the Whereabouts IPAM plugin, please create a file called multus-values.yaml with the following content: config: cni_conf: confDir: /var/lib/rancher/k3s/agent/etc/cni/net.d binDir: /var/lib/rancher/k3s/data/current/bin/ kubeconfig: /var/lib/rancher/k3s/agent/etc/cni/net.d/multus.d/multus.kubeconfig rke2-whereabouts: fullnameOverride: whereabouts enabled: true cniConf: confDir: /var/lib/rancher/k3s/agent/etc/cni/net.d binDir: /var/lib/rancher/k3s/data/current/bin/ The dhcp IPAM plugin can be deployed when there is already a DHCP server running on the network. This daemonset takes care of periodically renewing the DHCP lease. For more information please check the official docs of DHCP IPAM plugin. To use this DHCP plugin, please create a file called multus-values.yaml with the following content: config: cni_conf: confDir: /var/lib/rancher/k3s/agent/etc/cni/net.d binDir: /var/lib/rancher/k3s/data/current/bin/ kubeconfig: /var/lib/rancher/k3s/agent/etc/cni/net.d/multus.d/multus.kubeconfig manifests: dhcpDaemonSet: true After creating the multus-values.yaml file, everything is ready to install Multus: helm install multus rke2-charts/rke2-multus -n kube-system --kubeconfig /etc/rancher/k3s/k3s.yaml --values multus-values.yaml That will create a daemonset called multus which will deploy multus and all regular cni binaries in /var/lib/rancher/k3s/data/current/ (e.g. macvlan) and the correct Multus config in /var/lib/rancher/k3s/agent/etc/cni/net.d For more information about Multus, refer to the multus-cni documentation.","s":"Multus and IPAM plugins","u":"/kr/networking/multus-ipams","h":"","p":2911},{"i":2914,"t":"이 가이드는 기본 옵션으로 클러스터를 빠르게 시작하는 데 도움이 됩니다. 설치 섹션에서는 K3s를 설정하는 방법에 대해 자세히 설명합니다. K3s 구성 요소들이 작동하는 방식에 대한 자세한 내용은 아키텍처 섹션을 참조하세요. 정보 Kubernetes를 처음 사용하시나요? 공식 쿠버네티스 문서에는 이미 기본 사항을 설명하는 훌륭한 튜토리얼이 여기 있습니다.","s":"빠른 시작 가이드","u":"/kr/quick-start","h":"","p":2913},{"i":2916,"t":"K3s는 systemd 또는 openrc 기반 시스템에 서비스로 설치하는 편리한 방법으로 설치 스크립트를 제공합니다. 이 스크립트는 https://get.k3s.io 에서 확인할 수 있습니다. 이 방법으로 K3s를 설치하려면, 간단하게 다음을 실행하세요: curl -sfL https://get.k3s.io | sh - 이 설치를 실행한 후: 노드가 재부팅되거나 프로세스가 충돌 또는 종료된 경우 자동으로 재시작되도록 K3s 서비스가 구성됩니다. kubectl, crictl, ctr, k3s-killall.sh 및 k3s-uninstall.sh를 포함한 추가 유틸리티가 설치됩니다. /etc/rancher/k3s/k3s.yaml에 kubeconfig 파일을 작성하고, K3s가 설치한 kubectl이 자동으로 이를 사용하게 됩니다. 단일 노드 서버 설치는 워크로드 파드를 호스팅하는 데 필요한 모든 데이터스토어, 컨트롤 플레인, kubelet 및 컨테이너 런타임 구성 요소를 포함하여 모든 기능을 갖춘 Kubernetes 클러스터입니다. 서버 또는 에이전트 노드를 추가할 필요는 없지만, 클러스터에 추가 용량 또는 중복성을 추가하기 위해 추가하는 것이 좋습니다. 에이전트 노드를 추가로 설치하여 클러스터에 추가하려면, K3S_URL 및 K3S_TOKEN 환경 변수를 사용하여 설치 스크립트를 실행합니다. 다음은 에이전트 가입 방법을 보여주는 예제입니다: curl -sfL https://get.k3s.io | K3S_URL=https://myserver:6443 K3S_TOKEN=mynodetoken sh - K3S_URL 파라미터를 설정하면 인스톨러가 K3s를 서버가 아닌 에이전트로 구성합니다. K3s 에이전트는 제공된 URL에서 수신 대기 중인 K3s 서버에 등록됩니다. K3S_TOKEN에 사용할 값은 서버 노드의 /var/lib/rancher/k3s/server/node-token에 저장됩니다. 비고 각 머신은 고유한 호스트 이름을 가져야 합니다. 머신에 고유 호스트명이 없는 경우, K3S_NODE_NAME 환경 변수를 전달하고 각 노드에 대해 유효한 고유 호스트명이 있는 값을 제공하세요.","s":"설치 스크립트","u":"/kr/quick-start","h":"#설치-스크립트","p":2913},{"i":2918,"t":"As mentioned in the Quick-Start Guide, you can use the installation script available at https://get.k3s.io to install K3s as a service on systemd and openrc based systems. The simplest form of this command is as follows: curl -sfL https://get.k3s.io | sh - When using this method to install K3s, the following environment variables can be used to configure the installation: Environment Variable Description INSTALL_K3S_SKIP_DOWNLOAD If set to true will not download K3s hash or binary. INSTALL_K3S_SYMLINK By default will create symlinks for the kubectl, crictl, and ctr binaries if the commands do not already exist in path. If set to 'skip' will not create symlinks and 'force' will overwrite. INSTALL_K3S_SKIP_ENABLE If set to true will not enable or start K3s service. INSTALL_K3S_SKIP_START If set to true will not start K3s service. INSTALL_K3S_VERSION Version of K3s to download from Github. Will attempt to download from the stable channel if not specified. INSTALL_K3S_BIN_DIR Directory to install K3s binary, links, and uninstall script to, or use /usr/local/bin as the default. INSTALL_K3S_BIN_DIR_READ_ONLY If set to true will not write files to INSTALL_K3S_BIN_DIR, forces setting INSTALL_K3S_SKIP_DOWNLOAD=true. INSTALL_K3S_SYSTEMD_DIR Directory to install systemd service and environment files to, or use /etc/systemd/system as the default. INSTALL_K3S_EXEC Command with flags to use for launching K3s in the service. If the command is not specified, and the K3S_URL is set, it will default to \"agent.\" If K3S_URL not set, it will default to \"server.\" For help, refer to this example. INSTALL_K3S_NAME Name of systemd service to create, will default to 'k3s' if running k3s as a server and 'k3s-agent' if running k3s as an agent. If specified the name will be prefixed with 'k3s-'. INSTALL_K3S_TYPE Type of systemd service to create, will default from the K3s exec command if not specified. INSTALL_K3S_SELINUX_WARN If set to true will continue if k3s-selinux policy is not found. INSTALL_K3S_SKIP_SELINUX_RPM If set to true will skip automatic installation of the k3s RPM. INSTALL_K3S_CHANNEL_URL Channel URL for fetching K3s download URL. Defaults to https://update.k3s.io/v1-release/channels. INSTALL_K3S_CHANNEL Channel to use for fetching K3s download URL. Defaults to \"stable\". Options include: stable, latest, testing. This example shows where to place aforementioned environment variables as options (after the pipe): curl -sfL https://get.k3s.io | INSTALL_K3S_CHANNEL=latest sh - Environment variables which begin with K3S_ will be preserved for the systemd and openrc services to use. Setting K3S_URL without explicitly setting an exec command will default the command to \"agent\". When running the agent, K3S_TOKEN must also be set.","s":"Environment Variables","u":"/kr/reference/env-variables","h":"","p":2917},{"i":2920,"t":"K3s is a fast-moving project, and as such, we need a way to deprecate flags and configuration options. This page outlines the process for deprecating flags and configuration options. In order to ensure that users are not surprised by the removal of flags, the process is similar to the Kubernetes Deprecation Policy.","s":"Flag Deprecation","u":"/kr/reference/flag-deprecation","h":"","p":2919},{"i":2922,"t":"Flags can be declared as \"To Be Deprecated\" at any time. Flags that are \"To Be Deprecated\" must be labeled as such on the next patch of all currently supported releases. Additionally, the flag will begin to warn users that it is going to be deprecated in the next minor release. On the next minor release, a flag will be marked as deprecated in the documentation and converted to a hidden flag in code. The flag will continue to operate and give warnings to users. In the following minor release branch, deprecated flags will become \"nonoperational\", causing a fatal error if used. This error must explain to the user any new flags or configuration that replace this flag. In the next minor release, the nonoperational flags will be removed from documentation and code.","s":"Process","u":"/kr/reference/flag-deprecation","h":"#process","p":2919},{"i":2924,"t":"An example of the process: --foo exists in v1.22.14, v1.23.10, and v1.24.2. After the v1.24.2 release, it is decided to deprecate --foo in favor of --new-foo. In v1.22.15, v1.23.11, and v1.24.3, --foo continues to exist, but will warn users: [Warning] --foo will be deprecated in v1.25.0, use `--new-foo` instead --foo will continue to exist as an operational flag for the life of v1.22, v1.23 and v1.24. In v1.25.0, --foo is marked as deprecated in documentation and will be hidden in code. It will continue to work and warn users to move to --new-foo. In v1.26.0, --foo will cause a fatal error if used. The error message will say: [Fatal] exit 1: --foo is no longer supported, use --new-foo instead In v1.27.0, --foo will be removed completely from all code and documentation.","s":"Example","u":"/kr/reference/flag-deprecation","h":"#example","p":2919},{"i":2926,"t":"This section captures the results of tests to determine minimum resource requirements for K3s. The results are summarized as follows: Components Processor Min CPU Min RAM with Kine/SQLite Min RAM with Embedded etcd K3s server with a workload Intel(R) Xeon(R) Platinum 8124M CPU, 3.00 GHz 10% of a core 768 M 896 M K3s cluster with a single agent Intel(R) Xeon(R) Platinum 8124M CPU, 3.00 GHz 10% of a core 512 M 768 M K3s agent Intel(R) Xeon(R) Platinum 8124M CPU, 3.00 GHz 5% of a core 256 M 256 M K3s server with a workload Pi4B BCM2711, 1.50 GHz 20% of a core 768 M 896 M K3s cluster with a single agent Pi4B BCM2711, 1.50 GHz 20% of a core 512 M 768 M K3s agent Pi4B BCM2711, 1.50 GHz 10% of a core 256 M 256 M Scope of Resource Testing Components Included for Baseline Measurements Methodology Environment Baseline Resource Requirements K3s Server with a Workload K3s Cluster with a Single Agent K3s Agent Analysis Primary Resource Utilization Drivers Preventing Agents and Workloads from Interfering with the Cluster Datastore","s":"Resource Profiling","u":"/kr/reference/resource-profiling","h":"","p":2925},{"i":2928,"t":"The resource tests were intended to address the following problem statements: On a single-node cluster, determine the legitimate minimum amount of CPU, memory, and IOPs that should be set aside to run the entire K3s stack server stack, assuming that a real workload will be deployed on the cluster. On an agent (worker) node, determine the legitimate minimum amount of CPU, memory, and IOPs that should be set aside for the Kubernetes and K3s control plane components (the kubelet and k3s agent).","s":"Scope of Resource Testing","u":"/kr/reference/resource-profiling","h":"#scope-of-resource-testing","p":2925},{"i":2930,"t":"The tested components are: K3s 1.19.2 with all packaged components enabled Prometheus + Grafana monitoring stack Kubernetes Example PHP Guestbook app These are baseline figures for a stable system using only K3s packaged components (Traefik Ingress, Klipper lb, local-path storage) running a standard monitoring stack (Prometheus and Grafana) and the Guestbook example app. Resource figures including IOPS are for the Kubernetes datastore and control plane only, and do not include overhead for system-level management agents or logging, container image management, or any workload-specific requirements.","s":"Components Included for Baseline Measurements","u":"/kr/reference/resource-profiling","h":"#components-included-for-baseline-measurements","p":2925},{"i":2932,"t":"A standalone instance of Prometheus v2.21.0 was used to collect host CPU, memory, and disk IO statistics using prometheus-node-exporter installed via apt. systemd-cgtop was used to spot-check systemd cgroup-level CPU and memory utilization. system.slice/k3s.service tracks resource utilization for both K3s and containerd, while individual pods are under the kubepods hierarchy. Additional detailed K3s memory utilization data was collected from the process_resident_memory_bytes and go_memstats_alloc_bytes metrics using the kubelet exporter integrated into the server and agent processes. Utilization figures were based on 95th percentile readings from steady state operation on nodes running the described workloads.","s":"Methodology","u":"/kr/reference/resource-profiling","h":"#methodology","p":2925},{"i":2934,"t":"OS: Ubuntu 20.04 x86_64, aarch64 Hardware: AWS c5d.xlarge - 4 core, 8 GB RAM, NVME SSD Raspberry Pi 4 Model B - 4 core, 8 GB RAM, Class 10 SDHC","s":"Environment","u":"/kr/reference/resource-profiling","h":"#environment","p":2925},{"i":2936,"t":"This section captures the results of tests to determine minimum resource requirements for the K3s agent, the K3s server with a workload, and the K3s server with one agent.","s":"Baseline Resource Requirements","u":"/kr/reference/resource-profiling","h":"#baseline-resource-requirements","p":2925},{"i":2938,"t":"These are the requirements for a single-node cluster in which the K3s server shares resources with a workload. The CPU requirements are: Resource Requirement Tested Processor 10% of a core Intel(R) Xeon(R) Platinum 8124M CPU, 3.00 GHz 20% of a core Low-power processor such as Pi4B BCM2711, 1.50 GHz The IOPS and memory requirements are: Tested Datastore IOPS KiB/sec Latency RAM Kine/SQLite 10 500 < 10 ms 768 M Embedded etcd 50 250 < 5 ms 896 M","s":"K3s Server with a Workload","u":"/kr/reference/resource-profiling","h":"#k3s-server-with-a-workload","p":2925},{"i":2940,"t":"These are the baseline requirements for a K3s cluster with a K3s server node and a K3s agent, but no workload. The CPU requirements are: Resource Requirement Tested Processor 10% of a core Intel(R) Xeon(R) Platinum 8124M CPU, 3.00 GHz 20% of a core Pi4B BCM2711, 1.50 GHz The IOPS and memory requirements are: Datastore IOPS KiB/sec Latency RAM Kine/SQLite 10 500 < 10 ms 512 M Embedded etcd 50 250 < 5 ms 768 M","s":"K3s Cluster with a Single Agent","u":"/kr/reference/resource-profiling","h":"#k3s-cluster-with-a-single-agent","p":2925},{"i":2942,"t":"The CPU requirements are: Resource Requirement Tested Processor 5% of a core Intel(R) Xeon(R) Platinum 8124M CPU, 3.00 GHz 10% of a core Pi4B BCM2711, 1.50 GHz 256 M of RAM is required.","s":"K3s Agent","u":"/kr/reference/resource-profiling","h":"#k3s-agent","p":2925},{"i":2944,"t":"This section captures what has the biggest impact on K3s server and agent utilization, and how the cluster datastore can be protected from interference from agents and workloads.","s":"Analysis","u":"/kr/reference/resource-profiling","h":"#analysis","p":2925},{"i":2946,"t":"K3s server utilization figures are primarily driven by support of the Kubernetes datastore (kine or etcd), API Server, Controller-Manager, and Scheduler control loops, as well as any management tasks necessary to effect changes to the state of the system. Operations that place additional load on the Kubernetes control plane, such as creating/modifying/deleting resources, will cause temporary spikes in utilization. Using operators or apps that make extensive use of the Kubernetes datastore (such as Rancher or other Operator-type applications) will increase the server's resource requirements. Scaling up the cluster by adding additional nodes or creating many cluster resources will increase the server's resource requirements. K3s agent utilization figures are primarily driven by support of container lifecycle management control loops. Operations that involve managing images, provisioning storage, or creating/destroying containers will cause temporary spikes in utilization. Image pulls in particular are typically highly CPU and IO bound, as they involve decompressing image content to disk. If possible, workload storage (pod ephemeral storage and volumes) should be isolated from the agent components (/var/lib/rancher/k3s/agent) to ensure that there are no resource conflicts.","s":"Primary Resource Utilization Drivers","u":"/kr/reference/resource-profiling","h":"#primary-resource-utilization-drivers","p":2925},{"i":2948,"t":"When running in an environment where the server is also hosting workload pods, care should be taken to ensure that agent and workload IOPS do not interfere with the datastore. This can be best accomplished by placing the server components (/var/lib/rancher/k3s/server) on a different storage medium than the agent components (/var/lib/rancher/k3s/agent), which include the containerd image store. Workload storage (pod ephemeral storage and volumes) should also be isolated from the datastore. Failure to meet datastore throughput and latency requirements may result in delayed response from the control plane and/or failure of the control plane to maintain system state.","s":"Preventing Agents and Workloads from Interfering with the Cluster Datastore","u":"/kr/reference/resource-profiling","h":"#preventing-agents-and-workloads-from-interfering-with-the-cluster-datastore","p":2925},{"i":2950,"t":"Projects implementing the K3s distribution are welcome additions to help expand the community. This page will introduce you to a range of projects that are related to K3s and can help you further explore its capabilities and potential applications. These projects showcase the versatility and adaptability of K3s in various environments, as well as extensions of K3s. They are all useful in creating large scale High Availability (HA) Kubernetes clusters.","s":"Related Projects","u":"/kr/related-projects","h":"","p":2949},{"i":2952,"t":"For users seeking to bootstrap a multi-node K3s cluster and familiar with ansible, take a look at k3s-io/k3s-ansible repository. This set of ansible playbooks provides a convenient way to install K3s on your nodes, allowing you to focus on the configuration of your cluster rather than the installation process.","s":"k3s-ansible","u":"/kr/related-projects","h":"#k3s-ansible","p":2949},{"i":2954,"t":"Another project that simplifies the process of setting up a K3s cluster is k3sup. This project,written in golang, only requires ssh access to your nodes. It also provides a convenient way to deploy K3s with external datastores, not just the embedded etcd.","s":"k3sup","u":"/kr/related-projects","h":"#k3sup","p":2949},{"i":2956,"t":"Another provisioning tool, autok3s, provides a GUI for provising k3s cluster across a range of cloud providers, VMs, and local machines. This tool is useful for users who prefer a graphical interface for provising K3s clusters.","s":"autok3s","u":"/kr/related-projects","h":"#autok3s","p":2949},{"i":2958,"t":"이 섹션에서는 K3s 클러스터를 보호하는 방법론과 수단에 대해 설명합니다. 두 섹션으로 나뉘어져 있습니다. 이 가이드는 K3s가 임베디드 etcd로 실행되고 있다고 가정합니다. 아래 문서는 CIS 쿠버네티스 벤치마크 v1.23에 적용됩니다. 강화 가이드 CIS 벤치마크 자체 평가 가이드","s":"보안","u":"/kr/security","h":"","p":2957},{"i":2960,"t":"K3s supports enabling secrets encryption at rest. When first starting the server, passing the flag --secrets-encryption will do the following automatically: Generate an AES-CBC key Generate an encryption config file with the generated key Pass the config to the KubeAPI as encryption-provider-config 팁 Secrets-encryption cannot be enabled on an existing server without restarting it. Use curl -sfL https://get.k3s.io | sh -s - server --secrets-encryption if installing from script, or other methods described in Configuration Options. Example of the encryption config file: { \"kind\": \"EncryptionConfiguration\", \"apiVersion\": \"apiserver.config.k8s.io/v1\", \"resources\": [ { \"resources\": [ \"secrets\" ], \"providers\": [ { \"aescbc\": { \"keys\": [ { \"name\": \"aescbckey\", \"secret\": \"xxxxxxxxxxxxxxxxxxx\" } ] } }, { \"identity\": {} } ] } ] }","s":"Secrets Encryption Config","u":"/kr/security/secrets-encryption","h":"","p":2959},{"i":2962,"t":"K3s contains a utility tool secrets-encrypt, which enables automatic control over the following: Disabling/Enabling secrets encryption Adding new encryption keys Rotating and deleting encryption keys Reencrypting secrets For more information, see the k3s secrets-encrypt command documentation.","s":"Secrets Encryption Tool","u":"/kr/security/secrets-encryption","h":"#secrets-encryption-tool","p":2959},{"i":2964,"t":"이 페이지는 번역되지 않았습니다","s":"self-assessment-1.7","u":"/kr/security/self-assessment-1.7","h":"","p":2963},{"i":2966,"t":"이 페이지는 번역되지 않았습니다","s":"self-assessment-1.8","u":"/kr/security/self-assessment-1.8","h":"","p":2965},{"i":2969,"t":"수동 업그레이드에서는 클러스터를 수동으로 업그레이드하는 몇 가지 기술을 설명합니다. 또한 Terraform과 같은 타사 코드형 인프라 도구(Infrastructure-as-Code)를 통한 업그레이드의 기초로 사용할 수도 있습니다. 자동 업그레이드는 Rancher의 시스템-업그레이드-컨트롤러(system-upgrade-controller)를 사용하여 쿠버네티스 네이티브 자동 업그레이드를 수행하는 방법을 설명합니다.","s":"K3s 클러스터 업그레이드하기","u":"/kr/upgrades","h":"#k3s-클러스터-업그레이드하기","p":2967},{"i":2971,"t":"Traefik: Traefik이 비활성화되지 않은 경우, K3s 버전 1.20 이하에서는 Traefik v1이 설치되고, K3s 버전 1.21 이상에서는 v1이 없는 경우 Traefik v2가 설치됩니다. 구형 Traefik v1에서 Traefik v2로 업그레이드하려면 Traefik 문서를 참조하시고 마이그레이션 도구를 사용하세요. K3s 부트스트랩 데이터: 외부 SQL 데이터스토어가 있는 HA 구성에서 K3s를 사용 중이고 서버(컨트롤 플레인) 노드가 --token CLI 플래그로 시작되지 않은 경우, 토큰을 지정하지 않고는 더 이상 클러스터에 K3s 서버를 추가할 수 없게 됩니다. 백업에서 복원할 때 필요하므로 이 토큰의 사본을 보관해야 합니다. 이전에는 K3s에서 외부 SQL 데이터스토어를 사용할 때 토큰을 사용하도록 강제하지 않았습니다. 영향을 받는 버전은 <= v1.19.12+k3s1, v1.20.8+k3s1, v1.21.2+k3s1; 이며, 패치된 버전은 v1.19.13+k3s1, v1.20.9+k3s1, v1.21.3+k3s1 입니다. 다음과 같이 클러스터에 이미 가입된 서버에서 토큰 값을 찾을 수 있습니다: cat /var/lib/rancher/k3s/server/token 실험용 Dqlite: 실험용 내장 Dqlite 데이터 저장소는 K3s v1.19.1에서 더 이상 사용되지 않습니다. 실험용 Dqlite에서 실험용 내장 etcd 업그레이드는 지원되지 않는다는 점에 유의하세요. 업그레이드를 시도하면 성공하지 못하고 데이터가 손실됩니다.","s":"버전별 주의사항","u":"/kr/upgrades","h":"#버전별-주의사항","p":2967},{"i":2973,"t":"데이터를 유지해야 하는 애플리케이션을 배포할 때는 퍼시스턴트 스토리지를 만들어야 합니다. 퍼시스턴트 스토리지를 사용하면 애플리케이션을 실행하는 파드 외부에 애플리케이션 데이터를 저장할 수 있습니다. 이 스토리지 방식을 사용하면 애플리케이션의 파드에 장애가 발생하더라도 애플리케이션 데이터를 유지할 수 있습니다. 퍼시스턴트 볼륨(PV: persistent volume)은 쿠버네티스 클러스터의 스토리지 조각이며, 퍼시스턴트 볼륨 클레임(PVC: persistent volume claim)은 스토리지에 대한 요청입니다. PV와 PVC의 작동 방식에 대한 자세한 내용은 스토리지 공식 쿠버네티스 문서를 참조하세요. 이 페이지는 로컬 스토리지 제공자 또는 [롱혼(#setting-up-longhorn)]을 사용하여 퍼시스턴트 스토리지를 설정하는 방법을 설명합니다.","s":"볼륨과 저장소","u":"/kr/storage","h":"","p":2972},{"i":2975,"t":"K3s는 몇 가지 선택적 볼륨 플러그인과 모든 내장(\"in-tree\"라고도 함) 클라우드 제공업체를 제거합니다. 이는 더 작은 바이너리 크기를 달성하고 많은 K3s 사용 사례에서 사용할 수 없는 타사 클라우드 또는 데이터센터 기술 및 서비스에 대한 의존을 피하기 위한 것입니다. 이러한 플러그인을 제거해도 핵심 Kubernetes 기능이나 적합성에는 영향을 미치지 않기 때문에 이렇게 할 수 있습니다. 다음 볼륨 플러그인은 K3s에서 제거되었습니다: cephfs fc flocker git_repo glusterfs portworx quobyte rbd storageos K3s와 함께 사용할 수 있는 트리 외 대안인 두 구성 요소가 있습니다: 쿠버네티스 컨테이너 스토리지 인터페이스(CSI) 및 클라우드 프로바이더 인터페이스(CPI)입니다. 쿠버네티스 유지 관리자는 인-트리 볼륨 플러그인을 CSI 드라이버로 적극적으로 마이그레이션하고 있습니다. 이 마이그레이션에 대한 자세한 내용은 여기를 참고하세요.","s":"K3s 스토리지의 차이점은 무엇인가요?","u":"/kr/storage","h":"#k3s-스토리지의-차이점은-무엇인가요","p":2972},{"i":2977,"t":"K3s는 랜처의 로컬 경로 프로비저너와 함께 제공되며, 이를 통해 각 노드의 로컬 스토리지를 사용하여 영구 볼륨 클레임(persistent volume claims)을 즉시 생성할 수 있습니다. 아래에서는 간단한 예제를 다루겠습니다. 자세한 내용은 공식 문서 여기를 참조하세요. 호스트 경로 지원 퍼시스턴트 볼륨 클레임과 이를 활용할 파드를 생성합니다:","s":"로컬 스토리지 공급자 설정하기","u":"/kr/storage","h":"#로컬-스토리지-공급자-설정하기","p":2972},{"i":2979,"t":"apiVersion: v1 kind: PersistentVolumeClaim metadata: name: local-path-pvc namespace: default spec: accessModes: - ReadWriteOnce storageClassName: local-path resources: requests: storage: 2Gi","s":"pvc.yaml","u":"/kr/storage","h":"#pvcyaml","p":2972},{"i":2981,"t":"apiVersion: v1 kind: Pod metadata: name: volume-test namespace: default spec: containers: - name: volume-test image: nginx:stable-alpine imagePullPolicy: IfNotPresent volumeMounts: - name: volv mountPath: /data ports: - containerPort: 80 volumes: - name: volv persistentVolumeClaim: claimName: local-path-pvc yaml을 적용합니다: kubectl create -f pvc.yaml kubectl create -f pod.yaml PV 및 PVC가 생성되었는지 확인합니다: kubectl get pv kubectl get pvc 상태는 각각 Bound여야 합니다.","s":"pod.yaml","u":"/kr/storage","h":"#podyaml","p":2972},{"i":2983,"t":"warning Longhorn은 ARM32를 지원하지 않습니다. K3s는 쿠버네티스용 오픈소스 분산형 블록 스토리지 시스템인 Longhorn을 지원합니다. 아래는 간단한 예제입니다. 자세한 내용은 공식 문서를 참고하시기 바랍니다. longhorn.yaml을 적용하여 Longhorn을 설치합니다: kubectl apply -f https://raw.githubusercontent.com/longhorn/longhorn/v1.5.1/deploy/longhorn.yaml Longhorn은 네임스페이스 longhorn-system에 설치됩니다. yaml을 적용하여 PVC와 파드를 생성합니다: kubectl create -f pvc.yaml kubectl create -f pod.yaml","s":"Longhorn 구성하기","u":"/kr/storage","h":"#longhorn-구성하기","p":2972},{"i":2985,"t":"apiVersion: v1 kind: PersistentVolumeClaim metadata: name: longhorn-volv-pvc spec: accessModes: - ReadWriteOnce storageClassName: longhorn resources: requests: storage: 2Gi","s":"pvc.yaml","u":"/kr/storage","h":"#pvcyaml-1","p":2972},{"i":2987,"t":"apiVersion: v1 kind: Pod metadata: name: volume-test namespace: default spec: containers: - name: volume-test image: nginx:stable-alpine imagePullPolicy: IfNotPresent volumeMounts: - name: volv mountPath: /data ports: - containerPort: 80 volumes: - name: volv persistentVolumeClaim: claimName: longhorn-volv-pvc PV 및 PVC가 생성되었는지 확인합니다: kubectl get pv kubectl get pvc 상태는 각각 Bound여야 합니다.","s":"pod.yaml","u":"/kr/storage","h":"#podyaml-1","p":2972},{"i":2990,"t":"You can manage K3s cluster upgrades using Rancher's system-upgrade-controller. This is a Kubernetes-native approach to cluster upgrades. It leverages a custom resource definition (CRD), a plan, and a controller. The plan defines upgrade policies and requirements. It also defines which nodes should be upgraded through a label selector. See below for plans with defaults appropriate for upgrading a K3s cluster. For more advanced plan configuration options, please review the CRD. The controller schedules upgrades by monitoring plans and selecting nodes to run upgrade jobs on. When a job has run to completion successfully, the controller will label the node on which it ran accordingly. 비고 The upgrade job that is launched must be highly privileged. It is configured with the following: Host IPC, NET, and PID namespaces The CAP_SYS_BOOT capability Host root mounted at /host with read and write permissions To automate upgrades in this manner, you must do the following: Install the system-upgrade-controller into your cluster Configure plans warning If the K3s cluster is managed by Rancher, you should use the Rancher UI to manage upgrades. If the K3s cluster was imported into Rancher, Rancher will manage the system-upgrade-controller deployment and plans. Do not follow the steps on this page. If the K3s cluster was provisioned by Rancher, Rancher will use system agent to manage version upgrades. Do not follow the steps on this page. If the K3s cluster is not managed Rancher, you may follow the steps below. For more details on the design and architecture of the system-upgrade-controller or its integration with K3s, see the following Git repositories: system-upgrade-controller k3s-upgrade 팁 When attempting to upgrade to a new version of K3s, the Kubernetes version skew policy applies. Ensure that your plan does not skip intermediate minor versions when upgrading. The system-upgrade-controller itself will not protect against unsupported changes to the Kubernetes version.","s":"Overview","u":"/kr/upgrades/automated","h":"#overview","p":2988},{"i":2992,"t":"The system-upgrade-controller can be installed as a deployment into your cluster. The deployment requires a service-account, clusterRoleBinding, and a configmap. To install these components, run the following command: kubectl apply -f https://github.com/rancher/system-upgrade-controller/releases/latest/download/system-upgrade-controller.yaml The controller can be configured and customized via the previously mentioned configmap, but the controller must be redeployed for the changes to be applied.","s":"Install the system-upgrade-controller","u":"/kr/upgrades/automated","h":"#install-the-system-upgrade-controller","p":2988},{"i":2994,"t":"It is recommended you create at least two plans: a plan for upgrading server (control-plane) nodes and a plan for upgrading agent nodes. You can create additional plans as needed to control the rollout of the upgrade across nodes. Once the plans are created, the controller will pick them up and begin to upgrade your cluster. The following two example plans will upgrade your cluster to K3s v1.24.6+k3s1: # Server plan apiVersion: upgrade.cattle.io/v1 kind: Plan metadata: name: server-plan namespace: system-upgrade spec: concurrency: 1 cordon: true nodeSelector: matchExpressions: - key: node-role.kubernetes.io/control-plane operator: In values: - \"true\" serviceAccountName: system-upgrade upgrade: image: rancher/k3s-upgrade version: v1.24.6+k3s1 --- # Agent plan apiVersion: upgrade.cattle.io/v1 kind: Plan metadata: name: agent-plan namespace: system-upgrade spec: concurrency: 1 cordon: true nodeSelector: matchExpressions: - key: node-role.kubernetes.io/control-plane operator: DoesNotExist prepare: args: - prepare - server-plan image: rancher/k3s-upgrade serviceAccountName: system-upgrade upgrade: image: rancher/k3s-upgrade version: v1.24.6+k3s1 There are a few important things to call out regarding these plans: The plans must be created in the same namespace where the controller was deployed. The concurrency field indicates how many nodes can be upgraded at the same time. The server-plan targets server nodes by specifying a label selector that selects nodes with the node-role.kubernetes.io/control-plane label. The agent-plan targets agent nodes by specifying a label selector that select nodes without that label. The prepare step in the agent-plan will cause upgrade jobs for that plan to wait for the server-plan to complete before they execute. Both plans have the version field set to v1.24.6+k3s1. Alternatively, you can omit the version field and set the channel field to a URL that resolves to a release of K3s. This will cause the controller to monitor that URL and upgrade the cluster any time it resolves to a new release. This works well with the release channels. Thus, you can configure your plans with the following channel to ensure your cluster is always automatically upgraded to the newest stable release of K3s: apiVersion: upgrade.cattle.io/v1 kind: Plan ... spec: ... channel: https://update.k3s.io/v1-release/channels/stable As stated, the upgrade will begin as soon as the controller detects that a plan was created. Updating a plan will cause the controller to re-evaluate the plan and determine if another upgrade is needed. You can monitor the progress of an upgrade by viewing the plan and jobs via kubectl: kubectl -n system-upgrade get plans -o yaml kubectl -n system-upgrade get jobs -o yaml","s":"Configure plans","u":"/kr/upgrades/automated","h":"#configure-plans","p":2988},{"i":2996,"t":"To allow high availability during upgrades, the K3s containers continue running when the K3s service is stopped. To stop all of the K3s containers and reset the containerd state, the k3s-killall.sh script can be used. The killall script cleans up containers, K3s directories, and networking components while also removing the iptables chain with all the associated rules. The cluster data will not be deleted. To run the killall script from a server node, run: /usr/local/bin/k3s-killall.sh","s":"Stopping K3s","u":"/kr/upgrades/killall","h":"","p":2995},{"i":2998,"t":"This document provides prescriptive guidance for hardening a production installation of K3s. It outlines the configurations and controls required to address Kubernetes benchmark controls from the Center for Internet Security (CIS). K3s has a number of security mitigations applied and turned on by default and will pass a number of the Kubernetes CIS controls without modification. There are some notable exceptions to this that require manual intervention to fully comply with the CIS Benchmark: K3s will not modify the host operating system. Any host-level modifications will need to be done manually. Certain CIS policy controls for NetworkPolicies and PodSecurityStandards (PodSecurityPolicies on v1.24 and older) will restrict the functionality of the cluster. You must opt into having K3s configure these by adding the appropriate options (enabling of admission plugins) to your command-line flags or configuration file as well as manually applying appropriate policies. Further details are presented in the sections below. The first section (1.1) of the CIS Benchmark concerns itself primarily with pod manifest permissions and ownership. K3s doesn't utilize these for the core components since everything is packaged into a single binary.","s":"CIS Hardening Guide","u":"/kr/security/hardening-guide","h":"","p":2997},{"i":3000,"t":"There are two areas of host-level requirements: kernel parameters and etcd process/directory configuration. These are outlined in this section.","s":"Host-level Requirements","u":"/kr/security/hardening-guide","h":"#host-level-requirements","p":2997},{"i":3002,"t":"This is a kubelet flag that will cause the kubelet to exit if the required kernel parameters are unset or are set to values that are different from the kubelet's defaults. Note: protect-kernel-defaults is exposed as a top-level flag for K3s. Set kernel parameters​ Create a file called /etc/sysctl.d/90-kubelet.conf and add the snippet below. Then run sysctl -p /etc/sysctl.d/90-kubelet.conf. vm.panic_on_oom=0 vm.overcommit_memory=1 kernel.panic=10 kernel.panic_on_oops=1 kernel.keys.root_maxbytes=25000000","s":"Ensure protect-kernel-defaults is set","u":"/kr/security/hardening-guide","h":"#ensure-protect-kernel-defaults-is-set","p":2997},{"i":3004,"t":"The runtime requirements to comply with the CIS Benchmark are centered around pod security (via PSP or PSA), network policies and API Server auditing logs. These are outlined in this section. By default, K3s does not include any pod security or network policies. However, K3s ships with a controller that will enforce network policies, if any are created. K3s doesn't enable auditing by default, so audit log configuration and audit policy must be created manually. By default, K3s runs with the both the PodSecurity and NodeRestriction admission controllers enabled, among others.","s":"Kubernetes Runtime Requirements","u":"/kr/security/hardening-guide","h":"#kubernetes-runtime-requirements","p":2997},{"i":3006,"t":"v1.25 and Newer v1.24 and Older K3s v1.25 and newer support Pod Security Admissions (PSAs) for controlling pod security. PSAs are enabled by passing the following flag to the K3s server: --kube-apiserver-arg=\"admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml\" The policy should be written to a file named psa.yaml in /var/lib/rancher/k3s/server directory. Here is an example of a compliant PSA: apiVersion: apiserver.config.k8s.io/v1 kind: AdmissionConfiguration plugins: - name: PodSecurity configuration: apiVersion: pod-security.admission.config.k8s.io/v1beta1 kind: PodSecurityConfiguration defaults: enforce: \"restricted\" enforce-version: \"latest\" audit: \"restricted\" audit-version: \"latest\" warn: \"restricted\" warn-version: \"latest\" exemptions: usernames: [] runtimeClasses: [] namespaces: [kube-system, cis-operator-system] K3s v1.24 and older support Pod Security Policies (PSPs) for controlling pod security. PSPs are enabled by passing the following flag to the K3s server: --kube-apiserver-arg=\"enable-admission-plugins=NodeRestriction,PodSecurityPolicy\" This will have the effect of maintaining the NodeRestriction plugin as well as enabling the PodSecurityPolicy. When PSPs are enabled, a policy can be applied to satisfy the necessary controls described in section 5.2 of the CIS Benchmark. Here is an example of a compliant PSP: apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: restricted-psp spec: privileged: false # CIS - 5.2.1 allowPrivilegeEscalation: false # CIS - 5.2.5 requiredDropCapabilities: # CIS - 5.2.7/8/9 - ALL volumes: - 'configMap' - 'emptyDir' - 'projected' - 'secret' - 'downwardAPI' - 'csi' - 'persistentVolumeClaim' - 'ephemeral' hostNetwork: false # CIS - 5.2.4 hostIPC: false # CIS - 5.2.3 hostPID: false # CIS - 5.2.2 runAsUser: rule: 'MustRunAsNonRoot' # CIS - 5.2.6 seLinux: rule: 'RunAsAny' supplementalGroups: rule: 'MustRunAs' ranges: - min: 1 max: 65535 fsGroup: rule: 'MustRunAs' ranges: - min: 1 max: 65535 readOnlyRootFilesystem: false For the above PSP to be effective, we need to create a ClusterRole and a ClusterRoleBinding. We also need to include a \"system unrestricted policy\" which is needed for system-level pods that require additional privileges, and an additional policy that allows sysctls necessary for servicelb to function properly. Combining the configuration above with the Network Policy described in the next section, a single file can be placed in the /var/lib/rancher/k3s/server/manifests directory. Here is an example of a policy.yaml file: apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: restricted-psp spec: privileged: false allowPrivilegeEscalation: false requiredDropCapabilities: - ALL volumes: - 'configMap' - 'emptyDir' - 'projected' - 'secret' - 'downwardAPI' - 'csi' - 'persistentVolumeClaim' - 'ephemeral' hostNetwork: false hostIPC: false hostPID: false runAsUser: rule: 'MustRunAsNonRoot' seLinux: rule: 'RunAsAny' supplementalGroups: rule: 'MustRunAs' ranges: - min: 1 max: 65535 fsGroup: rule: 'MustRunAs' ranges: - min: 1 max: 65535 readOnlyRootFilesystem: false --- apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: system-unrestricted-psp annotations: seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' spec: allowPrivilegeEscalation: true allowedCapabilities: - '*' fsGroup: rule: RunAsAny hostIPC: true hostNetwork: true hostPID: true hostPorts: - max: 65535 min: 0 privileged: true runAsUser: rule: RunAsAny seLinux: rule: RunAsAny supplementalGroups: rule: RunAsAny volumes: - '*' --- apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: svclb-psp annotations: seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' spec: allowPrivilegeEscalation: false allowedCapabilities: - NET_ADMIN allowedUnsafeSysctls: - net.ipv4.ip_forward - net.ipv6.conf.all.forwarding fsGroup: rule: RunAsAny hostPorts: - max: 65535 min: 0 runAsUser: rule: RunAsAny seLinux: rule: RunAsAny supplementalGroups: rule: RunAsAny --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: psp:restricted-psp rules: - apiGroups: - policy resources: - podsecuritypolicies verbs: - use resourceNames: - restricted-psp --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: psp:system-unrestricted-psp rules: - apiGroups: - policy resources: - podsecuritypolicies resourceNames: - system-unrestricted-psp verbs: - use --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: psp:svclb-psp rules: - apiGroups: - policy resources: - podsecuritypolicies resourceNames: - svclb-psp verbs: - use --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: default:restricted-psp roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: psp:restricted-psp subjects: - kind: Group name: system:authenticated apiGroup: rbac.authorization.k8s.io --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: system-unrestricted-node-psp-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: psp:system-unrestricted-psp subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:nodes --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: system-unrestricted-svc-acct-psp-rolebinding namespace: kube-system roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: psp:system-unrestricted-psp subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:serviceaccounts --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: svclb-psp-rolebinding namespace: kube-system roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: psp:svclb-psp subjects: - kind: ServiceAccount name: svclb --- kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata: name: intra-namespace namespace: kube-system spec: podSelector: {} ingress: - from: - namespaceSelector: matchLabels: name: kube-system --- kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata: name: intra-namespace namespace: default spec: podSelector: {} ingress: - from: - namespaceSelector: matchLabels: name: default --- kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata: name: intra-namespace namespace: kube-public spec: podSelector: {} ingress: - from: - namespaceSelector: matchLabels: name: kube-public Note: The Kubernetes critical additions such as CNI, DNS, and Ingress are run as pods in the kube-system namespace. Therefore, this namespace will have a policy that is less restrictive so that these components can run properly.","s":"Pod Security","u":"/kr/security/hardening-guide","h":"#pod-security","p":2997},{"i":3008,"t":"CIS requires that all namespaces have a network policy applied that reasonably limits traffic into namespaces and pods. Network policies should be placed the /var/lib/rancher/k3s/server/manifests directory, where they will automatically be deployed on startup. Here is an example of a compliant network policy. kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata: name: intra-namespace namespace: kube-system spec: podSelector: {} ingress: - from: - namespaceSelector: matchLabels: name: kube-system With the applied restrictions, DNS will be blocked unless purposely allowed. Below is a network policy that will allow for traffic to exist for DNS. apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-network-dns-policy namespace: spec: ingress: - ports: - port: 53 protocol: TCP - port: 53 protocol: UDP podSelector: matchLabels: k8s-app: kube-dns policyTypes: - Ingress The metrics-server and Traefik ingress controller will be blocked by default if network policies are not created to allow access. Traefik v1 as packaged in K3s version 1.20 and below uses different labels than Traefik v2. Ensure that you only use the sample yaml below that is associated with the version of Traefik present on your cluster. v1.21 and Newer v1.20 and Older apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-all-metrics-server namespace: kube-system spec: podSelector: matchLabels: k8s-app: metrics-server ingress: - {} policyTypes: - Ingress --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-all-svclbtraefik-ingress namespace: kube-system spec: podSelector: matchLabels: svccontroller.k3s.cattle.io/svcname: traefik ingress: - {} policyTypes: - Ingress --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-all-traefik-v121-ingress namespace: kube-system spec: podSelector: matchLabels: app.kubernetes.io/name: traefik ingress: - {} policyTypes: - Ingress --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-all-metrics-server namespace: kube-system spec: podSelector: matchLabels: k8s-app: metrics-server ingress: - {} policyTypes: - Ingress --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-all-svclbtraefik-ingress namespace: kube-system spec: podSelector: matchLabels: svccontroller.k3s.cattle.io/svcname: traefik ingress: - {} policyTypes: - Ingress --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-all-traefik-v120-ingress namespace: kube-system spec: podSelector: matchLabels: app: traefik ingress: - {} policyTypes: - Ingress --- 정보 Operators must manage network policies as normal for additional namespaces that are created.","s":"NetworkPolicies","u":"/kr/security/hardening-guide","h":"#networkpolicies","p":2997},{"i":3010,"t":"CIS requirements 1.2.22 to 1.2.25 are related to configuring audit logs for the API Server. K3s doesn't create by default the log directory and audit policy, as auditing requirements are specific to each user's policies and environment. The log directory, ideally, must be created before starting K3s. A restrictive access permission is recommended to avoid leaking potential sensitive information. sudo mkdir -p -m 700 /var/lib/rancher/k3s/server/logs A starter audit policy to log request metadata is provided below. The policy should be written to a file named audit.yaml in /var/lib/rancher/k3s/server directory. Detailed information about policy configuration for the API server can be found in the Kubernetes documentation. apiVersion: audit.k8s.io/v1 kind: Policy rules: - level: Metadata Both configurations must be passed as arguments to the API Server as: --kube-apiserver-arg='audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log' --kube-apiserver-arg='audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml' If the configurations are created after K3s is installed, they must be added to K3s' systemd service in /etc/systemd/system/k3s.service. ExecStart=/usr/local/bin/k3s \\ server \\ '--kube-apiserver-arg=audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log' \\ '--kube-apiserver-arg=audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml' \\ K3s must be restarted to load the new configuration. sudo systemctl daemon-reload sudo systemctl restart k3s.service","s":"API Server audit configuration","u":"/kr/security/hardening-guide","h":"#api-server-audit-configuration","p":2997},{"i":3012,"t":"The configuration below should be placed in the configuration file, and contains all the necessary remediations to harden the Kubernetes components. v1.25 and Newer v1.24 and Older protect-kernel-defaults: true secrets-encryption: true kube-apiserver-arg: - 'admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml' - 'audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log' - 'audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml' - 'audit-log-maxage=30' - 'audit-log-maxbackup=10' - 'audit-log-maxsize=100' kube-controller-manager-arg: - 'terminated-pod-gc-threshold=10' - 'use-service-account-credentials=true' kubelet-arg: - 'streaming-connection-idle-timeout=5m' - 'make-iptables-util-chains=true' protect-kernel-defaults: true secrets-encryption: true kube-apiserver-arg: - 'enable-admission-plugins=NodeRestriction,PodSecurityPolicy,NamespaceLifecycle,ServiceAccount' - 'audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log' - 'audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml' - 'audit-log-maxage=30' - 'audit-log-maxbackup=10' - 'audit-log-maxsize=100' kube-controller-manager-arg: - 'terminated-pod-gc-threshold=10' - 'use-service-account-credentials=true' kubelet-arg: - 'streaming-connection-idle-timeout=5m' - 'make-iptables-util-chains=true'","s":"Configuration for Kubernetes Components","u":"/kr/security/hardening-guide","h":"#configuration-for-kubernetes-components","p":2997},{"i":3014,"t":"Listed below are the K3s control plane components and the arguments they are given at start, by default. Commented to their right is the CIS 1.6 control that they satisfy. kube-apiserver --advertise-port=6443 --allow-privileged=true --anonymous-auth=false # 1.2.1 --api-audiences=unknown --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt # 1.2.31 --enable-admission-plugins=NodeRestriction,PodSecurityPolicy # 1.2.17 --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt # 1.2.32 --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt # 1.2.29 --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key # 1.2.29 --etcd-servers=https://127.0.0.1:2379 --insecure-port=0 # 1.2.19 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --profiling=false # 1.2.21 --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 # 1.2.20 --service-account-issuer=k3s --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key # 1.2.28 --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt # 1.2.30 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key # 1.2.30 --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 kube-controller-manager --address=127.0.0.1 --allocate-node-cidrs=true --bind-address=127.0.0.1 # 1.3.7 --cluster-cidr=10.42.0.0/16 --cluster-signing-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --port=10252 --profiling=false # 1.3.2 --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt # 1.3.5 --secure-port=0 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.key # 1.3.4 --use-service-account-credentials=true # 1.3.3 kube-scheduler --address=127.0.0.1 --bind-address=127.0.0.1 # 1.4.2 --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --port=10251 --profiling=false # 1.4.1 --secure-port=0 kubelet --address=0.0.0.0 --anonymous-auth=false # 4.2.1 --authentication-token-webhook=true --authorization-mode=Webhook # 4.2.2 --cgroup-driver=cgroupfs --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt # 4.2.3 --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --cni-bin-dir=/var/lib/rancher/k3s/data/223e6420f8db0d8828a8f5ed3c44489bb8eb47aa71485404f8af8c462a29bea3/bin --cni-conf-dir=/var/lib/rancher/k3s/agent/etc/cni/net.d --container-runtime-endpoint=/run/k3s/containerd/containerd.sock --container-runtime=remote --containerd=/run/k3s/containerd/containerd.sock --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=hostname01 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --kubelet-cgroups=/systemd/system.slice --node-labels= --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true # 4.2.6 --read-only-port=0 # 4.2.4 --resolv-conf=/run/systemd/resolve/resolv.conf --runtime-cgroups=/systemd/system.slice --serialize-image-pulls=false --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt # 4.2.10 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key # 4.2.10 Additional information about CIS requirements 1.2.22 to 1.2.25 is presented below.","s":"Control Plane Execution and Arguments","u":"/kr/security/hardening-guide","h":"#control-plane-execution-and-arguments","p":2997},{"i":3016,"t":"The following are controls that K3s currently does not pass by default. Each gap will be explained, along with a note clarifying whether it can be passed through manual operator intervention, or if it will be addressed in a future release of K3s.","s":"Known Issues","u":"/kr/security/hardening-guide","h":"#known-issues","p":2997},{"i":3018,"t":"Ensure that the admission control plugin NamespaceLifecycle is set. Details Rationale Setting admission control policy to NamespaceLifecycle ensures that objects cannot be created in non-existent namespaces, and that namespaces undergoing termination are not used for creating the new objects. This is recommended to enforce the integrity of the namespace termination process and also for the availability of the newer objects. This can be remediated by passing this argument as a value to the enable-admission-plugins= and pass that to --kube-apiserver-arg= argument to k3s server. An example can be found below.","s":"Control 1.2.15","u":"/kr/security/hardening-guide","h":"#control-1215","p":2997},{"i":3020,"t":"Ensure that the admission control plugin PodSecurityPolicy is set. Details Rationale A Pod Security Policy is a cluster-level resource that controls the actions that a pod can perform and what it has the ability to access. The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system. Pod Security Policies are comprised of settings and strategies that control the security features a pod has access to and hence this must be used to control pod access permissions. This can be remediated by passing this argument as a value to the enable-admission-plugins= and pass that to --kube-apiserver-arg= argument to k3s server. An example can be found below.","s":"Control 1.2.16","u":"/kr/security/hardening-guide","h":"#control-1216","p":2997},{"i":3022,"t":"Ensure that the --audit-log-path argument is set. Details Rationale Auditing the Kubernetes API Server provides a security-relevant chronological set of records documenting the sequence of activities that have affected system by individual users, administrators or other components of the system. Even though currently, Kubernetes provides only basic audit capabilities, it should be enabled. You can enable it by setting an appropriate audit log path. This can be remediated by passing this argument as a value to the --kube-apiserver-arg= argument to k3s server. An example can be found below.","s":"Control 1.2.22","u":"/kr/security/hardening-guide","h":"#control-1222","p":2997},{"i":3024,"t":"Ensure that the --audit-log-maxage argument is set to 30 or as appropriate. Details Rationale Retaining logs for at least 30 days ensures that you can go back in time and investigate or correlate any events. Set your audit log retention period to 30 days or as per your business requirements. This can be remediated by passing this argument as a value to the --kube-apiserver-arg= argument to k3s server. An example can be found below.","s":"Control 1.2.23","u":"/kr/security/hardening-guide","h":"#control-1223","p":2997},{"i":3026,"t":"Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate. Details Rationale Kubernetes automatically rotates the log files. Retaining old log files ensures that you would have sufficient log data available for carrying out any investigation or correlation. For example, if you have set file size of 100 MB and the number of old log files to keep as 10, you would approximate have 1 GB of log data that you could potentially use for your analysis. This can be remediated by passing this argument as a value to the --kube-apiserver-arg= argument to k3s server. An example can be found below.","s":"Control 1.2.24","u":"/kr/security/hardening-guide","h":"#control-1224","p":2997},{"i":3028,"t":"Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate. Details Rationale Kubernetes automatically rotates the log files. Retaining old log files ensures that you would have sufficient log data available for carrying out any investigation or correlation. If you have set file size of 100 MB and the number of old log files to keep as 10, you would approximate have 1 GB of log data that you could potentially use for your analysis. This can be remediated by passing this argument as a value to the --kube-apiserver-arg= argument to k3s server. An example can be found below.","s":"Control 1.2.25","u":"/kr/security/hardening-guide","h":"#control-1225","p":2997},{"i":3030,"t":"Ensure that the --request-timeout argument is set as appropriate. Details Rationale Setting global request timeout allows extending the API server request timeout limit to a duration appropriate to the user's connection speed. By default, it is set to 60 seconds which might be problematic on slower connections making cluster resources inaccessible once the data volume for requests exceeds what can be transmitted in 60 seconds. But, setting this timeout limit to be too large can exhaust the API server resources making it prone to Denial-of-Service attack. Hence, it is recommended to set this limit as appropriate and change the default limit of 60 seconds only if needed. This can be remediated by passing this argument as a value to the --kube-apiserver-arg= argument to k3s server. An example can be found below.","s":"Control 1.2.26","u":"/kr/security/hardening-guide","h":"#control-1226","p":2997},{"i":3032,"t":"Ensure that the --service-account-lookup argument is set to true. Details Rationale If --service-account-lookup is not enabled, the apiserver only verifies that the authentication token is valid, and does not validate that the service account token mentioned in the request is actually present in etcd. This allows using a service account token even after the corresponding service account is deleted. This is an example of time of check to time of use security issue. This can be remediated by passing this argument as a value to the --kube-apiserver-arg= argument to k3s server. An example can be found below.","s":"Control 1.2.27","u":"/kr/security/hardening-guide","h":"#control-1227","p":2997},{"i":3034,"t":"Ensure that the --encryption-provider-config argument is set as appropriate. Details Rationale etcd is a highly available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted at rest to avoid any disclosures. Detailed steps on how to configure secrets encryption in K3s are available in Secrets Encryption.","s":"Control 1.2.33","u":"/kr/security/hardening-guide","h":"#control-1233","p":2997},{"i":3036,"t":"Ensure that encryption providers are appropriately configured. Details Rationale Where etcd encryption is used, it is important to ensure that the appropriate set of encryption providers is used. Currently, the aescbc, kms and secretbox are likely to be appropriate options. This can be remediated by passing a valid configuration to k3s as outlined above. Detailed steps on how to configure secrets encryption in K3s are available in Secrets Encryption.","s":"Control 1.2.34","u":"/kr/security/hardening-guide","h":"#control-1234","p":2997},{"i":3038,"t":"Ensure that the --terminated-pod-gc-threshold argument is set as appropriate. Details Rationale Garbage collection is important to ensure sufficient resource availability and avoiding degraded performance and availability. In the worst case, the system might crash or just be unusable for a long period of time. The current setting for garbage collection is 12,500 terminated pods which might be too high for your system to sustain. Based on your system resources and tests, choose an appropriate threshold value to activate garbage collection. This can be remediated by passing this argument as a value to the --kube-apiserver-arg= argument to k3s server. An example can be found below.","s":"Control 1.3.1","u":"/kr/security/hardening-guide","h":"#control-131","p":2997},{"i":3040,"t":"Ensure that a minimal audit policy is created. Details Rationale Logging is an important detective control for all systems, to detect potential unauthorized access. This can be remediated by passing controls 1.2.22 - 1.2.25 and verifying their efficacy.","s":"Control 3.2.1","u":"/kr/security/hardening-guide","h":"#control-321","p":2997},{"i":3042,"t":"Ensure that the --make-iptables-util-chains argument is set to true. Details Rationale Kubelets can automatically manage the required changes to iptables based on how you choose your networking options for the pods. It is recommended to let kubelets manage the changes to iptables. This ensures that the iptables configuration remains in sync with pods networking configuration. Manually configuring iptables with dynamic pod network configuration changes might hamper the communication between pods/containers and to the outside world. You might have iptables rules too restrictive or too open. This can be remediated by passing this argument as a value to the --kube-apiserver-arg= argument to k3s server. An example can be found below.","s":"Control 4.2.7","u":"/kr/security/hardening-guide","h":"#control-427","p":2997},{"i":3044,"t":"Ensure that default service accounts are not actively used Details Rationale Kubernetes provides a default service account which is used by cluster workloads where no specific service account is assigned to the pod. Where access to the Kubernetes API from a pod is required, a specific service account should be created for that pod, and rights granted to that service account. The default service account should be configured such that it does not provide a service account token and does not have any explicit rights assignments. This can be remediated by updating the automountServiceAccountToken field to false for the default service account in each namespace. For default service accounts in the built-in namespaces (kube-system, kube-public, kube-node-lease, and default), K3s does not automatically do this. You can manually update this field on these service accounts to pass the control.","s":"Control 5.1.5","u":"/kr/security/hardening-guide","h":"#control-515","p":2997},{"i":3046,"t":"If you have followed this guide, your K3s cluster will be configured to comply with the CIS Kubernetes Benchmark. You can review the CIS Benchmark Self-Assessment Guide to understand the expectations of each of the benchmark's checks and how you can do the same on your cluster.","s":"Conclusion","u":"/kr/security/hardening-guide","h":"#conclusion","p":2997},{"i":3048,"t":"You can upgrade K3s by using the installation script, or by manually installing the binary of the desired version. 비고 When upgrading, upgrade server nodes first one at a time, then any agent nodes.","s":"Manual Upgrades","u":"/kr/upgrades/manual","h":"","p":3047},{"i":3050,"t":"Upgrades performed via the installation script or using our automated upgrades feature can be tied to different release channels. The following channels are available: Channel Description stable (Default) Stable is recommended for production environments. These releases have been through a period of community hardening. latest Latest is recommended for trying out the latest features. These releases have not yet been through a period of community hardening. v1.26 (example) There is a release channel tied to each Kubernetes minor version, including versions that are end-of-life. These channels will select the latest patch available, not necessarily a stable release. For an exhaustive and up-to-date list of channels, you can visit the k3s channel service API. For more technical details on how channels work, you see the channelserver project. 팁 When attempting to upgrade to a new version of K3s, the Kubernetes version skew policy applies. Ensure that your plan does not skip intermediate minor versions when upgrading. The system-upgrade-controller itself will not protect against unsupported changes to the Kubernetes version.","s":"Release Channels","u":"/kr/upgrades/manual","h":"#release-channels","p":3047},{"i":3052,"t":"To upgrade K3s from an older version you can re-run the installation script using the same flags, for example: curl -sfL https://get.k3s.io | sh - This will upgrade to a newer version in the stable channel by default. If you want to upgrade to a newer version in a specific channel (such as latest) you can specify the channel: curl -sfL https://get.k3s.io | INSTALL_K3S_CHANNEL=latest sh - If you want to upgrade to a specific version you can run the following command: curl -sfL https://get.k3s.io | INSTALL_K3S_VERSION=vX.Y.Z-rc1 sh -","s":"Upgrade K3s Using the Installation Script","u":"/kr/upgrades/manual","h":"#upgrade-k3s-using-the-installation-script","p":3047},{"i":3054,"t":"Or to manually upgrade K3s: Download the desired version of the K3s binary from releases Copy the downloaded binary to /usr/local/bin/k3s (or your desired location) Stop the old k3s binary Launch the new k3s binary","s":"Manually Upgrade K3s Using the Binary","u":"/kr/upgrades/manual","h":"#manually-upgrade-k3s-using-the-binary","p":3047},{"i":3056,"t":"Restarting K3s is supported by the installation script for systemd and OpenRC. systemd To restart servers manually: sudo systemctl restart k3s To restart agents manually: sudo systemctl restart k3s-agent OpenRC To restart servers manually: sudo service k3s restart To restart agents manually: sudo service k3s-agent restart","s":"Restarting K3s","u":"/kr/upgrades/manual","h":"#restarting-k3s","p":3047},{"i":3058,"t":"K3s는 쿠버네티스와 완전히 호환되며 다음과 같은 향상된 기능을 갖춘 배포판입니다: 단일 바이너리로 패키지화. 기본 스토리지 메커니즘으로 sqlite3를 기반으로 하는 경량 스토리지 백엔드. etcd3, MySQL, Postgres도 사용 가능. 복잡한 TLS 및 옵션을 처리하는 간단한 런처에 포함. 경량 환경을 위한 합리적인 기본값으로 기본적으로 보안을 유지함. 다음과 같이 간단하지만 강력한 'batteries-included' 기능 추가. 예를 들어: local storage provider service load balancer Helm controller Traefik ingress controller 모든 쿠버네티스 컨트롤 플레인 구성 요소의 작동은 단일 바이너리 및 프로세스로 캡슐화. 이를 통해 K3s는 인증서 배포와 같은 복잡한 클러스터 작업을 자동화하고 관리. 외부 종속성 최소화(최신 커널과 cgroup 마운트만 필요) K3s는 다음과 같은 필수 종속성을 패키지로 제공합니다: Containerd Flannel (CNI) CoreDNS Traefik (인그레스) Klipper-lb (서비스 로드밸런서) 임베디드 네트워크 정책 컨트롤러 임베디드 로컬 경로 프로비저너 호스트 유틸리티(iptables, socat 등)","s":"k3s란 무엇입니까?","u":"/kr/","h":"","p":3057},{"i":3060,"t":"우리는 메모리 풋프린트 측면에서 절반 크기의 Kubernetes를 설치하기를 원했습니다. Kubernetes는 K8s로 표기되는 10글자 단어입니다. 따라서 쿠버네티스의 절반 크기라면 K3s로 표기된 5글자 단어가 될 것입니다. K3s의 긴 형태는 없으며 공식적인 발음도 없습니다.","s":"이름에는 무슨 뜻이 있나요?","u":"/kr/","h":"","p":3057},{"i":3062,"t":"이 페이지는 번역되지 않았습니다","s":"self-assessment-1.24","u":"/kr/security/self-assessment-1.24","h":"","p":3061},{"i":3065,"t":"Overview​ This document is a companion to the K3s security hardening guide. The hardening guide provides prescriptive guidance for hardening a production installation of K3s, and this benchmark guide is meant to help you evaluate the level of security of the hardened cluster against each control in the CIS Kubernetes Benchmark. It is to be used by K3s operators, security teams, auditors, and decision-makers. This guide is specific to the v1.22, v1.23 and v1.24 release line of K3s and the v1.23 release of the CIS Kubernetes Benchmark. For more information about each control, including detailed descriptions and remediations for failing tests, you can refer to the corresponding section of the CIS Kubernetes Benchmark v1.6. You can download the benchmark, after creating a free account, in Center for Internet Security (CIS). Testing controls methodology​ Each control in the CIS Kubernetes Benchmark was evaluated against a K3s cluster that was configured according to the accompanying hardening guide. Where control audits differ from the original CIS benchmark, the audit commands specific to K3s are provided for testing. These are the possible results for each control: Pass - The K3s cluster under test passed the audit outlined in the benchmark. Not Applicable - The control is not applicable to K3s because of how it is designed to operate. The remediation section will explain why this is so. Warn - The control is manual in the CIS benchmark and it depends on the cluster's use case or some other factor that must be determined by the cluster operator. These controls have been evaluated to ensure K3s does not prevent their implementation, but no further configuration or auditing of the cluster under test has been performed. This guide makes the assumption that K3s is running as a Systemd unit. Your installation may vary and will require you to adjust the \"audit\" commands to fit your scenario. NOTE: Only automated tests (previously called scored) are covered in this guide.","s":"CIS Kubernetes Benchmark v1.23 - K3s with Kubernetes v1.22 to v1.24","u":"/kr/security/self-assessment-1.23","h":"#cis-kubernetes-benchmark-v123---k3s-with-kubernetes-v122-to-v124","p":3063},{"i":3069,"t":"Result: Not Applicable Remediation: Run the below command (based on the file location on your system) on the control plane node. For example, chmod 644 /etc/kubernetes/manifests/kube-apiserver.yaml","s":"1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)","u":"/kr/security/self-assessment-1.23","h":"#111-ensure-that-the-api-server-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated","p":3063},{"i":3071,"t":"Result: Not Applicable Remediation: Run the below command (based on the file location on your system) on the control plane node. For example, chown root:root /etc/kubernetes/manifests/kube-apiserver.yaml","s":"1.1.2 Ensure that the API server pod specification file ownership is set to root:root (Automated)","u":"/kr/security/self-assessment-1.23","h":"#112-ensure-that-the-api-server-pod-specification-file-ownership-is-set-to-root-automated","p":3063},{"i":3073,"t":"Result: Not Applicable Remediation: Run the below command (based on the file location on your system) on the control plane node. For example, chmod 644 /etc/kubernetes/manifests/kube-controller-manager.yaml","s":"1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Automated)","u":"/kr/security/self-assessment-1.23","h":"#113-ensure-that-the-controller-manager-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated","p":3063},{"i":3075,"t":"Result: Not Applicable Remediation: Run the below command (based on the file location on your system) on the control plane node. For example, chown root:root /etc/kubernetes/manifests/kube-controller-manager.yaml","s":"1.1.4 Ensure that the controller manager pod specification file ownership is set to root:root (Automated)","u":"/kr/security/self-assessment-1.23","h":"#114-ensure-that-the-controller-manager-pod-specification-file-ownership-is-set-to-root-automated","p":3063},{"i":3077,"t":"Result: Not Applicable Remediation: Run the below command (based on the file location on your system) on the control plane node. For example, chmod 644 /etc/kubernetes/manifests/kube-scheduler.yaml","s":"1.1.5 Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Automated)","u":"/kr/security/self-assessment-1.23","h":"#115-ensure-that-the-scheduler-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated","p":3063},{"i":3079,"t":"Result: Not Applicable Remediation: Run the below command (based on the file location on your system) on the control plane node. For example, chown root:root /etc/kubernetes/manifests/kube-scheduler.yaml","s":"1.1.6 Ensure that the scheduler pod specification file ownership is set to root:root (Automated)","u":"/kr/security/self-assessment-1.23","h":"#116-ensure-that-the-scheduler-pod-specification-file-ownership-is-set-to-root-automated","p":3063},{"i":3081,"t":"Result: Not Applicable Remediation: Run the below command (based on the file location on your system) on the control plane node. For example, chmod 644 /etc/kubernetes/manifests/etcd.yaml","s":"1.1.7 Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated)","u":"/kr/security/self-assessment-1.23","h":"#117-ensure-that-the-etcd-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated","p":3063},{"i":3083,"t":"Result: Not Applicable Remediation: Run the below command (based on the file location on your system) on the control plane node. For example, chown root:root /etc/kubernetes/manifests/etcd.yaml","s":"1.1.8 Ensure that the etcd pod specification file ownership is set to root:root (Automated)","u":"/kr/security/self-assessment-1.23","h":"#118-ensure-that-the-etcd-pod-specification-file-ownership-is-set-to-root-automated","p":3063},{"i":3085,"t":"Result: Not Applicable Remediation: Run the below command (based on the file location on your system) on the control plane node. For example, chmod 644 ","s":"1.1.9 Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual)","u":"/kr/security/self-assessment-1.23","h":"#119-ensure-that-the-container-network-interface-file-permissions-are-set-to-644-or-more-restrictive-manual","p":3063},{"i":3087,"t":"Result: Not Applicable Remediation: Run the below command (based on the file location on your system) on the control plane node. For example, chown root:root ","s":"1.1.10 Ensure that the Container Network Interface file ownership is set to root:root (Manual)","u":"/kr/security/self-assessment-1.23","h":"#1110-ensure-that-the-container-network-interface-file-ownership-is-set-to-root-manual","p":3063},{"i":3089,"t":"Result: pass Remediation: On the etcd server node, get the etcd data directory, passed as an argument --data-dir, from the command 'ps -ef | grep etcd'. Run the below command (based on the etcd data directory found above). For example, chmod 700 /var/lib/etcd Audit Script: check_for_k3s_etcd.sh #!/bin/bash # This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3) # before it checks the requirement set -eE handle_error() { echo \"false\" } trap 'handle_error' ERR if [[ \"$(journalctl -D /var/log/journal -u k3s | grep 'Managed etcd cluster initializing' | grep -v grep | wc -l)\" -gt 0 ]]; then case $1 in \"1.1.11\") echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);; \"1.2.29\") echo $(journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'etcd-');; \"2.1\") echo $(grep -A 5 'client-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep -E 'cert-file|key-file');; \"2.2\") echo $(grep -A 5 'client-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep 'client-cert-auth');; \"2.3\") echo $(grep 'auto-tls' /var/lib/rancher/k3s/server/db/etcd/config);; \"2.4\") echo $(grep -A 5 'peer-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep -E 'cert-file|key-file');; \"2.5\") echo $(grep -A 5 'peer-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep 'client-cert-auth');; \"2.6\") echo $(grep 'peer-auto-tls' /var/lib/rancher/k3s/server/db/etcd/config);; \"2.7\") echo $(grep 'trusted-ca-file' /var/lib/rancher/k3s/server/db/etcd/config);; esac else # If another database is running, return whatever is required to pass the scan case $1 in \"1.1.11\") echo \"700\";; \"1.2.29\") echo \"--etcd-certfile AND --etcd-keyfile\";; \"2.1\") echo \"cert-file AND key-file\";; \"2.2\") echo \"--client-cert-auth=true\";; \"2.3\") echo \"false\";; \"2.4\") echo \"peer-cert-file AND peer-key-file\";; \"2.5\") echo \"--client-cert-auth=true\";; \"2.6\") echo \"--peer-auto-tls=false\";; \"2.7\") echo \"--trusted-ca-file\";; esac fi Audit Execution: ./check_for_k3s_etcd.sh 1.1.11 Expected Result: '700' is equal to '700' Returned Value: 700","s":"1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1111-ensure-that-the-etcd-data-directory-permissions-are-set-to-700-or-more-restrictive-automated","p":3063},{"i":3091,"t":"Result: Not Applicable Remediation: On the etcd server node, get the etcd data directory, passed as an argument --data-dir, from the command 'ps -ef | grep etcd'. Run the below command (based on the etcd data directory found above). For example, chown etcd:etcd /var/lib/etcd","s":"1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1112-ensure-that-the-etcd-data-directory-ownership-is-set-to-etcd-automated","p":3063},{"i":3093,"t":"Result: Not Applicable Remediation: Run the below command (based on the file location on your system) on the control plane node. For example, chmod 600 /var/lib/rancher/k3s/server/cred/admin.kubeconfig","s":"1.1.13 Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1113-ensure-that-the-adminconf-file-permissions-are-set-to-600-or-more-restrictive-automated","p":3063},{"i":3095,"t":"Result: pass Remediation: Run the below command (based on the file location on your system) on the control plane node. For example, chown root:root /etc/kubernetes/admin.conf Audit: /bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/admin.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/server/cred/admin.kubeconfig; fi' Expected Result: 'root:root' is equal to 'root:root' Returned Value: root:root","s":"1.1.14 Ensure that the admin.conf file ownership is set to root:root (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1114-ensure-that-the-adminconf-file-ownership-is-set-to-root-automated","p":3063},{"i":3097,"t":"Result: pass Remediation: Run the below command (based on the file location on your system) on the control plane node. For example, chmod 644 scheduler Audit: /bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; fi' Expected Result: permissions has permissions 644, expected 644 or more restrictive Returned Value: permissions=644","s":"1.1.15 Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1115-ensure-that-the-schedulerconf-file-permissions-are-set-to-644-or-more-restrictive-automated","p":3063},{"i":3099,"t":"Result: pass Remediation: Run the below command (based on the file location on your system) on the control plane node. For example, chown root:root scheduler Audit: /bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; fi' Expected Result: 'root:root' is present Returned Value: root:root","s":"1.1.16 Ensure that the scheduler.conf file ownership is set to root:root (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1116-ensure-that-the-schedulerconf-file-ownership-is-set-to-root-automated","p":3063},{"i":3101,"t":"Result: pass Remediation: Run the below command (based on the file location on your system) on the control plane node. For example, chmod 644 controllermanager Audit: /bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/controller.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/controller.kubeconfig; fi' Expected Result: permissions has permissions 644, expected 644 or more restrictive Returned Value: permissions=644","s":"1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1117-ensure-that-the-controller-managerconf-file-permissions-are-set-to-644-or-more-restrictive-automated","p":3063},{"i":3103,"t":"Result: pass Remediation: Run the below command (based on the file location on your system) on the control plane node. For example, chown root:root controllermanager Audit: stat -c %U:%G /var/lib/rancher/k3s/server/tls Expected Result: 'root:root' is equal to 'root:root' Returned Value: root:root","s":"1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1118-ensure-that-the-controller-managerconf-file-ownership-is-set-to-root-automated","p":3063},{"i":3105,"t":"Result: pass Remediation: Run the below command (based on the file location on your system) on the control plane node. For example, chown -R root:root /etc/kubernetes/pki/ Audit: find /var/lib/rancher/k3s/server/tls | xargs stat -c %U:%G Expected Result: 'root:root' is present Returned Value: root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root","s":"1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1119-ensure-that-the-kubernetes-pki-directory-and-file-ownership-is-set-to-root-automated","p":3063},{"i":3107,"t":"Result: warn Remediation: Run the below command (based on the file location on your system) on the control plane node. For example, chmod -R 644 /etc/kubernetes/pki/*.crt Audit: stat -c %n %a /var/lib/rancher/k3s/server/tls/*.crt","s":"1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Manual)","u":"/kr/security/self-assessment-1.23","h":"#1120-ensure-that-the-kubernetes-pki-certificate-file-permissions-are-set-to-644-or-more-restrictive-manual","p":3063},{"i":3109,"t":"Result: warn Remediation: Run the below command (based on the file location on your system) on the control plane node. For example, chmod -R 600 /etc/kubernetes/pki/*.key Audit: stat -c %n %a /var/lib/rancher/k3s/server/tls/*.key","s":"1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)","u":"/kr/security/self-assessment-1.23","h":"#1121-ensure-that-the-kubernetes-pki-key-file-permissions-are-set-to-600-manual","p":3063},{"i":3112,"t":"Result: warn Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the below parameter. --anonymous-auth=false Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'anonymous-auth'","s":"1.2.1 Ensure that the --anonymous-auth argument is set to false (Manual)","u":"/kr/security/self-assessment-1.23","h":"#121-ensure-that-the---anonymous-auth-argument-is-set-to-false-manual","p":3063},{"i":3114,"t":"Result: pass Remediation: Follow the documentation and configure alternate mechanisms for authentication. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and remove the --token-auth-file= parameter. Audit: /bin/ps -ef | grep containerd | grep -v grep Expected Result: '--token-auth-file' is not present Returned Value: root 1616 1600 6 13:26 ? 00:01:28 containerd -c /var/lib/rancher/k3s/agent/etc/containerd/config.toml -a /run/k3s/containerd/containerd.sock --state /run/k3s/containerd --root /var/lib/rancher/k3s/agent/containerd root 2318 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id b41ec3297be4625c2406ad8b7b4f8b91cddd60850c420050c4c3273f809b3e7e -address /run/k3s/containerd/containerd.sock root 2341 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id e7999a65ae0a4e9969f32317ec48ae4f7071b62f92e5236696737973be77c2e1 -address /run/k3s/containerd/containerd.sock root 3199 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 90c4e63d6ee29d40a48c2fdaf2738c2472cba1139dde8a550466c452184f8528 -address /run/k3s/containerd/containerd.sock root 3923 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id be5f4b9bd1ed9239362b7000b47f353acb8bc8ca52a9c9145cba0e902ec1c4b9 -address /run/k3s/containerd/containerd.sock root 4559 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 04cd40ea6b6078797f177c902c89412c70e523ad2a687a62829bf1d16ff0e19c -address /run/k3s/containerd/containerd.sock root 4647 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 48f37a480315b6adce2d2a5c5d67a85412dd0ba7a2e82816434e0deb9fa75de9 -address /run/k3s/containerd/containerd.sock root 6610 1 0 13:47 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 1cf71c22f568468055e517ab363437c0e54e45274c64024d337cc5bcce66341d -address /run/k3s/containerd/containerd.sock","s":"1.2.2 Ensure that the --token-auth-file parameter is not set (Automated)","u":"/kr/security/self-assessment-1.23","h":"#122-ensure-that-the---token-auth-file-parameter-is-not-set-automated","p":3063},{"i":3116,"t":"Result: pass Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and remove the DenyServiceExternalIPs from enabled admission plugins. Audit: /bin/ps -ef | grep containerd | grep -v grep Expected Result: '--enable-admission-plugins' is present OR '--enable-admission-plugins' is not present Returned Value: root 1616 1600 6 13:26 ? 00:01:28 containerd -c /var/lib/rancher/k3s/agent/etc/containerd/config.toml -a /run/k3s/containerd/containerd.sock --state /run/k3s/containerd --root /var/lib/rancher/k3s/agent/containerd root 2318 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id b41ec3297be4625c2406ad8b7b4f8b91cddd60850c420050c4c3273f809b3e7e -address /run/k3s/containerd/containerd.sock root 2341 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id e7999a65ae0a4e9969f32317ec48ae4f7071b62f92e5236696737973be77c2e1 -address /run/k3s/containerd/containerd.sock root 3199 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 90c4e63d6ee29d40a48c2fdaf2738c2472cba1139dde8a550466c452184f8528 -address /run/k3s/containerd/containerd.sock root 3923 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id be5f4b9bd1ed9239362b7000b47f353acb8bc8ca52a9c9145cba0e902ec1c4b9 -address /run/k3s/containerd/containerd.sock root 4559 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 04cd40ea6b6078797f177c902c89412c70e523ad2a687a62829bf1d16ff0e19c -address /run/k3s/containerd/containerd.sock root 4647 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 48f37a480315b6adce2d2a5c5d67a85412dd0ba7a2e82816434e0deb9fa75de9 -address /run/k3s/containerd/containerd.sock root 6610 1 0 13:47 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 1cf71c22f568468055e517ab363437c0e54e45274c64024d337cc5bcce66341d -address /run/k3s/containerd/containerd.sock","s":"1.2.3 Ensure that the --DenyServiceExternalIPs is not set (Automated)","u":"/kr/security/self-assessment-1.23","h":"#123-ensure-that-the---denyserviceexternalips-is-not-set-automated","p":3063},{"i":3118,"t":"Result: Not Applicable Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and remove the --kubelet-https parameter.","s":"1.2.4 Ensure that the --kubelet-https argument is set to true (Automated)","u":"/kr/security/self-assessment-1.23","h":"#124-ensure-that-the---kubelet-https-argument-is-set-to-true-automated","p":3063},{"i":3120,"t":"Result: pass Remediation: Follow the Kubernetes documentation and set up the TLS connection between the apiserver and kubelets. Then, edit API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the kubelet client certificate and key parameters as below. --kubelet-client-certificate= --kubelet-client-key= Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'kubelet-certificate-authority' Expected Result: '--kubelet-client-certificate' is present AND '--kubelet-client-key' is present Returned Value: Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key\"","s":"1.2.5 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)","u":"/kr/security/self-assessment-1.23","h":"#125-ensure-that-the---kubelet-client-certificate-and---kubelet-client-key-arguments-are-set-as-appropriate-automated","p":3063},{"i":3122,"t":"Result: pass Remediation: Follow the Kubernetes documentation and setup the TLS connection between the apiserver and kubelets. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the --kubelet-certificate-authority parameter to the path to the cert file for the certificate authority --kubelet-certificate-authority=. Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'kubelet-certificate-authority' Expected Result: '--kubelet-certificate-authority' is present Returned Value: Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key\"","s":"1.2.6 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)","u":"/kr/security/self-assessment-1.23","h":"#126-ensure-that-the---kubelet-certificate-authority-argument-is-set-as-appropriate-automated","p":3063},{"i":3124,"t":"Result: pass Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the --authorization-mode parameter to values other than AlwaysAllow. One such example could be as below. --authorization-mode=RBAC Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode' Expected Result: '--authorization-mode' does not have 'AlwaysAllow' Returned Value: Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key\"","s":"1.2.7 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)","u":"/kr/security/self-assessment-1.23","h":"#127-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated","p":3063},{"i":3126,"t":"Result: pass Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the --authorization-mode parameter to a value that includes Node. --authorization-mode=Node,RBAC Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode' Expected Result: '--authorization-mode' has 'Node' Returned Value: Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key\"","s":"1.2.8 Ensure that the --authorization-mode argument includes Node (Automated)","u":"/kr/security/self-assessment-1.23","h":"#128-ensure-that-the---authorization-mode-argument-includes-node-automated","p":3063},{"i":3128,"t":"Result: pass Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the --authorization-mode parameter to a value that includes RBAC, for example --authorization-mode=Node,RBAC. Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode' Expected Result: '--authorization-mode' has 'RBAC' Returned Value: Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key\"","s":"1.2.9 Ensure that the --authorization-mode argument includes RBAC (Automated)","u":"/kr/security/self-assessment-1.23","h":"#129-ensure-that-the---authorization-mode-argument-includes-rbac-automated","p":3063},{"i":3130,"t":"Result: warn Remediation: Follow the Kubernetes documentation and set the desired limits in a configuration file. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml and set the below parameters. --enable-admission-plugins=...,EventRateLimit,... --admission-control-config-file= Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins' Expected Result: '--enable-admission-plugins' has 'EventRateLimit' Returned Value: Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key\"","s":"1.2.10 Ensure that the admission control plugin EventRateLimit is set (Manual)","u":"/kr/security/self-assessment-1.23","h":"#1210-ensure-that-the-admission-control-plugin-eventratelimit-is-set-manual","p":3063},{"i":3132,"t":"Result: pass Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and either remove the --enable-admission-plugins parameter, or set it to a value that does not include AlwaysAdmit. Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins' Expected Result: '--enable-admission-plugins' does not have 'AlwaysAdmit' OR '--enable-admission-plugins' is not present Returned Value: Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key\"","s":"1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1211-ensure-that-the-admission-control-plugin-alwaysadmit-is-not-set-automated","p":3063},{"i":3134,"t":"Result: warn Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the --enable-admission-plugins parameter to include AlwaysPullImages. --enable-admission-plugins=...,AlwaysPullImages,... Audit: /bin/ps -ef | grep containerd | grep -v grep Expected Result: '--enable-admission-plugins' is present Returned Value: root 1616 1600 6 13:26 ? 00:01:28 containerd -c /var/lib/rancher/k3s/agent/etc/containerd/config.toml -a /run/k3s/containerd/containerd.sock --state /run/k3s/containerd --root /var/lib/rancher/k3s/agent/containerd root 2318 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id b41ec3297be4625c2406ad8b7b4f8b91cddd60850c420050c4c3273f809b3e7e -address /run/k3s/containerd/containerd.sock root 2341 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id e7999a65ae0a4e9969f32317ec48ae4f7071b62f92e5236696737973be77c2e1 -address /run/k3s/containerd/containerd.sock root 3199 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 90c4e63d6ee29d40a48c2fdaf2738c2472cba1139dde8a550466c452184f8528 -address /run/k3s/containerd/containerd.sock root 3923 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id be5f4b9bd1ed9239362b7000b47f353acb8bc8ca52a9c9145cba0e902ec1c4b9 -address /run/k3s/containerd/containerd.sock root 4559 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 04cd40ea6b6078797f177c902c89412c70e523ad2a687a62829bf1d16ff0e19c -address /run/k3s/containerd/containerd.sock root 4647 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 48f37a480315b6adce2d2a5c5d67a85412dd0ba7a2e82816434e0deb9fa75de9 -address /run/k3s/containerd/containerd.sock root 6610 1 0 13:47 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 1cf71c22f568468055e517ab363437c0e54e45274c64024d337cc5bcce66341d -address /run/k3s/containerd/containerd.sock","s":"1.2.12 Ensure that the admission control plugin AlwaysPullImages is set (Manual)","u":"/kr/security/self-assessment-1.23","h":"#1212-ensure-that-the-admission-control-plugin-alwayspullimages-is-set-manual","p":3063},{"i":3136,"t":"Result: warn Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the --enable-admission-plugins parameter to include SecurityContextDeny, unless PodSecurityPolicy is already in place. --enable-admission-plugins=...,SecurityContextDeny,... Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins' Expected Result: '--enable-admission-plugins' has 'SecurityContextDeny' OR '--enable-admission-plugins' has 'PodSecurityPolicy' Returned Value: Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key\"","s":"1.2.13 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)","u":"/kr/security/self-assessment-1.23","h":"#1213-ensure-that-the-admission-control-plugin-securitycontextdeny-is-set-if-podsecuritypolicy-is-not-used-manual","p":3063},{"i":3138,"t":"Result: pass Remediation: Follow the documentation and create ServiceAccount objects as per your environment. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and ensure that the --disable-admission-plugins parameter is set to a value that does not include ServiceAccount. Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep Expected Result: '--disable-admission-plugins' is present OR '--disable-admission-plugins' is not present Returned Value: Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key\"","s":"1.2.14 Ensure that the admission control plugin ServiceAccount is set (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1214-ensure-that-the-admission-control-plugin-serviceaccount-is-set-automated","p":3063},{"i":3140,"t":"Result: pass Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the --disable-admission-plugins parameter to ensure it does not include NamespaceLifecycle. Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep Expected Result: '--disable-admission-plugins' is present OR '--disable-admission-plugins' is not present Returned Value: Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key\"","s":"1.2.15 Ensure that the admission control plugin NamespaceLifecycle is set (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1215-ensure-that-the-admission-control-plugin-namespacelifecycle-is-set-automated","p":3063},{"i":3142,"t":"Result: pass Remediation: Follow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the --enable-admission-plugins parameter to a value that includes NodeRestriction. --enable-admission-plugins=...,NodeRestriction,... Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins' Expected Result: '--enable-admission-plugins' has 'NodeRestriction' Returned Value: Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key\"","s":"1.2.16 Ensure that the admission control plugin NodeRestriction is set (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1216-ensure-that-the-admission-control-plugin-noderestriction-is-set-automated","p":3063},{"i":3144,"t":"Result: pass Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and either remove the --secure-port parameter or set it to a different (non-zero) desired port. Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'secure-port' Expected Result: '--secure-port' is greater than 0 OR '--secure-port' is not present Returned Value: Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key\"","s":"1.2.17 Ensure that the --secure-port argument is not set to 0 (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1217-ensure-that-the---secure-port-argument-is-not-set-to-0-automated","p":3063},{"i":3146,"t":"Result: pass Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the below parameter. --profiling=false Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'profiling' Expected Result: '--profiling' is equal to 'false' Returned Value: Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key\"","s":"1.2.18 Ensure that the --profiling argument is set to false (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1218-ensure-that-the---profiling-argument-is-set-to-false-automated","p":3063},{"i":3148,"t":"Result: Not Applicable Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the --audit-log-path parameter to a suitable path and file where you would like audit logs to be written, for example, --audit-log-path=/var/log/apiserver/audit.log","s":"1.2.19 Ensure that the --audit-log-path argument is set (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1219-ensure-that-the---audit-log-path-argument-is-set-automated","p":3063},{"i":3150,"t":"Result: Not Applicable Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the --audit-log-maxage parameter to 30 or as an appropriate number of days, for example, --audit-log-maxage=30","s":"1.2.20 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1220-ensure-that-the---audit-log-maxage-argument-is-set-to-30-or-as-appropriate-automated","p":3063},{"i":3152,"t":"Result: Not Applicable Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the --audit-log-maxbackup parameter to 10 or to an appropriate value. For example, --audit-log-maxbackup=10","s":"1.2.21 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1221-ensure-that-the---audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate-automated","p":3063},{"i":3154,"t":"Result: Not Applicable Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the --audit-log-maxsize parameter to an appropriate size in MB. For example, to set it as 100 MB, --audit-log-maxsize=100","s":"1.2.22 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1222-ensure-that-the---audit-log-maxsize-argument-is-set-to-100-or-as-appropriate-automated","p":3063},{"i":3156,"t":"Result: pass Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the below parameter. --service-account-lookup=true Alternatively, you can delete the --service-account-lookup parameter from this file so that the default takes effect. Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep Expected Result: '--service-account-lookup' is not present OR '--service-account-lookup' is present Returned Value: Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key\"","s":"1.2.24 Ensure that the --service-account-lookup argument is set to true (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1224-ensure-that-the---service-account-lookup-argument-is-set-to-true-automated","p":3063},{"i":3158,"t":"Result: Not Applicable Remediation: The request timeout limits the duration of API requests. The default value of 60 seconds is sufficiently low already. Only change the default value if necessary. When extending this limit, make sure to keep it low enough. A large value can exhaust API server resources and make it prone for Denial-of-Service attacks. Edit the config file /etc/rancher/k3s/config.yaml on the control plane node and remove the --request-timeout parameter or set it to an appropriate value if needed. For example, --request-timeout=300s.","s":"1.2.25 Ensure that the --request-timeout argument is set as appropriate (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1225-ensure-that-the---request-timeout-argument-is-set-as-appropriate-automated","p":3063},{"i":3160,"t":"Result: pass Remediation: Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the etcd certificate and key file parameters. --etcd-certfile= --etcd-keyfile= Audit Script: check_for_k3s_etcd.sh #!/bin/bash # This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3) # before it checks the requirement set -eE handle_error() { echo \"false\" } trap 'handle_error' ERR if [[ \"$(journalctl -D /var/log/journal -u k3s | grep 'Managed etcd cluster initializing' | grep -v grep | wc -l)\" -gt 0 ]]; then case $1 in \"1.1.11\") echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);; \"1.2.29\") echo $(journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'etcd-');; \"2.1\") echo $(grep -A 5 'client-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep -E 'cert-file|key-file');; \"2.2\") echo $(grep -A 5 'client-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep 'client-cert-auth');; \"2.3\") echo $(grep 'auto-tls' /var/lib/rancher/k3s/server/db/etcd/config);; \"2.4\") echo $(grep -A 5 'peer-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep -E 'cert-file|key-file');; \"2.5\") echo $(grep -A 5 'peer-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep 'client-cert-auth');; \"2.6\") echo $(grep 'peer-auto-tls' /var/lib/rancher/k3s/server/db/etcd/config);; \"2.7\") echo $(grep 'trusted-ca-file' /var/lib/rancher/k3s/server/db/etcd/config);; esac else # If another database is running, return whatever is required to pass the scan case $1 in \"1.1.11\") echo \"700\";; \"1.2.29\") echo \"--etcd-certfile AND --etcd-keyfile\";; \"2.1\") echo \"cert-file AND key-file\";; \"2.2\") echo \"--client-cert-auth=true\";; \"2.3\") echo \"false\";; \"2.4\") echo \"peer-cert-file AND peer-key-file\";; \"2.5\") echo \"--client-cert-auth=true\";; \"2.6\") echo \"--peer-auto-tls=false\";; \"2.7\") echo \"--trusted-ca-file\";; esac fi Audit Execution: ./check_for_k3s_etcd.sh 1.2.29 Expected Result: '--etcd-certfile' is present AND '--etcd-keyfile' is present Returned Value: --etcd-certfile AND --etcd-keyfile","s":"1.2.26 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1226-ensure-that-the---etcd-certfile-and---etcd-keyfile-arguments-are-set-as-appropriate-automated","p":3063},{"i":3162,"t":"Result: pass Remediation: Follow the Kubernetes documentation and set up the TLS connection on the apiserver. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the TLS certificate and private key file parameters. --tls-cert-file= --tls-private-key-file= Audit: journalctl -D /var/log/journal -u k3s | grep -A1 'Running kube-apiserver' | tail -n2 Expected Result: '--tls-cert-file' is present AND '--tls-private-key-file' is present Returned Value: Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key\" Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-scheduler --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259\"","s":"1.2.27 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1227-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated","p":3063},{"i":3164,"t":"Result: pass Remediation: Follow the Kubernetes documentation and set up the TLS connection on the apiserver. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the client certificate authority file. --client-ca-file= Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'client-ca-file' Expected Result: '--client-ca-file' is present Returned Value: Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key\"","s":"1.2.28 Ensure that the --client-ca-file argument is set as appropriate (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1228-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated","p":3063},{"i":3166,"t":"Result: pass Remediation: Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the etcd certificate authority file parameter. --etcd-cafile= Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'etcd-cafile' Expected Result: '--etcd-cafile' is present Returned Value: Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key\"","s":"1.2.29 Ensure that the --etcd-cafile argument is set as appropriate (Automated)","u":"/kr/security/self-assessment-1.23","h":"#1229-ensure-that-the---etcd-cafile-argument-is-set-as-appropriate-automated","p":3063},{"i":3168,"t":"Result: warn Remediation: Follow the Kubernetes documentation and configure a EncryptionConfig file. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the --encryption-provider-config parameter to the path of that file. For example, --encryption-provider-config= Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'encryption-provider-config'","s":"1.2.30 Ensure that the --encryption-provider-config argument is set as appropriate (Manual)","u":"/kr/security/self-assessment-1.23","h":"#1230-ensure-that-the---encryption-provider-config-argument-is-set-as-appropriate-manual","p":3063},{"i":3170,"t":"Result: warn Remediation: Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file, choose aescbc, kms or secretbox as the encryption provider. Audit: grep aescbc /path/to/encryption-config.json","s":"1.2.31 Ensure that encryption providers are appropriately configured (Manual)","u":"/kr/security/self-assessment-1.23","h":"#1231-ensure-that-encryption-providers-are-appropriately-configured-manual","p":3063},{"i":3172,"t":"Result: warn Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the below parameter. --tls-cipher-suites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384 Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'tls-cipher-suites'","s":"1.2.32 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual)","u":"/kr/security/self-assessment-1.23","h":"#1232-ensure-that-the-api-server-only-makes-use-of-strong-cryptographic-ciphers-manual","p":3063},{"i":3175,"t":"Result: warn Remediation: Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml on the control plane node and set the --terminated-pod-gc-threshold to an appropriate threshold, for example, --terminated-pod-gc-threshold=10 Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'terminated-pod-gc-threshold'","s":"1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)","u":"/kr/security/self-assessment-1.23","h":"#131-ensure-that-the---terminated-pod-gc-threshold-argument-is-set-as-appropriate-manual","p":3063},{"i":3177,"t":"Result: pass Remediation: Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml on the control plane node and set the below parameter. --profiling=false Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'profiling' Expected Result: '--profiling' is equal to 'false' Returned Value: Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-controller-manager --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --use-service-account-credentials=true\"","s":"1.3.2 Ensure that the --profiling argument is set to false (Automated)","u":"/kr/security/self-assessment-1.23","h":"#132-ensure-that-the---profiling-argument-is-set-to-false-automated","p":3063},{"i":3179,"t":"Result: pass Remediation: Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml on the control plane node to set the below parameter. --use-service-account-credentials=true Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'use-service-account-credentials' Expected Result: '--use-service-account-credentials' is not equal to 'false' Returned Value: Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-controller-manager --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --use-service-account-credentials=true\"","s":"1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated)","u":"/kr/security/self-assessment-1.23","h":"#133-ensure-that-the---use-service-account-credentials-argument-is-set-to-true-automated","p":3063},{"i":3181,"t":"Result: pass Remediation: Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml on the control plane node and set the --service-account-private-key-file parameter to the private key file for service accounts. For example, --service-account-private-key-file=. Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'service-account-private-key-file' Expected Result: '--service-account-private-key-file' is present Returned Value: Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-controller-manager --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --use-service-account-credentials=true\"","s":"1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)","u":"/kr/security/self-assessment-1.23","h":"#134-ensure-that-the---service-account-private-key-file-argument-is-set-as-appropriate-automated","p":3063},{"i":3183,"t":"Result: pass Remediation: Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml on the control plane node and set the --root-ca-file parameter to the certificate bundle file. --root-ca-file= Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'root-ca-file' Expected Result: '--root-ca-file' is present Returned Value: Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-controller-manager --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --use-service-account-credentials=true\"","s":"1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated)","u":"/kr/security/self-assessment-1.23","h":"#135-ensure-that-the---root-ca-file-argument-is-set-as-appropriate-automated","p":3063},{"i":3185,"t":"Result: Not Applicable Remediation: Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml on the control plane node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true. --feature-gates=RotateKubeletServerCertificate=true","s":"1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)","u":"/kr/security/self-assessment-1.23","h":"#136-ensure-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated","p":3063},{"i":3187,"t":"Result: pass Remediation: Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml on the control plane node and ensure the correct value for the --bind-address parameter Audit: /bin/ps -ef | grep containerd | grep -v grep Expected Result: '--bind-address' is present OR '--bind-address' is not present Returned Value: root 1616 1600 6 13:26 ? 00:01:28 containerd -c /var/lib/rancher/k3s/agent/etc/containerd/config.toml -a /run/k3s/containerd/containerd.sock --state /run/k3s/containerd --root /var/lib/rancher/k3s/agent/containerd root 2318 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id b41ec3297be4625c2406ad8b7b4f8b91cddd60850c420050c4c3273f809b3e7e -address /run/k3s/containerd/containerd.sock root 2341 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id e7999a65ae0a4e9969f32317ec48ae4f7071b62f92e5236696737973be77c2e1 -address /run/k3s/containerd/containerd.sock root 3199 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 90c4e63d6ee29d40a48c2fdaf2738c2472cba1139dde8a550466c452184f8528 -address /run/k3s/containerd/containerd.sock root 3923 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id be5f4b9bd1ed9239362b7000b47f353acb8bc8ca52a9c9145cba0e902ec1c4b9 -address /run/k3s/containerd/containerd.sock root 4559 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 04cd40ea6b6078797f177c902c89412c70e523ad2a687a62829bf1d16ff0e19c -address /run/k3s/containerd/containerd.sock root 4647 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 48f37a480315b6adce2d2a5c5d67a85412dd0ba7a2e82816434e0deb9fa75de9 -address /run/k3s/containerd/containerd.sock root 6610 1 0 13:47 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 1cf71c22f568468055e517ab363437c0e54e45274c64024d337cc5bcce66341d -address /run/k3s/containerd/containerd.sock","s":"1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)","u":"/kr/security/self-assessment-1.23","h":"#137-ensure-that-the---bind-address-argument-is-set-to-127001-automated","p":3063},{"i":3190,"t":"Result: pass Remediation: Edit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml file on the control plane node and set the below parameter. --profiling=false Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-scheduler' | tail -n1 Expected Result: '--profiling' is equal to 'false' Returned Value: Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-scheduler --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259\"","s":"1.4.1 Ensure that the --profiling argument is set to false (Automated)","u":"/kr/security/self-assessment-1.23","h":"#141-ensure-that-the---profiling-argument-is-set-to-false-automated","p":3063},{"i":3192,"t":"Result: pass Remediation: Edit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml on the control plane node and ensure the correct value for the --bind-address parameter Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-scheduler' | tail -n1 | grep 'bind-address' Expected Result: '--bind-address' is equal to '127.0.0.1' OR '--bind-address' is not present Returned Value: Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-scheduler --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259\"","s":"1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)","u":"/kr/security/self-assessment-1.23","h":"#142-ensure-that-the---bind-address-argument-is-set-to-127001-automated","p":3063},{"i":3195,"t":"Result: pass Remediation: Follow the etcd service documentation and configure TLS encryption. Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master node and set the below parameters. --cert-file= --key-file= Audit Script: check_for_k3s_etcd.sh #!/bin/bash # This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3) # before it checks the requirement set -eE handle_error() { echo \"false\" } trap 'handle_error' ERR if [[ \"$(journalctl -D /var/log/journal -u k3s | grep 'Managed etcd cluster initializing' | grep -v grep | wc -l)\" -gt 0 ]]; then case $1 in \"1.1.11\") echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);; \"1.2.29\") echo $(journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'etcd-');; \"2.1\") echo $(grep -A 5 'client-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep -E 'cert-file|key-file');; \"2.2\") echo $(grep -A 5 'client-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep 'client-cert-auth');; \"2.3\") echo $(grep 'auto-tls' /var/lib/rancher/k3s/server/db/etcd/config);; \"2.4\") echo $(grep -A 5 'peer-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep -E 'cert-file|key-file');; \"2.5\") echo $(grep -A 5 'peer-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep 'client-cert-auth');; \"2.6\") echo $(grep 'peer-auto-tls' /var/lib/rancher/k3s/server/db/etcd/config);; \"2.7\") echo $(grep 'trusted-ca-file' /var/lib/rancher/k3s/server/db/etcd/config);; esac else # If another database is running, return whatever is required to pass the scan case $1 in \"1.1.11\") echo \"700\";; \"1.2.29\") echo \"--etcd-certfile AND --etcd-keyfile\";; \"2.1\") echo \"cert-file AND key-file\";; \"2.2\") echo \"--client-cert-auth=true\";; \"2.3\") echo \"false\";; \"2.4\") echo \"peer-cert-file AND peer-key-file\";; \"2.5\") echo \"--client-cert-auth=true\";; \"2.6\") echo \"--peer-auto-tls=false\";; \"2.7\") echo \"--trusted-ca-file\";; esac fi Audit Execution: ./check_for_k3s_etcd.sh 2.1 Expected Result: 'cert-file' is present AND 'key-file' is present Returned Value: cert-file AND key-file cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key cert-file AND key-file","s":"2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)","u":"/kr/security/self-assessment-1.23","h":"#21-ensure-that-the---cert-file-and---key-file-arguments-are-set-as-appropriate-automated","p":3063},{"i":3197,"t":"Result: pass Remediation: Edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master node and set the below parameter. --client-cert-auth=\"true\" Audit Script: check_for_k3s_etcd.sh #!/bin/bash # This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3) # before it checks the requirement set -eE handle_error() { echo \"false\" } trap 'handle_error' ERR if [[ \"$(journalctl -D /var/log/journal -u k3s | grep 'Managed etcd cluster initializing' | grep -v grep | wc -l)\" -gt 0 ]]; then case $1 in \"1.1.11\") echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);; \"1.2.29\") echo $(journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'etcd-');; \"2.1\") echo $(grep -A 5 'client-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep -E 'cert-file|key-file');; \"2.2\") echo $(grep -A 5 'client-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep 'client-cert-auth');; \"2.3\") echo $(grep 'auto-tls' /var/lib/rancher/k3s/server/db/etcd/config);; \"2.4\") echo $(grep -A 5 'peer-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep -E 'cert-file|key-file');; \"2.5\") echo $(grep -A 5 'peer-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep 'client-cert-auth');; \"2.6\") echo $(grep 'peer-auto-tls' /var/lib/rancher/k3s/server/db/etcd/config);; \"2.7\") echo $(grep 'trusted-ca-file' /var/lib/rancher/k3s/server/db/etcd/config);; esac else # If another database is running, return whatever is required to pass the scan case $1 in \"1.1.11\") echo \"700\";; \"1.2.29\") echo \"--etcd-certfile AND --etcd-keyfile\";; \"2.1\") echo \"cert-file AND key-file\";; \"2.2\") echo \"--client-cert-auth=true\";; \"2.3\") echo \"false\";; \"2.4\") echo \"peer-cert-file AND peer-key-file\";; \"2.5\") echo \"--client-cert-auth=true\";; \"2.6\") echo \"--peer-auto-tls=false\";; \"2.7\") echo \"--trusted-ca-file\";; esac fi Audit Execution: ./check_for_k3s_etcd.sh 2.2 Expected Result: '--client-cert-auth' is present OR 'client-cert-auth' is equal to 'true' Returned Value: --client-cert-auth=true client-cert-auth: true --client-cert-auth=true","s":"2.2 Ensure that the --client-cert-auth argument is set to true (Automated)","u":"/kr/security/self-assessment-1.23","h":"#22-ensure-that-the---client-cert-auth-argument-is-set-to-true-automated","p":3063},{"i":3199,"t":"Result: pass Remediation: Edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master node and either remove the --auto-tls parameter or set it to false. --auto-tls=false Audit Script: check_for_k3s_etcd.sh #!/bin/bash # This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3) # before it checks the requirement set -eE handle_error() { echo \"false\" } trap 'handle_error' ERR if [[ \"$(journalctl -D /var/log/journal -u k3s | grep 'Managed etcd cluster initializing' | grep -v grep | wc -l)\" -gt 0 ]]; then case $1 in \"1.1.11\") echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);; \"1.2.29\") echo $(journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'etcd-');; \"2.1\") echo $(grep -A 5 'client-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep -E 'cert-file|key-file');; \"2.2\") echo $(grep -A 5 'client-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep 'client-cert-auth');; \"2.3\") echo $(grep 'auto-tls' /var/lib/rancher/k3s/server/db/etcd/config);; \"2.4\") echo $(grep -A 5 'peer-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep -E 'cert-file|key-file');; \"2.5\") echo $(grep -A 5 'peer-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep 'client-cert-auth');; \"2.6\") echo $(grep 'peer-auto-tls' /var/lib/rancher/k3s/server/db/etcd/config);; \"2.7\") echo $(grep 'trusted-ca-file' /var/lib/rancher/k3s/server/db/etcd/config);; esac else # If another database is running, return whatever is required to pass the scan case $1 in \"1.1.11\") echo \"700\";; \"1.2.29\") echo \"--etcd-certfile AND --etcd-keyfile\";; \"2.1\") echo \"cert-file AND key-file\";; \"2.2\") echo \"--client-cert-auth=true\";; \"2.3\") echo \"false\";; \"2.4\") echo \"peer-cert-file AND peer-key-file\";; \"2.5\") echo \"--client-cert-auth=true\";; \"2.6\") echo \"--peer-auto-tls=false\";; \"2.7\") echo \"--trusted-ca-file\";; esac fi Audit Execution: ./check_for_k3s_etcd.sh 2.3 Expected Result: 'ETCD_AUTO_TLS' is not present OR 'ETCD_AUTO_TLS' is present Returned Value: error: process ID list syntax error Usage: ps [options] Try 'ps --help ' or 'ps --help ' for additional help text. For more details see ps(1). cat: /proc//environ: No such file or directory error: process ID list syntax error Usage: ps [options] Try 'ps --help ' or 'ps --help ' for additional help text. For more details see ps(1). cat: /proc//environ: No such file or directory error: process ID list syntax error Usage: ps [options] Try 'ps --help ' or 'ps --help ' for additional help text. For more details see ps(1). cat: /proc//environ: No such file or directory","s":"2.3 Ensure that the --auto-tls argument is not set to true (Automated)","u":"/kr/security/self-assessment-1.23","h":"#23-ensure-that-the---auto-tls-argument-is-not-set-to-true-automated","p":3063},{"i":3201,"t":"Result: pass Remediation: Follow the etcd service documentation and configure peer TLS encryption as appropriate for your etcd cluster. Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master node and set the below parameters. --peer-client-file= --peer-key-file= Audit Script: check_for_k3s_etcd.sh #!/bin/bash # This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3) # before it checks the requirement set -eE handle_error() { echo \"false\" } trap 'handle_error' ERR if [[ \"$(journalctl -D /var/log/journal -u k3s | grep 'Managed etcd cluster initializing' | grep -v grep | wc -l)\" -gt 0 ]]; then case $1 in \"1.1.11\") echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);; \"1.2.29\") echo $(journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'etcd-');; \"2.1\") echo $(grep -A 5 'client-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep -E 'cert-file|key-file');; \"2.2\") echo $(grep -A 5 'client-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep 'client-cert-auth');; \"2.3\") echo $(grep 'auto-tls' /var/lib/rancher/k3s/server/db/etcd/config);; \"2.4\") echo $(grep -A 5 'peer-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep -E 'cert-file|key-file');; \"2.5\") echo $(grep -A 5 'peer-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep 'client-cert-auth');; \"2.6\") echo $(grep 'peer-auto-tls' /var/lib/rancher/k3s/server/db/etcd/config);; \"2.7\") echo $(grep 'trusted-ca-file' /var/lib/rancher/k3s/server/db/etcd/config);; esac else # If another database is running, return whatever is required to pass the scan case $1 in \"1.1.11\") echo \"700\";; \"1.2.29\") echo \"--etcd-certfile AND --etcd-keyfile\";; \"2.1\") echo \"cert-file AND key-file\";; \"2.2\") echo \"--client-cert-auth=true\";; \"2.3\") echo \"false\";; \"2.4\") echo \"peer-cert-file AND peer-key-file\";; \"2.5\") echo \"--client-cert-auth=true\";; \"2.6\") echo \"--peer-auto-tls=false\";; \"2.7\") echo \"--trusted-ca-file\";; esac fi Audit Execution: ./check_for_k3s_etcd.sh 2.4 Expected Result: 'cert-file' is present AND 'key-file' is present Returned Value: peer-cert-file AND peer-key-file cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key peer-cert-file AND peer-key-file","s":"2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)","u":"/kr/security/self-assessment-1.23","h":"#24-ensure-that-the---peer-cert-file-and---peer-key-file-arguments-are-set-as-appropriate-automated","p":3063},{"i":3203,"t":"Result: pass Remediation: Edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master node and set the below parameter. --peer-client-cert-auth=true Audit Script: check_for_k3s_etcd.sh #!/bin/bash # This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3) # before it checks the requirement set -eE handle_error() { echo \"false\" } trap 'handle_error' ERR if [[ \"$(journalctl -D /var/log/journal -u k3s | grep 'Managed etcd cluster initializing' | grep -v grep | wc -l)\" -gt 0 ]]; then case $1 in \"1.1.11\") echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);; \"1.2.29\") echo $(journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'etcd-');; \"2.1\") echo $(grep -A 5 'client-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep -E 'cert-file|key-file');; \"2.2\") echo $(grep -A 5 'client-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep 'client-cert-auth');; \"2.3\") echo $(grep 'auto-tls' /var/lib/rancher/k3s/server/db/etcd/config);; \"2.4\") echo $(grep -A 5 'peer-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep -E 'cert-file|key-file');; \"2.5\") echo $(grep -A 5 'peer-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep 'client-cert-auth');; \"2.6\") echo $(grep 'peer-auto-tls' /var/lib/rancher/k3s/server/db/etcd/config);; \"2.7\") echo $(grep 'trusted-ca-file' /var/lib/rancher/k3s/server/db/etcd/config);; esac else # If another database is running, return whatever is required to pass the scan case $1 in \"1.1.11\") echo \"700\";; \"1.2.29\") echo \"--etcd-certfile AND --etcd-keyfile\";; \"2.1\") echo \"cert-file AND key-file\";; \"2.2\") echo \"--client-cert-auth=true\";; \"2.3\") echo \"false\";; \"2.4\") echo \"peer-cert-file AND peer-key-file\";; \"2.5\") echo \"--client-cert-auth=true\";; \"2.6\") echo \"--peer-auto-tls=false\";; \"2.7\") echo \"--trusted-ca-file\";; esac fi Audit Execution: ./check_for_k3s_etcd.sh 2.5 Expected Result: '--client-cert-auth' is present OR 'client-cert-auth' is equal to 'true' Returned Value: --client-cert-auth=true client-cert-auth: true --client-cert-auth=true","s":"2.5 Ensure that the --peer-client-cert-auth argument is set to true (Automated)","u":"/kr/security/self-assessment-1.23","h":"#25-ensure-that-the---peer-client-cert-auth-argument-is-set-to-true-automated","p":3063},{"i":3205,"t":"Result: pass Remediation: Edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master node and either remove the --peer-auto-tls parameter or set it to false. --peer-auto-tls=false Audit Script: check_for_k3s_etcd.sh #!/bin/bash # This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3) # before it checks the requirement set -eE handle_error() { echo \"false\" } trap 'handle_error' ERR if [[ \"$(journalctl -D /var/log/journal -u k3s | grep 'Managed etcd cluster initializing' | grep -v grep | wc -l)\" -gt 0 ]]; then case $1 in \"1.1.11\") echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);; \"1.2.29\") echo $(journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'etcd-');; \"2.1\") echo $(grep -A 5 'client-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep -E 'cert-file|key-file');; \"2.2\") echo $(grep -A 5 'client-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep 'client-cert-auth');; \"2.3\") echo $(grep 'auto-tls' /var/lib/rancher/k3s/server/db/etcd/config);; \"2.4\") echo $(grep -A 5 'peer-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep -E 'cert-file|key-file');; \"2.5\") echo $(grep -A 5 'peer-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep 'client-cert-auth');; \"2.6\") echo $(grep 'peer-auto-tls' /var/lib/rancher/k3s/server/db/etcd/config);; \"2.7\") echo $(grep 'trusted-ca-file' /var/lib/rancher/k3s/server/db/etcd/config);; esac else # If another database is running, return whatever is required to pass the scan case $1 in \"1.1.11\") echo \"700\";; \"1.2.29\") echo \"--etcd-certfile AND --etcd-keyfile\";; \"2.1\") echo \"cert-file AND key-file\";; \"2.2\") echo \"--client-cert-auth=true\";; \"2.3\") echo \"false\";; \"2.4\") echo \"peer-cert-file AND peer-key-file\";; \"2.5\") echo \"--client-cert-auth=true\";; \"2.6\") echo \"--peer-auto-tls=false\";; \"2.7\") echo \"--trusted-ca-file\";; esac fi Audit Execution: ./check_for_k3s_etcd.sh 2.6 Expected Result: '--peer-auto-tls' is not present OR '--peer-auto-tls' is equal to 'false' Returned Value: --peer-auto-tls=false error: process ID list syntax error Usage: ps [options] Try 'ps --help ' or 'ps --help ' for additional help text. For more details see ps(1). cat: /proc//environ: No such file or directory --peer-auto-tls=false","s":"2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated)","u":"/kr/security/self-assessment-1.23","h":"#26-ensure-that-the---peer-auto-tls-argument-is-not-set-to-true-automated","p":3063},{"i":3207,"t":"Result: pass Remediation: [Manual test] Follow the etcd documentation and create a dedicated certificate authority setup for the etcd service. Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master node and set the below parameter. --trusted-ca-file= Audit Script: check_for_k3s_etcd.sh #!/bin/bash # This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3) # before it checks the requirement set -eE handle_error() { echo \"false\" } trap 'handle_error' ERR if [[ \"$(journalctl -D /var/log/journal -u k3s | grep 'Managed etcd cluster initializing' | grep -v grep | wc -l)\" -gt 0 ]]; then case $1 in \"1.1.11\") echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);; \"1.2.29\") echo $(journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'etcd-');; \"2.1\") echo $(grep -A 5 'client-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep -E 'cert-file|key-file');; \"2.2\") echo $(grep -A 5 'client-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep 'client-cert-auth');; \"2.3\") echo $(grep 'auto-tls' /var/lib/rancher/k3s/server/db/etcd/config);; \"2.4\") echo $(grep -A 5 'peer-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep -E 'cert-file|key-file');; \"2.5\") echo $(grep -A 5 'peer-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep 'client-cert-auth');; \"2.6\") echo $(grep 'peer-auto-tls' /var/lib/rancher/k3s/server/db/etcd/config);; \"2.7\") echo $(grep 'trusted-ca-file' /var/lib/rancher/k3s/server/db/etcd/config);; esac else # If another database is running, return whatever is required to pass the scan case $1 in \"1.1.11\") echo \"700\";; \"1.2.29\") echo \"--etcd-certfile AND --etcd-keyfile\";; \"2.1\") echo \"cert-file AND key-file\";; \"2.2\") echo \"--client-cert-auth=true\";; \"2.3\") echo \"false\";; \"2.4\") echo \"peer-cert-file AND peer-key-file\";; \"2.5\") echo \"--client-cert-auth=true\";; \"2.6\") echo \"--peer-auto-tls=false\";; \"2.7\") echo \"--trusted-ca-file\";; esac fi Audit Execution: ./check_for_k3s_etcd.sh 2.7 Expected Result: 'trusted-ca-file' is present Returned Value: --trusted-ca-file trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt --trusted-ca-file","s":"2.7 Ensure that a unique Certificate Authority is used for etcd (Manual)","u":"/kr/security/self-assessment-1.23","h":"#27-ensure-that-a-unique-certificate-authority-is-used-for-etcd-manual","p":3063},{"i":3210,"t":"Result: warn Remediation: Alternative mechanisms provided by Kubernetes such as the use of OIDC should be implemented in place of client certificates.","s":"3.1.1 Client certificate authentication should not be used for users (Manual)","u":"/kr/security/self-assessment-1.23","h":"#311-client-certificate-authentication-should-not-be-used-for-users-manual","p":3063},{"i":3213,"t":"Result: warn Remediation: Create an audit policy file for your cluster. Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'audit-policy-file'","s":"3.2.1 Ensure that a minimal audit policy is created (Manual)","u":"/kr/security/self-assessment-1.23","h":"#321-ensure-that-a-minimal-audit-policy-is-created-manual","p":3063},{"i":3215,"t":"Result: warn Remediation: Review the audit policy provided for the cluster and ensure that it covers at least the following areas, Access to Secrets managed by the cluster. Care should be taken to only log Metadata for requests to Secrets, ConfigMaps, and TokenReviews, in order to avoid risk of logging sensitive data. Modification of Pod and Deployment objects. Use of pods/exec, pods/portforward, pods/proxy and services/proxy. For most requests, minimally logging at the Metadata level is recommended (the most basic level of logging).","s":"3.2.2 Ensure that the audit policy covers key security concerns (Manual)","u":"/kr/security/self-assessment-1.23","h":"#322-ensure-that-the-audit-policy-covers-key-security-concerns-manual","p":3063},{"i":3218,"t":"Result: Not Applicable Remediation: Run the below command (based on the file location on your system) on the each worker node. For example, chmod 644 /etc/systemd/system/kubelet.service.d/10-kubeadm.conf","s":"4.1.1 Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automated)","u":"/kr/security/self-assessment-1.23","h":"#411-ensure-that-the-kubelet-service-file-permissions-are-set-to-644-or-more-restrictive-automated","p":3063},{"i":3220,"t":"Result: Not Applicable Remediation: Run the below command (based on the file location on your system) on the each worker node. For example, chown root:root /etc/systemd/system/kubelet.service.d/10-kubeadm.conf","s":"4.1.2 Ensure that the kubelet service file ownership is set to root:root (Automated)","u":"/kr/security/self-assessment-1.23","h":"#412-ensure-that-the-kubelet-service-file-ownership-is-set-to-root-automated","p":3063},{"i":3222,"t":"Result: pass Remediation: Run the below command (based on the file location on your system) on the each worker node. For example, chmod 644 /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig Audit: stat -c %a /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig Expected Result: 'permissions' is present OR '/var/lib/rancher/k3s/agent/kubeproxy.kubeconfig' is not present Returned Value: 644 644","s":"4.1.3 If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive (Manual)","u":"/kr/security/self-assessment-1.23","h":"#413-if-proxy-kubeconfig-file-exists-ensure-permissions-are-set-to-644-or-more-restrictive-manual","p":3063},{"i":3224,"t":"Result: pass Remediation: Run the below command (based on the file location on your system) on the each worker node. For example, chown root:root /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig Audit: /bin/sh -c 'if test -e /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; fi' Expected Result: 'root:root' is present OR '/var/lib/rancher/k3s/agent/kubeproxy.kubeconfig' is not present Returned Value: root:root root:root","s":"4.1.4 If proxy kubeconfig file exists ensure ownership is set to root:root (Manual)","u":"/kr/security/self-assessment-1.23","h":"#414-if-proxy-kubeconfig-file-exists-ensure-ownership-is-set-to-root-manual","p":3063},{"i":3226,"t":"Result: pass Remediation: Run the below command (based on the file location on your system) on the each worker node. For example, chmod 644 /var/lib/rancher/k3s/server/cred/admin.kubeconfig Audit: stat -c %a /var/lib/rancher/k3s/agent/kubelet.kubeconfig Expected Result: '644' is equal to '644' Returned Value: 644 644","s":"4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive (Automated)","u":"/kr/security/self-assessment-1.23","h":"#415-ensure-that-the---kubeconfig-kubeletconf-file-permissions-are-set-to-644-or-more-restrictive-automated","p":3063},{"i":3228,"t":"Result: pass Remediation: Run the below command (based on the file location on your system) on the each worker node. For example, chown root:root /var/lib/rancher/k3s/server/cred/admin.kubeconfig Audit: stat -c %U:%G /var/lib/rancher/k3s/agent/kubelet.kubeconfig Expected Result: 'root:root' is equal to 'root:root' Returned Value: root:root root:root","s":"4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root (Automated)","u":"/kr/security/self-assessment-1.23","h":"#416-ensure-that-the---kubeconfig-kubeletconf-file-ownership-is-set-to-root-automated","p":3063},{"i":3230,"t":"Result: pass Remediation: Run the following command to modify the file permissions of the --client-ca-file: chmod 644 Audit: stat -c %a /var/lib/rancher/k3s/server/tls/server-ca.crt Expected Result: '644' is present OR '640' is present OR '600' is equal to '600' OR '444' is present OR '440' is present OR '400' is present OR '000' is present Returned Value: 644 600","s":"4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual)","u":"/kr/security/self-assessment-1.23","h":"#417-ensure-that-the-certificate-authorities-file-permissions-are-set-to-644-or-more-restrictive-manual","p":3063},{"i":3232,"t":"Result: pass Remediation: Run the following command to modify the ownership of the --client-ca-file: chown root:root . Audit: stat -c %U:%G /var/lib/rancher/k3s/server/tls/client-ca.crt Expected Result: 'root:root' is equal to 'root:root' Returned Value: root:root root:root","s":"4.1.8 Ensure that the client certificate authorities file ownership is set to root:root (Manual)","u":"/kr/security/self-assessment-1.23","h":"#418-ensure-that-the-client-certificate-authorities-file-ownership-is-set-to-root-manual","p":3063},{"i":3234,"t":"Result: Not Applicable Remediation: Run the following command (using the config file location identified in the Audit step) chmod 644 /var/lib/kubelet/config.yaml","s":"4.1.9 Ensure that the kubelet --config configuration file has permissions set to 644 or more restrictive (Automated)","u":"/kr/security/self-assessment-1.23","h":"#419-ensure-that-the-kubelet---config-configuration-file-has-permissions-set-to-644-or-more-restrictive-automated","p":3063},{"i":3236,"t":"Result: Not Applicable Remediation: Run the following command (using the config file location identified in the Audit step) chown root:root /var/lib/kubelet/config.yaml","s":"4.1.10 Ensure that the kubelet --config configuration file ownership is set to root:root (Automated)","u":"/kr/security/self-assessment-1.23","h":"#4110-ensure-that-the-kubelet---config-configuration-file-ownership-is-set-to-root-automated","p":3063},{"i":3239,"t":"Result: pass Remediation: If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to false. If using executable arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. --anonymous-auth=false Based on your system, restart the kubelet service. For example, systemctl daemon-reload systemctl restart kubelet.service Audit: /bin/sh -c 'if test $(journalctl -D /var/log/journal -u k3s | grep \"Running kube-apiserver\" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep \"Running kube-apiserver\" | tail -n1 | grep \"anonymous-auth\" | grep -v grep; else echo \"--anonymous-auth=false\"; fi' Expected Result: '--anonymous-auth' is equal to 'false' Returned Value: --anonymous-auth=false Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key\"","s":"4.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)","u":"/kr/security/self-assessment-1.23","h":"#421-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated","p":3063},{"i":3241,"t":"Result: pass Remediation: If using a Kubelet config file, edit the file to set authorization.mode to Webhook. If using executable arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameter in KUBELET_AUTHZ_ARGS variable. --authorization-mode=Webhook Based on your system, restart the kubelet service. For example, systemctl daemon-reload systemctl restart kubelet.service Audit: /bin/sh -c 'if test $(journalctl -D /var/log/journal -u k3s | grep \"Running kube-apiserver\" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep \"Running kube-apiserver\" | tail -n1 | grep \"authorization-mode\" | grep -v grep; else echo \"--authorization-mode=Webhook\"; fi' Expected Result: '--authorization-mode' does not have 'AlwaysAllow' Returned Value: --authorization-mode=Webhook Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key\"","s":"4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)","u":"/kr/security/self-assessment-1.23","h":"#422-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated","p":3063},{"i":3243,"t":"Result: pass Remediation: If using a Kubelet config file, edit the file to set authentication.x509.clientCAFile to the location of the client CA file. If using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameter in KUBELET_AUTHZ_ARGS variable. --client-ca-file= Based on your system, restart the kubelet service. For example, systemctl daemon-reload systemctl restart kubelet.service Audit: /bin/sh -c 'if test $(journalctl -D /var/log/journal -u k3s | grep \"Running kube-apiserver\" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep \"Running kube-apiserver\" | tail -n1 | grep \"client-ca-file\" | grep -v grep; else echo \"--client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt\"; fi' Expected Result: '--client-ca-file' is present Returned Value: --client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:40Z\" level=info msg=\"Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key\"","s":"4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)","u":"/kr/security/self-assessment-1.23","h":"#423-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated","p":3063},{"i":3245,"t":"Result: pass Remediation: If using a Kubelet config file, edit the file to set readOnlyPort to 0. If using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. --read-only-port=0 Based on your system, restart the kubelet service. For example, systemctl daemon-reload systemctl restart kubelet.service Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kubelet' | tail -n1 | grep 'read-only-port' Expected Result: '--read-only-port' is equal to '0' OR '--read-only-port' is not present Returned Value: Sep 13 13:26:50 k3s-123-cis-pool2-98604672-hr9p5 k3s[1592]: time=\"2022-09-13T13:26:50Z\" level=info msg=\"Running kubelet --address=0.0.0.0 --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=k3s-123-cis-pool2-98604672-hr9p5 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --node-labels=rke.cattle.io/machine=00c4e7a0-5497-4367-a70c-0b836757eae8 --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key\" Sep 13 13:26:44 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:44Z\" level=info msg=\"Running kubelet --address=0.0.0.0 --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=k3s-123-cis-pool3-b403f678-bzdg5 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --node-labels=rke.cattle.io/machine=109d596c-89f5-4c10-8c7f-6b82a38edd8f --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key\"","s":"4.2.4 Ensure that the --read-only-port argument is set to 0 (Manual)","u":"/kr/security/self-assessment-1.23","h":"#424-ensure-that-the---read-only-port-argument-is-set-to-0-manual","p":3063},{"i":3247,"t":"Result: warn Remediation: If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a value other than 0. If using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. --streaming-connection-idle-timeout=5m Based on your system, restart the kubelet service. For example, systemctl daemon-reload systemctl restart kubelet.service Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kubelet' | tail -n1 | grep 'streaming-connection-idle-timeout'","s":"4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)","u":"/kr/security/self-assessment-1.23","h":"#425-ensure-that-the---streaming-connection-idle-timeout-argument-is-not-set-to-0-manual","p":3063},{"i":3249,"t":"Result: Not Applicable Remediation: If using a Kubelet config file, edit the file to set protectKernelDefaults to true. If using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. --protect-kernel-defaults=true Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service","s":"4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)","u":"/kr/security/self-assessment-1.23","h":"#426-ensure-that-the---protect-kernel-defaults-argument-is-set-to-true-automated","p":3063},{"i":3251,"t":"Result: Not Applicable Remediation: If using a Kubelet config file, edit the file to set makeIPTablesUtilChains to true. If using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and remove the --make-iptables-util-chains argument from the KUBELET_SYSTEM_PODS_ARGS variable. Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service","s":"4.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Automated)","u":"/kr/security/self-assessment-1.23","h":"#427-ensure-that-the---make-iptables-util-chains-argument-is-set-to-true-automated","p":3063},{"i":3253,"t":"Result: Not Applicable Remediation: Edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and remove the --hostname-override argument from the KUBELET_SYSTEM_PODS_ARGS variable. Based on your system, restart the kubelet service. For example, systemctl daemon-reload systemctl restart kubelet.service","s":"4.2.8 Ensure that the --hostname-override argument is not set (Manual)","u":"/kr/security/self-assessment-1.23","h":"#428-ensure-that-the---hostname-override-argument-is-not-set-manual","p":3063},{"i":3255,"t":"Result: warn Remediation: If using a Kubelet config file, edit the file to set eventRecordQPS to an appropriate level. If using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. Based on your system, restart the kubelet service. For example, systemctl daemon-reload systemctl restart kubelet.service Audit: /bin/ps -fC containerd","s":"4.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Manual)","u":"/kr/security/self-assessment-1.23","h":"#429-ensure-that-the---event-qps-argument-is-set-to-0-or-a-level-which-ensures-appropriate-event-capture-manual","p":3063},{"i":3257,"t":"Result: pass Remediation: If using a Kubelet config file, edit the file to set tlsCertFile to the location of the certificate file to use to identify this Kubelet, and tlsPrivateKeyFile to the location of the corresponding private key file. If using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameters in KUBELET_CERTIFICATE_ARGS variable. --tls-cert-file= --tls-private-key-file= Based on your system, restart the kubelet service. For example, systemctl daemon-reload systemctl restart kubelet.service Audit: journalctl -D /var/log/journal -u k3s | grep 'Running kubelet' | tail -n1 Expected Result: '--tls-cert-file' is present AND '--tls-private-key-file' is present Returned Value: Sep 13 13:26:50 k3s-123-cis-pool2-98604672-hr9p5 k3s[1592]: time=\"2022-09-13T13:26:50Z\" level=info msg=\"Running kubelet --address=0.0.0.0 --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=k3s-123-cis-pool2-98604672-hr9p5 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --node-labels=rke.cattle.io/machine=00c4e7a0-5497-4367-a70c-0b836757eae8 --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key\" Sep 13 13:26:44 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time=\"2022-09-13T13:26:44Z\" level=info msg=\"Running kubelet --address=0.0.0.0 --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=k3s-123-cis-pool3-b403f678-bzdg5 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --node-labels=rke.cattle.io/machine=109d596c-89f5-4c10-8c7f-6b82a38edd8f --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key\"","s":"4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)","u":"/kr/security/self-assessment-1.23","h":"#4210-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-manual","p":3063},{"i":3259,"t":"Result: Not Applicable Remediation: If using a Kubelet config file, edit the file to add the line rotateCertificates to true or remove it altogether to use the default value. If using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and remove --rotate-certificates=false argument from the KUBELET_CERTIFICATE_ARGS variable. Based on your system, restart the kubelet service. For example, systemctl daemon-reload systemctl restart kubelet.service","s":"4.2.11 Ensure that the --rotate-certificates argument is not set to false (Automated)","u":"/kr/security/self-assessment-1.23","h":"#4211-ensure-that-the---rotate-certificates-argument-is-not-set-to-false-automated","p":3063},{"i":3261,"t":"Result: Not Applicable Remediation: Edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable. --feature-gates=RotateKubeletServerCertificate=true Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service","s":"4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true (Manual)","u":"/kr/security/self-assessment-1.23","h":"#4212-verify-that-the-rotatekubeletservercertificate-argument-is-set-to-true-manual","p":3063},{"i":3263,"t":"Result: warn Remediation: If using a Kubelet config file, edit the file to set TLSCipherSuites to TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256 or to a subset of these values. If using executable arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the --tls-cipher-suites parameter as follows, or to a subset of these values. --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256 Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service Audit: /bin/ps -fC containerd","s":"4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)","u":"/kr/security/self-assessment-1.23","h":"#4213-ensure-that-the-kubelet-only-makes-use-of-strong-cryptographic-ciphers-manual","p":3063},{"i":3266,"t":"Result: warn Remediation: Identify all clusterrolebindings to the cluster-admin role. Check if they are used and if they need this role or if they could use a role with fewer privileges. Where possible, first bind users to a lower privileged role and then remove the clusterrolebinding to the cluster-admin role : kubectl delete clusterrolebinding [name]","s":"5.1.1 Ensure that the cluster-admin role is only used where required (Manual)","u":"/kr/security/self-assessment-1.23","h":"#511-ensure-that-the-cluster-admin-role-is-only-used-where-required-manual","p":3063},{"i":3268,"t":"Result: warn Remediation: Where possible, remove get, list and watch access to Secret objects in the cluster.","s":"5.1.2 Minimize access to secrets (Manual)","u":"/kr/security/self-assessment-1.23","h":"#512-minimize-access-to-secrets-manual","p":3063},{"i":3270,"t":"Result: warn Remediation: Where possible replace any use of wildcards in clusterroles and roles with specific objects or actions.","s":"5.1.3 Minimize wildcard use in Roles and ClusterRoles (Manual)","u":"/kr/security/self-assessment-1.23","h":"#513-minimize-wildcard-use-in-roles-and-clusterroles-manual","p":3063},{"i":3272,"t":"Result: warn Remediation: Where possible, remove create access to pod objects in the cluster.","s":"5.1.4 Minimize access to create pods (Manual)","u":"/kr/security/self-assessment-1.23","h":"#514-minimize-access-to-create-pods-manual","p":3063},{"i":3274,"t":"Result: warn Remediation: Create explicit service accounts wherever a Kubernetes workload requires specific access to the Kubernetes API server. Modify the configuration of each default service account to include this value automountServiceAccountToken: false","s":"5.1.5 Ensure that default service accounts are not actively used. (Manual)","u":"/kr/security/self-assessment-1.23","h":"#515-ensure-that-default-service-accounts-are-not-actively-used-manual","p":3063},{"i":3276,"t":"Result: warn Remediation: Modify the definition of pods and service accounts which do not need to mount service account tokens to disable it.","s":"5.1.6 Ensure that Service Account Tokens are only mounted where necessary (Manual)","u":"/kr/security/self-assessment-1.23","h":"#516-ensure-that-service-account-tokens-are-only-mounted-where-necessary-manual","p":3063},{"i":3278,"t":"Result: warn Remediation: Remove the system:masters group from all users in the cluster.","s":"5.1.7 Avoid use of system:masters group (Manual)","u":"/kr/security/self-assessment-1.23","h":"#517-avoid-use-of-system-group-manual","p":3063},{"i":3280,"t":"Result: warn Remediation: Where possible, remove the impersonate, bind and escalate rights from subjects.","s":"5.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)","u":"/kr/security/self-assessment-1.23","h":"#518-limit-use-of-the-bind-impersonate-and-escalate-permissions-in-the-kubernetes-cluster-manual","p":3063},{"i":3283,"t":"Result: warn Remediation: Ensure that either Pod Security Admission or an external policy control system is in place for every namespace which contains user workloads.","s":"5.2.1 Ensure that the cluster has at least one active policy control mechanism in place (Manual)","u":"/kr/security/self-assessment-1.23","h":"#521-ensure-that-the-cluster-has-at-least-one-active-policy-control-mechanism-in-place-manual","p":3063},{"i":3285,"t":"Result: warn Remediation: Add policies to each namespace in the cluster which has user workloads to restrict the admission of privileged containers.","s":"5.2.2 Minimize the admission of privileged containers (Automated)","u":"/kr/security/self-assessment-1.23","h":"#522-minimize-the-admission-of-privileged-containers-automated","p":3063},{"i":3287,"t":"Result: warn Remediation: Add policies to each namespace in the cluster which has user workloads to restrict the admission of hostPID containers.","s":"5.2.3 Minimize the admission of containers wishing to share the host process ID namespace (Automated)","u":"/kr/security/self-assessment-1.23","h":"#523-minimize-the-admission-of-containers-wishing-to-share-the-host-process-id-namespace-automated","p":3063},{"i":3289,"t":"Result: warn Remediation: Add policies to each namespace in the cluster which has user workloads to restrict the admission of hostIPC containers.","s":"5.2.4 Minimize the admission of containers wishing to share the host IPC namespace (Automated)","u":"/kr/security/self-assessment-1.23","h":"#524-minimize-the-admission-of-containers-wishing-to-share-the-host-ipc-namespace-automated","p":3063},{"i":3291,"t":"Result: warn Remediation: Add policies to each namespace in the cluster which has user workloads to restrict the admission of hostNetwork containers.","s":"5.2.5 Minimize the admission of containers wishing to share the host network namespace (Automated)","u":"/kr/security/self-assessment-1.23","h":"#525-minimize-the-admission-of-containers-wishing-to-share-the-host-network-namespace-automated","p":3063},{"i":3293,"t":"Result: warn Remediation: Add policies to each namespace in the cluster which has user workloads to restrict the admission of containers with .spec.allowPrivilegeEscalation set to true.","s":"5.2.6 Minimize the admission of containers with allowPrivilegeEscalation (Automated)","u":"/kr/security/self-assessment-1.23","h":"#526-minimize-the-admission-of-containers-with-allowprivilegeescalation-automated","p":3063},{"i":3295,"t":"Result: warn Remediation: Create a policy for each namespace in the cluster, ensuring that either MustRunAsNonRoot or MustRunAs with the range of UIDs not including 0, is set.","s":"5.2.7 Minimize the admission of root containers (Automated)","u":"/kr/security/self-assessment-1.23","h":"#527-minimize-the-admission-of-root-containers-automated","p":3063},{"i":3297,"t":"Result: warn Remediation: Add policies to each namespace in the cluster which has user workloads to restrict the admission of containers with the NET_RAW capability.","s":"5.2.8 Minimize the admission of containers with the NET_RAW capability (Automated)","u":"/kr/security/self-assessment-1.23","h":"#528-minimize-the-admission-of-containers-with-the-net_raw-capability-automated","p":3063},{"i":3299,"t":"Result: warn Remediation: Ensure that allowedCapabilities is not present in policies for the cluster unless it is set to an empty array.","s":"5.2.9 Minimize the admission of containers with added capabilities (Automated)","u":"/kr/security/self-assessment-1.23","h":"#529-minimize-the-admission-of-containers-with-added-capabilities-automated","p":3063},{"i":3301,"t":"Result: warn Remediation: Review the use of capabilities in applications running on your cluster. Where a namespace contains applications which do not require any Linux capabilities to operate consider adding a PSP which forbids the admission of containers which do not drop all capabilities.","s":"5.2.10 Minimize the admission of containers with capabilities assigned (Manual)","u":"/kr/security/self-assessment-1.23","h":"#5210-minimize-the-admission-of-containers-with-capabilities-assigned-manual","p":3063},{"i":3303,"t":"Result: warn Remediation: Add policies to each namespace in the cluster which has user workloads to restrict the admission of containers that have .securityContext.windowsOptions.hostProcess set to true.","s":"5.2.11 Minimize the admission of Windows HostProcess containers (Manual)","u":"/kr/security/self-assessment-1.23","h":"#5211-minimize-the-admission-of-windows-hostprocess-containers-manual","p":3063},{"i":3305,"t":"Result: warn Remediation: Add policies to each namespace in the cluster which has user workloads to restrict the admission of containers with hostPath volumes.","s":"5.2.12 Minimize the admission of HostPath volumes (Manual)","u":"/kr/security/self-assessment-1.23","h":"#5212-minimize-the-admission-of-hostpath-volumes-manual","p":3063},{"i":3307,"t":"Result: warn Remediation: Add policies to each namespace in the cluster which has user workloads to restrict the admission of containers which use hostPort sections.","s":"5.2.13 Minimize the admission of containers which use HostPorts (Manual)","u":"/kr/security/self-assessment-1.23","h":"#5213-minimize-the-admission-of-containers-which-use-hostports-manual","p":3063},{"i":3310,"t":"Result: warn Remediation: If the CNI plugin in use does not support network policies, consideration should be given to making use of a different plugin, or finding an alternate mechanism for restricting traffic in the Kubernetes cluster.","s":"5.3.1 Ensure that the CNI in use supports NetworkPolicies (Manual)","u":"/kr/security/self-assessment-1.23","h":"#531-ensure-that-the-cni-in-use-supports-networkpolicies-manual","p":3063},{"i":3312,"t":"Result: warn Remediation: Follow the documentation and create NetworkPolicy objects as you need them.","s":"5.3.2 Ensure that all Namespaces have NetworkPolicies defined (Manual)","u":"/kr/security/self-assessment-1.23","h":"#532-ensure-that-all-namespaces-have-networkpolicies-defined-manual","p":3063},{"i":3315,"t":"Result: warn Remediation: If possible, rewrite application code to read Secrets from mounted secret files, rather than from environment variables.","s":"5.4.1 Prefer using Secrets as files over Secrets as environment variables (Manual)","u":"/kr/security/self-assessment-1.23","h":"#541-prefer-using-secrets-as-files-over-secrets-as-environment-variables-manual","p":3063},{"i":3317,"t":"Result: warn Remediation: Refer to the Secrets management options offered by your cloud provider or a third-party secrets management solution.","s":"5.4.2 Consider external secret storage (Manual)","u":"/kr/security/self-assessment-1.23","h":"#542-consider-external-secret-storage-manual","p":3063},{"i":3320,"t":"Result: warn Remediation: Follow the Kubernetes documentation and setup image provenance.","s":"5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)","u":"/kr/security/self-assessment-1.23","h":"#551-configure-image-provenance-using-imagepolicywebhook-admission-controller-manual","p":3063},{"i":3323,"t":"Result: warn Remediation: Follow the documentation and create namespaces for objects in your deployment as you need them.","s":"5.7.1 Create administrative boundaries between resources using namespaces (Manual)","u":"/kr/security/self-assessment-1.23","h":"#571-create-administrative-boundaries-between-resources-using-namespaces-manual","p":3063},{"i":3325,"t":"Result: warn Remediation: Use securityContext to enable the docker/default seccomp profile in your pod definitions. An example is as below: securityContext: seccompProfile: type: RuntimeDefault","s":"5.7.2 Ensure that the seccomp profile is set to docker/default in your Pod definitions (Manual)","u":"/kr/security/self-assessment-1.23","h":"#572-ensure-that-the-seccomp-profile-is-set-to-dockerdefault-in-your-pod-definitions-manual","p":3063},{"i":3327,"t":"Result: warn Remediation: Follow the Kubernetes documentation and apply SecurityContexts to your Pods. For a suggested list of SecurityContexts, you may refer to the CIS Security Benchmark for Docker Containers.","s":"5.7.3 Apply SecurityContext to your Pods and Containers (Manual)","u":"/kr/security/self-assessment-1.23","h":"#573-apply-securitycontext-to-your-pods-and-containers-manual","p":3063},{"i":3329,"t":"Result: warn Remediation: Ensure that namespaces are created to allow for appropriate segregation of Kubernetes resources and that all new resources are created in a specific namespace.","s":"5.7.4 The default namespace should not be used (Manual)","u":"/kr/security/self-assessment-1.23","h":"#574-the-default-namespace-should-not-be-used-manual","p":3063}],"index":{"version":"2.3.9","fields":["t"],"fieldVectors":[["t/2484",[0,1.752,1,0.912,2,1.096,3,2.178,4,1.931,5,3.403]],["t/2486",[0,1.743,1,0.904,6,5.155,7,2.684]],["t/2488",[0,1.748,1,0.782,6,4.695,7,2.445,8,2.842,9,4.928]],["t/2490",[0,1.741,7,2.822,8,2.544]],["t/2492",[0,1.757,1,0.669,3,1.51,10,4.199,11,4.199,12,4.199,13,1.218,14,1.237,15,5.058,16,6.267,17,4.199,18,4.199,19,4.199,20,0.57]],["t/2494",[0,1.748,1,1.006,2,1.019,3,2.025,4,1.163,13,1.634,21,1.117,22,1.628,23,1.796,24,1.887,25,1.229,26,2.142,27,1.831,28,2.575,29,1.858,30,3.096,31,1.628,32,2.711,33,3.866,34,3.287,35,2.802,36,4.528,37,2.601,38,1.401,39,2.219,40,2.172,41,4.327,42,2.142,43,1.725,44,4.015,45,2.694,46,2.544,47,2.787,48,2.206,49,2.382,50,2.447]],["t/2497",[1,0.88,2,1.487,48,3.866,51,3.01,52,4.796,53,7.468,54,8.376,55,6.607,56,7.468,57,7.581,58,6.069,59,7.468,60,4.25,61,6.607,62,4.537,63,3.319]],["t/2499",[0,1.364,1,1,2,1.711,4,2.053,7,2.316,13,1.868,24,3.331,25,2.063,26,2.449,27,3.233,31,3.778,43,1.972,48,4.339,51,2.358,63,3.419,64,6.501,65,3.495,66,1.091,67,5.177,68,6.035,69,4.131,70,5.466,71,3.1,72,3.555,73,2.523,74,1.746,75,6.438,76,1.897,77,5.177,78,2.685]],["t/2501",[1,0.801,2,1.52,7,1.542,8,2.723,14,1.263,20,0.864,21,2.325,25,0.936,39,2.609,42,1.631,47,3.151,48,4.355,52,3.716,55,3.448,56,3.898,58,3.167,60,2.218,61,3.448,62,2.368,63,2.571,64,4.521,66,1.52,79,1.981,80,2.503,81,3.724,82,3.898,83,3.515,84,1.87,85,2.093,86,1.849,87,3.898,88,1.631,89,1.314,90,3.716,91,3.295,92,2.841,93,4.701,94,4.539,95,2.185,96,2.503,97,4.288,98,4.288,99,3.439,100,2.609,101,6.365,102,4.539,103,3.898,104,3.898,105,4.288,106,4.288,107,4.288,108,4.288,109,3.058,110,4.288,111,2.801,112,3.898,113,2.218,114,0.746,115,2.962,116,1.914,117,2.503,118,2.877,119,2.065,120,4.288,121,4.835,122,3.64,123,2.123,124,3.64,125,2.038,126,3.448,127,3.448,128,3.898,129,2.368,130,3.898,131,1.986,132,4.288,133,2.328,134,2.093,135,1.769,136,2.41,137,2.065,138,3.64,139,2.038,140,1.528,141,3.64,142,3.448,143,2.153,144,3.898,145,3.898,146,3.898,147,3.898]],["t/2503",[0,1.315,1,0.673,2,1.084,21,1.459,42,1.122,43,1.459,48,3.94,49,1.927,51,1.744,55,2.372,60,1.526,62,2.63,63,2.776,64,1.757,66,1.544,74,0.8,76,2.222,79,1.482,81,3.809,87,2.682,90,4.708,92,2.673,93,2.179,94,2.104,95,3.051,99,2.594,109,2.104,112,2.682,114,1.042,125,1.402,140,1.051,148,1.503,149,4.018,150,2.008,151,1.629,152,2.682,153,1.738,154,4.549,155,2.95,156,2.617,157,1.503,158,2.267,159,2.95,160,4.685,161,4.043,162,1.106,163,3.659,164,2.372,165,0.653,166,2.505,167,5.209,168,7.006,169,4.568,170,2.372,171,2.267,172,2.077,173,1.672,174,2.63,175,4.423,176,3.407,177,5.57,178,3.29,179,2.464,180,2.502,181,2.104,182,1.258,183,4.762,184,4.762,185,1.145,186,1.244,187,2.038,188,2.682,189,4.329,190,2.95,191,3.911,192,4.329,193,2.357,194,1.944,195,4.762,196,2.95,197,2.95,198,2.95,199,2.565,200,1.421,201,2.267,202,1.927,203,2.682,204,2.682,205,2.038,206,2.95,207,4.423,208,2.267,209,2.95,210,2.95,211,2.95,212,1.46,213,2.372,214,2.104,215,2.682,216,2.505,217,2.038,218,1.081,219,1.927,220,1.286,221,2.682,222,1.927,223,2.505]],["t/2505",[0,1.306,1,0.696,2,0.91,3,1.135,20,1.059,21,1.919,42,3.162,48,3.655,49,2.062,61,2.538,63,1.275,64,5.391,66,1.683,67,2.538,74,1.699,76,0.93,79,1.565,81,3.753,90,4.852,92,1.409,93,2.331,95,1.608,99,2.859,100,1.92,109,4.468,113,2.601,114,0.874,119,1.52,121,5.553,123,2.489,125,3.707,129,2.776,131,1.462,134,1.541,149,3.373,150,2.119,151,1.743,153,1.444,154,3.395,156,1.095,160,4.308,161,4.268,162,0.928,163,2.425,165,0.698,167,4.438,168,2.425,169,1.633,173,1.276,175,2.331,186,2.119,193,3.862,199,3.102,201,2.425,202,2.062,203,2.869,208,3.863,212,1.562,213,2.538,214,2.251,215,2.869,216,2.68,217,2.18,218,1.156,224,4.043,225,5.038,226,2.562,227,2.299,228,3.228,229,1.032,230,2.331,231,3.284,232,1.963,233,4.043,234,5.694,235,2.331,236,2.524,237,4.043,238,1.894,239,1.76,240,1.345,241,2.389,242,4.569,243,1.135,244,0.814,245,1.92,246,2.331,247,1.88,248,3.156,249,1.316,250,1.331,251,5.694,252,4.043,253,2.538,254,3.156,255,3.156,256,2.68,257,2.869,258,3.156,259,2.869,260,1.105,261,1.095,262,2.18,263,2.68,264,1.685,265,2.425,266,1.562,267,2.062,268,0.838]],["t/2507",[0,1.048,1,0.751,2,0.931,3,1.168,20,1.142,21,1.956,38,1.248,42,3.202,48,3.922,49,2.122,63,1.312,64,5.013,66,1.549,67,2.613,74,0.881,76,1.515,81,3.905,86,1.401,89,2.578,90,3.003,91,6.081,92,4.305,93,2.4,95,1.656,99,2.197,100,1.976,113,2.661,114,0.895,118,2.18,119,2.477,121,5.997,123,1.608,125,4.345,129,2.84,131,1.505,140,1.158,151,1.794,152,2.953,153,1.472,154,3.76,156,2.216,158,2.496,161,4.367,162,0.6,163,2.496,167,2.746,168,2.496,169,2.661,173,0.919,175,2.4,189,5.804,193,3.161,199,2.383,212,1.608,213,2.613,214,2.317,216,2.758,217,2.244,218,1.19,224,4.136,225,4.136,226,2.621,227,2.353,228,3.281,229,1.062,230,2.4,231,3.36,232,2.021,234,2.953,237,2.613,238,1.224,239,1.801,240,1.385,241,3.034,242,4.675,243,1.442,244,0.838,245,3.885,260,1.137,261,1.127,262,2.244,263,2.758,264,1.735,265,2.496,266,1.608,267,2.122,268,0.862,269,2.317,270,7.913,271,4.554,272,2.069,273,2.496,274,2.613,275,1.86,276,3.249,277,4.675,278,3.249,279,3.249]],["t/2509",[0,1.484,1,0.689,2,0.799,3,1.587,21,2.365,42,2.936,48,2.547,49,2.882,64,5.657,66,1.307,74,2.576,76,1.3,81,3.008,86,1.902,90,3.795,92,1.97,99,3.599,114,1.131,119,3.13,121,5.424,123,2.184,125,3.089,129,3.59,131,2.043,135,2.682,153,1.017,156,1.531,162,0.815,169,3.363,173,1.379,175,3.259,185,1.712,186,3.828,188,4.01,193,3.218,199,1.647,201,3.39,202,2.882,217,3.048,218,1.616,222,2.882,224,3.548,225,3.548,226,2.248,227,2.018,228,3.487,229,2.125,230,3.259,231,4.246,232,2.745,240,1.881,244,1.138,251,4.01,256,5.519,257,4.01,259,4.01,260,1.545,262,3.048,271,4.636,280,7.718,281,4.412,282,2.283,283,3.048,284,4.01,285,2.436,286,8.516,287,1.587,288,4.412,289,3.146,290,6.501,291,4.412,292,4.412,293,3.048,294,6.501,295,4.412,296,3.048,297,2.882,298,3.259,299,3.746]],["t/2511",[1,0.666,2,1.684,3,3.345,33,4.195,52,4.356,66,1.576,71,3.594,84,3.254,85,3.643,86,3.217,88,3.539,162,1.378,173,1.81,180,3.921,238,3.505,268,2.815,300,3.546,301,6.001,302,6.335,303,3.118,304,5.54,305,2.069,306,4.54]],["t/2513",[22,3.311,71,3.572,80,4.33,89,2.272,129,4.096,131,5.046,165,2.05,173,1.805,232,4.614,243,2.39,303,2.486,307,3.621,308,3.392,309,3.96,310,5.964,311,5.964,312,6.437,313,5.699,314,5.964,315,5.964,316,4.096,317,5.964,318,5.289,319,4.614]],["t/2515",[2,1.737,22,3.502,42,4.107,66,1.625,173,1.714,243,2.5,249,3.272,250,3.308,303,2.63,320,6.31,321,5.42,322,4.683,323,6.31,324,4.58,325,5.42,326,3.589]],["t/2517",[22,3.876,89,2.66,123,4.299,243,2.302,303,2.911,327,5.672,328,3.211,329,6.414,330,6.193,331,6.673,332,4.795]],["t/2519",[2,1.064,4,2.881,15,4.846,20,1.415,22,2.625,23,2.54,28,2.689,51,2.918,63,2.375,66,0.996,73,3.539,89,2.767,116,2.625,129,3.247,165,1.998,226,4.059,243,2.186,249,2.452,250,2.479,296,4.062,303,1.971,312,6.167,333,4.343,334,4.65,335,5.503,336,5.345,337,3.658,338,5.496,339,4.992,340,4.343,341,4.992,342,2.996,343,5.503,344,4.992,345,1.801,346,3.745,347,3.756,348,4.992,349,3.192,350,5.883,351,4.846,352,4.992,353,2.625,354,4.728,355,4.992]],["t/2521",[22,3.213,28,4.159,37,6.485,38,2.765,39,4.379,66,1.54,89,2.205,160,3.975,165,1.592,173,1.286,182,3.068,185,3.528,243,2.251,268,1.91,303,2.413,312,4.585,356,3.724,357,2.849,358,7.72,359,4.973,360,4.936,361,5.819,362,7.313,363,3.834,364,7.198,365,6.111,366,4.321,367,5.317]],["t/2523",[4,2.086,5,4.807,20,1.371,22,2.92,29,5.48,40,3.896,89,2.919,139,4.064,173,1.702,243,2.474,249,2.728,250,2.758,303,2.193,312,6.678,368,3.844,369,3.419,370,4.118,371,4.389,372,6.794,373,5.554,374,5.554,375,5.554,376,7.321,377,3.021]],["t/2525",[4,3.172,13,2.886,22,3.718,31,4.44,160,5.492,243,2.246,303,3.565,378,5.399,379,5.591]],["t/2527",[22,3.643,28,3.733,37,5.82,66,1.382,162,1.507,303,2.736,361,4.764,380,7.007,381,6.028,382,4.43,383,4.732,384,6.418,385,6.028,386,6.563,387,5.626,388,5.077,389,4.098]],["t/2529",[22,3.795,29,5.131,42,3.235,46,3.841,66,1.706,114,1.479,243,1.92,249,3.546,250,3.585,303,2.85,312,5.416,390,6.837,391,7.728]],["t/2531",[0,1.217,1,0.753,3,2.303,4,2.042,8,2.076,20,1.501,21,1.962,32,3.084,62,3.537,66,1.085,88,2.436,134,4.117,153,1.476,162,1.182,191,4.183,207,4.73,238,3.178,268,1.7,334,6.457,336,7.314,392,4.641,393,3.739,394,6.48,395,3.815,396,4.079,397,4.921,398,1.789,399,4.567,400,5.437,401,6.404,402,6.404,403,3.365,404,4.73,405,2.761]],["t/2533",[1,0.366,2,0.954,3,1.896,4,2.356,5,2.304,13,1.189,15,2.493,20,1.226,23,1.307,28,3.128,29,3.765,31,1.829,37,2.923,38,0.944,39,1.495,40,1.463,42,2.341,51,1.501,63,0.993,66,1.252,71,1.183,73,2.68,80,1.434,89,2.982,114,0.917,116,1.097,123,1.216,129,2.263,131,4.185,139,1.947,150,1.036,153,0.566,160,2.911,162,0.757,165,1.635,173,1.684,182,1.047,185,1.59,193,1.216,194,2.512,226,2.687,232,1.528,238,2.319,243,2.458,249,1.025,250,1.036,268,1.088,296,1.697,303,1.374,305,0.681,307,1.199,308,1.124,309,1.312,310,1.976,311,1.976,313,1.888,314,1.976,315,1.976,316,1.357,317,1.976,318,1.752,319,1.528,320,1.976,321,1.697,322,2.001,323,1.976,324,1.434,325,2.831,326,1.124,327,2.677,328,0.908,329,1.815,330,1.752,331,1.888,332,1.357,333,1.815,334,2.392,335,2.831,336,2.75,337,1.528,338,3.207,339,2.086,340,1.815,341,2.086,342,1.252,343,2.831,344,2.086,345,0.753,346,1.565,347,2.387,348,2.086,349,1.334,350,3.027,351,2.493,352,2.086,353,1.097,354,1.976,355,2.086,356,1.271,357,0.972,358,3.479,359,1.697,360,3.34,361,3.592,362,3.296,363,2.594,365,2.086,366,1.947,367,1.815,368,2.006,369,1.639,370,1.974,371,1.649,372,3.76,373,2.086,374,2.086,375,2.086,376,4.728,377,2.61,378,2.225,379,2.304,380,2.923,381,1.815,382,1.334,383,1.974,384,2.677,385,3.027,386,1.976,387,3.019,388,1.528,389,1.234,398,0.686,406,1.976,407,2.233,408,2.086,409,1.888,410,1.071,411,1.649,412,2.086,413,3.149,414,1.815,415,2.233,416,2.457,417,7.753,418,4.388,419,2.12,420,2.233,421,2.233,422,6.217,423,2.233,424,1.752,425,3.479,426,2.233,427,6.716,428,3.296,429,3.725,430,3.642]],["t/2535",[0,1.443,1,0.893,2,1.089,7,1.068,14,0.875,21,1.218,22,1.775,24,1.537,43,3.243,44,7.72,45,7.927,46,3.117,48,0.662,52,0.986,60,0.873,62,1.64,63,2.622,66,0.286,67,5.549,68,2.118,69,1.942,71,1.43,72,0.932,73,2.357,76,0.497,80,1.734,81,1.049,85,0.824,89,2.223,95,0.86,96,0.986,99,2.603,100,1.807,113,0.873,114,1.612,116,1.326,117,2.322,123,3.416,125,1.89,131,1.376,133,1.612,134,0.824,135,0.697,136,0.949,137,2.306,140,1.418,150,1.677,153,0.389,156,1.38,160,0.932,162,1.007,165,0.88,169,0.873,173,0.531,182,0.72,193,2.701,199,0.63,217,1.166,227,0.772,228,1.342,236,0.848,238,2.6,243,1.232,249,0.704,250,0.712,268,1.055,271,2.118,282,0.873,283,2.748,285,0.932,289,1.204,297,1.103,300,0.802,301,1.358,302,1.433,303,1.829,305,0.468,308,1.359,316,0.932,319,1.05,326,0.772,327,2.598,329,1.247,330,2.118,345,0.91,349,1.612,353,0.754,356,2.477,357,1.574,359,2.748,360,2.599,376,1.297,395,1.006,397,3.056,398,0.472,403,0.887,431,1.433,432,3.661,433,5.88,434,1.688,435,1.688,436,3.013,437,2.389,438,1.688,439,1.358,440,1.688,441,1.166,442,1.94,443,0.917,444,0.967,445,6.505,446,2.97,447,0.594,448,2.7,449,4.065,450,3.376,451,3.185,452,2.7,453,1.688,454,1.688,455,1.05,456,1.688,457,2.522,458,0.986,459,1.433,460,1.433,461,1.204,462,4.838,463,3.537,464,1.247,465,1.535,466,1.433,467,0.967,468,1.297,469,1.433,470,1.433,471,3.615,472,1.103,473,3.977,474,0.728,475,1.535,476,1.359,477,1.535,478,1.075,479,1.05,480,2.389,481,1.166,482,3.237,483,5.107,484,2.522,485,1.433,486,3.977,487,6.016,488,1.006,489,1.433,490,1.688,491,1.103,492,1.688,493,1.05,494,1.688,495,1.358,496,4.96,497,1.535,498,1.535,499,1.688,500,1.688,501,1.688,502,1.688,503,1.247,504,1.433,505,1.688,506,0.596,507,1.358,508,1.05,509,1.213,510,1.075,511,0.642]],["t/2537",[0,1.734,1,0.87,512,5.26]],["t/2540",[0,1.743,1,0.805,64,4.237,81,3.801,96,4.153]],["t/2542",[0,1.744,1,0.899,53,6.701,59,6.701]],["t/2544",[0,1.748,1,0.803,42,2.691,513,6.429]],["t/2546",[0,1.751,1,0.868,4,2.178,264,2.52,368,3.052,514,3.006,515,4.719,516,4.719,517,8.023,518,4.719,519,4.719,520,4.719,521,4.719,522,4.719,523,4.719,524,2.936,525,4.719,526,8.792,527,4.719,528,4.719,529,4.719,530,4.719,531,4.719,532,4.719]],["t/2548",[0,1.675,1,0.676,2,0.988,4,1.362,13,2.197,14,2.231,15,1.571,21,0.791,28,1.181,32,1.243,37,1.841,38,0.992,49,1.686,73,1.673,156,0.896,162,1.298,212,2.114,218,0.946,220,3.906,228,1.166,244,0.666,308,3.215,324,1.507,346,1.644,347,2.119,349,2.318,353,1.152,360,3.815,361,5.074,362,5.652,363,1.088,372,1.841,381,3.154,533,4.27,534,2.582,535,2.582,536,2.582,537,2.358,538,1.538,539,1.451,540,2.789,541,1.762,542,1.784,543,2.95,544,1.907,545,4.392,546,5.461,547,2.582,548,5.768,549,5.768,550,2.72,551,4.27,552,2.582,553,1.478,554,4.993,555,2.582,556,2.582,557,2.865,558,5.461,559,2.582,560,2.347,561,2.582,562,2.582,563,4.27,564,5.461,565,2.582,566,1.984,567,2.582,568,2.582,569,3.625,570,9.436,571,8.957,572,4.27,573,2.582,574,5.461,575,5.461,576,5.461,577,5.461,578,5.461,579,5.461,580,2.582,581,2.347,582,2.582,583,2.582,584,2.582,585,2.582,586,2.582,587,4.27,588,4.27,589,4.27,590,4.27,591,4.27,592,4.27,593,2.582,594,7.028,595,2.582,596,2.582,597,2.582,598,2.582,599,2.582,600,2.582,601,2.582,602,2.582,603,4.27,604,4.27,605,4.27,606,4.27,607,4.27,608,4.27,609,2.582,610,2.582,611,2.582,612,2.582,613,2.582,614,2.582,615,2.582,616,2.582,617,2.582,618,2.582,619,2.582,620,2.582,621,2.192,622,2.582,623,4.27,624,4.27,625,4.27,626,4.27,627,4.27,628,4.27,629,2.582,630,2.582,631,2.582,632,2.582,633,2.582]],["t/2550",[0,1.728,1,0.833,33,3.526,43,2.548,135,2.588,176,2.834,212,3.105,213,5.044,410,2.735,540,5.433,634,10.629,635,6.272,636,6.272,637,6.272,638,6.272,639,4.333,640,6.272,641,6.272,642,5.044,643,6.272,644,6.272,645,6.272,646,5.044,647,6.272,648,6.272,649,6.272]],["t/2552",[0,1.746,1,0.597,639,4.618,650,4.938,651,6.685,652,8.673,653,7.363,654,8.673,655,6.076]],["t/2554",[0,1.741,1,0.728,2,0.732,38,3.135,39,2.462,73,3.43,89,1.24,212,2.003,218,1.482,243,1.376,244,1.043,263,3.435,287,1.455,353,1.806,363,1.706,378,2.196,430,2.795,458,2.362,537,2.234,541,1.669,650,2.989,656,10.404,657,4.046,658,3.109,659,3.678,660,6.095,661,3.678,662,4.046,663,6.095,664,4.046,665,4.046,666,3.678,667,7.332,668,3.63,669,4.046,670,3.63,671,3.435,672,3.63,673,4.046,674,2.517,675,6.095,676,7.332,677,4.346,678,4.046,679,4.046,680,4.046,681,4.046,682,1.949,683,2.989,684,4.046,685,4.046,686,4.046]],["t/2556",[0,1.753,3,2.125,4,2.548,5,3.321,20,0.802,32,2.845,43,1.81,357,2.338]],["t/2558",[0,1.744,1,0.678,687,6.909]],["t/2560",[0,1.754,1,0.875,674,4.32,688,3.242,689,4.831,690,4.831,691,3.569,692,4.831,693,6.945,694,6.318,695,4.831,696,3.077,697,4.831]],["t/2562",[0,1.74,1,0.933,2,1.298,4,1.611,32,2.433,69,3.5,162,0.933,202,3.3,214,3.603,244,1.302,264,3.828,345,1.548,380,5.113,694,5.592,696,4.566,698,5.052,699,5.052,700,5.052,701,5.052,702,5.052,703,9.578,704,5.052,705,5.052,706,4.592,707,3.233,708,2.84,709,2.79,710,3.731,711,5.052,712,5.052,713,5.052,714,5.052]],["t/2564",[0,1.75,1,0.747,22,2.274,89,1.56,249,2.124,250,2.148,264,2.72,345,1.56,380,3.633,715,5.094,716,9.608,717,5.094,718,5.094,719,5.094,720,5.094,721,5.094,722,5.094,723,3.099,724,5.094,725,5.094,726,3.327,727,5.094,728,7.212,729,5.094,730,2.487]],["t/2566",[0,1.685,1,0.877,69,3.984,380,7.007,543,5.638,687,7.418,707,3.812,731,3.166,732,6.563,733,3.166]],["t/2568",[0,1.756,1,0.583,3,1.598,4,1.417,20,0.887,32,2.14,78,1.853,334,3.815,336,5.201,734,4.444,735,4.444,736,3.283,737,4.444,738,4.444,739,4.444,740,4.444]],["t/2570",[0,1.739,1,0.769,3,2.378,212,3.273,264,4.598,512,4.319,537,3.652,538,3.939,539,3.717,731,3.341,733,3.341,741,5.949,742,6.01,743,6.612,744,6.612,745,6.612]],["t/2573",[0,1.744,1,0.818,115,4.183,135,2.498,136,3.403,383,3.912,384,5.307,385,6.001,461,4.318,639,4.183,746,4.839,747,6.055,748,6.055,749,6.055,750,5.503,751,5.503,752,5.503,753,5.503,754,5.503]],["t/2575",[0,1.734,23,1.84,27,4.492,69,3.838,74,1.565,244,1.487,357,3.112,392,4.142,709,3.185,710,4.261,723,3.509,755,7.146,756,7.725,757,8.731,758,7.193,759,5.243,760,7.146,761,5.243,762,5.243,763,8.13,764,3.985,765,5.243,766,5.243,767,4.897]],["t/2577",[0,1.739,23,2.144,74,1.823,244,1.733,357,2.66,511,3.672,723,4.089,756,5.406,768,6.722,769,9.612,770,6.11,771,5.165,772,5.406]],["t/2579",[0,1.734,1,0.557,142,5.018,218,2.286,264,3.332,512,5.415,540,4.076,639,4.311,658,4.795,694,6.246,746,3.717,773,5.672,774,7.535,775,7.535,776,5.672,777,5.672,778,5.672,779,5.672,780,5.672,781,5.672,782,5.672,783,5.672,784,5.672,785,4.45,786,5.298,787,3.089,788,5.672]],["t/2581",[0,1.748,1,0.934,2,1.591,34,2.755,73,1.849,162,1.261,202,3.083,208,3.626,328,1.745,353,3.048,361,5.855,540,4.46,789,8.792,790,4.007,791,3.366,792,2.811,793,4.007,794,4.719,795,4.719,796,3.26,797,4.719,798,4.29]],["t/2583",[0,1.745,1,0.512,38,2.206,135,2.369,136,3.227,218,2.871,343,7.156,509,3.199,659,7.124,799,5.741,800,4.874,801,6.654,802,5.741,803,7.124,804,2.046,805,5.741,806,5.741,807,5.741,808,5.741]],["t/2585",[0,1.745,1,0.894,123,3.17,327,4.183,343,7.642,730,3.126,809,6.404,810,5.437]],["t/2588",[0,1.755,1,0.588,425,3.815,811,4.493,812,4.493,813,4.493,814,4.493,815,4.493,816,4.493,817,4.493,818,2.623,819,8.314,820,3.319,821,3.204,822,4.493,823,4.493,824,4.493,825,6.588]],["t/2590",[0,1.725,1,0.808,2,1.069,20,0.802,21,1.81,38,2.27,73,3.131,244,1.523,347,2.292,363,2.491,378,3.207,458,3.449,514,3.763,668,3.519,670,3.519,672,3.519,674,3.675,691,4.364,819,8.231,826,7.991,827,5.908,828,7.991,829,7.991,830,7.991,831,7.991,832,3.449,833,5.908,834,5.908,835,5.908,836,4.364,837,5.908,838,5.908,839,5.908,840,5.908,841,5.016]],["t/2592",[0,1.679,1,0.597,14,2.555,121,4.258,131,5.01,156,3.01,158,6.664,165,1.479,218,3.177,392,3.096,541,3.578,553,5.834,842,7.084,843,5.376,844,6.685,845,5.992,846,8.673,847,7.363,848,8.673,849,6.685]],["t/2594",[0,1.752,13,1.861,65,2.353,243,1.449,683,6.236,746,4.549,850,9.437,851,6.415,852,6.415,853,4.334,854,4.334,855,4.334,856,4.334,857,6.415,858,4.334,859,4.334,860,4.334,861,7.638,862,6.415,863,4.334,864,4.334,865,4.334]],["t/2596",[1,0.781,46,4.626,47,5.068,84,3.814,85,4.27,86,3.771,137,4.212,345,2.679,866,6.46]],["t/2598",[1,0.639,25,1.562,33,4.022,38,2.749,46,4.491,47,5.337,60,3.702,64,5.396,76,2.669,82,6.504,99,3.42,114,1.245,125,3.4,135,2.952,136,4.022,140,2.55,229,2.339,345,2.192,388,4.452,395,4.262,451,4.177,758,5.754,867,7.156,868,4.674,869,6.504,870,5.754,871,5.285,872,6.504,873,7.156,874,7.156,875,6.075,876,7.156]],["t/2600",[0,1.393,1,0.979,2,1.701,9,1.979,20,0.478,21,1.079,45,5.606,46,4.778,47,5.123,62,3.025,63,3.066,64,5.186,66,1.285,69,2.675,74,2.059,79,1.096,99,1.885,114,1.32,133,2.974,137,2.638,139,1.673,140,1.255,162,1.242,180,1.85,182,1.501,220,3.309,223,4.651,228,4.613,231,3.579,236,4.372,264,2.925,282,1.821,285,1.944,303,1.837,345,1.678,396,4.284,403,1.85,436,3.025,443,2.974,444,2.016,449,8.38,450,6.443,464,4.047,474,3.545,510,3.49,570,4.98,741,3.785,764,2.432,870,7.559,877,5.832,878,8.543,879,4.98,880,4.21,881,4.21,882,3.907,883,4.98,884,1.88,885,1.88,886,2.989,887,2.601,888,3.2]],["t/2602",[0,1.234,1,0.968,2,1.632,9,3.993,20,0.964,21,1.177,45,5.247,46,4.935,47,5.407,66,1.449,69,2.861,74,2.156,79,1.196,114,1.488,140,1.369,162,1.312,220,2.555,228,4.566,236,3.991,237,6.391,264,3.129,282,1.988,303,3.023,345,2.763,357,3.827,396,3.733,403,2.019,443,3.856,444,2.2,449,8.412,450,6.031,474,3.426,479,4.944,741,4.049,836,4.329,870,7.776,878,8.197,879,5.327,885,2.051,886,3.262,887,2.838,888,3.492,889,4.179,890,2.39]],["t/2604",[0,1.219,1,0.512,2,1.735,8,1.211,9,3.925,20,1.333,21,1.757,46,4.33,47,5.341,63,2.317,64,5.532,66,1.431,73,3.069,76,1.101,79,1.163,84,1.629,85,2.8,86,1.611,99,3.451,114,0.998,125,1.776,126,3.005,148,1.904,153,1.609,173,0.667,200,2.762,220,1.629,224,7.469,228,3.154,231,6.066,236,2.881,240,1.593,247,2.226,268,1.522,269,6.361,275,2.139,300,1.776,342,1.904,345,2.139,349,2.028,353,2.561,357,1.479,405,1.611,443,2.028,461,2.665,507,5.615,543,6.416,868,3.747,877,2.871,891,5.214,892,4.091,893,6.019,894,4.665,895,7.119,896,7.119,897,6.346,898,2.181,899,3.654,900,3.736,901,3.736,902,1.274,903,7.119,904,3.736,905,3.736,906,3.736,907,2.665,908,3.736,909,3.172,910,3.736,911,3.396,912,3.005,913,2.581]],["t/2606",[1,0.764,20,1.46,42,3.847,66,1.45,113,5.231,114,1.759,239,2.998,322,4.18,379,4.813]],["t/2608",[1,0.743,42,3.168,51,3.051,72,4.599,113,4.308,114,1.449,200,4.011,239,3.482,322,4.066,345,2.551,383,4.011,418,5.939,914,6.697,915,7.093,916,6.4,917,8.328]],["t/2610",[2,1.758,20,1.086,38,1.806,42,3.903,48,4.097,52,5.123,66,1.356,72,2.596,76,2.006,81,3.624,91,3.612,92,2.099,100,2.86,102,3.353,111,3.071,113,4.819,114,1.393,117,2.744,160,2.596,164,3.781,167,2.51,200,2.264,239,2.384,247,2.8,267,3.071,269,6.926,322,3.908,326,2.15,357,1.861,384,4.447,403,2.47,418,5.709,884,2.51,892,3.353,894,2.8,907,3.353,915,5.709,916,3.612,918,4.701,919,3.781,920,4.701,921,4.701,922,5.476,923,3.991,924,4.701,925,3.612,926,8.777,927,6.809,928,4.701,929,4.701,930,4.701,931,3.781,932,3.472,933,4.701,934,2.234,935,3.248,936,5.781,937,2.518,938,4.273,939,3.991,940,3.155,941,4.701,942,6.809,943,2.994,944,4.701,945,2.695,946,4.273,947,3.353]],["t/2612",[2,1.342,20,1.257,42,3.845,66,1.57,81,2.62,102,5.289,113,4.794,114,1.29,151,4.096,240,3.162,245,4.512,322,3.621,326,3.392,379,4.169,384,4.844,479,4.614,884,3.96,899,4.724,914,7.452,915,5.289,935,5.124,936,6.297,937,2.742,945,2.935,948,6.741,949,5.699,950,7.417,951,6.741,952,6.741,953,5.699]],["t/2614",[1,0.687,2,1.716,3,3.41,33,4.327,42,4.19,89,2.358,102,5.489,116,3.436,137,3.707,140,2.744,156,2.671,238,2.9,249,3.21,250,3.245,268,2.043,312,6.04,321,5.318,887,5.686,894,6.121,954,6.19,955,6.535]],["t/2616",[1,0.435,2,1.875,3,1.752,20,0.661,42,4.012,46,2.2,47,3.458,48,3.701,63,2.822,66,1.665,74,1.321,81,3.336,84,3.046,85,3.987,86,3.011,88,2.657,90,2.843,91,3.742,92,2.174,95,3.559,99,2.809,103,4.427,104,4.427,113,2.519,114,1.861,134,2.377,156,2.424,160,3.857,164,3.916,185,1.889,186,2.053,194,1.988,219,4.562,220,3.046,227,3.194,229,1.592,239,1.705,268,1.292,269,3.473,282,2.519,285,2.689,396,3.102,432,3.268,433,3.181,482,3.276,914,3.916,915,4.981,932,3.597,935,4.825,954,3.916,956,4.135,957,3.597,958,3.364,959,3.742,960,4.427,961,4.87,962,4.87,963,4.87,964,4.427,965,3.742,966,2.345,967,3.268,968,3.916,969,4.427,970,3.364,971,3.473,972,4.135]],["t/2618",[2,1.895,3,3.884,33,4.046,42,4.351,57,5.531,63,2.908,72,3.975,89,2.205,114,1.582,134,3.514,165,1.592,173,1.286,200,3.466,236,3.614,238,2.712,239,2.52,246,5.317,249,3.002,250,3.035,268,1.91,915,5.133,958,4.973,973,5.788,974,7.198,975,7.198]],["t/2620",[1,0.833,3,3.358,20,1.019,21,2.3,42,4.045,57,5.769,60,3.884,63,3.033,66,1.272,90,4.383,102,7.247,113,4.83,135,3.098,136,4.22,137,4.496,138,6.374,140,2.676,141,6.374,142,6.038,143,3.77,144,6.824,145,6.824,146,6.824,147,6.824,976,6.374]],["t/2621",[1,0.818,2,1.608,15,3.685,20,0.407,21,2.33,22,3.814,26,1.142,33,1.687,34,5.187,42,4.322,46,2.181,50,3.24,52,2.818,57,2.306,60,1.552,62,1.657,66,1.289,71,3.343,73,1.176,81,1.06,84,1.309,89,2.81,90,5.495,95,1.529,102,6.54,114,1.323,123,4.399,125,1.426,156,2.64,164,2.413,165,0.664,167,3.706,194,1.225,200,1.445,235,2.217,236,1.507,238,2.283,239,1.051,240,1.279,243,2.249,269,2.14,277,5.506,282,2.498,303,2.327,308,1.373,322,2.357,326,3.175,327,4.534,329,5.127,330,4.95,331,5.334,332,3.833,359,2.073,397,2.306,399,3.443,409,3.71,451,4.441,463,2.217,472,1.96,474,1.294,475,5.506,513,2.728,787,1.486,881,2.306,915,4.32,943,1.911,956,2.548,958,2.073,973,2.413,977,2.306,978,2.728,979,3.001,980,1.867,981,2.728,982,3.001,983,6.309,984,3.001,985,3.001,986,2.357,987,3.001,988,3.001,989,2.548,990,2.217,991,3.001,992,3.001,993,3.001,994,3.001,995,3.001,996,2.073,997,3.001,998,3.001,999,2.306,1000,1.687,1001,2.728,1002,4.388,1003,3.001,1004,3.001,1005,2.14,1006,3.001,1007,4.099,1008,3.001]],["t/2623",[0,1.74,8,1.973,32,4.427,34,6.385,35,7.063,244,2.102,495,6.555,541,4.051,553,5.263,1009,5.531,1010,6.085]],["t/2625",[0,1.728,1,0.863,2,1.439,32,3.828,35,6.108,368,3.024,798,7.225]],["t/2627",[0,1.756,1,0.686,6,5.309,8,1.168,9,2.026,43,3.146,464,2.662,1011,3.644,1012,4.121,1013,2.898,1014,3.604,1015,3.604,1016,3.604,1017,3.604,1018,3.06,1019,3.604,1020,3.604,1021,3.604,1022,3.604]],["t/2629",[0,1.755,1,0.52,22,1.704,33,3.279,43,1.787,48,1.496,81,2.06,172,1.665,227,4.28,249,1.592,250,1.61,303,1.28,356,3.017,937,2.929,1011,3.81,1012,4.308,1023,3.242,1024,3.071,1025,3.242,1026,3.628,1027,3.242,1028,3.628,1029,3.242]],["t/2631",[0,1.754,1,0.685,8,1.805,43,2.351,73,2.67,123,1.779,167,1.919,227,3.116,356,3.525,389,3.421,478,2.289,479,2.235,481,2.482,937,2.058,1011,5.011,1012,4.111,1013,2.89,1018,4.726,1030,3.593,1031,3.593,1032,4.476,1033,3.266,1034,3.593,1035,3.593,1036,3.593,1037,2.347,1038,3.593,1039,3.593,1040,3.593,1041,3.593,1042,3.593]],["t/2633",[1,0.631,2,1.28,42,3.959,44,5.044,47,3.501,58,5.224,66,1.675,116,3.157,123,3.501,173,1.606,219,6.458,220,4.312,227,4.522,229,2.312,236,3.552,238,2.665,243,2.031,267,4.62,305,1.961,432,4.746,433,6.796,894,4.213,959,5.435,964,6.429,970,6.212,996,4.886,1043,6.429]],["t/2635",[6,7.221,21,2.451,42,3.044,79,2.49,109,5.705,219,6.341,220,4.233,227,4.781,247,4.765,433,6.827,452,8.824,510,5.096,1044,8,1045,5.226,1046,8]],["t/2637",[1,0.631,43,2.167,44,7.051,66,1.198,83,3.906,88,3.959,139,4.273,219,4.62,220,3.084,227,3.235,241,3.361,268,1.877,403,3.716,404,7.686,405,3.049,432,4.746,433,6.458,510,5.728,885,3.776,954,5.688,1011,4.62,1012,5.224,1047,6.429,1048,6.429,1049,6.172,1050,7.073,1051,7.073]],["t/2639",[1,0.764,21,2.623,43,3.097,44,6.106,83,4.728,85,4.18,86,3.691,88,3.257,117,4.998,182,3.65,227,3.916,432,5.745,433,5.592]],["t/2641",[1,0.824,2,1.824,3,3.32,33,4.144,66,1.249,71,3.55,84,3.215,85,3.599,86,3.178,88,3.834,137,3.55,162,1.361,173,1.8,180,3.873,238,3.797,268,2.886,300,3.503,301,5.928,302,6.259,303,2.471,304,4.391,305,2.044,306,4.485]],["t/2643",[2,1.553,3,2.365,25,1.873,27,3.303,29,4.868,42,2.502,43,2.015,46,2.971,47,3.256,66,1.454,74,1.784,76,1.938,83,3.632,113,3.402,114,1.873,125,3.125,139,4.078,165,1.455,182,2.804,227,3.008,236,3.303,238,2.478,243,1.485,357,4.007,368,2.502,509,2.685,524,4.091,553,3.766,723,5.221,726,4.296,871,4.858,1052,4.189,1053,4.413,1054,6.577,1055,4.858,1056,3.085,1057,3.839,1058,3.303,1059,3.211,1060,3.839,1061,4.091,1062,5.289]],["t/2646",[0,1.154,6,2.293,22,1.482,24,1.717,40,1.977,43,3.366,44,7.177,45,8.154,46,2.364,48,2.537,51,1.216,52,1.938,60,1.717,62,1.833,66,1.097,72,1.833,73,2.88,80,1.938,81,1.848,89,2.904,99,2.751,123,2.59,150,1.399,160,1.833,165,0.734,172,1.447,173,1.157,193,1.643,199,1.239,227,4.066,238,1.251,239,2.267,243,2.382,249,1.384,250,1.399,283,2.293,303,1.113,308,2.393,312,6.503,326,1.518,327,2.168,330,3.731,345,1.017,353,1.482,356,4.137,357,2.909,388,2.065,432,2.227,436,3.576,437,2.669,457,4.442,458,1.938,459,2.818,460,2.818,461,2.367,462,2.669,463,2.452,464,2.452,465,3.017,478,2.114,479,2.065,480,4.207,481,2.293,482,2.454,483,5.498,484,4.442,485,2.818,514,2.114,550,3.333,804,1.183,937,2.394,1011,2.168,1023,2.818,1024,2.669,1025,2.818,1026,2.065,1027,2.818,1028,2.065,1029,2.818,1032,2.669,1037,2.168,1061,4.028,1063,4.474,1064,3.614,1065,1.692,1066,3.017,1067,3.017,1068,3.319,1069,5.232,1070,3.017,1071,3.017,1072,3.017,1073,2.818,1074,3.865,1075,3.017]],["t/2648",[2,1.781,3,3.688,22,2.73,38,3.142,42,3.743,43,1.873,46,4.163,66,1.667,113,4.767,114,1.905,125,3.887,151,3.377,173,1.757,182,2.607,243,2.383,249,2.55,250,2.578,303,2.05,320,4.918,321,4.225,323,4.918,325,4.225,326,2.797,442,3.994,445,4.918,466,5.192,467,3.502,468,4.699,469,5.192,470,5.192,491,3.994,955,5.192,1076,5.488,1077,6.115,1078,5.558,1079,5.558]],["t/2650",[22,3.251,34,6.327,51,2.668,77,5.858,89,2.231,134,3.556,167,3.889,173,1.636,243,2.263,249,3.038,250,3.071,303,2.442,389,3.658,472,6.87,511,2.771,707,2.826,958,5.032,1060,6.139,1080,5.858,1081,6.621,1082,6.621,1083,7.284,1084,5.597,1085,4.252,1086,4.888,1087,7.284]],["t/2653",[22,3.213,71,3.466,80,4.202,89,2.205,129,3.975,131,5.108,165,2.012,173,1.781,232,4.478,243,2.365,303,2.413,307,3.514,308,3.292,309,3.843,310,5.788,311,5.788,312,6.67,313,5.531,314,5.788,315,5.788,316,3.975,317,5.788,318,5.133,319,4.478,413,6.987,414,5.317]],["t/2655",[1,0.587,20,0.892,22,2.936,23,2.737,66,1.454,73,2.577,89,2.015,114,1.493,116,2.936,139,3.125,199,2.455,243,2.371,303,2.205,312,4.189,347,3.928,368,2.502,369,4.199,370,4.876,392,3.046,428,5.289,442,5.605,514,5.466,688,4.413,792,3.917,937,3.173,1088,3.742,1089,5.978,1090,7.055,1091,5.978,1092,4.69,1093,6.577,1094,5.054,1095,5.054,1096,4.544]],["t/2657",[22,3.822,89,2.623,123,4.238,167,4.571,243,2.283,303,2.87,327,5.592,328,3.166,329,6.324,330,6.106,331,6.579,332,4.728,983,7.782]],["t/2659",[22,3.932,46,4.645,47,5.09,89,2.699,303,2.953,345,2.699,866,6.507,1065,4.489]],["t/2661",[1,0.329,2,1.029,3,3.66,4,1.177,13,1.071,14,1.087,20,1.381,22,1.648,23,2.831,29,3.966,32,2.737,66,1.566,74,2.712,76,1.087,79,1.769,89,1.741,114,1.608,117,2.155,131,1.709,139,2.701,149,3.813,162,1.049,243,2.156,244,2.007,268,0.98,282,2.94,303,1.237,312,3.62,326,4.06,345,1.131,347,2.205,356,4.784,357,1.461,368,3.197,369,3.112,389,1.854,428,4.57,482,2.666,511,2.636,524,2.296,541,2.345,557,2.477,723,5.626,726,3.712,771,2.836,772,2.968,785,4.053,967,2.477,1055,4.198,1056,2.666,1057,3.317,1058,1.854,1059,1.802,1060,2.155,1061,2.296,1062,2.968,1063,5.377,1092,2.632,1097,5.55,1098,3.355,1099,1.91,1100,3.355,1101,2.968,1102,2.968,1103,3.355,1104,3.355,1105,2.632,1106,3.691,1107,3.134,1108,2.411,1109,3.691,1110,3.134,1111,2.411,1112,1.754,1113,7.436,1114,2.836,1115,2.726,1116,3.134,1117,6.929,1118,3.134,1119,3.712,1120,4.57,1121,2.968]],["t/2663",[22,3.795,89,3.085,243,1.92,303,2.85,349,5.824,360,5.466,545,6.837,1122,4.847,1123,7.218]],["t/2665",[1,0.8,8,2.28,13,2.6,22,3.139,24,4.635,25,2.34,26,2.675,27,4.499,31,4,66,1.191,86,3.032,89,3.021,162,1.298,243,1.588,303,3.004,357,4.596,509,3.658,553,5.13,1056,4.203]],["t/2667",[4,2.644,13,3.262,22,2.786,23,2.644,24,4.289,25,2.165,26,3.773,27,4.163,31,3.701,43,2.54,160,5.981,243,2.445,303,3.687,378,5.879,379,6.088]],["t/2669",[2,1.351,3,2.684,22,3.331,28,3.413,37,5.322,66,1.264,86,3.217,162,1.717,303,2.502,345,2.849,347,2.895,350,5.512,356,3.86,357,2.953,361,4.356,380,6.633,381,5.512,382,4.051,383,4.479,384,6.075,385,5.512,386,6.001,387,5.326,388,4.642,389,3.747,430,5.155,1124,8.454,1125,6.783]],["t/2671",[22,3.213,29,5.707,42,2.738,46,3.252,66,1.829,72,3.975,114,1.252,173,1.286,243,2.053,249,3.002,250,3.035,303,2.413,312,6.67,357,2.849,372,5.133,377,3.212,390,5.788,391,6.542,967,4.83,1061,6.201,1108,4.701,1126,3.035,1127,6.111,1128,7.198]],["t/2673",[0,0.756,1,0.348,2,1.072,3,1.742,4,1.403,5,1.081,6,0.721,8,0.338,13,1.953,14,0.789,15,1.17,20,0.913,23,1.403,24,2.016,25,1.222,26,1.674,27,1.671,28,1.783,29,3.019,31,1.486,34,1.943,37,1.372,38,1.028,39,0.635,40,1.146,42,1.483,43,2.727,44,5.111,45,6.198,46,2.189,47,0.952,48,1.049,51,1.612,52,1.123,60,0.54,62,0.576,63,0.421,66,1.277,71,0.502,72,0.576,73,2.321,74,1.193,77,0.839,80,1.123,81,0.679,89,3.034,99,1.341,113,1.385,114,1.46,116,0.859,123,1.648,125,0.914,129,1.062,131,2.88,139,1.852,150,0.811,151,0.576,153,0.24,160,3.093,162,0.494,165,1.072,167,0.557,172,0.455,173,1.43,182,0.82,185,1.038,193,0.952,194,1.359,199,0.718,226,1.364,227,2.216,232,0.649,238,1.469,239,0.937,243,2.427,244,0.858,249,0.435,250,0.44,268,0.51,282,0.995,283,0.721,296,0.721,303,2.175,305,0.289,307,0.509,308,1.224,309,0.557,310,0.839,311,0.839,313,0.801,314,0.839,315,0.839,316,0.576,317,0.839,318,0.744,319,0.649,320,0.839,321,1.329,323,0.839,324,0.609,325,0.721,326,0.88,327,1.748,328,0.386,329,0.77,330,1.909,331,0.801,332,0.576,333,0.77,334,1.123,335,1.329,336,1.291,337,0.649,338,1.628,339,0.886,340,0.77,341,0.886,342,0.532,343,1.329,344,0.886,345,1.348,346,0.664,347,2.517,348,0.886,349,2.116,350,1.977,351,1.17,352,0.886,353,0.859,354,0.839,355,0.886,356,2.506,357,2.984,358,1.633,359,0.721,360,2.846,361,1.943,362,1.547,363,1.643,365,0.886,366,1.582,367,0.77,368,2.131,369,2.096,370,2.119,371,0.7,372,1.909,373,0.886,374,0.886,375,0.886,376,2.558,377,1.554,378,2.63,379,2.723,380,1.372,381,0.77,382,0.566,383,0.926,384,1.256,385,1.421,386,0.839,387,1.533,388,1.197,389,0.966,392,0.483,398,0.291,406,0.839,407,0.948,408,0.886,409,0.801,410,0.455,411,0.7,412,0.886,413,1.478,414,0.77,415,0.948,417,5.091,418,2.374,419,0.995,420,0.948,421,0.948,422,3.999,423,0.948,424,0.744,425,1.633,426,0.948,427,3.999,428,3.134,429,1.748,430,2.299,432,0.7,433,1.256,436,1.478,437,0.839,442,1.748,445,1.547,451,0.609,457,1.633,458,0.609,459,0.886,460,0.886,461,0.744,462,0.839,463,0.77,464,6.282,466,0.886,467,0.597,468,0.801,469,0.886,470,0.886,472,2.174,478,0.664,479,0.649,480,1.547,481,0.721,482,0.902,483,2.272,484,1.633,485,0.886,491,0.681,503,1.421,509,0.785,514,1.705,524,0.649,541,0.794,545,0.839,550,1.705,553,1.101,554,0.621,557,1.291,688,0.7,723,2.371,726,1.256,771,0.801,772,0.839,785,1.372,792,0.621,804,0.372,866,0.77,937,1.441,955,0.886,967,1.291,1011,0.681,1023,0.886,1024,0.839,1025,0.886,1026,0.649,1027,0.886,1028,0.649,1029,0.886,1032,0.839,1037,0.681,1055,1.421,1056,3.264,1057,1.563,1058,0.524,1059,0.509,1060,1.563,1061,2.425,1062,0.839,1063,1.849,1064,1.329,1065,0.532,1066,0.948,1067,0.948,1070,0.948,1071,0.948,1072,0.948,1073,0.886,1074,1.421,1075,0.948,1076,1.291,1078,0.948,1079,0.948,1080,0.839,1081,0.948,1082,0.948,1088,0.839,1089,0.948,1090,3.873,1091,0.948,1092,1.372,1094,0.801,1095,0.801,1096,0.721,1097,1.909,1098,0.948,1099,0.54,1100,0.948,1101,0.839,1102,0.839,1103,0.948,1104,0.948,1105,0.744,1107,0.886,1108,0.681,1110,0.886,1111,0.681,1112,2.662,1122,1.761,1123,0.886,1124,1.748,1126,0.811,1129,1.043,1130,1.043,1131,0.886,1132,1.043,1133,1.923,1134,0.664,1135,0.948,1136,1.043]],["t/2675",[1,0.803,2,1.723,3,3.423,6,3.433,7,1.787,8,2.677,9,3.983,20,1.291,25,1.546,51,1.82,66,1.2,74,1.922,84,3.601,114,1.656,137,2.393,139,3.367,140,1.771,143,2.495,151,2.744,162,1.662,174,2.744,180,2.611,182,2.118,218,2.596,226,2.532,227,3.241,249,2.072,268,1.319,282,2.571,300,3.367,326,3.241,335,4.895,351,3.023,369,2.833,379,3.983,393,2.901,394,6.346,403,2.611,404,3.671,405,2.142,443,3.847,444,2.845,493,3.091,511,1.891,764,3.433,842,3.334,919,3.996,923,6.016,943,3.165,1049,2.793,1112,2.361,1137,4.517,1138,4.969,1139,3.996,1140,4.969,1141,2.744,1142,4.969,1143,2.188,1144,4.219,1145,4.517,1146,3.818,1147,4.219,1148,3.818,1149,3.818,1150,4.969,1151,3.818,1152,4.969,1153,3.818,1154,3.334,1155,4.517,1156,3.433,1157,4.219,1158,3.996,1159,4.969]],["t/2677",[9,5.062,76,2.653,79,2.803,114,1.566,165,1.992,220,3.926,884,4.808]],["t/2679",[84,3.76,86,3.717,88,3.28,95,4.394,114,1.766,139,4.097,156,2.992,227,4.644,238,3.249,241,4.097,405,3.717]],["t/2681",[0,1.21,1,0.838,2,1.879,9,2.402,20,1.429,21,1.945,24,2.211,25,0.933,32,2.058,42,3.19,48,1.674,60,2.211,66,1.42,73,1.674,76,1.259,79,2.358,84,2.768,86,3.266,88,1.626,89,1.309,90,2.494,114,0.743,139,3.017,140,2.7,153,1.463,162,1.172,165,1.676,212,2.115,218,3.071,220,1.863,227,4.446,236,2.146,238,2.392,261,1.483,268,2.378,300,2.031,324,2.494,326,1.954,332,2.36,336,5.626,342,2.177,356,3.919,379,2.402,393,2.494,395,2.545,396,2.722,403,3.336,405,2.737,443,2.32,444,2.447,511,1.626,537,2.36,538,2.545,539,2.402,542,2.952,707,1.658,804,1.523,889,5.402,890,3.949,894,2.545,915,4.527,937,1.58,1011,2.791,1049,3.569,1143,1.319,1160,2.658,1161,3.436,1162,2.583,1163,4.273,1164,4.273,1165,3.436,1166,3.436,1167,3.628,1168,3.628,1169,3.628,1170,3.099,1171,3.283,1172,3.156,1173,4.273,1174,3.884,1175,3.283,1176,3.283]],["t/2683",[2,1.734,3,1.817,7,1.817,8,1.638,20,1.388,27,2.537,34,2.949,48,1.979,62,5.009,66,1.214,72,2.79,73,1.979,80,2.949,114,0.879,116,2.255,129,2.79,134,3.5,137,2.433,151,2.79,153,1.652,156,1.753,162,0.933,165,1.586,170,4.062,173,0.902,199,1.885,218,1.851,220,3.126,226,2.574,238,2.701,241,2.401,268,1.341,272,3.218,285,2.79,297,3.3,335,3.49,342,2.574,351,3.073,356,4.311,368,3.644,369,2.02,382,2.742,388,5.184,392,2.339,478,3.218,482,3.363,524,3.143,792,4.964,937,2.651,949,3.882,966,3.452,986,3.5,1052,3.218,1094,3.882,1095,3.882,1096,3.49,1141,2.79,1151,3.882,1169,4.289,1177,3.882,1178,4.062,1179,3.603,1180,5.765,1181,5.052,1182,5.052,1183,4.062,1184,4.062,1185,3.603,1186,4.592,1187,4.592,1188,3.731,1189,5.052,1190,5.052,1191,4.592,1192,5.052,1193,1.769,1194,5.052,1195,3.39,1196,2.654]],["t/2685",[0,1.313,1,0.455,2,1.806,13,1.478,20,1.354,21,1.56,25,1.574,31,2.274,33,2.863,42,3.796,46,2.301,47,2.522,63,2.058,66,1.628,73,1.996,74,1.382,79,1.586,95,3.675,109,3.633,113,3.731,114,1.584,116,3.219,133,2.765,139,2.421,153,1.174,212,2.522,227,3.298,236,3.621,241,2.421,243,1.15,250,2.148,261,1.768,283,3.519,298,3.763,303,3.221,305,1.413,321,3.519,324,2.974,357,3.603,377,1.799,395,4.296,432,3.418,433,3.327,509,2.079,524,3.169,537,2.813,538,3.034,539,2.863,553,2.917,723,4.387,884,2.72,899,3.245,959,3.914,1013,4.096,1055,3.763,1056,3.383,1112,3.427,1126,2.148,1167,4.325,1168,4.325,1197,5.094,1198,3.327,1199,4.325,1200,5.799,1201,4.096,1202,2.274,1203,4.325,1204,3.914]],["t/2687",[1,0.859,2,1.911,3,3.891,9,4.875,20,1.515,24,3.458,42,2.543,66,1.132,72,3.692,74,1.813,80,3.902,89,2.048,113,4.981,114,1.772,162,1.234,236,3.357,241,3.177,335,4.618,392,3.096,393,3.902,394,5.137,443,3.629,478,4.258,1147,5.675,1148,5.137,1149,5.137,1160,4.159,1205,6.076,1206,6.685,1207,6.685]],["t/2689",[9,4.813,43,2.623,111,5.592,115,5.915,117,4.998,162,1.581,182,3.65,229,2.799,966,4.123,1208,7.782,1209,6.324,1210,6.324,1211,7.782,1212,7.782]],["t/2691",[0,1.095,1,0.383,2,1.97,13,1.244,20,1.32,25,1.958,31,1.914,32,2.065,42,1.631,46,3.429,47,2.123,63,2.571,66,1.286,73,1.68,74,1.163,76,1.263,80,2.503,86,1.849,95,3.243,113,4.345,114,1.856,116,3.388,119,2.065,135,1.769,140,1.528,162,0.792,212,3.151,217,2.962,236,3.196,303,3.008,305,1.189,324,3.716,345,1.314,357,3.324,377,1.515,443,2.328,474,1.849,491,4.157,509,1.75,524,2.668,537,3.515,538,3.791,539,3.578,542,4.397,543,2.962,544,3.167,553,2.455,710,4.701,723,3.872,792,2.554,872,3.898,881,4.891,885,2.289,887,3.167,889,4.539,919,3.448,1055,3.167,1056,2.986,1060,2.503,1076,4.271,1112,3.025,1126,1.808,1143,1.324,1199,3.64,1200,5.119,1201,3.448,1202,1.914,1205,5.785,1213,4.288,1214,5.404,1215,4.288,1216,4.288,1217,2.801,1218,4.288,1219,5.404,1220,4.288,1221,6.365,1222,4.288,1223,4.288,1224,3.448,1225,3.344]],["t/2693",[0,0.919,1,0.75,2,1.702,6,5.806,20,0.864,43,2.881,66,1.079,89,1.952,111,4.161,113,3.296,114,1.808,116,2.844,125,3.027,135,2.628,137,3.068,148,3.246,151,3.518,156,2.211,169,4.348,182,2.716,227,4.574,228,2.878,247,3.795,301,5.123,303,2.136,356,3.296,392,3.892,396,4.058,474,2.747,491,6.143,621,5.409,943,4.058,1049,3.581,1165,5.123,1174,5.791,1198,4.161,1226,5.791,1227,4.895,1228,5.123,1229,5.409,1230,5.409,1231,3.795,1232,6.371,1233,4.401,1234,5.409,1235,4.401]],["t/2695",[0,0.836,1,0.517,2,1.428,7,2.084,8,2.557,9,3.258,13,1.682,20,1.07,25,1.957,66,1.519,74,2.432,84,2.527,86,2.499,133,3.146,139,4.785,140,2.066,153,1.336,182,3.363,194,3.22,218,2.123,226,5.416,300,2.754,335,4.004,351,6.466,369,2.317,382,3.146,393,3.383,394,4.454,405,2.499,444,3.319,482,2.719,511,2.205,923,4.92,925,4.454,943,3.692,966,2.791,969,5.268,1057,4.605,1064,4.004,1126,2.443,1141,3.201,1151,4.454,1214,4.92,1236,4.92,1237,5.268,1238,5.796,1239,5.293,1240,4.92,1241,3.889,1242,5.268,1243,5.268,1244,5.796,1245,5.268]],["t/2697",[0,0.887,1,0.732,2,1.784,3,3.323,9,3.455,20,1.394,42,2.338,43,1.883,114,1.427,116,3.663,153,1.891,162,1.135,169,3.18,182,2.62,205,4.246,218,2.251,226,3.132,268,2.178,285,3.394,289,6.588,346,5.884,351,3.739,353,4.124,368,3.515,393,3.588,411,4.124,792,5.503,887,4.54,899,5.884,902,2.096,937,2.273,1094,4.723,1246,4.723,1247,5.586,1248,5.218,1249,6.146,1250,6.146,1251,6.146,1252,6.146,1253,6.146,1254,6.146,1255,6.146,1256,6.146,1257,6.146]],["t/2699",[0,1.512,1,0.698,2,1.831,3,3.338,9,2.731,20,0.777,21,1.142,25,1.522,32,2.758,40,1.308,63,0.887,66,1.181,68,1.566,69,2.372,73,1.461,76,1.89,84,2.119,86,2.095,88,1.419,89,0.673,90,1.282,96,1.282,113,1.929,114,1.361,119,2.758,135,1.538,137,1.796,140,0.783,154,1.044,156,0.762,162,1.184,165,0.486,170,1.766,173,0.392,194,1.522,202,1.434,208,1.687,212,1.846,218,2.35,220,0.958,226,3.789,228,2.588,238,1.831,261,0.762,268,0.583,289,5.302,307,1.072,308,1.004,309,1.172,324,2.177,328,0.812,332,2.059,346,5.676,351,4.76,353,4.212,361,2.177,368,0.835,392,1.727,432,1.474,437,1.766,443,2.024,444,1.257,477,1.996,482,1.03,514,1.399,537,2.059,538,2.221,539,2.096,540,1.434,542,6.157,543,2.576,544,2.754,549,1.996,658,1.687,688,2.502,710,2.754,793,1.864,821,1.566,871,1.622,899,5.8,912,3.908,970,1.517,971,1.566,1037,2.435,1045,1.434,1060,2.177,1061,3.023,1088,0.958,1090,1.622,1105,4.973,1108,1.434,1151,1.687,1183,1.766,1188,4.738,1191,1.996,1217,2.435,1219,5.92,1236,6.643,1237,7.413,1243,3.389,1248,3.165,1258,2.754,1259,1.864,1260,6.973,1261,2.196,1262,3.729,1263,2.196,1264,2.196,1265,2.196,1266,2.196,1267,2.196,1268,2.196,1269,3.389,1270,3.389,1271,3.389,1272,2.196,1273,2.196,1274,3.729,1275,1.996,1276,2.196,1277,2.196,1278,2.196,1279,2.196,1280,1.474,1281,3.729,1282,2.196,1283,2.196,1284,2.196,1285,2.196,1286,2.196,1287,3.389,1288,2.196,1289,3.165,1290,2.196,1291,1.864,1292,8.1,1293,1.766,1294,2.196,1295,2.196,1296,3.389,1297,2.196,1298,1.996,1299,3.389,1300,1.766,1301,1.622,1302,1.434,1303,3.389,1304,1.996,1305,1.996,1306,1.766,1307,1.996,1308,1.996,1309,1.996,1310,1.766,1311,1.996,1312,1.017,1313,1.996,1314,1.996]],["t/2701",[0,1.533,1,0.648,2,1.811,3,3.415,9,3.384,20,0.817,21,1.219,25,1.584,32,2.899,63,1.608,66,1.23,68,2.838,69,1.943,73,1.56,76,1.773,84,1.736,86,1.716,113,2.059,114,1.408,135,1.642,137,1.917,140,1.419,156,1.381,162,1.494,165,0.881,170,3.201,173,0.711,194,1.625,202,2.6,208,3.058,212,1.97,218,2.205,220,1.736,226,4.124,228,1.798,268,1.056,289,5.177,307,1.943,324,2.323,328,1.472,346,3.834,351,4.923,353,3.88,361,3.514,443,3.268,444,2.279,514,2.535,537,2.198,538,2.371,539,2.237,542,6.316,543,2.75,544,2.94,688,2.671,710,2.94,793,3.379,871,2.94,899,4.624,912,3.201,971,2.838,1037,2.6,1045,2.6,1090,2.94,1105,5.177,1108,2.6,1151,3.058,1183,3.201,1188,2.94,1217,2.6,1219,6.163,1236,7.761,1248,3.379,1258,2.94,1269,3.618,1270,3.618,1271,3.618,1287,3.618,1289,3.379,1292,8.31,1296,3.618,1298,3.618,1299,5.471,1300,3.201,1301,2.94,1302,2.6,1303,5.471,1304,3.618,1305,3.618,1306,3.201,1307,3.618,1308,3.618,1309,3.618,1310,3.201,1311,3.618,1312,1.843,1313,3.618,1314,3.618]],["t/2703",[0,1.727,1,0.754]],["t/2705",[0,1.734,1,0.705,8,3.123,1315,7.897,1316,7.897]],["t/2707",[0,1.674,1,0.798,1317,7.589]],["t/2709",[0,1.696,1,0.786,655,8.007]],["t/2711",[0,1.594,1,0.816,1318,9.139]],["t/2713",[0,1.753,1,0.851,264,2.664,413,5.461,512,3.259,730,2.436,731,1.936,733,1.936,741,3.447,742,4.535,981,4.535,1319,4.99,1320,4.99,1321,4.535,1322,4.99,1323,4.99,1324,4.99]],["t/2715",[0,1.713,1,0.769,361,5.033]],["t/2717",[0,1.701,1,0.91,42,3.304]],["t/2719",[0,1.733,1325,7.022]],["t/2721",[0,1.746,1,0.95,119,3.31,377,2.428,512,4.49,842,4.612]],["t/2723",[1,0.946,2,1.419,25,1.253,26,2.982,38,3.011,43,1.759,66,1.328,79,1.787,140,2.046,165,1.734,182,3.341,185,2.227,194,2.344,200,2.765,218,3.676,220,3.417,238,2.953,249,3.268,261,1.992,268,2.368,300,2.728,345,1.759,357,2.272,363,3.304,366,4.24,389,2.883,399,4.094,405,4.133,476,2.626,482,2.693,1112,3.724,1114,4.412,1126,2.42,1134,4.992,1143,1.773,1172,4.241,1217,3.75,1326,5.218,1327,5.218,1328,3.852,1329,5.741,1330,4.617,1331,4.617,1332,4.617,1333,4.094,1334,5.016,1335,3.493,1336,3.657,1337,3.572,1338,4.412,1339,3.572,1340,3.351,1341,4.241]],["t/2726",[2,1.184,8,2.121,13,2.481,14,2.519,20,0.888,25,1.428,32,4.588,60,3.384,66,1.449,94,4.665,111,4.273,114,1.138,128,5.946,129,3.612,134,3.193,148,3.334,160,3.612,173,1.805,187,5.908,193,3.238,229,2.138,240,2.789,285,3.612,293,4.519,451,4.992,541,3.528,682,4.118,845,4.519,943,4.167,973,5.261,1126,3.605,1179,4.665,1300,6.877,1340,4.992,1342,4.832,1343,5.261,1344,5.32,1345,5.946,1346,6.571,1347,6.542,1348,5.946]],["t/2728",[1,0.887,2,1.295,25,1.562,26,2.722,63,2.891,80,4.177,111,4.674,118,4.802,173,1.618,182,3.05,193,3.542,261,2.483,349,3.884,357,2.832,550,4.558,554,4.262,557,4.802,836,5.285,958,4.943,968,5.754,1000,4.022,1057,4.177,1112,4.305,1118,6.075,1122,3.233,1126,3.017,1134,5.771,1175,5.499,1196,3.76,1239,4.802,1340,5.803,1346,6.961,1349,6.504,1350,7.156]],["t/2730",[0,1.214,1,0.57,2,1.377,8,2.466,20,1.032,26,1.637,38,2.452,52,2.512,58,4.714,63,1.738,66,1.081,73,3.688,79,1.339,84,2.783,85,2.101,86,1.855,88,2.428,89,1.318,116,2.849,129,2.376,130,3.911,149,2.887,153,0.992,173,1.787,174,3.524,181,3.069,193,3.765,232,2.677,243,0.972,256,5.418,261,2.215,275,2.464,282,2.226,300,2.045,306,2.618,340,3.178,342,2.193,357,1.703,377,1.52,379,3.587,441,2.973,508,2.677,682,3.663,902,2.176,909,5.418,913,2.973,990,3.178,1002,8.555,1045,2.811,1053,4.282,1112,3.033,1126,2.69,1134,2.741,1141,2.376,1179,4.551,1195,4.282,1340,5.495,1346,6.465,1351,4.303,1352,4.303,1353,4.303,1354,4.303,1355,4.303,1356,3.461,1357,4.303,1358,2.298,1359,3.461,1360,3.653,1361,5.132,1362,4.303,1363,4.303,1364,4.303,1365,4.303,1366,6.381,1367,3.911,1368,4.303,1369,4.303,1370,4.303,1371,4.303,1372,3.653,1373,3.911,1374,6.381,1375,6.381,1376,3.911,1377,4.303,1378,4.303,1379,7.606,1380,6.381,1381,4.303,1382,3.911,1383,3.911,1384,4.303]],["t/2732",[193,4.425,357,3.538,393,5.218,996,6.175,1045,5.838,1126,3.768,1193,3.129,1340,5.218]],["t/2734",[1,0.617,63,2.792,71,3.329,73,2.708,114,1.701,116,3.956,125,3.285,153,1.593,169,3.576,173,1.235,174,3.817,193,4.387,218,2.532,232,4.3,247,4.117,262,4.775,303,2.971,313,5.312,357,4.222,451,4.035,476,3.161,554,4.117,893,5.312,1037,4.515,1112,3.285,1134,4.403,1135,6.283,1195,4.638,1317,5.868,1340,6.023,1341,6.546,1346,7.516,1385,6.283]],["t/2736",[0,1.034,1,0.809,2,0.914,13,2.418,14,2.455,32,2.433,62,2.79,63,2.041,73,1.979,95,2.574,119,2.433,121,3.218,153,1.164,156,3.453,162,1.539,163,3.882,169,3.709,173,1.828,180,2.654,187,3.49,193,2.501,200,2.433,228,2.282,244,1.302,272,3.218,308,3.812,349,3.892,360,2.742,476,2.31,479,5.643,495,4.062,541,2.084,542,3.49,543,3.49,544,3.731,545,4.062,548,7.575,550,3.218,554,4.27,557,3.39,682,2.433,1045,3.3,1052,4.566,1126,3.023,1165,4.062,1198,4.683,1227,3.882,1230,4.289,1340,4.185,1342,5.296,1346,3.882,1383,4.592,1386,4.062,1387,5.052,1388,3.882,1389,5.052,1390,7.169,1391,6.516,1392,5.052,1393,5.052,1394,5.052,1395,5.052,1396,5.052,1397,5.052,1398,8.334,1399,5.052,1400,5.052,1401,5.052,1402,5.052,1403,5.052,1404,4.592,1405,4.592,1406,2.949]],["t/2738",[26,3.327,85,4.27,300,4.156,403,4.596,553,5.862,843,7.034,1126,3.687,1196,4.596,1339,5.441,1340,5.106]],["t/2740",[1,0.723,2,1.467,3,2.916,21,2.484,62,4.477,66,1.373,84,3.535,88,3.723,95,4.131,165,1.793,220,3.535,238,3.688,268,2.151,304,4.829,403,4.26,931,6.519,1407,8.107,1408,7.369,1409,8.107,1410,8.107]],["t/2742",[0,1.449,1,0.313,2,1.486,3,2.414,14,1.034,21,2.057,26,1.336,29,4.432,42,3.309,63,1.418,66,1.137,74,2.055,76,1.611,86,1.513,125,1.668,133,1.906,140,1.251,154,4.133,162,1.24,165,1.209,173,1.199,180,1.845,191,2.293,205,3.776,212,4.775,218,3.534,236,2.745,238,1.323,243,1.234,249,3.627,250,3.462,252,2.823,264,1.874,268,2.56,284,3.191,303,1.177,305,1.516,324,5.631,325,3.776,335,3.776,340,4.038,382,1.906,397,2.698,398,0.981,405,1.513,447,1.093,474,2.357,537,5.327,538,5.746,539,5.544,741,2.425,804,1.251,836,4.038,890,2.184,922,2.823,965,2.698,1045,2.293,1061,5.108,1105,5.856,1227,2.698,1349,3.191,1411,2.698,1412,2.98,1413,2.98,1414,6.102,1415,2.98,1416,3.51,1417,3.51,1418,1.848,1419,3.51,1420,4.969,1421,6.713,1422,5.466,1423,5.466,1424,4.969,1425,4.969,1426,3.51,1427,5.466,1428,3.51,1429,3.51]],["t/2744",[1,0.951,2,1.902,3,3.09,14,1.324,20,1.241,21,1.377,26,1.709,34,2.623,42,1.709,50,3.015,52,2.623,66,1.549,71,2.164,74,1.787,84,1.959,85,2.194,86,3.704,88,2.968,113,2.325,114,0.782,117,2.623,129,2.481,140,1.602,143,2.256,153,1.036,154,3.131,162,1.216,165,1.726,174,2.481,187,3.104,212,2.224,214,3.204,218,2.413,238,1.693,243,1.015,246,3.319,247,2.676,249,2.748,250,2.778,268,2.689,303,3.205,304,2.676,305,1.246,332,2.481,357,1.778,360,2.439,387,2.573,405,2.84,472,2.935,758,3.613,892,4.698,916,3.453,940,3.015,966,2.164,978,4.084,996,3.104,999,3.453,1053,4.421,1057,2.623,1144,5.593,1227,3.453,1231,2.676,1280,3.015,1412,3.815,1415,3.815,1424,4.084,1425,4.084,1430,3.815,1431,4.084,1432,3.613,1433,2.623,1434,4.493,1435,2.256,1436,4.493,1437,4.084,1438,5.063,1439,4.493,1440,2.526,1441,4.493,1442,4.084,1443,4.493,1444,4.493,1445,4.493]],["t/2746",[0,1.342,1,0.713,2,1.229,20,1.189,33,5.761,34,3.964,66,1.353,71,3.27,76,1.38,89,1.435,90,2.734,99,1.611,114,1.181,116,2.091,134,2.286,135,1.932,136,2.632,140,1.669,150,2.863,153,1.079,173,1.831,218,1.716,226,2.386,230,3.459,243,1.804,249,2.832,250,2.863,262,3.235,268,1.802,285,3.75,303,1.57,306,5.33,334,5.114,377,3.095,398,1.308,400,5.765,410,2.042,411,3.142,412,3.976,431,3.976,472,4.435,474,4.503,491,4.435,510,2.983,730,3.315,937,2.511,945,1.854,947,3.34,966,2.255,1037,3.059,1060,3.964,1065,2.386,1094,5.218,1154,3.142,1385,6.172,1446,6.79,1447,6.79,1448,6.79,1449,3.976,1450,4.683,1451,4.257,1452,6.79,1453,3.976,1454,2.682,1455,4.683,1456,4.683,1457,3.976]],["t/2748",[0,1.422,20,1.384,34,5.073,42,2.88,66,0.925,79,1.699,89,2.319,99,2.989,135,2.252,136,3.068,137,2.629,140,1.946,148,2.782,153,1.258,169,2.824,173,1.676,230,4.032,243,1.962,266,2.702,268,2.306,296,5.229,334,5.073,336,5.831,359,3.771,377,1.928,382,2.963,398,1.525,400,4.634,411,3.663,447,1.092,472,5.676,1000,3.068,1060,5.073,1084,4.194,1086,3.663,1195,5.079,1241,3.663,1457,4.634,1458,4.961,1459,5.458,1460,5.458,1461,4.634,1462,4.634,1463,5.458,1464,5.458,1465,5.458,1466,4.634,1467,5.458,1468,7.57,1469,5.458,1470,5.458,1471,7.57,1472,5.458,1473,7.57,1474,7.57,1475,7.57,1476,7.57]],["t/2750",[0,0.949,1,0.766,2,1.553,29,4.868,34,3.839,42,3.265,46,3.877,131,3.046,153,1.516,154,3.125,156,2.282,162,1.214,165,1.898,173,1.533,212,3.256,218,3.144,238,2.478,247,3.917,249,2.743,250,2.773,266,3.256,303,2.205,324,3.839,345,2.015,387,3.766,411,4.413,413,6.594,443,3.57,447,1.315,537,3.632,538,3.917,539,3.697,730,3.211,1061,5.942,1085,3.839,1105,6.812,1198,4.296,1413,7.285,1420,5.978,1442,7.8,1477,4.413]],["t/2752",[0,1.755,1,0.651,25,1.131,34,3.024,306,3.152,553,4.179,847,4.398,1478,5.18,1479,5.18,1480,5.18]],["t/2754",[0,1.751,13,1.368,14,1.389,23,0.93,73,2.674,74,0.791,81,1.03,89,0.893,135,1.203,158,3.624,165,1.043,173,0.521,243,0.658,306,1.773,345,1.445,458,1.702,478,3.783,514,3.004,541,2.45,550,1.857,553,1.669,554,1.736,581,2.649,668,2.809,670,2.809,672,2.809,674,1.813,696,1.857,730,2.9,792,1.736,843,4.776,894,1.736,1065,1.485,1074,2.153,1367,2.649,1462,2.475,1481,2.915,1482,6.203,1483,5.939,1484,2.649,1485,4.716,1486,2.915,1487,2.915,1488,2.649,1489,2.475,1490,2.014,1491,2.915,1492,5.939,1493,4.716,1494,2.915,1495,2.915,1496,2.915,1497,2.915,1498,2.915,1499,4.287,1500,2.915,1501,2.649,1502,2.915,1503,2.915,1504,2.915,1505,2.915,1506,2.915,1507,2.649,1508,2.915,1509,2.649,1510,2.915,1511,2.915,1512,2.915,1513,2.915,1514,2.915,1515,2.915]],["t/2756",[0,1.739,1,0.479,13,1.556,14,1.58,73,2.93,135,2.212,136,3.014,266,2.655,345,2.291,363,2.261,431,4.553,458,3.13,480,4.312,541,2.212,553,3.071,554,5.127,668,3.194,670,3.194,672,3.194,730,3.65,1065,2.733,1482,8.465,1484,4.874,1488,6.796,1501,4.874,1509,4.874,1516,8.465,1517,5.362,1518,3.961,1519,5.362,1520,5.362,1521,5.362,1522,5.362,1523,5.362]],["t/2758",[0,1.748,1,0.563,34,3.681,135,2.601,136,3.544,289,5.952,491,4.118,553,3.61,696,4.016,1499,8.505,1524,6.305,1525,6.305]],["t/2760",[1,0.7,65,4.259,66,1.329,114,1.365,185,3.044,218,2.874,249,4.322,326,3.589,342,3.998,363,3.308,366,3.728,393,4.58,966,3.778,1126,4.045,1156,5.42,1334,4.41,1336,6.111,1337,5.968,1338,6.029,1526,6.029,1527,5.265,1528,6.661]],["t/2763",[1,0.804,20,0.794,28,2.676,38,2.248,39,3.56,66,1.526,76,1.724,88,2.226,135,2.414,140,2.086,143,2.938,156,3.127,162,1.08,165,1.294,173,1.418,185,3.749,205,4.042,218,2.143,220,2.552,226,4.046,249,3.311,268,2.107,300,2.781,304,3.485,306,3.56,361,5.897,363,4.392,366,4.95,384,3.822,398,1.635,403,3.074,404,4.322,642,4.706,820,4.322,875,4.968,884,3.124,890,3.64,1153,4.496,1198,3.822,1231,3.485,1333,4.173,1336,3.727,1337,3.64,1518,4.322,1529,4.706,1530,6.924,1531,4.968,1532,4.968,1533,4.706,1534,5.318,1535,5.318]],["t/2765",[1,0.715,20,1.088,28,2.715,38,2.281,39,3.612,65,3.223,66,1.358,79,1.848,135,2.449,143,2.981,153,1.368,156,2.06,157,3.025,162,1.48,185,3.11,191,3.878,193,3.969,201,4.562,202,3.878,205,4.101,212,2.939,214,4.234,218,2.175,222,3.878,249,2.476,300,2.821,304,3.536,316,3.278,363,4.586,366,3.81,384,3.878,398,1.659,540,5.237,875,5.04,877,4.562,884,3.17,902,2.025,940,3.984,1080,4.774,1126,3.38,1153,4.562,1198,3.878,1336,3.781,1337,3.693,1526,4.562,1531,5.04,1532,6.807,1533,7.3,1534,7.287,1536,5.937,1537,5.937,1538,5.04,1539,5.937,1540,5.396,1541,5.937,1542,5.937,1543,5.937]],["t/2767",[1,0.572,20,0.869,28,2.929,84,2.793,85,3.126,86,2.761,88,2.436,100,3.896,114,1.114,133,3.476,135,2.642,136,3.6,139,3.043,140,3.006,143,3.216,182,4.272,240,2.73,268,1.7,345,2.584,363,4.39,366,5.18,430,4.424,442,4.183,482,3.004,818,3.739,820,4.73,1037,4.183,1176,4.921,1202,2.859,1302,4.183,1334,6.01,1335,5.131,1529,5.15,1533,5.15,1538,5.437,1544,5.437,1545,5.437,1546,5.437,1547,5.437,1548,5.437,1549,5.437]],["t/2770",[0,0.563,1,0.906,13,1.133,20,1.087,31,1.743,40,3.533,49,2.55,65,2.119,66,1.005,73,1.53,76,1.15,79,1.215,84,1.702,85,1.906,86,1.683,89,2.64,135,2.96,143,1.96,148,1.989,153,0.9,154,3.808,157,1.989,162,0.721,165,0.864,174,3.276,181,2.784,185,1.514,200,1.88,212,1.932,214,2.784,218,3.324,220,1.702,236,1.96,241,2.819,246,4.381,247,2.325,249,1.628,250,1.646,261,1.355,268,1.036,300,1.855,304,2.325,343,6.269,345,1.196,349,2.119,363,3.024,366,1.855,368,3.278,387,4.588,392,3.711,482,1.831,540,2.55,550,2.487,646,3.139,666,3.548,796,2.697,800,3.314,801,6.803,803,3.548,810,3.314,892,2.784,894,2.325,902,2.023,913,2.697,940,3.98,1000,2.194,1056,1.831,1115,2.883,1119,6.347,1126,2.501,1161,5.769,1176,3,1196,3.117,1336,5.104,1337,4.985,1338,3,1339,2.429,1433,2.279,1437,3.548,1489,3.314,1526,4.558,1533,3.139,1550,3.904,1551,3.904,1552,3.548,1553,3.904,1554,3.904,1555,7.174,1556,3.904,1557,3.314,1558,3.139,1559,3.139,1560,8.013,1561,3.904,1562,3.904,1563,5.932,1564,3.904,1565,3.904,1566,3.548,1567,3.314,1568,3.139,1569,3.904,1570,5.932,1571,5.932,1572,3.904]],["t/2772",[0,1.459,1,0.727,2,1.777,3,2.505,4,1.547,20,0.945,21,1.486,42,1.845,50,3.255,72,2.679,73,2.729,76,2.401,84,2.115,116,2.165,139,3.31,140,3.174,148,2.472,153,1.605,154,2.305,162,0.896,182,2.068,212,3.448,218,3.262,227,2.219,244,1.251,268,2.363,272,3.09,282,2.509,303,1.626,305,1.345,324,2.832,349,2.633,371,3.255,372,3.459,382,3.781,389,2.436,392,2.246,393,2.832,398,1.946,403,2.549,443,3.781,444,5.099,464,6.019,474,2.091,524,3.018,537,2.679,538,2.889,539,2.727,884,2.59,890,4.333,902,1.654,943,3.09,959,3.727,966,2.336,1056,2.275,1154,3.255,1167,5.913,1168,4.118,1196,2.549,1227,3.727,1302,3.168,1336,3.09,1337,3.018,1411,3.727,1552,7.406,1573,8.094,1574,4.851,1575,4.851,1576,4.118,1577,4.851,1578,2.951,1579,4.851,1580,4.851,1581,4.851,1582,4.851,1583,4.851,1584,4.409,1585,4.851]],["t/2775",[1,0.846,20,1.152,60,3.348,74,1.756,76,1.907,109,6.056,125,3.076,134,3.16,135,2.67,143,4.264,154,4.035,162,1.195,173,1.517,174,3.574,193,3.204,218,3.111,228,3.837,236,3.25,249,3.541,250,2.729,271,6.056,304,3.855,363,2.729,387,3.706,388,4.026,397,4.973,451,3.778,539,3.638,642,7.622,646,5.205,902,2.896,940,4.343,1228,5.205,1241,4.343,1336,5.409,1337,5.283,1343,5.205,1406,4.957,1454,3.706,1461,5.495,1540,5.883,1586,5.883,1587,6.472]],["t/2777",[0,1.095,1,0.777,14,2.909,25,2.155,32,2.64,72,4.193,76,1.615,79,1.707,119,2.64,135,3.879,137,3.657,140,1.954,143,4.374,153,1.264,180,2.881,185,3.379,187,3.788,222,3.581,241,4.139,249,2.287,261,1.903,306,4.62,345,1.68,361,3.201,363,4.162,366,4.139,395,3.266,396,3.492,790,6.446,796,3.788,890,3.411,913,3.788,940,3.679,1126,2.312,1241,3.679,1336,3.492,1337,3.411,1340,4.433,1406,6.525,1518,4.05,1530,4.213,1567,4.655,1588,5.835,1589,4.984,1590,3.91,1591,5.483,1592,7.593,1593,5.483,1594,5.483,1595,5.483]],["t/2779",[1,0.654,8,2.376,20,0.994,38,2.815,89,2.245,114,1.275,135,3.023,136,4.119,140,2.612,143,3.68,182,3.124,275,4.196,357,2.9,363,3.089,366,4.776,430,5.062,467,5.266,511,2.788,820,5.412,1076,4.917,1202,3.271,1334,5.65,1335,5.595,1544,6.221,1545,6.221,1546,6.221,1547,6.221,1548,6.221,1549,6.221,1596,7.328,1597,6.66,1598,7.328]],["t/2781",[2,1.096,4,1.931,20,1.33,28,3.716,63,2.446,66,1.026,71,2.916,100,3.683,114,1.595,133,3.287,139,2.877,140,3.268,173,1.451,182,4.177,238,2.281,261,2.101,268,1.607,303,2.03,309,3.233,345,2.809,347,3.152,349,3.287,363,4.309,366,4.857,389,3.04,442,3.955,467,4.652,482,2.84,496,5.503,642,4.869,688,4.063,730,2.956,818,3.534,820,4.472,1000,3.403,1005,4.318,1056,2.84,1196,4.269,1231,3.606,1334,4.567,1336,3.857,1337,3.767,1599,6.055,1600,5.14,1601,6.055,1602,5.503,1603,5.14]],["t/2783",[20,1.282,28,3.499,95,3.898,182,3.261,200,3.684,219,4.996,345,2.343,347,2.968,356,3.957,363,3.225,366,4.488,368,2.91,369,3.058,510,4.872,688,5.133,818,4.465,902,3.221,1188,5.65,1196,4.019,1334,4.3,1335,4.654,1600,6.494,1604,8.019,1605,6.151,1606,6.494,1607,5.284,1608,6.494]],["t/2785",[20,1.434,38,1.886,66,0.832,71,3.383,76,2.07,84,2.141,85,2.397,86,2.116,95,2.502,114,0.854,153,1.132,173,0.877,182,2.093,185,2.725,236,2.465,241,3.338,268,2.177,285,2.711,300,3.338,345,3.18,356,4.244,363,4.155,366,5.328,382,2.665,395,2.924,441,3.391,511,1.868,569,4.168,818,4.101,945,1.943,996,3.391,1000,2.76,1045,3.207,1076,3.294,1156,3.391,1302,4.588,1333,5.85,1334,6.261,1335,4.991,1457,4.168,1527,6.008,1607,3.391,1609,4.462,1610,4.168,1611,4.909,1612,6.385,1613,4.462,1614,6.385,1615,4.462,1616,3.501,1617,4.909,1618,4.909,1619,4.462]],["t/2787",[0,1.294,20,1.217,28,2.651,66,0.982,86,2.499,88,2.205,89,3.256,140,3.196,180,3.045,182,2.471,185,2.248,191,5.152,194,2.366,207,4.281,219,5.152,238,2.184,268,2.38,300,2.754,356,5.674,357,3.122,363,3.326,366,4.574,511,3.001,818,6.204,866,4.281,970,4.004,1000,3.258,1053,5.293,1156,4.004,1302,3.786,1334,5.41,1527,3.889,1608,6.697,1612,5.268,1614,5.268,1615,5.268,1620,5.268,1621,4.92,1622,5.796,1623,4.661,1624,4.92]],["t/2790",[2,1.318,7,2.62,20,1.243,25,1.59,48,4.121,51,3.356,52,4.252,66,1.234,79,2.852,92,4.09,99,3.152,114,1.267,172,3.995,182,3.105,269,5.194,285,4.022,322,3.556,366,3.461,467,5.246,482,4.297,902,2.484,925,5.597,1056,3.417,1335,4.431,1625,7.284,1626,7.284,1627,9.161]],["t/2792",[8,1.786,20,1.388,28,2.519,46,2.488,66,1.479,79,1.714,100,3.351,114,1.325,118,3.696,119,2.652,133,4.135,140,1.963,153,1.269,182,3.247,194,2.248,205,3.805,229,1.8,239,1.928,245,4.634,275,3.154,282,2.849,309,2.941,322,2.689,345,1.687,363,4.573,366,4.982,370,2.652,382,2.99,418,5.432,442,3.598,467,4.362,482,3.573,488,3.281,511,2.095,707,2.137,791,3.928,818,4.446,892,3.928,925,4.232,1076,3.696,1179,3.928,1196,2.894,1231,3.281,1302,4.975,1333,3.928,1335,5.312,1343,4.429,1388,4.232,1518,5.626,1530,4.232,1628,4.676,1629,5.508,1630,3.042,1631,5.508,1632,4.068,1633,4.676,1634,7.617,1635,7.617]],["t/2794",[20,0.864,21,1.952,25,1.39,28,2.914,41,4.895,66,1.079,71,3.068,100,5.113,114,1.108,153,1.468,169,3.296,180,3.347,226,4.283,235,4.706,262,5.806,275,3.648,345,1.952,363,4.658,366,4.94,406,5.123,442,4.161,455,3.963,804,2.271,818,3.719,868,4.161,980,3.963,1037,4.161,1076,5.639,1156,5.806,1175,4.895,1179,5.993,1196,3.347,1231,3.795,1302,5.489,1333,4.543,1334,3.581,1336,4.058,1337,3.963,1518,6.208,1538,5.409,1636,8.404,1637,5.791,1638,6.371]],["t/2796",[4,2.156,21,2.071,26,2.571,41,7.861,65,3.669,66,1.145,72,3.733,140,2.409,162,1.248,166,5.738,180,3.552,182,3.724,226,4.451,361,3.946,363,4.466,366,4.599,541,2.789,736,7.557,818,5.099,820,4.993,845,6.686,868,4.415,1000,3.799,1086,4.535,1102,5.436,1156,4.669,1196,5.085,1231,4.026,1289,5.738,1530,6.712,1532,5.738,1639,5.738]],["t/2798",[0,1.02,1,0.631,2,1.628,20,0.96,23,2.256,24,3.659,25,2.344,26,2.691,43,3.188,63,2.857,66,1.523,88,2.691,114,1.23,162,1.66,182,3.834,232,4.4,240,3.015,357,2.799,491,4.62,1000,3.976,1112,4.699,1143,3.213,1193,2.476,1217,5.874,1454,4.05,1640,7.073,1641,6.429]],["t/2800",[0,0.997,1,0.617,2,1.771,20,1.202,23,2.204,24,3.576,25,2.252,26,2.63,43,2.997,63,3.58,95,3.522,113,4.585,114,1.542,116,3.956,122,5.868,156,2.399,207,5.106,212,3.422,324,4.035,345,2.118,357,4.083,491,4.515,537,3.817,539,3.886,972,5.868,1112,4.211,1143,3.021,1217,4.515,1642,6.283,1643,6.283]],["t/2802",[0,1.323,1,0.818,2,1.946,20,1.428,25,2.139,32,3.912,42,3.091,43,3.002,63,2.446,73,2.372,95,3.085,113,3.132,114,1.053,135,2.498,156,2.819,169,3.132,200,2.916,212,2.997,324,3.534,353,2.703,357,3.215,537,3.343,539,3.403,542,5.612,543,4.183,544,4.472,899,3.857,1102,4.869,1143,2.831,1172,6.773,1217,6.4,1642,5.503,1644,6.055,1645,6.055,1646,4.472,1647,8.124,1648,8.124,1649,6.055]],["t/2804",[1,0.67,20,1.267,23,2.394,24,3.884,25,2.038,26,2.856,43,2.3,74,2.037,153,1.73,169,3.884,173,1.341,191,4.904,228,4.218,264,4.009,265,5.769,303,3.13,357,4.208,377,2.652,392,3.477,395,4.472,476,4.27,1143,2.318,1172,6.897,1217,6.099]],["t/2806",[20,1.019,23,2.394,24,3.884,25,1.639,26,2.856,33,5.249,43,2.3,66,1.272,76,2.212,114,1.306,153,1.73,156,2.606,173,1.341,174,4.146,238,2.829,243,1.695,268,1.992,303,3.13,305,2.082,357,4.208,382,4.076,411,5.038,491,4.904,730,5.19,1112,3.568,1172,5.546]],["t/2808",[1,0.949,20,1.019,38,2.884,74,2.037,76,2.212,79,3.163,162,1.724,240,3.201,268,1.992,398,2.098,507,6.038,639,5.187,682,3.616,902,2.561,970,5.187,1108,4.904,1112,3.568,1134,4.782,1139,6.038,1160,5.808,1170,3.665,1650,7.508,1651,6.824,1652,5.187,1653,7.508,1654,6.038,1655,7.508]],["t/2810",[14,2.226,15,4.596,20,1.515,66,1.28,73,3.672,114,1.314,171,5.805,221,6.867,236,4.707,238,2.847,296,5.219,305,2.095,333,5.58,392,3.499,393,4.41,792,6.07,902,3.197,956,6.414,1195,5.069,1356,6.075,1588,5.805,1656,7.554,1657,7.554]],["t/2812",[1,0.678,14,2.24,66,1.288,76,2.24,79,2.366,140,2.709,141,6.454,143,3.817,163,5.841,304,5.604,338,4.625,512,4.965,1139,6.113,1153,5.841,1209,5.615,1210,5.615,1246,5.841,1658,6.909,1659,7.602,1660,7.602,1661,7.602,1662,7.602,1663,4.729,1664,7.602,1665,7.602,1666,7.602,1667,7.602,1668,7.602,1669,7.602,1670,7.602,1671,7.602]],["t/2814",[0,0.946,1,0.585,14,0.997,20,0.459,23,1.694,26,1.287,27,3.293,63,2.649,69,2.593,74,2.189,76,1.565,79,2.312,84,2.859,85,3.201,86,3.202,89,2.275,114,0.589,115,3.669,116,2.927,121,3.383,134,2.593,137,2.558,142,2.721,143,1.699,153,0.78,218,1.946,232,2.105,241,3.835,244,1.915,264,1.807,267,3.469,296,2.338,318,2.413,338,2.059,345,2.472,347,2.061,357,2.94,392,3.037,403,1.778,414,3.923,439,2.721,493,2.105,506,1.195,511,2.495,512,3.469,540,2.21,639,4.53,658,2.6,694,3.564,709,1.869,710,2.5,723,3.232,746,3.164,755,5.96,756,7.202,757,6.751,758,5.273,759,3.076,760,4.828,761,3.076,762,3.076,763,5.96,764,5.131,765,3.076,766,3.076,767,4.509,769,7.784,770,3.076,771,2.6,772,2.721,773,3.076,774,4.828,775,4.828,776,3.076,777,3.076,778,3.076,779,3.076,780,3.076,781,3.076,782,3.076,783,3.076,784,3.076,785,2.413,786,4.509,787,1.675,788,3.076,800,2.873,804,1.206,842,3.564,885,2.836,932,5.486,1171,4.082,1209,5.486,1210,5.486,1235,2.338,1246,4.082,1258,3.923,1435,1.699,1672,3.076,1673,5.312,1674,3.384,1675,3.384,1676,3.384,1677,3.384,1678,6.557,1679,4.272,1680,5.917,1681,5.312,1682,4.828,1683,5.312,1684,4.828,1685,3.384,1686,3.384,1687,3.384,1688,3.384]],["t/2816",[1,0.905,2,1.558,3,3.349,38,2.06,43,2.637,66,1.266,79,2.327,111,4.884,114,0.933,117,5.025,139,2.548,182,3.187,226,2.733,227,2.453,261,1.861,267,3.503,282,2.774,337,3.336,353,3.338,447,1.072,458,3.13,472,3.503,682,3.601,804,1.911,885,4.972,899,3.416,913,3.705,1047,4.874,1049,3.014,1126,3.152,1160,5.355,1170,3.65,1180,4.312,1209,5.523,1210,5.523,1211,6.796,1212,6.796,1435,2.693,1454,3.071,1578,4.549,1590,3.824,1652,3.705,1663,3.336,1689,4.553,1690,3.598,1691,5.332,1692,3.705,1693,4.553,1694,4.312,1695,3.961,1696,3.961,1697,4.312,1698,4.312,1699,4.874,1700,4.553,1701,4.553,1702,6.348,1703,4.874,1704,4.553,1705,4.874,1706,4.553,1707,4.874,1708,5.362,1709,5.362,1710,5.362]],["t/2818",[0,0.663,1,0.705,2,1.572,4,1.465,5,3.765,8,1.49,20,1.41,29,4.704,43,1.408,66,1.564,88,1.748,114,0.799,140,1.638,156,1.595,160,2.537,162,1.237,165,1.017,182,1.959,194,1.876,220,2.004,233,3.695,241,4.126,244,1.727,326,2.102,347,4.033,357,2.651,388,4.166,419,2.377,444,2.631,482,4.33,488,2.737,550,2.927,688,3.083,726,3.001,785,4.776,889,3.277,902,2.284,953,3.531,960,4.177,966,3.225,967,3.083,986,2.243,1056,3.706,1061,4.166,1064,3.174,1090,3.394,1111,4.374,1113,5.386,1154,3.083,1171,3.531,1184,3.695,1231,2.737,1258,3.394,1328,3.083,1358,2.453,1578,2.795,1604,3.901,1696,3.394,1711,5.686,1712,6.087,1713,4.177,1714,4.177,1715,4.177,1716,4.177,1717,4.177,1718,3.277,1719,4.177,1720,4.177,1721,4.177,1722,4.177,1723,4.595,1724,4.595,1725,4.595,1726,4.595,1727,6.697,1728,4.177,1729,4.595,1730,6.087,1731,3.277,1732,4.595,1733,4.595,1734,4.595,1735,3.901,1736,4.595]],["t/2820",[1,0.52,2,1.746,3,2.094,4,1.857,7,2.094,8,1.888,9,3.273,20,1.532,22,2.6,29,4.581,43,1.784,66,0.986,79,3.312,116,2.6,134,2.843,182,3.832,267,3.804,347,2.259,350,4.301,366,3.76,511,2.215,512,3.804,550,3.709,688,5.31,726,3.804,756,4.683,785,4.153,967,5.31,1037,3.804,1092,4.153,1111,3.804,1188,7.449,1335,4.814,1576,4.944,1597,7.193,1600,4.944,1711,7.631,1712,5.293,1713,5.293,1714,5.293,1716,5.293,1717,5.293,1720,5.293,1721,5.293,1737,5.293,1738,5.293]],["t/2822",[1,0.709,43,2.435,66,1.346,76,2.342,79,2.474,114,1.682,139,4.595,140,2.833,238,2.995,444,4.551,764,5.491,804,2.833,882,5.668,885,5.163,1011,5.192,1012,5.871,1049,5.436,1663,4.945,1689,6.748,1739,7.776]],["t/2824",[1,0.624,2,1.266,20,1.211,76,2.06,79,2.176,96,4.081,140,2.492,220,4.518,444,4.003,821,4.986,882,7.013,899,4.453,949,6.86,1126,2.948,1160,4.349,1291,7.579,1528,5.936,1568,7.179,1663,4.349,1690,4.691,1692,4.83,1695,7.907,1740,5.372,1741,6.355,1742,5.936,1743,5.623,1744,8.114,1745,6.355,1746,7.179,1747,6.355,1748,6.355]],["t/2826",[1,0.709,27,3.991,66,1.638,111,5.192,114,1.682,117,5.645,191,5.192,194,3.245,219,5.192,261,2.758,267,5.192,511,3.024,885,4.244,957,5.871,1049,4.468,1160,4.945,1663,4.945,1702,6.748,1705,7.225,1706,6.748,1749,7.948,1750,5.871]],["t/2828",[1,0.738,2,1.497,63,3.342,114,1.723,162,1.527,238,3.117,244,2.133,293,5.714,305,2.294,368,3.147,723,6.026,999,6.356,1663,5.146,1751,7.519,1752,6.356,1753,7.022,1754,7.519]],["t/2830",[1,0.581,20,0.883,43,1.993,76,1.917,84,2.837,86,2.805,96,3.798,114,1.482,137,3.133,162,1.201,220,4.397,227,2.976,240,2.774,241,3.092,342,3.316,353,2.905,682,3.133,821,4.64,882,7.19,890,4.048,899,5.428,912,5.233,949,5,1011,4.25,1012,4.806,1018,5.524,1049,4.79,1126,2.743,1291,5.524,1528,5.524,1568,6.853,1663,5.301,1692,4.495,1695,7.731,1741,5.914,1742,5.524,1743,5.233,1744,7.746,1745,5.914,1746,6.853,1747,5.914,1748,5.914]],["t/2832",[1,0.527,2,1.639,4,1.884,20,1.316,24,3.056,28,3.655,38,2.27,48,2.315,66,1.77,79,1.839,86,2.547,89,1.81,90,3.449,94,4.213,119,2.845,156,2.05,160,3.263,162,1.091,169,3.056,173,1.427,180,3.104,185,3.513,191,5.22,241,4.303,261,2.05,268,2.69,319,3.675,322,2.884,326,2.702,336,3.964,363,3.369,366,4.964,367,4.364,818,4.665,902,3.088,937,2.955,966,2.845,1170,2.884,1328,3.964,1333,6.458,1334,4.492,1527,3.964,1616,4.213,1754,5.37]],["t/2834",[20,0.916,28,3.638,38,1.785,63,1.877,66,1.144,71,2.238,72,2.566,73,2.646,89,3.244,95,2.368,114,0.808,133,2.523,135,1.917,136,2.612,140,2.407,143,2.334,153,1.071,165,1.028,181,3.314,219,3.036,238,2.997,249,1.938,253,3.737,262,3.211,268,2.111,282,2.404,340,3.433,345,1.424,347,1.803,356,5.55,357,3.148,363,2.847,366,5.316,424,3.314,430,3.211,569,3.946,730,2.269,792,2.768,818,4.643,907,3.314,948,4.224,957,3.433,968,3.737,1000,2.612,1112,2.208,1118,3.946,1171,3.571,1196,3.548,1202,2.075,1302,4.411,1333,5.672,1334,3.796,1335,2.827,1336,2.96,1337,2.891,1344,2.891,1461,3.946,1527,4.531,1544,3.946,1545,3.946,1546,3.946,1547,3.946,1548,3.946,1549,3.946,1607,3.211,1608,3.946,1620,4.224,1623,3.737,1755,4.647,1756,4.647,1757,3.946,1758,4.647,1759,4.647,1760,4.224,1761,4.647,1762,3.433,1763,4.647,1764,4.224,1765,3.314]],["t/2836",[2,1.266,42,3.396,51,3.27,78,4.101,81,2.47,99,3.071,173,1.249,199,3.332,309,3.733,356,3.617,360,5.338,366,4.673,377,2.47,393,4.081,479,4.349,902,2.384,934,4.242,935,6.167,936,5.936,937,3.301,939,5.936,947,6.366,1334,3.93,1372,5.936,1453,5.936,1760,6.355,1766,6.355,1767,6.992,1768,5.936,1769,5.936,1770,5.936,1771,6.355]],["t/2838",[20,0.619,28,2.086,36,3.668,66,1.466,71,2.196,73,3.766,76,1.344,89,1.397,95,2.324,100,2.775,134,2.226,140,1.625,153,1.994,165,1.473,181,3.252,185,2.584,252,5.356,253,3.668,268,2.088,282,2.359,300,2.167,305,1.265,342,3.394,356,5.368,363,4.289,366,4.834,399,3.252,424,6.563,478,2.905,493,2.837,495,3.668,804,1.625,818,5.793,842,3.06,898,2.662,902,2.271,966,2.196,1154,3.06,1162,1.555,1196,2.396,1334,6.007,1386,3.668,1527,5.279,1607,3.151,1619,4.145,1757,3.872,1772,3.504,1773,4.56,1774,7.151,1775,4.56,1776,7.868,1777,4.56,1778,7.868,1779,4.56,1780,4.56,1781,7.151,1782,8.365,1783,4.145,1784,4.56,1785,4.56,1786,4.56,1787,4.56,1788,4.56,1789,4.56,1790,4.145]],["t/2840",[2,1.02,22,3.454,42,2.944,48,3.032,51,2.834,66,1.611,73,2.208,78,4.295,81,1.99,99,1.939,153,1.299,173,1.007,185,3.69,199,2.103,207,4.162,268,1.495,300,2.678,322,4.644,342,2.872,360,4.797,366,5.013,377,1.99,398,1.574,418,4.019,479,3.506,481,3.893,707,3.002,902,2.639,919,6.223,934,2.678,935,5.345,937,3.517,939,4.784,947,6.784,1060,3.289,1114,5.946,1334,4.35,1372,6.569,1453,4.784,1609,5.122,1768,4.784,1769,4.784,1770,4.784,1771,5.122,1772,7.31,1791,5.635]],["t/2842",[0,1.566,20,0.798,66,1.807,78,2.452,81,2.814,99,2.74,133,3.192,153,1.355,173,1.863,199,2.973,268,1.56,322,3.888,356,4.121,360,5.663,366,5.157,367,4.343,377,2.814,398,1.643,399,4.193,902,2.005,934,3.785,935,5.503,937,3.34,1334,4.477,1527,5.345,1768,6.762,1769,6.762,1770,6.762,1774,7.24,1792,7.24,1793,7.24]],["t/2844",[0,1.256,1,0.6,20,1.181,66,1.139,72,3.712,78,2.803,89,2.059,133,3.649,134,3.281,153,1.549,228,3.037,241,4.136,268,1.784,322,4.249,356,4.994,366,4.587,367,4.965,377,2.374,398,1.878,399,4.794,510,4.282,514,5.544,902,2.968,934,4.136,935,6.013,937,3.218,1000,3.779,1063,4.644,1141,3.712,1334,4.893,1388,5.165,1527,5.84,1792,6.11,1793,7.911,1794,8.704,1795,5.406]],["t/2846",[4,2.394,8,2.434,20,1.019,28,3.434,66,1.272,85,3.665,89,2.3,119,3.616,127,6.038,129,5.156,131,3.477,167,4.009,260,2.629,262,5.187,268,1.992,356,4.83,363,3.165,405,3.237,406,6.038,441,5.187,488,4.472,818,5.45,871,5.546,891,6.824,1052,4.782,1177,5.769,1321,6.824,1639,6.374,1796,7.508,1797,6.824,1798,5.546]],["t/2848",[1,0.829,33,3.49,71,2.99,79,1.933,143,3.118,153,2.14,173,1.476,185,3.84,205,4.289,285,3.429,361,6.017,363,4.345,366,4.704,381,4.586,389,4.149,398,1.735,424,7.059,482,2.912,493,3.862,818,5.42,868,5.396,884,3.315,902,2.117,1240,5.271,1334,3.49,1518,4.586,1527,5.544,1530,7.135,1531,5.271,1535,5.643,1731,4.428,1757,7.014,1781,7.51,1799,6.209,1800,8.262,1801,5.643]],["t/2850",[1,0.857,8,2.155,20,1.379,33,3.737,46,3.004,66,1.464,84,2.899,85,3.246,86,2.866,88,2.529,90,3.881,93,4.911,114,1.67,123,4.278,139,4.107,154,4.563,156,2.307,169,3.44,218,3.517,227,3.041,229,2.173,244,1.714,261,2.307,268,1.764,349,3.609,394,5.109,451,5.045,476,3.953,489,5.645,868,4.343,935,4.593,1122,3.004,1341,7.092,1507,6.043,1718,4.741,1802,4.343,1803,6.649]],["t/2852",[1,0.804,2,1.63,20,1.222,162,1.663,1341,6.651,1438,6.919,1804,7.241]],["t/2854",[1,0.798,3,3.729,20,1.213,162,1.65,1341,6.602,1438,6.868,1804,7.188]],["t/2856",[1,0.769,29,4.394,238,3.249,240,3.676,268,2.864,304,5.136,726,5.632,943,5.492,1056,4.044,1241,5.786,1805,8.622]],["t/2858",[1,0.311,2,1.208,3,1.252,5,3.052,8,1.128,14,1.025,20,1.27,22,1.554,29,5.377,33,1.956,38,1.337,40,2.073,47,3.305,63,1.406,66,1.667,79,2.546,83,1.922,86,1.5,89,1.663,114,1.161,116,3.367,135,2.24,136,1.956,139,3.173,140,1.241,143,2.727,149,2.335,157,1.774,165,1.201,191,2.273,194,1.421,200,2.615,218,2.996,238,1.311,240,1.484,243,0.786,244,0.897,261,1.884,275,1.993,285,1.922,289,2.482,303,1.167,326,1.592,338,4.588,345,1.066,357,1.378,368,3.297,369,1.392,382,1.889,387,3.109,390,2.799,403,1.829,405,1.5,419,1.801,441,2.404,461,2.482,471,3.164,476,1.592,503,2.571,639,2.404,726,4.361,750,3.164,751,3.164,752,3.164,753,3.164,754,3.164,785,4.761,786,6.943,877,2.674,884,1.858,890,2.165,899,2.217,916,2.674,931,2.799,967,6.073,1056,3.538,1061,5.391,1062,2.799,1092,2.482,1105,2.482,1107,2.955,1108,4.361,1110,2.955,1111,4.926,1114,2.674,1119,2.273,1127,2.955,1131,4.61,1134,2.217,1187,4.935,1196,2.853,1209,2.571,1210,4.011,1246,2.674,1328,3.644,1335,2.117,1344,4.153,1406,2.032,1605,2.799,1606,2.955,1651,3.164,1680,2.404,1738,3.164,1753,2.955,1806,3.48,1807,2.571,1808,3.48,1809,3.48,1810,2.955,1811,2.482,1812,3.48,1813,4.935,1814,3.48,1815,3.48,1816,3.48,1817,5.43,1818,4.935,1819,3.164,1820,3.164,1821,3.164]],["t/2860",[1,0.841,2,1.379,20,1.185,29,4.449,33,3.096,40,3.281,63,2.225,66,0.933,76,1.623,79,2.718,121,3.508,125,3.62,134,2.689,140,2.715,173,0.984,218,2.79,220,2.402,240,2.348,264,2.941,265,4.232,268,2.021,303,2.554,338,3.351,377,2.691,382,2.99,387,3.154,389,3.825,393,3.215,411,3.696,504,6.467,707,2.137,767,4.676,868,3.598,884,2.941,885,2.941,914,4.429,967,6.636,1061,6.831,1108,5.703,1131,6.467,1156,3.805,1175,4.232,1196,2.894,1234,6.467,1449,4.676,1454,3.154,1762,4.068,1818,5.006,1821,5.006,1822,5.853,1823,5.508,1824,5.006,1825,7.617,1826,5.508,1827,5.006,1828,5.508]],["t/2862",[0,1.438,1,0.746,5,4.24,21,1.935,29,2.162,40,2.527,63,1.714,65,2.303,68,3.026,76,2.462,85,2.071,86,2.723,153,1.456,162,1.393,165,1.976,200,2.043,218,2.314,246,5.572,261,2.192,272,4.023,287,2.271,297,2.772,298,4.665,300,3.001,306,5.084,319,2.64,326,1.941,357,1.679,368,3.69,389,3.788,390,3.412,419,3.267,433,4.125,451,4.404,463,4.665,476,2.888,509,2.578,510,2.703,511,2.403,730,4.079,746,4.493,884,2.266,885,2.266,890,2.64,1053,2.847,1056,3.538,1175,3.261,1231,2.527,1245,3.857,1259,3.602,1344,5.198,1361,3.412,1680,2.931,1735,3.602,1804,3.412,1829,4.243,1830,3.857,1831,8.933,1832,8.356,1833,8.356,1834,3.857,1835,4.243,1836,7.595,1837,8.356,1838,6.315,1839,6.315,1840,4.243,1841,4.243,1842,3.412,1843,6.315,1844,6.315,1845,6.315,1846,4.243,1847,6.315,1848,5.74]],["t/2864",[1,0.334,2,1.532,3,3.815,4,3.059,5,4.41,8,1.215,13,2.03,20,0.78,23,3.059,25,1.255,26,1.426,28,1.714,29,1.91,31,3.123,32,2.769,38,1.44,39,2.28,66,1.666,74,2.522,79,1.79,83,3.175,89,1.761,114,1.617,117,2.188,131,1.736,133,2.034,149,3.858,162,1.292,180,1.969,194,1.53,244,1.804,268,1.856,275,3.292,303,1.256,326,3.87,342,1.91,347,1.454,356,5.194,357,2.276,382,2.034,482,3.281,493,2.332,511,1.426,885,2.001,931,3.014,1000,2.107,1058,3.513,1059,3.415,1060,5.861,1063,5.846,1064,2.589,1112,1.781,1113,6.805,1114,2.88,1115,2.768,1116,3.182,1119,3.756,1120,4.624,1125,3.407,1143,1.776,1157,3.182,1158,3.014,1196,3.021,1301,2.768,1335,2.28,1449,3.182,1451,3.407,1558,3.014,1752,2.88,1813,3.407,1849,3.748,1850,3.748,1851,3.748,1852,3.748,1853,3.748,1854,3.182,1855,3.407,1856,3.182,1857,3.407,1858,2.673,1859,3.748,1860,3.748,1861,3.748,1862,3.407]],["t/2866",[0,0.833,1,0.516,2,1.046,3,1.356,4,2.51,5,3.247,8,1.223,20,1.264,27,1.894,29,1.922,40,2.246,52,4.099,63,1.523,66,1.333,74,2.302,76,1.111,79,1.174,88,1.435,89,1.155,95,2.944,114,1.714,115,4.851,116,1.683,134,2.82,135,1.556,136,2.12,137,3.382,140,2.059,153,0.869,156,1.309,160,2.082,165,0.834,169,1.951,174,2.082,180,1.981,194,1.539,200,1.816,243,1.304,244,0.972,247,2.246,249,1.573,268,2.089,285,2.082,297,2.463,303,1.264,345,2.151,368,2.198,369,3.147,392,1.746,396,2.402,419,2.989,430,2.605,442,2.463,461,2.689,481,2.605,498,3.428,509,1.539,511,1.435,723,6.119,726,6.086,880,2.898,885,2.013,892,2.689,932,4.267,957,2.785,1052,2.402,1056,3.294,1092,6.051,1111,5.141,1126,1.59,1185,2.689,1230,3.201,1233,2.605,1328,2.53,1458,3.428,1558,3.033,1559,5.647,1616,2.689,1623,3.033,1663,3.594,1684,3.428,1718,2.689,1765,2.689,1772,2.898,1810,7.204,1811,6.051,1863,3.771,1864,5.777,1865,3.771,1866,5.777,1867,3.771,1868,5.777,1869,3.771,1870,3.771,1871,8.485,1872,3.771,1873,3.771,1874,3.771,1875,3.428,1876,3.428,1877,3.428,1878,3.771,1879,5.777]],["t/2868",[1,0.597,20,0.907,30,5.675,52,3.902,57,5.137,66,1.132,74,2.353,89,2.657,114,1.772,115,4.618,124,5.675,133,3.629,135,2.758,136,3.758,137,3.219,140,2.383,153,1.541,165,1.919,241,3.177,268,1.774,303,2.241,370,3.219,396,4.258,443,3.629,723,5.276,726,5.665,932,4.938,951,6.076,952,6.076,953,5.137,1092,4.767,1119,5.665,1388,5.137,1752,5.137,1811,4.767,1880,6.685,1881,8.673,1882,5.675,1883,6.685,1884,6.076,1885,6.685,1886,6.076,1887,6.685,1888,6.685]],["t/2870",[1,0.691,20,1.292,27,3.89,73,4.038,115,5.351,127,6.23,156,2.688,162,1.43,165,1.714,194,3.162,249,3.23,250,3.266,303,2.597,305,2.148,333,5.722,371,5.198,792,5.67,966,3.73,1033,7.041,1052,4.934,1055,5.722,1161,6.23,1584,7.041,1610,6.577,1889,7.746]],["t/2872",[1,0.896,20,0.874,25,1.847,29,3.281,38,2.473,40,3.835,58,4.755,74,1.746,114,1.644,140,2.295,194,3.455,238,3.189,244,1.66,268,2.509,300,3.059,388,4.005,419,3.331,493,4.005,509,2.628,524,4.005,554,3.835,557,4.32,621,5.466,880,4.947,947,6.035,966,3.1,1000,3.619,1056,4.892,1057,3.758,1195,4.32,1326,5.852,1331,6.805,1332,5.177,1490,4.448,1811,4.591,1856,5.466,1890,6.438,1891,6.438,1892,6.438,1893,3.331,1894,6.438,1895,7.692,1896,5.852,1897,4.947]],["t/2874",[1,0.735,2,1.49,3,2.222,20,1.34,27,3.102,43,2.522,66,1.046,79,1.923,84,2.694,114,1.432,117,3.606,118,4.145,137,2.975,139,2.935,150,2.604,166,5.244,182,3.948,185,3.194,194,2.522,229,2.692,236,3.102,238,2.328,253,4.968,275,3.537,326,3.766,342,3.148,368,2.35,388,3.843,393,3.606,444,3.537,894,3.679,902,2.107,990,4.563,1056,4.344,1076,4.145,1126,3.471,1156,4.267,1195,4.145,1196,3.246,1335,3.758,1616,4.405,1637,5.615,1700,5.244,1719,5.615,1752,4.747,1898,6.177,1899,5.615,1900,5.615,1901,5.244,1902,6.622,1903,6.177,1904,5.615,1905,6.177]],["t/2876",[1,0.801,2,1.275,3,2.957,5,2.771,20,1.379,29,3.59,66,1.519,69,3.439,71,2.374,74,1.337,76,1.452,79,1.534,114,1.225,119,2.374,125,2.342,134,2.406,139,4.509,162,1.301,180,2.59,228,2.227,272,4.487,275,2.822,285,3.89,299,4.185,325,3.405,326,3.222,345,1.51,347,1.912,350,3.641,368,4.131,369,1.971,377,1.741,392,2.283,482,2.312,511,1.875,708,2.771,709,2.722,894,2.936,902,1.681,967,4.727,976,5.981,990,3.641,1056,2.312,1108,3.22,1111,5.37,1113,5.665,1121,3.964,1126,2.078,1127,4.185,1154,5.517,1155,4.48,1157,4.185,1162,2.804,1356,3.964,1604,6.98,1605,3.964,1613,4.48,1616,5.024,1797,4.48,1875,4.48,1901,4.185,1906,4.48,1907,4.929,1908,4.929,1909,8.221,1910,7.045,1911,4.48,1912,4.48]],["t/2878",[0,1.412,1,0.792,2,0.871,20,1.276,25,1.05,66,1.592,74,1.305,76,1.418,78,3.7,85,2.349,89,1.474,90,2.809,99,3.052,114,1.543,118,4.647,131,2.229,140,1.715,156,1.67,157,2.452,162,0.889,165,1.065,173,0.86,186,2.029,194,1.965,200,2.318,212,2.382,218,1.763,229,1.573,236,2.417,238,1.813,275,2.756,296,4.784,297,3.143,326,2.201,342,2.452,345,1.474,368,1.831,392,2.229,482,2.257,537,2.658,723,4.213,771,5.321,883,4.374,884,2.569,902,2.362,990,3.555,1056,2.257,1119,3.143,1126,2.92,1162,2.767,1228,3.87,1233,3.325,1328,3.229,1361,3.87,1718,3.432,1753,4.086,1810,4.086,1811,3.432,1855,4.374,1857,6.294,1900,9.384,1901,7.532,1906,4.374,1913,4.812,1914,4.812,1915,4.812,1916,4.812,1917,4.812,1918,4.374,1919,4.812,1920,4.812,1921,6.925,1922,4.812,1923,4.812,1924,4.812,1925,4.812,1926,4.812,1927,4.812,1928,4.812,1929,4.812]],["t/2880",[0,1.731]],["t/2882",[0,1.728,1,0.884,1930,8.272]],["t/2884",[0,1.74,1,0.658,512,4.815,746,5.498,1931,7.372,1932,7.372,1933,7.372,1934,7.372]],["t/2886",[0,1.715,1,0.775]],["t/2888",[0,1.735,1,0.477,4,0.798,13,2.163,14,2.531,20,0.34,23,1.327,25,1.508,26,0.952,32,2.572,46,1.131,47,1.239,66,0.424,73,1.63,74,0.679,83,2.298,89,1.275,131,2.882,135,3.076,140,0.892,162,0.462,165,0.554,180,1.315,186,1.055,217,1.729,229,1.36,238,0.943,239,0.876,243,0.94,244,2.215,268,0.664,287,0.9,309,1.336,318,1.784,326,1.144,334,1.461,337,1.557,338,1.522,377,1.47,378,3.751,398,0.699,419,1.295,451,3.118,488,1.49,509,1.022,541,1.717,668,3.182,670,3.182,671,2.124,672,1.49,674,1.557,682,2.004,730,2.031,746,1.49,791,4.439,796,3.69,842,1.679,845,1.729,934,1.189,1179,1.784,1204,4.104,1301,1.848,1342,1.848,1358,2.852,1406,3.633,1578,1.522,1798,1.848,1935,4.161,1936,5.284,1937,4.783,1938,1.699,1939,3.533,1940,2.258,1941,2.124,1942,2.124,1943,2.124,1944,2.124,1945,2.124,1946,2.012,1947,2.124,1948,1.784,1949,2.124,1950,2.124,1951,2.274,1952,2.502,1953,1.735,1954,2.124,1955,2.274,1956,2.124,1957,2.274,1958,2.274,1959,2.274,1960,4.161,1961,2.502,1962,4.161,1963,4.161,1964,7.125,1965,2.274,1966,2.124,1967,2.502,1968,2.502,1969,2.502,1970,2.502,1971,4.855,1972,2.502,1973,2.502,1974,4.855,1975,2.502,1976,2.502,1977,2.124,1978,2.274]],["t/2890",[1,0.821,5,4.119,25,2.193,29,3.734,58,5.412,79,2.281,85,3.577,165,1.621,218,2.684,220,3.195,226,3.734,238,3.465,241,3.482,268,1.945,304,5.478,347,2.843,351,4.458,403,4.832,405,3.159,493,4.558,509,2.991,554,4.365,557,4.917,1056,4.714,1057,4.278,1061,4.558,1258,5.412,1490,5.062,1646,5.412,1897,5.631]],["t/2892",[2,1.786,60,4.25,94,5.859,114,1.716,194,3.354,218,3.614,238,3.096,241,3.904,268,2.18,357,3.252,524,5.111,557,6.62,999,6.313,1001,7.468,1126,3.464,1979,8.216]],["t/2894",[1,0.764,2,1.186,25,0.973,26,1.697,31,1.991,63,2.647,65,2.421,66,0.756,74,1.21,84,3.733,85,3.792,86,2.825,88,1.697,89,2.623,94,3.181,114,1.14,116,1.991,122,3.787,135,3.532,143,2.24,148,3.339,153,1.028,156,1.548,160,3.619,162,0.824,169,2.308,173,1.387,180,2.344,218,2.401,223,3.787,226,2.273,240,2.793,243,1.007,244,1.15,268,1.739,303,1.495,347,3.013,351,2.714,377,1.576,382,2.421,403,3.443,404,3.295,405,1.923,408,3.787,442,2.913,476,2.04,514,2.841,553,2.554,554,6.472,674,4.832,691,3.295,696,4.174,868,2.913,971,3.181,1056,2.092,1057,2.604,1064,3.081,1101,3.587,1112,3.114,1126,3.609,1134,4.174,1141,2.463,1148,3.428,1162,1.521,1193,1.562,1229,3.787,1234,5.563,1235,3.081,1239,2.993,1241,2.993,1317,3.787,1328,2.993,1340,2.604,1342,3.295,1391,4.054,1406,2.604,1418,1.508,1454,2.554,1490,3.081,1516,5.956,1639,3.787,1672,4.054,1715,4.054,1877,4.054,1980,4.46,1981,4.46,1982,4.054,1983,4.46,1984,1.968,1985,4.054,1986,3.787,1987,4.46,1988,3.787,1989,4.46,1990,4.054]],["t/2896",[0,1.441,1,0.791,2,1.025,13,2.897,20,0.768,25,2.08,30,8.092,63,2.287,65,3.073,66,1.315,114,0.985,134,2.764,148,2.885,154,2.69,162,1.045,182,2.413,220,2.469,240,2.413,268,2.06,287,2.792,303,1.898,307,3.789,357,3.772,433,5.786,463,6.543,476,2.589,509,4.211,746,5.948,884,3.023,902,1.931,913,3.911,945,2.241,1056,4.838,1115,4.182,1680,5.362,1807,4.182,1842,4.553,1848,7.056,1991,5.661,1992,5.661,1993,5.661,1994,5.661,1995,7.056]],["t/2898",[1,0.831,8,2.023,25,1.362,27,4.163,66,1.404,74,2.69,79,1.942,89,2.54,114,1.085,116,2.786,133,3.388,139,2.965,140,2.224,156,2.166,194,3.8,218,2.286,226,4.744,240,2.66,268,1.656,282,3.228,347,2.421,351,5.663,389,4.163,488,3.717,511,2.374,894,3.717,932,4.609,966,3.005,972,5.298,1005,4.45,1057,4.839,1126,2.631,1178,5.018,1239,6.655,1302,4.076,1454,3.573,1807,6.123,1854,5.298,1996,6.24,1997,5.298,1998,5.018,1999,5.672,2000,6.24,2001,6.24,2002,6.24,2003,6.24,2004,6.24]],["t/2900",[8,1.762,13,1.577,14,1.601,20,1.176,25,1.186,66,1.468,71,2.617,74,2.763,114,0.945,139,3.586,140,1.937,156,3.415,162,1.003,165,1.202,232,3.381,235,4.014,236,2.729,244,2.235,268,1.442,342,2.769,346,3.461,347,3.818,368,3.298,369,3.017,389,3.789,414,4.014,541,2.242,691,5.574,746,3.237,902,2.957,922,4.37,1005,3.875,1057,5.061,1064,3.754,1090,4.014,1101,4.37,1111,3.549,1120,4.37,1195,5.064,1239,6.285,1388,4.176,1454,3.112,1489,4.613,1558,6.069,1605,4.37,1607,5.213,1836,4.939,1977,4.613,1999,4.939,2005,5.434,2006,4.37,2007,7.36,2008,5.434,2009,7.546,2010,5.434,2011,5.434,2012,4.613,2013,4.939]],["t/2902",[1,0.816,74,2.479,156,3.172,894,5.444,1239,6.133]],["t/2904",[0,1.063,20,1.506,25,1.609,66,1.564,71,3.55,84,3.215,89,2.258,140,2.627,235,5.445,244,1.901,282,3.814,334,5.883,347,2.86,389,3.702,395,4.391,511,2.805,1005,6.583,1057,5.883,1060,4.303,1239,4.947,1728,6.701,2014,6.701,2015,7.372,2016,9.231,2017,7.372]],["t/2906",[20,1.543,74,2.712,153,1.468,156,2.917,165,1.409,243,1.439,244,2.425,282,3.296,328,3.107,334,6.232,347,3.26,389,3.199,392,2.95,410,3.665,892,4.543,898,3.719,1126,3.543,1239,6.311,1621,5.409,1646,4.706,1765,4.543,1985,7.639,2007,7.135,2014,7.639,2018,5.791,2019,6.371,2020,6.371,2021,7.639,2022,8.404,2023,8.404]],["t/2908",[2,1.55,114,1.489,162,1.581,222,5.592,268,2.272,303,2.87,342,4.363,346,5.454,357,3.389,966,4.123,1057,4.998,1171,6.579,1242,7.782,2024,8.562]],["t/2910",[0,0.878,1,0.82,2,1.101,20,1.332,25,2.006,26,2.315,27,4.931,63,2.458,76,1.793,139,4.666,165,1.803,182,3.475,194,3.752,200,2.93,268,1.615,303,2.733,336,5.47,357,3.638,368,3.101,369,2.433,382,3.303,387,3.484,389,3.056,476,2.783,804,2.169,945,2.408,1000,3.42,1005,4.339,1057,3.552,1126,3.437,1176,4.676,1239,4.083,1628,6.92,1663,3.785,1904,5.531,2006,4.893,2025,5.531,2026,9.819,2027,6.085,2028,6.085,2029,6.085,2030,6.085,2031,6.085,2032,6.085,2033,6.085]],["t/2912",[1,0.244,2,0.496,5,5.137,8,0.888,13,0.794,14,0.807,20,0.372,26,1.042,29,1.395,34,3.839,35,2.104,40,4.321,61,2.202,66,1.504,76,1.938,79,2.047,84,2.481,85,2.778,88,1.042,89,1.373,100,1.666,114,0.99,119,1.319,121,1.744,137,1.319,149,3.008,156,2.703,158,4.372,162,0.506,165,0.992,173,1.296,194,1.118,218,1.642,222,1.789,238,1.689,243,0.618,244,1.696,261,0.95,267,1.789,268,1.51,282,1.417,293,1.892,332,1.512,345,1.373,349,4.228,368,2.76,369,2.901,377,2.562,382,1.486,387,1.568,389,3.912,392,1.268,403,1.439,404,2.023,419,5.175,443,1.486,468,2.104,493,1.703,510,1.744,542,1.892,553,3.766,708,2.52,730,2.188,787,3.255,843,2.202,845,1.892,885,2.393,887,2.023,957,2.023,966,1.319,990,2.023,999,2.104,1045,3.717,1056,3.403,1097,1.953,1121,2.202,1126,3.284,1141,1.512,1179,1.953,1184,2.202,1195,1.837,1198,1.789,1201,2.202,1241,1.837,1328,4.413,1340,1.598,1356,2.202,1359,2.202,1559,2.202,1703,2.489,1735,2.325,1762,2.023,1783,2.489,1856,6.981,1858,1.953,1876,2.489,1895,9.614,2007,3.805,2034,2.738,2035,2.738,2036,2.738,2037,2.738,2038,2.738,2039,2.738,2040,2.738,2041,2.738,2042,2.738,2043,2.489,2044,2.738,2045,2.738,2046,5.69,2047,2.738,2048,2.738,2049,8.223,2050,7.789,2051,2.738,2052,2.325,2053,2.489,2054,2.738,2055,5.289,2056,7.254,2057,5.69,2058,6.576,2059,7.254,2060,6.576,2061,6.576,2062,5.69,2063,2.738,2064,2.738,2065,2.738,2066,2.489,2067,2.738,2068,2.489,2069,2.738,2070,2.738,2071,2.738]],["t/2914",[0,1.749,1,0.803,8,2.293]],["t/2916",[0,1.755,1,0.88,4,1.206,8,1.226,32,2.789,34,2.208,35,2.907,36,3.042,41,2.907,42,1.439,212,2.867,264,2.02,321,4,325,4,333,2.794,478,2.409,537,3.198,538,3.449,539,3.955,741,2.613,1804,3.042,1842,3.042,2072,3.783,2073,3.783,2074,3.783]],["t/2918",[0,0.928,1,0.955,2,0.939,3,2.861,14,0.967,21,2.712,22,1.466,32,1.581,36,2.641,41,2.523,50,2.203,60,1.699,63,2.598,66,1.555,72,4.034,73,2.033,74,2.49,76,1.528,89,2.964,133,1.783,135,1.355,140,1.17,148,1.673,153,1.196,154,2.465,156,2.535,162,1.187,165,2.253,169,1.699,173,0.927,174,1.813,193,2.568,212,2.568,218,3.243,230,2.425,237,4.172,238,1.955,240,1.4,246,2.425,249,3.317,250,3.08,264,4.247,268,0.871,269,2.342,273,2.523,303,1.101,321,2.268,325,4.442,343,2.268,345,1.006,360,1.783,387,3.682,399,2.342,403,1.725,441,2.268,472,2.145,478,4.096,479,3.227,509,1.341,537,2.865,538,3.09,539,3.614,646,2.641,730,4.128,741,3.584,796,2.268,801,2.788,804,1.17,889,2.342,890,2.043,894,1.956,922,2.641,940,5.337,1116,4.404,1185,4.586,1198,2.145,1330,2.641,1341,2.425,1411,2.523,1412,2.788,1414,2.985,1415,2.788,1435,1.649,1526,2.523,1566,2.985,1573,2.985,1623,2.641,1801,2.985,2075,3.284,2076,3.284,2077,3.284,2078,5.187,2079,3.284,2080,3.284,2081,3.284,2082,5.171,2083,5.187,2084,3.284,2085,3.284,2086,3.284,2087,3.284,2088,3.284,2089,3.284,2090,3.284,2091,3.284,2092,5.187,2093,2.985,2094,3.284,2095,3.284,2096,3.284,2097,3.284,2098,2.985,2099,3.284]],["t/2920",[1,0.691,8,2.511,238,3.587,241,3.681,261,2.688,268,2.526,303,3.455,304,4.614,379,5.351,439,6.23,476,3.543,503,7.612,509,3.162,707,3.005,966,3.73,973,6.23,996,5.351,1000,4.354,1632,5.722,1652,5.351,2100,7.746,2101,7.746]],["t/2922",[62,3.429,66,1.052,76,1.829,83,3.429,88,3.143,125,2.95,126,7.96,129,4.562,137,2.99,143,5.176,229,2.701,231,4.055,268,1.648,273,4.771,303,3.766,334,3.624,468,4.771,476,2.84,503,7.613,653,5.271,707,3.602,966,2.99,977,6.349,1052,3.955,1226,5.643,1241,4.166,1259,5.271,1330,4.993,1897,4.771,2102,6.209,2103,5.643,2104,8.404,2105,5.643,2106,5.643,2107,6.209,2108,6.209,2109,8.262,2110,5.643]],["t/2924",[0,0.848,49,3.84,66,1.53,83,3.247,88,3.03,125,4.601,129,4.398,137,2.831,143,2.952,153,1.355,169,4.673,229,2.953,273,6.941,303,1.971,353,2.625,379,3.305,382,4.324,439,4.728,448,5.344,476,2.689,493,3.658,503,6.672,504,4.992,707,3.09,977,6.121,1052,3.745,1606,4.992,1819,5.344,1918,5.344,2105,5.344,2106,5.344,2110,7.24,2111,11.381,2112,5.879,2113,5.879,2114,7.965,2115,5.879,2116,5.879,2117,5.879,2118,7.965,2119,5.344,2120,5.344,2121,4.992,2122,4.518,2123,5.879,2124,5.344]],["t/2926",[1,0.939,2,1.415,3,3.557,43,1.382,76,1.329,79,2.056,96,4.563,114,1.497,182,1.923,227,2.063,240,1.923,249,1.881,300,2.143,436,2.49,443,4.244,447,1.321,661,4.099,682,4.145,911,4.099,1112,3.139,1160,2.806,1170,4.201,1293,5.313,1435,3.317,1466,3.829,1559,3.627,1578,2.744,1590,3.216,1654,5.313,1690,5.775,1691,6.827,1692,4.564,1693,5.609,1697,3.627,1698,3.627,2125,3.627,2126,7.106,2127,3.829,2128,6.287,2129,6.287,2130,6.287,2131,6.287,2132,6.287,2133,7.698,2134,7.307,2135,8.286,2136,6.005,2137,7.823,2138,6.287,2139,6.287,2140,6.287,2141,4.51,2142,4.51,2143,4.099,2144,4.51]],["t/2928",[1,0.868,2,1.237,3,3.164,4,2.18,8,2.216,20,1.194,25,1.492,76,2.014,114,1.53,127,5.497,162,1.262,165,1.946,205,4.722,369,2.733,443,3.71,682,3.291,1112,3.248,1126,2.882,1143,2.111,1160,5.473,1170,3.337,1225,3.591,1435,3.432,1567,5.803,1590,6.274,1690,5.904,1740,6.761,1750,6.499,1811,6.274,1820,6.213,2145,6.835,2146,8.798,2147,8.798,2148,8.798,2149,6.835]],["t/2930",[0,0.924,1,0.753,3,2.303,8,2.734,14,2.485,25,1.398,26,3.208,38,2.46,66,1.085,79,1.993,131,2.966,153,1.944,162,1.182,227,2.929,240,3.595,309,3.419,318,4.567,345,1.962,346,4.079,349,3.476,360,3.476,363,2.7,554,3.815,682,3.084,1112,4.481,1122,2.893,1134,5.372,1143,1.978,1149,6.48,1170,3.126,1185,4.567,1193,2.242,1435,3.216,1490,4.424,1654,5.15,1750,4.73,1811,6.014,1862,5.821,1997,5.437,2150,6.404,2151,7.665,2152,8.433,2153,7.16,2154,6.404,2155,8.433,2156,7.16]],["t/2932",[1,0.727,2,1.101,3,2.188,4,1.94,20,1.106,28,2.783,66,1.663,70,5.166,83,3.36,111,3.974,116,2.716,118,4.083,119,2.93,123,3.012,162,1.124,218,2.229,244,1.569,264,4.352,285,3.36,309,3.249,332,3.36,379,3.42,389,3.056,405,2.623,550,3.876,658,4.676,682,2.93,694,4.083,804,2.169,943,3.876,1009,7.409,1086,4.083,1170,2.97,1196,3.197,1229,5.166,1345,5.531,1386,4.893,1578,5.974,1603,6.92,1690,5.47,1704,5.166,1740,7.063,2043,5.531,2151,7.409,2156,5.166,2157,6.085,2158,6.085,2159,6.085,2160,6.085,2161,6.085,2162,6.085,2163,6.085,2164,6.085,2165,6.085,2166,6.085,2167,6.085,2168,6.085]],["t/2934",[96,4.551,512,5.092,949,7.941,1123,6.619,1209,5.758,1210,5.758,1246,5.991,1247,7.086,1568,7.685,1658,7.086,1689,6.619,1691,6.815,1692,6.602,1695,7.059,1702,6.619,1911,7.086,2021,7.086,2169,7.796,2170,7.796,2171,7.796,2172,7.796,2173,7.796]],["t/2936",[1,0.952,2,1.808,3,3.592,79,2.61,282,4.338,300,3.985,447,1.677,682,4.038,1160,5.217,1170,4.094,1435,4.211,1590,5.98,1697,6.743]],["t/2938",[0,1.225,1,0.578,2,1.172,20,0.878,43,1.983,79,3.132,96,5.533,114,1.126,182,2.759,227,2.96,436,3.574,443,3.513,682,4.089,966,3.117,1076,4.343,1170,3.16,1293,5.205,1435,4.264,1690,5.698,1691,6.056,1692,4.471,1740,4.973,1743,5.205,1746,5.205,1750,6.272,1902,5.205,2125,6.829,2127,5.495,2128,5.205,2129,5.205,2130,5.205,2131,5.205,2132,5.205,2133,6.829,2134,5.495,2135,6.525,2136,5.883,2138,5.205,2139,5.205,2140,5.205,2174,5.883,2175,6.472,2176,5.883,2177,7.719,2178,5.883]],["t/2940",[0,1.242,1,0.855,2,1.197,3,2.378,20,0.897,43,2.026,79,3.158,96,5.591,114,1.15,182,2.819,227,3.024,436,3.652,682,3.184,1170,3.228,1293,5.318,1435,3.321,1654,5.318,1690,5.779,1691,6.141,1692,4.568,1693,5.614,1740,5.081,1743,5.318,1746,5.318,1750,6.361,1902,5.318,2125,5.318,2127,5.614,2128,5.318,2129,5.318,2130,5.318,2131,5.318,2132,5.318,2133,6.925,2134,5.614,2135,6.617,2138,5.318,2139,5.318,2140,5.318,2176,6.01,2177,7.828,2178,6.01]],["t/2942",[79,3.244,96,4.64,436,4.389,682,3.828,1435,3.991,1690,6.489,1691,6.896,1692,5.491,2125,6.392,2128,6.392,2129,6.392,2130,6.392,2131,6.392,2132,6.392,2133,7.776,2135,6.108,2137,7.225,2138,6.392,2139,6.392,2140,6.392]],["t/2944",[1,0.764,2,1.55,3,3.636,114,1.489,227,3.916,300,4.069,337,5.326,1170,4.18,1578,5.209,1697,6.885,1699,7.782,1700,7.269,1701,7.269]],["t/2946",[1,0.623,2,1.264,3,2.512,7,1.752,8,2.647,14,1.435,20,0.661,24,2.519,25,1.947,26,3.394,38,2.683,43,1.492,66,1.183,79,2.174,83,4.926,111,3.181,114,1.215,116,3.118,134,2.377,137,3.364,156,1.69,171,3.742,174,2.689,220,2.124,222,3.181,225,5.617,226,2.482,227,3.194,244,1.256,261,1.69,319,3.03,332,2.689,363,3.443,395,2.901,488,2.901,682,4.548,818,2.843,842,3.268,894,2.901,946,6.349,966,3.364,1045,3.181,1052,4.449,1112,2.314,1122,3.69,1143,1.504,1149,3.742,1170,2.377,1178,3.916,1180,3.916,1224,3.916,1361,3.916,1430,5.93,1454,2.789,1576,4.135,1578,5.427,1621,4.135,1690,3.268,1704,4.135,1752,5.367,1795,3.916,1802,3.181,1984,2.148,2156,5.93,2179,6.984,2180,4.87,2181,6.984,2182,4.87,2183,4.87,2184,6.984,2185,4.427,2186,3.742,2187,6.984,2188,4.87,2189,4.135,2190,4.87,2191,4.135,2192,4.427,2193,4.427]],["t/2948",[2,1.559,3,3.097,14,1.948,25,1.879,28,3.024,79,2.058,100,4.023,162,1.221,174,3.652,207,4.884,227,4.38,240,2.819,244,2.22,249,2.758,261,2.295,332,3.652,342,3.37,363,2.788,389,3.321,447,1.322,871,6.361,1112,4.092,1122,4.327,1139,5.318,1143,2.659,1158,5.318,1170,4.675,1359,5.318,1360,5.614,1382,6.01,1586,6.01,1701,5.614,1742,5.614,1750,4.884,1802,4.319,1902,5.318,2191,5.614,2192,6.01,2193,6.01,2194,6.612,2195,5.614,2196,6.612,2197,6.612]],["t/2950",[1,0.937,8,2.347,9,4.07,50,6.124,66,1.226,114,1.259,116,3.232,140,2.581,156,2.513,249,3.02,304,4.313,319,4.504,444,4.146,882,5.164,1063,5.002,1097,5.164,1137,6.581,1166,5.823,1180,5.823,1200,5.823,1327,6.581,1335,4.405,1632,7.383,1731,5.164,1807,5.348,1984,3.194,2185,6.581,2198,7.241,2199,7.241,2200,7.241,2201,5.564,2202,7.241,2203,7.241,2204,7.241]],["t/2952",[1,0.917,20,1.287,102,5.489,114,1.649,165,1.703,194,3.142,218,3.473,268,2.043,379,4.327,510,4.903,511,2.928,707,2.986,810,6.535,996,5.318,1633,6.535,2053,6.997,2205,7.697,2206,7.697,2207,10.276,2208,7.697,2209,7.697,2210,6.997,2211,7.697]],["t/2954",[1,0.866,20,1.086,43,2.451,79,2.49,114,1.392,139,3.802,165,1.77,182,3.411,194,3.266,220,3.489,227,3.659,379,4.497,482,3.753,898,4.67,996,5.527,1126,3.373,1632,5.909,1982,7.272,2210,7.272,2212,8,2213,8,2214,8,2215,8]],["t/2956",[1,0.866,27,4.017,40,4.765,66,1.355,114,1.689,171,8.032,194,3.963,349,4.343,383,3.853,707,3.104,868,6.341,898,4.67,1097,5.705,1161,6.434,2216,8,2217,8,2218,8,2219,8]],["t/2958",[0,1.741,1,0.83,43,2.286,1953,3.879,2121,6.335]],["t/2960",[0,1.688,1,0.487,2,1.573,46,4.608,47,5.177,60,2.824,63,2.205,66,0.925,73,2.139,76,1.608,90,5.073,95,2.782,99,2.989,133,2.963,137,2.629,153,1.258,154,2.594,169,2.824,173,1.352,194,3.09,212,2.702,218,2,228,2.466,238,2.057,268,1.449,303,1.83,305,2.099,324,3.186,345,2.319,377,3.315,537,3.014,538,3.251,539,3.068,668,3.251,670,3.251,682,3.645,866,4.032,895,4.961,896,4.961,897,4.961,916,4.194,943,3.477,1526,4.194,1954,4.634,2220,5.458,2221,5.458,2222,4.634,2223,5.458]],["t/2962",[1,0.84,21,2.329,25,1.659,38,2.92,46,4.824,47,5.433,60,3.933,64,4.528,76,2.24,84,3.315,85,3.711,86,3.277,88,2.892,99,3.237,125,3.612,345,2.329,388,4.729,395,4.528,451,4.437,868,4.965,869,6.909,870,6.113,1578,4.625]],["t/2964",[0,1.641]],["t/2966",[0,1.641]],["t/2969",[0,1.743,14,2.146,25,1.59,842,4.888,977,5.597,1406,4.252,2224,7.284,2225,7.284]],["t/2971",[0,1.751,1,0.882,9,2.526,33,2.526,42,1.709,43,1.377,298,3.319,554,5.884,674,4.853,696,4.197,959,3.453,1013,5.298,1988,3.815,1990,4.084,2226,4.493,2227,4.493,2228,4.493,2229,4.493,2230,4.493,2231,4.493,2232,7.801,2233,4.493]],["t/2973",[0,1.752,165,1.301,220,2.564,965,6.121,1802,5.203,2234,6.762,2235,5.883,2236,5.344,2237,4.728]],["t/2975",[0,1.753,1,0.822,8,1.694,2025,4.749,2238,5.225,2239,4.436,2240,5.225,2241,5.225,2242,5.225,2243,5.225,2244,5.225,2245,5.225,2246,5.225,2247,6.673,2248,5.225]],["t/2977",[0,1.748,1,0.635,965,5.466,1802,4.647,2236,6.466]],["t/2979",[73,3.198,89,2.5,178,5.638,349,5.334,360,5.334,458,4.764,541,3.367,668,4.861,670,4.861,672,4.861,674,5.077,682,3.93,1122,3.687,2235,6.028,2249,6.271,2250,7.418,2251,7.418,2252,7.418,2253,7.418]],["t/2981",[0,1.578,32,4.855,38,2.5,73,3.951,89,1.993,123,3.221,156,2.957,244,1.678,306,3.959,347,2.524,349,3.532,360,3.532,363,2.743,458,3.798,541,2.685,668,3.876,670,3.876,672,3.876,674,4.048,691,4.806,732,6.853,841,5.524,1306,5.233,1435,4.279,1802,6.207,2189,5.524,2234,7.235,2235,7.019,2249,5,2254,5.914,2255,5.914,2256,5.914,2257,5.914,2258,7.235,2259,5.914,2260,5.914,2261,5.914,2262,5.914]],["t/2983",[0,1.726,1,0.613,14,2.025,32,4.698,156,3.064,229,2.247,306,4.182,732,7.845,1344,4.276,2235,5.077,2237,8.564,2261,6.248,2262,6.248,2263,6.873,2264,6.873,2265,6.873]],["t/2985",[73,3.263,178,5.753,458,4.862,668,4.961,670,4.961,672,4.961,674,5.181,682,4.011,1122,3.763,2235,6.152,2237,7.998,2249,6.4,2250,7.57,2251,7.57,2252,7.57,2253,7.57,2258,7.07]],["t/2987",[0,1.572,32,4.252,38,2.64,73,4.034,89,2.106,123,3.403,244,1.772,347,2.667,363,2.898,458,4.012,541,2.836,668,4.094,670,4.094,672,4.094,674,4.276,691,5.077,841,5.835,1306,5.527,1435,4.434,1802,6.372,2189,5.835,2234,7.496,2235,7.206,2237,5.527,2249,5.282,2254,6.248,2255,6.248,2256,6.248,2257,6.248,2258,8.282,2259,6.248,2260,6.248]],["t/2990",[0,0.841,1,0.883,3,1.373,8,2.294,14,2.757,20,0.96,24,1.975,25,2.158,26,3.422,49,2.494,66,1.199,76,2.65,79,1.188,84,2.543,86,2.514,89,1.17,114,1.679,118,2.562,125,1.814,134,1.864,135,3.521,157,1.946,160,2.109,162,1.077,167,2.039,168,2.934,171,2.934,217,2.638,218,1.399,229,1.248,238,1.439,261,1.325,268,1.878,304,3.474,334,3.405,337,2.375,389,3.554,398,1.63,405,1.646,441,2.638,472,2.494,479,2.375,509,2.381,541,1.575,682,1.839,791,2.723,842,6.28,847,4.952,884,3.778,889,2.723,970,2.638,1059,1.864,1086,2.562,1108,2.494,1126,1.61,1148,2.934,1153,2.934,1154,2.562,1177,2.934,1186,3.471,1224,3.071,1231,2.274,1325,3.242,1328,2.562,1343,3.071,1344,2.375,1406,6.482,1408,3.471,1477,2.562,1588,2.934,1633,3.242,1646,2.82,1682,3.471,1718,6.882,1731,2.723,1772,4.482,1896,3.471,2104,3.242,2153,3.242,2266,3.818,2267,3.242,2268,3.071,2269,6.432,2270,3.818,2271,3.818,2272,3.818,2273,3.818,2274,3.818,2275,3.242,2276,3.818,2277,3.818,2278,3.471]],["t/2992",[14,2.185,21,2.272,25,2.206,32,3.572,74,2.012,76,2.185,79,2.309,114,1.29,134,3.621,160,4.096,162,1.369,186,3.127,218,3.394,268,1.968,732,5.964,1112,3.524,1126,3.907,1196,3.897,1203,6.297,1344,5.764,1406,5.899,1411,5.699,1589,6.741,2279,6.297,2280,7.867,2281,7.417,2282,7.417,2283,7.417]],["t/2994",[0,1.003,1,0.541,2,1.548,3,2.926,14,2.397,20,1.306,25,1.866,32,2.922,49,1.965,60,1.556,62,2.671,72,2.671,73,1.896,76,1.425,83,2.671,99,1.664,114,1.209,116,1.343,121,1.916,125,1.43,133,1.633,135,2.868,143,3.491,153,0.693,156,2.643,165,1.07,192,4.397,200,1.449,220,1.312,236,2.429,241,2.299,243,0.679,261,1.044,268,0.798,285,1.661,293,2.078,306,2.943,319,1.871,332,1.661,334,4.058,353,2.16,363,2.558,371,3.246,378,1.633,393,2.824,396,1.916,458,3.542,478,3.081,493,1.871,541,2.503,668,3.614,670,3.614,672,2.882,730,2.962,790,5.151,836,2.222,845,3.342,877,4.662,884,1.606,885,1.606,886,2.554,898,1.756,903,2.734,957,2.222,1052,3.865,1059,2.362,1080,3.89,1096,2.078,1126,1.268,1143,2.146,1169,2.554,1178,2.419,1185,2.145,1196,1.581,1199,2.554,1231,1.792,1330,3.89,1348,2.734,1406,6.349,1433,1.756,1557,2.554,1590,2.145,1643,2.734,1646,3.573,1718,7.925,1827,2.734,2006,5.59,2055,2.419,2082,5.59,2093,2.734,2153,4.107,2269,5.515,2284,3.008,2285,6.951,2286,6.067,2287,6.067,2288,4.838,2289,4.838,2290,4.838,2291,6.067,2292,4.838,2293,3.008,2294,3.008,2295,3.008,2296,3.008,2297,3.008,2298,3.008,2299,2.734,2300,3.008]],["t/2996",[1,0.954,2,1.258,20,0.943,28,3.179,38,3.768,66,1.178,68,6.343,74,1.886,93,5.135,114,1.209,123,3.441,140,2.478,154,4.661,162,1.811,193,3.441,220,3.031,273,5.342,274,5.59,332,3.839,444,3.981,445,5.59,451,4.058,476,3.179,511,2.645,746,4.141,1056,3.261,1112,3.303,1275,8.084,1406,4.058,1438,5.342,1680,4.802,1842,7.153,1966,5.902,1995,6.319]],["t/2998",[1,0.856,8,2.331,14,1.495,21,1.554,25,1.983,65,4.534,79,2.238,80,4.197,83,2.801,88,1.93,89,1.554,95,2.585,114,0.882,133,2.754,157,3.664,173,0.906,194,2.071,218,1.858,238,1.911,239,2.517,241,2.411,244,1.308,268,2.217,272,3.231,300,3.417,303,1.701,305,1.407,309,2.708,319,3.156,345,1.554,369,2.028,387,2.905,389,3.611,395,3.021,398,1.417,405,2.187,414,3.747,419,2.624,443,2.754,455,3.156,509,2.935,677,5.957,945,2.008,970,3.504,1112,2.411,1115,3.747,1134,3.231,1166,4.079,1183,4.079,1201,4.079,1228,4.079,1235,3.504,1331,4.079,1338,3.898,1340,2.961,1344,4.473,1358,2.708,1430,4.307,1431,4.611,1477,3.404,1578,3.086,1652,3.504,1691,3.617,1739,4.079,1937,3.898,1938,2.071,1953,4.001,1998,4.079,2068,4.611,2122,3.898,2301,4.611,2302,4.079,2303,4.307,2304,5.073,2305,6.536,2306,5.073,2307,5.073,2308,4.611,2309,5.073,2310,4.307,2311,4.079,2312,5.073,2313,5.073,2314,5.073,2315,4.611]],["t/3000",[43,2.66,79,2.703,268,2.304,300,4.127,309,4.637,338,5.283,389,4.361,393,5.069,1162,2.962,1652,5.999,2316,7.893,2317,8.684]],["t/3002",[1,0.631,4,2.868,79,2.202,89,2.755,156,2.454,162,1.306,165,1.989,173,1.263,180,3.716,202,4.62,243,1.597,303,3.015,309,3.776,337,4.4,338,6.015,342,3.604,392,3.275,398,1.976,1052,4.505,1064,4.886,1162,3.067,1766,6.429,1882,6.005,2055,5.688,2124,6.429,2318,7.073,2319,7.073,2320,8.993,2321,8.993,2322,7.073,2323,7.073,2324,7.073,2325,7.073,2326,7.073,2327,7.073]],["t/3004",[1,0.905,2,1.197,7,2.378,25,1.879,39,4.023,65,3.59,79,2.058,89,2.934,131,3.988,156,2.989,162,1.221,239,3.015,240,2.819,244,2.22,268,1.755,285,3.652,300,3.142,345,2.638,509,4.142,677,4.716,1056,4.492,1196,3.474,1204,5.081,1610,5.614,1652,4.568,1938,2.699,1940,2.899,1953,2.758,1956,5.614,1964,5.318,1998,5.318,2303,5.614,2310,5.614,2328,6.612,2329,6.01,2330,6.612,2331,5.614]],["t/3006",[0,1.264,1,0.418,2,0.523,5,0.92,8,0.53,13,2.165,14,2.419,20,0.222,23,0.921,25,1.022,46,1.305,66,0.657,73,3.893,76,0.851,79,0.509,83,0.904,89,1.189,116,1.732,126,1.316,135,1.601,137,1.391,153,0.894,156,0.568,162,0.534,173,0.693,174,0.904,180,0.86,193,1.43,222,1.887,229,0.945,239,1.639,240,0.698,241,1.844,244,1.645,247,1.721,268,0.767,300,1.373,303,0.969,305,0.801,308,1.322,309,0.874,319,1.018,343,3.235,345,1.435,353,2.09,354,1.316,377,0.578,419,1.495,443,0.888,458,3.724,509,3.046,511,0.623,524,1.018,541,3.193,560,4.256,668,5.218,670,5.777,671,1.389,672,5.01,677,1.167,682,1.869,730,2.61,791,3.34,796,2.681,913,2.681,934,0.778,943,1.84,958,1.13,966,0.788,986,1.894,1056,0.768,1057,0.955,1065,4.184,1095,3.598,1097,3.34,1112,0.778,1115,1.209,1144,1.389,1158,1.316,1176,2.22,1184,1.316,1204,2.22,1233,1.996,1235,1.996,1342,1.209,1344,1.018,1358,3.406,1413,1.389,1490,3.235,1529,2.324,1616,2.061,1632,2.134,1680,6.343,1795,2.324,1802,2.534,1882,1.389,1936,2.453,1937,5.217,1938,1.18,1939,1.389,1940,0.826,1953,2.981,1954,1.389,1955,1.487,1956,1.389,1957,1.487,1958,1.487,1959,1.487,1964,7.728,1971,6.172,1974,4.86,1977,1.389,1978,1.487,1986,2.453,2122,2.22,2126,5.367,2191,2.453,2195,1.389,2247,2.626,2249,2.22,2279,3.294,2280,2.453,2311,3.12,2329,3.527,2331,1.389,2332,1.636,2333,1.636,2334,1.636,2335,1.487,2336,1.487,2337,1.636,2338,4.683,2339,1.636,2340,4.683,2341,1.636,2342,2.889,2343,1.636,2344,2.889,2345,2.889,2346,3.527,2347,1.636,2348,3.527,2349,1.636,2350,3.527,2351,1.636,2352,4.683,2353,2.626,2354,1.636,2355,7.461,2356,4.683,2357,4.256,2358,5.904,2359,5.904,2360,4.683,2361,2.889,2362,6.172,2363,1.636,2364,2.889,2365,2.889,2366,2.626,2367,1.636,2368,1.636,2369,1.636,2370,1.636,2371,6.38,2372,2.889,2373,7.461,2374,3.88,2375,3.88,2376,3.88,2377,2.889,2378,1.636,2379,4.683,2380,6.38,2381,1.636,2382,1.636,2383,1.636,2384,1.487,2385,3.527,2386,3.527,2387,3.527,2388,3.527,2389,3.527]],["t/3008",[0,1.294,1,0.275,2,1.394,13,2.683,14,2.642,25,0.671,26,1.171,60,1.592,66,0.834,73,3.624,79,0.958,83,1.699,89,1.509,94,2.194,114,0.535,116,1.373,135,2.032,153,0.709,156,1.709,169,1.592,174,1.699,193,1.523,204,2.797,244,0.793,261,1.068,299,2.612,306,1.872,334,1.796,342,1.568,347,2.39,398,1.721,458,5.235,482,1.443,509,3.523,511,3.519,524,4.38,541,4.135,550,4.907,554,5.65,668,5.341,670,5.341,672,5.341,674,1.914,683,2.273,696,1.96,913,2.125,945,1.218,968,2.474,971,2.194,1056,4.048,1111,3.217,1126,1.297,1134,1.96,1149,5.411,1188,2.273,1233,2.125,1235,2.125,1342,2.273,1344,3.064,1358,1.643,1490,7.411,1529,2.474,1711,2.612,1737,4.477,1953,1.283,1966,2.612,1988,2.612,2311,7.211,2385,8.151,2386,2.797,2387,8.151,2388,2.797,2389,8.151,2390,4.926,2391,4.926,2392,5.599,2393,8.63,2394,3.077,2395,3.077,2396,3.077,2397,4.926,2398,4.926,2399,3.077,2400,3.077,2401,3.077]],["t/3010",[0,1.396,1,0.827,2,1.58,7,2.86,8,1.507,13,2.533,23,2.784,63,1.877,69,3.296,73,1.821,74,1.261,79,2.102,85,3.296,88,1.768,89,1.424,125,2.208,131,4.48,148,2.368,156,2.76,173,0.83,178,3.211,193,3.937,194,1.897,200,2.238,201,3.571,202,3.036,218,1.702,226,2.368,228,3.051,249,1.938,264,2.481,268,2.461,285,2.566,297,3.036,305,1.289,309,2.481,395,2.768,398,1.298,405,2.004,474,2.004,482,2.18,509,4.175,540,5.195,668,2.768,670,2.768,672,4.022,706,4.224,708,2.612,709,2.566,885,2.481,902,1.585,958,3.211,1193,1.627,1200,3.737,1358,2.481,1477,3.118,1680,3.211,1912,4.224,1940,2.495,1941,5.733,1942,5.733,1953,1.938,1998,3.737,2135,3.571,2195,3.946,2201,3.571,2402,3.946,2403,3.946,2404,4.224,2405,4.647,2406,4.647,2407,3.946,2408,3.036,2409,4.647,2410,4.647,2411,4.647,2412,4.647,2413,6.752,2414,6.752,2415,4.647]],["t/3012",[4,2.266,8,1.618,13,2.617,23,2.266,25,1.806,26,2.704,38,1.917,46,3.211,47,3.518,66,1.204,74,1.928,89,2.177,131,4.827,173,0.891,174,2.755,186,2.996,222,3.259,244,1.832,268,1.886,326,3.25,337,4.421,338,4.323,345,1.529,377,1.763,378,5.379,398,1.394,488,4.233,509,2.901,730,4.403,746,4.233,1112,2.371,1233,3.447,1235,3.447,1301,5.249,1578,4.323,1798,5.249,1936,4.236,1938,2.901,1939,4.236,1940,3.074,1941,6.033,1942,6.033,1943,6.033,1944,6.033,1945,6.033,1946,5.715,1947,6.033,1948,5.068,1949,6.033,1950,6.033,1951,6.459,2122,3.834,2302,4.013,2416,0.959,2417,4.99]],["t/3014",[0,1.566,1,0.241,4,2.297,5,2.492,7,0.972,13,2.372,20,0.602,23,0.862,24,1.398,25,1.23,26,1.028,27,1.357,31,2.517,38,1.703,39,2.697,42,1.028,43,1.999,48,1.059,51,2.995,63,1.091,66,0.458,71,1.301,74,2.099,78,1.849,79,0.841,81,2.304,85,1.319,89,0.828,92,2.517,99,2.813,114,1.346,116,1.206,167,1.443,172,1.933,176,3.694,177,1.996,179,2.293,185,2.187,186,3.037,199,2.889,239,1.974,244,0.697,322,1.319,334,1.577,337,1.681,338,1.644,345,0.828,359,1.867,363,1.139,368,1.028,370,1.301,371,1.813,372,1.927,385,1.996,398,1.239,474,1.165,511,1.687,694,1.813,707,1.048,787,2.195,792,1.609,934,1.284,937,2.663,945,1.069,986,2.164,1053,1.813,1073,2.294,1086,1.813,1088,2.845,1112,1.284,1122,1.221,1143,0.834,1160,1.681,1340,2.588,1858,1.927,1893,2.917,1938,1.103,1948,1.927,1953,1.849,2335,2.456,2336,2.456,2402,2.294,2403,2.294,2418,2.702,2419,2.294,2420,2.702,2421,1.42,2422,1.42,2423,2.226,2424,2.226,2425,2.702,2426,2.702,2427,1.42,2428,3.631,2429,1.42,2430,3.566,2431,2.702,2432,2.702,2433,1.42,2434,2.702,2435,1.42,2436,2.896,2437,1.42,2438,1.42,2439,5.538,2440,2.702,2441,1.42,2442,1.42,2443,2.329,2444,1.42,2445,2.329,2446,2.715,2447,2.702,2448,1.42,2449,1.42,2450,3.785,2451,1.42,2452,1.42,2453,1.42,2454,2.329,2455,1.42,2456,2.702,2457,2.702,2458,2.791,2459,2.702,2460,1.337,2461,1.42,2462,2.791,2463,4.433,2464,2.294,2465,2.702,2466,2.076,2467,2.702,2468,2.076,2469,2.076,2470,2.702,2471,2.702,2472,2.702,2473,2.702,2474,2.702,2475,2.702,2476,2.173,2477,2.702,2478,2.702,2479,2.294,2480,2.702,2481,2.294,2482,2.173,2483,2.702,2484,2.702,2485,2.294,2486,2.702,2487,2.294,2488,2.294,2489,2.294,2490,2.702,2491,2.702,2492,2.702,2493,2.702,2494,2.294,2495,3.764,2496,2.294,2497,2.294,2498,2.294,2499,2.294,2500,2.294,2501,2.702,2502,2.294,2503,4.433,2504,2.294,2505,2.456,2506,2.702,2507,2.702,2508,2.294,2509,2.294,2510,2.294,2511,3.764,2512,2.294,2513,4.433,2514,2.294]],["t/3016",[1,0.873,25,1.769,65,4.401,76,2.388,83,4.477,89,2.484,143,4.071,180,4.26,231,5.295,305,2.714,369,3.241,507,6.519,902,2.765,1154,5.44,1337,5.043,1405,7.369,1764,7.369,1897,6.229,2308,7.369,2515,8.107]],["t/3018",[1,0.603,2,1.223,13,1.961,23,2.156,25,1.906,66,1.145,118,4.535,125,3.212,140,2.409,148,3.444,153,1.558,156,3.031,165,1.932,169,3.497,233,5.436,243,1.526,261,3.031,305,2.422,345,2.071,378,3.669,379,3.799,398,1.888,405,2.914,419,4.519,474,3.766,508,6.021,509,2.759,541,3.993,885,3.609,1204,5.194,1233,4.669,1798,6.452,1938,3.951,2416,1.299,2516,7.94,2517,4.026,2518,6.759]],["t/3020",[1,0.566,2,1.147,13,1.839,14,1.867,23,2.021,25,2.178,66,1.074,114,1.102,117,3.7,124,5.381,138,5.381,148,3.23,153,1.461,162,1.17,165,2.075,239,3.284,243,1.431,244,2.748,261,2.199,305,2.323,309,3.384,345,1.942,378,3.44,398,1.771,405,2.732,419,4.333,474,3.611,482,4.4,508,3.943,509,3.419,682,3.052,1000,3.563,1145,5.761,1202,2.829,1477,4.253,1772,4.87,1937,6.436,1938,3.419,2052,5.381,2416,1.218,2517,3.775,2519,5.761,2520,6.338,2521,6.338]],["t/3022",[1,0.59,2,1.559,7,2.378,8,2.792,13,1.919,14,2.537,23,2.109,70,5.614,88,2.516,131,3.988,148,3.37,153,1.524,157,3.37,165,2.119,181,4.716,194,3.516,231,4.319,239,2.315,243,1.493,261,2.295,305,1.834,345,2.638,360,4.675,378,3.59,398,1.848,405,2.851,474,4.129,707,2.565,893,5.081,947,4.716,954,5.318,1112,3.142,1404,6.01,1641,6.01,1731,4.716,1790,6.01,1940,2.899,2416,1.271,2517,3.939,2522,6.612,2523,6.612,2524,6.612]],["t/3024",[1,0.631,2,1.28,13,2.052,23,2.256,54,7.635,62,3.906,79,2.202,131,4.579,148,3.604,153,1.63,157,3.604,165,1.989,219,4.62,243,1.597,261,3.121,283,4.886,305,1.961,378,3.839,398,1.976,405,3.049,462,5.688,474,4.263,653,6.005,880,5.435,1300,5.688,1310,7.951,1762,5.224,1940,2.57,2416,1.359,2517,4.213,2525,6.429,2526,6.005,2527,6.005,2528,7.073]],["t/3026",[1,0.575,2,1.165,8,2.087,13,1.868,23,2.053,60,3.331,64,3.835,66,1.091,80,3.758,96,4.94,123,4.189,131,4.958,140,2.295,148,3.281,153,1.95,157,3.281,165,1.872,173,1.794,243,1.454,261,2.937,271,6.035,283,4.448,293,4.448,305,1.785,353,2.874,378,3.495,398,1.799,405,2.776,474,4.075,821,4.591,1663,4.005,1679,5.177,1694,5.177,1695,4.755,1698,5.177,1940,1.84,2201,4.947,2416,1.237,2517,3.835,2526,5.466,2527,5.466,2529,5.852,2530,5.177,2531,5.852,2532,5.852]],["t/3028",[1,0.578,2,1.172,8,2.098,13,1.878,23,2.064,60,3.348,64,3.855,66,1.096,80,3.778,96,3.778,123,4.204,131,4.966,140,2.307,148,3.298,153,1.492,157,3.298,165,1.879,173,1.797,243,1.461,261,2.947,271,6.056,283,4.471,293,4.471,305,1.795,353,2.889,378,3.513,398,1.808,405,2.79,474,4.086,821,6.056,1663,4.026,1679,5.205,1694,5.205,1695,4.781,1698,5.205,1940,1.85,2201,4.973,2416,1.244,2517,3.855,2526,5.495,2527,5.495,2530,5.205,2531,5.883,2532,5.883,2533,5.883]],["t/3030",[1,0.522,2,1.631,7,2.855,13,1.698,23,1.866,74,1.587,89,2.432,114,1.018,123,2.897,134,2.856,148,2.982,153,1.349,157,4.592,165,2.235,178,6.676,241,2.781,243,1.321,261,2.031,305,1.623,326,3.631,378,3.176,396,3.727,398,1.635,405,2.523,474,3.885,488,4.729,497,5.318,511,2.226,682,3.823,683,7.138,881,6.924,882,4.173,885,3.124,938,5.318,953,4.496,989,4.968,1074,7.138,1208,5.318,1706,4.968,1802,3.822,2052,4.968,2404,5.318,2416,1.124,2517,3.485,2534,5.851,2535,5.318,2536,8.19,2537,5.851,2538,5.851,2539,4.968,2540,5.318,2541,5.318]],["t/3032",[1,0.587,2,1.19,13,1.908,23,2.737,42,3.634,43,2.015,52,5.009,62,4.739,66,1.454,74,2.849,115,4.544,119,3.167,148,3.351,153,1.978,165,1.455,178,4.544,181,4.69,186,4.428,187,4.544,239,2.303,243,1.485,261,2.282,305,1.824,322,3.211,345,2.015,378,3.57,398,1.838,405,2.835,451,3.839,474,4.118,481,4.544,511,2.502,730,3.211,945,2.603,980,4.091,1411,5.054,2416,1.264,2517,3.917,2542,7.8]],["t/3034",[1,0.65,7,2.62,8,2.361,43,2.231,46,4.139,47,5.206,66,1.234,99,2.506,100,4.431,140,3.265,157,3.712,165,1.611,194,2.973,243,1.645,261,2.528,268,1.933,297,4.758,377,2.573,405,3.95,474,3.14,508,5.699,866,6.767,884,3.889,965,5.597,1122,3.291,1126,3.071,1224,5.858,2407,6.184,2517,4.339,2543,7.284,2544,7.284]],["t/3036",[1,0.818,43,2.231,46,4.139,47,5.365,52,4.252,66,1.552,140,2.596,157,5.107,165,1.611,194,3.74,231,4.758,238,2.745,247,4.339,261,3.179,268,2.66,305,2.02,405,3.95,884,3.889,1231,4.339,1652,5.032,2222,6.184,2416,1.4,2517,4.339,2545,6.621,2546,6.621]],["t/3038",[1,0.569,2,1.153,13,1.848,14,2.771,23,2.032,62,3.518,117,3.719,140,2.995,148,3.246,153,1.468,157,4.283,165,1.859,231,4.161,235,4.706,243,1.898,244,2.167,261,2.917,297,4.161,305,1.767,378,3.458,398,1.78,405,2.747,444,3.648,474,4.054,682,4.047,804,2.271,893,4.895,1043,5.791,1141,3.518,1231,3.795,1432,5.123,1435,3.199,1602,8.548,1603,7.984,1762,4.706,1798,6.208,1946,5.123,2416,1.224,2517,3.795,2530,5.123,2547,7.639,2548,6.371,2549,6.371,2550,6.371,2551,6.371,2552,6.371]],["t/3040",[14,2.373,25,2.127,131,3.73,156,2.795,261,2.795,305,2.233,405,3.472,481,5.563,482,3.777,509,3.288,1231,4.797,1557,8.275,1940,2.301,2201,6.188,2402,6.837,2403,6.837,2416,1.547,2517,4.797,2553,7.32,2554,8.053,2555,8.053]],["t/3042",[1,0.563,2,1.141,4,2.662,13,1.829,23,2.011,26,3.175,60,3.262,65,3.423,79,1.963,134,4.568,148,3.213,153,1.453,165,1.395,238,2.376,243,1.424,244,2.412,261,2.897,268,2.643,274,5.07,275,3.61,305,1.749,378,3.423,398,1.762,405,2.718,474,4.034,488,3.756,730,3.078,746,6.34,804,2.247,885,3.366,909,5.353,976,5.353,1005,4.496,1048,5.731,1056,4.389,1063,4.356,1258,4.657,1358,3.366,1432,5.07,1578,3.836,1680,4.356,1722,5.731,2416,1.211,2517,3.756,2556,6.305,2557,6.305]],["t/3044",[1,0.525,7,2.115,8,2.582,13,2.621,14,1.732,20,0.798,25,1.283,42,2.237,60,3.042,65,3.192,66,1.349,74,3.017,79,1.83,89,3.196,114,1.023,121,5.073,156,2.04,186,4.689,194,3.252,244,2.329,261,2.04,268,1.56,305,1.631,405,2.535,482,2.758,541,3.286,893,4.518,902,2.005,966,2.831,1065,2.996,1121,6.405,1170,2.87,1193,2.789,1616,4.193,1624,4.992,1628,4.992,2006,6.405,2066,5.344,2416,1.13,2419,6.762,2517,3.502,2558,5.879,2559,5.344]],["t/3046",[1,0.723,8,2.628,76,2.388,91,6.229,114,1.702,119,3.904,236,4.071,268,2.151,506,2.864,677,6.979,890,6.088,902,2.765,1953,4.081,2268,6.519,2310,6.882,2560,8.107,2561,8.107,2562,8.107]],["t/3048",[0,1.185,1,0.733,2,1.487,3,2.955,20,1.339,62,4.537,65,4.46,66,1.392,95,4.187,135,3.39,154,3.904,218,3.614,282,4.25,387,4.705,1406,6.172,1765,5.859]],["t/3050",[0,0.744,1,0.649,7,1.855,8,2.733,14,1.52,22,2.303,25,1.126,55,4.148,66,0.874,71,2.484,74,1.399,76,1.52,84,2.249,86,2.224,89,1.58,117,3.011,125,2.451,134,2.518,135,4.133,140,2.593,143,4.848,153,1.189,154,2.451,168,3.964,218,1.89,220,2.249,240,2.199,249,2.151,261,1.79,293,3.564,337,3.209,342,2.629,405,2.224,441,3.564,479,3.209,493,3.209,509,2.106,796,6.325,885,3.885,902,1.759,970,3.564,1063,5.027,1154,4.882,1177,3.964,1185,6.012,1196,2.71,1202,3.248,1325,4.379,1344,3.209,1376,4.689,1406,5.636,1588,3.964,1607,3.564,1632,3.81,1646,3.81,1718,3.679,1739,4.148,1762,5.374,1824,4.689,1834,4.689,2082,8.455,2103,4.689,2104,6.177,2119,4.689,2278,4.689,2302,5.851,2539,4.379,2563,7.276,2564,5.158,2565,5.158,2566,5.158]],["t/3052",[0,1.392,1,0.6,21,2.059,66,1.139,72,3.712,76,1.98,89,2.059,135,4.212,153,1.549,154,3.194,162,1.607,191,5.685,212,4.778,218,2.462,236,3.375,303,2.253,537,5.33,538,5.75,539,5.426,796,4.644,836,4.965,966,3.237,1185,4.794,1193,3.047,1233,6.013,1235,4.644,1406,5.96,2082,7.763,2098,6.11,2567,6.722,2568,6.722]],["t/3054",[1,0.972,65,4.372,68,5.743,109,5.743,125,3.827,135,3.323,143,4.044,150,3.395,271,5.743,387,6.237,889,5.743,940,6.54,1406,4.701,1438,6.188,1765,6.951]],["t/3056",[1,0.967,2,1.658,3,3.783,65,5.709,69,4.472,74,2.485,137,3.508,154,3.461,218,2.668,228,5.177,264,4.892,540,6.87,741,6.329]],["t/3058",[0,1.751,1,0.727,5,2.727,25,1.52,28,2.219,29,2.472,74,1.316,194,1.98,226,2.472,240,2.068,346,3.09,349,2.633,351,2.951,553,2.778,554,4.148,557,3.255,694,3.255,746,2.889,937,1.794,1011,3.168,1032,3.901,1122,2.192,1490,3.351,1997,4.118,2569,3.168,2570,4.851,2571,4.851,2572,4.851]],["t/3060",[0,1.736,1,0.843,8,3.062,96,4.465,436,4.224,2392,6.953]],["t/3062",[0,1.641]],["t/3065",[1,0.91,8,2.624,21,1.844,22,1.777,25,2.184,50,2.671,65,2.161,66,1.02,79,1.239,83,4.009,84,1.736,85,1.943,88,1.514,114,1.512,117,2.323,143,3.023,156,1.381,162,0.735,180,2.091,186,1.678,187,2.75,194,2.457,218,2.205,229,1.301,239,2.833,240,1.697,252,3.201,261,1.381,264,2.125,265,3.058,267,2.6,268,1.597,300,2.86,305,1.669,309,2.125,342,2.028,403,2.091,405,1.716,447,0.796,455,2.476,488,2.371,677,7.137,890,5.906,902,2.76,925,3.058,940,2.671,1053,2.671,1141,2.198,1148,3.058,1166,3.201,1177,4.625,1193,2.107,1203,3.379,1331,3.201,1332,3.201,1338,3.058,1386,4.841,1435,4.591,1454,2.279,1466,3.379,1588,3.058,1590,2.838,1652,2.75,1707,3.618,1739,3.201,1807,2.94,1897,3.058,1940,2.484,1953,3.959,1984,2.655,2013,3.618,2055,3.201,2120,3.618,2121,5.11,2122,3.058,2143,3.618,2299,6.598,2301,3.618,2302,6.989,2303,3.379,2416,1.157,2573,3.98,2574,3.98,2575,3.98,2576,3.98,2577,3.98,2578,3.98,2579,3.98,2580,3.98,2581,3.98,2582,3.98,2583,3.98,2584,3.98,2585,3.98,2586,3.98,2587,3.98,2588,3.98]],["t/3069",[14,2.454,20,1.13,21,2.551,25,1.818,150,3.511,153,1.92,162,1.538,173,1.488,398,2.327,447,1.665,804,2.968,1085,4.862,1143,2.572,1440,4.682,1984,3.674,2416,1.6,2589,3.296,2590,3.809]],["t/3071",[14,2.454,20,1.13,21,2.551,25,1.818,150,3.511,153,1.92,162,1.538,173,1.488,398,2.327,447,1.665,804,2.968,1143,2.572,1984,3.674,2416,1.6,2589,3.296,2590,3.809,2591,4.862,2592,4.961]],["t/3073",[14,2.437,20,1.122,21,2.534,25,2.162,150,3.487,153,1.907,162,1.527,173,1.477,398,2.311,447,1.654,804,2.948,1085,4.829,1143,2.554,1440,4.65,1984,3.649,2416,1.589,2589,3.274,2593,5.55]],["t/3075",[14,2.437,20,1.122,21,2.534,25,2.162,150,3.487,153,1.907,162,1.527,173,1.477,398,2.311,447,1.654,804,2.948,1143,2.554,1984,3.649,2416,1.589,2589,3.274,2591,4.829,2592,4.927,2593,5.55]],["t/3077",[14,2.454,20,1.13,21,2.551,25,1.818,150,3.511,153,1.92,162,1.538,173,1.488,398,2.327,447,1.665,804,2.968,1085,4.862,1143,2.572,1440,4.682,1984,3.674,2416,1.6,2589,3.296,2594,6.697]],["t/3079",[14,2.454,20,1.13,21,2.551,25,1.818,150,3.511,153,1.92,162,1.538,173,1.488,398,2.327,447,1.665,804,2.968,1143,2.572,1984,3.674,2416,1.6,2589,3.296,2591,4.862,2592,4.961,2594,6.697]],["t/3081",[14,2.471,20,1.138,21,2.569,25,1.83,150,3.535,153,1.933,162,1.548,173,1.498,398,2.343,447,1.677,804,2.989,1085,4.895,1143,2.589,1440,4.714,1984,3.699,2416,1.611,2595,5.627]],["t/3083",[14,2.471,20,1.138,21,2.569,25,1.83,150,3.535,153,1.933,162,1.548,173,1.498,398,2.343,447,1.677,804,2.989,1143,2.589,1984,3.699,2416,1.611,2591,4.895,2592,4.995,2595,5.627]],["t/3085",[14,2.471,20,1.138,21,2.569,25,1.83,150,3.535,153,1.933,162,1.548,173,1.498,398,2.343,447,1.677,804,2.989,1085,4.895,1143,2.589,1440,4.714,1984,3.699,2416,1.611,2596,7.622]],["t/3087",[14,2.471,20,1.138,21,2.569,25,1.83,150,3.535,153,1.933,162,1.548,173,1.498,398,2.343,447,1.677,804,2.989,1143,2.589,1984,3.699,2416,1.611,2591,4.895,2592,4.995,2596,7.622]],["t/3089",[0,1.587,1,0.558,2,0.57,13,0.913,20,0.427,21,1.537,23,1.004,26,1.198,43,2.855,51,3.041,66,0.533,78,2.092,79,1.562,81,1.772,99,1.726,114,0.548,119,1.516,123,3.096,148,1.604,151,1.738,153,0.726,154,2.384,162,1.317,165,0.696,173,1.615,193,2.483,199,3.375,200,1.516,239,2.498,243,0.711,245,3.052,247,1.875,260,1.756,261,1.093,287,3.789,305,1.734,307,1.537,308,1.44,316,1.738,327,2.056,328,1.855,353,2.239,398,0.88,410,1.373,436,3.94,447,1.003,467,4.754,474,1.357,506,1.112,566,2.419,731,1.946,733,1.946,804,1.122,832,2.929,898,1.838,937,1.855,980,1.958,1026,1.958,1028,1.958,1049,2.82,1065,2.556,1141,2.77,1339,3.891,1433,1.838,1440,1.77,1630,1.738,1940,1.434,2408,5.089,2416,0.605,2436,3.277,2569,2.056,2597,2.325,2598,2.861,2599,3.366,2600,2.112,2601,2.112,2602,3.366,2603,6.656,2604,2.112,2605,2.112,2606,2.006,2607,1.958,2608,1.958,2609,4.197,2610,1.604,2611,2.112,2612,1.259,2613,1.272,2614,3.366,2615,4.787,2616,5.844,2617,3.366,2618,3.366,2619,3.366,2620,3.366,2621,3.366,2622,3.366,2623,3.366,2624,3.366,2625,2.112,2626,2.112,2627,3.366,2628,2.112,2629,1.77]],["t/3091",[0,1.097,2,1.376,20,1.031,21,2.882,43,3.271,123,5.059,148,3.874,153,1.752,162,1.404,193,4.658,247,4.528,287,2.734,305,2.108,327,4.965,398,2.124,447,1.52,474,3.277,566,5.841,804,2.709,1984,3.353,2416,1.461,2591,4.437,2597,5.615,2598,6.909,2630,7.602]],["t/3093",[14,2.471,20,1.138,21,2.569,25,1.83,150,3.535,153,1.933,162,1.548,173,1.498,398,2.343,447,1.677,804,2.989,1084,6.444,1143,2.589,1440,4.714,1984,3.699,2416,1.611,2631,6.743]],["t/3095",[14,2.185,20,1.006,21,2.272,25,1.619,150,3.127,153,1.709,162,1.369,173,1.325,243,1.675,260,2.597,305,2.057,398,2.072,410,4.041,447,1.853,506,2.62,804,2.643,832,4.33,1143,2.29,1435,3.724,1630,4.096,1940,2.119,2416,1.425,2591,4.33,2592,6.305,2610,3.779,2629,4.169,2631,7.452,2632,7.417,2633,5.124,2634,5.289]],["t/3097",[14,2.133,20,0.982,21,2.218,24,3.746,25,1.58,84,3.157,150,3.053,153,1.669,162,1.337,173,1.293,243,1.635,260,2.535,305,2.008,398,2.023,410,3.98,447,1.825,506,3.224,804,2.581,832,4.227,1085,5.835,1143,2.236,1358,3.866,1435,3.636,1440,4.07,1477,6.124,1940,2.069,2416,1.391,2610,3.69,2629,4.07,2633,5.002,2635,8.296,2636,6.581,2637,6.581]],["t/3099",[14,2.199,20,1.012,21,2.286,24,3.86,25,1.629,150,3.146,153,1.72,162,1.378,173,1.333,243,1.685,260,2.613,305,2.069,398,2.085,410,4.056,447,1.86,506,2.636,804,2.66,832,4.356,945,2.953,1143,2.304,1435,3.747,1940,2.132,2416,1.434,2591,4.356,2592,6.036,2610,3.803,2629,4.195,2633,5.155,2634,5.322,2635,8.454]],["t/3101",[14,2.133,20,0.982,21,2.218,25,1.58,84,3.157,150,3.053,153,1.669,162,1.337,173,1.293,243,1.635,260,2.535,305,2.008,398,2.023,410,3.98,447,1.825,506,3.224,804,2.581,832,4.227,1085,5.835,1143,2.236,1358,3.866,1435,3.636,1440,4.07,1477,6.124,1940,2.069,2416,1.391,2610,3.69,2629,4.07,2633,5.002,2636,6.581,2637,6.581,2638,6.581,2639,9.127]],["t/3103",[14,2.268,20,1.044,21,2.358,25,1.68,150,3.245,153,1.774,162,1.421,173,1.375,175,5.686,243,1.738,260,2.695,305,2.135,398,2.151,410,3.357,447,1.896,506,2.719,804,2.744,1143,2.377,1630,4.251,1940,2.2,2416,1.479,2591,4.493,2592,6.388,2610,3.923,2634,5.489,2638,6.997]],["t/3105",[0,0.824,14,1.684,20,0.775,21,1.751,25,1.247,150,2.409,153,1.317,162,1.055,173,1.021,175,4.221,243,1.29,260,2.001,305,1.585,398,1.597,410,2.492,447,1.562,506,2.018,804,2.037,945,2.262,1143,1.765,1940,1.633,2012,4.851,2416,1.098,2591,3.336,2592,7.201,2610,2.912,2634,4.075,2640,4.851,2641,5.714,2642,5.714]],["t/3107",[14,2.373,20,1.093,21,2.467,25,1.758,150,3.395,153,1.856,162,1.487,173,1.438,229,2.633,398,2.25,410,3.512,447,1.611,804,2.87,845,5.563,1085,4.701,1143,2.487,1440,4.527,1940,2.301,2416,1.547,2610,4.104,2640,6.837,2643,8.053,2644,8.053]],["t/3109",[14,2.373,20,1.093,21,2.467,25,1.758,150,3.395,153,1.856,162,1.487,173,1.438,229,2.633,398,2.25,410,3.512,447,1.611,804,2.87,845,5.563,1084,6.188,1143,2.487,1440,4.527,1940,2.301,2416,1.547,2610,4.104,2640,6.837,2645,8.053,2646,8.053]],["t/3112",[0,1.454,1,0.658,2,1.334,7,2.651,13,2.139,20,1,23,2.351,25,1.609,78,3.074,162,1.361,165,1.631,173,1.317,229,2.41,244,1.901,287,3.32,328,2.726,398,2.06,447,1.474,731,2.86,733,2.86,1143,2.276,1162,2.514,1193,2.581,1418,2.493,1940,2.107,2416,1.416,2423,4.635,2424,3.702,2589,2.918,2590,3.372,2606,2.948,2612,2.948,2613,2.978]],["t/3114",[0,1.495,2,0.72,7,1.432,15,5.776,20,0.54,25,0.869,28,2.753,42,2.29,76,1.173,78,2.51,88,1.514,167,5.343,173,1.075,243,0.899,244,1.026,260,1.393,268,1.056,287,2.611,305,1.104,307,1.943,308,4.342,322,1.943,332,2.198,353,4.238,369,3.796,410,1.736,447,1.204,476,1.82,506,1.406,541,3.917,650,2.94,696,6.047,736,7.013,945,1.575,1096,2.75,1143,1.229,1162,1.357,1193,1.393,1418,1.346,1940,1.137,2416,0.765,2589,1.575,2590,1.82,2597,2.94,2647,3.379,2648,3.618,2649,2.94,2650,3.201,2651,3.201,2652,3.201,2653,3.201,2654,3.201,2655,7.862,2656,3.201,2657,3.201,2658,3.201,2659,6.508,2660,7.635,2661,7.635,2662,7.635,2663,7.635,2664,3.201,2665,3.201,2666,3.201,2667,3.201,2668,3.201,2669,3.201,2670,3.201,2671,3.201,2672,4.841,2673,3.201,2674,3.201,2675,3.201,2676,3.201,2677,3.201,2678,3.201]],["t/3116",[0,1.516,2,0.723,7,1.436,15,5.782,20,0.542,25,0.871,28,2.76,167,5.348,173,0.713,243,0.902,244,1.03,260,1.398,287,2.616,305,1.107,307,1.949,308,4.347,332,2.205,345,2.228,353,4.243,369,3.8,410,1.741,419,3.763,447,1.207,476,1.826,506,1.411,541,3.921,650,2.95,696,6.054,736,7.02,945,2.388,1143,1.233,1193,1.398,1418,1.35,1938,2.969,1940,1.141,2416,0.767,2589,1.58,2590,1.826,2597,2.95,2649,2.95,2650,3.211,2651,3.211,2652,3.211,2653,3.211,2654,3.211,2655,7.87,2656,3.211,2657,3.211,2658,3.211,2659,6.519,2660,7.643,2661,7.643,2662,7.643,2663,7.643,2664,3.211,2665,3.211,2666,3.211,2667,3.211,2668,3.211,2669,3.211,2670,3.211,2671,3.211,2672,4.853,2673,3.211,2674,3.211,2675,3.211,2676,3.211,2677,3.211,2678,3.211,2679,3.993]],["t/3118",[2,1.507,4,2.656,7,2.995,20,1.13,25,1.818,173,1.488,244,2.147,447,1.665,476,3.809,514,5.305,1143,2.572,1162,2.84,1193,2.916,1418,2.816,1984,3.674,2416,1.6,2589,3.296,2590,3.809]],["t/3120",[0,1.17,1,0.478,2,0.619,4,3.182,7,1.927,8,1.109,13,2.497,20,0.727,23,2.106,25,0.747,31,2.948,43,2.289,48,3.179,51,3.655,74,2.201,76,1.008,78,2.235,81,1.893,88,1.302,92,1.528,99,3.094,114,0.595,162,0.632,165,1.185,172,2.337,173,1.18,176,3.376,179,2.772,185,1.328,186,2.784,199,2.789,220,1.492,239,1.198,243,0.773,244,0.882,260,1.198,266,1.694,275,1.959,287,1.927,305,0.949,326,1.565,328,1.265,345,1.642,347,1.328,368,1.302,369,1.368,370,2.58,377,1.209,383,1.648,398,0.956,447,1.072,506,1.209,511,2.039,707,1.328,731,1.328,733,1.328,787,2.653,934,1.626,937,2.442,945,2.121,986,2.616,1058,1.718,1059,2.616,1088,1.492,1099,1.77,1122,1.546,1143,1.057,1162,1.167,1193,1.198,1202,1.528,1312,1.585,1418,1.157,1893,3.417,1938,1.397,1940,0.978,1953,1.427,2416,0.658,2421,1.798,2422,1.798,2423,1.718,2424,1.718,2427,1.798,2428,1.605,2429,1.798,2430,3.269,2433,1.798,2435,1.798,2437,1.798,2438,1.798,2441,1.798,2442,1.798,2443,2.815,2444,1.798,2445,2.815,2446,1.648,2448,1.798,2449,1.798,2450,4.263,2451,1.798,2452,1.798,2453,1.798,2454,2.815,2455,1.798,2458,2.653,2460,1.694,2461,1.798,2462,2.653,2589,1.354,2590,1.565,2606,1.368,2612,1.368,2613,1.382,2680,3.422,2681,3.422,2682,1.626,2683,1.67,2684,1.626,2685,1.626,2686,1.626,2687,1.626,2688,1.626,2689,1.626,2690,1.626,2691,1.67,2692,1.626,2693,1.626,2694,1.827,2695,1.827,2696,1.827,2697,1.827,2698,1.827,2699,1.827,2700,1.718,2701,1.827,2702,1.827,2703,1.827]],["t/3122",[0,1.093,1,0.488,2,0.635,4,3.076,7,1.966,8,1.138,13,2.523,20,0.742,23,2.141,25,0.766,31,2.997,43,2.321,48,3.408,51,3.186,74,2.227,76,1.034,78,2.28,81,1.931,88,1.336,92,1.567,99,2.607,114,0.611,162,0.648,165,0.777,172,3.581,173,0.976,176,3.423,179,2.828,185,1.362,186,2.83,199,3.065,239,1.229,243,0.793,244,0.905,260,1.229,266,1.738,275,2.01,287,1.966,305,0.974,326,1.606,328,1.298,345,1.675,347,1.362,360,1.906,368,1.336,369,1.404,370,2.632,377,1.24,383,1.691,447,1.093,506,1.24,511,2.08,707,1.362,731,1.362,733,1.362,764,2.425,787,2.706,934,1.668,937,2.482,945,1.389,986,2.669,1058,1.763,1059,2.669,1088,1.531,1099,1.816,1122,1.586,1143,1.084,1162,1.197,1193,1.229,1202,1.567,1312,1.626,1418,1.187,1462,2.98,1893,3.473,1938,1.433,1940,1.003,1953,1.464,2416,0.675,2421,1.845,2422,1.845,2423,1.763,2424,1.763,2427,1.845,2428,1.647,2429,1.845,2430,3.323,2433,1.845,2435,1.845,2437,1.845,2438,1.845,2441,1.845,2442,1.845,2443,2.872,2444,1.845,2445,2.872,2446,1.691,2448,1.845,2449,1.845,2450,4.315,2451,1.845,2452,1.845,2453,1.845,2454,2.872,2455,1.845,2458,2.706,2460,1.738,2461,1.845,2462,2.706,2589,1.389,2590,1.606,2606,1.404,2612,1.404,2613,1.418,2682,1.668,2683,1.714,2684,1.668,2685,1.668,2686,1.668,2687,1.668,2688,1.668,2689,1.668,2690,1.668,2691,1.714,2692,1.668,2693,1.668,2694,1.874,2695,1.874,2696,1.874,2697,1.874,2698,1.874,2699,1.874,2700,1.763,2701,1.874,2702,1.874,2703,1.874,2704,3.51]],["t/3124",[0,1.116,1,0.502,2,0.66,4,2.466,7,2.025,13,2.563,20,0.764,23,1.796,25,0.796,31,3.07,43,2.369,48,1.429,51,3.236,74,2.267,78,2.348,81,1.989,92,1.628,99,2.66,114,0.634,153,0.841,162,0.673,165,0.807,172,3.644,173,0.651,176,3.494,179,2.913,185,1.415,186,2.899,199,2.886,239,1.277,243,1.271,244,0.94,260,1.277,266,1.805,282,1.887,287,2.025,305,1.011,328,1.348,345,1.725,347,1.415,368,1.387,369,1.458,370,2.711,377,1.288,383,1.756,398,1.019,447,1.126,506,1.288,511,2.142,707,1.415,731,1.415,733,1.415,787,2.787,934,1.733,937,2.082,966,1.756,986,2.749,1058,1.831,1059,2.749,1060,4.015,1088,1.59,1099,1.887,1122,1.648,1143,1.126,1162,1.244,1193,1.277,1202,1.628,1312,1.689,1418,1.233,1893,3.558,1938,1.489,1940,1.042,1953,1.521,2416,0.701,2421,1.916,2422,1.916,2423,1.831,2424,1.831,2427,1.916,2428,1.711,2429,1.916,2430,3.404,2433,1.916,2435,1.916,2437,1.916,2438,1.916,2441,1.916,2442,1.916,2443,2.958,2444,1.916,2445,2.958,2446,1.756,2448,1.916,2449,1.916,2450,4.391,2451,1.916,2452,1.916,2453,1.916,2454,2.958,2455,1.916,2458,2.787,2460,1.805,2461,1.916,2462,2.787,2589,1.443,2590,1.668,2606,1.458,2612,1.458,2613,1.473,2682,1.733,2683,1.78,2684,1.733,2685,1.733,2686,1.733,2687,1.733,2688,1.733,2689,1.733,2690,1.733,2691,1.78,2692,1.733,2693,1.733,2694,1.947,2695,1.947,2696,1.947,2697,1.947,2698,1.947,2699,1.947,2700,1.831,2701,1.947,2702,1.947,2703,1.947,2705,5.118,2706,3.647]],["t/3126",[0,1.121,1,0.506,2,0.666,4,2.478,7,2.039,13,2.572,20,1.054,23,1.808,25,0.803,31,3.087,43,2.38,48,1.442,51,3.248,74,2.276,78,2.364,81,2.003,92,1.643,99,2.673,114,0.64,162,0.679,165,0.814,172,3.659,173,0.657,176,3.511,179,2.933,185,1.428,186,2.916,199,2.9,239,1.288,240,1.569,243,1.28,244,0.949,260,1.288,266,1.822,287,2.039,305,1.021,328,1.361,345,1.737,347,1.428,368,1.4,369,1.471,370,2.73,377,1.3,383,1.772,447,1.134,506,1.3,511,2.157,707,1.428,731,1.428,733,1.428,787,2.807,934,1.749,937,2.096,986,2.768,1058,1.848,1059,2.768,1060,4.037,1088,1.605,1099,1.904,1122,1.663,1143,1.136,1162,1.255,1193,1.288,1202,1.643,1312,1.704,1418,1.244,1893,3.578,1938,1.502,1940,1.052,1953,1.535,2416,0.707,2421,1.934,2422,1.934,2423,1.848,2424,1.848,2427,2.979,2428,1.726,2429,1.934,2430,3.424,2433,1.934,2435,1.934,2437,1.934,2438,1.934,2441,1.934,2442,1.934,2443,2.979,2444,1.934,2445,2.979,2446,1.772,2448,1.934,2449,1.934,2450,4.41,2451,1.934,2452,1.934,2453,1.934,2454,2.979,2455,1.934,2458,2.807,2460,1.822,2461,1.934,2462,2.807,2589,1.456,2590,1.683,2606,1.471,2612,1.471,2613,1.487,2682,1.749,2683,1.796,2684,1.749,2685,1.749,2686,1.749,2687,1.749,2688,1.749,2689,1.749,2690,1.749,2691,1.796,2692,1.749,2693,1.749,2694,1.965,2695,1.965,2696,1.965,2697,1.965,2698,1.965,2699,1.965,2700,1.848,2701,1.965,2702,1.965,2703,1.965]],["t/3128",[0,1.119,1,0.505,2,0.664,4,2.474,7,2.034,13,2.569,20,0.767,23,1.804,25,0.801,31,3.082,43,2.377,48,1.438,51,3.244,74,2.273,78,2.359,81,1.998,92,1.638,99,2.669,114,0.638,153,0.846,162,0.677,165,0.812,172,3.654,173,0.655,176,3.505,179,2.926,185,1.423,186,2.91,199,2.896,239,1.285,240,1.564,243,1.277,244,0.946,260,1.285,266,1.816,287,2.034,305,1.017,328,1.357,345,1.733,347,1.423,368,1.396,369,1.467,370,2.724,377,1.296,383,1.767,447,1.131,506,1.296,511,2.152,707,1.423,731,1.423,733,1.423,787,2.8,934,1.743,937,2.091,986,2.761,1058,1.842,1059,2.761,1060,4.03,1088,1.6,1099,1.898,1122,1.658,1143,1.133,1162,1.251,1193,1.285,1202,1.638,1312,1.699,1418,1.241,1893,3.571,1938,1.498,1940,1.048,1953,1.53,1965,5.141,2416,0.705,2421,1.928,2422,1.928,2423,1.842,2424,1.842,2427,2.972,2428,1.721,2429,1.928,2430,3.417,2433,1.928,2435,1.928,2437,1.928,2438,1.928,2441,1.928,2442,1.928,2443,2.972,2444,1.928,2445,2.972,2446,1.767,2448,1.928,2449,1.928,2450,4.404,2451,1.928,2452,1.928,2453,1.928,2454,2.972,2455,1.928,2458,2.8,2460,1.816,2461,1.928,2462,2.8,2589,1.452,2590,1.678,2606,1.467,2612,1.467,2613,1.482,2682,1.743,2683,1.791,2684,1.743,2685,1.743,2686,1.743,2687,1.743,2688,1.743,2689,1.743,2690,1.743,2691,1.791,2692,1.743,2693,1.743,2694,1.959,2695,1.959,2696,1.959,2697,1.959,2698,1.959,2699,1.959,2700,1.842,2701,1.959,2702,1.959,2703,1.959]],["t/3130",[0,1.107,1,0.497,2,0.65,4,2.447,7,2.002,8,1.165,13,2.547,20,0.488,23,1.775,25,0.784,31,3.041,43,2.351,48,1.408,51,3.216,74,2.252,76,1.059,78,2.321,81,1.966,88,1.367,92,1.604,99,2.639,114,0.625,162,0.663,165,1.231,172,1.567,173,0.994,176,3.466,179,2.88,185,1.394,186,2.872,199,2.864,229,1.175,239,1.258,243,0.811,244,0.926,260,1.258,266,1.779,268,0.954,287,2.002,328,1.329,345,2.543,347,1.394,368,1.367,369,1.437,370,2.681,377,1.966,383,1.73,398,1.004,419,2.88,447,1.113,506,1.269,511,2.118,683,2.654,707,1.394,731,1.394,733,1.394,787,2.755,934,1.708,937,2.058,986,2.717,1058,1.804,1059,2.717,1088,1.567,1099,1.859,1122,1.623,1162,1.225,1193,1.258,1202,1.604,1312,1.664,1418,1.215,1765,2.562,1893,3.525,1938,3.389,1940,1.027,1953,1.498,2416,0.69,2421,1.888,2422,1.888,2423,1.804,2424,1.804,2427,1.888,2428,1.685,2429,1.888,2430,3.373,2433,1.888,2435,1.888,2437,1.888,2438,1.888,2441,1.888,2442,1.888,2443,2.925,2444,1.888,2445,2.925,2446,1.73,2448,1.888,2449,1.888,2450,4.362,2451,1.888,2452,1.888,2453,1.888,2454,2.925,2455,1.888,2458,2.755,2460,1.779,2461,1.888,2462,2.755,2589,1.422,2590,1.643,2606,1.437,2612,1.437,2613,1.452,2682,1.708,2683,1.754,2684,1.708,2685,1.708,2686,1.708,2687,1.708,2688,1.708,2689,1.708,2690,1.708,2691,1.754,2692,1.708,2693,1.708,2694,1.919,2695,1.919,2696,1.919,2697,1.919,2698,1.919,2699,1.919,2700,1.804,2701,1.919,2702,1.919,2703,1.919,2707,3.593,2708,3.593,2709,3.593]],["t/3132",[0,1.199,1,0.498,2,0.652,4,2.451,7,2.007,13,2.551,20,0.757,23,1.779,25,0.787,31,3.047,43,2.354,48,1.412,51,3.22,74,2.255,78,2.327,81,1.971,92,1.609,99,2.644,114,0.627,162,0.665,165,0.797,172,1.572,173,0.644,176,3.472,179,2.886,185,1.398,186,2.878,199,2.868,239,1.262,240,1.536,243,1.26,244,0.929,260,1.262,266,1.784,287,2.007,305,0.999,328,1.333,345,2.693,347,1.398,368,1.371,369,1.441,370,2.687,377,1.273,383,1.736,419,3.976,447,1.116,476,1.648,506,1.273,511,2.122,707,1.398,731,1.398,733,1.398,787,2.762,934,1.713,937,2.063,945,1.426,986,2.723,1058,1.81,1059,2.723,1088,1.572,1099,1.864,1122,1.628,1143,1.113,1162,1.229,1193,1.262,1202,1.609,1312,1.669,1418,1.219,1893,3.531,1938,3.393,1940,1.03,1953,1.503,2416,0.692,2421,1.894,2422,1.894,2423,1.81,2424,1.81,2427,1.894,2428,1.69,2429,1.894,2430,3.379,2433,1.894,2435,1.894,2437,1.894,2438,1.894,2441,1.894,2442,1.894,2443,2.931,2444,1.894,2445,2.931,2446,1.736,2448,1.894,2449,1.894,2450,4.367,2451,1.894,2452,1.894,2453,1.894,2454,2.931,2455,1.894,2458,2.762,2460,1.784,2461,1.894,2462,2.762,2589,1.426,2590,1.648,2606,1.441,2612,1.441,2613,1.456,2682,1.713,2683,1.759,2684,1.713,2685,1.713,2686,1.713,2687,1.713,2688,1.713,2689,1.713,2690,1.713,2691,1.759,2692,1.713,2693,1.713,2694,1.924,2695,1.924,2696,1.924,2697,1.924,2698,1.924,2699,1.924,2700,1.81,2701,1.924,2702,1.924,2703,1.924,2710,5.579]],["t/3134",[0,1.496,2,0.723,7,1.436,15,5.782,20,0.542,25,0.871,28,2.76,165,0.883,167,5.348,173,0.713,229,1.305,240,1.702,243,0.902,244,1.03,260,1.398,287,2.616,307,1.949,308,4.347,332,2.205,345,2.228,353,4.243,369,3.8,410,1.741,419,3.122,447,1.207,506,1.411,541,3.921,650,2.95,696,6.054,736,7.02,945,1.58,1143,1.233,1162,1.362,1193,1.398,1418,1.35,1938,2.969,1940,1.141,2416,0.767,2589,1.58,2590,1.826,2597,2.95,2649,2.95,2650,3.211,2651,3.211,2652,3.211,2653,3.211,2654,3.211,2655,7.87,2656,3.211,2657,3.211,2658,3.211,2659,6.519,2660,7.643,2661,7.643,2662,7.643,2663,7.643,2664,3.211,2665,3.211,2666,3.211,2667,3.211,2668,3.211,2669,3.211,2670,3.211,2671,3.211,2672,4.853,2673,3.211,2674,3.211,2675,3.211,2676,3.211,2677,3.211,2678,3.211,2711,3.993,2712,3.993]],["t/3136",[0,1.191,1,0.492,2,0.643,4,2.432,7,1.984,13,2.535,20,0.748,23,1.759,25,0.775,31,3.019,43,2.336,48,1.392,51,3.201,74,2.239,78,2.3,81,1.948,92,1.585,99,2.623,114,0.618,162,0.656,165,0.786,172,1.549,173,0.634,174,1.961,176,3.445,179,2.854,185,1.378,186,2.851,199,2.846,229,1.161,239,1.243,240,1.514,243,0.802,244,0.916,260,1.243,266,1.758,287,1.984,328,1.313,345,2.794,347,1.378,368,1.351,369,1.42,370,2.656,377,1.254,383,1.71,419,3.944,447,1.103,506,1.254,511,2.098,707,1.378,731,1.378,733,1.378,787,2.73,934,1.688,937,2.039,971,2.533,986,2.693,1058,1.783,1059,2.693,1088,1.549,1099,1.837,1122,1.605,1143,1.097,1162,1.211,1193,1.243,1198,2.32,1202,1.585,1312,1.645,1418,1.201,1893,3.499,1937,4.238,1938,3.567,1940,1.015,1953,1.481,2416,0.682,2421,1.866,2422,1.866,2423,1.783,2424,1.783,2427,1.866,2428,1.666,2429,1.866,2430,3.348,2433,1.866,2435,1.866,2437,1.866,2438,1.866,2441,1.866,2442,1.866,2443,2.898,2444,1.866,2445,2.898,2446,1.71,2448,1.866,2449,1.866,2450,4.338,2451,1.866,2452,1.866,2453,1.866,2454,2.898,2455,1.866,2458,2.73,2460,1.758,2461,1.866,2462,2.73,2589,1.406,2590,1.624,2606,1.42,2612,1.42,2613,1.435,2682,1.688,2683,1.734,2684,1.688,2685,1.688,2686,1.688,2687,1.688,2688,1.688,2689,1.688,2690,1.688,2691,1.734,2692,1.688,2693,1.688,2694,1.896,2695,1.896,2696,1.896,2697,1.896,2698,1.896,2699,1.896,2700,1.783,2701,1.896,2702,1.896,2703,1.896,2713,5.516,2714,3.551]],["t/3138",[0,1.189,1,0.491,2,0.641,4,2.428,7,1.979,13,2.532,20,0.747,23,1.755,25,0.773,31,3.013,43,2.332,48,1.387,51,3.197,74,2.236,76,1.043,78,2.295,81,1.944,88,1.347,92,1.581,99,2.619,114,0.616,156,1.229,162,0.654,165,0.783,172,1.544,173,0.633,176,3.439,179,2.847,185,1.374,186,2.846,199,2.841,239,1.24,240,1.51,243,1.243,244,0.913,249,1.477,260,1.24,261,1.229,266,1.753,287,2.428,305,0.982,307,1.729,328,1.309,345,1.686,347,1.374,357,2.672,368,1.347,369,1.416,370,2.65,377,1.251,383,1.705,419,3.492,447,1.101,506,1.251,508,2.203,511,2.094,707,1.374,731,1.374,733,1.374,787,2.724,880,2.721,934,1.683,937,2.035,945,2.178,986,2.687,1058,1.778,1059,2.687,1088,1.544,1099,1.832,1122,1.6,1143,1.093,1162,1.208,1193,1.24,1202,1.581,1312,1.64,1418,1.197,1893,3.492,1938,3.108,1940,1.012,1953,1.477,2384,5.002,2416,0.68,2421,1.861,2422,1.861,2423,1.778,2424,1.778,2427,1.861,2428,1.661,2429,1.861,2430,3.342,2433,1.861,2435,1.861,2437,1.861,2438,1.861,2441,1.861,2442,1.861,2443,2.892,2444,1.861,2445,2.892,2446,1.705,2448,1.861,2449,1.861,2450,4.332,2451,1.861,2452,1.861,2453,1.861,2454,2.892,2455,1.861,2458,2.724,2460,1.753,2461,1.861,2462,2.724,2589,1.402,2590,1.62,2606,1.416,2612,1.416,2613,1.431,2682,1.683,2683,1.729,2684,1.683,2685,1.683,2686,1.683,2687,1.683,2688,1.683,2689,1.683,2690,1.683,2691,1.729,2692,1.683,2693,1.683,2694,1.891,2695,1.891,2696,1.891,2697,1.891,2698,1.891,2699,1.891,2700,1.778,2701,1.891,2702,1.891,2703,1.891]],["t/3140",[0,1.202,1,0.5,2,0.656,4,2.458,7,2.016,13,2.557,20,0.76,23,1.787,25,0.791,31,3.058,43,2.362,48,1.42,51,3.228,74,2.261,78,2.337,81,1.98,92,1.618,99,2.652,114,0.631,162,0.669,165,0.802,172,1.581,173,0.648,176,3.483,179,2.899,185,1.406,186,2.889,199,2.877,239,1.269,240,1.545,243,0.819,244,0.935,260,1.269,261,1.258,266,1.795,287,2.464,305,1.005,307,1.77,328,1.34,345,1.717,347,1.406,357,2.712,368,1.379,369,1.45,370,2.699,377,1.281,383,1.746,419,3.544,447,1.121,506,1.281,511,2.132,707,1.406,731,1.406,733,1.406,787,2.774,934,1.723,937,2.072,945,2.218,986,2.736,1058,1.82,1059,2.736,1088,1.581,1099,1.875,1122,1.638,1143,1.119,1162,1.236,1193,1.269,1202,1.618,1312,1.679,1418,1.226,1893,3.544,1938,3.147,1940,1.036,1953,1.512,2416,0.697,2421,1.905,2422,1.905,2423,1.82,2424,1.82,2427,1.905,2428,1.7,2429,1.905,2430,3.392,2433,1.905,2435,1.905,2437,1.905,2438,1.905,2441,1.905,2442,1.905,2443,2.945,2444,1.905,2445,2.945,2446,1.746,2448,1.905,2449,1.905,2450,4.379,2451,1.905,2452,1.905,2453,1.905,2454,2.945,2455,1.905,2458,2.774,2460,1.795,2461,1.905,2462,2.774,2516,3.295,2589,1.435,2590,1.658,2606,1.45,2612,1.45,2613,1.465,2682,1.723,2683,1.77,2684,1.723,2685,1.723,2686,1.723,2687,1.723,2688,1.723,2689,1.723,2690,1.723,2691,1.77,2692,1.723,2693,1.723,2694,1.936,2695,1.936,2696,1.936,2697,1.936,2698,1.936,2699,1.936,2700,1.82,2701,1.936,2702,1.936,2703,1.936]],["t/3142",[0,1.102,1,0.493,2,0.645,4,2.636,7,1.988,8,1.155,13,2.538,20,0.75,23,1.763,25,0.777,31,3.024,43,2.339,48,1.396,51,3.205,74,2.242,76,1.049,78,2.305,81,1.953,88,1.355,92,1.59,99,2.627,114,0.62,162,0.658,165,0.788,172,1.553,173,0.636,176,3.45,179,2.86,185,1.382,186,2.856,199,2.85,239,1.247,240,1.518,243,1.248,244,0.918,260,1.247,266,1.763,268,0.945,287,1.988,305,0.988,328,1.317,345,2.68,347,1.382,368,1.355,369,1.424,370,2.662,377,1.258,383,1.715,419,3.505,447,1.106,506,1.258,511,2.103,707,1.382,731,1.382,733,1.382,787,2.737,934,1.693,937,2.044,986,2.699,1058,1.789,1059,2.699,1088,1.553,1099,1.843,1122,1.609,1143,1.1,1162,1.215,1193,1.247,1202,1.59,1312,1.65,1418,1.204,1893,3.505,1938,3.375,1940,1.018,1953,1.485,2331,5.752,2416,0.684,2421,1.871,2422,1.871,2423,1.789,2424,1.789,2427,1.871,2428,1.671,2429,1.871,2430,3.354,2433,1.871,2435,1.871,2437,1.871,2438,1.871,2441,1.871,2442,1.871,2443,2.905,2444,1.871,2445,2.905,2446,1.715,2448,1.871,2449,1.871,2450,4.344,2451,1.871,2452,1.871,2453,1.871,2454,2.905,2455,1.871,2458,2.737,2460,1.763,2461,1.871,2462,2.737,2589,1.41,2590,1.629,2606,1.424,2612,1.424,2613,1.439,2682,1.693,2683,1.739,2684,1.693,2685,1.693,2686,1.693,2687,1.693,2688,1.693,2689,1.693,2690,1.693,2691,1.739,2692,1.693,2693,1.693,2694,1.902,2695,1.902,2696,1.902,2697,1.902,2698,1.902,2699,1.902,2700,1.789,2701,1.902,2702,1.902,2703,1.902,2715,3.562,2716,3.562]],["t/3144",[0,1.201,1,0.499,2,0.654,4,2.455,7,2.011,13,2.554,20,0.759,23,1.783,25,0.789,31,3.053,43,2.358,48,1.416,51,3.224,74,2.258,78,2.332,81,1.975,92,1.614,99,2.648,114,0.629,162,0.667,165,0.8,172,1.576,173,0.646,176,3.477,179,2.893,185,1.402,186,2.883,199,2.873,233,2.907,239,2.914,243,0.816,244,0.932,260,1.265,266,1.789,287,2.011,305,1.002,308,1.653,328,1.336,342,1.842,345,1.713,347,3.414,368,1.375,369,1.445,370,2.693,377,1.277,383,1.741,447,1.118,476,1.653,506,1.277,511,2.127,707,1.402,731,1.402,733,1.402,787,2.768,934,1.718,937,2.068,945,1.431,986,2.73,1058,1.815,1059,2.73,1088,1.576,1099,1.87,1122,1.633,1143,1.116,1147,3.069,1162,1.233,1193,1.265,1202,1.614,1312,1.674,1418,1.222,1765,2.578,1893,3.538,1938,1.476,1940,1.033,1953,1.507,2416,0.695,2421,1.899,2422,1.899,2423,1.815,2424,1.815,2427,1.899,2428,1.695,2429,1.899,2430,3.385,2433,1.899,2435,1.899,2437,1.899,2438,1.899,2441,1.899,2442,1.899,2443,2.938,2444,1.899,2445,2.938,2446,1.741,2448,1.899,2449,1.899,2450,4.373,2451,1.899,2452,1.899,2453,1.899,2454,2.938,2455,1.899,2458,2.768,2460,1.789,2461,1.899,2462,2.768,2589,1.431,2590,1.653,2606,1.445,2612,1.445,2613,1.46,2682,1.718,2683,1.765,2684,1.718,2685,1.718,2686,1.718,2687,1.718,2688,1.718,2689,1.718,2690,1.718,2691,1.765,2692,1.718,2693,1.718,2694,1.93,2695,1.93,2696,1.93,2697,1.93,2698,1.93,2699,1.93,2700,1.815,2701,1.93,2702,1.93,2703,1.93,2717,3.615]],["t/3146",[0,1.132,1,0.513,2,0.678,4,2.502,7,2.068,13,2.591,20,0.78,23,1.834,25,0.818,31,3.123,43,2.403,48,1.468,51,3.271,74,2.295,78,2.398,81,2.031,92,1.673,99,2.699,114,0.652,162,0.692,165,0.829,172,1.634,173,0.669,176,3.544,179,2.975,185,1.454,186,2.949,199,2.928,239,1.312,243,0.846,244,0.966,260,1.312,266,1.855,287,2.068,305,1.039,328,1.386,345,1.761,347,1.454,368,1.426,369,1.499,370,2.769,377,1.324,383,1.805,398,1.047,447,1.15,506,1.324,511,2.188,707,1.454,731,1.454,733,1.454,787,2.846,934,1.781,937,2.126,986,2.807,1058,1.882,1059,2.807,1065,1.91,1088,1.634,1099,1.939,1122,1.693,1143,1.157,1162,1.278,1193,1.312,1202,1.673,1312,1.736,1418,1.267,1630,2.07,1696,4.247,1893,3.619,1938,1.53,1940,1.071,1953,1.563,2416,0.72,2421,1.969,2422,1.969,2423,1.882,2424,1.882,2427,1.969,2428,1.758,2429,1.969,2430,3.463,2433,1.969,2435,1.969,2437,1.969,2438,1.969,2441,1.969,2442,1.969,2443,3.021,2444,1.969,2445,3.021,2446,2.769,2448,1.969,2449,1.969,2450,4.446,2451,1.969,2452,1.969,2453,1.969,2454,3.021,2455,1.969,2458,2.846,2460,1.855,2461,1.969,2462,2.846,2589,1.483,2590,1.714,2606,1.499,2612,1.499,2613,1.514,2682,1.781,2683,1.83,2684,1.781,2685,1.781,2686,1.781,2687,1.781,2688,1.781,2689,1.781,2690,1.781,2691,1.83,2692,1.781,2693,1.781,2694,2.001,2695,2.001,2696,2.001,2697,2.001,2698,2.001,2699,2.001,2700,1.882,2701,2.001,2702,2.001,2703,2.001]],["t/3148",[2,1.402,7,2.786,20,1.051,25,1.691,131,4.772,153,1.785,165,1.714,173,1.7,244,1.997,360,5.167,447,1.549,958,5.351,1143,2.392,1162,2.642,1193,2.712,1418,2.619,1940,2.945,1984,3.417,2416,1.488,2589,3.066,2590,3.543,2718,7.746,2719,7.746]],["t/3150",[2,1.42,7,2.822,20,1.065,25,1.712,54,6.661,80,4.58,131,4.443,153,1.808,157,3.998,165,1.736,173,1.401,244,2.023,447,1.569,1143,2.423,1162,2.676,1193,2.747,1310,6.31,1418,2.653,1940,2.742,1943,6.661,1984,3.461,2416,1.508,2525,7.132,2589,3.105,2590,3.589]],["t/3152",[2,1.429,7,2.84,20,1.071,25,1.723,96,4.61,131,4.461,153,1.82,157,4.024,165,1.747,173,1.411,243,1.783,244,2.036,447,1.579,1143,2.439,1162,2.693,1193,2.765,1418,2.67,1940,2.752,1944,6.704,1984,3.484,2416,1.517,2529,7.178,2589,3.125,2590,3.612]],["t/3154",[2,1.402,7,2.786,20,1.051,25,1.691,131,4.408,153,1.785,157,3.947,165,2.106,173,1.384,244,1.997,447,1.549,821,5.524,1143,2.392,1162,2.642,1193,2.712,1418,2.619,1663,4.819,1694,7.655,1940,2.72,1945,6.577,1984,3.417,2416,1.488,2533,7.041,2589,3.066,2590,3.543]],["t/3156",[0,1.189,1,0.491,2,0.641,4,2.428,7,1.979,13,2.532,20,0.747,23,1.755,25,0.773,31,3.013,43,2.332,48,1.387,51,3.197,74,2.624,78,2.295,81,1.944,89,1.085,92,1.581,99,2.619,114,0.616,162,0.654,165,0.783,172,1.544,173,0.983,176,3.439,179,2.847,185,1.374,186,3.84,199,2.841,239,1.24,243,0.8,244,0.913,260,1.24,266,1.753,287,2.428,305,0.982,307,1.729,328,1.309,345,1.686,347,1.374,368,1.347,369,1.416,370,2.65,377,1.251,383,1.705,398,0.989,447,1.101,451,2.067,506,1.251,510,2.256,511,2.094,707,1.374,731,1.374,733,1.374,787,2.724,934,1.683,937,2.035,945,2.178,986,2.687,1058,1.778,1059,2.687,1088,1.544,1096,2.446,1099,1.832,1122,1.6,1143,1.093,1162,1.877,1193,1.24,1202,1.581,1312,1.64,1418,1.197,1795,2.848,1893,3.492,1938,1.446,1940,1.012,1953,1.477,2416,0.68,2421,1.861,2422,1.861,2423,1.778,2424,1.778,2427,1.861,2428,1.661,2429,1.861,2430,3.342,2433,1.861,2435,1.861,2437,1.861,2438,1.861,2441,1.861,2442,1.861,2443,2.892,2444,1.861,2445,2.892,2446,1.705,2448,1.861,2449,1.861,2450,4.332,2451,1.861,2452,1.861,2453,1.861,2454,2.892,2455,1.861,2458,2.724,2460,1.753,2461,1.861,2462,2.724,2542,6.136,2589,1.402,2590,1.62,2606,1.416,2612,1.416,2613,1.431,2682,1.683,2683,1.729,2684,1.683,2685,1.683,2686,1.683,2687,1.683,2688,1.683,2689,1.683,2690,1.683,2691,1.729,2692,1.683,2693,1.683,2694,1.891,2695,1.891,2696,1.891,2697,1.891,2698,1.891,2699,1.891,2700,1.778,2701,1.891,2702,1.891,2703,1.891,2720,3.541]],["t/3158",[2,1.197,7,3.097,20,0.897,25,1.443,74,1.794,89,2.638,134,3.228,153,1.524,157,3.37,165,1.463,173,1.181,178,7.009,222,4.319,241,3.142,243,2.291,377,2.336,411,4.437,447,1.322,476,3.024,488,5.13,489,5.614,682,3.184,683,6.361,881,5.081,882,4.716,953,5.081,989,5.614,1074,6.361,1143,2.042,1162,2.255,1198,4.319,1418,2.236,1679,5.318,1984,2.917,2174,7.828,2416,1.271,2530,5.318,2535,6.01,2536,6.01,2539,5.614,2540,6.01,2541,6.01,2721,6.612,2722,6.612]],["t/3160",[0,1.586,1,0.545,2,0.55,7,1.093,8,0.985,13,0.882,20,0.412,23,1.555,25,0.663,26,1.156,43,3.06,48,1.911,51,2.994,66,0.515,76,0.895,78,2.034,79,1.518,81,1.723,88,1.156,99,2.405,114,0.529,119,1.463,151,1.678,154,2.317,162,1.128,165,1.351,173,1.757,199,3.332,200,1.463,220,1.325,239,2.448,243,0.686,244,0.783,245,2.967,260,1.707,261,1.054,275,1.74,287,3.726,305,1.352,307,1.483,308,1.39,316,1.678,326,1.39,328,1.803,353,2.177,410,1.325,436,3.861,447,0.975,467,4.68,506,1.073,731,1.892,733,1.892,832,2.847,898,1.774,937,2.258,945,1.93,980,1.89,1026,3.8,1028,3.8,1049,2.741,1065,2.485,1141,2.693,1143,0.938,1162,1.036,1193,1.064,1339,3.8,1418,1.027,1433,1.774,1940,1.393,2408,1.985,2416,0.584,2436,3.99,2569,1.985,2589,1.203,2590,1.39,2599,3.272,2600,2.039,2601,2.039,2602,3.272,2603,6.613,2604,2.039,2605,2.039,2606,1.95,2607,1.89,2608,1.89,2609,3.272,2610,1.548,2611,2.039,2612,1.215,2613,1.227,2614,3.272,2615,4.691,2616,5.762,2617,3.272,2618,3.272,2619,3.272,2620,3.272,2621,3.272,2622,3.272,2623,3.272,2624,3.272,2625,2.039,2626,2.039,2627,3.272,2628,2.039,2629,1.708,2723,3.038,2724,3.038]],["t/3162",[0,1.037,1,0.563,2,0.577,4,2.292,7,1.823,8,1.034,13,2.54,20,0.688,23,2.012,24,2.622,25,0.696,31,2.816,43,2.202,48,2.472,51,3.059,74,2.127,76,0.94,78,2.114,81,1.791,88,1.213,92,1.424,99,3.125,114,0.555,162,0.589,165,1.121,172,2.21,173,1.491,176,3.247,179,2.622,185,2.788,186,2.66,199,3.267,220,1.391,239,1.775,243,0.72,244,0.822,260,1.117,266,1.579,287,1.147,305,0.884,322,1.557,326,1.459,328,1.179,345,1.553,347,1.237,368,1.213,369,1.275,370,2.441,377,1.127,383,1.536,447,1.014,506,1.127,511,1.928,707,1.237,731,1.237,733,1.237,787,2.509,934,1.516,937,3.359,945,2.006,986,2.474,1058,1.602,1059,2.474,1088,2.21,1099,1.65,1122,1.441,1143,0.985,1162,1.088,1193,1.117,1202,1.424,1312,2.347,1418,1.078,1893,3.263,1938,1.302,1940,0.911,1953,2.114,2416,0.613,2421,1.676,2422,1.676,2423,1.602,2424,1.602,2427,1.676,2428,2.378,2429,1.676,2430,3.123,2433,1.676,2435,1.676,2437,1.676,2438,1.676,2441,1.676,2442,1.676,2443,2.663,2444,1.676,2445,2.663,2446,2.441,2448,1.676,2449,1.676,2450,4.12,2451,1.676,2452,1.676,2453,1.676,2454,2.663,2455,1.676,2458,2.509,2460,1.579,2461,1.676,2462,2.509,2476,5.073,2589,1.262,2590,1.459,2606,1.275,2612,1.275,2682,2.409,2683,2.474,2684,2.409,2685,2.409,2686,2.409,2687,2.409,2688,2.409,2689,2.409,2690,2.409,2691,2.474,2692,2.409,2693,2.409,2694,1.703,2695,1.703,2696,1.703,2697,1.703,2698,1.703,2699,1.703,2700,1.602,2701,1.703,2702,1.703,2703,1.703,2725,4.607,2726,3.189,2727,3.189,2728,2.274,2729,2.708]],["t/3164",[0,1.102,1,0.493,2,0.645,4,2.435,7,1.988,8,1.155,13,2.538,20,0.75,23,2.161,25,0.777,31,3.024,43,2.339,48,2.166,51,3.627,74,2.242,76,1.049,78,2.305,81,3.09,88,1.355,92,1.59,99,2.627,114,0.62,162,0.658,165,1.223,172,2.411,173,1.477,176,3.45,179,2.86,185,1.382,186,2.856,199,2.85,220,1.553,239,1.247,243,0.804,244,0.918,260,1.247,266,1.763,287,1.988,305,0.988,326,1.629,328,1.317,345,1.694,347,1.382,368,1.355,369,1.424,370,2.662,377,1.258,383,1.715,447,1.106,506,1.258,511,2.103,707,1.382,731,1.382,733,1.382,787,2.737,934,1.693,937,2.505,945,1.41,986,2.699,1058,1.789,1059,2.699,1088,1.553,1099,1.843,1122,1.609,1143,1.1,1193,1.247,1202,1.59,1312,1.65,1418,1.204,1893,3.505,1938,1.454,1940,1.018,1953,1.485,2416,0.684,2421,1.871,2422,1.871,2423,1.789,2424,1.789,2427,1.871,2428,1.671,2429,1.871,2430,3.354,2433,1.871,2435,1.871,2437,1.871,2438,1.871,2441,1.871,2442,1.871,2443,2.905,2444,1.871,2445,2.905,2446,1.715,2448,1.871,2449,1.871,2450,4.344,2451,1.871,2452,1.871,2453,1.871,2454,2.905,2455,1.871,2458,2.737,2460,1.763,2461,1.871,2462,2.737,2589,1.41,2590,1.629,2606,1.424,2612,1.424,2613,1.439,2682,1.693,2683,1.739,2684,1.693,2685,1.693,2686,1.693,2687,1.693,2688,1.693,2689,1.693,2690,1.693,2691,1.739,2692,1.693,2693,1.693,2694,1.902,2695,1.902,2696,1.902,2697,1.902,2698,1.902,2699,1.902,2700,1.789,2701,1.902,2702,1.902,2703,1.902,2730,3.237]],["t/3166",[0,1.103,1,0.494,2,0.647,4,2.439,7,1.993,8,1.158,13,2.541,20,0.752,23,2.165,25,0.78,31,3.03,43,2.971,48,2.171,51,3.209,74,2.245,76,1.052,78,2.311,81,1.957,88,1.359,92,1.595,99,2.631,114,0.621,162,0.66,165,1.226,172,2.416,173,1.212,176,3.456,179,2.867,185,1.386,186,2.862,199,2.855,220,1.558,239,1.251,243,0.807,244,0.921,260,1.251,266,1.768,275,2.045,287,1.993,305,0.991,326,1.634,328,1.321,345,1.697,347,1.386,368,1.359,369,1.428,370,2.668,377,1.262,383,1.72,447,1.108,506,1.262,511,2.108,707,1.386,731,1.386,733,1.386,787,2.743,934,1.698,937,2.51,945,1.414,986,2.705,1024,4.456,1058,1.794,1059,2.705,1088,1.558,1099,1.848,1122,1.614,1143,1.103,1162,1.218,1193,1.251,1202,1.595,1312,1.654,1418,1.208,1893,3.512,1938,1.458,1940,1.021,1953,1.49,2416,0.686,2421,1.877,2422,1.877,2423,1.794,2424,1.794,2427,1.877,2428,1.676,2429,1.877,2430,3.36,2433,1.877,2435,1.877,2437,1.877,2438,1.877,2441,1.877,2442,1.877,2443,2.911,2444,1.877,2445,2.911,2446,1.72,2448,1.877,2449,1.877,2450,4.35,2451,1.877,2452,1.877,2453,1.877,2454,2.911,2455,1.877,2458,2.743,2460,1.768,2461,1.877,2462,2.743,2589,1.414,2590,1.634,2606,1.428,2612,1.428,2613,1.443,2682,1.698,2683,1.744,2684,1.698,2685,1.698,2686,1.698,2687,1.698,2688,1.698,2689,1.698,2690,1.698,2691,1.744,2692,1.698,2693,1.698,2694,1.907,2695,1.907,2696,1.907,2697,1.907,2698,1.907,2699,1.907,2700,1.794,2701,1.907,2702,1.907,2703,1.907,2731,3.572]],["t/3168",[0,1.404,1,0.61,2,1.237,7,2.458,8,2.216,13,1.983,20,0.927,23,2.18,25,1.492,47,4.816,76,2.014,88,2.6,153,1.575,162,1.262,165,1.512,173,1.738,194,3.972,229,2.234,244,1.762,268,1.814,287,3.164,328,2.527,360,3.71,377,3.108,447,1.367,731,2.652,733,2.652,1143,2.111,1162,2.331,1193,2.393,1418,2.311,1940,1.953,2416,1.313,2589,2.705,2590,3.126,2606,2.733,2612,2.733,2613,2.761,2732,6.213,2733,6.835]],["t/3170",[8,2.646,47,4.04,76,2.404,88,3.105,173,1.755,194,3.332,229,2.668,268,2.166,287,2.935,447,1.632,1432,6.563,1940,2.332,2222,8.342,2416,1.568,2545,7.418,2546,7.418,2732,7.418,2734,8.161,2735,8.161]],["t/3172",[0,1.419,1,0.624,2,1.266,7,2.515,13,2.029,20,0.949,23,2.23,25,1.526,162,1.291,165,1.547,173,1.249,229,2.285,244,1.803,287,3.211,328,2.585,398,1.953,447,1.398,731,2.712,733,2.712,937,3.301,1143,2.159,1162,2.384,1193,2.448,1418,2.364,1940,1.998,2416,1.343,2464,7.579,2589,2.767,2590,3.198,2606,2.796,2612,2.796,2613,2.824,2736,6.992,2737,6.992,2738,6.992,2739,6.992,2740,6.992,2741,6.992,2742,6.992,2743,6.992,2744,6.355]],["t/3175",[0,1.411,1,0.617,13,2.006,20,0.938,25,2.252,26,3.372,153,1.593,157,3.522,162,1.276,165,1.529,173,1.235,229,2.26,244,2.66,287,3.187,328,2.556,447,1.382,731,2.682,733,2.682,1143,2.134,1193,2.42,1418,2.337,1798,7.225,1940,1.975,1946,7.866,1947,5.868,2416,1.328,2547,8.891,2589,2.736,2593,4.638,2606,2.764,2612,2.764,2613,2.792]],["t/3177",[0,1.187,1,0.551,4,2.624,13,2.388,20,1.005,23,1.968,25,2.095,26,3.131,27,3.099,51,3.014,66,0.697,74,2.232,81,1.453,92,4.408,99,3.033,114,1.789,162,0.76,165,0.91,167,2.197,172,1.794,173,0.735,176,3.983,177,6.078,185,1.596,186,2.602,199,3.291,239,1.44,243,0.929,244,1.061,260,1.44,268,1.092,287,2.22,305,1.141,322,2.009,328,1.521,368,1.565,398,1.15,447,1.234,506,1.453,731,1.596,733,1.596,1065,2.097,1088,1.794,1119,2.687,1143,1.271,1146,4.742,1162,1.403,1193,1.44,1202,1.837,1312,1.905,1418,1.391,1630,2.272,1696,4.559,1822,4.742,1858,2.934,1940,1.176,1948,2.934,1953,1.716,2186,3.162,2416,0.791,2428,1.93,2430,4.074,2446,2.972,2458,2.037,2460,2.037,2462,4.365,2466,3.162,2468,3.162,2469,5.691,2589,1.628,2593,2.761,2606,1.645,2612,1.645,2613,1.662,2682,1.955,2683,2.009,2684,1.955,2685,1.955,2686,1.955,2687,1.955,2688,1.955,2689,1.955,2690,1.955,2691,2.009,2692,1.955,2693,1.955,2700,2.066,2728,2.934,2745,4.963,2746,3.309,2747,3.309]],["t/3179",[0,1.169,1,0.539,4,2.585,13,2.352,20,0.987,23,1.924,25,2.074,26,3.084,27,3.03,51,2.969,66,1.373,74,2.578,81,1.411,92,4.368,99,2.994,114,1.776,162,0.737,165,0.883,167,2.132,172,1.741,173,0.713,176,3.932,177,5.987,185,1.549,186,3.669,199,3.249,239,1.398,243,0.902,244,1.03,260,1.398,268,1.06,287,2.17,305,1.107,322,1.949,328,1.476,368,1.519,398,1.116,418,4.303,447,1.207,506,1.411,731,1.549,733,1.549,1065,2.035,1088,1.741,1119,2.608,1143,1.233,1146,4.637,1162,1.362,1193,1.398,1202,1.783,1312,1.849,1418,1.35,1630,2.205,1822,4.637,1858,2.848,1940,1.141,1948,4.303,1953,1.665,2186,3.068,2416,0.767,2428,1.873,2430,4.013,2446,1.923,2458,1.977,2460,1.977,2462,4.308,2466,3.068,2468,3.068,2469,5.589,2589,1.58,2593,2.679,2606,1.597,2612,1.597,2613,1.613,2682,1.898,2683,1.949,2684,1.898,2685,1.898,2686,1.898,2687,1.898,2688,1.898,2689,1.898,2690,1.898,2691,1.949,2692,1.898,2693,1.898,2700,2.005,2728,2.848,2745,4.853,2746,3.211,2747,3.211]],["t/3181",[0,1.147,1,0.523,4,2.535,13,2.306,20,0.964,23,1.869,25,2.047,26,3.024,27,2.943,51,2.911,66,0.651,74,2.688,81,1.357,92,4.316,99,3.477,114,1.758,153,0.886,162,0.709,165,0.85,167,2.051,172,1.675,173,1.528,176,3.866,177,5.87,185,3.499,186,3.954,199,3.194,239,1.345,243,0.868,244,0.991,260,1.345,268,1.02,287,2.108,305,1.066,322,1.876,328,1.421,368,1.462,447,1.172,506,1.357,731,1.491,733,1.491,945,1.521,1088,1.675,1119,2.51,1143,1.186,1146,4.503,1162,1.31,1193,1.345,1202,1.715,1312,1.779,1418,1.299,1822,4.503,1858,2.74,1940,1.098,1948,2.74,1953,1.602,2186,2.952,2416,0.738,2428,1.802,2430,3.934,2446,1.85,2458,1.902,2460,1.902,2462,4.236,2466,2.952,2468,2.952,2469,5.459,2589,1.521,2593,2.578,2606,1.536,2612,1.536,2613,1.552,2648,3.492,2682,1.826,2683,1.876,2684,1.826,2685,1.826,2686,1.826,2687,1.826,2688,1.826,2689,1.826,2690,1.826,2691,1.876,2692,1.826,2693,1.826,2700,1.929,2728,2.74,2745,4.713,2746,3.09,2747,3.09]],["t/3183",[0,1.167,1,0.537,4,2.581,13,2.348,20,0.985,23,1.92,25,2.072,26,3.079,27,3.023,48,1.56,51,2.964,66,0.674,74,2.195,81,3.07,92,4.364,99,2.99,114,1.774,162,0.735,165,0.881,167,4.64,172,1.736,173,1.552,176,3.927,177,5.977,185,1.544,186,2.538,199,3.244,239,1.393,243,0.899,244,1.026,260,1.393,268,1.056,287,2.165,305,1.104,322,1.943,328,1.472,368,1.514,384,2.6,447,1.204,506,1.406,731,1.544,733,1.544,945,1.575,1088,1.736,1119,2.6,1143,1.229,1146,4.625,1162,1.357,1193,1.393,1202,1.777,1312,1.843,1418,1.346,1822,4.625,1858,2.838,1940,1.137,1948,2.838,1953,1.66,2186,3.058,2416,0.765,2428,1.867,2430,4.006,2446,1.917,2458,1.97,2460,1.97,2462,4.302,2466,3.058,2468,3.058,2469,5.578,2589,1.575,2593,2.671,2606,1.591,2612,1.591,2613,1.608,2682,1.891,2683,1.943,2684,1.891,2685,1.891,2686,1.891,2687,1.891,2688,1.891,2689,1.891,2690,1.891,2691,1.943,2692,1.891,2693,1.891,2700,1.999,2728,2.838,2745,4.841,2746,3.201,2747,3.201,2748,3.98]],["t/3185",[20,1.093,25,2.288,26,3.064,136,4.527,165,1.782,173,1.438,240,3.433,244,2.076,447,1.611,1143,2.487,1162,2.747,1193,2.82,1202,4.351,1418,2.723,1984,3.553,2416,1.547,2589,3.187,2593,5.404,2749,8.053,2750,7.32]],["t/3187",[0,1.516,15,5.782,20,0.542,25,1.587,26,1.519,28,2.76,149,2.679,167,5.348,173,0.713,243,1.363,244,1.03,260,1.398,261,1.386,287,2.616,305,1.107,307,1.949,308,4.347,332,2.205,353,4.243,369,4.082,410,1.741,447,1.207,506,1.411,541,3.921,650,2.95,696,6.054,736,7.02,945,2.388,1088,3.172,1143,1.233,1162,1.362,1193,1.398,1418,1.35,1940,1.141,2416,0.767,2589,1.58,2593,2.679,2597,2.95,2649,2.95,2650,3.211,2651,3.211,2652,3.211,2653,3.211,2654,3.211,2655,7.87,2656,3.211,2657,3.211,2658,3.211,2659,6.519,2660,7.643,2661,7.643,2662,7.643,2663,7.643,2664,3.211,2665,3.211,2666,3.211,2667,3.211,2668,3.211,2669,3.211,2670,3.211,2671,3.211,2672,4.853,2673,3.211,2674,3.211,2675,3.211,2676,3.211,2677,3.211,2678,3.211]],["t/3190",[0,1.333,1,0.732,13,2.381,20,0.834,24,5.1,25,1.341,162,1.135,165,1.36,172,2.68,173,1.466,199,2.294,239,2.152,243,1.388,244,1.585,260,2.152,287,2.21,305,1.704,322,3,328,2.273,398,1.717,447,1.641,506,2.171,731,2.384,733,2.384,1065,3.132,1088,2.68,1143,1.898,1162,2.096,1193,2.152,1312,2.846,1418,2.078,1630,3.394,1696,4.54,1940,1.756,1953,2.563,2416,1.181,2428,2.883,2446,3.952,2476,7.429,2589,2.433,2594,4.943,2606,2.457,2612,2.457,2613,2.483,2682,2.921,2683,3,2684,2.921,2685,2.921,2686,2.921,2687,2.921,2688,2.921,2689,2.921,2690,2.921,2691,3,2692,2.921,2693,2.921,2728,4.383,2729,5.218]],["t/3192",[0,1.457,1,0.709,13,2.303,20,0.794,24,4.999,25,1.277,149,3.926,162,1.08,172,2.552,173,1.045,199,2.184,239,2.049,243,1.793,244,1.509,260,2.049,261,2.031,287,2.855,305,1.623,322,2.856,328,2.164,369,3.864,447,1.588,506,2.067,731,2.27,733,2.27,945,2.316,1088,4.405,1143,1.807,1162,1.996,1193,2.049,1312,2.71,1418,1.978,1630,3.231,1940,1.672,1953,2.44,2416,1.124,2428,2.745,2446,2.818,2476,7.246,2589,2.316,2594,4.706,2606,2.34,2612,2.34,2613,2.364,2682,2.781,2683,2.856,2684,2.781,2685,2.781,2686,2.781,2687,2.781,2688,2.781,2689,2.781,2690,2.781,2691,2.856,2692,2.781,2693,2.781,2728,4.173,2729,4.968,2751,5.851]],["t/3195",[0,1.572,1,0.546,13,0.884,20,0.413,23,0.971,26,1.159,43,2.633,47,1.508,51,2.997,66,0.516,74,0.826,76,0.897,78,2.038,79,1.521,81,1.726,88,1.159,99,2.957,114,0.53,119,1.467,151,1.682,154,2.322,162,1.13,165,1.081,173,1.9,199,3.731,200,1.467,239,2.451,243,0.688,244,0.785,245,2.973,260,1.711,261,1.057,268,0.808,287,3.728,305,1.355,307,1.487,308,1.393,316,1.682,328,1.807,353,2.181,398,0.851,410,1.328,436,3.866,447,0.977,467,4.685,506,1.076,731,1.896,733,1.896,832,2.852,898,1.778,937,2.262,945,1.934,980,1.895,1026,1.895,1028,1.895,1049,2.747,1065,2.49,1141,2.698,1162,1.039,1193,1.066,1280,2.044,1339,3.806,1418,1.03,1433,1.778,1940,1.396,2408,1.99,2416,0.585,2436,3.191,2569,1.99,2595,2.044,2599,3.279,2600,2.044,2601,2.044,2602,3.279,2603,6.616,2604,2.044,2605,2.044,2606,1.954,2607,1.895,2608,1.895,2609,3.279,2610,1.552,2611,2.044,2612,1.218,2613,1.231,2614,4.105,2615,4.698,2616,5.768,2617,3.279,2618,3.279,2619,3.279,2620,3.279,2621,3.279,2622,3.279,2623,3.279,2624,3.279,2625,2.044,2626,2.044,2627,3.279,2628,2.044,2629,1.712,2752,2.769,2753,3.046,2754,4.441,2755,2.769,2756,2.769]],["t/3197",[0,1.587,1,0.557,13,0.911,20,0.426,23,1.001,26,1.195,43,2.54,51,3.634,66,0.532,78,3.245,79,1.558,81,1.768,99,1.722,114,0.546,119,1.512,151,1.734,154,2.379,162,1.153,165,1.108,173,1.663,199,3.81,200,1.512,239,2.494,243,0.709,244,0.81,245,3.046,260,1.753,261,1.09,287,3.752,305,1.388,307,1.533,308,1.436,316,1.734,328,1.851,353,2.235,398,0.877,410,1.369,436,3.934,447,1.001,467,4.748,506,1.109,730,2.444,731,1.942,733,1.942,832,2.923,898,1.833,937,1.851,945,1.243,980,1.953,1026,1.953,1028,1.953,1049,2.814,1065,2.551,1141,2.765,1162,1.071,1193,1.099,1280,2.107,1339,3.884,1418,1.062,1433,1.833,1630,1.734,1940,1.431,2408,2.051,2416,0.603,2436,3.27,2569,2.051,2595,2.107,2599,3.359,2600,2.107,2601,2.107,2602,3.359,2603,6.653,2604,2.107,2605,2.107,2606,2.002,2607,1.953,2608,1.953,2609,3.359,2610,1.6,2611,2.107,2612,1.255,2613,1.269,2614,3.359,2615,4.78,2616,5.838,2617,3.359,2618,4.189,2619,3.359,2620,3.359,2621,3.359,2622,3.359,2623,3.359,2624,3.359,2625,2.107,2626,2.107,2627,4.78,2628,2.107,2629,1.765,2757,3.14]],["t/3199",[0,1.537,1,0.498,13,0.772,15,3.393,20,0.361,23,0.848,26,1.012,43,2.354,50,5.898,51,2.815,66,0.451,71,2.686,78,1.826,79,1.363,81,1.546,84,2.432,86,2.404,99,1.506,114,0.463,116,2.49,119,1.281,129,4.243,151,1.469,154,2.08,162,1.03,165,0.968,173,1.692,193,2.761,199,3.167,200,1.281,238,2.102,239,2.263,243,0.601,244,0.686,245,2.663,260,1.533,261,0.923,287,3.617,298,4.12,305,1.214,307,1.299,308,1.217,316,1.469,328,1.619,353,1.954,379,3.135,405,2.404,409,4.286,410,1.16,436,3.569,447,0.875,467,4.4,476,1.217,506,0.94,566,6.754,731,1.698,733,1.698,832,2.555,898,1.553,937,2.062,945,1.733,966,2.686,980,1.655,1007,4.735,1026,1.655,1028,1.655,1049,2.461,1065,2.842,1141,2.417,1162,0.907,1193,0.931,1280,1.785,1339,4.444,1418,0.9,1433,1.553,1607,3.853,1940,1.251,2408,1.738,2416,0.511,2436,2.859,2569,1.738,2595,1.785,2599,2.937,2600,1.785,2601,1.785,2602,2.937,2603,6.444,2604,1.785,2605,1.785,2606,1.75,2607,1.655,2608,1.655,2609,2.937,2610,1.356,2611,1.785,2612,1.064,2613,1.075,2614,2.937,2615,4.337,2616,5.449,2617,2.937,2618,2.937,2619,3.742,2620,2.937,2621,2.937,2622,2.937,2623,2.937,2624,2.937,2625,1.785,2626,1.785,2627,2.937,2628,2.937,2629,1.496,2758,4.378,2759,5.07,2760,5.07,2761,5.07,2762,5.07,2763,5.07]],["t/3201",[0,1.564,1,0.534,2,0.86,13,0.854,20,0.399,23,0.939,26,1.12,43,2.702,47,1.457,51,3.105,66,0.499,74,0.798,76,0.867,78,1.982,79,1.479,81,1.679,88,1.12,99,3.035,114,0.827,119,1.417,151,1.625,154,2.259,157,1.5,162,1.104,165,1.051,173,1.888,199,3.698,200,1.417,239,2.403,243,0.665,244,0.759,245,2.892,260,1.664,261,1.021,268,0.781,287,3.701,305,1.318,307,1.437,308,1.346,316,1.625,328,1.757,353,2.122,398,0.822,410,1.283,436,3.79,447,0.95,467,5.674,506,1.04,731,1.844,733,1.844,832,2.775,898,1.718,937,2.21,945,1.881,980,1.831,1026,1.831,1028,1.831,1049,2.672,1065,2.422,1141,2.625,1162,1.004,1193,1.03,1280,1.975,1339,3.719,1418,0.995,1433,1.718,1940,1.358,2408,1.922,2416,0.565,2436,3.104,2569,1.922,2595,1.975,2599,3.189,2600,1.975,2601,1.975,2602,3.189,2603,6.574,2604,1.975,2605,1.975,2606,1.9,2607,1.831,2608,1.831,2609,3.189,2610,1.5,2611,1.975,2612,1.177,2613,1.189,2614,3.189,2615,4.605,2616,5.687,2617,3.189,2618,3.189,2619,3.189,2620,4.012,2621,3.189,2622,3.189,2623,3.189,2624,3.189,2625,1.975,2626,1.975,2627,3.189,2628,1.975,2629,1.654,2755,2.675,2756,2.675,2764,4.753,2765,4.32]],["t/3203",[0,1.586,1,0.556,13,0.909,20,0.425,23,0.999,26,1.192,43,2.538,51,3.632,66,0.531,78,3.241,79,1.555,81,1.765,99,1.719,114,0.545,119,1.508,151,1.73,154,2.374,162,1.151,165,1.105,173,1.662,199,3.807,200,1.508,239,2.49,243,0.707,244,0.808,245,3.04,260,1.749,261,1.087,287,3.75,305,1.386,307,1.529,308,1.432,316,1.73,328,1.847,353,2.23,398,0.875,410,1.366,436,3.928,447,0.999,467,4.977,506,1.106,730,2.439,731,1.938,733,1.938,832,2.917,898,1.828,937,1.847,945,1.24,980,1.948,1026,1.948,1028,1.948,1049,2.809,1065,2.546,1141,2.759,1162,1.068,1193,1.097,1280,2.102,1339,3.877,1418,1.059,1433,1.828,1630,1.73,1940,1.428,2408,2.046,2416,0.602,2436,3.263,2569,2.046,2595,2.102,2599,3.352,2600,2.102,2601,2.102,2602,3.352,2603,6.65,2604,2.102,2605,2.102,2606,1.998,2607,1.948,2608,1.948,2609,3.352,2610,1.596,2611,2.102,2612,1.252,2613,1.265,2614,3.352,2615,4.773,2616,5.832,2617,3.352,2618,3.352,2619,3.352,2620,3.352,2621,4.182,2622,3.352,2623,3.352,2624,3.352,2625,2.102,2626,2.102,2627,5.215,2628,2.102,2629,1.761]],["t/3205",[0,1.577,1,0.531,13,0.848,15,1.778,20,0.396,23,0.932,26,1.112,43,2.46,50,3.992,51,2.941,66,0.495,71,1.407,78,1.971,79,1.471,81,1.669,84,1.274,86,1.26,99,1.626,114,0.508,116,1.304,119,1.407,129,2.609,151,1.614,154,2.245,162,1.098,165,1.045,173,1.667,193,1.446,199,3.284,200,1.407,238,1.101,239,2.393,243,0.66,244,0.753,245,2.875,260,1.654,261,1.014,287,3.695,298,2.158,305,1.31,307,1.426,308,1.336,316,1.614,328,1.747,353,2.109,379,1.642,405,1.26,409,2.245,410,1.274,436,3.774,447,0.945,467,5.571,476,1.336,506,1.032,566,4.571,731,1.833,733,1.833,832,2.758,898,1.706,937,2.775,945,1.156,966,1.407,980,1.818,1007,2.481,1026,1.818,1028,1.818,1049,2.656,1065,3.483,1141,2.609,1162,0.996,1193,1.023,1280,1.961,1339,5.653,1418,0.988,1433,1.706,1607,2.019,1630,1.614,1940,1.35,2408,1.908,2416,0.561,2436,3.086,2569,1.908,2595,1.961,2599,3.171,2600,1.961,2601,1.961,2602,3.171,2603,6.565,2604,1.961,2605,1.961,2606,1.889,2607,1.818,2608,1.818,2609,3.171,2610,1.489,2611,1.961,2612,1.168,2613,1.18,2614,3.171,2615,4.586,2616,5.671,2617,3.171,2618,3.171,2619,3.171,2620,3.171,2621,3.171,2622,3.992,2623,3.171,2624,3.171,2625,1.961,2626,1.961,2627,3.171,2628,4.586,2629,1.642,2759,2.656,2760,2.656,2761,2.656,2762,2.656,2763,2.656]],["t/3207",[0,1.571,1,0.545,13,0.882,20,0.412,23,0.969,26,1.156,43,2.735,48,1.19,51,2.994,65,1.649,66,0.515,74,0.824,76,0.895,78,2.034,79,1.518,81,3.153,88,1.156,99,1.678,114,0.529,119,1.463,151,1.678,154,2.317,156,1.054,162,1.128,165,1.079,172,1.325,173,1.831,176,2.203,199,3.332,200,1.463,239,2.448,243,0.686,244,0.783,245,5.431,260,1.707,261,1.054,287,3.726,305,1.352,307,1.483,308,1.39,316,1.678,328,1.803,353,2.177,398,0.849,410,1.325,436,3.861,447,0.975,467,4.68,506,1.073,731,1.892,733,1.892,764,2.099,832,2.847,898,1.774,937,1.803,945,1.203,980,1.89,1026,1.89,1028,1.89,1049,2.741,1065,2.485,1141,2.693,1162,1.036,1172,2.244,1193,1.064,1280,2.039,1339,3.8,1418,1.027,1433,1.774,1435,1.526,1940,1.393,2408,1.985,2416,0.584,2436,3.185,2569,1.985,2595,2.039,2599,3.272,2600,2.039,2601,2.039,2602,3.272,2603,6.613,2604,2.039,2605,2.039,2606,1.95,2607,1.89,2608,1.89,2609,3.272,2610,1.548,2611,2.039,2612,1.215,2613,1.227,2614,3.272,2615,4.691,2616,5.762,2617,3.272,2618,3.272,2619,3.272,2620,3.272,2621,3.272,2622,3.272,2623,4.099,2624,3.272,2625,2.039,2626,2.039,2627,3.272,2628,2.039,2629,1.708,2752,2.762,2754,2.762,2765,2.762]],["t/3210",[8,2.776,48,3.355,51,3.136,66,1.45,174,4.728,194,3.495,229,2.799,447,1.712,966,4.123,1096,5.915,1807,6.324,2416,1.645,2647,7.269,2766,8.562]],["t/3213",[0,1.495,1,0.7,13,2.276,23,2.502,114,1.365,156,2.723,162,1.449,173,1.714,229,2.565,287,3.451,328,2.901,447,1.569,509,3.916,731,3.044,733,3.044,1940,2.962,2416,1.508,2606,3.137,2612,3.137,2613,3.17]],["t/3215",[26,2.63,46,4.004,66,1.171,76,2.037,114,1.542,123,3.422,131,4.778,178,6.122,194,2.822,229,2.26,244,1.782,261,2.399,297,4.515,309,4.732,447,1.382,482,3.242,508,4.3,509,2.822,672,5.279,885,3.691,947,4.929,1000,3.886,1126,2.914,1332,5.559,1359,5.559,1360,5.868,1886,6.283,1940,1.975,2268,5.559,2280,5.868,2305,6.283,2316,6.283,2407,5.868,2416,1.328,2553,6.283,2767,6.912,2768,6.912,2769,6.912,2770,6.912,2771,6.912]],["t/3218",[14,2.454,20,1.13,21,2.551,150,3.511,153,1.92,162,1.538,173,1.488,398,2.327,447,1.665,804,2.968,902,2.84,1085,4.862,1225,4.376,1440,4.682,1984,3.674,2416,1.6,2772,4.862,2773,4.862]],["t/3220",[14,2.454,20,1.13,21,2.551,150,3.511,153,1.92,162,1.538,173,1.488,398,2.327,447,1.665,804,2.968,902,2.84,1225,4.376,1984,3.674,2416,1.6,2591,4.862,2592,4.961,2772,4.862,2773,4.862]],["t/3222",[14,2.254,20,1.038,21,2.343,150,3.225,153,1.763,162,1.412,173,1.366,243,1.727,260,2.678,305,2.121,398,2.137,410,3.336,447,1.889,506,2.702,804,2.726,902,2.609,945,3.738,1085,5.982,1225,4.019,1440,4.3,1477,5.133,1940,2.186,2416,1.47,2610,3.898,2774,9.314]],["t/3224",[14,2.159,20,0.994,21,2.245,150,3.089,153,1.689,162,1.353,173,1.309,243,1.655,260,2.565,305,2.032,398,2.047,410,4.01,447,1.839,506,2.588,804,2.612,832,4.278,902,2.499,945,3.64,1225,3.85,1435,3.68,1940,2.094,2416,1.408,2591,4.278,2592,6.278,2610,3.734,2629,4.119,2633,5.062,2634,5.226,2774,9.58]],["t/3226",[14,2.268,20,1.044,21,2.358,150,3.245,153,1.774,162,1.421,173,1.375,243,1.738,260,2.695,305,2.135,398,2.151,410,3.357,447,1.896,506,2.719,804,2.744,902,2.625,1085,6.43,1225,4.045,1440,4.327,1630,4.251,1940,2.2,2416,1.479,2610,3.923,2631,6.19,2775,6.997]],["t/3228",[14,2.254,20,1.038,21,2.343,150,3.225,153,1.763,162,1.412,173,1.366,243,1.727,260,2.678,305,2.121,398,2.137,410,3.336,447,1.889,506,2.702,804,2.726,902,2.609,1225,4.019,1630,4.224,1940,2.186,2416,1.47,2591,4.465,2592,6.549,2610,3.898,2631,6.151,2634,5.455,2775,6.953]],["t/3230",[21,2.205,51,2.637,76,2.121,81,2.543,162,1.329,173,1.624,176,3.252,243,1.625,260,2.52,272,4.585,305,1.996,410,3.139,447,1.818,506,2.543,945,4.365,1084,7.66,1085,5.819,1440,4.046,1477,4.83,1630,3.975,1940,2.057,2416,1.383,2610,3.668,2776,6.542,2777,7.198,2778,7.198,2779,7.198,2780,7.198,2781,7.198,2782,7.198]],["t/3232",[21,2.373,51,2.838,76,2.282,81,2.736,162,1.43,173,1.384,176,3.5,243,1.749,260,2.712,272,4.934,305,2.148,410,3.378,447,1.904,506,2.736,1630,4.278,1940,2.214,2315,7.041,2416,1.488,2591,4.522,2592,6.572,2610,3.947,2634,5.524,2776,7.041,2783,7.746]],["t/3234",[21,2.587,66,1.43,76,2.488,150,3.56,162,1.559,173,1.508,377,2.983,447,1.689,884,4.508,907,6.021,1085,4.929,1440,4.746,1940,2.413,1984,3.725,2416,1.622,2784,7.675]],["t/3236",[21,2.587,66,1.43,76,2.488,150,3.56,162,1.559,173,1.508,377,2.983,447,1.689,884,4.508,907,6.021,1940,2.413,1984,3.725,2416,1.622,2591,4.929,2592,5.029,2784,7.675]],["t/3239",[0,1.309,1,0.562,4,2.789,7,1.144,13,2.537,14,0.937,20,0.686,23,2.008,31,2.811,43,2.198,48,1.246,51,3.055,66,0.857,69,2.469,74,2.372,78,2.993,81,1.787,92,1.42,99,2.469,114,0.553,153,0.733,162,0.934,165,1.119,172,1.387,173,1.125,176,3.242,179,2.617,185,1.234,186,2.655,199,2.678,228,2.285,239,1.114,243,0.718,250,1.341,260,1.114,266,1.575,287,2.817,305,0.882,307,1.553,308,1.455,316,1.757,322,1.553,328,1.87,345,1.929,347,1.234,368,1.21,369,1.272,370,2.436,377,1.787,383,1.532,398,0.889,410,1.387,447,1.012,474,1.371,506,1.124,511,1.924,707,1.234,708,1.788,709,1.757,731,1.962,733,1.962,787,2.504,804,1.134,902,1.085,934,1.512,937,1.87,986,2.469,1058,1.597,1059,2.469,1065,2.578,1088,1.387,1099,1.646,1122,1.437,1162,1.085,1202,1.42,1225,1.671,1312,1.473,1418,1.71,1433,1.857,1435,1.597,1630,1.757,1893,3.258,1938,1.299,1940,0.909,1953,1.327,2416,0.611,2421,1.671,2422,1.671,2423,4.391,2424,3.603,2427,1.671,2428,1.492,2429,1.671,2430,3.117,2433,1.671,2435,1.671,2437,1.671,2438,1.671,2441,1.671,2442,1.671,2443,2.658,2444,1.671,2445,2.658,2446,1.532,2448,1.671,2449,1.671,2450,4.115,2451,1.671,2452,1.671,2453,1.671,2454,2.658,2455,1.671,2458,2.504,2460,1.575,2461,1.671,2462,2.504,2603,1.979,2606,2.023,2607,1.979,2608,1.979,2612,1.272,2613,1.285,2629,1.788,2633,2.198,2682,1.512,2683,1.553,2684,1.512,2685,1.512,2686,1.512,2687,1.512,2688,1.512,2689,1.512,2690,1.512,2691,1.553,2692,1.512,2693,1.512,2694,1.698,2695,1.698,2696,1.698,2697,1.698,2698,1.698,2699,1.698,2700,1.597,2701,1.698,2702,1.698,2703,1.698,2772,1.857,2773,1.857,2785,2.268,2786,1.935]],["t/3241",[0,1.313,1,0.565,4,2.797,7,1.153,13,2.545,14,0.945,20,0.691,23,2.019,31,2.826,43,2.208,48,1.256,51,3.066,66,0.862,69,2.485,74,2.379,78,2.123,81,1.798,92,1.431,99,2.48,114,0.558,153,0.739,162,0.94,165,1.126,172,3.649,173,1.131,176,3.256,179,2.633,185,1.244,186,2.669,199,2.69,228,2.3,239,1.122,243,0.724,250,1.352,260,1.122,266,1.587,287,2.828,305,0.889,307,1.565,308,1.466,316,1.77,328,1.882,345,1.559,347,1.244,368,1.22,369,1.282,370,2.451,377,1.798,383,1.544,398,0.896,410,1.398,447,1.018,474,1.382,506,1.132,511,1.936,707,1.244,708,1.802,709,1.77,731,1.975,733,1.975,787,2.52,804,1.143,902,1.093,934,1.524,937,1.882,986,2.485,1058,1.61,1059,2.485,1060,2.971,1088,1.398,1099,1.659,1122,1.448,1162,1.093,1202,1.431,1225,1.685,1312,1.485,1418,1.721,1433,1.872,1435,1.61,1893,3.275,1938,1.309,1940,0.916,1953,1.337,2416,0.616,2421,1.685,2422,1.685,2423,1.61,2424,1.61,2427,1.685,2428,1.504,2429,1.685,2430,3.133,2433,1.685,2435,1.685,2437,1.685,2438,1.685,2441,1.685,2442,1.685,2443,2.674,2444,1.685,2445,2.674,2446,1.544,2448,1.685,2449,1.685,2450,4.131,2451,1.685,2452,1.685,2453,1.685,2454,2.674,2455,1.685,2458,2.52,2460,1.587,2461,1.685,2462,2.52,2482,5.09,2603,1.994,2606,2.035,2607,1.994,2608,1.994,2612,1.282,2613,1.295,2629,1.802,2633,2.215,2682,1.524,2683,1.565,2684,1.524,2685,1.524,2686,1.524,2687,1.524,2688,1.524,2689,1.524,2690,1.524,2691,1.565,2692,1.524,2693,1.524,2694,1.712,2695,1.712,2696,1.712,2697,1.712,2698,1.712,2699,1.712,2700,1.61,2701,1.712,2702,1.712,2703,1.712,2705,2.914,2772,1.872,2773,1.872,2786,1.95,2787,3.206,2788,3.206,2789,2.914]],["t/3243",[0,1.295,1,0.551,4,2.755,7,1.109,13,2.506,14,0.909,20,0.67,21,0.945,23,1.968,31,2.754,43,2.16,48,1.209,51,3.617,66,0.836,69,2.409,74,2.343,78,2.058,81,3.27,92,1.377,99,2.426,114,0.537,150,1.3,153,0.711,162,0.911,165,1.092,172,1.345,173,1.543,176,3.717,179,3.648,185,1.197,186,2.601,199,2.632,228,2.23,239,1.08,243,0.696,250,1.3,260,1.08,266,1.527,287,2.774,305,0.855,307,1.506,308,1.411,316,1.703,328,1.825,345,1.512,347,1.197,368,1.173,369,1.233,370,2.377,377,1.743,383,1.485,398,0.862,410,1.345,447,0.987,455,1.919,474,1.33,506,1.09,511,1.878,707,1.197,708,1.734,709,1.703,731,1.915,733,1.915,787,2.443,804,1.099,902,1.052,934,1.466,937,1.825,945,1.221,986,2.409,1058,1.549,1059,2.409,1088,1.345,1099,1.596,1122,1.394,1162,1.052,1202,1.377,1225,1.621,1312,1.428,1418,1.669,1435,1.549,1893,3.192,1938,1.259,1940,0.881,1953,1.286,2416,0.593,2421,1.621,2422,1.621,2423,1.549,2424,1.549,2427,1.621,2428,1.447,2429,1.621,2430,3.054,2433,1.621,2435,1.621,2437,1.621,2438,1.621,2441,1.621,2442,1.621,2443,2.593,2444,1.621,2445,2.593,2446,1.485,2448,1.621,2449,1.621,2450,4.053,2451,1.621,2452,3.242,2453,1.621,2454,2.593,2455,1.621,2458,2.443,2460,1.527,2461,1.621,2462,2.443,2603,1.919,2606,1.973,2607,1.919,2608,1.919,2612,1.233,2613,1.246,2629,1.734,2633,2.131,2682,1.466,2683,1.506,2684,1.466,2685,1.466,2686,1.466,2687,1.466,2688,1.466,2689,1.466,2690,1.466,2691,1.506,2692,1.466,2693,1.466,2694,1.647,2695,1.647,2696,1.647,2697,1.647,2698,1.647,2699,1.647,2700,1.549,2701,1.647,2702,1.647,2703,1.647,2730,2.804,2772,1.801,2773,1.801,2786,1.877,2789,2.804,2790,3.084]],["t/3245",[0,1.131,1,0.563,4,2.663,14,0.94,20,0.856,21,0.977,27,2.545,38,2.761,39,3.084,42,1.928,51,1.857,66,0.859,69,2.474,74,1.375,81,1.791,99,1.744,114,1.25,153,0.735,162,0.589,165,1.121,172,2.21,173,1.127,176,2.29,185,1.966,199,1.892,228,2.29,243,0.72,244,1.853,250,1.345,260,1.117,287,1.823,305,0.884,308,2.318,322,2.474,328,1.179,347,2.447,363,2.137,371,3.401,377,1.127,398,0.891,424,3.615,447,1.014,455,1.984,474,1.375,506,1.127,694,3.401,708,1.793,709,1.761,731,1.237,733,1.237,792,3.019,804,1.137,902,1.088,937,2.657,945,1.262,1053,3.401,1086,5.602,1088,2.21,1160,3.153,1162,1.088,1225,1.676,1312,2.347,1340,4.195,1418,1.714,1630,1.761,1940,0.911,1953,2.997,2416,0.613,2423,2.545,2424,2.545,2428,2.378,2439,5.355,2479,4.303,2481,4.303,2482,4.076,2485,4.303,2487,4.303,2488,4.303,2489,4.303,2494,4.303,2495,6.101,2496,4.303,2497,4.303,2498,4.303,2499,4.303,2500,4.303,2502,4.303,2504,4.303,2508,4.303,2509,4.303,2510,4.303,2511,6.101,2512,4.303,2514,4.303,2606,1.275,2612,1.275,2613,1.288,2682,2.409,2684,3.415,2685,2.409,2686,2.409,2687,2.409,2688,1.516,2689,2.409,2690,2.409,2692,2.409,2693,2.409,2772,1.862,2773,1.862,2785,2.274,2786,1.94,2791,3.189,2792,2.899,2793,4.607,2794,4.607,2795,4.607,2796,2.899,2797,2.899,2798,4.607,2799,4.607,2800,4.607,2801,2.899,2802,2.899,2803,2.899,2804,2.899,2805,2.899,2806,4.607,2807,4.607,2808,2.899,2809,2.899,2810,2.899,2811,2.899,2812,2.899,2813,2.899,2814,2.899]],["t/3247",[0,1.346,1,0.56,4,3.17,14,1.848,20,0.851,21,1.922,66,1.409,69,4.061,74,2.256,153,1.446,162,1.158,165,1.84,173,1.667,228,3.758,229,2.05,243,1.416,250,2.645,287,2.992,308,2.869,326,3.804,328,2.319,377,2.216,398,1.753,447,1.254,455,3.902,474,2.704,708,3.526,709,3.464,731,2.433,733,2.433,804,2.236,902,2.139,1074,4.633,1162,2.139,1225,3.296,1301,6.144,1418,2.813,1940,1.792,1949,7.062,1950,5.325,2416,1.205,2606,2.508,2612,2.508,2613,2.534,2772,3.662,2773,3.662,2785,4.473,2786,3.816,2815,6.272]],["t/3249",[4,3.145,14,2.072,20,0.954,21,2.154,66,1.518,69,4.374,74,2.43,153,1.621,165,1.982,173,1.761,228,4.048,250,2.965,337,4.375,338,4.278,377,2.484,398,1.965,447,1.406,455,4.375,474,3.032,708,3.953,709,3.883,730,3.433,804,2.506,902,2.398,1162,2.398,1225,3.695,1418,3.029,1984,3.102,2416,1.351,2505,6.392,2772,4.105,2773,4.105,2785,5.015,2786,4.278,2816,7.032]],["t/3251",[4,3.145,14,2.072,20,0.954,21,2.154,66,1.518,69,4.374,74,2.43,153,1.621,165,1.556,173,1.761,228,4.048,250,2.965,274,5.655,377,2.484,447,1.406,455,4.375,474,3.863,476,3.216,488,4.189,708,3.953,709,3.883,730,3.433,746,4.189,804,2.506,902,2.398,1225,3.695,1418,3.029,1578,4.278,1984,3.102,2416,1.351,2772,4.105,2773,4.105,2785,5.015,2786,4.278,2817,7.032]],["t/3253",[4,3.024,14,2.268,20,1.044,69,4.629,74,2.572,153,1.774,173,1.375,228,4.284,250,3.245,376,5.915,447,1.539,474,3.318,476,3.521,708,4.327,709,4.251,792,4.585,804,2.744,902,2.625,1225,4.045,1418,2.603,1984,3.396,2416,1.479,2772,4.493,2773,4.493,2785,5.489,2786,4.683]],["t/3255",[4,3.128,14,2.048,20,0.943,21,2.13,28,3.179,66,1.507,69,4.342,74,2.413,153,1.602,157,3.543,165,1.968,173,1.752,228,4.018,229,2.272,250,2.931,309,3.712,377,2.456,398,1.942,447,1.39,455,4.325,474,2.997,708,3.908,709,3.839,804,2.478,902,2.371,1162,2.371,1225,3.653,1418,3.007,1940,1.987,2239,5.902,2416,1.336,2649,5.135,2772,4.058,2773,4.058,2785,4.958,2786,4.229,2818,6.952]],["t/3257",[0,1.01,1,0.546,4,2.741,14,0.897,20,0.83,21,0.933,27,2.454,38,2.689,39,2.973,42,1.859,48,1.915,51,1.79,66,1.036,69,2.385,74,1.325,81,1.726,99,2.815,114,1.218,150,2.06,153,0.702,162,0.562,165,1.081,172,2.131,173,1.646,176,2.208,185,2.973,187,2.104,199,2.613,228,2.208,243,0.688,244,1.805,250,1.284,260,1.066,287,1.095,305,0.845,322,2.385,328,1.126,363,2.06,371,3.279,377,1.076,398,0.851,424,3.484,447,0.977,455,1.895,474,1.313,506,1.076,694,3.279,708,1.712,709,1.682,731,1.182,733,1.182,792,2.91,804,1.086,902,1.039,907,2.172,937,3.304,945,1.934,1053,3.279,1086,3.279,1088,2.131,1160,3.04,1162,1.039,1225,1.6,1312,2.263,1340,4.087,1418,1.652,1940,0.87,1953,2.92,2416,0.585,2423,2.454,2424,2.454,2428,2.292,2439,4.148,2479,4.148,2481,4.148,2482,3.929,2485,4.148,2487,4.148,2488,4.148,2489,4.148,2494,4.148,2495,5.944,2496,4.148,2497,4.148,2498,4.148,2499,4.148,2500,4.148,2502,4.148,2504,4.148,2508,4.148,2509,4.148,2510,4.148,2511,5.944,2512,4.148,2514,4.148,2606,1.218,2612,1.218,2613,1.231,2682,2.322,2684,3.327,2685,2.322,2686,2.322,2687,2.322,2688,1.447,2689,2.322,2690,2.322,2692,2.322,2693,2.322,2725,4.441,2772,1.778,2773,1.778,2786,1.853,2792,2.769,2793,4.441,2794,4.441,2795,4.441,2796,2.769,2797,2.769,2798,4.441,2799,4.441,2800,4.441,2801,2.769,2802,2.769,2803,2.769,2804,2.769,2805,2.769,2806,4.441,2807,4.441,2808,2.769,2809,2.769,2810,2.769,2811,2.769,2812,2.769,2813,2.769,2814,2.769,2819,3.046,2820,3.046,2821,2.586]],["t/3259",[4,3.111,14,2.025,20,0.933,21,2.106,64,4.094,66,1.652,69,4.311,74,2.395,89,2.106,153,1.584,173,1.743,228,3.989,243,1.552,250,2.898,377,2.428,392,3.183,447,1.375,455,5.493,474,3.807,476,4.039,708,3.864,709,3.796,730,3.355,804,2.45,902,2.344,1225,3.612,1418,2.986,1984,3.032,2416,1.321,2772,4.012,2773,4.012,2786,4.182,2821,5.835,2822,6.873,2823,6.873,2824,6.873]],["t/3261",[4,3.012,14,2.254,20,1.038,69,4.611,74,2.562,153,1.763,165,1.692,173,1.366,228,4.267,250,3.225,398,2.137,447,1.53,708,4.3,709,4.224,804,2.726,902,2.609,1162,2.609,1202,3.415,1225,4.019,1418,2.586,1984,3.374,2416,1.47,2750,6.953,2772,4.465,2773,4.465,2786,4.654,2821,6.494]],["t/3263",[4,3.078,14,1.98,20,0.912,28,3.074,66,1.474,69,4.249,74,2.361,76,1.98,153,1.549,165,1.926,173,1.724,228,3.932,229,2.197,243,1.965,377,2.374,447,1.344,474,2.898,708,3.779,709,3.712,804,2.396,902,2.292,937,3.218,1162,2.292,1225,3.532,1418,2.943,1433,3.924,1940,1.921,2018,7.911,2239,5.707,2416,1.292,2464,7.389,2649,4.965,2744,6.11,2772,3.924,2773,3.924,2786,4.089,2825,6.722,2826,6.722,2827,6.722]],["t/3266",[0,1.09,32,3.638,66,1.588,73,2.96,77,7.537,95,3.85,114,1.63,119,3.638,229,2.47,241,3.59,447,1.511,451,4.41,476,3.455,707,2.931,791,6.684,907,5.387,1088,3.294,1217,7.155,1373,6.867,1454,4.326,2279,8.651,2416,1.452,2828,7.554]],["t/3268",[46,3.952,71,4.212,114,1.521,229,2.859,447,1.749,476,4,482,4.102,508,5.441,1120,7.034,1454,5.008,2416,1.681]],["t/3270",[66,1.471,229,2.839,447,1.737,508,5.402,1193,3.04,1217,5.672,1241,5.827,1454,4.973,2362,7.893,2416,1.669,2519,7.893,2829,8.684]],["t/3272",[114,1.532,156,3.057,229,2.88,244,2.271,447,1.762,476,4.029,482,4.132,508,5.48,1454,5.044,2416,1.693]],["t/3274",[2,1.429,7,2.84,8,3.123,74,2.613,79,2.458,89,2.419,156,2.74,186,4.061,229,2.581,240,3.366,243,1.783,268,2.096,272,5.03,447,1.579,482,3.704,902,2.693,1065,4.024,1170,3.855,1193,2.765,1624,6.704,2416,1.517,2559,7.178,2830,7.897]],["t/3276",[42,3.257,74,2.743,186,4.263,229,2.799,241,4.069,244,2.208,272,5.454,357,3.389,447,1.712,2267,7.269,2275,7.269,2416,1.645]],["t/3278",[114,1.555,229,2.922,447,1.788,476,4.088,707,3.468,986,4.364,2416,1.718,2831,8.938]],["t/3280",[229,2.88,447,1.762,476,4.029,1088,3.841,1095,6.769,1454,5.044,2416,1.693,2419,7.479,2832,8.809,2833,8.809]],["t/3283",[14,2.488,25,1.843,38,3.244,139,4.012,174,4.663,229,2.76,239,2.956,244,2.177,261,2.93,447,1.689,509,3.447,541,3.484,707,3.276,1170,4.122,1938,3.447,2416,1.622]],["t/3285",[38,3.289,114,1.489,229,2.799,392,3.965,447,1.712,509,3.495,541,3.532,707,3.322,791,6.106,902,2.92,1170,4.18,1358,4.571,1938,3.495,2416,1.645]],["t/3287",[38,3.289,114,1.489,229,2.799,392,3.965,447,1.712,509,3.495,541,3.532,707,3.322,902,2.92,1170,4.18,1358,4.571,1938,3.495,2350,7.782,2416,1.645]],["t/3289",[38,3.289,114,1.489,229,2.799,392,3.965,447,1.712,509,3.495,541,3.532,707,3.322,902,2.92,1170,4.18,1358,4.571,1938,3.495,2348,7.782,2416,1.645]],["t/3291",[38,3.289,114,1.489,229,2.799,392,3.965,447,1.712,509,3.495,541,3.532,707,3.322,902,2.92,1170,4.18,1358,4.571,1938,3.495,2346,7.782,2416,1.645]],["t/3293",[38,3.244,114,1.469,165,1.868,229,2.76,392,3.91,447,1.689,509,3.447,541,3.484,707,3.276,730,4.122,902,2.88,1170,4.122,1358,4.508,1938,3.447,2416,1.622,2834,8.443]],["t/3295",[114,1.469,156,2.93,165,1.868,229,2.76,240,3.599,261,2.93,308,3.862,447,1.689,509,3.447,541,3.484,902,2.88,1097,6.021,2353,7.675,2357,7.675,2416,1.622,2835,8.443]],["t/3297",[38,3.266,114,1.479,229,2.779,392,3.938,447,1.7,509,3.471,541,3.508,707,3.299,902,2.9,1170,4.151,1358,4.54,1730,7.728,1731,6.063,1938,3.471,2416,1.634]],["t/3299",[114,1.511,165,1.921,229,2.839,261,3.014,447,1.737,509,3.545,945,3.437,971,6.193,1165,6.983,2366,7.893,2416,1.669,2836,8.684]],["t/3301",[38,3.73,66,1.355,79,2.49,83,4.418,114,1.392,162,1.477,229,2.615,395,4.765,447,1.6,541,3.301,639,5.527,1731,7.454,1751,7.272,1884,7.272,1938,3.266,1964,6.434,1984,4.283,2268,6.434,2416,1.537,2837,8]],["t/3303",[38,3.244,114,1.469,165,1.868,229,2.76,392,3.91,447,1.689,509,3.447,541,3.484,707,3.276,730,4.122,902,2.88,1170,4.122,1358,4.508,1938,3.447,2416,1.622,2838,8.443]],["t/3305",[38,3.266,114,1.479,229,2.779,392,3.938,447,1.7,509,3.471,541,3.508,707,3.299,902,2.9,1170,4.151,1358,4.54,1802,5.553,1938,3.471,2416,1.634,2839,8.502]],["t/3307",[38,3.244,66,1.43,114,1.469,229,2.76,300,4.012,392,3.91,447,1.689,509,3.447,541,3.484,707,3.276,902,2.88,1170,4.122,1358,4.508,1938,3.447,1986,7.168,2416,1.622]],["t/3310",[5,4.557,8,2.628,66,1.658,114,1.41,137,3.904,229,2.65,342,4.131,359,5.6,419,5.063,447,1.621,488,4.829,509,3.309,1056,3.803,1096,5.6,1111,5.295,1358,4.328,1830,7.369,2012,6.882,2416,1.558,2647,6.882]],["t/3312",[76,2.614,88,3.376,156,3.079,229,2.901,241,4.217,447,1.775,508,5.52,2311,7.136,2416,1.705]],["t/3315",[46,4.568,173,1.529,229,2.799,249,3.571,250,3.61,447,1.712,977,6.579,1086,5.745,1454,4.903,1782,7.782,1984,3.777,2275,7.269,2416,1.645]],["t/3317",[26,3.831,27,4.27,46,4.549,194,3.471,229,2.779,238,3.204,403,4.467,447,1.7,1214,7.218,1240,7.218,1854,7.218,1899,7.728,2416,1.634]],["t/3320",[8,2.877,76,2.614,88,3.376,229,2.901,363,3.741,447,1.775,764,6.13,2416,1.705,2840,8.873]],["t/3323",[76,2.595,88,3.351,156,3.057,229,2.88,241,4.186,447,1.762,508,5.48,541,3.635,1126,3.714,2416,1.693]],["t/3325",[66,1.42,153,1.933,229,2.741,244,2.162,345,2.569,398,2.343,447,1.677,894,4.995,1696,6.194,2267,7.119,2416,1.611,2841,9.077,2842,8.385,2843,8.385,2844,8.385,2845,8.385]],["t/3327",[8,2.7,38,3.199,71,4.011,76,2.454,88,3.168,229,2.722,239,2.916,244,2.147,361,4.862,403,4.376,447,1.665,677,5.939,1344,5.181,1953,3.473,2416,1.6,2841,9.04,2846,8.328]],["t/3329",[8,2.737,125,4.012,156,3.48,157,4.303,229,2.76,261,2.93,447,1.689,511,3.212,541,4.137,682,4.829,1193,2.956,2416,1.622,2847,8.443]]],"invertedIndex":[["",{"_index":0,"t":{"2484":{"position":[[0,1],[2,6],[9,4],[18,2],[21,5],[27,5],[33,2],[36,2],[39,2],[42,6],[49,4],[54,2],[57,6],[64,2],[67,4],[72,3],[80,3],[84,4],[89,3],[93,6],[100,2],[103,3],[118,3],[122,4],[127,4],[132,5],[138,3],[142,3],[146,1],[148,6],[155,2],[158,3],[168,6],[175,4],[180,3],[184,6],[191,2],[194,3],[198,3],[202,2],[205,2],[208,2],[221,3],[225,4],[230,4],[235,6],[242,3],[246,4],[251,2],[263,4],[268,3],[272,1],[279,6],[286,4],[291,2],[294,2],[297,3],[301,2],[304,3],[308,3],[312,2],[315,2],[318,4],[323,6]]},"2486":{"position":[[0,2],[3,6],[10,4],[22,7],[30,2],[33,2],[36,2],[43,3],[47,2],[50,5],[56,2],[59,6],[66,1],[68,4],[73,1],[75,4],[80,3],[84,3],[88,2],[91,3],[95,6],[106,4],[111,2],[114,4],[128,4],[133,5],[139,4],[144,3],[148,1],[150,5]]},"2488":{"position":[[0,2],[3,2],[6,5],[12,3],[16,2],[19,3],[23,3],[27,1],[29,4],[45,3],[49,4],[54,2],[57,3],[61,3],[65,3],[69,3],[76,4],[86,3],[90,1],[92,5],[105,5],[111,3],[115,2],[118,6],[125,1],[127,1],[129,3],[133,2],[136,3],[156,4],[161,2],[164,3],[168,3],[172,4],[177,6],[184,2],[187,9],[197,2],[200,3],[204,4],[209,4],[221,7],[229,3]]},"2490":{"position":[[0,4],[5,2],[8,4],[13,1],[15,3],[19,2],[22,6],[29,2],[32,2],[35,2],[38,3],[42,4],[63,4],[68,4],[73,2],[76,1],[78,4],[83,3],[87,2],[90,2],[93,1],[95,3],[99,2],[102,3],[106,6]]},"2492":{"position":[[0,4],[5,3],[19,5],[25,2],[28,3],[32,3],[36,3],[40,5],[46,4],[51,5],[57,3],[61,4],[66,5],[72,1],[74,6],[81,2],[84,3],[88,6],[95,1],[97,2],[100,4],[105,5],[111,2],[114,3],[118,2],[121,4],[126,3],[130,4],[135,2],[138,3],[142,3],[146,4],[151,4],[156,3],[160,2],[163,3],[167,6],[174,5],[180,2],[183,4],[188,4],[193,3],[197,2],[200,4],[205,3],[209,5],[215,4],[220,3],[224,5],[230,1],[232,5],[266,6],[273,3],[277,2],[280,3],[284,5],[290,5],[296,5],[302,5],[308,2],[311,2],[314,3],[318,3],[322,5],[328,4],[333,4],[338,2],[341,4],[346,4],[376,4],[381,4],[386,4],[403,7],[411,6],[418,2],[421,2],[428,4],[433,4],[438,2],[441,6],[448,5],[472,5],[478,5],[484,2],[487,3],[491,4],[496,3],[500,2],[503,5],[509,3],[513,6],[520,3],[524,4],[529,4],[534,3],[538,2],[541,2],[544,2],[547,3],[551,2],[554,4],[559,4],[564,2],[567,4],[572,3],[576,5],[582,6],[589,1],[591,5],[597,2],[612,2],[615,3],[665,4],[670,5],[676,6],[683,3],[687,3],[691,2],[694,6],[701,2],[704,2],[707,4],[712,3],[716,1],[718,2],[721,3],[740,4],[745,4],[754,2],[757,2],[760,5],[766,4],[771,3],[775,3],[779,2],[782,2],[789,4],[794,3],[798,1],[800,5],[806,5],[812,2],[840,6]]},"2494":{"position":[[4,6],[11,4],[16,3],[20,3],[24,2],[27,2],[30,2],[33,2],[36,3],[40,4],[45,5],[82,7],[90,4],[95,4],[100,2],[103,5],[151,3],[180,5],[186,4],[195,2],[198,3],[202,6],[209,3],[213,3],[228,3],[232,4],[237,6],[287,4],[292,2],[295,5],[301,5],[315,1],[328,2],[331,3],[335,4],[344,4],[349,3],[353,5],[359,3],[363,3],[377,3],[381,4],[386,6],[405,4],[418,3],[422,6],[429,3],[433,5],[450,6],[457,2],[479,2],[482,3],[486,4],[491,2],[494,4],[499,4],[544,5],[550,6],[568,4],[580,3],[584,6],[591,3],[595,6],[602,4],[607,3],[652,2],[655,4],[660,2],[671,4],[676,6],[691,3],[699,3],[703,6],[710,2],[719,4],[724,4],[729,3],[753,4],[758,6],[775,5],[781,3],[785,6],[792,3],[796,3],[810,3],[814,4],[819,6],[848,4],[853,4],[858,4],[863,3],[867,4],[876,7],[884,3],[888,3],[910,3],[914,4],[919,6],[946,5],[952,4],[957,3],[961,1],[963,6],[975,6],[982,3],[986,3],[1010,3],[1014,4],[1019,6],[1046,4],[1051,6],[1058,3],[1062,3],[1082,3],[1086,4],[1091,6],[1118,1],[1120,4],[1125,5],[1131,6],[1147,2],[1150,2],[1153,2],[1156,1],[1158,4],[1163,2],[1166,4],[1171,6]]},"2499":{"position":[[94,1],[124,1],[169,1]]},"2503":{"position":[[925,2],[1067,2],[1303,3],[1951,1],[2043,1],[2139,1],[2247,1],[2473,1],[2601,1]]},"2505":{"position":[[1206,1],[1287,1],[1383,1],[1488,1],[1664,1],[1840,1],[1976,1],[2003,1]]},"2507":{"position":[[1482,1],[1551,1],[1756,1],[1765,1]]},"2509":{"position":[[652,1],[732,1],[772,1],[795,2],[832,1],[892,1],[936,1],[1047,2],[1082,1]]},"2531":{"position":[[358,1],[385,1]]},"2535":{"position":[[1006,1],[1024,1],[1438,1],[1456,1],[2153,1],[2155,1],[2175,1],[2177,1],[2179,2],[3308,1],[3462,1],[3469,1],[3500,1],[3534,1],[3707,1],[3724,1],[3742,1],[3754,1],[3801,1],[3837,1],[3876,1],[4214,2],[4595,1],[4602,1],[4633,1],[4667,1],[4701,1]]},"2537":{"position":[[0,1],[2,4],[12,4],[17,3],[21,1],[23,2],[26,3],[30,3],[38,3],[42,2],[45,3],[53,4],[58,1],[60,3],[64,3],[68,4],[73,2],[76,3],[80,4],[85,5]]},"2540":{"position":[[5,1],[7,2],[10,2],[13,3],[17,4],[22,2],[25,2],[28,3],[38,3],[42,4],[47,6],[54,1],[59,4],[68,2],[71,4],[76,4],[81,4],[86,5],[92,3],[96,2],[102,3],[106,2],[109,2],[112,2],[115,2],[121,3],[125,3],[129,2],[132,3],[136,3],[144,3],[158,2],[161,4],[166,6]]},"2542":{"position":[[4,5],[10,1],[12,2],[15,4],[20,3],[24,4],[34,2],[37,6],[44,6],[51,2],[54,1],[60,3],[64,3],[68,4],[78,3],[82,3],[86,4],[91,6],[98,5],[104,1],[106,2],[109,4],[114,4],[119,6],[126,2],[129,2],[132,3],[140,3],[144,4],[149,2],[152,4],[157,6]]},"2544":{"position":[[0,5],[11,3],[15,4],[20,3],[24,2],[27,2],[30,3],[34,6],[41,1],[43,3],[47,5],[53,3],[57,3],[61,3],[65,1],[67,5],[73,4],[78,4],[83,3],[87,1],[89,2],[92,1],[94,2],[97,2],[100,3],[104,6],[111,4],[116,4],[121,2],[132,3],[136,2],[139,3],[143,3],[147,1],[149,5],[155,3],[159,3],[173,3],[177,4],[182,6]]},"2546":{"position":[[5,4],[10,4],[15,3],[19,3],[23,1],[25,2],[28,4],[38,4],[43,3],[51,4],[56,5],[62,3],[66,3],[70,3],[74,1],[76,5],[82,3],[86,1],[88,3],[92,3],[102,4],[107,2],[110,5],[125,6],[136,2],[139,5],[145,4],[150,2],[153,3],[181,1],[192,3],[242,1],[264,3],[268,2],[271,2],[274,2],[285,4],[290,2],[293,3],[297,6],[382,2],[385,1],[387,3],[391,4],[396,4],[401,3],[405,2],[408,5],[419,4],[424,2],[427,2],[430,1],[432,3],[439,3],[443,4],[452,4],[457,4],[471,2],[474,3],[478,6],[485,5],[491,2],[494,4],[499,4],[507,2],[510,5],[516,3],[520,3],[524,1],[526,4],[545,3],[549,4],[554,3],[558,2],[561,4],[566,2],[569,3],[573,3],[577,1],[579,3],[583,4],[588,4],[761,3],[765,2],[768,2],[771,5],[777,2],[780,3],[784,3],[788,6],[795,2],[798,2],[814,3],[818,4]]},"2548":{"position":[[5,2],[8,2],[11,4],[16,4],[33,4],[38,5],[44,6],[51,5],[74,1],[76,2],[97,3],[101,1],[103,3],[107,2],[110,5],[128,4],[133,5],[148,4],[166,4],[171,2],[174,2],[177,4],[188,4],[193,8],[209,4],[214,4],[219,2],[222,3],[226,1],[228,5],[234,4],[239,2],[250,6],[261,3],[273,6],[280,3],[291,2],[294,4],[299,1],[301,3],[305,4],[318,3],[322,1],[324,5],[388,1],[402,3],[406,4],[416,6],[452,1],[471,5],[477,3],[481,1],[483,3],[487,6],[494,1],[936,5],[942,2],[945,3],[949,6],[956,1]]},"2550":{"position":[[14,3],[18,2],[21,4],[26,2],[34,6],[55,3],[59,4],[64,5],[79,4],[89,3],[99,2],[102,5],[108,2],[111,3],[115,4],[129,6],[296,1],[351,2],[354,2],[357,3],[367,4],[372,3],[376,1],[378,2],[381,5],[396,4],[401,3],[405,1],[407,5],[434,1],[496,1],[553,1]]},"2552":{"position":[[60,5],[66,2],[82,6],[89,1],[91,3],[95,2],[98,2],[101,7],[109,2],[112,2],[115,5],[141,2],[144,3],[148,4],[153,1],[155,3],[159,2],[162,5],[189,3],[193,3],[197,5],[215,3],[219,5],[225,6],[232,1],[234,3],[238,4],[243,2],[246,3],[250,3],[254,4],[259,3],[263,2],[272,1],[282,3],[286,1],[288,3],[292,6],[314,2],[317,4],[322,3],[326,4],[331,5]]},"2554":{"position":[[9,2],[12,1],[21,4],[26,4],[31,3],[35,4],[40,4],[45,6],[52,3],[56,3],[60,2],[63,3],[67,4],[72,4],[77,3],[81,6],[88,6],[141,4],[146,4],[151,3],[155,4],[160,6],[167,3],[274,5],[280,2],[283,4],[288,2],[291,2],[294,2],[297,6],[325,1],[337,4],[342,4],[347,4],[352,4],[357,6],[430,3],[434,2],[437,3],[441,3],[445,2],[448,3],[452,2],[455,4],[460,3],[471,4],[496,4],[501,4],[506,6],[513,3],[517,5],[523,6],[530,3],[534,5],[540,2],[543,4],[574,4],[579,3],[583,4],[588,5],[594,4],[599,3],[603,4],[608,4],[933,1],[941,1],[1085,4],[1090,4],[1095,4],[1100,4],[1105,4],[1110,4],[1115,1],[1121,2],[1124,3],[1128,2],[1131,2],[1134,5],[1140,3],[1144,3],[1148,3],[1152,2],[1155,3],[1185,5],[1191,4],[1196,3],[1200,4],[1205,3],[1209,2],[1212,6]]},"2556":{"position":[[0,3],[4,1],[6,3],[10,2],[13,6],[34,4],[39,5],[45,3],[58,4],[63,3],[67,2],[75,4],[80,5],[86,5],[92,2],[95,4],[100,4],[105,4],[128,3],[132,4],[137,5],[143,6],[150,3],[163,5],[169,2],[172,4],[177,3],[181,5],[187,3],[196,4],[201,1],[203,3],[207,5],[213,5],[219,4],[224,4],[229,3],[233,4],[238,1],[240,4],[245,4],[250,3],[254,1],[256,5],[262,6],[269,3],[273,4],[278,2],[281,4],[286,3],[290,2],[293,4],[298,2],[301,2],[304,4],[309,3],[313,7],[321,5],[327,5],[333,2],[336,6],[343,3],[347,3],[351,3],[355,4],[360,2],[363,3],[367,3],[371,1],[373,5]]},"2558":{"position":[[0,3],[4,1],[6,3],[10,2],[13,6],[20,4],[25,3],[29,4],[34,4],[39,6],[46,6],[53,4],[58,2],[61,3],[65,4],[70,2],[73,3],[77,2],[80,4],[89,3],[93,3],[97,1],[99,5],[105,4],[110,6],[117,2],[120,3],[124,3],[157,1],[159,6]]},"2560":{"position":[[0,2],[3,4],[8,2],[11,1],[13,3],[17,4],[22,7],[30,6],[37,2],[44,5],[50,4],[55,5],[61,3],[65,3],[69,3],[73,5],[79,2],[82,6],[89,5],[101,4],[106,4],[111,5],[117,3],[121,3],[129,4],[134,7],[142,2],[145,4],[150,4],[155,5],[161,4],[177,1],[184,3],[188,3],[192,3],[202,5],[208,4],[213,4],[218,5],[224,5],[230,4],[235,5],[241,2],[244,3],[248,2],[255,4],[260,5],[273,3],[283,3],[287,2],[296,4],[301,2],[304,5],[310,4],[315,4],[320,7],[345,1],[347,5],[360,4],[365,4],[370,2],[384,6],[391,4],[396,2],[399,1],[401,3],[414,2],[422,4],[427,2],[430,3],[434,3],[438,5],[444,3],[448,2],[451,5],[465,3],[472,5],[478,5],[484,2],[487,4],[492,5],[498,11],[510,4],[515,2],[518,2],[521,4],[526,4],[531,2],[534,3],[538,3],[542,2],[545,2],[548,2],[551,4],[560,5],[566,2],[569,4],[574,5],[580,3],[584,3],[595,6]]},"2562":{"position":[[60,1],[62,4],[77,3],[81,7],[89,1],[91,3],[95,5],[101,3],[114,4],[119,3],[123,4],[137,4],[142,5],[303,7],[338,3],[342,2],[345,2],[348,4],[353,4],[425,6],[432,1],[434,3],[438,3],[442,2],[468,4],[473,2],[476,4],[481,5],[491,5],[497,3],[501,2],[504,3],[537,3],[541,2],[544,4],[549,1],[551,1],[553,5],[591,6],[642,5],[697,5],[703,3],[707,2],[710,3],[714,5],[720,3],[724,3],[728,3],[743,3],[747,4],[752,4],[757,5],[786,4],[791,4],[796,5],[802,1],[804,4],[809,2],[812,3],[880,4],[893,3],[897,6]]},"2564":{"position":[[0,4],[10,4],[15,3],[19,4],[24,6],[31,1],[33,3],[37,2],[52,1],[67,6],[74,6],[93,4],[98,2],[101,1],[103,3],[107,2],[110,3],[114,3],[118,1],[120,5],[126,2],[129,4],[134,2],[137,2],[140,3],[165,3],[181,3],[185,4],[190,5],[259,2],[262,6],[274,6],[324,2],[327,7],[335,4],[346,6],[416,3],[420,4],[425,3],[433,2],[436,2],[439,3],[443,2],[446,4],[451,4],[456,7],[497,4],[502,2],[505,5],[511,6],[526,2],[541,1],[543,3],[547,6],[554,4],[559,1],[561,4],[566,4],[571,3],[575,2],[578,2],[581,3],[585,6],[632,5],[638,6],[645,2],[648,4],[653,3],[657,3],[661,2],[664,4],[669,4],[674,3],[678,6],[685,4],[690,3],[694,4],[699,2],[702,2],[705,5]]},"2566":{"position":[[38,4],[43,2],[46,3],[50,6],[95,4],[100,2],[103,3],[107,6],[143,2]]},"2568":{"position":[[4,5],[23,1],[38,4],[43,3],[47,1],[49,4],[54,1],[56,3],[69,4],[74,4],[79,6],[86,1],[88,1],[90,3],[94,3],[98,4],[103,3],[107,4],[112,4],[174,3],[178,5],[184,2],[187,3],[191,2],[194,3],[198,1],[200,5],[206,2],[209,2],[212,3],[216,6],[223,3],[241,1],[250,4],[255,3],[259,4],[264,4],[269,2],[291,4],[296,4],[301,2],[304,6],[311,4],[316,2],[319,4],[324,2],[327,3],[331,5],[337,2],[345,4],[350,5],[356,5],[362,4],[367,6],[374,3],[378,2],[381,2],[384,4],[389,5],[395,2],[398,4],[403,5],[409,2],[412,3],[416,5],[422,2],[425,2],[428,3],[432,3],[436,3],[440,3],[444,4],[449,1],[451,5],[457,3],[461,2],[464,2],[467,4],[472,5],[478,4],[483,3],[487,3],[491,1],[493,2],[496,2],[499,2],[502,3],[506,2],[509,3],[513,3],[517,4],[522,7],[530,3],[534,3],[538,5],[544,4],[549,4],[554,1],[556,5],[562,3],[566,3],[588,6],[595,2],[598,2],[601,1],[603,2],[606,4],[611,3],[615,5],[621,2],[624,4],[629,5],[644,4],[649,4],[660,1],[662,2],[665,4],[670,4],[675,3],[679,2],[682,3],[686,3],[690,5],[696,2],[699,3],[703,6]]},"2570":{"position":[[0,2],[3,5],[9,2],[12,5],[18,3],[34,2],[45,5],[51,4],[56,4],[61,4],[66,3],[70,1],[72,6],[87,4],[110,3],[114,6],[130,4],[135,3],[156,3],[160,4],[186,7],[220,4],[225,3],[229,3],[233,1],[235,5],[241,2],[244,5],[250,2],[253,2],[256,1],[258,3],[262,4],[267,6],[274,6],[310,1]]},"2573":{"position":[[0,2],[3,2],[12,5],[18,2],[21,3],[25,4],[30,3],[34,3],[38,4],[43,4],[48,3],[52,2],[55,3],[59,3],[63,3],[77,4],[82,5],[88,1],[90,3],[94,3],[98,3],[102,4],[107,3],[111,2],[114,3],[118,3],[135,6],[148,5],[154,4],[176,3],[180,4],[185,5],[212,4],[222,5],[228,2],[231,4],[254,4],[259,4],[269,2],[272,3],[286,5],[292,3],[296,1],[298,5],[336,4],[410,2],[413,3],[417,1],[419,5]]},"2575":{"position":[[11,2],[14,2],[17,5],[57,4],[62,5],[68,5],[74,5],[80,2],[83,3],[87,6],[320,3],[324,2],[327,2],[330,3],[334,3],[338,1],[340,2],[343,5],[349,3],[353,3],[357,4],[362,3],[366,6],[373,2],[376,2],[379,4],[384,2],[387,2],[396,4],[401,3],[405,2],[408,2],[411,3],[415,3],[419,6],[426,4],[431,4],[436,3],[456,6],[463,3],[467,5],[473,4]]},"2577":{"position":[[29,2],[32,2],[35,5],[58,5],[64,5],[70,5],[76,2],[79,3],[83,6],[206,3],[210,2],[213,2],[216,3],[220,3],[224,1],[226,2],[229,5],[235,3],[239,3],[243,4],[248,3],[252,5],[258,2],[261,2],[264,4],[269,2],[272,2],[281,4],[286,3],[290,2],[293,2],[296,3],[300,3],[304,6],[311,4]]},"2579":{"position":[[0,6],[11,3],[15,5],[21,3],[34,4],[39,2],[42,3],[46,3],[50,1],[52,5],[58,2],[61,3],[65,6],[72,2],[75,6],[85,3],[98,4],[103,4],[108,4],[113,5],[132,4],[137,4],[142,2],[154,6],[227,4],[232,4],[237,1],[239,5],[257,3],[419,3],[431,7],[445,3],[449,3],[453,2],[456,3],[460,7]]},"2581":{"position":[[14,4],[19,4],[24,2],[27,3],[31,5],[53,4],[58,4],[67,5],[73,2],[76,3],[80,1],[82,3],[86,3],[90,8],[104,4],[109,6],[116,2],[119,2],[122,2],[125,2],[128,4],[133,2],[136,2],[139,1],[141,2],[144,2],[151,5],[157,2],[160,2],[163,3],[167,1],[169,5],[179,2],[182,1],[184,2],[187,3],[191,2],[194,3],[198,3],[202,2],[205,4],[210,6],[225,5],[243,4],[248,4],[257,3],[261,5],[267,3],[271,2],[274,5],[291,4],[296,6],[319,1],[334,1],[356,1],[382,1],[397,1],[428,1],[437,2],[440,3],[444,3],[452,3],[456,4],[461,3],[472,3],[476,4],[481,5],[487,2],[490,4],[495,3],[499,1],[501,3],[505,4],[510,4],[515,3],[520,1],[522,2],[525,6],[537,4],[542,3],[546,3],[569,6],[576,4],[581,3],[585,1],[587,5]]},"2583":{"position":[[28,2],[31,2],[34,5],[49,4],[54,6],[75,4],[80,2],[83,3],[95,3],[99,4],[104,3],[108,4],[113,4],[118,2],[121,2],[124,2],[127,2],[130,2],[133,6],[140,3],[144,4],[149,2],[152,2],[155,4],[160,5],[166,2],[169,5],[175,2],[182,5],[201,4],[206,6],[213,2],[216,3],[255,4],[260,3],[264,1],[266,5],[272,3],[284,2],[287,3],[291,4],[296,3],[300,1],[302,5],[468,2],[471,5],[477,4],[482,2],[485,3],[489,5],[495,3],[499,2],[502,2],[505,3],[509,4],[514,4]]},"2585":{"position":[[9,5],[19,2],[22,1],[24,5],[30,3],[34,1],[46,4],[51,6],[58,1],[60,3],[68,2],[71,5],[77,3],[81,1],[83,5],[113,3],[117,2],[132,4],[137,2],[140,4],[145,5],[151,3],[155,5],[161,3],[165,2],[168,3],[172,2],[175,4],[180,1],[182,4],[187,5],[193,4],[198,4],[203,2],[214,2],[217,3],[221,3],[254,6],[266,2],[277,3],[281,3],[304,6],[311,3],[315,1],[317,5]]},"2588":{"position":[[0,3],[4,3],[8,4],[13,8],[22,3],[26,2],[29,4],[34,2],[37,1],[39,3],[43,3],[47,5],[150,3],[154,3],[158,4],[163,2],[166,3],[175,6],[182,1],[184,1],[186,2],[189,4],[200,6],[207,1],[209,3],[213,4],[218,2],[226,3],[230,4],[249,5],[255,6],[262,2],[265,2],[273,2],[276,4],[281,4],[286,2],[289,5],[295,3],[299,1],[301,5],[307,2],[310,3],[314,3],[318,5],[324,2],[327,4],[332,4],[337,4],[342,6],[349,2],[352,3],[356,4],[361,2],[364,1],[366,3],[370,4],[375,4],[380,2],[383,2],[386,3],[390,3],[394,1],[396,5],[402,2],[405,3],[409,5],[415,2],[418,4],[423,3],[436,4],[441,4],[446,1],[448,3],[456,2],[459,5],[465,2],[468,3],[472,2],[480,4],[485,3],[489,6],[496,3],[500,3],[513,2],[516,4],[521,8],[540,3],[544,1],[546,2],[549,2],[552,3],[565,3],[569,6],[576,2],[579,2],[582,4],[608,6],[615,3],[626,3],[630,4],[635,6],[642,3],[646,2],[649,1],[651,2],[654,4],[659,3],[663,4],[668,3],[672,6],[679,2],[682,3],[695,2],[698,3],[702,3],[725,4],[730,6],[737,5],[743,5]]},"2590":{"position":[[0,3],[4,2],[11,3],[15,6],[43,3],[47,6],[86,1],[88,3],[92,5],[106,3],[110,4],[115,2],[118,2],[121,3],[125,3],[129,1],[131,5],[137,2],[140,2],[143,2],[146,6],[161,3],[228,6],[235,3],[239,5],[245,5],[256,1],[258,4],[263,2],[266,2],[269,3],[273,6],[460,1],[516,1]]},"2592":{"position":[[5,2],[8,3],[12,3],[16,4],[21,2],[24,3],[28,1],[30,5],[36,2],[39,4],[44,2],[47,3],[51,4],[56,4]]},"2594":{"position":[[0,4],[5,3],[9,2],[12,3],[16,3],[20,3],[24,1],[26,5],[32,3],[36,2],[39,4],[44,3],[48,3],[52,2],[55,2],[58,3],[62,4],[82,4],[87,6],[94,4],[99,3],[103,2],[106,3],[110,2],[113,2],[116,3],[120,1],[122,5],[128,4],[133,2],[136,3],[140,6],[147,2],[150,4],[155,3],[159,2],[162,6],[169,4],[180,1],[203,5],[209,6],[324,4],[365,3],[369,3],[373,3],[377,2],[380,3],[384,2],[387,2],[390,3],[394,3],[415,6],[428,3],[432,2],[435,4],[440,5],[454,4],[479,3],[483,6],[490,2],[493,2],[503,4],[508,2],[511,4],[516,1],[518,3],[522,5],[528,4],[533,4],[538,2],[541,3],[545,2],[548,3],[552,4],[586,2],[589,4],[594,6],[607,3],[611,4],[616,3],[620,3],[632,2],[643,2],[646,3],[650,3],[654,4],[659,2],[662,2],[665,5],[693,1],[695,2],[698,3],[702,1],[704,4],[718,3],[722,3],[726,4],[731,3],[735,3],[739,4],[744,5],[750,2],[753,6],[767,3],[771,4],[776,2],[779,3],[783,3],[800,3],[804,3],[808,2],[817,2],[820,3],[824,6]]},"2600":{"position":[[150,2],[363,1],[404,1],[541,2],[606,1],[1259,1],[1300,1],[1529,2],[1594,1]]},"2602":{"position":[[299,1],[340,1],[755,2],[1118,1],[1159,1]]},"2604":{"position":[[188,1],[359,1],[470,1],[671,1],[1565,3]]},"2623":{"position":[[27,3],[42,3],[46,5],[52,5],[58,2],[61,4],[66,4],[71,1],[73,6],[88,2],[97,2],[100,4],[116,3],[120,3],[124,3],[128,2],[131,3],[146,3],[150,4],[155,4],[160,1],[162,3],[177,2],[180,3],[184,5],[203,3],[207,4],[212,4],[217,3],[221,1],[223,5],[229,3],[233,3],[237,2],[240,3],[244,6],[262,2],[265,3],[269,6],[379,2],[382,3],[397,3],[401,3],[405,6]]},"2625":{"position":[[29,4],[34,3],[38,3],[42,3],[62,6],[69,2],[72,2],[82,3],[86,2],[93,3],[100,2],[103,4],[108,5],[114,2],[130,5],[136,3],[140,1],[142,5]]},"2627":{"position":[[6,2],[9,2],[12,7],[20,4],[25,6],[32,3],[36,1],[38,2],[41,3],[50,2],[53,5],[59,4],[64,7],[72,1],[74,3],[78,5],[84,5],[90,4],[95,6],[102,2],[105,3],[109,6],[116,3],[120,2],[123,2],[126,3],[130,2],[133,3],[137,7],[145,3],[149,1],[151,5],[157,2],[160,3],[164,2],[172,3],[176,2],[179,2],[182,3],[186,2],[189,3],[199,2],[214,2],[217,7],[229,7],[237,3],[241,1],[243,5],[255,4],[260,4],[265,3],[269,2],[272,5],[278,4],[283,2],[286,3],[290,4],[302,7],[310,3],[314,1],[316,5],[322,3],[338,4],[343,4],[348,4],[353,5],[359,4],[364,7],[372,4],[377,1],[379,2],[382,2],[385,5],[391,3],[395,1],[397,2],[400,3],[404,4],[415,4],[420,3],[429,4],[437,7],[445,3],[449,1],[451,5],[462,3],[466,2],[469,6],[476,3],[480,6],[487,4],[507,2],[510,3],[514,2],[517,7],[525,3],[529,1],[531,5],[545,2],[548,9],[558,2],[561,6],[568,3],[572,2],[575,4],[580,4],[590,6],[597,3],[601,2],[604,2],[607,6],[614,4],[624,2],[627,4],[632,4],[643,4],[648,3],[652,2],[655,3],[659,3],[663,4],[668,4],[678,4],[683,6],[695,1],[702,5],[708,6],[715,2],[723,5],[729,5],[735,6],[742,2],[745,1],[747,4],[757,6],[764,3],[768,2],[771,2],[774,4],[785,4],[790,6],[797,2],[800,6],[807,2],[810,4],[815,2],[818,7],[826,4],[831,3],[835,2],[838,3],[842,3],[846,4],[851,2],[857,4],[862,6],[869,4],[874,2],[877,7],[885,3],[889,5],[907,3],[911,2],[914,4],[938,3],[942,2],[945,4],[966,3],[970,2],[973,4],[1011,3],[1015,2],[1018,4]]},"2629":{"position":[[25,2],[28,2],[31,7],[39,5],[50,2],[53,3],[57,1],[59,1],[61,3],[84,5],[90,4],[95,4],[100,2],[103,3],[107,2],[110,1],[112,4],[117,4],[122,5],[128,3],[132,2],[135,5],[141,2],[144,3],[148,3],[152,5],[158,4],[163,4],[172,3],[176,2],[179,2],[182,3],[186,3],[190,1],[192,5],[302,2],[310,2],[313,4],[318,6],[325,7],[333,2],[336,3],[340,4],[345,1],[347,4],[352,7],[360,1],[362,4],[367,3],[371,1],[373,4],[378,2],[381,3],[385,3],[389,3],[393,4],[398,5],[444,8],[453,3],[457,4],[462,1],[464,4],[473,2],[506,6],[513,8],[522,3],[526,2],[529,2],[532,4],[537,3],[541,4],[546,4],[556,2],[559,3],[563,4],[568,3],[572,1],[574,5],[580,4],[585,2],[592,4],[601,6],[608,4],[613,4],[618,3],[622,1],[624,5],[674,7],[682,2],[685,5],[691,3],[695,2],[698,3],[702,4],[711,3],[715,6],[722,1],[724,3],[728,5],[734,7],[742,5],[748,3],[752,2],[755,3],[759,5],[765,4],[770,3],[774,4],[779,1],[781,5],[787,4],[792,2],[813,5],[819,4],[824,4],[871,7],[879,2],[882,5],[888,3],[892,2],[895,3],[899,4],[908,1],[910,6],[917,3],[921,3],[925,2],[947,5],[953,6],[960,6],[967,2],[970,4],[975,2],[978,3],[982,3],[986,4],[991,3],[995,3],[999,4],[1004,3],[1008,3],[1012,2],[1015,3],[1019,3],[1023,3],[1027,2],[1030,2],[1033,3],[1037,4],[1042,2],[1045,5]]},"2631":{"position":[[0,2],[3,6],[29,5],[35,4],[40,2],[43,3],[47,6],[54,4],[59,2],[62,6],[69,3],[73,4],[78,1],[80,2],[83,7],[91,2],[94,1],[96,3],[100,3],[104,2],[107,3],[111,6],[135,1],[150,2],[153,4],[158,3],[174,3],[178,3],[182,5],[188,2],[191,3],[195,3],[199,2],[202,3],[206,5],[269,1],[271,2],[274,2],[277,5],[283,3],[287,1],[289,5],[295,2],[298,2],[301,3],[305,3],[345,1],[347,6],[354,6],[361,3],[365,5],[371,2],[374,7],[382,4],[387,3],[391,4],[396,6],[403,3],[407,6],[414,6],[434,4],[439,3],[448,3],[452,6],[459,3],[463,3],[467,5],[483,4],[499,6],[519,3],[523,7],[531,6],[538,2],[541,4],[546,3],[585,5],[591,3],[595,2],[598,3],[602,5],[667,1],[669,2],[672,2],[675,5],[681,3],[685,2],[688,5],[694,2],[697,2],[700,3],[704,3],[768,1],[770,6],[782,3],[786,3],[790,2],[797,5],[803,3],[807,1],[809,5],[819,3],[823,5],[829,2],[832,2],[835,1],[837,5],[858,4],[868,3],[872,3],[876,5],[882,1],[884,2],[887,5],[893,6],[900,3],[904,5],[910,7],[918,4],[923,3],[927,4],[932,4],[937,6],[944,6],[961,4],[966,3],[975,3],[979,6],[991,4],[996,5],[1002,4],[1007,2],[1046,3],[1050,6],[1070,3],[1074,7],[1082,6],[1089,2],[1092,4],[1097,3],[1126,5],[1132,3],[1136,3],[1140,5],[1221,2],[1224,4],[1229,1],[1231,2],[1234,3],[1243,5],[1249,6],[1256,1],[1258,5],[1264,3],[1268,3],[1272,2],[1275,3],[1289,3],[1293,1],[1295,5]]},"2646":{"position":[[891,1],[914,1],[916,1],[918,3],[1553,1]]},"2673":{"position":[[4749,2],[4756,1],[4758,1],[4760,2],[4781,1],[4783,1],[4785,3],[5500,1]]},"2681":{"position":[[617,1],[634,1],[651,1],[969,2]]},"2685":{"position":[[429,1],[446,1],[463,1],[918,2]]},"2691":{"position":[[322,1],[508,1],[668,1]]},"2693":{"position":[[395,1]]},"2695":{"position":[[175,1]]},"2697":{"position":[[186,1]]},"2699":{"position":[[897,1],[927,1],[958,1],[986,1],[1017,1],[1070,1],[1136,1],[1154,1],[1169,1],[1183,1],[1185,1],[1417,1],[1577,1],[1948,2],[2312,2],[2322,1],[2345,1],[2422,1],[2431,1],[2470,1],[2472,1],[2564,1],[2609,1],[2624,1],[2854,1],[3012,1]]},"2701":{"position":[[0,2],[364,2],[374,1],[397,1],[474,1],[483,1],[522,1],[524,1],[616,1],[661,1],[676,1],[906,1],[1064,1]]},"2703":{"position":[[0,2],[3,2],[6,3],[10,5],[16,7],[24,4],[34,2],[37,2],[40,2],[43,2],[46,3],[50,2],[53,4],[58,4],[63,5]]},"2705":{"position":[[10,3],[14,2],[28,6],[35,2],[49,5],[55,3],[59,2],[62,3],[66,3],[70,1],[72,5],[78,2],[81,1],[83,3],[87,3],[91,5],[97,3],[101,3],[110,2],[113,4],[118,6]]},"2707":{"position":[[24,3],[28,4],[33,5],[39,5],[45,2],[48,4]]},"2709":{"position":[[0,2],[8,5],[23,4],[28,4],[33,3],[37,3],[41,1],[43,5]]},"2711":{"position":[[18,3],[22,5],[28,5]]},"2713":{"position":[[4,3],[8,3],[17,4],[22,3],[26,3],[34,2],[37,6],[44,5],[50,3],[54,3],[58,3],[78,6],[94,4],[117,3],[121,6],[138,4],[143,3],[147,3],[151,4],[156,4],[180,4],[185,1],[187,1],[189,5],[195,2],[198,3],[218,3],[222,1],[224,5],[230,4],[235,3],[294,3],[298,1],[300,5],[311,3],[315,1],[325,6],[332,4],[337,4],[356,4],[361,1],[363,3],[367,3],[371,3],[375,1],[377,5],[383,6],[390,4],[395,2],[398,2],[401,5],[407,2],[410,2],[413,2],[416,3],[420,4],[432,2],[435,6],[442,6],[454,2],[457,4],[462,3],[466,2],[469,5],[475,5],[481,4],[486,4],[491,2],[494,5],[500,5],[506,2],[509,2],[512,2],[515,4],[520,3],[524,3],[528,1],[530,5],[575,4],[580,3],[584,4],[589,3],[593,3],[597,2],[600,2],[603,1],[605,5],[611,1],[613,2],[616,2],[619,3],[623,2],[626,2],[629,3],[633,6]]},"2715":{"position":[[0,2],[17,4],[22,3],[26,2],[29,3],[33,5],[39,3],[43,3],[47,2],[50,3],[54,6]]},"2717":{"position":[[4,2],[7,2],[10,3],[14,2],[17,3],[21,3],[35,3],[39,4],[44,6]]},"2719":{"position":[[0,5],[6,5],[12,2],[20,3],[24,6],[31,2],[34,3],[38,6],[45,2],[48,3],[52,2],[55,3],[59,5],[65,4],[70,2],[73,3],[77,2],[80,5]]},"2721":{"position":[[5,4],[10,1],[12,3],[16,2],[19,2],[22,3],[26,2],[29,4],[34,3],[38,2],[41,4],[46,6],[53,2],[59,5],[65,2],[68,5],[74,6],[99,4],[104,5],[110,6],[121,2],[124,1],[126,4],[131,3],[135,4],[140,3],[144,6],[159,2],[166,3],[170,4],[175,3],[179,5],[189,4],[194,3],[198,3],[202,3],[206,4],[211,1],[213,3],[217,6]]},"2730":{"position":[[1113,1],[1115,1],[1120,4],[1297,2]]},"2736":{"position":[[579,1],[712,1]]},"2742":{"position":[[788,1],[890,1],[994,1],[1050,1],[1133,1],[1228,1],[1387,1],[1503,1],[1623,1],[1719,1],[1782,1]]},"2746":{"position":[[489,1],[522,1],[546,1],[571,1],[606,1]]},"2748":{"position":[[291,1],[466,1],[560,1],[618,1],[706,1]]},"2750":{"position":[[275,1]]},"2752":{"position":[[10,6],[17,2],[20,3],[24,2],[27,6],[34,2],[37,3],[41,5],[52,5],[58,3],[62,2],[65,3],[69,3],[73,6],[80,3],[84,2],[87,4],[92,4],[97,3],[101,4],[106,2],[109,6],[116,4],[121,2],[124,4],[129,2],[132,3],[136,4],[141,2],[144,1],[146,3],[150,4],[155,2],[158,4],[163,3],[167,2],[170,3],[174,3],[219,3],[223,6],[235,3],[239,4],[244,2],[247,3],[251,3],[255,4],[260,5],[266,3],[270,4],[275,3],[279,3],[283,2],[297,3],[301,4],[306,5],[312,4],[317,4],[328,2],[331,3],[335,3],[339,9],[349,1],[351,3],[355,4],[377,4],[382,4],[387,2],[390,2],[393,3],[397,3],[410,4],[415,2],[418,3],[422,3],[426,9],[436,1],[438,3],[442,1],[444,5],[450,3],[454,5],[460,2],[507,2],[510,4],[515,4],[520,2],[523,3],[527,4],[532,5],[538,2],[541,3],[545,4],[550,2],[553,4],[558,1],[560,5]]},"2754":{"position":[[0,2],[3,2],[6,3],[10,4],[15,5],[26,3],[30,3],[34,3],[38,4],[43,3],[47,2],[50,5],[56,3],[68,2],[71,5],[77,4],[82,4],[87,2],[90,2],[93,1],[95,1],[97,3],[101,5],[107,3],[111,2],[114,6],[131,3],[135,3],[151,7],[159,4],[164,3],[168,4],[173,3],[177,6],[184,4],[193,7],[201,5],[207,2],[210,6],[217,2],[230,4],[235,4],[240,4],[245,4],[250,5],[256,3],[260,3],[264,1],[266,5],[516,1],[626,2],[629,3],[633,2],[636,3],[640,2],[643,2],[646,2],[649,1],[651,3],[655,3],[673,2],[676,2],[679,2],[698,6],[705,2],[708,2],[711,2],[714,2],[717,2],[720,2],[735,2],[738,2],[786,2],[789,2],[792,2],[795,6],[827,2],[830,2],[833,10],[844,4],[849,3],[873,2],[876,2],[879,5],[914,2],[917,3],[921,4],[926,2],[959,3],[963,2],[966,2],[973,2],[1001,9],[1011,4],[1016,3],[1020,3],[1024,7],[1032,1],[1034,1],[1036,3],[1040,3],[1044,2],[1053,6],[1069,3],[1073,2],[1076,2],[1079,2],[1082,7],[1090,2],[1093,2],[1096,3],[1100,4],[1105,6],[1118,1],[1147,2],[1150,3],[1154,3],[1158,1],[1160,3],[1164,4],[1169,6],[1176,3],[1208,1],[1227,2],[1230,2],[1233,2],[1236,5],[1288,4],[1293,2],[1296,3],[1300,4],[1305,4],[1310,2],[1313,3],[1317,2],[1320,3],[1324,5],[1354,2],[1357,4],[1362,2],[1365,3],[1369,2],[1372,2],[1375,1],[1377,3],[1416,4],[1421,2],[1424,4],[1448,7],[1499,3],[1503,4],[1508,4],[1513,3],[1517,5],[1534,2],[1537,4],[1542,4],[1547,1],[1549,5],[1555,1],[1573,3],[1577,2],[1580,2],[1583,2],[1606,4],[1611,5],[1617,1],[1619,5],[1625,2],[1628,3],[1632,5],[1646,5],[1716,2],[1719,3],[1723,6],[1730,2],[1738,3],[1742,2],[1745,2],[1748,2],[1751,3],[1755,3],[1759,4],[1764,3],[1768,3],[1772,2],[1775,3],[1779,4],[1784,3],[1788,6]]},"2756":{"position":[[26,2],[29,2],[32,2],[46,4],[51,3],[55,7],[73,2],[76,4],[81,1],[83,4],[109,4],[114,2],[117,3],[121,3],[125,3],[129,1],[131,3],[135,6],[158,4],[163,2],[177,3],[181,7],[189,4],[194,3],[198,2],[201,1],[203,3],[212,3],[216,4],[236,3],[240,3],[244,1],[246,3],[250,6],[257,2],[279,2],[292,1],[329,3],[333,7],[341,2],[344,3],[348,4],[353,3],[357,4],[362,3],[366,3],[370,5],[437,3],[441,4],[446,2],[449,4],[454,3],[458,4],[583,1]]},"2758":{"position":[[35,2],[42,5],[48,2],[51,1],[53,6],[65,2],[71,2],[74,2],[81,3],[85,1],[87,5],[93,2],[100,9],[110,3],[114,1],[116,2],[119,3],[123,5],[129,5],[135,4],[140,5],[146,8],[155,3],[159,6],[166,3],[170,3],[174,2],[179,2],[182,2],[185,3],[189,6],[196,4],[201,3],[205,2],[208,3],[212,2],[227,4],[232,5],[238,6],[245,2],[248,2],[256,1],[258,2],[279,3],[283,4],[288,5],[294,3],[298,3],[302,2],[305,3],[309,6]]},"2770":{"position":[[1495,1]]},"2772":{"position":[[409,2],[938,1],[955,1],[972,1],[1180,1],[1266,1],[1281,2]]},"2777":{"position":[[299,1],[366,2]]},"2787":{"position":[[611,1],[694,1],[780,1]]},"2798":{"position":[[268,2]]},"2800":{"position":[[130,1]]},"2802":{"position":[[0,2],[284,1],[466,1]]},"2814":{"position":[[124,1],[133,1],[149,1]]},"2818":{"position":[[1014,2]]},"2842":{"position":[[283,1],[332,1],[380,1],[435,1],[488,1],[653,1],[708,1],[761,1]]},"2844":{"position":[[286,1],[335,1]]},"2862":{"position":[[476,1],[506,1],[859,1],[889,1],[1454,1],[1472,1],[1506,1],[1524,1]]},"2866":{"position":[[455,1],[514,1]]},"2878":{"position":[[273,1],[532,1],[544,1],[635,2],[638,2],[718,1]]},"2880":{"position":[[0,3],[4,3],[8,5],[14,7],[22,2],[25,5],[31,2],[34,4],[39,2],[42,1],[44,2],[47,3],[51,2],[54,5],[60,2],[63,8]]},"2882":{"position":[[9,4],[14,2],[17,3],[21,3],[30,4],[35,1],[37,3],[41,4],[46,3],[50,3],[54,4],[64,2],[67,5],[73,2],[76,4],[81,5]]},"2884":{"position":[[0,3],[4,2],[16,4],[31,4],[36,2],[39,3],[43,3],[47,1],[49,5],[55,3],[59,5],[65,2],[68,5],[93,4],[98,2],[101,5],[107,2],[122,4],[132,3],[136,1],[138,2],[141,3],[145,3],[149,5],[155,2],[158,3],[162,2],[168,3],[172,6]]},"2886":{"position":[[0,4],[5,3],[14,4],[19,2],[22,2],[25,3],[29,1],[31,2],[34,3],[38,3],[42,5]]},"2888":{"position":[[0,6],[7,2],[10,2],[46,2],[76,7],[89,2],[92,3],[96,3],[100,4],[105,4],[110,3],[114,1],[116,5],[127,3],[131,3],[156,3],[160,2],[163,4],[168,2],[171,1],[173,2],[176,2],[179,3],[183,5],[189,2],[192,4],[216,2],[219,6],[244,4],[249,5],[255,6],[262,2],[265,2],[272,2],[275,6],[351,4],[356,2],[364,6],[371,7],[379,5],[385,3],[389,3],[393,3],[397,1],[399,2],[402,3],[406,6],[990,3],[994,2],[997,4],[1002,6],[1009,1],[1011,2],[1014,7],[1022,3],[1026,2],[1029,5],[1035,2],[1038,3],[1095,2],[1098,2],[1101,3],[1105,3],[1109,1],[1111,4],[1134,6],[1141,4],[1146,2],[1149,4],[1154,6],[1528,2],[1547,2],[1613,5],[1619,6],[1626,6],[1633,2],[1636,6],[1643,4],[1648,2],[1678,4],[1683,7],[1691,2],[1694,2],[1697,3],[1701,2],[1704,3],[1708,3],[1712,3],[1716,6],[1723,6],[1800,1],[1969,1],[2280,6],[2287,3],[2291,2],[2294,6],[2301,4],[2306,2],[2313,4],[2318,6],[2325,4],[2330,3],[2373,4],[2378,3],[2382,2],[2385,3],[2389,3],[2393,2],[2396,4],[2421,1],[2423,2],[2431,4],[2436,2],[2439,1],[2441,5],[2447,3],[2451,4],[2456,4],[2466,4],[2471,8],[2480,3],[2484,3],[2488,2],[2491,2],[2494,3],[2498,4],[2503,5],[2509,4],[2514,1],[2516,4],[2521,4],[2526,4],[2531,4],[2536,3],[2540,2],[2543,4],[2548,3],[2552,3],[2556,2],[2559,3],[2563,1],[2565,5],[2571,1],[2612,1],[2681,1],[2695,1],[2721,1],[3067,2]]},"2896":{"position":[[269,2],[666,1],[688,1],[722,1],[744,1]]},"2904":{"position":[[276,2]]},"2910":{"position":[[587,2]]},"2914":{"position":[[0,1],[2,4],[7,2],[10,4],[15,5],[21,3],[25,4],[30,1],[32,3],[36,4],[41,2],[44,5],[55,4],[60,3],[64,2],[67,3],[71,6],[82,2],[85,4],[90,4],[95,3],[99,2],[102,3],[106,3],[110,4],[115,3],[119,6],[126,2],[141,2],[144,7],[152,2],[155,5],[161,4],[166,2],[169,2],[172,3],[176,4],[181,3],[185,5],[191,2],[194,5]]},"2916":{"position":[[13,2],[23,2],[26,4],[31,4],[36,4],[41,3],[45,4],[50,2],[53,5],[59,6],[66,1],[68,5],[93,2],[96,3],[100,1],[102,5],[108,1],[110,4],[120,6],[127,4],[132,3],[136,6],[172,1],[179,1],[181,3],[185,3],[189,2],[192,3],[196,6],[203,5],[209,2],[212,2],[215,3],[219,2],[222,4],[227,6],[238,4],[243,6],[287,1],[307,3],[311,2],[314,5],[320,6],[365,3],[369,5],[380,3],[393,4],[398,2],[401,4],[406,4],[411,2],[414,2],[417,2],[420,3],[424,4],[429,3],[433,5],[439,1],[441,3],[445,2],[448,7],[456,3],[460,4],[473,1],[475,4],[480,3],[484,2],[487,3],[491,4],[496,2],[499,3],[503,2],[517,8],[526,2],[529,2],[532,4],[537,3],[541,3],[545,3],[549,4],[554,5],[560,2],[563,2],[566,2],[569,4],[574,4],[579,2],[582,4],[587,2],[590,5],[596,4],[601,3],[605,3],[609,4],[614,5],[620,6],[635,1],[647,2],[650,3],[654,4],[659,2],[662,5],[668,6],[675,3],[679,4],[684,2],[687,3],[691,4],[696,6],[732,1],[799,5],[805,4],[810,5],[821,3],[825,2],[828,5],[834,6],[845,5],[851,3],[861,2],[864,2],[867,2],[874,3],[878,6],[896,3],[900,2],[903,2],[906,3],[950,6],[957,2],[960,1],[962,3],[966,3],[970,3],[974,3],[978,3],[982,4],[987,3],[991,2],[994,5],[1000,2],[1003,3],[1021,2],[1024,3],[1028,4],[1033,1],[1035,3],[1039,2],[1042,3],[1046,2],[1049,5],[1055,2],[1058,2],[1061,6]]},"2918":{"position":[[250,1],[1795,2],[2471,1]]},"2924":{"position":[[293,1]]},"2930":{"position":[[86,1]]},"2938":{"position":[[399,1],[434,1]]},"2940":{"position":[[364,1],[399,1]]},"2958":{"position":[[0,1],[2,5],[12,5],[18,4],[23,4],[28,3],[32,2],[35,6],[42,1],[44,4],[49,4],[54,5],[60,1],[62,4],[72,4],[83,4],[88,3],[92,6],[99,2],[102,3],[110,5],[116,4],[128,6],[135,2],[138,3],[146,4],[151,2],[154,2],[157,3]]},"2960":{"position":[[300,1],[417,1],[574,1],[668,1],[670,1],[685,1],[697,2],[713,1],[715,1],[727,1],[737,1],[739,1],[794,1],[796,1],[798,1],[800,2],[803,1],[817,2],[820,1],[822,1],[824,1],[826,1],[828,1]]},"2964":{"position":[[0,1],[2,4],[7,4],[12,5]]},"2966":{"position":[[0,1],[2,4],[7,4],[12,5]]},"2969":{"position":[[0,2],[3,8],[12,5],[18,4],[23,7],[31,1],[33,2],[36,3],[40,6],[47,2],[61,2],[64,2],[67,3],[71,3],[103,2],[106,6],[113,3],[117,3],[121,2],[124,5],[130,2],[133,6],[149,3],[153,5],[192,4],[197,5],[203,4],[208,2],[211,6],[218,4],[223,3],[227,6]]},"2971":{"position":[[18,6],[25,2],[28,3],[36,2],[44,5],[62,5],[72,2],[80,5],[90,2],[93,2],[108,6],[115,2],[143,8],[160,3],[164,5],[170,6],[177,3],[181,6],[192,5],[198,4],[203,2],[210,7],[218,2],[224,4],[234,2],[237,3],[241,6],[248,4],[253,3],[269,4],[274,4],[279,2],[282,3],[286,3],[290,4],[295,3],[299,1],[301,2],[304,5],[314,3],[318,3],[322,1],[324,2],[327,4],[332,4],[337,3],[341,1],[343,5],[349,1],[351,3],[355,3],[359,4],[364,4],[369,4],[380,2],[387,7],[395,3],[399,1],[401,3],[405,5],[411,4],[416,6],[423,3],[427,2],[430,3],[434,2],[480,3],[484,3],[488,3],[534,4],[539,3],[543,2],[546,5],[552,2],[555,3],[559,4],[564,2],[567,2],[570,2],[573,1],[575,5],[619,3],[631,3],[635,2],[645,3],[649,4],[668,1],[670,2],[673,4],[678,5],[684,3],[697,3],[701,2],[709,6],[716,4],[721,4],[726,2],[729,6],[736,6],[743,4],[748,4],[753,3],[757,4],[762,6]]},"2973":{"position":[[0,4],[5,4],[10,2],[13,7],[21,3],[25,2],[28,5],[34,5],[40,4],[45,4],[50,5],[56,5],[62,4],[67,7],[75,4],[80,2],[83,3],[87,6],[94,4],[99,3],[103,1],[105,5],[111,1],[113,4],[118,3],[122,4],[127,7],[135,3],[139,3],[143,6],[150,6],[157,4],[162,3],[166,1],[168,5],[174,5],[207,5],[213,5],[219,4],[224,5],[230,5],[236,2],[274,5],[280,2],[283,6],[299,2],[302,3],[306,2],[309,3],[313,3],[317,4],[322,2],[325,5],[331,3],[335,6],[342,1],[344,4],[349,2],[352,4],[357,3],[361,2],[392,4],[397,5],[403,5],[409,4],[414,3],[418,6]]},"2975":{"position":[[5,1],[7,2],[10,3],[14,2],[17,5],[23,2],[42,2],[45,4],[50,5],[56,6],[63,2],[66,1],[68,2],[71,4],[76,3],[80,4],[85,2],[92,2],[95,4],[100,3],[104,1],[106,2],[109,2],[112,4],[117,2],[120,5],[126,2],[129,1],[131,4],[136,2],[139,3],[143,3],[147,2],[150,5],[156,3],[160,5],[166,4],[171,2],[185,4],[190,5],[196,3],[200,3],[204,2],[207,3],[211,3],[215,1],[217,1],[219,5],[225,2],[228,2],[231,5],[243,8],[325,2],[328,3],[332,1],[334,2],[337,2],[340,1],[342,3],[346,1],[348,2],[351,3],[355,5],[361,5],[367,4],[372,4],[388,1],[390,4],[395,5],[416,5],[422,2],[425,4],[430,1],[432,2],[435,2],[438,5],[448,5],[454,5],[460,8],[469,5],[475,1],[477,7],[485,2],[488,3],[492,3],[496,3],[500,6]]},"2977":{"position":[[5,3],[9,2],[12,2],[15,6],[22,2],[25,5],[31,2],[34,2],[37,1],[39,3],[43,2],[46,5],[52,4],[57,2],[60,2],[94,2],[97,3],[101,1],[103,5],[109,5],[115,3],[119,3],[123,7],[131,3],[135,3],[139,2],[142,2],[145,3],[149,6],[156,3],[160,2],[163,2],[166,5],[172,2],[175,4],[180,2],[183,3],[187,3],[191,6]]},"2981":{"position":[[315,6],[379,1],[386,6],[393,6],[431,3],[435,2],[446,4]]},"2983":{"position":[[25,4],[30,5],[41,6],[48,4],[53,3],[57,2],[60,4],[65,4],[80,6],[87,3],[91,3],[95,6],[102,3],[106,3],[110,2],[113,3],[117,5],[123,5],[144,4],[159,6],[273,6],[297,6],[310,4],[320,3],[324,6]]},"2987":{"position":[[315,1],[322,6],[329,6],[367,3],[371,2],[382,4]]},"2990":{"position":[[690,2],[1705,1]]},"2994":{"position":[[406,1],[756,1],[2297,3],[2307,3]]},"3006":{"position":[[779,2],[798,2],[1467,1],[1513,1],[1553,1],[1721,1],[1750,1],[1779,1],[1829,1],[3271,3],[3335,3],[3553,3],[3709,3],[5925,2],[6124,2],[6323,2]]},"3008":{"position":[[438,2],[1476,2],[1717,2],[1945,2],[2159,2],[2400,2],[2609,2],[2639,2]]},"3010":{"position":[[1193,1],[1202,1],[1204,1],[1285,1],[1287,1],[1367,1]]},"3014":{"position":[[256,1],[466,1],[536,1],[610,1],[683,1],[755,1],[820,1],[1091,1],[1554,1],[1663,1],[1890,1],[1981,1],[2338,1],[2620,1],[2689,1],[2792,1],[2839,1],[2907,1],[3013,1],[3086,1],[3159,1],[3250,1],[4064,1],[4091,1],[4279,1],[4358,1]]},"3048":{"position":[[115,2]]},"3050":{"position":[[851,1]]},"3052":{"position":[[140,1],[357,1],[500,1]]},"3058":{"position":[[5,6],[12,3],[16,4],[21,3],[25,2],[28,3],[32,3],[36,2],[39,7],[47,2],[50,5],[56,5],[62,2],[65,4],[70,6],[86,4],[91,2],[94,2],[97,4],[102,4],[131,2],[134,3],[138,3],[146,1],[148,3],[152,4],[157,3],[161,3],[165,3],[169,2],[172,3],[176,2],[179,4],[184,5],[190,5],[196,3],[200,4],[205,3],[209,2],[212,5],[218,3],[243,2],[246,3],[250,2],[253,3],[345,2],[348,5],[354,3],[358,3],[362,2],[365,3],[369,3],[373,2],[376,4],[381,1],[383,5],[389,4],[394,2],[397,2],[405,3],[409,3],[413,2],[416,3],[420,4],[425,3],[429,5],[435,3],[439,2],[442,3],[446,6],[453,3],[464,4],[469,3],[478,3],[482,2],[485,2],[488,4],[493,4],[498,6],[546,6],[564,4],[569,6],[576,4],[581,4],[586,2],[589,4],[594,4],[599,2],[602,2],[605,5],[611,3],[636,2]]},"3060":{"position":[[0,3],[4,3],[8,4],[13,4],[18,2],[21,3],[37,5],[43,6],[67,4],[77,6],[84,3],[88,6],[95,2],[98,4],[108,3],[116,3],[120,1],[122,5],[133,1],[135,3],[139,3],[143,4],[148,3],[152,5]]},"3062":{"position":[[0,1],[2,4],[7,4],[12,5]]},"3089":{"position":[[139,1],[308,1],[413,1],[471,1],[486,1],[515,2],[559,1],[602,1],[617,1],[633,3],[775,1],[807,1],[818,1],[831,4],[931,1],[1060,1],[1258,1],[1385,1],[1588,1],[1716,1],[1806,1],[1917,1],[1957,1],[1995,1]]},"3091":{"position":[[149,1]]},"3105":{"position":[[216,1]]},"3112":{"position":[[238,1],[270,1],[281,1]]},"3114":{"position":[[301,1],[319,1],[351,1],[425,1],[636,1],[918,1],[1200,1],[1482,1],[1764,1],[2046,1],[2328,1]]},"3116":{"position":[[230,1],[248,1],[280,1],[323,1],[406,1],[617,1],[899,1],[1181,1],[1463,1],[1745,1],[2027,1],[2309,1]]},"3120":{"position":[[468,1],[500,1],[511,1],[567,1],[613,1]]},"3122":{"position":[[451,1],[483,1],[494,1],[550,1]]},"3124":{"position":[[325,1],[357,1],[368,1],[413,1]]},"3126":{"position":[[291,1],[323,1],[334,1],[379,1]]},"3128":{"position":[[304,1],[336,1],[347,1],[392,1]]},"3130":{"position":[[395,1],[427,1],[438,1],[489,1]]},"3132":{"position":[[302,1],[334,1],[345,1],[396,1],[456,1]]},"3134":{"position":[[290,1],[308,1],[340,1],[419,1],[630,1],[912,1],[1194,1],[1476,1],[1758,1],[2040,1],[2322,1]]},"3136":{"position":[[368,1],[400,1],[411,1],[462,1],[520,1]]},"3138":{"position":[[390,1],[422,1],[433,1],[465,1],[509,1]]},"3140":{"position":[[286,1],[318,1],[329,1],[361,1],[405,1]]},"3142":{"position":[[421,1],[453,1],[464,1],[515,1]]},"3144":{"position":[[282,1],[314,1],[325,1],[363,1],[400,1]]},"3146":{"position":[[233,1],[265,1],[276,1],[312,1]]},"3156":{"position":[[363,1],[395,1],[406,1],[438,1],[483,1]]},"3160":{"position":[[438,1],[543,1],[601,1],[616,1],[645,2],[689,1],[732,1],[747,1],[763,3],[905,1],[937,1],[948,1],[961,4],[1061,1],[1190,1],[1388,1],[1515,1],[1718,1],[1846,1],[1936,1],[2047,1],[2087,1],[2125,1],[2220,1],[2253,1]]},"3162":{"position":[[430,1],[466,1],[494,1],[527,1]]},"3164":{"position":[[365,1],[397,1],[408,1],[449,1]]},"3166":{"position":[[377,1],[409,1],[420,1],[458,1]]},"3168":{"position":[[419,1],[451,1],[462,1]]},"3172":{"position":[[971,1],[1003,1],[1014,1]]},"3175":{"position":[[320,1],[361,1],[372,1]]},"3177":{"position":[[250,1],[291,1],[302,1],[338,1]]},"3179":{"position":[[270,1],[311,1],[322,1],[380,1]]},"3181":{"position":[[366,1],[407,1],[418,1],[477,1]]},"3183":{"position":[[302,1],[343,1],[354,1],[393,1]]},"3187":{"position":[[239,1],[257,1],[289,1],[320,1],[391,1],[602,1],[884,1],[1166,1],[1448,1],[1730,1],[2012,1],[2294,1]]},"3190":{"position":[[237,1],[269,1],[297,1]]},"3192":{"position":[[247,1],[279,1],[290,1],[329,1],[373,1]]},"3195":{"position":[[332,1],[437,1],[495,1],[510,1],[539,2],[583,1],[626,1],[641,1],[657,3],[799,1],[831,1],[842,1],[855,4],[955,1],[1084,1],[1282,1],[1409,1],[1612,1],[1740,1],[1830,1],[1941,1],[1981,1],[2019,1]]},"3197":{"position":[[221,1],[326,1],[384,1],[399,1],[428,2],[472,1],[515,1],[530,1],[546,3],[688,1],[720,1],[731,1],[744,4],[844,1],[973,1],[1171,1],[1298,1],[1501,1],[1629,1],[1719,1],[1830,1],[1870,1],[1908,1],[2000,1]]},"3199":{"position":[[246,1],[351,1],[409,1],[424,1],[453,2],[497,1],[540,1],[555,1],[571,3],[713,1],[745,1],[756,1],[769,4],[869,1],[998,1],[1196,1],[1323,1],[1526,1],[1654,1],[1744,1],[1855,1],[1895,1],[1933,1]]},"3201":{"position":[[398,1],[503,1],[561,1],[576,1],[605,2],[649,1],[692,1],[707,1],[723,3],[865,1],[897,1],[908,1],[921,4],[1021,1],[1150,1],[1348,1],[1475,1],[1678,1],[1806,1],[1896,1],[2007,1],[2047,1],[2085,1]]},"3203":{"position":[[224,1],[329,1],[387,1],[402,1],[431,2],[475,1],[518,1],[533,1],[549,3],[691,1],[723,1],[734,1],[747,4],[847,1],[976,1],[1174,1],[1301,1],[1504,1],[1632,1],[1722,1],[1833,1],[1873,1],[1911,1],[2003,1]]},"3205":{"position":[[256,1],[361,1],[419,1],[434,1],[463,2],[507,1],[550,1],[565,1],[581,3],[723,1],[755,1],[766,1],[779,4],[879,1],[1008,1],[1206,1],[1333,1],[1536,1],[1664,1],[1754,1],[1865,1],[1905,1],[1943,1],[2035,1],[2071,1]]},"3207":{"position":[[355,1],[460,1],[518,1],[533,1],[562,2],[606,1],[649,1],[664,1],[680,3],[822,1],[854,1],[865,1],[878,4],[978,1],[1107,1],[1305,1],[1432,1],[1635,1],[1763,1],[1853,1],[1964,1],[2004,1],[2042,1]]},"3213":{"position":[[117,1],[149,1],[160,1]]},"3239":{"position":[[537,1],[569,1],[628,1],[660,1],[671,1],[695,1],[721,1],[768,1]]},"3241":{"position":[[523,1],[555,1],[614,1],[646,1],[657,1],[685,1],[711,1],[764,1]]},"3243":{"position":[[579,1],[611,1],[670,1],[702,1],[713,1],[737,1],[763,1],[858,1]]},"3245":{"position":[[487,1],[512,1],[523,1],[564,1],[602,1]]},"3247":{"position":[[544,1],[569,1],[580,1]]},"3257":{"position":[[705,1],[730,1],[758,1],[791,1]]},"3266":{"position":[[312,1]]}}}],["0",{"_index":308,"t":{"2513":{"position":[[34,1]]},"2533":{"position":[[452,2]]},"2535":{"position":[[2147,1],[2168,1]]},"2548":{"position":[[643,1],[705,1],[818,1],[868,1],[923,1]]},"2621":{"position":[[1374,4]]},"2646":{"position":[[882,2],[906,2]]},"2653":{"position":[[65,1]]},"2673":{"position":[[463,2],[1108,2],[4773,2]]},"2699":{"position":[[916,1]]},"2736":{"position":[[838,1],[900,1],[954,1]]},"3006":{"position":[[3438,1],[3912,1]]},"3089":{"position":[[631,1]]},"3114":{"position":[[628,1],[910,1],[1192,1],[1474,1],[1756,1],[2038,1],[2320,1]]},"3116":{"position":[[609,1],[891,1],[1173,1],[1455,1],[1737,1],[2019,1],[2301,1]]},"3134":{"position":[[622,1],[904,1],[1186,1],[1468,1],[1750,1],[2032,1],[2314,1]]},"3144":{"position":[[395,1]]},"3160":{"position":[[761,1]]},"3187":{"position":[[594,1],[876,1],[1158,1],[1440,1],[1722,1],[2004,1],[2286,1]]},"3195":{"position":[[655,1]]},"3197":{"position":[[544,1]]},"3199":{"position":[[569,1]]},"3201":{"position":[[721,1]]},"3203":{"position":[[547,1]]},"3205":{"position":[[579,1]]},"3207":{"position":[[678,1]]},"3239":{"position":[[582,2]]},"3241":{"position":[[568,2]]},"3243":{"position":[[624,2]]},"3245":{"position":[[95,2],[595,3]]},"3247":{"position":[[132,2]]},"3295":{"position":[[165,2]]}}}],["0.0.0.0",{"_index":1089,"t":{"2655":{"position":[[46,7]]},"2673":{"position":[[752,8]]}}}],["0.2",{"_index":806,"t":{"2583":{"position":[[445,3]]}}}],["0/1",{"_index":556,"t":{"2548":{"position":[[750,3]]}}}],["000",{"_index":2782,"t":{"3230":{"position":[[337,5]]}}}],["00:00",{"_index":434,"t":{"2535":{"position":[[227,5]]}}}],["00:00:00",{"_index":2660,"t":{"3114":{"position":[[638,8],[920,8],[1202,8],[1484,8],[1766,8],[2048,8],[2330,8]]},"3116":{"position":[[619,8],[901,8],[1183,8],[1465,8],[1747,8],[2029,8],[2311,8]]},"3134":{"position":[[632,8],[914,8],[1196,8],[1478,8],[1760,8],[2042,8],[2324,8]]},"3187":{"position":[[604,8],[886,8],[1168,8],[1450,8],[1732,8],[2014,8],[2296,8]]}}}],["00:01:28",{"_index":2654,"t":{"3114":{"position":[[427,8]]},"3116":{"position":[[408,8]]},"3134":{"position":[[421,8]]},"3187":{"position":[[393,8]]}}}],["02",{"_index":142,"t":{"2501":{"position":[[1499,2]]},"2579":{"position":[[320,2]]},"2620":{"position":[[135,2]]},"2814":{"position":[[1859,2]]}}}],["04cd40ea6b6078797f177c902c89412c70e523ad2a687a62829bf1d16ff0e19c",{"_index":2673,"t":{"3114":{"position":[[1916,64]]},"3116":{"position":[[1897,64]]},"3134":{"position":[[1910,64]]},"3187":{"position":[[1882,64]]}}}],["0644",{"_index":1446,"t":{"2746":{"position":[[332,6],[515,6]]}}}],["073f",{"_index":576,"t":{"2548":{"position":[[1155,4],[1318,4],[1659,4]]}}}],["09",{"_index":2690,"t":{"3120":{"position":[[734,2]]},"3122":{"position":[[682,2]]},"3124":{"position":[[551,2]]},"3126":{"position":[[500,2]]},"3128":{"position":[[513,2]]},"3130":{"position":[[626,2]]},"3132":{"position":[[587,2]]},"3136":{"position":[[660,2]]},"3138":{"position":[[641,2]]},"3140":{"position":[[537,2]]},"3142":{"position":[[653,2]]},"3144":{"position":[[518,2]]},"3146":{"position":[[433,2]]},"3156":{"position":[[608,2]]},"3162":{"position":[[650,2],[2826,2]]},"3164":{"position":[[566,2]]},"3166":{"position":[[572,2]]},"3177":{"position":[[459,2]]},"3179":{"position":[[527,2]]},"3181":{"position":[[612,2]]},"3183":{"position":[[508,2]]},"3190":{"position":[[418,2]]},"3192":{"position":[[492,2]]},"3239":{"position":[[917,2]]},"3241":{"position":[[931,2]]},"3243":{"position":[[1046,2]]},"3245":{"position":[[723,2],[1946,2]]},"3257":{"position":[[914,2],[2137,2]]}}}],["0b836757eae8",{"_index":2805,"t":{"3245":{"position":[[1516,12]]},"3257":{"position":[[1707,12]]}}}],["1",{"_index":353,"t":{"2519":{"position":[[593,1]]},"2533":{"position":[[1849,1]]},"2535":{"position":[[3358,1]]},"2548":{"position":[[764,1]]},"2554":{"position":[[990,1]]},"2581":{"position":[[354,1],[380,1]]},"2604":{"position":[[616,1],[1295,1]]},"2646":{"position":[[1601,3]]},"2673":{"position":[[5548,3],[8955,1]]},"2697":{"position":[[304,2],[448,2],[543,2]]},"2699":{"position":[[485,1],[699,1],[861,1],[1032,2],[1082,2],[1224,1],[1300,2],[1575,1],[1640,1],[1754,1],[2274,1],[2508,2],[2737,2],[3075,1],[3190,1]]},"2701":{"position":[[326,1],[560,2],[789,2],[1127,1],[1242,1]]},"2802":{"position":[[527,1]]},"2816":{"position":[[139,1],[165,1]]},"2830":{"position":[[256,1]]},"2924":{"position":[[647,2]]},"2994":{"position":[[537,1],[885,1]]},"3006":{"position":[[1922,1],[1977,1],[3007,1],[3062,1]]},"3026":{"position":[[401,1]]},"3028":{"position":[[387,1]]},"3089":{"position":[[647,2],[1672,2]]},"3114":{"position":[[626,1],[908,1],[1190,1],[1472,1],[1754,1],[2036,1],[2318,1]]},"3116":{"position":[[607,1],[889,1],[1171,1],[1453,1],[1735,1],[2017,1],[2299,1]]},"3134":{"position":[[620,1],[902,1],[1184,1],[1466,1],[1748,1],[2030,1],[2312,1]]},"3160":{"position":[[777,2],[1802,2]]},"3187":{"position":[[592,1],[874,1],[1156,1],[1438,1],[1720,1],[2002,1],[2284,1]]},"3195":{"position":[[671,2],[1696,2]]},"3197":{"position":[[560,2],[1585,2]]},"3199":{"position":[[585,2],[1610,2]]},"3201":{"position":[[737,2],[1762,2]]},"3203":{"position":[[563,2],[1588,2]]},"3205":{"position":[[595,2],[1620,2]]},"3207":{"position":[[694,2],[1719,2]]}}}],["1.1",{"_index":2314,"t":{"2998":{"position":[[1048,5]]}}}],["1.1.11",{"_index":2609,"t":{"3089":{"position":[[653,9],[1678,9],[2066,6]]},"3160":{"position":[[783,9],[1808,9]]},"3195":{"position":[[677,9],[1702,9]]},"3197":{"position":[[566,9],[1591,9]]},"3199":{"position":[[591,9],[1616,9]]},"3201":{"position":[[743,9],[1768,9]]},"3203":{"position":[[569,9],[1594,9]]},"3205":{"position":[[601,9],[1626,9]]},"3207":{"position":[[700,9],[1725,9]]}}}],["1.19.2",{"_index":2150,"t":{"2930":{"position":[[31,6]]}}}],["1.2.1",{"_index":2425,"t":{"3014":{"position":[[258,5]]}}}],["1.2.17",{"_index":2432,"t":{"3014":{"position":[[538,6]]}}}],["1.2.19",{"_index":2440,"t":{"3014":{"position":[[822,6]]}}}],["1.2.20",{"_index":2456,"t":{"3014":{"position":[[1556,6]]}}}],["1.2.21",{"_index":2447,"t":{"3014":{"position":[[1093,6]]}}}],["1.2.22",{"_index":2402,"t":{"3010":{"position":[[17,6]]},"3014":{"position":[[4413,6]]},"3040":{"position":[[208,6]]}}}],["1.2.25",{"_index":2403,"t":{"3010":{"position":[[27,6]]},"3014":{"position":[[4423,6]]},"3040":{"position":[[217,6]]}}}],["1.2.28",{"_index":2459,"t":{"3014":{"position":[[1665,6]]}}}],["1.2.29",{"_index":2436,"t":{"3014":{"position":[[685,6],[757,6]]},"3089":{"position":[[720,9],[1701,9]]},"3160":{"position":[[850,9],[1831,9],[2196,6]]},"3195":{"position":[[744,9],[1725,9]]},"3197":{"position":[[633,9],[1614,9]]},"3199":{"position":[[658,9],[1639,9]]},"3201":{"position":[[810,9],[1791,9]]},"3203":{"position":[[636,9],[1617,9]]},"3205":{"position":[[668,9],[1649,9]]},"3207":{"position":[[767,9],[1748,9]]}}}],["1.2.30",{"_index":2463,"t":{"3014":{"position":[[1892,6],[1983,6]]}}}],["1.2.31",{"_index":2431,"t":{"3014":{"position":[[468,6]]}}}],["1.2.32",{"_index":2434,"t":{"3014":{"position":[[612,6]]}}}],["1.20",{"_index":1988,"t":{"2894":{"position":[[1174,4]]},"2971":{"position":[[39,4]]},"3008":{"position":[[1087,4]]}}}],["1.21",{"_index":1990,"t":{"2894":{"position":[[1224,4]]},"2971":{"position":[[75,4]]}}}],["1.24",{"_index":533,"t":{"2548":{"position":[[57,7],[143,4]]}}}],["1.27",{"_index":1864,"t":{"2866":{"position":[[134,5],[351,4]]}}}],["1.3.2",{"_index":2471,"t":{"3014":{"position":[[2622,5]]}}}],["1.3.3",{"_index":2474,"t":{"3014":{"position":[[2841,5]]}}}],["1.3.4",{"_index":2473,"t":{"3014":{"position":[[2794,5]]}}}],["1.3.5",{"_index":2472,"t":{"3014":{"position":[[2691,5]]}}}],["1.3.7",{"_index":2467,"t":{"3014":{"position":[[2340,5]]}}}],["1.4",{"_index":1570,"t":{"2770":{"position":[[1474,3],[1586,3]]}}}],["1.4.1",{"_index":2478,"t":{"3014":{"position":[[3015,5]]}}}],["1.4.2",{"_index":2475,"t":{"3014":{"position":[[2909,5]]}}}],["1.50",{"_index":2140,"t":{"2926":{"position":[[540,4],[621,4],[680,4]]},"2938":{"position":[[291,4]]},"2940":{"position":[[263,4]]},"2942":{"position":[[151,4]]}}}],["1.6",{"_index":2420,"t":{"3014":{"position":[[141,3]]}}}],["1.6.1",{"_index":1932,"t":{"2884":{"position":[[74,8]]}}}],["1.8.0",{"_index":1933,"t":{"2884":{"position":[[110,5]]}}}],["1.8.4",{"_index":1934,"t":{"2884":{"position":[[116,5]]}}}],["1.el7_8.noarch.rpm",{"_index":807,"t":{"2583":{"position":[[449,18]]}}}],["1.el8.noarch.rpm",{"_index":1571,"t":{"2770":{"position":[[1478,16],[1590,16]]}}}],["1/1",{"_index":548,"t":{"2548":{"position":[[631,3],[693,3],[806,3],[911,3]]},"2736":{"position":[[826,3],[888,3],[942,3]]}}}],["10",{"_index":96,"t":{"2501":{"position":[[330,2]]},"2535":{"position":[[4973,2]]},"2540":{"position":[[64,3]]},"2699":{"position":[[668,3]]},"2824":{"position":[[147,2]]},"2830":{"position":[[253,2]]},"2926":{"position":[[288,3],[392,3],[689,3]]},"2934":{"position":[[136,2]]},"2938":{"position":[[175,3],[392,2],[401,2]]},"2940":{"position":[[175,3],[357,2],[366,2]]},"2942":{"position":[[123,3]]},"3026":{"position":[[57,2],[370,3]]},"3028":{"position":[[356,3]]},"3060":{"position":[[72,4]]},"3152":{"position":[[198,2]]}}}],["10.0.0.0/8",{"_index":1522,"t":{"2756":{"position":[[665,10]]}}}],["10.10.10.100",{"_index":1249,"t":{"2697":{"position":[[247,12]]}}}],["10.10.10.100/24",{"_index":1285,"t":{"2699":{"position":[[1138,15]]}}}],["10.10.10.101",{"_index":1255,"t":{"2697":{"position":[[546,12]]}}}],["10.10.10.102",{"_index":1256,"t":{"2697":{"position":[[568,12]]}}}],["10.10.10.103",{"_index":1257,"t":{"2697":{"position":[[590,12]]}}}],["10.10.10.50",{"_index":1250,"t":{"2697":{"position":[[307,11]]}}}],["10.10.10.50:6443",{"_index":1269,"t":{"2699":{"position":[[701,16],[2354,17]]},"2701":{"position":[[406,17]]}}}],["10.10.10.51",{"_index":1251,"t":{"2697":{"position":[[329,11]]}}}],["10.10.10.51:6443",{"_index":1270,"t":{"2699":{"position":[[740,16],[2379,17]]},"2701":{"position":[[431,17]]}}}],["10.10.10.52",{"_index":1252,"t":{"2697":{"position":[[351,11]]}}}],["10.10.10.52:6443",{"_index":1271,"t":{"2699":{"position":[[779,16],[2404,17]]},"2701":{"position":[[456,17]]}}}],["10.10.10.98",{"_index":1253,"t":{"2697":{"position":[[451,11]]}}}],["10.10.10.99",{"_index":1254,"t":{"2697":{"position":[[469,11]]}}}],["10.41.0.0/16",{"_index":722,"t":{"2564":{"position":[[299,12]]}}}],["10.42.0.0/16",{"_index":771,"t":{"2577":{"position":[[135,12]]},"2661":{"position":[[46,14]]},"2673":{"position":[[1450,13]]},"2814":{"position":[[1186,12]]},"2878":{"position":[[422,14],[546,15]]}}}],["10.43.0.0/16",{"_index":772,"t":{"2577":{"position":[[176,12]]},"2661":{"position":[[125,14]]},"2673":{"position":[[1555,13]]},"2814":{"position":[[1227,12]]}}}],["10.43.0.10",{"_index":1103,"t":{"2661":{"position":[[313,12]]},"2673":{"position":[[1816,11]]}}}],["10.6.8",{"_index":1019,"t":{"2627":{"position":[[958,7]]}}}],["10.7",{"_index":1020,"t":{"2627":{"position":[[989,6]]}}}],["100",{"_index":821,"t":{"2588":{"position":[[475,4]]},"2699":{"position":[[1085,3]]},"2824":{"position":[[170,3]]},"2830":{"position":[[276,3]]},"3026":{"position":[[320,3]]},"3028":{"position":[[55,3],[306,3]]},"3154":{"position":[[249,3]]}}}],["1000",{"_index":1565,"t":{"2770":{"position":[[993,4]]}}}],["10000",{"_index":690,"t":{"2560":{"position":[[196,5]]}}}],["10080",{"_index":692,"t":{"2560":{"position":[[266,6]]}}}],["1024",{"_index":689,"t":{"2560":{"position":[[179,4]]}}}],["10250",{"_index":1717,"t":{"2818":{"position":[[660,6]]},"2820":{"position":[[245,5]]}}}],["10t22:54:38z",{"_index":901,"t":{"2604":{"position":[[699,12]]}}}],["11.5",{"_index":1021,"t":{"2627":{"position":[[996,5]]}}}],["111695",{"_index":1865,"t":{"2866":{"position":[[157,7]]}}}],["112",{"_index":1874,"t":{"2866":{"position":[[1309,4]]}}}],["1123",{"_index":1370,"t":{"2730":{"position":[[1046,4]]}}}],["12",{"_index":461,"t":{"2535":{"position":[[2170,4]]},"2573":{"position":[[346,2]]},"2604":{"position":[[696,2]]},"2646":{"position":[[909,4]]},"2673":{"position":[[4776,4]]},"2858":{"position":[[1956,2]]},"2866":{"position":[[1291,3]]}}}],["12,500",{"_index":2551,"t":{"3038":{"position":[[358,6]]}}}],["12.0.000.tgz",{"_index":1515,"t":{"2754":{"position":[[1701,14]]}}}],["123",{"_index":2684,"t":{"3120":{"position":[[683,3]]},"3122":{"position":[[631,3]]},"3124":{"position":[[500,3]]},"3126":{"position":[[449,3]]},"3128":{"position":[[462,3]]},"3130":{"position":[[575,3]]},"3132":{"position":[[536,3]]},"3136":{"position":[[609,3]]},"3138":{"position":[[590,3]]},"3140":{"position":[[486,3]]},"3142":{"position":[[602,3]]},"3144":{"position":[[467,3]]},"3146":{"position":[[382,3]]},"3156":{"position":[[557,3]]},"3162":{"position":[[599,3],[2775,3]]},"3164":{"position":[[515,3]]},"3166":{"position":[[521,3]]},"3177":{"position":[[408,3]]},"3179":{"position":[[476,3]]},"3181":{"position":[[561,3]]},"3183":{"position":[[457,3]]},"3190":{"position":[[367,3]]},"3192":{"position":[[441,3]]},"3239":{"position":[[866,3]]},"3241":{"position":[[880,3]]},"3243":{"position":[[995,3]]},"3245":{"position":[[672,3],[1368,3],[1895,3],[2591,3]]},"3257":{"position":[[863,3],[1559,3],[2086,3],[2782,3]]}}}],["12345",{"_index":1421,"t":{"2742":{"position":[[855,5],[1184,6],[1269,5]]}}}],["127.0.0.1",{"_index":2751,"t":{"3192":{"position":[[358,11]]}}}],["12:00",{"_index":435,"t":{"2535":{"position":[[237,5]]}}}],["13",{"_index":1312,"t":{"2699":{"position":[[3166,3]]},"2701":{"position":[[1218,3]]},"3120":{"position":[[667,2]]},"3122":{"position":[[615,2]]},"3124":{"position":[[484,2]]},"3126":{"position":[[433,2]]},"3128":{"position":[[446,2]]},"3130":{"position":[[559,2]]},"3132":{"position":[[520,2]]},"3136":{"position":[[593,2]]},"3138":{"position":[[574,2]]},"3140":{"position":[[470,2]]},"3142":{"position":[[586,2]]},"3144":{"position":[[451,2]]},"3146":{"position":[[366,2]]},"3156":{"position":[[541,2]]},"3162":{"position":[[583,2],[2759,2]]},"3164":{"position":[[499,2]]},"3166":{"position":[[505,2]]},"3177":{"position":[[392,2]]},"3179":{"position":[[460,2]]},"3181":{"position":[[545,2]]},"3183":{"position":[[441,2]]},"3190":{"position":[[351,2]]},"3192":{"position":[[425,2]]},"3239":{"position":[[850,2]]},"3241":{"position":[[864,2]]},"3243":{"position":[[979,2]]},"3245":{"position":[[656,2],[1879,2]]},"3257":{"position":[[847,2],[2070,2]]}}}],["13:26",{"_index":2653,"t":{"3114":{"position":[[419,5]]},"3116":{"position":[[400,5]]},"3134":{"position":[[413,5]]},"3187":{"position":[[385,5]]}}}],["13:26:40",{"_index":2683,"t":{"3120":{"position":[[670,8]]},"3122":{"position":[[618,8]]},"3124":{"position":[[487,8]]},"3126":{"position":[[436,8]]},"3128":{"position":[[449,8]]},"3130":{"position":[[562,8]]},"3132":{"position":[[523,8]]},"3136":{"position":[[596,8]]},"3138":{"position":[[577,8]]},"3140":{"position":[[473,8]]},"3142":{"position":[[589,8]]},"3144":{"position":[[454,8]]},"3146":{"position":[[369,8]]},"3156":{"position":[[544,8]]},"3162":{"position":[[586,8],[2762,8]]},"3164":{"position":[[502,8]]},"3166":{"position":[[508,8]]},"3177":{"position":[[395,8]]},"3179":{"position":[[463,8]]},"3181":{"position":[[548,8]]},"3183":{"position":[[444,8]]},"3190":{"position":[[354,8]]},"3192":{"position":[[428,8]]},"3239":{"position":[[853,8]]},"3241":{"position":[[867,8]]},"3243":{"position":[[982,8]]}}}],["13:26:44",{"_index":2808,"t":{"3245":{"position":[[1882,8]]},"3257":{"position":[[2073,8]]}}}],["13:26:50",{"_index":2792,"t":{"3245":{"position":[[659,8]]},"3257":{"position":[[850,8]]}}}],["13:27",{"_index":2659,"t":{"3114":{"position":[[630,5],[912,5],[1194,5],[1476,5]]},"3116":{"position":[[611,5],[893,5],[1175,5],[1457,5]]},"3134":{"position":[[624,5],[906,5],[1188,5],[1470,5]]},"3187":{"position":[[596,5],[878,5],[1160,5],[1442,5]]}}}],["13:28",{"_index":2672,"t":{"3114":{"position":[[1758,5],[2040,5]]},"3116":{"position":[[1739,5],[2021,5]]},"3134":{"position":[[1752,5],[2034,5]]},"3187":{"position":[[1724,5],[2006,5]]}}}],["13:47",{"_index":2677,"t":{"3114":{"position":[[2322,5]]},"3116":{"position":[[2303,5]]},"3134":{"position":[[2316,5]]},"3187":{"position":[[2288,5]]}}}],["13m",{"_index":1223,"t":{"2691":{"position":[[809,3]]}}}],["13t13:26:40z",{"_index":2691,"t":{"3120":{"position":[[737,13]]},"3122":{"position":[[685,13]]},"3124":{"position":[[554,13]]},"3126":{"position":[[503,13]]},"3128":{"position":[[516,13]]},"3130":{"position":[[629,13]]},"3132":{"position":[[590,13]]},"3136":{"position":[[663,13]]},"3138":{"position":[[644,13]]},"3140":{"position":[[540,13]]},"3142":{"position":[[656,13]]},"3144":{"position":[[521,13]]},"3146":{"position":[[436,13]]},"3156":{"position":[[611,13]]},"3162":{"position":[[653,13],[2829,13]]},"3164":{"position":[[569,13]]},"3166":{"position":[[575,13]]},"3177":{"position":[[462,13]]},"3179":{"position":[[530,13]]},"3181":{"position":[[615,13]]},"3183":{"position":[[511,13]]},"3190":{"position":[[421,13]]},"3192":{"position":[[495,13]]},"3239":{"position":[[920,13]]},"3241":{"position":[[934,13]]},"3243":{"position":[[1049,13]]}}}],["13t13:26:44z",{"_index":2809,"t":{"3245":{"position":[[1949,13]]},"3257":{"position":[[2140,13]]}}}],["13t13:26:50z",{"_index":2797,"t":{"3245":{"position":[[726,13]]},"3257":{"position":[[917,13]]}}}],["14.2",{"_index":1022,"t":{"2627":{"position":[[1006,4]]}}}],["1500",{"_index":719,"t":{"2564":{"position":[[242,4]]}}}],["16",{"_index":1744,"t":{"2824":{"position":[[199,2],[223,2]]},"2830":{"position":[[305,2],[351,2]]}}}],["1600",{"_index":2651,"t":{"3114":{"position":[[412,4]]},"3116":{"position":[[393,4]]},"3134":{"position":[[406,4]]},"3187":{"position":[[378,4]]}}}],["1616",{"_index":2650,"t":{"3114":{"position":[[407,4]]},"3116":{"position":[[388,4]]},"3134":{"position":[[401,4]]},"3187":{"position":[[373,4]]}}}],["1:/etc/rancher/k3s/k3s.yaml",{"_index":797,"t":{"2581":{"position":[[619,27]]}}}],["1:2379,https://etcd",{"_index":1040,"t":{"2631":{"position":[[1164,19]]}}}],["1cf71c22f568468055e517ab363437c0e54e45274c64024d337cc5bcce66341d",{"_index":2678,"t":{"3114":{"position":[[2480,64]]},"3116":{"position":[[2461,64]]},"3134":{"position":[[2474,64]]},"3187":{"position":[[2446,64]]}}}],["1s",{"_index":991,"t":{"2621":{"position":[[1351,3]]}}}],["2",{"_index":899,"t":{"2604":{"position":[[627,1],[1306,1]]},"2612":{"position":[[226,1]]},"2685":{"position":[[33,1]]},"2697":{"position":[[326,2],[466,2],[565,2]]},"2699":{"position":[[494,2],[738,1],[870,2],[956,1],[1048,1],[1095,1],[1233,2],[1309,2],[1678,1],[1814,1],[2746,2],[3113,1],[3250,1]]},"2701":{"position":[[798,2],[1165,1],[1302,1]]},"2802":{"position":[[570,1]]},"2816":{"position":[[146,1]]},"2824":{"position":[[150,1]]},"2830":{"position":[[258,1],[280,1]]},"2858":{"position":[[1491,1]]}}}],["2.1",{"_index":2614,"t":{"3089":{"position":[[836,6],[1755,6]]},"3160":{"position":[[966,6],[1885,6]]},"3195":{"position":[[860,6],[1779,6],[2090,3]]},"3197":{"position":[[749,6],[1668,6]]},"3199":{"position":[[774,6],[1693,6]]},"3201":{"position":[[926,6],[1845,6]]},"3203":{"position":[[752,6],[1671,6]]},"3205":{"position":[[784,6],[1703,6]]},"3207":{"position":[[883,6],[1802,6]]}}}],["2.2",{"_index":2618,"t":{"3089":{"position":[[965,6],[1794,6]]},"3160":{"position":[[1095,6],[1924,6]]},"3195":{"position":[[989,6],[1818,6]]},"3197":{"position":[[878,6],[1707,6],[1979,3]]},"3199":{"position":[[903,6],[1732,6]]},"3201":{"position":[[1055,6],[1884,6]]},"3203":{"position":[[881,6],[1710,6]]},"3205":{"position":[[913,6],[1742,6]]},"3207":{"position":[[1012,6],[1841,6]]}}}],["2.3",{"_index":2619,"t":{"3089":{"position":[[1089,6],[1834,6]]},"3160":{"position":[[1219,6],[1964,6]]},"3195":{"position":[[1113,6],[1858,6]]},"3197":{"position":[[1002,6],[1747,6]]},"3199":{"position":[[1027,6],[1772,6],[2004,3]]},"3201":{"position":[[1179,6],[1924,6]]},"3203":{"position":[[1005,6],[1750,6]]},"3205":{"position":[[1037,6],[1782,6]]},"3207":{"position":[[1136,6],[1881,6]]}}}],["2.4",{"_index":2620,"t":{"3089":{"position":[[1165,6],[1856,6]]},"3160":{"position":[[1295,6],[1986,6]]},"3195":{"position":[[1189,6],[1880,6]]},"3197":{"position":[[1078,6],[1769,6]]},"3199":{"position":[[1103,6],[1794,6]]},"3201":{"position":[[1255,6],[1946,6],[2156,3]]},"3203":{"position":[[1081,6],[1772,6]]},"3205":{"position":[[1113,6],[1804,6]]},"3207":{"position":[[1212,6],[1903,6]]}}}],["2.5",{"_index":2621,"t":{"3089":{"position":[[1292,6],[1905,6]]},"3160":{"position":[[1422,6],[2035,6]]},"3195":{"position":[[1316,6],[1929,6]]},"3197":{"position":[[1205,6],[1818,6]]},"3199":{"position":[[1230,6],[1843,6]]},"3201":{"position":[[1382,6],[1995,6]]},"3203":{"position":[[1208,6],[1821,6],[1982,3]]},"3205":{"position":[[1240,6],[1853,6]]},"3207":{"position":[[1339,6],[1952,6]]}}}],["2.6",{"_index":2622,"t":{"3089":{"position":[[1414,6],[1945,6]]},"3160":{"position":[[1544,6],[2075,6]]},"3195":{"position":[[1438,6],[1969,6]]},"3197":{"position":[[1327,6],[1858,6]]},"3199":{"position":[[1352,6],[1883,6]]},"3201":{"position":[[1504,6],[2035,6]]},"3203":{"position":[[1330,6],[1861,6]]},"3205":{"position":[[1362,6],[1893,6],[2014,3]]},"3207":{"position":[[1461,6],[1992,6]]}}}],["2.7",{"_index":2623,"t":{"3089":{"position":[[1495,6],[1983,6]]},"3160":{"position":[[1625,6],[2113,6]]},"3195":{"position":[[1519,6],[2007,6]]},"3197":{"position":[[1408,6],[1896,6]]},"3199":{"position":[[1433,6],[1921,6]]},"3201":{"position":[[1585,6],[2073,6]]},"3203":{"position":[[1411,6],[1899,6]]},"3205":{"position":[[1443,6],[1931,6]]},"3207":{"position":[[1542,6],[2030,6],[2113,3]]}}}],["2/2",{"_index":562,"t":{"2548":{"position":[[856,3]]}}}],["20",{"_index":1293,"t":{"2699":{"position":[[1693,3]]},"2926":{"position":[[549,3],[630,3]]},"2938":{"position":[[235,3]]},"2940":{"position":[[235,3]]}}}],["20.04",{"_index":1247,"t":{"2697":{"position":[[45,6]]},"2934":{"position":[[11,5]]}}}],["200",{"_index":1282,"t":{"2699":{"position":[[1072,3]]}}}],["2001:cafe:42::/56",{"_index":1922,"t":{"2878":{"position":[[588,20]]}}}],["2021",{"_index":900,"t":{"2604":{"position":[[691,4]]}}}],["2022",{"_index":750,"t":{"2573":{"position":[[341,4]]},"2858":{"position":[[1951,4]]}}}],["2023",{"_index":141,"t":{"2501":{"position":[[1494,4]]},"2620":{"position":[[130,4]]},"2812":{"position":[[112,4]]}}}],["2024",{"_index":1545,"t":{"2767":{"position":[[96,4]]},"2779":{"position":[[96,4]]},"2834":{"position":[[920,4]]}}}],["203.0.113.254/31",{"_index":1562,"t":{"2770":{"position":[[908,16]]}}}],["203.0.113.255",{"_index":1564,"t":{"2770":{"position":[[961,13]]}}}],["2048",{"_index":295,"t":{"2509":{"position":[[931,4]]}}}],["21.10",{"_index":784,"t":{"2579":{"position":[[423,7]]},"2814":{"position":[[1979,6]]}}}],["22",{"_index":1311,"t":{"2699":{"position":[[3128,3]]},"2701":{"position":[[1180,3]]}}}],["2318",{"_index":2658,"t":{"3114":{"position":[[621,4]]},"3116":{"position":[[602,4]]},"3134":{"position":[[615,4]]},"3187":{"position":[[587,4]]}}}],["2341",{"_index":2665,"t":{"3114":{"position":[[903,4]]},"3116":{"position":[[884,4]]},"3134":{"position":[[897,4]]},"3187":{"position":[[869,4]]}}}],["2379",{"_index":1720,"t":{"2818":{"position":[[785,4]]},"2820":{"position":[[49,4]]}}}],["2380",{"_index":1721,"t":{"2818":{"position":[[794,5]]},"2820":{"position":[[54,4]]}}}],["24h0m0",{"_index":995,"t":{"2621":{"position":[[1417,8]]}}}],["250",{"_index":1743,"t":{"2824":{"position":[[193,3]]},"2830":{"position":[[299,3]]},"2938":{"position":[[430,3]]},"2940":{"position":[[395,3]]}}}],["256",{"_index":2137,"t":{"2926":{"position":[[487,3],[493,3],[703,3],[709,3]]},"2942":{"position":[[160,3]]}}}],["279",{"_index":740,"t":{"2568":{"position":[[583,4]]}}}],["28m",{"_index":1220,"t":{"2691":{"position":[[758,3]]}}}],["2:2379,https://etcd",{"_index":1041,"t":{"2631":{"position":[[1189,19]]}}}],["2b1c8278a6a1_0",{"_index":628,"t":{"2548":{"position":[[2394,14],[2554,14]]}}}],["2gi",{"_index":2253,"t":{"2979":{"position":[[187,3]]},"2985":{"position":[[169,3]]}}}],["2m",{"_index":992,"t":{"2621":{"position":[[1355,3]]}}}],["2wz97",{"_index":565,"t":{"2548":{"position":[[905,5]]}}}],["2wz97_kube",{"_index":587,"t":{"2548":{"position":[[1476,10],[1793,10]]}}}],["3",{"_index":289,"t":{"2509":{"position":[[792,2]]},"2535":{"position":[[1269,1]]},"2697":{"position":[[141,1],[348,2],[587,2]]},"2699":{"position":[[777,1],[1322,2],[1716,1],[1874,1],[2759,2],[3151,1],[3310,1]]},"2701":{"position":[[811,2],[1203,1],[1362,1]]},"2758":{"position":[[177,1],[251,4]]},"2858":{"position":[[43,1]]}}}],["3.00",{"_index":2132,"t":{"2926":{"position":[[279,4],[383,4],[465,4]]},"2938":{"position":[[226,4]]},"2940":{"position":[[226,4]]},"2942":{"position":[[114,4]]}}}],["3.5.4",{"_index":1015,"t":{"2627":{"position":[[900,6]]}}}],["30",{"_index":1310,"t":{"2699":{"position":[[3090,3]]},"2701":{"position":[[1142,3]]},"3024":{"position":[[54,2],[122,2],[247,2]]},"3150":{"position":[[195,2]]}}}],["300",{"_index":1505,"t":{"2754":{"position":[[1223,3]]}}}],["30000",{"_index":1098,"t":{"2661":{"position":[[219,6]]},"2673":{"position":[[1684,6]]}}}],["3117",{"_index":747,"t":{"2573":{"position":[[128,6]]}}}],["3199",{"_index":2667,"t":{"3114":{"position":[[1185,4]]},"3116":{"position":[[1166,4]]},"3134":{"position":[[1179,4]]},"3187":{"position":[[1151,4]]}}}],["32",{"_index":1291,"t":{"2699":{"position":[[1655,3]]},"2824":{"position":[[226,2],[246,2]]},"2830":{"position":[[331,2]]}}}],["32767",{"_index":1099,"t":{"2661":{"position":[[226,6]]},"2673":{"position":[[1691,7]]},"3120":{"position":[[2651,5]]},"3122":{"position":[[2599,5]]},"3124":{"position":[[2468,5]]},"3126":{"position":[[2417,5]]},"3128":{"position":[[2430,5]]},"3130":{"position":[[2543,5]]},"3132":{"position":[[2504,5]]},"3136":{"position":[[2577,5]]},"3138":{"position":[[2558,5]]},"3140":{"position":[[2454,5]]},"3142":{"position":[[2570,5]]},"3144":{"position":[[2435,5]]},"3146":{"position":[[2350,5]]},"3156":{"position":[[2525,5]]},"3162":{"position":[[2567,5]]},"3164":{"position":[[2483,5]]},"3166":{"position":[[2489,5]]},"3239":{"position":[[2834,5]]},"3241":{"position":[[2848,5]]},"3243":{"position":[[2963,5]]}}}],["365",{"_index":53,"t":{"2497":{"position":[[49,3]]},"2542":{"position":[[29,4]]}}}],["3923",{"_index":2669,"t":{"3114":{"position":[[1467,4]]},"3116":{"position":[[1448,4]]},"3134":{"position":[[1461,4]]},"3187":{"position":[[1433,4]]}}}],["3:2379",{"_index":1042,"t":{"2631":{"position":[[1214,6]]}}}],["3e4d34729602",{"_index":567,"t":{"2548":{"position":[[1027,12]]}}}],["3h",{"_index":993,"t":{"2621":{"position":[[1359,4]]}}}],["3m12",{"_index":1297,"t":{"2699":{"position":[[1908,5]]}}}],["3m16",{"_index":1314,"t":{"2699":{"position":[[3344,5]]},"2701":{"position":[[1396,5]]}}}],["3m58",{"_index":1296,"t":{"2699":{"position":[[1848,5],[3284,5]]},"2701":{"position":[[1336,5]]}}}],["3rd",{"_index":1799,"t":{"2848":{"position":[[76,3]]}}}],["4",{"_index":949,"t":{"2612":{"position":[[228,1]]},"2683":{"position":[[584,1]]},"2824":{"position":[[152,1],[174,1]]},"2830":{"position":[[303,1]]},"2934":{"position":[[60,1],[100,1],[112,1]]}}}],["4.2.1",{"_index":2480,"t":{"3014":{"position":[[3088,5]]}}}],["4.2.10",{"_index":2513,"t":{"3014":{"position":[[4281,6],[4360,6]]}}}],["4.2.2",{"_index":2483,"t":{"3014":{"position":[[3161,5]]}}}],["4.2.3",{"_index":2486,"t":{"3014":{"position":[[3252,5]]}}}],["4.2.4",{"_index":2507,"t":{"3014":{"position":[[4093,5]]}}}],["4.2.6",{"_index":2506,"t":{"3014":{"position":[[4066,5]]}}}],["400",{"_index":2781,"t":{"3230":{"position":[[317,5]]}}}],["410a",{"_index":626,"t":{"2548":{"position":[[2384,4],[2544,4]]}}}],["4206",{"_index":590,"t":{"2548":{"position":[[1508,4],[1825,4]]}}}],["43",{"_index":563,"t":{"2548":{"position":[[870,3],[925,3]]}}}],["4367",{"_index":2803,"t":{"3245":{"position":[[1506,4]]},"3257":{"position":[[1697,4]]}}}],["436b85c5e38d",{"_index":583,"t":{"2548":{"position":[[1348,12]]}}}],["440",{"_index":2780,"t":{"3230":{"position":[[297,5]]}}}],["443",{"_index":1985,"t":{"2894":{"position":[[272,4]]},"2906":{"position":[[466,3],[637,3]]}}}],["443_svclb",{"_index":573,"t":{"2548":{"position":[[1110,9]]}}}],["444",{"_index":2779,"t":{"3230":{"position":[[277,5]]}}}],["4454d14e4d3f",{"_index":619,"t":{"2548":{"position":[[2236,12]]}}}],["4559",{"_index":2671,"t":{"3114":{"position":[[1749,4]]},"3116":{"position":[[1730,4]]},"3134":{"position":[[1743,4]]},"3187":{"position":[[1715,4]]}}}],["4647",{"_index":2674,"t":{"3114":{"position":[[2031,4]]},"3116":{"position":[[2012,4]]},"3134":{"position":[[2025,4]]},"3187":{"position":[[1997,4]]}}}],["47ef",{"_index":616,"t":{"2548":{"position":[[2211,4]]}}}],["48f37a480315b6adce2d2a5c5d67a85412dd0ba7a2e82816434e0deb9fa75de9",{"_index":2675,"t":{"3114":{"position":[[2198,64]]},"3116":{"position":[[2179,64]]},"3134":{"position":[[2192,64]]},"3187":{"position":[[2164,64]]}}}],["4b1fddbe6ca6",{"_index":631,"t":{"2548":{"position":[[2569,12]]}}}],["4bea",{"_index":606,"t":{"2548":{"position":[[2028,4],[2719,4]]}}}],["4c10",{"_index":2812,"t":{"3245":{"position":[[2729,4]]},"3257":{"position":[[2920,4]]}}}],["4c7e",{"_index":577,"t":{"2548":{"position":[[1160,4],[1323,4],[1664,4]]}}}],["4fb1",{"_index":625,"t":{"2548":{"position":[[2379,4],[2539,4]]}}}],["4k",{"_index":1669,"t":{"2812":{"position":[[232,2]]}}}],["4m22",{"_index":1295,"t":{"2699":{"position":[[1788,5]]}}}],["4m49",{"_index":1313,"t":{"2699":{"position":[[3224,5]]},"2701":{"position":[[1276,5]]}}}],["5",{"_index":436,"t":{"2535":{"position":[[261,1],[2139,1],[2149,3],[2254,2],[4775,4]]},"2600":{"position":[[563,2],[1551,2]]},"2646":{"position":[[874,1],[885,3],[998,2]]},"2673":{"position":[[4741,1],[4752,3],[4866,2]]},"2926":{"position":[[474,2]]},"2938":{"position":[[436,1]]},"2940":{"position":[[401,1]]},"2942":{"position":[[64,2]]},"3060":{"position":[[112,3]]},"3089":{"position":[[858,1],[987,1],[1187,1],[1314,1]]},"3160":{"position":[[988,1],[1117,1],[1317,1],[1444,1]]},"3195":{"position":[[882,1],[1011,1],[1211,1],[1338,1]]},"3197":{"position":[[771,1],[900,1],[1100,1],[1227,1]]},"3199":{"position":[[796,1],[925,1],[1125,1],[1252,1]]},"3201":{"position":[[948,1],[1077,1],[1277,1],[1404,1]]},"3203":{"position":[[774,1],[903,1],[1103,1],[1230,1]]},"3205":{"position":[[806,1],[935,1],[1135,1],[1262,1]]},"3207":{"position":[[905,1],[1034,1],[1234,1],[1361,1]]}}}],["5.2",{"_index":2337,"t":{"3006":{"position":[[1296,3]]}}}],["5.2.1",{"_index":2339,"t":{"3006":{"position":[[1475,5]]}}}],["5.2.2",{"_index":2351,"t":{"3006":{"position":[[1787,5]]}}}],["5.2.3",{"_index":2349,"t":{"3006":{"position":[[1758,5]]}}}],["5.2.4",{"_index":2347,"t":{"3006":{"position":[[1729,5]]}}}],["5.2.5",{"_index":2341,"t":{"3006":{"position":[[1521,5]]}}}],["5.2.6",{"_index":2354,"t":{"3006":{"position":[[1837,5]]}}}],["5.2.7/8/9",{"_index":2343,"t":{"3006":{"position":[[1561,9]]}}}],["5.7",{"_index":1016,"t":{"2627":{"position":[[925,4]]}}}],["50",{"_index":2178,"t":{"2938":{"position":[[427,2]]},"2940":{"position":[[392,2]]}}}],["500",{"_index":1746,"t":{"2824":{"position":[[219,3],[241,4]]},"2830":{"position":[[325,3],[346,4]]},"2938":{"position":[[395,3]]},"2940":{"position":[[360,3]]}}}],["5001",{"_index":1600,"t":{"2781":{"position":[[411,5]]},"2783":{"position":[[135,4]]},"2820":{"position":[[443,4]]}}}],["51",{"_index":549,"t":{"2548":{"position":[[645,3],[707,3],[766,3],[820,3]]},"2699":{"position":[[1115,2]]}}}],["512",{"_index":1693,"t":{"2816":{"position":[[158,3]]},"2926":{"position":[[406,3],[644,3]]},"2940":{"position":[[372,3]]}}}],["515",{"_index":663,"t":{"2554":{"position":[[238,3],[258,3]]}}}],["51820",{"_index":1713,"t":{"2818":{"position":[[183,5]]},"2820":{"position":[[291,5]]}}}],["51821",{"_index":1714,"t":{"2818":{"position":[[194,5]]},"2820":{"position":[[367,5]]}}}],["53",{"_index":2391,"t":{"3008":{"position":[[810,2],[835,2]]}}}],["5489f84d5d",{"_index":1399,"t":{"2736":{"position":[[871,10]]}}}],["5497",{"_index":2802,"t":{"3245":{"position":[[1501,4]]},"3257":{"position":[[1692,4]]}}}],["5h39m",{"_index":1647,"t":{"2802":{"position":[[540,5],[599,5]]}}}],["5m0",{"_index":1075,"t":{"2646":{"position":[[1729,5]]},"2673":{"position":[[5687,5]]}}}],["5s",{"_index":1268,"t":{"2699":{"position":[[682,2]]}}}],["6",{"_index":2652,"t":{"3114":{"position":[[417,1]]},"3116":{"position":[[398,1]]},"3134":{"position":[[411,1]]},"3187":{"position":[[383,1]]}}}],["6.4",{"_index":816,"t":{"2588":{"position":[[194,5]]}}}],["60",{"_index":2536,"t":{"3030":{"position":[[252,2],[419,2],[651,2]]},"3158":{"position":[[114,2]]}}}],["600",{"_index":1084,"t":{"2650":{"position":[[298,4]]},"2748":{"position":[[668,3]]},"3093":{"position":[[148,3]]},"3109":{"position":[[141,3]]},"3230":{"position":[[250,5],[268,5],[374,3]]}}}],["620c90a6c1c1_0",{"_index":608,"t":{"2548":{"position":[[2038,14],[2729,14]]}}}],["64",{"_index":1748,"t":{"2824":{"position":[[249,2]]},"2830":{"position":[[354,2]]}}}],["640",{"_index":2778,"t":{"3230":{"position":[[230,5]]}}}],["644",{"_index":1085,"t":{"2650":{"position":[[324,3]]},"2750":{"position":[[535,3]]},"3069":{"position":[[148,3]]},"3073":{"position":[[148,3]]},"3077":{"position":[[148,3]]},"3081":{"position":[[148,3]]},"3085":{"position":[[148,3]]},"3097":{"position":[[138,3],[369,4],[383,3]]},"3101":{"position":[[138,3],[379,4],[393,3]]},"3107":{"position":[[141,3]]},"3218":{"position":[[146,3]]},"3222":{"position":[[136,3],[380,3],[384,3]]},"3226":{"position":[[136,3],[271,5],[289,5],[311,3],[315,3]]},"3230":{"position":[[114,3],[210,5],[370,3]]},"3234":{"position":[[130,3]]}}}],["6443",{"_index":688,"t":{"2560":{"position":[[172,4]]},"2655":{"position":[[97,4]]},"2673":{"position":[[826,5]]},"2699":{"position":[[524,6],[2440,5]]},"2701":{"position":[[492,5]]},"2781":{"position":[[331,5]]},"2783":{"position":[[144,5]]},"2818":{"position":[[26,4]]},"2820":{"position":[[119,4],[529,4]]}}}],["6443/tcp",{"_index":770,"t":{"2577":{"position":[[100,8]]},"2814":{"position":[[1151,8]]}}}],["6443:6443",{"_index":793,"t":{"2581":{"position":[[387,9]]},"2699":{"position":[[2614,9]]},"2701":{"position":[[666,9]]}}}],["6444",{"_index":355,"t":{"2519":{"position":[[683,5]]},"2533":{"position":[[1939,5]]},"2673":{"position":[[9045,5]]}}}],["6488",{"_index":697,"t":{"2560":{"position":[[588,6]]}}}],["64d3517d4a95",{"_index":633,"t":{"2548":{"position":[[2744,12]]}}}],["64ffb68fd",{"_index":1396,"t":{"2736":{"position":[[810,9]]}}}],["65535",{"_index":2359,"t":{"3006":{"position":[[1929,5],[1984,5],[3014,5],[3069,5],[3427,5],[3901,5]]}}}],["6610",{"_index":2676,"t":{"3114":{"position":[[2313,4]]},"3116":{"position":[[2294,4]]},"3134":{"position":[[2307,4]]},"3187":{"position":[[2279,4]]}}}],["6ad9",{"_index":605,"t":{"2548":{"position":[[2023,4],[2714,4]]}}}],["6b82a38edd8f",{"_index":2814,"t":{"3245":{"position":[[2739,12]]},"3257":{"position":[[2930,12]]}}}],["6d59f47c7",{"_index":546,"t":{"2548":{"position":[[615,9],[1986,9],[2677,9]]}}}],["700",{"_index":2408,"t":{"3010":{"position":[[416,3]]},"3089":{"position":[[242,3],[1693,7],[2090,5],[2108,5],[2130,3]]},"3160":{"position":[[1823,7]]},"3195":{"position":[[1717,7]]},"3197":{"position":[[1606,7]]},"3199":{"position":[[1631,7]]},"3201":{"position":[[1783,7]]},"3203":{"position":[[1609,7]]},"3205":{"position":[[1641,7]]},"3207":{"position":[[1740,7]]}}}],["74",{"_index":1398,"t":{"2736":{"position":[[840,3],[902,3],[956,3]]}}}],["7566d596c8",{"_index":551,"t":{"2548":{"position":[[676,10],[2168,10]]}}}],["758cd5fc85",{"_index":564,"t":{"2548":{"position":[[894,10],[1465,10],[1782,10]]}}}],["76",{"_index":815,"t":{"2588":{"position":[[170,4]]}}}],["768",{"_index":2134,"t":{"2926":{"position":[[302,3],[412,3],[563,3],[650,3]]},"2938":{"position":[[407,3]]},"2940":{"position":[[406,3]]}}}],["777",{"_index":1473,"t":{"2748":{"position":[[756,3],[902,3]]}}}],["7c6a30aeeb2f",{"_index":596,"t":{"2548":{"position":[[1689,12]]}}}],["7c9ca4fb39e7_0",{"_index":592,"t":{"2548":{"position":[[1518,14],[1835,14]]}}}],["7zwkt",{"_index":1400,"t":{"2736":{"position":[[882,5]]}}}],["8",{"_index":1568,"t":{"2770":{"position":[[1348,2]]},"2824":{"position":[[176,1],[197,1]]},"2830":{"position":[[282,1],[329,1]]},"2934":{"position":[[68,1],[120,1]]}}}],["8.0",{"_index":1017,"t":{"2627":{"position":[[934,3]]}}}],["80",{"_index":691,"t":{"2560":{"position":[[251,3]]},"2590":{"position":[[604,2]]},"2894":{"position":[[265,2]]},"2900":{"position":[[838,3],[909,3]]},"2981":{"position":[[235,2]]},"2987":{"position":[[235,2]]}}}],["8080",{"_index":693,"t":{"2560":{"position":[[277,5],[290,5]]}}}],["80_svclb",{"_index":582,"t":{"2548":{"position":[[1274,8]]}}}],["8124m",{"_index":2131,"t":{"2926":{"position":[[268,5],[372,5],[454,5]]},"2938":{"position":[[215,5]]},"2940":{"position":[[215,5]]},"2942":{"position":[[103,5]]}}}],["8472",{"_index":1712,"t":{"2818":{"position":[[123,4],[1008,5]]},"2820":{"position":[[184,4]]}}}],["85cb69466",{"_index":1401,"t":{"2736":{"position":[[926,9]]}}}],["8655855d6",{"_index":558,"t":{"2548":{"position":[[790,9],[2342,9],[2502,9]]}}}],["896",{"_index":2136,"t":{"2926":{"position":[[308,3],[569,3]]},"2938":{"position":[[441,3]]}}}],["897ce3c5fc8f",{"_index":568,"t":{"2548":{"position":[[1040,12]]}}}],["89f5",{"_index":2811,"t":{"3245":{"position":[[2724,4]]},"3257":{"position":[[2915,4]]}}}],["8c7f",{"_index":2813,"t":{"3245":{"position":[[2734,4]]},"3257":{"position":[[2925,4]]}}}],["8d7a",{"_index":578,"t":{"2548":{"position":[[1165,4],[1328,4],[1669,4]]}}}],["8e7ac18f9cb0_0",{"_index":579,"t":{"2548":{"position":[[1170,14],[1333,14],[1674,14]]}}}],["8e82",{"_index":627,"t":{"2548":{"position":[[2389,4],[2549,4]]}}}],["9",{"_index":1379,"t":{"2730":{"position":[[1236,4],[1269,4],[1288,8]]}}}],["90",{"_index":59,"t":{"2497":{"position":[[132,2]]},"2542":{"position":[[56,3]]}}}],["90c4e63d6ee29d40a48c2fdaf2738c2472cba1139dde8a550466c452184f8528",{"_index":2668,"t":{"3114":{"position":[[1352,64]]},"3116":{"position":[[1333,64]]},"3134":{"position":[[1346,64]]},"3187":{"position":[[1318,64]]}}}],["95th",{"_index":2166,"t":{"2932":{"position":[[625,4]]}}}],["98604672",{"_index":2794,"t":{"3245":{"position":[[686,8],[1382,8]]},"3257":{"position":[[877,8],[1573,8]]}}}],["9])?(\\\\.[a",{"_index":1381,"t":{"2730":{"position":[[1255,10]]}}}],["9]*[a",{"_index":1380,"t":{"2730":{"position":[[1246,5],[1279,5]]}}}],["9]16",{"_index":1004,"t":{"2621":{"position":[[2022,6]]}}}],["9]6.[a",{"_index":1003,"t":{"2621":{"position":[[2012,6]]}}}],["9d12f9848b99",{"_index":599,"t":{"2548":{"position":[[1863,12]]}}}],["9dd718864ce6",{"_index":610,"t":{"2548":{"position":[[2066,12]]}}}],["9s",{"_index":1294,"t":{"2699":{"position":[[1731,2]]}}}],["9tnck",{"_index":552,"t":{"2548":{"position":[[687,5]]}}}],["9tnck_kube",{"_index":613,"t":{"2548":{"position":[[2179,10]]}}}],["_",{"_index":1069,"t":{"2646":{"position":[[889,1],[893,2]]}}}],["_desired_",{"_index":1961,"t":{"2888":{"position":[[1999,9]]}}}],["a+x",{"_index":1441,"t":{"2744":{"position":[[511,3]]}}}],["a1",{"_index":2726,"t":{"3162":{"position":[[438,2]]}}}],["a70c",{"_index":2804,"t":{"3245":{"position":[[1511,4]]},"3257":{"position":[[1702,4]]}}}],["a73d",{"_index":607,"t":{"2548":{"position":[[2033,4],[2724,4]]}}}],["a88d",{"_index":617,"t":{"2548":{"position":[[2216,4]]}}}],["aarch64",{"_index":2169,"t":{"2934":{"position":[[25,7]]}}}],["aarch64/arm64",{"_index":1668,"t":{"2812":{"position":[[189,13]]}}}],["abil",{"_index":138,"t":{"2501":{"position":[[1407,7]]},"2620":{"position":[[55,7]]},"3020":{"position":[[204,7]]}}}],["abort",{"_index":1508,"t":{"2754":{"position":[[1281,6]]}}}],["abov",{"_index":247,"t":{"2505":{"position":[[947,5]]},"2604":{"position":[[1283,6]]},"2610":{"position":[[1034,6]]},"2635":{"position":[[275,7]]},"2693":{"position":[[249,6]]},"2734":{"position":[[42,6]]},"2744":{"position":[[1490,6]]},"2750":{"position":[[11,5]]},"2770":{"position":[[97,5]]},"2866":{"position":[[1037,5]]},"3006":{"position":[[2028,5],[2361,5]]},"3036":{"position":[[350,6]]},"3089":{"position":[[215,7]]},"3091":{"position":[[225,7]]}}}],["absenc",{"_index":1853,"t":{"2864":{"position":[[779,7]]}}}],["abus",{"_index":1732,"t":{"2818":{"position":[[1144,5]]}}}],["acceler",{"_index":2039,"t":{"2912":{"position":[[311,12]]}}}],["accept",{"_index":124,"t":{"2501":{"position":[[1040,11]]},"2868":{"position":[[262,9]]},"3020":{"position":[[320,8]]}}}],["access",{"_index":482,"t":{"2535":{"position":[[3189,6],[3203,6],[3507,6],[3522,6],[3849,6],[3864,6],[4640,6],[4655,6]]},"2616":{"position":[[354,6],[416,6]]},"2646":{"position":[[1362,6],[1400,6]]},"2661":{"position":[[1099,6],[1368,6]]},"2673":{"position":[[5291,6],[5316,6]]},"2683":{"position":[[689,9],[1103,6]]},"2695":{"position":[[559,6]]},"2699":{"position":[[297,6]]},"2723":{"position":[[523,6]]},"2767":{"position":[[380,6]]},"2770":{"position":[[1363,10]]},"2781":{"position":[[527,6]]},"2790":{"position":[[0,6],[136,6]]},"2792":{"position":[[345,6],[683,6]]},"2818":{"position":[[37,10],[627,10],[751,10],[911,8],[993,6]]},"2848":{"position":[[223,6]]},"2864":{"position":[[736,6],[1177,6],[1440,6]]},"2876":{"position":[[821,6]]},"2878":{"position":[[482,6]]},"2954":{"position":[[132,6]]},"3008":{"position":[[1041,7]]},"3010":{"position":[[316,6]]},"3020":{"position":[[215,7],[454,6],[507,6]]},"3040":{"position":[[157,7]]},"3044":{"position":[[222,6]]},"3215":{"position":[[131,6]]},"3268":{"position":[[69,6]]},"3272":{"position":[[56,6]]},"3274":{"position":[[108,6]]}}}],["accessmod",{"_index":2250,"t":{"2979":{"position":[[99,12]]},"2985":{"position":[[83,12]]}}}],["accompani",{"_index":2582,"t":{"3065":{"position":[[980,12]]}}}],["accomplish",{"_index":1586,"t":{"2775":{"position":[[40,12]]},"2948":{"position":[[193,12]]}}}],["accord",{"_index":2581,"t":{"3065":{"position":[[963,9]]}}}],["accordingli",{"_index":1682,"t":{"2814":{"position":[[757,12],[1457,12]]},"2990":{"position":[[677,12]]}}}],["account",{"_index":186,"t":{"2503":{"position":[[1121,7]]},"2505":{"position":[[1691,7],[1737,7]]},"2509":{"position":[[12,7],[74,7],[116,7],[213,7],[604,7]]},"2616":{"position":[[742,7]]},"2878":{"position":[[253,7]]},"2888":{"position":[[838,7]]},"2992":{"position":[[116,8]]},"3012":{"position":[[606,7],[1172,7]]},"3014":{"position":[[1573,7],[1602,7],[1682,7],[2723,7],[2814,7]]},"3032":{"position":[[26,7],[97,7],[235,7],[331,7],[382,7]]},"3044":{"position":[[28,8],[115,7],[184,7],[294,7],[369,8],[398,7],[467,7],[639,7],[686,8],[868,8]]},"3065":{"position":[[784,8]]},"3120":{"position":[[2369,7],[2439,7],[2510,7]]},"3122":{"position":[[2317,7],[2387,7],[2458,7]]},"3124":{"position":[[2186,7],[2256,7],[2327,7]]},"3126":{"position":[[2135,7],[2205,7],[2276,7]]},"3128":{"position":[[2148,7],[2218,7],[2289,7]]},"3130":{"position":[[2261,7],[2331,7],[2402,7]]},"3132":{"position":[[2222,7],[2292,7],[2363,7]]},"3136":{"position":[[2295,7],[2365,7],[2436,7]]},"3138":{"position":[[2276,7],[2346,7],[2417,7]]},"3140":{"position":[[2172,7],[2242,7],[2313,7]]},"3142":{"position":[[2288,7],[2358,7],[2429,7]]},"3144":{"position":[[2153,7],[2223,7],[2294,7]]},"3146":{"position":[[2068,7],[2138,7],[2209,7]]},"3156":{"position":[[180,7],[244,7],[449,7],[494,7],[2243,7],[2313,7],[2384,7]]},"3162":{"position":[[2285,7],[2355,7],[2426,7]]},"3164":{"position":[[2201,7],[2271,7],[2342,7]]},"3166":{"position":[[2207,7],[2277,7],[2348,7]]},"3177":{"position":[[1869,7],[1992,7]]},"3179":{"position":[[200,7],[342,7],[395,7],[1937,7],[2060,7]]},"3181":{"position":[[180,7],[251,9],[284,7],[434,7],[488,7],[2022,7],[2145,7]]},"3183":{"position":[[1918,7],[2041,7]]},"3239":{"position":[[2552,7],[2622,7],[2693,7]]},"3241":{"position":[[2566,7],[2636,7],[2707,7]]},"3243":{"position":[[2681,7],[2751,7],[2822,7]]},"3274":{"position":[[50,8],[194,7]]},"3276":{"position":[[68,8],[112,7]]}}}],["acct",{"_index":1978,"t":{"2888":{"position":[[3222,4]]},"3006":{"position":[[5312,4]]}}}],["accumul",{"_index":1467,"t":{"2748":{"position":[[495,11]]}}}],["achiev",{"_index":1719,"t":{"2818":{"position":[[682,9]]},"2874":{"position":[[186,7]]}}}],["acl",{"_index":1929,"t":{"2878":{"position":[[1234,4]]}}}],["act",{"_index":2035,"t":{"2912":{"position":[[135,4]]}}}],["action",{"_index":2519,"t":{"3020":{"position":[[153,7]]},"3270":{"position":[[121,8]]}}}],["activ",{"_index":893,"t":{"2604":{"position":[[317,6],[629,6],[1553,7],[1652,6]]},"2734":{"position":[[196,8]]},"3022":{"position":[[189,10]]},"3038":{"position":[[516,8]]},"3044":{"position":[[45,8]]}}}],["actual",{"_index":980,"t":{"2621":{"position":[[552,6]]},"2794":{"position":[[383,8]]},"3032":{"position":[[277,8]]},"3089":{"position":[[352,8]]},"3160":{"position":[[482,8]]},"3195":{"position":[[376,8]]},"3197":{"position":[[265,8]]},"3199":{"position":[[290,8]]},"3201":{"position":[[442,8]]},"3203":{"position":[[268,8]]},"3205":{"position":[[300,8]]},"3207":{"position":[[399,8]]}}}],["ad",{"_index":395,"t":{"2531":{"position":[[209,5]]},"2535":{"position":[[2810,5]]},"2598":{"position":[[173,6]]},"2681":{"position":[[355,6]]},"2685":{"position":[[377,5],[1014,6]]},"2777":{"position":[[907,5]]},"2785":{"position":[[804,5]]},"2804":{"position":[[13,5]]},"2904":{"position":[[0,6]]},"2946":{"position":[[624,6]]},"2962":{"position":[[135,6]]},"2998":{"position":[[814,6]]},"3010":{"position":[[1098,5]]},"3301":{"position":[[202,6]]}}}],["adapt",{"_index":2204,"t":{"2950":{"position":[[293,12]]}}}],["add",{"_index":392,"t":{"2531":{"position":[[82,4],[142,3],[313,3],[584,3]]},"2575":{"position":[[121,3],[192,3],[264,3]]},"2592":{"position":[[71,3]]},"2655":{"position":[[364,3]]},"2673":{"position":[[1138,3]]},"2683":{"position":[[962,4]]},"2687":{"position":[[155,3]]},"2693":{"position":[[211,3],[590,3]]},"2699":{"position":[[433,3],[802,3]]},"2770":{"position":[[807,3],[852,3],[904,3],[945,3]]},"2772":{"position":[[249,3]]},"2804":{"position":[[125,3]]},"2810":{"position":[[311,3]]},"2814":{"position":[[358,3],[429,3],[501,3]]},"2866":{"position":[[368,3]]},"2876":{"position":[[305,3]]},"2878":{"position":[[782,3]]},"2906":{"position":[[72,3]]},"2912":{"position":[[758,3]]},"3002":{"position":[[320,3]]},"3259":{"position":[[85,3]]},"3285":{"position":[[26,3]]},"3287":{"position":[[26,3]]},"3289":{"position":[[26,3]]},"3291":{"position":[[26,3]]},"3293":{"position":[[26,3]]},"3297":{"position":[[26,3]]},"3303":{"position":[[26,3]]},"3305":{"position":[[26,3]]},"3307":{"position":[[26,3]]}}}],["addit",{"_index":116,"t":{"2501":{"position":[[802,10]]},"2519":{"position":[[577,10]]},"2533":{"position":[[1833,10]]},"2535":{"position":[[4463,10],[4810,10]]},"2614":{"position":[[83,10]]},"2633":{"position":[[93,8]]},"2655":{"position":[[368,10]]},"2673":{"position":[[1142,10],[8939,10]]},"2683":{"position":[[970,10]]},"2685":{"position":[[55,10],[341,10]]},"2691":{"position":[[258,10],[947,10],[991,10]]},"2693":{"position":[[215,10]]},"2697":{"position":[[367,10],[487,10]]},"2730":{"position":[[14,10],[1345,10]]},"2734":{"position":[[52,8],[79,10]]},"2746":{"position":[[45,8]]},"2772":{"position":[[253,10]]},"2800":{"position":[[277,10],[378,10]]},"2814":{"position":[[68,10],[557,10],[1257,10]]},"2820":{"position":[[655,10]]},"2858":{"position":[[445,10],[527,10],[1357,10],[1645,10]]},"2866":{"position":[[1475,10]]},"2894":{"position":[[784,10]]},"2898":{"position":[[628,10]]},"2932":{"position":[[379,10]]},"2946":{"position":[[278,10],[631,10]]},"2950":{"position":[[55,9]]},"2994":{"position":[[152,10]]},"3006":{"position":[[2219,10],[2249,10],[6425,9]]},"3008":{"position":[[2695,10]]},"3014":{"position":[[4367,10]]},"3199":{"position":[[2245,10],[2485,10],[2725,10]]},"3205":{"position":[[2290,10]]}}}],["addition",{"_index":1259,"t":{"2699":{"position":[[208,13]]},"2862":{"position":[[1381,13]]},"2922":{"position":[[170,13]]}}}],["additionalloggingsources.k3s.enabled=tru",{"_index":849,"t":{"2592":{"position":[[324,41]]}}}],["addon",{"_index":1346,"t":{"2726":{"position":[[334,5],[510,6]]},"2728":{"position":[[68,6],[272,5]]},"2730":{"position":[[79,6],[341,5],[1356,5],[1495,5]]},"2734":{"position":[[4,6],[64,6],[185,6]]},"2736":{"position":[[263,5]]}}}],["addon.k3s.cattle.io",{"_index":1365,"t":{"2730":{"position":[[929,19]]}}}],["addr",{"_index":1561,"t":{"2770":{"position":[[899,4]]}}}],["address",{"_index":369,"t":{"2523":{"position":[[71,7],[142,7]]},"2533":{"position":[[2687,9],[2785,9]]},"2655":{"position":[[32,7],[63,7],[132,7],[176,7],[402,9]]},"2661":{"position":[[697,9],[1281,10],[1630,10],[1887,10]]},"2673":{"position":[[700,7],[734,7],[844,7],[874,7],[1176,9],[2239,9],[7752,9],[7850,9]]},"2675":{"position":[[705,7],[945,8]]},"2683":{"position":[[644,9]]},"2695":{"position":[[512,7]]},"2783":{"position":[[111,10]]},"2858":{"position":[[1153,9]]},"2866":{"position":[[208,9],[1796,7],[1817,8],[1882,7]]},"2876":{"position":[[878,10]]},"2900":{"position":[[348,7],[521,7]]},"2910":{"position":[[217,7]]},"2912":{"position":[[1227,9],[1253,7],[1353,9],[1892,7],[1945,9]]},"2928":{"position":[[36,7]]},"2998":{"position":[[149,7]]},"3016":{"position":[[209,9]]},"3114":{"position":[[854,7],[1136,7],[1418,7],[1700,7],[1982,7],[2264,7],[2546,7]]},"3116":{"position":[[835,7],[1117,7],[1399,7],[1681,7],[1963,7],[2245,7],[2527,7]]},"3120":{"position":[[1842,7]]},"3122":{"position":[[1790,7]]},"3124":{"position":[[1659,7]]},"3126":{"position":[[1608,7]]},"3128":{"position":[[1621,7]]},"3130":{"position":[[1734,7]]},"3132":{"position":[[1695,7]]},"3134":{"position":[[848,7],[1130,7],[1412,7],[1694,7],[1976,7],[2258,7],[2540,7]]},"3136":{"position":[[1768,7]]},"3138":{"position":[[1749,7]]},"3140":{"position":[[1645,7]]},"3142":{"position":[[1761,7]]},"3144":{"position":[[1626,7]]},"3146":{"position":[[1541,7]]},"3156":{"position":[[1716,7]]},"3162":{"position":[[1758,7]]},"3164":{"position":[[1674,7]]},"3166":{"position":[[1680,7]]},"3187":{"position":[[202,7],[297,8],[328,8],[820,7],[1102,7],[1384,7],[1666,7],[1948,7],[2230,7],[2512,7]]},"3192":{"position":[[184,7],[303,8],[337,8],[381,8]]},"3239":{"position":[[2025,7]]},"3241":{"position":[[2039,7]]},"3243":{"position":[[2154,7]]}}}],["address:6443",{"_index":1207,"t":{"2687":{"position":[[495,12]]}}}],["address=0.0.0.0",{"_index":2479,"t":{"3014":{"position":[[3047,15]]},"3245":{"position":[[774,15],[1997,15]]},"3257":{"position":[[965,15],[2188,15]]}}}],["address=127.0.0.1",{"_index":2428,"t":{"3014":{"position":[[326,17],[2268,17],[2320,17],[2864,17],[2889,17],[3809,17]]},"3120":{"position":[[995,17]]},"3122":{"position":[[943,17]]},"3124":{"position":[[812,17]]},"3126":{"position":[[761,17]]},"3128":{"position":[[774,17]]},"3130":{"position":[[887,17]]},"3132":{"position":[[848,17]]},"3136":{"position":[[921,17]]},"3138":{"position":[[902,17]]},"3140":{"position":[[798,17]]},"3142":{"position":[[914,17]]},"3144":{"position":[[779,17]]},"3146":{"position":[[694,17]]},"3156":{"position":[[869,17]]},"3162":{"position":[[911,17],[3052,17]]},"3164":{"position":[[827,17]]},"3166":{"position":[[833,17]]},"3177":{"position":[[723,17]]},"3179":{"position":[[791,17]]},"3181":{"position":[[876,17]]},"3183":{"position":[[772,17]]},"3190":{"position":[[644,17]]},"3192":{"position":[[718,17]]},"3239":{"position":[[1178,17]]},"3241":{"position":[[1192,17]]},"3243":{"position":[[1307,17]]},"3245":{"position":[[1326,17],[2549,17]]},"3257":{"position":[[1517,17],[2740,17]]}}}],["address=172.31.0.140",{"_index":2694,"t":{"3120":{"position":[[802,20]]},"3122":{"position":[[750,20]]},"3124":{"position":[[619,20]]},"3126":{"position":[[568,20]]},"3128":{"position":[[581,20]]},"3130":{"position":[[694,20]]},"3132":{"position":[[655,20]]},"3136":{"position":[[728,20]]},"3138":{"position":[[709,20]]},"3140":{"position":[[605,20]]},"3142":{"position":[[721,20]]},"3144":{"position":[[586,20]]},"3146":{"position":[[501,20]]},"3156":{"position":[[676,20]]},"3162":{"position":[[718,20]]},"3164":{"position":[[634,20]]},"3166":{"position":[[640,20]]},"3239":{"position":[[985,20]]},"3241":{"position":[[999,20]]},"3243":{"position":[[1114,20]]}}}],["adher",{"_index":1357,"t":{"2730":{"position":[[543,6]]}}}],["adjust",{"_index":2585,"t":{"3065":{"position":[[1866,6]]}}}],["admin",{"_index":77,"t":{"2499":{"position":[[384,6]]},"2650":{"position":[[116,5]]},"2673":{"position":[[2556,5]]},"3266":{"position":[[74,5],[301,5]]}}}],["administr",{"_index":954,"t":{"2614":{"position":[[143,14]]},"2616":{"position":[[402,13]]},"2637":{"position":[[107,13]]},"3022":{"position":[[247,14]]}}}],["admiss",{"_index":1938,"t":{"2888":{"position":[[282,10],[490,10]]},"2998":{"position":[[858,9]]},"3004":{"position":[[537,9]]},"3006":{"position":[[73,10],[1030,9]]},"3012":{"position":[[258,10],[806,9]]},"3014":{"position":[[484,9]]},"3018":{"position":[[16,9],[94,9],[501,9]]},"3020":{"position":[[16,9],[600,9]]},"3116":{"position":[[192,9],[290,9],[333,9]]},"3120":{"position":[[1234,9]]},"3122":{"position":[[1182,9]]},"3124":{"position":[[1051,9]]},"3126":{"position":[[1000,9]]},"3128":{"position":[[1013,9]]},"3130":{"position":[[248,9],[291,9],[453,9],[499,9],[1126,9]]},"3132":{"position":[[172,9],[360,9],[406,9],[466,9],[1087,9]]},"3134":{"position":[[162,9],[228,9],[350,9]]},"3136":{"position":[[162,9],[277,9],[426,9],[472,9],[530,9],[1160,9]]},"3138":{"position":[[261,9],[476,9],[520,9],[1141,9]]},"3140":{"position":[[163,9],[372,9],[416,9],[1037,9]]},"3142":{"position":[[255,9],[334,9],[479,9],[525,9],[1153,9]]},"3144":{"position":[[1018,9]]},"3146":{"position":[[933,9]]},"3156":{"position":[[1108,9]]},"3162":{"position":[[1150,9]]},"3164":{"position":[[1066,9]]},"3166":{"position":[[1072,9]]},"3239":{"position":[[1417,9]]},"3241":{"position":[[1431,9]]},"3243":{"position":[[1546,9]]},"3283":{"position":[[58,9]]},"3285":{"position":[[113,9]]},"3287":{"position":[[113,9]]},"3289":{"position":[[113,9]]},"3291":{"position":[[113,9]]},"3293":{"position":[[113,9]]},"3297":{"position":[[113,9]]},"3301":{"position":[[233,9]]},"3303":{"position":[[113,9]]},"3305":{"position":[[113,9]]},"3307":{"position":[[113,9]]}}}],["admissionconfigur",{"_index":1955,"t":{"2888":{"position":[[1206,22]]},"3006":{"position":[[457,22]]}}}],["advanc",{"_index":1408,"t":{"2740":{"position":[[126,8]]},"2990":{"position":[[421,8]]}}}],["advertis",{"_index":370,"t":{"2523":{"position":[[82,9],[153,9]]},"2533":{"position":[[2700,9],[2798,9]]},"2655":{"position":[[122,9],[207,9],[245,9],[308,9]]},"2673":{"position":[[834,9],[905,9],[979,9],[1039,9],[7765,9],[7863,9]]},"2792":{"position":[[854,10]]},"2868":{"position":[[100,13]]},"3014":{"position":[[189,9]]},"3120":{"position":[[792,9],[825,9]]},"3122":{"position":[[740,9],[773,9]]},"3124":{"position":[[609,9],[642,9]]},"3126":{"position":[[558,9],[591,9]]},"3128":{"position":[[571,9],[604,9]]},"3130":{"position":[[684,9],[717,9]]},"3132":{"position":[[645,9],[678,9]]},"3136":{"position":[[718,9],[751,9]]},"3138":{"position":[[699,9],[732,9]]},"3140":{"position":[[595,9],[628,9]]},"3142":{"position":[[711,9],[744,9]]},"3144":{"position":[[576,9],[609,9]]},"3146":{"position":[[491,9],[524,9]]},"3156":{"position":[[666,9],[699,9]]},"3162":{"position":[[708,9],[741,9]]},"3164":{"position":[[624,9],[657,9]]},"3166":{"position":[[630,9],[663,9]]},"3239":{"position":[[975,9],[1008,9]]},"3241":{"position":[[989,9],[1022,9]]},"3243":{"position":[[1104,9],[1137,9]]}}}],["ae",{"_index":895,"t":{"2604":{"position":[[361,3],[673,3],[712,3],[1752,3]]},"2960":{"position":[[169,3]]}}}],["ae6c58cab4a7",{"_index":598,"t":{"2548":{"position":[[1850,12]]}}}],["aes256",{"_index":105,"t":{"2501":{"position":[[552,6]]}}}],["aescbc",{"_index":2222,"t":{"2960":{"position":[[717,9]]},"3036":{"position":[[211,7]]},"3170":{"position":[[122,7],[187,6]]}}}],["aescbckey",{"_index":897,"t":{"2604":{"position":[[369,9],[681,9],[720,9]]},"2960":{"position":[[749,12]]}}}],["affect",{"_index":1404,"t":{"2736":{"position":[[1081,8]]},"3022":{"position":[[210,8]]}}}],["aforement",{"_index":2096,"t":{"2918":{"position":[[2376,14]]}}}],["ag",{"_index":544,"t":{"2548":{"position":[[576,3]]},"2691":{"position":[[706,3]]},"2699":{"position":[[1622,3],[3057,3]]},"2701":{"position":[[1109,3]]},"2736":{"position":[[771,3]]},"2802":{"position":[[504,3]]}}}],["again",{"_index":397,"t":{"2531":{"position":[[247,5]]},"2535":{"position":[[1164,5],[1750,6],[1801,5]]},"2621":{"position":[[844,6]]},"2742":{"position":[[1970,5]]},"2775":{"position":[[491,5]]}}}],["against",{"_index":1177,"t":{"2683":{"position":[[35,8]]},"2846":{"position":[[160,7]]},"2990":{"position":[[1937,7]]},"3050":{"position":[[1083,7]]},"3065":{"position":[[276,7],[921,7]]}}}],["agent",{"_index":3,"t":{"2484":{"position":[[215,5]]},"2492":{"position":[[13,5]]},"2494":{"position":[[248,5],[371,5]]},"2505":{"position":[[2287,7]]},"2507":{"position":[[2111,7]]},"2509":{"position":[[1430,6]]},"2511":{"position":[[55,6],[92,6]]},"2531":{"position":[[4,6]]},"2533":{"position":[[157,5],[174,5],[191,5]]},"2556":{"position":[[28,5]]},"2568":{"position":[[165,8]]},"2570":{"position":[[212,7]]},"2614":{"position":[[220,5],[228,5]]},"2616":{"position":[[254,5]]},"2618":{"position":[[16,5],[65,5],[220,5],[325,5],[416,5]]},"2620":{"position":[[266,5],[332,7]]},"2641":{"position":[[93,6],[154,5]]},"2643":{"position":[[251,5]]},"2648":{"position":[[111,5],[207,5],[268,6],[309,5],[373,5]]},"2661":{"position":[[848,7],[923,5],[990,7],[1045,7],[1166,6],[1192,5],[1323,7],[1450,5],[1557,5],[1703,5],[1810,5]]},"2669":{"position":[[228,5]]},"2673":{"position":[[2318,8],[2366,8],[2774,5],[2881,5],[2936,6],[2996,5],[3049,5]]},"2675":{"position":[[525,5],[766,5],[898,6],[1094,5],[1180,5]]},"2683":{"position":[[0,5]]},"2687":{"position":[[139,5],[212,5],[249,5],[301,5],[378,5],[453,5]]},"2697":{"position":[[537,5],[559,5],[581,5]]},"2699":{"position":[[1294,5],[1303,5],[1316,5],[1451,5],[1634,5],[1672,5],[1710,5],[2731,5],[2740,5],[2753,5],[2888,5],[3069,5],[3107,5],[3145,5]]},"2701":{"position":[[783,5],[792,5],[805,5],[940,5],[1121,5],[1159,5],[1197,5]]},"2740":{"position":[[180,5]]},"2742":{"position":[[1295,6],[1665,5],[1784,5]]},"2744":{"position":[[702,5],[745,5],[915,6],[934,5]]},"2772":{"position":[[264,7],[297,5]]},"2816":{"position":[[274,6],[341,6],[426,5],[515,6]]},"2820":{"position":[[124,6]]},"2854":{"position":[[25,5],[61,5]]},"2858":{"position":[[831,7]]},"2864":{"position":[[4,6],[163,5],[218,6],[409,5],[621,6],[965,5],[1132,7],[1244,5],[1280,5],[1490,5],[1600,5],[1772,5],[1851,5],[1961,5]]},"2866":{"position":[[415,7]]},"2874":{"position":[[659,6]]},"2876":{"position":[[450,7],[638,5],[696,5]]},"2918":{"position":[[1510,8],[1711,6],[1739,6],[2698,8],[2724,6]]},"2926":{"position":[[340,5],[422,5],[601,5],[660,5],[895,5],[905,5],[968,6]]},"2928":{"position":[[305,5],[489,7]]},"2930":{"position":[[519,6]]},"2932":{"position":[[574,5]]},"2936":{"position":[[98,6],[165,6]]},"2940":{"position":[[87,6]]},"2944":{"position":[[68,5],[157,6]]},"2946":{"position":[[737,5],[1197,5]]},"2948":{"position":[[115,5],[308,5]]},"2990":{"position":[[1374,5]]},"2994":{"position":[[124,5],[758,5],[829,5],[1536,5],[1555,5],[1660,5]]},"3048":{"position":[[185,5]]},"3056":{"position":[[154,6],[198,5],[276,6],[310,5]]}}}],["agent'",{"_index":1539,"t":{"2765":{"position":[[566,7]]}}}],["agent.service.env",{"_index":523,"t":{"2546":{"position":[[364,17]]}}}],["agent/data",{"_index":416,"t":{"2533":{"position":[[939,12]]}}}],["agent/flag",{"_index":429,"t":{"2533":{"position":[[3158,13],[3231,13]]},"2673":{"position":[[8223,13],[8296,13]]}}}],["agent/network",{"_index":427,"t":{"2533":{"position":[[2658,18],[2744,18],[2837,18],[2922,18],[2997,18],[3078,18]]},"2673":{"position":[[7723,18],[7809,18],[7902,18],[7987,18],[8062,18],[8143,18]]}}}],["agent/nod",{"_index":417,"t":{"2533":{"position":[[1025,12],[1080,12],[1135,12],[1219,12],[1313,12],[1500,12],[1639,12],[1719,12],[1993,12]]},"2673":{"position":[[6354,12],[6409,12],[6464,12],[6548,12],[6642,12],[6829,12],[8375,12],[8745,12],[8825,12]]}}}],["agent/runtim",{"_index":422,"t":{"2533":{"position":[[2135,15],[2298,15],[2430,15],[2534,15],[3421,15]]},"2673":{"position":[[6967,15],[7071,15],[7234,15],[7366,15],[7470,15],[7600,15]]}}}],["agent_external_ip",{"_index":1910,"t":{"2876":{"position":[[579,17],[917,17]]}}}],["agentless",{"_index":1125,"t":{"2669":{"position":[[247,9]]},"2864":{"position":[[678,9]]}}}],["aggreg",{"_index":2698,"t":{"3120":{"position":[[1277,10]]},"3122":{"position":[[1225,10]]},"3124":{"position":[[1094,10]]},"3126":{"position":[[1043,10]]},"3128":{"position":[[1056,10]]},"3130":{"position":[[1169,10]]},"3132":{"position":[[1130,10]]},"3136":{"position":[[1203,10]]},"3138":{"position":[[1184,10]]},"3140":{"position":[[1080,10]]},"3142":{"position":[[1196,10]]},"3144":{"position":[[1061,10]]},"3146":{"position":[[976,10]]},"3156":{"position":[[1151,10]]},"3162":{"position":[[1193,10]]},"3164":{"position":[[1109,10]]},"3166":{"position":[[1115,10]]},"3239":{"position":[[1460,10]]},"3241":{"position":[[1474,10]]},"3243":{"position":[[1589,10]]}}}],["ago",{"_index":571,"t":{"2548":{"position":[[1076,3],[1240,3],[1423,3],[1588,3],[1744,3],[1914,3],[2112,3],[2300,3],[2464,3],[2624,3]]}}}],["air",{"_index":1336,"t":{"2723":{"position":[[441,3]]},"2760":{"position":[[26,3],[81,3]]},"2763":{"position":[[58,3]]},"2765":{"position":[[58,3]]},"2770":{"position":[[314,3],[448,3],[1513,3],[1535,3]]},"2772":{"position":[[1397,3]]},"2775":{"position":[[13,3],[95,3]]},"2777":{"position":[[51,3]]},"2781":{"position":[[579,3]]},"2794":{"position":[[102,3]]},"2834":{"position":[[1304,3]]}}}],["airgap",{"_index":1533,"t":{"2763":{"position":[[494,6]]},"2765":{"position":[[394,6],[708,6],[807,6]]},"2767":{"position":[[500,6]]},"2770":{"position":[[256,6]]}}}],["al.(https://www.usenix.org/conference/fast16/techn",{"_index":813,"t":{"2588":{"position":[[64,54]]}}}],["alice=bob:noexecut",{"_index":1471,"t":{"2748":{"position":[[686,19],[969,19]]}}}],["alloc",{"_index":1858,"t":{"2864":{"position":[[1749,11]]},"2912":{"position":[[1214,9]]},"3014":{"position":[[2288,8]]},"3177":{"position":[[526,8]]},"3179":{"position":[[594,8]]},"3181":{"position":[[679,8]]},"3183":{"position":[[575,8]]}}}],["allow",{"_index":511,"t":{"2535":{"position":[[4852,6]]},"2577":{"position":[[94,5],[124,5],[165,5]]},"2650":{"position":[[333,5]]},"2661":{"position":[[1239,5],[1588,5],[1845,5]]},"2675":{"position":[[760,5]]},"2681":{"position":[[1377,5]]},"2695":{"position":[[290,6]]},"2779":{"position":[[236,6]]},"2785":{"position":[[34,6]]},"2787":{"position":[[403,5],[533,5]]},"2792":{"position":[[572,5]]},"2814":{"position":[[1145,5],[1175,5],[1216,5]]},"2820":{"position":[[646,8]]},"2826":{"position":[[212,6]]},"2862":{"position":[[398,7],[781,7]]},"2864":{"position":[[211,6]]},"2866":{"position":[[1336,5]]},"2876":{"position":[[815,5]]},"2898":{"position":[[209,6]]},"2904":{"position":[[119,5]]},"2952":{"position":[[215,8]]},"2996":{"position":[[3,5]]},"3006":{"position":[[2272,6]]},"3008":{"position":[[578,8],[623,5],[1035,5],[1361,5],[1575,5],[1816,5],[2044,5],[2258,5],[2499,5]]},"3014":{"position":[[211,5],[1273,7]]},"3030":{"position":[[115,6]]},"3032":{"position":[[308,6]]},"3120":{"position":[[847,5],[2078,7]]},"3122":{"position":[[795,5],[2026,7]]},"3124":{"position":[[664,5],[1895,7]]},"3126":{"position":[[613,5],[1844,7]]},"3128":{"position":[[626,5],[1857,7]]},"3130":{"position":[[739,5],[1970,7]]},"3132":{"position":[[700,5],[1931,7]]},"3136":{"position":[[773,5],[2004,7]]},"3138":{"position":[[754,5],[1985,7]]},"3140":{"position":[[650,5],[1881,7]]},"3142":{"position":[[766,5],[1997,7]]},"3144":{"position":[[631,5],[1862,7]]},"3146":{"position":[[546,5],[1777,7]]},"3156":{"position":[[721,5],[1952,7]]},"3162":{"position":[[763,5],[1994,7]]},"3164":{"position":[[679,5],[1910,7]]},"3166":{"position":[[685,5],[1916,7]]},"3239":{"position":[[1030,5],[2261,7]]},"3241":{"position":[[1044,5],[2275,7]]},"3243":{"position":[[1159,5],[2390,7]]},"3329":{"position":[[64,5]]}}}],["allow_ip_forward",{"_index":1838,"t":{"2862":{"position":[[478,22],[861,22]]}}}],["allowedcap",{"_index":2366,"t":{"3006":{"position":[[3312,20],[3751,20]]},"3299":{"position":[[38,19]]}}}],["allowedunsafesysctl",{"_index":2368,"t":{"3006":{"position":[[3784,21]]}}}],["allowprivilegeescal",{"_index":2340,"t":{"3006":{"position":[[1481,25],[2654,25],[3281,25],[3719,25]]}}}],["along",{"_index":1764,"t":{"2834":{"position":[[1201,5]]},"3016":{"position":[[100,5]]}}}],["alongsid",{"_index":969,"t":{"2616":{"position":[[803,9]]},"2695":{"position":[[668,9]]}}}],["alphabet",{"_index":1460,"t":{"2748":{"position":[[206,12]]}}}],["alphanumer",{"_index":1374,"t":{"2730":{"position":[[1088,12],[1156,12]]}}}],["alpin",{"_index":2254,"t":{"2981":{"position":[[130,6]]},"2987":{"position":[[130,6]]}}}],["alreadi",{"_index":1198,"t":{"2685":{"position":[[272,7]]},"2693":{"position":[[362,8]]},"2736":{"position":[[273,7],[975,7]]},"2750":{"position":[[375,7]]},"2763":{"position":[[28,7]]},"2765":{"position":[[28,7]]},"2912":{"position":[[2494,7]]},"2918":{"position":[[604,7]]},"3136":{"position":[[250,7]]},"3158":{"position":[[145,8]]}}}],["alsologtostderr",{"_index":317,"t":{"2513":{"position":[[213,15]]},"2533":{"position":[[609,15]]},"2653":{"position":[[244,15]]},"2673":{"position":[[620,15]]}}}],["alter",{"_index":1349,"t":{"2728":{"position":[[374,8]]},"2742":{"position":[[497,7]]}}}],["altern",{"_index":1096,"t":{"2655":{"position":[[423,11]]},"2673":{"position":[[1197,11]]},"2683":{"position":[[1009,11]]},"2994":{"position":[[1825,14]]},"3114":{"position":[[65,9]]},"3156":{"position":[[200,14]]},"3210":{"position":[[26,11]]},"3310":{"position":[[167,9]]}}}],["altogeth",{"_index":2823,"t":{"3259":{"position":[[138,10]]}}}],["alway",{"_index":957,"t":{"2616":{"position":[[130,6]]},"2826":{"position":[[95,6]]},"2834":{"position":[[90,6]]},"2866":{"position":[[1850,6]]},"2912":{"position":[[393,6]]},"2994":{"position":[[2186,6]]}}}],["alwaysadmit",{"_index":2710,"t":{"3132":{"position":[[244,12],[439,13]]}}}],["alwaysallow",{"_index":2705,"t":{"3124":{"position":[[205,12],[450,13]]},"3241":{"position":[[801,13]]}}}],["alwayspullimag",{"_index":2711,"t":{"3134":{"position":[[201,17]]}}}],["amazon",{"_index":2000,"t":{"2898":{"position":[[437,6]]}}}],["amd64.tar.gz",{"_index":640,"t":{"2550":{"position":[[261,13]]}}}],["amd64.tar.zst",{"_index":1534,"t":{"2763":{"position":[[508,13]]},"2765":{"position":[[722,13],[821,13]]}}}],["amount",{"_index":2147,"t":{"2928":{"position":[[137,6],[359,6]]}}}],["analysi",{"_index":1698,"t":{"2816":{"position":[[365,8]]},"2926":{"position":[[911,8]]},"3026":{"position":[[458,9]]},"3028":{"position":[[444,9]]}}}],["and/or",{"_index":207,"t":{"2503":{"position":[[2285,6],[2665,6],[2731,6]]},"2531":{"position":[[153,6]]},"2787":{"position":[[203,6]]},"2800":{"position":[[293,6]]},"2840":{"position":[[118,6]]},"2948":{"position":[[610,6]]}}}],["annot",{"_index":2364,"t":{"3006":{"position":[[3200,12],[3638,12]]}}}],["anonym",{"_index":2423,"t":{"3014":{"position":[[235,9],[3065,9]]},"3112":{"position":[[172,9],[288,10]]},"3120":{"position":[[871,9]]},"3122":{"position":[[819,9]]},"3124":{"position":[[688,9]]},"3126":{"position":[[637,9]]},"3128":{"position":[[650,9]]},"3130":{"position":[[763,9]]},"3132":{"position":[[724,9]]},"3136":{"position":[[797,9]]},"3138":{"position":[[778,9]]},"3140":{"position":[[674,9]]},"3142":{"position":[[790,9]]},"3144":{"position":[[655,9]]},"3146":{"position":[[570,9]]},"3156":{"position":[[745,9]]},"3162":{"position":[[787,9]]},"3164":{"position":[[703,9]]},"3166":{"position":[[709,9]]},"3239":{"position":[[95,10],[327,9],[678,10],[724,9],[771,9],[825,9],[1054,9]]},"3241":{"position":[[1068,9]]},"3243":{"position":[[1183,9]]},"3245":{"position":[[792,9],[2015,9]]},"3257":{"position":[[983,9],[2206,9]]}}}],["anoth",{"_index":898,"t":{"2604":{"position":[[379,7]]},"2838":{"position":[[407,7]]},"2906":{"position":[[600,7]]},"2954":{"position":[[0,7]]},"2956":{"position":[[0,7]]},"2994":{"position":[[2545,7]]},"3089":{"position":[[1593,7]]},"3160":{"position":[[1723,7]]},"3195":{"position":[[1617,7]]},"3197":{"position":[[1506,7]]},"3199":{"position":[[1531,7]]},"3201":{"position":[[1683,7]]},"3203":{"position":[[1509,7]]},"3205":{"position":[[1541,7]]},"3207":{"position":[[1640,7]]}}}],["ansibl",{"_index":2207,"t":{"2952":{"position":[[74,8],[109,7],[141,7]]}}}],["anyon",{"_index":960,"t":{"2616":{"position":[[342,6]]},"2818":{"position":[[923,7]]}}}],["anywher",{"_index":1551,"t":{"2770":{"position":[[431,8]]}}}],["apach",{"_index":1485,"t":{"2754":{"position":[[389,6],[473,6]]}}}],["api",{"_index":7,"t":{"2486":{"position":[[123,4]]},"2488":{"position":[[151,4]]},"2490":{"position":[[58,4]]},"2499":{"position":[[391,3]]},"2501":{"position":[[776,3]]},"2535":{"position":[[2593,3],[2706,5]]},"2675":{"position":[[471,3]]},"2683":{"position":[[714,4]]},"2695":{"position":[[584,3]]},"2790":{"position":[[41,3]]},"2820":{"position":[[169,3]]},"2946":{"position":[[107,3]]},"3004":{"position":[[130,3]]},"3010":{"position":[[80,3],[673,3],[851,3]]},"3014":{"position":[[266,3]]},"3022":{"position":[[92,3]]},"3030":{"position":[[136,3],[495,3]]},"3034":{"position":[[211,3]]},"3044":{"position":[[247,3]]},"3050":{"position":[[762,4]]},"3112":{"position":[[35,3]]},"3114":{"position":[[121,3]]},"3116":{"position":[[35,3]]},"3118":{"position":[[45,3]]},"3120":{"position":[[139,3],[894,3]]},"3122":{"position":[[142,3],[842,3]]},"3124":{"position":[[35,3],[711,3]]},"3126":{"position":[[35,3],[660,3]]},"3128":{"position":[[35,3],[673,3]]},"3130":{"position":[[129,3],[786,3]]},"3132":{"position":[[35,3],[747,3]]},"3134":{"position":[[35,3]]},"3136":{"position":[[35,3],[820,3]]},"3138":{"position":[[125,3],[801,3]]},"3140":{"position":[[35,3],[697,3]]},"3142":{"position":[[128,3],[813,3]]},"3144":{"position":[[35,3],[678,3]]},"3146":{"position":[[35,3],[593,3]]},"3148":{"position":[[45,3]]},"3150":{"position":[[45,3]]},"3152":{"position":[[45,3]]},"3154":{"position":[[45,3]]},"3156":{"position":[[35,3],[768,3]]},"3158":{"position":[[79,3],[284,3]]},"3160":{"position":[[139,3]]},"3162":{"position":[[125,3],[810,3]]},"3164":{"position":[[125,3],[726,3]]},"3166":{"position":[[139,3],[732,3]]},"3168":{"position":[[116,3]]},"3172":{"position":[[35,3]]},"3239":{"position":[[1077,3]]},"3241":{"position":[[1091,3]]},"3243":{"position":[[1206,3]]},"3274":{"position":[[133,3]]}}}],["apigroup",{"_index":2373,"t":{"3006":{"position":[[4106,10],[4320,10],[4529,10],[4740,9],[4870,9],[5042,9],[5142,9],[5365,9],[5465,9],[5675,9]]}}}],["apiserv",{"_index":23,"t":{"2494":{"position":[[109,10],[439,10]]},"2519":{"position":[[546,9],[641,9]]},"2533":{"position":[[1802,9],[1897,9]]},"2575":{"position":[[139,10]]},"2577":{"position":[[109,10]]},"2655":{"position":[[189,9],[290,9]]},"2661":{"position":[[900,9],[1060,9],[1177,9],[1338,9],[1435,9],[1688,9]]},"2667":{"position":[[74,9],[119,9]]},"2673":{"position":[[887,9],[1021,9],[3455,9],[3508,9],[8908,9],[9003,9]]},"2754":{"position":[[1523,10]]},"2798":{"position":[[97,10]]},"2800":{"position":[[172,9]]},"2804":{"position":[[207,9]]},"2806":{"position":[[273,10]]},"2814":{"position":[[376,10],[1160,10]]},"2864":{"position":[[147,11],[721,9],[942,9],[1147,9],[1265,9],[1410,9],[1475,9],[1836,9]]},"2888":{"position":[[202,9],[473,9]]},"3006":{"position":[[194,9],[1008,9]]},"3010":{"position":[[873,9],[954,9],[1212,9],[1295,9]]},"3012":{"position":[[241,9],[781,9]]},"3014":{"position":[[177,9]]},"3018":{"position":[[544,9]]},"3020":{"position":[[643,9]]},"3022":{"position":[[526,9]]},"3024":{"position":[[366,9]]},"3026":{"position":[[541,9]]},"3028":{"position":[[527,9]]},"3030":{"position":[[751,9]]},"3032":{"position":[[132,9],[542,9]]},"3038":{"position":[[618,9]]},"3042":{"position":[[669,9]]},"3089":{"position":[[796,10]]},"3112":{"position":[[259,10]]},"3120":{"position":[[104,9],[489,10],[780,9]]},"3122":{"position":[[103,9],[472,10],[728,9]]},"3124":{"position":[[346,10],[597,9]]},"3126":{"position":[[312,10],[546,9]]},"3128":{"position":[[325,10],[559,9]]},"3130":{"position":[[416,10],[672,9]]},"3132":{"position":[[323,10],[633,9]]},"3136":{"position":[[389,10],[706,9]]},"3138":{"position":[[411,10],[687,9]]},"3140":{"position":[[307,10],[583,9]]},"3142":{"position":[[442,10],[699,9]]},"3144":{"position":[[303,10],[564,9]]},"3146":{"position":[[254,10],[479,9]]},"3156":{"position":[[384,10],[654,9]]},"3160":{"position":[[104,9],[926,10]]},"3162":{"position":[[99,10],[455,10],[696,9]]},"3164":{"position":[[99,10],[386,10],[612,9]]},"3166":{"position":[[104,9],[398,10],[618,9]]},"3168":{"position":[[440,10]]},"3172":{"position":[[992,10]]},"3177":{"position":[[859,9],[955,9]]},"3179":{"position":[[927,9],[1023,9]]},"3181":{"position":[[1012,9],[1108,9]]},"3183":{"position":[[908,9],[1004,9]]},"3195":{"position":[[820,10]]},"3197":{"position":[[709,10]]},"3199":{"position":[[734,10]]},"3201":{"position":[[886,10]]},"3203":{"position":[[712,10]]},"3205":{"position":[[744,10]]},"3207":{"position":[[843,10]]},"3213":{"position":[[138,10]]},"3239":{"position":[[558,10],[649,10],[963,9]]},"3241":{"position":[[544,10],[635,10],[977,9]]},"3243":{"position":[[600,10],[691,10],[1092,9]]}}}],["apiserver'",{"_index":1852,"t":{"2864":{"position":[[558,11]]}}}],["apiserver.config.k8s.io/v1",{"_index":1954,"t":{"2888":{"position":[[1173,26]]},"2960":{"position":[[625,29]]},"3006":{"position":[[424,26]]}}}],["apiserver.crt",{"_index":2443,"t":{"3014":{"position":[[980,13],[1876,13]]},"3120":{"position":[[1729,13],[2742,13]]},"3122":{"position":[[1677,13],[2690,13]]},"3124":{"position":[[1546,13],[2559,13]]},"3126":{"position":[[1495,13],[2508,13]]},"3128":{"position":[[1508,13],[2521,13]]},"3130":{"position":[[1621,13],[2634,13]]},"3132":{"position":[[1582,13],[2595,13]]},"3136":{"position":[[1655,13],[2668,13]]},"3138":{"position":[[1636,13],[2649,13]]},"3140":{"position":[[1532,13],[2545,13]]},"3142":{"position":[[1648,13],[2661,13]]},"3144":{"position":[[1513,13],[2526,13]]},"3146":{"position":[[1428,13],[2441,13]]},"3156":{"position":[[1603,13],[2616,13]]},"3162":{"position":[[1645,13],[2658,13]]},"3164":{"position":[[1561,13],[2574,13]]},"3166":{"position":[[1567,13],[2580,13]]},"3239":{"position":[[1912,13],[2925,13]]},"3241":{"position":[[1926,13],[2939,13]]},"3243":{"position":[[2041,13],[3054,13]]}}}],["apiserver.key",{"_index":2445,"t":{"3014":{"position":[[1059,13],[1967,13]]},"3120":{"position":[[1808,13],[2824,14]]},"3122":{"position":[[1756,13],[2772,14]]},"3124":{"position":[[1625,13],[2641,14]]},"3126":{"position":[[1574,13],[2590,14]]},"3128":{"position":[[1587,13],[2603,14]]},"3130":{"position":[[1700,13],[2716,14]]},"3132":{"position":[[1661,13],[2677,14]]},"3136":{"position":[[1734,13],[2750,14]]},"3138":{"position":[[1715,13],[2731,14]]},"3140":{"position":[[1611,13],[2627,14]]},"3142":{"position":[[1727,13],[2743,14]]},"3144":{"position":[[1592,13],[2608,14]]},"3146":{"position":[[1507,13],[2523,14]]},"3156":{"position":[[1682,13],[2698,14]]},"3162":{"position":[[1724,13],[2740,14]]},"3164":{"position":[[1640,13],[2656,14]]},"3166":{"position":[[1646,13],[2662,14]]},"3239":{"position":[[1991,13],[3007,14]]},"3241":{"position":[[2005,13],[3021,14]]},"3243":{"position":[[2120,13],[3136,14]]}}}],["apiserver.yaml",{"_index":2590,"t":{"3069":{"position":[[183,14]]},"3071":{"position":[[189,14]]},"3112":{"position":[[100,14]]},"3114":{"position":[[186,14]]},"3116":{"position":[[100,14]]},"3118":{"position":[[110,14]]},"3120":{"position":[[204,14]]},"3122":{"position":[[207,14]]},"3124":{"position":[[100,14]]},"3126":{"position":[[100,14]]},"3128":{"position":[[100,14]]},"3130":{"position":[[194,14]]},"3132":{"position":[[100,14]]},"3134":{"position":[[100,14]]},"3136":{"position":[[100,14]]},"3138":{"position":[[190,14]]},"3140":{"position":[[100,14]]},"3142":{"position":[[193,14]]},"3144":{"position":[[100,14]]},"3146":{"position":[[100,14]]},"3148":{"position":[[110,14]]},"3150":{"position":[[110,14]]},"3152":{"position":[[110,14]]},"3154":{"position":[[110,14]]},"3156":{"position":[[100,14]]},"3160":{"position":[[204,14]]},"3162":{"position":[[190,14]]},"3164":{"position":[[190,14]]},"3166":{"position":[[204,14]]},"3168":{"position":[[181,14]]},"3172":{"position":[[100,14]]}}}],["apivers",{"_index":668,"t":{"2554":{"position":[[613,11],[702,11]]},"2590":{"position":[[280,11]]},"2754":{"position":[[272,11],[327,11]]},"2756":{"position":[[463,11]]},"2888":{"position":[[1161,11],[1273,11],[1730,11]]},"2960":{"position":[[611,13]]},"2979":{"position":[[0,11]]},"2981":{"position":[[0,11]]},"2985":{"position":[[0,11]]},"2987":{"position":[[0,11]]},"2994":{"position":[[420,11],[769,11],[2253,11]]},"3006":{"position":[[412,11],[524,11],[1361,11],[2548,11],[3109,11],[3561,11],[4003,11],[4208,11],[4431,11],[4626,11],[4910,11],[5213,11],[5546,11],[5818,11],[6021,11],[6216,11]]},"3008":{"position":[[331,11],[659,11],[1292,11],[1506,11],[1747,11],[1975,11],[2189,11],[2430,11]]},"3010":{"position":[[730,11]]}}}],["app",{"_index":1149,"t":{"2675":{"position":[[569,4]]},"2687":{"position":[[188,4]]},"2930":{"position":[[146,3],[369,4]]},"2946":{"position":[[437,4]]},"3008":{"position":[[882,4],[1445,4],[2128,4],[2585,4]]}}}],["app.kubernetes.io/nam",{"_index":2400,"t":{"3008":{"position":[[1902,23]]}}}],["appear",{"_index":406,"t":{"2533":{"position":[[13,7]]},"2673":{"position":[[13,7]]},"2794":{"position":[[354,6]]},"2846":{"position":[[200,6]]}}}],["append",{"_index":296,"t":{"2509":{"position":[[938,6]]},"2519":{"position":[[99,6]]},"2533":{"position":[[1093,6]]},"2673":{"position":[[6422,6]]},"2748":{"position":[[300,8],[323,6]]},"2810":{"position":[[188,6]]},"2814":{"position":[[1710,9]]},"2878":{"position":[[437,6],[1062,9]]}}}],["appli",{"_index":1344,"t":{"2726":{"position":[[149,6],[427,8]]},"2834":{"position":[[1485,7]]},"2858":{"position":[[946,5],[1012,7],[1233,7]]},"2862":{"position":[[508,5],[555,7],[891,5],[939,7]]},"2983":{"position":[[174,5]]},"2990":{"position":[[1794,8]]},"2992":{"position":[[226,5],[492,8]]},"2998":{"position":[[273,7],[946,8]]},"3006":{"position":[[1233,7]]},"3008":{"position":[[55,7],[519,7]]},"3050":{"position":[[940,8]]},"3327":{"position":[[66,5]]}}}],["applic",{"_index":1984,"t":{"2894":{"position":[[173,13]]},"2946":{"position":[[534,13]]},"2950":{"position":[[235,13]]},"3065":{"position":[[1263,10],[1295,10]]},"3069":{"position":[[12,10]]},"3071":{"position":[[12,10]]},"3073":{"position":[[12,10]]},"3075":{"position":[[12,10]]},"3077":{"position":[[12,10]]},"3079":{"position":[[12,10]]},"3081":{"position":[[12,10]]},"3083":{"position":[[12,10]]},"3085":{"position":[[12,10]]},"3087":{"position":[[12,10]]},"3091":{"position":[[12,10]]},"3093":{"position":[[12,10]]},"3118":{"position":[[12,10]]},"3148":{"position":[[12,10]]},"3150":{"position":[[12,10]]},"3152":{"position":[[12,10]]},"3154":{"position":[[12,10]]},"3158":{"position":[[12,10]]},"3185":{"position":[[12,10]]},"3218":{"position":[[12,10]]},"3220":{"position":[[12,10]]},"3234":{"position":[[12,10]]},"3236":{"position":[[12,10]]},"3249":{"position":[[12,10]]},"3251":{"position":[[12,10]]},"3253":{"position":[[12,10]]},"3259":{"position":[[12,10]]},"3261":{"position":[[12,10]]},"3301":{"position":[[60,12],[125,12]]},"3315":{"position":[[47,11]]}}}],["approach",{"_index":1186,"t":{"2683":{"position":[[555,11]]},"2990":{"position":[[107,8]]}}}],["appropri",{"_index":157,"t":{"2503":{"position":[[212,11]]},"2765":{"position":[[277,11]]},"2770":{"position":[[1234,11]]},"2858":{"position":[[671,11]]},"2878":{"position":[[1222,11]]},"2990":{"position":[[371,11]]},"2998":{"position":[[825,11],[955,11]]},"3022":{"position":[[425,11]]},"3024":{"position":[[63,12]]},"3026":{"position":[[66,12]]},"3028":{"position":[[65,12]]},"3030":{"position":[[53,12],[183,11],[607,11]]},"3034":{"position":[[64,12]]},"3036":{"position":[[37,13],[147,11],[254,11]]},"3038":{"position":[[65,12],[485,11]]},"3150":{"position":[[207,11]]},"3152":{"position":[[210,11]]},"3154":{"position":[[199,11]]},"3158":{"position":[[489,11]]},"3175":{"position":[[206,11]]},"3201":{"position":[[101,11]]},"3255":{"position":[[100,11]]},"3329":{"position":[[74,11]]}}}],["approxim",{"_index":2532,"t":{"3026":{"position":[[384,11]]},"3028":{"position":[[370,11]]}}}],["apt",{"_index":658,"t":{"2554":{"position":[[171,3]]},"2579":{"position":[[473,3]]},"2699":{"position":[[398,3]]},"2814":{"position":[[2067,3]]},"2932":{"position":[[150,4]]}}}],["architectur",{"_index":1153,"t":{"2675":{"position":[[876,12]]},"2763":{"position":[[388,12]]},"2765":{"position":[[451,12]]},"2812":{"position":[[35,14]]},"2990":{"position":[[1556,12]]}}}],["archiv",{"_index":1532,"t":{"2763":{"position":[[371,7]]},"2765":{"position":[[434,7],[551,7]]},"2796":{"position":[[282,8]]}}}],["area",{"_index":2316,"t":{"3000":{"position":[[14,5]]},"3215":{"position":[[124,6]]}}}],["arg",{"_index":378,"t":{"2525":{"position":[[27,3],[86,3]]},"2533":{"position":[[3148,3],[3221,3]]},"2554":{"position":[[917,5]]},"2590":{"position":[[438,5]]},"2667":{"position":[[24,3],[84,3],[154,3],[233,3],[327,3],[405,3],[464,3]]},"2673":{"position":[[3465,3],[3533,3],[3610,3],[3697,3],[3790,3],[8213,3],[8286,3]]},"2888":{"position":[[212,3],[268,3],[483,4],[783,4],[872,4]]},"2994":{"position":[[1009,5]]},"3012":{"position":[[251,4],[551,4],[640,4],[791,4],[1117,4],[1206,4]]},"3018":{"position":[[554,4]]},"3020":{"position":[[653,4]]},"3022":{"position":[[536,4]]},"3024":{"position":[[376,4]]},"3026":{"position":[[551,4]]},"3028":{"position":[[537,4]]},"3030":{"position":[[761,4]]},"3032":{"position":[[552,4]]},"3038":{"position":[[628,4]]},"3042":{"position":[[679,4]]}}}],["arg=\"admiss",{"_index":2332,"t":{"3006":{"position":[[204,14]]}}}],["arg=\"en",{"_index":2334,"t":{"3006":{"position":[[1018,11]]}}}],["arg=\"nod",{"_index":1866,"t":{"2866":{"position":[[433,9],[497,9]]}}}],["arg='audit",{"_index":2413,"t":{"3010":{"position":[[883,10],[964,10]]}}}],["arg=audit",{"_index":2414,"t":{"3010":{"position":[[1222,9],[1305,9]]}}}],["argument",{"_index":474,"t":{"2535":{"position":[[2784,9]]},"2600":{"position":[[323,10],[521,9],[1219,10],[1457,9],[1706,9]]},"2602":{"position":[[259,10],[581,9],[1078,10],[1437,9]]},"2621":{"position":[[219,14]]},"2691":{"position":[[930,8]]},"2693":{"position":[[385,9]]},"2742":{"position":[[396,9],[2278,9]]},"2746":{"position":[[108,10],[467,10],[639,9],[703,9],[872,10],[953,9],[1000,9],[1040,9],[1168,8]]},"2772":{"position":[[794,9]]},"3010":{"position":[[834,9]]},"3014":{"position":[[58,9]]},"3018":{"position":[[467,8],[559,8]]},"3020":{"position":[[566,8],[658,8]]},"3022":{"position":[[33,8],[492,8],[541,8]]},"3024":{"position":[[35,8],[332,8],[381,8]]},"3026":{"position":[[38,8],[507,8],[556,8]]},"3028":{"position":[[36,8],[493,8],[542,8]]},"3030":{"position":[[34,8],[717,8],[766,8]]},"3032":{"position":[[41,8],[508,8],[557,8]]},"3034":{"position":[[45,8]]},"3038":{"position":[[46,8],[584,8],[633,8]]},"3042":{"position":[[44,8],[635,8],[684,8]]},"3089":{"position":[[93,8]]},"3091":{"position":[[103,8]]},"3239":{"position":[[144,10]]},"3241":{"position":[[130,10]]},"3243":{"position":[[173,10]]},"3245":{"position":[[120,10]]},"3247":{"position":[[157,10]]},"3249":{"position":[[142,10]]},"3251":{"position":[[143,10],[301,8]]},"3253":{"position":[[175,8]]},"3255":{"position":[[141,10]]},"3257":{"position":[[263,10]]},"3259":{"position":[[197,10],[351,8]]},"3263":{"position":[[446,10]]}}}],["arm",{"_index":1708,"t":{"2816":{"position":[[899,3]]}}}],["arm32",{"_index":2263,"t":{"2983":{"position":[[18,6]]}}}],["arm64",{"_index":1662,"t":{"2812":{"position":[[83,5]]}}}],["arm64/aarch64",{"_index":1660,"t":{"2812":{"position":[[63,13]]}}}],["armhf",{"_index":1659,"t":{"2812":{"position":[[57,5]]}}}],["around",{"_index":2328,"t":{"3004":{"position":[[71,6]]}}}],["arp",{"_index":1733,"t":{"2818":{"position":[[1192,3]]}}}],["array",{"_index":2836,"t":{"3299":{"position":[[130,6]]}}}],["asid",{"_index":2148,"t":{"2928":{"position":[[188,5],[410,5]]}}}],["assess",{"_index":2560,"t":{"3046":{"position":[[152,10]]}}}],["assign",{"_index":1121,"t":{"2661":{"position":[[1651,8]]},"2876":{"position":[[1025,8]]},"2912":{"position":[[1934,7]]},"3044":{"position":[[195,8],[519,12]]}}}],["associ",{"_index":1966,"t":{"2888":{"position":[[2591,10]]},"2996":{"position":[[354,10]]},"3008":{"position":[[1196,10]]}}}],["assum",{"_index":205,"t":{"2503":{"position":[[2178,6]]},"2697":{"position":[[71,6]]},"2742":{"position":[[1062,7],[1793,7]]},"2763":{"position":[[12,6]]},"2765":{"position":[[12,6]]},"2792":{"position":[[74,7]]},"2848":{"position":[[157,6]]},"2928":{"position":[[236,8]]}}}],["assumpt",{"_index":2584,"t":{"3065":{"position":[[1765,10]]}}}],["attach",{"_index":2034,"t":{"2912":{"position":[[40,9]]}}}],["attack",{"_index":953,"t":{"2612":{"position":[[338,7]]},"2818":{"position":[[1176,7]]},"2868":{"position":[[321,8]]},"3030":{"position":[[553,7]]},"3158":{"position":[[345,8]]}}}],["attempt",{"_index":441,"t":{"2535":{"position":[[706,7]]},"2730":{"position":[[1583,7]]},"2785":{"position":[[864,8]]},"2846":{"position":[[147,7]]},"2858":{"position":[[846,10]]},"2918":{"position":[[905,7]]},"2990":{"position":[[1712,10]]},"3050":{"position":[[858,10]]}}}],["audiences=https://kubernetes.default.svc.cluster.local,k3",{"_index":2695,"t":{"3120":{"position":[[898,58]]},"3122":{"position":[[846,58]]},"3124":{"position":[[715,58]]},"3126":{"position":[[664,58]]},"3128":{"position":[[677,58]]},"3130":{"position":[[790,58]]},"3132":{"position":[[751,58]]},"3136":{"position":[[824,58]]},"3138":{"position":[[805,58]]},"3140":{"position":[[701,58]]},"3142":{"position":[[817,58]]},"3144":{"position":[[682,58]]},"3146":{"position":[[597,58]]},"3156":{"position":[[772,58]]},"3162":{"position":[[814,58]]},"3164":{"position":[[730,58]]},"3166":{"position":[[736,58]]},"3239":{"position":[[1081,58]]},"3241":{"position":[[1095,58]]},"3243":{"position":[[1210,58]]}}}],["audiences=unknown",{"_index":2426,"t":{"3014":{"position":[[270,17]]}}}],["audit",{"_index":1940,"t":{"2888":{"position":[[561,6],[623,6],[684,6],[708,6],[735,6],[1419,6],[1439,5]]},"3004":{"position":[[141,8],[375,8],[399,5],[427,5]]},"3006":{"position":[[670,6],[690,5]]},"3010":{"position":[[61,5],[144,5],[161,8],[463,5]]},"3012":{"position":[[329,6],[391,6],[452,6],[476,6],[503,6],[895,6],[957,6],[1018,6],[1042,6],[1069,6]]},"3022":{"position":[[18,5],[68,8],[351,5],[437,5]]},"3024":{"position":[[18,5],[217,5]]},"3026":{"position":[[18,5]]},"3028":{"position":[[18,5]]},"3040":{"position":[[22,5]]},"3065":{"position":[[1024,6],[1075,5],[1226,5],[1689,8],[1877,7]]},"3089":{"position":[[260,5],[2025,5]]},"3095":{"position":[[175,6]]},"3097":{"position":[[152,6]]},"3099":{"position":[[158,6]]},"3101":{"position":[[160,6]]},"3103":{"position":[[166,6]]},"3105":{"position":[[172,6]]},"3107":{"position":[[171,6]]},"3109":{"position":[[171,6]]},"3112":{"position":[[193,6]]},"3114":{"position":[[282,6]]},"3116":{"position":[[211,6]]},"3120":{"position":[[423,6]]},"3122":{"position":[[406,6]]},"3124":{"position":[[280,6]]},"3126":{"position":[[246,6]]},"3128":{"position":[[259,6]]},"3130":{"position":[[350,6]]},"3132":{"position":[[257,6]]},"3134":{"position":[[271,6]]},"3136":{"position":[[323,6]]},"3138":{"position":[[345,6]]},"3140":{"position":[[241,6]]},"3142":{"position":[[376,6]]},"3144":{"position":[[237,6]]},"3146":{"position":[[188,6]]},"3148":{"position":[[165,5],[239,5],[280,5]]},"3150":{"position":[[165,5],[250,5]]},"3152":{"position":[[165,5],[244,5]]},"3154":{"position":[[165,5],[259,5]]},"3156":{"position":[[318,6]]},"3160":{"position":[[390,5],[2155,5]]},"3162":{"position":[[385,6]]},"3164":{"position":[[320,6]]},"3166":{"position":[[332,6]]},"3168":{"position":[[374,6]]},"3170":{"position":[[175,6]]},"3172":{"position":[[926,6]]},"3175":{"position":[[275,6]]},"3177":{"position":[[205,6]]},"3179":{"position":[[225,6]]},"3181":{"position":[[321,6]]},"3183":{"position":[[257,6]]},"3187":{"position":[[220,6]]},"3190":{"position":[[192,6]]},"3192":{"position":[[202,6]]},"3195":{"position":[[284,5],[2049,5]]},"3197":{"position":[[173,5],[1938,5]]},"3199":{"position":[[198,5],[1963,5]]},"3201":{"position":[[350,5],[2115,5]]},"3203":{"position":[[176,5],[1941,5]]},"3205":{"position":[[208,5],[1973,5]]},"3207":{"position":[[307,5],[2072,5]]},"3213":{"position":[[36,5],[72,6],[167,6]]},"3215":{"position":[[37,5]]},"3222":{"position":[[188,6]]},"3224":{"position":[[194,6]]},"3226":{"position":[[190,6]]},"3228":{"position":[[196,6]]},"3230":{"position":[[129,6]]},"3232":{"position":[[129,6]]},"3234":{"position":[[112,5]]},"3236":{"position":[[112,5]]},"3239":{"position":[[470,6]]},"3241":{"position":[[456,6]]},"3243":{"position":[[512,6]]},"3245":{"position":[[442,6]]},"3247":{"position":[[499,6]]},"3255":{"position":[[444,6]]},"3257":{"position":[[660,6]]},"3263":{"position":[[1085,6]]}}}],["audit.k8s.io/v1",{"_index":2412,"t":{"3010":{"position":[[742,15]]}}}],["audit.yaml",{"_index":2411,"t":{"3010":{"position":[[564,10]]}}}],["auditor",{"_index":2577,"t":{"3065":{"position":[[381,9]]}}}],["auth",{"_index":78,"t":{"2499":{"position":[[486,4]]},"2568":{"position":[[574,4]]},"2836":{"position":[[149,5],[172,4],[204,4]]},"2840":{"position":[[113,4],[543,4],[686,4],[744,4],[749,4],[805,4]]},"2842":{"position":[[260,5]]},"2844":{"position":[[263,5]]},"2878":{"position":[[293,4],[302,6],[945,4],[1106,4]]},"3014":{"position":[[1164,4],[1242,4]]},"3089":{"position":[[1080,8],[1405,8]]},"3112":{"position":[[299,5]]},"3114":{"position":[[250,4],[360,4]]},"3120":{"position":[[1969,4],[2047,4]]},"3122":{"position":[[1917,4],[1995,4]]},"3124":{"position":[[1786,4],[1864,4]]},"3126":{"position":[[1735,4],[1813,4]]},"3128":{"position":[[1748,4],[1826,4]]},"3130":{"position":[[1861,4],[1939,4]]},"3132":{"position":[[1822,4],[1900,4]]},"3136":{"position":[[1895,4],[1973,4]]},"3138":{"position":[[1876,4],[1954,4]]},"3140":{"position":[[1772,4],[1850,4]]},"3142":{"position":[[1888,4],[1966,4]]},"3144":{"position":[[1753,4],[1831,4]]},"3146":{"position":[[1668,4],[1746,4]]},"3156":{"position":[[1843,4],[1921,4]]},"3160":{"position":[[1210,8],[1535,8]]},"3162":{"position":[[1885,4],[1963,4]]},"3164":{"position":[[1801,4],[1879,4]]},"3166":{"position":[[1807,4],[1885,4]]},"3195":{"position":[[1104,8],[1429,8]]},"3197":{"position":[[993,8],[1318,8],[2015,5],[2048,5],[2125,5]]},"3199":{"position":[[1018,8],[1343,8]]},"3201":{"position":[[1170,8],[1495,8]]},"3203":{"position":[[996,8],[1321,8],[2018,5],[2051,5],[2128,5]]},"3205":{"position":[[1028,8],[1353,8]]},"3207":{"position":[[1127,8],[1452,8]]},"3239":{"position":[[689,5],[781,5],[2152,4],[2230,4]]},"3241":{"position":[[2166,4],[2244,4]]},"3243":{"position":[[2281,4],[2359,4]]}}}],["auth=\"name=tailscale,joinkey=$auth",{"_index":1925,"t":{"2878":{"position":[[839,34]]}}}],["auth=\"tru",{"_index":2757,"t":{"3197":{"position":[[161,11]]}}}],["auth=fals",{"_index":2424,"t":{"3014":{"position":[[245,10],[3075,10]]},"3112":{"position":[[182,10]]},"3120":{"position":[[881,10]]},"3122":{"position":[[829,10]]},"3124":{"position":[[698,10]]},"3126":{"position":[[647,10]]},"3128":{"position":[[660,10]]},"3130":{"position":[[773,10]]},"3132":{"position":[[734,10]]},"3136":{"position":[[807,10]]},"3138":{"position":[[788,10]]},"3140":{"position":[[684,10]]},"3142":{"position":[[800,10]]},"3144":{"position":[[665,10]]},"3146":{"position":[[580,10]]},"3156":{"position":[[755,10]]},"3162":{"position":[[797,10]]},"3164":{"position":[[713,10]]},"3166":{"position":[[719,10]]},"3239":{"position":[[337,10],[734,12],[835,10],[1064,10]]},"3241":{"position":[[1078,10]]},"3243":{"position":[[1193,10]]},"3245":{"position":[[802,10],[2025,10]]},"3257":{"position":[[993,10],[2216,10]]}}}],["auth=tru",{"_index":2627,"t":{"3089":{"position":[[1821,12],[1932,12]]},"3160":{"position":[[1951,12],[2062,12]]},"3195":{"position":[[1845,12],[1956,12]]},"3197":{"position":[[1734,12],[1845,12],[2103,9],[2150,9]]},"3199":{"position":[[1759,12],[1870,12]]},"3201":{"position":[[1911,12],[2022,12]]},"3203":{"position":[[166,9],[1737,12],[1848,12],[2106,9],[2153,9]]},"3205":{"position":[[1769,12],[1880,12]]},"3207":{"position":[[1868,12],[1979,12]]}}}],["authent",{"_index":322,"t":{"2515":{"position":[[89,14],[160,14]]},"2533":{"position":[[733,14],[812,14]]},"2606":{"position":[[56,12]]},"2608":{"position":[[122,12]]},"2610":{"position":[[274,12],[636,12],[1334,15]]},"2612":{"position":[[74,12]]},"2621":{"position":[[1166,12],[1196,15]]},"2790":{"position":[[263,12]]},"2792":{"position":[[457,14]]},"2832":{"position":[[526,15]]},"2840":{"position":[[237,12],[318,12],[593,14],[754,14]]},"2842":{"position":[[116,14],[139,14]]},"2844":{"position":[[120,14],[143,14]]},"3014":{"position":[[3096,14]]},"3032":{"position":[[165,14]]},"3114":{"position":[[90,15]]},"3162":{"position":[[2884,14]]},"3177":{"position":[[553,14]]},"3179":{"position":[[621,14]]},"3181":{"position":[[706,14]]},"3183":{"position":[[602,14]]},"3190":{"position":[[476,14]]},"3192":{"position":[[550,14]]},"3239":{"position":[[79,15]]},"3245":{"position":[[815,14],[2038,14]]},"3257":{"position":[[1006,14],[2229,14]]}}}],["authentication.x509.clientcafil",{"_index":2790,"t":{"3243":{"position":[[79,32]]}}}],["author",{"_index":172,"t":{"2503":{"position":[[694,10],[724,9]]},"2629":{"position":[[495,10]]},"2646":{"position":[[218,9]]},"2673":{"position":[[4038,9]]},"2790":{"position":[[125,10],[369,10]]},"3014":{"position":[[290,13],[3132,13]]},"3120":{"position":[[539,10],[959,13]]},"3122":{"position":[[282,9],[351,9],[522,10],[573,10],[907,13]]},"3124":{"position":[[155,13],[256,13],[375,14],[416,13],[776,13]]},"3126":{"position":[[155,13],[217,13],[341,14],[382,13],[725,13]]},"3128":{"position":[[155,13],[229,13],[354,14],[395,13],[738,13]]},"3130":{"position":[[851,13]]},"3132":{"position":[[812,13]]},"3136":{"position":[[885,13]]},"3138":{"position":[[866,13]]},"3140":{"position":[[762,13]]},"3142":{"position":[[878,13]]},"3144":{"position":[[743,13]]},"3146":{"position":[[658,13]]},"3156":{"position":[[833,13]]},"3162":{"position":[[875,13],[2966,13]]},"3164":{"position":[[262,9],[791,13]]},"3166":{"position":[[274,9],[797,13]]},"3177":{"position":[[636,13]]},"3179":{"position":[[704,13]]},"3181":{"position":[[789,13]]},"3183":{"position":[[685,13]]},"3190":{"position":[[558,13]]},"3192":{"position":[[632,13]]},"3207":{"position":[[105,9]]},"3239":{"position":[[1142,13]]},"3241":{"position":[[307,13],[664,14],[714,13],[767,13],[833,13],[1156,13]]},"3243":{"position":[[1271,13]]},"3245":{"position":[[851,13],[2074,13]]},"3257":{"position":[[1042,13],[2265,13]]}}}],["authorit",{"_index":98,"t":{"2501":{"position":[[401,13]]}}}],["authority=/var/lib/rancher/k3s/server/tls/serv",{"_index":2441,"t":{"3014":{"position":[[851,48]]},"3120":{"position":[[1600,48]]},"3122":{"position":[[1548,48]]},"3124":{"position":[[1417,48]]},"3126":{"position":[[1366,48]]},"3128":{"position":[[1379,48]]},"3130":{"position":[[1492,48]]},"3132":{"position":[[1453,48]]},"3136":{"position":[[1526,48]]},"3138":{"position":[[1507,48]]},"3140":{"position":[[1403,48]]},"3142":{"position":[[1519,48]]},"3144":{"position":[[1384,48]]},"3146":{"position":[[1299,48]]},"3156":{"position":[[1474,48]]},"3162":{"position":[[1516,48]]},"3164":{"position":[[1432,48]]},"3166":{"position":[[1438,48]]},"3239":{"position":[[1783,48]]},"3241":{"position":[[1797,48]]},"3243":{"position":[[1912,48]]}}}],["authority=::.nod",{"_index":11,"t":{"2492":{"position":[[351,11]]}}}],["hostipc",{"_index":2348,"t":{"3006":{"position":[[1735,8],[2862,8],[3363,8]]},"3289":{"position":[[126,7]]}}}],["hostnam",{"_index":792,"t":{"2581":{"position":[[360,8]]},"2655":{"position":[[379,9]]},"2673":{"position":[[1153,9]]},"2683":{"position":[[66,8],[981,8],[1134,9]]},"2691":{"position":[[566,8]]},"2697":{"position":[[275,9],[423,9],[515,9]]},"2754":{"position":[[567,9]]},"2810":{"position":[[31,9],[78,9],[94,9]]},"2834":{"position":[[531,8]]},"2870":{"position":[[83,8],[118,8]]},"3014":{"position":[[3829,8]]},"3245":{"position":[[1346,8],[2569,8]]},"3253":{"position":[[157,8]]},"3257":{"position":[[1537,8],[2760,8]]}}}],["hostnetwork",{"_index":2346,"t":{"3006":{"position":[[1702,12],[2843,12],[3377,12]]},"3291":{"position":[[126,11]]}}}],["hostpath",{"_index":2839,"t":{"3305":{"position":[[142,8]]}}}],["hostpid",{"_index":2350,"t":{"3006":{"position":[[1764,8],[2877,8],[3395,8]]},"3287":{"position":[[126,7]]}}}],["hostport",{"_index":1986,"t":{"2894":{"position":[[396,8]]},"3006":{"position":[[3409,10],[3883,10]]},"3307":{"position":[[147,8]]}}}],["hour",{"_index":460,"t":{"2535":{"position":[[2141,5]]},"2646":{"position":[[876,5]]},"2673":{"position":[[4743,5]]}}}],["hr9p5",{"_index":2795,"t":{"3245":{"position":[[695,5],[1391,5]]},"3257":{"position":[[886,5],[1582,5]]}}}],["http",{"_index":514,"t":{"2546":{"position":[[0,4]]},"2590":{"position":[[455,4]]},"2646":{"position":[[1678,5]]},"2655":{"position":[[73,5],[102,5]]},"2673":{"position":[[763,5],[798,5],[5631,5]]},"2699":{"position":[[2209,4]]},"2701":{"position":[[261,4]]},"2754":{"position":[[741,5],[908,5]]},"2844":{"position":[[487,7],[543,6]]},"2894":{"position":[[20,4]]},"3118":{"position":[[176,5]]}}}],["http.createserver(function(req",{"_index":835,"t":{"2590":{"position":[[479,31]]}}}],["http://registry.example.com:5000",{"_index":1794,"t":{"2844":{"position":[[190,34],[399,34]]}}}],["http_proxi",{"_index":515,"t":{"2546":{"position":[[157,11]]}}}],["http_proxy=http://your",{"_index":525,"t":{"2546":{"position":[[593,22]]}}}],["https://%{kubernetes_api}%/static/charts/traefik",{"_index":1514,"t":{"2754":{"position":[[1652,48]]}}}],["https://10.10.10.100:6443",{"_index":1288,"t":{"2699":{"position":[[1466,25]]}}}],["https://10.10.10.99:6443",{"_index":1308,"t":{"2699":{"position":[[2903,24]]},"2701":{"position":[[955,24]]}}}],["https:///v2",{"_index":1760,"t":{"2834":{"position":[[475,22]]},"2836":{"position":[[106,21]]}}}],["https://charts.bitnami.com/bitnami",{"_index":1486,"t":{"2754":{"position":[[431,34]]}}}],["https://charts.rancher.io",{"_index":844,"t":{"2592":{"position":[[90,25]]}}}],["https://etcd",{"_index":1039,"t":{"2631":{"position":[[1146,12]]}}}],["https://fix",{"_index":1206,"t":{"2687":{"position":[[468,13]]}}}],["https://get.k3s.io",{"_index":539,"t":{"2548":{"position":[[433,18]]},"2570":{"position":[[291,18]]},"2681":{"position":[[598,18]]},"2685":{"position":[[410,18]]},"2691":{"position":[[303,18],[489,18]]},"2699":{"position":[[1398,18],[2835,18]]},"2701":{"position":[[887,18]]},"2742":{"position":[[88,18],[769,18],[871,18],[975,18],[1114,18],[1209,18],[1368,18],[1484,18],[1604,18],[1700,18]]},"2750":{"position":[[256,18]]},"2772":{"position":[[919,18]]},"2775":{"position":[[398,18]]},"2800":{"position":[[111,18]]},"2802":{"position":[[265,18]]},"2916":{"position":[[74,18],[153,18],[713,18]]},"2918":{"position":[[88,18],[231,18],[2452,18]]},"2960":{"position":[[398,18]]},"3052":{"position":[[121,18],[338,18],[481,18]]}}}],["https://github.com/go",{"_index":1035,"t":{"2631":{"position":[[708,21]]}}}],["https://github.com/k3",{"_index":214,"t":{"2503":{"position":[[2519,22]]},"2505":{"position":[[1894,22]]},"2507":{"position":[[1675,22]]},"2562":{"position":[[148,22]]},"2744":{"position":[[439,22]]},"2765":{"position":[[736,22]]},"2770":{"position":[[1392,22]]}}}],["https://github.com/rancher/system",{"_index":2281,"t":{"2992":{"position":[[235,33]]}}}],["https://godoc.org/github.com/lib/pq",{"_index":1031,"t":{"2631":{"position":[[309,35]]}}}],["https://helm.sh/docs/intro/quickstart",{"_index":1478,"t":{"2752":{"position":[[178,40]]}}}],["https://index.docker.io/v2",{"_index":1759,"t":{"2834":{"position":[[398,27]]}}}],["https://k3s.example.com",{"_index":1424,"t":{"2742":{"position":[[1422,23],[1570,23]]},"2744":{"position":[[760,23]]}}}],["https://mirror.example.com",{"_index":1615,"t":{"2785":{"position":[[990,26]]},"2787":{"position":[[871,26]]}}}],["https://nvidia.github.io/libnvidia",{"_index":657,"t":{"2554":{"position":[[95,34]]}}}],["https://raw.githubusercontent.com/longhorn/longhorn/v1.5.1/deploy/longhorn.yaml",{"_index":2265,"t":{"2983":{"position":[[183,79]]}}}],["https://registry.example.com:5000",{"_index":1774,"t":{"2838":{"position":[[123,35],[719,35],[1365,35]]},"2842":{"position":[[186,35],[563,35]]}}}],["https://registry.example.com:5000/v2",{"_index":1758,"t":{"2834":{"position":[[322,37]]}}}],["https://releases.rancher.com/instal",{"_index":535,"t":{"2548":{"position":[[335,36]]}}}],["https://rke2",{"_index":2047,"t":{"2912":{"position":[[774,12]]}}}],["https://rootlesscontaine.r",{"_index":687,"t":{"2558":{"position":[[128,28]]},"2566":{"position":[[114,28]]}}}],["https://rootlesscontaine.rs/get",{"_index":698,"t":{"2562":{"position":[[0,35]]}}}],["https://rpm.rancher.io/k3s/latest/common/centos/7/noarch/k3",{"_index":805,"t":{"2583":{"position":[[376,60]]}}}],["https://tailscale.com/install.sh",{"_index":1924,"t":{"2878":{"position":[[685,32]]}}}],["https://update.k3s.io/v1",{"_index":2093,"t":{"2918":{"position":[[2169,24]]},"2994":{"position":[[2320,24]]}}}],["https://www.cni.dev/plugins/current/ipam/host",{"_index":2054,"t":{"2912":{"position":[[1517,45]]}}}],["https_proxi",{"_index":516,"t":{"2546":{"position":[[169,11]]}}}],["https_proxy=http://your",{"_index":527,"t":{"2546":{"position":[[639,23]]}}}],["human",{"_index":984,"t":{"2621":{"position":[[1064,5]]}}}],["hybrid",{"_index":1894,"t":{"2872":{"position":[[310,6]]}}}],["hybrid/multicloud",{"_index":1891,"t":{"2872":{"position":[[202,17]]}}}],["i.",{"_index":1876,"t":{"2866":{"position":[[1433,4]]},"2912":{"position":[[979,4]]}}}],["id",{"_index":15,"t":{"2492":{"position":[[424,3],[737,2],[785,3],[815,3]]},"2519":{"position":[[92,2],[106,2]]},"2533":{"position":[[1077,2],[1100,2]]},"2548":{"position":[[983,2]]},"2621":{"position":[[1624,3],[2066,3],[2352,3]]},"2673":{"position":[[6406,2],[6429,2]]},"2810":{"position":[[175,2]]},"3114":{"position":[[785,2],[1067,2],[1349,2],[1631,2],[1913,2],[2195,2],[2477,2]]},"3116":{"position":[[766,2],[1048,2],[1330,2],[1612,2],[1894,2],[2176,2],[2458,2]]},"3134":{"position":[[779,2],[1061,2],[1343,2],[1625,2],[1907,2],[2189,2],[2471,2]]},"3187":{"position":[[751,2],[1033,2],[1315,2],[1597,2],[1879,2],[2161,2],[2443,2]]},"3199":{"position":[[2117,2],[2357,2],[2597,2]]},"3205":{"position":[[2162,2]]}}}],["ideal",{"_index":2405,"t":{"3010":{"position":[[256,8]]}}}],["ident",{"_index":916,"t":{"2608":{"position":[[139,8]]},"2610":{"position":[[797,8]]},"2744":{"position":[[1545,11]]},"2858":{"position":[[239,9]]},"2960":{"position":[[805,11]]}}}],["identifi",{"_index":907,"t":{"2604":{"position":[[1178,8]]},"2610":{"position":[[172,10]]},"2834":{"position":[[770,10]]},"3234":{"position":[[94,10]]},"3236":{"position":[[94,10]]},"3257":{"position":[[141,8]]},"3266":{"position":[[26,8]]}}}],["idl",{"_index":1949,"t":{"2888":{"position":[[901,4]]},"3012":{"position":[[669,4],[1235,4]]},"3247":{"position":[[361,4],[609,4]]}}}],["ifac",{"_index":375,"t":{"2523":{"position":[[243,5]]},"2533":{"position":[[2910,5]]},"2673":{"position":[[7975,5]]}}}],["ifnotpres",{"_index":2256,"t":{"2981":{"position":[[154,12]]},"2987":{"position":[[154,12]]}}}],["ignor",{"_index":1230,"t":{"2693":{"position":[[453,8]]},"2736":{"position":[[110,6]]},"2866":{"position":[[187,6]]}}}],["illustr",{"_index":1419,"t":{"2742":{"position":[[629,10]]}}}],["imag",{"_index":363,"t":{"2521":{"position":[[203,5],[262,5]]},"2533":{"position":[[1273,5],[1461,5],[2286,5],[2331,5]]},"2548":{"position":[[986,5]]},"2554":{"position":[[873,6]]},"2590":{"position":[[369,6]]},"2673":{"position":[[6602,5],[6790,5],[7222,5],[7267,5],[7659,6]]},"2723":{"position":[[333,5],[418,5]]},"2756":{"position":[[586,6]]},"2760":{"position":[[261,6]]},"2763":{"position":[[345,7],[364,6],[479,5],[501,6],[532,6],[630,6]]},"2765":{"position":[[249,6],[373,6],[401,5],[427,6],[544,6],[574,6],[715,6],[814,6]]},"2767":{"position":[[274,6],[309,5],[402,5],[431,6],[507,5]]},"2770":{"position":[[83,6],[122,6],[263,7]]},"2775":{"position":[[103,6]]},"2777":{"position":[[105,6],[276,5],[344,6],[785,6],[1003,6]]},"2779":{"position":[[277,6]]},"2781":{"position":[[369,6],[421,5],[455,5],[559,6],[587,5]]},"2783":{"position":[[207,6]]},"2785":{"position":[[61,6],[130,6],[283,6],[342,6],[606,6],[852,6]]},"2787":{"position":[[168,6],[543,5]]},"2792":{"position":[[303,6],[385,6],[487,5],[605,6],[698,6],[725,5],[789,5],[937,5],[982,5]]},"2794":{"position":[[0,6],[59,6],[157,5],[347,6],[450,6],[520,6],[545,5],[595,6]]},"2796":{"position":[[144,6],[233,5],[255,6],[276,5],[415,6]]},"2832":{"position":[[83,6],[664,6]]},"2834":{"position":[[627,5],[705,6]]},"2838":{"position":[[226,5],[472,6],[833,5],[981,5],[1212,5],[1496,6],[1569,5],[1667,5]]},"2846":{"position":[[48,6]]},"2848":{"position":[[10,6],[133,7],[377,6],[502,6],[653,6]]},"2930":{"position":[[548,5]]},"2946":{"position":[[877,7],[985,5],[1080,5]]},"2948":{"position":[[384,5]]},"2981":{"position":[[110,6]]},"2987":{"position":[[110,6]]},"2994":{"position":[[703,6],[1039,6],[1110,6]]},"3014":{"position":[[4198,5]]},"3245":{"position":[[1723,5],[2946,5]]},"3257":{"position":[[1914,5],[3137,5]]},"3320":{"position":[[72,5]]}}}],["image=rancher/mirror",{"_index":2807,"t":{"3245":{"position":[[1551,22],[2774,22]]},"3257":{"position":[[1742,22],[2965,22]]}}}],["imagepullpolici",{"_index":2255,"t":{"2981":{"position":[[137,16]]},"2987":{"position":[[137,16]]}}}],["images.txt",{"_index":1800,"t":{"2848":{"position":[[290,10],[402,10]]}}}],["images/$1",{"_index":1789,"t":{"2838":{"position":[[1450,10]]}}}],["images/mirror",{"_index":1787,"t":{"2838":{"position":[[1306,15]]}}}],["immedi",{"_index":500,"t":{"2535":{"position":[[4190,9]]}}}],["impact",{"_index":1700,"t":{"2816":{"position":[[401,6]]},"2874":{"position":[[439,6]]},"2944":{"position":[[43,6]]}}}],["imperson",{"_index":2832,"t":{"3280":{"position":[[53,12]]}}}],["implement",{"_index":1807,"t":{"2858":{"position":[[65,10]]},"2896":{"position":[[67,14]]},"2898":{"position":[[305,15],[502,15]]},"2950":{"position":[[9,12]]},"3065":{"position":[[1641,15]]},"3210":{"position":[[106,11]]}}}],["implicit",{"_index":1755,"t":{"2834":{"position":[[18,8]]}}}],["implicitli",{"_index":948,"t":{"2612":{"position":[[163,10]]},"2834":{"position":[[759,10]]}}}],["import",{"_index":1231,"t":{"2693":{"position":[[462,10]]},"2744":{"position":[[1096,9]]},"2763":{"position":[[525,6]]},"2781":{"position":[[566,8]]},"2792":{"position":[[956,10]]},"2794":{"position":[[507,6]]},"2796":{"position":[[313,6]]},"2818":{"position":[[800,9]]},"2862":{"position":[[216,9]]},"2990":{"position":[[1170,8]]},"2994":{"position":[[1175,9]]},"3036":{"position":[[118,9]]},"3038":{"position":[[118,9]]},"3040":{"position":[[79,9]]}}}],["inaccess",{"_index":2538,"t":{"3030":{"position":[[337,12]]}}}],["inbound",{"_index":1681,"t":{"2814":{"position":[[625,7],[1325,7]]}}}],["includ",{"_index":240,"t":{"2505":{"position":[[729,10]]},"2507":{"position":[[2179,9]]},"2509":{"position":[[386,8]]},"2604":{"position":[[25,8]]},"2612":{"position":[[23,8]]},"2621":{"position":[[691,9]]},"2726":{"position":[[601,9]]},"2767":{"position":[[172,8]]},"2798":{"position":[[83,9]]},"2808":{"position":[[311,7]]},"2830":{"position":[[33,9]]},"2856":{"position":[[55,9]]},"2858":{"position":[[1885,8]]},"2860":{"position":[[718,7]]},"2894":{"position":[[1191,7],[1416,8]]},"2896":{"position":[[4,8]]},"2898":{"position":[[273,7]]},"2918":{"position":[[2308,8]]},"2926":{"position":[[752,8]]},"2930":{"position":[[391,9],[474,7]]},"2948":{"position":[[361,7]]},"3004":{"position":[[217,7]]},"3006":{"position":[[2129,7]]},"3050":{"position":[[543,9]]},"3058":{"position":[[233,9]]},"3065":{"position":[[581,9]]},"3126":{"position":[[200,8]]},"3128":{"position":[[200,8]]},"3132":{"position":[[236,7]]},"3134":{"position":[[193,7]]},"3136":{"position":[[193,7]]},"3138":{"position":[[321,7]]},"3140":{"position":[[213,7]]},"3142":{"position":[[299,8]]},"3185":{"position":[[209,7]]},"3274":{"position":[[205,7]]},"3295":{"position":[[155,9]]}}}],["incom",{"_index":1850,"t":{"2864":{"position":[[306,8]]}}}],["incorrect",{"_index":1054,"t":{"2643":{"position":[[180,9]]}}}],["increas",{"_index":1752,"t":{"2828":{"position":[[20,10]]},"2864":{"position":[[2093,9]]},"2868":{"position":[[282,8]]},"2874":{"position":[[329,8]]},"2946":{"position":[[553,8],[688,8]]}}}],["independ",{"_index":284,"t":{"2509":{"position":[[267,11]]},"2742":{"position":[[2161,11]]}}}],["indic",{"_index":903,"t":{"2604":{"position":[[885,9],[1082,9],[1331,10],[1569,9]]},"2994":{"position":[[1332,9]]}}}],["individu",{"_index":70,"t":{"2499":{"position":[[201,10]]},"2932":{"position":[[329,10]]},"3022":{"position":[[229,10]]}}}],["info",{"_index":912,"t":{"2604":{"position":[[1775,4]]},"2699":{"position":[[202,5],[355,5],[2237,5]]},"2701":{"position":[[289,5]]},"2830":{"position":[[112,5]]}}}],["inform",{"_index":85,"t":{"2501":{"position":[[79,11]]},"2511":{"position":[[321,11]]},"2535":{"position":[[4474,11]]},"2596":{"position":[[59,12]]},"2604":{"position":[[65,11],[1488,11]]},"2616":{"position":[[575,11],[1135,11],[1228,11]]},"2639":{"position":[[52,11]]},"2641":{"position":[[359,11]]},"2730":{"position":[[193,11]]},"2738":{"position":[[4,11]]},"2744":{"position":[[1506,11]]},"2767":{"position":[[531,11]]},"2770":{"position":[[1640,12]]},"2785":{"position":[[1403,11]]},"2814":{"position":[[648,12],[1348,12],[2114,11]]},"2846":{"position":[[363,11]]},"2850":{"position":[[584,12]]},"2862":{"position":[[226,11]]},"2878":{"position":[[894,11]]},"2890":{"position":[[293,11]]},"2894":{"position":[[489,11],[961,11],[1369,11]]},"2912":{"position":[[1504,12],[2616,11],[3448,11]]},"2962":{"position":[[230,12]]},"3010":{"position":[[386,12],[626,11]]},"3014":{"position":[[4378,11]]},"3065":{"position":[[549,11]]}}}],["infra",{"_index":2806,"t":{"3245":{"position":[[1535,5],[2758,5]]},"3257":{"position":[[1726,5],[2949,5]]}}}],["infrastructur",{"_index":2225,"t":{"2969":{"position":[[75,17]]}}}],["ingress",{"_index":1490,"t":{"2754":{"position":[[544,8]]},"2872":{"position":[[462,8]]},"2890":{"position":[[40,7]]},"2894":{"position":[[199,7]]},"2930":{"position":[[241,8]]},"3006":{"position":[[5928,8],[6127,8],[6326,8],[6457,7]]},"3008":{"position":[[441,8],[784,8],[911,7],[950,7],[1465,8],[1494,7],[1598,7],[1706,8],[1735,7],[1839,7],[1934,8],[1963,7],[2148,8],[2177,7],[2281,7],[2389,8],[2418,7],[2522,7],[2598,8],[2627,7]]},"3058":{"position":[[326,7]]}}}],["init",{"_index":491,"t":{"2535":{"position":[[3719,4]]},"2648":{"position":[[464,4]]},"2673":{"position":[[3187,4]]},"2691":{"position":[[170,4],[366,4]]},"2693":{"position":[[159,4],[406,5],[604,4]]},"2746":{"position":[[416,5],[618,4]]},"2758":{"position":[[274,4]]},"2798":{"position":[[39,4]]},"2800":{"position":[[157,4]]},"2806":{"position":[[254,5]]}}}],["initi",{"_index":151,"t":{"2503":{"position":[[66,7]]},"2505":{"position":[[2598,7]]},"2507":{"position":[[2397,7]]},"2612":{"position":[[280,7]]},"2648":{"position":[[486,10]]},"2673":{"position":[[3202,10]]},"2675":{"position":[[1073,9]]},"2683":{"position":[[375,7]]},"2693":{"position":[[330,11]]},"3089":{"position":[[588,13]]},"3160":{"position":[[718,13]]},"3195":{"position":[[612,13]]},"3197":{"position":[[501,13]]},"3199":{"position":[[526,13]]},"3201":{"position":[[678,13]]},"3203":{"position":[[504,13]]},"3205":{"position":[[536,13]]},"3207":{"position":[[635,13]]}}}],["insecur",{"_index":1073,"t":{"2646":{"position":[[1652,8]]},"2673":{"position":[[5600,8]]},"3014":{"position":[[804,8]]}}}],["insecure_skip_verifi",{"_index":1771,"t":{"2836":{"position":[[339,21]]},"2840":{"position":[[442,20]]}}}],["instal",{"_index":218,"t":{"2503":{"position":[[2657,7]]},"2505":{"position":[[2606,13]]},"2507":{"position":[[2405,13]]},"2509":{"position":[[340,7]]},"2548":{"position":[[728,7]]},"2554":{"position":[[175,7]]},"2579":{"position":[[477,7]]},"2583":{"position":[[312,7],[365,7]]},"2592":{"position":[[138,7],[250,7]]},"2675":{"position":[[27,10],[138,7]]},"2681":{"position":[[500,7],[981,12],[1029,8],[1079,9]]},"2683":{"position":[[879,7]]},"2695":{"position":[[30,7]]},"2697":{"position":[[128,9]]},"2699":{"position":[[361,7],[406,7],[1354,7],[2642,7],[2791,7]]},"2701":{"position":[[694,7],[843,7]]},"2723":{"position":[[39,10],[140,10],[233,10],[449,7],[717,7]]},"2734":{"position":[[337,9]]},"2742":{"position":[[55,12],[110,7],[462,13],[598,9],[1936,7],[1996,7],[2108,7],[2182,7],[2295,7]]},"2744":{"position":[[15,12],[298,14]]},"2746":{"position":[[249,8]]},"2750":{"position":[[164,12],[383,9]]},"2760":{"position":[[8,7]]},"2763":{"position":[[776,7]]},"2765":{"position":[[850,7]]},"2770":{"position":[[7,10],[147,8],[376,7],[416,7],[1222,7],[1564,7]]},"2772":{"position":[[8,7],[126,7],[614,7],[690,7]]},"2775":{"position":[[380,7],[626,11]]},"2814":{"position":[[1588,13],[2071,7]]},"2850":{"position":[[233,9],[257,12],[325,13]]},"2858":{"position":[[600,7],[641,7],[702,9],[2034,7],[2099,10]]},"2860":{"position":[[38,12],[249,12]]},"2862":{"position":[[42,7],[336,7]]},"2878":{"position":[[641,7]]},"2890":{"position":[[156,12]]},"2892":{"position":[[153,7],[187,7]]},"2894":{"position":[[1239,7],[1278,12]]},"2898":{"position":[[372,10]]},"2912":{"position":[[3073,7],[3094,7]]},"2918":{"position":[[55,12],[110,7],[283,7],[361,13],[1000,7],[1264,7],[2061,12]]},"2932":{"position":[[136,9]]},"2952":{"position":[[188,7],[290,12]]},"2960":{"position":[[458,10]]},"2990":{"position":[[975,7]]},"2992":{"position":[[37,9],[165,7]]},"2998":{"position":[[72,12]]},"3010":{"position":[[1074,10]]},"3048":{"position":[[33,12],[69,10]]},"3050":{"position":[[27,12]]},"3052":{"position":[[56,12]]},"3056":{"position":[[35,12]]},"3065":{"position":[[154,12],[1820,12]]}}}],["install.sh",{"_index":1552,"t":{"2770":{"position":[[477,11]]},"2772":{"position":[[233,12],[396,12],[1268,12]]}}}],["install_k3s_bin_dir",{"_index":2083,"t":{"2918":{"position":[[967,19],[1159,20]]}}}],["install_k3s_bin_dir_read_onli",{"_index":2084,"t":{"2918":{"position":[[1090,29]]}}}],["install_k3s_channel",{"_index":2095,"t":{"2918":{"position":[[2212,19]]}}}],["install_k3s_channel=latest",{"_index":2098,"t":{"2918":{"position":[[2473,26]]},"3052":{"position":[[359,26]]}}}],["install_k3s_channel_url",{"_index":2091,"t":{"2918":{"position":[[2090,23]]}}}],["install_k3s_exec",{"_index":1414,"t":{"2742":{"position":[[201,17],[353,16],[1135,18]]},"2918":{"position":[[1357,16]]}}}],["install_k3s_exec=\"ag",{"_index":1423,"t":{"2742":{"position":[[1389,23],[1505,24]]}}}],["install_k3s_exec=\"serv",{"_index":1420,"t":{"2742":{"position":[[790,25],[892,24]]},"2750":{"position":[[303,25]]}}}],["install_k3s_exec='arg",{"_index":1579,"t":{"2772":{"position":[[756,23]]}}}],["install_k3s_exec='serv",{"_index":1581,"t":{"2772":{"position":[[1139,24]]}}}],["install_k3s_nam",{"_index":2087,"t":{"2918":{"position":[[1601,16]]}}}],["install_k3s_selinux_warn",{"_index":2089,"t":{"2918":{"position":[[1907,24]]}}}],["install_k3s_selinux_warn=tru",{"_index":808,"t":{"2583":{"position":[[519,30]]}}}],["install_k3s_skip_download",{"_index":1566,"t":{"2770":{"position":[[1035,25]]},"2918":{"position":[[408,25]]}}}],["install_k3s_skip_download=tru",{"_index":1573,"t":{"2772":{"position":[[202,30],[309,30],[646,30],[1108,30]]},"2918":{"position":[[1195,31]]}}}],["install_k3s_skip_en",{"_index":2079,"t":{"2918":{"position":[[697,23]]}}}],["install_k3s_skip_enable=tru",{"_index":745,"t":{"2570":{"position":[[340,28]]}}}],["install_k3s_skip_selinux_rpm",{"_index":2090,"t":{"2918":{"position":[[1997,28]]}}}],["install_k3s_skip_selinux_rpm=tru",{"_index":802,"t":{"2583":{"position":[[220,34]]}}}],["install_k3s_skip_start",{"_index":2080,"t":{"2918":{"position":[[774,22]]}}}],["install_k3s_skip_start=tru",{"_index":744,"t":{"2570":{"position":[[312,27]]}}}],["install_k3s_symlink",{"_index":2077,"t":{"2918":{"position":[[487,19]]}}}],["install_k3s_systemd_dir",{"_index":2085,"t":{"2918":{"position":[[1227,23]]}}}],["install_k3s_typ",{"_index":2088,"t":{"2918":{"position":[[1798,16]]}}}],["install_k3s_vers",{"_index":2081,"t":{"2918":{"position":[[840,19]]}}}],["install_k3s_version=vx.y.z",{"_index":2567,"t":{"3052":{"position":[[502,26]]}}}],["installation/packag",{"_index":1479,"t":{"2752":{"position":[[463,27]]}}}],["instanc",{"_index":1229,"t":{"2693":{"position":[[226,9]]},"2894":{"position":[[1515,8]]},"2932":{"position":[[13,8]]}}}],["instead",{"_index":382,"t":{"2527":{"position":[[66,7]]},"2533":{"position":[[3468,7]]},"2669":{"position":[[122,7]]},"2673":{"position":[[7014,7]]},"2683":{"position":[[787,7]]},"2695":{"position":[[681,7]]},"2742":{"position":[[2234,7]]},"2748":{"position":[[373,7]]},"2772":{"position":[[713,7],[1056,8]]},"2785":{"position":[[1063,7]]},"2792":{"position":[[996,7]]},"2806":{"position":[[87,7]]},"2858":{"position":[[1203,7]]},"2860":{"position":[[760,7]]},"2864":{"position":[[1814,8]]},"2894":{"position":[[731,8]]},"2910":{"position":[[86,8]]},"2912":{"position":[[124,7]]},"2924":{"position":[[305,7],[694,7]]}}}],["instruct",{"_index":1326,"t":{"2723":{"position":[[22,12]]},"2872":{"position":[[22,12]]}}}],["integr",{"_index":118,"t":{"2501":{"position":[[938,9]]},"2507":{"position":[[750,9]]},"2728":{"position":[[466,10]]},"2792":{"position":[[943,9]]},"2874":{"position":[[245,11]]},"2878":{"position":[[59,9],[752,11]]},"2932":{"position":[[543,10]]},"2990":{"position":[[1609,11]]},"3018":{"position":[[329,9]]}}}],["intel(r",{"_index":2128,"t":{"2926":{"position":[[242,8],[346,8],[428,8]]},"2938":{"position":[[189,8]]},"2940":{"position":[[189,8]]},"2942":{"position":[[77,8]]}}}],["intend",{"_index":1567,"t":{"2770":{"position":[[1160,6]]},"2777":{"position":[[244,6]]},"2928":{"position":[[24,8]]}}}],["intens",{"_index":1703,"t":{"2816":{"position":[[685,10]]},"2912":{"position":[[241,9]]}}}],["inter",{"_index":1266,"t":{"2699":{"position":[[662,5]]}}}],["interact",{"_index":1289,"t":{"2699":{"position":[[1536,8],[2972,8]]},"2701":{"position":[[1024,8]]},"2796":{"position":[[114,8]]}}}],["interf",{"_index":2144,"t":{"2926":{"position":[[994,11]]}}}],["interfac",{"_index":40,"t":{"2494":{"position":[[640,11]]},"2523":{"position":[[284,9]]},"2533":{"position":[[2966,9]]},"2646":{"position":[[564,9]]},"2673":{"position":[[4425,10],[8031,9]]},"2699":{"position":[[988,9]]},"2770":{"position":[[541,9],[645,9]]},"2858":{"position":[[109,9]]},"2860":{"position":[[187,10]]},"2862":{"position":[[1198,11]]},"2866":{"position":[[297,9]]},"2872":{"position":[[417,10]]},"2912":{"position":[[67,10],[277,10],[593,9],[1017,10],[1067,11]]},"2956":{"position":[[190,9]]}}}],["interfer",{"_index":1701,"t":{"2816":{"position":[[497,12]]},"2944":{"position":[[139,12]]},"2948":{"position":[[146,9]]}}}],["intermedi",{"_index":168,"t":{"2503":{"position":[[465,12],[527,12],[1434,12],[1569,12],[1740,12],[2072,12],[2212,12],[2292,12],[2738,12]]},"2505":{"position":[[1316,12]]},"2507":{"position":[[999,12]]},"2990":{"position":[[1839,12]]},"3050":{"position":[[985,12]]}}}],["intermediate.key",{"_index":198,"t":{"2503":{"position":[[1825,16]]}}}],["intermediate.pem",{"_index":197,"t":{"2503":{"position":[[1808,16]]}}}],["intern",{"_index":1605,"t":{"2783":{"position":[[99,8]]},"2858":{"position":[[1214,8]]},"2876":{"position":[[856,8]]},"2900":{"position":[[557,8]]}}}],["internalip",{"_index":2028,"t":{"2910":{"position":[[191,10]]}}}],["internet",{"_index":1338,"t":{"2723":{"position":[[537,9]]},"2760":{"position":[[161,9]]},"2770":{"position":[[1354,8]]},"2998":{"position":[[207,8]]},"3065":{"position":[[807,8]]}}}],["interv",{"_index":437,"t":{"2535":{"position":[[309,8],[2101,8]]},"2646":{"position":[[836,8]]},"2673":{"position":[[4703,8]]},"2699":{"position":[[947,8]]}}}],["intervent",{"_index":2308,"t":{"2998":{"position":[[444,12]]},"3016":{"position":[[178,13]]}}}],["intra",{"_index":2386,"t":{"3006":{"position":[[5867,5],[6070,5],[6265,5]]},"3008":{"position":[[380,5]]}}}],["introduc",{"_index":1137,"t":{"2675":{"position":[[74,10]]},"2950":{"position":[[110,9]]}}}],["invalid",{"_index":256,"t":{"2505":{"position":[[1760,12]]},"2509":{"position":[[236,12],[971,12]]},"2730":{"position":[[971,8],[995,7]]}}}],["investig",{"_index":2526,"t":{"3024":{"position":[[171,11]]},"3026":{"position":[[248,13]]},"3028":{"position":[[247,13]]}}}],["involv",{"_index":2187,"t":{"2946":{"position":[[860,7],[1058,7]]}}}],["io",{"_index":1704,"t":{"2816":{"position":[[727,2]]},"2932":{"position":[[91,2]]},"2946":{"position":[[1040,2]]}}}],["io/etcd/releases/download/${etcd_version}/etcd",{"_index":637,"t":{"2550":{"position":[[192,46]]}}}],["io/k3",{"_index":810,"t":{"2585":{"position":[[289,6]]},"2770":{"position":[[1415,6]]},"2952":{"position":[[102,6]]}}}],["io/k3s/blob//k3",{"_index":700,"t":{"2562":{"position":[[171,25]]}}}],["io/k3s/blob/master/k3",{"_index":702,"t":{"2562":{"position":[[238,22]]}}}],["io/k3s/raw/master/contrib/util/gener",{"_index":215,"t":{"2503":{"position":[[2542,39]]},"2505":{"position":[[1917,39]]}}}],["io/k3s/raw/master/contrib/util/rot",{"_index":278,"t":{"2507":{"position":[[1698,37]]}}}],["io/k3s/releases/download/v1.26.5+k3s1/k3",{"_index":1439,"t":{"2744":{"position":[[462,42]]}}}],["io/k3s/releases/download/v1.29.1",{"_index":1542,"t":{"2765":{"position":[[759,32]]}}}],["iop",{"_index":1750,"t":{"2826":{"position":[[231,5]]},"2928":{"position":[[164,4],[386,4]]},"2930":{"position":[[401,4]]},"2938":{"position":[[304,4],[355,4]]},"2940":{"position":[[276,4],[320,4]]},"2948":{"position":[[134,4]]}}}],["iov",{"_index":2042,"t":{"2912":{"position":[[346,4]]}}}],["ip",{"_index":368,"t":{"2523":{"position":[[45,2],[68,2],[117,2],[139,2]]},"2533":{"position":[[2639,2],[2735,2],[2782,2]]},"2546":{"position":[[436,2],[504,2],[531,4]]},"2625":{"position":[[97,2]]},"2643":{"position":[[467,2]]},"2655":{"position":[[168,2]]},"2661":{"position":[[100,3],[183,3],[339,2],[667,2],[694,2]]},"2673":{"position":[[973,3],[1436,3],[1541,3],[1745,2],[2202,2],[2236,2],[7704,2],[7800,2],[7847,2]]},"2683":{"position":[[60,2],[362,3],[641,2],[993,2],[1123,2]]},"2697":{"position":[[289,3],[437,3],[529,3]]},"2699":{"position":[[267,2]]},"2770":{"position":[[741,3],[844,2],[874,2],[896,2],[936,2]]},"2783":{"position":[[108,2]]},"2828":{"position":[[97,3]]},"2858":{"position":[[1129,2],[1150,2],[1223,4],[1262,2],[1430,2],[1464,4]]},"2862":{"position":[[381,2],[666,2],[764,2],[1051,2],[1300,2],[1327,2],[1353,2]]},"2866":{"position":[[507,6],[1716,2]]},"2874":{"position":[[654,4]]},"2876":{"position":[[94,2],[149,4],[440,2],[529,2],[604,2],[995,4],[1008,3],[1042,3],[1054,2],[1116,2],[1148,3]]},"2878":{"position":[[1248,2]]},"2900":{"position":[[423,2],[458,2],[566,2]]},"2910":{"position":[[252,2],[275,2]]},"2912":{"position":[[1047,3],[1224,2],[1350,2],[1889,2],[1942,2]]},"3014":{"position":[[1769,2]]},"3120":{"position":[[2597,2]]},"3122":{"position":[[2545,2]]},"3124":{"position":[[2414,2]]},"3126":{"position":[[2363,2]]},"3128":{"position":[[2376,2]]},"3130":{"position":[[2489,2]]},"3132":{"position":[[2450,2]]},"3136":{"position":[[2523,2]]},"3138":{"position":[[2504,2]]},"3140":{"position":[[2400,2]]},"3142":{"position":[[2516,2]]},"3144":{"position":[[2381,2]]},"3146":{"position":[[2296,2]]},"3156":{"position":[[2471,2]]},"3162":{"position":[[2513,2]]},"3164":{"position":[[2429,2]]},"3166":{"position":[[2435,2]]},"3177":{"position":[[1956,2]]},"3179":{"position":[[2024,2]]},"3181":{"position":[[2109,2]]},"3183":{"position":[[2005,2]]},"3239":{"position":[[2780,2]]},"3241":{"position":[[2794,2]]},"3243":{"position":[[2909,2]]}}}],["ip/nod",{"_index":1091,"t":{"2655":{"position":[[160,7]]},"2673":{"position":[[965,7]]}}}],["ip6tabl",{"_index":1848,"t":{"2862":{"position":[[1491,9],[1526,9]]},"2896":{"position":[[707,9],[746,9]]}}}],["ip=0.0.0.0",{"_index":1867,"t":{"2866":{"position":[[443,11]]}}}],["ip=:6443",{"_index":1574,"t":{"2772":{"position":[[340,32]]}}}],["k3s_url=https://k3s.example.com",{"_index":1427,"t":{"2742":{"position":[[1625,31],[1721,31]]}}}],["k3s_url=https://myserver:6443",{"_index":2072,"t":{"2916":{"position":[[734,29]]}}}],["k3sup",{"_index":2212,"t":{"2954":{"position":[[75,6]]}}}],["k8",{"_index":2392,"t":{"3008":{"position":[[878,3],[1441,3],[2124,3]]},"3060":{"position":[[62,4]]}}}],["k8s.io",{"_index":736,"t":{"2568":{"position":[[243,6]]},"2796":{"position":[[226,6],[306,6],[330,6],[366,6]]},"3114":{"position":[[777,6],[1059,6],[1341,6],[1623,6],[1905,6],[2187,6],[2469,6]]},"3116":{"position":[[758,6],[1040,6],[1322,6],[1604,6],[1886,6],[2168,6],[2450,6]]},"3134":{"position":[[771,6],[1053,6],[1335,6],[1617,6],[1899,6],[2181,6],[2463,6]]},"3187":{"position":[[743,6],[1025,6],[1307,6],[1589,6],[1871,6],[2153,6],[2435,6]]}}}],["k8s_coredns_coredn",{"_index":622,"t":{"2548":{"position":[[2322,19]]}}}],["k8s_lb",{"_index":572,"t":{"2548":{"position":[[1098,6],[1262,6]]}}}],["k8s_local",{"_index":601,"t":{"2548":{"position":[[1936,9]]}}}],["k8s_metric",{"_index":611,"t":{"2548":{"position":[[2134,11]]}}}],["k8s_pod_coredn",{"_index":630,"t":{"2548":{"position":[[2486,15]]}}}],["k8s_pod_loc",{"_index":632,"t":{"2548":{"position":[[2646,13]]}}}],["k8s_pod_svclb",{"_index":595,"t":{"2548":{"position":[[1610,13]]}}}],["k8s_pod_traefik",{"_index":597,"t":{"2548":{"position":[[1766,15]]}}}],["k8s_traefik_traefik",{"_index":586,"t":{"2548":{"position":[[1445,19]]}}}],["keep",{"_index":1679,"t":{"2814":{"position":[[261,4],[1077,4]]},"3026":{"position":[[362,4]]},"3028":{"position":[[348,4]]},"3158":{"position":[[238,4]]}}}],["keepaliv",{"_index":1260,"t":{"2699":{"position":[[234,10],[321,10],[381,11],[422,10],[1207,10],[1280,10]]}}}],["kep",{"_index":739,"t":{"2568":{"position":[[579,3]]}}}],["kernel",{"_index":338,"t":{"2519":{"position":[[269,6],[289,6],[330,6]]},"2533":{"position":[[1977,6],[2006,6],[2047,6]]},"2673":{"position":[[8359,6],[8388,6],[8429,6]]},"2812":{"position":[[216,6]]},"2814":{"position":[[2047,6]]},"2858":{"position":[[683,6],[770,6],[1368,6],[1656,6]]},"2860":{"position":[[207,7]]},"2888":{"position":[[421,6]]},"3000":{"position":[[48,6]]},"3002":{"position":[[75,6],[186,6],[246,6]]},"3012":{"position":[[189,6],[729,6]]},"3014":{"position":[[4043,6]]},"3249":{"position":[[333,6]]}}}],["kernel.keys.root_maxbytes=25000000",{"_index":2327,"t":{"3002":{"position":[[473,34]]}}}],["kernel.panic=10",{"_index":2325,"t":{"3002":{"position":[[434,15]]}}}],["kernel.panic_on_oops=1",{"_index":2326,"t":{"3002":{"position":[[450,22]]}}}],["key",{"_index":99,"t":{"2501":{"position":[[435,4],[484,4],[612,4],[868,5],[1000,4],[1088,3],[1133,4],[1243,5]]},"2503":{"position":[[23,4],[241,4],[1096,3],[1897,4],[2504,5]]},"2505":{"position":[[364,4],[500,4],[1172,5],[1707,4],[1879,5],[2035,4]]},"2507":{"position":[[387,4],[1229,4],[1512,5]]},"2509":{"position":[[27,3],[49,3],[131,4],[153,3],[416,5],[533,3],[619,4],[849,3],[958,3],[1101,3]]},"2535":{"position":[[3196,3],[3210,3],[3231,3],[3245,3],[3529,4],[3563,4],[3871,4],[3910,4],[4662,4],[4696,4]]},"2598":{"position":[[195,4],[233,4],[326,4]]},"2600":{"position":[[61,4],[787,4]]},"2604":{"position":[[324,3],[429,5],[636,3],[1466,3],[1529,4],[1601,4],[1659,3],[1713,3],[1727,4],[1815,4]]},"2616":{"position":[[542,3],[679,5],[697,4]]},"2646":{"position":[[452,3],[1369,3],[1407,3],[1428,3],[1470,3]]},"2673":{"position":[[4287,3],[5298,3],[5323,3],[5365,3],[5390,3]]},"2746":{"position":[[678,4]]},"2748":{"position":[[271,3],[316,3],[422,3]]},"2790":{"position":[[217,3],[312,4]]},"2836":{"position":[[35,5],[334,4]]},"2840":{"position":[[288,3]]},"2842":{"position":[[449,3],[722,3]]},"2878":{"position":[[275,5],[298,3],[309,5],[874,3]]},"2960":{"position":[[177,3],[235,3],[729,7]]},"2962":{"position":[[157,4],[195,4]]},"2994":{"position":[[586,4],[934,4]]},"3014":{"position":[[1194,3],[1610,3],[1698,3],[1913,3],[2466,3],[2739,3],[4302,3]]},"3034":{"position":[[122,3]]},"3089":{"position":[[1782,3],[1893,3]]},"3120":{"position":[[288,3],[413,3],[631,4],[1999,3],[2447,3],[2526,3],[2770,3]]},"3122":{"position":[[1947,3],[2395,3],[2474,3],[2718,3]]},"3124":{"position":[[1816,3],[2264,3],[2343,3],[2587,3]]},"3126":{"position":[[1765,3],[2213,3],[2292,3],[2536,3]]},"3128":{"position":[[1778,3],[2226,3],[2305,3],[2549,3]]},"3130":{"position":[[1891,3],[2339,3],[2418,3],[2662,3]]},"3132":{"position":[[1852,3],[2300,3],[2379,3],[2623,3]]},"3136":{"position":[[1925,3],[2373,3],[2452,3],[2696,3]]},"3138":{"position":[[1906,3],[2354,3],[2433,3],[2677,3]]},"3140":{"position":[[1802,3],[2250,3],[2329,3],[2573,3]]},"3142":{"position":[[1918,3],[2366,3],[2445,3],[2689,3]]},"3144":{"position":[[1783,3],[2231,3],[2310,3],[2554,3]]},"3146":{"position":[[1698,3],[2146,3],[2225,3],[2469,3]]},"3156":{"position":[[1873,3],[2321,3],[2400,3],[2644,3]]},"3160":{"position":[[278,3],[380,3],[1912,3],[2023,3]]},"3162":{"position":[[271,3],[353,3],[375,3],[542,3],[1915,3],[2363,3],[2442,3],[2686,3]]},"3164":{"position":[[1831,3],[2279,3],[2358,3],[2602,3]]},"3166":{"position":[[1837,3],[2285,3],[2364,3],[2608,3]]},"3177":{"position":[[972,3],[1149,3],[1328,3],[1505,3],[1885,3]]},"3179":{"position":[[1040,3],[1217,3],[1396,3],[1573,3],[1953,3]]},"3181":{"position":[[196,3],[230,3],[300,3],[450,3],[504,3],[1125,3],[1302,3],[1481,3],[1658,3],[2038,3]]},"3183":{"position":[[1021,3],[1198,3],[1377,3],[1554,3],[1934,3]]},"3195":{"position":[[255,3],[1806,3],[1917,3],[2138,4],[2190,3],[2265,3],[2344,3]]},"3197":{"position":[[1695,3],[1806,3]]},"3199":{"position":[[1720,3],[1831,3]]},"3201":{"position":[[316,3],[340,3],[1872,3],[1983,3],[2204,4],[2266,3],[2346,3],[2440,3]]},"3203":{"position":[[1698,3],[1809,3]]},"3205":{"position":[[1730,3],[1841,3]]},"3207":{"position":[[1829,3],[1940,3]]},"3239":{"position":[[2182,3],[2630,3],[2709,3],[2953,3]]},"3241":{"position":[[2196,3],[2644,3],[2723,3],[2967,3]]},"3243":{"position":[[2311,3],[2759,3],[2838,3],[3082,3]]},"3245":{"position":[[1818,3],[3041,3]]},"3257":{"position":[[231,3],[506,3],[528,3],[806,3],[2009,3],[3232,3]]}}}],["key1=value1:noexecut",{"_index":402,"t":{"2531":{"position":[[400,21]]}}}],["key=/var/lib/rancher/k3s/server/tls/cli",{"_index":2444,"t":{"3014":{"position":[[1011,42]]},"3120":{"position":[[1760,42]]},"3122":{"position":[[1708,42]]},"3124":{"position":[[1577,42]]},"3126":{"position":[[1526,42]]},"3128":{"position":[[1539,42]]},"3130":{"position":[[1652,42]]},"3132":{"position":[[1613,42]]},"3136":{"position":[[1686,42]]},"3138":{"position":[[1667,42]]},"3140":{"position":[[1563,42]]},"3142":{"position":[[1679,42]]},"3144":{"position":[[1544,42]]},"3146":{"position":[[1459,42]]},"3156":{"position":[[1634,42]]},"3162":{"position":[[1676,42]]},"3164":{"position":[[1592,42]]},"3166":{"position":[[1598,42]]},"3239":{"position":[[1943,42]]},"3241":{"position":[[1957,42]]},"3243":{"position":[[2072,42]]}}}],["key=/var/lib/rancher/k3s/server/tls/etcd/client.key",{"_index":649,"t":{"2550":{"position":[[557,51]]}}}],["key=:6443",{"_index":1645,"t":{"2802":{"position":[[360,10]]}}}],["nodej",{"_index":831,"t":{"2590":{"position":[[321,6],[354,6]]}}}],["nodeport",{"_index":1101,"t":{"2661":{"position":[[273,8]]},"2673":{"position":[[1654,8]]},"2894":{"position":[[408,8]]},"2900":{"position":[[311,9]]}}}],["noderestrict",{"_index":2331,"t":{"3004":{"position":[[521,15]]},"3006":{"position":[[1128,15]]},"3142":{"position":[[76,15],[308,16],[548,17]]}}}],["nodeselector",{"_index":2289,"t":{"2994":{"position":[[552,13],[900,13]]}}}],["non",{"_index":233,"t":{"2505":{"position":[[505,3],[1385,3]]},"2818":{"position":[[1312,3]]},"3018":{"position":[[183,3]]},"3144":{"position":[[212,4]]}}}],["none",{"_index":1105,"t":{"2661":{"position":[[493,7]]},"2673":{"position":[[2003,7]]},"2699":{"position":[[1648,6],[1686,6],[1724,6],[3083,6],[3121,6],[3159,6]]},"2701":{"position":[[1135,6],[1173,6],[1211,6]]},"2742":{"position":[[842,4],[935,5],[1045,4],[1171,4],[1256,4]]},"2750":{"position":[[355,4],[464,4],[562,4]]},"2858":{"position":[[1104,5]]}}}],["nonoper",{"_index":2109,"t":{"2922":{"position":[[533,17],[704,14]]}}}],["normal",{"_index":299,"t":{"2509":{"position":[[1179,6]]},"2876":{"position":[[979,8]]},"3008":{"position":[[2684,6]]}}}],["notabl",{"_index":2306,"t":{"2998":{"position":[[397,7]]}}}],["note",{"_index":180,"t":{"2503":{"position":[[928,5],[1070,5]]},"2511":{"position":[[62,4]]},"2600":{"position":[[806,5]]},"2641":{"position":[[63,4]]},"2675":{"position":[[0,5]]},"2736":{"position":[[222,4]]},"2742":{"position":[[1889,4]]},"2777":{"position":[[266,5]]},"2787":{"position":[[326,4]]},"2794":{"position":[[306,4]]},"2796":{"position":[[352,4]]},"2832":{"position":[[691,4]]},"2864":{"position":[[1639,5]]},"2866":{"position":[[953,4]]},"2876":{"position":[[650,4]]},"2888":{"position":[[2030,4]]},"2894":{"position":[[1455,5]]},"3002":{"position":[[172,5]]},"3006":{"position":[[6395,5]]},"3016":{"position":[[113,4]]},"3065":{"position":[[1916,5]]}}}],["now",{"_index":710,"t":{"2562":{"position":[[624,3]]},"2575":{"position":[[53,3]]},"2691":{"position":[[643,3],[820,3]]},"2699":{"position":[[1500,3],[2936,3]]},"2701":{"position":[[988,3]]},"2814":{"position":[[242,3]]}}}],["ns",{"_index":1779,"t":{"2838":{"position":[[607,2]]}}}],["number",{"_index":80,"t":{"2501":{"position":[[22,6]]},"2513":{"position":[[36,6]]},"2533":{"position":[[407,6]]},"2535":{"position":[[325,6],[2214,6]]},"2646":{"position":[[958,6]]},"2653":{"position":[[67,6]]},"2673":{"position":[[418,6],[4826,6]]},"2683":{"position":[[548,6]]},"2687":{"position":[[65,6]]},"2691":{"position":[[46,6]]},"2728":{"position":[[17,6]]},"2998":{"position":[[242,6],[322,6]]},"3026":{"position":[[335,6]]},"3028":{"position":[[321,6]]},"3150":{"position":[[219,6]]}}}],["nvcr.io/nvidia/k8s/cuda",{"_index":680,"t":{"2554":{"position":[[880,23]]}}}],["nvidia",{"_index":656,"t":{"2554":{"position":[[14,6],[186,6],[242,6],[369,6],[464,6],[476,6],[566,7],[675,6],[691,6],[831,6],[1177,7]]}}}],["nvidia.com/gpu",{"_index":684,"t":{"2554":{"position":[[974,15]]}}}],["nvidia_driver_cap",{"_index":686,"t":{"2554":{"position":[[1047,26]]}}}],["nvidia_visible_devic",{"_index":685,"t":{"2554":{"position":[[1005,22]]}}}],["nvme",{"_index":2171,"t":{"2934":{"position":[[78,4]]}}}],["o",{"_index":1080,"t":{"2650":{"position":[[65,1]]},"2673":{"position":[[2518,1]]},"2765":{"position":[[668,1]]},"2994":{"position":[[2694,1],[2737,1]]}}}],["object",{"_index":508,"t":{"2535":{"position":[[4445,6]]},"2730":{"position":[[564,6]]},"3018":{"position":[[154,7],[285,8],[419,8]]},"3020":{"position":[[245,7]]},"3034":{"position":[[215,8],[230,7]]},"3138":{"position":[[77,7]]},"3215":{"position":[[355,8]]},"3268":{"position":[[86,7]]},"3270":{"position":[[110,7]]},"3272":{"position":[[70,7]]},"3312":{"position":[[76,7]]},"3323":{"position":[[77,7]]}}}],["observ",{"_index":190,"t":{"2503":{"position":[[1245,7]]}}}],["obtain",{"_index":1531,"t":{"2763":{"position":[[353,6]]},"2765":{"position":[[416,6]]},"2848":{"position":[[275,6]]}}}],["occasion",{"_index":918,"t":{"2610":{"position":[[24,13]]}}}],["occurr",{"_index":1464,"t":{"2748":{"position":[[402,11]]}}}],["oci",{"_index":820,"t":{"2588":{"position":[[452,3]]},"2763":{"position":[[149,3]]},"2767":{"position":[[205,3]]},"2779":{"position":[[211,3]]},"2781":{"position":[[310,3]]},"2796":{"position":[[128,3]]}}}],["odd",{"_index":1213,"t":{"2691":{"position":[[42,3]]}}}],["offer",{"_index":1854,"t":{"2864":{"position":[[909,6]]},"2898":{"position":[[470,5]]},"3317":{"position":[[66,7]]}}}],["offici",{"_index":404,"t":{"2531":{"position":[[528,8]]},"2637":{"position":[[364,8],[397,8],[426,8],[460,8]]},"2675":{"position":[[6,8]]},"2763":{"position":[[278,8]]},"2894":{"position":[[1024,8]]},"2912":{"position":[[2645,8]]}}}],["oidc",{"_index":2766,"t":{"3210":{"position":[[91,4]]}}}],["old",{"_index":271,"t":{"2507":{"position":[[679,3],[1054,3],[1130,3]]},"2509":{"position":[[149,3],[412,3]]},"2535":{"position":[[623,3],[686,5]]},"2775":{"position":[[284,3],[319,3]]},"3026":{"position":[[155,3],[345,3]]},"3028":{"position":[[154,3],[331,3]]},"3054":{"position":[[174,3]]}}}],["older",{"_index":1235,"t":{"2693":{"position":[[534,5]]},"2814":{"position":[[913,5]]},"2894":{"position":[[1498,5]]},"2998":{"position":[[711,6]]},"3006":{"position":[[26,5],[862,5]]},"3008":{"position":[[1286,5]]},"3012":{"position":[[175,5]]},"3052":{"position":[[23,5]]}}}],["omit",{"_index":2296,"t":{"2994":{"position":[[1848,4]]}}}],["on",{"_index":282,"t":{"2509":{"position":[[145,3]]},"2535":{"position":[[819,3]]},"2600":{"position":[[956,3]]},"2602":{"position":[[810,3]]},"2616":{"position":[[71,3]]},"2621":{"position":[[642,3],[1554,3]]},"2661":{"position":[[486,3],[864,3]]},"2673":{"position":[[1996,3],[2311,3]]},"2675":{"position":[[1017,3]]},"2730":{"position":[[1385,3]]},"2772":{"position":[[23,3]]},"2792":{"position":[[740,3]]},"2816":{"position":[[337,3]]},"2834":{"position":[[660,3]]},"2838":{"position":[[343,4]]},"2898":{"position":[[365,3]]},"2904":{"position":[[62,3]]},"2906":{"position":[[433,3]]},"2912":{"position":[[418,3]]},"2936":{"position":[[161,3]]},"3048":{"position":[[161,3]]},"3124":{"position":[[218,3]]}}}],["on=fals",{"_index":2499,"t":{"3014":{"position":[[3785,8]]},"3245":{"position":[[1302,8],[2525,8]]},"3257":{"position":[[1493,8],[2716,8]]}}}],["onc",{"_index":396,"t":{"2531":{"position":[[215,4]]},"2600":{"position":[[1341,4],[1467,4],[1716,4]]},"2602":{"position":[[1200,4],[1447,4]]},"2616":{"position":[[303,4]]},"2681":{"position":[[1479,4]]},"2693":{"position":[[170,4]]},"2777":{"position":[[893,4]]},"2866":{"position":[[662,4]]},"2868":{"position":[[231,4]]},"2994":{"position":[[231,4]]},"3030":{"position":[[350,4]]}}}],["onfailur",{"_index":679,"t":{"2554":{"position":[[803,9]]}}}],["open",{"_index":1258,"t":{"2699":{"position":[[28,4],[2148,4]]},"2701":{"position":[[200,4]]},"2814":{"position":[[589,6],[1289,6]]},"2818":{"position":[[875,5]]},"2890":{"position":[[331,6]]},"3042":{"position":[[590,5]]}}}],["openrc",{"_index":741,"t":{"2570":{"position":[[37,7],[79,7]]},"2600":{"position":[[415,6],[1311,6]]},"2602":{"position":[[351,6],[1170,6]]},"2713":{"position":[[85,8]]},"2742":{"position":[[150,6]]},"2916":{"position":[[16,6]]},"2918":{"position":[[150,6],[2587,6]]},"3056":{"position":[[71,7],[204,6]]}}}],["openssl",{"_index":286,"t":{"2509":{"position":[[740,7],[756,7],[783,8],[853,7]]}}}],["openssl_genrsa_flag",{"_index":290,"t":{"2509":{"position":[[798,21],[868,23]]}}}],["oper",{"_index":83,"t":{"2501":{"position":[[59,10],[1296,9]]},"2637":{"position":[[55,10]]},"2639":{"position":[[97,10]]},"2643":{"position":[[190,9]]},"2858":{"position":[[721,9]]},"2864":{"position":[[228,7],[390,9]]},"2888":{"position":[[1063,8],[1580,8]]},"2922":{"position":[[429,7]]},"2924":{"position":[[348,11]]},"2932":{"position":[[668,9]]},"2946":{"position":[[256,10],[424,9],[520,8],[844,10]]},"2994":{"position":[[629,9],[977,9]]},"2998":{"position":[[526,9]]},"3006":{"position":[[831,8]]},"3008":{"position":[[2642,9]]},"3016":{"position":[[169,8]]},"3065":{"position":[[354,10],[1346,8],[1559,9]]},"3301":{"position":[[185,7]]}}}],["oppos",{"_index":1150,"t":{"2675":{"position":[[613,7]]}}}],["opt",{"_index":2313,"t":{"2998":{"position":[[775,3]]}}}],["opt/k3s/server/tl",{"_index":251,"t":{"2505":{"position":[[1267,19],[1644,19],[1820,19]]},"2509":{"position":[[712,19]]}}}],["opt/k3s/server/tls/service.key",{"_index":294,"t":{"2509":{"position":[[899,31],[1050,31]]}}}],["optim",{"_index":1705,"t":{"2816":{"position":[[813,7]]},"2826":{"position":[[67,7]]}}}],["option",{"_index":238,"t":{"2505":{"position":[[661,6],[2319,6]]},"2507":{"position":[[733,6]]},"2511":{"position":[[167,7],[262,8]]},"2531":{"position":[[38,7],[129,7]]},"2533":{"position":[[6,6],[82,6],[197,9],[207,8]]},"2535":{"position":[[368,8],[937,7],[1369,7],[1857,8],[1872,7],[1978,7],[2963,7],[3326,11]]},"2614":{"position":[[167,6]]},"2618":{"position":[[154,6]]},"2621":{"position":[[210,8],[457,8],[2624,8]]},"2633":{"position":[[283,7]]},"2641":{"position":[[128,7],[205,7],[300,8]]},"2643":{"position":[[14,7]]},"2646":{"position":[[1571,10]]},"2673":{"position":[[6,6],[84,6],[208,9],[218,8],[5518,10]]},"2679":{"position":[[95,7]]},"2681":{"position":[[994,7],[1129,7]]},"2683":{"position":[[942,7],[955,6]]},"2699":{"position":[[40,6],[540,6],[611,6]]},"2723":{"position":[[170,7],[203,7]]},"2740":{"position":[[25,7],[135,7]]},"2742":{"position":[[617,8]]},"2744":{"position":[[1019,8]]},"2750":{"position":[[17,7]]},"2781":{"position":[[177,6]]},"2787":{"position":[[384,6]]},"2806":{"position":[[110,7]]},"2810":{"position":[[178,6]]},"2822":{"position":[[186,7]]},"2828":{"position":[[161,6]]},"2834":{"position":[[544,8],[859,6],[1058,7]]},"2856":{"position":[[46,8]]},"2858":{"position":[[186,7]]},"2872":{"position":[[84,7],[253,7]]},"2874":{"position":[[175,7]]},"2878":{"position":[[969,11]]},"2888":{"position":[[2087,8]]},"2890":{"position":[[177,7],[227,7]]},"2892":{"position":[[132,7]]},"2912":{"position":[[649,8],[1095,8]]},"2918":{"position":[[2300,7],[2416,7]]},"2920":{"position":[[94,8],[174,8]]},"2960":{"position":[[526,8]]},"2990":{"position":[[449,8]]},"2998":{"position":[[837,7]]},"3036":{"position":[[266,8]]},"3042":{"position":[[194,7]]},"3199":{"position":[[2148,9],[2388,9],[2628,9]]},"3205":{"position":[[2193,9]]},"3317":{"position":[[58,7]]}}}],["order",{"_index":1000,"t":{"2621":{"position":[[1924,5]]},"2728":{"position":[[444,5]]},"2748":{"position":[[219,6]]},"2770":{"position":[[701,5]]},"2781":{"position":[[3,5]]},"2785":{"position":[[313,5]]},"2787":{"position":[[524,5]]},"2796":{"position":[[433,5]]},"2798":{"position":[[198,5]]},"2834":{"position":[[562,5]]},"2844":{"position":[[553,5]]},"2864":{"position":[[700,5]]},"2872":{"position":[[394,5]]},"2910":{"position":[[3,5]]},"2920":{"position":[[186,5]]},"3020":{"position":[[308,5]]},"3215":{"position":[[273,5]]}}}],["organ",{"_index":1352,"t":{"2730":{"position":[[208,10]]}}}],["organization/project",{"_index":1785,"t":{"2838":{"position":[[1039,20]]}}}],["origin",{"_index":252,"t":{"2505":{"position":[[1465,8],[1497,8]]},"2742":{"position":[[2016,8]]},"2838":{"position":[[543,8],[1534,8]]},"3065":{"position":[[1047,8]]}}}],["os",{"_index":512,"t":{"2537":{"position":[[49,3]]},"2570":{"position":[[22,3]]},"2579":{"position":[[7,3],[82,2]]},"2713":{"position":[[30,3]]},"2721":{"position":[[56,2]]},"2812":{"position":[[270,3]]},"2814":{"position":[[1483,2],[1585,2]]},"2820":{"position":[[723,2]]},"2884":{"position":[[165,2]]},"2934":{"position":[[0,3]]}}}],["oss",{"_index":1673,"t":{"2814":{"position":[[59,3],[2135,3]]}}}],["other",{"_index":1610,"t":{"2785":{"position":[[220,7]]},"2870":{"position":[[96,6]]},"3004":{"position":[[574,7]]}}}],["other=what",{"_index":1474,"t":{"2748":{"position":[[774,10],[932,10]]}}}],["otherwis",{"_index":1388,"t":{"2736":{"position":[[313,9]]},"2792":{"position":[[330,9]]},"2844":{"position":[[514,9]]},"2868":{"position":[[183,10]]},"2900":{"position":[[535,10]]}}}],["out",{"_index":293,"t":{"2509":{"position":[[895,3]]},"2726":{"position":[[225,3]]},"2828":{"position":[[90,3]]},"2912":{"position":[[1237,3]]},"2994":{"position":[[1200,3]]},"3026":{"position":[[240,3]]},"3028":{"position":[[239,3]]},"3050":{"position":[[362,3]]}}}],["outbound",{"_index":1716,"t":{"2818":{"position":[[357,8]]},"2820":{"position":[[626,8]]}}}],["outlin",{"_index":1652,"t":{"2808":{"position":[[62,8]]},"2816":{"position":[[95,8]]},"2920":{"position":[[113,8]]},"2998":{"position":[[96,8]]},"3000":{"position":[[118,8]]},"3004":{"position":[[166,8]]},"3036":{"position":[[341,8]]},"3065":{"position":[[1232,8]]}}}],["output",{"_index":277,"t":{"2507":{"position":[[1637,6],[1825,6]]},"2621":{"position":[[753,6],[2590,6],[2603,6]]}}}],["outsid",{"_index":1048,"t":{"2637":{"position":[[78,7]]},"3042":{"position":[[522,7]]}}}],["over",{"_index":388,"t":{"2527":{"position":[[143,4]]},"2533":{"position":[[3393,4]]},"2598":{"position":[[115,4]]},"2646":{"position":[[1673,4]]},"2669":{"position":[[199,4]]},"2673":{"position":[[5626,4],[8716,4]]},"2683":{"position":[[138,4],[283,4],[499,4]]},"2775":{"position":[[371,4]]},"2818":{"position":[[109,4],[169,4]]},"2872":{"position":[[295,4]]},"2874":{"position":[[685,4]]},"2962":{"position":[[77,4]]}}}],["overhead",{"_index":1862,"t":{"2864":{"position":[[2103,9]]},"2930":{"position":[[482,8]]}}}],["overlayf",{"_index":426,"t":{"2533":{"position":[[2496,12]]},"2673":{"position":[[7432,12]]}}}],["overrid",{"_index":376,"t":{"2523":{"position":[[259,8],[319,8],[385,8]]},"2533":{"position":[[2446,8],[2941,8],[3016,8],[3097,8]]},"2535":{"position":[[4863,10]]},"2673":{"position":[[7382,8],[8006,8],[8081,8],[8162,8]]},"3253":{"position":[[166,8]]}}}],["override=hostname01",{"_index":2501,"t":{"3014":{"position":[[3838,19]]}}}],["override=k3",{"_index":2800,"t":{"3245":{"position":[[1355,12],[2578,12]]},"3257":{"position":[[1546,12],[2769,12]]}}}],["overview",{"_index":2573,"t":{"3065":{"position":[[0,9]]}}}],["overwrit",{"_index":230,"t":{"2505":{"position":[[257,9]]},"2507":{"position":[[280,9]]},"2509":{"position":[[443,9]]},"2746":{"position":[[1055,9]]},"2748":{"position":[[479,11]]},"2918":{"position":[[686,10]]}}}],["own",{"_index":1083,"t":{"2650":{"position":[[248,5]]}}}],["ownership",{"_index":2315,"t":{"2998":{"position":[[1135,10]]},"3232":{"position":[[66,9]]}}}],["p",{"_index":202,"t":{"2503":{"position":[[2009,1]]},"2505":{"position":[[1265,1]]},"2509":{"position":[[710,1]]},"2562":{"position":[[836,1]]},"2581":{"position":[[385,1]]},"2699":{"position":[[2612,1]]},"2701":{"position":[[664,1]]},"2765":{"position":[[617,1]]},"3002":{"position":[[360,1]]},"3010":{"position":[[411,1]]}}}],["packag",{"_index":1134,"t":{"2673":{"position":[[5844,8]]},"2723":{"position":[[650,8],[693,8]]},"2728":{"position":[[27,8],[316,8]]},"2730":{"position":[[671,8]]},"2734":{"position":[[15,8]]},"2808":{"position":[[279,8]]},"2858":{"position":[[2054,8]]},"2894":{"position":[[514,8],[910,8]]},"2930":{"position":[[47,8],[212,8]]},"2998":{"position":[[1216,8]]},"3008":{"position":[[1063,8]]}}}],["packet",{"_index":1814,"t":{"2858":{"position":[[1336,8]]}}}],["page",{"_index":304,"t":{"2511":{"position":[[127,4],[198,4]]},"2641":{"position":[[236,4]]},"2740":{"position":[[5,4]]},"2744":{"position":[[203,5]]},"2763":{"position":[[419,4]]},"2765":{"position":[[482,4]]},"2770":{"position":[[208,5]]},"2775":{"position":[[139,4]]},"2812":{"position":[[89,4],[235,6]]},"2856":{"position":[[5,4]]},"2890":{"position":[[5,4],[185,4]]},"2920":{"position":[[108,4]]},"2950":{"position":[[100,4]]},"2990":{"position":[[1297,5],[1440,5]]}}}],["paramet",{"_index":1162,"t":{"2681":{"position":[[214,9],[294,9],[1362,9]]},"2838":{"position":[[616,10]]},"2876":{"position":[[323,10],[679,9],[1119,9]]},"2878":{"position":[[800,9],[928,10],[1111,10]]},"2894":{"position":[[1060,12]]},"3000":{"position":[[55,10]]},"3002":{"position":[[82,10],[253,11]]},"3112":{"position":[[159,10]]},"3114":{"position":[[271,10]]},"3118":{"position":[[182,10]]},"3120":{"position":[[292,10]]},"3122":{"position":[[292,9]]},"3124":{"position":[[174,9]]},"3126":{"position":[[174,9]]},"3128":{"position":[[174,9]]},"3130":{"position":[[227,11]]},"3132":{"position":[[190,10]]},"3134":{"position":[[180,9]]},"3136":{"position":[[180,9]]},"3138":{"position":[[279,9]]},"3140":{"position":[[181,9]]},"3142":{"position":[[273,9]]},"3144":{"position":[[177,9]]},"3146":{"position":[[159,10]]},"3148":{"position":[[180,9]]},"3150":{"position":[[182,9]]},"3152":{"position":[[185,9]]},"3154":{"position":[[183,9]]},"3156":{"position":[[159,10],[259,9]]},"3158":{"position":[[463,9]]},"3160":{"position":[[287,11]]},"3162":{"position":[[280,11]]},"3166":{"position":[[289,10]]},"3168":{"position":[[263,9]]},"3172":{"position":[[159,10]]},"3177":{"position":[[176,10]]},"3179":{"position":[[175,10]]},"3181":{"position":[[205,9]]},"3183":{"position":[[185,9]]},"3185":{"position":[[196,9]]},"3187":{"position":[[210,9]]},"3190":{"position":[[163,10]]},"3192":{"position":[[192,9]]},"3195":{"position":[[210,11]]},"3197":{"position":[[136,10]]},"3199":{"position":[[151,9]]},"3201":{"position":[[252,11]]},"3203":{"position":[[136,10]]},"3205":{"position":[[156,9]]},"3207":{"position":[[259,10]]},"3239":{"position":[[277,9]]},"3241":{"position":[[263,9]]},"3243":{"position":[[306,9]]},"3245":{"position":[[253,9]]},"3247":{"position":[[290,9]]},"3249":{"position":[[275,9]]},"3255":{"position":[[274,9]]},"3257":{"position":[[396,10]]},"3261":{"position":[[158,9]]},"3263":{"position":[[593,9]]}}}],["part",{"_index":919,"t":{"2610":{"position":[[92,6]]},"2675":{"position":[[1168,4]]},"2691":{"position":[[647,4]]},"2840":{"position":[[138,4],[548,4]]}}}],["parti",{"_index":1240,"t":{"2695":{"position":[[367,5]]},"2848":{"position":[[80,5]]},"3317":{"position":[[108,5]]}}}],["particip",{"_index":1617,"t":{"2785":{"position":[[1337,11]]}}}],["particular",{"_index":1621,"t":{"2787":{"position":[[433,10]]},"2906":{"position":[[12,10]]},"2946":{"position":[[1000,10]]}}}],["particularli",{"_index":1434,"t":{"2744":{"position":[[264,12]]}}}],["pass",{"_index":305,"t":{"2511":{"position":[[233,6]]},"2533":{"position":[[96,6]]},"2535":{"position":[[1887,6]]},"2633":{"position":[[251,4]]},"2641":{"position":[[271,6]]},"2673":{"position":[[98,6]]},"2685":{"position":[[854,6]]},"2691":{"position":[[1392,6]]},"2742":{"position":[[268,4],[2245,7]]},"2744":{"position":[[542,4]]},"2772":{"position":[[1312,6]]},"2806":{"position":[[98,7]]},"2810":{"position":[[253,4]]},"2828":{"position":[[134,7]]},"2838":{"position":[[569,6]]},"2870":{"position":[[286,4]]},"2960":{"position":[[82,7],[239,4]]},"2998":{"position":[[315,4]]},"3006":{"position":[[141,7],[955,7]]},"3010":{"position":[[824,6]]},"3016":{"position":[[55,4],[147,6]]},"3018":{"position":[[454,7],[524,4]]},"3020":{"position":[[553,7],[623,4]]},"3022":{"position":[[479,7]]},"3024":{"position":[[319,7]]},"3026":{"position":[[494,7]]},"3028":{"position":[[480,7]]},"3030":{"position":[[704,7]]},"3032":{"position":[[495,7]]},"3036":{"position":[[301,7]]},"3038":{"position":[[571,7]]},"3040":{"position":[[191,7]]},"3042":{"position":[[622,7]]},"3044":{"position":[[880,4]]},"3065":{"position":[[1181,4],[1215,6]]},"3089":{"position":[[8,4],[80,6],[1653,4]]},"3091":{"position":[[90,6]]},"3095":{"position":[[8,4]]},"3097":{"position":[[8,4]]},"3099":{"position":[[8,4]]},"3101":{"position":[[8,4]]},"3103":{"position":[[8,4]]},"3105":{"position":[[8,4]]},"3114":{"position":[[8,4]]},"3116":{"position":[[8,4]]},"3120":{"position":[[8,4]]},"3122":{"position":[[8,4]]},"3124":{"position":[[8,4]]},"3126":{"position":[[8,4]]},"3128":{"position":[[8,4]]},"3132":{"position":[[8,4]]},"3138":{"position":[[8,4]]},"3140":{"position":[[8,4]]},"3142":{"position":[[8,4]]},"3144":{"position":[[8,4]]},"3146":{"position":[[8,4]]},"3156":{"position":[[8,4]]},"3160":{"position":[[8,4],[1783,4]]},"3162":{"position":[[8,4]]},"3164":{"position":[[8,4]]},"3166":{"position":[[8,4]]},"3177":{"position":[[8,4]]},"3179":{"position":[[8,4]]},"3181":{"position":[[8,4]]},"3183":{"position":[[8,4]]},"3187":{"position":[[8,4]]},"3190":{"position":[[8,4]]},"3192":{"position":[[8,4]]},"3195":{"position":[[8,4],[1677,4]]},"3197":{"position":[[8,4],[1566,4]]},"3199":{"position":[[8,4],[1591,4]]},"3201":{"position":[[8,4],[1743,4]]},"3203":{"position":[[8,4],[1569,4]]},"3205":{"position":[[8,4],[1601,4]]},"3207":{"position":[[8,4],[1700,4]]},"3222":{"position":[[8,4]]},"3224":{"position":[[8,4]]},"3226":{"position":[[8,4]]},"3228":{"position":[[8,4]]},"3230":{"position":[[8,4]]},"3232":{"position":[[8,4]]},"3239":{"position":[[8,4]]},"3241":{"position":[[8,4]]},"3243":{"position":[[8,4]]},"3245":{"position":[[8,4]]},"3257":{"position":[[8,4]]}}}],["passphras",{"_index":104,"t":{"2501":{"position":[[536,10]]},"2616":{"position":[[523,10]]}}}],["passwd",{"_index":19,"t":{"2492":{"position":[[657,7]]}}}],["password",{"_index":935,"t":{"2610":{"position":[[601,9]]},"2612":{"position":[[41,8]]},"2616":{"position":[[100,9],[908,9]]},"2836":{"position":[[187,9],[209,9]]},"2840":{"position":[[691,8],[705,8]]},"2842":{"position":[[315,9],[355,8]]},"2844":{"position":[[318,9],[358,8]]},"2850":{"position":[[507,8]]}}}],["password.k3",{"_index":12,"t":{"2492":{"position":[[363,12]]}}}],["past",{"_index":1587,"t":{"2775":{"position":[[525,4]]}}}],["patch",{"_index":2103,"t":{"2922":{"position":[[127,5]]},"3050":{"position":[[622,5]]}}}],["path",{"_index":360,"t":{"2521":{"position":[[128,5],[190,4]]},"2533":{"position":[[1330,4],[1517,4],[2215,5],[2273,4]]},"2535":{"position":[[978,4],[1410,4],[2531,4],[2542,4]]},"2548":{"position":[[598,4],[1883,4],[1946,4],[1969,4],[2660,4]]},"2663":{"position":[[41,4],[74,4]]},"2673":{"position":[[3395,4],[3411,4],[5717,4],[5760,4],[6659,4],[6846,4],[7151,5],[7209,4]]},"2736":{"position":[[793,4]]},"2744":{"position":[[228,5]]},"2836":{"position":[[255,5],[286,5],[318,5]]},"2840":{"position":[[211,4],[292,4],[384,4]]},"2842":{"position":[[382,4],[437,4],[490,4],[655,4],[710,4],[763,4]]},"2918":{"position":[[621,5]]},"2930":{"position":[[268,4]]},"2979":{"position":[[65,4],[152,4]]},"2981":{"position":[[300,4]]},"3022":{"position":[[28,4],[447,5]]},"3122":{"position":[[309,4]]},"3148":{"position":[[175,4],[204,4]]},"3168":{"position":[[280,4]]}}}],["path/to/cni/fil",{"_index":2596,"t":{"3085":{"position":[[152,19]]},"3087":{"position":[[158,19]]}}}],["path/to/encrypt",{"_index":2734,"t":{"3170":{"position":[[194,19]]}}}],["path=/opt/k3s/serv",{"_index":259,"t":{"2505":{"position":[[2088,20]]},"2509":{"position":[[1152,20]]}}}],["path=/var/lib/rancher/k3s/agent/pod",{"_index":2504,"t":{"3014":{"position":[[3987,35]]},"3245":{"position":[[1599,35],[2822,35]]},"3257":{"position":[[1790,35],[3013,35]]}}}],["path=/var/lib/rancher/k3s/server/logs/audit.log",{"_index":1941,"t":{"2888":{"position":[[572,48]]},"3010":{"position":[[898,48],[1236,48]]},"3012":{"position":[[340,48],[906,48]]}}}],["path=/var/lib/rancher/k3s/server/rot",{"_index":279,"t":{"2507":{"position":[[1890,39]]}}}],["path=/var/log/apiserver/audit.log",{"_index":2719,"t":{"3148":{"position":[[290,33]]}}}],["path=:6443",{"_index":1216,"t":{"2691":{"position":[[578,13]]}}}],["server2",{"_index":1222,"t":{"2691":{"position":[[769,7]]}}}],["server_external_ip",{"_index":1909,"t":{"2876":{"position":[[503,18],[717,18],[894,18]]}}}],["server_metr",{"_index":612,"t":{"2548":{"position":[[2146,14]]}}}],["servers=https://127.0.0.1:2379",{"_index":2438,"t":{"3014":{"position":[[771,30]]},"3120":{"position":[[1500,30]]},"3122":{"position":[[1448,30]]},"3124":{"position":[[1317,30]]},"3126":{"position":[[1266,30]]},"3128":{"position":[[1279,30]]},"3130":{"position":[[1392,30]]},"3132":{"position":[[1353,30]]},"3136":{"position":[[1426,30]]},"3138":{"position":[[1407,30]]},"3140":{"position":[[1303,30]]},"3142":{"position":[[1419,30]]},"3144":{"position":[[1284,30]]},"3146":{"position":[[1199,30]]},"3156":{"position":[[1374,30]]},"3162":{"position":[[1416,30]]},"3164":{"position":[[1332,30]]},"3166":{"position":[[1338,30]]},"3239":{"position":[[1683,30]]},"3241":{"position":[[1697,30]]},"3243":{"position":[[1812,30]]}}}],["servic",{"_index":74,"t":{"2499":{"position":[[313,7]]},"2503":{"position":[[1113,7]]},"2505":{"position":[[1683,7],[1729,7],[2162,7]]},"2507":{"position":[[1986,7]]},"2509":{"position":[[4,7],[66,7],[108,7],[205,7],[596,7],[1293,7]]},"2575":{"position":[[288,9]]},"2577":{"position":[[196,9]]},"2600":{"position":[[354,8],[425,7],[1250,8],[1321,7]]},"2602":{"position":[[290,8],[361,7],[1109,8],[1180,7]]},"2616":{"position":[[734,7]]},"2643":{"position":[[513,7]]},"2661":{"position":[[106,7],[175,7],[189,7],[259,8],[354,8],[381,7],[1106,7],[1375,7],[1494,7],[1747,7]]},"2673":{"position":[[1466,7],[1533,7],[1571,7],[1640,8],[1760,8],[1787,7]]},"2675":{"position":[[503,8],[578,8]]},"2685":{"position":[[693,7]]},"2687":{"position":[[197,9]]},"2691":{"position":[[1231,7]]},"2695":{"position":[[332,8],[421,7],[622,9]]},"2742":{"position":[[127,7],[294,7],[433,7],[550,7]]},"2744":{"position":[[91,8],[402,8]]},"2754":{"position":[[519,8]]},"2775":{"position":[[583,7]]},"2804":{"position":[[326,8]]},"2808":{"position":[[152,8]]},"2814":{"position":[[525,9],[704,9],[1247,9],[1404,9],[1676,8]]},"2864":{"position":[[376,8],[478,7],[754,7],[1184,7],[1447,7],[1537,7],[1898,7]]},"2866":{"position":[[781,7],[908,7],[1008,7],[1270,7],[1661,7]]},"2868":{"position":[[433,7],[533,7]]},"2872":{"position":[[447,9]]},"2876":{"position":[[1172,8]]},"2878":{"position":[[120,7]]},"2888":{"position":[[830,7]]},"2894":{"position":[[241,7]]},"2898":{"position":[[216,8],[330,8],[395,8],[587,8]]},"2900":{"position":[[44,8],[121,8],[603,8],[666,8],[709,8],[809,7]]},"2902":{"position":[[9,7]]},"2906":{"position":[[171,9],[450,7],[546,7],[621,7]]},"2918":{"position":[[127,7],[765,8],[831,8],[1280,7],[1425,8],[1634,7],[1831,7],[2594,8]]},"2992":{"position":[[108,7]]},"2996":{"position":[[93,7]]},"3010":{"position":[[1120,7]]},"3012":{"position":[[598,7],[1164,7]]},"3014":{"position":[[1565,7],[1594,7],[1674,7],[1753,7],[2715,7],[2806,7]]},"3030":{"position":[[545,7]]},"3032":{"position":[[18,7],[89,7],[227,7],[323,7],[374,7]]},"3044":{"position":[[20,7],[107,7],[176,7],[286,7],[361,7],[390,7],[459,7],[631,7],[678,7],[860,7]]},"3050":{"position":[[754,7]]},"3056":{"position":[[245,7],[298,7]]},"3058":{"position":[[280,7]]},"3120":{"position":[[2361,7],[2431,7],[2502,7],[2581,7],[2621,7]]},"3122":{"position":[[2309,7],[2379,7],[2450,7],[2529,7],[2569,7]]},"3124":{"position":[[2178,7],[2248,7],[2319,7],[2398,7],[2438,7]]},"3126":{"position":[[2127,7],[2197,7],[2268,7],[2347,7],[2387,7]]},"3128":{"position":[[2140,7],[2210,7],[2281,7],[2360,7],[2400,7]]},"3130":{"position":[[2253,7],[2323,7],[2394,7],[2473,7],[2513,7]]},"3132":{"position":[[2214,7],[2284,7],[2355,7],[2434,7],[2474,7]]},"3136":{"position":[[2287,7],[2357,7],[2428,7],[2507,7],[2547,7]]},"3138":{"position":[[2268,7],[2338,7],[2409,7],[2488,7],[2528,7]]},"3140":{"position":[[2164,7],[2234,7],[2305,7],[2384,7],[2424,7]]},"3142":{"position":[[2280,7],[2350,7],[2421,7],[2500,7],[2540,7]]},"3144":{"position":[[2145,7],[2215,7],[2286,7],[2365,7],[2405,7]]},"3146":{"position":[[2060,7],[2130,7],[2201,7],[2280,7],[2320,7]]},"3156":{"position":[[172,7],[236,7],[441,7],[486,7],[2235,7],[2305,7],[2376,7],[2455,7],[2495,7]]},"3158":{"position":[[337,7]]},"3162":{"position":[[2277,7],[2347,7],[2418,7],[2497,7],[2537,7]]},"3164":{"position":[[2193,7],[2263,7],[2334,7],[2413,7],[2453,7]]},"3166":{"position":[[2199,7],[2269,7],[2340,7],[2419,7],[2459,7]]},"3177":{"position":[[1608,8],[1861,7],[1940,7],[1984,7]]},"3179":{"position":[[192,7],[334,7],[387,7],[1676,8],[1929,7],[2008,7],[2052,7]]},"3181":{"position":[[172,7],[243,7],[276,7],[425,8],[480,7],[1761,8],[2014,7],[2093,7],[2137,7]]},"3183":{"position":[[1657,8],[1910,7],[1989,7],[2033,7]]},"3195":{"position":[[42,7]]},"3201":{"position":[[42,7]]},"3207":{"position":[[134,8]]},"3239":{"position":[[172,7],[390,8],[2544,7],[2614,7],[2685,7],[2764,7],[2804,7]]},"3241":{"position":[[158,7],[376,8],[2558,7],[2628,7],[2699,7],[2778,7],[2818,7]]},"3243":{"position":[[201,7],[432,8],[2673,7],[2743,7],[2814,7],[2893,7],[2933,7]]},"3245":{"position":[[148,7],[362,8]]},"3247":{"position":[[185,7],[419,8]]},"3249":{"position":[[170,7],[396,8]]},"3251":{"position":[[171,7],[396,8]]},"3253":{"position":[[53,7],[270,8]]},"3255":{"position":[[169,7],[364,8]]},"3257":{"position":[[291,7],[580,8]]},"3259":{"position":[[225,7],[446,8]]},"3261":{"position":[[53,7],[300,8]]},"3263":{"position":[[474,7],[1005,8]]},"3274":{"position":[[42,7],[186,7]]},"3276":{"position":[[60,7],[104,7]]}}}],["service'",{"_index":2009,"t":{"2900":{"position":[[328,9],[483,9]]}}}],["service.key",{"_index":188,"t":{"2503":{"position":[[1183,11]]},"2509":{"position":[[364,11]]}}}],["service>,= - -검색 결과 없음 - - + +검색 결과 없음 + + -

    검색 결과 없음

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +

    검색 결과 없음

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/kr/security.html b/kr/security.html index 825351efe..73a9f7d62 100644 --- a/kr/security.html +++ b/kr/security.html @@ -2,18 +2,18 @@ - -보안 | K3s - - + +보안 | K3s + + -

    보안

    이 섹션에서는 K3s 클러스터를 보호하는 방법론과 수단에 대해 설명합니다. 두 섹션으로 나뉘어져 있습니다. 이 가이드는 K3s가 임베디드 etcd로 실행되고 있다고 가정합니다.

    +

    보안

    이 섹션에서는 K3s 클러스터를 보호하는 방법론과 수단에 대해 설명합니다. 두 섹션으로 나뉘어져 있습니다. 이 가이드는 K3s가 임베디드 etcd로 실행되고 있다고 가정합니다.

    아래 문서는 CIS 쿠버네티스 벤치마크 v1.23에 적용됩니다.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks +
    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/kr/security/hardening-guide.html b/kr/security/hardening-guide.html index f992834d6..3d0c04b88 100644 --- a/kr/security/hardening-guide.html +++ b/kr/security/hardening-guide.html @@ -2,38 +2,38 @@ - -CIS Hardening Guide | K3s - - + +CIS Hardening Guide | K3s + + -

    CIS Hardening Guide

    This document provides prescriptive guidance for hardening a production installation of K3s. It outlines the configurations and controls required to address Kubernetes benchmark controls from the Center for Internet Security (CIS).

    +

    CIS Hardening Guide

    This document provides prescriptive guidance for hardening a production installation of K3s. It outlines the configurations and controls required to address Kubernetes benchmark controls from the Center for Internet Security (CIS).

    K3s has a number of security mitigations applied and turned on by default and will pass a number of the Kubernetes CIS controls without modification. There are some notable exceptions to this that require manual intervention to fully comply with the CIS Benchmark:

    1. K3s will not modify the host operating system. Any host-level modifications will need to be done manually.
    2. Certain CIS policy controls for NetworkPolicies and PodSecurityStandards (PodSecurityPolicies on v1.24 and older) will restrict the functionality of the cluster. You must opt into having K3s configure these by adding the appropriate options (enabling of admission plugins) to your command-line flags or configuration file as well as manually applying appropriate policies. Further details are presented in the sections below.

    The first section (1.1) of the CIS Benchmark concerns itself primarily with pod manifest permissions and ownership. K3s doesn't utilize these for the core components since everything is packaged into a single binary.

    -

    Host-level Requirements

    +

    Host-level Requirements

    There are two areas of host-level requirements: kernel parameters and etcd process/directory configuration. These are outlined in this section.

    -

    Ensure protect-kernel-defaults is set

    +

    Ensure protect-kernel-defaults is set

    This is a kubelet flag that will cause the kubelet to exit if the required kernel parameters are unset or are set to values that are different from the kubelet's defaults.

    Note: protect-kernel-defaults is exposed as a top-level flag for K3s.

    -

    Set kernel parameters

    +

    Set kernel parameters

    Create a file called /etc/sysctl.d/90-kubelet.conf and add the snippet below. Then run sysctl -p /etc/sysctl.d/90-kubelet.conf.

    vm.panic_on_oom=0
    vm.overcommit_memory=1
    kernel.panic=10
    kernel.panic_on_oops=1
    kernel.keys.root_maxbytes=25000000
    -

    Kubernetes Runtime Requirements

    +

    Kubernetes Runtime Requirements

    The runtime requirements to comply with the CIS Benchmark are centered around pod security (via PSP or PSA), network policies and API Server auditing logs. These are outlined in this section.

    By default, K3s does not include any pod security or network policies. However, K3s ships with a controller that will enforce network policies, if any are created. K3s doesn't enable auditing by default, so audit log configuration and audit policy must be created manually. By default, K3s runs with the both the PodSecurity and NodeRestriction admission controllers enabled, among others.

    -

    Pod Security

    -

    K3s v1.25 and newer support Pod Security Admissions (PSAs) for controlling pod security. PSAs are enabled by passing the following flag to the K3s server:

    --kube-apiserver-arg="admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml"

    The policy should be written to a file named psa.yaml in /var/lib/rancher/k3s/server directory.

    Here is an example of a compliant PSA:

    apiVersion: apiserver.config.k8s.io/v1
    kind: AdmissionConfiguration
    plugins:
    - name: PodSecurity
      configuration:
        apiVersion: pod-security.admission.config.k8s.io/v1beta1
        kind: PodSecurityConfiguration
        defaults:
          enforce: "restricted"
          enforce-version: "latest"
          audit: "restricted"
          audit-version: "latest"
          warn: "restricted"
          warn-version: "latest"
        exemptions:
          usernames: []
          runtimeClasses: []
          namespaces: [kube-system, cis-operator-system]
    +

    Pod Security

    +

    K3s v1.25 and newer support Pod Security Admissions (PSAs) for controlling pod security. PSAs are enabled by passing the following flag to the K3s server:

    --kube-apiserver-arg="admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml"

    The policy should be written to a file named psa.yaml in /var/lib/rancher/k3s/server directory.

    Here is an example of a compliant PSA:

    apiVersion: apiserver.config.k8s.io/v1
    kind: AdmissionConfiguration
    plugins:
    - name: PodSecurity
      configuration:
        apiVersion: pod-security.admission.config.k8s.io/v1beta1
        kind: PodSecurityConfiguration
        defaults:
          enforce: "restricted"
          enforce-version: "latest"
          audit: "restricted"
          audit-version: "latest"
          warn: "restricted"
          warn-version: "latest"
        exemptions:
          usernames: []
          runtimeClasses: []
          namespaces: [kube-system, cis-operator-system]

    Note: The Kubernetes critical additions such as CNI, DNS, and Ingress are run as pods in the kube-system namespace. Therefore, this namespace will have a policy that is less restrictive so that these components can run properly.

    -

    NetworkPolicies

    +

    NetworkPolicies

    CIS requires that all namespaces have a network policy applied that reasonably limits traffic into namespaces and pods.

    Network policies should be placed the /var/lib/rancher/k3s/server/manifests directory, where they will automatically be deployed on startup.

    Here is an example of a compliant network policy.

    @@ -43,7 +43,7 @@

    NetworkPolic

    The metrics-server and Traefik ingress controller will be blocked by default if network policies are not created to allow access. Traefik v1 as packaged in K3s version 1.20 and below uses different labels than Traefik v2. Ensure that you only use the sample yaml below that is associated with the version of Traefik present on your cluster.

    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: allow-all-metrics-server
      namespace: kube-system
    spec:
      podSelector:
        matchLabels:
          k8s-app: metrics-server
      ingress:
      - {}
      policyTypes:
      - Ingress
    ---
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: allow-all-svclbtraefik-ingress
      namespace: kube-system
    spec:
      podSelector: 
        matchLabels:
          svccontroller.k3s.cattle.io/svcname: traefik
      ingress:
      - {}
      policyTypes:
      - Ingress
    ---
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: allow-all-traefik-v121-ingress
      namespace: kube-system
    spec:
      podSelector:
        matchLabels:
          app.kubernetes.io/name: traefik
      ingress:
      - {}
      policyTypes:
      - Ingress
    ---

    정보

    Operators must manage network policies as normal for additional namespaces that are created.

    -

    API Server audit configuration

    +

    API Server audit configuration

    CIS requirements 1.2.22 to 1.2.25 are related to configuring audit logs for the API Server. K3s doesn't create by default the log directory and audit policy, as auditing requirements are specific to each user's policies and environment.

    The log directory, ideally, must be created before starting K3s. A restrictive access permission is recommended to avoid leaking potential sensitive information.

    sudo mkdir -p -m 700 /var/lib/rancher/k3s/server/logs
    @@ -55,76 +55,76 @@ 

    ExecStart=/usr/local/bin/k3s \
        server \
    	'--kube-apiserver-arg=audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log' \
    	'--kube-apiserver-arg=audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml' \

    K3s must be restarted to load the new configuration.

    sudo systemctl daemon-reload
    sudo systemctl restart k3s.service
    -

    Configuration for Kubernetes Components

    +

    Configuration for Kubernetes Components

    The configuration below should be placed in the configuration file, and contains all the necessary remediations to harden the Kubernetes components.

    protect-kernel-defaults: true
    secrets-encryption: true
    kube-apiserver-arg:
      - 'admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml'
      - 'audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log'
      - 'audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml'
      - 'audit-log-maxage=30'
      - 'audit-log-maxbackup=10'
      - 'audit-log-maxsize=100'
    kube-controller-manager-arg:
      - 'terminated-pod-gc-threshold=10'
      - 'use-service-account-credentials=true'
    kubelet-arg:
      - 'streaming-connection-idle-timeout=5m'
      - 'make-iptables-util-chains=true'
    -

    Control Plane Execution and Arguments

    +

    Control Plane Execution and Arguments

    Listed below are the K3s control plane components and the arguments they are given at start, by default. Commented to their right is the CIS 1.6 control that they satisfy.

    kube-apiserver 
        --advertise-port=6443 
        --allow-privileged=true 
        --anonymous-auth=false                                                            # 1.2.1
        --api-audiences=unknown 
        --authorization-mode=Node,RBAC 
        --bind-address=127.0.0.1 
        --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs
        --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt                    # 1.2.31
        --enable-admission-plugins=NodeRestriction,PodSecurityPolicy                      # 1.2.17
        --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt                  # 1.2.32
        --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt                   # 1.2.29
        --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key                    # 1.2.29
        --etcd-servers=https://127.0.0.1:2379 
        --insecure-port=0                                                                 # 1.2.19
        --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt 
        --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt 
        --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key 
        --profiling=false                                                                 # 1.2.21
        --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt 
        --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key 
        --requestheader-allowed-names=system:auth-proxy 
        --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt 
        --requestheader-extra-headers-prefix=X-Remote-Extra- 
        --requestheader-group-headers=X-Remote-Group 
        --requestheader-username-headers=X-Remote-User 
        --secure-port=6444                                                                # 1.2.20
        --service-account-issuer=k3s 
        --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key            # 1.2.28
        --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key 
        --service-cluster-ip-range=10.43.0.0/16 
        --storage-backend=etcd3 
        --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt        # 1.2.30
        --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key # 1.2.30
        --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
    kube-controller-manager 
        --address=127.0.0.1 
        --allocate-node-cidrs=true 
        --bind-address=127.0.0.1                                                       # 1.3.7
        --cluster-cidr=10.42.0.0/16 
        --cluster-signing-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt 
        --cluster-signing-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key 
        --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig 
        --port=10252 
        --profiling=false                                                              # 1.3.2
        --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt                   # 1.3.5
        --secure-port=0 
        --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.key # 1.3.4 
        --use-service-account-credentials=true                                         # 1.3.3
    kube-scheduler 
        --address=127.0.0.1 
        --bind-address=127.0.0.1                                              # 1.4.2
        --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig 
        --port=10251 
        --profiling=false                                                     # 1.4.1
        --secure-port=0
    kubelet 
        --address=0.0.0.0 
        --anonymous-auth=false                                                # 4.2.1
        --authentication-token-webhook=true 
        --authorization-mode=Webhook                                          # 4.2.2
        --cgroup-driver=cgroupfs 
        --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt             # 4.2.3
        --cloud-provider=external 
        --cluster-dns=10.43.0.10 
        --cluster-domain=cluster.local 
        --cni-bin-dir=/var/lib/rancher/k3s/data/223e6420f8db0d8828a8f5ed3c44489bb8eb47aa71485404f8af8c462a29bea3/bin 
        --cni-conf-dir=/var/lib/rancher/k3s/agent/etc/cni/net.d 
        --container-runtime-endpoint=/run/k3s/containerd/containerd.sock 
        --container-runtime=remote 
        --containerd=/run/k3s/containerd/containerd.sock 
        --eviction-hard=imagefs.available<5%,nodefs.available<5% 
        --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% 
        --fail-swap-on=false 
        --healthz-bind-address=127.0.0.1 
        --hostname-override=hostname01 
        --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig 
        --kubelet-cgroups=/systemd/system.slice 
        --node-labels= 
        --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests 
        --protect-kernel-defaults=true                                        # 4.2.6
        --read-only-port=0                                                    # 4.2.4
        --resolv-conf=/run/systemd/resolve/resolv.conf 
        --runtime-cgroups=/systemd/system.slice 
        --serialize-image-pulls=false 
        --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt        # 4.2.10
        --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key # 4.2.10

    Additional information about CIS requirements 1.2.22 to 1.2.25 is presented below.

    -

    Known Issues

    +

    Known Issues

    The following are controls that K3s currently does not pass by default. Each gap will be explained, along with a note clarifying whether it can be passed through manual operator intervention, or if it will be addressed in a future release of K3s.

    -

    Control 1.2.15

    +

    Control 1.2.15

    Ensure that the admission control plugin NamespaceLifecycle is set.

    Details

    Rationale Setting admission control policy to NamespaceLifecycle ensures that objects cannot be created in non-existent namespaces, and that namespaces undergoing termination are not used for creating the new objects. This is recommended to enforce the integrity of the namespace termination process and also for the availability of the newer objects.

    This can be remediated by passing this argument as a value to the enable-admission-plugins= and pass that to --kube-apiserver-arg= argument to k3s server. An example can be found below.

    -

    Control 1.2.16

    +

    Control 1.2.16

    Ensure that the admission control plugin PodSecurityPolicy is set.

    Details

    Rationale A Pod Security Policy is a cluster-level resource that controls the actions that a pod can perform and what it has the ability to access. The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system. Pod Security Policies are comprised of settings and strategies that control the security features a pod has access to and hence this must be used to control pod access permissions.

    This can be remediated by passing this argument as a value to the enable-admission-plugins= and pass that to --kube-apiserver-arg= argument to k3s server. An example can be found below.

    -

    Control 1.2.22

    +

    Control 1.2.22

    Ensure that the --audit-log-path argument is set.

    Details

    Rationale Auditing the Kubernetes API Server provides a security-relevant chronological set of records documenting the sequence of activities that have affected system by individual users, administrators or other components of the system. Even though currently, Kubernetes provides only basic audit capabilities, it should be enabled. You can enable it by setting an appropriate audit log path.

    This can be remediated by passing this argument as a value to the --kube-apiserver-arg= argument to k3s server. An example can be found below.

    -

    Control 1.2.23

    +

    Control 1.2.23

    Ensure that the --audit-log-maxage argument is set to 30 or as appropriate.

    Details

    Rationale Retaining logs for at least 30 days ensures that you can go back in time and investigate or correlate any events. Set your audit log retention period to 30 days or as per your business requirements.

    This can be remediated by passing this argument as a value to the --kube-apiserver-arg= argument to k3s server. An example can be found below.

    -

    Control 1.2.24

    +

    Control 1.2.24

    Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate.

    Details

    Rationale Kubernetes automatically rotates the log files. Retaining old log files ensures that you would have sufficient log data available for carrying out any investigation or correlation. For example, if you have set file size of 100 MB and the number of old log files to keep as 10, you would approximate have 1 GB of log data that you could potentially use for your analysis.

    This can be remediated by passing this argument as a value to the --kube-apiserver-arg= argument to k3s server. An example can be found below.

    -

    Control 1.2.25

    +

    Control 1.2.25

    Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate.

    Details

    Rationale Kubernetes automatically rotates the log files. Retaining old log files ensures that you would have sufficient log data available for carrying out any investigation or correlation. If you have set file size of 100 MB and the number of old log files to keep as 10, you would approximate have 1 GB of log data that you could potentially use for your analysis.

    This can be remediated by passing this argument as a value to the --kube-apiserver-arg= argument to k3s server. An example can be found below.

    -

    Control 1.2.26

    +

    Control 1.2.26

    Ensure that the --request-timeout argument is set as appropriate.

    Details

    Rationale Setting global request timeout allows extending the API server request timeout limit to a duration appropriate to the user's connection speed. By default, it is set to 60 seconds which might be problematic on slower connections making cluster resources inaccessible once the data volume for requests exceeds what can be transmitted in 60 seconds. But, setting this timeout limit to be too large can exhaust the API server resources making it prone to Denial-of-Service attack. Hence, it is recommended to set this limit as appropriate and change the default limit of 60 seconds only if needed.

    This can be remediated by passing this argument as a value to the --kube-apiserver-arg= argument to k3s server. An example can be found below.

    -

    Control 1.2.27

    +

    Control 1.2.27

    Ensure that the --service-account-lookup argument is set to true.

    Details

    Rationale If --service-account-lookup is not enabled, the apiserver only verifies that the authentication token is valid, and does not validate that the service account token mentioned in the request is actually present in etcd. This allows using a service account token even after the corresponding service account is deleted. This is an example of time of check to time of use security issue.

    This can be remediated by passing this argument as a value to the --kube-apiserver-arg= argument to k3s server. An example can be found below.

    -

    Control 1.2.33

    +

    Control 1.2.33

    Ensure that the --encryption-provider-config argument is set as appropriate.

    Details

    Rationale etcd is a highly available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted at rest to avoid any disclosures.

    Detailed steps on how to configure secrets encryption in K3s are available in Secrets Encryption.

    -

    Control 1.2.34

    +

    Control 1.2.34

    Ensure that encryption providers are appropriately configured.

    Details

    Rationale Where etcd encryption is used, it is important to ensure that the appropriate set of encryption providers is used. Currently, the aescbc, kms and secretbox are likely to be appropriate options.

    This can be remediated by passing a valid configuration to k3s as outlined above. Detailed steps on how to configure secrets encryption in K3s are available in Secrets Encryption.

    -

    Control 1.3.1

    +

    Control 1.3.1

    Ensure that the --terminated-pod-gc-threshold argument is set as appropriate.

    Details

    Rationale Garbage collection is important to ensure sufficient resource availability and avoiding degraded performance and availability. In the worst case, the system might crash or just be unusable for a long period of time. The current setting for garbage collection is 12,500 terminated pods which might be too high for your system to sustain. Based on your system resources and tests, choose an appropriate threshold value to activate garbage collection.

    This can be remediated by passing this argument as a value to the --kube-apiserver-arg= argument to k3s server. An example can be found below.

    -

    Control 3.2.1

    +

    Control 3.2.1

    Ensure that a minimal audit policy is created.

    Details

    Rationale Logging is an important detective control for all systems, to detect potential unauthorized access.

    This can be remediated by passing controls 1.2.22 - 1.2.25 and verifying their efficacy.

    -

    Control 4.2.7

    +

    Control 4.2.7

    Ensure that the --make-iptables-util-chains argument is set to true.

    Details

    Rationale Kubelets can automatically manage the required changes to iptables based on how you choose your networking options for the pods. It is recommended to let kubelets manage the changes to iptables. This ensures that the iptables configuration remains in sync with pods networking configuration. Manually configuring iptables with dynamic pod network configuration changes might hamper the communication between pods/containers and to the outside world. You might have iptables rules too restrictive or too open.

    This can be remediated by passing this argument as a value to the --kube-apiserver-arg= argument to k3s server. An example can be found below.

    -

    Control 5.1.5

    +

    Control 5.1.5

    Ensure that default service accounts are not actively used

    Details

    Rationale Kubernetes provides a default service account which is used by cluster workloads where no specific service account is assigned to the pod.

    Where access to the Kubernetes API from a pod is required, a specific service account should be created for that pod, and rights granted to that service account.

    The default service account should be configured such that it does not provide a service account token and does not have any explicit rights assignments.

    This can be remediated by updating the automountServiceAccountToken field to false for the default service account in each namespace.

    For default service accounts in the built-in namespaces (kube-system, kube-public, kube-node-lease, and default), K3s does not automatically do this. You can manually update this field on these service accounts to pass the control.

    -

    Conclusion

    -

    If you have followed this guide, your K3s cluster will be configured to comply with the CIS Kubernetes Benchmark. You can review the CIS Benchmark Self-Assessment Guide to understand the expectations of each of the benchmark's checks and how you can do the same on your cluster.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/kr/security/secrets-encryption.html b/kr/security/secrets-encryption.html index 5e7cf3098..1766f2663 100644 --- a/kr/security/secrets-encryption.html +++ b/kr/security/secrets-encryption.html @@ -2,13 +2,13 @@ - -Secrets Encryption | K3s - - + +Secrets Encryption | K3s + + -

    Secrets Encryption Config

    +

    Secrets Encryption Config

    K3s supports enabling secrets encryption at rest. When first starting the server, passing the flag --secrets-encryption will do the following automatically:

    • Generate an AES-CBC key
      • @@ -19,7 +19,7 @@ Use curl -sfL https://get.k3s.io | sh -s - server --secrets-encryption if installing from script, or other methods described in Configuration Options.

    Example of the encryption config file:

    {
      "kind": "EncryptionConfiguration",
      "apiVersion": "apiserver.config.k8s.io/v1",
      "resources": [
        {
          "resources": [
            "secrets"
          ],
          "providers": [
            {
              "aescbc": {
                "keys": [
                  {
                    "name": "aescbckey",
                    "secret": "xxxxxxxxxxxxxxxxxxx"
                  }
                ]
              }
            },
            {
              "identity": {}
            }
          ]
        }
      ]
    }
    -

    Secrets Encryption Tool

    +

    Secrets Encryption Tool

    K3s contains a utility tool secrets-encrypt, which enables automatic control over the following:

    • Disabling/Enabling secrets encryption
      • @@ -27,7 +27,7 @@

      Secr
    • Rotating and deleting encryption keys
    • Reencrypting secrets

    -

    For more information, see the k3s secrets-encrypt command documentation.

    Copyright © 2024 K3s Project Authors. All rights reserved.
    The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
    diff --git a/kr/security/self-assessment-1.23.html b/kr/security/self-assessment-1.23.html index 96954317e..20c06e60c 100644 --- a/kr/security/self-assessment-1.23.html +++ b/kr/security/self-assessment-1.23.html @@ -2,18 +2,18 @@ - -CIS Self Assessment Guide | K3s - - + +CIS Self Assessment Guide | K3s + + -

    CIS Self Assessment Guide

    CIS Kubernetes Benchmark v1.23 - K3s with Kubernetes v1.22 to v1.24

    -

    Overview

    +

    CIS Self Assessment Guide

    CIS Kubernetes Benchmark v1.23 - K3s with Kubernetes v1.22 to v1.24

    +

    Overview

    This document is a companion to the K3s security hardening guide. The hardening guide provides prescriptive guidance for hardening a production installation of K3s, and this benchmark guide is meant to help you evaluate the level of security of the hardened cluster against each control in the CIS Kubernetes Benchmark. It is to be used by K3s operators, security teams, auditors, and decision-makers.

    This guide is specific to the v1.22, v1.23 and v1.24 release line of K3s and the v1.23 release of the CIS Kubernetes Benchmark.

    For more information about each control, including detailed descriptions and remediations for failing tests, you can refer to the corresponding section of the CIS Kubernetes Benchmark v1.6. You can download the benchmark, after creating a free account, in Center for Internet Security (CIS).

    -

    Testing controls methodology

    +

    Testing controls methodology

    Each control in the CIS Kubernetes Benchmark was evaluated against a K3s cluster that was configured according to the accompanying hardening guide.

    Where control audits differ from the original CIS benchmark, the audit commands specific to K3s are provided for testing.

    These are the possible results for each control:

    @@ -26,61 +26,61 @@

    NOTE: Only automated tests (previously called scored) are covered in this guide.

    -

    Controls

    +

    Controls

    -

    1.1 Control Plane Node Configuration Files

    -

    1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)

    +

    1.1 Control Plane Node Configuration Files

    +

    1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)

    Result: Not Applicable

    Remediation: Run the below command (based on the file location on your system) on the control plane node. For example, chmod 644 /etc/kubernetes/manifests/kube-apiserver.yaml

    -

    1.1.2 Ensure that the API server pod specification file ownership is set to root:root (Automated)

    +

    1.1.2 Ensure that the API server pod specification file ownership is set to root:root (Automated)

    Result: Not Applicable

    Remediation: Run the below command (based on the file location on your system) on the control plane node. For example, chown root:root /etc/kubernetes/manifests/kube-apiserver.yaml

    -

    1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Automated)

    +

    1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Automated)

    Result: Not Applicable

    Remediation: Run the below command (based on the file location on your system) on the control plane node. For example, chmod 644 /etc/kubernetes/manifests/kube-controller-manager.yaml

    -

    1.1.4 Ensure that the controller manager pod specification file ownership is set to root:root (Automated)

    +

    1.1.4 Ensure that the controller manager pod specification file ownership is set to root:root (Automated)

    Result: Not Applicable

    Remediation: Run the below command (based on the file location on your system) on the control plane node. For example, chown root:root /etc/kubernetes/manifests/kube-controller-manager.yaml

    -

    1.1.5 Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Automated)

    +

    1.1.5 Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Automated)

    Result: Not Applicable

    Remediation: Run the below command (based on the file location on your system) on the control plane node. For example, chmod 644 /etc/kubernetes/manifests/kube-scheduler.yaml

    -

    1.1.6 Ensure that the scheduler pod specification file ownership is set to root:root (Automated)

    +

    1.1.6 Ensure that the scheduler pod specification file ownership is set to root:root (Automated)

    Result: Not Applicable

    Remediation: Run the below command (based on the file location on your system) on the control plane node. For example, chown root:root /etc/kubernetes/manifests/kube-scheduler.yaml

    -

    1.1.7 Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated)

    +

    1.1.7 Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated)

    Result: Not Applicable

    Remediation: Run the below command (based on the file location on your system) on the control plane node. For example, chmod 644 /etc/kubernetes/manifests/etcd.yaml

    -

    1.1.8 Ensure that the etcd pod specification file ownership is set to root:root (Automated)

    +

    1.1.8 Ensure that the etcd pod specification file ownership is set to root:root (Automated)

    Result: Not Applicable

    Remediation: Run the below command (based on the file location on your system) on the control plane node. For example, chown root:root /etc/kubernetes/manifests/etcd.yaml

    -

    1.1.9 Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual)

    +

    1.1.9 Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual)

    Result: Not Applicable

    Remediation: Run the below command (based on the file location on your system) on the control plane node. For example, chmod 644 <path/to/cni/files>

    -

    1.1.10 Ensure that the Container Network Interface file ownership is set to root:root (Manual)

    +

    1.1.10 Ensure that the Container Network Interface file ownership is set to root:root (Manual)

    Result: Not Applicable

    Remediation: Run the below command (based on the file location on your system) on the control plane node. For example, chown root:root <path/to/cni/files>

    -

    1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)

    +

    1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)

    Result: pass

    Remediation: On the etcd server node, get the etcd data directory, passed as an argument --data-dir, @@ -95,19 +95,19 @@ 

    '700' is equal to '700'

    Returned Value:

    700
    -

    1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)

    +

    1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)

    Result: Not Applicable

    Remediation: On the etcd server node, get the etcd data directory, passed as an argument --data-dir, from the command 'ps -ef | grep etcd'. Run the below command (based on the etcd data directory found above). For example, chown etcd:etcd /var/lib/etcd

    -

    1.1.13 Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)

    +

    1.1.13 Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)

    Result: Not Applicable

    Remediation: Run the below command (based on the file location on your system) on the control plane node. For example, chmod 600 /var/lib/rancher/k3s/server/cred/admin.kubeconfig

    -

    1.1.14 Ensure that the admin.conf file ownership is set to root:root (Automated)

    +

    1.1.14 Ensure that the admin.conf file ownership is set to root:root (Automated)

    Result: pass

    Remediation: Run the below command (based on the file location on your system) on the control plane node. @@ -118,7 +118,7 @@ 

    'root:root' is equal to 'root:root'

    Returned Value:

    root:root
    -

    1.1.15 Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated)

    +

    1.1.15 Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated)

    Result: pass

    Remediation: Run the below command (based on the file location on your system) on the control plane node. @@ -130,7 +130,7 @@ 

    permissions has permissions 644, expected 644 or more restrictive

    Returned Value:

    permissions=644
    -

    1.1.16 Ensure that the scheduler.conf file ownership is set to root:root (Automated)

    +

    1.1.16 Ensure that the scheduler.conf file ownership is set to root:root (Automated)

    Result: pass

    Remediation: Run the below command (based on the file location on your system) on the control plane node. @@ -141,7 +141,7 @@ 

    'root:root' is present

    Returned Value:

    root:root
    -

    1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated)

    +

    1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated)

    Result: pass

    Remediation: Run the below command (based on the file location on your system) on the control plane node. @@ -153,7 +153,7 @@ 

    permissions has permissions 644, expected 644 or more restrictive

    Returned Value:

    permissions=644
    -

    1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root (Automated)

    +

    1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root (Automated)

    Result: pass

    Remediation: Run the below command (based on the file location on your system) on the control plane node. @@ -165,7 +165,7 @@ 

    'root:root' is equal to 'root:root'

    Returned Value:

    root:root
    -

    1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)

    +

    1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)

    Result: pass

    Remediation: Run the below command (based on the file location on your system) on the control plane node. @@ -177,7 +177,7 @@ 

    'root:root' is present

    Returned Value:

    root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root
    -

    1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Manual)

    +

    1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Manual)

    Result: warn

    Remediation: Run the below command (based on the file location on your system) on the control plane node. @@ -185,7 +185,7 @@ 

    stat -c %n %a /var/lib/rancher/k3s/server/tls/*.crt

    -

    1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)

    +

    1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)

    Result: warn

    Remediation: Run the below command (based on the file location on your system) on the control plane node. @@ -193,8 +193,8 @@ 

    stat -c %n %a /var/lib/rancher/k3s/server/tls/*.key

    -

    1.2 API Server

    -

    1.2.1 Ensure that the --anonymous-auth argument is set to false (Manual)

    +

    1.2 API Server

    +

    1.2.1 Ensure that the --anonymous-auth argument is set to false (Manual)

    Result: warn

    Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml @@ -202,7 +202,7 @@ 

    journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'anonymous-auth'

    -

    1.2.2 Ensure that the --token-auth-file parameter is not set (Automated)

    +

    1.2.2 Ensure that the --token-auth-file parameter is not set (Automated)

    Result: pass

    Remediation: Follow the documentation and configure alternate mechanisms for authentication. Then, @@ -214,7 +214,7 @@ 

    '--token-auth-file' is not present

    Returned Value:

    root 1616 1600 6 13:26 ? 00:01:28 containerd -c /var/lib/rancher/k3s/agent/etc/containerd/config.toml -a /run/k3s/containerd/containerd.sock --state /run/k3s/containerd --root /var/lib/rancher/k3s/agent/containerd root 2318 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id b41ec3297be4625c2406ad8b7b4f8b91cddd60850c420050c4c3273f809b3e7e -address /run/k3s/containerd/containerd.sock root 2341 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id e7999a65ae0a4e9969f32317ec48ae4f7071b62f92e5236696737973be77c2e1 -address /run/k3s/containerd/containerd.sock root 3199 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 90c4e63d6ee29d40a48c2fdaf2738c2472cba1139dde8a550466c452184f8528 -address /run/k3s/containerd/containerd.sock root 3923 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id be5f4b9bd1ed9239362b7000b47f353acb8bc8ca52a9c9145cba0e902ec1c4b9 -address /run/k3s/containerd/containerd.sock root 4559 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 04cd40ea6b6078797f177c902c89412c70e523ad2a687a62829bf1d16ff0e19c -address /run/k3s/containerd/containerd.sock root 4647 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 48f37a480315b6adce2d2a5c5d67a85412dd0ba7a2e82816434e0deb9fa75de9 -address /run/k3s/containerd/containerd.sock root 6610 1 0 13:47 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 1cf71c22f568468055e517ab363437c0e54e45274c64024d337cc5bcce66341d -address /run/k3s/containerd/containerd.sock
    -

    1.2.3 Ensure that the --DenyServiceExternalIPs is not set (Automated)

    +

    1.2.3 Ensure that the --DenyServiceExternalIPs is not set (Automated)

    Result: pass

    Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml @@ -226,12 +226,12 @@ 

    '--enable-admission-plugins' is present OR '--enable-admission-plugins' is not present

    Returned Value:

    root 1616 1600 6 13:26 ? 00:01:28 containerd -c /var/lib/rancher/k3s/agent/etc/containerd/config.toml -a /run/k3s/containerd/containerd.sock --state /run/k3s/containerd --root /var/lib/rancher/k3s/agent/containerd root 2318 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id b41ec3297be4625c2406ad8b7b4f8b91cddd60850c420050c4c3273f809b3e7e -address /run/k3s/containerd/containerd.sock root 2341 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id e7999a65ae0a4e9969f32317ec48ae4f7071b62f92e5236696737973be77c2e1 -address /run/k3s/containerd/containerd.sock root 3199 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 90c4e63d6ee29d40a48c2fdaf2738c2472cba1139dde8a550466c452184f8528 -address /run/k3s/containerd/containerd.sock root 3923 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id be5f4b9bd1ed9239362b7000b47f353acb8bc8ca52a9c9145cba0e902ec1c4b9 -address /run/k3s/containerd/containerd.sock root 4559 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 04cd40ea6b6078797f177c902c89412c70e523ad2a687a62829bf1d16ff0e19c -address /run/k3s/containerd/containerd.sock root 4647 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 48f37a480315b6adce2d2a5c5d67a85412dd0ba7a2e82816434e0deb9fa75de9 -address /run/k3s/containerd/containerd.sock root 6610 1 0 13:47 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 1cf71c22f568468055e517ab363437c0e54e45274c64024d337cc5bcce66341d -address /run/k3s/containerd/containerd.sock
    -

    1.2.4 Ensure that the --kubelet-https argument is set to true (Automated)

    +

    1.2.4 Ensure that the --kubelet-https argument is set to true (Automated)

    Result: Not Applicable

    Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and remove the --kubelet-https parameter.

    -

    1.2.5 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)

    +

    1.2.5 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)

    Result: pass

    Remediation: Follow the Kubernetes documentation and set up the TLS connection between the @@ -240,12 +240,12 @@ 

    --kubelet-client-certificate=<path/to/client-certificate-file>
    --kubelet-client-key=<path/to/client-key-file>

    Audit:

    -
    journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'kubelet-certificate-authority'
    +
    journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'kubelet-certificate-authority'

    Expected Result:

    '--kubelet-client-certificate' is present AND '--kubelet-client-key' is present

    Returned Value:

    Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"
    -

    1.2.6 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)

    +

    1.2.6 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)

    Result: pass

    Remediation: Follow the Kubernetes documentation and setup the TLS connection between @@ -259,7 +259,7 @@ 

    '--kubelet-certificate-authority' is present

    Returned Value:

    Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"
    -

    1.2.7 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)

    +

    1.2.7 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)

    Result: pass

    Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml @@ -267,12 +267,12 @@ 

    journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'

    +
    journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'

    Expected Result:

    '--authorization-mode' does not have 'AlwaysAllow'

    Returned Value:

    Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"
    -

    1.2.8 Ensure that the --authorization-mode argument includes Node (Automated)

    +

    1.2.8 Ensure that the --authorization-mode argument includes Node (Automated)

    Result: pass

    Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml @@ -284,32 +284,32 @@ 

    '--authorization-mode' has 'Node'

    Returned Value:

    Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"
    -

    1.2.9 Ensure that the --authorization-mode argument includes RBAC (Automated)

    +

    1.2.9 Ensure that the --authorization-mode argument includes RBAC (Automated)

    Result: pass

    Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the --authorization-mode parameter to a value that includes RBAC, for example --authorization-mode=Node,RBAC.

    Audit:

    -
    journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'
    +
    journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'

    Expected Result:

    '--authorization-mode' has 'RBAC'

    Returned Value:

    Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"
    -

    1.2.10 Ensure that the admission control plugin EventRateLimit is set (Manual)

    +

    1.2.10 Ensure that the admission control plugin EventRateLimit is set (Manual)

    Result: warn

    Remediation: Follow the Kubernetes documentation and set the desired limits in a configuration file. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml and set the below parameters.

    -
    --enable-admission-plugins=...,EventRateLimit,...
    --admission-control-config-file=<path/to/configuration/file>
    +
    --enable-admission-plugins=...,EventRateLimit,...
    --admission-control-config-file=<path/to/configuration/file>

    Audit:

    journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'

    Expected Result:

    '--enable-admission-plugins' has 'EventRateLimit'

    Returned Value:

    Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"
    -

    1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set (Automated)

    +

    1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set (Automated)

    Result: pass

    Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml @@ -321,7 +321,7 @@ 

    '--enable-admission-plugins' does not have 'AlwaysAdmit' OR '--enable-admission-plugins' is not present

    Returned Value:

    Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"
    -

    1.2.12 Ensure that the admission control plugin AlwaysPullImages is set (Manual)

    +

    1.2.12 Ensure that the admission control plugin AlwaysPullImages is set (Manual)

    Result: warn

    Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml @@ -334,7 +334,7 @@ 

    '--enable-admission-plugins' is present

    Returned Value:

    root 1616 1600 6 13:26 ? 00:01:28 containerd -c /var/lib/rancher/k3s/agent/etc/containerd/config.toml -a /run/k3s/containerd/containerd.sock --state /run/k3s/containerd --root /var/lib/rancher/k3s/agent/containerd root 2318 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id b41ec3297be4625c2406ad8b7b4f8b91cddd60850c420050c4c3273f809b3e7e -address /run/k3s/containerd/containerd.sock root 2341 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id e7999a65ae0a4e9969f32317ec48ae4f7071b62f92e5236696737973be77c2e1 -address /run/k3s/containerd/containerd.sock root 3199 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 90c4e63d6ee29d40a48c2fdaf2738c2472cba1139dde8a550466c452184f8528 -address /run/k3s/containerd/containerd.sock root 3923 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id be5f4b9bd1ed9239362b7000b47f353acb8bc8ca52a9c9145cba0e902ec1c4b9 -address /run/k3s/containerd/containerd.sock root 4559 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 04cd40ea6b6078797f177c902c89412c70e523ad2a687a62829bf1d16ff0e19c -address /run/k3s/containerd/containerd.sock root 4647 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 48f37a480315b6adce2d2a5c5d67a85412dd0ba7a2e82816434e0deb9fa75de9 -address /run/k3s/containerd/containerd.sock root 6610 1 0 13:47 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 1cf71c22f568468055e517ab363437c0e54e45274c64024d337cc5bcce66341d -address /run/k3s/containerd/containerd.sock
    -

    1.2.13 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)

    +

    1.2.13 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)

    Result: warn

    Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml @@ -347,7 +347,7 @@ 

    '--enable-admission-plugins' has 'SecurityContextDeny' OR '--enable-admission-plugins' has 'PodSecurityPolicy'

    Returned Value:

    Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"
    -

    1.2.14 Ensure that the admission control plugin ServiceAccount is set (Automated)

    +

    1.2.14 Ensure that the admission control plugin ServiceAccount is set (Automated)

    Result: pass

    Remediation: Follow the documentation and create ServiceAccount objects as per your environment. @@ -360,7 +360,7 @@ 

    '--disable-admission-plugins' is present OR '--disable-admission-plugins' is not present

    Returned Value:

    Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"
    -

    1.2.15 Ensure that the admission control plugin NamespaceLifecycle is set (Automated)

    +

    1.2.15 Ensure that the admission control plugin NamespaceLifecycle is set (Automated)

    Result: pass

    Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml @@ -372,7 +372,7 @@ 

    '--disable-admission-plugins' is present OR '--disable-admission-plugins' is not present

    Returned Value:

    Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"
    -

    1.2.16 Ensure that the admission control plugin NodeRestriction is set (Automated)

    +

    1.2.16 Ensure that the admission control plugin NodeRestriction is set (Automated)

    Result: pass

    Remediation: Follow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets. @@ -386,7 +386,7 @@ 

    '--enable-admission-plugins' has 'NodeRestriction'

    Returned Value:

    Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"
    -

    1.2.17 Ensure that the --secure-port argument is not set to 0 (Automated)

    +

    1.2.17 Ensure that the --secure-port argument is not set to 0 (Automated)

    Result: pass

    Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml @@ -398,7 +398,7 @@ 

    '--secure-port' is greater than 0 OR '--secure-port' is not present

    Returned Value:

    Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"
    -

    1.2.18 Ensure that the --profiling argument is set to false (Automated)

    +

    1.2.18 Ensure that the --profiling argument is set to false (Automated)

    Result: pass

    Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml @@ -410,34 +410,34 @@ 

    '--profiling' is equal to 'false'

    Returned Value:

    Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"
    -

    1.2.19 Ensure that the --audit-log-path argument is set (Automated)

    +

    1.2.19 Ensure that the --audit-log-path argument is set (Automated)

    Result: Not Applicable

    Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the --audit-log-path parameter to a suitable path and file where you would like audit logs to be written, for example, --audit-log-path=/var/log/apiserver/audit.log

    -

    1.2.20 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)

    +

    1.2.20 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)

    Result: Not Applicable

    Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the --audit-log-maxage parameter to 30 or as an appropriate number of days, for example, --audit-log-maxage=30

    -

    1.2.21 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)

    +

    1.2.21 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)

    Result: Not Applicable

    Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the --audit-log-maxbackup parameter to 10 or to an appropriate value. For example, --audit-log-maxbackup=10

    -

    1.2.22 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)

    +

    1.2.22 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)

    Result: Not Applicable

    Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the --audit-log-maxsize parameter to an appropriate size in MB. For example, to set it as 100 MB, --audit-log-maxsize=100

    -

    1.2.24 Ensure that the --service-account-lookup argument is set to true (Automated)

    +

    1.2.24 Ensure that the --service-account-lookup argument is set to true (Automated)

    Result: pass

    Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml @@ -451,7 +451,7 @@ 

    '--service-account-lookup' is not present OR '--service-account-lookup' is present

    Returned Value:

    Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"
    -

    1.2.25 Ensure that the --request-timeout argument is set as appropriate (Automated)

    +

    1.2.25 Ensure that the --request-timeout argument is set as appropriate (Automated)

    Result: Not Applicable

    Remediation: The request timeout limits the duration of API requests. The default value of 60 seconds is @@ -461,7 +461,7 @@

    1.2.26 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)

    +

    1.2.26 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)

    Result: pass

    Remediation: Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. @@ -476,7 +476,7 @@ 

    '--etcd-certfile' is present AND '--etcd-keyfile' is present

    Returned Value:

    --etcd-certfile AND --etcd-keyfile
    -

    1.2.27 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)

    +

    1.2.27 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)

    Result: pass

    Remediation: Follow the Kubernetes documentation and set up the TLS connection on the apiserver. @@ -489,7 +489,7 @@ 

    '--tls-cert-file' is present AND '--tls-private-key-file' is present

    Returned Value:

    Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key" Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-scheduler --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"
    -

    1.2.28 Ensure that the --client-ca-file argument is set as appropriate (Automated)

    +

    1.2.28 Ensure that the --client-ca-file argument is set as appropriate (Automated)

    Result: pass

    Remediation: Follow the Kubernetes documentation and set up the TLS connection on the apiserver. @@ -502,7 +502,7 @@ 

    '--client-ca-file' is present

    Returned Value:

    Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"
    -

    1.2.29 Ensure that the --etcd-cafile argument is set as appropriate (Automated)

    +

    1.2.29 Ensure that the --etcd-cafile argument is set as appropriate (Automated)

    Result: pass

    Remediation: Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. @@ -515,7 +515,7 @@ 

    '--etcd-cafile' is present

    Returned Value:

    Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"
    -

    1.2.30 Ensure that the --encryption-provider-config argument is set as appropriate (Manual)

    +

    1.2.30 Ensure that the --encryption-provider-config argument is set as appropriate (Manual)

    Result: warn

    Remediation: Follow the Kubernetes documentation and configure a EncryptionConfig file. @@ -524,14 +524,14 @@ 

    journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'encryption-provider-config'
    -

    1.2.31 Ensure that encryption providers are appropriately configured (Manual)

    +

    1.2.31 Ensure that encryption providers are appropriately configured (Manual)

    Result: warn

    Remediation: Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file, choose aescbc, kms or secretbox as the encryption provider.

    Audit:

    grep aescbc /path/to/encryption-config.json
    -

    1.2.32 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual)

    +

    1.2.32 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual)

    Result: warn

    Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml @@ -546,8 +546,8 @@ 

    journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'tls-cipher-suites'
    -

    1.3 Controller Manager

    -

    1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)

    +

    1.3 Controller Manager

    +

    1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)

    Result: warn

    Remediation: Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml @@ -555,7 +555,7 @@ 

    journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'terminated-pod-gc-threshold'
    -

    1.3.2 Ensure that the --profiling argument is set to false (Automated)

    +

    1.3.2 Ensure that the --profiling argument is set to false (Automated)

    Result: pass

    Remediation: Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml @@ -567,19 +567,19 @@ 

    '--profiling' is equal to 'false'

    Returned Value:

    Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-controller-manager --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --use-service-account-credentials=true"
    -

    1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated)

    +

    1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated)

    Result: pass

    Remediation: Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml on the control plane node to set the below parameter. --use-service-account-credentials=true

    Audit:

    -
    journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'use-service-account-credentials'
    +
    journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'use-service-account-credentials'

    Expected Result:

    '--use-service-account-credentials' is not equal to 'false'

    Returned Value:

    Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-controller-manager --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --use-service-account-credentials=true"
    -

    1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)

    +

    1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)

    Result: pass

    Remediation: Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml @@ -592,7 +592,7 @@ 

    '--service-account-private-key-file' is present

    Returned Value:

    Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-controller-manager --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --use-service-account-credentials=true"
    -

    1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated)

    +

    1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated)

    Result: pass

    Remediation: Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml @@ -604,13 +604,13 @@ 

    '--root-ca-file' is present

    Returned Value:

    Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-controller-manager --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --use-service-account-credentials=true"
    -

    1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)

    +

    1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)

    Result: Not Applicable

    Remediation: Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml on the control plane node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true. --feature-gates=RotateKubeletServerCertificate=true

    -

    1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)

    +

    1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)

    Result: pass

    Remediation: Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml @@ -621,8 +621,8 @@ 

    '--bind-address' is present OR '--bind-address' is not present

    Returned Value:

    root 1616 1600 6 13:26 ? 00:01:28 containerd -c /var/lib/rancher/k3s/agent/etc/containerd/config.toml -a /run/k3s/containerd/containerd.sock --state /run/k3s/containerd --root /var/lib/rancher/k3s/agent/containerd root 2318 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id b41ec3297be4625c2406ad8b7b4f8b91cddd60850c420050c4c3273f809b3e7e -address /run/k3s/containerd/containerd.sock root 2341 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id e7999a65ae0a4e9969f32317ec48ae4f7071b62f92e5236696737973be77c2e1 -address /run/k3s/containerd/containerd.sock root 3199 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 90c4e63d6ee29d40a48c2fdaf2738c2472cba1139dde8a550466c452184f8528 -address /run/k3s/containerd/containerd.sock root 3923 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id be5f4b9bd1ed9239362b7000b47f353acb8bc8ca52a9c9145cba0e902ec1c4b9 -address /run/k3s/containerd/containerd.sock root 4559 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 04cd40ea6b6078797f177c902c89412c70e523ad2a687a62829bf1d16ff0e19c -address /run/k3s/containerd/containerd.sock root 4647 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 48f37a480315b6adce2d2a5c5d67a85412dd0ba7a2e82816434e0deb9fa75de9 -address /run/k3s/containerd/containerd.sock root 6610 1 0 13:47 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 1cf71c22f568468055e517ab363437c0e54e45274c64024d337cc5bcce66341d -address /run/k3s/containerd/containerd.sock
    -

    1.4 Scheduler

    -

    1.4.1 Ensure that the --profiling argument is set to false (Automated)

    +

    1.4 Scheduler

    +

    1.4.1 Ensure that the --profiling argument is set to false (Automated)

    Result: pass

    Remediation: Edit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml file @@ -634,7 +634,7 @@ 

    '--profiling' is equal to 'false'

    Returned Value:

    Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-scheduler --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"
    -

    1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)

    +

    1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)

    Result: pass

    Remediation: Edit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml @@ -645,8 +645,8 @@ 

    '--bind-address' is equal to '127.0.0.1' OR '--bind-address' is not present

    Returned Value:

    Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-scheduler --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"
    -

    2 Etcd Node Configuration

    -

    2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)

    +

    2 Etcd Node Configuration

    +

    2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)

    Result: pass

    Remediation: Follow the etcd service documentation and configure TLS encryption. @@ -661,7 +661,7 @@ 

    'cert-file' is present AND 'key-file' is present

    Returned Value:

    cert-file AND key-file cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key cert-file AND key-file
    -

    2.2 Ensure that the --client-cert-auth argument is set to true (Automated)

    +

    2.2 Ensure that the --client-cert-auth argument is set to true (Automated)

    Result: pass

    Remediation: Edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master @@ -675,7 +675,7 @@ 

    '--client-cert-auth' is present OR 'client-cert-auth' is equal to 'true'

    Returned Value:

    --client-cert-auth=true client-cert-auth: true --client-cert-auth=true
    -

    2.3 Ensure that the --auto-tls argument is not set to true (Automated)

    +

    2.3 Ensure that the --auto-tls argument is not set to true (Automated)

    Result: pass

    Remediation: Edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master @@ -689,7 +689,7 @@ 

    'ETCD_AUTO_TLS' is not present OR 'ETCD_AUTO_TLS' is present

    Returned Value:

    error: process ID list syntax error Usage: ps [options] Try 'ps --help <simple|list|output|threads|misc|all>' or 'ps --help <s|l|o|t|m|a>' for additional help text. For more details see ps(1). cat: /proc//environ: No such file or directory error: process ID list syntax error Usage: ps [options] Try 'ps --help <simple|list|output|threads|misc|all>' or 'ps --help <s|l|o|t|m|a>' for additional help text. For more details see ps(1). cat: /proc//environ: No such file or directory error: process ID list syntax error Usage: ps [options] Try 'ps --help <simple|list|output|threads|misc|all>' or 'ps --help <s|l|o|t|m|a>' for additional help text. For more details see ps(1). cat: /proc//environ: No such file or directory
    -

    2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)

    +

    2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)

    Result: pass

    Remediation: Follow the etcd service documentation and configure peer TLS encryption as appropriate @@ -705,7 +705,7 @@ 

    'cert-file' is present AND 'key-file' is present

    Returned Value:

    peer-cert-file AND peer-key-file cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key peer-cert-file AND peer-key-file
    -

    2.5 Ensure that the --peer-client-cert-auth argument is set to true (Automated)

    +

    2.5 Ensure that the --peer-client-cert-auth argument is set to true (Automated)

    Result: pass

    Remediation: Edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master @@ -719,7 +719,7 @@ 

    '--client-cert-auth' is present OR 'client-cert-auth' is equal to 'true'

    Returned Value:

    --client-cert-auth=true client-cert-auth: true --client-cert-auth=true
    -

    2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated)

    +

    2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated)

    Result: pass

    Remediation: Edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master @@ -733,7 +733,7 @@ 

    '--peer-auto-tls' is not present OR '--peer-auto-tls' is equal to 'false'

    Returned Value:

    --peer-auto-tls=false error: process ID list syntax error Usage: ps [options] Try 'ps --help <simple|list|output|threads|misc|all>' or 'ps --help <s|l|o|t|m|a>' for additional help text. For more details see ps(1). cat: /proc//environ: No such file or directory --peer-auto-tls=false
    -

    2.7 Ensure that a unique Certificate Authority is used for etcd (Manual)

    +

    2.7 Ensure that a unique Certificate Authority is used for etcd (Manual)

    Result: pass

    Remediation: [Manual test] @@ -750,20 +750,20 @@ 

    'trusted-ca-file' is present

    Returned Value:

    --trusted-ca-file trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt --trusted-ca-file
    -

    3.1 Authentication and Authorization

    -

    3.1.1 Client certificate authentication should not be used for users (Manual)

    +

    3.1 Authentication and Authorization

    +

    3.1.1 Client certificate authentication should not be used for users (Manual)

    Result: warn

    Remediation: Alternative mechanisms provided by Kubernetes such as the use of OIDC should be implemented in place of client certificates.

    -

    3.2 Logging

    -

    3.2.1 Ensure that a minimal audit policy is created (Manual)

    +

    3.2 Logging

    +

    3.2.1 Ensure that a minimal audit policy is created (Manual)

    Result: warn

    Remediation: Create an audit policy file for your cluster.

    Audit:

    journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'audit-policy-file'
    -

    3.2.2 Ensure that the audit policy covers key security concerns (Manual)

    +

    3.2.2 Ensure that the audit policy covers key security concerns (Manual)

    Result: warn

    Remediation: Review the audit policy provided for the cluster and ensure that it covers @@ -777,19 +777,19 @@

    4.1 Worker Node Configuration Files

    -

    4.1.1 Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automated)

    +

    4.1 Worker Node Configuration Files

    +

    4.1.1 Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automated)

    Result: Not Applicable

    Remediation: Run the below command (based on the file location on your system) on the each worker node. For example, chmod 644 /etc/systemd/system/kubelet.service.d/10-kubeadm.conf

    -

    4.1.2 Ensure that the kubelet service file ownership is set to root:root (Automated)

    +

    4.1.2 Ensure that the kubelet service file ownership is set to root:root (Automated)

    Result: Not Applicable

    Remediation: Run the below command (based on the file location on your system) on the each worker node. For example, chown root:root /etc/systemd/system/kubelet.service.d/10-kubeadm.conf

    -

    4.1.3 If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive (Manual)

    +

    4.1.3 If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive (Manual)

    Result: pass

    Remediation: Run the below command (based on the file location on your system) on the each worker node. @@ -801,7 +801,7 @@ 

    'permissions' is present OR '/var/lib/rancher/k3s/agent/kubeproxy.kubeconfig' is not present

    Returned Value:

    644 644
    -

    4.1.4 If proxy kubeconfig file exists ensure ownership is set to root:root (Manual)

    +

    4.1.4 If proxy kubeconfig file exists ensure ownership is set to root:root (Manual)

    Result: pass

    Remediation: Run the below command (based on the file location on your system) on the each worker node. @@ -812,7 +812,7 @@ 

    'root:root' is present OR '/var/lib/rancher/k3s/agent/kubeproxy.kubeconfig' is not present

    Returned Value:

    root:root root:root
    -

    4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive (Automated)

    +

    4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive (Automated)

    Result: pass

    Remediation: Run the below command (based on the file location on your system) on the each worker node. @@ -824,7 +824,7 @@ 

    '644' is equal to '644'

    Returned Value:

    644 644
    -

    4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root (Automated)

    +

    4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root (Automated)

    Result: pass

    Remediation: Run the below command (based on the file location on your system) on the each worker node. @@ -836,7 +836,7 @@ 

    'root:root' is equal to 'root:root'

    Returned Value:

    root:root root:root
    -

    4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual)

    +

    4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual)

    Result: pass

    Remediation: Run the following command to modify the file permissions of the @@ -847,7 +847,7 @@ 

    '644' is present OR '640' is present OR '600' is equal to '600' OR '444' is present OR '440' is present OR '400' is present OR '000' is present

    Returned Value:

    644 600
    -

    4.1.8 Ensure that the client certificate authorities file ownership is set to root:root (Manual)

    +

    4.1.8 Ensure that the client certificate authorities file ownership is set to root:root (Manual)

    Result: pass

    Remediation: Run the following command to modify the ownership of the --client-ca-file: @@ -858,18 +858,18 @@ 

    'root:root' is equal to 'root:root'

    Returned Value:

    root:root root:root
    -

    4.1.9 Ensure that the kubelet --config configuration file has permissions set to 644 or more restrictive (Automated)

    +

    4.1.9 Ensure that the kubelet --config configuration file has permissions set to 644 or more restrictive (Automated)

    Result: Not Applicable

    Remediation: Run the following command (using the config file location identified in the Audit step) chmod 644 /var/lib/kubelet/config.yaml

    -

    4.1.10 Ensure that the kubelet --config configuration file ownership is set to root:root (Automated)

    +

    4.1.10 Ensure that the kubelet --config configuration file ownership is set to root:root (Automated)

    Result: Not Applicable

    Remediation: Run the following command (using the config file location identified in the Audit step) chown root:root /var/lib/kubelet/config.yaml

    -

    4.2 Kubelet

    -

    4.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)

    +

    4.2 Kubelet

    +

    4.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)

    Result: pass

    Remediation: If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to @@ -887,7 +887,7 @@ 

    '--anonymous-auth' is equal to 'false'

    Returned Value:

    --anonymous-auth=false Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"
    -

    4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)

    +

    4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)

    Result: pass

    Remediation: If using a Kubelet config file, edit the file to set authorization.mode to Webhook. If @@ -904,7 +904,7 @@ 

    '--authorization-mode' does not have 'AlwaysAllow'

    Returned Value:

    --authorization-mode=Webhook Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"
    -

    4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)

    +

    4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)

    Result: pass

    Remediation: If using a Kubelet config file, edit the file to set authentication.x509.clientCAFile to @@ -922,7 +922,7 @@ 

    '--client-ca-file' is present

    Returned Value:

    --client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"
    -

    4.2.4 Ensure that the --read-only-port argument is set to 0 (Manual)

    +

    4.2.4 Ensure that the --read-only-port argument is set to 0 (Manual)

    Result: pass

    Remediation: If using a Kubelet config file, edit the file to set readOnlyPort to 0. @@ -939,7 +939,7 @@ 

    '--read-only-port' is equal to '0' OR '--read-only-port' is not present

    Returned Value:

    Sep 13 13:26:50 k3s-123-cis-pool2-98604672-hr9p5 k3s[1592]: time="2022-09-13T13:26:50Z" level=info msg="Running kubelet --address=0.0.0.0 --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=k3s-123-cis-pool2-98604672-hr9p5 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --node-labels=rke.cattle.io/machine=00c4e7a0-5497-4367-a70c-0b836757eae8 --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key" Sep 13 13:26:44 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:44Z" level=info msg="Running kubelet --address=0.0.0.0 --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=k3s-123-cis-pool3-b403f678-bzdg5 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --node-labels=rke.cattle.io/machine=109d596c-89f5-4c10-8c7f-6b82a38edd8f --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"
    -

    4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)

    +

    4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)

    Result: warn

    Remediation: If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a @@ -953,7 +953,7 @@ 

    journalctl -D /var/log/journal -u k3s | grep 'Running kubelet' | tail -n1 | grep 'streaming-connection-idle-timeout'
    -

    4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)

    +

    4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)

    Result: Not Applicable

    Remediation: If using a Kubelet config file, edit the file to set protectKernelDefaults to true. @@ -964,7 +964,7 @@

    4.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Automated)

    +

    4.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Automated)

    Result: Not Applicable

    Remediation: If using a Kubelet config file, edit the file to set makeIPTablesUtilChains to true. @@ -975,7 +975,7 @@

    4.2.8 Ensure that the --hostname-override argument is not set (Manual)

    +

    4.2.8 Ensure that the --hostname-override argument is not set (Manual)

    Result: Not Applicable

    Remediation: Edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf @@ -984,7 +984,7 @@

    4.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Manual)

    +

    4.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Manual)

    Result: warn

    Remediation: If using a Kubelet config file, edit the file to set eventRecordQPS to an appropriate level. @@ -996,7 +996,7 @@ 

    /bin/ps -fC containerd
    -

    4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)

    +

    4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)

    Result: pass

    Remediation: If using a Kubelet config file, edit the file to set tlsCertFile to the location @@ -1015,7 +1015,7 @@ 

    '--tls-cert-file' is present AND '--tls-private-key-file' is present

    Returned Value:

    Sep 13 13:26:50 k3s-123-cis-pool2-98604672-hr9p5 k3s[1592]: time="2022-09-13T13:26:50Z" level=info msg="Running kubelet --address=0.0.0.0 --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=k3s-123-cis-pool2-98604672-hr9p5 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --node-labels=rke.cattle.io/machine=00c4e7a0-5497-4367-a70c-0b836757eae8 --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key" Sep 13 13:26:44 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:44Z" level=info msg="Running kubelet --address=0.0.0.0 --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=k3s-123-cis-pool3-b403f678-bzdg5 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --node-labels=rke.cattle.io/machine=109d596c-89f5-4c10-8c7f-6b82a38edd8f --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"
    -

    4.2.11 Ensure that the --rotate-certificates argument is not set to false (Automated)

    +

    4.2.11 Ensure that the --rotate-certificates argument is not set to false (Automated)

    Result: Not Applicable

    Remediation: If using a Kubelet config file, edit the file to add the line rotateCertificates to true or @@ -1027,7 +1027,7 @@

    4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true (Manual)

    +

    4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true (Manual)

    Result: Not Applicable

    Remediation: Edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf @@ -1036,7 +1036,7 @@

    4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)

    +

    4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)

    Result: warn

    Remediation: If using a Kubelet config file, edit the file to set TLSCipherSuites to @@ -1051,8 +1051,8 @@ 

    /bin/ps -fC containerd
    -

    5.1 RBAC and Service Accounts

    -

    5.1.1 Ensure that the cluster-admin role is only used where required (Manual)

    +

    5.1 RBAC and Service Accounts

    +

    5.1.1 Ensure that the cluster-admin role is only used where required (Manual)

    Result: warn

    Remediation: Identify all clusterrolebindings to the cluster-admin role. Check if they are used and @@ -1060,140 +1060,140 @@

    5.1.2 Minimize access to secrets (Manual)

    +

    5.1.2 Minimize access to secrets (Manual)

    Result: warn

    Remediation: Where possible, remove get, list and watch access to Secret objects in the cluster.

    -

    5.1.3 Minimize wildcard use in Roles and ClusterRoles (Manual)

    +

    5.1.3 Minimize wildcard use in Roles and ClusterRoles (Manual)

    Result: warn

    Remediation: Where possible replace any use of wildcards in clusterroles and roles with specific objects or actions.

    -

    5.1.4 Minimize access to create pods (Manual)

    +

    5.1.4 Minimize access to create pods (Manual)

    Result: warn

    Remediation: Where possible, remove create access to pod objects in the cluster.

    -

    5.1.5 Ensure that default service accounts are not actively used. (Manual)

    +

    5.1.5 Ensure that default service accounts are not actively used. (Manual)

    Result: warn

    Remediation: Create explicit service accounts wherever a Kubernetes workload requires specific access to the Kubernetes API server. Modify the configuration of each default service account to include this value automountServiceAccountToken: false

    -

    5.1.6 Ensure that Service Account Tokens are only mounted where necessary (Manual)

    +

    5.1.6 Ensure that Service Account Tokens are only mounted where necessary (Manual)

    Result: warn

    Remediation: Modify the definition of pods and service accounts which do not need to mount service account tokens to disable it.

    -

    5.1.7 Avoid use of system:masters group (Manual)

    +

    5.1.7 Avoid use of system:masters group (Manual)

    Result: warn

    Remediation: Remove the system:masters group from all users in the cluster.

    -

    5.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)

    +

    5.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)

    Result: warn

    Remediation: Where possible, remove the impersonate, bind and escalate rights from subjects.

    -

    5.2 Pod Security Standards

    -

    5.2.1 Ensure that the cluster has at least one active policy control mechanism in place (Manual)

    +

    5.2 Pod Security Standards

    +

    5.2.1 Ensure that the cluster has at least one active policy control mechanism in place (Manual)

    Result: warn

    Remediation: Ensure that either Pod Security Admission or an external policy control system is in place for every namespace which contains user workloads.

    -

    5.2.2 Minimize the admission of privileged containers (Automated)

    +

    5.2.2 Minimize the admission of privileged containers (Automated)

    Result: warn

    Remediation: Add policies to each namespace in the cluster which has user workloads to restrict the admission of privileged containers.

    -

    5.2.3 Minimize the admission of containers wishing to share the host process ID namespace (Automated)

    +

    5.2.3 Minimize the admission of containers wishing to share the host process ID namespace (Automated)

    Result: warn

    Remediation: Add policies to each namespace in the cluster which has user workloads to restrict the admission of hostPID containers.

    -

    5.2.4 Minimize the admission of containers wishing to share the host IPC namespace (Automated)

    +

    5.2.4 Minimize the admission of containers wishing to share the host IPC namespace (Automated)

    Result: warn

    Remediation: Add policies to each namespace in the cluster which has user workloads to restrict the admission of hostIPC containers.

    -

    5.2.5 Minimize the admission of containers wishing to share the host network namespace (Automated)

    +

    5.2.5 Minimize the admission of containers wishing to share the host network namespace (Automated)

    Result: warn

    Remediation: Add policies to each namespace in the cluster which has user workloads to restrict the admission of hostNetwork containers.

    -

    5.2.6 Minimize the admission of containers with allowPrivilegeEscalation (Automated)

    +

    5.2.6 Minimize the admission of containers with allowPrivilegeEscalation (Automated)

    Result: warn

    Remediation: Add policies to each namespace in the cluster which has user workloads to restrict the admission of containers with .spec.allowPrivilegeEscalation set to true.

    -

    5.2.7 Minimize the admission of root containers (Automated)

    +

    5.2.7 Minimize the admission of root containers (Automated)

    Result: warn

    Remediation: Create a policy for each namespace in the cluster, ensuring that either MustRunAsNonRoot or MustRunAs with the range of UIDs not including 0, is set.

    -

    5.2.8 Minimize the admission of containers with the NET_RAW capability (Automated)

    +

    5.2.8 Minimize the admission of containers with the NET_RAW capability (Automated)

    Result: warn

    Remediation: Add policies to each namespace in the cluster which has user workloads to restrict the admission of containers with the NET_RAW capability.

    -

    5.2.9 Minimize the admission of containers with added capabilities (Automated)

    +

    5.2.9 Minimize the admission of containers with added capabilities (Automated)

    Result: warn

    Remediation: Ensure that allowedCapabilities is not present in policies for the cluster unless it is set to an empty array.

    -

    5.2.10 Minimize the admission of containers with capabilities assigned (Manual)

    +

    5.2.10 Minimize the admission of containers with capabilities assigned (Manual)

    Result: warn

    Remediation: Review the use of capabilities in applications running on your cluster. Where a namespace contains applications which do not require any Linux capabilities to operate consider adding a PSP which forbids the admission of containers which do not drop all capabilities.

    -

    5.2.11 Minimize the admission of Windows HostProcess containers (Manual)

    +

    5.2.11 Minimize the admission of Windows HostProcess containers (Manual)

    Result: warn

    Remediation: Add policies to each namespace in the cluster which has user workloads to restrict the admission of containers that have .securityContext.windowsOptions.hostProcess set to true.

    -

    5.2.12 Minimize the admission of HostPath volumes (Manual)

    +

    5.2.12 Minimize the admission of HostPath volumes (Manual)

    Result: warn

    Remediation: Add policies to each namespace in the cluster which has user workloads to restrict the admission of containers with hostPath volumes.

    -

    5.2.13 Minimize the admission of containers which use HostPorts (Manual)

    +

    5.2.13 Minimize the admission of containers which use HostPorts (Manual)

    Result: warn

    Remediation: Add policies to each namespace in the cluster which has user workloads to restrict the admission of containers which use hostPort sections.

    -

    5.3 Network Policies and CNI

    -

    5.3.1 Ensure that the CNI in use supports NetworkPolicies (Manual)

    +

    5.3 Network Policies and CNI

    +

    5.3.1 Ensure that the CNI in use supports NetworkPolicies (Manual)

    Result: warn

    Remediation: If the CNI plugin in use does not support network policies, consideration should be given to making use of a different plugin, or finding an alternate mechanism for restricting traffic in the Kubernetes cluster.

    -

    5.3.2 Ensure that all Namespaces have NetworkPolicies defined (Manual)

    +

    5.3.2 Ensure that all Namespaces have NetworkPolicies defined (Manual)

    Result: warn

    Remediation: Follow the documentation and create NetworkPolicy objects as you need them.

    -

    5.4 Secrets Management

    -

    5.4.1 Prefer using Secrets as files over Secrets as environment variables (Manual)

    +

    5.4 Secrets Management

    +

    5.4.1 Prefer using Secrets as files over Secrets as environment variables (Manual)

    Result: warn

    Remediation: If possible, rewrite application code to read Secrets from mounted secret files, rather than from environment variables.

    -

    5.4.2 Consider external secret storage (Manual)

    +

    5.4.2 Consider external secret storage (Manual)

    Result: warn

    Remediation: Refer to the Secrets management options offered by your cloud provider or a third-party secrets management solution.

    -

    5.5 Extensible Admission Control

    -

    5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)

    +

    5.5 Extensible Admission Control

    +

    5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)

    Result: warn

    Remediation: Follow the Kubernetes documentation and setup image provenance.

    -

    5.7 General Policies

    -

    5.7.1 Create administrative boundaries between resources using namespaces (Manual)

    +

    5.7 General Policies

    +

    5.7.1 Create administrative boundaries between resources using namespaces (Manual)

    Result: warn

    Remediation: Follow the documentation and create namespaces for objects in your deployment as you need them.

    -

    5.7.2 Ensure that the seccomp profile is set to docker/default in your Pod definitions (Manual)

    +

    5.7.2 Ensure that the seccomp profile is set to docker/default in your Pod definitions (Manual)

    Result: warn

    Remediation: Use securityContext to enable the docker/default seccomp profile in your pod definitions. @@ -1201,17 +1201,17 @@

    5.7.3 Apply SecurityContext to your Pods and Containers (Manual)

    +

    5.7.3 Apply SecurityContext to your Pods and Containers (Manual)

    Result: warn

    Remediation: Follow the Kubernetes documentation and apply SecurityContexts to your Pods. For a suggested list of SecurityContexts, you may refer to the CIS Security Benchmark for Docker Containers.

    -

    5.7.4 The default namespace should not be used (Manual)

    +

    5.7.4 The default namespace should not be used (Manual)

    Result: warn

    Remediation: Ensure that namespaces are created to allow for appropriate segregation of Kubernetes -resources and that all new resources are created in a specific namespace.